Well, basically you should download my vlcboffs proof-of-concept and edit vlcbof.ssa, adding two things:
- the return address for jumping to the shellcode (for example the usual address of a JMP ESP)
- a shellcode, better if alphanumeric
So, the usual "technique".
If you need, I can also create an example and comment it a bit.