git clone https://github.com/Nightmare-Eclipse/BlueHammer.git
cd BlueHammer

# Import the author's key (key ID from signature: FFoRCS0/SbA)
gpg --keyserver keys.openpgp.org --recv-keys 494EF01FFC059584028479BEC5168442 4B4FD26C

# Verify the signed block in README.md
gpg --verify README.md

# If there is a single main source file
gcc -o bluehammer bluehammer.c -Wall -Wextra

# With debug symbols for analysis
gcc -g -O0 -o bluehammer_dbg bluehammer.c -Wall -Wextra

# If the project uses a Makefile
make
make clean && make

# Disable mitigations for testing (lab only)
gcc -o bluehammer bluehammer.c \
    -fno-stack-protector \
    -z execstack \
    -no-pie \
    -Wall

# With address sanitizer for debugging crashes
gcc -o bluehammer bluehammer.c \
    -fsanitize=address \
    -g -O1

# Basic execution
./bluehammer

# With a target argument (common pattern)
./bluehammer <target>

# With verbose/debug output if supported
./bluehammer -v <target>

# Check usage/help
./bluehammer --help
./bluehammer -h

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Common pattern: controlled buffer to trigger the condition
void trigger_vulnerability(const char *input, size_t len) {
    char buf[256];
    // Inspect what the PoC does with input
    memcpy(buf, input, len);  // potential overflow if len > 256
    // ... vulnerability logic
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <payload>\n", argv[0]);
        return 1;
    }
    trigger_vulnerability(argv[1], strlen(argv[1]));
    return 0;
}

// When inspecting the PoC, look for these common issues:

// 1. Off-by-one errors
char buf[64];
// Bug: should be < 64, not <= 64
for (int i = 0; i <= 64; i++) buf[i] = 'A';

// Fix:
for (int i = 0; i < 64; i++) buf[i] = 'A';

// 2. Missing null terminator
char buf[8];
strncpy(buf, "longinput", 8);  // no null terminator
// Fix:
strncpy(buf, "longinput", 7);
buf[7] = '\0';

// 3. Incorrect size calculation
int *arr = malloc(10);           // Bug: should be 10 * sizeof(int)
int *arr_fixed = malloc(10 * sizeof(int));  // Fix

// 4. Wrong offset in exploit payload
size_t offset = 128;  // may need adjustment per target binary/environment

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAYLOAD_SIZE 512
#define OFFSET       264   // adjust based on binary analysis

int main(void) {
    unsigned char payload[PAYLOAD_SIZE];

    // Fill with pattern for offset discovery
    memset(payload, 'A', PAYLOAD_SIZE);

    // Overwrite return address (example — adjust for target)
    unsigned long target_addr = 0xdeadbeefcafeUL;
    memcpy(payload + OFFSET, &target_addr, sizeof(target_addr));

    // Write payload to stdout for piping
    fwrite(payload, 1, PAYLOAD_SIZE, stdout);
    return 0;
}

# Run under GDB to catch crashes
gdb ./bluehammer
(gdb) run <args>
(gdb) bt          # backtrace on crash
(gdb) info registers

# Find the exact crash offset with a cyclic pattern (pwndbg/peda)
python3 -c "import pwn; print(pwn.cyclic(500).decode())" | ./bluehammer

# Use ltrace/strace to trace library/syscalls
strace ./bluehammer <args>
ltrace ./bluehammer <args>

# Check binary protections
checksec --file=./bluehammer
# or with pwntools:
python3 -c "from pwn import *; e = ELF('./bluehammer'); print(e)"

#!/usr/bin/env python3
"""
Harness for testing BlueHammer PoC variants.
Run in an isolated lab environment only.
"""
import subprocess
import struct
import os

BINARY = "./bluehammer"
OFFSET = 264  # adjust via debugging

def build_payload(offset: int, ret_addr: int, shellcode: bytes = b"") -> bytes:
    padding = b"A" * offset
    addr_packed = struct.pack("<Q", ret_addr)  # little-endian 64-bit
    return padding + addr_packed + shellcode

def run_payload(payload: bytes) -> tuple[int, bytes, bytes]:
    """Send payload to the binary, return (returncode, stdout, stderr)."""
    result = subprocess.run(
        [BINARY],
        input=payload,
        capture_output=True,
        timeout=5,
    )
    return result.returncode, result.stdout, result.stderr

def find_offset(max_size: int = 1024) -> int:
    """Brute-force the crash offset."""
    for size in range(16, max_size, 8):
        payload = b"A" * size
        try:
            rc, _, _ = run_payload(payload)
            if rc != 0:
                print(f"[+] Crash at size: {size}")
                return size
        except subprocess.TimeoutExpired:
            print(f"[!] Timeout at size: {size}")
    return -1

if __name__ == "__main__":
    print("[*] Testing BlueHammer PoC")
    payload = build_payload(OFFSET, 0x4141414141414141)
    rc, out, err = run_payload(payload)
    print(f"Return code: {rc}")
    print(f"Stdout: {out}")
    print(f"Stderr: {err}")

# Missing headers — check what the source includes and install dev packages
sudo apt install build-essential libc6-dev

# Link errors
gcc bluehammer.c -o bluehammer -lpthread -lm

# Run with ASAN to get detailed crash info
gcc -fsanitize=address -g -o bluehammer_asan bluehammer.c
./bluehammer_asan <args>

# Ensure you have the full key fingerprint
gpg --list-keys FFoRCS0
# Re-fetch if needed
gpg --keyserver hkps://keys.openpgp.org --recv-keys <full-fingerprint>

# Use a dedicated VM or container — never run on production systems
docker run -it --rm \
    --cap-add SYS_PTRACE \
    --security-opt seccomp=unconfined \
    ubuntu:22.04 bash

# Inside container
apt update && apt install -y gcc gdb python3 python3-pip strace ltrace binutils
pip3 install pwntools

git clone https://github.com/Nightmare-Eclipse/BlueHammer.git
cd BlueHammer