win32 heap overflow exploitation

[Adik <netninja () hotmail kg>]

Hi there folks,

I'm havin a problem exploiting an application vulnerable to heap overflow. i 
can write 4 bytes to any place in the memory.

mov dword ptr[eax], ecx
mov dword ptr[ecx+4], eax

I control ecx and eax. I tried overwriting unhandledexceptionfilter pointer 
(located at address 77ee044c) with a pointer to call [ebp-28] this is where a 
pointer to my shellcode is located. 

eax=77ee044c   <--- unhandledexceptionfilter pointer of my version of Windows
ecx=77f8ce83   <--- .text unwritable address points to -> call [ebp-28]

The second line mov dword ptr[ecx+4], eax suppouse to trigger access violation 
on write , because ecx is unwritable address thus invokin exception handler. 
Because exception handler address is overwritten with pointer to call [ebp-28], 
it should theoretically execute call [ebp-28] then my shellcode. But its not 
doin so. Maybe i'm doin somethin wrong. A little help on that would b great. 

What else can i overwrite with my 4 bytes except exception pointers? eEye 
mentioned overwriting PEB lockin pointers. Could anyone please clarify it? I 
couldn't find info on that. Any tips/tricks/methods/techniques/links/papers on 
exploiting windows based heap overflows would b greatly appreciated. thanx


Adik