yeah, I agree with James whole heartedly. I have not done as much as he concerning windows messaging other programs, but I have at least enabled disabled buttons for various purposes.
I've also conceived of a program which will make it easy to send any kind of message to any window. Just one of the many ideas that I haven't yet (or ever?) put into the works. The only thing new - as James said - is that they came up with the innovative idea to store shell code in a edit box for execution. Pretty damn smart.
Now for some new stuff. James, you said this was an application specific exploit. Well, I want to explore that little theory with ya. I was thinking to myself that it is NOT application specific. You don't need an edit control, or to even store the data in the window at all. All you have to do is execute the shellcode stored anywhere in memory from a window with system permissions.
Now, there are many system services running with the default install of Win2k. Sureldly at least one of them has a window - any kind of window that would handle a WM_TIMER message. With this knowledge, you can incorporate this technique into a program to gain system privilages on ANY Win2k system.