hey JaPH

2009. 8. 12. 17:19

My English is quite bad. :( I hope you understand me.

You can change a program's execution flow by overwriting some function's return address with the address of your own code.
So a basic BoF needs two things: where the return address lives on the stack, and the address of the shellcode.

1. Check the program's stack layout. With a standard 32-bit x86 frame, the saved EBP sits at EBP + 0 and the return address at EBP + 4.
  ESP points to the top of the stack, i.e. its lowest address. (In GDB, "x/16x $esp" dumps 16 words starting there, and "info frame" prints where the saved EIP is.)
  Where a local variable lands relative to the saved EBP is up to the compiler (padding, register spills and a stack-protector canary all shift it), so confirm it in the debugger rather than assuming it.

2. I made it.

3. Actually, the first line is the shellcode:
  "\x8d\x4c\x24\x04\x83\xe4\xf0\xff\x71\xfc\x55\x..."
  (Check it before relying on it: those leading bytes disassemble to lea ecx,[esp+4]; and esp,0xfffffff0; push dword [ecx-4]; push ebp, which is the prologue gcc emits for main on 32-bit x86, so make sure the string is the payload you intend and not bytes copied out of the compiled program.)
  Now look at the code below:
 
      extern char shell[];      /* the shellcode bytes quoted above, kept in a global char array */

      int main(void)
      {
          int *ret;             /* a pointer-sized local; its address is our anchor in the frame */

          ret = (int *)&ret + 2;

          /* &ret is ret's own address, cast to int *, so "+ 2" means
           * 2 * sizeof(int) = 8 bytes further up. Picture the stack:
           *
           *   high address
           *   --------------
           *   return address   +8
           *   --------------
           *   saved ebp        +4
           *   --------------
           *   ret              +0   (here is ret)
           *   --------------
           *   low address
           *
           * Got it? ret now points at main's own return address. */

          *ret = (int)shell;

          /* The return address now holds the shellcode's address, so when
           * main returns, the shellcode is executed. (32-bit only: an int
           * must be as wide as a pointer for the cast to keep the address.) */
      }

 This source is just for testing whether the shellcode works or not. Note what it assumes: the compiler placed ret directly below the saved EBP (otherwise "+ 2" does not reach the return address), the stack is executable (no NX), and there is no canary sitting between ret and the saved EBP; on a modern toolchain, check the offset in GDB first, as in point 1.
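Here is an added example of the same idea, written for this edit rather than taken from the post or from JaPH's code. Instead of assuming the return address is two words above the local, it scans the frame for the value __builtin_return_address(0) gives and reports the real distance for whatever compiler and flags built it (point 1 of the post, done in code). It then redirects a function's return the way "*ret = shell;" does, but to a landing function that longjmps back instead of to shellcode, so it runs without an executable stack. The names return_slot_offset, hijack_own_return, landing, find_slot and SCAN_WORDS are mine, and it assumes gcc or clang on x86 Linux with no shadow stack or return-address signing enforced; it only looks within a 64-word window and refuses to write anything if it cannot find the slot.

```c
/* Measures the distance between a local and the saved return address instead
 * of hard-coding the post's "+ 2", then redirects a function's return the same
 * way the post's "*ret = shell;" does, but to a harmless landing function.
 * Added example, not the post's code; assumes gcc/clang on x86 Linux. */
#include <limits.h>
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCAN_WORDS 64   /* how many pointer-sized slots to search around the local */

#if defined(__i386__) || defined(__x86_64__)
#define REALIGN_STACK __attribute__((force_align_arg_pointer))
#else
#define REALIGN_STACK
#endif

/* Address of the slot `off` pointer-sized words away from `base` (off may be negative). */
static uintptr_t slot_addr(uintptr_t base, int off)
{
    return base + (uintptr_t)((intptr_t)off * (intptr_t)sizeof(void *));
}

/* Read one pointer-sized word at an arbitrary stack address. Out of line so the
 * frame being scanned never holds a copy of the value we are looking for. */
static __attribute__((noinline)) void *read_word(uintptr_t addr)
{
    void *w;
    memcpy(&w, (const void *)addr, sizeof w);
    return w;
}

/* Distance, in words, from `base` to the slot holding `expected`. The x86 frame
 * in the post keeps the saved return address above the locals, so higher
 * addresses are tried first; the downward pass covers ABIs that save it below
 * them. INT_MIN means not found within SCAN_WORDS. */
static __attribute__((noinline)) int find_slot(uintptr_t base, void *expected)
{
    for (int i = 1; i < SCAN_WORDS; i++)
        if (read_word(slot_addr(base, i)) == expected)
            return i;
    for (int i = 1; i < SCAN_WORDS; i++)
        if (read_word(slot_addr(base, -i)) == expected)
            return -i;
    return INT_MIN;
}

/* Point 1 of the post, done empirically: how far is this frame's first local
 * from the frame's own return address? The post's `(int *)&ret + 2` assumes 2;
 * this reports the real figure for whatever compiler and flags built the binary
 * (stack-protector canaries, padding and spills all shift it). */
__attribute__((noinline)) int return_slot_offset(void)
{
    volatile uintptr_t marker = 0;   /* plays the role of `ret` in the post */
    int off = find_slot((uintptr_t)&marker, __builtin_return_address(0));
    marker = (uintptr_t)off;         /* keeps the frame live across the call (no tail call) */
    return off;
}

static jmp_buf hijack_env;
static volatile int landed;

/* Stand-in for the shellcode: where the redirected `ret` lands. It is entered
 * by `ret`, not `call`, so the stack is not where a normal entry would leave it
 * (REALIGN_STACK fixes the alignment) and there is nothing sensible to return
 * to, so it longjmps back to run_hijack_demo's setjmp instead. */
static __attribute__((noinline, noreturn)) REALIGN_STACK void landing(void)
{
    landed = 1;
    longjmp(hijack_env, 1);
}

/* The post's `*ret = shell;`: find this frame's own return-address slot and
 * overwrite it with `target`, so the function's normal `return` lands there.
 * Returns -1 and leaves the stack alone if the slot could not be located. */
__attribute__((noinline)) int hijack_own_return(void (*target)(void))
{
    volatile uintptr_t marker = 0;
    int off = find_slot((uintptr_t)&marker, __builtin_return_address(0));
    if (off == INT_MIN)
        return -1;
    memcpy((void *)slot_addr((uintptr_t)&marker, off), &target, sizeof target);
    return 0;   /* the caller never sees this: `ret` now pops `target` */
}

/* Runs the hijack; returns 1 if control really arrived in landing(). Assumes no
 * shadow stack (CET) or return-address signing is enforcing returns. */
int run_hijack_demo(void)
{
    landed = 0;
    if (setjmp(hijack_env) == 0) {
        hijack_own_return(landing);
        return -1;   /* only reached if the return was not redirected */
    }
    return landed;
}

int main(void)
{
    printf("return address is %d words from the first local\n", return_slot_offset());
    printf("hijacked return reached landing(): %s\n", run_hijack_demo() == 1 ? "yes" : "no");
    return 0;
}
```

Build it with the flags you use for the real target and compare the printed offset with what "x/16x $esp" shows in GDB; that number, not 2, is what to add to &ret. Adding -fno-stack-protector removes the canary that gcc otherwise places between the local and the saved EBP, which typically brings the offset down by one word.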


badcob Sabzil