The basic unit of ROP – gadgets

The x86 instruction set that we're working with is sometimes described as dense. A single-byte instruction can have significant power; lodsb, for example, loads a byte from memory while incrementing a pointer. A program with only a handful of bytes in it? We won't have a tremendous number of options. But any program linked to the C standard library? There's enough inherent instruction power to let the attacker get away with just about anything. We can turn the program's own code against itself.

When a function is called, the return address is pushed onto the stack so that execution can proceed where it left off once the procedure call completes. During a buffer overflow, we overwrite the return address to control the flow of execution. Now, imagine that we've overwritten the return address so that it points to some instructions that end in a return—that points to some other instructions ending in a return—that points to some other instructions that end in a—you get the idea:

These individual pieces of code are called gadgets. A gadget is typically short, but it always ends in an instruction that sends execution somewhere else. We chain these together to create arbitrary functionality—all without injecting any code of our own.
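The two ideas above, that the instruction set is dense and that a gadget is any short sequence ending in a control transfer, are what defenders measure when they assess how much "gadget material" a binary exposes. The script below is an added example, not the book's code: it scans a small constructed byte string standing in for a .text section, locates every ret (0xC3), walks backwards over known single-byte instructions to recover the gadget, and then uses a deliberately tiny linear-sweep decoder (it knows only the opcodes present in the sample, plus mov r32, imm32 and the register form of xor) to flag gadgets that do not start on an intended instruction boundary. The sample bytes, the opcode table and the decoder limits are all assumptions of this example; a real audit would use a full disassembler. The point it makes is that a single mov eax, 0xC35F hides a pop edi ; ret inside its immediate, which is why mitigations that reduce or hide unintended returns (CFI, shadow stacks, gadget-aware compilation) matter even when the intended code looks harmless.

```python
"""Locate ret-terminated byte sequences ("gadgets") in a code region and
flag the ones that sit inside intended instructions.

Constructed example for illustration; not the book's code and not a
substitute for a real disassembler.
"""

RET = 0xC3

# Single-byte x86 instructions this toy recognises (assumption: enough for the sample).
ONE_BYTE = {0x90: "nop", 0xAC: "lodsb", RET: "ret", 0xC9: "leave",
            0xCC: "int3", 0xF4: "hlt"}
for _r, _name in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]):
    ONE_BYTE[0x50 + _r] = f"push {_name}"
    ONE_BYTE[0x58 + _r] = f"pop {_name}"

# Constructed sample "text section".  The five-byte instruction
#   mov eax, 0xC35F   ->  B8 5F C3 00 00
# contains the bytes 5F C3, which on their own decode as  pop edi ; ret.
SAMPLE_TEXT = bytes.fromhex(
    "b8 5f c3 00 00"   # mov eax, 0xC35F   (unintended pop edi ; ret inside)
    "90"               # nop
    "ac c3"            # lodsb ; ret
    "5d c3"            # pop ebp ; ret     (an ordinary function epilogue)
    "31 c0"            # xor eax, eax      (two bytes, not a single-byte insn)
    "c9 c3"            # leave ; ret
)


def linear_sweep(code: bytes) -> set[int]:
    """Return the offsets where the *intended* instruction stream starts
    instructions.  Toy decoder: handles only the opcodes used in the sample."""
    starts, i = set(), 0
    while i < len(code):
        starts.add(i)
        op = code[i]
        if op in ONE_BYTE:
            i += 1
        elif 0xB8 <= op <= 0xBF and i + 5 <= len(code):      # mov r32, imm32
            i += 5
        elif op == 0x31 and i + 1 < len(code) and code[i + 1] >> 6 == 3:
            i += 2                                           # xor r32, r32
        else:
            raise ValueError(f"opcode {op:#04x} at offset {i} not in toy decoder")
    return starts


def find_gadgets(code: bytes, max_depth: int = 3) -> list[tuple[int, list[str]]]:
    """For every ret byte, walk backwards over up to max_depth known
    single-byte instructions (stopping at an earlier ret, which would end the
    gadget prematurely).  Returns (start_offset, [mnemonics...]) per gadget."""
    gadgets = []
    for end, b in enumerate(code):
        if b != RET:
            continue
        insns, start, j = ["ret"], end, end - 1
        while (j >= 0 and end - j <= max_depth
               and code[j] in ONE_BYTE and code[j] != RET):
            insns.insert(0, ONE_BYTE[code[j]])
            start, j = j, j - 1
        gadgets.append((start, insns))
    return gadgets


def classify(code: bytes) -> list[tuple[int, str, bool]]:
    """Pair each gadget with whether it begins on an intended instruction
    boundary; False marks an unintended gadget hidden inside other code."""
    intended = linear_sweep(code)
    return [(start, " ; ".join(insns), start in intended)
            for start, insns in find_gadgets(code)]


def unintended_count(code: bytes) -> int:
    """Defender's metric: how many gadgets exist only because of byte density."""
    return sum(1 for _, _, intended in classify(code) if not intended)


if __name__ == "__main__":
    for start, text, intended in classify(SAMPLE_TEXT):
        tag = "intended  " if intended else "UNINTENDED"
        print(f"{tag} @+{start:02d}: {text}")
    print("unintended gadgets:", unintended_count(SAMPLE_TEXT))
```

Running it lists four gadgets; the one at offset 1 (pop edi ; ret) is the only unintended one, because it starts inside the immediate of the mov. Tracking that count before and after a build change is a cheap way to see whether a compiler or linker option has actually reduced the attack surface the chapter is describing.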
