cleanunicorn / theo Goto Github PK

View Code? Open in Web Editor NEW

342.0 14.0 94.0 30.38 MB

Ethereum recon and exploitation tool.

License: Apache License 2.0

Python 88.10% Shell 3.22% Makefile 0.32% Solidity 8.36%

ethereum security security-automation

theo's Introduction

Theo

Theo aims to be an exploitation framework and a blockchain recon and interaction tool.

Features:

Automatic smart contract scanning which generates a list of possible exploits.
Sending transactions to exploit a smart contract.
Transaction pool monitor.
Web3 console
Frontrunning and backrunning transactions.
Waiting for a list of transactions and sending out others.
Estimating gas for transactions means only successful transactions are sent.
Disabling gas estimation will send transactions with a fixed gas quantity.

He knows Karl from work.

Theo's purpose is to fight script kiddies that try to be leet hackers. He can listen to them trying to exploit his honeypots and make them lose their funds, for his own gain.

"You didn't bring me along for my charming personality."

Install

Theo is available as a PyPI package:

$ pip install theo
$ theo --help
usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
            [--account-pk ACCOUNT_PK] [--contract ADDRESS]
            [--skip-mythril SKIP_MYTHRIL] [--load-file LOAD_FILE] [--version]

Monitor contracts for balance changes or tx pool.

optional arguments:
  -h, --help            show this help message and exit
  --rpc-http RPC_HTTP   Connect to this HTTP RPC (default:
                        http://127.0.0.1:8545)
  --account-pk ACCOUNT_PK
                        The account's private key (default: None)
  --contract ADDRESS    Contract to monitor (default: None)
  --skip-mythril SKIP_MYTHRIL
                        Don't try to find exploits with Mythril (default:
                        False)
  --load-file LOAD_FILE
                        Load exploit from file (default: )
  --version             show program's version number and exit

RPC connections:
  --rpc-ws RPC_WS       Connect to this WebSockets RPC (default: None)
  --rpc-ipc RPC_IPC     Connect to this IPC RPC (default: None)

Install from sources

$ git clone https://github.com/cleanunicorn/theo
$ cd theo
$ virtualenv ./venv
$ . ./venv/bin/activate
$ pip install -r requirements.txt
$ pip install -e .
$ theo --help

Requirements:

Python 3.5 or higher.
An Ethereum node with RPC available. Ganache works really well for testing or for validating exploits.

Demos

Find exploit and execute it

Scan a smart contract, find exploits, exploit it:

Start Ganache as our local Ethereum node
Deploy the vulnerable contract (happens in a different window)
Scan for exploits
Run exploit

Frontrun victim

Setup a honeypot, deploy honeypot, wait for attacker, frontrun:

Start geth as our local Ethereum node
Start mining
Deploy the honeypot
Start Theo and scan the mem pool for transactions
Frontrun the attacker and steal his ether

Usage

Help screen

It's a good idea to check the help screen first.

$ theo --help
usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
            [--account-pk ACCOUNT_PK] [--contract ADDRESS] [--skip-mythril]
            [--load-file LOAD_FILE] [--version]

Monitor contracts for balance changes or tx pool.

optional arguments:
  -h, --help            show this help message and exit
  --rpc-http RPC_HTTP   Connect to this HTTP RPC (default:
                        http://127.0.0.1:8545)
  --account-pk ACCOUNT_PK
                        The account's private key (default: None)
  --contract ADDRESS    Contract to interact with (default: None)
  --skip-mythril        Skip scanning the contract with Mythril (default:
                        False)
  --load-file LOAD_FILE
                        Load exploit from file (default: )
  --version             show program's version number and exit

RPC connections:
  --rpc-ws RPC_WS       Connect to this WebSockets RPC (default: None)
  --rpc-ipc RPC_IPC     Connect to this IPC RPC (default: None)

Symbolic execution

A list of exploits is automatically identified using mythril.

Start a session by running:

$ theo --contract=<scanned contract> --account-pk=<your private key>
Scanning for exploits in contract: 0xa586074fa4fe3e546a132a16238abe37951d41fe
Connecting to HTTP: http://127.0.0.1:8545.
Found exploits(s):
 [Exploit: (txs=[Transaction {Data: 0xcf7a8965, Value: 1000000000000000000}])]

A few objects are available in the console:
- `exploits` is an array of loaded exploits found by Mythril or read from a file
- `w3` an initialized instance of web3py for the provided HTTP RPC endpoint

Check the readme for more info:
https://github.com/cleanunicorn/theo

>>>

It will analyze the contract and will find a list of available exploits.

You can see the available exploits found. In this case one exploit was found. Each exploit is an Exploit object.

>>> exploits[0]
Exploit: (txs=[Transaction: {'input': '0xcf7a8965', 'value': '0xde0b6b3a7640000'}])

Running exploits

The exploit steps can be run by calling .execute() on the exploit object. The transactions will be signed and sent to the node you're connected to.

>>> exploits[0].execute()
2019-07-22 11:26:12,196 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': 1, 'gas': 30521, 'value': 1000000000000000000, 'data': '0xcf7a8965', 'nonce': 47} 
2019-07-22 11:26:12,200 - Waiting for 0x41b489c78f654cab0b0451fc573010ddb20ee6437cdbf5098b6b03ee1936c33c to be mined... 
2019-07-22 11:26:16,337 - Mined 
2019-07-22 11:26:16,341 - Initial balance:      1155999450759997797167 (1156.00 ether) 
2019-07-22 11:26:16,342 - Final balance:        1156999450759997768901 (1157.00 ether)

Frontrunning

You can start the frontrunning monitor to listen for other hackers trying to exploit the honeypot.

Use .frontrun() to start listening for the exploit and when found, send a transaction with a higher gas price.

>>> exploits[0].frontrun()
2019-07-22 11:22:26,285 - Scanning the mem pool for transactions... 
2019-07-22 11:22:45,369 - Found tx: 0xf6041abe6e547cea93e80a451fdf53e6bdae67820244246fde44098f91ce1c20 
2019-07-22 11:22:45,375 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': '0x2', 'data': '0xcf7a8965', 'gas': 30522, 'value': 1000000000000000000, 'nonce': 45} 
2019-07-22 11:22:45,380 - Waiting for 0xa73316daf806e7eef83d09e467c32ce5faa239c6eda3a270a8ce7a7aae48fb7e to be mined... 
2019-07-22 11:22:56,852 - Mined

"Oh, my God! The quarterback is toast!"

This works very well for some specially crafted contracts or some other vulnerable contracts, as long as you make sure frontrunning is in your favor.

Load transactions from file

Instead of identifying the exploits with mythril, you can specify the list of exploits yourself.

Create a file that looks like this exploits.json:

[
    [
        {
            "name": "claimOwnership()",
            "input": "0x4e71e0c8",
            "value": "0xde0b6b3a7640000"
        },
        {
            "name": "retrieve()",
            "input": "0x2e64cec1",
            "value": "0x0"
        }
    ],
    [
        {
            "name": "claimOwnership()",
            "input": "0x4e71e0c8",
            "value": "0xde0b6b3a7640000"
        }
    ]
]

This one defines 2 exploits, the first one has 2 transactions and the second one only has 1 transaction.

You can load it with:

$ theo --load-file=./exploits.json

Troubleshooting

openssl/aes.h: No such file or directory

If you get this error, you need the libssl source libraries:

    scrypt-1.2.1/libcperciva/crypto/crypto_aes.c:6:10: fatal error: openssl/aes.h: No such file or directory
     #include <openssl/aes.h>
              ^~~~~~~~~~~~~~~
    compilation terminated.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
    
    ----------------------------------------
Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-5rl4ep94/scrypt/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-mnbzx9qe-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-5rl4ep94/scrypt/

On Ubuntu you can install them with:

$ sudo apt install libssl-dev

theo's People

Contributors

Stargazers

Watchers

Forkers

gnsps kryptoklob seabreg ashr mewbak ineedaspo1 killvxk goupodro jack51706 leiyuch mmillerxyz dandycheung 6egic chaos-monkey-island 5l1v3r1 jaggedsoft fifikobayashi qiqiqiqiqiqiqiqii zhengger yshssh dassel 1337in steelep zhiwei-w-luo bonedaddy mhuichen sabbir883 manifoldfinance carbon-neutral junofs zer0wei breakingofchains ordfin v-pcap advaithd jenil04 federicosan ait-s satcomx00-x00 0xsimulacra raytlty carbonbirdman austinekrash actorexpose kevinrodriguez-io ehabhussein er0080 geeks121 ajay1819 urbanyoungv2 btautist yanrising myconite zerrrow stebansaa agostini33 soyasoya5 redisun antonga23 arbitrage-eth crypto50z playniuniu marcusholter gidomason sajibekanti etsploit eierina topguns23 crackercat rlfql fraugdib yodolescrypto aboogetti earthshotlabs jasko77 lipuu spaceh3ad codergrade uncommon-dev ha910 jg8481 zenkodr psyferlab ccczone

theo's Issues

trouble installing theo in linux environment on chromebook

My system is a chromebook with the linux development environment (I believe its a debian). This is the error I get when I try to install using pip i've also tried recursively install all in the requirements.txt and get a seperate error. I've been working on this for like two days and have tried every solution that i could find from googling.

Below is a file attached which is a log of what my installation process output was
erre when installing theo.txt

Deploy contract

Hello, can someone help me deploying the contract with etherwallet?

error on executing these commands in cmd

virtualenv ./venv
$ . ./venv/bin/activate

i could find files under bin / bin folder is not there when i have installed virtual env

Error scanning the contract

Hi,

After Deploying a contract.

The account's private key (input hidden)

Contract to interact with
0xd3aa556287afe63102e5797bfddd2a1e8dbb3ea5
Scanning for exploits in contract: 0xD3aA556287Afe63102e5797BFDDd2A1E8DbB3eA5
Traceback (most recent call last):
File "/home/zero/.local/bin/theo", line 11, in
load_entry_point('theo', 'console_scripts', 'theo')()
File "/home/zero/theo/theo/interfaces/cli.py", line 71, in main
start_repl(args)
File "/home/zero/theo/theo/interfaces/cli.py", line 90, in start_repl
timeout=args.timeout,
File "/home/zero/theo/theo/scanner/init.py", line 42, in exploits_from_mythril
enable_online_lookup=enable_online_lookup,
File "/home/zero/.local/lib/python3.7/site-packages/mythril/mythril/mythril_disassembler.py", line 40, in init
self.sigs = signatures.SignatureDB(enable_online_lookup=enable_online_lookup)
File "/home/zero/.local/lib/python3.7/site-packages/mythril/support/signatures.py", line 38, in inner_wrapper
return f(*args, **kw)
File "/home/zero/.local/lib/python3.7/site-packages/mythril/support/signatures.py", line 62, in call
cls._instances[cls] = super(Singleton, cls).call(*args, **kwargs)
File "/home/zero/.local/lib/python3.7/site-packages/mythril/support/signatures.py", line 138, in init
with SQLiteDB(self.path) as cur:
File "/home/zero/.local/lib/python3.7/site-packages/mythril/support/signatures.py", line 97, in enter
self.conn = sqlite3.connect(self.path)
sqlite3.OperationalError: unable to open database file

any solution?

Binance Smart Chain (BSC) usage

So BSC has mempool too, the issue is with Theo on BSC. Has anyone got some access to direct BSC node that processes transactions (block producer)? How otherwise to bypass BSC mempool and send transaction directly to block producers, are there any paid services to get direct producer's node endpoint?

https://www.reddit.com/r/ethdev/comments/n11jm1/ethereum_can_be_front_run_but_can_someone_front/

Use filters to monitor for new txs

Send signed transactions

Things to implement:

Get current nonce
Sign transaction doc

Installing requirements fails on my MacOS 10.14

$ sudo pip install -r requirements.txt

Fails with the following error:

  Preparing metadata (setup.py) ... done
Collecting zope.interface==4.6.0
  Downloading zope.interface-4.6.0.tar.gz (150 kB)
     |████████████████████████████████| 150 kB 233 kB/s            
  Preparing metadata (setup.py) ... error
  ERROR: Command errored out with exit status 1:
   command: /Users/macuser/dev/theo/venv/bin/python -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'/private/tmp/pip-install-43w_lkkk/zope-interface_aa293e8505b34d1a9a24e168adec7b63/setup.py'"'"'; __file__='"'"'/private/tmp/pip-install-43w_lkkk/zope-interface_aa293e8505b34d1a9a24e168adec7b63/setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /private/tmp/pip-pip-egg-info-nurcrki2
       cwd: /private/tmp/pip-install-43w_lkkk/zope-interface_aa293e8505b34d1a9a24e168adec7b63/
  Complete output (5 lines):
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/private/tmp/pip-install-43w_lkkk/zope-interface_aa293e8505b34d1a9a24e168adec7b63/setup.py", line 26, in <module>
      from setuptools import setup, Extension, Feature
  ImportError: cannot import name 'Feature' from 'setuptools' (/Users/macuser/dev/theo/venv/lib/python3.9/site-packages/setuptools/__init__.py)
  ----------------------------------------
WARNING: Discarding https://files.pythonhosted.org/packages/4e/d0/c9d16bd5b38de44a20c6dc5d5ed80a49626fafcb3db9f9efdc2a19026db6/zope.interface-4.6.0.tar.gz#sha256=1b3d0dcabc7c90b470e59e38a9acaa361be43b3a6ea644c0063951964717f0e5 (from https://pypi.org/simple/zope-interface/) (requires-python:>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
ERROR: Could not find a version that satisfies the requirement zope.interface==4.6.0 (from versions: 3.3.0b1, 3.3.0b2, 3.3.0, 3.3.0.1, 3.4.0b1, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.0, 3.8.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0a1, 5.3.0, 5.4.0)
ERROR: No matching distribution found for zope.interface==4.6.0

Ideas?

Binance smart chain

Does theo work on bep20 contracts?? Are there any changes need to be done on the code for it to work?

Dump exploit with all details

The method dump_to_file should be able to dump an exploit representation fully loadable by --load-file= without losing any data.

not installing properly on linux

× python setup.py egg_info did not run successfully.
│ exit code: 1
╰─> [6 lines of output]
Traceback (most recent call last):
File "", line 2, in
File "", line 34, in
File "/tmp/pip-install-svt00zhe/zope-interface_c5e58486c9a9463b87d29fb577ab4813/setup.py", line 26, in
from setuptools import setup, Extension, Feature
ImportError: cannot import name 'Feature' from 'setuptools' (/home/boosiff/.local/lib/python3.9/site-packages/setuptools/init.py)
[end of output]

note: This error originates from a subprocess, and is likely not a problem with pip.
error: metadata-generation-failed

any suggestions for me on the user side?

IPC / RPC error: encoding with 'idna' codec failed (UnicodeError: label empty or too long)

OS: macOS:

My ganache is running and I ran this command: theo --rpc-http 127.0.0.1:7545
I added the private key of the random address and the address of the deployed contract, it returns this error:

IPC / RPC error: encoding with 'idna' codec failed (UnicodeError: label empty or too long)
No exploits found. You're going to need to load some exploit

attention : error in ubuntu installation

sing cached zope.interface-4.6.0.tar.gz (150 kB)
Preparing metadata (setup.py) ... error
error: subprocess-exited-with-error

× python setup.py egg_info did not run successfully.
│ exit code: 1
╰─> [6 lines of output]
Traceback (most recent call last):
File "", line 2, in
File "", line 34, in
File "/tmp/pip-install-_iruivlh/zope-interface_db3ca22f01e34ea0a3f5d314d1cf9531/setup.py", line 26, in
from setuptools import setup, Extension, Feature
ImportError: cannot import name 'Feature' from 'setuptools' (/usr/lib/python3/dist-packages/setuptools/init.py)
[end of output]

note: This error originates from a subprocess, and is likely not a problem with pip.
error: metadata-generation-failed

× Encountered error while generating package metadata.
╰─> See above for output.

note: This is an issue with the package mentioned above, not pip.
hint: See above for details.

******please solve this error i have encountered during the installation

exploit is failing with : ValueError: {'message': "VM Exception while processing transaction: Transaction's maxFeePerGas (1) is less than the block's baseFeePerGas (40436817490) (vm hf=london -> block -> tx)"

Hi ,
I have ganache --fork running and connected to forked networked with theo , contract is also deployed on address with which i am interacting but while executing exploit i am getting this error.
Thanks in advance...

what should I do to deploy the contract

I successfully started the local ethereum node using the 'ganache-cli -d' command.

next step: Deploy the vulnerable contract (happens in a different window) How do I do it?