https://kiperz.dev/tags/cred_jar/ Recent content in Cred_jar on kiperZ Hugo -- 0.147.7 en-us Tue, 09 Jun 2026 00:00:00 +0000 https://kiperz.dev/writeups/kernel-net/ Tue, 09 Jun 2026 00:00:00 +0000 https://kiperz.dev/writeups/kernel-net/ <h2 id="tldr">TL;DR</h2> <p>A one-byte off-by-one NUL in an Android kernel driver is leveraged into a page-level UAF and then into root via a <code>struct cred</code> overwrite (PageJack). No infoleak, no kernel address. Validated on the local QEMU image and ported to a Corellium device.</p> <pre tabindex="0"><code>Target : Linux 5.15.41 arm64, /dev/kern-net Local : QEMU, nokaslr, uid mhl=1000 Device : Corellium (Android ranchu), KASLR on, SELinux enforcing, uid shell=2000 Flag : MHL{big_things_have_small_beginnings} </code></pre><h2 id="vulnerability">Vulnerability</h2> <p>The driver&rsquo;s <code>LOAD_MODEL_DATA</code> ioctl copies a fixed 128-byte structure from userland into a kernel buffer, then <code>strcpy</code>s the description field:</p>