Really cool vid, but can you clear up why 'sh;#\x04\xa0\x04\x08\x06\xa0\x04\x08'? Is 'sh' gonna be passed as an argument to system()? Why the two addresses after sh? And what is the second address of?
@incertia 10 years ago
This is extremely late, but here's a brief explanation. The function call we want to exploit is strdup(argv[1]). We want to change this call to system(argv[1]), because we can control argv[1], and if argv[1] = "sh;#...", it will be the equivalent of system("sh;#..."), which will execute /bin/sh hopefully and then ignore the rest, because # designates a shell script comment. What most printf vulnerabilities make use of is the %hn feature, which writes the current number of bytes emitted to the variable at the address pointed to by the next argument in printf. We can specify exactly which address with some x$hn, where x is the argument number we want to write to, 42 and 43 in this case. Given that we walk up the stack far enough, we will find our format string stored in memory, and that is why we include the addresses right after sh;#. Because writing an entire 32-bit number's worth of bytes takes a long time and is very messy, we can do it by writing two 16-bit numbers, which is why we write to 0x0804a004 and then 0x0804a006, to write the low and high parts of the address of system(). Note that this is significantly harder to do when the address you want to write to contains a null byte, because printf stops after it encounters a null byte.
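To make the %hn behaviour described in the reply above concrete from the defender's side, here is an added C example (not from the video or either commenter). It uses %hn legitimately, with an explicit pointer argument, to show that it stores the count of bytes emitted so far into a 16-bit target, and then shows the hardened pattern (untrusted text passed as a %s argument, never as the format string) plus a simple check for write directives in untrusted data. Function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* %hn stores the number of bytes produced before it was reached into the
   unsigned short the next argument points to. Written into a scratch
   buffer so nothing is printed. */
unsigned short bytes_emitted_before_hn(const char *prefix) {
    unsigned short count = 0;
    char scratch[256];
    snprintf(scratch, sizeof scratch, "%s%hn", prefix, &count);
    return count;
}

/* Hardened pattern: the untrusted string is a %s argument, so any %n/%hn it
   contains is copied as inert text. Returns the number of bytes that the
   full output would occupy (out may be NULL with outlen 0, per C99). */
int echo_safely(char *out, size_t outlen, const char *untrusted) {
    return snprintf(out, outlen, "%s", untrusted);
}

/* Defensive check for code paths that still build format strings from
   data: returns 1 if the string contains a directive that writes memory
   (%n with any positional/width/length prefix), 0 otherwise. */
int contains_write_directive(const char *s) {
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        const char *q = p + 1;
        if (*q == '%') { p = q; continue; }               /* literal %% */
        while (*q && strchr("0123456789$.-+ #", *q)) q++; /* flags, width, n$ */
        while (*q && strchr("hlLqjzt", *q)) q++;          /* length modifiers */
        if (*q == 'n') return 1;
    }
    return 0;
}

int main(void) {
    printf("bytes before %%hn for \"sh;#\": %u\n", bytes_emitted_before_hn("sh;#"));
    printf("\"%%42$hn\" contains write directive: %d\n", contains_write_directive("%42$hn"));
    return 0;
}
```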