I used a buffer overflow and overwrote the ret address on the stack. When I debugged it with gdb, I understood that eip is set to the address that I want. The address is a gadget in libc. The opcodes of the instructions are set properly, but it just doesn't execute them and I get this message:
0xb7fa9dd8 in ?? () from /lib/i386-linux-gnu/libc.so.6
Why? What is this message?
Look at the data below please:
(gdb) x $eip
0xb7fa9dd8: 0xfff2a858
The gadget to execute is:
184dd8: 58 pop %eax
184dd9: a8 f2 test $0xf2,%al
184ddb: ff a8 00 00 00 00 ljmp *0x0(%eax)