@alibo
Last active August 29, 2015 14:23
Bypass filternet! (a bug in filtering system of Iran) - Proof of Concept
<?php
/**
 * There is a bug in filternet (the filtering system of Iran).
 * If you wait 2 seconds or more before sending the HTTP request
 * headers, you can bypass filternet! You should also use LF
 * instead of CRLF (like netcat).
 *
 * How to run:
 * $ php filternet_bypass_bug.php <domain-address> <http-host-value> <sleep-time>
 *
 * - <domain-address> : connecting via tcp
 * - <http-host-value> : [optional] [default: <domain-address>] value of header `Host`
 * - <sleep-time> : [optional] [default: 2] waiting time before requesting
 */

// Create a new TCP socket
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$sock) {
    // No socket exists yet, so read the global last error
    die(socket_strerror(socket_last_error()) . "\n");
}

// Bind the source address
if (!socket_bind($sock, '0.0.0.0')) {
    die(socket_strerror(socket_last_error($sock)) . "\n");
}

// Get arguments
if (!isset($argv[1])) {
    die("Usage: php filternet_bypass_bug.php <domain-address> [<http-host-value>] [<sleep-time>]\n");
}
$domain = $argv[1];
$host = isset($argv[2]) ? $argv[2] : $domain;
$sleepTime = isset($argv[3]) ? (int) $argv[3] : 2;

// gethostbyname() returns the name unchanged when resolution fails
$ip = gethostbyname($domain);
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    die("Could not resolve '$domain'\n");
}

// Connect to destination address
echo "Connecting to '$domain' [$ip] ...\n";
if (!socket_connect($sock, $ip, 80)) {
    die(socket_strerror(socket_last_error($sock)) . "\n");
}

echo "Waiting $sleepTime second(s) ... \n";
sleep($sleepTime);

echo "Requesting 'Host: $host' ... \n";
echo "===========================\n\n";

// Write HTTP request header, terminated with LF instead of CRLF
$request = 'GET / HTTP/1.1' . "\n" .
           'Host: ' . $host . "\n\n";
if (socket_write($sock, $request) === false) {
    die(socket_strerror(socket_last_error($sock)) . "\n");
}

// Read the first part of the response
$response = socket_read($sock, 4096);
if ($response === false) {
    die(socket_strerror(socket_last_error($sock)) . "\n");
}
echo $response;

// Close
socket_close($sock);

alibo commented Jun 19, 2015

Please increase waiting time (5 seconds or more) and test it again :)


alibo commented Jun 19, 2015

php filternet_bypass_bug.php bbc.co.uk bbc.co.uk 3
Connecting to 'bbc.co.uk' [212.58.246.103] ...
Waiting 3 second(s) ... 
Requesting 'Host: bbc.co.uk' ... 
===========================

HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Fri, 19 Jun 2015 08:27:38 GMT
Location: http://www.bbc.co.uk/
Connection: Keep-Alive
Content-Length: 0
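
The following is an added example, not part of the gist or its comments. It shows, from the inspection side, how a parser that only recognises CRLF misses the `Host` header of the LF-only request the gist sends, while a parser that accepts both terminators (as RFC 7230 section 3.5 permits recipients to do) still extracts it. The CRLF-only inspector is a hypothetical model and makes no claim about how the filtering system is implemented; the function names and the `example.org` requests are constructed.

```python
import re

# Constructed sample requests: the LF-only form the PoC sends, and the usual CRLF form.
LF_REQUEST = b"GET / HTTP/1.1\nHost: example.org\n\n"
CRLF_REQUEST = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

_EOL = re.compile(rb"\r?\n")            # line terminator: CRLF or bare LF
_END = re.compile(rb"\r?\n\r?\n")       # end of the header block
_BARE_LF = re.compile(rb"(?<!\r)\n")    # LF not preceded by CR


def _find_host(lines):
    """Return the lower-cased Host value from header lines, or None."""
    for line in lines[1:]:               # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("latin-1").lower()
    return None


def host_strict_crlf(data):
    """Hypothetical CRLF-only inspector: blind to an LF-only request."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    return _find_host(head.split(b"\r\n")) if sep else None


def host_tolerant(data):
    """Inspector that accepts CRLF or bare LF line terminators."""
    end = _END.search(data)
    return _find_host(_EOL.split(data[:end.start()])) if end else None


def has_bare_lf(data):
    """Detection signal: header block contains an LF without a preceding CR."""
    end = _END.search(data)
    return bool(_BARE_LF.search(data[:end.end()] if end else data))


if __name__ == "__main__":
    for label, req in (("LF", LF_REQUEST), ("CRLF", CRLF_REQUEST)):
        print(label, host_strict_crlf(req), host_tolerant(req), has_bare_lf(req))
```

The example covers only the line-terminator half of the behaviour described in the gist; the effect of the delay before the request is not modelled.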
