bamov970/CVE-2026-42945-Nginx-RCE-bypass-ASLR

GitHub: bamov970/CVE-2026-42945-Nginx-RCE-bypass-ASLR

Stars: 4 | Forks: 0

# CVE-2026-42945 — NGINX Rift Remote Code Execution

Proof-of-concept exploit chain for **CVE-2026-42945**, a critical heap buffer overflow in NGINX `ngx_http_rewrite_module`. Successful exploitation achieves unauthenticated remote code execution on vulnerable servers that use `rewrite` and `set` directives.

## Exploit scripts

Three entry points cover different target conditions. All use the same basic invocation:

```bash
python nginx_rce_bypass_ASLR.py --host 127.0.0.1 --port 19321 --cmd id
```

| # | Script | Environment | Role |
| - | ------ | ----------- | ---- |
| **1** | `nginx_rce_bypass_ASLR.py` | **ASLR enabled** (recommended) | Full assessment + integrated coreless exploit; best choice when ASLR is on and a file-read primitive exists |
| **2** | `nginx_rce_off_ASLR.py` | **ASLR disabled** | Direct overflow exploit using predictable heap/libc layout (no remote memory disclosure) |
| **3** | `nginx_vm_RCE.py` | **Docker / test lab** | Coreless chain for container-style targets with LFI + same-UID `/proc//mem` |

### 1 — ASLR enabled (recommended)

Use on real x86_64 Linux targets with ASLR on and an HTTP file-read primitive that can reach same-UID nginx worker memory.

```bash
python nginx_rce_bypass_ASLR.py --host 127.0.0.1 --port 19321 --cmd id
```

`--cmd` automatically enables the exploit path. This script assesses the target first (LFI profile, worker maps, libc, proc-mem reachability), then runs the integrated coreless proc-mem chain.

Assessment only (no exploit attempt):

```bash
python nginx_rce_bypass_ASLR.py --host 127.0.0.1 --port 19321
```

### 2 — ASLR disabled

Use when ASLR is off or addresses are stable (fixed heap base and libc layout).

```bash
python nginx_rce_off_ASLR.py --host 127.0.0.1 --port 19321 --cmd id
```

Reverse shell example:

```bash
python nginx_rce_off_ASLR.py --host 127.0.0.1 --port 19321 --shell
```

### 3 — Docker / testing environment

Use when the target matches a lab or Docker stack: vulnerable nginx, PHP (or similar) file read, and readable worker procfs.

```bash
python nginx_vm_RCE.py --host 127.0.0.1 --port 19321 --cmd id
```

Runs the coreless `/proc//mem` path: LFI-based disclosure, live memory scan, spray/probe, and command proof.

## Demo video

A full walkthrough of the exploit chain is available here:

https://github.com/user-attachments/assets/08395114-28ab-45a8-b5d7-f4b25bd53570

## Vulnerability overview

| Field | Detail |
| ----- | ------ |
| **CVE** | [CVE-2026-42945](https://my.f5.com/manage/s/article/K000160932) |
| **Type** | Heap buffer overflow → controlled `system()` via pool cleanup |
| **Component** | `ngx_http_rewrite_module` (since 2008) |
| **Impact** | Remote code execution |

| Product | Affected | Fixed in |
| ------- | -------- | -------- |
| NGINX Open Source | 0.6.27 – 1.30.0 | 1.31.0, 1.30.1 |
| NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 |

**Root cause:** The script engine runs two passes — size calculation, then copy. When a `rewrite` replacement contains `?`, the copy pass sets `is_args` and expands data with `ngx_escape_uri` (up to 3× per byte), but the length pass uses a fresh sub-engine with `is_args = 0`. The heap buffer is therefore too small, and attacker-controlled URI data overflows into adjacent pool metadata.

**Exploitation idea:** Spray fake structures with POST bodies, trigger the overflow on a rewrite route, corrupt a nearby `ngx_pool_t.cleanup` pointer, and point it at a fake `ngx_pool_cleanup_s` that calls `system()` when the pool is destroyed.

## Which script should I use?

```
ASLR off                     ──────────────────► nginx_rce_off_ASLR.py
ASLR on                      ──────────────────► nginx_rce_bypass_ASLR.py
Docker / lab with LFI+procfs ──────────────────► nginx_vm_RCE.py
```

## Requirements

- Python 3.8+
- Authorized access to a vulnerable NGINX instance
- For scripts **1** and **3**: a working HTTP local file read (LFI) that can read same-UID worker `/proc//maps` and `/proc//mem`

## Legal notice

For **authorized security research and testing only**. Do not use against systems without explicit permission.
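To make the root-cause description concrete, the following C model is an added illustration for this README, not nginx source and not part of this repository: it emulates a size pass and a copy pass over the same request data, where the copy pass escapes when `is_args` is set but the buggy size pass always starts with `is_args = 0`. The escape character set is a simplified stand-in for `ngx_escape_uri` (an assumption), and the copy pass only counts bytes, so nothing is actually overflowed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the two-pass script engine described above.
 * Not nginx code: the escape set is a simplified assumption and the
 * "copy pass" only counts bytes instead of writing into a buffer. */

/* Simplified stand-in for the ngx_escape_uri character class (assumption). */
static int needs_escape(unsigned char c) {
    return c == ' ' || c == '"' || c == '<' || c == '>' || c == '\\' || c >= 0x80;
}

/* Copy pass: with is_args set, every escapable byte becomes %XX (3 bytes). */
static size_t copy_pass_bytes(const char *uri_data, int is_args) {
    size_t n = 0;
    for (; *uri_data; uri_data++)
        n += (is_args && needs_escape((unsigned char)*uri_data)) ? 3 : 1;
    return n;
}

/* Buggy length pass: the fresh sub-engine always runs with is_args = 0,
 * so the escaping that the copy pass will perform is never counted. */
size_t length_pass_buggy(const char *replacement, const char *uri_data) {
    (void)replacement;
    return copy_pass_bytes(uri_data, 0);
}

/* Fixed length pass: derive is_args from the replacement exactly as the
 * copy pass does, so both passes agree on the expanded size. */
size_t length_pass_fixed(const char *replacement, const char *uri_data) {
    return copy_pass_bytes(uri_data, strchr(replacement, '?') != NULL);
}

/* Bytes the copy pass would write past a buffer sized by length_pass;
 * 0 means the allocation is large enough. */
size_t buffer_shortfall(size_t (*length_pass)(const char *, const char *),
                        const char *replacement, const char *uri_data) {
    int is_args = strchr(replacement, '?') != NULL;
    size_t allocated = length_pass(replacement, uri_data);
    size_t written = copy_pass_bytes(uri_data, is_args);
    return written > allocated ? written - allocated : 0;
}

int main(void) {
    const char *rewrite = "/search?q=$1"; /* replacement containing '?' */
    const char *captured = "a b <c>";     /* constructed request data */
    printf("buggy length pass: %zu bytes short\n",
           buffer_shortfall(length_pass_buggy, rewrite, captured));
    printf("fixed length pass: %zu bytes short\n",
           buffer_shortfall(length_pass_fixed, rewrite, captured));
    return 0;
}
```

With only escapable bytes in the data, the shortfall reaches the 3× bound the root cause mentions, which is what makes the under-allocation exploitable; the fix is simply to carry the same `is_args` state into both passes.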
## References

- [F5 advisory K000160932](https://my.f5.com/manage/s/article/K000160932)
- Related CVEs: CVE-2026-42946, CVE-2026-40701, CVE-2026-42934