Format string attacks are utterly fascinating.
In the general case they give you an arbitrary write: any contents at any memory address, because the %n conversion stores the count of characters output so far through a pointer the attacker gets to choose. So whilst your typical l33t hax0r will overwrite a return address to execute shellcode, there are many more interesting things you can do.
One fun, albeit very complicated, attack I made was to take advantage of a format string attack in an authentication module – allowing me to NOP out the “invalid password” response. Almost undetectable, and utterly useful.
With a little creativity it is possible to be much more evil than simply dropping basic shellcode.
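As an added illustration (my own example code, not from the original post or the attack it describes): the write primitive behind all of this is printf's %n family. The function names below are mine, the target pointer is passed in directly and the format string is a constant, so this shows only the mechanics of the byte-wise write; in a real attack the attacker's string must also select the stack slot holding the target address (usually with %N$ positional arguments), which is deliberately left out here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The bug: a caller-controlled string used as the format. If msg contains
 * conversions, printf reads arguments that were never passed, and a %n in it
 * writes through whatever pointer happens to be on the stack. (Shown, not exercised.) */
static void vuln_log(const char *msg) { printf(msg); }

/* The fix: the format is a constant and user data is only ever an argument. */
static void safe_log(const char *msg) { printf("%s\n", msg); }

/* The write primitive as an exploit composes it: one format string that stores
 * a 32-bit value at 'where' one byte at a time. Each "%*d" emits exactly 'pad'
 * characters (a lone '0' right-aligned in a field of that width) and the "%hhn"
 * after it stores the low byte of the running character count into the next
 * byte of the target. The pads are chosen so the running count equals each
 * wanted byte modulo 256. Only the widths and pointers vary; the format itself
 * is a string literal. */
static void fmt_write32(void *where, uint32_t value)
{
    unsigned char want[4];
    unsigned char *p = where;
    int pad[4];
    unsigned total = 0;

    memcpy(want, &value, sizeof want);   /* host byte order, so *where == value afterwards */
    for (int i = 0; i < 4; i++) {
        int need = ((int)want[i] - (int)(total % 256) + 256) % 256;
        pad[i] = need ? need : 256;      /* width must be >= 1; 256 wraps the low byte to 0 */
        total += pad[i];
    }
    printf("%*d%hhn%*d%hhn%*d%hhn%*d%hhn\n",
           pad[0], 0, &p[0], pad[1], 0, &p[1],
           pad[2], 0, &p[2], pad[3], 0, &p[3]);
}

/* Helper for checking the primitive: write 'value' into a local and return what landed. */
static uint32_t demo_write(uint32_t value)
{
    uint32_t target = 0;
    fmt_write32(&target, value);
    return target;
}

int main(void)
{
    safe_log("%x %n <- harmless when passed as an argument rather than as the format");
    uint32_t got = demo_write(0x90909090u);   /* a NOP-coloured value, placed purely via %hhn */
    printf("written: 0x%08x\n", got);
    (void)vuln_log;
    return got == 0x90909090u ? 0 : 1;
}
```

Note that the count %n stores is per printf call, which is why the pads are computed against a running total within the single format string rather than reset for each byte; that running-total trick is what lets one attacker-supplied string write a full pointer or instruction sequence even though each %hhn can only deposit one byte.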
It isn’t often I get this excited about low-level code.
(I think the last time I was this pleased was when I was shown a demo of a game that a prior company had written – we were shown it because it made a nice lunchtime talk, and because it wouldn’t run on current versions of Windows; so there was no risk of us wasting time by playing it. A few minutes with a disassembler later I had a working binary :) )
Just call me +Steve ;)