Interesting exploit and a nice writeup of the process.