Controlling the Structured Exception Handler

If you restart the surgemail service, reattach the debugger to the process, and rerun the module, you should see the crash that fuzzing found in your debugger. If you’re using the Immunity Debugger, you should be able to see the contents of the SEH chain by selecting View ▸ SEH chain. Right-click the value, which should be 41414141, and select Follow address in stack to display the stack contents leading to the SEH overwrite in the lower-right pane, shown in Figure 14-2.

Figure 14-2. The overwritten SEH entry
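
What the SEH chain view is displaying, as an added example that is not code from the book: on 32-bit Windows each chain entry is an 8-byte record, a Next pointer followed by a Handler pointer, and the last record's Next is 0xFFFFFFFF. The script walks a constructed stack snapshot (the addresses and the intact handler value are made up) and flags the record whose fields hold 41414141, the kind of check a crash-triage script would run.

```python
import struct

END_OF_CHAIN = 0xFFFFFFFF  # Next value of the last record in a 32-bit SEH chain

def looks_like_input(value):
    """Heuristic: all four bytes of the pointer are printable ASCII (e.g. 0x41414141)."""
    return all(0x20 <= b <= 0x7E for b in struct.pack("<I", value))

def walk_seh_chain(stack, base, head, max_records=32):
    """Walk {Next, Handler} records; return (addr, next, handler, verdict) tuples."""
    records = []
    seen = set()
    addr = head
    while len(records) < max_records:
        off = addr - base
        if addr in seen or off < 0 or off + 8 > len(stack):
            break  # loop, or pointer leaves the captured stack region
        seen.add(addr)
        nxt, handler = struct.unpack_from("<II", stack, off)
        if looks_like_input(handler) or looks_like_input(nxt):
            verdict = "overwritten"
        elif nxt != END_OF_CHAIN and not (base <= nxt < base + len(stack)):
            verdict = "broken-link"
        else:
            verdict = "ok"
        records.append((addr, nxt, handler, verdict))
        if verdict != "ok" or nxt == END_OF_CHAIN:
            break  # stop at the first bad record or at the end of the chain
        addr = nxt
    return records

def build_sample():
    """Constructed 64-byte stack snapshot at 0x0012FF00 holding two records."""
    base = 0x0012FF00
    stack = bytearray(64)
    # Record 1 at base+0x10: intact, links to record 2 (handler address is made up).
    struct.pack_into("<II", stack, 0x10, base + 0x30, 0x7C839AC0)
    # Record 2 at base+0x30: both fields replaced by a run of 'A' bytes.
    struct.pack_into("<II", stack, 0x30, 0x41414141, 0x41414141)
    return bytes(stack), base, base + 0x10

if __name__ == "__main__":
    stack, base, head = build_sample()
    for addr, nxt, handler, verdict in walk_seh_chain(stack, base, head):
        print(f"{addr:08X}  next={nxt:08X}  handler={handler:08X}  {verdict}")
```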

Now that you know that you can control the SEH chain on the vulnerable surgemail process with an overly ...
