Steve Kemp's Blog

Debian & Free Software


The power of the dark side ...
3rd October 2005

Format Strings

Format string attacks are utterly fascinating.

In the general case they allow you to overwrite arbitrary memory addresses with arbitrary contents. So whilst your typical l33t hax0r will overwrite a return address to execute shellcode, there are many more interesting things you can do.

One fun, albeit very complicated, attack I made was to take advantage of a format string attack in an authentication module – allowing me to NOP out the “invalid password” response. Almost undetectable, and utterly useful.

With a little creativity it is possible to be much more evil than simply writing basic shellcode.
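To make the bug class concrete, here is an added example in C (not code from the post, and not the authentication module mentioned above). It shows the vulnerable pattern, where untrusted input becomes the format string itself, beside the hardened form that passes the input as a `%s` argument, plus a small detection helper that counts `%` conversion directives in data that should never contain any. The function names and the sample string are constructed for this example; the vulnerable function is only ever called with an input that contains a doubled `%`, which is enough to show that the string is being parsed as a format without exercising any conversion that reads or writes memory.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted string *is* the format string, so any
 * '%' directives it carries are interpreted by the formatter. This is the
 * bug class the post describes. It is exercised below only with input that
 * contains no conversion that reads or writes memory. (hypothetical name) */
int log_vulnerable(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, untrusted);   /* BUG: attacker controls the format */
}

/* Hardened pattern: the format string is a compile-time constant and the
 * untrusted data is passed as an argument, so it is copied verbatim.
 * (hypothetical name) */
int log_hardened(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Detection helper (hypothetical name): count '%' conversion directives in a
 * string that should never contain any, e.g. a username or a log line
 * received over the network. "%%" is a literal percent sign and is not
 * counted. A non-zero result in data that is about to reach a printf-family
 * function is worth alerting on. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is an escaped percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample: a benign-looking string carrying a doubled '%'. */
    const char *sample = "100%% done";

    log_vulnerable(buf, sizeof buf, sample);
    printf("vulnerable: %s\n", buf);   /* "100% done": parsed as a format */

    log_hardened(buf, sizeof buf, sample);
    printf("hardened:   %s\n", buf);   /* "100%% done": copied verbatim */

    printf("directives in \"%%x %%x %%n\": %d\n",
           count_format_directives("%x %x %n"));  /* 3 */
    return 0;
}
```

The difference in the two outputs is the whole vulnerability: in the first case the formatter consumed the input as directives, so any `%x` or `%n` an attacker supplies would likewise be obeyed, while the hardened form treats the input purely as data. Compilers flag the vulnerable form with `-Wformat-security`; turning that warning into an error is the cheapest way to keep the pattern out of a code base.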

It isn’t often I get this excited about low-level code.

(I think the last time I was this pleased was when I was shown a demo of a game that a prior company had written – we were shown it because it made a nice lunchtime talk, and because it wouldn’t run on current versions of Windows; so there was no risk of us wasting time by playing it. A few minutes with a disassembler later I had a working binary :) )

Just call me +Steve ;)

Created by Chronicle v3.1