BobTheSmuggler: Your Covert Cyber Swiss Knife for Undetectable Payload Delivery

Harpreet Singh
9 min read · Jan 16, 2024


Hey there, digital ninjas and keyboard warriors! If you’ve ever felt the thrill of a red team engagement, you know the adrenaline rush of finding a way into the “impenetrable” fortress that is your client’s network. But what happens when you’re in, but can’t quite get your precious cargo where it needs to go thanks to exceptionally strict security policies? Well, that’s when you pull a Houdini and make your payload appear right where you need it, without the all-seeing eyes of cybersecurity tools catching even a glimpse. This is the world of HTML smuggling, my friends, and trust me, it’s every bit as intriguing as it sounds.

So, grab a cup of your favourite caffeinated beverage, and allow me to unravel the tale of “BobTheSmuggler” — more than just a tool, it stands as a testament to the ingenuity of red teamers worldwide.

GitHub Link: https://github.com/TheCyb3rAlpha/BobTheSmuggler

That One Time on a Red Team Gig…

Imagine this scenario: We found ourselves deep within an assumed breach situation, attempting to deploy our payload in the client’s secure environment. Direct delivery? Blocked. Conventional methods? Foiled. Our payload seemed destined to remain in digital limbo… until, that is, a stroke of genius struck one of my teammates.

Here comes the star of the show: HTML smuggling. Luckily, with 7zip installed on the client’s systems, we held the key to success. We neatly compressed our binary into a 7z package (password-protected, of course), carefully placing it within an HTML file like a confidential message in a bottle. Then, we hosted this HTML file on our dedicated payload server. To our delight, the client’s browser effortlessly accepted the 7z file, no questions asked. In the blink of an eye, the payload was deployed, and our beacon lit up brighter than a neon sign in a cyberpunk cityscape.

The Birth of a Smuggler

From this engagement, I thought to myself, “Hey, wouldn’t it be great to automate the entire process of archiving and embedding?” And as if the idea wasn’t brilliant enough, I faced another challenge — those base64 encoded payloads were making my HTML files significantly larger, like a Thanksgiving turkey on steroids. Not exactly ideal for slipping into someone’s inbox unnoticed.

But then, boom! Idea number two. Why not hide the EXE in a PNG image, like a secret compartment in a digital picture frame? So, I implemented that idea, and guess what? It worked perfectly. But then, staring at the PNG, I noticed the EXE file standing out prominently (blame that MZ header).

Time for idea number three: the good old XOR. A little sprinkle of XOR magic, and my EXE was as invisible as a ghost in the machine — playing peekaboo with the best of ’em.

And thus, “BobTheSmuggler” was born — a tool which represents an advanced and sleek solution, like having a digital Swiss Army knife at your disposal. It’s designed to compress, encrypt, and securely transport your payload with sophistication and ease. Think of it as a digital magician, cleverly hiding a payload in plain sight.

The Perfect Scenario for a Heist

So, when do you call on BobTheSmuggler to save the day? Here’s the rundown:

  • Assumed Breach Scenarios: You’ve made it into the network, and now it’s time for a game of hide-and-seek with your payload. For this, you can count on BobTheSmuggler to be your go-to person.
  • Phishing Campaign Assessments: You’re the puppet master, pulling the strings with emails that are too tempting not to click. And when they do — Bam! BobTheSmuggler does the heavy lifting.
  • Data Exfiltration Exercise: Got some precious digital goods to sneak past those pesky digital guards (DLPs)? BobTheSmuggler is your stealthy escape artist.

The Art of Digital Smuggling

Now, let’s break down the nitty-gritty of how “BobTheSmuggler” pulls off this digital heist:

The Setup

First, you’ve got your binary, your Picasso of payloads. You need to make it travel-size, so you squish it into a 7z/ZIP file (password-protected). Think of it as your payload’s cozy little sleeping bag.

The Disguise

Next up, you play dress-up with your payload using XOR encryption. It’s like putting on an invisibility cloak — it’s there, but no one can see it.

The Trojan Horse

Here’s where it gets clever. You hide your now invisible payload inside an image file. A PNG or GIF plays host, and nobody’s the wiser because, hey, it’s just a picture, right?

The Magic Trick

This is where “BobTheSmuggler” shines. You’ve got a JavaScript code that’s like the magician’s assistant. It pulls out the payload from the image and holds it up in its own little invisible bubble — technically, a memory blob. We’re talking about pure sleight of hand here. It’s like making a rabbit appear out of a hat on the internet stage.

The Grand Finale

You wrap this all up in an HTML or SVG file, which is basically the stage for our magic show. This file gets uploaded to a CDN or your own server, like putting up posters for the big event.

Showtime

When the target system’s browser opens this HTML file, the JavaScript code kicks in like the opening act. It downloads the PNG/GIF, now hiding in plain sight in the cache like a secret agent in a crowd.

The Big Reveal

With a flourish, the JavaScript extracts the encrypted data from the image, does the XOR decrypt with a snap of its digital fingers, and voila! — the payload is now a blob, ready for the taking. Just when you think the show’s over, HTML smuggling pulls off its grandest trick — an auto-click download. Your audience (the target system) doesn’t even need to lift a finger; the payload downloads itself.

And there it is, the payload delivered, the mission accomplished. You take a bow as the beacon signals home. It’s a standing ovation in the world of cyber ops.

Shadow Ops: A Hacker’s Path to Tool Expertise

Let’s get to grips with how to harness BobTheSmuggler’s magic. To create a PNG or GIF file, you can use these commands (assuming you’ve already installed all the necessary libraries; in case you haven’t, check out the GitHub link):

cd BobTheSmuggler
python3 BobTheSmuggler.py -i <path/to/your/payload/file OR directory> -p <PASSWORD_FOR_7z/zip> -f <OUTPUT_HTML_FILENAME> -o <OUTPUT_FILENAME_EXTRACTED_AND_DOWNLOADED> -t <TEMPLATE_TYPE>

By using the command mentioned earlier, BobTheSmuggler will ZIP your EXE file and then embed it within an HTML file. As a result, the size of the HTML file will increase to accommodate the embedded ZIP file. You can change the compression type to 7z using the -c 7z option.

Please note that if you set template type to HTML (-t html), BobTheSmuggler will not apply XOR encryption to your payload.

The HTML file created by BobTheSmuggler, named NewHTMLSmuggleFile.html, has a file size of 226KB. Upon examining the JavaScript code within this file more closely, you’ll notice that it contains the entire base64 encoded payload embedded within the HTML, which contributes to its increased size.

Just a heads up: if you do a quick base64 decode on that encoded stuff in the HTML file, you’ll see it’s actually the ZIP file. And there’s no XOR encryption added when you’re working with the HTML template in BobTheSmuggler (it was built that way).
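From the defender’s side, the two observations above (a large base64 literal that decodes straight to an archive, and JavaScript that turns it into a blob and auto-clicks a download) are exactly what an analyst checks when triaging a suspicious HTML attachment. The script below is an added example written for this post, not part of BobTheSmuggler: it pulls every long base64 literal out of an HTML file, decodes it, identifies the container by its magic bytes, and counts the browser APIs a smuggling page needs. The indicator names, the 200-character literal threshold and the “three indicators plus an embedded file” rule are my assumptions, and the sample page is constructed inline (a tiny ZIP holding a text file), not output of the tool.

```python
import base64
import io
import re
import zipfile

# Well-known file magics an analyst expects behind a smuggled base64 literal.
MAGICS = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"MZ": "pe-executable",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
}

# Browser APIs a page needs to turn text into a file download. Each is
# harmless alone; together they are the HTML-smuggling pattern the post describes.
# (Indicator names are this example's own labels, not a published rule set.)
INDICATORS = {
    "base64-decode": re.compile(r"\batob\s*\("),
    "blob-construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object-url": re.compile(r"\bcreateObjectURL\s*\("),
    "forced-download": re.compile(r"\.download\s*=|\bmsSaveOrOpenBlob\b"),
    "auto-click": re.compile(r"\.click\s*\(\s*\)"),
}

# A base64 run long enough to carry a file rather than an icon or a key
# (200 characters is an assumed threshold; tune it to your corpus).
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def identify(data: bytes) -> str:
    """Map the leading bytes of a decoded literal to a file type name."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_html(html: str) -> dict:
    """Report smuggling indicators and every embedded file found in the page."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    embedded = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue                # long run of base64 alphabet, but not base64
        embedded.append({"offset": m.start(), "size": len(raw), "type": identify(raw)})
    has_file = any(e["type"] != "unknown" for e in embedded)
    return {
        "indicators": hits,
        "embedded": embedded,
        "suspicious": len(hits) >= 3 and has_file,   # assumed verdict rule
    }


def build_sample() -> str:
    """Constructed sample page: a tiny stored ZIP (one text file) base64-encoded
    into a script that uses the same APIs the post describes. Not a real dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample content " * 20)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><script>
var raw = atob("{b64}");
var blob = new Blob([raw]);
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "sample.zip";
link.click();
</script></body></html>"""


if __name__ == "__main__":
    report = triage_html(build_sample())
    print("indicators:", ", ".join(report["indicators"]))
    for e in report["embedded"]:
        print(f"embedded {e['type']} of {e['size']} bytes at offset {e['offset']}")
    print("suspicious:", report["suspicious"])
```

Run it on a real attachment by reading the file into `triage_html()`; a page that scores on the indicators but carries no decodable file usually means the payload is fetched from elsewhere (the PNG/GIF variant described later in the post), so the referenced image URL is the next thing to pull.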

If you’re looking to drastically reduce the size of your HTML file, shrinking it down from several hundred KBs to just about 1KB, let’s get into how you can do that by creating HTML files with cleverly concealed PNG or GIF files using BobTheSmuggler.

BobTheSmuggler’s Digital Camouflage: From Image to HTML Script

To generate a stealthier HTML file, you can use the -t option to select the PNG/GIF template type. Then, apply the -png or -gif option to include your chosen custom PNG or GIF file.

A sample PNG/GIF file can be found in the resource/samples/ directory of this tool.

python3 BobTheSmuggler.py -i <path/to/your/payload/file OR directory> -p <PASSWORD_FOR_7z/zip> -f <OUTPUT_HTML_FILENAME> -o <OUTPUT_FILENAME_EXTRACTED_AND_DOWNLOADED> -t <png/gif> -png/-gif <path/to/PNG OR GIF file>

After you’ve got all the necessary files ready, which includes the HTML output file and the embedded PNG file, a quick check of the file listing can reveal the difference in file size between the original PNG file and the one embedded in the HTML. In my case, the original file size is 5.4 KB, but after embedding the XOR encrypted payload into the PNG file, its size increases to 171 KB.

If you take a quick peek at the hex dump of each file, you’ll notice that the embedded PNG file has got two extra PNG chunks tacked onto it compared to the original.
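The size jump and the two extra chunks in the hex dump are the detectable trace of this technique: PNG is a chunked format, every chunk carries a four-letter type and a CRC, and the specification defines only a small set of types. The inspector below is an added example written for this post, not code from BobTheSmuggler: it walks a PNG chunk by chunk, verifies each CRC, and reports chunks outside the known set (with their size and Shannon entropy, since XOR-ed or compressed data sits near 8 bits per byte), payload-sized ancillary chunks, chunks after IEND, and trailing bytes that are not chunks at all. The chunk set, the 4 KiB size threshold and the sample images (a hand-built 1x1 PNG, with and without a private high-entropy chunk spliced in) are this example’s own assumptions and constructions.

```python
import struct
import zlib
from math import log2

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types from the PNG specification plus the common APNG/eXIf extensions.
# Anything outside this set is not necessarily malicious, but it is exactly
# what an appender produces, so it is reported with its size and entropy.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}
IMAGE_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
PAYLOAD_SIZE = 4096   # assumed: ancillary chunks above this are "payload-sized"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * log2(c / n) for c in counts if c)


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png: bytes):
    """Return ([(offset, type, data, crc_ok), ...], offset after the last parseable chunk)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        # Chunk types are ASCII letters; anything else is trailing data, not a chunk.
        if not ctype.isalpha() or pos + 12 + length > len(png):
            break
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        chunks.append((pos, ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)))
        pos += 12 + length
    return chunks, pos


def inspect_png(png: bytes) -> list:
    """Return human-readable findings; an empty list means nothing unusual."""
    findings, seen_iend = [], False
    chunks, end = parse_chunks(png)
    for offset, ctype, data, crc_ok in chunks:
        name = ctype.decode("ascii")
        if seen_iend:
            findings.append(f"chunk {name} after IEND at offset {offset}")
        if not crc_ok:
            findings.append(f"bad CRC on {name} at offset {offset}")
        if ctype not in KNOWN_CHUNKS:
            # Second letter lowercase = private chunk (PNG naming rules).
            kind = "private" if ctype[1:2].islower() else "unregistered"
            findings.append(f"{kind} chunk {name}: {len(data)} bytes, entropy {entropy(data):.2f}")
        elif ctype not in IMAGE_CHUNKS and len(data) > PAYLOAD_SIZE:
            findings.append(f"payload-sized {name} chunk: {len(data)} bytes, entropy {entropy(data):.2f}")
        seen_iend = seen_iend or ctype == b"IEND"
    if not seen_iend:
        findings.append("no IEND chunk (truncated or malformed)")
    if end < len(png):
        findings.append(f"{len(png) - end} trailing bytes after the last parseable chunk")
    return findings


def minimal_png() -> bytes:
    """Constructed 1x1 RGB image, built by hand so the example needs no image library."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter 0 + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def with_stowaway_chunk(png: bytes) -> bytes:
    """Constructed suspect: the same image with a private, uniform-entropy chunk before IEND."""
    noise = bytes((i * 131 + 7) % 256 for i in range(8192))   # deterministic, every byte value 32x
    iend = chunk(b"IEND", b"")
    return png[:-len(iend)] + chunk(b"stGo", noise) + iend


if __name__ == "__main__":
    samples = [("clean", minimal_png()),
               ("extra chunk", with_stowaway_chunk(minimal_png())),
               ("trailing bytes", minimal_png() + b"\x00" * 100)]
    for label, sample in samples:
        print(f"{label}: {inspect_png(sample) or 'nothing unusual'}")
```

Point `inspect_png()` at any downloaded image (`inspect_png(open(path, "rb").read())`) to get the same chunk-level view the hex dump gives by eye; an image whose non-image chunks dwarf its IDAT data, as in the 5.4 KB to 171 KB example above, stands out immediately.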

And now, if you check out the HTML file created by BobTheSmuggler, you’ll find that its file size has shrunk down to just 1 KB. The JS code looks like this:

NOTE: In the code, you’ll come across a default localhost URL (like http://127.0.0.1:8000/banner.png). What you need to do is replace this URL with the actual CDN URL where you plan to upload your PNG file. This step is not automated.

The HTML file that BobTheSmuggler generates can be employed in various scenarios, like simulating a breach or as an attachment in a phishing campaign. How you use this tool is entirely up to you. However, it’s worth noting that if you open the generated HTML file in a browser, it’ll just show a blank page, which might raise suspicions. To make things less conspicuous, I’ve thought of using custom HTML/SVG templates with BobTheSmuggler. This way, you can create a more visually appealing and less obvious HTML payload. Let’s now explore how to use these custom HTML/SVG templates.

Custom HTML/SVG templates with BobTheSmuggler

To use a custom HTML/SVG template, you can use one of the following commands:

python3 BobTheSmuggler.py -i <path/to/your/payload/file OR directory> -p <PASSWORD_FOR_7z/zip> -f <OUTPUT_HTML_FILENAME> -o <OUTPUT_FILENAME_EXTRACTED_AND_DOWNLOADED> -t <TEMPLATE_TYPE> -e <CUSTOM_HTML_TEMPLATE>

OR

python3 BobTheSmuggler.py -i <path/to/your/payload/file OR directory> -p <PASSWORD_FOR_7z/zip> -f <OUTPUT_HTML_FILENAME> -o <OUTPUT_FILENAME_EXTRACTED_AND_DOWNLOADED> -t <png/gif> -png/-gif <path/to/PNG OR GIF file> -e <CUSTOM_HTML_TEMPLATE>

The key difference between these commands is in the way your HTML file gets put together. The first command embeds your compressed payload in your custom HTML file as a base64 string only. The second one, though, just adds a link to your PNG/GIF file in the custom HTML you provide. So, it’s up to you to decide which approach you prefer.

BobTheSmuggler will create a new HTML file for you, and when you open this file in a browser, it’ll display as a nicely formatted HTML page. To make things easier, I’ve included two templates that you can use with this tool:

  1. OneDrive Download HTML Template, which was utilized by the BumbleBee malware delivery mechanism.
  2. PayPal Fake Invoice SVG Template, commonly used for callback phishing.

These templates are designed to streamline your process and offer more realistic and effective options for your needs.

So there you go, my fellow keyboard commandos. May your connections be secure, and your payloads always find their way. Keep hacking the planet, and always play it like the clever fox amidst the digital hounds. Remember, with “BobTheSmuggler,” you’re not just breaking the mold; you’re crafting a whole new one.

Stay stealthy, stay sharp, and above all, stay out of the digital spotlight.

Hack on and prosper! 🐱‍💻✨
