klog published “The Frame Pointer Overwrite” in Phrack 55 [16]. He showed how to gain execution by using a single byte overwrite to overwrite the last byte of %esp. In some situations this can result in the calling function retrieving its saved EIP from an attacker defined location resulting in altered execution flow.