# BlueHammer Vulnerability PoC
## ⚠️ Important Notice

BlueHammer is a proof-of-concept vulnerability repository intended for security research, education, and defensive purposes only. Use only in authorized, isolated lab environments. The author notes there are known bugs in the PoC that may prevent it from working as-is.
## What BlueHammer Does

BlueHammer is a C-based proof-of-concept demonstrating a specific vulnerability. The repository is primarily a research artifact — it documents the vulnerability, provides a PoC exploit, and is signed with a PGP key for authenticity verification.
## Getting the Code

```bash
git clone https://github.com/Nightmare-Eclipse/BlueHammer.git
cd BlueHammer
```

## Verify PGP Signature (Recommended)
The README is PGP signed. To verify authenticity:

```bash
# Import the author's key (key ID from signature: FFoRCS0/SbA)
gpg --keyserver keys.openpgp.org --recv-keys 494EF01FFC059584028479BEC51684424B4FD26C

# Verify the signed block in README.md
gpg --verify README.md
```

---

## Building the PoC
Since the project is written in C with no build system documented, standard patterns apply:

### Single-file build

```bash
# If there is a single main source file
gcc -o bluehammer bluehammer.c -Wall -Wextra

# With debug symbols for analysis
gcc -g -O0 -o bluehammer_dbg bluehammer.c -Wall -Wextra

# If the project uses a Makefile
make
make clean && make
```

### Common C build flags for vulnerability PoCs
```bash
# Disable mitigations for testing (lab only)
gcc -o bluehammer bluehammer.c \
    -fno-stack-protector \
    -z execstack \
    -no-pie \
    -Wall

# With address sanitizer for debugging crashes
gcc -o bluehammer bluehammer.c \
    -fsanitize=address \
    -g -O1
```

---

## Running the PoC
```bash
# Basic execution
./bluehammer

# With a target argument (common pattern)
./bluehammer <target>

# With verbose/debug output if supported
./bluehammer -v <target>

# Check usage/help
./bluehammer --help
./bluehammer -h
```

---

## Code Patterns — Working with C Vulnerability PoCs
### Reading and understanding the vulnerability trigger

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Common pattern: controlled buffer to trigger the condition
void trigger_vulnerability(const char *input, size_t len) {
    char buf[256];
    // Inspect what the PoC does with input
    memcpy(buf, input, len); // potential overflow if len > 256
    // ... vulnerability logic
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <payload>\n", argv[0]);
        return 1;
    }
    trigger_vulnerability(argv[1], strlen(argv[1]));
    return 0;
}
```
### Analyzing the PoC for bugs (author noted known bugs)
```c
#include <stdlib.h>
#include <string.h>

// When inspecting the PoC, look for these common issues
// (each case in its own scope so the fragments compile together):
void common_poc_bugs(void) {
    // 1. Off-by-one errors
    {
        char buf[64];
        // Bug: should be < 64, not <= 64
        for (int i = 0; i <= 64; i++) buf[i] = 'A';
        // Fix:
        for (int i = 0; i < 64; i++) buf[i] = 'A';
    }
    // 2. Missing null terminator
    {
        char buf[8];
        strncpy(buf, "longinput", 8); // no null terminator
        // Fix:
        strncpy(buf, "longinput", 7);
        buf[7] = '\0';
    }
    // 3. Incorrect size calculation
    int *arr = malloc(10); // Bug: should be 10 * sizeof(int)
    int *arr_fixed = malloc(10 * sizeof(int)); // Fix
    free(arr);
    free(arr_fixed);
    // 4. Wrong offset in exploit payload
    size_t offset = 128; // may need adjustment per target binary/environment
    (void)offset;
}
```
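As an added example that is not code from the BlueHammer repository, the two snippets above are recast in their hardened form: the unchecked `memcpy` into the 256-byte buffer becomes a length check that rejects oversize input, and the `strncpy` termination bug becomes a helper that always terminates. Function names, the `g_out` scratch buffer and the return codes are assumptions made for this example; the 256-byte buffer size is taken from the snippet above.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 256   /* matches the 256-byte buffer in the snippet above */
char g_out[8];         /* small scratch buffer so the bounds checks can be exercised */

/* Hardened form of trigger_vulnerability(): refuse input that does not fit,
 * terminator included. Returns 0 on success, -1 when rejected. */
int copy_input_checked(const char *input, size_t len, char *out, size_t out_len)
{
    if (input == NULL || out == NULL || out_len == 0) return -1;
    if (len >= out_len) return -1;   /* oversize is an error, never an overflow */
    memcpy(out, input, len);
    out[len] = '\0';                 /* never leave the buffer unterminated */
    return 0;
}

/* Bounded copy that always terminates: the strncpy(buf, "longinput", 8) fix,
 * with the n-1 / buf[n-1] pair handled once instead of at every call site. */
size_t copy_terminated(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0) return 0;
    size_t n = 0;
    while (n < dst_len - 1 && src[n] != '\0') n++;   /* at most dst_len-1 bytes */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;                                        /* excludes the terminator */
}

/* Same shape as the page's main(): copy one argument into a 256-byte stack
 * buffer, but return 1 on missing or oversize input instead of smashing the stack. */
int process_payload(const char *input)
{
    char buf[BUF_SIZE];
    if (input == NULL ||
        copy_input_checked(input, strlen(input), buf, sizeof buf) != 0) {
        fprintf(stderr, "rejected: input missing or longer than %zu bytes\n", sizeof buf - 1);
        return 1;
    }
    return 0;   /* buf is now a terminated, in-bounds copy */
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <payload>\n", argv[0]);
        return 1;
    }
    return process_payload(argv[1]);
}
```

Compiled with the same `-fsanitize=address` flags used elsewhere on this page, the hardened version produces no report for oversize input because the copy never happens.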
### Sending a crafted payload
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAYLOAD_SIZE 512
#define OFFSET 264 // adjust based on binary analysis

int main(void) {
    unsigned char payload[PAYLOAD_SIZE];
    // Fill with pattern for offset discovery
    memset(payload, 'A', PAYLOAD_SIZE);
    // Overwrite return address (example — adjust for target)
    unsigned long target_addr = 0xdeadbeefcafeUL;
    memcpy(payload + OFFSET, &target_addr, sizeof(target_addr));
    // Write payload to stdout for piping
    fwrite(payload, 1, PAYLOAD_SIZE, stdout);
    return 0;
}
```
### Debugging a non-working PoC
```bash
# Run under GDB to catch crashes
gdb ./bluehammer
(gdb) run <args>
(gdb) bt              # backtrace on crash
(gdb) info registers

# Find the exact crash offset with a cyclic pattern (pwndbg/peda)
python3 -c "import pwn; print(pwn.cyclic(500).decode())" | ./bluehammer

# Use ltrace/strace to trace library/syscalls
strace ./bluehammer <args>
ltrace ./bluehammer <args>

# Check binary protections
checksec --file=./bluehammer

# or with pwntools:
python3 -c "from pwn import *; e = ELF('./bluehammer'); print(e)"
```

### Python harness for iterating on the PoC
```python
#!/usr/bin/env python3
"""
Harness for testing BlueHammer PoC variants.
Run in an isolated lab environment only.
"""
import subprocess
import struct
import os

BINARY = "./bluehammer"
OFFSET = 264  # adjust via debugging


def build_payload(offset: int, ret_addr: int, shellcode: bytes = b"") -> bytes:
    padding = b"A" * offset
    addr_packed = struct.pack("<Q", ret_addr)  # little-endian 64-bit
    return padding + addr_packed + shellcode


def run_payload(payload: bytes) -> tuple[int, bytes, bytes]:
    """Send payload to the binary, return (returncode, stdout, stderr)."""
    result = subprocess.run(
        [BINARY],
        input=payload,
        capture_output=True,
        timeout=5,
    )
    return result.returncode, result.stdout, result.stderr


def find_offset(max_size: int = 1024) -> int:
    """Brute-force the crash offset."""
    for size in range(16, max_size, 8):
        payload = b"A" * size
        try:
            rc, _, _ = run_payload(payload)
            if rc != 0:
                print(f"[+] Crash at size: {size}")
                return size
        except subprocess.TimeoutExpired:
            print(f"[!] Timeout at size: {size}")
    return -1


if __name__ == "__main__":
    print("[*] Testing BlueHammer PoC")
    payload = build_payload(OFFSET, 0x4141414141414141)
    rc, out, err = run_payload(payload)
    print(f"Return code: {rc}")
    print(f"Stdout: {out}")
    print(f"Stderr: {err}")
```
## Troubleshooting
### PoC doesn't crash / no effect

- The author acknowledged bugs in the PoC — read the source carefully for off-by-one errors, wrong size calculations, or incorrect offsets.
- Recompile without mitigations: `-fno-stack-protector -no-pie -z execstack`
- Check if ASLR is interfering (lab only, revert after):

  ```bash
  echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
  ```
### Compilation errors

```bash
# Missing headers — check what the source includes and install dev packages
sudo apt install build-essential libc6-dev

# Link errors
gcc bluehammer.c -o bluehammer -lpthread -lm
```

### Segfault immediately on run
```bash
# Run with ASAN to get detailed crash info
gcc -fsanitize=address -g -o bluehammer_asan bluehammer.c
./bluehammer_asan <args>
```

### PGP verification fails
```bash
# Ensure you have the full key fingerprint
gpg --list-keys FFoRCS0

# Re-fetch if needed
gpg --keyserver hkps://keys.openpgp.org --recv-keys <full-fingerprint>
```

---

## Lab Environment Setup (Recommended)
```bash
# Use a dedicated VM or container — never run on production systems
docker run -it --rm \
    --cap-add SYS_PTRACE \
    --security-opt seccomp=unconfined \
    ubuntu:22.04 bash

# Inside container
apt update && apt install -y gcc gdb python3 python3-pip strace ltrace binutils
pip3 install pwntools
git clone https://github.com/Nightmare-Eclipse/BlueHammer.git
cd BlueHammer
```

---

## Key Facts

| Property | Value |
|---|---|
| Language | C |
| License | MIT |
| Stars | 606 |
| Forks | 228 |
| Known bugs in PoC | Yes (author confirmed) |
| PGP signed | Yes (SHA-512, Ed25519) |