How it works
Uhshax exploits a bug in the routine that fetches a USB hub by index: the index is checked to be no greater than 2, but there is no lower-bound check, so a negative index points to an arbitrary location in memory. The exploit stores a fake hub structure in memory, then requests that this hub be deactivated while passing a flag claiming it was previously activated. The system tries to deactivate the fake hub and ends up writing a value to an address, with both the value and the address controlled by the fake hub. This write is used to replace a return address in the USB hub manager, throwing execution back into the program, but now with kernel access.
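The missing lower-bound check is the root cause, so here is the vulnerable check beside a hardened one, as an added illustration that is not Uhshax's or the system's own code; the hub struct, table size, and function names are hypothetical stand-ins for the real firmware.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical hub record and table; not the real firmware's layout. */
struct usb_hub {
    int   active;
    void *priv;
};

#define HUB_MAX_INDEX 2
static struct usb_hub hub_table[HUB_MAX_INDEX + 1];

/* Vulnerable pattern described above: only the upper bound is checked,
 * so a negative index passes and selects memory before the table. */
int hub_index_ok_vulnerable(int idx)
{
    return idx <= HUB_MAX_INDEX;
}

/* Hardened check: casting to unsigned turns any negative value into a
 * huge one, so a single comparison rejects both directions. */
int hub_index_ok_fixed(int idx)
{
    return (unsigned)idx <= HUB_MAX_INDEX;
}

/* Lookup using the hardened check; NULL signals an invalid index. */
struct usb_hub *get_hub(int idx)
{
    if (!hub_index_ok_fixed(idx))
        return NULL;
    return &hub_table[idx];
}

/* Byte offset from the table start that an index selects, computed
 * without dereferencing, to show where a negative index would land. */
long hub_offset_bytes(int idx)
{
    return (long)idx * (long)sizeof(struct usb_hub);
}

int main(void)
{
    int probes[] = { -1, 0, 2, 3 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx %2d: vulnerable=%d fixed=%d offset=%ld\n", probes[i],
               hub_index_ok_vulnerable(probes[i]),
               hub_index_ok_fixed(probes[i]), hub_offset_bytes(probes[i]));
    return 0;
}
```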
Uhshax then replaces the system call handlers with its own. These handle most system calls normally but grant extra access through IOCtl calls, allowing the homebrew being run to execute code with root privileges.