# Socat

`socat` is a "multipurpose relay" often used to serve binary exploitation challenges in CTFs. It wires the process's `stdin` and `stdout` up to a socket, and its `fork` option spawns a fresh child for every incoming connection, so many players can hit the same binary at once. The following is an example of how you could host a binary on port `5000`:

```
socat tcp-l:5000,reuseaddr,fork EXEC:"./vuln",pty,stderr
```

Most of the options are self-explanatory (and the rest you can look up): `tcp-l:5000` listens on port 5000, `reuseaddr` lets you restart the listener without waiting for the old socket to time out, `fork` handles each connection in a child process, `EXEC:"./vuln"` runs the binary, and `stderr` sends its stderr down the socket as well as stdout. The important part is that in this scenario we don't have to [redirect file descriptors](https://ir0nstone.gitbook.io/notes/binexp/stack/exploiting-over-sockets), as `socat` does it all for us.

What **is** important, however, is `pty` mode. With `pty`, `socat` puts a pseudo-terminal between the socket and the process, so your input passes through the kernel's tty line discipline rather than straight into the binary, and the line discipline treats control characters exactly as it would for a user at a keyboard. That means input is **not** delivered literally: if you send a `\x7f` (a `DELETE`, which is the terminal's erase character), it never reaches the process at all and instead **literally** deletes the previous character of the line (as shown in my [*Dream Diary: Chapter 1*](https://ir0nstone.gitbook.io/hackthebox/challenges/dream-diary-chapter-1/unlink-exploit#moving-to-remote) writeup). This is incredibly relevant because on 64-bit, glibc is mapped at `0x7f...`, so a packed libc address almost always contains a `\x7f` byte and it's not really possible to avoid (although you *could* keep rerunning the exploit until the rare occasion ASLR hands you an `0x7e...` libc base).

To bypass this we use `\x16` (Ctrl-V), which is the terminal's "literal next" character rather than anything specific to `socat`: it tells the line discipline to pass the following byte through untouched. So we prepend `\x16` to any `\x7f` we send across. The same trick is needed for any other byte the tty would act on instead of delivering, such as `\x03` (which would send `SIGINT` to the target), `\x04` (end of file) or `\x16` itself, which has to be doubled. Two other side effects of the pseudo-terminal are worth knowing about: the target's `stdout` is line-buffered as it would be on a real terminal, and the tty echoes your input back, so what you read from the socket includes a copy of what you sent.
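As an added illustration (not part of the original notes), here is a small Python helper that escapes a payload for a `pty`-backed target by prefixing `\x16` to every byte the tty line discipline would otherwise interpret, plus a local check that uses Python's `pty` module to open a pseudo-terminal and show the erase character eating a byte on the way through. The libc base, the padding and the list of special bytes are assumptions for the demo (the list follows Linux termios defaults and is not exhaustive); in a real exploit you would run the payload through `escape_for_pty` just before sending it.

```python
import os
import pty
import select
import struct

# Control bytes the default tty line discipline (canonical mode, ISIG, IEXTEN)
# acts on instead of handing to the process. Assumed Linux termios defaults;
# illustrative rather than exhaustive.
VLNEXT = 0x16  # Ctrl-V, "literal next": the byte that quotes whatever follows it
TTY_SPECIALS = frozenset({
    0x7f,    # DEL (VERASE): erase previous character
    0x15,    # ^U  (VKILL): erase the whole line
    0x17,    # ^W  (VWERASE): erase previous word
    0x12,    # ^R  (VREPRINT): reprint the line
    0x04,    # ^D  (VEOF): end of file, read() returns 0
    0x03,    # ^C  (VINTR): SIGINT to the target
    0x1c,    # ^\  (VQUIT): SIGQUIT
    0x1a,    # ^Z  (VSUSP): SIGTSTP
    0x11,    # ^Q  (VSTART) and
    0x13,    # ^S  (VSTOP): swallowed as flow control under IXON
    0x0d,    # CR: rewritten to \n under ICRNL
    VLNEXT,  # ^V itself has to be doubled to arrive literally
})


def escape_for_pty(payload: bytes, specials=TTY_SPECIALS) -> bytes:
    """Prefix every special byte with VLNEXT so the tty delivers it verbatim."""
    out = bytearray()
    for b in payload:
        if b in specials:
            out.append(VLNEXT)
        out.append(b)
    return bytes(out)


def p64(addr: int) -> bytes:
    """Little-endian 64-bit pack, the same as pwntools' p64()."""
    return struct.pack("<Q", addr)


def pty_roundtrip(raw: bytes, timeout: float = 1.0):
    """Write raw bytes into a fresh pseudo-terminal's master side (which is
    what socat does with your socket data) and return what a process reading
    the slave side would see. Returns None if no pty can be opened or no
    complete line arrives within the timeout (canonical mode reads by line)."""
    try:
        master, slave = pty.openpty()
    except OSError:
        return None
    try:
        os.write(master, raw)
        ready, _, _ = select.select([slave], [], [], timeout)
        if not ready:
            return None
        return os.read(slave, 4096)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    # Assumed libc base for the demo; its packed form carries a 0x7f byte.
    libc_base = 0x7FFFF7DD1000
    payload = b"A" * 8 + p64(libc_base) + b"\n"
    print("raw:             ", payload)
    print("escaped:         ", escape_for_pty(payload))
    print("tty sees raw:    ", pty_roundtrip(payload))
    print("tty sees escaped:", pty_roundtrip(escape_for_pty(payload)))
```

Running it shows the raw payload reaching the process with the `\xff` byte before `\x7f` erased and the `\x7f` itself gone, while the escaped payload arrives intact. The roundtrip helper only demonstrates the line discipline; it does not touch `socat`, so you can run it anywhere a pseudo-terminal can be opened.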
