I learned a lot from the slmail example that is used on the OSCP, although outside of the lab period trying to find version (I think) 5.5 was difficult - there lots of writeup about it. Also John Hammond mentioned a really good technique and getting shells using BOF check out his OSCP video - wish I had seen it before the course, makes logical sense.