
Theo aims to be an exploitation framework and a blockchain recon and interaction tool.
Features:
- Automatic smart contract scanning which generates a list of possible exploits.
- Sending transactions to exploit a smart contract.
- Transaction pool monitor.
- Web3 console
- Frontrunning and backrunning transactions.
- Waiting for a list of transactions and sending out others.
- Estimating gas for transactions means only successful transactions are sent.
- Disabling gas estimation will send transactions with a fixed gas quantity.
He knows Karl from work.
Theo’s purpose is to fight script kiddies that try to be leet hackers. He can listen to them trying to exploit his honeypots and make them lose their funds, for his own gain.
“You didn’t bring me along for my charming personality.”
Install
Theo is available as a PyPI package:
Install from sources
$ git clone https://github.com/cleanunicorn/theo
$ cd theo
$ virtualenv ./venv
$ . ./venv/bin/activate
$ pip install -r requirements.txt
$ pip install -e .
$ theo --help
Requirements:
- Python 3.5 or higher.
- An Ethereum node with RPC available. Ganache works really well for testing or for validating exploits.
Demos
Find exploit and execute it
Scan a smart contract, find exploits, exploit it:
- Start Ganache as our local Ethereum node
- Deploy the vulnerable contract (happens in a different window)
- Scan for exploits
- Run exploit
Frontrun victim
Setup a honeypot, deploy honeypot, wait for attacker, frontrun:
- Start geth as our local Ethereum node
- Start mining
- Deploy the honeypot
- Start Theo and scan the mem pool for transactions
- Frontrun the attacker and steal his ether
Usage
Help screen
It’s a good idea to check the help screen first.
$ theo --help
usage: theo [-h] [--rpc-http RPC_HTTP] [--rpc-ws RPC_WS] [--rpc-ipc RPC_IPC]
[--account-pk ACCOUNT_PK] [--contract ADDRESS] [--skip-mythril]
[--load-file LOAD_FILE] [--version]
Monitor contracts for balance changes or tx pool.
optional arguments:
-h, --help show this help message and exit
--rpc-http RPC_HTTP Connect to this HTTP RPC (default:
http://127.0.0.1:8545)
--account-pk ACCOUNT_PK
The account's private key (default: None)
--contract ADDRESS Contract to interact with (default: None)
--skip-mythril Skip scanning the contract with Mythril (default:
False)
--load-file LOAD_FILE
Load exploit from file (default: )
--version show program's version number and exit
RPC connections:
--rpc-ws RPC_WS Connect to this WebSockets RPC (default: None)
--rpc-ipc RPC_IPC Connect to this IPC RPC (default: None)
Symbolic execution
A list of exploits is automatically identified using mythril.
Start a session by running:
$ theo --contract=<scanned contract> --account-pk=<your private key>
Scanning for exploits in contract: 0xa586074fa4fe3e546a132a16238abe37951d41fe
Connecting to HTTP: http://127.0.0.1:8545.
Found exploits(s):
[Exploit: (txs=[Transaction {Data: 0xcf7a8965, Value: 1000000000000000000}])]
A few objects are available in the console:
- `exploits` is an array of loaded exploits found by Mythril or read from a file
- `w3` an initialized instance of web3py for the provided HTTP RPC endpoint
Check the readme for more info:
https://github.com/cleanunicorn/theo
>>>
link GitHub – cleanunicorn/theo: Ethereum recon and exploitation tool.
git clone https://github.com/cleanunicorn/theo.git