Importing shellcode without corrupting a single byte

Common paste formats, whitespace traps, and how to round-trip external shellcode through a browser builder without silent truncation.

Import workflows look safe. You paste hex from msfvenom, from a teammate, or from an old report. One invisible character later, your exploit works in staging and dies in prod because byte 37 became 0x20.

Formats that look equivalent but are not

  • C-style escaped byte strings
  • comma-separated 0xNN lists with trailing commas
  • raw hex without prefixes
  • base64 wrappers from random tools

Each parser makes different assumptions about whitespace, comments, and odd line breaks.

Whitespace and Unicode traps

Copying from PDFs or chat apps introduces:

  • non-breaking spaces
  • smart quotes
  • zero-width joiners

Your eyes see hex. The parser sees garbage.

Normalize before import: paste into a plain text editor, strip non-hex characters deliberately, and verify that the length is a whole number of bytes (two hex characters per byte).

Round-trip discipline

When I import external shellcode into a builder:

  1. Record source hash of the original blob
  2. Import and export without encoders
  3. Compare output hash to source

If hashes differ, stop. Do not add encoders on top of a corrupted base.

Odd-length hex strings

A single nibbled-off character shifts everything. Some UIs fail loudly. Others pad silently. I prefer loud failure.
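A strict parser that covers the whitespace traps, the round-trip hash check, and the odd-length case above. This is an added example, not code from shellcodes; the function names are hypothetical and the sample bytes are constructed placeholders.

```python
import hashlib
import re
import unicodedata

SEPARATORS = re.compile(r"[ \t\r\n,;\"'{}]+")    # ASCII-only separators
PREFIXES = re.compile(r"\\x|0x", re.IGNORECASE)  # C-style and 0xNN prefixes
HEX_TOKEN = re.compile(r"[0-9a-fA-F]+")


class HexImportError(ValueError):
    """Raised instead of padding, guessing or silently dropping input."""


def parse_hex_strict(text: str) -> bytes:
    # Name any non-ASCII character (NBSP, zero-width joiner, smart quote)
    # and its offset rather than quietly stripping it.
    for offset, ch in enumerate(text):
        if ord(ch) > 0x7F:
            name = unicodedata.name(ch, "UNKNOWN")
            raise HexImportError(f"U+{ord(ch):04X} {name} at offset {offset}")
    out = bytearray()
    for token in SEPARATORS.split(PREFIXES.sub(" ", text)):
        if not token:
            continue  # empty piece left by a leading or trailing separator
        if not HEX_TOKEN.fullmatch(token):
            raise HexImportError(f"non-hex token {token!r}")
        if len(token) % 2:  # odd length: fail loudly, never pad
            raise HexImportError(f"odd-length token {token!r}")
        out += bytes.fromhex(token)
    return bytes(out)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def round_trip_matches(source: bytes, exported_text: str) -> bool:
    # Hash the source, parse the exported text, compare the two digests.
    return sha256_hex(source) == sha256_hex(parse_hex_strict(exported_text))


if __name__ == "__main__":
    sample = bytes(range(8))  # constructed placeholder bytes, not a payload
    exported = ", ".join(f"0x{b:02x}" for b in sample) + ","
    print(round_trip_matches(sample, exported))   # clean export
    try:
        parse_hex_strict("0001\u00a00203")        # NBSP as pasted from a PDF
    except HexImportError as err:
        print("rejected:", err)
```

Each whitespace-delimited token must have even length, so raw hex that was hard-wrapped at an odd column is also rejected; rejoin the lines before import in that case.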

Endianness and architecture labels

Importing Windows shellcode into a Linux-labeled session does not convert it. Labels are metadata for your workflow, not transmutation magic. Tag collections correctly so you do not mix payloads across engagements.

Using the converter path

shellcodes ships a converter-oriented flow for "format existing bytes". That is the right entry when the creative work already happened elsewhere. Use the builder for encoders and bad-char passes after import, not as a reason to skip verification.

Failure modes in production-like labs

  • Truncated paste from terminal scrollback
  • URL encoding applied twice through a web proxy
  • JSON escaping that eats backslashes

Attackers exploit parsing differences. Defenders should log exact byte lengths on suspicious processes. Length mismatches are cheap signals.

Small habit, large payoff

Keep a payload.bin on disk for every imported artifact. Hex in tickets is for humans. Binary on disk is for hashes.