Re: Where the exploit is explained
True, neither Leo's site, nor his essentially identical posts to Bugtraq and Full Disclosure, actually explain the vulnerability.
As Fowler's follow-up (quoted in the article) implies, though, it's possible to reverse-engineer Leo's attack from the page source. It's convoluted, to put it mildly, but the meat of it is setting window.frames[0].document.body.innerHTML, in a script that's set as the location of top.frames[1].
There's also another script that mucks about with loading Cloudflare, and Ben Lincoln on Full Disclosure asks if this vulnerability only applies to (IE and) sites that use Cloudflare. I haven't looked into the matter myself.
Also on FD, Zaakiy Siddiqui notes that IE 9 does not seem to be vulnerable, but Spartan apparently is.