Format string vulnerability in C (how does stack behave in this case?)


I came across an article about a format string vulnerability in C and didn't understand how the format string %7$llx works.

Here is the code from that article:

#include <stdio.h>
#include <unistd.h>

int main() {
    int secret_num = 0x8badf00d;   /* the value that leaks in the output below */

    char name[64] = {0};
    read(0, name, 64);             /* attacker-controlled input; not NUL-terminated if all 64 bytes are filled */
    printf("Hello ");
    printf(name);                  /* format string vulnerability: user input is used as the format itself */
    printf("! You'll never get my secret!\n");
    return 0;
}

Command-line input and output are as follows:

./fmt_string
%7$llx
Hello 8badf00d3ea43eef
! You'll never get my secret!

Article link here

So, I want to find out what happens on the stack when printf is given that format string. As the article states:

Due to how GCC decided to lay out the stack, secret_num is actually at a lower address on the stack than name, so we only have to go to the 7th "argument" in printf to leak the secret

What does the author mean when saying: "so we only have to go to the 7th argument in printf"? BTW, I understand memory layout and how the stack works; it is just the printf and its %7$llx format I don't understand in this particular piece of code.
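An added example, not code from the article or the question: nth_ull imitates what a positional conversion like %7$llx does (walk the variadic argument list to the n-th slot and read it as an unsigned long long), and greet_safe shows the hardened form where the input is passed as data to a fixed format. Function names and the sample arguments are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Mimics a positional conversion such as "%7$llx": advance through the
 * variadic argument list to slot n and read it as unsigned long long.
 * With real arguments supplied this is well-defined.  In the vulnerable
 * program printf(name) supplies no arguments at all, so on x86-64 slots
 * 1-5 come from whatever rsi, rdx, rcx, r8 and r9 held, and slot 6 onward
 * is read from the caller's stack frame.  That is how "%7$llx" reached
 * the 8 bytes containing secret_num in the article's program. */
unsigned long long nth_ull(int n, ...) {
    va_list ap;
    unsigned long long v = 0;
    va_start(ap, n);
    for (int i = 0; i < n; i++)
        v = va_arg(ap, unsigned long long);
    va_end(ap);
    return v;
}

/* Hardened greeting: the user string is an argument to a fixed format, so
 * any '%' sequences in it are printed literally, never interpreted.
 * Uses a static buffer so the result can be inspected by the caller. */
const char *greet_safe(const char *name) {
    static char out[128];
    snprintf(out, sizeof out, "Hello %s! You'll never get my secret!\n", name);
    return out;
}

int main(void) {
    /* Constructed input: seven explicit arguments, the 7th being the
     * secret value from the question, read the way "%7$llx" would. */
    unsigned long long seventh =
        nth_ull(7, 1ULL, 2ULL, 3ULL, 4ULL, 5ULL, 6ULL, 0x8badf00dULL);
    printf("%llx\n", seventh);          /* prints 8badf00d */

    /* The same attacker string fed to the safe version is just text. */
    fputs(greet_safe("%7$llx"), stdout);
    return 0;
}
```

Compiling the original program with -Wformat-security (or -Werror=format-security) flags the printf(name) call; the fixed form above compiles cleanly.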
