Kali Linux

Bluffy : Convert Shellcode Into Different Formats

Bluffy is a utility which was used in experiments to bypass Anti-Virus products (statically) by formatting shellcode into realistic looking data formats.

Proof-of-concept tools, such as 0xBoku’s Ninja_UUID_Runner and ChoiSG’s UuidShellcodeExec, inspired the initial concept for Bluffy.

So far, we implemented:

  1. UUID
  2. CLSID
  3. SVG
  4. CSS
  5. CSV

Help

$ python3 bluffy.py -h
⣇⣿⠘⣿⣿⣿⡿⡿⣟⣟⢟⢟⢝⠵⡝⣿⡿⢂⣼⣿⣷⣌⠩⡫⡻⣝⠹⢿⣿⣷
⡆⣿⣆⠱⣝⡵⣝⢅⠙⣿⢕⢕⢕⢕⢝⣥⢒⠅⣿⣿⣿⡿⣳⣌⠪⡪⣡⢑⢝⣇
⡆⣿⣿⣦⠹⣳⣳⣕⢅⠈⢗⢕⢕⢕⢕⢕⢈⢆⠟⠋⠉⠁⠉⠉⠁⠈⠼⢐⢕⢽
⡗⢰⣶⣶⣦⣝⢝⢕⢕⠅⡆⢕⢕⢕⢕⢕⣴⠏⣠⡶⠛⡉⡉⡛⢶⣦⡀⠐⣕⢕
⡝⡄⢻⢟⣿⣿⣷⣕⣕⣅⣿⣔⣕⣵⣵⣿⣿⢠⣿⢠⣮⡈⣌⠨⠅⠹⣷⡀⢱⢕
⡝⡵⠟⠈⢀⣀⣀⡀⠉⢿⣿⣿⣿⣿⣿⣿⣿⣼⣿⢈⡋⠴⢿⡟⣡⡇⣿⡇⡀⢕
⡝⠁⣠⣾⠟⡉⡉⡉⠻⣦⣻⣿⣿⣿⣿⣿⣿⣿⣿⣧⠸⣿⣦⣥⣿⡇⡿⣰⢗⢄
⠁⢰⣿⡏⣴⣌⠈⣌⠡⠈⢻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣬⣉⣉⣁⣄⢖⢕⢕⢕
⡀⢻⣿⡇⢙⠁⠴⢿⡟⣡⡆⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣵⣵⣿
⡻⣄⣻⣿⣌⠘⢿⣷⣥⣿⠇⣿⣿⣿⣿⣿⣿⠛⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
⣷⢄⠻⣿⣟⠿⠦⠍⠉⣡⣾⣿⣿⣿⣿⣿⣿⢸⣿⣦⠙⣿⣿⣿⣿⣿⣿⣿⣿⠟
⡕⡑⣑⣈⣻⢗⢟⢞⢝⣻⣿⣿⣿⣿⣿⣿⣿⠸⣿⠿⠃⣿⣿⣿⣿⣿⣿⡿⠁⣠
⡝⡵⡈⢟⢕⢕⢕⢕⣵⣿⣿⣿⣿⣿⣿⣿⣿⣿⣶⣶⣿⣿⣿⣿⣿⠿⠋⣀⣈⠙
⡝⡵⡕⡀⠑⠳⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠛⢉⡠⡲⡫⡪⡪⡣
Convert shellcode into ✨ different ✨ formats!
Written by:
~ Mez0
~ Michael Ranaldo
usage: Bluffy [-h] -b -o -m
optional arguments:
-h, –help show this help message and exit
-b , –bin Specify bin file to load
-m , –mask Specify the mask for the shellcode
-x , –xor XOR the payload
-p , –preview Preview the created format
-pp, –payload_preview Preview the payload prior to C formatting
–list List all the available masks

Written by:

  • Michael Ranaldo
  • Mez0

Requirements And Installation

The following items must be installed prior to using Bluff:

python3.9 or greater

sudo apt install python3.9

rich

sudo pip3 install rich

pcre2.8

Depending on whether its going to be ran on Kali, Ubuntu 18, 19, 20, and so on, the process of getting and building with pcre2.8 may be different.

For us on Ubuntu, it was developed on

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 21.04
Release: 21.04
Codename: hirsute

In order to link libpcre2-8.a, the .a file had to be included within:

/usr/lib/gcc/x86_64-w64-mingw32/10-win32

As for obtaining the header and lib files, MSYS2 was used. But if you’re smarter than us, then just do it from source for Mingw64: https://pcre.org/.

The simplest way to thus acquire and install is to run the following commands (after double checking your architecture etc.):

sudo apt install mingw-64
sudo wget https://packages.msys2.org/package/mingw-w64-x86_64-pcre2?repo=mingw64 -P /usr/lib/gcc/x86_64-w64-mingw32/10-win32

Using Bluffy

To build a payload, get your binary file. For this example, we used calc.bin, which just loads calc.exe as a proof of concept. As Bluffy only seeks to evade static analysis using steganography, by hiding the binary within an otherwise innocuous file, you will need to do further research to ensure that your payload also evades dynamic detection.

Run bluffy, choosing a mask of your choice and providing your .bin file:

python ./bluffy.py -b calc.bin -m css -x

Check your payload, then build it. To build your payload, copy the .h file bluffy creates, rename it css.c, run make to build it to an executable, then test using the included examples directory:

mv css.h examples/css/css.h
cd examples/css
make

This will use the included “main.c” to build an Windows executable. Test this to confirm. If you have also used calc.bin, you should be greeted by a new Calc window opening. If so, congratulations!

R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

24 hours ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

24 hours ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

24 hours ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

1 day ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

1 day ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

1 day ago