Firstly I would like to say that I did not find this vulnerability, I mearly coded a working exploit that allowed full pwnage and meterpreter shell to the targeted system. The way in which the exploit works is by telling the service that it requires an update and you supply the installation executable to run as SYSTEM would you believe.
Going forward I would like to port this to Metasploit but I don’t believe that at present Metasploit can set up a Samba server on the fly for exploits. As this exploit requires a samba server for the host to collect the payload from it doesn’t appear possible that is why I chose a simple Python script.
However, recently I have seen a Python SMB Server be created here: http://code.google.com/p/impacket/source/browse/trunk/impacket/smbserver.py?r=478
Going forward I would like to wrap this up with once script that sets the SMB server up with a nasty payload and then sends the exploit and viola we have r00t.
Anyway, thought i’d share this info. If you haven’t seen the script you can get it off exploit-db here: