Do any of the registers refer to a memory location containing a pointer to your buffer? If thats the case you can use a JMP PTR [Register] opcode, e.g. JMP PTR EBX if the contents of the memory location referred to by register EBX is a memory address pointing to your buffer.
Or does the stack contain a suitable return address, even a few entries down? You can then use an opcode with the appropriate number of POP instructions followed by RET, e.g. if the third entry down on the stack points to an appropriate address use POP, POP, RET. The POP instructions can use any register, the point is just to get at the memory address that you can use for the RET instruction.
Have you looked at a already existing exploit for this vulnerability to see how someone else has done it?