Couple of questions about format string vulnerabilities
I just started reading a white paper about the so-called "format string attacks". The paper, which can be found at http://julianor.tripod.com/bc/tn-usfs.pdf, is quite tricky for me. First of all, it was written with the x86 architecture in mind. I'm, however, using an x86_64 system (Fedora 9), so I had to download the glibc-devel.i386 package and compile all the sample programs with the "-m32" switch.
And now for my problems: as you can see in the paper, the writer claims that by running the sample program with "%x %x %x %x" as its invocation argument I can see the value of the local variable x (which is 1). In my case, however, this value appears only when I use five %x's. Why is that?
Moreover, I also noticed that for some reason every time I run the program x is loaded at a different memory address. Why is this? In the paper this address is fixed and doesn't change between separate executions.
Thanks in advance.
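The situation the question describes, as an added example in C that is not part of the original post or of the paper it cites: a logging wrapper that passes user input straight through as the format string, the fixed version beside it, and a small helper that builds the usual "%08x %08x ..." probe and reports at which conversion a known marker value shows up in the leaked output. The function names (log_vulnerable, log_safe, build_probe, find_marker_position), the marker value 0x41414141 and the sample leak strings are mine; the code asserts nothing about the offsets the poster observed.

```c
/* Added example (not from the paper or the poster): a format-string sink,
 * its fix, and the marker technique for locating a stack value. */
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>

/* A typical vulnerable wrapper: whatever the caller passes as `user` becomes
 * the FORMAT argument, so every '%' in it is interpreted. With no real
 * variadic arguments, each "%x" reads the next argument slot anyway. */
static int log_vulnerable(char *out, size_t n, const char *user, ...)
{
    va_list ap;
    va_start(ap, user);
    int r = vsnprintf(out, n, user, ap);   /* user-controlled format */
    va_end(ap);
    return r;
}

/* The fix: user data is only ever an argument, never the format. */
static int log_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Build a probe of `count` conversions, e.g. "%08x %08x %08x ".
 * Returns bytes written (without the NUL), or -1 if it does not fit. */
static int build_probe(char *out, size_t n, int count)
{
    size_t used = 0;
    for (int i = 0; i < count; i++) {
        int w = snprintf(out + used, n - used, "%%08x ");
        if (w < 0 || (size_t)w >= n - used)
            return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* Parse the text printed by such a probe and return the 1-based position of
 * the conversion that printed `marker`, or 0 if it is absent. That position
 * is the N to use in a "%N$x" direct-parameter-access format afterwards. */
static int find_marker_position(const char *leaked, unsigned marker)
{
    int pos = 0;
    const char *p = leaked;
    while (*p) {
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p) {          /* not a hex number here: skip one char */
            p++;
            continue;
        }
        pos++;
        if ((unsigned)v == marker)
            return pos;
        p = end;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Local whose position in the leak we want to find (value is arbitrary). */
    volatile unsigned marker = 0x41414141u;
    char probe[128], leaked[512], fixed[512], direct[16];
    int count = argc > 1 ? atoi(argv[1]) : 12;

    if (build_probe(probe, sizeof probe, count) < 0)
        return 1;

    /* Whether and where `marker` appears depends on the ABI (register-passed
     * arguments on x86_64 come first), the compiler's frame layout and the
     * optimisation level; the leaked addresses change per run under ASLR. */
    log_vulnerable(leaked, sizeof leaked, probe);
    printf("leak : %s\n", leaked);
    int pos = find_marker_position(leaked, marker);
    printf("marker 0x%08x at position %d\n", marker, pos);

    if (pos > 0) {
        /* Read exactly that slot with direct parameter access, "%N$08x". */
        snprintf(direct, sizeof direct, "%%%d$08x", pos);
        log_vulnerable(leaked, sizeof leaked, direct);
        printf("direct %s -> %s\n", direct, leaked);
    }

    log_safe(fixed, sizeof fixed, probe);    /* the '%'s survive untouched */
    printf("safe : %s\n", fixed);
    return 0;
}
```

Compile it once with -m32 and once as native 64-bit and compare the leak: with the SysV x86_64 calling convention the first five "%x" conversions consume the register-passed arguments (rsi, rdx, rcx, r8, r9) before vsnprintf reaches the stack at all, while with -m32 every slot comes from the stack but the compiler's frame layout still decides how many slots sit between the argument area and a given local, which is why the count of "%x"s needed is not stable across compilers or builds. The changing address is Linux address space layout randomization; it can be inspected via /proc/sys/kernel/randomize_va_space or switched off for one process with `setarch -R`.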