Vulnerable iOS/macOS Kext
In this guide, we'll load a kext that is vulnerable by design onto an iPhone and trigger its heap overflow vulnerability.
The kext is available at Vulnerable-Kext.
The kext provides the following vulnerabilities to play with (selected by these constants):
#define CRASH 0x1
#define HEAP_OVERFLOW 0x2
#define INFO_LEAK 0x3
#define BUFFER_OVERFLOW 0x4
#define USE_AFTER_FREE 0x5 //todo
#define INTEGER_OVERFLOW 0x6 //todo
#define DOUBLE_FETCH 0x7
Before we proceed, we need to collect some symbols from the kernel that are required for the kext.