Wrapping up a pentest this week and got to do a little "user awareness training" with the current and unpatched ActiveX Control for Microsoft Access Snapshot Viewer exploit. Fsecure has a little writeup on it as well as securityfocus with POC code.
This one is nice because its a auto download exploit. You call the ActiveX control and it downloads the file you specify to the location you specify. This is a great exploit from a user training perspective because you can make the binary as benign or dangerous as you want. I of course shoved a reverse shell out over FBP (firewall bypass protocol aka TCP 443).
Delivery is simple enough, you create an email with a link (see my metagoofil post if you need help gathering those emails) and ask politely for users with elevated permissions on the network to click on it. You embed snapshot viewer code in that page, point the download location to somewhere fun like all users/startup, and tail -f /apache/access.log to see who browses the site, who enables the activeX control (your users do know better right? or you do have your default IE settings to high right?) and who downloads your binary. If all goes well, after lunch you'll have your shell :-)
POC code from secfocus: http://downloads.securityfocus.com/vulnerabilities/exploits/30114.html