
pbctf 2021 Nightclub Writeup: More Fun with Linux Kernel Heap Notes!

ID: 2d83c114-e33b-57a1-b02d-08cf622f2802

STIX ID: report--2d83c114-e33b-57a1-b02d-08cf622f2802

Feed Name: Will's Root

Threat Score: 60/100

Date Published: 2021-10-11

Date Updated: 2026-04-19

Author: Unknown


This writeup details exploitation of the "NightClub" Linux kernel module from pbctf 2021. The authors analyze a kmalloc-128 note structure with a null-byte poison and limited OOB/overflow primitives, describe heap grooming to create a UAF, replace freed chunks with msg_msg objects across kmalloc-128 and kmalloc-96 slabs, obtain kernel pointer leaks, and finally hijack modprobe_path via freelist poisoning to achieve root remote code execution. The report discusses kernel hardening present (SMEP/SMAP/KASLR), slab behaviors, mitigation hurdles encountered, and the step-by-step exploit/poisoning methodology used to complete the challenge.
