#And now make the contract account to analyze source_code = file('coverage.sol').read() user_account = m.create_account(balance=1000) bytecode = m.compile(source_code) #Initialize contract contract_account = m.create_contract(owner=user_account, balance=0, init=bytecode) m.transaction( caller=user_account, address=contract_account, value=None, data=m.SByte(164), ) #Up to here we get only ~30% coverage. #We need 2 transactions to fully explore the contract m.transaction( caller=user_account, address=contract_account, value=None, data=m.SByte(164), ) print "[+] There are %d reverted states now" % len(m.final_state_ids) print "[+] There are %d alive states now" % len(m.running_state_ids) for state_id in m.running_state_ids: print m.report(state_id)
attacker_account, seth.get_balance(attacker_account)) print " exploit_account %x balance: %d" % ( exploit_account, seth.get_balance(exploit_account)) print " user_account %x balance: %d" % (user_account, seth.get_balance(user_account)) print " contract_account %x balance: %d" % ( contract_account, seth.get_balance(contract_account)) print "[+] Setup the exploit" exploit_account.set_vulnerable_contract(contract_account) print "\t Setting 30 reply reps" exploit_account.set_reentry_reps(30) print "\t Setting reply string" exploit_account.set_reentry_attack_string(seth.SByte(4)) #Attacker is print "[+] Attacker first transaction" exploit_account.proxycall(seth.SByte(4), value=seth.SValue) print "[+] Attacker second transaction" exploit_account.proxycall(seth.SByte(4)) print "[+] The attacker destroys the exploit contract and profit" exploit_account.get_money() #print "[+] There are %d reverted states now"% len(seth.final_state_ids) #for state_id in seth.final_state_ids: # seth.report(state_id)
Log("Got something else"); } } } ''' print "[+] Creating a user account" user_account = seth.create_account(balance=1000) print "[+] Creating a contract account" contract_account = seth.solidity_create_contract(source_code, owner=user_account) print "[+] Now the symbolic values" symbolic_data = seth.SByte(320) symbolic_value = None seth.transaction(caller=user_account, address=contract_account, data=symbolic_data, value=symbolic_value) print "[+] There are %d reverted states now" % len(seth.final_state_ids) print "[+] There are %d alive states now" % len(seth.running_state_ids) for state_id in seth.running_state_ids: seth.report(state_id) print "[+] Global coverage:" print seth.coverage(contract_account)
function target(address key) returns (bool){ if (balances[key] > 20) Log("Balance greater than 20"); else Log("Balance less or equal than 20"); } } ''' #Initialize accounts user_account = seth.create_account(balance=1000) contract_account = seth.solidity_create_contract(source_code, owner=user_account) symbolic_data = seth.SByte(64) symbolic_value = 0 seth.transaction( caller=user_account, address=contract_account, value=symbolic_value, data=symbolic_data ) print "[+] There are %d reverted states now"% len(seth.final_state_ids) for state_id in seth.final_state_ids: seth.report(state_id) print "[+] There are %d alive states now"% len(seth.running_state_ids) for state_id in seth.running_state_ids: seth.report(state_id)
function Test(){ balances[0x1111111111111111111111111111111111111111] = 10; balances[0x2222222222222222222222222222222222222222] = 20; balances[0x3333333333333333333333333333333333333333] = 30; balances[0x4444444444444444444444444444444444444444] = 40; balances[0x5555555555555555555555555555555555555555] = 50; } function target(address key) returns (bool){ if (balances[key] > 20) Log("Balance greater than 20"); else Log("Balance less or equal than 20"); } } ''' #Initialize accounts user_account = m.create_account(balance=1000) contract_account = m.solidity_create_contract(source_code, owner=user_account) symbolic_data = m.SByte(64) symbolic_value = 0 m.transaction(caller=user_account, address=contract_account, value=symbolic_value, data=symbolic_data) m.finalize() print "[+] Look for results in %s" % m.workspace
#And now make the contract account to analyze source_code = file('coverage.sol').read() user_account = seth.create_account(balance=1000) bytecode = seth.compile(source_code) #Initialize contract contract_account = seth.create_contract(owner=user_account, balance=0, init=bytecode) seth.transaction( caller=user_account, address=contract_account, value=None, data=seth.SByte(164), ) #Up to here we get only ~30% coverage. #We need 2 transactions to fully explore the contract seth.transaction( caller=user_account, address=contract_account, value=None, data=seth.SByte(164), ) print "[+] There are %d reverted states now" % len(seth.final_state_ids) print "[+] There are %d alive states now" % len(seth.running_state_ids) for state_id in seth.running_state_ids: seth.report(state_id)