More on socat
`socat` is a "multipurpose relay" often used to serve binary exploitation challenges in CTFs. Essentially, it connects the process's stdin and stdout to the socket and also provides simple forking capabilities. The following is an example of how you could host a binary on port 5000:

Most of the command is fairly logical (and the rest you can look up). The important part is that in this scenario we don't have to redirect file descriptors, as `socat` does it all for us.

What is important, however, is `pty` mode. Because `pty` mode lets you communicate with the process as if you were a user at a terminal, your input is processed the way a terminal would process it - including DELETE characters. If you send a `\x7f` - a DELETE - it will literally delete the previous character (as shown shortly in my Dream Diary: Chapter 1 writeup). This is incredibly relevant because in 64-bit the `\x7f` byte is almost always present in glibc addresses, so it's not quite so possible to avoid (although you could keep rerunning the exploit until the rare occasion you get an `0x7e...` libc base).

To bypass this we use the `socat` `pty` escape character `\x16` and prepend it to any `\x7f` we send across.
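As an added example (not code from the original post), here is a small Python model of the two behaviours described above: a cooked pty erasing the previous byte when it sees `\x7f`, and `\x16` passing the byte after it through untouched. The `canonical_pty_filter` model, the `escape_for_pty` helper and the sample libc address are all constructed for illustration; the model deliberately ignores echo, line buffering and every other terminal control character.

```python
import struct

VERASE = 0x7F  # DEL: the pty's erase character, deletes the previous byte
VLNEXT = 0x16  # Ctrl-V: the pty "literal next" escape socat honours


def canonical_pty_filter(data: bytes) -> bytes:
    """Simplified model of what a cooked pty delivers to the process.

    Only the two behaviours discussed above are modelled (assumption):
    DEL erases the previous byte, and \\x16 makes the next byte literal.
    """
    out = bytearray()
    literal_next = False
    for b in data:
        if literal_next:          # byte after \x16 is taken as-is
            out.append(b)
            literal_next = False
        elif b == VLNEXT:         # escape itself is consumed, not delivered
            literal_next = True
        elif b == VERASE:         # DEL eats the previous byte, if any
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)


def escape_for_pty(payload: bytes) -> bytes:
    """Prepend \\x16 to every \\x7f so the pty delivers it literally."""
    return payload.replace(bytes([VERASE]), bytes([VLNEXT, VERASE]))


def p64(value: int) -> bytes:
    """Little-endian 64-bit pack, local stand-in for pwntools' p64."""
    return struct.pack("<Q", value)


# Constructed sample: a typical 64-bit libc address whose top byte is 0x7f.
LIBC_ADDR = 0x7FFFF7DD5000
PAYLOAD = b"A" * 8 + p64(LIBC_ADDR)

if __name__ == "__main__":
    raw = canonical_pty_filter(PAYLOAD)
    fixed = canonical_pty_filter(escape_for_pty(PAYLOAD))
    print("unescaped:", raw.hex(), "(%d bytes, address corrupted)" % len(raw))
    print("escaped:  ", fixed.hex(), "(%d bytes, intact)" % len(fixed))
```

Sending the raw payload loses the `\xff` byte that precedes `\x7f`, so the address arrives one byte short; the escaped payload arrives byte-for-byte intact.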