WARNING about the exploit script: docs say it does not survive a reboot. But I just had it happen. Either the reboot was not fully successful (logging was WEIRD, but it did kick me off and not let me log on for a minute; perhaps the relevant su code page is used in reboot somehow?), or this is perhaps because it was an installation under vmware, which meant the vmware server cached all of this stuff for efficiency? Just guessing here. A full power reset in the vmware GUI did reset the exploit. But just running /usr/sbin/reboot DID NOT.
And to be clear, if you test this exploit, ANYONE ON THE SYSTEM can become root with no password after you have run the test, so surviving a reboot is REALLY NOT GOOD.
DO NOT TEST on any system with non-privileged users.