NGINX Rift

This repository is a standalone Go exploit/helper tool for CVE-2026-42945 affecting nginx HTTP/2, not part of a larger exploit framework. The codebase is organized into a CLI in cmd/, core probing and exploitation logic in internal/rift/, and a reproducible Docker lab in deploy/docker/ with vulnerable nginx 1.30.0 and patched nginx 1.30.1 images. Main capabilities: - Probe a target over raw TCP/HTTP only (no TLS support) to determine reachability, parse the Server header, heuristically assess nginx version, and test whether PoC-required endpoints are exposed. - Perform a crash-side-channel probe by heap spraying POST /spray and triggering a crafted GET /api/... request, then infer worker crash/restart behavior. - Attempt command execution by building a fake ngx_pool_cleanup structure in the POST body and trying candidate heap/libc offsets until a worker anomaly suggests control flow reached system(). - Generate a reverse shell payload using python3 that connects back to operator-supplied lhost:lport; the tool optionally starts a local nc listener. Exploit structure: - cmd/main.go handles CLI parsing, mode validation, Docker lab orchestration, target probing, exploit execution, and reverse-shell helper behavior. - internal/rift/probe.go implements raw HTTP exchanges and endpoint/version checks. - internal/rift/body.go builds the crafted spray body: fake cleanup handler pointer, data pointer, null next pointer, then the attacker command. - internal/rift/exploit.go performs the heap spray, overflow trigger, crash detection, and brute-force iteration across known libc system() offsets and URL-safe heap candidates. - internal/rift/config.go stores constants such as body length, spray count, default/docker heap and libc bases, candidate heap offsets, and common libc system offsets. - deploy/docker/nginx.conf and server.py create a lab environment with the exact endpoints the exploit expects: rewrite-driven /api/(.*) handling, internal proxying, and /spray for controlled body allocation. The exploit is operational rather than a simple PoC because it includes working payload generation for arbitrary commands and reverse shell behavior, but it still relies on hardcoded/common offsets and side-channel success criteria rather than robust post-exploitation confirmation. The included Docker lab is clearly intended to demonstrate vulnerable vs patched behavior and improve exploit reliability by disabling ASLR.

Repository contains a standalone Python PoC plus NGINX configuration examples and a crash log demonstrating the claimed CVE-2026-42945 'NGINX Rift' heap overflow. The main exploit file is CVE-2026-42945/CVE-2026-42945-test.py, which opens raw TCP sockets and sends crafted HTTP GET requests. It first checks normal server responsiveness with GET /, then probes /api/test_endpoint, then sends increasingly large /api/%25%25... payloads intended to exploit URI decoding/re-escaping behavior. Success is inferred from connection failures, timeouts, or HTTP 500/502 responses followed by service recovery, indicating a worker crash and restart. Repository structure: (1) the Python PoC script; (2) single_layer_test/single_layer_nginx.conf showing a minimal vulnerable pattern using rewrite with '?' and set $captured $1 in location /api/; (3) double_layer_test/layer1_nginx.conf and layer2_nginx.conf showing a proxy/front-end and back-end deployment variant; and (4) single_layer_test/test.log containing sample execution output and NGINX SIGSEGV/SIGABRT traces. The README documents affected versions, trigger conditions, usage, and mitigation guidance. Main exploit capability: denial-of-service/vulnerability verification against a remote NGINX instance over HTTP. There is no implemented post-exploitation or shell payload; RCE is only mentioned conceptually in comments/README. The code is operational as a crash-inducing PoC but not weaponized. Notable observables include hardcoded Host headers cve.58.com and cve2.58.com, vulnerable request path /api/, example virtual host cve.test.com, proxy upstream http://10.16.79.137:8089, and several local log/config file paths from the sample NGINX setups.

This repository is a small standalone Python proof-of-concept exploit for alleged CVE-2026-42945 targeting nginx. It contains only two files: a README with usage examples and Shodan hunting queries, and the main exploit script poc.py. The code is not a scanner or detector; it is an active remote code execution exploit. The exploit logic is highly tailored to a specific target memory layout. It hardcodes HEAP_BASE, LIBC_BASE, and derives SYSTEM_ADDR from libc, explicitly noting 'ASLR disabled' in the argument parser description. It computes candidate heap addresses from a predefined PREREAD_HEAP_OFFSETS list, filters them through a byte-safety check, then constructs a fake structure containing the system() address and a pointer to attacker-controlled command data. The body is padded to a fixed 4000-byte length. Operationally, the exploit first checks service availability with a simple GET /. It then performs a heap spray by opening multiple concurrent POST /spray requests with Content-Length 4000 and X-Delay: 60, keeping attacker-controlled bodies resident in memory. After that, it opens additional connections and sends a crafted GET /api/<payload> request containing a long path with repeated characters and six target bytes derived from the candidate address. Timing and partial-request behavior are used to manipulate nginx request processing. The script then probes the connection state to infer whether the worker crashed or hung, treating that as evidence that system("<cmd>") executed. Capabilities include arbitrary command execution via --cmd and an optional reverse shell mode via --shell. In reverse shell mode, the script generates a Python one-liner that connects back to a supplied attacker IP/port, duplicates file descriptors, and launches /bin/sh -i. It also starts a local listener thread using netcat if available. The README reinforces the intended target profile: nginx instances on port 19321 or other non-standard ports, with references to POST /spray and X-Delay headers as identifying traits. Overall, this is an operational but brittle exploit PoC for network-based web exploitation against a very specifically configured nginx target.

Repository is a small standalone Python-based nginx exploit/scanner project with 6 files: a README, one Python utility script (calibrate.py), Docker lab files, and branding assets. The README describes a tool named nGixShell that allegedly performs nginx fingerprinting, scans for 53 CVEs, detects/bypasses WAFs, audits web security posture, and exploits CVE-2026-42945 for RCE with command execution and reverse shells. However, the main exploit script referenced throughout the README (ngixshell.py) is not present in the provided repository snapshot. The only actual code file included is calibrate.py, which is a local post-exploitation/support utility rather than the remote exploit itself. calibrate.py is a Python 3 script intended to tailor exploitation to a specific nginx worker process. It reads /proc/<pid>/maps and /proc/<pid>/mem, snapshots heap regions before and after opening slow POST requests to the target, identifies newly allocated heap chunks, filters for URL-safe candidate addresses, and attempts to locate libc/system() using readelf against the mapped libc path. Its purpose is to output HEAP_BASE, LIBC_BASE, system() offset, and candidate preread heap offsets in a format suitable for insertion into a KNOWN_BUILDS dictionary in the missing ngixshell.py. This indicates the overall exploit design relies on heap grooming plus corruption of nginx pool cleanup structures to redirect execution to system(). The env/ directory provides a reproducible Docker lab: docker-compose.yml launches nginx:1.25.3 on host port 19321, and nginx.conf intentionally exposes endpoints and rewrite behavior relevant to the claimed vulnerability. Notable lab routes include /r/ for the rewrite-trigger path, /upload for proxy/body buffering against an unreachable backend at 127.0.0.1:19999, /nginx_status for stub_status exposure, /admin for path discovery testing, and /.env for simulated sensitive-file exposure. Overall assessment: this is not just a README and not obviously fake, but the repository snapshot is incomplete because the primary exploit/scanner file is missing. Based on the included calibration utility and lab configuration, the intended capability is operational RCE support against vulnerable nginx instances, but the provided code alone does not execute the remote exploit; it prepares target-specific memory offsets needed by that missing exploit.

This repository is a self-contained exploit lab for CVE-2026-42945 targeting nginx 1.30.0 on 32-bit Linux. It is not just a detector: it includes a vulnerable Dockerized target, a primitive trigger, a deterministic lab-assisted RCE validator, and a remote-only brute-force exploit path. Repository structure: - docker/: builds and runs a 32-bit nginx 1.30.0 target plus a small Python delay backend. The nginx config exposes three important paths: /spray for heap spraying via proxied request bodies, /api/ for the vulnerable rewrite/set path, and / for creating the adjacent victim request pool. - exploit/trigger_oob.py: minimal proof-of-concept that sends a crafted /api/ request and predicts the out-of-bounds expansion caused by URI escaping. This demonstrates the heap OOB write primitive but does not attempt code execution. - exploit/lab_known_address.py: lab-assisted validator that uses docker exec to inspect /proc/<pid>/maps, derive heap and libc bases, compute the fake cleanup handler and system() target, then send the exploit sequence and wait for an HTTP callback. This proves RCE in the controlled lab but is explicitly not a pure remote exploit. - exploit/remote_bruteforce.py: main remote exploitation logic. It avoids Docker, SSH, ptrace, and /proc introspection, brute-forcing candidate SAFE heap pages and libc pages. It starts an HTTP listener and treats a POST to /rce as the only success oracle. - scripts/render_screenshots.py: auxiliary documentation tooling, not part of exploitation. Exploit capability and flow: 1. Heap spray: a POST to /spray keeps a request body allocation alive in nginx worker heap and stores a fake ngx_pool_cleanup_t structure plus a shell command. 2. Trigger: a crafted GET to /api/<payload> abuses the rewrite/set path so URI escaping expands attacker-controlled bytes and causes a controlled heap out-of-bounds write. 3. Victim cleanup: a concurrent GET / creates the adjacent request pool whose cleanup pointer is overwritten. 4. Code execution: when nginx destroys the corrupted pool, it follows the overwritten cleanup pointer. The fake cleanup handler points to libc system(), and the data pointer points to the attacker command string. 5. Success signal: the command pipes output into curl, which POSTs to the attacker listener, typically http://host.docker.internal:9876/rce. The exploit is operational rather than weaponized: it contains a real payload and working exploitation logic, but it is a standalone lab repository rather than a reusable framework module. The remote brute-force script is the most realistic exploit component, though success depends on favorable ASLR layout and byte-safety constraints for the sprayed pointer values.

This repository is a real RCE proof-of-concept for CVE-2026-42945 ('NGINX Rift'), a heap buffer overflow in NGINX's ngx_http_rewrite_module. The repo contains a runnable lab environment under env/ plus the main exploit in poc.py. The environment builds NGINX 1.30.0 from source in Docker, starts a local Python backend on 127.0.0.1:19323, and exposes the vulnerable HTTP service on port 19321. The nginx.conf intentionally includes the vulnerable rewrite+set pattern on /api/(.*), an internal /internal proxy target, and a /spray endpoint used to place attacker-controlled binary data into request-pool memory. The exploit logic in poc.py is operational rather than a simple crash PoC. It performs heap spraying by opening many POST /spray requests with crafted 4000-byte bodies containing a fake ngx_pool_cleanup structure: [handler=system()][data=command pointer][next=NULL][command string]. It then triggers the overflow via a GET request to /api/<payload>, where many '+' characters force URI escaping expansion during the copy pass, overflowing an undersized heap buffer allocated during the length pass. The overflow is used to corrupt an adjacent ngx_pool_t cleanup pointer so that when a victim request pool is destroyed, NGINX calls system() on attacker-controlled data. The exploit supports two outcomes: arbitrary command execution via --cmd and a Python reverse shell via --shell, defaulting to callback 172.17.0.1:1337. It also includes helper routines to wait for service availability, discover libc base addresses by reading /proc maps through docker compose exec, clear/check a marker file (/tmp/.rce_ok), and retry across several known-safe sprayed addresses. The code assumes a deterministic environment with ASLR disabled or otherwise stable, known-safe heap addresses, and Docker access for local verification. Repository structure is straightforward: README.md and writeup.md document the vulnerability and exploitation strategy; setup.sh builds the lab; env/ contains Docker, NGINX, and backend server files; poc.py is the main exploit entry point.

This repository is a standalone exploit lab and PoC suite for CVE-2026-42945, described as a heap buffer overflow in NGINX/OpenResty rewrite processing when a location combines rewrite, a replacement containing '?', and set referencing a regex capture such as $1. The repo is not tied to a common exploit framework. Its structure is centered around: (1) exploit and validation scripts in Bash and Python, (2) Docker packaging to build vulnerable NGINX/OpenResty environments with debug symbols and permissive ptrace settings, (3) custom nginx.conf files that intentionally satisfy the vulnerable configuration, and (4) bundled upstream NGINX source used for local builds/debugging. Main capabilities: it can detect whether a target exposes the expected vulnerable location (/health and /api/test checks), send crafted encoded requests to /api/... to trigger the overflow, inspect local error logs for ASAN evidence, stress the target for crash/DoS behavior, and perform command execution by attaching GDB to a local NGINX/OpenResty worker process and calling system(). The RCE path is therefore not purely remote code execution from HTTP alone; it depends on local privileged access to the host/container running the target process. The HTTP portion is used to reach the vulnerable code path, while the actual command execution is achieved through post-trigger local process injection. Repository layout: run.sh is the top-level orchestrator for building containers or testing a remote URL. check_nginx_cve.sh is a larger all-in-one assessment script supporting check/exploit/rce/flood modes and report generation. scripts/exploit.py is the main Python PoC with multiple modes; scripts/exploit_asan.py focuses on ASAN-assisted overflow confirmation; scripts/exploit_rce.py and scripts/rce.sh implement the GDB-based command execution workflow; scripts/poc.sh provides a shell-only equivalent. package/ contains Dockerfiles, docker-compose, startup scripts, and vulnerable nginx/openresty configs. nginx-install/conf/nginx.conf and package/nginx*.conf define the intentionally vulnerable /api/(.*) location and helper endpoints /health, /internal, and /aslr. gdb_*.sh scripts support debugging and tracing of the vulnerable code path. src/nginx-1.26.3 contains mostly stock upstream source/build files used to compile test images. Notable operational details: the Docker images are privileged, disable ASLR via /proc/sys/kernel/randomize_va_space, and relax ptrace restrictions via /proc/sys/kernel/yama/ptrace_scope to make GDB attachment reliable. The exploit scripts use repeated encoded characters such as %25, %3f, %23, and %26 as trigger material. Several scripts contain hardcoded local log paths and assume a lab environment. Overall, this is a real exploit/testing repository with both detection and exploitation components, but its practical RCE capability is best characterized as operational in a controlled local/privileged environment rather than a turnkey unauthenticated remote-only RCE exploit.

This repository is a small, focused proof-of-concept and documentation set for rediscovering and reproducing CVE-2026-42945 in nginx. It is not a framework module and not a weaponized exploit; it is a local crash/ASan reproduction harness. Repository structure: most files are documentation (README plus three docs files explaining methodology, technical root cause, and vulnerability breakdown). The actual PoC lives in poc/: nginx.conf defines a minimal vulnerable rewrite configuration, reproduce.sh is a shell wrapper that locates a local nginx binary and launches the Python harness, trigger.py is the main exploit driver, and expected_output.txt shows the expected ASan crash. Two prompt files document the AI-assisted audit workflow but are not part of exploitation. Main exploit capability: trigger.py launches a user-supplied local nginx binary with a temporary prefix and ASan logging enabled, waits for the server to listen on 127.0.0.1:18080, then sends a crafted HTTP GET request whose path is '/' followed by many repeated '%20' sequences. The provided nginx.conf contains a rewrite rule with '?', then a set directive using $1. This reproduces the stale e->is_args state bug in nginx's rewrite/script engine, causing the length pass to size a regex capture as raw bytes while the write pass URI-escapes it, overflowing the heap buffer. The script then collects stdout/stderr, ASan logs, and nginx error logs and reports success if crash evidence is present. Targeting: the repository explicitly targets nginx, validated against nginx 1.30.0 in a local lab build with AddressSanitizer. The vulnerable component is ngx_http_rewrite_module / src/http/ngx_http_script.c. The exploit requires percent-encoded URI content that expands when escaped, such as spaces encoded as %20. Operationally, this is a local network/web attack vector against a lab instance only: the code binds nginx to 127.0.0.1:18080 and does not contact external infrastructure. No persistence, shell, command execution, or post-exploitation payload is included. The result is denial-of-service style crash evidence demonstrating a heap-buffer-overflow rather than code execution.

Repository contains a complete standalone proof-of-concept exploit and a reproducible lab environment for CVE-2026-42945 ('NGINX Rift'), a heap-based buffer overflow in NGINX's ngx_http_rewrite_module. The main exploit is CVE-2026-42945/poc.py, a Python script that performs network exploitation against a vulnerable HTTP listener. It first sprays heap memory by sending multiple POST requests to /spray with attacker-controlled bodies containing a fake cleanup structure and command string, then triggers the overflow with a crafted GET request to /api/<payload>. The exploit relies on the mismatch between rewrite length calculation and copy-time escaping, using many '+' characters to expand during URI escaping and overflow an undersized heap buffer. It attempts to corrupt an adjacent ngx_pool_t cleanup pointer so that pool destruction invokes system() on attacker-controlled data. The script supports either arbitrary command execution (--cmd) or a generated Python reverse shell (--shell), and includes liveness checks and repeated attempts across candidate heap offsets. The env/ directory builds a vulnerable lab: Dockerfile clones and compiles a specific NGINX revision, docker-compose.yml exposes port 19321, entrypoint.sh disables ASLR with setarch -R for deterministic addresses, nginx.conf defines the vulnerable rewrite/set combination plus /spray and /internal locations, and server.py provides a delayed backend on 127.0.0.1:19323 to keep requests open during exploitation. setup.sh automates building and demonstrates command execution by writing /tmp/pwned. The two README files document the vulnerability, affected versions, exploitation concept, and usage. Overall, this is a real exploit repository rather than a detector. It is operational in the supplied lab conditions, but not broadly weaponized: key addresses are hardcoded (HEAP_BASE, LIBC_BASE, SYSTEM_ADDR), exploitation assumes ASLR is disabled, and the environment is tuned for deterministic success. Primary capabilities are unauthenticated remote command execution and reverse shell access, with worker crash/DoS as a likely side effect when exploitation fails.

This repository is a self-contained reproduction and analysis kit for CVE-2026-42945 ('NGINX Rift'), centered on a network/web attack against vulnerable NGINX rewrite processing. It is not tied to a common exploit framework. The repo contains: (1) a Dockerized vulnerable lab environment using nginx:1.26.2 (Dockerfile, docker-compose.yml), (2) a crafted nginx.conf that intentionally enables the vulnerable pattern, (3) poc_crash.py, a Python PoC that sends malicious HTTP GET requests with many '+' characters to /api/... to trigger a heap buffer overflow and crash a worker, and (4) explanatory materials (README.md, exploit_diagram.txt, vuln_analysis.c) describing root cause and a possible RCE path. Main exploit capability: the Python script performs active exploitation over TCP/HTTP by connecting to a target host/port, verifying the server is reachable, probing the vulnerable /api/ route, then sending progressively larger payloads of escapable URI characters. It detects likely success via connection reset/refusal, timeout, HTTP 500/502, or recovery behavior after a worker restart. This makes it more than a passive detector: it attempts to trigger the crash condition directly, so it is a DoS exploit PoC. The repository also documents a more advanced heap-grooming-based RCE concept involving overwriting NGINX pool cleanup handlers and eventually invoking system("touch /pwned"), but no automated RCE exploit implementation is present. The vulnerable condition described throughout the repo is a state mismatch in NGINX's two-phase script engine processing: rewrite with a '?' sets is_args=1 in the main engine, while later set/capture length calculation uses a zeroed child engine with is_args=0. As a result, length calculation underestimates the required buffer size, but the copy phase escapes URI characters such as '+', expanding each from 1 byte to 3 bytes and overflowing the heap buffer. Operationally, the intended workflow is: start the Docker lab exposing host port 8080 to container port 80, then run poc_crash.py against 127.0.0.1:8080. The PoC is therefore operational but basic, with a hardcoded HTTP payload pattern and no generalized weaponization.

Repository contains a single Python exploit script (`poc.py`) and a README. The script is a standalone, non-framework PoC targeting the claimed NGINX Rift vulnerability (CVE-2026-42945). Its structure is straightforward: argument parsing in `main()`, target processing in `process_target()`, liveness checks in `wait_alive()`, payload/body construction in `make_body()`, and the exploitation sequence in `attempt()`. The exploit uses raw sockets rather than HTTP libraries. Operationally, it performs a multi-stage network attack: it first verifies the target is reachable, then opens multiple `POST /spray` connections with a fixed-size crafted body intended to spray heap memory. It follows with a crafted `GET /api/{payload}` request containing a long path segment and selected target bytes derived from hardcoded heap candidate addresses. A parallel verification connection and subsequent probe (`X-Ping:1`) are used to infer whether the target worker crashed or became unstable. Success is reported as vulnerability, even though the script does not directly verify command output; in practice, much of its logic appears to rely on crash/disruption as a signal. The script includes several built-in payload modes: `id` for simple command execution, `sleep` for blind timing-based verification, `write` to drop `poc.txt` into common web roots, `shell` to launch a Python reverse shell to a configurable listener, and `crash` for DoS-style testing. It also accepts arbitrary commands via `--cmd`, and supports either a single URL (`--url`) or a batch list file (`--list`). Notable hardcoded assumptions include static `HEAP_BASE`, `LIBC_BASE`, `SYSTEM_ADDR`, and a list of `PREREAD_HEAP_OFFSETS`, indicating the exploit is highly environment-specific and likely unreliable across real-world targets with ASLR or differing builds. Overall, this is an operational PoC exploit with real offensive capability, but its success likely depends on a narrow target memory layout and may often result in DoS rather than reliable RCE.

Repository contains a standalone Python exploit and helper tooling for CVE-2026-42945, described as an NGINX ngx_http_rewrite_module heap buffer overflow. Structure is small and focused: nginx_rift_htb.py is the main exploit, nginx_rift_helper.py performs reconnaissance/fingerprinting/info-leak checks and can generate an exploit template, CHEATSHEET.sh is an operator usage reference, and README.md documents workflow and assumptions. Main exploit behavior: nginx_rift_htb.py connects directly to the target over raw sockets, verifies NGINX presence, checks for a likely vulnerable /api/ endpoint, builds a 4000-byte heap spray body containing a fake ngx_pool_cleanup_s structure, and repeatedly sends crafted requests intended to corrupt a cleanup pointer so that pool destruction invokes system() with an attacker-controlled command. It supports direct command execution (--cmd) and reverse shell mode (--shell with --lhost/--lport). The exploit includes hardcoded default heap/libc bases and several common system() offsets and heap offsets, indicating operational but brittle exploitation rather than a universally reliable weaponized tool. Helper behavior: nginx_rift_helper.py fingerprints NGINX by issuing HEAD/GET requests, extracts version strings from headers, probes common paths (/api/, /internal/, /admin/, /spray/, /.git/), checks for rewrite behavior using /api/test?x=1, attempts a simple malformed-request info leak via /%00, measures response timing, and includes ASLR brute-force/generation support. This helper is partly reconnaissance and partly exploit support, not just detection. Targeting assumptions: the target must expose a rewrite+set configuration pattern similar to location ~ ^/api/(.*)$ { rewrite ^/api/(.*)$ /internal?migrated=true; set $original_endpoint $1; }. The exploit is aimed at NGINX Open Source 0.6.27-1.30.0 and NGINX Plus R32-R36. Reliability depends heavily on memory layout knowledge; the repository explicitly notes ASLR-disabled HTB/CTF scenarios or the need for leaks/bruteforce. Overall purpose: provide a self-contained HTB/CTF-ready remote code execution exploit against vulnerable NGINX instances, plus helper tooling to identify candidate endpoints and improve exploitability.

This repository is a self-contained proof-of-concept exploit environment for CVE-2026-42945, a claimed unauthenticated remote code execution bug in NGINX's rewrite module. It is not part of a larger exploit framework. The repo contains 8 files: a README, one standalone Python exploit (exp.py), setup automation (setup.sh), and an env/ directory with Docker-based lab infrastructure (Dockerfile, docker-compose.yml, entrypoint.sh, nginx.conf, server.py). The main exploit logic is in exp.py. It performs a network/web attack against a vulnerable NGINX listener by combining: (1) repeated POST requests to /spray with attacker-controlled bodies to shape heap allocations and place a fake ngx_pool_cleanup structure plus command string in memory; (2) crafted GET requests to /api/<payload> to trigger the rewrite+set heap overflow; and (3) connection timing/orchestration to corrupt adjacent pool metadata. The exploit uses hardcoded HEAP_BASE, LIBC_BASE, and SYSTEM_ADDR values and explicitly states ASLR must be disabled, making it operational in the provided lab but not broadly reliable against arbitrary targets. On success, it redirects execution to system() and either runs an arbitrary command (--cmd) or launches a Python reverse shell (--shell) to a listener controlled by the attacker. The vulnerable lab is defined in env/nginx.conf. NGINX listens on port 19321 and contains a regex location ^/api/(.*)$ where rewrite ^/api/(.*)$ /internal?migrated=true; is combined with set $original_endpoint $1;, matching the bug description in the README. A /spray location accepts POST bodies in a single buffer and proxies them to a backend, enabling heap spraying. An internal /internal location proxies to a simple Python backend on 127.0.0.1:19323. The Docker environment compiles a specific NGINX source checkout, runs it with ASLR disabled via setarch -R, and exposes port 19321 to the host. Overall, this is a real exploit PoC rather than a detector. Its primary capability is unauthenticated remote command execution against a narrowly configured, vulnerable NGINX instance. Fingerprintable targets and paths include the primary listener on 19321, backend 127.0.0.1:19323, and the key HTTP paths /api/, /spray, /internal, and /. The exploit is best classified as OPERATIONAL: it includes a working payload and exploitation flow, but reliability depends on the provided deterministic environment and hardcoded addresses.

This repository is a self-contained proof-of-concept exploit environment for CVE-2026-42945 ('NGINX Rift'), a heap buffer overflow in NGINX's rewrite/set processing that can lead to unauthenticated remote code execution. It is not a scanner or detector; it contains a working exploit plus a reproducible Docker lab. Repository structure: README.md documents the vulnerability, affected versions, and usage. setup.sh builds the Docker environment and shows example exploitation/verification commands. The env/ directory contains the vulnerable lab: Dockerfile compiles a specific NGINX source revision, docker-compose.yml exposes the service, entrypoint.sh starts a helper backend and launches NGINX with ASLR disabled, nginx.conf defines the vulnerable rewrite/set configuration and a /spray endpoint for heap grooming, and server.py provides a delayed backend on 127.0.0.1:19323 to keep requests alive during exploitation. The main exploit logic is in poc.py. Exploit capabilities: poc.py performs remote exploitation over HTTP. It sprays heap memory by opening multiple POST requests to /spray with attacker-controlled bodies containing a fake cleanup structure and command string. It then sends a crafted GET request to /api/<payload> where the URI contains many '+' characters to trigger expansion during escaping, causing the vulnerable copy to overflow an undersized heap buffer. The exploit attempts to corrupt an adjacent ngx_pool_t cleanup pointer so that, when the pool is destroyed, NGINX calls system() with attacker-controlled data from the sprayed body. The operator can either supply an arbitrary command with --cmd or request a reverse shell with --shell, which generates a Python one-liner connecting back to a listener. Operational assumptions and limitations: the PoC is tuned for the included lab rather than being universally reliable. It hardcodes HEAP_BASE, LIBC_BASE, and SYSTEM_ADDR, assumes ASLR is disabled via setarch -R, and relies on specific heap offsets and timing. It uses crash/hang behavior and responsiveness checks as a success heuristic. Because the payload is configurable but the memory layout assumptions are fixed and basic, the exploit is best classified as OPERATIONAL rather than fully weaponized. Notable fingerprintable targets/endpoints: the vulnerable service listens on TCP 19321, auxiliary listener on 19322, and backend on 127.0.0.1:19323. Important HTTP paths are /api/(.*), /internal?migrated=true, /internal, /spray, and /. The reverse shell defaults to callback 172.17.0.1:1337. File artifacts include /nginx-src/build/nginx, /app/nginx.conf, logs/error.log, tmp/nginx.pid, and example output /tmp/pwned.