[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-75782":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},75782,"Nginx-Rift","DepthFirstDisclosures\u002FNginx-Rift","DepthFirstDisclosures","exploit for CVE-2026-42945",null,"Python",845,156,5,6,0,1,13,422,8,10.59,false,"main",[],"2026-06-12 02:03:36","# NGINX Rift\n\nRCE Proof of concept for **CVE-2026-42945**, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` introduced in 2008. The bug enables unauthenticated remote code execution against servers using `rewrite` and `set` directives.\n\nThis vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by [depthfirst](https:\u002F\u002Fdepthfirst.com)'s security analysis system after a single click of onboarding the NGINX source.\n\n> Want to find issues like this in your own code? Try the same system at **\u003Chttps:\u002F\u002Fdepthfirst.com\u002Fopen-defense>**.\n\n## The Bug (TL;DR)\n\nNGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The `is_args` flag is set on the main engine when a `rewrite` replacement contains `?`, but the length-calculation pass runs on a freshly zeroed sub-engine. So:\n\n- **Length pass** sees `is_args = 0` → returns raw capture length.\n- **Copy pass** sees `is_args = 1` → calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes.\n\nThe copy overflows the undersized heap buffer with attacker-controlled URI data. Exploitation uses cross-request heap feng shui to corrupt an adjacent `ngx_pool_t`'s `cleanup` pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake `ngx_pool_cleanup_s` invoking `system()` on pool destruction.\n\nRead more about this bug in our [technical write-up](https:\u002F\u002Fdepthfirst.com\u002Fresearch\u002Fnginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability).\n\n## Affected & Fixed Versions\n\n| Product | Affected | Fixed in |\n| --- | --- | --- |\n| NGINX Open Source | 0.6.27 – 1.30.0 | 1.31.0, 1.30.1 |\n| NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 |\n\nFull vendor advisory: \u003Chttps:\u002F\u002Fmy.f5.com\u002Fmanage\u002Fs\u002Farticle\u002FK000160932>\n\n## Usage\n\nTested on Ubuntu 24.04.3 LTS.\n\n1. `.\u002Fsetup.sh` — build the container.\n2. `docker compose -f env\u002Fdocker-compose.yml up` — start the vulnerable NGINX server.\n3. `python3 poc.py --shell` — pop a shell.\n","Nginx-Rift is a remote code execution (RCE) proof-of-concept tool for the CVE-2026-42945 vulnerability. The project exploits a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` that allows an attacker to achieve unauthenticated remote code execution against servers through the `rewrite` and `set` directives. Its core function is to trigger memory corruption with carefully crafted requests and ultimately achieve code execution. Technically, it relies on a two-stage mechanism for computing and copying data, and uses cross-request heap feng shui to overwrite adjacent memory regions and thereby take control of program flow. The project is intended for security researchers, penetration testers, and technical staff who want to understand the impact of this vulnerability and how to remediate it.",2,"2026-06-11 03:53:21","CREATED_QUERY"]