<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>KASLR on kiperZ</title>
    <link>https://kiperz.dev/tags/kaslr/</link>
    <description>Recent content in KASLR on kiperZ</description>
    <generator>Hugo -- 0.147.7</generator>
    <language>en</language>
    <lastBuildDate>Tue, 14 Jul 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://kiperz.dev/tags/kaslr/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>3, 2, 1... 0-click (3/3) - Shutlock 2026</title>
      <link>https://kiperz.dev/writeups/3-2-1-0-click-3/</link>
      <pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://kiperz.dev/writeups/3-2-1-0-click-3/</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;CTF Shutlock 2026 · pwn Android&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Parts 1 and 2 gave us 0-click native code execution, first under the app&amp;rsquo;s uid
(&lt;code&gt;flag1&lt;/code&gt;), then the ability to make a broken provider read a &lt;code&gt;system&lt;/code&gt; file (&lt;code&gt;flag2&lt;/code&gt;).
&lt;code&gt;flag3&lt;/code&gt; climbs one more notch: it belongs to &lt;code&gt;root&lt;/code&gt;, and, surprise, &lt;strong&gt;root isn&amp;rsquo;t even
enough&lt;/strong&gt;. The file is also SELinux-protected: under &lt;em&gt;enforcing&lt;/em&gt;, even uid 0 takes a
denial. So we need &lt;strong&gt;kernel code&lt;/strong&gt;: enough to become root &lt;em&gt;and&lt;/em&gt; neutralize the SELinux
policy.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
