# CVE-2016-2173 - Remote Code Execution in Spring AMQP - App Test
### Description
The class org.springframework.core.serializer.DefaultDeserializer, which Spring AMQP's default message converter uses to turn a Java-serialized message body back into an object, does not validate the class of the deserialized object against a white-list. Anyone who can publish a message to a queue the application consumes therefore chooses which classes get instantiated. By supplying a crafted serialized object, such as one of Chris Frohoff's Commons Collections gadget chains as generated by ysoserial, remote code execution can be achieved on the consumer. Spring AMQP 1.5.5 closed this by adding a white-list of class-name patterns to the message converters.
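The check the description says DefaultDeserializer lacks, as an added example that is not the PoC's or Spring's code: a walker over the Java serialization stream format that lists the classes a message body would instantiate and refuses anything outside an allow-list, failing closed on stream elements it does not model (arrays, custom writeObject data, class descriptors given by back-reference). The sample streams are hand-built to the shape a plain Person bean serializes to, not captured from the PoC; the InvokerTransformer stream only borrows a class name from the Commons Collections chain and is not a working gadget. Glob patterns are this example's choice, not the syntax of Spring AMQP's white-list.

```python
# Look-ahead allow-list check for a Java serialization stream: list the classes a message body
# would instantiate *before* ObjectInputStream runs, and reject what the walker does not model.
import fnmatch
import struct

# Type codes and flags from the Java Object Serialization Stream Protocol.
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_ENDBLOCKDATA, SC_SERIALIZABLE = 0x74, 0x78, 0x02
PRIM_SIZES = {"B": 1, "C": 2, "D": 8, "F": 4, "I": 4, "J": 8, "S": 2, "Z": 1}


class ClassWalker:
    def __init__(self, data):
        self.data, self.pos = data, 0
        self.classes = []  # class names in the order ObjectInputStream would resolve them

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def utf(self):
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

    def walk(self):
        if self.take(4) != b"\xac\xed\x00\x05":
            raise ValueError("not a Java serialization stream")
        while self.pos < len(self.data):
            self.content()
        return self.classes

    def content(self):  # one content element: null, back-reference, String or plain object
        tc = self.take(1)[0]
        if tc == TC_REFERENCE:  # points at an earlier String/object, so nothing new is instantiated
            self.take(4)
        elif tc == TC_STRING:
            self.utf()
        elif tc == TC_OBJECT:
            self.values(self.class_desc())
        elif tc != TC_NULL:
            raise ValueError("unsupported type code 0x%02x" % tc)  # arrays, block data, enums, proxies

    def class_desc(self):
        tc = self.take(1)[0]
        if tc == TC_NULL:
            return None
        if tc != TC_CLASSDESC:  # includes a back-reference to an earlier descriptor, not resolved here
            raise ValueError("unsupported class descriptor 0x%02x" % tc)
        name = self.utf()
        self.take(8)  # serialVersionUID
        self.classes.append(name)
        if self.take(1)[0] != SC_SERIALIZABLE:  # writeObject/Externalizable/enum data is not modelled
            raise ValueError("custom serialization in " + name)
        fields = []
        for _ in range(struct.unpack(">H", self.take(2))[0]):
            typecode, _field_name = chr(self.take(1)[0]), self.utf()
            if typecode in "L[":
                self.content()  # the field's class name, itself a String object
            elif typecode not in PRIM_SIZES:
                raise ValueError("bad field typecode in " + name)
            fields.append(typecode)
        if self.take(1)[0] != TC_ENDBLOCKDATA:
            raise ValueError("class annotations not supported")
        return name, fields, self.class_desc()  # (name, field typecodes, superclass descriptor)

    def values(self, desc):  # skip the field values, superclass first, recursing into object fields
        if desc:
            self.values(desc[2])
            for typecode in desc[1]:
                self.take(PRIM_SIZES[typecode]) if typecode in PRIM_SIZES else self.content()


def check_allowed(stream, allow_patterns):
    """(allowed, detail); patterns are shell-style globs (this example's choice, not Spring's syntax)."""
    try:
        classes = ClassWalker(stream).walk()
    except ValueError as exc:  # any parse failure, malformed input included, rejects the message
        return False, "rejected: " + str(exc)
    for name in classes:
        if not any(fnmatch.fnmatchcase(name, p) for p in allow_patterns):
            return False, "rejected: class %s not in allow-list" % name
    return True, "allowed: " + ", ".join(classes)


def sample_stream(class_name, name):
    """Constructed stream (not captured from the PoC): one object of class_name with an int
    field 'age' and a String field 'name', the shape a plain Person bean serializes to."""
    def utf(s): return struct.pack(">H", len(s)) + s.encode()
    return (b"\xac\xed\x00\x05" + bytes([TC_OBJECT, TC_CLASSDESC]) + utf(class_name) + bytes(8)
            + bytes([SC_SERIALIZABLE, 0, 2]) + b"I" + utf("age") + b"L" + utf("name")
            + bytes([TC_STRING]) + utf("Ljava/lang/String;") + bytes([TC_ENDBLOCKDATA, TC_NULL])
            + struct.pack(">I", 30) + bytes([TC_STRING]) + utf(name))


PERSON = sample_stream("com.hatoan.Person", "alice")
# Same shape but naming a class from the Commons Collections gadget chain; not a working gadget.
GADGET = sample_stream("org.apache.commons.collections.functors.InvokerTransformer", "x")
```

Call check_allowed(body, ["com.hatoan.*"]) on each message body before it reaches the deserializer: PERSON is accepted, GADGET is rejected by name, and a stream the walker cannot follow (a truncated body, an array, a class with custom writeObject data) is rejected rather than guessed at. An allow-list of ["*"] is exactly the behaviour of the vulnerable versions. Java 9 (and the 8u121/7u131 updates) ships the same idea as ObjectInputFilter; on Spring AMQP 1.5.5+ the converter's white-list patterns do this for you.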
### Versions Affected
1.0.0 to 1.5.4
### Vendor
Spring by Pivotal
### Install
- Maven 3.x+
- Java 1.7+
- [RabbitMQ](https://www.rabbitmq.com/download.htm)
### Run the vulnerable app
- mvn eclipse:eclipse
- import the project into Eclipse
- run the project (App)
### Repository layout
```
[4.0K] /data/pocs/bb7c0162126c07024305c4727f3562b66e407b5e
├── [4.0K] Exploit
│   ├── [1.6K] code_reverse_tcp.ser
│   ├── [1.4K] exe_code_reverse_tcp.ser
│   ├── [8.6M] exploit-cve2016-2173.jar
│   ├── [  75] person.ser
│   ├── [ 510] README.md
│   └── [ 14M] ysoserial-0.0.4-all.jar
├── [1.5K] pom.xml
├── [ 587] README.md
├── [4.0K] src
│   ├── [4.0K] main
│   │   ├── [4.0K] java
│   │   │   └── [4.0K] com
│   │   │       └── [4.0K] hatoan
│   │   │           ├── [1.3K] App.java
│   │   │           ├── [ 330] Person.java
│   │   │           └── [2.2K] RabbitConfiguration.java
│   │   └── [4.0K] resources
│   │       └── [ 705] spring.xml
│   └── [4.0K] test
│       └── [4.0K] java
│           └── [4.0K] com
│               └── [4.0K] hatoan
│                   └── [1.6K] AppTest.java
└── [4.0K] target
    ├── [4.0K] classes
    │   ├── [4.0K] com
    │   │   └── [4.0K] hatoan
    │   │       ├── [1009] App.class
    │   │       ├── [ 714] Person.class
    │   │       ├── [1.4K] RabbitConfiguration$1.class
    │   │       └── [2.3K] RabbitConfiguration.class
    │   └── [ 705] spring.xml
    ├── [5.2K] CVE-2016-2173-1.0-SNAPSHOT.jar
    ├── [4.0K] maven-archiver
    │   └── [ 115] pom.properties
    └── [4.0K] test-classes
        └── [4.0K] com
            └── [4.0K] hatoan
                └── [2.0K] AppTest.class

19 directories, 21 files
```