POC2012 - "Power of Community"



This page is on the update now. More stuffs will be added.

# Archieves of POC2012

 Wan Tao, "Past, Present, and Future of Chinese Hackers"



 Xu Hao & Chen XIaobo, "Find Your Own iOS Kernel Bug"



 Sergey, "SCADA Strangelove or: How I Learned to Start Worrying and Love Nuclear Plants"



 Chengyun Chu, "Exploit Mitigation Improvements in Windows 8"



  MJ0011, "Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement"



  flashsky, "APT Attack Detection of Vulnhunt"



 Alexander Polyakov, "SSRF 2.0: New Attacks and Vectors"



 Andrei Costin, "Ghost is in the Air Traffic Attack"



 MC & Yaniv Miron, "Fuck 0-days, We Will Pwn U with Hardware Mofos"



 Donato Ferrante & Luigi Auriemma, "Owning Multiplayer Online Games"


 Tora, "Devirtualizing FinSPy"


 RedHidden & silverbug, "Fun of Attacking Firmwares"



* All files are from POC2012 CD. Some updates are applied here, but not all.

  Videos are not available right now, but will be uploaded some day.



# Some Images of POC 2012




# Speakers of POC 2012

# Alexander Polyakov, "SSRF 2.0: New Attacks and Vectors"

Alexander Polyakov is a cto at ERPSCAN, head of DSecRG and architect of ERPSCAN Security scanner for SAP. His expertise covers security of enterprise business-critical software like ERP, CRM, SRM, RDBMS, banking and processing software. He is the manager of OWASP-EAS ( OWASP subproject), a well-known security expert of the enterprise applications of such vendors as SAP and Oracle, who published a significant number of the vulnerabilities found in the applications of these vendors. He is the writer of multiple whitepapers devoted to information security research, and the author of the book "Oracle Security from the Eye of the Auditor: Attack and Defense" (in Russian). He is also one of the contributors to Oracle with Metasploit project.


SSRF, as in Server Side Request Forgery. A great concept of the attack which was discussed in 2008 with very little information about theory and practical examples. We have decided to change it and conducted a deep research in this area. As we deal with ERP security, we take SAP as the example for practicing SSRF attacks. The idea is to find victim server interfaces that will allow sending packets initiated by victim's server to the localhost interface of the victim server or to another server secured by firewall from outside. Ideally this interface must allow us to send any packet to any host and any port. And this interface must be accessed remotely without authentication or at least with minimum rights. Looks like a dream but this is possible. Why this attack is especially dangerous to SAP? Because many restrictions preventing the exploitation of previously found vulnerabilities, for example in RFC and Message Server or Oracle auth, prevent only attacks from external sources but not from localhost!


We have found various SSRF vulnerabilities which allow internal network port scanning, sending any HTTP requests from server, bruteforcing backed and more but the most powerful technique was XXE Tunneling. We made a deep research of the XXE vulnerability and most of the popular XML parsers and found that it can be used not only for file reading and hash stealing but even for getting shell or sending any packet to any host (0-day). What does it mean for business critical systems? Actually XML interfaces are normally used for data transfer between Portal's, ERP's, BI's, DCS's, SCADA's and other systems. Using an XXE vulnerability you can bypass firewalls and other security restrictions. What about practice? To show a real threat we took the most popular business application platform Ð SAP NetWeaver and its various XML parsers. We found that it is possible to bypass almost all security restrictions in SAP systems. Using XXE Tunneling it is possible to reopen many old attacks and conduct new ones which were impossible before.


# Andrei Costin, "Ghost is in the Air Traffic Attack"

Born and grown-up in Moldova, Andrei is a Computer Science graduate of the Politechnic University of Bucharest where he did his thesis work in Biometrics and Image Processing. While starting out his IT-career in the Computer Games industry, he has worked in the Telecom field and also was a senior developer at a specialized firm programming various GSM/UMTS/GPS sub-systems. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publically available (FOSS) card-only key cracking tool for the MiFare Classic RFID card family and is known as the "printer guy" for his "Hacking MFPs" and "Hacking PostScript" series of hacks & talks at various international conferences. He is passionate about security in a holistic fashion. Currently he is a PhD candidate with EURECOM in field of "Security of embedded devices".


In this talk and whitepaper, he will approach the ADS-B (in)security from the practical angle, presenting the feasibility and techniques of how potential attackers could play with generated/injected airtraffic and as such potentially opening new attack surfaces onto AirTrafficControl systems.


# Chengyun Chu, "Exploit Mitigation Improvements in Windows 8"

Chengyun Chu is a Senior Security Development lead of MSRC Engineering defense team. He joined Microsoft in 2001. He and his defense team generate mitigations and workarounds for use in the monthly Microsoft security bulletins, provide detailed vulnerability documentation for MSRC cases, and act as the engineering technical lead for the Microsoft company-wide Software Security Incident Response Process.


Over the past decade, Microsoft has added security features to the Windows platform that help to mitigate risk by making it difficult and costly for attackers to develop reliable exploits for memory safety vulnerabilities. Some examples of these features include Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Visual C++'s code generation security (GS) protection for stack-based buffer overruns. In Windows 8, Microsoft has made a number of substantial improvements that are designed to break known exploitation techniques and in some cases prevent entire classes of vulnerabilities from being exploited. This presentation will provide a detailed technical walkthrough of the improvements that have been made along with an evaluation of their expected impact. In closing, this presentation will look beyond Windows 8 by providing a glimpse into some of the future directions in exploit mitigation research that are currently being explored by Microsoft.


# Donato Ferrante & Luigi Auriemma, "Owning Multiplayer Online Games"

Donato Ferrante is a Co-founder and Security Researcher at ReVuln Ltd. Prior to founding ReVuln Ltd., Donato was a Security Researcher for Research In Motion (Blackberry), where his daily job was performing security research and vulnerability assessments of RIM authored code, products and services including infrastructure, devices, and QNX operating system.


Before moving to RIM Donato analyzed and reversed several rootkits, malware, mobile malware and exploits for Sophos Antivirus. He presented one of his research projects on Java malware and Java Virtual Machine exploits during the CARO workshop in Prague.


Donato found several vulnerabilities in well known commercial products and open source software and his first public disclosed security advisory was released in 2003. He is very passionate about virtual machines and operating systems internals and security.


Luigi Auriemma is a Co-founder and Security Researcher at ReVuln Ltd. Luigi has been in the security field for more than a decade, as an Independent Security Researcher (www.aluigi.org) he is a world recognized expert in this field and discovered more than 2000 vulnerabilities in widely used software.


The following are some key points of Luigi's work:

    •   Highest number of security vulnerabilities disclosed in SCADA/HMI software: General Electric,

        Siemens,ABB/Rockwell, Wonderware, InduSoft, and others

    •   Most known server-side Microsoft vulnerabilities found: ms12-020, ms11-035

    •   Research on Samsung TV vulnerabilities (many not disclosed yet)

    •   Security vulnerabilities affecting the most diffused multiplayer game engines, libraries, middleware and games

    •   Performed vulnerability research on: multiplayer games, SCADA/HMI, TV hardware, enterprise software, media

        players, financial software, ActiveX, network servers and clients


Currently the most prolific vulnerability researcher in the following fields:

    •   total number of security bugs found in any software

    •   SCADA/HMI

    •   media players: QuickTime, RealPlayer, Winamp, VLC and others

    •   multiplayer games

    •   most prolific contributor for Zero Day Initiative currently disclosed advisories (28 Aug 2012)


In this presentation we are going to cover a new field for computer security, which is finding bugs in multiplayer online games and exploiting them. In this presentation we will discuss several high profile bugs that we found with several examples, how to find vulnerabilities in games, and much more. We will also show a demo of 2 0days we found in: Call of Duty: Modern Warfare 3, and Crysis.


# flashsky, "APT Attack Detection of Vulnhunt"

flashsky is a CEO of Vulnhunt. He was a researcher of Venustech, eEye, and Microsoft. He is one of the best of the best hackers in China. He is a core member of the Chinese hacking team Xfocus. You may remember his exploit code.


He will introduce APT attack and defense techniques. And he will also talk about the problem of current APT detection. Fianlly, he will show new APT detection technique of Vulnhunt with 0-day cases.


# MC & Yaniv Miron, "Fuck 0-days, We Will Pwn U with Hardware Mofos"

Yaniv Miron is a security consultant and researcher currently working at FortConsult in Copenhagen, Denmark. Yaniv performs penetration testing and security assessments for international businesses and organizations. Yaniv is the founder of the largest Israeli hacking convention - IL.Hack. Yaniv is certified as a CISO from the Israel Institute of Technology and a Certified Locksmith. Yaniv spoke at security and hacking conferences all around the world (BlackHat/PoC/SyScan/CONFidence/HackerHalted/OWASP/IL.Hack). Yaniv is highly skilled with hands on penetration testing and security research and found many security vulnerabilities at Microsoft/Oracle/IBM  and more.


MC is a security consultant who works at FortConsult in Copenhagen, Denmark. He performs penetration testing and security assessments for international businesses and organizations. He has worked for both niche and big international consulting firms performing security consulting in the US, UK and many European countries for more than 10 years targeting business critical assets and meatware. Marcel has accumulated an abundance of security certifications and has a bachelor's degree in Electrical Engineering from the University of California San Diego, USA, and a Master's Degree from Chalmers, Gothenburg, Sweden. He is into circuit bending and crackly old 12" vinyl records.


We gives you the ultimate hardware hacking kit, wanna pwn some banks? wanna own big companies? You need some boost up. We will show you that your set of tools is not enough, you need to have some help from the hardware part, like 007 has.


We have bundled a set of hardware hacking tools that could assist you, for example we will show you how to bypass Windows 7 with Bitlocker encryption enabled, dumping and extracting goodies from memory, long range RFID tricks to copy ur CEOs card, using hardware screenloggers (not the old crappy keyloggers - cuz everybody knows them and it's lame) and more. You have to be there, cuz we rock.


# MJ0011, "Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement"

MJ0011 has been dedicated in the development of kernel security product as well as the research on finding system security vulnerabilities and kernel security attack and defense. He is currently working for 360safe, the most widely used security software in China, provides reliable kernel security defense for its users. He has spotted large amount of kernel vulnerabilities in Windows operating system and third party software.


He will show new techniques to bypass a new Windows 8 security policy.


# RedHidden & silverbug, "Fun of Attacking Firmwares"

RedHidden is a security researcher who works for AhnLab. She is excellent at malicious code analysis, network traffic analysis, vulnerability analysis. She was the first woman speaker of POC. Silverbug is so brillian a hacker.


# Sergey Gordeychik, "SCADA Strangelove or: How I Learned to Start Worrying and Love Nuclear Plants"

Sergey Gordeychik, CTO, Positive Technologies. Sergey has developed a number of training courses, including "Wireless Networks Security" and "Analysis and Security Assessment of Web Applications," published several dozens of articles in various titles and a book called "Wireless Networks Security." He is the Science Editor of the SecurityLab.ru portal, a member of the Web Application Security Consortium (WASC) Board of Directors and the RISSPA Council of Experts. Sergey Gordeychik is the Director and Scriptwriter of the Positive Hack Days forum.


Modern civilization unconditionally depends on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From network to application, SCADA is full of configuration issues and vulnerabilities. During our presentattion, we will demonstrate how to obtain full access to a plant via:


- a sniffer and a packet generator

- FTP and Telnet

- Metasploit and oslq

- a webserver and a browser


About 20 new vulnerabilities in common SCADA systems including Simatic WinCC will be revealed in the report.



- modbuspatrol (mbpatrol) - free tool to discover and fingerprint PLC

- Simatic WinCC security checklist

- Simatic WinCC forensic checklist and tools

- close to real life attack scenario of a Simatic WinCC based plant


# Tao Wan, "Past, Present, and Future of Chinese Hackers"


# Tora, "Devirtualizing FinSPy"

Tora is a reverse engineer with some computer forensics background, who enjoys analyzing disk images, packed executables, playing around with crypto, researching anti-forensics and trying to collect bugs in software nobody uses. Tora used to work on zynamics and now tries to survive in the ultra expensive Switzerland while working as a security engineer for Google.


In this talk, we'll see how the FinSpy malware tries to hide its payload from being analyzed. First we'll take a look at the obfuscation and virtualization layer and what options do we have, as reverse engineers, to speed-up analysis of code of this kind. Virtualization often scares people, but it's just a matter of time and patience. Once we get rid of the virtualization, the next step would be to check what other anti-analysis measures the malware is using like anti-debugging, anti-sandboxing, anti-AV, etc... and of course some of the interesting tricks the malware uses in order to hide its presence on the system.


# Xu Hao & Chen XIaobo, "Find Your Own iOS Kernel Bug"

Xu Hao now focus on OSX/iOS software development and security research. Also he has more many years experience on Windows security research. Main research areas: OSX/iOS/Windows security, Rootkit and malware, hardware virtualization technology, reverse engineering, smart card & PKI.


Chen Xiaobo is a research scientist of McAfee Labs. He participated in computer security since 2000, working on Scanner, HIPS products. Now he mainly focuses on vulnerabilities/new technologies for vulnerability exploitation and iOS exploitation.


This presentation will talk about how to write your own fuzzer targets iOS kernel and ways to analyze real kernel bugs. iOS kernel exploits are important for Jailbreak to break kernel protection such as code signing check and sandbox. Compared with user space, iOS kernel is much easier to exploit. Here we will introduce you basic knowledge of iOS kernel and give a summary of known bugs used in Jailbreaks. Then we show how to write a fuzzer based on hook technique. Since a passive fuzzer could only fuzz IOKit drivers are in using, we will also tell you how to fuzz all IOKit drivers actively. In fact, fuzz iOS kernel is not that difficult as we think. At the end we show the process of analyzing real kernel bugs.


More than 70% of the topics were presented in POC2012 for the first time.

And 30% of the topics presendetd before POC2012 was updated.

POC will show you only technical, creative and very interesting topics.

Fuck off, marketing and commercial presentation!



# Training Course


   # 2012



11 7(09:00 ~ 18:00)

 ֺ(silverbug), "Smartphone Hacking

11 6 ~7(09:00 ~ 18:00)

 غ(passket), "Practical Web Browser Exploiting"


• silverbug, "Smartphone Hacking"

• passket, "Practical Web Browser Exploiting"

   - Ұ

2004 1st AHF announcement( Zero-effort attack )

2005 PADOCON 2005 announcement( Honeynet based University )

2005 2nd AHF announcement( I don't remember the topic )

2005 KISA Workshop about homepage demonstration( hacking from china )

2005 CONCERT tech workshop demonstration( about newal BOT )

2006 PADOCON 2006 announcement( White-Bot Project )

2009 PADOCON 2009 announcement( A Practice of Remote Code Execution

using CPU bugs )

2009 SecurityProof.org 2009 1st Offline Seminar( CPU Bugs Return ! )

2010 PADOCON 2010 announcement( Exploiting Windows Vista Kernel : SMB

Case Study )

2010 CodeEngn 2010 announcement( Taint Analysis for Vulnerability Discovery )

2011 PADOCON 2011 announcement( Hunting Trip - Automated vulnerability finding )

2011 KAIST Cybersecurity Workshop( Advanced 0-day Detection )

2011 POC 2011 Training Course( Finding 0-day )

2011 POC 2011 announcement( Special Tricks for Exploiting )

2012 KISA workshop announcement( about APT )

2012 Codegate 2012 Training Course( effective vulnerability discovery )

2012 Codegate 2012 announcement( Flow Based Vulnerability Discovery )


   - Ұ

ֱ ǰ ִ. ŭ̳ ɽġʰ Web Browser ݴ Ǽڵ峪 ͽ÷ ִµ, Ϲ ø̼ ݹİ Web Browser ϴ ̰ ִ. Ʈ̴ ڽ Ϲ Web Browser ߰ϴ ߰ Web Browser ϴ , ׸ Web Browser ϴ Ŀ ˾ƺ, ̸ ȸϴ 鿡 ؼ 캻.



# Events of POC2012


# "CD Capture The Flag" by Hackerschool(http://www.cdctf.com)

- A hacking contest for under 13 years old

- This covers hacking, security, programming-algorithm, quiz, etc.

- Qualifying round:

- Final round: 


# "Power of XX" by SISS(http://www.powerofxx.com)

- A hacking contest for only women

- Qualifying round: 

- Final round: 


# "Hack The Packet" (http://www.hackthepacket.com)

This is a game about digging for packets. it is more advantageous to get  the keys (answers) quickly as much as you can. There are various problems of security, programming, IT knowledge or so. Points are awarded according to the level of difficulty. Different bonus points on a first 3 solve basis.


TWITTER :: @hack_the_packet

E-mail :: events@hackthepacket.com


# "Test Your CPU Speed" by Layer7(Sunrin Internet High School)

This is a kind of game to improve your calculating speed. Anyone can join and enjoy. Come and do!


# "SSLStrip for POC" by gilgil

SSLStrip captures inbound and outbound HTTP traffic, analyzes in plain text format and notifies that important private information can be disclosed.


# "Hack My Mind" by Y0U&M3

Quiz contest about hacking/security


# "Mouse Cusor Moving Game" by SecurityFirst

A kind of game finding a wayout through mirrors.


# "Blind Programming" by SecurityFirst

Turn off your monitor, write a code, and then compile it.


# "Typing Practice Game" by SecurityFirst

Type as fast as you can.



# Sponsors of POC2012





# Supporting Friends


song of freedom











Copyright(c) 2006 ~ 2013 Powerofcommunity All rights reserved.