This demo is a modified version of Michal Zalewski's "Firefox geolocation consent hijack demo". The DLL load hijacking part of the demo (thanks, TheLeader!) requires that you have uTorrent installed. You should be able to easily modify this demo to use any of the other vulnerable applications. HD Moore, thank you for Metasploit and the new audit toolkit!
Note that this demo is specific to Chrome on Windows and may not work as expected on other systems or in non-standard screen configurations (DPI, etc.), although these factors could be accounted for. All other browsers supporting the auto-download and one-click-execute "features" seem to be vulnerable. Oh, wait... There are no such other browsers!
If successful, this proof-of-concept will download the files "plugin_dll.dll" and "coupwn.torrent" to your Downloads directory and will execute the Windows calculator.