Client Side exploit Delivery - Word files

Today i will do a brief post about how you can deliver an exploit URL to your target.
I was reading the SANS storm post about MS09-002 XML/DOC initial infection vector, and i wanted to try it. Here is the information from SANS:

After many failed attempts and some research, i stumble and old post about a XSS in Word documents where the steps to accomplish the XSS where:

The html file content:

So if you change the value code by your exploit serving URL, you will get your exploit served when the target open the Word document.

In this example i changed the value by "" and the results when opening the word file:

And in the next page is the little frame with the page loaded:

For doing it in a cleaner way, your page will be blank, so there will be no trace at plain sight for a typical user. Also it's possible to play with the object size and location. Also depending on the configuration the user will receive an alert saying that an Activex is trying to run.

So for your next penetration test when you need to perform a targeted client side attack, fire up Metasploit, setup MS09-002 build a Word file, send emails with juicy Subjects , leave some USB sticks on the building and wait :)


0 comentarios: