Rapid7 Vulnerability & Exploit Database

McAfee SaaS MyCioScan ShowReport Remote Command Execution

Back to Search

McAfee SaaS MyCioScan ShowReport Remote Command Execution



This module exploits a vulnerability found in McAfee Security-as-a-Service. The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails to check the FileName argument, and passes it on to a ShellExecuteW() function, therefore allows any malicious attacker to execute any process that's on the local system. However, if the victim machine is connected to a remote share (or something similar), then it's also possible to execute arbitrary code. Please note that a custom template is required for the payload, because the default Metasploit template is detectable by McAfee -- any Windows binary, such as calc.exe or notepad.exe, should bypass McAfee fine.


  • rgod
  • sinn3r <sinn3r@metasploit.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/fileformat/mcafee_showreport_exec
msf exploit(mcafee_showreport_exec) > show targets
msf exploit(mcafee_showreport_exec) > set TARGET < target-id >
msf exploit(mcafee_showreport_exec) > show options
    ...show and set options...
msf exploit(mcafee_showreport_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security