In this challenge a binary was given with an heap overflow. Basically what we did is to exploit the doubly linked list of the free() function which leaded us to a write-what-where condition. We overwritten the printf() address in the GOT table for taking the EIP control and then just jumped on our shellcode. Also, there was ASLR enabled so we needed to calculate offsets for jump to the correct addres. Here is the exploit code:

http://pastebin.com/bGaNuJwv

Razor4x