corCTF 2024 - Trojan Turtles: A KVM Escape Exploit from the L2 Guest to the L1 Hypervisor
ID: 7c2b325c-f7ce-5008-8e1c-f7ea30ab4b36
STIX ID: report--7c2b325c-f7ce-5008-8e1c-f7ea30ab4b36
Feed Name: Will's Root
This write-up describes a corCTF 2024 hypervisor escape challenge where a backdoored KVM driver introduces a magic-value trigger that allows an L2 guest to perform arbitrary out-of-bounds reads and writes of the L1 hypervisor's vmcs12 structure via debug registers and emulated vmread/vmwrite handlers. The author explains how they build primitives (vmxon/vmptrld/vmread/vmwrite), locate kernel structures (modprobe_path, physmap, kvm_vcpu/kvm), gain arbitrary kernel read/write, create a 1GB RWX mapping for physical page 0, and overwrite a kvm work function pointer to invoke call_usermodehelper and spawn a reverse shell; the post includes full exploit source code and implementation details.