Share
## https://sploitus.com/exploit?id=23F97CA6-ACC2-5A39-BF81-F5CD44698506
# PgBouncer Crash PoC

This repository contains a local proof of concept for a PgBouncer crash caused
by an integer overflow in vulnerable PgBouncer versions. The included Docker
setup builds PgBouncer `1.25.1`, starts a PostgreSQL backend, enables
SCRAM-SHA-256 authentication, and runs `poc.py` against PgBouncer.

This is intended for controlled lab testing only. Do not run this against
systems you do not own or have explicit permission to test.

## Contents

- `poc.py` - Python proof-of-concept client.
- `docker-compose.yml` - Local PostgreSQL, PgBouncer, and PoC runner services.
- `postgres/init.sql` - Creates the test database user.
- `pgbouncer/Dockerfile` - Builds vulnerable PgBouncer `1.25.1`.
- `pgbouncer/pgbouncer.ini` - PgBouncer configuration using SCRAM auth.
- `pgbouncer/gen_userlist.py` - Generates a deterministic SCRAM verifier.

## Requirements

- Docker
- Docker Compose
- Python 3, if running `poc.py` manually from the host

## Run With Docker Compose

Build and start the lab:

```sh
docker compose up --build
```

The compose file starts:

- PostgreSQL on the internal compose network.
- PgBouncer exposed on host port `6432`.
- A one-shot Python container that runs the PoC against PgBouncer.

To run only the services and execute the PoC manually:

```sh
docker compose up --build postgres pgbouncer
python3 poc.py 127.0.0.1 6432
```

## Expected Result

When the vulnerable PgBouncer process hits the malformed SASL initial response,
the client should report a reset connection or PgBouncer becoming unreachable.
The PoC checks for this condition and prints whether the crash was confirmed.

## Cleanup

Stop and remove the lab containers:

```sh
docker compose down
```

## Notes

The PoC defaults to:

- Host: `127.0.0.1`
- Port: `6432`
- User: `testuser`
- Database: `testdb`

Custom target:

```sh
python3 poc.py  
```