
carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What this is
CoRPhone is an Android kernel exploitation challenge for CoRCTF 2025. It models a realistic delivery path where an untrusted Android app downloads raw kernel exploit shellcode and executes it in memory via JNI (no on‑disk binary).

Provided artifacts
• Challenge archive (Dockerized device environment): corphone.tar.gz
• Android kernel with debug symbols for reversing...

🔧 Technical Details

In‑memory shellcode execution via JNI (Android): Deliver a raw shellcode blob over HTTP(S) to an untrusted app and execute it directly in memory through a JNI bridge, avoiding on‑disk artifacts. Generic pattern: fetch bytes → pass to native routine → set RX permissions → call entrypoint; here it’s triggered with pwn https://<server>/sc.

ELF‑to‑shellcode packaging pipeline: Compile an exploit as a static/portable ELF (musl-gcc) and transform it into position‑independent raw shellcode using pwntools. This enables memory‑only loading by a host process that treats the blob as code rather than a file.

Symbol‑assisted kernel reversing workflow: Use a symbolized vmlinux to recover structures, function names, and offsets for exploit dev; prototype on a fast debug image if available, but always re‑validate on the real target because kernel/system images differ and offsets/mitigations may not match.

🤖 Agent Actions

I analyzed the CoRPhone Android kernel pwn challenge and updated HackTricks with the two main reusable techniques highlighted in the repo:

  • In-memory native code execution via JNI in Android apps
  • ELF-to-raw-shellcode packaging using pwntools shellcraft.loader_append

What I changed and where

  1. New page: Android In-Memory Native Code Execution via JNI
  • Path: src/mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md
  • Content:
    • Operator pattern: fetch shellcode bytes → pass to JNI → mmap/mprotect → clear i-cache → call function pointer
    • Ready-to-use code:
      • Java: download bytes and call a JNI method
      • C JNI: mmap RW, memcpy, mprotect RX, execute entrypoint
    • Packaging pipeline: musl-gcc static build + pwntools shellcraft.loader_append to convert an ELF to a single raw shellcode blob
    • Delivery flow and kernel payload validation workflow: symbolized vmlinux for reversing, prototype on debug image but re-validate on real target
    • Hardening/detection tips
    • References: CoRPhone repo and build scripts
  • Internal linking:
    • Linked this new page from:
      • Android Applications Pentesting (README) under “Other interesting functions”
      • Reversing Native Libraries page in a “See also” section
  2. Updated: Android Applications Pentesting (README)
  • Path: src/mobile-pentesting/android-app-pentesting/README.md
  • Changes:
    • Added a bullet in “Other interesting functions” that points to the new in-memory JNI execution page
    • Updated “References” with the CoRPhone repo
  • Reason:
    • This is the main index for Android app pentesting; the in-memory JNI pattern belongs here for discoverability
  3. Updated: Reversing Native Libraries
  • Path: src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
  • Changes:
    • Added a “See also: in‑memory native code execution via JNI” section with an internal ref
    • Updated “References” to include CoRPhone
  • Reason:
    • This page already focuses on Android native/JNI; linking to the memory-only execution technique makes it discoverable from reversing workflows
  4. Updated: Pwntools
  • Path: src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md
  • Changes:
    • Added a new section “ELF → raw shellcode packaging (loader_append)” with a concise, operational pipeline:
      • Build static ELF with musl-gcc
      • Use shellcraft.loader_append(elf.data) and asm() to produce a raw shellcode blob
      • Notes about architecture and PIC assumptions
    • Added a References section linking to pwntools docs and CoRPhone
  • Reason:
    • This is the right place to teach the packaging trick that CoRPhone used—many readers won’t know loader_append exists

Why these pages and not others

  • The JNI in-memory execution technique is Android-app specific; it belongs under mobile-pentesting/android-app-pentesting and is linked from reversing-native-libraries.
  • The packaging pipeline is a general binary exploitation building block; extending the pwntools page to cover loader_append fits naturally.
  • Kernel bug specifics aren’t in the repo yet; I summarized the symbol-assisted kernel reversing validation workflow within the new JNI page’s operator guidance rather than creating a big “Android kernel exploiting” page without concrete technique content from the blog.

References added

  • All updated pages that changed now include a References section or had it updated to include:

No other sections were changed. If you want, I can also add a brief note in the reverse-shells pages about hosting sc and listener setup, but I kept the focus on techniques central to the blog (JNI memory-only native code exec and packaging).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

- Remove searchindex.js (auto-generated file)
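As an added example (not part of this PR or of the CoRPhone repo), a defender-side check for the artifact the JNI mmap RW → memcpy → mprotect RX pattern described above leaves behind: an executable mapping with no backing file in `/proc/<pid>/maps`. The maps output is constructed, and the ART JIT allowlist names are assumptions that should be tuned per device.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/<pid>/maps for an Android app process.
# The bare "r-xp" region with no path is what mmap(RW) -> memcpy ->
# mprotect(RX) of a downloaded blob looks like; nothing on disk backs it.
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7b2f400000-7b2f4c4000 r-xp 00000000 fd:00 1234   /apex/com.android.runtime/lib64/bionic/libc.so
7b30000000-7b30040000 r-xp 00000000 00:00 0      [anon:dalvik-jit-code-cache]
7b31000000-7b31001000 r-xp 00000000 00:00 0
7b32000000-7b32100000 rw-p 00000000 00:00 0      [anon:libc_malloc]
7b33000000-7b33010000 r-xp 00000000 00:05 777    /memfd:jit-cache (deleted)
7fff000000-7fff021000 rw-p 00000000 00:00 0      [stack]
"""

# Assumed names of anonymous executable regions ART creates legitimately
# (JIT code cache); tune this allowlist for the Android version in scope.
KNOWN_ANON_EXEC = ("[anon:dalvik-jit-code-cache]", "/memfd:jit-cache")

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str


def find_suspicious_exec_regions(maps_text: str) -> List[Finding]:
    """Return executable mappings that are neither file-backed nor a known JIT region."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        perms, path = m["perms"], m["path"].strip()
        if "x" not in perms:
            continue
        # memfd regions look like paths but have no on-disk file behind them
        file_backed = path.startswith("/") and not path.startswith("/memfd:")
        if file_backed or any(path.startswith(k) for k in KNOWN_ANON_EXEC):
            continue
        findings.append(Finding(int(m["start"], 16), int(m["end"], 16), perms, path or "<anonymous>"))
    return findings
```

On a live device the same function can be fed `open(f"/proc/{pid}/maps").read()` from a privileged shell; an `rwxp` hit is a stronger signal than `r-xp`, since it means the region was never made read-only after the copy.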
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/0xdevil/corphone/tree/main

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking > In-memory code execution (Android JNI) and shellcode packaging pipeline".

Repository Maintenance:

  • MD Files Formatting: 877 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
