Hacking NASA With HTML

// Embedding Python In HTML For Malware...

Hey Hackers! You may already be familiar with the popular meme of "hacking NASA with HTML". It's a joke in the hacker community that expresses how newcomers think inspecting the source and editing the HTML is enough to hack NASA. But in reality, this isn't the case...right?

During PyCon of 2022, Anaconda released their latest project, "PyScript". PyScript is a framework that allows users to run Python in HTML. Yes, that's right, Python! All we need to do is add these two lines of code in an HTML head tag:

<head>
	<link rel="stylesheet" href="https://pyscript.net/latest/pyscript.css"/>
	<script defer src="https://pyscript.net/latest/pyscript.js"></script>
</head>	

After adding this, you can execute Python code in your HTML code between "PyScript" tags

<head>
	<link rel="stylesheet" href="https://pyscript.net/latest/pyscript.css"/>
	<script defer src="https://pyscript.net/latest/pyscript.js"></script>
</head>	

<body>
	<!--pyscript code-->
	<py-script>
		# python code goes here
	</py-script>
</body>

Now if we wanted to use any libraries from the Python Package Index, we would simply need to add a PyScript Configuration in the HTML. I'll show an examples of us importing the "requests" library

<head>
	<link rel="stylesheet" href="https://pyscript.net/latest/pyscript.css"/>
	<script defer src="https://pyscript.net/latest/pyscript.js"></script>
	    <py-config>
    packages = [
        "requests"
    ]
    </py-config>
</head>	

<body>
	<!--pyscript code-->
	<py-script>
		# python code goes here
	</py-script>
</body>

// So What?

The ability to execute Python code in HTML could now become an attack vector for hackers. What could be seemingly innocent HTML scripts can now have malicious Python code embedded within them. More importantly, it is the first introduction to getting Python to run "natively" on Windows.

With that said, Let's explore the potential attacks from a hacker capable of using PyScript...and other methods of native Python execution.

HTA Integration: [PoC]

HTML Applications (.HTA files) are a Windows application format that supports the rendering of HTML code. It is a fairly popular format for ransomware messages and other fun native web apps.

With the introduction of concepts like PyScript, I was curious to see if a framework like PyScript would work in an HTA. Unfortunately, I was not successful in this endeavor. HTA does have its attack vectors through languages like Jscript (a bootleg, SoundCloud, made in China version of Javascript). But regarding Python, there was no luck.

// Applications for HTML Applications:

Even though I couldn't get a PoC working for PyScript in HTA, it isn't hard to consider what would be possible. Getting successful Python code execution would mean being able to natively run Python malware on computers. Constructs like reverse shells, ransomware, and shellcode are the least of our concerns when we factor in the sheer number of libraries Python can access.

// Microsoft Excel:

Fast forward to August of 2023, VX-Underground made a post about Microsoft Excel's new support for Python! They jokingly remark about the possible attack vector this could lead to (as seen in the post below):

Even though they were joking, we need to consider the possibility of a new method of executing Python on Windows (natively). Something like this would greatly increase a bad actor's capability to conduct phishing campaigns. No longer will hackers need to write macros in Visual Basic when they can now write Python scripts that can natively be executed by a Windows process. I am sure Windows has implemented proper levels of sanitization for this, but it is an interesting idea nonetheless. Thanks for reading, and as always,

Happy Hacking!

// Socials:

• GitHub

• YouTube

• Instagram

• Discord

© 2022 by Cosmodium CyberSecurity LLC