## https://sploitus.com/exploit?id=D26AAA93-F2F9-5FD4-9AD2-2262D134208C
# Symantec Encryption Desktop `PGPwded.sys` local privilege escalation PoC
This repository contains a proof-of-concept for a local privilege escalation path in Symantec Encryption Desktop's `PGPwded.sys` storage filter, based on a low-privileged raw disk read/write primitive.
The PoC was developed and tested against Symantec Encryption Desktop Pro 10.4.2 MP3. Other versions have not been tested with this implementation.
The work was inspired by and builds on the original public research by Kyriakos Economou / Nettitude, now LRQA Nettitude:
- [CVE-2019-9702: Symantec Encryption Desktop Local Privilege Escalation - Exploiting an Arbitrary Hard Disk Read/Write Vulnerability Over NTFS](https://www.lrqa.com/en/cyber-labs/symantec-encryption-desktop-local-privilege-escalation-exploiting-an-arbitrary-hard-disk-read-write-vulnerability-over-ntfs/)
Their post describes the `PGPwded.sys` device access check, the trusted PGP-process injection idea, the raw read/write IOCTLs, and NTFS-based exploitation approaches. This PoC focuses on a reboot-triggered service-binary overwrite variant and includes a read-only precheck utility.
## Repository contents
```text
src/
sym_portable_launcher.c # single-EXE launcher; embeds and drops the staging worker
portable_stage_worker.c # injected worker; maps C:, opens PGPwded, stages payload
spooler_payload.c # service payload run by Spooler as LocalSystem after reboot
sym_portable_precheck.c # single-EXE read-only precheck launcher
precheck_worker.c # injected read-only diagnostic worker
*_bytes.h # generated embedded payload/worker byte arrays
tools/
sym_target_diag_lite.cmd # wrapper script for collecting target diagnostics
```
## What the exploit does
The reboot-stage exploit is a single dropped 32-bit Windows executable. At a high level:
1. The low-privileged user runs the launcher from a normal writable path, for example `C:\Users\Public`.
2. The launcher locates the Symantec PGP Desktop install directory.
3. The launcher drops an embedded 32-bit worker DLL into `%TEMP%`.
4. The launcher starts or uses a trusted PGP Desktop executable and injects the worker into that process.
5. The worker opens `\\.\PGPwdef` from inside the trusted PGP process image path.
6. The worker maps `C:\Windows\System32\spoolsv.exe` to its NTFS extent and computes the backing disk sector.
7. The worker finds which `\Device\000000xx` PGP disk object maps to that C: sector using the raw read IOCTL.
8. The worker backs up the current Spooler binary to `C:\Users\Public\spoolsv.exe.orig.portable`.
9. The worker raw-overwrites the sectors backing `spoolsv.exe` with an embedded LocalSystem service payload.
10. After reboot, the Windows Spooler service starts as LocalSystem and runs the payload.
11. The payload opens a visible SYSTEM command prompt in the active console session.
The read-only precheck follows the same trusted-process path, but only uses the raw read IOCTL. It does not overwrite files and does not stage the exploit.
## Build
Build from a Linux host with MinGW-w64 installed:
```bash
make
```
Expected outputs:
```text
bin/sym_portable_reboot_stage32.exe # exploit/stager
bin/sym_portable_precheck32.exe # read-only precheck
```
## Precheck usage
Run the precheck first. It is intended to answer whether the current exploit conditions are present without modifying protected files.
```cmd
C:\Users\Public\sym_portable_precheck32.exe
notepad C:\Users\Public\sym_portable_precheck.log
```
A viable target should end with:
```text
[OK] current reboot exploit conditions
```
If the log shows no readable PGP PDOs, or no C: sector match, do not run the exploit. That usually means the OS disk is not Symantec WDE-managed/instrumented.
For a fuller target report, copy both files below into the same directory and run the CMD wrapper:
```text
sym_target_diag_lite.cmd
sym_portable_precheck32.exe
```
Then run:
```cmd
C:\Users\Public\sym_target_diag_lite.cmd
notepad C:\Users\Public\sym_target_diag_lite.log
```
## Exploit usage
Only run the exploit on systems where you are authorized to modify protected system files and where the precheck has passed.
Copy the stager to a writable path and run it as the low-privileged user:
```cmd
C:\Users\Public\sym_portable_reboot_stage32.exe
```
Check the staging logs:
```cmd
type C:\Users\Public\sym_portable_launcher.log
type C:\Users\Public\sym_portable_stage.log
```
If staging succeeded, the worker log contains:
```text
STAGED_OK_REBOOT_TO_TRIGGER
```
Reboot the machine. After reboot, the Spooler service should start the payload as LocalSystem and open a command prompt titled:
```text
SYSTEM_CMD_FROM_PORTABLE_REBOOT_LPE
```
## Restore
The stager creates this backup before overwriting the target:
```text
C:\Users\Public\spoolsv.exe.orig.portable
```
A public one-click restore mode is not included. In testing, restoration was performed by raw-writing the backup over the same mapped sectors and rebooting. A safe restore flow should be added and validated before publishing binaries.
## Known constraints
- The current stager targets `C:\Windows\System32\spoolsv.exe`.
- The OS disk must be exposed through `PGPwded.sys`; a Symantec install alone is not sufficient.
- Systems where C: is BitLocker-managed and Symantec reports the disk as unmanaged are not expected to be exploitable by this path.
- The current target file must be single-extent; the worker aborts on fragmentation.
- The current PoC requires a reboot to trigger execution.
- The current payload is intentionally obvious: it opens a visible SYSTEM command prompt.
## Disclaimer
This is research code for authorized testing and defensive validation. Do not run it on systems you do not own or have explicit permission to assess.