This can be remotely exploited by sending a DHCP boot request packet with the DHCP_HOST option set. Version RC5 to RC8 doesn\'t support ddns-update-style ad-hoc, so you have to trigger the vulnerable function on another way. This exploit is only tested against 3.0.1rc4 and prior, however, the offsets might work on RC5 and higher.