module
Tomcat Partial PUT Java Deserialization
| Disclosed | Created |
|---|---|
| Mar 10, 2025 | Apr 3, 2025 |
Disclosed
Mar 10, 2025
Created
Apr 3, 2025
Description
This module exploits a Java deserialization vulnerability in Apache
Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to
place an attacker controlled deserialization payload in the /webapps/ROOT/ directory.
For the exploit to succeed, writes must be enabled for the default servlet,
and org.apache.catalina.session.PersistentManager must be configured to use
org.apache.catalina.session.FileStore.
Verified working on 10.1.16-1
Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to
place an attacker controlled deserialization payload in the /webapps/ROOT/ directory.
For the exploit to succeed, writes must be enabled for the default servlet,
and org.apache.catalina.session.PersistentManager must be configured to use
org.apache.catalina.session.FileStore.
Verified working on 10.1.16-1
Authors
sw0rd1ight
Calum Hutton
h4ck3r-04
Calum Hutton
h4ck3r-04
Platform
Linux,Unix,Windows
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.