In this guide, we'll look at loading a kext that is vulnerable by design on an iPhone and triggering a heap overflow vulnerability.
The kext is available at Vulnerable-Kext
The kext provides the following vulnerabilities to play with:

```c
#define CRASH            0x1
#define HEAP_OVERFLOW    0x2
#define INFO_LEAK        0x3
#define BUFFER_OVERFLOW  0x4
#define USE_AFTER_FREE   0x5 // todo
#define INTEGER_OVERFLOW 0x6 // todo
#define DOUBLE_FETCH     0x7
```
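To make the HEAP_OVERFLOW case concrete before touching the device, here is an added, hypothetical userland model of how such a kext method typically goes wrong and how it is fixed. It is not the Vulnerable-Kext project's code: the selector values are the ones listed above, but the handler names, the return codes, the 64-byte object size and the sample input are all constructed for this illustration. The vulnerable handler trusts a caller-supplied length when copying into a fixed-size heap object; the hardened handler rejects any length larger than the object before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Selectors as listed on this page. */
#define CRASH            0x1
#define HEAP_OVERFLOW    0x2
#define INFO_LEAK        0x3
#define BUFFER_OVERFLOW  0x4
#define USE_AFTER_FREE   0x5
#define INTEGER_OVERFLOW 0x6
#define DOUBLE_FETCH     0x7

/* Return codes for this model (constructed; not IOKit's real values). */
#define RET_OK        0
#define RET_BAD_ARG   1
#define RET_NO_MEMORY 2

/* Size of the heap object the method copies into (hypothetical). */
#define OBJ_SIZE 64

/* Constructed sample "user input": 128 bytes of 'A', twice the object size. */
const uint8_t SAMPLE_INPUT[128] = {
    [0 ... 127] = 0x41
};

/* Vulnerable pattern: in_len comes from the caller and is used as the copy
 * length with no bound against OBJ_SIZE, so in_len > OBJ_SIZE writes past the
 * end of the allocation. Calling it with an oversize length is undefined
 * behaviour; it is shown here only to contrast with the hardened version. */
int handler_vulnerable(const uint8_t *in, size_t in_len, size_t *copied)
{
    uint8_t *obj = malloc(OBJ_SIZE);
    if (obj == NULL)
        return RET_NO_MEMORY;
    memcpy(obj, in, in_len);          /* missing bound check */
    *copied = in_len;
    free(obj);
    return RET_OK;
}

/* Hardened version: validate the caller-controlled length against the object
 * size before any memory is touched. */
int handler_hardened(const uint8_t *in, size_t in_len, size_t *copied)
{
    if (in == NULL || copied == NULL || in_len > OBJ_SIZE)
        return RET_BAD_ARG;
    uint8_t *obj = malloc(OBJ_SIZE);
    if (obj == NULL)
        return RET_NO_MEMORY;
    memcpy(obj, in, in_len);          /* in_len <= OBJ_SIZE guaranteed */
    *copied = in_len;
    free(obj);
    return RET_OK;
}

/* Selector dispatch in the style of an external-method table. Only the
 * HEAP_OVERFLOW selector is modelled here; unknown selectors are rejected. */
int dispatch_hardened(uint32_t selector, const uint8_t *in, size_t in_len,
                      size_t *copied)
{
    switch (selector) {
    case HEAP_OVERFLOW:
        return handler_hardened(in, in_len, copied);
    default:
        return RET_BAD_ARG;
    }
}

int main(void)
{
    size_t n = 0;
    /* 128 bytes into a 64-byte object: hardened handler refuses. */
    int r = dispatch_hardened(HEAP_OVERFLOW, SAMPLE_INPUT,
                              sizeof SAMPLE_INPUT, &n);
    return r == RET_BAD_ARG ? 0 : 1;
}
```

The check `in_len > OBJ_SIZE` is the whole fix; on a real device the equivalent is validating the structure-input size reported by the framework against the size the method actually expects, before any copy into a kernel allocation.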
Before we proceed, we need to collect some symbols from the kernel that are required for the kext.