缓冲区溢出：格式字符串

Question

攻击者应该输入哪个输入字符串才能获得pw的内容？

void func(char *in)
{
  char *pw = "53cr37p455";
  printf(in);
}

void func2(void)
{
  printf("Dummy string.\n");
}

int main(int argc, char *argv[])
{
  char in[512];
  printf("Buffer located at: 0x%x\n", &in[0]);
  printf("Type in data: ");
  fgets(in, 511, stdin);
  func(in);

return 0;
}

提前致谢