Basic buffer overflow able to over EIP but doesn’t correctly overwrite when using memory address

I wrote a basic vulnerable app in C.

#include <string.h> 

void vuln(char *arg) { char buffer[10]; strcpy(buffer, arg); }

int main( int argc, char** argv ) { vuln(argv[1]); return 0; }

I determined that if I input 26 characters, characters 23-26 will overwrite EIP. I can successfully represent this in gdb. When try to replace some arbitrary character with my desired address (the address to system() in libc 0xb7e41b40 on my machine) eip becomes gibberish. The input ends up being “a * 22 \x40\x1b\xe4\xb7” why is that? I pasted the gdb output below as well. Thank you.

(gdb) run aaaaaaaaaaaaaaaaaabbbb\x40\x1b\xe4\xb7 

The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/bob/Documents/C/Disassembler_Fun/overflow aaaaaaaaaaaaaaaaaabbbb\x40\x1b\xe4\xb7

Program received signal SIGSEGV, Segmentation fault. 0x78303478 in ?? () (gdb) i r eax 0xbffff276 -1073745290 ecx 0xbffff520 -1073744608 edx 0xbffff28a -1073745270 ebx 0x61616161 1633771873 esp 0xbffff290 0xbffff290 ebp 0x62626262 0x62626262 esi 0x2 2 edi 0xb7fbb000 -1208242176

why not the address? eip 0x78303478 0x78303478 didn’t work?

eflags 0x10282 [ SF IF RF ] cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51 (gdb) run aaaaaaaaaaaaaaaaaabbbbcccc The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/bob/Documents/C/Disassembler_Fun/overflow aaaaaaaaaaaaaaaaaabbbbcccc

Program received signal SIGSEGV, Segmentation fault. 0x63636363 in ?? () (gdb) i r eax 0xbffff286 -1073745274 ecx 0xbffff520 -1073744608 edx 0xbffff292 -1073745262 ebx 0x61616161 1633771873 esp 0xbffff2a0 0xbffff2a0 ebp 0x62626262 0x62626262 esi 0x2 2 edi 0xb7fbb000 -1208242176

over written with cccc eip 0x63636363 0x63636363 worked here

eflags 0x10282 [ SF IF RF ] cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51 (gdb)