Buffer Bomb Phase 3

Okay so I'm working on phase 3 of the buffer bomb and this seems fairly straight forward. Correct me if I'm wrong but I need to overwrite ebp to equal my cookie and make sure not to overwrite 0xdeadbeef?

Our preceding attacks have all caused the program to jump to the code for some other function, which then causes the program to exit. As a result, it was acceptable to use exploit strings that corrupt the stack, overwriting the saved value of register %ebp and the return pointer.
The most sophisticated form of buffer overflow attack causes the program to execute some exploit code that patches up the stack and makes the program return to the original calling function (test() in this case). The calling function is oblivious to the attack. This style of attack is tricky, though, since you must: 1) get machine code onto the stack, 2) set the return pointer to the start of this code, and 3) undo the corruptions made to the stack state.

Your job for this level is to supply an exploit string that will cause getbuf() to return your cookie back to test, rather than the value 1. You can see in the code for test that this will cause the program to go Boom!. Your exploit code should set your cookie as the return value, restore any corrupted state, push the correct return location on the stack, and execute a ret instruction to really return to test.

Some Advice:

In order to overwrite the return pointer, you must also overwrite the saved value of %ebp. However, it is important that this value is correctly restored before you return to test. You can do this by either 1) making sure that your exploit string contains the correct value of the saved %ebp in the correct position, so that it never gets corrupted, or 2) restore the correct value as part of your exploit code. Youll see that the code for test() has some explicit tests to check for a corrupted stack.
You can use gdb to get the information you need to construct your exploit string. Set a breakpoint within getbuf() and run to this breakpoint. Determine parameters such as the saved return address and the saved value of %ebp.
Again, let tools such as gcc and objdump do all of the work of generating a byte encoding of the instructions.
Keep in mind that your exploit string depends on your machine, your compiler, and even your teams cookie. Do all of your work on the machine cs367.vsnet.gmu.edu, and make sure you include the proper team name on the command line to bufbomb.
Once you complete this level, pause to reflect on what you have accomplished. You caused a program to execute machine code of your own design. You have done so in a sufficiently stealthy way that the program did not realize that anything was amiss.

Code for test(): 
1 void test()
2 {
3 int val;
4 volatile int local = 0xdeadbeef;
5 entry_check(3); /* Make sure entered this function properly */
6 val = getbuf();
7 /* Check for corrupted stack */
8 if (local != 0xdeadbeef) {
9 printf("Sabotaged!: the stack has been corrupted\n");
10 }
11 else if (val == cookie) {
12 printf("Boom!: getbuf returned 0x%x\n", val);
13 validate(3);
14 }
15 else {
16 printf("Dud: getbuf returned 0x%x\n", val);
17 }
18 }

                                  

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20: