aradotso/bluehammer-vulnerability-poc

BlueHammer Vulnerability PoC

Skill by ara.so — Daily 2026 Skills collection.

⚠️ Important Notice

BlueHammer is a proof-of-concept vulnerability repository intended for security research, education, and defensive purposes only. Use only in authorized, isolated lab environments. The author notes there are known bugs in the PoC that may prevent it from working as-is.

---

What BlueHammer Does

BlueHammer is a C-based proof-of-concept demonstrating a specific vulnerability. The repository is primarily a research artifact — it documents the vulnerability, provides a PoC exploit, and is signed with a PGP key for authenticity verification.

---

Getting the Code

git clone https://github.com/Nightmare-Eclipse/BlueHammer.git
cd BlueHammer

Verify PGP Signature (Recommended)

The README is PGP signed. To verify authenticity:

# Import the author's key (key ID from signature: FFoRCS0/SbA)
gpg --keyserver keys.openpgp.org --recv-keys 494EF01FFC059584028479BEC5168442 4B4FD26C

# Verify the signed block in README.md
gpg --verify README.md

---

Building the PoC

Since the project is written in C with no build system documented, standard patterns apply:

Single-file build

# If there is a single main source file
gcc -o bluehammer bluehammer.c -Wall -Wextra

# With debug symbols for analysis
gcc -g -O0 -o bluehammer_dbg bluehammer.c -Wall -Wextra

# If the project uses a Makefile
make
make clean && make

Common C build flags for vulnerability PoCs

# Disable mitigations for testing (lab only)
gcc -o bluehammer bluehammer.c \
    -fno-stack-protector \
    -z execstack \
    -no-pie \
    -Wall

# With address sanitizer for debugging crashes
gcc -o bluehammer bluehammer.c \
    -fsanitize=address \
    -g -O1

---

Running the PoC

# Basic execution
./bluehammer

# With a target argument (common pattern)
./bluehammer <target>

# With verbose/debug output if supported
./bluehammer -v <target>

# Check usage/help
./bluehammer --help
./bluehammer -h

---

Code Patterns — Working with C Vulnerability PoCs

Reading and understanding the vulnerability trigger

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Common pattern: controlled buffer to trigger the condition
void trigger_vulnerability(const char *input, size_t len) {
    char buf[256];
    // Inspect what the PoC does with input
    memcpy(buf, input, len);  // potential overflow if len > 256
    // ... vulnerability logic
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <payload>\n", argv[0]);
        return 1;
    }
    trigger_vulnerability(argv[1], strlen(argv[1]));
    return 0;
}

Analyzing the PoC for bugs (author noted known bugs)

// When inspecting the PoC, look for these common issues:

// 1. Off-by-one errors
char buf[64];
// Bug: should be < 64, not <= 64
for (int i = 0; i <= 64; i++) buf[i] = 'A';

// Fix:
for (int i = 0; i < 64; i++) buf[i] = 'A';

// 2. Missing null terminator
char buf[8];
strncpy(buf, "longinput", 8);  // no null terminator
// Fix:
strncpy(buf, "longinput", 7);
buf[7] = '\0';

// 3. Incorrect size calculation
int *arr = malloc(10);           // Bug: should be 10 * sizeof(int)
int *arr_fixed = malloc(10 * sizeof(int));  // Fix

// 4. Wrong offset in exploit payload
size_t offset = 128;  // may need adjustment per target binary/environment

Sending a crafted payload

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAYLOAD_SIZE 512
#define OFFSET       264   // adjust based on binary analysis

int main(void) {
    unsigned char payload[PAYLOAD_SIZE];

    // Fill with pattern for offset discovery
    memset(payload, 'A', PAYLOAD_SIZE);

    // Overwrite return address (example — adjust for target)
    unsigned long target_addr = 0xdeadbeefcafeUL;
    memcpy(payload + OFFSET, &target_addr, sizeof(target_addr));

    // Write payload to stdout for piping
    fwrite(payload, 1, PAYLOAD_SIZE, stdout);
    return 0;
}

Debugging a non-working PoC

# Run under GDB to catch crashes
gdb ./bluehammer
(gdb) run <args>
(gdb) bt          # backtrace on crash
(gdb) info registers

# Find the exact crash offset with a cyclic pattern (pwndbg/peda)
python3 -c "import pwn; print(pwn.cyclic(500).decode())" | ./bluehammer

# Use ltrace/strace to trace library/syscalls
strace ./bluehammer <args>
ltrace ./bluehammer <args>

# Check binary protections
checksec --file=./bluehammer
# or with pwntools:
python3 -c "from pwn import *; e = ELF('./bluehammer'); print(e)"

Python harness for iterating on the PoC

#!/usr/bin/env python3
"""
Harness for testing BlueHammer PoC variants.
Run in an isolated lab environment only.
"""
import subprocess
import struct
import os

BINARY = "./bluehammer"
OFFSET = 264  # adjust via debugging

def build_payload(offset: int, ret_addr: int, shellcode: bytes = b"") -> bytes:
    padding = b"A" * offset
    addr_packed = struct.pack("<Q", ret_addr)  # little-endian 64-bit
    return padding + addr_packed + shellcode

def run_payload(payload: bytes) -> tuple[int, bytes, bytes]:
    """Send payload to the binary, return (returncode, stdout, stderr)."""
    result = subprocess.run(
        [BINARY],
        input=payload,
        capture_output=True,
        timeout=5,
    )
    return result.returncode, result.stdout, result.stderr

def find_offset(max_size: int = 1024) -> int:
    """Brute-force the crash offset."""
    for size in range(16, max_size, 8):
        payload = b"A" * size
        try:
            rc, _, _ = run_payload(payload)
            if rc != 0:
                print(f"[+] Crash at size: {size}")
                return size
        except subprocess.TimeoutExpired:
            print(f"[!] Timeout at size: {size}")
    return -1

if __name__ == "__main__":
    print("[*] Testing BlueHammer PoC")
    payload = build_payload(OFFSET, 0x4141414141414141)
    rc, out, err = run_payload(payload)
    print(f"Return code: {rc}")
    print(f"Stdout: {out}")
    print(f"Stderr: {err}")

---

Troubleshooting

PoC doesn't crash / no effect

• The author acknowledged bugs in the PoC — read the source carefully for off-by-one errors, wrong size calculations, or incorrect offsets.
• Recompile without mitigations: -fno-stack-protector -no-pie -z execstack
• Check if ASLR is interfering: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space (lab only, revert after)

Compilation errors

# Missing headers — check what the source includes and install dev packages
sudo apt install build-essential libc6-dev

# Link errors
gcc bluehammer.c -o bluehammer -lpthread -lm

Segfault immediately on run

# Run with ASAN to get detailed crash info
gcc -fsanitize=address -g -o bluehammer_asan bluehammer.c
./bluehammer_asan <args>

PGP verification fails

# Ensure you have the full key fingerprint
gpg --list-keys FFoRCS0
# Re-fetch if needed
gpg --keyserver hkps://keys.openpgp.org --recv-keys <full-fingerprint>

---

Lab Environment Setup (Recommended)

# Use a dedicated VM or container — never run on production systems
docker run -it --rm \
    --cap-add SYS_PTRACE \
    --security-opt seccomp=unconfined \
    ubuntu:22.04 bash

# Inside container
apt update && apt install -y gcc gdb python3 python3-pip strace ltrace binutils
pip3 install pwntools

git clone https://github.com/Nightmare-Eclipse/BlueHammer.git
cd BlueHammer

---

Key Facts

| Property | Value | |----------|-------| | Language | C | | License | MIT | | Stars | 606 | | Forks | 228 | | Known bugs in PoC | Yes (author confirmed) | | PGP signed | Yes (SHA-512, Ed25519) |