GDB not copying desired string (Buffer Overflow Practice)

0

Ok so I am trying to learn about buffer overflows and there is this simple program that is vulnerable to a BoF because it copies the first argument into a buffer of 5 characters. In the source code, there is a function called bar that never gets called by the program. My goal was to overflow the buffer and run that function.

So I loaded it up into gdb and I typed disass bar. The first few lines look like this:

(gdb) disas bar
Dump of assembler code for function bar:
   0x0000000000400988 <+0>: push   %rbp

So basically, all I have to do is put the address 0x00400988 into the end of the overflowed buffer. I calculated the return address to be 36 bytes past when I overflow the variable.

So in GDB I used the command set args $(perl -e 'print "A" x 36 . "\x88\x09\x40\x00"')

I set a breakpoint right after the strcpy was run and examined what 20 words of rsp looked like:

(gdb) x/40xw $rsp
0x7fffffffe240: 0xffffe358  0x00007fff  0x00000000  0x00000003
0x7fffffffe250: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe260: 0x41414141  0x41414141  0x41414141  0x41414141
0x7fffffffe270: 0x41414141  0x00000088  0xf7a54b45  0x00007fff
0x7fffffffe280: 0x00000000  0x00000000  0xffffe358  0x00007fff

My issue is that the return address is not copying correctly. As you can see, it only copies the hex value 88 (and I guess the 00 in the beginning of the buffer).

This is what I have tried so far: I have tried to recompile and check if it was an issue with the address being returned to.

I have tried to change the hex values of the address to random values and that seems to copy. For example, I tried to copy in the values 0x85af4709 into that location and it worked. In fact, I found out that the 09 in the original address is what is causing the issue. For example, I am able to make the address 0x00400788 but it can't be 0x00400788.

That being said, I found out that 07 in ascii is a bell, which can be written as \a. Even if I did that, I got the original issue.

After that, I tried adjusting the amount of "A"s I would copy into the buffer to see if that did anything. It didn't.

I even tried to write the string out when typing run in gdb.

Then, I googled this issue and found a really good example of exactly what I was trying to do. I used the sample program on page 32 of this article: https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture21.pdf

To my surprise, exactly what I was doing in my program worked exactly as I intended it to work in the author's sample program.

As a conclusion, I was wondering if someone would be able to explain why that one position in the address can contain any hex value except the one I want to copy into it. In addition to that, I want to know how I can fix this.

If you would like any additional info I'd be more than happy to give it to you.

c
gdb
asked on Stack Overflow Feb 24, 2016 by yasgur99
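Byte 0x09 is a tab, and the shell performs word splitting on tabs when a `$(...)` substitution is left unquoted, so everything after that byte becomes a second argument. The following is an added example, not from the question or any answer, that demonstrates this on a constructed payload (the 36 `A`s followed by `\x88\x09\x40`) and shows how to check what argv[1] actually contains:

```shell
#!/bin/sh
# Added example (not part of the original question): compare how an
# unquoted $(...) and a quoted "$(...)" deliver a payload that contains
# a tab byte (0x09), and dump the bytes a program would receive in argv[1].

# Constructed sample payload: 36 'A's followed by the bytes 0x88 0x09 0x40
# (octal \210 \011 \100). A trailing 0x00 is omitted on purpose: a NUL
# byte can never be part of an argv string, since it terminates the C string.
payload() { printf 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\210\011\100'; }

# Unquoted substitution: the shell splits the output on IFS (space, tab,
# newline), so the tab at byte 38 turns one payload into two arguments.
count_unquoted() { set -- $(payload); echo "$#"; }

# Quoted substitution: the output stays a single argument, tab included.
count_quoted() { set -- "$(payload)"; echo "$#"; }

# Byte length of the first argument in each case.
len_unquoted() { set -- $(payload); printf '%s' "$1" | wc -c | tr -d ' '; }
len_quoted() { set -- "$(payload)"; printf '%s' "$1" | wc -c | tr -d ' '; }

# Hex dump of one argument, i.e. exactly what strcpy would read from argv[1].
dump_arg() { printf '%s' "$1" | od -An -tx1 | tr -s ' \n' ' '; }

main() {
    echo "unquoted: $(count_unquoted) argument(s), first is $(len_unquoted) bytes"
    echo "quoted:   $(count_quoted) argument(s), first is $(len_quoted) bytes"
    set -- "$(payload)"
    echo "quoted argv[1] bytes:$(dump_arg "$1")"
}
main "$@"
```

With the unquoted form the first argument stops right after 0x88, which matches the 0x00000088 word seen in the stack dump above; the quoted form delivers all 39 bytes.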

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0