printf(user_input) — stack leaks with %p/%x, write primitive with %n
How this becomes an exploit:
The vulnerable code is printf(buf) instead of printf("%s", buf): attacker-controlled text becomes the format string.

Each %p or %x consumes the next argument slot (8 bytes for %p on 64-bit, 4 bytes for %x) even though no argument was passed, so the values read come from the caller's registers and stack — leaking return addresses, stack canaries, or pointers into libc.

%N$p reaches the Nth argument directly (direct parameter access), so the attacker does not have to burn directives to walk up to the slot they want.

The killer: %n writes the number of characters printed so far into the address held by the next argument slot — turning a read primitive into an arbitrary write. Combined with %Nc padding to control the written value, you can overwrite a GOT entry or return address.
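The vulnerable call beside the fixed one, plus a defender's input scanner, as an added example that is not part of the original page. The vulnerable function is routed through a function pointer only because GCC and Clang flag the direct form under -Wformat-security (Ubuntu's default toolchain makes it a hard error), which is itself the first check a practitioner should enable. The scanner `count_directives` and the wrapper names are this example's own; the test never feeds the vulnerable function a directive, since that would be undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable: the user string IS the format string. Every %p/%x consumes an
 * argument slot that was never passed (leak); %n writes through one (write).
 * Called via a pointer so the compiler's -Wformat-security check, which would
 * otherwise reject this line, does not stop the demonstration from building. */
int log_vuln(char *out, size_t n, const char *user_input) {
    int (*fmt_fn)(char *, size_t, const char *, ...) = snprintf;
    return fmt_fn(out, n, user_input);          /* BUG: input used as format */
}

/* Fixed: constant format string; the input is data and its '%' are inert. */
int log_safe(char *out, size_t n, const char *user_input) {
    return snprintf(out, n, "%s", user_input);
}

/* Defensive scanner for untrusted strings that are about to reach a printf-
 * family format parameter (e.g. in a log filter or fuzz-harness oracle).
 * Returns the number of conversion directives; sets *has_n if a %n (the write
 * primitive) is present. "%%" is an escaped percent, not a directive. */
int count_directives(const char *s, bool *has_n) {
    int count = 0;
    *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }     /* literal '%' */
        count++;
        /* Skip flags, width, precision, '$' positional marker, length modifiers. */
        const char *q = p + 1;
        while (*q && strchr("0123456789$-+ #.hlLqjzt", *q)) q++;
        if (*q == 'n') *has_n = true;
        if (*q) p = q;                          /* resume after conversion char */
    }
    return count;
}

/* Wrappers returning plain ints so each check is a single call. */
int directive_count(const char *s)      { bool n; return count_directives(s, &n); }
int has_write_directive(const char *s)  { bool n; count_directives(s, &n); return n; }

/* 1 when the fixed logger emits the input verbatim, directives included. */
int safe_is_verbatim(const char *input) {
    char out[128];
    log_safe(out, sizeof out, input);
    return strcmp(out, input) == 0;
}

/* 1 when the vulnerable logger emits a directive-free input verbatim; the
 * two loggers only diverge once a '%' directive is present. */
int vuln_benign_is_verbatim(const char *input) {
    char out[128];
    log_vuln(out, sizeof out, input);
    return strcmp(out, input) == 0;
}

int main(void) {
    const char *constructed = "%7$n";           /* constructed sample input */
    bool n;
    printf("directives=%d has_n=%d\n", count_directives(constructed, &n), n);
    printf("safe verbatim=%d\n", safe_is_verbatim(constructed));
    return 0;
}
```

In a review, the fix is always the constant format string; the scanner is a detection aid for inputs that still reach legacy format parameters, not a substitute for removing printf(buf).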