Friday, August 6, 2021

A New Attack Surface on MS Exchange Part 1 - ProxyLogon!

Author: Orange Tsai(@orange_8361)
P.S. This is a cross-post blog from DEVCORE


The series of A New Attack Surface on MS Exchange:


Microsoft Exchange, as one of the most common email solutions in the world, has become part of the daily operation and security connection for governments and enterprises. This January, we reported a series of vulnerabilities in Exchange Server to Microsoft and named it ProxyLogon. ProxyLogon might be the most severe and impactful vulnerability in Exchange history ever. If you were paying attention to the industry news, you must have heard of it.

While looking into ProxyLogon from the architectural level, we found it is not just a vulnerability, but a totally new attack surface that no one has ever mentioned before. This attack surface could lead hackers or security researchers to more vulnerabilities. Therefore, we decided to focus on this attack surface and eventually found at least 8 vulnerabilities. These vulnerabilities span server-side, client-side, and even crypto bugs. We chained these vulnerabilities into 3 attacks:

  1. ProxyLogon: The most well-known and impactful Exchange exploit chain
  2. ProxyOracle: The attack which could recover any password in plaintext format of Exchange users
  3. ProxyShell: The exploit chain we demonstrated at Pwn2Own 2021 to take over Exchange and earn $200,000 bounty

I would like to highlight that all vulnerabilities we unveiled here are logic bugs, which means they can be reproduced and exploited more easily than any memory corruption bug. We have presented our research at Black Hat USA and DEFCON, and won Best Server-Side Bug at the Pwnie Awards 2021. You can check our presentation materials here:

  • ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server! [Slides] [Video]


By understanding the basics of this new attack surface, you won’t be surprised why we can pop out 0days easily!


Intro

I would like to state that all the vulnerabilities mentioned have been reported through the responsible vulnerability disclosure process and patched by Microsoft. You can find more details about the CVEs and the report timeline in the following table.

| Report Time  | Name          | CVE            | Patch Time   | CAS[1] | Reported By                     |
|--------------|---------------|----------------|--------------|--------|---------------------------------|
| Jan 05, 2021 | ProxyLogon    | CVE-2021-26855 | Mar 02, 2021 | Yes    | Orange Tsai, Volexity and MSTIC |
| Jan 05, 2021 | ProxyLogon    | CVE-2021-27065 | Mar 02, 2021 | -      | Orange Tsai, Volexity and MSTIC |
| Jan 17, 2021 | ProxyOracle   | CVE-2021-31196 | Jul 13, 2021 | Yes    | Orange Tsai                     |
| Jan 17, 2021 | ProxyOracle   | CVE-2021-31195 | May 11, 2021 | -      | Orange Tsai                     |
| Apr 02, 2021 | ProxyShell[2] | CVE-2021-34473 | Apr 13, 2021 | Yes    | Orange Tsai working with ZDI    |
| Apr 02, 2021 | ProxyShell[2] | CVE-2021-34523 | Apr 13, 2021 | Yes    | Orange Tsai working with ZDI    |
| Apr 02, 2021 | ProxyShell[2] | CVE-2021-31207 | May 11, 2021 | -      | Orange Tsai working with ZDI    |
| Jun 02, 2021 | -             | -              | -            | Yes    | Orange Tsai                     |
| Jun 02, 2021 | -             | CVE-2021-33768 | Jul 13, 2021 | -      | Orange Tsai and Dlive           |

[1] Bugs related directly to this new attack surface
[2] Pwn2Own 2021 bugs


Why did Exchange Server become a hot topic? From my point of view, the whole ProxyLogon attack surface is actually located at an early stage of Exchange request processing. For instance, if the entrance of Exchange is 0 and the core business logic is 100, ProxyLogon sits somewhere around 10. Again, since the vulnerability is located so early, I believe anyone who has reviewed the security of Exchange carefully would spot the attack surface. This was also why I tweeted my worry about bug collision after reporting to Microsoft. The vulnerability was so impactful, yet it is a simple one located at such an early stage.

You all know what happened next: Volexity found that an APT group was leveraging the same SSRF (CVE-2021-26855) to access users’ emails in early January 2021 and reported it to Microsoft. Microsoft released the urgent patches in March. From the public information released afterwards, we found that even though they used the same SSRF, the APT group was exploiting it in a very different way from us. We completed the ProxyLogon attack chain through CVE-2021-27065, while the APT group used EWS and two unknown vulnerabilities in their attack. This convinced us that there was a bug collision on the SSRF vulnerability.

Image from Microsoft Blog


As for how the ProxyLogon PoC we reported to MSRC appeared in the wild in late February, we were as curious as everyone else, having eliminated the possibility of leakage from our side through a thorough investigation. With a clearer timeline appearing and more discussion occurring, it seems this is not the first time something like this has happened to Microsoft. Maybe you would be interested in learning some interesting stories from here.


Why target Exchange Server?

A mail server is a highly valuable asset that holds the most confidential secrets and corporate data. In other words, controlling a mail server means controlling the lifeline of a company. As the most commonly used email solution, Exchange Server has been a top target for hackers for a long time. Based on our research, there are more than four hundred thousand Exchange Servers exposed on the Internet. Each server represents a company, and you can imagine how horrible it is when a severe vulnerability appears in Exchange Server.

Normally, I review the existing papers and bugs before starting research. Among the whole Exchange history, is there any interesting case? Of course. Although most vulnerabilities are based on known attack vectors, such as deserialization or bad input validation, there are still several bugs worth mentioning.

The most special

The most special one is the arsenal from Equation Group in 2017. It’s the only practical and public pre-auth RCE in the Exchange history. Unfortunately, the arsenal only works on an ancient Exchange Server 2003. If the arsenal leak happened earlier, it could end up with another nuclear-level crisis.

The most interesting

The most interesting one is CVE-2018-8581, disclosed by someone who cooperated with ZDI. Though it was simply an SSRF, it came with a feature that could be combined with NTLM Relay, so the attacker could turn a boring SSRF into something really fancy. For instance, it could directly control the whole Domain Controller through a low-privilege account.

The most surprising

The most surprising one is CVE-2020-0688, which was also disclosed by someone working with ZDI. The root cause of this bug is a hard-coded cryptographic key in Microsoft Exchange. With this hard-coded key, an attacker with low privilege can take over the whole Exchange Server. As you can see, even in 2020, a silly hard-coded cryptographic key could still be found in essential software like Exchange. This indicated that Exchange was lacking security reviews, which also inspired me to dig more into Exchange security.




Where is the new attack surface

Exchange is a very sophisticated application. Since 2000, Exchange has released a new version every 3 years. Whenever Exchange releases a new version, the architecture changes a lot. These architectural changes and iterations make it difficult to upgrade an Exchange Server. In order to ensure compatibility between the new architecture and the old ones, Exchange Server incurred several design debts, and these led to the new attack surface we found.




Where did we focus in Microsoft Exchange? We focused on the Client Access Service, CAS. CAS is a fundamental component of Exchange. Back in version 2000/2003, CAS was an independent Frontend Server in charge of all the Frontend web rendering logic. After several renamings, integrations, and version differences, CAS has been downgraded to a service under the Mailbox Role. The official documentation from Microsoft indicates that:

Mailbox servers contain the Client Access services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services on a Mailbox server


From this description you can see the importance of CAS, and you can imagine how critical it is when bugs are found in such infrastructure. CAS was where we focused, and where the attack surface appeared.


The CAS architecture

CAS is the fundamental component in charge of accepting all the connections from the client side, no matter if it’s HTTP, POP3, IMAP or SMTP, and proxies the connections to the corresponding Backend Service. As a Web Security researcher, I focused on the Web implementation of CAS.



The CAS web is built on Microsoft IIS. As you can see, there are two websites inside IIS. The “Default Website” is the Frontend we mentioned before, and the “Exchange Backend” is where the business logic is. After looking into the configuration carefully, we noticed that the Frontend is bound to ports 80 and 443, and the Backend is listening on ports 81 and 444. All the ports are bound to 0.0.0.0, which means anyone could access the Frontend and Backend of Exchange directly. Wouldn’t it be dangerous? Please keep this question in mind; we will answer it later.



Exchange implements the logic of the Frontend and Backend via IIS modules. There are several modules in the Frontend and Backend that complete different tasks, such as filtering, validation, and logging. The Frontend must contain a Proxy Module. The Proxy Module picks up the HTTP request from the client side, adds some internal settings, then forwards the request to the Backend. As for the Backend, all the applications include the Rehydration Module, which is in charge of parsing Frontend requests, populating the client information back, and continuing to process the business logic. Later we will elaborate on how the Proxy Module and Rehydration Module work.



Frontend Proxy Module

The Proxy Module chooses a handler based on the current ApplicationPath to process the HTTP request from the client side. For instance, visiting /EWS will use EwsProxyRequestHandler, while /OWA will trigger OwaProxyRequestHandler. All the handlers in Exchange inherit from the class ProxyRequestHandler and implement its core logic, such as how to deal with the HTTP request from the user, which Backend URL to proxy to, and how to synchronize information with the Backend. This class is also the most central part of the whole Proxy Module; we will separate ProxyRequestHandler into 3 sections:



Frontend Request Section

The Request section parses the HTTP request from the client and determines which cookies and headers may be proxied to the Backend. The Frontend and Backend rely on HTTP headers to synchronize information and proxy internal status. Therefore, Exchange has defined a blacklist to avoid some internal headers being misused.

HttpProxy\ProxyRequestHandler.cs

protected virtual bool ShouldCopyHeaderToServerRequest(string headerName) {
    // Blacklist: headers reserved for Frontend/Backend synchronization are never copied.
    return !string.Equals(headerName, "X-CommonAccessToken", StringComparison.OrdinalIgnoreCase)
        && !string.Equals(headerName, "X-IsFromCafe", StringComparison.OrdinalIgnoreCase)
        && !string.Equals(headerName, "X-SourceCafeServer", StringComparison.OrdinalIgnoreCase)
        && !string.Equals(headerName, "msExchProxyUri", StringComparison.OrdinalIgnoreCase)
        && !string.Equals(headerName, "X-MSExchangeActivityCtx", StringComparison.OrdinalIgnoreCase)
        && !string.Equals(headerName, "return-client-request-id", StringComparison.OrdinalIgnoreCase)
        && !string.Equals(headerName, "X-Forwarded-For", StringComparison.OrdinalIgnoreCase)
        // Diagnostic headers are only passed through for probe requests.
        && (!headerName.StartsWith("X-Backend-Diag-", StringComparison.OrdinalIgnoreCase)
            || this.ClientRequest.GetHttpRequestBase().IsProbeRequest());
}


In the last stage of the Request section, the Proxy Module calls the method AddProtocolSpecificHeadersToServerRequest implemented by the handler to add, as HTTP headers, the information to be communicated to the Backend. This section also serializes the information of the current login user and puts it in a new HTTP header, X-CommonAccessToken, which will be forwarded to the Backend later.

For instance, if I log into Outlook Web Access (OWA) with the name Orange, the X-CommonAccessToken that the Frontend proxies to the Backend will be:



Frontend Proxy Section

The Proxy section first uses the GetTargetBackendServerURL method to calculate which Backend URL the HTTP request should be forwarded to, then initializes a new HTTP client request with the method CreateServerRequest.

HttpProxy\ProxyRequestHandler.cs

protected HttpWebRequest CreateServerRequest(Uri targetUrl) {
    HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(targetUrl);
    if (!HttpProxySettings.UseDefaultWebProxy.Value) {
        httpWebRequest.Proxy = NullWebProxy.Instance;
    }
    httpWebRequest.ServicePoint.ConnectionLimit = HttpProxySettings.ServicePointConnectionLimit.Value;
    httpWebRequest.Method = this.ClientRequest.HttpMethod;
    httpWebRequest.Headers["X-FE-ClientIP"] = ClientEndpointResolver.GetClientIP(SharedHttpContextWrapper.GetWrapper(this.HttpContext));
    httpWebRequest.Headers["X-Forwarded-For"] = ClientEndpointResolver.GetClientProxyChainIPs(SharedHttpContextWrapper.GetWrapper(this.HttpContext));
    httpWebRequest.Headers["X-Forwarded-Port"] = ClientEndpointResolver.GetClientPort(SharedHttpContextWrapper.GetWrapper(this.HttpContext));
    httpWebRequest.Headers["X-MS-EdgeIP"] = Utilities.GetEdgeServerIpAsProxyHeader(SharedHttpContextWrapper.GetWrapper(this.HttpContext).Request);
    
    // ...
    
    return httpWebRequest;
}


Exchange will also generate a Kerberos ticket via the HTTP Service-Class of the Backend and put it in the Authorization header. This header is designed to prevent anonymous users from accessing the Backend directly. With the Kerberos Ticket, the Backend could validate the access from the Frontend.

HttpProxy\ProxyRequestHandler.cs

if (this.ProxyKerberosAuthentication) {
    serverRequest.ConnectionGroupName = this.ClientRequest.UserHostAddress + ":" + GccUtils.GetClientPort(SharedHttpContextWrapper.GetWrapper(this.HttpContext));
} else if (this.AuthBehavior.AuthState == AuthState.BackEndFullAuth || this.ShouldBackendRequestBeAnonymous()
    || (HttpProxySettings.TestBackEndSupportEnabled.Value && !string.IsNullOrEmpty(this.ClientRequest.Headers["TestBackEndUrl"]))) {
    serverRequest.ConnectionGroupName = "Unauthenticated";
} else {
    // Default path: the Frontend authenticates to the Backend with its own Kerberos ticket.
    serverRequest.Headers["Authorization"] = KerberosUtilities.GenerateKerberosAuthHeader(
        serverRequest.Address.Host, this.TraceContext,
        ref this.authenticationContext, ref this.kerberosChallenge);
}

HttpProxy\KerberosUtilities.cs

internal static string GenerateKerberosAuthHeader(string host, int traceContext, ref AuthenticationContext authenticationContext, ref string kerberosChallenge) {
    byte[] array = null;
    byte[] bytes = null;
    byte[] inputBuffer = array;  // ... challenge bytes from a previous Backend response, if any (elided)
    // ...
    authenticationContext = new AuthenticationContext();
    // The target SPN is derived from the Backend host: HTTP/<backend-fqdn>
    string text = "HTTP/" + host;
    authenticationContext.InitializeForOutboundNegotiate(AuthenticationMechanism.Kerberos, text, null, null);
    SecurityStatus securityStatus = authenticationContext.NegotiateSecurityContext(inputBuffer, out bytes);
    // ...
    // The resulting token is sent as an HTTP Negotiate credential.
    string @string = Encoding.ASCII.GetString(bytes);
    return "Negotiate " + @string;
}


Therefore, a client request proxied to the Backend has several HTTP headers added for internal use. The two most essential headers are X-CommonAccessToken, which indicates the mail user’s login identity, and the Kerberos ticket, which represents legitimate access from the Frontend.



Frontend Response Section

The last is the section of Response. It receives the response from the Backend and decides which headers or cookies are allowed to be sent back to the Frontend.


Backend Rehydration Module

Now let’s move on and check how the Backend processes the request from the Frontend. The Backend first uses the method IsAuthenticated to check whether the incoming request is authenticated. Then the Backend verifies whether the request is equipped with an extended right called ms-Exch-EPI-Token-Serialization. With the default setting, only the Exchange Machine Account has such authorization. This is also why the Kerberos ticket generated by the Frontend can pass the checkpoint, while you can’t access the Backend directly with a low-privileged account.

After passing the check, Exchange restores the login identity used in the Frontend by deserializing the header X-CommonAccessToken back into the original Access Token, then puts it in the HttpContext object so the request can proceed to the business logic in the Backend.

Authentication\BackendRehydrationModule.cs

private void OnAuthenticateRequest(object source, EventArgs args) {
    HttpContext httpContext = ((HttpApplication)source).Context;
    // Only requests IIS has already authenticated (e.g. with the Frontend's Kerberos ticket) are rehydrated.
    if (httpContext.Request.IsAuthenticated) {
        this.ProcessRequest(httpContext);
    }
}

private void ProcessRequest(HttpContext httpContext) {
    CommonAccessToken token;
    if (this.TryGetCommonAccessToken(httpContext, out token)) {
        // ... the restored identity is attached to the request for the business logic
    }
}

private bool TryGetCommonAccessToken(HttpContext httpContext, out CommonAccessToken token) {
    token = null;
    string text = httpContext.Request.Headers["X-CommonAccessToken"];
    if (string.IsNullOrEmpty(text)) {
        return false;
    }

    // The caller must hold ms-Exch-EPI-Token-Serialization; by default only the Exchange Machine Account does.
    bool flag;
    Stopwatch stopwatch = Stopwatch.StartNew();
    long elapsedMilliseconds = stopwatch.ElapsedMilliseconds;
    try {
        flag = this.IsTokenSerializationAllowed(httpContext.User.Identity as WindowsIdentity);
    } finally {
        httpContext.Items["BEValidateCATRightsLatency"] = stopwatch.ElapsedMilliseconds - elapsedMilliseconds;
    }
    if (!flag) {
        // ... header not honoured for callers without the right (error handling elided)
        return false;
    }

    // Deserialize the Frontend's token back into the login identity.
    token = CommonAccessToken.Deserialize(text);
    httpContext.Items["Item-CommonAccessToken"] = token;

    //...
    return true;
}

private bool IsTokenSerializationAllowed(WindowsIdentity windowsIdentity) {
    // ... clientSecurityContext is derived from windowsIdentity (elided)
    bool flag2 = LocalServer.AllowsTokenSerializationBy(clientSecurityContext);
    return flag2;
}

private static bool AllowsTokenSerializationBy(ClientSecurityContext clientContext) {
    return LocalServer.HasExtendedRightOnServer(clientContext,
        WellKnownGuid.TokenSerializationRightGuid);  // ms-Exch-EPI-Token-Serialization
}

The attack surface

After a brief introduction to the architecture of CAS, we now realize that CAS is just a well-written HTTP Proxy (or Client), and we know that implementing Proxy isn’t easy. So I was wondering:

Could I use a single HTTP request to access different contexts in Frontend and Backend respectively to cause some confusion?


If we could do that, maaaaaybe I could bypass some Frontend restrictions to access arbitrary Backends and abuse some internal API. Or, we can confuse the context to leverage the inconsistency of the definition of dangerous HTTP headers between the Frontend and Backend to do further interesting attacks.

With these thoughts in mind, let’s start hunting!


The ProxyLogon

The first exploit is ProxyLogon. As introduced before, this may be the most severe vulnerability in the Exchange history ever. ProxyLogon chains 2 bugs:


CVE-2021-26855 - Pre-auth SSRF

There are more than 20 handlers corresponding to different application paths in the Frontend. While reviewing the implementations, we found that the method GetTargetBackEndServerUrl, which is responsible for calculating the Backend URL in the static resource handler, assigns the Backend target from a cookie directly.

Now you figure out how simple this vulnerability is after learning the architecture!

HttpProxy\ProxyRequestHandler.cs

protected virtual Uri GetTargetBackEndServerUrl() {
    this.LogElapsedTime("E_TargetBEUrl");
    Uri result;
    try {
        UrlAnchorMailbox urlAnchorMailbox = this.AnchoredRoutingTarget.AnchorMailbox as UrlAnchorMailbox;
        if (urlAnchorMailbox != null) {
            result = urlAnchorMailbox.Url;
        } else {
            UriBuilder clientUrlForProxy = this.GetClientUrlForProxy();
            clientUrlForProxy.Scheme = Uri.UriSchemeHttps;
            clientUrlForProxy.Host = this.AnchoredRoutingTarget.BackEndServer.Fqdn;
            clientUrlForProxy.Port = 444;
            if (this.AnchoredRoutingTarget.BackEndServer.Version < Server.E15MinVersion) {
                this.ProxyToDownLevel = true;
                RequestDetailsLoggerBase<RequestDetailsLogger>.SafeAppendGenericInfo(this.Logger, "ProxyToDownLevel", true);
                clientUrlForProxy.Port = 443;
            }
            result = clientUrlForProxy.Uri;
        }
    }
    finally {
        this.LogElapsedTime("L_TargetBEUrl");
    }
    return result;
}


From the code snippet, you can see the property BackEndServer.Fqdn of AnchoredRoutingTarget is assigned from the cookie directly.

HttpProxy\OwaResourceProxyRequestHandler.cs

protected override AnchorMailbox ResolveAnchorMailbox() {
    HttpCookie httpCookie = base.ClientRequest.Cookies["X-AnonResource-Backend"];
    if (httpCookie != null) {
        this.savedBackendServer = httpCookie.Value;
    }
    if (!string.IsNullOrEmpty(this.savedBackendServer)) {
        base.Logger.Set(3, "X-AnonResource-Backend-Cookie");
        if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1)) {
            ExTraceGlobals.VerboseTracer.TraceDebug<HttpCookie, int>((long)this.GetHashCode(), "[OwaResourceProxyRequestHandler::ResolveAnchorMailbox]: AnonResourceBackend cookie used: {0}; context {1}.", httpCookie, base.TraceContext);
        }
        return new ServerInfoAnchorMailbox(BackEndServer.FromString(this.savedBackendServer), this);
    }
    return new AnonymousAnchorMailbox(this);
}


We can only control the Host part of the URL, but hang on, isn’t manipulating a URL parser exactly what I am good at? Exchange builds the Backend URL with the built-in UriBuilder. However, since C# does not verify the Host, we can enclose the whole URL with some special characters to access arbitrary servers and ports.

https://[foo]@example.com:443/path#]:444/owa/auth/x.js

 



So far we have a super SSRF that can control almost all the HTTP requests and get all the replies. The most impressive thing is that the Frontend of Exchange will generate a Kerberos Ticket for us, which means even when we are attacking a protected and domain-joined HTTP service, we can still hack with the authentication of Exchange Machine Account.

So, what is the root cause of this arbitrary Backend assignment? As mentioned, Exchange Server changes its architecture when releasing new versions. A component with the same name might have different functions in different versions. Microsoft has put great effort into ensuring compatibility between new and old versions. This cookie is a quick solution, and a design debt of Exchange, that lets the Frontend in the new architecture identify where the old Backend is.


CVE-2021-27065 - Post-auth Arbitrary-File-Write

Thanks to the super SSRF, we can access the Backend without restriction. The next step is to find an RCE bug to chain it with. Here we leverage a Backend internal API, /proxyLogon.ecp, to become the admin. This API is also the reason we called it ProxyLogon.

Because we leverage the Frontend handler for static resources to access the Exchange Control Panel (ECP) Backend, the header msExchLogonMailbox, which is a special HTTP header in the ECP Backend, is not blocked by the Frontend. By leveraging this minor inconsistency, we can specify ourselves as the SYSTEM user and generate a valid ECP session with the internal API.
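The two Frontend/Backend gaps described so far (the cookie-controlled Backend host from the SSRF section, and the Frontend header blacklist that does not cover the Backend's own trusted header msExchLogonMailbox) modelled as a small Python program. This is an added example, not code from Exchange or from this post: the hostname grammar, the known-Backend list, the hardened `resolve_backend` and `forward_headers_consistent` variants, and the sample headers are assumptions; the crafted cookie value is the one implied by the page's URL.

```python
"""Model of the Frontend/Backend trust gaps on this page (example code, not Exchange's)."""
import re

# Headers the Frontend refuses to copy, transcribed from ShouldCopyHeaderToServerRequest.
FRONTEND_HEADER_BLACKLIST = {
    "x-commonaccesstoken", "x-isfromcafe", "x-sourcecafeserver", "msexchproxyuri",
    "x-msexchangeactivityctx", "return-client-request-id", "x-forwarded-for",
}
# Headers the Backend treats as trusted internal state. msExchLogonMailbox is the ECP
# header named on the page; it is missing from the Frontend list above, and that gap is
# the inconsistency the text describes.
BACKEND_TRUSTED_HEADERS = {"x-commonaccesstoken", "msexchlogonmailbox"}


def should_copy_header_to_server_request(name, is_probe_request=False):
    """Frontend decision for one header, same shape as the C# method on the page."""
    lowered = name.lower()
    if lowered in FRONTEND_HEADER_BLACKLIST:
        return False
    if lowered.startswith("x-backend-diag-") and not is_probe_request:
        return False
    return True


def forward_headers_blacklist(client_headers, is_probe_request=False):
    """What the Frontend proxies today: filtered by a list the Frontend alone defines."""
    return {k: v for k, v in client_headers.items()
            if should_copy_header_to_server_request(k, is_probe_request)}


def forward_headers_consistent(client_headers, is_probe_request=False):
    """Hardened variant (an assumption, not Microsoft's patch): both sides share one
    definition, so every header the Backend trusts is stripped before proxying."""
    return {k: v for k, v in client_headers.items()
            if should_copy_header_to_server_request(k, is_probe_request)
            and k.lower() not in BACKEND_TRUSTED_HEADERS}


def trusted_headers_reaching_backend(forwarded):
    """Backend-trusted headers that survived the Frontend filter; empty is the goal."""
    return sorted(k for k in forwarded if k.lower() in BACKEND_TRUSTED_HEADERS)


# RFC 1123 hostname grammar: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def backend_url_from_cookie(cookie_value, path="/owa/auth/x.js"):
    """Vulnerable shape of GetTargetBackEndServerUrl: the cookie string becomes the host
    of an https URL on port 444 with no validation at all."""
    return f"https://{cookie_value}:444{path}"


def split_url(url):
    """Generic RFC 3986 split (IPv6 literals not handled) showing where the intended
    host and ':444' really end up once the cookie carries URL delimiters."""
    scheme, rest = url.split("://", 1)
    end = len(rest)
    for delimiter in "/?#":            # the authority ends at the first of these
        idx = rest.find(delimiter)
        if idx != -1:
            end = min(end, idx)
    authority, remainder = rest[:end], rest[end:]
    remainder, _, fragment = remainder.partition("#")
    path = remainder.partition("?")[0]
    userinfo, _, hostport = authority.rpartition("@")
    host, _, port = hostport.rpartition(":")
    if not host:                       # no port present
        host, port = hostport, ""
    return {"scheme": scheme, "userinfo": userinfo, "host": host,
            "port": port, "path": path, "fragment": fragment}


def resolve_backend(cookie_value, known_backends):
    """Hardened shape (an assumption): the cookie must be a syntactically valid hostname
    AND name a Backend this Frontend already knows; anything else is not proxied."""
    if not cookie_value or not HOSTNAME_RE.match(cookie_value):
        return None
    known = {h.lower() for h in known_backends}
    return cookie_value if cookie_value.lower() in known else None


if __name__ == "__main__":
    crafted = "[foo]@example.com:443/path#]"   # cookie value implied by the page's URL
    print(split_url(backend_url_from_cookie(crafted)))
    print(resolve_backend(crafted, ["mail01.corp.example"]))
    client = {"Cookie": "X-AnonResource-Backend=" + crafted,      # constructed request
              "msExchLogonMailbox": "constructed", "X-CommonAccessToken": "constructed"}
    print(trusted_headers_reaching_backend(forward_headers_blacklist(client)))
    print(trusted_headers_reaching_backend(forward_headers_consistent(client)))
```

Run as a script it shows the crafted cookie being read by a generic parser as userinfo `[foo]`, host `example.com`, port 443, with the intended `:444` pushed into the fragment, and the one Backend-trusted header that the Frontend blacklist lets through.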



With the inconsistency between the Frontend and Backend, we can access all the functions on ECP through header forgery and internal Backend API abuse. Next, we have to find an RCE bug on the ECP interface to chain them together. ECP wraps the Exchange PowerShell commands as an abstract interface at /ecp/DDI/DDIService.svc. The DDIService defines several PowerShell execution pipelines in XAML so that they can be accessed over the Web. While reviewing the DDI implementation, we found that the WriteFileActivity tag did not check the file path properly, which led to an arbitrary file write.

DDIService\WriteFileActivity.cs

public override RunResult Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, Workflow.UpdateTableDelegate updateTableDelegate) {
    DataRow dataRow = dataTable.Rows[0];
    // Both the content and the destination path come straight from the request's data row.
    string value = (string)input[this.InputVariable];
    string path = (string)input[this.OutputFileNameVariable];
    RunResult runResult = new RunResult();
    try {
        runResult.ErrorOccur = true;
        // The path is opened without any validation of where it points.
        using (StreamWriter streamWriter = new StreamWriter(File.Open(path, FileMode.CreateNew))) {
            streamWriter.WriteLine(value);
        }
        runResult.ErrorOccur = false;
    }
    catch (Exception) {
        // ... error reporting elided
    }
    return runResult;
}


There are several paths to trigger the arbitrary-file-write vulnerability. Here we use ResetOABVirtualDirectory.xaml as an example and write the result of Set-OABVirtualDirectory to the webroot to be our Webshell.
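The WriteFileActivity defect modelled in Python, as an added example that is not Exchange's or the author's code: `write_file_activity_unchecked` mirrors Run() above (a data-row value written with CreateNew semantics to whatever path the row names), and `write_file_activity_confined` is an assumed hardening that keeps the target under one directory and refuses web-executable suffixes. The directory names, the suffix list and the row variable names are assumptions.

```python
"""Model of the WriteFileActivity defect and a confined variant (example code, not Exchange's)."""
import tempfile
from pathlib import Path

# Suffixes a directory served by IIS must never receive from a data row (an assumption).
WEB_EXECUTABLE_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".config"}


def write_file_activity_unchecked(row, input_variable="Value", output_variable="FilePathName"):
    """Same shape as Run() on the page: the output path is taken from the row and used as-is."""
    value = row[input_variable]
    path = row[output_variable]
    with open(path, "x", encoding="utf-8") as handle:   # 'x' behaves like FileMode.CreateNew
        handle.write(value + "\n")                      # StreamWriter.WriteLine
    return path


def check_output_path(requested, allowed_dir):
    """Returns (target, None) when `requested` resolves inside allowed_dir with a harmless
    suffix, else (None, reason). resolve() collapses '..'; an absolute `requested` simply
    replaces the base and is then caught by the containment test."""
    base = Path(allowed_dir).resolve()
    target = (base / requested).resolve()
    if base not in target.parents:
        return None, "outside allowed directory"
    if target.suffix.lower() in WEB_EXECUTABLE_SUFFIXES:
        return None, "web-executable suffix"
    return target, None


def write_file_activity_confined(row, allowed_dir, input_variable="Value",
                                 output_variable="FilePathName"):
    """Hardened variant (an assumption, not Microsoft's patch): write only what the check allows."""
    target, reason = check_output_path(row[output_variable], allowed_dir)
    if target is None:
        raise PermissionError(f"refusing {row[output_variable]!r}: {reason}")
    with open(target, "x", encoding="utf-8") as handle:
        handle.write(row[input_variable] + "\n")
    return str(target)


def demo():
    """Runs both variants in a scratch tree and reports what each one allowed."""
    with tempfile.TemporaryDirectory() as scratch:
        out_dir = Path(scratch) / "OutputFiles"     # where the activity is meant to write
        webroot = Path(scratch) / "webroot"         # stands in for a directory it must never touch
        out_dir.mkdir()
        webroot.mkdir()
        results = {}
        # Unchecked: a row naming a file under the web root is written without complaint.
        written = write_file_activity_unchecked(
            {"Value": "constructed content", "FilePathName": str(webroot / "page.aspx")})
        results["unchecked_wrote_into_webroot"] = Path(written).exists()
        # Confined: the same target, a traversal, and a bad suffix inside out_dir are all refused.
        results["confined_rejections"] = {
            name: check_output_path(name, out_dir)[1]
            for name in (str(webroot / "page.aspx"), "../webroot/page.txt", "page.aspx")}
        ok = write_file_activity_confined(
            {"Value": "constructed report", "FilePathName": "report.txt"}, out_dir)
        results["confined_wrote"] = Path(ok).read_text(encoding="utf-8")
        return results


if __name__ == "__main__":
    print(demo())
```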



Now we have a working pre-auth RCE exploit chain. An unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through the exposed port 443. Here is a demonstration video:


Epilogue

As the first blog of this series, ProxyLogon perfectly shows how severe this attack surface could be. We will have more examples to come. Stay tuned!



    non stick wok made in germany

    回覆刪除
  42. Steakshop Canada offer steak delivery canada, wagyu beef delivery canada, wagyu sausage, steak delivery mississauga, steak kobe montreal, steak sale ontario at steaks online canada.
    Experience an exceptional eating experience eveytime at Steak Shop Canada.
    online meat canada

    回覆刪除
  43. No, I haven’t had that experience before, but if you are interested check out this link: percetakan murah jakarta

    回覆刪除
  44. Just added this blog to my favorites. I enjoy reading your blogs and hope you keep them coming! cetak buku umroh

    回覆刪除
  45. You made some decent points there. I looked on the internet for that problem and located most people will go in addition to with the web site. cetak buku murah

    回覆刪除
  46. I think your website has a lot of useful knowledge. I'm so thankful for this website.
    I hope that you continue to share a lot of knowledge.
    This is my website.
    한게임머니상

    回覆刪除
  47. I understand what you're referring to, it's very nice, easy to understand, very knowledgeable. สมัคร bet game tv

    回覆刪除
  48. I like this kind of content and i think that it's very informative!
    pragmaticplay มือถือ

    回覆刪除
  49. Hey friend, it is very well written article, thank you for the valuable and useful information you provide in this post. Keep up the good work! FYI, what does it mean when a cat headbutts you, Pottery Barn Credit Card Review , The book you wish your parents had read book pdf download,My School Essay 10 Lines in English

    回覆刪除
  50. I think your website has a lot of useful knowledge. I'm so thankful for this website.
    I hope that you continue to share a lot of knowledge.come my web site 안전놀이터

    回覆刪除
  51. haven’t had that experience before, but if you are interested check out this link토토사이트

    回覆刪除
  52. Hey friend, it is very well written article, thank you for the valuable and useful information you check my web site 스포츠토토

    回覆刪除
  53. Daria had been thinking about purchasing new workstations for her family, and hurried forward with the buy as she saw check my web site 무직자대출

    回覆刪除
  54. Thanks and keep sharing such valuable updates through your side. You can also visit:
    Cetak Spanduk Murah Jakarta
    Tempat Print Murah Jakarta

    回覆刪除

  55. I have visited all blogs of your website with great content. 123bet กีฬา

    回覆刪除
  56. Thank you for this blog, Do you need Help With Dissertation Writing Paper? we also offer Dissertation Writing Help India contact us for more information.
    ลิงค์รับทรัพย์

    回覆刪除
  57. This is very interesting, You are a very skilled blogger. I've joined your rss feed and look forward to seeking more of your wonderful 메이저토토. Also, I have shared your website in my social networks!

    回覆刪除
  58. After looking over a handful of the blog posts on your website, I really appreciate your way of writing a blog. I book marked it to my bookmark website list and will be checking back soon. Take a look at my web site superslot as well and tell me how you feel

    superslot
    | ฝาก 30รับ100 | <a

    回覆刪除
  59. http://blog.atlas-games.com/2019/01/atlas-games-is-hiring-marketing.html?showComment=1648626714937#c548319413502761340

    回覆刪除
  60. situs prediksi togel sydney terupdate terpopuler prediksi sydney

    回覆刪除
  61. I always used to read piece of writing in newspapers but now as I am a user of net so from
    now I am using net for content, thanks to web. ทดลองเล่นบาคาร่า

    回覆刪除
  62. Hey friend, it is very well written article, thank you for the valuable and useful information you provide in this post. Keep up the good work! FYI,Airtel Axis Bank Credit Card Review
    , the psychology of money pdf, Unforgettable childhood memories essay

    回覆刪除
  63. I would like to receive news from you every day. I will wait and hope you come soon. สมัคร sa gaming

    回覆刪除
  64. I always used to read piece of writing in newspapers but now as I am a user of net so from
    now I am using net for content, thanks to web superslot

    回覆刪除
  65. 안전놀이터 Thailand's wind continues to major tournaments. In the first round of the Chevron Championship of the U.S. Women's Professional Golf Tour at Mission Hills CC in California on the 1st, Patty Tawata Nakit came in

    回覆刪除
  66. 안전놀이터 Schumeljeol also has a good start in joint 10th place at 3-under par. Lee Min-ji, a Korean-Australian, will try to win seven LPGA Tour titles following last year's major Evian Championship. Thailand's Pajari Ananarukan

    回覆刪除
  67. 안전놀이터추천 Lim Hee-jung, who represented the Korean Women's Professional Golf Tour, started at 1-under par and Anna Lin, who finished third after competing for the championship last week, started at even par.

    回覆刪除
  68. 먹튀검증커뮤니티 Ko Jin-young, who played over pars in eight months, said, "I made several great shots, but I couldn't put it. For some reason, I couldn't read the brakes and hit the speed well." Ko Jin-young, who has been in the

    回覆刪除
  69. This is really amazing article. Thanks a lot for sharing wonderful information.
    ลิงค์รับทรัพย์ joker

    回覆刪除
  70. Shisha Nova canada offering buy hookah toronto, shisha canada, Hookah Bowl, Hookah Pipes, Hookah Charcoal, etc at very good price.
    Shisha Canada

    回覆刪除
  71. Manday Grooming is offering a wide rang of beard products in Canada at very good price. Browse the best Mens beard oil, beard kits, shave products, mens grooming products, hemp shampoo, etc.
    Premium men's grooming products

    回覆刪除
  72. After looking over a handful of the blog posts on your website, I really appreciate your way of writing a blog. I book marked it to my bookmark website list and will be checking back soon. Take a look at my web site ทางเข้า superslot
    ทางเข้า ryslotclub
    ทางเข้า ryslotclub
    as well and tell me how you feel.

    回覆刪除
  73. The first few steps of another chapter for myself. Thank you guys for all of the love & support through my journey as an adult. This is my gift to you. 디마크 당산

    回覆刪除
  74. My programmer is trying to convince me to move to .net from 토토사이트. I have always disliked the idea because of the expenses. But he's tryiong none the less.

    回覆刪除
  75. To use article marketing correctly, write interesting and informative articles that will draw people into the article, making them wanting to read more. add more

    回覆刪除
  76. It is in point of fact a nice and helpful piece of info.
    I’m happy that you simply shared this helpful information with us.

    Please stay us up to date like this. Thank you for sharing. 안전놀이터

    回覆刪除
  77. I really enjoy the blog.Really looking forward to read more. Really Great. 한국야동

    回覆刪除
  78. I just want to say I’m very new to weblog and seriously loved your web page. More than likely I’m likely to bookmark your blog post . You actually have outstanding stories. Thanks for sharing with us your webpage. 먹튀검증

    回覆刪除
  79. Nice blog and absolutely outstanding. You can do something much better but i still say this perfect.Keep trying for the best 토토사이트

    回覆刪除
  80. After I read your article like being trapped in a reverie It has a very interesting substance. สมัคร ebet

    回覆刪除
  81. Thanks for such a valuable post. I am waiting for your next post, I have enjoyed a lot reading this post keep it up. ทางเข้าเล่น 123BET

    回覆刪除
  82. I really enjoy your web’s topic. Very creative and friendly for users. Definitely bookmark this and follow it everyday.토토사이트

    回覆刪除
  83. เล่น สล็อต pg slot แล้วไปซื้อของใน shopeeเราก็ยิ่งเสียเงินไปกับการช้อปปิ้งออนไลน์ มากพอสมควรเราจึงมีเกมที่เล่นแล้วได้เงิน นั่นก็คือเกมสล็อต จากค่ายเกม Pg slot นั่นเอง

    回覆刪除
  84. the information is very useful to me and thanks for this & i am happy after consuming a valuable etha

    回覆刪除
  85. If you want to know about the game of บาคาร่า, you can play here immediately. With a formula that will help you to be profitable for sure as well.

    回覆刪除
  86. This amazing post gives an idea. I really like this thread 123เบทติ้ง

    回覆刪除
  87. I really enjoy your web’s topic. Very creative and friendly for users. Definitely bookmark this and follow it everyday. 홀덤사이트

    回覆刪除
  88. รับโปรโมชั่นสูงสุดทีเด็ดแทงบอล
    เกมสล็อตมีโอกาสได้รับเครดิตฟรีในการเข้าเล่น

    回覆刪除
  89. โปรโมชั่นใหม่สำหรับสมาชิกทุกท่านที่มีโอกาสได้รับโปรโมชั่นสูงสุดแทงบอล
    สล็อตออนไลน์ เครดิตฟรีทำเงิน เพื่อเพิ่มต้นทุนในการทำเงินอย่างต่อเนื่อง ไม่มีเงื่อนไข ทั้งยังมีโอกาสได้รับเครดิตฟรีในการเข้าเล่นได้อีกด้วย

    回覆刪除
  90. โปรโมชั่นใหม่สำหรับสมาชิกทุกท่านโปรโมชั่นสูงสุดแทงบอลออนไลน์
    สมัครสล็อต เครดิตฟรีทำเงิน เพื่อเพิ่มต้นทุนในการทำเงินอย่างต่อเนื่อง ไม่มีเงื่อนไข

    回覆刪除
  91. ผู้เล่นทุก ๆ ท่าน ที่เข้ามาเล่น เกมสล็อตออนไลน์ เว็บ BETFLIX เครดิตฟรี 100 และเข้าใช้บริการ Pragmatic Play ส่วนใหญ่ มักเล่นเกมเพื่อ หาผลกำไรเพียงอย่างเดียว และ เล่นเพื่อคลายเครียด หรือ หารายได้ เสริมเล็ก ๆ น้อย ๆ ด้วยความที่ เกมทดลองเล่น SLOT PP สล็อตมีผู้เข้าเล่นจำนวนมาก BETFLIX เครดิตฟรี 100

    回覆刪除
  92. ในช่วงที่เป็นยุคโควิดแบบนี้ เศรษฐกิจไม่ค่อยดี สล็อตเว็บตรงขั้นต่ำ 1 บาท ที่ BETFLIX จะเป็นช่องทางที่เปิดโอกาส ให้ผู้เล่นที่กำลัง ตกงานPG SLOT รายจ่ายมีมากกว่ารายได้ ได้เข้ามาหารายได้เสริม BETFLIX เพิ่มเติมกัน แม้ว่าจะไม่มีเงินทุนใดๆ PG SLOT

    回覆刪除
  93. MEGA GAME ในปัจจุบันนี้ ดูหนังออนไลน์ได้มีเว็บเกิดขึ้นมาใหม่อยู่เต็มไปหมด สล็อตเว็บตรงแตกดี แต่ถ้าหากได้เข้าเล่นกับ สล็อตเว็บตรง กระเป๋าเดียว สล็อตเว็บตรง กระเป๋าเดียว ผู้เล่นจะเล่นกันได้อย่างสบายใจ ไม่ต้องโยกย้ายเว็บไปมาให้ยุ่งยากอีกต่อไป เข้าเล่นที่เดียวสนุกจัดเต็มกันได้ไม่อั้น สล็อตเว็บตรง กระเป๋าเดียว และยังรวมกองทัพเกมสล็อตชั้นนำทั่วไปเทศ มาไว้ให้เล่นใน เว็บสล็อตตรง MEGA GAME กระเป๋าเดียว รวมเกมคุณภาพไว้ให้เล่นมากกว่าใคร เล่นกันได้ผ่านเว็บนี้เลย สนุกสุดมันส์ไปกับโบนัสที่แจกไม่อั้น เราตั้งใจพัฒนาเพื่อรองรับผู้เล่นทุกประเภท ดูหนังออนไลน์ สุดยอดเกมฮิตที่เล่นได้ฟรีๆ ไม่ต้องควักทุนสักบาทเดียว สล็อตเว็บตรง กระเป๋าเดียว เล่นกันได้ตลอด

    回覆刪除
  94. allbet
    Step football betting is a type of gambling. That has been very popular.

    回覆刪除
  95. สูตรเซียน The best games collected here Services Available 24 hrs.

    回覆刪除
  96. หวยยี่กี
    otox can be very helpful with skin wrinkles and it can also help treat bruxi

    回覆刪除
  97. Looking at this article, I miss the time when I didn't wear a mask. 오공슬롯 Hopefully this corona will end soon. My blog is a blog that mainly posts pictures of daily life before Corona and landscapes at that time. If you want to remember that time again, please visit us.

    回覆刪除
  98. BETFLIX ผู้เล่นที่กำลัง เกิคความสนใจ ดูหนังออนไลน์ฟรี อยากลองเปลี่ยนเว็บ ที่จะเข้ามาเดิมพัน สร้างผลกำไรกลับไปแบบคุ้มค่า ต้องลองมาเล่นกับ ที่ BETFLIX เว็บใหญ่ มาแรงล่าสุด ที่มีเกมน่าเล่น เว็บใหญ่ มาแรงล่าสุด มากมายหลากหลายรูปแบบ ก่อนอื่นต้องขอบอกก่อนเลย ว่าสล็อตที่จะเข้าไปเล่นเกมนั้น มีเยอะมากๆ หาเล่นได้ง่าย แต่เว็บที่มีคุณภาพดีๆ สล็อตเว็บตรง มาแรงเหมือนเว็บของเรา หายากยิ่งกว่า

    回覆刪除
  99. News that Ranil Wickremesinghe is the new prime minister has been largely met with dismay and disbelief in Sri Lanka. -> 카지노커뮤니티

    回覆刪除
  100. Your Site is very nice, and it's very helping us this post is unique and interesting, thank you for sharing this awesome information. and visit our blog site also ........
    ลิงค์รับทรัพย์ slot fc

    回覆刪除
  101. Since Russian forces were pushed back from Kyiv at the end of March, the bodies of more than 1,000 civilians have been discovered in the Bucha region - many hastily buried in shallow graves. The BBC's Sarah Rainsford has been investigating what happened at a children's summer camp - now being treated as a crime scene. -> 카지노커뮤니티

    回覆刪除