BobTheSmuggler: Open-source tool for undetectable payload delivery

BobTheSmuggler is an open-source tool designed to easily compress, encrypt, and securely transport your payload. It basically enables you to hide a payload in plain sight.

BobTheSmuggler is helpful in phishing campaign assessments, data exfiltration exercises, and assumed breach scenarios.

Features

• Hiding the payload inside images and calling it separately from a JavaScript code.
• Using dynamic XOR encryption to hide the payloads. This helps bypass network firewalls and monitoring tools (including DLPs).
• Keeping the HTML size to ~1KB. Easy for payload attachment. It can also be uploaded to CDN or another target server for quick transfer.
• Using custom HTML templates to embed the payload inside.

“In many of my red team engagements, I encountered scenarios where I had to deliver a payload to the target, and due to a DLP or firewall rule, the payload delivery was blocked. I quickly opted for the HTML smuggling technique for payload delivery, but none of the publicly available tools had the feature to hide the payload inside PNG/GIF. Most tools would just base64 encode the binary and embed it inside the HTML file. Due to this reason, the HTML file size would increase to a few MBs. This file wouldn’t be ideal for sending as an email attachment due to size constraints, Harpreet Singh, the creator of BobTheSmuggler, told Help Net Security.

“With BobTheSmuggler, I was able to solve the problems I faced by hiding the payload inside image polyglots, calling the PNG/GIF files from remote (hence keeping the size minimal), and then evading DLPs & firewalls by adding dynamic XOR encryption to the payloads hidden inside the image. Simple Javascript code would download the PNG/GIF file from the server, save it in the cache, and then do its magic with HTML smuggling,” Singh added.

The tool currently support the following payload Delivery Chains:

• .EXE/.DLL –> .7z/.Zip (Password Protected) –> .JS –> .HTML
• .EXE/.DLL –> .7z/.Zip (Password Protected) –> .JS –> .SVG –> .HTML
• .EXE/.DLL –> .7z/.Zip (Password Protected) –> .PNG/.GIF –> .JS –> .HTML
• .EXE/.DLL –> .7z/.Zip (Password Protected) –> .PNG/.GIF –> JS –> .SVG –> .HTML

Future plans

“I want to add more features to make it more useful, and I welcome all the suggestions and feedback I can get to make this tool successful,” Singh added.

Some of the things he would like to add are:

• Adding more image polyglots. (maybe ICO, JPG file formats).
• Adding different file extensions such as PDFs, DOCs, etc.
• Adding EML file support to make a more stealthy approach for payload delivery via attachment.

BobTheSmuggler is available for free on GitHub.

Must read:

• 15 open-source cybersecurity tools you’ll wish you’d known earlier
• 20 essential open-source cybersecurity tools that save you time