Here’s a working exploit for an already disclosed bug - including SafeSEH Bypass - and for the actual version, which is still vulnerable. Sadly.
An important side - note! The bug has not been properly researched:
The Bugtraq - Posting states:
But all other .ini values are vulnerable too. A closer look at the disassembly clearly shows that they are. The vulnerable function is called on every single value of the .ini file: