The tool is only used for security research. It is prohibited to use the tool to launch illegal attacks, and the user is responsible for the consequences

工具仅用于安全研究以及内部自查，禁止使用工具发起非法攻击，造成的后果使用者负责

Apache Tomcat DoS (CVE-2022-29885) Exploit

Denial of Service in EncryptInterceptor (Tomcat Cluster)

The target machine needs to start the Cluster Nio Receiver,Sending a special TCP packet will cause a Denial of Service to the target. Whether EncryptInterceptor is used or not, there is the possibility of denial of service vulnerability

Condition: Enable tomcat cluster function and use NioReceiver for communication

Any version of Tomcat will be affected. The only solution is to use a trusted network

Unsafe config: not use EncryptInterceptor

server.xml

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
      address="0.0.0.0"
      port="5000"
      selectorTimeout="100"
      maxThreads="6"/>
  </Channel>
</Cluster>

exploit: ./dos -h target_ip -p target_nio_port

In unsafe config, you can use Safe-Config-Exploit as well

But in safe config, you can only use Safe-Config-Exploit

Safe config: use EncryptInterceptor

server.xml

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
      address="0.0.0.0"
      port="5000"
      selectorTimeout="100"
      maxThreads="6"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
       encryptionAlgorithm="AES/CBC/PKCS5Padding"
       encryptionKey="ANY_KEY(LENGTH:32)"/>
  </Channel>
</Cluster>

exploit: ./dos -h target_ip -p target_nio_port -s

https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv