The attack/code he showed cannot, but what you can do it write different iframes. Here is an example:
a+'.'+b+'.'+c+'.'+d
where a=192 b=168 c=0-255 b=0-255
Of course this could be any private network address range[1]. Next you would use document.write or .innertext to make these iframes. Personally I wouldn't stop at the first one. I would log all the frames that loaded into an array and from there test them further. I would also get the users IP address and tack on :80, :8080, :21, ect and see what I am presented with- web torrent frontends, ftp servers, ect.
a+'.'+b+'.'+c+'.'+d
where a=192 b=168 c=0-255 b=0-255
Of course this could be any private network address range[1]. Next you would use document.write or .innertext to make these iframes. Personally I wouldn't stop at the first one. I would log all the frames that loaded into an array and from there test them further. I would also get the users IP address and tack on :80, :8080, :21, ect and see what I am presented with- web torrent frontends, ftp servers, ect.
[1] http://en.wikipedia.org/wiki/Private_network