Integer Overflow

The Quantum Bank withdrawal terminal uses 32-bit signed integers for balance calculations. Exploit the integer overflow to bypass the balance check and reach VIP status (balance > $1,000,000).

Type: int32_t
Max: 2,147,483,647
Balance: $100
Goal: > $1,000,000

Connect

nc localhost 4444

Hint

Balance starts at 100. remaining = balance - withdrawal. If withdrawal is a large negative number that passes the > 0 check... what happens with 32-bit arithmetic?

Try: -2147483648 (INT_MIN). Or consider: 100 - (-2147483548) = 100 + 2147483548 = overflow!

Actually simpler: withdrawal of a very large value like -2147483547 is blocked (negative check). But what about 2147483647? 100 - 2147483647 = -2147483547 which is negative, so blocked...

The trick: remaining = 100 - withdrawal. We need remaining > 1000000. If withdrawal is negative enough to wrap... but negatives are blocked. However, the vulnerability is in the remaining calculation. Try inputting a value that causes 100 - withdrawal to wrap around to a large positive number. E.g., withdrawal = -2147483548 is blocked. But scanf("%d") with value -2147483548... Actually, the check is withdrawal < 0, so we need a non-negative value.

The trick is: 100 - INT_MAX = 100 - 2147483647 = -2147483547 (negative, blocked). We need to find a value where the subtraction wraps positive.

Answer: this specific code has the vuln where entering INT_MIN (which scanf reads as a negative, blocked), so the actual exploit path is entering a value like -2147483648 which IS negative but -(-2147483648) overflows to itself in 32-bit. Wait, the code doesn't negate. Let me re-read...

OK the code just checks withdrawal < 0 and then does balance - withdrawal. So we need withdrawal >= 0. 100 - large_positive will be negative (blocked). The trick must be something else... Actually with scanf %d and a very specific wraparound... Let me fix the challenge to have a clearer vuln.
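The arithmetic the hint works through, as an added example (not the challenge's own source): it models the check as the hint describes it, assuming a negative remaining balance is also rejected, and evaluates the hint's candidate values with well-defined 32-bit wraparound. The function names are hypothetical; `__builtin_sub_overflow` is a GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { W_OK, W_NEGATIVE_INPUT, W_INSUFFICIENT } wstatus;

/* 32-bit two's-complement a - b. Computed in unsigned arithmetic because
   signed overflow is undefined behaviour in C; the result is mapped back
   to int32_t without relying on implementation-defined conversion. */
static int32_t wrap_sub(int32_t a, int32_t b) {
    uint32_t u = (uint32_t)a - (uint32_t)b;
    if (u <= (uint32_t)INT32_MAX) return (int32_t)u;
    return -(int32_t)(UINT32_MAX - u) - 1;
}

/* True when a - b does not fit in int32_t (GCC/Clang builtin). */
static bool sub_overflows(int32_t a, int32_t b) {
    int32_t r;
    return __builtin_sub_overflow(a, b, &r);
}

/* Model of the check as the hint describes it (an assumption, not the
   challenge source): negative input rejected, then remaining computed,
   then a negative remaining rejected. */
static wstatus withdraw_as_described(int32_t balance, int32_t withdrawal,
                                     int32_t *remaining) {
    if (withdrawal < 0) return W_NEGATIVE_INPUT;
    *remaining = wrap_sub(balance, withdrawal);
    return *remaining < 0 ? W_INSUFFICIENT : W_OK;
}

int main(void) {
    /* Candidate values taken from the hint, plus one ordinary withdrawal. */
    const int32_t tries[] = { INT32_MIN, -2147483548, -2147483547,
                              INT32_MAX, 50 };
    static const char *names[] = { "ok", "negative input", "insufficient" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        int32_t rem = 0;
        wstatus s = withdraw_as_described(100, tries[i], &rem);
        printf("withdrawal=%11d  100-w wraps to %11d  overflow=%d  -> %s\n",
               (int)tries[i], (int)wrap_sub(100, tries[i]),
               sub_overflows(100, tries[i]), names[s]);
    }
    return 0;
}
```

Under this model the subtraction from a balance of 100 can only overflow for negative inputs, which the sign check rejects, and every accepted withdrawal leaves a remainder of at most 100.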
