format string vulnerability - printf

情深已故 2020-12-14 11:38

Why does this print the value of the memory address at 0x08480110? I'm not sure why there are 5 %08x arguments - where does that take you up the stack?

4 answers
  •  無奈伤痛
    2020-12-14 12:03

    You're correct about "take you up the stack", but only barely; it relies on the assumption that arguments are passed on the stack, rather than in registers. (Which, for a variadic function is probably a safe assumption, but still an assumption about implementation details.)

    Each %08x asks for the 'next unsigned int argument' to be printed in hex; what actually occurs in that 'next argument' location is both architecture and compiler dependent. If you compare the values you get with /proc/self/maps for the process, you might be able to narrow down what some of the numbers mean.
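
The answer's point that each %08x fetches the "next unsigned int argument" because the format string alone drives the argument reads, shown as an added example that is not part of the original thread. `mini_format`, `count_directives` and `safe_echo` are hypothetical helpers, and the argument values are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Toy formatter that understands only "%08x". Like printf, it trusts the format
 * string to say how many arguments exist and fetches one per directive. */
int mini_format(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int fetched = 0;
    size_t used = 0;
    if (cap == 0) return 0;
    va_start(ap, fmt);
    while (*fmt && used + 9 < cap) {   /* room for 8 hex digits + NUL */
        if (strncmp(fmt, "%08x", 4) == 0) {
            unsigned int v = va_arg(ap, unsigned int); /* "next" argument */
            used += (size_t)snprintf(out + used, cap - used, "%08x", v);
            fetched++;
            fmt += 4;
        } else {
            out[used++] = *fmt++;
        }
    }
    out[used] = '\0';
    va_end(ap);
    return fetched;
}

/* Simplified count of conversion directives in s ("%%" is a literal percent). */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%' && s[1] != '\0' && *++s != '%') n++;
    return n;
}

/* Hardened form: untrusted text is data for a fixed "%s", never the format. */
int safe_echo(char *out, size_t cap, const char *untrusted)
{
    return snprintf(out, cap, "%s", untrusted);
}

int main(void)
{
    char buf[64];
    int n = mini_format(buf, sizeof buf, "%08x.%08x", 0x11111111u, 0x2u);
    printf("%s (%d fetched)\n", buf, n);  /* constructed sample values */
    return 0;
}
```

The directive count is simplified: it ignores `*` widths and precisions, which consume an argument of their own.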
