Very cool paper and demo over at MWR InfoSecurity on DHCP Script Injection.
The paper covers attacking the pfsense admin interface and injecting script into the DHCP hostname field. Because the admin interface runs as root your code is executed as root. The demo also uses a CRSF attack to change the password but I think its far more interesting to be able to inject script into the interface and run with all the exploitation options available there. They also released the tool to do it.
Paper on the DHCP Script Injection