Changing a program memory to jump to shellcode

[compaq]

Hi
I've been trying to change a programs memory to jump to some shellcode, i've got the shellcode in there and have changed some data in the TIB region but the program keeps crash as other code uses that place in memory. I won't beable to overwrite esp,ebp.
I was wondering if anyone know a place with RW access that only gets called by one function,doesn't crash or a better idea how to get eip.

Thanks

[daedalus1776]

use "jmp esp" from user32.dll or another process that is likely to be running, to overwrite eip. Backtrack has a tool called pattern_create you can use to generate a unique string. Use that string to cause a buffer overflow and then pattern_offset to find out the location of the bytes used to overwrite eip. Hope that helps...

[compaq]

Thanks daedalus1776, but I can't use the bufferoverflow ways. The program uses virtualalloc to make a thread in iexplore.exe and copys some shellcode that calls loadlibary to run a dll.
The problem is when its debugged in iexplore it runs ok and loads the dll most times(sometimes goes to different code and crash), but when its not attached it crashs allways.
When the iexplores running, I can't find a place on the stack to overwrite to get control?