Yes, a lot of it is random testing; I've found several buffer overruns by this method.

You can also decompile the code and work from there. I don't have a great deal of knowledge of doing this, but most buffer overflows involve some form of input/memory storage, and these can be seen in decompiled code quite easily.

I have talked only about buffer overruns as they're still one of the most common forms of vulnerabilities, but there are other methods, such as altering settings or doing something in ways that wouldn't normally be done.

i2c