Following the SEH overwrite, there’s very little space for shellcode before the end of the stack. Normally, a POP-POP-RETN set of instructions would be used to reach the Next SEH (NSEH), followed by a short jump forward into the shellcode. We’ll overcome this limited space restriction by developing an exploit to use as much space as possible for our final payload. At this point, we are done with the fuzzing process and we’ll move into developing an exploit for the vulnerability that we found.

This exploit would be a good candidate for an egg hunter, which is a small segment of shellcode that searches memory for the main payload; however, we’ll use a different tactic and overwrite SEH with the POP-POP-RETN instruction ...