Wednesday, 22 February 2012


SEH AND SafeSEH - EXPLOIT FILE SHARING WIZARD BUFFER OVERFLOW



First we identify our target: here it is File Sharing Wizard 1.5.
Then open the File Sharing Wizard application and click Start.
  
Here we find out where the application can be attacked; we use Wireshark to watch the data being sent and received.
Below we can see that at 200 we replace the value with a buffer, which gives us the following script:
tes = ('  %s HTTP/1.1\r\n' '\r\n') % (buffer)
In Python, %s is interpreted as a string placeholder (the buffer is substituted there).
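As an added example (not code from the original post), here is a small Python check of the kind a defender could run over requests captured during the sniffing step above, flagging request lines with the shape the fuzzer sends: an oversized request line, one dominated by a single repeated byte, or one that does not parse as METHOD SP target SP HTTP/x.y. The two sample requests, the 512-byte length threshold and the 90% repeated-byte ratio are constructed assumptions, not values from the page.

```python
import re

# Constructed sample captures (not from the page): a normal request and one that
# carries a 1500-byte buffer in the position the post's fuzzer uses.
NORMAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
FUZZ_REQUEST = ("  %s HTTP/1.1\r\n\r\n" % ("A" * 1500)).encode()

MAX_REQUEST_LINE = 512        # assumed threshold; tune to the service's real request lines
MAX_SINGLE_BYTE_RATIO = 0.9   # assumed: a legitimate request line is not 90% one byte
REQUEST_LINE_RE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/\d\.\d$")


def analyze_request_line(raw: bytes) -> dict:
    """Return a verdict for the first line of a captured HTTP request."""
    line, sep, _rest = raw.partition(b"\r\n")
    if not sep:
        line = raw  # no CRLF at all: treat the whole payload as the request line
    reasons = []

    # 1. Oversized request line (the post's fuzzer sends ~1500 bytes)
    if len(line) > MAX_REQUEST_LINE:
        reasons.append(f"request line is {len(line)} bytes (> {MAX_REQUEST_LINE})")

    # 2. Dominated by one repeated byte, e.g. 0x41 'A' padding
    if len(line) > 64:
        top = max(set(line), key=line.count)
        ratio = line.count(top) / len(line)
        if ratio > MAX_SINGLE_BYTE_RATIO:
            reasons.append(f"{ratio:.0%} of the request line is byte 0x{top:02x}")

    # 3. Does not look like METHOD SP target SP HTTP/x.y at all
    if REQUEST_LINE_RE.match(line) is None:
        reasons.append("request line is not METHOD SP target SP HTTP/x.y")

    return {"length": len(line), "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("fuzz", FUZZ_REQUEST)):
        print(name, analyze_request_line(req))
```

Each rule is independent, so the verdict still fires if an attacker avoids one of them (a shorter buffer, or a valid method token in front of the padding).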


Then make a fuzzer with a buffer of 1500 bytes ...
If you would like, it could be more.

And the script:
tes = ('  %s HTTP/1.1\r\n'
       '\r\n') % (buffer)
We derived this script from the results of our sniffing with Wireshark.
After you save the fuzzer above,
open the File Sharing Wizard application and click Start.

After that open OllyDbg, click File -> Attach, then select File Share and attach.
Then click Run, and run the fuzzer.

Then click View -> SEH chain; here you can see that the SEH chain has been overwritten with 41414141.
Now we pass the exception on to the SEH handler by pressing Shift+F9.


And you see EIP overwritten with 41414141.

Then you can make a 1500-byte pattern with the following command,
and copy the pattern into your fuzzer.

After that, close OllyDbg and the BigAnt applications, then go back the same way as above. Then open the SEH chain and press Shift+F9,
and you see EIP overwritten with part of the pattern.
From the value in EIP you can then calculate the offset, i.e. how much buffer is needed before the overwrite.


Then edit the fuzzer, replacing the buffer accordingly, and save it.

Close OllyDbg and the BigAnt applications, then go back the same way as above. After that open the SEH chain: here the buffer has landed in the SE handler.

Here we determine the module we will use: click View -> Executable modules.
We use only oledlg.dll.

To read the DllCharacteristics field of the oledlg.dll module, you can copy the oledlg.dll file from XP to your BackTrack system, and then run a command like the one below:
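The author's own command is not reproduced on the page. As an added illustration (not the author's code or command), the following Python script reads the same information directly from a PE32 file's headers: the IMAGE_DLLCHARACTERISTICS_NO_SEH flag in the optional header and the SEHandlerTable/SEHandlerCount fields of the 32-bit load config directory, which is what "SafeSEH" means on disk. A defender can run it over every DLL loaded by a process to list which modules do not register a handler table. The file layout constants are the documented PE32 offsets; the build_sample_pe helper constructs a synthetic minimal image so the script runs offline, and is an assumption rather than a real oledlg.dll.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400   # image declares it uses no SEH at all
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
LOAD_CONFIG32_SEH_TABLE_OFFSET = 64        # SEHandlerTable, then SEHandlerCount, in IMAGE_LOAD_CONFIG_DIRECTORY32
LOAD_CONFIG32_MIN_SIZE = 72                # size needed to reach SEHandlerCount


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table (None if unmapped)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    return None


def safeseh_status(image: bytes) -> dict:
    """Classify a PE32 image: NO_SEH flag set, SafeSEH table present, or neither."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0] # COFF SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:   # PE32 magic
        raise ValueError("only 32-bit PE32 images are handled here")
    dllchar = struct.unpack_from("<H", image, opt + 70)[0] # DllCharacteristics
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]   # NumberOfRvaAndSizes

    sections = []
    sec = opt + opt_size
    for i in range(nsec):   # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, sec + i * 40 + 8)
        sections.append((va, raw_size, raw_ptr))

    result = {"no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH),
              "safeseh": False, "handler_count": 0}
    if result["no_seh"] or ndirs <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        return result
    lc_rva, lc_size = struct.unpack_from(
        "<II", image, opt + 96 + IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG * 8)
    off = _rva_to_offset(lc_rva, sections) if lc_rva else None
    if off is not None and lc_size >= LOAD_CONFIG32_MIN_SIZE:
        table, count = struct.unpack_from("<II", image, off + LOAD_CONFIG32_SEH_TABLE_OFFSET)
        if table and count:
            result["safeseh"] = True
            result["handler_count"] = count
    return result


def verdict(image: bytes) -> str:
    s = safeseh_status(image)
    if s["no_seh"]:
        return "NO_SEH: the loader never honours handlers from this module"
    if s["safeseh"]:
        return f"SafeSEH: only {s['handler_count']} registered handler(s) are honoured"
    return "UNPROTECTED: no SafeSEH table, the module does not restrict handler addresses"


def build_sample_pe(dllchar=0, load_config=True, handler_count=0) -> bytes:
    """Constructed minimal PE32 image (one section) used as offline sample input."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    pe = 0x40
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 1)        # i386, one section
    struct.pack_into("<H", img, pe + 20, 0xE0)            # standard PE32 optional header size
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<H", img, opt + 70, dllchar)
    struct.pack_into("<I", img, opt + 92, 16)             # 16 data directories
    sec = opt + 0xE0
    img[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)  # RVA 0x1000 -> file 0x200
    if load_config:
        struct.pack_into("<II", img, opt + 96 + IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG * 8,
                         0x1000, LOAD_CONFIG32_MIN_SIZE)
        lc = 0x200
        struct.pack_into("<I", img, lc, LOAD_CONFIG32_MIN_SIZE)
        table_rva = 0x1100 if handler_count else 0
        struct.pack_into("<II", img, lc + LOAD_CONFIG32_SEH_TABLE_OFFSET, table_rva, handler_count)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python safeseh_check.py oledlg.dll
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], verdict(f.read()))
    else:
        print("sample with table:", verdict(build_sample_pe(handler_count=3)))
        print("sample without   :", verdict(build_sample_pe(load_config=False)))
```

Running it with a DLL path prints one verdict line; a module reported as UNPROTECTED is the kind of module this post goes looking for, so from the defender's side the fix is to rebuild or replace such modules with /SAFESEH-linked versions (or rely on DEP/ASLR and SEHOP, which do not depend on per-module tables).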
Then we find the location of a POP, POP, RETN sequence in the module: click View -> Executable modules, double-click oledlg.dll, then right-click -> Search for -> Sequence of commands.
Fill it in as below and click Find.
Edit the return address in the buffer, replacing \x41\x41\x41\x41 with the address in oledlg.dll's memory, 7DF725FF.

Close OllyDbg and the BigAnt applications, then go back the same way as above. After that open the SEH chain: here the new address has landed in the SE handler.
After that you can press Shift+F9, and the result looks like this ...
Here I've tried the modules one at a time, but the SEH address did not match the EIP address when you press
Shift+F9 .. if we continue, it is pointless.
