Vulnerability Development mailing list archives

ms03-049 exploit xp sp0


From: "wirepair" <wirepair () roguemail net>
Date: Wed, 12 Nov 2003 13:03:03 -0800

lo all,
Well, I got XP SP0 to execute my code, but SP1 has a different stack layout. After the return address, the data only has about 4 or 8 bytes (I can't remember and I'm too lazy to check because I've been messing with this for the past 7 hours). Since I have 4/8 bytes to work with, I'm contemplating doing some sort of jmp / call and stuffing my shellcode in the beginning of the buffer instead of tacking it on to the end like my current exploit. Unfortunately my asm is still lacking and I am unsure about the best way of making it jmp/call the address (without nulls and without hard-set stack addresses). If you can offer any suggestions I would *greatly* appreciate it.
Anyway, here's my code: http://sh0dan.org/files/0349.cpp
or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only; SP1 will definitely crash.
Thanks,
-wire