tcploop TCP client and server for bug hunting (githubusercontent.com)
4 points by 1vuio0pswjnm7 38 days ago | hide | past | favorite | 3 comments


HN changed their HTML

1. Double quotes used for item id instead of single quotes

2. No more spaces after closing tag "</a>" in "past" hyperlink

Changes to yy095.l

   <MODE1>[ ]id=['"][0-9]+["'] {

   <MODE1>class=\"hnpast\">past<\/a>< fwrite("0);\n",1,4,yyout);


   --- tcploop.c 2025-06-17 16:40:54.531128562 +0000
   +++ tcploop1.c 2025-06-23 02:20:15.877128562 +0000
   @@ -461,0 +462 @@
   +static char resp[TRASH_SIZE];
   @@ -473 +474 @@
   -                if (max > sizeof(trash))
   +                /*if (max > sizeof(trash))
   @@ -475 +476,4 @@
   -                ret = recv(sock, trash, max, MSG_NOSIGNAL | MSG_TRUNC);
   +                ret = recv(sock, trash, max, MSG_NOSIGNAL | MSG_TRUNC);*/
   +if(max>sizeof(resp))
   +max=sizeof(resp);
   +ret=recv(sock,resp,max,MSG_DONTWAIT);
   @@ -489 +492,0 @@
   -
   @@ -491 +494,5 @@
   -                        continue;
   +{
   +//fprintf(stdout,"%s",resp);
   +fwrite(resp,1,ret,stdout);
   +                        continue; 
   +}
   @@ -492,0 +500 @@
   +{
   @@ -494 +502,3 @@
   -
   +//fprintf(stdout,"%s",resp);
   +fwrite(resp,1,ret,stdout);
   +}
   @@ -498 +507,0 @@
   -
   @@ -522,0 +532 @@
   +read(0,trash,(count >0)&&(count<sizeof(trash))?count:sizeof(trash));
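Review bot: The result of `read(0,trash,…)` is discarded, so a short read, EOF or an error leaves part or all of `trash` holding whatever it held before. If the send that follows (outside this hunk) uses `count` as its length, as the "56 byte HTTP request padded to 65 bytes" example on this page suggests, those leftover bytes are transmitted to the peer. Keeping the result and clearing the tail avoids that, e.g. `n = read(0, trash, len); if (n < 0) return -1; memset(trash + n, 0, len - n);`, where `len` is the length expression already used in this call.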
Send 0x69 then 0x2077 then 0x0a from buffer, one byte string at a time

   echo i w|a.out -v 8001 N L A S1 S:t S2 S:orks S1 R11
   date +%s|a.out -v 8001 C S11 R9 
Quickly determine size of response using R, no output

   echo http://example.com|yy025|a.out -v example.com:80 C S70 R
Send 56 byte HTTP request padded to 65 bytes

   echo http://example.com|yy025|a.out -v example.com:80 C I S65 R17
Faster without I, but unreliable

   echo http://example.com|yy025|a.out -v example.com:80 C S65 R17
Output full response

   echo http://example.com|yy025|a.out -v example.com:80 C I S65 R0
Combine R and X

   echo http://example.com|yy025|a.out -v example.com:80 C I S70 R17 Xi grep -o "<title>.*</title>"


.

   --- tcploop.c2025-06-17 16:40:54.531128562 +0000
   +++ tcploop1.c2025-06-18 18:20:53.515128562 +0000
   @@ -514,0 +515 @@
   +        if (arg[1]=='-'){count=fread(trash,1,sizeof(trash),stdin);goto s;}
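Review bot: `count=fread(trash,1,sizeof(trash),stdin)` stores a size_t into `count` and jumps to the send loop without checking it, so empty or unreadable stdin leaves `count` at 0. If the loop computes its length with the `(count > 0) && (count < sizeof(trash)) ? count : sizeof(trash)` expression seen in the other patch on this page, 0 selects `sizeof(trash)`. The whole buffer, stale contents included, would then be sent; the loop is outside this hunk, so this needs confirming. Adding `if (count <= 0) return -1;` before `goto s;` closes that case. Input longer than `sizeof(trash)` is silently cut at the buffer size, which deserves at least a comment or a diagnostic.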
   @@ -524,2 +525 @@
   -
   -        while (1) {
   +        s:while (1) {

   cc -static -s -pedantic tcploop.c
default backlog is 1000

   a.out -v -t 8001 N L A E Xo echo ok
   a.out -v -t 8001 N L A E S:ok\\n
   a.out -v -t 8001 N L A S:"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" Xo date +"%a, %d %b %Y %H:%M:%S GMT"

   a.out 8001 C S G Q Xi cat 
   a.out example.com:80 C S:"GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n" Xi cat
client example illustrating combined use of S: plus S- and R

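   # Fetch every page of an organisation's repository listing over a single
   # connection. a.out is presumably the patched tcploop built with cc above.
   # NOTE(review): port 80 is cleartext HTTP, so the response, including the
   # page count parsed from it below, is unauthenticated network input.
   x=microsoft
   y=github.com
   set -x
   # First request: keep only the number that follows pageCount": in the
   # response. '@' and '#' stand in for CR and LF until tr rewrites them.
   z=$(
   echo "GET /orgs/$x/repositories?type=all HTTP/1.0@#Host: github.com@#" \
   |tr @# '\r\n' \
   |a.out "$y:80" C S- R146000 Xi sed -n '/pageCount\":/{s/.*pageCount\"://;s/,.*//;p;q;}'
   )
   # z was taken from the network: accept only a plain decimal number before
   # handing it to seq, and stop on anything else (empty, spaces, a leading
   # '-', stray text) rather than letting it word-split into extra arguments.
   case $z in
   ''|*[!0-9]*) exit 1;;
   esac
   # One GET per page, all piped into the same a.out invocation; the S: string
   # appends a final HEAD request carrying "Connection: close" (presumably so
   # the server ends the keep-alive connection). yy045 is not shown on this page.
   seq -f 'GET /orgs/'"$x"'/repositories?type=all&page=%g HTTP/1.1@#Host: github.com@#Connection: keep-alive@#' 1 "$z" \
   |tr @# '\r\n'  \
   |a.out "$y:80" C S- S:"HEAD / HTTP/1.0\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n" Xi \
   sh -c "echo '<base href=https://github.com />';yy045"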
   
   # seq -f 'https://'$y'/orgs/'$x'/repositories?type=all&page=%g' 1 $z \
   # |yy025 \
   # |a.out $y:80 C S- Xi yy045 \
   # |sed '1s|^|<base href=https://github.com />|'



