In a nutshell: an unbounded strcpy sits between two HeapAlloc calls. strcpy copies until it reaches the terminating NUL of the source, so any input longer than the first buffer runs past its end into the neighbouring heap chunk and the heap's own bookkeeping for it. That is the bug we exploit here; an unchecked strcpy into a HeapAlloc'd buffer is what to look for.
Bugs of this kind are getting harder to find, as strncpy has replaced most of the strcpy calls that made these exploits possible, and any decent compiler warns that strcpy is deprecated (MSVC's C4996 warning points the coder at strcpy_s). Note that strncpy is only a fix when the length passed is the real size of the destination and the result is terminated by hand: if the source is at least as long as the destination, strncpy writes no terminating NUL at all.
Exploit2.c is the interesting one, though: it extracts the addresses it needs from the libraries already loaded into the process and uses them to build a fully working shellcode, rather than depending on hard-coded addresses.
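To make the bug pattern and the strncpy caveat concrete, here is an added example (not the HEAP.C or exploit code from this page). It uses malloc in place of HeapAlloc so it compiles on any platform; the chunk size and function names are hypothetical. It shows the vulnerable copy, the strncpy pitfall, and a bounded copy that rejects oversized input instead of overflowing:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK 16   /* size of each heap buffer; a made-up value, not the page's */

/* The pattern the page describes: two heap allocations, with an unbounded
 * strcpy into the first. malloc stands in for HeapAlloc here. Anything
 * longer than CHUNK-1 bytes is written past the first buffer, over the
 * heap's bookkeeping for the second chunk and then into the second chunk.
 * Returns 0 on success; only safe to call with input shorter than CHUNK. */
int vulnerable_copy(const char *input)
{
    char *first  = malloc(CHUNK);
    char *second = malloc(CHUNK);
    if (!first || !second) { free(first); free(second); return -1; }
    strcpy(first, input);          /* the bug: nothing bounds this copy */
    free(second);
    free(first);
    return 0;
}

/* The strncpy replacement and its catch: when strlen(src) >= n, strncpy
 * fills all n bytes and writes no terminator. Returns 1 if the copied
 * buffer contains a NUL, 0 if it does not. */
int strncpy_copy_is_terminated(const char *src)
{
    char dst[CHUNK];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* The hardened form: refuse anything that does not fit, then copy a
 * length that is known to fit, terminator included.
 * Returns 0 on success, -1 if the input was rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);     /* len + 1 <= dst_size, so this cannot overflow */
    return 0;
}

/* The same two allocations as vulnerable_copy, with the bounded copy. */
int fixed_copy(const char *input)
{
    char *first  = malloc(CHUNK);
    char *second = malloc(CHUNK);
    int rc = -1;
    if (first && second)
        rc = bounded_copy(first, CHUNK, input);
    free(second);
    free(first);
    return rc;
}

int main(void)
{
    /* constructed inputs: one that fits, one that would overflow */
    const char *short_input = "AAAA";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */

    printf("fixed_copy(short) = %d\n", fixed_copy(short_input));  /* 0 */
    printf("fixed_copy(long)  = %d\n", fixed_copy(long_input));   /* -1 */
    printf("strncpy terminated: short=%d long=%d\n",
           strncpy_copy_is_terminated(short_input),
           strncpy_copy_is_terminated(long_input));                /* 1, 0 */
    return 0;
}
```

The point of `fixed_copy` is that the length check happens before any byte is written; the original program only finds out the input was too long after the neighbouring chunk has already been trashed.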
Here is a video of the scripts in action.
We also have downloads of the .exe's HERE and HERE, with HEAP.C compiled HERE.