<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Native on kiperZ</title>
    <link>https://kiperz.dev/tags/native/</link>
    <description>Recent content in Native on kiperZ</description>
    <generator>Hugo -- 0.147.7</generator>
    <language>en</language>
    <lastBuildDate>Tue, 14 Jul 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://kiperz.dev/tags/native/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>3, 2, 1... 0-click (1/3) - Shutlock 2026</title>
      <link>https://kiperz.dev/writeups/3-2-1-0-click-1/</link>
      <pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://kiperz.dev/writeups/3-2-1-0-click-1/</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;CTF Shutlock 2026 · pwn Android&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;code&gt;CSMS&lt;/code&gt; is an Android messenger: a central server, and on the victim side (the
&lt;code&gt;spylock&lt;/code&gt; account) a client app (&lt;code&gt;ctf.shutlock.csms&lt;/code&gt;) that &lt;strong&gt;fetches its new messages
on its own, every 10 s&lt;/strong&gt;, which makes the attack &lt;em&gt;0-click&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;The challenge hands us plenty to work with: the app&amp;rsquo;s APK, the &lt;strong&gt;C source&lt;/strong&gt; of its
native layer (&lt;code&gt;csms.c&lt;/code&gt;, &lt;code&gt;csms_mem.c&lt;/code&gt;) and a live infra (the server and an Android
emulator running the victim). Every incoming message flows through Java, pure plumbing,
then into a &lt;strong&gt;template engine written in C&lt;/strong&gt; (&lt;code&gt;libcsms.so&lt;/code&gt;); that is where, inside a
homemade allocator, the bug that gives us code execution hides.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
