Help developing an exploit

["Webster Orkin" <webster.orkin () gmail com>]

Hi List,

I discovered a buffer overflow in a networked application that my
company uses.  I plan to notify the company that writes the program,
but I'd like to develop sample exploit code before I do so they'll
take it more seriously.  I've never written exploit code, but I do
have experience with coding, network security, etc.  In the past
couple of weeks I've been looking at a lot of exploit code, reading up
on metasploit, and working with Windbg.  Basically, their program
listens on a TCP port for a connection that sends a username/password
in an XML message.  They don't bounds-check either username (overflows
after 45 chars) or password (overflows after 23 chars).  Playing with
larger inputs, I am able to get a payload sent, and can get values
into EAX, EDX, and EIP at various points.  The problem I've been
having is that my payload ends up at address 0x0012E6B4 and if I try
to get that address into EIP, my entire message is rejected for
containing an x00 character.  Here's what I've found about what I can
send:

(23 bytes)(4 bytes - loaded into EAX)(32 bytes)(4 bytes - loaded into
EDX->EIP)(up to 4500 bytes)

Clearly that last block would be a great place for a payload, but I
just can't seem to get EIP to what I want.  Here are the last three
lines of the program disassembly:
mov     edx,dword ptr [eax]
push    eax
call    dword ptr [edx+8]

That last line is where the debugger keeps stopping because since I
haven't been able to put in the address I want (0012...), I've been
using invalid memory addresses as space hoders (\xb4\xe6\x12\xcc).

I'm not sure if anyone can help, but it feels like I'm very close.  I
can also send along my current metasploit ruby file if that would
help.  If anyone has any suggestions, I'd greatly appreciate it.

Thanks,

-Webster