Share 
## https://sploitus.com/exploit?id=AF0C9278-F4EA-5BD5-8D55-0A5E4BB82093
# TomcatKiller - CVE-2025-31650

๐Ÿšจ Proof of Concept (PoC) for Apache Tomcat HTTP/2 DoS vulnerability (CVE-2025-31650)

This script triggers a memory exhaustion condition in Apache Tomcat by sending malformed `priority` headers over HTTP/2.

---

## ๐ŸŽฏ Affected Versions

- Apache Tomcat 9.0.76 โ€“ 9.0.102
- Apache Tomcat 10.1.10 โ€“ 10.1.39
- Apache Tomcat 11.0.0-M2 โ€“ 11.0.5

---

## โš™๏ธ Features

- โœ”๏ธ HTTP/2 support verification
- โœ”๏ธ `Server` header inspection (detect Tomcat)
- โœ”๏ธ `--check-only` mode (non-intrusive)
- โœ”๏ธ Async-based scalable exploit with adjustable intensity

---

## ๐Ÿš€ Usage

### โœ… Check-only (safe detection)
```bash
python3 tomcatkiller.py --target https://example.com:8443 --check-only
```

### ๐Ÿ’ฅ Exploit (DoS)
```bash
python3 tomcatkiller.py --target https://example.com:8443 --exploit --tasks 50 --requests 5000
```

---

## ๐Ÿงฉ Arguments

| Parameter         | Description                                           |
|-------------------|-------------------------------------------------------|
| `--target`        | Full target URL with protocol and port               |
| `--check-only`    | Only test if the server supports HTTP/2 & Tomcat     |
| `--exploit`       | Run the actual DoS attack                            |
| `--tasks`         | Number of async tasks (default: 50)                  |
| `--requests`      | Requests per task (default: 5000)                    |

---

## โš ๏ธ Disclaimer

This PoC is for educational and authorized security testing **only**.  
Do **not** use it against systems without explicit permission.

---

## ๐Ÿ™ Credits

- Original concept: [@absholi7ly](https://github.com/absholi7ly/TomcatKiller-CVE-2025-31650)  
- Updated CLI version: [@tunahantekeoglu](https://github.com/tunahantekeoglu)