Buffer overflow return address with null byte, workaround

Practising BO using Free Float FTP Server 1.0 on Windows 7 SP1, done simple jmp esp examples on Win XP where system DLL are without rebase or ASLR, trying to write one for Win7 where I haven’t got any system DLL with rebase or ASLR disabled, I can still exploit it but it won’t survive reboot, so I’m very much left with opcodes from the FTPServer.exe but the problem is that they all use a low stack addresses (0x0040xxxx) , so they all end with NULL byte (eg, \xce\x11\x40\x00 ) and hence terminate my exploit. My question is what are the options, if any to workaround the NULL byte in address I want to use, more specifically I want to know whenever there is an option to use NULL byte at the end of return address if it is listed as a bad character?