Skip to content

Instantly share code, notes, and snippets.

@nbanmp
Last active Feb 26, 2019
Embed
What would you like to do?
pragma solidity ^0.5.0;
contract Vulnerable {
uint256[] public writes;
address[] public owners;
constructor() public payable {
owners.push(msg.sender);
writes.length -= 1;
}
function write_what_where_gadget(uint256 _what, uint256 _where) public {
writes[_where] = _what;
}
function fun_sandbox(address _addr) public payable {
bool taint = false;
for(uint256 i = 0; i < owners.length; i++) {
if(msg.sender == owners[i]) {
taint = true;
}
}
require(taint);
uint256 size;
bytes memory code;
assembly {
size := extcodesize(_addr)
code := mload(0x40)
mstore(0x40, add(code, and(add(add(size, 0x20), 0x1f), not(0x1f))))
mstore(code, size)
extcodecopy(_addr, add(code, 0x20), 0, size)
}
for(uint256 i = 0; i < code.length; i++) {
require(code[i] != 0xf0); // CREATE
require(code[i] != 0xf1); // CALL
require(code[i] != 0xf2); // CALLCODE
require(code[i] != 0xf4); // DELEGATECALL
require(code[i] != 0xfa); // STATICCALL
require(code[i] != 0xff); // SELFDESTRUCT
}
bool success;
bytes memory _;
(success, _) = _addr.delegatecall("");
require(success);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment