What is this “prepare” variable used for in this SEH based buffer overflow payload?


I am trying to understand how a SEH based buffer overflow is working and I have to write a paper about how an exploit works. I took this PoC for my paper.

junk = "\x41" * 4091  nseh = "\x61\x62" seh  = "\x57\x42"           # Overwrite Seh # 0x00420057 : {pivot 8}  prepare =  "\x44\x6e\x53\x6e\x58\x6e\x05" prepare += "\x14\x11\x6e\x2d\x13\x11\x6e\x50\x6d\xc3" prepare += "\x41" * 107; ... 

I don’t really understand how it’s jumping over the next SEH.

  • What is \x61\x62 used for in the nseh variable?
  • What is the prepare variable used for?
  • How is it jumping to the shellcode?

I already understand that the \x57\x42 is used as a pointer to target a pop pop ret to trigger a second error but I am stuck after that…