Exploiting new IE Object Type Overflow

[Dave <chaboyd77 () yahoo com>]

Hi,

I've had really good success with basic overflows and have been trying to
attempt something moderate+. I've successfully duplicated the overflow (IE 
Object Type) (ESP doesn't seem to be overwritten, but EDI is). However, 
since the value located in EDI is referenced then program flow can be 
controlled?? I just can't seem to do anything with EDX as stated in the 
EEYE Advisory..

"This allows us to take control of key registers so as to run code that we 
specify, which will be available at the EDX register.

On my system (2000 Pro SP3) EDX always has a value of 0 and nothing I do 
changes its value or any other registers value (besides EDI).  Also, this 
is different from a regular stack overflow as placing the address of a JMP 
ESP in EDI doesn't always seem to be gauranteed to point to my code.

Is there something really easy I'm missing here? 
Thanks,
Dave