He's running a web server process w/ Metasploit, configured to serve/run the exploit module. Then he issues a GET request to the server w/ the affected browser and gets a session in Metasploit (framework). The screenshots are basically proof showing that the session (connection to compromised machine w/ high-level/root access) has been created.
Yeah fair point that this exploit gives privs @ the level of the browser's current user. In that parenthetical, I was basically trying to explain what "session" means in Metasploit parlance in general.
Ignoring that most users run their main windows login as administrator, if we pretend it's just a guest account, how much of an impediment would that to them disrupting any anti-virus and installing a some malware?
