MODULE

Tomcat Partial PUT Java Deserialization

Try Surface Command Get a continuous 360° view of your attack surface
Back to Search

Tomcat Partial PUT Java Deserialization

Disclosed
03/10/2025
Created
04/03/2025

Description

This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to place an attacker controlled deserialization payload in the /webapps/ROOT/ directory. For the exploit to succeed, writes must be enabled for the default servlet, and org.apache.catalina.session.PersistentManager must be configured to use org.apache.catalina.session.FileStore. Verified working on 10.1.16-1

Author(s)

  • sw0rd1ight
  • Calum Hutton
  • h4ck3r-04

Platform

Linux,Unix,Windows

Architectures

cmd

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/tomcat_partial_put_deserialization
msf exploit(tomcat_partial_put_deserialization) > show targets
    ...targets...
msf exploit(tomcat_partial_put_deserialization) > set TARGET < target-id >
msf exploit(tomcat_partial_put_deserialization) > show options
    ...show and set options...
msf exploit(tomcat_partial_put_deserialization) > exploit

Metasploit

Penetration testing software for offensive security teams.
Key Features
Free Metasploit Pro Trial View All Features

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;