Deal me into a hand of Blackjack

Our second foray into pwnable.kr takes us into a Blackjack script written by a student named Vladislav Shulman on the C Programming forums. The program does what you’d expect: it lets players bet from a limited purse and plays a random game of Blackjack (21). Our challenge, to get the flag, is to earn ourselves a million dollars at this fake casino table. Of course, you could play this the intended way… but then why would you be here?


VPN Recommended: You’re logging into a remote SSH server, and therefore your IP address may become visible to other users. Use a VPN to mask your true IP.

The challenge introduces us with a link to the full code behind the Blackjack program, as well as a netcat address and port to connect to. Connecting to that address allows us to play the game exactly as it’s coded. I’ve replicated the code below, but if you’d like to see the original post, you can find it here.

As you can read, the program is quite long. I’ll highlight the interesting part below.

This function is called when the user is asked to place a bet on their hand. There are a couple of interesting things about how betting works.

  1. When you place a bet higher than your cash-on-hand, the program checks it and prints an error that says “You cannot bet more money than you have.”, then simply asks you for your bet again. Notice that there is no second check on the re-entered value; the program assumes you’ll follow instructions and lower your bet amount. Entering 10,000,000, getting the error, and then entering 10,000,000 again bypasses this check. Winning the hand after doing this will make you a millionaire.
  2. Both bet and cash are signed integers, so you can enter negative numbers. No check for this exists, and when the program stores your bet it does nothing to reject a negative value. You can bet negative money and still win your bet. Since a negative number always evaluates to lower than your cash-on-hand, you’ll even bypass the error check!
  3. This input is susceptible to an integer overflow. I’ll let you experiment with that. Finding a proper overflow number to bet will allow you to become a millionaire even if you lose the hand.

You can use any of the 3 logic errors above to trick the game into letting you bet well above your current cash-on-hand. Then simply win (or lose, depending on your method) your hand, and collect your flag as a prize.
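For readers who want to see why all three bugs trace back to one missing validation step, here is an added C example (not the original program’s code, and not taken from the forum post). `flawed_bet` is a reconstruction of the behaviour described above: the re-prompt after the error is not re-checked, negative values pass the `bet > cash` test, and the raw `atoi` result is used without a range check. `parse_bet` and `hardened_bet` are the fixed versions. Input is supplied as a constructed array of strings rather than read from stdin so the functions can be exercised offline; the function names, the `int` types for bet and cash, and the 1000-dollar starting purse are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Reconstruction of the flawed betting logic described in the write-up
   (assumed shape, not the original code). Inputs come from a constructed
   string array instead of stdin. Returns whatever bet is accepted. */
int flawed_bet(int cash, const char *inputs[], size_t n) {
    size_t i = 0;
    int bet = atoi(inputs[i++]);                 /* first prompt */
    if (bet > cash) {
        puts("You cannot bet more money than you have.");
        if (i < n) bet = atoi(inputs[i++]);      /* re-prompt, never re-checked */
    }
    return bet;  /* negative bets and oversized re-entries slip through */
}

/* Hardened parser: accept only a whole number in [1, cash].
   strtol with errno catches values that do not fit a long, the end-pointer
   check rejects trailing garbage, and the range check rejects negatives,
   zero and anything above the purse. Returns 0 on success, -1 on rejection. */
int parse_bet(const char *s, int cash, int *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s) return -1;            /* overflow / no digits */
    if (*end != '\0' && *end != '\n') return -1;           /* trailing junk */
    if (v < 1 || v > cash) return -1;                      /* negative, zero, too big */
    *out = (int)v;
    return 0;
}

/* Hardened prompt loop: every entered value is validated, including the
   ones entered after an error. Returns the accepted bet, or -1 if the
   supplied inputs are exhausted without a valid bet. */
int hardened_bet(int cash, const char *inputs[], size_t n) {
    for (size_t i = 0; i < n; i++) {
        int bet;
        if (parse_bet(inputs[i], cash, &bet) == 0) return bet;
        puts("Invalid bet: enter a whole number between 1 and your cash.");
    }
    return -1;
}

int main(void) {
    const int cash = 1000;  /* constructed starting purse */
    const char *replay[] = {"10000000", "10000000"};   /* the re-prompt trick */
    const char *negative[] = {"-5000"};                /* the negative-bet trick */
    const char *mixed[] = {"-5000", "99999999999999999999", "abc", "250"};

    printf("flawed, re-prompt:  %d\n", flawed_bet(cash, replay, 2));
    printf("flawed, negative:   %d\n", flawed_bet(cash, negative, 1));
    printf("hardened, re-prompt: %d\n", hardened_bet(cash, replay, 2));
    printf("hardened, negative:  %d\n", hardened_bet(cash, negative, 1));
    printf("hardened, mixed:     %d\n", hardened_bet(cash, mixed, 4));
    return 0;
}
```

The design point is that validation belongs in one function that every input path calls, rather than a single `if` at the first prompt. Once `parse_bet` is the only way a string becomes a bet, the re-prompt bypass, the negative bet and the overflow value are all rejected by the same three lines, and a maintainer adding a new prompt later cannot forget the check.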