Journey to Freedom: Escaping from VirtualBox

Corentin Bayet, Bruno Pujos

OffensiveCon 2025 · Day 2 · Main

Corentin Bayet and Bruno Pujos of Reverse Tactics present the VirtualBox guest-to-host escape they executed at Pwn2Own Vancouver 2024, earning $90,000. The exploit chains an uninitialized memory read in the `PGMPhysRead` function (a variant of a 2023 Synacktiv bug) to leak stack and heap pointers and defeat ASLR, then uses a stack buffer overflow in the virtio network card's VirtQueue descriptor parsing to gain code execution in the VirtualBox host process via CFG-aware ROP.

AI review

A clean, honest account of a Pwn2Own $90K VirtualBox escape: variant bug discovery by pattern-matching against prior research, an uninitialized stack read through a BusLogic MMIO handler that fails to initialize its data to defeat ASLR, a Virtio VirtQueue stack overflow to gain code execution, and CFG-valid gadget selection to bypass Control Flow Guard. No novel primitives invented here — but the methodology is disciplined, the chain is complete and 100% stable, and the CFG-valid ROP approach deserves attention.
