bind_tsi.c the new bind 4.x/8.x 'tsi' bug, remote r00t compromise.
bsd_rctty_xpl.c oftentimes rcvtty in BSDi 3.0 and 4.0 is suid root. Here’s code to exploit it.
bsdpwerror.c the pwerror() call is vulnerable to an exploit that will get you root. here's the c code.
bsdproc_xpl.c certain (newer) bsd's have a vulnerable /proc filesystem. use this xploit locally to get r00t.
screen_xpl.txt the suid file screen is vulnerable to a buffer overflow. many bsd's have this hole.
sliplogin_xpl.c bsd's sliplogin is vulnerable to a buffer overflow that will get you r00t.