Buffer overflow using snprintf


Solution 1

The "\xa0\xfb\xff\xbf" should not be the address of buf, but rather the location of the return address on the stack (which is the value you wish to overwrite). You'll have to find that value using gdb.

You then need to put enough %x in your format string such that your %n will read that value off the stack and write to the address you specified. You also need to use the correct field sizes such that %n will actually write the correct value.

Solution 2

The vulnerability you are trying to exploit is called a format string vulnerability. For further investigation on this topic I would recommend THIS link or the book called "Hacking: The Art of Exploitation".
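To make the vulnerability class concrete from the defender's side, here is an added example (not code from the question or either answer) that places the question's choc() pattern next to its one-line fix and checks the difference in behaviour. The names choc_vulnerable, choc_fixed, copies_verbatim and length_for_n_bytes are mine; the inputs are constructed. The only conversion used is "%%", because it is the one specifier whose behaviour is fully defined without a matching argument, which is enough to show that the vulnerable form interprets the caller's string while the fixed form merely copies it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compilers warn about a non-literal format string with no arguments;
 * that warning is exactly the signal for this bug, so silence it only
 * around the deliberately vulnerable function. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable form, mirroring choc() from the question: arg itself is the
 * format string, so snprintf interprets every conversion it contains. */
int choc_vulnerable(char *out, size_t outlen, const char *arg)
{
    return snprintf(out, outlen, arg);
}

#pragma GCC diagnostic pop

/* Hardened form: a fixed "%s" format copies arg as data. A '%' in arg is
 * now just a byte to copy, and the output stays bounded by outlen. */
int choc_fixed(char *out, size_t outlen, const char *arg)
{
    return snprintf(out, outlen, "%s", arg);
}

typedef int (*choc_fn)(char *, size_t, const char *);

/* Run arg through fn into a 400-byte buffer (the size used in the question)
 * and report whether the result still equals arg byte for byte.
 * Returns 1 if the input was copied verbatim, 0 if fn interpreted it. */
int copies_verbatim(choc_fn fn, const char *arg)
{
    char buf[400];
    memset(buf, 0, sizeof buf);
    fn(buf, sizeof buf, arg);
    return strcmp(buf, arg) == 0;
}

/* Feed n bytes of 'A' (constructed; n may exceed the buffer) through fn and
 * return the length actually stored. The 400-byte buffer caps it at 399,
 * which is the truncation snprintf's size argument buys you. */
size_t length_for_n_bytes(choc_fn fn, size_t n)
{
    char buf[400];
    char *big = malloc(n + 1);
    if (big == NULL)
        return 0;
    memset(big, 'A', n);
    big[n] = '\0';
    memset(buf, 0, sizeof buf);
    fn(buf, sizeof buf, big);
    free(big);
    return strlen(buf);
}

int main(void)
{
    /* Constructed input containing a conversion specifier. */
    const char *arg = "rate=100%%";
    printf("vulnerable copies verbatim: %d\n", copies_verbatim(choc_vulnerable, arg));
    printf("fixed copies verbatim:      %d\n", copies_verbatim(choc_fixed, arg));
    printf("fixed result length for 600-byte input: %zu\n",
           length_for_n_bytes(choc_fixed, 600));
    return 0;
}
```

The length check is there because the question's snprintf with sizeof buf already prevents a classic buffer overflow; what it does not prevent is the format string itself being untrusted, and that is the part the "%s" fix closes.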

Author: Catie

Updated on June 04, 2022

Comments

  • Catie
    Catie about 2 years

    This is an assignment but I am having problems with the basic understanding.

    The vulnerable code:

    int choc(char *arg)
    {
      char buf[400];
      /* arg is passed as the format string itself, so any %x or %n
         it contains is interpreted by snprintf */
      snprintf(buf, sizeof buf, arg);
      return 0;
    }


    I understand that arg needs to be a format string which will overwrite the return address with the address of the code I want to execute. But I am having trouble creating the format string.

    So, things which the format string needs to have:

    1. The address of the return instruction, which I need to overwrite
    2. A list of %x
    3. The value which I would write on the return address. This would be the address of the code I want to execute.

    In order to get the return address, I just need to look at the address of the 'ret' instruction in gdb, right? What exactly is the purpose of the %x? And how do I encode the address of the code I want to execute in the format string?

    A test I did: Using gdb I found that the address of my buf is 0xbffffba0. I generated arg to be "\xa0\xfb\xff\xbf_%x.%x.%n". Shouldn't this write some value to the start of the buff at the address 0xbffffba0? However, I get a segfault. What am I doing wrong?

    Any help would be appreciated!

  • Catie
    Catie about 12 years
    Yes, I read that link. And I believe I am doing exactly what it is telling me to. However, instead of writing to buff, I get a segfault. Not sure why.
  • div
    div about 12 years
    Well, I'm not sure, but your problem is probably connected with some exploit countermeasures that are built into newer versions of Linux, such as "non-executable stack".
  • bta
    bta about 12 years
    @Catie- It's possible that you're going too far and causing snprintf to access memory past the end of the stack. Step through the function on the assembly level and you should be able to see if this is the problem.
  • Catie
    Catie about 12 years
    Thanks! So is the return address saved in %eip? In gdb, I did 'info frame' and saw the saved address of %eip, and created a string the same as above, just with that address swapped in. Always a seg fault. I am just trying to make it write anywhere without a seg fault (that is why I chose the start of the buff).