360 Total Security 软件（360 杀软）Shcore.dll DLL 劫持提权漏洞https://blogs.securiteam.com/index.php/archives/3314

 ExecScent：在真实网络下使用自适应控制协议模板挖掘新的C&C域名http://paper.kakapo.ml/?p=177

Torrent repack 恶意软件分析

http://mrexodia.cf/reversing/2017/07/12/Analyzing-torrent-repack-malware

利用Office模版注入攻击关键基础设施（原文在下载链接中）

http://bobao.360.cn/learning/detail/4098.html

链接: http://pan.baidu.com/s/1hrAv8Te 密码: 33kg

求关注

360 Total Security 软件（360 杀软）Shcore.dll DLL 劫持提权漏洞（原文）

SSD Advisory – 360 Total Security Privileged Escalation

Want to get paid for a vulnerability similar to this one?

Vulnerability Summary

360 Total Security offers your PC complete protection from Viruses, Trojans and other emerging threats.

Whether you are shopping online, downloading files or chatting with your friends you can be sure that 360 Total Security is there to keep you safe and your computer optimized. Clean-up utility is just one click away to keep your PC in optimal condition.

Credit

Vendor response

Vulnerability Details

360 Total security install Shcore.dll on Windows 8.1 and above, but not in previous versions (for example – Windows 7 and XP). For this reason, the administration components of 360 Total Security try to find and load this DLL in Windows 7 too, where it does not exist.

Placing a DLL named Shcore.dll in a directory listed in the PATH system variable will load this in the memory space of 360 software. Loading the DLL inside a 360 administration process gives us privileges of administrator.

Proof of Concept

• Install 360 Total Security and optionally update to the latest version

• Log into a Windows 7 and create a DLL planting environment

1. The easiest way is to install Python for Windows

2. “Add Python to the path” in the installer (most common install option)

• Log in as a totally unprivileged user and copy the DLL renamed to Shcore.dll to C:\Python27 (in case you used Python as the DLL planting vector)

• Now there are two options in order to trigger the vulnerability

1. In case the administrator is not logged in, log in as administrator (fastest way)

2. If the administrator is already logged in – it will take several minutes. The reason is, 360 launches periodically processes in the background. Any of them will trigger the vulnerability and execute the code. Test have shown this is a matter of minutes.