❑ RTL (Return To Library): A technique that changes the RET address in the stack frame so that a function in a library is executed instead.
* It is used to bypass non-executable stacks.
❑ RTL chaining: A technique that builds a chain so that RTL is used several times in a row.
❑ e.g.1 This is a normal RTL.
❑ e.g.2 If func1, func2, and func3 take no parameters, the following RTL chaining is possible. If a function takes arguments, you can adjust the ESP position with pop * x + ret. Checking how the stack frame changes when a function exits will help you understand this (Link).
※ Changing RET to execute another function is different from CALL (push eip + jmp [func]), because it amounts to jmp [func] only.
※ Here is an example that changes the value of RET by changing only the SFP. (Link)
※ ROP(Return Oriented Programming) : Link
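
The ESP movement described in e.g.2 and in the CALL note above can be traced with a small model. This is an added example, not part of the original notes: it walks a symbolic stack and records what each function would see as its arguments, with and without pop * x + ret. The numeric "addresses", the argument counts in `nargs` and the name `run_chain` are all assumptions made for the model.

```c
#include <stdio.h>

/* Symbolic "addresses" constructed for this model; none are real. */
enum { END = 0, FUNC1 = 1, FUNC2 = 2, FUNC3 = 3, POP1_RET = 101, POP2_RET = 102 };

struct call { int func, argc, argv[2]; };

/* Assumed cdecl argument counts: func1(a, b), func2(c), func3(void). */
static int nargs(int f) { return f == FUNC1 ? 2 : f == FUNC2 ? 1 : 0; }

/* Walk the words laid out from the overwritten RET slot upward.
 * Returns the number of function entries recorded in out[], or -1 when
 * a ret would load a word that is neither a function nor a gadget. */
int run_chain(const int *stack, int len, struct call *out, int max)
{
    int esp = 0, n = 0;
    while (esp < len) {
        int eip = stack[esp++];      /* ret = pop eip: a jmp, nothing is pushed */
        if (eip == END)
            return n;
        if (eip == POP1_RET || eip == POP2_RET) {
            esp += eip - 100;        /* pop * x: step ESP over x argument words */
            continue;                /* the gadget's ret is the next iteration */
        }
        if (eip < FUNC1 || eip > FUNC3 || n == max)
            return -1;               /* execution would continue at a data word */
        /* On entry [esp] is what the function takes as its return address
         * and [esp+1..] are its arguments, the frame a CALL would have left. */
        out[n].func = eip;
        out[n].argc = nargs(eip);
        for (int i = 0; i < out[n].argc; i++)
            out[n].argv[i] = esp + 1 + i < len ? stack[esp + 1 + i] : -1;
        n++;                         /* its own ret is the next iteration */
    }
    return n;
}

int main(void)
{
    /* Constructed layouts; 0x41..0x43 stand in for argument values. */
    int fixed[] = { FUNC1, POP2_RET, 0x41, 0x42, FUNC2, POP1_RET, 0x43, FUNC3, END };
    int naive[] = { FUNC1, FUNC2, 0x41, 0x42, END };
    struct call c[4];
    printf("with pop*x+ret: %d calls\n", run_chain(fixed, 9, c, 4));
    printf("without:        %d\n", run_chain(naive, 5, c, 4));
    return 0;
}
```

In the layout without the gadget, func2 reads func1's second argument as its own and its ret then loads an argument word, which is why the model returns -1 there.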