From my understanding, a typical way to achieve an SEH buffer overflow (ignoring protections like DEP, SafeSEH, etc.) is to overwrite SEH with POP POP RET, which goes back to nSEH, which we control. nSEH will then be used to point to our located shellcode. Below is how the stack will look.

[BUFFER][nSEH to payload][SE handler for POP-POP-RET][Payload]

My question is, why can't you just overwrite SEH with some opcode to jump x amount of bytes straight to the shellcode?

Anderson
0 Answers