$6\mathrm{.}4.$ When printf$($fmt$)$ is executed, the stack $($from low address to high address$)$ contains

the following values $(4$ bytes each$),$ where the first number is the content of the variable

fmt$,$ which is a pointer pointing to a format string. If you can decide the content of the

format string, what is the smallest number of format specifiers that you can use crash the

program with a $100$ percent probability?

$0$xAABBCCDD, $0$xAABBDDFF, $0$x$22334455,0$x$00000000,0$x$99663322$

$6\mathrm{.}5.$ A server program takes an input from a remote user, saves the input in a buffer allocated

on the stack $($Region $$ in Figure $6\mathrm{.}9).$ The address of this buffer is then stored in the local

variable fmt$,$ which is used in the following statement in the server program:

printf$($fmt$)$;

When the above statement is executed, the current stack layout is depicted in Figure $6\mathrm{.}9.$

If you are a malicious attacker, can you construct the input, so when the input is fed into

the server program, you can get the server program to execute your code? Please write

down the actual content of the input $($you do not need to provide the exact content of

the code; just put $$malicious code$$ in your answer, but you need to put it in the correct

location$).$

$6\mathrm{.}6.$ If your answer to Problem $6\mathrm{.}5.$ causes the server to print out more than a billion characters,

it may take a while for your attack to succeed. Please revise your answer, so the total

number of characters printed out is less than $60,000.$