1. When the return address into main is overwritten with a new one, the saved ebp of main is overwritten as well, because it sits immediately below the return address on the stack:

       +-------------+
       |             |  <- input string is stored here
       |             |
       |             |  getbuf's stack frame
       | main's ebp  |
       +-------------+
       | ret in main |  <- overwrite this address with the new one
       +-------------+
       |             |
       |             |
       |             |  main's stack frame
       |             |
       |             |
       +-------------+

2. So the last 8 bytes of the input string must be main's saved ebp (4 bytes) followed by the new return address (4 bytes).

3. When getbuf returns it pops its stack frame as usual. Nothing about that has been altered, and after the return the top of the stack is main's stack frame.

4. However, execution continues at the new return address instead of in main.
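The following program is an added example, not code from the original notes, that lets a function inspect its own frame to confirm the layout drawn above: the saved frame pointer sits at the frame base and the return address is the very next word above it, so any write that runs past the end of a local buffer reaches the saved frame pointer first and the return address immediately after. It assumes a GCC- or Clang-compatible compiler (for `__builtin_frame_address` and `__builtin_return_address`) and a build that keeps a frame pointer in these functions; on a 64-bit build the two slots are 8 bytes each (rbp instead of ebp), which is why the code derives the sizes from `sizeof(void *)` rather than hard-coding the 4-byte figures in the notes.

```c
#include <stdio.h>
#include <string.h>

/* Reads the word just above the saved frame pointer and compares it with the
 * return address the compiler reports. Returns 1 when they match, i.e. when
 * the frame really is laid out as [saved fp][return address]. */
__attribute__((noinline))
int return_address_sits_above_saved_fp(void)
{
    void **fp = (void **)__builtin_frame_address(0); /* slot holding caller's fp */
    void *ret_from_slot = fp[1];                     /* next word up the stack */
    void *ret_reported = __builtin_return_address(0);
    return ret_from_slot == ret_reported;
}

/* Distance in bytes from the start of a local buffer to the saved frame
 * pointer slot. Writes that run past this distance would clobber the saved
 * frame pointer and then the return address, exactly as in the notes. With a
 * stack protector enabled the distance grows because a canary sits in between. */
__attribute__((noinline))
size_t bytes_before_saved_fp(void)
{
    char buf[32];
    memset(buf, 'A', sizeof buf); /* constructed contents; keeps buf live */
    char *fp = (char *)__builtin_frame_address(0);
    return (size_t)(fp - buf);
}

/* Number of bytes at the end of an input that would cover the saved frame
 * pointer plus the return address: two pointer-sized words (8 on 32-bit). */
size_t trailing_bytes_for_fp_and_ret(void)
{
    return 2 * sizeof(void *);
}

int main(void)
{
    printf("frame layout is [saved fp][ret]: %s\n",
           return_address_sits_above_saved_fp() ? "yes" : "no");
    printf("bytes from buf[0] to saved fp:   %zu (buf itself is 32)\n",
           bytes_before_saved_fp());
    printf("saved fp + return address:       %zu bytes\n",
           trailing_bytes_for_fp_and_ret());
    return 0;
}
```

Compile with `gcc -O0 -fno-omit-frame-pointer` to see the tight layout the notes assume; rebuilding with `-fstack-protector-all` shows the buffer-to-frame-pointer distance grow, which is the whole point of that mitigation: the canary, not the saved ebp, is the first thing an overlong write hits, and it is checked before getbuf returns.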