Just a comment on point 2. If you find input that overflows some buffer, it can be enough to crash the application (SIGSEGV, SIGBUS, etc.); you don't need to put extra code in memory, etc. That would be some kind of virus, a tougher exploit to craft.
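As an added illustration of the point above (example code, not from the original thread): the unchecked copy that overflows a fixed buffer on overlong input, beside a bounds-checked version that rejects such input instead of crashing. Buffer size, function names and the sample inputs are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size buffer for the example */

/* Defective version: copies with no length check. Input longer than
 * NAME_LEN - 1 bytes writes past the end of `name`. A long enough input
 * corrupts the stack and the process typically dies with SIGSEGV: a
 * crash alone, no injected code required. Shown for illustration only;
 * it is never called below because the overflow is undefined behaviour. */
void greet_unchecked(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);          /* unbounded copy: the overflow */
    printf("hello %s\n", name);
}

/* Hardened version: refuses input that does not fit. Returns 1 when the
 * input was accepted and printed, 0 when it was rejected as overlong.
 * The caller can then log the rejection instead of crashing. */
int greet_checked(const char *input) {
    char name[NAME_LEN];
    size_t len = strlen(input);
    if (len >= NAME_LEN) {        /* no room for the terminating NUL */
        return 0;
    }
    memcpy(name, input, len + 1); /* bounded copy, includes the NUL */
    printf("hello %s\n", name);
    return 1;
}

int main(void) {
    /* constructed inputs: one that fits, one of 64 'A' bytes that would
     * overflow the unchecked version */
    char oversized[65];
    memset(oversized, 'A', 64);
    oversized[64] = '\0';

    greet_checked("alice");
    if (!greet_checked(oversized)) {
        fprintf(stderr, "rejected %zu-byte input\n", strlen(oversized));
    }
    return 0;
}
```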