Radical Environments part II - This paper continues where part one left off, detailing a technique in writing 0 bytes when exploiting a local buffer overflow using a non-executable stack with the heap being stored in memory at a virtual address containing a \x00 byte.
004f5ce4295a0c7432dff945d7e66862613b1de871421317eb084f690a1eadb4