How to Remotely Exploit Format String Bugs – A practical tutorial. Includes info on guessing the offset, guessing the address of the shellcode in the stack, using format string bugs as debuggers, examples, etc.
You can download it from the following link: https://packetstormsecurity.com/files/download/25978/remotefmt-howto.txt
Source: https://packetstormsecurity.com/files/25978/remotefmt-howto.txt.html