Conference Materials: http://conference.hitb.org/hitbsecconf2007kl/materials/

Official Photos: http://photos.hitb.org

TECH TRAINING 2 - The Exploit Laboratory

Filed under: Main Page — Administrator @ 8:11 pm

Title: The Exploit Laboratory
Trainer: SK Chong (Security Consultant, SCAN Associates Bhd.) & Umesh Nagori (VP, Net-Square)
Capacity: 20 pax
Duration: 2 days
Cost: (per pax) MYR2899 (early bird) / MYR3299 (non early-bird)



This workshop introduces how buffer overflow vulnerabilities arise in programs and how they get exploited. The workshop will take you deep inside how programs are loaded and executed in memory, how to spot buffer overflow conditions and how exploits get constructed for these overflow conditions. By exposing the inner mechanisms of such exploits, we will understand how to prevent such vulnerabilities from arising.

The workshop will cover analysis of stack overflows, heap overflows and format string vulnerabilities. Examples of vulnerabilities will be provided on both the Windows and Unix platforms. The class is highly hands-on and very lab intensive. The hands-on lab provides real-life examples of programs containing vulnerabilities, and participants are required to analyse and exploit these vulnerabilities.

Who should attend

Pen-testers, developers, just about anyone who wants to understand how exploits work.

Key learning objectives

Understanding error conditions.
Categories of error conditions - stack overflow, heap overflow, off-by-one, format string bugs, integer overflows (this class will deal only with stack, heap and format string)
Unix process memory map
Win32 process memory map
Writing shellcode
Real life exploit construction
Secure coding practices
Kernel level protection mechanisms


Attendees will require:

A working knowledge of operating systems, Win32 and Unix
Ability to compile programs using GCC
Ability to use vi/pico/joe editors
Understanding of C programming would be a bonus

This class requires you to sign a code-of-ethics document, which is to ensure appropriate use of such techniques.

About the trainers:

SK Chong

S.K. (CISSP) is a security consultant from SCAN Associates. His job allows him to play with all kinds of hacking tools in his penetration testing. Most often, he needs to modify and/or enhance these tools before they can be used for legal penetration testing against banks, ISPs and government agencies. These experiences helped him write a few security whitepapers on SQL Injection, Buffer Overflow, Shellcode and Windows Kernel stuff, including one published in Phrack E-zine #62. His research was presented at Blackhat (Singapore) 2003, HITBSecConf2003 - Malaysia, RuxC0n2004 (Australia), XCon2004 (China) and many other security conferences.

Umesh Nagori

Umesh currently works as VP Business Development for the IT Security Practices at Net-Square. Umesh also provides information security consulting services and training to Net-Square clients, specializing in Web hacking and security. He brings more than 10 years of experience in information technology. Starting from software development, he has played key roles in various other areas of information technology such as system administration and network management, system analysis, training and project management. He has over 6 years of experience with web application development, application and system security architecture, network architecture, security consulting and security training.

Prior to joining Net-Square, Umesh worked as Sr. System Analyst (IT Application) at Hughes Network Systems, USA (HNS). In his capacity as Sr. System Analyst, he played a key role in overseeing the web development and the application security for the internet-facing applications at HNS.

Prior to HNS, Umesh worked as Principal Consultant at iROMYX Inc. His experience at iROMYX provided him with numerous challenging projects at clients like Cisco, Motorola, NEC, Carlson, Sycamore, VIAG Interkom (Germany) and many others. Apart from web application development for public-facing applications, he made significant contributions to many clients in designing the security for their web applications.

Prior to his experience in the USA, Umesh worked as Research Assistant at Indian Institute of Management, Ahmedabad (India), where he played a role as system & network administrator for IIMA networks, web designer/developer for the IIMA Internet & Intranet applications and training instructor. Umesh graduated from Gujarat University with a bachelor's degree in Commerce. He has also successfully completed the BS7799 Lead Auditor Course.

Event Organizer

Hack In The Box (M) Sdn. Bhd.