Generating a ROP chain

If you recall the humble vulnerable C programs we wrote before, you'll notice something different this time around. We're already familiar with the strcpy() function, but in this program, we have the system() function. A part of the C standard library, system() will pass a command to the host to be executed.

We can grab individual bytes out of our program's own code, link them together with returns, and pass whatever bytes we want to system(). The potential is there, but we have the problem of figuring out where system() is located. Let's take the spirit of return-to-libc in a different direction.
