Share
## https://sploitus.com/exploit?id=E4E784B6-A59D-5F31-AA0B-4BD1AE4C2A25
# nginx-rift-detect

Behavioral detection script for **CVE-2026-42945** (NGINX Rift) โ€” a heap buffer overflow in `ngx_http_rewrite_module` present in nginx since 2008.

![Python](https://img.shields.io/badge/python-3.6+-blue?style=flat-square&logo=python)
![CVE](https://img.shields.io/badge/CVE-2026--42945-red?style=flat-square)
![CVSS](https://img.shields.io/badge/CVSS-10.0-critical?style=flat-square)
![License](https://img.shields.io/badge/license-MIT-green?style=flat-square)

---

## โš ๏ธ Disclaimer

This tool is intended **solely for authorized security testing and research**.
Only run this against systems you own or have **explicit written permission** to test.
Unauthorized use may violate computer crime laws in your jurisdiction.
The author is not responsible for any misuse or damage caused by this tool.

---

## Background

**CVE-2026-42945** is a heap buffer overflow in nginx's rewrite script engine (`ngx_http_rewrite_module`), introduced in version `0.6.27` (2008) and present for ~18 years.

The bug comes from a mismatch between two passes of the rewrite engine:
- **Pass 1** (length calculation): sees `is_args = 0` โ†’ allocates a small buffer
- **Pass 2** (data copy): sees `is_args = 1` โ†’ calls `ngx_escape_uri`, expanding each escapable byte (like `+`) to 3ร— its size โ†’ **overflows the heap buffer**

This allows unauthenticated remote code execution.

**Affected versions:**

| Product | Vulnerable | Patched |
|---|---|---|
| NGINX Open Source | 0.6.27 โ€“ 1.30.0 | 1.30.1, 1.31.0+ |
| NGINX Plus | R32 โ€“ R36 | R36 P4, R35 P2, R32 P6 |

**References:**
- [Original research & PoC โ€” DepthFirstDisclosures](https://github.com/DepthFirstDisclosures/Nginx-Rift)
- [F5 Security Advisory K000160932](https://my.f5.com/manage/s/article/K000160932)

---

## How Detection Works

This script does **not** attempt RCE. It mimics the PoC's flow using raw sockets:

1. **Canary** โ€” sends 3 normal requests to confirm the server is stable before testing
2. **Heap spray** โ€” opens 20 connections to hold memory
3. **Trigger** โ€” sends `GET /api/` as a partial HTTP request
4. **Probe** โ€” if the trigger socket closes unexpectedly (worker crashed and respawned), the target is flagged as vulnerable

> Detection relies on crashing a worker process. The nginx master will respawn it immediately, but there will be a brief interruption. Use with caution on production systems.

---

## Usage

```bash
# Single target (HTTP)
python3 detect-CVE-2026-42945.py --host 127.0.0.1 --port 80

# Single target (HTTPS)
python3 detect-CVE-2026-42945.py --host example.com --port 443 --tls

# List of targets
python3 detect-CVE-2026-42945.py -l targets.txt

# With threading and output file
python3 detect-CVE-2026-42945.py -l targets.txt --threads 10 -o vulnerable.txt

# More attempts for unreliable targets
python3 detect-CVE-2026-42945.py --host 10.0.0.1 --port 8080 --tries 5
```

**`targets.txt` format** โ€” one per line:
```
http://example.com
https://example.com:8443
192.168.1.1
192.168.1.1:8080
```

**Options:**
```
--host          Single target host
--port          Port (default: 80, or 443 with --tls)
--tls           Use TLS/HTTPS for single target
-l, --list      File with list of targets
--tries         Detection attempts per target (default: 3)
--threads       Concurrent threads for list scan (default: 5)
-o, --output    Save vulnerable targets to CSV file
```

---

## Example Output

```
[*] CVE-2026-42945 NGINX Rift Detection | targets=2 threads=5 tries=3

[*] http://192.168.1.1:80   - nginx/1.28.0
[*] http://192.168.1.2:8080 - nginx/1.31.0

[!!!] VULNERABLE | http://192.168.1.1:80 | nginx/1.28.0 | worker crash (trigger connection closed โ€” worker respawned)
[+]   http://192.168.1.2:8080 - not vulnerable (or timing miss, try --tries 5)

==================================================
[*] Scan complete. 2 targets scanned.
[!!!] 1 VULNERABLE target(s):
      http://192.168.1.1:80 (nginx/1.28.0)
==================================================
```

---

## Testing Against the Lab

The original repo includes a Docker lab environment:

```bash
git clone https://github.com/DepthFirstDisclosures/Nginx-Rift
cd Nginx-Rift
chmod +x setup.sh && ./setup.sh
docker compose -f env/docker-compose.yml up -d

python3 detect-CVE-2026-42945.py --host 127.0.0.1 --port 19321
```

---

## License

MIT โ€” see [LICENSE](LICENSE)

---

*Original vulnerability research and PoC: [DepthFirstDisclosures](https://github.com/DepthFirstDisclosures/Nginx-Rift)*