Internet Explorer has standart ImageBase address and PE Win32 header is started at 0x00400000 in memory. So memory cell at the address
0x00400008 contains the short value 0x0004 and at the address
0x00400011 it contains the long value 0x00000000 in any case.
I used these addresses for generating of TIFF-file that uses vulnerability and for controling of EIP.

This exploit tested on:
- Windows 2000 SP4 + IE5.01
- Windows 2000 SP4 + IE5.5
- Windows 2000 SP4 + IE6.0 SP1
_http://www.milw0rm.com/exploits/4616 2007-11-11