79683284

Date: 2025-06-28 19:41:25
Score: 1.5

You used Python with 128 characters to overwrite eip. That's why, when you analyse eip, it is overwritten with '\x90'. I did use your code and used the pattern generator from here: https://wiremask.eu/tools/buffer-overflow-pattern-generator/?

I have calculated that the offset is 120 until you overwrite the return address/eip. The exploit code has the issue that you have to put the return address, which points into your NOP sled, into your string as well. It's completely missing.

It could look something like this:

¦ NOP ¦ Shellcode ¦ EIP overwrite

Where NOP and shellcode are 120 characters and EIP overwrite is an address inside the NOP block.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Contains question mark (0.5):
  • Low reputation (1):
Posted by: AmolosRicha1