•The printf command outputs to stdout (usually the screen)
•The output can be manipulated by supplying formatted output of variables via tokens such as %s or %d:
–char *var;
–var = "text";
–printf("The string contains %s\n", var);
•This is legal per POSIX as well, albeit vulnerable (the user's text becomes the format string itself):
–char *var;
–var = argv[1];
–printf(var);
•What if our input (argv[1]) contained format directives like %08x or %s or %n?
•The %s reads a pointer argument and sends the string to stdout, but %n writes data back: it stores the number of bytes printed so far into the int that its matching argument points to
•If no matching argument was passed, printf still reads one from the stack where the argument would have been, so %08x and %s send the contents of the stack to stdout, and %n uses whatever value it finds there as the destination address, allowing a write to arbitrary memory locations
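Added example (not from the slides): the fix for the vulnerable printf(var) pattern above is to keep the format string constant and pass the user text only as an argument, so %s, %08x and %n in the input are copied literally instead of interpreted. The block also includes a small check, count_directives, that counts the conversion directives a printf-family parser would act on, which is useful for flagging untrusted data before it reaches any logging or formatting path. The function names, the render_safe wrapper and the sample argv[1] value are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion directives a printf-family parser would act on in s.
 * "%%" is an escaped literal percent sign and is not counted. This is a
 * detection check for data that some code path might hand to printf() as
 * its format string. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped "%%": skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened rendering that replaces the slide's printf(var): the format is a
 * constant "%s", and the user text is only ever an argument, so any
 * directives inside it are emitted as plain text. Returns the length
 * snprintf reports. */
int render_safe(char *dst, size_t dstlen, const char *user)
{
    return snprintf(dst, dstlen, "%s", user);
}

/* Does the safe path reproduce the user text byte-for-byte, directives
 * included? (1 = yes, 0 = no). Inputs longer than the buffer are truncated. */
int renders_literally(const char *user)
{
    char buf[256];
    int len = render_safe(buf, sizeof buf, user);
    return len == (int)strlen(user) && strcmp(buf, user) == 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample standing in for the argv[1] of the slides */
    const char *sample = (argc > 1) ? argv[1] : "AAAA%08x%08x%n";
    char out[256];

    printf("directives found in input: %d\n", count_directives(sample));
    render_safe(out, sizeof out, sample);
    printf("rendered safely: %s\n", out);  /* prints the input literally */
    return 0;
}
```

Compiling the vulnerable form with -Wformat-security (or -Werror=format-security) is the cheapest way to catch printf(var) calls in a code base, because the compiler can see that the format argument is not a string literal.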