OK, so I admittedly don't have the time to fully analyze this, but it looks like the bug is in the code that processes client certificates. The default setting in IIS is to ignore client certificates, so does that mean that by default you can't trigger this exploit against an out-of-the-box IIS setup?