64bit buffer overflow fails with SIGILL, cannot understand the reason

I have been doing 32bit buffer overflows for some time and I decided to try some 64bit overflows, to explore some more realistic scenarios. I have compiled my code with gcc -fno-stack-protector -z execstack -no-pie overflow.c -o Overflow.

Here is the code:

#include <stdio.h> #include <string.h> void function(char *str) {     char buffer[32];     strcpy(buffer,str);     puts(buffer); }  int main(int argc, char **argv) {     function(argv[1]); } 

Using gdb I determined how many bytes I need to write to control the return address. This is 40 bytes. So at first I tried to write 40bytes of “A” and then 6bytes of “B” to test the control of the return address.

Here is a screenshot: enter image description here

I found and tested a 23 byte shellcode that executes “/bin/sh”, so I try to write a nop-sled of 13 bytes, the shellcode and the first 6 bytes of the return address that need to change. So I come up with this (in gdb):

r $  (python -c'print "\x90"*13+"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"+"\x10\xe1\xff\xff\xff\x7f"') 

I have set 2 breakpoints before and after the execution of strcpy and examine the memory.

This is the stack before the strcpy: enter image description here

where at address 0x00007fffffffe138 is the return address of function function enter image description here

And this is the stack right after the strcpy execution: enter image description here

So in my understanding, after I press c to continue the execution, I must “return” to the nopsled and then execute the shellcode in gdb.

Instead I get a SIGILL, for illegal instruction.

enter image description here

I cannot figure out why this is happening, any help/suggestions/pointer would be much appreciated.