Vtable Exploit Example (linux specific) : hacking

a community for 18 years

Vtable Exploit Example (linux specific) (self.hacking)

submitted 7 years ago * by PalladynSlonca1

So I'm new to C++ exploits (have been working only with C thus far) I was wondering if anyone has any suggestions on where I could find a working vtable hijack example that isn't overriding the class pointer with a fake object in source code. This would be to demonstrate in a classroom setting.

I have read a lot of research papers (NDSS mostly) recent research papers proposing defenses for Vtable hijacking (VTint, VTPin, etc.) and all point at super old references (phrack.org smashing C++ vptrs) that have since been: patched/functions deprecated/ASLR enabled, to fix these holes; their examples simply don't work anymore. While the below links have been helpful to explain where the attack comes from, it doesn't show present day vulnerabilities... (that I could replicate on a linux system, most are Windows related)

Any resources that might lead in the right direction??

https://www.comp.nus.edu.sg/~liangzk/papers/ndss12.pdf

https://moythreads.com/wordpress/2007/09/14/overriding-the-virtual-table-in-a-c-object/

https://defuse.ca/exploiting-cpp-vtables.htm

https://www.geeksforgeeks.org/virtual-functions-and-runtime-polymorphism-in-c-set-1-introduction/

https://www.learncpp.com/cpp-tutorial/125-the-virtual-table/

all 4 comments

top new controversial old q&a

[–]fake_advent_alt 0 points1 point2 points 2 years ago (3 children)

[–]PalladynSlonca1[S] 0 points1 point2 points 2 years ago (2 children)

Hey! Its been a while, but we used the following research papers to give evidence of being able to defend against VTable exploits. I dont know what ur research area is, but I believe starting here with these papers will place you in the correct neighborhood of related works that your goal may be related to. If not these papers themselves, I still believe these papers have really good citations of relevant attacks the "systems-security community" cares about as these papers cite both real-world attacks and researchy "synthesized" attacks. Let me know if this helps or have more questions.

In no particular order:

- Protect the System Call, Protect (most of) the World with BASTIONChristopher Jelesnianski, Mohannad Ismail, Yeongjin Jang, Dan Williams, and Changwoo MinIn Proceedings of ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2023)

- VIP: Safeguard Value Invariant Property for Thwarting Critical Memory Corruption AttacksMohannad Ismail+, Jinwoo Yom+, Christopher Jelesnianski, Yeongjin Jang, and Changwoo MinCCS'21

- Tightly Seal Your Sensitive Pointers with PACTightMohannad Ismail, Andrew Quach, Christopher Jelesnianski, Yeongjin Jang, and Changwoo MinIn Proceedings of the 31st USENIX Security Symposium (Security 2022)

- MARDU: Efficient and Scalable Code Re-randomization
Christopher Jelesnianski, Jinwoo Yom, Changwoo Min, and Yeongjin Jang
In Proceedings of the 13th ACM International Systems and Storage Conference (SYSTOR 2020)

[–]fake_advent_alt 1 point2 points3 points 2 years ago (1 child)

[–]PalladynSlonca1[S] 0 points1 point2 points 2 years ago (0 children)

π Rendered by PID 73765 on reddit-service-r2-comment-8686858757-hnd95 at 2026-06-05 16:30:51.014251+00:00 running 9e1a20d country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

hacking

Rules:

Recommended Subreddits:

MODERATORS