Windows Media Services (nskey.dll) on Windows 2000 Server, Advanced Server, and Datacenter Edition all suffer from a stack overflow vulnerability. Using an Active-X control that is safe for scripting/initialize, passing at least 9752 bytes to CallHTMLHelp will overwrite the EIP and remote code execution may be possible.
7dd68791afc2235b0b12444e2fd32dbc8395c768e03a777ceda41ac3bed58fe0