Since we control the arguments to a particular format string function, we can use the %n
format directive to write arbitrary values to addresses of our choosing. %n stores the number
of characters written so far into the int pointed to by the corresponding argument, so to
overwrite a pointer on the stack we must supply the target address as that argument and
then use %n to write to it. Let's try to overwrite the value of the variable number. First,
we know that when the vulnerable program is invoked with an argument of length 10, the
variable is located at 0xbffffc18 on the stack. We can now attempt to overwrite the
variable number.
$ ./example `printf "\x18\xfc\xff\xbf"`%x%x%n
bffffc3840049f1840135e48
number (0xbffffc18) is equal to 10
$
As you can see, the variable number now contains ...
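The root cause of the write above is that user-controlled data reaches printf as the format string itself. The following is an added example, not code from the original text or from the ./example program it discusses: it places the vulnerable call beside the hardened one and adds two small checks a defender can run on untrusted input before it reaches a format function, one that flags any interpreted directive and one that specifically flags %n (with the width and flag characters such exploits pad it with). The function names, the program's structure and the sample input strings are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the attacker's string is the format string, so %x
 * reads stack words and %n writes through an address taken from the
 * arguments. Kept only for comparison with echo_safe below. */
static void echo_vulnerable(const char *user)
{
    printf(user);            /* flagged by -Wformat-security */
}

/* Hardened pattern: the format string is a literal and the user data is
 * only ever an argument, so a "%n" inside it is printed, not executed. */
static void echo_safe(const char *user)
{
    printf("%s\n", user);
}

/* Returns 1 if s contains a '%' that a format function would interpret
 * as a directive ("%%" is a literal percent and does not count).
 * A useful alert condition when such data is about to reach printf-like
 * code; returns 0 for plain text. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": skip the escaped pair */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Returns 1 if s contains a "%n" directive, allowing for the flags,
 * width, precision and length modifiers that may sit between the '%'
 * and the 'n' (so "%08x%n" and "%12345d%n" are both caught). */
int has_write_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;        /* literal "%%" */
        /* skip flags, digits, '.', positional '$' and length modifiers */
        while (*p && strchr("-+ #0123456789.$hlLqjzt", *p))
            p++;
        if (*p == 'n')
            return 1;
        if (!*p)
            break;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* constructed default input resembling the payload shown on the page */
    const char *input = argc > 1 ? argv[1] : "%x%x%n";

    if (has_write_directive(input))
        fprintf(stderr, "warning: input contains a %%n directive\n");
    else if (has_format_directive(input))
        fprintf(stderr, "note: input contains format directives\n");

    echo_safe(input);        /* prints the bytes literally, no interpretation */
    (void)echo_vulnerable;   /* never called; present only for comparison */
    return 0;
}
```

The checks are a detection aid, not a substitute for the fix: the only reliable mitigation is the echo_safe form, where the format string is a compile-time literal. Compiling with -Wformat-security (and -Werror=format-security in CI) turns the echo_vulnerable pattern into a build failure so it cannot be reintroduced.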