Confirmed on a fully patched Windows XP. It's a stack overflow in inetconn.dll, but it's most likely not exploitable because the DLL is compiled with /GS. There are no other interesting variables to overwrite between the buffer and the return address. Overwriting the arguments doesn't get us anywhere either. It would be exploitable on older systems not compiled with /GS, but the code where the vulnerability is was added in XP SP2. Alex