Tags: kernel pwn 


Vulnerable kernel driver that can only be interfaced with through a "safe" userland program. Utilize a negative indexing bug to leak the driver module base and the kernel base. Then build an arbitrary read and write primitive to walk the task_struct list to the safe userland program's task and leak its stack pointer from that struct. Finally, write a ROP chain over the ioctl handler's return addresses to rewrite the userland program's code and trampoline back into it to achieve a shell.
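As an added illustration (not code from the writeup or the challenge driver), here is a constructed userland model of the bug class the chain starts from: an ioctl-style index check that only tests the upper bound of a signed index, beside the hardened form. `SLOT_COUNT`, `slots` and the function names are assumptions; the accessor itself only ever uses the hardened check, so the program never reads out of bounds.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-in for a driver's per-object table (hypothetical size). */
#define SLOT_COUNT 16
static const uint64_t slots[SLOT_COUNT] = { [0] = 7, [15] = 42 };

/* Vulnerable check: guards only the upper bound of a signed index.
 * A negative index passes and would address memory *before* the table,
 * which is exactly the kind of out-of-bounds access a kernel driver
 * must never allow on user-controlled input. */
bool index_ok_vulnerable(long idx)
{
    return idx < SLOT_COUNT;
}

/* Hardened check: reject negatives by comparing as unsigned, so any
 * negative value wraps to a huge number and fails the bound test.
 * (In-kernel code would additionally mask the index with
 * array_index_nospec() from <linux/nospec.h> after this check.) */
bool index_ok_fixed(long idx)
{
    return (unsigned long)idx < SLOT_COUNT;
}

/* Simulated ioctl read: returns the slot value, or -1 for a rejected index.
 * Uses the hardened check so this model never touches out-of-bounds memory. */
long read_slot(long idx)
{
    if (!index_ok_fixed(idx))
        return -1;
    return (long)slots[idx];
}
```

The test below pins the contrast: the vulnerable predicate accepts `-1`, the fixed one rejects it and every index at or beyond `SLOT_COUNT`.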

Original writeup (https://www.willsroot.io/2022/03/zer0pts-ctf-2022-krce-writeup.html).