I'm attempting to exploit an already known bug in 3COM TFTPD server, and execute "calc.exe" with my shellcode. I have control of ECX/EIP, and can overwrite both SEH and pointer to next SEH successfully, and have used:

Pointer to next SEH: \xeb\x10\x90\x90

SEH: \x69\x12\xab\x71 (POP/POP/RET in ...

[ more ]