- ... interpreter [2.1]
- There are other classes of post-exploitation payloads, but these two are the most prominent. findsock-style payloads are excluded from this discussion because they depend on the specific vulnerability being exploited (they reuse the connection that delivered the exploit) and are therefore not as universal as the two commonly used payloads.
- ... succeeded [2.2]
- In some cases it is possible to rebind to the port of the service being exploited. Doing so is outside the scope of this document.
- ... action [2.3]
- An example of this is ZoneAlarm's outbound filter, which prompts the user when an application attempts to make a connection and asks whether the connection should be allowed.
- ... filters [2.4]
- The second
most likely, in the author's opinion, is DNS.
- ... traffic [3.1]
- It is possible to make use of techniques like chunked transfer encoding; however, such traffic is easier for an outbound filter to flag as malicious, and it cannot always be relied upon to work when passing through HTTP proxies, which may buffer or re-frame the body.
- ... fashion [3.2]
- This, as fate would have it, aligns well with this paper's intention of creating an HTTP tunnel in the context of a trusted process.
- ... manually [3.3]
- The control would have to be registered under the per-user classes key (HKEY_CURRENT_USER\Software\Classes) rather than the machine-wide classes key (HKEY_LOCAL_MACHINE\Software\Classes) in order to avoid permission problems, since the former is writable without administrative rights.
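The per-user registration described in this footnote, as an added example that is not code from the paper or from PassiveX: it registers a hypothetical in-process COM server under HKCU\Software\Classes so that CLSID and ProgID lookups resolve it without administrative rights, verifies the merged HKEY_CLASSES_ROOT view, and includes the audit check a defender would run for per-user CLSIDs that shadow machine-wide ones. The ProgID and DLL path are placeholders and the CLSID is generated at run time.

```powershell
# Added example (not from the paper or PassiveX). Registers a hypothetical
# in-process COM server for the current user only. HKCU\Software\Classes is
# owned by the user, so no elevation is required; HKEY_CLASSES_ROOT is the
# merged view of HKLM and HKCU classes, and for a non-elevated process the
# per-user entry takes precedence.

$UserClasses    = 'HKCU:\Software\Classes'
$MachineClasses = 'HKLM:\Software\Classes'

function Register-UserComServer {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][string]$ProgId,
        [Parameter(Mandatory)][string]$DllPath,
        [string]$Description = 'Example user-registered control'
    )
    $clsidKey = Join-Path $UserClasses "CLSID\$Clsid"
    $null = New-Item -Path "$clsidKey\InprocServer32" -Force
    Set-ItemProperty -Path $clsidKey -Name '(default)' -Value $Description
    Set-ItemProperty -Path "$clsidKey\InprocServer32" -Name '(default)' -Value $DllPath
    Set-ItemProperty -Path "$clsidKey\InprocServer32" -Name 'ThreadingModel' -Value 'Apartment'
    $null = New-Item -Path "$clsidKey\ProgID" -Force
    Set-ItemProperty -Path "$clsidKey\ProgID" -Name '(default)' -Value $ProgId
    # ProgID -> CLSID mapping, also per-user.
    $progKey = Join-Path $UserClasses $ProgId
    $null = New-Item -Path "$progKey\CLSID" -Force
    Set-ItemProperty -Path "$progKey\CLSID" -Name '(default)' -Value $Clsid
}

function Get-ResolvedInprocServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # Caveat: processes elevated through UAC ignore HKCU\Software\Classes, so a
    # per-user registration is only visible to non-elevated processes.
    $path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $path)) { return $null }
    (Get-ItemProperty -Path $path).'(default)'
}

function Get-UserComOverrides {
    # Audit check: a per-user CLSID that also exists machine-wide is the
    # pattern used by COM hijacking, so defenders enumerate these.
    Get-ChildItem "$UserClasses\CLSID" -ErrorAction SilentlyContinue | ForEach-Object {
        $id = $_.PSChildName
        if (Test-Path "$MachineClasses\CLSID\$id") {
            $srv = Get-ItemProperty "$UserClasses\CLSID\$id\InprocServer32" -ErrorAction SilentlyContinue
            [pscustomobject]@{ Clsid = $id; UserServer = $srv.'(default)' }
        }
    }
}

function Unregister-UserComServer {
    param([Parameter(Mandatory)][string]$Clsid, [Parameter(Mandatory)][string]$ProgId)
    Remove-Item -Path (Join-Path $UserClasses "CLSID\$Clsid") -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $UserClasses $ProgId) -Recurse -Force -ErrorAction SilentlyContinue
}

# Usage with placeholder names (the DLL is not created here).
$clsid  = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
$progId = 'Example.UserControl'
$dll    = Join-Path $env:LOCALAPPDATA 'Example\control.dll'
Register-UserComServer -Clsid $clsid -ProgId $progId -DllPath $dll
'Resolved via HKCR: ' + (Get-ResolvedInprocServer -Clsid $clsid)
Get-UserComOverrides | Format-Table -AutoSize
Unregister-UserComServer -Clsid $clsid -ProgId $progId
```

The registration only takes effect for non-elevated processes, which is exactly the situation the paper is in (an unprivileged user running Internet Explorer); the audit function is the mirror image of the technique and is what a host-based detection would key on.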
- ... PassiveX [3.4]
- Though PassiveX has
been used for other projects, it seemed only fitting to use for this
one as well.
- ... same [3.5]
- This code has potential issues in certain locales, depending on whether the assumptions it makes about code paths or ASCII drive letters hold.
- ... Library) [3.6]
- ATL was picked over MFC because MFC is either less portable (when dynamically linked against the MFC DLLs, which would then have to be shipped in the CAB) or much larger (when statically linked against the MFC libraries).
- ... interface [3.7]
- This was tested with ZoneAlarm 5.5.062.011.
- ... Explorer [3.8]
- Reference code can be found in the Metasploit Framework.
- ... settings [3.9]
- The API also allows the programmer to
explicitly ignore the pre-cached settings if so desired.
- ... functional [5.1]
- There have been rumors of decisions to make it impossible to execute a hidden Internet Explorer, though no concrete information had been posted at the time of this writing.
- ... program [5.2]
- Most firewall products for NT-based versions of
Windows are implemented as NDIS intermediate drivers since such
drivers provide the lowest level of supported filtering.