More on socat
`socat` is a "multipurpose relay" often used to serve binary exploitation challenges in CTFs. Essentially, it transfers `stdout` to the socket and also allows simple forking capabilities. The following is an example of how you could host a binary on port 5000:

```bash
socat tcp-l:5000,reuseaddr,fork EXEC:"./vuln",pty,stderr
```
Most of the command is fairly logical (and the rest you can look up). The important part is that in this scenario we don't have to redirect file descriptors, as `socat` does it all for us.
What is important, however, is `pty` mode. `pty` mode allows you to communicate with the process as if you were a user: it takes in input literally, including DELETE characters. If you send a DELETE (`\x7f`), it will literally delete the previous character (as shown shortly in my Dream Diary: Chapter 1 writeup). This is incredibly relevant because in 64-bit the `\x7f` is almost always present in glibc addresses, so it's not quite so possible to avoid (although you could keep rerunning the exploit until the rare occasion you get an
To bypass this we use `\x16` (Ctrl-V, the tty's "literal next" character) and prepend it to any `\x7f` we send across, so the line discipline passes the DELETE through to the process unchanged instead of acting on it.
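The following is an added example, not code from the original notes or from `socat` itself. It models the two termios behaviours the text relies on (ERASE, default `0x7f`, and LNEXT, default `0x16`) in a few lines of Python, so you can see a packed 64-bit glibc address lose a byte when sent raw through a pty and survive once escaped. The tty model is a deliberate simplification (only those two control characters are handled), the libc address is a constructed value rather than a real leak, and the escaping also covers a literal `0x16` in the payload, which the same mechanism would otherwise swallow. Everything else (`tty_canonical_process`, `escape_for_pty`, `build_payload`) is a name chosen here, not a `socat` or pwntools API.

```python
import struct

# Default control characters of a Linux tty line discipline in canonical mode
# (termios VERASE and VLNEXT). VLNEXT is honoured only when IEXTEN is set,
# which is the default on a freshly allocated pty.
VERASE = 0x7F  # DELETE: erase the previous character in the input line
VLNEXT = 0x16  # Ctrl-V: pass the next character through literally

# Constructed example address (not a real leak): a plausible 64-bit glibc
# mapping, chosen so that its little-endian packing contains a 0x7f byte.
EXAMPLE_LIBC_ADDR = 0x00007FFFF7DD2000


def tty_canonical_process(raw: bytes) -> bytes:
    """Minimal model of what the pty hands to the process for one input line.

    Only ERASE and LNEXT are modelled (no ICRNL, no INTR/EOF/KILL handling);
    that is enough to show why a raw 0x7f disappears and why 0x16 fixes it.
    """
    line = bytearray()
    literal_next = False
    for b in raw:
        if literal_next:            # previous byte was LNEXT: keep this one as-is
            line.append(b)
            literal_next = False
        elif b == VLNEXT:           # LNEXT itself is consumed, not delivered
            literal_next = True
        elif b == VERASE:           # ERASE removes the byte before it
            if line:
                line.pop()
        else:
            line.append(b)
    return bytes(line)


def escape_for_pty(payload: bytes) -> bytes:
    """Prepend LNEXT to every byte the line discipline would otherwise act on.

    Generalises the page's rule slightly: a literal 0x16 in the payload is
    escaped too, since the tty would otherwise treat it as LNEXT.
    """
    out = bytearray()
    for b in payload:
        if b in (VERASE, VLNEXT):
            out.append(VLNEXT)
        out.append(b)
    return bytes(out)


def packed_has_erase_byte(addr: int) -> bool:
    """True if the little-endian 8-byte packing of addr contains 0x7f."""
    return VERASE in struct.pack("<Q", addr)


def build_payload(addr: int) -> bytes:
    """Constructed stand-in for an exploit payload: padding plus one address."""
    return b"A" * 8 + struct.pack("<Q", addr)


if __name__ == "__main__":
    payload = build_payload(EXAMPLE_LIBC_ADDR)
    print("address contains 0x7f:", packed_has_erase_byte(EXAMPLE_LIBC_ADDR))
    print("sent raw through pty:  ", tty_canonical_process(payload).hex())
    print("sent escaped:          ", tty_canonical_process(escape_for_pty(payload)).hex())
```

Running it shows the raw payload coming out two bytes short (the `0x7f` is consumed and erases the `0xff` before it), while the escaped payload arrives intact. The same `escape_for_pty` transform is what you would apply to every `send` when the target is served with `socat ... ,pty`, and it is a no-op for payloads that contain neither control byte, so it is safe to apply unconditionally.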