POC2010 - "Power of Community"

    Home   Notice   Speakers   Schedule   Register   Training   Venue   Events   PastCon   Contact


# Archieves of POC2010

 Chakyi &  Externalist

  Is Your Gaming Console Safe?



Charlie Miller

  Mac OS X Hacking - Snow Leopard Edition



 Jeremy Brown

  Exploiting SCADA Systems




  Internet Explorer exSploit Milk Codes



 Stefan Esser

  iPhone Hacking and Security(Adding ASLR to Jailbroken iPhones)



 Moti & Xu Hao

  A Story about How Hackers' Heart Broken by 0-day



 Tielei Wang

  Heap Taichi: Exploiting Memory Allocation Granularity in Heap- Spraying Attacks




  Antivirus Software 0-day Party



 Xiaobo Chen

  Defeating Windows 7 Browser Memory Protection




  Finding 0-days by Using Vulnhunt



  Android Application Hacking & Security Threat



* All files are from POC2010 CD. No update is applied here.

   Videos are not available right now, but will be uploaded some day.


# Pictures of POC 2010



# Speakers of POC 2009


* Charlie Miller, "Mac OS X Hacking - Snow Leopard Edition"

Charlie Miller was a US National Security Agency researcher. He is the first guy to hack the iPhone and G1 Android phone. He was the winner of CanSecWest 2008, 2009, and 2010 Pwn2Own. He is also a author of Fuzzing for Software Security Testing and Quality Assurance and The Mac Hacker's Handbook. The Mac Hacker's Handbook came out in March 2009. That summer, Snow Leopard came out and broke many of the example. This talk covers those differences and how to still exploit Macs.

His marathon record is 3:59:52.(great!) :)


* Chakyi & Externalist, "Is Your Gaming Console Safe?: Embedded Devices, an AntiVirus-free Safe Hideout for Malware"

Externalist is a student of Hanyang University. He is majoring in Electronics but has a high interest in security and computers in general. He has worked in penetration testing, as well as binary auditing. He also gave several lectures to companies and in seminars regarding Reverse Engineering.

ChakYi is a Security Researcher working in AhnLab, Inc. His main job is to analyze malware and vulnerabilities, and is interested in security threat research. He enjoys studying anything packet related and playing CTF events.

People have false sense of security for Console Gaming systems or Mobile Devices because they are not fully aware that malware can potentially bring the same devastating effects as that of a PC malware. These problems are not only restricted to Gaming consoles or Smartphones but also other various embedded devices. Also, most recent Gaming Consoles contain hardware to connect to the network so an almost idea environment is provided for malware to survive and perform it's job. In this presentation, we will show how these innocent devices can misbehave and pose a serious threat (in particular Wii,  NDS, iPhone, and Andriod), and show a demo of a malware in live action. We will also show some possible defenses to these kind of attacks. Some demos on defenses, and Andriod have been added  since DEFCON.


* Flashsky & alert7, "Finding 0-days by Using Vulnhunt"

* Hasegawa, "Internet Explorer exSploit Milk Codes"

Yosuke Hasegawa is an engineer of NetAgent Co.,Ltd. He has received the Microsoft MVP award for Windows Security every year since 2005. He has investigated on the security issues that the character encoding such as Unicode causes. He has discovered a lot of vulnerabilities of various software applications including Internet Explorer and Mozilla Firefox so far.

Internet Explorer 6 (IE6) is, as Microsoft themselves admit, already an outdated 'spoiled milk' web browser. Actually IE6 has loads of vulnerabilities and security flaws left untouched for years. It is, however, true of a little newer Internet Explorer 7 as well. In this session, I would explain such 'spoiled milk' browsers' vulnerabilities related to Web Applications and improper implementations which were spotted ages ago and still have not been effectively addressed. It will also include demonstrations of some exploits.

In today's web-oriented world where web browsers are released and updated one after another, users tend to leap at their novel features. Yet on the other hand, there are considerable number of users loyal to classic browsers. For those old browsers, even ones still within vender maintenance period, relatively 'minor' flaws are often left unfixed for a long time. Why is it so dangerous to continue using such old browsers? To find a specific answer to this question, we must dig out the issues which are currently buried deep under ignorance.


* Jeremy Brown, "Exploiting SCADA Systems"

Jeremy Brown is a Vulnerability Research Engineer at Tenable Network Security. Jeremy's areas of interest include vulnerability research and analysis, exploit development, penetration testing, fuzzing, and reverse engineering.

SCADA systems are just as vulnerable to attack today than they were ten years ago. The lack of security awareness by SCADA software vendors, combined with the rush of hacking these systems, make them very attractive to hackers. The focus of this presentation will be showing the disconnect between industrial control systems and secure programming, examining how some vendors "get it wrong" in regard to SCADA software security.

This presentation has something for security professionals, security researchers, ICS engineers, or anyone concerned about security issues affecting not just this nation, but electronic infrastructure around the world. I will be discussing different vulnerabilities in SCADA software, a real vendor response, other possible ones, as well as demoing a live exploit that is currently being fixed by the vendor.


* MJ0011, "Antivirus Software 0-day Party"

MJ0011 has been dedicated in the development of kernel security product as well as the research on finding system security vulnerabilities and kernel security attack and defense. He is currently working for 360safe, the most widely used security software in China, provides reliable kernel security defense for its 300 million users. He has spotted large amount of kernel vulnerabilities in Windows operating system and third party software. His work and research was presented at Xcon2008 and POC2009.

This time MJ0011 will present more than 7 kernel vulnerabilities that exist in the Anti-virus/Internet security products. He will demonstrate how to use these vulnerabilities precisely and how to prevent similar vulnerabilities in security products.


* Moti & Xu Hao, "A Story about How Hackers' Heart Broken by 0-day"

Moti Joseph has been involved in computer security. In the last few years he has been working on reverse engineering exploit code and developing security products. He has worked for CheckPoint and WebSense. Also he has given speech on BlackHat2007, ShakaCon2009, POC2009, CONF2009, SYSCAN2010.

Xu Hao keeps on developing security products and researching advanced security technology. Main research areas: Windows kernel, Rootkit and malware, hardware virtualization technology, reverse engineering, smart card & PKI, Mac OSX security. He has spoken at XCON2008, XCON2009, POC2009, SYSCAN2010.

We will tell you the whole story about our working on a 0day for Windows. First we talk about how to find the vulnerable code and show you how good it is. Then we analyze the details and try to find out how to trigger it. After that, we find the limitation of this 0day which really breaks our heart. At last, we will show demos how this 0day can be exploited.

This topic is not very much about technique. It is a real story about how hacker works and we disclose the 0day we found. Hope everyone will enjoy it.


* Silverbug, "Android Application Hacking & Security Threat"

Silverbug works for AhnLab. His main research part is malware, vulnerability, and network analysis. He is a brilliant and so handsome guy.

He will show us the problems and solutions of Andrioid in smartphones. Especially, he will talk about the source disclosure through application decomplile, malicious code propagation through the application modification, applications without considering of security, the problem in Android itself, and privacy, etc.


* Stefan Esser, "iPhone Hacking and Security(Adding ASLR to jailbroken iPhones)"

Stefan Esser is bestknown in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot linux directly from the harddisk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the german web application company SektionEins GmbH that he co-founded.

This year has brought bad news for the security of the iPhone. First it was demonstrated during the PWN2OWN contest that ROP payloads can steal information like the SMS database from factory iPhones and later this year jailbreakme.com combined multiple exploits for vulnerabilities in MobileSafari, the iOS kernel and the userland to jailbreak the device from remote. And for jailbroken devices the situation is even worse because the jailbreak weakens the otherwise strong security features of the iPhone in a way that remote exploits are far easier to accomplish.

However, it is time to remember that the whole purpose of a jailbreak is to free the device from Apple and to allow users to do whatever they want with their device. The fact that current jailbreaks destroy the security is just because jailbreakers did not bother to find a better solution. This changes now. In this session the differences in exploiting jailbroken and factory iPhones will be highlighted and it will be explained step by step how a new tool was developed that adds ASLR (address space layout randomization) to jailbroken iPhones. With ASLR an exploit mitigation is added that is not available in factory iPhones and makes exploitation more difficult. And this is only the first step, more mitigations and a full reactivation of the codesigning protection are planed for the next months.windows.


* Tielei Wang, "Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks"

Tielei Wang is PHD of Peking University institute of computer. He is interested in the discovery of binary vulnerabilities and the analysis of malicious code. And he was the first one, came from China mainland and gave a speech at NDSS as the first author affiliation. He was a speaker of Xcon2009 and POC2009.

Heap spraying is an attack technique commonly used in hijacking browsers to execute drive-by downloads. In this attack, attackers first fill the victim process's heap with a large amount of code and data. Then they exploit a vulnerability to redirect the victim process's control to attackers' code on the heap. Because the location of the injected code is not exactly predictable, traditional heap-spraying attacks need to inject a huge amount of executable code to increase the possibility of successful attacks. Injected executable code usually includes lots of NOP-like instructions, which forms the surface area leading to attackers' code. Targetting this attack characteristic, previous solutions detect heap-spraying attacks by searching for the existence of such large amount of NOP sled and other shellcode.

In this presentation, we analyze the implication of modern operating systems' memory allocation granularity and present Heap Taichi, a new heap spraying technique exploiting the weakness in memory alignment. We describe four new heap object structures that can evade existing detection tools, as well as proof-of-concept heap- spraying code implementing our technique. Our research reveals that a large amount of NOP sleds is not necessary for a reliable heap-spraying attack. In our experiments, we showed that our heap- spraying attacks are a realistic threat by evading existing detection mechanisms. To detect and prevent the new heap-spraying attacks, we propose enhancement to existing approaches and propose to use finer memory allocation granularity at memory managers of all levels and studied the impact of this solution on system performance.


* Xiaobo Chen, "Defeating Windows 7 Browser Memory Protection"

XiaoBo Chen is a research scientist of McAfee Labs. He participated in computer security since 2000, working on Scanner, HIPS products. Now he mainly focuses on vulnerabilities and new technologies for vulnerability exploitation.

With the release of windows 7, Microsoft has done a lot of impressive research to enhance windows 7 operating system's security mechanisms in the goal to protect against the well known exploitation vectors on the windows platform. Windows 7 inherited the traditional memory protection mechanisms, such as GS, SafeSEH, DEP and ASLR (IE8 default opens DEP and ASLR in windows 7). This improvement was a big challenge for exploit developers, at least for sometime. In this presentation I want to reveal several ways how to bypass windows memory protection mechanisms, such as bypass DEP and ASLR in windows 7 through IE8 by some disclose vulnerabilities and I will use 4 case studies to demonstrate how to successfully bypass several protection mechanisms in windows.

This topic will also demonstrate the exploitation technique for the Mozilla Firefox on the Windows 7 x86/x64 system with recent Adobe Flash 0day. And discuss about Microsoft EMET and further exploitation research direction.



# Hacker's Dream


This is a malicious code analysis and reverse engineering contest with AhnLab.

The winner took a MacBook Air and a free pass of POC2010 as prizes.

You can download the files here for your study.





532 unique IPs from 26 countries participated in the contest.



The top threes are:








Tsukasa Ooi






Jae-ryoung, Seong-hyun






Jo Hyun-ho







   You can see the winner's report here.



# Hack the Packet

During the conference, all attendees can participate in the contest.

If you want to take part in the contest, you must bring your own computer.

The winners can take an iPad and the hacking magazine "Hacking & Security" as a prize.

You can find the detailed information here(ko) and here(en).





# Sponsors of POC2010



Please contact "pocadm at gmail.com" if your corporation is interested in the sponsorship of POC2011. We will post the banner of your corporation in the web site of POC forever. And we will give you a chance for you and your company to show your possibility and to advertise your products. Your sponsorship will be quite helpful to upgrade the image of your corporation.


# Supporting Friends

song of freedom            syscan.png          




Copyright(c) 2006 ~ 2011 Powerofcommunity All rights reserved.