There’s a bunch of nice features in glibc that make exploiting format strings much easier. For example, it supports the %hn and %hhn modifiers for doing short-sized and byte-sized writes respectively. It also supports positional arguments (%N$x) so you can target arbitrary items on the stack without having to go through all the previous arguments first.
Of course, it also sports mitigations for format string exploits too. IIRC, setting _FORTIFY_SOURCE to 2 or higher will cause it to abort if a %n placeholder is found in a format string and the string is in writable memory.
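As an added illustration (not the commenter's code), the following C program shows the glibc `printf` features mentioned above in a benign setting: positional arguments (`%N$`) and the `%hn` / `%hhn` length modifiers used with a constant format string, beside the defensive pattern that makes user-controlled text harmless, namely passing it as an argument to `%s` rather than as the format itself. The `count_directives` helper is an assumed, hypothetical validator for flagging untrusted strings that contain conversion specifiers (useful as a log or input check); it is not part of glibc.

```c
#include <stdio.h>
#include <string.h>

/* Benign demonstration of positional arguments and %hn / %hhn.
 * The format string is a compile-time constant in read-only memory,
 * so FORTIFY_SOURCE has no reason to object. Argument 2 is printed
 * before argument 1; the character count so far is then stored as a
 * short (%hn) into argument 3 and as a single byte (%hhn) into
 * argument 4. Returns the number of characters produced. */
int demo_positional_hn(short *short_count, signed char *byte_count)
{
    char out[64];
    int n = snprintf(out, sizeof out, "%2$s-%1$s%3$hn%4$hhn",
                     "world", "hello", short_count, byte_count);
    /* out is now "hello-world" (11 characters); both counters hold 11. */
    return n;
}

/* The defensive pattern: untrusted text is never used as the format.
 * Any '%n' inside it is copied as ordinary characters, not interpreted.
 * Returns what snprintf returns (the length of the formatted text). */
int print_untrusted(char *dst, size_t dstlen, const char *untrusted)
{
    return snprintf(dst, dstlen, "%s", untrusted);
}

/* Hypothetical helper (assumption, not a glibc API): counts conversion
 * specifiers in a string, treating "%%" as a literal percent sign.
 * A non-zero result for text that should never be a format string is a
 * cheap detection signal. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent, skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    short sc = 0;
    signed char bc = 0;
    char buf[32];

    int n = demo_positional_hn(&sc, &bc);
    printf("demo: %d chars, short=%d, byte=%d\n", n, sc, bc);

    /* Constructed sample input containing %n; it stays inert here. */
    print_untrusted(buf, sizeof buf, "%n%n");
    printf("untrusted printed safely as: %s (directives: %d)\n",
           buf, count_directives(buf));
    return 0;
}
```

Compile with `gcc -O2 -D_FORTIFY_SOURCE=2` to see that the constant-format call is accepted; the point of `print_untrusted` is that the abort-on-`%n` check never even comes into play, because the user string is data, not a format.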