Format string attacks

Who knew an incorrect printf statement could actually allow someone to spawn a root shell (using %n)? Here are several docs on format string attacks, pointed out by Cyrus Durgin:
http://www.lava.net/~newsham/format-string-attacks.pdf
http://www.team-teso.net/releases/formatstring-1.2.tar.gz

The first is a little light on content, but very well written. The second is full of content; however, many of the code examples are poorly written (also note that many were written with SPARC Solaris specifics).
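To make "incorrect printf statement" concrete, here is an added example (not from this post or the linked papers) showing the incorrect form next to the corrected one, plus a small audit helper that flags conversion specifiers, including %n, in untrusted input. The function names and the sample input are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#ifdef SHOW_INCORRECT_FORM
/* Incorrect: the untrusted text IS the format string, so printf-family
 * functions interpret any %x, %s or %n it contains. Not compiled by default. */
int format_unsafe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}
#endif

/* Correct: a constant format string; the untrusted text is only data. */
int format_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Audit helper (hypothetical): count conversion specifications in s
 * ("%%" is a literal percent) and set *has_n when one of them is %n. */
int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')
            continue;
        s += strspn(s, "-+ #0123456789.*$hlLjzt"); /* flags, width, length */
        if (*s == '\0')
            break;
        if (*s == 'n')
            *has_n = 1;
        count++;
    }
    return count;
}

int main(void)
{
    const char *input = "%08x.%n";   /* constructed sample input */
    char buf[64];
    int has_n, n = count_conversions(input, &has_n);
    format_safe(buf, sizeof buf, input);
    printf("%s -> %d conversions, %%n present: %d\n", buf, n, has_n);
    return 0;
}
```

Building with gcc's `-Wformat -Wformat-security` makes the compiler warn about the incorrect form when `SHOW_INCORRECT_FORM` is defined.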
