## https://sploitus.com/exploit?id=E4E784B6-A59D-5F31-AA0B-4BD1AE4C2A25
# nginx-rift-detect
Behavioral detection script for **CVE-2026-42945** (NGINX Rift) โ a heap buffer overflow in `ngx_http_rewrite_module` present in nginx since 2008.




---
## โ ๏ธ Disclaimer
This tool is intended **solely for authorized security testing and research**.
Only run this against systems you own or have **explicit written permission** to test.
Unauthorized use may violate computer crime laws in your jurisdiction.
The author is not responsible for any misuse or damage caused by this tool.
---
## Background
**CVE-2026-42945** is a heap buffer overflow in nginx's rewrite script engine (`ngx_http_rewrite_module`), introduced in version `0.6.27` (2008) and present for ~18 years.
The bug comes from a mismatch between two passes of the rewrite engine:
- **Pass 1** (length calculation): sees `is_args = 0` โ allocates a small buffer
- **Pass 2** (data copy): sees `is_args = 1` โ calls `ngx_escape_uri`, expanding each escapable byte (like `+`) to 3ร its size โ **overflows the heap buffer**
This allows unauthenticated remote code execution.
**Affected versions:**
| Product | Vulnerable | Patched |
|---|---|---|
| NGINX Open Source | 0.6.27 โ 1.30.0 | 1.30.1, 1.31.0+ |
| NGINX Plus | R32 โ R36 | R36 P4, R35 P2, R32 P6 |
**References:**
- [Original research & PoC โ DepthFirstDisclosures](https://github.com/DepthFirstDisclosures/Nginx-Rift)
- [F5 Security Advisory K000160932](https://my.f5.com/manage/s/article/K000160932)
---
## How Detection Works
This script does **not** attempt RCE. It mimics the PoC's flow using raw sockets:
1. **Canary** โ sends 3 normal requests to confirm the server is stable before testing
2. **Heap spray** โ opens 20 connections to hold memory
3. **Trigger** โ sends `GET /api/` as a partial HTTP request
4. **Probe** โ if the trigger socket closes unexpectedly (worker crashed and respawned), the target is flagged as vulnerable
> Detection relies on crashing a worker process. The nginx master will respawn it immediately, but there will be a brief interruption. Use with caution on production systems.
---
## Usage
```bash
# Single target (HTTP)
python3 detect-CVE-2026-42945.py --host 127.0.0.1 --port 80
# Single target (HTTPS)
python3 detect-CVE-2026-42945.py --host example.com --port 443 --tls
# List of targets
python3 detect-CVE-2026-42945.py -l targets.txt
# With threading and output file
python3 detect-CVE-2026-42945.py -l targets.txt --threads 10 -o vulnerable.txt
# More attempts for unreliable targets
python3 detect-CVE-2026-42945.py --host 10.0.0.1 --port 8080 --tries 5
```
**`targets.txt` format** โ one per line:
```
http://example.com
https://example.com:8443
192.168.1.1
192.168.1.1:8080
```
**Options:**
```
--host Single target host
--port Port (default: 80, or 443 with --tls)
--tls Use TLS/HTTPS for single target
-l, --list File with list of targets
--tries Detection attempts per target (default: 3)
--threads Concurrent threads for list scan (default: 5)
-o, --output Save vulnerable targets to CSV file
```
---
## Example Output
```
[*] CVE-2026-42945 NGINX Rift Detection | targets=2 threads=5 tries=3
[*] http://192.168.1.1:80 - nginx/1.28.0
[*] http://192.168.1.2:8080 - nginx/1.31.0
[!!!] VULNERABLE | http://192.168.1.1:80 | nginx/1.28.0 | worker crash (trigger connection closed โ worker respawned)
[+] http://192.168.1.2:8080 - not vulnerable (or timing miss, try --tries 5)
==================================================
[*] Scan complete. 2 targets scanned.
[!!!] 1 VULNERABLE target(s):
http://192.168.1.1:80 (nginx/1.28.0)
==================================================
```
---
## Testing Against the Lab
The original repo includes a Docker lab environment:
```bash
git clone https://github.com/DepthFirstDisclosures/Nginx-Rift
cd Nginx-Rift
chmod +x setup.sh && ./setup.sh
docker compose -f env/docker-compose.yml up -d
python3 detect-CVE-2026-42945.py --host 127.0.0.1 --port 19321
```
---
## License
MIT โ see [LICENSE](LICENSE)
---
*Original vulnerability research and PoC: [DepthFirstDisclosures](https://github.com/DepthFirstDisclosures/Nginx-Rift)*