nbanmp/ethereum_sandbox.sol Secret

## ethereum_sandbox.sol
pragma solidity ^0.5.0;

contract Vulnerable {
    uint256[] public writes;
    address[] public owners;

    constructor() public payable {
        owners.push(msg.sender);
        writes.length -= 1;
    }

    function write_what_where_gadget(uint256 _what, uint256 _where) public {
        writes[_where] = _what;
    }

    function fun_sandbox(address _addr) public payable {
        bool taint = false;
        for(uint256 i = 0; i < owners.length; i++) {
            if(msg.sender == owners[i]) {
                taint = true;
            }
        }
        require(taint);

        uint256 size;
        bytes memory code;

        assembly {
            size := extcodesize(_addr)
            code := mload(0x40)
            mstore(0x40, add(code, and(add(add(size, 0x20), 0x1f), not(0x1f))))
            mstore(code, size)
            extcodecopy(_addr, add(code, 0x20), 0, size)
        }

        for(uint256 i = 0; i < code.length; i++) {
            require(code[i] != 0xf0); // CREATE
            require(code[i] != 0xf1); // CALL
            require(code[i] != 0xf2); // CALLCODE
            require(code[i] != 0xf4); // DELEGATECALL
            require(code[i] != 0xfa); // STATICCALL
            require(code[i] != 0xff); // SELFDESTRUCT
        }

        bool success;
        bytes memory _;
        (success, _) = _addr.delegatecall("");
        require(success);

    }
}
	pragma solidity ^0.5.0;

	contract Vulnerable {
	uint256[] public writes;
	address[] public owners;

	constructor() public payable {
	owners.push(msg.sender);
	writes.length -= 1;
	}

	function write_what_where_gadget(uint256 _what, uint256 _where) public {
	writes[_where] = _what;
	}

	function fun_sandbox(address _addr) public payable {
	bool taint = false;
	for(uint256 i = 0; i < owners.length; i++) {
	if(msg.sender == owners[i]) {
	taint = true;
	}
	}
	require(taint);

	uint256 size;
	bytes memory code;

	assembly {
	size := extcodesize(_addr)
	code := mload(0x40)
	mstore(0x40, add(code, and(add(add(size, 0x20), 0x1f), not(0x1f))))
	mstore(code, size)
	extcodecopy(_addr, add(code, 0x20), 0, size)
	}

	for(uint256 i = 0; i < code.length; i++) {
	require(code[i] != 0xf0); // CREATE
	require(code[i] != 0xf1); // CALL
	require(code[i] != 0xf2); // CALLCODE
	require(code[i] != 0xf4); // DELEGATECALL
	require(code[i] != 0xfa); // STATICCALL
	require(code[i] != 0xff); // SELFDESTRUCT
	}

	bool success;
	bytes memory _;
	(success, _) = _addr.delegatecall("");
	require(success);

	}
	}