Dailydave mailing list archives

Shellcode, as always.


From: Dave Aitel <dave () immunitysec com>
Date: Sat, 06 Aug 2005 20:59:05 -0400

The next shellcode I want to write is a tiny named pipe (MSRPC?) server stub that does MOSDEF. There are a couple good reasons for this. I think it'd be neat to raise the covertness bar in CANVAS and then have your MOSDEF connection fragmented across SMB+MSRPC, or even encrypted under packet privacy. There are lots of IDS companies who are triggering on the MOSDEF second stage itself, which is annoying. I could step it up a notch, and just use a decoder every time I send a MOSDEF packet, which is a two line change, but then they'll just trigger on the decoder. And, of course, I could do a source-level polymorphic decoder for the second stage, since MOSDEF is, at heart, a compiler, and the second stage can be as big as it wants. No doubt that'll be a good task for an intern some day, but today I want to do the named pipe thing and see how it works.

The other thing I want a named pipe MOSDEF for is for Nematode.py, since it makes more sense in that case than a connectback would (which normally I much prefer). I think the first public discussion of Nematodes is here: http://conference.hackinthebox.org/hitbsecconf2005kl/?p=13 . Feel free to pipe up with self-righteous anger and indignation at the topic. Even better if you show up and do it personally. :>

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave