zckevin

## tcp_data_queue.stp
sudo stap -v -e 'probe kernel.function("tcp_data_queue") {
    tcphdr = __get_skb_tcphdr($skb);
    sport = __tcp_skb_sport(tcphdr);
    if (sport == 34025) {
      seq = @cast($skb->cb, "tcp_skb_cb")->seq;
      end_seq = @cast($skb->cb, "tcp_skb_cb")->end_seq;
      printf("%d %d %d %d\n", sport, seq, end_seq, end_seq - seq);
      // print_backtrace();
      // exit()
    }

## issue1.patch
diff --git a/third_party/blink/renderer/bindings/core/v8/v8_dom_configuration.cc b/third_party/blink/renderer/bindings/core/v8/v8_dom_configuration.cc
index d84004cd41..739ba61e9f 100644
--- a/third_party/blink/renderer/bindings/core/v8/v8_dom_configuration.cc
+++ b/third_party/blink/renderer/bindings/core/v8/v8_dom_configuration.cc
@@ -520,7 +520,7 @@ void InstallMethodInternal(
   if (!WorldConfigurationApplies(config, world))
     return;

-  v8::Local<v8::String> name = config.MethodName(isolate);
+  v8::Local<v8::Name> name = config.MethodName(isolate);

## exp5.c
/*
 * CTF-2 `vcat5' exploit (template)
 *
 * Vasileios P. Kemerlis <vpk@cs.brown.edu>
 *  - CSCI 1951H: Software Security and Exploitation
 *  - https://cs.brown.edu/courses/csci1951-h/
 */

#include <stdio.h>
#include <stdlib.h>

## gist:5a54d633ce5ae937462622e97de52511
type Session struct {
    Conns []net.Conn
}

packet
    timeout timer
    history

    onTimeout
        // ? find another conn(not in history)

## wgcf.py
#!/usr/bin/env python3

import subprocess
import json
import os
from pathlib import Path

import requests
from requests.compat import urljoin

## run.sh
systemctl stop firewalld

# compiling dependencies
dnf install mosh tmux git python bzip2 tar pkgconfig atk-devel alsa-lib-devel \
  bison binutils brlapi-devel bluez-libs-devel bzip2-devel cairo-devel \
  cups-devel dbus-devel dbus-glib-devel expat-devel fontconfig-devel \
  freetype-devel gcc-c++ glib2-devel glibc gperf glib2-devel \
  gtk3-devel java-1.8.0-openjdk-devel libatomic libcap-devel libffi-devel \
  libgcc libgnome-keyring-devel libjpeg-devel libstdc++ libX11-devel \
  libXScrnSaver-devel libXtst-devel libxkbcommon-x11-devel ncurses-compat-libs \

## .gclient
solutions = [
  { "name"        : "src",
    "url"         : "https://chromium.googlesource.com/chromium/src.git",
    "deps_file"   : "DEPS",
    "managed"     : True,
    "custom_deps" : {
    },
    "custom_vars": {},
  },
];

## mitm.py
# Mitmproxy: 4.0.4
# Python:    3.6.5
# OpenSSL:   OpenSSL 1.1.0h-fips  27 Mar 2018
# Platform:  Linux-4.16.3-301.fc28.x86_64-x86_64-with-fedora-28-Twenty_Eight

# usage
# mitmdump -p $LISTEN_PORT -s ./mitm.py

import os
from bs4 import BeautifulSoup

## handle.js
// 1. filter out toxic function
let _key = userFns.filter(key=> {
    let fn = window[key]
    if (testHack(fn)) return key
    return false
})[1];
window[_key] = function() {}

// 2. then, wrap all functions
function _wrap(k) {

## raw.js
var _$gm = function _$gm(_$tM, _$rZ) {
    var _$de;
    return function(_$vl, _$aZ) {
        if (_$de === _$yV) {
            _$de = _$ar(_$wL(_$tM), _$wL(_$rZ));
        }
        return _$de;
    };
}
var _$xa = function _$xa(_$rZ) {
	sudo stap -v -e 'probe kernel.function("tcp_data_queue") {
	tcphdr = __get_skb_tcphdr($skb);
	sport = __tcp_skb_sport(tcphdr);
	if (sport == 34025) {
	seq = @cast($skb->cb, "tcp_skb_cb")->seq;
	end_seq = @cast($skb->cb, "tcp_skb_cb")->end_seq;
	printf("%d %d %d %d\n", sport, seq, end_seq, end_seq - seq);
	// print_backtrace();
	// exit()
	}
	diff --git a/third_party/blink/renderer/bindings/core/v8/v8_dom_configuration.cc b/third_party/blink/renderer/bindings/core/v8/v8_dom_configuration.cc
	index d84004cd41..739ba61e9f 100644
	--- a/third_party/blink/renderer/bindings/core/v8/v8_dom_configuration.cc
	+++ b/third_party/blink/renderer/bindings/core/v8/v8_dom_configuration.cc
	@@ -520,7 +520,7 @@ void InstallMethodInternal(
	if (!WorldConfigurationApplies(config, world))
	return;

	- v8::Local<v8::String> name = config.MethodName(isolate);
	+ v8::Local<v8::Name> name = config.MethodName(isolate);
	/*
	* CTF-2 `vcat5' exploit (template)
	*
	* Vasileios P. Kemerlis <vpk@cs.brown.edu>
	* - CSCI 1951H: Software Security and Exploitation
	* - https://cs.brown.edu/courses/csci1951-h/
	*/

	#include <stdio.h>
	#include <stdlib.h>
	type Session struct {
	Conns []net.Conn
	}

	packet
	timeout timer
	history

	onTimeout
	// ? find another conn(not in history)
	#!/usr/bin/env python3

	import subprocess
	import json
	import os
	from pathlib import Path

	import requests
	from requests.compat import urljoin
	systemctl stop firewalld

	# compiling dependencies
	dnf install mosh tmux git python bzip2 tar pkgconfig atk-devel alsa-lib-devel \
	bison binutils brlapi-devel bluez-libs-devel bzip2-devel cairo-devel \
	cups-devel dbus-devel dbus-glib-devel expat-devel fontconfig-devel \
	freetype-devel gcc-c++ glib2-devel glibc gperf glib2-devel \
	gtk3-devel java-1.8.0-openjdk-devel libatomic libcap-devel libffi-devel \
	libgcc libgnome-keyring-devel libjpeg-devel libstdc++ libX11-devel \
	libXScrnSaver-devel libXtst-devel libxkbcommon-x11-devel ncurses-compat-libs \
	solutions = [
	{ "name" : "src",
	"url" : "https://chromium.googlesource.com/chromium/src.git",
	"deps_file" : "DEPS",
	"managed" : True,
	"custom_deps" : {
	},
	"custom_vars": {},
	},
	];
	# Mitmproxy: 4.0.4
	# Python: 3.6.5
	# OpenSSL: OpenSSL 1.1.0h-fips 27 Mar 2018
	# Platform: Linux-4.16.3-301.fc28.x86_64-x86_64-with-fedora-28-Twenty_Eight

	# usage
	# mitmdump -p $LISTEN_PORT -s ./mitm.py

	import os
	from bs4 import BeautifulSoup
	// 1. filter out toxic function
	let _key = userFns.filter(key=> {
	let fn = window[key]
	if (testHack(fn)) return key
	return false
	})[1];
	window[_key] = function() {}

	// 2. then, wrap all functions
	function _wrap(k) {
	var _$gm = function _$gm(_$tM, _$rZ) {
	var _$de;
	return function(_$vl, _$aZ) {
	if (_$de === _$yV) {
	_$de = _$ar(_$wL(_$tM), _$wL(_$rZ));
	}
	return _$de;
	};
	}
	var _$xa = function _$xa(_$rZ) {