I would look through the Exploit DB, maintained by Offensive Security. Might also try some of the ones known to work for Wk2, see if they still work.

There are no publicly disclosed rce exploits for iis 7. However, if your just looking for a 2008 exploit, there are options.

You're better off going after the app on that webserver.

cd1zz, this is what I thought. Oh well. FYI these are in a highly specialized deployment and have no web applications and very limited HTTP methods.

Don't forget to think out a deeper solution. If you can get file upload on the server you can upload arbitrary binaries and ASP content to achieve this. Don't think of pen testing as, "I have one exposed service, is there a remote exploit?" Can you find SQLi and execute code that way?

Regards,
Jimbob

Perhaps you'd care to share and help us increase the community knowledge?

It had to do it by sending syn packets with scapy and backing off TTL until the firewall responded with an error packet containing its IP, finding out that the firewall was misconfigured and had its config interface in front of me, guessing the correct password, dumping its config, ssh tunneling through the firewall and proxy scanning the server, enumerating some users, discovering a user with pass as user, looking in the sysvol, finding a bat script with domain admin permissions and rdp. So still not just IIS or web app but just pure luck. I think that is vague enough to not give up any confidential data but informative enough to "share". :-) 

Np homie, sorry if I come off as quippy or arrogant I just do not have a lot of time for long posts. Nothing personal.