Description
Exploiting a hypervisor is already a challenge; chaining it with a Windows kernel LPE to achieve full host compromise makes it even harder. At Pwn2Own Vancouver 2024, we broke free from VirtualBox and escalated our privileges on the Windows host, turning a controlled guest VM into full administrator access on the host.
The first part of our journey focuses on a VirtualBox escape: how we identified and exploited multiple vulnerabilities, bypassed mitigations, and executed arbitrary code on the host.
The second half covers our privilege escalation in the kernel of the Windows host, achieved by ingeniously exhausting the OS memory to force a specific allocation failure while keeping the whole system alive.
We conclude with an inside look at the Pwn2Own contest itself: our exploit setup, the hardware surprises, and how everything came together. If you’re into hypervisor exploitation, or just enjoy a good hacking war story, this talk is for you.