The return-into-libc exploit [18,13] overflows a buffer to overwrite the return address as the stack smashing attack does. However it overwrites the return address with the address of C library function such as system(). Since it uses an existing code rather than a shellcode, Solar Designer's non-executable stack patch or PaX cannot detect this 2.