Tags: pwn
There are obvious Heap Overflow and Information Leak vulnerabilities.
We can overwrite 24 bytes of the next chunk's data, which lets us modify the metadata (previous and next pointers) of OS X's magazine_malloc.
But we need to do a 4-bit brute force, because there is a cookie check routine.
In libsystem_c.dylib there is also a lazy binding mechanism, like ELF's GOT section.
We can overwrite that area to hijack control flow :)
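The bug class behind the first line (a heap copy that trusts its length, so an oversized input spills into the adjacent chunk) is easy to see in miniature. The following is an added example, not code from the challenge or this write-up: the record size, `NAME_LEN`, and the 24-byte spill are assumed values chosen to mirror the write-up's numbers, and the two records are laid out in one allocation so the second one stands in for the "next chunk" without touching real allocator metadata.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the original write-up). Sizes are assumed. */
#define NAME_LEN 32

typedef struct {
    char name[NAME_LEN];
} record_t;

/* Vulnerable form: copies 'len' bytes without checking it against the buffer.
 * With len > NAME_LEN the write runs past the record into whatever follows it
 * (allocator metadata or a neighbouring object), the write-up's overflow. */
void set_name_unchecked(record_t *r, const char *src, size_t len) {
    memcpy(r->name, src, len);
}

/* Hardened form: refuse any length that does not fit with its NUL terminator.
 * Returns 0 on success, -1 on rejected input. */
int set_name_checked(record_t *r, const char *src, size_t len) {
    if (r == NULL || src == NULL) return -1;
    if (len >= NAME_LEN) return -1;   /* would overflow or leave no room for NUL */
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Probe: two records back to back in one allocation, the second filled with a
 * sentinel; write 'len' constructed bytes into the first with the chosen
 * routine and report 1 if the second record is untouched, 0 if it was clobbered,
 * -1 on allocation failure. */
int neighbour_intact_after_write(int use_checked, size_t len) {
    char *src = malloc(len ? len : 1);            /* constructed input: 'A' * len */
    if (src == NULL) return -1;
    memset(src, 'A', len);

    record_t *pair = calloc(2, sizeof(record_t));
    if (pair == NULL) { free(src); return -1; }
    memset(pair[1].name, 'S', NAME_LEN);          /* sentinel in the "next chunk" */

    if (use_checked)
        (void)set_name_checked(&pair[0], src, len);   /* oversized input is refused */
    else
        set_name_unchecked(&pair[0], src, len);

    int intact = 1;
    for (size_t i = 0; i < NAME_LEN; i++) {
        if (pair[1].name[i] != 'S') { intact = 0; break; }
    }

    free(pair);
    free(src);
    return intact;
}

int main(void) {
    size_t spill = NAME_LEN + 24;   /* same 24-byte overrun the write-up mentions */
    printf("unchecked, in-bounds : neighbour intact = %d\n", neighbour_intact_after_write(0, 8));
    printf("unchecked, +24 bytes : neighbour intact = %d\n", neighbour_intact_after_write(0, spill));
    printf("checked,   +24 bytes : neighbour intact = %d\n", neighbour_intact_after_write(1, spill));
    return 0;
}
```

The fix is the length check against the destination size, not the copy routine itself; a `strncpy` with the same trusted length would overflow just as well. On a real target the 24 spilled bytes land in allocator bookkeeping rather than a sentinel, which is exactly why the magazine_malloc cookie check exists.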