Bluffy – Convert Shellcode Into Different Formats

Bluffy - Convert Shellcode Into Different Formats Full Example

Overview

Bluffy is a utility which was used in experiments to bypass Anti-Virus products (statically) by formatting shellcode into realistic looking data formats.

Proof-of-concept tools, such as 0xBoku‘s Ninja_UUID_Runner and ChoiSG‘s UuidShellcodeExec, inspired the initial concept for Bluffy.

So far, we implemented:

  1. UUID
  2. CLSID
  3. SVG
  4. CSS
  5. CSV

Written by:

Requirements and installation

The following items must be installed prior to using Bluff:

python3.9 or greater:

sudo apt install python3.9

rich:

sudo pip3 install rich

Using Bluffy

To build a payload, get your binary file. For this example, we used calc.bin, which just loads calc.exe as a proof of concept. As Bluffy only seeks to evade static analysis using steganography, by hiding the binary within an otherwise innocuous file, you will need to do further research to ensure that your payload also evades dynamic detection.

Run bluffy, choosing a mask of your choice and providing your .bin file:

python ./bluffy.py -b calc.bin -m css -x

Check your payload, then build it. To build your payload, copy the .h file bluffy creates, rename it css.c, run make to build it to an executable, then test using the included examples directory:

mv css.h examples/css/css.h cd examples/css make

This will use the included “main.c” to build an Windows executable. Test this to confirm. If you have also used calc.bin, you should be greeted by a new Calc window opening. If so, congratulations!

For more details on using Bluffy and a walkthrough of how it works and what the output looks like, check out our blog

Here is a full example:

Bluffy - Convert Shellcode Into Different Formats

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

three × three =