This one's pretty bad but there are some preconditions.

Requires a "rewrite" directive with a questionmark in the replacement string, and then a subsequent "set" directive that references a regex capture group (e.g. set $var $1).

Also the POC assumes ASLR is disabled.