POC Heap based buffer overflow

I am developing a POC exploit for an exist buffer overflow.

In the buffer overflow, I can write up to 32000 bytes of memory (it allows my to write all noops - 0x90 - and I can embed payload anywhere in those bytes). It is overwritten in several places, however it is never consistently in the same place. I can get the payload to overwrite a value that is loaded into ecx and then ecx is executed. So I am able to change the direction of execution to any hard-coded address I want. However I can not consistently change it to my attack code because the payload is loaded to different places in memory each time.

The payload is not written directly to ESP or EBP so I can not simply call somewhere in the program where there is a "call esp" or "jmp esp". One of the areas overwritten does seem to be consistently written to ESP + 0x1D00 or EBP + 0x1D10 so I was hoping to find someplace in code where it executes:
add esp, 0x1D00
jmp esp

and other variations but have not had luck finding a useful match.

I could try brute forcing, but the overflow crashes the program so that is not very practical, particularly for demos.

Anyone have any ideas of how to use and address that can consistently find my attack code.

Regards,
Aaron Received on Fri Apr 11 18:53:02 2003