We've now had the opportunity to do some testing on different hosts/configurations. The results differed from ours yet still provided exploitable conditions. The breaks this time were during calls to RtlAllocateHeap and RtlFreeHeap; with careful register manipulation it is STILL possible to execute custom code. More detailed info later. -dark spyrit.
