Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Solana: Jumping Around in the VM

OtterSec, posted 3 months ago
  • The authors of this post competed in the 2023 Paradigm CTF. One of the challenges was a Solana Jump Oriented Programming (JOP) challenge: the idea was to adapt a traditional binary exploitation technique to Solana. Solana programs can have memory corruption bugs like any other native code, so a challenge built around turning such a bug into an arbitrary cross-program invocation (CPI) is a great idea.
  • The vulnerable program exposes three instructions: a write-what-where primitive, a CPI to a non-existent program, and a jump to an arbitrary address. The test environment is a standard Solana node. The win condition is that a PDA derived from the seed "flag" exists with a data length of 0x1337 and its first bytes equal to 0x4337. Although the VM state only lives for a single instruction (almost everything is discarded afterwards), the primitives above can be chained within that one instruction to execute arbitrary instructions.
  • The goal is to CPI into the system program with controlled parameters. Looking at the disassembly in Binary Ninja, they found a gadget that calls sol_invoke_signed_rust as long as the right values are in place on the stack. The fake parameter structures can be placed directly in the instruction's input data; the write primitive is then used to put pointers to them on the stack before jumping to the gadget.
  • A pretty neat post on binary exploitation within Solana!
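The win condition above is a PDA at the address Solana derives from the seed "flag" plus a bump byte, and any CPI in which that PDA has to sign (an invoke_signed call) needs the same bump in its seed list. The block below is an added example, not code from the OtterSec post or from the challenge: a pure-Python reproduction of Solana's find_program_address, including the check that the derived address is not a valid ed25519 point (so no private key can exist for it). PROGRAM_ID is a constructed placeholder, not the challenge's real program id; the curve constants and the "ProgramDerivedAddress" marker are the real values.

```python
"""Pure-Python model of Solana's find_program_address (added example, not
code from the OtterSec write-up or the challenge). The seed "flag" matches
the win condition; PROGRAM_ID is a constructed placeholder."""
import hashlib

# ed25519 constants (real curve parameters, not assumptions)
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P  # d = -121665/121666 mod p
SQRT_M1 = pow(2, (P - 1) // 4, P)       # sqrt(-1) mod p (2 is a non-residue mod p)

PDA_MARKER = b"ProgramDerivedAddress"    # suffix Solana hashes into every PDA
MAX_SEED_LEN = 32
MAX_SEEDS = 16

# Constructed placeholder program id (assumption: any 32-byte value works here).
PROGRAM_ID = hashlib.sha256(b"constructed placeholder program id").digest()


class OnCurveError(ValueError):
    """The derived address is a valid curve point, so these seeds are unusable."""


def is_on_curve(compressed: bytes) -> bool:
    """True iff the 32-byte value decompresses to a point on ed25519.

    Mirrors the test curve25519-dalek's CompressedEdwardsY::decompress makes:
    the value is a point iff x^2 = (y^2 - 1) / (d*y^2 + 1) has a square root
    in GF(p). A non-canonical y >= p is reduced rather than rejected, as dalek does.
    """
    if len(compressed) != 32:
        raise ValueError("expected 32 bytes")
    y = (int.from_bytes(compressed, "little") & ((1 << 255) - 1)) % P
    y2 = y * y % P
    u = (y2 - 1) % P
    v = (D * y2 + 1) % P          # never 0 because -1/d is a non-residue
    x2 = u * pow(v, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)  # candidate root, valid because p == 5 (mod 8)
    if x * x % P == x2:
        return True
    x = x * SQRT_M1 % P           # the other candidate when x^2 == -x2
    return x * x % P == x2


def create_program_address(seeds, program_id: bytes) -> bytes:
    """sha256(seeds || program_id || "ProgramDerivedAddress"), rejected when the
    digest happens to be a valid ed25519 point."""
    if len(program_id) != 32:
        raise ValueError("program id must be 32 bytes")
    if len(seeds) > MAX_SEEDS:
        raise ValueError("too many seeds")
    h = hashlib.sha256()
    for seed in seeds:
        if len(seed) > MAX_SEED_LEN:
            raise ValueError("seed too long")
        h.update(seed)
    h.update(program_id)
    h.update(PDA_MARKER)
    address = h.digest()
    if is_on_curve(address):
        raise OnCurveError("invalid seeds: address lies on the curve")
    return address


def find_program_address(seeds, program_id: bytes):
    """Try bump seeds 255 down to 0; return (address, bump) for the first
    off-curve result. The bump is what invoke_signed needs in its seed list."""
    for bump in range(255, -1, -1):
        try:
            address = create_program_address(list(seeds) + [bytes([bump])], program_id)
            return address, bump
        except OnCurveError:
            continue
    raise ValueError("unable to find a viable program address bump seed")


if __name__ == "__main__":
    addr, bump = find_program_address([b"flag"], PROGRAM_ID)
    print(f"flag PDA = {addr.hex()} (bump {bump})")
```

Only the standard library is used, so the script runs offline; it emits the raw 32-byte address rather than Solana's base58 form. Roughly half of all 32-byte strings decode as curve points, which is why the bump search is needed and why the off-curve check is the part worth having right.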