Go for VM escape!



After the spring festival, I am considering what to do besides my research work. Since it seems that VM escape has become a routine challenge in recent CTFs. A zero day is even used as a challenge in 34C3 CTF. I think it’s time to start a new journey on vm escape.


Inspired by the post by Hama [1], I plan to divide the process into three parts.
Part 1: Simplified challenge in CTF
(1) Christmas CTF 2017 ChildVM [5]
(2) Seccon CTF 2017 VM_NO_FUN [7]
(3) 34C3 CTF 2017 LFA [11]

Part 2: QEMU Escape
More background knowledges are required.
(1) QEMU Escape [2]
(2) HITB 2017 Baby QEMU [3]
(3) 0CTF 2017 Final QEMUESCAPE [4] (but the challenge files are missing)

Part 3: Vulnerability Analysis
(1) Replay CVE-2015-5165 and CVE-2015-5704 in [2]
(2) Play CVE-2018-2698 [12][13]


Virtualization is a huge topic.  And VM escape requires deep knowledge on the operating system. Besides the challenges or write-ups above, I may also write some blog demonstrating the background of virtualization technology. At present, I am not sure how far I can travel on this journey. Write this post to push me towards goal step by step.


[1] http://hama.hatenadiary.jp/entry/2017/12/01/000000
[2] QEMU Escape http://www.phrack.org/papers/vm-escape-qemu-case-study.html
[3] HITB 2017 Baby QEMU https://kitctf.de/writeups/hitb2017/babyqemu
[4] 0CTF 2017 Final QEMUESCAPE http://blog.eadom.net/writeups/qemu-escape-vm-escape-from-0ctf-2017-finals-writeup/
[5] Christmas CTF 2017 ChildVM http://hama.hatenadiary.jp/entry/2017/12/26/234306
[6] 34C3 CTF BabyVM https://github.com/niklasb/34c3ctf-sols/blob/master/babyvm/README.md
[7] SECCON CTF 2017 VM_NO_FUN https://github.com/SECCON/SECCON2017_online_CTF/tree/master/pwn/500_vm_no_fun
[8] https://nelhage.com/talks/kvm-defcon-2011.pdf
[9] https://www.coresecurity.com/system/files/publications/2016/05/corelabs-Breaking_Out_of_VirtualBox_through_3D_Acceleration-Francisco_Falcon.pdf
[10] HITCON 2017 CTF Real Ruby Escaping https://github.com/david942j/ctf-writeups/tree/master/hitcon-quals-2017/real-ruby-escaping/sandbox
[11] 34C3 CTF LFA http://gcli.cn/2017/12/31/LFA/
[12] CVE-2018-2698 https://blogs.securiteam.com/index.php/archives/3649
[13] CVE-2018-2698 https://www.exploit-db.com/exploits/43878/

2 thoughts on “Go for VM escape!

  1. Will you exploit Meltdown and Spectre vulnerabilities? In July 2018, two more bugs revealed: ret2spec and SpectreRSB. Meltdown is the third variant of Spectre.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.