
Revisiting CVE-2017-11176 | Bluefrostsecurity

  • Article
  • Apr 17, 2023
  • #Computersecurity
Nils Ole Timm
@Firzen14
(Author)
labs.bluefrostsecurity.de
In this post we are deviating a bit from the typical format of posts on our blog and try to provide some introductory material into Android/Linux kernel exploitation.

Instead of starting from zero, we’ll base this post on Nicolas Fabretti’s excellent series of blogposts about CVE-2017-11176. We are assuming that you’ve read at least up to part 3 of the original blog posts; so if you have trouble following along, we suggest revisiting the original series.

We will aim to exploit the same issue, but without any of the simplifying assumptions made in the original blog posts. In particular, we deviate from the control flow takeover exploit strategy used by Nicolas and instead implement a different, data-only, exploit strategy, which is still viable with KASLR and SMAP enabled.

With this post we hope that we can help people who already have an understanding of the basics take their next step towards more modern exploit strategies.

Mentions
0xor0ne @0xor0ne · Jun 9, 2023
  • Post
  • From Twitter
Great blog post for learning Linux (Android) kernel exploitation (Analysis and exploitation of CVE-2017-11176) Credits @Firzen14 (@bluefrostsec)