Skill for working with the BlueHammer vulnerability proof-of-concept repository, covering build, usage, and code patterns.
---
name: bluehammer-vulnerability-poc
description: Skill for working with the BlueHammer vulnerability proof-of-concept repository, covering build, usage, and code patterns.
triggers:
- "use bluehammer"
- "work with bluehammer vulnerability"
- "build bluehammer poc"
- "exploit bluehammer"
- "run bluehammer"
- "bluehammer vulnerability code"
- "set up bluehammer"
- "understand bluehammer poc"
---
# BlueHammer Vulnerability PoC
> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.
## ⚠️ Important Notice
BlueHammer is a **proof-of-concept vulnerability repository** intended for **security research, education, and defensive purposes only**. Use only in authorized, isolated lab environments. The author notes there are known bugs in the PoC that may prevent it from working as-is.
---
## What BlueHammer Does
BlueHammer is a C-based proof-of-concept demonstrating a specific vulnerability. The repository is primarily a research artifact — it documents the vulnerability, provides a PoC exploit, and is signed with a PGP key for authenticity verification.
---
## Getting the Code
```bash
git clone https://github.com/Nightmare-Eclipse/BlueHammer.git
cd BlueHammer
```
### Verify PGP Signature (Recommended)
The README is PGP signed. To verify authenticity:
```bash
# Import the author's key (key ID from signature: FFoRCS0/SbA)
gpg --keyserver keys.openpgp.org --recv-keys 494EF01FFC059584028479BEC5168442 4B4FD26C
# Verify the signed block in README.md
gpg --verify README.md
```
---
## Building the PoC
Since the project is written in C with no build system documented, standard patterns apply:
### Single-file build
```bash
# If there is a single main source file
gcc -o bluehammer bluehammer.c -Wall -Wextra
# With debug symbols for analysis
gcc -g -O0 -o bluehammer_dbg bluehammer.c -Wall -Wextra
# If the project uses a Makefile
make
make clean && make
```
### Common C build flags for vulnerability PoCs
```bash
# Disable mitigations for testing (lab only)
gcc -o bluehammer bluehammer.c \
-fno-stack-protector \
-z execstack \
-no-pie \
-Wall
# With address sanitizer for debugging crashes
gcc -o bluehammer bluehammer.c \
-fsanitize=address \
-g -O1
```
---
## Running the PoC
```bash
# Basic execution
./bluehammer
# With a target argument (common pattern)
./bluehammer <target>
# With verbose/debug output if supported
./bluehammer -v <target>
# Check usage/help
./bluehammer --help
./bluehammer -h
```
---
## Code Patterns — Working with C Vulnerability PoCs
### Reading and understanding the vulnerability trigger
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Common pattern: controlled buffer to trigger the condition
void trigger_vulnerability(const char *input, size_t len) {
char buf[256];
// Inspect what the PoC does with input
memcpy(buf, input, len); // potential overflow if len > 256
// ... vulnerability logic
}
int main(int argc, char *argv[]) {
if (argc < 2) {
fprintf(stderr, "Usage: %s <payload>\n", argv[0]);
return 1;
}
trigger_vulnerability(argv[1], strlen(argv[1]));
return 0;
}
```
### Analyzing the PoC for bugs (author noted known bugs)
```c
// When inspecting the PoC, look for these common issues:
// 1. Off-by-one errors
char buf[64];
// Bug: should be < 64, not <= 64
for (int i = 0; i <= 64; i++) buf[i] = 'A';
// Fix:
for (int i = 0; i < 64; i++) buf[i] = 'A';
// 2. Missing null terminator
char buf[8];
strncpy(buf, "longinput", 8); // no null terminator
// Fix:
strncpy(buf, "longinput", 7);
buf[7] = '\0';
// 3. Incorrect size calculation
int *arr = malloc(10); // Bug: should be 10 * sizeof(int)
int *arr_fixed = malloc(10 * sizeof(int)); // Fix
// 4. Wrong offset in exploit payload
size_t offset = 128; // may need adjustment per target binary/environment
```
### Sending a crafted payload
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PAYLOAD_SIZE 512
#define OFFSET 264 // adjust based on binary analysis
int main(void) {
unsigned char payload[PAYLOAD_SIZE];
// Fill with pattern for offset discovery
memset(payload, 'A', PAYLOAD_SIZE);
// Overwrite return address (example — adjust for target)
unsigned long target_addr = 0xdeadbeefcafeUL;
memcpy(payload + OFFSET, &target_addr, sizeof(target_addr));
// Write payload to stdout for piping
fwrite(payload, 1, PAYLOAD_SIZE, stdout);
return 0;
}
```
### Debugging a non-working PoC
```bash
# Run under GDB to catch crashes
gdb ./bluehammer
(gdb) run <args>
(gdb) bt # backtrace on crash
(gdb) info registers
# Find the exact crash offset with a cyclic pattern (pwndbg/peda)
python3 -c "import pwn; print(pwn.cyclic(500).decode())" | ./bluehammer
# Use ltrace/strace to trace library/syscalls
strace ./bluehammer <args>
ltrace ./bluehammer <args>
# Check binary protections
checksec --file=./bluehammer
# or with pwntools:
python3 -c "from pwn import *; e = ELF('./bluehammer'); print(e)"
```
### Python harness for iterating on the PoC
```python
#!/usr/bin/env python3
"""
Harness for testing BlueHammer PoC variants.
Run in an isolated lab environment only.
"""
import subprocess
import struct
import os
BINARY = "./bluehammer"
OFFSET = 264 # adjust via debugging
def build_payload(offset: int, ret_addr: int, shellcode: bytes = b"") -> bytes:
padding = b"A" * offset
addr_packed = struct.pack("<Q", ret_addr) # little-endian 64-bit
return padding + addr_packed + shellcode
def run_payload(payload: bytes) -> tuple[int, bytes, bytes]:
"""Send payload to the binary, return (returncode, stdout, stderr)."""
result = subprocess.run(
[BINARY],
input=payload,
capture_output=True,
timeout=5,
)
return result.returncode, result.stdout, result.stderr
def find_offset(max_size: int = 1024) -> int:
"""Brute-force the crash offset."""
for size in range(16, max_size, 8):
payload = b"A" * size
try:
rc, _, _ = run_payload(payload)
if rc != 0:
print(f"[+] Crash at size: {size}")
return size
except subprocess.TimeoutExpired:
print(f"[!] Timeout at size: {size}")
return -1
if __name__ == "__main__":
print("[*] Testing BlueHammer PoC")
payload = build_payload(OFFSET, 0x4141414141414141)
rc, out, err = run_payload(payload)
print(f"Return code: {rc}")
print(f"Stdout: {out}")
print(f"Stderr: {err}")
```
---
## Troubleshooting
### PoC doesn't crash / no effect
- The author acknowledged bugs in the PoC — read the source carefully for off-by-one errors, wrong size calculations, or incorrect offsets.
- Recompile without mitigations: `-fno-stack-protector -no-pie -z execstack`
- Check if ASLR is interfering: `echo 0 | sudo tee /proc/sys/kernel/randomize_va_space` (lab only, revert after)
### Compilation errors
```bash
# Missing headers — check what the source includes and install dev packages
sudo apt install build-essential libc6-dev
# Link errors
gcc bluehammer.c -o bluehammer -lpthread -lm
```
### Segfault immediately on run
```bash
# Run with ASAN to get detailed crash info
gcc -fsanitize=address -g -o bluehammer_asan bluehammer.c
./bluehammer_asan <args>
```
### PGP verification fails
```bash
# Ensure you have the full key fingerprint
gpg --list-keys FFoRCS0
# Re-fetch if needed
gpg --keyserver hkps://keys.openpgp.org --recv-keys <full-fingerprint>
```
---
## Lab Environment Setup (Recommended)
```bash
# Use a dedicated VM or container — never run on production systems
docker run -it --rm \
--cap-add SYS_PTRACE \
--security-opt seccomp=unconfined \
ubuntu:22.04 bash
# Inside container
apt update && apt install -y gcc gdb python3 python3-pip strace ltrace binutils
pip3 install pwntools
git clone https://github.com/Nightmare-Eclipse/BlueHammer.git
cd BlueHammer
```
---
## Key Facts
| Property | Value |
|----------|-------|
| Language | C |
| License | MIT |
| Stars | 606 |
| Forks | 228 |
| Known bugs in PoC | Yes (author confirmed) |
| PGP signed | Yes (SHA-512, Ed25519) |
Creator's repository · aradotso/trending-skills