Developing exploit for a tricky vulnerability

["John Paterson" <john9434 () gmail com>]

Here is the scenario:
There is a buffer located on the heap beginning at address A. I can
overwrite any dword-aligned memory location between A and A+S, where S
is the size of exploit file divided by 2. This is the tricky part -
the value written must be in the range from 0 to FFFF. This is not a
typical heap overflow - in orther to overwrite location X I don't need
to overwrite all locations between A and X, I can overwrite just X.
Multiple locations can be overwritten with different values.
Target platform is Windows XP.
Any ideas how to exploit this?