与汇编代码中的系统调用指令混淆

Question

我正在尝试通过缓冲区溢出来研究代码注入。我想将以下代码注入堆栈：

#include <stdio.h>
void main() {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
}

我写了以下与此相对应的汇编指令。

void main() {
    __asm__("jmp 0x2a\n\t"          // 3 bytes - jumps to last instruction
        "popl %esi\n\t"         // 1 byte - get the return address i.e. address of string in register
        "movl %esi,0x8(%esi)\n\t"   // 3 bytes - push contents on stack for syscall
        "movb $0x0,0x7(%esi)\n\t"   // 4 bytes - push contents on stack for syscall
        "movl $0x0,0xc(%esi)\n\t"   // 7 bytes - push contents on stack for syscall
        "movl $0xb,%eax\n\t"        // 5 bytes - store syscall id 11 to register
        "movl %esi,%ebx\n\t"        // 2 bytes - prepare registers for exec syscall
        "leal 0x8(%esi),%ecx\n\t"   // 3 bytes - prepare registers for exec syscall
        "leal 0xc(%esi),%edx\n\t"   // 3 bytes - prepare registers for exec syscall
        "int $0x80\n\t"         // 2 bytes - actual exec syscall
        "movl $0x1, %eax\n\t"       // 5 bytes - prepare registers for exit syscall in case exec fails
        "movl $0x0, %ebx\n\t"       // 5 bytes - prepare registers for exit syscall
        "int $0x80\n\t"         // 2 bytes - exit syscall
        "call -0x2f\n\t"        // 5 bytes - jumps to second instruction pushing the address of string "/bin/sh" on the stack.
        ".string \"/bin/sh\"\n\t"); // 8 bytes
}

通过

编译上述程序

  

gcc shellcodeasm.c -m32 -g -o shellcode -fno-stack-protector -z execstack -static

和

  

运行objdump -S shellcode

我为main获得了以下转储：

08048e24 <main>:
void main() {
 8048e24:       55                      push   %ebp
 8048e25:       89 e5                   mov    %esp,%ebp
        __asm__("jmp 0x2a\n\t"                  // 3 bytes - jumps to second last instruction
 8048e27:       e9 fe 71 fb f7          jmp    2a <data.8998+0x6>
 8048e2c:       5e                      pop    %esi
 8048e2d:       89 76 08                mov    %esi,0x8(%esi)
 8048e30:       c6 46 07 00             movb   $0x0,0x7(%esi)
 8048e34:       c7 46 0c 00 00 00 00    movl   $0x0,0xc(%esi)
 8048e3b:       b8 0b 00 00 00          mov    $0xb,%eax
 8048e40:       89 f3                   mov    %esi,%ebx
 8048e42:       8d 4e 08                lea    0x8(%esi),%ecx
 8048e45:       8d 56 0c                lea    0xc(%esi),%edx
 8048e48:       cd 80                   int    $0x80
 8048e4a:       b8 01 00 00 00          mov    $0x1,%eax
 8048e4f:       bb 00 00 00 00          mov    $0x0,%ebx
 8048e54:       cd 80                   int    $0x80
 8048e56:       e8 76 71 fb f7          call   ffffffd1 <_end+0xf7f14ccd>
 8048e5b:       2f                      das
 8048e5c:       62 69 6e                bound  %ebp,0x6e(%ecx)
 8048e5f:       2f                      das
 8048e60:       73 68                   jae    8048eca <__libc_start_main+0x5a>
 8048e62:       00 5d c3                add    %bl,-0x3d(%ebp)
 8048e65:       66 90                   xchg   %ax,%ax
 8048e67:       66 90                   xchg   %ax,%ax
 8048e69:       66 90                   xchg   %ax,%ax
 8048e6b:       66 90                   xchg   %ax,%ax
 8048e6d:       66 90                   xchg   %ax,%ax
 8048e6f:       90                      nop

除第一个 jmp 和最后一个调用指令外，每条指令都符合预期。我希望 jmp指令跳转到调用指令但是没有发生。相反，它的论点是显示其他 2a data.8998 + 0x6 ，我不明白。请告诉我我错在哪里。还要帮助我做些什么才能让它发挥作用。