Rating: 4.0
In this challenge we need to exploit the Linux kernel. The kernel module overwrites tcp_prot.ioctl of the TCP socket with a custom function, stonks_ioctl, and one of the handlers in stonks_ioctl overwrites sk_prot->recvmsg of the TCP socket with another custom function, stonks_rocket. The vulnerability is a use-after-free caused by a race condition: stonks_rocket fetches the sk_user_data field of struct sock before blocking, the object it points to can be freed while the call is blocked, and one of that object's function pointer fields is called after the call returns. We therefore perform a heap spray to control that function pointer field and thereby control rip in kernel mode. Since SMEP is not enabled, we can execute shellcode in user-space memory that calls commit_creds(prepare_kernel_cred(0)) to obtain root privileges.