This paper describes the process of identifying and exploiting 802.11 wireless device driver vulnerabilities on Windows. This process is described in terms of two steps: pre-exploitation and exploitation.

http://www.uninformed.org/?v=6&a=2&t=sumry