<< All versions
Skill v1.0.0
currentAutomated scan100/100aradotso/trending-skills/bluehammer-vulnerability-poc
──Details
PublishedApril 29, 2026 at 01:13 AM
Content Hashsha256:bbacd69f0a7e2c7e...
Git SHA5cd3b5fd40f6
──Files
Files (1 file, 8.1 KB)
SKILL.md8.1 KBactive
SKILL.md · 328 lines · 8.1 KB
version: "1.0.0" name: bluehammer-vulnerability-poc description: Skill for working with the BlueHammer vulnerability proof-of-concept repository, covering build, usage, and code patterns. triggers:
- "use bluehammer"
- "work with bluehammer vulnerability"
- "build bluehammer poc"
- "exploit bluehammer"
- "run bluehammer"
- "bluehammer vulnerability code"
- "set up bluehammer"
- "understand bluehammer poc"
BlueHammer Vulnerability PoC
Skill by ara.so — Daily 2026 Skills collection.
⚠️ Important Notice
BlueHammer is a proof-of-concept vulnerability repository intended for security research, education, and defensive purposes only. Use only in authorized, isolated lab environments. The author notes there are known bugs in the PoC that may prevent it from working as-is.
What BlueHammer Does
BlueHammer is a C-based proof-of-concept demonstrating a specific vulnerability. The repository is primarily a research artifact — it documents the vulnerability, provides a PoC exploit, and is signed with a PGP key for authenticity verification.
Getting the Code
bash
git clone https://github.com/Nightmare-Eclipse/BlueHammer.gitcd BlueHammer
Verify PGP Signature (Recommended)
The README is PGP signed. To verify authenticity:
bash
# Import the author's key (key ID from signature: FFoRCS0/SbA)gpg --keyserver keys.openpgp.org --recv-keys 494EF01FFC059584028479BEC5168442 4B4FD26C# Verify the signed block in README.mdgpg --verify README.md
Building the PoC
Since the project is written in C with no build system documented, standard patterns apply:
Single-file build
bash
# If there is a single main source filegcc -o bluehammer bluehammer.c -Wall -Wextra# With debug symbols for analysisgcc -g -O0 -o bluehammer_dbg bluehammer.c -Wall -Wextra# If the project uses a Makefilemakemake clean && make
Common C build flags for vulnerability PoCs
bash
# Disable mitigations for testing (lab only)gcc -o bluehammer bluehammer.c \-fno-stack-protector \-z execstack \-no-pie \-Wall# With address sanitizer for debugging crashesgcc -o bluehammer bluehammer.c \-fsanitize=address \-g -O1
Running the PoC
bash
# Basic execution./bluehammer# With a target argument (common pattern)./bluehammer <target># With verbose/debug output if supported./bluehammer -v <target># Check usage/help./bluehammer --help./bluehammer -h
Code Patterns — Working with C Vulnerability PoCs
Reading and understanding the vulnerability trigger
c
#include <stdio.h>#include <stdlib.h>#include <string.h>// Common pattern: controlled buffer to trigger the conditionvoid trigger_vulnerability(const char *input, size_t len) {char buf[256];// Inspect what the PoC does with inputmemcpy(buf, input, len); // potential overflow if len > 256// ... vulnerability logic}int main(int argc, char *argv[]) {if (argc < 2) {fprintf(stderr, "Usage: %s <payload>\n", argv[0]);return 1;}trigger_vulnerability(argv[1], strlen(argv[1]));return 0;}
Analyzing the PoC for bugs (author noted known bugs)
c
// When inspecting the PoC, look for these common issues:// 1. Off-by-one errorschar buf[64];// Bug: should be < 64, not <= 64for (int i = 0; i <= 64; i++) buf[i] = 'A';// Fix:for (int i = 0; i < 64; i++) buf[i] = 'A';// 2. Missing null terminatorchar buf[8];strncpy(buf, "longinput", 8); // no null terminator// Fix:strncpy(buf, "longinput", 7);buf[7] = '\0';// 3. Incorrect size calculationint *arr = malloc(10); // Bug: should be 10 * sizeof(int)int *arr_fixed = malloc(10 * sizeof(int)); // Fix// 4. Wrong offset in exploit payloadsize_t offset = 128; // may need adjustment per target binary/environment
Sending a crafted payload
c
#include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#define PAYLOAD_SIZE 512#define OFFSET 264 // adjust based on binary analysisint main(void) {unsigned char payload[PAYLOAD_SIZE];// Fill with pattern for offset discoverymemset(payload, 'A', PAYLOAD_SIZE);// Overwrite return address (example — adjust for target)unsigned long target_addr = 0xdeadbeefcafeUL;memcpy(payload + OFFSET, &target_addr, sizeof(target_addr));// Write payload to stdout for pipingfwrite(payload, 1, PAYLOAD_SIZE, stdout);return 0;}
Debugging a non-working PoC
bash
# Run under GDB to catch crashesgdb ./bluehammer(gdb) run <args>(gdb) bt # backtrace on crash(gdb) info registers# Find the exact crash offset with a cyclic pattern (pwndbg/peda)python3 -c "import pwn; print(pwn.cyclic(500).decode())" | ./bluehammer# Use ltrace/strace to trace library/syscallsstrace ./bluehammer <args>ltrace ./bluehammer <args># Check binary protectionschecksec --file=./bluehammer# or with pwntools:python3 -c "from pwn import *; e = ELF('./bluehammer'); print(e)"
Python harness for iterating on the PoC
python
#!/usr/bin/env python3"""Harness for testing BlueHammer PoC variants.Run in an isolated lab environment only."""import subprocessimport structimport osBINARY = "./bluehammer"OFFSET = 264 # adjust via debuggingdef build_payload(offset: int, ret_addr: int, shellcode: bytes = b"") -> bytes:padding = b"A" * offsetaddr_packed = struct.pack("<Q", ret_addr) # little-endian 64-bitreturn padding + addr_packed + shellcodedef run_payload(payload: bytes) -> tuple[int, bytes, bytes]:"""Send payload to the binary, return (returncode, stdout, stderr)."""result = subprocess.run([BINARY],input=payload,capture_output=True,timeout=5,)return result.returncode, result.stdout, result.stderrdef find_offset(max_size: int = 1024) -> int:"""Brute-force the crash offset."""for size in range(16, max_size, 8):payload = b"A" * sizetry:rc, _, _ = run_payload(payload)if rc != 0:print(f"[+] Crash at size: {size}")return sizeexcept subprocess.TimeoutExpired:print(f"[!] Timeout at size: {size}")return -1if __name__ == "__main__":print("[*] Testing BlueHammer PoC")payload = build_payload(OFFSET, 0x4141414141414141)rc, out, err = run_payload(payload)print(f"Return code: {rc}")print(f"Stdout: {out}")print(f"Stderr: {err}")
Troubleshooting
PoC doesn't crash / no effect
- The author acknowledged bugs in the PoC — read the source carefully for off-by-one errors, wrong size calculations, or incorrect offsets.
- Recompile without mitigations:
-fno-stack-protector -no-pie -z execstack - Check if ASLR is interfering:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space(lab only, revert after)
Compilation errors
bash
# Missing headers — check what the source includes and install dev packagessudo apt install build-essential libc6-dev# Link errorsgcc bluehammer.c -o bluehammer -lpthread -lm
Segfault immediately on run
bash
# Run with ASAN to get detailed crash infogcc -fsanitize=address -g -o bluehammer_asan bluehammer.c./bluehammer_asan <args>
PGP verification fails
bash
# Ensure you have the full key fingerprintgpg --list-keys FFoRCS0# Re-fetch if neededgpg --keyserver hkps://keys.openpgp.org --recv-keys <full-fingerprint>
Lab Environment Setup (Recommended)
bash
# Use a dedicated VM or container — never run on production systemsdocker run -it --rm \--cap-add SYS_PTRACE \--security-opt seccomp=unconfined \ubuntu:22.04 bash# Inside containerapt update && apt install -y gcc gdb python3 python3-pip strace ltrace binutilspip3 install pwntoolsgit clone https://github.com/Nightmare-Eclipse/BlueHammer.gitcd BlueHammer
Key Facts
| Property | Value | |
|---|---|---|
| Language | C | |
| License | MIT | |
| Stars | 606 | |
| Forks | 228 | |
| Known bugs in PoC | Yes (author confirmed) | |
| PGP signed | Yes (SHA-512, Ed25519) |