One of the modern software attacks is returned-oriented programming (ROP).
In ROP attacks, no code is injected by the attacker, but rather one or more portions of legitimate code are executed, such that their combined functionality is harmful. As part of a ROP attack, the stack is overwritten, so that when the instruction pointer returns from a call, the overwritten return addresses point to one or more gadgets, being sequences of instructions each ending with a return statement, such that their combined functionality is equivalent to a malicious code as designed by the attacker. Thus, in ROP attacks, chunks of code ending with a return instruction, which exist in a program or in an available library such as kernel32.dll, user32.dll or the like, are used. The chunks of code perform legitimate needed functionality, but are misused to perform malicious activity. Searching for such chunks to be used in an attack is an easy task, and tools exist that are operative in building the addresses that are to be injected to the stack such that these chunks are executed.