
Ideally you have to master a low-level language like C, socket programming and assembly on various architectures. You can somehow get away with a scripting language like Perl or Python and drop-in shellcode, but I suggest you do it the hard way.

You can start reading the classics (although most of them are not applicable today) like "Smashing the Stack for Fun and Profit" by Aleph One, the 7350 (teso security group) papers on format-string exploitation, as well as various other papers on heap-overflow techniques, double free()s, etc. A very good book for all-round exploitation with some advanced techniques is "The Shellcoder's Handbook", which I highly recommend. Phrack magazine (before the editing team changed) has some really juicy techniques on exploiting various platforms.

Other than that, you should browse through A LOT of source code trying to identify bugs in open-source software, and subscribe to various security bulletins so you can read advisories and try to exploit them. GDB is your best friend for that job, since analyzing core files is the beginning of everything.

Finally you should get involved in security communities (the more under the ground they are, the better) and attend security cons (HAL, Defcon, CCC).

I used to do some heavy exploit writing back in high school and I can tell you it's really REALLY fun, but time-consuming and frustrating sometimes. Exploiting software is a form of puzzle solving.
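Two of the bug classes the comment names, the stack buffer overflow of "Smashing the Stack" and the format-string bug of the 7350 papers, as an added example in C that is not code from the original post: each deliberately vulnerable function sits beside a hardened version. The `session` struct, its layout (a 16-byte name immediately followed by a privilege flag) and the inputs are constructed for illustration; the "%%" input is used instead of "%x" or "%n" so the demonstration stays deterministic while still showing user data being interpreted as a format string.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record: a fixed buffer immediately followed by a flag, the
 * layout that turns an unbounded copy into a privilege-check bypass. */
struct session {
    char name[16];
    int  is_admin;
};

/* Vulnerable on purpose: strcpy() copies until the NUL byte, ignoring the
 * 16-byte limit, so byte 17 of the name lands in is_admin. */
int login_vulnerable(const char *name)
{
    struct session s;
    s.is_admin = 0;
    strcpy(s.name, name);               /* unbounded copy: the bug */
    return s.is_admin;
}

/* Hardened: check the length against the destination before copying and
 * refuse over-long input rather than truncating it silently. */
int login_fixed(const char *name)
{
    struct session s;
    size_t len = strlen(name);
    s.is_admin = 0;
    if (len >= sizeof s.name)
        return -1;                      /* does not fit with its NUL: reject */
    memcpy(s.name, name, len + 1);      /* bounded copy, NUL included */
    return s.is_admin;
}

/* Vulnerable on purpose: the user string IS the format string. With "%x"
 * or "%n" an attacker reads the stack or writes memory; even a harmless
 * "%%" shows the input being parsed instead of copied. */
int render_vulnerable(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);
}

/* Hardened: a constant format string; user data is only ever an argument. */
int render_fixed(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

int main(void)
{
    /* 16 filler bytes, then 'B' (0x42) overwrites the low byte of is_admin. */
    const char *overflow = "AAAAAAAAAAAAAAAAB";
    char out[64];

    printf("vulnerable login with overflow -> is_admin=%d\n",
           login_vulnerable(overflow));
    printf("fixed login with overflow      -> %d (rejected)\n",
           login_fixed(overflow));

    render_vulnerable(out, sizeof out, "50%% off");
    printf("vulnerable render: %s\n", out);
    render_fixed(out, sizeof out, "50%% off");
    printf("fixed render:      %s\n", out);
    return 0;
}
```

The overflow stays inside the struct (18 bytes written into a 20-byte object), so the effect is reproducible without depending on what the compiler placed next on the stack; the same unbounded copy into a bare local array is what overwrites the saved return address in the classic paper.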



Also one thing I forgot. I used to enjoy wargames back in the day, that is, preconfigured buggy black-box services that you have to exploit in order to progress to the next level. Vortex and PullThePlug used to be some of the really good ones. If someone wants to learn how to exploit software, these games are a really good start.


I was surprised no one else had mentioned wargames. There are several at http://smashthestack.org/ that cover a wide range of exploits (from simple buffer overflows to format-string exploits and MD5 collisions). My favorite one was to develop two BF (http://en.wikipedia.org/wiki/Brainfuck) scripts that print out different strings, yet have the same MD5 hash.



