# Exploiting over Sockets ## Overview **File Descriptors** are integers that represent conections to sockets or files or whatever you're connecting to. In Unix systems, there are `3` main file descriptors (often abbreviated **fd**) for each application: | Name | fd | | -------- | -- | | `stdin` | 0 | | `stdout` | 1 | | `stderr` | 2 | These are, as shown above, **standard input**, **output** and **error**. You've probably used them before yourself, for example to hide errors when running commands: ```bash find / -name secret.txt 2>/dev/null ``` Here you're piping `stderr` to `/dev/null`, which is the same principle. ## File Descriptors and Sockets Many binaries in CTFs use programs such as `socat` to redirect `stdin` and `stdout` (and sometimes `stderr`) to the user when they connect. These are super simple and often require no more than a replacement of ```python p = process() ``` With the line ```python p = remote(host, port) ``` Others, however, implement their own socket programming in C. In these scenarios, `stdin` and `stdout` may not be shown back to the user. The reason for this is every new connection has a **different fd**. If you listen in C, since fd 0-2 is reserved, the listening socket will often be assigned fd `3`. Once we connect, we set up another fd, fd `4` (neither the `3` nor the `4` is certain, but statistically likely). ## Exploitation with File Desciptors In these scenarios, it's just as simple to pop a shell. This shell, however, is not shown back to the user - it's shown back to the terminal running the server. Why? Because it utilises fd `0`, `1` and `2` for its I/O. Here we have to tell the program to **duplicate** the file descriptor in order to redirect `stdin` and `stderr` to fd `4`, and glibc provides a simple way to do so. The `dup` syscall (and C function) duplicates the fd and uses the lowest-numbered free fd. However, we need to ensure it's fd `4` that's used, so we can use `dup2()`. `dup2` takes in two parameters: a `newfd` and an `oldfd`. Descriptor `oldfd` is duplicated to `newfd`, allowing us to interact with `stdin` and `stdout` and actually use any shell we may have popped. Note that the [man page](https://man7.org/linux/man-pages/man2/dup.2.html) outlines how if `newfd` is in use it is silently closed, which is exactly what we wish. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ir0nstone.gitbook.io/notes/binexp/stack/exploiting-over-sockets.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.