This idea popped in my head a while back and is still on my todo list (note: my todo list never shrinks). The following context/problem applies.
Suppose you want to steal information but the server you want to backdoor has got all ports ip restricted on an application level. Like a IIS instance which restricts users based on their ip address. How could this be bypassed without adjusting the IIS configuration or using a complicated rootkit. I thought of the following (note: this can also be implemented in ring0):