check http allowed options and see if you can HTTP PUT or use webdav to write to a directory.

you can do it but the keyboards on the tablets make things unfun to do anything serious.

here are a couple of links that may help

http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/

http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/

this thread from msf mailing list
http://mail.metasploit.com/pipermail/framework/2011-April/007630.html

boot disk to change local admin passwords

something like the elcomsoft system recovery disk

http://www.elcomsoft.com/esr.html

the technical guide will probably help too

http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

its more of the "how to do it" of the PTES

most of the security consultancies let you live anywhere and just fly when you need to go to customer's location. so having any airport reasonably close would be the only requirement.

you could check out fishnet, trustwave, rapid7, accuvant, etc

so every web app is different from a default content point of view, privilege escalation, XSS, sqli would be dependent on both the backend DB and the oracle application itself.

hope that makes sense. 

thanks Don!

questions or comments send them my way.

they are metasploit modules.  maybe if you are more specific about where you are stuck?!

I have,
this is a pretty good writeup on it

http://blog.securitywhole.com/2010/10/21/net-padding-oracle-attack-padbusterpl-and-the-microsoft-recommended-workarounds.aspx

i've reread this post a few times to try to find the question but i think you are asking other ways to get files on the server.

obviously the blog post is about exploiting webdav shares or writeable shares via normal windows networking.  you could also use some of those techniques if a site allows file uploads as well.  the same caveats would *usually* apply that you cant upload .exe or .asp(x) files in that case it the bypass method may still work for you.

hope that helps

you can check out my whitepaper from Blackhat to get you started

http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-PAPER.pdf

you may also need to check out the metasploit wiki to get the gem installed to use the oracle mixin

http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage

you need to be able to count to 16

perhaps the takeaway from that experience should have been to not be able to lock out a service account that causes that amount of loss per hour. instead create a rule in their SEIM to alert on failed logins for those accounts as that should NEVER happen.

my guess is that the return is bad or something like DEP is preventing code execution. try manually setting the target.