• Stars
    star
    344
  • Rank 123,066 (Top 3 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Ethereum recon and exploitation tool.

Theo

License CircleCI Codacy Badge PyPI Code style: black

Theo aims to be an exploitation framework and a blockchain recon and interaction tool.

Features:

  • Automatic smart contract scanning which generates a list of possible exploits.
  • Sending transactions to exploit a smart contract.
  • Transaction pool monitor.
  • Web3 console
  • Frontrunning and backrunning transactions.
  • Waiting for a list of transactions and sending out others.
  • Estimating gas for transactions means only successful transactions are sent.
  • Disabling gas estimation will send transactions with a fixed gas quantity.

He knows Karl from work.

Theo's purpose is to fight script kiddies that try to be leet hackers. He can listen to them trying to exploit his honeypots and make them lose their funds, for his own gain.

"You didn't bring me along for my charming personality."

Install

Theo is available as a PyPI package:

$ pip install theo
$ theo --help
usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
            [--account-pk ACCOUNT_PK] [--contract ADDRESS]
            [--skip-mythril SKIP_MYTHRIL] [--load-file LOAD_FILE] [--version]

Monitor contracts for balance changes or tx pool.

optional arguments:
  -h, --help            show this help message and exit
  --rpc-http RPC_HTTP   Connect to this HTTP RPC (default:
                        http://127.0.0.1:8545)
  --account-pk ACCOUNT_PK
                        The account's private key (default: None)
  --contract ADDRESS    Contract to monitor (default: None)
  --skip-mythril SKIP_MYTHRIL
                        Don't try to find exploits with Mythril (default:
                        False)
  --load-file LOAD_FILE
                        Load exploit from file (default: )
  --version             show program's version number and exit

RPC connections:
  --rpc-ws RPC_WS       Connect to this WebSockets RPC (default: None)
  --rpc-ipc RPC_IPC     Connect to this IPC RPC (default: None)

Install from sources

$ git clone https://github.com/cleanunicorn/theo
$ cd theo
$ virtualenv ./venv
$ . ./venv/bin/activate
$ pip install -r requirements.txt
$ pip install -e .
$ theo --help

Requirements:

  • Python 3.5 or higher.
  • An Ethereum node with RPC available. Ganache works really well for testing or for validating exploits.

Demos

Find exploit and execute it

Scan a smart contract, find exploits, exploit it:

  • Start Ganache as our local Ethereum node
  • Deploy the vulnerable contract (happens in a different window)
  • Scan for exploits
  • Run exploit

asciicast

Frontrun victim

Setup a honeypot, deploy honeypot, wait for attacker, frontrun:

  • Start geth as our local Ethereum node
  • Start mining
  • Deploy the honeypot
  • Start Theo and scan the mem pool for transactions
  • Frontrun the attacker and steal his ether

asciicast

Usage

Help screen

It's a good idea to check the help screen first.

$ theo --help
usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
            [--account-pk ACCOUNT_PK] [--contract ADDRESS] [--skip-mythril]
            [--load-file LOAD_FILE] [--version]

Monitor contracts for balance changes or tx pool.

optional arguments:
  -h, --help            show this help message and exit
  --rpc-http RPC_HTTP   Connect to this HTTP RPC (default:
                        http://127.0.0.1:8545)
  --account-pk ACCOUNT_PK
                        The account's private key (default: None)
  --contract ADDRESS    Contract to interact with (default: None)
  --skip-mythril        Skip scanning the contract with Mythril (default:
                        False)
  --load-file LOAD_FILE
                        Load exploit from file (default: )
  --version             show program's version number and exit

RPC connections:
  --rpc-ws RPC_WS       Connect to this WebSockets RPC (default: None)
  --rpc-ipc RPC_IPC     Connect to this IPC RPC (default: None)

Symbolic execution

A list of exploits is automatically identified using mythril.

Start a session by running:

$ theo --contract=<scanned contract> --account-pk=<your private key>
Scanning for exploits in contract: 0xa586074fa4fe3e546a132a16238abe37951d41fe
Connecting to HTTP: http://127.0.0.1:8545.
Found exploits(s):
 [Exploit: (txs=[Transaction {Data: 0xcf7a8965, Value: 1000000000000000000}])]

A few objects are available in the console:
- `exploits` is an array of loaded exploits found by Mythril or read from a file
- `w3` an initialized instance of web3py for the provided HTTP RPC endpoint

Check the readme for more info:
https://github.com/cleanunicorn/theo

>>> 

It will analyze the contract and will find a list of available exploits.

You can see the available exploits found. In this case one exploit was found. Each exploit is an Exploit object.

>>> exploits[0]
Exploit: (txs=[Transaction: {'input': '0xcf7a8965', 'value': '0xde0b6b3a7640000'}])

Running exploits

The exploit steps can be run by calling .execute() on the exploit object. The transactions will be signed and sent to the node you're connected to.

>>> exploits[0].execute()
2019-07-22 11:26:12,196 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': 1, 'gas': 30521, 'value': 1000000000000000000, 'data': '0xcf7a8965', 'nonce': 47} 
2019-07-22 11:26:12,200 - Waiting for 0x41b489c78f654cab0b0451fc573010ddb20ee6437cdbf5098b6b03ee1936c33c to be mined... 
2019-07-22 11:26:16,337 - Mined 
2019-07-22 11:26:16,341 - Initial balance:      1155999450759997797167 (1156.00 ether) 
2019-07-22 11:26:16,342 - Final balance:        1156999450759997768901 (1157.00 ether) 

Frontrunning

You can start the frontrunning monitor to listen for other hackers trying to exploit the honeypot.

Use .frontrun() to start listening for the exploit and when found, send a transaction with a higher gas price.

>>> exploits[0].frontrun()
2019-07-22 11:22:26,285 - Scanning the mem pool for transactions... 
2019-07-22 11:22:45,369 - Found tx: 0xf6041abe6e547cea93e80a451fdf53e6bdae67820244246fde44098f91ce1c20 
2019-07-22 11:22:45,375 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': '0x2', 'data': '0xcf7a8965', 'gas': 30522, 'value': 1000000000000000000, 'nonce': 45} 
2019-07-22 11:22:45,380 - Waiting for 0xa73316daf806e7eef83d09e467c32ce5faa239c6eda3a270a8ce7a7aae48fb7e to be mined... 
2019-07-22 11:22:56,852 - Mined 

"Oh, my God! The quarterback is toast!"

This works very well for some specially crafted contracts or some other vulnerable contracts, as long as you make sure frontrunning is in your favor.

Load transactions from file

Instead of identifying the exploits with mythril, you can specify the list of exploits yourself.

Create a file that looks like this exploits.json:

[
    [
        {
            "name": "claimOwnership()",
            "input": "0x4e71e0c8",
            "value": "0xde0b6b3a7640000"
        },
        {
            "name": "retrieve()",
            "input": "0x2e64cec1",
            "value": "0x0"
        }
    ],
    [
        {
            "name": "claimOwnership()",
            "input": "0x4e71e0c8",
            "value": "0xde0b6b3a7640000"
        }
    ]
]

This one defines 2 exploits, the first one has 2 transactions and the second one only has 1 transaction.

You can load it with:

$ theo --load-file=./exploits.json

Troubleshooting

openssl/aes.h: No such file or directory

If you get this error, you need the libssl source libraries:

    scrypt-1.2.1/libcperciva/crypto/crypto_aes.c:6:10: fatal error: openssl/aes.h: No such file or directory
     #include <openssl/aes.h>
              ^~~~~~~~~~~~~~~
    compilation terminated.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
    
    ----------------------------------------
Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-5rl4ep94/scrypt/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-mnbzx9qe-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-5rl4ep94/scrypt/

On Ubuntu you can install them with:

$ sudo apt install libssl-dev

More Repositories

1

karl

Monitor smart contracts deployed on blockchain and test against vulnerabilities with Mythril. It was presented at DEFCON 2019.
Python
313
star
2

ethereum-smartcontract-template

Ethereum Smart Contract starting template
Solidity
108
star
3

mockprovider

Solidity mocking provider for testing
Solidity
61
star
4

abi2signature

Use the ABI of a smart contract to find out the function signatures
JavaScript
54
star
5

flaterra

The Earth is flat but Solidity source code is not. This fixes that.
Python
20
star
6

mythos

CLI client for the MythX API
TypeScript
20
star
7

santoku

Ethereum ABI decoder
Vue
13
star
8

nutcracker

Solidity
10
star
9

ranploy

Generate tx data payload to deploy any random hex string to Ethereum as a smart contract
Python
6
star
10

hardhat-advanced-sample

TypeScript
5
star
11

transient-storage

Solidity
5
star
12

trustbet

JavaScript
4
star
13

smart-split

Ethereum smart contract splitting received value. Deployed on the main net
JavaScript
4
star
14

ether-wars

Solidity
3
star
15

hitomi

Another web3 console initilizer.
Python
3
star
16

vanity

Go
3
star
17

4byte-update

Solidity
2
star
18

cleanunicorn.github.io

HTML
2
star
19

merkle

JavaScript
2
star
20

nodejs-proxy

A nodejs HTTP Proxy
JavaScript
2
star
21

imago

ERC 777 token contract able to morph into anything the owner needs.
JavaScript
2
star
22

ethereum

Ethereum toolbox
Go
2
star
23

poacher

Save price data into an InfluxDB
Go
2
star
24

digital-arbiter

Digital Ocean manager
CoffeeScript
1
star
25

op-scanner

JavaScript
1
star
26

tcrparty-bot

Python
1
star
27

magnus

Sweeper contracts. DO NOT USE IN PRODUCTION
JavaScript
1
star
28

phrase-app-export

PHP
1
star
29

mnemonic-permutation-python

Python
1
star
30

tbtc-v2-testnet-node-setup

1
star
31

gerhard

A generator in the style of Gerhard Richter's Strip.
Python
1
star
32

squad

Python
1
star
33

capture-the-ether

Python
1
star
34

rust-learn

Rust
1
star
35

polka-dot-mnemonic-brute

Mnemonic bruteforcer for https://polkadot.network/
TypeScript
1
star
36

mozaik

Create mozaiked images
PHP
1
star
37

mnemonic-permutation

Go
1
star