Find Instructions & Gadgets

You can use mona or a WinDbg script (or ropper/ROPgadget if you want to search outside WinDbg). The following WinDbg script enumerates `pop r32; pop r32; ret` sequences, the gadget shape used for SEH overwrites, by brute-forcing every pair of single-byte pop opcodes (`0x58`..`0x5F`) followed by `ret` (`0xC3`):

```
$$ Search for pop r32 / pop r32 / ret byte sequences.
$$ 0x58..0x5F are the one-byte "pop r32" opcodes (eax, ecx, edx, ebx, esp, ebp, esi, edi);
$$ the original bound "< 0x5F" silently skipped pop edi, so "<=" is used here.
$$ Replace startAddr / endAddr with the module range you want to scan (e.g. from lm).
.block
{
    .for (r $t0 = 0x58; $t0 <= 0x5F; r $t0 = $t0 + 0x01)
    {
        .for (r $t1 = 0x58; $t1 <= 0x5F; r $t1 = $t1 + 0x01)
        {
            $$ s-[1]b : byte search, -[1] prints only the matching addresses
            s-[1]b startAddr endAddr $t0 $t1 c3
        }
    }
}
```

Save it to a file and run it with `$><path` (the `$><` form condenses the multi-line `.block`/`.for` body into a single command before executing it, which is required for braces that span lines).
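The same search done offline, as an added example that is not part of the original page: a small Python scanner that applies the identical pop/pop/ret byte pattern to a raw byte buffer and reports addresses the way `s -[1]b` does. The module base and the sample buffer are constructed for illustration, not taken from any real binary.

```python
# Added example: the pop r32 / pop r32 / ret byte search from the WinDbg loop,
# reimplemented over an in-memory byte buffer (not code from the original page).
from typing import List, Tuple

# x86 single-byte "pop r32" opcodes: 0x58 (pop eax) .. 0x5F (pop edi)
POP_OPCODES = range(0x58, 0x60)
RET = 0xC3
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_pop_pop_ret(data: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, disassembly) for every pop r32; pop r32; ret sequence.

    Mirrors the nested .for loops in the WinDbg script: every pair of pop
    opcodes followed by 0xC3, reported at base + offset (like s -[1]b).
    """
    hits = []
    for i in range(len(data) - 2):
        a, b, c = data[i], data[i + 1], data[i + 2]
        if a in POP_OPCODES and b in POP_OPCODES and c == RET:
            text = f"pop {REG_NAMES[a - 0x58]}; pop {REG_NAMES[b - 0x58]}; ret"
            hits.append((base + i, text))
    return hits


# Constructed sample buffer (not a real module): NOP padding, two matching
# sequences, and a decoy where the byte after the two pops is not ret.
SAMPLE = bytes([0x90, 0x90, 0x58, 0x5B, 0xC3, 0x90,
                0x5F, 0x5E, 0xC3, 0x58, 0x58, 0x90])

if __name__ == "__main__":
    # Constructed base address, standing in for the module's load address.
    for addr, disasm in find_pop_pop_ret(SAMPLE, base=0x10001000):
        print(f"{addr:#010x}  {disasm}")
```

Reading a module's `.text` section into `data` and passing its load address as `base` gives the same address list the WinDbg loop prints, which is handy for cross-checking a mona or ropper result.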
