Hi. I've just recently gotten into SEH exploitation myself, so I'm no authority, but this is what I've found.
First, as far as stuff to read, check out class101's papers page and read at least the first one by Litchfield. That's where I started. However, the information in that one is a bit obsolete:
eEye Digital Security . Check out the Shellcoder's Handbook as well, I have found it to be an actual good book so far and not a howto for professional script kiddies.
To briefly address your question: from what you say, it sounds like you've gotten the basic picture of SEH exploitation. Maybe you already read Litchfield's paper. The problem is that ever since Code Red used that method of exploitation, Microsoft changed the way SEH works. They made it so that all registers are cleared before the exception handler is dispatched. Therefore you can't just find a CALL EBX anymore.
So you have to take a less direct approach. Said approach is described in the page to which I linked above, and probably in some of class101's papers (sorry, I didn't open them all to see what they were). It's still certainly possible, but more difficult.