Exploitation of this vuln to code execution is hard and not very stable, but possible. Here is the scenario, that I discovered:
1) Find some pointer to the win32k object (tagWND, for example) in session pool just behind the keyboard layout data.
2) Call the NtUserLoadKeybordLayoutEx() with properly value of offTabale argument, to overwrite this pointer by FIXUP_PTR() macro (see leaked Windows 2000 souces for details).
3) After the overwriting with FIXUP_PTR(), win32k object pointer, with some probability, would point to unallocated part of session pool.
4) Spray the session pool to fill-up the object structure (for example tagWND, as I say above) with your data.
5) Sending some message to window, that represents by early overwritten tagWND, will transfer code execution to atacker-controlled address.
6) ...
7) PROFFIT.
