Tags: kernel pwn

### Exploit summary

Exploit the UAF by freeing the buffer and reallocating the slab with a `tty_struct` via `/dev/ptmx`. Leak the kernel base from the `ops` pointer and the tty address from an internal pointer. Forge a fake `ops` table in the tty, redirecting `ioctl` to a `mov [rdx], rsi` gadget. Use this to overwrite `modprobe_path`. Trigger modprobe with invalid magic bytes to execute a custom script that reads the flag.

Full writeup link:
[https://razvan.sh/writeups/baby-kernel-uiuctf/](https://razvan.sh/writeups/baby-kernel-uiuctf/)