Tags: pwn 

There are obvious heap overflow and information leak vulnerabilities.
We can overwrite 24 bytes of the next chunk's data, which lets us modify OS X magazine_malloc's metadata (the previous and next pointers).
But we need to do a 4-bit brute force, as there is a cookie check routine.

In libsystem_c.dylib there is also a lazy binding mechanism, like ELF's GOT section.
We can overwrite that area to hijack control flow :)

Original writeup: https://github.com/vngkv123/CTF/blob/master/ctf_in_2019/applepie.py