JavaScript Auto Download

by Vince

The other day I wrote about EmbedInHTML and, like most things, I wanted to learn more about the mechanics. While poking around, I found an article, HTML Smuggling, which I guess is the technical term, but it started to spell things out for me. The article is worth reading and there's no need for me to rehash the entire post, but the gist of it is that we're taking a document, converting it to Base64, and passing that across to the browser with an auto download function.

This is just the source I pulled from their Demo page and I stripped out the unrelated stuff:


Note the placeholder in the document for the Base64.

Next, we cat a document to an output file.  When we look at the output the format contains line feeds.


Maybe there's a way to deal with this in one swoop but I just used sed on the output file and it solves the problem:


Next, we embed this string into the placeholder:


When we hit the URL with Chrome, it automatically downloads the file:


If we were using Firefox, we'd get the Save File dialog box. Browsers vary and your desired result may also vary based on the application.

When we open the doc, we see that it's completely intact. 
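From the defender's side, the pattern walked through above (a Base64-encoded document sitting in the page next to an auto download function) is something a proxy, mail gateway or triage script can flag. The following is an added example, not code from this post or from the HTML Smuggling article; the function name `scan_html`, the indicator list and the sample page are assumptions constructed for illustration.

```python
import base64
import re

# Browser APIs that turn in-page bytes into a file download (assumed indicator list).
JS_INDICATORS = ("new Blob", "createObjectURL", "msSaveOrOpenBlob", ".download")

# Leading bytes of file types worth flagging when they arrive inside a page.
MAGIC = {
    bytes.fromhex("d0cf11e0a1b11ae1"): "OLE2 (legacy Office document)",
    b"PK\x03\x04": "ZIP container (OOXML, jar, zip)",
    b"MZ": "Windows PE executable",
}

# A quoted literal of Base64 characters; whitespace is allowed because
# line-wrapped encoder output may be pasted in as-is.
B64_LITERAL = re.compile(r"""["'`]([A-Za-z0-9+/\s]{64,}={0,2})["'`]""")

def scan_html(html):
    """Return one finding per quoted Base64 literal that decodes to a known file type."""
    indicators = [s for s in JS_INDICATORS if s in html]
    findings = []
    for match in B64_LITERAL.finditer(html):
        b64 = re.sub(r"\s+", "", match.group(1))
        if len(b64) < 16:
            continue
        head = base64.b64decode(b64[:16])  # first 12 decoded bytes are enough
        for magic, file_type in MAGIC.items():
            if head.startswith(magic):
                findings.append({
                    "offset": match.start(1),
                    "encoded_length": len(b64),
                    "file_type": file_type,
                    "js_indicators": indicators,
                    "auto_download_likely": bool(indicators),
                })
    return findings

# Constructed sample: an OLE2 header padded with zeros, embedded in an inert page.
FAKE_DOC = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 64
SAMPLE_PAGE = (
    "<html><body><script>var file = '%s';"
    "var blob = new Blob([bytes]); a.download = 'report.doc';"
    "a.href = URL.createObjectURL(blob);</script></body></html>"
    % base64.b64encode(FAKE_DOC).decode()
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

A finding with `auto_download_likely` set means the page both carries a file and references the APIs needed to hand it to the user, which is the combination worth alerting on; an embedded file with no such indicators still deserves a look.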


No payload here but that's basically where we could take this for the purpose of a penetration test. Consider the following:


Sub Auto_Open()

    Dim Shell As Object
    Set Shell = CreateObject("Wscript.Shell")

    Shell.Run "powershell -WindowStyle Hidden [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Hello, World.')"

    Dim title As String
    title = "Micorosoft Office (Compatibility Mode)"
    Dim msg As String
    Dim IntResponse As Integer
    msg = "This application appears to have been made with an older version of the Microsoft Office product suite."
    IntResponse = MsgBox(msg, 16, title)

    Application.Quit

End Sub


I've been playing around with Macros lately and one thing I can tell you is that what worked last week is not working this week.  In addition, some a/v products won't allow ANY PowerShell to execute, including Hello World.  One a/v product wouldn't even allow the Hello World example to run even when executing from the PowerShell command window. 

One final thought, on that macro script, you might want to remove the Application.Quit line if you want to easily get back into the document.  Otherwise, I think you have to hold down ESC or some combination with ESC to stop the macro from executing.