Tags: kernel pwn


Kernel module with 3 main bugs: a deterministic PRNG, no validation of the user-supplied buffer pointer (the ioctl will happily copy to a pointer into kernel space), and a TOCTOU in the ioctl handler that can turn the memcpy into an OOB read. Use the race to leak kernel pointers after spraying kernel structures such as tty_struct, then use the unchecked pointer write to overwrite modprobe_path.
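Two of the three bugs are standard ioctl mistakes, so here is a constructed user-space model of them, added for this page and not code from the challenge module or from the linked writeup. One flat array stands in for memory (lower half "user", upper half "kernel", pointers are offsets into it), the `copy_from_user`/`copy_to_user` helpers and the `struct req { ptr, len }` argument layout are assumptions of the model, and the point is the contrast between a handler that dereferences the user struct in place and one that fetches it once and validates the kernel-side copy.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model (not the challenge's code): one flat array is "memory".
 * [0, USER_END) is user space, the rest is kernel space, and a pointer is an
 * offset into the array. The module's own buffer lives in the kernel half. */
#define MEM_SIZE   8192
#define USER_END   4096
#define KBUF_ADDR  4096     /* module buffer, first thing in kernel memory */
#define KBUF_SIZE  64

static _Alignas(16) unsigned char mem[MEM_SIZE];

struct req { uint64_t ptr; uint64_t len; };   /* assumed ioctl argument layout */

/* access_ok analogue: the whole [ptr, ptr+len) range must be user memory. */
static int user_range_ok(uint64_t ptr, uint64_t len) {
    return len <= USER_END && ptr <= USER_END - len;
}

/* copy_to_user / copy_from_user analogues: refuse any non-user range. */
static int copy_to_user(uint64_t uptr, const void *src, size_t n) {
    if (!user_range_ok(uptr, n)) return -EFAULT;
    memcpy(mem + uptr, src, n);
    return 0;
}
static int copy_from_user(void *dst, uint64_t uptr, size_t n) {
    if (!user_range_ok(uptr, n)) return -EFAULT;
    memcpy(dst, mem + uptr, n);
    return 0;
}

/* Vulnerable pattern, kept for comparison.
 * Bug 1: r->ptr is used as the copy destination with no check that it is
 *        user memory, so the caller can aim the write at kernel space.
 * Bug 2: r->len is read from user memory twice (once for the bound check,
 *        once for the copy). A concurrent writer can change it between the
 *        two reads; that TOCTOU is what lets the memcpy read past the buffer. */
static int ioctl_read_vuln(uint64_t arg) {
    const struct req *r = (const struct req *)(mem + arg);  /* user struct used in place */
    if (r->len > KBUF_SIZE)                                 /* fetch #1 */
        return -EINVAL;
    memcpy(mem + r->ptr, mem + KBUF_ADDR, r->len);          /* fetch #2, ptr unchecked */
    return 0;
}

/* Hardened pattern: fetch the argument exactly once into a kernel-side copy,
 * validate only that copy, and touch user memory solely through copy_to_user,
 * which rejects any range that is not entirely user space. */
static int ioctl_read_safe(uint64_t arg) {
    struct req r;
    if (copy_from_user(&r, arg, sizeof r))     /* single fetch; arg itself checked */
        return -EFAULT;
    if (r.len > KBUF_SIZE)                      /* bound check on the kernel copy */
        return -EINVAL;
    return copy_to_user(r.ptr, mem + KBUF_ADDR, r.len);   /* ptr validated inside */
}

/* Test helper: place a request struct in user memory and return its address. */
static uint64_t put_req(uint64_t at, uint64_t ptr, uint64_t len) {
    struct req r = { ptr, len };
    memcpy(mem + at, &r, sizeof r);
    return at;
}
```

The vulnerable handler returns 0 and modifies the kernel half of the model when handed a request whose `ptr` points there; the hardened one returns `-EFAULT` for the same request and for an `arg` that itself lies in kernel memory, and `-EINVAL` for a `len` larger than the buffer. Copying the struct once also removes the double fetch, which is the only real fix for the TOCTOU: re-checking a value that still lives in user memory does not help.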

Original writeup (https://cor.team/posts/CSAW-Qualifications-2021---Word-Games-and-Krypto).