• Stars
    star
    462
  • Rank 94,202 (Top 2 %)
  • Language
    HTML
  • License
    GNU General Publi...
  • Created about 7 years ago
  • Updated almost 7 years ago

Repository Details

Embed and hide any file in an HTML file

Embed and hide any file in HTML

Author: Arno0x0x - @Arno0x0x

This tool takes a file (of any type), encrypts it, and embeds it into an HTML file as a resource, along with an automatic download routine that simulates a user clicking on the embedded resource.

Then, when the user browses the HTML file, the embedded file is decrypted on the fly, saved in a temporary folder, and the file is then presented to the user as if it was being downloaded from the remote site. Depending on the user's browser and the file type presented, the file can be automatically opened by the browser.

This tool comes in two flavors that provide the same overall functionality, with slight differences in how they are used:

  1. A Python script which generates the output HTML file from a template, using RC4 encryption routines and embedding the decryption key within the output file. The resulting HTML can either be browsed by the targeted user or sent as an attachment.

  2. An HTML/JavaScript page into which you drag the file to be encrypted. It generates the output HTML file using the WebCrypto API, but does NOT embed the decryption material (key and counter). Instead, the decryption material is displayed as a set of URL parameters to be added to a URL pointing to the resulting HTML file: http(s)://hosting.server.com/result.html#hexencodedkey!hexencodedcounter. So the resulting HTML file cannot be sent as an attachment. The main advantage of this technique is that the decryption material is not embedded in the file itself, which prevents analysis and even retrieval of the payload by any system that doesn't have the full URL (e.g. an intercepting proxy).
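A defender-side triage check for the two flavors described above, given as an added example (not code from the EmbedInHTML project or its author). The indicator strings, the entropy threshold and the minimum hex lengths are assumptions chosen for illustration, and the sample documents are constructed.

```python
import base64, hashlib, math, re
from urllib.parse import urlsplit

# Heuristics assumed for this example; not taken from the tool's template.
KEY_FRAGMENT = re.compile(r"[0-9a-fA-F]{16,}![0-9a-fA-F]{8,}")  # #hexkey!hexcounter
B64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}")
DECODE_HINTS = ("atob(", "crypto.subtle", "charCodeAt(")
SAVE_HINTS = ("createObjectURL", "msSaveBlob", "msSaveOrOpenBlob", ".click(")

def fragment_carries_key(url):
    """True when the URL fragment has the hexkey!hexcounter shape."""
    return KEY_FRAGMENT.fullmatch(urlsplit(url).fragment) is not None

def byte_entropy(data):
    """Shannon entropy in bits per byte (values near 8.0 look random)."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def scan_html(html):
    """Return the indicators found and a verdict for one HTML document."""
    found = set()
    for run in B64_RUN.findall(html):
        raw = base64.b64decode(run[: len(run) // 4 * 4])
        if byte_entropy(raw) > 7.0:
            found.add("high-entropy embedded blob")
    if any(h in html for h in DECODE_HINTS):
        found.add("client-side decode/decrypt")
    if any(h in html for h in SAVE_HINTS):
        found.add("script-triggered save")
    return {"indicators": sorted(found), "suspicious": len(found) == 3}

# Constructed samples (not output of the tool): pseudo-random bytes stand in
# for an encrypted payload, repeated text for an ordinary inline resource.
_blob = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))).decode()
SMUGGLING_LIKE = (f"<html><body><script>var d=atob('{_blob}');"
                  "var a=document.createElement('a');a.href=URL.createObjectURL(new Blob([d]));"
                  "a.download='sample.bin';a.click();</script></body></html>")
BENIGN = ("<html><body><img src='data:image/png;base64,"
          + base64.b64encode(b"hello world " * 200).decode() + "'></body></html>")

if __name__ == "__main__":
    print(scan_html(SMUGGLING_LIKE))
    print(scan_html(BENIGN))
    print(fragment_carries_key("https://hosting.server.com/result.html#00112233445566778899aabbccddeeff!0011223344556677"))
```

Because a URL fragment is never sent in the HTTP request, fragment_carries_key is only useful on URLs taken from message bodies, chat logs or browser history, not from proxy or web-server logs.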

Side notes:

Usage

A few example payload files are provided in the payloads_examples directory. For instance, calc.xll is an Excel add-in (XLL) file that contains a Metasploit shellcode for x86 processes to launch the calc.exe process.

Using the Python script

1/ Generate the malicious HTML file from the XLL file, along with a secret key: python embedInHTML.py -k mysecretkey -f example_calc.xll -o index.html

2/ Expose the HTML file on a web server (one can optionally be started for you with the -w flag)

Using the HTML/JavaScript

1/ Open the embedInHTML.html file within a browser

2/ Simply drag the payload file into the page (you can optionally change the output file name)

3/ Save the resulting file and take note of the decryption material as URL parameters to be added to the file name in the form: http(s)://hosting.server.com/result.html#hexencodedkey!hexencodedcounter

Eventually...

Point the target's browser to the HTML file and let the magic happen.

DISCLAIMER

This tool is intended to be used in a legal and legitimate way only:

  • either on your own systems as a means of learning, of demonstrating what can be done and how, or testing your defense and detection mechanisms
  • on systems you've been officially and legitimately entitled to perform some security assessments (pentest, security audits)

Quoting Empire's authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them.
