Security Basics mailing list archives

Stack question


From: fiurvertiz () gmail com
Date: 23 Feb 2008 09:07:13 -0000

Hi,

I'm right now doing some experiments with buffer overflows and bumped into format string exploiting. There are a lot of different and well (more or less) written articles on the subject, but I have a couple of fundamental questions:

What if I don't find the user supplied parameters on the stack at all? Are they on the heap then?

I'm running my program with AAAA%[n]$x (I've been looping this n-value to around 700-1000, then I get a segmentation fault) and the 41s (that is, the 'A's) don't show up at all. In most test programs I can spot the user supplied parameters within 1-8 address offsets, but in this one I don't.

In the end I was planning to overwrite the .dtors section (it's a gcc ELF executable) using a short write %hn (due to the input buffer limit), but then I have to know the offset to reach the buffer in the format string.
Or do I? Am I able to overwrite the .dtors section without finding the correct offset to the parameters?



Thank you for taking your time for some basic questions, Alex F.
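As an added defender-side example (not from the original post or its author): a small C scanner that recognises the directive shapes discussed above, positional `%n$x` reads and `%hn` writes, inside an input string without ever handing that string to printf, the kind of check a log monitor or input filter can apply; the struct and function names and the sample inputs are my own constructions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Summary of the printf conversion directives found in one input string. */
struct fmt_report {
    int conversions;   /* '%' directives, excluding the literal "%%" */
    int positional;    /* directives using the "%n$" form, e.g. "%7$x" */
    int writes;        /* "%n", "%hn", "%hhn": directives that write to memory */
    int max_position;  /* highest explicit argument index seen (0 if none) */
};

/* Scan s for printf-style directives without passing it to printf. Returns true
 * when the string looks like a format string probe: any memory-write directive
 * or any positional argument index. (Hypothetical helper, not a libc API.) */
bool scan_format_directives(const char *s, struct fmt_report *r)
{
    memset(r, 0, sizeof *r);
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* "%%" prints a literal percent */
        /* optional positional index: digits immediately followed by '$' */
        int num = 0;
        const char *q = p;
        while (isdigit((unsigned char)*q)) num = num * 10 + (*q++ - '0');
        if (num > 0 && *q == '$') {
            r->positional++;
            if (num > r->max_position) r->max_position = num;
            p = q + 1;
        }
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) break;                     /* truncated directive at end of input */
        r->conversions++;
        if (*p == 'n') r->writes++;
    }
    return r->writes > 0 || r->positional > 0;
}

int main(void)
{
    /* constructed sample inputs, in the style of the probes described above */
    const char *samples[] = { "AAAA%7$x", "%08x.%08x.%hn", "login ok, 100%% complete" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct fmt_report r;
        bool suspicious = scan_format_directives(samples[i], &r);
        printf("%-28s conv=%d pos=%d writes=%d maxpos=%d -> %s\n", samples[i],
               r.conversions, r.positional, r.writes, r.max_position,
               suspicious ? "FLAG" : "ok");
    }
    return 0;
}
```

Detection aside, the fix for the program under test is to never pass user data as the format argument (`printf("%s", buf)` instead of `printf(buf)`); gcc's `-Wformat -Wformat-security` warns about the vulnerable form at compile time.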
