Hi @Nekiruy,
As far as I know, the stack address which initially contained with EIP will be overwritten and contains an address to the system() when system() is executing.
For more information about ret2libc, you can look at @IoTh1nkN0t explanation Exploiting Techniques \000 - ret2libc