Abstract

Code reuse attacks such as return-oriented programming (ROP) are prevalent and powerful and are widely used to exploit memory corruption vulnerabilities in software programs. Recently, many defenses have been proposed to mitigate code reuse attacks, but some of them have already been successfully broken. In this paper, we perform a systematic assessment of recently proposed CFI solutions and other defenses against code reuse attacks in the context of object-oriented languages. We focus on C++ since this programming language is used by a large number of today's most attacked software projects (e.g., web browsers, document viewers, and other programming languages' runtime interpreters). We demonstrate that almost all CFI solutions and many other defenses that do not consider object-oriented C++ semantics can be bypassed in practice. Our novel attack technique, denoted as COOP (counterfeit object-oriented programming), induces malicious program behavior by only invoking chains of a program's existing virtual functions through legitimate call sites. COOP is Turing complete under realistic conditions and we demonstrate its viability by developing complex, real-world exploits for Internet Explorer 10 on Windows and Firefox 36 on Linux. We also show that even recently proposed defenses (Code-Pointer Separation, T-VIP, vfGuard, and VTint) that specifically target C++ are vulnerable to COOP. Our observation is that no strong defense against COOP exists today that does not require access to source code, and constructing such a defense seems to be challenging. We believe that our investigation and results are helpful contributions to the design and implementation of future defense systems against the severe threat of control-flow hijacking attacks that has persisted in the wild for more than two decades.

Slides