Well, if it's any consolation, MS has had a small track record of not fully patching exploit vectors. You could try backtracking a couple of patches that have gone out and see if you can think of a way to do around the same thing but just a little bit differently.

Another thing to think about: what is being served on the Apache server? Is it running PHP or ASP? You may be able to do something with that. I'd say start nitpicking it.

Can you resolve any of the services/users/shares or anything else that you can use to your advantage?