How exactly do format string vulnerabilities works [C]?
Format string attack
As you found, %x will pop bytes off the call stack. %08x will print 4 bytes and you can enter multiples of these to walk up the stack.
You now have addresses on the stack and you can print the contents of that memory with %s.
By chance have you tried %n? It should cause a write.
Check this paper for more info https://cs155.stanford.edu/papers/formatstring-1.2.pdf
More on reddit.comConfused about format string vulnerability explanation
Can someone explain to me how format string vulnerability works?
how I can manipulate it to write to a memory address of my choice.
printf being a varadic function doesn't know how many arguments it was sent, it just sees a format specifier, and reads the next argument.
So the simple answer here is you get the location you want to write to as the next argument it reads. So where is it getting the arguments? Probably off the stack. It expects the arguments to be pushed onto the stack before calling, so it just pops off whatever value happens to be there. Its a little more complicated because you have to account for calling conventions, but all conventions that come to my mind right now, will put varadic arguments on the stack. (So to answer your "%p%p" question, its just whatever pops off the stack next.)
So you need to get a value you desire onto the stack, then you "pop" off all the values until you're about to hit your value, which is where you plant the %n so it sees %n, pops your value off and writes to it. Getting your value onto the stack depends on the application and the level of control you have. There is a reasonably chance though at some pointer earlier in teh stack some data you influence will be there, so a common technique is just to %x or %p (both just reflect the value read directly) until you find something you controlled.