The answer is simple: your %08x are also in memory!

Did you try decoding the section before the AAA in memory (78383025 30252078 20783830 38302520 25207838 78383025 30252078 00414141)? It's something like 0% x x8080% % x8x80%0% x.AAA after hex decoding. The memory output here is aligned by 4 bytes, but you chose to write 35x5 bytes before your A's, which is 175; 4 does not go evenly into 175. For your second attempt, you did 40x5 == 200, which does evenly divide by 4, hence the correct alignment in your output.

As far as the missing 0x41 goes, I suspect this is a 64-bit system and you are only printing 4 bytes per every 8, so one of them simply isn't being printed. If this is a 64-bit system and you are trying to print the whole 8 bytes, I suggest using %p instead of %08x as a format specifier.

Answer from multithr3at3d on Stack Exchange
🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
The first line is printed from the non-vulnerable version of printf, and the second line from the vulnerable line. The values printed after the “Hello World” text, are the values on the stack of my computer at the moment of running this example. Also reading and writing to any memory location is possible in some conditions, and even code execution. For more information, please see the Exploiting Format String Vulnerabilities article from 2001.
🌐
Null Byte
null-byte.wonderhowto.com › how-to › exploit-development-read-write-programs-memory-using-format-string-vulnerability-0181919
Exploit Development: How to Read & Write to a Program's Memory Using a Format String Vulnerability :: Null Byte
January 30, 2018 - When a format specifier doesn't ... to be. When we have a program that improperly allows a user to print a string containing a format specifier, an attacker gains the ability to read data right from memory....
🌐
Hacking Lab
hackinglab.cz › en › blog › format-string-vulnerability
Format String Vulnerability - Hacking Lab
October 21, 2024 - If the attacker replaced the last parameter with %s, this would cause the function to read the value stored on the address from the fourth parameter (0x41414141) [2], [5]. Thus, using this technique, the attacker finds out where the beginning of the format string is on the stack – that is, the location in memory that he is able to control.
🌐
Medium
medium.com › @danielorihuelarodriguez › format-string-vulnerability-439acbe81ddf
Format string vulnerability. What’s a format string vulnerability? | by DanielOrihuela | Medium
November 5, 2024 - The format string is crafted to accomplish three things. First, we push the test_val memory address into the stack with $(printf "\x2c\xc0\x04\x08"). Second, we read memory address until we reach the data we inserted at the beginning of the format string with x.x.x.
🌐
BreakInSecurity
axcheron.github.io › exploit-101-format-strings
Exploit 101 - Format Strings - BreakInSecurity
April 22, 2018 - The format string vulnerability can be used to read or write memory and/or execute harmful code. The problem lies into the use of unchecked user input as the format string parameter that perform formatting. A malicious user may use the %s or %x format specifier, among others, to print data ...
🌐
Invicti
invicti.com › blog › web-security › format-string-vulnerabilities
What Are Format String Vulnerabilities?
By crafting format strings that contain a specific number of bytes, attackers can read memory from arbitrary addresses. This is already a critical buffer overread vulnerability that can be used to extract information and prepare other attacks ...
🌐
Gts3
tc.gts3.org › cs6265 › tut › tut05-fmtstr.html
Tut05: Format String Vulnerability - CS6265: Information Security Lab
In this simple case, the third "argument" (i.e. %3$s) happens to be the format string data itself, so we have full control over its value! You can take advantage of this to read a few bytes from an arbitrary memory address, like this:
Find elsewhere
🌐
Stanford
cs155.stanford.edu › papers › formatstring-1.2.pdf pdf
Exploiting Format String Vulnerabilities scut / team teso September 1, 2001
September 1, 2001 - or completely usersupplied string is passed indirectly to a format function. ... However, there may be some interest in crashing the process. At nearly · all UNIX systems illegal pointer accesses are caught by the kernel and the · process will be send a SIGSEGV signal. Normally the program is terminated ... In our case the address is illegal and would be ‘AAA0’. Lets replace it with ... Will dump memory from 0x08480110 until a NUL byte is reached.
🌐
Vickieli
vickieli.dev › binary exploitation › format-string-vulnerabilities
Format String Vulnerabilities - Vickie Li’s Security Blog
August 9, 2020 - Using these techniques, and the trick to access any memory location mentioned in the last section, an attacker can write to arbitrary memory locations. This can allow the attacker to overwrite return addresses, function pointers, the global offset table (GOT), and the destructor table (DTORS), thereby hijacking the flow of the program and execute arbitrary code. Since function arguments for %s are passed by reference, for each %s in the format string, the function will retrieve a value from the stack, treat the value as an address, and print out the string stored at that address.
🌐
Security Boulevard
securityboulevard.com › home › security bloggers network › how to exploit format string vulnerabilities
How to exploit Format String Vulnerabilities - Security Boulevard
September 30, 2020 - Following is the vulnerable program we will use to understand the approach to exploit a simple format string vulnerability to be able to read data from memory.
🌐
NVISO Labs
blog.nviso.eu › 2024 › 05 › 23 › format-string-exploitation-a-hands-on-exploration-for-linux
Format String Exploitation: A Hands-On Exploration for Linux – NVISO Labs
May 23, 2024 - This is a type of vulnerability where submitted data of an input string is evaluated as an argument to an unsafe use of e.g., a printf() function by the application, resulting in the ability to read and/or write to memory.
🌐
Ian
ian.nl › blog › format-string-vulnerability-analysis
Format String Vulnerability: Reading Memory Without Buffers | Ian | Hacking
September 4, 2025 - The 3_simple.c program contains a format string vulnerability on line 7: ... This is unsafe because the user-controlled input name is passed directly as the format string to printf() without a format specifier.
🌐
GyanByte
gyanbyte.com › home › format string vulnerabilities — the read-write primitive hiding in printf()
Format String Vulnerabilities — The Read-Write Primitive Hiding in printf() | GyanByte
March 26, 2026 - When user input is passed directly as the format string to printf(), the attacker gets both a read primitive (%x/%p to leak stack memory) and a write primitive (%n to write to arbitrary addresses).
🌐
Synacktiv
synacktiv.com › en › publications › exploiting-a-blind-format-string-vulnerability-in-modern-binaries-a-case-study-from
Exploiting a Blind Format String Vulnerability in Modern Binaries: A
The print_debug_msg function allows an attacker to control the format string passed to vsnprintf, leading to potential arbitrary memory writes. This blog post outlines our successful exploitation of this format string vulnerability, employing ...
🌐
Exploit-DB
exploit-db.com › docs › english › 28476-linux-format-string-exploitation.pdf pdf
Format String Exploitation-Tutorial By Saif El-Sherei www.elsherei.com
Reads string from · memory · %x · Hexadecimal · Output Hexadecimal · Number · %n · Number of bytes written · so far · Writes the number of · bytes till the format · string to memory · Table 1-1 Format Strings · Format String Vulnerability: Format strings vulnerability exists in most of the printf family below is some.
🌐
DeepWiki
deepwiki.com › firmianay › CTF-All-In-One › 3.3-format-string-vulnerabilities
Format String Vulnerabilities | firmianay/CTF-All-In-One | DeepWiki
April 21, 2025 - Format string vulnerabilities occur ... fprintf(), etc. When these functions are called with improperly sanitized format strings, attackers can manipulate how the program reads or writes to memory....
🌐
Twingate
twingate.com › home › blog › what is a format string attack? how it works & examples
What is a Format String Attack? How It Works & Examples | Twingate
August 7, 2024 - These specifiers, such as %x or %n, can manipulate the function to read or write arbitrary memory locations. Attackers craft input that includes these format specifiers, which the vulnerable application then processes.
🌐
Medium
infosecwriteups.com › exploiting-format-string-vulnerability-97e3d588da1b
EXPLOITING FORMAT STRING VULNERABILITY | by AidenPearce369 | InfoSec Write-ups
January 18, 2024 - Because the address with ... with the memory of the application · So error occurs, be sure of the address and type of the format you are trying to call · The address you are going to call should have a value in it which can support the type of format you need · Lets try to get some data which is not being used in the application ... You can “directly” reference the location in format string vulnerability to call the ...
🌐
Beagle Security
beaglesecurity.com › blog › vulnerability › format-string-vulnerability.html
Format String Vulnerability
October 20, 2023 - Attackers can use format string ... encryption keys, or other confidential data. By carefully crafting the format string, they can read data from the stack or other parts of memory....