My proof-of-concept source code is now online in HTML format as well. Start here:
I also converted the step-by-step guide in the readme into HTML:
Now you don't have to download the source zip or have Visual Studio to see how simple it all is.
How does this code get on the target client? Is that a fair question?
1.) If there is a already a vulnerable trusted app installed on the user's system and executing when somehow you exploit it in proc via, say, some memory attack, e.g., buffer overrun, which then executes this code in context.
2.) If the user chooses to run an unsigned exe containing this code from an untrusted source, say, from your website.
Please read Jon's post again. Then, read it again. http://blogs.msdn.com/e7/archive/2009/02/05/update-on-uac.aspx