René details a Perl script that uses a Perl proxy that he also provides. He creates an Oracle suer with nothing but CREATE SESSION and then proceeds to grab the packets as they are sent to the database as part of an authorisation. He finds the string ALTER SESSION SET NLS_... and then works out its position in the packet and also the string end identifier. René then presents another perl script that also uses his proxy but this time the Perl script intercepts the packet and replaces the ALTER SESSION SET NLS... with the code to create a new user. He then starts his proxy and injects the code and connects to SQL*plus as his simple user. The trick is then repeated to grant DBA to this user. A final check in the data dictionary confirms that it has worked.
This is quite a complex exploit to demonstrate how this could work. It can be done much more simply.
As René points out in his article, patch immediately!!