is there a method to inject a dynamic suitable return address?
Yes but it hardly depends on the application, you will seek a leaked pointer allowing you to compute usable addresses like the module base address. How do ASLR and DEP work?
You can also - assuming no ASLR - identify the maximum ammount of data you can send to the remote server and setup a nop sled as big as possible, then try jumping into it. This will slightly increase your success chances.
Is there a possibility to brute-force the addresses?
There is alwyays a possibility, yet you probably don't want to rely on it's probability - especially if it is a 64 bits application. Still this paper might interest you : Protecting Against Address Space Layout Randomization ...
Have fun and good luck!