Last updated at Tue, 21 Dec 2021 19:16:34 GMT

With heap metadata exploits going out of favor (hzon's fine work not withstanding), I've recently gone after a number of vtable overwrites.  This can be no fun at all to do by hand, so I've added some helpful code to byakugan to let you search for the pointers to pointers to pointers to code that you need. :)

So if you're in a sitation where you get this:

mov ecx, [edx] : edx = [something you control]
push edx
call [ecx + 0x1c]

You know you've trashed a vtable pointer. If you also say have esi pointing to a buffer you control, then you need to get esi into esp, then return.  To do this though, you'll need a pointer to a pointer that when 0x1c is added to it points to a pointer to (for example)

mov esp, esi

To do this automagically in byakugan, you may now type

!jutsu searchVtptr [offset in vtable] [opcodes]

So in this case:

!jutsu searchVtptr 0x1c mov esp, esi | ret

Then you can put the return address to turn off dep in your pointer at esi, and roll on along from there. Happy hunting!