1 year ago

#321848

kyasbal

Why are local variable addresses different depending on which program started it?

I ran into some confusion about a memory address issue during my experiments practicing CTF pwn questions.

I tried to find the start address of a local array variable with Radare2 in order to insert shellcode. But the address I obtained was different when the program was run from Python in order to use pwntools.


This background context is a bit complex. I created a simpler reproducible example, and here are my questions.

I compiled the following code:

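```c
#include <stdio.h>

int main(void) {
    char buffer[300];
    /* Print the address of the local array; %p is the pointer format. */
    printf("%p\n", (void *)buffer);
    return 0;
}
```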

with these compile options:

```sh
gcc source.c -o vuln -fno-pie -no-pie -fno-stack-protector -z execstack -m32
```

When I run this program directly from bash or Radare2, it prints an address like 0xffffcb24.

But when I use Python to run the built binary with the following Python code, the address is different: it was 0xffffc9f4.

```python
import subprocess

subprocess.run("./vuln")
```

These experiments were run in my Ubuntu environment with ASLR disabled.

I don't have any rational explanation for this difference. Could someone help me understand this difference?

(Note: The address when run from a different shell file was also different. I reckon this is not a Python-specific problem.)

c

binary

exploit

ctf

pwntools
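An added example, not part of the original post: on Linux, `execve()` copies the argv and environment strings to the top of the new process's stack, so a launcher that passes a different environment or `argv[0]` shifts every local variable even with ASLR disabled. The program below prints its buffer address next to the size of that data; the function names and the sample vectors are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

extern char **environ;

/* Constructed sample launches (not captured from a real system): the same
 * binary started with two environments that differ only in the "_" entry. */
char *SAMPLE_ARGV[]  = {"./vuln", NULL};
char *SAMPLE_ENV_A[] = {"HOME=/root", "_=./vuln", NULL};
char *SAMPLE_ENV_B[] = {"HOME=/root", "_=/usr/bin/python3", NULL};

/* Bytes one NULL-terminated string vector needs on the initial stack:
 * every string with its NUL, one pointer per entry, and the NULL terminator. */
size_t vector_stack_bytes(char *const vec[]) {
    size_t total = sizeof(char *);              /* terminating NULL pointer */
    for (size_t i = 0; vec != NULL && vec[i] != NULL; i++)
        total += strlen(vec[i]) + 1 + sizeof(char *);
    return total;
}

/* argv and envp together: the launcher-controlled part of the initial stack. */
size_t launch_stack_bytes(char *const argv[], char *const envp[]) {
    return vector_stack_bytes(argv) + vector_stack_bytes(envp);
}

/* How many more bytes launch B places above main()'s frame than launch A. */
long launch_delta(char *const argv_a[], char *const env_a[],
                  char *const argv_b[], char *const env_b[]) {
    return (long)launch_stack_bytes(argv_b, env_b)
         - (long)launch_stack_bytes(argv_a, env_a);
}

int main(int argc, char *argv[]) {
    char buffer[300];
    (void)argc;
    /* Compare these two numbers across launchers (shell, debugger, Python). */
    printf("buffer at %p, argv+env data: %zu bytes\n",
           (void *)buffer, launch_stack_bytes(argv, environ));
    printf("constructed samples differ by %ld bytes\n",
           launch_delta(SAMPLE_ARGV, SAMPLE_ENV_A, SAMPLE_ARGV, SAMPLE_ENV_B));
    return 0;
}
```

With ASLR disabled, running it directly, under `env -i`, and from `subprocess.run` shows the buffer address moving down as the byte count grows, with the shift rounded by stack alignment. Launching with an identical environment and the same path gives matching addresses.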

0 Answers
