Local Privilege Escalation 2 (Windows)


This week I’m going to point you to an excellent Defcon 2010 talk given by Cesar Cerrudo from Argeniss, called Token Kidnapping’s Revenge.

Cesar gives a detailed explanation of how he used simple tools like Process Monitor and Process Explorer to find services that spawn multiple threads with impersonation permissions. He then used that information by enabling the service's debugging function and opening a named pipe back to the local host, ending up running as the System account. It's a very interesting talk if you have the time to listen to it in full.

The exploit code is hosted on Exploit-DB.

The vulnerability was patched by Microsoft in MS10-059.
