With heap metadata exploits going out of favor (hzon's fine work notwithstanding), I've recently gone after a number of vtable overwrites. This can be no fun at all to do by hand, so I've added some helpful code to byakugan to let you search for the pointers to pointers to pointers to code that you need. :)

So if you're in a situation where you get this:

mov ecx, [edx]        ; edx = [something you control]
push edx
call [ecx + 0x1c]

You know you've trashed a vtable pointer. If you also, say, have esi pointing to a buffer you control, then you need to get esi into esp, then return. To do this though, you'll need a pointer to a pointer that, when 0x1c is added to it, points to a pointer to (for example):

mov esp, esi
ret

This used to mean clever IDA scripts, searching over multiple DLLs, lots of time, PITA. To do this automagically in byakugan, you can now type:

!jutsu searchVtptr [offset in vtable] [opcodes]

So in this case:

!jutsu searchVtptr 0x1c mov esp, esi | ret

This works a lot like the searchOpcode jutsu. Instructions are delimited by the | character in your command. Currently, no wildcards are supported, but I plan to add that functionality. The main stumbling block to that, I think, is speed. It's not really a speed demon of a jutsu as it is (with three nested search loops), but I suppose it beats hunting by hand ;) So if you're lucky, and your process space contains the code and pointers you need, you'll get something like this back:

0x75cb4b36 -> 0x10450107 -> 0x100ffc08 -> sequence
0x6bb322a6 -> 0x1045891b -> 0x100ffc08 -> sequence
0x6f862d19 -> 0x1045891b -> 0x100ffc08 -> sequence
0x6b7e9459 -> 0x10458b3f -> 0x100ffc08 -> sequence
0x6b82884e -> 0x10458b3f -> 0x100ffc08 -> sequence


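As an added illustration of the three nested searches the jutsu performs (this is not byakugan's own code), here is a Python version run over a constructed 32-bit memory image; the opcode bytes 8B E6 C3 for mov esp, esi / ret, the region bases and every address in it are assumptions built for the example:

```python
import struct

# Constructed 32-bit little-endian memory image, {base_address: bytes}.
# Code region: two NOPs, then the assumed encoding of "mov esp, esi; ret"
# (8B E6 C3, an assumption for this example), so the sequence sits at 0x10000002.
CODE = 0x10000000
DATA = 0x20000000
data_words = [0] * 16
data_words[7] = 0x10000002    # [0x20000000 + 0x1c] -> the code sequence
data_words[12] = 0x20000000   # [0x20000030] -> the fake "vtable" at 0x20000000
REGIONS = {
    CODE: b"\x90\x90\x8b\xe6\xc3\x90",
    DATA: b"".join(struct.pack("<I", w) for w in data_words),
}

def find_sequences(regions, opcodes):
    """Loop 1: every address at which the opcode bytes appear."""
    hits = []
    for base, buf in regions.items():
        i = buf.find(opcodes)
        while i >= 0:
            hits.append(base + i)
            i = buf.find(opcodes, i + 1)
    return hits

def find_dwords(regions, value):
    """Every 4-byte-aligned dword whose value equals `value`."""
    needle = struct.pack("<I", value)
    return [base + off
            for base, buf in regions.items()
            for off in range(0, len(buf) - 3, 4)
            if buf[off:off + 4] == needle]

def search_vtptr(regions, offset, opcodes):
    """Return (A, V, code) triples with [A] == V and [V + offset] == code."""
    chains = []
    for code in find_sequences(regions, opcodes):
        for slot in find_dwords(regions, code):      # loop 2: slot == V + offset
            v = slot - offset
            for a in find_dwords(regions, v):        # loop 3: [A] == V
                chains.append((a, v, code))
    return chains

def format_chains(chains):
    """Print chains in the same A -> V -> code -> sequence form the jutsu uses."""
    return ["0x%08x -> 0x%08x -> 0x%08x -> sequence" % c for c in chains]

if __name__ == "__main__":
    for line in format_chains(search_vtptr(REGIONS, 0x1c, b"\x8b\xe6\xc3")):
        print(line)
```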
Once you have a working chain of pointers, you can put the return address to turn off DEP in your pointer at esi, one of your chain pointers in edx, and roll on along from there. Happy hunting!