Thought this might peak some interest so I'll throw it out there. tell me if you have already heard of it or done it. or if you know of patches that have closed these holes.
it regards the way routers handle certain packets related to DNS handling that if tweaked and sent to the right port would in some cases, crash the router. it has been noted on this site that if this knowledge was harnessed it would theoretically be possible to change settings on the router, essentially hijack it to promote further pwnage.
http://www.grc.com/dns/crashtest.htm
>$Grey