abelrguezr/ios-heap-exploitation
skills/binary-exploitation/ios-exploiting/ios-example-heap-exploit/SKILL.md
How to exploit heap buffer overflows on iOS/macOS ARM64 systems. Use this skill whenever the user mentions heap exploitation, buffer overflows, function pointer overwrites, malloc manipulation, Corellium iOS challenges, or CTF heap challenges on Apple platforms. This skill covers heap grooming, zone manipulation, and function pointer hijacking techniques.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills ios-heap-exploitationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:10 AM19.4s2 files scanned
SKILL.md
- name:
- ios-heap-exploitation
- description:
- How to exploit heap buffer overflows on iOS/macOS ARM64 systems. Use this skill whenever the user mentions heap exploitation, buffer overflows, function pointer overwrites, malloc manipulation, Corellium iOS challenges, or CTF heap challenges on Apple platforms. This skill covers heap grooming, zone manipulation, and function pointer hijacking techniques.
iOS/macOS Heap Exploitation
A skill for exploiting heap buffer overflows on iOS and macOS systems, particularly in CTF challenges and security research.
When to Use This Skill
Use this skill when:
- You need to exploit a heap buffer overflow vulnerability on iOS/macOS
- You're working with Corellium iOS exploitation challenges
- You need to overwrite function pointers in adjacent heap chunks
- You're dealing with malloc zone manipulation (NanoZone, small zones)
- You have a CTF challenge involving heap exploitation on Apple platforms
Key Concepts
macOS/iOS Heap Zones
macOS uses different heap zones for different allocation sizes:
- NanoZone: For very small allocations (default, but unpredictable for exploitation)
- Small Zones: For small allocations when NanoZone is disabled
- Large Zones: For larger allocations
Critical: Set MallocNanoZone=0 to disable NanoZone and get predictable adjacent allocations.
Heap Grooming
The technique of allocating specific chunks in a specific order to control heap layout:
- Allocate the overflow buffer (victim)
- Allocate the target object (with function pointer)
- Allocate spacer chunks to push allocations into the same zone
- Overflow the victim to overwrite the target's function pointer
Exploitation Workflow
Step 1: Analyze the Vulnerability
- Identify the overflow source: Find where unbounded writes occur
- Identify the target: Find adjacent heap objects with function pointers
- Check for ASLR: Look for address leaks or disable ASLR if possible
- Determine architecture: ARM64 (aarch64) vs x86_64
Step 2: Compile the Vulnerable Binary
clang -O0 -Wall -Wextra -std=c11 -o heap_groom vuln.c
Use -O0 to prevent compiler optimizations that might change heap layout.
Step 3: Determine Heap Layout
The distance between allocations depends on:
- Buffer size
- Heap metadata overhead
- Zone alignment
- Spacer allocations
Common pattern with MallocNanoZone=0:
- Buffer: 128 bytes
- Padding needed: ~432 bytes (varies by system)
- Total distance: ~560 bytes
Step 4: Build the Exploit
Use the bundled exploit script as a template:
python3 scripts/heap_overflow_exploit.py
The script:
- Parses address leaks from the binary
- Tries multiple padding values to find the correct offset
- Overwrites the function pointer with the target address
- Triggers the overwritten function pointer
Step 5: Run the Exploit
export MallocNanoZone=0
python3 scripts/heap_overflow_exploit.py
Common Issues and Solutions
Issue: Allocations not adjacent
Solution: Set MallocNanoZone=0 to force allocations into the same zone.
Issue: Wrong padding value
Solution: Try multiple padding values. The exploit script includes common candidates:
- 432 bytes (most common with spacers)
- 424, 440, 416, 448 bytes (alignment variations)
- 0 bytes (direct adjacency, rare)
Issue: ASLR prevents exploitation
Solution:
- Look for address leaks in the binary output
- Parse leaked addresses to calculate offsets
- Use relative addressing if possible
Issue: Heap layout varies between runs
Solution: Run the exploit multiple times. Heap layout can be probabilistic, especially with different malloc implementations.
Architecture Considerations
ARM64 (aarch64)
- 64-bit pointers
- Use
p64()for address packing - Common on modern iOS devices and Apple Silicon Macs
x86_64 (amd64)
- 64-bit pointers
- Use
p64()for address packing - Common on Intel Macs
Security Notes
- This skill is for educational purposes and CTF challenges
- Only use on systems you own or have explicit permission to test
- Heap exploitation techniques are fundamental to understanding memory safety
References
- Corellium iOS Exploitation
- macOS malloc implementation
- Heap exploitation fundamentals
Bundled Resources
scripts/heap_overflow_exploit.py- Template exploit script for heap buffer overflows
Example Usage
User: "I have a CTF challenge with a heap overflow on iOS. The binary leaks addresses and I need to overwrite a function pointer."
Response: Use this skill to:
- Set
MallocNanoZone=0for predictable heap layout - Parse the address leak to get the target function address
- Calculate the correct padding to reach the function pointer
- Run the exploit script with the parsed address
User: "How do I exploit a buffer overflow in malloc'd memory on macOS?"
Response: This skill covers heap exploitation on macOS. The key is:
- Disable NanoZone with
MallocNanoZone=0 - Allocate chunks in the right order to control layout
- Overflow the victim buffer to overwrite the target
- Trigger the overwritten function pointer
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026