
That has more to do with reading assembly than writing it by hand.


There are certainly people who write shellcode. As I understand it, people have written shellcodes that use only bytes that happen to map to ASCII, are obfuscated to bypass intrusion detection systems, and so on. I'm sure it requires quite a bit of (specialized) knowledge.


That was more common in the late '90s than it is now (and note that it involves knowing only a very few instructions; enough to call a function or the system call gate).

There are occasional exploits that can't be pieced together out of other people's shellcode, but there are also perhaps 10 people in the world that write those exploits.


Well, more like bytecode that doesn't contain a zero-byte, which'd stop a string dead-on.


In '96 when I wrote the Crispin IMAP server bug, I can't remember which way it was but you either couldn't have uppercase letters, or could only have uppercase letters, in the shellcode. I thought I was kind of badass for writing that code. Of course, by '99, that was a triviality.

Just saying, it's not just NUL.
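As an added illustration (not code from the thread or any of its posters) of the two constraints the comments above describe, the C below does two things: `bytes_surviving_string_copy` shows why an embedded 0x00 matters at all, since a C string copy simply stops there, and `first_bad_offset` reports where a captured byte string would first fail a given filter (no NUL, printable ASCII only, no lowercase), which is how an analyst checks which of those filters a sample would have been written to survive. The function names, the `NO_NUL`/`ASCII_ONLY`/`UPPER_ONLY` flags and the sample buffers are all assumptions made for this example; the buffers are opaque byte patterns, not real payloads.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The byte constraints mentioned in the thread, as a bitmask (example names). */
enum {
    NO_NUL     = 1 << 0,  /* no 0x00 byte: a C string copy would stop there      */
    ASCII_ONLY = 1 << 1,  /* every byte must be printable ASCII (0x20..0x7e)     */
    UPPER_ONLY = 1 << 2   /* no lowercase letters a..z                            */
};

/* Return the offset of the first byte that violates any requested constraint,
 * or -1 if the whole buffer passes. */
long first_bad_offset(const unsigned char *buf, size_t len, unsigned constraints)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char b = buf[i];
        if ((constraints & NO_NUL) && b == 0x00)
            return (long)i;
        if ((constraints & ASCII_ONLY) && (b < 0x20 || b > 0x7e))
            return (long)i;
        if ((constraints & UPPER_ONLY) && b >= 'a' && b <= 'z')
            return (long)i;
    }
    return -1;
}

/* Model a C string copy of buf: only the bytes before the first 0x00 survive.
 * Returns how many bytes strlen() still sees after the copy. */
size_t bytes_surviving_string_copy(const unsigned char *buf, size_t len)
{
    char tmp[256];
    if (len >= sizeof tmp)
        len = sizeof tmp - 1;
    memcpy(tmp, buf, len);
    tmp[len] = '\0';       /* terminate so strlen() is always safe */
    return strlen(tmp);    /* stops at the first embedded NUL, if any */
}

/* Constructed sample inputs (opaque byte patterns, not real payloads). */
static const unsigned char SAMPLE_WITH_NUL[] = { 0x41, 0x42, 0x00, 0x43, 0x44 };
static const unsigned char SAMPLE_MIXED[]    = { 'A', 'B', 'C', 'd', 'e', 'f' };

int main(void)
{
    printf("NUL sample: first bad offset under NO_NUL = %ld, bytes surviving copy = %zu\n",
           first_bad_offset(SAMPLE_WITH_NUL, sizeof SAMPLE_WITH_NUL, NO_NUL),
           bytes_surviving_string_copy(SAMPLE_WITH_NUL, sizeof SAMPLE_WITH_NUL));
    printf("mixed-case sample: first bad offset under UPPER_ONLY = %ld\n",
           first_bad_offset(SAMPLE_MIXED, sizeof SAMPLE_MIXED, UPPER_ONLY));
    return 0;
}
```

Running it shows the five-byte sample shrinking to two bytes after a string copy (the 0x00 at offset 2 ends it), while the mixed-case sample passes the NUL and ASCII filters but fails the uppercase-only one at offset 3.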


Actually, no. If you're dealing with obfuscation, IDS and antivirus evasion etc. you need to know how to read, write and otherwise manipulate assembly code (debug, self-modification, you name it).


First, for dealing with obfuscation and evasion, you're reading, not writing.

Second, for every 100 people that talk about e.g. self-modifying viruses or shellcode, there is perhaps 1 person who can actually write something soup-to-nuts, and maybe 5-10 more who can modify that code to make it do something new.

Reading assembly is important for security research. Writing, not as much.



