RET 2 ESP

From our previous example, we had something like
- [buffer][ebp][ret][address][address][address][address]
Neat thing about this, is that the %esp register when a function is called, will basically store the address pointing to the beginning of your stack frame. So in short, it points right before buffer.
Well, since functions return to calling functions using the ret instruction.. some magic happens with esp.

From our previous example, we had something like