Bughost not fully working

jefcolbi

Leecher
I have a bughost which partially works.
I need some advice.

Here is a json of the payload and the response
{
"timestamp": "2026-03-27 03:29:56",
"target_host": "37.59.121.117",
"target_port": 443,
"proxy_host": "X.X.X.X",
"proxy_port": 80,
"mode": "proxy",
"variant": "legacy",
"status_code": 200,
"status_line": "HTTP/1.1 200 Connection established",
"ok": true,
"error": null,
"source_payload": "CONNECT [host_port][protocol][crlf]Host: 0.freebasics.com [crlf][crlf]",
"rendered_payload": "CONNECT 37.59.121.117:443HTTP/1.1\r\nHost: 0.freebasics.com \r\n\r\n",
"response_preview": "HTTP/1.1 200 Connection established\r\n\r\n"
}

This bug only happens when there is no space between [host_port] and [protocol].
When the proxy answer is returned, no data exchange can happen anymore and when it even happens it is only 35KB of data then it is stuck forever.

Has someone already encountered that problem? What is the solution to make this payload fully work?
 
This bug only happens when there is no space between [host_port] and [protocol].
Yes. Because the server would return 400 if you sent an invalid request. Unless your proxy ignores it and sends a forced 200 response (like OHP does).

[You might need OHP server to make it work]

You can do something like this with OHP:
HTTP/0.9[crlf]Host: bughost.com[lf]Connection: keep-alive[crlf][crlf]

And it will return 200 and proceed with the connection.

When the proxy answer is returned, no data exchange can happen anymore and when it even happens it is only 35KB of data then it is stuck forever.
The problem I see here is that your bughost has already been detected by your ISP's DPI, causing it not to work for tunneling.
Try another one I guess.


Can you try this payload on your end?

CONNECT [host_port] HTTP:www.lazada.com.ph[split][crlf] HTTP/1.6 200 [crlf]Host: <your_bughost>[lf]

This is an incomplete, invalid request; you can try it and see if it responds with 200.
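Why a standards-conforming proxy answers 400 to the payloads in this thread, as an added example that is not part of the original posts: a strict request-head check that a proxy operator could run (and log) before honouring CONNECT. The function name and the well-formed sample are assumptions; the other two samples are payloads quoted above with their placeholders expanded.

```python
import re

# RFC 9112: request-line = method SP request-target SP HTTP-version
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"(" + TOKEN + rb") ([^\x00-\x20\x7f]+) HTTP/(\d)\.(\d)")
AUTHORITY = re.compile(rb"(?:[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\]):(\d{1,5})")

def check_request_head(head: bytes) -> list:
    """Return the reasons to answer 400; an empty list means well-formed."""
    if b"\r\n\r\n" not in head:
        return ["header section not terminated by CRLF CRLF"]
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    problems = []
    m = REQUEST_LINE.fullmatch(lines[0])
    if m is None:
        problems.append("request line is not 'method SP target SP HTTP/x.y'")
    else:
        method, target, major, minor = m.groups()
        if (major, minor) not in ((b"1", b"0"), (b"1", b"1")):
            problems.append("unsupported HTTP version")
        if method == b"CONNECT":
            a = AUTHORITY.fullmatch(target)
            if a is None or not 0 < int(a.group(1)) <= 65535:
                problems.append("CONNECT target is not host:port")
    for raw in lines[1:]:
        name, sep, value = raw.partition(b":")
        if not sep or re.fullmatch(TOKEN, name) is None:
            problems.append("malformed header field")
        elif b"\r" in value or b"\n" in value:
            problems.append("bare CR or LF inside a header value")
    return problems

# Payload as rendered in the first post of the thread (no SP before HTTP/1.1).
RENDERED = b"CONNECT 37.59.121.117:443HTTP/1.1\r\nHost: 0.freebasics.com \r\n\r\n"
# Constructed well-formed request for comparison.
WELL_FORMED = b"CONNECT 37.59.121.117:443 HTTP/1.1\r\nHost: 37.59.121.117:443\r\n\r\n"
# The HTTP/0.9 payload from the reply, with [crlf]/[lf] expanded.
LF_PAYLOAD = b"HTTP/0.9\r\nHost: bughost.com\nConnection: keep-alive\r\n\r\n"

if __name__ == "__main__":
    for sample in (RENDERED, WELL_FORMED, LF_PAYLOAD):
        verdict = check_request_head(sample)
        print("400" if verdict else "200", sample[:40], verdict)
```

A front end that answers 200 to the first or third sample is parsing more leniently than the specification allows, which is the discrepancy a strict proxy or an inspection device can key on.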
 
Hi. Can you point me to the OHP server you are referring to?

Also I am myself a developer. So I did a TCP server which always returns
"HTTP/1.1 200 Connection Established\r\nConnection: Keep-Alive\r\n\r\n" and starts sending some data from only the TCP server.

When I send binary data they never arrive; they are blocked.
But when I send data which looks like HTTP traffic like
"HTTP/1.1 200 Connection Established\r\nXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n\r\n" I receive them on the client side but it is limited to only 35KB.

I tried exchanging data client <-> server after the HTTP response. If I send binary data the connection is closed; if I send HTTP traffic I can only send one round.

I have many free hosts. I didn't test all of them but those I tested produce the same behavior.

About your payload, I will tell you, because currently the mobile network is not available.
 
Also I am myself a developer. So I did a TCP server which always returns
"HTTP/1.1 200 Connection Established\r\nConnection: Keep-Alive\r\n\r\n" and starts sending some data from only the TCP server.

That's what OHP does. It behaves like what you want to do (but that tool is special, as it can handle the connection flawlessly for some time and reconnect if the pipe breaks). (It died down when WebSocket got popularized; it's still a useful proxy though.)

What you're trying to do is called the broken pipe trick. It is done by sending a malformed HTTP request. You can find a long valid domain in the Host header (even if it's not a free access site (bughost)), see if it can get past that 35KB block.
 
So here is the result of the payload you gave, the server can return HTTP 200 but the data sent after are blocked

Server logs

b'CONNECT 37.59.121.117:443 HTTP:You do not have permission to view the full content of this post. Log in or register now.'
1774706120.8091583 Sent 281 to <socket.socket fd=10, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 35003)>
[DATA] client_to_server | 102.244.45.219:35003 -> 127.0.0.1:8080 | 41 bytes | fd=10
b'\r\n HTTP/1.6 200 \r\nHost: 0.freebasics.com\n'
1774706120.967911 Sent 281 to <socket.socket fd=10, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 35003)>
Sent 2065 to <socket.socket fd=7, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 11689)>
Sent 2065 to <socket.socket fd=8, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 7935)>
Sent 2065 to <socket.socket fd=6, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 19945)>
Sent 2065 to <socket.socket fd=9, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 40351)>
Sent 2065 to <socket.socket fd=10, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 35003)>
Sent 2065 to <socket.socket fd=7, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 11689)>
Sent 2065 to <socket.socket fd=8, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 7935)>
Sent 2065 to <socket.socket fd=6, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 19945)>
Sent 2065 to <socket.socket fd=9, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 40351)>
Sent 2065 to <socket.socket fd=10, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 35003)>
Sent 2065 to <socket.socket fd=7, family=2, type=1, proto=0, laddr=('X.X.X.X', 3128), raddr=('102.244.45.219', 11689)>



Client logs

[*] Connected to proxy X.X.X.X:3128
[*] Payload sent to proxy
[*] Payload 2 sent to proxy
[*] Waiting for [<socket.socket fd=4, family=2, type=1, proto=0, laddr=('10.57.252.150', 39948), raddr=('X.X.X.X', 3128)>] activity
[DATA] server_to_client -> 281 bytes | fd=4
Total = 281 // b'HTTP/1.1 200 Connect'
[*] Waiting for [<socket.socket fd=4, family=2, type=1, proto=0, laddr=('10.57.252.150', 39948), raddr=('X.X.X.X', 3128)>] activity
[*] Waiting for [<socket.socket fd=4, family=2, type=1, proto=0, laddr=('10.57.252.150', 39948), raddr=('X.X.X.X', 3128)>] activity
[*] Waiting for [<socket.socket fd=4, family=2, type=1, proto=0, laddr=('10.57.252.150', 39948), raddr=('X.X.X.X', 3128)>] activity
[*] Waiting for [<socket.socket fd=4, family=2, type=1, proto=0, laddr=('10.57.252.150', 39948), raddr=('X.X.X.X', 3128)>] activity
^C[-] Client closed
 
first don't use any proxy/port for HTTP/TCP methods for droidvpn
---------------------
TS

test with droidvpn pc ver => You do not have permission to view the full content of this post. Log in or register now.
and connect with 'HTTP' method and connect direct,

if u want to use payload, connect with 'TCP' method and change the headers
also as u are not using any proxy/port don't put header 'CONNECT [host_port]', just put 'GET / '
and continue with ur host: etc..,

if it displays, invalid user/password, enter ur droidvpn's free a/c details in the app, it gives daily 300MB/day
 
first don't use any proxy/port for HTTP/TCP methods for droidvpn
---------------------
TS

test with droidvpn pc ver => You do not have permission to view the full content of this post. Log in or register now.
and connect with 'HTTP' method and connect direct,

if u want to use payload, connect with 'TCP' method and change the headers
also as u are not using any proxy/port don't put header 'CONNECT [host_port]', just put 'GET / '

if it displays, invalid user/password, enter ur droidvpn's free a/c details in the app, it gives daily 300MB/day
I tested first with a working internet connection. TCP & HTTP doesn't reach the "invalid username and password" for all servers. only UDP & ICMP do
 
OK

i will give a phreaker tool and openvpn portable
check

and

reply
first start the phreaker tool.
then connect the openvpn portable
 
I tested first with a working internet connection. TCP & HTTP doesn't reach the "invalid username and password" for all servers. only UDP & ICMP do
so, in droidvpn
change the http/tcp port to 443
also
enable proxy and enter ur proxy details


also change the
header
as

GET / HTTP/1.1[crlf]Host: 0.freebasics.com[crlf][crlf]
or
GET You do not have permission to view the full content of this post. Log in or register now. HTTP/1.1[crlf]Host: 0.freebasics.com[crlf][crlf]
or
CONNECT [host_port] .HTTP/1.0[crlf]Host: 0.freebasics.com[crlf][crlf]

the connect header has the . (i.e., . which is important, besides the HTTP/1.0)

or

CONNECT [host_port] SHTTP/1.0 200 OK HTTP/1.0[crlf]Host: 0.freebasics.com[crlf][crlf]
 
so, in droidvpn
change the http/tcp port to 443
also
enable proxy and enter ur proxy details


also change the
header
as

GET / HTTP/1.1[crlf]Host: 0.freebasics.com[crlf][crlf]
I already changed it to 443 before replying to you. And again I tried to connect first with a working internet. I doubt that if it doesn't work with fully working internet it will do without it.
 
so, in droidvpn
change the http/tcp port to 443
also
enable proxy and enter ur proxy details


also change the
header
as

GET / HTTP/1.1[crlf]Host: 0.freebasics.com[crlf][crlf]
The header will not work. As I stated, the remote proxy can reply only when there is no space between the http and the http protocol, for example GET 8.8.8.8HTTP/1.1 ...
 
so, in droidvpn
change the http/tcp port to 443
also
enable proxy and enter ur proxy details


also change the
header
as

GET / HTTP/1.1[crlf]Host: 0.freebasics.com[crlf][crlf]
or
CONNECT [host_port] .HTTP/1.0[crlf]Host: 0.freebasics.com[crlf][crlf]

the connect header has the . (i.e., . which is important, besides the http)

or

CONNECT [host_port] SHTTP/1.0 200 OK HTTP/1.0[crlf]Host: 0.freebasics.com[crlf][crlf]
so here are the results

GET / HTTP/1.1[crlf]Host: 0.freebasics.com[crlf][crlf] -> brutal fails/stop

CONNECT [host_port] .HTTP/1.0[crlf]Host: 0.freebasics.com[crlf][crlf] -> brutal fails/stop

CONNECT [host_port] SHTTP/1.0 200 OK HTTP/1.0[crlf]Host: 0.freebasics.com[crlf][crlf] -> stuck no data received
 
so here are the results

GET / HTTP/1.1[crlf]Host: 0.freebasics.com[crlf][crlf] -> brutal fails/stop

CONNECT [host_port] .HTTP/1.0[crlf]Host: 0.freebasics.com[crlf][crlf] -> brutal fails/stop

CONNECT [host_port] SHTTP/1.0 200 OK HTTP/1.0[crlf]Host: 0.freebasics.com[crlf][crlf] -> stuck no data received
change the proxy port to 3128, becoz ur proxy is running at 3128 in the
droidvpn
also
without proxy
change the http/tcp port to 3128 and check
 
change the proxy port to 3128, becoz ur proxy is running at 3128 in the
droidvpn
also
without proxy
change the http/tcp port to 3128 and check
My proxy is not a normal proxy bro. It is a test proxy that returns the initial HTTP 200 response and continuously sends data to the client to verify the connection can be maintained. For now the test proxy can return data for only 60s, limited to 35KB. That is it.
There is not a known pattern why the ISP firewall is doing this.
I wrote this test proxy because the real ones I used were returning an HTTP 200 response and the connection was not moving forward.
 
Yes, but you are not understanding that even with a WORKING internet connection droidvpn doesn't work. HTTP and TCP don't work at all, port 80 or 443. It stops after "socket connected".
with legit internet connection also droidvpn is not connecting means there is a pblm with ur internet connection
 
with legit internet connection also droidvpn is not connecting means there is a pblm with ur internet connection
Well no. It is what I am using to write to you. It is fine.

I simulated a recorded request from facebook with a test websocket server

WITH WORKING INTERNET WIFI



=== Handshake request sent ===
'GET /ws/XXXXXXXXXX?lid=XXXXXXXXXXHTTP/1.1\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nAccept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7\r\nCache-Control: no-cache\r\nConnection: Upgrade\r\nCookie: ps_l=1; ps_n=1; datr=cHOfaSpPRmeq18Oh2wj8T3Jr; sb=QY_FaXpP0Q32XCw_F3kmBY72; m_pixel_ratio=2; wd=360x800; c_user=XXXXXXXXXX; xs=26%3AHFYBeqSMVzXLQQ%3A2%3AXXXXXXXXXX%3A-1%3A-1; locale=fr_FR; pas=XXXXXXXXXX; vpd=v1%3B703x360x2; fr=09CUXTfDqRykmXorF.AWfR__q7OjRy3Uc_AhnVHbO1A-1YwOic96i1CIbZzVoPMtJxPTY.BoatBk..AAA.0.0.BpymUl.AWfQXeEr2lA4ky5su9gc5GnhQ8A; wl_cbv=v2%3Bclient_version%3A3128%3Btimestamp%3AXXXXXXXXXX; fbl_st=XXXXXXXXXX%3BT%3AXXXXXXXXXX\r\nHost: kaios-z.facebook.com\r\nOrigin: https://m.facebook.com\r\nPragma: no-cache\r\nSec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\nSec-WebSocket-Key: DZJozNUHX2kQZqWoSWPqRA==\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\nUser-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36\r\n\r\n'

=== Handshake response received ===
HTTP/1.1 101 Switching Protocols
Connection:Upgrade
Sec-WebSocket-Accept: gUxIX0xTzCaJokmDqHmwcSxjZSc=
Upgrade: websocket


Connected. Generating and sending data after each server response.

Sending: generated message #1 at XXXXXXXXXX.XXXXXXXXXX
Server: Server got: generated message #1 at XXXXXXXXXX.XXXXXXXXXX

Sending: generated message #2 at XXXXXXXXXX.XXXXXXXXXX
Server: Server got: generated message #2 at XXXXXXXXXX.XXXXXXXXXX

Sending: generated message #3 at XXXXXXXXXX.XXXXXXXXXX
Server: Server got: generated message #3 at XXXXXXXXXX.XXXXXXXXXX

Sending: generated message #4 at XXXXXXXXXX.XXXXXXXXXX
^C
Client interrupted, sending close frame


WITH THE MOBILE OPERATOR 4G


=== Handshake request sent ===
'GET /ws/XXXXXXXXXX?lid=XXXXXXXXXXHTTP/1.1\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nAccept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7\r\nCache-Control: no-cache\r\nConnection: Upgrade\r\nCookie: ps_l=1; ps_n=1; datr=cHOfaSpPRmeq18Oh2wj8T3Jr; sb=QY_FaXpP0Q32XCw_F3kmBY72; m_pixel_ratio=2; wd=360x800; c_user=XXXXXXXXXX; xs=26%3AHFYBeqSMVzXLQQ%3A2%3AXXXXXXXXXX%3A-1%3A-1; locale=fr_FR; pas=XXXXXXXXXX; vpd=v1%3B703x360x2; fr=09CUXTfDqRykmXorF.AWfR__q7OjRy3Uc_AhnVHbO1A-1YwOic96i1CIbZzVoPMtJxPTY.BoatBk..AAA.0.0.BpymUl.AWfQXeEr2lA4ky5su9gc5GnhQ8A; wl_cbv=v2%3Bclient_version%3A3128%3Btimestamp%3AXXXXXXXXXX; fbl_st=XXXXXXXXXX%3BT%3AXXXXXXXXXX\r\nHost: kaios-z.facebook.com\r\nOrigin: https://m.facebook.com\r\nPragma: no-cache\r\nSec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\nSec-WebSocket-Key: DZJozNUHX2kQZqWoSWPqRA==\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\nUser-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36\r\n\r\n'

=== Handshake response received ===
HTTP/1.1 101 Switching Protocols
Connection:Upgrade
Sec-WebSocket-Accept: gUxIX0xTzCaJokmDqHmwcSxjZSc=
Upgrade: websocket


Connected. Generating and sending data after each server response.

Sending: generated message #1 at XXXXXXXXXX.XXXXXXXXXX
^C
Client interrupted, sending close frame

=================================

The simplified payload is
GET /ws/0101529886?lid=7623016534164776458HTTP/1.1\r\nHost: kaios-z.facebook.com \r\n\r\n

You can see that the HTTP 1.1 upgrade is well received, but sending WebSocket data doesn't work.

So it sums up the whole problem: you can receive a response from the server/proxy but sending data from the client will not work, and sending from the server/proxy will work for 60s and 35KB max.
 
better put port 3128 in http/tcp setting and check
also
put space after
like
Host: 0.freebasics.com [crlf]
=======================================
also check whether the 0.freebasics.com is a valid freehost, bcoz ur isp may blacklisted that host
check in web browser or any 'host checker' tool
show the output of host checker also in browser
 
