By another appalling lack of serendipity that I won’t get into, you can set the return address to point into an earlier part of the buffer itself, and the computer will happily jump to any return address, even one that is in the area reserved for the stack versus where code is normally loaded. So the malicious finger request (such messages are generally known as exploits) can send over the actual code that it wants to run (known as the payload) in the same bogus finger message that it uses to overflow the stack buffer.
I thought this was a short and lucid explanation of why C programs tend to have security problems.
