<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>JNI on kiperZ</title>
    <link>https://kiperz.dev/tags/jni/</link>
    <description>Recent content in JNI on kiperZ</description>
    <generator>Hugo -- 0.147.7</generator>
    <language>en</language>
    <lastBuildDate>Tue, 14 Jul 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://kiperz.dev/tags/jni/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>3, 2, 1... 0-click (2/3) - Shutlock 2026</title>
      <link>https://kiperz.dev/writeups/3-2-1-0-click-2/</link>
      <pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://kiperz.dev/writeups/3-2-1-0-click-2/</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;CTF Shutlock 2026 · pwn Android&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Part 1 gave us 0-click native code execution, but under the app&amp;rsquo;s uid
(&lt;code&gt;ctf.shutlock.csms&lt;/code&gt;). That was enough for &lt;code&gt;flag1&lt;/code&gt;. Not for &lt;code&gt;flag2&lt;/code&gt;, which belongs to
&lt;code&gt;system&lt;/code&gt;: no &lt;code&gt;open()&lt;/code&gt; will read it, whatever native code we run. We need to &lt;strong&gt;borrow
someone else&amp;rsquo;s rights&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;Goal: read &lt;code&gt;/data/vendor/flag2.txt&lt;/code&gt; (&lt;code&gt;-r-------- system system&lt;/code&gt;) remotely.&lt;/p&gt;
&lt;h2 id=&#34;tldr&#34;&gt;TL;DR&lt;/h2&gt;
&lt;p&gt;RCE in the app != reading everything: &lt;code&gt;flag2&lt;/code&gt; is protected by DAC (uid &lt;code&gt;system&lt;/code&gt;). We
pivot through a broken &lt;strong&gt;vendor&lt;/strong&gt; &lt;code&gt;ContentProvider&lt;/code&gt; (&lt;code&gt;SNotesProvider&lt;/code&gt;): a path traversal
(&lt;code&gt;content://ctf.shutlock.snotes.provider/../flag2.txt&lt;/code&gt;) makes it read the file with its
&lt;code&gt;system&lt;/code&gt; rights, a &lt;em&gt;confused deputy&lt;/em&gt;. Since a provider &lt;code&gt;query()&lt;/code&gt; is a &lt;strong&gt;Java/Binder&lt;/strong&gt;
operation (not a syscall) and seccomp blocks the &lt;code&gt;execve&lt;/code&gt; shortcut, we &lt;strong&gt;rebuild a
&lt;code&gt;JNIEnv&lt;/code&gt; from raw shellcode&lt;/strong&gt; (resolving &lt;code&gt;JNI_GetCreatedJavaVMs&lt;/code&gt; via &lt;code&gt;/proc/self/maps&lt;/code&gt;,
then &lt;code&gt;GetEnv&lt;/code&gt;) and replay &lt;code&gt;ContentResolver.query()&lt;/code&gt; in JNI. Payload too big for part 1&amp;rsquo;s
groom: we deliver it in two stages. Content XORed with a key hardcoded in the APK,
decoded attacker-side.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
