I'm getting a little closer on Ubuntu 9.04.
If you compile as follows:
gcc -g -mpreferred-stack-boundary=2 -o e3 example3.c
and then do the following with gdb:
(gdb) b 2
Breakpoint 1 at 0x804844a: file example3.c, line 2.
(gdb) run
Starting program: /home/joel/hacking/stacksmash/e3
Breakpoint 1, function (a=1, b=2, c=3) at example3.c:2
2 void function(int a, int b, int c) {
(gdb) x/8x buffer1
0xbffff457: 0xfff48808 0x0484f9bf 0x6fe30408 0x6fdff400
0xbffff467: 0x0484e000 0xfff48808 0xfff488bf 0x0484a7bf
(gdb) disas main
Dump of assembler code for function main:
0x0804847e <main+0>: push %ebp
0x0804847f <main+1>: mov %esp,%ebp
0x08048481 <main+3>: sub $0x10,%esp
0x08048484 <main+6>: movl $0x0,-0x4(%ebp)
0x0804848b <main+13>: movl $0x3,0x8(%esp)
0x08048493 <main+21>: movl $0x2,0x4(%esp)
0x0804849b <main+29>: movl $0x1,(%esp)
0x080484a2 <main+36>: call 0x8048444 <function>
0x080484a7 <main+41>: movl $0x1,-0x4(%ebp)
0x080484ae <main+48>: mov $0x8048590,%eax
0x080484b3 <main+53>: mov -0x4(%ebp),%edx
0x080484b6 <main+56>: mov %edx,0x4(%esp)
0x080484ba <main+60>: mov %eax,(%esp)
0x080484bd <main+63>: call 0x8048364 <printf@plt>
0x080484c2 <main+68>: leave
0x080484c3 <main+69>: ret
End of assembler dump.
.... you will see that you can find most of the return address... but something is a bit weird since it is offset a bit. It is
almost 28 bytes away from the start of buffer1... but not quite. Almost seems like it's 27 bytes away... but that doesn't seem to make much sense to me!
Not sure if this helps any...
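Added example (not code from the post or its author): a Python script that unpacks the x/8x dump quoted above into little-endian bytes and reports where the saved frame pointer and the return address (main+41, the instruction after the call in the disassembly) sit relative to buffer1, including the case where the last value runs off the end of the dump. The only assumptions are the x86 conventions that gdb prints each word most-significant-byte first while memory holds it little-endian, and that the saved ebp is the 4 bytes immediately below the return address.

```python
import re
import struct

# Constructed from the "x/8x buffer1" output in the post above (copied verbatim).
GDB_DUMP = """
0xbffff457: 0xfff48808 0x0484f9bf 0x6fe30408 0x6fdff400
0xbffff467: 0x0484e000 0xfff48808 0xfff488bf 0x0484a7bf
"""

# From "disas main": the instruction after "call <function>" is main+41,
# so this is the value the saved return address in function's frame holds.
RETURN_ADDRESS = 0x080484a7


def parse_gdb_words(dump: str):
    """Turn 'addr: word word ...' lines into (base_address, raw bytes in memory order)."""
    base = None
    raw = bytearray()
    for line in dump.strip().splitlines():
        addr_text, words = line.split(":", 1)
        addr = int(addr_text, 16)
        if base is None:
            base = addr
        # gdb shows each 32-bit word as a number; x86 stores it little-endian.
        for w in re.findall(r"0x[0-9a-fA-F]+", words):
            raw += struct.pack("<I", int(w, 16))
    return base, bytes(raw)


def find_value(raw: bytes, value: int, min_match: int = 3):
    """Return (offset, bytes_matched) where the little-endian encoding of value
    begins. A match may be cut short by the end of the dump, which is exactly
    why only 'most of' the return address is visible in a 32-byte window."""
    pattern = struct.pack("<I", value)
    for off in range(len(raw)):
        n = min(4, len(raw) - off)
        if n >= min_match and raw[off:off + n] == pattern[:n]:
            return off, n
    return None


def frame_layout(dump: str = GDB_DUMP, ret: int = RETURN_ADDRESS):
    base, raw = parse_gdb_words(dump)
    ret_off, matched = find_value(raw, ret)
    saved_ebp_off = ret_off - 4          # saved ebp sits directly below the return address
    saved_ebp = struct.unpack("<I", raw[saved_ebp_off:saved_ebp_off + 4])[0]
    return {
        "buffer1": base,
        "ret_offset": ret_off,           # byte distance from buffer1 to the return address
        "ret_bytes_in_dump": matched,    # how many of its 4 bytes the dump actually shows
        "saved_ebp_offset": saved_ebp_off,
        "saved_ebp": saved_ebp,
    }


if __name__ == "__main__":
    info = frame_layout()
    print(f"buffer1 at {info['buffer1']:#x}")
    print(f"saved ebp {info['saved_ebp']:#010x} at buffer1+{info['saved_ebp_offset']}")
    print(f"return address at buffer1+{info['ret_offset']} "
          f"({info['ret_bytes_in_dump']} of 4 bytes inside the dump)")
```

Because buffer1 starts at an odd address and -mpreferred-stack-boundary=2 only aligns the frame to 4 bytes, the word-sized view of x/8x splits the return address across two printed words, which is what makes the offset look like "not quite 28".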