Archives of POC2014


 Bo Qu, Royce Lu, @ga1ois, "Advanced Defense for Internet Explorer"


 Byoungyoung Lee, "Identifying Memory Corruption Bugs with Compiler Instrumentations"


 Florian Grunow, "How to Own your Heart - Hacking Medical Devices"


 GilGil, "mVoIP Hacking"


 hotwing, "Hunting Zero Days in Crash Dumps"


 John C. Matherly, "Behind the Scenes of Shodan"


 Karsten Nohl, "BadUSB — On accessories that turn evil"


 K-dupe, Hyunuk, Kibom, "Physical Memory File Extraction Based on File Object Analysis"


 Matt, AbdulAziz, Jasiel, "Dropping the MIC (Medium Integrity Calculator): Pwning Internet Explorer for fun"


 Maxim Goncharov, "Be first to know about data breach of popular web sites"


 MJ0011, "Windows 10 Control Flow Guard Internals"


 passket & Team SNE, "Only True Love Can Thaw Frozen SCADA Systems"


 Tombkeeper, "JavaScript VM breakout based exploiting"


 Wei Yan, "Auto Mobile Malware, Attack Scenarios, and How to Defend"


Events of POC2014

Power of XX by SISS & HackerSchool

Who can show the power of XX this year? 'Power of XX' is the only hacking contest for women. The winner(s) of this year's Power of XX will get a chance to participate in the PHDays2015 CTF final round in Moscow, Russia; air tickets and hotel accommodation for 4-5 members will be offered by PHDays. We hope you can take the chance.
    - Qualification Round: Oct 11, Sat 10:00 - 18:00 (KST) / Online
    - Final Round: Nov 6, Thu 10:00 - 18:00 (KST) / The-K Seoul Hotel POC Event Hall, South Korea
    - E-mail:
    - Website:

KIDS CTF by SISS & HackerSchool

'KIDS CTF' is a hacking contest for kids: elementary and middle school students in Korea. The event encourages young boys and girls to study information security and to develop an ethical attitude toward it.
    - When: Oct 11, Sat 10:00 - 18:00 (KST) / Space POC, South Korea
    - E-mail:
    - Website:

Hack The Packet by Hack the Packet

'Hack The Packet' is a game about digging through packets. The faster you get the keys (answers), the better. There are various challenges covering security, programming, IT knowledge and so on. Points are awarded according to the level of difficulty, with different bonus points for the first three solvers of each challenge.
    - Twitter: @hack_the_packet
    - Facebook:
    - E-mail:
    - Website:

Crossword Side Script by Kroot

Not Cross-Site Scripting, Crossword Side Script! Crossword puzzles built from security terms will be given for a limited time, and you have to solve them quickly. Meet us at the POC Event Hall.

Annoying Keyboard, What does the Morse say?, Control 32bit by SecurityFirst

'Annoying Keyboard': If you can type fast, take the 'Annoying Keyboard' challenge! You just type on a keyboard with rearranged keys. But it may not be easy :p Caution! Please do not destroy the keyboard.
'What does the Morse say?': Beep-beep. Do you know Morse code? Morse code is a method of transmitting text. But 'our' Morse code has been changed a little with a substitution cipher :-) Listen carefully, interpret it quickly, and you can get close to the prize!
'Control 32bit': Can you control your operating system? How many people know the operating system's control options? You have to change Windows settings in a limited time, as fast as you can!

Tour de Linux by Layer7

There are many keys hidden in Linux and you have to find them with commands we make. You can use various methods to get a key, such as exploiting a special binary or restoring a deleted file via its inode. This challenge needs general to deep pwnable knowledge as well as Linux knowledge and skills.

The Maze Runner by ICEWALL

Can you escape from the maze we made? Collect opcodes from 0x00 to 0xff in a 256*256 maze, and execute the shellcode to get your freedom!

Leap Service by M0nst3rZ

Explore Earth with Leap Motion! Can you find a specific city in Google Earth? Come and enjoy it with us!

# Hacker's Talks
    - when: November 7 (2nd day of POC2014)
    - where: event room of POC2014 (same place as 'Power of XX')
    - Topics / Time Table
    * Lee Byoung Young, "My life and Research as a Hacker in Georgia Tech & Google" (14:00 ~ 15:00)
    * Neotra, "Practical Cyber Incident Analysis as an Agent"(15:30 ~ 16:30)

    - Only 20~30 seats are available

Bo Qu, Royce Lu, @ga1ois, "Advanced Defense for Internet Explorer"

Bo Qu is a Principal Engineer at Palo Alto Networks. His skills include vulnerability research and exploitation, bug hunting, reverse engineering, binary diffing, exploitability research and analysis, and vulnerability reproduction and coverage. He also does research on iOS, Android and other mobile OS security.

ChienHua (Royce) Lu is a Security Researcher at Palo Alto Networks. He is interested in anti-malware technology, reverse engineering, kernel programming, virtualization, and exploit detection.

@ga1ois works as a security researcher at Palo Alto Networks, focusing on browser and Flash security. He has also spoken at CanSecWest.

[Abstract] Microsoft has introduced some brand new defensive mechanisms in recent patches regarding the heap and its protection. This protection raised the bar for exploitation of Internet Explorer; however, there are still ways to get full control of EIP for certain kinds of vulnerabilities. In this talk, we will discuss some enhancements in JavaScript and Flash. Besides, we will introduce a novel idea for heap protection based on our understanding and experience in exploitation, and we will show how this new mechanism stops almost all known exploits without affecting performance or user experience.

Andrei Costin, "Ghost is in the Air Traffic Attack"

Born and raised in Moldova, Andrei is a Computer Science graduate of the Polytechnic University of Bucharest, where he did his thesis work in biometrics and image processing. After starting his IT career in the computer games industry, he worked in the telecom field and was a senior developer at a specialized firm programming various GSM/UMTS/GPS subsystems. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the MiFare Classic RFID card family, and is known as the "printer guy" for his "Hacking MFPs" and "Hacking PostScript" series of hacks and talks at various international conferences. He is passionate about security in a holistic fashion. Currently he is a PhD candidate at EURECOM in the field of "Security of embedded devices".
In this talk and whitepaper, he approaches ADS-B (in)security from a practical angle, presenting the feasibility and techniques of how potential attackers could play with generated/injected air traffic, potentially opening new attack surfaces onto Air Traffic Control systems.

Byoungyoung Lee, "Identifying Memory Corruption Bugs with Compiler Instrumentations"

Byoungyoung Lee is a PhD student at Georgia Tech. He has interests in both practical and academic software security research. He is one of the contributors to the DarunGrim project, a popular binary diffing tool. Alongside this project, he runs the ExploitShop blog, which uncovers many different Microsoft-patched vulnerabilities. He has spoken at Black Hat and Infosec Southwest, has actively participated in wargames and has advanced to the DEF CON CTF finals several times. He also loves to write fuzzers targeting various software products for bug bounties.

[Abstract] From stack overflows to use-after-free, memory corruption bugs have been one of the most popular attack vectors for subverting a software system. In this talk, we introduce various instrumentation techniques to effectively identify memory corruption bugs with the help of compilers. For each type of vulnerability, we will describe how each technique can or cannot identify it, and present our recent research results on how to find new vulnerability types.

Florian Grunow, "How to Own your Heart - Hacking Medical Devices"

Florian Grunow holds a Bachelor's degree in Medical Computer Sciences and a Master's degree in Software Engineering. He used to work in hospitals and got an inside view of how the daily work of healthcare professionals dealing with IT looks. He now works as a Senior Security Analyst at ERNW in Heidelberg, Germany, with a focus on application security.

[Abstract] In the last few years we have seen an increase in high-tech medical devices with all flavors of communication capabilities. The need of hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols essential. This results in increasing complexity of these devices, which also increases their attack surface. Vendors of medical devices put a lot of effort into safety. This is especially true for devices with feedback to the patient, e.g. medical pumps, diagnostic systems and anesthesia machines. However, it is often forgotten that the security of these devices is a crucial part of providing safety. An attacker who is able to gain unauthorized access to these devices may be able to endanger the health of patients.

We decided to take a look at a few devices that are deployed in many major hospitals and probably in hospitals around the world. We focus on the security of these devices and the impact on the patient’s safety. The results will be presented in this talk.

GilGil, "mVoIP Hacking"

GilGil is a freelance programmer and hacker.

[Abstract] Most Korean ISPs block mVoIP traffic to protect their revenue from voice services such as the PSTN. He shows how to bypass mVoIP blocking by modifying VoIP packets.

hotwing, "Hunting Zero Days in Crash Dumps"

hotwing, a brother of skywing, has been working at Microsoft as a security researcher/developer for almost 9 years now. Nobody knows exactly what he's working on, but legend says he has been involved in various lucrative projects such as zero-day attacks and an underground market where he made a fortune. His brother denies the rumor, but their 5 Swiss bank accounts seem to indicate otherwise.

[Abstract] Finding zero days exploited in the wild is an interesting business. Given that not all zero-day attacks succeed and many end up in crash dumps, studying crash dumps for zero days is profitable. This talk covers some of the interesting characteristics of crash dumps in terms of zero-day hunting and introduces hunting techniques to identify real attacks among millions of crash dumps.

John C. Matherly, "Behind the Scenes of Shodan"

John Matherly is an Internet cartographer, speaker and founder of Shodan, the world's first search engine for the Internet of Things. Born and raised in Switzerland, he attended the Freies Gymnasium in Zurich, where he majored in business and law, until he moved to San Diego, USA at the age of 17.

There he worked at the San Diego Supercomputer Center to help manage the world's foremost protein data bank. At the same time, he was also attending the University of California San Diego's bioinformatics program, which would kindle the fascination with large data and efficient algorithms. His final project included analyzing the human genome for exon code regions and mapping them to proteins while accounting for alternative splicing. After graduating, he worked as a freelance software engineer at a variety of companies including bioinformatics work.

In 2009, his project, the Shodan search engine, was unveiled on Twitter, and within hours the website received a lot of attention due to the unexpected discoveries that people made. Printers, webcams, power plants and more, many of them unprotected or minimally protected, were found over time, and the revelations have changed the way security and privacy on the Internet are perceived. Shodan is already seeing TVs, cell phones, traffic lights, industrial controls, infrastructure plants and various home appliances pop up in the search results, and more of these "Internet of Things" devices are added each day as the world becomes more connected. The age of big data and the connected lifestyle could mean little privacy for the unaware technology consumer. Shodan is revealing the infrastructure of all the devices connected to the Internet in a way never before seen or available. In recent years he has been featured in the news on CNN Money, Bloomberg, Washington Post, Forbes and many others.

[Abstract] Learn about the technical details of crawling the Internet every day and making the information accessible to the community. John will discuss the latest developments for Shodan in terms of cutting-edge research and how to make the information accessible to a large audience.

Karsten Nohl, "BadUSB — On accessories that turn evil"

Karsten is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them.

[Abstract] This talk introduces a new form of malware that operates from controller chips inside USB devices. Peripherals can be reprogrammed in order to take control of a computer, exfiltrate data, or spy on the user. We demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses. In addition to the BlackHat material, he will add at least one new tech demo for POC and discuss the vendor/market response to the research.

K-dupe, Hyunuk, Kibom, "Physical Memory File Extraction Based on File Object Analysis"

K-dupe is a Ph.D. student at Chonnam National University. He is interested in computer memory forensics and the exploitation of software vulnerabilities.

Hyunuk Hwang, Ph.D., is a Senior Member of Engineering Staff at The Attached Institute of ETRI, Korea. He has long been a member of the Null@Root hacker group. He likes to analyze new malware by observing its activity, and his main job is related to digital forensics (especially computer filesystems).

Kibom Kim is a Principal Member of Engineering Staff at The Attached Institute of ETRI, Korea. He is an Advisory Committee Member for Digital Investigation of the SPO. He received a doctoral degree in computer science from Korea University in 2001. For over 10 years his work has been related to digital forensics, computer security, network security and incident response.

[Abstract] In this talk, we will show a method of extracting executable and ordinary files from physical memory by analyzing the information in Windows kernel file objects. We will also show how to analyze the characteristics of the physical memory that contains file data. Previous studies of executable file extraction from physical memory, especially those targeting running executables, found it very hard to extract from memory a file identical to the original saved on the hard disk. We will present a new method that extracts files from memory that are identical to the files on the HDD.

Matt, AbdulAziz, Jasiel, "Dropping the MIC (Medium Integrity Calculator): Pwning Internet Explorer for fun"

Matt Molinyawe is a vulnerability analyst and exploit developer for HP’s Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, he worked at L-3 Communications, USAA, and General Dynamics – Advanced Information Systems. Matt has a BS in Computer Science from the University of Texas at Austin.

AbdulAziz Hariri is a vulnerability analyst and exploit developer for the HP Zero Day Initiative. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to joining the ZDI, he was a member of the Morgan Stanley CERT team doing incident response and malware analysis. Abdul holds a BS in Computer Science from the University of Balamand.

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.

[Abstract] In March 2014, Pwn4Fun was introduced as part of the annual Pwn2Own contest at CanSecWest. It provided the opportunity for sponsors to participate in the contest. All Pwn4Fun prize winnings were donated to charity.

HP's Zero Day Initiative (ZDI) successfully targeted Microsoft's Internet Explorer (IE) with a full exploit that bypassed the IE sandbox. The exploit was composed of three components. The first component dealt with the exploitation of a use-after-free found in IE, bypassing ASLR and DEP. The second dealt with the continuation and cleanup of this exploit. The third and final component dealt with bypassing the sandbox. In this presentation, we will cover each of these components in depth.

We will demonstrate this Pwn4Fun exploit. We will also briefly talk about the newest mitigations introduced by Microsoft.

Maxim Goncharov, "Be first to know about data breach of popular web sites"

Maxim Goncharov is a senior security virus analyst at Trend Micro, responsible for security consulting to business partners (internal and external), creation of security frameworks, design of technical security architecture, oversight of the build-out of an enterprise incident response process, and creation of the enterprise risk management program. He has also spoken at various conferences and training seminars on cybercrime and related issues (cyberterrorism, cybersecurity, the underground economy, etc.), including BlackHat, DeepSec, VB and APWG.

[Abstract] If you take a look at your mailbox, especially the spam folder, you will see a bunch of emails... You ask yourself how all these spammers know your email address. More interesting: you register a brand new email address not connected to your real name, and after some time spam reaches it and you feel like somebody is cheating you... Why this happens, where your data leaks, how the data is monetised, and a small proof-of-concept tool to detect such activity will be presented in this POC talk.

The talk consists of three parts:

- Overall summary of data leak cases and what type of data leaks during the compromise of popular web resources, with examples.
  * Password / access credential leaks. Leaks during account registration on well-known web resources. Leaks from private machines. Leaks as unofficial data resale.
  * The underground market for leaked data and how the data is possibly used / monetised.
  * Prominent use cases (to be selected right before the conference and synced with the POC committee).

- The technology of one-time emails to catch data leaks from the most popular resources.
  * Two ways an email address leaks.
  * One-time token emails to detect exactly where information about the email goes.
  * Possible use of one-time token emails by corporations/individuals to trace on a daily basis whether a data leak has happened.
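As an added example (not Maxim's proof-of-concept tool), the one-time token address scheme outlined above can be sketched in Python: each site gets its own tagged address, the tag is an HMAC over the service name so a spammer cannot forge a tag for a site it never received an address from, and a daily pass over the recipient addresses in the spam folder attributes each unsolicited mail to the site that leaked it. The mailbox name, domain, key and sample headers are constructed for the example; plus-addressing (user+tag@domain delivered to user@domain) is assumed to be supported by the mail provider.

```python
import hashlib
import hmac
import re
from collections import Counter
from typing import Optional

# Assumptions for this example (not from the talk): the base mailbox, its
# domain, and the key that makes per-service tags unforgeable.
SECRET = b"replace-with-a-random-key"
DOMAIN = "example.org"
MAILBOX = "me"


def token_for(service: str) -> str:
    """12 hex chars of HMAC-SHA256(key, service): a tag only we can produce,
    so a leaker cannot relabel our address as belonging to another site."""
    mac = hmac.new(SECRET, service.lower().encode(), hashlib.sha256).hexdigest()
    return mac[:12]


def address_for(service: str) -> str:
    """The one-time address handed to a site at registration.
    Service names are restricted to [a-z0-9-] so they parse back unambiguously."""
    s = service.lower()
    return f"{MAILBOX}+{s}.{token_for(s)}@{DOMAIN}"


# Recipient address grammar: mailbox+service.tag@domain (case-insensitive).
ADDR_RE = re.compile(
    rf"^{re.escape(MAILBOX)}\+([a-z0-9-]+)\.([0-9a-f]{{12}})@{re.escape(DOMAIN)}$",
    re.IGNORECASE,
)


def attribute_leak(rcpt: str) -> Optional[str]:
    """Return the service that leaked this recipient address, or None if the
    address is untagged or carries a tag we never issued."""
    m = ADDR_RE.match(rcpt.strip())
    if not m:
        return None                                   # plain address: unattributable
    service, tag = m.group(1).lower(), m.group(2).lower()
    if not hmac.compare_digest(tag, token_for(service)):
        return None                                   # forged or mistyped tag
    return service


def leak_report(spam_recipients) -> dict:
    """Daily check: count unsolicited mails per leaking service, given the
    'To:' addresses found in the spam folder."""
    counts: Counter = Counter()
    for rcpt in spam_recipients:
        svc = attribute_leak(rcpt)
        if svc is not None:
            counts[svc] += 1
    return dict(counts)


# Constructed sample 'To:' headers from a spam folder.
SAMPLE_SPAM_TO = [
    address_for("shopsite"),
    address_for("shopsite").upper(),            # header case varies; still matched
    address_for("forum"),
    "me@example.org",                           # untagged: cannot be attributed
    "me+forum.000000000000@example.org",        # forged tag: ignored
]

if __name__ == "__main__":
    print(leak_report(SAMPLE_SPAM_TO))           # {'shopsite': 2, 'forum': 1}
```

The HMAC is what distinguishes this from plain plus-addressing: with a bare `me+shopsite@` tag, a spammer who bought the list could trivially rewrite the tag and frame a different site, whereas a keyed tag only attributes a leak when the address is one that was actually issued.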

passket & Team SNE, "Only True Love Can Thaw Frozen SCADA Systems"

passket is one of the well-known Korean hackers. He is a mentor of the Best of the Best (BoB) program and a member of an advisory committee for Korean national agencies on vulnerability analysis. Recently, he announced vulnerabilities in a Korean stock trading system, a robot vacuum cleaner, and other things. He is interested in exploitation, reverse engineering, and vulnerability hunting.

Team SNE was formed in September 2014 for SCADA system vulnerability research. Currently the team is researching subway, water supply & drainage, intelligent traffic systems, and many other areas of SCADA security at the KISA (Korea Information Security Agency) ICSS. Team SNE consists of BoB program members: Byeong Yun Chung, Yoon-ho Kim, Hyun-woo Kim, Min-Joon Park, and So-sun Kim.

[Abstract] Nowadays, many attack methodologies against SCADA systems are published at conferences or in papers. However, they are a little hard to apply in the real world. So we will discuss attack scenarios and methodology for SCADA systems, focusing on Korea's. Of course, there will be an attack demo in a simulated network.

Tombkeeper, "JavaScript VM breakout based exploiting"

Tombkeeper is the Head of Xuanwu Security Lab at Tencent. He has more than a decade of experience researching and working in computer security. He has spoken at many security conferences on different topics, including BlackHat, CanSecWest, HITCon and XCon. He is also a $100,000 Microsoft Mitigation Bypass Bounty winner.

[Abstract] Modern Windows uses mitigation techniques such as DEP and ASLR to hinder exploitation. The combination of ASLR and DEP has proven to be a solid shield in most cases, and mitigation bypass is always one of the hottest topics in the security community. This presentation will introduce a new DEP and ASLR bypass technique based on JavaScript VM breakout. The technique does not need ROP, JIT, third-party plugins or non-ASLR modules.

Wei Yan, "Auto Mobile Malware, Attack Scenarios, and How to Defend"

Dr. Yan is the CEO of VisualThreat, a leading mobile security vendor. He previously worked at McAfee, Trend Micro and a Symantec joint venture, and has a deep understanding of security services. Dr. Yan is also an active referee, serves on the editorial boards of peer-reviewed professional journals, and is a technical committee member of many international security conferences.

[Abstract] ABI Research predicts that 60% of new cars will be Internet-connected by 2017. When mobile devices communicate with cars, the connected car becomes a new threat target. Apple's CarPlay and Google's Android Auto interfaces will also bring more integrated, but potentially vulnerable, mobile apps into the vehicle. Unfortunately, security vulnerabilities both on the car's CAN bus and within the mobile apps can introduce new risks ranging from unauthorized data capture, to more serious offenses such as vehicle or property theft, to criminally malicious hijacking or even the possibility of remotely overriding critical vehicle systems and controls, resulting in accident, injury, or even death. Various attack examples have been demonstrated at several security industry conferences.

Auto malware is coming at a fast pace. Malicious mobile apps can send potentially dangerous CAN commands into the car via the onboard OBD-II port to control or change the car's systems and/or status. Drivers may be at risk of being targeted by car hackers, thieves, phishing scams, or nefarious phone attacks. There is currently no solution on the market that specifically defends against such attacks and monitors the communication channels between cars and mobile apps.

Auto malware does not need to damage the car; instead it can leverage traditional phishing or spam tricks to fool drivers, filling the gap between traditional mobile malware and the automotive domain. We implemented several auto malware demos. For instance, we implemented the first mobile app performing an over-the-air attack on a car. Another example brute-force scans for surrounding OBD dongles and measures the distance between the phone and the dongle. When the driver is about to leave the car, the malicious code sends a "door-open" or "trunk-open" command to the car without the driver's awareness. Once the door is open, the code sends the car's location to the remote attacker, who can come and steal belongings from the car. In this way, we can build up a database of auto attack scenarios and use it for automotive security penetration testing.

How to defend against such attacks? We showcase our research findings on the first automotive anti-hack solution, adding protection where there presently is none on the vehicle system, to minimize penetration from outside cyber attacks. Our solution can discover and prevent a range of such attack scenarios in real time, including the attacks presented by Charlie Miller at Black Hat and DEF CON. Our solution is generic, meaning firewall signatures can be updated from the cloud for different car models.

How does our research differ from that of other researchers?

Other solutions:
  . only passively monitor data traffic and are incapable of blocking attacks on the unprotected CAN bus
  . rely on anomaly detection, which results in a high rate of false positive alerts
  . are often incompatible with current commercial car diagnostic devices
Our differentiators:
  . the first automotive anti-hacking solution from security and auto industry veterans
  . inline CAN bus protection with an updateable threat signature database
  . low false positive rate
  . prevention of Denial of Service attacks
  . generic protection, but also customizable for specific car models
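To make the "inline CAN bus protection with an updateable threat signature database" and "prevention of Denial of Service attacks" points concrete, here is an added Python sketch of such a filter; it is not VisualThreat's product or code, and the arbitration IDs, payload prefixes and traffic are invented for the example. One caveat a practitioner should keep in mind: a CAN frame carries no source address, so the `source` field below is only knowable because the filter sits physically between the OBD-II port and the bus and sees which side each frame arrived from. Flood detection is a per-ID rate limit over a sliding window, which is what stops a dongle from hogging the bus with a high-priority (low) ID.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CanFrame:
    ts: float       # arrival time in seconds
    arb_id: int     # 11-bit arbitration ID (lower wins arbitration)
    data: bytes     # 0..8 payload bytes
    source: str     # "obd2" = arrived via the diagnostic port, "bus" = internal ECU


@dataclass(frozen=True)
class Signature:
    name: str
    arb_id: int
    prefix: bytes   # payload must start with these bytes to match
    source: str     # only frames arriving from this side are blocked


# Hypothetical threat-signature database (IDs and payloads made up for the
# example). The same body-control command is legitimate from an ECU but not
# when injected through the diagnostic port.
SIGNATURES: List[Signature] = [
    Signature("door-unlock-from-obd2", 0x2A0, b"\x01\x02", "obd2"),
    Signature("trunk-open-from-obd2", 0x2A1, b"\x01", "obd2"),
]


class CanFirewall:
    """Inline filter between the OBD-II port and the vehicle CAN bus."""

    def __init__(self, signatures, rate_limit: int = 50, window: float = 1.0):
        self.signatures = list(signatures)
        self.rate_limit = rate_limit            # max frames per arb_id per window
        self.window = window                    # sliding window length in seconds
        self._recent: Dict[int, Deque[float]] = {}

    def update_signatures(self, signatures) -> int:
        """Replace the signature set (stand-in for a cloud update); returns new count."""
        self.signatures = list(signatures)
        return len(self.signatures)

    def _flooding(self, frame: CanFrame) -> bool:
        """Sliding-window count of frames with this ID; True once the limit is exceeded."""
        dq = self._recent.setdefault(frame.arb_id, deque())
        dq.append(frame.ts)
        while dq and frame.ts - dq[0] > self.window:
            dq.popleft()
        return len(dq) > self.rate_limit

    def decide(self, frame: CanFrame) -> Tuple[str, Optional[str]]:
        """Return ("pass", None) or ("drop", reason) for one frame."""
        for sig in self.signatures:
            if (frame.arb_id == sig.arb_id and frame.source == sig.source
                    and frame.data.startswith(sig.prefix)):
                return ("drop", sig.name)
        if self._flooding(frame):
            return ("drop", f"flood on 0x{frame.arb_id:03X}")
        return ("pass", None)


def filter_frames(fw: CanFirewall, frames) -> Dict[str, int]:
    """Run a frame list through the firewall and tally verdicts by reason."""
    counts: Dict[str, int] = {}
    for f in frames:
        verdict, reason = fw.decide(f)
        key = verdict if reason is None else f"{verdict}:{reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed traffic: a legitimate unlock from the body ECU, the same command
# injected by a malicious OBD-II dongle, a trunk-open from the dongle, and a
# 60-frame burst on ID 0x000 from the dongle (a bus-hogging DoS attempt).
SAMPLE_FRAMES: List[CanFrame] = [
    CanFrame(0.00, 0x2A0, b"\x01\x02\x00", "bus"),
    CanFrame(0.10, 0x2A0, b"\x01\x02\x00", "obd2"),
    CanFrame(0.20, 0x2A1, b"\x01", "obd2"),
] + [CanFrame(0.30 + i * 0.005, 0x000, b"\x00" * 8, "obd2") for i in range(60)]

if __name__ == "__main__":
    # {'pass': 51, 'drop:door-unlock-from-obd2': 1, 'drop:trunk-open-from-obd2': 1, 'drop:flood on 0x000': 10}
    print(filter_frames(CanFirewall(SIGNATURES), SAMPLE_FRAMES))
```

Signature matching gives the low false-positive behaviour the list claims, at the cost that only known command patterns are blocked; the rate limit is the generic backstop for unknown floods, and both tables are plain data that a per-model update can replace.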



Copyright(c) 2006 ~ Powerofcommunity All rights reserved.