You can find this question perfectly solved in O'Hallaron's book CSAPP.
Here is the brief introduction:
- Firstly, you get the idea that we can overwrite the ebp by using a buffer overflow. This can work because the call and ret instructions use that address to put the return point in and pull it back.
- Then, Linux has a kind of protection mechanism called stack randomization. This means you cannot find the exact address of ebp. But we can use the instruction named nop, and this is called a slop (maybe, I guess).
- Lastly, Linux has a last wall of protection: setting a canary. This is a value at the (ebp+4) address which is set before calling a function. After return, you can check it to find out whether the stack has been attacked by an overflow.
If you want to try this, you can check out the ICS's Lab3, and you will get good exercise in this technique.
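As an added example, not part of the answer above, the book, or the lab: a small C model of one x86 stack frame that exercises the three points the answer lists. An unchecked copy runs off the end of the local buffer into the saved frame pointer and the return address; a run of nop bytes in front of the payload lets an imprecise guess of the buffer's address still reach it; and a canary sitting between the buffer and the control data is clobbered by the same overflow, so the check before `ret` fails. The frame layout, the addresses, the canary value and the four placeholder code bytes are all constructed for the illustration (a real stack protector draws a random canary per process; the host is assumed little-endian like x86).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE     16
#define NOP          0x90
#define CANARY_VALUE 0xCAFEBABEu   /* constructed; real canaries are random per process */

/* Modelled frame, low to high addresses: buf[] first, then the canary, the
 * caller's ebp, and the return address that `ret` will pop. */
struct frame {
    unsigned char buf[BUF_SIZE];
    uint32_t      canary;
    uint32_t      saved_ebp;
    uint32_t      ret_addr;
};

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary    = CANARY_VALUE;
    f->saved_ebp = 0xBFFFF000u;   /* constructed caller ebp */
    f->ret_addr  = 0x08048400u;   /* constructed legitimate return address */
}

/* The modelled bug: the copy is bounded by the input length, not by BUF_SIZE.
 * It is clamped to the whole frame only so this simulator stays memory-safe;
 * the missing check against sizeof buf is the vulnerability being shown. */
static void vulnerable_copy(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* What a stack-protector epilogue checks before `ret`. */
static int canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Payload: [NOP sled][code][filler over canary and ebp][new return address].
 * Returns the payload length, or 0 if sled plus code does not fit in buf[]. */
static size_t build_payload(unsigned char *out, size_t sled_len,
                            const unsigned char *code, size_t code_len,
                            uint32_t guessed_addr) {
    if (sled_len + code_len > BUF_SIZE) return 0;
    size_t n = 0;
    memset(out, NOP, sled_len);
    n = sled_len;
    memcpy(out + n, code, code_len);
    n += code_len;
    memset(out + n, 'A', offsetof(struct frame, ret_addr) - n);
    n = offsetof(struct frame, ret_addr);
    for (int i = 0; i < 4; i++)               /* little-endian address bytes */
        out[n++] = (unsigned char)(guessed_addr >> (8 * i));
    return n;
}

/* Model of execution after `ret` jumps to `landing`: slide over NOP bytes of
 * buf[] (assumed to live at `buf_addr`) until the first non-NOP byte. Returns
 * that byte's offset within buf[], or -1 if the guess misses the sled. */
static long sled_landing(const unsigned char *buf, uint32_t buf_addr, uint32_t landing) {
    if (landing < buf_addr || landing >= buf_addr + BUF_SIZE) return -1;
    size_t off = landing - buf_addr;
    while (off < BUF_SIZE && buf[off] == NOP) off++;
    return off < BUF_SIZE ? (long)off : -1;
}

struct outcome { int canary_ok; uint32_t ret_addr; long landed_at; };

/* One constructed attack: buf[] assumed at `buf_addr`, attacker guesses
 * `guess` for the return address and fronts the code with `sled_len` NOPs. */
static struct outcome run_attack(uint32_t buf_addr, uint32_t guess, size_t sled_len) {
    static const unsigned char code[] = { 0xCC, 0xCC, 0xCC, 0xC3 }; /* placeholder, not shellcode */
    struct frame f;
    unsigned char payload[sizeof f];
    struct outcome o = { 0, 0, -1 };

    frame_init(&f);
    size_t n = build_payload(payload, sled_len, code, sizeof code, guess);
    if (n == 0) return o;
    vulnerable_copy(&f, payload, n);

    o.canary_ok = canary_intact(&f);
    o.ret_addr  = f.ret_addr;
    o.landed_at = sled_landing(f.buf, buf_addr, guess);
    return o;
}

/* An input that fits in buf[] leaves canary and return address untouched. */
static int benign_keeps_canary(void) {
    struct frame f;
    frame_init(&f);
    vulnerable_copy(&f, (const unsigned char *)"hello", 5);
    return canary_intact(&f) && f.ret_addr == 0x08048400u;
}

int main(void) {
    struct outcome o = run_attack(0xBFFFFE00u, 0xBFFFFE07u, 12);
    printf("canary intact: %d, ret_addr now 0x%08x, landed at buf+%ld\n",
           o.canary_ok, o.ret_addr, o.landed_at);
    printf("benign input keeps canary: %d\n", benign_keeps_canary());
    return 0;
}
```

With a 12-byte sled the guess may be off by up to eleven bytes and execution still slides into the code at buf+12; any guess outside the buffer misses. The same 28-byte payload that replaces the return address necessarily writes over the canary on its way there, which is exactly why the epilogue check catches it.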