--- name: bluehammer-vulnerability-poc description: Skill for working with the BlueHammer vulnerability proof-of-concept repository, covering build, usage, and code patterns. triggers: - "use bluehammer" - "work with bluehammer vulnerability" - "build bluehammer poc" - "exploit bluehammer" - "run bluehammer" - "bluehammer vulnerability code" - "set up bluehammer" - "understand bluehammer poc" --- # BlueHammer Vulnerability PoC > Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection. ## ⚠️ Important Notice BlueHammer is a **proof-of-concept vulnerability repository** intended for **security research, education, and defensive purposes only**. Use only in authorized, isolated lab environments. The author notes there are known bugs in the PoC that may prevent it from working as-is. --- ## What BlueHammer Does BlueHammer is a C-based proof-of-concept demonstrating a specific vulnerability. The repository is primarily a research artifact — it documents the vulnerability, provides a PoC exploit, and is signed with a PGP key for authenticity verification. --- ## Getting the Code ```bash git clone https://github.com/Nightmare-Eclipse/BlueHammer.git cd BlueHammer ``` ### Verify PGP Signature (Recommended) The README is PGP signed. To verify authenticity: ```bash # Import the author's key (key ID from signature: FFoRCS0/SbA) gpg --keyserver keys.openpgp.org --recv-keys 494EF01FFC059584028479BEC5168442 4B4FD26C # Verify the signed block in README.md gpg --verify README.md ``` --- ## Building the PoC Since the project is written in C with no build system documented, standard patterns apply: ### Single-file build ```bash # If there is a single main source file gcc -o bluehammer bluehammer.c -Wall -Wextra # With debug symbols for analysis gcc -g -O0 -o bluehammer_dbg bluehammer.c -Wall -Wextra # If the project uses a Makefile make make clean && make ``` ### Common C build flags for vulnerability PoCs ```bash # Disable mitigations for testing (lab only) gcc -o bluehammer bluehammer.c \ -fno-stack-protector \ -z execstack \ -no-pie \ -Wall # With address sanitizer for debugging crashes gcc -o bluehammer bluehammer.c \ -fsanitize=address \ -g -O1 ``` --- ## Running the PoC ```bash # Basic execution ./bluehammer # With a target argument (common pattern) ./bluehammer # With verbose/debug output if supported ./bluehammer -v # Check usage/help ./bluehammer --help ./bluehammer -h ``` --- ## Code Patterns — Working with C Vulnerability PoCs ### Reading and understanding the vulnerability trigger ```c #include #include #include // Common pattern: controlled buffer to trigger the condition void trigger_vulnerability(const char *input, size_t len) { char buf[256]; // Inspect what the PoC does with input memcpy(buf, input, len); // potential overflow if len > 256 // ... vulnerability logic } int main(int argc, char *argv[]) { if (argc < 2) { fprintf(stderr, "Usage: %s \n", argv[0]); return 1; } trigger_vulnerability(argv[1], strlen(argv[1])); return 0; } ``` ### Analyzing the PoC for bugs (author noted known bugs) ```c // When inspecting the PoC, look for these common issues: // 1. Off-by-one errors char buf[64]; // Bug: should be < 64, not <= 64 for (int i = 0; i <= 64; i++) buf[i] = 'A'; // Fix: for (int i = 0; i < 64; i++) buf[i] = 'A'; // 2. Missing null terminator char buf[8]; strncpy(buf, "longinput", 8); // no null terminator // Fix: strncpy(buf, "longinput", 7); buf[7] = '\0'; // 3. Incorrect size calculation int *arr = malloc(10); // Bug: should be 10 * sizeof(int) int *arr_fixed = malloc(10 * sizeof(int)); // Fix // 4. Wrong offset in exploit payload size_t offset = 128; // may need adjustment per target binary/environment ``` ### Sending a crafted payload ```c #include #include #include #include #define PAYLOAD_SIZE 512 #define OFFSET 264 // adjust based on binary analysis int main(void) { unsigned char payload[PAYLOAD_SIZE]; // Fill with pattern for offset discovery memset(payload, 'A', PAYLOAD_SIZE); // Overwrite return address (example — adjust for target) unsigned long target_addr = 0xdeadbeefcafeUL; memcpy(payload + OFFSET, &target_addr, sizeof(target_addr)); // Write payload to stdout for piping fwrite(payload, 1, PAYLOAD_SIZE, stdout); return 0; } ``` ### Debugging a non-working PoC ```bash # Run under GDB to catch crashes gdb ./bluehammer (gdb) run (gdb) bt # backtrace on crash (gdb) info registers # Find the exact crash offset with a cyclic pattern (pwndbg/peda) python3 -c "import pwn; print(pwn.cyclic(500).decode())" | ./bluehammer # Use ltrace/strace to trace library/syscalls strace ./bluehammer ltrace ./bluehammer # Check binary protections checksec --file=./bluehammer # or with pwntools: python3 -c "from pwn import *; e = ELF('./bluehammer'); print(e)" ``` ### Python harness for iterating on the PoC ```python #!/usr/bin/env python3 """ Harness for testing BlueHammer PoC variants. Run in an isolated lab environment only. """ import subprocess import struct import os BINARY = "./bluehammer" OFFSET = 264 # adjust via debugging def build_payload(offset: int, ret_addr: int, shellcode: bytes = b"") -> bytes: padding = b"A" * offset addr_packed = struct.pack(" tuple[int, bytes, bytes]: """Send payload to the binary, return (returncode, stdout, stderr).""" result = subprocess.run( [BINARY], input=payload, capture_output=True, timeout=5, ) return result.returncode, result.stdout, result.stderr def find_offset(max_size: int = 1024) -> int: """Brute-force the crash offset.""" for size in range(16, max_size, 8): payload = b"A" * size try: rc, _, _ = run_payload(payload) if rc != 0: print(f"[+] Crash at size: {size}") return size except subprocess.TimeoutExpired: print(f"[!] Timeout at size: {size}") return -1 if __name__ == "__main__": print("[*] Testing BlueHammer PoC") payload = build_payload(OFFSET, 0x4141414141414141) rc, out, err = run_payload(payload) print(f"Return code: {rc}") print(f"Stdout: {out}") print(f"Stderr: {err}") ``` --- ## Troubleshooting ### PoC doesn't crash / no effect - The author acknowledged bugs in the PoC — read the source carefully for off-by-one errors, wrong size calculations, or incorrect offsets. - Recompile without mitigations: `-fno-stack-protector -no-pie -z execstack` - Check if ASLR is interfering: `echo 0 | sudo tee /proc/sys/kernel/randomize_va_space` (lab only, revert after) ### Compilation errors ```bash # Missing headers — check what the source includes and install dev packages sudo apt install build-essential libc6-dev # Link errors gcc bluehammer.c -o bluehammer -lpthread -lm ``` ### Segfault immediately on run ```bash # Run with ASAN to get detailed crash info gcc -fsanitize=address -g -o bluehammer_asan bluehammer.c ./bluehammer_asan ``` ### PGP verification fails ```bash # Ensure you have the full key fingerprint gpg --list-keys FFoRCS0 # Re-fetch if needed gpg --keyserver hkps://keys.openpgp.org --recv-keys ``` --- ## Lab Environment Setup (Recommended) ```bash # Use a dedicated VM or container — never run on production systems docker run -it --rm \ --cap-add SYS_PTRACE \ --security-opt seccomp=unconfined \ ubuntu:22.04 bash # Inside container apt update && apt install -y gcc gdb python3 python3-pip strace ltrace binutils pip3 install pwntools git clone https://github.com/Nightmare-Eclipse/BlueHammer.git cd BlueHammer ``` --- ## Key Facts | Property | Value | |----------|-------| | Language | C | | License | MIT | | Stars | 606 | | Forks | 228 | | Known bugs in PoC | Yes (author confirmed) | | PGP signed | Yes (SHA-512, Ed25519) |