He successfully read from kernel memory, the first two bytes from the syscall table to be precise. The first entry is sys_read (on x86-64 anyway) and the first field is the address. That's why he shows the full address in the next line; the PoC exploit read the lower 2 bytes of that address.
