OpenSkillIndex← back to search

Hacktricks-skills ios-heap-exploitation

How to exploit heap buffer overflows on iOS/macOS ARM64 systems. Use this skill whenever the user mentions heap exploitation, buffer overflows, function pointer overwrites, malloc manipulation, Corellium iOS challenges, or CTF heap challenges on Apple platforms. This skill covers heap grooming, zone manipulation, and function pointer hijacking techniques.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/binary-exploitation/ios-exploiting/ios-example-heap-exploit/SKILL.MD
source content

iOS/macOS Heap Exploitation

A skill for exploiting heap buffer overflows on iOS and macOS systems, particularly in CTF challenges and security research.

When to Use This Skill

Use this skill when:

  • You need to exploit a heap buffer overflow vulnerability on iOS/macOS
  • You're working with Corellium iOS exploitation challenges
  • You need to overwrite function pointers in adjacent heap chunks
  • You're dealing with malloc zone manipulation (NanoZone, small zones)
  • You have a CTF challenge involving heap exploitation on Apple platforms

Key Concepts

macOS/iOS Heap Zones

macOS uses different heap zones for different allocation sizes:

  • NanoZone: For very small allocations (default, but unpredictable for exploitation)
  • Small Zones: For small allocations when NanoZone is disabled
  • Large Zones: For larger allocations

Critical: Set 

MallocNanoZone=0
to disable NanoZone and get predictable adjacent allocations.

Heap Grooming

The technique of allocating specific chunks in a specific order to control heap layout:

  1. Allocate the overflow buffer (victim)
  2. Allocate the target object (with function pointer)
  3. Allocate spacer chunks to push allocations into the same zone
  4. Overflow the victim to overwrite the target's function pointer

Exploitation Workflow

Step 1: Analyze the Vulnerability

  1. Identify the overflow source: Find where unbounded writes occur
  2. Identify the target: Find adjacent heap objects with function pointers
  3. Check for ASLR: Look for address leaks or disable ASLR if possible
  4. Determine architecture: ARM64 (aarch64) vs x86_64

Step 2: Compile the Vulnerable Binary

clang -O0 -Wall -Wextra -std=c11 -o heap_groom vuln.c

Use 

-O0
to prevent compiler optimizations that might change heap layout.

Step 3: Determine Heap Layout

The distance between allocations depends on:

  • Buffer size
  • Heap metadata overhead
  • Zone alignment
  • Spacer allocations

Common pattern with MallocNanoZone=0:

  • Buffer: 128 bytes
  • Padding needed: ~432 bytes (varies by system)
  • Total distance: ~560 bytes

Step 4: Build the Exploit

Use the bundled exploit script as a template:

python3 scripts/heap_overflow_exploit.py

The script:

  1. Parses address leaks from the binary
  2. Tries multiple padding values to find the correct offset
  3. Overwrites the function pointer with the target address
  4. Triggers the overwritten function pointer

Step 5: Run the Exploit

export MallocNanoZone=0
python3 scripts/heap_overflow_exploit.py

Common Issues and Solutions

Issue: Allocations not adjacent

Solution: Set 

MallocNanoZone=0
to force allocations into the same zone.

Issue: Wrong padding value

Solution: Try multiple padding values. The exploit script includes common candidates:

  • 432 bytes (most common with spacers)
  • 424, 440, 416, 448 bytes (alignment variations)
  • 0 bytes (direct adjacency, rare)

Issue: ASLR prevents exploitation

Solution:

  1. Look for address leaks in the binary output
  2. Parse leaked addresses to calculate offsets
  3. Use relative addressing if possible

Issue: Heap layout varies between runs

Solution: Run the exploit multiple times. Heap layout can be probabilistic, especially with different malloc implementations.

Architecture Considerations

ARM64 (aarch64)

  • 64-bit pointers
  • Use 
    p64()
    for address packing
  • Common on modern iOS devices and Apple Silicon Macs

x86_64 (amd64)

  • 64-bit pointers
  • Use 
    p64()
    for address packing
  • Common on Intel Macs

Security Notes

  • This skill is for educational purposes and CTF challenges
  • Only use on systems you own or have explicit permission to test
  • Heap exploitation techniques are fundamental to understanding memory safety

References

Bundled Resources

  • scripts/heap_overflow_exploit.py
    - Template exploit script for heap buffer overflows

Example Usage

User: "I have a CTF challenge with a heap overflow on iOS. The binary leaks addresses and I need to overwrite a function pointer."

Response: Use this skill to:

  1. Set 
    MallocNanoZone=0
    for predictable heap layout
  2. Parse the address leak to get the target function address
  3. Calculate the correct padding to reach the function pointer
  4. Run the exploit script with the parsed address

User: "How do I exploit a buffer overflow in malloc'd memory on macOS?"

Response: This skill covers heap exploitation on macOS. The key is:

  1. Disable NanoZone with 
    MallocNanoZone=0
  2. Allocate chunks in the right order to control layout
  3. Overflow the victim buffer to overwrite the target
  4. Trigger the overwritten function pointer